Hey everyone,
I have a question related to using Consul with Docker, which I hope is a pretty popular use case out there.
I have recently started using spring-cloud-consul in some of my Spring Boot services that run inside Docker containers. I have a few Docker hosts that have Consul agents configured as well. They run natively and not within other docker containers themselves.
I've been having trouble reaching them from within the Docker containers, however, without specifying --net=host on the container. This scares the networking folks as a security problem in that our container can now potentially see things that it shouldn't on the container's host.
The only other way I can think to do this in bridged mode would be to bind the agent to 0.0.0.0, so it is available on the Docker host's loopback interface, then get the IP address of the Docker host running Consul natively into the container through --add-host and some expression evaluated when starting the container (or another hack mentioned in https://github.com/docker/docker/issues/1143). But this scares the networking folks as well.
Is there a recommended way of doing this -- which ports are safe and should be exposed by the agent when running on a Docker host scenario like this where containers need to be able to talk to the Agent running on the host?
Thanks for any help/advice!
Chris
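An added example, not from Chris's post or the Consul project: a shell sketch of the bridged-mode alternative described above, with the agent's HTTP/DNS client interface bound to the docker0 bridge address rather than 0.0.0.0, and that address handed to the container through --add-host. It assumes the bridge is named docker0, the agent's HTTP port is the default 8500, and the service reads spring.cloud.consul.host/port from the environment; the `ip addr` output is a constructed sample so the script runs offline.

```shell
#!/bin/sh
# Constructed sample of `ip -4 addr show docker0` (assumed bridge name),
# standing in for the live command so this runs anywhere.
SAMPLE_IP_ADDR_OUTPUT='4: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever'

# Extract the bridge IPv4 address (strip the /prefix) from that output.
bridge_ip() {
  printf '%s\n' "$1" | awk '$1 == "inet" { sub(/\/.*/, "", $2); print $2; exit }'
}

# Agent invocation: gossip/RPC (-bind) stays on the host LAN address, while
# the HTTP/DNS client API (-client) listens only on the bridge address, so
# it is reachable from containers but not from the wider network.
consul_agent_cmd() {
  # $1 = host LAN address, $2 = docker0 bridge address
  printf 'consul agent -bind=%s -client=%s -data-dir=/var/lib/consul' "$1" "$2"
}

# Container run line: no --net=host, just a host alias pointing at the bridge
# address, which spring-cloud-consul picks up as spring.cloud.consul.host.
docker_run_cmd() {
  # $1 = docker0 bridge address, $2 = image name
  printf 'docker run -d --add-host consul:%s -e SPRING_CLOUD_CONSUL_HOST=consul -e SPRING_CLOUD_CONSUL_PORT=8500 %s' "$1" "$2"
}

BRIDGE=$(bridge_ip "$SAMPLE_IP_ADDR_OUTPUT")          # 172.17.0.1 for the sample
consul_agent_cmd 10.0.0.5 "$BRIDGE"; echo            # 10.0.0.5 is a placeholder LAN address
docker_run_cmd "$BRIDGE" my-spring-service:latest; echo
```

In a real deployment replace SAMPLE_IP_ADDR_OUTPUT with `$(ip -4 addr show docker0)` on the host; only the client ports (HTTP 8500, DNS 8600) need to be reachable from containers this way.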