1. Create an Nginx container without port mapping
[root@localhost ~]# docker run --name my_nginx -d nginx
7be3673a4c0f8f7ffe79a7b11ab86c4327dacaf734ed574e88e28c1db2243716
[root@localhost ~]# docker ps -a # port 80 is open in the container, but not mapped on the host
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
7be3673a4c0f nginx "nginx -g 'daemon ..." 5 seconds ago Up 4 seconds 80/tcp my_nginx
2. Obtain the container's network information
[root@localhost ~]# docker exec -it my_nginx /bin/bash # the nginx container is minimal and lacks many shell commands, so some of the information we want cannot be viewed from inside it
root@7be3673a4c0f:/# ip a
bash: ip: command not found
root@7be3673a4c0f:/# ifconfig
bash: ifconfig: command not found
[root@localhost ~]# docker network inspect bridge # the network information can be viewed with inspect instead
"Containers": {
"7be3673a4c0f8f7ffe79a7b11ab86c4327dacaf734ed574e88e28c1db2243716": {
"Name": "my_nginx",
"EndpointID": "6fa4eedf32d4a9d75b591d102613944d49a3cd40d2e41ea6c386685584fd09a7",
"MacAddress": "02:42:ac:11:00:02",
"IPv4Address": "172.17.0.2/16", # the container's IP address
"IPv6Address": ""
}
},
3. Access the container from the host via the container's IP address and port
[root@localhost ~]# ping 172.17.0.2 # ping succeeds
PING 172.17.0.2 (172.17.0.2) 56(84) bytes of data.
64 bytes from 172.17.0.2: icmp_seq=1 ttl=64 time=0.073 ms
[root@localhost ~]# telnet 172.17.0.2 80 # telnet to port 80 works
Trying 172.17.0.2...
Connected to 172.17.0.2.
Escape character is '^]'.
[root@localhost ~]# curl -I 172.17.0.2 # access to port 80 of the nginx container works
HTTP/1.1 200 OK
Summary: by default, the service port of a created container can be accessed from the host, but not from outside the host.
4. Create a container with port mapping, using the -p parameter
[root@localhost ~]# docker rm -f my_nginx
[root@localhost ~]# docker run --name my_nginx -d -p 80:80 nginx # note the format of the -p parameter
f1166a72ab910b425cf32b91ababde2a5b6a4fda6db08852bf7a99d925d4985f
[root@localhost ~]# docker ps -a # the mapping here is bound to 0.0.0.0
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
f1166a72ab91 nginx "nginx -g 'daemon ..." 3 seconds ago Up 3 seconds 0.0.0.0:80->80/tcp my_nginx
A binding of 0.0.0.0 means the host accepts traffic for this port on all interfaces. To apply a stricter rule, use -p IP:host_port:container_port or -p IP::port to specify which host IP address (interface) may be used to reach the container.
If you want published ports to be permanently bound to a fixed IP address, add the following to the Docker configuration file /etc/docker/daemon.json:
{
"ip": "0.0.0.0"
}
Access via the host IP address (note the port)
[root@localhost ~]# ifconfig eth0|awk 'NR==2{print $2}'
172.16.150.135
5. Create a container with port mapping, using the -P parameter
[root@localhost ~]# docker rm -f my_nginx
my_nginx
[root@localhost ~]# docker run --name my_nginx -d -P nginx # -P is used on its own; no port needs to be specified
8f9df2a803766862d08709b77054d35e890ca72c0ea17770dac8b3815278d35b
[root@localhost ~]# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
8f9df2a80376 nginx "nginx -g 'daemon ..." 5 seconds ago Up 5 seconds 0.0.0.0:10000->80/tcp my_nginx
External access (note the port)
6. Usage of -P and -p, and the difference between them
Official documentation:
-P, --publish-all=true|false
Publish all exposed ports to random ports on the host interfaces. The default is false.
When set to true publish all exposed ports to the host interfaces. The default is false. If the operator uses -P (or -p) then Docker will make the
exposed port accessible on the host and the ports will be available to any client that can reach the host. When using -P, Docker will bind any exposed
port to a random port on the host within an ephemeral port range defined by /proc/sys/net/ipv4/ip_local_port_range. To find the mapping between the host
ports and the exposed ports, use docker port.
-p, --publish=[]
Publish a container's port, or range of ports, to the host.
Format: ip:hostPort:containerPort | ip::containerPort | hostPort:containerPort | containerPort
Both hostPort and containerPort can be specified as a range of ports. When specifying ranges for both, the number of container ports in the range must match the number of host ports in the range. (e.g., docker run -p 1234-1236:1222-1224 --name thisWorks -t busybox but not docker run -p 1230-1236:1230-1240 --name RangeContainerPortsBiggerThanRangeHostPorts -t busybox)
With ip: docker run -p 127.0.0.1:$HOSTPORT:$CONTAINERPORT --name CONTAINER -t someimage
Use docker port to see the actual mapping: docker port CONTAINER $CONTAINERPORT
-P:
Publishes the container's exposed port on a random host port. The range the random port is taken from is read from the /proc/sys/net/ipv4/ip_local_port_range setting:
[root@localhost ~]# cat /proc/sys/net/ipv4/ip_local_port_range
10000 65000
-p:
You can specify the port to be mapped; only one container can be bound to a given host port.
Supported port mapping formats:
ip:hostPort:containerPort # specify the IP, the host port and the container port
ip::containerPort # specify the IP and the container port, but no host port
hostPort:containerPort # no IP; specify the host port and the container port
The -p flag can be used repeatedly to bind multiple ports, for example -p 00:80 -p 8088:8080
A range can also be specified, for example -p 1234-1236:1222-1224
Whichever method is used, what actually happens is that the corresponding rules are added to the nat table of the local iptables.
When using -p 80:80:
[root@localhost ~]# iptables -t nat -vnL|grep :80
0 0 MASQUERADE tcp -- * * 172.17.0.2 172.17.0.2 tcp dpt:80
0 0 DNAT tcp -- !docker0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 to:172.17.0.2:80
When using -P:
[root@localhost ~]# iptables -t nat -vnL|grep :80
0 0 MASQUERADE tcp -- * * 172.17.0.2 172.17.0.2 tcp dpt:80
0 0 DNAT tcp -- !docker0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:10000 to:172.17.0.2:80
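The DNAT rules above determine who can reach a published port. The following added example (not part of the original post) parses `iptables -t nat -vnL` output and classifies each mapping by the destination address its rule matches, covering both the default 0.0.0.0 binding and the stricter -p IP:host_port:container_port form from step 4. The first two DNAT lines of the sample repeat the rules shown above; the loopback and single-address lines and all function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify Docker DNAT rules by how widely each published
# port is reachable. Input is the text printed by `iptables -t nat -vnL`
# (columns: pkts bytes target prot opt in out source destination options).

audit_published_ports() {
    awk '
    $3 == "DNAT" {
        dst = $9; hostport = ""; target = ""
        for (i = 10; i <= NF; i++) {
            if ($i ~ /^dpt:/) hostport = substr($i, 5)   # host port matched
            if ($i ~ /^to:/)  target   = substr($i, 4)   # container ip:port
        }
        if (hostport == "" || target == "") next
        if (dst == "0.0.0.0/0")  scope = "ALL-INTERFACES"   # -p 80:80 or -P
        else if (dst ~ /^127\./) scope = "LOOPBACK-ONLY"    # -p 127.0.0.1:...
        else                     scope = "SINGLE-ADDRESS"   # -p <host IP>:...
        printf "%s %s dst=%s hostport=%s to=%s\n", scope, $4, dst, hostport, target
    }'
}

# Keep only the mappings that any client able to reach the host can use.
exposed_ports() {
    audit_published_ports | awk '$1 == "ALL-INTERFACES"'
}

# Sample input: DNAT lines 1-2 are the rules shown above for -p 80:80 and -P;
# lines 3-4 are constructed to show address-restricted bindings.
sample_rules() {
    cat <<'EOF'
Chain DOCKER (2 references)
 pkts bytes target prot opt in out source destination
    0     0 MASQUERADE tcp -- * * 172.17.0.2 172.17.0.2 tcp dpt:80
    0     0 DNAT tcp -- !docker0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 to:172.17.0.2:80
    0     0 DNAT tcp -- !docker0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:10000 to:172.17.0.2:80
    0     0 DNAT tcp -- !docker0 * 0.0.0.0/0 127.0.0.1 tcp dpt:8080 to:172.17.0.3:80
    0     0 DNAT tcp -- !docker0 * 0.0.0.0/0 172.16.150.135 tcp dpt:8443 to:172.17.0.4:443
EOF
}

sample_rules | audit_published_ports
```

On a Docker host, `iptables -t nat -vnL | exposed_ports` (run as root) lists the mappings that are reachable on every host address.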