
Yes, it's user error, but it's also a nasty trap for users who are not careful. And it hurts the most where people are most likely to make the mistake (developers need to publish ports to access local containers on their development machines, but must take care not to do so when deploying to production).


Use `docker network` or the equivalent in the docker-compose file. Not taking time to think about how the software works is not the fault of the software.


nginx listens on port 80. Accessible from machine. Inaccessible from outside unless allowed by ufw.

docker listens on port X. Accessible on machine. Also accessible from outside regardless of ufw.

No amount of time and experience will make you think that configuring software to listen on a port will automagically poke a hole in the firewall.


The scopes of Docker and nginx are incomparable, so the comparison is wrong.

It starts with the simple truth: `docker` doesn't `listen` on any port.

Or maybe a simple question: How can I run `docker run -p 8080 nginx` over and over without port conflict?

Or - let's expand scope even more. How is docker supposed to know about your choice of firewall? What about upstream firewalls? What about multiple versions of firewalls on a host (ufw vs. fern vs.)?

Can go on and on..


Just tried this because I usually use docker with k8s or compose, so wasn't sure of the behavior.

> It starts with the simple truth: `docker` doesn't `listen` on any port.

If I run the command below, `docker-proxy` starts listening on an incrementing port.

> Or maybe a simple question: How can I run `docker run -p 8080 nginx` over and over without port conflict?

Because you're not specifying a port on the host; you're specifying a port on the container. I've never used the single port form of `-p`; I would've guessed it was the same as `-p 8080:8080`.
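The `-p 8080` question above and the reply about `-p 8080` versus `-p 8080:8080` both come down to how Docker parses the `-p` spec: the rightmost field is always the container port, an optional middle field is the host port (left empty or omitted, Docker picks an ephemeral one, which is why `docker run -p 8080 nginx` never conflicts with itself), and an optional leading field is the host address to bind to. The added example below is not from this thread or from Docker; it is a plain-text parser for the documented spec forms (`CONTAINER`, `HOST:CONTAINER`, `IP:HOST:CONTAINER`, `IP::CONTAINER`, each with an optional `/tcp` or `/udp` suffix) that runs without Docker installed. The inputs are constructed, the helper handles IPv4 addresses only, and the "exposed regardless of ufw" wording reflects the claim made in the thread for ports published on all interfaces: binding the host side to `127.0.0.1` is the documented way to publish a port without exposing it to other hosts.

```shell
#!/bin/sh
# Added example (not from the thread or from Docker): classify `docker run -p`
# specs by where the host side binds. Pure string parsing, no Docker needed.
# IPv4 only: bracketed IPv6 addresses such as [::1]:8080:80 are not handled.

# Strip an optional /tcp or /udp protocol suffix.
strip_proto() {
  printf '%s\n' "${1%%/*}"
}

# Host address the published port binds to:
#   all-interfaces  -> no address given, or 0.0.0.0
#   loopback        -> a 127.x.x.x address
#   address <ip>    -> any other explicit address
publish_scope() {
  spec=$(strip_proto "$1")
  case "$spec" in
    *:*:*) ip=${spec%%:*} ;;   # IP:HOST:CONTAINER or IP::CONTAINER
    *)     ip="" ;;            # HOST:CONTAINER or CONTAINER
  esac
  case "$ip" in
    ""|0.0.0.0) echo all-interfaces ;;
    127.*)      echo loopback ;;
    *)          echo "address $ip" ;;
  esac
}

# Host port, or "ephemeral" when Docker is left to pick one.
host_port() {
  spec=$(strip_proto "$1")
  case "$spec" in
    *:*:*) rest=${spec#*:}; hp=${rest%%:*} ;;   # middle field, may be empty
    *:*)   hp=${spec%%:*} ;;                     # HOST:CONTAINER
    *)     hp="" ;;                              # CONTAINER only
  esac
  if [ -n "$hp" ]; then echo "$hp"; else echo ephemeral; fi
}

# Container port is always the last colon-separated field.
container_port() {
  spec=$(strip_proto "$1")
  printf '%s\n' "${spec##*:}"
}

# One-line verdict per spec: does this bind outside the loopback interface?
publish_verdict() {
  scope=$(publish_scope "$1")
  case "$scope" in
    loopback) echo "$1 -> host port $(host_port "$1") on loopback only (not reachable from other hosts)" ;;
    *)        echo "$1 -> host port $(host_port "$1") on $scope (reachable from outside regardless of ufw, per the thread)" ;;
  esac
}

# Constructed sample specs, covering each documented form.
for spec in 8080 8080:80 127.0.0.1:8080:80 127.0.0.1::80/udp 0.0.0.0:8080:80 192.0.2.10:8080:80; do
  publish_verdict "$spec"
done
```

To confirm what Docker actually did with a running container, `docker port <container>` lists the host address and port each container port was published on; anything reported as `0.0.0.0:<port>` is the all-interfaces case the thread is complaining about.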


The same way nginx doesn't care about the choice of firewall because it doesn't automagically poke holes in the firewall.

Maybe a simple question: How are you able to run nginx and open http://localhost without it making any changes to the firewall. Can go on and on.


If everyone designed software like you are advocating then we'd be even worse off.

What's wrong with "users should be careful" and "software shouldn't contain footguns"?


Software following the path of least surprise is a good rule of thumb.


I disagree with the premise that in this instance there is a footgun. There isn't.


> Use `docker network` or the equivalent in the docker-compose file.

Everyone knows what the correct solution is. That's not what the discussion is about.

> Not taking time to think about how the software works

You're blaming the effect of poor design on alleged incompetence of people you know nothing about.


> Everyone knows what the correct solution is.

Clearly not.



