DEV Community

Felix Terkhorn
Felix Terkhorn

Posted on • Updated on

Privileged mode: Running ctop in docker under SELinux

Some programs like ctop are nice to run using docker containers, so that you don't have to manually download a binary and copy it into /usr/local/bin, where it will sit in a sad little corner, unmanaged by apt or yum.

GitHub logo bcicen / ctop

Top-like interface for container metrics

ctop

release homebrew macports

Top-like interface for container metrics

ctop provides a concise and condensed overview of real-time metrics for multiple containers:

ctop

as well as a single container view for inspecting a specific container.

ctop comes with built-in support for Docker and runC; connectors for other container and cluster systems are planned for future releases.

Install

Fetch the latest release for your platform:

Debian/Ubuntu

Maintained by a third party

echo "deb http://packages.azlux.fr/debian/ buster main" | sudo tee /etc/apt/sources.list.d/azlux.list
wget -qO - https://azlux.fr/repo.gpg.key | sudo apt-key add -
sudo apt update
sudo apt install docker-ctop
Enter fullscreen mode Exit fullscreen mode

Arch

ctop is available for Arch in the AUR

Linux (Generic)

sudo wget https://github.com/bcicen/ctop/releases/download/v0.7.7/ctop-0.7.7-linux-amd64 -O /usr/local/bin/ctop
sudo chmod +x /usr/local/bin/ctop
Enter fullscreen mode Exit fullscreen mode

OS X

brew install ctop
Enter fullscreen mode Exit fullscreen mode

or

sudo port install ctop
Enter fullscreen mode Exit fullscreen mode

or

sudo curl -Lo /usr/local/bin/ctop https://github.com/bcicen/ctop/releases/download/v0.7.7/ctop-0.7.7-darwin-amd64
sudo chmod +x /usr/local/bin/ctop
Enter fullscreen mode Exit fullscreen mode

Docker

docker run --rm -ti \
  --name=ctop \
  --volume /var/run/docker.sock:/var/run/docker.sock:ro \
  quay.io/vektorlab/ctop:latest
Enter fullscreen mode Exit fullscreen mode

Building

Build steps can be found…

But if you run an SELinux-enabled distribution, you'll find that running ctop as the documentation suggests, fails:

docker run --rm -ti \
  --name=ctop \
  --volume /var/run/docker.sock:/var/run/docker.sock:ro \
  quay.io/vektorlab/ctop:latest
Enter fullscreen mode Exit fullscreen mode

🐳 🐳 🐳

ctop - error ───────
  β”‚                                                                                 β”‚
  β”‚  [12:54:15 UTC] attempting to reconnect...                                      β”‚
  β”‚                                                                                 β”‚
  β”‚  [12:54:16 UTC] Get http://unix.sock/info: dial unix /var/run/docker.sock: con  β”‚
  β”‚  nect: permission denied                                               
Enter fullscreen mode Exit fullscreen mode

What's going on here? Presumably SELinux is blocking the ctop container's access to information necessary for monitoring the other containers.

The Fix

Luckily, there's a very easy fix for this! You can just run the ctop container in privileged mode:

docker run --privileged --rm -ti  \
  --name=ctop   \
  --volume /var/run/docker.sock:/var/run/docker.sock:ro   quay.io/vektorlab/ctop:latest
Enter fullscreen mode Exit fullscreen mode

Now you can see all your favorite containers, interact with their log interfaces, dip into their shells, etc:

  ctop - 12:57:42 UTC   8 containers

     NAME        CID         CPU         MEM         NET RX/TX   IO R/W      PIDS

   β—‰  bugout_bot… 8f84fe3983…      1%       2M / 944M 19M / 16M   1M / 0B     6
   β—‰  bugout_bug… 16f1479be4…      0%       3M / 944M 1M / 1M     6M / 0B     5
   β—‰  bugout_gat… fc951914df…      0%       3M / 944M 56M / 35M   256K / 0B   21
Enter fullscreen mode Exit fullscreen mode

Top comments (0)