I am looking for a good way to give the grafana-agent minimal permissions but still be able to gather logs from docker containers. This is related to the documentation given on the docker integration.
The most straight forward integration would be to just use
  - job_name: docker
    static_configs:
      - targets: [localhost]
        labels:
          job: docker
          instance: {{ hostname }}
          __path__: /var/lib/docker/containers/*/*-json.log
but the files and directories are all owned by root. And giving the grafana-agent full root access does not sound like the smartest idea. Maybe using ACLs could be an alternative:
  setfacl -R -m group:grafana-agent:rX /var/lib/docker/containers
But for this to be inherited to new containers it would require some owner changes on some docker directories - and I didn’t have the guts to try this on a live system.
It’s a shame the docker files are not root:docker owned and at least readable to the docker group. Given the level of access of members of that group - it would make sense.
For better or worse it seems like access to /var/run/docker.sock can provide access to docker - including access to logs.
  - job_name: integrations/docker
    docker_sd_configs:
      - host: unix:///var/run/docker.sock
        refresh_interval: 5s
    relabel_configs:
      - action: replace
        replacement: integrations/docker
        source_labels:
          - __meta_docker_container_id
        target_label: job
      - source_labels:
          - __meta_docker_container_name
        regex: '/(.*)'
        target_label: container
      - source_labels:
          - __meta_docker_container_log_stream
        target_label: stream
I suspect the access to the unix socket is why it requires the grafana-agent to become part of the docker group to work. Then again this is giving full access to docker and, by extension, to root. Something to be aware of.
Where I am still a bit wondering is whether using the cadvisor is a requirement for docker_sd_configs or not. It’s also a shame all this re-labelling has to be done explicitly/manually in the config.
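To make the effect of those relabel_configs concrete without touching a docker socket at all, here is an added example (not part of the original post and not Grafana Agent's own code) that replays the three rules from the config above over a constructed set of `__meta_docker_*` labels, following Prometheus relabel semantics for the `replace` action: source labels are joined with `;`, the regex is fully anchored and defaults to `(.*)`, the replacement defaults to `$1`, and an empty result removes the target label. The container id, name and stream values are invented sample data; only the `replace` action is implemented.

```python
"""Replay the docker_sd relabel rules from the post over a sample target (added example)."""
import re

# Constructed sample target, shaped like what docker_sd_configs would discover.
# The id, name and address are placeholders, not real container data.
DISCOVERED = {
    "__meta_docker_container_id": "0000000000000000000000000000000000000000000000000000000000000000",
    "__meta_docker_container_name": "/nginx-proxy",   # docker prefixes names with "/"
    "__meta_docker_container_log_stream": "stdout",
    "__address__": "172.17.0.2:80",
}

# The relabel_configs block from the post, as Python data.
RELABEL_CONFIGS = [
    {"action": "replace", "replacement": "integrations/docker",
     "source_labels": ["__meta_docker_container_id"], "target_label": "job"},
    {"source_labels": ["__meta_docker_container_name"], "regex": "/(.*)",
     "target_label": "container"},
    {"source_labels": ["__meta_docker_container_log_stream"], "target_label": "stream"},
]


def _expand(replacement, match):
    """Expand $1 / ${1} / ${name} references in a replacement string from a regex match."""
    def sub(m):
        ref = m.group(1) or m.group(2)
        if ref.isdigit():
            idx = int(ref)
            return (match.group(idx) or "") if idx <= match.re.groups else ""
        return match.groupdict().get(ref) or ""
    return re.sub(r"\$\{(\w+)\}|\$(\w+)", sub, replacement)


def relabel(labels, configs):
    """Apply a list of relabel rules (replace action only) and return the new label set."""
    out = dict(labels)
    for cfg in configs:
        action = cfg.get("action", "replace")   # Prometheus default action
        if action != "replace":
            raise NotImplementedError(f"action {action!r} not modelled here")
        separator = cfg.get("separator", ";")
        value = separator.join(out.get(name, "") for name in cfg.get("source_labels", []))
        # Prometheus anchors the regex at both ends; default regex matches anything.
        pattern = re.compile("^(?:" + cfg.get("regex", "(.*)") + ")$")
        match = pattern.match(value)
        if match is None:
            continue                            # no match: rule has no effect
        new_value = _expand(cfg.get("replacement", "$1"), match)
        target = cfg["target_label"]
        if new_value == "":
            out.pop(target, None)               # empty replacement removes the label
        else:
            out[target] = new_value
    return out


def final_labels(labels):
    """Relabel with the post's rules, then discard __meta_* labels as the agent does after relabeling."""
    return {k: v for k, v in relabel(labels, RELABEL_CONFIGS).items()
            if not k.startswith("__meta_")}


if __name__ == "__main__":
    for key, val in final_labels(DISCOVERED).items():
        print(f"{key}={val}")
```

Running it shows why the explicit rules are needed: without the `regex: '/(.*)'` rule the container label would carry docker's leading slash, and without the `replacement` on the first rule the job label would be the raw container id rather than `integrations/docker`.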
I am just wondering what people use for gathering logs. Especially when there is the goal to give the least possible permissions.