16

For testing our escrow build, I'm attempting to set up a docker network that's isolated from the host and from the outside world.

I've got the following docker-compose.yml (inspired by this forum post):

version: '3'

services:
  redis:
    image: "redis:2.8.23"
    networks:
      - isolated

  # ... more services (TODO)

networks:
  isolated:
    driver: overlay
    internal: true

When I run docker-compose up -d, it creates the network, but then fails to create the containers, reporting the following:

ERROR: This node is not a swarm manager. Use "docker swarm init" or "docker swarm join" to connect this node to swarm and try again.

But I'm not using docker swarm, nor do I want to.

If I remove the services: stanza from the file, it brings up the network without the error. It warns that the network is unused (obviously).

If I remove the services/redis/networks stanza, it brings up the container correctly.

What am I doing wrong?

I found this answer, which uses driver: bridge for the network, but that still allows access to the host.


  • Docker version 18.09.3, build 774a1f4
  • docker-compose version 1.21.2, build a133471
Roger Lipscombe

1 Answer

17

You have specified the network driver to be overlay.

The overlay network driver very much depends on swarm mode and can effectively be considered to be a swarm mode component.

Instead, you should choose a driver that is a local scope driver rather than a swarm scope driver.

The driver you should use is the bridge driver. The bridge network driver is not part of swarm mode and does not depend on swarm mode being active to utilize it.

Since you are using docker-compose, you can just leave the specific driver out entirely, and it will choose the appropriate driver for you. I would recommend removing the driver: overlay line completely and leaving the rest of the file as-is:

version: '3'

services:
  redis:
    image: "redis:2.8.23"
    networks:
      - isolated

  # ... more services (TODO)

networks:
  isolated:
    internal: true
programmerq
  • This is what I did in the end, but it leaves the container able to access the host. I can live with that, I guess, but I'd prefer a completely isolated network... – Roger Lipscombe Mar 08 '19 at 21:21
  • Take a look at the macvlan driver too. – programmerq Mar 08 '19 at 21:22
  • I am getting the same error while trying to create an --attachable overlay network for a standalone container – Gunjan Shah Apr 17 '21 at 02:38
  • @GunjanShah if you want to use any swarm features, including attachable overlay networks, you'll need to make the node be a part of a swarm. – programmerq Apr 19 '21 at 13:17
  • @programmerq, I was referring to the documents on the Docker website: https://docs.docker.com/network/overlay/. The docs for overlay networks for standalone containers are really confusing. They have not clearly mentioned that the node needs to be a swarm resource where we can create an attachable overlay network. I have even added a new question on this query. You can add more details there if you don't mind: https://stackoverflow.com/questions/67134199/error-while-creating-overlay-network-for-standalone-containers – Gunjan Shah Apr 20 '21 at 08:38
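
Added example, not part of the question, the answer or the comments: a small audit over `docker network inspect` JSON that flags the three conditions discussed in this thread (a swarm-scoped driver on a non-swarm node, a network without `internal: true`, and an internal bridge where the host is still reachable). The sample data, the network names and the helpers `audit_network` and `audit_all` are constructed for illustration, and the host-side bridge address is assumed to be the IPAM gateway.

```python
import json

# Constructed sample in the shape of `docker network inspect` JSON output
# (network names and addresses are made up for illustration).
SAMPLE_INSPECT = json.loads("""
[
 {"Name": "escrow_isolated", "Driver": "bridge", "Scope": "local", "Internal": true,
  "IPAM": {"Config": [{"Subnet": "172.28.0.0/16", "Gateway": "172.28.0.1"}]}},
 {"Name": "escrow_default", "Driver": "bridge", "Scope": "local", "Internal": false,
  "IPAM": {"Config": [{"Subnet": "172.29.0.0/16", "Gateway": "172.29.0.1"}]}},
 {"Name": "escrow_overlay", "Driver": "overlay", "Scope": "swarm", "Internal": true,
  "IPAM": {"Config": []}}
]
""")


def audit_network(net, swarm_active=False):
    """Return isolation findings for one network object (hypothetical helper)."""
    findings = []
    # Swarm-scoped drivers such as overlay need the node to be in a swarm.
    if net.get("Scope") == "swarm" and not swarm_active:
        findings.append("swarm-scoped driver '%s' on a non-swarm node" % net.get("Driver"))
    if not net.get("Internal", False):
        # Without internal: true the network is not cut off from outside.
        findings.append("internal is false: external connectivity allowed")
    elif net.get("Driver") == "bridge":
        # Assumption: the host side of the bridge holds the IPAM gateway
        # address, which is how the host stays reachable as the asker reports.
        for cfg in (net.get("IPAM") or {}).get("Config") or []:
            if cfg.get("Gateway"):
                findings.append("host reachable at bridge address %s" % cfg["Gateway"])
    return findings


def audit_all(networks, swarm_active=False):
    """Map each network name to its findings."""
    return {n["Name"]: audit_network(n, swarm_active) for n in networks}


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_INSPECT).items():
        print(name, "->", findings or ["no findings"])
```

On a live host, pass it the parsed JSON printed by `docker network inspect` for the networks compose created.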