
Overview

IncidentFox provides 15 Docker tools for comprehensive container debugging, including logs, stats, exec, and inspection capabilities.

Tools Available

| Tool | Description |
| --- | --- |
| docker_ps | List running containers |
| docker_logs | Fetch container logs |
| docker_inspect | Inspect container configuration |
| docker_stats | Get container resource usage |
| docker_top | Show running processes in container |
| docker_events | Stream Docker events |
| docker_diff | Show filesystem changes in container |
| docker_exec | Execute command in running container |
| docker_images | List Docker images |
| docker_networks | List Docker networks |
| docker_volumes | List Docker volumes |
| docker_compose_ps | List Compose services |
| docker_compose_logs | Get Compose service logs |
| docker_health | Check container health status |
| docker_port | Show port mappings |

Configuration

Local Docker Socket

{
  "tools": {
    "docker": {
      "enabled": true,
      "socket": "/var/run/docker.sock"
    }
  }
}

Remote Docker API

{
  "tools": {
    "docker": {
      "enabled": true,
      "host": "tcp://docker-host:2376",
      "tls_verify": true,
      "cert_path": "/path/to/certs"
    }
  }
}

Example Queries

Check Container Status

@incidentfox what containers are running on the app server?

Get Container Logs

@incidentfox show me logs from the nginx container for the last 30 minutes

Check Resource Usage

@incidentfox what is the CPU and memory usage of the api container?

Execute Diagnostic Command

@incidentfox run 'netstat -an' in the web container

The docker_exec tool requires explicit enablement due to security implications. It’s disabled by default.

Use Cases

Container Health Investigation

When a container is unhealthy:
  1. Check container status with docker_ps
  2. Review logs with docker_logs
  3. Inspect configuration with docker_inspect
  4. Check resource usage with docker_stats

Network Debugging

For connectivity issues:
  1. List networks with docker_networks
  2. Inspect container network settings
  3. Use docker_exec to run network diagnostics

Resource Exhaustion

When containers are slow or crashing:
  1. Check docker_stats for CPU/memory usage
  2. Review docker_events for OOM kills
  3. Analyze docker_diff for unexpected file changes

Security Considerations

Principle of Least Privilege

| Tool | Risk Level | Recommendation |
| --- | --- | --- |
| docker_ps, docker_logs | Low | Enable by default |
| docker_stats, docker_inspect | Low | Enable by default |
| docker_exec | High | Require approval workflow |
| docker_events | Medium | Enable with monitoring |

Approval Workflow for Exec

{
  "tools": {
    "docker_exec": {
      "enabled": true,
      "require_approval": true,
      "allowed_commands": ["ps", "netstat", "cat /etc/hosts"]
    }
  }
}
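
This page does not say how allowed_commands entries are matched against a request. The following is an added example (not IncidentFox's code) of an allowlist check that compares tokenized argv instead of string prefixes, so a request such as `cat /etc/hosts; id` does not pass. The function names and the flag-only rule for extra arguments are assumptions.

```python
import re
import shlex
from typing import List, Optional

# Allowlist copied from the page's docker_exec configuration.
ALLOWED_COMMANDS = ["ps", "netstat", "cat /etc/hosts"]

# Assumed policy (not documented by IncidentFox): arguments beyond an
# allowlisted entry are accepted only if they are plain option flags.
FLAG = re.compile(r"-[A-Za-z0-9]+")


def naive_allowed(command: str) -> bool:
    """Weak check, shown for contrast: string prefix match."""
    return any(command.startswith(entry) for entry in ALLOWED_COMMANDS)


def validate_exec(command: str) -> Optional[List[str]]:
    """Return an argv list if the request is allowlisted, else None.

    The argv list is meant to be handed to exec without a shell, so
    ';', '|', '$()' and redirections are never interpreted.
    """
    try:
        argv = shlex.split(command)
    except ValueError:  # unbalanced quotes
        return None
    for entry in ALLOWED_COMMANDS:
        prefix = entry.split()
        extra = argv[len(prefix):]
        if argv[:len(prefix)] == prefix and all(FLAG.fullmatch(a) for a in extra):
            return argv
    return None


# Constructed sample requests, not taken from real traffic.
SAMPLES = ["netstat -an", "cat /etc/hosts", "cat /etc/hosts; id",
           "cat /etc/shadow", "psql -c", "ps -ef > /tmp/out"]

if __name__ == "__main__":
    for cmd in SAMPLES:
        print(f"{cmd!r:24} naive={naive_allowed(cmd)!s:5} argv={validate_exec(cmd)}")
```

Under this assumed policy `ps -ef` is accepted and `ps aux` is rejected, because `aux` is not written as a flag.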

Troubleshooting

Permission Denied

Error: permission denied while trying to connect to Docker socket
Solutions:
  1. Add the IncidentFox service user to the docker group (members of this group have root-equivalent control of the Docker host)
  2. Use TCP API with proper authentication
  3. Use sudo with proper configuration

Container Not Found

Ensure container names or IDs are correct. Use docker_ps to list available containers.
