Docker creating "hidden" networks

dude1589 · October 24, 2022, 9:51pm

Hi
Somehow I found out I have docker-pr process listening to ports on my host machine while no containers are running and no networks exist excep default networks.

> sudo lsof -i -P -n -f | grep LISTEN
systemd-r  833 systemd-resolve   14u  IPv4  27764      0t0  TCP 127.0.0.53:53 (LISTEN)
sshd       940            root    3u  IPv4  28720      0t0  TCP *:22 (LISTEN)
sshd       940            root    4u  IPv6  28731      0t0  TCP *:22 (LISTEN)
docker-pr 1337            root    4u  IPv4  27282      0t0  TCP *:3006 (LISTEN)
docker-pr 1345            root    4u  IPv6  28012      0t0  TCP *:3006 (LISTEN)
docker-pr 1371            root    4u  IPv4  28041      0t0  TCP *:3080 (LISTEN)
docker-pr 1379            root    4u  IPv6  28044      0t0  TCP *:3080 (LISTEN)
docker-pr 1406            root    4u  IPv4  28067      0t0  TCP *:443 (LISTEN)
docker-pr 1413            root    4u  IPv6  30776      0t0  TCP *:443 (LISTEN)
docker-pr 1426            root    4u  IPv4  30788      0t0  TCP *:80 (LISTEN)
docker-pr 1433            root    4u  IPv6  29896      0t0  TCP *:80 (LISTEN)
docker-pr 1480            root    4u  IPv4  26577      0t0  TCP *:3016 (LISTEN)
docker-pr 1487            root    4u  IPv6  27364      0t0  TCP *:3016 (LISTEN)
docker-pr 1504            root    4u  IPv4  30857      0t0  TCP *:3017 (LISTEN)
docker-pr 1511            root    4u  IPv6  29182      0t0  TCP *:3017 (LISTEN)
docker-pr 1603            root    4u  IPv4  30045      0t0  TCP *:8080 (LISTEN)
docker-pr 1611            root    4u  IPv6  26608      0t0  TCP *:8080 (LISTEN)
node      3290           user 18u  IPv4  37222      0t0  TCP 127.0.0.1:43779 (LISTEN)
docker-pr 9538            root    4u  IPv4  59563      0t0  TCP *:222 (LISTEN)
docker-pr 9545            root    4u  IPv6  58696      0t0  TCP *:222 (LISTEN)
> docker ps
CONTAINER ID   IMAGE     COMMAND   CREATED   STATUS    PORTS     NAMES
> docker network ls
NETWORK ID     NAME      DRIVER    SCOPE
cbe2f3df6094   bridge    bridge    local
7838b0590a9b   host      host      local
6dbea9ae09ea   none      null      local

I tried restarting the docker service. no luck.

I tried reinstalling docker using this:
https://docs.docker.com/engine/install/ubuntu/#install-using-the-repository

after reinstall the list of ports only contained 22 for ssh.
but when I performed a reboot everything came back.

When trying to figure out what or who is running these processes I found:

> ps aux | grep docker
root         862  0.4  0.2 1642776 78632 ?       Ssl  21:26   0:02 dockerd --group docker --exec-root=/run/snap.docker --data-root=/var/snap/docker/common/var-lib-docker --pidfile=/run/snap.docker/docker.pid --config-file=/var/snap/docker/2285/config/daemon.json
root        1075  0.5  0.2 2480720 80796 ?       Ssl  21:26   0:03 /usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock
root        1337  0.0  0.0 1074996 2984 ?        Sl   21:26   0:00 /usr/bin/docker-proxy -proto tcp -host-ip 0.0.0.0 -host-port 3006 -container-ip 172.24.0.2 -container-port 8443
root        1345  0.0  0.0 1148728 3224 ?        Sl   21:26   0:00 /usr/bin/docker-proxy -proto tcp -host-ip :: -host-port 3006 -container-ip 172.24.0.2 -container-port 8443
root        1371  0.0  0.0 1296448 3268 ?        Sl   21:26   0:00 /usr/bin/docker-proxy -proto tcp -host-ip 0.0.0.0 -host-port 3080 -container-ip 172.23.0.3 -container-port 80
root        1379  0.0  0.0 1074996 3224 ?        Sl   21:26   0:00 /usr/bin/docker-proxy -proto tcp -host-ip :: -host-port 3080 -container-ip 172.23.0.3 -container-port 80
root        1406  0.0  0.0 1148728 3184 ?        Sl   21:26   0:00 /usr/bin/docker-proxy -proto tcp -host-ip 0.0.0.0 -host-port 443 -container-ip 172.24.0.3 -container-port 443
root        1413  0.0  0.0 1148472 3184 ?        Sl   21:26   0:00 /usr/bin/docker-proxy -proto tcp -host-ip :: -host-port 443 -container-ip 172.24.0.3 -container-port 443
root        1426  0.0  0.0 1148472 3072 ?        Sl   21:26   0:00 /usr/bin/docker-proxy -proto tcp -host-ip 0.0.0.0 -host-port 80 -container-ip 172.24.0.3 -container-port 80
root        1433  0.0  0.0 1074996 3004 ?        Sl   21:26   0:00 /usr/bin/docker-proxy -proto tcp -host-ip :: -host-port 80 -container-ip 172.24.0.3 -container-port 80
root        1480  0.0  0.0 1148472 3132 ?        Sl   21:26   0:00 /usr/bin/docker-proxy -proto tcp -host-ip 0.0.0.0 -host-port 3016 -container-ip 172.23.0.4 -container-port 8080
root        1487  0.0  0.0 1148728 3240 ?        Sl   21:26   0:00 /usr/bin/docker-proxy -proto tcp -host-ip :: -host-port 3016 -container-ip 172.23.0.4 -container-port 8080
root        1504  0.0  0.0 1148728 3152 ?        Sl   21:26   0:00 /usr/bin/docker-proxy -proto tcp -host-ip 0.0.0.0 -host-port 3017 -container-ip 172.23.0.5 -container-port 8080
root        1511  0.0  0.0 1074740 3076 ?        Sl   21:26   0:00 /usr/bin/docker-proxy -proto tcp -host-ip :: -host-port 3017 -container-ip 172.23.0.5 -container-port 8080
root        1603  0.0  0.0 1222460 3276 ?        Sl   21:26   0:00 /usr/bin/docker-proxy -proto tcp -host-ip 0.0.0.0 -host-port 8080 -container-ip 172.24.0.6 -container-port 80
root        1611  0.0  0.0 1074740 3160 ?        Sl   21:26   0:00 /usr/bin/docker-proxy -proto tcp -host-ip :: -host-port 8080 -container-ip 172.24.0.6 -container-port 80
root        3354  0.2  0.1 1509380 52092 ?       Ssl  21:26   0:01 containerd --config /run/snap.docker/containerd/containerd.toml --log-level error
root        9538  0.0  0.0 1148472 3144 ?        Sl   21:35   0:00 /usr/bin/docker-proxy -proto tcp -host-ip 0.0.0.0 -host-port 222 -container-ip 172.24.0.4 -container-port 22
root        9545  0.0  0.0 1222204 3012 ?        Sl   21:35   0:00 /usr/bin/docker-proxy -proto tcp -host-ip :: -host-port 222 -container-ip 172.24.0.4 -container-port 22

ip add show output:

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 18:c0:4d:7a:3c:49 brd ff:ff:ff:ff:ff:ff
    altname enp0s31f6
    inet 192.168.1.27/24 metric 100 brd 192.168.1.255 scope global dynamic eno1
       valid_lft 2791sec preferred_lft 2791sec
    inet6 ---------/64 scope global dynamic mngtmpaddr noprefixroute 
       valid_lft 760789sec preferred_lft 302983sec
    inet6 ---------/64 scope link 
       valid_lft forever preferred_lft forever
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default 
    link/ether 02:42:d2:4a:9f:c5 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
4: br-8ac03a825197: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
    link/ether 02:42:8e:0d:24:88 brd ff:ff:ff:ff:ff:ff
    inet 172.23.0.1/16 brd 172.23.255.255 scope global br-8ac03a825197
       valid_lft forever preferred_lft forever
    inet6 fe80::42:8eff:fe0d:2488/64 scope link 
       valid_lft forever preferred_lft forever
5: br-92edc4f1c994: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
    link/ether 02:42:f3:0c:23:bc brd ff:ff:ff:ff:ff:ff
    inet 172.24.0.1/16 brd 172.24.255.255 scope global br-92edc4f1c994
       valid_lft forever preferred_lft forever
    inet6 fe80::42:f3ff:fe0c:23bc/64 scope link 
       valid_lft forever preferred_lft forever
7: vethb92b79e@if6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-92edc4f1c994 state UP group default 
    link/ether 7e:aa:6a:86:d2:de brd ff:ff:ff:ff:ff:ff link-netnsid 7
    inet6 fe80::7caa:6aff:fe86:d2de/64 scope link 
       valid_lft forever preferred_lft forever
9: veth927b6cb@if8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-8ac03a825197 state UP group default 
    link/ether ea:98:64:04:e8:2a brd ff:ff:ff:ff:ff:ff link-netnsid 5
    inet6 fe80::e898:64ff:fe04:e82a/64 scope link 
       valid_lft forever preferred_lft forever
11: veth5139633@if10: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-92edc4f1c994 state UP group default 
    link/ether 46:92:8a:37:24:57 brd ff:ff:ff:ff:ff:ff link-netnsid 6
    inet6 fe80::4492:8aff:fe37:2457/64 scope link 
       valid_lft forever preferred_lft forever
13: vethe943d98@if12: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-8ac03a825197 state UP group default 
    link/ether 22:9a:ec:2c:1e:b2 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet6 fe80::209a:ecff:fe2c:1eb2/64 scope link 
       valid_lft forever preferred_lft forever
15: veth0a66092@if14: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-8ac03a825197 state UP group default 
    link/ether b6:b9:83:ab:e1:78 brd ff:ff:ff:ff:ff:ff link-netnsid 3
    inet6 fe80::b4b9:83ff:feab:e178/64 scope link 
       valid_lft forever preferred_lft forever
19: veth9992565@if18: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-8ac03a825197 state UP group default 
    link/ether 4a:10:15:b1:56:33 brd ff:ff:ff:ff:ff:ff link-netnsid 1
    inet6 fe80::4810:15ff:feb1:5633/64 scope link 
       valid_lft forever preferred_lft forever
23: vethbf56281@if22: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-92edc4f1c994 state UP group default 
    link/ether 76:f1:22:94:25:7e brd ff:ff:ff:ff:ff:ff link-netnsid 2
    inet6 fe80::74f1:22ff:fe94:257e/64 scope link 
       valid_lft forever preferred_lft forever
25: vetha6cf80b@if24: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-92edc4f1c994 state UP group default 
    link/ether ca:bf:a5:f2:c5:c1 brd ff:ff:ff:ff:ff:ff link-netnsid 9
    inet6 fe80::c8bf:a5ff:fef2:c5c1/64 scope link 
       valid_lft forever preferred_lft forever
87: vetha87c3cb@if86: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-92edc4f1c994 state UP group default 
    link/ether 2a:04:e9:58:ac:d7 brd ff:ff:ff:ff:ff:ff link-netnsid 4
    inet6 fe80::2804:e9ff:fe58:acd7/64 scope link 
       valid_lft forever preferred_lft forever

I also tried this solution from stack-overflow: https://stackoverflow.com/questions/39130263/docker-proxy-using-port-when-no-containers-are-running
Which did solve the issue but after starting docker-compose again the problem came back.

I would really appreciate any help finding out how to fix this.

20027477fla · January 28, 2023, 12:57am

Hi I have the same problem here I tried to go even further and disable the SVM system in my BIOS and in theory my docker shouldn’t even work but after listing the ports again there they were.

rimelek · January 29, 2023, 11:35pm

@dude1589 Have you been able to solve it?

@20027477fla There must be a service that recreates containers and user defined networks (if you really have the same problem). If you can’t find running containers, it is possible that you are using a different Docker context. Try running the following command to find out

docker context ls

Docker CE uses the “default” context. Docker Desktop can add “desktop-linux” as a new context and Rancher Desktop adds “rancher-desktop” as context name. You could also have “rootless” docker which is an other context. While you are using a different context, the default docker-ce can still run in the background.

IF containers are coming back fter reinstalling Docker, that indicates that you either reinstalled an other docker installation or there is a service defined somewhere that starts after booting the OS and uses docker commands or docker compose to recreate containers.