Two simple, quick methods to access the host network from a Docker container. Sometimes you need to be able to connect to the host network from inside a Docker container. Could be for debugging, or small projects, or whatever reason. $ [email protected]:~$ docker run -it busybox /bin/sh / # ping docker.for.mac.localhost PING docker.for.
Article ID: KB000135
Issue
Typically, container-container networking issues manifest themselves as intermittent connection timeouts. They could also manifest as a complete failure of container-container networking.
This walkthrough will guide you to collect the necessary information to determine the root cause of a network connectivity problem.
Prerequisites
First, determine the names of the affected Docker swarm services, networks, and hosts.
Identify a Docker host from which network requests are not answered correctly. If the requests are submitted through the ingress network, then to a frontend service, then via another network to a backend service, then start troubleshooting by splitting the problem in half and using
netshoot
to connect from the frontend directly to the backend service.Resolution
To troubleshoot container-container networking issues, start by examining the user-defined network. If the problem isn't found, move to troubleshooting the ingress network. Both are discussed below.
Troubleshooting a User-Defined Network
- On the host where the frontend container is running, start a netshoot container reusing the network namespace affected container:Steps 2 through 6 are executed inside this shell.
- Look up all backend IP addresses by DNS name:
DNS names are created for containers and services and are scoped to each overlay network the container or service attaches to. Standalone containers user the container name for the hostnames. Looking up the name of a service returns the IP of the service's load balancing VIP. To lookup the IP of each task created by a service, use 'task.service_name' as the domain name.
For example, to lookup the IP addresses for a the backend service use:
- Issue a netcat TCP test to each backend task IP address on the port where it should be listening:
nc -zvw2 $backend_ip <listening_port>
Where:<listening_port>
is changed to the port the backend tasks are listening on
To iterate over multiple task IPs for a service, you can use the following for loop:Note: Output is only expected for IPs where connections fail. - If no connections fail but requests submitted via the ingress network continue to have problems, move to the next section on troubleshooting the ingress network. If no connections fail, and the issue has only been seen container-container, then check another set of services or hosts until one task fails to reach another.
- For any backend IP addresses reported as failed, do a reverse name lookup of the affected IP to determine its service name and task id:Results will be formatted servicename.slot.taskid.networkname
- Exit the netshoot container and collect
docker network inspect -v
against the network between the two containers. Note the HostIP of tasks in the Services section that failed the netcat test. - On a manager, for the set of all failed service names and tasks, collect the following:
- For tasks that are still present (
inspect --type task
returns output), note their Created and Updated times. Collect Docker daemon logs covering this time frame from the netshoot host, all managers, and hosts of unresponsive tasks as identified by their HostIP.If your Docker daemon logs to journald, for example: - Collect the output of https://github.com/docker/libnetwork/tree/master/support from all hosts in the network path. This will expose and allow for the verification of the kernel programming if needed.
Troubleshooting the Ingress Network
Service discovery is disabled on the ingress network for security reasons, so you can't use
nslookup tasks.service
to establish which backend IPs to test. Instead use the ipvs loadbalancer programming of the kernel.- On a manager, use
docker service inspect
to identify the VIP for the service on the ingress network (where is changed to the name of the service): - Using
curl
identify a Docker host from which network requests to the ingress published port of the service are not answered correctly:
- Use a netshoot container to enter into the ingress_sbox namespace on that host:
- Look up the decimal ingress firewall mark for the service in question:Where
<vip>
is replaced with the IP address of the service determined by service inspect. - List all the backend task IP addresses using ipvsadmWhere
<fwmark>
is the decimal firewall mark extracted from the iptables mangle table. - Issue a netcat TCP test to each task IP address on the port where it should be listening:Where:
<listening_port>
is changed to the port the backend tasks are listening on<fwmark>
is the changed to the decimal firewall mark extracted from theiptables
mangle table
Note: Output is only expected for IPs where connections fail. - Exit the netshoot container and collect
docker network inspect -v ingress
. Note the HostIP, service name, and task ID of any tasks with failed backend IP addresses. - On a manager, for the set of all failed service names and tasks, collect the following:
- For tasks that are still present (
inspect --type task
returns output), note their Created and Updated times. Collect Docker daemon logs covering this time frame from the netshoot host, all managers, and hosts of unresponsive tasks as identified by their HostIP.If your Docker daemon logs to journald, for example: - Collect the output of https://github.com/adamancini/libnetwork/blob/improved_support_script/support.sh from all hosts in the network path. This will expose and allow us to verify kernel programming if needed.
![Docker Docker](/uploads/1/2/5/8/125852454/370588276.png)
Welcome to Docker Desktop!
The Docker Desktop for Mac section contains information about the Docker Desktop Community Stable release. For information about features available in Edge releases, see the Edge release notes. For information about Docker Desktop Enterprise (DDE) releases, see Docker Desktop Enterprise.
Docker is a full development platform for creating containerized applications. Docker Desktop is the best way to get started with Docker on Mac.
See Install Docker Desktop for download information, system requirements, and installation instructions.
Check versions
Ensure your versions of
docker
, docker-compose
, and docker-machine
areup-to-date and compatible with Docker.app
. Your output may differ if you arerunning different versions.Explore the application
- Open a command-line terminal and test that your installation works byrunning the simple Docker image,hello-world:
- Start a Dockerized web server. Like the
hello-world
image above, if theimage is not found locally, Docker pulls it from Docker Hub. - In a web browser, go to
http://localhost/
to view the nginx homepage.Because we specified the default HTTP port, it isn’t necessary to append:80
at the end of the URL.Early beta releases useddocker
as the hostname to build the URL. Now,ports are exposed on the private IP addresses of the VM and forwarded tolocalhost
with no other host name set. - View the details on the container while your web server is running (with
docker container ls
ordocker ps
): - Stop and remove containers and images with the following commands. Use the“all” flag (
--all
or-a
) to view stopped containers.
Preferences
Choose the Docker menu > Preferences from themenu bar and configure the runtime options described below.
General
On the General tab, you can configure when to start and update Docker:
- Start Docker Desktop when you log in: Automatically starts Docker Desktop when you open your session.
- Automatically check for updates: By default, Docker Desktop automatically checks for updates and notifies you when an update is available. You can manually check for updates anytime by choosing Check for Updates from the main Docker menu.
- Include VM in Time Machine backups: Select this option to back up the Docker Desktop virtual machine. This option is disabled by default.
- Securely store Docker logins in macOS keychain: Docker Desktop stores your Docker login credentials in macOS keychain by default.
- Send usage statistics: Docker Desktop sends diagnostics, crash reports, and usage data. This information helps Docker improve and troubleshoot the application. Clear the check box to opt out.
Resources
The Resources tab allows you to configure CPU, memory, disk, proxies, network, and other resources.
Advanced
On the Advanced tab, you can limit resources available to Docker.
Advanced settings are:
CPUs: By default, Docker Desktop is set to use half the number of processorsavailable on the host machine. To increase processing power, set this to ahigher number; to decrease, lower the number.
Memory: By default, Docker Desktop is set to use
2
GB runtime memory,allocated from the total available memory on your Mac. To increase the RAM, set this to a higher number. To decrease it, lower the number.Swap: Configure swap file size as needed. The default is 1 GB.
Disk image size: Specify the size of the disk image.
Disk image location: Specify the location of the Linux volume where containers and images are stored.
You can also move the disk image to a different location. If you attempt to move a disk image to a location that already has one, you get a prompt asking if you want to use the existing image or replace it.
File sharing
Choose the local directories you’d like to share with your containers. File sharing is required for volume mounting if the project lives outside of the
/Users
directory. In that case, share the drive where the Dockerfile and volume are located. Otherwise, you get file not found
or cannot start service
errors at runtime`.File share settings are:
- Add a Directory: Click
+
and navigate to the directory you want to add. - Apply & Restart makes the directory available to containers using Docker’sbind mount (
-v
) feature.There are some limitations on the directories that can be shared:- It is not possible to share a directory that is a subdirectory of an already shared directory.
- The directory must not exist inside of Docker.
For more information, see:
- Namespaces in the topic onosxfs file system sharing.
- Volume mounting requires file sharing for any project directories outside of
/Users
.)
Proxies
Docker Desktop detects HTTP/HTTPS Proxy Settings from macOS and automaticallypropagates these to Docker and to your containers. For example, if you set yourproxy settings to
http://proxy.example.com
, Docker uses this proxy whenpulling containers.When you start a container, your proxy settings propagate into the containers.For example:
You can see from the above output that the
HTTP_PROXY
, http_proxy
, andno_proxy
environment variables are set. When your proxy configuration changes,Docker restarts automatically to pick up the new settings. If you have anycontainers that you would like to keep running across restarts, you should consider using restart policies.Network
You can configure Docker Desktop networking to work on a virtual private network (VPN). Specify a network address translation (NAT) prefix and subnet mask to enable Internet connectivity.
Docker Engine
The Docker Engine page allows you to configure the Docker daemon to determine how your containers run.
Type a JSON configuration file in the box to configure the daemon settings. For a full list of options, see the Docker Engine dockerd commandlinereference.
Click Apply & Restart to save your settings and restart Docker Desktop.
Command Line
On the Command Line page, you can specify whether or not to enable experimental features.
Experimental features provide early access to future product functionality.These features are intended for testing and feedback only as they may changebetween releases without warning or can be removed entirely from a futurerelease. Experimental features must not be used in production environments.Docker does not offer support for experimental features. For more information,see Experimental features.
To enable experimental features in the Docker CLI, edit the
config.json
file and set experimental
to enabled.To enable experimental features from the Docker Desktop menu, clickSettings (Preferences on macOS) > Daemon and then select theExperimental features check box.
On both Docker Desktop Edge and Stable releases, you can toggle the experimental features on and off. If you toggle the experimental features off, Docker Desktop uses the current generally available release of Docker Engine.
You can see whether you are running experimental mode at the command line. If
Experimental
is true
, then Docker is running in experimental mode, as shownhere. (If false
, Experimental mode is off.)Kubernetes
Docker Desktop includes a standalone Kubernetes server that runs on your Mac, sothat you can test deploying your Docker workloads on Kubernetes.
The Kubernetes client command,
kubectl
, is included and configured to connectto the local Kubernetes server. If you have kubectl
already installed andpointing to some other environment, such as minikube
or a GKE cluster, be sureto change context so that kubectl
is pointing to docker-for-desktop
:If you installed
kubectl
with Homebrew, or by some other method, andexperience conflicts, remove /usr/local/bin/kubectl
.- To enable Kubernetes support and install a standalone instance of Kubernetesrunning as a Docker container, select Enable Kubernetes. To set Kubernetes as thedefault orchestrator, select Deploy Docker Stacks to Kubernetes by default.Click Apply & Restart to save the settings. This instantiates images required to run the Kubernetes server as containers, and installs the
/usr/local/bin/kubectl
command on your Mac.When Kubernetes is enabled and running, an additional status bar item displaysat the bottom right of the Docker Desktop Preferences dialog.The status of Kubernetes shows in the Docker menu and the context points todocker-desktop
. - By default, Kubernetes containers are hidden from commands like
dockerservice ls
, because managing them manually is not supported. To make themvisible, select Show system containers (advanced) and click Apply andRestart. Most users do not need this option. - To disable Kubernetes support at any time, clear the Enable Kubernetes check box. TheKubernetes containers are stopped and removed, and the
/usr/local/bin/kubectl
command is removed.For more about using the Kubernetes integration with Docker Desktop, seeDeploy on Kubernetes.
Reset
Reset and Restart options
On Docker Desktop Mac, the Restart Docker Desktop, Reset to factory defaults, and other reset options are available from the Troubleshoot menu.
For information about the reset options, see Logs and Troubleshooting.
Add TLS certificates
You can add trusted Certificate Authorities (CAs) (used to verify registryserver certificates) and client certificates (used to authenticate toregistries) to your Docker daemon.
Add custom CA certificates (server side)
All trusted CAs (root or intermediate) are supported. Docker Desktop creates acertificate bundle of all user-trusted CAs based on the Mac Keychain, andappends it to Moby trusted certificates. So if an enterprise SSL certificate istrusted by the user on the host, it is trusted by Docker Desktop.
To manually add a custom, self-signed certificate, start by adding thecertificate to the macOS keychain, which is picked up by Docker Desktop. Here isan example:
Or, if you prefer to add the certificate to your own local keychain only (ratherthan for all users), run this command instead:
See also, Directory structures forcertificates.
Note: You need to restart Docker Desktop after making any changes to thekeychain or to the
~/.docker/certs.d
directory in order for the changes totake effect.For a complete explanation of how to do this, see the blog post AddingSelf-signed Registry Certs to Docker & Docker Desktop forMac.
Add client certificates
You can put your client certificates in
~/.docker/certs.d/<MyRegistry>:<Port>/client.cert
and~/.docker/certs.d/<MyRegistry>:<Port>/client.key
.When the Docker Desktop application starts, it copies the
~/.docker/certs.d
folder on your Mac to the /etc/docker/certs.d
directory on Moby (the DockerDesktop xhyve
virtual machine).- You need to restart Docker Desktop after making any changes to the keychainor to the
~/.docker/certs.d
directory in order for the changes to takeeffect. - The registry cannot be listed as an insecure registry (see DockerDaemon). Docker Desktop ignores certificates listedunder insecure registries, and does not send client certificates. Commandslike
docker run
that attempt to pull from the registry produce errormessages on the command line, as well as on the registry.
Directory structures for certificates
If you have this directory structure, you do not need to manually add the CAcertificate to your Mac OS system login:
The following further illustrates and explains a configuration with customcertificates:
You can also have this directory structure, as long as the CA certificate isalso in your keychain.
To learn more about how to install a CA root certificate for the registry andhow to set the client TLS certificate for verification, see Verify repositoryclient with certificates in the Docker Enginetopics.
Install shell completion
Docker Desktop comes with scripts to enable completion for the
docker
,docker-machine
, and docker-compose
commands. The completion scripts may befound inside Docker.app
, in the Contents/Resources/etc/
directory and can beinstalled both in Bash and Zsh.Bash
Bash has built-in support forcompletion To activate completion for Docker commands, these files need to becopied or symlinked to your
bash_completion.d/
directory. For example, if youinstalled bash via Homebrew:Add the following to your
~/.bash_profile
:OR
Zsh
In Zsh, the completionsystem takes care of things. To activate completion for Docker commands,these files need to be copied or symlinked to your Zsh
site-functions/
directory. For example, if you installed Zsh via Homebrew:Give feedback and get help
To get help from the community, review current user topics, join or start adiscussion, log on to our Docker Desktop for Macforum.
To report bugs or problems, log on to Docker Desktop for Mac issues onGitHub,where you can review community reported issues, and file new ones. See Logsand Troubleshooting for more details.
For information about providing feedback on the documentation or update it yourself, see Contribute to documentation.
Docker Hub
Select Sign in /Create Docker ID from the Docker Desktop menu to access your Docker Hub account. Once logged in, you can access your Docker Hub repositories and organizations directly from the Docker Desktop menu.
For more information, refer to the following Docker Hub topics:
Two-factor authentication
![Mac Mac](https://docs.docker.com/docker-for-mac/images/menu/prefs-reset.png)
Docker Desktop enables you to sign into Docker Hub using two-factor authentication. Two-factor authentication provides an extra layer of security when accessing your Docker Hub account.
You must enable two-factor authentication in Docker Hub before signing into your Docker Hub account through Docker Desktop. For instructions, see Enable two-factor authentication for Docker Hub.
After you have enabled two-factor authentication:
- Go to the Docker Desktop menu and then select Sign in / Create Docker ID.
- Enter your Docker ID and password and click Sign in.
- After you have successfully signed in, Docker Desktop prompts you to enter the authentication code. Enter the six-digit code from your phone and then click Verify.
After you have successfully authenticated, you can access your organizations and repositories directly from the Docker Desktop menu.
Where to go next
- Try out the walkthrough at Get Started.
- Dig in deeper with Docker Labs examplewalkthroughs and source code.
- For a summary of Docker command line interface (CLI) commands, see Docker CLIReference Guide.
- Check out the blog post, What’s New in Docker 17.06 Community Edition(CE).