Bidirectional (reverse) localhost forwarding for Docker host net about orbstack HOT 11 CLOSED

Released in v0.7.0.

from orbstack.

@robindiddams That looks like a different issue, so please open a new one and I'd be happy to take a look.

Note that Docker Desktop doesn't currently support localhost forwarding at all with host net, so anything that works in Docker Desktop can't be the same issue.

from orbstack.

I've considered supporting access to the host via localhost. There's no reason it couldn't be implemented, but I think it could lead to unexpected/surprising behavior in some cases. It might still be the better compromise though.

For now, you can access the host like this: curl host.internal:9000

from orbstack.

@QU35T-code Does host.internal work for your use case or would you still prefer to use localhost for accessing macOS services from Docker?

from orbstack.

Hey @kdrag0n,

I use docker as a working environment (with pentest tools already installed in my container). I use all the graphic tools (GUI) directly on my host and the others no GUI tools on my container. Sometimes, I need to make my container communicate with my host simply via 127.0.0.1 and as currently on one side I have to do 127.0.0.1 and on the other host.internal, that complicates the thing.

Let's take a concrete case :

I am using a VPN to access the target machines network.

• If I run the VPN in my container, I can access it only through my container and not from my host.
• If I run the VPN from my host, I can access it from my host and from my container.

The problem is that running it from my host is not really the best choice for me because :

• I don't see the interface created by the VPN.
• If I want to send packets to the server via the VPN, it's possible, but I can't receive any (because I receive on my host and not the container).

I don't know if it's exactly related to the bidirectional which is not on 127.0.0.1, but it's strange not to see the VPN interface created :

Container :

[Mar 03, 2023 - 07:23:25 (UTC)] exegol-test-3 /workspace # ip a|grep tun0

Host :

❯ ifconfig|grep tun0
utun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 2000
        inet6 fe80::e9d9:1c9:ee28:1652%utun0 prefixlen 64 scopeid 0xf

from orbstack.

Okay, I have an idea for implementing bidirectional localhost forwarding seamlessly. However, it will likely be a special case limited to Docker + host net, disabled for full Linux machines to avoid surprising behavior (especially wrt. firewalls).

Your example with separate VPN interfaces would require bridged networking, which is a very different problem. Please open a separate issue if it's important to you, and I'll evaluate the feasibility. At a glance, I don't quite see why you couldn't connect to hosts accessible via VPN (for example, curl 10.8.8.111) by using the respective IPs in the container, but we can discuss this on another issue.

from orbstack.

This is still planned, but postponed due to complications with the IPv6 implementation.

from orbstack.

It’s very nice ! You are doing a good job 🎉

from orbstack.

I have a similar issue where the hostname for other containers isnt reachable, I think this is the same issue above (but lmk if not and ill make a new ticket):

I have a docker compose file that spins up a cockroachdb cluster, specifying the peers by their hostname:

version: "3.5"
services:
   cockroach1:
      image: cockroachdb/cockroach:v22.2.6
      command:
         - start
         - --insecure
         - --join=cockroach1,cockroach2,cockroach3
         - --listen-addr=:26257
         - --locality=region=gcp-us-central1
      ports:
         - "26257:26257"
         - "9999:8080"
   cockroach2:
      image: cockroachdb/cockroach:v22.2.6
      command:
         - start
         - --insecure
         - --join=cockroach1,cockroach2,cockroach3
         - --listen-addr=:26257
         - --locality=region=gcp-us-west1
      ports:
         - "26258:26257"
   cockroach3:
      image: cockroachdb/cockroach:v22.2.6
      command:
         - start
         - --insecure
         - --join=cockroach1,cockroach2,cockroach3
         - --listen-addr=:26257
         - --locality=region=gcp-us-east1
      ports:
         - "26259:26257"

This doesnt work in orbstack, but does in vanilla docker.

Changing each one of those --join=cockroach1,cockroach2,cockroach3 to --join=host.internal:26257,host.internal:26258,host.internal:26259 but that i think breaks it for my docker-using colleagues.

from orbstack.

Added for the next version. With Docker host networking, localhost will work as expected on regular Linux hosts, and you'll be able to connect in both directions (macOS -> Linux and Linux -> macOS).

There's nothing preventing this from being added for OrbStack Linux machines as well, but for now it's only enabled for Docker host networking to avoid potential confusion (e.g. when port-scanning localhost in the machine with nmap or running other programs that try to connect to localhost ports).

If anyone wants this feature for Linux machines, feel free to open a new issue and and we'd be happy to consider enabling it.

from orbstack.

Big thanks @kdrag0n ❤️

from orbstack.