When I want to add a Docker sensor to my PRTG server, PRTG asks me to provide a private key and a certificate to access my Docker instance. Where can I get these Docker credentials? How do I create a Docker certificate and private key?
This article applies to PRTG Network Monitor 19 or later
Generating Docker Certificate and Private Key for PRTG
If you add the Docker Container Status sensor (available as of PRTG version 15.4.22) to PRTG, you need to provide a Private Key and a Certificate to request monitoring data from Docker. This approach ensures a secure connection from PRTG to Docker, authenticated by a certificate signed by a trusted certificate authority (CA).
So before you add the sensor, create a certificate and keys with OpenSSL. See How can I use a trusted SSL certificate with the PRTG web interface? for how to install OpenSSL. Of course, if you already have Docker certificates available, you can use one of these.
Find detailed instructions on how to create Docker certificates and keys in the Docker documentation: Protect the Docker daemon socket.
Steps to Take
In general, you need to follow these steps:
- Generate the CA private and public keys using OpenSSL.
- Create the server key and certificate signing request (CSR).
- Ensure that the Common Name matches the hostname used to connect to Docker.
- Sign the public key with the CA.
- Configure the Docker daemon to accept connections from clients that provide a trusted certificate from your CA, for example:
$ dockerd -H tcp://0.0.0.0:2376 -H fd:// --tlsverify=true --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem $other_args
- -H tcp:0.0.0.0:2376 makes the Docker API available for all external IP addresses on port 2376. This is the port number you have to provide in section Docker Credentials of the sensor settings.
- -H fd:// makes the API locally available to get the Docker commands to work on the console.
- --tlsverify=true defines that the access is SSL encrypted and that any connecting client has to authenticate.
- The certificates and keys (ending with .pem) are used for the authentication of the sensor.
For more details like the exact commands and what you have to additionally consider, see the Docker documentation.
Note: In older Docker versions, the string to accept connections was:
$ docker daemon -H tcp://0.0.0.0:2376 -H fd:// --tlsverify=true --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem
Note: If you have any issues when creating certificates and keys for Docker, contact Docker support.
Add the Sensor in PRTG
Now you have everything ready to monitor your Docker containers:
- In the Add Sensor dialog, enter the number of the Port you made available for API calls, usually port 2376.
- Open the file with the private key that you created before (for example, key.pem) with a text editor. Copy everything that this file contains and paste it into the Private Key field in the sensor settings.
- Open the server certificate file (for example, cert.pem) with a text editor. Copy everything that this file contains and paste it into the Certificate field in the sensor settings.
Complete the Add Sensor dialog and PRTG will start to monitor the status of your desired Docker containers.
With the newer Docker versions ("dockerd" instead of "docker daemon") the string have to look like:
dockerd -H unix:///var/run/docker.sock -H tcp://0.0.0.0:2376 --tlsverify=true --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem $other_args
Successfully tested with Docker 17.12 on CentOS 7 and PRTG 126.96.36.19928+. Configured in /etc/systemd/system/docker.service.d/source-sysconfig.conf
Thank you for the update, Mark! We added it to the article.
Forgive the perhaps dumb question, but can I also use a self-signed certificate? My docker-host is inside a private network without any connection to the big bad internet and therefore doesn't need a publicly recognized certificate...
As long as the CA that issues the certificate is trusted from the server where PRTG runs on, then you shouldn't run into any issues. Just make sure that the certificate and the root certificate from the CA are in the SYSTEM-Store of the PRTG Server.
Are there any plans to make docker monitoring easier to monitor?
Currently there are no plans to develop this sensor further and to offer more options, the main reason is that the usage-rate of this sensor is rather low.
Hi, Is it possible to monitor a docker node running in swarm mode? If its possible to monitor just one or all of the node separately, how can I apply the tls certificates to the swarm?
Dear Paessler Please reconsider the above statement from the 14'th of september 2018. Docker and docker-compose is spreading like wildfire, it would be great to have a more smooth monitoring of dockers running. It would also be very nice to have a much better explained article than this, sorry, but it's very confusing especially when you don't remember openssl commands by heart. I still haven't gotten this to work, the docker daemon will not accept my config file, allthough it will start with the commandline, and next step with getting the selfsigned certifiate accepted is still not working. I can apparently not use a properly signed public certificate for this, or am I misunderstanding something?
Dear Kenneth Fribert,
thank you for your feedback. Docker gets more and more use, but as of now other features are in even higher demand for PRTG and thus prioritized. A self-signed certificate can only be used if the CA is considered trusted.
OK. I spent a couple of hours now trying to get the sensor to work.
Isn't there a detailed documentation out there? Something like a step by step? Thanks for your help.
Unfortunately, there are no additional guides for this.