Docker service exposed publicly though made to expose ports to localhost only

Submitted by 巧了我就是萌 on 2020-01-12 13:47:31

Question


I have created one service and exposed it to run only on localhost on one of my Docker swarm nodes, but I can access the service publicly too easily.

I have deleted and redeployed the docker stack but still same issue.

Here is the docker-compose.yml I used to deploy the service in the stack:

version: "3"
networks:
    api-net:
        ipam:
            config:
                - subnet: 10.0.10.0/24

services:
    health-api:
        image: myprivateregistry:5000/healthapi:qa
        ports:
            - "127.0.0.1:9010:9010"
        networks:
            - api-net
        depends_on:
            - config-server
        deploy:
            mode: replicated
            replicas: 1
            placement:
                constraints:
                    - node.role == manager

I haven't included the service it depends on, as I don't think that is the problem.

Some say it's not supported in Docker swarm mode. Then what is the solution in that case?


Answer 1:


Quoting https://github.com/moby/moby/issues/32299#issuecomment-290978794:

On swarm mode, if you publish something (ports for stack deploy), it is published on the ingress network, and thus it is public. There are a few ways to get around it, but putting kind/bug on that because we should at least warn people about that when doing a stack deploy with ports that have this notation (i.e. host:port:port).

To work around this, there are a few ways:

  • first, you should publish mongo ports only if you want it to be public, otherwise, it is available through the name discovery bundle in docker (another container/service on the same network will be able to reach it through mongo dns name).
  • If you want to publish it on the host and not on ingress (so not swarm public, just on the host it is running on, the same way as without swarm mode), you need to use the ports expanded syntax.

ports:
  - mode: host
    target: 80
    published: 9005

So, the reason is Swarm's ingress network, which makes every published port publicly available. The workaround using the extended syntax doesn't bind to the loopback interface but to the host's 0.0.0.0 interface, which is still an improvement over a port exposed externally via the ingress network.
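As an added illustration (not part of either answer or of Docker's own tooling), the check below walks a parsed Compose file and flags short-syntax ports that carry a bind address, which swarm silently drops before publishing the port on ingress, and proposes the mode: host long form the quoted comment recommends. The COMPOSE dict is a constructed stand-in for the question's YAML after parsing, and the helper names are my own.

```python
"""Audit a parsed Compose file for ports that `docker stack deploy` would publish cluster-wide."""
from typing import Any, Dict, List

# Constructed sample: the question's compose file as it looks after YAML parsing.
COMPOSE: Dict[str, Any] = {
    "version": "3",
    "services": {
        "health-api": {
            "image": "myprivateregistry:5000/healthapi:qa",
            "ports": ["127.0.0.1:9010:9010"],
        },
    },
}

def parse_short_port(spec: str) -> Dict[str, Any]:
    """Split short syntax ("9010", "9010:9010", "127.0.0.1:9010:9010", "[::1]:80:80/udp")."""
    spec, _, proto = str(spec).partition("/")
    parts = spec.rsplit(":", 2)  # rsplit keeps a bracketed IPv6 bind address in one piece
    ip, published, target = [None] * (3 - len(parts)) + parts
    return {"ip": ip, "published": published, "target": target, "protocol": proto or "tcp"}

def to_host_mode(p: Dict[str, Any]) -> Dict[str, Any]:
    """Long-syntax equivalent that publishes only on the node running the task (on 0.0.0.0)."""
    fix = {"mode": "host", "target": int(p["target"]), "protocol": p["protocol"]}
    if p["published"]:
        fix["published"] = int(p["published"])
    return fix

def audit_swarm_ports(compose: Dict[str, Any]) -> List[Dict[str, Any]]:
    """One finding per short-syntax port whose bind address swarm mode would ignore."""
    findings = []
    for name, svc in compose.get("services", {}).items():
        for port in svc.get("ports", []):
            if isinstance(port, dict):  # long syntax: mode defaults to ingress unless set to host
                continue
            parsed = parse_short_port(port)
            if parsed["ip"] is not None:  # bind address is silently dropped; port goes to ingress
                findings.append({"service": name, "port": port,
                                 "reason": "bind address ignored in swarm mode; port published on ingress",
                                 "fix": to_host_mode(parsed)})
    return findings

if __name__ == "__main__":
    for f in audit_swarm_ports(COMPOSE):
        print(f"{f['service']}: {f['port']!r} -> {f['reason']}; use {f['fix']}")
```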




Answer 2:


In order to access the service in swarm mode, you need to expose the port, mapping it to either the same or another port outside the container.

Something like this:

ports:
    - "80:80"
    - "443:443"


Source: https://stackoverflow.com/questions/50621936/docker-service-exposed-publicly-though-made-to-expose-ports-to-localhost-only
