Switch to using Debian as a base for our Docker images. (#15823)

* Update Dockerfile to properly work with Debian base images. * add missing setuid plugins * add systemd-journal * disable building ebpf in Docker * Fix docker group handling. * fix "no such user"/" No such file or directory" warning * fix netdata group and rm nut from docs * fix missing systemd-cat-native --------- Co-authored-by: ilyam8 <ilya@netdata.cloud> Co-authored-by: Tasos Katsoulas <12612986+tkatsoulas@users.noreply.github.com>
2025-04-05 22:15:32 +00:00 · 2023-11-28 07:28:54 -05:00 · 2023-11-28 07:28:54 -05:00 · d8e2aff0ae
commit d8e2aff0ae
parent 16926d80fc
4 changed files with 39 additions and 33 deletions
--- a/netdata-installer.sh
+++ b/netdata-installer.sh
@ -1104,7 +1104,7 @@ else
  NETDATA_USER="${USER}"
  ROOT_USER="${USER}"
 fi
-NETDATA_GROUP="$(id -g -n "${NETDATA_USER}")"
+NETDATA_GROUP="$(id -g -n "${NETDATA_USER}" 2> /dev/null)"
 [ -z "${NETDATA_GROUP}" ] && NETDATA_GROUP="${NETDATA_USER}"
 echo >&2 "Netdata user and group set to: ${NETDATA_USER}/${NETDATA_GROUP}"

@ -1177,7 +1177,7 @@ if [ "$(id -u)" -eq 0 ]; then
    # shellcheck disable=SC2086
    portable_add_user_to_group ${g} netdata && NETDATA_ADDED_TO_GROUPS="${NETDATA_ADDED_TO_GROUPS} ${g}"
  done
-  # Netdata must be able to read /etc/pve/qemu-server/* and /etc/pve/lxc/* 
+  # Netdata must be able to read /etc/pve/qemu-server/* and /etc/pve/lxc/*
  # for reading VMs/containers names, CPU and memory limits on Proxmox.
  if [ -d "/etc/pve" ]; then
    portable_add_user_to_group "www-data" netdata && NETDATA_ADDED_TO_GROUPS="${NETDATA_ADDED_TO_GROUPS} www-data"
@ -1344,7 +1344,7 @@ if [ "$(id -u)" -eq 0 ]; then
    if ! iscontainer && command -v setcap 1> /dev/null 2>&1; then
      run chmod 0750 "${NETDATA_PREFIX}/usr/libexec/netdata/plugins.d/systemd-journal.plugin"
      if run setcap cap_dac_read_search+ep "${NETDATA_PREFIX}/usr/libexec/netdata/plugins.d/systemd-journal.plugin"; then
-        capabilities=1 
+        capabilities=1
      fi
    fi

--- a/packaging/docker/Dockerfile
+++ b/packaging/docker/Dockerfile
@ -3,7 +3,7 @@

 # This image contains preinstalled dependencies
 # hadolint ignore=DL3007
-FROM netdata/builder:v1 as builder
+FROM netdata/builder:v2 as builder

 # One of 'nightly' or 'stable'
 ARG RELEASE_CHANNEL=nightly
@ -29,7 +29,7 @@ RUN chmod +x netdata-installer.sh && \
   cp -rp /deps/* /usr/local/ && \
   /bin/echo -e "INSTALL_TYPE='oci'\nPREBUILT_ARCH='$(uname -m)'" > ./system/.install-type && \
   CFLAGS="$(packaging/docker/gen-cflags.sh)" LDFLAGS="-Wl,--gc-sections" ./netdata-installer.sh --dont-wait --dont-start-it --use-system-protobuf \
-   ${EXTRA_INSTALL_OPTS} --one-time-build --enable-lto "$([ "$RELEASE_CHANNEL" = stable ] && echo --stable-channel)"
+   ${EXTRA_INSTALL_OPTS} --disable-ebpf --one-time-build --enable-lto "$([ "$RELEASE_CHANNEL" = stable ] && echo --stable-channel)"

 # files to one directory
 RUN mkdir -p /app/usr/sbin/ \
@ -49,6 +49,7 @@ RUN mkdir -p /app/usr/sbin/ \
    mv /usr/sbin/netdata    /app/usr/sbin/ && \
    mv /usr/sbin/netdata-claim.sh    /app/usr/sbin/ && \
    mv /usr/sbin/netdatacli    /app/usr/sbin/ && \
+    mv /usr/sbin/systemd-cat-native /app/usr/sbin/ && \
    mv packaging/docker/run.sh        /app/usr/sbin/ && \
    mv packaging/docker/health.sh     /app/usr/sbin/ && \
    mkdir -p /deps/etc && \
@ -59,7 +60,7 @@ RUN mkdir -p /app/usr/sbin/ \
 #####################################################################
 # This image contains preinstalled dependencies
 # hadolint ignore=DL3007
-FROM netdata/base:v1 as base
+FROM netdata/base:v2 as base

 LABEL org.opencontainers.image.authors="Netdatabot <bot@netdata.cloud>"
 LABEL org.opencontainers.image.url="https://netdata.cloud"
@ -83,7 +84,7 @@ ENV DOCKER_USR netdata
 ENV NETDATA_LISTENER_PORT 19999
 EXPOSE $NETDATA_LISTENER_PORT

-ENV NETDATA_EXTRA_APK_PACKAGES=""
+ENV NETDATA_EXTRA_DEB_PACKAGES=""

 RUN mkdir -p /opt/src /var/log/netdata && \
    ln -sf /dev/stdout /var/log/netdata/access.log && \
@ -92,16 +93,16 @@ RUN mkdir -p /opt/src /var/log/netdata && \
    ln -sf /dev/stderr /var/log/netdata/daemon.log && \
    ln -sf /dev/stdout /var/log/netdata/collector.log && \
    ln -sf /dev/stdout /var/log/netdata/fluentbit.log && \
-    ln -sf /dev/stdout /var/log/netdata/health.log && \
-    addgroup -g ${NETDATA_GID} -S "${DOCKER_GRP}" && \
-    adduser -S -H -s /usr/sbin/nologin -u ${NETDATA_GID} -h /etc/netdata -G "${DOCKER_GRP}" "${DOCKER_USR}"
+    ln -sf /dev/stdout /var/log/netdata/health.log

 COPY --from=builder /app /

-# Apply the permissions as described in
+# Create netdata user and apply the permissions as described in
 # https://docs.netdata.cloud/docs/netdata-security/#netdata-directories, but own everything by root group due to https://github.com/netdata/netdata/pull/6543
 # hadolint ignore=DL3013
-RUN chown -R root:root \
+RUN addgroup --gid ${NETDATA_GID} --system "${DOCKER_GRP}" && \
+    adduser --system --no-create-home --shell /usr/sbin/nologin --uid ${NETDATA_UID} --home /etc/netdata --group "${DOCKER_USR}" && \
+    chown -R root:root \
        /etc/netdata \
        /usr/share/netdata \
        /usr/libexec/netdata && \
@ -113,17 +114,17 @@ RUN chown -R root:root \
    chown -R netdata:netdata /var/lib/netdata/cloud.d && \
    chmod 0700 /var/lib/netdata/cloud.d && \
    chmod 0755 /usr/libexec/netdata/plugins.d/*.plugin && \
-    chmod 4755 \
-        /usr/libexec/netdata/plugins.d/cgroup-network \
-        /usr/libexec/netdata/plugins.d/local-listeners \
-        /usr/libexec/netdata/plugins.d/apps.plugin \
-        /usr/libexec/netdata/plugins.d/debugfs.plugin && \
-    if [ -f /usr/libexec/netdata/plugins.d/freeipmi.plugin ]; then \
-        chmod 4755 /usr/libexec/netdata/plugins.d/freeipmi.plugin; \
-    fi && \
-    if [ -f /usr/libexec/netdata/plugins.d/go.d.plugin ]; then \
-        chmod 4755 /usr/libexec/netdata/plugins.d/go.d.plugin; \
-    fi && \
+    for name in cgroup-network \
+                local-listeners \
+                apps.plugin \
+                debugfs.plugin \
+                freeipmi.plugin \
+                go.d.plugin \
+                perf.plugin \
+                slabinfo.plugin \
+                systemd-journal.plugin; do \
+        [ -f "/usr/libexec/netdata/plugins.d/$name" ] && chmod 4755 "/usr/libexec/netdata/plugins.d/$name"; \
+    done && \
    # Group write permissions due to: https://github.com/netdata/netdata/pull/6543
    find /var/lib/netdata /var/cache/netdata -type d -exec chmod 0770 {} \; && \
    find /var/lib/netdata /var/cache/netdata -type f -exec chmod 0660 {} \; && \
--- a/packaging/docker/README.md
+++ b/packaging/docker/README.md
@ -460,15 +460,13 @@ reading `- /etc/hostname:/host/etc/hostname:ro`.
 ## Adding extra packages at runtime

 By default, the official Netdata container images do not include a number of optional runtime dependencies. You
-can add these dependencies, or any other APK packages, at runtime by listing them in the environment variable
-`NETDATA_EXTRA_APK_PACKAGES`.
+can add these dependencies, or any other APT packages, at runtime by listing them in the environment variable
+`NETDATA_EXTRA_DEB_PACKAGES`.

 Commonly useful packages include:

 - `apcupsd`: For monitoring APC UPS devices.
- `libvirt-daemon`: For resolving cgroup names for libvirt domains.
 - `lm-sensors`: For monitoring hardware sensors.
- `msmtp`: For email alert support.
 - `netcat-openbsd`: For IRC alert support.

 ## Health Checks
--- a/packaging/docker/run.sh
+++ b/packaging/docker/run.sh
@ -41,9 +41,9 @@ export DOCKER_HOST

 if [ -n "${PGID}" ]; then
  echo "Creating docker group ${PGID}"
-  addgroup -g "${PGID}" "docker" || echo >&2 "Could not add group docker with ID ${PGID}, its already there probably"
+  addgroup --gid "${PGID}" "docker" || echo >&2 "Could not add group docker with ID ${PGID}, its already there probably"
  echo "Assign netdata user to docker group ${PGID}"
-  usermod -a -G "${PGID}" "${DOCKER_USR}" || echo >&2 "Could not add netdata user to group docker with ID ${PGID}"
+  usermod --append --groups "docker" "${DOCKER_USR}" || echo >&2 "Could not add netdata user to group docker with ID ${PGID}"
 fi

 # Needed to read Proxmox VMs and (LXC) containers configuration files (name resolution + CPU and memory limits)
@ -98,13 +98,20 @@ if [ -n "${NETDATA_CLAIM_URL}" ] && [ -n "${NETDATA_CLAIM_TOKEN}" ] && [ ! -f /v
 fi

 if [ -n "${NETDATA_EXTRA_APK_PACKAGES}" ]; then
-  echo "Fetching APK repository metadata."
-  if ! apk update; then
-    echo "Failed to fetch APK repository metadata."
+  echo >&2 "WARNING: Netdata’s Docker images have switched from Alpine to Debian as a base platform. Supplementary package support is now handled through the NETDATA_EXTRA_DEB_PACKAGES variable instead of NETDATA_EXTRA_APK_PACKAGES."
+  echo >&2 "WARNING: The container will still run, but supplementary packages listed in NETDATA_EXTRA_APK_PACKAGES will not be installed."
+  echo >&2 "WARNING: To remove these messages, either undefine NETDATA_EXTRA_APK_PACKAGES, or define it to an empty string."
+fi
+
+if [ -n "${NETDATA_EXTRA_DEB_PACKAGES}" ]; then
+  echo "Fetching APT repository metadata."
+  if ! apt-get update; then
+    echo "Failed to fetch APT repository metadata."
  else
    echo "Installing supplementary packages."
+    export DEBIAN_FRONTEND="noninteractive"
    # shellcheck disable=SC2086
-    if ! apk add --no-cache ${NETDATA_EXTRA_APK_PACKAGES}; then
+    if ! apt-get install -y --no-install-recommends ${NETDATA_EXTRA_DEB_PACKAGES}; then
      echo "Failed to install supplementary packages."
    fi
  fi