docs: add "Rootless mode" to Docker install guide (#16632)

* cgroups: update default filter to allow docker rootless containers * add Rootless mode to docker readme
2025-04-14 09:38:34 +00:00 · 2023-12-20 11:46:52 +02:00 · 2023-12-20 11:46:52 +02:00 · 3ed97a3f82
commit 3ed97a3f82
parent 1bd9f34130
2 changed files with 58 additions and 1 deletions
--- a/collectors/cgroups.plugin/sys_fs_cgroup.c
+++ b/collectors/cgroups.plugin/sys_fs_cgroup.c
@ -418,6 +418,8 @@ void read_cgroup_plugin_configuration() {

                       " !*/init.scope "                      // ignore init.scope
                       " !/system.slice/run-*.scope "         // ignore system.slice/run-XXXX.scope
+                       " *user.slice/docker-*"                // allow docker rootless containers
+                       " !*user.slice*"                       // ignore the rest stuff in user.slice 
                       " *.scope "                            // we need all other *.scope for sure

                       // ----------------------------------------------------------------
@ -475,7 +477,6 @@ void read_cgroup_plugin_configuration() {
                       " !/system "
                       " !/systemd "
                       " !/user "
-                       " !/user.slice "
                       " !/lxc/*/* "                          //  #2161 #2649
                       " !/lxc.monitor "
                       " !/lxc.payload/*/* "
--- a/packaging/docker/README.md
+++ b/packaging/docker/README.md
@ -426,6 +426,62 @@ volumes:
 You can run the socket proxy in its own Docker Compose file and leave it on a private network that you can add to
 other services that require access.

+### Rootless mode
+
+Netdata can be run successfully in a non-root environment, such as [rootless Docker](https://docs.docker.com/engine/security/rootless/).
+
+However, it should be noted that Netdata's data collection capabilities are considerably restricted in rootless Docker
+due to its inherent limitations. While Netdata can function in a rootless environment, it cannot access certain
+resources that require elevated privileges. The following components do not work:
+
+- container network interfaces monitoring (cgroup-network helper)
+- disk I/O and file descriptors of applications and processes (apps.plugin)
+- debugfs.plugin
+- freeipmi.plugin
+- perf.plugin
+- slabinfo.plugin
+- systemd-journal.plugin
+
+This method creates a [volume](https://docs.docker.com/storage/volumes/) for Netdata's configuration files
+_within the container_ at `/etc/netdata`.
+See the [configure section](#configure-agent-containers) for details. If you want to access the configuration files from
+your _host_ machine, see [host-editable configuration](#with-host-editable-configuration).
+
+<Tabs>
+<TabItem value="docker_run" label="docker run">
+
+<h3> Using the <code>docker run</code> command </h3>
+
+Run the following command in your terminal to start a new container.
+
+```bash
+docker run -d --name=netdata \
+  --hostname=$(hostname) \
+  -p 19999:19999 \
+  -v netdataconfig:/etc/netdata \
+  -v netdatalib:/var/lib/netdata \
+  -v netdatacache:/var/cache/netdata \
+  -v /etc/passwd:/host/etc/passwd:ro \
+  -v /etc/group:/host/etc/group:ro \
+  -v /etc/localtime:/etc/localtime:ro \
+  -v /proc:/host/proc:ro \
+  -v /sys:/host/sys:ro \
+  -v /etc/os-release:/host/etc/os-release:ro \
+  -v /run/user/$UID/docker.sock:/var/run/docker.sock:ro \
+  --restart unless-stopped \
+  --security-opt apparmor=unconfined \
+  netdata/netdata
+```
+
+</TabItem>
+
+</Tabs>
+
+> :bookmark_tabs: Note
+>
+> If you plan to Claim the node to Netdata Cloud, you can find the command with the right parameters by clicking the "
+> Add Nodes" button in your Space's "Nodes" view.
+
 ## Docker tags

 See our full list of Docker images at [Docker Hub](https://hub.docker.com/r/netdata/netdata).