Diffstat (limited to 'packaging/docker')
-rw-r--r-- | packaging/docker/Dockerfile | 136 | ||||
-rw-r--r-- | packaging/docker/README.md | 529 | ||||
-rwxr-xr-x | packaging/docker/gen-cflags.sh | 9 | ||||
-rwxr-xr-x | packaging/docker/health.sh | 18 | ||||
-rwxr-xr-x | packaging/docker/run.sh | 120 |
5 files changed, 812 insertions, 0 deletions
diff --git a/packaging/docker/Dockerfile b/packaging/docker/Dockerfile
new file mode 100644
index 00000000..8e7c9a7b
--- /dev/null
+++ b/packaging/docker/Dockerfile
@@ -0,0 +1,136 @@
+# SPDX-License-Identifier: GPL-3.0-or-later
+# author : paulfantom
+
+# This image contains preinstalled dependencies
+# hadolint ignore=DL3007
+FROM netdata/builder:v2 as builder
+
+# One of 'nightly' or 'stable'
+ARG RELEASE_CHANNEL=nightly
+
+ARG CFLAGS
+
+ENV CFLAGS=$CFLAGS
+
+ARG EXTRA_INSTALL_OPTS
+
+ENV EXTRA_INSTALL_OPTS=$EXTRA_INSTALL_OPTS
+
+ARG DEBUG_BUILD
+
+ENV DEBUG_BUILD=$DEBUG_BUILD
+
+# Copy source
+COPY . /opt/netdata.git
+WORKDIR /opt/netdata.git
+
+# Install from source
+RUN chmod +x netdata-installer.sh && \
+ cp -rp /deps/* /usr/local/ && \
+ /bin/echo -e "INSTALL_TYPE='oci'\nPREBUILT_ARCH='$(uname -m)'" > ./system/.install-type && \
+ CFLAGS="$(packaging/docker/gen-cflags.sh)" LDFLAGS="-Wl,--gc-sections" ./netdata-installer.sh --dont-wait --dont-start-it --use-system-protobuf \
+ ${EXTRA_INSTALL_OPTS} --disable-ebpf --one-time-build --enable-lto "$([ "$RELEASE_CHANNEL" = stable ] && echo --stable-channel)"
+
+# files to one directory
+RUN mkdir -p /app/usr/sbin/ \
+ /app/usr/share \
+ /app/usr/libexec \
+ /app/usr/local \
+ /app/usr/lib \
+ /app/var/cache \
+ /app/var/lib \
+ /app/etc && \
+ mv /usr/share/netdata /app/usr/share/ && \
+ mv /usr/libexec/netdata /app/usr/libexec/ && \
+ mv /usr/lib/netdata /app/usr/lib/ && \
+ mv /var/cache/netdata /app/var/cache/ && \
+ mv /var/lib/netdata /app/var/lib/ && \
+ mv /etc/netdata /app/etc/ && \
+ mv /usr/sbin/netdata /app/usr/sbin/ && \
+ mv /usr/sbin/netdata-claim.sh /app/usr/sbin/ && \
+ mv /usr/sbin/netdatacli /app/usr/sbin/ && \
+ mv /usr/sbin/systemd-cat-native /app/usr/sbin/ && \
+ mv packaging/docker/run.sh /app/usr/sbin/ && \
+ mv packaging/docker/health.sh /app/usr/sbin/ && \
+ mkdir -p /deps/etc && \
+ cp -rp /deps/etc /app/usr/local/etc && \
+ chmod -R o+rX /app && \
+ chmod +x /app/usr/sbin/run.sh
+
+#####################################################################
+# This image contains preinstalled dependencies
+# hadolint ignore=DL3007
+FROM netdata/base:v2 as base
+
+LABEL org.opencontainers.image.authors="Netdatabot <bot@netdata.cloud>"
+LABEL org.opencontainers.image.url="https://netdata.cloud"
+LABEL org.opencontainers.image.documentation="https://learn.netdata.cloud"
+LABEL org.opencontainers.image.source="https://github.com/netdata/netdata"
+LABEL org.opencontainers.image.title="Netdata Agent"
+LABEL org.opencontainers.image.description="Official Netdata Agent Docker Image"
+LABEL org.opencontainers.image.vendor="Netdata Inc."
+
+ARG OFFICIAL_IMAGE=false
+ENV NETDATA_OFFICIAL_IMAGE=$OFFICIAL_IMAGE
+
+ONBUILD ENV NETDATA_OFFICIAL_IMAGE=false
+
+ARG NETDATA_UID=201
+ARG NETDATA_GID=201
+ENV DOCKER_GRP netdata
+ENV DOCKER_USR netdata
+# If DISABLE_TELEMETRY is set, it will disable anonymous stats collection and reporting
+#ENV DISABLE_TELEMETRY=1
+ENV NETDATA_LISTENER_PORT 19999
+EXPOSE $NETDATA_LISTENER_PORT
+
+ENV NETDATA_EXTRA_DEB_PACKAGES=""
+
+RUN mkdir -p /opt/src /var/log/netdata && \
+ ln -sf /dev/stdout /var/log/netdata/access.log && \
+ ln -sf /dev/stdout /var/log/netdata/aclk.log && \
+ ln -sf /dev/stdout /var/log/netdata/debug.log && \
+ ln -sf /dev/stderr /var/log/netdata/error.log && \
+ ln -sf /dev/stderr /var/log/netdata/daemon.log && \
+ ln -sf /dev/stdout /var/log/netdata/collector.log && \
+ ln -sf /dev/stdout /var/log/netdata/fluentbit.log && \
+ ln -sf /dev/stdout /var/log/netdata/health.log
+
+COPY --from=builder /app /
+
+# Create netdata user and apply the permissions as described in
+# https://docs.netdata.cloud/docs/netdata-security/#netdata-directories, but own everything by root group due to https://github.com/netdata/netdata/pull/6543
+# hadolint ignore=DL3013
+RUN addgroup --gid ${NETDATA_GID} --system "${DOCKER_GRP}" && \
+ adduser --system --no-create-home --shell /usr/sbin/nologin --uid ${NETDATA_UID} --home /etc/netdata --group "${DOCKER_USR}" && \
+ chown -R root:root \
+ /etc/netdata \
+ /usr/share/netdata \
+ /usr/libexec/netdata && \
+ chown -R netdata:root \
+ /usr/lib/netdata \
+ /var/cache/netdata \
+ /var/lib/netdata \
+ /var/log/netdata && \
+ chown -R netdata:netdata /var/lib/netdata/cloud.d && \
+ chmod 0700 /var/lib/netdata/cloud.d && \
+ chmod 0755 /usr/libexec/netdata/plugins.d/*.plugin && \
+ for name in cgroup-network \
+ local-listeners \
+ apps.plugin \
+ debugfs.plugin \
+ freeipmi.plugin \
+ go.d.plugin \
+ perf.plugin \
+ slabinfo.plugin \
+ systemd-journal.plugin; do \
+ [ -f "/usr/libexec/netdata/plugins.d/$name" ] && chmod 4755 "/usr/libexec/netdata/plugins.d/$name"; \
+ done && \
+ # Group write permissions due to: https://github.com/netdata/netdata/pull/6543
+ find /var/lib/netdata /var/cache/netdata -type d -exec chmod 0770 {} \; && \
+ find /var/lib/netdata /var/cache/netdata -type f -exec chmod 0660 {} \; && \
+ cp -va /etc/netdata /etc/netdata.stock
+
+ENTRYPOINT ["/usr/sbin/run.sh"]
+
+HEALTHCHECK --interval=60s --timeout=10s --retries=3 CMD /usr/sbin/health.sh
diff --git a/packaging/docker/README.md b/packaging/docker/README.md
new file mode 100644
index 00000000..528ef592
--- /dev/null
+++ b/packaging/docker/README.md
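Review bot: `chmod 0700 /var/lib/netdata/cloud.d` in the user-setup RUN is overridden a few commands later, because the `find /var/lib/netdata /var/cache/netdata -type d -exec chmod 0770` pass and its `-type f ... 0660` twin descend into `cloud.d` and widen the claiming state to the `netdata` group; if the stricter mode is intended, move `chmod 0700 /var/lib/netdata/cloud.d` after the two `find` invocations (or exclude the directory with `-path /var/lib/netdata/cloud.d -prune -o`). In the same chain the setuid loop body is `[ -f "…/$name" ] && chmod 4755 "…/$name";`, so the `for` loop's exit status is that of its last iteration and a missing `systemd-journal.plugin` would abort the whole RUN step at `done && \`; an `if [ -f … ]; then chmod 4755 …; fi` body keeps the step's status independent of which optional plugins were built. The `# Group write permissions` comment sitting between `&& \` continuation lines appears to rely on the Dockerfile parser stripping comment lines before the shell sees the RUN string; a short note saying so would stop the next reader from treating it as a broken chain.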
@@ -0,0 +1,529 @@
+<!--
+title: "Install Netdata with Docker"
+custom_edit_url: "https://github.com/netdata/netdata/edit/master/packaging/docker/README.md"
+sidebar_label: "Docker"
+learn_status: "Published"
+learn_rel_path: "Installation/Installation methods"
+sidebar_position: 40
+-->
+
+import Tabs from '@theme/Tabs';
+import TabItem from '@theme/TabItem';
+
+# Install Netdata with Docker
+
+## Create a new Netdata Agent container
+
+You can create a new Agent container using either `docker run` or `docker-compose`. After using any method, you can
+visit the Agent dashboard `http://NODE:19999`.
+
+The Netdata container requires different privileges and mounts to provide functionality similar to that provided by
+Netdata installed on the host. Below you can find a list of Netdata components that need these privileges and mounts,
+along with their descriptions.
+
+<details open>
+<summary>Privileges</summary>
+
+| Component | Privileges | Description |
+|:---------------:|:-----------------------------:|--------------------------------------------------------------------------------------------------------------------------|
+| cgroups.plugin | host PID mode, SYS_ADMIN | Container network interfaces monitoring. Map virtual interfaces in the system namespace to interfaces inside containers. |
+| proc.plugin | host network mode | Host system networking stack monitoring. |
+| go.d.plugin | host network mode | Monitoring applications running on the host and inside containers. |
+| local-listeners | host network mode, SYS_PTRACE | Discovering local services/applications. Map open (listening) ports to running services/applications. |
+
+</details>
+
+<details open>
+<summary>Mounts</summary>
+
+| Component | Mounts | Description |
+|:----------------------:|:--------------------------:|--------------------------------------------------------------------------------------------------------------------------------------------|
+| netdata | /etc/os-release | Host info detection. |
+| cgroups.plugin | /sys, /var/run/docker.sock | Docker containers monitoring and name resolution. |
+| go.d.plugin | /var/run/docker.sock | Docker Engine and containers monitoring. See [docker](https://github.com/netdata/go.d.plugin/tree/master/modules/docker#readme) collector. |
+| go.d.plugin | /var/log | Web servers logs tailing. See [weblog](https://github.com/netdata/go.d.plugin/tree/master/modules/weblog#readme) collector. |
+| apps.plugin | /etc/passwd, /etc/group | Monitoring of host system resource usage by each user and user group. |
+| proc.plugin | /proc | Host system monitoring (CPU, memory, network interfaces, disks, etc.). |
+| systemd-journal.plugin | /var/log | Viewing, exploring and analyzing systemd journal logs. |
+
+</details>
+
+### Recommended way
+
+Both methods create a [volume](https://docs.docker.com/storage/volumes/) for Netdata's configuration files
+_within the container_ at `/etc/netdata`.
+See the [configure section](#configure-agent-containers) for details. If you want to access the configuration files from
+your _host_ machine, see [host-editable configuration](#with-host-editable-configuration).
+
+<Tabs>
+<TabItem value="docker_run" label="docker run">
+
+<h3> Using the <code>docker run</code> command </h3>
+
+Run the following command in your terminal to start a new container.
+
+```bash
+docker run -d --name=netdata \
+ --pid=host \
+ --network=host \
+ -v netdataconfig:/etc/netdata \
+ -v netdatalib:/var/lib/netdata \
+ -v netdatacache:/var/cache/netdata \
+ -v /etc/passwd:/host/etc/passwd:ro \
+ -v /etc/group:/host/etc/group:ro \
+ -v /etc/localtime:/etc/localtime:ro \
+ -v /proc:/host/proc:ro \
+ -v /sys:/host/sys:ro \
+ -v /etc/os-release:/host/etc/os-release:ro \
+ -v /var/log:/host/var/log:ro \
+ -v /var/run/docker.sock:/var/run/docker.sock:ro \
+ --restart unless-stopped \
+ --cap-add SYS_PTRACE \
+ --cap-add SYS_ADMIN \
+ --security-opt apparmor=unconfined \
+ netdata/netdata
+```
+
+</TabItem>
+<TabItem value="docker compose" label="docker-compose">
+
+<h3> Using the <code>docker-compose</code> command</h3>
+
+Create a file named `docker-compose.yml` in your project directory and paste the code below. From your project
+directory, start Netdata by running `docker-compose up -d`.
+
+```yaml
+version: '3'
+services:
+ netdata:
+ image: netdata/netdata
+ container_name: netdata
+ pid: host
+ network_mode: host
+ restart: unless-stopped
+ cap_add:
+ - SYS_PTRACE
+ - SYS_ADMIN
+ security_opt:
+ - apparmor:unconfined
+ volumes:
+ - netdataconfig:/etc/netdata
+ - netdatalib:/var/lib/netdata
+ - netdatacache:/var/cache/netdata
+ - /etc/passwd:/host/etc/passwd:ro
+ - /etc/group:/host/etc/group:ro
+ - /etc/localtime:/etc/localtime:ro
+ - /proc:/host/proc:ro
+ - /sys:/host/sys:ro
+ - /etc/os-release:/host/etc/os-release:ro
+ - /var/log:/host/var/log:ro
+ - /var/run/docker.sock:/var/run/docker.sock:ro
+
+volumes:
+ netdataconfig:
+ netdatalib:
+ netdatacache:
+```
+
+</TabItem>
+</Tabs>
+
+> :bookmark_tabs: Note
+>
+> If you plan to Claim the node to Netdata Cloud, you can find the command with the right parameters by clicking the "
+> Add Nodes" button in your Space's "Nodes" view.
+
+### With systemd units monitoring
+
+Monitoring systemd units requires mounting `/run/dbus`. This mount is not available on non-systemd systems, so we cannot
+use it in the Recommended Way.
+
+Mounting `/run/dbus` provides:
+
+- [go.d/systemdunits](https://github.com/netdata/go.d.plugin/tree/master/modules/systemdunits#readme).
+- Systemd-list-units function: information about all systemd units, including their active state, description, whether
+ they are enabled, and more.
+
+<Tabs>
+<TabItem value="docker_run" label="docker run">
+
+<h3> Using the <code>docker run</code> command </h3>
+
+Add `-v /run/dbus:/run/dbus:ro` to your `docker run`.
+
+</TabItem>
+<TabItem value="docker compose" label="docker-compose">
+
+<h3> Using the <code>docker-compose</code> command</h3>
+
+Add `- /run/dbus:/run/dbus:ro` to the netdata service `volumes`.
+
+</TabItem>
+</Tabs>
+
+### With host-editable configuration
+
+Use a [bind mount](https://docs.docker.com/storage/bind-mounts/) for `/etc/netdata` rather than a volume.
+
+This example assumes that you have created `netdataconfig/` in your home directory.
+
+```bash
+mkdir netdataconfig
+```
+
+<Tabs>
+<TabItem value="docker_run" label="docker run">
+
+<h3> Using the <code>docker run</code> command </h3>
+
+Run the following command in your terminal to start a new container.
+
+```bash
+docker run -d --name=netdata \
+ --pid=host \
+ --network=host \
+ -v $(pwd)/netdataconfig/netdata:/etc/netdata \
+ -v netdatalib:/var/lib/netdata \
+ -v netdatacache:/var/cache/netdata \
+ -v /etc/passwd:/host/etc/passwd:ro \
+ -v /etc/group:/host/etc/group:ro \
+ -v /etc/localtime:/etc/localtime:ro \
+ -v /proc:/host/proc:ro \
+ -v /sys:/host/sys:ro \
+ -v /etc/os-release:/host/etc/os-release:ro \
+ -v /var/log:/host/var/log:ro \
+ -v /var/run/docker.sock:/var/run/docker.sock:ro \
+ --restart unless-stopped \
+ --cap-add SYS_PTRACE \
+ --cap-add SYS_ADMIN \
+ --security-opt apparmor=unconfined \
+ netdata/netdata
+```
+
+</TabItem>
+<TabItem value="docker compose" label="docker-compose">
+
+<h3> Using the <code>docker-compose</code> command</h3>
+
+Create a file named `docker-compose.yml` in your project directory and paste the code below. From your project
+directory, start Netdata by running `docker-compose up -d`.
+
+```yaml
+version: '3'
+services:
+ netdata:
+ image: netdata/netdata
+ container_name: netdata
+ pid: host
+ network_mode: host
+ restart: unless-stopped
+ cap_add:
+ - SYS_PTRACE
+ - SYS_ADMIN
+ security_opt:
+ - apparmor:unconfined
+ volumes:
+ - ./netdataconfig/netdata:/etc/netdata
+ - netdatalib:/var/lib/netdata
+ - netdatacache:/var/cache/netdata
+ - /etc/passwd:/host/etc/passwd:ro
+ - /etc/group:/host/etc/group:ro
+ - /etc/localtime:/etc/localtime:ro
+ - /proc:/host/proc:ro
+ - /sys:/host/sys:ro
+ - /etc/os-release:/host/etc/os-release:ro
+ - /var/log:/host/var/log:ro
+ - /var/run/docker.sock:/var/run/docker.sock:ro
+
+volumes:
+ netdatalib:
+ netdatacache:
+```
+
+</TabItem>
+</Tabs>
+
+### With SSL/TLS enabled HTTP Proxy
+
+For a permanent installation on a public server, you
+should [secure the Netdata instance](https://github.com/netdata/netdata/blob/master/docs/netdata-security.md). This
+section contains an example of how to install Netdata with an SSL reverse proxy and basic authentication.
+
+You can use the following `docker-compose.yml` and Caddyfile files to run Netdata with Docker. Replace the domains and
+email address for [Let's Encrypt](https://letsencrypt.org/) before starting.
+
+#### Caddyfile
+
+This file needs to be placed in `/opt` with name `Caddyfile`. Here you customize your domain, and you need to provide
+your email address to obtain a Let's Encrypt certificate. Certificate renewal will happen automatically and will be
+executed internally by the caddy server.
+
+```caddyfile
+netdata.example.org {
+ reverse_proxy netdata:19999
+ tls admin@example.org
+}
+```
+
+#### docker-compose.yml
+
+After setting Caddyfile run this with `docker-compose up -d` to have a fully functioning Netdata setup behind an HTTP reverse
+proxy.
+
+```yaml
+version: '3'
+services:
+ caddy:
+ image: caddy:2
+ ports:
+ - "80:80"
+ - "443:443"
+ volumes:
+ - /opt/Caddyfile:/etc/caddy/Caddyfile
+ - caddy_data:/data
+ - caddy_config:/config
+ netdata:
+ image: netdata/netdata
+ container_name: netdata
+ hostname: example.com # set to fqdn of host
+ restart: always
+ pid: host
+ cap_add:
+ - SYS_PTRACE
+ - SYS_ADMIN
+ security_opt:
+ - apparmor:unconfined
+ volumes:
+ - netdataconfig:/etc/netdata
+ - netdatalib:/var/lib/netdata
+ - netdatacache:/var/cache/netdata
+ - /etc/passwd:/host/etc/passwd:ro
+ - /etc/group:/host/etc/group:ro
+ - /etc/localtime:/etc/localtime:ro
+ - /proc:/host/proc:ro
+ - /sys:/host/sys:ro
+ - /etc/os-release:/host/etc/os-release:ro
+ - /var/log:/host/var/log:ro
+ - /var/run/docker.sock:/var/run/docker.sock:ro
+volumes:
+ caddy_data:
+ caddy_config:
+ netdatalib:
+ netdatacache:
+```
+
+#### Restrict access with basic auth
+
+You can restrict access by
+following the [official caddy guide](https://caddyserver.com/docs/caddyfile/directives/basicauth#basicauth) and adding lines
+to Caddyfile.
+
+### With Docker socket proxy
+
+Deploy a Docker socket proxy that accepts and filters out requests using something like
+[HAProxy](https://github.com/netdata/netdata/blob/master/docs/Running-behind-haproxy.md) or
+[CetusGuard](https://github.com/hectorm/cetusguard) so that it restricts connections to read-only access to
+the `/containers` endpoint.
+
+The reason it's safer to expose the socket to the proxy is because Netdata has a TCP port exposed outside the Docker
+network. Access to the proxy container is limited to only within the network.
+
+#### HAProxy
+
+```yaml
+version: '3'
+services:
+ netdata:
+ image: netdata/netdata
+ container_name: netdata
+ pid: host
+ network_mode: host
+ restart: unless-stopped
+ cap_add:
+ - SYS_PTRACE
+ - SYS_ADMIN
+ security_opt:
+ - apparmor:unconfined
+ volumes:
+ - netdataconfig:/etc/netdata
+ - netdatalib:/var/lib/netdata
+ - netdatacache:/var/cache/netdata
+ - /etc/passwd:/host/etc/passwd:ro
+ - /etc/group:/host/etc/group:ro
+ - /etc/localtime:/etc/localtime:ro
+ - /proc:/host/proc:ro
+ - /sys:/host/sys:ro
+ - /etc/os-release:/host/etc/os-release:ro
+ - /var/log:/host/var/log:ro
+ environment:
+ - DOCKER_HOST=localhost:2375
+ proxy:
+ network_mode: host
+ image: tecnativa/docker-socket-proxy
+ volumes:
+ - /var/run/docker.sock:/var/run/docker.sock:ro
+ environment:
+ - CONTAINERS=1
+
+volumes:
+ netdataconfig:
+ netdatalib:
+ netdatacache:
+```
+
+**Note:** Replace `2375` with the port of your proxy.
+
+#### CetusGuard
+
+> Note: This deployment method is supported by the community
+
+```yaml
+version: '3'
+services:
+ netdata:
+ image: netdata/netdata
+ container_name: netdata
+ pid: host
+ network_mode: host
+ restart: unless-stopped
+ cap_add:
+ - SYS_PTRACE
+ - SYS_ADMIN
+ security_opt:
+ - apparmor:unconfined
+ volumes:
+ - netdataconfig:/etc/netdata
+ - netdatalib:/var/lib/netdata
+ - netdatacache:/var/cache/netdata
+ - /etc/passwd:/host/etc/passwd:ro
+ - /etc/group:/host/etc/group:ro
+ - /etc/localtime:/etc/localtime:ro
+ - /proc:/host/proc:ro
+ - /sys:/host/sys:ro
+ - /etc/os-release:/host/etc/os-release:ro
+ - /var/log:/host/var/log:ro
+ environment:
+ - DOCKER_HOST=localhost:2375
+ cetusguard:
+ image: hectorm/cetusguard:v1
+ network_mode: host
+ read_only: true
+ volumes:
+ - /var/run/docker.sock:/var/run/docker.sock:ro
+ environment:
+ CETUSGUARD_BACKEND_ADDR: unix:///var/run/docker.sock
+ CETUSGUARD_FRONTEND_ADDR: tcp://:2375
+ CETUSGUARD_RULES: |
+ ! Inspect a container
+ GET %API_PREFIX_CONTAINERS%/%CONTAINER_ID_OR_NAME%/json
+
+volumes:
+ netdataconfig:
+ netdatalib:
+ netdatacache:
+```
+
+You can run the socket proxy in its own Docker Compose file and leave it on a private network that you can add to
+other services that require access.
+
+## Docker tags
+
+See our full list of Docker images at [Docker Hub](https://hub.docker.com/r/netdata/netdata).
+
+The official `netdata/netdata` Docker image provides the following named tags:
+
+| Tag | Description |
+|:--------:|---------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `stable` | the most recently published stable build. |
+| `edge` | the most recently published nightly build. In most cases, this is updated daily at around 01:00 UTC. |
+| `latest` | the most recently published build, whether it’s a stable build or a nightly build. This is what Docker will use by default if you do not specify a tag. |
+| `vX.Y.Z` | the full version of the release (for example, `v1.40.0`). |
+| `vX.Y` | the major and minor version (for example, `v1.40`). |
+| `vX` | just the major version (for example, `v1`). |
+
+The tags for minor and major versions are updated whenever a release that matches this tag is published (for example,
+if `v1.40.1` were to be published, the `v1.40` tag would be updated to it instead of pointing to `v1.40.0`).
+
+## Configure Agent containers
+
+If you started an Agent container using one of the [recommended methods](#create-a-new-netdata-agent-container), and you
+want to edit Netdata's configuration, you must first use `docker exec` to attach to the container. Replace `netdata`
+with the name of your container.
+
+```bash
+docker exec -it netdata bash
+cd /etc/netdata
+./edit-config netdata.conf
+```
+
+You need to restart the Agent to apply changes. Exit the container if you haven't already, then use the `docker` command
+to restart the container: `docker restart netdata`.
+
+### Change the default hostname
+
+You can change the hostname of a Docker container, and thus the name that appears in the local dashboard and in Netdata
+Cloud, when creating a new container. If you want to change the hostname of a Netdata container _after_ you started it,
+you can safely stop and remove it. Your configuration and metrics data reside in persistent volumes and are reattached
+to the recreated container.
+
+If you use `docker-run`, use the `--hostname` option with `docker run`.
+
+```bash
+docker run -d --name=netdata \
+ --hostname=my_docker_netdata
+```
+
+If you use `docker-compose`, add a `hostname:` key/value pair into your `docker-compose.yml` file, then create the
+container again using `docker-compose up -d`.
+
+```yaml
+version: '3'
+services:
+ netdata:
+ image: netdata/netdata
+ container_name: netdata
+ hostname: my_docker_compose_netdata
+```
+
+If you don't want to destroy and recreate your container, you can edit the Agent's `netdata.conf` file directly. See the
+above section on [configuring Agent containers](#configure-agent-containers) to find the appropriate method based on
+how you created the container.
+
+Alternatively, you can directly use the hostname from the node running the container by mounting `/etc/hostname` from
+the host in the container. With `docker run`, this can be done by adding `--volume /etc/hostname:/host/etc/hostname:ro` to
+the options. If you are using Docker Compose, you can add an entry to the container's `volumes` section
+reading `- /etc/hostname:/host/etc/hostname:ro`.
+
+## Adding extra packages at runtime
+
+By default, the official Netdata container images do not include a number of optional runtime dependencies. You
+can add these dependencies, or any other APT packages, at runtime by listing them in the environment variable
+`NETDATA_EXTRA_DEB_PACKAGES`.
+
+Commonly useful packages include:
+
+- `apcupsd`: For monitoring APC UPS devices.
+- `lm-sensors`: For monitoring hardware sensors.
+- `netcat-openbsd`: For IRC alert support.
+
+## Health Checks
+
+Our Docker image provides integrated support for health checks through the standard Docker interfaces.
+
+You can control how the health checks run by using the environment variable `NETDATA_HEALTHCHECK_TARGET` as follows:
+
+- If left unset, the health check will attempt to access the `/api/v1/info` endpoint of the agent.
+- If set to the exact value 'cli', the health check script will use `netdatacli ping` to determine if the agent is
+ running correctly or not. This is sufficient to ensure that Netdata did not hang during startup, but does not provide
+ a rigorous verification that the daemon is collecting data or is otherwise usable.
+- If set to anything else, the health check will treat the value as a URL to check for a 200 status code on. In most
+ cases, this should start with `http://localhost:19999/` to check the agent running in the container.
+
+In most cases, the default behavior of checking the `/api/v1/info` endpoint will be sufficient. If you are using a
+configuration which disables the web server or restricts access to certain APIs, you will need to use a non-default
+configuration for health checks to work.
+
+## Publish a test image to your own repository
+
+At Netdata, we provide multiple ways of testing your Docker images using your own repositories.
+You may either use the command line tools available or take advantage of our GitHub Actions infrastructure.
diff --git a/packaging/docker/gen-cflags.sh b/packaging/docker/gen-cflags.sh
new file mode 100755
index 00000000..f5ccab8a
--- /dev/null
+++ b/packaging/docker/gen-cflags.sh
@@ -0,0 +1,9 @@
+#!/bin/sh
+
+if [ -n "${CFLAGS}" ]; then
+ echo "${CFLAGS}"
+elif [ -n "${DEBUG_BUILD}" ]; then
+ echo "-ffunction-sections -fdata-sections -Og -ggdb -pipe"
+else
+ echo "-ffunction-sections -fdata-sections -O2 -funroll-loops -pipe"
+fi
diff --git a/packaging/docker/health.sh b/packaging/docker/health.sh
new file mode 100755
index 00000000..00adf97a
--- /dev/null
+++ b/packaging/docker/health.sh
@@ -0,0 +1,18 @@
+#!/bin/sh
+#
+# This is the script that gets run for our Docker image health checks.
+
+if [ -z "${NETDATA_HEALTHCHECK_TARGET}" ] ; then
+ # If users didn't request something else, query `/api/v1/info`.
+ PORT=${NETDATA_LISTENER_PORT:-19999}
+ NETDATA_HEALTHCHECK_TARGET="http://localhost:${PORT}/api/v1/info"
+fi
+
+case "${NETDATA_HEALTHCHECK_TARGET}" in
+ cli)
+ netdatacli ping || exit 1
+ ;;
+ *)
+ curl -sSL "${NETDATA_HEALTHCHECK_TARGET}" || exit 1
+ ;;
+esac
diff --git a/packaging/docker/run.sh b/packaging/docker/run.sh
new file mode 100755
index 00000000..41557332
--- /dev/null
+++ b/packaging/docker/run.sh
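Review bot: `echo "${CFLAGS}"` in gen-cflags.sh hands an operator-supplied string to the `/bin/sh` builtin echo, which on a dash-based `/bin/sh` interprets backslash escapes and a leading `-n`, so a CFLAGS value carrying such sequences (for example inside a `-D` define) would not reach the installer's `CFLAGS="$(packaging/docker/gen-cflags.sh)"` unchanged; `printf '%s\n' "${CFLAGS}"` prints it verbatim. The two fixed flag strings in the other branches are harmless either way, but switching all three to printf keeps the script uniform and ShellCheck-clean.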
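Review bot: `curl -sSL "${NETDATA_HEALTHCHECK_TARGET}" || exit 1` in health.sh reports the container healthy for any HTTP reply, including 4xx and 5xx, because curl exits 0 whenever it received a response; the README in this same commit promises a check for a 200 status code, so the request needs `--fail`: `curl -sSfL -o /dev/null "${NETDATA_HEALTHCHECK_TARGET}" || exit 1` (`-o /dev/null` also keeps the `/api/v1/info` JSON out of the container's health log). Adding `--max-time` with a value below the Dockerfile's `--timeout=10s` lets curl return its own status instead of being killed by Docker, which makes the failure reason visible in `docker inspect`.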
@@ -0,0 +1,120 @@
+#!/usr/bin/env bash
+#
+# Entry point script for netdata
+#
+# Copyright: 2018 and later Netdata Inc.
+# SPDX-License-Identifier: GPL-3.0-or-later
+#
+# Author : Pavlos Emm. Katsoulakis <paul@netdata.cloud>
+# Author : Austin S. Hemmelgarn <austin@netdata.cloud>
+set -e
+
+if [ ! -w / ] && [ "${EUID}" -eq 0 ]; then
+ echo >&2 "WARNING: This Docker host appears to not properly support newer stat system calls. This is known to cause issues with Netdata (most notably, nodes running on such hosts **cannot be claimed**)."
+ echo >&2 "WARNING: For more information, see https://learn.netdata.cloud/docs/agent/claim#known-issues-on-older-hosts-with-seccomp-enabled"
+fi
+
+if [ ! "${DISABLE_TELEMETRY:-0}" -eq 0 ] ||
+ [ -n "$DISABLE_TELEMETRY" ] ||
+ [ ! "${DO_NOT_TRACK:-0}" -eq 0 ] ||
+ [ -n "$DO_NOT_TRACK" ]; then
+ touch /etc/netdata/.opt-out-from-anonymous-statistics
+fi
+
+chmod o+rX / 2>/dev/null || echo "Unable to change permissions without errors."
+
+BALENA_PGID=$(stat -c %g /var/run/balena.sock 2>/dev/null || true)
+DOCKER_PGID=$(stat -c %g /var/run/docker.sock 2>/dev/null || true)
+
+re='^[0-9]+$'
+if [[ $BALENA_PGID =~ $re ]]; then
+ echo "Netdata detected balena-engine.sock"
+ DOCKER_HOST='/var/run/balena-engine.sock'
+ PGID="$BALENA_PGID"
+elif [[ $DOCKER_PGID =~ $re ]]; then
+ echo "Netdata detected docker.sock"
+ DOCKER_HOST="/var/run/docker.sock"
+ PGID="$DOCKER_PGID"
+fi
+export PGID
+export DOCKER_HOST
+
+if [ -n "${PGID}" ]; then
+ echo "Creating docker group ${PGID}"
+ addgroup --gid "${PGID}" "docker" || echo >&2 "Could not add group docker with ID ${PGID}, its already there probably"
+ echo "Assign netdata user to docker group ${PGID}"
+ usermod --append --groups "docker" "${DOCKER_USR}" || echo >&2 "Could not add netdata user to group docker with ID ${PGID}"
+fi
+
+# Needed to read Proxmox VMs and (LXC) containers configuration files (name resolution + CPU and memory limits)
+function add_netdata_to_proxmox_conf_files_group() {
+ group_guid="$(stat -c %g /host/etc/pve 2>/dev/null || true)"
+ [ -z "${group_guid}" ] && return
+
+ if ! getent group "${group_guid}" >/dev/null; then
+ echo "Creating proxmox-etc-pve group with GID ${group_guid}"
+ if ! addgroup -g "${group_guid}" "proxmox-etc-pve"; then
+ echo >&2 "Failed to add group proxmox-etc-pve with GID ${group_guid}."
+ return
+ fi
+ fi
+
+ if ! getent group "${group_guid}" | grep -q netdata; then
+ echo "Assign netdata user to group ${group_guid}"
+ if ! usermod -a -G "${group_guid}" "${DOCKER_USR}"; then
+ echo >&2 "Failed to add netdata user to group with GID ${group_guid}."
+ return
+ fi
+ fi
+}
+
+if [ -d "/host/etc/pve" ]; then
+ add_netdata_to_proxmox_conf_files_group || true
+fi
+
+
+if mountpoint -q /etc/netdata; then
+ echo "Copying stock configuration to /etc/netdata"
+ cp -an /etc/netdata.stock/* /etc/netdata
+ cp -an /etc/netdata.stock/.[^.]* /etc/netdata
+fi
+
+if [ -w "/etc/netdata" ]; then
+ if mountpoint -q /etc/netdata; then
+ hostname >/etc/netdata/.container-hostname
+ else
+ rm -f /etc/netdata/.container-hostname
+ fi
+fi
+
+if [ -n "${NETDATA_CLAIM_URL}" ] && [ -n "${NETDATA_CLAIM_TOKEN}" ] && [ ! -f /var/lib/netdata/cloud.d/claimed_id ]; then
+ # shellcheck disable=SC2086
+ /usr/sbin/netdata-claim.sh -token="${NETDATA_CLAIM_TOKEN}" \
+ -url="${NETDATA_CLAIM_URL}" \
+ ${NETDATA_CLAIM_ROOMS:+-rooms="${NETDATA_CLAIM_ROOMS}"} \
+ ${NETDATA_CLAIM_PROXY:+-proxy="${NETDATA_CLAIM_PROXY}"} \
+ ${NETDATA_EXTRA_CLAIM_OPTS} \
+ -daemon-not-running
+fi
+
+if [ -n "${NETDATA_EXTRA_APK_PACKAGES}" ]; then
+ echo >&2 "WARNING: Netdata’s Docker images have switched from Alpine to Debian as a base platform. Supplementary package support is now handled through the NETDATA_EXTRA_DEB_PACKAGES variable instead of NETDATA_EXTRA_APK_PACKAGES."
+ echo >&2 "WARNING: The container will still run, but supplementary packages listed in NETDATA_EXTRA_APK_PACKAGES will not be installed."
+ echo >&2 "WARNING: To remove these messages, either undefine NETDATA_EXTRA_APK_PACKAGES, or define it to an empty string."
+fi
+
+if [ -n "${NETDATA_EXTRA_DEB_PACKAGES}" ]; then
+ echo "Fetching APT repository metadata."
+ if ! apt-get update; then
+ echo "Failed to fetch APT repository metadata."
+ else
+ echo "Installing supplementary packages."
+ export DEBIAN_FRONTEND="noninteractive"
+ # shellcheck disable=SC2086
+ if ! apt-get install -y --no-install-recommends ${NETDATA_EXTRA_DEB_PACKAGES}; then
+ echo "Failed to install supplementary packages."
+ fi
+ fi
+fi
+
+exec /usr/sbin/netdata -u "${DOCKER_USR}" -D -s /host -p "${NETDATA_LISTENER_PORT}" "$@" |
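Review bot: The docker-socket block adds the netdata user to a group by name, `usermod --append --groups "docker" "${DOCKER_USR}"`, but when the socket's GID already belongs to a differently named group inside the container the preceding `addgroup --gid "${PGID}" "docker"` fails, the usermod then fails as well, and the script only prints its warning and carries on with netdata unable to read the socket; passing the numeric GID instead, `usermod --append --groups "${PGID}" "${DOCKER_USR}"`, works in both cases and matches what the proxmox helper further down already does with `usermod -a -G "${group_guid}"`. That helper in turn calls `addgroup -g "${group_guid}" "proxmox-etc-pve"` while the rest of the script and the Dockerfile use the Debian long form `--gid`; the warning text in this hunk says the image moved from Alpine to Debian, so it is worth confirming that the short option is still accepted by the image's addgroup and switching to `--gid` if it is not. `cp -an /etc/netdata.stock/.[^.]* /etc/netdata` runs under `set -e` without nullglob, so if the stock directory ever contains no dotfiles the pattern is passed literally and the failing cp aborts the entrypoint; `|| true` or a glob-existence guard would keep startup going. Less certain: the balena branch stats `/var/run/balena.sock` but exports `DOCKER_HOST='/var/run/balena-engine.sock'`, which is only correct if both paths lead to the same socket on balena hosts.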