New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Networking under the new menu #245
Comments
I've only used IOTstack for a couple of days so I cannot comment on your proposal, but you're right the networking was confusing. zigbee2mqtt_assistant is by default configured to connect to mosquitto, but it won't find the host, because mosquitto is in iotstack_nw network and zigbee2mqtt_assistant is not. Also, it's not clear whether iotstack_nw ("exposed by your host") is the correct network to use, or whether iotstack_nw_internal ("for interservice communication, no access to outside") would be adequate. |
@senarvi short answer: iotstack_nw The basic tests are:
If the answer to either/both is "yes" then "iotstack_nw" is appropriate. Because the vast majority of situations answer "yes" to both questions, it would be better if that was the default. The most appropriate default is so have no networking specified at all. Then docker-compose automatically sets up Then, if there are specific situations where you need specialised networks, handle those case-by-case. That's what the proposal is all about. |
There is a third option in the evaluation process: _The basic tests are:
If the answer to either/both is "yes" then "iotstack_nw" is appropriate._ And that is: If yes then is |
This PR follows on from [Issue 422](SensorsIot#422 (comment)) and the networking scheme proposed therein to support remote WireGuard clients obtaining DNS from ad-blockers (eg PiHole) running in another container on the same RPi as the WireGuard server. This PR implements: 1. Two internal networks: * "default" (`iotstack_default` at runtime). * "nextcloud" (`iotstack_nextcloud` at runtime). 2. Docker allocates all IP addressing, dynamically, from 172.16/12 (reverting from 10/8 subnets). 3. NextCloud *explicitly* joins both internal networks. 4. NextCloud_DB *explicitly* joins "nextcloud". 5. All other containers *implicitly* join "default". 6. No networking differences between old and new menus (full harmonisation). 7. Resolves all remaining new-menu inconsistencies first raised in [Issue 245](SensorsIot#245). Adds `use-container-dns.sh` to WireGuard service template folder to support WireGuard forwarding DNS requests to ad-blockers running on the same RPi. This is based on work done by @ukkopahis. This change is related to the networking changes which deviate from the scheme proposed in Issue 422. Documentation: 1. Adds "significant change to networking" to main README.md. 2. Updates WireGuard to explain how to forward DNS requests to ad-blockers running on the same RPi. Signed-off-by: Phill Kelley <pmk.57t49@lgosys.com>
@Slyke
I would like to open a discussion on "new menu" networking.
I have just done a clean clone of SensorsIot/IOTstack and stepped through the contents of the
.templates
folder to build the following table:Here are the things that jump out at me:
domoticz defines
network_mode: bridge
.I can't find any documentation to support that. See compose spec.
Any idea what "bridge" means in this context? Any idea why it actually works when it seems to be an undocumented option? What seems to happen is that domoticz is the only container attached to a network called "bridge".
Containers with a blue highlight have no "networks" clause in their service definitions. This implies that:
Interoperability issues seem to be a fairly common complaint on Discord.
The right-most column ("IOTstack_Net_Internal") is not associated with any service definition. It seems to serve no purpose other than to produce warning messages at "up" time.
The rationale for the "IOTstack_NextCloud" network is not clear. I assume it's intended to be a dedicated back-end path for database communications, presumably based on an assumption that it will improve performance.
Such an assumption might be valid were (a) real switching hardware involved and (b) the unicast load to/from the database engine sufficient to swamp unicast traffic reaching the front end but I question whether there's likely to be any measurable performance difference in a Docker environment running on a single RPi.
That said, my only real objection is the way it imposes itself on your attention at "up" time when it isn't in use. At the very least, I think that needs to be fixed. Please keep reading!
I assume PiHole is attached to "IOTstack_VPN" to provide a DMZ-like function such that DNS resolution does not have to reach the internal network. If there's another reason then please elaborate.
Rolling all that together, here's what I think we should do:
I just bet your next question is something like:
Not true!
What networks does Docker know about?
What's attached to IOTstack_VPN?
It's connected to PiHole. What about the iotstack_default network?
PiHole is attached to both the special case and default networks.
No smoke, no mirrors, nothing up my sleeve.
Seems to me this solves a bunch of problems:
Simplifying it down to just those containers that actually need specialised comms probably also creates the opportunity for you to revisit how network definitions get tacked onto docker-compose.yml, so that they are only included when needed.
Rather than the all-in-one
.templates/env.yml
, how about something like:A mention of a network name like "vpn_nw" in a service definition is the signal to include the "vpn_nw.yml" at the end of docker-compose.yml with the "networks:" header dependent on whether there is at least one extra network.
Including an empty "default.yml" would generalise the solution for the PiHole and NextCloud cases, and provide the opportunity to chuck out a warning if a service definition mentioned a network for which there was no corresponding NETWORK_NAME.yml file.
Thoughts?
The text was updated successfully, but these errors were encountered: