Menu
I would like to execute netstat inside a running docker container to see open TCP sockets and their statuses. But, on some of my docker containers, netstat is not available. Is there any way to get open sockets (and their statuses, and which IP addresses they are connected to if any) without using netstat, via some docker API? (BTW, my container uses docker-proxy - that is, not directly bridged)
I guess I could look at /proc file system directly, but at that point, I might as well docker cp netstat into the container and execute it. I was wondering if there was any facility that docker might provide for this.
270
ANSWER: This is related to docker EXPOSE parameter. If you write this line in your dockerfile and run the container with -p, the port will be visible in netstat. If you use -p but don't write EXPOSE, your port won't be listed by netstat.
Exposed ports are visible when you list your containers with docker ps . They'll show up in the PORTS column, even though they won't actually be accessible outside the container. This gives you a simple way of checking which ports the software inside a container is listening on.
You can do this in the following ways: Add an EXPOSE instruction in the Dockerfile. Use the –expose flag at runtime to expose a port. Use the -p flag or -P flag in the Docker run string to publish a port.
Like it was mentioned, if you are already inside of a container, then just use ps -eaf command to see the running processes.
You can use the nsenter command to run a command on your host inside the network namespace of the Docker container. Just get the PID of your Docker container:
docker inspect -f '{{.State.Pid}}' container_name_or_id For example, on my system:
$ docker inspect -f '{{.State.Pid}}' c70b53d98466 15652 And once you have the PID, use that as the argument to the target (-t) option of nsenter. For example, to run netstat inside the container network namespace:
$ sudo nsenter -t 15652 -n netstat Active Internet connections (only servers) Proto Recv-Q Send-Q Local Address Foreign Address State tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN Notice that this worked even though the container does not have netstat installed:
$ docker exec -it c70b53d98466 netstat rpc error: code = 13 desc = invalid header field value "oci runtime error: exec failed: container_linux.go:247: starting container process caused \"exec: \\\"netstat\\\": executable file not found in $PATH\"\n" (nsenter is part of the util-linux package)
151
The two commands from @larsks answer merged into one-liner - no need to copy-paste the PID(s) (just replace container_name_or_id):
sudo nsenter -t $(docker inspect -f '{{.State.Pid}}' container_name_or_id) -n netstat If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
