From 5a6cb28beaa90a9c76856f160f751272bbe19bc3 Mon Sep 17 00:00:00 2001 From: decentral1se Date: Thu, 15 Jul 2021 16:22:02 +0200 Subject: [PATCH] Add a really dodgy networking page --- docs/networking.md | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 docs/networking.md diff --git a/docs/networking.md b/docs/networking.md new file mode 100644 index 0000000..75f9846 --- /dev/null +++ b/docs/networking.md @@ -0,0 +1,21 @@ +--- +title: Docker Networking +--- + +!!! warning + + Our understanding of Docker networking is probably wrong. We're working on it. + +# Traefik networking + +When a new Co-op Cloud instance is made, we make a "global" [overlay network](https://docs.docker.com/network/overlay/) which traefik sits on. This is the network that other apps use to speak to traefik and get traffic routed to them. Not every service in every app is also included in this network and hence not internet-facing. + +# App networking + +One service in an app, typically the one called `app`, sits on the "global" traefik network. This container is the one that should be publicy reachable on the internet. The other services in the app such as the database and caches should be not be publicly reachable or visible to other apps on the same instance. + +To deal with this, we make an additional "internal" network for each app which is namespaced to that app. So, if you deploy a Wordpress instance called `my_wordpress_blog` then there will be a network called `my_wordpress_blog_internal` created. This allows all the services in an app to speak to each other but not be reachable on the public internet. + +# Avoiding namespace conflicts + +When referencing an `app` service in a config file, you should prefix with the `STACK_NAME` to avoid namespace conflicts (because all these containers sit on the traefik overlay network). You might want to do something like this `{{ env "STACK_NAME" }}_app` (using Golang templating).
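Review bot: The "Avoiding namespace conflicts" section says "all these containers sit on the traefik overlay network", which contradicts "App networking", where only the `app` service joins the "global" network and the database and caches stay on the per-app `_internal` network. Suggest narrowing it to "all `app` services sit on the traefik overlay network" and stating outright that sharing that network means the `app` services of different apps can reach each other, since that is the isolation boundary a reader deploying several apps on one instance needs to know. Smaller points: in "App networking", "publicy" should be "publicly" and "should be not be" should be "should not be"; in "Traefik networking", the closing sentence "Not every service in every app is also included in this network and hence not internet-facing" is ambiguous and would read better as "Services that are not attached to this network are not internet-facing."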