Security
docker-exporter exposes Docker metrics with the smallest reasonable blast radius — which matters most on single-host Raspberry Pi and homelab setups without the Kubernetes-style network policies you'd otherwise lean on.
Posture
- Read-only socket. The Docker socket is mounted
:roand the exporter only issues read calls (list,inspect,stats). It never creates, starts, stops, or execs into containers. - Non-root. Runs as UID 65532 (the distroless
nonrootuser) — not root, inside or outside the container. - No privileged mode. Unlike cAdvisor, it needs no
--privilegedand no bind mounts of/proc,/sys, or the cgroup filesystem. The Docker socket is its only host dependency. - Minimal image. A single static musl binary on
distroless/static— no shell, no package manager, ~9 MB of attack surface.
Is read-only socket access actually safe?
Even mounted read-only, the Docker socket is a powerful interface: read access exposes container configuration, and on most hosts a compromised exporter can use that access to escalate privileges — Docker's own engine security docs treat access to the daemon socket as equivalent to root on the host. Treat docker-exporter like any component with socket access:
- Don't expose port
9713to untrusted networks. Keep it on an internal monitoring network and let Prometheus reach it there. - Pin the image to a specific version and update deliberately.
- If you need stronger isolation, run it behind a socket proxy that allowlists only the read endpoints it uses.
Reporting a vulnerability
Follow the disclosure policy in SECURITY.md — do not open a public issue for security reports.