Packaging an application into a container greatly improves its portability and maintainability, but because each container has its own network namespace, running netstat or ss on the host no longer shows the container's external network connections. This post shares a shell script that runs on the host and lists the network connections of every running container.
I. The script
Run "vi checklink.sh" and save the following shell script:
#!/bin/bash
##__author__='daigjianbing'
function check_netlink {
    # Iterate over running containers as "<id> <name>" pairs. --format avoids parsing
    # the human-readable table, and avoids the original "docker ps -aqf name=..." lookup,
    # whose substring match (and -a) can return several ids and break docker exec.
    docker ps --format '{{.ID}} {{.Names}}' | while read -r container_id container_name
    do
        echo "##############start##################"
        echo "Check container:$container_name( container_id:$container_id ) now!"
        # Run the socket listing inside the container; if the image has no netstat
        # the exec fails (error goes to stderr) and we fall back to ss
        echo "# netstat -antup"
        docker exec "$container_id" netstat -antup || docker exec "$container_id" ss -antup
        echo "##############end#################"
    done
}
check_netlink
II. Test run
1. Local environment: one application container and one database container are running
# cat /etc/os-release
NAME="openEuler"
VERSION="22.03 LTS"
ID="openEuler"
VERSION_ID="22.03"
PRETTY_NAME="openEuler 22.03 LTS"
ANSI_COLOR="0;31"
# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
70cd3d673f84 phpipam/phpipam-www:1.5x "/sbin/tini -- /bin/…" 3 months ago Up 3 months 0.0.0.0:80->80/tcp ipam
c5fb20613b5d mariadb:10.5.18 "docker-entrypoint.s…" 3 months ago Up 3 months 0.0.0.0:3306->3306/tcp mysqldb
2. Running the script
Run sh checklink.sh as root; the output is as follows:
##############start##################
Check container:ipam( container_id:70cd3d673f84 ) now!
# netstat -antup
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 20/httpd
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 20/httpd
tcp 0 0 172.17.0.2:46502 192.168.17.241:3306 TIME_WAIT -
tcp 0 0 172.17.0.2:46460 192.168.17.241:3306 TIME_WAIT -
tcp 0 0 172.17.0.2:46506 192.168.17.241:3306 TIME_WAIT -
tcp 0 0 172.17.0.2:80 192.168.17.234:64623 ESTABLISHED -
tcp 0 0 172.17.0.2:46468 192.168.17.241:3306 TIME_WAIT -
tcp 0 0 172.17.0.2:46518 192.168.17.241:3306 TIME_WAIT -
tcp 0 0 172.17.0.2:46440 192.168.17.241:3306 TIME_WAIT -
tcp 0 0 172.17.0.2:46464 192.168.17.241:3306 TIME_WAIT -
tcp 0 0 172.17.0.2:46532 192.168.17.241:3306 TIME_WAIT -
tcp 0 0 172.17.0.2:46498 192.168.17.241:3306 TIME_WAIT -
tcp 0 0 172.17.0.2:46436 192.168.17.241:3306 TIME_WAIT -
tcp 0 0 172.17.0.2:46484 192.168.17.241:3306 TIME_WAIT -
tcp 0 0 172.17.0.2:46522 192.168.17.241:3306 TIME_WAIT -
tcp 0 0 172.17.0.2:46528 192.168.17.241:3306 TIME_WAIT -
tcp 0 0 172.17.0.2:46428 192.168.17.241:3306 TIME_WAIT -
tcp 0 0 172.17.0.2:46494 192.168.17.241:3306 TIME_WAIT -
tcp 0 0 172.17.0.2:46472 192.168.17.241:3306 TIME_WAIT -
tcp 0 0 172.17.0.2:46488 192.168.17.241:3306 TIME_WAIT -
tcp 0 0 172.17.0.2:46480 192.168.17.241:3306 TIME_WAIT -
tcp 0 0 172.17.0.2:46432 192.168.17.241:3306 TIME_WAIT -
tcp 0 0 172.17.0.2:46452 192.168.17.241:3306 TIME_WAIT -
tcp 0 0 172.17.0.2:46476 192.168.17.241:3306 TIME_WAIT -
tcp 0 0 172.17.0.2:46444 192.168.17.241:3306 TIME_WAIT -
tcp 0 0 172.17.0.2:80 192.168.17.234:64614 TIME_WAIT -
tcp 0 0 172.17.0.2:46514 192.168.17.241:3306 TIME_WAIT -
tcp 0 0 172.17.0.2:46456 192.168.17.241:3306 TIME_WAIT -
tcp 0 0 172.17.0.2:80 192.168.17.234:64631 TIME_WAIT -
tcp 0 0 172.17.0.2:46510 192.168.17.241:3306 TIME_WAIT -
##############end#################
##############start##################
Check container:mysqldb( container_id:c5fb20613b5d ) now!
# netstat -antup
OCI runtime exec failed: exec failed: container_linux.go:330: starting container process caused "exec: \"netstat\": executable file not found in $PATH": unknown
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp LISTEN 0 152 *:3306 *:*
tcp TIME-WAIT 0 0 [::ffff:172.17.0.3]:3306 [::ffff:172.17.0.1]:51276
tcp TIME-WAIT 0 0 [::ffff:172.17.0.3]:3306 [::ffff:172.17.0.1]:51200
tcp TIME-WAIT 0 0 [::ffff:172.17.0.3]:3306 [::ffff:172.17.0.1]:51242
##############end#################
3. Reading the output
172.17.0.2 is the application container ipam, 172.17.0.3 is the database container mysqldb, and the host's real IP is 192.168.17.241. The database container mysqldb has only internal connections: the ipam container reaches its 172.17.0.3:3306 through the host bridge address 172.17.0.1. The application container ipam has outbound connections to the database container at 192.168.17.241:3306 and inbound connections from the external client 192.168.17.234 to its port 80.
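As an added example (not code from the original post), the script below addresses two things the run above shows: the mysqldb image had no netstat, and the raw listing is dominated by TIME_WAIT noise. container_conns lists a container's sockets with the host's own ss run in the container's network namespace via nsenter, so it works whatever the image ships and never executes binaries from inside the image; normalize_conns and summarize_conns then turn either netstat or ss output into the per-container picture drawn in section 3. It assumes root, docker and util-linux nsenter on the host; the sample listings are constructed from the post's output.

```shell
#!/bin/sh
# Added example (not from the original post). container_conns lists a container's
# sockets with the host's own ss run inside the container's network namespace, so it
# works when the image has no netstat/ss and never executes binaries from the image.
# Assumes root, docker and util-linux nsenter on the host; not exercised by the samples.
container_conns() {
    pid=$(docker inspect -f '{{.State.Pid}}' "$1") || return 1
    nsenter -t "$pid" -n ss -antup
}
# Normalise `netstat -antup` and `ss -antup` lines to "proto state local peer".
# Headers, error text such as "OCI runtime exec failed" and other noise are dropped.
normalize_conns() {
    awk '$1 !~ /^(tcp|udp)/ { next }
         $2 ~ /^[0-9]+$/ { s = ($6 == "" || $6 ~ /\//) ? "-" : $6; print $1, s, $4, $5; next }
         { s = $2; gsub(/-/, "_", s); if (s == "ESTAB") s = "ESTABLISHED"; print $1, s, $5, $6 }' |
    sed 's/\[::ffff:\([0-9.]*\)]/\1/g'
}
# Classify sockets: LISTEN, inbound (local port is a listening port; peer port dropped)
# or outbound (ephemeral local port dropped). TIME_WAIT entries are ignored.
summarize_conns() {
    awk '{ n++; st[n] = $2; la[n] = $3; pa[n] = $4
           if ($2 == "LISTEN") { m = split($3, a, ":"); listen[a[m]] = 1 } }
         END {
           for (i = 1; i <= n; i++) {
             if (st[i] == "TIME_WAIT") continue
             m = split(la[i], a, ":"); lport = a[m]
             if (st[i] == "LISTEN") key = "LISTEN " la[i]
             else if (lport in listen) { sub(/:[0-9*]+$/, "", pa[i]); key = st[i] " inbound :" lport " <- " pa[i] }
             else key = st[i] " outbound " pa[i]
             count[key]++
           }
           for (k in count) print count[k], k
         }' | LC_ALL=C sort -k2
}
# Constructed samples modelled on the post's output (one ESTABLISHED DB connection added).
IPAM_NETSTAT='Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 20/httpd
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 20/httpd
tcp 0 0 172.17.0.2:46502 192.168.17.241:3306 TIME_WAIT -
tcp 0 0 172.17.0.2:46460 192.168.17.241:3306 ESTABLISHED -
tcp 0 0 172.17.0.2:80 192.168.17.234:64623 ESTABLISHED -
tcp 0 0 172.17.0.2:80 192.168.17.234:64614 ESTABLISHED -'
MYSQLDB_SS='OCI runtime exec failed: exec: "netstat": executable file not found in $PATH
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp LISTEN 0 152 *:3306 *:*
tcp ESTAB 0 0 [::ffff:172.17.0.3]:3306 [::ffff:172.17.0.1]:51300
tcp TIME-WAIT 0 0 [::ffff:172.17.0.3]:3306 [::ffff:172.17.0.1]:51276'
# Pipe a captured listing through both stages, e.g. summarize_text "$IPAM_NETSTAT"
summarize_text() { printf '%s\n' "$1" | normalize_conns | summarize_conns; }
```

On a live host, container_conns "$id" | summarize_conns gives the same summary straight from the namespace, with no dependency on the image contents.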