Monitoring the actions performed to my docker container

Hi Team,

Is there any way to monitor the operations performed on my docker container?

So, I have a docker container with the name web. Now I want to check if anyone performs docker exec, docker cp, etc. I want to store that result and get notified.

NOTE: Docker is installed in ubuntu server.

Don’t add users to the docker group so they need to use “sudo” in order to execute any docker command. Commands run with sudo are logged and you can periodically check the log file and send a notification. On Ubuntu, the file is /var/log/auth.log

Of course, make sure those users can’t sudo su and are allowed to run sudo docker only. Then optionally, you can also create a bash command alias (if you use the bash shell) so users don’t have to remember they need to run sudo docker, not just docker.

sudo adduser docker-test
sudo groupadd docker-sudo
sudo usermod -aG docker-sudo docker-test
echo '%docker-sudo  ALL=(root)  NOPASSWD:/usr/bin/docker' | sudo tee /etc/sudoers.d/docker-sudo
echo "alias docker='sudo docker'" | sudo tee --append /etc/bash.bashrc
sudo su - docker-test

Then you can try the docker command as docker-test

docker info

Go back to your original user

exit

And search for docker in the auth log

sudo grep 'COMMAND=/usr/bin/docker' /var/log/auth.log

You will see something like this:

Feb 17 20:42:58 n3 sudo: docker-test : TTY=pts/1 ; PWD=/home/docker-test ; USER=root ; COMMAND=/usr/bin/docker info

If you enabled remote access, for example using a TCP socket, you would need to monitor the API calls.

https://docker-py.readthedocs.io/en/stable/client.html?highlight=event#docker.client.DockerClient.events

Note that even if you log the shell commands, unless you run rootless Docker, users can get root access through docker commands and get a shell on the host that you can’t log. Or if you monitor the API calls, you can catch when someone runs docker exec, but if that someone just runs a shell like docker exec -it containername bash, you will see only the bash command, but nothing that the user runs in the shell interactively.

Don’t give Docker access to anyone you don’t trust.
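
An added example, not part of the original posts: one way to turn the sudo entries in /var/log/auth.log into alerts for docker exec and docker cp against the container named web. The log lines are constructed in the format shown above, and the names find_events, docker_subcommand and the list of global options are assumptions of this sketch.

```python
import re
import shlex

# sudo's auth.log entry, in the format of the sample line on this page
SUDO_RE = re.compile(r"sudo(?:\[\d+\])?:\s+(?P<user>\S+) : .*?COMMAND=(?P<cmd>.+)$")
WATCHED = {"exec", "cp"}   # operations named in the question
CONTAINER = "web"          # container name from the question
# Docker global options that consume the next token (subset, an assumption)
OPTS_WITH_VALUE = {"-H", "--host", "-c", "--context", "--config", "-l", "--log-level"}

def docker_subcommand(argv):
    """Return (subcommand, args), skipping global options and the 'container' group."""
    i = 1
    while i < len(argv) and argv[i].startswith("-"):
        i += 2 if argv[i] in OPTS_WITH_VALUE else 1
    if i < len(argv) and argv[i] == "container":
        i += 1
    return (argv[i], argv[i + 1:]) if i < len(argv) else (None, [])

def find_events(lines):
    """Return one dict per sudo-logged docker exec/cp that names the watched container."""
    events = []
    for line in lines:
        m = SUDO_RE.search(line.rstrip("\n"))
        if not m:
            continue
        try:
            argv = shlex.split(m["cmd"])
        except ValueError:  # unbalanced quotes in the logged command
            argv = m["cmd"].split()
        if not argv or argv[0] != "/usr/bin/docker":
            continue
        sub, args = docker_subcommand(argv)
        # exec names the container as "web"; cp uses "web:/path"
        if sub in WATCHED and any(a == CONTAINER or a.startswith(CONTAINER + ":") for a in args):
            events.append({"user": m["user"], "action": sub, "command": m["cmd"]})
    return events

PREFIX = "sudo: docker-test : TTY=pts/1 ; PWD=/home/docker-test ; USER=root ; COMMAND="
SAMPLE = [  # constructed lines, not real log data
    "Feb 17 20:42:58 n3 " + PREFIX + "/usr/bin/docker info",
    "Feb 17 20:45:10 n3 " + PREFIX + "/usr/bin/docker exec -it web bash",
    "Feb 17 20:46:02 n3 " + PREFIX + "/usr/bin/docker -H unix:///var/run/docker.sock cp web:/usr/share/nginx/html/index.html ./index.html",
    "Feb 17 20:47:30 n3 " + PREFIX + "/usr/bin/docker container exec web ls /",
    "Feb 17 20:48:11 n3 " + PREFIX + "/usr/bin/docker exec -it db bash",
    "Feb 17 20:49:00 n3 sshd[1234]: Accepted publickey for docker-test from 192.0.2.10 port 50022 ssh2",
]

if __name__ == "__main__":
    for e in find_events(SAMPLE):
        print(f"ALERT user={e['user']} action={e['action']} cmd={e['command']}")
```

To use it on the server, pass the lines of /var/log/auth.log to find_events and replace the print with whatever notification channel you use.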