[UPDATED] Network Mode Settings when I Use Secure Storage API

I have an app that includes containerA, containerB and containerC on the edge. I hope containerC can access secure storage, so I set containerC's network mode to "proxy-redirect". But I hope containerA's and containerB's network mode can be "host" (biz requirements). And I hope my app can be built successfully with the IEAP CLI and started successfully.

Issue

The overall architecture for this issue is below.

Here is my initial docker-compose.yaml file:

    version: '2.4'
    services:
      containerA:
        image: containerA:0.2.0-1
        container_name: containerA
        hostname: containerA
        network_mode: "host"
        mem_limit: 3221225472
      containerB:
        image: containerB:0.2.0-1
        hostname: containerB
        container_name: containerB
        environment:
          - PGID=1000
          - PUID=1000
        mem_limit: 524288000
        networks:
          - proxy-redirect
        depends_on:
          - containerA
      containerC:
        image: containerC:0.2.0-1
        hostname: containerC
        container_name: containerC
        environment:
          - PGID=1000
          - PUID=1000
        mem_limit: 524288000
        networks:
          - proxy-redirect
        depends_on:
          - containerA
          - containerB
    networks:
      proxy-redirect:
        name: proxy-redirect
        driver: bridge

I use standalone mode to create/export the app file with the commands below, and the commands execute successfully with no errors.

    ie-app-publisher sa c -a "local-cli" -p "XOCYSSensorAppID8d83v5du87BJ8nwB" -r "localrepo" -d "desc" -i "/data/xo/container-bridge/sensor.png" -w "https://cwniu.com"
    ie-app-publisher sa ac -a "local-cli" -n "xo-cys-sensor-configuration" -d "XO CYS Sensor App Configuration" -p "xo-cys-sensor-config-configurator" -f /data/xo/container-bridge/sensor-activation.jws
    ie-app-publisher sa cv -a "local-cli" -v 1.0.0-1 -y "/data/xo/container-bridge/docker-compose.yaml" -m
    ie-app-publisher sa ev -a "local-cli" -v 1.0.0-1 -e /data/xo/container-bridge

But I found that the code below is removed from the docker-compose.yaml inside the .app file, which causes app installation errors.

    networks:
      proxy-redirect:
        name: proxy-redirect
        driver: bridge

ENV

    industrial-edge-app-publisher-v1.8.3.deb
    ie-app-publisher is 1.8.0
    IED: Version pied-1.13.0-4-b-rc1 non-productive use only
    IEM Version: 1.13.10

Question

Can I set different network modes for different containers in the same docker-compose.yaml in the edge system?

Why does the IEAP CLI remove my networks policy? Am I using it incorrectly? Thanks~
asked
2 answers

Thank you for this question – we will come back to you with an answer asap!

answered

Re 1:

  • The “network_mode” can only be set per service, as it applies to individual containers.
  • Please understand that setting a “network_mode: host” automatically and unconditionally exposes all your containers’ ports, regardless of whether you want this to happen or not. There is no way to avoid this, as this is the way Linux (Docker) containers work.
  • “network_mode: host” makes it impossible to connect the container to any Docker network, and especially not the proxy-redirect network.
  • “network_mode: host” can cause other applications to become uninstallable due to port conflicts.

 

There are much better ways to access the host’s network namespace if really necessary without attaching the container to the host network namespace, avoiding a lot of TRA issues all the way down. Please contact me directly, if you want to learn more.

 

You can get a detailed view into your IED’s and containers’ communication setup by installing the OpenSource Siemens Edgeshark app (download .zip, unpack .app, import .app into your IEM, deploy app). Please note that this is not a product, but a tool we provide in hope of further fostering the Industrial Edge platform.

 

Edgeshark

answered
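A pre-publish check for the network points raised in this thread, as an added example that is not part of the original posts and not Siemens or Docker code. It assumes the compose file has already been loaded into a dict by a YAML parser; the function name and finding codes are hypothetical, and the sample data is constructed from the question's compose file.

```python
# Added example: audit a parsed docker-compose model for the issues above.
# audit_networks and its finding codes are hypothetical names.

def audit_networks(compose):
    """Return a sorted list of (service, finding) tuples."""
    defined = set(compose.get("networks") or {})
    findings = []
    for name, svc in (compose.get("services") or {}).items():
        mode = svc.get("network_mode")
        # 'networks' may be a list or a mapping; both yield network names
        attached = set(svc.get("networks") or [])
        if mode == "host":
            # host namespace: every listening port is reachable on the host
            findings.append((name, "host-mode"))
        if mode and attached:
            # network_mode cannot be combined with a networks list
            findings.append((name, "conflict"))
        for net in sorted(attached - defined):
            # service references a network with no top-level definition,
            # the state of the compose file found inside the exported .app
            findings.append((name, f"undefined-network:{net}"))
    return sorted(findings)

# Constructed sample mirroring the question's docker-compose.yaml
ORIGINAL = {
    "services": {
        "containerA": {"network_mode": "host"},
        "containerB": {"networks": ["proxy-redirect"]},
        "containerC": {"networks": ["proxy-redirect"]},
    },
    "networks": {"proxy-redirect": {"name": "proxy-redirect",
                                    "driver": "bridge"}},
}
# Same file with the top-level networks block stripped, as described
EXPORTED = {k: v for k, v in ORIGINAL.items() if k != "networks"}

if __name__ == "__main__":
    for label, model in (("original", ORIGINAL), ("exported", EXPORTED)):
        for service, finding in audit_networks(model):
            print(f"{label}: {service}: {finding}")
```

Running the same audit on the compose file extracted from the exported .app, before importing it into the IEM, shows whether the top-level networks block survived the export.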