Connect to containers from other LAN segments

Hi,

I’m running Docker 18.05.0-ce on Fedora Server 28.

I know this has been asked before: https://forums.docker.com/t/docker-container-not-accesible-from-other-system-in-same-lan-network/39763/6, but I am beginning to think I am missing the point of containers as I can’t believe what should be a trivial task is so hard.

Let's say I have a container running a web application; how on earth is one supposed to browse to it from any machine other than the Docker host or another container?

For instance:

  • VLAN50: Windows Client PC IP: 192.168.50.50/24 (No Docker components installed),
  • VLAN60: Docker host IP: 192.168.60.10/24
  • Docker0 IP: 172.16.0.3/24

I understand bridging and I can fire up a container and ping from the container to other VLANs, but what I can’t work out is how to ping or connect to the container, basically, there is no route, so say pinging a container with IP 172.16.0.5 from VLAN50 wouldn’t work. I can’t believe the solution is to start adding static routes to every machine that would want to connect to a container. I’m keeping this local and not even thinking about access from the Internet.

I have added a new VLAN on my router with an IP of 172.16.0.1/24, so other VLANs at least have the routing info.

I have reconfigured Docker0 interface to use 172.16.0.0/24 network, however, I must be misunderstanding this article as creating new container networks increments the second octet. If I force the network to use 172.16.0.0/24 network, then I can’t ping other VLANs:
docker network create --driver bridge alpine-net3 --gateway 172.16.0.1 --subnet 172.16.0.0/24

This makes the idea of creating a VLAN somewhat untenable.

I’m 90% certain it isn’t firewalld getting in the way. The physical interface is using the “trusted” zone.

Thinking about the Internet and containers, is this where Docker Swarm or Kubernetes comes in, providing the (seemingly) missing external network layer and load balancing?

Without Swarm or Kubernetes, is this what Ambassador (mentioned by @satwikbanerjee) simulates, or perhaps this is the limitation of Docker-ce and not what it’s designed for?

Should I be using macvlan instead of bridge?

I’m at a loss as to how complex this is. I must be missing the point or not understanding something; otherwise, what is the point of a container if nobody can access the service within, unless they’re on the host?

Any help and direction will be gratefully received.

T, W.

Use docker run -p. This publishes a port from the container on your host. Then use the host’s DNS name or IP address, and the exposed port, to reach the container.

For instance, if you run:

docker run -p 8888:80 ... mywebservice

then (in your example) you could reach the service at http://192.168.60.10:8888/, using the host’s IP address and the first port number in the -p option.

My advice here is to never even consider the Docker-private IP addresses. Don’t try to manually configure them, don’t run docker inspect to try to find them, pay no attention to the docker0 interface, don’t try to set up macvlan to make them directly accessible. Just use docker run -p as the normal path that has always worked to reach containers from outside (and the Docker-provided inter-container DNS for containers to talk to each other).
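An added example to go with the -p advice above (my own script, not from the thread, the Docker docs or the project): a small POSIX shell helper that parses `docker run -p` port specs and reports what each one actually exposes. It assumes the documented spec forms (containerPort, hostPort:containerPort, ip:hostPort:containerPort, ip::containerPort, with an optional /tcp or /udp suffix) and IPv4 bind addresses only. The point for a segmented LAN like the one in the question: `-p 8888:80` binds 0.0.0.0, so the service is reachable from VLAN50 and from every other segment that can route to the host, and Docker adds its own iptables rules for published ports, so the firewalld zone on the physical interface is not the only thing deciding reachability. Bind to an explicit address (`-p 192.168.60.10:8888:80`, or `-p 127.0.0.1:8888:80` for host-only) when you want narrower exposure.

```shell
#!/bin/sh
# Added example (not from the thread): audit "docker run -p" port specs so you
# know which published ports are reachable from other LAN segments.
# Assumes the documented spec forms: containerPort, hostPort:containerPort,
# ip:hostPort:containerPort, ip::containerPort, optionally suffixed /tcp or /udp.
# IPv4 bind addresses only (assumption for this example).

# classify_port_spec SPEC
# Prints: SCOPE BIND HOSTPORT CONTAINERPORT PROTO
# SCOPE is ALL_INTERFACES (reachable from every segment that can route to the
# host), LOOPBACK (host-only) or SPECIFIC_IFACE (only via that host address).
classify_port_spec() {
    spec=$1
    proto=tcp
    case $spec in
        */udp) proto=udp; spec=${spec%/udp} ;;
        */tcp) spec=${spec%/tcp} ;;
    esac
    bind=0.0.0.0        # docker's default when no bind address is given
    hostport=ephemeral  # docker picks a free high port when the host port is omitted
    case $spec in
        *:*:*)
            bind=${spec%%:*}
            rest=${spec#*:}
            hostport=${rest%%:*}
            cport=${rest#*:}
            [ -n "$hostport" ] || hostport=ephemeral
            ;;
        *:*)
            hostport=${spec%%:*}
            cport=${spec#*:}
            ;;
        *)
            cport=$spec
            ;;
    esac
    case $bind in
        0.0.0.0) scope=ALL_INTERFACES ;;
        127.*)   scope=LOOPBACK ;;
        *)       scope=SPECIFIC_IFACE ;;
    esac
    printf '%s %s %s %s %s\n' "$scope" "$bind" "$hostport" "$cport" "$proto"
}

# count_all_interfaces SPEC... -> prints how many specs listen on every interface
count_all_interfaces() {
    n=0
    for s in "$@"; do
        case $(classify_port_spec "$s") in
            ALL_INTERFACES*) n=$((n + 1)) ;;
        esac
    done
    printf '%s\n' "$n"
}

# Constructed sample: the thread's 8888:80 plus the usual variants.
for s in 8888:80 127.0.0.1:8888:80 192.168.60.10:8888:80 80 53:53/udp 127.0.0.1::80; do
    printf '%-24s -> %s\n' "$s" "$(classify_port_spec "$s")"
done
echo "specs reachable from any segment: $(count_all_interfaces 8888:80 127.0.0.1:8888:80 80)"
```

Feed it the -p values from your run commands or compose files before deploying; anything reported as ALL_INTERFACES is what a client on VLAN50 (or any routed segment) can reach at the host's address, which is also exactly the answer to the question of how to connect from another segment.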