[chore][processor/resourcedetection][receiver/docker_stats] Update documentation about docker socket permissions#44923
Conversation
…cumentation about docker socket permissions Signed-off-by: Paulo Dias <[email protected]>
| getent group docker | ||
|
|
||
| # Linux example - Run with docker group (replace 999 with your docker group GID) | ||
| docker run --group-add 999 \ |
There was a problem hiding this comment.
Does this add to group 999 on host or in container? Do you need to think about user namespace mapping etc, or does is it all handled?
There was a problem hiding this comment.
I added a note about user namespaces. PTAL
| #### Alternative Approaches | ||
|
|
||
| For enhanced security, consider: | ||
| - Using a Docker API proxy that restricts access to only required endpoints |
There was a problem hiding this comment.
Do we have a recommended example of a docker API proxy?
There was a problem hiding this comment.
@jamesmoessis Maybe the one refered on the issue https://github.com/Tecnativa/docker-socket-proxy
I added it as an example. I'm not sure if we should explicitly recommend one.
|
|
||
| For enhanced security, consider: | ||
| - Using a Docker API proxy that restricts access to only required endpoints | ||
| - Running this receiver in an isolated collector instance with elevated privileges, forwarding metrics to your main collector via OTLP |
There was a problem hiding this comment.
IMO, a container with elevated privileges should not expose receiver ports (e.g. OTLP, zipkin ports) as the risk of RCE is higher when ports are exposed (thinking log4J type vulnerability). If a container is elevated to collect host metrics, best practise IMO would be to have a separate container that receives push.
There was a problem hiding this comment.
This is what this item is technically recommending. But I updated the item to be more explicit. PTAL
Signed-off-by: Paulo Dias <[email protected]>
Signed-off-by: Paulo Dias <[email protected]>
|
This PR was marked stale due to lack of activity. It will be closed in 14 days. |
|
@jamesmoessis, could you please take a look at this again? Thank you 🙏 |
|
@paulojmdias apologies for the delay, taking a look today |
|
No need to apologize, many Thanks @jamesmoessis 🙏 |
…cumentation about docker socket permissions (open-telemetry#44923) <!--Ex. Fixing a bug - Describe the bug and how this fixes the issue. Ex. Adding a feature - Explain what this achieves.--> #### Description Update documentation to reflect the permission needed to interact with the Docker socket in processor/resourcedetection and receiver/docker_stats <!-- Issue number (e.g. open-telemetry#1234) or full URL to issue, if applicable. --> #### Link to tracking issue Fixes open-telemetry#11791 --------- Signed-off-by: Paulo Dias <[email protected]>
Description
Update documentation to reflect the permission needed to interact with the Docker socket in processor/resourcedetection and receiver/docker_stats
Link to tracking issue
Fixes #11791