
I have a service running on a host at port 8545. I have several docker containers which need access to this service on the host. The host is running ubuntu. I've successfully configured

extra_hosts:
- "host.docker.internal:host-gateway"

in the docker-compose file I use to bring up my docker containers. However, I'm finding that the containers cannot access host.docker.internal:8545 unless I open up that port on the host with

ufw allow 8545

However, this opens up the port to anyone which isn't desirable.

How can I open up this port to just the docker containers running on the host?

EDIT: I've seen that the docker0 interface has an IP of 172.17.0.1. I tried running sudo ufw allow from 172.17.0.1 but that didn't enable my containers to access port 8545 on the host.

root@localhost:~/code/metis/ops# ufw status
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
Anywhere                   ALLOW       172.17.0.1
22/tcp (v6)                ALLOW       Anywhere (v6)

root@localhost:~/code/metis/ops# docker exec -it ops_l2geth-mainnet_1 /bin/sh
/ # geth attach http://host.docker.internal:8545
Fatal: Failed to start the JavaScript console: api modules: Post "http://host.docker.internal:8545": context deadline exceeded

EDIT 2: I also tried another suggestion from here which also didn't work:

root@localhost:~/code/metis/ops# ufw allow out on docker0 from 172.17.0.0/16
Rule added
root@localhost:~/code/metis/ops# docker exec -it ops_l2geth-mainnet_1 /bin/sh
/ # geth attach http://host.docker.internal:8545
Fatal: Failed to start the JavaScript console: api modules: Post "http://host.docker.internal:8545": context deadline exceeded

EDIT 3: I forgot to mention that I'm running these containers with docker-compose. As I understand, docker-compose uses custom networks which might explain why the above ufw allow commands aren't helping.


1 Answer


Figured it out! Though I'm not sure if this is a generic solution.

It turns out that because I started my containers with docker-compose the default docker0 interface with IP 172.17.0.1 wasn't how my containers were talking with the host. In my case, docker-compose made a new network called ops_default:

 ❯❯❯ docker network ls
NETWORK ID     NAME          DRIVER    SCOPE
2774ed101a84   bridge        bridge    local
a6176c796a29   host          host      local
dfcd1606b19d   none          null      local
7415a4410daf   ops_default   bridge    local

Inspecting the ops_default network yielded the following:

 ❯❯❯ docker network inspect ops_default
[
    {
        "Name": "ops_default",
        "Id": "7415a4410daf3df718ce957787abd1b9842e4e914fd1b2ff549c80e56d032265",
        "Created": "2022-03-10T16:14:13.789181757Z",
        "Scope": "local",
        "Driver": "bridge",
        "EnableIPv6": false,
        "IPAM": {
            "Driver": "default",
            "Options": null,
            "Config": [
                {
                    "Subnet": "172.22.0.0/16",
                    "Gateway": "172.22.0.1"
                }
            ]
        },
        "Internal": false,
        "Attachable": true,
        "Ingress": false,
        "ConfigFrom": {
            "Network": ""
        },
        "ConfigOnly": false,
        "Containers": {
        }
    }
]

It seems that this network runs on subnet 172.22.0.0/16. Running ufw allow from 172.22.0.0/16 fixed my issue!

root@localhost:~/code/metis/ops# ufw status
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
Anywhere                   ALLOW       172.22.0.0/16
22/tcp (v6)                ALLOW       Anywhere (v6)

root@localhost:~/code/metis/ops# docker exec -it ops_l2geth-mainnet_1 /bin/sh
/ # geth attach http://host.docker.internal:8545
Welcome to the Geth JavaScript console!

instance: Geth/v1.10.17-unstable-19c2c60b-20220308/linux-amd64/go1.17.8
at block: 14360238 (Thu, 10 Mar 2022 16:44:29 UTC)
 modules: eth:1.0 net:1.0 rpc:1.0 web3:1.0

> 
  • Thanks. This works but unfortunately is not the best solution - as soon as you restart docker-compose a new subnet is assigned, meaning you need to reset ufw's allow list every time.
    – kyriakos
    Commented Dec 28, 2022 at 20:34
  • @kyriakos you can define the network in your docker compose check that: docs.docker.com/compose/compose-file/06-networks/#ipam
    – Johann-S
    Commented Jan 18 at 21:05
  • "It turns out that because I started my containers with docker-compose the default docker0 interface with IP 172.17.0.1 wasn't how my containers were talking with the host." -- I don't think this is correct. It's just that ufw prevents the containers from connecting to 172.17.0.1 (aka host.docker.internal). At least in my case I ended up setting ufw allow from 172.22.0.0/16 to 172.17.0.1 and this did the trick.
    – balu
    Commented Mar 19 at 11:03
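The accepted answer opens every port on the host to the compose subnet, and kyriakos and Johann-S point out the subnet can change unless it is pinned. The script below is an added example, not part of the original answer: it pulls the subnet out of `docker network inspect` output (the constructed sample is the IPAM block shown above) and builds a ufw rule limited to TCP 8545, which is the port the question actually asked about. The helper names are my own; the network name ops_default, the port and the subnet come from the page.

```shell
#!/bin/sh
# Constructed sample: the IPAM part of `docker network inspect ops_default`
# as shown in the answer above.
SAMPLE_INSPECT='[
    {
        "Name": "ops_default",
        "Driver": "bridge",
        "IPAM": {
            "Config": [
                {
                    "Subnet": "172.22.0.0/16",
                    "Gateway": "172.22.0.1"
                }
            ]
        }
    }
]'

# Print every "Subnet" value found in docker network inspect JSON on stdin.
subnets_from_inspect() {
    sed -n 's/.*"Subnet": *"\([^"]*\)".*/\1/p'
}

# Build a rule that admits only the compose subnet and only the service port,
# instead of the answer's `ufw allow from 172.22.0.0/16` (which opens all ports).
ufw_rule_for() {
    subnet=$1
    port=${2:-8545}
    printf 'ufw allow in from %s to any port %s proto tcp\n' "$subnet" "$port"
}

# Generate rules for a live compose network (needs docker). Prints the
# commands; review them, then run them as root to apply.
rules_for_network() {
    docker network inspect "$1" | subnets_from_inspect | while read -r s; do
        ufw_rule_for "$s" "${2:-8545}"
    done
}

# Offline run on the constructed sample.
demo() {
    printf '%s\n' "$SAMPLE_INSPECT" | subnets_from_inspect | while read -r s; do
        ufw_rule_for "$s" 8545
    done
}

# To stop the subnet from changing on every `docker-compose up` (Johann-S's
# point), pin it in the compose file:
#   networks:
#     default:
#       ipam:
#         config:
#           - subnet: 172.22.0.0/16
```

Usage: `rules_for_network ops_default 8545` prints the rule for the real network; pair it with the pinned subnet so the rule keeps matching after a restart.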
