0

For the first time in my life, I am unable to figure out what process is listening on a specific port in Linux :)

This is an Ubuntu Server 22.04 installation, running K8s. There is an ingress controller in the cluster that is binding to ports 80 and 443, and I know this works because:

    :~# curl localhost
    <html>
    <head><title>404 Not Found</title></head>
    <body>
    <center><h1>404 Not Found</h1></center>
    <hr><center>nginx</center>
    </body>
    </html>
    :~# curl localhost:443
    <html>
    <head><title>400 The plain HTTP request was sent to HTTPS port</title></head>
    <body>
    <center><h1>400 Bad Request</h1></center>
    <center>The plain HTTP request was sent to HTTPS port</center>
    <hr><center>nginx</center>
    </body>
    </html>
    ~# curl https://localhost:443 -k
    <html>
    <head><title>404 Not Found</title></head>
    <body>
    <center><h1>404 Not Found</h1></center>
    <hr><center>nginx</center>
    </body>
    </html>

The problem is that I cannot figure out what process binds to those ports, and how. I did try using ss, but nothing shows up:

    :~# ss -tlnpu | grep 80
    tcp   LISTEN 0      4096   192.168.13.191:2380   0.0.0.0:*   users:(("etcd",pid=1452,fd=8))
    tcp   LISTEN 0      4096        127.0.0.1:2380   0.0.0.0:*   users:(("etcd",pid=1452,fd=7))
    :~# ss -tlnpu | grep 443
    tcp   LISTEN 0      4096                *:6443         *:*   users:(("kube-apiserver",pid=1546,fd=7))

How can I figure out the actual process that is listening on the ports?

4
  • 1
    Sanity check: what address does localhost resolve to? Commented Nov 23, 2022 at 8:19
  • 2
    Look at iptables rules, particularly the nat tables where you will have DNAT rules. Maybe your ports 80 & 443 are being forwarded elsewhere or rewritten to different ports Commented Nov 23, 2022 at 8:21
  • 1
    Are you running the ss command within the appropriate container? The processes managed by Kubernetes (K8s) could be in a separate network namespace, so a host-level ss might not see them without the -N <namespace> or --net=<namespace> option. Commented Nov 23, 2022 at 8:50
  • 1
    @StephenKitt - I did check iptables, but I didn't think to look at the nat tables as well :) . @roaima is right - there are DNAT rules rewriting the packets. If you would post that as an answer, I would gladly accept it! Commented Nov 23, 2022 at 8:52
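
The check the comments point to, as an added example that is not part of the original thread: match listeners by exact port, then look for nat-table rules that rewrite traffic for that port. The function names are hypothetical, the `ss` lines are copied from the question, and the `iptables-save -t nat` sample (chain names, pod IP) is constructed.

```shell
#!/bin/sh
# Added example. Real use (as root on the node):
#   ss -tlnpu | listeners_on_port 80
#   iptables-save -t nat | nat_rewrites_for_port 80

# Exact-port match on the Local Address:Port column of `ss -tlnpu` output
# (unlike `grep 80`, this does not also match 2380).
listeners_on_port() {
    awk -v port="$1" '{ n = split($5, a, ":"); if (a[n] == port) print $5, $7 }'
}

# Print "chain target destination" for each nat rule whose
# --dport/--dports (single port, comma list or lo:hi range) covers the port.
nat_rewrites_for_port() {
    awk -v port="$1" '
    function in_spec(spec,    n, k, p, r) {
        n = split(spec, p, ",")
        for (k = 1; k <= n; k++) {
            if (split(p[k], r, ":") == 2) {
                if (port + 0 >= r[1] + 0 && port + 0 <= r[2] + 0) return 1
            } else if (p[k] == port) return 1
        }
        return 0
    }
    $1 == "-A" {
        hit = 0; target = "-"; dest = "-"
        for (i = 3; i < NF; i++) {
            if (($i == "--dport" || $i == "--dports") && in_spec($(i + 1))) hit = 1
            if ($i == "-j") target = $(i + 1)
            if ($i == "--to-destination" || $i == "--to-ports") dest = $(i + 1)
        }
        if (hit) print $2, target, dest
    }'
}

# Constructed sample of `iptables-save -t nat` output (chain names and pod IP are made up).
SAMPLE_NAT='*nat
-A PREROUTING -m addrtype --dst-type LOCAL -j EXAMPLE-HOSTPORTS
-A EXAMPLE-HOSTPORTS -p tcp -m multiport --dports 80,443 -j EXAMPLE-INGRESS
-A EXAMPLE-INGRESS -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.0.5:80
-A EXAMPLE-INGRESS -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.0.0.5:443
COMMIT'
# ss lines copied from the question.
SAMPLE_SS='tcp LISTEN 0 4096 192.168.13.191:2380 0.0.0.0:* users:(("etcd",pid=1452,fd=8))
tcp LISTEN 0 4096 *:6443 *:* users:(("kube-apiserver",pid=1546,fd=7))'

printf '%s\n' "$SAMPLE_SS"  | listeners_on_port 80      # no output: nothing listens on :80
printf '%s\n' "$SAMPLE_NAT" | nat_rewrites_for_port 80  # the jump rule, then the DNAT rule
```

A rule whose target is another chain shows `-` as its destination; the DNAT line from that chain carries the address the traffic is actually sent to.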

1 Answer

1

In your specific case, I see you're running Kubernetes, so there's a good chance you could find the containers listening to that port using a docker command:

    $ docker ps --format "table {{.ID}}\t{{.Names}}\t{{.Ports}}"
    CONTAINER ID   NAMES                 PORTS
    a690f047d3c8   quizzical_sanderson   0.0.0.0:8080->8080/tcp, 8443/tcp
    431ff622ad62   tender_payne          0.0.0.0:9191->9090/tcp
    78941a2ee170   awx_task              8052/tcp
    2f5fc70ac576   awx_web               0.0.0.0:80->8052/tcp, 0.0.0.0:443->8053/tcp

You could see the container awx_web forwards ports 80 and 443 from the host to ports 8052 and 8053 respectively in the container's private network namespace.

You could also just run docker ps, without the --format argument. I used the --format argument to make it more readable and convenient.

1
  • Thank you, but this does not apply. Even if it was a container, I should have been able to see the process using ss (in the case of docker, the process is usually docker-proxy). Also, this is a recent k8s version, so it uses containerd instead of docker as the runtime. Commented Nov 23, 2022 at 12:27
