
go.d fail2ban: add docker support (#18081)

Ilya Mashchenko 8 months ago
parent
commit
d9177e2bcf

+ 16 - 0
src/collectors/plugins.d/ndsudo.c

@@ -61,6 +61,14 @@ struct command {
             [1] = NULL,
         },
     },
+    {
+        .name = "fail2ban-client-status-socket",
+        .params = "-s {{socket_path}} status",
+        .search = {
+            [0] = "fail2ban-client",
+            [1] = NULL,
+        },
+    },
     {
         .name = "fail2ban-client-status-jail",
         .params = "status {{jail}}",
@@ -69,6 +77,14 @@ struct command {
             [1] = NULL,
         },
     },
+    {
+        .name = "fail2ban-client-status-jail-socket",
+        .params = "-s {{socket_path}} status {{jail}}",
+        .search = {
+            [0] = "fail2ban-client",
+            [1] = NULL,
+        },
+    },
     {
         .name = "storcli-controllers-info",
         .params = "/cALL show all J nolog",
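Review bot: Both new entries (`fail2ban-client-status-socket` in the first hunk and `fail2ban-client-status-jail-socket` in the second) let the caller choose, through `{{socket_path}}`, which socket `fail2ban-client` connects to, so this privileged helper now accepts a caller-controlled path where the existing `status` entries take none. The only caller in this commit always passes the constant `/host/var/run/fail2ban/fail2ban.sock`, so the path could be fixed in the table instead: `.params = "-s /host/var/run/fail2ban/fail2ban.sock status",` and `.params = "-s /host/var/run/fail2ban/fail2ban.sock status {{jail}}",`. If it has to stay a parameter, the entries should carry a comment saying that the client trusts whatever answers on that socket, and the value should be restricted to a path under a root-owned directory. How ndsudo validates parameter values is not visible in these hunks.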

+ 26 - 6
src/go/plugin/go.d/modules/fail2ban/exec.go

@@ -6,6 +6,7 @@ import (
 	"context"
 	"errors"
 	"fmt"
+	"os"
 	"os/exec"
 	"strings"
 	"time"
@@ -15,27 +16,46 @@ import (
 
 var errJailNotExist = errors.New("jail not exist")
 
+const socketPathInDocker = "/host/var/run/fail2ban/fail2ban.sock"
+
 func newFail2BanClientCliExec(ndsudoPath string, timeout time.Duration, log *logger.Logger) *fail2banClientCliExec {
+	_, err := os.Stat("/host/var/run")
+
 	return &fail2banClientCliExec{
-		Logger:     log,
-		ndsudoPath: ndsudoPath,
-		timeout:    timeout,
+		Logger:         log,
+		ndsudoPath:     ndsudoPath,
+		timeout:        timeout,
+		isInsideDocker: err == nil,
 	}
 }
 
 type fail2banClientCliExec struct {
 	*logger.Logger
 
-	ndsudoPath string
-	timeout    time.Duration
+	ndsudoPath     string
+	timeout        time.Duration
+	isInsideDocker bool
 }
 
 func (e *fail2banClientCliExec) status() ([]byte, error) {
+	if e.isInsideDocker {
+		return e.execute("fail2ban-client-status-socket",
+			"--socket_path", socketPathInDocker,
+		)
+	}
 	return e.execute("fail2ban-client-status")
 }
 
 func (e *fail2banClientCliExec) jailStatus(jail string) ([]byte, error) {
-	return e.execute("fail2ban-client-status-jail", "--jail", jail)
+	if e.isInsideDocker {
+		return e.execute("fail2ban-client-status-jail-socket",
+			"--jail", jail,
+			"--socket_path", socketPathInDocker,
+		)
+	}
+	return e.execute("fail2ban-client-status-jail",
+		"--jail", jail,
+	)
 }
 
 func (e *fail2banClientCliExec) execute(args ...string) ([]byte, error) {
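Review bot: `newFail2BanClientCliExec` treats the mere existence of `/host/var/run` as proof of running in Docker and ignores every other `os.Stat` outcome, so the choice of which fail2ban socket is queried depends on a directory that may exist for unrelated reasons or be mounted without the fail2ban socket in it. Checking the socket itself is tighter: `fi, err := os.Stat(socketPathInDocker)` and `isInsideDocker: err == nil && fi.Mode()&os.ModeSocket != 0,`. A short comment on `socketPathInDocker` saying it mirrors the `/host/var/run` mount described in metadata.yaml would also help, since the constant and the stat path are otherwise two unrelated literals. The body of `execute` lies outside the hunk, so how these arguments reach ndsudo cannot be checked here.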

+ 10 - 1
src/go/plugin/go.d/modules/fail2ban/metadata.yaml

@@ -44,7 +44,16 @@ modules:
           description: ""
     setup:
       prerequisites:
-        list: []
+        list:
+          - title: For Netdata running in a Docker container
+            description: |
+              1. **Install Fail2ban client**.
+              
+                  Ensure `fail2ban-client` is available in the container by setting the environment variable `NETDATA_EXTRA_DEB_PACKAGES=fail2ban` when starting the container.
+              
+              2. **Mount host's `/var/run` directory**.
+              
+                  Mount the host machine's `/var/run` directory to `/host/var/run` inside your Netdata container. This grants Netdata access to the Fail2ban socket file, typically located at `/var/run/fail2ban/fail2ban.sock`.
       configuration:
         file:
           name: go.d/fail2ban.conf
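Review bot: Step 2 tells users to mount the host's whole `/var/run` into the container, which exposes every runtime socket and PID file in that directory, not only the Fail2ban socket; on many hosts that includes the container runtime's control socket. The collector in this commit only uses `/host/var/run/fail2ban/fail2ban.sock`, so the instruction could be narrowed to the fail2ban directory alone, e.g. `-v /var/run/fail2ban:/host/var/run/fail2ban`. The `/host/var/run` existence check in exec.go should still pass, because the parent directories of the mount point are created. If the broad mount is kept, the description should state what else it grants, rather than only "access to the Fail2ban socket file".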