I want to know what is the user who stopped a docker container.
There are several user accounts on my server. I suspect that one of them sometimes stops the container.
How can I find the user that performed this operation?
Asked
Active
Viewed 542 times
2 Answers
0
You can use su -c history username to check command history of a user, I don't know how many users you have but you could loop through them and grep for commands taking docker containers down.
Shardj
- 1,800
- 2
- 17
- 43
-
The user who wants to execute this query is not root – mgnfcnt2 Mar 27 '19 at 09:38
-
Try sudo cat /home/USER_YOU_WANT_TO_VIEW/.bash_history then – Shardj Mar 27 '19 at 09:45
-
@GeorgeAppleton If the user is not **root** how s/he can execute **sudo** command? – Mgnfcnt Mar 27 '19 at 10:58
-
Being logged in as root and having sudo permissions aren't the same thing. By asking this question I made the assumption that they have sudo permissions to read other users history, otherwise the question makes no sense – Shardj Mar 27 '19 at 11:13
0
You can install GNU Accounting Utilities, to be able to see commands executed by users:
#centos
yum install psacct
# ubuntu:
apt-get install acct
#Also make sure that the cooresponding service is enabled:
/etc/init.d/psacct status
Then, after you realize that the container is stopped execute:
lastcomm --command docker
# or
lastcomm --command kill
to see which executed the above command(s).
You can use the above in combination with:
docker container logs <name-of-the-container>
to see what is the exact time on which the container was stopped. (E.g. you may see a message on the logs: "stopping service..") and match it with lastcomm output.
Other useful commands that come with the above package:sa, ac
Marinos An
- 9,481
- 6
- 63
- 96