Docker and netstat: netstat is not showing ports,

I expose docker ports of my contaners to the host machine with something like

docker run -p 80:80 ...

then I try to display all listening ports for debugging purposes with netstat e.g.:

netstat -at

Strange thing is that netstat won't display my docker containers with exposed ports, although they are listening and reply to the browser.

How do I make netstat display those exposed ports?

UPDATE: I'm running this on Debian 8 Jessie. Here's what I do:

docker ps -a
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS                      PORTS                                      NAMES
9dfa08bab50d        workflows-nginx     "/bin/sh -c '/usr/sbi"   2 hours ago         Up 2 hours                  0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp   workflows-nginx
d0b0c3f90f13        workflows-django    "/bin/sh -c 'python /"   7 hours ago         Up 3 hours                  0.0.0.0:8000->8000/tcp                     workflows-django
99a857c92533        workflows-db        "/docker-entrypoint.s"   7 hours ago         Up 3 hours                  5432/tcp                                   workflows-db

Here docker reports that container ports are forwarded to the host. Moreover, if I stop workflows-nginx container, it stops answering to the browser by http (port 80). If I start it again, it starts responding again.

Here is the output of sudo netstat -at | less:

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 *:ssh                   *:*                     LISTEN     
tcp        0      0 localhost:ipp           *:*                     LISTEN     
tcp        0      0 *:15672                 *:*                     LISTEN     
tcp        0      0 *:postgresql            *:*                     LISTEN     
tcp        0      0 localhost:smtp          *:*                     LISTEN     
tcp        0      0 *:25672                 *:*                     LISTEN     
tcp        0      0 *:48142                 *:*                     LISTEN     
tcp        0      0 *:sunrpc                *:*                     LISTEN     
tcp        0      0 *:epmd                  *:*                     LISTEN     
tcp        0      0 bob-acer:34866          104.16.33.249:http      ESTABLISHED
tcp        0      0 bob-acer:42380          stackoverflow.com:https ESTABLISHED
tcp        0      0 bob-acer:42543          stackoverflow.com:https ESTABLISHED
tcp        0      0 bob-acer:42525          stackoverflow.com:https ESTABLISHED
tcp        0      0 bob-acer:44076          stackoverflow.com:https ESTABLISHED
tcp        0      0 bob-acer:42944          stackoverflow.com:https ESTABLISHED
tcp        0      0 localhost:epmd          localhost:50831         ESTABLISHED
tcp        0      0 bob-acer:42655          stackoverflow.com:https ESTABLISHED
tcp        0      0 bob-acer:42384          stackoverflow.com:https ESTABLISHED
tcp        0      0 bob-acer:44626          stackoverflow.com:https ESTABLISHED
tcp        0      0 bob-acer:42390          stackoverflow.com:https ESTABLISHED
tcp        0      0 localhost:50831         localhost:epmd          ESTABLISHED
tcp        0      0 bob-acer:48301          c2.52.c0ad.ip4.st:https ESTABLISHED
tcp        0      0 bob-acer:42151          stackoverflow.com:https ESTABLISHED
tcp        0      0 bob-acer:42205          stackoverflow.com:https ESTABLISHED
tcp        0      0 bob-acer:42539          stackoverflow.com:https ESTABLISHED
tcp        0      0 bob-acer:44737          stackoverflow.com:https ESTABLISHED
tcp        0      0 bob-acer:39648          77.94.164.251:https     ESTABLISHED
tcp6       0      0 [::]:ssh                [::]:*                  LISTEN     
tcp6       0      0 localhost:ipp           [::]:*                  LISTEN     
tcp6       0      0 [::]:postgresql         [::]:*                  LISTEN     
tcp6       0      0 localhost:smtp          [::]:*                  LISTEN     
tcp6       0      0 [::]:44794              [::]:*                  LISTEN     
tcp6       0      0 [::]:8000               [::]:*                  LISTEN     
tcp6       0      0 [::]:amqp               [::]:*                  LISTEN     
tcp6       0      0 [::]:sunrpc             [::]:*                  LISTEN     
tcp6       1      0 localhost:58497         localhost:ipp           CLOSE_WAIT

As you can see, neither port 80, nor port 443 are reported. Port 8000 of workflows-django for some reason is opened on IPv6 interface. Moreover, I forgot to disable postgres on host machine and still they don't clash with postgres container workflows-db.

Everything is running on my local notebook, so I guess there can't be any confusion with the host.

My docker version is:

docker --version
Docker version 1.10.3, build 20f81dd

ANSWER: This is related to docker EXPOSE parameter. If you write this line in your dockerfile and run the container with -p, the port will be visible in netstat. If you use -p but don't write EXPOSE, your port won't be listed by netstat.

回答1:

netstat should display the exposed ports. Here is an example

anovil@anovil-Latitude-E6440:docker$ sudo netstat -at|grep 3030
anovil@anovil-Latitude-E6440:docker$ docker ps
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES
anovil@anovil-Latitude-E6440:docker$ docker run -d -p 3030:80 httpd:2.4
4310ac5fbdbc7314ab4d23e34099a710a3a8790dcf2c6d0a84202c1de5c9fd30
anovil@anovil-Latitude-E6440:docker$ docker ps
CONTAINER ID        IMAGE               COMMAND              CREATED             STATUS              PORTS                  NAMES
4310ac5fbdbc        httpd:2.4           "httpd-foreground"   3 minutes ago       Up 3 minutes        0.0.0.0:3030->80/tcp   hungry_fermat
anovil@anovil-Latitude-E6440:docker$ sudo netstat -at|grep 3030
tcp6       0      0 [::]:3030               [::]:*                  LISTEN
anovil@anovil-Latitude-E6440:docker$ sudo netstat -tulpn|grep 3030
tcp6       0      0 :::3030                 :::*                    LISTEN      10294/docker-proxy
anovil@anovil-Latitude-E6440:docker$

Some basic things you need to verify yourself:

Are you running netstat with elevated privileges? Somethings might miss out when you are non-root
Is your docker container running on the same host as you expect? Check with docker ps
Does docker ps list the port forwarding? Like from the above, you should be able to see something like this 0.0.0.0:3030->80/tcp

Also note that, the docker-proxy is the one running on the host. All commands above assumes that you run on linux. This was tested with ubuntu 15.10

If you still feel you are missing the forwarding, then please post back your Operating System, docker version etc.

Thanks,

回答2:

This code will show you the opened ports with the pids inside the container:

container_name=some_container_name
c_pid=`docker container inspect -f "{{.State.Pid}}" ${container_name}`
nsenter -t ${c_pid} -n netstat -anp