Support Host Network (--network host) mode on Docker Desktop for Mac and Windows #238
Comments
Although documentation states not supported on any O/S but Linux, it also doesn't seem to work correctly (although it doesn't throw error) on Linux flavors on WSL2. The swarm configurations likewise don't function as they do in "bare metal" Linux, which can make for a ton of confusion in the docs. There is a large and growing population of Mac/Windows users that are not fully supported by the extant documentation, and issues like this (many other networking issues exist on those platforms too). I plan to follow this thread closely, and would welcome the chance to help refine docs so they apply across the board, or exceptions are noted where they exist. |
What is basically needed to make this work? Where would one need to start looking to make this work on MacOS? |
Having this supported could maybe help with the horrible network performance I see on macos docker ... This makes for instance using postgres in a container very painful. |
Hi - thanks for this issue and sorry for the delayed reply. We'll do some scoping on this and circle back on this thread shortly. |
This is certainly a feature I would love to see support for. Lacking host network support makes it impossible for me to run services that need to be network aware on anything other than Linux, since otherwise they only see the network bridge. |
Another limitation I've found - not being able to run a local Redis cluster https://redis.io/docs/manual/scaling/#redis-cluster-and-docker |
Related to docker/desktop-linux#87 |
Now with the new release 4.14.0 of Docker Desktop on Mac utilizing the Apple Virtualization Framework, it should be possible to add another network adapter featuring the bridged network aka. network_mode = host ? Is this a big challenge? Can somebody point out the hypervisor configuration for the Apple Virtualization Framework here? :) Also thanks for putting it in the "Considering" space of the docker-roadmap ! 👍 |
+1 - would be really nice to get this implemented as it works on Linux! |
Is there any way to get more updates on this ? I think this would be an extremely appreciated feature for mac users |
Here's the link to the filter to track its progress! https://github.com/docker/roadmap/projects/1?card_filter_query=network+host |
Yes please. Very much please. |
It doesn't seem to be getting traction or is it too early to tell? |
I've been waiting for 5 years for that. Can you please do it? If security is the main concern, please disable this feature by default. |
bump. I have several tools that I would love to be able to containerize that need layer2 access. |
For everyone who's bummed about this lack, the solution may very well be to switch to a more active project 🤷 It's been five years. For instance, https://orbstack.dev/, while not open-source, seems very promising and already supporting the |
Website has been registered for only 1 week. How well do you know it? |
Not well myself, but I work with 2 people that tested it and that raised excellent feedback. |
Good news! This has been added as a beta feature in Docker Desktop 4.29. |
Yeah, it's amazing for some features. I managed to run Home Assistant now outside of VM. But faced now new issues with USB stuff which can't be mounted to docker since 6 years as well :) Good luck all. Hope people can resolve problems with this update |
Just downloaded and installed Docker Desktop on my Mac to test this out with the Scrypted docker-compose file in |
Yeah, I also tried with scrypted and homebridge. It's not working as intended. Although it works with nginx. Here are the open ports in the VM and on the host with both nginx and homebridge when using nginx
homebridge
It seems that only the ports listening on IPv4 addresses are exposed. |
Awesome, this update solved my issue! Thank you so much! 🤩 |
Disabling IPv6 in the VM solved the ports issue, exposing all ports and allowing network access to the Homebridge UI. However, it appears that mDNS is not functioning, and the service remains undiscoverable by HomeKit. Access VM
Disable IPv6
|
@ca0x Thanks for reporting. It seems you're hitting two limitations:
- Software working in dual-stack mode, or IPv6-only, can't benefit from this improvement. As we're working toward adding better support for IPv6, we're going to fix this mishap soon -- most probably in v4.31.
- mDNS is currently not supported. We need to investigate exactly why.
@vadimen Are you trying to use this feature with Windows Containers? This improvement works only if there's a Linux VM running.
@Nemesis7 What ports is Scrypted listening to? Are some of them bound by DD on the host? It's probably worth filing a new issue in either https://github.com/docker/for-win or https://github.com/docker/for-mac. |
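Added example, not part of the thread and not Docker's code: the reports above say only ports with an IPv4 listener were reachable from the host, while dual-stack or IPv6-only listeners were not. This Python code reads listener tables in the `/proc/net/tcp` and `/proc/net/tcp6` format and lists the ports that have no IPv4 listener; the sample tables and function names are constructed for illustration.

```python
import ipaddress
import socket
import struct

# Constructed sample in /proc/net/tcp and /proc/net/tcp6 format (not from the thread):
# one server bound to 0.0.0.0:80 and [::]:80, and one bound only to [::]:8581.
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20001 1
   1: 0100007F:A1B2 0100007F:0050 01 00000000:00000000 00:00000000 00000000     0        0 20002 1
"""
SAMPLE_TCP6 = """\
  sl  local_address                         remote_address                        st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000000000000000000000000000:0050 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20003 1
   1: 00000000000000000000000000000000:2185 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20004 1
"""

TCP_LISTEN = "0A"  # socket state code for LISTEN in /proc/net/tcp*


def decode_addr(hex_addr):
    """Decode the kernel's hex address (32-bit words; assumes a little-endian host)."""
    words = [int(hex_addr[i:i + 8], 16) for i in range(0, len(hex_addr), 8)]
    raw = struct.pack("<%dI" % len(words), *words)
    return socket.inet_ntoa(raw) if len(raw) == 4 else str(ipaddress.IPv6Address(raw))


def listeners(proc_text):
    """Return {(address, port)} for every socket in LISTEN state."""
    found = set()
    for line in proc_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[3] != TCP_LISTEN:
            continue
        addr, port = fields[1].rsplit(":", 1)
        found.add((decode_addr(addr), int(port, 16)))
    return found


def ipv6_only_ports(tcp_text, tcp6_text):
    """Ports with a listener in tcp6 but no IPv4 listener on the same port."""
    v4_ports = {port for _, port in listeners(tcp_text)}
    return sorted({port for _, port in listeners(tcp6_text)} - v4_ports)


if __name__ == "__main__":
    # Inside a container, pass open("/proc/net/tcp").read() and the tcp6 file instead.
    for port in ipv6_only_ports(SAMPLE_TCP, SAMPLE_TCP6):
        print(f"port {port}: bound on IPv6 only, no IPv4 listener")
```

A dual-stack socket bound to `::` appears only in the tcp6 table, which is why it is grouped with IPv6-only listeners here.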
Yes, I was trying to use it with Windows containers. Could you please suggest any solution for this use case: https://devops.stackexchange.com/questions/19117/bind-dedicated-ip-to-docker-container-in-windows-server-2022 ? |
@vadimen I'm not super familiar with Windows Containers networking. I think it's worth looking for a similar issue or asking on https://github.com/microsoft/Windows-Containers. |
@akerouanton By default it's port 10443, plus there's one port for HomeKit which is variable and there is the mDNS port, i.e. 5353, but shouldn't this recent release allow any container with |
@Nemesis7 It's definitely related but it'd be better to have a proper bug report. |
Hm, am I missing something? I'm running 4.30.0: Under "Features in development" I enabled "Enable host networking": (For unknown reasons that checkbox only became enabled when I logged into an account, it's unclear to me how networking and login are related.) If I now run netcat in listen mode in a container: I am unable to connect to that from outside the container: But if I exec into the container and try the connection from there, it works: That should work from the host as well, or not? |
Using
Also, when using listener mode the port is random:
If you run a listener like this, and then try to connect to it using localhost on the outer system, it still won't work, because you can see it is bound to
And after this, connecting to localhost on the outer host, using the port in the message (59271 in this example) should work. I tested this on Mac, although I see you're using Windows. I would hope it works the same, but YMMV. |
What image are you using for your container? The netcat syntax you're using is for BSD netcat, for GNU and Busybox netcat my syntax should be ok. I tried installing BSD netcat in my Alpine container but I couldn't get it to work with your commands: I tried specifying a local IPv4 address to rule out the IPv6 issue you mention with |
Based on your screenshot, to replicate your environment, I used alpine:latest.
I will admit I probably used the manpage from macOS (which would have the BSD version), not realizing the disparity between it and GNU/Linux. But the behavior I tested and pasted output from came from
I see now that your syntax works and has the right port (which it clarifies with
If you bind to the IPv4 stack it then allows connection from the outside host:
|
Ah, sorry to see that. Unfortunately I have no explanation for it. I would guess it is a difference in the Mac vs. Windows environment (either the network stack, or the way Docker Desktop works with the host OS, or both). I don't have any Windows machines around here to test it. |
It doesn't work with me. I'm using v4.33.0 on Windows 11, and have enabled the feature after signing in. Alas,
Am I doing something wrong? Do I have to create the host network somehow? |
@s13n This feature isn't compatible with Windows containers. It's meant to be used with Linux containers, on both macOS and Windows. |
@akerouanton Thanks! That wasn't clear to me, and the explanatory text near the tick box in the settings dialog doesn't mention it. Maybe it would be an idea to disable the choice when Docker Desktop is in Windows container mode. |
@s13n Thanks for reporting! This should be fixed in the next release (4.34). |
Tell us about your request
Right now, `docker run --network host <image>` is only available to Linux docker hosts. From the official documentation:
Which service(s) is this request for?
Docker Desktop for Mac, Docker Desktop for Windows
Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard?
Making a docker container with dynamic port mappings is not possible right now.
For example, a container that allows a user to accept connections on arbitrary ports through a netcat listener. During a network penetration test, the user may be testing outbound firewall rules and needs to dynamically accept connections on different ports in the container, e.g. `53`, `80`, `443`, `1337`, `9001`, or any other arbitrary port. The user will not know these ports before starting the container, so it's not possible for the user to run the container with `docker run -p <ports> <image>`.
With `docker run --network=host`, this could be accomplished by just using the same network schema as `localhost`.
Are you currently working around the issue?
The "best" workaround I know of would be to add an `EXPOSE 1-1000` in the Dockerfile and run the container with `docker run -P <image>`, which is very slow and still limits the range of open ports. Using the full port range of `EXPOSE 1-65535` hangs my terminal, so I don't know how effective it is.
The `-P` flag is documented here: https://docs.docker.com/network/links/#connect-using-network-port-mapping
This is not a sustainable workaround.
Additional context