Docker exposing ports madness

Views: 130
This article covers how the "Docker exposing ports madness" problem was handled. It may serve as a reference for anyone facing the same issue; follow along with the editor below.

Problem description

I've got several docker containers up and running using docker-compose. Nginx connected to PHP through internal port-forwarding at 9000/tcp. PHP connected to mysql through internal forwarding. Nginx is reachable at public NIC!

Another container running postfix is based on the same baseimage and configured/launched exactly the same as the Nginx-container but its ports are not accessible from the internet.

Both nginx and postfix are exposing the same way, so why is postfix not reachable??

nginx (Dockerfile)

...
EXPOSE 80/tcp 443/tcp
...

postfix (Dockerfile)

...
EXPOSE 25/tcp 465/tcp 587/tcp
...

docker-compose.yml

...nginx
ports:
  - "80:80/tcp"
  - "443:443/tcp"
...
and
...postfix
ports:
  - "25:25/tcp"
  - "465:465/tcp"
  - "587:587/tcp"
...

docker ps -a

CONTAINER ID    IMAGE     COMMAND                  CREATED          STATUS           PORTS                                                             NAMES
550cf81ccfc3    nginx     "nginx -g 'daemon ..."   17 minutes ago   Up 17 minutes    0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp                          nginx
5b1b823c8b75    postfix   "/run.sh"                17 minutes ago   Up 17 minutes    0.0.0.0:25->25/tcp, 0.0.0.0:465->465/tcp, 0.0.0.0:587->587/tcp    postfix
f7541058c973    php       "php5-fpm -F"            17 minutes ago   Up 17 minutes    9000/tcp                                                          php
ad1d1db33351    mysql     "/sbin/entrypoint...."   17 minutes ago   Up 17 minutes    3306/tcp                                                          mysql

netstat -a

Aktive Internetverbindungen (Nur Server)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      464/sshd        
tcp        0      0 0.0.0.0:514             0.0.0.0:*               LISTEN      461/rsyslogd    
tcp6       0      0 :::25                   :::*                    LISTEN      24924/docker-proxy
tcp6       0      0 :::443                  :::*                    LISTEN      24937/docker-proxy
tcp6       0      0 :::514                  :::*                    LISTEN      461/rsyslogd    
tcp6       0      0 :::587                  :::*                    LISTEN      24899/docker-proxy
tcp6       0      0 :::80                   :::*                    LISTEN      24975/docker-proxy
tcp6       0      0 :::465                  :::*                    LISTEN      24912/docker-proxy

iptables -S

-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-ISOLATION
-A DOCKER -d 172.17.0.4/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 587 -j ACCEPT
-A DOCKER -d 172.17.0.6/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 465 -j ACCEPT
-A DOCKER -d 172.17.0.6/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 25 -j ACCEPT
-A DOCKER -d 172.17.0.7/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 443 -j ACCEPT
-A DOCKER -d 172.17.0.7/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 80 -j ACCEPT

Telnet on all ips:ports works fine from docker host.

nmap from outside to public ip:

25: filtered
80: open
110: filtered (although there is no service running, ~* weird *~)
443: open
465: filtered
587: filtered

uname -a

Linux h2127057 3.16.0-4-amd64 #1 SMP Debian 3.16.39-1+deb8u2 (2017-03-07) x86_64 GNU/Linux

Who knows the solution??

Solution

A simple server reboot fixed it! Pretty stupid. :-(
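The question collected three views of the same port publishing (docker ps mappings, the filter-table DOCKER chain, and the docker-proxy listeners), and the answer never says which one had drifted. As an added example that is not code from the question or the answer, the script below parses those three outputs (sample lines copied from the question) and reports any published port missing its DOCKER ACCEPT rule or its docker-proxy listener, plus any ACCEPT rule with no published port behind it; the function and regex names are mine.

```python
import re
# Constructed sample input: the docker ps, iptables -S and netstat lines from the question.
DOCKER_PS = """\
550cf81ccfc3 nginx "nginx -g 'daemon ..." 17 minutes ago Up 17 minutes 0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp nginx
5b1b823c8b75 postfix "/run.sh" 17 minutes ago Up 17 minutes 0.0.0.0:25->25/tcp, 0.0.0.0:465->465/tcp, 0.0.0.0:587->587/tcp postfix
"""
IPTABLES_S = """\
-A DOCKER -d 172.17.0.4/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 587 -j ACCEPT
-A DOCKER -d 172.17.0.6/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 465 -j ACCEPT
-A DOCKER -d 172.17.0.6/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 25 -j ACCEPT
-A DOCKER -d 172.17.0.7/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 443 -j ACCEPT
-A DOCKER -d 172.17.0.7/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 80 -j ACCEPT
"""
NETSTAT = """\
tcp6       0      0 :::25                   :::*                    LISTEN      24924/docker-proxy
tcp6       0      0 :::443                  :::*                    LISTEN      24937/docker-proxy
tcp6       0      0 :::587                  :::*                    LISTEN      24899/docker-proxy
tcp6       0      0 :::80                   :::*                    LISTEN      24975/docker-proxy
tcp6       0      0 :::465                  :::*                    LISTEN      24912/docker-proxy
"""
MAPPING_RE = re.compile(r"\d+\.\d+\.\d+\.\d+:(\d+)->(\d+)/(tcp|udp)")            # host->container mapping
ACCEPT_RE = re.compile(r"^-A DOCKER .*-p (tcp|udp) .*--dport (\d+) -j ACCEPT$")  # filter-table DOCKER chain
LISTEN_RE = re.compile(r"^(tcp|udp)6?\s+\d+\s+\d+\s+\S*:(\d+)\s+\S+\s+LISTEN\s+\d+/docker-proxy")

def published_ports(docker_ps):
    """Yield (container, proto, host_port, container_port) for each mapping in docker ps output."""
    for line in docker_ps.splitlines():
        for host, cont, proto in MAPPING_RE.findall(line):
            yield line.split()[-1], proto, int(host), int(cont)

def accepted_ports(iptables_s):
    """(proto, container_port) pairs the DOCKER chain lets in from interfaces other than docker0."""
    return {(m[1], int(m[2])) for m in map(ACCEPT_RE.match, iptables_s.splitlines()) if m}

def proxy_listeners(netstat):
    """(proto, host_port) pairs on which a docker-proxy process is listening."""
    return {(m[1], int(m[2])) for m in map(LISTEN_RE.match, netstat.splitlines()) if m}

def audit(docker_ps, iptables_s, netstat):
    """Return findings as strings; an empty list means all three views agree."""
    accepts, listeners, findings, seen = accepted_ports(iptables_s), proxy_listeners(netstat), [], set()
    for name, proto, host, cont in published_ports(docker_ps):
        seen.add((proto, cont))
        if (proto, cont) not in accepts:
            findings.append(f"{name}: no DOCKER ACCEPT rule for {cont}/{proto}")
        if (proto, host) not in listeners:
            findings.append(f"{name}: no docker-proxy listener on host port {host}/{proto}")
    # ACCEPT rules with no published port behind them are stale and should be cleaned up.
    findings += [f"stale DOCKER ACCEPT for {port}/{proto}" for proto, port in sorted(accepts - seen)]
    return findings
```

Plain `iptables -S` shows only the filter table; the DNAT rules that actually redirect host ports to the container live in `iptables -t nat -S DOCKER` and deserve the same cross-check.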

That concludes this article on Docker exposing ports madness. We hope the recommended answer is helpful, and we hope you will keep supporting IT屋!
