Osquery uses basic SQL commands to leverage a relational data-model to describe a device.

osquery

`sudo osqueryi --json 'select * from docker_container_ports'`  is not showing any output even though there are docker ports associated with host ports.. Any idea ?

I don’t know how Osquery does it under the hood but Osquery might be attempting to access the Docker unix socket.

I would check that the user Osquery is running under has the proper permissions to access it.

Try running `sudo usermod -aG docker $USER`

<@U6GKV8TQQ> I did `sudo usermod -aG docker $USER` but its still not showing any ports..

(1) what if you try with `--verbose`
(2) does `docker_containers` work?

<@U09M563C7>
(1) No useful logs related to the query (empty output for the query)
(2) Yes

That's about the extent of my debugging skills :stuck_out_tongue:, other than `strace` and seeing what is going wrong or if this is expected. <@U4RTY3JFP> is the original author (may be a good SME) and here's the code implementation <https://github.com/osquery/osquery/blob/master/osquery/tables/applications/posix/docker.cpp>

Which version of docker <@U014VH7NQ66>. Also Linux or macOS?

<@U4RTY3JFP> `Docker version 19.03.5, build 633a0ea`
`Linux: CentOS`

Does this show any output (because this is what Osquery does via code):
```sudo curl -s --unix-socket /var/run/docker.sock -H 'Content-Type: application/json' <http://localhost/containers/json> | jq ".[] | .Ports"```

`-bash: jq: command not found`
`(23) Failed writing body`
This the the output

You have to install `jq`. Or skip the pipe and redirect the output to a file. Look for `Ports` in each entry

[]
[]
Here is the output, after installing jq

That means docker is not reporting any ports for the two containers you have. Do you see any under Ports column when running docker CLI: `docker ps`

`docker inspect --format '{{.Config.ExposedPorts}}' container-id`
For this command I got output as: `map[27017/tcp:{}]` for one of the containers
similarly, I have one port reporting for my other container

If you have `EXPOSE` in your `Dockerfile` that should show up in `docker_container_ports` in `port` column. When the container is run, if the container port is mapped to a host port, then `host_ip` and `host_port` will be non-empty.

So, you are saying, I don't have expose in my Dockerfile ?

• If `EXPOSE` exists in `Dockerfile`, you should see a row in `docker_container_ports` even if no process is listening on that port
• Whether `EXPOSE` exists or not in Dockerfile, if you use `-p/--publish` option when running the container, that should show up in `docker_container_ports` . In this case host_ip and host_port should not be empty

So, is there any way to figure out my issue here ?

You have to debug why docker is not reporting Ports (curl + jq). Nothing to do with Osquery.

okay.. Thanks for pointing in the right direction!:slightly_smiling_face: