Docker service exposed publicly though made to expose ports to localhost only


Problem description

I have created one service and exposed it to run only on localhost on one of my docker swarm nodes, but I can access the service publicly too easily.

Here is the docker-compose.yml I have used to deploy the service in the stack:

version: "3"
networks:
    api-net:
        ipam:
            config:
                - subnet: 10.0.10.0/24

services:
    health-api:
        image: myprivateregistry:5000/healthapi:qa
        ports:
            - "127.0.0.1:9010:9010"
        networks:
            - api-net
        depends_on:
            - config-server
        deploy:
            mode: replicated
            replicas: 1
            placement:
                constraints:
                    - node.role == manager

I haven't added the service on which it depends, as I don't think that is the problem.

Some say it's not supported in docker swarm mode. Then what is the solution in that case?


Answer

Quoting https://github.com/moby/moby/issues/32299#issuecomment-290978794:

On swarm mode, if you publish something (ports for stack deploy), it is published on the ingress network, and thus it is public. There are a few ways to get around this, but I'm putting kind/bug on that because we should at least warn people about it when doing a stack deploy with ports that have this notation (i.e. host:port:port).

To work around this, there are a few ways:

  • First, you should publish the mongo ports only if you want them to be public; otherwise they are available through Docker's name discovery (another container/service on the same network will be able to reach it through the mongo DNS name).
  • If you want to publish it on the host and not on ingress (so not swarm-public, just on the host it is running on, the same way as without swarm mode), you need to use the ports expanded syntax.

ports:
  - mode: host
    target: 80
    published: 9005

So, the reason is Swarm's ingress network, which makes every port publicly available. The workaround using the extended syntax doesn't bind to the loopback interface but to the host's 0.0.0.0 interface, which is still an improvement over a port exposed externally via the ingress network.
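The answer above explains the trap (the host IP in `127.0.0.1:9010:9010` is silently dropped by `docker stack deploy`) and the fix (long syntax with `mode: host`). What follows is an added example, not code from the question, the answer or the linked moby issue: a small pre-deploy lint that parses Compose short port syntax, flags every mapping whose host IP swarm will ignore, and rewrites the service's ports into the `mode: host` long form. It assumes the page's docker-compose.yml transcribed by hand into the `PAGE_COMPOSE` dict (so no PyYAML is needed) and leaves port ranges out of scope.

```python
"""Lint Compose port mappings before a `docker stack deploy`.

Added example for this page, not code from the question, the answer or the
moby issue. In swarm mode the host IP of a short-syntax mapping such as
"127.0.0.1:9010:9010" is ignored and the port is published on the ingress
network, so a pre-deploy check should flag it and offer `mode: host`.
Assumptions: PAGE_COMPOSE is the page's docker-compose.yml transcribed into a
dict by hand (constructed input); port ranges are not handled.
"""
from __future__ import annotations

import copy
import ipaddress

# The page's docker-compose.yml, transcribed into a dict (constructed input).
PAGE_COMPOSE = {
    "version": "3",
    "services": {
        "health-api": {
            "image": "myprivateregistry:5000/healthapi:qa",
            "ports": ["127.0.0.1:9010:9010"],
            "networks": ["api-net"],
            "deploy": {"mode": "replicated", "replicas": 1},
        }
    },
}


def parse_short_port(spec) -> dict:
    """Parse Compose short port syntax: [host_ip:][host_port:]container_port[/protocol].

    host_ip may be a bracketed IPv6 address, e.g. "[::1]:9010:9010".
    Values are kept as strings; an empty host port (random port) becomes None.
    """
    original = str(spec)
    spec = original
    protocol = "tcp"
    if "/" in spec:
        spec, protocol = spec.rsplit("/", 1)
    host_ip = None
    if spec.startswith("["):                      # bracketed IPv6 host address
        close = spec.index("]")
        host_ip = spec[1:close]
        spec = spec[close + 1:]
        if not spec.startswith(":"):
            raise ValueError(f"expected ':' after IPv6 address in {original!r}")
        spec = spec[1:]
    parts = spec.split(":")
    if len(parts) == 1:
        published, target = None, parts[0]
    elif len(parts) == 2:
        published, target = parts
    elif len(parts) == 3 and host_ip is None:
        host_ip, published, target = parts
    else:
        raise ValueError(f"unrecognised port mapping {original!r}")
    return {"host_ip": host_ip, "published": published or None,
            "target": target, "protocol": protocol}


def lint_stack_ports(compose: dict) -> list[str]:
    """Return one finding per port mapping whose host IP `docker stack deploy` ignores."""
    findings = []
    for name, service in compose.get("services", {}).items():
        for entry in service.get("ports") or []:
            if isinstance(entry, dict):           # long syntax: only mode: host leaves the mesh
                if "host_ip" in entry and entry.get("mode", "ingress") != "host":
                    findings.append(f"{name}: {entry} carries a host_ip but is published "
                                    f"on the ingress network, so the IP is not honoured")
                continue
            mapping = parse_short_port(entry)
            ip = mapping["host_ip"]
            if ip is None:
                continue                          # no host IP requested: public by design
            intent = "loopback-only" if ipaddress.ip_address(ip).is_loopback else f"bound to {ip}"
            findings.append(
                f"{name}: '{entry}' asks for a {intent} listener, but swarm ignores the host IP "
                f"and publishes port {mapping['published']} on the ingress network")
    return findings


def to_host_mode(ports: list) -> list[dict]:
    """Rewrite mappings into long syntax with mode: host, as the answer suggests.

    The host IP is dropped on purpose: mode: host binds the node's 0.0.0.0, not loopback.
    """
    rewritten = []
    for entry in ports:
        if isinstance(entry, dict):
            new = dict(entry, mode="host")
            new.pop("host_ip", None)
            rewritten.append(new)
            continue
        m = parse_short_port(entry)
        if m["published"] is None:
            raise ValueError(f"{entry!r}: mode: host needs an explicit published port")
        rewritten.append({"mode": "host", "target": int(m["target"]),
                          "published": int(m["published"]), "protocol": m["protocol"]})
    return rewritten


def fix_compose(compose: dict) -> dict:
    """Return a deep copy of the compose dict with every service's ports in mode: host."""
    fixed = copy.deepcopy(compose)
    for service in fixed.get("services", {}).values():
        if service.get("ports"):
            service["ports"] = to_host_mode(service["ports"])
    return fixed


if __name__ == "__main__":
    for finding in lint_stack_ports(PAGE_COMPOSE):
        print("WARN", finding)
    print(fix_compose(PAGE_COMPOSE)["services"]["health-api"]["ports"])
```

Running it against the page's file produces one warning for `health-api` and the rewritten `ports` entry `{"mode": "host", "target": 9010, "published": 9010, "protocol": "tcp"}`. After redeploying the stack, confirm on the node with `ss -ltn` what address the port is actually bound to; with `mode: host` expect the wildcard address, as the answer says, so any loopback-only requirement still has to be enforced by a host firewall rule or by not publishing the port at all and reaching the service over the overlay network by name.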
