Why use EXPOSE in Dockerfile — since you can bind to all ports anyways

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP











up vote
17
down vote

favorite
1












I can docker run -p 3000:3000 image without EXPOSEing that port in the container (see below). If that's true, then why bother putting EXPOSE in the Dockerfile? Is it just for communication to image users? Because I don't know of a functional reason to EXPOSE ports if they are all bindable anyways.




Here are the steps showing me binding to a port in a container despite the fact it is not EXPOSEd



$ cat Dockerfile
FROM alpine
RUN apk add nodejs npm vim
COPY webserver /webserver
CMD [ "node", "/webserver/index.js" ]


$ docker build .
Sending build context to Docker daemon 1.931MB
Step 1/4 : FROM alpine
---> 11cd0b38bc3c
Step 2/4 : RUN apk add nodejs npm vim
---> Using cache
---> 4270f8bdb201
Step 3/4 : COPY webserver /webserver
---> Using cache
---> 67f4cda61ff0
Step 4/4 : CMD [ "node", "/webserver/index.js" ]
---> Using cache
---> 1df8f9024b85
Successfully built 1df8f9024b85


$ curl localhost:4400
curl: (7) Failed to connect to localhost port 4400: Connection refused


$ docker run -d -p 4400:3000 1df8f9024b85
7d0e6c56f8ad8827fe72830a30c1aac96821104b8ea111291ca39e6536aad8fd


$ curl localhost:4400
Hello World!


$






share|improve this question
























    up vote
    17
    down vote

    favorite
    1












    I can docker run -p 3000:3000 image without EXPOSEing that port in the container (see below). If that's true, then why bother putting EXPOSE in the Dockerfile? Is it just for communication to image users? Because I don't know of a functional reason to EXPOSE ports if they are all bindable anyways.




    Here are the steps showing me binding to a port in a container despite the fact it is not EXPOSEd



    $ cat Dockerfile
    FROM alpine
    RUN apk add nodejs npm vim
    COPY webserver /webserver
    CMD [ "node", "/webserver/index.js" ]


    $ docker build .
    Sending build context to Docker daemon 1.931MB
    Step 1/4 : FROM alpine
    ---> 11cd0b38bc3c
    Step 2/4 : RUN apk add nodejs npm vim
    ---> Using cache
    ---> 4270f8bdb201
    Step 3/4 : COPY webserver /webserver
    ---> Using cache
    ---> 67f4cda61ff0
    Step 4/4 : CMD [ "node", "/webserver/index.js" ]
    ---> Using cache
    ---> 1df8f9024b85
    Successfully built 1df8f9024b85


    $ curl localhost:4400
    curl: (7) Failed to connect to localhost port 4400: Connection refused


    $ docker run -d -p 4400:3000 1df8f9024b85
    7d0e6c56f8ad8827fe72830a30c1aac96821104b8ea111291ca39e6536aad8fd


    $ curl localhost:4400
    Hello World!


    $






    share|improve this question






















      up vote
      17
      down vote

      favorite
      1









      up vote
      17
      down vote

      favorite
      1






      1





      I can docker run -p 3000:3000 image without EXPOSEing that port in the container (see below). If that's true, then why bother putting EXPOSE in the Dockerfile? Is it just for communication to image users? Because I don't know of a functional reason to EXPOSE ports if they are all bindable anyways.




      Here are the steps showing me binding to a port in a container despite the fact it is not EXPOSEd



      $ cat Dockerfile
      FROM alpine
      RUN apk add nodejs npm vim
      COPY webserver /webserver
      CMD [ "node", "/webserver/index.js" ]


      $ docker build .
      Sending build context to Docker daemon 1.931MB
      Step 1/4 : FROM alpine
      ---> 11cd0b38bc3c
      Step 2/4 : RUN apk add nodejs npm vim
      ---> Using cache
      ---> 4270f8bdb201
      Step 3/4 : COPY webserver /webserver
      ---> Using cache
      ---> 67f4cda61ff0
      Step 4/4 : CMD [ "node", "/webserver/index.js" ]
      ---> Using cache
      ---> 1df8f9024b85
      Successfully built 1df8f9024b85


      $ curl localhost:4400
      curl: (7) Failed to connect to localhost port 4400: Connection refused


      $ docker run -d -p 4400:3000 1df8f9024b85
      7d0e6c56f8ad8827fe72830a30c1aac96821104b8ea111291ca39e6536aad8fd


      $ curl localhost:4400
      Hello World!


      $






      share|improve this question












      I can docker run -p 3000:3000 image without EXPOSEing that port in the container (see below). If that's true, then why bother putting EXPOSE in the Dockerfile? Is it just for communication to image users? Because I don't know of a functional reason to EXPOSE ports if they are all bindable anyways.




      Here are the steps showing me binding to a port in a container despite the fact it is not EXPOSEd



      $ cat Dockerfile
      FROM alpine
      RUN apk add nodejs npm vim
      COPY webserver /webserver
      CMD [ "node", "/webserver/index.js" ]


      $ docker build .
      Sending build context to Docker daemon 1.931MB
      Step 1/4 : FROM alpine
      ---> 11cd0b38bc3c
      Step 2/4 : RUN apk add nodejs npm vim
      ---> Using cache
      ---> 4270f8bdb201
      Step 3/4 : COPY webserver /webserver
      ---> Using cache
      ---> 67f4cda61ff0
      Step 4/4 : CMD [ "node", "/webserver/index.js" ]
      ---> Using cache
      ---> 1df8f9024b85
      Successfully built 1df8f9024b85


      $ curl localhost:4400
      curl: (7) Failed to connect to localhost port 4400: Connection refused


      $ docker run -d -p 4400:3000 1df8f9024b85
      7d0e6c56f8ad8827fe72830a30c1aac96821104b8ea111291ca39e6536aad8fd


      $ curl localhost:4400
      Hello World!


      $








      share|improve this question











      share|improve this question




      share|improve this question










      asked Aug 29 at 15:06









      Alexander Bird

      1886




      1886




















          2 Answers
          2






          active

          oldest

          votes

















          up vote
          22
          down vote



          accepted










          Docker's EXPOSE documentation addresses this specific point:




          The EXPOSE instruction does not actually publish the port. It
          functions as a type of documentation between the person who builds the
          image and the person who runs the container, about which ports are
          intended to be published. To actually publish the port when running
          the container, use the -p flag on docker run to publish and map
          one or more ports, or the -P flag to publish all exposed ports and
          map them to high-order ports.




          Pay attention to the last sentence, if you expose multiple ports then -P becomes useful to avoid setting multiple -p on the command line.






          share|improve this answer






















          • The "documentation" is in the form of image metadata. In addition to being useful to the -P flag, other utilities can query the running containers for this metadata, which is useful in proxies that dynamically update their forwarding rules using these exposed ports as their defaults.
            – BMitch
            Sep 2 at 0:21










          • @BMitch absolutely, I felt it was an extraneous information not yet useful for the OP, but feel free to edit it in.
            – Tensibai♦
            Sep 2 at 7:18

















          up vote
          3
          down vote













          This is done for automation sake. You can have a universal command that runs docker run -P to start a container and the Dockerfile itself is used to specify which container exposes which port. In case you are dealing with dozens or hundreds of containers being built through a pipeline, this is quite useful. Passing external details not contained in Dockerfile together with the container through pipeline from stage to stage is quite difficult at scale.






          share|improve this answer




















            Your Answer







            StackExchange.ready(function()
            var channelOptions =
            tags: "".split(" "),
            id: "674"
            ;
            initTagRenderer("".split(" "), "".split(" "), channelOptions);

            StackExchange.using("externalEditor", function()
            // Have to fire editor after snippets, if snippets enabled
            if (StackExchange.settings.snippets.snippetsEnabled)
            StackExchange.using("snippets", function()
            createEditor();
            );

            else
            createEditor();

            );

            function createEditor()
            StackExchange.prepareEditor(
            heartbeatType: 'answer',
            convertImagesToLinks: false,
            noModals: false,
            showLowRepImageUploadWarning: true,
            reputationToPostImages: null,
            bindNavPrevention: true,
            postfix: "",
            onDemand: true,
            discardSelector: ".discard-answer"
            ,immediatelyShowMarkdownHelp:true
            );



            );













             

            draft saved


            draft discarded


















            StackExchange.ready(
            function ()
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fdevops.stackexchange.com%2fquestions%2f4864%2fwhy-use-expose-in-dockerfile-since-you-can-bind-to-all-ports-anyways%23new-answer', 'question_page');

            );

            Post as a guest






























            2 Answers
            2






            active

            oldest

            votes








            2 Answers
            2






            active

            oldest

            votes









            active

            oldest

            votes






            active

            oldest

            votes








            up vote
            22
            down vote



            accepted










            Docker's EXPOSE documentation addresses this specific point:




            The EXPOSE instruction does not actually publish the port. It
            functions as a type of documentation between the person who builds the
            image and the person who runs the container, about which ports are
            intended to be published. To actually publish the port when running
            the container, use the -p flag on docker run to publish and map
            one or more ports, or the -P flag to publish all exposed ports and
            map them to high-order ports.




            Pay attention to the last sentence, if you expose multiple ports then -P becomes useful to avoid setting multiple -p on the command line.






            share|improve this answer






















            • The "documentation" is in the form of image metadata. In addition to being useful to the -P flag, other utilities can query the running containers for this metadata, which is useful in proxies that dynamically update their forwarding rules using these exposed ports as their defaults.
              – BMitch
              Sep 2 at 0:21










            • @BMitch absolutely, I felt it was an extraneous information not yet useful for the OP, but feel free to edit it in.
              – Tensibai♦
              Sep 2 at 7:18














            up vote
            22
            down vote



            accepted










            Docker's EXPOSE documentation addresses this specific point:




            The EXPOSE instruction does not actually publish the port. It
            functions as a type of documentation between the person who builds the
            image and the person who runs the container, about which ports are
            intended to be published. To actually publish the port when running
            the container, use the -p flag on docker run to publish and map
            one or more ports, or the -P flag to publish all exposed ports and
            map them to high-order ports.




            Pay attention to the last sentence, if you expose multiple ports then -P becomes useful to avoid setting multiple -p on the command line.






            share|improve this answer






















            • The "documentation" is in the form of image metadata. In addition to being useful to the -P flag, other utilities can query the running containers for this metadata, which is useful in proxies that dynamically update their forwarding rules using these exposed ports as their defaults.
              – BMitch
              Sep 2 at 0:21










            • @BMitch absolutely, I felt it was an extraneous information not yet useful for the OP, but feel free to edit it in.
              – Tensibai♦
              Sep 2 at 7:18












            up vote
            22
            down vote



            accepted







            up vote
            22
            down vote



            accepted






            Docker's EXPOSE documentation addresses this specific point:




            The EXPOSE instruction does not actually publish the port. It
            functions as a type of documentation between the person who builds the
            image and the person who runs the container, about which ports are
            intended to be published. To actually publish the port when running
            the container, use the -p flag on docker run to publish and map
            one or more ports, or the -P flag to publish all exposed ports and
            map them to high-order ports.




            Pay attention to the last sentence, if you expose multiple ports then -P becomes useful to avoid setting multiple -p on the command line.






            share|improve this answer














            Docker's EXPOSE documentation addresses this specific point:




            The EXPOSE instruction does not actually publish the port. It
            functions as a type of documentation between the person who builds the
            image and the person who runs the container, about which ports are
            intended to be published. To actually publish the port when running
            the container, use the -p flag on docker run to publish and map
            one or more ports, or the -P flag to publish all exposed ports and
            map them to high-order ports.




            Pay attention to the last sentence, if you expose multiple ports then -P becomes useful to avoid setting multiple -p on the command line.







            share|improve this answer














            share|improve this answer



            share|improve this answer








            edited Sep 1 at 17:28









            chicks

            8301319




            8301319










            answered Aug 29 at 15:09









            Tensibai♦

            7,73321644




            7,73321644











            • The "documentation" is in the form of image metadata. In addition to being useful to the -P flag, other utilities can query the running containers for this metadata, which is useful in proxies that dynamically update their forwarding rules using these exposed ports as their defaults.
              – BMitch
              Sep 2 at 0:21










            • @BMitch absolutely, I felt it was an extraneous information not yet useful for the OP, but feel free to edit it in.
              – Tensibai♦
              Sep 2 at 7:18
















            • The "documentation" is in the form of image metadata. In addition to being useful to the -P flag, other utilities can query the running containers for this metadata, which is useful in proxies that dynamically update their forwarding rules using these exposed ports as their defaults.
              – BMitch
              Sep 2 at 0:21










            • @BMitch absolutely, I felt it was an extraneous information not yet useful for the OP, but feel free to edit it in.
              – Tensibai♦
              Sep 2 at 7:18















            The "documentation" is in the form of image metadata. In addition to being useful to the -P flag, other utilities can query the running containers for this metadata, which is useful in proxies that dynamically update their forwarding rules using these exposed ports as their defaults.
            – BMitch
            Sep 2 at 0:21




            The "documentation" is in the form of image metadata. In addition to being useful to the -P flag, other utilities can query the running containers for this metadata, which is useful in proxies that dynamically update their forwarding rules using these exposed ports as their defaults.
            – BMitch
            Sep 2 at 0:21












            @BMitch absolutely, I felt it was an extraneous information not yet useful for the OP, but feel free to edit it in.
            – Tensibai♦
            Sep 2 at 7:18




            @BMitch absolutely, I felt it was an extraneous information not yet useful for the OP, but feel free to edit it in.
            – Tensibai♦
            Sep 2 at 7:18










            up vote
            3
            down vote













            This is done for automation sake. You can have a universal command that runs docker run -P to start a container and the Dockerfile itself is used to specify which container exposes which port. In case you are dealing with dozens or hundreds of containers being built through a pipeline, this is quite useful. Passing external details not contained in Dockerfile together with the container through pipeline from stage to stage is quite difficult at scale.






            share|improve this answer
























              up vote
              3
              down vote













              This is done for automation sake. You can have a universal command that runs docker run -P to start a container and the Dockerfile itself is used to specify which container exposes which port. In case you are dealing with dozens or hundreds of containers being built through a pipeline, this is quite useful. Passing external details not contained in Dockerfile together with the container through pipeline from stage to stage is quite difficult at scale.






              share|improve this answer






















                up vote
                3
                down vote










                up vote
                3
                down vote









                This is done for automation sake. You can have a universal command that runs docker run -P to start a container and the Dockerfile itself is used to specify which container exposes which port. In case you are dealing with dozens or hundreds of containers being built through a pipeline, this is quite useful. Passing external details not contained in Dockerfile together with the container through pipeline from stage to stage is quite difficult at scale.






                share|improve this answer












                This is done for automation sake. You can have a universal command that runs docker run -P to start a container and the Dockerfile itself is used to specify which container exposes which port. In case you are dealing with dozens or hundreds of containers being built through a pipeline, this is quite useful. Passing external details not contained in Dockerfile together with the container through pipeline from stage to stage is quite difficult at scale.







                share|improve this answer












                share|improve this answer



                share|improve this answer










                answered Aug 29 at 15:18









                Jiri Klouda

                3,5351638




                3,5351638



























                     

                    draft saved


                    draft discarded















































                     


                    draft saved


                    draft discarded














                    StackExchange.ready(
                    function ()
                    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fdevops.stackexchange.com%2fquestions%2f4864%2fwhy-use-expose-in-dockerfile-since-you-can-bind-to-all-ports-anyways%23new-answer', 'question_page');

                    );

                    Post as a guest













































































                    Comments

                    Popular posts from this blog

                    What does second last employer means? [closed]

                    Installing NextGIS Connect into QGIS 3?

                    One-line joke