Source From Here
PrefaceCan’t connect to the server running in your container? Let’s see why, and how to fix it, starting with an example.
If you run a server on your machine listening on 127.0.0.1, the “loopback” or “localhost” address:
You can then load it in your browser at http://127.0.0.1:8000.
But if you kill that and run it in a container:
If you then try to connect with your browser to http://127.0.0.1:8000 you’ll get connection refused or connection reset.
What’s going on? To understand how to solve this, you need to know a minimal amount about how Docker’s networking works. In particular, this article will cover:
Networking without Docker
Let’s start with our first scenario: you run a server directly inside your operating system, and then connect to it. I’m going to assume the main OS is Linux, for simplicity of explanation. Docker runs on non-Linux OSes like macOS by running a Linux virtual machine, but the practical consequences are the same.
Your operating system has multiple network “interfaces”. For example, on my computer (with output shortened for clarity):
In this output we see three network interfaces:
Let’s go back to our starting, working example—you run a server listening on 127.0.0.1, and then connect to it. We can visualize it like this:
Network namespaces
You’ll notice the image above talks about a “Default network namespace”. So what’s that?
Docker is a system for running containers: a way to isolate processes from each other. It builds on a number of Linux kernel features, one of which is network namespaces—a way for different processes to have different network devices, IPs, firewall rules, and so on.
By default, each container run by Docker has its own network namespace, with its own IPs:
So this container has two interfaces, eth0 and lo, each with their own IP addresses. But because this is a different network namespace, these are different interfaces than the default namespace we saw above. To make it clear what this means, let’s run the Flask server inside a Docker container, and then diagram the results:
The resulting network setup looks like this:
Now it’s clear why there’s a connection refused: the server is listening on 127.0.0.1 inside the container’s network namespace. The browser is connecting to 127.0.0.1 in the main, default network namespace. But those are different interfaces, so no connection is made.
How do we connect the two network namespaces? With Docker port-forwarding.
Docker run port-forwarding (is not enough)
If we run docker run with -p 5000:5000, it will forward from all interfaces where the Docker daemon is running (for our purposes, the main network namespace) to the external IP address of the container.
To break it down explicitly: -p 5000:5000 means redirecting traffic from port 5000 on all interfaces in the main network namespace to the container’s port 5000 on its external interface. -p 8080:80 would redirect traffic from port 8080 on all interfaces in the main network namespace to port 80 on the container’s external interface. And so on.
(We’re doing port 5000 specifically because that’s where our Docker image is listening, Flask’s default port.)
So let’s run a container, and then look at a diagram to visually see what that means:
And now we see the second problem: the server is listening on 127.0.0.1 inside the container network namespace, but the port forwarding is going to the external IP, 172.17.0.2.
Thus, a connection reset or refused.
The solution: listen on all interfaces
Port forwarding can only connect to a single destination—but you can change where the server process is listening. You do this by listening on 0.0.0.0, which means “listen on all interfaces”.
For example, you can do:
Note: --bind 0.0.0.0 is specifically an option for http.server; it’s not a Docker option. Other servers will have other ways of specifying this. For example, for a Flask application packaged with a Dockerfile, you can do:
- FROM python:3.7-slim-stretch
- RUN pip install flask
- COPY . .
- ENV FLASK_APP=exampleapp:app
- CMD ["flask", "run", "--host", "0.0.0.0"]
Takeaways
沒有留言:
張貼留言