为什么这个 Docker 镜像默认会发布所有端口

是否有某种不明显的配置会导致所有端口都被发布(即在 Docker 容器内外都可以访问)? 即使不带任何选项直接运行镜像也是如此,例如:

docker run -it xxx/xxx /bin/bash 

这里是 inspect 的输出(注意 "PublishAllPorts" 被设置为 false,只有少数几个端口被明确暴露):

  { "Id": "c0170d0dfde1a92550e4f3ac999cd13c9711f3b15493325d85a4b9c9542f5d01", "Created": "2016-12-02T05:19:27.91485137Z", "Path": "/bin/bash", "Args": [], "State": { "Status": "running", "Running": true, "Paused": false, "Restarting": false, "OOMKilled": false, "Dead": false, "Pid": 26493, "ExitCode": 0, "Error": "", "StartedAt": "2016-12-05T14:44:38.270973904Z", "FinishedAt": "2016-12-05T14:43:57.974501757Z" }, "Image": "sha256:2b6dff71e5b964409749dacabe5653d57879b860bfbddf37bb40a51c3d3c5778", "ResolvConfPath": "/var/lib/docker/containers/c0170d0dfde1a92550e4f3ac999cd13c9711f3b15493325d85a4b9c9542f5d01/resolv.conf", "HostnamePath": "/var/lib/docker/containers/c0170d0dfde1a92550e4f3ac999cd13c9711f3b15493325d85a4b9c9542f5d01/hostname", "HostsPath": "/var/lib/docker/containers/c0170d0dfde1a92550e4f3ac999cd13c9711f3b15493325d85a4b9c9542f5d01/hosts", "LogPath": "", "Name": "/pedantic_perlman", "RestartCount": 0, "Driver": "devicemapper", "MountLabel": "system_u:object_r:svirt_sandbox_file_t:s0:c570,c970", "ProcessLabel": "system_u:system_r:svirt_lxc_net_t:s0:c570,c970", "AppArmorProfile": "", "ExecIDs": null, "HostConfig": { "Binds": null, "ContainerIDFile": "", "LogConfig": { "Type": "journald", "Config": {} }, "NetworkMode": "default", "PortBindings": {}, "RestartPolicy": { "Name": "no", "MaximumRetryCount": 0 }, "VolumeDriver": "", "VolumesFrom": null, "CapAdd": null, "CapDrop": null, "Dns": [], "DnsOptions": [], "DnsSearch": [], "ExtraHosts": null, "GroupAdd": null, "IpcMode": "", "Links": null, "OomScoreAdj": 0, "PidMode": "", "Privileged": false, "PublishAllPorts": false, "ReadonlyRootfs": false, "SecurityOpt": null, "UTSMode": "", "ShmSize": 67108864, "ConsoleSize": [ 0, 0 ], "Isolation": "", "CpuShares": 0, "CgroupParent": "", "BlkioWeight": 0, "BlkioWeightDevice": null, "BlkioDeviceReadBps": null, "BlkioDeviceWriteBps": null, "BlkioDeviceReadIOps": null, "BlkioDeviceWriteIOps": null, "CpuPeriod": 0, "CpuQuota": 0, "CpusetCpus": "", "CpusetMems": "", "Devices": 
[], "KernelMemory": 0, "Memory": 0, "MemoryReservation": 0, "MemorySwap": 0, "MemorySwappiness": -1, "OomKillDisable": false, "PidsLimit": 0, "Ulimits": null }, "GraphDriver": { "Name": "devicemapper", "Data": { "DeviceId": "38", "DeviceName": "docker-253:0-1970585-466a43a88fda2e37aa154f06eaf6dcdc1c7a68890be72471ded27e3e45f0b960", "DeviceSize": "10737418240" } }, "Mounts": [], "Config": { "Hostname": "c0170d0dfde1", "Domainname": "", "User": "", "AttachStdin": true, "AttachStdout": true, "AttachStderr": true, "ExposedPorts": { "11000/tcp": {}, "11443/tcp": {}, "16000/tcp": {}, "16001/tcp": {}, "19888/tcp": {}, "2181/tcp": {}, "22/tcp": {}, "60010/tcp": {}, "7077/tcp": {}, "8020/tcp": {}, "8042/tcp": {}, "8080/tcp": {}, "8088/tcp": {}, "8888/tcp": {}, "8983/tcp": {}, "9090/tcp": {}, "9092/tcp": {} }, "Tty": true, "OpenStdin": true, "StdinOnce": true, "Env": [ "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", "TERM=xterm" ], "Cmd": [ "/bin/bash" ], "Image": "docker.io/caioquirino/docker-cloudera-quickstart", "Volumes": null, "WorkingDir": "", "Entrypoint": null, "OnBuild": null, "Labels": {} }, "NetworkSettings": { "Bridge": "", "SandboxID": "e33871c583ead85bb1d5c68160f19fd67007e3f0fd18acaf92706d88e941d6a3", "HairpinMode": false, "LinkLocalIPv6Address": "", "LinkLocalIPv6PrefixLen": 0, "Ports": { "11000/tcp": null, "11443/tcp": null, "16000/tcp": null, "16001/tcp": null, "19888/tcp": null, "2181/tcp": null, "22/tcp": null, "60010/tcp": null, "7077/tcp": null, "8020/tcp": null, "8042/tcp": null, "8080/tcp": null, "8088/tcp": null, "8888/tcp": null, "8983/tcp": null, "9090/tcp": null, "9092/tcp": null }, "SandboxKey": "/var/run/docker/netns/e33871c583ea", "SecondaryIPAddresses": null, "SecondaryIPv6Addresses": null, "EndpointID": "dfb52838892c31a3428efd6d0996b6f9ccbe2f9edc71a2a2e2cf0c08c622d538", "Gateway": "172.17.0.1", "GlobalIPv6Address": "", "GlobalIPv6PrefixLen": 0, "IPAddress": "172.17.0.2", "IPPrefixLen": 16, "IPv6Gateway": "", "MacAddress": 
"02:42:ac:11:00:02", "Networks": { "bridge": { "IPAMConfig": null, "Links": null, "Aliases": null, "NetworkID": "17de08a7428d3243288647a88e991cdf8989b3c9aab17213a24acfbf396ded3a", "EndpointID": "dfb52838892c31a3428efd6d0996b6f9ccbe2f9edc71a2a2e2cf0c08c622d538", "Gateway": "172.17.0.1", "IPAddress": "172.17.0.2", "IPPrefixLen": 16, "IPv6Gateway": "", "GlobalIPv6Address": "", "GlobalIPv6PrefixLen": 0, "MacAddress": "02:42:ac:11:00:02" } } } } 

但是我仍然可以访问任意端口:

  [root@localhost bryan]# curl 172.17.0.2:50070 <!-- Licensed to the Apache Software Foundation (ASF) under one or more contributor license agreements. See the NOTICE file distributed with this work for additional information regarding copyright ownership. The ASF licenses this file to You under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. 

暴露(EXPOSE)的端口在你的 Dockerfile 中定义,并被合并到镜像配置中。 它们只是告诉 Docker 容器会监听哪些端口,但默认情况下并不会发布这些端口。 您需要使用 -p 发布特定端口,或使用 -P 将所有已暴露的端口发布到随机的主机端口。

根据您的 Linux iptables 配置,您可以像示例中那样从 Docker 主机直接访问容器的接口/端口(示例中的 50070 甚至不在 ExposedPorts 列表里,这说明通过容器 IP 的直接访问与端口是否被暴露或发布无关)。 除非您能通过主机的本地回环接口访问该端口,否则这些端口并没有发布到外部世界。 您可以用以下命令来验证:

  curl 127.0.0.1:50070