Unable to reach services behind VPN from docker container (4.29.0 - Apple Silicon)
Description
After upgrading to Docker Desktop for Mac (Apple Silicon) 4.29.0 it is impossible to reach, from a container, an external resource that is only accessible through a VPN client.
It may be a regression in Docker Desktop for Mac 4.29.0; the behavior is exactly the same as in the following old issue: https://github.com/docker/for-mac/issues/5322
Reproduce
- Connect to VPN
- Run curl or ping against the URL of interest from the host machine
- Verify that it succeeds
- Run a docker container and do the same
- Request times out
- Verify that a public URL (like google.com) is accessible from the docker container
Expected behavior
Able to access resources behind the VPN (which are accessible from my host machine)
docker version
Client:
Cloud integration: v1.0.35+desktop.13
Version: 26.0.0
API version: 1.45
Go version: go1.21.8
Git commit: 2ae903e
Built: Wed Mar 20 15:14:46 2024
OS/Arch: darwin/arm64
Context: default
Server: Docker Desktop 4.29.0 (145265)
Engine:
Version: 26.0.0
API version: 1.45 (minimum version 1.24)
Go version: go1.21.8
Git commit: 8b79278
Built: Wed Mar 20 15:18:02 2024
OS/Arch: linux/arm64
Experimental: false
containerd:
Version: 1.6.28
GitCommit: ae07eda36dd25f8a1b98dfbf587313b99c0190bb
runc:
Version: 1.1.12
GitCommit: v1.1.12-0-g51d5e94
docker-init:
Version: 0.19.0
GitCommit: de40ad0
docker info
Client:
Version: 26.0.0
Context: default
Debug Mode: false
Plugins:
buildx: Docker Buildx (Docker Inc.)
Version: v0.13.1-desktop.1
Path: /Users/pjlucidi/.docker/cli-plugins/docker-buildx
compose: Docker Compose (Docker Inc.)
Version: v2.26.1-desktop.1
Path: /Users/pjlucidi/.docker/cli-plugins/docker-compose
debug: Get a shell into any image or container. (Docker Inc.)
Version: 0.0.27
Path: /Users/pjlucidi/.docker/cli-plugins/docker-debug
dev: Docker Dev Environments (Docker Inc.)
Version: v0.1.2
Path: /Users/pjlucidi/.docker/cli-plugins/docker-dev
extension: Manages Docker extensions (Docker Inc.)
Version: v0.2.23
Path: /Users/pjlucidi/.docker/cli-plugins/docker-extension
feedback: Provide feedback, right in your terminal! (Docker Inc.)
Version: v1.0.4
Path: /Users/pjlucidi/.docker/cli-plugins/docker-feedback
init: Creates Docker-related starter files for your project (Docker Inc.)
Version: v1.1.0
Path: /Users/pjlucidi/.docker/cli-plugins/docker-init
sbom: View the packaged-based Software Bill Of Materials (SBOM) for an image (Anchore Inc.)
Version: 0.6.0
Path: /Users/pjlucidi/.docker/cli-plugins/docker-sbom
scout: Docker Scout (Docker Inc.)
Version: v1.6.3
Path: /Users/pjlucidi/.docker/cli-plugins/docker-scout
WARNING: Plugin "/Users/pjlucidi/.docker/cli-plugins/docker-scan" is not valid: failed to fetch metadata: fork/exec /Users/pjlucidi/.docker/cli-plugins/docker-scan: no such file or directory
Server:
Containers: 16
Running: 15
Paused: 0
Stopped: 1
Images: 51
Server Version: 26.0.0
Storage Driver: overlay2
Backing Filesystem: extfs
Supports d_type: true
Using metacopy: false
Native Overlay Diff: true
userxattr: false
Logging Driver: json-file
Cgroup Driver: cgroupfs
Cgroup Version: 2
Plugins:
Volume: local
Network: bridge host ipvlan macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
Swarm: inactive
Runtimes: io.containerd.runc.v2 runc
Default Runtime: runc
Init Binary: docker-init
containerd version: ae07eda36dd25f8a1b98dfbf587313b99c0190bb
runc version: v1.1.12-0-g51d5e94
init version: de40ad0
Security Options:
seccomp
Profile: unconfined
cgroupns
Kernel Version: 6.6.22-linuxkit
Operating System: Docker Desktop
OSType: linux
Architecture: aarch64
CPUs: 4
Total Memory: 19.51GiB
Name: docker-desktop
ID: 5e8bcc8f-48c4-4389-b0e7-5b271bef5d97
Docker Root Dir: /var/lib/docker
Debug Mode: false
HTTP Proxy: http.docker.internal:3128
HTTPS Proxy: http.docker.internal:3128
No Proxy: hubproxy.docker.internal
Labels:
com.docker.desktop.address=unix:///Users/pjlucidi/Library/Containers/com.docker.docker/Data/docker-cli.sock
Experimental: false
Insecure Registries:
hubproxy.docker.internal:5555
127.0.0.0/8
Live Restore Enabled: false
WARNING: daemon is not using the default seccomp profile
Diagnostics ID
042D93C5-D448-42D0-A736-35D9959A74F3/20240429191615
Additional Info
I have currently resolved this by creating a manual NAT rule in the following way, assuming utun4 is the VPN network interface:
echo "nat on utun4 inet from 192.168.64.0/24 to any -> (utun4:0) extfilter ei" >> /tmp/docker_vpn.conf
sudo pfctl -a com.apple.internet-sharing/shared_v4 -N -f /tmp/docker_vpn.conf 2> /dev/null
This workaround is similar to the one described in the old issue, with a small change to the interface declaration. Hope this helps.
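Added helper script (not from the issue author or from Docker) that wraps the workaround above: it reads the tunnel interface for the VPN-only host from `route -n get` instead of hard-coding utun4, refuses anything that is not a utunN interface, writes the same pf rule into the same anchor and prints what pf actually loaded. The script name docker_vpn_nat.sh, the DOCKER_SUBNET variable and the `apply` subcommand are my own assumptions; the rule is lost on reboot or whenever the anchor is reloaded, so it has to be re-applied.

```shell
#!/bin/sh
# docker_vpn_nat.sh (assumed name): wrapper around the pf NAT workaround from the issue.
set -eu

ANCHOR="com.apple.internet-sharing/shared_v4"       # anchor used in the issue
RULE_FILE="/tmp/docker_vpn.conf"
DOCKER_SUBNET="${DOCKER_SUBNET:-192.168.64.0/24}"   # Docker Desktop VM subnet from the issue

# Extract the outgoing interface from `route -n get <host>` output read on stdin.
# Prints nothing and returns 1 if no "interface:" line is present.
iface_from_route() {
    awk '/^[[:space:]]*interface:/ { print $2; found = 1 } END { exit found ? 0 : 1 }'
}

# Build the pf NAT rule from the issue for a given tunnel interface and source subnet.
build_nat_rule() {
    printf 'nat on %s inet from %s to any -> (%s:0) extfilter ei\n' "$1" "$2" "$1"
}

# Only ever NAT onto a utunN interface: never masquerade Docker traffic out of en0 etc.
is_tunnel_iface() {
    case "$1" in
        utun[0-9]|utun[0-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# Discover the tunnel interface, load the rule into the anchor and show what pf loaded.
# macOS only; run as: ./docker_vpn_nat.sh apply <host-behind-vpn>
apply_nat() {
    host="$1"
    iface="$(route -n get "$host" | iface_from_route)" || { echo "no route to $host" >&2; return 1; }
    is_tunnel_iface "$iface" || { echo "$host routes via $iface, not a utun interface" >&2; return 1; }
    # Overwrite rather than append (as in the issue) so re-running does not stack duplicate rules.
    build_nat_rule "$iface" "$DOCKER_SUBNET" > "$RULE_FILE"
    sudo pfctl -a "$ANCHOR" -N -f "$RULE_FILE"
    sudo pfctl -a "$ANCHOR" -s nat
}

case "${1:-}" in
    apply) apply_nat "${2:?host behind the VPN required}" ;;
    *) ;;   # sourced or run without arguments: only define the functions
esac
```

Check with `curl` from a container afterwards; if the VPN client renumbers its tunnel (utun4 becomes utun5 on reconnect) the discovered interface changes, which is why the script resolves it per host rather than trusting a fixed name.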