Docker命令中的--net = host选项实际上是做什么的？ [英] What does --net=host option in Docker command really do?

问题描述

我是Docker的初学者。我在docker run命令中找不到此选项的任何清晰描述，对此深有疑问。

I'm a little bit beginner to Docker. I couldn't find any clear description of what this option does in docker run command in deep and bit confused about it.

我们可以使用它来访问在其上运行的应用程序吗？码头集装箱没有指定端口？例如，如果我通过在docker run命令中使用选项 -p 8080：8080 在端口8080中运行通过docker映像部署的webapp，我知道我将必须访问它在Docker容器ip / theWebAppName的8080端口上。但是我真的无法想到-net = host 选项如何工作。

Can we use it to access the applications running on docker containers without specifying a port? As an example if I run a webapp deployed via a docker image in port 8080 by using option -p 8080:8080 in docker run command, I know I will have to access it on 8080 port on Docker containers ip /theWebAppName. But I cannot really think of a way how --net=host option works.

推荐答案

在docker安装之后，默认情况下有3个网络：

After the docker installation you have 3 networks by default:

docker network ls
NETWORK ID          NAME                DRIVER              SCOPE
f3be8b1ef7ce        bridge              bridge              local
fbff927877c1        host                host                local
023bb5940080        none                null                local

我正在尝试保持简单。因此，如果您默认启动一个容器，它将在网桥（docker0）网络中创建。

I'm trying to keep this simple. So if you start a container by default it will be created inside the bridge (docker0) network.

$ docker run -d jenkins
1498e581cdba        jenkins             "/bin/tini -- /usr..."   3 minutes ago       Up 3 minutes        8080/tcp, 50000/tcp   friendly_bell

在jenkins的dockerfile中，端口 8080 和 50000 被暴露。这些端口在其桥接网络上为容器打开。因此，该桥接网络中的所有内容都可以访问端口 8080 和 50000 上的容器。桥接网络中的所有内容均位于子网： 172.17.0.0/16，的私有范围内。如果要从外部访问它们，则必须映射 -p 8080：8080 的端口。这会将容器的端口映射到真实服务器（主机网络）的端口。因此，访问 8080 上的服务器将路由到端口 8080 上的网桥。

In the dockerfile of jenkins the ports 8080 and 50000 are exposed. Those ports are opened for the container on its bridge network. So everything inside that bridge network can access the container on port 8080 and 50000. Everything in the bridge network is in the private range of "Subnet": "172.17.0.0/16", If you want to access them from the outside you have to map the ports with -p 8080:8080. This will map the port of your container to the port of your real server (the host network). So accessing your server on 8080 will route to your bridgenetwork on port 8080.

现在您也有了主机网络。不会将容器网络化。因此，如果您在主机网络中启动一个容器，它将看起来像这样（这是第一个容器）：

Now you also have your host network. Which does not containerize the containers networking. So if you start a container in the host network it will look like this (it's the first one):

CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS                 NAMES
1efd834949b2        jenkins             "/bin/tini -- /usr..."   6 minutes ago       Up 6 minutes                              eloquent_panini
1498e581cdba        jenkins             "/bin/tini -- /usr..."   10 minutes ago      Up 10 minutes       8080/tcp, 50000/tcp   friendly_bell

不同之处在于端口。您的容器现在位于主机网络中。因此，如果您在主机上打开端口 8080 ，则将立即访问该容器。

The difference is with the ports. Your container is now inside your host network. So if you open port 8080 on your host you will acces the container immediately.

$ sudo iptables -I INPUT 5 -p tcp -m tcp --dport 8080 -j ACCEPT

我已经在防火墙中以及当我打开防火墙时打开了端口 8080 现在在端口 8080 上访问服务器，我正在访问我的詹金斯。我认为此博客有助于更好地理解它。

I've opened port 8080 in my firewall and when I'm now accesing my server on port 8080 I'm accessing my jenkins. I think this blog is also useful to understand it better.

这篇关于Docker命令中的--net = host选项实际上是做什么的？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！