From f8dd8f074def2448519dd7af3f4beabd6c09ae61 Mon Sep 17 00:00:00 2001
From: David Karlsson <35727626+dvdksn@users.noreply.github.com>
Date: Tue, 12 Dec 2023 22:36:26 +0100
Subject: [PATCH] docs: refresh --publish, add --publish-all
Signed-off-by: David Karlsson <35727626+dvdksn@users.noreply.github.com>
---
docs/reference/commandline/run.md | 43 +++++++++++++++++++++++--------
1 file changed, 32 insertions(+), 11 deletions(-)
diff --git a/docs/reference/commandline/run.md b/docs/reference/commandline/run.md
index 092204f6684a..46e46db56148 100644
--- a/docs/reference/commandline/run.md
+++ b/docs/reference/commandline/run.md
@@ -90,7 +90,7 @@ Create and run a new container from an image
| `--platform` | `string` | | Set platform if server is multi-platform capable |
| [`--privileged`](#privileged) | | | Give extended privileges to this container |
| [`-p`](#publish), [`--publish`](#publish) | `list` | | Publish a container's port(s) to the host |
-| `-P`, `--publish-all` | | | Publish all exposed ports to random ports |
+| [`-P`](#publish-all), [`--publish-all`](#publish-all) | | | Publish all exposed ports to random ports |
| [`--pull`](#pull) | `string` | `missing` | Pull image before running (`always`, `missing`, `never`) |
| `-q`, `--quiet` | | | Suppress the pull output |
| [`--read-only`](#read-only) | | | Mount the container's root filesystem as read only |
@@ -483,26 +483,47 @@ $ docker run -t -i --mount type=bind,src=/data,dst=/data busybox sh
### Publish or expose port (-p, --expose)
```console
-$ docker run -p 127.0.0.1:80:8080/tcp ubuntu bash
+$ docker run -p 127.0.0.1:80:8080/tcp nginx:alpine
```
-This binds port `8080` of the container to TCP port `80` on `127.0.0.1` of the host
-machine. You can also specify `udp` and `sctp` ports.
-The [Docker User Guide](https://docs.docker.com/network/links/)
-explains in detail how to use ports in Docker.
+This binds port `8080` of the container to TCP port `80` on `127.0.0.1` of the
+host. You can also specify `udp` and `sctp` ports. The [Networking overview
+page](https://docs.docker.com/network/) explains in detail how to publish ports
+with Docker.
-Note that ports which are not bound to the host (i.e., `-p 80:80` instead of
-`-p 127.0.0.1:80:80`) are externally accessible. This also applies if
-you configured UFW to block this specific port, as Docker manages its
-own iptables rules. [Read more](https://docs.docker.com/network/iptables/)
+> **Note**
+>
+> If you don't specify an IP address (i.e., `-p 80:80` instead of `-p
+> 127.0.0.1:80:80`) when publishing a container's ports, Docker publishes the
+> port on all interfaces (address `0.0.0.0`) by default. These ports are
+> externally accessible. This also applies if you configured UFW to block this
+> specific port, as Docker manages its own iptables rules. [Read
+> more](https://docs.docker.com/network/packet-filtering-firewalls/)
```console
-$ docker run --expose 80 ubuntu bash
+$ docker run --expose 80 nginx:alpine
```
This exposes port `80` of the container without publishing the port to the host
system's interfaces.
+### Publish all exposed ports (-P, --publish-all)
+
+```console
+$ docker run -P nginx:alpine
+```
+
+The `-P`, or `--publish-all`, flag publishes all the exposed ports to the host.
+Docker binds each exposed port to a random port on the host.
+
+The `-P` flag only publishes port numbers that are explicitly flagged as
+exposed, either using the Dockerfile `EXPOSE` instruction or the `--expose`
+flag for the `docker run` command.
+
+The range of ports are within an *ephemeral port range* defined by
+`/proc/sys/net/ipv4/ip_local_port_range`. Use the `-p` flag to explicitly map a
+single port or range of ports.
+
### Set the pull policy (--pull)
Use the `--pull` flag to set the image pull policy when creating (and running)