2

I don't have much practical experience with containers, yet I see a lot of people using alternative ports to deploy their services. As a consequence, here's a very basic question: Is there a good reason why in docker containers we should avoid standard TCP/UDP ports?

Popular examples for such ports are 80 for HTTP, 21 for FTP, 443 for HTTPS, 22 for SSH, etc. Often these are substituted with ports like 8080 or 3000 for 80, 8443 for 443, 1022 for 22,...

There are good reasons to do these substitutions in general:

  • Ports under 1024 are reserved to system processes thus accessible only to the root user.
  • These system ports are often avoided in development in order to prevent conflicts with other services that might be possibly running.
  • Sometimes such alternative ports are used as a way to achieve a level of security-by-obscurity.

However, to me it seems that the isolated nature of containers predisposes that standard ports are used. This could lead to some benefits, such as easier development and testing due to default configurations.

mapto

1 Answer

1

It probably helps to avoid resource conflicts with the system that hosts the container, while at the same time the container can have documented port numbers.

aventurin
  • 1
    Watch out, these are ports in the guest system. They can be mapped to different ports on the guest system. While such mapping to different ports certainly could add a level of confusion, it is often the case that containers are shared and reused, whereas configuring ports on the host is something done by someone who has some knowledge of the environment. – mapto Mar 03 '19 at 19:53
  • 1
    That's generally true. But there's also host networking where the container's port is exposed on the host's IP address. – aventurin Mar 03 '19 at 20:25
  • This might be the answer to my question. Could you please elaborate on it or link to some resources? – mapto Mar 04 '19 at 08:15
  • Sorry, in my first comment I obviously meant "They can be mapped to different ports on the HOST system." – mapto Mar 04 '19 at 08:17
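
An added example, not part of the thread above: a small Python check over Docker `-p` publish specs, showing that several containers can keep the documented port 80 internally while only the host-side ports have to be distinct. The service names and specs are constructed; port ranges and IPv6 addresses are left out.

```python
from collections import defaultdict
from typing import NamedTuple, Optional

class Mapping(NamedTuple):
    host_ip: str              # address the host side binds to
    host_port: Optional[int]  # None: Docker picks a free host port
    container_port: int       # port the service listens on inside the container
    proto: str

def parse_publish(spec):
    """Parse '[ip:]hostPort:containerPort[/proto]' or 'containerPort[/proto]'."""
    ports, _, proto = spec.partition("/")
    parts = ports.split(":")
    if len(parts) > 3:
        raise ValueError(f"unsupported publish spec: {spec!r}")
    host = parts[-2] if len(parts) >= 2 else ""
    ip = parts[0] if len(parts) == 3 else ""
    m = Mapping(ip or "0.0.0.0", int(host) if host else None,
                int(parts[-1]), proto or "tcp")
    for port in (m.host_port, m.container_port):
        if port is not None and not 0 < port < 65536:
            raise ValueError(f"port out of range in {spec!r}")
    return m

def host_conflicts(services):
    """Host (port, proto) pairs claimed by more than one service.
    Conservative: a wildcard bind overlaps every address, so the bind
    address is ignored when comparing."""
    claims = defaultdict(list)
    for name, specs in services.items():
        for m in map(parse_publish, specs):
            if m.host_port is not None:
                claims[(m.host_port, m.proto)].append(name)
    return {key: names for key, names in claims.items() if len(names) > 1}

def privileged_host_ports(services):
    """(service, host port) pairs that publish on a host port below 1024."""
    return [(name, m.host_port) for name, specs in services.items()
            for m in map(parse_publish, specs)
            if m.host_port is not None and m.host_port < 1024]

# Constructed sample: three services all listen on 80 inside their container.
SERVICES = {
    "blog": ["8080:80"],
    "shop": ["8081:80", "8443:443"],
    "legacy": ["80:80"],
    "metrics": ["127.0.0.1:8080:9100"],
}

if __name__ == "__main__":
    print("host port conflicts:", host_conflicts(SERVICES))
    print("privileged host ports:", privileged_host_ports(SERVICES))
```

With host networking, as mentioned in the comments, there is no mapping step, so the container-side port is the one that has to be free on the host.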