WSL 2.0: networkingMode=mirrored makes Docker unable to forward ports #10494
Comments
Interestingly, the port forwarding does work from another machine on the same network as host. Just not on the host machine itself. Machine A:
Machine B:
|
Same issue Maybe related issues: |
Same problem here |
Yup, it's unfortunate but I have the same issue. I am on the release channel with windows version 10.0.22621.2359 |
Same problem here |
Switching to NAT helped me. |
same here |
+1 |
+1 |
+1 |
@benhillis Any ideas/updates here? |
same here |
+1 |
Same issue here, the only way I found to make it "work" was adding ignoredPorts=8080 to the wslconfig, but if container has something like 4800:8080 need to add both ports to |
I think that's a workaround that would work... but I am waiting for someone from the WSL team to answer us here, did they get to know that is the issue, and if they have any plans to fix this? |
That seems to work. Nice find. |
If you run After starting the web server with
Requests from Windows side timeout with:
From another server it works, as mentioned by @driver1998 :
|
Just ran into this as well. AWS
(The port number changes randomly every time) Based on this: https://github.com/aws/aws-sam-cli/blob/c5b9b1e399a1e5c938ef72934a14ede934e17bac/samcli/local/docker/container.py#L124-L125 |
It seems like it's generally a problem with WSL itself. I am looking for a fix soon, since the new network mode is so useful but it's not useable (usefully) in the current state. |
I am having the same issue with apache. No changes other than added --experimental but now nothing works. (98)Address already in use: AH00072: make_sock: could not bind to address [::]:80 root@ACER-Nitro:/usr/sbin# lsof -nP -iTCP -sTCP:LISTEN |
Same problem |
|
there seem to be two issues why Docker containers cannot connect from Windows.
temporary measures for /etc/docker/daemon.json
when using mirrored, the behavior seems to be different from the previous localhostforwarding. use docker-proxy(listen on Linux)
interface is different, but the behavior remains the same. use iptables(listen on container)
via localhostforwarding(until), source address(Windows) was the docker network gateway (=pointing to linux). via mirrored, source address is 127.0.0.1. |
most issues can be resolved by modifying daemon.json. however, the usability may change by not using iptables. https://gist.github.com/shigenobuokamoto/b565d468541fc8be7d7d76a0434496a0 my script is very simple, just apply the following rules to nftables.
this chain is processed immediately before PREROUTING, and will DNAT destination of the packet that arrives from loopback0 interface to 127.0.0.1 to 127.0.0.1. it may seem like a wasteful process, but adding this action breaks the prerouting hook and disables any Docker rules set in the PREROUTING chain. using userland-proxy only for access from localhost is the same as Docker's default behavior. to: who have already used it
both are methods to prevent the PREROUTING NAT rule. if you like, please try this as well. |
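A sketch of the rule described in the comment above, as an added example and not the contents of the linked gist. The table name, the chain name and the priority value -101 are assumptions, chosen so the chain runs just before the priority -100 PREROUTING NAT chain; `loopback0` and `127.0.0.1` come from the comment. It covers IPv4 only.

```nftables
# Added example; table and chain names are hypothetical, not taken from the gist.
# Load inside the WSL distribution as root:  nft -f <this file>
# Remove again with:  nft delete table ip wsl_mirrored_example
table ip wsl_mirrored_example {
    chain prerouting_before_docker {
        # Priority -101 sorts ahead of dstnat (-100), where the
        # iptables-managed PREROUTING NAT chain holding Docker's
        # port-publishing DNAT rules is hooked (assumed value).
        type nat hook prerouting priority -101; policy accept;

        # Connections from the Windows host arrive on loopback0 with
        # destination 127.0.0.1. DNAT them to the same address: per the
        # comment above, taking this action here means Docker's PREROUTING
        # DNAT to the container address no longer applies to them, and
        # they are served by docker-proxy listening on the Linux side.
        # Traffic from any other interface is left untouched.
        iifname "loopback0" ip daddr 127.0.0.1 counter dnat to 127.0.0.1
    }
}
```

The `counter` statement makes the rule easy to check: `nft list table ip wsl_mirrored_example` shows the packet count rising when a request from the Windows side hits a published port.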
@felipecrs When you disable iptables manipulations by docker, you can't have isolated networks for your docker compose stacks. Imagine that I have an application composed of two containers: a web server (Tomcat port 8080) and a database (oracle port 1521). I create a When iptables manipulation is disabled, the Oracle database binds to 127.0.0.1:1521. If you try to start a second compose stack, Oracle will complain that the port is already in use. If iptables manipulation is enabled (default), each stack will have its own network; e.g. "172.19.0.0/16" and "172.20.0.0/16" and Oracle in the first stack will bind to 172.19.0.3:1521 while the one in the second stack will bind to 172.20.0.3:1521. In the tomcat container of the first stack, the The fix proposed by Shigenobu NATs the packets arriving on the loopback0 interface (the one the Windows packets come from) before forwarding them on the docker0 interface (the one Docker bridges its networks). See his comment of Sep, 30 2023 for the explanation of the problem. If you want more details on the networking of Docker, see https://docs.docker.com/network/network-tutorial-standalone/ and https://docs.docker.com/network/network-tutorial-host/. So, disabling iptables manipulation is fine for some simple use cases but you will quickly get stuck. |
Thanks both, very useful information. |
Although |
Just to renew this issue, I tested again with the just released WSL 2.2.1, but same problem still occurs. |
Still an issue with v4.28.0 |
@jsayer101 I don't understand your configuration. If you want to access ports on your WSL from other hosts, does your windows firewall authorize it? Have you tried the startup script proposed above? |
Yea something is out of order. Corporate firewall wouldn't prevent you from accessing WSL on your own computer. Anyway, add this to your WSL OS (#10494 (comment)) and add the following settings to your .wslconfig. It's similar to what you have but with additional flags. This is working fine across all of my Win11 PCs
|
Your hack works fine for me. Thank you so much!.. Just one small issue.. it breaks other IPv6 access going to internet for me. My docker is not configured for IPv6. So.. could you help me understand what parts of the gist should be removed so that it does not mess with ipv6 routing stuff?
With normal |
if you exclude the line containing "ip6", IPv6 support will be disabled.
however, since this support controls the source port for sources other than WSL container (= the traffic routed by WSL container), it is strange that access via SSH is no longer possible. |
Thank you @shigenobuokamoto! That did the trick! Since, unfortunately, I do not understand what your script does... I am not able to explain why it works! |
Waiting for WSL to fix this issue. |
same issue |
same issue, please MS, help us! |
Hi there. We have a few questions as we narrow down what is going on. The below is referencing the troubleshooting docs in https://github.com/MicrosoftDocs/WSL/blob/main/WSL/troubleshooting.md Sadly not all changes have been replicated yet to https://learn.microsoft.com/en-us/windows/wsl/troubleshooting :(
Thanks for your help! |
In my scenario, I don't have I use docker-ce, not docker-desktop. My case: From WSL: From container docker: From container docker: |
seems like a new issue that is different from the current flow.
this is the then, i tried to think of a way to implement this method.
.wslconfig
|
Sorry @shigenobuokamoto , I mixed up the problems.
But I had the same port forwarding problem with my docker-ce and
Trying to connect via the browser or curl on the Windows machine doesn't work (http://localhost:8082). However, if I connect via WSL, it works. I set Now I think we're talking about the same thing in this issue. |
@AlencarGabriel, sorry if I offended you. mirrored network has a rather special structure. it would be nice to have an official document, but i have written my thoughts below, so please use them as a reference. for connections from Windows Host to docker on WSL, you can control traffic to the container using daemon.json or nftables. currently, it is not possible to create the same behavior as native linux without controlling it. 10.173.16.72 is its own address to linux. since it processes the traffic that comes here by itself, it rejects connect to 8080 that is not open. but Linux itself can connect to 10.173.16.72:8080 (on Windows Host). this is where the magic of mirrored network. this issue and similar docker-related issues pointed to connect from Windows host to container service. |
🤣Damn, I've been messing around all afternoon. I turned off the firewall and forwarded the ports, but I just don't know why the telnet connection won't connect. Later I saw what you said and found out that it doesn’t work locally. |
What is your distribution? I tried configuring my WSL like yours, but I can still reproduce the issue.
❯ wsl --version
WSL version: 2.2.3.0
Kernel version: 5.15.153.1-2
WSLg version: 1.0.61
MSRDC version: 1.2.5326
Direct3D version: 1.611.1-81528511
DXCore version: 10.0.26091.1-240325-1447.ge-release
Windows version: 10.0.22631.3447 |
BTW I can confirm that @shigenobuokamoto's workaround works like a charm. |
To follow up on this thread, we are actively working to address this. We are considering solutions such as that shown by @shigenobuokamoto earlier in this thread. We are currently considering options and possible side-effects for the multitude of ways Linux might be configured by users. Thanks everyone for the detailed feedback! |
Wow, I couldn't get it to work in mirrored mode for 4 hours, then it randomly worked after restarting services, killing processes, restarting wsl, running docker desktop as admin etc. Modifying my config finally worked: I added:
so my config now looks like this:
|
I'm using docker-ce, behind a corporate proxy/VPN with mirrored networking (no other wsl settings) and the only thing that has worked so far that allows access to docker containers ports from the windows host side is to not use iptables on the dockerd side. |
Just got this running recently with @underlines config. Forgot that mirrored mode requires a signed in user, which fails if offline (even signed in and online before reboot), which is beyond frustrating, and will cause me to recommend against docker desktop version of docker. |
Network Mode mirrored does not work for me with docker. Looks like port 2375 is only reachable via IPv6 ( Why I can reach http://localhost:2375/version via Browser, e. g. Testcontainers does not find a docker environment (despite DOCKER_HOST set to 'tcp://localhost:2375'). Even after 8 years, docker is just a nightmare with WSL(2). I am literally the only dev using Windows anymore on my team, everyone else is using Macs now where it just works. |
Windows Version
Microsoft Windows [Version 10.0.22631.2338]
WSL Version
2.0.0.0
Are you using WSL 1 or WSL 2?
Kernel Version
5.15.123.1-1
Distro Version
Ubuntu 20.04.6
Other Software
Docker version 24.0.6, build ed223bc
Repro Steps
networkingMode to mirrored
docker run -d -p 8080:80 nginx:alpine (example)
localhost:8080
curl http://localhost:8080 same issue
Expected Behavior
To forward the port and be able to connect to my containers
Actual Behavior
Doesn't forward the port, so I cannot connect to my containers.
Diagnostic Logs
No response