Open normtown opened 5 years ago
Docker Engine: 18.09.2
macOS: 10.13.6
% docker run --rm --privileged --pid=host debian nsenter -t 1 -m -u -n -i iptables-save
nsenter: failed to execute iptables-save: No such file or directory
@normtown if you check the README, there is an additional note under the command you're using: "Depending on the docker-for-mac version the command may change".
Can you try this command instead?
$ docker run --rm --privileged --pid=host docker4w/nsenter-dockerd /bin/sh -c 'iptables -A FORWARD -i eth1 -j ACCEPT'
Then attempt to ping the container. If the ping works, the routing has been set up properly.
I keep all the latest wrappings for this system within the nodejs docker helpers package I created. You can always look there to see how I tie it all together: https://github.com/AlmirKadric-Published/helpers-docker-nodejs
Thanks for that clarification. I ran the command. There were no error messages, but also still no change in behavior. My laptop shell still cannot connect to nc running in a Docker container. ping also doesn't work (times out).
On a side note, it wasn't clear to me that I needed to run that command because the README says:
Note: Although not required for docker-for-mac versions greater than 17.12.0, the above command can be replaced with the following if ever needed...
I read that as neither command (above or below) being necessary when running a version greater than 17.12.0. In my case, I'm running 18.09.2.
So to clarify, you followed these steps:
./sbin/docker_tap_install.sh
docker_tap_up.sh
route add -net <IP RANGE> -netmask <IP MASK> 10.0.75.2
(where IP RANGE is the range of your docker containers' network, usually defined in the docker compose file)
ping <CONTAINER IP STARTING WITH IP RANGE>
docker run --rm --privileged --pid=host docker4w/nsenter-dockerd /bin/sh -c 'iptables -A FORWARD -i eth1 -j ACCEPT'
Let me know if the above helps in any way.
P.S. Also check this issue for a list of information you can provide me to help debug the issue: https://github.com/AlmirKadric-Published/docker-tuntap-osx/issues/11
Example docker-compose file:
```yaml
version: '2'
services:
  percona:
    container_name: ${COMPOSE_PROJECT_NAME}-percona
    image: percona:5.7.21
    environment:
      - MYSQL_ROOT_PASSWORD=${MYSQL_ROOT_PASSWORD}
    restart: always
    networks:
      app_net:
        # fixed address inside the routed range, so the host route above reaches it
        ipv4_address: ${IP_RANGE}.3
  redis:
    container_name: ${COMPOSE_PROJECT_NAME}-redis
    image: redis:4.0.10
    restart: always
    networks:
      app_net:
        ipv4_address: ${IP_RANGE}.4
networks:
  app_net:
    driver: bridge
    ipam:
      driver: default
      config:
        # ${IP_RANGE}.0/24 is the <IP RANGE>/<IP MASK> used in the route add command
        - subnet: ${IP_RANGE}.0/24
          gateway: ${IP_RANGE}.1
```
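The steps listed above (tap install, tap up, host route, FORWARD rule, ping) as one checked script. This is an added example, not code from docker-tuntap-osx or from anyone in this thread. It assumes a tap device named tap1, a container subnet of 172.16.1.0/24 standing in for ${IP_RANGE}.0/24, a first container at 172.16.1.3 as in the compose file, and the 10.0.75.2 VM-side tap address used in the thread; docker_tap_up.sh is assumed to live in ./sbin next to the install script. Two things differ from the thread's raw commands, deliberately: the iptables rule is scoped to traffic destined for the container subnet rather than accepting everything arriving on eth1, and it is checked with -C before being appended, so re-running the script does not stack duplicate rules in FORWARD.

```shell
#!/bin/sh
# Added example (not docker-tuntap-osx code). Without arguments it prints the plan;
# with --apply it runs the steps on the Mac and verifies the result.
# Assumed values (not from the thread): tap1, 172.16.1.0/24, 172.16.1.3.
set -eu

TAP_DEV=${TAP_DEV:-tap1}
SUBNET=${SUBNET:-172.16.1.0/24}      # the compose file's ${IP_RANGE}.0/24, assumed value
TARGET_IP=${TARGET_IP:-172.16.1.3}   # percona container from the compose file, assumed value
GATEWAY=${GATEWAY:-10.0.75.2}        # VM side of the tap, from the thread
MODE=plan

# Prefix length (0-32) -> dotted-quad netmask, the form macOS `route add -netmask` wants.
cidr_to_netmask() {
    bits=$1
    [ "$bits" -ge 0 ] 2>/dev/null && [ "$bits" -le 32 ] || { echo "bad prefix: $bits" >&2; return 1; }
    mask=$(( bits == 0 ? 0 : (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    echo "$(( (mask >> 24) & 255 )).$(( (mask >> 16) & 255 )).$(( (mask >> 8) & 255 )).$(( mask & 255 ))"
}

# "a.b.c.d/nn" + gateway -> the macOS route command from the thread, with the mask filled in.
route_cmd() {
    case $1 in */*) ;; *) echo "not a CIDR: $1" >&2; return 1 ;; esac
    echo "route add -net ${1%/*} -netmask $(cidr_to_netmask "${1##*/}") $2"
}

# The thread's FORWARD rule, limited to packets headed for the container subnet and made
# idempotent: `iptables -C` succeeds only if the rule already exists, so -A runs once.
forward_rule_cmd() {
    rule="FORWARD -i eth1 -d $1 -j ACCEPT"
    echo "docker run --rm --privileged --pid=host docker4w/nsenter-dockerd /bin/sh -c 'iptables -C $rule 2>/dev/null || iptables -A $rule'"
}

# Print a step; execute it only in --apply mode.
run() {
    if [ "$MODE" = "--apply" ]; then echo "+ $*"; eval "$*"; else echo "$*"; fi
}

# Mac-side checks that catch the usual breakage before blaming the VM:
# is the tap present, and does the kernel actually route the target via the tap gateway?
verify_mac_side() {
    ifconfig "$TAP_DEV" >/dev/null 2>&1 || { echo "$TAP_DEV is not present" >&2; return 1; }
    route -n get "$TARGET_IP" 2>/dev/null | grep -q "gateway: $GATEWAY" \
        || { echo "no route to $TARGET_IP via $GATEWAY" >&2; return 1; }
    ping -c 1 "$TARGET_IP" >/dev/null 2>&1 || { echo "$TARGET_IP does not answer ping" >&2; return 1; }
    echo "container $TARGET_IP reachable through $TAP_DEV"
}

main() {
    MODE=${1:-plan}
    run ./sbin/docker_tap_install.sh
    run ./sbin/docker_tap_up.sh
    run "sudo $(route_cmd "$SUBNET" "$GATEWAY")"      # route add needs root on macOS
    run "$(forward_rule_cmd "$SUBNET")"
    [ "$MODE" = "--apply" ] && verify_mac_side
    return 0
}

main "$@"
```

Run it with no arguments to see exactly what would be executed, then with --apply on the Mac. The `--privileged --pid=host` container is root on the Docker VM, which is why the rule it installs should be as narrow as the job allows. On engines that provide the DOCKER-USER chain, Docker's own documentation points user rules there rather than at FORWARD directly; the example keeps FORWARD to stay comparable with the command in the thread.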
@normtown any update on this? Did you manage to fix your issue?
I really don't get why this is not working. I'm simply running a netcat listener in my container:
...and trying to connect from my laptop's shell, which fails:
Before doing this test, I had set up a route on my laptop that uses the 10.0.75.2 gateway:
...which we can see here:
We can see the tap1 virtual device is present on the laptop:
...and we can see the network devices in the container here:
Hyperkit appears to be running with the tap1 device passed to it:
One thing that seems a little odd to me is that bus 2 has both a "hard disk" on it (ahci-hd) and the tap device that was injected by the shim script (virtio-tap). The script seems to assume that anything on bus 2 is a network device. I'm curious why that is the case.
Interestingly, the laptop cannot connect to the host VM either. I can get a shell with screen:
Here's ifconfig from the host VM:
And I run a netcat listener in the host VM:
...with the same result when I try to connect from the Mac shell:
For completeness, here's the rest of any debug info I can think of giving.
The route table on the host VM:
And the tuntap devices installed on the Mac: