From 4a71bfb08bda587975be3c6061d2144c937d4f51 Mon Sep 17 00:00:00 2001 From: Nikolaus Date: Sun, 16 Apr 2017 10:29:29 +0400 Subject: [PATCH] make bind mounts readonly, you don't want some node-exporter vulnerability lead to write access on your node fix collector.sysfs mistakenly use /host/sysfs eventhough sysfs is mounted on /host/sys fix ignored mountpoints to work with bind mounts add ignored fs-types to not display a lot of useless NaN and 0 metrics for mounts related to docker put CLI arguments for command parameter in one value definition, seems like a bug in docker compose, only the first element in an array of commands is used --- docker-compose.yml | 21 +++++++++------------ 1 file changed, 9 insertions(+), 12 deletions(-) diff --git a/docker-compose.yml b/docker-compose.yml index 4a5e8d2..7a1d66e 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -32,18 +32,15 @@ services: - cadvisor networks: - back-tier - + node-exporter: container_name: node-exporter image: prom/node-exporter - volumes: - - /proc:/host/proc - - /sys:/host/sys - - /:/rootfs - command: - - '-collector.procfs=/host/proc' - - '-collector.sysfs=/host/sysfs' - - '-collector.filesystem.ignored-mount-points="^/(sys|proc|dev|host|etc)($$|/)"' + volumes: + - /proc:/host/proc:ro + - /sys:/host/sys:ro + - /:/rootfs:ro + command: '-collector.procfs=/host/proc -collector.sysfs=/host/sys -collector.filesystem.ignored-mount-points="^(/rootfs|/host|)/(sys|proc|dev|host|etc)($$|/)" collector.filesystem.ignored-fs-types="^(sys|proc|auto|cgroup|devpts|ns|au|fuse\.lxc|mqueue)(fs|)$$"' expose: - 9100 networks: @@ -52,14 +49,14 @@ services: image: prom/alertmanager ports: - 9093:9093 - volumes: + volumes: - ./alertmanager/:/etc/alertmanager/ networks: - back-tier command: - '-config.file=/etc/alertmanager/config.yml' - '-storage.path=/alertmanager' - + cadvisor: image: google/cadvisor volumes: @@ -71,7 +68,7 @@ services: - 8080 networks: - back-tier - + grafana: image: grafana/grafana depends_on: