Docker for Mac does not provide access to container IP from macOS host.
Reference Known limitations, use cases, and workarounds.
There is a complex solution,
which is also my source of inspiration. The main idea is to build a VPN between the macOS host and the docker virtual machine.
+------------+ +-----------------+
| | | Hypervisor |
| macOS | | +-----------+ |
| | | | Container | |
| | vpn | +-----------+ |
| VPN Client |<-------->| VPN Server |
+------------+ +-----------------+
But the macOS host cannot access the container, the vpn port must be exported and forwarded. Since the VPN connection is duplex, so we can reverse it.
+------------+ +-----------------+
| | | Hypervisor |
| macOS | | +-----------+ |
| | | | Container | |
| | vpn | +-----------+ |
| VPN Server |<-------->| VPN Client |
+------------+ +-----------------+
Even so, we need to do more extra work to use openvpn, such as certificates, configuration, etc. All I want is to access the container via IP, why is it so cumbersome. No need for security, multi-clients, or certificates, just connect.
+------------+ +-----------------+
| | | Hypervisor |
| macOS | | +-----------+ |
| | | | Container | |
| | udp | +-----------+ |
| TUN Server |<-------->| TUN Client |
+------------+ +-----------------+
In the view of Docker and iptables, this tool also provides the ability of two subnets to access each other.
+-------------------------------+
| Hypervisor |
| +----------+ +----------+ |
| | subnet 1 |<--->| subnet 2 | |
| +----------+ +----------+ |
+-------------------------------+
Install mac client of mac-docker-connector.
$ brew tap wenjunxiao/brew
$ brew install docker-connectorConfig route of docker network
$ docker network ls --filter driver=bridge --format "{{.ID}}" | xargs docker network inspect --format "route {{range .IPAM.Config}}{{.Subnet}}{{end}}" >> /usr/local/etc/docker-connector.confStart the service
$ sudo brew services start docker-connectorInstall docker front of mac-docker-connector
$ docker pull origin wenjunxiao/mac-docker-connectorStart the docker front. The network must be host, and add NET_ADMIN capability.
$ docker run -it -d --restart always --net host --cap-add NET_ADMIN --name mac-connector wenjunxiao/mac-docker-connectorIf you want to expose the containers of docker to other pepole, Please reference docker-accessor
Basic configuration items, do not need to modify these, unless your environment conflicts,
if necessary, then the docker container mac-docker-connector also needs to be started with the same parameters
-
addrvirtual network address, default192.168.251.1/24(change if it conflict)addr 192.168.251.1/24 -
portudp listen port, default2511(change if it conflict)port 2511 -
mtuthe MTU of network, default1400mtu 1400 -
hostudp listen host, used to be connected by mac-docker-connector, default127.0.0.1for security and adaptationhost 127.0.0.1Dynamic hot-loading configuration items can take effect without restarting, and need to be added or modified according to your needs.
-
routeAdd a route to access the docker container subnet, usually when you create a bridge network bydocker network create --subnet 172.56.72.0/24 app, runecho "route 172.56.72.0/24" >> /usr/local/etc/docker-connector.confto append route to config file.route 172.56.72.0/24 -
iptablesInsert(+) or delete(-) a iptable rule for two subnets to access each other.iptables 172.0.1.0+172.0.2.0 iptables 172.0.3.0-172.0.4.0The ip is subnet address without mask, and join with
+to insert a rule, and join with-to delete a rule. -
exposeExpose you docker container to other pepole, default disabled.expose 0.0.0.0:2512the exposed address should be connected by docker-accessor. And then add
exposeafter thenrouteyou want to be exposedroute 172.100.0.0/16 expose -
tokenDefine the access token and the virtual IP assigned after connectiontoken token-name 192.168.251.3The token name is customized and unique, and the IP must be valid in the virtual network defined by
addr