    Bjorn S
    @Bjeaurn
    I'm not entirely sure, I should check this; but the default network is the one generated by the stack upon creation right? so appa_default network?
    Yeah, I would assume you would just do ports: - 80:80
    Mike Holloway
    @mh720
    yes
    Bjorn S
    @Bjeaurn
    and then from inside the swarm, you would route towards this network
    instead what happens, and this is where I'm missing what I'm doing wrong, is when I bind 80:80, it becomes available to the entire world and docker swarm, instead of just in this network that I was expecting to be routing to
    Mike Holloway
    @mh720
    Yes, usually via the container ‘name’ (https://containername:internalport)
    Bjorn S
    @Bjeaurn
    so this specific stack configuration now affects all my other stack configurations
    ah yeah, the containername is interesting; wouldn't you expect this to be at a stack level or something?
    considering they're like isolated applications on their own?
    Mike Holloway
    @mh720
    if you expose a port (EXPOSED PORT:INTERNAL PORT), it will do exactly what you are seeing
    Bjorn S
    @Bjeaurn
    alright, so if I want to expose 80:80 but only to that internal network and then let the swarm route to that network and let that figure out what the entrypoint is; I need to set up a different network? Maybe in bridge mode instead of overlay?
    basically, if I would grab a docker-compose.yml from anywhere with a web app; you may assume a port 80 is bound somewhere. However, if there's already another stack that uses it, this won't work. This seems weird to me, as I understand that you'd have to route to that specific virtual network in your swarm (hence; the reverse proxy). But I wasn't expecting it to be swarm wide when you expose a port.
    Mike Holloway
    @mh720
    I think I’m missing something you are trying to accomplish, I must be. Are you wanting to isolate app containers into individual networks, and route between those networks (not expose them to the world)?
    Bjorn S
    @Bjeaurn
    Really appreciate you taking the time to talk me through it by the way @mh720
    Yes, basically.
    In my mind, I have multiple "fake" networks, isolated per stack
    In that network you can have containers expose port 80. so your config for appA doesn't touch your config for appB, they can both be using port 80 whatever.
    Then you either reverse proxy into the correct network (via IP or generated port? I don't know?), and let the docker swarm loadbalancer take it from there
    am I making a mistake in my mental mindmap?
    I mean, when I look at my networks topology now in swarmpit; I have test_default, test2_default (being appA and appB)
    and I would expect, they can both have their port 80 assignment in there.
    instead, they seem to give up their private network and influence the entire swarm, instead of just their own personal little stack
    am I making any sense at all? :-P
    Mike Holloway
    @mh720
    I don’t have any experience there. My experience is that you need to join other stacks into the SAME network in order for them to be able to route to each other. See ‘attachable: true’ within https://github.com/swarmstack/swarmstack/blob/master/docker-compose.yml and then maybe https://github.com/swarmstack/errbot-docker/blob/master/docker-compose-swarmstack.yml for example of a second stack connecting to the first one’s network
    Bjorn S
    @Bjeaurn
    hmmm ok, my main point being that I think stacks shouldn't (by default) be connecting to each other
    Surely they need to expose something to the entire swarm, and that's up to a reverse proxy to figure out then
    which is a different situation in which I have a bit more experience myself using nginx
    It's just that I can't wrap my head around separating my stacks and containers into their own isolated areas and then having a main manager handle the routing to the correct stack/container
    Mike Holloway
    @mh720
    Separate stack named networks will only be able to connect to each other if they ‘expose’ something to the world, otherwise they would be isolated from each other.
    Bjorn S
    @Bjeaurn
    hmm ok let's flip this around
    Ah ok that makes a bit more sense to me
    but that would mean you wouldn't expose port 80:80, but have it randomize instead so your proxy can take port 80:80
    or have a fixed port per application basically
    if you were running a docker swarm, and you wanted to deploy 2 or more separate apps that have no reason to communicate to each other
    how would you go about separating and assigning networks and ports?
    Mike Holloway
    @mh720
    yup. or use reverse proxy. those I believe are your only options. Only 1 thing can ‘expose’ a given port per swarm (or non-swarm host)
    Bjorn S
    @Bjeaurn
    hmmm ok, then that's where my mental image is wrong
    I wasn't expecting an exposed port to be "Swarm wide"
    Mike Holloway
    @mh720
    Yup, they are.
    Bjorn S
    @Bjeaurn
    as I've noticed.
    But how would you organize like 3 apps in a swarm, all needing to expose port 80 cause it's the web.
    you would reverse proxy and give them fixed ports, 9001, 9002, 9003 etc?
    Mike Holloway
    @mh720
    Swarm will accept that exposed port’s traffic on ANY swarm host member, and transparently proxy that traffic for you to the correct host that the container (or containers) that the service is running on.
    Bjorn S
    @Bjeaurn
    Oooooh ok
    That does make a bit more sense
    Alright, and you connect by container name, so http://my-container:80
    Mike Holloway
    @mh720
    meaning that you could set up a DNS RR against all your swarm members to achieve a poor person’s HA, although in practice you’d instead want to use some sort of upstream load-balancer (HA proxy, etc) that is aware of the health of the hosts it’s sending traffic towards and not send it potentially to a dead swarm host
    Bjorn S
    @Bjeaurn
    is there a way, if you have like replicated containers, to connect to a "service" name or whatever the proper terminology is?
    Ah yeah, good point.
    Mike Holloway
    @mh720
    http://my-container:80 exactly