github.com/brahmaroutu/docker@v1.2.1-0.20160809185609-eb28dde01f16/docs/userguide/networking/default_network/binding.md (about)

<!--[metadata]>
+++
title = "Bind container ports to the host"
description = "expose, port, docker, bind publish"
keywords = ["Examples, Usage, network, docker, documentation, user guide, multihost, cluster"]
[menu.main]
parent = "smn_networking_def"
+++
<![end-metadata]-->

# Bind container ports to the host

This section explains how to bind container ports to the host within the Docker default bridge. This is a network of type `bridge`, named `bridge`, that Docker creates automatically when you install it.

> **Note**: The [Docker networks feature](../dockernetworks.md) allows you to
create user-defined networks in addition to the default bridge network.

By default Docker containers can make connections to the outside world, but the
outside world cannot connect to containers. Each outgoing connection will
appear to originate from one of the host machine's own IP addresses thanks to an
`iptables` masquerading rule on the host machine that the Docker server creates
when it starts:

```
$ sudo iptables -t nat -L -n

...
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  172.17.0.0/16       0.0.0.0/0
...
```

The masquerade rule rewrites the source address of traffic leaving the
`172.17.0.0/16` container subnet, which is what lets containers connect to IP
addresses in the outside world.

If you want containers to accept incoming connections, you will need to provide
special options when invoking `docker run`. There are two approaches.

First, you can supply `-P` or `--publish-all=true|false` to `docker run`. This
is a blanket operation that identifies every port with an `EXPOSE` line in the
image's `Dockerfile` or an `--expose <port>` command-line flag and maps it to a
host port somewhere within an _ephemeral port range_. Because the host port is
chosen for you, use the `docker port` command to inspect the mapping that was
created. The _ephemeral port range_ is configured by the
`/proc/sys/net/ipv4/ip_local_port_range` kernel parameter, typically ranging
from 32768 to 61000.

Second, you can specify a mapping explicitly with the `-p SPEC` or
`--publish=SPEC` option. It lets you choose which port on the Docker server,
which can be any port at all, not just one within the _ephemeral port range_,
is mapped to which port in the container.

Either way, you can see what Docker has done to your network stack by
examining the NAT tables:

```
# What your NAT rules might look like when Docker
# is finished setting up a -P forward:

$ iptables -t nat -L -n

...
Chain DOCKER (2 references)
target     prot opt source               destination
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:49153 to:172.17.0.2:80

# What your NAT rules might look like when Docker
# is finished setting up a -p 80:80 forward:

Chain DOCKER (2 references)
target     prot opt source               destination
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:172.17.0.2:80
```

You can see that Docker has exposed these container ports on `0.0.0.0`, the
wildcard address that matches every IP address configured on the host, so the
service is reachable through every interface the host has. Note also that the
`DNAT` rule rewrites the packet before the host's `INPUT` chain is consulted:
the forwarded traffic traverses the `FORWARD` chain instead, so host firewall
rules that only filter `INPUT` do not restrict a published port. If you want to
be more restrictive and only allow container services to be contacted through
a specific external interface on the host machine, you have two choices. When
you invoke `docker run` you can use either `-p IP:host_port:container_port` or
`-p IP::container_port` (which lets Docker pick the host port from the
ephemeral range) to specify the address for one particular binding.

Or, if you always want Docker port forwards to bind to one specific IP address,
you can edit your system-wide Docker server settings and add the option
`--ip=IP_ADDRESS`. Remember to restart your Docker server after editing this
setting.

> **Note**: With hairpin NAT enabled (`--userland-proxy=false`), container port
exposure is achieved purely through iptables rules, and no attempt to bind the
exposed port on the host is ever made. This means that nothing prevents a
container from shadowing a service that was already listening on the host
outside of Docker by publishing the same port. In such a conflict, the iptables
rules Docker created take precedence and route the traffic to the container.
Check the host's listening sockets (for example with `ss -ltn`) against the
`DOCKER` chain before publishing a port.

The `--userland-proxy` parameter, true by default, provides a userland
implementation (the `docker-proxy` process) for inter-container and
outside-to-container communication; because the proxy binds the host port
itself, a port that is already in use is detected when the container starts.
When disabled, Docker instead uses an additional `MASQUERADE` iptables rule and
the `net.ipv4.route_localnet` kernel parameter, which together allow the host
machine to connect to a local container's published port through the commonly
used loopback address. This alternative is preferred for performance reasons.
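
The two checks described above, a published port bound to the wildcard address
and a host service shadowed by a published port, can be scripted. The following
shell script is an added example and is not code from the Docker documentation
or code base. It parses the output shapes of `iptables -t nat -L DOCKER -n` and
`ss -ltn`; the two samples embedded in it (the `DOCKER` chain rules, the
container addresses and the host listeners) are constructed for this example,
not captured from a real host.

```shell
#!/bin/sh
# Added example, not part of the Docker docs or code base: audit the DOCKER
# nat chain for published ports reachable on every host address, and for host
# services that a published port would shadow under --userland-proxy=false.

# Constructed sample of "iptables -t nat -L DOCKER -n" (assumed, not captured).
SAMPLE_NAT='Chain DOCKER (2 references)
target     prot opt source               destination
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:49153 to:172.17.0.2:80
DNAT       tcp  --  0.0.0.0/0            127.0.0.1            tcp dpt:5432 to:172.17.0.3:5432
DNAT       udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:53 to:172.17.0.4:53
RETURN     all  --  0.0.0.0/0            0.0.0.0/0'

# Constructed sample of "ss -ltn" (assumed, not captured): sshd on every
# address and a database server on loopback, both running outside Docker.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    127.0.0.1:5432     0.0.0.0:*'

# One line per DNAT rule: bind-address proto host-port container-dest verdict.
# The "destination" column of iptables -L -n is the address the host port is
# bound to; 0.0.0.0/0 means every interface.
dnat_rules() {
    awk '$1 == "DNAT" {
        hport = ""; dest = ""
        for (i = 6; i <= NF; i++) {
            if ($i ~ /^dpt:/) hport = substr($i, 5)
            if ($i ~ /^to:/)  dest  = substr($i, 4)
        }
        verdict = ($5 == "0.0.0.0/0") ? "ALL-INTERFACES" : "RESTRICTED"
        printf "%s %s %s %s %s\n", $5, $2, hport, dest, verdict
    }'
}

# Port number of every TCP listener in ss -ltn output (last ":"-separated
# field of the local address, which also handles "[::]:22").
tcp_listen_ports() {
    awk '$1 == "LISTEN" { n = split($4, a, ":"); print a[n] }'
}

# How many published ports are bound to the wildcard address.
count_wildcard() {
    printf '%s\n' "$1" | dnat_rules | grep -c 'ALL-INTERFACES$'
}

# Host TCP ports that also appear as a DNAT host port: with the userland proxy
# disabled the iptables rule wins and the host service is shadowed.
shadowed_ports() {
    rules=$(printf '%s\n' "$1" | dnat_rules | awk '$2 == "tcp" { print $3 }')
    printf '%s\n' "$2" | tcp_listen_ports | while read -r port; do
        for r in $rules; do
            if [ "$r" = "$port" ]; then
                echo "$port"
            fi
        done
    done
}

echo "Published ports:"
printf '%s\n' "$SAMPLE_NAT" | dnat_rules
echo "Bound to every interface: $(count_wildcard "$SAMPLE_NAT")"
echo "Host services shadowed by a published port:"
shadowed_ports "$SAMPLE_NAT" "$SAMPLE_SS"
```

On a real host, feed the script the live output of `iptables -t nat -L DOCKER -n`
and `ss -ltn` instead of the samples. Only TCP listeners are compared for
shadowing; a published UDP port is still reported with its bind address, but
checking it against host UDP sockets would need `ss -lun` in the same way.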

## Related information

- [Understand Docker container networks](../dockernetworks.md)
- [Work with network commands](../work-with-networks.md)
- [Legacy container links](dockerlinks.md)