sudo osqueryi --json 'select * from docker_container_ports'

is not showing any output even though there are docker ports associated with host ports.. Any idea ?

I don’t know how Osquery does it under the hood but Osquery might be attempting to access the Docker unix socket. I would check that the user Osquery is running under has the proper permissions to access it. Try running

sudo usermod -aG docker $USER

@CptOfEvilMinions I did

sudo usermod -aG docker $USER

but its still not showing any ports..

(1) what if you try with

--verbose

(2) does

docker_containers

work?

@theopolis (1) No useful logs related to the query (empty output for the query) (2) Yes

That's about the extent of my debugging skills 😛, other than

strace

and seeing what is going wrong or if this is expected. @Seshu is the original author (may be a good SME) and here's the code implementation https://github.com/osquery/osquery/blob/master/osquery/tables/applications/posix/docker.cpp

Which version of docker @Zweasta. Also Linux or macOS?

@Seshu

Docker version 19.03.5, build 633a0ea

Linux: CentOS

Does this show any output (because this is what Osquery does via code):

sudo curl -s --unix-socket /var/run/docker.sock -H 'Content-Type: application/json' <http://localhost/containers/json> | jq ".[] | .Ports"

-bash: jq: command not found

(23) Failed writing body

This the the output

You have to install

jq

. Or skip the pipe and redirect the output to a file. Look for

Ports

in each entry

[] [] Here is the output, after installing jq

That means docker is not reporting any ports for the two containers you have. Do you see any under Ports column when running docker CLI:

docker ps

docker inspect --format '{{.Config.ExposedPorts}}' container-id

For this command I got output as:

map[27017/tcp:{}]

for one of the containers similarly, I have one port reporting for my other container

If you have

EXPOSE

in your

Dockerfile

that should show up in

docker_container_ports

in

port

column. When the container is run, if the container port is mapped to a host port, then

host_ip

and

host_port

will be non-empty.

So, you are saying, I don't have expose in my Dockerfile ?

• If

EXPOSE

exists in

Dockerfile

, you should see a row in

docker_container_ports

even if no process is listening on that port • Whether

EXPOSE

exists or not in Dockerfile, if you use

-p/--publish

option when running the container, that should show up in

docker_container_ports

. In this case host_ip and host_port should not be empty

So, is there any way to figure out my issue here ?

You have to debug why docker is not reporting Ports (curl + jq). Nothing to do with Osquery.

okay.. Thanks for pointing in the right direction!🙂