Support docker network route <network-name> to provide client OS direct container access

[jamshid]

Output of docker version:

Client:
 Version:      1.11.0
 API version:  1.23
 Go version:   go1.5.4
 Git commit:   4dc5990
 Built:        Wed Apr 13 19:36:04 2016
 OS/Arch:      darwin/amd64

Server:
 Version:      1.11.0
 API version:  1.23
 Go version:   go1.5.4
 Git commit:   a5315b8
 Built:        Tue Apr 26 15:23:39 2016
 OS/Arch:      linux/amd64

Output of docker info:

Containers: 35
 Running: 9
 Paused: 0
 Stopped: 26
Images: 998
Server Version: 1.11.0
Storage Driver: aufs
 Root Dir: /var/lib/docker/aufs
 Backing Filesystem: extfs
 Dirs: 801
 Dirperm1 Supported: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins: 
 Volume: local
 Network: host bridge null
Kernel Version: 4.4.6-moby
Operating System: Alpine Linux v3.3
OSType: linux
Architecture: x86_64
CPUs: 4
Total Memory: 3.859 GiB
Name: docker
ID: F64G:UTRO:Y4S4:V43M:7OMT:SCYT:NBPL:O77A:CLSL:JZWZ:7RMU:UP5E
Docker Root Dir: /var/lib/docker
Debug mode (client): false
Debug mode (server): true
 File Descriptors: 61
 Goroutines: 110
 System Time: 2016-04-30T04:36:45.951786883Z
 EventsListeners: 2
Registry: https://index.docker.io/v1/

Additional environment details (AWS, VirtualBox, physical, etc.):

Docker for Mac, but want this ability in all scenarios, including docker swarm.

Steps to reproduce the issue:
I want my docker client (laptop) to be able to provide direct access to docker containers by their ip address. This is very useful when you're running/debugging a program locally that needs to talk to a cluster of servers running within docker. I can't access by published ports, my local program needs direct access each container by ip.

This works (at least used to) on my macbook with a docker-machine virtualbox server:

sudo route add -net 172.17.0.0/16 192.168.65.2 # 192.168.X.Y is the docker VM ip

but it does not work (I can't ping a container's ip) on Docker for Mac, or with Swarm, or a remote docker server (e.g. digitalocean).

Describe the results you received:

macbook$ ping 172.18.0.8
PING 172.18.0.8 (172.18.0.8): 56 data bytes
ping: sendto: Network is unreachable

Describe the results you expected:

I expect to be able to curl http://172.18.0.8 as if my macbook is in the container's network.

Sorry I don't know enough about networking to know if or how this is possible. Maybe it's possible now with a unix script or by using the weave network plugin.

This seems useful enough to be a "batteries included" feature.

The feature I'm imagining is docker network route myproject_backend will give the machine running the docker client an ip address on the docker network, e.g. created by a docker-compose project that names its network backend.

[fntlnz]

I had the same need so I wrote a little daemon that listen for docker events to route network from the host interface to the VM interface.

Basically on OS X I do the route add thing as you did and on the VM I just preallocate the ip addresses so that can be used by docker and routed by the host.

docker run -p 10.0.0.40:80:80 nginx

You can find more here: https://github.com/fntlnz/docker-machine-router

P.S: my solution is currently limited to OS X using docker-machine. I'm also trying to "reverse engineer" the route command code taken from Apple open source in order to add routes programmatically. You can check out my progress here

[justincormack]

Hi, we would like to add this to docker for mac, but there are issues at the moment in terms of OS support on OSX. I did have it working as a prototype on an earlier version, but there are various reasons why it is difficult to support. For overlay networks it is also a problem as OSX does not have the necessary support, and Apple does not really support adding kernel modules. At the moment your best bet is to run the programs you want to access with in containers themselves.

[jamshid]

Sorry I don't know this stuff well... but is https://github.com/docker/vpnkit another way that I can get what I want?

Instead of docker network route how about docker network setupvpnfor <network-name>, to start a VPN service with access to my containers' network? Then I just connect from my laptop (or whatever) using my OS's standard VPN client software.

[justincormack]

@jamshid unfortunately the overlay network drivers are not compatible with VPN clients, and there are no VPN overlay drivers yet. We are considering some VPN based approaches, but no decisions have been made.

[relgames]

HyperKit supports it already moby/hyperkit#45
And looks like people can already do it https://forums.docker.com/t/support-tap-interface-for-direct-container-access-incl-multi-host/17835 by changing configuration.

What are the complications to enable it by default?

[Multiply]

I would also love some public accessible status on this issue. It used to work in earlier version of Docker for Mac. It is one of the biggest selling points for us to go from Docker Toolbox and to Docker for Mac.

[cpuguy83]

@Multiply Routing from the osx host to the container network has never been supported in docker4mac.
It works in Toolbox because Toolbox uses vbox bridge networking.

[Multiply]

@cpuguy83 I had routing working in one of the early beta versions, maybe using different launch options, but I had it working, at least.

[westsouthnight]

Its be a very nice!

[pauldraper]

Basic use case:

1. I want to run a FTP server.
2. I like Docker. I want to run it in Docker.
3. FTP servers (in passive mode) must have a large number of auxillary ports.
4. I specify a port range.
5. Performance goes to hell because Docker is entirely reliant on user space proxies and starts a process for every single port.
6. I abandon Docker and choose a more performant virtualization technology for my case.

[guss77]

The current status with Docker Desktop for Mac is that the Linux VM is managed using HyperKit and does not expose a network interface to communicate directly with the Linux VM, so there is no way to route traffic into the Linux VM. The only way to access the Linux VM hosted containers is to configure them to expose ports, which will have the Docker Desktop for Mac open the relevant ports on the host's network interface.

Maybe in the future Docker Desktop for Mac will also use VPNKit or something like that to create virtual network interfaces that map to the docker networks running in the Linux VM - at which point this issue will be moot - but until then there is nothing to do about this issue and I suggest closing it.