I'm really struggling here and googled a lot... no solution worked so far.
I'm running several docker containers (nodejs, mongodb, ...) on my Ubuntu machine. Unfortunately, Docker (v1.6) exposes all ports to the public! Since I have an nginx reverse proxy (also in a docker container), I only want port 80 to be accessible from outside - UFW does not work in this case, since Docker operates on iptables.
So I tried the following suggestions:
- Changed DOCKER_OPTS to the following (and restarted the docker service):
  DOCKER_OPTS="--ip 127.0.0.1 --iptables=false"
- Added the following rules to my iptables (for nodejs port 3001):
  iptables -I PREROUTING 1 -t mangle ! -s 127.0.0.1 -p tcp --dport 3001 -j ACCEPT
  iptables -I PREROUTING 2 -t mangle -p tcp --dport 3001 -j DROP
=> Neither change works?
Are there any other suggestions that might help here?
In short: I only want port 80 (nginx docker container) to be exposed to public... all other (e.g. 3001) should be rejected when not accessed from localhost!
UPDATE:
I forgot to mention that I start the containers with "-p 3001:3000" (e.g. for the nodejs app).
I don't want this port (3001) to be accessible from the web, but only from other containers or the docker host system.
Thank you very much in advance.
Greetz,
Sascha
1 solution
#1
Just drop the -p from your docker run command line.
Container ports will, by default, be available to other containers running on your system without using -p. You just need to know the ip address of the target container. For example, if I start a web server:
$ docker run --name web -d larsks/mini-httpd
And get the ip address:
$ docker inspect --format '{{ .NetworkSettings.IPAddress }}' web
172.17.0.3
Then from the host or any other container I can run something like:
# curl http://172.17.0.3/
I can also use container linking if I don't want to muck around with ip addresses. For example, if the web container above is already running, I can link it to a new container:
$ docker run --link web:web -it alpine sh
And then access it by name:
/ # wget -O- http://web/
<pre>
___ _ __ __ _
|_ _| |_ \ \ / /__ _ __| | _____
| || __| \ \ /\ / / _ \| '__| |/ / __|
| || |_ \ V V / (_) | | | <\__ \_
|___|\__| \_/\_/ \___/|_| |_|\_\___(_)
</pre>
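As an added check that is not part of the question or the answer above: a small POSIX shell audit that reads lines in the format of `docker ps --format '{{.Names}} {{.Ports}}'` and reports every host port published on all interfaces (0.0.0.0, `[::]` or `:::`) that is not on an allow-list, so a mapping like `-p 3001:3000` shows up while a loopback-only bind or an unpublished port does not. The sample lines are constructed to mirror the setup in the question; the `docker ps` format string is assumed.

```shell
#!/bin/sh
# Added audit helper (not from the question or answer): given lines in the
# format of `docker ps --format '{{.Names}} {{.Ports}}'` on stdin, print
# "<container> <host_port>" for every port published on all interfaces
# (0.0.0.0, [::] or :::) whose host port is not in the allow-list given as $1.
# Ports bound to 127.0.0.1 or merely exposed inside the container are skipped.
audit_published_ports() {
  allowed=" $1 "
  while read -r name ports; do
    # one published mapping per line
    printf '%s\n' "$ports" | tr ',' '\n' | while read -r p; do
      case "$p" in
        0.0.0.0:*|'[::]:'*|:::*) ;;   # wildcard bind: examine it
        *) continue ;;                # loopback-only or unpublished
      esac
      hostport=${p##*:}               # strip the address prefix
      hostport=${hostport%%->*}       # keep only the host-side port
      case "$allowed" in *" $hostport "*) continue ;; esac
      printf '%s %s\n' "$name" "$hostport"
    done
  done | sort -u                      # IPv4 and IPv6 binds collapse to one line
}

# Constructed sample of `docker ps` output for the setup in the question.
SAMPLE_PS='web 0.0.0.0:80->80/tcp, [::]:80->80/tcp
nodejs 0.0.0.0:3001->3000/tcp, [::]:3001->3000/tcp
mongo 127.0.0.1:27017->27017/tcp
worker 3000/tcp'

# Only port 80 is meant to be reachable from outside; prints "nodejs 3001".
printf '%s\n' "$SAMPLE_PS" | audit_published_ports 80
```

On a live host, replace the sample with the real `docker ps --format '{{.Names}} {{.Ports}}'` output; any line it prints is a port reachable from outside that the reverse proxy was supposed to be the only entry point for.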