Skip to content

[chore][processor/resourcedetection][receiver/docker_stats] Update documentation about docker socket permissions#44923

Merged
atoulme merged 3 commits into
open-telemetry:mainfrom
paulojmdias:chore/11791
Jan 8, 2026
Merged

[chore][processor/resourcedetection][receiver/docker_stats] Update documentation about docker socket permissions#44923
atoulme merged 3 commits into
open-telemetry:mainfrom
paulojmdias:chore/11791

Conversation

@paulojmdias

Copy link
Copy Markdown
Member

Description

Update documentation to reflect the permission needed to interact with the Docker socket in processor/resourcedetection and receiver/docker_stats

Link to tracking issue

Fixes #11791

…cumentation about docker socket permissions

Signed-off-by: Paulo Dias <[email protected]>
getent group docker

# Linux example - Run with docker group (replace 999 with your docker group GID)
docker run --group-add 999 \

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does this add to group 999 on host or in container? Do you need to think about user namespace mapping etc, or does is it all handled?

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I added a note about user namespaces. PTAL

Comment thread receiver/dockerstatsreceiver/README.md Outdated
#### Alternative Approaches

For enhanced security, consider:
- Using a Docker API proxy that restricts access to only required endpoints

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we have a recommended example of a docker API proxy?

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@jamesmoessis Maybe the one refered on the issue https://github.com/Tecnativa/docker-socket-proxy

I added it as an example. I'm not sure if we should explicitly recommend one.

Comment thread receiver/dockerstatsreceiver/README.md Outdated

For enhanced security, consider:
- Using a Docker API proxy that restricts access to only required endpoints
- Running this receiver in an isolated collector instance with elevated privileges, forwarding metrics to your main collector via OTLP

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

IMO, a container with elevated privileges should not expose receiver ports (e.g. OTLP, zipkin ports) as the risk of RCE is higher when ports are exposed (thinking log4J type vulnerability). If a container is elevated to collect host metrics, best practise IMO would be to have a separate container that receives push.

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is what this item is technically recommending. But I updated the item to be more explicit. PTAL

Signed-off-by: Paulo Dias <[email protected]>
Signed-off-by: Paulo Dias <[email protected]>
@github-actions

Copy link
Copy Markdown
Contributor

This PR was marked stale due to lack of activity. It will be closed in 14 days.

@paulojmdias

Copy link
Copy Markdown
Member Author

@jamesmoessis, could you please take a look at this again? Thank you 🙏

@jamesmoessis

Copy link
Copy Markdown
Contributor

@paulojmdias apologies for the delay, taking a look today

@jamesmoessis jamesmoessis left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM 👍

@paulojmdias

Copy link
Copy Markdown
Member Author

No need to apologize, many Thanks @jamesmoessis 🙏

@paulojmdias paulojmdias added ready to merge Code review completed; ready to merge by maintainers and removed waiting-for-code-owners labels Jan 8, 2026
@atoulme
atoulme merged commit a189ac5 into open-telemetry:main Jan 8, 2026
207 of 212 checks passed
@github-actions github-actions Bot added this to the next release milestone Jan 8, 2026
@paulojmdias
paulojmdias deleted the chore/11791 branch January 8, 2026 21:32
mbdeveci pushed a commit to mbdeveci/opentelemetry-collector-contrib that referenced this pull request Jan 12, 2026
…cumentation about docker socket permissions (open-telemetry#44923)

<!--Ex. Fixing a bug - Describe the bug and how this fixes the issue.
Ex. Adding a feature - Explain what this achieves.-->
#### Description

Update documentation to reflect the permission needed to interact with
the Docker socket in processor/resourcedetection and
receiver/docker_stats

<!-- Issue number (e.g. open-telemetry#1234) or full URL to issue, if applicable. -->
#### Link to tracking issue
Fixes open-telemetry#11791

---------

Signed-off-by: Paulo Dias <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

processor/resourcedetection Resource detection processor ready to merge Code review completed; ready to merge by maintainers receiver/dockerstats

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[processor/resourcedetection], [receiver/dockerstats] Collector cannot query Docker socket in official contrib images

6 participants