Hackernoon logoDon’t blindly trust the Docker ping by@frontside

Don’t blindly trust the Docker ping

Author profile picture

@frontsideDavid Rieger

I was playing around with the good old ping command in an alpine Docker container today. I wanted to perform a little load test for another service so I experimented with different package sizes (ping -s <size in byte>), which caused me quite a bit of MTU-related frustration (but that’s a different story).

Upon googling about pings from docker, I stumbled across this forum post.

I will let you read the post yourself instead of copying everything in here, but the essence is: ping packets may return to you even if you send the pings to a non-existing host.

And it’s true. I took a random IP and made sure it’s not actually ping-able from my desktop.

$ ping -c 5
PING ( 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
Request timeout for icmp_seq 2
Request timeout for icmp_seq 3
--- ping statistics ---
5 packets transmitted, 0 packets received, 100.0% packet loss

Then ran it from inside a Docker container.

$ docker run alpine ping -c 5
PING ( 56 data bytes
64 bytes from seq=0 ttl=37 time=0.447 ms
64 bytes from seq=1 ttl=37 time=0.469 ms
64 bytes from seq=2 ttl=37 time=0.524 ms
64 bytes from seq=3 ttl=37 time=0.476 ms
64 bytes from seq=4 ttl=37 time=0.461 ms
--- ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.447/0.475/0.524 ms

This is bad news, because it means you can’t really trust ping anymore. You might have a health-check that tests connectivity to one of your production services through pings and keeps reporting green even though the service is down.

To make matters worse, it doesn’t happen for all fake IPs and the forum post was created over a year ago.

The good news is, this only happens for Docker on MAC (maybe Windows as well), but not Linux.

Screenshot of the “ghost ping”.


Join Hacker Noon

Create your free account to unlock your custom reading experience.