WSL 2.0: networkingMode=mirrored makes Docker unable to forward ports #10494
Comments
Interestingly, the port forwarding does work from another machine on the same network as host. Just not on the host machine itself. Machine A:
Machine B:
|
Same issue Maybe related issues: |
Same problem here |
Yup, it's unfortunate but I have the same issue. I am on the release channel with windows version 10.0.22621.2359 |
Same problem here |
Switching to NAT helped me. |
same here |
+1 |
+1 |
+1 |
@benhillis Any ideas/updates here? |
same here |
+1 |
Same issue here, the only way I found to make it "work" was adding ignoredPorts=8080 to the wslconfig, but if container has something like 4800:8080 need to add both ports to |
I think that's a workaround that would work... but I am waiting for someone from the WSL team to answer us here, did they get to know that is the issue, and if they have any plans to fix this? |
That seems to work. Nice find. |
If you run After starting the web server with
Requests from Windows side timeout with:
From another server it works, as mentioned by @driver1998 :
|
Just ran into this as well. AWS
(The port number changes randomly every time) Based on this: https://github.com/aws/aws-sam-cli/blob/c5b9b1e399a1e5c938ef72934a14ede934e17bac/samcli/local/docker/container.py#L124-L125 |
It seems like it's generally a problem with WSL itself. I am looking for a fix soon, since the new network mode is so useful but it's not useable (usefully) in the current state. |
I am having the same issue with apache. No changes other than added --experimental but now nothing works.
(98)Address already in use: AH00072: make_sock: could not bind to address [::]:80
root@ACER-Nitro:/usr/sbin# lsof -nP -iTCP -sTCP:LISTEN |
Same problem |
|
there seem to be two issues why Docker containers cannot connect from Windows.
temporary measures for /etc/docker/daemon.json
when using mirrored, the behavior seems to be different from the previous localhostforwarding. use docker-proxy(listen on Linux)
interface is different, but the behavior remains the same. use iptables(listen on container)
via localhostforwarding(until), source address(Windows) was the docker network gateway (=pointing to linux). via mirrored, source address is 127.0.0.1. |
As a note, this is not just docker. Even without docker and resetting WSL entirely this still occurs. mirrored mode does not work correctly with regular WSL images such as Ubuntu. |
@mwwhited I would recommend you open a separate issue. This one is specifically about Docker. |
There are several here all describing the same issue. Opening more is not going to fix it any better. |
But I can tell you this issue will very likely be closed as soon as the Docker CE issue is resolved. |
As already noted above I have cross mentioned the issue to try to get an actual fix instead of just a pile of workarounds, especially as these workarounds do not work for everyone. |
Well it looks like the issue wasn't actually fixed for me. Not sure what I did or what changed to fix and then unfix the issue. Also when running the table ip nat { Where it looks like the |
although this issue occurs with Docker, i believe it is a compatibility issue at WSL.
my nftables rules partially cancels the effect of this parameter. if the Windows host could reflect the routing to the network inside WSL, the fourth point raised by @itispip would be easily solved. |
I just tested WSL 2.3.11 and unfortunately the problem remains there. |
@felipecrs : right - 2.3.1.1 fixes a variety of Linux container scenarios. This in particular will require Docker to change their route - tracked here: moby/moby#48056. We are in contact with them and the fix should hopefully be released soon. |
@keith-horton
this improvement gives us more options. in the daemon.json
this now works as well. but this change is made, 'userland-proxy: false' may no longer work. |
this may seem unnecessary since moby takes care of it, but this is a new improvement plan. WSL 2.3.11 brings several improvements to communication with Windows host. therefore, you can now use the following rules to improve communication from Windows host to Docker containers:
|
@shigenobuokamoto with WSL pre-release 2.3.11 would you still recommend your systemd script workaround? https://gist.github.com/shigenobuokamoto/b565d468541fc8be7d7d76a0434496a0 |
As a user, I can it still works fine. |
@codeart1st WSL 2.3.11 includes some improvements to mirrored networking, so i am looking into how to use them to improve the experience. this is the prototype new network-mirrored.service. please try this too. https://gist.github.com/shigenobuokamoto/540c5f09a03eb07149501e99a6c8d82b
|
Also, this would mean that whatever application that relies on the same feature as docker would have the same issue. It could be an old application that doesn't receive more support for example. Or some application that refuses to implement a fix just for WSL. So, yeah, I totally agree. The ideal would have been the fix to happen on WSL side. |
When will this fix be built into wsl? Now we can only use service script to make it work, I don't think this is a long term solution. Besides, I use nixos-wsl, this is my example module that can be used as a reference for nixos users, from @shigenobuokamoto

```nix
{pkgs, ...}: {
  systemd.services.network-mirrored = {
    description = "network-mirrored";
    enable = true;
    wants = ["network-pre.target"];
    wantedBy = ["multi-user.target"];
    before = ["network-pre.target" "shutdown.target"];
    serviceConfig = {
      User = "root";
      # Start: exit 0 unless wslinfo reports mirrored mode; otherwise add an
      # nftables prerouting chain with a DNAT rule for loopback0 traffic to 127.0.0.1.
      ExecStart = [
        ''
          /bin/sh -ec '\
          [ -x /usr/bin/wslinfo ] && [ "$(/usr/bin/wslinfo --networking-mode)" = "mirrored" ] || exit 0;\
          echo "\
          add chain ip nat WSLPREROUTING { type nat hook prerouting priority dstnat - 1; policy accept; };\
          insert rule ip nat WSLPREROUTING iif loopback0 ip daddr 127.0.0.1 counter dnat to 127.0.0.1 comment mirrored;\
          "|${pkgs.nftables}/bin/nft -f -\
          '
        ''
      ];
      # Stop: look up the handles of rules tagged with the comment "mirrored"
      # and delete them from the chain.
      ExecStop = [
        ''
          /bin/sh -ec '\
          [ -x /usr/bin/wslinfo ] && [ "$(/usr/bin/wslinfo --networking-mode)" = "mirrored" ] || exit 0;\
          for chain in "ip nat WSLPREROUTING";\
          do\
          handle=$(${pkgs.nftables}/bin/nft -a list chain $chain | sed -En "s/^.*comment \\"mirrored\\" # handle ([0-9]+)$/\\1/p");\
          for n in $handle; do echo "delete rule $chain handle $n"; done;\
          done|${pkgs.nftables}/bin/nft -f -\
          '
        ''
      ];
      RemainAfterExit = "yes";
    };
  };
}
```
|
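here is a really dirty solution, I just wrote a nodejs tcp reverse proxy server to map the docker port to another port, so we can use another port because it's created by a non-docker process.

```js
import net from 'net'

// Proxy listen port -> port published by Docker
let map = {
  15432: 5432,
  13000: 3000,
}
for (const from in map) {
  const to = map[from]
  net
    .createServer((server) => {
      // `server` is the accepted client socket; relay it to the Docker port
      const client = net.createConnection(to)
      server.pipe(client)
      client.pipe(server)
      // Without 'error' listeners a refused or reset connection would crash the process
      client.on('error', () => server.destroy())
      server.on('error', () => client.destroy())
    })
    .listen(from) // no host given, so the proxy listens on all interfaces
    .on('listening', () => {
      console.log(`tcp-proxy: ${from} -> ${to}`)
    })
    .on('error', (err) => {
      console.error(err)
    })
}
```
|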
@zaaack, if you are looking for a temporary solution, this one is the best you'll find: #10494 (comment) |
thanks, but my wsl is older and doesn't set systemd |
Has anyone had success configuring WSL to allow connections from containers in WSL to the windows host?
|
@jweaston .wslconfig
docker container (in WSL) can connect to 192.168.1.10:5966. |
hello. Docker completed the PR that fixes this issue - moby/moby#48514 Please try Docker version 27.3.0 |
It works in my test. :) |
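A quick way to tell whether a given setup still needs the workarounds discussed in this thread, written as an added example (not code from any commenter, Docker or the WSL team). The function names are hypothetical; the 27.3.0 threshold is the version named in the comment above, and `wslinfo --networking-mode` is the call used in the service script posted earlier.

```shell
#!/bin/sh
# Added example: classify a WSL + Docker setup against the fix reported in this thread.

# Extract MAJOR.MINOR.PATCH from a `docker --version` line,
# e.g. "Docker version 24.0.6, build ed223bc" -> "24.0.6".
docker_version_from() {
    printf '%s\n' "$1" |
        sed -n 's/^Docker version \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Return 0 when version $1 >= version $2, comparing each field numerically.
version_ge() {
    for i in 1 2 3; do
        x=$(printf '%s' "$1" | cut -d. -f"$i")
        y=$(printf '%s' "$2" | cut -d. -f"$i")
        if [ "${x:-0}" -gt "${y:-0}" ]; then return 0; fi
        if [ "${x:-0}" -lt "${y:-0}" ]; then return 1; fi
    done
    return 0
}

# $1 = output of `wslinfo --networking-mode`, $2 = output of `docker --version`.
# Prints: not-mirrored | fixed | needs-workaround | unknown
mirrored_port_status() {
    if [ "$1" != "mirrored" ]; then
        echo "not-mirrored"
        return 0
    fi
    v=$(docker_version_from "$2")
    if [ -z "$v" ]; then
        echo "unknown"              # version string not recognised
    elif version_ge "$v" "27.3.0"; then
        echo "fixed"                # at or above the version named in the thread
    else
        echo "needs-workaround"     # older Docker in mirrored mode
    fi
}

# Live check inside WSL; skipped when either tool is missing.
if [ -x /usr/bin/wslinfo ] && command -v docker >/dev/null 2>&1; then
    mirrored_port_status "$(/usr/bin/wslinfo --networking-mode)" "$(docker --version)"
fi
```

With the versions from the original report (mirrored mode, Docker 24.0.6) this prints `needs-workaround`.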
My favorite flavor of Linux is Ubuntu via Docker via Ubuntu via WSL via Windows 11. |
Windows Version
Microsoft Windows [Version 10.0.22631.2338]
WSL Version
2.0.0.0
Are you using WSL 1 or WSL 2?
Kernel Version
5.15.123.1-1
Distro Version
Ubuntu 20.04.6
Other Software
Docker version 24.0.6, build ed223bc
Repro Steps
networkingMode to mirrored
docker run -d -p 8080:80 nginx:alpine (example)
localhost:8080
curl http://localhost:8080 same issue
Expected Behavior
To forward the port and be able to connect to my containers
Actual Behavior
Doesn't forward the port, so I cannot connect to my containers.
Diagnostic Logs
No response