Any issues with including NetData on the root server and as an app add-on?
-
Using the install script is not even necessary, as netdata can just as well be run as a container itself. So a simple
docker-compose.yamlwith the following is enough:version: '3' services: netdata: image: netdata/netdata container_name: netdata pid: host network_mode: host restart: unless-stopped cap_add: - SYS_PTRACE - SYS_ADMIN security_opt: - apparmor:unconfined volumes: - ./netdataconfig/netdata:/etc/netdata - netdatalib:/var/lib/netdata - netdatacache:/var/cache/netdata - /etc/passwd:/host/etc/passwd:ro - /etc/group:/host/etc/group:ro - /proc:/host/proc:ro - /sys:/host/sys:ro - /etc/os-release:/host/etc/os-release:ro #- /var/run/docker.sock:/var/run/docker.sock:ro environment: - DOCKER_HOST=127.0.0.1:2375 cetusguard: image: hectorm/cetusguard:v1 network_mode: host read_only: true volumes: - /var/run/docker.sock:/var/run/docker.sock:ro environment: CETUSGUARD_BACKEND_ADDR: unix:///var/run/docker.sock CETUSGUARD_FRONTEND_ADDR: tcp://:2375 CETUSGUARD_RULES: | ! Inspect a container GET %API_PREFIX_CONTAINERS%/%CONTAINER_ID_OR_NAME%/json volumes: netdatalib: netdatacache:Afterwards one can just create an app proxy to
http://127.0.0.1:19999and netdata can be "publicly" reached.The above
docker-compose.yamlactually comes from the netdata documentation. -
Using the install script is not even necessary, as netdata can just as well be run as a container itself. So a simple
docker-compose.yamlwith the following is enough:version: '3' services: netdata: image: netdata/netdata container_name: netdata pid: host network_mode: host restart: unless-stopped cap_add: - SYS_PTRACE - SYS_ADMIN security_opt: - apparmor:unconfined volumes: - ./netdataconfig/netdata:/etc/netdata - netdatalib:/var/lib/netdata - netdatacache:/var/cache/netdata - /etc/passwd:/host/etc/passwd:ro - /etc/group:/host/etc/group:ro - /proc:/host/proc:ro - /sys:/host/sys:ro - /etc/os-release:/host/etc/os-release:ro #- /var/run/docker.sock:/var/run/docker.sock:ro environment: - DOCKER_HOST=127.0.0.1:2375 cetusguard: image: hectorm/cetusguard:v1 network_mode: host read_only: true volumes: - /var/run/docker.sock:/var/run/docker.sock:ro environment: CETUSGUARD_BACKEND_ADDR: unix:///var/run/docker.sock CETUSGUARD_FRONTEND_ADDR: tcp://:2375 CETUSGUARD_RULES: | ! Inspect a container GET %API_PREFIX_CONTAINERS%/%CONTAINER_ID_OR_NAME%/json volumes: netdatalib: netdatacache:Afterwards one can just create an app proxy to
http://127.0.0.1:19999and netdata can be "publicly" reached.The above
docker-compose.yamlactually comes from the netdata documentation. -
@fbartels ah nice, cetusguard is a great find. Haven't heard of that before! We have our own internal docker proxy protector which does similar.
-
Using the install script is not even necessary, as netdata can just as well be run as a container itself. So a simple
docker-compose.yamlwith the following is enough:version: '3' services: netdata: image: netdata/netdata container_name: netdata pid: host network_mode: host restart: unless-stopped cap_add: - SYS_PTRACE - SYS_ADMIN security_opt: - apparmor:unconfined volumes: - ./netdataconfig/netdata:/etc/netdata - netdatalib:/var/lib/netdata - netdatacache:/var/cache/netdata - /etc/passwd:/host/etc/passwd:ro - /etc/group:/host/etc/group:ro - /proc:/host/proc:ro - /sys:/host/sys:ro - /etc/os-release:/host/etc/os-release:ro #- /var/run/docker.sock:/var/run/docker.sock:ro environment: - DOCKER_HOST=127.0.0.1:2375 cetusguard: image: hectorm/cetusguard:v1 network_mode: host read_only: true volumes: - /var/run/docker.sock:/var/run/docker.sock:ro environment: CETUSGUARD_BACKEND_ADDR: unix:///var/run/docker.sock CETUSGUARD_FRONTEND_ADDR: tcp://:2375 CETUSGUARD_RULES: | ! Inspect a container GET %API_PREFIX_CONTAINERS%/%CONTAINER_ID_OR_NAME%/json volumes: netdatalib: netdatacache:Afterwards one can just create an app proxy to
http://127.0.0.1:19999and netdata can be "publicly" reached.The above
docker-compose.yamlactually comes from the netdata documentation. -
For Netdata to work well, it has to run like it runs on the host itself i.e without a sandbox. If you see https://learn.netdata.cloud/docs/installing/docker#recommended-way or the compose file @fbartels posted, it is giving access to proc, etc, sys of the host and docker access. This is security risk (or not) depending on whether you trust netdata. Cloudron apps don't have access to any of these things.
-
Using the install script is not even necessary, as netdata can just as well be run as a container itself. So a simple
docker-compose.yamlwith the following is enough:version: '3' services: netdata: image: netdata/netdata container_name: netdata pid: host network_mode: host restart: unless-stopped cap_add: - SYS_PTRACE - SYS_ADMIN security_opt: - apparmor:unconfined volumes: - ./netdataconfig/netdata:/etc/netdata - netdatalib:/var/lib/netdata - netdatacache:/var/cache/netdata - /etc/passwd:/host/etc/passwd:ro - /etc/group:/host/etc/group:ro - /proc:/host/proc:ro - /sys:/host/sys:ro - /etc/os-release:/host/etc/os-release:ro #- /var/run/docker.sock:/var/run/docker.sock:ro environment: - DOCKER_HOST=127.0.0.1:2375 cetusguard: image: hectorm/cetusguard:v1 network_mode: host read_only: true volumes: - /var/run/docker.sock:/var/run/docker.sock:ro environment: CETUSGUARD_BACKEND_ADDR: unix:///var/run/docker.sock CETUSGUARD_FRONTEND_ADDR: tcp://:2375 CETUSGUARD_RULES: | ! Inspect a container GET %API_PREFIX_CONTAINERS%/%CONTAINER_ID_OR_NAME%/json volumes: netdatalib: netdatacache:Afterwards one can just create an app proxy to
http://127.0.0.1:19999and netdata can be "publicly" reached.The above
docker-compose.yamlactually comes from the netdata documentation.@fbartels said in Any issues with including NetData on the root server and as an app add-on?:
Afterwards one can just create an app proxy to http://127.0.0.1:19999 and netdata can be "publicly" reached.
I just installed Netdata (stable) on another Cloudron production server. Installation went well, connection to Netdata cloud dashboard went well and indeed as @fbartels wrote, the "app proxy" works also to have a local only view!
Perfect!
-
@fbartels said in Any issues with including NetData on the root server and as an app add-on?:
Afterwards one can just create an app proxy to http://127.0.0.1:19999 and netdata can be "publicly" reached.
I just installed Netdata (stable) on another Cloudron production server. Installation went well, connection to Netdata cloud dashboard went well and indeed as @fbartels wrote, the "app proxy" works also to have a local only view!
Perfect!
-
@imc67 I understood, that installing netdata via the Kickstart command is not a bad thing to do?
https://learn.netdata.cloud/docs/installing/one-line-installer-for-all-linux-systems
ofc, taking into account, that messing with the system like that deviates from what is suggested for obvious reasons by Cloudron and is in my responsibility.
-
@imc67 I understood, that installing netdata via the Kickstart command is not a bad thing to do?
https://learn.netdata.cloud/docs/installing/one-line-installer-for-all-linux-systems
ofc, taking into account, that messing with the system like that deviates from what is suggested for obvious reasons by Cloudron and is in my responsibility.
-
Looks like we got our first support ticket related to installing netdata. I have not verified this but it seems that installing netdata installs the nodejs package which ends up downgrading nodejs to v12 . This in turn prevents Cloudron from starting up.
It's better to install netdata via Docker, atleast it would prevent the above issue.
-
Uhoh how do we check the version? And how to install it via Docker?
Netdata is extremely useful and needed like having a live dashboard in your car. Without its hard to drive
@imc67 said in Any issues with including NetData on the root server and as an app add-on?:
Uhoh how do we check the version?
I just found out: node -v on the command line.
On my 3 Cloudron's it says v18.16.0
Is that OK @girish ?
-
BTW nice to know:
Netdata is the most energy-efficient monitoring tool for Docker-based systems Dec 11, 2023: University of Amsterdam published a study related to the impact of monitoring tools for Docker based systems, aiming to answer 2 questions:
What is the impact of monitoring tools on the energy efficiency of Docker-based systems?
What is the impact of monitoring tools on the performance of Docker-based systems?
They tested ELK, Prometheus, Netdata and Zipkin, under 9 different configurations (Low, Mid, High Frequency vs. Low, Mid, High Workload, 3x3).This is how Netdata stands:
Netdata excels in energy efficiency: "... Netdata being the most energy-efficient tool ...", as the study says.
Netdata excels in CPU Usage, RAM Usage and Execution Time, and has a similar impact in Network Traffic as Prometheus.
The study did not normalize the results based on the number of metrics collected. Given that Netdata usually collects singificantly more metrics than the other tools, Netdata managed to outperform the other tools, while ingesting a much higher number of metrics. Read the full study here: https://www.ivanomalavolta.com/files/papers/ICSOC_2023.pdf -
@imc67 said in Any issues with including NetData on the root server and as an app add-on?:
Uhoh how do we check the version?
I just found out: node -v on the command line.
On my 3 Cloudron's it says v18.16.0
Is that OK @girish ?
@imc67 said in Any issues with including NetData on the root server and as an app add-on?:
On my 3 Cloudron's it says v18.16.0
Is that OK @girish ?
It is correct version right now. If netdata has a nodejs dep, then it might conflict with Cloudron's. We update Cloudron's nodejs without thinking about other software.
-
Still no single problem with 3 Cloudrons, I guess and am pretty sure it’s not NetData what’s causing your issue.
-
Hello,
I'm currently looking at this topic at the moment and maybe it would be possible to split this issue in two different subject.
I understood that the main issue to add netdata to cloudron as an app is the capabilities required from the docker image to be able to collect all the metrics of the host. Which I understand is a problem as it challenge the whole security design actually implemented.
But would it be conceivable to deploy netdata as a cloudron app with limited monitoring capabilities as a known limitation. I know that it can seems counter-productive but I have a specific purpose for which it could be useful : Using this netdata instance as a parent node to centralize all the metrics from different children and use the ldap/proxyauth addon of cloudron to add authentication to the WebUI
That would be a really great use case for me.And concerning the other subject of actually collecting the data of the cloudron host using netdata. IMHO a tutorial on how to deploy it with docker and /or docker-compose, and the firewall configuration needed would be enough for most admin I think.
