Docker: any way to list open sockets inside a running docker container?

8

119

I would like to execute netstat inside a running docker container to see open TCP sockets and their statuses. But, on some of my docker containers, netstat is not available. Is there any way to get open sockets (and their statuses, and which IP addresses they are connected to if any) without using netstat, via some docker API? (BTW, my container uses docker-proxy - that is, not directly bridged)

I guess I could look at /proc file system directly, but at that point, I might as well docker cp netstat into the container and execute it. I was wondering if there was any facility that docker might provide for this.

Klee answered 31/10, 2016 at 20:56 Comment(0)
229

You can use the nsenter command to run a command on your host inside the network namespace of the Docker container. Just get the PID of your Docker container:

docker inspect -f '{{.State.Pid}}' container_name_or_id

For example, on my system:

$ docker inspect -f '{{.State.Pid}}' c70b53d98466
15652

And once you have the PID, use that as the argument to the target (-t) option of nsenter. For example, to run netstat inside the container network namespace:

$ sudo nsenter -t 15652 -n netstat
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN     

Notice that this worked even though the container does not have netstat installed:

$ docker exec -it c70b53d98466 netstat
rpc error: code = 13 desc = invalid header field value "oci runtime error: exec failed: container_linux.go:247: starting container process caused \"exec: \\\"netstat\\\": executable file not found in $PATH\"\n"

(nsenter is part of the util-linux package)

Oystercatcher answered 31/10, 2016 at 23:22 Comment(8)
Is this solution applicable to other platforms such as Windows, Mac, etc.? – Biracial
@Rao, possibly: nsenter is a Linux command, so you would need to be able to log in to the Linux VM that is actually being used to host your Docker containers. And of course, that VM would need to have the nsenter command available. – Oystercatcher
You may use this snippet to get all netstat for all dockers #37172409 – Unspeakable
On an AWS EKS node, I'm root, but get: sudo nsenter -t 14207 -n netstat returns nsenter: cannot open /proc/14207/ns/net: No such file or directory. I can see the path that it says does not exist but cannot seem to do anything to interrogate it. Has anyone run into this? – Crept
nsenter => Permission denied sudo nsenter => bash: sudo: command not found – Facile
@marc If you're running on Linux it looks like you will need to either install and configure sudo or figure out another way to run commands as root (if you're not running on Linux then this answer won't be appropriate). – Oystercatcher
I'm in a linux container (nginx image). I think it doesn't run as root, no tools are installed so almost no diagnosis is possible. – Facile
You run nsenter on your host, not inside the container. – Oystercatcher
48

The two commands from @larsks's answer merged into a one-liner - no need to copy-paste the PID(s) (just replace container_name_or_id):

sudo nsenter -t $(docker inspect -f '{{.State.Pid}}' container_name_or_id) -n netstat
Freehand answered 6/11, 2018 at 22:3 Comment(1)
Sidenote: one would need to add another sudo so that the command is ... $(sudo docker inspect ..., otherwise the command will fail if it isn't run in a root shell. – Horrocks
6

If you have the iproute2 package installed, you can use

sudo nsenter -t $(docker inspect -f '{{.State.Pid}}' container_name_or_id) -n ss

or

sudo nsenter -t $(docker inspect -f '{{.State.Pid}}' container_name_or_id) -n ss -ltu

It will show TCP and UDP

Mildew answered 2/2, 2021 at 19:35 Comment(0)
4

If you want them all (all containers) try this.

$ for i in `docker ps -q` ; do sudo nsenter -t $(docker inspect -f '{{.State.Pid}}' $i) -n netstat ; done
Hornbook answered 8/9, 2021 at 15:39 Comment(0)
1

I tried the other solutions and they didn't work for me, but my colleague gave me this solution. Thought I would mention it here for others like me and for me to refer to later lol.

docker exec -it [container name] bash

grep -v "rem_address" /proc/net/tcp

Dara answered 5/11, 2021 at 13:54 Comment(1)
I just tried that, it outputs ` sl local_address rem_address st tx_queue rx_queue tr tm->when retrnsmt uid timeout inode \n 0: 0B00007F:ABD3 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 479599 1 0000000000000000 100 0 0 10 0` – Banwell
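
The /proc/net/tcp rows quoted in the comment above are hex-encoded, so here is an added example (not part of any answer on this page) that decodes them into readable addresses and TCP states. It assumes a little-endian host and IPv4 only (/proc/net/tcp6 is not handled); the function names decode_proc_net_tcp and sample_rows are hypothetical, and the second sample row is constructed.

```sh
#!/bin/sh
# Decode /proc/net/tcp (IPv4) rows into "local remote state", one socket per line.
# Assumption: little-endian host (x86-64, arm64), where the kernel prints the
# 32-bit address byte-reversed; the port is plain big-endian hex.
decode_proc_net_tcp() {
  awk '
    # Portable hex-to-decimal (POSIX awk has no strtonum).
    function hex(s,   i, n) {
      n = 0; s = toupper(s)
      for (i = 1; i <= length(s); i++)
        n = n * 16 + index("0123456789ABCDEF", substr(s, i, 1)) - 1
      return n
    }
    # "0B00007F:ABD3" -> "127.0.0.11:43987"
    function addr(a,   p) {
      split(a, p, ":")
      return hex(substr(p[1], 7, 2)) "." hex(substr(p[1], 5, 2)) "." \
             hex(substr(p[1], 3, 2)) "." hex(substr(p[1], 1, 2)) ":" hex(p[2])
    }
    # Kernel TCP state numbers 1..12, in order.
    BEGIN {
      split("ESTABLISHED SYN_SENT SYN_RECV FIN_WAIT1 FIN_WAIT2 TIME_WAIT " \
            "CLOSE CLOSE_WAIT LAST_ACK LISTEN CLOSING NEW_SYN_RECV", st, " ")
    }
    # Data rows start with "<n>:"; the header row is skipped.
    $1 ~ /^[0-9]+:$/ {
      s = hex($4)
      print addr($2), addr($3), ((s in st) ? st[s] : "UNKNOWN(" $4 ")")
    }
  '
}

# Sample input: header, the row quoted in the comment above, and one
# constructed ESTABLISHED row (made up for illustration).
sample_rows() {
  cat <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0B00007F:ABD3 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 479599 1 0000000000000000 100 0 0 10 0
   1: 020011AC:0050 010011AC:D2F4 01 00000000:00000000 00:00000000 00000000     0        0 479600 1 0000000000000000 20 4 30 10 -1
EOF
}

sample_rows | decode_proc_net_tcp

# Real use from the host, with no tools needed inside the container:
#   pid=$(docker inspect -f '{{.State.Pid}}' container_name_or_id)
#   sudo cat "/proc/$pid/net/tcp" | decode_proc_net_tcp
```

Reading /proc/<pid>/net/tcp on the host gives the view from that process's network namespace, so it reports the same sockets as running the grep inside the container.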
0

On macOS and Linux, here is how to list all ports running inside Docker across all containers:

docker ps -q | xargs -n 1 docker port

Alunite answered 5/5 at 10:26 Comment(0)
-1

docker inspect <container_id>

  • Look for "ExposedPorts" in "Config"
Cahill answered 15/2, 2022 at 0:22 Comment(1)
Does this actually show ports in use, or is it just a list of exposed ports that the container can listen on? – Le
-3

server:docker container ls

CONTAINER ID    IMAGE              COMMAND                  CREATED          STATUS           PORTS       NAMES

80acfa804b59    admirito/gsad:10   "docker-entrypoint.s…"   18 minutes ago   Up 10 minutes    80/tcp      gvmcontainers_gsad_1
Materse answered 27/6, 2019 at 9:10 Comment(1)
This is wrong. This will only give you the ports that either the Docker image declared or those that were explicitly exposed (in both cases it doesn't matter if the container process is actually listening...) – Rhodia
