Configuring Instana backend on Docker

You can configure Instana backend on Docker as follows:

Creating a template for the settings.hcl file

The settings.hcl file is generated during the installation process. This file has all the configurations, such as download key, sales key, Instana related configurations like profile, tenant name, unit name, and hostname of the environment. These configurations are needed to install the Instana backend. You can configure this file, and then Instana-console uses this file to install the Docker-based backend.

If you want to install Instana, you need to install the settings.hcl file.

If required, create a settings.hcl file with default (empty) values by running the following command:

instana settings template

Default configurations

The values for the following parameters are populated during the installation:

type      = "single"
profile   = "normal"
tenant    = "<Your-tenancy-identifier>"
unit      = "<Your-backend-identifier>"
agent_key = "<Your-agent-key>"
sales_key = "<Your-sales-key>"
host_name = "<The-FQDN-of-the-machine-the-backend-is-installed-on>"
token_secret = "<max_12_digits>"

cert {
  crt     = "<Path-to-your-signed-certificate>"
  key     = "<Path-to-your-private-key-file>"
}

If you want to change the parameters, run the vi settings.hcl command. To apply the new configuration settings to your Docker-based Instana backend, run instana update command.

Data directories

Instana defaults to the following directory structures:

dir {
  metrics  = "/mnt/metrics"
  traces   = "/mnt/traces"
  data     = "/mnt/data"
  logs     = "/var/log/instana"
}
Directory Description Type
Metrics Cassandra creates its data directory in this parent directory. Mount the directory on a high-IO device with dedicated disks (/mnt/metrics). string
Traces ClickHouse creates its data directory in this parent directory. Mount the directory on a high-IO device with dedicated disks (/mnt/traces). string
Data Instana and third-party components store data in this parent directory. string
Logs All the components in the Instana stack create log files in this parent directory. string

Data store credentials

All data stores require authentication. Optional: Configure the credentials. Credentials that are not specified are initially generated and added to the settings.hcl file. You can change the passwords by updating them in the settings.hcl file.

To apply the changes, run the following command:

instana update

Only passwords can be changed. Users are fixed and cannot be changed.

...
datastore "cassandra" {
  user     = "cassandra"
  password = "SECURE_PASS"
}
datastore "elasticsearch" {
  user     = "elastic"
  password = "SECURE_PASS"
}
datastore "kafka" {
  user     = "kafka"
  password = "SECURE_PASS"
}
datastore "clickhouse" {
  user     = "clickhouse"
  password = "SECURE_PASS"
}
datastore "postgres" {
  user     = "postgres"
  password = "SECURE_PASS"
}
datastore "aggregator" {
  user     = "aggregator"
  password = "SECURE_PASS"
}
...

Special case: Multi-host

For multi-host setups, ClickHouse credentials are not automatically created on the Instana backend host because they must match the values from the ClickHouse host.

Copy the ClickHouse credential block from the ClickHouse host into the settings.hcl file of the Instana host.

Data retention

Data retention for infrastructure and platform monitoring

The following data retention parameters are calculated during the installation. A value of zero tells the system to not remove the rollups of this time span. A zero value for smaller rollups can cause the disks to quickly fill up.

retention {
  metric_roll_up_5     = 86400
  metric_roll_up_60    = 2678400
  metric_roll_up_300   = 8035200
  metric_roll_up_3600  = 34214400
}

When BeeInstana Metric Pipeline (beta) is enabled, you can configure the retention for metrics that are stored in the BeeInstana data store. See the following example:

env_var "FLAGS_retention_10s"{
  value="86400"
}
env_var "FLAGS_retention_60s"{
  value="2678400"
}
env_var "FLAGS_retention_300s"{
  value="8035200"
}
env_var "FLAGS_retention_3600s"{
  value="34214400"
}
Retention Description Type
metric_roll_up_5 Duration (in seconds) in which 5-second-rollups are available. int
metric_roll_up_60 Duration (in seconds) in which 1-minute-rollups are available. int
metric_roll_up_300 Duration (in seconds) in which 5-minute-rollups are available. int
metric_roll_up_3600 Duration (in seconds) in which 1-hour-rollups are available. int
FLAGS_retention_10s Duration (in seconds) in which 10-second metric data that is stored in BeeInstana is retained. int
FLAGS_retention_60s Duration (in seconds) in which 60-second metric data that is stored in BeeInstana is retained. int
FLAGS_retention_300s Duration (in seconds) in which 5-minute metric data that is stored in BeeInstana is retained. int
FLAGS_retention_3600s Duration (in seconds) in which 1-hour metric data that is stored in BeeInstana is retained. int

Chart granularity is determined only based on the size of the selected time range. This means that changing the metric data retention doesn't affect the granularity of metric data that is shown in the Instana dashboards. These metric retention properties are for information only and must not be changed.

Data retention for application perspectives and end-user monitoring

Application perspectives and end-user monitoring both share the following data retention parameter:

retention {
  app_data_short_term  = 7
}
Retention Description Type
app_data_short_term Days of retention. int

Changing the app_data_short_term field can impact only the new application perspectives data.

Only values that are greater than or equal to 7 days are valid. Values that are less than 7 lead to a failure of the entire system.

See the following examples:

  • app_data_short_term is changed from 7 days to 14 days: Old data is deleted if it is older than 7 days, while new data is deleted if it is older than 14 days.
  • app_data_short_term is changed from 14 days to 7 days: Old data is deleted if it is older than 14 days, while new data is deleted if it is older than 7 days.

Changing the app_data_short_term field has an immediate effect on the old and new end-user monitoring data.

See the following examples:

  • app_data_short_term is changed from 7 days to 14 days: Old and new data is deleted if it is 14 days old.
  • app_data_short_term is changed from 14 days to 7 days: Old and new data is deleted if it is 7 days old.

Beyond the retention period, a subset of the data is kept for 13 months.

Settings

Docker repository settings

See the following settings:

docker_repository {
  base_url = "my.mirror.internal/v2/artifact-public.instana.io"
  username = "user"
  password = "pass"
}
Parameter Description Type
base_url Base URL for the mirror repository, depending on your tag. string
username Username for the repository server. string
password Password for the repository server. string

End-user monitoring (EUM) settings

See the following settings:

eum {
  tracking_base_url     = "https://mobile.acmecorp.com/eum/"
}
Parameter Description Type
tracking_base_url URL under which the end-user monitoring ingestion endpoint is published. This configuration has no impact on data ingestion or processing. Instead, it is used to present correct JavaScript and mobile app agent installation instructions within the Instana user interface. For more information, see the dedicated Configuring end-user monitoring documentation. string

Notifications server settings

See the following settings:

email {
  smtp {
    from      = "notif@acmecorp.com"
    host      = "relay-1.acme.internal"
    port      = 25
    user      = "ops-notif@acmecorp.com"
    password  = "yUnoEm41l"
    use_ssl   = true
    start_tls = false
  }
}
Parameter Description Type
from The email address of the sender from the notification emails. string
host The SMTP server address or hostname that sends the notification emails. string
port Port of the SMTP server that sends the notification emails. int
user Username for the SMTP server that sends the notification emails. string
password Password for the SMTP server that sends the notification emails. string
use_ssl The value indicates whether the SMTP server that sends the notification emails is using SSL encryption. bool
start_tls The value indicates whether the SMTP server that sends the notification emails upgrades to TLS after the connection is established. bool

OAuth settings

See the following settings:

o_auth {
  client_id     = "123456-1n574n4adgjlmnop.apps.googleusercontent.com"
  client_secret = "XNLV-fpf_deadBeEf1234"
}
Parameter Description Type
client_id Client ID for the Google oauth credential. string
client_secret Client secret password for the Google oauth credential. string

Proxy settings

See the following settings:

proxy {
  host     = "10.9.4.13"
  port     = 8080
  user     = "anonymous"
  password = "P4ssword1234"
}
Parameter Description Type
host If your backend server communicates with the internet by using a proxy server, enter either the proxy address or hostname. string
port Port for the proxy server to speak to. int
user Username for the proxy server. string
password Password for the proxy server. string

Enabling HSTS

To enable HTTP Strict Transport Security (HSTS) globally, add the following flag in the root of the settings.hcl file:

hsts_enabled = true

Generating REST API clients

The URL to the local open API specification is https://{onpremhost}/docs/openapi (after on-premises release 170). For more information about how to configure REST API clients, see Web REST API docs.

Replacing existing certificates

To replace existing certificates with other certificates, update paths to your certificate files in the settings.hcl file by using the following command:

cert {
...
}

Then, update the system by running the following command:

instana update -f /path/to/settings.hcl
cert {
  crt = "/mnt/cert/tls.crt"
  key = "/mnt/cert/tls.key"
}

Custom certificates for webhook or mail integrations

If Instana can't validate the certificate that your SMTP server presents, you might see the following TLS error:

ERROR c.i.email.service.client.JavaMail - Mail could not be send due to an error
javax.mail.MessagingException: Could not convert socket to TLS

To configure your Instana installation to successfully send data to a webhook with a custom certificate, provide a custom Java™ keystore (jssecacerts) that contains your certificate for JVMs.

Complete the following steps to configure your Instana installation:

  1. Copy the current JVM keystore from your JVM $JAVA_HOME/lib/security/cacerts.

  2. Import your custom certificate into this keystore by using the JVM keytool with the following command:

    $JAVA_HOME/bin/keytool -importcert -file custom-crt.crt -alias instana.com -keystore cacerts -storepass changeit
    
  3. Add the absolute path of the keystore by setting the custom_keystore configuration key in the root of the settings.hcl file.

    custom_keystore="<path_to_javakeystore>"