Configuring Instana backend on Docker
You can configure Instana backend on Docker as follows:
- Creating a template for the settings.hcl file
- Default configurations
- Data directories
- Data store credentials
- Data retention
- Settings
- Enabling HSTS
- Generating REST API clients
- Replacing existing certificates
- Custom certificates for webhook or mail integrations
Creating a template for the settings.hcl file
The settings.hcl
file is generated during the installation process. This file has all the configurations, such as download key, sales key, Instana related configurations like profile, tenant name, unit name, and hostname of the
environment. These configurations are needed to install the Instana backend. You can configure this file, and then Instana-console
uses this file to install the Docker-based backend.
If you want to install Instana, you need to install the settings.hcl
file.
If required, create a settings.hcl
file with default (empty) values by running the following command:
instana settings template
Default configurations
The values for the following parameters are populated during the installation:
type = "single"
profile = "normal"
tenant = "<Your-tenancy-identifier>"
unit = "<Your-backend-identifier>"
agent_key = "<Your-agent-key>"
sales_key = "<Your-sales-key>"
host_name = "<The-FQDN-of-the-machine-the-backend-is-installed-on>"
token_secret = "<max_12_digits>"
cert {
crt = "<Path-to-your-signed-certificate>"
key = "<Path-to-your-private-key-file>"
}
If you want to change the parameters, run the vi settings.hcl
command. To apply the new configuration settings to your Docker-based Instana backend, run instana update
command.
Data directories
Instana defaults to the following directory structures:
dir {
metrics = "/mnt/metrics"
traces = "/mnt/traces"
data = "/mnt/data"
logs = "/var/log/instana"
}
Directory | Description | Type |
---|---|---|
Metrics | Cassandra creates its data directory in this parent directory. Mount the directory on a high-IO device with dedicated disks (/mnt/metrics ). |
string |
Traces | ClickHouse creates its data directory in this parent directory. Mount the directory on a high-IO device with dedicated disks (/mnt/traces ). |
string |
Data | Instana and third-party components store data in this parent directory. | string |
Logs | All the components in the Instana stack create log files in this parent directory. | string |
Data store credentials
All data stores require authentication. Optional: Configure the credentials. Credentials that are not specified are initially generated and added to the settings.hcl
file. You can change the passwords by updating them in the settings.hcl
file.
To apply the changes, run the following command:
instana update
Only passwords can be changed. Users are fixed and cannot be changed.
...
datastore "cassandra" {
user = "cassandra"
password = "SECURE_PASS"
}
datastore "elasticsearch" {
user = "elastic"
password = "SECURE_PASS"
}
datastore "kafka" {
user = "kafka"
password = "SECURE_PASS"
}
datastore "clickhouse" {
user = "clickhouse"
password = "SECURE_PASS"
}
datastore "postgres" {
user = "postgres"
password = "SECURE_PASS"
}
datastore "aggregator" {
user = "aggregator"
password = "SECURE_PASS"
}
...
Special case: Multi-host
For multi-host setups, ClickHouse credentials are not automatically created on the Instana backend host because they must match the values from the ClickHouse host.
Copy the ClickHouse credential block from the ClickHouse host into the settings.hcl
file of the Instana host.
Data retention
Data retention for infrastructure and platform monitoring
The following data retention parameters are calculated during the installation. A value of zero tells the system to not remove the rollups of this time span. A zero value for smaller rollups can cause the disks to quickly fill up.
retention {
metric_roll_up_5 = 86400
metric_roll_up_60 = 2678400
metric_roll_up_300 = 8035200
metric_roll_up_3600 = 34214400
}
When BeeInstana Metric Pipeline (beta) is enabled, you can configure the retention for metrics that are stored in the BeeInstana data store. See the following example:
env_var "FLAGS_retention_10s"{
value="86400"
}
env_var "FLAGS_retention_60s"{
value="2678400"
}
env_var "FLAGS_retention_300s"{
value="8035200"
}
env_var "FLAGS_retention_3600s"{
value="34214400"
}
Retention | Description | Type |
---|---|---|
metric_roll_up_5 |
Duration (in seconds) in which 5-second-rollups are available. | int |
metric_roll_up_60 |
Duration (in seconds) in which 1-minute-rollups are available. | int |
metric_roll_up_300 |
Duration (in seconds) in which 5-minute-rollups are available. | int |
metric_roll_up_3600 |
Duration (in seconds) in which 1-hour-rollups are available. | int |
FLAGS_retention_10s |
Duration (in seconds) in which 10-second metric data that is stored in BeeInstana is retained. | int |
FLAGS_retention_60s |
Duration (in seconds) in which 60-second metric data that is stored in BeeInstana is retained. | int |
FLAGS_retention_300s |
Duration (in seconds) in which 5-minute metric data that is stored in BeeInstana is retained. | int |
FLAGS_retention_3600s |
Duration (in seconds) in which 1-hour metric data that is stored in BeeInstana is retained. | int |
Chart granularity is determined only based on the size of the selected time range. This means that changing the metric data retention doesn't affect the granularity of metric data that is shown in the Instana dashboards. These metric retention properties are for information only and must not be changed.
Data retention for application perspectives and end-user monitoring
Application perspectives and end-user monitoring both share the following data retention parameter:
retention {
app_data_short_term = 7
}
Retention | Description | Type |
---|---|---|
app_data_short_term |
Days of retention. | int |
Changing the app_data_short_term
field can impact only the new application perspectives data.
Only values that are greater than or equal to 7 days are valid. Values that are less than 7 lead to a failure of the entire system.
See the following examples:
app_data_short_term
is changed from 7 days to 14 days: Old data is deleted if it is older than 7 days, while new data is deleted if it is older than 14 days.app_data_short_term
is changed from 14 days to 7 days: Old data is deleted if it is older than 14 days, while new data is deleted if it is older than 7 days.
Changing the app_data_short_term
field has an immediate effect on the old and new end-user monitoring data.
See the following examples:
app_data_short_term
is changed from 7 days to 14 days: Old and new data is deleted if it is 14 days old.app_data_short_term
is changed from 14 days to 7 days: Old and new data is deleted if it is 7 days old.
Beyond the retention period, a subset of the data is kept for 13 months.
Settings
Docker repository settings
See the following settings:
docker_repository {
base_url = "my.mirror.internal/v2/artifact-public.instana.io"
username = "user"
password = "pass"
}
Parameter | Description | Type |
---|---|---|
base_url |
Base URL for the mirror repository, depending on your tag. | string |
username |
Username for the repository server. | string |
password |
Password for the repository server. | string |
End-user monitoring (EUM) settings
See the following settings:
eum {
tracking_base_url = "https://mobile.acmecorp.com/eum/"
}
Parameter | Description | Type |
---|---|---|
tracking_base_url |
URL under which the end-user monitoring ingestion endpoint is published. This configuration has no impact on data ingestion or processing. Instead, it is used to present correct JavaScript and mobile app agent installation instructions within the Instana user interface. For more information, see the dedicated Configuring end-user monitoring documentation. | string |
Notifications server settings
See the following settings:
email {
smtp {
from = "notif@acmecorp.com"
host = "relay-1.acme.internal"
port = 25
user = "ops-notif@acmecorp.com"
password = "yUnoEm41l"
use_ssl = true
start_tls = false
}
}
Parameter | Description | Type |
---|---|---|
from |
The email address of the sender from the notification emails. | string |
host |
The SMTP server address or hostname that sends the notification emails. | string |
port |
Port of the SMTP server that sends the notification emails. | int |
user |
Username for the SMTP server that sends the notification emails. | string |
password |
Password for the SMTP server that sends the notification emails. | string |
use_ssl |
The value indicates whether the SMTP server that sends the notification emails is using SSL encryption. | bool |
start_tls |
The value indicates whether the SMTP server that sends the notification emails upgrades to TLS after the connection is established. | bool |
OAuth settings
See the following settings:
o_auth {
client_id = "123456-1n574n4adgjlmnop.apps.googleusercontent.com"
client_secret = "XNLV-fpf_deadBeEf1234"
}
Parameter | Description | Type |
---|---|---|
client_id |
Client ID for the Google oauth credential. | string |
client_secret |
Client secret password for the Google oauth credential. | string |
Proxy settings
See the following settings:
proxy {
host = "10.9.4.13"
port = 8080
user = "anonymous"
password = "P4ssword1234"
}
Parameter | Description | Type |
---|---|---|
host |
If your backend server communicates with the internet by using a proxy server, enter either the proxy address or hostname. | string |
port |
Port for the proxy server to speak to. | int |
user |
Username for the proxy server. | string |
password |
Password for the proxy server. | string |
Enabling HSTS
To enable HTTP Strict Transport Security (HSTS) globally, add the following flag in the root of the settings.hcl
file:
hsts_enabled = true
Generating REST API clients
The URL to the local open API specification is https://{onpremhost}/docs/openapi
(after on-premises release 170). For more information about how to configure REST API clients, see Web REST API docs.
Replacing existing certificates
To replace existing certificates with other certificates, update paths to your certificate files in the settings.hcl
file by using the following command:
cert {
...
}
Then, update the system by running the following command:
instana update -f /path/to/settings.hcl
cert {
crt = "/mnt/cert/tls.crt"
key = "/mnt/cert/tls.key"
}
Custom certificates for webhook or mail integrations
If Instana can't validate the certificate that your SMTP server presents, you might see the following TLS error:
ERROR c.i.email.service.client.JavaMail - Mail could not be send due to an error
javax.mail.MessagingException: Could not convert socket to TLS
To configure your Instana installation to successfully send data to a webhook with a custom certificate, provide a custom Java™ keystore (jssecacerts
) that contains your certificate for JVMs.
Complete the following steps to configure your Instana installation:
-
Copy the current JVM keystore from your JVM
$JAVA_HOME/lib/security/cacerts
. -
Import your custom certificate into this keystore by using the JVM keytool with the following command:
$JAVA_HOME/bin/keytool -importcert -file custom-crt.crt -alias instana.com -keystore cacerts -storepass changeit
-
Add the absolute path of the keystore by setting the
custom_keystore
configuration key in the root of thesettings.hcl
file.custom_keystore="<path_to_javakeystore>"