docker / for-win

Bug reports for Docker Desktop for Windows
https://www.docker.com/products/docker#/windows

How to access containers by internal IPs 172.x.x.x #221

Closed wclr closed 7 years ago

wclr commented 7 years ago

How do I access containers by their internal IP 172.x.x.x from the dev machine (with Docker for Windows installed)? By default you cannot connect to containers.

I found out that it can be achieved by adding routes manually (you actually need to add a route for each sub-network, I usually do it for 17-25):

route /P add 172.17.0.0 MASK 255.255.0.0 10.0.75.2
route /P add 172.18.0.0 MASK 255.255.0.0 10.0.75.2
route /P add 172.19.0.0 MASK 255.255.0.0 10.0.75.2
...

Is it a valid method? Shouldn't it be made possible by default?

mverrilli commented 7 years ago

Oh and I just realized why you said that, because you mentioned a different solution instead of the one mentioned on top. I actually do use a route method, but that's because I've abandoned Docker for Windows in favor of running VMWare Photon (has Docker). Then I just use the route I mentioned and the firewall entry. I had responded because I was watching this topic.

wclr commented 7 years ago

@mverrilli no, on Windows you need both =) you need the routes and you need to modify MobyLinux as well. Does Photon support docker-compose workflows?

mverrilli commented 7 years ago

@whitecolor Ahh, then I'd suggest using the route I mentioned to avoid issues. :-) docker-compose is coming in the next Photon release, I think.

archfz commented 7 years ago

+1 for this issue, needed for proper development usage

ondraondra81 commented 7 years ago

@whitecolor

or with single command: docker run --rm -ti --privileged --network=none --pid=host justincormack/nsenter1 bin/sh -c "iptables -A FORWARD -j ACCEPT"

How do I make this change permanent?

wclr commented 7 years ago

how make this change pernament?

You cannot, because the image is started from scratch each time. Maybe there is a way to modify the original image, I'm not sure.

I use another method: my meta-framework runs a script that fixes docker each time any of my dev containers are started.

edyan commented 7 years ago

Hi and thanks for that discussion that helped me to fix the same issue.

I have developed a tool that composes the docker-compose command, and this is how I did it to make it "persistent" (even if it's not really, it will only happen on start): https://github.com/edyan/stakkr/blob/master/stakkr/actions.py#L227

But I have 2 questions:

Thanks !

wclr commented 7 years ago

@edyan

edyan commented 7 years ago

@whitecolor

Thanks :)

I did that and it works very well:

docker run --net=host --pid=host -it --privileged --rm alpine /bin/sh -c "ip addr show hvint0 | grep -oE '\b([0-9]{1,3}\.){3}[0-9]{1,3}\b'"

I'll wait to find a mac to be able to write the right route command !

wclr commented 7 years ago

For routing to Docker Toolbox on Mac I did:

sudo route add  172.16.0.0/15 192.168.99.100 > /dev/null

edyan commented 7 years ago

thanks, I'll keep it like that and see later ... if you have some time one day, you can try stakkr under mac, then I'll know if it works or not.

By the way, it's very useful (and not just because I made it 😄), docs: http://stakkr.readthedocs.io/

It's a "docker" alternative to vagrant and it avoids configuring the docker-compose config file manually ...

zenglian commented 7 years ago

wrong..

edyan commented 7 years ago

@leonsoft connect the containers together ? If they are in the same network, it's by default. Use docker compose or another tool (such as stakkr) to have your container on the same network.

Else you can create a network and attach all containers to it (see : https://docs.docker.com/engine/reference/commandline/network_connect/)

zenglian commented 7 years ago

oops..

lucnap commented 7 years ago

I work in this situation:

(Windows 7, Ubuntu 4.4, linux docker 17.06)

zenglian commented 7 years ago

I think I was wrong. Everything works as expected on linux, but I was on windows. I.e., you can visit container services via IP directly on linux.

edyan commented 7 years ago

@lucnap @leonsoft

Yes that's the topic of the discussion, everything works well (or not) with docker installed on Linux, we can access containers from the host, but not on Mac and Windows for which we need specific commands.

Koc commented 7 years ago

Is it possible to create a host-only type of connection inside Hyper-V and access containers without adding routes? Like in VirtualBox, adding a host-only adapter.

Koc commented 7 years ago

After running docker run --rm -ti --privileged --network=none --pid=host justincormack/nsenter1 bin/sh -c "iptables -A FORWARD -j ACCEPT", new containers don't have access to the Internet. I have to restart Docker.

edyan commented 7 years ago

Are you using Linux containers or Windows containers?

What's your version?

Koc commented 7 years ago

I am using docker for windows and linux containers.

Version: 17.06.2-ce-win27 (13194)
Channel: stable
Sha1: 428bd6ceae2994bd2fc2a72ec122507abe2cf526
Started on: 2017/09/12 07:11:21.287
Resources: C:\Program Files\Docker\Docker\Resources
OS: Windows 10 Enterprise
Edition: Enterprise
Id: 1703
Build: 15063
BuildLabName: 15063.0.amd64fre.rs2_release.170317-1834
File: C:\Users\Koc\AppData\Local\Docker\log.txt
CommandLine: "C:\Program Files\Docker\Docker\Docker for Windows.exe" 
edyan commented 7 years ago

With the same version I did the following and it works :

$ docker run --rm -d nginx
# Install iputils-ping, the ct name is "blissful_brahmagupta"
$ docker exec blissful_brahmagupta ping 8.8.8.8
# It works

$ docker run --rm -ti --privileged --network=none --pid=host justincormack/nsenter1 bin/sh -c "iptables -A FORWARD -j ACCEPT"
$ docker exec blissful_brahmagupta ping 8.8.8.8
# It works

$ docker run --rm -d nginx
# Install iputils-ping, the new ct name is "wonderful_borg"
$ docker exec wonderful_borg ping 8.8.8.8
# It works

Did I miss something ?

Emmanuel

Koc commented 7 years ago

@edyan strange thing. Floating bug: it works for me now but didn't work before. I will try to find out how to reproduce it again.

Koc commented 6 years ago

@edyan I've created separate issue for my problem with internet connection https://github.com/docker/for-win/issues/1122

Koc commented 6 years ago

I've tried Docker Toolbox based on VirtualBox. It creates two network adapters for the virtual machine: NAT + host-only network. And I can access containers (172.x.x.x) directly without any manipulation of routes or iptables. Why can't Docker for Windows use the same approach with two network adapters?

thedrint commented 6 years ago

@Koc Docker for Windows uses Hyper-V (and it is a horrible thing, in which you can't even run a Windows 10 image). The Moby VM inside Hyper-V uses only the pre-created "DockerNAT" network interface, which looks like the NAT interface in VirtualBox. Maybe this is the reason. (Honestly, I'm also thinking about switching to Docker Toolbox.)

ondraondra81 commented 6 years ago

or with single command: docker run --rm -ti --privileged --network=none --pid=host justincormack/nsenter1 bin/sh -c "iptables -A FORWARD -j ACCEPT"

@whitecolor this workaround stopped working with version 17.10.0-ce. I get the error message bin/sh: iptables: not found

wclr commented 6 years ago

@ondraondra81 I haven't installed 17.10.0-ce yet. Maybe try to add apk add iptables first.

johnmckay-reward commented 6 years ago

I'm still seeing this issue with the latest version of Docker on Windows! Annoying!

wclr commented 6 years ago

@jmkni this is currently by-design behavior, unfortunately.

johnmckay-reward commented 6 years ago

@whitecolor Ah, annoying, thanks!

knowlesy commented 6 years ago

docker run --rm -ti --privileged --network=none --pid=host justincormack/nsenter1 bin/sh -c "iptables -A FORWARD -j ACCEPT"

resolved it for me you amazing person!

ionghitun commented 6 years ago

I have the same issue as @ondraondra81, with version 17.12.0-ce. I tried @whitecolor's solution and it didn't work:

/ # apk add iptables
ERROR: Unable to lock database: Read-only file system
ERROR: Failed to open apk database: Read-only file system

wclr commented 6 years ago

@ionghitun that is bad news. I'm still on 17.09.1-ce and didn't check the later versions; you should try/search for some tricks to work around the issue and unlock it, there should probably be some way.

ionghitun commented 6 years ago

I reinstalled 17.09.1 and it works; indeed it is bad news that it's not working on the latest version.

nkapashi commented 6 years ago

After upgrading to 17.12.0-ce (15048) I started getting the "bin/sh: iptables: not found" too. The fix for me was:

docker run --rm -ti --privileged --network=none --pid=host docker4w/nsenter-dockerd bin/sh -c "iptables -A FORWARD -j ACCEPT"
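The iptables -A FORWARD -j ACCEPT line used throughout this thread appends a rule that accepts every forwarded packet in the VM, whatever its source or destination, and because the VM forgets it on every restart people run it from a script on each container start (as @whitecolor describes above), so the rule is appended again on every run. The script below is an added example and is not code from this thread or from Docker: it inserts a rule limited to traffic from the host's DockerNAT address into the container range, uses iptables -C so that it is idempotent, and can remove the rule again. It is meant to run inside the Moby VM through the same nsenter image as in the command above. The host-side address 10.0.75.1 and the range 172.16.0.0/12 are assumptions (the thread only confirms the VM's 10.0.75.2 and the 172.x container subnets) and can be overridden with HOST_ADDR and DOCKER_RANGE. Whatever is run this way is root inside the VM (--privileged --pid=host), which is one more reason to keep the change as narrow as this.

```sh
#!/bin/sh
# Added example, not code from this thread or from Docker.
# A scoped, idempotent replacement for "iptables -A FORWARD -j ACCEPT", meant to
# run as root inside the Moby VM (through the nsenter image used in the thread).
# Assumed values (the thread only confirms the VM side, 10.0.75.2, and the
# 172.x container subnets); both can be overridden from the environment.
IPTABLES=${IPTABLES:-iptables}              # point at a stub to test offline
HOST_ADDR=${HOST_ADDR:-10.0.75.1}           # assumed: host side of DockerNAT
DOCKER_RANGE=${DOCKER_RANGE:-172.16.0.0/12} # assumed: where Docker puts bridges

# The rule without its verb, so the same words serve -C (check), -I (insert)
# and -D (delete).  Only host -> container traffic is opened; replies leave
# through the bridge interface and are accepted by Docker's own bridge rules.
forward_rule_spec() {
    printf 'FORWARD -s %s -d %s -j ACCEPT' "$1" "$2"
}

# iptables -C exits 0 when an identical rule exists, non-zero otherwise.
# $(...) is left unquoted on purpose so the spec splits into arguments.
rule_present() {
    "$IPTABLES" -C $(forward_rule_spec "$1" "$2") 2>/dev/null
}

# Insert at the top of FORWARD only if missing, so a script that runs on
# every container start (as people do, since the VM forgets it on restart)
# does not pile up duplicate rules.
ensure_forward_rule() {
    host=${1:-$HOST_ADDR}; range=${2:-$DOCKER_RANGE}
    if rule_present "$host" "$range"; then
        echo "already present: $(forward_rule_spec "$host" "$range")"
        return 0
    fi
    "$IPTABLES" -I $(forward_rule_spec "$host" "$range")
    echo "inserted: $(forward_rule_spec "$host" "$range")"
}

# Take the rule out again once you are done debugging.
remove_forward_rule() {
    host=${1:-$HOST_ADDR}; range=${2:-$DOCKER_RANGE}
    "$IPTABLES" -D $(forward_rule_spec "$host" "$range")
}

case "${1:-}" in
    apply)  ensure_forward_rule ;;
    remove) remove_forward_rule ;;
esac
```

To run it inside the VM from Git Bash, pass the script text as the -c argument and "apply" as its first positional argument: docker run --rm -i --privileged --network=none --pid=host docker4w/nsenter-dockerd bin/sh -c "$(cat forward-rule.sh)" forward-rule apply; "remove" instead of "apply" takes the rule out. Setting IPTABLES to the name of a stub shell function exercises the check/insert/delete logic without touching a firewall.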

ionghitun commented 6 years ago

@nkapashi I confirm it works, thanks!

MSudhira commented 6 years ago

I have Docker version 7.09.0-ce-mac35 (19611), the Docker service running on a Mac (Docker for Mac). I am not able to ping the container with IP address 127.17.0.1 from the host machine. Is there any workaround for the ping to work on Mac?

I have tried the #docker run --rm -ti --privileged --network=none --pid=host imagename bin/sh -c "iptables -A FORWARD -j ACCEPT" but still not able to ping it.

vidyas78 commented 6 years ago

Docker Version: 17.12.0-ce

1) I did docker run --rm -ti --privileged --network=none --pid=host imagename bin/sh -c "iptables -A FORWARD -j ACCEPT"
2) ifconfig gave the below inet address:

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:279 errors:0 dropped:0 overruns:0 frame:0
          TX packets:279 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1
          RX bytes:69424 (67.7 KiB)  TX bytes:69424 (67.7 KiB)

Now how to access the service url? localhost:8080 doesnt work.

wclr commented 6 years ago

@vidyas78 you should be able to access 172.x.x.x, which are internal docker network addresses (to get it for a container - docker inspect [container-name] | grep 172). Also may use https://github.com/aacebedo/dnsdock to access containers using DNS names.

Also if you are not so familiar with basic docker networking and related stuff, just consider using host port mapping without involving hacky solution discussed in the current thread.

vidyas78 commented 6 years ago

My application Docker image is built on a Linux OS image. When running the container, I need the container to join the subnet the host is in. On Linux, I'm able to achieve this using docker run --net=host. But on Windows when I use --network=host, Windows uses Hyper-V and the IP gets mapped to 10.X.X.X. In this mode, docker inspect [container-name] | grep 172 returns nothing. I'm neither able to make it join the host network nor able to find out the internal IP of the container.

I was hunting for various options to solve this. Is there any way to achieve this? Would appreciate any inputs provided. Thanks!

ghost commented 6 years ago

Running Linux as the host and installing Docker, it automatically works flawlessly and you are able to ping 172.x.x.x depending on your IP; Linux doesn't use virtualization since Docker is installed natively on the computer. As for Windows, it uses Hyper-V and 10.0.75.2 as the VM's IP address. As for Mac, it uses something whose name I forgot, but when you install Docker you can use http://localhost to access the VM. If you are using a port, then make sure that you use the right port to access whatever application you are using.

Windows and Mac are not fun to use with Docker, but it works flawlessly with ports; Linux is even more flawless :)

vidyas78 commented 6 years ago

Is there any alternative for --net=host @ Windows that's proven to perform the same behavior as in Linux?

ghost commented 6 years ago

@vidyas78

Most likely not, because Docker relies on Hyper-V when you are using Windows 10 Professional and it uses NAT to communicate. I've already tried different ways but it doesn't seem to work. If users got the route add working before, it is probably because they were using an older version of Windows 10 Pro. Docker gets installed natively under Linux so it behaves differently and containers can communicate with one another perfectly. I pretty much gave up so I'm just using ports, so if you have applications running you should be using 10.0.75.2:port.

fabricek commented 6 years ago

I've found a workaround. I'm talking about Windows Hyper-V Docker containers in the same subnet as the host. This long thread is a bit confusing. The default network bridge is not the same as a user-defined network bridge (see https://docs.docker.com/network/bridge). So create a new network bridge br0 with your parameters (PowerShell syntax):

docker network create `
  --driver=bridge `
  --subnet=172.28.0.0/16 `
  --ip-range=172.28.5.0/24 `
  --gateway=172.28.5.254 `
  br0

And create a route in a cmd terminal:

route add 172.28.0.0 mask 255.255.0.0 10.0.75.2 -p

If your "Internal Virtual Switch \ Subnet Address" parameter in the Docker settings is 10.0.75.0 (the default) you must use 10.0.75.2, or check it with @whitecolor's command:

docker run --net=host --pid=host -it --privileged --rm alpine /bin/sh -c "ip addr show hvint0 | grep -oE '\b([0-9]{1,3}\.){3}[0-9]{1,3}\b'"

Start all your docker containers with --network=br0, for example:

docker run --rm --network=br0 -it alpine /bin/sh

ip a (gives you the container IP, i.e. 172.28.5.1)

You can now ping all containers from the host (192.168.0.5 for example) and ping 172.28.5.1 is ok.

@rn commented on 29 Dec 2016 with a great answer and he says "Note however, we don't really recommend this approach and would suggest to use..." I don't touch iptables here and I would like to know if my approach is safer and why?
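The route step in the opening post (one /16 route per guessed Docker subnet, 172.17 through 172.25) and the single route for br0 above are the same operation. The script below is an added example, not code from this thread or from Docker: it generates exactly those Windows route lines from the subnets Docker actually reports, so nothing is guessed and nothing wider than needed is routed, and it extracts the VM address from ip addr show hvint0 output the way @whitecolor's alpine one-liner does, but takes only the inet address and not the brd broadcast address that a bare dotted-quad grep on the same line also matches. It runs in any POSIX shell (Git Bash on Windows included) and the printed lines are pasted into an elevated cmd or PowerShell. The sample ip addr output and sample subnets are constructed for the offline demo; on a real machine you pipe in docker network inspect output as shown in the comment. A blanket 172.16.0.0/12 route is deliberately avoided: it would also capture any real host in that range (a VPN or office network, say) and send its traffic into the VM.

```sh
#!/bin/sh
# Added example, not code from this thread or from Docker.
# Generates the Windows "route -p add ..." lines for the subnets Docker has
# actually allocated, and pulls the Moby VM address out of "ip addr show hvint0".
# Run it in any POSIX sh (dash, busybox ash, bash, Git Bash on Windows) and
# paste the printed lines into an elevated cmd or PowerShell on the host.

# First IPv4 "inet" address of an interface from "ip addr show <if>" on
# stdin, without the /prefix.  A bare dotted-quad grep would also return the
# "brd" broadcast address on the same line; this does not.
vm_gateway_from_ip_addr() {
    awk '$1 == "inet" { sub(/\/.*/, "", $2); print $2; exit }'
}

# Dotted-quad netmask for a prefix length 1..32, e.g. 16 -> 255.255.0.0.
cidr_to_mask() {
    p=$1
    [ "$p" -ge 1 ] && [ "$p" -le 32 ] || { echo "bad prefix length: $p" >&2; return 1; }
    # 2^32 - 2^(32-p) is the mask as a 32-bit number (needs 64-bit shell arithmetic).
    m=$(( 4294967296 - (1 << (32 - p)) ))
    printf '%d.%d.%d.%d\n' \
        $(( (m >> 24) & 255 )) $(( (m >> 16) & 255 )) $(( (m >> 8) & 255 )) $(( m & 255 ))
}

# One persistent (-p) Windows route for a CIDR subnet via the VM gateway.
route_cmd() {
    cidr=$1; gw=$2
    net=${cidr%/*}; plen=${cidr#*/}
    printf 'route -p add %s mask %s %s\n' "$net" "$(cidr_to_mask "$plen")" "$gw"
}

# Read CIDRs (one per line) on stdin and print one route per distinct subnet.
# Only the subnets Docker reports are routed; a blanket 172.16.0.0/12 route
# would also swallow traffic to any real host in that range (a VPN, say).
# On a real machine feed it Docker's own IPAM config, e.g.:
#   docker network inspect -f '{{range .IPAM.Config}}{{.Subnet}}{{"\n"}}{{end}}' \
#       $(docker network ls -q) | routes_for_subnets 10.0.75.2
routes_for_subnets() {
    gw=$1
    sort -u | while read -r cidr; do
        [ -n "$cidr" ] || continue
        route_cmd "$cidr" "$gw"
    done
}

# Constructed sample data so the script can be exercised offline: the kind of
# output the thread's alpine one-liner sees for hvint0, and a few subnets as
# Docker would report them (one duplicate on purpose).
SAMPLE_IP_ADDR='3: hvint0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
    link/ether 00:15:5d:01:02:03 brd ff:ff:ff:ff:ff:ff
    inet 10.0.75.2/24 brd 10.0.75.255 scope global hvint0
    inet6 fe80::215:5dff:fe01:203/64 scope link'
SAMPLE_SUBNETS='172.17.0.0/16
172.28.0.0/16
172.17.0.0/16
172.26.0.0/24'

# Print the route lines for the sample data (three distinct subnets).
demo() {
    gw=$(printf '%s\n' "$SAMPLE_IP_ADDR" | vm_gateway_from_ip_addr)
    printf '%s\n' "$SAMPLE_SUBNETS" | routes_for_subnets "$gw"
}

if [ "${1:-}" = "demo" ]; then
    demo
fi
```

Running the script with the argument demo prints three route lines for the sample data, one per distinct subnet, all via 10.0.75.2. When a user-defined bridge such as br0 is created with an explicit --subnet, that subnet shows up in docker network inspect and gets its own line, so the same command covers both the default bridge and any networks compose creates.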

ghost commented 6 years ago

@fabricek I tried your solution, and it doesn't even work. That seems to be the same as if I were to use compose to create the bridge as below:

version: '2'
services:
  sandbox:
    image: wordpress:php7.1-apache
    container_name: sandbox_wordpress
    ports:
      - '80'
    environment:
      WORDPRESS_DB_NAME: sandbox
      WORDPRESS_DB_USER: wordpress
      WORDPRESS_DB_PASSWORD: sup1er2man3
      WORDPRESS_TABLE_PREFIX: wp_sandbox_
    volumes:
      - './public_html:/var/www/html'      
    networks:
      mynet:
        ipv4_address: 172.26.0.5

  themereview:
    image: wordpress:php7.1-apache
    container_name: themereview_wordpress
    ports:
      - '80'
    environment:
      WORDPRESS_DB_NAME: themereview
      WORDPRESS_DB_USER: wordpress
      WORDPRESS_DB_PASSWORD: sup1er2man3
      WORDPRESS_TABLE_PREFIX: wp_themereview_
    volumes:
      - './public_html:/var/www/html'
    networks:
      mynet:
        ipv4_address: 172.26.0.6

  mysql:
    image: mariadb
    container_name: sandbox_mysql
    environment:
      MYSQL_ROOT_PASSWORD: example
      MYSQL_DATABASE: sandbox
      MYSQL_USER: wordpress
      MYSQL_PASSWORD: sup1er2man3
    volumes:
#      - db_data:/var/lib/mysql
      - './docker-entrypoint-initdb.d:/docker-entrypoint-initdb.d'
    networks:
      mynet:
        ipv4_address: 172.26.0.7
        aliases:
          - mysql

  phpmyadmin:
    image: phpmyadmin/phpmyadmin
    container_name: sandbox_phpmyadmin
    environment:
     - PMA_ARBITRARY=1
    ports:
     - '80'
    volumes:
     - /sessions
    networks:
        mynet:
            ipv4_address: 172.26.0.8

#volumes:
#    db_data:

networks:
  mynet:
    driver: bridge
    ipam:
      config:
        - subnet: 172.26.0.0/24

and add route to it.

fabricek commented 6 years ago

Review all my points, it should work. You didn't put all the options in your mynet config. Try creating the network manually and removing it from your dockerfile to test. What route rule are you using? Can you ping the container, or is it your WordPress which is not reachable? Is an alpine image in your dockerfile with the same parameters pingable? Make some tests and tell us what's wrong.

fabricek commented 6 years ago

Oh, I've missed something. I tried my example today and it doesn't work. I'll check it and tell you what is missing.

ghost commented 6 years ago

@fabricek

I'm going to assume that mynet is basically the same as if you were to create br0. Then I added a route: route add 172.26.0.0 mask 255.255.0.0 10.0.75.2 -p. I'm still not able to ping any of the 172.0.0.0 IP addresses. I don't use alpine, I use wordpress:php7.1-apache instead.

topiaruss commented 6 years ago

@benlumia007 is ping port on container open? Is ICMP traffic served by container?