Docker: any way to list open sockets inside a running docker container?

I would like to execute netstat inside a running docker container to see open TCP sockets and their statuses. But, on some of my docker containers, netstat is not available. Is there any way to get open sockets (and their statuses, and which IP addresses they are connected to if any) without using netstat, via some docker API? (BTW, my container uses docker-proxy - that is, not directly bridged)

I guess I could look at /proc file system directly, but at that point, I might as well docker cp netstat into the container and execute it. I was wondering if there was any facility that docker might provide for this.

AdvilUser asked Oct 31 '16 20:10


2 Answers

You can use the nsenter command to run a command on your host inside the network namespace of the Docker container. Just get the PID of your Docker container:

docker inspect -f '{{.State.Pid}}' container_name_or_id 

For example, on my system:

$ docker inspect -f '{{.State.Pid}}' c70b53d98466
15652

And once you have the PID, use that as the argument to the target (-t) option of nsenter. For example, to run netstat inside the container network namespace:

$ sudo nsenter -t 15652 -n netstat
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN

Notice that this worked even though the container does not have netstat installed:

$ docker exec -it c70b53d98466 netstat
rpc error: code = 13 desc = invalid header field value "oci runtime error: exec failed: container_linux.go:247: starting container process caused \"exec: \\\"netstat\\\": executable file not found in $PATH\"\n"

(nsenter is part of the util-linux package)

larsks answered Sep 21 '22 03:09


The two commands from @larsks's answer merged into a one-liner - no need to copy-paste the PID(s) (just replace container_name_or_id):

sudo nsenter -t $(docker inspect -f '{{.State.Pid}}' container_name_or_id) -n netstat 

mikatuo answered Sep 22 '22 03:09
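
The /proc route the question mentions, as an added example (not code from the question or either answer): /proc/<pid>/net/tcp shows the TCP table of that process's network namespace, so the host can read it with the PID from `docker inspect` and decode it without netstat or nsenter. The function names and the sample table are constructed for illustration; a little-endian host and IPv4 only (not /proc/<pid>/net/tcp6) are assumed.

```shell
#!/bin/sh
# Added example: decode IPv4 rows of /proc/<pid>/net/tcp into netstat-like lines.

# 0100007F:0050 -> 127.0.0.1:80. The kernel prints the address as one 32-bit
# hex word in host byte order; a little-endian host (x86, most ARM) is assumed.
hex_to_addr() {
  ip=${1%%:*}; port=${1##*:}
  b1=${ip%??????}                 # hex characters 1-2
  t=${ip#??};   b2=${t%????}      # hex characters 3-4
  t=${ip#????}; b3=${t%??}        # hex characters 5-6
  b4=${ip#??????}                 # hex characters 7-8
  printf '%d.%d.%d.%d:%d' "$((0x$b4))" "$((0x$b3))" "$((0x$b2))" "$((0x$b1))" "$((0x$port))"
}

# State codes as numbered in the kernel's TCP state enum.
tcp_state() {
  case "$1" in
    01) echo ESTABLISHED ;; 02) echo SYN_SENT ;;   03) echo SYN_RECV ;;
    04) echo FIN_WAIT1 ;;   05) echo FIN_WAIT2 ;;  06) echo TIME_WAIT ;;
    07) echo CLOSE ;;       08) echo CLOSE_WAIT ;; 09) echo LAST_ACK ;;
    0A) echo LISTEN ;;      0B) echo CLOSING ;;    *) echo "UNKNOWN($1)" ;;
  esac
}

# Reads a /proc/<pid>/net/tcp table on stdin, prints "tcp LOCAL REMOTE STATE".
list_tcp_sockets() {
  while read -r sl laddr raddr st _rest; do
    case "$sl" in *:) ;; *) continue ;; esac   # keep only "N:" rows (skips header)
    printf 'tcp %s %s %s\n' "$(hex_to_addr "$laddr")" "$(hex_to_addr "$raddr")" "$(tcp_state "$st")"
  done
}

# Constructed sample table (not captured from a real container).
sample_proc_net_tcp() {
  cat <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20001 1 0000000000000000 100 0 0 10 0
   1: 020011AC:0050 010011AC:D2F4 01 00000000:00000000 00:00000000 00000000     0        0 20002 1 0000000000000000 20 4 30 10 -1
EOF
}

sample_proc_net_tcp | list_tcp_sockets
# On the Docker host, with the PID from `docker inspect -f '{{.State.Pid}}'`:
#   sudo cat /proc/15652/net/tcp | list_tcp_sockets
```

A remote address of 0.0.0.0:0 corresponds to what netstat prints as 0.0.0.0:* for a listening socket.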