"Private" bridge networking

bensherred · March 30, 2024, 9:44am

Hi there,

I’ve been trying to figure this out for a while now with no joy. I have the following 2 jobs which are using Docker and bridge networking:

job "job1" {
  type = "service"

  group "group" {
    count = 1

    network {
      mode = "bridge"
    }

    task "web" {
      driver = "docker"

      config {
        image = "nginx:latest"
      }
    }

    task "redis" {
      driver = "docker"

      config {
        image = "redis:latest"
      }
    }
  }
}

job "job2" {
  type = "service"

  group "group" {
    count = 1

    network {
      mode = "bridge"
    }

    task "web" {
      driver = "docker"

      config {
        image = "nginx:latest"
      }
    }
  }
}

My question is: Is there a way I can make it so the jobs/groups cannot communicate with other jobs/groups, but each task gets given its own IP and can communicate with other tasks in the same group?

fred-gb · March 31, 2024, 11:47am

Hi,

Do you know Consul Service Mesh?

This is a way I use to get them to communicate across tasks and groups.

This an example jobs I used:

job "mosquitto-stack" {
  region = "global"
  datacenters = ["dc1"]
  type = "service"
  node_pool = "all"

  group "mosquitto-server" {

    count = 1

    restart {
      attempts = 10
      interval = "5m"
      delay = "10s"
      mode = "delay"
    }

    network {
      mode = "bridge"

        port "mqtt" {
        to = 1883
        static = 1883
      }
    }

    service {
      name = "mqtt"
      port = "1883"

      connect {
        sidecar_service {}

        sidecar_task {
          resources {
            cpu    = 64
            memory = 64
          }
        }
      }
    }

    task "server" {
      driver = "docker"

      config {
        image = "eclipse-mosquitto:latest"

        mount {
          type = "bind"
          target = "/mosquitto/config/mosquitto.conf"
          source = "local/mosquitto.conf"
          readonly = false
          bind_options {
            propagation = "rshared"
          }
        }

        ports = ["mqtt"]
      }

      template {
        data = <<EOH
listener 1883
allow_anonymous true
EOH
        destination = "local/mosquitto.conf"
      }

      template {
        data = <<EOH
ANSIBLE_FORCE_COLOR=TRUE

EOH
        destination = "secrets/file.env"
        env         = true
      }

      resources {
        cpu    = 128
        memory = 128
      }
    }
  }

  group "mosquitto-client" {

    count = 1

    restart {
      attempts = 10
      interval = "5m"
      delay = "10s"
      mode = "delay"
    }

    network {
      mode = "bridge"
    }

    service {
      name = "mesh"

      connect {
        sidecar_service {
          proxy {
            upstreams {
              destination_name = "mqtt"
              local_bind_port  = "1883"
            }
          }
        }
        sidecar_task {
          resources {
            cpu    = 64
            memory = 64
          }
        }
      }
    }

    task "client" {
      driver = "docker"

      config {
        image = "alpine:latest"
        entrypoint = ["/bin/sleep", "3600"]
      }

      resources {
        cpu    = 128
        memory = 128
      }
    }
  }
}

benvanstaveren · March 31, 2024, 8:56pm

You don’t have to - that’s exactly what Nomad sets up for you. A task in a group can communicate with other tasks in the same group (see the Nomad Runtime Environment docs, you can get the IP:port of all other declared ports, which you would declare using the port stanza in the network block.