How to restrict connections to dockerized MongoDB from other dockerized application in the same serv

Time:01-12

I am using Orion Context Broker (in a docker container) and I need it to connect with MongoDB (which is in its own docker container). At the same time I must deny all incoming traffic to 27017 from external sources, because after running docker-compose the port 27017 is "exposed" to the public.

All of the above using Ubuntu 20.04.

This is my docker-compose.yml file:

version: "3.5"
services:
  orion:
    image: fiware/orion-ld
    hostname: orion
    container_name: fiware-orion
    expose:
      - "1026"
    ports:
      - "1026:1026"
    depends_on:
      - mongo-db
    command: -dbhost mongo-db -logLevel DEBUG

  mongo-db:
    image: mongo:3.6
    hostname: mongo-db
    container_name: db-mongo
    ports:
      - "27017:27017"
    networks:
      - default
    command: --nojournal
    volumes:
      - mongo-db:/data

volumes:
  mongo-db: ~

172.18.0.3 is the internal IP given to Orion's docker container. So I tried adding --bind_ip 172.18.0.3 to the command parameter of mongo-db in the docker-compose file, but this breaks the docker-compose up process with this error:

db-mongo | 2022-01-12T13:17:56.650 0000 E STORAGE [initandlisten] Failed to set up listener: SocketException: Cannot assign requested address

And these are my Ubuntu firewall rules (which I just learnt that Docker bypasses[*]):

OpenSSH                    ALLOW       Anywhere
1026                       ALLOW       Anywhere
27017                      DENY        Anywhere
27017                      ALLOW       127.0.0.1
27017                      ALLOW       172.18.0.3
OpenSSH (v6)               ALLOW       Anywhere (v6)
1026 (v6)                  ALLOW       Anywhere (v6)
27017 (v6)                 DENY        Anywhere (v6)

[*] https://www.techrepublic.com/article/how-to-fix-the-docker-and-ufw-security-flaw/ I have also made the fix suggested by the tutorial, but if I restart Docker then (for some unknown reason) I stop getting access to port 1026, which should be the only public port.

CodePudding user response:

The Compose ports: setting is what makes a container accessible from outside Docker space. It's not necessary (or used) for connections between containers. Deleting this should meet your needs.

version: '3.8'
services:
  orion:
    image: fiware/orion-ld
    ports:
      - "1026:1026"  # accessible from host port 1026
    depends_on:
      - mongo-db
    command: -dbhost mongo-db -logLevel DEBUG
    #  same hostname ^^^^^^^^ and default MongoDB port 27017
# vvvvvvvv
  mongo-db:
    image: mongo:3.6
    command: --nojournal
    volumes:
      - mongo-db:/data
    # no ports:, not accessible from outside Docker

volumes:
  mongo-db:

(I've also removed unnecessary container_name:, hostname:, networks:, and expose: options from this setup; they make no difference and the Compose stack should work just fine without them.)

CodePudding user response:

Put it on its own network (i.e. a new docker network: orion_net) and only expose the ports you need. Currently you are on the "default" network, which is shared.
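Both answers come down to the same rule: a service is reachable from outside Docker only through its ports: entries, and an entry without a host IP is bound on every host interface, where UFW does not see it. The following is an added example, not code from the question, the answers, or the FIWARE/MongoDB projects: a small static check that scans a compose file for services publishing ports on all interfaces, so the fix can be verified before docker-compose up. It assumes the Compose short port syntax ([HOST_IP:]HOST_PORT:CONTAINER_PORT[/proto]) and a conventionally two-space indented file; it is a line scanner, not a YAML parser, and both compose samples in it are constructed (the first mirrors the asker's file, the second follows the answers, including a dedicated orion_net network).

```python
"""Flag docker-compose services that publish ports on all host interfaces.

Added example (not the page's own code). Handles only the Compose short
port syntax and two-space indentation; it is not a general YAML parser.
"""

# Constructed sample mirroring the question: both services publish ports.
WEAK_COMPOSE = """\
version: "3.5"
services:
  orion:
    image: fiware/orion-ld
    ports:
      - "1026:1026"
    depends_on:
      - mongo-db
  mongo-db:
    image: mongo:3.6
    ports:
      - "27017:27017"
    command: --nojournal
"""

# Constructed sample following the answers: mongo-db has no ports: block and
# both services sit on a dedicated network instead of the shared default one.
HARDENED_COMPOSE = """\
version: "3.8"
services:
  orion:
    image: fiware/orion-ld
    ports:
      - "1026:1026"
    networks:
      - orion_net
    depends_on:
      - mongo-db
  mongo-db:
    image: mongo:3.6
    command: --nojournal
    networks:
      - orion_net
networks:
  orion_net: {}
"""


def parse_port_spec(spec):
    """Split a short-syntax mapping into (host_ip, host_port, container_port).

    host_ip is reported as '0.0.0.0' when the file gives none, because Docker
    then binds every host interface (and '::' too when IPv6 is enabled).
    """
    parts = spec.rsplit(":", 2)           # rsplit keeps a bracketed IPv6 ip whole
    container = parts[-1].split("/")[0]   # drop an optional /tcp or /udp suffix
    if len(parts) == 1:                   # bare container port: random host port, still public
        return ("0.0.0.0", None, container)
    if len(parts) == 2:                   # HOST_PORT:CONTAINER_PORT, no host ip
        return ("0.0.0.0", parts[0], container)
    return (parts[0].strip("[]"), parts[1], container)


def published_ports(compose_text):
    """Return {service: [(host_ip, host_port, container_port), ...]}."""
    result, service, in_services, in_ports = {}, None, False, False
    for raw in compose_text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip())
        if indent == 0:                   # top-level key: only 'services:' matters
            in_services, service, in_ports = stripped == "services:", None, False
            continue
        if not in_services:
            continue
        if indent == 2 and stripped.endswith(":"):   # a service definition
            service = stripped[:-1]
            result[service], in_ports = [], False
            continue
        if indent == 4:                   # a service-level key; track 'ports:'
            in_ports = stripped == "ports:"
            continue
        if in_ports and indent >= 6 and stripped.startswith("- "):
            result[service].append(parse_port_spec(stripped[2:].strip().strip("\"'")))
    return result


def public_exposure(compose_text):
    """Services whose published ports are bound on all interfaces."""
    findings = {}
    for svc, mappings in published_ports(compose_text).items():
        public = [m for m in mappings if m[0] in ("0.0.0.0", "::")]
        if public:
            findings[svc] = public
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_COMPOSE), ("hardened", HARDENED_COMPOSE)):
        print(name, public_exposure(text))
```

Running it reports mongo-db as publicly reachable for the first file and only orion for the second. The same check can be pointed at a real file with `public_exposure(open("docker-compose.yml").read())`; a mapping that starts with 127.0.0.1 is reported with that address and is not flagged, since Docker then binds the host port on loopback only.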
