Running a Linux Collector in a Docker Container as a Non-Root User

Container security best practices recommend running Docker containers as non-root users with the minimum necessary privileges to perform their intended tasks. This helps to limit the impact of any security breaches and makes it easier to manage and secure your Docker environment.

By following the best practices, users can now run the LM Container collector as a non-root user (rootless mode). The following instructions help you get started.

Requirement

• The collector version must be GD Collector 34.002 or later. See, GD Collector 34.002 Release Notes.

Non-root user: Running Docker Collector using LM Container Chart

1. Install the LM Container Chart v3.0.0 or later.
   
2. Edit the LM Container Chart to add the following configurations:

argus:

  collector:

    env:

      COLLECTOR_NON_ROOT: "true" # explicitly double quote to avoid
type conversions to boolean and keep as string    

3. Run the following Helm upgrade command to update the LM Container Chart configurations:

helm upgrade \

    --install \

    --debug \

    --wait \

    --create-namespace \

    --namespace="logicmonitor" \

    -f lm-container-configuration.yaml --version <version>

    lm-container logicmonitor/lm-container

Non-root user: Running Docker Collector using Argus and Collectorset-Controller charts 

If you have an earlier LM Container deployment, then you need to migrate to the following component versions:

• Collectorset controller helm chart to version 1.4.0 or later.
• Argus Helm chart to version 2.5.0 or later.

Collectorset-Controller

Run the following Helm command to update the version Collectorset-Controller to v1.4.0 or later.

helm repo update

helm upgrade \

    --install \

    --debug \

    --wait \

    --namespace="logicmonitor" \

    -f collectorset-controller-configuration.yaml \

    collectorset-controller logicmonitor/collectorset-controller

Argus

1. Edit the Argus configuration file to add the following configurations:

collector:

  env:

    COLLECTOR_NON_ROOT: "true" # explicitly double quote to avoid
    type conversions to boolean 

2. Run the following Helm command to update cluster configurations and to Argus v2.5.0 or later.

helm repo update

helm upgrade \

    --install \

    --debug \

    --wait \

    --namespace="logicmonitor" \

    -f argus-configuration.yaml \

    argus logicmonitor/argus

Post-Installation or Upgrade 

Once you complete the install or upgrade procedure for the cluster configurations, ensure to complete the following for continuous monitoring of the resources:

1. Verify if the collector pod is up and running. Also, check the collector status by navigating to Settings > Collectors on the LogicMonitor portal.
   
2. Ensure all datasources are collecting metrics and there is no loss in any metric value.

Configuration Rollback

If you want to rollback the configurations, you can complete the steps from the following options sequentially.

Option 1

1. Set the COLLECTOR_NON_ROOT parameter value to “false” in the configuration file.
   
2. Apply updated configuration on the cluster by running the helm upgrade command. For more information, see the Argus configuration and upgrade section.

Option 2

1. Set the Collector image tag to v2.0.0.

3. Apply updated configuration on the cluster by running the helm upgrade command. For more information, see the Argus configuration and upgrade section.

Option 3

1. Set the Collector image tag to v2.0.0.
   
2. Apply updated configuration on the cluster by running the helm upgrade command. For more information, see the Argus configuration and upgrade section.
   
3.  If you want to downgrade the collector version to the desired version, navigate to Settings > Collectors on the LogicMonitor portal.