Docker Community Forums

Share and learn in the Docker community.

Will docker for mac support bi-directional connection between host and container in the future?


(Kaijun) #1

As mentioned in the doc, the main limitation of docker for mac is:

Unfortunately, due to limitations in OSX, we’re unable to route traffic to containers, and from containers back to the host.

I’m kind of newbie with linux’s network, I’m curious if it’s possible to enable the bi-directional connection between host and container in the future, or it just won’t happen because of using xhyve?


(Zhang Xiangjun) #2

+1 for bi-directional network between host and the build in alpine linux box.


(Grav) #3

If I’m connected to a WLAN, my containers can reach the host on that LAN IP.

It’s all a bit random to me why this works, and of course there are several caveats, such as the need to be connected to a WLAN, and that this IP must be static …


(Mitack) #4

With Docker Toolbox, I can be disconnected from any network, and still connect from a container to the ‘host’. (If we’re defining ‘host’ to be the OSX host system and not the virtual machine running the docker daemon.) I can also run an app on the host that is bound to localhost, so that no outside connections are allowed, but a container can still connect the the host.

There’s been many, many threads opened and heavily commented on in this forum over the past few months about reaching the ‘host’ from a container. They’ve all gone unanswered by the Docker team and have fallen by the wayside.

As I’ve posted in at least one other thread in this forum, this is the single reason I don’t and won’t use Docker for Mac, because my development environment necessitates some apps to run natively on OSX, and my containers can’t reach those apps.


(David Wisner) #5

If somebody reading this is a pfctl guru… maybe there’s a way. OpenBSD’s PF (firewall) exists natively in macOS, and has been since 10.7 - but I’m not sure what it’s being used for. I’ve found one gui that works and here’s documentation. It’s not a 1 - 1 map with OpenBSD’s pf - but it’s almost like iptables - maybe more powerful - I know it’s possible to create interesting networks within LAN

You can configure your Mac as a dual-homed router in order to share your Mac’s Internet connection and VPN connection with other computers, tablets, smartphone and such. Normally you do it activating the “Internet Sharing” service in OS X System Preferences - Sharing panel. But Murus offers an alternative way to do the same thing, with many more options. Using Murus you will be able to share your Internet connections with per-client and per-service rules, increasing security of both your Mac and your clients. You are also able to forward services from your client to the Internet using Murus port forwarding.

I’m NOT (typo) very knowledgable in this layer of abstraction - however, in the past during the early stages of beta development, I was able to see the networks created via docker, monitor the traffic, disable / enable filtering onto those ports, etc. - I attempted to re-route traffic from that interface - but I’m pretty sure you’ll need to disable the murus preset rules and actually configure the network from scratch to get the topology to work for this case. The gui helps as an initial guidepost, and it’s better than the cmdline - but if it’s possible to do this, then the pf rules can simply be included with docker (or another addon) as a daemon to configure the pf


(Kaijun) #6

Hi all,

i found an article from other container product(not docker): https://www.flockport.com/using-flockbox-with-xhyve/, and i also haven’t even tested it if it does work indeed.

at the end, it mentions:

You can also use routing instead of portforwarding described above to access apps in containers. Routing will make the entire container subnet inside the VM available on the host.

If you would prefer to use routing instead of port forwarding this is how it works. Routing commands need to be run on the host.

If your VM IP is 192.168.64.3 and container subnet is 10.0.3.0/24 you can create a route with a command like below

sudo route -n add 10.0.3.0/24 192.168.64.3

Xyhve creates a bridge100 interface automatically for VM networking. Run a quick ifconfig to check the interface bridge100 is on, for instance en4, and then run the command below.

sudo ifconfig bridge100 -hostfilter en4

Now you should be able to ping any container inside the VM directly from the host

ping 10.0.3.175

To access the app on your Hosts browser edit the /etc/hosts file on the host as described above with port forwarding but this time associate the container IP with the app URL.

Sorry that I have bare knowledge of the linux networking stuffs, but is it a workaround?

I don’t know how to get the IP Address of the vm(alpine with docker) running inside xhyve, any ideas?