Open prashant-shahi opened 2 years ago
/cc @ybettan so I can keep track of the issue.
What is the status on Openshift support?
Hello, I finally got it to work on Openshift.
First of all, when using the official Signoz helm chart you need to change securityContext (so I just `sed`'ed `1001` to `1000960000`, because of my `openshift.io/sa.scc.uid-range` annotation on the openshift namespace). Also, I changed securityContext in the child zookeeper chart.
The second problem was query-service and frontend, whose containers want too many permissions from Openshift's point of view.
I rewrote the Dockerfile like this (using the ubi8 native Openshift image):
```dockerfile
# use the UBI 8 minimal image
FROM registry.access.redhat.com/ubi8/ubi-minimal
# Add Maintainer Info
LABEL maintainer="signoz"
# define arguments that can be passed during build time
ARG TARGETOS TARGETARCH
# add ca-certificates in case you need them
# RUN apk update && apk add ca-certificates && rm -rf /var/cache/apk/*
# set working directory
WORKDIR /app
# copy the query-service binary
ADD query-service-linux-amd64 query-service
# COPY pkg/query-service/bin/query-service-${TARGETOS}-${TARGETARCH} /root/query-service
# copy prometheus YAML config
COPY config/prometheus.yml /app/config/prometheus.yml
COPY templates /app/templates
# Make query-service executable for non-root users
RUN chmod -R 777 /app
# RUN chmod 755 /app /app/query-service
# run the binary
ENTRYPOINT ["./query-service"]
CMD ["-config", "/app/config/prometheus.yml"]
EXPOSE 8080
```
Then you need to change the query-service StatefulSet in the helm chart, again `sed`'ed `/root` to `/app`.
For the frontend image I used some other tricks. We need to change the pid location in the default nginx.conf and create some writable dirs for cache:
```nginx
worker_processes 4;
pid /var/cache/nginx/nginx.pid;
worker_rlimit_nofile 64000;
events {
    worker_connections 8000;
    multi_accept on;
    use epoll;
}
http {
    sendfile on;
    client_max_body_size 6G;
    client_body_buffer_size 1m;
    client_body_timeout 15;
    client_header_timeout 15;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 30;
    types_hash_max_size 2048;
    server_tokens off;
    directio 10m;
    open_file_cache max=200000 inactive=20s;
    open_file_cache_valid 30s;
    open_file_cache_min_uses 2;
    open_file_cache_errors on;
    proxy_buffer_size 128k;
    proxy_buffers 4 256k;
    proxy_busy_buffers_size 256k;
    server_names_hash_bucket_size 100;
    server_name_in_redirect off;
    reset_timedout_connection on;
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    ##
    # Logging Settings
    ##
    access_log off;
    error_log /dev/stderr crit;
    ##
    # Gzip Settings
    ##
    gzip on;
    gzip_disable "MSIE [1-6]\.";
    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_buffers 4 8k;
    gzip_http_version 1.1;
    gzip_types application/x-javascript text/css application/javascript text/javascript text/plain text/xml application/json application/vnd.ms-fontobject application/x-font-opentype application/x-font-truetype application/x-font-ttf application/xml font/eot font/opentype font/otf image/svg+xml image/vnd.microsoft.icon application/xml+rss;
    ##
    # WebSocket Support
    ##
    map $http_upgrade $connection_upgrade {
        default upgrade;
        '' close;
    }
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    ##
    # Common proxy settings
    ##
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $http_host;
    proxy_read_timeout 600;
    proxy_send_timeout 600;
    proxy_redirect off;
    charset utf-8;
    include conf.d/*.conf;
}
```
Then in the Dockerfile:
```dockerfile
FROM nginx:1.25.2-alpine
# Add Maintainer Info
LABEL maintainer="signoz"
# Set working directory
WORKDIR /frontend
# Remove default nginx index page
RUN rm -rf /usr/share/nginx/html/*
# Copy custom nginx config and static files
COPY conf/nginx.conf /etc/nginx/
COPY conf/default.conf /etc/nginx/conf.d/default.conf
COPY build /usr/share/nginx/html
# Create writable cache dirs for a non-root nginx
RUN mkdir -p /var/cache/nginx/client_temp && \
    chmod -R 777 /var/cache/nginx && \
    chmod -R 777 /usr/share/nginx
EXPOSE 3301
ENTRYPOINT ["nginx", "-g", "daemon off;"]
```
I pushed images here, you can try to use them
brrra/signoz-frontend:0.37.2
brrra/signoz-query-service:v0.37.2
P.S. One day I will create a PR too, maybe)
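The UID swap described in the comment above (1001 to 1000960000, driven by the namespace's `openshift.io/sa.scc.uid-range` annotation) can be checked before a chart is deployed. This is an added example, not part of the original comment or the SigNoz chart; it assumes the annotation is in `<start>/<size>` form, and the function names and the sample value `1000960000/10000` are constructed for illustration.

```shell
#!/bin/sh
# Added example: check a securityContext UID against the namespace annotation
# openshift.io/sa.scc.uid-range (assumed to be in "<start>/<size>" form).
# On a cluster the value can be read with:
#   oc get namespace <ns> -o jsonpath='{.metadata.annotations.openshift\.io/sa\.scc\.uid-range}'

# is_uint VALUE: succeed only for decimal digits without a leading zero,
# so shell arithmetic never treats the value as octal.
is_uint() {
    case "$1" in
        ''|*[!0-9]*|0?*) return 1 ;;
        *) return 0 ;;
    esac
}

# scc_uid_bounds ANNOTATION: print "<first> <last>", or return 2 if malformed.
scc_uid_bounds() {
    start=${1%%/*}
    size=${1#*/}
    # Without a "/" the expansion leaves the input unchanged; reject that too.
    if [ "$start" = "$1" ] || ! is_uint "$start" || ! is_uint "$size" \
        || [ "$size" -eq 0 ]; then
        echo "unsupported uid-range annotation: '$1'" >&2
        return 2
    fi
    echo "$start $((start + size - 1))"
}

# scc_uid_allowed ANNOTATION UID: 0 = inside range, 1 = outside, 2 = bad input.
scc_uid_allowed() {
    bounds=$(scc_uid_bounds "$1") || return 2
    is_uint "$2" || return 2
    [ "$2" -ge "${bounds% *}" ] && [ "$2" -le "${bounds#* }" ]
}

# Constructed sample annotation; 1001 and 1000960000 are the UIDs from the comment.
sample_range='1000960000/10000'
for uid in 1001 1000960000 1000970000; do
    if scc_uid_allowed "$sample_range" "$uid"; then
        echo "runAsUser $uid: inside $sample_range"
    else
        echo "runAsUser $uid: outside $sample_range"
    fi
done
```

Because the range differs per namespace, a UID hard-coded for one namespace should be re-checked against the annotation of any other namespace the chart is installed into.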
@drevofil Thanks for sharing this. It is much appreciated.
@drevofil A PR would be great 👍
Is your feature request related to a problem?
There were a few issues while running the SigNoz helm chart in Openshift. (Read more here: #617) Openshift only allows non-root images, as it adds an extra layer of security to the containers.
Version information
Additional context