Finding out the veth# interface of a docker container

Question

I have hundreds of containers in various software virtual switches. I would like to know if its possible to find out which vnet# belongs to which docker container. Right now, I am detecting that by watching syslog as each container gets created. In KVM, there is a command "virsh domiflist ", which is exactly what i'm looking for.

NZD · Accepted Answer · 2017-03-07T00:27:18.960

24

The iflink of the container is the same as the ifindex of the veth#.

You can get the iflink of the container as follows:

docker exec -it <container-name> bash -c 'cat /sys/class/net/eth0/iflink'

Say, that results in 12, then grep for that:

grep -l 12 /sys/class/net/veth*/ifindex

That will give a unique result, on my system:

/sys/class/net/veth11d4238/ifindex

Combine that in a script:

#!/bin/bash

for container in $(docker ps -q); do
    iflink=`docker exec -it $container bash -c 'cat /sys/class/net/eth0/iflink'`
    iflink=`echo $iflink|tr -d '\r'`
    veth=`grep -l $iflink /sys/class/net/veth*/ifindex`
    veth=`echo $veth|sed -e 's;^.*net/\(.*\)/ifindex$;\1;'`
    echo $container:$veth
done

The script was written to be easy to follow.

Sample run:

$ docker ps -q
c4d8096eff43
34ac6e9f1e6e
d5a2aa5f3de3

$ sudo ./vethfinder
c4d8096eff43:veth11d4238
34ac6e9f1e6e:veth7d52cd1
d5a2aa5f3de3:vethe46073d

Reference: https://forums.docker.com/t/relationship-between-interface-vethxxxxx-and-container/12872/20

edited Mar 07 '17 at 00:27

answered Feb 28 '17 at 07:03

NZD

2,630

Thank you, but it for some reason doesn't always work. I have 50 containers, and the script above would return 1 or 2 blanks. When I look at the iflink value for both containers, they are not +1 from the value obtained from inside the container. – user2066671 Mar 02 '17 at 06:20
This is a guess: It could be a timing issue. If containers are created too quickly after each other, then assigning the iflink values might get out of sync. The system might assign two consecutive iflink values to two containers, instead of alternating between the container and the system. – NZD Mar 03 '17 at 00:37
This is interesting, I create and run the containers in a for loop, the last container iflink is always very different. For example, the iflink from /sys/class/net/veth###/iflink returns 4205, but the container's /sys/class/eth0/iflink shows 4216 – user2066671 Mar 04 '17 at 00:27
Beats me. I tried a few things: starting a bunch of containers, verified that iflink lines up nicely. Stopped a few containers and created a few new ones, verified that iflink still lines up nicely. I got 115 containers running and my highest iflink was 244. How do you get to 4216? – NZD Mar 05 '17 at 05:39
I also checked the post I got the information from. It states: "This can be found out by matching a container interface's iflink value with a host veth interface's ifindex value". My script uses iflink for both. Maybe try 'ifindex' for 'veth' ? – NZD Mar 05 '17 at 05:51
I'll try that. I think iflink goes up continuously as the docker daemon is running. So if you run container creation/deletion in a loop, the iflink just goes up continously – user2066671 Mar 06 '17 at 07:55
you are right, checking against veth/ifindex is a match to containers eth0/iflink. So the relationship is 1 to 1 and the increment to the container's /sys/class/net/eth0/iflink is not required at all – user2066671 Mar 06 '17 at 19:59
That's great! Sorry about me misreading the post in the docker forum. I tested it on my docker box and I've updated the post. – NZD Mar 06 '17 at 20:14
No, thank you! You have no idea how helpful your answer has been. Now I can launch as many containers as possible without waiting for veth detection! – user2066671 Mar 06 '17 at 21:46
1

Since many containers don't have a bash-shell ready, I've changed bash to sh in the first line of the for loop. Now it reads: iflink=docker exec -it $container sh -c 'cat /sys/class/net/eth0/iflink' This works fine in all my containers. – MadMike Jan 15 '18 at 15:03
I can't seem to run this code. When I put it into docker-vethfinder.sh, make it an executable and sudo sh docker-vethfinder.sh I get "docker-vethfinder.sh: 2: Syntax error: word unexpected (expecting "do")" – Grumpy ol' Bear Jul 13 '22 at 18:11
@Grumpyol'Bear Are you sure you copied the commands correctly? There's nothing on line 2 of the script. It should work equally well with bash and with sh. – NZD Jul 15 '22 at 04:57

score 3 · Answer 2 · answered May 21 '18 at 10:20

searches for all interfaces in containers.

#!/bin/bash

for container in $(docker ps --format '{{.Names}}'); do
    iflink=`docker exec -it $container bash -c 'cat /sys/class/net/eth*/iflink'`
    for net in $iflink;do
        net=`echo $net|tr -d '\r'`
        veth=`grep -l $net /sys/class/net/veth*/ifindex`
        veth=`echo $veth|sed -e 's;^.*net/\(.*\)/ifindex$;\1;'`
        echo $container:$veth
    done
done

score 2 · Answer 3 · answered Apr 19 '18 at 09:07

I am using a different method, which seem to work just fine:

[root@kh1 ~]# docker inspect 6d48e279c5b8 --format '{{.State.Pid}}'                                                                                                                                                                                                              
56316
[root@kh1 ~]# 
[root@kh1 ~]# ip netns identify 56316
ns-56316
[root@kh1 ~]# 
[root@kh1 ~]# ip netns list | grep ns-56316
ns-56316 (id: 6)
[root@kh1 ~]# 
[root@kh1 ~]# ip link show | grep -B1 "link-netnsid 6"
330: veth1ce76e2b@if3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master cni0 state UP mode DEFAULT group default 
    link/ether de:f8:ce:a2:85:f9 brd ff:ff:ff:ff:ff:ff link-netnsid 6

I have created a tool that does the steps above automatically. You can download the linux x86_64 binary from here — mhristache, May 29 '18 at 11:36

Johannes Di · Answer 4 · 2021-12-16T13:26:27.813

0

Have a look here: https://stackoverflow.com/questions/37860936/find-out-which-network-interface-belongs-to-docker-container

There are examples of how one can fetch veth names for running docker containers without root access.

An example shell script can be found here: https://github.com/dicho-usp/dockerveth

#!/bin/bash
NAME=$1
PID=$(docker inspect $NAME --format "{{.State.Pid}}")
while read iface id; do
    [[ "$iface" == lo ]] && continue
    veth=$(ip -br addr | sed -nre "s/(veth.)@if$id./\1/p")
    echo -e "$NAME\t$iface\t$veth"
done < <(</proc/$PID/net/igmp awk '/^[0-9]+/{print $2 " " $1;}')

edited Dec 16 '21 at 13:26

answered Dec 16 '21 at 13:17

Johannes Di

101

2

Your answer could be improved with additional supporting information. Please [edit] to add further details, such as citations or documentation, so that others can confirm that your answer is correct. You can find more information on how to write good answers in the help center. – Community Dec 16 '21 at 13:18

Finding out the veth# interface of a docker container

4 Answers4