In this tutorial we will learn how to troubleshoot networking issues without changing a running container. We will launch a new container sharing the same network namespace. This approach keeps containers clean from tools required for troubleshooting.
Launch the “broken” container
For the sake of this tutorial, let’s assume that we are troubleshooting an instance of nginx called
docker container run -d --name broken nginx
Note the missing tools
Inside the container, several tools for troubleshooting networking issues are missing.
After entering the container…
docker container exec -it broken sh
… check for basic troubleshooting tools:
netstat ip nslookup exit
Run separate container for troubleshooting
When two processes share a network namespace, they will behave identically on a network level.
The following container uses the same network namespace as the broken instance of nginx:
docker container run -it --network container:broken alpine
We can then install the tools required for troubleshooting:
apk add --update-cache iproute2 bind-tools net-tools
At this point, the troubleshooting can begin!
Check DNS resolution:
Check IP addresses:
Check listen ports:
Exit troubleshooting container:
Speed up the tool installation
Docker Captain Lukas Lach has published a special registry called
cmd.cat which installs tools based on the name of the image. With the following command, we can launch a container including all of the above tools:
docker container run -it cmd.cat/netstat/ip/nslookup sh
Please repeat the above test to check that the commands are working.
Which tools are used for troubleshooting networking issues? Select only one option
- ( ) df
- (x) netstat
- ( ) free
- ( ) uptime
Which namespace must be shared for troubleshooting networking issues? Select only one option
- ( ) mount namespace
- ( ) uts
- (x) network
- ( ) pid