how to make the node-exporter and cadvisor available to prometheus container only?

Question

I have successfully setup Prometheus service in a docker container.Also I am running the services like node-exporter and cadvisor on different other ports in the same hosts.

All the services are being run using the docker-compose. Here is the sample

version: '2'


volumes:
    grafana_data: {}

services:

    prometheus:
        image: prom/prometheus
        privileged: true
        volumes:
            - ./prometheus.yml:/etc/prometheus/prometheus.yml
            - ./alertmanager/alert.rules:/alertmanager/alert.rules
        command:
            - '--config.file=/etc/prometheus/prometheus.yml'
        ports:
            - '9090:9090'

    node-exporter:
        image: prom/node-exporter
        ports:
            - '9100:9100'
    cadvisor:
        image: google/cadvisor:latest 
        privileged: true
        volumes:
            - /:/rootfs:ro
            - /var/run:/var/run:rw
            - /var/lib/docker/:/var/lib/docker:ro
            - /dev/disk/:/dev/disk:ro
            - /cgroup:/sys/fs/cgroup:ro
        ports:
            - '8080:8080'

How to make the cadvisor service not accessible to public as for now everyone can access the cadvisor and node-exporter visiting the host url with ports it is being assigned. But as the prometheus depends on it only prometheus should be able to access it.

Answer 1

If you don't need to access the service externally, simply don't publish the ports for that service, delete the ports section from each of those services. The resulting compose file will look like:

version: '2'
volumes:
    grafana_data: {}
services:
    prometheus:
        image: prom/prometheus
        privileged: true
        volumes:
            - ./prometheus.yml:/etc/prometheus/prometheus.yml
            - ./alertmanager/alert.rules:/alertmanager/alert.rules
        command:
            - '--config.file=/etc/prometheus/prometheus.yml'
        ports:
            - '9090:9090'

    node-exporter:
        image: prom/node-exporter
        # removed "ports" from here

    cadvisor:
        image: google/cadvisor:latest 
        privileged: true
        volumes:
            - /:/rootfs:ro
            - /var/run:/var/run:rw
            - /var/lib/docker/:/var/lib/docker:ro
            - /dev/disk/:/dev/disk:ro
            - /cgroup:/sys/fs/cgroup:ro
        # removed "ports" from here

Containers talk to each other across a shared network, which you get by default with docker compose or a docker stack. To use container to container networking, reference the target container by it's service name (in this case: node-exporter and cadvisor), and use the container port, not the published port, which in your case was the same.