Understanding Docker network isolation

I have created the following docker-compose file...

version: '3'

services:
  db-service:
    image: postgres:11
    volumes:
      - ./db:/var/lib/postgresql/data
    expose:
      - 5432
    environment:
      - POSTGRES_PASSWORD=mypgpassword
    networks:
      - net1
  pgadmin:
    image: dpage/pgadmin4
    volumes:
      - ./pgadmin:/var/lib/pgadmin
    ports:
      - 5000:80
    environment:
      - [email protected]
      - PGADMIN_DEFAULT_PASSWORD=mypass
    networks:
      - net1
networks:
  net1:
    external: false

From reading various docs on the docker site, my expectation was that the pgadmin container would be able to access the postgres container via port 5432 but that I should not be able to access postgres directly from the host. However, I am able to use psql to access the database from the host machine.

In fact, if I comment out the expose and ports lines I can still access both containers from the host.

What am I missing about this?

EDIT - I am accessing the container by first running docker container inspect... to get the IP address. For the postgres container I'm using

psql -h xxx.xxx.xxx.xxx -U postgres

It prompts me for the password and then allows me to do all the normal things you would expect.

In the case of the pgadmin container I point my browser to the IP address and get the pgadmin interface.

Note that both of those are being executed from a terminal on the host, not from within either container. I've also commented out the expose command and can still access the postgres db.

dazedandconfused asked Feb 24 '26 19:02


1 Answer

docker-compose creates a network for those two containers to be able to talk to each other when you run it, through a DNS service which will contain pointers to each service, by name.

So from the perspective of the pgadmin container, the dbserver can be reached under hostname db-service (because that is what you named your service in the docker-compose.yml file).

So, that traffic does not go through the host, as you were assuming, but through the aforementioned network.

For proof, docker exec -it [name-of-pg-admin-container] /bin/sh and type: ping db-service. You will see that docker provides a DNS resolution and that you can even open a connection to the normal postgres port there.

Hans Westerbeek answered Feb 27 '26 09:02
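As an added example (not code from the question or the answer above), a small Python audit of a Compose file that separates what `ports:` publishes on the host from what `expose:` merely documents, and lists which services can resolve each other by name over a shared network. It assumes the file has already been parsed into a dict of the shape PyYAML's safe_load produces; the embedded sample is the question's own file re-typed.

```python
from typing import Any

# Constructed sample: the question's docker-compose.yml, re-typed as a dict
# so the script runs without PyYAML (yaml.safe_load() yields the same shape).
SAMPLE_COMPOSE: dict[str, Any] = {
    "services": {
        "db-service": {"image": "postgres:11", "expose": [5432],
                       "networks": ["net1"]},
        "pgadmin": {"image": "dpage/pgadmin4", "ports": ["5000:80"],
                    "networks": ["net1"]},
    },
    "networks": {"net1": {"external": False}},
}


def container_port(spec: Any) -> str:
    """Container-side port of a ports: entry: "5000:80", "127.0.0.1:5000:80",
    "80/udp" or 80 all reduce to the last colon-separated field, sans protocol."""
    return str(spec).split("/")[0].rsplit(":", 1)[-1]


def audit_compose(doc: dict[str, Any]) -> dict[str, dict[str, Any]]:
    """Per service: ports published on the host (ports:), ports merely
    documented (expose:), whether it shares the host network, and which
    other services can resolve it by name (shared user-defined network).
    Neither list restricts the host itself: on a Linux host every container
    IP on a bridge network is routable, so only the container's own
    listener and the host firewall decide what the host can reach."""
    services = doc.get("services", {})
    nets = {n: set(s.get("networks") or ["default"]) for n, s in services.items()}
    report = {}
    for name, svc in services.items():
        published = [str(p) for p in svc.get("ports", [])]
        published_ports = {container_port(p) for p in published}
        exposed = sorted(str(p).split("/")[0] for p in svc.get("expose", []))
        report[name] = {
            "published_to_host": published,
            "expose_only": [p for p in exposed if p not in published_ports],
            "host_network": svc.get("network_mode") == "host",
            "dns_peers": sorted(o for o in nets if o != name and nets[o] & nets[name]),
        }
    return report


if __name__ == "__main__":
    for service, facts in audit_compose(SAMPLE_COMPOSE).items():
        print(service, facts)
```

Running it on the sample shows db-service with an "expose_only" port of 5432 and no published ports, which matches the question: nothing is published to the host, yet the host can still reach the container's bridge IP directly.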