Reputation: 263
When using Docker, ESTABLISHED connections don't appear in netstat
I have a docker container running on RHEL 7 with Docker 1.7.0. The program which running in this container listens for TCP connections on port 5000. In my Dockerfile I put the sentence EXPOSE 5000 and I run the container with the following command:
docker run \
--name myProgram \
--detach \
--publish 5000:5000 \
--volume /home/docker/apps/myProgram/logs:/var/log/myProgram/ \
--volume /home/docker/apps/myProgram/conf:/usr/local/snnotificationreceiver/conf/ \
--restart always \
10.167.152.15:5000/myProgram:1.0.0
When I execute netstat on the host I see the LISTEN socket:
[root@server bin]# netstat -naop | grep 5000
tcp6 0 0 :::5000 :::* LISTEN 33595/docker-proxy off (0.00/0/0)
I can connect to the application by connecting to the host ip address on port 5000 and the data I send to the application arrives. I know this because I see it on my application logs, the application also sends data through the socket. However I don't see any ESTABLISHED connections using netstat on the docker host:
[root@server bin]# netstat -naop | grep ESTABLISHED
I see the ESTABLISHED connection on the client side which doesn't use docker:
[root@client ~]# netstat -naop | grep 5000
tcp 0 0 10.167.43.73:39218 10.167.152.138:5000 ESTABLISHED 21429/telnet off (0.00/0/0)
I didn't find any docker command equivalent or similar to netstat Is this normal? How can I see the ESTABLISHED connections to a container or to the docker-proxy?
Thanks
Upvotes: 26
Views: 15280
Answers (2)
Reputation: 1024
You may use this snippet to get all the ESTABLISHED for all dockers in one row (if you got nsenter)
docker inspect --format '{{.State.Pid}} {{printf "%.13s" .ID}} {{.Name}}' \
$(docker ps --format '{{.ID}}') | while read dockpid dockid dockname
do
echo $dockid $dockname
sudo nsenter -t $dockpid -n netstat -pan | grep ESTABLISHED
done
note the ESTABLISHED in the grep.
you can change to the listening connection with netstat -pnl both TCP and UDP
docker inspect --format '{{.State.Pid}} {{printf "%.13s" .ID}} {{.Name}}' \
$(docker ps --format '{{.ID}}') | while read dockpid dockid dockname
do
echo $dockid $dockname
sudo nsenter -t $dockpid -n netstat -pnl
done
or only TCP LISTEN
docker inspect --format '{{.State.Pid}} {{printf "%.13s" .ID}} {{.Name}}' \
$(docker ps --format '{{.ID}}') | while read dockpid dockid dockname
do
echo $dockid $dockname
sudo nsenter -t $dockpid -n netstat -pnlt
done
Upvotes: 6
Reputation: 3442
You can either do:
docker exec <containerid> netstat -tan | grep ESTABLISHED
or if you don't have netstat in your docker image:
docker inspect -f '{{.State.Pid}}' <containerid> # note the PID
sudo nsenter -t <pid> -n netstat | grep ESTABLISHED
nsenter is part of util-linux package. (plagiarized @larsks)
Upvotes: 31
Related Questions
- Docker Compose wait for container X before starting Y
- How to give non-root user in Docker container access to a volume mounted on the host
- How to copy Docker images from one host to another without using a repository
- Docker: any way to list open sockets inside a running docker container?
- Forward host port to docker container
- Docker and netstat: why is netstat not showing ports, exposed by docker containers
- Running Docker for Windows, Error when exposing Ports
- Docker and netstat: netstat is not showing ports, exposed by docker containers
- How to restart a docker container based on a port service failure