[networking] prevent users from using the ingress network #25396

Closed
rogaha opened this issue Aug 4, 2016 · 10 comments
Labels
area/networking area/swarm kind/enhancement Enhancements are not bugs or new features but can improve usability or performance. version/1.12
Comments

@rogaha
Contributor

rogaha commented Aug 4, 2016

Assuming that the ingress network is only meant to be used internally, we should either:

  1. Warn the users that they should not use that network to create services, and block them.
  2. Hide the ingress network from the docker network ls list, as they are not able to manage it anyway.

I've seen lots of users using that network to create services.

@mavenugo @mrjana do you have any thoughts on that?

@thaJeztah thaJeztah added kind/enhancement Enhancements are not bugs or new features but can improve usability or performance. area/networking version/1.12 area/swarm labels Aug 4, 2016
@thaJeztah thaJeztah added this to the 1.12.1 milestone Aug 4, 2016
@thaJeztah
Member

ping @mrjana any ideas on this one?

@rogaha
Contributor Author

rogaha commented Aug 25, 2016

ping @mrjana @mavenugo

@mavenugo
Contributor

@rogaha yes. I agree. We should probably prevent users from using this network to attach services.

@tiborvass tiborvass modified the milestones: 1.12.1, 1.12.2 Aug 30, 2016
@Richard-Mathie
Contributor

@mavenugo arrrrgghh nooooo

Can this be configurable? It is important for testing and fault finding to be able to check the network connection to services. By all means, it would be great to lock things down in production. But in development, and with docker's quite frankly flaky networking, we need to be able to dig down and find the fault, and this may involve using dig, nslookup and curl on the service. The ingress network is an overlay network; don't hide it as 'magic'.

btw, having a really hard time mapping a kafka service to use docker swarm mode. All I really want is to use docker swarm mode to simplify service orchestration and service discovery. But there are real issues with the dns not pointing to, or forgetting about, or remembering dead services, and traffic not being transferred through the VIP and ingress endpoint. Without being able to see what is under the hood, and test the service at every level, fault finding and fixing this mess would be impossible.

@Richard-Mathie
Contributor

Also, if you are serious about this and applying granular segmentation on services: a service (A) with a published port (and thus on the ingress network) shouldn't be able to connect to another service (B) on the ingress network on any port not published by (B). Or should that be that A shouldn't be able to talk to B at all? The latter is a bit silly, as A can talk to B through localhost on the published port (though this will go through the VIP, as I understand).

@thaJeztah
Member

@Richard-Mathie could you open a separate issue for the problems you're having with kafka / networking?

@Richard-Mathie
Contributor

@thaJeztah I have done this now at #26594

@mavenugo
Contributor

mavenugo commented Oct 4, 2016

@rogaha @thaJeztah @Richard-Mathie PTAL #27147. Based on the analysis and discussions around #24637, we think it is better to make the ingress network a special one and not let users manipulate it. Pls comment asap.

@rogaha
Contributor Author

rogaha commented Oct 5, 2016

Agreed! Thanks for the heads up @mavenugo

@thaJeztah
Member

Looks like this was fixed in 1.12.2;

docker service create --network=ingress nginx:alpine
Error response from daemon: rpc error: code = 3 desc = Service cannot be explicitly attached to "ingress" network which is a swarm internal network
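The daemon-side rejection above only exists on 1.12.2 and later; on an older swarm manager a service created with `--network=ingress` is accepted silently. The following audit script is an added example, not code from the moby project or from this thread. It reads the JSON that `docker network inspect ingress` and `docker service inspect <name...>` print (the shape assumed here: a list of objects, with each service's attachments under `Spec.TaskTemplate.Networks[].Target` holding a network ID) and lists every service whose task template targets the ingress network. The two JSON documents embedded below are constructed samples in that shape, not output captured from a real cluster.

```python
"""Flag swarm services that are explicitly attached to the ingress network.

Usage (real cluster, assumed docker CLI output shapes):
    docker network inspect ingress > ingress.json
    docker service inspect $(docker service ls -q) > services.json
    python audit_ingress.py ingress.json services.json
Run without arguments it evaluates the constructed samples below.
"""
import json
import sys

# Constructed sample, shaped like `docker network inspect ingress` (abridged).
NETWORK_INSPECT = json.dumps([{
    "Name": "ingress",
    "Id": "0123456789abcdef0123456789abcdef",  # constructed network ID
    "Driver": "overlay",
    "Ingress": True,
}])

# Constructed sample, shaped like `docker service inspect web api batch` (abridged).
SERVICE_INSPECT = json.dumps([
    {"ID": "svc-web", "Spec": {"Name": "web", "TaskTemplate": {
        "Networks": [{"Target": "0123456789abcdef0123456789abcdef"}]}}},
    {"ID": "svc-api", "Spec": {"Name": "api", "TaskTemplate": {
        "Networks": [{"Target": "fedcba9876543210fedcba9876543210"}]}}},
    {"ID": "svc-batch", "Spec": {"Name": "batch", "TaskTemplate": {}}},
])


def ingress_network_ids(network_inspect_json):
    """Return the identifiers that may refer to an ingress network.

    Accepts the full ID, the 12-character short ID the CLI prints, and the
    name, so a service spec that stored any of them is still matched.
    """
    ids = set()
    for net in json.loads(network_inspect_json):
        if net.get("Ingress") or net.get("Name") == "ingress":
            ids.add(net["Id"])
            ids.add(net["Id"][:12])
            ids.add(net.get("Name", "ingress"))
    return ids


def services_on_ingress(service_inspect_json, ingress_ids):
    """Return the names of services whose task template targets an ingress network."""
    flagged = []
    for svc in json.loads(service_inspect_json):
        spec = svc.get("Spec", {})
        # A service with no attachments has no "Networks" key at all.
        networks = spec.get("TaskTemplate", {}).get("Networks") or []
        targets = {n.get("Target") for n in networks}
        if targets & ingress_ids:
            flagged.append(spec.get("Name", svc.get("ID")))
    return flagged


def audit(network_inspect_json, service_inspect_json):
    """Combine both steps; returns the list of offending service names."""
    return services_on_ingress(service_inspect_json,
                               ingress_network_ids(network_inspect_json))


if __name__ == "__main__":
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f:
            net_json = f.read()
        with open(sys.argv[2]) as f:
            svc_json = f.read()
    else:
        net_json, svc_json = NETWORK_INSPECT, SERVICE_INSPECT
    offenders = audit(net_json, svc_json)
    for name in offenders:
        print(f"service '{name}' is attached to the ingress network")
    sys.exit(1 if offenders else 0)
```

On the constructed samples only `web` is reported; `api` sits on a user overlay and `batch` has no network attachments. The non-zero exit status lets the script serve as a gate in a deployment pipeline for managers that predate the 1.12.2 check.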
