More than 1 network/NIC & bind container to networks
Hi,
As requested by @girish, a feature request thread following a discussion here:

Current situation:
(Please correct me if I am wrong here)
At the moment cloudron only "listens" to one NIC per OS instance it is deployed upon. This is usually (and recommended to be) a public IP.
Requests from other NICs are not handled or not properly handled.

Feature request:
- Allow cloudron to listen to more than one NIC at the same time (but not hard-coded to all) (*)
- Allow cloudron to listen to more than one network&IP at the same time at least via different NICs (**)
- Allow cloudron admins to govern what networks an app listens to.
(*: As this could kill the setup of some bare-metal users, I reckon, e.g. when they have other services running on the same machine already)
(**: I am fully aware that this could also be facilitated with one NIC in a lot of cases, but this would require far more modifications on the base OS, so maybe we should split these requirements into later FRs)

Reasoning/scenario:
Keeping internal and external networks apart is always a good idea, and network segregation has been a de facto industry standard for ages now, but it has become even more important in cases where IoT or guest devices are used within an internal network.

While some users mainly provide only public-facing (e.g. LAMP, wikis, helpdesk for customers) or only internally facing services (internal wiki, media content, etc.), a deployment in a DMZ - in layman's words: the middle ground between internal & external networking - makes sense.
(Note: This can of course also be facilitated by using two or more separate cloudron instances if you have a separate set of apps for internal and external, and I would recommend this security-wise, but it is outside the scope of cloudron if you don't - keeping apps synced is its own game.)

Now, in theory you could always let your internal hosts use the "outside" network to access cloudron - but that is often undesired, e.g. for security reasons, and additionally puts load on your WAN/UTM/FW.
Especially on virtualized cloudron hosts (e.g. on a bridged Proxmox setup) the easiest way for many users might be to just add another virtual NIC to the VM and define the network the VM should also be connected to.
But here comes the problem - while it is absolutely possible to have a docker container listen to different or multiple hosts so far cloudron does not allow this.
To give a few examples where this would be handy:
- You want IoT devices to access media files and be monitored by Prometheus or the proposed [Zabbix](https://forum.cloudron.io/topic/1211/zabbix-network-monitoring-solution?_=1666369185907)
- You want students to access a wiki, Moodle and an internal mail system but not the internet; staff on their network should meanwhile access the internet, Moodle, media files, the wiki, and the ticket system.
- You want internal staff to access certain resources (e.g. Invoice Ninja and Paperless) but don't want them public-facing, while a project management system should be used both internally and externally.
In all these cases granular control over the networks would be used to get a proper setup - and in all those cases you need a host that has access to multiple networks at the same time.
(Disclaimer: As there are a fair number of not-that-adept users and people not speaking English as their first language here, I tried to keep the wording simple. Sorry to all the pros out there.)
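The Docker-level mechanism the post is pointing at, as an added example that is not part of the original post and not Cloudron's own code: a docker-compose file that publishes one stand-in app only on the host's LAN address and a second one on both the public and the LAN address. The two host addresses, the service names and the image are assumptions made for the example.

```yaml
# Added example, not Cloudron code. Assumed host addresses:
#   203.0.113.10  = address on the public NIC (e.g. eth0)
#   10.10.0.10    = address on the internal/LAN NIC (e.g. eth1)
# Both services are plain nginx containers standing in for real apps.
services:
  wiki:
    # Internal-only app: the published port is bound to the LAN address,
    # so nothing listens for it on 203.0.113.10.
    image: nginx:alpine
    ports:
      - "10.10.0.10:8080:80"
  projects:
    # App that must be reachable from both networks: publish the same
    # container port once per host address instead of on 0.0.0.0.
    image: nginx:alpine
    ports:
      - "203.0.113.10:8081:80"
      - "10.10.0.10:8081:80"
```

After `docker compose up -d`, `docker compose port wiki 80` (or `ss -tlnp` on the host) should show 8080 bound to 10.10.0.10 only, while 8081 appears on both addresses. Two caveats a practitioner should keep in mind: Docker installs its own iptables rules for published ports ahead of the host's INPUT chain, so any host firewall rule meant to restrict them has to go into the DOCKER-USER chain; and binding to the LAN address only separates the networks if the public NIC cannot route traffic to 10.10.0.10, which is a routing/firewall question rather than something the port binding decides.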