1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
|
# Copyright (C) 2014 Red Hat, Inc. Bryn M. Reeves <bmr@redhat.com>
# This file is part of the sos project: https://github.com/sosreport/sos
#
# This copyrighted material is made available to anyone wishing to use,
# modify, copy, or redistribute it subject to the terms and conditions of
# version 2 of the GNU General Public License.
#
# See the LICENSE file in the source distribution for further information.
from sos.report.plugins import (Plugin, RedHatPlugin, UbuntuPlugin,
SoSPredicate, CosPlugin)
class Docker(Plugin, CosPlugin):
short_desc = 'Docker containers'
plugin_name = 'docker'
profiles = ('container',)
option_list = [
("all", "enable capture for all containers, even containers "
"that have terminated", 'fast', False),
("logs", "capture logs for running containers",
'fast', False),
("size", "capture image sizes for docker ps", 'slow', False)
]
def setup(self):
self.add_copy_spec([
"/etc/docker/daemon.json",
"/var/lib/docker/repositories-*"
])
self.add_env_var([
'HTTP_PROXY',
'HTTPS_PROXY',
'NO_PROXY',
'ALL_PROXY',
'DOCKER_BUILD_PROXY',
'DOCKER_RUN_PROXY'
])
self.add_journal(units="docker")
self.add_cmd_output("ls -alhR /etc/docker")
self.set_cmd_predicate(SoSPredicate(self, services=["docker"]))
subcmds = [
'events --since 24h --until 1s',
'info',
'images',
'ps',
'ps -a',
'stats --no-stream',
'version',
'volume ls'
]
for subcmd in subcmds:
self.add_cmd_output("docker %s" % subcmd)
# separately grab these separately as they can take a *very* long time
if self.get_option('size'):
self.add_cmd_output('docker ps -as')
self.add_cmd_output('docker system df')
nets = self.collect_cmd_output('docker network ls')
if nets['status'] == 0:
n = [n.split()[1] for n in nets['output'].splitlines()[1:]]
for net in n:
self.add_cmd_output("docker network inspect %s" % net)
containers = [
c[0] for c in self.get_containers(runtime='docker',
get_all=self.get_option('all'))
]
images = self.get_container_images(runtime='docker')
volumes = self.get_container_volumes(runtime='docker')
for container in containers:
self.add_cmd_output("docker inspect %s" % container,
subdir='containers')
if self.get_option('logs'):
self.add_cmd_output("docker logs -t %s" % container,
subdir='containers')
for img in images:
name, img_id = img
insp = name if 'none' not in name else img_id
self.add_cmd_output("docker inspect %s" % insp, subdir='images')
for vol in volumes:
self.add_cmd_output("docker volume inspect %s" % vol,
subdir='volumes')
def postproc(self):
# Attempts to match key=value pairs inside container inspect output
# for potentially sensitive items like env vars that contain passwords.
# Typically, these will be seen in env elements or similar, and look
# like this:
# "Env": [
# "mypassword=supersecret",
# "container=oci"
# ],
# This will mask values when the variable name looks like it may be
# something worth obfuscating.
env_regexp = r'(?P<var>(pass|key|secret|PASS|KEY|SECRET).*?)=' \
'(?P<value>.*?)"'
self.do_cmd_output_sub('*inspect*', env_regexp,
r'\g<var>=********"')
class RedHatDocker(Docker, RedHatPlugin):
packages = ('docker', 'docker-latest', 'docker-io', 'docker-engine',
'docker-ce', 'docker-ee')
def setup(self):
super(RedHatDocker, self).setup()
self.add_copy_spec([
"/etc/udev/rules.d/80-docker.rules",
"/etc/containers/"
])
class UbuntuDocker(Docker, UbuntuPlugin):
packages = ('docker.io', 'docker-engine', 'docker-ce', 'docker-ee')
def setup(self):
super(UbuntuDocker, self).setup()
self.add_copy_spec([
"/etc/containerd/",
"/etc/default/docker",
"/run/docker/libcontainerd/containerd/events.log"
])
# vim: set et ts=4 sw=4 :
|
