Docker swarm prevent node from participating in ingress network
Quite possibly a very trivial question but I can't find anything in the documentation about a feature like this. As we know from the routing mesh documentation:
All nodes participate in an ingress routing mesh. The routing mesh enables each node in the swarm to accept connections on published ports for any service running in the swarm, even if there’s no task running on the node. The routing mesh routes all incoming requests to published ports on available nodes to an active container.
However, I do not wish some nodes to participate in the routing mesh, but I still want them to participate in hosting the service.
The configuration I'm trying to achieve looks a bit like this:
I have a single service, hello-world, with three instances, one on each node.
I would like, in this example, only node-1 and node-2 to participate in externalising the ingress network. However, when I visit 10.0.0.3, it still exposes port 80 and 443 as it still has to have the ingress network on it to be able to run the container hello-world, and I would like this not to be the case.
In essence, I'd like to be able to run containers for a service that hosts port 80 & 443 on 10.0.0.3 without being to access it by visiting 10.0.0.3 in a web browser. Is there any way to configure this? Even if there's no container running on the node, it'll still forward traffic to a container that is running.
Thank you!
The short answer to your specific question is no, there is no supported way to selectively enable/disable the ingress network on specific nodes for specific overlay networks.
But based on what you're asking to do, the expected model for using only specific nodes for incoming traffic is to control which nodes receive the traffic, not shutoff ports on specific nodes...
In a typical 6-node swarm where you've separated out your managers to be protected in a different subnet from the DMZ (e.g. a subnet behind the workers). You'd use placement constraints to ensure your app workloads were only assigned to worker nodes, and those nodes were the only ones in the VLAN/Security Group/etc. for being accessible from user/client traffic.
Most prod designs of Swarm recommend protecting your managers (which manage the orchestration and scheduling of containers, store secrets, etc.) from external traffic.
Why not put your proxies on the workers in a client-accessible network, and have those nodes the only in DMZ/external LB.
Note that if you only allow firewall/LB access to some nodes (e.g. just 3 workers) then the other nodes that don't receive external incoming traffic are effectively not using their ingress networks, which achieves your desired result. The node that receives the external connection uses its VIP to route the traffic directly to the node that runs the published container port.
- Docker Compose prompted error: no configuration file provided: not found
- Docker start privileged?
- Gilab CI: load ssh key from environment variable
- Docker build "Could not resolve 'archive.ubuntu.com'" apt-get fails to install anything
- PostgreSQL database not connecting to spring-boot application
- how to stop/pause a pod in kubernetes
- Why is Docker installed but not Docker Compose?
- Docker compose can not start service network not found after restart docker
- Using Docker with nodejs with node-gyp dependencies
- Unable to load dynamic library 'oci8.so' (PHP 7.2)
- How do you connect to postgres running in a Docker container on OSx?
- Interactive shell in Docker image with Amazon ECS with `aws ecs run-task` followed by `aws ecs execute-command`
- My docker container has no internet
- docker:Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?
- COPY with docker but with exclusion
- 'name' does not match any of the regexes: '^x-' while trying to set the project name in a docker-compose.yml
- ERROR DockerEnvironmentFactory: Docker container xxxxx logs, when trying to run Apache Beam pipeline written in Go using Spark runner
- Can't push docker image to Gitlab registry from pipeline: "denied: access forbidden"
- Kind kubernetes cluster failed to pull docker images
- How to run a command once in Docker compose
- Docker: adding a file from a parent directory
- Adding files to standard images using docker-compose
- Docker Image > 1GB in size from python:3.8.3-alpine
- Cannot remove Docker container with status "Created"
- docker: executable file not found in $PATH
- Spring Boot application shutting down immediately after start
- Locating data volumes in Docker Desktop (Windows)
- Setup custom cleanup for docker images in nexus repository
- How to assign more memory to docker container
- Sort by memory usage in docker stats