archive/netdata_netdata
0
0
Fork 0
mirror of https://github.com/netdata/netdata.git synced 2025-04-13 17:19:11 +00:00
Code Issues Projects Releases Wiki Activity

Better support running the Docker entrypoint code as a non-root user. ()

Browse source 
* Better support running our Docker images without root in the container.

Users can override what user ID is used inside of a container when
creating the container. We don’t technically properly support this, but
we should also ideally not _break_ such usage either as there are
legitimate use-cases for it. This moves code that will only work when
run as root inside the container inside a conditional in our entrypoint
script so that it doesn’t break things otherwise.

* Update Docker documentation.

* Include all group manipulations in the EUID == 0 case.
This commit is contained in:
Austin S. Hemmelgarn 2024-01-19 07:00:02 -05:00 committed by GitHub
parent e5de17af61
commit 12c986d745
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 67 additions and 54 deletions
packaging/docker
README.mdrun.sh

10
packaging/docker/README.md
View file

@ -12,6 +12,16 @@ import TabItem from '@theme/TabItem';
# Install Netdata with Docker # Install Netdata with Docker
## Limitations running the Agent in Docker
We do not officially support running our Docker images with the Docker CLI `--user` option or the Docker Compose
`user:` parameter. Such usage will usually still work, but some features will not be available when run this
way. Note that the agent will drop privileges appropriately inside the container during startup, meaning that even
when run without these options almost nothing in the container will actually run with an effective UID of 0.
Our POWER8+ Docker images do not support our FreeIPMI collector. This is a technical limitation in FreeIPMI itself,
and unfortunately not something we can realistically work around.
## Create a new Netdata Agent container ## Create a new Netdata Agent container
You can create a new Agent container using either `docker run` or `docker-compose`. After using any method, you can You can create a new Agent container using either `docker run` or `docker-compose`. After using any method, you can

111
packaging/docker/run.sh
View file

@ -14,38 +14,6 @@ if [ ! -w / ] && [ "${EUID}" -eq 0 ]; then
echo >&2 "WARNING: For more information, see https://learn.netdata.cloud/docs/agent/claim#known-issues-on-older-hosts-with-seccomp-enabled" echo >&2 "WARNING: For more information, see https://learn.netdata.cloud/docs/agent/claim#known-issues-on-older-hosts-with-seccomp-enabled"
fi fi
if [ ! "${DISABLE_TELEMETRY:-0}" -eq 0 ] ||
[ -n "$DISABLE_TELEMETRY" ] ||
[ ! "${DO_NOT_TRACK:-0}" -eq 0 ] ||
[ -n "$DO_NOT_TRACK" ]; then
touch /etc/netdata/.opt-out-from-anonymous-statistics
fi
chmod o+rX / 2>/dev/null || echo "Unable to change permissions without errors."
BALENA_PGID=$(stat -c %g /var/run/balena.sock 2>/dev/null || true)
DOCKER_PGID=$(stat -c %g /var/run/docker.sock 2>/dev/null || true)
re='^[0-9]+$'
if [[ $BALENA_PGID =~ $re ]]; then
echo "Netdata detected balena-engine.sock"
DOCKER_HOST='/var/run/balena-engine.sock'
PGID="$BALENA_PGID"
elif [[ $DOCKER_PGID =~ $re ]]; then
echo "Netdata detected docker.sock"
DOCKER_HOST="/var/run/docker.sock"
PGID="$DOCKER_PGID"
fi
export PGID
export DOCKER_HOST
if [ -n "${PGID}" ]; then
echo "Creating docker group ${PGID}"
addgroup --gid "${PGID}" "docker" || echo >&2 "Could not add group docker with ID ${PGID}, its already there probably"
echo "Assign netdata user to docker group ${PGID}"
usermod --append --groups "docker" "${DOCKER_USR}" || echo >&2 "Could not add netdata user to group docker with ID ${PGID}"
fi
# Needed to read Proxmox VMs and (LXC) containers configuration files (name resolution + CPU and memory limits) # Needed to read Proxmox VMs and (LXC) containers configuration files (name resolution + CPU and memory limits)
function add_netdata_to_proxmox_conf_files_group() { function add_netdata_to_proxmox_conf_files_group() {
group_guid="$(stat -c %g /host/etc/pve 2>/dev/null || true)" group_guid="$(stat -c %g /host/etc/pve 2>/dev/null || true)"
@ -68,10 +36,65 @@ function add_netdata_to_proxmox_conf_files_group() {
fi fi
} }
if [ -d "/host/etc/pve" ]; then if [ ! "${DISABLE_TELEMETRY:-0}" -eq 0 ] ||
add_netdata_to_proxmox_conf_files_group || true [ -n "$DISABLE_TELEMETRY" ] ||
[ ! "${DO_NOT_TRACK:-0}" -eq 0 ] ||
[ -n "$DO_NOT_TRACK" ]; then
touch /etc/netdata/.opt-out-from-anonymous-statistics
fi fi
chmod o+rX / 2>/dev/null || echo "Unable to change permissions without errors."
if [ "${EUID}" -eq 0 ]; then
if [ -n "${NETDATA_EXTRA_APK_PACKAGES}" ]; then
echo >&2 "WARNING: Netdatas Docker images have switched from Alpine to Debian as a base platform. Supplementary package support is now handled through the NETDATA_EXTRA_DEB_PACKAGES variable instead of NETDATA_EXTRA_APK_PACKAGES."
echo >&2 "WARNING: The container will still run, but supplementary packages listed in NETDATA_EXTRA_APK_PACKAGES will not be installed."
echo >&2 "WARNING: To remove these messages, either undefine NETDATA_EXTRA_APK_PACKAGES, or define it to an empty string."
fi
if [ -n "${NETDATA_EXTRA_DEB_PACKAGES}" ]; then
echo "Fetching APT repository metadata."
if ! apt-get update; then
echo "Failed to fetch APT repository metadata."
else
echo "Installing supplementary packages."
export DEBIAN_FRONTEND="noninteractive"
# shellcheck disable=SC2086
if ! apt-get install -y --no-install-recommends ${NETDATA_EXTRA_DEB_PACKAGES}; then
echo "Failed to install supplementary packages."
fi
fi
fi
BALENA_PGID=$(stat -c %g /var/run/balena.sock 2>/dev/null || true)
DOCKER_PGID=$(stat -c %g /var/run/docker.sock 2>/dev/null || true)
re='^[0-9]+$'
if [[ $BALENA_PGID =~ $re ]]; then
echo "Netdata detected balena-engine.sock"
DOCKER_HOST='/var/run/balena-engine.sock'
PGID="$BALENA_PGID"
elif [[ $DOCKER_PGID =~ $re ]]; then
echo "Netdata detected docker.sock"
DOCKER_HOST="/var/run/docker.sock"
PGID="$DOCKER_PGID"
fi
export PGID
export DOCKER_HOST
if [ -n "${PGID}" ]; then
echo "Creating docker group ${PGID}"
addgroup --gid "${PGID}" "docker" || echo >&2 "Could not add group docker with ID ${PGID}, its already there probably"
echo "Assign netdata user to docker group ${PGID}"
usermod --append --groups "docker" "${DOCKER_USR}" || echo >&2 "Could not add netdata user to group docker with ID ${PGID}"
fi
if [ -d "/host/etc/pve" ]; then
add_netdata_to_proxmox_conf_files_group || true
fi
else
echo >&2 "WARNING: Entrypoint started as non-root user. This is not officially supported and some features may not be available."
fi
if mountpoint -q /etc/netdata; then if mountpoint -q /etc/netdata; then
echo "Copying stock configuration to /etc/netdata" echo "Copying stock configuration to /etc/netdata"
@ -97,24 +120,4 @@ if [ -n "${NETDATA_CLAIM_URL}" ] && [ -n "${NETDATA_CLAIM_TOKEN}" ] && [ ! -f /v
-daemon-not-running -daemon-not-running
fi fi
if [ -n "${NETDATA_EXTRA_APK_PACKAGES}" ]; then
echo >&2 "WARNING: Netdatas Docker images have switched from Alpine to Debian as a base platform. Supplementary package support is now handled through the NETDATA_EXTRA_DEB_PACKAGES variable instead of NETDATA_EXTRA_APK_PACKAGES."
echo >&2 "WARNING: The container will still run, but supplementary packages listed in NETDATA_EXTRA_APK_PACKAGES will not be installed."
echo >&2 "WARNING: To remove these messages, either undefine NETDATA_EXTRA_APK_PACKAGES, or define it to an empty string."
fi
if [ -n "${NETDATA_EXTRA_DEB_PACKAGES}" ]; then
echo "Fetching APT repository metadata."
if ! apt-get update; then
echo "Failed to fetch APT repository metadata."
else
echo "Installing supplementary packages."
export DEBIAN_FRONTEND="noninteractive"
# shellcheck disable=SC2086
if ! apt-get install -y --no-install-recommends ${NETDATA_EXTRA_DEB_PACKAGES}; then
echo "Failed to install supplementary packages."
fi
fi
fi
exec /usr/sbin/netdata -u "${DOCKER_USR}" -D -s /host -p "${NETDATA_LISTENER_PORT}" "$@" exec /usr/sbin/netdata -u "${DOCKER_USR}" -D -s /host -p "${NETDATA_LISTENER_PORT}" "$@"