发表新帖
发表新帖

How to publish ports in docker files

后端 未结
关注
4 2058
有刺的猬
有刺的猬 2021-02-03 21:45

I need to map the ports on the host to the ports on the container. I can achieve this by running the \"docker run\" command with the -p option. How do

4条回答
  • 悲&欢浪女
    悲&欢浪女 (楼主)
    2021-02-03 22:22

    You can't. What ports are published on the docker host is strictly a decision that should be made by the local administrator, not by the image they are trying to run; this would be (a) a security problem (hey, I just opened up ssh access to your system!) and (b) prone to failure (my webserver container can't bind on port 80 because I'm already running a server on port 80).

    If you want to avoid long docker run command lines, consider using something like docker-compose to automate the process. You can then pass docker-compose a configuration like:

    mywebserver:
  image: myname/mywebserver
  ports:
    - 80:8080

    And then a simple docker-compose up will start your container with container port 8080 bound to host port 80.

    Update 2017-03-11

    In response to Willa's comment:

    • Using docker-compose will not help with the port collision issue. The port collision issue is a reason why images should not be able to specify host port bindings. I was simply offering docker-compose as an alternative to long docker run command lines with multiple port bindings. The port collision issue would potentially allow a container to perform a denial-of-service attack on your host: if, for example, a container starts and binds to port 80 before an Apache server on your host (or in another container), then you have just lost your web service.

    • Regarding the security issue: If an image were able to specify host port bindings, it would be possible for containers to open up access to the container without your knowledge. Permitting a remote user to access a container on your host opens you up to the possibility of a host compromise in the event that the namespace features in the kernel fail to completely isolate the container, and even if you completely trust the isolation it opens you up to potential legal problems if that container is used for illicit purposes. In either case it's a bad idea.

    0 讨论(0)
 看不清?
提交回复
热议问题