telegraf: run as root + bypass gosu drop to read docker.sock GID-independently

The container ran as user 0:994 and accessed the docker socket via group
membership, but the host docker group GID is auto-assigned and varies per
host (e.g. uk-8 is 988, not 994), so the hardcoded gid silently breaks
telegraf's docker input wherever it differs (uk-8 was in a restart loop:
permission denied on /var/run/docker.sock). Run as root (0:0) with
entrypoint [telegraf] to skip the image's gosu privilege-drop, so telegraf
reads the socket as its owner regardless of the host docker gid. Works
uniformly fleet-wide; no regression on hosts where the gid happened to match.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-16 15:11:12 +00:00
parent fe94f3b605
commit 5fda0b60bc


@@ -169,7 +169,12 @@ services:
telegraf:
image: telegraf:latest
user: "0:994"
# Run as root and bypass the image's gosu privilege-drop so telegraf reads the
# docker socket as its OWNER (root). Avoids hardcoding the host docker group GID,
# which is auto-assigned and varies per host (e.g. 994 vs 988) - a hardcoded gid
# silently breaks telegraf's docker input wherever the gid differs.
user: "0:0"
entrypoint: ["telegraf"]
container_name: telegraf
restart: unless-stopped
networks:
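Review bot: the added `user: "0:0"` plus `entrypoint: ["telegraf"]` removes the only privilege boundary between telegraf and the host, and the new comment block should state that trade-off rather than only the GID convenience. A root process with `/var/run/docker.sock` mounted is effectively root on the host, since anything that can talk to the daemon can start a privileged container; before this change the image's entrypoint dropped telegraf to an unprivileged user whose only lever was the docker group, after it the process is root with the socket. The stated problem (docker GID auto-assigned and varying per host, 994 vs 988) can be solved without bypassing gosu by keeping the image's default user and supplying the GID as a supplementary group from a per-host variable, e.g. `group_add: ["${DOCKER_GID}"]` with `DOCKER_GID` set in each host's `.env`, which also removes the hardcoded `994`. Also note that overriding `entrypoint` replaces the image's entrypoint script entirely, not just its gosu step, so the comment should say that any other initialization that script performs is skipped as well. If running as root is kept deliberately, record why in the comment so the next reader does not treat it as an oversight.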