How Private & Public IPs & Ports Work
The IP addresses and ports that come out of Kurtosis can be confusing at times. This document will explain how Kurtosis handles public and private IPs and ports.
Private IPs
Each Docker or Kubernetes cluster has a private IP address range, from 0.0.0.0
to 255.255.255.255
. Each container gets IP addresses from this range, and containers talk to other containers using these IP addresses. These IP addresses have nothing to do with the outside world's IP addresses, and are purely internal to the cluster.
These IP addresses are private to Docker/Kubernetes, so you will not be able to reach them from your host machine (i.e. outside the Docker/Kubernetes cluster). For example, a container with IP address 172.0.1.3
will not be reachable by curl
from your regular command line.
Private Ports
Containers can listen on ports. These ports do not conflict with other containers, nor do they conflict with ports on your host machine, outside the Docker/Kubernetes cluster. For example:
- You might be running Container A running a server listening on port
3000
, and Container B running a server listening on port3000
. Even though the containers are using the same port, they are treated separately inside of Docker/Kubernetes and do not conflict. - You might be running a server on your host machine on port
3000
, and a container in Docker/Kubernetes listening on port3000
. This is also fine, because the Docker/Kubernetes ports are private to the cluster.
These container ports are private: you will not be able to access them from your host machine.
Public IPs & Ports
To simplify your work, Kurtosis allows you to connect to every private port of every container. This is accomplished by binding every private port to an ephemeral port on your host machine. These ephemeral ports are called the "public ports" of the container because they allow the container to be accessed outside the Docker/Kubernetes cluster. To view the private & public port bindings of each container in Kurtosis, run kurtosis enclave inspect
and look for the bindings in the "Ports" column:
========================================== User Services ==========================================
GUID ID Ports Status
cl-beacon-1670597432 cl-beacon http: 4000/tcp -> 127.0.0.1:55947 RUNNING
metrics: 5054/tcp -> 127.0.0.1:55948
tcp-discovery: 9000/tcp -> 127.0.0.1:55949
udp-discovery: 9000/udp -> 127.0.0.1:52875
cl-validator-1670597459 cl-validator http: 5042/tcp -> 127.0.0.1:55955 RUNNING
metrics: 5064/tcp -> 127.0.0.1:55954
el-1670597405 el engine-rpc: 8551/tcp -> 127.0.0.1:55930 RUNNING
rpc: 8545/tcp -> 127.0.0.1:55928
tcp-discovery: 30303/tcp -> 127.0.0.1:55927
udp-discovery: 30303/udp -> 127.0.0.1:57433
ws: 8546/tcp -> 127.0.0.1:55929
forkmon-1670597469 forkmon http: 80/tcp -> 127.0.0.1:55962 RUNNING
grafana-1670597488 grafana http: 3000/tcp -> 127.0.0.1:55998 RUNNING
The IP address used to reach these containers is your localhost address, 127.0.0.1
. This is the "public IP address" of each container in the cluster.
The combination of public IP + port will allow you to connect to a container from your command line. For example, from the output above, curl 127.0.0.1:55947
on your command line would make a request to private port 4000
on the cl-client-0-beacon
service.