Deployed a NIM container from NGC for a new nano-agent setup. Standard run command, host network, nothing fancy.
Except it's listening on an extra TCP port I don't recognize. Not the main inference port. Not documented.
First steps I took:
* `netstat -tlnp` inside the container shows the mystery port.
* Checked the image history: `docker history --no-trunc nvcr.io/...`
* No relevant env vars or mounts that would explain it.
Need to trace what's opening it. Likely a secondary service (metrics? health? internal RPC?). Before I start tearing apart the image layers, anyone else seen this?
What's the best way to trace the process/binary bound to that port in a minimal container? `ss` and `lsof` are not always installed.
--Chris
You can trace it back through the proc filesystem. Identify the PID from your netstat output, then look at `/proc/<PID>/exe` for the binary and `/proc/<PID>/cmdline` for how it was launched. If the container is truly minimal, catting those files is your most reliable bet.
That said, on a risk note, an undocumented listener is an uncontrolled attack surface. Even if it's for something benign like internal metrics, it needs to be accounted for in your agent's threat model. Is it bound to 0.0.0.0 or just localhost? That changes the impact significantly.
I'd also cross-reference the port number against common patterns. High-numbered, ephemeral-like ports are sometimes used for internal RPC, whereas the 8xxx or 9xxx ranges often hint at metrics/health.
risk is not a number
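Added example, not code from anyone in this thread: the /proc walk from the reply above, scripted end to end so it also works when netstat is missing. It reads `/proc/net/tcp` for the LISTEN socket on a port, resolves the socket inode to a PID through `/proc/<pid>/fd/*`, and then reports `exe`, `cmdline` and the bind address, which is what decides whether a listener is loopback-only or exposed. It assumes a POSIX shell with awk, cut, readlink, tr, sed and sort. The `PROC` variable, the pids 4242/4243, the `/opt/inference/...` paths and the `/proc/net/tcp` rows in the fixture are all constructed for illustration and are not from any NIM image.

```shell
#!/bin/sh
# Added example, not from the original thread: map a listening TCP port to the
# PID and binary behind it using only /proc, so it works in a minimal container
# that lacks ss, lsof and even netstat. Needs only a POSIX shell, awk, cut,
# readlink, tr, sed and sort. PROC and the fixture at the bottom are constructed
# for illustration; inside the container you would leave PROC at /proc.

PROC=${PROC:-/proc}

# /proc/net/tcp lists ports as four uppercase hex digits (9001 -> 2329).
port_hex() { printf '%04X' "$1"; }

# IPv4 addresses in /proc/net/tcp are little-endian hex (0100007F -> 127.0.0.1).
hex_addr_to_ip() {
    h=$1
    printf '%d.%d.%d.%d' \
        "0x$(printf %s "$h" | cut -c7-8)" "0x$(printf %s "$h" | cut -c5-6)" \
        "0x$(printf %s "$h" | cut -c3-4)" "0x$(printf %s "$h" | cut -c1-2)"
}

# Print "<socket inode> <bind address hex>" for each socket in LISTEN state
# (st == 0A) on port $1. $2 selects the table; default is $PROC/net/tcp
# (pass $PROC/net/tcp6 for IPv6 listeners; the address decode above is v4 only).
listening_sockets_on_port() {
    table=${2:-$PROC/net/tcp}
    awk -v hp="$(port_hex "$1")" '
        NR > 1 && $4 == "0A" {
            split($2, a, ":")                 # local_address is ADDR:PORT
            if (a[2] == hp) print $10, a[1]   # field 10 is the socket inode
        }' "$table"
}

# PIDs whose fd table holds a link to socket:[inode]. readlink on another
# user's /proc/<pid>/fd needs root (or the same uid), which you usually are
# inside the container.
pids_for_inode() {
    for fd in "$PROC"/[0-9]*/fd/*; do
        target=$(readlink "$fd" 2>/dev/null) || continue
        [ "$target" = "socket:[$1]" ] || continue
        rest=${fd#"$PROC"/}
        echo "${rest%%/*}"
    done | sort -un
}

# Binary and launch command for a PID, from /proc/<pid>/exe (a symlink, so
# readlink rather than cat) and /proc/<pid>/cmdline (NUL-separated argv).
describe_pid() {
    printf 'pid=%s exe=%s cmdline=%s\n' "$1" \
        "$(readlink "$PROC/$1/exe" 2>/dev/null || echo '?')" \
        "$(tr '\0' ' ' < "$PROC/$1/cmdline" 2>/dev/null | sed 's/ *$//')"
}

# Who owns the listener on port $1, and is it bound to every interface
# (0.0.0.0) or to loopback only? With --network host that bind address is
# the difference between "internal metrics" and "reachable from the LAN".
trace_port() {
    listening_sockets_on_port "$1" | while read -r inode addr; do
        printf 'port %s bound to %s (inode %s)\n' "$1" "$(hex_addr_to_ip "$addr")" "$inode"
        for p in $(pids_for_inode "$inode"); do describe_pid "$p"; done
    done
}

# Constructed fixture (not a real NIM image): a fake /proc tree with the
# inference server on 0.0.0.0:8000 (pid 4242), a metrics exporter on
# 127.0.0.1:9001 (pid 4243), and an ESTABLISHED connection on 8000 that
# must be ignored because its state is 01, not 0A.
build_fake_proc() {
    root=$1
    mkdir -p "$root/net" "$root/4242/fd" "$root/4243/fd"
    cat > "$root/net/tcp" <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:1F40 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:2329 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 0F02000A:1F40 0102000A:D431 01 00000000:00000000 00:00000000 00000000     0        0 12347 1 0000000000000000 20 4 30 10 -1
EOF
    ln -s 'socket:[12345]' "$root/4242/fd/3"
    ln -s /opt/inference/server "$root/4242/exe"
    printf '%s\0' server --port 8000 > "$root/4242/cmdline"
    ln -s 'socket:[12346]' "$root/4243/fd/5"
    ln -s /opt/inference/metrics-exporter "$root/4243/exe"
    printf '%s\0' metrics-exporter --bind 127.0.0.1:9001 > "$root/4243/cmdline"
}

# Demo against the fixture. In the container it is simply: trace_port <port>
demo=$(mktemp -d)
build_fake_proc "$demo"
PROC=$demo
trace_port 9001
rm -rf "$demo"
```

One caveat worth knowing before you start tearing image layers apart: with `--network host` the container shares the host's network namespace, so `/proc/net/tcp` inside it lists every listener on the host, while `/proc/<pid>/` only covers processes in the container's PID namespace. If `trace_port` finds the socket inode but no PID owns it, the listener belongs to a host process, not to anything shipped in the image.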