github.com/endocode/docker@v1.4.2-0.20160113120958-46eb4700391e/docs/userguide/networking/default_network/binding.md

github.com/endocode/docker@v1.4.2-0.20160113120958-46eb4700391e/docs/userguide/networking/default_network/binding.md (about)

     1  <!--[metadata]>
     2  +++
     3  title = "Bind container ports to the host"
     4  description = "expose, port, docker, bind publish"
     5  keywords = ["Examples, Usage, network, docker, documentation, user guide, multihost, cluster"]
     6  [menu.main]
     7  parent = "smn_networking_def"
     8  +++
     9  <![end-metadata]-->
    10  
    11  # Bind container ports to the host
    12  
    13  The information in this section explains binding container ports within the Docker default bridge. This is a `bridge` network named `bridge` created automatically when you install Docker.
    14  
    15  > **Note**: The [Docker networks feature](../dockernetworks.md) allows you to
    16  create user-defined networks in addition to the default bridge network.
    17  
    18  By default Docker containers can make connections to the outside world, but the
    19  outside world cannot connect to containers. Each outgoing connection will
    20  appear to originate from one of the host machine's own IP addresses thanks to an
    21  `iptables` masquerading rule on the host machine that the Docker server creates
    22  when it starts:
    23  
    24  ```
    25  $ sudo iptables -t nat -L -n
    26  ...
    27  Chain POSTROUTING (policy ACCEPT)
    28  target     prot opt source               destination
    29  MASQUERADE  all  --  172.17.0.0/16       0.0.0.0/0
    30  ...
    31  ```
    32  The Docker server creates a masquerade rule that let containers connect to IP
    33  addresses in the outside world.
    34  
    35  If you want containers to accept incoming connections, you will need to provide
    36  special options when invoking `docker run`. There are two approaches.
    37  
    38  First, you can supply `-P` or `--publish-all=true|false` to `docker run` which
    39  is a blanket operation that identifies every port with an `EXPOSE` line in the
    40  image's `Dockerfile` or `--expose <port>` commandline flag and maps it to a host
    41  port somewhere within an _ephemeral port range_. The `docker port` command then
    42  needs to be used to inspect created mapping. The _ephemeral port range_ is
    43  configured by `/proc/sys/net/ipv4/ip_local_port_range` kernel parameter,
    44  typically ranging from 32768 to 61000.
    45  
    46  Mapping can be specified explicitly using `-p SPEC` or `--publish=SPEC` option.
    47  It allows you to particularize which port on docker server - which can be any
    48  port at all, not just one within the _ephemeral port range_ -- you want mapped
    49  to which port in the container.
    50  
    51  Either way, you should be able to peek at what Docker has accomplished in your
    52  network stack by examining your NAT tables.
    53  
    54  ```
    55  # What your NAT rules might look like when Docker
    56  # is finished setting up a -P forward:
    57  
    58  $ iptables -t nat -L -n
    59  ...
    60  Chain DOCKER (2 references)
    61  target     prot opt source               destination
    62  DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:49153 to:172.17.0.2:80
    63  
    64  # What your NAT rules might look like when Docker
    65  # is finished setting up a -p 80:80 forward:
    66  
    67  Chain DOCKER (2 references)
    68  target     prot opt source               destination
    69  DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:172.17.0.2:80
    70  ```
    71  
    72  You can see that Docker has exposed these container ports on `0.0.0.0`, the
    73  wildcard IP address that will match any possible incoming port on the host
    74  machine. If you want to be more restrictive and only allow container services to
    75  be contacted through a specific external interface on the host machine, you have
    76  two choices. When you invoke `docker run` you can use either `-p
    77  IP:host_port:container_port` or `-p IP::port` to specify the external interface
    78  for one particular binding.
    79  
    80  Or if you always want Docker port forwards to bind to one specific IP address,
    81  you can edit your system-wide Docker server settings and add the option
    82  `--ip=IP_ADDRESS`. Remember to restart your Docker server after editing this
    83  setting.
    84  
    85  > **Note**: With hairpin NAT enabled (`--userland-proxy=false`), containers port
    86  exposure is achieved purely through iptables rules, and no attempt to bind the
    87  exposed port is ever made. This means that nothing prevents shadowing a
    88  previously listening service outside of Docker through exposing the same port
    89  for a container. In such conflicting situation, Docker created iptables rules
    90  will take precedence and route to the container.
    91  
    92  The `--userland-proxy` parameter, true by default, provides a userland
    93  implementation for inter-container and outside-to-container communication. When
    94  disabled, Docker uses both an additional `MASQUERADE` iptable rule and the
    95  `net.ipv4.route_localnet` kernel parameter which allow the host machine to
    96  connect to a local container exposed port through the commonly used loopback
    97  address: this alternative is preferred for performance reasons.
    98  
    99  ## Related information
   100  
   101  - [Understand Docker container networks](../dockernetworks.md)
   102  - [Work with network commands](../work-with-networks.md)
   103  - [Legacy container links](dockerlinks.md)