Expose Docker port internally

docker

I'd like to run a Docker container which only exposes it's ports INTERNALLY within the docker instance on the said host. This means I do NOT want it public.

Hows does one do this from the command line? The code below opens it publicly.

docker run -p 27017:27017 --name mongo mongo

Best Answer

If you execute:

docker run -p 27017:27017 --name mongo mongo

Then docker interprets that as:

docker run -p 0.0.0.0:27017:27017 --name mongo mongo

Which means that the port is accessible from the host, but also externally.

You can verify that by running nmap -p 27017 <host IP> from a different machine against your host. Port 27017 should show up as 'open'.

If you execute:

docker run -p 127.0.0.1:27017:27017 --name mongo mongo

Then the port is only accessible from the host.

You can verify that by running nmap -p 27017 <host IP> from a different machine against your host. Port 27017 should show up as 'closed'.

Finally, if you execute:

docker run --name mongo mongo

Then all ports will be local to the container.

Again, you can verify that by running nmap on your host against the container: nmap -p 27017 <container IP>. Port 27017 should show up as 'closed'.

Related Solutions

Networking – “reply from unexpected source” when DNS server is running as docker container in the docker host

I had the same problem.

For everyone out there facing the same issue:

I'm working in Linux (specifically Ubuntu), I had dnsmasq setup in my host machine. Same setup works in mac, but in Linux, the container inside is not able to resolv to my local dnsmasq, even though I use the correct IP address to point to my machine (not localhost/127.0.0.1). Basically the same setup as above. It didn't work.

After I specifically use network: bridge in all my services,the same IP now connected. So, the problem is, default network in docker engine in Linux is not connected by default to host interfaces. We have to specifically use bridged network for this. Now, why does it work on Mac? I don't know. Probably because the host interfaces were bridged by default in Mac.

Expose fuse mounted inside a docker container

The solution comes from the post s3 mounted inside the container. how to expose it to the host?

In this post is described a solution using glusterFS, requiring more permissions for the container. The docker command used:

docker run --cap-add SYS_ADMIN --device fuse -v host_mount_dir:container_mount_dir:shared IMAGE COMMAND

For an error like "Path /foo is mounted on /foo but it is not a shared mount ...", the reason is that the docker daemon runs in different mount namespace than systemd. This is the solution for making it run in the same namespace:

mkdir -p /etc/systemd/system/docker.service.d/
cat <<EOF > /etc/systemd/system/docker.service.d/clear_mount_propagation_flags.conf
[Service]
MountFlags=shared
EOF

And restart the docker daemon.

A remark is that the mount is visible on the host if mounted into a directory binded by -v.

Best Answer

Related Solutions

Networking – “reply from unexpected source” when DNS server is running as docker container in the docker host

Expose fuse mounted inside a docker container

Related Question