
I have multiple interfaces from my main server, e.g. (eno1, eno2, eno3, etc.) and multiple interfaces from an additional ethernet card, e.g. (enp7s0f0, enp7s0f1, etc.). I want to set up all my docker-compose.yaml files to use the different interfaces, e.g. I want to have service_1 use eno2, service_2 to use eno3, and service_3 use enp7s0f0. I want traffic in on specified ports and all traffic out to use the different interfaces.

Below is a sample docker-compose.yaml:

```yaml
version: '3.7'

services:
    service_1:
        build: .
        networks:
            - eno2
        ports:
            - 7878:7878

networks:
   eno2:
      driver: macvlan
      driver_opts:
          parent: eno2
      ipam:
          driver: default
```
I'm not sure of the proper format for specifying a different interface. I've looked over the Docker Compose Networking page, but can't seem to find what I'm looking for. I need a solution that is fully contained in a docker-compose.yaml file.

Edit: The macvlan appears to be what I'm trying to configure. Following the post from here, I've edited the Docker Compose file. However, I'm still not able to spin up multiple images that send outbound traffic through different interfaces, and activity goes through the default interface (eno1).

sempervent

2 Answers


The network interfaces are operating in the host's namespace, and unless you are using the host network, you will not be able to even see them in your containers, since Docker will create an interface for the container namespace.

You can restrict the traffic flow by making the container's port be bound only to a given IP address (that belongs to one of the network interfaces).

Assuming you want to use enp7s0f0 for the service, and the interface has address 10.0.1.102, then you can specify the docker-compose as follows:

```yaml
version: '3.7'

services:
    service_1:
        build: .
        networks:
            - eno1
        ports:
            - "10.0.1.102:7878:7878"

networks:
   eno1:
```

jordanvrtanoski
  • Does this affect outgoing traffic as well? – sempervent Mar 13 '21 at 23:47
  • Not this one, the outgoing traffic will be affected by the routing table of the host. Once the host is set properly, the traffic will flow through the interface you want. You can use `ip route` to check the routing tables – jordanvrtanoski Mar 14 '21 at 03:42
  • What if I want to bind to an interface that I don't have anything above physical layer enabled on? – MikeSchem Apr 19 '22 at 00:16
  • You cannot bind the physical adapter since binding happens on logical (socket) level. What you can do to have access to the physical interfaces is to use a "host" network in the container. In such a case the applications in the container will have access to the network interfaces of the host. Depending on the use case, you might need to add entitlements (capabilities) to the container such as "NET_RAW" – jordanvrtanoski Apr 19 '22 at 12:10
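
The check below is an added example, not code from the question or either answer. It parses Compose short-syntax `ports:` entries and reports any that are not pinned to the host address intended for that service, since an entry such as `7878:7878` is published on every host address by default. The `SAMPLE` services, the `192.0.2.x` addresses and the function names are constructed for illustration, and only short-syntax strings are handled.

```python
import ipaddress

def parse_port(spec):
    """Split a Compose short-syntax port string into
    (host_ip, host_port, container_port, protocol).
    host_ip is None when the entry names no host address."""
    spec, _, proto = spec.partition("/")
    host_ip = None
    if spec.startswith("["):                 # bracketed IPv6 host address
        host_ip, _, rest = spec[1:].partition("]:")
        parts = rest.split(":")
    else:
        parts = spec.split(":")
        if len(parts) == 3:                  # ip:host_port:container_port
            host_ip, parts = parts[0], parts[1:]
    if host_ip is not None:                  # normalise; ValueError on a bad address
        host_ip = str(ipaddress.ip_address(host_ip))
    host_port = (parts[0] or None) if len(parts) == 2 else None
    return host_ip, host_port, parts[-1], proto or "tcp"

def audit(services):
    """Return (service, port_spec, problem) for every published port that is
    not pinned to the address the service is meant to listen on."""
    findings = []
    for name, (want_ip, ports) in services.items():
        for spec in ports:
            host_ip, _, _, _ = parse_port(spec)
            if host_ip is None or ipaddress.ip_address(host_ip).is_unspecified:
                findings.append((name, spec, "published on every host address"))
            elif host_ip != str(ipaddress.ip_address(want_ip)):
                findings.append((name, spec, f"bound to {host_ip}, expected {want_ip}"))
    return findings

# Constructed sample: intended address per service and its `ports:` entries.
# 10.0.1.102 is the address the answer assumes for enp7s0f0; 192.0.2.x are
# documentation-range placeholders, not values from the page.
SAMPLE = {
    "service_1": ("192.0.2.10", ["7878:7878"]),
    "service_2": ("192.0.2.11", ["0.0.0.0:8080:80/tcp", "192.0.2.11:8443:443"]),
    "service_3": ("10.0.1.102", ["10.0.1.102:7878:7878", "192.0.2.10:9000:9000"]),
}

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep=" | ")
```
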

I found the docker-compose.yaml file able to recognize these options as I was working through the best way to uncover the root problem.

Here's the working docker-compose.yaml:

```yaml
version: '3.7'

services:
    service_1:
        build: .
        networks:
            - secure_web
        ports:
            - 7878:7878

networks:
   secure_web:
      driver: macvlan
      driver_opts:
          parent: eno1
      ipam:
          driver: default
```

You may want to additionally follow the following guides if you are looking for this solution:

Reading through those gave me a good refresher to tidy up exactly what I was looking for.

sempervent