Configuring Docker Observer jobs

Using the Docker Observer, you can discover Docker network resources, including Docker Swarm clusters, and then visualize (or model) this data as a topology view.

Before you begin

Important: The Docker Observer supports Docker 3.1.0.

Note: Docker UCP 3.1.0 supports only TLS 1.2 for SSL negotiation and no longer supports TLS 1 and TLS 1.1.

Ensure you have the details for your Docker job to hand, specifically your Docker system's Unix socket, and/or its host and port number.

Enabling access to the URL routes

To access the URL routes for the topology Swagger documentation, see the Enabling access to URL routes topic.

About this task

Using the Observer Configuration UI, you configure observer jobs that query the Docker REST API to retrieve data and display it as a topology in the Topology Viewer. The Docker Observer can model external Docker systems, and it can also provide a System health view of the Docker system on which IBM Cloud Pak® for AIOps runs.

The job connects to a remote Docker system using the host and port parameters.

Remote Docker

The 'host' and 'port' parameters of the job identify the TCP host and port on which Docker can be reached. The unix_socket parameter must not be supplied.

Docker is not accessible through TCP by default. To enable it, edit the 'docker.service' file. On Red Hat® OpenShift® Container Platform, this is available in /usr/lib/systemd/system. Amend the ExecStart option under the Service section to include a -H option. For example, to make it available externally on port 2375, you might add -H tcp://0.0.0.0:2375.

Note: If you want to continue to be able to access Docker through the default socket, for example if the Docker Observer container needs access, or if you want to be able to perform docker ps -a rather than docker -H tcp://0.0.0.0:2375 ps -a, then you must also list it on the same line, as in the following example:

-H tcp://0.0.0.0:2375 -H unix:///var/run/docker.sock

You must reload the configuration:

sudo systemctl daemon-reload
sudo systemctl restart docker

Tip: If this fails to start Docker, and a Unix socket (or no socket at all) was specified, check that no directory with that name exists. If you start Docker with just a TCP socket and no Unix socket, this creates a /var/run/docker.sock directory, which you must delete after Docker is stopped, so that you can restart with access through that Unix socket.
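
The following check is an added example, not part of the product documentation or its tooling. It reads a docker.service unit and flags what the steps above can leave behind: a tcp:// listener without --tlsverify (the Docker API then accepts requests from any client that can reach the port), a missing unix:// listener, and a directory at the socket path. The function name, finding labels and sample unit are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a docker.service unit after adding a -H tcp:// listener.
# Usage: audit_docker_unit UNIT_FILE [SOCKET_PATH]
# Prints one finding per line; returns 1 if anything was flagged, else 0.
audit_docker_unit() {
    unit=$1
    sock=${2:-/var/run/docker.sock}
    # Join backslash-continued lines, then take the last ExecStart= value.
    cmd=$(sed -e ':a' -e '/\\$/N; s/\\\n/ /; ta' "$unit" |
          sed -n 's/^ExecStart=//p' | tail -n 1)
    tcp="" unix=no tls=no prev="" rc=0
    set -f                                  # no globbing while splitting
    for tok in $cmd; do
        # Normalise "-H value" and "--host value" to "--host=value".
        case $prev in -H|--host) tok="--host=$tok" ;; esac
        prev=$tok
        case $tok in
            --tlsverify|--tlsverify=true) tls=yes ;;
            --host=tcp://*)  tcp="$tcp ${tok#--host=}" ;;
            --host=unix://*) unix=yes ;;
        esac
    done
    set +f
    for h in $tcp; do
        # With --tlsverify the daemon only accepts clients with a trusted cert.
        [ "$tls" = yes ] && continue
        echo "PLAINTEXT_TCP $h"; rc=1
        case $h in tcp://0.0.0.0:*) echo "ALL_INTERFACES $h" ;; esac
    done
    # The Note above: keep the default socket listed next to the TCP one.
    [ -z "$tcp" ] || [ "$unix" = yes ] || { echo "NO_UNIX_SOCKET"; rc=1; }
    # The Tip above: a directory at the socket path blocks a later restart.
    [ ! -d "$sock" ] || { echo "SOCKET_IS_DIRECTORY $sock"; rc=1; }
    return $rc
}

# Constructed sample unit using the ExecStart change described above.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[Service]
ExecStart=/usr/bin/dockerd \
          -H tcp://0.0.0.0:2375
EOF
audit_docker_unit "$sample" /nonexistent/docker.sock || true
rm -f "$sample"
```

Run it against the unit file you edited before reloading systemd; an empty result with exit status 0 means none of the three conditions was found.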

Procedure

Define or edit the following parameters, then click Run job to save and run the job.

Encryption requirement: See the Configuring observer jobs security topic for more information.

| Parameter | Action | Details |
| --- | --- | --- |
| Unique ID | Enter a unique name for the job | Required |
| Host | Use this to identify the TCP host socket (HTTP or HTTPS) on which to access the remote Docker system | Required for remote Docker access only |
| Port | Use this to identify the TCP port (HTTP or HTTPS) on which to access the remote Docker system | Required for remote Docker access only |
| Unix Socket | Use this to access local Docker environments using the complete path | Required for local Docker access only. Host and port parameters must be empty. |
| Username | Specify the username of the remote Docker environment with HTTPS | Required for remote Docker with HTTPS access only |
| Docker password | Specify the password of the remote Docker environment with HTTPS | Required for remote Docker with HTTPS access only. |
| Docker SSL Certificate | Specify the certificate file name | Optional |
| Docker SSL truststore File | Specify the truststore file name. The observer generates the trust store file based on the file name provided. Tip: You can use the observer name as file name (<observer>.jks), for example Docker.jks. | Required for remote Docker with HTTPS access only. The supported format is JKS and the file is relative to $ASM_HOME/security. |
| SSL truststore File Password | Specify the truststore password the observer will use to decrypt the truststore file. Use a password that conforms to your internal security requirements. | Required for remote Docker with HTTPS access only. |
| View | Use this to select which resources are modeled in the topology view | Optional. The Default displays running resources only. Options are Container (all running containers), Image (images used by running containers), and Task (running tasks only) |
| Containers to exclude | List the containers you want to exclude | Optional |
| Access scope | Enter text to provide a scope for the resources. Access scope can help map alerts to resources when resources in different scopes share the same parameters, such as matchTokens. | Optional. Tip: You can define access scope for locations, project names, namespaces, etc. |
| Generate debug support file | Set this parameter to 'True' in order to capture the output of the next scheduled job run as a file. This file will be stored with an observer's log files and can be used to debug observer issues, for example at the request of your designated support team, or while using a test environment. For one-off jobs (that is, Load jobs), this parameter reverts to 'False' after the next completed run. To examine the output produced, you can load the generated debug file using the File Observer. | Optional |
| Observer job description | Enter additional information to describe the job | Optional |
| Job schedule | Specify when the job runs | Optional. Load jobs only. |