Run Garnet on standalone hosts and containers.

Why monitor Docker?

  • Container breakouts and privilege escalation
  • Malicious containers running crypto miners
  • Supply chain attacks in Docker images
  • Data exfiltration from containerized apps
  • Resource abuse using host compute

Setup (2 minutes)

1. Get API token

# Get token from: dashboard.garnet.ai/tokens
export GARNET_API_TOKEN="garnet_xxx"

2. Run Jibril container

# Deploy Garnet agent
docker run -d \
  --name jibril \
  --privileged \
  --pid=host \
  --restart=unless-stopped \
  -e GARNET_API_TOKEN="$GARNET_API_TOKEN" \
  ghcr.io/garnetlabs/jibril:latest

3. Verify deployment

# Check container is running
docker ps | grep jibril
# Expected: jibril container with "Up" status

# Check logs
docker logs jibril
# Expected: "Connected to Garnet Platform"

Result: Garnet monitors all containers and host processes.

Configuration

Deployment modes


Advanced configuration

docker run -d \
  --name jibril \
  --privileged \
  --pid=host \
  --restart=unless-stopped \
  -e GARNET_API_TOKEN="$GARNET_API_TOKEN" \
  -e GARNET_MODE=production \
  -e GARNET_BLOCKING=true \
  -e GARNET_LOG_LEVEL=info \
  -e GARNET_SCAN_INTERVAL=30s \
  -e GARNET_ALLOW_PATTERNS="docker.*,npm install" \
  --memory=512m \
  --cpus=0.5 \
  -v /var/run/docker.sock:/var/run/docker.sock:ro \
  ghcr.io/garnetlabs/jibril:latest
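
Environment variables:
  • GARNET_MODE: production, development, or lightweight
  • GARNET_BLOCKING: true or false
  • GARNET_LOG_LEVEL: debug, info, warn, error
  • GARNET_SCAN_INTERVAL: How often to scan (default: 60s)
  • GARNET_ALLOW_PATTERNS: Comma-separated patterns to ignore

The :ro suffix on the /var/run/docker.sock mount only makes the socket file itself read-only. A process that can open the socket can still send any Docker API request, so treat the agent container as having full control of the Docker daemon.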

What gets detected

Container Security

  • Container escapes
  • Privilege escalation
  • Unauthorized mounts
  • Runtime modifications

Network Threats

  • C2 communications
  • Data exfiltration
  • DNS tunneling
  • Port scanning

Resource Abuse

  • Crypto mining
  • Fork bombs
  • CPU/memory abuse
  • Storage exhaustion

Malicious Activity

  • Malware execution
  • Backdoor installation
  • Credential theft
  • File tampering

Verification

After deployment:
  1. Check container status
docker ps --filter name=jibril --format "table {{.Names}}\t{{.Status}}\t{{.Ports}}"
  2. View logs
docker logs jibril --tail 50 --follow
# Look for "Connected to Garnet Platform"
  3. Test container monitoring
# Run a test container (the alpine image ships BusyBox wget, not curl)
docker run --rm alpine:latest sh -c "wget -q -O /dev/null http://malicious.test.garnet.ai"
# Should trigger detection
  4. Visit dashboard - agent should appear within 2 minutes

[Image: Docker deployment showing detection events]

Example detections

Crypto miner in container

{
  "detection": "Cryptocurrency mining detected",
  "container": "suspicious_app_123",
  "process": "xmrig --donate-level=0 -o pool.minexmr.com:4444",
  "action": "Container killed, image quarantined"
}

Container escape attempt

{
  "detection": "Container breakout attempt",
  "container": "web_server_456", 
  "process": "mount /dev/sda1 /mnt/host",
  "action": "Process blocked, security team alerted"
}

Management

Update Jibril

# Pull latest image
docker pull ghcr.io/garnetlabs/jibril:latest

# Stop current container
docker stop jibril && docker rm jibril

# Start with new image
docker run -d \
  --name jibril \
  --privileged \
  --pid=host \
  --restart=unless-stopped \
  -e GARNET_API_TOKEN="$GARNET_API_TOKEN" \
  ghcr.io/garnetlabs/jibril:latest

Monitor resources

# Check resource usage
docker stats jibril --no-stream

# Check disk usage
docker system df

View detailed logs

# Real-time logs
docker logs jibril --follow

# Export logs
docker logs jibril > garnet-logs.txt

Troubleshooting

Symptoms:
docker ps -a | grep jibril
# Shows "Exited" status

Fix:
  1. Check Docker version (needs ≥20.10):
docker --version
  2. Verify host kernel version:
uname -r
# Needs Linux kernel ≥5.15
  3. Check container logs:
docker logs jibril
# Look for specific error messages
  4. Ensure privileged mode:
docker inspect jibril | grep Privileged
# Should show "Privileged": true
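
The version, privilege and log checks from the verification and troubleshooting steps above, collected into one script. This is an added example, not Garnet's own tooling: the function names and the JIBRIL_PREFLIGHT_LIVE switch are made up here, and it assumes awk is available on the host.

```sh
#!/bin/sh
# Added example (not Garnet tooling): health checks for the "jibril" container.
# Live use on the Docker host: JIBRIL_PREFLIGHT_LIVE=1 sh preflight.sh

# version_ge HAVE MIN: succeeds when HAVE's major.minor is at least MIN's.
# awk's numeric coercion keeps leading digits, so "03" -> 3 and "15-rc1" -> 15.
version_ge() {
  awk -v have="$1" -v min="$2" 'BEGIN {
    split(have, h, "."); split(min, m, ".")
    ok = (h[1]+0 > m[1]+0) || (h[1]+0 == m[1]+0 && h[2]+0 >= m[2]+0)
    exit !ok
  }'
}

# check_host DOCKER_VERSION KERNEL_RELEASE: the page requires Docker >=20.10
# and Linux kernel >=5.15. Prints one FAIL line per unmet requirement.
check_host() {
  rc=0
  version_ge "$1" 20.10 || { echo "FAIL docker $1 is older than 20.10"; rc=1; }
  version_ge "$2" 5.15  || { echo "FAIL kernel $2 is older than 5.15"; rc=1; }
  return "$rc"
}

# check_agent STATE PRIVILEGED LOGS: container must be running, privileged,
# and have logged the connection message the page tells you to look for.
check_agent() {
  rc=0
  [ "$1" = running ] || { echo "FAIL container state is '$1', expected running"; rc=1; }
  [ "$2" = true ]    || { echo "FAIL container is not privileged"; rc=1; }
  case "$3" in
    *"Connected to Garnet Platform"*) ;;
    *) echo "FAIL no 'Connected to Garnet Platform' line in the logs"; rc=1 ;;
  esac
  return "$rc"
}

# JIBRIL_PREFLIGHT_LIVE is a switch invented for this example so the functions
# above can be sourced and exercised without a Docker daemon.
if [ "${JIBRIL_PREFLIGHT_LIVE:-0}" = 1 ]; then
  check_host "$(docker version --format '{{.Server.Version}}')" "$(uname -r)"
  host_rc=$?
  check_agent \
    "$(docker inspect --format '{{.State.Status}}' jibril)" \
    "$(docker inspect --format '{{.HostConfig.Privileged}}' jibril)" \
    "$(docker logs --tail 100 jibril 2>&1)"
  exit $(( host_rc | $? ))
fi
```
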
Wait 2-3 minutes for initial connection.

If still missing:
  1. Check container logs:
docker logs jibril --tail 100
  2. Test network connectivity:
docker exec jibril nslookup api.garnet.ai
  3. Verify API token:
# Note: this prints the token in clear text
docker exec jibril printenv GARNET_API_TOKEN
  4. Test API access:
curl -H "Authorization: Bearer $GARNET_API_TOKEN" https://api.garnet.ai/v1/agents

Symptoms: Host performance degraded

Solutions:
  1. Set resource limits:
docker update --memory=256m --cpus=0.25 jibril
  2. Use lightweight mode:
# Remove the stopped container so the name "jibril" can be reused
docker stop jibril && docker rm jibril
docker run -d \
  --name jibril \
  --privileged \
  --pid=host \
  -e GARNET_API_TOKEN="$GARNET_API_TOKEN" \
  -e GARNET_MODE=lightweight \
  ghcr.io/garnetlabs/jibril:latest
  3. Increase scan interval:
# Remove the stopped container so the name "jibril" can be reused
docker stop jibril && docker rm jibril
docker run -d \
  --name jibril \
  --privileged \
  --pid=host \
  -e GARNET_API_TOKEN="$GARNET_API_TOKEN" \
  -e GARNET_SCAN_INTERVAL=120s \
  ghcr.io/garnetlabs/jibril:latest

Symptoms: Legitimate containers flagged as threats

Fix: Add allowlist patterns:
# Remove the stopped container so the name "jibril" can be reused
docker stop jibril && docker rm jibril
docker run -d \
  --name jibril \
  --privileged \
  --pid=host \
  -e GARNET_API_TOKEN="$GARNET_API_TOKEN" \
  -e GARNET_ALLOW_PATTERNS="docker.*,npm install,yarn install,pip install" \
  ghcr.io/garnetlabs/jibril:latest

Or configure in dashboard: Settings → Policies → Add Allowlist

Uninstall

# Stop and remove container
docker stop jibril && docker rm jibril

# Remove image (optional)
docker rmi ghcr.io/garnetlabs/jibril:latest

# Clean up volumes (if any)
docker volume prune
