Labels: area/api, area/networking, area/networking/portmapping, kind/bug, status/confirmed, version/28.0
Description
We're not consistently reporting dual-stack port mappings in docker ps.
When the userland proxy is enabled, the five containers created below result in ports being mapped to both the IPv4 and the IPv6 unspecified address. However, docker ps reports that the port mappings for the first two containers (i.e. test1, test2) are only available over IPv4 -- ss shows that it's not the case.
When the userland proxy is disabled and all containers are started, it seems we're also needlessly binding an IPv6 port.
Reproduce
With the userland proxy enabled:
$ docker network create --ipv4=true --ipv6=false testnetv4
$ docker network create --ipv4=false --ipv6=true testnetv6
$ docker network create --ipv4=true --ipv6=true testnetv4v6
$ docker run -d --name test1 --network testnetv4 --network testnetv6 -p 0.0.0.0:80:80 -p '[::]:80:80' nginx
$ docker run -d --name test2 --network testnetv4 --network testnetv6 -p 8080:80 nginx
$ docker run -d --name test3 --network testnetv4 --network testnetv6 -P nginx
$ docker run -d --name test4 --network testnetv4 -P nginx
$ docker run -d --name test5 --network testnetv4v6 -P nginx
$ docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
10aff324bc40 nginx "/docker-entrypoint.…" About a minute ago Up About a minute 0.0.0.0:32770->80/tcp, [::]:32770->80/tcp test5
4e3723f3597f nginx "/docker-entrypoint.…" About a minute ago Up About a minute 0.0.0.0:32769->80/tcp, [::]:32769->80/tcp test4
59f6766a9deb nginx "/docker-entrypoint.…" About a minute ago Up About a minute 0.0.0.0:32768->80/tcp test3
4cafb8d1917e nginx "/docker-entrypoint.…" About a minute ago Up About a minute 0.0.0.0:8080->80/tcp test2
9e49486eb762 nginx "/docker-entrypoint.…" About a minute ago Up About a minute 0.0.0.0:80->80/tcp test1
$ ss -tlpn
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 4096 0.0.0.0:32770 0.0.0.0:* users:(("docker-proxy",pid=15505,fd=7))
LISTEN 0 4096 0.0.0.0:32769 0.0.0.0:* users:(("docker-proxy",pid=15386,fd=7))
LISTEN 0 4096 0.0.0.0:32768 0.0.0.0:* users:(("docker-proxy",pid=15279,fd=7))
LISTEN 0 4096 0.0.0.0:80 0.0.0.0:* users:(("docker-proxy",pid=14994,fd=7))
LISTEN 0 4096 0.0.0.0:8080 0.0.0.0:* users:(("docker-proxy",pid=15147,fd=7))
LISTEN 0 4096 [::]:32770 [::]:* users:(("docker-proxy",pid=15512,fd=7))
LISTEN 0 4096 [::]:32769 [::]:* users:(("docker-proxy",pid=15392,fd=7))
LISTEN 0 4096 [::]:32768 [::]:* users:(("docker-proxy",pid=15266,fd=7))
LISTEN 0 4096 [::]:80 [::]:* users:(("docker-proxy",pid=15008,fd=7))
LISTEN 0 4096 [::]:8080 [::]:* users:(("docker-proxy",pid=15160,fd=7))
And here's the API response confirming it's not coming from the CLI:
$ curl -s http://127.0.0.1:2374/containers/json\?all\=true | jq '[.[] | {Names, Ports}]'
[
{
"Names": [
"/test5"
],
"Ports": [
{
"IP": "0.0.0.0",
"PrivatePort": 80,
"PublicPort": 32770,
"Type": "tcp"
},
{
"IP": "::",
"PrivatePort": 80,
"PublicPort": 32770,
"Type": "tcp"
}
]
},
{
"Names": [
"/test4"
],
"Ports": [
{
"IP": "0.0.0.0",
"PrivatePort": 80,
"PublicPort": 32769,
"Type": "tcp"
},
{
"IP": "::",
"PrivatePort": 80,
"PublicPort": 32769,
"Type": "tcp"
}
]
},
{
"Names": [
"/test3"
],
"Ports": [
{
"IP": "0.0.0.0",
"PrivatePort": 80,
"PublicPort": 32768,
"Type": "tcp"
}
]
},
{
"Names": [
"/test2"
],
"Ports": [
{
"IP": "0.0.0.0",
"PrivatePort": 80,
"PublicPort": 8080,
"Type": "tcp"
}
]
},
{
"Names": [
"/test1"
],
"Ports": [
{
"IP": "0.0.0.0",
"PrivatePort": 80,
"PublicPort": 80,
"Type": "tcp"
}
]
}
]
Stopping the daemon, and starting it again with --userland-proxy=false (notice port [::]:32768 in ss output):
$ docker start test1 test2 test3 test4 test5
$ docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
10aff324bc40 nginx "/docker-entrypoint.…" 7 minutes ago Up 19 seconds 0.0.0.0:32771->80/tcp, [::]:32771->80/tcp test5
4e3723f3597f nginx "/docker-entrypoint.…" 8 minutes ago Up 19 seconds 0.0.0.0:32770->80/tcp test4
59f6766a9deb nginx "/docker-entrypoint.…" 8 minutes ago Up 20 seconds 0.0.0.0:32769->80/tcp test3
4cafb8d1917e nginx "/docker-entrypoint.…" 8 minutes ago Up 20 seconds 0.0.0.0:8080->80/tcp test2
9e49486eb762 nginx "/docker-entrypoint.…" 8 minutes ago Up 20 seconds 0.0.0.0:80->80/tcp test1
$ ss -tlpn
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 0 0.0.0.0:32771 0.0.0.0:* users:(("dockerd",pid=17937,fd=76))
LISTEN 0 0 0.0.0.0:32770 0.0.0.0:* users:(("dockerd",pid=17937,fd=66))
LISTEN 0 0 0.0.0.0:32769 0.0.0.0:* users:(("dockerd",pid=17937,fd=54))
LISTEN 0 0 0.0.0.0:80 0.0.0.0:* users:(("dockerd",pid=17937,fd=31))
LISTEN 0 0 0.0.0.0:8080 0.0.0.0:* users:(("dockerd",pid=17937,fd=42))
LISTEN 0 0 [::]:32771 [::]:* users:(("dockerd",pid=17937,fd=77))
LISTEN 0 0 [::]:32768 [::]:* users:(("dockerd",pid=17937,fd=55))
LISTEN 0 0 [::]:80 [::]:* users:(("dockerd",pid=17937,fd=30))
LISTEN 0 0 [::]:8080 [::]:* users:(("dockerd",pid=17937,fd=43))
Daemon logs for the 2nd run: daemon.log
Expected behavior
No response
docker version
Client:
Version: 28.0.1
API version: 1.48
Go version: go1.23.6
Git commit: 068a01e
Built: Wed Feb 26 10:38:16 2025
OS/Arch: darwin/arm64
Context: default
Server:
Engine:
Version: dev
API version: 1.48 (minimum version 1.24)
Go version: go1.23.7
Git commit: c49ac0491031a9a95f1eb0f5acdb3cb5c701d59f
Built: Mon Mar 17 21:17:59 2025
OS/Arch: linux/arm64
Experimental: false
containerd:
Version: v1.7.25
GitCommit: bcc810d6b9066471b0b6fa75f557a15a1cbf31bb
runc:
Version: 1.2.5
GitCommit: v1.2.5-0-g59923ef
docker-init:
Version: 0.19.0
GitCommit: de40ad0
docker info
Client:
Version: 28.0.1
Context: default
Debug Mode: false
Plugins:
ai: Docker AI Agent - Ask Gordon (Docker Inc.)
Version: v0.9.8
Path: /Users/aker/.docker/cli-plugins/docker-ai
buildx: Docker Buildx (Docker Inc.)
Version: v0.19.1-desktop.1
Path: /Users/aker/.pinata/downloads/docker-plugins/v0.19.1-desktop.1/docker-buildx
cloud: Docker Cloud (Docker Inc.)
Version: 0.2.15
Path: /Users/aker/.docker/cli-plugins/docker-cloud
compose: Docker Compose (Docker Inc.)
Version: v2.33.1-desktop.1
Path: /Users/aker/.docker/cli-plugins/docker-compose
debug: Get a shell into any image or container (Docker Inc.)
Version: 0.0.38
Path: /Users/aker/.docker/cli-plugins/docker-debug
desktop: Docker Desktop commands (Beta) (Docker Inc.)
Version: v0.1.5
Path: /Users/aker/.docker/cli-plugins/docker-desktop
dev: Docker Dev Environments (Docker Inc.)
Version: v0.1.2
Path: /Users/aker/.docker/cli-plugins/docker-dev
extension: Manages Docker extensions (Docker Inc.)
Version: v0.2.27
Path: /Users/aker/.docker/cli-plugins/docker-extension
init: Creates Docker-related starter files for your project (Docker Inc.)
Version: v1.4.0
Path: /Users/aker/.docker/cli-plugins/docker-init
model: Docker Model Runner (Docker Inc.)
Version: 4.40.0
Path: /Users/aker/.docker/cli-plugins/docker-model
sbom: View the packaged-based Software Bill Of Materials (SBOM) for an image (Anchore Inc.)
Version: 0.6.0
Path: /Users/aker/.docker/cli-plugins/docker-sbom
scout: Docker Scout (Docker Inc.)
Version: v1.16.3
Path: /Users/aker/.docker/cli-plugins/docker-scout
WARNING: Plugin "/Users/aker/.docker/cli-plugins/docker-harmonia" is not valid: failed to fetch metadata: fork/exec /Users/aker/.docker/cli-plugins/docker-harmonia: no such file or directory
Server:
Containers: 4
Running: 4
Paused: 0
Stopped: 0
Images: 3
Server Version: dev
Storage Driver: vfs
Logging Driver: json-file
Cgroup Driver: cgroupfs
Cgroup Version: 2
Plugins:
Volume: local
Network: bridge host ipvlan macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
Swarm: inactive
Runtimes: crun io.containerd.runc.v2 runc
Default Runtime: runc
Init Binary: docker-init
containerd version: bcc810d6b9066471b0b6fa75f557a15a1cbf31bb
runc version: v1.2.5-0-g59923ef
init version: de40ad0
Security Options:
seccomp
Profile: builtin
cgroupns
Kernel Version: 6.10.14-linuxkit
Operating System: Debian GNU/Linux 12 (bookworm) (containerized)
OSType: linux
Architecture: aarch64
CPUs: 14
Total Memory: 7.653GiB
Name: af0d27b2eac8
ID: ce30dea5-0596-48bc-890e-df1a3b40ce7a
Docker Root Dir: /var/lib/docker
Debug Mode: true
File Descriptors: 64
Goroutines: 79
System Time: 2025-03-18T07:34:33.266817126Z
EventsListeners: 0
Experimental: false
Insecure Registries:
::1/128
127.0.0.0/8
Live Restore Enabled: false
[DEPRECATION NOTICE]: API is accessible on http://0.0.0.0:2374 without encryption.
Access to the remote API is equivalent to root access on the host. Refer
to the 'Docker daemon attack surface' section in the documentation for
more information: https://docs.docker.com/go/attack-surface/
In future versions this will be a hard failure preventing the daemon from starting! Learn more at: https://docs.docker.com/go/api-security/
Additional Info
No response
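An added example, not part of the original report and not Docker's own code: a check that compares the listeners shown by ss -tlpn with the mappings returned by /containers/json, and flags host ports bound by docker-proxy or dockerd that the API does not report. The function names are hypothetical, and the sample input is constructed from a subset of the output above plus one unrelated sshd listener to show the process filter.

```python
import ipaddress
import json
import re

# Constructed sample: subset of the ss output in the report, plus an sshd line.
SS_OUTPUT = """\
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 4096 0.0.0.0:32770 0.0.0.0:* users:(("docker-proxy",pid=15505,fd=7))
LISTEN 0 4096 0.0.0.0:8080 0.0.0.0:* users:(("docker-proxy",pid=15147,fd=7))
LISTEN 0 4096 [::]:32770 [::]:* users:(("docker-proxy",pid=15512,fd=7))
LISTEN 0 4096 [::]:8080 [::]:* users:(("docker-proxy",pid=15160,fd=7))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=1,fd=3))
"""
# Constructed sample: the test5 and test2 entries of the API response above.
API_JSON = """[
 {"Names": ["/test5"], "Ports": [
  {"IP": "0.0.0.0", "PrivatePort": 80, "PublicPort": 32770, "Type": "tcp"},
  {"IP": "::", "PrivatePort": 80, "PublicPort": 32770, "Type": "tcp"}]},
 {"Names": ["/test2"], "Ports": [
  {"IP": "0.0.0.0", "PrivatePort": 80, "PublicPort": 8080, "Type": "tcp"}]}
]"""
DOCKER_PROCS = {"docker-proxy", "dockerd"}
LISTEN_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)"')

def docker_listeners(ss_text):
    """Return {(ip, port)} for TCP listeners owned by docker-proxy or dockerd."""
    found = set()
    for line in ss_text.splitlines():
        m = LISTEN_RE.match(line)
        if not m or m.group(3) not in DOCKER_PROCS:
            continue
        try:
            ip = ipaddress.ip_address(m.group(1).strip("[]"))
        except ValueError:  # e.g. "*" or a scoped address: skipped in this sketch
            continue
        found.add((ip, int(m.group(2))))
    return found

def reported_mappings(api_text):
    """Return {(ip, port)} for published TCP ports listed by /containers/json."""
    out = set()
    for container in json.loads(api_text):
        for p in container.get("Ports") or []:
            if p.get("Type") == "tcp" and p.get("IP") and "PublicPort" in p:
                out.add((ipaddress.ip_address(p["IP"]), p["PublicPort"]))
    return out

def unreported(ss_text, api_text):
    """Listeners bound on the host that the API does not report, sorted."""
    gap = docker_listeners(ss_text) - reported_mappings(api_text)
    return sorted((str(ip), port) for ip, port in gap)
```

On the sample data this returns `[("::", 8080)]`, the IPv6 listener for test2 that is bound on the host but absent from the API response.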