Access web server over https in a Docker container - https

I'm using Boot2Docker to manage Docker containers in Windows and I have a container running an IBM Liberty server (I guess is the same for any other server), I can access the server home screen in the host machine using only the ip (which I get using the command boot2docker ip), but if I try to access the server using the https port, like this xx.xx.xx.xx:9443 the connection fails.
I tried forwarding the port in VirtualBox like this:
And then access the server using the ports 1000 or 1001, but it fails too.
Am I missing something?
BTW, I'm using default NAT connection.

https uses port 443 (not 9443) by default.
Make both "Host Port" and "Guest Port" 443 and try again.

Related

How to disable selinux/iptables in MacOS to visit docker server from Host computer?

I am running a docker container of python server in my computer (MacOS Catalina, the container can connect MySQL and Redis from host computer, the server is running normally, but I can't visit server on host computer), in Linux environment, we need to disable the selinux, firewall and iptables, for example, edit /etc/selinux/config
and type as below
SELINUX=disabled
SELINUXTYPE=targeted
How to disable selinux/iptables in MacOS or how to visit docker server from the Host computer, I already tried to use host.docker.internal instead of 127.0.0.1, but it doesn't work, if I use host.docker.internal in MySQL or Redis config, also failed, I only can use the really IP such as 192.168.1.45 instead of host.docker.internal or 127.0.0.1

"bind: An attempt was made to access a socket in a way forbidden by its access permissions"

Say we have frontend and backend containers based on Docker Desktop (for Windows).
Backend container uses port 9001, and the frontend container listens to 9001.
The problem is that port 9001 is already in use by Windows 10 by the Intel driver, and it is impossible to run a container on this port:
Error response from daemon: Ports are not available: listen tcp 0.0.0.0:9001: bind: An attempt was made to access a socket in a way forbidden by its access permissions.
Could you please advise what is the way to handle this port if there is no ability to change it directly from application code?
A couple of ways:
When either using a docker run command, specify the host port to use, and set it to something other than 9001. i.e. -p 9002:9001 or Docker Compose, i.e.
ports:
- '9002:9001'
Then use port 9002 instead of 9001 when accessing the container from the host (Win 10).
Use Nginx and set up a reverse proxy, leave the host port empty when starting the container so no external post is opened on the host, and have the reverse proxy pass it over to the container's 9001 port.

How to access a port on the host machine when running docker container on MacOS with --network=host?

I have set up a couple of containers that interact with each other. The main application container runs on --network = host because it queries several mySQL containers running on different ports exposed on the host network.
I am trying to hit the application on the host but get an error:
curl: (7) Failed to connect to 0.0.0.0 port 36081: Connection refused
I am working on Docker installed on MacOS.
I have read several questions that indicate that docker on MacOS runs on a VM. But what is the workaround to access the application from the host? Any way to get the IP of the said VM?
You cannot use --network=host on Mac to connect via host ports but binding to host port using -p options works.
https://docs.docker.com/docker-for-mac/networking/#/there-is-no-docker0-bridge-on-osx
I WANT TO CONNECT TO A CONTAINER FROM THE MAC
Port forwarding works
for localhost; --publish, -p, or -P all work. Ports exposed from Linux
are forwarded to the host.
Our current recommendation is to publish a port, or to connect from
another container. This is what you need to do even on Linux if the
container is on an overlay network, not a bridge network, as these are
not routed.
For your use case,
You need to create a docker network and attach both the DB and application containers to this network. Then the containers will be able to talk to each other by their name. You can also publish the application container port so that you can access it from your host.
https://docs.docker.com/network/bridge/
Instead of creating the network, attaching the containers to the network etc manually, you can use docker-compose.
https://docs.docker.com/compose/

Setup ssh tunnel from docker container on macos Mojave 10.14

I am having trouble setting up an ssh tunnel on my mac machine. I have no problems setting up the tunnel on my ubuntu box. This is the command I run
ssh -nNT -L 172.18.0.1:4000:production-database-url:3306 jump-point
When I run this on my mac, I get the following error:
bind [172.18.0.1]:4000: Can't assign requested address
channel_setup_fwd_listener_tcpip: cannot listen to port: 4000 Could
not request local forwarding.
If I run without the bind_address (172.18.0.1), I am able to connect to the database via the tunnel.
If I bind to all interfaces (0.0.0.0), then tunnel is open, however, the connection to the database from inside the docker container does not work.
172.18.0.1 is the IP of docker's default bridge network gateway, not your host's IP.
You can run this command to check that.
$ docker network inspect bridge
Docker for Mac has limitations
There is no docker0 bridge on macOS (it's in the docker VM host on Mac and on Windows)
You cannot ping containers (without shaving a bunch of yaks)
Per-container IP addressing is not possible
Also note that this means the docker run option --net-host is not supported on Mac, but maybe that's a good thing
There is a workaround
These magic addresses resolve to the host's IP from within a container
docker.for.mac.localhost (deprecated)
docker.for.mac.host.internal (deprecated)
host.docker.internal
This resolves to the gateway of the host mac
gateway.docker.internal
Use the name host.docker.internal from within the container just like you would use localhost on the mac directly.
Don't worry about the bind address for the tunnel:
ssh -nNT -L 4000:production-database-url:3306 jump-point
You didn't mention which database but I take it from the port 3306 that it is MySQL.
To connect using the mysql cli from within a container, via an ssh tunnel on your host, to a remote mysql database server you can run:
mysql --host host.docker.internal [... other options go here]

Windows Container with Docker: Cannot reach httpd in container from host (Win2016 TP5)

I have a Windows Server 2016 TP5 machine that I use as a container host.
I have a Windows Container running that I manage with Docker. Inside this container I have an Apache httpd running on port 88.
The port mapping when I start the container is: 0.0.0.0:80->88/tcp, so I map port 80 of my container host to port 88 of the container.
This is the output from docker inspect: http://pastebin.com/AVem1eGV
I can now reach the Apache http start page from any other computer in the network through the DNS or IP.
In my case:
http://10.10.1.162/
http://documents.test2016-3.company.com/
But the same does not work when I try to call the same from the host system itself or from inside the container. So, on the host system, I try to access the same URL via browser or wget, and getting:
C:\> wget -UseBasicParsing http://documents.test2016-3.company.com/
wget : Unable to connect to the remote server
in both cases.
But I can ping the host from both the host itself as well as the container.
From the host:
C:\>ping test2016-3.company.com
Ping wird ausgeführt für TEST2016-3.company.com [fe80::847a:1430:8a10:b120%4] mit 32 Bytes Daten:
From the container:
PS C:\> ping documents.test2016-3.company.com
Pinging documents.test2016-3.company.com [10.10.1.162] with 32 bytes of data:
which seems to be able to resolve the name just fine.
What does work though is to call the Apache default page via the container hostname (which is win-de6u4068naf) and its running port directly (not through the port mapping), both from the host as well as inside the container:
http://win-de6u4068naf:88/
Just going the route through the container host hostname and mapped port from the host or container itself does not work properly!
Firewall rules allow everything on port 80 from any remote address or to port 80 (=inbound and outbound rules are both set to "allow" for "any").
I know that Microsoft/Docker changed the networking code base of the container/docker support from Windows Server 2016 TP4 to TP5. Not sure if that's related, or whether this is a bug or I'm having something not configured correctly yet.
I made a test and left Docker/Container out of the picture above and installed a plain Apache httpd itself on the container host system on port 80 (and no Docker running at all) just to check whether such setup works or not, in order to be sure that it is actually somehow Docker/Container related and not a problem with my network/host configuration in general. And this works fine, I can reach the Apache from outside as well as from the host itself, thus it must be a Docker/Container related problem.
Environment:
Windows Server 2016 TP5
Docker version 1.12.0-dev, build 2b97201
Got a reply on Microsoft's Github:
https://github.com/Microsoft/Virtualization-Documentation/issues/253#issuecomment-217975932
This is a known limitation in our Windows NAT implementation (WinNAT)
that you cannot access the external port in a static port mapping
directly from the container (NAT) host.

Resources