Docker container not resolving to host

timjnz · July 10, 2023, 5:54pm

Trying to connect to the host machine from a docker container per the docker docs:

services:
  myService:
    extra_hosts:
      host.docker.internal: host-gateway

Inside the myService container, I’m using curl to try to connect to another service running on the host on port 8002:

> curl http://host.docker.internal:8002
curl: (7) Failed to connect to host.docker.internal port 8002: Connection timed out

What am I missing? Is this a bug?

ivann · July 31, 2023, 3:26pm

I have the same issue. There must be a missing or conflicting firewall rule because it works if I stop the firewall. Docker’s firewall rules seems to be added but I’ve not spent the time to figure out what’s wrong and how to fix it.

APCodes · April 10, 2024, 10:18am

I just ran into what appears to be the same issue today. I have host.docker.internal set in my /etc/hosts file on NixOS, but the docker containers I am running cannot access it from inside the container. It just works fine for my buddy running the same stack on M1 Mac with docker deskop (and without any Nix stuff).

Did anyone of you two have any luck with finding out the reason? @ivann or @timjnz?

rjpc · April 11, 2024, 4:48pm

Any luck here? I haven’t seen the issue as I don’t use NixOS much anymore for Docker stuff and haven’t tested anything but I’m curious as I did depend on something like this just the other month and would be dismayed if I could no longer do it on NixOS

APCodes · April 11, 2024, 5:42pm

yeah, it will probably pop up again I think. If it does I will investigate any iptables related issues that might be involved here.

Nebucatnetzer · April 12, 2024, 9:03am

For my containers I do it like this:

Config on the service: nixos/default.nix at 3091d51bf59f43f7628bdb1abe21e34f45bf466e - nixos - Gitea: Git with a cup of tea

Allow the containers to access the DB on the host: nixos/default.nix at 3091d51bf59f43f7628bdb1abe21e34f45bf466e - nixos - Gitea: Git with a cup of tea

I reckon the first one you don’t need if you use compose.

rjpc · April 15, 2024, 4:17pm

Nice! I could never force myself to mess with iptables but now I have a good example. Many thanks.

selion · July 2, 2024, 4:01pm

so after way too much time I came up with this

 networking.firewall = {
      enable = true;
      extraCommands = ''
        iptables -I INPUT 1 -i docker0 -p tcp -d 172.17.0.1 -j ACCEPT
        iptables -I INPUT 2 -i docker0 -p udp -d 172.17.0.1 -j ACCEPT
      '';
    };

this accepts all incoming tcp and udp packets from interface docker0 to the host (172.17.0.1) .

only to find out that docker0 is (at least on my system) the interface for the default bridge network so containers on a different network still don’t have access to the host.

docker seems to use ip addresses 172.16.x.x-172.31.x.x which is 172.16.0.0/12 for its networks soo

  networking.firewall = {
      enable = true;
      extraCommands = ''
        iptables -I INPUT 1 -s 172.16.0.0/12 -p tcp -d 172.17.0.1 -j ACCEPT
        iptables -I INPUT 2 -s 172.16.0.0/12 -p udp -d 172.17.0.1 -j ACCEPT
      '';
    };

note that i use -I INPUT <N> (insert chain=INPUT position==1>) because nixos added a rule that would otherwise take precedence over those.

also i have 2 rules for tcp and udp

i also read something somewhere about a difference between extraCommands and extraStopCommands . something about not being idempotent. so if anyone knows the fix i would appreciate a fix.