Change mac-docker-connector to desktop-docker-connector to support both Docker Desktop for Mac and Docker Desktop for Windows
desktop-docker-connector
Docker Desktop for Mac and Windows does not provide access to container IPs from the host (macOS or Windows). See Known limitations, use cases, and workarounds.
There is a complex solution, which is also my source of inspiration. The main idea is to build a VPN between the macOS/Windows host and the Docker virtual machine.
+---------------+          +--------------------+
|               |          | Hypervisor/Hyper-V |
| macOS/Windows |          |   +-----------+    |
|               |          |   | Container |    |
|               |   vpn    |   +-----------+    |
|  VPN Client   |<-------->|     VPN Server     |
+---------------+          +--------------------+
But because the macOS/Windows host cannot access the container, the VPN port must be exported and forwarded. Since the VPN connection is duplex, we can reverse it.
+---------------+          +--------------------+
|               |          | Hypervisor/Hyper-V |
| macOS/Windows |          |   +-----------+    |
|               |          |   | Container |    |
|               |   vpn    |   +-----------+    |
|  VPN Server   |<-------->|     VPN Client     |
+---------------+          +--------------------+
Even so, using OpenVPN requires extra work, such as certificates and configuration. All I want is to access the container via IP, so why is it so cumbersome? No need for security, multiple clients, or certificates; just connect.
+---------------+          +--------------------+
|               |          | Hypervisor/Hyper-V |
| macOS/Windows |          |   +-----------+    |
|               |          |   | Container |    |
|               |   udp    |   +-----------+    |
|  TUN Server   |<-------->|     TUN Client     |
+---------------+          +--------------------+
From the point of view of Docker and iptables, this tool also lets two subnets access each other.
+-------------------------------+
|      Hypervisor/Hyper-V       |
| +----------+     +----------+ |
| | subnet 1 |<--->| subnet 2 | |
| +----------+     +----------+ |
+-------------------------------+
Usage
Host
macOS
Install the macOS client of desktop-docker-connector.
$ brew tap wenjunxiao/brew
$ brew install docker-connector
Configure routes for the Docker bridge networks
$ docker network ls --filter driver=bridge --format "{{.ID}}" | xargs docker network inspect --format "route {{range .IPAM.Config}}{{.Subnet}}{{end}}" >> "$(brew --prefix)/etc/docker-connector.conf"
Start the service
$ sudo brew services start docker-connector
Windows
Install the TAP driver tap-windows from OpenVPN: download the latest version from http://build.openvpn.net/downloads/releases/latest/tap-windows-latest-stable.exe and install it.
Download the Windows client of desktop-docker-connector from Releases, and then unzip it.
Append the bridge network to options.conf, in a format like route 172.17.0.0/16.
route 172.17.0.0/16
Run it directly with start-connector.bat, or install it as a service with the following steps:
- Run install-service.bat to install it as a Windows service.
- Run start-service.bat to start the connector service.
Finally, you can run stop-service.bat to stop the connector service, and uninstall-service.bat to uninstall the connector service.
Docker
Install the Docker front of desktop-docker-connector
$ docker pull wenjunxiao/desktop-docker-connector
Start the Docker front. The network must be host, and the NET_ADMIN capability must be added.
$ docker run -it -d --restart always --net host --cap-add NET_ADMIN --name desktop-connector wenjunxiao/desktop-docker-connector
If you want to expose your Docker containers to other people, please refer to docker-accessor.
Configuration
Basic configuration items. You do not need to modify these unless they conflict with your environment; if you do change them, the desktop-docker-connector Docker container must also be started with the same parameters.
- addr: virtual network address, default 192.168.251.1/24 (change it if it conflicts).
    addr 192.168.251.1/24
- port: UDP listen port, default 2511 (change it if it conflicts).
    port 2511
- mtu: the MTU of the network, default 1400.
    mtu 1400
- host: UDP listen host, the address that desktop-docker-connector connects to; default 127.0.0.1 for security and adaptation.
    host 127.0.0.1
Dynamic, hot-loaded configuration items take effect without restarting; add or modify them according to your needs.
- route: add a route to access a Docker container subnet. Typically, after creating a bridge network with
    $ docker network create --subnet 172.56.72.0/24 app
  run
    $ echo "route 172.56.72.0/24" >> "$(brew --prefix)/etc/docker-connector.conf"
  to append the route to the config file.
    route 172.56.72.0/24
- iptables: insert (+) or delete (-) an iptables rule so that two subnets can access each other.
    iptables 172.0.1.0+172.0.2.0
    iptables 172.0.3.0-172.0.4.0
  Each IP is a subnet address without the mask. Join the two with + to insert a rule, or with - to delete a rule.
- expose: expose your Docker containers to other people; disabled by default.
    expose 0.0.0.0:2512
  The exposed address is the one docker-accessor connects to. Then add expose after each route you want to be exposed.
    route 172.100.0.0/16 expose
- token: define an access token and the virtual IP assigned after connection.
    token token-name 192.168.251.3
  The token name is customized and unique, and the IP must be valid in the virtual network defined by addr.
- hosts: allows custom domains with IP 127.0.0.1 to also be used in the container.
    hosts /etc/hosts .local .inc
  The first parameter is the hosts file, and the subsequent parameters are the domain name suffixes to filter on.
- proxy: allows services that listen locally on 127.0.0.1 to be accessed by the container.
    proxy 127.0.0.1:80:80
  The first part, 127.0.0.1:80, is the address where the local service listens, and the port 80 in the latter part is the port where the proxy listens.
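
An added example, not part of the project's code: a small Python audit of a docker-connector config that checks the constraints stated above (host bound to loopback, token IPs inside the addr network, unique token names) and reports which routes an expose listener makes reachable. The function name audit_connector_conf and the sample config are constructed for illustration, and one directive per line is assumed.

```python
import ipaddress

# Constructed sample config; only directives documented on this page are used.
SAMPLE_CONF = """\
addr 192.168.251.1/24
port 2511
host 0.0.0.0
route 172.17.0.0/16
route 172.100.0.0/16 expose
expose 0.0.0.0:2512
token alice 192.168.251.3
token bob 192.168.252.9
token alice 192.168.251.4
"""

def audit_connector_conf(text):
    """Return sorted (line_no, message) findings for a docker-connector config."""
    addr = ipaddress.ip_interface("192.168.251.1/24")  # documented default
    findings, tokens, exposed_routes, expose = [], [], [], None
    for no, raw in enumerate(text.splitlines(), 1):
        parts = raw.split()
        if not parts:
            continue
        key, args = parts[0], parts[1:]
        if key == "addr":
            addr = ipaddress.ip_interface(args[0])
        elif key == "host" and not ipaddress.ip_address(args[0]).is_loopback:
            findings.append((no, f"host {args[0]}: UDP listener is not bound to loopback"))
        elif key == "expose":
            expose = (no, args[0])
        elif key == "route" and "expose" in args[1:]:
            exposed_routes.append(args[0])
        elif key == "token":
            tokens.append((no, args[0], ipaddress.ip_address(args[1])))
    seen = set()
    for no, name, ip in tokens:  # checked after the loop: addr may come later
        if ip not in addr.network:
            findings.append((no, f"token {name}: {ip} is outside {addr.network}"))
        if name in seen:
            findings.append((no, f"token {name}: name is not unique"))
        seen.add(name)
    if expose and exposed_routes:
        subnets = ", ".join(exposed_routes)
        findings.append((expose[0], f"expose {expose[1]}: {subnets} reachable via docker-accessor"))
    return sorted(findings)

if __name__ == "__main__":
    for line_no, message in audit_connector_conf(SAMPLE_CONF):
        print(f"line {line_no}: {message}")
```

A config that keeps the documented defaults and only adds plain route lines produces no findings.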