Is it possible to publish container's ports to host under docker executor?

Let’s suppose I want to run a docker-container that publishes a port to the host so that I can connect from host to the app running in the container using that published port. Is it possible to do that on CircleCI? It seems like it’s not, I just want to clarify.

My config looks like that:

    - setup_remote_docker:
        version: 18.05.0-ce
    - run:
        name: run Mitmdump
        command: |
          docker run --rm -d -p 8080:8080 mitmproxy/mitmproxy mitmdump --flow-detail 3

Here is an example build:
https://circleci.com/gh/AndreiPashkin/onedrive_client/132

The nc -w 15 -z localhost 8080 command tests whether the port is open; notice how it fails.

Yes and no :grin:

So, Docker running inside a Docker executor has to limit the permissions you have to modify the networking stack. My understanding is a bit fuzzy, but I believe that if you were to publish ports, by definition you would have permissions that would allow you to change other things in the network stack, which could affect other customers. Since that is a security issue, it is not allowed.

What you can do instead is to bring up another container in parallel, and then run your command in that container. Docker Compose is excellent for this, in fact - as that will automatically set up a virtual network and create local DNS entries for each service/container.

Let’s say you set up your existing image as a service called mitmproxy, and you set up the host command in a service called nc (in a docker-compose.yml file). You can then run the nc command from the nc container, using something like this in the host:

docker exec -it nc-container-name nc -w 15 -z mitmproxy-container-name 8080

Since there is no need to publish ports when connecting containers in the same virtual network, this will succeed.

2 Likes
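
The Compose setup described in the answer above, written out as an added example that is not part of the original posts. The service names mitmproxy and nc come from the answer; the alpine image for the nc service, its sleep command, and the file name are assumptions.

```yaml
# docker-compose.yml (added example, not from the original thread)
version: "3"

services:
  mitmproxy:
    image: mitmproxy/mitmproxy
    # Same command as in the question's docker run line.
    command: mitmdump --flow-detail 3
    # No "ports:" section on purpose: nothing is published to the host,
    # so the proxy is reachable only from containers on the network
    # that Compose creates for this project.

  nc:
    # Assumption: any small image whose nc supports -w and -z will do.
    image: alpine
    # Keep the container alive so commands can be exec'd into it.
    command: sleep 3600
    depends_on:
      - mitmproxy

# Run from a CircleCI step after setup_remote_docker:
#
#   docker-compose up -d
#   docker-compose exec -T nc nc -w 15 -z mitmproxy 8080
#
# "mitmproxy" resolves through the DNS entry Compose creates for the
# service. -T disables TTY allocation, which suits a non-interactive
# CI step. depends_on only orders container start; it does not wait
# for mitmdump to listen, so retry the check if it runs too early.
```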

Nice. Thanks for the thorough explanation.

1 Like
