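I have a Docker image with a WildFly server that binds to ports 8080, 8443, 8787 and 9990 on the 0.0.0.0 interface (for development and remote debugging).
The Dockerfile itself does not contain any EXPOSE statements, because I want to use docker-compose.yml to expose ports selectively.
Dockerfile (shortened)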
FROM ubuntu:bionic
ARG DEBIAN_FRONTEND=noninteractive
RUN apt-get update && \
    apt-get install -y -q some,packages,here \
    && apt-get clean \
    && apt-get autoclean \
    && apt-get --purge -y autoremove \
    && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
ENV WILDFLY_VERSION 16.0.0.Final
ENV WFLY_DIR /wildfly-$WILDFLY_VERSION
ENV JBOSS_HOME $WFLY_DIR
ADD /wildfly-$WILDFLY_VERSION
RUN groupadd -g 999 wildfly && useradd -r -u 999 -g wildfly --home= --shell=/bin/bash wildfly
RUN chown -R wildfly:wildfly /wildfly-$WILDFLY_VERSION
RUN chmod 755 $WFLY_DIR/bin/*.sh
USER wildfly
The docker-compose.yml file essentially contains the following:
version: "3.5"
services:
  appsvr:
    build: ../../images/myimage/
    command: ["/bin/bash", "/start.sh"]
    expose:
      - 8443
      - 8787
I start the container with docker-compose up -d, and WildFly comes up as expected. Now I check which ports are exposed and get the container's IP:
bash% docker inspect --format=" {{ .NetworkSettings.Ports }} " containername
map[8443/tcp:[] 8787/tcp:[]]
bash% docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' containername
172.20.0.10
This seems to be correct. I can connect to 8443, but I cannot connect to 8787. Further analysis of the IP with nmap yields:
bash% nmap -p8000-10000 172.20.0.10
Starting Nmap 6.40 ( http://nmap.org ) at 2019-10-04 16:33 UTC
Nmap scan report for ip-172-20-0-10.eu-central-1.compute.internal (172.20.0.10)
Host is up (0.00029s latency).
Not shown: 1998 closed ports
PORT STATE SERVICE
8080/tcp open http-proxy
8443/tcp open https-alt
9990/tcp open osm-appsrvr
Nmap done: 1 IP address (1 host up) scanned in 0.05 seconds
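This is strange, because I did not expose 8080 or 9990 (I checked, and it is indeed WildFly responding to requests on 8080). And 8787, although exposed via docker-compose (and also open inside the container when bashing into the container!), is not.
My docker-engine and docker-compose versions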
bash% docker version
Client:
Version: 18.06.1-ce
API version: 1.38
Go version: go1.10.3
Git commit: e68fc7a215d7133c34aa18e3b72b4a21fd0c6136
Built: Fri Jun 28 23:16:08 2019
OS/Arch: linux/amd64
Experimental: false
Server:
Engine:
Version: 18.06.1-ce
API version: 1.38 (minimum version 1.12)
Go version: go1.10.3
Git commit: e68fc7a/18.06.1-ce
Built: Fri Jun 28 23:17:39 2019
OS/Arch: linux/amd64
Experimental: false
bash% docker-compose version
docker-compose version 1.21.2, build a133471
docker-py version: 3.3.0
CPython version: 3.6.5
OpenSSL version: OpenSSL 1.0.1t 3 May 2016
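Is this expected? I think not. Or have I conceptually misunderstood how EXPOSE is supposed to work (I assumed that unexposed ports are not visible, and vice versa)?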
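
The comparison the post does by eye, ports recorded in the container metadata against ports that actually answer on the container IP, as an added example that is not part of the original post. The function names are hypothetical, and the sample inputs are copied from the docker inspect and nmap outputs shown above.

```shell
#!/bin/sh
# Added example: flag mismatches between declared and reachable ports.

# Sample inputs, copied from the outputs shown in the post.
INSPECT_OUT='map[8443/tcp:[] 8787/tcp:[]]'
NMAP_OUT='PORT STATE SERVICE
8080/tcp open http-proxy
8443/tcp open https-alt
9990/tcp open osm-appsrvr'

# Extract the "port/proto" keys from the Go-template map printed by
#   docker inspect --format "{{ .NetworkSettings.Ports }}" <container>
declared_ports() {
    printf '%s\n' "$1" | grep -oE '[0-9]+/(tcp|udp)' | sort -u
}

# Extract the ports reported as open from nmap's normal output table.
open_ports() {
    printf '%s\n' "$1" |
        awk '$1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" { print $1 }' |
        sort -u
}

# Print one finding per line:
#   UNDECLARED  <port>  answers on the network but is absent from the metadata
#   UNREACHABLE <port>  is in the metadata but does not answer
audit() {
    decl=$(declared_ports "$1")
    open=$(open_ports "$2")
    for p in $open; do
        printf '%s\n' "$decl" | grep -qxF "$p" || echo "UNDECLARED $p"
    done
    for p in $decl; do
        printf '%s\n' "$open" | grep -qxF "$p" || echo "UNREACHABLE $p"
    done
}

audit "$INSPECT_OUT" "$NMAP_OUT"
```

With the post's outputs this reports 8080/tcp and 9990/tcp as UNDECLARED and 8787/tcp as UNREACHABLE.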