Docker container can't connect to host application using IP whitelist

Question

I have an application running on my host which has the following features: it listens to port 4001 (configurable) and only accepts connections from a whitelist of trusted IP addresses (127.0.0.1 only by default, other addresses can be be added but one by one, not using a mask).

(It's the interactive brokers gateway application which is run in java but I don't think that's important)

I have another application running inside a docker container which needs to connect to the host application.

(It's a python application accessing the IB API, but again I don't think that matters)

Ultimately I have will multiple containers on multiple machines trying to do the same thing, but I can't even get it working with one running on the same machine.

sudo docker run -t  myimage

Error: Couldn't connect to TWS.  Confirm that "Enable ActiveX and Socket Clients" is enabled on the TWS "Configure->API" menu.

(No response from IB Gateway on host machine)

IDEALLY I'd be able to set up the docker containers / bridge so that all the docker containers appear as if they are on a specific IP address, add it to the whitelist, and voila.

What I've tried:

1) using -p and EXPOSE

sudo docker run -t -p 4001:4001 myimage

Bind for 0.0.0.0:4001 failed: port is already allocated.

(No response from gateway)

This eithier doesn't work or leads to a "port already in use" conflict. I gather that these settings are designed for the opposite problem (host can't see a particular port on the container).

2) setting --net=host

sudo docker run -t --net=host myimage

Exception caught while reading socket - Connection reset by peer

(no response from gateway)

This should work since the docker container should now look like it's 127.0.0.1... but it doesn't.

3) setting --net=host and adding the local host's real IP address 192.168.0.12 (as suggested in comments) to the whitelist

sudo docker run -t --net=host myimage

Exception caught while reading socket - Connection reset by peer

(no response from gateway)

4) adding 172.17.0.1, ...2, ...3 to the whitelist on the host application (the bridge network is 172.17.0.0 and subsequent containers get allocated in this range)

sudo docker run -t  myimage

Error: Couldn't connect to TWS.  Confirm that "Enable ActiveX and Socket Clients" is enabled on the TWS "Configure->API" menu.

(no response from host)

This is horribly hacky but doesn't work eithier.

PS Note this is different from the problem of trying to run the host application IB Gateway inside a container - I am not doing that.

I don't want to run the host application inside another container, although in some ways that might be a neater solution.

Answer 1

Running the IB gateway is tricky on a number of different levels, including connecting to it, and especially if you want to automate the process.

We took a close look at connecting to it from other IPs, and finally gave up on it--gateway bug as far as we could tell. There is a setting to white IPs that can connect to the gateway, but it does not work and can not be scripted.

In our build process we create a docker base image, then add the gateway and any/all of the gateway's clients to that image. Then we run that final image.

Answer 2

(Posted on behalf of the OP).

Setting --net=host and changing the port from 4001 so it doesn't conflict with a live version of the gateway on the same network. The only IP address required in the whitelist is 127.0.0.1.

sudo docker run -t --net=host myimage