Networking issues can be a real headache, especially when dealing with containerized applications. Whether it’s latency, routing problems, DNS resolution, firewall issues, or incomplete ARPs, network problems can significantly degrade application performance. Fortunately, there’s a powerful tool that can help you troubleshoot and resolve these issues: netshoot.
What is Netshoot?
Netshoot is a Docker container equipped with a comprehensive set of networking troubleshooting tools. It’s designed to help you diagnose and fix Docker and Kubernetes networking issues. With a proper understanding of how Docker and Kubernetes networking works and the right tools, you can troubleshoot and resolve these networking issues more effectively.
Understanding Network Namespaces
Before diving into the usage of netshoot, it’s essential to understand a key concept: Network Namespaces. Network namespaces provide isolation of the system resources associated with networking. Docker uses network and other types of namespaces (user, etc.) to create an isolated environment for each container. Everything from interfaces, routes, and IPs is completely isolated within the network namespace of the container.
The cool thing about namespaces is that you can switch between them. You can enter a different container’s network namespace and troubleshoot its network stack with tools that aren’t even installed in that container. Additionally, netshoot can be used to troubleshoot the host itself by using the host’s network namespace. This allows you to perform any troubleshooting without installing any new packages directly on the host or your application’s package.
Using Netshoot with Docker
Container’s Network Namespace
If you’re having networking issues with your application’s container, you can launch netshoot with that container’s network namespace like this:
$ sudo docker run -it --net container:<container_name> nicolaka/netshoot
Host’s Network Namespace
If you think the networking issue is on the host itself, you can launch netshoot with the host’s network namespace:
$ sudo docker run -it --net host nicolaka/netshoot
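A netshoot container started with --net container:<container_name> or --net host sees the same interfaces and traffic as its target, so it helps to know which debug containers are still attached once troubleshooting is over. The following is an added example, not code from the netshoot project: it reads JSON shaped like `docker inspect` output and lists containers that share a network namespace. The sample data, container names and function names are constructed for illustration.

```python
import json

# Constructed sample shaped like `docker inspect` output, trimmed to the
# fields used below. Names and IDs are made up for this example.
SAMPLE = json.loads("""[
 {"Id": "aaa111", "Name": "/nginx", "Config": {"Image": "nginx:alpine"},
  "HostConfig": {"NetworkMode": "bridge"}},
 {"Id": "bbb222", "Name": "/dbg-nginx", "Config": {"Image": "nicolaka/netshoot"},
  "HostConfig": {"NetworkMode": "container:aaa111"}},
 {"Id": "ccc333", "Name": "/dbg-host", "Config": {"Image": "nicolaka/netshoot:latest"},
  "HostConfig": {"NetworkMode": "host"}},
 {"Id": "ddd444", "Name": "/dbg-gone", "Config": {"Image": "nicolaka/netshoot"},
  "HostConfig": {"NetworkMode": "container:zzz999"}}
]""")


def resolve(target, containers):
    """Map a container:<ref> target (name or ID prefix) to a container name."""
    for c in containers:
        name = c["Name"].lstrip("/")
        if target == name or c["Id"].startswith(target):
            return name
    return None  # target is not present in this inspect output


def shared_netns(containers):
    """List containers whose network namespace is the host's or another container's."""
    findings = []
    for c in containers:
        mode = c["HostConfig"]["NetworkMode"]
        if mode == "host":
            shares = "host"
        elif mode.startswith("container:"):
            ref = mode.split(":", 1)[1]
            shares = resolve(ref, containers) or f"unknown:{ref}"
        else:
            continue  # bridge, none, or a user-defined network: own namespace
        findings.append({
            "name": c["Name"].lstrip("/"),
            "shares": shares,
            "netshoot": c["Config"]["Image"].split(":")[0] == "nicolaka/netshoot",
        })
    return findings


if __name__ == "__main__":
    for f in shared_netns(SAMPLE):
        print(f)
```

To run it against a live host, replace SAMPLE with the parsed output of `docker inspect $(docker ps -q)`.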
Network’s Network Namespace
If you want to troubleshoot a Docker network, you can enter the network’s namespace using nsenter. This is explained in the nsenter section below.
Using Netshoot with Docker Compose
You can easily deploy netshoot with Docker Compose using something like this:
version: "3.6"
services:
  tcpdump:
    image: nicolaka/netshoot
    depends_on:
      - nginx
    command: tcpdump -i eth0 -w /data/nginx.pcap
    network_mode: service:nginx
    volumes:
      - $PWD/data:/data
  nginx:
    image: nginx:alpine
    ports:
      - 80:80
Netshoot includes a wide range of powerful tools for network troubleshooting. Here’s a list of the included packages along with a brief description of each:
- apache2-utils: Utilities for web server benchmarking and server status monitoring.
- bash: A popular Unix shell.
- bind-tools: Tools for querying DNS servers.
- bird: Internet routing daemon.
- bridge-utils: Utilities for configuring the Linux Ethernet bridge.
- busybox-extras: Provides several stripped-down Unix tools in a single executable.
- conntrack-tools: Tools for managing connection tracking records.
- curl: Tool for transferring data with URL syntax.
- dhcping: Tool to send DHCP requests to DHCP servers.
- drill: Tool similar to
- ethtool: Tool for displaying and changing NIC settings.
- file: Tool to determine the type of a file.
- fping: Tool to ping multiple hosts.
- grpcurl: Command-line tool for interacting with gRPC servers.
- iftop: Displays bandwidth usage on an interface.
- iperf: Tool for measuring TCP and UDP bandwidth performance.
- iperf3: A newer version of iperf.
- iproute2: Collection of utilities for controlling TCP/IP networking.
- ipset: Tool to manage IP sets.
- iptables: User-space utility program for configuring the IP packet filter rules.
- iptraf-ng: Network monitoring tool.
- iputils: Set of small useful utilities for Linux networking.
- ipvsadm: Utility to administer the IP Virtual Server services.
- jq: Lightweight and flexible command-line JSON processor.
- libc6-compat: Compatibility libraries for glibc.
- liboping: C library to generate ICMP echo requests.
- ltrace: A library call tracer.
- mtr: Network diagnostic tool.
- net-snmp-tools: Set of SNMP management tools.
- netcat-openbsd: Networking tool known as the “Swiss army knife” of networking.
- nftables: Successor to iptables.
- ngrep: Network packet analyzer.
- nmap: Network exploration tool and security scanner.
- nmap-nping: Packet generation and response analysis tool.
- nmap-scripts: Scripts for nmap.
- openssl: Toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols.
- py3-pip: Package installer for Python.
- py3-setuptools: Python Distutils Enhancements.
- scapy: Packet manipulation tool.
- socat: Relay for bidirectional data transfer.
- speedtest-cli: Command-line interface for testing internet bandwidth.
- openssh: OpenSSH client and server.
- strace: System call tracer.
- tcpdump: Packet analyzer.
- tcptraceroute: Traceroute implementation using TCP packets.
- tshark: Network protocol analyzer.
- util-linux: Miscellaneous system utilities.
- vim: Highly configurable text editor.
- git: Distributed version control system.
- zsh: Unix shell.
- websocat: Simple WebSocket client.
- swaks: Swiss Army Knife for SMTP.
- perl-crypt-ssleay: Perl module for OpenSSL.
- perl-net-ssleay: Perl module for using OpenSSL.
With this extensive set of tools, netshoot is a powerful ally in diagnosing and resolving network issues in your Docker and Kubernetes environments. Whether you’re dealing with latency, routing problems, DNS resolution, firewall issues, or incomplete ARPs, netshoot has the tools you need to troubleshoot and fix these issues.
If you’re interested in trying out netshoot for yourself, you can find the project on GitHub at https://github.com/nicolaka/netshoot. It’s a powerful tool that can help you troubleshoot and resolve network issues in your Docker and Kubernetes environments.