1. Overview

Docker has become a popular choice for containerization, enabling us to build, package, and deploy applications with ease. With its lightweight containerization technology, Docker enables efficient resource utilization and seamless application deployment across various environments. When working with Docker containers, it’s essential to have visibility into the network connections, including open sockets, for monitoring, troubleshooting, and security purposes.

In this tutorial, we’ll explore different methods to list open sockets inside a running Docker container in Linux.

2. Start Docker Container

Before we list the open sockets, we need a running Docker container. We can start a container using the Docker command-line interface (CLI) in Linux.

For instance, to start a container with container ID: c7cee7fa71d5 in Linux,  we can use the following command:

$ sudo docker container ls -a                  
CONTAINER ID   IMAGE                COMMAND               CREATED        STATUS                       PORTS     NAMES
c7cee7fa71d5   mikesplain/openvas   "/bin/sh -c /start"   38 hours ago   Exited (137) 9 seconds ago             openvas
$ sudo docker container start c7cee7fa71d5                   
c7cee7fa71d5

3. Access the Shell of the Container

To access the Bash shell of the running container, we can use the docker exec command along with the -it options which stand for interactive and pseudo-TTY or terminal, respectively. Together, they enable an interactive session within the container, allowing us to enter commands and see their output:

$ sudo docker exec -it c7cee7fa71d5 bash
root@c7cee7fa71d5:/#

4. Install Required Tools

Once we access the container’s shell, we need to ensure that we have the necessary tools installed to list the open sockets. The specific tools required may vary depending on the Linux distribution used in the container*.*

We use the package manager available in the container’s Linux distribution to install the tools. For a container running a Debian-based distribution, for example, we’d use the apt command:

root@c7cee7fa71d5:/# apt-get update && apt-get install -y net-tools lsof

The command installs two packages: net-tools and lsof on a Debian-based system. The net-tools provide network monitoring tools such as ifconfig, ping, and netstat whereas lsof allows listing and gathering information about open files, network connections, and the processes that have them open.

5. List Open Sockets

With the required tools installed, we can list the open sockets inside the container. Here, we’ll see a few of the command-line tools.

5.1. Using netstat

The netstat command is a versatile tool that provides detailed information about network connections. Using it, let’s list the open sockets:

root@c7cee7fa71d5:/# netstat -tuln
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 0.0.0.0:9390            0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN     
tcp        0      0 127.0.0.1:6379          0.0.0.0:*               LISTEN     
tcp6       0      0 :::443                  :::*                    LISTEN     
tcp6       0      0 :::25                   :::*                    LISTEN    

The command output displays a list of all open sockets in the container, along with their respective addresses and listening ports.

Let’s see what the -tuln options mean:

  • -t: displays TCP sockets
  • -u: displays UDP sockets
  • -l: shows listening sockets
  • -n: displays numeric addresses

5.2. Using ss

Another useful command for listing open sockets inside the Docker container is the ss command. In fact, the ss command is an alternative to netstat and provides more detailed information about socket connections.

Running ss -tuln displays a similar output as netstat, but with additional details, such as the socket’s inode number and process information:

root@c7cee7fa71d5:/# ss -tuln
Netid State      Recv-Q Send-Q                                    Local Address:Port                                                   Peer Address:Port              
tcp   LISTEN     0      512                                                   *:9390                                                              *:*                  
tcp   LISTEN     0      100                                                   *:25                                                                *:*                  
tcp   LISTEN     0      511                                           127.0.0.1:6379                                                              *:*                  
tcp   LISTEN     0      100                                                  :::25                                                               :::*                  
tcp   LISTEN     0      32                                                   :::443                                                              :::*                  

The output shows the listening TCP sockets and their corresponding local addresses and ports. Also, it shows the state of each socket, the number of bytes in the receive and send queues, and the local and peer addresses and ports.

5.3. Using nsenter

The nsenter command is a command-line tool in Linux that allows us to enter a specific namespace of a running process. It provides a convenient way to access and interact with namespaces such as network, mount, user, and more.

Firstly, we need to determine the PID (Process ID) of the Docker container we’ll inspect. We can use the docker inspect command to retrieve the PID along with the -f option to display the custom output format of the container:

$ sudo docker inspect -f '{{.State.Pid}}' c7cee7fa71d5
4089

The .State.Pid refers to the field in the Docker container’s metadata that represents the PID of the main process running inside the container.

Once we have the PID, we can utilize nsenter along with the -t option, which signifies the PID, and -n to specify the namespace of the container. Further, the nsenter command allows us to enter a different namespace, in this case, the container’s network namespace:

$ sudo nsenter -t 4089 -n netstat -tuln
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 127.0.0.1:6379          0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:9390            0.0.0.0:*               LISTEN     
tcp6       0      0 :::443                  :::*                    LISTEN     

The command output shows the active internet connections on the system. Additionally, it displays TCP connections, their receive and send queue values, local addresses, foreign addresses, and connection states.

6. Conclusion

In this article, we explored several methods to list open sockets inside a running Docker container in Linux.

By using tools such as netstat, ss, and nsenter,  we can gain visibility over network connections and open sockets, identify potential issues, and ensure the smooth operation of the Dockerized applications.