I have cloned this project:
https://github.com/andfanilo/vue-hello-world
and made a dockerfile for it:
FROM node:10
RUN apt install curl
# make the 'app' folder the current working directory
RUN mkdir /app
# copy project files and folders to the current working directory (i.e. 'app' folder)
COPY . /app
WORKDIR /app
RUN npm install
CMD [ "npm", "run", "serve" ]
I build and run it with:
FRONTEND_IMAGE='frontend-simple-image'
FRONTEND_CONTAINER_NAME='frontend-simple-container'
docker build -t ${FRONTEND_IMAGE} .
docker rm -f ${FRONTEND_CONTAINER_NAME}
docker run -it --name ${FRONTEND_CONTAINER_NAME} ${FRONTEND_IMAGE}
It builds and runs successfully:
And I can access it on my host browser:
Which is all good except I would not expect that I could access from my host browser according to:
https://docs.docker.com/config/containers/container-networking/
By default, when you create a container, it does not publish any of its ports to the outside world. To make a port available to services outside of Docker, or to Docker containers which are not connected to the container’s network, use the --publish or -p flag. This creates a firewall rule which maps a container port to a port on the Docker host. Here are some examples.
So why does it work (accessing the web application from my host browser) without adding e.g -p 8080:8080 to docker run??
It's all working fine. To access the website you are using 172.17.0.2 which belongs to the initial Docker bridge network 172.17.0.0/16. It's a basic network in which all containers are being created if you won't specify any other network.
Because bridge is a network created on your host machine you can freely access it using direct IP address. But if you will try to access the Vue app through localhost:8080 or 127.0.0.1:8080 you shouldn't be able to connect, as you are using a different network. After adding -p 8080:8080 the behavior should change and an app will be accessible through localhost.
Basically an "outside world" from Docker documentation means a network beyond the ones assigned to the container, so in your case, an "outside world" is anything but 172.17.0.0/16.
You can read more about container communications here.
Related
I am running a custom image (based on the docker image Locust) locally using the below command
docker run -p 5557:5557 my-stress-test:0.1
My dockerfile looks as below
FROM locustio/locust:latest
COPY ./ /mnt/locust
CMD ["-P", "5557", "-f", "/mnt/locust/locustfile.py"]
Now, I deploy this image on to my cloud service which runs this image generating the command
docker run -p 5557 my-stress-test:0.1
This is the command I cannot change. However, I am not able to run the image without port forwarding, like -p 5557:5557. How can I change my dockerfile or anything to run the image without port forwarding.
In dockers you should know how its network works.
There is 3 type of port configuration:
docker run my-stress-test:0.1
docker run -p 5557:5557 my-stress-test:0.1
docker run -p 127.0.0.1:5557:5557 my-stress-test:0.1
In the first type, only apps in the same network as this app can connect to that port.
In the second type, all apps inside and outside of the container network can connect to that port.
In the third type only apps inside the container network, and other apps inside the host can connect to the app, and apps outside of the host cannot connect to the app.
I think the third type is what you are looking for.
If you have multiple network in your host, and you want other apps from other hosts to access the app, you can bind that network ip to the port. for example
docker run -p 192.168.0.10:5557:5557 my-stress-test:0.1
With Docker, you can't publish ports in the dockerfile or at any other time other than at run by design.
How to publish ports in docker files
This question will be best posed to your cloud provider as to why you're unable to change the command that runs a container of your image.
I'm experimenting with Dockerfiles, and I think I understand most of the logic. However, I don't see the difference between "exposing" and "publishing" a port in this context.
All the tutorials I have seen first include the EXPOSE command in the Dockerfile:
...
EXPOSE 8080
...
They then build an image from this Dockerfile:
$ docker build -t an_image - < Dockerfile
And then publish the same port as above when running the image:
$ docker run -d -p 8080 an_image
or publish all ports using
$ docker run -d -P an_image
What is the point of exposing a port in the Dockerfile, if it will be published anyway? Would there ever be a need to expose a port first, and not publish it later? Effectively, I would like to specify all the ports that I will use in the Dockerfile when creating the image, and then not bother with them again, running them simply with:
$ docker run -d an_image
Is this possible?
Basically, you have three (four) options:
Neither specify EXPOSE nor -p
Only specify EXPOSE
Specify EXPOSE and -p
Only specify -p which implicitly does EXPOSE
If you specify neither EXPOSE nor -p, the service in the container will only be accessible from inside the container itself.
If you EXPOSE a port, the service in the container is not accessible from outside Docker, but from inside other Docker containers. So this is good for inter-container communication.
If you EXPOSE and -p a port, the service in the container is accessible from anywhere, even outside Docker.
If you do -p, but do not EXPOSE, Docker does an implicit EXPOSE. This is because if a port is open to the public, it is automatically also open to other Docker containers. Hence -p includes EXPOSE. This is effectively same as 3).
The reason why both are separated is IMHO because:
choosing a host port depends on the host and hence does not belong to the Dockerfile (otherwise it would be depending on the host),
and often it's enough if a service in a container is accessible from other containers.
The documentation explicitly states:
The EXPOSE instruction exposes ports for use within links.
It also points you to how to link containers, which basically is the inter-container communication I talked about.
Short answer:
EXPOSE is a way of documenting
--publish (or -p) is a way of mapping a host port to a running container port
Notice below that:
EXPOSE is related to Dockerfiles ( documenting )
--publish is related to docker run ... ( execution / run-time )
Exposing and publishing ports
In Docker networking, there are two different mechanisms that directly involve network ports: exposing and publishing ports. This applies to the default bridge network and user-defined bridge networks.
You expose ports using the EXPOSE keyword in the Dockerfile or the --expose flag to docker run. Exposing ports is a way of documenting which ports are used, but does not actually map or open any ports. Exposing ports is optional.
You publish ports using the --publish or --publish-all flag to docker run. This tells Docker which ports to open on the container’s network interface. When a port is published, it is mapped to an available high-order port (higher than 30000) on the host machine, unless you specify the port to map to on the host machine at runtime. You cannot specify the port to map to on the host machine when you build the image (in the Dockerfile), because there is no way to guarantee that the port will be available on the host machine where you run the image.
from: Docker container networking
Update October 2019: the above piece of text is no longer in the docs but an archived version is here: docs.docker.com/v17.09/engine/userguide/networking/#exposing-and-publishing-ports
Maybe the current documentation is the below:
Published ports
By default, when you create a container, it does not publish any of its ports to the outside world. To make a port available to services outside of Docker, or to Docker containers which are not connected to the container's network, use the --publish or -p flag. This creates a firewall rule which maps a container port to a port on the Docker host.
and can be found here: docs.docker.com/config/containers/container-networking/#published-ports
Also,
EXPOSE
...The EXPOSE instruction does not actually publish the port. It functions as a type of documentation between the person who builds the image and the person who runs the container, about which ports are intended to be published.
from: Dockerfile reference
Service access when EXPOSE / --publish are not defined:
At #Golo Roden's answer it is stated that::
"If you do not specify any of those, the service in the container will not be accessible from anywhere except from inside the container itself."
Maybe that was the case at the time the answer was being written, but now it seems that even if you do not use EXPOSE or --publish, the host and other containers of the same network will be able to access a service you may start inside that container.
How to test this:
I've used the following Dockerfile. Basically, I start with ubuntu and install a tiny web-server:
FROM ubuntu
RUN apt-get update && apt-get install -y mini-httpd
I build the image as "testexpose" and run a new container with:
docker run --rm -it testexpose bash
Inside the container, I launch a few instances of mini-httpd:
root#fb8f7dd1322d:/# mini_httpd -p 80
root#fb8f7dd1322d:/# mini_httpd -p 8080
root#fb8f7dd1322d:/# mini_httpd -p 8090
I am then able to use curl from the host or other containers to fetch the home page of mini-httpd.
Further reading
Very detailed articles on the subject by Ivan Pepelnjak:
Exposed ports
Published ports
See the official documentation reference: https://docs.docker.com/engine/reference/builder/#expose
The EXPOSE allows you to define private (container) and public (host) ports to expose at image build time for when the container is running if you run the container with -P.
$ docker help run
...
-P, --publish-all Publish all exposed ports to random ports
...
The public port and protocol are optional, if not a public port is specified, a random port will be selected on host by docker to expose the specified container port on Dockerfile.
A good pratice is do not specify public port, because it limits only one container per host ( a second container will throw a port already in use ).
You can use -p in docker run to control what public port the exposed container ports will be connectable.
Anyway, If you do not use EXPOSE (with -P on docker run) nor -p, no ports will be exposed.
If you always use -p at docker run you do not need EXPOSE but if you use EXPOSE your docker run command may be more simple, EXPOSE can be useful if you don't care what port will be exposed on host, or if you are sure of only one container will be loaded.
You expose ports using the EXPOSE keyword in the Dockerfile or the
--expose flag to docker run. Exposing ports is a way of documenting which
ports are used, but does not actually map or open any ports. Exposing ports
is optional.
Source: github commit
Most people use docker compose with networks. The documentation states:
The Docker network feature supports creating networks without the need to expose ports within the network, for detailed information see the overview of this feature).
Which means that if you use networks for communication between containers you don't need to worry about exposing ports.
EXPOSE keyword lets owner to inform others that which ports are going to be used by the container mainly.
You can publish any port even if you don't specify the port in EXPOSE.
For example we create a Dockerfile with nginx image that exposes port 1234
FROM nginx:latest
EXPOSE 1234
and build it
docker build -t porttest .
And run it with publishing 80 port to localhost:80
docker run -p 80:80 porttest
When you go localhost:80, you will see nginx default page.
Nginx default page
expose - will only allow that specific port to connect with container and it will use as "inter container communication " only
-p ( publish ) will map the host port with container port ( which you have already exposed in step 1 or in docker file ) and once you expose it , you will need to map it so we use publish , it will then access container outside world/internet.
EXPOSE is used to map local port container port
ie : if you specify expose in docker file like
EXPOSE 8090
What will does it will map localhost port 8090 to container port 8090
I am running a docker container locally on my Mac system. I have pasted the Dockerfile contents at the bottom of this post. I have exposed port 8888 in the image and I would like to access the python program from my host browser using container-ip-address:8888. But, it doesn't connect. Mapping it to a port on localhost works, but I don't want to do that. How can I solve this? (Already tried creating a docker network and running the container as part of the new network - no dice). Any help would be much appreciated.
Dockerfile contents -
FROM python:latest
RUN mkdir -p /usr/src/app
WORKDIR /usr/src/app
COPY . /usr/src/app
EXPOSE 8888
RUN pip install tornado
CMD ["python", "./api.py" ]
Expose just tells docker that this container going to work with this port. it doesn't map it anywhere.
https://docs.docker.com/engine/reference/builder/#expose
Mapping is the task of code which is running your container. In case of local machine its a docker. If you don't map port in docker run then container will not be accessible from outside of docker network. At the same time your host machine is not in docker network. Same in case if you create docker network manually - your machine just doesn't have access to inner parts of it.
In other words you have to choose your way:
use -p .... when you do docker run (local development)
or define it in docker compose file if you use docker composer (mostly local development). this approach is very useful when you are running multiple communicating systems in docker.
or do it through kubernetes yaml definition file on production if you go into kubernetes with your solution (production with orchestrator/ autoscaler and etc.)
I'am learning docker and start test simple project contains only index.php, but it not work.
I start docker in VirtualBox(CentOS) on my Windows OS.
I have index.php
<?php
echo "Hello world";
I have Dockerfile
FROM php:7.0-apache
COPY . /var/www/html
Then build image and start container:
docker build -t php-app .
docker run php-app
When I start container I see its ip
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 172.17.0.4.
In VirtualBox I can see index.php using
curl 172.17.0.4/index.php
But in my Windows OS I type 192.168.1.194 (VirtualBox ip) in browser and I don't see my index.php. Apparently problem in ports. But what should I change to see index.php in Docker via my Windows browser?
You need to expose your port.
Run the container with this command:
docker run -p 80:80 php-app
This way your container's 80 port which is where your Apache instance is listening, will be bound to your host's (your virtual box vm in this case) 80 port and you should be able to reach it from outside.
You can read docker's all command line options' documentation in the official page here: https://docs.docker.com/engine/reference/run/#pid-equivalent
I'm experimenting with Dockerfiles, and I think I understand most of the logic. However, I don't see the difference between "exposing" and "publishing" a port in this context.
All the tutorials I have seen first include the EXPOSE command in the Dockerfile:
...
EXPOSE 8080
...
They then build an image from this Dockerfile:
$ docker build -t an_image - < Dockerfile
And then publish the same port as above when running the image:
$ docker run -d -p 8080 an_image
or publish all ports using
$ docker run -d -P an_image
What is the point of exposing a port in the Dockerfile, if it will be published anyway? Would there ever be a need to expose a port first, and not publish it later? Effectively, I would like to specify all the ports that I will use in the Dockerfile when creating the image, and then not bother with them again, running them simply with:
$ docker run -d an_image
Is this possible?
Basically, you have three (four) options:
Neither specify EXPOSE nor -p
Only specify EXPOSE
Specify EXPOSE and -p
Only specify -p which implicitly does EXPOSE
If you specify neither EXPOSE nor -p, the service in the container will only be accessible from inside the container itself.
If you EXPOSE a port, the service in the container is not accessible from outside Docker, but from inside other Docker containers. So this is good for inter-container communication.
If you EXPOSE and -p a port, the service in the container is accessible from anywhere, even outside Docker.
If you do -p, but do not EXPOSE, Docker does an implicit EXPOSE. This is because if a port is open to the public, it is automatically also open to other Docker containers. Hence -p includes EXPOSE. This is effectively same as 3).
The reason why both are separated is IMHO because:
choosing a host port depends on the host and hence does not belong to the Dockerfile (otherwise it would be depending on the host),
and often it's enough if a service in a container is accessible from other containers.
The documentation explicitly states:
The EXPOSE instruction exposes ports for use within links.
It also points you to how to link containers, which basically is the inter-container communication I talked about.
Short answer:
EXPOSE is a way of documenting
--publish (or -p) is a way of mapping a host port to a running container port
Notice below that:
EXPOSE is related to Dockerfiles ( documenting )
--publish is related to docker run ... ( execution / run-time )
Exposing and publishing ports
In Docker networking, there are two different mechanisms that directly involve network ports: exposing and publishing ports. This applies to the default bridge network and user-defined bridge networks.
You expose ports using the EXPOSE keyword in the Dockerfile or the --expose flag to docker run. Exposing ports is a way of documenting which ports are used, but does not actually map or open any ports. Exposing ports is optional.
You publish ports using the --publish or --publish-all flag to docker run. This tells Docker which ports to open on the container’s network interface. When a port is published, it is mapped to an available high-order port (higher than 30000) on the host machine, unless you specify the port to map to on the host machine at runtime. You cannot specify the port to map to on the host machine when you build the image (in the Dockerfile), because there is no way to guarantee that the port will be available on the host machine where you run the image.
from: Docker container networking
Update October 2019: the above piece of text is no longer in the docs but an archived version is here: docs.docker.com/v17.09/engine/userguide/networking/#exposing-and-publishing-ports
Maybe the current documentation is the below:
Published ports
By default, when you create a container, it does not publish any of its ports to the outside world. To make a port available to services outside of Docker, or to Docker containers which are not connected to the container's network, use the --publish or -p flag. This creates a firewall rule which maps a container port to a port on the Docker host.
and can be found here: docs.docker.com/config/containers/container-networking/#published-ports
Also,
EXPOSE
...The EXPOSE instruction does not actually publish the port. It functions as a type of documentation between the person who builds the image and the person who runs the container, about which ports are intended to be published.
from: Dockerfile reference
Service access when EXPOSE / --publish are not defined:
At #Golo Roden's answer it is stated that::
"If you do not specify any of those, the service in the container will not be accessible from anywhere except from inside the container itself."
Maybe that was the case at the time the answer was being written, but now it seems that even if you do not use EXPOSE or --publish, the host and other containers of the same network will be able to access a service you may start inside that container.
How to test this:
I've used the following Dockerfile. Basically, I start with ubuntu and install a tiny web-server:
FROM ubuntu
RUN apt-get update && apt-get install -y mini-httpd
I build the image as "testexpose" and run a new container with:
docker run --rm -it testexpose bash
Inside the container, I launch a few instances of mini-httpd:
root#fb8f7dd1322d:/# mini_httpd -p 80
root#fb8f7dd1322d:/# mini_httpd -p 8080
root#fb8f7dd1322d:/# mini_httpd -p 8090
I am then able to use curl from the host or other containers to fetch the home page of mini-httpd.
Further reading
Very detailed articles on the subject by Ivan Pepelnjak:
Exposed ports
Published ports
See the official documentation reference: https://docs.docker.com/engine/reference/builder/#expose
The EXPOSE allows you to define private (container) and public (host) ports to expose at image build time for when the container is running if you run the container with -P.
$ docker help run
...
-P, --publish-all Publish all exposed ports to random ports
...
The public port and protocol are optional, if not a public port is specified, a random port will be selected on host by docker to expose the specified container port on Dockerfile.
A good pratice is do not specify public port, because it limits only one container per host ( a second container will throw a port already in use ).
You can use -p in docker run to control what public port the exposed container ports will be connectable.
Anyway, If you do not use EXPOSE (with -P on docker run) nor -p, no ports will be exposed.
If you always use -p at docker run you do not need EXPOSE but if you use EXPOSE your docker run command may be more simple, EXPOSE can be useful if you don't care what port will be exposed on host, or if you are sure of only one container will be loaded.
You expose ports using the EXPOSE keyword in the Dockerfile or the
--expose flag to docker run. Exposing ports is a way of documenting which
ports are used, but does not actually map or open any ports. Exposing ports
is optional.
Source: github commit
Most people use docker compose with networks. The documentation states:
The Docker network feature supports creating networks without the need to expose ports within the network, for detailed information see the overview of this feature).
Which means that if you use networks for communication between containers you don't need to worry about exposing ports.
EXPOSE keyword lets owner to inform others that which ports are going to be used by the container mainly.
You can publish any port even if you don't specify the port in EXPOSE.
For example we create a Dockerfile with nginx image that exposes port 1234
FROM nginx:latest
EXPOSE 1234
and build it
docker build -t porttest .
And run it with publishing 80 port to localhost:80
docker run -p 80:80 porttest
When you go localhost:80, you will see nginx default page.
Nginx default page
expose - will only allow that specific port to connect with container and it will use as "inter container communication " only
-p ( publish ) will map the host port with container port ( which you have already exposed in step 1 or in docker file ) and once you expose it , you will need to map it so we use publish , it will then access container outside world/internet.
EXPOSE is used to map local port container port
ie : if you specify expose in docker file like
EXPOSE 8090
What will does it will map localhost port 8090 to container port 8090