PSA: discovery and Syncthing in a container: use docker host networking

I just spent a little while chasing my tail, ending up back where I should have started: the doc linked from the Docker image doc. As noted therein, discovery won’t work if you use Docker’s standard NAT/port mapping; you’ll need to use host networking. (Though why does that doc give the port-mapping version as an example?)

One thing that threw me a little was the discussion in “How do I advertise addresses for clients to connect to”, but the solution therein (adding the host address to the listen address) won’t work: Syncthing inside the standard container/Docker networking mode (bridging, NAT) can’t see / doesn’t know of the host’s network interfaces and thus can’t listen on or advertise them.

Guess I need to finally get this done :see_no_evil_monkey:

Using Docker’s host networking mode eliminates the network isolation between the container and the host. Whether this is a concern depends on your specific threat model and use case though.
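
The two networking modes discussed in this thread, side by side as a Compose file. This is an added example, not taken from the thread or from the Syncthing docs. The service names, the `./st-sync` path, the profile names and the choice to bind the GUI to loopback are assumptions.

```yaml
# Added example (constructed). Start exactly one variant:
#   docker compose --profile bridge up -d
#   docker compose --profile host up -d
services:
  # Variant 1: default bridge/NAT networking with published ports.
  # As noted in the thread, discovery does not work in this mode:
  # Syncthing only sees the container's own interface, so it cannot
  # listen on or advertise the host's addresses.
  syncthing-bridge:
    image: syncthing/syncthing
    profiles: ["bridge"]
    ports:
      - "127.0.0.1:8384:8384"   # web GUI, published on host loopback only
      - "22000:22000/tcp"       # sync protocol (TCP)
      - "22000:22000/udp"       # sync protocol (QUIC)
      - "21027:21027/udp"       # local discovery
    volumes:
      - ./st-sync:/var/syncthing   # assumed host path

  # Variant 2: host networking, which the thread recommends for discovery.
  # The container shares the host's network stack, so no ports are
  # published and every listener binds directly on the host.
  syncthing-host:
    image: syncthing/syncthing
    profiles: ["host"]
    network_mode: host
    environment:
      # Assumption: keep the GUI on loopback so that dropping network
      # isolation does not also expose the admin interface on every
      # host interface. Reach it via an SSH tunnel or a reverse proxy.
      - STGUIADDRESS=127.0.0.1:8384
    volumes:
      - ./st-sync:/var/syncthing   # assumed host path
```

With the host variant, the host firewall is the only network control in front of the container, so ports 22000 and 21027 should be allowed there only on the interfaces where peers are expected.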