Docker Community Forums

Service create --publish not on public interface

(Eezec) #1


I am trying to set up a docker-mariadb-cluster (

I’ve installed 3 VPS, with 2 interfaces, with one private interface (eth0) and one public (eth1).
Swarm mode with docker 1.12 is running.

What are the best practices to publish the database port only on the private interface (eth1)?

Thanks for help

(Eezec) #2

well … other issue for storage either …

(Tomasz Korwel) #3

Why the need to publish the port at all? If your service is attached to an overlay network, all nodes will have access to each other via docker’s overlay network with no access from the public network.

If the service needs to be consumed by another container (e.g. nginx) attach that service to cluster’s overlay network and only expose ports of that service.

(Eezec) #4

Sounds good, I like this idea. Could you be more descriptive for the second part, please?


(Tomasz Korwel) #5

What I meant is that you can create mysql cluster by

docker service create --name mysql --replicas 3 --network my_overlay yourimagename

Tasks running in this cluster will be able to talk to each other but will not be available to the public network since you do not publish any ports. Then you can create the nginx service:

docker service create --name nginx --network my_overlay -p 80:80 nginxcontainer

If you inspect the second task you will notice that it will have two network interfaces - one attached to the my_overlay network and another one attached to the ingress network. The code that will be served by this task will be able to reach your db cluster under its name (e.g. mysql:3306) thanks to docker’s mesh network and internal dns, and at the same time will be available to the outside world on port 80 to serve www sites.
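
An added example, not part of any post in this thread: a small audit that reads `docker service inspect` JSON and reports any service publishing a port outside an allowlist, so a database service that ends up with a published port is caught. The sample JSON is constructed and trimmed to the fields used, and the `ALLOWED` policy is an assumption built from the service names in the thread.

```python
import json
import sys

# Constructed sample of `docker service inspect mysql nginx` output,
# trimmed to the fields this check reads. Names follow the thread.
SAMPLE_INSPECT = json.loads("""
[
  {"Spec": {"Name": "mysql"},
   "Endpoint": {"Spec": {"Mode": "vip"}}},
  {"Spec": {"Name": "nginx"},
   "Endpoint": {"Spec": {"Mode": "vip"},
                "Ports": [{"Protocol": "tcp", "TargetPort": 80,
                           "PublishedPort": 80}]}}
]
""")

# Assumed policy: only nginx may publish, and only 80/tcp.
# A port published through the ingress network listens on every swarm node.
ALLOWED = {"nginx": {(80, "tcp")}}


def published_ports(service):
    """Return the set of (published_port, protocol) for one inspected service."""
    ports = (service.get("Endpoint") or {}).get("Ports") or []
    return {(p["PublishedPort"], p.get("Protocol", "tcp"))
            for p in ports if p.get("PublishedPort")}


def audit(services, allowed):
    """Return sorted (service, port, protocol) tuples published outside the allowlist."""
    findings = []
    for svc in services:
        name = svc["Spec"]["Name"]
        for port, proto in published_ports(svc) - allowed.get(name, set()):
            findings.append((name, port, proto))
    return sorted(findings)


if __name__ == "__main__":
    # With a file argument, audit saved `docker service inspect` output;
    # without one, audit the constructed sample above.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            data = json.load(fh)
    else:
        data = SAMPLE_INSPECT
    for name, port, proto in audit(data, ALLOWED):
        print(f"{name}: {port}/{proto} is published but not in the allowlist")
    print("audit finished")
```

To audit a live swarm, save the output of `docker service inspect $(docker service ls -q)` to a file and pass that file as the first argument.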