
As far as I understand, a container is something like a sandboxed operating system. It is isolated from the other processes and from computer networks unless explicitly allowed.

However, you can just:

docker run -it ubuntu

then go on to install curl and basically do anything on the Internet. Note that no ports have been exposed for the container. This means that my understanding of the isolation concept is wrong.

How can a container communicate with the Internet when no ports have been exposed?

Martin Drozdik
  • Desktop Docker isn't ultra-secure by default, because most of the things you want to do need the container to see the internet. They should still be isolated from one another and the host, though. – jonrsharpe Apr 02 '20 at 12:53
  • Are you talking about running a container with `--network none`? (docs [here](https://docs.docker.com/network/none/)) because the command you've used doesn't mean that the container will not have networking. Also, check this question: [What is the difference between “expose” and “publish” in Docker?](https://stackoverflow.com/questions/22111060/what-is-the-difference-between-expose-and-publish-in-docker) – tgogos Apr 02 '20 at 12:59
  • @tgogos Thank you for the docs. I did not know that such a flag exists. Anyway I am surprised that networking works without publishing any ports. Through which port does the data flow into the container? – Martin Drozdik Apr 02 '20 at 13:23
  • Publishing a port is used to make your container reachable from outside. For example, you bind port `80` of your host (machine) to port `8080` of your container and this way you make your service reachable from outside. On the other hand, your container can connect to the internet even without publishing anything because of NAT. – tgogos Apr 02 '20 at 13:33

0 Answers
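The NAT behaviour tgogos describes in the comments can be read straight off the host's `nat` table: Docker adds a `MASQUERADE` rule for the bridge subnet (so every container on the default bridge can talk out through the host's address, with nothing published), and adds a `DNAT` rule in the `DOCKER` chain only for ports you publish with `-p`. The script below, an added example that is not part of the original question and not an answer from the page, parses `iptables-save -t nat` output and reports both. The sample table is constructed to match the rules Docker installs for the default bridge (`172.17.0.0/16`) with one container published as `-p 80:8080`; the rule names and function names are this example's own, and a second sample with the publish rules stripped stands in for the bare `docker run -it ubuntu` case from the question.

```python
"""Explain Docker egress vs. ingress from the host's nat table.

MASQUERADE on POSTROUTING = containers can initiate outbound connections.
DNAT in the DOCKER chain   = only published ports are reachable inbound.
"""
import ipaddress
import shlex

# Constructed sample of `iptables-save -t nat` on a host with the default
# bridge and one container started with `-p 80:8080`. Not captured from the
# page's author; the rule shapes are the ones Docker's bridge driver writes.
SAMPLE_NAT_TABLE = """\
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 172.17.0.2/32 -d 172.17.0.2/32 -p tcp -m tcp --dport 8080 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 172.17.0.2:8080
COMMIT
"""

# Same host with nothing published (the `docker run -it ubuntu` case):
# drop the two per-port rules, keep the subnet MASQUERADE. Constructed.
SAMPLE_NO_PUBLISH = "\n".join(
    line for line in SAMPLE_NAT_TABLE.splitlines() if "8080" not in line
)


def parse_nat_rules(text):
    """One dict per `-A` line: chain, options (negated flags get a '!'
    prefix, e.g. '!-o'), and the jump target. Every option takes one arg."""
    rules = []
    for line in text.splitlines():
        if not line.startswith("-A "):
            continue
        tokens = shlex.split(line)
        chain, opts, target, i = tokens[1], {}, None, 2
        while i < len(tokens):
            negate = tokens[i] == "!"
            if negate:
                i += 1
            flag = tokens[i]
            if flag == "-j":
                target = tokens[i + 1]
            else:
                opts[("!" if negate else "") + flag] = tokens[i + 1]
            i += 2
        rules.append({"chain": chain, "opts": opts, "target": target})
    return rules


def egress_masquerade_sources(rules):
    """Source networks that are source-NATed on the way out. The per-port
    hairpin rule (has both -s and -d) is not general egress and is skipped."""
    return [
        ipaddress.ip_network(r["opts"]["-s"], strict=False)
        for r in rules
        if r["chain"] == "POSTROUTING" and r["target"] == "MASQUERADE"
        and "-d" not in r["opts"]
    ]


def container_can_egress(rules, container_ip):
    """True when the container address sits inside a masqueraded subnet."""
    ip = ipaddress.ip_address(container_ip)
    return any(ip in net for net in egress_masquerade_sources(rules))


def published_ports(rules):
    """Inbound DNAT mappings as (proto, host_port, container_ip, container_port)."""
    out = []
    for r in rules:
        if r["chain"] == "DOCKER" and r["target"] == "DNAT":
            cip, cport = r["opts"]["--to-destination"].rsplit(":", 1)
            out.append((r["opts"]["-p"], int(r["opts"]["--dport"]), cip, int(cport)))
    return out


def report(text):
    """Human-readable summary: who can go out, and what is reachable in."""
    rules = parse_nat_rules(text)
    lines = [f"egress: containers in {net} are masqueraded (outbound allowed)"
             for net in egress_masquerade_sources(rules)]
    inbound = published_ports(rules)
    lines += [f"inbound: host {p}/{hp} -> {cip}:{cp} (published)"
              for p, hp, cip, cp in inbound]
    if not inbound:
        lines.append("inbound: nothing published, no DNAT rules")
    return "\n".join(lines)


if __name__ == "__main__":
    print("--- with -p 80:8080 ---")
    print(report(SAMPLE_NAT_TABLE))
    print("--- nothing published ---")
    print(report(SAMPLE_NO_PUBLISH))
```

To run it against a real host, replace the constant with the output of `sudo iptables-save -t nat`. The second sample is the point of the question: the `MASQUERADE` rule for `172.17.0.0/16` is there regardless of what you publish, so a container with no `-p` at all still gets outbound access, while the absence of any `DNAT` rule is what keeps it unreachable from outside. Starting the container with `--network none` takes it off the bridge entirely, so no masquerade rule applies to it and it has no route out.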