Network ports between tasks in the same group

davidtek · May 9, 2024, 7:56pm

Hello,

I have two tasks within the same group in Nomad and would like to have the port 6000 exposed by one task and connected to by the other task.

However I don’t want the port 6000 exposed to anyone OUTSIDE of the task group, since it has the insecure x11 protocol exposed.

Here is the nomad job I built:

job "vnc" {

    group "vnc" {
      network {
  
        port "vnc" {
          to = 8080
        }
  
        port "x11" {
          static = 6000
        }
      }
      task "vnc" {
        driver = "docker"
  
        config {
          image = "theasp/novnc"
          ports = ["vnc","x11"]
        }
  
        env {
          RUN_XTERM="no"
        }
      }
  
      task "browser" {
        driver = "docker"
  
        config {
          image="psharkey/intellij:latest"
  
          entrypoint = ["sh", "-c", "sleep 5; /opt/intellij/bin/idea.sh"]
        }
  
        env {
          DISPLAY="${NOMAD_HOST_IP_vnc}:0.0"
        }
      }
  
    }
  }

The job works, however I find myself with 6000 exposed to the entire network but I wanted that ported only exposed to the other task(s) in my group.

I wonder if I have to use consul connect for this, it seems a bit overkill.

Thanks,

David

Kamilcuk · May 11, 2024, 10:31pm

I think you want just a bridge network. Networking | Nomad | HashiCorp Developer

davidtek · May 21, 2024, 5:39pm

I read the link you said, and that definitely looks like what I was looking for, I updated the sample job from the original post to use bridge:

job "vnc" {

  group "vnc" {

    network {
         mode = "bridge"
      port "vnc" {
        to = 8080
      }
    }

    task "vnc" {
      driver = "docker"

      config {
        image = "theasp/novnc"
        ports = ["vnc","x11"]
      }

      env {
        RUN_XTERM="no"
      }
    }

    task "browser" {
      driver = "docker"
      config {
        image="psharkey/intellij:latest"
        entrypoint = ["sh", "-c", "sleep 5; /opt/intellij/bin/idea.sh"]
      }
      env {
        DISPLAY="127.0.0.1:0.0"
      }
    }

  }
}

Looks like the right behaviour, thanks @Kamilcuk

system · July 22, 2024, 5:39pm

This topic was automatically closed 62 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Docker driver, join container (task) to two docker (nomad) bridged networks Nomad	2	392	May 24, 2022
Network isolation between groups/jobs on the same host Nomad	5	1577	April 5, 2022
Expose all ports between tasks Nomad	0	556	August 13, 2020
Configure network "pinning" for jobs Nomad	1	233	March 10, 2024
Nomad 101 : difficulty understanding networking between two tasks in one group Nomad	3	351	July 7, 2023

Network ports between tasks in the same group

Related topics