Browser services' container in Docker Swarm mode
Adding to the answer @ben-hall provided above;Docker 1.13 will introduce an advanced syntax for the --publish flag, which includes a mode=host publish mode to publishing service ports (see the pull-request here: docker#27917, and docker#28943). Using this mode, ports of the containers (tasks) backing a service are published directly on the host they are running on, bypassing the Routing Mesh (and thus, load-balancer).
Keep in mind that as a consequence, only a single task of a service can run on a node.
On docker 1.13 and up; the following example creates a myservice service, an port 80 of the task is published on port 8080 of the node that the task is deployed on.
docker service create \ --name=myservice \ --publish mode=host,target=80,published=8080,protocol=tcp \ nginx:alpineContrary to tasks that publish ports through the routing mesh, docker ps also shows the ports that are published for tasks that use "host-mode" publishing (see the PORTS column);
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMESacca053effcc nginx@sha256:30e3a72672e4c4f6a5909a69f76f3d8361bd6c00c2605d4bf5fa5298cc6467c2 "nginx -g 'daemon ..." 3 seconds ago Up 2 seconds 443/tcp, 0.0.0.0:8080->80/tcp myservice.1.j7nbqov733mlo9hf160ssq8wd
Due to the way SwarmMode works with the IPVS Load Balancer (discussed at https://www.katacoda.com/courses/docker-orchestration/load-balance-service-discovery-swarm-mode), it's not possible to just access a single container deployed as a service.
Request for configuring the load balancer has an open Github issue at https://github.com/docker/docker/issues/23813
What you may find helpful is to use a proxy running on each node. This could be configured to only response to certain nodes request (in theory). Two which are designed around SwarmMode include: