SWARM Mode - Docker binds ingress ports always on 0.0.0.0 #35318
Comments
The See https://docs.docker.com/engine/swarm/services/#publish-a-services-ports-directly-on-the-swarm-node Closing as this is expected behavior and is documented, but feel free to discuss.
Hi, Thanks. So, there isn't a method where I can deploy a service in the swarm which binds on host1 to IP X and on host2 to IP Y? It has to bind to all addresses available on the host?
@eyenx That seems correct as the service could be scheduled anywhere on the cluster.
There's a tracking issue that shows which options are not (yet) supported for swarm services here: #25303. Issues about For publishing ports (slightly related) the
Okay. Thank you very much.
I am a little bit confused now. I checked a lot of tickets but could not find what I was looking for. So I hope somebody here can help me, as it seems very closely related.
@janober on recent versions of docker you can specify a It was implemented in this pull request: #32717 Note that this option can only be set on
@thaJeztah thanks a lot for the fast reply. That sounds like exactly what I am looking for. Sadly it does not work for me. I am running Docker version 17.09.0-ce, build afdb6d4, so that option is already there. However, when I start swarm like this:
and then a container, for example ngnix like that:
I cannot just access the web page via http://x.x.x.x; I can still access it via the other IP address http://y.y.y.y. Do I misunderstand or do something wrong?
Let me double-check with @fcrisciani
@janober just tried your solution:
also by specifying the interface-name:
but docker-swarm is also still listening on the other interface eth0... |
@janober the flag data-path-addr is used only to separate data-path traffic from control-plane traffic, meaning that all the overlay traffic (VXLAN) is going to exit and enter on the interface specified by the data-path-addr knob. The flag does not change the listening address of swarm @alex-sainer
so will match any packet coming to that dst port.
@fcrisciani Thanks for clarifying!
Maybe my later question was also not very clear. I am also not talking about the "--listen-addr", because that one does not change the "listening" I am talking about either. I want to change the IP the docker services respond to.
@janober at the moment there is no real way to avoid that, the As an idea for a future improvement would be to create the iptables rules using the listening address if specified
@fcrisciani Thanks for the answer. My use case is that my servers are part of two networks: an internal private network which cannot be accessed from the internet (in which all servers are, and I via VPN) and an external one which can be accessed via the internet. I wanted to have a very simple but still secure way of accessing docker swarm services in the private network only (without having to deal with the complicated iptables stuff).
I have the same problem. My solution was to run in host mode, to be sure it would bind to the address I want on each docker node. I have to remove docker_gwbridge from each node before joining the swarm and do something like docker network create -o "com.docker.network.bridge.host_binding_ipv4"="192.168.1.151" docker_gwbridge (192.168.1.151 is the IP I want to expose on this node). On compose I was using
It would be GREAT to have something like that for ingress. And it sounds really simple to implement. Hope we get it.
Found a workaround: publish docker service ports to the "service" range (i.e. 22222:22288) and drop packets on these ports for the public interface; now I can configure my frontend to map to the local interface.
If I need to expose any port to the public from the swarm (i.e. 25 - smtp), I can just use a port out of the "service" range... fuh.... dirty hack
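The iptables half of that workaround, as an added example that is not code from the thread: a small POSIX sh script that inserts DROP rules into Docker's DOCKER-USER chain (evaluated before Docker's own FORWARD rules since 17.06) for the "service" port range on the public interface, so ingress-published ports stay reachable only from the internal network. The interface name eth0 and the range 22222:22288 from the comment above are assumptions; rules are only printed unless --apply is given.

```shell
#!/bin/sh
# Added example, not code from the thread. Blocks packets to the swarm
# "service" port range that arrive on the public interface by inserting
# rules into DOCKER-USER, which Docker evaluates before its own FORWARD
# rules. Assumed: eth0 is the public NIC, the range is 22222:22288.
set -eu

PUBLIC_IF="${PUBLIC_IF:-eth0}"
SERVICE_RANGE="${SERVICE_RANGE:-22222:22288}"
IPTABLES="${IPTABLES:-iptables}"

# Accept only "low:high" with 1 <= low <= high <= 65535.
valid_range() {
  case "$1" in *:*) ;; *) return 1 ;; esac
  low="${1%%:*}"
  high="${1##*:}"
  case "$low" in ''|*[!0-9]*) return 1 ;; esac
  case "$high" in ''|*[!0-9]*) return 1 ;; esac
  [ "$low" -ge 1 ] && [ "$low" -le "$high" ] && [ "$high" -le 65535 ]
}

# Print one DROP rule per protocol for interface $1 and range $2;
# nothing is applied here.
build_rules() {
  valid_range "$2" || { echo "bad port range: $2" >&2; return 1; }
  for proto in tcp udp; do
    echo "DOCKER-USER -i $1 -p $proto --dport $2 -j DROP"
  done
}

# Insert each rule only when it is not already present (-C), so
# re-running the script does not stack duplicate rules.
apply_rules() {
  build_rules "$1" "$2" | while read -r rule; do
    # shellcheck disable=SC2086  # word-splitting the rule is intended
    "$IPTABLES" -C $rule 2>/dev/null || "$IPTABLES" -I $rule
  done
}

if [ "${1:-}" = "--apply" ]; then
  apply_rules "$PUBLIC_IF" "$SERVICE_RANGE"
else
  build_rules "$PUBLIC_IF" "$SERVICE_RANGE"   # dry run: only show the rules
fi
```

Ports you do want public (the SMTP example above) simply stay outside SERVICE_RANGE, and the DOCKER-USER rules survive Docker restarts only if you persist them with your distribution's iptables tooling.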
Just to be sure: there is still no way of defining what IP ingress is listening on?
@ppetermann correct; it's being tracked in #26696
I'm not sure if my problem is related. I can access all the services from every node via
time just slip-slidin away ... just to be sure: there is still no way of defining what IP ingress is listening on?
I have exactly the same issue - overlay network via publish. I was trying with and without host mode. In host mode the docker-proxy binding is 0.0.0.0:port, otherwise dockerd is *:port. But it still doesn't work. I can connect from other hosts or locally via 0.0.0.0 or localhost:. Other services on the same node also cannot connect to the published one.
Description
We have multiple hosts using swarm mode.
Some of these hosts have two or more external IP addresses. Docker swarm services with published ports always bind to 0.0.0.0:, even after launching dockerd with --ip=xxx.xxx.xxx.xx.
Containers not started in swarm mode are binding to the correct IP. Services in swarm are always binding published ports to every IP known by the host (eno1, eno2 and lo). We cannot use the second IP with a port already taken by docker swarm.
Steps to reproduce the issue:
Describe the results you received:
Started dockerd with --ip argument:
root 4869 1.1 10.0 2749972 102920 ? Ssl 12:36 0:12 /usr/bin/dockerd -H fd:// --ip=139.59.215.247 --swarm-default-advertise-addr=139.59.215.247
Swarm services bind published ports to every IP known by the system (0.0.0.0).
Describe the results you expected:
Expected swarm services to bind published ports only on IP 139.59.215.247.
Additional information you deem important (e.g. issue happens only occasionally):
Output of docker version:
Output of docker info: