Seccomp config
{
"defaultAction": "SCMP_ACT_ERRNO",
"syscalls": [
{
"names": ["read", "write", "exit", "sigreturn"],
"action": "SCMP_ACT_ALLOW"
}
]
}
AppArmor config
#include <tunables/global>
# AppArmor profile for an nginx container. AppArmor is default-deny for anything a
# profile does not list: as written there are no file rules and no abstractions/base
# include, so the confined process could not read its own binary, libraries or
# config — presumably a minimal illustration rather than a runnable profile; confirm
# by starting nginx under it.
# attach_disconnected: lets the profile mediate paths that are disconnected from the
# namespace root (common with container mounts); mediate_deleted: keep mediating
# files that were deleted after being opened.
profile docker-nginx-profile flags=(attach_disconnected,mediate_deleted) {
  # bind to privileged ports (< 1024), e.g. 80/443
  capability net_bind_service,
  # drop from root to the worker user
  capability setuid,
  # NOTE(review): denies every AF_INET (IPv4) socket, which contradicts granting
  # net_bind_service to a web server — confirm whether the intent is to block
  # networking entirely. inet6 is not covered by this rule.
  deny network inet,
}
Prometheus config
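# Prometheus scrape configuration for the cAdvisor container started below.
# Indentation restored: without it "global:" has no children and scrape_interval
# ends up as an unknown top-level key.
global:
  # how often every target is scraped
  scrape_interval: 15s

scrape_configs:
  # cAdvisor serves container metrics on 8080 with no authentication; the target is
  # reached by container name, so both containers need to share a Docker network.
  - job_name: 'cadvisor'
    static_configs:
      - targets: ['cadvisor:8080']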
Run cAdvisor
# Older cAdvisor launch from the Docker Hub image. As far as I know the google/cadvisor
# repository is no longer updated; prefer the gcr.io/cadvisor/cadvisor image used in the
# next command, and pin a release tag (:<VERSION>) instead of relying on :latest.
# Every host path is bind-mounted read-only so the container can observe but not modify
# them. Note that a read-only /var/run still allows connecting to docker.sock, so this
# container can reach the Docker API.
docker run \
  --detach \
  --name cadvisor \
  --publish 8080:8080 \
  --volume /:/rootfs:ro \
  --volume /var/run:/var/run:ro \
  --volume /sys:/sys:ro \
  --volume /var/lib/docker/:/var/lib/docker:ro \
  google/cadvisor
# Upstream-style cAdvisor launch (gcr.io image). This is an alternative to the command
# above, not an addition to it: both use --name cadvisor and host port 8080, so only one
# of them can run. Pin a release tag (gcr.io/cadvisor/cadvisor:<VERSION>) rather than
# relying on :latest.
# --privileged hands the container every capability and unrestricted device access; the
# upstream README example uses it together with /dev/kmsg so that all metrics can be
# collected, but it turns any compromise of this container into host compromise — check
# which metrics you actually need before keeping it.
# All bind mounts are read-only; a read-only /var/run still permits connecting to
# docker.sock, so the container can talk to the Docker API.
sudo docker run -d \
  --name cadvisor \
  --privileged \
  --device /dev/kmsg \
  -p 8080:8080 \
  -v /:/rootfs:ro \
  -v /var/run:/var/run:ro \
  -v /sys:/sys:ro \
  -v /var/lib/docker/:/var/lib/docker:ro \
  -v /dev/disk/:/dev/disk:ro \
  gcr.io/cadvisor/cadvisor
Docker Daemon Config
{
"log-driver": "json-file",
"log-opts": {
"max-size": "10m",
"max-file": "3"
}
}
Logstash.conf
# Tail every container's json-file log; the host directory is bind-mounted read-only
# into the Logstash container by the run command below.
input {
  file {
    path => "/var/lib/docker/containers/*/*.log"
    # Keep no read offsets (/dev/null) and read each file from its start: every
    # Logstash restart re-ingests all logs and produces duplicate events in
    # Elasticsearch. Fine for a demo; use a persistent sincedb_path otherwise.
    sincedb_path => "/dev/null"
    start_position => "beginning"
  }
}
# Docker's json-file driver writes one JSON object per line; parse it out of the raw
# "message" field so its keys (log, stream, time) become event fields.
filter {
  json {
    source => "message"
  }
}
# Index the parsed events in the Elasticsearch container, one index per day.
# Plain HTTP with no credentials: acceptable only because both containers sit on the
# private "logs" Docker network and Elasticsearch itself runs without authentication here.
output {
  elasticsearch {
    index => "docker-logs-%{+YYYY.MM.dd}"
    hosts => ["http://elasticsearch:9200"]
  }
}
Run Logstash, Elasticsearch and Kibana
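# Logstash, running the pipeline above against the host's Docker json-file logs.
# The host path is quoted so a working directory containing spaces still works, and the
# pipeline file is mounted read-only since Logstash only needs to read it.
# Port 5000 is published although the pipeline defines only a file input; drop the -p
# mapping unless a tcp/udp input on 5000 is added, otherwise it is an unused listener
# reachable on every host interface.
docker run -d --name logstash -p 5000:5000 \
  -v "$(pwd)/logstash.conf:/usr/share/logstash/pipeline/logstash.conf:ro" \
  -v /var/lib/docker/containers:/var/lib/docker/containers:ro \
  logstash:7.9.3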
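# Elasticsearch 7.9.3 in single-node mode. "elastic:7.9.3" looks like a typo — the Docker
# Hub library image is "elasticsearch" — so the official image name is used here.
# With X-Pack security left at its 7.x default (off) the HTTP API on 9200 has no
# authentication; -p publishes it on every host interface. Bind it to
# 127.0.0.1:9200:9200, or omit the mapping entirely, when only the containers on the
# "logs" network need to reach it.
docker run -d --name elasticsearch -p 9200:9200 -e "discovery.type=single-node" elasticsearch:7.9.3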
# Kibana UI, pointed at the Elasticsearch container by name (resolvable once both are
# on the "logs" network). Port 5601 is published on every host interface with no
# authentication in front of it (the 7.x default) — bind it to 127.0.0.1:5601:5601 or
# place it behind an authenticating proxy if the host is reachable from elsewhere.
docker run --detach \
  --name kibana \
  --publish 5601:5601 \
  --env "ELASTICSEARCH_HOSTS=http://elasticsearch:9200" \
  kibana:7.9.3
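# Put the three containers on one user-defined bridge network so they resolve each other
# by container name (the pipeline's "http://elasticsearch:9200" and Kibana's
# ELASTICSEARCH_HOSTS depend on this). The create is made idempotent so re-running the
# steps does not fail on an already existing network; the connects are unchanged.
# Creating the network first and starting each container with --network logs would avoid
# the window in which logstash and kibana cannot resolve elasticsearch and keep retrying.
docker network inspect logs >/dev/null 2>&1 || docker network create logs
docker network connect logs logstash
docker network connect logs elasticsearch
docker network connect logs kibana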