From 5fda0b60bcebac50445f954e3bae512c57eb3ec1 Mon Sep 17 00:00:00 2001
From: Claude Agent
Date: Tue, 16 Jun 2026 15:11:12 +0000
Subject: [PATCH] telegraf: run as root + bypass gosu drop to read docker.sock GID-independently

The container ran as user 0:994 and accessed the docker socket via group membership, but the host docker group GID is auto-assigned and varies per host (e.g. uk-8 is 988, not 994), so the hardcoded gid silently breaks telegraf's docker input wherever it differs (uk-8 was in a restart loop: permission denied on /var/run/docker.sock). Run as root (0:0) with entrypoint [telegraf] to skip the image's gosu privilege-drop, so telegraf reads the socket as its owner regardless of the host docker gid. Works uniformly fleet-wide; no regression on hosts where the gid happened to match.

Co-Authored-By: Claude Opus 4.8 (1M context)
---
 monitoring.yml | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/monitoring.yml b/monitoring.yml
index b1800360..28bdb056 100644
--- a/monitoring.yml
+++ b/monitoring.yml
@@ -169,7 +169,12 @@ services:
   telegraf:
     image: telegraf:latest
-    user: "0:994"
+    # Run as root and bypass the image's gosu privilege-drop so telegraf reads the
+    # docker socket as its OWNER (root). Avoids hardcoding the host docker group GID,
+    # which is auto-assigned and varies per host (e.g. 994 vs 988) - a hardcoded gid
+    # silently breaks telegraf's docker input wherever the gid differs.
+    user: "0:0"
+    entrypoint: ["telegraf"]
     container_name: telegraf
     restart: unless-stopped
     networks: