Docker Community Forums


UDP Streaming application not making it out of docker container to external UDP socket on network (running on different server, but on network)

I have a docker application running on a server (.80) on a network with separate hardware/server (.50) that it will need to send data to over UDP. The controller service (running on .80) acts as an API exposed on 8000 that is accessible on the network by opening ports in firewalld (on .80): firewall-cmd --permanent --add-port=8000/tcp

Additionally, the controller service when posted to/curled does some data processing under the hood before sending UDP data packets out to .50 on a UDP socket exposed at 239.0.0.5:7775.

When running the controller service in docker bridge network / custom network (.80) I am able to access the controller API as desired, but am unable to get the UDP packets sent out of .80 / received by the UDP application running on .50.

version: '3.5'
networks:
  m-serve: {}
volumes:
  redis-dev_database: {}
services:
  redis:
    image: localhost:5000/redis:latest
    hostname: redis
    networks:
      - m-serve
    ports:
      - 6379
    volumes:
      - type: volume
        source: redis-dev_database
        target: /etc/redis/database
        volume:
          nocopy: true
  controller:
    image: localhost:5000/controller:latest
    networks:
      - m-serve
    ports:
      - 8000:8000
    environment:
      - REDIS_HOST=redis

I am able to get around this and successfully push data out to the UDP socket on .50 server (239.0.0.5:7775), if I am running my services in network mode = “host” (6379 and 8000 are exposed as part of the docker image build, thus making them accessible to anyone on host, despite not defining in compose):

version: '3.5'
volumes:
  redis-dev_database: {}
services:
  redis:
    image: localhost:5000/redis:latest
    network_mode: host
    volumes:
      - type: volume
        source: redis-dev_database
        target: /etc/redis/database
        volume:
          nocopy: true
  controller:
    image: localhost:5000/controller:latest
    network_mode: host
    environment:
      - REDIS_HOST=localhost

However, this is likely less secure and not desirable since the redis service is no longer isolated in bridge network, and is available to anyone on the host machine (.80). My hunch is that it works for controller service sending UDP out, because it inherits some network configuration/routing/resolution configured in host that I am missing.

My system engineering / networking isn’t great, so my specific question: Is there a way to run the controller service on docker bridge network, but enable communication/access to UDP socket exposed by the other hardware/server running on network?

Or if I’m stuck running controller on host network in order to keep communication to other hardware running services I need to send UDP packets to, is there a more secure way to compose redis so controller can connect, but not everyone on host system has access/ability to connect to redis?

Please let me know if I’ve missed networking pieces needed to help diagnose and I will update this post!
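
The exposure trade-off raised in the post (published ports on the bridge network versus `network_mode: host`) can be checked mechanically. The following is an added example, not part of the original post: the two Compose files above are re-typed as Python dicts to avoid a YAML dependency, and `audit`, `parse_port`, the rule names and the loopback-only variant are assumptions made for illustration.

```python
# Added example: flags the network exposure patterns the post describes.
ALL_IFACES = {None, "", "0.0.0.0", "[::]"}

def parse_port(entry):
    """Split a Compose port entry into (host_ip, host_port, container_port)."""
    if isinstance(entry, dict):  # long syntax: target / published / host_ip
        return entry.get("host_ip"), entry.get("published"), str(entry["target"])
    spec = str(entry).split("/")[0]      # drop a "/tcp" or "/udp" suffix
    parts = spec.rsplit(":", 2)          # [ip:][host_port:]container_port
    host_ip = parts[0] if len(parts) == 3 else None
    host_port = parts[-2] if len(parts) >= 2 and parts[-2] else None
    return host_ip, host_port, parts[-1]

def audit(compose):
    """Return sorted (service, rule, detail) findings for network exposure."""
    findings = []
    for name, svc in compose.get("services", {}).items():
        if svc.get("network_mode") == "host":
            findings.append((name, "host-network",
                             "listening sockets open in the host's network namespace"))
        for entry in svc.get("ports", []):
            host_ip, host_port, container = parse_port(entry)
            if host_ip in ALL_IFACES:    # Docker's default bind address is 0.0.0.0
                findings.append((name, "published-all-interfaces",
                                 f"{container} -> host port {host_port or 'ephemeral'}"))
    return sorted(findings)

# First Compose file from the post (bridge network), as a dict.
BRIDGE = {"services": {
    "redis": {"networks": ["m-serve"], "ports": [6379]},
    "controller": {"networks": ["m-serve"], "ports": ["8000:8000"]},
}}
# Second Compose file from the post (host network), as a dict.
HOST = {"services": {
    "redis": {"network_mode": "host"},
    "controller": {"network_mode": "host"},
}}
# Constructed variant (not from the post): Redis published on loopback only.
LOOPBACK_ONLY = {"services": {
    "redis": {"ports": ["127.0.0.1:6379:6379"]},
}}

if __name__ == "__main__":
    for label, doc in (("bridge", BRIDGE), ("host", HOST), ("loopback", LOOPBACK_ONLY)):
        print(label)
        for finding in audit(doc):
            print("  ", *finding, sep=" | ")
```

Note that the bridge file is flagged too: `ports: - 6379` publishes Redis on an ephemeral host port bound to all interfaces, so removing that entry keeps Redis reachable only from containers on `m-serve`.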