Should docker run --net=host work?

I would expect that because I’ve been “sold” docker for mac not “docker under a different virtualization engine.” FitNesse tests that run under docker on mac in a virtual box work, but do not work “natively” because FitNesse can not connect to the exposed web interfaces running in the docker container.

Documentation on how to use --net=host under OSX would be great. What documentation I’ve found so far leads me to believe that --net=host should work on mac the way it works on Linux.

What’s the advantage of “docker for mac” if it behaves differently than “docker for Linux?”


-p doesn’t work like it does in Linux. For example:

%>docker run -p 8765:8765 ua-cloud
%>curl localhost:8765/start
Cloud OK

%>docker run -p 8765:8765 --net=host ua-cloud
%>curl localhost:8765/start
curl: (7) Failed to connect to localhost port 8765: Connection refused

Under linux, I can get docker containers to talk to each other and allow me to access exposed URLs. Under docker for mac, it seems I can not.

In the Dockerfile for cloud, we have

EXPOSE 8765 9090 61666

I’m not sure if that’s equivalent to -p 8765:8765 …

“Faster and more reliable: no more VirtualBox! The Docker engine is running in an Alpine Linux distribution on top of an xhyve Virtual Machine on Mac OS X or on a Hyper-V VM on Windows, and that VM is managed by the Docker application. You don’t need docker-machine to run Docker for Mac and Windows.”

I’m having difficulty finding any documentation from Docker that states that Docker for Mac is anything other than docker with a different VM…

Well, I guess since this issue isn’t going to be accepted as an issue or fixed, then Docker for Mac is a non-starter for me.

I assumed “Docker for mac” meant my Docker images that work out of the box in Linux would work in Mac. They don’t and when I report they don’t, I’m told “that’s not the goal”. If that’s not the goal, then it’s not a solution for me.

Thanks anyways.

I’m sorry that Docker for Mac doesn’t fit your needs. I hope that in the future OSes can, similar to FreeBSD, provide a syscall interface that is Linux compatible, allowing for docker to run actually native, instead of just through a VM.

Windows has been working towards this with Windows Subsystems for Linux, but obviously for people who need Docker “NAO!” on Windows, a VM is the only option.

Sadly, I don’t know of any projects to do something similar for OSX.


I assumed “Docker for mac” meant my Docker images that work out of the box in Linux would work in Mac.

If you need Linux on your Mac, run VirtualBox (using Vagrant?) and run Docker inside those VMs. You should do this especially if you need to test your apps on a multi-host setup.

You can also run “Docker in Docker” in Docker for Mac, so you can run a swarm of Docker daemons which might be enough of a test environment for your multi-host apps. Within the swarm, you can use Docker networks to isolate your services to only certain user defined networks.

I’ve been using Docker for Mac since the public beta has come out, and while it is still beta, it has been a huge improvement over Docker Toolbox using VirtualBox VMs. I don’t think Docker for Mac is intended for deployment of your apps, only so you can test them on your laptop during development. For this purpose, Docker for Mac is a huge step in the right direction.

How exactly could I find this $DOCKER_HOST?

I don’t think docker for mac sets any additional environment variable.

At least I would like to have a way to access my service through vm’s ip address


The latest update seems to work, or what I was trying earlier didn’t. Mapping ports with -p now works flawlessly, now I can use docker for mac in the same manner as other developers do using VirtualBox and a linux distro.

This is what I had hoped it would be. Thanks.

@curtisrcooley What does mapping ports with -p have to do with the subject of this thread?

Here’s an example of something that you could do with docker-machine that I haven’t been able to solve on Docker for Mac:

Take Kafka running on Zookeeper. The new producer for Kafka requires that you initially connect to a broker and then Zookeeper gives you a list of broker hostnames and ports to use for all other communication. This list is going to be hostnames that are resolvable inside of Docker, even if the initial connection was established on a published port on localhost.

With docker-machine, it was possible to set Kafka to advertise a hostname that worked both inside and outside of Docker, giving you the ability to publish to topics from, say, a REPL on a Dockerized Kafka broker, while not breaking communication with Kafka from other containers. This doesn’t seem possible with Docker for Mac, and Kafka is far from the only kind of distributed system that works on this kind of bootstrap discovery model.

If you have --net=host then any ports mapped with -p are not exported. You seem to get one or the other on Docker for Mac. At least that’s the behavior a couple releases ago. We have scripts to work around this, so I can’t verify it hasn’t been fixed in the latest update.


In my setup, I’m still using docker toolbox for Mac (i.e. virtualbox as docker machine) and a workaround to make this behaviour happen is to establish a reverse tunnel between Mac OSX and docker-machine:

ssh -t -R8000:localhost:8000 docker@$(docker-machine ip dev)

after having the tunnel opened, I can “docker run -it --rm --net=host buildpack-deps:curl curl localhost:8000” and get the desired behaviour

I know it is just a work around… but it is there… just in case it could be useful for somebody

you are welcome to try it on xhyve as well, I think it should work AS-IS


I thought the purpose of the --net=host is to tell docker to replicate that same ifconfig detail into the running container as well.

It seems like this is not the case.

My machine ifconfig has an en0 interface with ip 10.x.x.x while in a running container the ifconfig shows an en0 interface with 192.x.x.x.

Could someone explain the mechanics for how the networking works?

It would be really nice if you documented that this does not work the way one would expect. Anyone that has read the marketing for Docker for Mac hears that the OSX host acts like the host. Look at the -p and -v options for mapping.

--net=host simply does not behave the same way, and --net=host combined with -p : behaves in a VERY surprising way.

The very least you could do is document this behavior. It seems reasonable to warn anyone who actually tries to use these flags when they use them that they are not going to get what they would on Linux.


I mean, yeah, that sounds reasonable. But I’m not actually, myself, connected with Docker. I’m just a random person who has invested a lot of time and interest into various emulation and virtualization stuff, and then worked at Google, and when I left, I didn’t have borg. So…

You might be able to find an official contact method to get in touch with someone, or possibly file a “bug” noting that documentation isn’t clear about --net=host outside of Linux. (The same problem is going to manifest in Windows as well.)


Totally agreed. I have tried docker on Mac and expected --network host should work out of the box. But after that I realised that I would still have to come back to bridge mode with the port mapping option.

It would be very nice if we had the host networking mode working properly, as it is supposed to; it should be more convenient in local testing mode.

Thanks, everyone, for elaborating on this issue.

How is $DOCKER_HOST set? It’s not set on my local install of mac docker.


I agree with the original poster. Quite simply, if something isn’t working the same, it should be documented as such. All the technical explanations in the world about why do not change the issue, nor that the documentation misrepresents it. Funnily enough I came here with the same problem, but on linux - I guess mine is different. Hope it’s all working good now anyway.


In my opinion, you should check your iptables rules. To access the port of your container from your host, you must open the corresponding port, for example 80, on the host machine (docker does not create an iptables rule to redirect port 80 of your machine to port 80 of the container, because the container directly uses port 80 of your machine; distributions like CentOS have firewall rules which block connections on the ports).
To allow a connection on a port: sudo iptables -I INPUT -p tcp -m tcp --dport 80 -j ACCEPT

@mitack @snowgirl Maybe this is the reason.

The host networking driver only works on Linux hosts, and is not supported on Docker Desktop for Mac, Docker Desktop for Windows, or Docker EE for Windows Server.

See details in Use host networking | Docker Documentation
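
A small lint for the flag behaviour reported in this thread, added here as an example and not taken from any post or from Docker: it flags --net=host combined with -p, and --net=host on a host OS other than Linux, where the engine runs inside a VM. The function name lint_docker_run and the finding codes are made up for this example; the caller passes the host OS (the output of uname -s) as the first argument.

```shell
#!/bin/sh
# Added example (not from the thread): lint `docker run` options for the
# host-networking pitfalls discussed above.
# Usage: lint_docker_run HOST_OS [docker run options...]
# HOST_OS is the output of `uname -s` on the machine running the docker CLI.
# Assumption: only options up to the image name are passed in; anything after
# the image is the container's own command line and would be misread.
lint_docker_run() {
    host_os=$1
    shift
    host_net=0
    publish=0
    prev=""
    for arg in "$@"; do
        # Space-separated form: --net host / --network host
        if [ "$arg" = host ]; then
            case "$prev" in
                --net|--network) host_net=1 ;;
            esac
        fi
        case "$arg" in
            --net=host|--network=host) host_net=1 ;;
            -p|-p?*|--publish|--publish=*|-P|--publish-all) publish=1 ;;
        esac
        prev=$arg
    done

    findings=0
    if [ "$host_net" -eq 1 ] && [ "$publish" -eq 1 ]; then
        echo "PUBLISH_IGNORED: -p/--publish has no effect with host networking"
        findings=1
    fi
    if [ "$host_net" -eq 1 ] && [ "$host_os" != Linux ]; then
        echo "HOST_IS_VM: on $host_os the container shares the Docker VM's network stack, not this machine's"
        findings=1
    fi
    if [ "$findings" -eq 0 ]; then
        echo "OK"
    fi
    return 0
}

# The command from the thread, as seen from a Mac and from a Linux host.
lint_docker_run Darwin -p 8765:8765 --net=host ua-cloud
lint_docker_run Linux -p 8765:8765 --net=host ua-cloud
```
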