ammanley | 3 years ago

I might be reading this wrong, but is this something where you could launch your containerized app running on whatever port, and map it to `localhost:443` using something along the lines of `docker run -p 127.0.0.1:443:<whatever port in the container> My-App-Image` ? (might need sudo). I read this as wanting to have <your IP>:443 proxy to the container. Hope I'm not crazy.

tzs | 3 years ago

The problem with "-p 127.0.0.1:443:<whatever port in the container>" is that there is already something on 127.0.0.1:443.

If I were running Docker on Linux this would not be a problem. I'd simply use bridged networking in the container which would give the container an IP that works for things running on the Linux host.

To access something on <whatever port in the container> I'd then just use <container IP>:<whatever port in the container>.

Docker Mac runs a Linux VM and then runs your containers on that Linux VM. Bridged networking there just bridges the containers to the Linux VM. The container's IP is not visible to the Mac, just to the Linux VM.

So I'm using Wireguard to tunnel between the Linux VM and the Mac, so that the container IPs end up visible on the Mac.

In case anyone else finds this useful, here are details of my setup.

• I've got a Docker network named "Mynet" that I put containers on with statically assigned IP addresses (e.g., "--network Mynet --ip 10.11.12.10"). Mynet has gateway 10.11.12.1. It was created with this command:

docker network create --driver=bridge --subnet 10.11.12.0/24 --ip-range=10.11.12.128/25 --gateway=10.11.12.1 Mynet

IP addresses 10.11.12.128-254 are dynamically allocated to containers that are run with "--network Mynet" but not assigned a static IP. 10.11.12.2-127 can be used for static IPs.

• On the Wireguard tunnel, I've given my Mac IP 10.11.0.2 and the Docker Linux VM IP 10.11.0.3.

• The Mac IP address on my home network is 192.168.0.2.

• I've made a Docker alpine image, which I named alpine-wg, that is just the base alpine image with the Wireguard tools installed. The Docker Mac Linux VM has Wireguard kernel support built in, so you just need an image with the tools in order to configure it.

• I've generated key pairs for the Mac and the Linux VM.

• Here is my Wireguard conf file for the Mac (stored on Mac as ~/wg/mac/wg.conf).

  [Interface]
  Address = 10.11.0.2/32
  PrivateKey = <Mac private key>
  ListenPort = 51820

  # docker VM
  [Peer]
  AllowedIPs = 10.11.0.3/32, 10.11.12.0/24
  PublicKey = <Linux VM public key>

• Here is the Wireguard conf file for the Linux VM (stored on Mac as ~/wg/linux-vm/base.conf):

  [Interface]
  Address = 10.11.0.3/32
  ListenPort = 51820
  PrivateKey = <Linux VM private key>

  [Peer]
  AllowedIPs = 10.11.0.2/32
  PublicKey = <Mac public key>
  EndPoint = 192.168.0.2:51820
  PersistentKeepalive = 25

• Commands to run on the Mac:

  # bring up the tunnel
  sudo wg-quick up /Users/tzs/wg/mac/wg.conf
  # take down the tunnel
  sudo wg-quick down /Users/tzs/wg/mac/wg.conf

• Aliases on the Mac to bring up, take down, and show the tunnel on the Linux VM:

  alias linux-wg-up='docker container run -it --rm --privileged --pid=host -v ~/wg/linux-vm:/wg alpine-wg nsenter -t 1 -u -n -i wg-quick up /wg/base.conf'

  alias linux-wg-down='docker container run -it --rm --privileged --pid=host -v ~/wg/linux-vm:/wg alpine-wg nsenter -t 1 -u -n -i wg-quick down /wg/base.conf'

  alias linux-wg-show='docker container run -it --rm --privileged --pid=host -v ~/wg/linux-vm:/wg alpine-wg nsenter -t 1 -u -n -i wg show'
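Added example (not from the comment above): a small consistency check over the two WireGuard configs in this setup. It parses both files, then verifies the addressing rules the setup depends on: the Mac's peer AllowedIPs must cover the VM's tunnel IP and the 10.11.12.0/24 container subnet, the VM's peer AllowedIPs must cover the Mac's tunnel IP, neither side uses a 0.0.0.0/0 catch-all, and the VM (the only side with an Endpoint) points at the Mac's ListenPort and keeps the path alive. The embedded configs are constructed copies of the ones posted, with the key lines left out since only addressing is checked.

```python
import ipaddress
# Constructed copies of the two configs above; key lines omitted (only addressing is checked).
MAC_CONF = """[Interface]
Address = 10.11.0.2/32
ListenPort = 51820
[Peer]
AllowedIPs = 10.11.0.3/32, 10.11.12.0/24"""
VM_CONF = """[Interface]
Address = 10.11.0.3/32
ListenPort = 51820
[Peer]
AllowedIPs = 10.11.0.2/32
EndPoint = 192.168.0.2:51820
PersistentKeepalive = 25"""

def parse_wg(text):
    """wg-quick INI -> (interface dict, [peer dicts]); keys lower-cased (wg matches them case-insensitively)."""
    iface, peers, cur = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments such as "# docker VM"
        if line.lower() == "[interface]":
            cur = iface
        elif line.lower() == "[peer]":
            peers.append(cur := {})                # repeated [Peer] sections are legal
        elif line:
            k, v = (s.strip() for s in line.split("=", 1))
            cur[k.lower()] = v
    return iface, peers

def allowed(peer):
    return [ipaddress.ip_network(c.strip()) for c in peer["allowedips"].split(",")]

def check_tunnel(mac_text, vm_text, container_subnet="10.11.12.0/24"):
    """Return the list of problems found; an empty list means the two configs fit together."""
    mac_if, (mp,) = parse_wg(mac_text)             # one peer on each side
    vm_if, (vp,) = parse_wg(vm_text)
    mac_ip, vm_ip = (ipaddress.ip_interface(i["address"]).ip for i in (mac_if, vm_if))
    subnet = ipaddress.ip_network(container_subnet)
    checks = [
        # AllowedIPs is both the routing table and the accepted-source filter for a peer.
        (any(vm_ip in n for n in allowed(mp)), "mac: VM tunnel IP missing from AllowedIPs"),
        (any(subnet.subnet_of(n) for n in allowed(mp)), "mac: container subnet not routed via tunnel"),
        (any(mac_ip in n for n in allowed(vp)), "vm: Mac tunnel IP missing from AllowedIPs"),
        (not any(n.prefixlen == 0 for n in allowed(mp) + allowed(vp)), "a 0.0.0.0/0 AllowedIPs would pull all of that host's traffic into the tunnel"),
        # Only the VM knows an Endpoint, so it initiates and must keep the NAT path open.
        (vp.get("endpoint", "").rsplit(":", 1)[-1] == mac_if.get("listenport"), "vm: Endpoint port differs from the Mac's ListenPort"),
        ("persistentkeepalive" in vp, "vm: no PersistentKeepalive; the Mac has no Endpoint to fall back on"),
    ]
    return [msg for ok, msg in checks if not ok]
```

Running `check_tunnel(MAC_CONF, VM_CONF)` on the posted configs returns an empty list; dropping 10.11.12.0/24 from the Mac side, or widening either AllowedIPs to 0.0.0.0/0, is reported.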

ammanley | 3 years ago

This was a fascinating read, thank you for sharing. TIL!

EDIT: Is your home IP address for your Mac static? Seems like if it was dynamic, this would need to be updated, though I know you can use some simple programs to dynamically inquire for the IP and then just template it out into the config files before launching, just in case.

skydhash | 3 years ago

I have a similar need for work (k8s instead of docker) and I just use the routing table on my router and `/etc/hosts` files (need domain names for certificates). Works easily.