# What is the difference between "expose" and "publish" in Docker?

In Docker, "expose" and "publish" are two related but distinct concepts that are used to control network access to containers.

The "expose" instruction is used in a Dockerfile to specify which ports the container should listen on for incoming connections. For example, the following Dockerfile excerpt exposes port 80 for HTTP traffic:

```bash
FROM nginx
EXPOSE 80
```

Note that the "expose" instruction does not actually open any ports on the container's network interface, nor does it create any network mappings. Instead, it simply documents which ports the container is designed to use.

The "publish" option, on the other hand, is used with the "docker run" command to create a network mapping between a port on the host system and a port exposed by the container. For example, the following command runs a container based on the nginx image and publishes port 8080 on the host system to port 80 in the container:

```bash
docker run -p 8080:80 nginx
```

This allows the container to receive incoming traffic on port 8080 from the host system's network interface, and forward it to port 80 inside the container.

So, in summary, "expose" is used to declare which ports a container listens on, while "publish" is used to create a network mapping between a port on the host system and a port exposed by the container.