Nomad: Allow binding Docker to loopback interface - Useful when proxying traffic

Created on 4 May 2017 · 7 comments · Source: hashicorp/nomad

Nomad version

Nomad v0.5.6

Operating system and Environment details

CentOS 7/ Ubuntu 16.04

Issue

Using this as reference: https://www.nomadproject.io/docs/drivers/docker.html
When specifying a docker based task config, can I specify that it binds only on 127.0.0.1?
There shall be a different proxy docker which will listen on the outside and forward to this docker listening on 127.0.0.1

In my use case:
The TLS based proxy is stunnel and my custom application is running inside a separate docker.
I don't want my custom application to be accessible from outside the machine except via my Proxy Docker.
Related to #2611

Another hypothetical Example: Apache + MySQL.

Thanks and Regards,
Shantanu


All 7 comments

Hey unfortunately not. But it is an interesting and valid use case. I am going to rename the issue slightly and mark it as an enhancement!

@dadgar Any update on this? Chances of landing in 0.6.0 ? 😀

Regards,
Shantanu

@shantanugadgil Unfortunately not! Until there are multiple network binds on the client, this issue will be blocked.

We are also using Consul Connect for proxying service-to-service communication
https://www.consul.io/docs/connect/security.html#prevent-non-connect-traffic-to-services
so this feature would be extremely useful for that use-case

FWIW, since my original request, this has been solved by bundling stunnel inside the docker container along with the actual app.
The apps used were memcache and redis.
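The bundling workaround described in the comment above, as an added example that is not from this thread or the Nomad project: a hypothetical container entrypoint that starts memcache on the container's own loopback and lets stunnel terminate TLS on the single port the task's port_map publishes. The ports, the certificate location and the `start` argument are assumptions.

```shell
#!/bin/sh
# Hypothetical entrypoint for a memcache + stunnel image (added example).
# The app listens only on 127.0.0.1 inside the container network namespace;
# stunnel is the only listener on a non-loopback address, so the host can
# reach the app solely through the TLS port that Nomad maps.
set -eu

APP_PORT=11211                 # memcache, loopback only, never in port_map
TLS_PORT=11212                 # the one port the Nomad task publishes
CERT_DIR=${CERT_DIR:-/etc/stunnel}   # assumed location of the server cert

# Render the stunnel server config: accept TLS on every container
# interface, forward plaintext to the loopback-bound app only.
render_stunnel_conf() {
cat <<EOF
foreground = yes
[memcache]
accept = 0.0.0.0:${TLS_PORT}
connect = 127.0.0.1:${APP_PORT}
cert = ${CERT_DIR}/server.pem
key = ${CERT_DIR}/server.key
EOF
}

# Bind the app to loopback, then hand the foreground to stunnel so the
# container's lifetime follows the TLS listener.
start_services() {
  memcached -u memcache -l 127.0.0.1 -p "${APP_PORT}" &
  render_stunnel_conf > /run/stunnel.conf
  exec stunnel /run/stunnel.conf
}

if [ "${1:-}" = "start" ]; then
  start_services
fi
```

Only the TLS port belongs in the task's port_map, so the host never publishes 11211; anything that can exec into the container can still reach the plaintext port, which is the limit of this workaround.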

Hello,

This enhancement makes sense because by default the Connect proxy uses 127.0.0.1 as the local service address.

Since the original request, memcache now has native TLS support (which is why I needed this (_sort of_)).
It would be perfectly OK if this can be closed.

I _feel_ that the original request can be somehow solved using a combination of:
https://www.nomadproject.io/docs/configuration/client
https://www.nomadproject.io/docs/job-specification/network

Adding folks for comments:
@dadgar @angrycub
