即使该端口被iptables阻止,运行服务器的Docker容器为什么仍将端口暴露给外界?

24

我在Docker容器中运行MySQL时遇到问题。我的测试映像是从以下Dockerfile构建的:

# See: https://index.docker.io/u/brice/mysql/

FROM ubuntu:12.10
MAINTAINER Joni Kahara <joni.kahara@async.fi> 

# Because docker replaces /sbin/init: https://github.com/dotcloud/docker/issues/1024
RUN dpkg-divert --local --rename --add /sbin/initctl
RUN ln -s /bin/true /sbin/initctl

RUN apt-get update
RUN apt-get upgrade -y

RUN apt-get -y install mysql-server

RUN sed -i -e"s/^bind-address\s*=\s*127.0.0.1/bind-address = 0.0.0.0/" /etc/mysql/my.cnf

RUN /usr/bin/mysqld_safe & \
    sleep 10s && \
    mysql -e "GRANT ALL ON *.* to 'root'@'%'; FLUSH PRIVILEGES;"

EXPOSE 3306

VOLUME ["/var/lib/mysql", "/var/log/mysql"]

CMD ["mysqld_safe"]

从上面的文件构建图像后,我使用以下命令运行它:

docker run -p 3306:3306 asyncfi/magento-mysql

之后一切都变好了,我可以从本地计算机登录到该MySQL实例。但是,我也可以从任何其他机器登录。

我已经设置了防火墙,以过滤除进入特定端口(“隐藏”的SSH,HTTP,HTTPS)的流量以外的所有内容,实际上,这种过滤似乎确实有效。例如,如果我在端口1234上运行Django开发服务器,则可以从本地计算机进行连接,但不能从外部进行连接。因此,当防火墙将数据包发送到作为“普通”进程运行的服务器时,而不是在服务器在容器中运行时,防火墙似乎正在对它们进行过滤。

iptables -L -v --line-numbers表示以下内容:

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     2265  107K ACCEPT     all  --  lo     any     anywhere             anywhere
2     240K  319M ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
3       14  1040 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:<REDACTED>
4       21  1092 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:http
5        6   360 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:https
6      538 34656 LOG        all  --  any    any     anywhere             anywhere             limit: avg 5/min burst 5 LOG level debug prefix "iptables DROP: "
7      551 35424 DROP       all  --  any    any     anywhere             anywhere

Chain FORWARD (policy ACCEPT 5 packets, 296 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     all  --  docker0 docker0  anywhere             anywhere
2     6752  396K ACCEPT     all  --  docker0 !docker0  anywhere             anywhere
3     125K  188M ACCEPT     all  --  any    docker0  anywhere             anywhere             ctstate RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT 51148 packets, 14M bytes)
num   pkts bytes target     prot opt in     out     source               destination

Docker版本为:

Client version: 0.7.3
Go version (client): go1.2
Git commit (client): 8502ad4
Server version: 0.7.3
Git commit (server): 8502ad4
Go version (server): go1.2
Last stable version: 0.7.3

为什么将MySQL端口暴露给外界?

iptables  docker 
hara原
source

Answers:

28

感谢#docker IRC频道用户Michael Crosby和Paul Czar,我现在能够回答我自己的问题。问题在于我这样运行容器:

docker run -p 3306:3306 asyncfi/magento-mysql

这会将容器的端口发布到主机的所有接口,这绝对不是我目前正在寻找的端口。要仅绑定到本地主机,必须按以下方式运行容器:

docker run -p 127.0.0.1:3306:3306 asyncfi/magento-mysql

另外EXPOSE,Dockerfile中的行不是必需的,因为使用了“暴露”机制来链接容器

hara原
source
By using our site, you acknowledge that you have read and understand our Cookie Policy and Privacy Policy.
Licensed under cc by-sa 3.0 with attribution required.