Docker port mapping is failing for host network mode - macos

Mac running Docker Version 17.12.0-ce-mac55 (23011) here.
I have a very bizarre situation with Docker that I absolutely cannot explain!
I have a Dockerized web service that runs perfectly fine outside of Docker, running off of port 9200 (so: http://localhost:9200)
I can also run several other images locally (nginx, Oracle DB) and I can access them via localhost:80 and localhost:1521 respectively
When I run the container for my Dockerized service, I see (via docker logs <containerId>) the service startup without any errors whatsoever
Despite the fact that the container is running without any errors, I absolutely cannot connect to it from my Mac host via localhost:9200
The exact steps to reproduce are:
Clone this repo
Build the image via ./gradlew clean build && docker build -t locationservice .
Run the container via docker run -it -p 9200:9200 -d --net="host" --name locationservice locationservice
If you use docker ps to obtain the <containerId>, then you can keep hitting docker logs <containerId> until you see it has started up without errors
On my machine, when I try to curl against localhost:9200, I get "connection refused" errors (see below)
curl error is:
curl -X GET http://localhost:9200/bupo
curl: (7) Failed to connect to localhost port 9200: Connection refused
Some things I have ruled out:
localhost is absolutely resolvable from the host because we're running in host network mode and I have no problem connecting to nginx (port 80) and Oracle (port 1521) containers
The app is starting up and if you look at the logs you'll see it is starting up listening on 9200
Any ideas what the problem could be?!

Docker for Mac runs in a VM. --net=host refers to the Linux VM host's network stack, not OSX. There is no direct network path from OSX to the Docker VM other than mapped ports.
Mapped ports (docker run -p Y:N) in Docker for Mac are a little special: in addition to the user space proxy that runs on the Docker host normally, Docker for Mac also launches a user space proxy on OSX to listen on the same port and forward connections into the VM. The OSX process isn't started when using --net=host (and the Linux one isn't either, of course).
→ docker run --name nc --rm --net=host -dp 9200:9200 busybox nc -lk -p 9201 -e echo hey
→ docker inspect nc --format '{{ json .NetworkSettings.Ports }}'
{}
→ sudo lsof -Pni | grep 9200
→
Then without --net=host
→ docker run --name nc --rm -dp 9200:9200 busybox nc -lk -p 9201 -e echo hey
→ docker inspect nc --format '{{ json .NetworkSettings.Ports }}'
{"9200/tcp":[{"HostIp":"0.0.0.0","HostPort":"9200"}]}
→ sudo lsof -Pni | grep 9200
vpnkit 42658 matt 28u IPv4 0x57f79853269b81bf 0t0 TCP *:9200 (LISTEN)
vpnkit 42658 matt 29u IPv6 0x57f798532765ca9f 0t0 TCP [::1]:9200 (LISTEN)
If your app requires --net=host then I would use Vagrant/Virtualbox to spin up a VM with a "Host Only" adapter. This means there is a direct network path that you can access from OSX on the VM. Here's the Vagrantfile I use.

Docker for Mac does not support host network mode very well: https://github.com/docker/for-mac/issues/1031
So at this moment the solution is to use default bridge mode.
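The lsof check from the first answer, wrapped in a reusable function (an added example, not part of the original answers): it reads `sudo lsof -Pni` output and reports which process, if any, listens on a host port and on which address. The name port_owner and the httpd sample line are constructed for illustration; the vpnkit lines are the ones shown above.

```shell
#!/bin/sh
# Added example: triage a "connection refused" on a published port from
# `sudo lsof -Pni` output on the macOS host. Names here are illustrative.

# port_owner PORT -- reads lsof output on stdin, prints one line per listener:
#   <kind> <command> <bind-address> <scope>    or "none" if nothing listens.
port_owner() {
  awk -v port="$1" '
    $NF == "(LISTEN)" {
      name = $(NF - 1)                  # e.g. *:9200 or [::1]:9200
      n = split(name, part, ":")
      if (part[n] != port) next
      addr = substr(name, 1, length(name) - length(part[n]) - 1)
      # vpnkit and com.docke(r) are the Docker for Mac proxies seen on this page
      kind  = ($1 ~ /^(vpnkit|com\.docke)/) ? "docker-proxy" : "foreign"
      scope = (addr == "127.0.0.1" || addr == "[::1]") ? "loopback-only" : "network"
      print kind, $1, addr, scope
      found = 1
    }
    END { if (!found) print "none" }'
}

# BRIDGE_LSOF is the output shown above; the other two samples are constructed.
HOSTMODE_LSOF=''
BRIDGE_LSOF='vpnkit 42658 matt 28u IPv4 0x57f79853269b81bf 0t0 TCP *:9200 (LISTEN)
vpnkit 42658 matt 29u IPv6 0x57f798532765ca9f 0t0 TCP [::1]:9200 (LISTEN)'
FOREIGN_LSOF='httpd 312 root 4u IPv6 0x0000000000000001 0t0 TCP *:80 (LISTEN)'

echo "--net=host, port 9200:"
printf '%s\n' "$HOSTMODE_LSOF" | port_owner 9200
echo "bridge mode with -p 9200:9200:"
printf '%s\n' "$BRIDGE_LSOF" | port_owner 9200
echo "leftover local web server, port 80:"
printf '%s\n' "$FOREIGN_LSOF" | port_owner 80
```

A result of "none" for a container started with -p means no proxy was created on the Mac side, which is the --net=host case; "foreign" means some other local process already owns the port.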

Related

default docker-machine ip [duplicate]

I just migrated to using Docker for Mac, from previously using Docker Toolbox with virtualbox for OSX.
I used to get the machine IP address with $(docker-machine ip default).
Is there a reliable way to get the Hyperkit IP address?
Thanks!
In opposition to Docker toolbox, Docker for Windows and Docker for Mac are designed to give you the feeling that Docker is running directly on your OS, so they use lightweight virtual machines running under lightweight hypervisors (instead of VirtualBox) handled directly by the docker executable.
Hence you won't see them with docker-machine and you won't see another IP address than localhost.
Docker for Windows relies on the HyperV hypervisor which allows a network connection to tcp://localhost:2375.
Docker for Mac relies on the xhyve hypervisor; the way it's implemented only provides a connection through the socket unix:///var/run/docker.sock.
Workaround
To provide a TCP connection for Docker for Mac:
Install socat. With brew:
brew install socat
Run this socat command to forward TCP requests to the socket
socat TCP-LISTEN:2375,reuseaddr,fork,bind=localhost UNIX-CONNECT:/var/run/docker.sock
Map what you want on tcp://localhost:2375
Up to you to run the socat command on startup, if necessary.
This was for instance useful to me to associate the Webstorm nodeJS debugger to a nodeJS container (since at the time of writing, docker debugging is supported by Webstorm docker integration plugin, but not through unix sockets).
Documentation on Docker for Mac limitations
https://docs.docker.com/docker-for-mac/networking/#/known-limitations-use-cases-and-workarounds
There is no docker0 bridge on macOS
Because of the way networking is implemented in Docker for Mac, you cannot see a docker0 interface in macOS. This interface is actually within HyperKit.
You could use a Docker image for socat, which starts every time you start 'docker for mac':
docker run -d --restart=always -p 2376:2375 -v /var/run/docker.sock:/var/run/docker.sock bobrik/socat TCP4-LISTEN:2375,fork,reuseaddr UNIX-CONNECT:/var/run/docker.sock
Find your docker API ip address:
ifconfig | grep 'inet 192'| awk '{ print $2}'
There's no need for working with the xhyve VM's IP address directly like you would with docker-machine. All port mappings are directly mapped to localhost.
$ docker run -d -p 8080:80 nginx:latest
$ curl localhost:8080
Also see the official documentation:
When you run a container with the -p argument, for example: $ docker run -p 80:80 -d nginx Docker for Mac will make the container port available at localhost.
My current solution is to create the containers using Docker Machine (A linux VM which is available under another IP address) and route all the traffic of the containers to the docker machine VM.
sudo route -n add -net 172.18.0.0/16 192.168.99.100
You can get the network range of your docker containers using docker inspect and the IP address of your docker machine VM using docker-machine ip
Another workaround is to use sudo ifconfig lo0 alias 172.17.0.1 so you can still use the same static IP address (if your Linux-based colleagues or bash scripts insist on using that).
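A check for the socat workarounds above (an added example, not part of the original answers): a socat forwarder to /var/run/docker.sock serves the Docker API without authentication, so it matters whether it is published on loopback only (as with bind=localhost) or on every interface (as with -p 2376:2375). The function name audit_published and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit published ports for a Docker API forwarder that is
# reachable from the network. Input is one container per line, produced by:
#   docker ps --format '{{.Names}} {{.Ports}}'

# audit_published -- reads that listing on stdin, prints "<verdict> <name> <mapping>"
#   API-EXPOSED : container port 2375 (the socat listener above), non-loopback bind
#   exposed     : any other port published on a non-loopback bind
#   local       : published on 127.0.0.1 or ::1 only
audit_published() {
  awk '{
    for (i = 2; i <= NF; i++) {
      entry = $i; sub(/,$/, "", entry)
      if (index(entry, "->") == 0) continue        # listed but not published
      split(entry, side, "->")
      bind = side[1]; sub(/:[0-9-]+$/, "", bind)   # drop host port, keep bind address
      cport = side[2]; sub(/\/.*$/, "", cport)     # drop /tcp or /udp
      if (bind == "127.0.0.1" || bind == "[::1]" || bind == "::1") verdict = "local"
      else if (cport == "2375") verdict = "API-EXPOSED"
      else verdict = "exposed"
      print verdict, $1, entry
    }
  }'
}

# Constructed listing: the forwarder published as in the answer above, the same
# forwarder published with -p 127.0.0.1:2376:2375, and an ordinary web container.
PS_SAMPLE='socat 0.0.0.0:2376->2375/tcp
socat-local 127.0.0.1:2376->2375/tcp
web 0.0.0.0:80->80/tcp, 443/tcp'

printf '%s\n' "$PS_SAMPLE" | audit_published
```

Publishing the forwarder with -p 127.0.0.1:2376:2375 gives the "local" verdict and matches the bind=localhost used in the first socat command.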

Can't connect from outside of container to Clickhouse by HTTP on Mac OS

I'm trying to use ClickHouse with Docker on Mac OS. I use the following command:
docker run -d -p 8123:8123 --rm --name some-clickhouse-server -v /my/config/path/config.xml:/etc/clickhouse-server/config.xml --ulimit nofile=262144:262144 yandex/clickhouse-server:latest
Container successfully started, but when I try to connect to it by http curl 'http://localhost:8123' I have an error:
Failed to connect to localhost port 8123: Connection refused
When I connect to Clickhouse from Clickhouse-client (also using docker image) everything is OK
I ran Clickhouse-server image in -it mode, installed curl, started server and tried to connect clickhouse-server from inside of container, it's OK too
Also I tried to modify config.xml (which was copied from docker image) settings for listen_host (::, 0.0.0.0, ::1, 127.0.0.1)
and for every setting I tried to connect by curl for localhost, 127.0.0.1, 0.0.0.0 - none of this solved my problem
Normally, Docker Desktop writes these host and container details to /etc/hosts; adding the clickhouse-service entry as follows resolved this issue.
127.0.0.1 localhost clickhouse-service
I used Docker Toolbox on Mac OS (in conjunction with VirtualBox). So, I've migrated to Docker Desktop and this has solved my problem

Can't access docker container on port 80 on OSX

In my current job we have development environment made with docker-compose.
One container is nginx, which provides routing to other containers.
Everything seems fine and works for my colleague on Windows and OSX. But on my system (OSX El Capitan), there is a problem with accessing the nginx container on port 80.
Here is the setup of the container from docker-compose.yml:
nginx:
  build: ./dockerbuild/nginx
  ports:
    - 80:80
  links:
    - php
  volumes_from:
    - app
... and more
In ./dockerbuild/nginx there is nothing special, just nginx config as we know it from everywhere.
When I run everything with docker-compose create and docker-compose start, docker ps gives me
3b296c1e4775 docker_nginx "nginx -g 'daemon off" About an hour ago Up 47 minutes 0.0.0.0:80->80/tcp, 443/tcp docker_nginx_1
But when I try to access it, for example via curl, I get an error: curl: (7) Failed to connect to localhost port 80: Connection refused
If I run the container with port 81, everything works fine.
The port is really bound to Docker
22:47 $ sudo lsof -i -n -P | grep TCP
...
com.docke 14718 schovi 38u IPv4 0x6e9c93c51ec4b617 0t0 TCP *:80 (LISTEN)
...
Firewall in osx is turned off and I have no other security.
if you are using docker-for-mac:
Accessing by localhost:80 is correct, though you still have to ensure you do not have a local apache/nginx service running. Often leftovers from boxen/homebrew exist binding that port, because that's what developers did back then :)
if you are using dockertoolbox/virtualbox/whatever hypervisor
You will not be able to access it by localhost, but by the docker-machine IP, so run docker-machine ip default and then use http://$ip:80 in your browser
if that does not help
Ensure your nginx container actually does work, so connect to the container: docker exec -i -t <containerid> bash
and then run ps aux | grep nginx or, if telnet is installed, try to connect to localhost
Solved!
The problem was that a long, long time ago I installed pow (a super simple automated Rails server which runs applications on the app_name.local domain), and this beast left a LaunchAgent script which updates pf to forward port 80 to the pow port.
In my current job we have development environment made with docker-compose.
A privilege to use.
[W]hen I try to access [nginx on port 80] for example via curl I get error.
Given there's nothing preventing you from accessing Docker on your host OS, you should look at the app running inside the container to ensure it's binding to the correct host, e.g. 0.0.0.0 and not localhost.
For example, if you're running Nuxt inside a container with nuxt-ts observe Nuxt will default to localhost thereby causing the container not to connect to the docker network whereas npx nuxt-ts -H 0.0.0.0 gets things squared away with the container's internal server connecting to the ip of the docker network used (verify ip like docker container inspect d8af01990363).
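One way to verify the bind address the last answer talks about, from inside an image that has no netstat, ss or lsof (an added example, not part of the original answers; it also applies to the listen_host setting in the ClickHouse question above). The function name listen_scope and the sample tables are constructed, with trailing /proc columns omitted; port 3000 is an assumed application port.

```shell
#!/bin/sh
# Added example: report which address a server inside a container is bound to,
# using only /proc. Typical use:
#   docker exec <container> cat /proc/net/tcp /proc/net/tcp6 | listen_scope 3000

# listen_scope PORT -- reads /proc/net/tcp[6] text on stdin and prints
#   all-interfaces | specific-address | loopback-only | not-listening
listen_scope() {
  want=$1
  result="not-listening"
  while read -r _sl laddr _raddr state _rest; do
    [ "$state" = "0A" ] || continue                    # 0A = LISTEN; also skips headers
    [ "$((0x${laddr##*:}))" -eq "$want" ] || continue  # port is hex after the last colon
    case ${laddr%:*} in
      00000000|00000000000000000000000000000000)       # 0.0.0.0 or ::
        result="all-interfaces" ;;
      0100007F|00000000000000000000000001000000)       # 127.0.0.1 or ::1 (little-endian host)
        if [ "$result" = "not-listening" ]; then result="loopback-only"; fi ;;
      *)
        if [ "$result" != "all-interfaces" ]; then result="specific-address"; fi ;;
    esac
  done
  echo "$result"
}

# Constructed samples (0BB8 hex = port 3000). First: server bound to localhost.
PROC_LOOPBACK='  sl  local_address rem_address   st
   0: 0100007F:0BB8 00000000:0000 0A
   1: 00000000000000000000000001000000:0BB8 00000000000000000000000000000000:0000 0A'
# Second: server bound to 0.0.0.0, plus one established connection (state 01).
PROC_WILDCARD='  sl  local_address rem_address   st
   0: 00000000:0BB8 00000000:0000 0A
   1: 020011AC:0BB8 010011AC:C350 01'

printf '%s\n' "$PROC_LOOPBACK" | listen_scope 3000
printf '%s\n' "$PROC_WILDCARD" | listen_scope 3000
```

A "loopback-only" result means a port published with -p will still be refused, because the forwarded connection arrives on the container's network interface rather than on 127.0.0.1.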

Connecting to rethinkdb (or any other app running on an http port) from the Docker OS X beta

I've installed the Docker for Mac beta which allows you to use docker commands directly. I want to try to run rethinkdb through docker, so I've followed the instructions of the rethinkdb docker container docs and done the following:
docker run --name some-rethink -v "$PWD:/data" -d rethinkdb
This works, and I can see the container with docker ps and start a shell with docker exec -it some-rethink /bin/bash
However, I can't connect to the admin panel on my Mac directly with their suggestion
$BROWSER "http://$(docker inspect --format \
'{{ .NetworkSettings.IPAddress }}' some-rethink):8080"
This essentially amounts to google-chrome http://172.17.0.2:8080/, but this doesn't work. I asked around and was told
You can't use the docker private ip address space to access the ports
You have to forward them to the mac
However, I'm not sure how to do this as I don't have any port forwarding tools I'm familiar with such as ssh on the container itself. Using the suggested port forwarding command in the rethinkdb container docs ssh -fNTL ... but with localhost instead of remote does not work.
How can I connect to the rethinkdb admin panel through http with the docker beta on a Mac?
Try forwarding the container port using the -p flag in the docker run command, e.g.:
docker run -p 8080:8080 --name some-rethink -v "$PWD:/data" -d rethinkdb
and then it should be accessible on localhost,
google-chrome http://127.0.0.1:8080/
Relevant docker run docs: https://docs.docker.com/engine/reference/run/#/expose-incoming-ports

How to access web page served by nginx web server running in docker container

We are trying to use docker to run nginx but for some reason I'm unable to access the nginx web server running inside the docker container.
We have booted a Docker Container using the following Dockerfile: https://github.com/dwyl/learn-docker/blob/53cca71042482ca70e03033c66d969b475c61ac2/Dockerfile
(It's a basic hello world using nginx running on port 8888)
To run the container we used:
docker run -it ubuntu bash
we determined the Container's IP address using the docker inspect command:
docker inspect --format '{{ .NetworkSettings.IPAddress }}' a9404c168b21
which is: 172.17.0.11
when I try to visit the container's IP address and the nginx port in a browser http://172.17.0.11:8888/ we get ERR_CONNECTION_TIMED_OUT
or using curl:
curl 172.17.0.11:8888
curl: (7) Failed to connect to 172.17.0.11 port 8888: Connection refused
To attempt to solve this we googled extensively but suspect we might be asking the "wrong" questions...
You shouldn't be trying to hit the IP address of the container, you should be using the IP address of the host machine.
What you are missing is the mapping of the port of the host machine to the port of the container running the nginx server.
Assuming that you want to use port 8888 on the host machine, you need a parameter such as this to map the ports:
docker run ... -p 8888:8888 ...
Then you should be able to access your server at http://<HOST_MACHINE_IP>:8888
EDIT: There is another gotcha if you are running on a Mac. To use Docker on a Mac it's common to use boot2docker but boot2docker adds in another layer. You need to determine the IP address of the boot2docker container and use that instead of localhost to access nginx.
$ boot2docker ip
The VM's Host only interface IP address is: <X.X.X.X>
$ wget http://<X.X.X.X>:8888
...
Connecting to <X.X.X.X>:8888... connected.
HTTP request sent, awaiting response... 200 OK
Reference: https://viget.com/extend/how-to-use-docker-on-os-x-the-missing-guide
EDIT: ... or with docker-machine the equivalent command would be docker-machine ip <machine-name> where <machine-name> is likely to be "default".
You may need to check if your container is running:
docker ps (you should have an active container)
If no container is active:
docker run -p 80:80 -it /bin/bash
you will then be on your image terminal
start nginx - sudo service nginx start
ctrl p + ctrl q to quit docker without exiting the container
if you are on mac and using boot2docker you cannot use localhost to check your running nginx
so use boot2docker ip
browse using the boot2docker ip
