Diffstat (limited to 'packaging/docker')
-rw-r--r-- | packaging/docker/Dockerfile | 4 | ||||
-rw-r--r-- | packaging/docker/README.md | 138 | ||||
-rwxr-xr-x | packaging/docker/run.sh | 111 |
3 files changed, 187 insertions, 66 deletions
diff --git a/packaging/docker/Dockerfile b/packaging/docker/Dockerfile
index 8e7c9a7b1..b12af313d 100644
--- a/packaging/docker/Dockerfile
+++ b/packaging/docker/Dockerfile
@@ -29,7 +29,7 @@ RUN chmod +x netdata-installer.sh && \
 cp -rp /deps/* /usr/local/ && \
 /bin/echo -e "INSTALL_TYPE='oci'\nPREBUILT_ARCH='$(uname -m)'" > ./system/.install-type && \
 CFLAGS="$(packaging/docker/gen-cflags.sh)" LDFLAGS="-Wl,--gc-sections" ./netdata-installer.sh --dont-wait --dont-start-it --use-system-protobuf \
- ${EXTRA_INSTALL_OPTS} --disable-ebpf --one-time-build --enable-lto "$([ "$RELEASE_CHANNEL" = stable ] && echo --stable-channel)"
+ ${EXTRA_INSTALL_OPTS} --disable-ebpf --install-no-prefix / "$([ "$RELEASE_CHANNEL" = stable ] && echo --stable-channel)"
 
 # files to one directory
 RUN mkdir -p /app/usr/sbin/ \
@@ -122,7 +122,9 @@ RUN addgroup --gid ${NETDATA_GID} --system "${DOCKER_GRP}" && \
 freeipmi.plugin \
 go.d.plugin \
 perf.plugin \
+ ndsudo \
 slabinfo.plugin \
+ network-viewer.plugin \
 systemd-journal.plugin; do \
 [ -f "/usr/libexec/netdata/plugins.d/$name" ] && chmod 4755 "/usr/libexec/netdata/plugins.d/$name"; \
 done && \
diff --git a/packaging/docker/README.md b/packaging/docker/README.md
index 528ef5926..204e17ad1 100644
--- a/packaging/docker/README.md
+++ b/packaging/docker/README.md
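Review bot: The setuid loop in the second hunk now marks `ndsudo` and `network-viewer.plugin` mode 4755 alongside the existing plugins, but nothing in the Dockerfile records why each entry needs setuid root, so the list reads as a maintenance detail rather than as the container's privilege surface. A comment above the `for name in` list such as `# Every binary listed here runs setuid root inside the container; add entries only after reviewing what the helper executes and which capabilities it needs` would make later additions get the scrutiny they deserve. The first hunk also drops `--one-time-build --enable-lto` while switching to `--install-no-prefix /`; if dropping LTO is intentional rather than incidental, a short comment on that line would stop someone from re-adding it. Both RUN instructions begin outside their hunks, so the `for name in` line itself is not visible here.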
@@ -12,6 +12,16 @@ import TabItem from '@theme/TabItem'; # Install Netdata with Docker +## Limitations running the Agent in Docker + +We do not officially support running our Docker images with the Docker CLI `--user` option or the Docker Compose +`user:` parameter. Such usage will usually still work, but some features will not be available when run this +way. Note that the agent will drop privileges appropriately inside the container during startup, meaning that even +when run without these options almost nothing in the container will actually run with an effective UID of 0. + +Our POWER8+ Docker images do not support our FreeIPMI collector. This is a technical limitation in FreeIPMI itself, +and unfortunately not something we can realistically work around. + ## Create a new Netdata Agent container You can create a new Agent container using either `docker run` or `docker-compose`. After using any method, you can 
@@ -24,12 +34,13 @@ along with their descriptions. <details open> <summary>Privileges</summary> -| Component | Privileges | Description | -|:---------------:|:-----------------------------:|--------------------------------------------------------------------------------------------------------------------------| -| cgroups.plugin | host PID mode, SYS_ADMIN | Container network interfaces monitoring. Map virtual interfaces in the system namespace to interfaces inside containers. | -| proc.plugin | host network mode | Host system networking stack monitoring. | -| go.d.plugin | host network mode | Monitoring applications running on the host and inside containers. | -| local-listeners | host network mode, SYS_PTRACE | Discovering local services/applications. Map open (listening) ports to running services/applications. | +| Component | Privileges | Description | +|:---------------------:|:-----------------------------:|--------------------------------------------------------------------------------------------------------------------------| +| cgroups.plugin | host PID mode, SYS_ADMIN | Container network interfaces monitoring. Map virtual interfaces in the system namespace to interfaces inside containers. | +| proc.plugin | host network mode | Host system networking stack monitoring. | +| go.d.plugin | host network mode | Monitoring applications running on the host and inside containers. | +| local-listeners | host network mode, SYS_PTRACE | Discovering local services/applications. Map open (listening) ports to running services/applications. | +| network-viewer.plugin | host network mode, SYS_ADMIN | Discovering all current network sockets and building a network-map. | </details> 
@@ -39,6 +50,7 @@ along with their descriptions. | Component | Mounts | Description | |:----------------------:|:--------------------------:|--------------------------------------------------------------------------------------------------------------------------------------------| | netdata | /etc/os-release | Host info detection. | +| diskspace.plugin | / | Host mount points monitoring. | | cgroups.plugin | /sys, /var/run/docker.sock | Docker containers monitoring and name resolution. | | go.d.plugin | /var/run/docker.sock | Docker Engine and containers monitoring. See [docker](https://github.com/netdata/go.d.plugin/tree/master/modules/docker#readme) collector. | | go.d.plugin | /var/log | Web servers logs tailing. See [weblog](https://github.com/netdata/go.d.plugin/tree/master/modules/weblog#readme) collector. | @@ -69,6 +81,7 @@ docker run -d --name=netdata \ -v netdataconfig:/etc/netdata \ -v netdatalib:/var/lib/netdata \ -v netdatacache:/var/cache/netdata \ + -v /:/host/root:ro,rslave \ -v /etc/passwd:/host/etc/passwd:ro \ -v /etc/group:/host/etc/group:ro \ -v /etc/localtime:/etc/localtime:ro \ @@ -110,6 +123,7 @@ services: - netdataconfig:/etc/netdata - netdatalib:/var/lib/netdata - netdatacache:/var/cache/netdata + - /:/host/root:ro,rslave - /etc/passwd:/host/etc/passwd:ro - /etc/group:/host/etc/group:ro - /etc/localtime:/etc/localtime:ro 
@@ -161,6 +175,43 @@ Add `- /run/dbus:/run/dbus:ro` to the netdata service `volumes`. </TabItem> </Tabs> +### With NVIDIA GPUs monitoring + + +Monitoring NVIDIA GPUs requires: + +- Using official [NVIDIA driver](https://www.nvidia.com/Download/index.aspx). +- Installing [NVIDIA Container Toolkit](https://docs.nvidia.com/datacenter/cloud-native/container-toolkit/latest/install-guide.html). +- Allowing the Netdata container to access GPU resources. + + +<Tabs> +<TabItem value="docker_run" label="docker run"> + +<h3> Using the <code>docker run</code> command </h3> + +Add `--gpus 'all,capabilities=utility'` to your `docker run`. + +</TabItem> +<TabItem value="docker compose" label="docker-compose"> + +<h3> Using the <code>docker-compose</code> command</h3> + +Add the following to the netdata service. + +```yaml + deploy: + resources: + reservations: + devices: + - driver: nvidia + count: all + capabilities: [gpu] +``` + +</TabItem> +</Tabs> + ### With host-editable configuration Use a [bind mount](https://docs.docker.com/storage/bind-mounts/) for `/etc/netdata` rather than a volume. @@ -185,6 +236,7 @@ docker run -d --name=netdata \ -v $(pwd)/netdataconfig/netdata:/etc/netdata \ -v netdatalib:/var/lib/netdata \ -v netdatacache:/var/cache/netdata \ + -v /:/host/root:ro,rslave \ -v /etc/passwd:/host/etc/passwd:ro \ -v /etc/group:/host/etc/group:ro \ -v /etc/localtime:/etc/localtime:ro \ @@ -226,6 +278,7 @@ services: - ./netdataconfig/netdata:/etc/netdata - netdatalib:/var/lib/netdata - netdatacache:/var/cache/netdata + - /:/host/root:ro,rslave - /etc/passwd:/host/etc/passwd:ro - /etc/group:/host/etc/group:ro - /etc/localtime:/etc/localtime:ro 
@@ -246,7 +299,7 @@ volumes: ### With SSL/TLS enabled HTTP Proxy For a permanent installation on a public server, you -should [secure the Netdata instance](https://github.com/netdata/netdata/blob/master/docs/netdata-security.md). This +should [secure the Netdata instance](/docs/netdata-agent/securing-netdata-agents.md). This section contains an example of how to install Netdata with an SSL reverse proxy and basic authentication. You can use the following `docker-compose.yml` and Caddyfile files to run Netdata with Docker. Replace the domains and @@ -260,7 +313,7 @@ executed internally by the caddy server. ```caddyfile netdata.example.org { - reverse_proxy netdata:19999 + reverse_proxy host.docker.internal:19999 tls admin@example.org } ``` @@ -270,11 +323,15 @@ netdata.example.org { After setting Caddyfile run this with `docker-compose up -d` to have a fully functioning Netdata setup behind an HTTP reverse proxy. +Make sure Netdata bind to docker0 interface if you've custom `web.bind to` setting in `netdata.conf`. + ```yaml version: '3' services: caddy: image: caddy:2 + extra_hosts: + - "host.docker.internal:host-gateway" # To access netdata running with "network_mode: host". ports: - "80:80" - "443:443" @@ -285,9 +342,9 @@ services: netdata: image: netdata/netdata container_name: netdata - hostname: example.com # set to fqdn of host - restart: always pid: host + network_mode: host + restart: unless-stopped cap_add: - SYS_PTRACE - SYS_ADMIN @@ -297,6 +354,7 @@ services: - netdataconfig:/etc/netdata - netdatalib:/var/lib/netdata - netdatacache:/var/cache/netdata + - /:/host/root:ro,rslave - /etc/passwd:/host/etc/passwd:ro - /etc/group:/host/etc/group:ro - /etc/localtime:/etc/localtime:ro 
@@ -321,7 +379,7 @@ to Caddyfile. ### With Docker socket proxy Deploy a Docker socket proxy that accepts and filters out requests using something like -[HAProxy](https://github.com/netdata/netdata/blob/master/docs/Running-behind-haproxy.md) or +[HAProxy](/docs/netdata-agent/configuration/running-the-netdata-agent-behind-a-reverse-proxy/Running-behind-haproxy.md) or [CetusGuard](https://github.com/hectorm/cetusguard) so that it restricts connections to read-only access to the `/containers` endpoint. @@ -348,6 +406,7 @@ services: - netdataconfig:/etc/netdata - netdatalib:/var/lib/netdata - netdatacache:/var/cache/netdata + - /:/host/root:ro,rslave - /etc/passwd:/host/etc/passwd:ro - /etc/group:/host/etc/group:ro - /etc/localtime:/etc/localtime:ro @@ -395,6 +454,7 @@ services: - netdataconfig:/etc/netdata - netdatalib:/var/lib/netdata - netdatacache:/var/cache/netdata + - /:/host/root:ro,rslave - /etc/passwd:/host/etc/passwd:ro - /etc/group:/host/etc/group:ro - /etc/localtime:/etc/localtime:ro 
@@ -426,6 +486,62 @@ volumes: You can run the socket proxy in its own Docker Compose file and leave it on a private network that you can add to other services that require access. +### Rootless mode + +Netdata can be run successfully in a non-root environment, such as [rootless Docker](https://docs.docker.com/engine/security/rootless/). + +However, it should be noted that Netdata's data collection capabilities are considerably restricted in rootless Docker +due to its inherent limitations. While Netdata can function in a rootless environment, it cannot access certain +resources that require elevated privileges. The following components do not work: + +- container network interfaces monitoring (cgroup-network helper) +- disk I/O and file descriptors of applications and processes (apps.plugin) +- debugfs.plugin +- freeipmi.plugin +- perf.plugin +- slabinfo.plugin +- systemd-journal.plugin + +This method creates a [volume](https://docs.docker.com/storage/volumes/) for Netdata's configuration files +_within the container_ at `/etc/netdata`. +See the [configure section](#configure-agent-containers) for details. If you want to access the configuration files from +your _host_ machine, see [host-editable configuration](#with-host-editable-configuration). + +<Tabs> +<TabItem value="docker_run" label="docker run"> + +<h3> Using the <code>docker run</code> command </h3> + +Run the following command in your terminal to start a new container. 
+ +```bash +docker run -d --name=netdata \ + --hostname=$(hostname) \ + -p 19999:19999 \ + -v netdataconfig:/etc/netdata \ + -v netdatalib:/var/lib/netdata \ + -v netdatacache:/var/cache/netdata \ + -v /etc/passwd:/host/etc/passwd:ro \ + -v /etc/group:/host/etc/group:ro \ + -v /etc/localtime:/etc/localtime:ro \ + -v /proc:/host/proc:ro \ + -v /sys:/host/sys:ro \ + -v /etc/os-release:/host/etc/os-release:ro \ + -v /run/user/$UID/docker.sock:/var/run/docker.sock:ro \ + --restart unless-stopped \ + --security-opt apparmor=unconfined \ + netdata/netdata +``` + +</TabItem> + +</Tabs> + +> :bookmark_tabs: Note +> +> If you plan to Claim the node to Netdata Cloud, you can find the command with the right parameters by clicking the " +> Add Nodes" button in your Space's "Nodes" view. + ## Docker tags See our full list of Docker images at [Docker Hub](https://hub.docker.com/r/netdata/netdata). diff --git a/packaging/docker/run.sh b/packaging/docker/run.sh index 415573320..6ba16d1ce 100755 --- a/packaging/docker/run.sh +++ b/packaging/docker/run.sh 
@@ -14,38 +14,6 @@ if [ ! -w / ] && [ "${EUID}" -eq 0 ]; then
 echo >&2 "WARNING: For more information, see https://learn.netdata.cloud/docs/agent/claim#known-issues-on-older-hosts-with-seccomp-enabled"
 fi
 
-if [ ! "${DISABLE_TELEMETRY:-0}" -eq 0 ] ||
- [ -n "$DISABLE_TELEMETRY" ] ||
- [ ! "${DO_NOT_TRACK:-0}" -eq 0 ] ||
- [ -n "$DO_NOT_TRACK" ]; then
- touch /etc/netdata/.opt-out-from-anonymous-statistics
-fi
-
-chmod o+rX / 2>/dev/null || echo "Unable to change permissions without errors."
-
-BALENA_PGID=$(stat -c %g /var/run/balena.sock 2>/dev/null || true)
-DOCKER_PGID=$(stat -c %g /var/run/docker.sock 2>/dev/null || true)
-
-re='^[0-9]+$'
-if [[ $BALENA_PGID =~ $re ]]; then
- echo "Netdata detected balena-engine.sock"
- DOCKER_HOST='/var/run/balena-engine.sock'
- PGID="$BALENA_PGID"
-elif [[ $DOCKER_PGID =~ $re ]]; then
- echo "Netdata detected docker.sock"
- DOCKER_HOST="/var/run/docker.sock"
- PGID="$DOCKER_PGID"
-fi
-export PGID
-export DOCKER_HOST
-
-if [ -n "${PGID}" ]; then
- echo "Creating docker group ${PGID}"
- addgroup --gid "${PGID}" "docker" || echo >&2 "Could not add group docker with ID ${PGID}, its already there probably"
- echo "Assign netdata user to docker group ${PGID}"
- usermod --append --groups "docker" "${DOCKER_USR}" || echo >&2 "Could not add netdata user to group docker with ID ${PGID}"
-fi
-
 # Needed to read Proxmox VMs and (LXC) containers configuration files (name resolution + CPU and memory limits)
 function add_netdata_to_proxmox_conf_files_group() {
 group_guid="$(stat -c %g /host/etc/pve 2>/dev/null || true)"
@@ -68,10 +36,65 @@ function add_netdata_to_proxmox_conf_files_group() {
 fi
 }
 
-if [ -d "/host/etc/pve" ]; then
- add_netdata_to_proxmox_conf_files_group || true
+if [ ! "${DISABLE_TELEMETRY:-0}" -eq 0 ] ||
+ [ -n "$DISABLE_TELEMETRY" ] ||
+ [ ! "${DO_NOT_TRACK:-0}" -eq 0 ] ||
+ [ -n "$DO_NOT_TRACK" ]; then
+ touch /etc/netdata/.opt-out-from-anonymous-statistics
 fi
 
+chmod o+rX / 2>/dev/null || echo "Unable to change permissions without errors."
+
+if [ "${EUID}" -eq 0 ]; then
+ if [ -n "${NETDATA_EXTRA_APK_PACKAGES}" ]; then
+ echo >&2 "WARNING: Netdata’s Docker images have switched from Alpine to Debian as a base platform. Supplementary package support is now handled through the NETDATA_EXTRA_DEB_PACKAGES variable instead of NETDATA_EXTRA_APK_PACKAGES."
+ echo >&2 "WARNING: The container will still run, but supplementary packages listed in NETDATA_EXTRA_APK_PACKAGES will not be installed."
+ echo >&2 "WARNING: To remove these messages, either undefine NETDATA_EXTRA_APK_PACKAGES, or define it to an empty string."
+ fi
+
+ if [ -n "${NETDATA_EXTRA_DEB_PACKAGES}" ]; then
+ echo "Fetching APT repository metadata."
+ if ! apt-get update; then
+ echo "Failed to fetch APT repository metadata."
+ else
+ echo "Installing supplementary packages."
+ export DEBIAN_FRONTEND="noninteractive"
+ # shellcheck disable=SC2086
+ if ! apt-get install -y --no-install-recommends ${NETDATA_EXTRA_DEB_PACKAGES}; then
+ echo "Failed to install supplementary packages."
+ fi
+ fi
+ fi
+
+ BALENA_PGID=$(stat -c %g /var/run/balena.sock 2>/dev/null || true)
+ DOCKER_PGID=$(stat -c %g /var/run/docker.sock 2>/dev/null || true)
+
+ re='^[0-9]+$'
+ if [[ $BALENA_PGID =~ $re ]]; then
+ echo "Netdata detected balena-engine.sock"
+ DOCKER_HOST='/var/run/balena-engine.sock'
+ PGID="$BALENA_PGID"
+ elif [[ $DOCKER_PGID =~ $re ]]; then
+ echo "Netdata detected docker.sock"
+ DOCKER_HOST="/var/run/docker.sock"
+ PGID="$DOCKER_PGID"
+ fi
+ export PGID
+ export DOCKER_HOST
+
+ if [ -n "${PGID}" ]; then
+ echo "Creating docker group ${PGID}"
+ addgroup --gid "${PGID}" "docker" || echo >&2 "Could not add group docker with ID ${PGID}, its already there probably"
+ echo "Assign netdata user to docker group ${PGID}"
+ usermod --append --groups "docker" "${DOCKER_USR}" || echo >&2 "Could not add netdata user to group docker with ID ${PGID}"
+ fi
+
+ if [ -d "/host/etc/pve" ]; then
+ add_netdata_to_proxmox_conf_files_group || true
+ fi
+else
+ echo >&2 "WARNING: Entrypoint started as non-root user. This is not officially supported and some features may not be available."
+fi
 
 if mountpoint -q /etc/netdata; then
 echo "Copying stock configuration to /etc/netdata"
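Review bot: The balena detection that moves into the root-only block runs `stat` on `/var/run/balena.sock` but then sets `DOCKER_HOST='/var/run/balena-engine.sock'`, so the socket whose group id becomes `PGID` is not the socket the agent is pointed at; if those two paths are not always present together this looks like a latent mismatch, worth confirming on a balena host or collapsing to one path for both the `stat` and `DOCKER_HOST`. The new `if [ "${EUID}" -eq 0 ]` block also deserves a header comment stating the gate, e.g. `# Supplementary package installation, docker-group membership and the Proxmox group lookup all need root; when the entrypoint is started as another user they are skipped and only the warning below is printed`, since the non-root branch otherwise reads as an incomplete fallback. Because `export PGID` and `export DOCKER_HOST` now run only on the root path, anything later in the script that reads them sees them unset when started as non-root; that tail of the script is outside the hunk. The function add_netdata_to_proxmox_conf_files_group closes at the top of this hunk and its body is not visible here.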
@@ -97,24 +120,4 @@ if [ -n "${NETDATA_CLAIM_URL}" ] && [ -n "${NETDATA_CLAIM_TOKEN}" ] && [ ! -f /v
 -daemon-not-running
 fi
 
-if [ -n "${NETDATA_EXTRA_APK_PACKAGES}" ]; then
- echo >&2 "WARNING: Netdata’s Docker images have switched from Alpine to Debian as a base platform. Supplementary package support is now handled through the NETDATA_EXTRA_DEB_PACKAGES variable instead of NETDATA_EXTRA_APK_PACKAGES."
- echo >&2 "WARNING: The container will still run, but supplementary packages listed in NETDATA_EXTRA_APK_PACKAGES will not be installed."
- echo >&2 "WARNING: To remove these messages, either undefine NETDATA_EXTRA_APK_PACKAGES, or define it to an empty string."
-fi
-
-if [ -n "${NETDATA_EXTRA_DEB_PACKAGES}" ]; then
- echo "Fetching APT repository metadata."
- if ! apt-get update; then
- echo "Failed to fetch APT repository metadata."
- else
- echo "Installing supplementary packages."
- export DEBIAN_FRONTEND="noninteractive"
- # shellcheck disable=SC2086
- if ! apt-get install -y --no-install-recommends ${NETDATA_EXTRA_DEB_PACKAGES}; then
- echo "Failed to install supplementary packages."
- fi
- fi
-fi
-
 exec /usr/sbin/netdata -u "${DOCKER_USR}" -D -s /host -p "${NETDATA_LISTENER_PORT}" "$@"