Ephemeral ports

If you aren't familiar with ephemeral ports, they are the local (source) port numbers the kernel assigns to outbound connections when the originating port is not explicitly specified on the connection, which is the vast majority of them. For example, if you make any kind of outbound HTTP request with almost any client library, one of these ephemeral ports will most likely be assigned as the local port on which the reply traffic for your connection arrives.

To see some sample ephemeral port usage on your machine, you can use netstat:

$ netstat -an | grep ESTABLISHED
tcp 0 0 192.168.56.101:46496 <redacted>:443 ESTABLISHED
tcp 0 0 192.168.56.101:45512 <redacted>:443 ESTABLISHED
tcp 0 0 192.168.56.101:42014 <redacted>:443 ESTABLISHED
<snip>
tcp 0 0 192.168.56.101:45984 <redacted>:443 ESTABLISHED
tcp 0 0 192.168.56.101:56528 <redacted>:443 ESTABLISHED

As you develop systems with multiple services that make numerous outbound connections (practically mandatory when working with Docker services), you may notice that there is a limit on the number of ports you are allowed to use. You are also likely to find that the ephemeral range overlaps with the port ranges some of your internal Docker services listen on, causing intermittent and often annoying connectivity issues. To fix these issues, the ephemeral port range needs to be changed.

Since these are also kernel settings, we can see what our current ranges are with sysctl, just like we did in a couple of earlier examples:

$ sysctl net.ipv4.ip_local_port_range
net.ipv4.ip_local_port_range = 32768 60999

You can see that our range is in the upper half of the port allocations, but any service that starts listening on a port within that range risks colliding with an outbound connection that has already been assigned it. It is also possible that we may need more than 28,000 ports.

You may be curious how you get or set the IPv6 settings for this parameter, but luckily (at least for now) this same setting key is used for both the IPv4 and IPv6 ephemeral port ranges. At some point, this setting name may change, but I think we are at least a couple of years away from that.

To change this value, we can either use sysctl -w for a temporary change or a drop-in file under /etc/sysctl.d for a permanent change:

$ # First the temporary change to get us up to 40000
$ # ports. For our services, we separately have to
$ # ensure none listen on any ports above 24999.
$ sudo sysctl -w net.ipv4.ip_local_port_range="25000 65000"
net.ipv4.ip_local_port_range = 25000 65000

$ # Sanity check
$ sysctl net.ipv4.ip_local_port_range
net.ipv4.ip_local_port_range = 25000 65000

$ # Now for the permanent change (requires restart)
$ echo "net.ipv4.ip_local_port_range = 25000 65000" | sudo tee /etc/sysctl.d/10-ephemeral-ports.conf

With this change, we have effectively increased the number of outbound connections we can support by over 30%, but we could just as easily have used the same setting to move the ephemeral range away from ports that other running services listen on, so that the two never collide.
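The collision check the text asks for ("ensure none listen on any ports above 24999") can be scripted. The following shell functions are an added example, not from the original text: they list every listening TCP port that falls inside a candidate ephemeral range, parsing the layout of `ss -Hltn` (the listener table below is constructed sample data, and `check_live_range` is a hypothetical wrapper for the running kernel).

```shell
# Constructed sample in the column layout of `ss -Hltn` (no header line):
# State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
SAMPLE_LISTENERS='LISTEN 0 128   0.0.0.0:22      0.0.0.0:*
LISTEN 0 511   0.0.0.0:80      0.0.0.0:*
LISTEN 0 4096  *:27017         *:*
LISTEN 0 128   [::]:5432       [::]:*
LISTEN 0 128   127.0.0.1:33060 0.0.0.0:*'

# Number of ephemeral ports an inclusive "low high" range provides.
range_size() {
    echo $(( $2 - $1 + 1 ))
}

# Print, one per line and sorted, every listening port within [low, high].
# $1 = ss -Hltn output, $2 = low bound, $3 = high bound.
# The port is the text after the last ':' of the local-address column ($4),
# which also covers IPv6 forms such as [::]:5432 and wildcards such as *:27017.
ephemeral_collisions() {
    printf '%s\n' "$1" | awk -v low="$2" -v high="$3" '
        { n = split($4, parts, ":"); port = parts[n] + 0 }
        port >= low && port <= high { print port }
    ' | sort -n | uniq
}

# Hypothetical wrapper: compare the live listener table against the kernel's
# current net.ipv4.ip_local_port_range. Any output means a collision risk.
check_live_range() {
    set -- $(sysctl -n net.ipv4.ip_local_port_range)
    ephemeral_collisions "$(ss -Hltn)" "$1" "$2"
}
```

Run `ephemeral_collisions "$(ss -Hltn)" 25000 65000` before applying the wider range: on the sample data, the default 32768-60999 range collides only with 33060, while 25000-65000 also pulls in 27017.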
