Diffstat (limited to 'packaging/docker')
-rw-r--r-- | packaging/docker/Dockerfile | 44 | ||||
-rw-r--r-- | packaging/docker/README.md | 74 | ||||
-rwxr-xr-x | packaging/docker/run.sh | 46 |
3 files changed, 123 insertions, 41 deletions
diff --git a/packaging/docker/Dockerfile b/packaging/docker/Dockerfile
index ddc4a4f5c..8e7c9a7b1 100644
--- a/packaging/docker/Dockerfile
+++ b/packaging/docker/Dockerfile
@@ -3,7 +3,7 @@
 # This image contains preinstalled dependencies
 # hadolint ignore=DL3007
-FROM netdata/builder:v1 as builder
+FROM netdata/builder:v2 as builder
 # One of 'nightly' or 'stable'
 ARG RELEASE_CHANNEL=nightly
@@ -29,7 +29,7 @@ RUN chmod +x netdata-installer.sh && \
 cp -rp /deps/* /usr/local/ && \
 /bin/echo -e "INSTALL_TYPE='oci'\nPREBUILT_ARCH='$(uname -m)'" > ./system/.install-type && \
 CFLAGS="$(packaging/docker/gen-cflags.sh)" LDFLAGS="-Wl,--gc-sections" ./netdata-installer.sh --dont-wait --dont-start-it --use-system-protobuf \
- ${EXTRA_INSTALL_OPTS} --one-time-build --enable-lto "$([ "$RELEASE_CHANNEL" = stable ] && echo --stable-channel)"
+ ${EXTRA_INSTALL_OPTS} --disable-ebpf --one-time-build --enable-lto "$([ "$RELEASE_CHANNEL" = stable ] && echo --stable-channel)"
 # files to one directory
 RUN mkdir -p /app/usr/sbin/ \
@@ -49,6 +49,7 @@ RUN mkdir -p /app/usr/sbin/ \
 mv /usr/sbin/netdata /app/usr/sbin/ && \
 mv /usr/sbin/netdata-claim.sh /app/usr/sbin/ && \
 mv /usr/sbin/netdatacli /app/usr/sbin/ && \
+ mv /usr/sbin/systemd-cat-native /app/usr/sbin/ && \
 mv packaging/docker/run.sh /app/usr/sbin/ && \
 mv packaging/docker/health.sh /app/usr/sbin/ && \
 mkdir -p /deps/etc && \
@@ -59,7 +60,7 @@ RUN mkdir -p /app/usr/sbin/ \
 #####################################################################
 # This image contains preinstalled dependencies
 # hadolint ignore=DL3007
-FROM netdata/base:v1 as base
+FROM netdata/base:v2 as base
 LABEL org.opencontainers.image.authors="Netdatabot <bot@netdata.cloud>"
 LABEL org.opencontainers.image.url="https://netdata.cloud"
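Review bot: The `--disable-ebpf` added to the installer invocation in the `@@ -29,7` hunk carries no comment saying why the eBPF collector is left out of the container build, while the other options on that line are self-describing and the `v1` to `v2` base-image bumps in the same file hint at a platform change a later reader will want spelled out. Add a one-line rationale above the installer `RUN`, e.g. `# eBPF is not built for the OCI image: <reason or tracking issue>` (placeholder to be filled in by the author). The `RUN chmod +x netdata-installer.sh && \` instruction begins before the hunk, as does the `RUN mkdir -p /app/usr/sbin/` instruction of the `@@ -49,6` hunk.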
@@ -83,23 +84,26 @@ ENV DOCKER_USR netdata
 ENV NETDATA_LISTENER_PORT 19999
 EXPOSE $NETDATA_LISTENER_PORT
-ENV NETDATA_EXTRA_APK_PACKAGES=""
+ENV NETDATA_EXTRA_DEB_PACKAGES=""
 RUN mkdir -p /opt/src /var/log/netdata && \
 ln -sf /dev/stdout /var/log/netdata/access.log && \
+ ln -sf /dev/stdout /var/log/netdata/aclk.log && \
 ln -sf /dev/stdout /var/log/netdata/debug.log && \
 ln -sf /dev/stderr /var/log/netdata/error.log && \
+ ln -sf /dev/stderr /var/log/netdata/daemon.log && \
 ln -sf /dev/stdout /var/log/netdata/collector.log && \
- ln -sf /dev/stdout /var/log/netdata/health.log && \
- addgroup -g ${NETDATA_GID} -S "${DOCKER_GRP}" && \
- adduser -S -H -s /usr/sbin/nologin -u ${NETDATA_GID} -h /etc/netdata -G "${DOCKER_GRP}" "${DOCKER_USR}"
+ ln -sf /dev/stdout /var/log/netdata/fluentbit.log && \
+ ln -sf /dev/stdout /var/log/netdata/health.log
 COPY --from=builder /app /
-# Apply the permissions as described in
+# Create netdata user and apply the permissions as described in
 # https://docs.netdata.cloud/docs/netdata-security/#netdata-directories, but own everything by root group due to https://github.com/netdata/netdata/pull/6543
 # hadolint ignore=DL3013
-RUN chown -R root:root \
+RUN addgroup --gid ${NETDATA_GID} --system "${DOCKER_GRP}" && \
+ adduser --system --no-create-home --shell /usr/sbin/nologin --uid ${NETDATA_UID} --home /etc/netdata --group "${DOCKER_USR}" && \
+ chown -R root:root \
 /etc/netdata \
 /usr/share/netdata \
 /usr/libexec/netdata && \
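Review bot: The new `adduser --system ... --group "${DOCKER_USR}"` line does not place the user in the group created on the line above it: in Debian's adduser, `--group` combined with `--system` means "create a group named after the user", whereas membership in an existing named group is `--ingroup`. The removed Alpine line expressed exactly that with `-G "${DOCKER_GRP}"`, so the faithful port is `adduser --system --no-create-home --shell /usr/sbin/nologin --uid ${NETDATA_UID} --home /etc/netdata --ingroup "${DOCKER_GRP}" "${DOCKER_USR}"`; as written it only behaves as intended while `DOCKER_GRP` happens to equal `DOCKER_USR`. The same line reads `${NETDATA_UID}` where the removed code used `${NETDATA_GID}`, and no `ARG`/`ENV` for `NETDATA_UID` is visible in this hunk, so confirm it is declared earlier in the file; otherwise `--uid` receives an empty argument. The `RUN` instruction continues past the end of the hunk.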
@@ -111,17 +115,17 @@ RUN chown -R root:root \
 chown -R netdata:netdata /var/lib/netdata/cloud.d && \
 chmod 0700 /var/lib/netdata/cloud.d && \
 chmod 0755 /usr/libexec/netdata/plugins.d/*.plugin && \
- chmod 4755 \
- /usr/libexec/netdata/plugins.d/cgroup-network \
- /usr/libexec/netdata/plugins.d/local-listeners \
- /usr/libexec/netdata/plugins.d/apps.plugin \
- /usr/libexec/netdata/plugins.d/debugfs.plugin && \
- if [ -f /usr/libexec/netdata/plugins.d/freeipmi.plugin ]; then \
- chmod 4755 /usr/libexec/netdata/plugins.d/freeipmi.plugin; \
- fi && \
- if [ -f /usr/libexec/netdata/plugins.d/go.d.plugin ]; then \
- chmod 4755 /usr/libexec/netdata/plugins.d/go.d.plugin; \
- fi && \
+ for name in cgroup-network \
+ local-listeners \
+ apps.plugin \
+ debugfs.plugin \
+ freeipmi.plugin \
+ go.d.plugin \
+ perf.plugin \
+ slabinfo.plugin \
+ systemd-journal.plugin; do \
+ [ -f "/usr/libexec/netdata/plugins.d/$name" ] && chmod 4755 "/usr/libexec/netdata/plugins.d/$name"; \
+ done && \
 # Group write permissions due to: https://github.com/netdata/netdata/pull/6543
 find /var/lib/netdata /var/cache/netdata -type d -exec chmod 0770 {} \; && \
 find /var/lib/netdata /var/cache/netdata -type f -exec chmod 0660 {} \; && \
diff --git a/packaging/docker/README.md b/packaging/docker/README.md
index b4ce58254..528ef5926 100644
--- a/packaging/docker/README.md
+++ b/packaging/docker/README.md
@@ -21,7 +21,7 @@ The Netdata container requires different privileges and mounts to provide functi
 Netdata installed on the host. Below you can find a list of Netdata components that need these privileges and mounts,
 along with their descriptions.
-<details>
+<details open>
 <summary>Privileges</summary>
 | Component | Privileges | Description |
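Review bot: The loop body `[ -f "/usr/libexec/netdata/plugins.d/$name" ] && chmod 4755 "/usr/libexec/netdata/plugins.d/$name"` makes the `for` loop's exit status that of its last iteration, so in a build where `systemd-journal.plugin` (the last entry) is not produced, the `[ -f ]` test fails, `done && \` short-circuits and the whole `RUN` fails; the removed `if ... fi` form did not have this problem and the loop was clearly meant to tolerate missing optional plugins. Write the body as `if [ -f "/usr/libexec/netdata/plugins.d/$name" ]; then chmod 4755 "/usr/libexec/netdata/plugins.d/$name"; fi; \` so an absent plugin is skipped regardless of its position in the list. The list also extends setuid-root to `perf.plugin`, `slabinfo.plugin` and `systemd-journal.plugin`; a comment above the loop such as `# setuid root: <why each listed plugin needs it>` would document the widened privilege surface for whoever reviews the image next. The `RUN chown -R root:root` instruction begins before and ends after this hunk.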
@@ -33,16 +33,18 @@ along with their descriptions.
 </details>
-<details>
+<details open>
 <summary>Mounts</summary>
-| Component | Mounts | Description |
-|:--------------:|:--------------------------:|-------------------------------------------------------------------------------------------------------------------------------------|
-| netdata | /etc/os-release | Host info detection. |
-| cgroups.plugin | /sys, /var/run/docker.sock | Docker containers monitoring and name resolution. |
-| go.d.plugin | /var/run/docker.sock | Docker Engine and containers monitoring. See [docker](https://github.com/netdata/go.d.plugin/tree/master/modules/docker) collector. |
-| apps.plugin | /etc/passwd, /etc/group | Monitoring of host system resource usage by each user and user group. |
-| proc.plugin | /proc | Host system monitoring (CPU, memory, network interfaces, disks, etc.). |
+| Component | Mounts | Description |
+|:----------------------:|:--------------------------:|--------------------------------------------------------------------------------------------------------------------------------------------|
+| netdata | /etc/os-release | Host info detection. |
+| cgroups.plugin | /sys, /var/run/docker.sock | Docker containers monitoring and name resolution. |
+| go.d.plugin | /var/run/docker.sock | Docker Engine and containers monitoring. See [docker](https://github.com/netdata/go.d.plugin/tree/master/modules/docker#readme) collector. |
+| go.d.plugin | /var/log | Web servers logs tailing. See [weblog](https://github.com/netdata/go.d.plugin/tree/master/modules/weblog#readme) collector. |
+| apps.plugin | /etc/passwd, /etc/group | Monitoring of host system resource usage by each user and user group. |
+| proc.plugin | /proc | Host system monitoring (CPU, memory, network interfaces, disks, etc.). |
+| systemd-journal.plugin | /var/log | Viewing, exploring and analyzing systemd journal logs. |
 </details>
@@ -69,9 +71,11 @@ docker run -d --name=netdata \
 -v netdatacache:/var/cache/netdata \
 -v /etc/passwd:/host/etc/passwd:ro \
 -v /etc/group:/host/etc/group:ro \
+ -v /etc/localtime:/etc/localtime:ro \
 -v /proc:/host/proc:ro \
 -v /sys:/host/sys:ro \
 -v /etc/os-release:/host/etc/os-release:ro \
+ -v /var/log:/host/var/log:ro \
 -v /var/run/docker.sock:/var/run/docker.sock:ro \
 --restart unless-stopped \
 --cap-add SYS_PTRACE \
@@ -108,9 +112,11 @@ services:
 - netdatacache:/var/cache/netdata
 - /etc/passwd:/host/etc/passwd:ro
 - /etc/group:/host/etc/group:ro
+ - /etc/localtime:/etc/localtime:ro
 - /proc:/host/proc:ro
 - /sys:/host/sys:ro
 - /etc/os-release:/host/etc/os-release:ro
+ - /var/log:/host/var/log:ro
 - /var/run/docker.sock:/var/run/docker.sock:ro
 volumes:
@@ -127,6 +133,34 @@ volumes:
 > If you plan to Claim the node to Netdata Cloud, you can find the command with the right parameters by clicking the "
 > Add Nodes" button in your Space's "Nodes" view.
+### With systemd units monitoring
+
+Monitoring systemd units requires mounting `/run/dbus`. This mount is not available on non-systemd systems, so we cannot
+use it in the Recommended Way.
+
+Mounting `/run/dbus` provides:
+
+- [go.d/systemdunits](https://github.com/netdata/go.d.plugin/tree/master/modules/systemdunits#readme).
+- Systemd-list-units function: information about all systemd units, including their active state, description, whether
+ they are enabled, and more.
+
+<Tabs>
+<TabItem value="docker_run" label="docker run">
+
+<h3> Using the <code>docker run</code> command </h3>
+
+Add `-v /run/dbus:/run/dbus:ro` to your `docker run`.
+
+</TabItem>
+<TabItem value="docker compose" label="docker-compose">
+
+<h3> Using the <code>docker-compose</code> command</h3>
+
+Add `- /run/dbus:/run/dbus:ro` to the netdata service `volumes`.
+
+</TabItem>
+</Tabs>
+
 ### With host-editable configuration
 Use a [bind mount](https://docs.docker.com/storage/bind-mounts/) for `/etc/netdata` rather than a volume.
@@ -153,9 +187,11 @@ docker run -d --name=netdata \
 -v netdatacache:/var/cache/netdata \
 -v /etc/passwd:/host/etc/passwd:ro \
 -v /etc/group:/host/etc/group:ro \
+ -v /etc/localtime:/etc/localtime:ro \
 -v /proc:/host/proc:ro \
 -v /sys:/host/sys:ro \
 -v /etc/os-release:/host/etc/os-release:ro \
+ -v /var/log:/host/var/log:ro \
 -v /var/run/docker.sock:/var/run/docker.sock:ro \
 --restart unless-stopped \
 --cap-add SYS_PTRACE \
@@ -192,9 +228,11 @@ services:
 - netdatacache:/var/cache/netdata
 - /etc/passwd:/host/etc/passwd:ro
 - /etc/group:/host/etc/group:ro
+ - /etc/localtime:/etc/localtime:ro
 - /proc:/host/proc:ro
 - /sys:/host/sys:ro
 - /etc/os-release:/host/etc/os-release:ro
+ - /var/log:/host/var/log:ro
 - /var/run/docker.sock:/var/run/docker.sock:ro
 volumes:
@@ -261,9 +299,11 @@ services:
 - netdatacache:/var/cache/netdata
 - /etc/passwd:/host/etc/passwd:ro
 - /etc/group:/host/etc/group:ro
+ - /etc/localtime:/etc/localtime:ro
 - /proc:/host/proc:ro
 - /sys:/host/sys:ro
 - /etc/os-release:/host/etc/os-release:ro
+ - /var/log:/host/var/log:ro
 - /var/run/docker.sock:/var/run/docker.sock:ro
 volumes:
 caddy_data:
@@ -310,9 +350,11 @@ services:
 - netdatacache:/var/cache/netdata
 - /etc/passwd:/host/etc/passwd:ro
 - /etc/group:/host/etc/group:ro
+ - /etc/localtime:/etc/localtime:ro
 - /proc:/host/proc:ro
 - /sys:/host/sys:ro
 - /etc/os-release:/host/etc/os-release:ro
+ - /var/log:/host/var/log:ro
 environment:
 - DOCKER_HOST=localhost:2375
 proxy:
@@ -333,6 +375,8 @@ volumes:
 #### CetusGuard
+> Note: This deployment method is supported by the community
+
 ```yaml
 version: '3'
 services:
@@ -353,9 +397,11 @@ services:
 - netdatacache:/var/cache/netdata
 - /etc/passwd:/host/etc/passwd:ro
 - /etc/group:/host/etc/group:ro
+ - /etc/localtime:/etc/localtime:ro
 - /proc:/host/proc:ro
 - /sys:/host/sys:ro
 - /etc/os-release:/host/etc/os-release:ro
+ - /var/log:/host/var/log:ro
 environment:
 - DOCKER_HOST=localhost:2375
 cetusguard:
@@ -444,22 +490,20 @@ above section on [configuring Agent containers](#configure-agent-containers) to
 how you created the container.
 Alternatively, you can directly use the hostname from the node running the container by mounting `/etc/hostname` from
-the host in the container. With `docker run`, this can be done by adding `--volume /etc/hostname:/etc/hostname:ro` to
+the host in the container. With `docker run`, this can be done by adding `--volume /etc/hostname:/host/etc/hostname:ro` to
 the options. If you are using Docker Compose, you can add an entry to the container's `volumes` section
-reading `- /etc/hostname:/etc/hostname:ro`.
+reading `- /etc/hostname:/host/etc/hostname:ro`.
 ## Adding extra packages at runtime
 By default, the official Netdata container images do not include a number of optional runtime dependencies. You
-can add these dependencies, or any other APK packages, at runtime by listing them in the environment variable
-`NETDATA_EXTRA_APK_PACKAGES`.
+can add these dependencies, or any other APT packages, at runtime by listing them in the environment variable
+`NETDATA_EXTRA_DEB_PACKAGES`.
 Commonly useful packages include:
 - `apcupsd`: For monitoring APC UPS devices.
-- `libvirt-daemon`: For resolving cgroup names for libvirt domains.
 - `lm-sensors`: For monitoring hardware sensors.
-- `msmtp`: For email alert support.
 - `netcat-openbsd`: For IRC alert support.
 ## Health Checks
diff --git a/packaging/docker/run.sh b/packaging/docker/run.sh
index 1b6ce7c66..415573320 100755
--- a/packaging/docker/run.sh
+++ b/packaging/docker/run.sh
@@ -41,11 +41,38 @@ export DOCKER_HOST
 if [ -n "${PGID}" ]; then
 echo "Creating docker group ${PGID}"
- addgroup -g "${PGID}" "docker" || echo >&2 "Could not add group docker with ID ${PGID}, its already there probably"
+ addgroup --gid "${PGID}" "docker" || echo >&2 "Could not add group docker with ID ${PGID}, its already there probably"
 echo "Assign netdata user to docker group ${PGID}"
- usermod -a -G "${PGID}" "${DOCKER_USR}" || echo >&2 "Could not add netdata user to group docker with ID ${PGID}"
+ usermod --append --groups "docker" "${DOCKER_USR}" || echo >&2 "Could not add netdata user to group docker with ID ${PGID}"
 fi
+# Needed to read Proxmox VMs and (LXC) containers configuration files (name resolution + CPU and memory limits)
+function add_netdata_to_proxmox_conf_files_group() {
+ group_guid="$(stat -c %g /host/etc/pve 2>/dev/null || true)"
+ [ -z "${group_guid}" ] && return
+
+ if ! getent group "${group_guid}" >/dev/null; then
+ echo "Creating proxmox-etc-pve group with GID ${group_guid}"
+ if ! addgroup -g "${group_guid}" "proxmox-etc-pve"; then
+ echo >&2 "Failed to add group proxmox-etc-pve with GID ${group_guid}."
+ return
+ fi
+ fi
+
+ if ! getent group "${group_guid}" | grep -q netdata; then
+ echo "Assign netdata user to group ${group_guid}"
+ if ! usermod -a -G "${group_guid}" "${DOCKER_USR}"; then
+ echo >&2 "Failed to add netdata user to group with GID ${group_guid}."
+ return
+ fi
+ fi
+}
+
+if [ -d "/host/etc/pve" ]; then
+ add_netdata_to_proxmox_conf_files_group || true
+fi
+
+
 if mountpoint -q /etc/netdata; then
 echo "Copying stock configuration to /etc/netdata"
 cp -an /etc/netdata.stock/* /etc/netdata
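Review bot: `addgroup -g "${group_guid}" "proxmox-etc-pve"` in the new function keeps the Alpine short option even though the `addgroup` call a few lines above is changed to `--gid` for the Debian base in this very hunk; Debian's adduser-provided addgroup documents long options only, so this call is likely to fail on the new image and the function returns before the group exists. Change it to `if ! addgroup --gid "${group_guid}" "proxmox-etc-pve"; then` and, for consistency with the line above, `if ! usermod --append --groups "${group_guid}" "${DOCKER_USR}"; then`. The membership check `grep -q netdata` hard-codes the user name and matches any field of the group entry; `getent group "${group_guid}" | grep -qw "${DOCKER_USR}"` is tighter. Since the GID is read from a host-owned directory, a `[ "${group_guid}" = 0 ] && return` guard after the empty check would keep the netdata user out of the root group should `/host/etc/pve` be owned by it; `group_guid` also holds a GID, not a GUID, and `group_gid` would say so.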
@@ -71,13 +98,20 @@ if [ -n "${NETDATA_CLAIM_URL}" ] && [ -n "${NETDATA_CLAIM_TOKEN}" ] && [ ! -f /v
 fi
 if [ -n "${NETDATA_EXTRA_APK_PACKAGES}" ]; then
- echo "Fetching APK repository metadata."
- if ! apk update; then
- echo "Failed to fetch APK repository metadata."
+ echo >&2 "WARNING: Netdata’s Docker images have switched from Alpine to Debian as a base platform. Supplementary package support is now handled through the NETDATA_EXTRA_DEB_PACKAGES variable instead of NETDATA_EXTRA_APK_PACKAGES."
+ echo >&2 "WARNING: The container will still run, but supplementary packages listed in NETDATA_EXTRA_APK_PACKAGES will not be installed."
+ echo >&2 "WARNING: To remove these messages, either undefine NETDATA_EXTRA_APK_PACKAGES, or define it to an empty string."
+fi
+
+if [ -n "${NETDATA_EXTRA_DEB_PACKAGES}" ]; then
+ echo "Fetching APT repository metadata."
+ if ! apt-get update; then
+ echo "Failed to fetch APT repository metadata."
 else
 echo "Installing supplementary packages."
+ export DEBIAN_FRONTEND="noninteractive"
 # shellcheck disable=SC2086
- if ! apk add --no-cache ${NETDATA_EXTRA_APK_PACKAGES}; then
+ if ! apt-get install -y --no-install-recommends ${NETDATA_EXTRA_DEB_PACKAGES}; then
 echo "Failed to install supplementary packages."
 fi
 fi
|
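Review bot: `export DEBIAN_FRONTEND="noninteractive"` puts the variable into the environment of everything run.sh starts after this point, not only the `apt-get install` on the next line; if the script later execs the agent, netdata and its plugins inherit it. Scoping it to the single command, `if ! DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends ${NETDATA_EXTRA_DEB_PACKAGES}; then`, has the same effect without the leak. The lists fetched by `apt-get update` are also left in place; `rm -rf /var/lib/apt/lists/*` after the install would reclaim that space, though in a running container this is only disk usage, not image size.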