How to make jobs communicate over loopback interface

spuder · September 30, 2019, 9:14pm

I have 2 containers in a nomad group. How can I make it so they communicate over a loopback interface without registering the service in consul?

job "foobar" {
    datacenters = ["dc1"]
    group "foo" {

        volume "puppet-certs" {
            type = "host"
            config {
                source = "puppet-certs"
            }
        }
        task "corvus" {
            driver = "docker"
            config {
                image = "gitlab.example.com:4567/example/corvus:0.2.7"
                entrypoint = [" /go/bin/corvus"]
                args = [
                "--nodes",
                "redis.service.consul:6379",
                "--bind",
                "8379",
                "/dev/null"
                ]
            }
            resources {
                network {
                    port "corvus" {
                        static = "8379"
                    }
                }
            }
        }
        task "redis-cli" {
            driver = "docker"
            config {
                image = "redis:4.0.10"
                command = "/bin/sleep"
                args = ["10000"]
            }
        }

    }
}

I then log into the redis-cli and try and query the other container on the loopback

nomad alloc exec -task redis-cli -job foobar /bin/bash
$ redis-cli ping -p 8379  #no response

spuder · September 30, 2019, 9:22pm

In Nomad 0.10 and newer, you can use consul connect to create envoy proxies that will seamlessly route traffice without having to create consul services

Ensure that you have the CNI plugins already installed

change the network mode to “bridge”.

    group "foo" {

        network {
            mode = "bridge"
        }

Add an envoy proxy sidecar on the service you want to connect to (corvus)

            service {
                connect {
                    sidecar_service {}
                }
            }

Register the destination port on the service you are connecting from (redis-cli)

            service {
                connect {
                    sidecar_service {
                        proxy {
                            upstreams {
                                destination_name = "corvus"
                                local_bind_port = 8379
                            }
                        }
                    }

                }
            }

A full example:

job "foobar" {
    datacenters = ["dc1"]
    group "foo" {

        network {
            mode = "bridge"
        }
        task "corvus" {
            driver = "docker"
            config {
                image = "gitlab.example.com:4567/example/ci-images/corvus:0.2.7"
                entrypoint = ["/go/bin/corvus"]
                args = [
                "--nodes",
                "corvus.service.consul:6379",
                "--bind",
                "8379",
                "/dev/null"
                ]
            }
            service {
                connect {
                    sidecar_service {}
                }
            }
        }
        task "redis-cli" {
            driver = "docker"
            config {
                image = "redis:4.0.10"
                command = "/bin/sleep"
                args = ["10000"]
            }
            service {
                connect {
                    sidecar_service {
                        proxy {
                            upstreams {
                                destination_name = "corvus"
                                local_bind_port = 8379
                            }
                        }
                    }

                }
            }
        }

    }
}

I can then connect into the ‘redis-cli’ task and run these commands

nomad alloc exec -task redis-cli -job foobar /bin/bash
apt update
apt install telnet net-tools
redis-cli -h localhost -p 8379 ping
PONG

Netstat also shows just the 1 available port as listening

netstat -plnt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:8379            0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:8379            0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:8379            0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:8379            0.0.0.0:*               LISTEN      -

Topic		Replies	Views
Communication between different jobs with Consul Connect Nomad connect	2	1164	September 8, 2021
Getting to grips with sidecar_service, consul and service mesh Nomad connect , consul	0	446	May 3, 2022
Can't get simple nomad job to communicate with connect upstream Nomad consul	1	234	January 2, 2024
Nomad task listening on or connecting to the node's loopback interface with Connect enabled Nomad	0	811	May 25, 2020
Nomad using Consul Service Mesh Nomad	3	286	May 3, 2023

How to make jobs communicate over loopback interface

Related topics