Configuring Instana backend on Docker

You can configure Instana backend on Docker as follows:

Creating a template for the settings.hcl file
Default configuration
Data directories
Datastore credentials
- Special case multi-host
Data retention
- Data retention for infrastructure and platform monitoring
- Data retention for application perspectives and end-user monitoring
Notifications server settings
Proxy settings
Docker repository settings
OAuth settings
End-user monitoring (EUM) settings
Enabling HSTS
Generating REST API clients
Enabling audit logging
Replacing existing certificates
Custom certificates for webhook or mail integrations

Creating a template for the settings.hcl file

The settings.hcl file is generated during the installation process.

If required, run the command instana settings template to create a settings.hcl file with default (empty) values.

Default configuration

The values for the following parameters are populated during the installation.

type      = "single"
profile   = "normal"
tenant    = "<Your-tenancy-identifier>"
unit      = "<Your-backend-identifier>"
agent_key = "<Your-agent-key>"
sales_key = "<Your-sales-key>"
host_name = "<The-FQDN-of-the-machine-the-backend-is-installed-on>"
token_secret = "<max_12_digits>"

cert {
  crt     = "<Path-to-your-signed-certificate>"
  key     = "<Path-to-your-private-key-file>"
}

Data directories

Instana defaults to the following directory structures.

dir {
  metrics  = "/mnt/metrics"
  traces   = "/mnt/traces"
  data     = "/mnt/data"
  logs     = "/var/log/instana"
}

Directory	Description	Type
Metrics	The parent directory where Cassandra creates its data directory. You are recommended putting the directory on a high IO device with dedicated disks (`/mnt/metrics`).	string
Traces	The parent directory where Clickhouse creates its data directory. You are recommended putting the directory on a high IO device with dedicated disks (`/mnt/traces`).	string
Data	The parent directory where Instana and third-party components store data.	string
Logs	The parent directory where all the components in Instana stack create log files.	string

Datastore credentials

All data stores require authentication. The configuration of the credentials is optional. Credentials that are not specified are initially generated and added to the settings.hcl file. Passwords can be changed by updating them in the settings.hcl file. Changes are applied by running instana update.

Note: Only passwords can be changed, users are fixed and cannot be changed.

...
datastore "cassandra" {
  user     = "cassandra"
  password = "SECURE_PASS"
}
datastore "elasticsearch" {
  user     = "elastic"
  password = "SECURE_PASS"
}
datastore "kafka" {
  user     = "kafka"
  password = "SECURE_PASS"
}
datastore "clickhouse" {
  user     = "clickhouse"
  password = "SECURE_PASS"
}
datastore "postgres" {
  user     = "postgres"
  password = "SECURE_PASS"
}
datastore "aggregator" {
  user     = "aggregator"
  password = "SECURE_PASS"
}
...

Special case multi-host

For multi-host setups, it is important to note that Clickhouse credentials are not automatically created on the Instana host, as they must match the values from the Clickhouse host. Simply copy the Clickhouse credential block from the Clickhouse host into the settings.hcl file of the Instana host.

Data retention

Data retention for infrastructure and platform monitoring

The following data retention parameters are calculated during the installation. A value of zero tells the system to not drop rollups of this time span. A zero value for smaller rollups can cause the disks to quickly fill up.

retention {
  metric_roll_up_5     = 86400
  metric_roll_up_60    = 2678400
  metric_roll_up_300   = 8035200
  metric_roll_up_3600  = 34214400
}

When BeeInstana Metric Pipeline (beta) is enabled, you can configure the retention for metrics that are stored in the BeeInstana data store. See the following example:

env_var "FLAGS_retention_10s"{
  value="86400"
}
env_var "FLAGS_retention_60s"{
  value="2678400"
}
env_var "FLAGS_retention_300s"{
  value="8035200"
}
env_var "FLAGS_retention_3600s"{
  value="34214400"
}

Retention	Description	Type
`metric_roll_up_5`	Duration (in seconds) in which 5-second-rollups are available.	int
`metric_roll_up_60`	Duration (in seconds) in which 1-minute-rollups are available.	int
`metric_roll_up_300`	Duration (in seconds) in which 5-minute-rollups are available.	int
`metric_roll_up_3600`	Duration (in seconds) in which 1-hour-rollups are available.	int
`FLAGS_retention_10s`	Duration (in seconds) in which 10-second metric data that is stored in BeeInstana is retained.	int
`FLAGS_retention_60s`	Duration (in seconds) in which 60-second metric data that is stored in BeeInstana is retained.	int
`FLAGS_retention_300s`	Duration (in seconds) in which 5-minute metric data that is stored in BeeInstana is retained.	int
`FLAGS_retention_3600s`	Duration (in seconds) in which 1-hour metric data that is stored in BeeInstana is retained.	int

Note: Chart granularity is determined only based on the size of the selected time range. This means that changing the metric data retention doesn't affect the granularity of metric data that is shown in Instana dashboards. These metric retention properties are for information only and should not be changed.

Data retention for application perspectives and end-user monitoring

application perspectives and end-user monitoring share the data retention parameter:

retention {
  app_data_short_term  = 7
}

Retention	Description	Type
`app_data_short_term`	Days of retention.	int

Changing the app_data_short_term field can impact only new application perspectives data.

Note: Only values that are greater than or equal to 7 days are valid. Values that are less than 7 lead to a failure of the entire system.

See the following examples:

app_data_short_term is changed from 7 days to 14 days: Old data is deleted if it is older than 7 days, while new data is deleted if it is older than 14 days.
app_data_short_term is changed from 14 days to 7 days: Old data is deleted if it is older than 14 days, while new data is deleted if it is older than 7 days.

Changing the app_data_short_term field has an immediate effect on old and new end-user monitoring data.

See the following examples:

app_data_short_term is changed from 7 days to 14 days: Old and new data is deleted if it is 14 days old.
app_data_short_term is changed from 14 days to 7 days: Old and new data is deleted if it is 7 days old.

Beyond the retention period, a subset of the data is kept for 13 months.

Notifications server settings

See the following settings:

email {

  smtp {
    from      = "notif@acmecorp.com"
    host      = "relay-1.acme.internal"
    port      = 25
    user      = "ops-notif@acmecorp.com"
    password  = "yUnoEm41l"
    use_ssl   = true
    start_tls = false
  }
}

Parameter	Description	Type
`from`	Sender email address from notification emails.	string
`host`	SMTP server address or hostname that sends notification emails.	string
`port`	Port of the SMTP server that sends notification emails.	int
`user`	Username for the SMTP server that sends notification emails.	string
`password`	Password for the SMTP server that sends notification emails.	string
`use_ssl`	Indicates whether the SMTP server that sends notification emails is spoken to by using SSL.	bool
`start_tls`	Indicates whether the SMTP server that sends notification emails is spoken to by using SSL.	bool

Proxy settings

See the following settings:

proxy {
  host     = "10.9.4.13"
  port     = 8080
  user     = "anonymous"
  password = "P4ssword1234"
}

Parameter	Description	Type
`host`	If your backend server communicates with the cluster-external internet by using a proxy server, enter either the proxy address or hostname.	string
`port`	Port for the proxy server to speak to.	int
`user`	Username for the proxy server.	string
`password`	Password for the proxy server.	string

Docker repository settings

See the following settings:

docker_repository {
  base_url = "my.mirror.internal/v2/artifact-public.instana.io"
  username = "user"
  password = "pass"
}

Parameter	Description	Type
`base_url`	Base URL for the mirror repository, depending on your tag.	string
`username`	Username for the repository server.	string
`password`	Password for the repository server.	string

OAuth settings

See the following settings:

o_auth {
  client_id     = "123456-1n574n4adgjlmnop.apps.googleusercontent.com"
  client_secret = "XNLV-fpf_deadBeEf1234"
}

Parameter	Description	Type
`client_id`	Client ID for the Google oauth credential.	string
`client_secret`	Client secret password for the Google oauth credential.	string

End-user monitoring (EUM) settings

See the following settings:

eum {
  tracking_base_url     = "https://mobile.acmecorp.com/eum/"
}

Parameter	Description	Type
`tracking_base_url`	URL under which the end-user monitoring ingestion endpoint is published. This configuration has no impact on data ingestion or processing. Instead, it is used to present correct JavaScript and mobile app agent installation instructions within the Instana user interface. For more information, see the dedicated Self-hosted/On-premises End-User Monitoring documentation.	string

Enabling HSTS

To enable HSTS globally, add the following flag in the root of the settings.hcl file:

hsts_enabled = true

Generating REST API clients

The URL to the local open API specification is https://{onpremhost}/docs/openapi (after on-premises release 170). For detailed information about how to configure REST API clients, see Web REST API docs.

Enabling audit logging

To configure an audit logger that logs each login to the Instana system, the following config toggle must be activated at root level in settings.hcl. Then, the system must be updated by running the command instana update -f /path/to/settings.hcl. The new log file can be found in the following path in the log directory /instana/butler/audit.log.

toggle "config.audit.log.level" {
  value = "info"
}

Replacing existing certificates

To replace existing certificates with other certificates, update paths to your certificate files in the settings.hcl file. Then, the system must be updated by running the command instana update -f /path/to/settings.hcl.

cert {
  crt = "/mnt/cert/tls.crt"
  key = "/mnt/cert/tls.key"
}

Custom certificates for webhook or mail integrations

If Instana can't validate the certificate that your SMTP server presents, you might see the following TLS error:

ERROR c.i.email.service.client.JavaMail - Mail could not be send due to an error
javax.mail.MessagingException: Could not convert socket to TLS

To configure your Instana installation to successfully send data to webhook with a custom certificate, you can provide a custom Java™ keystore (jssecacerts) that contains your certificate for JVMs.

Copy a current JVM keystore from your JVM $JAVA_HOME/lib/security/cacerts.

Import your custom cert into this keystore by using the JVM keytool with the following command:

$JAVA_HOME/bin/keytool -importcert -file custom-crt.crt -alias instana.com -keystore cacerts -storepass changeit
```3. Now you must add the absolute path of the keystore by using the configuration key `custom_keystore` in the `settings.hcl` file.

``` {: codeblock}
custom_keystore="<path_to_javakeystore>"