Table: docker_container - Query Docker Containers using SQL
Docker Containers are a standard unit of software that packages up code and all its dependencies so the application runs quickly and reliably from one computing environment to another. With Docker, you can manage your infrastructure in the same ways you manage your applications. It provides a consistent and reproducible environment isolated from other applications.
Table Usage Guide
The docker_container table provides insights into Docker containers within Docker. As a DevOps engineer, explore container-specific details through this table, including the container's ID, image, command, created time, status, and more. Utilize it to uncover information about containers, such as those with specific configurations, the status of the containers, and the verification of container isolation.
Examples
List all containers
Explore all containers in your Docker environment, whatever their state, to manage and monitor your applications more effectively. This helps in identifying potential issues and understanding the overall status of your applications.

The same query works in PostgreSQL and SQLite:

```sql
select *
from docker_container;
```
List running containers
Discover the containers that are actively running within your Docker environment. This can help you manage resources and troubleshoot issues more effectively.

The same query works in PostgreSQL and SQLite:

```sql
select id, names
from docker_container
where state = 'running';
```
Find a container by name
Discover the container that corresponds to a specific container name within your Docker environment. This allows you to quickly locate and analyze the details of a particular container, enhancing your overall management and oversight of your Docker resources.

PostgreSQL:

```sql
select *
from docker_container
where names ? '/practical_austin';
```

SQLite: Error: SQLite does not support the '?' operator for JSON objects.
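SQLite can still match an element of the names array by expanding it with json_each. This is an added example, not from the plugin docs, and assumes (as the json_extract examples on this page do) that the names column is stored as JSON text in SQLite:

```sql
-- Added example: SQLite equivalent of the PostgreSQL `names ? '/practical_austin'` filter.
-- Assumes names is a JSON array stored as text, so json_each can expand it.
select *
from docker_container
where exists (
  select 1
  from json_each(docker_container.names)
  where json_each.value = '/practical_austin'
);
```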
List containers which do not have a health check configured
Identify instances where Docker containers may lack a health check configuration. This is useful to ensure all containers are functioning correctly and to maintain optimal system health.

PostgreSQL:

```sql
select id, names, image, command, created
from docker_container
where config -> 'Healthcheck' is null;
```

SQLite:

```sql
select id, names, image, command, created
from docker_container
where json_extract(config, '$.Healthcheck') is null;
```
List containers with host network namespace shared
Explore which Docker containers share the host's network namespace. This is useful for understanding potential security risks, as such containers have access to all network interfaces and services running on the host machine.

PostgreSQL:

```sql
select id, names, image, command, created
from docker_container
where inspect -> 'HostConfig' ->> 'NetworkMode' = 'host';
```

SQLite:

```sql
select id, names, image, command, created
from docker_container
where json_extract(inspect, '$.HostConfig.NetworkMode') = 'host';
```
Control examples
- 4.6 Ensure that HEALTHCHECK instructions have been added to container images
- 5.10 Ensure that the host's network namespace is not shared
- 5.11 Ensure that the memory usage for containers is limited
- 5.12 Ensure that CPU priority is set appropriately on containers
- 5.13 Ensure that the container's root filesystem is mounted as read only
- 5.15 Ensure that the 'on-failure' container restart policy is set to '5'
- 5.16 Ensure that the host's process namespace is not shared
- 5.17 Ensure that the host's IPC namespace is not shared
- 5.18 Ensure that host devices are not directly exposed to containers
- 5.19 Ensure that the default ulimit is overwritten at runtime if needed
- 5.2 Ensure that, if applicable, an AppArmor Profile is enabled
- 5.20 Ensure mount propagation mode is not set to shared
- 5.21 Ensure that the host's UTS namespace is not shared
- 5.22 Ensure the default seccomp profile is not Disabled
- 5.25 Ensure that cgroup usage is confirmed
- 5.26 Ensure that the container is restricted from acquiring additional privileges
- 5.29 Ensure that the PIDs cgroup limit is used
- 5.31 Ensure that the host's user namespaces are not shared
- 5.5 Ensure that privileged containers are not used
- 5.6 Ensure sensitive host system directories are not mounted on containers
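The controls above are listed by name only. As an added example (not the plugin's own code or the benchmark mod's control queries), here is one PostgreSQL query that evaluates several of them for every container in a single pass. It assumes the inspect column carries Docker's container-inspect JSON, so the HostConfig keys (Privileged, PidMode, IpcMode, UTSMode, ReadonlyRootfs, SecurityOpt, Memory, PidsLimit) and the mounts array (Source) follow the Docker Engine API.

```sql
-- Added example, not part of the plugin docs: score each container against
-- several of the CIS Docker Benchmark controls listed above.
-- Assumption: inspect holds Docker's container-inspect JSON, so the
-- HostConfig keys and the mounts array follow the Docker Engine API.
select
  id,
  names,
  image,
  -- 5.5: privileged containers are not used
  coalesce((inspect -> 'HostConfig' ->> 'Privileged')::boolean, false) as is_privileged,
  -- 5.16, 5.17, 5.21: host PID, IPC and UTS namespaces are not shared
  inspect -> 'HostConfig' ->> 'PidMode' = 'host' as shares_host_pid,
  inspect -> 'HostConfig' ->> 'IpcMode' = 'host' as shares_host_ipc,
  inspect -> 'HostConfig' ->> 'UTSMode' = 'host' as shares_host_uts,
  -- 5.13: root filesystem mounted read only
  coalesce((inspect -> 'HostConfig' ->> 'ReadonlyRootfs')::boolean, false) as rootfs_read_only,
  -- 5.26: no-new-privileges present in SecurityOpt (either spelling Docker accepts)
  coalesce(
    (inspect -> 'HostConfig' -> 'SecurityOpt') ? 'no-new-privileges'
    or (inspect -> 'HostConfig' -> 'SecurityOpt') ? 'no-new-privileges:true',
    false
  ) as no_new_privileges,
  -- 5.11: memory limit set (Memory is 0 when unlimited)
  coalesce((inspect -> 'HostConfig' ->> 'Memory')::bigint, 0) > 0 as memory_limited,
  -- 5.29: PIDs cgroup limit set (PidsLimit is null or 0 when unlimited)
  coalesce((inspect -> 'HostConfig' ->> 'PidsLimit')::bigint, 0) > 0 as pids_limited,
  -- 5.6: a sensitive host directory is bind-mounted into the container
  exists (
    select 1
    from jsonb_array_elements(mounts) as m
    where m ->> 'Source' in ('/', '/boot', '/dev', '/etc', '/lib', '/proc', '/sys', '/usr')
  ) as mounts_sensitive_host_dir
from docker_container
order by is_privileged desc, shares_host_pid desc;
```

Each boolean column is one pass/fail finding; a true in is_privileged, any shares_host_* column or mounts_sensitive_host_dir, or a false in rootfs_read_only, no_new_privileges, memory_limited or pids_limited, marks the corresponding control as failed for that container.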
Schema for docker_container

Name | Type | Operators | Description
---|---|---|---
_ctx | jsonb | | Steampipe context in JSON form, e.g. connection_name.
command | text | | Main command running in the container.
config | jsonb | | Config contains the configuration data about a container.
created | timestamp with time zone | | Time when the container was created.
host_config | jsonb | | Host configuration for the container.
id | text | | ID of the container.
image | text | | Name of the image for the container.
image_id | text | | ID of the image for the container.
inspect | jsonb | | Container Inspect returns the container information.
labels | jsonb | | Labels for the container.
mounts | jsonb | | Volume mounts for the container.
names | jsonb | | Names assigned to the container.
network_settings | jsonb | | Network settings for the container.
ports | jsonb | | Ports open for the container.
size_root_fs | bigint | |
size_rw | bigint | |
state | text | | State of the container: running, restarting, etc.
status | text | | Status message from the container.
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.

You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

```sh
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- docker
```

You can pass the configuration to the command with the --config argument:

```sh
steampipe_export_docker --config '<your_config>' docker_container
```