How to connect to a swarm container from host?

I have a Swarm running with a Postgres database as part of it. I’m trying to figure out how to connect to the database so I can query it. Back when I used Compose in a previous setup I was able to expose the port to the host and then SSH into the host and just connect over a tunnel. However with Swarm it doesn’t seem possible to expose a container to the host as well.

So if I have a swarm entry visible on the host as

root@do-prod-node-3:~# docker ps
CONTAINER ID        IMAGE                                      COMMAND                  CREATED             STATUS              PORTS               NAMES
ac4a573c2c14       postgres:9.6                                "/docker-entrypoint.s"   7 minutes ago       Up 7 minutes        5432/tcp            authdb.1.7yg3gx1naqhti3lpzy1pu9qpn

I can’t access this container as is from the host (that I’m aware of). If I use the publish-add option of Swarm then I can access the container… however it is also exposed on the public interface.

What is the best way to securely connect to the database from the host and only the host?

I am sorry, maybe I haven’t understood your question… Why don’t you just consume the service and use the PostgreSQL secure options for your environment? Maybe I am missing something?
Regards,
Javier R.

In regular Docker you can do docker run --name some-postgres -p 127.0.0.1:5432:5432 -e POSTGRES_PASSWORD=mysecretpassword -d postgres. This will bind port 5432 so it is only accessible to the localhost. If you omit the 127.0.0.1 then it is accessible to the world.

However, if I do docker service update authdb --publish-add 127.0.0.1:5432:5432 then I get the message: invalid argument "127.0.0.1:5432:5432" for --publish-add: HostIP is not supported by a service.

So I’m basically trying to figure out how to achieve this same feature that regular Docker has. Then I can SSH into the host with a tunnel and query the database from my laptop.
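As an added check, not code from the thread: a shell snippet that reads ss -ltn output from a Swarm node and reports which listeners on the database port are bound to a wildcard address (reachable on the public interface) rather than to 127.0.0.1. The ss column layout is an assumption, and the sample lines are constructed, not captured from the poster's node.

```shell
# Print every listener on PORT that is bound to a wildcard address, i.e. one
# reachable on the host's public interface, not only on loopback.
# Reads "ss -ltn"-style output on stdin; prints nothing when every listener
# on that port is loopback-only. Needs only POSIX sh and awk.
public_listeners() {
  awk -v port="$1" '
    $1 == "LISTEN" {
      laddr = $4                              # "Local Address:Port" column
      n = split(laddr, parts, ":")
      if (parts[n] != port) next              # port is the last ":"-separated field
      addr = substr(laddr, 1, length(laddr) - length(parts[n]) - 1)
      if (addr == "0.0.0.0" || addr == "*" || addr == "[::]" || addr == "::") print laddr
    }'
}

# Constructed sample, not captured from the poster's node: a Swarm-published
# port (routing mesh) listening on the wildcard address, and a port bound the
# "docker run -p 127.0.0.1:5433:5432" way, listening on loopback only.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:5432        0.0.0.0:*
LISTEN 0      128    [::]:5432           [::]:*
LISTEN 0      128    127.0.0.1:5433      0.0.0.0:*'

# Run the check against the sample; on a live node use: ss -ltn | public_listeners 5432
check_sample() {
  printf '%s\n' "$SAMPLE_SS" | public_listeners "$1"
}

check_sample 5432   # prints 0.0.0.0:5432 and [::]:5432: exposed beyond localhost
check_sample 5433   # prints nothing: loopback-only binding
```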

Remember that the routing mesh will guide any request on any cluster node to your 5432 … no matter where the service is. I think that a service is a concept close to “publish to the world”, and maybe you can’t do that. Maybe I am wrong.
Javier R.