In this tutorial we will learn how to troubleshoot networking issues without changing a running container. We will launch a new container that shares the network namespace of the running one. This approach keeps containers free of the tools required for troubleshooting.

Launch the “broken” container

For the sake of this tutorial, let’s assume that we are troubleshooting an instance of nginx called broken:

docker container run -d --name broken nginx

Note the missing tools

Inside the container, several tools for troubleshooting networking issues are missing.

After entering the container…

docker container exec -it broken sh

… check for basic troubleshooting tools:

netstat
ip
nslookup
exit

Run separate container for troubleshooting

When two processes share a network namespace, they see the same network interfaces, IP addresses, routing table and listening ports, so they behave identically on a network level.

The following container uses the same network namespace as the broken instance of nginx:

docker container run -it --network container:broken alpine

We can then install the tools required for troubleshooting:

apk add --update-cache iproute2 bind-tools net-tools
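
To confirm from the Docker host that the troubleshooting container really sits in the same network namespace as broken, the namespace links under /proc can be compared. The script below is an added example, not part of the original tutorial; the file name netns-check.sh and the function names are hypothetical, and it assumes a Linux Docker host, root privileges, and that it is run from a second terminal while both containers are up.

```shell
#!/bin/sh
# Added example (not from the original tutorial). Assumes a Linux Docker host
# and root privileges, which are needed to read /proc/<pid>/ns of container PIDs.

# Print the network-namespace identifier of a process, e.g. "net:[4026531840]".
netns_id() {
    readlink "/proc/$1/ns/net" 2>/dev/null
}

# Return 0 if both PIDs share a network namespace, 1 if not, 2 if unreadable.
same_netns() {
    a=$(netns_id "$1") || return 2
    b=$(netns_id "$2") || return 2
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Resolve a container name or ID to the host PID of its main process.
container_pid() {
    docker inspect --format '{{.State.Pid}}' "$1"
}

# Compare two containers and print a verdict.
compare_containers() {
    p1=$(container_pid "$1") || return 2
    p2=$(container_pid "$2") || return 2
    rc=0
    same_netns "$p1" "$p2" || rc=$?
    case $rc in
        0) echo "$1 and $2 share $(netns_id "$p1")" ;;
        1) echo "$1 and $2 are in different network namespaces" ;;
        *) echo "cannot read namespaces (container stopped, or not root?)" >&2 ;;
    esac
    return "$rc"
}

# Usage: sh netns-check.sh broken <debug-container-name-or-id>
if [ "$#" -eq 2 ]; then
    compare_containers "$1" "$2"
fi
```

A container started without --network container:broken gets its own namespace, so the script reports a different identifier for it.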

Start troubleshooting

At this point, the troubleshooting can begin!

Check DNS resolution:

nslookup localhost

Check IP addresses:

ip address

Check listening ports:

netstat -tuna

Exit troubleshooting container:

exit

Speed up the tool installation

Docker Captain Lukas Lach has published a special registry called cmd.cat which installs tools based on the name of the image. With the following command, we can launch a container including all of the above tools:

docker container run -it cmd.cat/netstat/ip/nslookup sh

Please repeat the above test to check that the commands are working.

Quiz

Which tools are used for troubleshooting networking issues? Select only one option

  • ( ) df
  • (x) netstat
  • ( ) free
  • ( ) uptime

Which namespace must be shared for troubleshooting networking issues? Select only one option

  • ( ) mount namespace
  • ( ) uts
  • (x) network
  • ( ) pid