
port ranges: docker picks a host port used by process other than itself #44136

@singholt

Description

Hello,

If I use a container port and map it to a range of host ports, docker picks one port from the specified host port range.

When doing so, docker picks a port in-use by a non-docker started process, when there are other ports in the range that are available.

For example,

docker run -itd -p 21-23:100 busybox 

Above, docker would pick one of host ports 21-23 and map it to container port 100.

In the same example above, let's say host port 21 is in use by a running container, host port 22 is for ssh, and host port 23 is available. Docker skips 21, but picks 22 and fails while trying to map it to container port 100, whereas it should determine that both ports 21 and 22 are in use, and then pick port 23.

It seems to only know of ports used by itself (the process called docker-proxy).

Reproduce

  1. check host ports in use, for example port 22 for SSH, etc.

(output below is just an example, not the entire list of ports on my host)

sudo netstat -tulpn | grep LISTEN

tcp        0      0 127.0.0.1:39097         0.0.0.0:*               LISTEN      4824/containerd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      3479/sshd

  2. run a container ctr1 with 1 container port mapped to a range of host ports

docker run -itd -p 21-23:100 busybox

port 21 is free, docker maps it to container port 100.

  3. check in-use ports on the host

sudo netstat -tulpn | grep LISTEN

tcp        0      0 127.0.0.1:39097         0.0.0.0:*               LISTEN      4824/containerd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      3479/sshd
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      6105/docker-proxy

  4. run another container ctr2.

docker run -itd -p 21-23:100 busybox

this fails with reason:

docker: Error response from daemon: driver failed programming external connectivity on endpoint X: Error starting userland proxy: listen tcp4 0.0.0.0:22: bind: address already in use.

Expected behavior

Docker should pick a host port that's not in use, even if it's used by processes other than docker-proxy.
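A pre-flight check an operator can run before starting a container with a host port range, added here as an example and not part of this issue or of Docker's own code. It parses `netstat -tulpn` output (a constructed sample mirroring the report), contrasts the port an allocator that only sees docker-proxy listeners would choose with the first port actually free, and probes a port by attempting the same bind docker-proxy performs.

```python
import re
import socket

# Constructed sample of `sudo netstat -tulpn | grep LISTEN` (not captured from a real
# host), matching the report: docker-proxy on 21, sshd on 22, 23 free.
SAMPLE_NETSTAT = """\
tcp        0      0 127.0.0.1:39097         0.0.0.0:*               LISTEN      4824/containerd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      3479/sshd
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      6105/docker-proxy
"""
LISTEN_RE = re.compile(r"^tcp6?\s+\d+\s+\d+\s+\S+:(\d+)\s+\S+\s+LISTEN\s+(\S+)")

def listening_ports(netstat_output):
    """Map every LISTENing TCP port to its PID/program, whoever opened it."""
    ports = {}
    for line in netstat_output.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            ports[int(m.group(1))] = m.group(2)
    return ports

def docker_only_ports(ports):
    """The subset an allocator that only tracks its own docker-proxy listeners would see."""
    return {p: owner for p, owner in ports.items() if owner.endswith("/docker-proxy")}

def pick_host_port(low, high, in_use):
    """First port in low..high (inclusive) absent from in_use, or None if the range is full."""
    for port in range(low, high + 1):
        if port not in in_use:
            return port
    return None

def port_is_bindable(port, host="127.0.0.1"):
    """Ground truth independent of any bookkeeping: attempt the bind docker-proxy would make."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind((host, port))
            return True
        except OSError:  # EADDRINUSE when any process, docker-proxy or not, holds the port
            return False

def demo_probe():
    """Occupy an ephemeral port the way sshd occupies 22, probe it, release it, probe again."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as busy:
        busy.bind(("127.0.0.1", 0))
        busy.listen(1)
        port = busy.getsockname()[1]
        while_held = port_is_bindable(port)  # False: the bind fails, as in the report
    return while_held, port_is_bindable(port)  # True once the listener is closed
```

With the sample, the docker-proxy-only view yields 22 (the failing choice from the report), while the full view yields 23.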

docker version

Client:
 Version:           20.10.17
 API version:       1.41
 Go version:        go1.18.3
 Git commit:        100c701
 Built:             Thu Jun 16 20:08:47 2022
 OS/Arch:           linux/amd64
 Context:           default
 Experimental:      true

Server:
 Engine:
  Version:          20.10.17
  API version:      1.41 (minimum version 1.12)
  Go version:       go1.18.3
  Git commit:       a89b842
  Built:            Thu Jun 16 20:09:24 2022
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.6.6
  GitCommit:        10c12954828e7c7c9b6e0ea9b0c02b01407d3ae1
 runc:
  Version:          1.1.3
  GitCommit:        1e7bb5b773162b57333d57f612fd72e3f8612d94
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

docker info

Client:
 Context:    default
 Debug Mode: false

Server:
 Containers: 80
  Running: 2
  Paused: 0
  Stopped: 78
 Images: 7
 Server Version: 20.10.17
 Storage Driver: overlay2
  Backing Filesystem: xfs
  Supports d_type: true
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Cgroup Version: 1
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 io.containerd.runtime.v1.linux runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 10c12954828e7c7c9b6e0ea9b0c02b01407d3ae1
 runc version: 1e7bb5b773162b57333d57f612fd72e3f8612d94
 init version: de40ad0
 Security Options:
  seccomp
   Profile: default
 Kernel Version: 4.14.290-217.505.amzn2.x86_64
 Operating System: Amazon Linux 2
 OSType: linux
 Architecture: x86_64
 CPUs: 2
 Total Memory: 7.582GiB
 Name: ip-10-0-30-217.ec2.internal
 ID: KSG3:W7JG:IKW7:HZZC:BMVO:WRTF:6CKK:ZHXU:4UV3:TVRV:4GSN:RV2X
 Docker Root Dir: /var/lib/docker
 Debug Mode: true
  File Descriptors: 57
  Goroutines: 65
  System Time: 2022-09-12T21:33:22.945918853Z
  EventsListeners: 1
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false

Additional Info

No response
