@poupas
Last active August 12, 2021 00:14
Hardened /proc inside container
```yaml
version: "3.4"
services:
  node-exporter:
    # Both "image" keys specify the same image,
    # but pinning the digest ensures the image has not been tampered with.
    #image: prom/node-exporter:v1.2.2
    image: prom/node-exporter@sha256:a990408ed288669bbad5b5b374fe1584e54825cde4a911c1a3d6301a907a030c
    container_name: exporter
    cap_drop:
      - ALL
    # nobody:nobody inside the container
    user: "65534:65534"
    restart: unless-stopped
    command: "--path.rootfs=/host --web.listen-address=:${EXPORTER_METRICS_PORT:-9101}"
    volumes:
      # /fakeroot/proc is the hidepid=2 proc instance mounted by the host script
      - "/fakeroot:/host:ro,rslave"
    network_mode: host
  # Demonstrates what hidepid=2 hides: lists processes first as root, then as nobody.
  proc-checker:
    image: ubuntu:20.04
    container_name: proc-checker
    volumes:
      - "/fakeroot:/host:ro,rslave"
    # Folded scalar: the lines below are joined with spaces into one shell command.
    command:
      - /bin/sh
      - -c
      - >
        set -eu
        && apt-get update -y
        && apt-get install -y python3-psutil
        && python3 -c "import json, os, psutil;
        psutil.PROCFS_PATH='/host/proc';
        procs = ['%s\t%s' % (p.info['username'], ' '.join(p.info['cmdline'])) for p in psutil.process_iter(['username', 'cmdline']) if p.info['cmdline']];
        print('\n\n\n\n\n\nProcesses seen by root:\nuser\tcommand\n%s' % '\n'.join(procs));
        os.setgid(65534);
        os.setuid(65534);
        procs = ['%s\t%s' % (p.info['username'], ' '.join(p.info['cmdline'])) for p in psutil.process_iter(['username', 'cmdline'])];
        print('\n\n\n\n\n\nProcesses seen by nobody:\nuser\tcommand\n%s' % '\n'.join(procs));
        "
```
```sh
#!/bin/sh
# Run on the host: mount a separate proc instance with hidepid=2 (read-only) at
# /fakeroot/proc, so containers that bind-mount /fakeroot only see a restricted /proc.
mountpoint -q /fakeroot/proc || { mkdir -p /fakeroot/proc && mount -t proc proc -o hidepid=2,ro /fakeroot/proc; }
```
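As an added example (not part of the gist), a small Python audit that checks compose services against the hardening choices made above: image pinned by sha256 digest, `cap_drop: ALL`, a non-root `user`, and read-only volumes. The compose data is transcribed from the gist into a dict so the check runs offline without a YAML library; the rule names and the `audit` function are my own.

```python
"""Audit docker-compose services against the hardening rules used in the gist."""
import re

# Image reference must carry a sha256 digest, e.g. repo/name@sha256:<64 hex chars>.
DIGEST_RE = re.compile(r"^[\w./:-]+@sha256:[0-9a-f]{64}$")

# Constructed: the two services from the gist's compose file, reduced to the keys audited here.
COMPOSE = {
    "services": {
        "node-exporter": {
            "image": "prom/node-exporter@sha256:a990408ed288669bbad5b5b374fe1584e54825cde4a911c1a3d6301a907a030c",
            "cap_drop": ["ALL"],
            "user": "65534:65534",
            "volumes": ["/fakeroot:/host:ro,rslave"],
        },
        "proc-checker": {
            "image": "ubuntu:20.04",
            "volumes": ["/fakeroot:/host:ro,rslave"],
        },
    }
}


def volume_is_readonly(spec):
    """True if a short-syntax volume 'src:dst:opts' carries the 'ro' option."""
    parts = spec.split(":")
    if len(parts) < 3:
        return False  # no options field at all: defaults to read-write
    return "ro" in parts[2].split(",")


def check_service(svc):
    """Return a list of hardening findings for one service (empty means it passes)."""
    findings = []
    if not DIGEST_RE.match(svc.get("image", "")):
        findings.append("image not pinned by sha256 digest")
    if "ALL" not in [c.upper() for c in svc.get("cap_drop", [])]:
        findings.append("cap_drop does not include ALL")
    uid = str(svc.get("user", "0")).split(":")[0]  # compose defaults to root
    if uid in ("", "0", "root"):
        findings.append("runs as root")
    for vol in svc.get("volumes", []):
        if not volume_is_readonly(vol):
            findings.append("volume %s is writable" % vol)
    return findings


def audit(compose):
    """Map every service name to its findings."""
    return {name: check_service(svc) for name, svc in compose["services"].items()}
```

Running `audit(COMPOSE)` reports nothing for `node-exporter` and three findings for `proc-checker` (tag instead of digest, no `cap_drop`, runs as root), which is expected since that service exists only to demonstrate the hidepid behaviour.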