为什么此 Docker 镜像在默认情况下会发布所有端口

时间:2016-12-05 17:46:19

标签: docker port fedora

是否有某个不显眼的配置会导致所有端口都被发布(即在 docker 容器内外都可访问)?运行该镜像时没有加任何选项,命令如下:

docker run -it xxx/xxx /bin/bash

下面是 docker inspect 的输出(请注意 "PublishAllPorts" 为 false,并且只列出了少数几个端口):

 {
    "Id": "c0170d0dfde1a92550e4f3ac999cd13c9711f3b15493325d85a4b9c9542f5d01",
    "Created": "2016-12-02T05:19:27.91485137Z",
    "Path": "/bin/bash",
    "Args": [],
    "State": {
        "Status": "running",
        "Running": true,
        "Paused": false,
        "Restarting": false,
        "OOMKilled": false,
        "Dead": false,
        "Pid": 26493,
        "ExitCode": 0,
        "Error": "",
        "StartedAt": "2016-12-05T14:44:38.270973904Z",
        "FinishedAt": "2016-12-05T14:43:57.974501757Z"
    },
    "Image": "sha256:2b6dff71e5b964409749dacabe5653d57879b860bfbddf37bb40a51c3d3c5778",
    "ResolvConfPath": "/var/lib/docker/containers/c0170d0dfde1a92550e4f3ac999cd13c9711f3b15493325d85a4b9c9542f5d01/resolv.conf",
    "HostnamePath": "/var/lib/docker/containers/c0170d0dfde1a92550e4f3ac999cd13c9711f3b15493325d85a4b9c9542f5d01/hostname",
    "HostsPath": "/var/lib/docker/containers/c0170d0dfde1a92550e4f3ac999cd13c9711f3b15493325d85a4b9c9542f5d01/hosts",
    "LogPath": "",
    "Name": "/pedantic_perlman",
    "RestartCount": 0,
    "Driver": "devicemapper",
    "MountLabel": "system_u:object_r:svirt_sandbox_file_t:s0:c570,c970",
    "ProcessLabel": "system_u:system_r:svirt_lxc_net_t:s0:c570,c970",
    "AppArmorProfile": "",
    "ExecIDs": null,
    "HostConfig": {
        "Binds": null,
        "ContainerIDFile": "",
        "LogConfig": {
            "Type": "journald",
            "Config": {}
        },
        "NetworkMode": "default",
        "PortBindings": {},
        "RestartPolicy": {
            "Name": "no",
            "MaximumRetryCount": 0
        },
        "VolumeDriver": "",
        "VolumesFrom": null,
        "CapAdd": null,
        "CapDrop": null,
        "Dns": [],
        "DnsOptions": [],
        "DnsSearch": [],
        "ExtraHosts": null,
        "GroupAdd": null,
        "IpcMode": "",
        "Links": null,
        "OomScoreAdj": 0,
        "PidMode": "",
        "Privileged": false,
        "PublishAllPorts": false,
        "ReadonlyRootfs": false,
        "SecurityOpt": null,
        "UTSMode": "",
        "ShmSize": 67108864,
        "ConsoleSize": [
            0,
            0
        ],
        "Isolation": "",
        "CpuShares": 0,
        "CgroupParent": "",
        "BlkioWeight": 0,
        "BlkioWeightDevice": null,
        "BlkioDeviceReadBps": null,
        "BlkioDeviceWriteBps": null,
        "BlkioDeviceReadIOps": null,
        "BlkioDeviceWriteIOps": null,
        "CpuPeriod": 0,
        "CpuQuota": 0,
        "CpusetCpus": "",
        "CpusetMems": "",
        "Devices": [],
        "KernelMemory": 0,
        "Memory": 0,
        "MemoryReservation": 0,
        "MemorySwap": 0,
        "MemorySwappiness": -1,
        "OomKillDisable": false,
        "PidsLimit": 0,
        "Ulimits": null
    },
    "GraphDriver": {
        "Name": "devicemapper",
        "Data": {
            "DeviceId": "38",
            "DeviceName": "docker-253:0-1970585-466a43a88fda2e37aa154f06eaf6dcdc1c7a68890be72471ded27e3e45f0b960",
            "DeviceSize": "10737418240"
        }
    },
    "Mounts": [],
    "Config": {
        "Hostname": "c0170d0dfde1",
        "Domainname": "",
        "User": "",
        "AttachStdin": true,
        "AttachStdout": true,
        "AttachStderr": true,
        "ExposedPorts": {
            "11000/tcp": {},
            "11443/tcp": {},
            "16000/tcp": {},
            "16001/tcp": {},
            "19888/tcp": {},
            "2181/tcp": {},
            "22/tcp": {},
            "60010/tcp": {},
            "7077/tcp": {},
            "8020/tcp": {},
            "8042/tcp": {},
            "8080/tcp": {},
            "8088/tcp": {},
            "8888/tcp": {},
            "8983/tcp": {},
            "9090/tcp": {},
            "9092/tcp": {}
        },
        "Tty": true,
        "OpenStdin": true,
        "StdinOnce": true,
        "Env": [
            "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
            "TERM=xterm"
        ],
        "Cmd": [
            "/bin/bash"
        ],
        "Image": "docker.io/caioquirino/docker-cloudera-quickstart",
        "Volumes": null,
        "WorkingDir": "",
        "Entrypoint": null,
        "OnBuild": null,
        "Labels": {}
    },
    "NetworkSettings": {
        "Bridge": "",
        "SandboxID": "e33871c583ead85bb1d5c68160f19fd67007e3f0fd18acaf92706d88e941d6a3",
        "HairpinMode": false,
        "LinkLocalIPv6Address": "",
        "LinkLocalIPv6PrefixLen": 0,
        "Ports": {
            "11000/tcp": null,
            "11443/tcp": null,
            "16000/tcp": null,
            "16001/tcp": null,
            "19888/tcp": null,
            "2181/tcp": null,
            "22/tcp": null,
            "60010/tcp": null,
            "7077/tcp": null,
            "8020/tcp": null,
            "8042/tcp": null,
            "8080/tcp": null,
            "8088/tcp": null,
            "8888/tcp": null,
            "8983/tcp": null,
            "9090/tcp": null,
            "9092/tcp": null
        },
        "SandboxKey": "/var/run/docker/netns/e33871c583ea",
        "SecondaryIPAddresses": null,
        "SecondaryIPv6Addresses": null,
        "EndpointID": "dfb52838892c31a3428efd6d0996b6f9ccbe2f9edc71a2a2e2cf0c08c622d538",
        "Gateway": "172.17.0.1",
        "GlobalIPv6Address": "",
        "GlobalIPv6PrefixLen": 0,
        "IPAddress": "172.17.0.2",
        "IPPrefixLen": 16,
        "IPv6Gateway": "",
        "MacAddress": "02:42:ac:11:00:02",
        "Networks": {
            "bridge": {
                "IPAMConfig": null,
                "Links": null,
                "Aliases": null,
                "NetworkID": "17de08a7428d3243288647a88e991cdf8989b3c9aab17213a24acfbf396ded3a",
                "EndpointID": "dfb52838892c31a3428efd6d0996b6f9ccbe2f9edc71a2a2e2cf0c08c622d538",
                "Gateway": "172.17.0.1",
                "IPAddress": "172.17.0.2",
                "IPPrefixLen": 16,
                "IPv6Gateway": "",
                "GlobalIPv6Address": "",
                "GlobalIPv6PrefixLen": 0,
                "MacAddress": "02:42:ac:11:00:02"
            }
        }
    }
}

但我仍然可以访问任意端口(包括未在 ExposedPorts 中列出的端口):

 [root@localhost bryan]# curl 172.17.0.2:50070
<!--
  Licensed to the Apache Software Foundation (ASF) under one or more
 contributor license agreements.  See the NOTICE file distributed with
  this work for additional information regarding copyright ownership.
 The ASF licenses this file to You under the Apache License, Version 2.0
  (the "License"); you may not use this file except in compliance with
 the License.  You may obtain a copy of the License at

   http://www.apache.org/licenses/LICENSE-2.0

   Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
   limitations under the License.

1 个答案:

答案 0 :(得分:2)

暴露的端口(EXPOSE)在 Dockerfile 中定义并写入镜像配置。它们只是告诉 docker 容器会监听哪些端口,但默认情况下并不会发布这些端口。您需要使用 -p 发布特定端口,或者使用 -P 将所有暴露的端口发布到随机的主机端口。

在 docker 主机上,根据您 linux 的 iptables 配置,您可以直接与容器的接口/端口通信,正如您的示例所示。但除非您能通过 localhost 接口访问该端口,否则这些端口并没有对外部世界发布。您可以使用以下命令来验证:

 curl 127.0.0.1:50070