How to let different Docker containers talk to each other without exposing the ports to the whole world


Problem description

I needed to test my kafka consumer and message triggers in a controlled environment. So I made an ansible project for creating some mock kafka servers: mokafelk.

It works fine except the security is shit. The playbook spins up a 3-node dockerized kafka cluster by default but the listening ports on the kafka servers are exposed to all. Here's the jinja2 template of the Dockerfile used for creating the cluster.

Basically I want the containers to be able to talk to each other. I don't think container linking is an option because it seems to me linking is only one-way. But exposing a port using 127.0.0.1:{{ port }}:{{ port }} only exposes the port to the hosting machine and does not expose the port to the other containers if I am correct. 0.0.0.0:{{ port }}:{{ port }} exposes the port to the whole world. So how could I link two+ containers both ways? This must be a common problem but I don't seem to find a quick solution...

Recommended answer

The docker container networking is explained in detail here: https://docs.docker.com/engine/userguide/networking/dockernetworks/

In short:

By default docker daemon adds a network adapter docker0 to the host system (it tries to guess an available IP, often uses 172.17.0.1). You can see this in $ ifconfig.

All containers are by default connected to this network in incremental IPs. You can examine the container's network settings via $ docker inspect <container name>.

So chances are good your docker cluster's IPs are as follows:
kafka1 172.17.0.2
kafka2 172.17.0.3
kafka3 172.17.0.4
elasticsearch 172.17.0.5
kibana 172.17.0.6

You can then access your kafkas at 172.17.0.2:9092, 172.17.0.3:9092, 172.17.0.4:9092 from the host system and from the containers alike.
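
To check which of the three cases from the question a running cluster is in (port bound to all interfaces, bound to 127.0.0.1 only, or not published and reachable only over the container network), the following added example, which is not part of the original question or answer, parses `docker inspect` JSON and reports each container's network IP and port exposure. The sample input is constructed and trimmed to the fields used, and the host port numbers in it are assumptions.

```python
import json

# Constructed sample in the shape of `docker inspect kafka1 kafka2 kafka3` output,
# trimmed to the fields used here; names and IPs follow the answer above.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/kafka1",
     "NetworkSettings": {
         "Ports": {"9092/tcp": [{"HostIp": "0.0.0.0", "HostPort": "9092"}]},
         "Networks": {"bridge": {"IPAddress": "172.17.0.2"}}}},
    {"Name": "/kafka2",
     "NetworkSettings": {
         "Ports": {"9092/tcp": [{"HostIp": "127.0.0.1", "HostPort": "9093"}]},
         "Networks": {"bridge": {"IPAddress": "172.17.0.3"}}}},
    {"Name": "/kafka3",
     "NetworkSettings": {
         "Ports": {"9092/tcp": None},  # exposed in the image, not published
         "Networks": {"bridge": {"IPAddress": "172.17.0.4"}}}},
])

LOOPBACK = ("127.", "::1")

def classify(bindings):
    """Return 'internal', 'host-only' or 'external' for one port's host bindings."""
    if not bindings:
        return "internal"  # no host binding: reachable only over the container network
    for b in bindings:
        host_ip = b.get("HostIp") or "0.0.0.0"  # empty HostIp means all interfaces
        if not host_ip.startswith(LOOPBACK):
            return "external"  # bound to a non-loopback host interface
    return "host-only"

def audit(inspect_json):
    """Map container name -> {'ips': {network: ip}, 'ports': {port: exposure}}."""
    report = {}
    for c in json.loads(inspect_json):
        net = c.get("NetworkSettings", {})
        networks = net.get("Networks") or {}
        ports = net.get("Ports") or {}
        report[c["Name"].lstrip("/")] = {
            "ips": {n: v.get("IPAddress", "") for n, v in networks.items()},
            "ports": {p: classify(b) for p, b in ports.items()},
        }
    return report

if __name__ == "__main__":
    for name, info in audit(SAMPLE_INSPECT).items():
        print(name, info["ips"], info["ports"])
```

On a live host the same function can be fed the output of `docker inspect` for the cluster's containers; any port reported as `external` is the one to rebind or unpublish.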
