
Remove unneeded ports from docker-compose.yml and

Closed Pascal Ernster requested to merge remove-unneeded-ports-from-docker-compose.yml into develop

docker-compose.override.yml

Don't expose any ports except port 3000 to outside the Docker environment, and only expose port 3000 to the Docker host's loopback interface (127.0.0.1 and [::1]).

Merge request reports

Pipeline #6840 failed

Pipeline failed for 2563ef6b on remove-unneeded-ports-from-docker-compose.yml

Closed by Anusha Ranganathan 1 year ago (Jul 6, 2023 3:42am UTC)


Activity

  • Pascal Ernster requested review from @anusha

  • We would need to test the containers are still able to talk to each other when these port definitions are removed. Likely we have to define internal ports and make changes to the env file.

  • I think there's a misunderstanding on how docker-compose.yml files work.

    Quote from Docker's documentation on compose files:

    By default Compose sets up a single network for your app. Each container for a service joins the default network and is both reachable by other containers on that network, and discoverable by them at a hostname identical to the container name.

    Networks

    In our case, there actually is a custom network with the name of internal defined, and all containers are connected to that same network.
    Side note: The name internal is probably not the best name choice here, because a network can also have a property called internal, which configures whether outbound connections (from containers in that network to the internet) should be forbidden (the default value for that internal flag is false, so by default, outbound internet connections are allowed). This would then look like this (the first internal is the network, the second one is the configuration flag):

    networks:
      internal:
        internal: true

    Ports

    The ports: setting is completely orthogonal to this, and configures whether a port of a container should be exposed to the Docker host or via the Docker host's own network interface (opening a pass-through listener on the Docker host on either 127.0.0.1:$portnumber or 0.0.0.0:$portnumber).

    The ports: directive does not configure/define connections between containers (unless you expose container A's port on all of the host's network interfaces and then have container B connect to that exposed port on the host - but that would clearly not be the intended usage of these features).

    tl;dr

    • All containers that are connected to the same Docker network can connect to each other on all ports.
    • In RDMS, currently all containers are connected to the same network, so they can all connect to each other on all ports.
    • At least in our setup, the ports: directive is only needed to expose the web container's web server port (TCP port 3000 in our case) to the host, such that our nginx reverse proxy can connect to the web container's port 3000 when adding TLS and reverse-proxying that port to port 443 on the public network interface.
    Edited by Pascal Ernster
  • Anusha Ranganathan added 1 deleted label

  • When using the internal docker network, afaik, we need to replace localhost by the internal name. These changes should be only in the env file, but I would need to confirm (and change the default values in .env.template).
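The ports-versus-networks distinction explained in the thread above, as an added example Compose file that is not the RDMS project's own configuration: the service names (web, db, redis), images, the env-file variables and the removed port mappings are all assumptions chosen to illustrate the point.

```yaml
# Added example (not the project's real compose file): service names, images,
# env values and the "before" mappings in the comments are assumptions.
# Point of the example: containers reach each other over the shared Compose
# network, so only the web server port needs a host binding, and that binding
# goes to loopback so only the host's nginx reverse proxy can reach it.
services:
  web:
    build: .
    env_file: .env           # assumed to hold DATABASE_HOST=db, REDIS_URL=redis://redis:6379
    networks: [internal]
    ports:
      # Before (risky): "3000:3000" binds 0.0.0.0 and [::], i.e. every host
      # interface, so the plain-HTTP app port is reachable from the network.
      # After: publish 3000 on loopback only; nginx on the host terminates
      # TLS on 443 and proxies to 127.0.0.1:3000 (or [::1]:3000).
      - target: 3000
        published: 3000
        host_ip: 127.0.0.1
        protocol: tcp
      - target: 3000
        published: 3000
        host_ip: "::1"
        protocol: tcp
  db:
    image: postgres:15
    networks: [internal]
    # Before (assumed): ports: ["5432:5432"] was listed here. Not needed:
    # web reaches this container as db:5432 over the network below, and
    # dropping the mapping keeps the database off the host's interfaces.
  redis:
    image: redis:7
    networks: [internal]
    # Likewise no ports: entry; reachable from web as redis:6379.

networks:
  internal:
    driver: bridge
    # The network-level flag of the same name, mentioned in the thread,
    # would block outbound traffic from these containers if set to true.
    # Left at the default (false) here because the app may need egress.
```

After `docker compose up -d`, `docker compose ps` should list published ports only for the web service, shown as 127.0.0.1:3000 and [::1]:3000; if db or redis still show a host mapping, an override file (such as docker-compose.override.yml) is still adding one.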
