How to publish ports in docker files


Problem description

I need to map the ports on the host to the ports on the container. I can achieve this by running the "docker run" command with the -p option. How do I achieve this through the Dockerfile? Using the following gives a "deprecated error"

EXPOSE 80:8080

How else can I make the exposed ports public through the dockerfile?

Recommended answer

You can't. What ports are published on the docker host is strictly a decision that should be made by the local administrator, not by the image they are trying to run; this would be (a) a security problem (hey, I just opened up ssh access to your system!) and (b) prone to failure (my webserver container can't bind on port 80 because I'm already running a server on port 80).

If you want to avoid long docker run command lines, consider using something like docker-compose to automate the process. You can then pass docker-compose a configuration like:

mywebserver:
  image: myname/mywebserver
  ports:
    - 80:8080

And then a simple docker-compose up will start your container with container port 8080 bound to host port 80.

Update 2017-03-11

In response to Willa's comment:

  • Using docker-compose will not help with the port collision issue. The port collision issue is a reason why images should not be able to specify host port bindings. I was simply offering docker-compose as an alternative to long docker run command lines with multiple port bindings. The port collision issue would potentially allow a container to perform a denial-of-service attack on your host: if, for example, a container starts and binds to port 80 before an Apache server on your host (or in another container), then you have just lost your web service.

Regarding the security issue: If an image were able to specify host port bindings, it would be possible for containers to open up access to the container without your knowledge. Permitting a remote user to access a container on your host opens you up to the possibility of a host compromise in the event that the namespace features in the kernel fail to completely isolate the container, and even if you completely trust the isolation it opens you up to potential legal problems if that container is used for illicit purposes. In either case it's a bad idea.
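
An added example (not part of the original answer and not Docker's own tooling): a small Python audit of the `ports` entries an administrator is about to publish, flagging mappings that bind on all host interfaces and host ports claimed by more than one service. The compose file is assumed to be already loaded into a dict; every service except `mywebserver` and the finding labels are constructed for illustration.

```python
import re
from collections import defaultdict

# Compose short syntax: [[HOST_IP:]HOST_PORT:]CONTAINER_PORT[/PROTOCOL]
PORT_RE = re.compile(
    r"^(?:(?:(?P<ip>\[[0-9a-fA-F:]+\]|\d+\.\d+\.\d+\.\d+):)?(?P<host>\d+(?:-\d+)?):)?"
    r"(?P<ctr>\d+(?:-\d+)?)(?:/(?P<proto>tcp|udp|sctp))?$"
)
WILDCARD = ("0.0.0.0", "::")

def parse_port(spec):
    m = PORT_RE.match(str(spec))
    if not m:
        raise ValueError(f"unrecognised port mapping: {spec!r}")
    # With no host IP, Docker publishes the port on all host interfaces.
    ip = (m["ip"] or "0.0.0.0").strip("[]")
    return {"ip": ip, "host": m["host"], "container": m["ctr"], "proto": m["proto"] or "tcp"}

def expand(ports):
    lo, _, hi = ports.partition("-")
    return range(int(lo), int(hi or lo) + 1)

def audit(services):
    findings, owners = [], defaultdict(list)
    for name, svc in services.items():
        for spec in svc.get("ports", []):
            p = parse_port(spec)
            if p["ip"] in WILDCARD:
                findings.append(("all-interfaces", name, spec))
            if p["host"] is None:
                continue  # Docker assigns an ephemeral host port; nothing to collide on
            for port in expand(p["host"]):
                owners[(p["proto"], port)].append((name, p["ip"]))
    for (proto, port), users in sorted(owners.items()):
        ips = [ip for _, ip in users]
        # Simplification: a wildcard bind is treated as clashing with any other address.
        if len(users) > 1 and (len(set(ips)) < len(ips) or set(ips) & set(WILDCARD)):
            findings.append(("collision", f"{port}/{proto}", sorted(n for n, _ in users)))
    return findings

# Constructed sample; only "mywebserver" comes from the answer above.
SERVICES = {
    "mywebserver": {"image": "myname/mywebserver", "ports": ["80:8080"]},
    "admin": {"image": "example/admin", "ports": ["127.0.0.1:9000:9000"]},
    "legacy": {"image": "example/legacy", "ports": ["80:80", "5000-5001:5000-5001/udp"]},
}

if __name__ == "__main__":
    for finding in audit(SERVICES):
        print(finding)
```

Prefixing a mapping with a host address, as the constructed `admin` service does with `127.0.0.1:9000:9000`, keeps the published port off external interfaces.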
