So I’ve been working with Docker since May in order to dockerize an application. I’m pretty far along and have gotten my Dockerfiles and images already set up in a private repository and have a fairly good grasp on the docker engine. I’ve gotten GUI configured by forwarding the X socket of the host (I understand the security concerns) and am currently trying to get some networking between a dockerized app and an app on another host to interact.
Essentially, I have an application running on a local machine at ip MACHINE1 which will need port interactions on ports PORT1, PORT2, and PORT3. I have it sitting on the machine waiting for any incoming connections from outside hosts which will then start a constant communication between the two once set up. I also now have the same application (a different instance of it) running on a docker container on a different machine at ip MACHINE2. I’ve come to understand that the default docker networking creates a subnet with the docker0 interface on the docker host, which means that the docker container’s dynamically created ip (e.g. 172.17.0.2) is not accessible by anything other than the host machine running the docker daemon.
So rather than trying to find out how to forward all the packets incoming on the 3 ports between the container and the outside host, I decided to place the application on top of the hosts network stack by using the --net host option on run. This means that now my docker container should be accessible by ip MACHINE2. However, when I attempt communications from outside hosts there doesn’t seem to be anything being exchanged between the two.
As a test I have attempted to start a SSH server on the container and exposed it at port 12345 while still running on the host network. Running netstat -ntlp in both the container and the docker host show that the port is open and available, and I am able to SSH in with the docker host. However, when I attempt to SSH into the container from my local machine at MACHINE1, I get a connection timed out (not even refused). This means that it’s likely that the ports aren’t actually being exposed on the host network and are only available to the docker host. I’ve been messing around with my /etc/hosts, iptables, and some other things and nothing has come up with any positive results.
To sum up, I just want to have the container and any outside hosts attempting to connect to the container the ability to communicate with one another over the ports PORT1, PORT2, and PORT3, making the container look like any other host. It doesn’t matter if this is possible with or without exposing the host’s network stack, I simply just want to be able to get this to work. Any help would be appreciated. Thanks!
The normal way to do this would be to start the application with docker run -p 11111:11111 -p 22222:22222 -p 33333:33333 me/myapp and ask Docker to publish those ports for you. Assuming this is a pretty normal TCP server-type application, you shouldn’t have to do anything special: Docker will forward incoming requests to your container, and the normal TCP responses will get sent back out to the correct place.
Did you try this? Does it work?
You should want to be able to accept inbound connections like any other process. The separate private unroutable IP address is an implementation detail you don’t usually need to worry about.
I have tried that much earlier in this process, but sadly it doesn’t work due to the way the application is setup. The two applications need to have constant communication with each other based off of their IP addresses and the dockerized application uses the unroutable ip address from the eth0 device (e.g. 172.17.0.2 if on docker0).
This means that when the dockerized application communicates with the real one at MACHINE1, the real one expects to be able to communicate back through the dynamically allocated ip of 172.17.0.2, which obviously only is meant for the docker host and not for outside hosts. Which is why I tried switching over to the host network, because I knew that the ip for the container would be resolvable to the outside.
Edit: Found out that the problem was that only certain ports were being allowed through the company firewall, and the 3 ports I was trying to use were not being allowed between the 2 hosts. Using the --net host option worked fine after configuring the correct ports.