Add a really dodgy networking page

decentral1se 2021-07-15 16:22:02 +02:00
parent 4b054591bf
commit 5a6cb28bea
No known key found for this signature in database
GPG Key ID: 5E2EF5A63E3718CC

docs/networking.md Normal file

@ -0,0 +1,21 @@
---
title: Docker Networking
---
!!! warning
Our understanding of Docker networking is probably wrong. We're working on it.
# Traefik networking
When a new Co-op Cloud instance is made, we make a "global" [overlay network](https://docs.docker.com/network/overlay/) which traefik sits on. This is the network that other apps use to speak to traefik and get traffic routed to them. Not every service in every app is also included in this network and hence not internet-facing.
# App networking
One service in an app, typically the one called `app`, sits on the "global" traefik network. This container is the one that should be publicy reachable on the internet. The other services in the app such as the database and caches should be not be publicly reachable or visible to other apps on the same instance.
To deal with this, we make an additional "internal" network for each app which is namespaced to that app. So, if you deploy a Wordpress instance called `my_wordpress_blog` then there will be a network called `my_wordpress_blog_internal` created. This allows all the services in an app to speak to each other but not be reachable on the public internet.
# Avoiding namespace conflicts
When referencing an `app` service in a config file, you should prefix with the `STACK_NAME` to avoid namespace conflicts (because all these containers sit on the traefik overlay network). You might want to do something like this `{{ env "STACK_NAME" }}_app` (using Golang templating).
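Review bot: The "Avoiding namespace conflicts" section says all `app` containers sit on the traefik overlay network, which implies the `app` services of different apps can reach each other over that shared network, but "App networking" only promises isolation for the database and caches. Suggest stating this explicitly, so readers know the per-app `_internal` network separates backing services from other apps but not the `app` containers from one another. In "Traefik networking", the last sentence is ambiguous ("Not every service in every app is also included in this network and hence not internet-facing"); something like "Services that are not attached to this network are not internet-facing" would be clearer. Two typos in "App networking": "publicy" and "should be not be".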