Fix server port when network mode is host (#2353)

blkt · web-flow · commit a3199a6beae9 · 2025-10-29T16:07:04.000+01:00
Docker networking works differently depending on whether it's running inside a VM or on the (linux) host itself, with VM-based installations like Docker Desktop not supporting `host` network. What happens is that the port is exposed on the VM rather than the actual host. Note that this is the case for linux running Docker Desktop. On the other hand, Docker Engine installations work just fine on linux, but we were still configuring the Proxy to try to connect to the wrong port. This is PR assumes that * all linux installations run docker engine * all non-linux installations run on VMs Fixes #2317
diff --git a/pkg/container/docker/client.go b/pkg/container/docker/client.go
@@ -291,20 +291,33 @@ func (c *Client) DeployWorkload(
 		return 0, nil
 	}
 
+	firstPortInt, err := extractFirstPort(options)
+	if err != nil {
+		return 0, err // extractFirstPort already wraps the error with context.
+	}
 	if isolateNetwork {
 		// just extract the first exposed port
-		firstPortInt, err := extractFirstPort(options)
-		if err != nil {
-			return 0, err // extractFirstPort already wraps the error with context.
-		}
 		hostPort, err = c.ops.createIngressContainer(ctx, name, firstPortInt, attachStdio, externalEndpointsConfig,
 			permissionProfile.Network)
 		if err != nil {
 			return 0, fmt.Errorf("failed to create ingress container: %v", err)
 		}
 	}
 
-	return hostPort, nil
+	// NOTE: this is a hack to get the final port for the workload.
+	// The intended behavior is the following
+	// * if network is "bridge" (default) and network isolation is not enabled, then
+	//   the Proxy should use the Docker assigned port
+	// * if network is "bridge" (default) and network isolation is enabled, then
+	//   the Proxy should use the egress container port
+	// * if network is "host", then the Proxy should use the MCP server port
+	//
+	// The last case is not supported in VM-based installations like Docker Desktop.
+	// Unfortunately, there's no reliable way to know if the user is using a VM-based
+	// installation and we assume that Linux installations are Docker Engine installations.
+	finalPort := calculateFinalPort(hostPort, firstPortInt, permissionConfig.NetworkMode)
+
+	return finalPort, nil
 }
 
 // ListWorkloads lists workloads
@@ -1314,6 +1327,9 @@ func (c *Client) createContainer(
 	if err != nil {
 		return "", NewContainerError(err, "", fmt.Sprintf("failed to create container: %v", err))
 	}
+	if resp.Warnings != nil {
+		logger.Debugf("Container creation warnings: %v", resp.Warnings)
+	}
 
 	// Start the container
 	err = c.api.ContainerStart(ctx, resp.ID, container.StartOptions{})
@@ -1386,10 +1402,21 @@ func (c *Client) createDnsContainer(ctx context.Context, dnsContainerName string
 	return dnsContainerId, dnsContainerIP, nil
 }
 
-func (c *Client) createMcpContainer(ctx context.Context, name string, networkName string, image string, command []string,
-	envVars map[string]string, labels map[string]string, attachStdio bool, permissionConfig *runtime.PermissionConfig,
-	additionalDNS string, exposedPorts map[string]struct{}, portBindings map[string][]runtime.PortBinding,
-	isolateNetwork bool) error {
+func (c *Client) createMcpContainer(
+	ctx context.Context,
+	name string,
+	networkName string,
+	image string,
+	command []string,
+	envVars map[string]string,
+	labels map[string]string,
+	attachStdio bool,
+	permissionConfig *runtime.PermissionConfig,
+	additionalDNS string,
+	exposedPorts map[string]struct{},
+	portBindings map[string][]runtime.PortBinding,
+	isolateNetwork bool,
+) error {
 	// Create container configuration
 	config := &container.Config{
 		Image:        image,
diff --git a/pkg/container/docker/client_final_port_linux.go b/pkg/container/docker/client_final_port_linux.go
@@ -0,0 +1,10 @@
+//go:build linux
+
+package docker
+
+func calculateFinalPort(hostPort int, firstPortInt int, networkName string) int {
+	if networkName == "host" {
+		return firstPortInt
+	}
+	return hostPort
+}
diff --git a/pkg/container/docker/client_final_port_other.go b/pkg/container/docker/client_final_port_other.go
@@ -0,0 +1,7 @@
+//go:build !linux
+
+package docker
+
+func calculateFinalPort(hostPort int, _ int, _ string) int {
+	return hostPort
+}
diff --git a/pkg/transport/http.go b/pkg/transport/http.go
@@ -321,8 +321,12 @@ func (t *HTTPTransport) Start(ctx context.Context) error {
 
 	// Create the transparent proxy
 	t.proxy = transparent.NewTransparentProxy(
-		t.host, t.proxyPort, t.containerName, targetURI,
-		t.prometheusHandler, t.authInfoHandler,
+		t.host,
+		t.proxyPort,
+		t.containerName,
+		targetURI,
+		t.prometheusHandler,
+		t.authInfoHandler,
 		t.remoteURL == "",
 		t.remoteURL != "",
 		string(t.transportType),
