Forward host port to docker container

Is it possible to have a Docker container access ports opened by the host? Concretely I have MongoDB and RabbitMQ running on the host and I'd like to run a process in a Docker container to listen to the queue and (optionally) write to the database.

I know I can forward a port from the container to the host (via the -p option) and have a connection to the outside world (i.e. internet) from within the Docker container but I'd like to not expose the RabbitMQ and MongoDB ports from the host to the outside world.

EDIT: some clarification:

Starting Nmap 5.21 ( http://nmap.org ) at 2013-07-22 22:39 CEST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00027s latency).
PORT     STATE SERVICE
6311/tcp open  unknown

joelkuiper@vps20528 ~ % docker run -i -t base /bin/bash
root@f043b4b235a7:/# apt-get install nmap
root@f043b4b235a7:/# nmap 172.16.42.1 -p 6311 # IP found via docker inspect -> gateway

Starting Nmap 6.00 ( http://nmap.org ) at 2013-07-22 20:43 UTC
Nmap scan report for 172.16.42.1
Host is up (0.000060s latency).
PORT     STATE    SERVICE
6311/tcp filtered unknown
MAC Address: E2:69:9C:11:42:65 (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 13.31 seconds

I had to do this trick to get any internet connection within the container: My firewall is blocking network connections from the docker container to outside

EDIT: Eventually I went with creating a custom bridge using pipework and having the services listen on the bridge IPs. I went with this approach instead of having MongoDB and RabbitMQ listen on the docker bridge because it gives more flexibility.

JoelKuiper asked Jul 21 '13 09:07


1 Answer

A simple but relatively insecure way would be to use the --net=host option to docker run.

This option makes it so that the container uses the networking stack of the host. Then you can connect to services running on the host simply by using "localhost" as the hostname.

This is easier to configure because you won't have to configure the service to accept connections from the IP address of your docker container, and you won't have to tell the docker container a specific IP address or host name to connect to, just a port.

For example, you can test it out by running the following command, which assumes your image is called my_image, your image includes the telnet utility, and the service you want to connect to is on port 25:

docker run --rm -i -t --net=host my_image telnet localhost 25 

If you consider doing it this way, please see the caution about security on this page:

https://docs.docker.com/articles/networking/

It says:

--net=host -- Tells Docker to skip placing the container inside of a separate network stack. In essence, this choice tells Docker to not containerize the container's networking! While container processes will still be confined to their own filesystem and process list and resource limits, a quick ip addr command will show you that, network-wise, they live “outside” in the main Docker host and have full access to its network interfaces. Note that this does not let the container reconfigure the host network stack — that would require --privileged=true — but it does let container processes open low-numbered ports like any other root process. It also allows the container to access local network services like D-bus. This can lead to processes in the container being able to do unexpected things like restart your computer. You should use this option with caution.

David Grayson answered Oct 15 '22 15:10
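The answer above trades isolation for convenience, while the questioner's eventual fix (services bound to a bridge IP, not 0.0.0.0) keeps the ports off the public interface. The script below, added here as an example and not part of the original question or answer, audits a host the same way before choosing: it parses `ss -ltn` to find which address each service port is bound to, reads the docker0 address from `ip -4 addr show docker0`, and reports whether the port needs --net=host (bound to 127.0.0.1 only), is reachable from containers over the bridge, or is listening on every interface and therefore also exposed to the outside world unless the firewall blocks it. It also prints the iptables rule that lifts the "filtered" state seen in the question's nmap scan. The ss and ip output embedded in the script is constructed sample data; the port numbers 27017 (MongoDB) and 5672 (RabbitMQ) and the 172.17.0.1 bridge address are assumptions for the example. On a real host, feed it "$(ss -ltn)" and "$(ip -4 addr show docker0)" instead.

```shell
#!/bin/sh
# Added example, not code from the original post. Classifies host listeners
# by the address they are bound to and derives how a container should reach
# them. Sample data below is constructed; replace with live command output.

# Constructed `ss -ltn` output: sshd on all interfaces, MongoDB on loopback
# only, RabbitMQ on the (assumed) docker0 bridge address.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      128    127.0.0.1:27017     0.0.0.0:*
LISTEN 0      128    172.17.0.1:5672     0.0.0.0:*
LISTEN 0      128    [::]:22             [::]:*'

# Constructed `ip -4 addr show docker0` output.
SAMPLE_IP_ADDR='4: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever'

# bridge_ip IP_ADDR_OUTPUT: the docker0 IPv4 address without its prefix length
bridge_ip() {
  printf '%s\n' "$1" | awk '$1 == "inet" { sub(/\/.*/, "", $2); print $2; exit }'
}

# listen_addr PORT SS_OUTPUT: the IPv4 address PORT is bound to (empty if none).
# Only "addr:port" with exactly one colon is considered, which skips IPv6 rows.
listen_addr() {
  printf '%s\n' "$2" | awk -v p="$1" '
    $1 == "LISTEN" {
      n = split($4, a, ":")
      if (n == 2 && a[n] == p) { print a[1]; exit }
    }'
}

# reachability PORT SS_OUTPUT BRIDGE_IP: who can reach the port
#   all      bound to 0.0.0.0: containers and, firewall permitting, the internet
#   bridge   bound to the docker0 address: containers only
#   loopback bound to 127.0.0.1: only reachable with --net=host
#   none     nothing listening on that port
reachability() {
  addr=$(listen_addr "$1" "$2")
  case "$addr" in
    "")        echo none ;;
    0.0.0.0)   echo all ;;
    127.0.0.1) echo loopback ;;
    "$3")      echo bridge ;;
    *)         echo other ;;
  esac
}

# connect_target PORT SS_OUTPUT BRIDGE_IP: the docker network flag a container
# needs and the host:port it should connect to
connect_target() {
  case $(reachability "$1" "$2" "$3") in
    loopback)   echo "--net=host localhost:$1" ;;
    bridge|all) echo "--net=bridge $3:$1" ;;
    *)          echo "unreachable" ;;
  esac
}

# allow_from_bridge PORT: host firewall rule that lets traffic arriving on
# docker0 reach PORT; without it the container's scan shows "filtered".
allow_from_bridge() {
  echo "iptables -I INPUT -i docker0 -p tcp --dport $1 -j ACCEPT"
}

# Run the audit over the sample data (assumed ports: 27017 MongoDB, 5672 RabbitMQ).
BRIDGE=$(bridge_ip "$SAMPLE_IP_ADDR")
for p in 27017 5672 22 6311; do
  kind=$(reachability "$p" "$SAMPLE_SS" "$BRIDGE")
  echo "port $p: $kind -> $(connect_target "$p" "$SAMPLE_SS" "$BRIDGE")"
  case "$kind" in
    bridge|all) echo "  needs: $(allow_from_bridge "$p")" ;;
  esac
done
```

The script deliberately reports "all" separately from "bridge": a service on 0.0.0.0 is reachable from containers, but it is also reachable from the public interface, which is exactly what the question wanted to avoid. Binding the service to the docker0 address (or a custom bridge address, as in the questioner's pipework setup) keeps the default container networking and avoids --net=host entirely.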