
I had a really hard time coming up with a short and descriptive title for this... Let me explain:

In classic Docker (no swarm mode) I had my system set up in a way that my PostgreSQL database would expose its main port (5432) only to localhost. That way I could SSH into my web server, tunnel port 5432 to localhost and use pgAdmin on my dev machine as if the database were running locally on my machine. This is comfortable to use and (to my knowledge) pretty secure.

However, I am currently in the process of migrating this to swarm mode. As far as I know (and could google) it is not possible to expose a service port only to localhost in swarm mode. This also kind of makes sense, since services can spontaneously move to a different node and you really don't want to be concerned with which service is running where.

In my case the database service will be constrained to a single node since I'm using standard local volumes for database persistence (for now at least). So I know on which machine the db is running.

Now, the services can talk to one another just fine without exposing any ports because they're all on the same overlay network. However, when I want to inspect (or modify) my database interactively, for example with pgAdmin, I can only see unsatisfying solutions:

  • expose port 5432 (and all its potentially exploitable vulnerabilities) to the internet
  • spin up a pgAdmin service inside the same overlay network as postgresql and expose that to the internet (again: hackable)
  • SSH into the db node, exec into the container and do everything from the command line (ugh...)

Is there any better way to handle this? Am I missing something?

As an aside, I consider the following points off-topic for this discussion:

  • I know you shouldn't manually modify live databases. This is for testing and diagnostics only.
  • I know that it would be better to use some advanced volume management stuff like REX-Ray or whatever, but currently this is overkill for me. Please don't try to convince me to move away from local volumes just because it's "better".
  • I know I could just not use swarm mode for the db. I still want to learn how to handle this properly in swarm mode since the use case (secure access to swarm service) doesn't seem very exotic to me. Also I want to use some swarm-only features like secrets and configs.
MadMonkey
  • You could expose pgsql port only to a specific interface (let's say a subnet VPC), and keep using ssh tunnels to securely connect to it. IIRC `-p localhost:port:dockerguest:port` is the full parametrisation for exposing ports. – Marcel Feb 04 '19 at 16:16
  • As far as I know this only works for classical (non-swarm) containers. In swarm mode (`docker service create`) you can no longer set IPs for the ports. Or did you mean something else? – MadMonkey Feb 04 '19 at 16:53
  • You can run an sshd service in your swarm with access to your db overlay network – Bob Jul 04 '21 at 11:47
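
For reference, the following stack file is an added example (not posted by the asker or any commenter) that reproduces the setup described in the question: PostgreSQL on an overlay network, pinned to one node, backed by a local volume, with the password supplied as a swarm secret and, crucially, no published port. The weak setting from the question's first option is shown commented out next to it. The network name `dbnet`, volume name `pgdata`, node hostname `dbnode`, secret file `./pg_password.txt` and the `my-web-app` image are assumed names, not from the question.

```yaml
# Added example stack file for the setup described in the question.
# Assumed names (not taken from the question): network "dbnet",
# volume "pgdata", node hostname "dbnode", secret file ./pg_password.txt.
version: "3.8"

services:
  db:
    image: postgres:15
    environment:
      # Read the superuser password from a swarm secret instead of a plain
      # environment variable (the official image supports the *_FILE suffix).
      POSTGRES_PASSWORD_FILE: /run/secrets/pg_password
    secrets:
      - pg_password
    volumes:
      - pgdata:/var/lib/postgresql/data
    networks:
      - dbnet
    # Deliberately no "ports:" section: the database is reachable only from
    # containers attached to the overlay network. As the question notes, a
    # published port in swarm mode cannot be restricted to localhost, so the
    # "expose 5432 to the internet" option from the question would look like:
    #   ports:
    #     - target: 5432
    #       published: 5432
    #       protocol: tcp
    #       mode: ingress
    deploy:
      replicas: 1
      placement:
        constraints:
          # Pin the service to the node that holds the local volume.
          - node.hostname == dbnode

  web:
    image: my-web-app:latest   # placeholder image name
    networks:
      - dbnet
    # The application reaches the database as db:5432 over the overlay
    # network only; nothing is published on any node's interfaces.

networks:
  dbnet:
    driver: overlay

volumes:
  pgdata: {}   # default local driver; the data lives only on dbnode

secrets:
  pg_password:
    file: ./pg_password.txt
```

Deploy with `docker stack deploy -c stack.yml app`; afterwards the PORTS column of `docker service ls` is empty for `app_db`, and `ss -ltn` on `dbnode` shows no listener on 5432. Interactive access then follows the question's third option: SSH to `dbnode` and run `docker exec -it $(docker ps -q -f name=app_db) psql -U postgres`, so the only thing reachable from outside the swarm is the SSH daemon you already expose.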

0 Answers