diff options
Diffstat (limited to 'packaging/docker')
-rw-r--r-- | packaging/docker/Dockerfile | 9 | ||||
-rw-r--r-- | packaging/docker/README.md | 209 | ||||
-rwxr-xr-x | packaging/docker/run.sh | 15 |
3 files changed, 146 insertions, 87 deletions
diff --git a/packaging/docker/Dockerfile b/packaging/docker/Dockerfile index ce5a0b93..fcd9432b 100644 --- a/packaging/docker/Dockerfile +++ b/packaging/docker/Dockerfile @@ -51,7 +51,9 @@ RUN mkdir -p /app/usr/sbin/ \ mv /usr/sbin/netdatacli /app/usr/sbin/ && \ mv packaging/docker/run.sh /app/usr/sbin/ && \ mv packaging/docker/health.sh /app/usr/sbin/ && \ - cp -rp /deps/* /app/usr/local/ && \ + mkdir -p /deps/etc && \ + cp -rp /deps/etc /app/usr/local/etc && \ + chmod -R o+rX /app && \ chmod +x /app/usr/sbin/run.sh ##################################################################### @@ -106,6 +108,9 @@ RUN chown -R root:root \ if [ -f /usr/libexec/netdata/plugins.d/freeipmi.plugin ]; then \ chmod 4755 /usr/libexec/netdata/plugins.d/freeipmi.plugin; \ fi && \ + if [ -f /usr/libexec/netdata/plugins.d/go.d.plugin ] && command -v setcap 1>/dev/null 2>&1; then \ + setcap "cap_net_raw=eip" /usr/libexec/netdata/plugins.d/go.d.plugin 2>/dev/null; \ + fi && \ # Group write permissions due to: https://github.com/netdata/netdata/pull/6543 find /var/lib/netdata /var/cache/netdata -type d -exec chmod 0770 {} \; && \ find /var/lib/netdata /var/cache/netdata -type f -exec chmod 0660 {} \; && \ @@ -114,6 +119,8 @@ RUN chown -R root:root \ ENV NETDATA_LISTENER_PORT 19999 EXPOSE $NETDATA_LISTENER_PORT +ENV NETDATA_EXTRA_APK_PACKAGES="" + ENTRYPOINT ["/usr/sbin/run.sh"] HEALTHCHECK --interval=60s --timeout=10s --retries=3 CMD /usr/sbin/health.sh diff --git a/packaging/docker/README.md b/packaging/docker/README.md index aec5723e..ef7dd6de 100644 --- a/packaging/docker/README.md +++ b/packaging/docker/README.md @@ -1,26 +1,16 @@ <!-- title: "Install Netdata with Docker" -date: "2020-04-23" custom_edit_url: "https://github.com/netdata/netdata/edit/master/packaging/docker/README.md" -sidebar_label: "Install Netdata with Docker" +sidebar_label: "Docker" learn_status: "Published" -learn_topic_type: "Tasks" -learn_rel_path: "Installation" +learn_rel_path: "Installation/Installation methods" +sidebar_position: 40 --> -# Install the Netdata Agent with Docker +import Tabs from '@theme/Tabs'; +import TabItem from '@theme/TabItem'; -Running the Netdata Agent in a container works best for an internal network or to quickly analyze a host. Docker helps -you get set up quickly, and doesn't install anything permanent on the system, which makes uninstalling the Agent easy. - -See our full list of Docker images at [Docker Hub](https://hub.docker.com/r/netdata/netdata). - -Starting with v1.30, Netdata collects anonymous usage information by default and sends it to a self-hosted PostHog instance within the Netdata infrastructure. Read -about the information collected, and learn how to-opt, on our [anonymous statistics](https://github.com/netdata/netdata/blob/master/docs/anonymous-statistics.md) -page. - -The usage statistics are _vital_ for us, as we use them to discover bugs and prioritize new features. We thank you for -_actively_ contributing to Netdata's future. +# Install Netdata with Docker ## Limitations running the Agent in Docker @@ -41,22 +31,7 @@ and unfortunately not something we can realistically work around. ## Create a new Netdata Agent container -> **Notice**: all `docker run` commands and `docker-compose` configurations explicitly set the `nofile` limit. This is -> required on some distros until [14177](https://github.com/netdata/netdata/issues/14177) is resolved. Failure to do so -> may cause a task running in a container to hang and consume 100% of the CPU core. - -<details> -<summary>What are these "some distros"?</summary> - -If `LimitNOFILE=infinity` results in an open file limit of 1073741816: - -```bash -[fedora37 ~]$ docker run --rm busybox grep open /proc/self/limits -Max open files 1073741816 1073741816 files -``` -</details> - -You can create a new Agent container using either `docker run` or Docker Compose. After using either method, you can +You can create a new Agent container using either `docker run` or `docker-compose`. After using either method, you can visit the Agent dashboard `http://NODE:19999`. Both methods create a [bind mount](https://docs.docker.com/storage/bind-mounts/) for Netdata's configuration files @@ -64,7 +39,12 @@ _within the container_ at `/etc/netdata`. See the [configuration section](#confi you want to access the configuration files from your _host_ machine, see [host-editable configuration](#host-editable-configuration). -**`docker run`**: Use the `docker run` command, along with the following options, to start a new container. +<Tabs> +<TabItem value="docker_run" label="docker run"> + +<h3> Using the <code>docker run</code> command </h3> + +Run the following command along with the following options on your terminal, to start a new container. ```bash docker run -d --name=netdata \ @@ -80,48 +60,65 @@ docker run -d --name=netdata \ --restart unless-stopped \ --cap-add SYS_PTRACE \ --security-opt apparmor=unconfined \ - --ulimit nofile=4096 \ netdata/netdata ``` -**Docker Compose**: Copy the following code and paste into a new file called `docker-compose.yml`, then run -`docker-compose up -d` in the same directory as the `docker-compose.yml` file to start the container. - -```yaml -version: '3' -services: - netdata: - image: netdata/netdata - container_name: netdata - hostname: example.com # set to fqdn of host - ports: - - 19999:19999 - restart: unless-stopped - cap_add: - - SYS_PTRACE - security_opt: - - apparmor:unconfined - ulimits: - nofile: - soft: 4096 - volumes: - - netdataconfig:/etc/netdata - - netdatalib:/var/lib/netdata - - netdatacache:/var/cache/netdata - - /etc/passwd:/host/etc/passwd:ro - - /etc/group:/host/etc/group:ro - - /proc:/host/proc:ro - - /sys:/host/sys:ro - - /etc/os-release:/host/etc/os-release:ro - -volumes: - netdataconfig: - netdatalib: - netdatacache: -``` +> ### Note +> +> If you plan to Claim the node to Netdata Cloud, you can find the command with the right parameters by clicking the "Add Nodes" button in your Space's Nodes tab. + +</TabItem> +<TabItem value="docker compose" label="docker-compose"> + +<h3> Using the <code>docker-compose</code> command</h3> + +#### Steps + +1. Copy the following code and paste into a new file called `docker-compose.yml` + + ```yaml + version: '3' + services: + netdata: + image: netdata/netdata + container_name: netdata + hostname: example.com # set to fqdn of host + ports: + - 19999:19999 + restart: unless-stopped + cap_add: + - SYS_PTRACE + security_opt: + - apparmor:unconfined + volumes: + - netdataconfig:/etc/netdata + - netdatalib:/var/lib/netdata + - netdatacache:/var/cache/netdata + - /etc/passwd:/host/etc/passwd:ro + - /etc/group:/host/etc/group:ro + - /proc:/host/proc:ro + - /sys:/host/sys:ro + - /etc/os-release:/host/etc/os-release:ro + + volumes: + netdataconfig: + netdatalib: + netdatacache: + ``` + +2. Run `docker-compose up -d` in the same directory as the `docker-compose.yml` file to start the container. + +> :bookmark_tabs: Note +> +> If you plan to Claim the node to Netdata Cloud, you can find the command with the right parameters by clicking the "Add Nodes" button in your Space's "Nodes" view. + +</TabItem> +</Tabs> ## Docker tags +See our full list of Docker images at [Docker Hub](https://hub.docker.com/r/netdata/netdata). + The official `netdata/netdata` Docker image provides the following named tags: * `stable`: The `stable` tag will always point to the most recently published stable build. @@ -136,6 +133,20 @@ Additionally, for each stable release, three tags are pushed, one with the full that would match that tag (for example, if `v1.30.1` were to be published, the `v1.30` tag would be updated to point to that instead of `v1.30.0`). +## Adding extra packages at runtime + +By default, the official Netdata container images do not include a number of optional runtime dependencies. You +can add these dependencies, or any other APK packages, at runtime by listing them in the environment variable +`NETDATA_EXTRA_APK_PACKAGES`. + +Commonly useful packages include: + +- `apcupsd`: For monitoring APC UPS devices. +- `libvirt-daemon`: For resolving cgroup names for libvirt domains. +- `lm-sensors`: For monitoring hardware sensors. +- `msmtp`: For email alert support. +- `netcat-openbsd`: For IRC alert support. + ## Health Checks Our Docker image provides integrated support for health checks through the standard Docker interfaces. @@ -176,7 +187,9 @@ to restart the container: `docker restart netdata`. ### Host-editable configuration -> **Warning**: [edit-config](https://github.com/netdata/netdata/blob/master/docs/configure/nodes.md#the-netdata-config-directory) script doesn't work when executed on +> :warning: Warning +> +> The [edit-config](https://github.com/netdata/netdata/blob/master/docs/configure/nodes.md#the-netdata-config-directory) script doesn't work when executed on > the host system. If you want to make your container's configuration directory accessible from the host system, you need to use a @@ -208,7 +221,6 @@ docker run -d --name=netdata \ --restart unless-stopped \ --cap-add SYS_PTRACE \ --security-opt apparmor=unconfined \ - --ulimit nofile=4096 \ netdata/netdata ``` @@ -230,9 +242,6 @@ services: - SYS_PTRACE security_opt: - apparmor:unconfined - ulimits: - nofile: - soft: 4096 volumes: - ./netdataconfig/netdata:/etc/netdata:ro - netdatalib:/var/lib/netdata @@ -322,17 +331,17 @@ your machine from within the container. Please read the following carefully. #### Docker socket proxy (safest option) Deploy a Docker socket proxy that accepts and filters out requests using something like -[HAProxy](https://github.com/netdata/netdata/blob/master/docs/Running-behind-haproxy.md) so that it restricts connections to read-only access to the CONTAINERS +[HAProxy](https://github.com/netdata/netdata/blob/master/docs/Running-behind-haproxy.md) or +[CetusGuard](https://github.com/hectorm/cetusguard) so that it restricts connections to read-only access to the `/containers` endpoint. The reason it's safer to expose the socket to the proxy is because Netdata has a TCP port exposed outside the Docker network. Access to the proxy container is limited to only within the network. -Below is [an example repository (and image)](https://github.com/Tecnativa/docker-socket-proxy) that provides a proxy to -the socket. +Here are two examples, the first using [a Docker image based on HAProxy](https://github.com/Tecnativa/docker-socket-proxy) +and the second using [CetusGuard](https://github.com/hectorm/cetusguard). -You run the Docker Socket Proxy in its own Docker Compose file and leave it on a private network that you can add to -other services that require access. +##### Docker Socket Proxy (HAProxy) ```yaml version: '3' @@ -347,17 +356,46 @@ services: proxy: image: tecnativa/docker-socket-proxy volumes: - - /var/run/docker.sock:/var/run/docker.sock:ro + - /var/run/docker.sock:/var/run/docker.sock:ro environment: - CONTAINERS=1 - ``` **Note:** Replace `2375` with the port of your proxy. +##### CetusGuard + +```yaml +version: '3' +services: + netdata: + image: netdata/netdata + # ... rest of your config ... + ports: + - 19999:19999 + environment: + - DOCKER_HOST=cetusguard:2375 + cetusguard: + image: hectorm/cetusguard:v1 + read_only: true + volumes: + - /var/run/docker.sock:/var/run/docker.sock:ro + environment: + CETUSGUARD_BACKEND_ADDR: unix:///var/run/docker.sock + CETUSGUARD_FRONTEND_ADDR: tcp://:2375 + CETUSGUARD_RULES: | + ! Inspect a container + GET %API_PREFIX_CONTAINERS%/%CONTAINER_ID_OR_NAME%/json +``` + +You can run the socket proxy in its own Docker Compose file and leave it on a private network that you can add to +other services that require access. + #### Giving group access to the Docker socket (less safe) +> :warning: Caution +> > You should seriously consider the necessity of activating this option, as it grants to the `netdata` -user access to the privileged socket connection of docker service and therefore your whole machine. +> user access to the privileged socket connection of docker service and therefore your whole machine. If you want to have your container names resolved by Netdata, make the `netdata` user be part of the group that owns the socket. @@ -386,6 +424,8 @@ grep docker /etc/group | cut -d ':' -f 3 #### Running as root (unsafe) +> :warning: Caution +> > You should seriously consider the necessity of activating this option, as it grants to the `netdata` user access to > the privileged socket connection of docker service, and therefore your whole machine. @@ -495,9 +535,6 @@ services: - SYS_PTRACE security_opt: - apparmor:unconfined - ulimits: - nofile: - soft: 4096 volumes: - netdatalib:/var/lib/netdata - netdatacache:/var/cache/netdata @@ -520,4 +557,4 @@ Caddyfile. ## Publish a test image to your own repository At Netdata, we provide multiple ways of testing your Docker images using your own repositories. -You may either use the command line tools available or take advantage of our GitHub Acions infrastructure. +You may either use the command line tools available or take advantage of our GitHub Actions infrastructure. diff --git a/packaging/docker/run.sh b/packaging/docker/run.sh index 9029e22b..ed77c394 100755 --- a/packaging/docker/run.sh +++ b/packaging/docker/run.sh @@ -21,6 +21,8 @@ if [ ! "${DISABLE_TELEMETRY:-0}" -eq 0 ] || touch /etc/netdata/.opt-out-from-anonymous-statistics fi +chmod o+rX / # Needed to fix permissions issues in some cases. + BALENA_PGID=$(stat -c %g /var/run/balena.sock 2>/dev/null || true) DOCKER_PGID=$(stat -c %g /var/run/docker.sock 2>/dev/null || true) @@ -67,4 +69,17 @@ if [ -n "${NETDATA_CLAIM_URL}" ] && [ -n "${NETDATA_CLAIM_TOKEN}" ] && [ ! -f /v -daemon-not-running fi +if [ -n "${NETDATA_EXTRA_APK_PACKAGES}" ]; then + echo "Fetching APK repository metadata." + if ! apk update; then + echo "Failed to fetch APK repository metadata." + else + echo "Installing supplementary packages." + # shellcheck disable=SC2086 + if ! apk add --no-cache ${NETDATA_EXTRA_APK_PACKAGES}; then + echo "Failed to install supplementary packages." + fi + fi +fi + exec /usr/sbin/netdata -u "${DOCKER_USR}" -D -s /host -p "${NETDATA_LISTENER_PORT}" "$@" |