Diffstat (limited to 'packaging/docker')
-rw-r--r--packaging/docker/Dockerfile44
-rw-r--r--packaging/docker/README.md74
-rwxr-xr-xpackaging/docker/run.sh46
3 files changed, 123 insertions, 41 deletions
diff --git a/packaging/docker/Dockerfile b/packaging/docker/Dockerfile
index ddc4a4f5c..8e7c9a7b1 100644
--- a/packaging/docker/Dockerfile
+++ b/packaging/docker/Dockerfile
@@ -3,7 +3,7 @@
# This image contains preinstalled dependencies
# hadolint ignore=DL3007
-FROM netdata/builder:v1 as builder
+FROM netdata/builder:v2 as builder
# One of 'nightly' or 'stable'
ARG RELEASE_CHANNEL=nightly
@@ -29,7 +29,7 @@ RUN chmod +x netdata-installer.sh && \
cp -rp /deps/* /usr/local/ && \
/bin/echo -e "INSTALL_TYPE='oci'\nPREBUILT_ARCH='$(uname -m)'" > ./system/.install-type && \
CFLAGS="$(packaging/docker/gen-cflags.sh)" LDFLAGS="-Wl,--gc-sections" ./netdata-installer.sh --dont-wait --dont-start-it --use-system-protobuf \
- ${EXTRA_INSTALL_OPTS} --one-time-build --enable-lto "$([ "$RELEASE_CHANNEL" = stable ] && echo --stable-channel)"
+ ${EXTRA_INSTALL_OPTS} --disable-ebpf --one-time-build --enable-lto "$([ "$RELEASE_CHANNEL" = stable ] && echo --stable-channel)"
# files to one directory
RUN mkdir -p /app/usr/sbin/ \
@@ -49,6 +49,7 @@ RUN mkdir -p /app/usr/sbin/ \
mv /usr/sbin/netdata /app/usr/sbin/ && \
mv /usr/sbin/netdata-claim.sh /app/usr/sbin/ && \
mv /usr/sbin/netdatacli /app/usr/sbin/ && \
+ mv /usr/sbin/systemd-cat-native /app/usr/sbin/ && \
mv packaging/docker/run.sh /app/usr/sbin/ && \
mv packaging/docker/health.sh /app/usr/sbin/ && \
mkdir -p /deps/etc && \
@@ -59,7 +60,7 @@ RUN mkdir -p /app/usr/sbin/ \
#####################################################################
# This image contains preinstalled dependencies
# hadolint ignore=DL3007
-FROM netdata/base:v1 as base
+FROM netdata/base:v2 as base
LABEL org.opencontainers.image.authors="Netdatabot <bot@netdata.cloud>"
LABEL org.opencontainers.image.url="https://netdata.cloud"
@@ -83,23 +84,26 @@ ENV DOCKER_USR netdata
ENV NETDATA_LISTENER_PORT 19999
EXPOSE $NETDATA_LISTENER_PORT
-ENV NETDATA_EXTRA_APK_PACKAGES=""
+ENV NETDATA_EXTRA_DEB_PACKAGES=""
RUN mkdir -p /opt/src /var/log/netdata && \
ln -sf /dev/stdout /var/log/netdata/access.log && \
+ ln -sf /dev/stdout /var/log/netdata/aclk.log && \
ln -sf /dev/stdout /var/log/netdata/debug.log && \
ln -sf /dev/stderr /var/log/netdata/error.log && \
+ ln -sf /dev/stderr /var/log/netdata/daemon.log && \
ln -sf /dev/stdout /var/log/netdata/collector.log && \
- ln -sf /dev/stdout /var/log/netdata/health.log && \
- addgroup -g ${NETDATA_GID} -S "${DOCKER_GRP}" && \
- adduser -S -H -s /usr/sbin/nologin -u ${NETDATA_GID} -h /etc/netdata -G "${DOCKER_GRP}" "${DOCKER_USR}"
+ ln -sf /dev/stdout /var/log/netdata/fluentbit.log && \
+ ln -sf /dev/stdout /var/log/netdata/health.log
COPY --from=builder /app /
-# Apply the permissions as described in
+# Create netdata user and apply the permissions as described in
# https://docs.netdata.cloud/docs/netdata-security/#netdata-directories, but own everything by root group due to https://github.com/netdata/netdata/pull/6543
# hadolint ignore=DL3013
-RUN chown -R root:root \
+RUN addgroup --gid ${NETDATA_GID} --system "${DOCKER_GRP}" && \
+ adduser --system --no-create-home --shell /usr/sbin/nologin --uid ${NETDATA_UID} --home /etc/netdata --group "${DOCKER_USR}" && \
+ chown -R root:root \
/etc/netdata \
/usr/share/netdata \
/usr/libexec/netdata && \
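Review bot: `adduser --system --group` asks Debian's adduser to create a group named after the user, but the preceding `addgroup --gid ${NETDATA_GID} --system "${DOCKER_GRP}"` has already created that group; with DOCKER_GRP and DOCKER_USR both apparently `netdata` (the context line `ENV DOCKER_USR netdata`), this only works because adduser tolerates the pre-existing group, and it may refuse if NETDATA_UID and NETDATA_GID ever diverge. The intent — put the user into the group just created — is stated unambiguously with `--ingroup "${DOCKER_GRP}"` in place of `--group`. Note also that the UID now comes from `${NETDATA_UID}` where the removed Alpine line used `${NETDATA_GID}`; NETDATA_UID is not declared anywhere in this hunk, so confirm it is set as an ARG/ENV earlier in the file, otherwise `--uid` receives an empty value and the build fails.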
@@ -111,17 +115,17 @@ RUN chown -R root:root \
chown -R netdata:netdata /var/lib/netdata/cloud.d && \
chmod 0700 /var/lib/netdata/cloud.d && \
chmod 0755 /usr/libexec/netdata/plugins.d/*.plugin && \
- chmod 4755 \
- /usr/libexec/netdata/plugins.d/cgroup-network \
- /usr/libexec/netdata/plugins.d/local-listeners \
- /usr/libexec/netdata/plugins.d/apps.plugin \
- /usr/libexec/netdata/plugins.d/debugfs.plugin && \
- if [ -f /usr/libexec/netdata/plugins.d/freeipmi.plugin ]; then \
- chmod 4755 /usr/libexec/netdata/plugins.d/freeipmi.plugin; \
- fi && \
- if [ -f /usr/libexec/netdata/plugins.d/go.d.plugin ]; then \
- chmod 4755 /usr/libexec/netdata/plugins.d/go.d.plugin; \
- fi && \
+ for name in cgroup-network \
+ local-listeners \
+ apps.plugin \
+ debugfs.plugin \
+ freeipmi.plugin \
+ go.d.plugin \
+ perf.plugin \
+ slabinfo.plugin \
+ systemd-journal.plugin; do \
+ [ -f "/usr/libexec/netdata/plugins.d/$name" ] && chmod 4755 "/usr/libexec/netdata/plugins.d/$name"; \
+ done && \
# Group write permissions due to: https://github.com/netdata/netdata/pull/6543
find /var/lib/netdata /var/cache/netdata -type d -exec chmod 0770 {} \; && \
find /var/lib/netdata /var/cache/netdata -type f -exec chmod 0660 {} \; && \
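Review bot: The `[ -f … ] && chmod 4755 …` guard makes the `for` loop exit with the status of its last iteration, so if the last entry (systemd-journal.plugin) is not present in the image, `done && \` short-circuits, the two `find` calls are skipped and the RUN step fails — the `if … fi` form this replaces did not have that problem. Write the guard as `if [ -f "/usr/libexec/netdata/plugins.d/$name" ]; then chmod 4755 "/usr/libexec/netdata/plugins.d/$name"; fi` so an absent optional plugin never changes the chain's status. Since the list now grants setuid-root to three more binaries (perf.plugin, slabinfo.plugin, systemd-journal.plugin), a comment above the loop would help the next reviewer, e.g. `# setuid root: these plugins read host/kernel state the unprivileged netdata user cannot; keep this list minimal`. Mode 4755 also leaves each setuid binary executable by every account in the container; if the netdata user can be given a dedicated group, `4750` with that group would narrow who can invoke them — worth confirming against how run.sh starts the daemon.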
diff --git a/packaging/docker/README.md b/packaging/docker/README.md
index b4ce58254..528ef5926 100644
--- a/packaging/docker/README.md
+++ b/packaging/docker/README.md
@@ -21,7 +21,7 @@ The Netdata container requires different privileges and mounts to provide functi
Netdata installed on the host. Below you can find a list of Netdata components that need these privileges and mounts,
along with their descriptions.
-<details>
+<details open>
<summary>Privileges</summary>
| Component | Privileges | Description |
@@ -33,16 +33,18 @@ along with their descriptions.
</details>
-<details>
+<details open>
<summary>Mounts</summary>
-| Component | Mounts | Description |
-|:--------------:|:--------------------------:|-------------------------------------------------------------------------------------------------------------------------------------|
-| netdata | /etc/os-release | Host info detection. |
-| cgroups.plugin | /sys, /var/run/docker.sock | Docker containers monitoring and name resolution. |
-| go.d.plugin | /var/run/docker.sock | Docker Engine and containers monitoring. See [docker](https://github.com/netdata/go.d.plugin/tree/master/modules/docker) collector. |
-| apps.plugin | /etc/passwd, /etc/group | Monitoring of host system resource usage by each user and user group. |
-| proc.plugin | /proc | Host system monitoring (CPU, memory, network interfaces, disks, etc.). |
+| Component | Mounts | Description |
+|:----------------------:|:--------------------------:|--------------------------------------------------------------------------------------------------------------------------------------------|
+| netdata | /etc/os-release | Host info detection. |
+| cgroups.plugin | /sys, /var/run/docker.sock | Docker containers monitoring and name resolution. |
+| go.d.plugin | /var/run/docker.sock | Docker Engine and containers monitoring. See [docker](https://github.com/netdata/go.d.plugin/tree/master/modules/docker#readme) collector. |
+| go.d.plugin | /var/log | Web servers logs tailing. See [weblog](https://github.com/netdata/go.d.plugin/tree/master/modules/weblog#readme) collector. |
+| apps.plugin | /etc/passwd, /etc/group | Monitoring of host system resource usage by each user and user group. |
+| proc.plugin | /proc | Host system monitoring (CPU, memory, network interfaces, disks, etc.). |
+| systemd-journal.plugin | /var/log | Viewing, exploring and analyzing systemd journal logs. |
</details>
@@ -69,9 +71,11 @@ docker run -d --name=netdata \
-v netdatacache:/var/cache/netdata \
-v /etc/passwd:/host/etc/passwd:ro \
-v /etc/group:/host/etc/group:ro \
+ -v /etc/localtime:/etc/localtime:ro \
-v /proc:/host/proc:ro \
-v /sys:/host/sys:ro \
-v /etc/os-release:/host/etc/os-release:ro \
+ -v /var/log:/host/var/log:ro \
-v /var/run/docker.sock:/var/run/docker.sock:ro \
--restart unless-stopped \
--cap-add SYS_PTRACE \
@@ -108,9 +112,11 @@ services:
- netdatacache:/var/cache/netdata
- /etc/passwd:/host/etc/passwd:ro
- /etc/group:/host/etc/group:ro
+ - /etc/localtime:/etc/localtime:ro
- /proc:/host/proc:ro
- /sys:/host/sys:ro
- /etc/os-release:/host/etc/os-release:ro
+ - /var/log:/host/var/log:ro
- /var/run/docker.sock:/var/run/docker.sock:ro
volumes:
@@ -127,6 +133,34 @@ volumes:
> If you plan to Claim the node to Netdata Cloud, you can find the command with the right parameters by clicking the "
> Add Nodes" button in your Space's "Nodes" view.
+### With systemd units monitoring
+
+Monitoring systemd units requires mounting `/run/dbus`. This mount is not available on non-systemd systems, so we cannot
+use it in the Recommended Way.
+
+Mounting `/run/dbus` provides:
+
+- [go.d/systemdunits](https://github.com/netdata/go.d.plugin/tree/master/modules/systemdunits#readme).
+- Systemd-list-units function: information about all systemd units, including their active state, description, whether
+ they are enabled, and more.
+
+<Tabs>
+<TabItem value="docker_run" label="docker run">
+
+<h3> Using the <code>docker run</code> command </h3>
+
+Add `-v /run/dbus:/run/dbus:ro` to your `docker run`.
+
+</TabItem>
+<TabItem value="docker compose" label="docker-compose">
+
+<h3> Using the <code>docker-compose</code> command</h3>
+
+Add `- /run/dbus:/run/dbus:ro` to the netdata service `volumes`.
+
+</TabItem>
+</Tabs>
+
### With host-editable configuration
Use a [bind mount](https://docs.docker.com/storage/bind-mounts/) for `/etc/netdata` rather than a volume.
@@ -153,9 +187,11 @@ docker run -d --name=netdata \
-v netdatacache:/var/cache/netdata \
-v /etc/passwd:/host/etc/passwd:ro \
-v /etc/group:/host/etc/group:ro \
+ -v /etc/localtime:/etc/localtime:ro \
-v /proc:/host/proc:ro \
-v /sys:/host/sys:ro \
-v /etc/os-release:/host/etc/os-release:ro \
+ -v /var/log:/host/var/log:ro \
-v /var/run/docker.sock:/var/run/docker.sock:ro \
--restart unless-stopped \
--cap-add SYS_PTRACE \
@@ -192,9 +228,11 @@ services:
- netdatacache:/var/cache/netdata
- /etc/passwd:/host/etc/passwd:ro
- /etc/group:/host/etc/group:ro
+ - /etc/localtime:/etc/localtime:ro
- /proc:/host/proc:ro
- /sys:/host/sys:ro
- /etc/os-release:/host/etc/os-release:ro
+ - /var/log:/host/var/log:ro
- /var/run/docker.sock:/var/run/docker.sock:ro
volumes:
@@ -261,9 +299,11 @@ services:
- netdatacache:/var/cache/netdata
- /etc/passwd:/host/etc/passwd:ro
- /etc/group:/host/etc/group:ro
+ - /etc/localtime:/etc/localtime:ro
- /proc:/host/proc:ro
- /sys:/host/sys:ro
- /etc/os-release:/host/etc/os-release:ro
+ - /var/log:/host/var/log:ro
- /var/run/docker.sock:/var/run/docker.sock:ro
volumes:
caddy_data:
@@ -310,9 +350,11 @@ services:
- netdatacache:/var/cache/netdata
- /etc/passwd:/host/etc/passwd:ro
- /etc/group:/host/etc/group:ro
+ - /etc/localtime:/etc/localtime:ro
- /proc:/host/proc:ro
- /sys:/host/sys:ro
- /etc/os-release:/host/etc/os-release:ro
+ - /var/log:/host/var/log:ro
environment:
- DOCKER_HOST=localhost:2375
proxy:
@@ -333,6 +375,8 @@ volumes:
#### CetusGuard
+> Note: This deployment method is supported by the community
+
```yaml
version: '3'
services:
@@ -353,9 +397,11 @@ services:
- netdatacache:/var/cache/netdata
- /etc/passwd:/host/etc/passwd:ro
- /etc/group:/host/etc/group:ro
+ - /etc/localtime:/etc/localtime:ro
- /proc:/host/proc:ro
- /sys:/host/sys:ro
- /etc/os-release:/host/etc/os-release:ro
+ - /var/log:/host/var/log:ro
environment:
- DOCKER_HOST=localhost:2375
cetusguard:
@@ -444,22 +490,20 @@ above section on [configuring Agent containers](#configure-agent-containers) to
how you created the container.
Alternatively, you can directly use the hostname from the node running the container by mounting `/etc/hostname` from
-the host in the container. With `docker run`, this can be done by adding `--volume /etc/hostname:/etc/hostname:ro` to
+the host in the container. With `docker run`, this can be done by adding `--volume /etc/hostname:/host/etc/hostname:ro` to
the options. If you are using Docker Compose, you can add an entry to the container's `volumes` section
-reading `- /etc/hostname:/etc/hostname:ro`.
+reading `- /etc/hostname:/host/etc/hostname:ro`.
## Adding extra packages at runtime
By default, the official Netdata container images do not include a number of optional runtime dependencies. You
-can add these dependencies, or any other APK packages, at runtime by listing them in the environment variable
-`NETDATA_EXTRA_APK_PACKAGES`.
+can add these dependencies, or any other APT packages, at runtime by listing them in the environment variable
+`NETDATA_EXTRA_DEB_PACKAGES`.
Commonly useful packages include:
- `apcupsd`: For monitoring APC UPS devices.
-- `libvirt-daemon`: For resolving cgroup names for libvirt domains.
- `lm-sensors`: For monitoring hardware sensors.
-- `msmtp`: For email alert support.
- `netcat-openbsd`: For IRC alert support.
## Health Checks
diff --git a/packaging/docker/run.sh b/packaging/docker/run.sh
index 1b6ce7c66..415573320 100755
--- a/packaging/docker/run.sh
+++ b/packaging/docker/run.sh
@@ -41,11 +41,38 @@ export DOCKER_HOST
if [ -n "${PGID}" ]; then
echo "Creating docker group ${PGID}"
- addgroup -g "${PGID}" "docker" || echo >&2 "Could not add group docker with ID ${PGID}, its already there probably"
+ addgroup --gid "${PGID}" "docker" || echo >&2 "Could not add group docker with ID ${PGID}, its already there probably"
echo "Assign netdata user to docker group ${PGID}"
- usermod -a -G "${PGID}" "${DOCKER_USR}" || echo >&2 "Could not add netdata user to group docker with ID ${PGID}"
+ usermod --append --groups "docker" "${DOCKER_USR}" || echo >&2 "Could not add netdata user to group docker with ID ${PGID}"
fi
+# Needed to read Proxmox VMs and (LXC) containers configuration files (name resolution + CPU and memory limits)
+function add_netdata_to_proxmox_conf_files_group() {
+ group_guid="$(stat -c %g /host/etc/pve 2>/dev/null || true)"
+ [ -z "${group_guid}" ] && return
+
+ if ! getent group "${group_guid}" >/dev/null; then
+ echo "Creating proxmox-etc-pve group with GID ${group_guid}"
+ if ! addgroup -g "${group_guid}" "proxmox-etc-pve"; then
+ echo >&2 "Failed to add group proxmox-etc-pve with GID ${group_guid}."
+ return
+ fi
+ fi
+
+ if ! getent group "${group_guid}" | grep -q netdata; then
+ echo "Assign netdata user to group ${group_guid}"
+ if ! usermod -a -G "${group_guid}" "${DOCKER_USR}"; then
+ echo >&2 "Failed to add netdata user to group with GID ${group_guid}."
+ return
+ fi
+ fi
+}
+
+if [ -d "/host/etc/pve" ]; then
+ add_netdata_to_proxmox_conf_files_group || true
+fi
+
+
if mountpoint -q /etc/netdata; then
echo "Copying stock configuration to /etc/netdata"
cp -an /etc/netdata.stock/* /etc/netdata
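Review bot: Inside `add_netdata_to_proxmox_conf_files_group` the group is created with `addgroup -g "${group_guid}"`, the BusyBox short option that this same hunk replaces with `--gid` a few lines earlier for the docker group; Debian's adduser-based `addgroup` documents only long options and `-g` is ambiguous there (`--gecos`/`--gid`/`--group`), so on the new Debian base this call will most likely fail and the function will return after printing its failure message, leaving the Proxmox config files unreadable. Use `addgroup --gid "${group_guid}" "proxmox-etc-pve"` and, for consistency with the converted line above, `usermod --append --groups "${group_guid}" "${DOCKER_USR}"`. Two smaller things: `getent group "${group_guid}" | grep -q netdata` is a substring match on the whole group line, so a group name or another member containing `netdata` also satisfies it — `grep -qw netdata` or `id -nG "${DOCKER_USR}" | grep -qw "${group_guid}"`-style checks are tighter; and the variable holds a GID, not a GUID, so `group_gid` reads better. A one-line comment that membership in this group gives the agent read access to every VM/LXC configuration under /etc/pve would make the privilege being granted explicit.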
@@ -71,13 +98,20 @@ if [ -n "${NETDATA_CLAIM_URL}" ] && [ -n "${NETDATA_CLAIM_TOKEN}" ] && [ ! -f /v
fi
if [ -n "${NETDATA_EXTRA_APK_PACKAGES}" ]; then
- echo "Fetching APK repository metadata."
- if ! apk update; then
- echo "Failed to fetch APK repository metadata."
+ echo >&2 "WARNING: Netdata’s Docker images have switched from Alpine to Debian as a base platform. Supplementary package support is now handled through the NETDATA_EXTRA_DEB_PACKAGES variable instead of NETDATA_EXTRA_APK_PACKAGES."
+ echo >&2 "WARNING: The container will still run, but supplementary packages listed in NETDATA_EXTRA_APK_PACKAGES will not be installed."
+ echo >&2 "WARNING: To remove these messages, either undefine NETDATA_EXTRA_APK_PACKAGES, or define it to an empty string."
+fi
+
+if [ -n "${NETDATA_EXTRA_DEB_PACKAGES}" ]; then
+ echo "Fetching APT repository metadata."
+ if ! apt-get update; then
+ echo "Failed to fetch APT repository metadata."
else
echo "Installing supplementary packages."
+ export DEBIAN_FRONTEND="noninteractive"
# shellcheck disable=SC2086
- if ! apk add --no-cache ${NETDATA_EXTRA_APK_PACKAGES}; then
+ if ! apt-get install -y --no-install-recommends ${NETDATA_EXTRA_DEB_PACKAGES}; then
echo "Failed to install supplementary packages."
fi
fi
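Review bot: `export DEBIAN_FRONTEND="noninteractive"` puts the variable into the environment of everything run.sh launches afterwards — presumably the netdata daemon and each collector plugin, though the final exec is outside this hunk; scope it to the one command instead: `DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends -- ${NETDATA_EXTRA_DEB_PACKAGES}`. The `--` matters because the variable is operator-controlled and deliberately word-split (SC2086), so a value beginning with `-` would otherwise be parsed as an apt-get option rather than a package name (confirm apt-get honours `--` as end-of-options on the base image's version). Operationally this block fetches and installs unpinned packages as root from the base image's APT sources on every container start, and a failed install is only logged, so a comment stating that, e.g. `# Runs at every container start; packages are unpinned and install failures are logged but not fatal`, plus `rm -rf /var/lib/apt/lists/*` after the install, would make the trade-off visible and keep the writable layer small.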