72

We have lots of containers started using Rancher with each container exposing multiple ports. Since we started the containers with Rancher, no port is exposed to the host by default.

```
$ docker container ls
```

shows no exposed ports for containers started by Rancher. The Rancher CLI `rancher` is not installed.

How to list ports which are exposed within the rancher network? Is this possible using the docker command? Or do I need rancher?

WeSee
  • 3,158
  • 2
  • 30
  • 58
  • 2
    If Rancher uses some kind of **overlay network**, packets are encapsulated in some upper-layer protocol (for example, UDP). It's not possible to inspect container ports without tools provided by Rancher, because packets are transferred over a tunnel. – Yuankun Apr 13 '18 at 16:39
  • 1
    `docker inspect` has all the information I am looking for. How to extract the ports on the command line? Maybe via `awk`? – WeSee Apr 13 '18 at 16:41
  • 2
    Check out `docker inspect --format ...`. Link: https://docs.docker.com/engine/reference/commandline/inspect/#list-all-port-bindings – Yuankun Apr 13 '18 at 16:42
  • 1
    Thanx, good hint. I tried: `docker ps | awk '{print $1;}' | xargs docker inspect --format='{{.Config.Image}} {{range $p, $conf := .NetworkSettings.Ports}} {{$p}} -> {{(index $conf 0).HostPort}} {{end}}'` but you were right, no ports are exposed there :-( – WeSee Apr 13 '18 at 16:49
  • Also check out Rancher's networking docs: https://rancher.com/docs/rancher/latest/en/rancher-services/networking/ – Yuankun Apr 13 '18 at 16:52

3 Answers

115

To show ports on one host, you can try:

```
docker container ls --format "table {{.ID}}\t{{.Names}}\t{{.Ports}}" -a
```

You can find more examples here: docker-container-ls by manpages.ubuntu.com

Sergey
  • 1,266
  • 1
  • 8
  • 4
  • 7
    That seemed so promising, and maybe even answers the OP's question, but I want to see the HOST ports, and these are just the ports the container exposes. – Auspex Oct 12 '21 at 10:55
6

Rancher doesn't use the Docker paradigm for exposing ports, hence the information is not available using any of the docker commands.

The ports are exposed on the host using custom iptables rules.

```
iptables-save | grep "\-A CATTLE_HOSTPORTS_POSTROUTING"
```

Though not pretty, the above command gives you a list of all rules related to exposed ports.

leodotcloud
  • 1,830
  • 14
  • 15
6

You can use the following command to see Rancher's exposed ports so that it will show you the port number highlighted. However, it will not demonstrate to you which container exactly exposed which of the ports. Anyway, you will be able to deduce it by the name, using the "comments" section like "ingress-nginx/default-http-backend cluster IP":

```
iptables-save | grep -P "(--to-destination|--.port)" | grep -v "DROP" | grep -P ":\d+|--dport \d+"
```

With the above command, you will see the output like the following:

```
-A KUBE-SEP-2ICPNCS4ZCJFOURG -p tcp -m comment --comment "ingress-nginx/default-http-backend" -m tcp -j DNAT --to-destination 10.42.1.3:8080
-A KUBE-SEP-7KPAUC7DBZEOGEJO -p tcp -m comment --comment "kube-system/kube-dns:dns-tcp" -m tcp -j DNAT --to-destination 10.42.0.6:53
-A KUBE-SEP-F4W6KYXNUTEPM6IK -p tcp -m comment --comment "kube-system/kube-dns:metrics" -m tcp -j DNAT --to-destination 10.42.1.2:9153
-A KUBE-SEP-J7ZDRJF2PSY5XJQS -p tcp -m comment --comment "kube-system/metrics-server:https" -m tcp -j DNAT --to-destination 10.42.0.5:4443
-A KUBE-SEP-KAJYD2TZYV7IYC6H -p udp -m comment --comment "kube-system/kube-dns:dns" -m udp -j DNAT --to-destination 10.42.1.2:53
-A KUBE-SEP-LJF33VEROEJBDKWI -p tcp -m comment --comment "kube-system/kube-dns:dns-tcp" -m tcp -j DNAT --to-destination 10.42.1.2:53
-A KUBE-SEP-PK2JJP3XEEJW3OPW -p tcp -m comment --comment "kube-system/kube-dns:metrics" -m tcp -j DNAT --to-destination 10.42.0.6:9153
-A KUBE-SEP-QMNQ4GQ2JI3QXI4N -p udp -m comment --comment "kube-system/kube-dns:dns" -m udp -j DNAT --to-destination 10.42.0.6:53
-A KUBE-SEP-U5JKF7K4YNNYXQDU -p tcp -m comment --comment "default/kubernetes:https" -m tcp -j DNAT --to-destination 138.201.139.162:6443
-A KUBE-SERVICES ! -s 10.42.0.0/16 -d 10.43.0.1/32 -p tcp -m comment --comment "default/kubernetes:https cluster IP" -m tcp --dport 443 -j KUBE-MARK-MASQ
-A KUBE-SERVICES -d 10.43.0.1/32 -p tcp -m comment --comment "default/kubernetes:https cluster IP" -m tcp --dport 443 -j KUBE-SVC-NPX46M4PTMTKRN6Y
-A KUBE-SERVICES ! -s 10.42.0.0/16 -d 10.43.0.10/32 -p tcp -m comment --comment "kube-system/kube-dns:metrics cluster IP" -m tcp --dport 9153 -j KUBE-MARK-MASQ
-A KUBE-SERVICES -d 10.43.0.10/32 -p tcp -m comment --comment "kube-system/kube-dns:metrics cluster IP" -m tcp --dport 9153 -j KUBE-SVC-JD5MR3NA4I4DYORP
-A KUBE-SERVICES ! -s 10.42.0.0/16 -d 10.43.0.10/32 -p udp -m comment --comment "kube-system/kube-dns:dns cluster IP" -m udp --dport 53 -j KUBE-MARK-MASQ
-A KUBE-SERVICES -d 10.43.0.10/32 -p udp -m comment --comment "kube-system/kube-dns:dns cluster IP" -m udp --dport 53 -j KUBE-SVC-TCOU7JCQXEZGVUNU
-A KUBE-SERVICES ! -s 10.42.0.0/16 -d 10.43.0.10/32 -p tcp -m comment --comment "kube-system/kube-dns:dns-tcp cluster IP" -m tcp --dport 53 -j KUBE-MARK-MASQ
-A KUBE-SERVICES -d 10.43.0.10/32 -p tcp -m comment --comment "kube-system/kube-dns:dns-tcp cluster IP" -m tcp --dport 53 -j KUBE-SVC-ERIFXISQEP7F7OF4
-A KUBE-SERVICES ! -s 10.42.0.0/16 -d 10.43.203.205/32 -p tcp -m comment --comment "kube-system/metrics-server:https cluster IP" -m tcp --dport 443 -j KUBE-MARK-MASQ
-A KUBE-SERVICES -d 10.43.203.205/32 -p tcp -m comment --comment "kube-system/metrics-server:https cluster IP" -m tcp --dport 443 -j KUBE-SVC-Z4ANX4WAEWEBLCTM
-A KUBE-SERVICES ! -s 10.42.0.0/16 -d 10.43.158.90/32 -p tcp -m comment --comment "ingress-nginx/default-http-backend cluster IP" -m tcp --dport 80 -j KUBE-MARK-MASQ
-A KUBE-SERVICES -d 10.43.158.90/32 -p tcp -m comment --comment "ingress-nginx/default-http-backend cluster IP" -m tcp --dport 80 -j KUBE-SVC-JTFAIQOSQRKTQWS3
```

Therefore, you will see that multiple containers handle ports 80 and 443. You will not see the container names, but you will see their IP addresses, so you will be able to run docker inspect and find matches. To see precisely who listens on certain ports, e.g. 80 and 443, append one more grep to the command:

```
iptables-save | grep -P "(--to-destination|--.port)" | grep -v "DROP" | grep -P ":\d+|--dport \d+"|grep -P "\b(443|80)\b"
```

Therefore, you will see:

```
-A KUBE-SERVICES ! -s 10.42.0.0/16 -d 10.43.203.205/32 -p tcp -m comment --comment "kube-system/metrics-server:https cluster IP" -m tcp --dport 443 -j KUBE-MARK-MASQ
-A KUBE-SERVICES -d 10.43.203.205/32 -p tcp -m comment --comment "kube-system/metrics-server:https cluster IP" -m tcp --dport 443 -j KUBE-SVC-Z4ANX4WAEWEBLCTM
-A KUBE-SERVICES ! -s 10.42.0.0/16 -d 10.43.158.90/32 -p tcp -m comment --comment "ingress-nginx/default-http-backend cluster IP" -m tcp --dport 80 -j KUBE-MARK-MASQ
-A KUBE-SERVICES -d 10.43.158.90/32 -p tcp -m comment --comment "ingress-nginx/default-http-backend cluster IP" -m tcp --dport 80 -j KUBE-SVC-JTFAIQOSQRKTQWS3
-A KUBE-SERVICES ! -s 10.42.0.0/16 -d 10.43.0.1/32 -p tcp -m comment --comment "default/kubernetes:https cluster IP" -m tcp --dport 443 -j KUBE-MARK-MASQ
-A KUBE-SERVICES -d 10.43.0.1/32 -p tcp -m comment --comment "default/kubernetes:https cluster IP" -m tcp --dport 443 -j KUBE-SVC-NPX46M4PTMTKRN6Y
```

Maxim Masiutin
  • 3,991
  • 4
  • 55
  • 72