Cadvisor: basic auth when running inside of a container

@pacuna you will need to inject the required files into a Docker image you derive from the cAdvisor one. Something like:

FROM google/cadvisor:latest
ADD auth.htpasswd /auth.htpasswd

EXPOSE 8080
ENTRYPOINT ["/usr/bin/cadvisor", "--http_auth_file", "auth.htpasswd", "--http_auth_realm localhost"]

To generate the file take a look at this doc which has some pointers.

Let us know if you have any questions or run into trouble.

@vmarmol thanks!!

I just want to add some information. @vmarmol 's answer is just fine, but, sadly there is a typing error.

It should be:
ENTRYPOINT ["/usr/bin/cadvisor", "--http_auth_file", "auth.htpasswd", "--http_auth_realm”, “localhost"]

I'm totally new with Docker, so it was hard to see what actually went wrong. After attaching to the container, i was able to see that something wasn't added like it should (_Well.. i just took two hours to figure that out - Rofl_):

Error response from daemon: no such id: 10636eca00c7
root@ docker attach 084e540e96a9
flag provided but not defined: -http_auth_realm localhost

So in the last line, you need to seperate --http_auth_realm and localhost.

And... For all the other people, trying to find a nice solution with Google searches and stuff - Here is what i thing is the most easy way to add this:

• Make a dir like "docker_cadvisor" in your home destination.
• Navigate to the folder.
• Make a htpasswd file and call it "auth.htpasswd" (More info at http://www.cyberciti.biz/faq/create-update-user-authentication-files/)

htpasswd -c auth.htpasswd WEBUSERNAME

• Make the Dockerfile, and add the information

nano Dockerfile

Paste in the informations:

FROM google/cadvisor:latest
ADD auth.htpasswd /auth.htpasswd

EXPOSE 8080
ENTRYPOINT ["/usr/bin/cadvisor", "--http_auth_file", "auth.htpasswd", "--http_auth_realm", "localhost"]

• Build the container, and call it somehing - I personally just called it "cadvisor". Please note that you have to keep the dot in the code.

docker build -t cadvisor .

• Give it some time.
• Run the container - Note that you NEED to CHANGE the buttomline, to the container ID you will get just after docker is done with working out all the good stuff. Actually i guess you are able to put in "cadvisor" as well the ID..

sudo docker run \
  --volume=/:/rootfs:ro \
  --volume=/var/run:/var/run:rw \
  --volume=/sys:/sys:ro \
  --volume=/var/lib/docker/:/var/lib/docker:ro \
  --publish=8080:8080 \
  --detach=true \
  --name=cadvisor \
  --restart=always \
bdc1c2d18ab5

Note that i have added "restart=always". This means that cAdvisor will start with the system. I personally changed publish from the default to "--publish=8383:8080 \" cause of another resource, running at port 8080.

Hopefully this can help other people, trying to get cAdvisor working with Docker WITH PASSWORD support. Please ask, if you read this and have any questions - and if you spot typing errors.

Update:
I just saw my own post - If you like dirty stuff - this is just a bit easier ;-) Replace USERNAME and PASSWORD.

cd /home/USERNAME \
&& htpasswd -c -i -b auth.htpasswd USERNAME PASSWORD \
&& touch newfile \
&& cat <<EOF > Dockerfile
FROM google/cadvisor:latest
ADD auth.htpasswd /auth.htpasswd

EXPOSE 8080
ENTRYPOINT ["/usr/bin/cadvisor", "--http_auth_file", "auth.htpasswd", "--http_auth_realm", "localhost"]
EOF
docker build -t cadvisor . \
&& docker run \
  --volume=/:/rootfs:ro \
  --volume=/var/run:/var/run:rw \
  --volume=/sys:/sys:ro \
  --volume=/var/lib/docker/:/var/lib/docker:ro \
  --publish=8080:8080 \
  --detach=true \
  --name=cadvisor \
  --restart=always \
 cadvisor

Thanks @vmarmol and @exetico! your answers helped me out a lot on this one.

If you guys are by chance interested I took your advise and put it into a container on docker hub - https://hub.docker.com/r/tim545/cadvisor-basicauth It works pretty well, I'm using it on a personal server at the moment. you can get it going in a few commands:

git clone https://github.com/tim545/docker-cadvisor-basicauth.git

docker build --build-arg USERNAME=admin --build-arg PASSWORD=Password1 -t tim545/cadvisor-basicauth .

docker run \
  --volume=/:/rootfs:ro \
  --volume=/var/run:/var/run:rw \
  --volume=/sys:/sys:ro \
  --volume=/var/lib/docker/:/var/lib/docker:ro \
  --publish=8080:8080 \
  --detach=true \
  --name=cadvisor-basicauth \
  --restart=always \
 tim545/cadvisor-basicauth:latest

The only spot where I fell short was parsing the environment variables in straight from the run command instead of having to manually clone->build->run using the --build-args's.

From what I understand it could be done by replacing ENTRYPOINT ["/usr/bin/cadvisor", "--http_auth_file", "auth.htpasswd", "--http_auth_realm", "localhost"] with something like ENTRYPOINT ["entrypoint.sh"] to run a bash script a bit like:

#!/bin/bash

htpasswd -c -i -b auth.htpasswd $USERNAME $PASSWORD

/usr/bin/cadvisor --http_auth_file auth.htpasswd --http_auth_realm localhost

I'm not very good with writing bash scripts and I think there's some extra things you need to do to make it work when being run from a docker container, but I think my main issue was being able to parse the USERNAME and PASSWORD to entrypoint.sh via the run command using environment variables like this:

docker run \
  --volume=/:/rootfs:ro \
  --volume=/var/run:/var/run:rw \
  --volume=/sys:/sys:ro \
  --volume=/var/lib/docker/:/var/lib/docker:ro \
  --publish=8080:8080 \
  --detach=true \
  --name=cadvisor-basicauth \
  --restart=always \
  -e USERNAME=admin \
  -e PASSWORD=Password1 \
 tim545/cadvisor-basicauth:latest

_Note: For anyone who just skipped to here, the above command does not work_

When I get some more time to spend on it I'll try again, but any help/pointers or even a PR would be appreciated.

Hi @tim545. I will give it a try, in my new ESXi setup at home. I think it will be a good idea to point out, how to use the arguments in the information.

Thanks @exetico, let me know how it goes. I updated the readme a bit to try and make the instructions clearer like you mentioned.

Thank you guys your comments were really useful. What I unfortunately miss is the implementation of basic auth in the Prometheus metrics endpoint (/metrics). The code has nothing about it and it is a feature I really need. Maybe I can contribute with it soon.

@gustavomcarmo is there some updates with implementing basic auth for prometheus endpoint?

Hi @Mist3ry, actually I've solved this by using NGINX in front of cAdvisor, as you can see here.