Docker – netcat closes established connection between docker containers

Tags: coreos, docker, netcat

I am on coreos and have started three containers.

docker run --rm -ti -p 80 --name one ubuntu /bin/bash
docker run --rm --link one:one -p $HOST_IP::80 -ti --name two ubuntu /bin/bash
docker run --rm -ti -p 80 --name three ubuntu /bin/bash

$ docker ps
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS                  PORTS                         NAMES
57b76ef98d16        ubuntu:14.04        "/bin/bash"         8 minutes ago       Up 8 minutes            0.0.0.0:49154->80/tcp         three
a3160a19c377        ubuntu:14.04        "/bin/bash"         9 minutes ago       Up 9 minutes            $HOST_IP:$DOCKER_PORT->80/tcp two
0ac743ae3a1a        ubuntu:14.04        "/bin/bash"         9 minutes ago       Up 9 minutes            0.0.0.0:49153->80/tcp         one,two/one

I can verify container two can talk to container one.

# container one, listen on port 80
$ hostname -i 
172.17.0.2
$ nc -l 80

# container two, writing to port 80 (typing foo results in foo appearing on container one)
$ hostname -i 
172.17.0.3
$ nc 172.17.0.2 80
foo

If I try the same for communication from container three to container two, the connection "succeeds" but gets closed immediately.

# container two, listen on port 80
$ hostname -i 
172.17.0.3
$ nc -l 80

# container three, writing to port 80 (connection just gets closed)
$ hostname -i 
172.17.0.4
$ nc $HOST_IP $DOCKER_PORT -v
Connection to $HOST_IP $DOCKER_PORT port [tcp/*] succeeded!
$

Some environment information

# coreos version
$ cat /etc/lsb-release
DISTRIB_ID=CoreOS
DISTRIB_RELEASE=459.0.0
DISTRIB_CODENAME="Red Dog"
DISTRIB_DESCRIPTION="CoreOS 459.0.0"

# docker info
$ docker info
Containers: 4
Images: 278
Storage Driver: btrfs
Execution Driver: native-0.2
Kernel Version: 3.16.2+
Operating System: CoreOS 459.0.0

# ubuntu container info
$ uname -a
Linux 57b76ef98d16 3.16.2+ #2 SMP Fri Oct 3 07:45:37 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux

My question is why I am not able to write messages from container three to container two, and why the connection can be established but is still closed automatically.

Best Answer

The default behavior of netcat (and nc) is to close connections automatically (unless the -k flag is present).

As for the connections between container two and container three: container two isn't actually listening on port 80 on the underlying host; it's relying on NAT (network address translation) and forwarding of traffic. In this case you're trying to make a loop through the iptables "firewall" and the traffic cannot be returned. That being said, running this on a current CoreOS alpha host (459.0.0), I was able to duplicate this and see the traffic successfully route between the containers. Try it again with -k and see how it fares.
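
The symptom in the question (`nc -v` prints "succeeded!" and then drops back to the prompt) is a TCP connect that completes and is then closed by the other end. The following is an added example, not part of the original question or answer: a small Python probe that tells that case apart from a refused port and from a listener that keeps the connection open. The names `probe`, `start_listener` and `closed_port` are hypothetical, and the listeners are constructed stand-ins on 127.0.0.1, not the Docker setup above.

```python
import socket
import threading

def probe(host, port, payload=b"foo\n", wait=1.0):
    """Return 'refused', 'no-answer', 'closed-by-peer' or 'open' for host:port."""
    try:
        s = socket.create_connection((host, port), timeout=wait)
    except ConnectionRefusedError:
        return "refused"            # nothing accepted the SYN
    except socket.timeout:
        return "no-answer"          # SYN got no reply within `wait`
    with s:
        try:
            s.sendall(payload)
            data = s.recv(1)        # b"" means the peer closed its side
        except socket.timeout:
            return "open"           # still connected, peer is just silent
        except (ConnectionResetError, BrokenPipeError):
            return "closed-by-peer"
        return "open" if data else "closed-by-peer"

def start_listener(close_at_once):
    """Constructed one-shot listener on 127.0.0.1; returns its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))      # port 0: kernel picks a free port
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        srv.close()
        if not close_at_once:
            while conn.recv(64):    # read until the client hangs up
                pass
        conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return port

def closed_port():
    """Port on 127.0.0.1 that nothing listens on (bound, then released)."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port

if __name__ == "__main__":
    print(probe("127.0.0.1", start_listener(close_at_once=True)))
    print(probe("127.0.0.1", start_listener(close_at_once=False)))
    print(probe("127.0.0.1", closed_port()))
```

Run against `$HOST_IP` and `$DOCKER_PORT` from container three, a result of `closed-by-peer` matches the behaviour reported in the question, while `open` means the data path to the listener is intact.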