Docker port mapping is failing for host network mode

Question

Mac running Docker Version 17.12.0-ce-mac55 (23011) here.

I have a very bizarre situation with Docker that I absolutely cannot explain!

• I have a Dockerized web service that runs perfectly fine outside of Docker, running off of port 9200 (so: http://localhost:9200 )
• I can also run several other images locally (nginx, Oracle DB) and I can access them via localhost:80 and localhost:1521 respectively
• When I run the container for my Dockerized service, I see (via docker logs <containerId> ) the service startup without any errors whatsoever
• Despite the fact that the container is running without any errors, I absolutely cannot connect to it from my Mac host via localhost:9200

The exact steps to reproduce are:

1. Clone this repo
2. Build the image via ./gradlew clean build && docker build -t locationservice .
3. Run the container via docker run -it -p 9200:9200 -d --net="host" --name locationservice locationservice
4. If you use docker ps to obtain the <containerId> , then you can keep hitting docker logs <containerId> until you see it has started up without errors
5. On my machine, when I try to curl against localhost:9200 , I get " connection refused " errors (see below)

curl error is:

curl -X GET http://localhost:9200/bupo
curl: (7) Failed to connect to localhost port 9200: Connection refused

Some things I have ruled out:

• localhost is absolutely resolveable from the host because we're running in host network mode and I have no problem connecting to nginx (port 80) and Oracle (port 1521) containers
• The app is starting up and if you look at the logs you'll see it is starting up listening on 9200

Any ideas what the problem could be?!

Answer 1

Docker for Mac runs in a VM. --net=host refers to the Linux VM hosts network stack not OSX. There is no direct network path from OSX to the Docker VM other than mapped ports.

Mapped ports ( docker run -p Y:N ) in Docker for Mac are a little special, in addition to the user space proxy that runs on the Docker host normally, Docker for Mac also launches a user space proxy on OSX to listen on the same port and forward connections into the VM. The OSX process isn't started when using --net=host (and the Linux one isn't either of course).

→ docker run --name nc --rm --net=host -dp 9200:9200 busybox nc -lk -p 9201 -e echo hey
→ docker inspect nc --format '{{ json .NetworkSettings.Ports }}'
{}  
→ sudo lsof -Pni | grep 9200
→ 

Then without --net=host

→ docker run --name nc --rm -dp 9200:9200 busybox nc -lk -p 9201 -e echo hey
→ docker inspect nc --format '{{ json .NetworkSettings.Ports }}'
{"9200/tcp":[{"HostIp":"0.0.0.0","HostPort":"9200"}]}
→ sudo lsof -Pni | grep 9200
vpnkit    42658           matt   28u  IPv4 0x57f79853269b81bf      0t0  TCP *:9200 (LISTEN)
vpnkit    42658           matt   29u  IPv6 0x57f798532765ca9f      0t0  TCP [::1]:9200 (LISTEN)

If your app requires --net=host then I would use Vagrant/Virtualbox to spin up a VM with a "Host Only" adapter. This means there is a direct network path that you can access from OSX on the VM. Here's the Vagrantfile I use.

Answer 2

Docker for Mac does not support host network mode very well: https://github.com/docker/for-mac/issues/1031

So at this moment the solution is to use default bridge mode.