When using Docker, ESTABLISHED connections are not displayed in netstat

I have a docker container running on RHEL 7 with Docker 1.7.0. The program running in this container listens for TCP connections on port 5000. In my Dockerfile, I place the EXPOSE 5000 clause and I start the container with the following command:

 docker run \
     --name myProgram \
     --detach \
     --publish 5000:5000 \
     --volume /home/docker/apps/myProgram/logs:/var/log/myProgram/ \
     --volume /home/docker/apps/myProgram/conf:/usr/local/snnotificationreceiver/conf/ \
     --restart always \
     10.167.152.15:5000/myProgram:1.0.0

When I execute netstat on the host, I see the LISTEN socket:

 [root@server bin]# netstat -naop | grep 5000
 tcp6       0      0 :::5000        :::*        LISTEN      33595/docker-proxy   off (0.00/0/0)

I can connect to the application by connecting to the host IP address on port 5000, and the data that I send to the application arrives. I know this because I see it in my application logs; the application also sends data through the socket. However, I do not see any ESTABLISHED connections using netstat on the docker host:

 [root@server bin]# netstat -naop | grep ESTABLISHED 

I see an ESTABLISHED connection on the client side that does not use docker:

 [root@client ~]# netstat -naop | grep 5000
 tcp        0      0 10.167.43.73:39218      10.167.152.138:5000     ESTABLISHED 21429/telnet   off (0.00/0/0)

I did not find any docker command equivalent or similar to netstat. Is this normal? How can I see ESTABLISHED connections with a container or docker proxy?

thanks

+14
docker sockets netstat
2 answers

You can:

 docker exec <containerid> netstat -tan | grep ESTABLISHED 

or, if you do not have netstat in your Docker image:

 docker inspect -f '{{.State.Pid}}' <containerid>
 # note the PID
 sudo nsenter -t <pid> -n netstat | grep ESTABLISHED

nsenter is part of the util-linux package. (Plagiarized from @larsks.)

+16

You can use this snippet to get all ESTABLISHED connections for all dockers in one line (if you have nsenter):

 docker inspect --format '{{.State.Pid}} {{printf "%.13s" .ID}} {{.Name}}' \
     $(docker ps --format '{{.ID}}') | while read dockpid dockid dockname
 do
     echo $dockid $dockname
     sudo nsenter -t $dockpid -n netstat -pan | grep ESTABLISHED
 done

Note the ESTABLISHED in the grep.

You can switch to listening connections with netstat -pnl, for both TCP and UDP:

 docker inspect --format '{{.State.Pid}} {{printf "%.13s" .ID}} {{.Name}}' \
     $(docker ps --format '{{.ID}}') | while read dockpid dockid dockname
 do
     echo $dockid $dockname
     sudo nsenter -t $dockpid -n netstat -pnl
 done

or only TCP LISTEN

 docker inspect --format '{{.State.Pid}} {{printf "%.13s" .ID}} {{.Name}}' \
     $(docker ps --format '{{.ID}}') | while read dockpid dockid dockname
 do
     echo $dockid $dockname
     sudo nsenter -t $dockpid -n netstat -pnlt
 done
+1
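
The answers above depend on netstat in the image or nsenter on the host. As an added example (not code from either answer), the same ESTABLISHED list can be read from the container's own socket table at /proc/<pid>/net/tcp, which is useful when triaging a minimal image. It covers the IPv4 table only (tcp6 is not decoded); the function names and the container address 172.17.0.2 in the sample are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): list ESTABLISHED IPv4 sockets of a
# container by decoding /proc/<pid>/net/tcp, without nsenter or netstat.

# 020011AC -> 172.17.0.2 (the kernel prints the address as a little-endian
# 32-bit hex value on x86, so the octets come out reversed).
hex_to_ip() {
    h=$1
    o4=${h%??????}; h=${h#??}
    o3=${h%????};   h=${h#??}
    o2=${h%??};     o1=${h#??}
    echo "$((0x$o1)).$((0x$o2)).$((0x$o3)).$((0x$o4))"
}

# Read a /proc/net/tcp table on stdin; print "local -> remote" for rows whose
# state column is 01 (TCP_ESTABLISHED). 0A would be LISTEN.
established_from_proc() {
    read -r _header || return 0
    while read -r _sl laddr raddr state _rest; do
        [ "$state" = "01" ] || continue
        echo "$(hex_to_ip "${laddr%:*}"):$((0x${laddr#*:})) ->" \
             "$(hex_to_ip "${raddr%:*}"):$((0x${raddr#*:}))"
    done
}

# Walk all running containers (needs root to read another process's /proc).
container_established() {
    docker ps --format '{{.ID}}' | while read -r id; do
        pid=$(docker inspect -f '{{.State.Pid}}' "$id")
        echo "== $id (pid $pid)"
        established_from_proc < "/proc/$pid/net/tcp"
    done
}

# Constructed sample table: container address 172.17.0.2 is an assumption;
# the peer is the client address from the question.
sample_table() {
    cat <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:1388 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20001 1 0000000000000000 100 0 0 10 0
   1: 020011AC:1388 492BA70A:9932 01 00000000:00000000 00:00000000 00000000     0        0 20002 1 0000000000000000 20 4 30 10 -1
EOF
}

sample_table | established_from_proc
```

Run `container_established` as root on the Docker host to apply the same decoding to every running container.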