Docker EXPOSE a port only to Host - docker

Is Docker capable of exposing a port only to the host and not to the outside?
I need to run a Docker container with a mongo database, and I wanted it to be accessible only from the host, but I need to link the host port 27017.
Is this possible, or is the only possible way to change firewall definitions?

Sure, just bind it to localhost, like this:
docker run -p 127.0.0.1:27017:27017 mongo
Also: your host can talk to each container directly over its IP. Use docker inspect $ID to get a JSON dump that (among other things) contains the container's network IP.
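As an added example (not part of the original answer): a small audit that reads the output of docker ps and flags every published port bound to all interfaces (0.0.0.0 or ::) instead of 127.0.0.1, which is exactly the difference between "-p 27017:27017" and "-p 127.0.0.1:27017:27017". The sample input is constructed; the live command to feed it is given in a comment.

```shell
#!/bin/sh
# Audit published Docker ports for bindings reachable from other hosts.
# Live use:  docker ps --format '{{.Names}}\t{{.Ports}}' | audit_published_ports
# Each input line is "<container name><TAB><Ports column>", where the Ports
# column looks like "0.0.0.0:8080->80/tcp, :::8080->80/tcp" or "80/tcp".

# Constructed sample of that output (not taken from a real host).
SAMPLE_PS="$(printf 'mongo\t127.0.0.1:27017->27017/tcp
web\t0.0.0.0:8080->80/tcp, :::8080->80/tcp
hello\t127.0.0.2:80->8000/tcp
internal\t80/tcp\n')"

# Reads docker ps lines on stdin. Prints "WIDE OPEN <name> <mapping>" for
# every mapping bound to 0.0.0.0 or the IPv6 wildcard (:: / [::]).
# Mappings bound to a loopback address, and exposed-but-unpublished ports
# such as "80/tcp", are silently accepted.
# Exit status: 0 if every published port is loopback-only, 1 otherwise.
audit_published_ports() {
    awk -F'\t' '
    {
        n = split($2, maps, /, */)
        for (i = 1; i <= n; i++) {
            m = maps[i]
            if (m ~ /^(0\.0\.0\.0:|:::|\[::\]:)/) {
                print "WIDE OPEN", $1, m
                open++
            }
        }
    }
    END { exit (open > 0) }'
}

# Stand-alone run against the constructed sample.
printf '%s\n' "$SAMPLE_PS" | audit_published_ports \
    || echo "at least one published port is reachable from other hosts"
```

Because Docker publishes a port by adding its own iptables rules, a mapping that shows up as WIDE OPEN is reachable from the network even when the host firewall's INPUT policy looks restrictive, so this list is worth checking whenever -p is used without an explicit 127.0.0.1 prefix.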

Related

Using a Docker web container, how do I access localhost from a custom url, even though the ip keeps changing?

Using Ubuntu 20.04.
I have a Docker web container that I can access locally at localhost:8000. I want to instead access this by typing hello.localhost in my browser.
I can accomplish this by adding the container's IP address to my /etc/hosts file, but the problem is that this IP address can change. How can I resolve this?
Generally, you would solve this using port publishing. Let's say you have multiple containers; we'll call them hello and goodbye. You'd like to access them as http://hello.localhost and http://goodbye.localhost, without having to append a port number.
You can bind each container to a specific IP on your host, like this:
docker run --name hello -p 127.0.0.2:80:8000 myimage
docker run --name goodbye -p 127.0.0.3:80:8000 myimage
Here, we've bound port 8000 on container hello to 127.0.0.2:80, and port 8000 on container goodbye to 127.0.0.3:80. All that we need to do now is tell our host about names for these addresses, which we can do by adding something like this to /etc/hosts:
127.0.0.2 hello.localhost
127.0.0.3 goodbye.localhost
Now you can browse to http://hello.localhost or http://goodbye.localhost (as long as your browser is running on the same machine as your docker containers).

How to communicate with a running Docker container in a Host X from another Host Y (not from a container in Host Y)

I am experimenting with Docker networking, and I have set up a scenario as below.
I installed Docker on a host X connected to a network (host X IP: 60.0.0.28) and ran a basic Docker container of Ubuntu (the container is connected to the default docker bridge network only, i.e. 172.17.0.0/16, and 172.17.0.2 is the container IP). Now I am trying to communicate with that running container from another host Y within the same network (host Y IP: 60.0.0.40), on which no Docker is installed.
I added a basic route on host Y like "ip route add 172.17.0.0/16 via 60.0.0.28 dev ens3".
From the container I am able to ping host Y; in the reverse case, I am only able to ping the docker gateway "172.17.0.1" from host Y, but not able to reach the container.
There are a wide variety of situations where the Docker-internal IP addresses just aren't useful; calling from a different host is one of them. You should totally ignore those as an implementation detail.
If you take Docker out of the picture, and run the process directly on the host, this should be straightforward: from host Y, you can call the process on host X given its DNS name and the port the server is running on.
hostY$ curl http://hostX:12345/
If the process is actually running in a Docker container, you need to make sure you've started the container with a published port. This doesn't necessarily need to match the port the process is listening on.
hostX$ docker run -p 12345:12345 imagename
Once you've done this, the process can be reached via the host's DNS name or IP address, and the published port, the same way as with a non-container server.
In normal circumstances you should not need to think about the Docker-internal IP addresses; you do not need manual ip route setup commands like the one you show, and you shouldn't docker inspect or docker run --ip to find or set this detail.
Let's assume you want to start Dockerized nginx on host X.
You'd run:
docker run --detach -p 8080:80 nginx
Then you could access your nginx instance using http://60.0.0.28:8080.

communicate with a service inside a docker from the host without using its IP

I have a process running on a host that needs to communicate with a docker, and I want it to be done by some parameter that can't change (like the docker name or host name), unlike the IP (I'd prefer not to make the IP of the docker static or install external dockers for this).
I'm aware that dockers can resolve addresses by name in a private network, and that's what I want, but not between dockers: between a process running on the host and a docker.
I couldn't find a solution; can it be done?
Edit:
I'm not allowed to use host network and open additional ports on the host for security reasons.
You're welcome to choose the way which fits your needs better.
Option 1. Use the host's networking. In this case Docker does not create a separate network for the container, and you connect to the container's services as if they were running on your host:
docker run --network=host <image_name>
Drawback of this approach: low isolation and thus low security. You don't need to expose any ports here; if the service listens on 8080, just open localhost:8080 and enjoy.
The second approach is more correct: you expose (somehow forward) internal ports in the container and map them onto ports on the host.
docker run -p 8080:80 <image_name>
This will map port 80 from the container to port 8080 on the host. As in the previous example, you still connect using localhost, e.g. localhost:8080.

how to open port of docker container with bridge network

I want to open a port on a Docker container,
but not using the docker run -p option,
because the container has an independent IP address assigned by the bridge network,
so my system doesn't need port forwarding.
For example:
the host OS has IP 172.30.1.2
the container has IP 172.30.1.3
so I want to connect to the container at 172.30.1.3:80 directly.
Then I tried something using iptables, but it is denied.
Is there some way this is possible?
You can specify an IP endpoint when exposing ports. For example: -p 172.30.1.3:80:80
Check the documentation here

port linking from docker container to host

I have the following situation. I have a service that listens on 127.0.0.1 on port 1234 (this cannot be changed for security reasons). On the same machine runs a Docker container. I need to somehow connect to the service on the host from within the container. Because the service only accepts requests from 127.0.0.1, I need to somehow link the port from the container to the host port, but in reverse, so that when I connect from within the container to 127.0.0.1:1234 the service on the host receives the data. Is this possible?
Thanks.
With the default bridged network, you won't be able to connect from the container to a service on the host listening on 127.0.0.1. But you can use --net=host when running a container to use the host network stack directly in the container. It removes some of the isolation, but then allows you to talk directly to 127.0.0.1 as the container and talk to services running on the host.
Question
How to bind a Dockerized service on localhost:port?
Answer
Use -p like this: docker run -p 127.0.0.1:1234:1234 <other options> <image> <command>.