What does --net=host option in Docker command really do?


Question

I'm a bit of a beginner with Docker. I couldn't find any clear, in-depth description of what this option does in the docker run command, and I'm a bit confused about it.

Can we use it to access the applications running in Docker containers without specifying a port? As an example, if I run a webapp deployed via a Docker image on port 8080 by using the option -p 8080:8080 in the docker run command, I know I will have to access it on port 8080 at the Docker container's IP/theWebAppName. But I cannot really think of how the --net=host option works.

Recommended answer

After the docker installation you have 3 networks by default:

docker network ls
NETWORK ID          NAME                DRIVER              SCOPE
f3be8b1ef7ce        bridge              bridge              local
fbff927877c1        host                host                local
023bb5940080        none                null                local

I'm trying to keep this simple. So if you start a container by default it will be created inside the bridge (docker0) network.

$ docker run -d jenkins
1498e581cdba        jenkins             "/bin/tini -- /usr..."   3 minutes ago       Up 3 minutes        8080/tcp, 50000/tcp   friendly_bell

In the Dockerfile of jenkins the ports 8080 and 50000 are exposed. Those ports are opened for the container on its bridge network. So everything inside that bridge network can access the container on ports 8080 and 50000. Everything in the bridge network is in the private range of "Subnet": "172.17.0.0/16". If you want to access them from the outside you have to map the ports with -p 8080:8080. This will map the port of your container to the port of your real server (the host network). So accessing your server on 8080 will route to your bridge network on port 8080.

Now you also have your host network, which does not containerize the container's networking. So if you start a container in the host network it will look like this (it's the first one):

CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS                 NAMES
1efd834949b2        jenkins             "/bin/tini -- /usr..."   6 minutes ago       Up 6 minutes                              eloquent_panini
1498e581cdba        jenkins             "/bin/tini -- /usr..."   10 minutes ago      Up 10 minutes       8080/tcp, 50000/tcp   friendly_bell

The difference is with the ports. Your container is now inside your host network. So if you open port 8080 on your host you will access the container immediately.

$ sudo iptables -I INPUT 5 -p tcp -m tcp --dport 8080 -j ACCEPT

I've opened port 8080 in my firewall and when I'm now accessing my server on port 8080 I'm accessing my jenkins. I think this blog is also useful to understand it better.
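
The following is an added example, not part of the original answer: a small audit that reads `docker inspect` output and reports, per container, whether it shares the host network stack (only the host firewall stands between its listeners and the outside) or sits on the bridge with explicitly published ports. The sample JSON is constructed and trimmed to the fields used, and the container name `mapped_jenkins` is an assumption for illustration.

```python
import json

# Constructed sample shaped like `docker inspect` output (only the fields used here).
SAMPLE_INSPECT = json.loads("""
[
  {"Name": "/eloquent_panini",
   "Config": {"ExposedPorts": {"8080/tcp": {}, "50000/tcp": {}}},
   "HostConfig": {"NetworkMode": "host", "PortBindings": {}}},
  {"Name": "/friendly_bell",
   "Config": {"ExposedPorts": {"8080/tcp": {}, "50000/tcp": {}}},
   "HostConfig": {"NetworkMode": "default", "PortBindings": {}}},
  {"Name": "/mapped_jenkins",
   "Config": {"ExposedPorts": {"8080/tcp": {}, "50000/tcp": {}}},
   "HostConfig": {"NetworkMode": "bridge",
                  "PortBindings": {"8080/tcp": [{"HostIp": "", "HostPort": "8080"}]}}}
]
""")


def classify(container):
    """Return (name, mode, ports) describing how the container is reachable."""
    name = container["Name"].lstrip("/")
    host_cfg = container.get("HostConfig", {})
    mode = host_cfg.get("NetworkMode", "default")
    exposed = sorted((container.get("Config", {}).get("ExposedPorts") or {}).keys())
    if mode == "host":
        # No network namespace isolation: the process binds directly on the host,
        # -p plays no part, and only the host firewall filters access.
        # The image's declared ports are reported as candidates to check.
        return name, "host", exposed
    published = []
    for port, bindings in (host_cfg.get("PortBindings") or {}).items():
        for b in bindings or []:
            # An empty HostIp means the port is bound on all host interfaces.
            published.append(f"{b.get('HostIp') or '0.0.0.0'}:{b['HostPort']}->{port}")
    return name, "bridge" if mode in ("default", "bridge") else mode, sorted(published)


def audit(containers):
    """Classify every container in a parsed `docker inspect` list."""
    return [classify(c) for c in containers]


if __name__ == "__main__":
    for name, mode, ports in audit(SAMPLE_INSPECT):
        note = "shares host stack, declared ports" if mode == "host" else "published"
        print(f"{name:18} {mode:7} {note}: {', '.join(ports) or 'none'}")
```

On a real host, feed it the parsed output of `docker inspect $(docker ps -q)` instead of the sample.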
