basic auth when running inside of a container · Issue #784 · google/cadvisor · GitHub

basic auth when running inside of a container #784

Closed
pacuna opened this issue Jun 26, 2015 · 12 comments

@pacuna
pacuna commented Jun 26, 2015

Can someone explain to me how I should use the basic auth feature for the web UI when running cAdvisor inside of a container?

Thanks in advance.

@vmarmol
Contributor
vmarmol commented Jun 26, 2015

@pacuna you will need to inject the required files into a Docker image you derive from the cAdvisor one. Something like:

FROM google/cadvisor:latest
ADD auth.htpasswd /auth.htpasswd

EXPOSE 8080
ENTRYPOINT ["/usr/bin/cadvisor", "--http_auth_file", "auth.htpasswd", "--http_auth_realm localhost"]

To generate the file take a look at this doc which has some pointers.

Let us know if you have any questions or run into trouble.

@pacuna
Author
pacuna commented Jun 26, 2015

@vmarmol thanks!!

@pacuna pacuna closed this as completed Jun 26, 2015
@exetico
exetico commented Nov 15, 2015

I just want to add some information. @vmarmol's answer is just fine, but sadly there is a typing error.

It should be:
ENTRYPOINT ["/usr/bin/cadvisor", "--http_auth_file", "auth.htpasswd", "--http_auth_realm", "localhost"]

I'm totally new with Docker, so it was hard to see what actually went wrong. After attaching to the container, I was able to see that something wasn't added like it should (Well.. I just took two hours to figure that out - Rofl):

Error response from daemon: no such id: 10636eca00c7
root@ docker attach 084e540e96a9
flag provided but not defined: -http_auth_realm localhost

So in the last line, you need to separate --http_auth_realm and localhost.

And... For all the other people, trying to find a nice solution with Google searches and stuff - Here is what I think is the easiest way to add this:

htpasswd -c auth.htpasswd WEBUSERNAME
  • Make the Dockerfile, and add the information
nano Dockerfile

Paste in the information:

FROM google/cadvisor:latest
ADD auth.htpasswd /auth.htpasswd

EXPOSE 8080
ENTRYPOINT ["/usr/bin/cadvisor", "--http_auth_file", "auth.htpasswd", "--http_auth_realm", "localhost"]
  • Build the container, and call it something - I personally just called it "cadvisor". Please note that you have to keep the dot in the code.
docker build -t cadvisor .
  • Give it some time.
  • Run the container - Note that you NEED to CHANGE the bottom line to the container ID you will get just after Docker is done with working out all the good stuff. Actually, I guess you are able to put in "cadvisor" as well as the ID.
sudo docker run \
  --volume=/:/rootfs:ro \
  --volume=/var/run:/var/run:rw \
  --volume=/sys:/sys:ro \
  --volume=/var/lib/docker/:/var/lib/docker:ro \
  --publish=8080:8080 \
  --detach=true \
  --name=cadvisor \
  --restart=always \
bdc1c2d18ab5

Note that I have added "restart=always". This means that cAdvisor will start with the system. I personally changed publish from the default to "--publish=8383:8080" because of another resource running at port 8080.

Hopefully this can help other people, trying to get cAdvisor working with Docker WITH PASSWORD support. Please ask, if you read this and have any questions - and if you spot typing errors.

Update:
I just saw my own post - If you like dirty stuff - this is just a bit easier ;-) Replace USERNAME and PASSWORD.

cd /home/USERNAME \
&& htpasswd -c -i -b auth.htpasswd USERNAME PASSWORD \
&& touch newfile \
&& cat <<EOF > Dockerfile
FROM google/cadvisor:latest
ADD auth.htpasswd /auth.htpasswd

EXPOSE 8080
ENTRYPOINT ["/usr/bin/cadvisor", "--http_auth_file", "auth.htpasswd", "--http_auth_realm", "localhost"]
EOF
docker build -t cadvisor . \
&& docker run \
  --volume=/:/rootfs:ro \
  --volume=/var/run:/var/run:rw \
  --volume=/sys:/sys:ro \
  --volume=/var/lib/docker/:/var/lib/docker:ro \
  --publish=8080:8080 \
  --detach=true \
  --name=cadvisor \
  --restart=always \
 cadvisor
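
An added example, not part of the thread or of cAdvisor's own code: a small Python check for the exec-form ENTRYPOINT mistakes discussed in the comment above (a flag and its value fused into one array element, typographic quotes pasted into the array), generalized to arrays that are not valid JSON at all. The sample lines and the name `lint_exec_form` are constructed for illustration, and only single-line instructions are handled.

```python
import json
import re

# Constructed Dockerfile lines for the demonstration (assumed inputs, not real images).
FUSED = 'ENTRYPOINT ["/usr/bin/cadvisor", "--http_auth_file", "auth.htpasswd", "--http_auth_realm localhost"]'
CURLY = 'ENTRYPOINT ["/usr/bin/cadvisor", "--http_auth_realm\u201d, \u201clocalhost"]'
SINGLE = "ENTRYPOINT ['/usr/bin/cadvisor', '--http_auth_realm', 'localhost']"
GOOD = 'ENTRYPOINT ["/usr/bin/cadvisor", "--http_auth_file", "auth.htpasswd", "--http_auth_realm", "localhost"]'

INSTRUCTION = re.compile(r"^\s*(ENTRYPOINT|CMD)\s+(\[.*\])\s*$", re.IGNORECASE)
TYPOGRAPHIC_QUOTES = "\u201c\u201d\u2018\u2019"


def lint_exec_form(dockerfile_text):
    """Return (line_number, problem) pairs for ENTRYPOINT/CMD lines written in exec form."""
    findings = []
    for number, line in enumerate(dockerfile_text.splitlines(), start=1):
        match = INSTRUCTION.match(line)
        if not match:
            continue  # shell form or another instruction: nothing to check here
        try:
            argv = json.loads(match.group(2))
        except ValueError:
            argv = None
        if not isinstance(argv, list) or not all(isinstance(a, str) for a in argv):
            # Docker treats an array it cannot parse as JSON as a shell-form command.
            findings.append((number, "invalid-json"))
            continue
        for arg in argv:
            if any(quote in arg for quote in TYPOGRAPHIC_QUOTES):
                # Curly quotes do not delimit JSON strings, so they end up inside the argument.
                findings.append((number, "typographic-quote"))
            elif arg.startswith("-") and re.search(r"\s", arg):
                # The program receives flag and value as one argument and rejects the flag name.
                findings.append((number, "fused-flag-value"))
    return findings


if __name__ == "__main__":
    for name, sample in [("fused", FUSED), ("curly", CURLY), ("single", SINGLE), ("good", GOOD)]:
        print(name, lint_exec_form("FROM google/cadvisor:latest\n" + sample + "\n"))
```

Running such a check before `docker build` catches the problem without having to attach to a restarting container to read the flag error.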

@tim545
tim545 commented Jan 16, 2017

Thanks @vmarmol and @exetico! Your answers helped me out a lot on this one.

If you guys are by chance interested, I took your advice and put it into a container on Docker Hub - https://hub.docker.com/r/tim545/cadvisor-basicauth It works pretty well, I'm using it on a personal server at the moment. You can get it going in a few commands:

git clone https://github.com/tim545/docker-cadvisor-basicauth.git

docker build --build-arg USERNAME=admin --build-arg PASSWORD=Password1 -t tim545/cadvisor-basicauth .

docker run \
  --volume=/:/rootfs:ro \
  --volume=/var/run:/var/run:rw \
  --volume=/sys:/sys:ro \
  --volume=/var/lib/docker/:/var/lib/docker:ro \
  --publish=8080:8080 \
  --detach=true \
  --name=cadvisor-basicauth \
  --restart=always \
 tim545/cadvisor-basicauth:latest

The only spot where I fell short was parsing the environment variables in straight from the run command instead of having to manually clone->build->run using the --build-args's.

From what I understand it could be done by replacing ENTRYPOINT ["/usr/bin/cadvisor", "--http_auth_file", "auth.htpasswd", "--http_auth_realm", "localhost"] with something like ENTRYPOINT ["entrypoint.sh"] to run a bash script a bit like:

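#!/bin/bash

# Build the htpasswd file from the USERNAME and PASSWORD environment variables;
# quoting keeps values with spaces or shell metacharacters intact
htpasswd -c -i -b auth.htpasswd "$USERNAME" "$PASSWORD"

# Replace the shell with cAdvisor so it receives container signals directly
exec /usr/bin/cadvisor --http_auth_file auth.htpasswd --http_auth_realm localhost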

I'm not very good with writing bash scripts and I think there's some extra things you need to do to make it work when being run from a docker container, but I think my main issue was being able to parse the USERNAME and PASSWORD to entrypoint.sh via the run command using environment variables like this:

docker run \
  --volume=/:/rootfs:ro \
  --volume=/var/run:/var/run:rw \
  --volume=/sys:/sys:ro \
  --volume=/var/lib/docker/:/var/lib/docker:ro \
  --publish=8080:8080 \
  --detach=true \
  --name=cadvisor-basicauth \
  --restart=always \
  -e USERNAME=admin \
  -e PASSWORD=Password1 \
 tim545/cadvisor-basicauth:latest

Note: For anyone who just skipped to here, the above command does not work.

When I get some more time to spend on it I'll try again, but any help/pointers or even a PR would be appreciated.

@exetico
exetico commented Feb 15, 2017

Hi @tim545. I will give it a try, in my new ESXi setup at home. I think it will be a good idea to point out, how to use the arguments in the information.

@tim545
tim545 commented Feb 16, 2017

Thanks @exetico, let me know how it goes. I updated the readme a bit to try and make the instructions clearer like you mentioned.

@gustavomcarmo

Thank you guys, your comments were really useful. What I unfortunately miss is the implementation of basic auth in the Prometheus metrics endpoint (/metrics). The code has nothing about it and it is a feature I really need. Maybe I can contribute with it soon.

@Mist3ry
Mist3ry commented Oct 5, 2020

@gustavomcarmo are there any updates on implementing basic auth for the Prometheus endpoint?

@gustavomcarmo

Hi @Mist3ry, actually I've solved this by using NGINX in front of cAdvisor, as you can see here.

@chiqui3d
chiqui3d commented Apr 17, 2021

Gustavo's solution is good, but also if you don't publish the port and add it to the internal Prometheus network, I think you would also be safe; you could access the API from Grafana.

@rodneytamblyn

This is probably obvious to many, but in case it isn't for all: the alternative is to block the cAdvisor port on the server firewall (e.g. drop 8080) and use ssh port forwarding.

Open a new terminal on your local machine and enter (updating domain, user and certification details; you can omit the -i value if you are using user/pass ssh):

ssh -i ~/.ssh/MYCERTIFICATE -L localhost:8080:my.server.com:8080 USER@my.server.com

Then open your browser to localhost:8080 and cAdvisor will appear.

@vuongtlt13

You just need to set ENV VARIABLES for basic auth.

This repo could help you: https://github.com/vuongtlt13/prometheus_exporters
