access host's ssh tunnel from docker container
Asked Answered
M

9

102

Using ubuntu tusty, there is a service running on a remote machine, that I can access via port forwarding through an ssh tunnel from localhost:9999.

I have a docker container running. I need to access that remote service via the host's tunnel, from within the container.

I tried tunneling from the container to the host with -L 9000:host-ip:9999 , then accessing the service through 127.0.0.1:9000 from within the container fails to connect. To check wether the port mapping was on, I tried nc -luv -p 9999 # at host nc -luv -p 9000 # at container

following this, parag. 2 but there was no perceived communication, even when doing nc -luv host-ip -p 9000 at the container

I also tried mapping the ports via docker run -p 9999:9000 , but this reports that the bind failed because the host port is already in use (from the host tunnel to the remote machine, presumably).

So my questions are

1 - How will I achieve the connection? Do I need to setup an ssh tunnel to the host, or can this be achieved with the docker port mapping alone?

2 - What's a quick way to test that the connection is up? Via bash, preferably.

Thanks.

Matthaeus answered 25/8, 2016 at 11:9 Comment(1)
host.docker.internal is what you are looking for right?Premedical
V
19

I think you can do it by adding --net=host to your docker run. But see also this question: Forward host port to docker container

Veronique answered 25/8, 2016 at 12:37 Comment(5)
Thanks. I can connect to the service now. Is there a quick way to check that the connection is indeed up, tough?Matthaeus
you can actually use curl curl {ip}:{port}/randomendpoint or wget {ip}:{port}/randomendpointLeitmotiv
I don't think this will work in Mac OS, since there the docker daemon is actually on a vm: forums.docker.com/t/should-docker-run-net-host-work/14215/26Jannajannel
@Jannajannel is there a solution for Docker on Mac OS?Fango
So far as I know, not one that will work easily in all cases. For me, I just switched to from connecting to the host tunnel to having the container OS set up the tunnel itself. You could also try to figure out the networking between the VM and MacOS.Jannajannel
F
99

Using your hosts network as network for your containers via --net=host or in docker-compose via network_mode: host is one option but this has the unwanted side effect that (a) you now expose the container ports in your host system and (b) that you cannot connect to those containers anymore that are not mapped to your host network.

In your case, a quick and cleaner solution would be to make your ssh tunnel "available" to your docker containers (e.g. by binding ssh to the docker0 bridge) instead of exposing your docker containers in your host environment (as suggested in the accepted answer).

Setting up the tunnel:

For this to work, retrieve the ip your docker0 bridge is using via:

ifconfig

you will see something like this:

docker0   Link encap:Ethernet  HWaddr 03:41:4a:26:b7:31  
          inet addr:172.17.0.1  Bcast:172.17.255.255  Mask:255.255.0.0

Now you need to tell ssh to bind to this ip to listen for traffic directed towards port 9000 via

ssh -L 172.17.0.1:9000:host-ip:9999

Without setting the bind_address, :9000 would only be available to your host's loopback interface and not per se to your docker containers.

Side note: You could also bind your tunnel to 0.0.0.0, which will make ssh listen to all interfaces.

Setting up your application:

In your containerized application use the same docker0 ip to connect to the server: 172.17.0.1:9000. Now traffic being routed through your docker0 bridge will also reach your ssh tunnel :)

For example, if you have a "DOT.NET Core" application that needs to connect to a remote db located at :9000, your "ConnectionString" would contain "server=172.17.0.1,9000;.

Forwarding multiple connections:

When dealing with multiple outgoing connections (e.g. a docker container needs to connect to multiple remote DB's via tunnel), several valid techniques exist but an easy and straightforward way is to simply create multiple tunnels listening to traffic arriving at different docker0 bridge ports.

Within your ssh tunnel command (ssh -L [bind_address:]port:host:hostport] [user@]hostname), the port part of the bind_address does not have to match the hostport of the host and, therefore, can be freely chosen by you. So within your docker containers just channel the traffic to different ports of your docker0 bridge and then create several ssh tunnel commands (one for each port you are listening to) that intercept data at these ports and then forward it to the different hosts and hostports of your choice.

Fillmore answered 31/8, 2018 at 17:22 Comment(11)
This one should be the accepted answer. --net=host has indeed unwanted side effects...Imponderabilia
Sadly there is no docker0 on MacOS docs.docker.com/docker-for-mac/networking/…Kirkland
Hi @Davos, I am not familiar with docker on mac, but it should also be possible to choose a different available local network interface address other than the docker0 address. I just recommended this in my answer for convenience reasons. So maybe try to bind the ssh tunnel to your current eth0 address and in your docker application then use this address as destination, docker should automatically act as gateway and do the routing.Fillmore
The page you referenced also has a section "I want to connect from a container to a service on the host" which mentions the special DNS name "host.docker.internal" to resolve the host IP (mentioning also that it will not work in production). Some guys also pass the local IP via environment variables. Maybe you find other answers on SO that cover this topic in greater detail.Fillmore
Thanks for the follow up comment, I did find the magic DNS name and can confirm it worked. My use case was for something I only wanted to run locally, and it needed to connect via ssh tunnel to a remote data service. Running the tunnel within the container wasn't an option, the bridge network wasn't an option, so that DNS was the only way. I also could have just installed it on my host but less appealing. It's funny, the main value I get from docker is emulating production linux environments. And then the host's limitations go and leak through the hypervisor.Kirkland
This is awesome! I've been chasing my tail on this for THREE DAYS! Thank you! Binding the ssh tunnel to 0.0.0.0 fixed it. It was originally omitted, likely defaulting to 127.0.0.1.Cowpoke
Same as @Cowpoke I feel a strong random stranger on the internet love towards you. Thanks so much for your answer!!Cursed
Thanks guys for the warm feedback, it's clearly a tricky subject but I'm glad I could provide some support here :DFillmore
On the host system ssh -L 9090:0.0.0.0:9090 (listens to all IPs for port 9090) - then container config, port: 9090:9090 - then if you are on Docker for Mac you will need to generate a request to host.docker.internal:9090 from within the container -- that request should then be forwarded -- Thanks @B12Toaster and also @Cowpoke for the clue about 0.0.0.0Ineradicable
Very helpful, thanks! A note to others: make sure your host's firewall is disabled or forwards the appropriate port, otherwise it'll block the docker container connection attempts.Scevour
This answer works great. Would you mind updating the ssh command with user@host-ip? Because that's the first thing people will try and won't work just like I did.Inharmonious
L
41

on MacOS (tested in v19.03.2),

1) create a tunnel on host

ssh -i key.pem username@jump_server -L 3336:mysql_host:3306 -N

2) from container, you can use host.docker.internal or docker.for.mac.localhost or docker.for.mac.host.internal to reference host.

example,

mysql -h host.docker.internal -P 3336 -u admin -p

note from docker-for-mac official doc

I WANT TO CONNECT FROM A CONTAINER TO A SERVICE ON THE HOST

The host has a changing IP address (or none if you have no network access). From 18.03 onwards our recommendation is to connect to the special DNS name host.docker.internal, which resolves to the internal IP address used by the host. This is for development purpose and will not work in a production environment outside of Docker Desktop for Mac.

The gateway is also reachable as gateway.docker.internal.

Leftwich answered 22/9, 2019 at 22:21 Comment(2)
Wow this is so cool! Confirmed working on Docker 18.09.2 as well. Didn't know you can do that. I assume this will allow you to access any port your laptop's localhost, which really opens the door to a lot of resources.Dewitt
For Mac users this really is a life saver, since neither docker0 nor --net=host are supported. Thanks!Margarito
V
19

I think you can do it by adding --net=host to your docker run. But see also this question: Forward host port to docker container

Veronique answered 25/8, 2016 at 12:37 Comment(5)
Thanks. I can connect to the service now. Is there a quick way to check that the connection is indeed up, tough?Matthaeus
you can actually use curl curl {ip}:{port}/randomendpoint or wget {ip}:{port}/randomendpointLeitmotiv
I don't think this will work in Mac OS, since there the docker daemon is actually on a vm: forums.docker.com/t/should-docker-run-net-host-work/14215/26Jannajannel
@Jannajannel is there a solution for Docker on Mac OS?Fango
So far as I know, not one that will work easily in all cases. For me, I just switched to from connecting to the host tunnel to having the container OS set up the tunnel itself. You could also try to figure out the networking between the VM and MacOS.Jannajannel
C
5

I'd like to share my solution to this. My case was as follows: I had a PostgreSQL SSH tunnel on my host and I needed one of my containers from the stack to connect to a database through it.

I spent hours trying to find a solution (Ubuntu + Docker 19.03) and I failed. Instead of doing voodoo magic with iptables, doing modifications to the settings of the Docker engine itself I came up with a solution and was shocked I didn't thought of this earlier. The most important thing was I didn't want to use the host mode: security first.

Instead of trying to allow a container to talk to the host, I simply added another service to the stack, which would create the tunnel, so other containers could talk to easily without any hacks.

After configuring a host inside my ~/.ssh/config:

Host project-postgres-tunnel
    HostName remote.server.host
    User sshuser
    Port 2200
    ForwardAgent yes
    TCPKeepAlive yes
    ConnectTimeout 5
    ServerAliveCountMax 10
    ServerAliveInterval 15

And adding a service to the stack:

  postgres:
    image: cagataygurturk/docker-ssh-tunnel:0.0.1
    volumes:
      - $HOME/.ssh:/root/ssh:ro
    environment:
      TUNNEL_HOST: project-postgres-tunnel
      REMOTE_HOST: localhost
      LOCAL_PORT: 5432
      REMOTE_PORT: 5432
    # uncomment if you wish to access the tunnel on the host
    #ports:
    #  - 5432:5432

The PHP container started talking through the tunnel without any problems:

postgresql://user:password@postgres/db?serverVersion=11&charset=utf8

Just remember to put your public key inside that host if you haven't already:

ssh-copy-id project-postgres-tunnel

I'm pretty sure this will work regardless of the OS used (MacOS / Linux).

Chalky answered 27/2, 2020 at 9:57 Comment(3)
Could you please explain why the remote host address needs to be specified twice, once in the config file and once as environment variable?Mccaffrey
I'm not sure what is where, according to you, specified twice.Chalky
@emix, where are you grabbing the cagataygurturk/docker-ssh-tunnel:0.0.1 image from? I know they have a Github repo, but where is the image stored?Uncaredfor
A
4

I agree with @hlobit that @B12Toaster answer should be the accepted answer.

In case anyone hits this problem but with a slightly different setup with the SSH tunnel, here are my findings. In my case, instead of creating a tunnel from Docker host machine to remote machine using ssh -L, I was creating remote forward SSH tunnel from remote machine to Docker host machine using ssh -L.

In this setup, by default sshd does NOT allow gateway ports, i.e. in file /etc/ssh/sshd_config on Docker host, the GatewayPorts no should be uncommented and set to GatewayPorts yes or GatewayPorts clientspecified. I configured GatewayPorts clientspecified and configured the remote forward SSH tunnel by ssh -L 172.17.0.1:dockerHostPort:localhost:sshClientPort user@dockerHost. Remember to restart sshd after changing /etc/ssh/sshd_config (sudo systemctl restart sshd).

Your Docker container should be able to connect to Docker host on 172.17.0.1:dockerHostPort and this in turn gets tunnelled back to SSH client's localhost:sshClientPort.

References:

Anyhow answered 18/8, 2020 at 13:5 Comment(0)
S
1

On my side, running Docker in Windows Subsystem for Linux (WSL v1), I couldn't use docker0 connection approach. host.docker.internal also doesn't resolve (latest docker version).

However, I found out I could directly use the host-ip insider my docker container.

  1. Get your Host IP (Windows cmd: ipconfig), e.g. 192.168.0.5
  2. Bash into your Container and test if you can ping your host ip:
    - docker exec -it d6b4be5b20f7 /bin/bash
    - apt-get update && apt-get install iputils-ping
    - ping 192.168.0.5
PING 192.168.0.5  (192.168.0.5) 56(84) bytes of data.
64 bytes from 192.168.0.5 : icmp_seq=1 ttl=37 time=2.17 ms
64 bytes from 192.168.0.5 : icmp_seq=2 ttl=37 time=1.44 ms
64 bytes from 192.168.0.5 : icmp_seq=3 ttl=37 time=1.68 ms

Apparently, in Windows, you can directly connect from within containers to the host using the official host ip.

Surrounding answered 2/4, 2020 at 14:30 Comment(0)
F
1

My 2 cents for Ubuntu 18.04 - a very simple answer, no need for extra tunnels, extra containers, extra docker options or exposing host.

Simply, when creating a reverse tunnel make sure ssh binds to all interfaces as, by default, it binds ports of the reverse tunnel to localhost only. For example, in putty make sure that option Connection->SSH->Tunnels Remote ports do the same (SSH-2 only) is ticked. This is more or less equivalent to specifying the binding address 0.0.0.0 for the remote part of the tunnel (more details here):

-R [bind_address:]port:host:hostport

However, this did not work for me unless I allowed the GatewayPorts option in my sshd server configuration. Many thanks to Stefan Seidel for his great answer.

In short: (1) you bind the reverse tunnel to 0.0.0.0, (2) you let the sshd server to accept such tunnels.

Once this is done I can access my remote server from my docker containers via the docker gateway 172.17.0.1 and port bound to the host.

Fibrilliform answered 17/4, 2020 at 10:4 Comment(0)
K
0

In case anyone needs it (like I did), solution for Windows and WSL is same as @prayagupd mentioned for Mac OS

Create an SSH tunnel to your remote service with whatever tool you prefer to whatever port you prefer, for example 3300.

Then, from Docker container you can connect to, for example, MySQL DB on tunnel port 3300 using following command:

mysql -u user -p -h host.docker.internal -P 3300
Kriss answered 20/7, 2020 at 13:18 Comment(0)
R
0

An easy example to reproduce the situation and ssh to host

  1. Run a container. Use --network="host
docker container run --network="host" --interactive --tty --rm ubuntu bash
  1. Now you can access your host using localhost
    Now your host machine is a Linux machine that has a public-private key file to ssh into it. So copy the contents of your private key file and reproduce the key file inside your host. (However, this is just a demonstration. This is not a good way to copy key files)
  2. Now ssh into your host. Use localhost to access it.
ssh -i key_file.pem ec2-user@localhost
Redstart answered 31/12, 2021 at 11:3 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.