{"id":2202,"date":"2020-05-31T17:36:34","date_gmt":"2020-05-31T14:36:34","guid":{"rendered":"https:\/\/www.void.gr\/kargig\/blog\/?p=2202"},"modified":"2020-06-01T22:45:21","modified_gmt":"2020-06-01T19:45:21","slug":"linux-network-troubleshooting-a-la-dr-house","status":"publish","type":"post","link":"https:\/\/www.void.gr\/kargig\/blog\/2020\/05\/31\/linux-network-troubleshooting-a-la-dr-house\/","title":{"rendered":"Linux network troubleshooting a la Dr. House"},"content":{"rendered":"\n<h3 class=\"wp-block-heading\">Intro<\/h3>\n\n\n\n<p>The following story is inspired by a recent case I had to troubleshoot at work. I think it is a nice example of troubleshooting Linux networking issues, so I&#8217;ve modified\/simplified the setup a bit to be able to reproduce it on a VM. I&#8217;ll go through the troubleshooting steps in almost the same way we handled the actual case. Service names, IPs, ports, etc. are all different from the real case, as the focus should not be the example itself but the process.<\/p>\n\n\n\n<p>It all started a few days ago when I was asked to help on an &#8220;unusual&#8221; case. Docker containers on every single host of an installation could not establish connections towards services that listen on the &#8220;main&#8221; IP of the host they run on, nor could they ping that IP, but the containers had full access to the internet and could connect to the service ports on other hosts in the LAN. As everyone who has done even a tiny bit of support knows, asking whether something changed recently in the setup is always answered with a single global truth: &#8220;nothing has recently changed, it just stopped working&#8221;.<br \/>Challenge accepted!<br \/><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Reproduction setup<\/h3>\n\n\n\n<p>For reproduction purposes I&#8217;ve used a VM with one ethernet interface, and a docker bridge. In this VM I have injected the same problem as in the real case. 
Even though the real case was a bit more complicated, to make following the post somewhat easier, I&#8217;ve used only one service listening on the host, an Elasticsearch process, and only one Kibana docker container that needs to communicate with Elasticsearch on the host.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Troubleshooting process<\/h3>\n\n\n\n<pre class=\"wp-block-code\"><pre><code2>Host interfaces:\n\n2: ens5: &lt;BROADCAST,MULTICAST,UP,LOWER_UP&gt; mtu 9001 qdisc mq state UP group default qlen 1000\n&nbsp;&nbsp;&nbsp;&nbsp;link\/ether 06:ce:3b:94:fe:ac brd ff:ff:ff:ff:ff:ff\n&nbsp;&nbsp;&nbsp;&nbsp;inet 172.31.45.100\/20 brd 172.31.47.255 scope global dynamic ens5\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; valid_lft 3572sec preferred_lft 3572sec\n&nbsp;&nbsp;&nbsp;&nbsp;inet6 fe80::4ce:3bff:fe94:feac\/64 scope link \n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; valid_lft forever preferred_lft forever\n3: docker0: &lt;BROADCAST,MULTICAST,UP,LOWER_UP&gt; mtu 1500 qdisc noqueue state UP group default \n&nbsp;&nbsp;&nbsp;&nbsp;link\/ether 02:42:e9:38:3d:a8 brd ff:ff:ff:ff:ff:ff\n&nbsp;&nbsp;&nbsp;&nbsp;inet 172.17.0.1\/16 scope global docker0\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; valid_lft forever preferred_lft forever\n&nbsp;&nbsp;&nbsp;&nbsp;inet6 fe80::42:e9ff:fe38:3da8\/64 scope link \n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; valid_lft forever preferred_lft forever<\/code2><\/pre><\/pre>\n\n\n\n<p>Kibana&#8217;s config has the following ENV variable set: ELASTICSEARCH_HOSTS=<a href=\"http:\/\/172.31.45.100:9200\">http:\/\/172.31.45.100:9200<\/a>, and for simplification purposes let&#8217;s assume that this IP could not be changed.<\/p>\n\n\n\n<p>As originally described, curl from the container towards the service IP:port does not work<\/p>\n\n\n\n<pre class=\"wp-block-code\"><pre><code2>(container) bash-4.2$ curl -v 172.31.45.100:9200\n* About to connect() to 172.31.45.100 port 9200 (#0)\n*&nbsp;&nbsp; Trying 172.31.45.100...<\/code2><\/pre><\/pre>\n\n\n\n<p>it just 
hangs there without error. There&#8217;s no DNS resolution involved here, straight curl towards the IP:port<\/p>\n\n\n\n<p>Let&#8217;s check if the service is actually listening on the host<\/p>\n\n\n\n<pre class=\"wp-block-code\"><pre><code2>[root@ip-172-31-45-100 ~]# ss -ltnp | grep 9200\nLISTEN&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;128&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [::]:9200&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;[::]:*&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; users:((&quot;java&quot;,pid=17892,fd=257))<\/code2><\/pre><\/pre>\n\n\n\n<p><\/p>\n\n\n\n<p>The service listens on 9200. Since the service listens on all interfaces, let&#8217;s curl from the container towards the service IP:port on the docker0 interface.<\/p>\n\n\n\n<p><\/p>\n\n\n\n<pre class=\"wp-block-code\"><pre><code2>bash-4.2$ curl -v 172.17.0.1:9200\n* About to connect() to 172.17.0.1 port 9200 (#0)\n*&nbsp;&nbsp; Trying 172.17.0.1...\n* Connected to 172.17.0.1 (172.17.0.1) port 9200 (#0)\n&gt; GET \/ HTTP\/1.1\n&gt; User-Agent: curl\/7.29.0\n&gt; Host: 172.17.0.1:9200\n&gt; Accept: *\/*\n&gt; \n&lt; HTTP\/1.1 200 OK\n&lt; content-type: application\/json; charset=UTF-8\n&lt; content-length: 524\n&lt; \n{\n&nbsp;&nbsp;&quot;name&quot; : &quot;node1&quot;,\n&nbsp;&nbsp;&quot;cluster_name&quot; : &quot;centos7&quot;,\n&nbsp;&nbsp;&quot;cluster_uuid&quot; : &quot;d6fBSua6Q9OvSu534roTpA&quot;,\n&nbsp;&nbsp;&quot;version&quot; : {\n&nbsp;&nbsp;&nbsp;&nbsp;&quot;number&quot; : &quot;7.7.0&quot;,\n&nbsp;&nbsp;&nbsp;&nbsp;&quot;build_flavor&quot; : 
&quot;default&quot;,\n&nbsp;&nbsp;&nbsp;&nbsp;&quot;build_type&quot; : &quot;rpm&quot;,\n&nbsp;&nbsp;&nbsp;&nbsp;&quot;build_hash&quot; : &quot;81a1e9eda8e6183f5237786246f6dced26a10eaf&quot;,\n&nbsp;&nbsp;&nbsp;&nbsp;&quot;build_date&quot; : &quot;2020-05-12T02:01:37.602180Z&quot;,\n&nbsp;&nbsp;&nbsp;&nbsp;&quot;build_snapshot&quot; : false,\n&nbsp;&nbsp;&nbsp;&nbsp;&quot;lucene_version&quot; : &quot;8.5.1&quot;,\n&nbsp;&nbsp;&nbsp;&nbsp;&quot;minimum_wire_compatibility_version&quot; : &quot;6.8.0&quot;,\n&nbsp;&nbsp;&nbsp;&nbsp;&quot;minimum_index_compatibility_version&quot; : &quot;6.0.0-beta1&quot;\n&nbsp;&nbsp;},\n&nbsp;&nbsp;&quot;tagline&quot; : &quot;You Know, for Search&quot;\n}<\/code2><\/pre><\/pre>\n\n\n\n<p>that works, so the service is running properly. Curl-ing the service from the host using the host&#8217;s IP also works<\/p>\n\n\n\n<pre class=\"wp-block-code\"><pre><code2>[root@ip-172-31-45-100 ~]# curl http:\/\/172.31.45.100:9200\n{\n&nbsp;&nbsp;&quot;name&quot; : &quot;node1&quot;,\n&nbsp;&nbsp;&quot;cluster_name&quot; : &quot;centos7&quot;,\n&nbsp;&nbsp;&quot;cluster_uuid&quot; : &quot;d6fBSua6Q9OvSu534roTpA&quot;,\n&nbsp;&nbsp;&quot;version&quot; : {\n&nbsp;&nbsp;&nbsp;&nbsp;&quot;number&quot; : &quot;7.7.0&quot;,\n&nbsp;&nbsp;&nbsp;&nbsp;&quot;build_flavor&quot; : &quot;default&quot;,\n&nbsp;&nbsp;&nbsp;&nbsp;&quot;build_type&quot; : &quot;rpm&quot;,\n&nbsp;&nbsp;&nbsp;&nbsp;&quot;build_hash&quot; : &quot;81a1e9eda8e6183f5237786246f6dced26a10eaf&quot;,\n&nbsp;&nbsp;&nbsp;&nbsp;&quot;build_date&quot; : &quot;2020-05-12T02:01:37.602180Z&quot;,\n&nbsp;&nbsp;&nbsp;&nbsp;&quot;build_snapshot&quot; : false,\n&nbsp;&nbsp;&nbsp;&nbsp;&quot;lucene_version&quot; : &quot;8.5.1&quot;,\n&nbsp;&nbsp;&nbsp;&nbsp;&quot;minimum_wire_compatibility_version&quot; : &quot;6.8.0&quot;,\n&nbsp;&nbsp;&nbsp;&nbsp;&quot;minimum_index_compatibility_version&quot; : &quot;6.0.0-beta1&quot;\n&nbsp;&nbsp;},\n&nbsp;&nbsp;&quot;tagline&quot; : &quot;You Know, for 
Search&quot;\n}<\/code2><\/pre><\/pre>\n\n\n\n<p>Let&#8217;s check for internet connectivity from the container<\/p>\n\n\n\n<pre class=\"wp-block-code\"><pre><code2>bash-4.2$ curl -v 1.1.1.1\n* About to connect() to 1.1.1.1 port 80 (#0)\n*&nbsp;&nbsp; Trying 1.1.1.1...\n* Connected to 1.1.1.1 (1.1.1.1) port 80 (#0)\n&gt; GET \/ HTTP\/1.1\n&gt; User-Agent: curl\/7.29.0\n&gt; Host: 1.1.1.1\n&gt; Accept: *\/*\n&gt; \n&lt; HTTP\/1.1 301 Moved Permanently\n&lt; Date: Sun, 31 May 2020 10:10:27 GMT\n&lt; Content-Type: text\/html\n&lt; Transfer-Encoding: chunked\n&lt; Connection: keep-alive\n&lt; Location: https:\/\/1.1.1.1\/\n&lt; Served-In-Seconds: 0.000\n&lt; CF-Cache-Status: HIT\n&lt; Age: 5334\n&lt; Expires: Sun, 31 May 2020 14:10:27 GMT\n&lt; Cache-Control: public, max-age=14400\n&lt; cf-request-id: 030bcf27a3000018e57f0f5200000001\n&lt; Server: cloudflare\n&lt; CF-RAY: 59bfe7b90b7518e5-FRA\n&lt; \n&lt;html&gt;\n&lt;head&gt;&lt;title&gt;301 Moved Permanently&lt;\/title&gt;&lt;\/head&gt;\n&lt;body bgcolor=&quot;white&quot;&gt;\n&lt;center&gt;&lt;h1&gt;301 Moved Permanently&lt;\/h1&gt;&lt;\/center&gt;\n&lt;hr&gt;&lt;center&gt;cloudflare-lb&lt;\/center&gt;\n&lt;\/body&gt;\n&lt;\/html&gt;<\/code2><\/pre><\/pre>\n\n\n\n<p>internet connectivity for the container works just fine. 
Let&#8217;s curl to another host in the same LAN on the same service port.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><pre><code2>bash-4.2$ curl -v 172.31.45.101:9200\n* About to connect() to 172.31.45.101 port 9200 (#0)\n*&nbsp;&nbsp; Trying 172.31.45.101...\n* Connected to 172.31.45.101 (172.31.45.101) port 9200 (#0)\n&gt; GET \/ HTTP\/1.1\n&gt; User-Agent: curl\/7.29.0\n&gt; Host: 172.31.45.101:9200\n&gt; Accept: *\/*\n&gt; \n&lt; HTTP\/1.1 200 OK\n&lt; content-type: application\/json; charset=UTF-8\n&lt; content-length: 524\n&lt; \n{\n&nbsp;&nbsp;&quot;name&quot; : &quot;node2&quot;,\n&nbsp;&nbsp;&quot;cluster_name&quot; : &quot;centos7&quot;,\n&nbsp;&nbsp;&quot;cluster_uuid&quot; : &quot;d6fBSua6Q9OvSu534roTpA&quot;,\n&nbsp;&nbsp;&quot;version&quot; : {\n&nbsp;&nbsp;&nbsp;&nbsp;&quot;number&quot; : &quot;7.7.0&quot;,\n&nbsp;&nbsp;&nbsp;&nbsp;&quot;build_flavor&quot; : &quot;default&quot;,\n&nbsp;&nbsp;&nbsp;&nbsp;&quot;build_type&quot; : &quot;rpm&quot;,\n&nbsp;&nbsp;&nbsp;&nbsp;&quot;build_hash&quot; : &quot;81a1e9eda8e6183f5237786246f6dced26a10eaf&quot;,\n&nbsp;&nbsp;&nbsp;&nbsp;&quot;build_date&quot; : &quot;2020-05-12T02:01:37.602180Z&quot;,\n&nbsp;&nbsp;&nbsp;&nbsp;&quot;build_snapshot&quot; : false,\n&nbsp;&nbsp;&nbsp;&nbsp;&quot;lucene_version&quot; : &quot;8.5.1&quot;,\n&nbsp;&nbsp;&nbsp;&nbsp;&quot;minimum_wire_compatibility_version&quot; : &quot;6.8.0&quot;,\n&nbsp;&nbsp;&nbsp;&nbsp;&quot;minimum_index_compatibility_version&quot; : &quot;6.0.0-beta1&quot;\n&nbsp;&nbsp;},\n&nbsp;&nbsp;&quot;tagline&quot; : &quot;You Know, for Search&quot;\n}<\/code2><\/pre><\/pre>\n\n\n\n<p>That also works. Time to use the swiss army knife of network troubleshooting, tcpdump. 
If you want to find which veth interface a container uses you can either use <a href=\"https:\/\/github.com\/micahculpepper\/dockerveth\" target=\"_blank\" rel=\"noreferrer noopener\">dockerveth<\/a> or use the following commands to figure it out manually.<br \/>Get the iflink of container&#8217;s eth0:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code2>[root@ip-172-31-45-100 ~]# docker exec -it &lt;container-name&gt; bash -c &#039;cat \/sys\/class\/net\/eth0\/iflink&#039;<\/code2><\/pre>\n\n\n\n<p>In this case that would be:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><pre><code2># docker exec -it kibana bash -c &#039;cat \/sys\/class\/net\/eth0\/iflink&#039;\n41<\/code2><\/pre><\/pre>\n\n\n\n<p>then find the file name of the ifindex that contains that link number in `\/sys\/class\/net\/veth*\/ifindex` of the host<\/p>\n\n\n\n<pre class=\"wp-block-code\"><pre><code2>[root@ip-172-31-45-100 ~]# grep -lw 41 \/sys\/class\/net\/veth*\/ifindex\n\/sys\/class\/net\/veth0006ca6\/ifindex<\/code2><\/pre><\/pre>\n\n\n\n<p>`veth0006ca6` is what we need to use. Let&#8217;s run tcpdump on it<\/p>\n\n\n\n<pre class=\"wp-block-code\"><pre><code2>[root@ip-172-31-45-100 ~]# tcpdump -nni veth0006ca6\n10:06:16.745143 IP 172.17.0.2.47166 &gt; 172.31.45.100.9200: Flags [S], seq 1062649548, win 29200, options [mss 1460,sackOK,TS val 1781316 ecr 0,nop,wscale 7], length 0\n10:06:16.749126 IP 172.17.0.2.47168 &gt; 172.31.45.100.9200: Flags [S], seq 4174345004, win 29200, options [mss 1460,sackOK,TS val 1781320 ecr 0,nop,wscale 7], length 0\n10:06:16.749131 IP 172.17.0.2.47170 &gt; 172.31.45.100.9200: Flags [S], seq 1386880792, win 29200, options [mss 1460,sackOK,TS val 1781320 ecr 0,nop,wscale 7], length 0<\/code2><\/pre><\/pre>\n\n\n\n<p>the syn packet is seen going out of the container&#8217;s veth interface. 
So let&#8217;s tcpdump on docker0<\/p>\n\n\n\n<pre class=\"wp-block-code\"><pre><code2>[root@ip-172-31-45-100 ~]# tcpdump -nni docker0\n10:07:07.813153 IP 172.17.0.2.47148 &gt; 172.31.45.100.9200: Flags [S], seq 4114480937, win 29200, options [mss 1460,sackOK,TS val 1396384 ecr 0,nop,wscale 7], length 0\n10:07:07.845141 IP 172.17.0.2.47144 &gt; 172.31.45.100.9200: Flags [S], seq 3273546229, win 29200, options [mss 1460,sackOK,TS val 1412416 ecr 0,nop,wscale 7], length 0\n10:07:07.845147 IP 172.17.0.2.47146 &gt; 172.31.45.100.9200: Flags [S], seq 2062214864, win 29200, options [mss 1460,sackOK,TS val 1412416 ecr 0,nop,wscale 7], length 0<\/code2><\/pre><\/pre>\n\n\n\n<p>the syn packet can also be seen on the docker0 bridge. The syn packet cannot be seen on the interface (ens5) that has the service IP (172.31.45.100) on it, since it doesn&#8217;t traverse that link to go outside the host.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><pre><code2>[root@ip-172-31-45-100 ~]# tcpdump -nni ens5 port 9200 or icmp\ntcpdump: verbose output suppressed, use -v or -vv for full protocol decode\nlistening on ens5, link-type EN10MB (Ethernet), capture size 262144 bytes<\/code2><\/pre><\/pre>\n\n\n\n<p>Let&#8217;s check routing entries.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><pre><code2>[root@ip-172-31-45-100 ~]# ip route ls\ndefault via 172.31.32.1 dev ens5 \n172.17.0.0\/16 dev docker0 proto kernel scope link src 172.17.0.1 \n172.31.32.0\/20 dev ens5 proto kernel scope link src 172.31.45.100 <\/code2><\/pre><\/pre>\n\n\n\n<p>Nothing interesting here at all. 
Time to check iptables.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><pre><code2>[root@ip-172-31-45-100 ~]# iptables -nxvL\nChain INPUT (policy ACCEPT 169 packets, 27524 bytes)\n&nbsp;&nbsp;&nbsp;&nbsp;pkts&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;bytes target&nbsp;&nbsp;&nbsp;&nbsp; prot opt in&nbsp;&nbsp;&nbsp;&nbsp; out&nbsp;&nbsp;&nbsp;&nbsp; source&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; destination&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; \n\nChain FORWARD (policy DROP 0 packets, 0 bytes)\n&nbsp;&nbsp;&nbsp;&nbsp;pkts&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;bytes target&nbsp;&nbsp;&nbsp;&nbsp; prot opt in&nbsp;&nbsp;&nbsp;&nbsp; out&nbsp;&nbsp;&nbsp;&nbsp; source&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; destination&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; \n&nbsp;&nbsp;&nbsp;&nbsp; 368&nbsp;&nbsp;&nbsp;&nbsp;27870 DOCKER-ISOLATION&nbsp;&nbsp;all&nbsp;&nbsp;--&nbsp;&nbsp;*&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;*&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0.0.0.0\/0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;0.0.0.0\/0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; \n&nbsp;&nbsp;&nbsp;&nbsp; 184&nbsp;&nbsp;&nbsp;&nbsp;14254 DOCKER&nbsp;&nbsp;&nbsp;&nbsp; all&nbsp;&nbsp;--&nbsp;&nbsp;*&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;docker0&nbsp;&nbsp;0.0.0.0\/0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;0.0.0.0\/0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; \n&nbsp;&nbsp;&nbsp;&nbsp; 184&nbsp;&nbsp;&nbsp;&nbsp;14254 ACCEPT&nbsp;&nbsp;&nbsp;&nbsp; all&nbsp;&nbsp;--&nbsp;&nbsp;*&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;docker0&nbsp;&nbsp;0.0.0.0\/0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;0.0.0.0\/0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;ctstate RELATED,ESTABLISHED\n&nbsp;&nbsp;&nbsp;&nbsp; 184&nbsp;&nbsp;&nbsp;&nbsp;13616 ACCEPT&nbsp;&nbsp;&nbsp;&nbsp; 
all&nbsp;&nbsp;--&nbsp;&nbsp;docker0 !docker0&nbsp;&nbsp;0.0.0.0\/0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;0.0.0.0\/0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; \n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;0 ACCEPT&nbsp;&nbsp;&nbsp;&nbsp; all&nbsp;&nbsp;--&nbsp;&nbsp;docker0 docker0&nbsp;&nbsp;0.0.0.0\/0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;0.0.0.0\/0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; \n\nChain OUTPUT (policy ACCEPT 109 packets, 10788 bytes)\n&nbsp;&nbsp;&nbsp;&nbsp;pkts&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;bytes target&nbsp;&nbsp;&nbsp;&nbsp; prot opt in&nbsp;&nbsp;&nbsp;&nbsp; out&nbsp;&nbsp;&nbsp;&nbsp; source&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; destination&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; \n\nChain DOCKER (1 references)\n&nbsp;&nbsp;&nbsp;&nbsp;pkts&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;bytes target&nbsp;&nbsp;&nbsp;&nbsp; prot opt in&nbsp;&nbsp;&nbsp;&nbsp; out&nbsp;&nbsp;&nbsp;&nbsp; source&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; destination&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; \n\nChain DOCKER-ISOLATION (1 references)\n&nbsp;&nbsp;&nbsp;&nbsp;pkts&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;bytes target&nbsp;&nbsp;&nbsp;&nbsp; prot opt in&nbsp;&nbsp;&nbsp;&nbsp; out&nbsp;&nbsp;&nbsp;&nbsp; source&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; destination&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; \n&nbsp;&nbsp;&nbsp;&nbsp; 368&nbsp;&nbsp;&nbsp;&nbsp;27870 RETURN&nbsp;&nbsp;&nbsp;&nbsp; all&nbsp;&nbsp;--&nbsp;&nbsp;*&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;*&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0.0.0.0\/0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;0.0.0.0\/0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;\n\n[root@ip-172-31-45-100 ~]# iptables -nxvL -t 
nat\nChain PREROUTING (policy ACCEPT 0 packets, 0 bytes)\n&nbsp;&nbsp;&nbsp;&nbsp;pkts&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;bytes target&nbsp;&nbsp;&nbsp;&nbsp; prot opt in&nbsp;&nbsp;&nbsp;&nbsp; out&nbsp;&nbsp;&nbsp;&nbsp; source&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; destination&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; \n&nbsp;&nbsp;&nbsp;&nbsp; 204&nbsp;&nbsp;&nbsp;&nbsp;12200 DOCKER&nbsp;&nbsp;&nbsp;&nbsp; all&nbsp;&nbsp;--&nbsp;&nbsp;*&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;*&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0.0.0.0\/0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;0.0.0.0\/0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;ADDRTYPE match dst-type LOCAL\n\nChain INPUT (policy ACCEPT 0 packets, 0 bytes)\n&nbsp;&nbsp;&nbsp;&nbsp;pkts&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;bytes target&nbsp;&nbsp;&nbsp;&nbsp; prot opt in&nbsp;&nbsp;&nbsp;&nbsp; out&nbsp;&nbsp;&nbsp;&nbsp; source&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; destination&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; \n\nChain OUTPUT (policy ACCEPT 6 packets, 456 bytes)\n&nbsp;&nbsp;&nbsp;&nbsp;pkts&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;bytes target&nbsp;&nbsp;&nbsp;&nbsp; prot opt in&nbsp;&nbsp;&nbsp;&nbsp; out&nbsp;&nbsp;&nbsp;&nbsp; source&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; destination&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; \n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;0 DOCKER&nbsp;&nbsp;&nbsp;&nbsp; all&nbsp;&nbsp;--&nbsp;&nbsp;*&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;*&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0.0.0.0\/0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; !127.0.0.0\/8&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;ADDRTYPE match dst-type LOCAL\n\nChain POSTROUTING (policy ACCEPT 6 packets, 456 
bytes)\n&nbsp;&nbsp;&nbsp;&nbsp;pkts&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;bytes target&nbsp;&nbsp;&nbsp;&nbsp; prot opt in&nbsp;&nbsp;&nbsp;&nbsp; out&nbsp;&nbsp;&nbsp;&nbsp; source&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; destination&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; \n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;92&nbsp;&nbsp;&nbsp;&nbsp; 6808 MASQUERADE&nbsp;&nbsp;all&nbsp;&nbsp;--&nbsp;&nbsp;*&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;!docker0&nbsp;&nbsp;172.17.0.0\/16&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;0.0.0.0\/0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; \n\nChain DOCKER (2 references)\n&nbsp;&nbsp;&nbsp;&nbsp;pkts&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;bytes target&nbsp;&nbsp;&nbsp;&nbsp; prot opt in&nbsp;&nbsp;&nbsp;&nbsp; out&nbsp;&nbsp;&nbsp;&nbsp; source&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; destination&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; \n&nbsp;&nbsp;&nbsp;&nbsp; 191&nbsp;&nbsp;&nbsp;&nbsp;11460 RETURN&nbsp;&nbsp;&nbsp;&nbsp; all&nbsp;&nbsp;--&nbsp;&nbsp;docker0 *&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0.0.0.0\/0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;0.0.0.0\/0&nbsp;&nbsp;\n\n[root@ip-172-31-45-100 ~]# iptables -nxvL -t mangle\nChain PREROUTING (policy ACCEPT 0 packets, 0 bytes)\n&nbsp;&nbsp;&nbsp;&nbsp;pkts&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;bytes target&nbsp;&nbsp;&nbsp;&nbsp; prot opt in&nbsp;&nbsp;&nbsp;&nbsp; out&nbsp;&nbsp;&nbsp;&nbsp; source&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; destination&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; \n\nChain INPUT (policy ACCEPT 0 packets, 0 bytes)\n&nbsp;&nbsp;&nbsp;&nbsp;pkts&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;bytes target&nbsp;&nbsp;&nbsp;&nbsp; prot opt in&nbsp;&nbsp;&nbsp;&nbsp; out&nbsp;&nbsp;&nbsp;&nbsp; source&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 
destination&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; \n\nChain FORWARD (policy ACCEPT 0 packets, 0 bytes)\n&nbsp;&nbsp;&nbsp;&nbsp;pkts&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;bytes target&nbsp;&nbsp;&nbsp;&nbsp; prot opt in&nbsp;&nbsp;&nbsp;&nbsp; out&nbsp;&nbsp;&nbsp;&nbsp; source&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; destination&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; \n\nChain OUTPUT (policy ACCEPT 0 packets, 0 bytes)\n&nbsp;&nbsp;&nbsp;&nbsp;pkts&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;bytes target&nbsp;&nbsp;&nbsp;&nbsp; prot opt in&nbsp;&nbsp;&nbsp;&nbsp; out&nbsp;&nbsp;&nbsp;&nbsp; source&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; destination&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; \n\nChain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)\n&nbsp;&nbsp;&nbsp;&nbsp;pkts&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;bytes target&nbsp;&nbsp;&nbsp;&nbsp; prot opt in&nbsp;&nbsp;&nbsp;&nbsp; out&nbsp;&nbsp;&nbsp;&nbsp; source&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; destination&nbsp;&nbsp;<\/code2><\/pre><\/pre>\n\n\n\n<p>There&#8217;s not even a DROP rule at all and all the policies are set to ACCEPT. iptables is definitely not dropping the connection. 
Even if there was a DROP rule, we would see the packet on tcpdump&#8230;so where&#8217;s the packet going?<\/p>\n\n\n\n<p>Let&#8217;s add an extra rule for both FORWARD and INPUT chains just to see if iptables can match these rules as the packets are passing by.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><pre><code2>[root@ip-172-31-45-100 ~]# iptables -I INPUT -p tcp --dport 9200\n[root@ip-172-31-45-100 ~]# iptables -I FORWARD -p tcp --dport 9200<\/code2><\/pre><\/pre>\n\n\n\n<p>wait for a while and then check the statistics of those 2 rules:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><pre><code2>[root@ip-172-31-45-100 ~]# iptables -nxvL | grep 9200\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;tcp&nbsp;&nbsp;--&nbsp;&nbsp;*&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;*&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0.0.0.0\/0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;0.0.0.0\/0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;tcp dpt:9200\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;tcp&nbsp;&nbsp;--&nbsp;&nbsp;*&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;*&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0.0.0.0\/0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;0.0.0.0\/0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;tcp dpt:9200<\/code2><\/pre><\/pre>\n\n\n\n<p>no packets match these 2 rules at all! 
Time to inspect the container and the docker bridge network.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><pre><code2>[root@ip-172-31-45-100 ~]# docker network inspect bridge\n[\n&nbsp;&nbsp;&nbsp;&nbsp;{\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;Name&quot;: &quot;bridge&quot;,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;Id&quot;: &quot;a6290df54ea24d14faa8d003d17802b3f8a4967680bc0c82c1211ab75d1815e2&quot;,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;Created&quot;: &quot;2020-05-31T09:40:19.81958733Z&quot;,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;Scope&quot;: &quot;local&quot;,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;Driver&quot;: &quot;bridge&quot;,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;EnableIPv6&quot;: false,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;IPAM&quot;: {\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;Driver&quot;: &quot;default&quot;,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;Options&quot;: null,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;Config&quot;: [\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;{\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;Subnet&quot;: &quot;172.17.0.0\/16&quot;\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;}\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;]\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;},\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;Internal&quot;: false,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;Attachable&quot;: false,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;Containers&quot;: {},\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;Options&quot;: 
{\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;com.docker.network.bridge.default_bridge&quot;: &quot;true&quot;,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;com.docker.network.bridge.enable_icc&quot;: &quot;true&quot;,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;com.docker.network.bridge.enable_ip_masquerade&quot;: &quot;true&quot;,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;com.docker.network.bridge.host_binding_ipv4&quot;: &quot;0.0.0.0&quot;,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;com.docker.network.bridge.name&quot;: &quot;docker0&quot;,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;com.docker.network.driver.mtu&quot;: &quot;1500&quot;\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;},\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;Labels&quot;: {}\n&nbsp;&nbsp;&nbsp;&nbsp;}\n]<\/code2><\/pre><\/pre>\n\n\n\n<p>pretty standard options for the bridge network, even `enable_icc` is set to `true`. 
What about the container though?<\/p>\n\n\n\n<pre class=\"wp-block-code\"><pre><code2>[root@ip-172-31-45-100 ~]# docker inspect kibana\n[\n&nbsp;&nbsp;&nbsp;&nbsp;{\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;Id&quot;: &quot;2f08cc190b760361d9aa2951b4c9c407561fe35b8dbdc003f3f535719456f460&quot;,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;Created&quot;: &quot;2020-05-31T10:24:11.942315341Z&quot;,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;Path&quot;: &quot;\/usr\/local\/bin\/dumb-init&quot;,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;Args&quot;: [\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;--&quot;,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;\/usr\/local\/bin\/kibana-docker&quot;\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;],\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;State&quot;: {\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;Status&quot;: &quot;running&quot;,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;Running&quot;: true,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;Paused&quot;: false,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;Restarting&quot;: false,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;OOMKilled&quot;: false,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;Dead&quot;: false,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;Pid&quot;: 3735,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;ExitCode&quot;: 0,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;Error&quot;: &quot;&quot;,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;StartedAt&quot;: 
&quot;2020-05-31T10:24:12.329214827Z&quot;,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;FinishedAt&quot;: &quot;0001-01-01T00:00:00Z&quot;\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;},\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;Image&quot;: &quot;sha256:eadc7b3d59dd47b1b56f280732f38d16a4b31947cbc758516adbe1df5472b407&quot;,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;ResolvConfPath&quot;: &quot;\/var\/lib\/docker\/containers\/2f08cc190b760361d9aa2951b4c9c407561fe35b8dbdc003f3f535719456f460\/resolv.conf&quot;,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;HostnamePath&quot;: &quot;\/var\/lib\/docker\/containers\/2f08cc190b760361d9aa2951b4c9c407561fe35b8dbdc003f3f535719456f460\/hostname&quot;,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;HostsPath&quot;: &quot;\/var\/lib\/docker\/containers\/2f08cc190b760361d9aa2951b4c9c407561fe35b8dbdc003f3f535719456f460\/hosts&quot;,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;LogPath&quot;: &quot;&quot;,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;Name&quot;: &quot;\/kibana&quot;,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;RestartCount&quot;: 0,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;Driver&quot;: &quot;overlay2&quot;,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;MountLabel&quot;: &quot;system_u:object_r:svirt_sandbox_file_t:s0:c434,c792&quot;,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;ProcessLabel&quot;: &quot;system_u:system_r:svirt_lxc_net_t:s0:c434,c792&quot;,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;AppArmorProfile&quot;: &quot;&quot;,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;ExecIDs&quot;: null,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;HostConfig&quot;: {\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;Binds&quot;: 
null,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;ContainerIDFile&quot;: &quot;&quot;,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;LogConfig&quot;: {\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;Type&quot;: &quot;journald&quot;,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;Config&quot;: {}\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;},\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;NetworkMode&quot;: &quot;bridge&quot;,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;PortBindings&quot;: {\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;5601\/tcp&quot;: [\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;{\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;HostIp&quot;: &quot;&quot;,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;HostPort&quot;: &quot;5601&quot;\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;}\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;]\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;},\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;RestartPolicy&quot;: {\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;Name&quot;: 
&quot;no&quot;,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;MaximumRetryCount&quot;: 0\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;},\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;AutoRemove&quot;: true,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;VolumeDriver&quot;: &quot;&quot;,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;VolumesFrom&quot;: null,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;CapAdd&quot;: null,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;CapDrop&quot;: null,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;Dns&quot;: [],\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;DnsOptions&quot;: [],\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;DnsSearch&quot;: [],\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;ExtraHosts&quot;: null,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;GroupAdd&quot;: null,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;IpcMode&quot;: &quot;&quot;,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;Cgroup&quot;: &quot;&quot;,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;Links&quot;: null,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;OomScoreAdj&quot;: 0,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;PidMode&quot;: &quot;&quot;,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;Privileged&quot;: false,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;PublishAllPorts&quot;: 
false,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;ReadonlyRootfs&quot;: false,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;SecurityOpt&quot;: null,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;UTSMode&quot;: &quot;&quot;,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;UsernsMode&quot;: &quot;&quot;,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;ShmSize&quot;: 67108864,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;Runtime&quot;: &quot;docker-runc&quot;,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;ConsoleSize&quot;: [\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;0,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;0\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;],\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;Isolation&quot;: &quot;&quot;,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;CpuShares&quot;: 0,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;Memory&quot;: 0,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;NanoCpus&quot;: 0,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;CgroupParent&quot;: &quot;&quot;,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;BlkioWeight&quot;: 0,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;BlkioWeightDevice&quot;: null,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;BlkioDeviceReadBps&quot;: null,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;BlkioDeviceWriteBps&quot;: 
null,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;BlkioDeviceReadIOps&quot;: null,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;BlkioDeviceWriteIOps&quot;: null,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;CpuPeriod&quot;: 0,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;CpuQuota&quot;: 0,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;CpuRealtimePeriod&quot;: 0,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;CpuRealtimeRuntime&quot;: 0,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;CpusetCpus&quot;: &quot;&quot;,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;CpusetMems&quot;: &quot;&quot;,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;Devices&quot;: [],\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;DiskQuota&quot;: 0,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;KernelMemory&quot;: 0,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;MemoryReservation&quot;: 0,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;MemorySwap&quot;: 0,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;MemorySwappiness&quot;: -1,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;OomKillDisable&quot;: false,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;PidsLimit&quot;: 0,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;Ulimits&quot;: null,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;CpuCount&quot;: 0,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;CpuPercent&quot;: 
0,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;IOMaximumIOps&quot;: 0,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;IOMaximumBandwidth&quot;: 0\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;},\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;GraphDriver&quot;: {\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;Name&quot;: &quot;overlay2&quot;,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;Data&quot;: {\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;LowerDir&quot;: &quot;\/var\/lib\/docker\/overlay2\/84217deb518fa6b50fb38aab03aa6a819150e0a248cf233bda8091b136c4825a-init\/diff:\/var\/lib\/docker\/overlay2\/bfda0aa2ec51f7047b5694e5daf89735f3021691e6154bc370827c168c4572f0\/diff:\/var\/lib\/docker\/overlay2\/5d32d74a3bb95b8e3377b1c115622f12a817a591936c4ae2da4512bc2e281e4b\/diff:\/var\/lib\/docker\/overlay2\/6482e711a89a90bebd61834aa8bd3463f567684dd3cdbbf2698179b752fdad7b\/diff:\/var\/lib\/docker\/overlay2\/4ae81e6a07956c974d985674c35e113ad3fbd9f4fdde43f4752c0e36a1153e69\/diff:\/var\/lib\/docker\/overlay2\/8330cdd839ec316133d659805f2839d1e65b16fbf7035324f419c2aa8d097925\/diff:\/var\/lib\/docker\/overlay2\/cd377c8c6fb23d050771d55ca15253cc9fa5043c7e49f41a2f73acd25f8e7ca9\/diff:\/var\/lib\/docker\/overlay2\/408c72d7e496be76503bbb01d5248c25be98e2290d71cae83d8d5d09d714f81d\/diff:\/var\/lib\/docker\/overlay2\/20068d51c4dd214db7b2b9d30fe13feb2e8ab35de646c9b652fea255476d396b\/diff:\/var\/lib\/docker\/overlay2\/0fdedfd6dbb551d32a9e826188a74936d0cec56e97c1b917fdd04b0e49a59a70\/diff:\/var\/lib\/docker\/overlay2\/0238ff31fbd60fdeaee1e162c92a1aa46735ec7b17df3b11455c09f18657c30f\/diff:\/var\/lib\/docker\/overlay2\/99a7a64a569e5e524e4139f9cf95bd929744c85c1633bcd8173c9172756c3233\/diff&quot;,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;M
ergedDir&quot;: &quot;\/var\/lib\/docker\/overlay2\/84217deb518fa6b50fb38aab03aa6a819150e0a248cf233bda8091b136c4825a\/merged&quot;,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;UpperDir&quot;: &quot;\/var\/lib\/docker\/overlay2\/84217deb518fa6b50fb38aab03aa6a819150e0a248cf233bda8091b136c4825a\/diff&quot;,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;WorkDir&quot;: &quot;\/var\/lib\/docker\/overlay2\/84217deb518fa6b50fb38aab03aa6a819150e0a248cf233bda8091b136c4825a\/work&quot;\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;}\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;},\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;Mounts&quot;: [],\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;Config&quot;: {\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;Hostname&quot;: &quot;2f08cc190b76&quot;,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;Domainname&quot;: &quot;&quot;,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;User&quot;: &quot;kibana&quot;,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;AttachStdin&quot;: false,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;AttachStdout&quot;: true,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;AttachStderr&quot;: true,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;ExposedPorts&quot;: {\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;5601\/tcp&quot;: {}\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;},\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;Tty&quot;: 
false,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;OpenStdin&quot;: false,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;StdinOnce&quot;: false,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;Env&quot;: [\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;ELASTICSEARCH_HOSTS=http:\/\/172.31.45.100:9200&quot;,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;PATH=\/usr\/share\/kibana\/bin:\/usr\/local\/sbin:\/usr\/local\/bin:\/usr\/sbin:\/usr\/bin:\/sbin:\/bin&quot;,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;ELASTIC_CONTAINER=true&quot;\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;],\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;Cmd&quot;: [\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;\/usr\/local\/bin\/kibana-docker&quot;\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;],\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;Image&quot;: &quot;docker.elastic.co\/kibana\/kibana:7.7.0&quot;,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;Volumes&quot;: null,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;WorkingDir&quot;: &quot;\/usr\/share\/kibana&quot;,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;Entrypoint&quot;: 
[\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;\/usr\/local\/bin\/dumb-init&quot;,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;--&quot;\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;],\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;OnBuild&quot;: null,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;Labels&quot;: {\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;license&quot;: &quot;Elastic License&quot;,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;org.label-schema.build-date&quot;: &quot;2020-05-12T03:25:49.654Z&quot;,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;org.label-schema.license&quot;: &quot;Elastic License&quot;,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;org.label-schema.name&quot;: &quot;kibana&quot;,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;org.label-schema.schema-version&quot;: &quot;1.0&quot;,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;org.label-schema.url&quot;: &quot;https:\/\/www.elastic.co\/products\/kibana&quot;,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;org.label-schema.usage&quot;: &quot;https:\/\/www.elastic.co\/guide\/en\/kibana\/index.html&quot;,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;org.label-schema.vcs-url&quot;: 
&quot;https:\/\/github.com\/elastic\/kibana&quot;,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;org.label-schema.vendor&quot;: &quot;Elastic&quot;,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;org.label-schema.version&quot;: &quot;7.7.0&quot;,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;org.opencontainers.image.created&quot;: &quot;2020-05-04 00:00:00+01:00&quot;,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;org.opencontainers.image.licenses&quot;: &quot;GPL-2.0-only&quot;,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;org.opencontainers.image.title&quot;: &quot;CentOS Base Image&quot;,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;org.opencontainers.image.vendor&quot;: &quot;CentOS&quot;\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;}\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;},\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;NetworkSettings&quot;: {\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;Bridge&quot;: &quot;&quot;,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;SandboxID&quot;: &quot;258a4a11f55f7425b837c7d5c0420dd344add081be79da7e33c146501dd8f0ec&quot;,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;HairpinMode&quot;: false,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;LinkLocalIPv6Address&quot;: &quot;&quot;,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;LinkLocalIPv6PrefixLen&quot;: 0,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;Ports&quot;: 
{\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;5601\/tcp&quot;: [\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;{\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;HostIp&quot;: &quot;0.0.0.0&quot;,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;HostPort&quot;: &quot;5601&quot;\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;}\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;]\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;},\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;SandboxKey&quot;: &quot;\/var\/run\/docker\/netns\/258a4a11f55f&quot;,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;SecondaryIPAddresses&quot;: null,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;SecondaryIPv6Addresses&quot;: null,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;EndpointID&quot;: &quot;7126885dddf9ff031f2ff8c3b2cbd14708391dae619020bdb40efe7a849a01c7&quot;,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;Gateway&quot;: &quot;172.17.0.1&quot;,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;GlobalIPv6Address&quot;: &quot;&quot;,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;GlobalIPv6PrefixLen&quot;: 0,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;IPAddress&quot;: 
&quot;172.17.0.2&quot;,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;IPPrefixLen&quot;: 16,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;IPv6Gateway&quot;: &quot;&quot;,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;MacAddress&quot;: &quot;02:42:ac:11:00:02&quot;,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;Networks&quot;: {\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;bridge&quot;: {\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;IPAMConfig&quot;: null,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;Links&quot;: null,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;Aliases&quot;: null,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;NetworkID&quot;: &quot;a6290df54ea24d14faa8d003d17802b3f8a4967680bc0c82c1211ab75d1815e2&quot;,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;EndpointID&quot;: &quot;7126885dddf9ff031f2ff8c3b2cbd14708391dae619020bdb40efe7a849a01c7&quot;,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;Gateway&quot;: &quot;172.17.0.1&quot;,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;IPAddress&quot;: &quot;172.17.0.2&quot;,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;IPPrefixLen&quot;: 
16,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;IPv6Gateway&quot;: &quot;&quot;,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;GlobalIPv6Address&quot;: &quot;&quot;,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;GlobalIPv6PrefixLen&quot;: 0,\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;MacAddress&quot;: &quot;02:42:ac:11:00:02&quot;\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;}\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;}\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;}\n&nbsp;&nbsp;&nbsp;&nbsp;}\n]<\/code2><\/pre><\/pre>\n\n\n\n<p>all looks very normal regarding the docker container. Let&#8217;s check sysctl settings in \/etc<\/p>\n\n\n\n<pre class=\"wp-block-code\"><pre><code2>[root@ip-172-31-45-100 ~]# ls -Fla \/etc\/sysctl.d\/\ntotal 12\ndrwxr-xr-x.&nbsp;&nbsp;2 root root&nbsp;&nbsp; 28 May 31 09:34 .\/\ndrwxr-xr-x. 84 root root 8192 May 31 10:15 ..\/\nlrwxrwxrwx.&nbsp;&nbsp;1 root root&nbsp;&nbsp; 14 May 31 09:34 99-sysctl.conf -&gt; ..\/sysctl.conf\n\n[root@ip-172-31-45-100 ~]# cat \/etc\/sysctl.d\/99-sysctl.conf \n\n# sysctl settings are defined through files in\n# \/usr\/lib\/sysctl.d\/, \/run\/sysctl.d\/, and \/etc\/sysctl.d\/.\n#\n# Vendors settings live in \/usr\/lib\/sysctl.d\/.\n# To override a whole file, create a new file with the same in\n# \/etc\/sysctl.d\/ and put new settings there. To override\n# only specific settings, add a file with a lexically later\n# name in \/etc\/sysctl.d\/ and put new settings there.\n#\n# For more information, see sysctl.conf(5) and sysctl.d(5).<\/code2><\/pre><\/pre>\n\n\n\n<p>nothing interesting here as well. 
What if someone has messed up ip forwarding via other means though ?<\/p>\n\n\n\n<pre class=\"wp-block-code\"><pre><code2>[root@ip-172-31-45-100 ~]# sysctl -a 2&gt;\/dev\/null| grep forward | grep -v ipv6\nnet.ipv4.conf.all.forwarding = 1\nnet.ipv4.conf.all.mc_forwarding = 0\nnet.ipv4.conf.default.forwarding = 1\nnet.ipv4.conf.default.mc_forwarding = 0\nnet.ipv4.conf.docker0.forwarding = 1\nnet.ipv4.conf.docker0.mc_forwarding = 0\nnet.ipv4.conf.ens5.forwarding = 1\nnet.ipv4.conf.ens5.mc_forwarding = 0\nnet.ipv4.conf.lo.forwarding = 1\nnet.ipv4.conf.lo.mc_forwarding = 0\nnet.ipv4.ip_forward = 1\nnet.ipv4.ip_forward_use_pmtu = 0<\/code2><\/pre><\/pre>\n\n\n\n<p>all looks fine here too. Let&#8217;s check some more sysctl settings regarding bridge + iptables<\/p>\n\n\n\n<pre class=\"wp-block-code\"><pre><code2>[root@ip-172-31-45-100 ~]# sysctl -a 2&gt;\/dev\/null| grep bridge\nnet.bridge.bridge-nf-call-arptables = 1\nnet.bridge.bridge-nf-call-ip6tables = 1\nnet.bridge.bridge-nf-call-iptables = 1\nnet.bridge.bridge-nf-filter-pppoe-tagged = 0\nnet.bridge.bridge-nf-filter-vlan-tagged = 0\nnet.bridge.bridge-nf-pass-vlan-input-dev = 0<\/code2><\/pre><\/pre>\n\n\n\n<p>everything still looks fine in these configuration settings, but the packets from the container still can&#8217;t reach the host.<br \/>Next step is to set up a netcat listening service on the host on a different port and try to connect to it from the container. That still doesn&#8217;t work, and no packets are seen on ens5.<br \/>Could it be ebtables ? No..no way..but what if&#8230;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><pre><code2>[root@ip-172-31-45-100 ~]# ebtables -L\nBridge table: filter\nBridge chain: INPUT, entries: 0, policy: ACCEPT\nBridge chain: FORWARD, entries: 0, policy: ACCEPT\nBridge chain: OUTPUT, entries: 0, policy: ACCEPT<\/code2><\/pre><\/pre>\n\n\n\n<p>still nothing interesting. Could it be a kernel bug ? 
Is this some custom kernel ?<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code2>[root@ip-172-31-45-100 ~]# uname -a\nLinux ip-172-31-45-100.eu-central-1.compute.internal 3.10.0-1062.12.1.el7.x86_64 #1 SMP Tue Feb 4 23:02:59 UTC 2020 x86_64 x86_64 x86_64 GNU\/Linux<\/code2><\/pre>\n\n\n\n<p>nope&#8230;that&#8217;s a vanilla CentOS 7 kernel. Could it be nftables ? On a 3.10 kernel and CentOS 7 ?<\/p>\n\n\n\n<pre class=\"wp-block-code\"><pre><code2>[root@ip-172-31-45-100 ~]# nft list tables\n-bash: nft: command not found<\/code2><\/pre><\/pre>\n\n\n\n<p>Nobody uses nftables yet, right ? Another wild thought, are there any ip rules defined ?<\/p>\n\n\n\n<pre class=\"wp-block-code\"><pre><code2>[root@ip-172-31-45-100 ~]# ip rule ls\n0:&nbsp;&nbsp;&nbsp;&nbsp;from all lookup local \n100:&nbsp;&nbsp;&nbsp;&nbsp;from 172.31.45.100 lookup 1 \n32766:&nbsp;&nbsp;&nbsp;&nbsp;from all lookup main \n32767:&nbsp;&nbsp;&nbsp;&nbsp;from all lookup default <\/code2><\/pre><\/pre>\n\n\n\n<p>bingo, there&#8217;s a rule with priority 100 that matches the host&#8217;s IP address! What is this ip rule doing there ? Let&#8217;s check <code>routing table 1<\/code>, which the lookup of rule 100 points to<\/p>\n\n\n\n<pre class=\"wp-block-code\"><pre><code2>[root@ip-172-31-45-100 ~]# ip route ls table 1\ndefault via 172.31.32.1 dev ens5 \n172.31.32.0\/20 dev ens5 scope link <\/code2><\/pre><\/pre>\n\n\n\n<p>at last, here&#8217;s the answer!<\/p>\n\n\n\n<p>There&#8217;s an IP rule entry that says that packets whose source IP is the address of the ens5 interface (172.31.45.100) should look up routing entries only in <code>routing table 1<\/code>, which is not the main routing table. That routing table knows nothing about the docker network (172.17.0.0\/16), so any packet the host sends from 172.31.45.100 to a container matches that table&#8217;s default route and heads out of ens5 instead of docker0. 
Let&#8217;s delete the rule from the host<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code2>[root@ip-172-31-45-100 ~]# ip rule del from 172.31.45.100\/32 tab 1 priority 100<\/code2><\/pre>\n\n\n\n<p>and check if the container can contact the service now<\/p>\n\n\n\n<pre class=\"wp-block-code\"><pre><code2>(container) bash-4.2$ curl 172.31.45.100:9200\n{\n&nbsp;&nbsp;&quot;name&quot; : &quot;node1&quot;,\n&nbsp;&nbsp;&quot;cluster_name&quot; : &quot;centos7&quot;,\n&nbsp;&nbsp;&quot;cluster_uuid&quot; : &quot;d6fBSua6Q9OvSu534roTpA&quot;,\n&nbsp;&nbsp;&quot;version&quot; : {\n&nbsp;&nbsp;&nbsp;&nbsp;&quot;number&quot; : &quot;7.7.0&quot;,\n&nbsp;&nbsp;&nbsp;&nbsp;&quot;build_flavor&quot; : &quot;default&quot;,\n&nbsp;&nbsp;&nbsp;&nbsp;&quot;build_type&quot; : &quot;rpm&quot;,\n&nbsp;&nbsp;&nbsp;&nbsp;&quot;build_hash&quot; : &quot;81a1e9eda8e6183f5237786246f6dced26a10eaf&quot;,\n&nbsp;&nbsp;&nbsp;&nbsp;&quot;build_date&quot; : &quot;2020-05-12T02:01:37.602180Z&quot;,\n&nbsp;&nbsp;&nbsp;&nbsp;&quot;build_snapshot&quot; : false,\n&nbsp;&nbsp;&nbsp;&nbsp;&quot;lucene_version&quot; : &quot;8.5.1&quot;,\n&nbsp;&nbsp;&nbsp;&nbsp;&quot;minimum_wire_compatibility_version&quot; : &quot;6.8.0&quot;,\n&nbsp;&nbsp;&nbsp;&nbsp;&quot;minimum_index_compatibility_version&quot; : &quot;6.0.0-beta1&quot;\n&nbsp;&nbsp;},\n&nbsp;&nbsp;&quot;tagline&quot; : &quot;You Know, for Search&quot;\n}<\/code2><\/pre><\/pre>\n\n\n\n<p>Success!<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Where&#8217;s the SYN+ACK ?<\/h3>\n\n\n\n<p>Does the SYN packet reach the listening service ? No&#8230;and the reason is <code>rp_filter<\/code>. CentOS 7 sets <code>net.ipv4.conf.default.rp_filter=1<\/code>, so when the <code>docker0<\/code> interface gets created it is set to <code>net.ipv4.conf.docker0.rp_filter=1<\/code>. 
<\/p>\n\n\n\n<p>Here&#8217;s what <code>rp_filter<\/code> values <a href=\"https:\/\/www.kernel.org\/doc\/Documentation\/networking\/ip-sysctl.txt\" target=\"_blank\" rel=\"noreferrer noopener\">mean according to kernel documentation<\/a>:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>0 &#8211; No source validation.<\/li><li>1 &#8211; Strict mode as defined in RFC3704 Strict Reverse Path. Each incoming packet is tested against the FIB and if the interface is not the best reverse path the packet check will fail. By default failed packets are discarded.<\/li><li>2 &#8211; Loose mode as defined in RFC3704 Loose Reverse Path. Each incoming packet&#8217;s source address is also tested against the FIB and if the source address is not reachable via any interface the packet check will fail.<\/li><\/ul>\n\n\n\n<p>After restoring the deleted ip rule via <code>ip rule add from 172.31.45.100\/32 tab 1 priority 100<\/code> and setting <code>sysctl -w net.ipv4.conf.docker0.rp_filter=0<\/code> we can see the SYN+ACK packet going out of the <code>ens5<\/code> interface towards the default gateway.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><pre><code2>[root@ip-172-31-45-100 ~]# tcpdump -enni ens5 port 9200\ntcpdump: verbose output suppressed, use -v or -vv for full protocol decode\nlistening on ens5, link-type EN10MB (Ethernet), capture size 262144 bytes\n15:44:19.028353 06:ce:3b:94:fe:ac &gt; 06:1b:e5:19:30:12, ethertype IPv4 (0x0800), length 74: 172.31.45.100.9200 &gt; 172.17.0.2.47460: Flags [S.], seq 1431574088, ack 1879007024, win 26847, options [mss 8961,sackOK,TS val 22063599 ecr 22063599,nop,wscale 7], length 0\n15:44:20.029163 06:ce:3b:94:fe:ac &gt; 06:1b:e5:19:30:12, ethertype IPv4 (0x0800), length 74: 172.31.45.100.9200 &gt; 172.17.0.2.47460: Flags [S.], seq 1431574088, ack 1879007024, win 26847, options [mss 8961,sackOK,TS val 22064600 ecr 22063599,nop,wscale 7], length 0\n15:44:21.229126 06:ce:3b:94:fe:ac &gt; 06:1b:e5:19:30:12, ethertype IPv4 (0x0800), length 74: 
172.31.45.100.9200 &gt; 172.17.0.2.47460: Flags [S.], seq 1431574088, ack 1879007024, win 26847, options [mss 8961,sackOK,TS val 22065800 ecr 22063599,nop,wscale 7], length 0<\/code2><\/pre><\/pre>\n\n\n\n<p>Finding such discarded packets, called martians, in the logs can be done by enabling <code>log_martians<\/code> via <code>sysctl -w net.ipv4.conf.all.log_martians=1<\/code>. Example syslog message:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><pre><code2>May 31 16:01:08 ip-172-31-45-100 kernel: IPv4: martian source 172.31.45.100 from 172.17.0.2, on dev docker018\nMay 31 16:01:08 ip-172-31-45-100 kernel: ll header: 00000000: 02 42 e9 38 3d a8 02 42 ac 11 00 02 08 00 .B.8=..B......<\/code2><\/pre><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">But why ?<\/h3>\n\n\n\n<p>Why was the rule there in the original case ? Multihoming was tried, it didn&#8217;t work as expected and not all the configs were removed. Grep-ing \/etc for the host&#8217;s IP found the following file:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">\/etc\/sysconfig\/network-scripts\/rule-ens5:from 172.31.45.100\/32 tab 1 priority 100<\/pre>\n\n\n\n<p>In multihoming it&#8217;s common that packets reaching a host on interface X should also be replied back from interface X. <a href=\"https:\/\/serverfault.com\/a\/736047\" target=\"_blank\" rel=\"noreferrer noopener\">Part of a method to achieve this is to assign each interface its own routing table<\/a>.<\/p>\n\n\n\n<p>So when asked to troubleshoot networking issues act like <a href=\"https:\/\/en.wikipedia.org\/wiki\/House_(TV_series)\" target=\"_blank\" rel=\"noreferrer noopener\">Dr. House<\/a> would, assume the worst.<\/p>\n\n\n\n<p>P.S. thanks to <a href=\"https:\/\/twitter.com\/hwoarang_\" target=\"_blank\" rel=\"noreferrer noopener\">Markos<\/a> for the comments on improving the blogpost<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Intro The following story is inspired by a recent case I had to troubleshoot at work. 
I think it is a nice example of troubleshooting Linux networking issues, so I&#8217;ve modified\/simplified the setup a bit to be able to reproduce it on a VM. I&#8217;ll go through the troubleshooting steps in almost the same way [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"ep_exclude_from_search":false,"footnotes":""},"categories":[5,3,8],"tags":[633,634,328,595,599,635],"class_list":["post-2202","post","type-post","status-publish","format-standard","hentry","category-internet","category-linux","category-networking","tag-container","tag-docker","tag-iptables","tag-linux","tag-networking","tag-troubleshooting"],"aioseo_notices":[],"views":8016,"_links":{"self":[{"href":"https:\/\/www.void.gr\/kargig\/blog\/wp-json\/wp\/v2\/posts\/2202","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.void.gr\/kargig\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.void.gr\/kargig\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.void.gr\/kargig\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.void.gr\/kargig\/blog\/wp-json\/wp\/v2\/comments?post=2202"}],"version-history":[{"count":37,"href":"https:\/\/www.void.gr\/kargig\/blog\/wp-json\/wp\/v2\/posts\/2202\/revisions"}],"predecessor-version":[{"id":2242,"href":"https:\/\/www.void.gr\/kargig\/blog\/wp-json\/wp\/v2\/posts\/2202\/revisions\/2242"}],"wp:attachment":[{"href":"https:\/\/www.void.gr\/kargig\/blog\/wp-json\/wp\/v2\/media?parent=2202"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.void.gr\/kargig\/blog\/wp-json\/wp\/v2\/categories?post=2202"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.void.gr\/kargig\/blog\/wp-json\/wp\/v2\/tags?post=2202"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}