Multiple containers using another container for network in docker-compose?

Hi,

I am trying to create a docker-compose file where multiple containers use another container for their network. The documentation says I don’t do port publishing but put the ports in the VPN container.

My docker host is 192.168.9.7 and when I run a single container connected to the vpn container it works great. I can connect to 192.168.9.7:8080 and see my qbittorrent container’s web interface. But when I go into a bash shell in portainer and check my external IP it’s the VPN IP.

But when I add a second container - it works fine - I can connect to my new jackett container at 192.168.9.7:9117 BUT the qbittorrent is no longer accessible at 192.168.9.7:8080.

If I comment out the line in my VPN service that says

 - 9117:9117 

and rebuild then I’m back to being able to access qbittorrent on port 8080.

How do I tell docker I want one of those port mappings to be for one container, and another port mapping to be for another container? Is that possible?

Thanks

version: "3.7"

networks:
  main:
    external:
      name: main
  default:
    driver: bridge

services:
  portainer:
    container_name: portainer
    image: portainer/portainer:latest
    restart: unless-stopped
    command: -H unix:///var/run/docker.sock
    networks:
      - main
    ports:
      - "$PORTAINER_PORT:9000"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - $DOCKERDIR/portainer/data:/data # Change to local directory if you want to save/transfer config locally
    environment:
      - TZ=$TZ
  vpn:
    image: ghcr.io/bubuntux/nordvpn
    cap_add:
      - NET_ADMIN               # Required
      - NET_RAW                 # Required
    environment:                # Review https://github.com/bubuntux/nordvpn#environment-variables
      - USER=$NORD_USER         # Required
      - "PASS=NORD_PASS"         # Required
      - CONNECT=United_Kingdom
      - TECHNOLOGY=NordLynx
      - NETWORK=192.168.9.0/24  # So it can be accessed within the local network
    ports:
      - 8080:8080
      - 9117:9117
    sysctls:
      - net.ipv6.conf.all.disable_ipv6=1  # Recommended if using ipv4 only
  torrent:
    image: ghcr.io/linuxserver/qbittorrent
    network_mode: service:vpn
    depends_on:
      - vpn
  jackett:
    image: lscr.io/linuxserver/jackett:latest
    network_mode: service:vpn
    depends_on:
      - vpn
    container_name: jackett
    environment:
      - PUID=$PUID
      - PGID=$PGID
      - TZ=$TZ
      - AUTO_UPDATE=true #optional
      #- RUN_OPTS=<run options here> #optional
    volumes:
      - $DOCKERDIR/jackett/config:/config
      - $DOCKERDIR/jackett/downloads:/downloads
    restart: unless-stopped

No. Using “network_mode” this way means your containers will be in the same network namespace as the VPN container. You can’t tell which container the port belongs to, because there is only one network: the “vpn” container’s network.

  1. What do you mean by “external IP”? How do you get that IP in the terminal?
  2. What do you mean by “bash shell in portainer”? Is it the shell of the portainer container or the shell of one of the containers using the “vpn” network?

It is possible that the jackett container uses port 8080 too even though you don’t forward any host port to it. Since those containers are in the same network namespace, services inside those containers can’t listen on the same ports.
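
The point made in the answer above, as an added example (not code from either poster): a Python check that groups services by the network namespace they end up in and reports ports bound by more than one of them, or published with nothing listening. The `SERVICES` map is reduced from the compose file in the question, and the `LISTENS` ports are assumptions taken from the URLs the question mentions.

```python
from collections import defaultdict

# Constructed: reduced from the compose file in the question (networking keys only).
SERVICES = {
    "vpn": {"ports": ["8080:8080", "9117:9117"]},
    "torrent": {"network_mode": "service:vpn"},
    "jackett": {"network_mode": "service:vpn"},
}
# Assumption: the port each service binds inside its container (from the question's URLs).
LISTENS = {"torrent": [8080], "jackett": [9117]}


def namespace_owner(services, name):
    """Follow network_mode: service:<x> to the service that owns the namespace."""
    seen = set()
    while services[name].get("network_mode", "").startswith("service:"):
        if name in seen:
            raise ValueError(f"network_mode cycle at {name}")
        seen.add(name)
        name = services[name]["network_mode"].split(":", 1)[1]
    return name


def audit(services, listens):
    """Return findings for one compose file (short-syntax, single-port mappings only)."""
    findings = []
    bound = defaultdict(lambda: defaultdict(list))  # owner -> port -> [services]
    for name in services:
        owner = namespace_owner(services, name)
        if owner != name and services[name].get("ports"):
            findings.append(f"{name}: publish ports on '{owner}', not here")
        for port in listens.get(name, []):
            bound[owner][port].append(name)
    for owner, ports in bound.items():
        for port, users in sorted(ports.items()):
            if len(users) > 1:  # one namespace, one listener per port
                findings.append(f"{owner} namespace: port {port} bound by {', '.join(users)}")
    for name, svc in services.items():
        if namespace_owner(services, name) != name:
            continue  # already reported above
        for mapping in svc.get("ports", []):
            target = int(str(mapping).split(":")[-1].split("/")[0])
            if target not in bound[name]:
                findings.append(f"{name}: published port {target} has no listener")
    return findings


if __name__ == "__main__":
    print("\n".join(audit(SERVICES, LISTENS)) or "no findings")
```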