docker-compose端口与暴露端口有什么区别

最新推荐文章于 2024-05-14 19:41:49 发布

CHCH998

最新推荐文章于 2024-05-14 19:41:49 发布

阅读量6.1k

点赞数 1

文章标签： docker docker-compose

原文链接：https://oldbug.net/q/2lCP6/What-is-the-difference-between-docker-compose-ports-vs-expose

版权

本文翻译自：What is the difference between docker-compose ports vs expose

docker-compose.yml ports和expose选项之间有什么区别

#1楼

参考：https://stackoom.com/question/2lCP6/docker-compose端口与暴露端口有什么区别

#2楼

According to the docker-compose reference , 根据docker-compose参考，

Ports is defined as: 端口定义为：

Expose ports . 露出端口。 Either specify both ports (HOST:CONTAINER), or just the container port (a random host port will be chosen). 要么指定两个端口（HOST：CONTAINER），要么仅指定容器端口（将选择一个随机主机端口）。

Ports mentioned in docker-compose.yml will be shared among different services started by the docker-compose. docker-compose.yml中提到的端口将在docker-compose启动的不同服务之间共享。
Ports will be exposed to the host machine to a random port or a given port. 端口将向主机公开一个随机端口或给定端口。

My docker-compose.yml looks like: 我docker-compose.yml看起来像：

mysql:
  image: mysql:5.7
  ports:
    - "3306"

If I do docker-compose ps , it will look like: 如果我做docker-compose ps ，它将看起来像：

  Name                     Command               State            Ports
-------------------------------------------------------------------------------------
  mysql_1       docker-entrypoint.sh mysqld      Up      0.0.0.0:32769->3306/tcp

Expose is defined as: 公开定义为：

Expose ports without publishing them to the host machine - they'll only be accessible to linked services. 公开端口而不将其发布到主机上-只有链接的服务才能访问它们。 Only the internal port can be specified. 只能指定内部端口。

Ports are not exposed to host machines, only exposed to other services. 端口不暴露给主机，仅暴露给其他服务。

mysql:
  image: mysql:5.7
  expose:
    - "3306"

If I do docker-compose ps , it will look like: 如果我做docker-compose ps ，它将看起来像：

  Name                  Command             State    Ports
---------------------------------------------------------------
 mysql_1      docker-entrypoint.sh mysqld   Up      3306/tcp

#3楼

Ports This section is used to define the mapping between the host server and Docker container. 端口此部分用于定义主机服务器和Docker容器之间的映射。

ports:
   - 10005:80

It means the application running inside the container is exposed at port 80. But external system/entity cannot access it, so it need to be mapped to host server port. 这意味着在容器内部运行的应用程序在端口80处公开。但是外部系统/实体无法访问它，因此需要将其映射到主机服务器端口。

Note: you have to open the host port 10005 and modify firewall rules to allow external entities to access the application. 注意：您必须打开主机端口10005并修改防火墙规则，以允许外部实体访问应用程序。

They can use 他们可以使用

http://{host IP}:10005 http：// {主机IP}：10005

something like this 像这样的东西

EXPOSE This is exclusively used to define the port on which application is running inside the docker container. EXPOSE这专门用于定义在Docker容器中运行应用程序的端口。

You can define it in dockerfile as well. 您也可以在dockerfile中定义它。 Generally, it is good and widely used practice to define EXPOSE inside dockerfile because very rarely anyone run them on other port than default 80 port 通常，在dockerfile中定义EXPOSE是一种良好且广泛使用的做法，因为很少有人在默认80端口以外的其他端口上运行它们

#4楼

I totally agree with the answers before. 我完全同意之前的回答。 I just like to mention that the difference between expose and ports is part of the security concept in docker. 我只想提一下，暴露和端口之间的区别是docker安全概念的一部分。 It goes hand in hand with the networking of docker. 它与docker的网络并驾齐驱。 For example: 例如：

Imagine an application with a web front-end and a database back-end. 想象一个具有Web前端和数据库后端的应用程序。 The outside world needs access to the web front-end (perhaps on port 80), but only the back-end itself needs access to the database host and port. 外界需要访问Web前端（也许在端口80上），但是只有后端本身需要访问数据库主机和端口。 Using a user-defined bridge, only the web port needs to be opened, and the database application doesn't need any ports open, since the web front-end can reach it over the user-defined bridge. 使用用户定义的网桥，只需打开Web端口，并且数据库应用程序不需要打开任何端口，因为Web前端可以通过用户定义的网桥到达它。

This is a common use case when setting up a network architecture in docker. 这是在Docker中设置网络架构时的常见用例。 So for example in a default bridge network, not ports are accessible from the outer world. 因此，例如在默认网桥网络中，无法从外部访问端口。 Therefor you can open an ingresspoint with "ports". 因此，您可以使用“端口”打开一个入口点。 With using "expose" you define communication within the network. 通过使用“暴露”，您可以定义网络内的通信。 If you want to expose the default ports you don't need to define "expose" in your docker-compose file. 如果要公开默认端口，则无需在docker-compose文件中定义“公开”。

#5楼

ports : 端口：

Activates the container to listen for specified port(s) from the world outside of the docker(can be same host machine or a different machine) AND also accessible world inside docker. 激活容器以侦听来自docker外部世界的指定端口（可以是同一主机或不同的计算机），也可以从docker内部访问世界。
More than one port can be specified (that's is why ports not port) 可以指定多个端口（这就是为什么端口没有端口的原因）

expose : 暴露：

Activates container to listen for a specific port only from the world inside of docker AND not accessible world outside of the docker. 激活容器以仅侦听docker内部的世界中的特定端口，而不侦听docker外部的世界中的特定端口。
More than one port can be specified 可以指定多个端口

#6楼

Ports 港口

The ports section will publish ports on the host. ports部分将在主机上发布端口。 Docker will setup a forward for a specific port from the host network into the container. Docker将为从主机网络到容器的特定端口设置转发。 By default this is implemented with a userspace proxy process ( docker-proxy ) that listens on the first port, and forwards into the container, which needs to listen on the second point. 默认情况下，这是通过用户空间代理进程（ docker-proxy ）实现的，该进程在第一个端口上侦听，然后转发到需要在第二个端口上侦听的容器。 If the container is not listening on the destination port, you will still see something listening on the host, but get a connection refused if you try to connect to that host port, from the failed forward into your container. 如果容器未在目标端口上侦听，您仍然会在主机上看到某些内容，但是如果尝试连接到该主机端口（从故障转发到容器），则连接将被拒绝。

Note, the container must be listening on all network interfaces since this proxy is not running within the container's network namespace and cannot reach 127.0.0.1 inside the container. 请注意，容器必须在所有网络接口上进行侦听，因为此代理未在容器的网络名称空间内运行，并且无法在容器内部达到127.0.0.1。 The IPv4 method for that is to configure your application to listen on 0.0.0.0 . IPv4的方法是将应用程序配置为侦听0.0.0.0 。

Also note that published ports do not work in the opposite direction. 另请注意，已发布的端口不能以相反的方向工作。 You cannot connect to a service on the host from the container by publishing a port. 您无法通过发布端口从容器连接到主机上的服务。 Instead you'll find docker errors trying to listen to the already-in-use host port. 相反，您会发现尝试侦听已在使用的主机端口的docker错误。

Expose 暴露

Expose is documentation. 公开是文档。 It sets metadata on the image, and when running, on the container too. 它在图像上以及运行时在容器上设置元数据。 Typically you configure this in the Dockerfile with the EXPOSE instruction, and it serves as documentation for the users running your image, for them to know on which ports by default your application will be listening. 通常，您使用EXPOSE指令在Dockerfile中进行配置，它用作运行映像的用户的文档，以使他们知道默认情况下您的应用程序将在哪些端口上侦听。 When configured with a compose file, this metadata is only set on the container. 当配置有撰写文件时，此元数据仅在容器上设置。 You can see the exposed ports when you run a docker inspect on the image or container. 在映像或容器上运行docker inspect时，您可以看到暴露的端口。

There are a few tools that rely on exposed ports. 有一些依赖公开端口的工具。 In docker, the -P flag will publish all exposed ports onto ephemeral ports on the host. 在docker中， -P标志会将所有公开的端口发布到主机上的临时端口上。 There are also various reverse proxies that will default to using an exposed port when sending traffic to your application if you do not explicitly set the container port. 如果没有显式设置容器端口，则当向应用程序发送流量时，还有许多反向代理默认使用暴露端口。

Other than those external tools, expose has no impact at all on the networking between containers. 除了那些外部工具之外，暴露对容器之间的网络完全没有影响。 You only need a common docker network, and connecting to the container port, to access one container from another. 您只需要一个公共的docker网络并连接到容器端口，即可从另一个容器访问一个容器。 If that network is user created (eg not the default bridge network named bridge ), you can use DNS to connect to the other containers. 如果该网络是用户创建的（例如，不是名为bridge的默认桥接网络），则可以使用DNS连接到其他容器。