docker - 为什么使用此 Docker 镜像时默认会发布所有端口

标签 docker port fedora

是否有某些不起眼的配置会导致所有端口都被发布(在 docker 容器内外都可以访问)?该镜像是在不带任何选项的情况下直接运行的,如下所示:

docker run -it xxx/xxx /bin/bash

这是 docker inspect 的输出(请注意,“PublishAllPorts”设置为 false,并且只显式暴露了少数几个端口):
 {
    "Id": "c0170d0dfde1a92550e4f3ac999cd13c9711f3b15493325d85a4b9c9542f5d01",
    "Created": "2016-12-02T05:19:27.91485137Z",
    "Path": "/bin/bash",
    "Args": [],
    "State": {
        "Status": "running",
        "Running": true,
        "Paused": false,
        "Restarting": false,
        "OOMKilled": false,
        "Dead": false,
        "Pid": 26493,
        "ExitCode": 0,
        "Error": "",
        "StartedAt": "2016-12-05T14:44:38.270973904Z",
        "FinishedAt": "2016-12-05T14:43:57.974501757Z"
    },
    "Image": "sha256:2b6dff71e5b964409749dacabe5653d57879b860bfbddf37bb40a51c3d3c5778",
    "ResolvConfPath": "/var/lib/docker/containers/c0170d0dfde1a92550e4f3ac999cd13c9711f3b15493325d85a4b9c9542f5d01/resolv.conf",
    "HostnamePath": "/var/lib/docker/containers/c0170d0dfde1a92550e4f3ac999cd13c9711f3b15493325d85a4b9c9542f5d01/hostname",
    "HostsPath": "/var/lib/docker/containers/c0170d0dfde1a92550e4f3ac999cd13c9711f3b15493325d85a4b9c9542f5d01/hosts",
    "LogPath": "",
    "Name": "/pedantic_perlman",
    "RestartCount": 0,
    "Driver": "devicemapper",
    "MountLabel": "system_u:object_r:svirt_sandbox_file_t:s0:c570,c970",
    "ProcessLabel": "system_u:system_r:svirt_lxc_net_t:s0:c570,c970",
    "AppArmorProfile": "",
    "ExecIDs": null,
    "HostConfig": {
        "Binds": null,
        "ContainerIDFile": "",
        "LogConfig": {
            "Type": "journald",
            "Config": {}
        },
        "NetworkMode": "default",
        "PortBindings": {},
        "RestartPolicy": {
            "Name": "no",
            "MaximumRetryCount": 0
        },
        "VolumeDriver": "",
        "VolumesFrom": null,
        "CapAdd": null,
        "CapDrop": null,
        "Dns": [],
        "DnsOptions": [],
        "DnsSearch": [],
        "ExtraHosts": null,
        "GroupAdd": null,
        "IpcMode": "",
        "Links": null,
        "OomScoreAdj": 0,
        "PidMode": "",
        "Privileged": false,
        "PublishAllPorts": false,
        "ReadonlyRootfs": false,
        "SecurityOpt": null,
        "UTSMode": "",
        "ShmSize": 67108864,
        "ConsoleSize": [
            0,
            0
        ],
        "Isolation": "",
        "CpuShares": 0,
        "CgroupParent": "",
        "BlkioWeight": 0,
        "BlkioWeightDevice": null,
        "BlkioDeviceReadBps": null,
        "BlkioDeviceWriteBps": null,
        "BlkioDeviceReadIOps": null,
        "BlkioDeviceWriteIOps": null,
        "CpuPeriod": 0,
        "CpuQuota": 0,
        "CpusetCpus": "",
        "CpusetMems": "",
        "Devices": [],
        "KernelMemory": 0,
        "Memory": 0,
        "MemoryReservation": 0,
        "MemorySwap": 0,
        "MemorySwappiness": -1,
        "OomKillDisable": false,
        "PidsLimit": 0,
        "Ulimits": null
    },
    "GraphDriver": {
        "Name": "devicemapper",
        "Data": {
            "DeviceId": "38",
            "DeviceName": "docker-253:0-1970585-466a43a88fda2e37aa154f06eaf6dcdc1c7a68890be72471ded27e3e45f0b960",
            "DeviceSize": "10737418240"
        }
    },
    "Mounts": [],
    "Config": {
        "Hostname": "c0170d0dfde1",
        "Domainname": "",
        "User": "",
        "AttachStdin": true,
        "AttachStdout": true,
        "AttachStderr": true,
        "ExposedPorts": {
            "11000/tcp": {},
            "11443/tcp": {},
            "16000/tcp": {},
            "16001/tcp": {},
            "19888/tcp": {},
            "2181/tcp": {},
            "22/tcp": {},
            "60010/tcp": {},
            "7077/tcp": {},
            "8020/tcp": {},
            "8042/tcp": {},
            "8080/tcp": {},
            "8088/tcp": {},
            "8888/tcp": {},
            "8983/tcp": {},
            "9090/tcp": {},
            "9092/tcp": {}
        },
        "Tty": true,
        "OpenStdin": true,
        "StdinOnce": true,
        "Env": [
            "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
            "TERM=xterm"
        ],
        "Cmd": [
            "/bin/bash"
        ],
        "Image": "docker.io/caioquirino/docker-cloudera-quickstart",
        "Volumes": null,
        "WorkingDir": "",
        "Entrypoint": null,
        "OnBuild": null,
        "Labels": {}
    },
    "NetworkSettings": {
        "Bridge": "",
        "SandboxID": "e33871c583ead85bb1d5c68160f19fd67007e3f0fd18acaf92706d88e941d6a3",
        "HairpinMode": false,
        "LinkLocalIPv6Address": "",
        "LinkLocalIPv6PrefixLen": 0,
        "Ports": {
            "11000/tcp": null,
            "11443/tcp": null,
            "16000/tcp": null,
            "16001/tcp": null,
            "19888/tcp": null,
            "2181/tcp": null,
            "22/tcp": null,
            "60010/tcp": null,
            "7077/tcp": null,
            "8020/tcp": null,
            "8042/tcp": null,
            "8080/tcp": null,
            "8088/tcp": null,
            "8888/tcp": null,
            "8983/tcp": null,
            "9090/tcp": null,
            "9092/tcp": null
        },
        "SandboxKey": "/var/run/docker/netns/e33871c583ea",
        "SecondaryIPAddresses": null,
        "SecondaryIPv6Addresses": null,
        "EndpointID": "dfb52838892c31a3428efd6d0996b6f9ccbe2f9edc71a2a2e2cf0c08c622d538",
        "Gateway": "172.17.0.1",
        "GlobalIPv6Address": "",
        "GlobalIPv6PrefixLen": 0,
        "IPAddress": "172.17.0.2",
        "IPPrefixLen": 16,
        "IPv6Gateway": "",
        "MacAddress": "02:42:ac:11:00:02",
        "Networks": {
            "bridge": {
                "IPAMConfig": null,
                "Links": null,
                "Aliases": null,
                "NetworkID": "17de08a7428d3243288647a88e991cdf8989b3c9aab17213a24acfbf396ded3a",
                "EndpointID": "dfb52838892c31a3428efd6d0996b6f9ccbe2f9edc71a2a2e2cf0c08c622d538",
                "Gateway": "172.17.0.1",
                "IPAddress": "172.17.0.2",
                "IPPrefixLen": 16,
                "IPv6Gateway": "",
                "GlobalIPv6Address": "",
                "GlobalIPv6PrefixLen": 0,
                "MacAddress": "02:42:ac:11:00:02"
            }
        }
    }
}

但我似乎仍然可以访问任何端口:
 [root@localhost bryan]# curl 172.17.0.2:50070
<!--
  Licensed to the Apache Software Foundation (ASF) under one or more
 contributor license agreements.  See the NOTICE file distributed with
  this work for additional information regarding copyright ownership.
 The ASF licenses this file to You under the Apache License, Version 2.0
  (the "License"); you may not use this file except in compliance with
 the License.  You may obtain a copy of the License at

   http://www.apache.org/licenses/LICENSE-2.0

   Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
   limitations under the License.

最佳答案

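暴露(EXPOSE)的端口在您的 Dockerfile 中定义,并合并到镜像配置中。它们只是告诉 docker 容器会监听哪些端口,默认情况下并不会发布这些端口。EXPOSE 只是元数据,并不起防火墙的作用:即使某个端口(例如示例中的 50070)不在 ExposedPorts 列表里,只要容器内有进程在监听,从 docker 主机通过容器的网桥 IP 仍然可以访问它。您需要使用 -p 发布特定端口,或使用 -P 将所有暴露的端口发布到随机的主机端口。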

取决于您的 linux iptables 配置,您可以从 docker 主机内部直接与容器的网络接口(interface)/端口通信,正如您的示例所示。除非您能通过 localhost 接口(interface)访问这些端口,否则它们并没有向外界发布;上面 inspect 输出中 PortBindings 为空、NetworkSettings.Ports 各项均为 null,也表明没有任何端口绑定到主机。您可以使用以下命令验证这一点:

 curl 127.0.0.1:50070

关于docker - 为什么默认情况下所有端口都使用此 Docker 镜像发布,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/40980242/
