ss linux command

The ss command is capable of showing more information than the netstat and is faster. The netstat command reads various /proc files to gather information. However this approach falls weak when there are lots of connections to display. This makes it slower. The ss command gets its information directly from kernel space.

ss -l
ss -t
ss -u
ss -nt
ss -ltp
ss -nt '( dst :443 or dst :80 )'

netstat 命令参数

This program is obsolete. Replacement for netstat is ss. Replacement for netstat -r is ip route. Replacement for netstat -i is ip -s link. Replacement for netstat -g is ip maddr.

netstat -t -l 查看监听的 tcp
netstat -t --wide
netstat -an |grep :8080 端口8080 上的连接 (有些外部的)

只针对 linux, Mac 和 win 有些不一样.

  • a all
  • r 显示路由表
  • s statistics
  • n 不做主机和端口转换, 数字形式 number
  • c continuous print
  • e extend 多显示 owner
  • p 显示 program
  • l listening
    --wide 不截取

The socket has an established connection.
The socket is actively attempting to establish a connection.
A connection request has been received from the network.
The socket is closed, and the connection is shutting down.
Connection is closed, and the socket is waiting for a shutdown from the remote end.
The socket is waiting after close to handle packets still in the network.
The socket is not being used.
The remote end has shut down, waiting for the socket to close.
The remote end has shut down, and the socket is closed. Waiting for acknowledgement.
The socket is listening for incoming connections. Such sockets are not included in the output unless you specify the --listening (-l) or --all (-a) option.
Both sockets are shut down but we still don't have all our data sent.
The state of the socket is unknown.

docker internal

if you look in the Linux kernel, there is no such thing as a container

  • Containers share the host kernel
  • Containers use the kernel ability to group processes for resource control
  • Containers ensure isolation through namespaces
  • Containers feel like lightweight VMs (lower footprint, faster)


  • Chroot circa 1982
  • FreeBSD Jails circa 2000
  • Solaris Zones circa 2004
  • Meiosys - MetaClusters with Checkpoint/Restore 2004-05
  • Linux OpenVZ circa 2005 (not in mainstream Linux)
  • AIX WPARs circa 2007
  • LXC circa 2008
  • Systemd-nspawn circa 2010-2013
  • Docker circa 2013
    -- built on LXC
    -- moved to libcontainer (March 2014)
    -- appC (CoreOS) announced (December 2014)
    -- Open Containers standard for convergence with Docker Announced (June 2015)
    -- moved to runC (OCF compliant) (July 2015)

how it works

Namespaces, cgroups, Images, Layers & copy-on-write

Kernel Namespaces: isolation

  • Process trees (PID Namespace)
  • Mounts (MNT namespace) wc -l /proc/mounts
  • Network (Net namespace) ip addr
  • Users / UIDs (User Namespace)
  • Hostnames (UTS Namespace) hostname
  • Inter Process Communication (IPC Namespace) ipcs

Control Group: accounting

Kernel control groups (cgroups) allow you to do accounting on resources used by processes, a little bit of access control on device nodes and other things such as freezing groups of processes.

IPTables (networking)

solation on the networking level is achieved through the creation of virtual switches in the linux kernel. Linux Bridge is a kernel module, first introduced in 2.2 kernel (circa 2000). And it is administered using the brctl command on Linux.

Types of Containers

Given the above constructs, containers may be divided into 3 types as follows:

  1. System Containers share rootfs, PID, network, IPC and UTS with host system but live inside a cgroup.
  2. Application Containers live inside a cgroup and use namespaces (PID, network, IPC, chroot) for isolation from host system
  3. Pods use namespaces for isolation from host system but create sub groups which share PID, network, IPC and UTS except the rootfs.

docker providing

  • Image management
  • Resource Isolation
  • File System Isolation
  • Network Isolation
  • Change Management
  • Sharing
  • Process Management
  • Service Discovery (DNS since 1.10)



java GCViewer

最新的 GCViewer 项目地址

不用下载 GC.log 可以直接给它一个远程 URL.


There are other SSH commands besides the client ssh. Each has its own page.

ssh-keygen - creates a key pair for public key authentication
ssh-copy-id - configures a public key as authorized on a server
ssh-agent - agent to hold private key for single sign-on
ssh-add - tool to add a key to the agent
scp - file transfer client with RCP-like command interface
sftp - file transfer client with FTP-like command interface
sshd - OpenSSH server

The ssh program on a host receives its configuration from either the command line or from configuration files ~/.ssh/config and /etc/ssh/ssh_config.
configuration items: