
How can I create private key and certificate for the Docker sensor?

Votes:

0


When I want to add a Docker sensor to my PRTG server, PRTG asks me to provide a private key and a certificate to access my Docker instance. Where can I get these Docker credentials? How do I create a Docker certificate and private key?

certificate credentials docker private-key prtg sensor

Created on Nov 30, 2015 1:42:54 PM by  Gerald Schoch [Paessler Support]



8 Replies

Accepted Answer

Votes:

0


This article applies to PRTG Network Monitor 19 or later

Generating Docker Certificate and Private Key for PRTG

If you add the Docker Container Status sensor (available as of PRTG version 15.4.22) to PRTG, you will need to provide a Private Key and a Certificate to request monitoring data from Docker. This approach ensures a secure connection from PRTG to Docker, authenticated by a certificate signed by a trusted certificate authority (CA).

So before you add the sensor, create the certificate and keys with OpenSSL. See How can I use a trusted SSL certificate with the PRTG web interface? for how to install OpenSSL. Of course, if you already have Docker certificates available, you can use one of these.

Find detailed instructions to create Docker certificates and keys in the Docker documentation: Protect the Docker daemon socket.

Steps to Take

In general, you need to follow these steps:

  1. Generate CA private and public keys using OpenSSL.
  2. Create server key and certificate signing request (CSR).
    • Ensure that the Common Name matches the hostname used to connect to Docker.
  3. Sign the public key with the CA.
  4. Configure the Docker daemon to accept connections from clients that provide a trusted certificate from your CA, for example: $ dockerd -H tcp://0.0.0.0:2376 -H fd:// --tlsverify=true --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem $other_args
    • -H tcp://0.0.0.0:2376 makes the Docker API available for all external IP addresses on port 2376. This is the port number you have to provide in section Docker Credentials of the sensor settings.
    • -H fd:// makes the API locally available to get the Docker commands to work on the console.
    • --tlsverify=true defines that the access is SSL encrypted and that any connecting client has to authenticate.
    • The certificates and keys (ending with .pem) are used for authentication of the sensor.

For more details like the exact commands and what you have to additionally consider, see the Docker documentation.

Note: In older Docker versions, the string to accept connections was: $ docker daemon -H tcp://0.0.0.0:2376 -H fd:// --tlsverify=true --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem

Note: If you have any issues when creating certificates and keys for Docker, contact Docker support.

Add the Sensor to PRTG

Now you have everything ready to monitor your Docker containers:

  1. In the Add Sensor dialog, enter the number of the Port you made available for API calls, usually port 2376.
  2. Open the file with the private key that you created before (for example, key.pem) with a text editor. Copy everything that this file contains and paste it into the Private Key field in the sensor settings.
  3. Open the server certificate file (for example, cert.pem) with a text editor. Copy everything that this file contains and paste it into the Certificate field in the sensor settings.

Complete the Add Sensor dialog and PRTG will start to monitor the status of your desired Docker containers.

Created on Dec 2, 2015 6:14:27 PM by  Gerald Schoch [Paessler Support]

Last change on Jul 25, 2019 9:43:35 AM by  Maike Behnsen [Paessler Support]
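
The steps from the answer above (CA, server key and CSR, CA signature), sketched as a shell script; this is an added example, not code from Paessler or from the Docker documentation. The file names, the CA and client Common Names and the 365-day lifetime are assumptions, and the client pair is included because --tlsverify makes every connecting client present a certificate signed by the same CA.

```shell
#!/bin/sh
# Added example: private CA plus server and client certificates for dockerd --tlsverify.
# File names, CNs and the 365-day lifetime are assumptions, not PRTG or Docker requirements.
set -e

# Step 1: CA private key and self-signed CA certificate.
make_ca() {  # $1=dir $2=rsa-bits
    openssl genrsa -out "$1/ca-key.pem" "$2"
    openssl req -new -x509 -days 365 -sha256 -key "$1/ca-key.pem" \
        -subj "/CN=docker-demo-ca" -out "$1/ca.pem"
}

# Steps 2 and 3: key and CSR, then signature by the CA with the given extensions.
issue_cert() {  # $1=dir $2=rsa-bits $3=file-prefix $4=common-name $5=extensions
    openssl genrsa -out "$1/$3-key.pem" "$2"
    openssl req -new -sha256 -key "$1/$3-key.pem" -subj "/CN=$4" -out "$1/$3.csr"
    printf '%s\n' "$5" > "$1/$3.ext"
    openssl x509 -req -days 365 -sha256 -in "$1/$3.csr" \
        -CA "$1/ca.pem" -CAkey "$1/ca-key.pem" -CAcreateserial \
        -extfile "$1/$3.ext" -out "$1/$3-cert.pem"
    rm -f "$1/$3.csr" "$1/$3.ext"
}

# Runs in a subshell so the restrictive umask does not leak to the caller.
make_docker_tls() (  # $1=docker-hostname $2=out-dir $3=rsa-bits
    umask 077        # private keys readable by the owner only
    mkdir -p "$2"
    make_ca "$2" "$3"
    # CN and subjectAltName carry the hostname clients use to reach Docker.
    issue_cert "$2" "$3" server "$1" "subjectAltName = DNS:$1
extendedKeyUsage = serverAuth"
    issue_cert "$2" "$3" client demo-client "extendedKeyUsage = clientAuth"
)

# Succeeds only if both certificates chain to the CA for their purpose and the
# server certificate matches the hostname.
check_docker_tls() {  # $1=dir $2=docker-hostname
    openssl verify -CAfile "$1/ca.pem" -purpose sslserver \
        -verify_hostname "$2" "$1/server-cert.pem" >/dev/null 2>&1 &&
    openssl verify -CAfile "$1/ca.pem" -purpose sslclient \
        "$1/client-cert.pem" >/dev/null 2>&1
}

# Stand-alone use: sh docker-tls.sh <docker-hostname> <out-dir>
if [ "$#" -ge 2 ]; then
    make_docker_tls "$1" "$2" 4096 && check_docker_tls "$2" "$1" && echo "ok: $2"
fi
```

The check fails when the hostname passed to it differs from the one the server certificate was issued for, which is the mismatch the Common Name step warns about.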



Votes:

0


With the newer Docker versions ("dockerd" instead of "docker daemon") the string has to look like:

dockerd -H unix:///var/run/docker.sock -H tcp://0.0.0.0:2376 --tlsverify=true --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem $other_args

Successfully tested with Docker 17.12 on CentOS 7 and PRTG 18.1.36.3728+. Configured in /etc/systemd/system/docker.service.d/source-sysconfig.conf

Created on Feb 1, 2018 8:45:45 AM by  Mark Bendix (0)



Votes:

0


Thank you for the update, Mark! We added it to the article.

Created on Feb 1, 2018 6:03:03 PM by  Gerald Schoch [Paessler Support]



Votes:

0


Hello,

Forgive the perhaps dumb question, but can I also use a self-signed certificate? My docker-host is inside a private network without any connection to the big bad internet and therefore doesn't need a publicly recognized certificate...

Thanks, Jaap.

Created on Jun 20, 2018 7:01:34 AM by  Jaap Lelie (0)



Votes:

0


Hi there,

As long as the CA that issues the certificate is trusted by the server that PRTG runs on, you shouldn't run into any issues. Just make sure that the certificate and the root certificate from the CA are in the SYSTEM-Store of the PRTG Server.

Best regards.

Created on Jun 20, 2018 7:51:30 AM by  Dariusz Gorka [Paessler Support]



Votes:

0


Are there any plans to make docker monitoring easier to monitor?

Created on Sep 14, 2018 10:59:33 AM by  amaze (0) 1



Votes:

0


Hi there,

Currently there are no plans to develop this sensor further and to offer more options. The main reason is that the usage rate of this sensor is rather low.

Best regards.

Created on Sep 14, 2018 1:48:18 PM by  Dariusz Gorka [Paessler Support]



Votes:

1


Hi, is it possible to monitor a Docker node running in swarm mode? If it's possible to monitor just one or all of the nodes separately, how can I apply the TLS certificates to the swarm?

Thanks, Iroj

Created on Feb 14, 2019 3:19:15 AM by  IGurung (10)





Disclaimer: The information in the Paessler Knowledge Base comes without warranty of any kind. Use at your own risk. Before applying any instructions please exercise proper system administrator housekeeping. You must make sure that a proper backup of all your data is available.