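# Base image: Ubuntu 16.04 (xenial), the release that supplies the PostgreSQL 9.5
# packages installed below.
# NOTE(review): Ubuntu 16.04 and PostgreSQL 9.5 are both past their standard
# upstream support windows, so rebuilding only picks up whatever fixes the
# archive still publishes. Pin the base by digest for reproducible builds.
# Moving to a supported release also means updating every 9.5-specific
# package name and path in this file.
FROM ubuntu:16.04

# OS packages for the bundled Postgres config DB, the Python web UI and the
# download/build steps further down. The apt package lists are removed in the
# same layer so they do not persist in the image.
# pip is held below 21 because pip 21.0 dropped support for the Python 3.5
# interpreter that xenial ships; an unbounded "-U pip" can leave pip3 unusable
# and makes the build non-reproducible.
RUN apt-get -q update \
    && apt-get -qy install \
        apt-transport-https \
        git \
        libfontconfig \
        libpq-dev \
        libssl-dev \
        postgresql \
        postgresql-plpython-9.5 \
        postgresql-plpython3-9.5 \
        python3-pip \
        vim \
        wget \
    && rm -rf /var/lib/apt/lists/* \
    && pip3 install --no-cache-dir -U 'pip<21'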
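# Installs supervisord, generates the en_US.UTF-8 locale, and prepares the
# directories the services write to.
#
# The packaged 9.5 cluster directory is deleted here; presumably the launcher
# script re-initialises it at first start (confirm against
# docker-launcher-nonroot.sh). The "include" line makes Postgres load
# pgwatch_postgresql.conf, which is copied into the same directory later.
#
# The chgrp 0 / chmod g=u pairs give group 0 the same permissions as the owner
# on everything the services write to, so the image works under a UID that is
# not the owner but is a member of group 0 (the OpenShift convention referenced
# at the end of this file).
#
# NOTE(review): "chmod g=u /etc/passwd" makes the passwd file writable by every
# process that runs with GID 0 inside the container, so a compromised service
# can rewrite account entries. It is presumably there so the launcher can add an
# entry for the runtime UID. If the target platform already injects that entry,
# or nss_wrapper can be used instead, this line should be dropped.
# pip's download cache is disabled so it does not persist in the layer.
RUN pip3 install --no-cache-dir supervisor \
    && locale-gen "en_US.UTF-8" \
    && apt-get autoremove -y \
    && mkdir -p /var/log/supervisor /etc/supervisor /pgwatch2 \
    && rm -rf /var/lib/postgresql/9.5/main \
    && echo "include = 'pgwatch_postgresql.conf'" >> /etc/postgresql/9.5/main/postgresql.conf \
    && chgrp -R 0 /pgwatch2 /var/log/supervisor /etc/supervisor /var/run /var/lib/postgresql /var/log/postgresql /var/run/postgresql /etc/postgresql \
    && chmod -R g=u /pgwatch2 /var/log/supervisor /etc/supervisor /var/run /var/lib/postgresql /var/log/postgresql /etc/postgresql \
    && chmod g=u /etc/passwd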
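### Download and install external components
# Grafana [https://grafana.com/grafana/download]
# latest ver.: curl -so- https://api.github.com/repos/grafana/grafana/tags | grep -Eo '"v[0-9\.]+"' | grep -Eo '[0-9\.]+' | sort -nr | head -1
# Influxdb [https://portal.influxdata.com/downloads]
# latest ver.: curl -so- https://api.github.com/repos/influxdata/influxdb/tags | grep -Eo '"v[0-9\.]+"' | grep -Eo '[0-9\.]+' | sort -nr | head -1
#
# Both packages are fetched over HTTPS and installed with dpkg as root, so the
# image is only as trustworthy as those two downloads. TLS protects the
# transfer but not against a replaced file on the server. Pass the vendor's
# published digests at build time to have them checked before installation:
#   docker build --build-arg GRAFANA_DEB_SHA256=<sha256> \
#                --build-arg INFLUXDB_DEB_SHA256=<sha256> ...
# With the arguments left empty the check is skipped, so existing builds behave
# as before.
#
# InfluxDB config edits made by the sed calls: the query log, the internal
# monitor store and the first "log-enabled" setting after the uncommented
# [http] header are switched off, the WAL fsync delay is raised to 500ms, and
# the index is switched to tsi1.
# NOTE(review): bind-address is changed from 127.0.0.1:8088 to :8088, so the
# backup/restore RPC service listens on all interfaces. As far as I know this
# service is not covered by InfluxDB's HTTP authentication settings, so port
# 8088 should only be published to trusted networks.
ARG GRAFANA_DEB_SHA256=""
ARG INFLUXDB_DEB_SHA256=""
RUN wget -q -O grafana.deb https://dl.grafana.com/oss/release/grafana_6.7.4_amd64.deb \
    && if [ -n "${GRAFANA_DEB_SHA256}" ]; then echo "${GRAFANA_DEB_SHA256}  grafana.deb" | sha256sum -c -; fi \
    && wget -q -O influxdb_amd64.deb https://dl.influxdata.com/influxdb/releases/influxdb_1.8.3_amd64.deb \
    && if [ -n "${INFLUXDB_DEB_SHA256}" ]; then echo "${INFLUXDB_DEB_SHA256}  influxdb_amd64.deb" | sha256sum -c -; fi \
    && dpkg -i grafana.deb && rm grafana.deb \
    && mkdir -p /var/run/grafana \
    && chgrp -R 0 /etc/grafana/ /usr/share/grafana /var/lib/grafana /var/log/grafana /var/run/grafana \
    && chmod -R g=u /etc/grafana/ /usr/share/grafana /var/lib/grafana /var/log/grafana /var/run/grafana \
    && dpkg -i influxdb_amd64.deb && rm influxdb_amd64.deb \
    && chgrp -R 0 /var/lib/influxdb /var/log/influxdb /usr/lib/influxdb /etc/influxdb \
    && chmod -R g=u /var/lib/influxdb /var/log/influxdb /usr/lib/influxdb /etc/influxdb \
    && sed -i 's/\# query-log-enabled = true/query-log-enabled = false/' /etc/influxdb/influxdb.conf \
    && sed -i 's/\# \[monitor\]/\[monitor\]/' /etc/influxdb/influxdb.conf \
    && sed -i 's/\# store-enabled = true/store-enabled = false/' /etc/influxdb/influxdb.conf \
    && sed -i 's/\# \[http\]/\[http\]/' /etc/influxdb/influxdb.conf \
    && sed -i '0,/\# log-enabled = true/{s/\# log-enabled = true/log-enabled = false/}' /etc/influxdb/influxdb.conf \
    && sed -i 's/\# bind-address = \"127.0.0.1:8088\"/bind-address = \":8088\"/' /etc/influxdb/influxdb.conf \
    && sed -i 's/\# wal-fsync-delay = \"0s\"/wal-fsync-delay = \"500ms\"/' /etc/influxdb/influxdb.conf \
    && sed -i 's/\# index-version = \"inmem\"/index-version = \"tsi1\"/' /etc/influxdb/influxdb.conf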
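# Add pgwatch2 sources
# COPY is used instead of ADD: both sources are plain directories from the
# build context, and COPY never unpacks archives or fetches URLs, so the
# instruction cannot do more than a file copy if the context changes.
# The copied files are owned by root. The unprivileged runtime user gets access
# only through the chgrp/chmod calls in the build step further down.
# NOTE(review): whole-directory copies take everything under these paths, so
# keep local configs and credentials out of the build context (.dockerignore).
COPY pgwatch2 /pgwatch2
COPY webpy /pgwatch2/webpy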
# Build metadata shown by :8080/versions and 'pgwatch2 --version'.
# The values arrive as build arguments and are re-exported as environment
# variables so they are still set when the container runs. Build arguments and
# ENV values are readable from the image config/history, so these must only
# ever carry non-secret data.
ARG GIT_HASH
ARG GIT_TIME
ENV GIT_HASH=${GIT_HASH} \
    GIT_TIME=${GIT_TIME}
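# Go installation [https://golang.org/dl/]
# Grafana config customizations, Web UI requirements, compilation of the Go gatherer
#
# The Go toolchain is downloaded, used to build the gatherer via
# build_gatherer.sh, and removed again in the same layer, so it does not ship
# in the image. Because the toolchain compiles the binary that runs in every
# container, pass the digest published on the Go download page to have the
# tarball checked before it is unpacked:
#   docker build --build-arg GO_TARBALL_SHA256=<sha256> ...
# With the argument left empty the check is skipped, so existing builds behave
# as before.
#
# build_git_version.txt is written from GIT_HASH here and overwritten later by
# the COPY of .git/refs/heads/master.
# persistent-config is created and opened up to group 0 before it is declared
# a VOLUME, so the permissions carry over into new volumes.
# NOTE(review): the Grafana plugin is installed without a version, so each
# rebuild may pull a different release. grafana-cli accepts a version after the
# plugin id; pinning one makes the image reproducible. The Python requirements
# file is not visible here; check that it pins versions as well.
ARG GO_TARBALL_SHA256=""
RUN wget -q -O /tmp/go.tar.gz https://dl.google.com/go/go1.15.6.linux-amd64.tar.gz \
    && if [ -n "${GO_TARBALL_SHA256}" ]; then echo "${GO_TARBALL_SHA256}  /tmp/go.tar.gz" | sha256sum -c -; fi \
    && tar -C /usr/local -xzf /tmp/go.tar.gz \
    && export PATH="$PATH:/usr/local/go/bin" \
    && cp /pgwatch2/bootstrap/grafana_custom_config.ini /etc/grafana/grafana.ini \
    && pip3 install --no-cache-dir -r /pgwatch2/webpy/requirements_influx_metrics.txt \
    && echo "$GIT_HASH" > /pgwatch2/build_git_version.txt \
    && cd /pgwatch2 && bash build_gatherer.sh \
    && rm /tmp/go.tar.gz \
    && rm -rf /usr/local/go \
    && mkdir /pgwatch2/persistent-config \
    && chgrp -R 0 /pgwatch2/webpy /pgwatch2/persistent-config \
    && chmod -R g=u /pgwatch2/webpy /pgwatch2/persistent-config \
    && grafana-cli plugins install savantly-heatmap-panel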
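# Both Python 2 and 3 are only there for the "transition" period, so as not to break people upgrading to a newer image.
# At some point Python 2 should be dropped completely.
# pip's download cache is disabled so it does not persist in the layer.
# NOTE(review): psutil is installed without a version, so each rebuild may pull
# a different release; pin it once a known-good version is chosen.
RUN pip3 install --no-cache-dir psutil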
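# Dashboards directory from the build context. COPY is used instead of ADD
# because nothing here needs archive extraction or URL fetching.
COPY grafana_dashboards /pgwatch2/grafana_dashboards
# For showing all component versions via :8080/versions. Assuming project is cloned from Github here
# This replaces the build_git_version.txt written from GIT_HASH in the build
# step above. The build fails if .git/refs/heads/master is not in the build
# context (a different branch name, refs stored only in packed-refs, or .git
# excluded via .dockerignore).
COPY .git/refs/heads/master /pgwatch2/build_git_version.txt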
# supervisord configuration for the bundled services
# [https://docs.docker.com/engine/admin/using_supervisord/]
COPY supervisord-nonroot.conf /etc/supervisor/supervisord.conf

# Postgres (ver 9.5) tuning and client authentication rules.
# pgwatch_postgresql.conf is the file pulled in by the "include" line appended
# to postgresql.conf earlier in the build.
# NB! When security is a concern, the "pgwatch2" password in change_pw.sql
# should definitely be changed, and pg_hba.conf possibly adjusted to match.
# This matters most when port 5432 is published.
COPY postgresql.conf /etc/postgresql/9.5/main/pgwatch_postgresql.conf
COPY pg_hba.conf /etc/postgresql/9.5/main/pg_hba.conf

# Container start-up script (the image's CMD).
COPY docker-launcher-nonroot.sh /pgwatch2/docker-launcher-nonroot.sh
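# key=value form; the space-separated "ENV key value" syntax is deprecated.
# NOTESTDB is consumed outside this file; presumably it tells the start-up
# scripts not to create a test database (confirm against the launcher).
ENV NOTESTDB=1
# Location of the keyphrase file; the variable name suggests it is used for
# AES-GCM encryption of stored passwords. The path is inside the
# persistent-config volume, so the key survives container replacement.
# NOTE(review): anyone who can read that volume can read the key. Whether the
# file is generated per deployment or has a shared default cannot be seen from
# this file; verify in the launcher and make sure deployments use their own.
ENV PW2_AES_GCM_KEYPHRASE_FILE=/pgwatch2/persistent-config/default-password-encryption-key.txt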
# Ports the bundled services listen on. EXPOSE only documents them; a port is
# reachable from outside only when it is published at run time. All are above
# 1024, so the unprivileged runtime user can bind them.
# NOTE(review): 5432, 8086 and 8088 are data-store endpoints; publish them only
# where external access is actually needed.

# Admin UI for configuring servers to be monitored
EXPOSE 8080/tcp
# Gatherer healthcheck port / metric statistics (JSON)
EXPOSE 8081/tcp
# Postgres DB holding the pgwatch2 config DB
EXPOSE 5432/tcp
# Grafana UI
EXPOSE 3000/tcp
# InfluxDB API
EXPOSE 8086/tcp
# InfluxDB backup port
EXPOSE 8088/tcp
# Prometheus scraping port
EXPOSE 9187/tcp
### Volumes for easier updating to newer pgwatch2 containers
### NB! Backwards compatibility is not 100% guaranteed (e.g. InfluxDB has changed index storage format), so a backup
### using traditional means is still recommended before updating - see "Updating to a newer Docker version" in the README
# Declared after the build steps that create these paths and set their group
# permissions, so those permissions are what a fresh volume starts with.
VOLUME ["/pgwatch2/persistent-config", "/var/lib/postgresql", "/var/lib/influxdb", "/var/lib/grafana"]
###
### OpenShift compatibility - run all using an unprivileged user:
### https://docs.openshift.org/latest/creating_images/guidelines.html#openshift-specific-guidelines
###
# Numeric UID so that runtimes enforcing "run as non-root" can verify it without
# a passwd lookup. No account with this UID is created in this file and no
# group is named, so the process relies on group 0 membership. Write access
# therefore comes entirely from the chgrp 0 / chmod g=u calls made during the
# build. Platforms that substitute their own UID are covered the same way, as
# long as that UID is in group 0.
USER 10001
# Exec form: the launcher is started directly rather than through "sh -c", so
# it receives stop signals itself.
CMD ["/pgwatch2/docker-launcher-nonroot.sh"]