In this tutorial we will learn how to troubleshoot networking issues without changing a running container. We will launch a new container that shares the same network namespace. This approach keeps the tools required for troubleshooting out of the application container.
Launch the “broken” container
For the sake of this tutorial, let’s assume that we are troubleshooting an instance of nginx called broken:
docker container run -d --name broken nginx
Note the missing tools
Inside the container, several tools for troubleshooting networking issues are missing.
After entering the container…
docker container exec -it broken sh
… check for basic troubleshooting tools:
netstat
ip
nslookup
exit
Run a separate container for troubleshooting
When two processes share a network namespace, they see the same network interfaces, IP addresses, routes and ports, so they behave identically on a network level.
The following container uses the same network namespace as the broken instance of nginx:
docker container run -it --network container:broken alpine
We can then install the tools required for troubleshooting:
apk add --update-cache iproute2 bind-tools net-tools
Start troubleshooting
At this point, the troubleshooting can begin!
Check DNS resolution:
nslookup localhost
Check IP addresses:
ip address
Check listening ports:
netstat -tuna
Exit troubleshooting container:
exit
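One way to confirm that a troubleshooting container really sits in the same network namespace as broken, as an added example that is not part of the original tutorial. It assumes a Linux Docker host, root privileges to read /proc/<pid>/ns/net, and a troubleshooting container that is still running and was started with a name (debug is a hypothetical name); PROC_ROOT and the function names are made up for this example.

```shell
#!/bin/sh
# Added example: check whether two containers share one network namespace.
# PROC_ROOT is a hypothetical override (default /proc) so the comparison can
# also be run against a constructed directory tree.
PROC_ROOT="${PROC_ROOT:-/proc}"

# Print the host PID of a container's main process; fail if it is not running.
container_pid() {
    pid=$(docker container inspect --format '{{.State.Pid}}' "$1" 2>/dev/null) || return 1
    # A stopped container reports PID 0 and has no namespace to compare.
    [ -n "$pid" ] && [ "$pid" -gt 0 ] 2>/dev/null || return 1
    printf '%s\n' "$pid"
}

# Print the namespace identifier of a container, e.g. net:[4026532281].
container_netns() {
    pid=$(container_pid "$1") || return 1
    readlink "$PROC_ROOT/$pid/ns/net"
}

# Return 0 if both containers share a network namespace, 1 if they do not,
# and 2 if either namespace could not be read.
same_netns() {
    a=$(container_netns "$1") || { echo "cannot read netns of $1" >&2; return 2; }
    b=$(container_netns "$2") || { echo "cannot read netns of $2" >&2; return 2; }
    [ "$a" = "$b" ]
}

# Usage: sh netns-check.sh broken debug
if [ "$#" -eq 2 ]; then
    same_netns "$1" "$2"
    case $? in
        0) echo "$1 and $2 share a network namespace" ;;
        1) echo "$1 and $2 use different network namespaces" >&2; exit 1 ;;
        *) exit 2 ;;
    esac
fi
```

A result of 1 means the troubleshooting container was started without --network container:broken, so anything observed in it describes its own network stack and not the one nginx uses.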
Speed up the tool installation
Docker Captain Lukas Lach has published a special registry called cmd.cat which installs tools based on the name of the image. With the following command, we can launch a container including all of the above tools:
docker container run -it cmd.cat/netstat/ip/nslookup sh
Please repeat the above test to check that the commands are working.
Quiz
Which tools are used for troubleshooting networking issues? Select only one option.
- ( ) df
- (x) netstat
- ( ) free
- ( ) uptime
Which namespace must be shared for troubleshooting networking issues? Select only one option.
- ( ) mount namespace
- ( ) uts
- (x) network
- ( ) pid