Docker container can't connect to host application using IP whitelist

I have an application running on my host which has the following features: it listens to port 4001 (configurable) and only accepts connections from a whitelist of trusted IP addresses (127.0.0.1 only by default; other addresses can be added, but one by one, not using a mask).

(It's the interactive brokers gateway application which is run in java but I don't think that's important)

I have another application running inside a docker container which needs to connect to the host application.

(It's a python application accessing the IB API, but again I don't think that matters)

Ultimately I will have multiple containers on multiple machines trying to do the same thing, but I can't even get it working with one running on the same machine.

sudo docker run -t  myimage

Error: Couldn't connect to TWS.  Confirm that "Enable ActiveX and Socket Clients" is enabled on the TWS "Configure->API" menu.

(No response from IB Gateway on host machine)

IDEALLY I'd be able to set up the docker containers / bridge so that all the docker containers appear as if they are on a specific IP address, add it to the whitelist, and voila.

What I've tried:

1) using -p and EXPOSE

sudo docker run -t -p 4001:4001 myimage

Bind for 0.0.0.0:4001 failed: port is already allocated.

(No response from gateway)

This either doesn't work or leads to a "port already in use" conflict. I gather that these settings are designed for the opposite problem (host can't see a particular port on the container).

2) setting --net=host

sudo docker run -t --net=host myimage

Exception caught while reading socket - Connection reset by peer

(no response from gateway)

This should work since the docker container should now look like it's 127.0.0.1... but it doesn't.

3) setting --net=host and adding the local host's real IP address 192.168.0.12 (as suggested in comments) to the whitelist

sudo docker run -t --net=host myimage

Exception caught while reading socket - Connection reset by peer

(no response from gateway)

4) adding 172.17.0.1, ...2, ...3 to the whitelist on the host application (the bridge network is 172.17.0.0 and subsequent containers get allocated in this range)

sudo docker run -t  myimage

Error: Couldn't connect to TWS.  Confirm that "Enable ActiveX and Socket Clients" is enabled on the TWS "Configure->API" menu.

(no response from host)

This is horribly hacky but doesn't work either.

PS Note this is different from the problem of trying to run the host application IB Gateway inside a container - I am not doing that.

I don't want to run the host application inside another container, although in some ways that might be a neater solution.

robcarver asked Jan 19 '17 15:01




2 Answers

Running the IB gateway is tricky on a number of different levels, including connecting to it, and especially if you want to automate the process.

We took a close look at connecting to it from other IPs, and finally gave up on it--gateway bug as far as we could tell. There is a setting to whitelist IPs that can connect to the gateway, but it does not work and can not be scripted.

In our build process we create a docker base image, then add the gateway and any/all of the gateway's clients to that image. Then we run that final image.

Pablo Rodriguez Bertorello answered Nov 10 '22 06:11


(Posted on behalf of the OP).

Setting --net=host and changing the port from 4001 so it doesn't conflict with a live version of the gateway on the same network. The only IP address required in the whitelist is 127.0.0.1.

sudo docker run -t --net=host myimage
halfer answered Nov 10 '22 06:11
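What the question's four attempts and halfer's answer come down to is a single check on the host side: the listener looks at the source address of the incoming TCP connection and compares it, as an exact string, against its whitelist. A bridge-network container arrives from 172.17.0.x and is not listed; a --net=host container shares the host's network stack, arrives from 127.0.0.1, and matches the one default entry. The following is an added example, not code from the question or from Interactive Brokers: FakeGateway is a constructed stand-in for such a whitelisting listener (it binds an ephemeral port rather than 4001, so it never hits the "port is already allocated" clash), connect_from lets you choose the source address the listener sees, and demo() replays the host-network case plus an unlisted peer. The unlisted peer uses 127.0.0.2 only because no real docker bridge address is reachable offline; Linux routes all of 127.0.0.0/8 to lo, so it stands in for 172.17.0.2.

```python
import socket
import struct
import threading

# Added example, not code from the question or from Interactive Brokers.
# FakeGateway is a constructed stand-in for a host listener that admits only
# whitelisted source addresses; the whitelist is exact-match, as in the question.

DEFAULT_WHITELIST = frozenset({"127.0.0.1"})


def is_allowed(peer_ip, whitelist=DEFAULT_WHITELIST):
    """Exact-match check: no masks, so every bridge address (172.17.0.2, .3, ...)
    would have to be listed one by one. With --net=host the client arrives from
    127.0.0.1 and the default entry is enough."""
    return peer_ip in whitelist


class FakeGateway:
    """Listens on 127.0.0.1 on an ephemeral port (so it never clashes with a real
    gateway on 4001), records each peer address it sees, then replies or resets."""

    def __init__(self, whitelist=DEFAULT_WHITELIST, bind_ip="127.0.0.1"):
        self.whitelist = frozenset(whitelist)
        self.seen = []
        self._srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._srv.bind((bind_ip, 0))
        self._srv.listen(8)
        self.port = self._srv.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            try:
                conn, (peer_ip, _) = self._srv.accept()
            except OSError:  # listener closed
                return
            self.seen.append(peer_ip)
            with conn:
                if is_allowed(peer_ip, self.whitelist):
                    conn.sendall(b"OK\n")
                else:
                    # SO_LINGER with a zero timeout makes close() send RST, so the
                    # client sees "Connection reset by peer" instead of a reply.
                    conn.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER,
                                    struct.pack("ii", 1, 0))

    def close(self):
        self._srv.close()


def connect_from(src_ip, port, timeout=3.0):
    """Connect to 127.0.0.1:port using src_ip as the source address (the value the
    listener's whitelist is checked against). Returns the reply text if admitted,
    None if the listener refused or reset the connection."""
    try:
        sock = socket.create_connection(("127.0.0.1", port), timeout=timeout,
                                        source_address=(src_ip, 0))
    except OSError:  # cannot bind src_ip, or reset before connect returned
        return None
    with sock:
        try:
            data = sock.recv(64)
        except OSError:  # ECONNRESET
            return None
    return data.decode().strip() or None


def can_bind(ip):
    """Whether this host can use ip as a source address (Linux accepts any
    127.0.0.0/8 address on lo; macOS configures only 127.0.0.1 by default)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind((ip, 0))
            return True
        except OSError:
            return False


def demo():
    """Replay the question's scenarios against the stand-in gateway."""
    gw = FakeGateway({"127.0.0.1"})
    results = {}
    # --net=host: the client lives in the host's network stack and arrives from 127.0.0.1.
    results["host-net 127.0.0.1"] = connect_from("127.0.0.1", gw.port)
    # A bridge-network container would arrive from 172.17.0.x, which is not listed.
    # 127.0.0.2 stands in for that unlisted peer where the OS lets us source from it.
    if can_bind("127.0.0.2"):
        results["unlisted 127.0.0.2"] = connect_from("127.0.0.2", gw.port)
    gw.close()
    results["peers seen"] = list(gw.seen)
    return results


if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label}: {value}")
```

Two caveats worth keeping in mind when mapping this back to a real gateway: the whitelist is only consulted once a connection reaches the listener, so if the host application binds 127.0.0.1 rather than 0.0.0.0, a bridge-network container cannot reach it at all and whitelisting 172.17.0.x changes nothing; and on a real bridge the source address the listener sees is the container's own 172.17.0.x address, not the docker0 gateway 172.17.0.1, so a whitelist with no mask support has to enumerate every container address that might ever be assigned.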