I'm experimenting with Dockerfiles, and I think I understand most of the logic. However, I don't see the difference between "exposing" and "publishing" a port in this context.
All the tutorials I have seen first include the EXPOSE command in the Dockerfile:
...
EXPOSE 8080
...
They then build an image from this Dockerfile:
$ docker build -t an_image - < Dockerfile
And then publish the same port as above when running the image:
$ docker run -d -p 8080 an_image
or publish all ports using
$ docker run -d -P an_image
What is the point of exposing a port in the Dockerfile, if it will be published anyway? Would there ever be a need to expose a port first, and not publish it later? Effectively, I would like to specify all the ports that I will use in the Dockerfile when creating the image, and then not bother with them again, running them simply with:
$ docker run -d an_image
Is this possible?
Best Answer
Basically, you have three options:
EXPOSEnor-pEXPOSEEXPOSEand-p1) If you specify neither
EXPOSEnor-p, the service in the container will only be accessible from inside the container itself.2) If you
EXPOSEa port, the service in the container is not accessible from outside Docker, but from inside other Docker containers. So this is good for inter-container communication.3) If you
EXPOSEand-pa port, the service in the container is accessible from anywhere, even outside Docker.The reason why both are separated is IMHO because:
The documentation explicitly states:
It also points you to how to link containers, which basically is the inter-container communication I talked about.
PS: If you do
-p, but do notEXPOSE, Docker does an implicitEXPOSE. This is because if a port is open to the public, it is automatically also open to other Docker containers. Hence-pincludesEXPOSE. That's why I didn't list it above as a fourth case.