Swarm/service feature request: only publish ports on hosts meeting constraints

[FlorinAsavoaie]

It would be amazing if Docker would only bind to the ports published by services on the hosts that meet the constraints for that service (maybe make it a flag to do so?).

Example:

• I have X hosts that are a "management layer". They run the load balancers and other stuff. Load balancers are constrained to these nodes by node labels.
• I have Y hosts that are an "application layer". They run app servers, no ports published here via the mesh network, load balancers connect to them via the overlay networks. App services only run on these hosts by constraints via node labels.
• I have Z hosts that are a "DB layer" which have access to special distributed storage, etc. DB services only run on these hosts by constraints via node labels.

It sounds reasonable that Docker would only listen for ports published by the load balancers only on the "management" nodes and for ports published by the databases on their respective nodes.

[cpuguy83]

ping @mrjana @thaJeztah

Looks like a similar request (but not exactly) to #27917

[FlorinAsavoaie]

Yep, it is similar, but I think better as design, since it will not affect current functionality and not add extra ways of exposing ports either. It is just a flag ;-). If the idea is accepted, I can try to find the resources to submit a patch too.

[thaJeztah]

@FlorinAsavoaie @cpuguy83 I think this is a duplicate of #25257

However, I'm not entirely sure of the use case; the "routing mesh" takes care of routing requests to the node that a service runs on, so if you hit any node in the Swarm, networking traffic will be routed to your service; you can "hit" the nodes that run the actual tasks if you know which (group of) nodes it's deployed on.

Possibly related; #25688

[mavenugo]

@thaJeztah @FlorinAsavoaie i have heard of this requirement as well in use-cases where the External LB is dedicated to a certain set of nodes (in this issue its called the "Management layer"). whereas the Internal LB should be available on all the nodes. With Overlay networking and builtin SD and LB, internal-LB in swarm-mode is already supported on all the nodes.

When it comes to Routing-Mesh, it addresses the external LB requirement and as of 1.12 we don't provide this granularity. Being an user configurable option, I think providing this functionality is useful and especially if we make it constraint based & hence it is specific to a service.

[FlorinAsavoaie]

@thaJeztah, in my particular case, I could just make sure that the connections to all other nodes are blocked on that port by the firewall and just connect to that "group". I find this more of a workaround rather than an actual solution.

For me, both in this and other situations, this flag sounds like a natural thing to have. Especially useful in larger and larger deployments. I heard a customer once thinking about running multiple Swarm clusters for such a use case, which is definitely not the best way to achieve this requirement.

[thaJeztah]

I think this is mostly addressed through;

• Add support for host mode port PublishMode in services #27917