Docker tricks

Nsenter

I often wish to use networking utilities to investigate Docker problems without having to install them inside my containers or, worse, having to bake them into my images. Enter Nsenter:

# Show the listening TCP sockets in the Docker container named 'boop'.
sudo nsenter --net --target "$(sudo docker inspect -f {{.State.Pid}} boop)" \
    ss -ltnp

# Identify all established HTTP connections to Bunnyinfo.local from the first
# container associated with the 'bunnyfacts' Swarm service.
sudo nsenter --net \
    --target "$(sudo docker inspect -f {{.State.Pid}} \
                    "$(sudo docker ps -qfname=bunnyfacts | head -1)")" \
    conntrack -L -d "$(getent hosts bunnyinfo.local. |
                           awk '{ print $1; exit }')" \
        -p tcp --dport 80 --state ESTABLISHED

This works with the other namespace types too, not just the network namespace.
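
An added example, not part of the original page: a small wrapper around the first command above that checks the container is actually running before calling nsenter, since docker inspect reports State.Pid as 0 for a stopped container. The function names ctr_pid and ctr_netns_exec are hypothetical.

```shell
#!/bin/sh
# Added example: helper names ctr_pid and ctr_netns_exec are hypothetical.

# Print the host PID of the container's init process.
# Returns 1 if the container cannot be inspected, 2 if it is not running.
ctr_pid() {
    _ctr_pid=$(sudo docker inspect -f '{{.State.Pid}}' "$1" 2>/dev/null) || {
        echo "ctr_pid: cannot inspect container '$1'" >&2
        return 1
    }
    case $_ctr_pid in
        '' | *[!0-9]*)
            echo "ctr_pid: unexpected PID value '$_ctr_pid'" >&2
            return 1 ;;
        0)
            # Docker reports Pid 0 for created, exited or dead containers.
            echo "ctr_pid: container '$1' is not running" >&2
            return 2 ;;
    esac
    printf '%s\n' "$_ctr_pid"
}

# Run a host binary inside the container's network namespace.
# Usage: ctr_netns_exec CONTAINER COMMAND [ARGS...]
ctr_netns_exec() {
    [ "$#" -ge 2 ] || {
        echo "usage: ctr_netns_exec CONTAINER COMMAND [ARGS...]" >&2
        return 64
    }
    _ctr_name=$1
    shift
    _ctr_target=$(ctr_pid "$_ctr_name") || return
    # "--" stops nsenter option parsing so COMMAND's own flags pass through.
    sudo nsenter --net --target "$_ctr_target" -- "$@"
}

# Example: ctr_netns_exec boop ss -ltnp
```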
