Privileged mode: Running ctop in docker under SELinux

terkwood profile image Felix Terkhorn Updated on ・1 min read

Some programs like ctop are nice to run using docker containers, so that you don't have to manually download a binary and copy it into /usr/local/bin, where it will sit in a sad little corner, unmanaged by apt or yum.

GitHub logo bcicen / ctop

Top-like interface for container metrics


release homebrew

Top-like interface for container metrics

ctop provides a concise and condensed overview of real-time metrics for multiple containers:


as well as an single container view for inspecting a specific container.

ctop comes with built-in support for Docker and runC; connectors for other container and cluster systems are planned for future releases.


Fetch the latest release for your platform:


sudo wget https://github.com/bcicen/ctop/releases/download/v0.7.3/ctop-0.7.3-linux-amd64 -O /usr/local/bin/ctop
sudo chmod +x /usr/local/bin/ctop


brew install ctop


sudo curl -Lo /usr/local/bin/ctop https://github.com/bcicen/ctop/releases/download/v0.7.3/ctop-0.7.3-darwin-amd64
sudo chmod +x /usr/local/bin/ctop


docker run --rm -ti \
  --name=ctop \
  --volume /var/run/docker.sock:/var/run/docker.sock:ro \

ctop is also available for Arch in the AUR


Build steps can be found here.


ctop requires no arguments and uses Docker host variables by default. See connectors for further configuration options.

Config file

While running, use S to save the current filters, sort field, and other options to a default…

But if you run an SELinux-enabled distribution, you'll find that running ctop as the documentation suggests, fails:

docker run --rm -ti \
  --name=ctop \
  --volume /var/run/docker.sock:/var/run/docker.sock:ro \

🐳 🐳 🐳

ctop - error ───────
  β”‚                                                                                 β”‚
  β”‚  [12:54:15 UTC] attempting to reconnect...                                      β”‚
  β”‚                                                                                 β”‚
  β”‚  [12:54:16 UTC] Get http://unix.sock/info: dial unix /var/run/docker.sock: con  β”‚
  β”‚  nect: permission denied                                               

What's going on here? Presumably SELinux is blocking the ctop container's access to information necessary for monitoring the other containers.

The Fix

Luckily, there's a very easy fix for this! You can just run the ctop container in privileged mode:

docker run --privileged --rm -ti  \
  --name=ctop   \
  --volume /var/run/docker.sock:/var/run/docker.sock:ro   quay.io/vektorlab/ctop:latest

Now you can see all your favorite containers, interact with their log interfaces, dip into their shells, etc:

  ctop - 12:57:42 UTC   8 containers

     NAME        CID         CPU         MEM         NET RX/TX   IO R/W      PIDS

   β—‰  bugout_bot… 8f84fe3983…      1%       2M / 944M 19M / 16M   1M / 0B     6
   β—‰  bugout_bug… 16f1479be4…      0%       3M / 944M 1M / 1M     6M / 0B     5
   β—‰  bugout_gat… fc951914df…      0%       3M / 944M 56M / 35M   256K / 0B   21

Posted on May 13 by:

terkwood profile

Felix Terkhorn


Independent software producer specialized in data and distributed systems. Past: tech lead for Disney+ DRM (NYC), consulting and contracting (NYC), startup scene, Salesforce, full-time lab staff.


markdown guide