Troubleshooting Docker container networking issues
Every now and then a Docker container cannot reach another one. These are the steps and tools I use for debugging it.
First we need to confirm that the containers are on the same network. Assuming we know which network they should communicate on, I use docker network inspect <network> to inspect it. Check the Containers field and make sure both are present. If you are unsure which network they are running on, use docker container inspect <container> to figure it out.
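The same check can be scripted. This is an added example, not code from the original post: it compares the NetworkSettings.Networks section of docker container inspect for two containers and reports which networks they share. The container names, IPs and aliases in the sample data are constructed, and the helper names are hypothetical. It also flags the default bridge network, where containers can reach each other by IP but not by name.

```python
import json
import subprocess
import sys

# Constructed sample data: trimmed `docker container inspect` output.
SAMPLE_WEB = [{"Name": "/web", "NetworkSettings": {"Networks": {
    "frontend": {"IPAddress": "172.20.0.2", "Aliases": ["web"]},
    "backend": {"IPAddress": "172.21.0.2", "Aliases": ["web"]}}}}]
SAMPLE_DB = [{"Name": "/db", "NetworkSettings": {"Networks": {
    "backend": {"IPAddress": "172.21.0.3", "Aliases": ["db", "my-service"]}}}}]
SAMPLE_CACHE = [{"Name": "/cache", "NetworkSettings": {"Networks": {
    "bridge": {"IPAddress": "172.17.0.2", "Aliases": None}}}}]


def inspect(container):
    """Run `docker container inspect` and return the parsed JSON list."""
    out = subprocess.run(["docker", "container", "inspect", container],
                         check=True, capture_output=True, text=True).stdout
    return json.loads(out)


def networks_of(inspected):
    """Map network name -> endpoint settings for one inspected container."""
    return inspected[0]["NetworkSettings"]["Networks"] or {}


def diagnose(a, b):
    """Return (shared network names, findings) for two inspected containers."""
    nets_a, nets_b = networks_of(a), networks_of(b)
    shared = sorted(set(nets_a) & set(nets_b))
    findings = []
    if not shared:
        findings.append("no common network: %s vs %s"
                        % (sorted(nets_a), sorted(nets_b)))
    for net in shared:
        if net == "bridge":
            # The default bridge network has no built-in name resolution.
            findings.append("bridge: reachable by IP only, names will not resolve")
            continue
        names = sorted(set(nets_b[net].get("Aliases") or []))
        findings.append("%s: %s at %s, aliases %s"
                        % (net, b[0]["Name"].lstrip("/"),
                           nets_b[net]["IPAddress"], names))
    return shared, findings


if __name__ == "__main__":
    live = len(sys.argv) == 3  # two container names given: query Docker
    a, b = map(inspect, sys.argv[1:]) if live else (SAMPLE_WEB, SAMPLE_DB)
    print("\n".join(diagnose(a, b)[1]))
```

Run it with two container names as arguments to query the local Docker daemon; without arguments it uses the constructed samples.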
Then I’ll exec into the container using docker exec -it --user root <container> sh. Next up is to install some tools for debugging. To determine which package manager we should use, we can check which distro is running using cat /etc/os-release.
Depending on the task I’ll use some of these tools:
nslookup to verify that DNS lookups are done correctly. Check this article for how to install it on different distros. Run nslookup my-service to see if the name my-service can be resolved.
nmap is a network mapper, excellent for finding what ports and protocols a container exposes. A simple scan can be performed by nmap my-service. See my article on scanning with nmap for more in-depth info.
curl to interact with the service.
tcpflow for monitoring traffic going in and out of the container. I usually run it with -gC for a colorful compact format. It will listen on the default interface (typically eth0). If I am only interested in HTTP access logs I use httpry instead.
That should be a good start in finding where the problem is. Good luck!