SigNoz / signoz

SigNoz is an open-source observability platform native to OpenTelemetry with logs, traces and metrics in a single application. An open-source alternative to DataDog, NewRelic, etc. 🔥 🖥. 👉 Open source Application Performance Monitoring (APM) & Observability tool
https://signoz.io

[Feature Request] - Support for Openshift #632

Open prashant-shahi opened 2 years ago

prashant-shahi commented 2 years ago

Is your feature request related to a problem?

There were a few issues while running the SigNoz Helm chart in OpenShift. (Read more here: #617) OpenShift only allows non-root images, as it adds an extra layer of security to the containers.

Version information

Additional context

ybettan commented 2 years ago

/cc @ybettan so I can keep track of the issue.

patrijua commented 1 year ago

What is the status on Openshift support?

drevofil commented 8 months ago

Hello, I finally got it to work on OpenShift. First of all, when using the official SigNoz Helm chart you need to change securityContext (so I just sed'ed 1001 to 1000960000, because of my openshift.io/sa.scc.uid-range annotation on the OpenShift namespace). Also, I changed securityContext in the child zookeeper chart. The second problem was query-service and frontend, whose containers want too many permissions from OpenShift's point of view. I rewrote the Dockerfile like this (using the ubi8 native OpenShift image):

# use the Red Hat UBI 8 minimal image
FROM registry.access.redhat.com/ubi8/ubi-minimal

# Add Maintainer Info
LABEL maintainer="signoz"

# define arguments that can be passed during build time
ARG TARGETOS TARGETARCH

# add ca-certificates in case you need them
# RUN apk update && apk add ca-certificates && rm -rf /var/cache/apk/*

# set working directory
WORKDIR /app

ADD query-service-linux-amd64  query-service

# copy the query-service binary
# COPY pkg/query-service/bin/query-service-${TARGETOS}-${TARGETARCH} /root/query-service
# copy prometheus YAML config
COPY config/prometheus.yml /app/config/prometheus.yml
COPY templates /app/templates

# Make query-service executable for non-root users
RUN chmod -R 777 /app
# RUN chmod 755 /app /app/query-service

# run the binary
ENTRYPOINT ["./query-service"]

CMD ["-config", "/app/config/prometheus.yml"]

EXPOSE 8080

Then you need to change the query-service StatefulSet in the Helm chart; again, I sed'ed /root to /app.

For the frontend image I used some other tricks. We need to change the pid location in the default nginx.conf and create some writable dirs for cache:

worker_processes 4;
pid /var/cache/nginx/nginx.pid;
worker_rlimit_nofile 64000;

events {
        worker_connections 8000;
        multi_accept on;
        use epoll;
}

http {
        sendfile on;
        client_max_body_size 6G;
        client_body_buffer_size 1m;
        client_body_timeout 15;
        client_header_timeout 15;
        tcp_nopush on;
        tcp_nodelay on;
        keepalive_timeout 30;
        types_hash_max_size 2048;
        server_tokens off;

        directio 10m;
        open_file_cache max=200000 inactive=20s;
        open_file_cache_valid 30s;
        open_file_cache_min_uses 2;
        open_file_cache_errors on;

        proxy_buffer_size   128k;
        proxy_buffers   4 256k;
        proxy_busy_buffers_size   256k;

        server_names_hash_bucket_size 100;
        server_name_in_redirect off;
        reset_timedout_connection on;

        include /etc/nginx/mime.types;
        default_type application/octet-stream;

        ##
        # Logging Settings
        ##

        access_log off;
        error_log /dev/stderr crit;

        ##
        # Gzip Settings
        ##

        gzip on;
        gzip_disable "MSIE [1-6]\.";

        gzip_vary on;
        gzip_proxied any;
        gzip_comp_level 6;
        gzip_buffers 4 8k;
        gzip_http_version 1.1;
        gzip_types application/x-javascript text/css application/javascript text/javascript text/plain text/xml application/json application/vnd.ms-fontobject application/x-font-opentype application/x-font-truetype application/x-font-ttf application/xml font/eot font/opentype font/otf image/svg+xml image/vnd.microsoft.icon application/xml+rss;

        ##
        # WebSocket Support
        ##

        map $http_upgrade $connection_upgrade {
                default upgrade;
                ''      close;
        }

        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        ##
        # Common proxy settings
        ##

        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_read_timeout 600;
        proxy_send_timeout 600;
        proxy_redirect off;
        charset utf-8;

        include conf.d/*.conf;

}

Then in the Dockerfile:

FROM nginx:1.25.2-alpine

# Add Maintainer Info
LABEL maintainer="signoz"

# Set working directory
WORKDIR /frontend

# Remove default nginx index page
RUN rm -rf /usr/share/nginx/html/*

# Copy custom nginx config and static files
COPY conf/nginx.conf /etc/nginx/
COPY conf/default.conf /etc/nginx/conf.d/default.conf
COPY build /usr/share/nginx/html

RUN mkdir -p /var/cache/nginx/client_temp && \
    chmod -R 777  /var/cache/nginx && \
    chmod -R 777 /usr/share/nginx

EXPOSE 3301

ENTRYPOINT ["nginx", "-g", "daemon off;"]

I pushed images here, you can try to use them

brrra/signoz-frontend:0.37.2
brrra/signoz-query-service:v0.37.2

P.S. One day I will create a PR too, maybe)
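
An alternative to the `chmod -R 777` step in the query-service Dockerfile from the comment above, added here as an example; it is not taken from the SigNoz repository or from the commenter's images. It assumes the restricted SCC behaviour in which the container runs with a UID from the namespace range and GID 0, and `USER 1001` is an assumed placeholder value.

```dockerfile
# Added example: group-0 permissions instead of world-writable /app.
FROM registry.access.redhat.com/ubi8/ubi-minimal

LABEL maintainer="signoz"

WORKDIR /app

# Files are copied as root, so they are owned by root:root (UID 0, GID 0).
ADD query-service-linux-amd64 query-service
COPY config/prometheus.yml /app/config/prometheus.yml
COPY templates /app/templates

# Under the restricted SCC the process gets an arbitrary UID from the
# namespace's openshift.io/sa.scc.uid-range, but is always a member of GID 0.
# Granting group 0 the owner's permissions lets that UID read, write and
# execute under /app without opening the tree to "other" users (the 777 case).
RUN chmod 0755 /app/query-service && \
    chgrp -R 0 /app && \
    chmod -R g=u /app

# Declare a non-root default user (assumed value). OpenShift replaces the UID
# at admission time; the process keeps GID 0 because no group is specified.
USER 1001

ENTRYPOINT ["./query-service"]

CMD ["-config", "/app/config/prometheus.yml"]

EXPOSE 8080
```

The same `chgrp -R 0` and `chmod -R g=u` pair, scoped to `/var/cache/nginx`, gives the frontend image's pid and cache directories the write access they need.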

prashant-shahi commented 8 months ago

@drevofil Thanks for sharing this. It is much appreciated.

ankitnayan commented 8 months ago

@drevofil A PR would be great 👍