Troubleshooting Docker container networking issues

Johan Book
2 min read · Feb 22, 2022

Every now and then a Docker container cannot reach another one. These are the steps and tools I use for debugging it.

First we need to confirm that the containers are on the same network. Assuming we know which network they should communicate on, I use docker network inspect <network> to inspect it. Check the Containers field and make sure both containers are present. If you are unsure which network they are running on, use docker container inspect <container> to figure it out.

Then I’ll exec into the container using docker exec -it --user root <container> sh. The next step is to install some tools for debugging. To determine which package manager to use, check which distro is running with cat /etc/os-release.

Depending on the task, I’ll use some of these tools:

  • nslookup to verify that DNS lookups are done correctly. Check this article for how to install it on different distros. Run nslookup my-service to see if the name my-service can be resolved.
  • nmap is a network mapper, excellent for finding what ports and protocols a container exposes. A simple scan can be performed with nmap my-service. See my article on scanning with nmap for more in-depth info.
  • curl to interact with the service.
  • tcpflow for monitoring traffic going in and out of the container. I usually run it with -gC for a colorful, compact format. It will listen on the default interface (typically eth0). If I am only interested in HTTP access logs, I use httpry instead.
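
The first check above (are both containers on the same network?) can be scripted. The following is an added example, not code from the original post: it compares the NetworkSettings.Networks section of docker container inspect output for two containers and also reports when the only shared network is Docker's default bridge, where containers can reach each other by IP but nslookup my-service will not resolve. The container names, network names and IP addresses in the sample data are constructed.

```python
import json
import subprocess

PREDEFINED = {"bridge", "host", "none"}  # Docker's built-in networks

def networks_of(inspect_json):
    """Map network name -> container IP from `docker container inspect` JSON."""
    info = json.loads(inspect_json)[0]
    nets = info["NetworkSettings"]["Networks"] or {}
    return {name: cfg.get("IPAddress", "") for name, cfg in nets.items()}

def diagnose(inspect_a, inspect_b):
    """Return the networks two containers share and what that implies."""
    a, b = networks_of(inspect_a), networks_of(inspect_b)
    common = set(a) & set(b)
    user_defined = sorted(common - PREDEFINED)
    if user_defined:
        # User-defined networks resolve container names via Docker's DNS.
        verdict, names = "user-defined", user_defined
    elif "bridge" in common:
        # Default bridge: reachable by IP, but names are not resolved.
        verdict, names = "default-bridge", ["bridge"]
    else:
        verdict, names = "none", []
    return {"verdict": verdict, "shared": {n: (a[n], b[n]) for n in names}}

def inspect_live(container):
    """Fetch inspect JSON from a running Docker daemon (needs the docker CLI)."""
    return subprocess.run(["docker", "container", "inspect", container],
                          check=True, capture_output=True, text=True).stdout

def _sample(name, nets):
    # Constructed sample, trimmed to the fields this script reads.
    return json.dumps([{"Name": "/" + name, "NetworkSettings": {
        "Networks": {n: {"IPAddress": ip} for n, ip in nets.items()}}}])

SAMPLE_WEB = _sample("web", {"bridge": "172.17.0.2", "app_net": "172.18.0.2"})
SAMPLE_DB = _sample("db", {"app_net": "172.18.0.3"})
SAMPLE_CACHE = _sample("cache", {"bridge": "172.17.0.3"})

if __name__ == "__main__":
    for label, x, y in [("web/db", SAMPLE_WEB, SAMPLE_DB),
                        ("web/cache", SAMPLE_WEB, SAMPLE_CACHE),
                        ("db/cache", SAMPLE_DB, SAMPLE_CACHE)]:
        print(label, diagnose(x, y))
```

Against real containers, pass inspect_live("<container>") for each side instead of the samples.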

That should be a good start in finding where the problem is. Good luck!
