2

I have a service running inside a docker-container, which by default only binds to localhost.

I could reconfigure / reprogram this service to bind to all interfaces, but this might have security implications in other contexts. Is there any way to expose a service bound to localhost inside a docker container?

TinkerTank

I was going to suggest `iptables` with `--cap-add=NET_ADMIN` but it appears there are some issues with DNAT in the container name space – Matt Nov 03 '16 at 12:44

1 Answer

2

I ended up using socat inside the docker container, to proxy any tcp connections on the relevant port-number coming in on the public interface, to the private interface.

For example, this can be added to the docker-container run-script to proxy a service bound on localhost:3000 to the :3000, where it can be EXPOSED and --linked like any other service. Make sure to install socat inside the container.

socat TCP4-LISTEN:3000,bind=`hostname -I | tr -d '[:space:]'`,fork TCP4:localhost:3000 &

Please note: I am using `hostname -I | tr -d '[:space:]'` to discover the IP of the docker container. Since normally docker containers have only one public IP, this works well.

TinkerTank

Thank you! This worked for me for the AWS' SSM session-manager-plugin running inside a docker container to expose the tunnel created by `aws ssm start-session --target "${ec2_instance_id}" --document-name "AWS-StartPortForwardingSession"` – Ashutosh Jindal Feb 06 '23 at 16:01
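The relay above, written out as a small added script that is not part of the answer. It handles the case the answer's one-liner does not: a container attached to more than one Docker network, where `hostname -I` prints several addresses and `tr -d '[:space:]'` glues them into one string that socat cannot bind. It assumes socat is installed in the image; the `EXPOSE_PORT` variable and the function names are this example's own.

```shell
#!/bin/sh
# Forward a localhost-only service to the container's own address with socat,
# picking one address deliberately. Binding to that address (not 0.0.0.0) keeps
# the relay reachable only through the Docker network and published ports.
set -eu

# Return the first IPv4 address from a space-separated list such as the output
# of `hostname -I`. Returns non-zero when the list holds no IPv4 address.
first_ipv4() {
    for addr in $1; do
        case "$addr" in
            *.*.*.*) printf '%s\n' "$addr"; return 0 ;;
        esac
    done
    return 1
}

# Build the socat argument list: listen on port $2 at container address $1 and
# relay to the same port on the loopback interface. reuseaddr avoids
# EADDRINUSE on a quick restart; fork serves each client in its own child.
socat_args() {
    printf 'TCP4-LISTEN:%s,bind=%s,reuseaddr,fork TCP4:127.0.0.1:%s\n' "$2" "$1" "$2"
}

# Replace the shell with socat in the foreground so the container's init or
# supervisor notices if the relay dies (start the real service separately).
start_proxy() {
    port="$1"
    ip="$(first_ipv4 "$(hostname -I)")" || { echo "no IPv4 address found" >&2; return 1; }
    # Word-splitting of the argument string is intentional here.
    # shellcheck disable=SC2046
    exec socat $(socat_args "$ip" "$port")
}

# Only start the relay when EXPOSE_PORT is set, so the file can also be sourced.
if [ -n "${EXPOSE_PORT:-}" ]; then
    start_proxy "$EXPOSE_PORT"
fi
```

Run it in the container's start script as `EXPOSE_PORT=3000 sh expose.sh &`, then `EXPOSE 3000` and publish or link the port as usual.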