Unable to bind to address other than 127.0.0.1 or 0.0.0.0

[HarlemSquirrel]

Actual Behavior

Attempting to bind a container to any port loopback address other than 0.0.0.0 or 127.0.0.1 results in no ports binding at all and services are not available from the host.

This works fine with Docker Desktop on MacBook Pro Apple M3 Pro with Mac OS 14.

Steps to Reproduce

Use the following docker-compose.yml

# docker-compose.yml
services:
  db:
    container_name: db
    image: postgres:15.4
    restart: unless-stopped
    ports:
      - '127.0.0.11:15432:5432'

# Set up new alias
sudo ifconfig lo0 alias 127.0.0.11

# Start container
docker compose up -d db

Result

# Check from host for listening
sudo lsof -nP -i4TCP:15432 -sTCP:LISTEN
# nothing

grep '15432' ~/Library/Logs/rancher-desktop/lima.ha.stderr.log
{"level":"debug","msg":"guest agent event: {Time:2024-04-23 21:52:05.733361439 +0000 UTC LocalPortsAdded:[{IP:127.0.0.11 Port:15432}] LocalPortsRemoved:[] Errors:[]}","time":"2024-04-23T17:52:06-04:00"}
{"level":"info","msg":"Not forwarding TCP 127.0.0.11:15432","time":"2024-04-23T17:52:06-04:00"}

Expected Behavior

Using Docker Desktop we see the container is able to bind.

sudo lsof -nP -i4TCP:15432 -sTCP:LISTEN

COMMAND     PID  USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
com.docke 30689 kmack  186u  IPv4 0x344982b0fe901de1      0t0  TCP 127.0.0.11:15432 (LISTEN)

Additional Information

No response

Rancher Desktop Version

1.13.1

Rancher Desktop K8s Version

1.29.3

Which container engine are you using?

moby (docker cli)

What operating system are you using?

macOS

Operating System / Build Version

macOS 14.3 (23D56)

What CPU architecture are you using?

arm64 (Apple Silicon)

Linux only: what package format did you use to install Rancher Desktop?

None

Windows User Only

No response

[jandubois]

bind a container to any port loopback address other than 0.0.0.0 or 127.0.0.1

This is indeed not currently supported and a limitation on how Lima implements port forwarding (forwarding between interfaces must be declared when the VM is started and cannot be modified at runtime).

So while this may look like a small thing, it would require changing the way port forwarding is implemented in the guest and host agents.

[HarlemSquirrel]

That makes sense. Is this something on the roadmap at all?

[jandubois]

Is this something on the roadmap at all?

It is not on the roadmap so far. It would have to be implemented in Lima first before we could enable it in Rancher Desktop. And we would have to figure out how to do the same thing on Windows.

I think it is a good idea, but the effort/benefit ratio unfortunately doesn't make it likely to be prioritized in the near future.

[jandubois]

I thought of a manual way to get this working: Create ~/Library/Application Support/rancher-desktop/lima/_config/override.yaml with the following content and restart Rancher Desktop:

portForwards:
- guestIP: 127.0.0.11
  hostIP: 127.0.0.11

That will tell the guest agent to forward that interface as well:

$ grep '15432' ~/Library/Logs/rancher-desktop/lima.ha.stderr.log
{"level":"debug","msg":"guest agent event: {Time:2024-04-25 16:20:37.783086267 +0000 UTC LocalPortsAdded:[{IP:127.0.0.11 Port:15432}] LocalPortsRemoved:[] Errors:[]}","time":"2024-04-25T09:20:39-07:00"}
{"level":"info","msg":"Forwarding TCP from 127.0.0.11:15432 to 127.0.0.11:15432","time":"2024-04-25T09:20:39-07:00"}

The lsof command still didn't show anything for me, but that was because the database didn't actually start properly, so the port was closed again right away:

$ docker logs db
Error: Database is uninitialized and superuser password is not specified.
       You must specify POSTGRES_PASSWORD to a non-empty value for the
       superuser. For example, "-e POSTGRES_PASSWORD=password" on "docker run".

       You may also use "POSTGRES_HOST_AUTH_METHOD=trust" to allow all
       connections without a password. This is *not* recommended.

       See PostgreSQL documentation about "trust":
       https://www.postgresql.org/docs/current/auth-trust.html

Note that the override.yaml file will be deleted if you ever perform a factory reset, and must be recreated manually again afterwards.

[HarlemSquirrel]

Interesting. Would this work if we want to do this with multiple IP addresses? Ideally we want to have multiple services running on the same ports but differ IP addresses.

[jandubois]

Would this work if we want to do this with multiple IP addresses?

Yes, you just have to list them all:

portForwards:
- guestIP: 127.0.0.11
  hostIP: 127.0.0.11
- guestIP: 127.0.0.12
  hostIP: 127.0.0.12
- guestIP: 127.0.0.13
  hostIP: 127.0.0.13

[HarlemSquirrel]

It works! 🎉