From d079b656b4719739b2247dcd9d46e9bec793095a Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Mon, 6 Feb 2023 17:11:34 +0100 Subject: Merging upstream version 1.38.0. Signed-off-by: Daniel Baumann --- packaging/docker/Dockerfile | 15 +++++--- packaging/docker/README.md | 93 +++++++++++++++++++-------------------------- packaging/docker/run.sh | 8 ++++ 3 files changed, 57 insertions(+), 59 deletions(-) (limited to 'packaging/docker') diff --git a/packaging/docker/Dockerfile b/packaging/docker/Dockerfile index 287c592bb..ce5a0b932 100644 --- a/packaging/docker/Dockerfile +++ b/packaging/docker/Dockerfile @@ -76,16 +76,13 @@ RUN mkdir -p /opt/src /var/log/netdata && \ ln -sf /dev/stdout /var/log/netdata/access.log && \ ln -sf /dev/stdout /var/log/netdata/debug.log && \ ln -sf /dev/stderr /var/log/netdata/error.log && \ - # fping from alpine apk is on a different location. Moving it. - ln -snf /usr/sbin/fping /usr/local/bin/fping && \ - chmod 4755 /usr/local/bin/fping && \ + ln -sf /dev/stdout /var/log/netdata/collector.log && \ # Add netdata user addgroup -g ${NETDATA_GID} -S "${DOCKER_GRP}" && \ adduser -S -H -s /usr/sbin/nologin -u ${NETDATA_GID} -h /etc/netdata -G "${DOCKER_GRP}" "${DOCKER_USR}" # Fix handling of config directory # Long-term this should leverage BuildKit’s mount option. -COPY --from=builder /wheels /wheels COPY --from=builder /app / # Apply the permissions as described in @@ -112,8 +109,6 @@ RUN chown -R root:root \ # Group write permissions due to: https://github.com/netdata/netdata/pull/6543 find /var/lib/netdata /var/cache/netdata -type d -exec chmod 0770 {} \; && \ find /var/lib/netdata /var/cache/netdata -type f -exec chmod 0660 {} \; && \ - pip --no-cache-dir install /wheels/* && \ - rm -rf /wheels && \ cp -va /etc/netdata /etc/netdata.stock ENV NETDATA_LISTENER_PORT 19999 
@@ -124,3 +119,11 @@ ENTRYPOINT ["/usr/sbin/run.sh"] HEALTHCHECK --interval=60s --timeout=10s --retries=3 CMD /usr/sbin/health.sh ONBUILD ENV NETDATA_OFFICIAL_IMAGE=false + +LABEL org.opencontainers.image.authors="Netdatabot " +LABEL org.opencontainers.image.url="https://netdata.cloud" +LABEL org.opencontainers.image.documentation="https://learn.netdata.cloud" +LABEL org.opencontainers.image.source="https://github.com/netdata/netdata" +LABEL org.opencontainers.image.title="Netdata Agent" +LABEL org.opencontainers.image.description="Official Netdata Agent Docker Image" +LABEL org.opencontainers.image.vendor="Netdata Inc." diff --git a/packaging/docker/README.md b/packaging/docker/README.md index d00262a1b..aec5723e3 100644 --- a/packaging/docker/README.md +++ b/packaging/docker/README.md @@ -1,7 +1,11 @@ # Install the Netdata Agent with Docker @@ -12,7 +16,7 @@ you get set up quickly, and doesn't install anything permanent on the system, wh See our full list of Docker images at [Docker Hub](https://hub.docker.com/r/netdata/netdata). Starting with v1.30, Netdata collects anonymous usage information by default and sends it to a self-hosted PostHog instance within the Netdata infrastructure. Read -about the information collected, and learn how to-opt, on our [anonymous statistics](/docs/anonymous-statistics.md) +about the information collected, and learn how to-opt, on our [anonymous statistics](https://github.com/netdata/netdata/blob/master/docs/anonymous-statistics.md) page. The usage statistics are _vital_ for us, as we use them to discover bugs and prioritize new features. We thank you for 
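Review bot: The `LABEL org.opencontainers.image.*` lines added at the end of the Dockerfile are inherited by every image built `FROM` this one. A derived image therefore still carries `description="Official Netdata Agent Docker Image"` and `vendor="Netdata Inc."`, even though the `ONBUILD ENV NETDATA_OFFICIAL_IMAGE=false` line just above marks such builds as unofficial. Labels are plain metadata that any build can set or inherit, so a short comment above the block would help, for example `# Informational OCI metadata only; child images inherit these labels unless they override them`. Origin checks belong with the image digest or signature rather than with these fields. As a style point, the seven instructions could be written as one multi-line `LABEL`.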
@@ -37,6 +41,21 @@ and unfortunately not something we can realistically work around. ## Create a new Netdata Agent container +> **Notice**: all `docker run` commands and `docker-compose` configurations explicitly set the `nofile` limit. This is +> required on some distros until [14177](https://github.com/netdata/netdata/issues/14177) is resolved. Failure to do so +> may cause a task running in a container to hang and consume 100% of the CPU core. + +
+What are these "some distros"? + +If `LimitNOFILE=infinity` results in an open file limit of 1073741816: + +```bash +[fedora37 ~]$ docker run --rm busybox grep open /proc/self/limits +Max open files 1073741816 1073741816 files +``` +
+ You can create a new Agent container using either `docker run` or Docker Compose. After using either method, you can visit the Agent dashboard `http://NODE:19999`. @@ -61,6 +80,7 @@ docker run -d --name=netdata \ --restart unless-stopped \ --cap-add SYS_PTRACE \ --security-opt apparmor=unconfined \ + --ulimit nofile=4096 \ netdata/netdata ``` @@ -81,6 +101,9 @@ services: - SYS_PTRACE security_opt: - apparmor:unconfined + ulimits: + nofile: + soft: 4096 volumes: - netdataconfig:/etc/netdata - netdatalib:/var/lib/netdata @@ -153,7 +176,7 @@ to restart the container: `docker restart netdata`. ### Host-editable configuration -> **Warning**: [edit-config](/docs/configure/nodes.md#the-netdata-config-directory) script doesn't work when executed on +> **Warning**: [edit-config](https://github.com/netdata/netdata/blob/master/docs/configure/nodes.md#the-netdata-config-directory) script doesn't work when executed on > the host system. If you want to make your container's configuration directory accessible from the host system, you need to use a @@ -169,12 +192,12 @@ docker rm -f netdata_tmp ``` **`docker run`**: Use the `docker run` command, along with the following options, to start a new container. Note the -changed `-v $(pwd)/netdataconfig/netdata:/etc/netdata:ro \` line from the recommended example above. +changed `-v $(pwd)/netdataconfig/netdata:/etc/netdata \` line from the recommended example above. ```bash docker run -d --name=netdata \ -p 19999:19999 \ - -v $(pwd)/netdataconfig/netdata:/etc/netdata:ro \ + -v $(pwd)/netdataconfig/netdata:/etc/netdata \ -v netdatalib:/var/lib/netdata \ -v netdatacache:/var/cache/netdata \ -v /etc/passwd:/host/etc/passwd:ro \ @@ -185,6 +208,7 @@ docker run -d --name=netdata \ --restart unless-stopped \ --cap-add SYS_PTRACE \ --security-opt apparmor=unconfined \ + --ulimit nofile=4096 \ netdata/netdata ``` 
@@ -206,6 +230,9 @@ services: - SYS_PTRACE security_opt: - apparmor:unconfined + ulimits: + nofile: + soft: 4096 volumes: - ./netdataconfig/netdata:/etc/netdata:ro - netdatalib:/var/lib/netdata @@ -295,7 +322,7 @@ your machine from within the container. Please read the following carefully. #### Docker socket proxy (safest option) Deploy a Docker socket proxy that accepts and filters out requests using something like -[HAProxy](/docs/Running-behind-haproxy.md) so that it restricts connections to read-only access to the CONTAINERS +[HAProxy](https://github.com/netdata/netdata/blob/master/docs/Running-behind-haproxy.md) so that it restricts connections to read-only access to the CONTAINERS endpoint. The reason it's safer to expose the socket to the proxy is because Netdata has a TCP port exposed outside the Docker @@ -414,13 +441,13 @@ services: ### Pass command line options to Netdata Since we use an [ENTRYPOINT](https://docs.docker.com/engine/reference/builder/#entrypoint) directive, you can provide -[Netdata daemon command line options](/daemon/README.md#command-line-options) such as the IP address Netdata will be +[Netdata daemon command line options](https://github.com/netdata/netdata/blob/master/daemon/README.md#command-line-options) such as the IP address Netdata will be running on, using the [command instruction](https://docs.docker.com/engine/reference/builder/#cmd). ## Install the Agent using Docker Compose with SSL/TLS enabled HTTP Proxy For a permanent installation on a public server, you should [secure the Netdata -instance](/docs/netdata-security.md). This section contains an example of how to install Netdata with an SSL +instance](https://github.com/netdata/netdata/blob/master/docs/netdata-security.md). This section contains an example of how to install Netdata with an SSL reverse proxy and basic authentication. You can use the following `docker-compose.yml` and Caddyfile files to run Netdata with Docker. Replace the domains and 
@@ -468,6 +495,9 @@ services:
 - SYS_PTRACE
 security_opt:
 - apparmor:unconfined
+ ulimits:
+ nofile:
+ soft: 4096
 volumes:
 - netdatalib:/var/lib/netdata
 - netdatacache:/var/cache/netdata
@@ -490,47 +520,4 @@ Caddyfile. ## Publish a test image to your own repository At Netdata, we provide multiple ways of testing your Docker images using your own repositories. -You may either use the command line tools available or take advantage of our Travis CI infrastructure. - -### Inside Netdata organization, using Travis CI - -To enable Travis CI integration on your own repositories (Docker and GitHub), you need to be part of the Netdata -organization. - -Once you have contacted the Netdata owners to setup you up on GitHub and Travis, execute the following steps - -- Preparation - - Have Netdata forked on your personal GitHub account - - Get a GitHub token: Go to **GitHub settings** -> **Developer Settings** -> **Personal access tokens**, and - generate a new token with full access to `repo_hook`, read-only access to `admin:org`, `public_repo`, - `repo_deployment`, `repo:status`, and `user:email` settings enabled. This will be your `GITHUB_TOKEN` that is - described later in the instructions, so keep it somewhere safe. - - Contact the Netdata team and seek for permissions on `https://scan.coverity.com` should you require Travis to be - able to push your forked code to coverity for analysis and report. Once you are setup, you should have your - email you used in coverity and a token from them. These will be your `COVERITY_SCAN_SUBMIT_EMAIL` and - `COVERITY_SCAN_TOKEN` that we will refer to later. - - Have a valid Docker hub account, the credentials from this account will be your `DOCKER_USERNAME` and - `DOCKER_PWD` mentioned later. - -- Setting up Travis CI for your own fork (Detailed instructions provided by Travis team [here](https://docs.travis-ci.com/user/tutorial/)) - - Login to travis with your own GITHUB credentials (There is Open Auth access) - - Go to your profile settings, under [repositories](https://travis-ci.com/account/repositories) section and setup - your Netdata fork to be built by Travis CI. 
- - Once the repository has been setup, go to repository settings within Travis CI (usually under - `https://travis-ci.com/NETDATA_DEVELOPER/netdata/settings`, where `NETDATA_DEVELOPER` is your GitHub handle), - and select your desired settings. - -- While in Travis settings, under Netdata repository settings in the Environment Variables section, you need to add - the following: - - `DOCKER_USERNAME` and `DOCKER_PWD` variables so that Travis can log in to your Docker Hub account and publish - Docker images there. - - `REPOSITORY` variable to `NETDATA_DEVELOPER/netdata`, where `NETDATA_DEVELOPER` is your GitHub handle again. - - `GITHUB_TOKEN` variable with the token generated on the preparation step, for Travis workflows to function - properly. - - `COVERITY_SCAN_SUBMIT_EMAIL` and `COVERITY_SCAN_TOKEN` variables to enable Travis to submit your code for - analysis to Coverity. - -Having followed these instructions, your forked repository should be all set up for integration with Travis CI. Happy -testing! - - +You may either use the command line tools available or take advantage of our GitHub Acions infrastructure. diff --git a/packaging/docker/run.sh b/packaging/docker/run.sh index 1e001256c..9029e22b6 100755 --- a/packaging/docker/run.sh +++ b/packaging/docker/run.sh @@ -49,6 +49,14 @@ if mountpoint -q /etc/netdata && [ -z "$(ls -A /etc/netdata)" ]; then cp -a /etc/netdata.stock/. /etc/netdata fi +if [ -w "/etc/netdata" ]; then + if mountpoint -q /etc/netdata; then + hostname >/etc/netdata/.container-hostname + else + rm -f /etc/netdata/.container-hostname + fi +fi + if [ -n "${NETDATA_CLAIM_URL}" ] && [ -n "${NETDATA_CLAIM_TOKEN}" ] && [ ! -f /var/lib/netdata/cloud.d/claimed_id ]; then # shellcheck disable=SC2086 /usr/sbin/netdata-claim.sh -token="${NETDATA_CLAIM_TOKEN}" \ -- cgit v1.2.3
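Review bot: The block added to run.sh writes `/etc/netdata/.container-hostname` with no comment saying what reads the file or why it is removed when `/etc/netdata` is not a mount point. A line such as `# Record the container hostname in a bind-mounted config dir; remove a stale copy otherwise` (wording to be confirmed against the consumer) would make the intent reviewable. The file lands in a directory shared with the host, and the `>` redirect follows whatever already exists at that path, so it is safer to run `rm -f /etc/netdata/.container-hostname` before `hostname >/etc/netdata/.container-hostname` and to check the result of the write. The `-w` test also means nothing is written when the directory is mounted `:ro`, as the Compose example in the README still does, so the two documented setups behave differently. The script continues outside the hunk, so whether `set -e` is in effect is not visible here.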