[root@localhost ~]# docker run --name my_nginx -d nginx
7be3673a4c0f8f7ffe79a7b11ab86c4327dacaf734ed574e88e28c1db2243716
[root@localhost ~]# docker ps -a    # The container exposes port 80, but it is not mapped on the host
CONTAINER ID   IMAGE   COMMAND                  CREATED         STATUS         PORTS    NAMES
7be3673a4c0f   nginx   "nginx -g 'daemon ..."   5 seconds ago   Up 4 seconds   80/tcp   my_nginx
[root@localhost ~]# docker exec -it my_nginx /bin/bash    # The nginx container is very minimal; many shell commands are missing, so we cannot look up some of the information we want
root@7be3673a4c0f:/# ip a
bash: ip: command not found
root@7be3673a4c0f:/# ifconfig
bash: ifconfig: command not found
[root@localhost ~]# docker network inspect bridge    # We can use inspect to view the network information
        "Containers": {
            "7be3673a4c0f8f7ffe79a7b11ab86c4327dacaf734ed574e88e28c1db2243716": {
                "Name": "my_nginx",
                "EndpointID": "6fa4eedf32d4a9d75b591d102613944d49a3cd40d2e41ea6c386685584fd09a7",
                "MacAddress": "02:42:ac:11:00:02",
                "IPv4Address": "172.17.0.2/16",    # The container's IP address
                "IPv6Address": ""
            }
        },
[root@localhost ~]# ping 172.17.0.2    # ping succeeds
PING 172.17.0.2 (172.17.0.2) 56(84) bytes of data.
64 bytes from 172.17.0.2: icmp_seq=1 ttl=64 time=0.073 ms
[root@localhost ~]# telnet 172.17.0.2 80    # telnet to port 80 works
Trying 172.17.0.2...
Connected to 172.17.0.2.
Escape character is '^]'.
[root@localhost ~]# curl -I 172.17.0.2    # Accessing port 80 of the nginx container works
HTTP/1.1 200 OK
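Summary: by default, if a newly created container has a service port, it can be reached from the host, but nginx cannot be reached from outside.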
[root@localhost ~]# docker rm -f my_nginx
[root@localhost ~]# docker run --name my_nginx -d -p 80:80 nginx    # Note the format of the -p argument
f1166a72ab910b425cf32b91ababde2a5b6a4fda6db08852bf7a99d925d4985f
[root@localhost ~]# docker ps -a
CONTAINER ID   IMAGE   COMMAND                  CREATED         STATUS         PORTS                NAMES
f1166a72ab91   nginx   "nginx -g 'daemon ..."   3 seconds ago   Up 3 seconds   0.0.0.0:80->80/tcp   my_nginx

The rule here maps 0.0.0.0, which means traffic arriving on all of the host's interfaces is accepted. To set a stricter rule, use -p IP:host_port:container_port or -p IP::port to specify the IP, interface, etc. on the host that is allowed to reach the container.
If you want to bind permanently to a fixed IP address, add the following to the Docker configuration file /etc/docker/daemon.json:
{ "ip": "0.0.0.0" }
Access via the host's IP address (note the port):
[root@localhost ~]# ifconfig eth0|awk 'NR==2{print $2}'
172.16.150.135
[root@localhost ~]# docker rm -f my_nginx
my_nginx
[root@localhost ~]# docker run --name my_nginx -d -P nginx    # -P is used on its own; no port needs to be specified
8f9df2a803766862d08709b77054d35e890ca72c0ea17770dac8b3815278d35b
[root@localhost ~]# docker ps -a
CONTAINER ID   IMAGE   COMMAND                  CREATED         STATUS         PORTS                   NAMES
8f9df2a80376   nginx   "nginx -g 'daemon ..."   5 seconds ago   Up 5 seconds   0.0.0.0:10000->80/tcp   my_nginx

External access (note the port)

Official documentation:
-P, --publish-all=true|false
    Publish all exposed ports to random ports on the host interfaces. The default is false.

    When set to true publish all exposed ports to the host interfaces. The default is false. If the operator uses -P (or -p) then Docker will make the exposed port accessible on the host and the ports will be available to any client that can reach the host. When using -P, Docker will bind any exposed port to a random port on the host within an ephemeral port range defined by /proc/sys/net/ipv4/ip_local_port_range. To find the mapping between the host ports and the exposed ports, use docker port.

-p, --publish=[]
    Publish a container's port, or range of ports, to the host.

    Format: ip:hostPort:containerPort | ip::containerPort | hostPort:containerPort | containerPort
    Both hostPort and containerPort can be specified as a range of ports. When specifying ranges for both, the number of container ports in the range must match the number of host ports in the range.
    (e.g., docker run -p 1234-1236:1222-1224 --name thisWorks -t busybox
    but not docker run -p 1230-1236:1230-1240 --name RangeContainerPortsBiggerThanRangeHostPorts -t busybox)
    With ip: docker run -p 127.0.0.1:$HOSTPORT:$CONTAINERPORT --name CONTAINER -t someimage
    Use docker port to see the actual mapping: docker port CONTAINER $CONTAINERPORT
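-P:

Maps the ports enabled inside the container to random ports on the host. The random port range is read from /proc/sys/net/ipv4/ip_local_port_range:

[root@localhost ~]# cat /proc/sys/net/ipv4/ip_local_port_range
10000 65000

-p:

Lets you specify the port to map; only one container can be bound to a given port. The supported port mapping formats are:

ip:hostport:containerport    # IP specified, host port specified, container port specified
ip::containerport            # IP specified, host port not specified, container port specified
hostport:containerport       # IP not specified, host port specified, container port specified

The -p flag can be used multiple times to bind multiple ports, e.g. -p 00:80 -p 8088:8080

A range can be specified, e.g. -p 1234-1236:1222-1224

Whichever method is used, what actually happens is that the corresponding rules are added to the nat table of the local iptables:

When using -p 80:80: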
[root@localhost ~]# iptables -t nat -vnL|grep :80
0 0 MASQUERADE tcp -- * * 172.17.0.2 172.17.0.2 tcp dpt:80
0 0 DNAT tcp -- !docker0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 to:172.17.0.2:80
When using -P:
[root@localhost ~]# iptables -t nat -vnL|grep :80
0 0 MASQUERADE tcp -- * * 172.17.0.2 172.17.0.2 tcp dpt:80
0 0 DNAT tcp -- !docker0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:10000 to:172.17.0.2:80
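
An added example (not from the original post): a small POSIX shell audit that reads the PORTS column in the form shown in the `docker ps` output above and reports every mapping bound to all host interfaces, which is what `-p 80:80` and `-P` produce. The container names and the loopback entry in the sample are constructed, and the `name<TAB>ports` input shape assumes `docker ps --format '{{.Names}}\t{{.Ports}}'`.

```shell
#!/bin/sh
# Classify one entry from the PORTS column of `docker ps`.
# Prints one of: unpublished | all-interfaces | loopback | specific-ip
classify_port_entry() {
    e=$1
    case $e in
        *'->'*) ;;                        # published: "bind:hostport->cport/proto"
        *) echo unpublished; return 0 ;;  # e.g. "80/tcp": reachable on the bridge only
    esac
    host_side=${e%%->*}                   # "0.0.0.0:80", ":::80" or "[::]:80"
    bind_ip=${host_side%:*}               # strip the trailing ":hostport"
    case $bind_ip in
        0.0.0.0|::|'[::]') echo all-interfaces ;;
        127.*|::1|'[::1]') echo loopback ;;
        *)                 echo specific-ip ;;
    esac
}

# Read "name<TAB>ports" lines and print "name mapping" for every mapping
# that any client able to reach the host can connect to.
audit_ports() {
    while IFS="$(printf '\t')" read -r name ports; do
        old_ifs=$IFS; IFS=','
        for entry in $ports; do
            entry=${entry# }              # drop the space that follows each comma
            if [ "$(classify_port_entry "$entry")" = all-interfaces ]; then
                echo "$name $entry"
            fi
        done
        IFS=$old_ifs
    done
}

# Constructed sample input; the port mappings mirror the ones on this page,
# plus one loopback-only binding (-p 127.0.0.1:8080:80) for contrast.
sample_ps_output() {
    printf 'web_default\t80/tcp\n'
    printf 'web_all\t0.0.0.0:80->80/tcp, :::80->80/tcp\n'
    printf 'web_random\t0.0.0.0:10000->80/tcp\n'
    printf 'web_local\t127.0.0.1:8080->80/tcp\n'
}

# On a real host: docker ps --format '{{.Names}}\t{{.Ports}}' | audit_ports
sample_ps_output | audit_ports
```
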