为什么这个 Docker 镜像默认就"发布"了所有端口

Why are all ports published by default with this Docker image

是否存在某种不起眼的配置,会导致镜像的所有端口都被发布(即在 Docker 容器外部也能访问)?即使不带任何选项直接运行镜像也是如此,例如:

docker run -it xxx/xxx /bin/bash

以下是 docker inspect 的输出(注意 "PublishAllPorts" 为 false,"HostConfig.PortBindings" 为空,"NetworkSettings.Ports" 中每个端口都是 null,也就是没有任何宿主机端口映射;只有少数端口在 "Config.ExposedPorts" 中被显式 EXPOSE):

 {
    "Id": "c0170d0dfde1a92550e4f3ac999cd13c9711f3b15493325d85a4b9c9542f5d01",
    "Created": "2016-12-02T05:19:27.91485137Z",
    "Path": "/bin/bash",
    "Args": [],
    "State": {
        "Status": "running",
        "Running": true,
        "Paused": false,
        "Restarting": false,
        "OOMKilled": false,
        "Dead": false,
        "Pid": 26493,
        "ExitCode": 0,
        "Error": "",
        "StartedAt": "2016-12-05T14:44:38.270973904Z",
        "FinishedAt": "2016-12-05T14:43:57.974501757Z"
    },
    "Image": "sha256:2b6dff71e5b964409749dacabe5653d57879b860bfbddf37bb40a51c3d3c5778",
    "ResolvConfPath": "/var/lib/docker/containers/c0170d0dfde1a92550e4f3ac999cd13c9711f3b15493325d85a4b9c9542f5d01/resolv.conf",
    "HostnamePath": "/var/lib/docker/containers/c0170d0dfde1a92550e4f3ac999cd13c9711f3b15493325d85a4b9c9542f5d01/hostname",
    "HostsPath": "/var/lib/docker/containers/c0170d0dfde1a92550e4f3ac999cd13c9711f3b15493325d85a4b9c9542f5d01/hosts",
    "LogPath": "",
    "Name": "/pedantic_perlman",
    "RestartCount": 0,
    "Driver": "devicemapper",
    "MountLabel": "system_u:object_r:svirt_sandbox_file_t:s0:c570,c970",
    "ProcessLabel": "system_u:system_r:svirt_lxc_net_t:s0:c570,c970",
    "AppArmorProfile": "",
    "ExecIDs": null,
    "HostConfig": {
        "Binds": null,
        "ContainerIDFile": "",
        "LogConfig": {
            "Type": "journald",
            "Config": {}
        },
        "NetworkMode": "default",
        "PortBindings": {},
        "RestartPolicy": {
            "Name": "no",
            "MaximumRetryCount": 0
        },
        "VolumeDriver": "",
        "VolumesFrom": null,
        "CapAdd": null,
        "CapDrop": null,
        "Dns": [],
        "DnsOptions": [],
        "DnsSearch": [],
        "ExtraHosts": null,
        "GroupAdd": null,
        "IpcMode": "",
        "Links": null,
        "OomScoreAdj": 0,
        "PidMode": "",
        "Privileged": false,
        "PublishAllPorts": false,
        "ReadonlyRootfs": false,
        "SecurityOpt": null,
        "UTSMode": "",
        "ShmSize": 67108864,
        "ConsoleSize": [
            0,
            0
        ],
        "Isolation": "",
        "CpuShares": 0,
        "CgroupParent": "",
        "BlkioWeight": 0,
        "BlkioWeightDevice": null,
        "BlkioDeviceReadBps": null,
        "BlkioDeviceWriteBps": null,
        "BlkioDeviceReadIOps": null,
        "BlkioDeviceWriteIOps": null,
        "CpuPeriod": 0,
        "CpuQuota": 0,
        "CpusetCpus": "",
        "CpusetMems": "",
        "Devices": [],
        "KernelMemory": 0,
        "Memory": 0,
        "MemoryReservation": 0,
        "MemorySwap": 0,
        "MemorySwappiness": -1,
        "OomKillDisable": false,
        "PidsLimit": 0,
        "Ulimits": null
    },
    "GraphDriver": {
        "Name": "devicemapper",
        "Data": {
            "DeviceId": "38",
            "DeviceName": "docker-253:0-1970585-466a43a88fda2e37aa154f06eaf6dcdc1c7a68890be72471ded27e3e45f0b960",
            "DeviceSize": "10737418240"
        }
    },
    "Mounts": [],
    "Config": {
        "Hostname": "c0170d0dfde1",
        "Domainname": "",
        "User": "",
        "AttachStdin": true,
        "AttachStdout": true,
        "AttachStderr": true,
        "ExposedPorts": {
            "11000/tcp": {},
            "11443/tcp": {},
            "16000/tcp": {},
            "16001/tcp": {},
            "19888/tcp": {},
            "2181/tcp": {},
            "22/tcp": {},
            "60010/tcp": {},
            "7077/tcp": {},
            "8020/tcp": {},
            "8042/tcp": {},
            "8080/tcp": {},
            "8088/tcp": {},
            "8888/tcp": {},
            "8983/tcp": {},
            "9090/tcp": {},
            "9092/tcp": {}
        },
        "Tty": true,
        "OpenStdin": true,
        "StdinOnce": true,
        "Env": [
            "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
            "TERM=xterm"
        ],
        "Cmd": [
            "/bin/bash"
        ],
        "Image": "docker.io/caioquirino/docker-cloudera-quickstart",
        "Volumes": null,
        "WorkingDir": "",
        "Entrypoint": null,
        "OnBuild": null,
        "Labels": {}
    },
    "NetworkSettings": {
        "Bridge": "",
        "SandboxID": "e33871c583ead85bb1d5c68160f19fd67007e3f0fd18acaf92706d88e941d6a3",
        "HairpinMode": false,
        "LinkLocalIPv6Address": "",
        "LinkLocalIPv6PrefixLen": 0,
        "Ports": {
            "11000/tcp": null,
            "11443/tcp": null,
            "16000/tcp": null,
            "16001/tcp": null,
            "19888/tcp": null,
            "2181/tcp": null,
            "22/tcp": null,
            "60010/tcp": null,
            "7077/tcp": null,
            "8020/tcp": null,
            "8042/tcp": null,
            "8080/tcp": null,
            "8088/tcp": null,
            "8888/tcp": null,
            "8983/tcp": null,
            "9090/tcp": null,
            "9092/tcp": null
        },
        "SandboxKey": "/var/run/docker/netns/e33871c583ea",
        "SecondaryIPAddresses": null,
        "SecondaryIPv6Addresses": null,
        "EndpointID": "dfb52838892c31a3428efd6d0996b6f9ccbe2f9edc71a2a2e2cf0c08c622d538",
        "Gateway": "172.17.0.1",
        "GlobalIPv6Address": "",
        "GlobalIPv6PrefixLen": 0,
        "IPAddress": "172.17.0.2",
        "IPPrefixLen": 16,
        "IPv6Gateway": "",
        "MacAddress": "02:42:ac:11:00:02",
        "Networks": {
            "bridge": {
                "IPAMConfig": null,
                "Links": null,
                "Aliases": null,
                "NetworkID": "17de08a7428d3243288647a88e991cdf8989b3c9aab17213a24acfbf396ded3a",
                "EndpointID": "dfb52838892c31a3428efd6d0996b6f9ccbe2f9edc71a2a2e2cf0c08c622d538",
                "Gateway": "172.17.0.1",
                "IPAddress": "172.17.0.2",
                "IPPrefixLen": 16,
                "IPv6Gateway": "",
                "GlobalIPv6Address": "",
                "GlobalIPv6PrefixLen": 0,
                "MacAddress": "02:42:ac:11:00:02"
            }
        }
    }
}

但我似乎仍然可以从宿主机访问任意端口——甚至包括 50070 这种根本没有出现在 ExposedPorts 里的端口:

 [root@localhost bryan]# curl 172.17.0.2:50070
<!--
  Licensed to the Apache Software Foundation (ASF) under one or more
 contributor license agreements.  See the NOTICE file distributed with
  this work for additional information regarding copyright ownership.
 The ASF licenses this file to You under the Apache License, Version 2.0
  (the "License"); you may not use this file except in compliance with
 the License.  You may obtain a copy of the License at

   http://www.apache.org/licenses/LICENSE-2.0

   Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
   limitations under the License.

EXPOSE 的端口在 Dockerfile 中定义,并合并进镜像配置(也就是上面 Config.ExposedPorts 里的那份列表)。它们只是元数据:告诉 Docker(以及阅读镜像的人)容器内的服务打算监听哪些端口,既不会让容器真的去监听这些端口,也不会把它们发布到宿主机上——所以 EXPOSE 既不是"开放",也不是访问控制。要发布端口必须显式使用 -p 指定某个端口,或者使用 -P 把所有 EXPOSE 的端口发布到随机的宿主机端口。

你的例子之所以能访问,是因为你是在 Docker 宿主机上直接向容器在 bridge 网络中的 IP(172.17.0.2)发请求:宿主机本身就有到 docker0 网桥的路由,容器内监听的任何端口都能这样直接连上,与 EXPOSE 或是否发布完全无关(同一 bridge 网络里的其他容器通常也能这样互相访问)。-p/-P 发布端口的真正作用,是在宿主机自身的接口上通过 iptables 添加 DNAT 规则;宿主机以外的机器能否到达 172.17.0.0/16 这个容器网段,则取决于宿主机的 iptables/路由配置。因此,判断端口是否"对外发布",应当看能否通过宿主机自身的接口(例如 127.0.0.1 或宿主机的外网 IP)访问,而不是看容器 IP。也可以用 docker port <容器名> 或 iptables -t nat -nL DOCKER 列出实际的发布规则——对于这个容器,两者都应该是空的。你可以用下面的命令验证;对于未发布的端口,它应该得到 connection refused:

 curl 127.0.0.1:50070