Overview
IncidentFox provides 15 Docker tools for comprehensive container debugging, including logs, stats, exec, and inspection capabilities.
| Tool | Description |
|---|---|
| docker_ps | List running containers |
| docker_logs | Fetch container logs |
| docker_inspect | Inspect container configuration |
| docker_stats | Get container resource usage |
| docker_top | Show running processes in container |
| docker_events | Stream Docker events |
| docker_diff | Show filesystem changes in container |
| docker_exec | Execute command in running container |
| docker_images | List Docker images |
| docker_networks | List Docker networks |
| docker_volumes | List Docker volumes |
| docker_compose_ps | List Compose services |
| docker_compose_logs | Get Compose service logs |
| docker_health | Check container health status |
| docker_port | Show port mappings |
Configuration
Local Docker Socket
{
  "tools": {
    "docker": {
      "enabled": true,
      "socket": "/var/run/docker.sock"
    }
  }
}
Remote Docker API
{
  "tools": {
    "docker": {
      "enabled": true,
      "host": "tcp://docker-host:2376",
      "tls_verify": true,
      "cert_path": "/path/to/certs"
    }
  }
}
Example Queries
Check Container Status
@incidentfox what containers are running on the app server?
Get Container Logs
@incidentfox show me logs from the nginx container for the last 30 minutes
Check Resource Usage
@incidentfox what is the CPU and memory usage of the api container?
Execute Diagnostic Command
@incidentfox run 'netstat -an' in the web container
The docker_exec tool is disabled by default and must be explicitly enabled, because it executes commands inside running containers.
Use Cases
Container Health Investigation
When a container is unhealthy:
- Check container status with docker_ps
- Review logs with docker_logs
- Inspect configuration with docker_inspect
- Check resource usage with docker_stats
Network Debugging
For connectivity issues:
- List networks with docker_networks
- Inspect container network settings
- Use docker_exec to run network diagnostics
Resource Exhaustion
When containers are slow or crashing:
- Check docker_stats for CPU/memory usage
- Review docker_events for OOM kills
- Analyze docker_diff for unexpected file changes
Security Considerations
Principle of Least Privilege
| Tool | Risk Level | Recommendation |
|---|---|---|
| docker_ps, docker_logs | Low | Enable by default |
| docker_stats, docker_inspect | Low | Enable by default |
| docker_exec | High | Require approval workflow |
| docker_events | Medium | Enable with monitoring |
Approval Workflow for Exec
{
  "tools": {
    "docker_exec": {
      "enabled": true,
      "require_approval": true,
      "allowed_commands": ["ps", "netstat", "cat /etc/hosts"]
    }
  }
}
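The page does not say how allowed_commands entries are matched against a requested command. The following is an added example, not IncidentFox code, of one strict way to enforce such a list, shown next to a plain prefix match for contrast. The matching rules are assumptions: an entry must match the leading tokens exactly, any remaining arguments must be short flags, and shell metacharacters are refused.

```python
import re
import shlex

# Allowlist copied from the docker_exec config example on this page.
ALLOWED_COMMANDS = ["ps", "netstat", "cat /etc/hosts"]

# Assumed policy: anything a shell would interpret is refused outright.
SHELL_META = re.compile(r"[;&|`$<>(){}\\\n\r*?~!#]")
# Assumed policy: trailing arguments may only be short flag clusters (-an).
SHORT_FLAGS = re.compile(r"-[A-Za-z0-9]+")


def naive_allowed(command, allowed=ALLOWED_COMMANDS):
    """Weak check shown for contrast: plain string-prefix matching."""
    return any(command.startswith(entry) for entry in allowed)


def validate_exec(command, allowed=ALLOWED_COMMANDS):
    """Return the argv list to run, or raise ValueError with the reason."""
    if SHELL_META.search(command):
        raise ValueError("shell metacharacter in command")
    try:
        argv = shlex.split(command)
    except ValueError as exc:  # unbalanced quotes
        raise ValueError(f"unparseable command: {exc}") from exc
    if not argv:
        raise ValueError("empty command")
    for entry in allowed:
        prefix = shlex.split(entry)
        # Whole-token comparison, so "psql" never matches the entry "ps".
        if argv[:len(prefix)] == prefix and all(
                SHORT_FLAGS.fullmatch(arg) for arg in argv[len(prefix):]):
            return argv  # pass this list to exec as-is, never through `sh -c`
    raise ValueError(f"{command!r} does not match any allowlist entry")


def is_allowed(command):
    """Boolean wrapper around validate_exec for use in an approval gate."""
    try:
        validate_exec(command)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample requests, not taken from a real incident.
    for cmd in ["netstat -an", "cat /etc/hosts", "psql -l",
                "ps; id", "cat /etc/hosts /etc/passwd"]:
        print(f"{cmd!r:32} naive={naive_allowed(cmd)!s:5} strict={is_allowed(cmd)}")
```

Restricting extra arguments to short flags is still coarse; a per-command list of permitted flags is stricter where the set of diagnostics is known in advance.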
Troubleshooting
Permission Denied
Error: permission denied while trying to connect to Docker socket
Solutions:
- Add the IncidentFox service user to the docker group
- Use TCP API with proper authentication
- Use sudo with proper configuration
Container Not Found
Ensure container names or IDs are correct. Use docker_ps to list available containers.
Next Steps