docker, docker-compose, docker-network

disable IP forwarding if no port mapping definition in docker-compose.yml file


I am learning docker network. I created a simple docker-compose file that starts two tomcat containers:

version: '3'
services:
    tomcat-server-1:
        container_name: tomcat-server-1
        image: .../apache-tomcat-10.0:1.0
        ports:
            - "8001:8080"

    tomcat-server-2:
        container_name: tomcat-server-2
        image: .../apache-tomcat-10.0:1.0

After I start the containers with docker-compose up I can see that tomcat-server-1 responds on http://localhost:8001. At first glance, tomcat-server-2 is not available from localhost. That's great, this is what I need.

When I inspect the two running containers I can see that they use the following internal IPs:

  • tomcat-server-1: 172.18.0.2
  • tomcat-server-2: 172.18.0.3

I see that the tomcat-server-1 is available from the host machine via http://172.18.0.2:8080 as well.

Then the following surprised me: tomcat-server-2 is also available from the host machine via http://172.18.0.3:8080 even though no port mapping is defined for this container in the docker-compose.yml file.

What I would like to reach is the following:

  • The two tomcat servers must see each other in the internal docker network via hostnames.
  • Tomcat must be available from the host machine ONLY if the port mapping is defined in the docker-compose file, e.g. "8001:8080".
  • If no port mapping is defined then the container must NOT be available, either from localhost or from its internal IP, e.g. 172.18.0.3.

I have tried to use different network configurations like the bridge, none, and host mode. No success.

Of course, the host mode cannot work because both tomcat containers use the same port 8080 internally. So if I am correct then only the bridge or none mode can be considered.

Is it possible to configure the docker network this way? It would be great to solve this via the docker-compose file only, without any external docker, iptables, etc. manipulation.


Solution

  • Without additional firewalling setup, you can't prevent a Linux-native host from reaching the container-private IP addresses.

    That having been said, the container-private IP addresses are extremely limited. You can't reach them from other hosts. If Docker is running in a Linux VM (as the Docker Desktop application provides on MacOS or Windows) then the host outside the VM can't reach them either. In most cases I would recommend against looking up the container-private IP addresses at all since they're not especially useful.

    I wouldn't worry about this case too much. If your security requirements need you to prevent non-Docker host processes from contacting the containers, then you probably also have pretty strict controls over what's actually running on the host and who can log in; you shouldn't have unexpected host processes that might be trying to connect to the containers.
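The practical takeaway from the answer is that a compose file defines three tiers of reachability rather than two: a service with no `ports:` entry still answers on its container-private bridge IP from the Docker host itself, a service published on a loopback address answers only to the host, and a service published without a host IP (or on 0.0.0.0) answers to other machines as well. The script below is an added example, not code from the question or the answer: it parses each service's `ports:` entries (Docker's short `[HOST_IP:]HOST_PORT[:CONTAINER_PORT][/PROTO]` syntax and the long dict syntax) and reports the tier per service, so the exposure of a compose project can be reviewed before `docker-compose up`. `COMPOSE` is a constructed dict in the shape `yaml.safe_load()` would return for the question's file (the elided image names are placeholders), with an extra constructed `admin-ui` service that goes beyond the page to exercise the loopback-only tier.

```python
"""Audit a docker-compose definition for how reachable each service is.

Exposure tiers, following the discussion above:
  * unpublished: no `ports:` entry. The service only has its container-private
    bridge IP (e.g. 172.18.0.3), reachable from processes on the Docker host
    itself but from nowhere else.
  * host-only:   published, but every binding is on a loopback host IP, so only
    the host can reach the mapped port.
  * external:    published on all interfaces (no host IP, 0.0.0.0 or ::) or on a
    routable interface address, so other machines can reach it too.

Added example, not from the question or the answer. COMPOSE is a constructed
dict in the shape yaml.safe_load() returns for the question's compose file,
plus one extra constructed service to exercise the host-only tier.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional, Union

# Docker short port syntax: [HOST_IP:]HOST_PORT[:CONTAINER_PORT][/PROTOCOL].
# HOST_PORT may be empty ("127.0.0.1::8080") so Docker picks an ephemeral port.
PORT_RE = re.compile(
    r"(?:(?P<ip>\[[0-9a-fA-F:.]+\]|\d{1,3}(?:\.\d{1,3}){3}):)?"  # optional host IP
    r"(?:(?P<host>\d+(?:-\d+)?)?:)?"                            # optional host port/range
    r"(?P<container>\d+(?:-\d+)?)"                              # container port/range
    r"(?:/(?P<proto>tcp|udp|sctp))?"
)


@dataclass(frozen=True)
class PublishedPort:
    host_ip: Optional[str]    # None: bound on all host interfaces
    host_port: Optional[str]  # None: ephemeral host port chosen by Docker
    container_port: str
    protocol: str = "tcp"

    def _addr(self):
        return ip_address(self.host_ip.strip("[]")) if self.host_ip else None

    def binds_all_interfaces(self) -> bool:
        addr = self._addr()
        return addr is None or addr.is_unspecified

    def binds_loopback(self) -> bool:
        addr = self._addr()
        return addr is not None and addr.is_loopback


def parse_port_spec(spec: Union[str, int, dict]) -> PublishedPort:
    """Parse one `ports:` list item, in either short or long compose syntax."""
    if isinstance(spec, dict):  # long syntax: target / published / host_ip / protocol
        published = spec.get("published")
        return PublishedPort(
            host_ip=spec.get("host_ip"),
            host_port=None if published in (None, "") else str(published),
            container_port=str(spec["target"]),
            protocol=spec.get("protocol", "tcp"),
        )
    m = PORT_RE.fullmatch(str(spec))
    if m is None:
        raise ValueError(f"unrecognised port spec: {spec!r}")
    return PublishedPort(
        host_ip=m.group("ip"),
        host_port=m.group("host"),
        container_port=m.group("container"),
        protocol=m.group("proto") or "tcp",
    )


def classify_service(service: dict) -> str:
    ports = [parse_port_spec(p) for p in service.get("ports", [])]
    if not ports:
        return "unpublished"
    if all(p.binds_loopback() for p in ports):
        return "host-only"
    return "external"  # at least one all-interface or routable-address binding


def exposure_report(compose: dict) -> dict:
    """Map each service name to its exposure tier."""
    return {name: classify_service(svc) for name, svc in compose["services"].items()}


COMPOSE = {  # constructed: the question's two services plus one extra
    "version": "3",
    "services": {
        "tomcat-server-1": {"image": "TOMCAT_IMAGE_PLACEHOLDER", "ports": ["8001:8080"]},
        "tomcat-server-2": {"image": "TOMCAT_IMAGE_PLACEHOLDER"},
        # constructed extra service, not in the question: loopback-bound only
        "admin-ui": {
            "image": "ADMIN_IMAGE_PLACEHOLDER",
            "ports": [{"target": 9000, "published": 9000, "host_ip": "127.0.0.1"}],
        },
    },
}

if __name__ == "__main__":
    for name, tier in exposure_report(COMPOSE).items():
        print(f"{name:16s} {tier}")
```

For the question's file this reports tomcat-server-1 as external and tomcat-server-2 as unpublished; the latter label is the point of the answer, since "unpublished" still means reachable from the Docker host on 172.18.0.3, just not from anywhere beyond it.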