Is it possible to expose docker ports to a specific interface
Question
My server has two network interfaces, eth0 and wlan0, one connected to the internet and the other to an internal network. The current solution of exposing Docker container ports with docker-compose to a specific interface is to use:
version: '2'
services:
  mosquitto:
    ports:
      - "192.168.0.1:1883:1883"
This makes it brittle since the IP addresses are distributed via DHCP. Several devices are used, of which each may have a different IP address. Therefore, is it possible to expose ports to only a specific interface? In addition, everything runs on Resin.io, limiting the configuration of iptables and co.
Recommended answer
You can address either of the two blockers mentioned as such:
With regards to the dynamic DHCP IPs, you can follow this resin.io guide about setting up static IPs: https://docs.resin.io/reference/resinOS/network/2.x/#setting-a-static-ip. After setting up a static IP, you should be able to use it in the ports configuration.
Another option is to use iptables within your mosquitto application container. This can be achieved by:
a) setting network_mode: host and privileged: true for the mosquitto service
b) installing iptables as part of a RUN instruction in your Dockerfile (e.g. RUN apt-get update && apt-get install iptables)
c) configuring iptables (e.g. iptables -A INPUT -i eth0 -p tcp --destination-port 1883 -j DROP to drop connections to port 1883 on the wlan0 interface)
As a side-note, I'd encourage you to have a look at our community forum (https://forums.resin.io) for any resin.io questions you might have. Our user base is pretty active there and chances are that more people will have a similar question or helpful suggestions for you.
Thanks!
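Steps a) to c) of the answer combined into a container entrypoint, as an added example that is not part of the original answer or resin.io's own code. It goes beyond the answer's single IPv4 rule by also applying it through ip6tables and by refusing to start the broker if a rule cannot be installed; the variable names PUBLIC_IF, MQTT_PORT and FW_CMDS and the file name entrypoint.sh are assumptions.

```shell
#!/bin/sh
# Added example: entrypoint sketch for the mosquitto container (steps a-c).
# PUBLIC_IF, MQTT_PORT and FW_CMDS are assumed names, not resin.io settings.
PUBLIC_IF="${PUBLIC_IF:-eth0}"            # interface that must not reach the broker
MQTT_PORT="${MQTT_PORT:-1883}"
FW_CMDS="${FW_CMDS:-iptables ip6tables}"  # apply the rule for IPv4 and IPv6

# Accept only plain interface names (max 15 chars) and ports 1-65535.
valid_iface() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    [ "${#1}" -le 15 ]
}
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Append the DROP rule unless an identical one exists (-C), so restarts
# with network_mode: host do not stack duplicate rules on the host.
ensure_drop_rule() {
    fw=$1; iface=$2; port=$3
    valid_iface "$iface" && valid_port "$port" || return 2
    "$fw" -C INPUT -i "$iface" -p tcp --destination-port "$port" -j DROP 2>/dev/null && return 0
    "$fw" -A INPUT -i "$iface" -p tcp --destination-port "$port" -j DROP
}

# Fail closed: if any rule cannot be installed, report it and return non-zero.
apply_all() {
    for cmd in $FW_CMDS; do
        ensure_drop_rule "$cmd" "$PUBLIC_IF" "$MQTT_PORT" || {
            echo "could not install DROP rule via $cmd" >&2
            return 1
        }
    done
}

# When given a command (e.g. entrypoint.sh mosquitto), install the rules
# first and only then exec the broker.
if [ "$#" -gt 0 ]; then
    apply_all || exit 1
    exec "$@"
fi
```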