Closed arneboockmeyer closed 6 years ago
Hello, links do not control which containers can communicate with each other. They are just a simple mechanism to tell containers about each other. When a container is linked to another, it automatically gets environment variables injected containing the IP and port information about the other container. See the docker docs for details. Note that this is a legacy mechanism, but I still rely on it in Blockade for now.
To do what you want, try creating a blockade partition. For example, blockade partition c1,c2 c3 will allow c1 and c2 to communicate, but not c3.
Hi, thanks for the clarification.
If I use blockade partition c1,c2 c3, c1 and c2 can communicate with each other, but c3 is isolated. I would like to create some kind of a chain c1 <-> c2 <-> c3 (and c3 should be unable to communicate with c1 directly). Is that possible?
Sorry, no that is not currently supported. It is possible, but would require reworking the iptables chains blockade uses to implement partitions. I'll keep it in mind for a future improvement.
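Why the chain has no equivalent partition command, as an added example that is not part of the original thread or Blockade's own code. It assumes a partition command only describes disjoint groups with full connectivity inside a group and none across groups, as in the command quoted above; partition_args is a hypothetical helper name.

```python
from itertools import combinations


def partition_args(containers, allowed_links):
    """Return the arguments for a partition command that yields exactly
    the allowed (bidirectional) links, or None if no disjoint grouping can.

    Assumption: containers in one group all reach each other and nothing
    crosses a group boundary.
    """
    adj = {c: set() for c in containers}
    for a, b in allowed_links:
        adj[a].add(b)
        adj[b].add(a)

    # Split the desired topology into connected components.
    seen, groups = set(), []
    for start in containers:
        if start in seen:
            continue
        seen.add(start)
        stack, comp = [start], []
        while stack:
            node = stack.pop()
            comp.append(node)
            for peer in sorted(adj[node]):
                if peer not in seen:
                    seen.add(peer)
                    stack.append(peer)
        groups.append(sorted(comp))

    # A group grants all-to-all connectivity, so every component must
    # already be fully connected. A chain fails here: c1 and c3 share a
    # component through c2 but must not talk directly.
    for group in groups:
        for a, b in combinations(group, 2):
            if b not in adj[a]:
                return None
    return [",".join(g) for g in groups]


if __name__ == "__main__":
    nodes = ["c1", "c2", "c3"]
    print(partition_args(nodes, [("c1", "c2")]))                # isolate c3
    print(partition_args(nodes, [("c1", "c2"), ("c2", "c3")]))  # the chain
```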
Hi, thanks for your effort, but this is not urgent anymore. We build our own tool. Thanks for your help!
Hi,
let's say we are using this configuration:
In our understanding of the documentation, c2 should be able to communicate with c1 and c3, and c3 should be able to communicate with c2 but not with c1 (since they are not linked). We tested this configuration and we were surprised that every machine can communicate with every other one. Do we misunderstand the documentation (part links) or is this a bug? If we misunderstand the documentation, how can we achieve our goal? Thanks for your help!