
Isn't it recommended to not make Docker listen on the TCP port?



From reading the docs, it looks like ctop will connect to the local UNIX socket if there's no environment variable specifying a host, so you don't need to expose a TCP port to get this working.


You should always use a UNIX socket if you don't need remote access.


SSH supports forwarding UNIX sockets...


Would not recommend


Yes. Otherwise any process which can access the TCP port has full root access on the computer where Docker is installed. And root access to the entire Docker swarm cluster if swarm mode is enabled and the current node is acting as a manager.

Whether or not giving root access to a system performance tool is wise is left as an exercise to the reader.


Even if protected by TLS?


Not sure why you're getting down-voted, exposing the Docker API over a TCP socket using TLS is the only way to even hope to do it safely.


Not exposing it over TCP at all is the only way to do it safely...
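As an added example (not part of the thread, and not code from Docker or ctop), the following audits a daemon's `daemon.json` for the listener cases discussed above: local socket only, TCP without client authentication, and TCP with TLS client certificates. The function name, severity labels and sample configurations are assumptions made for illustration; `hosts`, `tls` and `tlsverify` are the daemon's own configuration keys.

```python
import json
from urllib.parse import urlsplit

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

def audit_daemon_config(daemon_json_text):
    """Classify each listener in a daemon.json 'hosts' list.

    Returns (severity, host, reason) tuples. Listeners passed only on the
    dockerd command line (-H) are not seen by this check.
    """
    cfg = json.loads(daemon_json_text or "{}")
    # Only 'tlsverify' makes the daemon demand a client certificate;
    # 'tls' on its own encrypts the channel without authenticating clients.
    client_auth = bool(cfg.get("tlsverify", False))
    findings = []
    for host in cfg.get("hosts", []):
        url = urlsplit(host)
        if url.scheme in ("unix", "fd"):
            findings.append(("ok", host, "local socket, access set by file permissions"))
        elif url.scheme != "tcp":
            findings.append(("review", host, "unrecognised listener scheme"))
        elif client_auth:
            findings.append(("review", host,
                             "client certs required; every cert holder is root-equivalent"))
        else:
            who = ("any local process" if url.hostname in LOOPBACK
                   else "anyone who can reach the port")
            findings.append(("critical", host,
                             f"no client auth: {who} gets root-equivalent API access"))
    return findings

# Constructed sample configurations (not taken from the thread).
PLAIN_TCP = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
LOOPBACK_TCP = '{"hosts": ["tcp://127.0.0.1:2375"], "tls": true}'
MUTUAL_TLS = '{"hosts": ["tcp://0.0.0.0:2376"], "tlsverify": true}'

if __name__ == "__main__":
    for name, sample in [("plain", PLAIN_TCP), ("loopback", LOOPBACK_TCP),
                         ("mtls", MUTUAL_TLS)]:
        for severity, host, reason in audit_daemon_config(sample):
            print(f"{name:9} {severity:9} {host:32} {reason}")
```

An empty `hosts` list yields no findings, since the daemon then listens only on its default local socket.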



