Mon-Proxy is a tool designed to filter Docker containers primarily for Zabbix Agent 2 in multi-tenant environments. It provides a solution for filtering Docker API requests based on container labels, enabling access control and monitoring capabilities. The Filtering is only concerned on /containers/json
every other GET request to the docker API will be proxied!
- Filter Docker container list requests based on container labels
- Support for multiple output sockets
- Seamless integration with existing tools -> every request other than listing containers just gets proxied
- Configurable through environment variables
- Docker
- Go 1.22 or higher
Clone the repository:
git clone https://github.com/yourusername/mon-proxy.git
cd mon-proxy
Build the Docker image:
docker build -t mon-proxy:latest .
Mon-Proxy is configured using environment variables. The main configuration setup can be found in:
func GetSocketConfigs() []proxy.ProxyConfig {
var configs []proxy.ProxyConfig
loop:
for i := 1; ; i++ {
destSocket := cfg.GetEnv(fmt.Sprintf("DESTINATION_SOCKET_%d", i), "")
label := cfg.GetEnv(fmt.Sprintf("REQUIRED_LABEL_%d", i), "")
if destSocket == "" || label == "" {
break loop
}
configs = append(configs, proxy.ProxyConfig{
DestinationSocket: destSocket,
RequiredLabel: label,
})
log.Debug("destination socket config: ", destSocket, "label: ", label)
}
return configs
}
SOURCE_SOCKET
: The source Docker socket (default:/var/run/docker.sock
)DESTINATION_SOCKET_n
: The destination socket for the nth configurationREQUIRED_LABEL_n
: The required label for the nth configuration
You can run Mon-Proxy using Docker Compose. An example configuration is provided below:
services:
mon-proxy:
image: mon-proxy:latest
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
- sock:/run/mon-proxy
environment:
- SOURCE_SOCKET=/var/run/docker.sock
- DESTINATION_SOCKET_1=/run/mon-proxy/filtered-docker-1.sock
- REQUIRED_LABEL_1=it.monitoring.enabled=true
- DESTINATION_SOCKET_2=/run/mon-proxy/filtered-docker-2.sock
- REQUIRED_LABEL_2=tenant.monitoring.enabled=false
restart: unless-stopped
test-client:
image: docker:dind
depends_on:
- mon-proxy
volumes:
- sock:/run/mon-proxy:ro
environment:
- DOCKER_HOST=unix:///run/mon-proxy/filtered-docker-1.sock
command: ["/bin/sleep", "Infinity"]
allowed:
image: alpine:latest
depends_on:
- test-client
labels:
- monitoring.enabled=true
- it.monitoring.enabled=true
command: ["/bin/sleep", "Infinity"]
denied:
image: alpine:latest
depends_on:
- test-client
labels:
- monitoring.enabled=false
command: ["/bin/sleep", "Infinity"]
volumes:
sock:
To start the services:
docker-compose up -d
This will start Mon-Proxy along with test containers to demonstrate its functionality.
You can test the proxy by using the test-client
service in the Docker Compose file. It's configured to use the filtered Docker socket.
To set up a development environment:
- Install Go 1.22 or higher
- Clone the repository
- Run
go mod download
to install dependencies
You can use the provided VS Code launch configuration for debugging:
{
"version": "0.2.0",
"configurations": [
{
"name": "Launch Package",
"type": "go",
"request": "launch",
"mode": "auto",
"program": "${workspaceFolder}/cmd/mon-proxy"
}
]
}
This project is licensed under the GNU General Public License v3.0. See the LICENSE file for details.