Docker and netstat: netstat is not showing ports, exposed by docker containers
DockerNetstatDocker Problem Overview
I expose docker ports of my contaners to the host machine with something like
docker run -p 80:80 ...
then I try to display all listening ports for debugging purposes with netstat e.g.:
netstat -at
Strange thing is that netstat won't display my docker containers with exposed ports, although they are listening and reply to the browser.
How do I make netstat display those exposed ports?
UPDATE: I'm running this on Debian 8 Jessie. Here's what I do:
docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
9dfa08bab50d workflows-nginx "/bin/sh -c '/usr/sbi" 2 hours ago Up 2 hours 0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp workflows-nginx
d0b0c3f90f13 workflows-django "/bin/sh -c 'python /" 7 hours ago Up 3 hours 0.0.0.0:8000->8000/tcp workflows-django
99a857c92533 workflows-db "/docker-entrypoint.s" 7 hours ago Up 3 hours 5432/tcp workflows-db
Here docker reports that container ports are forwarded to the host. Moreover, if I stop workflows-nginx container, it stops answering to the browser by http (port 80). If I start it again, it starts responding again.
Here is the output of sudo netstat -at | less:
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 *:ssh *:* LISTEN
tcp 0 0 localhost:ipp *:* LISTEN
tcp 0 0 *:15672 *:* LISTEN
tcp 0 0 *:postgresql *:* LISTEN
tcp 0 0 localhost:smtp *:* LISTEN
tcp 0 0 *:25672 *:* LISTEN
tcp 0 0 *:48142 *:* LISTEN
tcp 0 0 *:sunrpc *:* LISTEN
tcp 0 0 *:epmd *:* LISTEN
tcp 0 0 bob-acer:34866 104.16.33.249:http ESTABLISHED
tcp 0 0 bob-acer:42380 stackoverflow.com:https ESTABLISHED
tcp 0 0 bob-acer:42543 stackoverflow.com:https ESTABLISHED
tcp 0 0 bob-acer:42525 stackoverflow.com:https ESTABLISHED
tcp 0 0 bob-acer:44076 stackoverflow.com:https ESTABLISHED
tcp 0 0 bob-acer:42944 stackoverflow.com:https ESTABLISHED
tcp 0 0 localhost:epmd localhost:50831 ESTABLISHED
tcp 0 0 bob-acer:42655 stackoverflow.com:https ESTABLISHED
tcp 0 0 bob-acer:42384 stackoverflow.com:https ESTABLISHED
tcp 0 0 bob-acer:44626 stackoverflow.com:https ESTABLISHED
tcp 0 0 bob-acer:42390 stackoverflow.com:https ESTABLISHED
tcp 0 0 localhost:50831 localhost:epmd ESTABLISHED
tcp 0 0 bob-acer:48301 c2.52.c0ad.ip4.st:https ESTABLISHED
tcp 0 0 bob-acer:42151 stackoverflow.com:https ESTABLISHED
tcp 0 0 bob-acer:42205 stackoverflow.com:https ESTABLISHED
tcp 0 0 bob-acer:42539 stackoverflow.com:https ESTABLISHED
tcp 0 0 bob-acer:44737 stackoverflow.com:https ESTABLISHED
tcp 0 0 bob-acer:39648 77.94.164.251:https ESTABLISHED
tcp6 0 0 [::]:ssh [::]:* LISTEN
tcp6 0 0 localhost:ipp [::]:* LISTEN
tcp6 0 0 [::]:postgresql [::]:* LISTEN
tcp6 0 0 localhost:smtp [::]:* LISTEN
tcp6 0 0 [::]:44794 [::]:* LISTEN
tcp6 0 0 [::]:8000 [::]:* LISTEN
tcp6 0 0 [::]:amqp [::]:* LISTEN
tcp6 0 0 [::]:sunrpc [::]:* LISTEN
tcp6 1 0 localhost:58497 localhost:ipp CLOSE_WAIT
As you can see, neither port 80, nor port 443 are reported. Port 8000 of workflows-django for some reason is opened on IPv6 interface. Moreover, I forgot to disable postgres on host machine and still they don't clash with postgres container workflows-db.
Everything is running on my local notebook, so I guess there can't be any confusion with the host.
My docker version is:
docker --version
Docker version 1.10.3, build 20f81dd
ANSWER: This is related to docker EXPOSE parameter. If you write this line in your dockerfile and run the container with -p, the port will be visible in netstat. If you use -p but don't write EXPOSE, your port won't be listed by netstat.
Docker Solutions
Solution 1 - Docker
It's never too late to answer a question.
Using netstat -tln, not netstat -at.
It's very simple to answer, if you notify the --numeric option for netstat. By using this option, netstat will print address with numbers instead of meaningful string. Then you can grep them as you mentioned. Following shows how it works.
[root@A01-R26-I52-155-3002023 ~]# netstat -tl
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 localhost.localdom:smux 0.0.0.0:* LISTEN
tcp 0 0 localhost.localdo:18121 0.0.0.0:* LISTEN
tcp 0 0 localhost.localdo:18122 0.0.0.0:* LISTEN
tcp 0 0 localhost.localdo:18123 0.0.0.0:* LISTEN
tcp 0 0 localhost.localdo:18124 0.0.0.0:* LISTEN
tcp 0 0 localhost.localdo:18125 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:sunrpc 0.0.0.0:* LISTEN
tcp 0 0 localhost.localdo:18928 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:20080 0.0.0.0:* LISTEN
tcp 0 0 A01-R26-:univ-appserver 0.0.0.0:* LISTEN
tcp 0 0 A01-R26-:univ-appserver 0.0.0.0:* LISTEN
tcp 0 0 localhost.:search-agent 0.0.0.0:* LISTEN
tcp 0 0 localhost:mosaicsyssvc1 0.0.0.0:* LISTEN
tcp 0 0 A01-R26-I52-155-300:ssh 0.0.0.0:* LISTEN
tcp6 0 0 [::]:37611 [::]:* LISTEN
tcp6 0 0 [::]:sunrpc [::]:* LISTEN
tcp6 0 0 [::]:microsan [::]:* LISTEN
tcp6 0 0 [::]:commtact-http [::]:* LISTEN
[root@A01-R26-I52-155-3002023 ~]# netstat -tln
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 127.0.0.1:199 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:18121 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:18122 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:18123 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:18124 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:18125 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:18928 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:20080 0.0.0.0:* LISTEN
tcp 0 0 10.217.52.155:1233 0.0.0.0:* LISTEN
tcp 0 0 10.218.52.155:1233 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:1234 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:1235 0.0.0.0:* LISTEN
tcp 0 0 10.217.52.155:22 0.0.0.0:* LISTEN
tcp6 0 0 :::37611 :::* LISTEN
tcp6 0 0 :::111 :::* LISTEN
tcp6 0 0 :::20001 :::* LISTEN
tcp6 0 0 :::20002 :::* LISTEN
Solution 2 - Docker
netstat should display the exposed ports. Here is an example
anovil@anovil-Latitude-E6440:docker$ sudo netstat -at|grep 3030
anovil@anovil-Latitude-E6440:docker$ docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
anovil@anovil-Latitude-E6440:docker$ docker run -d -p 3030:80 httpd:2.4
4310ac5fbdbc7314ab4d23e34099a710a3a8790dcf2c6d0a84202c1de5c9fd30
anovil@anovil-Latitude-E6440:docker$ docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
4310ac5fbdbc httpd:2.4 "httpd-foreground" 3 minutes ago Up 3 minutes 0.0.0.0:3030->80/tcp hungry_fermat
anovil@anovil-Latitude-E6440:docker$ sudo netstat -at|grep 3030
tcp6 0 0 [::]:3030 [::]:* LISTEN
anovil@anovil-Latitude-E6440:docker$ sudo netstat -tulpn|grep 3030
tcp6 0 0 :::3030 :::* LISTEN 10294/docker-proxy
anovil@anovil-Latitude-E6440:docker$
Some basic things you need to verify yourself:
- Are you running netstat with elevated privileges? Somethings might miss out when you are non-root
- Is your docker container running on the same host as you expect? Check with
docker ps - Does
docker pslist the port forwarding? Like from the above, you should be able to see something like this0.0.0.0:3030->80/tcp
Also note that, the docker-proxy is the one running on the host. All commands above assumes that you run on linux. This was tested with ubuntu 15.10
If you still feel you are missing the forwarding, then please post back your Operating System, docker version etc.
Thanks,
Solution 3 - Docker
This code will show you the opened ports with the pids inside the container:
container_name=some_container_name
c_pid=`docker container inspect -f "{{.State.Pid}}" ${container_name}`
nsenter -t ${c_pid} -n netstat -anp
Solution 4 - Docker
They are listed, just not in the way you might expect. If you're looking for an ipv4 listen port you won't see it (unless I believe if you're using both the EXPOSE and publish (-p) mechanisms in tandem), but what you will see is a docker proxy on ipv6, e.g. for a MySQL container:
netstat -tlpn4
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp6 0 0 :::3306 :::* LISTEN 9608/docker-proxy