Haxxnet / Compose-Examples

Various Docker Compose examples of selfhosted FOSS and proprietary projects.

Home Page: https://haxxnet.github.io/Compose-Examples/

Question about the grafana stack in regard to telegraf settings

ovizii opened this issue

commented

Hi there and thanks for sharing your compose files. Would you mind adding a few more explanations about what needs to be done to run telegraf as non root user?

I saw the link to the blog post you added but I am unsure what I need to do to get your compose file from here up and running: https://github.com/Haxxnet/Compose-Examples/tree/main/examples/grafana-monitoring

Your compose file contains:
user: telegraf:998

What do I need to do so that telegraf has access to the volumes it needs?
Most of them seem to be root owned so I doubt this works out of the box.
Also, does telegraf:998 indicate the user name and UUID that will run inside the telegraf container? My docker host system obviously has no UUID 998 - any hints on what else needs to be done?

commented

Btw. I use https://github.com/Tecnativa/docker-socket-proxy to give certain containers access to a limited part of the docker socket (possible permissions are listed here: https://github.com/Tecnativa/docker-socket-proxy/blob/master/Dockerfile) so I am wondering what permissions telegraf needs to be given on the docker socket?

i.e. traefik and watchtower are happy with these permissions:
events, ping, version, containers, images

commented

Hi @ovizii,

sure, no worries.

If you read the provided reference link regarding Telegraf, you'll notice that the Telegraf release 1.20.3 now runs as a non-root user. This may lead to permission issues now, as the previous Telegraf images were just run as the root user.

If a user passes in the Docker socket for Telegraf to monitor Docker itself, then they will need to add the telegraf user to the group that owns the Docker socket.

As the reference link explains, you can run the following command on your server to obtain the correct GUID. In my case and most often, it will return 998 as group id.

stat -c '%g' /var/run/docker.sock

Alternatively, we can pass the whole command already in the compose file. During runtime, the correct group id will be obtained and applied on the Telegraf container. Should look like this then:

  telegraf:
    image: telegraf:latest
    user: telegraf:$(stat -c '%g' /var/run/docker.sock)

I adjusted the compose now. See 751053d
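
Added example, not part of the thread or the project's compose file: Compose substitutes `${VAR}` values from the environment or a `.env` file but does not execute `$(...)` command substitution, so this script resolves the socket's group id in the shell first and stores it for Compose to interpolate. The function names, the `DOCKER_GID` variable and the `.env` location are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Function names, the DOCKER_GID variable
# and the .env location are assumptions for illustration.

# Print the numeric group id that owns the given path (default: Docker socket).
socket_gid() {
    sock="${1:-/var/run/docker.sock}"
    [ -e "$sock" ] || { echo "not found: $sock" >&2; return 1; }
    gid="$(stat -c '%g' "$sock")" || return 1
    # Refuse anything that is not a plain number before it reaches the compose file.
    case "$gid" in
        ''|*[!0-9]*) echo "unexpected gid: $gid" >&2; return 1 ;;
    esac
    printf '%s\n' "$gid"
}

# Write or replace DOCKER_GID=<gid> in an env file, keeping all other entries.
write_env_gid() {
    env_file="$1"
    gid="$(socket_gid "${2:-/var/run/docker.sock}")" || return 1
    tmp="$(mktemp "${env_file}.XXXXXX")" || return 1
    if [ -f "$env_file" ]; then
        grep -v '^DOCKER_GID=' "$env_file" > "$tmp" || true
    fi
    printf 'DOCKER_GID=%s\n' "$gid" >> "$tmp"
    mv "$tmp" "$env_file"
}

# Compose side (docker-compose.yml), reading the value written above:
#   telegraf:
#     image: telegraf:latest
#     user: "telegraf:${DOCKER_GID}"
#
# Usage: write_env_gid .env && docker compose up -d telegraf
```

Re-run `write_env_gid` after moving the stack to another host, since the socket's group id differs between systems.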

commented

> Btw. I use https://github.com/Tecnativa/docker-socket-proxy to give certain containers access to a limited part of the docker socket (possible permissions are listed here: https://github.com/Tecnativa/docker-socket-proxy/blob/master/Dockerfile) so I am wondering what permissions telegraf needs to be given on the docker socket?
>
> i.e. traefik and watchtower are happy with these permissions: events, ping, version, containers, images

Sorry, I haven't used docker-socket-proxy. So no idea about relevant permissions.

commented

Thank you! This makes so much more sense to me now. :-)

btw. stat -c '%g' /var/run/docker.sock returns 997 on my Debian 11 machine.

I will update this thread in case I figure out more about the docker-socket-proxy situation. For now, I have found out how to connect telegraf to docker via tcp instead of using the socket.

# Read metrics about docker containers
[[inputs.docker]]
  ## Docker Endpoint
  ##   To use TCP, set endpoint = "tcp://[ip]:[port]"
  ##   To use environment variables (ie, docker-machine), set endpoint = "ENV"
  ## endpoint = "unix:///var/run/docker.sock"
  endpoint = "tcp://docker-socket-proxy:2375"

In case I get permission problems I'll know exactly what permissions telegraf needs.