Closed simonhoellein closed 3 months ago
I can't reproduce this. Any chance the connection is not direct and there's something else returning the 403? Can you get the metrics endpoint from a browser?
hi @bo0tzz,
thanks for your reply! The connection between the two containers should be direct as they are in the same docker network:
root@docker-ext-2:~# docker network inspect immich-frontend
[
    {
        "Name": "immich-frontend",
        "Id": "b512518366f4d53eb3a54294a0f4f6456d4bb53a7f652a095ca32f3b2dfb0dc2",
        "Created": "2024-06-12T15:43:47.62235189Z",
        "Scope": "local",
        "Driver": "bridge",
        "EnableIPv6": false,
        "IPAM": {
            "Driver": "default",
            "Options": null,
            "Config": [
                {
                    "Subnet": "172.30.0.0/16",
                    "Gateway": "172.30.0.1"
                }
            ]
        },
        "Internal": false,
        "Attachable": false,
        "Ingress": false,
        "ConfigFrom": {
            "Network": ""
        },
        "ConfigOnly": false,
        "Containers": {
            "969853fd79336a5a630c630fef5a92022d4c2a8c4ad901b3d68434b350107e43": {
                "Name": "nri-prometheus",
                "EndpointID": "7ae6eef03a20909e5dd37f72cd5fb60e2ec113a43cf753f6297234ac8569f520",
                "MacAddress": "02:42:ac:1e:00:03",
                "IPv4Address": "172.30.0.3/16",
                "IPv6Address": ""
            },
            "caf714457b80113fa74b5499273503de84f139303e27e57575105a06718f0965": {
                "Name": "immich_server",
                "EndpointID": "0174d0405fe1bdeb50cbcf7e77ec1b56b7eb626444d70b8a0f87511e21c324fd",
                "MacAddress": "02:42:ac:1e:00:02",
                "IPv4Address": "172.30.0.2/16",
                "IPv6Address": ""
            }
        },
        "Options": {},
        "Labels": {
            "com.docker.compose.network": "immich-frontend",
            "com.docker.compose.project": "immich-app",
            "com.docker.compose.version": "2.27.1"
        }
    }
]
I've deployed another container with the same network config as the NewRelic container and did a traceroute. They should have a direct connection...
root@023d97f0997a:/# traceroute immich-server
traceroute to immich-server (172.30.0.2), 30 hops max, 60 byte packets
1 immich_server.immich-frontend (172.30.0.2) 0.149 ms 0.028 ms 0.023 ms
When I curl from the other container in the same network I get:
root@023d97f0997a:/# curl http://immich-server:8081/metrics
# HELP target_info Target metadata
# TYPE target_info gauge
target_info{service_name="immich",telemetry_sdk_language="nodejs",telemetry_sdk_name="opentelemetry",telemetry_sdk_version="1.24.1",service_version="1.106.2",process_pid="19",process_executable_name="immich-api",process_executable_path="/usr/local/bin/node",process_command_args="[\"/usr/local/bin/node\",\"/usr/src/app/dist/workers/api.js\"]",process_runtime_version="20.14.0",process_runtime_name="nodejs",process_runtime_description="Node.js",process_command="/usr/src/app/dist/workers/api.js",process_owner="root",host_name="caf714457b80",host_arch="arm64"} 1
# HELP http_server_duration Measures the duration of inbound HTTP requests.
# UNIT http_server_duration ms
# TYPE http_server_duration histogram
[...]
When I curl from the docker host to the forwarded endpoint I get:
root@docker-ext-2:~# curl http://localhost:8081/metrics
# HELP target_info Target metadata
# TYPE target_info gauge
target_info{service_name="immich",telemetry_sdk_language="nodejs",telemetry_sdk_name="opentelemetry",telemetry_sdk_version="1.24.1",service_version="1.106.2",process_pid="19",process_executable_name="immich-api",process_executable_path="/usr/local/bin/node",process_command_args="[\"/usr/local/bin/node\",\"/usr/src/app/dist/workers/api.js\"]",process_runtime_version="20.14.0",process_runtime_name="nodejs",process_runtime_description="Node.js",process_command="/usr/src/app/dist/workers/api.js",process_owner="root",host_name="caf714457b80",host_arch="arm64"} 1
# HELP http_server_duration Measures the duration of inbound HTTP requests.
# UNIT http_server_duration ms
# TYPE http_server_duration histogram
[...]
With curl, I don't have any problems accessing the metrics, but for some reason the NewRelic Browser Agent has. Could it be that only certain browser agents are allowed to access the /metrics path from the immich-server?
For your convenience, this is the compose file I've used to run the NewRelic container:
name: nri-prometheus
x-default-logging: &logging
  driver: "json-file"
  options:
    max-size: "5m"
    max-file: "2"
    tag: "{{.Name}}"
services:
  nri-prometheus:
    container_name: nri-prometheus
    image: newrelic/nri-prometheus:latest
    volumes:
      - ./nri-config.yaml:/config.yaml
    environment:
      - LICENSE_KEY="eu01xxabe***************************"
    networks:
      - monitoring
      - immich-frontend
    restart: always
networks:
  monitoring:
    name: newrelic-monitoring
    driver: bridge
  immich-frontend:
    external: true
> Could it be that only certain browser agents are allowed to access the /metrics path from the immich-server?
Almost certainly not.
I have no idea why this might be happening, but since curl is working fine, this seems more like a newrelic issue 🤔
Looking at the error again:
> unexpected post response code
This sounds like newrelic is trying to send a POST request? That definitely won't work.
Maybe I need to investigate further. Thanks for your help and patience!
The bug
I am trying to scrape the Prometheus endpoints from the immich-server with the newrelic-prometheus integration. This is also running as a docker container on the same host with access to the network from the immich-server.
Scraping the metrics with curl from the CLI of the docker host works fine, but if the prometheus agent tries to access the metrics page (http://immich-server:8081/metrics) it gets an HTTP403: Forbidden.
Is it possible that the metrics endpoint only allows certain clients?
The OS that Immich Server is running on
Ubuntu Server 22.04 LTS
Version of Immich Server
v1.106.2
Version of Immich Mobile App
v1.106.1
Platform with the issue
Your docker-compose.yml content
Your .env content
Reproduction steps
wget http://immich-server:8081/metrics
Relevant log output
Additional information
No response