
Monitoring Docker containers in Ubuntu

In this recipe, we will learn to monitor Docker containers.

How to do it…

Docker provides inbuilt monitoring with the docker stats command, which can be used to get a live stream of the resource utilization of Docker containers.

To monitor multiple containers at once using their respective IDs or names, use this command:

$ docker stats mysql f9617f4b716c

With docker logs, you can fetch logs of your application running inside a container. This can be used similarly to the tail -f command:

$ docker logs -f ubuntu

Docker also records state change events from containers. These events include start, stop, create, kill, and so on. You can get real-time events with docker events:

$ docker events

To get past events, use the --since flag with docker events:

$ docker events --since '2015-11-01'

You can also check the changes in the container filesystem with the docker diff command. This will list newly added (A), changed (C), or deleted (D) files.

$ docker diff ubuntu

Another useful command is docker top, which lets you look inside a container. This command displays the processes running inside a container:

$ docker top ubuntu
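The docker diff output above is most useful when something decides which changes matter. The following script is an added example, not part of the original recipe: it flags additions, changes and deletions under directories a running service should not normally write to. The prefix list is an assumption you should adapt to your image, and the sample diff output is constructed so the script runs without a Docker daemon.

```shell
#!/bin/sh
# Added example, not part of the original recipe: turn `docker diff` output
# into a simple detection check. The prefix list below is an assumption
# (adjust it to the image); the sample output is constructed so the script
# runs without a Docker daemon. Real use: docker diff ubuntu | flag_sensitive_changes
SENSITIVE_PREFIXES='/etc /bin /sbin /usr/bin /usr/sbin /lib /root/.ssh'

# Reads docker diff lines ("A /path", "C /path", "D /path") on stdin and
# prints KIND<TAB>PATH for every change at or under a sensitive prefix.
flag_sensitive_changes() {
    while read -r kind path; do
        case "$kind" in
            A|C|D) ;;
            *) continue ;;
        esac
        for prefix in $SENSITIVE_PREFIXES; do
            case "$path" in
                "$prefix"|"$prefix"/*)
                    printf '%s\t%s\n' "$kind" "$path"
                    break
                    ;;
            esac
        done
    done
}

# Constructed sample of `docker diff` output: docker lists a parent
# directory as C whenever something below it changed.
sample_diff() {
    cat <<'EOF'
C /etc
C /etc/passwd
A /etc/cron.d/unexpected-job
A /tmp/app.log
C /var/lib/app/state.db
C /usr/bin
D /usr/bin/curl
EOF
}

# Stand-alone run: show which of the sample changes touch sensitive paths.
sample_diff | flag_sensitive_changes
```

Run it periodically against long-lived containers and compare with the previous run; a new entry under /etc or /usr/bin in a container that only serves an application is worth investigating.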

How it works…

Docker provides various inbuilt commands to monitor containers and the processes running inside them. It uses native system constructs such as namespaces and cgroups. Most of these statistics are collected from the native system. Logs are directly collected from running processes.

Need something more, possibly a tool with graphical output? There are various such tools available. One well-known tool is cAdvisor by Google. You can run the tool itself as a Docker container, as follows:

$ docker run -d -p 8080:8080 --name cadvisor \
    --volume=/:/rootfs:ro \
    --volume=/var/run:/var/run:rw \
    --volume=/sys:/sys:ro \
    --volume=/var/lib/docker/:/var/lib/docker:ro \
    google/cadvisor:latest

Once the container has been started, you can access the UI at your server domain or IP on port 8080 or any other port that you use. cAdvisor is able to monitor both LXC and Docker containers. In addition, it can report host system resources.

Set a proper firewall on your host system. Ubuntu comes preinstalled with UFW; you simply need to add the necessary rules and enable the firewall. Refer to Chapter 2, Networking, for more details on UFW configuration.

On Ubuntu systems, Docker ships with an AppArmor profile. This profile is installed and enforced as part of the Docker installation. Make sure you have AppArmor installed and working properly; AppArmor provides an extra layer of protection against unknown vulnerabilities:

$ sudo apparmor_status

Next, we will move on to configure the Docker daemon. You can get a list of all available options with the docker daemon --help command:

$ docker daemon --help

You can configure these settings in the Docker configuration file at /etc/default/docker, or start the Docker daemon with all required settings from the command line.

Edit the Docker configuration and add the following settings to the DOCKER_OPTS section:

$ sudo nano /etc/default/docker

Turn off inter-container communication:

--icc=false

Set default ulimit restrictions:

--default-ulimit nproc=512:1024 --default-ulimit nofile=50:100

Set the default storage driver to overlayfs:

--storage-driver=overlay

Once you have configured all these settings, restart the Docker daemon:

$ sudo service docker restart
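Before restarting the daemon, it is worth confirming that the flags you just added actually ended up in DOCKER_OPTS (a typo there is easy to miss and the daemon may refuse to start). The following script is an added example, not part of the original recipe: it reads DOCKER_OPTS from /etc/default/docker and reports any of the recipe's hardening flags that are missing. The config file it checks is a constructed sample so it runs without Docker installed; point docker_opts_from at the real file on a live host.

```shell
#!/bin/sh
# Added example, not part of the original recipe: verify that the hardening
# flags this recipe adds to DOCKER_OPTS are really present in
# /etc/default/docker before restarting the daemon. A sample config is
# constructed below so the check runs without Docker installed.

# Prints the last uncommented DOCKER_OPTS value from a file, quotes stripped.
docker_opts_from() {
    sed -n 's/^[[:space:]]*DOCKER_OPTS=\(.*\)$/\1/p' "$1" | tail -n 1 | tr -d "\"'"
}

# Checks a DOCKER_OPTS string for each expected flag, prints MISSING <flag>
# for every absent one, and returns 1 if anything is missing.
check_docker_opts() {
    opts=$1
    missing=0
    for want in '--icc=false' '--default-ulimit nproc=' \
                '--default-ulimit nofile=' '--storage-driver=overlay'; do
        case "$opts" in
            *"$want"*) ;;
            *) printf 'MISSING %s\n' "$want"; missing=1 ;;
        esac
    done
    return "$missing"
}

# Constructed sample: ulimits and storage driver are set, --icc=false was forgotten.
write_sample_config() {
    cat > "$1" <<'EOF'
# Docker Upstart and SysVinit configuration file (constructed sample)
#DOCKER_OPTS="--dns 8.8.8.8 --dns 8.8.4.4"
DOCKER_OPTS="--default-ulimit nproc=512:1024 --default-ulimit nofile=50:100 --storage-driver=overlay"
EOF
}

# Stand-alone run against the sample file.
cfg=$(mktemp)
write_sample_config "$cfg"
check_docker_opts "$(docker_opts_from "$cfg")" || echo "fix DOCKER_OPTS before restarting docker"
rm -f "$cfg"
```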

Now, you can use the security bench script provided by Docker. This script checks for common security best practices and gives you a list of all the things that need to be improved.

Clone the script from the Docker GitHub repository:

$ git clone https://github.com/docker/docker-bench-security.git

Execute the script:

$ cd docker-bench-security

$ sh docker-bench-security.sh

Try to fix the issues reported by this script.

Now, we will look at Docker container configurations.

The most important part of a Docker container is its image. Make sure that you download or pull the images from a trusted repository. You can get most of the images from the official Docker repository, Docker Hub.

Alternatively, you can build the images on your own server. Dockerfiles for the most popular images are easy to find, and you can build the images yourself after verifying their contents and making any changes you need.

When building your own images, make sure the container does not run as the root user: create an unprivileged user and switch to it:

RUN groupadd -r user && useradd -r -g user user

USER user

When creating a new container, make sure that you configure CPU and memory limits according to the container's requirements. You can also pass container-specific ulimit settings when creating containers:

$ docker run --cpu-shares 1024 --memory 512m --cpuset-cpus 1

Whenever possible, set your containers to read-only:

$ docker run --read-only

Use read-only volumes:

$ docker run -v /shared/path:/container/path:ro ubuntu

Try not to publish application ports. Use a private Docker network or Docker links when possible. For example, when setting up WordPress in the previous recipe, we used a Docker network and connected WordPress and MySQL without exposing MySQL ports.
