13

I have a service running on a host at port 8545. I have several docker containers which need access to this service on the host. The host is running ubuntu. I've successfully configured

extra_hosts:
  - "host.docker.internal:host-gateway"

in the docker-compose file I use to bring up my docker containers. However, I'm finding that the containers cannot access host.docker.internal:8545 unless I open up that port on the host with

ufw allow 8545 

However, this opens up the port to anyone which isn't desirable.

How can I open up this port to just the docker containers running on the host?

EDIT: I've seen that the docker0 interface has an IP of 172.17.0.1. I tried running sudo ufw allow from 172.17.0.1 but that didn't enable my containers to access port 8545 on the host.

root@localhost:~/code/metis/ops# ufw status
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
Anywhere                   ALLOW       172.17.0.1
22/tcp (v6)                ALLOW       Anywhere (v6)

root@localhost:~/code/metis/ops# docker exec -it ops_l2geth-mainnet_1 /bin/sh
/ # geth attach http://host.docker.internal:8545
Fatal: Failed to start the JavaScript console: api modules: Post "http://host.docker.internal:8545": context deadline exceeded

EDIT 2: I also tried another suggestion from here which also didn't work:

root@localhost:~/code/metis/ops# ufw allow out on docker0 from 172.17.0.0/16
Rule added
root@localhost:~/code/metis/ops# docker exec -it ops_l2geth-mainnet_1 /bin/sh
/ # geth attach http://host.docker.internal:8545
Fatal: Failed to start the JavaScript console: api modules: Post "http://host.docker.internal:8545": context deadline exceeded

EDIT 3: I forgot to mention that I'm running these containers with docker-compose. As I understand, docker-compose uses custom networks which might explain why the above ufw allow commands aren't helping.

4
  • 1
    stackoverflow.com/q/71416256/1030675 Commented Mar 9, 2022 at 22:02
  • yeah, I posted here because I saw a few votes to close the question on stackoverflow. The voters seemed to think this question is more relevant to superuser. Commented Mar 9, 2022 at 22:08
  • stackoverflow.com/questions/65070841/… Commented Mar 10, 2022 at 0:54
  • Hmm, I don't have problems accessing docker ports from the host. I have the reverse problem of accessing host ports from the docker container. I'll add an edit for something I just tried without success. Commented Mar 10, 2022 at 16:27

1 Answer 1

23

Figured it out! Though I'm not sure if this is a generic solution.

It turns out that because I started my containers with docker-compose the default docker0 interface with IP 172.17.0.1 wasn't how my containers were talking with the host. In my case, docker-compose made a new network called ops_default:

❯❯❯ docker network ls
NETWORK ID     NAME          DRIVER    SCOPE
2774ed101a84   bridge        bridge    local
a6176c796a29   host          host      local
dfcd1606b19d   none          null      local
7415a4410daf   ops_default   bridge    local

Inspecting the ops_default network yielded the following:

❯❯❯ docker network inspect ops_default
[
    {
        "Name": "ops_default",
        "Id": "7415a4410daf3df718ce957787abd1b9842e4e914fd1b2ff549c80e56d032265",
        "Created": "2022-03-10T16:14:13.789181757Z",
        "Scope": "local",
        "Driver": "bridge",
        "EnableIPv6": false,
        "IPAM": {
            "Driver": "default",
            "Options": null,
            "Config": [
                {
                    "Subnet": "172.22.0.0/16",
                    "Gateway": "172.22.0.1"
                }
            ]
        },
        "Internal": false,
        "Attachable": true,
        "Ingress": false,
        "ConfigFrom": {
            "Network": ""
        },
        "ConfigOnly": false,
        "Containers": {}
    }
]

It seems that this network runs on subnet 172.22.0.0/16. Running ufw allow from 172.22.0.0/16 fixed my issue!

root@localhost:~/code/metis/ops# ufw status
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
Anywhere                   ALLOW       172.22.0.0/16
22/tcp (v6)                ALLOW       Anywhere (v6)

root@localhost:~/code/metis/ops# docker exec -it ops_l2geth-mainnet_1 /bin/sh
/ # geth attach http://host.docker.internal:8545
Welcome to the Geth JavaScript console!

instance: Geth/v1.10.17-unstable-19c2c60b-20220308/linux-amd64/go1.17.8
at block: 14360238 (Thu, 10 Mar 2022 16:44:29 UTC)
 modules: eth:1.0 net:1.0 rpc:1.0 web3:1.0

>
3
  • 1
    Thanks. This works but unfortunately is not the best solution: as soon as you restart docker-compose a new subnet is assigned, meaning you need to reset ufw's allow list every time. Commented Dec 28, 2022 at 20:34
  • @kyriakos you can define the network in your docker compose file; check this: docs.docker.com/compose/compose-file/06-networks/#ipam Commented Jan 18, 2024 at 21:05
  • 1
    "It turns out that because I started my containers with docker-compose the default docker0 interface with IP 172.17.0.1 wasn't how my containers were talking with the host." -- I don't think this is correct. It's just that ufw prevents the containers from connecting to 172.17.0.1 (aka host.docker.internal). At least in my case I ended up setting ufw allow from 172.22.0.0/16 to 172.17.0.1 and this did the trick. Commented Mar 19, 2024 at 11:03
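
Putting the accepted answer and the two follow-up comments together, here is an added example (editorial, not code from the asker or any commenter) that does the whole thing in one script: it pins the compose network's subnet with an `ipam` block so the rule survives `docker-compose down`/`up`, and it installs a ufw rule scoped to that subnet, the host-gateway address and the service port, rather than `ufw allow from 172.22.0.0/16`, which exposes every listening port on the host to the containers. Assumptions not taken from the page: the subnet 172.22.0.0/24 is free on the host, the override file `docker-compose.override.yml` (which Compose merges automatically) is acceptable, and `host.docker.internal` resolves to 172.17.0.1, the docker0 address the asker observed and the address the last comment's rule targets; the project name `ops` and port 8545 are the page's own.

```shell
#!/bin/sh
# Added example, not part of the original question or answer.
# Pin the compose network subnet, then allow only that subnet to reach the
# host service on the host-gateway address and port. Run with APPLY=1 as root
# from the directory containing docker-compose.yml.
set -eu

# Assumed values; override from the environment if yours differ.
NET_SUBNET="${NET_SUBNET:-172.22.0.0/24}"     # chosen, must not collide with an existing network
HOST_GATEWAY_IP="${HOST_GATEWAY_IP:-172.17.0.1}" # what host.docker.internal resolves to via host-gateway
SERVICE_PORT="${SERVICE_PORT:-8545}"          # host service the containers need
COMPOSE_NET="${COMPOSE_NET:-ops_default}"     # <project>_default, as seen in `docker network ls`

# Reject anything that is not a dotted-quad CIDR before it is spliced into a
# ufw command line (the value may come from the environment).
is_cidr() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

# Write a compose override that fixes the subnet of the project's default
# network, so the same rule keeps matching after every restart.
write_override() {
    cat > "$1" <<EOF
networks:
  default:
    ipam:
      config:
        - subnet: ${NET_SUBNET}
EOF
}

# The rule the host actually needs: inbound, from the container subnet only,
# to the host-gateway address only, to the service port only, TCP only.
ufw_rule() {
    is_cidr "$NET_SUBNET" || { echo "bad subnet: $NET_SUBNET" >&2; return 1; }
    printf 'ufw allow in from %s to %s port %s proto tcp\n' \
        "$NET_SUBNET" "$HOST_GATEWAY_IP" "$SERVICE_PORT"
}

# Read the live subnet back after `up` to confirm the pin took effect.
live_subnet() {
    docker network inspect -f '{{range .IPAM.Config}}{{.Subnet}}{{end}}' "$1"
}

main() {
    write_override docker-compose.override.yml
    docker-compose up -d
    [ "$(live_subnet "$COMPOSE_NET")" = "$NET_SUBNET" ] \
        || { echo "network $COMPOSE_NET is not on $NET_SUBNET" >&2; exit 1; }
    eval "$(ufw_rule)"
    ufw status numbered
}

if [ "${APPLY:-0}" = "1" ]; then
    main
fi
```

After this, `ufw status` shows a single `172.17.0.1 8545/tcp ALLOW IN 172.22.0.0/24` line instead of an `Anywhere ALLOW 172.22.0.0/16` line, so a compromised container can still talk to the RPC service it legitimately needs, but not to SSH or anything else listening on the host. If `docker-compose down` has been run with the old random subnet still in place, the override only takes effect when the network is recreated, which `up` does once the old `ops_default` is gone.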
