Run Metricbeat on Docker
editRun Metricbeat on Docker
editDocker images for Metricbeat are available from the Elastic Docker registry. The base image is centos:7.
A list of all published Docker images and tags is available at www.docker.elastic.co.
These images are free to use under the Elastic license. They contain open source and free commercial features and access to paid commercial features. Start a 30-day trial to try out all of the paid commercial features. See the Subscriptions page for information about Elastic license levels.
Pull the image
editObtaining Metricbeat for Docker is as simple as issuing a docker pull
command
against the Elastic Docker registry.
docker pull docker.elastic.co/beats/metricbeat:8.15.4
Alternatively, you can download other Docker images that contain only features available under the Apache 2.0 license. To download the images, go to www.docker.elastic.co.
Optional: Verify the image
editYou can use the Cosign application to verify the Metricbeat Docker image signature.
wget https://artifacts.elastic.co/cosign.pub cosign verify --key cosign.pub docker.elastic.co/beats/metricbeat:8.15.4
The cosign
command prints the check results and the signature payload in JSON format:
Verification for docker.elastic.co/beats/metricbeat:8.15.4 -- The following checks were performed on each of these signatures: - The cosign claims were validated - Existence of the claims in the transparency log was verified offline - The signatures were verified against the specified public key
Run the Metricbeat setup
editRunning Metricbeat with the setup command will create the index pattern and load visualizations , dashboards, and machine learning jobs. Run this command:
docker run \ docker.elastic.co/beats/metricbeat:8.15.4 \ setup -E setup.kibana.host=kibana:5601 \ -E output.elasticsearch.hosts=["elasticsearch:9200"]
Substitute your Kibana and Elasticsearch hosts and ports. |
|
If you are using the hosted Elasticsearch Service in Elastic Cloud, replace
the |
-E cloud.id=<Cloud ID from Elasticsearch Service> \ -E cloud.auth=elastic:<elastic password>
Run Metricbeat on a read-only file system
editIf you’d like to run Metricbeat in a Docker container on a read-only file
system, you can do so by specifying the --read-only
option.
Metricbeat requires a stateful directory to store application data, so
with the --read-only
option you also need to use the --mount
option to
specify a path to where that data can be stored.
For example:
docker run --rm \ --mount type=bind,source=$(pwd)/data,destination=/usr/share/metricbeat/data \ --read-only \ docker.elastic.co/beats/metricbeat:8.15.4
Configure Metricbeat on Docker
editThe Docker image provides several methods for configuring Metricbeat. The conventional approach is to provide a configuration file via a volume mount, but it’s also possible to create a custom image with your configuration included.
Example configuration file
editDownload this example configuration file as a starting point:
curl -L -O https://raw.githubusercontent.com/elastic/beats/8.15/deploy/docker/metricbeat.docker.yml
Volume-mounted configuration
editOne way to configure Metricbeat on Docker is to provide metricbeat.docker.yml
via a volume mount.
With docker run
, the volume mount can be specified like this.
docker run -d \ --name=metricbeat \ --user=root \ --volume="$(pwd)/metricbeat.docker.yml:/usr/share/metricbeat/metricbeat.yml:ro" \ --volume="/var/run/docker.sock:/var/run/docker.sock:ro" \ --volume="/sys/fs/cgroup:/hostfs/sys/fs/cgroup:ro" \ --volume="/proc:/hostfs/proc:ro" \ --volume="/:/hostfs:ro" \ docker.elastic.co/beats/metricbeat:8.15.4 metricbeat -e \ -E output.elasticsearch.hosts=["elasticsearch:9200"]
Customize your configuration
editThe metricbeat.docker.yml
file you downloaded earlier is configured to deploy Beats modules based on the Docker labels applied to your containers. See Hints based autodiscover for more details. Add labels to your application Docker containers, and they will be picked up by the Beats autodiscover feature when they are deployed. Here is an example command for an Apache HTTP Server container with labels to configure the Filebeat and Metricbeat modules for the Apache HTTP Server:
docker run \ --label co.elastic.logs/module=apache2 \ --label co.elastic.logs/fileset.stdout=access \ --label co.elastic.logs/fileset.stderr=error \ --label co.elastic.metrics/module=apache \ --label co.elastic.metrics/metricsets=status \ --label co.elastic.metrics/hosts='${data.host}:${data.port}' \ --detach=true \ --name my-apache-app \ -p 8080:80 \ httpd:2.4
Custom image configuration
editIt’s possible to embed your Metricbeat configuration in a custom image. Here is an example Dockerfile to achieve this:
FROM docker.elastic.co/beats/metricbeat:8.15.4 COPY --chown=root:metricbeat metricbeat.yml /usr/share/metricbeat/metricbeat.yml
Monitor the host machine
editWhen executing Metricbeat in a container, there are some important things to be aware of if you want to monitor the host machine or other containers. Let’s walk-through some examples using Docker as our container orchestration tool.
This example highlights the changes required to make the system module work properly inside of a container. This enables Metricbeat to monitor the host machine from within the container.
docker run \ --mount type=bind,source=/proc,target=/hostfs/proc,readonly \ --mount type=bind,source=/sys/fs/cgroup,target=/hostfs/sys/fs/cgroup,readonly \ --mount type=bind,source=/,target=/hostfs,readonly \ --mount type=bind,source=/var/run/dbus/system_bus_socket,target=/hostfs/var/run/dbus/system_bus_socket,readonly \ --env DBUS_SYSTEM_BUS_ADDRESS='unix:path=/hostfs/var/run/dbus/system_bus_socket' \ --net=host \ --cgroupns=host \ docker.elastic.co/beats/metricbeat:8.15.4 -e -system.hostfs=/hostfs
Metricbeat’s system module collects much of its data through the Linux proc
filesystem, which is normally located at |
|
By default, cgroup reporting is enabled for the
system process metricset, so you need
to mount the host’s cgroup mountpoints within the container. They need to be
mounted inside the directory specified by the |
|
If you want to be able to monitor filesystems from the host by using the system filesystem metricset, then those filesystems need to be mounted inside of the container. They can be mounted at any location. |
|
The system users metricset and system service metricset
both require access to dbus. Mount the dbus socket and set the |
|
The system network metricset uses data from |
|
Runs the container using the host’s cgroup namespace, instead of a private namespace. While this is optional, system process metricset may produce more correct cgroup metrics when running in host mode. |
The special filesystems /proc
and /sys
are only available if the
host system is running Linux. Attempts to bind-mount these filesystems will
fail on Windows and MacOS.
If the system socket metricset
is being used on Linux, more privileges will need to be granted to Metricbeat.
This metricset reads files from /proc
that are an interface to internal
objects owned by other users. The capabilities needed to read all these files
(sys_ptrace
and dac_read_search
) are disabled by default on Docker. To
grant these permissions these flags are needed too:
--user root --cap-add sys_ptrace --cap-add dac_read_search
Monitor a service in another container
editNext, let’s look at an example of monitoring a containerized service from a Metricbeat container.
docker run \ --network=mysqlnet \ -e MYSQL_PASSWORD=secret \ docker.elastic.co/beats/metricbeat:8.15.4
Placing the Metricbeat and MySQL containers on the same Docker network
allows Metricbeat access to the exposed ports of the MySQL container, and
makes the hostname |
|
If you do not want to hardcode certain values into your Metricbeat
configuration, then you can pass them into the container either as environment
variables or as command line flags to Metricbeat (see the |
The mysql module configuration would look like this: