docker container not able to reach some of host's ports - docker

I have a stack with docker-compose running on a VM.
Here is a sample output of my netstat -tulpn on the VM
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:9839 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:8484 0.0.0.0:* LISTEN
The docker is able to communicate with port 9839 (using 172.17.0.1) but not with port 8484.
Why is that?

That's because the program listening on port 8484 is bound to 127.0.0.1 meaning that it'll only accept connections from localhost.
The one listening on 9839 has bound to 0.0.0.0 meaning it'll accept connections from anywhere.
To make the one listening on 8484 accept connections from anywhere, you need to change what it's binding to. If it's something you've written yourself, you can change it in code. If it's not, there's probably a configuration setting you can set.

Related

Port mapping problems with VScode OSS running inside a docker container

I would like to run the VSCode OSS Web Server within a Docker Container, as described here: https://github.com/microsoft/vscode/wiki/How-to-Contribute#vs-code-for-the-web
The Container is running, but the port mapping doesn't work. I run my image with
docker run -it -p 9888:9888 -p 5877:5877 vscode-server
but I got nothing with curl -I http://localhost:9888 on my machine. The VScode server is running, but the mapping to the host will not work. I think the problem is the binding. It looks like the VScode Server will bind to 127.0.0.1 but should bind to 0.0.0.0
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:9888 0.0.0.0:* LISTEN 870/node
tcp 0 0 127.0.0.1:5877 0.0.0.0:* LISTEN 881/node
Can anybody help here?

Flink all zero monitoring

Flink has all-zero listening in the Docker container. Binding 0.0.0.0 is equivalent to binding all IP addresses of the local host, causing network-wide listening. If the management plane, control plane, and user plane are divided on the local host, the original isolation principle of the system will be violated. For example, run the netstat -nultp command in the jobmanager.
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:6123 0.0.0.0:* LISTEN 1100/java
tcp 0 0 0.0.0.0:6124 0.0.0.0:* LISTEN 1100/java
tcp 0 0 0.0.0.0:8081 0.0.0.0:* LISTEN 1100/java
tcp 0 0 0.0.0.0:50100 0.0.0.0:* LISTEN 1100/java
All-zero monitoring can cause some security problems. Can anyone give us an opinion on how to solve the all-zero monitoring problem?
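The three questions above (the host port a container cannot reach, the VSCode server bound to 127.0.0.1 inside its container, and Flink's 0.0.0.0 listeners) are all decided by the Local Address column of netstat. The following script is an added example, not code from any of the posts: it parses netstat -tulpn output, classifies each listener as wildcard, loopback or specific-address, and reports which listeners a client connecting to a given host address (172.17.0.1 for the first question) can reach and which are exposed on every interface. The netstat lines are constructed from the posts' output; the 10.0.0.5 listener is an invented example of a bind to one specific interface.

```python
"""Classify the listeners in `netstat -tulpn` output by bind address.

Added example, not from any post on this page. The netstat lines below are
constructed from the posts' output; the 10.0.0.5 row is invented to show a
listener bound to a single specific interface.
"""
import ipaddress
from dataclasses import dataclass

WILDCARDS = {"0.0.0.0", "::", "*"}  # netstat prints any of these for "all interfaces"

# Constructed sample: rows taken from the posts plus one invented specific bind.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:9839            0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:8484          0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:8081            0.0.0.0:*               LISTEN      1100/java
tcp6       0      0 :::3333                 :::*                    LISTEN      -
tcp        0      0 10.0.0.5:6123           0.0.0.0:*               LISTEN      1100/java
udp        0      0 0.0.0.0:68              0.0.0.0:*                           800/dhclient
"""


@dataclass
class Listener:
    proto: str      # tcp, tcp6, udp, udp6
    addr: str       # bind address exactly as netstat printed it
    port: int
    program: str    # "pid/name", or "-" when netstat could not determine it

    @property
    def scope(self) -> str:
        """'all' for a wildcard bind, 'loopback' for 127.x / ::1 / localhost, else 'specific'."""
        if self.addr in WILDCARDS:
            return "all"
        try:
            return "loopback" if ipaddress.ip_address(self.addr).is_loopback else "specific"
        except ValueError:  # netstat without -n prints names such as "localhost"
            return "loopback" if self.addr == "localhost" else "specific"


def parse_netstat(text: str) -> list[Listener]:
    """Parse the tcp/udp rows; the header and non-socket lines are skipped."""
    listeners = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 5 or not cols[0].startswith(("tcp", "udp")):
            continue
        addr, _, port = cols[3].rpartition(":")  # rpartition keeps IPv6 colons intact
        program = cols[-1] if ("/" in cols[-1] or cols[-1] == "-") else "-"
        listeners.append(Listener(cols[0], addr, int(port), program))
    return listeners


def reachable_via(lst: Listener, dest_ip: str) -> bool:
    """Can a client that connects to dest_ip:port reach this listener?

    A wildcard bind accepts on every local address, a specific bind only on
    that address, and a loopback bind only when the client targets loopback.
    On Linux an IPv6 '::' wildcard also accepts IPv4 clients unless
    net.ipv6.bindv6only=1, which is why the tcp6 ':::3333' row counts as 'all'.
    """
    dest = ipaddress.ip_address(dest_ip)
    if lst.scope == "all":
        return True
    if lst.scope == "loopback":
        return dest.is_loopback
    return ipaddress.ip_address(lst.addr) == dest


def audit(text: str, dest_ip: str) -> list[dict]:
    """One row per listener: scope, reachability via dest_ip, and all-interface exposure."""
    return [
        {"proto": lst.proto, "port": lst.port, "program": lst.program, "scope": lst.scope,
         "reachable_via_" + dest_ip: reachable_via(lst, dest_ip),
         "exposed_on_all_interfaces": lst.scope == "all"}
        for lst in parse_netstat(text)
    ]


if __name__ == "__main__":
    # 172.17.0.1 is the default bridge gateway a container uses to reach its host.
    for row in audit(SAMPLE_NETSTAT, "172.17.0.1"):
        print(row)
```

Run it against real output with `netstat -tulpn | python3 audit.py` after replacing SAMPLE_NETSTAT with `sys.stdin.read()`; any row with scope 'loopback' is invisible from a container, and any row with exposed_on_all_interfaces set is the kind of all-zero listener the Flink post is worried about, so the fix in both cases is the same: bind the service to the one address that should serve it.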

Docker on Synology - Binding to all interfaces

I have a MariaDB docker container running on a Synology DS918+ that redirects traffic from container port 3306 to external port 3333.
When I see how it binds to the port, it seems different than a working example I have for another service that doesn't run on docker
Working:
ash-4.3# netstat -nao | grep 5000
tcp 0 0 0.0.0.0:5000 0.0.0.0:* LISTEN off (0.00/0/0)
tcp6 0 0 :::5000 :::* LISTEN
Not working:
ash-4.3# netstat -nao | grep 3333
tcp6 0 0 :::3333 :::* LISTEN off (0.00/0/0)
When I try to access port 3333 on the remote machine running docker from my laptop, I'm able to do so. The issue is when trying to access the machine's private IP from within the machine itself; this fails.
Any help is appreciated here
To clarify, although your docker is only binding to the IPv6 interface (":::"), not the IPv4 one ("0.0.0.0"), Docker forbids a loopback connection to its docker-proxy from the host. I believe this also fails in all networking modes.
If you’re connecting from container to another container, use the container name via the docker-dns and private LAN. For example, if your MariaDB container is named “maria”, I believe docker’s DNS on 127.0.0.11 offers a lookup for the name “maria” to a 172...* ipv4 to which other containers may connect if in the same 172.{subnet}../16 as your MariaDB host. Connect to “maria” in another container and the tcp magically gets to the right place.
If you’re trying to connect from the docker host to a container, this is a problem that I have resigned to proxying off my router in a hairpin NAT to the same upnp ports that I’ve exported via External Access on Synology, which feels like a poor solution but works today.

Missing PID for process inside docker container

I'm running a simple web application inside a docker container. When I look at the output of netstat, the PID/Program name is blank.
root#fasf343344423# sudo netstat -tulnp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:5697 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:9090 0.0.0.0:* LISTEN -
I've seen the PID before on a different setup. So, I want to understand if this is because of a setup issue. Appreciate your help
I was able to resolve this with the following change:
Edit the /etc/apparmor.d/docker file, add the following line, and restart AppArmor:
ptrace peer=docker-default,
sudo service apparmor restart
As in my related question "Which PID is using a PORT inside a k8s pod without net tools": the lack of the POSIX capability CAP_SYS_PTRACE prevents netstat from tracing the inode to the PID.
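To see why a ptrace restriction blanks the PID column, it helps to do by hand what netstat -p does. The script below is an added example, not code from the post or from netstat itself: it reads the /proc/net/tcp format (each socket row carries an inode), then walks /proc/<pid>/fd looking for a symlink named "socket:[inode]". Reading another process's fd directory needs ptrace read access to that process, so when the docker-default AppArmor profile or a missing CAP_SYS_PTRACE denies it, the walk finds nothing and the column shows "-". The /proc/net/tcp excerpt is constructed to match the post's 5697 and 9090 listeners (plus the 127.0.0.1:8484 row from the first question); its inode numbers are invented.

```python
"""Attribute listening sockets to PIDs the way `netstat -p` does.

Added example, not from the post above. The /proc/net/tcp excerpt is
constructed (captured-style, from a little-endian host); inodes are invented.
"""
import os
import socket
import struct

TCP_LISTEN = 0x0A  # value of the "st" column for a listening socket

SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:1641 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 00000000:2382 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 0100007F:2124 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12347 1 0000000000000000 100 0 0 10 0
"""


def decode_addr(hexaddr: str) -> tuple[str, int]:
    """'0100007F:2124' -> ('127.0.0.1', 8484).

    The kernel prints the IPv4 address as one native-endian 32-bit word, so
    packing it back in native order ('=I') recovers the network-order bytes.
    """
    ip_hex, port_hex = hexaddr.split(":")
    return socket.inet_ntoa(struct.pack("=I", int(ip_hex, 16))), int(port_hex, 16)


def parse_proc_net_tcp(text: str) -> list[dict]:
    """Return the LISTEN rows as {'ip', 'port', 'inode'} dicts."""
    rows = []
    for line in text.splitlines()[1:]:  # the first line is the column header
        f = line.split()
        if len(f) < 10 or int(f[3], 16) != TCP_LISTEN:
            continue
        ip, port = decode_addr(f[1])
        rows.append({"ip": ip, "port": port, "inode": int(f[9])})
    return rows


def find_pid_for_inode(inode: int, proc: str = "/proc") -> tuple[str, bool]:
    """Scan /proc/<pid>/fd for a link named 'socket:[inode]'.

    Returns (pid, denied): pid is '-' when no readable fd directory held the
    socket; denied is True when at least one process's fd directory could not
    be read, which is the ptrace-restriction symptom described in the post.
    """
    target = f"socket:[{inode}]"
    denied = False
    for pid in os.listdir(proc):
        if not pid.isdigit():
            continue
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except PermissionError:  # no ptrace read access to that process
            denied = True
            continue
        except OSError:          # process exited while we were scanning
            continue
        for fd in fds:
            try:
                if os.readlink(os.path.join(fd_dir, fd)) == target:
                    return pid, denied
            except OSError:
                continue
    return "-", denied


def netstat_like(proc_net_tcp: str, proc: str = "/proc") -> list[tuple[str, int, str]]:
    """Rows of (ip, port, pid-or-'-'): the columns the post's netstat output shows."""
    return [(r["ip"], r["port"], find_pid_for_inode(r["inode"], proc)[0])
            for r in parse_proc_net_tcp(proc_net_tcp)]


def self_check():
    """Bind a socket in this process and confirm the scan attributes it to our PID.

    Returns True/False on Linux, None where /proc or sockets are unavailable.
    """
    if not os.path.isdir("/proc/self/fd"):
        return None
    try:
        with socket.socket() as s:
            s.bind(("127.0.0.1", 0))
            s.listen(1)
            inode = os.fstat(s.fileno()).st_ino  # same number /proc/net/tcp reports
            pid, _ = find_pid_for_inode(inode)
    except OSError:
        return None
    return pid == str(os.getpid())


if __name__ == "__main__":
    print(netstat_like(SAMPLE_PROC_NET_TCP))  # invented inodes resolve to '-' on a real host
    print("self-check:", self_check())
```

Running it as an unprivileged user inside a container reproduces the post's symptom: the scan reports denied=True for every other process and the PID column stays "-", even though the socket rows themselves are fully readable from /proc/net/tcp. Granting CAP_SYS_PTRACE or the AppArmor ptrace rule is what lets the fd walk succeed.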

netstat local address, port represented by string

What ports are represented by the strings irdmi, availant-mgr, etc.?
In general, how do I figure this out? Is it assigned in some file somewhere?
netstat -lp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 *:irdmi *:* LISTEN 4648/python
tcp 0 0 *:availant-mgr *:* LISTEN 1777/sshd
tcp 0 0 *:shell *:* LISTEN 1732/xinetd
tcp 0 0 *:ssh *:* LISTEN 1698/sshd
Use the -n flag to show numerical addresses and ports.
netstat -an
If you run netstat -a it should list the actual port numbers you are listening on.
Typical protocol ports can be found here: http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers
e.g. irdmi is typically 8000, SSH is 22.
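The names come from /etc/services: netstat without -n calls getservbyport(3) to turn each port number into the name listed there. The script below is an added example, not from the post: it parses the /etc/services line format from an embedded excerpt (constructed, with port assignments matching the standard file) so it runs anywhere, falls back to the system's own socket.getservbyname() for names the excerpt lacks, and rewrites a netstat Local Address such as *:irdmi into the numeric form that -n would print.

```python
"""Resolve the service names netstat prints without -n back to port numbers.

Added example, not from the post. SERVICES_EXCERPT is a constructed excerpt
in /etc/services format; its ports match the standard assignments.
"""
import socket

SERVICES_EXCERPT = """\
# Network services, Internet style
ssh             22/tcp                          # SSH Remote Login Protocol
ssh             22/udp
shell           514/tcp         cmd syslog      # no passwords used
availant-mgr    1122/tcp
irdmi           8000/tcp
irdmi2          7999/tcp
http-alt        8080/tcp        webcache        # WWW caching service
"""


def parse_services(text: str) -> dict:
    """Return {(name, proto): port}, including aliases, ignoring comments/blank lines."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        fields = line.split()
        port, proto = fields[1].split("/")
        for name in [fields[0]] + fields[2:]:  # the first word plus any aliases
            table[(name, proto)] = int(port)
    return table


SERVICES_TABLE = parse_services(SERVICES_EXCERPT)


def resolve_port(token: str, proto: str = "tcp", table: dict = None):
    """'irdmi' -> 8000; numeric strings pass through; unknown names -> None.

    Names missing from the embedded excerpt are looked up in the running
    system's /etc/services through socket.getservbyname().
    """
    if token.isdigit():
        return int(token)
    table = SERVICES_TABLE if table is None else table
    if (token, proto) in table:
        return table[(token, proto)]
    try:
        return socket.getservbyname(token, proto)
    except OSError:
        return None


def numeric_local_address(local: str, proto: str = "tcp") -> str:
    """'*:irdmi' -> '*:8000', i.e. the column as `netstat -n` would print it."""
    host, _, svc = local.rpartition(":")
    port = resolve_port(svc, proto)
    return f"{host}:{svc if port is None else port}"


if __name__ == "__main__":
    # Local Address values copied from the post's netstat -lp output.
    for local in ("*:irdmi", "*:availant-mgr", "*:shell", "*:ssh"):
        print(f"{local:18} -> {numeric_local_address(local)}")
```

Note that the name only tells you what /etc/services assigns to that port number, not what is actually listening there: in the post, sshd is listening on availant-mgr (1122) and a python process on irdmi (8000), so the PID/Program name column, not the service name, is the thing to trust.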
