
Docker Containers' Network Access Configuration

I'm struggling to configure my docker-compose file in order to achieve the structure below. The web container needs to be accessible from virtual PCs and physical devices (local and external), but the Keycloak container needs to be accessible only by the web container. How can I achieve this?

(Diagram: Desired Network Structure)

The web container starts a Flask app exposed on port 5000.

My docker-compose file currently:

version: '2'
services:
  web:
    build: .
    ports:
      - '5000:5000'
    volumes:
      - .:/app
    depends_on:
      - keycloak
  keycloak:
    container_name: keycloak
    image: jboss/keycloak:13.0.1
    ports:
      - '8080:8080'
    environment:
      KEYCLOAK_USER: admin
      KEYCLOAK_PASSWORD: admin

If a container doesn't have ports:, it (mostly*) isn't accessible from outside of Docker. If your goal is to have the container only be accessible from other containers, you can just delete ports:.

In comments you ask about the container being reachable from other containers. So long as both containers are on the same Docker network (or the same Compose-provided default network) they can communicate using the other container's Compose service name and the port the process inside the container is listening on. ports: aren't required, and they're ignored if they're present.

So in your setup, it should be enough to remove the ports: from the keycloak container.

version: '2.4'
services:
  web:
    build: .
    ports:
      - '5000:5000'
    depends_on:
      - keycloak
    # can call keycloak:8080
  keycloak:
    image: jboss/keycloak:13.0.1
    environment: { ... }
    # no ports:, container_name: is also unnecessary

(*) On a native-Linux host, the container's Docker-internal IP address will be reachable from the same host, but not other hosts, if you have some way of finding it (including port-scanning 172.16.0.0/20). If someone can run docker commands then they can also easily attach other containers to the same network and gain access to the container, but if they can run docker commands then they can also pretty straightforwardly root the entire host.
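As an added check that is not part of the original answer, the script below parses docker inspect output and flags any container meant to stay internal (here keycloak) that still publishes host ports, and confirms the containers share a Docker network so web can reach keycloak:8080 by service name. The two JSON documents are constructed samples standing in for the "before" and "after" Compose files above; the internal_only parameter and the project_default network name are assumptions.

```python
import json

# Constructed sample of `docker inspect web keycloak` output (trimmed to the
# fields this check reads) for the original file, where keycloak publishes 8080.
BEFORE = json.dumps([
    {"Name": "/project_web_1",
     "HostConfig": {"PortBindings": {"5000/tcp": [{"HostIp": "", "HostPort": "5000"}]}},
     "NetworkSettings": {"Networks": {"project_default": {"IPAddress": "172.18.0.3"}}}},
    {"Name": "/keycloak",
     "HostConfig": {"PortBindings": {"8080/tcp": [{"HostIp": "", "HostPort": "8080"}]}},
     "NetworkSettings": {"Networks": {"project_default": {"IPAddress": "172.18.0.2"}}}},
])
# Same containers after `ports:` was removed from keycloak (also constructed).
AFTER = json.dumps([
    {"Name": "/project_web_1",
     "HostConfig": {"PortBindings": {"5000/tcp": [{"HostIp": "", "HostPort": "5000"}]}},
     "NetworkSettings": {"Networks": {"project_default": {"IPAddress": "172.18.0.3"}}}},
    {"Name": "/keycloak",
     "HostConfig": {"PortBindings": {}},
     "NetworkSettings": {"Networks": {"project_default": {"IPAddress": "172.18.0.2"}}}},
])

def published_ports(container):
    """List a container's host-published ports as 'hostip:hostport->cport'."""
    bindings = container.get("HostConfig", {}).get("PortBindings") or {}
    result = []
    for cport, hosts in bindings.items():
        for h in hosts or []:
            # Docker reports an empty HostIp when the port is bound on all interfaces.
            result.append(f"{h.get('HostIp') or '0.0.0.0'}:{h['HostPort']}->{cport}")
    return result

def audit(inspect_json, internal_only):
    """Return (ports per container, internal containers that still publish ports,
    networks shared by every container)."""
    containers = json.loads(inspect_json)
    ports = {c["Name"].lstrip("/"): published_ports(c) for c in containers}
    # Any container in internal_only that publishes a port is reachable from outside Docker.
    violations = sorted(n for n in internal_only if ports.get(n))
    # Containers talk by service name only if they share at least one Docker network.
    nets = [set(c["NetworkSettings"]["Networks"]) for c in containers]
    shared = set.intersection(*nets) if nets else set()
    return ports, violations, shared

if __name__ == "__main__":
    for label, data in (("before", BEFORE), ("after", AFTER)):
        ports, bad, shared = audit(data, internal_only=["keycloak"])
        print(label, ports, "violations:", bad, "shared networks:", sorted(shared))
```

On a real host, replace the constructed samples with the output of docker inspect for the running Compose containers.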
