Host docker internal linux docker compose

Networking features in Docker Desktop for Mac


Docker Desktop for Mac provides several networking features to make it easier to use.

Features

VPN Passthrough

Docker Desktop for Mac’s networking can work when attached to a VPN. To do this, Docker Desktop for Mac intercepts traffic from the containers and injects it into Mac as if it originated from the Docker application.

Port Mapping

When you run a container with the -p argument, for example:

Docker Desktop for Mac makes whatever is running on port 80 in the container (in this case, nginx) available on port 80 of localhost. In this example, the host and container ports are the same. What if you need to specify a different host port? If, for example, you already have something running on port 80 of your host machine, you can connect the container to a different port:

Now, connections to localhost:8000 are sent to port 80 in the container. The syntax for -p is HOST_PORT:CLIENT_PORT.
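The publish syntax accepts a few more forms than HOST_PORT:CONTAINER_PORT, and the detail that matters for exposure is that with no bind address the host port is opened on every interface of the host, not only on localhost. The shell script below is an added example, not part of the Docker documentation: it parses -p specs (bare CONTAINER_PORT, HOST_PORT:CONTAINER_PORT, IP:HOST_PORT:CONTAINER_PORT, with an optional /tcp or /udp suffix) and flags the ones that are reachable beyond loopback. The specs it runs on are constructed.

```shell
#!/bin/sh
# Added example (not from the Docker documentation above): parse the
# -p/--publish spec and report whether the host side is bound on every
# interface. Besides HOST_PORT:CONTAINER_PORT, Docker also accepts a
# bare CONTAINER_PORT, an IP: prefix (IP:HOST_PORT:CONTAINER_PORT) and a
# /tcp or /udp suffix; with no IP the host port is bound on 0.0.0.0.

# valid_port N -> 0 if N is an integer in 1..65535
valid_port() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# parse_publish_spec SPEC -> prints "BIND_IP HOST_PORT CONTAINER_PORT PROTO";
# HOST_PORT is "auto" when Docker would pick an ephemeral port (-p 80).
parse_publish_spec() {
  spec=$1 proto=tcp bind_ip=0.0.0.0 host_port='' container_port=''
  case "$spec" in
    */udp) proto=udp; spec=${spec%/udp} ;;
    */tcp) spec=${spec%/tcp} ;;
  esac
  case "$spec" in
    \[*\]:*:*)                 # bracketed IPv6 bind address
      bind_ip="${spec%%]*}]"; rest=${spec#*]:}
      host_port=${rest%%:*}; container_port=${rest#*:} ;;
    *:*:*)                     # IPv4 bind address
      bind_ip=${spec%%:*}; rest=${spec#*:}
      host_port=${rest%%:*}; container_port=${rest#*:} ;;
    *:*)                       # HOST_PORT:CONTAINER_PORT
      host_port=${spec%%:*}; container_port=${spec#*:} ;;
    *)                         # CONTAINER_PORT only
      container_port=$spec ;;
  esac
  [ -n "$host_port" ] || host_port=auto
  valid_port "$container_port" || { echo "bad container port in '$1'" >&2; return 1; }
  [ "$host_port" = auto ] || valid_port "$host_port" ||
    { echo "bad host port in '$1'" >&2; return 1; }
  echo "$bind_ip $host_port $container_port $proto"
}

# publish_is_public SPEC -> 0 when the host port is reachable from other
# machines, 1 when it is bound to loopback only, 2 when SPEC does not parse
publish_is_public() {
  out=$(parse_publish_spec "$1") || return 2
  bind_ip=${out%% *}
  case "$bind_ip" in
    127.*|localhost|'[::1]') return 1 ;;
    *) return 0 ;;
  esac
}

# audit_publish_specs SPEC... -> one line per spec: public / loopback / invalid
audit_publish_specs() {
  for s in "$@"; do
    if publish_is_public "$s" 2>/dev/null; then
      echo "public   $s"
    elif [ $? -eq 1 ]; then
      echo "loopback $s"
    else
      echo "invalid  $s"
    fi
  done
}

# Demonstration on constructed specs; the first two are the forms the text describes.
audit_publish_specs 80:80 8000:80 127.0.0.1:8000:80 '[::1]:8000:80' 53:53/udp 80 70000:80
```

Run it over the port specs of a project to see which host ports are open to the network; prefixing the spec with 127.0.0.1: keeps a development port local to the machine.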

HTTP/HTTPS Proxy Support

Known limitations, use cases, and workarounds

Following is a summary of current limitations on the Docker Desktop for Mac networking stack, along with some ideas for workarounds.

Changing internal IP addresses

The internal IP addresses used by Docker can be changed via the Settings (Windows) or Preferences (Mac). After changing IPs, it is necessary to reset the Kubernetes cluster and to leave any active Swarm.

There is no docker0 bridge on macOS

Because of the way networking is implemented in Docker Desktop for Mac, you cannot see a docker0 interface on the host. This interface is actually within the virtual machine.

I cannot ping my containers

Docker Desktop for Mac can’t route traffic to containers.

Per-container IP addressing is not possible

The docker (Linux) bridge network is not reachable from the macOS host.

Use cases and workarounds

There are two scenarios that the above limitations affect:

I want to connect from a container to a service on the host

The host has a changing IP address (or none if you have no network access). We recommend that you connect to the special DNS name host.docker.internal, which resolves to the internal IP address used by the host. This is for development purposes and will not work in a production environment outside of Docker Desktop for Mac.

You can also reach the gateway using gateway.docker.internal.

If you have installed Python on your machine, use the following instructions as an example to connect from a container to a service on the host:

Run the following command to start a simple HTTP server on port 8000.

python -m http.server 8000

If you have installed Python 2.x, run python -m SimpleHTTPServer 8000.

Now, run a container, install curl, and try to connect to the host using the following commands:
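A frequent reason the container-side curl fails is that the host service only listens on 127.0.0.1. The script below is an added example, not part of the Docker documentation: it looks up the port in a constructed listing in the layout of ss -ltn, decides whether a container on Linux's default bridge (where the host is seen as the gateway 172.17.0.1, as the Linux section further down states) could reach it, and builds the probe command to run from a container. Docker Desktop's traffic injection on macOS is not modelled; there the name to use is host.docker.internal.

```shell
#!/bin/sh
# Added example (not part of the Docker documentation above): before running
# the container-side curl, check that the host service is listening on an
# address a container can reach. On Linux's default bridge the host is seen
# as the gateway 172.17.0.1, so a service bound to 127.0.0.1 is unreachable;
# Docker Desktop's injected traffic path is not modelled here. The socket
# listing is a constructed sample in the layout of `ss -ltn`.

SAMPLE_LISTENERS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    127.0.0.1:5432     0.0.0.0:*
LISTEN 0      5      0.0.0.0:8000       0.0.0.0:*
LISTEN 0      128    172.17.0.1:9000    0.0.0.0:*
LISTEN 0      128    [::]:3000          [::]:*'

# bind_addr_of PORT [LISTING] -> the address PORT is bound to; status 1 if
# nothing listens there
bind_addr_of() {
  printf '%s\n' "${2:-$SAMPLE_LISTENERS}" | awk -v p="$1" '
    $1 == "LISTEN" && !found {
      n = split($4, a, ":")
      if (a[n] == p) { sub(":" p "$", "", $4); print $4; found = 1 }
    }
    END { if (found) exit 0; exit 1 }'
}

# reachable_from_container ADDR GATEWAY -> 0 if a container on the default
# bridge can connect to a host service bound to ADDR
reachable_from_container() {
  case "$1" in
    0.0.0.0|'*'|'[::]'|"$2") return 0 ;;
    *) return 1 ;;
  esac
}

# check_host_service PORT GATEWAY [LISTING] -> "ok ADDR", or an explanation
# with status 1
check_host_service() {
  addr=$(bind_addr_of "$1" "${3:-$SAMPLE_LISTENERS}") || { echo "not-listening"; return 1; }
  if reachable_from_container "$addr" "$2"; then
    echo "ok $addr"
  else
    echo "unreachable: bound to $addr, bind to 0.0.0.0 or $2 instead"
    return 1
  fi
}

# probe_command PORT HOST -> the container-side check (HOST is
# host.docker.internal on Docker Desktop, the gateway IP on Linux)
probe_command() {
  echo "docker run --rm alpine sh -c 'apk add --no-cache curl && curl -sS http://$2:$1/'"
}

# Demonstration over the constructed listing
for p in 8000 5432 9000 3000 22; do
  printf '%s: ' "$p"; check_host_service "$p" 172.17.0.1 || true
done
probe_command 8000 host.docker.internal
```

On a real Linux host, pipe the output of ss -ltn into bind_addr_of as the second argument; python -m http.server binds to 0.0.0.0 by default, which is why the documented test works, but it also means the test server is reachable from the local network for as long as it runs.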

I want to connect to a container from the Mac

Port forwarding works for localhost; --publish, -p, or -P all work. Ports exposed from Linux are forwarded to the host.

Our current recommendation is to publish a port, or to connect from another container. This is what you need to do even on Linux if the container is on an overlay network, not a bridge network, as these are not routed.

For example, to run an nginx webserver:

To clarify the syntax, the following two commands both expose port 80 on the container to port 8000 on the host:

To expose all ports, use the -P flag. For example, the following command starts a container (in detached mode) and the -P exposes all ports on the container to random ports on the host.

See the run command for more details on publish options used with docker run.


Docker Tip — How to use the host’s IP Address inside a Docker container on macOS, Windows, and Linux

Once in a while, you may need your Docker host’s IP address. For instance, you need to be able to connect to the host network from inside a Docker container to access your app or database running locally on the host. Debugging or reverse proxies running on your host are two additional example use-cases.


I’ll show you how to easily make this work simultaneously for macOS, Windows, and Linux — because their Docker networking settings differ.

Docker Networking on macOS and Windows vs. Linux

For macOS and Windows the following special DNS name can be used:

The host has a changing IP address (or none if you have no network access). From 18.03 onwards our recommendation is to connect to the special DNS name host.docker.internal, which resolves to the internal IP address used by the host. This is for development purposes and will not work in a production environment outside of Docker Desktop for Mac/Windows.

The gateway is also reachable as gateway.docker.internal.

On Docker for Linux, the IP address of the gateway between the Docker host and the bridge network is 172.17.0.1 if you are using default networking.

Do you see the problem already? They are different, so you cannot simply run docker-compose up -d and expect all operating systems to behave the same. But I’ve got you covered: there’s an easy approach to make this work.

Setup docker-compose

I’ve seen some suggestions, like creating a Linux-specific config file docker-compose.override.yml (docs), but the solution a co-worker of mine came up with seems more elegant and less complex to me.


So, what is happening here? DB_UPSTREAM should point to the host’s IP and port 3000. The ${DOCKER_GATEWAY_HOST:-host.docker.internal} expression is the critical piece here: it tells docker-compose to use the environment variable DOCKER_GATEWAY_HOST if it is set, and otherwise to fall back to host.docker.internal when resolving this value.

On both macOS and Windows it works out of the box now without anything left to do. 🚀

If you are running this stack on Linux you need to have the DOCKER_GATEWAY_HOST environment variable set for the Docker gateway host. Simply put this line into your .bashrc (.bash_profile or .zshrc):
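The pattern end to end, as an added example that is not the post author's file: a docker-compose.yml using the ${VAR:-default} fallback, a helper that applies the same substitution rule the way Compose does, and the Linux-side export line. The service name web, the nginx:alpine image and the docker network inspect query for the Linux bridge gateway are assumptions of this example; 172.17.0.1 is the default bridge gateway quoted in the post.

```shell
#!/bin/sh
# Added example, not the post author's code: the Compose file described
# above with the ${VAR:-default} fallback, a helper that emulates that
# substitution, and the Linux-side setup of DOCKER_GATEWAY_HOST. The
# service/image names are placeholders; 172.17.0.1 is Docker's default
# bridge gateway on Linux.

# write_compose DIR -> writes DIR/docker-compose.yml using the pattern
write_compose() {
  cat > "$1/docker-compose.yml" <<'EOF'
version: "3.7"
services:
  web:
    image: nginx:alpine   # placeholder for the application image
    environment:
      # DOCKER_GATEWAY_HOST when set (Linux), else host.docker.internal
      # (Docker Desktop on macOS and Windows).
      DB_UPSTREAM: "http://${DOCKER_GATEWAY_HOST:-host.docker.internal}:3000"
EOF
}

# render_db_upstream -> what Compose substitutes for DB_UPSTREAM; the shell
# applies the same ${VAR:-default} rule
render_db_upstream() {
  echo "http://${DOCKER_GATEWAY_HOST:-host.docker.internal}:3000"
}

# linux_gateway_host -> the bridge gateway: asked from the daemon when the
# CLI is available, otherwise Docker's default
linux_gateway_host() {
  if command -v docker >/dev/null 2>&1; then
    gw=$(docker network inspect bridge --format '{{(index .IPAM.Config 0).Gateway}}' 2>/dev/null) || gw=''
    [ -n "$gw" ] && { echo "$gw"; return 0; }
  fi
  echo 172.17.0.1
}

# bashrc_line -> the export line to add to ~/.bashrc (.bash_profile, .zshrc) on Linux
bashrc_line() {
  echo "export DOCKER_GATEWAY_HOST=$(linux_gateway_host)"
}

# Demonstration: the file, and the value each platform ends up with
dir=$(mktemp -d)
write_compose "$dir"
echo "wrote $dir/docker-compose.yml"
echo "macOS/Windows (variable unset): $(render_db_upstream)"
(
  DOCKER_GATEWAY_HOST=$(linux_gateway_host); export DOCKER_GATEWAY_HOST
  echo "Linux ($(bashrc_line)): $(render_db_upstream)"
)
```

docker-compose config prints the fully substituted file, which is the quickest way to confirm which value DB_UPSTREAM resolved to on a given machine.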


Now you can start the stack from macOS, Windows, and Linux without further configuration or overrides. If you stick to this pattern — as we do — it works for every project in your company.

Great, isn’t it? I hope this saves you some time!


How to get the Docker host's IP address from inside a Docker container

As the title says. I need to be able to get the Docker host's IP address and the port mappings from the host to the container, and do this from inside the container.

13 answers

As @MichaelNeale noted, there is no point in using this method in a Dockerfile (unless we need this IP only at build time), because the IP will be hard-coded at build time.

On Docker for Mac, starting with version 18.03, you can use host.docker.internal as the host IP.

Note, as in the documentation, "this is for development purpose[s] and will not work in a production environment outside of Docker for Mac." This is because in Docker for Mac "you cannot see a docker0 interface on the host. This interface is actually within the virtual machine."

This is an update to docker.for.mac.localhost, available since version 17.06, and docker.for.mac.host.internal, available since version 17.12, which may also work.

For example, I have environment variables set on my host:

In my docker-compose.yml file, I have this:

Update: On Docker for Mac, starting with version 18.03, you can use host.docker.internal as the host IP. See allanberry's answer. For earlier versions of Docker for Mac the following answer may be useful:

On Docker for Mac the docker0 bridge does not exist, so the other answers here may not work. However, all outbound traffic is routed through the parent host, so as long as you try to connect to an IP address that it recognizes as itself (and that the docker container does not think is itself), you should be able to connect. For example, if you run this from the parent machine:

This should show you your Mac's IP on its current network, and your docker container should be able to connect to that address as well. This is of course a pain if that IP ever changes, but you can add a custom loopback IP to your Mac that the container does not think is itself, by doing something like this on the parent machine:

Then you can test the connection from the docker container with telnet. In my case I wanted to connect to a remote xdebug server:

Now, when traffic enters your Mac addressed to 192.168.46.49 (and all traffic leaving your container goes through your Mac), your Mac will consider that IP to be itself. When you are done using this IP, you can remove the loopback alias like this:

One thing to be careful of is that the docker container will not send traffic to the parent host if it thinks the destination of the traffic is itself. So check the loopback interface inside the container if you are having problems:


In my case, it showed inet 127.0.0.1/8, which meant I could not use IPs in


Networking in Compose


This page applies to Compose file formats version 2 and higher. Networking features are not supported for Compose file version 1 (deprecated).

By default Compose sets up a single network for your app. Each container for a service joins the default network and is both reachable by other containers on that network, and discoverable by them at a hostname identical to the container name.

Your app’s network is given a name based on the “project name”, which is based on the name of the directory it lives in. You can override the project name with either the --project-name flag or the COMPOSE_PROJECT_NAME environment variable.

For example, suppose your app is in a directory called myapp , and your docker-compose.yml looks like this:

When you run docker-compose up , the following happens:

  1. A network called myapp_default is created.
  2. A container is created using web’s configuration. It joins the network myapp_default under the name web.
  3. A container is created using db’s configuration. It joins the network myapp_default under the name db.

In v2.1+, overlay networks are always attachable

Starting in Compose file format 2.1, overlay networks are always created as attachable, and this is not configurable. This means that standalone containers can connect to overlay networks.

In Compose file format 3.x, you can optionally set the attachable property to false.

Each container can now look up the hostname web or db and get back the appropriate container’s IP address. For example, web’s application code could connect to the URL postgres://db:5432 and start using the Postgres database.

It is important to note the distinction between HOST_PORT and CONTAINER_PORT. In the above example, for db, the HOST_PORT is 8001 and the container port is 5432 (postgres default). Networked service-to-service communication uses the CONTAINER_PORT. When HOST_PORT is defined, the service is accessible outside the swarm as well.

Within the web container, your connection string to db would look like postgres://db:5432, and from the host machine, the connection string would look like postgres://:8001.

Update containers

If you make a configuration change to a service and run docker-compose up to update it, the old container is removed and the new one joins the network under a different IP address but the same name. Running containers can look up that name and connect to the new address, but the old address stops working.

If any containers have connections open to the old container, they are closed. It is a container’s responsibility to detect this condition, look up the name again and reconnect.

Links allow you to define extra aliases by which a service is reachable from another service. They are not required to enable services to communicate — by default, any service can reach any other service at that service’s name. In the following example, db is reachable from web at the hostnames db and database :

See the links reference for more information.

Multi-host networking

When deploying a Compose application on a Docker Engine with Swarm mode enabled, you can make use of the built-in overlay driver to enable multi-host communication.

Consult the Swarm mode section to see how to set up a Swarm cluster, and the Getting started with multi-host networking guide to learn about multi-host overlay networks.

Specify custom networks

Instead of just using the default app network, you can specify your own networks with the top-level networks key. This lets you create more complex topologies and specify custom network drivers and options. You can also use it to connect services to externally-created networks which aren’t managed by Compose.

Each service can specify what networks to connect to with the service-level networks key, which is a list of names referencing entries under the top-level networks key.

Here’s an example Compose file defining two custom networks. The proxy service is isolated from the db service, because they do not share a network in common — only app can talk to both.
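The two-network topology described above, as an added example rather than the Compose documentation's own file, together with a small check that derives reachability between services from their network memberships. Services with no networks key are placed on the default network, which is Compose's rule from the start of this page; image names are placeholders.

```shell
#!/bin/sh
# Added example, not from the Compose documentation: the proxy/app/db
# topology described above as a Compose file, plus a check that derives
# which services can reach each other from their network memberships.
# Images are placeholders; the default-network rule (a service with no
# networks key joins the project default network) is Compose's own.

# Constructed topology in "service=net1,net2" form; a bare "service" entry
# has no networks key and therefore sits on the default network.
TOPOLOGY="proxy=frontend app=frontend,backend db=backend"

# write_compose DIR -> DIR/docker-compose.yml for TOPOLOGY
write_compose() {
  cat > "$1/docker-compose.yml" <<'EOF'
version: "3.5"
services:
  proxy:
    image: nginx:alpine      # placeholder images throughout
    networks: [frontend]
  app:
    image: alpine
    networks: [frontend, backend]
  db:
    image: postgres:13
    networks: [backend]
networks:
  frontend:
  backend:
EOF
}

# networks_of SERVICE [TOPOLOGY] -> comma-separated networks, "default" if
# the service lists none
networks_of() {
  for entry in ${2:-$TOPOLOGY}; do
    case "$entry" in
      "$1="*) nets=${entry#*=}; echo "${nets:-default}"; return 0 ;;
      "$1")   echo default; return 0 ;;
    esac
  done
  echo "unknown service: $1" >&2
  return 1
}

# shares_network A B [TOPOLOGY] -> 0 if A and B are attached to a common
# network, which is what lets them resolve and reach each other by name
shares_network() {
  a=$(networks_of "$1" "$3") || return 2
  b=$(networks_of "$2" "$3") || return 2
  for na in $(echo "$a" | tr ',' ' '); do
    case ",$b," in *",$na,"*) return 0 ;; esac
  done
  return 1
}

# reachability_matrix [TOPOLOGY] -> "A -> B: reachable|isolated" per pair
reachability_matrix() {
  topo=${1:-$TOPOLOGY}
  for x in $topo; do
    for y in $topo; do
      sx=${x%%=*}; sy=${y%%=*}
      [ "$sx" = "$sy" ] && continue
      if shares_network "$sx" "$sy" "$topo"; then
        echo "$sx -> $sy: reachable"
      else
        echo "$sx -> $sy: isolated"
      fi
    done
  done
}

# Demonstration
dir=$(mktemp -d); write_compose "$dir"
echo "wrote $dir/docker-compose.yml"
reachability_matrix
```

The matrix shows the property the text states: proxy and db never share a network, so neither can resolve or connect to the other, while app reaches both.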

Networks can be configured with static IP addresses by setting the ipv4_address and/or ipv6_address for each attached network.

Networks can also be given a custom name (since version 3.5):

For full details of the network configuration options available, see the following references:

Configure the default network

Instead of (or as well as) specifying your own networks, you can also change the settings of the app-wide default network by defining an entry under networks named default :

Use a pre-existing network

If you want your containers to join a pre-existing network, use the external option:

Instead of attempting to create a network called [projectname]_default, Compose looks for a network called my-pre-existing-network and connects your app’s containers to it.


Post-installation steps for Linux


This section contains optional procedures for configuring Linux hosts to work better with Docker.


Manage Docker as a non-root user

The Docker daemon binds to a Unix socket instead of a TCP port. By default that Unix socket is owned by the user root and other users can only access it using sudo. The Docker daemon always runs as the root user.

If you don’t want to preface the docker command with sudo , create a Unix group called docker and add users to it. When the Docker daemon starts, it creates a Unix socket accessible by members of the docker group.

The docker group grants privileges equivalent to the root user. For details on how this impacts security in your system, see Docker Daemon Attack Surface.

To create the docker group and add your user:

Create the docker group.

Add your user to the docker group.

Log out and log back in so that your group membership is re-evaluated.

If testing on a virtual machine, it may be necessary to restart the virtual machine for changes to take effect.

On a desktop Linux environment such as X Windows, log out of your session completely and then log back in.

On Linux, you can also run the following command to activate the changes to groups:

Verify that you can run docker commands without sudo.

This command downloads a test image and runs it in a container. When the container runs, it prints a message and exits.

If you initially ran Docker CLI commands using sudo before adding your user to the docker group, you may see the following error, which indicates that your ~/.docker/ directory was created with incorrect permissions due to the sudo commands.

To fix this problem, either remove the ~/.docker/ directory (it is recreated automatically, but any custom settings are lost), or change its ownership and permissions using the following commands:

Configure Docker to start on boot

Most current Linux distributions (RHEL, CentOS, Fedora, Debian, Ubuntu 16.04 and higher) use systemd to manage which services start when the system boots. On Debian and Ubuntu, the Docker service is configured to start on boot by default. To automatically start Docker and Containerd on boot for other distros, use the commands below:

To disable this behavior, use disable instead.

If you need to add an HTTP Proxy, set a different directory or partition for the Docker runtime files, or make other customizations, see customize your systemd Docker daemon options.

Use a different storage engine

For information about the different storage engines, see Storage drivers. The default storage engine and the list of supported storage engines depend on your host’s Linux distribution and available kernel drivers.

Configure default logging driver

Docker provides the capability to collect and view log data from all containers running on a host via a series of logging drivers. The default logging driver, json-file, writes log data to JSON-formatted files on the host filesystem. Over time, these log files expand in size, leading to potential exhaustion of disk resources.

To alleviate such issues, either configure the json-file logging driver to enable log rotation, use an alternative logging driver such as the “local” logging driver that performs log rotation by default, or use a logging driver that sends logs to a remote logging aggregator.

Configure where the Docker daemon listens for connections

By default, the Docker daemon listens for connections on a UNIX socket to accept requests from local clients. It is possible to allow Docker to accept requests from remote hosts by configuring it to listen on an IP address and port as well as the UNIX socket. For more detailed information on this configuration option take a look at “Bind Docker to another host/port or a unix socket” section of the Docker CLI Reference article.

Before configuring Docker to accept connections from remote hosts it is critically important that you understand the security implications of opening Docker to the network. If steps are not taken to secure the connection, it is possible for remote non-root users to gain root access on the host. For more information on how to use TLS certificates to secure this connection, check this article on how to protect the Docker daemon socket.

Configuring Docker to accept remote connections can be done with the docker.service systemd unit file for Linux distributions using systemd, such as recent versions of Red Hat, CentOS, Ubuntu and SLES, or with the daemon.json file, which is recommended for Linux distributions that do not use systemd.

Configuring Docker to listen for connections using both the systemd unit file and the daemon.json file causes a conflict that prevents Docker from starting.

Configuring remote access with systemd unit file

Use the command sudo systemctl edit docker.service to open an override file for docker.service in a text editor.

Add or modify the following lines, substituting your own values.
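Two of the points in this section are easy to check mechanically: membership of the root-equivalent docker group, and a daemon that listens on TCP without TLS (or with listen addresses in both the systemd override and daemon.json, which stops it from starting). The script below is an added example, not from the Docker documentation. Its inputs are constructed text in the shapes the docs describe: a systemctl edit override with the two ExecStart= lines, with 0.0.0.0 as the weak setting beside the 127.0.0.1 form, and a daemon.json with tlsverify; ports 2375 and 2376 are Docker's conventional plain and TLS API ports, and the certificate paths are placeholders.

```shell
#!/bin/sh
# Added example, not from the Docker documentation: post-install audit helpers
# for membership of the root-equivalent docker group, for a daemon reachable
# over TCP without TLS, and for the systemd/daemon.json conflict. Inputs are
# passed as text so the checks run here on constructed samples; on a real
# host feed them the output of `id -nG`, `systemctl cat docker.service` and
# the contents of /etc/docker/daemon.json.

# in_docker_group GROUPS -> 0 if "docker" is among the space-separated GROUPS
in_docker_group() {
  for g in $1; do [ "$g" = docker ] && return 0; done
  return 1
}

# Constructed override in the shape `systemctl edit docker.service` takes;
# the weak form binds the API to every interface without TLS.
WEAK_OVERRIDE='[Service]
ExecStart=
ExecStart=/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2375'

# Same override restricted to loopback.
SAFE_OVERRIDE='[Service]
ExecStart=
ExecStart=/usr/bin/dockerd -H fd:// -H tcp://127.0.0.1:2375'

# Constructed daemon.json with client-certificate verification required
# (certificate paths are placeholders).
TLS_DAEMON_JSON='{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}'

# tcp_hosts TEXT -> every tcp:// endpoint named in a -H/--host flag or in a
# daemon.json "hosts" list
tcp_hosts() {
  printf '%s\n' "$1" | grep -oE 'tcp://[^" ,]+' || true
}

# tls_enforced TEXT -> 0 if client certificates are required
tls_enforced() {
  printf '%s\n' "$1" | grep -qE -- '--tlsverify|"tlsverify"[[:space:]]*:[[:space:]]*true'
}

# audit_listen TEXT -> one line per tcp endpoint; status 1 if any endpoint
# is reachable beyond loopback without TLS
audit_listen() {
  hosts=$(tcp_hosts "$1")
  [ -n "$hosts" ] || { echo "no tcp listener (unix socket only)"; return 0; }
  rc=0
  for h in $hosts; do
    addr=${h#tcp://}; addr=${addr%:*}
    case "$addr" in
      127.0.0.1|localhost|'[::1]') echo "loopback  $h" ;;
      *) if tls_enforced "$1"; then
           echo "tls       $h"
         else
           echo "PLAINTEXT $h (root-equivalent API open to the network; require --tlsverify)"
           rc=1
         fi ;;
    esac
  done
  return $rc
}

# hosts_conflict OVERRIDE DAEMON_JSON -> 0 when both define listen addresses,
# which prevents dockerd from starting
hosts_conflict() {
  printf '%s\n' "$1" | grep -qE -- '(^|[[:space:]])(-H|--host)[[:space:]=]' &&
    printf '%s\n' "$2" | grep -q '"hosts"'
}

# Demonstration on the constructed inputs
in_docker_group "$(id -nG)" && echo "current user is in the docker group (root-equivalent)"
for text in "$WEAK_OVERRIDE" "$SAFE_OVERRIDE" "$TLS_DAEMON_JSON"; do
  audit_listen "$text" || true
done
hosts_conflict "$SAFE_OVERRIDE" "$TLS_DAEMON_JSON" &&
  echo "conflict: hosts set in both the systemd override and daemon.json"
```

The PLAINTEXT line is the case the paragraph above warns about: anyone who can reach that port can drive the daemon, and the daemon runs as root.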

