Improve handling of Docker host-gateway routing

Previously, we explicitly handled the host.docker.internal alias,
treating it as non-routeable (so that it was handled locally, and the
mapping to 127.0.0.1 went to the host). This was tied to the specific
alias, and didn't support other EXTRA_HOSTS mappings. This is now
expanded, with custom mappings and other standard aliases also
included.

This also reduces our dependency on host.docker.internal generally,
which we're going to move away from for proxy config imminently.

Author: pimterry

src/interceptors/docker/docker-networking.ts

@@ -151,7 +151,9 @@ function combineSets<T>(...sets: ReadonlySet<T>[]): ReadonlySet<T> {
     return new Set(result);
 }
 
-function combineSetMaps<T>(...setMaps: Array<{ [key: string]: ReadonlySet<T> }>): { [key: string]: ReadonlySet<T> } {
+function combineSetMaps<T>(...setMaps: Array<{ [key: string]: ReadonlySet<T> }>): {
+    [key: string]: ReadonlySet<T>
+} {
     const keys = _.uniq(_.flatMap(setMaps, (mapping) => Object.keys(mapping)));
 
     return _.fromPairs(
@@ -163,6 +165,12 @@ function combineSetMaps<T>(...setMaps: Array<{ [key: string]: ReadonlySet<T> }>)
     );
 }
 
+// We treat host gateway routes totally separately to other routes. They resolve to 127.0.0.1,
+// but from the *host* POV (not the container/tunnel) so we have to handle them separately.
+const HostGateway = Symbol('host-gateway');
+type HostGateway = typeof HostGateway;
+const HostGatewaySet = new Set<HostGateway>([HostGateway]);
+
 /**
  * Network monitors tracks which networks the intercepted containers are connected to, and
  * monitors the network aliases & IPs accessible on those networks.
@@ -192,7 +200,7 @@ class DockerNetworkMonitor {
 
     private readonly networkTargets: {
         [networkId: string]: {
-            [hostname: string]: ReadonlySet<string>
+            [hostname: string]: ReadonlySet<string | HostGateway>
         }
     } = mobx.observable({});
 
@@ -206,20 +214,34 @@ class DockerNetworkMonitor {
         return new Set([
             ..._.flatten(
                 Object.values(this.networkTargets)
-                    .map((networkMap) => Object.keys(networkMap))
-            ).filter((host) =>
-                // We don't reroute the host hostname - the host is accessible from the host already
-                host !== DOCKER_HOST_HOSTNAME
+                    .map((networkMap) =>
+                        Object.entries(networkMap)
+                        // Exclude any aliases that might map to the host itself:
+                        .filter(([_alias, targets]) => ![...targets].some(t => t === HostGateway))
+                        .map(([alias]) => alias)
+                    )
             )
         ]);
     }
 
-    // The list of mappings per-network, binding aliases to their (0+) target IPs
+    // The list of mappings per-network, binding aliases to their (0+) target IPs.
+    // For aliases returned by dockerRoutedAliases, this should be the tunnel-relative
+    // IP. For other aliases, this should be host-relative.
     get aliasIpMap(): { [host: string]: ReadonlySet<string> } {
-        return combineSetMaps(...Object.values(this.networkTargets), {
+        const aliasMap = combineSetMaps(...Object.values(this.networkTargets), {
             // The Docker hostname always maps to the host's localhost, and it's not automatically included
             // on platforms (Windows & Mac) where Docker resolves it implicitly.
-            [DOCKER_HOST_HOSTNAME]: new Set(['127.0.0.1'])
+            'host.docker.internal': HostGatewaySet
+        });
+
+        return _.mapValues(aliasMap, (targets): ReadonlySet<string> => {
+            if ([...targets].some(t => t === HostGateway)) {
+                // For all host-gateway targets, we simplify to direct traffic
+                // directly back to the host itself:
+                return new Set(['127.0.0.1']);
+            } else {
+                return targets as ReadonlySet<string>;
+            }
         });
     }
 
@@ -281,7 +303,9 @@ class DockerNetworkMonitor {
         return isInterceptedContainer(container, this.proxyPort);
     }
 
-    private async getNetworkAliases(networkId: string): Promise<{ [host: string]: ReadonlySet<string> } | undefined> {
+    private async getNetworkAliases(networkId: string): Promise<
+        { [host: string]: ReadonlySet<string | HostGateway> } | undefined
+    > {
         const networkDetails: Docker.NetworkInspectInfo = await this.docker.getNetwork(networkId).inspect();
         const isDefaultBridge = networkDetails.Options?.['com.docker.network.bridge.default_bridge'] === 'true';
 
@@ -304,7 +328,14 @@ class DockerNetworkMonitor {
             return undefined;
         }
 
-        const aliases: Array<readonly [alias: string, targetIp: string]> = [];
+        const aliases: Array<readonly [alias: string, targetIp: string | HostGateway]> = [];
+
+        aliases.push(['host.docker.internal', HostGateway]);
+        aliases.push(['gateway.docker.internal', HostGateway]); // Seems equivalent? Very rarely used AFAICT.
+        // Deprecated but still functional Docker Desktop aliases:
+        if (process.platform === 'darwin') aliases.push(['docker.for.mac.localhost', HostGateway]);
+        if (process.platform === 'win32') aliases.push(['docker.for.win.localhost', HostGateway]);
+
 
         /*
          * So, what names are resolveable on a network?
@@ -370,7 +401,7 @@ class DockerNetworkMonitor {
                         const alias = hostParts[0];
                         const target = hostParts.slice(1).join(':');
                         const targetIp = target === 'host-gateway'
-                            ? '127.0.0.1'
+                            ? HostGateway
                             : target;
                         return [alias, targetIp] as const
                     })
@@ -417,6 +448,6 @@ class DockerNetworkMonitor {
             if (!aliasMap[alias]) aliasMap[alias] = new Set();
             aliasMap[alias].add(target);
             return aliasMap;
-        }, {} as { [alias: string]: Set<string> });
+        }, {} as { [alias: string]: Set<string | HostGateway> });
     }
 }

test/fixtures/docker/compose/docker-compose.networks.yml

@@ -28,11 +28,20 @@ services:
     links:
       - "default-service-a:a"
 
+  extra-host-service:
+    build: .
+    extra_hosts:
+      - 'custom.host.address.example:host-gateway'
+    environment:
+      EXTRA_TARGET: 'http://custom.host.address.example:9876' # The host container
+
   multi-network-a:
     build: .
     networks:
       - custom_net_1
       - custom_net_2
+    extra_hosts:
+      - 'host.docker.internal:host-gateway'
     environment:
       EXTRA_TARGET: 'http://host.docker.internal:9876' # The host container
 

test/fixtures/docker/compose/index.js

@@ -40,10 +40,18 @@ const TARGETS = [
     // Can we remotely resolve our own loopback address?
     [`http://localhost:${SERVER_PORT}/`, isOurHostname],
     [`http://127.0.0.1:${SERVER_PORT}/`, isOurHostname],
+    // (This works because Mockttp replaces localhost addresses in requests with
+    // the client's IP)
+
     // We can remote resolve our Docker hostname?
     [`http://${OUR_HOSTNAME}:${SERVER_PORT}/`, isOurHostname],
-    // Can we resolve a mocked-only URL? (This will always fail normally)
+    // (This works because our hostname is picked up by the network monitor, so the
+    // request is sent via the tunnel, and our DNS server routes it to our IP.
+
+    // Can we resolve a mocked-only URL?
     [`https://example.test/`, is('Mock response')],
+    // (This will always fail normally, but works in testing because we specifically
+    // spot this and inject the response).
 ];
 
 if (process.env.EXTRA_TARGET) {
@@ -84,10 +92,10 @@ const pollInterval = setInterval(async () => {
         console.log("All requests ok");
         clearInterval(pollInterval);
 
-        // Exit OK, but after a delay, so the other container can still make requests to us.
+        // Exit OK, but after a delay, so the other containers can still make requests to us.
         setTimeout(() => {
             process.exit(0);
-        }, 2000);
+        }, 5000);
     } else {
         console.log("Requests failed with", responses.map(r => r.message || r.statusCode));
     }

test/interceptors/docker-terminal-interception.spec.ts

@@ -303,6 +303,7 @@ Successfully built <hash>
             `host_1`,
             `default-service-a_1`,
             `default-linked-service-b_1`,
+            `extra-host-service_1`,
             `multi-network-a_1`,
             `multi-network-b_1`
         ].forEach((container) => {