MindFlavor / prometheus_wireguard_exporter

A Prometheus exporter for WireGuard, written in Rust.
https://mindflavor.github.io/prometheus_wireguard_exporter
MIT License

Docker deployment without `host` networking #62

Open matutter opened 3 years ago

matutter commented 3 years ago

Is there a method to run the mindflavor/prometheus-wireguard-exporter Docker image without requiring `network_mode: host`?

The purpose would be to allow only Prometheus running in a container to access the exporter and not expose the API to the host.

```yaml
version: "3.7"

networks:
  monitor-net:

services:
  wgexporter:
    container_name: wgexporter
    image: mindflavor/prometheus-wireguard-exporter
    restart: unless-stopped
    # Would prefer to just export metrics to other containers on the docker network.
    # expose:
    #   - 9586
    # networks:
    #   - monitor-net
    # But cannot run `wg show` without this
    network_mode: host
    cap_add:
      - NET_ADMIN
    labels:
      org.label-schema.group: "monitoring"
```

shizunge commented 3 years ago

Try the https://github.com/qoomon/docker-host Docker image to forward TCP and UDP traffic to the Docker host.

arisudesu commented 3 years ago

Try binding to the Docker internal address, then adding this address as an extra host for Prometheus:

Mine looks like:

```yaml
services:
  prometheus:
    container_name: prometheus
    build: prometheus
    extra_hosts:
      - 'wireguard-exporter:172.17.0.1'  # notice the extra host

  wireguard-exporter:
    container_name: wireguard-exporter
    image: 'mindflavor/prometheus-wireguard-exporter:3.5.1'
    command:
      - '-a'
      - '-l=172.17.0.1'  # notice the listen addr
      - '-p=9200'
      - '-n=/etc/wireguard/wg0.conf'
    network_mode: host
    volumes: [ /etc/wireguard/wg0.conf:/etc/wireguard/wg0.conf:ro ]
    cap_add: [ NET_ADMIN ]
```

This way the exporter should be available on the Docker network to Prometheus.
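
A quick check for the setup in the last comment, added here as an example and not part of the thread or the exporter project: it parses `ss -H -ltn` output and confirms the exporter port listens only on the Docker bridge address rather than on a wildcard. The sample `ss` lines are constructed, the function names are hypothetical, and port 9200 and 172.17.0.1 are the values from the comment above.

```shell
#!/bin/sh
# Added example: audit which local addresses a TCP port is listening on.
# Input on stdin is `ss -H -ltn` output:
#   State Recv-Q Send-Q Local-Address:Port Peer-Address:Port

# Print every local address bound to port $1, one per line, sorted, unique.
listen_addrs() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            la = $4
            n = match(la, /:[0-9]+$/)          # position of the ":port" suffix
            if (n == 0) next
            if (substr(la, n + 1) != port) next
            addr = substr(la, 1, n - 1)
            gsub(/^\[|\]$/, "", addr)          # strip IPv6 brackets
            print addr
        }' | LC_ALL=C sort -u
}

# Return 0 only if port $1 is bound to address $2 and nothing else.
# Returns 2 if nothing listens on the port, 1 on any unexpected address.
check_bind() {
    addrs=$(listen_addrs "$1")
    if [ -z "$addrs" ]; then
        echo "FAIL: nothing listening on port $1"; return 2
    fi
    if [ "$addrs" = "$2" ]; then
        echo "OK: port $1 bound only to $2"; return 0
    fi
    extra=$(echo "$addrs" | grep -vxF -- "$2" | tr '\n' ' ')
    echo "FAIL: port $1 listens on unexpected address(es): $extra"
    return 1
}

# Constructed sample input (not captured from a real host).
SAMPLE_GOOD='LISTEN 0 1024 172.17.0.1:9200 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'
SAMPLE_BAD='LISTEN 0 1024 0.0.0.0:9200 0.0.0.0:*
LISTEN 0 1024 [::]:9200 [::]:*'

printf '%s\n' "$SAMPLE_GOOD" | check_bind 9200 172.17.0.1
printf '%s\n' "$SAMPLE_BAD"  | check_bind 9200 172.17.0.1 || true
# On the Docker host itself: ss -H -ltn | check_bind 9200 172.17.0.1
```

A wildcard bind (`0.0.0.0` or `::`) under `network_mode: host` means the metrics endpoint is listening on every host interface, which is the exposure the original question wanted to avoid.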