Skip to content

Commit b8f6832

Browse files
authored
docs: add security best practices (#483)
1 parent 140dc35 commit b8f6832

File tree

3 files changed

+33
-3
lines changed

3 files changed

+33
-3
lines changed

distributions/README.md

Lines changed: 17 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -132,6 +132,23 @@ If the distribution provides a default configuration, some options are exposed v
132132

133133
We recommend using the default configuration, but you can always supply your own via the `--config` [flag](https://opentelemetry.io/docs/collector/configuration/). The full list of components available for configuration is available in the respective `manifest.yaml`.
134134

135+
### Security Best Practices
136+
137+
This section summarizes security practices we deem the most crucial. For comprehensive security guidance, refer to the [Collector configuration best practices](https://opentelemetry.io/docs/security/config-best-practices/).
138+
139+
#### Minimize Privileged Access
140+
141+
The collector should run as a non-root user whenever possible. If a use-case requires elevated privileges or RBAC, this will be documented in its installation instructions.
142+
143+
#### Store secrets securely
144+
Store secrets like API keys or certificates in a dedicated secret store and avoid hardcoding secrets in your config and instead prefer [environment variable expansion](https://opentelemetry.io/docs/collector/configuration/#environment-variables).
145+
146+
#### Secure connections
147+
Receivers and Exporters should always be configured to use a secure and authenticated connection. In practical terms this means
148+
- using TLS for outgoing and incoming (requires [setting up certificates](https://opentelemetry.io/docs/collector/configuration/#setting-up-certificates)) connections
149+
- require authentication for backends the collector writes to, e.g. via an API Key
150+
- bind receivers to specific network interfaces, such as a pod’s IP, or `localhost` instead of `0.0.0.0` ([#1](https://opentelemetry.io/docs/security/config-best-practices/#protect-against-denial-of-service-attacks), [#2](https://cwe.mitre.org/data/definitions/1327.html)) to prevent exposing unintended access
151+
135152
## Additional Notes
136153

137154
### Healthcheck

distributions/nrdot-collector-host/README.md

Lines changed: 8 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -16,9 +16,15 @@ Note: See [general README](../README.md) for information that applies to all dis
1616

1717
The following instructions assume you have read and understood the [general installation instructions](../README.md#installation).
1818

19+
### Linux Packages and NRDOT_MODE=ROOT
20+
Our linux packages (deb, rpm) install the collector as a `systemd` service. By default the collector is installed as a non-root user to prevent unintended access by accident. While this is usually sufficient for the `hostmetricsreceiver` to scrape host metrics, the `filelogreceiver` is likely to run into permission issues reading the default files from the `/var/log` directory and report errors for the affected files.
21+
Your options to address this issue are:
22+
- adjust the list of files to avoid accessing privileged files, either by providing your own complete config or by overwriting the list, e.g. `--config 'yaml:receivers::filelog::include: [/var/log/dpkg.log, /var/log/messages]'`
23+
- provide access to those files for the collector user, see `nrdot-collector-host.service` for the exact IDs
24+
- install the collector in root mode by setting the environment variable `NRDOT_MODE=ROOT` before calling `dpkg`/`rpm` to install the service
25+
1926
### Containerized Environments
20-
If you're deploying the `host` distribution as a container, make sure to configure the [root_path](https://github.com/open-telemetry/opentelemetry-collector-contrib/blob/main/receiver/hostmetricsreceiver/README.md#collecting-host-metrics-from-inside-a-container-linux-only) and mount the host's file system accordingly, otherwise NRDOT will not be able
21-
See also [our troubleshooting guide](./TROUBLESHOOTING.md) for more details.
27+
If you're deploying the collector as a container, make sure to configure the [root_path](https://github.com/open-telemetry/opentelemetry-collector-contrib/blob/main/receiver/hostmetricsreceiver/README.md#collecting-host-metrics-from-inside-a-container-linux-only) and mount the host's file system accordingly, otherwise NRDOT will not be able to collect host metrics. See also [our troubleshooting guide](./TROUBLESHOOTING.md) for more details.
2228

2329

2430
## Configuration

distributions/nrdot-collector/README.md

Lines changed: 8 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -29,8 +29,15 @@ This is the default use case for `nrdot-collector`, i.e. the published artifacts
2929

3030
The following instructions assume you have read and understood the [general installation instructions](../README.md#installation).
3131

32+
#### Linux Packages and NRDOT_MODE=ROOT
33+
Our linux packages (deb, rpm) install the collector as a `systemd` service. By default the collector is installed as a non-root user to prevent unintended access by accident. While this is usually sufficient for the `hostmetricsreceiver` to scrape host metrics, the `filelogreceiver` is likely to run into permission issues reading the default files from the `/var/log` directory and report errors for the affected files.
34+
Your options to address this issue are:
35+
- adjust the list of files to avoid accessing privileged files, either by providing your own complete config or by overwriting the list, e.g. `--config 'yaml:receivers::filelog::include: [/var/log/dpkg.log, /var/log/messages]'`
36+
- provide access to those files for the collector user, see `nrdot-collector.service` for the exact IDs
37+
- install the collector in root mode by setting the environment variable `NRDOT_MODE=ROOT` before calling `dpkg`/`rpm` to install the service
38+
3239
#### Containerized Environments
33-
When deploying as a container, configure the [root_path](https://github.com/open-telemetry/opentelemetry-collector-contrib/blob/main/receiver/hostmetricsreceiver/README.md#collecting-host-metrics-from-inside-a-container-linux-only) and mount the host's file system accordingly for proper host metrics collection. See [troubleshooting guide](./TROUBLESHOOTING.md) for details.
40+
If you're deploying the collector as a container, make sure to configure the [root_path](https://github.com/open-telemetry/opentelemetry-collector-contrib/blob/main/receiver/hostmetricsreceiver/README.md#collecting-host-metrics-from-inside-a-container-linux-only) and mount the host's file system accordingly, otherwise NRDOT will not be able to collect host metrics. See also [our troubleshooting guide](./TROUBLESHOOTING.md) for more details.
3441

3542
### Configuration
3643

0 commit comments

Comments
 (0)