I could be wrong, but isn’t it best not to expose 5001? Usually 5001 is only needed internally within the Docker container to run CLI commands.
My understanding is that you would only want to expose it if you wanted to be able to remotely control the CLI.