Networking with blockade - restrict communication
arneboockmeyer opened this issue · comments
Hi,
let's say we are using this configuration:

```yaml
containers:
  c1:
    image: my_docker_image
  c2:
    image: my_docker_image
    links: ["c1"]
  c3:
    image: my_docker_image
    links: ["c2"]
```
In our understanding of the documentation, `c2` should be able to communicate with `c1` and `c3`, and `c3` should be able to communicate with `c2` but not with `c1` (since they are not linked).
We tested this configuration and were surprised that every machine can communicate with every other one. Do we misunderstand the documentation (the `links` part) or is this a bug? If we misunderstand the documentation, how can we achieve our goal?
Thanks for your help!
Hello, links do not control which containers can communicate with each other. They are just a simple mechanism to tell containers about each other. When a container is linked to another, it automatically gets environment variables injected containing the IP and port information about the other container. See the docker docs for details. Note that this is a legacy mechanism, but I still rely on it in Blockade for now.
To do what you want, try creating a blockade partition. For example, `blockade partition c1,c2 c3` will allow c1 and c2 to communicate, but not c3.
Hi, thanks for the clarification.
If I use `blockade partition c1,c2 c3`, `c1` and `c2` can communicate with each other, but `c3` is isolated. I would like to create some kind of a chain `c1 <-> c2 <-> c3` (and `c3` should be unable to communicate with `c1` directly). Is that possible?
Sorry, no that is not currently supported. It is possible, but would require reworking the iptables chains blockade uses to implement partitions. I'll keep it in mind for a future improvement.
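As an added illustration (not code from this thread, from blockade, or from its maintainer): the chain topology asked for above can be expressed as a default-deny allow-list derived from the `links` graph, which is roughly the kind of iptables rework the previous comment refers to. The configuration is the one from the issue, rebuilt as a Python dict; the container addresses, the chain name `BLOCKADE_LINKS` and hooking the chain into `FORWARD` are assumptions made for the example. The script only renders the rules as strings so it runs anywhere; applying them needs root on the Docker host.

```python
"""Turn blockade-style `links` into a pairwise allow-list and render the
iptables rules that would enforce it (constructed example, not blockade's code)."""
from itertools import permutations

# Constructed: the topology from the issue (c2 links to c1, c3 links to c2).
CONFIG = {
    "containers": {
        "c1": {"image": "my_docker_image"},
        "c2": {"image": "my_docker_image", "links": ["c1"]},
        "c3": {"image": "my_docker_image", "links": ["c2"]},
    }
}

# Constructed addresses; a real tool would read them from the running containers.
ADDRS = {"c1": "172.17.0.2", "c2": "172.17.0.3", "c3": "172.17.0.4"}

CHAIN = "BLOCKADE_LINKS"  # hypothetical chain name, not one blockade uses


def allowed_pairs(config):
    """Unordered pairs that may talk: the link graph treated as undirected,
    because a link c2 -> c1 is useless unless c1 can answer c2."""
    containers = config["containers"]
    pairs = set()
    for name, spec in containers.items():
        for target in spec.get("links", []):
            if target not in containers:
                raise ValueError(f"{name} links to unknown container {target!r}")
            pairs.add(frozenset((name, target)))
    return pairs


def can_talk(config, a, b):
    """True only for directly linked containers; c1 and c3 are not."""
    return frozenset((a, b)) in allowed_pairs(config)


def iptables_rules(config, addrs, chain=CHAIN):
    """Render a default-deny rule set: ACCEPT each linked pair in both
    directions, DROP every other container-to-container flow, and RETURN
    for traffic that does not involve two managed containers."""
    rules = [f"iptables -N {chain}",
             f"iptables -I FORWARD -j {chain}"]  # hook point is an assumption
    for pair in sorted(allowed_pairs(config), key=sorted):
        a, b = sorted(pair)
        for src, dst in ((a, b), (b, a)):
            rules.append(
                f"iptables -A {chain} -s {addrs[src]} -d {addrs[dst]} -j ACCEPT")
    # Ordered pairs of managed containers that are not linked are dropped.
    for src, dst in permutations(sorted(addrs), 2):
        if not can_talk(config, src, dst):
            rules.append(
                f"iptables -A {chain} -s {addrs[src]} -d {addrs[dst]} -j DROP")
    rules.append(f"iptables -A {chain} -j RETURN")
    return rules


if __name__ == "__main__":
    for rule in iptables_rules(CONFIG, ADDRS):
        print(rule)
```

With the issue's config this yields four ACCEPT rules (c1<->c2 and c2<->c3), two DROP rules (c1->c3 and c3->c1) and nothing else, which is exactly the `c1 <-> c2 <-> c3` chain requested: the allow-list follows the links, and everything not linked is denied by default rather than by enumerating partitions.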
Hi, thanks for your effort, but this is not urgent anymore. We built our own tool. Thanks for your help!