1. Overview
Docker has become a popular choice for containerization, enabling us to build, package, and deploy applications with ease. With its lightweight containerization technology, Docker enables efficient resource utilization and seamless application deployment across various environments. When working with Docker containers, it’s essential to have visibility into the network connections, including open sockets, for monitoring, troubleshooting, and security purposes.
In this tutorial, we’ll explore different methods to list open sockets inside a running Docker container in Linux.
2. Start Docker Container
Before we list the open sockets, we need a running Docker container. We can start a container using the Docker command-line interface (CLI) in Linux.
For instance, to start a container with container ID: c7cee7fa71d5 in Linux, we can use the following command:
$ sudo docker container ls -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
c7cee7fa71d5 mikesplain/openvas "/bin/sh -c /start" 38 hours ago Exited (137) 9 seconds ago openvas
$ sudo docker container start c7cee7fa71d5
c7cee7fa71d5
3. Access the Shell of the Container
To access the Bash shell of the running container, we can use the docker exec command along with the -it options which stand for interactive and pseudo-TTY or terminal, respectively. Together, they enable an interactive session within the container, allowing us to enter commands and see their output:
$ sudo docker exec -it c7cee7fa71d5 bash
root@c7cee7fa71d5:/#
4. Install Required Tools
Once we access the container’s shell, we need to ensure that we have the necessary tools installed to list the open sockets. The specific tools required may vary depending on the Linux distribution used in the container*.*
We use the package manager available in the container’s Linux distribution to install the tools. For a container running a Debian-based distribution, for example, we’d use the apt command:
root@c7cee7fa71d5:/# apt-get update && apt-get install -y net-tools lsof
The command installs two packages: net-tools and lsof on a Debian-based system. The net-tools provide network monitoring tools such as ifconfig, ping, and netstat whereas lsof allows listing and gathering information about open files, network connections, and the processes that have them open.
5. List Open Sockets
With the required tools installed, we can list the open sockets inside the container. Here, we’ll see a few of the command-line tools.
5.1. Using netstat
The netstat command is a versatile tool that provides detailed information about network connections. Using it, let’s list the open sockets:
root@c7cee7fa71d5:/# netstat -tuln
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:9390 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:6379 0.0.0.0:* LISTEN
tcp6 0 0 :::443 :::* LISTEN
tcp6 0 0 :::25 :::* LISTEN
The command output displays a list of all open sockets in the container, along with their respective addresses and listening ports.
Let’s see what the -tuln options mean:
- -t: displays TCP sockets
- -u: displays UDP sockets
- -l: shows listening sockets
- -n: displays numeric addresses
5.2. Using ss
Another useful command for listing open sockets inside the Docker container is the ss command. In fact, the ss command is an alternative to netstat and provides more detailed information about socket connections.
Running ss -tuln displays a similar output as netstat, but with additional details, such as the socket’s inode number and process information:
root@c7cee7fa71d5:/# ss -tuln
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp LISTEN 0 512 *:9390 *:*
tcp LISTEN 0 100 *:25 *:*
tcp LISTEN 0 511 127.0.0.1:6379 *:*
tcp LISTEN 0 100 :::25 :::*
tcp LISTEN 0 32 :::443 :::*
The output shows the listening TCP sockets and their corresponding local addresses and ports. Also, it shows the state of each socket, the number of bytes in the receive and send queues, and the local and peer addresses and ports.
5.3. Using nsenter
The nsenter command is a command-line tool in Linux that allows us to enter a specific namespace of a running process. It provides a convenient way to access and interact with namespaces such as network, mount, user, and more.
Firstly, we need to determine the PID (Process ID) of the Docker container we’ll inspect. We can use the docker inspect command to retrieve the PID along with the -f option to display the custom output format of the container:
$ sudo docker inspect -f '{{.State.Pid}}' c7cee7fa71d5
4089
The .State.Pid refers to the field in the Docker container’s metadata that represents the PID of the main process running inside the container.
Once we have the PID, we can utilize nsenter along with the -t option, which signifies the PID, and -n to specify the namespace of the container. Further, the nsenter command allows us to enter a different namespace, in this case, the container’s network namespace:
$ sudo nsenter -t 4089 -n netstat -tuln
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 127.0.0.1:6379 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:9390 0.0.0.0:* LISTEN
tcp6 0 0 :::443 :::* LISTEN
The command output shows the active internet connections on the system. Additionally, it displays TCP connections, their receive and send queue values, local addresses, foreign addresses, and connection states.
6. Conclusion
In this article, we explored several methods to list open sockets inside a running Docker container in Linux.
By using tools such as netstat, ss, and nsenter, we can gain visibility over network connections and open sockets, identify potential issues, and ensure the smooth operation of the Dockerized applications.