Hello,
My project has an “app” container (business logic) and a “database” container (for persisting data). The app container needs to access bluetooth, and thus must be run with `network_mode: host`. It seems that, in order for the app container to communicate with the database container, the database container must also be run with `network_mode: host`.
This means (as far as I know) that any ports my containers expose for communication to each other (e.g. the database port) are now open to anyone who is on the same network as the device. I have tested this so far with an image in development mode only, and I was able to connect to the database without any trouble.
I was wondering if there is any way to configure the host OS to restrict incoming connections (on certain ports, or altogether), while still allowing the localhost connection that happens between the containers.
Alternatively, is there a better way to set up the database container so that it is accessible to the app container (which is on the host network), without exposing it on the host network itself?
Sidenote: I saw `RESIN_HOST_FIREWALL_MODE` mentioned on the device configuration page in the Balena Cloud Dashboard, but I couldn’t find any documentation on it anywhere. Does anyone know what it is for?
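One way to set this up, as an added example that is not part of the original post: both services stay on the host network, but the database server is told to bind only the loopback address, so the app reaches it at 127.0.0.1 while other machines on the same LAN get no listener at all. The example assumes PostgreSQL on its default port 5432; the image, service names and credentials are placeholders, not anything from the post.

```yaml
version: "2"

services:
  database:
    image: postgres:15              # assumed database engine; adjust to your own
    network_mode: host              # same host network namespace as the app
    # The official image defaults to listen_addresses='*'. Overriding it on the
    # command line makes the server bind only the loopback interface, so it is
    # unreachable from the LAN but still reachable from any host-networked
    # container on this device.
    command: ["postgres", "-c", "listen_addresses=127.0.0.1"]
    environment:
      POSTGRES_PASSWORD: change-me   # placeholder; supply via a service variable
    volumes:
      - db-data:/var/lib/postgresql/data

  app:
    build: ./app                    # placeholder build context
    network_mode: host              # required for bluetooth access
    depends_on:
      - database
    environment:
      # 127.0.0.1 here is the device itself, not the container, because both
      # services share the host network namespace.
      DATABASE_URL: postgres://postgres:change-me@127.0.0.1:5432/postgres

volumes:
  db-data:
```

After deploying, check on the device that the listener is bound to loopback only (`ss -ltn` should show `127.0.0.1:5432`, not `0.0.0.0:5432`) and that a connection attempt from another machine on the LAN is refused. For a database that cannot restrict its bind address, the same effect can be reached at the host level with a firewall rule that drops traffic to that port unless it arrives on the `lo` interface.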