Develop Reference

docker compose: restrict internet access

I want to run with a container that is a copy of a production container, so I want to restrict access to the internet to prevent that call production servers.
But I need to access the container from the host machine with internet access
This is what I am trying to do:
version: '2.1'
services:
proxy:
image: traefik
command: --api.insecure=true --providers.docker
networks:
- no-internet
- internet
ports:
- "80:80"
- "8080:8080"
volumes:
- /var/run/docker.sock:/var/run/docker.sock
prod-service:
image: ....
depends_on:
- db
ports:
- "8094:8094"
labels:
- "traefik.http.routers.blog.rule=Host(`localhost`)"
- "traefik.port=8094"
networks:
- no-internet
db:
container_name: db
image: postgres:11
hostname: ap-db
expose:
- 5433
ports:
- 5433:5432
environment:
- POSTGRES_USER=postgres
- POSTGRES_PASSWORD=postgres
networks:
- no-internet
- internet
networks:
internet:
driver: bridge
no-internet:
internal: true
driver: bridge
But the trafic configuration is not working for me.
What is the best option to do this?
the answers I found do not take into account the access from the host machine, the container without internet is isolated
I appreciate any advice

Network IP address for docker compose

tl;dr I want every container in this stack to use the same IP & MAC address and be on my local network but need help on how to
For starters I'm new to docker and docker-compose. I made a docker-stack for my Plex Servers (three of them, one for movies by general categories/tv-shows, music, and holidays) with each one having its own IP address & MAC on my local network and now I want to make a second stack for some of my media management tools but this time I'd like the whole stack to use one IP address and MAC address but I haven't been able to figure out how to do it correctly/so it works
This is running on a QNAP NAS (TVS1282v3/QTS) but I am working through the CLI as I leaned that if I do a docker-compose through container station that it won't create the network for me
version: '2.4'
services:
Sonarr:
image: linuxserver/sonarr
container_name: Sonarr
environment:
- TZ=AMERICA/Denver
- name= Sonarr
volumes:
- /share/MediaManagement/Sonarr/config:/config:rw
- /share/MediaManagement/rip:/rip:rw
- /share/Plex:/Plex:rw
ports:
- 8989:8989
restart: unless-stopped
Radarr:
image: linuxserver/radarr
container_name: Radarr
environment:
- TZ=AMERICA/Denver
- name= Radarr
volumes:
- /share/MediaManagement/Radarr/config:/config:rw
- /share/MediaManagement/rip:/rip:rw
- /share/Plex:/Plex:rw
ports:
- 7878:7878
restart: unless-stopped
Lidarr:
image: linuxserver/lidarr
container_name: Lidarr
hostname: Lidarr
environment:
- TZ=AMERICA/Denver
- name= Lidarr
volumes:
- /share/MediaManagement/Lidarr/config:/config:rw
- /share/MediaManagement/rip:/rip:rw
- /share/Plex:/Plex:rw
ports:
- 8686:8686
restart: unless-stopped
networks:
qnet-static:
ipv4_address: 192.168.2.100
mac_address: 05:4A:AA:08:51:43
networks:
qnet-static:
driver: qnet
ipam:
driver: qnet
options:
iface: "eth0"
config:
- subnet: 192.168.2.0/23
gateway: 192.168.2.1
I have also tried it like how it was set up in my Plex compose file where I put
services:
NameOfService:
mac_address: 05:4A:AA:08:51:43
networks:
qnet-static:
ipv4_address: 192.168.2.100
....
networks: ##At the end, not in each service##
qnet-static:
driver: qnet
ipam:
driver: qnet
options:
iface: "eth0"
config:
- subnet: 192.168.2.0/23
gateway: 192.168.2.1
in each service but only the first container worked....
I also tried this at one point but still no luck/ it's syntax is wrong
networks:
qnet-static:
driver: qnet
ipam:
driver: qnet
options:
iface: "eth0"
config:
- subnet: 192.168.2.0/23
gateway: 192.168.2.250
ipv4_address: 192.168.2.100
mac_address: 05:4A:AA:08:51:43
Any help would be appreciate it as I am probably just missing a minor piece

Delete absolutely all of the networks: settings in the file. Don't try to manually assign IP address to containers or configure their MAC addresses.
Your containers will be accessible on your host's IP address, using the first ports: number for each. As far as other hosts on your network are concerned, the processes in containers will be indistinguishable from other services not running in containers.
You also do not need to manually set container_name: or hostname: in most circumstances. There are additional details of the Compose networking environment in Networking in Compose in the Docker documentation, though this mostly focuses on connections between containers. You usually don't need to think about the container-private IP address or (especially) the artificial MAC address within the container network environment.

Connecting 2 docker containers to the same TCP/IP or UNIX socket

I have 2 docker containers and I would like to deploy them using Ansible. They are deployed in the same host. Also, I need these 2 docker containers to communicate with each other via socketing either it's a TCP/IP socket or UNIX domain socket. However, I do not know what is the best practice to allow them to do so.

You could check network settings in docker-compose command
https://docs.docker.com/compose/networking/
I have a running Zabbix configured in this way, in which I had to set-up static IPs in order to link all the 3 containers in a stable way even after a server restart.
Network details are at the bottom.
version: '2'
services:
zabbix-server4:
container_name: zabbix-server4
image: zabbix/zabbix-server-mysql:alpine-4.0.5
networks:
zbx_net:
aliases:
- zabbix-server4
ipv4_address: 172.16.238.5
zabbix-web4:
container_name: zabbix-web4
image: zabbix/zabbix-web-nginx-mysql:alpine-4.0.5
ports:
- 127.0.0.1:11011:80
links:
- zabbix-server4
networks:
zbx_net:
aliases:
- zabbix-web4
ipv4_address: 172.16.238.10
zabbix-agent4:
container_name: zabbix-agent4
image: zabbix/zabbix-agent:alpine-4.0.5
links:
- zabbix-server4
networks:
zbx_net:
aliases:
- zabbix-agent4
ipv4_address: 172.16.238.15
networks:
zbx_net:
driver: bridge
driver_opts:
com.docker.network.enable_ipv6: "false"
ipam:
driver: default
config:
- subnet: 172.16.238.0/24
gateway: 172.16.238.1

My website using Docker cannot be reached by our company members in India (from American)

Here is my docker-compose file (with a few details taken out for privacy). The problem is that the site is available for everyone on our work network here, but those in other countries in other networks cannot. How can I resolve this so that everyone in the company can see the site?
version: '3'
services:
database:
container_name: database
image: ###
volumes:
- ###
networks:
- my-network
backend:
container_name: backend
image: ###
volumes:
- ###
links:
- database
environment:
DB_HOST: database
networks:
- my-network
frontend:
container_name: frontend
image: ###
networks:
- my-network
proxy:
container_name: proxy
image: ###
ports:
- "80:80"
links:
- frontend
- backend
networks:
- my-network
networks:
my-network:
ipam:
config:
- subnet: 192.168.0.0/24

I figured out that I had too many old network bridges open and one of them was the IP address my coworkers were on and it was blocking them.
So to fix it, I did
> ip addr
> docker network ls
And then you could prune if you see that there's too many open
> docker network prune

Provide static IP to docker containers via docker-compose

I'm trying to provide static IP address to containers. I understand that I have to create a custom network. I create it and the bridge interface is up on the host machine (Ubuntu 16.x). The containers get IP from this subnet but not the static I provided.
Here is my docker-compose.yml:
version: '2'
services:
mysql:
container_name: mysql
image: mysql:latest
restart: always
environment:
- MYSQL_ROOT_PASSWORD=root
ports:
- "3306:3306"
networks:
- vpcbr
apigw-tomcat:
container_name: apigw-tomcat
build: tomcat/.
ports:
- "8080:8080"
- "8009:8009"
networks:
- vpcbr
depends_on:
- mysql
networks:
vpcbr:
driver: bridge
ipam:
config:
- subnet: 10.5.0.0/16
gateway: 10.5.0.1
aux_addresses:
mysql: 10.5.0.5
apigw-tomcat: 10.5.0.6
The containers get 10.5.0.2 and 10.5.0.3, instead of 5 and 6.

Note that I don't recommend a fixed IP for containers in Docker unless you're doing something that allows routing from outside to the inside of your container network (e.g. macvlan). DNS is already there for service discovery inside of the container network and supports container scaling. And outside the container network, you should use exposed ports on the host. With that disclaimer, here's the compose file you want:
version: '2'
services:
mysql:
container_name: mysql
image: mysql:latest
restart: always
environment:
- MYSQL_ROOT_PASSWORD=root
ports:
- "3306:3306"
networks:
vpcbr:
ipv4_address: 10.5.0.5
apigw-tomcat:
container_name: apigw-tomcat
build: tomcat/.
ports:
- "8080:8080"
- "8009:8009"
networks:
vpcbr:
ipv4_address: 10.5.0.6
depends_on:
- mysql
networks:
vpcbr:
driver: bridge
ipam:
config:
- subnet: 10.5.0.0/16
gateway: 10.5.0.1

I was facing some difficulties with an environment variable that is with custom name (not with container name /port convention for KAPACITOR_BASE_URL and KAPACITOR_ALERTS_ENDPOINT). If we give service name in this case it wouldn't resolve the ip as
KAPACITOR_BASE_URL: http://kapacitor:9092
In above http://[**kapacitor**]:9092 would not resolve to http://172.20.0.2:9092
I resolved the static IPs issues using subnetting configurations.
version: "3.3"
networks:
frontend:
ipam:
config:
- subnet: 172.20.0.0/24
services:
db:
image: postgres:9.4.4
networks:
frontend:
ipv4_address: 172.20.0.5
ports:
- "5432:5432"
volumes:
- postgres_data:/var/lib/postgresql/data
redis:
image: redis:latest
networks:
frontend:
ipv4_address: 172.20.0.6
ports:
- "6379"
influxdb:
image: influxdb:latest
ports:
- "8086:8086"
- "8083:8083"
volumes:
- ../influxdb/influxdb.conf:/etc/influxdb/influxdb.conf
- ../influxdb/inxdb:/var/lib/influxdb
networks:
frontend:
ipv4_address: 172.20.0.4
environment:
INFLUXDB_HTTP_AUTH_ENABLED: "false"
INFLUXDB_ADMIN_ENABLED: "true"
INFLUXDB_USERNAME: "db_username"
INFLUXDB_PASSWORD: "12345678"
INFLUXDB_DB: db_customers
kapacitor:
image: kapacitor:latest
ports:
- "9092:9092"
networks:
frontend:
ipv4_address: 172.20.0.2
depends_on:
- influxdb
volumes:
- ../kapacitor/kapacitor.conf:/etc/kapacitor/kapacitor.conf
- ../kapacitor/kapdb:/var/lib/kapacitor
environment:
KAPACITOR_INFLUXDB_0_URLS_0: http://influxdb:8086
web:
build: .
environment:
RAILS_ENV: $RAILS_ENV
command: bundle exec rails s -b 0.0.0.0
ports:
- "3000:3000"
networks:
frontend:
ipv4_address: 172.20.0.3
links:
- db
- kapacitor
depends_on:
- db
volumes:
- .:/var/app/current
environment:
DATABASE_URL: postgres://postgres#db
DATABASE_USERNAME: postgres
DATABASE_PASSWORD: postgres
INFLUX_URL: http://influxdb:8086
INFLUX_USER: db_username
INFLUX_PWD: 12345678
KAPACITOR_BASE_URL: http://172.20.0.2:9092
KAPACITOR_ALERTS_ENDPOINT: http://172.20.0.3:3000
volumes:
postgres_data:

If you are never seeing the static IP address set, perhaps it could be because you are using "docker compose up". Try using "docker-compose up".
When I use "docker-compose up" (with the hyphen) I now see the static IPs assigned.
networks:
hfnet:
driver: bridge
ipam:
driver: default
config:
- subnet: 192.168.55.0/24
gateway: 192.168.55.1
services:
web:
image: 'mycompany/webserver:latest'
hostname: www
domainname: mycompany.com
stdin_open: true # docker run -i
tty: true # docker run -t
networks:
hfnet:
ipv4_address: 192.168.55.10
ports:
- '80:80'
- '443:443'
volumes:
- '../honeyfund:/var/www/html'
I wasted a lot of time to figure that one out. :(

I realized, that the more convenient and meaningful way is to give the container a container-name.
You can use the name in the same docker network as source.
This helped me because the docker-containers had changing IPs and by this I can communicate with another container with a static name that I can use in config-files.