How to let different Docker containers talk to each other without exposing the ports to the whole world

Problem description

I needed to test my kafka consumer and message triggers in a controlled environment. So I made an ansible project for creating some mock kafka servers: mokafelk.

It works fine except the security is shit. The playbook spins up a 3-node dockerized kafka cluster by default but the listening ports on the kafka servers are exposed to all. Here's the jinja2 template of the Dockerfile used for creating the cluster.

Basically I want the containers to be able to talk to each other. I don't think container linking is an option because it seems to me linking is only one-way. But exposing a port using 127.0.0.1:{{ port }}:{{ port }} only exposes the port to the hosting machine and does not expose the port to the other containers if I am correct. 0.0.0.0:{{ port }}:{{ port }} exposes the port to the whole world. So how could I link two+ containers both ways? This must be a common problem but I don't seem to find a quick solution...

Recommended answer

The docker container networking is explained in detail here: https://docs.docker.com/engine/userguide/networking/dockernetworks/

In short:

By default the docker daemon adds a network adapter docker0 to the host system (it tries to guess an available IP, often uses 172.17.0.1). You can see this in $ ifconfig.

All containers are by default connected to this network with incremental IPs. You can examine the containers' network settings via $ docker inspect <container name>.

So chances are good your docker cluster's IPs are as follows:
kafka1 172.17.0.2
kafka2 172.17.0.3
kafka3 172.17.0.4
elasticsearch 172.17.0.5
kibana 172.17.0.6

You can then access your kafkas at 172.17.0.2:9092, 172.17.0.3:9092, 172.17.0.4:9092 from the host system and from the containers alike.
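
The three cases discussed above (published on 0.0.0.0, published on 127.0.0.1, and not published at all, so reachable only over the docker0 bridge) can be told apart from the Ports column of docker ps. The following is an added example, not part of the original question or answer; the function names classify_ports and world_exposed are hypothetical and the sample lines are constructed.

```shell
#!/bin/sh
# Audit how container ports are bound, using lines in the shape produced by:
#   docker ps --format '{{.Names}}\t{{.Ports}}'
# Each input line is "name<TAB>ports"; output is "name<TAB>mapping<TAB>verdict".

classify_ports() {
    awk -F '\t' '
    {
        # No port information at all: only reachable over the bridge network.
        if ($2 == "") { print $1 "\t-\tbridge-only"; next }
        n = split($2, maps, /, */)
        for (i = 1; i <= n; i++) {
            m = maps[i]
            if (m !~ /->/)                          v = "bridge-only"     # listed but not published
            else if (m ~ /^127\.|^\[?::1\]?:/)      v = "host-only"       # loopback binding
            else if (m ~ /^0\.0\.0\.0:|^\[?::\]?:/) v = "all-interfaces"  # every host interface
            else                                    v = "specific-address"
            print $1 "\t" m "\t" v
        }
    }'
}

# Names of containers with at least one port published on every host interface.
world_exposed() {
    classify_ports | awk -F '\t' '$3 == "all-interfaces" { print $1 }' | sort -u
}

# Constructed sample input (not captured from a real host).
sample_ps_output() {
    printf 'kafka1\t0.0.0.0:9092->9092/tcp, :::9092->9092/tcp\n'
    printf 'kafka2\t127.0.0.1:9093->9092/tcp\n'
    printf 'kafka3\t9092/tcp\n'
}

# Demonstration on the constructed sample; on a live host, pipe the
# docker ps command shown at the top into world_exposed instead.
sample_ps_output | classify_ports
```

In the sample, only kafka1 is reported as bound on all interfaces; kafka3 publishes nothing and is reachable only at its bridge address, which is the setup the answer describes.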
