Good afternoon. I have a problem: I need to close access to all containers from the outside world and allow it only from localhost.

    version: '2'
    services:
      mongodb:
        image: 'bitnami/mongodb:latest'
        network_mode: "host"
        volumes:
          - /bitnami/mongo:/bitnami
        ports:
          - "127.0.0.1:27017:27017"
        environment:
          - MONGODB_ROOT_PASSWORD=password123
      redis:
        image: 'bitnami/redis:latest'
        network_mode: "host"
        volumes:
          - /bitnami/redis:/bitnami
        ports:
          - '127.0.0.1:6379:6379'
        environment:
          - REDIS_PASSWORD=password123
      main:
        build: .
        network_mode: "host"
        ports:
          - "127.0.0.1:8080:8080"
        volumes:
          - .:/code
          - /settings:/go/settings/

Here is what `root@localhost:~# netstat -plnt` shows:

    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
    tcp        0      0 0.0.0.0:5000            0.0.0.0:*               LISTEN      2774/nginx: worker
    tcp        0      0 0.0.0.0:27017           0.0.0.0:*               LISTEN      3224/mongod
    tcp        0      0 0.0.0.0:6379            0.0.0.0:*               LISTEN      3097/redis-server 0
    tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      2774/nginx: worker
    tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      29048/sshd
    tcp6       0      0 :::22                   :::*                    LISTEN      29048/sshd
    tcp6       0      0 :::8000                 :::*                    LISTEN      3282/code

This shows that the containers are open to access from the outside. Everything needs to be closed, with access allowed only through localhost.

  • As an option: iptables, no? - Mikhail Alekseevich
  • @Mikhail Alekseevich Because I am not a Linux guru, and if I am not mistaken, after restarting the entire stack Docker will open all this up again. There is surely an adequate solution designed for exactly this purpose. - Zaazik
  • It will open again if you do not register it in rc.init, for example :) But you have one subnet written in your config and a different one opens. This is more of a bug; iptables is the best way to deal with it. - Mikhail Alekseevich
  • @MikhailAlekseevich Isn't this caused by network_mode: "host"? If there is an option to fix the docker-compose file so that access is only from localhost, e.g. "localhost:8000" or "127.0.0.1:8000", then I will gladly upvote it, but iptables is dreary and takes a long time for me; I need a quick and painless solution. - Zaazik
  • In Docker >= 17.06 this was fixed and a new chain was added that Docker does not reset on restart. Proof: github.com/moby/moby/issues/29184 - nobody

1 answer

Everything was solved by removing

  network_mode: "host" 

from all services, and instead simply adding links to redis and mongo.

    version: '2'
    services:
      mongodb:
        image: 'bitnami/mongodb:latest'
        volumes:
          - /bitnami/mongo:/bitnami
        ports:
          - "127.0.0.1:27017:27017"
        environment:
          - MONGODB_ROOT_PASSWORD=password123
      redis:
        image: 'bitnami/redis:latest'
        volumes:
          - /bitnami/redis:/bitnami
        ports:
          - '127.0.0.1:6379:6379'
        environment:
          - REDIS_PASSWORD=password123
      main:
        build: .
        links:
          - mongodb
          - redis
        ports:
          - "127.0.0.1:8080:8080"
        volumes:
          - .:/code
          - /settings:/go/settings/
      dev:
        build: .
        links:
          - mongodb
          - redis
        ports:
          - "127.0.0.1:8000:8000"
        volumes:
          - .:/code
          - /settings:/go/settings/
    #
    #volumes:
    #  redis:
    #    - /bitnami/redis
    #  mongodb:
    #    - /bitnami/mongo

After that, `netstat -plnt` shows only loopback bindings for the containers:

    root@localhost:/home/InterExchangeHustla# netstat -plnt
    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
    tcp        0      0 0.0.0.0:5000            0.0.0.0:*               LISTEN      2774/nginx: worker
    tcp        0      0 127.0.0.1:27017         0.0.0.0:*               LISTEN      8728/docker-proxy
    tcp        0      0 127.0.0.1:6379          0.0.0.0:*               LISTEN      8697/docker-proxy
    tcp        0      0 127.0.0.1:8080          0.0.0.0:*               LISTEN      12138/docker-proxy
    tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      2774/nginx: worker
    tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      29048/sshd
    tcp        0      0 127.0.0.1:8000          0.0.0.0:*               LISTEN      10258/docker-proxy
    tcp6       0      0 :::22                   :::*                    LISTEN      29048/sshd
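As an added example (not from the question or the answer above), a small Python checker for the two things this thread turns on: a service with `network_mode: "host"` shares the host's network stack, so its `ports:` bindings are discarded and the daemon listens wherever it binds itself, and any `netstat -plnt` listener on `0.0.0.0` or `::` is reachable from outside. The netstat sample is constructed from the outputs in the thread, and the service definitions are hand-built dicts standing in for what a YAML parser would return from the compose file.

```python
from typing import Any, Dict, List

# Constructed sample in `netstat -plnt` format, based on the "before" output in the question.
NETSTAT_BEFORE = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address   Foreign Address   State   PID/Program name
tcp        0      0 0.0.0.0:27017   0.0.0.0:*         LISTEN  3224/mongod
tcp        0      0 0.0.0.0:6379    0.0.0.0:*         LISTEN  3097/redis-server 0
tcp        0      0 127.0.0.1:8080  0.0.0.0:*         LISTEN  12138/docker-proxy
tcp6       0      0 :::8000         :::*              LISTEN  3282/code
"""

WILDCARD_ADDRS = {"0.0.0.0", "::"}       # bound on every interface: reachable from outside
LOOPBACK_ADDRS = {"127.0.0.1", "[::1]"}  # host IPs that keep a published port local-only


def exposed_listeners(netstat_output: str) -> List[Dict[str, str]]:
    """Return LISTEN sockets from netstat -plnt output that are bound to a wildcard address."""
    exposed = []
    for line in netstat_output.splitlines():
        cols = line.split(None, 6)  # proto recv-q send-q local foreign state program
        if len(cols) < 7 or cols[5] != "LISTEN":
            continue
        addr, _, port = cols[3].rpartition(":")  # rpartition keeps ':::8000' -> ('::', '8000')
        if addr in WILDCARD_ADDRS:
            exposed.append({"proto": cols[0], "port": port, "program": cols[6].strip()})
    return exposed


def compose_exposure_issues(name: str, service: Dict[str, Any]) -> List[str]:
    """Flag settings of one compose service (dict as a YAML parser returns it) that are not localhost-only."""
    issues = []
    if service.get("network_mode") == "host":
        # Host networking shares the host's stack: the 'ports:' entries are discarded and the
        # process listens on whatever it binds itself (0.0.0.0 for mongod/redis by default).
        issues.append(f"{name}: network_mode host discards ports: bindings")
    for mapping in service.get("ports", []):
        parts = str(mapping).rsplit(":", 2)  # [host_ip:]host_port:container_port
        if len(parts) < 3:
            issues.append(f"{name}: port {mapping!r} has no host IP, so Docker binds 0.0.0.0")
        elif parts[0] not in LOOPBACK_ADDRS:
            issues.append(f"{name}: port {mapping!r} binds host IP {parts[0]}, not loopback")
    return issues


if __name__ == "__main__":
    print(exposed_listeners(NETSTAT_BEFORE))
    # Constructed stand-in for the question's mongodb service, as a YAML parser would return it.
    print(compose_exposure_issues("mongodb", {"network_mode": "host", "ports": ["127.0.0.1:27017:27017"]}))
```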