Docker Community Forums

Share and learn in the Docker community.

Is it possible to publish the same port in both "ingress" and "host" PublishModes?

Hi all,

I have a Docker Service (Traefic) which I’ve exposed via port 80 in “Host” mode (in order to get the real client ip, so I can write rules to restrict traffic to specific “internal” services/networks). So far so good.

"EndpointSpec" : {
    "Ports" : [ 
        {
            "PublishedPort" : 80,
            "TargetPort" : 80,
            "PublishMode" : "host",
            "Protocol" : "tcp"
        }
    ]
},

Now I want to also expose Traefik on my Swarm’s Ingress network, so my Swarm Workers can access these “restricted” services (i.e. private Docker Registry). I thought I could add a second EndpointSpec - to share port 80, but it doesn’t seem to work. Changing the PublishedPort to 5000 also didn’t work.

Is this possible?

i.e.

"EndpointSpec" : {
    "Ports" : [ 
        {
            "PublishedPort" : 80,
            "TargetPort" : 80,
            "PublishMode" : "host",
            "Protocol" : "tcp"
        }, 
        {
            "PublishedPort" : 5000,
            "TargetPort" : 80,
            "PublishMode" : "ingress",
            "Protocol" : "tcp"
        }
    ]
},

Some background…

Core Problem: I want to share privately built docker images across my Docker Swarm, so I can scale services to other nodes.

A pretty common scenario I’d imagine…

Background: To achieve this, I want to run a single-replica Docker Registry in my swarm on a manager node. I want to expose it via the ingress network, so that it’s available to all workers (to provision services!)… but I don’t want to expose this service to the public (because, security).

  • I’ve tried binding the port to the loopback interface - which doesn’t work with docker swarm. (e.g 127.0.0.1:80).
  • I don’t want to mess with iptables if I can help it.
  • I’ve tried using “Internal: true” on my ingress network, but then I can’t access it on the swarm worker hosts.

I’m open to suggestions!

e.g.
Workaround1: Use scp to save/push/load docker images onto the worker nodes - bleagh! )