Disallow Egress From Docker Containers On Docker For Mac


Description says: The host networking driver only works on Linux hosts, and is not supported on Docker for Mac. --net=host (host networking) does not work on Mac as it is not supported on Mac. Also says that --net=host is not supported on Mac. Hence, --net=host should be blocked/disallowed on Mac, and an error like "--net=host (host networking) is not supported on Mac" should be displayed if --net=host is used on Mac. This way, users on Mac know that --net=host is not supported on Mac and will not waste time debugging host networking issues on Mac.

Steps to reproduce the issue:

1. Run any docker container with --net=host (host networking) on Mac:
   docker run -d --name docker-nginx --net=host -p 80:80 nginx
2. Check if the container's port can be accessed on the Mac host:
   $ curl localhost:80
   curl: (7) Failed to connect to localhost port 80: Connection refused

Describe the results you received: Not able to access the container's port on the Mac host when --net=host is used on Mac.

Describe the results you expected:
$ docker run -d --name docker-nginx --net=host -p 80:80 nginx
ERROR: --net=host (host networking) is not supported on Mac.
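The check requested in the report above can be approximated on the user's side with a preflight function that runs before docker is invoked. This is an added example, not code from the original page or from Docker; the names uses_host_network, docker_preflight and the HOST_OS override are hypothetical, and it covers the --net and --network spellings in both "=" and space-separated form.

```shell
# Added example: refuse host networking on macOS before calling docker.
# uses_host_network, docker_preflight and HOST_OS are hypothetical names.

# Return 0 if the arguments request host networking in any of these forms:
#   --net=host   --network=host   --net host   --network host
# Limitation: every argument is scanned, including any that follow the
# image name, so a container command containing the flag is also flagged.
uses_host_network() {
    prev=""
    for arg in "$@"; do
        case "$arg" in
            --net=host|--network=host)
                return 0 ;;
            host)
                case "$prev" in
                    --net|--network) return 0 ;;
                esac ;;
        esac
        prev="$arg"
    done
    return 1
}

# Return 1 and print the error proposed in the report when host networking
# is requested on macOS; return 0 otherwise.
# HOST_OS (assumed override) lets the check be exercised on other systems.
docker_preflight() {
    os="${HOST_OS:-$(uname -s)}"
    if [ "$os" = "Darwin" ] && uses_host_network "$@"; then
        echo "ERROR: --net=host (host networking) is not supported on Mac." >&2
        return 1
    fi
    return 0
}
```

Call it as `docker_preflight run ... && docker run ...` so the container only starts when the check passes.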

Thanks all for your feedback. I need to discuss this internally with my colleagues. It's really an experiment but I had 3 motivations:

- we currently use a custom protocol to forward ports exposed with docker run -p and were wondering if we could switch to SOCKS instead to simplify part of the system.
- we had some reliability problems with the vmnet.framework solution in the past. Sometimes it would get into a stuck state and the whole machine would need to be rebooted to fix it (or at least, we never found where the bad state was located). We did report this to Apple and it may have been fixed by now.
- we were wondering if it would be useful to use SOCKS as a cheap kind of VPN to connect to other places - maybe if you had a remote cluster and wanted to directly talk to the containers there.


Maybe you want to attach yourself to a swarm overlay network (or similar). I'm not sure how useful this is.

I tried setup instructions from with release 18.06.0-ce-rc3-mac68 (26342), but I couldn't access the proxy service from OSX using a simple telnet connect. At the beginning I thought the issue was caused by the socks service listening internally on 127.0.0.1, but I tested that theory out with the previous experimental build, 18.03.0-ce-rc2-mac56 (23206), and I was able to connect from OSX while socks was configured to listen on 127.0.0.1. I only wonder whether some routing is missing in the latest build, or something else.