Type: docker_exec | Runner: Dashboard or Agent
Runs a shell command inside a running Docker container via the Docker API and checks the exit code. Exit code 0 = OK, anything else = Fail. Stdout and stderr are not captured.
| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
| `container_name` | text | Yes | — | Exact container name as shown in `docker ps --format "{{.Names}}"` |
| `command` | text | Yes | — | Shell command to run inside the container. Runs via `sh -c`. Exit code 0 = OK. |
| `timeout` | number | No | 10 | Total timeout in seconds covering exec creation, execution, and result inspection |

This check executes arbitrary shell commands inside the monitored container. The configured command has the same access rights as `docker exec` on the host — it can read environment variables (including secrets), write to mounted volumes, and interact with any process inside the container.
Implications:
- `docker_exec` check has effective shell access to the monitored container.
- `pid: host` or host volume mounts (needed for ProcessCheck / DiskSpaceCheck), a container escape would extend the blast radius to the host.

Mitigations:

- `mysqladmin ping` or `redis-cli ping` with a dedicated read-only monitoring user rather than passing root credentials.
- `docker_exec` commands periodically — treat them like cron jobs with container-level access.

| Status | Condition |
|---|---|
| OK | Command exits with code 0 |
| Fail | Command exits with any non-zero exit code |
| Fail | Docker API error (container not found, socket error, timeout during exec) |
| Unknown | Docker socket not available at /var/run/docker.sock |
| Unknown | Container name or command not configured |
Requires Docker socket access — same as Docker Container Health. The socket must be mounted for both the dashboard worker and agent containers.
```bash
# Symfony application health check
php bin/console app:health

# MySQL ping (when the database is only accessible inside the container network)
# Prefer a dedicated read-only monitoring user over root (see Mitigations above)
mysqladmin ping -h 127.0.0.1 -u root -p"${MYSQL_ROOT_PASSWORD}"

# Redis check with authentication
redis-cli -a "${REDIS_PASSWORD}" ping

# Generic HTTP check from inside the container
curl -fsS http://localhost/health
```
The command runs via `sh -c` — shell features (pipes, `&&`, environment variables) work as expected.
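
The periodic review of `docker_exec` commands listed under Mitigations can be partly automated. The script below is an added example, not part of the tool or its documentation: it assumes the configured checks have been exported as a list of `container_name`/`command` records, and the rule set, container names and last sample command are constructed for illustration.

```python
import re

# Heuristic review rules: assumptions made for this example, not the tool's policy.
RULES = [
    ("root-credentials", re.compile(r"-u\s*root\b|--user[= ]root\b|ROOT_PASSWORD", re.I),
     "uses root credentials; use a dedicated read-only monitoring user"),
    ("secret-in-argv", re.compile(r"(?:-p|-a\s+|--password[= ])[\"']?\$\{?\w+"),
     "secret is expanded onto the command line inside the container"),
    ("writes-or-deletes",
     re.compile(r"(?<![0-9&>])>{1,2}(?![&>])(?!\s*/dev/null)|\b(?:rm|mv|chmod|chown|tee)\b"),
     "modifies files; a health check should be read-only"),
    ("fetch-and-execute", re.compile(r"\b(?:curl|wget)\b[^|;]*\|\s*(?:ba)?sh\b"),
     "downloads content and pipes it into a shell"),
]
ADVICE = {rule_id: advice for rule_id, _, advice in RULES}


def audit_command(command):
    """Return the sorted ids of every rule the configured command triggers."""
    return sorted(rule_id for rule_id, pattern, _ in RULES if pattern.search(command))


def audit_checks(checks):
    """Return {container_name: [rule ids]} for the checks that need a closer look."""
    report = {}
    for check in checks:
        findings = audit_command(check["command"])
        if findings:
            report.setdefault(check["container_name"], []).extend(findings)
    return report


# Constructed sample export: container names are invented, commands follow the
# examples on this page, and the last entry is made up to show a non-read-only check.
SAMPLE_CHECKS = [
    {"container_name": "app", "command": "php bin/console app:health"},
    {"container_name": "db",
     "command": "mysqladmin ping -h 127.0.0.1 -u root -p${MYSQL_ROOT_PASSWORD}"},
    {"container_name": "cache", "command": "redis-cli -a ${REDIS_PASSWORD} ping"},
    {"container_name": "web", "command": "curl -fsS http://localhost/health"},
    {"container_name": "web",
     "command": "curl -fsS http://localhost/health > /tmp/last && rm -f /tmp/old"},
]

if __name__ == "__main__":
    for name, findings in audit_checks(SAMPLE_CHECKS).items():
        for rule_id in findings:
            print(f"{name}: {rule_id}: {ADVICE[rule_id]}")
```

The rules are pattern heuristics, so a finding marks a command for manual review rather than proving it unsafe.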