elastic-apm-docker

Deploy docker-composed elastic apm 7.3.2 with proxy auth on a single remote docker host.

deploy

requirements

  • a remote host with docker and docker-compose installed. There's a playbook for that.
  • ssh access to said host as root
  • docker group present on host to run sudoless

$ cd deploy
# You only need to run setup once
$ ansible-playbook -i $HOST, setup.yml
# deploy.yml is idempotent
$ ansible-playbook -i $HOST, deploy.yml

security

To secure the stack you have two options:

  1. Use the provided proxy to authorize access to kibana. Start by adding users on the remote host.

# The -c flag creates the file. Omit it when adding further users, otherwise the existing file is overwritten.
$ htpasswd [-c] ./conf/nginx/.htpasswd <user>

  2. Use an ssh tunnel to reach kibana on the host's localhost.

$ ssh -N -L 127.0.0.1:<local-port>:127.0.0.1:<remote-port> <user>@<host>

Regardless of your choice, you also need to generate an ELASTIC_APM_SECRET_TOKEN. The same token is passed to docker-compose and to every agent that reports to apm-server.

$ openssl rand -hex 16
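The two secrets above are easy to get subtly wrong: `htpasswd -c` silently wipes the users already in the file, and a token that is pasted with whitespace or truncated only fails once the agent tries to talk to apm-server. The following helpers are an added example, not code from the elastic-apm-docker repo; the htpasswd path comes from the README, the function names and the HTPASSWD_FILE variable are this example's own.

```shell
#!/bin/sh
# Added example (not part of the elastic-apm-docker repo): helpers for the two
# secrets the stack needs, the proxy's htpasswd users and the
# ELASTIC_APM_SECRET_TOKEN. The path is the one the README uses; the
# function names and HTPASSWD_FILE are this example's own.

HTPASSWD_FILE=${HTPASSWD_FILE:-./conf/nginx/.htpasswd}

# Produce a 16-byte token as 32 lowercase hex chars, the same shape as
# `openssl rand -hex 16`; falls back to /dev/urandom when openssl is absent.
gen_secret_token() {
    if command -v openssl >/dev/null 2>&1; then
        openssl rand -hex 16
    else
        head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n'
    fi
}

# Accept only exactly 32 lowercase hex characters, so a truncated token or
# one pasted with stray whitespace is rejected before it reaches docker-compose.
check_secret_token() {
    case "$1" in
        *[!0-9a-f]*) return 1 ;;
    esac
    [ "${#1}" -eq 32 ]
}

# Add a proxy user without the "-c overwrites the file" footgun: -c is passed
# only when the file does not exist yet. -B selects bcrypt for the stored hash.
# Prompts for the password interactively, like the README's htpasswd line.
add_proxy_user() {
    user=$1
    if [ -f "$HTPASSWD_FILE" ]; then
        htpasswd -B "$HTPASSWD_FILE" "$user"
    else
        htpasswd -c -B "$HTPASSWD_FILE" "$user"
    fi
    # The file holds password hashes: readable by the proxy, not by everyone.
    chmod 640 "$HTPASSWD_FILE"
}
```

Usage: `. ./secrets.sh; token=$(gen_secret_token); check_secret_token "$token" && ELASTIC_APM_SECRET_TOKEN=$token docker-compose up -d`. `add_proxy_user alice` is run on the remote host where apache's `htpasswd` is installed.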

usage

Manage the elastic apm stack

# Only needs to be run once
$ chown root conf/apm/apm-server.yml

Run everything

$ ELASTIC_APM_SECRET_TOKEN=<token> docker-compose up|down [-d -v]

test

As apm-server depends on es and kibana (and they are slow to boot), it might take a while (10-20s) for the stack to be up. The stack will also restart on host reboot.

# verify stack health
$ ./up.sh
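The wait described above is the readiness gap the todo list wants feedback for. Below is an added example of the kind of probe `./up.sh` can perform; it is not the repo's own script. It polls the endpoints the todos name (`/` for elasticsearch and apm-server, `/api/status` for kibana) in dependency order with a deadline. The URL variables and function names are assumptions of this example; since es and kibana listen on 127.0.0.1 only, run it on the docker host or through the ssh tunnel.

```shell
#!/bin/sh
# Added example (not from the elastic-apm-docker repo): readiness probe for the
# stack. Endpoints follow the README's todo note; the variable and function
# names are this example's own. Run on the docker host or through the tunnel,
# because elasticsearch and kibana are bound to localhost.

ES_URL=${ES_URL:-http://127.0.0.1:9200/}
KIBANA_URL=${KIBANA_URL:-http://127.0.0.1:5601/api/status}
APM_URL=${APM_URL:-http://127.0.0.1:8200/}

# Succeed only on an HTTP 2xx answer within 3 seconds (--fail turns 4xx/5xx,
# which kibana returns while it is still starting, into a non-zero exit).
probe() {
    curl --silent --fail --max-time 3 --output /dev/null "$1"
}

# Retry the command "$@" every $interval seconds for at most $timeout seconds.
# Returns 0 as soon as the command succeeds, 1 once the deadline passes.
wait_for() {
    timeout=$1
    interval=$2
    shift 2
    elapsed=0
    while ! "$@"; do
        elapsed=$((elapsed + interval))
        if [ "$elapsed" -ge "$timeout" ]; then
            return 1
        fi
        sleep "$interval"
    done
    return 0
}

# Probe the services in dependency order, apm-server last since it only comes
# up after es and kibana. $1 is the per-service deadline in seconds (default 60).
stack_up() {
    deadline=${1:-60}
    for pair in "elasticsearch=$ES_URL" "kibana=$KIBANA_URL" "apm-server=$APM_URL"; do
        name=${pair%%=*}
        url=${pair#*=}
        if wait_for "$deadline" 2 probe "$url"; then
            echo "$name: up"
        else
            echo "$name: not reachable at $url within ${deadline}s" >&2
            return 1
        fi
    done
}
```

`stack_up` exits non-zero with the name of the first service that did not answer, which is the "host unavailable" feedback the todos ask `./up.sh` for; a deploy pipeline can gate the web-app test on it.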

Run web app test

# Optional settings:
#   DEBUG=1                             app logging (default: no logging)
#   ELASTIC_APM_ACTIVE=false            disable the agent (default: true)
#   ELASTIC_APM_LOG_LEVEL=debug|trace   agent log level (default: info)
#   ELASTIC_APM_SERVER_URL=<url>        default localhost:8200
# The secret token must match the one the stack was started with.
$ docker run -p 9300:9300 -d \
    -e DEBUG=1 \
    -e ELASTIC_APM_ACTIVE=false \
    -e ELASTIC_APM_LOG_LEVEL=debug|trace \
    -e ELASTIC_APM_SERVER_URL=<url> \
    -e ELASTIC_APM_SECRET_TOKEN=<token> \
    --name silly-web-app pokus2000/silly-web-app:1.2.0

load

Make an API request, or several with a load-test tool like vegeta.

$ curl -i http://localhost:9300/api/v1/user
# load test
$ vegeta attack -rate=<n> -duration=<5s|m> -targets=targets.txt | vegeta report

gui

Now we're ready to view the apm data in kibana. If the stack is deployed behind the proxy, log in with the credentials created during preparation. There's an exported dashboard template under /dashboards that you can import into kibana under Management/Saved Objects/Import.

network

Services communicate over a local docker network. Only apm-server and the proxy (in front of kibana) are open to the internet. Elasticsearch and kibana are exposed only on localhost.

+-------------------------------------------------------------------+
|                                                                   |
|    +-----------------------------------+    +------------------+  |
|    |                                   |    |                  |  |
|    |  elasticsearch 127.0.0.1:9200     |    | kibana           |  |
|    |                                   |    |   127.0.0.1:5601 |  |
|    +-------------------------------+---+    |                  |  |
|                                    ^        |                  |  |
|           +-------------------------------->+                  |  |
|           |                        |        +----------+-------+  |
|           |                        |                   ^          |
|           |                        |                   |          |
|    +------+---------------+      +-+-------------------+---+      |
|    |                      |      |                         |      |
|    |  proxy 0.0.0.0:443   |      | apm-server 0.0.0.0:8200 |      |
|    |                      |      |                         |      |
|    +-----+----------------+      +------+------------------+      |
|          ^                              ^                         |
|          |                              |                         |
+-------------------------------------------------------------------+
           |                              |
           |                              |
           +                              +

                  internet

todos

  • nginx proxy auth
  • restart always
  • apm-server secret_token
  • toggle apm rum
  • pass secrets via ENV
  • persistent service data
  • add metricbeat
  • persistent, non-blocking logging
  • turn off proxy access log for /
  • add feedback for when stack is up. apm-server takes a while depending on es and kibana.
  • dockerize test app
  • consider healthchecks https://docs.docker.com/compose/compose-file/#healthcheck (/api/status for kibana, / for es and apm-server)
  • ssl for proxy
  • ./up.sh should show host unavailable
  • disable basic auth on proxy /ping
  • apm-server.yml must be owned by root
  • silly-web-app kibana dashboard export

license

MIT