Docker Community Forums

Docker containers using pre-defined network are inaccessible

(Mattheworiordan) #1

I need a system whereby containers have predictable internal IP addresses for our development environment (most of us are on Macs). To date we’ve used Boot2Docker, but we want to move everything into the native Docker for Mac.

However, we’ve hit an issue that I cannot figure out if we’re doing something wrong, or perhaps there are limitations in what’s possible with Docker for Mac.

Firstly I set up a custom Docker network with a large subnet:

docker network create --driver=bridge --subnet=172.18.0.0/16 -o com.docker.network.bridge.enable_icc=true -o com.docker.network.bridge.enable_ip_masquerade=true -o com.docker.network.bridge.host_binding_ipv4=0.0.0.0 foo.local

I then run a simple container and assign it an IP address in the newly defined network:

docker run --rm -t -i --ip 172.18.10.0 --net=foo.local ubuntu:trusty /bin/netcat -l 4444

From the host, I try and netcat to it and nothing happens: netcat 172.18.10.0 4444. It is unable to connect using the private IP address on that port.

So then I try exposing a port:

docker run --rm -t -i --ip 172.18.10.0 --expose 4444 --net=foo.local ubuntu:trusty /bin/netcat -l 4444

And try and netcat or telnet to 172.18.10.0 on port 4444 and still nothing.

Then I thought that maybe the OS X host is simply unable to communicate with the new private network, so I’ll try this all using container to container communication.

docker run --rm -t -i --ip 172.18.10.5 --net=foo.local ubuntu:trusty /bin/netcat 172.18.10.0 4444

And voila, one container is able to talk to the other container on that network.

So does this mean macOS is unable to communicate directly with containers unless they are exposing a port on the host network? If so, that’s really not great and should be mentioned in the Docker for Mac documentation. I have read that binding ports from containers to more than one host network interface is not possible, but I had assumed that restrictions like this would not apply internally.

Do I perhaps need to set up a bridge of some sort to explicitly allow this? An ifconfig on the host unfortunately only reveals one interface.

If anyone can help advise how one can use a custom network (so that IP addresses can be specified for hosts) I’d greatly appreciate it!


(Mattheworiordan) #2

I also see that the containers I set up through the REST API cannot access each other on the private IPs, whereas containers started with docker run can.

The steps I take to create containers are:

{ 
  "Container" => "[container-id-here]",
  "EndpointConfig" => {
    "IPAMConfig" => {
      "IPv4Address" => "172.18.10.15"
     },
  }
}
  • Start the container

Unfortunately once the container is up, I notice that the containers on the foo.local network cannot communicate with each other, and when doing an inspect, I can see that some fields such as “IPAddress” and “Gateway” for network settings are empty:

        "NetworkSettings": {
            "Bridge": "",
            "SandboxID": "93bead497b26d14f5230fde80e5a0564603deea67e361fb76106720722f90647",
            "HairpinMode": false,
            "LinkLocalIPv6Address": "",
            "LinkLocalIPv6PrefixLen": 0,
            "Ports": null,
            "SandboxKey": "/var/run/docker/netns/93bead497b26",
            "SecondaryIPAddresses": null,
            "SecondaryIPv6Addresses": null,
            "EndpointID": "",
            "Gateway": "",
            "GlobalIPv6Address": "",
            "GlobalIPv6PrefixLen": 0,
            "IPAddress": "",
            "IPPrefixLen": 0,
            "IPv6Gateway": "",
            "MacAddress": "",
            "Networks": {
                "ably.local": {
                    "IPAMConfig": {
                        "IPv4Address": "172.18.39.2"
                    },
                    "Links": null,
                    "Aliases": [
                        "161dc5e1a544"
                    ],
                    "NetworkID": "43bd5659f53b1e03f2fc9e088ae50ede7f1e909b7949f90fbcf7f35e330ef04a",
                    "EndpointID": "",
                    "Gateway": "",
                    "IPAddress": "",
                    "IPPrefixLen": 0,
                    "IPv6Gateway": "",
                    "GlobalIPv6Address": "",
                    "GlobalIPv6PrefixLen": 0,
                    "MacAddress": ""
                }
            }
        }

How is one supposed to start containers using the REST API in the correct way to bind containers to a network?
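
A check for the symptom shown in the inspect output above, added here as an example and not part of the original thread: it walks `NetworkSettings.Networks` from `docker inspect` and reports every network where a static address was requested through `IPAMConfig` but no endpoint or address was actually assigned. The sample document is constructed from the shape of the output quoted above; the `attached.example` network, its values, and the subnet map passed in are assumptions.

```python
import ipaddress
import json

# Constructed sample, trimmed to the fields the check reads.
SAMPLE_INSPECT = json.loads("""
{
  "NetworkSettings": {
    "Networks": {
      "ably.local": {
        "IPAMConfig": {"IPv4Address": "172.18.39.2"},
        "EndpointID": "", "Gateway": "", "IPAddress": "", "MacAddress": ""
      },
      "attached.example": {
        "IPAMConfig": {"IPv4Address": "172.18.10.5"},
        "EndpointID": "e0e0e0e0", "Gateway": "172.18.0.1",
        "IPAddress": "172.18.10.5", "MacAddress": "02:42:ac:12:0a:05"
      }
    }
  }
}
""")


def check_endpoints(inspect_doc, subnets):
    """Return {network name: [problems]} for one container's inspect document.

    subnets maps network name -> CIDR, assumed known from `docker network create`.
    """
    report = {}
    for name, ep in inspect_doc["NetworkSettings"]["Networks"].items():
        problems = []
        # IPAMConfig may be null when no static address was requested.
        requested = (ep.get("IPAMConfig") or {}).get("IPv4Address") or None
        assigned = ep.get("IPAddress") or None
        if not ep.get("EndpointID"):
            problems.append("no endpoint created (EndpointID empty)")
        if requested and not assigned:
            problems.append(f"requested {requested} but no address assigned")
        elif requested and assigned != requested:
            problems.append(f"requested {requested} but got {assigned}")
        cidr = subnets.get(name)
        if requested and cidr:
            if ipaddress.ip_address(requested) not in ipaddress.ip_network(cidr):
                problems.append(f"requested {requested} is outside {cidr}")
        report[name] = problems
    return report


if __name__ == "__main__":
    nets = {"ably.local": "172.18.0.0/16", "attached.example": "172.18.0.0/16"}
    for net, problems in check_endpoints(SAMPLE_INSPECT, nets).items():
        print(net, "OK" if not problems else "; ".join(problems))
```
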


(Alexander Garagatyi) #3

Try to access the container from OS X on localhost instead of 172.x.x.x.