slafs/sentry

By slafs

Updated over 7 years ago

my approach for Dockerizing Sentry (configurable with Postgres, Redis cache, Celery w. Redis and LDAP auth backend)

Image
53

100K+

Sentry in Docker

Maintenance

Since Sentry now officially supports installation via Docker - this repository will no longer be updated.

More info on Sentry's Docker installation https://docs.sentry.io/server/installation/docker/.

Warning about build tags

Latest changes introduced some new build tags:

  • 8.0 - current stable version (8.0.X)
  • 7.7 - old stable version (7.7.4) - no longer updated
  • 7.6 - old stable version (7.6.2) - no longer updated
  • 7.5 - old stable version (7.5.6) - no longer updated
  • 7.4 - old stable version (7.4.3) - no longer updated
  • 7.3 - old stable version (7.3.2) - no longer updated
  • 7.2 - old stable version (7.2.0) - no longer updated
  • 7.1 - old stable version (7.1.4) - no longer updated
  • 7.0 - older stable version (7.0.2) - no longer updated
  • 6.4 - even older stable version (6.4.4) - no longer updated
  • dev - current master on github (infrequent builds)
  • latest (the default one used earlier) - is now the same as 8.0

if you want to keep your builds same as before update your Dockerfiles and change FROM slafs/sentry to FROM slafs/sentry:6.4.

Requirements Status

This is my approach for running Sentry inside Docker. Almost everything here is configurable via environment variables (including DATABASES and CACHES settings). It can be easily configured to run with redis (cache, buffers and celery broker), postgres database, LDAP and REMOTE_USER authentication backends.

Quickstart

to run a Sentry instance with default settings (with sqlite, locmem cache and no celery) run:

docker run -d --name=sentry --volume=/tmp/sentry:/data -p 80:9000 -e SECRET_KEY=randomvalue -e SENTRY_URL_PREFIX=http://sentry.mydomain.com slafs/sentry

You can visit now http://sentry.mydomain.com (assuming sentry.mydomain.com is mapped to your docker host) and login with default credentials (username admin and password admin) and create your first team and project.

Your sqlite database file and gunicorn logs are available in /tmp/sentry directory.

Contributing

Try not to fork this repo just to create your own Docker image with some minor tweak. Please open an issue on GitHub and maybe we can include your use case directly within this image :).

You can even write a test case for your feature ;). See CONTRIBUTING.md.

Also feel free to give feedback and comments about this image in general.

Advanced usage

Copy the file with environment variables environment.example e.g cp environment.example environment and after tweaking some values run sentry like this

docker run -d --name=sentry --volume=/tmp/sentry:/data -p 80:9000 --env-file=environment slafs/sentry

ENTRYPOINT for this image is a little wrapper script around default sentry executable. Default CMD is start which runs upgrade command (initializes and upgrades the database) and creates a default administrator (superuser) and then runs a http service (as in sentry --config=... start).

All commands and args are passed to the sentry executable. This means

docker run [docker options] slafs/sentry --help

refers to running:

sentry --config=/conf/sentry.conf.py --help

inside the container.

Admin user

You can specify a username, password and email address to create an initial sentry administrator.

Add those variables to your environment file

SENTRY_ADMIN_USERNAME=slafs
SENTRY_ADMIN_PASSWORD=mysecretpass
SENTRY_ADMIN_EMAIL=slafs@foo.com

See django docs for details about createsuperuser command.

The default administrator username is admin with password admin (and root@localhost as email adress).

Postgres

It is recommended to run your sentry instance with PostgreSQL database. To link your sentry instance with a postgres container you can do it like this:

  1. Pull an official PostgreSQL image: docker pull postgres (if you haven't already).
  2. Run postgres container (from the official Docker image): docker run -d --name=postgres_container postgres.
  3. Add DATABASE_URL=postgres://postgres:@postgresdb/postgres to environment file.
  4. Run sentry with linked postgres container: docker run -d --name=sentry --volume=/tmp/sentry:/data -p 80:9000 --env-file=environment --link=postgres_container:postgresdb slafs/sentry

Notice that an alias for your linked postgres container (postgresdb) is the same as a postgres host in DATABASE_URL variable.

DATABASE_URL is a value that is parsed by an external app called dj-database-url.

Redis

Redis container can be used to improve sentry performance in number of ways. It can be used as a:

  • cache backend,
  • sentry buffers,
  • celery broker.

You can link your sentry instance with a redis container like this:

  1. Pull an official Redis image: docker pull redis (if you haven't already).
  2. Run redis container (from the official Docker image): docker run -d --name=redis_container redis

docker run -d --name=sentry --volume=/tmp/sentry:/data -p 80:9000 --env-file=environment --link=postgres_container:postgresdb --link=redis_container:redis slafs/sentry```

If you want to use a different container alias for redis you should add SENTRY_REDIS_HOST=your_redis_alias to environment file.

Cache with redis

To use a redis cache backend add CACHE_URL=hiredis://redis:6379/2 (make sure you won't have a trailing / in this setting) to environment file (where redis is the alias of your linked redis container). See django-cache-url docs for available formats.

Sentry buffers with redis

To use sentry update buffers with redis you must add SENTRY_USE_REDIS_BUFFERS=True to environment file.

If you have many redis containers/hosts you can set a list of those hosts in SENTRY_REDIS_BUFFERS variable so they can be used by sentry. Like this: SENTRY_REDIS_BUFFERS=redis1:6380,redis2:6381.

See sentry docs for details about redis buffer.

Celery with redis (and postgres)

To use Celery in sentry you must add CELERY_ALWAYS_EAGER=False to your environment file and run a celery worker like this:

docker run -d --name=sentry_celery_worker --link=redis_container:redis --link=postgres_container:postgresdb --volume=/tmp/sentry:/data --env-file=environment slafs/sentry celery worker -B

You can also set a different BROKER_URL via environment file by adding this: SENTRY_BROKER_URL=redis://otherredishost:6379/1

You can run as many celery worker containers as you want but remember that only one of them should be run with -B option.

If you're using default values for CELERY_RESULT_SERIALIZER, CELERY_TASK_SERIALIZER and CELERY_ACCEPT_CONTENT (default values support pickle) you have to set C_FORCE_ROOT env var (to say 1) to be able to run celery as a root user. You can avoid this by setting those three to json. Refer to Celery's serializer docs for more info about security implications of using pickle as a task serialization format.

Time-series storage with redis

To have time-series data you must add SENTRY_USE_REDIS_TSDB=True to the environment file.

By default Redis time-series storage will use the Redis connection defined by SENTRY_REDIS_HOST and SENTRY_REDIS_PORT. Similarly to configuring buffers, you can set SENTRY_REDIS_TSDBS to a list of Redis servers: SENTRY_REDIS_TSDBS=redis1:6379,redis2:6380

Email

You can configure all email settings by environment variables with SENTRY_ prefix. You have to also change an email backend and set it to SENTRY_EMAIL_BACKEND=django.core.mail.backends.smtp.EmailBackend or something similar.

LDAP

With this image You should be able to easily configure LDAP authentication for your Sentry instance. To enable it add SENTRY_USE_LDAP=True to your environment file. Then set the needed options by adding env variables with LDAP_ prefix (see the table below). LDAP authentication backend is provided by django-auth-ldap.

REMOTE_USER

To enable authentication via REMOTE_USER, add SENTRY_USE_REMOTE_USER=True to your environment file. See the AUTH_REMOTE_USER_* env variables below for further configuration.

Available environment variables

Refer to sentry documentation, django documentation, celery documentation and django-auth-ldap documentation for the meaning of each setting.

Environment variable nameDjango/Sentry settingTypeDefault valueDescription
SECRET_KEYSECRET_KEYREQUIRED!set this to something random
SENTRY_URL_PREFIXSENTRY_URL_PREFIXREQUIRED!no trailing slash!
DATABASE_URLDATABASESsqlite:////data/sentry.db
CACHE_URLCACHESlocmem://
CELERY_ALWAYS_EAGERCELERY_ALWAYS_EAGERboolTrue
SENTRY_BROKER_URLBROKER_URLredis://<SENTRY_REDIS_HOST>:<SENTRY_REDIS_PORT>/1
CELERY_RESULT_SERIALIZERCELERY_RESULT_SERIALIZERpickleYou may want change it to json. See http://docs.celeryproject.org/en/stable/configuration.html#celery-result-serializer
CELERY_TASK_SERIALIZERCELERY_TASK_SERIALIZERpickleYou may want change it to json. See http://docs.celeryproject.org/en/stable/configuration.html#celery-task-serializer
CELERY_ACCEPT_CONTENTCELERY_ACCEPT_CONTENTlistpickle,jsonComma separated values. You may want change it to json. See http://docs.celeryproject.org/en/stable/configuration.html#celery-accept-content
SENTRY_REDIS_HOSTredis
SENTRY_REDIS_PORTint6379
SENTRY_WEB_HOSTSENTRY_WEB_HOST0.0.0.0
SENTRY_WEB_PORTSENTRY_WEB_PORTint9000
SENTRY_WORKERSSENTRY_WEB_OPTIONS['workers']int3the number of gunicorn workers
SENTRY_USE_REDIS_BUFFERSboolFalse
SENTRY_REDIS_BUFFERSSENTRY_REDIS_OPTIONS['hosts']*list<SENTRY_REDIS_HOST>:<SENTRY_REDIS_PORT>comma separated list of redis hosts (host1:port1,host2:port2,...)
SENTRY_USE_REDIS_TSDBboolFalse
SENTRY_REDIS_TSDBSSENTRY_TSDB_OPTIONS['hosts']*list<SENTRY_REDIS_HOST>:<SENTRY_REDIS_PORT>comma separated list of redis hosts (host1:port1,host2:port2,...)
SENTRY_EMAIL_BACKENDEMAIL_BACKENDdjango.core.mail.backends.console.EmailBackend
SENTRY_EMAIL_HOSTEMAIL_HOSTlocalhost
SENTRY_EMAIL_HOST_PASSWORDEMAIL_HOST_PASSWORD''
SENTRY_EMAIL_HOST_USEREMAIL_HOST_USER''
SENTRY_EMAIL_PORTEMAIL_PORTint25
SENTRY_EMAIL_USE_TLSEMAIL_USE_TLSboolFalse
SENTRY_SERVER_EMAILSERVER_EMAILroot@localhost
SENTRY_ALLOW_REGISTRATIONSENTRY_ALLOW_REGISTRATIONboolFalse
SENTRY_ADMIN_USERNAMEadminusername for Sentry's superuser
SENTRY_ADMIN_PASSWORDadminpassword for Sentry's superuser
SENTRY_ADMIN_EMAILSENTRY_ADMIN_EMAILroot@localhostemail address for Sentry's superuser and a setting as of Sentry 7.3
SENTRY_DATA_DIR/datacustom location for logs and sqlite database
TWITTER_CONSUMER_KEYTWITTER_CONSUMER_KEY''
TWITTER_CONSUMER_SECRETTWITTER_CONSUMER_SECRET''
FACEBOOK_APP_IDFACEBOOK_APP_ID''
FACEBOOK_API_SECRETFACEBOOK_API_SECRET''
GOOGLE_OAUTH2_CLIENT_IDGOOGLE_OAUTH2_CLIENT_ID''
GOOGLE_OAUTH2_CLIENT_SECRETGOOGLE_OAUTH2_CLIENT_SECRET''
GITHUB_APP_IDGITHUB_APP_ID''
GITHUB_API_SECRETGITHUB_API_SECRET''
TRELLO_API_KEYTRELLO_API_KEY''
TRELLO_API_SECRETTRELLO_API_SECRET''
BITBUCKET_CONSUMER_KEYBITBUCKET_CONSUMER_KEY''
BITBUCKET_CONSUMER_SECRETBITBUCKET_CONSUMER_SECRET''
SENTRY_USE_LDAPboolFalseif set to False all other LDAP settings are discarded
LDAP_SERVERAUTH_LDAP_SERVER_URIldap://localhost
LDAP_BIND_DNAUTH_LDAP_BIND_DN''
LDAP_BIND_PASSWORDAUTH_LDAP_BIND_PASSWORD''
LDAP_USER_DNAUTH_LDAP_USER_SEARCH*REQUIRED! if you want to use LDAP authfirst argument of LDAPSearch (base_dn) when searching for users
LDAP_USER_FILTERAUTH_LDAP_USER_SEARCH*(&(objectClass=inetOrgPerson)(cn=%(user)s))third argument of LDAPSearch (filterstr) when searching for users
LDAP_GROUP_DNAUTH_LDAP_GROUP_SEARCH*''first argument of LDAPSearch (base_dn) when searching for groups
LDAP_GROUP_FILTERAUTH_LDAP_GROUP_SEARCH*(objectClass=groupOfUniqueNames)third argument of LDAPSearch (filterstr) when searching for groups
LDAP_GROUP_TYPEAUTH_LDAP_GROUP_TYPE*''if set to 'groupOfUniqueNames' then AUTH_LDAP_GROUP_TYPE = GroupOfUniqueNamesType(), if set to 'posixGroup' then AUTH_LDAP_GROUP_TYPE = PosixGroupType().
LDAP_REQUIRE_GROUPAUTH_LDAP_REQUIRE_GROUPNone
LDAP_DENY_GROUPAUTH_LDAP_DENY_GROUPNone
LDAP_MAP_FIRST_NAMEAUTH_LDAP_USER_ATTR_MAP['first_name']givenName
LDAP_MAP_LAST_NAMEAUTH_LDAP_USER_ATTR_MAP['last_name']sn
LDAP_MAP_MAILAUTH_LDAP_USER_ATTR_MAP['email']mail
LDAP_GROUP_ACTIVEAUTH_LDAP_USER_FLAGS_BY_GROUP['is_active']''
LDAP_GROUP_STAFFAUTH_LDAP_USER_FLAGS_BY_GROUP['is_staff']''
LDAP_GROUP_SUPERUSERAUTH_LDAP_USER_FLAGS_BY_GROUP['is_superuser']''
LDAP_FIND_GROUP_PERMSAUTH_LDAP_FIND_GROUP_PERMSboolFalse
LDAP_CACHE_GROUPSAUTH_LDAP_CACHE_GROUPSboolTrue
LDAP_GROUP_CACHE_TIMEOUTAUTH_LDAP_GROUP_CACHE_TIMEOUTint3600
LDAP_LOGLEVELDEBUGdjango_auth_ldap logger level (other values: NOTSET (to disable), INFO, WARNING, ERROR or CRITICAL)
SENTRY_USE_REMOTE_USERboolFalseuse REMOTE_USER for authentication; useful if you're behind your own SSO
AUTH_REMOTE_USER_HEADERNoneif set, this value will be read from the request object instead of REMOTE_USER, as described here. For example: HTTP_X_SSO_USERNAME
SENTRY_INITIAL_TEAMconvenient in development - creates an initial team inside Sentry DB with the given name
SENTRY_INITIAL_PROJECTconvenient in development - creates an initial project for the above team (owner for both is the created admin )
SENTRY_INITIAL_PLATFORM'python'convenient in development - indicates a platform for the above initial project
SENTRY_INITIAL_KEYconvenient in development - updates a key for the above project so you can set DSN in your client. (e.g. public:secret)
SENTRY_INITIAL_DOMAINSconvenient in development - updates allowed domains for usage with raven-js e.g. example.com *.example.com (space separated)
SENTRY_SCRIPTS_DIRconvenient in development - required for the wrapper and non Docker scenarios (you can leave this empty)
SENTRY_SECURE_PROXY_SSL_HEADERSECURE_PROXY_SSL_HEADERNonewhen running with SSL set this to 'HTTP_X_FORWARDED_PROTO,https' (comma separated)
SENTRY_USE_X_FORWARDED_HOSTUSE_X_FORWARDED_HOSTboolFalsewhen running behind proxy or with SSL set this to 'True'
SENTRY_ALLOW_ORIGINSENTRY_ALLOW_ORIGINNoneallows JavaScript clients to submit cross-domain error reports. (e.g. "http://foo.example"
SENTRY_BEACONSENTRY_BEACONboolTruecontrols sending statistics to https://www.getsentry.com/remote/beacon/
SENTRY_PUBLICSENTRY_PUBLICboolFalseShould Sentry make all data publicly accessible? This should only be used if you’re installing Sentry behind your company’s firewall.
SENTRY_DOCKER_DO_DB_CHECKanyif this variable is set (to any non-empty value) the script (sentry_run) will check if DB is accessible before running migrations/service - helps to avoid nasty race conditions

Extending the image

If your use case is out the scope of this generic image, you can extend this image to include your custom packages, configuration etc. and still be able to take advantage of all features here. All you need to do is create your own image based on this one.

For example to install and use a plugin like sentry-github and/or change a setting that isn't managed by this image you can have a following config script my_custom_settings.py:

# get all the configuration from the original image
from sentry_docker_conf import *  # noqa

# change some settings - for example the port
# (of course you can do this also by setting environment variable ``SENTRY_WEB_PORT``)
SENTRY_WEB_PORT = 5000

# configure sentry-github
GITHUB_APP_ID = 'GitHub Application Client ID'
GITHUB_API_SECRET = 'GitHub Application Client Secret'
GITHUB_EXTENDED_PERMISSIONS = ['repo']
...

and a

Docker Pull Command

docker pull slafs/sentry