Mixing
Why use EXPOSE in Dockerfile — since you can bind to all ports anyways
Clash Royale CLAN TAG#URR8PPP
up vote
17
down vote
favorite
I can docker run -p 3000:3000 image without EXPOSEing that port in the container (see below). If that's true, then why bother putting EXPOSE in the Dockerfile? Is it just for communication to image users? Because I don't know of a functional reason to EXPOSE ports if they are all bindable anyways.
Here are the steps showing me binding to a port in a container despite the fact it is not EXPOSEd
$ cat Dockerfile
FROM alpine
RUN apk add nodejs npm vim
COPY webserver /webserver
CMD [ "node", "/webserver/index.js" ]
$ docker build .
Sending build context to Docker daemon 1.931MB
Step 1/4 : FROM alpine
---> 11cd0b38bc3c
Step 2/4 : RUN apk add nodejs npm vim
---> Using cache
---> 4270f8bdb201
Step 3/4 : COPY webserver /webserver
---> Using cache
---> 67f4cda61ff0
Step 4/4 : CMD [ "node", "/webserver/index.js" ]
---> Using cache
---> 1df8f9024b85
Successfully built 1df8f9024b85
$ curl localhost:4400
curl: (7) Failed to connect to localhost port 4400: Connection refused
$ docker run -d -p 4400:3000 1df8f9024b85
7d0e6c56f8ad8827fe72830a30c1aac96821104b8ea111291ca39e6536aad8fd
$ curl localhost:4400
Hello World!
$
docker dockerfile ports
asked Aug 29 at 15:06
Alexander Bird
1886
add a comment |Â
up vote
17
down vote
favorite
I can docker run -p 3000:3000 image without EXPOSEing that port in the container (see below). If that's true, then why bother putting EXPOSE in the Dockerfile? Is it just for communication to image users? Because I don't know of a functional reason to EXPOSE ports if they are all bindable anyways.
Here are the steps showing me binding to a port in a container despite the fact it is not EXPOSEd
$ cat Dockerfile
FROM alpine
RUN apk add nodejs npm vim
COPY webserver /webserver
CMD [ "node", "/webserver/index.js" ]
$ docker build .
Sending build context to Docker daemon 1.931MB
Step 1/4 : FROM alpine
---> 11cd0b38bc3c
Step 2/4 : RUN apk add nodejs npm vim
---> Using cache
---> 4270f8bdb201
Step 3/4 : COPY webserver /webserver
---> Using cache
---> 67f4cda61ff0
Step 4/4 : CMD [ "node", "/webserver/index.js" ]
---> Using cache
---> 1df8f9024b85
Successfully built 1df8f9024b85
$ curl localhost:4400
curl: (7) Failed to connect to localhost port 4400: Connection refused
$ docker run -d -p 4400:3000 1df8f9024b85
7d0e6c56f8ad8827fe72830a30c1aac96821104b8ea111291ca39e6536aad8fd
$ curl localhost:4400
Hello World!
$
docker dockerfile ports
asked Aug 29 at 15:06
Alexander Bird
1886
add a comment |Â
up vote
17
down vote
favorite
up vote
17
down vote
favorite
I can docker run -p 3000:3000 image without EXPOSEing that port in the container (see below). If that's true, then why bother putting EXPOSE in the Dockerfile? Is it just for communication to image users? Because I don't know of a functional reason to EXPOSE ports if they are all bindable anyways.
Here are the steps showing me binding to a port in a container despite the fact it is not EXPOSEd
$ cat Dockerfile
FROM alpine
RUN apk add nodejs npm vim
COPY webserver /webserver
CMD [ "node", "/webserver/index.js" ]
$ docker build .
Sending build context to Docker daemon 1.931MB
Step 1/4 : FROM alpine
---> 11cd0b38bc3c
Step 2/4 : RUN apk add nodejs npm vim
---> Using cache
---> 4270f8bdb201
Step 3/4 : COPY webserver /webserver
---> Using cache
---> 67f4cda61ff0
Step 4/4 : CMD [ "node", "/webserver/index.js" ]
---> Using cache
---> 1df8f9024b85
Successfully built 1df8f9024b85
$ curl localhost:4400
curl: (7) Failed to connect to localhost port 4400: Connection refused
$ docker run -d -p 4400:3000 1df8f9024b85
7d0e6c56f8ad8827fe72830a30c1aac96821104b8ea111291ca39e6536aad8fd
$ curl localhost:4400
Hello World!
$
docker dockerfile ports
asked Aug 29 at 15:06
Alexander Bird
1886
I can docker run -p 3000:3000 image without EXPOSEing that port in the container (see below). If that's true, then why bother putting EXPOSE in the Dockerfile? Is it just for communication to image users? Because I don't know of a functional reason to EXPOSE ports if they are all bindable anyways.
Here are the steps showing me binding to a port in a container despite the fact it is not EXPOSEd
$ cat Dockerfile
FROM alpine
RUN apk add nodejs npm vim
COPY webserver /webserver
CMD [ "node", "/webserver/index.js" ]
$ docker build .
Sending build context to Docker daemon 1.931MB
Step 1/4 : FROM alpine
---> 11cd0b38bc3c
Step 2/4 : RUN apk add nodejs npm vim
---> Using cache
---> 4270f8bdb201
Step 3/4 : COPY webserver /webserver
---> Using cache
---> 67f4cda61ff0
Step 4/4 : CMD [ "node", "/webserver/index.js" ]
---> Using cache
---> 1df8f9024b85
Successfully built 1df8f9024b85
$ curl localhost:4400
curl: (7) Failed to connect to localhost port 4400: Connection refused
$ docker run -d -p 4400:3000 1df8f9024b85
7d0e6c56f8ad8827fe72830a30c1aac96821104b8ea111291ca39e6536aad8fd
$ curl localhost:4400
Hello World!
$
docker dockerfile ports
asked Aug 29 at 15:06
Alexander Bird
1886
asked Aug 29 at 15:06
Alexander Bird
1886
asked Aug 29 at 15:06
Alexander Bird
1886
asked Aug 29 at 15:06
Alexander Bird
1886
1886
add a comment |Â
add a comment |Â
2 Answers
2
active
oldest
votes
up vote
22
down vote
accepted
Docker's EXPOSE documentation addresses this specific point:
The
EXPOSEinstruction does not actually publish the port. It
functions as a type of documentation between the person who builds the
image and the person who runs the container, about which ports are
intended to be published. To actually publish the port when running
the container, use the-pflag ondocker runto publish and map
one or more ports, or the-Pflag to publish all exposed ports and
map them to high-order ports.
Pay attention to the last sentence, if you expose multiple ports then -P becomes useful to avoid setting multiple -p on the command line.
edited Sep 1 at 17:28
chicks
8301319
answered Aug 29 at 15:09
Tensibai♦
7,73321644
The "documentation" is in the form of image metadata. In addition to being useful to the-Pflag, other utilities can query the running containers for this metadata, which is useful in proxies that dynamically update their forwarding rules using these exposed ports as their defaults.
– BMitch
Sep 2 at 0:21
@BMitch absolutely, I felt it was an extraneous information not yet useful for the OP, but feel free to edit it in.
– Tensibai♦
Sep 2 at 7:18
add a comment |Â
up vote
3
down vote
This is done for automation sake. You can have a universal command that runs docker run -P to start a container and the Dockerfile itself is used to specify which container exposes which port. In case you are dealing with dozens or hundreds of containers being built through a pipeline, this is quite useful. Passing external details not contained in Dockerfile together with the container through pipeline from stage to stage is quite difficult at scale.
answered Aug 29 at 15:18
Jiri Klouda
3,5351638
add a comment |Â
2 Answers
2
active
oldest
votes
2 Answers
2
active
oldest
votes
active
oldest
votes
active
oldest
votes
up vote
22
down vote
accepted
Docker's EXPOSE documentation addresses this specific point:
The
EXPOSEinstruction does not actually publish the port. It
functions as a type of documentation between the person who builds the
image and the person who runs the container, about which ports are
intended to be published. To actually publish the port when running
the container, use the-pflag ondocker runto publish and map
one or more ports, or the-Pflag to publish all exposed ports and
map them to high-order ports.
Pay attention to the last sentence, if you expose multiple ports then -P becomes useful to avoid setting multiple -p on the command line.
edited Sep 1 at 17:28
chicks
8301319
answered Aug 29 at 15:09
Tensibai♦
7,73321644
The "documentation" is in the form of image metadata. In addition to being useful to the-Pflag, other utilities can query the running containers for this metadata, which is useful in proxies that dynamically update their forwarding rules using these exposed ports as their defaults.
– BMitch
Sep 2 at 0:21
@BMitch absolutely, I felt it was an extraneous information not yet useful for the OP, but feel free to edit it in.
– Tensibai♦
Sep 2 at 7:18
add a comment |Â
up vote
22
down vote
accepted
Docker's EXPOSE documentation addresses this specific point:
The
EXPOSEinstruction does not actually publish the port. It
functions as a type of documentation between the person who builds the
image and the person who runs the container, about which ports are
intended to be published. To actually publish the port when running
the container, use the-pflag ondocker runto publish and map
one or more ports, or the-Pflag to publish all exposed ports and
map them to high-order ports.
Pay attention to the last sentence, if you expose multiple ports then -P becomes useful to avoid setting multiple -p on the command line.
edited Sep 1 at 17:28
chicks
8301319
answered Aug 29 at 15:09
Tensibai♦
7,73321644
The "documentation" is in the form of image metadata. In addition to being useful to the-Pflag, other utilities can query the running containers for this metadata, which is useful in proxies that dynamically update their forwarding rules using these exposed ports as their defaults.
– BMitch
Sep 2 at 0:21
@BMitch absolutely, I felt it was an extraneous information not yet useful for the OP, but feel free to edit it in.
– Tensibai♦
Sep 2 at 7:18
add a comment |Â
up vote
22
down vote
accepted
up vote
22
down vote
accepted
Docker's EXPOSE documentation addresses this specific point:
The
EXPOSEinstruction does not actually publish the port. It
functions as a type of documentation between the person who builds the
image and the person who runs the container, about which ports are
intended to be published. To actually publish the port when running
the container, use the-pflag ondocker runto publish and map
one or more ports, or the-Pflag to publish all exposed ports and
map them to high-order ports.
Pay attention to the last sentence, if you expose multiple ports then -P becomes useful to avoid setting multiple -p on the command line.
edited Sep 1 at 17:28
chicks
8301319
answered Aug 29 at 15:09
Tensibai♦
7,73321644
Docker's EXPOSE documentation addresses this specific point:
The
EXPOSEinstruction does not actually publish the port. It
functions as a type of documentation between the person who builds the
image and the person who runs the container, about which ports are
intended to be published. To actually publish the port when running
the container, use the-pflag ondocker runto publish and map
one or more ports, or the-Pflag to publish all exposed ports and
map them to high-order ports.
Pay attention to the last sentence, if you expose multiple ports then -P becomes useful to avoid setting multiple -p on the command line.
edited Sep 1 at 17:28
chicks
8301319
answered Aug 29 at 15:09
Tensibai♦
7,73321644
edited Sep 1 at 17:28
chicks
8301319
edited Sep 1 at 17:28
chicks
8301319
edited Sep 1 at 17:28
chicks
8301319
8301319
answered Aug 29 at 15:09
Tensibai♦
7,73321644
answered Aug 29 at 15:09
Tensibai♦
7,73321644
answered Aug 29 at 15:09
Tensibai♦
7,73321644
7,73321644
The "documentation" is in the form of image metadata. In addition to being useful to the-Pflag, other utilities can query the running containers for this metadata, which is useful in proxies that dynamically update their forwarding rules using these exposed ports as their defaults.
– BMitch
Sep 2 at 0:21
@BMitch absolutely, I felt it was an extraneous information not yet useful for the OP, but feel free to edit it in.
– Tensibai♦
Sep 2 at 7:18
add a comment |Â
The "documentation" is in the form of image metadata. In addition to being useful to the-Pflag, other utilities can query the running containers for this metadata, which is useful in proxies that dynamically update their forwarding rules using these exposed ports as their defaults.
– BMitch
Sep 2 at 0:21
@BMitch absolutely, I felt it was an extraneous information not yet useful for the OP, but feel free to edit it in.
– Tensibai♦
Sep 2 at 7:18
The "documentation" is in the form of image metadata. In addition to being useful to the
-P flag, other utilities can query the running containers for this metadata, which is useful in proxies that dynamically update their forwarding rules using these exposed ports as their defaults.– BMitch
Sep 2 at 0:21
The "documentation" is in the form of image metadata. In addition to being useful to the
-P flag, other utilities can query the running containers for this metadata, which is useful in proxies that dynamically update their forwarding rules using these exposed ports as their defaults.– BMitch
Sep 2 at 0:21
@BMitch absolutely, I felt it was an extraneous information not yet useful for the OP, but feel free to edit it in.
– Tensibai♦
Sep 2 at 7:18
@BMitch absolutely, I felt it was an extraneous information not yet useful for the OP, but feel free to edit it in.
– Tensibai♦
Sep 2 at 7:18
add a comment |Â
up vote
3
down vote
This is done for automation sake. You can have a universal command that runs docker run -P to start a container and the Dockerfile itself is used to specify which container exposes which port. In case you are dealing with dozens or hundreds of containers being built through a pipeline, this is quite useful. Passing external details not contained in Dockerfile together with the container through pipeline from stage to stage is quite difficult at scale.
answered Aug 29 at 15:18
Jiri Klouda
3,5351638
add a comment |Â
up vote
3
down vote
This is done for automation sake. You can have a universal command that runs docker run -P to start a container and the Dockerfile itself is used to specify which container exposes which port. In case you are dealing with dozens or hundreds of containers being built through a pipeline, this is quite useful. Passing external details not contained in Dockerfile together with the container through pipeline from stage to stage is quite difficult at scale.
answered Aug 29 at 15:18
Jiri Klouda
3,5351638
add a comment |Â
up vote
3
down vote
up vote
3
down vote
This is done for automation sake. You can have a universal command that runs docker run -P to start a container and the Dockerfile itself is used to specify which container exposes which port. In case you are dealing with dozens or hundreds of containers being built through a pipeline, this is quite useful. Passing external details not contained in Dockerfile together with the container through pipeline from stage to stage is quite difficult at scale.
answered Aug 29 at 15:18
Jiri Klouda
3,5351638
This is done for automation sake. You can have a universal command that runs docker run -P to start a container and the Dockerfile itself is used to specify which container exposes which port. In case you are dealing with dozens or hundreds of containers being built through a pipeline, this is quite useful. Passing external details not contained in Dockerfile together with the container through pipeline from stage to stage is quite difficult at scale.
answered Aug 29 at 15:18
Jiri Klouda
3,5351638
answered Aug 29 at 15:18
Jiri Klouda
3,5351638
answered Aug 29 at 15:18
Jiri Klouda
3,5351638
answered Aug 29 at 15:18
Jiri Klouda
3,5351638
3,5351638
add a comment |Â
add a comment |Â
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fdevops.stackexchange.com%2fquestions%2f4864%2fwhy-use-expose-in-dockerfile-since-you-can-bind-to-all-ports-anyways%23new-answer', 'question_page');
);
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
