Table: docker_container - Query Docker Containers using SQL
Docker Containers are a standard unit of software that packages up code and all its dependencies so the application runs quickly and reliably from one computing environment to another. With Docker, you can manage your infrastructure in the same ways you manage your applications. It provides a consistent and reproducible environment isolated from other applications.
Table Usage Guide
The docker_container
table provides insights into Docker Containers within Docker. As a DevOps engineer, explore container-specific details through this table, including the container's ID, image, command, created time, status, and more. Utilize it to uncover information about containers, such as those with specific configurations, the status of the containers, and the verification of container isolation.
Examples
List all containers
Explore all active containers in your Docker environment to manage and monitor your applications more effectively. This helps in identifying potential issues and understanding the overall status of your applications.
select *from docker_container;
select *from docker_container;
List running containers
Discover the segments that are actively running within your Docker environment. This can help you manage resources and troubleshoot issues more effectively.
select id, namesfrom docker_containerwhere state = 'running';
select id, namesfrom docker_containerwhere state = 'running';
Find a container by name
Discover the segments that correspond to a specific container name within your Docker environment. This allows you to quickly locate and analyze the details of a particular container, enhancing your overall management and oversight of your Docker resources.
select *from docker_containerwhere names ? '/practical_austin';
Error: SQLite does not support the '?' operator for JSON objects.
List containers which do not have a health check configured
Identify instances where Docker containers may lack a health check configuration. This is useful to ensure all containers are functioning correctly and to maintain optimal system health.
select id, names, image, command, createdfrom docker_containerwhere config -> 'Healthcheck' is null;
select id, names, image, command, createdfrom docker_containerwhere json_extract(config, '$.Healthcheck') is null;
List containers with host network namespace shared
Explore which Docker containers share the host's network namespace. This is useful for understanding potential security risks, as such containers have access to all network interfaces and services running on the host machine.
select id, names, image, command, createdfrom docker_containerwhere inspect -> 'HostConfig' ->> 'NetworkMode' = 'host';
select id, names, image, command, createdfrom docker_containerwhere json_extract(inspect, '$.HostConfig.NetworkMode') = 'host';
Control examples
- CIS v1.6.0 > 4 Container Images and Build File Configuration > 4.6 Ensure that HEALTHCHECK instructions have been added to container images
- CIS v1.6.0 > 5 Container Runtime Configuration > 5.10 Ensure that the host's network namespace is not shared
- CIS v1.6.0 > 5 Container Runtime Configuration > 5.11 Ensure that the memory usage for containers is limited
- CIS v1.6.0 > 5 Container Runtime Configuration > 5.12 Ensure that CPU priority is set appropriately on containers
- CIS v1.6.0 > 5 Container Runtime Configuration > 5.13 Ensure that the container's root filesystem is mounted as read only
- CIS v1.6.0 > 5 Container Runtime Configuration > 5.15 Ensure that the 'on-failure' container restart policy is set to '5'
- CIS v1.6.0 > 5 Container Runtime Configuration > 5.16 Ensure that the host's process namespace is not shared
- CIS v1.6.0 > 5 Container Runtime Configuration > 5.17 Ensure that the host's IPC namespace is not shared
- CIS v1.6.0 > 5 Container Runtime Configuration > 5.18 Ensure that host devices are not directly exposed to containers
- CIS v1.6.0 > 5 Container Runtime Configuration > 5.19 Ensure that the default ulimit is overwritten at runtime if needed
- CIS v1.6.0 > 5 Container Runtime Configuration > 5.2 Ensure that, if applicable, an AppArmor Profile is enabled
- CIS v1.6.0 > 5 Container Runtime Configuration > 5.20 Ensure mount propagation mode is not set to shared
- CIS v1.6.0 > 5 Container Runtime Configuration > 5.21 Ensure that the host's UTS namespace is not shared
- CIS v1.6.0 > 5 Container Runtime Configuration > 5.22 Ensure the default seccomp profile is not Disabled
- CIS v1.6.0 > 5 Container Runtime Configuration > 5.25 Ensure that cgroup usage is confirmed
- CIS v1.6.0 > 5 Container Runtime Configuration > 5.26 Ensure that the container is restricted from acquiring additional privileges
- CIS v1.6.0 > 5 Container Runtime Configuration > 5.29 Ensure that the PIDs cgroup limit is used
- CIS v1.6.0 > 5 Container Runtime Configuration > 5.31 Ensure that the host's user namespaces are not shared
- CIS v1.6.0 > 5 Container Runtime Configuration > 5.5 Ensure that privileged containers are not used
- CIS v1.6.0 > 5 Container Runtime Configuration > 5.6 Ensure sensitive host system directories are not mounted on containers
Schema for docker_container
Name | Type | Operators | Description |
---|---|---|---|
_ctx | jsonb | Steampipe context in JSON form, e.g. connection_name. | |
command | text | Main command running in the container. | |
config | jsonb | Config contains the configuration data about a container. | |
created | timestamp with time zone | Time when the container was created. | |
host_config | jsonb | Host configuration for the container. | |
id | text | ID of the container. | |
image | text | Name of the image for the container. | |
image_id | text | ID of the image for the container. | |
inspect | jsonb | Container Inspect returns the container information. | |
labels | jsonb | Labels for the container. | |
mounts | jsonb | Volume mounts for the container. | |
names | jsonb | Names assigned to the container. | |
network_settings | jsonb | Network settings for the container. | |
ports | jsonb | Ports open for the container. | |
size_root_fs | bigint | ||
size_rw | bigint | ||
state | text | State of the container: running, restarting, etc. | |
status | text | Status message from the container. |
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh
script:
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- docker
You can pass the configuration to the command with the --config
argument:
steampipe_export_docker --config '<your_config>' docker_container