JMX Trans gives "Port already in use" but the port is free - jmx

I'm trying to use jmxtrans to send metrics of Kafka to Influxdb. I've downloaded the jar file and configured necessary files for my case. When I try to start the jmxtrans as JAR_FILE=jmxtrans-259-all.jar jmxtrans.sh jvm.json it gives the Port already in use: 5555 error (5555 is the jmx port). My kafka systemd file (prometheus doesn't use jmx port):
[Unit]
Description=Apache Kafka Server (broker)
Documentation=http://kafka.apache.org/documentation.html
Requires=kafka-zookeeper.service
After=network.target remote-fs.target kafka-zookeeper.service
[Service]
Type=simple
User=kafka
Group=confluent
WorkingDirectory=/etc/systemd/system/
ExecStart=/bin/bash /etc/systemd/system/kafka
Restart=always
Environment="KAFKA_OPTS=-javaagent:/kafka/vty/jmx_prometheus_javaagent-0.3.1.jar=7080:/kafka/vty/kafka-0-8-2.yml"
#Environment="JMX_PORT=5555"
Environment="KAFKA_JMX_OPTS=-Dcom.sun.management.jmxremote=true -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.ssl=false -Djava.rmi.server.hostname=isstdkafld01 -Djava.net.preferIPv4Stack=true -Dcom.sun.management.jmxremote.port=5555"
[Install]
WantedBy=multi-user.target
I am pretty sure there is no process that uses the 5555 port, except kafka (PID 17397 is kafka). netstat -nltp also confirms that:
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:7081 0.0.0.0:* LISTEN 124801/java
tcp 0 0 0.0.0.0:2191 0.0.0.0:* LISTEN 124801/java
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 1184/rpcbind
tcp 0 0 0.0.0.0:9072 0.0.0.0:* LISTEN 17397/java
tcp 0 0 0.0.0.0:20048 0.0.0.0:* LISTEN 1637/rpc.mountd
tcp 0 0 0.0.0.0:5555 0.0.0.0:* LISTEN 17397/java
tcp 0 0 0.0.0.0:36629 0.0.0.0:* LISTEN 17397/java
tcp 0 0 0.0.0.0:33429 0.0.0.0:* LISTEN 17397/java
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 10716/sshd
tcp 0 0 0.0.0.0:43675 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:45759 0.0.0.0:* LISTEN 1649/rpc.statd
tcp 0 0 0.0.0.0:2049 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:34183 0.0.0.0:* LISTEN 124801/java
tcp 0 0 0.0.0.0:7080 0.0.0.0:* LISTEN 17397/java
tcp6 0 0 :::9519 :::* LISTEN 94054/nsrexecd
tcp6 0 0 :::111 :::* LISTEN 1184/rpcbind
tcp6 0 0 :::20048 :::* LISTEN 1637/rpc.mountd
tcp6 0 0 :::8370 :::* LISTEN 94054/nsrexecd
tcp6 0 0 :::8146 :::* LISTEN 94054/nsrexecd
tcp6 0 0 :::4118 :::* LISTEN 28915/ds_agent
tcp6 0 0 :::3000 :::* LISTEN 20644/grafana-serve
tcp6 0 0 :::7937 :::* LISTEN 94054/nsrexecd
tcp6 0 0 :::41537 :::* LISTEN -
tcp6 0 0 :::2049 :::* LISTEN -
tcp6 0 0 :::9090 :::* LISTEN 123916/prometheus
tcp6 0 0 :::7938 :::* LISTEN 94054/nsrexecd
tcp6 0 0 :::33443 :::* LISTEN 1649/rpc.statd
What could be the reason? Mind that when I try to use another port which is not the jmx port, it doesn't give this error and goes for a timeout. The files I use are given below.
jvm.json (8086 is the port for influxdb)
{
"servers" : [ {
"port" : "9072",
"host" : "xxxxxxxxxx",
"alias": "kafka-1",
"queries" : [ {
"outputWriters" : [
{
"#class" : "com.googlecode.jmxtrans.model.output.InfluxDbWriterFactory",
"url" : "http://xxxxxxxxxx:8086/",
"database" : "kafka",
"username" : "admin",
"password" : "admin"
} ],
"obj" : "java.lang:type=Memory",
"attr" : [ "HeapMemoryUsage", "NonHeapMemoryUsage" ],
"resultAlias" : "jvmMemory"
}
],
"numQueryThreads" : 1
} ]
}
jmxtrans.sh
#!/bin/bash
#
# The MIT License
# Copyright © 2010 JmxTrans team
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in
# all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
# THE SOFTWARE.
#
if (( $# != 1 )); then
echo "Usage: jmxtrans.sh <json file or dir>"
exit 1
fi
if [[ -f "${1}" ]]; then
JSON_CONFIG_OPT="-f ${1}"
elif [[ -d "${1}" ]]; then
JSON_CONFIG_OPT="-j ${1}"
else
echo "${1} is not a file nor a directory"
exit 1
fi
JAVA_HOME=${JAVA_HOME:-"/usr"}
LOG_DIR=${LOG_DIR:-"."}
if [[ "${JAR_FILE}" == "" ]]; then
JAR_FILE="$( cd "$( dirname "${BASH_SOURCE[0]}" )/../lib" >/dev/null && pwd )/jmxtrans-all.jar"
fi
ADDITIONAL_JARS=${ADDITIONAL_JARS:-""}
SECONDS_BETWEEN_RUNS=${SECONDS_BETWEEN_RUNS:-"60"}
JAVA=${JAVA:-"${JAVA_HOME}/bin/java"}
CHECK_JAVA=${CHECK_JAVA:-"true"}
JAVA_OPTS=${JAVA_OPTS:-"-Djava.awt.headless=true -Djava.net.preferIPv4Stack=true"}
HEAP_SIZE=${HEAP_SIZE:-"512"}
PERM_SIZE=${PERM_SIZE:-"384"}
MAX_PERM_SIZE=${MAX_PERM_SIZE:-"384"}
JMX_PORT=${JMX_PORT:-"5555"}
LOG_LEVEL=${LOG_LEVEL:-"info"}
CONTINUE_ON_ERROR=${CONTINUE_ON_ERROR:-"false"}
JMXTRANS_OPTS="${JMXTRANS_OPTS} -Djmxtrans.log.level=${LOG_LEVEL} -Djmxtrans.log.dir=${LOG_DIR}"
MONITOR_OPTS=${MONITOR_OPTS:-"-Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.port=${JMX_PORT}"}
GC_OPTS=${GC_OPTS:-"-Xms${HEAP_SIZE}m -Xmx${HEAP_SIZE}m"}
SSL_OPTS=${SSL_OPTS:-""}
if [[ "${SSL_TRUSTSTORE}" != "" ]]; then
SSL_OPTS="${SSL_OPTS} -Djavax.net.ssl.trustStore=${SSL_TRUSTSTORE}"
if [[ "${SSL_TRUSTSTORE_PASSWORD}" != "" ]]; then
SSL_OPTS="${SSL_OPTS} -Djavax.net.ssl.trustStorePassword=${SSL_TRUSTSTORE_PASSWORD}"
fi
fi
if [[ "${ADDITIONAL_JARS}" == "" ]]; then
ADDITIONAL_JARS_OPTS=""
else
ADDITIONAL_JARS_OPTS="-a ${ADDITIONAL_JARS}"
fi
if [[ "${CHECK_JAVA}" == "true" ]]; then
JAVA_VERSION=`${JAVA} -version 2>&1`
if [[ $? != 0 ]]; then
echo "Cannot execute ${JAVA}!"
exit 1
fi
fi
if [[ ! -f ${JAR_FILE} ]]; then
echo "File not found - ${JAR_FILE}"
exit 1
fi
EXEC=${EXEC:-"-jar ${JAR_FILE} -e ${JSON_CONFIG_OPT} -s ${SECONDS_BETWEEN_RUNS} -c ${CONTINUE_ON_ERROR} ${ADDITIONAL_JARS_OPTS} ${ADDITIONAL_OPTS}"}
${JAVA} -server ${JAVA_OPTS} ${JMXTRANS_OPTS} ${GC_OPTS} ${MONITOR_OPTS} ${SSL_OPTS} ${EXEC}

Address already in use issue:
Open your terminal:
ps aux | grep <process name>
list all running services and find the id you want to kill.
sudo kill -9 <id you want to kill>

Leaving the JMX_PORT=${JMX_PORT:-"5555"} line in jmxtrans.sh as its default value, 2101, solved the problem.
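The posted jmxtrans.sh starts its own JMX agent on JMX_PORT (5555 in that copy), the same port the Kafka unit binds, so the check worth running before launch is "who already listens there". The following is an added example, not code from the posts or from the jmxtrans project; the netstat rows are constructed from the listing in the question, and port_owner, pick_free_port and jmx_flags are hypothetical helper names. jmx_flags also reports when a remote JMX listener is configured without authentication or TLS, as in the quoted unit file.

```shell
#!/bin/sh
# Constructed sample: rows in `netstat -nltp` format, modelled on the listing above.
SAMPLE_NETSTAT='tcp 0 0 0.0.0.0:9072 0.0.0.0:* LISTEN 17397/java
tcp 0 0 0.0.0.0:5555 0.0.0.0:* LISTEN 17397/java
tcp6 0 0 :::3000 :::* LISTEN 20644/grafana-serve'

# JMX options from the Kafka unit file in the question (hostname/IPv4 flags trimmed).
SAMPLE_JMX_OPTS='-Dcom.sun.management.jmxremote=true -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.port=5555'

# port_owner PORT: read netstat -nltp rows on stdin and print the "PID/program"
# of the listener bound to PORT; exit status 1 if nothing listens there.
port_owner() {
    awk -v port="$1" '
        $6 == "LISTEN" {
            n = split($4, a, ":")          # last field after ":" is the port
            if (a[n] == port) { print $7; found = 1; exit }
        }
        END { exit (found ? 0 : 1) }'
}

# pick_free_port START ROWS: print the first port >= START that has no
# listener in the netstat rows passed as the second argument.
pick_free_port() {
    p=$1
    while printf '%s\n' "$2" | port_owner "$p" >/dev/null; do
        p=$((p + 1))
    done
    echo "$p"
}

# jmx_flags OPTS: summarise how a -Dcom.sun.management.jmxremote.* option
# string protects the remote JMX listener. Authentication and SSL are only
# reported as missing when they are switched off explicitly.
jmx_flags() {
    case "$1" in
        *jmxremote.port=*) ;;
        *) echo "no-remote-jmx"; return 0 ;;
    esac
    out=""
    case "$1" in *jmxremote.authenticate=false*) out="no-auth" ;; esac
    case "$1" in *jmxremote.ssl=false*) out="${out:+$out,}no-tls" ;; esac
    echo "${out:-ok}"
}

# Demo on the constructed sample.
if owner=$(printf '%s\n' "$SAMPLE_NETSTAT" | port_owner 5555); then
    echo "5555 is already bound by $owner (JMX listener: $(jmx_flags "$SAMPLE_JMX_OPTS"))"
    echo "start jmxtrans with JMX_PORT=$(pick_free_port 5555 "$SAMPLE_NETSTAT")"
fi
```

On a live host, pipe `netstat -nltp` (run as root so the PID column is filled) into port_owner instead of the sample.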

Related

Docker only accessible from localhost; port publishing not working?

Fairly new to Docker. Our containers work fine when hitting localhost with curl or a browser, but any external calls to http://[ip address] just time out. We're seeing the exact same behavior with Kong and also a basic whoami. The only way the containers are externally accessible is when we add --network host to the docker run command, but that's not an option for our production use.
The server itself and firewall are configured correctly; when I shut down docker and spun up a simple webserver it was reachable at the IP address. Essentially, any bridge-type network for Docker is inaccessible to the outside world and produces time-outs on any call to a port we set it to listen for (vs immediate connection refused for random unmapped ports).
The run commands we're using:
docker run -d -p 80:80 containous/whoami
docker run -d --name kongtest \
-p 0.0.0.0:80:8000 -p 0.0.0.0:443:8443 \
kong/kong-gateway:3.0.0.0-alpine
Output from docker ps:
88a4bf28bbcd kong/kong-gateway:3.0.0.0-alpine "/docker-entrypoint.…" 5 seconds ago Up 5 seconds (health: starting) 8001-8004/tcp, 8444-8447/tcp, 0.0.0.0:80->8000/tcp, 0.0.0.0:443->8443/tcp kongtest
netstat -lntup using default or custom Docker bridge network:
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 384272/sshd: /usr/s
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 640858/docker-proxy
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN 384297/systemd-reso
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 640845/docker-proxy
tcp6 0 0 :::22 :::* LISTEN 384272/sshd: /usr/s
udp 0 0 127.0.0.53:53 0.0.0.0:* 384297/systemd-reso
udp 0 0 140.82.10.213:68 0.0.0.0:* 384291/systemd-netw
netstat -lntup using --network=host:
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 384272/sshd: /usr/s
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN 384297/systemd-reso
tcp6 0 0 :::22 :::* LISTEN 384272/sshd: /usr/s
tcp6 0 0 :::80 :::* LISTEN 708481/whoami
udp 0 0 127.0.0.53:53 0.0.0.0:* 384297/systemd-reso
udp 0 0 140.82.10.213:68 0.0.0.0:* 384291/systemd-netw

How can I resolve connection error during docker swarm join command?

I'm using two servers, A and B.
The two servers are connected with ssh connection.
I ran the below command at server A:
> sudo docker swarm init --advertise-addr SERVER_A_IP
Swarm initialized: current node (i3ob4imfipqcfm6l713shaem4) is now a manager.
To add a worker to this swarm, run the following command:
docker swarm join \
--token SWMTKN-1-2ru3tokyxfyep1ifp8diir89x8i94o0py5fcoaue12ep43tvy3-dls3jomzc2bh2by2f2s02i7y5 \
SERVER_A_IP:2377
To add a manager to this swarm, run 'docker swarm join-token manager' and follow the instructions.
And then the below command at server B:
> sudo docker swarm join --token SWMTKN-1-4s757ln39s1lkeu7xy8ucmv7rweqte4odedb4xi7x4fettu8sh-0wskijh5rzh42zxzbjs1hxfjr SERVER_A_IP:2377
Error response from daemon: rpc error: code = 14 desc = grpc: the connection is unavailable
What does this error mean?
Error response from daemon: rpc error: code = 14 desc = grpc: the connection is unavailable
I set firewall options for the both servers:
firewall-cmd --add-port=2376/tcp --permanent
firewall-cmd --add-port=2377/tcp --permanent
firewall-cmd --add-port=7946/tcp --permanent
firewall-cmd --add-port=7946/udp --permanent
firewall-cmd --add-port=4789/udp --permanent
I searched for this error, and tried another command at server A, and failed:
> sudo docker swarm init --advertise-addr SERVER_A_IP --listen-addr SERVER_B_IP
Error response from daemon: failed to listen on remote API address: listen tcp SERVER_B_IP:2377: bind: cannot assign requested address
result of netstat command:
> netstat -tuplen
(No info could be read for "-p": geteuid()=11000 but you should be root.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State User Inode PID/Program name
tcp 0 0 127.0.0.1:199 0.0.0.0:* LISTEN 0 17082 -
tcp 0 0 0.0.0.0:873 0.0.0.0:* LISTEN 0 16129 -
tcp 0 0 0.0.0.0:65130 0.0.0.0:* LISTEN 0 19486 -
tcp 0 0 0.0.0.0:65131 0.0.0.0:* LISTEN 0 18964 -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 0 46782 -
tcp6 0 0 :::544 :::* LISTEN 0 48400 -
tcp6 0 0 :::873 :::* LISTEN 0 16130 -
tcp6 0 0 :::22 :::* LISTEN 0 46791 -
tcp6 0 0 :::2105 :::* LISTEN 0 48398 -
tcp6 0 0 :::543 :::* LISTEN 0 48399 -
udp 0 0 0.0.0.0:60823 0.0.0.0:* 0 17469 -
udp 0 0 0.0.0.0:37406 0.0.0.0:* 0 48150 -
udp 0 0 0.0.0.0:68 0.0.0.0:* 0 17486 -
udp 0 0 0.0.0.0:49238 0.0.0.0:* 0 48323 -
udp 0 0 0.0.0.0:161 0.0.0.0:* 0 17081 -
udp 0 0 127.0.0.1:323 0.0.0.0:* 0 18058 -
udp6 0 0 :::1106 :::* 0 17470 -
Any thought appreciated :)

Netstat in docker does not show PIDs for processes started as a different user

I am running a network server under the jamq user in Docker.
[root@12af450e8259 /]# su jamq -c '/opt/jboss-amq-7-i0/bin/artemis-service start'
Starting artemis-service
artemis-service is now running (25)
I am then trying to list processes and their listening sockets using netstat as root, but for processes running as different user than me, I only see - instead of PID.
[root@12af450e8259 /]# netstat -nlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1/sshd
tcp 0 0 0.0.0.0:1883 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:8161 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:5445 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:5672 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:61613 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:61616 0.0.0.0:* LISTEN -
tcp6 0 0 :::22 :::* LISTEN 1/sshd
I tried adding --privileged onto Docker command line, and that fixes the problem. I then wanted to use more granular capabilities, but I cannot find the right capability.
I tried
docker run --rm --cap-add=SYS_ADMIN --cap-add=NET_ADMIN -it myimage:latest bash
but that does not help.
The required capability is --cap-add=SYS_PTRACE. There are various reports in bugs that netstat needs this capability. For example, Bug 901754 - SELinux is preventing /usr/bin/netstat from using the 'sys_ptrace' capabilities.
The correct command therefore is
docker run --rm --cap-add=SYS_PTRACE -it myimage:latest bash
[root@f9c4b5fa7d1c /]# netstat -nlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:5672 0.0.0.0:* LISTEN 22/java
tcp 0 0 0.0.0.0:61613 0.0.0.0:* LISTEN 22/java
tcp 0 0 0.0.0.0:61616 0.0.0.0:* LISTEN 22/java
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 92/sshd
tcp 0 0 0.0.0.0:1883 0.0.0.0:* LISTEN 22/java
tcp 0 0 127.0.0.1:8161 0.0.0.0:* LISTEN 22/java
tcp 0 0 0.0.0.0:5445 0.0.0.0:* LISTEN 22/java
tcp6 0 0 :::22 :::* LISTEN 92/sshd
Active UNIX domain sockets (only servers)
Proto RefCnt Flags Type State I-Node PID/Program name Path
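Why the PID column depends on that capability, as an added example (not part of the original answer): netstat -p fills the column by matching each socket's inode from /proc/net/tcp against the socket:[inode] links under /proc/<pid>/fd, and it prints "-" when it cannot read those links for another user's process. The /proc/net/tcp rows and the throwaway /proc-like tree below are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample in /proc/net/tcp layout: sshd on 0.0.0.0:22 (uid 0), a
# broker on 0.0.0.0:1883 and 127.0.0.1:8161 (uid 1000), one ESTABLISHED row.
SAMPLE_PROC_NET_TCP='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 31001 1
   1: 00000000:075B 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 48211 1
   2: 0100007F:1FE1 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 48230 1
   3: 0100007F:1FE1 0100007F:C350 01 00000000:00000000 00:00000000 00000000  1000        0 48901 1'

# listening_sockets: read /proc/net/tcp rows on stdin and print
# "PORT UID INODE" for every socket in state 0A (LISTEN).
listening_sockets() {
    while read -r sl local rem st txrx trwhen retr uid timeout inode rest; do
        [ "$st" = "0A" ] || continue
        echo "$((0x${local##*:})) $uid $inode"   # port is the hex after ":"
    done
}

# inode_pid PROCROOT INODE: print the PID whose fd table links to
# socket:[INODE], or "-" when no readable fd link matches.
inode_pid() {
    for fd in "$1"/[0-9]*/fd/*; do
        [ "$(readlink "$fd" 2>/dev/null)" = "socket:[$2]" ] || continue
        pid=${fd#"$1"/}
        echo "${pid%%/*}"
        return 0
    done
    echo "-"
}

# pid_column PROCROOT: netstat-style "PORT PID" table for the rows on stdin.
pid_column() {
    listening_sockets | while read -r port uid inode; do
        echo "$port $(inode_pid "$1" "$inode")"
    done
}

# make_fake_proc: build a throwaway /proc-like tree in which only PID 1 (sshd)
# exposes its fd links; PID 25's fd directory is left empty to stand in for
# links the caller is not allowed to read.
make_fake_proc() {
    root=$(mktemp -d)
    mkdir -p "$root/1/fd" "$root/25/fd"
    ln -s 'socket:[31001]' "$root/1/fd/3"
    echo "$root"
}

# Demo: the broker's ports resolve to "-" until its fd links become visible.
demo_root=$(make_fake_proc)
printf '%s\n' "$SAMPLE_PROC_NET_TCP" | pid_column "$demo_root"
ln -s 'socket:[48211]' "$demo_root/25/fd/7"
printf '%s\n' "$SAMPLE_PROC_NET_TCP" | pid_column "$demo_root"
rm -rf "$demo_root"
```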

docker: gitlab + traefik & port 22

I need to set up GitLab behind Traefik.
Everything works except authentication to the app via command line - I don't know how to expose port 22 via traefik.
Any idea how to set it up? How to expose port 22 of a docker container (via traefik)?
I changed the default port from 22 to 10022.
I'm getting via netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1132/sshd
tcp 0 0 0.0.0.0:5355 0.0.0.0:* LISTEN 1126/systemd-resolv
tcp6 0 0 :::22 :::* LISTEN 1132/sshd
tcp6 0 0 :::443 :::* LISTEN 1590/docker-proxy
tcp6 0 0 :::10022 :::* LISTEN 1440/docker-proxy
tcp6 0 0 :::5355 :::* LISTEN 1126/systemd-resolv
tcp6 0 0 :::80 :::* LISTEN 1602/docker-proxy
tcp6 0 0 :::8080 :::* LISTEN 1578/docker-proxy
udp 0 0 127.0.0.53:53 0.0.0.0:* 1126/systemd-resolv
udp 0 0 0.0.0.0:68 0.0.0.0:* 864/dhclient
udp 0 0 0.0.0.0:5355 0.0.0.0:* 1126/systemd-resolv
udp6 0 0 :::5355 :::* 1126/systemd-resolv
I don't understand why 10022 is connected to docker-proxy.
When I try:
git push --set-upstream origin master
ssh: connect to host git.myserver.com port 10022: Connection refused
fatal: Could not read from remote repository.
Thank you very much
Traefik is an HTTP reverse proxy, and ssh is not an HTTP protocol. So you'll need to simply publish the container's ssh port on an unused port on the host.
As BMitch said, traefik won't handle TCP traffic if it is not HTTP. (SSH is not HTTP).
See this discussion: https://github.com/containous/traefik/issues/10
I recommend you to configure your networking stuff in order to route the traffic of :22 directly to the container.

Docker and netstat: netstat is not showing ports, exposed by docker containers

I expose docker ports of my containers to the host machine with something like
docker run -p 80:80 ...
then I try to display all listening ports for debugging purposes with netstat e.g.:
netstat -at
Strange thing is that netstat won't display my docker containers with exposed ports, although they are listening and reply to the browser.
How do I make netstat display those exposed ports?
UPDATE:
I'm running this on Debian 8 Jessie. Here's what I do:
docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
9dfa08bab50d workflows-nginx "/bin/sh -c '/usr/sbi" 2 hours ago Up 2 hours 0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp workflows-nginx
d0b0c3f90f13 workflows-django "/bin/sh -c 'python /" 7 hours ago Up 3 hours 0.0.0.0:8000->8000/tcp workflows-django
99a857c92533 workflows-db "/docker-entrypoint.s" 7 hours ago Up 3 hours 5432/tcp workflows-db
Here docker reports that container ports are forwarded to the host. Moreover, if I stop workflows-nginx container, it stops answering to the browser by http (port 80). If I start it again, it starts responding again.
Here is the output of sudo netstat -at | less:
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 *:ssh *:* LISTEN
tcp 0 0 localhost:ipp *:* LISTEN
tcp 0 0 *:15672 *:* LISTEN
tcp 0 0 *:postgresql *:* LISTEN
tcp 0 0 localhost:smtp *:* LISTEN
tcp 0 0 *:25672 *:* LISTEN
tcp 0 0 *:48142 *:* LISTEN
tcp 0 0 *:sunrpc *:* LISTEN
tcp 0 0 *:epmd *:* LISTEN
tcp 0 0 bob-acer:34866 104.16.33.249:http ESTABLISHED
tcp 0 0 bob-acer:42380 stackoverflow.com:https ESTABLISHED
tcp 0 0 bob-acer:42543 stackoverflow.com:https ESTABLISHED
tcp 0 0 bob-acer:42525 stackoverflow.com:https ESTABLISHED
tcp 0 0 bob-acer:44076 stackoverflow.com:https ESTABLISHED
tcp 0 0 bob-acer:42944 stackoverflow.com:https ESTABLISHED
tcp 0 0 localhost:epmd localhost:50831 ESTABLISHED
tcp 0 0 bob-acer:42655 stackoverflow.com:https ESTABLISHED
tcp 0 0 bob-acer:42384 stackoverflow.com:https ESTABLISHED
tcp 0 0 bob-acer:44626 stackoverflow.com:https ESTABLISHED
tcp 0 0 bob-acer:42390 stackoverflow.com:https ESTABLISHED
tcp 0 0 localhost:50831 localhost:epmd ESTABLISHED
tcp 0 0 bob-acer:48301 c2.52.c0ad.ip4.st:https ESTABLISHED
tcp 0 0 bob-acer:42151 stackoverflow.com:https ESTABLISHED
tcp 0 0 bob-acer:42205 stackoverflow.com:https ESTABLISHED
tcp 0 0 bob-acer:42539 stackoverflow.com:https ESTABLISHED
tcp 0 0 bob-acer:44737 stackoverflow.com:https ESTABLISHED
tcp 0 0 bob-acer:39648 77.94.164.251:https ESTABLISHED
tcp6 0 0 [::]:ssh [::]:* LISTEN
tcp6 0 0 localhost:ipp [::]:* LISTEN
tcp6 0 0 [::]:postgresql [::]:* LISTEN
tcp6 0 0 localhost:smtp [::]:* LISTEN
tcp6 0 0 [::]:44794 [::]:* LISTEN
tcp6 0 0 [::]:8000 [::]:* LISTEN
tcp6 0 0 [::]:amqp [::]:* LISTEN
tcp6 0 0 [::]:sunrpc [::]:* LISTEN
tcp6 1 0 localhost:58497 localhost:ipp CLOSE_WAIT
As you can see, neither port 80, nor port 443 are reported. Port 8000 of workflows-django for some reason is opened on IPv6 interface. Moreover, I forgot to disable postgres on host machine and still they don't clash with postgres container workflows-db.
Everything is running on my local notebook, so I guess there can't be any confusion with the host.
My docker version is:
docker --version
Docker version 1.10.3, build 20f81dd
ANSWER: This is related to docker EXPOSE parameter. If you write this line in your dockerfile and run the container with -p, the port will be visible in netstat. If you use -p but don't write EXPOSE, your port won't be listed by netstat.
It's never too late to answer a question.
Using netstat -tln, not netstat -at.
It's very simple to answer, if you notice the --numeric option for netstat. By using this option, netstat will print addresses as numbers instead of meaningful strings. Then you can grep them as you mentioned. The following shows how it works.
[root@A01-R26-I52-155-3002023 ~]# netstat -tl
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 localhost.localdom:smux 0.0.0.0:* LISTEN
tcp 0 0 localhost.localdo:18121 0.0.0.0:* LISTEN
tcp 0 0 localhost.localdo:18122 0.0.0.0:* LISTEN
tcp 0 0 localhost.localdo:18123 0.0.0.0:* LISTEN
tcp 0 0 localhost.localdo:18124 0.0.0.0:* LISTEN
tcp 0 0 localhost.localdo:18125 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:sunrpc 0.0.0.0:* LISTEN
tcp 0 0 localhost.localdo:18928 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:20080 0.0.0.0:* LISTEN
tcp 0 0 A01-R26-:univ-appserver 0.0.0.0:* LISTEN
tcp 0 0 A01-R26-:univ-appserver 0.0.0.0:* LISTEN
tcp 0 0 localhost.:search-agent 0.0.0.0:* LISTEN
tcp 0 0 localhost:mosaicsyssvc1 0.0.0.0:* LISTEN
tcp 0 0 A01-R26-I52-155-300:ssh 0.0.0.0:* LISTEN
tcp6 0 0 [::]:37611 [::]:* LISTEN
tcp6 0 0 [::]:sunrpc [::]:* LISTEN
tcp6 0 0 [::]:microsan [::]:* LISTEN
tcp6 0 0 [::]:commtact-http [::]:* LISTEN
[root@A01-R26-I52-155-3002023 ~]# netstat -tln
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 127.0.0.1:199 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:18121 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:18122 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:18123 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:18124 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:18125 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:18928 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:20080 0.0.0.0:* LISTEN
tcp 0 0 10.217.52.155:1233 0.0.0.0:* LISTEN
tcp 0 0 10.218.52.155:1233 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:1234 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:1235 0.0.0.0:* LISTEN
tcp 0 0 10.217.52.155:22 0.0.0.0:* LISTEN
tcp6 0 0 :::37611 :::* LISTEN
tcp6 0 0 :::111 :::* LISTEN
tcp6 0 0 :::20001 :::* LISTEN
tcp6 0 0 :::20002 :::* LISTEN
netstat should display the exposed ports. Here is an example
anovil@anovil-Latitude-E6440:docker$ sudo netstat -at|grep 3030
anovil@anovil-Latitude-E6440:docker$ docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
anovil@anovil-Latitude-E6440:docker$ docker run -d -p 3030:80 httpd:2.4
4310ac5fbdbc7314ab4d23e34099a710a3a8790dcf2c6d0a84202c1de5c9fd30
anovil@anovil-Latitude-E6440:docker$ docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
4310ac5fbdbc httpd:2.4 "httpd-foreground" 3 minutes ago Up 3 minutes 0.0.0.0:3030->80/tcp hungry_fermat
anovil@anovil-Latitude-E6440:docker$ sudo netstat -at|grep 3030
tcp6 0 0 [::]:3030 [::]:* LISTEN
anovil@anovil-Latitude-E6440:docker$ sudo netstat -tulpn|grep 3030
tcp6 0 0 :::3030 :::* LISTEN 10294/docker-proxy
anovil@anovil-Latitude-E6440:docker$
Some basic things you need to verify yourself:
Are you running netstat with elevated privileges? Some things might be missed when you are non-root
Is your docker container running on the same host as you expect? Check with docker ps
Does docker ps list the port forwarding? Like from the above, you should be able to see something like this 0.0.0.0:3030->80/tcp
Also note that, the docker-proxy is the one running on the host.
All commands above assume that you run on linux.
This was tested with ubuntu 15.10
If you still feel you are missing the forwarding, then please post back your Operating System, docker version etc.
Thanks,
This code will show you the opened ports with the pids inside the container:
container_name=some_container_name
c_pid=`docker container inspect -f "{{.State.Pid}}" ${container_name}`
nsenter -t ${c_pid} -n netstat -anp
They are listed, just not in the way you might expect. If you're looking for an ipv4 listen port you won't see it (unless I believe if you're using both the EXPOSE and publish (-p) mechanisms in tandem), but what you will see is a docker proxy on ipv6, e.g. for a MySQL container:
netstat -tlpn4
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp6 0 0 :::3306 :::* LISTEN 9608/docker-proxy
