
`docker-from-docker`: processes inside the container can't access ports forwarded from the docker bridge network

Open davidwallacejackson opened this issue 2 years ago • 3 comments

When running docker-from-docker, if a container maps a port to the bridge network, I'd expect to be able to open another terminal and hit that port. Instead, the port is exposed outside of the dev container, but remains inaccessible inside of it, which breaks development setups that mix dockerized and non-dockerized services. Here's a minimal reproduction.

I saw this bug using:

- Host: macOS 12.3.1
- Visual Studio Code: 1.71.2
- Docker Host: Desktop 4.12.0, Engine 20.10.17
- Remote Containers Extension: v0.252.0

Port forwarding works as expected both inside and outside of the container when using docker-in-docker instead of docker-from-docker.

davidwallacejackson, Sep 19 '22 20:09

I've been digging into this some more, and it seems like this might be an expected property of docker-from-docker that requires additional tooling to resolve. My first thought was that there might be a way to do this with iptables, but I'm not super savvy with it, and the articles I found on the subject suggested that doing so would require changing some systemctl settings that can't actually be changed in docker.

My next best idea is to run some kind of proxy service inside the container -- because the forwarded ports can still be accessed within the dev container by directly hitting the IP addresses of the service containers, it should be possible to scan the default docker bridge network for forwarded ports (maybe docker exposes this in `docker network inspect` somewhere) and then proxy those ports back onto the dev container's localhost. Of course, forwarding ports back to the container in this way would probably induce vscode to attempt to forward them again back to the host (where they're already available). I'm not sure if this would have any negative consequences. It also seems kind of convoluted.

davidwallacejackson, Sep 20 '22 01:09
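The proxy idea from the comment above, as an added example (not code from this thread or from the dev containers project): it reads published ports from `docker inspect` and relays each one on the dev container's loopback interface only. The function names and the sample JSON are hypothetical; it assumes the `docker` CLI is usable in the dev container, the services sit on the default `bridge` network, and their container IPs are reachable as the comment describes.

```python
import asyncio
import json
import subprocess

# Constructed sample of `docker inspect` output, trimmed to the fields used below.
SAMPLE = json.dumps([{"NetworkSettings": {
    "Ports": {"80/tcp": [{"HostIp": "0.0.0.0", "HostPort": "8080"}],
              "53/udp": [{"HostIp": "0.0.0.0", "HostPort": "5353"}],
              "9000/tcp": None},
    "Networks": {"bridge": {"IPAddress": "172.17.0.3"}}}}])

def published_tcp_ports(inspect_json, network="bridge"):
    """Return sorted (host_port, container_ip, container_port) for published TCP ports."""
    found = set()  # a set drops duplicate IPv4/IPv6 bindings of the same port
    for c in json.loads(inspect_json):
        ns = c.get("NetworkSettings") or {}
        ip = ((ns.get("Networks") or {}).get(network) or {}).get("IPAddress")
        if not ip:
            continue  # container is not attached to this network
        for key, bindings in (ns.get("Ports") or {}).items():
            port, _, proto = key.partition("/")
            if proto != "tcp" or not bindings:
                continue  # UDP, or exposed but not published
            for b in bindings:
                found.add((int(b["HostPort"]), ip, int(port)))
    return sorted(found)

async def _pipe(reader, writer):
    try:
        while data := await reader.read(65536):
            writer.write(data)
            await writer.drain()
    finally:
        writer.close()

async def serve(host_port, ip, port):
    async def handle(r, w):
        ur, uw = await asyncio.open_connection(ip, port)
        await asyncio.gather(_pipe(r, uw), _pipe(ur, w), return_exceptions=True)
    # Loopback only, so the relay does not re-expose the service on other interfaces.
    return await asyncio.start_server(handle, "127.0.0.1", host_port)

async def main():
    ids = subprocess.run(["docker", "ps", "-q"], capture_output=True, text=True, check=True).stdout.split()
    out = subprocess.run(["docker", "inspect", *ids], capture_output=True, text=True, check=True).stdout if ids else "[]"
    servers = [await serve(*m) for m in published_tcp_ports(out)]
    await asyncio.gather(*(s.serve_forever() for s in servers))

if __name__ == "__main__":
    asyncio.run(main())
```

The port list is read once at startup, so containers started later are not picked up until the script is restarted.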

@davidwallacejackson did you find a solution for this in docker-outside-of-docker?

edulix, Oct 01 '23 08:10

Also, the forwarding of ports in VS Code with GitHub Codespaces was working for me (and the Sequent Tech team) before with docker-outside-of-docker, but then just recently, last week or so, it suddenly stopped working.

edulix, Oct 02 '23 11:10