2

I want to support connecting to the guest on privileged ports—such as port 80—when using Vagrant with VirtualBox but it doesn’t seem to work. What is the best option on how to handle this?

I am running Vagrant w/ Virtualbox on my Mac, and have a CentOS 7 guest. Inside the guest I'm experimenting with Docker, and have a few different containers running.

In my Vagrantfile I've set up minimal port forwarding rules and these get created properly within VirtualBox by Vagrant.

  # Create a forwarded port mapping which allows access to a specific port
  # within the machine from a port on the host machine. In the example below,
  # accessing "localhost:8080" will access port 80 on the guest machine.
  # NOTE: This will enable public access to the opened port
  config.vm.network "forwarded_port", guest: 8080, host: 8080
  config.vm.network "forwarded_port", guest: 80, host: 8081
  config.vm.network "forwarded_port", guest: 3306, host: 3306

From VirtualBox, everything is set up as expected (NAT networking, forwarding rules).

[Image: VirtualBox Network Configuration]

[Image: Port Forwarding Rules]

When I run lsof on macOS, I see this, which looks and works as expected:

VBoxHeadl 1265 david   15u  IPv4 0x54ccbd2a67321437      0t0  TCP localhost:2222 (LISTEN)
VBoxHeadl 1265 david   16u  IPv4 0x54ccbd2a602a3b3f      0t0  TCP *:3306 (LISTEN)
VBoxHeadl 1265 david   17u  IPv4 0x54ccbd2a672ad627      0t0  TCP *:8080 (LISTEN)
VBoxHeadl 1265 david   18u  IPv4 0x54ccbd2a6539fd2f      0t0  TCP *:8081 (LISTEN)

The Problem

If I attempt to forward a privileged port (:80 in this case), the port forwarding does not work. There is no OSX process listening on :80.

Inside the VM I can wget the page from the running webserver, and really nothing should appear to be any different to the Guest VM.

The VirtualBox manual says this shouldn't work?

In the VirtualBox manual's NAT networking section, there is a section titled 6.3.3. NAT limitations

Forwarding host ports < 1024 impossible: On Unix-based hosts (e.g. Linux, Solaris, Mac OS X) it is not possible to bind to ports below 1024 from applications that are not run by root. As a result, if you try to configure such a port forwarding, the VM will refuse to start.

So, perhaps this is stating that this should not work; however, it is not true that the VM won't start. It runs fine in my case, which makes me question if the manual is talking about running the host OS for VirtualBox, or the guest OSes.

Is this the reason that VirtualBox w/ NAT and port forwarding doesn't start a listener for port 80?

A message seems to have popped up at Vagrant up that I haven't seen before:

==> default: You are trying to forward to privileged ports (ports <= 1024). Most
==> default: operating systems restrict this to only privileged process (typically
==> default: processes running as an administrative user). This is a warning in case
==> default: the port forwarding doesn't work. If any problems occur, please try a
==> default: port higher than 1024.

So that certainly seems to remove any confusion.


Conclusion

A Private network or a bridged network are both viable solutions to allow me to utilize natural Guest ports even if they are privileged (< 1024) on the Host.

This also removes the need to set up individual port forwarding. In my case, the Private network seems like the best option, as it's a bit more secure in that only my Mac can see the Guest.

Here is the necessary Vagrantfile configuration:

# Create a private network, which allows host-only access to the machine
# using a specific IP.
config.vm.network "private_network", ip: "192.168.20.20"

This also facilitates adding one or more entries to the Mac's /etc/hosts file for the guest, providing convenience.

1
  • I have been experimenting with vagrant share, and I just want to state that it will not read the configuration and use the Private Network option properly. So if you do want to do that, you still need to map a > 1024 host-only port redundantly so that Vagrant Share can find it and map it with Ngrok.
    – gview
    Commented Jul 18, 2017 at 20:54
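
A host-side check for the symptom described in the question, as an added example that is not part of the original post: it parses lsof LISTEN rows in the format quoted there and reports configured forwards that have no listener (such as a privileged port) and forwards bound to every interface. The `EXPECTED` list and the function names are assumptions made for illustration.

```ruby
# Added example: audit host-side listeners after `vagrant up`.
# The lsof rows are the ones quoted in the question; EXPECTED is an assumption.
SAMPLE_LSOF = <<~OUT
  VBoxHeadl 1265 david   15u  IPv4 0x54ccbd2a67321437      0t0  TCP localhost:2222 (LISTEN)
  VBoxHeadl 1265 david   16u  IPv4 0x54ccbd2a602a3b3f      0t0  TCP *:3306 (LISTEN)
  VBoxHeadl 1265 david   17u  IPv4 0x54ccbd2a672ad627      0t0  TCP *:8080 (LISTEN)
  VBoxHeadl 1265 david   18u  IPv4 0x54ccbd2a6539fd2f      0t0  TCP *:8081 (LISTEN)
OUT

# Host ports the Vagrantfile is expected to forward (assumed: SSH on 2222,
# the three forwards shown, plus the attempted privileged forward on 80).
EXPECTED = [2222, 3306, 8080, 8081, 80].freeze

LOOPBACK = ["localhost", "127.0.0.1", "[::1]"].freeze
Listener = Struct.new(:command, :address, :port)

# Parse LISTEN rows; the NAME column ("*:3306") precedes "(LISTEN)".
# Assumes numeric ports (lsof -P); rows with service names are skipped.
def parse_listeners(lsof_text)
  lsof_text.each_line.map do |line|
    fields = line.split
    next unless fields.last == "(LISTEN)" && fields.length >= 3
    address, _sep, port = fields[-2].rpartition(":")
    number = Integer(port, exception: false)
    Listener.new(fields[0], address, number) if number
  end.compact
end

# Compare what is listening with what was configured.
def audit(lsof_text, expected_ports)
  listeners = parse_listeners(lsof_text)
  missing = expected_ports - listeners.map(&:port)
  {
    missing: missing,                                     # configured, not bound
    missing_privileged: missing.select { |p| p < 1024 },  # needs root to bind
    exposed: listeners.reject { |l| LOOPBACK.include?(l.address) }.map(&:port)
  }
end

if __FILE__ == $PROGRAM_NAME
  report = audit(SAMPLE_LSOF, EXPECTED)
  puts "not listening:           #{report[:missing].inspect}"
  puts "  of which privileged:   #{report[:missing_privileged].inspect}"
  puts "bound to all interfaces: #{report[:exposed].inspect}"
end
```

For a port reported under `exposed`, Vagrant's `forwarded_port` option `host_ip: "127.0.0.1"` binds the forward to loopback only.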

1 Answer

1

I think the best option depends on all the things you're trying to do. For VirtualBox-containing server environments, I tend to run all my VMs with a bridged adapter so they all have IP addresses on the LAN. There is no issue with privileged ports in this case. Furthermore, migrating VMs to a new machine is reasonably simple since all VMs in a cluster are already addressable by all the other VMs in the cluster.

Sometimes, I start a remote tunnel via ssh, but this is more rare. One instance where this is useful is to temporarily expose a VM on my computer to the outside world on a public web server without having to put my computer directly onto the Internet.

1
  • I have started using the "Private" network, but I think bridged is also a good option, especially if I end up needing to expose the server to other workstations on my net.
    – gview
    Commented Jun 30, 2017 at 18:55
