Running a Linux Collector in a Docker Container as a Non-Root User
Last updated on 05 September, 2024
Container security best practices recommend running Docker containers as non-root users with the minimum necessary privileges to perform their intended tasks. This helps to limit the impact of any security breaches and makes it easier to manage and secure your Docker environment.
Note: LM Container collectors default to non-root user installation for collector versions 35.100 or later.
In line with these best practices, you can run the LM Container collector as a non-root user (rootless mode). The following instructions help you get started.
Note: In the following Docker configuration examples, the “non-root user” is displayed as “logicmonitor”.
Requirement
- The collector version must be GD Collector 34.002 or later. See GD Collector 34.002 Release Notes.
Non-root user: Running Docker Collector using LM Container Chart
- Install the LM Container Chart v3.0.0 or later.
- Edit the LM Container Chart to add the following configurations:
argus:
  collector:
    env:
      COLLECTOR_NON_ROOT: "true" # explicitly double quote to avoid type conversions to boolean and keep as string
- Run the following Helm upgrade command to update the LM Container Chart configurations:
helm upgrade \
--install \
--debug \
--wait \
--create-namespace \
--namespace="logicmonitor" \
-f lm-container-configuration.yaml --version <version> \
lm-container logicmonitor/lm-container
Non-root user: Running Docker Collector using Argus and Collectorset-Controller charts
If you have an earlier LM Container deployment, then you need to migrate to the following component versions:
- Collectorset controller helm chart to version 1.4.0 or later.
- Argus Helm chart to version 2.5.0 or later.
Collectorset-Controller
Run the following Helm command to update Collectorset-Controller to v1.4.0 or later.
helm repo update
helm upgrade \
--install \
--debug \
--wait \
--namespace="logicmonitor" \
-f collectorset-controller-configuration.yaml \
collectorset-controller logicmonitor/collectorset-controller
Argus
- Edit the Argus configuration file to add the following configurations:
collector:
  env:
    COLLECTOR_NON_ROOT: "true" # explicitly double quote to avoid type conversions to boolean
- Run the following Helm command to update the cluster configurations and upgrade Argus to v2.5.0 or later.
helm repo update
helm upgrade \
--install \
--debug \
--wait \
--namespace="logicmonitor" \
-f argus-configuration.yaml \
argus logicmonitor/argus
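A pre-flight check for the quoting rule noted in both configuration snippets above, as an added example that is not part of the LogicMonitor documentation or charts: it flags a values file where COLLECTOR_NON_ROOT is missing, unquoted, or not the string "true". The function name, its return codes and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not LogicMonitor code): lint a Helm values file for the
# COLLECTOR_NON_ROOT entry. Return codes are this script's own convention:
#   0 = every occurrence is the double-quoted string "true"
#   1 = an occurrence is unquoted, single-quoted, or not "true"
#   2 = key not found
check_non_root_flag() {
    awk '
        /^[ \t]*#/ { next }                        # skip comment-only lines
        /^[ \t]*COLLECTOR_NON_ROOT[ \t]*:/ {
            found = 1
            val = $0
            sub(/^[^:]*:[ \t]*/, "", val)          # drop key and colon
            sub(/[ \t]+#.*$/, "", val)             # drop trailing comment
            sub(/[ \t]+$/, "", val)                # drop trailing whitespace
            if (val != "\"true\"") bad = 1
        }
        END { if (!found) exit 2; exit (bad ? 1 : 0) }
    ' "$1"
}

# Constructed sample values files (not taken from a real cluster).
tmp=$(mktemp -d)
cat > "$tmp/quoted.yaml" <<'EOF'
collector:
  env:
    COLLECTOR_NON_ROOT: "true" # string, as the page requires
EOF
cat > "$tmp/unquoted.yaml" <<'EOF'
collector:
  env:
    COLLECTOR_NON_ROOT: true
EOF
cat > "$tmp/missing.yaml" <<'EOF'
collector:
  env: {}
EOF

# Report each sample; "|| rc=$?" keeps the loop alive under "set -e".
for f in "$tmp"/*.yaml; do
    rc=0
    check_non_root_flag "$f" || rc=$?
    echo "$(basename "$f"): rc=$rc"
done
```

Run the function against argus-configuration.yaml or lm-container-configuration.yaml before the helm upgrade command.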
Post-Installation or Upgrade
Once you complete the install or upgrade procedure for the cluster configurations, complete the following to ensure continuous monitoring of the resources:
- Verify that the collector pod is up and running. Also, check the collector status by navigating to Settings > Collectors on the LogicMonitor portal.
- Ensure all datasources are collecting metrics and there is no loss in any metric value.
Configuration Rollback
If you want to roll back the configurations, you can complete the steps from the following options sequentially.
Option 1
- Set the COLLECTOR_NON_ROOT parameter value to “false” in the configuration file.
- Apply updated configuration on the cluster by running the helm upgrade command. For more information, see the Argus configuration and upgrade section.
Option 2
- Set the Collector image tag to v2.0.0.
- Apply updated configuration on the cluster by running the helm upgrade command. For more information, see the Argus configuration and upgrade section.
Option 3
- Set the Collector image tag to v2.0.0.
- Apply updated configuration on the cluster by running the helm upgrade command. For more information, see the Argus configuration and upgrade section.
- If you want to downgrade the collector version to the desired version, navigate to Settings > Collectors on the LogicMonitor portal.