Troubleshooting servers - ICDP internal

Various shell commands

(Continuation from sys-admin-docker.md)

All other containers can be checked with their friendly container name, e.g. mdis_php_grind_1:

On wb45 run:

sudo -u Nagios /etc/nagios3/conf.d/check_docker_by_ssh -c mdis_php_grind_1

If this doesn't work, then run on rz-vm412:

$HOME/bin/docker_nagios/dkc_status.sh -c mdis_php_grind_1

Expected output:

OK: mdis_php_grind_1 status is running

Based on script (produces slightly more output): $HOME/bin/docker_nagios/check_docker --connection /var/run/docker.sock --cpu 10:20 --timeout 4 2>/dev/null

Connect to Docker Daemon via encryption, TCP socket

Communications between Docker Host and Docker containers are insecure by default. It is recommended to encrypt the connections. Certificates and 3rd-Party Certificate Chain files are in

TBA 😃

Check if TCP socket connection is enabled for Docker daemon.

Port 2376 must be open. This port is the standard port for an encrypted TCP socket connection. For security reasons, it should only accept connections from localhost or from hosts that you trust.

The command sudo ufw status numbered should return a firewall rule that allows access to this port from the Nagios host.

[7] 2376 ALLOW IN 139.17.<...>
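The firewall check above can be automated. The following is an added example, not one of the ICDP scripts: a shell function that reads ufw status numbered output and confirms that port 2376 is only allowed from trusted sources, using the standard Nagios plugin exit codes (0 OK, 2 CRITICAL, 3 UNKNOWN). The function name audit_docker_port, the sample rules and the address 192.0.2.10 are constructed for illustration, and it assumes the To column holds a plain port or port/proto.

```shell
#!/bin/sh
# Added example: audit "ufw status numbered" output for the Docker TLS port.
# Real use: sudo ufw status numbered | audit_docker_port 2376 <nagios-host-ip>

# Constructed sample output (192.0.2.10 is a documentation address).
SAMPLE_UFW='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 7] 2376                       ALLOW IN    192.0.2.10
[ 8] 2376/tcp (v6)              ALLOW IN    Anywhere (v6)'

# $1 = port, remaining args = trusted source addresses. Reads rules on stdin.
audit_docker_port() (
    port=$1; shift
    awk -v port="$port" -v trusted="$*" '
        BEGIN { n = split(trusted, t, " "); for (i = 1; i <= n; i++) ok[t[i]] = 1 }
        /^\[ *[0-9]+\]/ {
            rule = $0
            sub(/^\[ *[0-9]+\] */, "")        # drop the "[ 7]" rule number
            split($1, to, "/")                 # "2376/tcp" -> "2376"
            if (to[1] != port) next
            for (i = 2; i <= NF; i++) if ($i == "ALLOW") break
            if (i > NF) next                   # DENY/REJECT rules do not open the port
            if ($(i + 1) == "OUT") next        # outbound rules are not relevant here
            src = ($(i + 1) == "IN") ? $(i + 2) : $(i + 1)
            seen++
            if (!(src in ok)) { bad++; print "WARN: " rule }
        }
        END {
            if (!seen) { print "UNKNOWN: no ALLOW rule for port " port; exit 3 }
            if (bad)   { print "CRITICAL: port " port " reachable from untrusted sources"; exit 2 }
            print "OK: port " port " only allowed from: " trusted
        }'
)

# Demo on the constructed sample: rule 8 allows any IPv6 source, so this is CRITICAL.
printf '%s\n' "$SAMPLE_UFW" | audit_docker_port 2376 192.0.2.10 || echo "exit code: $?"
```

The IPv6 rule is the case that is easy to miss when reading the rule list by eye: a restricted IPv4 rule does not help if a matching (v6) rule still allows Anywhere.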

Check if port is open:

# as root on localhost
nmap --open localhost

# or more specifically
sudo nmap -PN -sT -p 2376 139.17.229.12

PORT     STATE SERVICE
2376/tcp open  Docker

TLS/SSL

For encrypted communications, the certificates and keys must be stored in a directory. Alternatives are:

/etc/ssl/certs/       # Debian/Ubuntu standard dir
/usr/share/ca-certificates/       # for your own certificates
/usr/local/share/ca-certificates/ # and chain files

TBC