Fairly new to Docker. Our containers work fine when hitting localhost with curl or a browser, but any external calls to http://[ip address] just time out. We're seeing the exact same behavior with Kong and also a basic whoami. The only way the containers are externally accessible is when we add --network host to the docker run command, but that's not an option for our production use.
The server itself and firewall are configured correctly; when I shut down docker and spun up a simple webserver it was reachable at the IP address. Essentially, any bridge-type network for Docker is inaccessible to the outside world and produces time-outs on any call to a port we set it to listen for (vs immediate connection refused for random unmapped ports).
The run commands we're using:
docker run -d -p 80:80 containous/whoami
docker run -d --name kongtest \
-p 0.0.0.0:80:8000 -p 0.0.0.0:443:8443 \
kong/kong-gateway:3.0.0.0-alpine
Output from docker ps:
88a4bf28bbcd kong/kong-gateway:3.0.0.0-alpine "/docker-entrypoint.…" 5 seconds ago Up 5 seconds (health: starting) 8001-8004/tcp, 8444-8447/tcp, 0.0.0.0:80->8000/tcp, 0.0.0.0:443->8443/tcp kongtest
netstat -lntup using default or custom Docker bridge network:
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 384272/sshd: /usr/s
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 640858/docker-proxy
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN 384297/systemd-reso
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 640845/docker-proxy
tcp6 0 0 :::22 :::* LISTEN 384272/sshd: /usr/s
udp 0 0 127.0.0.53:53 0.0.0.0:* 384297/systemd-reso
udp 0 0 140.82.10.213:68 0.0.0.0:* 384291/systemd-netw
netstat -lntup using --network=host:
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 384272/sshd: /usr/s
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN 384297/systemd-reso
tcp6 0 0 :::22 :::* LISTEN 384272/sshd: /usr/s
tcp6 0 0 :::80 :::* LISTEN 708481/whoami
udp 0 0 127.0.0.53:53 0.0.0.0:* 384297/systemd-reso
udp 0 0 140.82.10.213:68 0.0.0.0:* 384291/systemd-netw
I ran netstat -tulpn | grep listen and got the following results:
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 14901/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1011/exim4
tcp 0 0 127.0.0.1:5000 0.0.0.0:* LISTEN 826/ang
tcp6 0 0 :::80 :::* LISTEN 655/apache2
tcp6 0 0 :::22 :::* LISTEN 14901/sshd
tcp6 0 0 ::1:25 :::* LISTEN 1011/exim4
tcp6 0 0 :::443 :::* LISTEN 655/apache2
How can you close a port?
Does this configuration have any security issue?
The 1st part of the question - How to close the port?
You can stop the service listed in the last column, or kill it. Stopping the service makes sure it won't start again on its own. Killing the service means some other process like upstart might start it up again.
The 2nd part of the question - Does this have a security issue?
I would say yes, unless you have some firewall and access control mechanism in place. The reason is that the ssh service is listening for connections from any source. Ideally, you would restrict this on the firewall (or in the ssh config) and only allow known sources to connect. If you want to go one step further, make ssh listen on another port than the default port (22) so that you can avoid being seen by the most basic/common scanners. I only mention ssh as an example. You will need to review this periodically for any more software/services you deploy on that machine.
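A small audit script for the kind of netstat -lntup / netstat -tulpn output quoted in the two questions above, added here as an example; it is not code from any of the posts. It parses the numeric listener table, classifies each socket by its bind address (loopback only, one specific interface, or all interfaces) and flags docker-proxy listeners, which is the check behind "is this reachable from outside?". The sample input is constructed from the lines quoted above. It assumes numeric output (-n), so resolved names such as localhost:ipp or a container-ID hostname in the address column are not handled.

```python
"""Audit of numeric netstat listener output (netstat -lntup / -tulpn).

Added example, not code from any post above. It parses the listener table,
classifies each socket by the address it is bound to, and flags the ones a
remote host could reach. SAMPLE is constructed from lines quoted above.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: a mix of the host listeners shown in the thread.
SAMPLE = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      384272/sshd: /usr/s
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      640858/docker-proxy
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      384297/systemd-reso
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1011/exim4
tcp6       0      0 :::443                  :::*                    LISTEN      655/apache2
tcp6       0      0 ::1:25                  :::*                    LISTEN      1011/exim4
udp        0      0 127.0.0.53:53           0.0.0.0:*                           384297/systemd-reso
udp        0      0 140.82.10.213:68        0.0.0.0:*                           384291/systemd-netw
"""


@dataclass(frozen=True)
class Listener:
    proto: str            # tcp, tcp6, udp, udp6
    host: str             # bind address exactly as netstat -n prints it
    port: int
    state: str            # LISTEN for tcp; netstat prints nothing for udp
    pid: Optional[int]    # None when netstat ran unprivileged and printed "-"
    program: str


_LOOPBACK_V4 = re.compile(r"^127\.")


def scope(host: str) -> str:
    """Who can reach a socket bound to `host`: loopback, interface or any."""
    if host in ("0.0.0.0", "::"):
        # Every interface. On Linux "::" also accepts IPv4 unless
        # net.ipv6.bindv6only=1 or the program set IPV6_V6ONLY.
        return "any"
    if host == "::1" or _LOOPBACK_V4.match(host):
        return "loopback"       # local processes only
    return "interface"          # one address, e.g. a container's own IP


def _split_program(field: str) -> tuple[Optional[int], str]:
    """'640858/docker-proxy' -> (640858, 'docker-proxy'); '-' -> (None, '-')."""
    if field == "-":
        return None, "-"
    pid, _, name = field.partition("/")
    return int(pid), name


def parse_netstat(text: str) -> list[Listener]:
    """Parse the data rows; banner and header lines are skipped."""
    rows = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 5 or not tokens[0].startswith(("tcp", "udp")):
            continue
        host, _, port = tokens[3].rpartition(":")      # ':::443' -> ('::', '443')
        # The State column is absent for udp rows, so the program field shifts
        # left; a state is the only all-caps token in that position.
        has_state = len(tokens) > 5 and tokens[5].isupper()
        state = tokens[5] if has_state else ""
        rest = tokens[6:] if has_state else tokens[5:]
        pid, program = _split_program(" ".join(rest)) if rest else (None, "-")
        rows.append(Listener(tokens[0], host, int(port), state, pid, program))
    return rows


def remote_reachable(text: str) -> list[Listener]:
    """Listeners a remote host could connect to (everything not loopback-only)."""
    return [l for l in parse_netstat(text) if scope(l.host) != "loopback"]


def audit(text: str) -> list[str]:
    """One finding per remotely reachable socket, with a note for docker-proxy."""
    findings = []
    for l in remote_reachable(text):
        note = ""
        if l.program == "docker-proxy":
            # docker-proxy only serves the loopback/hairpin path; external
            # traffic to the published port is DNATed by Docker's own iptables
            # rules and traverses FORWARD, so host INPUT rules never see it.
            note = " [published container port: external traffic bypasses INPUT via Docker's DNAT rules]"
        findings.append(f"{l.proto} {l.host}:{l.port} ({scope(l.host)}) pid={l.pid} {l.program}{note}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Feed it `sudo netstat -lntup` output instead of SAMPLE to get the same report for a real host; the sudo matters, because an unprivileged run prints "-" in the program column and the script then cannot tell you which process to stop. The docker-proxy note is the practical caveat for the firewall advice above: a host-level rule on INPUT does not filter traffic that Docker has already DNATed to a container.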
I just installed a check_mk server. I've done this on other missions, but this is the first time it has failed after creating a site. I checked with netstat and I have this:
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:5000 0.0.0.0:* LISTEN 14925/httpd
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 1/systemd
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 962/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1318/master
tcp6 0 0 :::111 :::* LISTEN 1/systemd
tcp6 0 0 :::22 :::* LISTEN 962/sshd
tcp6 0 0 ::1:25 :::* LISTEN 1318/master
telnet on port 80 hangs, ping works. If you have experienced this, suggestions are welcome.
Regards,
Hassane
Never mind, I found the solution. In my case it was the local firewall which was blocking. Disabling it made everything work.
Regards,
Hassane
I had trouble connecting to my hbase docker via hbase shell from my local machine so I went into the container and did netstat -atp tcp | grep -i "listen"
tcp 0 0 03de42531368:16000 :::* LISTEN 184/java
tcp 0 0 :::9090 :::* LISTEN 507/java
tcp 0 0 :::2181 :::* LISTEN 12/java
tcp 0 0 :::9095 :::* LISTEN 507/java
tcp 0 0 03de42531368:16201 :::* LISTEN 276/java
tcp 0 0 :::16010 :::* LISTEN 184/java
tcp 0 0 :::16301 :::* LISTEN 276/java
tcp 0 0 :::http-alt :::* LISTEN 373/java
tcp 0 0 :::8085 :::* LISTEN 373/java
I saw my container in the response. Then I updated /etc/hosts with 03de42531368 pointing to 127.0.0.1. Afterwards, I was able to connect to my hbase docker.
That fixed the issue; however, I had no idea why I saw my container ID in the netstat response and had to add 03de42531368 to /etc/hosts.
Can anyone explain?
I expose docker ports of my containers to the host machine with something like
docker run -p 80:80 ...
then I try to display all listening ports for debugging purposes with netstat e.g.:
netstat -at
Strange thing is that netstat won't display my docker containers with exposed ports, although they are listening and reply to the browser.
How do I make netstat display those exposed ports?
UPDATE:
I'm running this on Debian 8 Jessie. Here's what I do:
docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
9dfa08bab50d workflows-nginx "/bin/sh -c '/usr/sbi" 2 hours ago Up 2 hours 0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp workflows-nginx
d0b0c3f90f13 workflows-django "/bin/sh -c 'python /" 7 hours ago Up 3 hours 0.0.0.0:8000->8000/tcp workflows-django
99a857c92533 workflows-db "/docker-entrypoint.s" 7 hours ago Up 3 hours 5432/tcp workflows-db
Here docker reports that container ports are forwarded to the host. Moreover, if I stop the workflows-nginx container, it stops answering the browser over http (port 80). If I start it again, it starts responding again.
Here is the output of sudo netstat -at | less:
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 *:ssh *:* LISTEN
tcp 0 0 localhost:ipp *:* LISTEN
tcp 0 0 *:15672 *:* LISTEN
tcp 0 0 *:postgresql *:* LISTEN
tcp 0 0 localhost:smtp *:* LISTEN
tcp 0 0 *:25672 *:* LISTEN
tcp 0 0 *:48142 *:* LISTEN
tcp 0 0 *:sunrpc *:* LISTEN
tcp 0 0 *:epmd *:* LISTEN
tcp 0 0 bob-acer:34866 104.16.33.249:http ESTABLISHED
tcp 0 0 bob-acer:42380 stackoverflow.com:https ESTABLISHED
tcp 0 0 bob-acer:42543 stackoverflow.com:https ESTABLISHED
tcp 0 0 bob-acer:42525 stackoverflow.com:https ESTABLISHED
tcp 0 0 bob-acer:44076 stackoverflow.com:https ESTABLISHED
tcp 0 0 bob-acer:42944 stackoverflow.com:https ESTABLISHED
tcp 0 0 localhost:epmd localhost:50831 ESTABLISHED
tcp 0 0 bob-acer:42655 stackoverflow.com:https ESTABLISHED
tcp 0 0 bob-acer:42384 stackoverflow.com:https ESTABLISHED
tcp 0 0 bob-acer:44626 stackoverflow.com:https ESTABLISHED
tcp 0 0 bob-acer:42390 stackoverflow.com:https ESTABLISHED
tcp 0 0 localhost:50831 localhost:epmd ESTABLISHED
tcp 0 0 bob-acer:48301 c2.52.c0ad.ip4.st:https ESTABLISHED
tcp 0 0 bob-acer:42151 stackoverflow.com:https ESTABLISHED
tcp 0 0 bob-acer:42205 stackoverflow.com:https ESTABLISHED
tcp 0 0 bob-acer:42539 stackoverflow.com:https ESTABLISHED
tcp 0 0 bob-acer:44737 stackoverflow.com:https ESTABLISHED
tcp 0 0 bob-acer:39648 77.94.164.251:https ESTABLISHED
tcp6 0 0 [::]:ssh [::]:* LISTEN
tcp6 0 0 localhost:ipp [::]:* LISTEN
tcp6 0 0 [::]:postgresql [::]:* LISTEN
tcp6 0 0 localhost:smtp [::]:* LISTEN
tcp6 0 0 [::]:44794 [::]:* LISTEN
tcp6 0 0 [::]:8000 [::]:* LISTEN
tcp6 0 0 [::]:amqp [::]:* LISTEN
tcp6 0 0 [::]:sunrpc [::]:* LISTEN
tcp6 1 0 localhost:58497 localhost:ipp CLOSE_WAIT
As you can see, neither port 80 nor port 443 is reported. Port 8000 of workflows-django is for some reason opened on the IPv6 interface. Moreover, I forgot to disable postgres on the host machine and still it doesn't clash with the postgres container workflows-db.
Everything is running on my local notebook, so I guess there can't be any confusion with the host.
My docker version is:
docker --version
Docker version 1.10.3, build 20f81dd
ANSWER: This is related to the docker EXPOSE parameter. If you write this line in your Dockerfile and run the container with -p, the port will be visible in netstat. If you use -p but don't write EXPOSE, your port won't be listed by netstat.
It's never too late to answer a question.
Using netstat -tln, not netstat -at.
It's very simple to answer if you use the --numeric option for netstat. With this option, netstat prints addresses as numbers instead of meaningful strings. Then you can grep them as you mentioned. The following shows how it works.
[root@A01-R26-I52-155-3002023 ~]# netstat -tl
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 localhost.localdom:smux 0.0.0.0:* LISTEN
tcp 0 0 localhost.localdo:18121 0.0.0.0:* LISTEN
tcp 0 0 localhost.localdo:18122 0.0.0.0:* LISTEN
tcp 0 0 localhost.localdo:18123 0.0.0.0:* LISTEN
tcp 0 0 localhost.localdo:18124 0.0.0.0:* LISTEN
tcp 0 0 localhost.localdo:18125 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:sunrpc 0.0.0.0:* LISTEN
tcp 0 0 localhost.localdo:18928 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:20080 0.0.0.0:* LISTEN
tcp 0 0 A01-R26-:univ-appserver 0.0.0.0:* LISTEN
tcp 0 0 A01-R26-:univ-appserver 0.0.0.0:* LISTEN
tcp 0 0 localhost.:search-agent 0.0.0.0:* LISTEN
tcp 0 0 localhost:mosaicsyssvc1 0.0.0.0:* LISTEN
tcp 0 0 A01-R26-I52-155-300:ssh 0.0.0.0:* LISTEN
tcp6 0 0 [::]:37611 [::]:* LISTEN
tcp6 0 0 [::]:sunrpc [::]:* LISTEN
tcp6 0 0 [::]:microsan [::]:* LISTEN
tcp6 0 0 [::]:commtact-http [::]:* LISTEN
[root@A01-R26-I52-155-3002023 ~]# netstat -tln
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 127.0.0.1:199 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:18121 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:18122 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:18123 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:18124 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:18125 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:18928 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:20080 0.0.0.0:* LISTEN
tcp 0 0 10.217.52.155:1233 0.0.0.0:* LISTEN
tcp 0 0 10.218.52.155:1233 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:1234 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:1235 0.0.0.0:* LISTEN
tcp 0 0 10.217.52.155:22 0.0.0.0:* LISTEN
tcp6 0 0 :::37611 :::* LISTEN
tcp6 0 0 :::111 :::* LISTEN
tcp6 0 0 :::20001 :::* LISTEN
tcp6 0 0 :::20002 :::* LISTEN
netstat should display the exposed ports. Here is an example
anovil@anovil-Latitude-E6440:docker$ sudo netstat -at|grep 3030
anovil@anovil-Latitude-E6440:docker$ docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
anovil@anovil-Latitude-E6440:docker$ docker run -d -p 3030:80 httpd:2.4
4310ac5fbdbc7314ab4d23e34099a710a3a8790dcf2c6d0a84202c1de5c9fd30
anovil@anovil-Latitude-E6440:docker$ docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
4310ac5fbdbc httpd:2.4 "httpd-foreground" 3 minutes ago Up 3 minutes 0.0.0.0:3030->80/tcp hungry_fermat
anovil@anovil-Latitude-E6440:docker$ sudo netstat -at|grep 3030
tcp6 0 0 [::]:3030 [::]:* LISTEN
anovil@anovil-Latitude-E6440:docker$ sudo netstat -tulpn|grep 3030
tcp6 0 0 :::3030 :::* LISTEN 10294/docker-proxy
anovil@anovil-Latitude-E6440:docker$
Some basic things you need to verify yourself:
Are you running netstat with elevated privileges? Some things might be missed when you are non-root
Is your docker container running on the same host as you expect? Check with docker ps
Does docker ps list the port forwarding? Like from the above, you should be able to see something like this 0.0.0.0:3030->80/tcp
Also note that, the docker-proxy is the one running on the host.
All commands above assume that you run on Linux.
This was tested with ubuntu 15.10
If you still feel you are missing the forwarding, then please post back your Operating System, docker version etc.
Thanks,
This code will show you the open ports with the PIDs inside the container:
#!/bin/sh
set -eu
container_name=some_container_name
c_pid=$(docker container inspect -f '{{.State.Pid}}' "$container_name")
# Enter only the container's network namespace and run netstat there (needs root on the host).
nsenter -t "$c_pid" -n netstat -anp
They are listed, just not in the way you might expect. If you're looking for an IPv4 listen port you won't see it (unless, I believe, you're using both the EXPOSE and publish (-p) mechanisms in tandem), but what you will see is a docker proxy on IPv6, e.g. for a MySQL container:
netstat -tlpn4
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp6 0 0 :::3306 :::* LISTEN 9608/docker-proxy
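The tcp6-only docker-proxy row in the answers above is a property of Linux dual-stack sockets rather than of Docker, and the following added example (not code from any of the answers) reproduces it with plain sockets: an AF_INET6 listener bound to the wildcard `::` with IPV6_V6ONLY=0 (the Linux default, sysctl net.ipv6.bindv6only=0) accepts IPv4 clients too, so there is no separate 0.0.0.0 row for netstat to show, while the same listener with IPV6_V6ONLY=1 refuses an IPv4 connect. It assumes a Linux host, uses an ephemeral port, and needs no Docker.

```python
"""Why `docker run -p 3030:80` shows up only as `tcp6 :::3030` in netstat.

Added example, not code from any answer above. docker-proxy binds an
AF_INET6 socket to the wildcard `::`; on Linux such a socket also accepts
IPv4 clients unless IPV6_V6ONLY is set (sysctl net.ipv6.bindv6only, default
0), so netstat has no separate 0.0.0.0 row to print. The probe below
reproduces that with plain sockets on an ephemeral port and contrasts it
with the strict IPV6_V6ONLY=1 setting, where the IPv4 connect is refused.
"""
from __future__ import annotations

import socket
import threading
from typing import Optional


def _accept_one(srv: socket.socket) -> None:
    # Accept at most one client, then return; a timeout just means nobody came.
    try:
        conn, _ = srv.accept()
        conn.close()
    except OSError:
        pass


def ipv4_client_can_connect(v6only: bool) -> Optional[bool]:
    """Listen on [::]:<ephemeral> with the given IPV6_V6ONLY and connect over IPv4.

    True/False is the connect result; None means this host cannot create or
    bind an AF_INET6 socket at all (then Docker would not print tcp6 rows either).
    """
    try:
        srv = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
    except OSError:
        return None
    with srv:
        srv.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 1 if v6only else 0)
        try:
            srv.bind(("::", 0))           # same wildcard bind docker-proxy uses
        except OSError:
            return None
        srv.listen(1)
        port = srv.getsockname()[1]
        srv.settimeout(1.0)               # bounds accept() when no client arrives
        worker = threading.Thread(target=_accept_one, args=(srv,), daemon=True)
        worker.start()
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as cli:
            cli.settimeout(1.0)
            try:
                cli.connect(("127.0.0.1", port))   # plain IPv4, like curl http://127.0.0.1:3030
                ok = True
            except OSError:                        # ECONNREFUSED: nothing listens on IPv4
                ok = False
        worker.join(timeout=2.0)
    return ok


if __name__ == "__main__":
    print("dual-stack [::] listener, IPv4 client connects:", ipv4_client_can_connect(v6only=False))
    print("IPV6_V6ONLY=1 listener, IPv4 client connects:", ipv4_client_can_connect(v6only=True))
```

While the first probe is running, `netstat -tln` shows exactly one row for it, `tcp6 :::<port>`, just like the docker-proxy rows above, even though an IPv4 client is being served. If both lines print None, the host has no IPv6 socket support and docker-proxy would bind 0.0.0.0 instead.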