2

I have multiple stacks running in docker swarm with traefik, where services in each stack are connected to an overlay network (traefik-net) so traefik can talk to them.

If I have a service in each stack that's called the same service name (service1), and then have another service (service2) in either stack try to access it by the service name (ping http://service1), it'll sometimes hit service1 in the other stack, and sometimes hit service1 in the same stack.

docker network create --driver overlay traefik-net

stack1:

services:
  service1:
    networks:
      - default
      - traefik-net

  service2:
    networks:
      - default
      - traefik-net

networks:
  traefik-net:
    external: true

stack2:

services:
  service1:
    networks:
      - default
      - traefik-net

networks:
  traefik-net:
    external: true

I want service2 to only hit service1 that is in the same stack.

I assumed that a service could only hit a service in another stack by prefixing the stack name to the service name (ping http://stack2_service1). But I learned that because of the traefik-net overlay network, they apparently can call each other without the stack name prefix.

Is there a way to turn off service communication across stacks without stack name prefixes?

Or maybe there's a traefik specific solution to the problem?

If anyone has run into this problem I would very much appreciate a solution.

mxrlkn
  • 83
  • 7

2 Answers

3

Yes, there is a solution to what you want to achieve; you just need to make proper use of overlay networks.

By default all the services that are connected in the same overlay network can talk/resolve each other.

So let's visualize your current implementation. Right now you have one network, traefik-net, and you have connected all your services to it, so your design looks like this:

[diagram: every service from both stacks attached to the single shared traefik-net overlay network]

What you need to do in order to isolate services on different stacks, but keep them accessible by traefik, is to create a different overlay network in each stack file and connect the traefik service to these networks by defining them as external in the traefik stack file. You are going to end up with this:

[diagram: one overlay network per stack, with the traefik service attached to each of them]

In this implementation all the traffic between different stacks is only possible via the traefik service and not directly.

zochamx
  • 850
  • 8
  • 17
  • 1
    I see. The downside to that approach is that I'd have to redeploy traefik every time I want to connect a new stack, and manually define the network in the traefik stack file. In my scenario there are hundreds of stacks slowly being added over time. I would also be concerned about connecting traefik to hundreds of networks. Maybe that could cause issues. – mxrlkn May 14 '19 at 22:17
  • 1
    Yes, it's true that traefik needs to be redeployed every time with this approach; on the other hand, only this way do you have network isolation. By prioritizing your DNS resolution you just resolve according to your preference. If you don't have security concerns about network isolation then the DNS trick is good enough. – zochamx May 15 '19 at 19:50
  • Yeah. My thought process is that if a stack needs to be public to the internet via traefik-net, then that'll be just as "insecure" as having those stacks connected on the same network anyway. If a stack can be accessed by a malicious actor via another stack, it can as well via the public internet. Thanks for the explanation. – mxrlkn May 16 '19 at 15:28
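The per-stack network layout described in this answer, written out as three stack files. This is an added example, not configuration posted by the answerer or the asker: the network names stack1-net and stack2-net, the images (nginx:alpine, alpine), the hostnames and the traefik v2 label syntax are all assumptions (the question does not state a traefik version). Every service keeps the compose `default` network, so service2 in stack1 still resolves `service1` in its own stack, while stack2's service1 lives on a network stack1 never joins.

```yaml
# --- traefik.yml (deployed as stack "traefik") ---
# traefik is the only service attached to every per-stack network, so it is
# the only path between stacks. Adding a stack means adding its network here
# and redeploying traefik (the trade-off discussed in the comments above).
version: "3.7"
services:
  traefik:
    image: traefik:v2.2                      # assumed version
    command:
      - --providers.docker.swarmMode=true
      - --providers.docker.exposedByDefault=false   # opt-in only
      - --entrypoints.web.address=:80
    ports:
      - "80:80"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
      - stack1-net
      - stack2-net
    deploy:
      placement:
        constraints: [node.role == manager]
networks:
  stack1-net:
    external: true
  stack2-net:
    external: true

# --- stack1.yml (deployed as stack "stack1") ---
version: "3.7"
services:
  service1:
    image: nginx:alpine                      # assumed image
    networks:
      - default                              # stack-private, created by swarm
      - stack1-net                           # shared only with traefik
    deploy:
      labels:
        - traefik.enable=true
        - traefik.http.routers.stack1.rule=Host(`stack1.example.com`)   # assumed host
        - traefik.http.services.stack1.loadbalancer.server.port=80
        # service1 is on two networks; tell traefik which one to dial.
        - traefik.docker.network=stack1-net
  service2:
    image: alpine                            # assumed image
    # Resolves the bare name "service1" via swarm DNS on the default network;
    # the only service1 it can see is the one in this stack.
    command: sh -c 'while true; do wget -qO- http://service1/ >/dev/null && echo ok; sleep 5; done'
    networks:
      - default
networks:
  stack1-net:
    external: true

# --- stack2.yml (deployed as stack "stack2") ---
version: "3.7"
services:
  service1:
    image: nginx:alpine                      # assumed image
    networks:
      - default
      - stack2-net
    deploy:
      labels:
        - traefik.enable=true
        - traefik.http.routers.stack2.rule=Host(`stack2.example.com`)   # assumed host
        - traefik.http.services.stack2.loadbalancer.server.port=80
        - traefik.docker.network=stack2-net
networks:
  stack2-net:
    external: true
```

Create the networks before deploying (`docker network create --driver overlay stack1-net`, likewise for stack2-net), then `docker stack deploy -c traefik.yml traefik`, `-c stack1.yml stack1` and `-c stack2.yml stack2`. To check the isolation rather than trust it: `docker network inspect stack1-net` should list only the stack1 services and traefik, and from a service2 task (`docker exec <container> getent hosts service1`) the bare name resolves to exactly one VIP, while `getent hosts stack2_service1` returns nothing because no network is shared with stack2. The security gain over the single shared network is blast radius: a compromised container in one stack can no longer talk directly to every service of every other stack, only to whatever traefik chooses to route.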
0

I found a similar question: Docker DNS with Multiple Projects Using the Same Network

There doesn't seem to be any solution other than to always hit stack_service instead of service.

mxrlkn
  • 83
  • 7