Description
Currently using --publish with Swarm Mode Services results in opening ports on the whole Swarm (ingress network if I understand correctly).
Notably, it's not possible to publish a service on an individual IP only, i.e.:
```
$ docker service create --name nginx --publish 192.168.99.101:80:80 nginx
invalid argument "192.168.99.101:80:80" for --publish: HostIP is not supported by a service.
```
In any case, the above wouldn't be super useful because it would constrain the service to run only on the node which has the said IP.
On the other hand, currently there is no way to "overload" certain popular ports. If you publish port 80, every single node in the Swarm will open that port, preventing you from running multiple services on the same port in the same Swarm.
It would be good if there was a way to partition the swarm into network sections, so that selected nodes, for example A, B, C, D belong to one network section (call it partition-1), and E, F, G, H into another one (partition-2).
When publishing, we could select which network partition should be actually publishing the ports, i.e.:
```
$ docker service create --name nginx --publish partition-1:80:80 nginx
```
There should be an option to optionally constrain those services to run within the partition for increased performance (otherwise the swarm needs to proxy all the requests to the right node), but it's still much more manageable.
This would also help in the cases where the Node has multiple IPs assigned to it, as such a node's IPs could be present in both partitions respectively.
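An added audit example, not part of this issue and not Docker's own code: it reads `docker service inspect`-style JSON (a constructed sample is embedded) and reports which published ports the ingress routing mesh opens on every node versus which are bound only on constrained nodes through host-mode publishing (`--publish mode=host`, the existing mechanism closest to the partition idea above), and flags ports that overlap. The JSON field names follow `docker service inspect`; the `node.labels.partition` constraint values are assumed.

```python
import json
from collections import defaultdict

# Constructed sample shaped like `docker service inspect` JSON; not from a real swarm.
SAMPLE_INSPECT = json.dumps([
    {"Spec": {"Name": "nginx", "TaskTemplate": {"Placement": {}}},
     "Endpoint": {"Ports": [{"Protocol": "tcp", "TargetPort": 80,
                             "PublishedPort": 80, "PublishMode": "ingress"}]}},
    {"Spec": {"Name": "api", "TaskTemplate": {"Placement": {
         "Constraints": ["node.labels.partition==2"]}}},
     "Endpoint": {"Ports": [{"Protocol": "tcp", "TargetPort": 8080,
                             "PublishedPort": 8080, "PublishMode": "host"}]}},
    {"Spec": {"Name": "legacy-web", "TaskTemplate": {"Placement": {
         "Constraints": ["node.labels.partition==1"]}}},
     "Endpoint": {"Ports": [{"Protocol": "tcp", "TargetPort": 80,
                             "PublishedPort": 80, "PublishMode": "host"}]}},
])

def port_scopes(inspect_json):
    """Map (published_port, proto) -> [(service, scope)].  Ingress-mode ports are
    opened on every node by the routing mesh, so their scope is 'every-node';
    host-mode ports are bound only where a task lands, so the scope is the
    placement constraints (or 'any-node' when the service has none)."""
    scopes = defaultdict(list)
    for svc in json.loads(inspect_json):
        name = svc["Spec"]["Name"]
        placement = svc["Spec"].get("TaskTemplate", {}).get("Placement") or {}
        constraints = placement.get("Constraints") or []
        for p in svc.get("Endpoint", {}).get("Ports", []):
            if p.get("PublishMode", "ingress") == "ingress":
                scope = "every-node"
            else:
                scope = ",".join(constraints) or "any-node"
            scopes[(p["PublishedPort"], p["Protocol"])].append((name, scope))
    return dict(scopes)

def swarm_wide_ports(inspect_json):
    """Ports an external scan would find open on every node of the swarm."""
    return sorted(k for k, v in port_scopes(inspect_json).items()
                  if any(s == "every-node" for _, s in v))

def collisions(inspect_json):
    """Ports shared by several services where one is ingress-mode: that binding
    exists on all nodes, so a host-mode task on the same port contends for it
    on every node it is scheduled to and risks failing to bind."""
    return {k: sorted(n for n, _ in v)
            for k, v in port_scopes(inspect_json).items()
            if len(v) > 1 and any(s == "every-node" for _, s in v)}
```

Feed it real data with `docker service inspect $(docker service ls -q)` to see which ports are exposed swarm-wide regardless of where the tasks run.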