zlacker

[parent] [thread] 4 comments
1. tomjen+(OP)[view] [source] 2025-01-05 20:23:41
To run Docker, you need to be an admin or in the Docker group, which warns you that it is equivalent to having sudo rights, AKA be an admin.

As for it not being explicitly permitted, no ports are exposed by default. You must provide the docker run command with -p, for each port you want exposed. From their perspective, they're just doing exactly what you told them to do.

Personally, I think it should default to giving you an error unless you specified what IPs to listen to, but this is far from a big of an issue as people make it out to be.

The biggest issue is that it is a ginormous foot gun for people who don't know Docker.

replies(1): >>diggan+74
2. diggan+74[view] [source] 2025-01-05 20:58:19
>>tomjen+(OP)
I don't remember the particular syntax, but isn't there a different to binding a port on the address the container runs on, VS binding a port on the host address?

Maybe it's the difference between "-P" and "-p", or specifying both "8080:8080" instead of "8080", but there is a difference, especially since one wouldn't be reachable outside of your machine and the other one would be on worse case trying to bind 0.0.0.0.

replies(2): >>johnta+Ir >>tomjen+1Q1
◧◩
3. johnta+Ir[view] [source] [discussion] 2025-01-06 00:49:19
>>diggan+74
You can specify the interface address to listen on, like "127.0.0.1:8080:8080" or "192.168.1.100:8080:8080". I have a lot of containers exposed like this but bind specifically to a vpn ip on the host so that they don't get exposed externally by default.
replies(1): >>diggan+0p1
◧◩◪
4. diggan+0p1[view] [source] [discussion] 2025-01-06 12:45:29
>>johnta+Ir
The trouble is that docker seems to default to using 0.0.0.0, so if you do `docker run -it -p 8080 node:latest` for example, now that container accepts incoming connections on port :32768 or whatever docker happens to assign it, which is bananas default behavior.
◧◩
5. tomjen+1Q1[view] [source] [discussion] 2025-01-06 16:13:40
>>diggan+74
-p exposes the port from the container on a specific port on the host machine. -P does the same, but for all ports listed as exposed in the container.

If you just run a container, it will expose zero ports, regardless of any config made in the Docker image or container.

The way you're supposed to use Docker is to create a Docker network, attach the various containers there, and expose only the ports on specific containers that you need external access to. All containers in any network can connect to each other, with zero exposed external ports.

The trouble is just that this is not really explained well for new users, and so ends up being that aforementioned foot gun.

[go to top]