
Docker service is publicly exposed even though the port is only published to localhost


I created a service and exposed it on localhost on my docker swarm node, but I can access the service publicly.

I deleted and redeployed the docker stack, but the same problem persists.

Here is my docker-compose.yml I have used to deploy the service in stack

version: "3"
networks:
    api-net:
        ipam:
            config:
                - subnet: 10.0.10.0/24

services:
    health-api:
        image: myprivateregistry:5000/healthapi:qa
        ports:
            - "127.0.0.1:9010:9010"
        networks:
            - api-net
        depends_on:
            - config-server
        deploy:
            mode: replicated
            replicas: 1
            placement:
                constraints:
                    - node.role == manager

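I have not added the service it depends on, because I don't think that is where the problem lies.

A few people have said that this is not supported in docker swarm mode, but not what the solution is in that case.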

2 Answers

  • -1

    Quoting https://github.com/moby/moby/issues/32299#issuecomment-290978794

    On swarm mode, if you publish something (ports for stack deploy), it is published on the ingress network, and thus it is public. There are a few ways to get around, but putting kind/bug on that because we should at least warn people about that when doing a stack deploy with ports that have this notation (i.e. host:port:port).
    
    To work around this, there are a few ways:
    
    - first, you should publish mongo ports only if you want it to be public, otherwise, it is available through the name discovery bundle in docker (another container/service on the same network will be able to reach it through mongo dns name).
    - If you want to publish it in the host and not in ingress (so not swarm public, just on the host it is running, same way as without swarm mode), you need to use ports expanded syntax.
    
    ... (example and some more details regarding the effect of the extended syntax).
    

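    So the cause is Swarm's ingress network, which makes every port publicly available. The workaround using the extended syntax does not bind to the loopback interface but to the host's 0.0.0.0 interface, which is still an improvement compared with exposing the port externally through the ingress network.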
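
The expanded ports syntax mentioned in the answer above, applied to the question's stack file. This is an added example, not part of the original question or answers; `depends_on` is left out because `config-server` is not shown on the page, and the `version` bump assumes a Docker release that accepts compose file format 3.2.

```yaml
# Added example: the question's stack file with the long ports syntax.
version: "3.2"   # the long ports syntax needs compose file format 3.2 or later
networks:
    api-net:
        ipam:
            config:
                - subnet: 10.0.10.0/24

services:
    health-api:
        image: myprivateregistry:5000/healthapi:qa
        # Before (from the question): under `docker stack deploy` this is
        # published on the ingress network, so 9010 is reachable on every
        # swarm node despite the 127.0.0.1 prefix.
        # ports:
        #     - "127.0.0.1:9010:9010"
        ports:
            - target: 9010       # port inside the container
              published: 9010    # port opened on the node running the task
              protocol: tcp
              mode: host         # skip ingress; listens on 0.0.0.0 of that node only
        networks:
            - api-net
        deploy:
            mode: replicated
            replicas: 1
            placement:
                constraints:
                    - node.role == manager
```

With `mode: host` the port is still open on all interfaces of the manager node that runs the task, so it has to be restricted at the host or network firewall. If only other services attached to `api-net` call the API, the `ports` section can be removed entirely and the service reached by its name, as the quoted comment suggests.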

  • 4

    To access it in swarm mode, you need to expose the port to the same or another port outside the container.

    Something like this:

    ports:
        - "80:80"
        - "443:443"
    
