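Docker defines several ways to expose a container's ports; they are summarized below.

In a Dockerfile, the EXPOSE instruction only declares which ports the container needs to expose; it does not actually publish them.

EXPOSE <port> [<port>/<protocol>...]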

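Specifying ports with options when starting the container

# Publish a specific container port on a specific host port
docker run -p 80:80

# Publish all of the container's exposed ports on random host ports
docker run -P

# Expose ports in addition to those declared by EXPOSE in the Dockerfile
docker run --expose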

Dockerfile EXPOSE instruction

The EXPOSE instruction informs Docker that the container listens on the specified network ports at runtime. You can specify whether the port listens on TCP or UDP, and the default is TCP if the protocol is not specified.

The EXPOSE instruction does not actually publish the port. It functions as a type of documentation between the person who builds the image and the person who runs the container, about which ports are intended to be published. To actually publish the port when running the container, use the -p flag on docker run to publish and map one or more ports, or the -P flag to publish all exposed ports and map them to high-order ports.

By default, EXPOSE assumes TCP. You can also specify UDP:

EXPOSE 80/udp

To expose on both TCP and UDP, include two lines:

EXPOSE 80/tcp

EXPOSE 80/udp

In this case, if you use -P with docker run, the port will be exposed once for TCP and once for UDP. Remember that -P uses an ephemeral high-ordered host port on the host, so the port will not be the same for TCP and UDP.

Regardless of the EXPOSE settings, you can override them at runtime by using the -p flag. For example:

docker run -p 80:80/tcp -p 80:80/udp ...

To set up port redirection on the host system, see using the -P flag. The docker network command supports creating networks for communication among containers without the need to expose or publish specific ports, because the containers connected to the network can communicate with each other over any port. For detailed information, see the overview of this feature.

docker run options

The following run command options work with container networking:

--expose=[]: Expose a port or a range of ports inside the container.
             These are additional to those exposed by the `EXPOSE` instruction
-P         : Publish all exposed ports to the host interfaces
-p=[]      : Publish a container's port or a range of ports to the host
               format: ip:hostPort:containerPort | ip::containerPort | hostPort:containerPort | containerPort
               Both hostPort and containerPort can be specified as a
               range of ports. When specifying ranges for both, the
               number of container ports in the range must match the
               number of host ports in the range, for example:
                   -p 1234-1236:1234-1236/tcp

               When specifying a range for hostPort only, the
               containerPort must not be a range. In this case the
               container port is published somewhere within the
               specified hostPort range. (e.g., `-p 1234-1236:1234/tcp`)

               (use 'docker port' to see the actual mapping)
--link=""  : Add link to another container (<name or id>:alias or <name or id>)

With the exception of the EXPOSE directive, an image developer hasn’t got much control over networking. The EXPOSE instruction defines the initial incoming ports that provide services. These ports are available to processes inside the container. An operator can use the --expose option to add to the exposed ports.

To expose a container’s internal port, an operator can start the container with the -P or -p flag. The exposed port is accessible on the host and the ports are available to any client that can reach the host.
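The following is an added example, not code from Docker or from the original post: it parses the -p formats listed in the option help above, enforces the range rule, and reports which specs publish on every host interface and are therefore reachable by any client that can reach the host. The function names are hypothetical; it assumes IPv4 host addresses only and a daemon whose default bind address has not been changed.

```python
# Added example (not from the Docker docs): parse `docker run -p` specs.
# Assumptions: IPv4 host addresses only; daemon default bind address unchanged.

def _ports(text):
    """'1234-1236' -> (1234, 1236); '80' -> (80, 80)."""
    lo, _, hi = text.partition("-")
    lo, hi = int(lo), int(hi or lo)
    if not 0 < lo <= hi <= 65535:
        raise ValueError(f"bad port or range: {text!r}")
    return lo, hi

def parse_publish(spec):
    """Parse ip:hostPort:containerPort | ip::containerPort |
    hostPort:containerPort | containerPort, with an optional /proto suffix."""
    body, _, proto = spec.partition("/")
    parts = body.split(":")
    if len(parts) == 1:
        ip, host, cont = "", "", parts[0]
    elif len(parts) == 2:
        ip, (host, cont) = "", parts
    elif len(parts) == 3:
        ip, host, cont = parts
    else:
        raise ValueError(f"unrecognised publish spec: {spec!r}")
    c_lo, c_hi = _ports(cont)
    h_rng = _ports(host) if host else None  # None: Docker picks the host port
    # A container range needs a host range of the same size (or no host port).
    if h_rng and c_hi > c_lo and h_rng[1] - h_rng[0] != c_hi - c_lo:
        raise ValueError(f"range sizes differ in {spec!r}")
    return {
        "bind_ip": ip or "0.0.0.0",
        "host_ports": h_rng,
        "container_ports": (c_lo, c_hi),
        "proto": proto or "tcp",  # TCP is the default protocol
        "all_interfaces": ip in ("", "0.0.0.0"),
    }

def audit(specs):
    """Return the specs that publish on every host interface."""
    return [s for s in specs if parse_publish(s)["all_interfaces"]]

if __name__ == "__main__":
    # Constructed sample specs, in the forms listed in the option help above.
    samples = ["80:80", "127.0.0.1:8080:80", "127.0.0.1::53/udp",
               "1234-1236:1234-1236/tcp", "1234-1236:1234/tcp"]
    for s in samples:
        print(s, "->", parse_publish(s))
    print("reachable from any host interface:", audit(samples))
```

A service meant only for local use can be published with an explicit address, as in the 127.0.0.1:8080:80 sample, so that it is not bound on all interfaces.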

The -P option publishes all the ports to the host interfaces. Docker binds each exposed port to a random port on the host. The range of ports is within an ephemeral port range defined by /proc/sys/net/ipv4/ip_local_port_range. Use the -p flag to explicitly map a single port or range of ports.

The port number inside the container (where the service listens) does not need to match the port number exposed on the outside of the container (where clients connect). For example, inside the container an HTTP service is listening on port 80 (and so the image developer specifies EXPOSE 80 in the Dockerfile). At runtime, the port might be bound to 42800 on the host. To find the mapping between the host ports and the exposed ports, use docker port.

If the operator uses --link when starting a new client container in the default bridge network, then the client container can access the exposed port via a private networking interface. If --link is used when starting a container in a user-defined network as described in Networking overview, it will provide a named alias for the container being linked to.
