Switch to using Debian as a base for our Docker images. (#15823)

* Update Dockerfile to properly work with Debian base images.

* add missing setuid plugins

* add systemd-journal

* disable building ebpf in Docker

* Fix docker group handling.

* fix "no such user"/" No such file or directory" warning

* fix netdata group and rm nut from docs

* fix missing systemd-cat-native

---------

Co-authored-by: ilyam8 <ilya@netdata.cloud>
Co-authored-by: Tasos Katsoulas <12612986+tkatsoulas@users.noreply.github.com>

netdata-installer.sh

@@ -1104,7 +1104,7 @@ else
   NETDATA_USER="${USER}"
   ROOT_USER="${USER}"
 fi
-NETDATA_GROUP="$(id -g -n "${NETDATA_USER}")"
+NETDATA_GROUP="$(id -g -n "${NETDATA_USER}" 2> /dev/null)"
 [ -z "${NETDATA_GROUP}" ] && NETDATA_GROUP="${NETDATA_USER}"
 echo >&2 "Netdata user and group set to: ${NETDATA_USER}/${NETDATA_GROUP}"
 
@@ -1177,7 +1177,7 @@ if [ "$(id -u)" -eq 0 ]; then
     # shellcheck disable=SC2086
     portable_add_user_to_group ${g} netdata && NETDATA_ADDED_TO_GROUPS="${NETDATA_ADDED_TO_GROUPS} ${g}"
   done
-  # Netdata must be able to read /etc/pve/qemu-server/* and /etc/pve/lxc/* 
+  # Netdata must be able to read /etc/pve/qemu-server/* and /etc/pve/lxc/*
   # for reading VMs/containers names, CPU and memory limits on Proxmox.
   if [ -d "/etc/pve" ]; then
     portable_add_user_to_group "www-data" netdata && NETDATA_ADDED_TO_GROUPS="${NETDATA_ADDED_TO_GROUPS} www-data"
@@ -1344,7 +1344,7 @@ if [ "$(id -u)" -eq 0 ]; then
     if ! iscontainer && command -v setcap 1> /dev/null 2>&1; then
       run chmod 0750 "${NETDATA_PREFIX}/usr/libexec/netdata/plugins.d/systemd-journal.plugin"
       if run setcap cap_dac_read_search+ep "${NETDATA_PREFIX}/usr/libexec/netdata/plugins.d/systemd-journal.plugin"; then
-        capabilities=1 
+        capabilities=1
       fi
     fi
 

packaging/docker/Dockerfile

@@ -3,7 +3,7 @@
 
 # This image contains preinstalled dependencies
 # hadolint ignore=DL3007
-FROM netdata/builder:v1 as builder
+FROM netdata/builder:v2 as builder
 
 # One of 'nightly' or 'stable'
 ARG RELEASE_CHANNEL=nightly
@@ -29,7 +29,7 @@ RUN chmod +x netdata-installer.sh && \
    cp -rp /deps/* /usr/local/ && \
    /bin/echo -e "INSTALL_TYPE='oci'\nPREBUILT_ARCH='$(uname -m)'" > ./system/.install-type && \
    CFLAGS="$(packaging/docker/gen-cflags.sh)" LDFLAGS="-Wl,--gc-sections" ./netdata-installer.sh --dont-wait --dont-start-it --use-system-protobuf \
-   ${EXTRA_INSTALL_OPTS} --one-time-build --enable-lto "$([ "$RELEASE_CHANNEL" = stable ] && echo --stable-channel)"
+   ${EXTRA_INSTALL_OPTS} --disable-ebpf --one-time-build --enable-lto "$([ "$RELEASE_CHANNEL" = stable ] && echo --stable-channel)"
 
 # files to one directory
 RUN mkdir -p /app/usr/sbin/ \
@@ -49,6 +49,7 @@ RUN mkdir -p /app/usr/sbin/ \
     mv /usr/sbin/netdata    /app/usr/sbin/ && \
     mv /usr/sbin/netdata-claim.sh    /app/usr/sbin/ && \
     mv /usr/sbin/netdatacli    /app/usr/sbin/ && \
+    mv /usr/sbin/systemd-cat-native /app/usr/sbin/ && \
     mv packaging/docker/run.sh        /app/usr/sbin/ && \
     mv packaging/docker/health.sh     /app/usr/sbin/ && \
     mkdir -p /deps/etc && \
@@ -59,7 +60,7 @@ RUN mkdir -p /app/usr/sbin/ \
 #####################################################################
 # This image contains preinstalled dependencies
 # hadolint ignore=DL3007
-FROM netdata/base:v1 as base
+FROM netdata/base:v2 as base
 
 LABEL org.opencontainers.image.authors="Netdatabot <bot@netdata.cloud>"
 LABEL org.opencontainers.image.url="https://netdata.cloud"
@@ -83,7 +84,7 @@ ENV DOCKER_USR netdata
 ENV NETDATA_LISTENER_PORT 19999
 EXPOSE $NETDATA_LISTENER_PORT
 
-ENV NETDATA_EXTRA_APK_PACKAGES=""
+ENV NETDATA_EXTRA_DEB_PACKAGES=""
 
 RUN mkdir -p /opt/src /var/log/netdata && \
     ln -sf /dev/stdout /var/log/netdata/access.log && \
@@ -92,16 +93,16 @@ RUN mkdir -p /opt/src /var/log/netdata && \
     ln -sf /dev/stderr /var/log/netdata/daemon.log && \
     ln -sf /dev/stdout /var/log/netdata/collector.log && \
     ln -sf /dev/stdout /var/log/netdata/fluentbit.log && \
-    ln -sf /dev/stdout /var/log/netdata/health.log && \
+    ln -sf /dev/stdout /var/log/netdata/health.log
-    addgroup -g ${NETDATA_GID} -S "${DOCKER_GRP}" && \
-    adduser -S -H -s /usr/sbin/nologin -u ${NETDATA_GID} -h /etc/netdata -G "${DOCKER_GRP}" "${DOCKER_USR}"
 
 COPY --from=builder /app /
 
-# Apply the permissions as described in
+# Create netdata user and apply the permissions as described in
 # https://docs.netdata.cloud/docs/netdata-security/#netdata-directories, but own everything by root group due to https://github.com/netdata/netdata/pull/6543
 # hadolint ignore=DL3013
-RUN chown -R root:root \
+RUN addgroup --gid ${NETDATA_GID} --system "${DOCKER_GRP}" && \
+    adduser --system --no-create-home --shell /usr/sbin/nologin --uid ${NETDATA_UID} --home /etc/netdata --group "${DOCKER_USR}" && \
+    chown -R root:root \
         /etc/netdata \
         /usr/share/netdata \
         /usr/libexec/netdata && \
@@ -113,17 +114,17 @@ RUN chown -R root:root \
     chown -R netdata:netdata /var/lib/netdata/cloud.d && \
     chmod 0700 /var/lib/netdata/cloud.d && \
     chmod 0755 /usr/libexec/netdata/plugins.d/*.plugin && \
-    chmod 4755 \
+    for name in cgroup-network \
-        /usr/libexec/netdata/plugins.d/cgroup-network \
+                local-listeners \
-        /usr/libexec/netdata/plugins.d/local-listeners \
+                apps.plugin \
-        /usr/libexec/netdata/plugins.d/apps.plugin \
+                debugfs.plugin \
-        /usr/libexec/netdata/plugins.d/debugfs.plugin && \
+                freeipmi.plugin \
-    if [ -f /usr/libexec/netdata/plugins.d/freeipmi.plugin ]; then \
+                go.d.plugin \
-        chmod 4755 /usr/libexec/netdata/plugins.d/freeipmi.plugin; \
+                perf.plugin \
-    fi && \
+                slabinfo.plugin \
-    if [ -f /usr/libexec/netdata/plugins.d/go.d.plugin ]; then \
+                systemd-journal.plugin; do \
-        chmod 4755 /usr/libexec/netdata/plugins.d/go.d.plugin; \
+        [ -f "/usr/libexec/netdata/plugins.d/$name" ] && chmod 4755 "/usr/libexec/netdata/plugins.d/$name"; \
-    fi && \
+    done && \
     # Group write permissions due to: https://github.com/netdata/netdata/pull/6543
     find /var/lib/netdata /var/cache/netdata -type d -exec chmod 0770 {} \; && \
     find /var/lib/netdata /var/cache/netdata -type f -exec chmod 0660 {} \; && \

packaging/docker/README.md

@@ -460,15 +460,13 @@ reading `- /etc/hostname:/host/etc/hostname:ro`.
 ## Adding extra packages at runtime
 
 By default, the official Netdata container images do not include a number of optional runtime dependencies. You
-can add these dependencies, or any other APK packages, at runtime by listing them in the environment variable
+can add these dependencies, or any other APT packages, at runtime by listing them in the environment variable
-`NETDATA_EXTRA_APK_PACKAGES`.
+`NETDATA_EXTRA_DEB_PACKAGES`.
 
 Commonly useful packages include:
 
 - `apcupsd`: For monitoring APC UPS devices.
-- `libvirt-daemon`: For resolving cgroup names for libvirt domains.
 - `lm-sensors`: For monitoring hardware sensors.
-- `msmtp`: For email alert support.
 - `netcat-openbsd`: For IRC alert support.
 
 ## Health Checks

packaging/docker/run.sh

@@ -41,9 +41,9 @@ export DOCKER_HOST
 
 if [ -n "${PGID}" ]; then
   echo "Creating docker group ${PGID}"
-  addgroup -g "${PGID}" "docker" || echo >&2 "Could not add group docker with ID ${PGID}, its already there probably"
+  addgroup --gid "${PGID}" "docker" || echo >&2 "Could not add group docker with ID ${PGID}, its already there probably"
   echo "Assign netdata user to docker group ${PGID}"
-  usermod -a -G "${PGID}" "${DOCKER_USR}" || echo >&2 "Could not add netdata user to group docker with ID ${PGID}"
+  usermod --append --groups "docker" "${DOCKER_USR}" || echo >&2 "Could not add netdata user to group docker with ID ${PGID}"
 fi
 
 # Needed to read Proxmox VMs and (LXC) containers configuration files (name resolution + CPU and memory limits)
@@ -98,13 +98,20 @@ if [ -n "${NETDATA_CLAIM_URL}" ] && [ -n "${NETDATA_CLAIM_TOKEN}" ] && [ ! -f /v
 fi
 
 if [ -n "${NETDATA_EXTRA_APK_PACKAGES}" ]; then
-  echo "Fetching APK repository metadata."
+  echo >&2 "WARNING: Netdata’s Docker images have switched from Alpine to Debian as a base platform. Supplementary package support is now handled through the NETDATA_EXTRA_DEB_PACKAGES variable instead of NETDATA_EXTRA_APK_PACKAGES."
-  if ! apk update; then
+  echo >&2 "WARNING: The container will still run, but supplementary packages listed in NETDATA_EXTRA_APK_PACKAGES will not be installed."
-    echo "Failed to fetch APK repository metadata."
+  echo >&2 "WARNING: To remove these messages, either undefine NETDATA_EXTRA_APK_PACKAGES, or define it to an empty string."
+fi
+
+if [ -n "${NETDATA_EXTRA_DEB_PACKAGES}" ]; then
+  echo "Fetching APT repository metadata."
+  if ! apt-get update; then
+    echo "Failed to fetch APT repository metadata."
   else
     echo "Installing supplementary packages."
+    export DEBIAN_FRONTEND="noninteractive"
     # shellcheck disable=SC2086
-    if ! apk add --no-cache ${NETDATA_EXTRA_APK_PACKAGES}; then
+    if ! apt-get install -y --no-install-recommends ${NETDATA_EXTRA_DEB_PACKAGES}; then
       echo "Failed to install supplementary packages."
     fi
   fi