# talk-oathkeeper
m
Hi all - what’s a good way to run oathkeeper locally in Docker so it can talk to local upstream services? E.g. the following doesn’t seem to expose its ports on the host:
docker build -t ory-oathkeeper-demo . && docker run --rm --name ory-oathkeeper-demo --network host ory-oathkeeper-demo --config /config.yaml serve
(Config looks like this:)
% cat config.yaml
serve:
  proxy:
    port: 4455 # run the proxy at port 4455
  api:
    port: 4456 # run the api at port 4456

access_rules:
  repositories:
    - file:///rules.json

errors:
  fallback:
    - json
  handlers:
    json:
      enabled: true
      config:
        verbose: true
    redirect:
      enabled: true
      config:
        to: https://www.ory.sh/docs

mutators:
  header:
    enabled: true
    config:
      headers:
        X-User: "{{ print .Subject }}"
        # You could add some other headers, for example with data from the
        # session.
        # X-Some-Arbitrary-Data: "{{ print .Extra.some.arbitrary.data }}"
  noop:
    enabled: true
  id_token:
    enabled: true
    config:
      issuer_url: http://localhost:4455/
      jwks_url: file:///jwks.json

authorizers:
  allow:
    enabled: true
  deny:
    enabled: true

authenticators:
  anonymous:
    enabled: true
    config:
      subject: guest
And the logs show it registering on 4455:
<snip>
time=2023-05-12T09:56:35Z level=info msg=No tracer configured - skipping tracing setup audience=application service_name=ORY Oathkeeper service_version=v0.40.3
time=2023-05-12T09:56:35Z level=info msg=Detected access rule repository change, processing updates. audience=application repos=[file:///rules.json] service_name=ORY Oathkeeper service_version=v0.40.3
time=2023-05-12T09:56:35Z level=info msg=Detected file change for access rules. Triggering a reload. audience=application event=fsnotify file=/rules.json service_name=ORY Oathkeeper service_version=v0.40.3
time=2023-05-12T09:56:35Z level=info msg=Software quality assurance features are enabled. Learn more at: https://www.ory.sh/docs/ecosystem/sqa audience=application service_name=ORY Oathkeeper service_version=v0.40.3
time=2023-05-12T09:56:35Z level=info msg=Listening on http://:9000 audience=application service_name=ORY Oathkeeper service_version=v0.40.3
time=2023-05-12T09:56:35Z level=info msg=TLS has not been configured for api, skipping audience=application service_name=ORY Oathkeeper service_version=v0.40.3
time=2023-05-12T09:56:35Z level=info msg=TLS has not been configured for proxy, skipping audience=application service_name=ORY Oathkeeper service_version=v0.40.3
time=2023-05-12T09:56:35Z level=info msg=Listening on http://:4455 audience=application service_name=ORY Oathkeeper service_version=v0.40.3
time=2023-05-12T09:56:35Z level=info msg=Listening on http://:4456 audience=application service_name=ORY Oathkeeper service_version=v0.40.3
And yet:
w
Are you certain localhost properly resolves to 127.0.0.1?
m
Good point - here’s ping:
% ping localhost
PING localhost (127.0.0.1): 56 data bytes
64 bytes from 127.0.0.1: icmp_seq=0 ttl=64 time=0.118 ms
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.261 ms
64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.060 ms
^C
--- localhost ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.060/0.146/0.261/0.084 ms
w
Try connecting via the IP address in the browser maybe? Shouldn't be an issue normally though. Do other ports / services work?
m
It does work if I use docker compose and its networking, just pointing at the d-c service
Back to the previous example: I can hit the backend directly in my browser with localhost:6789
(Well, when I say it works in docker-compose, the rule doesn’t match, but that’s another problem. I can at least get to Oathkeeper)
Solved by just running the oathkeeper command locally. Thanks for the help!