Docker-compose "ports": listen on multiple IP addresses / IP range

Time:03-30

Instead of listening to a single IP address like e.g. localhost:

ports:
- "127.0.0.1:80:80"

I want the container to only listen to a local network, i.e. e.g.:

ports:
- "10.0.0.0/16:80:80"

ERROR: The Compose file './docker-compose.yml' is invalid because:
services.SERVICE.ports contains an invalid type, it should be a number, or an object

Is this possible?

I don't want to use things like swarm mode etc., yet.


If IP range is not supported, maybe at least multiple IP addresses like 10.0.0.2 and 10.0.0.3?

ERROR: for CONTAINER  Cannot start service SERVICE: driver failed programming external connectivity on endpoint CONTAINER (...): Error starting userland proxy: listen tcp 10.0.0.3:80: bind: cannot assign requested address

ERROR: for SERVICE  Cannot start service SERVICE: driver failed programming external connectivity on endpoint CONTAINER (...): Error starting userland proxy: listen tcp 10.0.0.3:80: bind: cannot assign requested address

Or is it not even supported to listen to 10.0.0.3 ?

The host machine is connected to 10.0.0.0/16:

> ifconfig
ens10: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1450
        inet 10.0.0.2  netmask 255.255.255.255  broadcast 10.0.0.2
        inet6 f**0::8**0:ff:f**9:b**7  prefixlen 64  scopeid 0x20<link>
        ether **:00:00:**:**:**  txqueuelen 1000  (Ethernet)

CodePudding user response:

Listening to a single IP address seems not correct. The service is listening at an IP address.

Let's say your VM has two network interfaces (ethernet cards):

Network 1 → subnet: 10.0.0.0/24 and IP 10.0.0.100
Network 2 → subnet: 10.0.1.0/24 and IP 10.0.1.200

  • If you set 127.0.0.1:80:80, that means that your service is listening at 127.0.0.1's (localhost) port 80.
  • If you want to access the service from the 10.0.0.0/24 subnet, you should set 10.0.0.100:80:80 and use the http://10.0.0.100:80 address to be able to connect to your container from external hosts.

If you want to access the service from multiple networks simultaneously, you can bind the container port to multiple ports (where the IP is the connection source IP):

ports:
- 10.0.0.100:80:80
- 10.0.1.200:80:80
- 127.0.0.1:80:80

And don't forget to open port 80 on the VM's firewall, if a firewall exists and restricts that network.

CodePudding user response:

If you give Compose ports: (or docker run -p) an IP address, it must be a specific known IP address of a host interface, or 0.0.0.0 for "all interfaces". The Docker daemon gives this specific IP address to a bind(2) call, which takes an address and not a network, and follows the rules in ip(7) for IPv4.

With the output you show, you can only bind containers to 10.0.0.2. If you want to use other IP addresses on the same network, you also need to assign them to the host; see for example How can I (from CLI) assign multiple IP addresses to one interface? on Ask Ubuntu, and then you can bind a container to the newly-added address.

If your system is on multiple physical networks, you can have any number of ports: so long as the host address and host port are unique. In particular you can have multiple ports: that all forward to the same container port.

ports:
  # make this visible to the external load balancer on port 80
  - '192.168.17.2:80:3000'
  # also make this visible to the internal network also on port 80
  - '10.0.0.2:80:3000'
  # and the management network but on port 3000
  - '10.99.0.36:3000:3000'

Again, the host must already have these IP addresses in the ifconfig output.
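
An added example, not part of the question or the answers on this page: a small Python check that classifies Compose short-syntax ports entries along the lines described above, flagging a CIDR range as invalid, a host IP that bind(2) would reject, and entries that publish on all interfaces. The function names and result labels are hypothetical, and the no-host-IP case assumes Docker's default of publishing on 0.0.0.0.

```python
import errno
import ipaddress
import socket


def host_has_address(ip):
    """True if bind(2) accepts ip, i.e. it is assigned to a host interface."""
    v6 = ipaddress.ip_address(ip).version == 6
    with socket.socket(socket.AF_INET6 if v6 else socket.AF_INET) as s:
        try:
            s.bind((ip, 0))  # port 0 = any free port; only the address matters
            return True
        except OSError as e:
            if e.errno == errno.EADDRNOTAVAIL:  # "cannot assign requested address"
                return False
            raise


def check_port_entry(entry, is_local=host_has_address):
    """Classify one short-syntax entry: [HOST_IP:]HOST_PORT:CONTAINER_PORT."""
    parts = entry.rsplit(":", 2)
    if len(parts) < 3:
        return "all-interfaces"  # no host IP: published on 0.0.0.0 by default
    host = parts[0].strip("[]")  # IPv6 host addresses are written in brackets
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "invalid-host-ip"  # e.g. a CIDR range; bind(2) takes one address
    if addr.is_unspecified:
        return "all-interfaces"
    if not is_local(host):
        return "address-not-on-host"  # Docker would fail to start the proxy
    return "loopback-only" if addr.is_loopback else "single-interface"


if __name__ == "__main__":
    # Constructed sample entries, taken from the forms discussed on this page.
    for e in ["127.0.0.1:80:80", "10.0.0.0/16:80:80", "10.0.0.3:80:80", "80:80"]:
        print(f"{e:22} {check_port_entry(e)}")
```

Pass your own is_local callable (for example a set's membership test) to check a Compose file for a host other than the one the script runs on.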

CodePudding user response:

I think you misunderstood this field.

When you map 127.0.0.1:80:80 you will map interface 127.0.0.1 from your host to your container.

In the case of the 127.0.0.1 you can only access it from inside your host.

When you map 10.0.0.3:80:80 you will map interface 10.0.0.3 from your host to your container. And all IPs that can access 10.0.0.3 will have access to your Docker container mapping.

But in any case this field will not do any filtering of who accesses this container.

EDIT: After your modification I've seen my misunderstanding of your question.

You want docker to create "bridge interface" to not share the ip of your host.

I don't think this is possible when using the port mapping.
