Connection refused when connecting to the exposed port on a Docker container

Time: 2019-10-18 16:10:58

Tags: linux docker flask dockerfile containers

The Dockerfile looks like this:

FROM ubuntu:latest
LABEL Spongebob Dockerpants "s.dockerpants@comcast.net"
RUN apt-get update -y
RUN apt-get install -y python3-pip python3-dev build-essential

#Add source files
COPY . /app
ENV HOME=/app
WORKDIR /app

# Install Python web server and dependencies
RUN pip3 install -r requirements.txt

ENV FLASK_APP=app.py

# Expose port
EXPOSE 8090
#ENTRYPOINT ["python3"]
CMD ["python3", "app.py"]
CMD tail -f /dev/null

I start the container like this:

docker run --name taskman -p 8090:8090 -d task-manager-app:latest

I see that the container is running and that my localhost is listening on 8090:

CORP\n0118236 @ a-33jxiw0rv8is5 in ~/docker_pete/flask-task-manager on master*
$ docker ps
CONTAINER ID        IMAGE                     COMMAND                  CREATED              STATUS              PORTS                    NAMES
c1ac5cb27698        task-manager-app:latest   "/bin/sh -c 'tail -f…"   About a minute ago   Up About a minute   0.0.0.0:8090->8090/tcp   taskman

CORP\n0118236 @ a-33jxiw0rv8is5 in ~/docker_pete/flask-task-manager on master*
$ sudo netstat -nlp | grep 8090
tcp6       0      0 :::8090                 :::*                    LISTEN      1154/docker-proxy   

I try to reach 8090 on the container through localhost, per the docker run command I issued, but get "Connection refused":

CORP\n0118236 @ a-33jxiw0rv8is5 in ~/docker_pete/flask-task-manager on master*
$ curl http://localhost:8090
curl: (56) Recv failure: Connection reset by peer

Then I checked the port binding, and it looks OK:

CORP\n0118236 @ a-33jxiw0rv8is5 in ~/docker_pete/flask-task-manager on master*
$ sudo docker port c1ac5cb27698 8090
0.0.0.0:8090

When I do a docker inspect, I see this:

$ docker inspect c1ac5cb27698 | grep -A 55 "NetworkSettings"
        "NetworkSettings": {
            "Bridge": "",
            "SandboxID": "7c2249761e4f48eef373c6744161b0709f312863c94fdc17138913952be698a0",
            "HairpinMode": false,
            "LinkLocalIPv6Address": "",
            "LinkLocalIPv6PrefixLen": 0,
            "Ports": {
                "8090/tcp": [
                    {
                        "HostIp": "0.0.0.0",
                        "HostPort": "8090"
                    }
                ]
            },
            "SandboxKey": "/var/run/docker/netns/7c2249761e4f",
            "SecondaryIPAddresses": null,
            "SecondaryIPv6Addresses": null,
            "EndpointID": "ea7552d0ba9e8f0c865fa4a0f24781811c7332a1e7473c48e88fa4dbe6e5e05d",
            "Gateway": "172.17.0.1",
            "GlobalIPv6Address": "",
            "GlobalIPv6PrefixLen": 0,
            "IPAddress": "172.17.0.2",
            "IPPrefixLen": 16,
            "IPv6Gateway": "",
            "MacAddress": "02:42:ac:11:00:02",
            "Networks": {
                "bridge": {
                    "IPAMConfig": null,
                    "Links": null,
                    "Aliases": null,
                    "NetworkID": "cfb5be57fdeed8a08b1650b5706a00542c5249903ce33052ff3f0d3dab619675",
                    "EndpointID": "ea7552d0ba9e8f0c865fa4a0f24781811c7332a1e7473c48e88fa4dbe6e5e05d",
                    "Gateway": "172.17.0.1",
                    "IPAddress": "172.17.0.2",
                    "IPPrefixLen": 16,
                    "IPv6Gateway": "",
                    "GlobalIPv6Address": "",
                    "GlobalIPv6PrefixLen": 0,
                    "MacAddress": "02:42:ac:11:00:02",
                    "DriverOpts": null
                }
            }
        }
    }

I am able to ping the container from my localhost:

CORP\n0118236 @ a-33jxiw0rv8is5 in ~/docker_pete/flask-task-manager on master*
$ ping 172.17.0.2
PING 172.17.0.2 (172.17.0.2) 56(84) bytes of data.
64 bytes from 172.17.0.2: icmp_seq=1 ttl=255 time=0.045 ms
64 bytes from 172.17.0.2: icmp_seq=2 ttl=255 time=0.042 ms
64 bytes from 172.17.0.2: icmp_seq=3 ttl=255 time=0.047 ms
^C
--- 172.17.0.2 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2053ms
rtt min/avg/max/mdev = 0.042/0.044/0.047/0.008 ms

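Is there any reason in the configuration why these connections are being refused? Is there a problem with the binding?

1 answer:

Answer 0 (score: 0)

Your Dockerfile contains two CMD lines, but Docker only accepts the latest one.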

CMD ["python3", "app.py"]
CMD tail -f /dev/null

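The actual command executed inside the container is the tail command, which does not bind and listen on the port. You can ping the container because the tail command keeps the container alive.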
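
The check described in the answer can be automated before an image is built. The following is an added example, not part of the original question or answer: it reads a Dockerfile, reports which CMD actually runs in each build stage, and lists the CMD lines that are silently overridden. The function names and the sample text are constructed for illustration; the reported command corresponds to the COMMAND column that docker ps showed above.

```python
import json

# Constructed sample: the last lines of the Dockerfile from the question.
SAMPLE = """\
FROM ubuntu:latest
EXPOSE 8090
#ENTRYPOINT ["python3"]
CMD ["python3", "app.py"]
CMD tail -f /dev/null
"""

def logical_lines(text):
    """Yield (first_line_no, instruction), joining '\\' continuations, skipping comments."""
    buf, start = "", None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        start = start or no
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield start, buf + line
        buf, start = "", None

def parse_cmd(arg):
    """Exec form (JSON array) is returned as argv; shell form is wrapped in /bin/sh -c."""
    try:
        argv = json.loads(arg)
    except ValueError:
        return ["/bin/sh", "-c", arg]
    return argv if isinstance(argv, list) else ["/bin/sh", "-c", arg]

def effective_cmds(text):
    """Per build stage (each FROM starts one): the CMD that runs and the CMDs it overrides."""
    stages = []
    for no, instr in logical_lines(text):
        word, _, arg = instr.partition(" ")
        if word.upper() == "FROM":
            stages.append({"effective": None, "ignored": []})
        elif word.upper() == "CMD" and stages:
            if stages[-1]["effective"]:
                stages[-1]["ignored"].append(stages[-1]["effective"])
            stages[-1]["effective"] = (no, parse_cmd(arg.strip()))
    return stages

if __name__ == "__main__":
    for i, s in enumerate(effective_cmds(SAMPLE)):
        print(f"stage {i}: runs {s['effective']}, ignores {s['ignored']}")
```

A non-empty "ignored" list for the final stage means the image will not start the process the earlier CMD names, so nothing may be listening behind a published port.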