Skip to content

Latest commit

 

History

History
113 lines (94 loc) · 3.62 KB

docker-compose-review.md

File metadata and controls

113 lines (94 loc) · 3.62 KB
Raw

Docker Compose File Review

Version

version: '3.9'

This specifies the Docker Compose file format version. 3.9 is the latest version of the v3 specification, released in October 2020. It requires Docker Engine 19.03.0+.

Volumes

volumes:
    prometheus_data: {}
    grafana_data: {}

These define named volumes for persistent data storage. This is important because:

  • prometheus_data stores your metrics history
  • grafana_data stores your dashboards, users, and settings The empty brackets {} mean using default options, which is fine here.

Networks

networks:
  front-tier:
  back-tier:

Creates two custom networks for service segregation:

  • front-tier: For services that need external access

    • Currently used by: Grafana, nginx
    • This allows these services to handle external web traffic while maintaining isolation

  • back-tier: For internal service communication

    • Used by: All services (Prometheus, Grafana, Alertmanager, Blackbox, nginx)
    • Enables secure internal communication between services
    • Prevents direct external access to monitoring components

Current benefits:

  1. Grafana and nginx can serve web traffic while keeping monitoring services private
  2. Services in back-tier can communicate without being exposed to the internet
  3. Services can be selectively added to either network based on their needs
  4. Provides a foundation for adding more services with proper isolation

This network segregation is a security best practice, though currently underutilized as most services are in both networks.

Services

Prometheus

  prometheus:
    image: docker.io/prom/prometheus

Uses the official Prometheus image. Good practice to specify docker.io explicitly.

Volume configuration:

    volumes:
      - ./prometheus/:/etc/prometheus/
      - prometheus_data:/prometheus

Mounts:

  • Local config directory to container
  • Named volume for data persistence This is correctly configured.

Command configuration:

    command:
      - '--config.file=/etc/prometheus/config.yml'
      - '--storage.tsdb.path=/prometheus'
      - '--web.console.libraries=/usr/share/prometheus/console_libraries'
      - '--web.console.templates=/usr/share/prometheus/consoles'
      - '--web.enable-lifecycle'

Standard Prometheus configuration flags. The --web.enable-lifecycle is particularly useful for runtime configuration reloading.

Links (Note: Deprecated):

    links:
      - alertmanager:alertmanager
      - blackbox_exporter

'links' is legacy and deprecated. Consider removing this and rely on network aliases instead.

Grafana

  grafana:
    image: docker.io/grafana/grafana

Historical note on Grafana users:

  • Pre-6.5.0 (2019): Grafana ran as root (user ID 0) by default
  • A common fix was to set user: "104" (internal grafana user)
  • Post-6.5.0: Grafana runs as non-root by default (user ID 472)
  • Current best practice: Let Grafana use its default non-root user

General Recommendations

  1. Consider adding healthchecks for each service
  2. Consider adding resource limits
  3. You might want to add container_name for easier identification
  4. Consider adding labels for better organization
  5. You might want to add logging configuration

Security Notes

  1. Services are properly segregated into front-tier and back-tier networks
  2. Volumes are properly configured for persistence
  3. Consider reviewing exposed ports and limiting access where possible

Maintenance Notes

  1. The 'links' directive in Prometheus service should be removed as it's deprecated
  2. Version 3.8 is appropriate for current needs
  3. Grafana now handles non-root user configuration automatically