Using New Relic on Docker

Setting up New Relic APM in a docker container without exposing license keys

Posted by Steven Tan on 16th July 2019

When enabling APM on Docker, it is tempting to store your New Relic license key in git, as this is the simplest way to get New Relic installed and set up. This can turn disastrous if your git repository is compromised: anyone holding the key can send fake data to your monitoring account, ruining your trust in the metrics.

It is preferable to keep your license keys secret to prevent this scenario from playing out, and in this post I will be outlining the ways I have avoided putting my New Relic license key into the git repo.

Building the credentials into our Container

This method builds the website container without storing the credentials in the source code. Instead, the key is passed in at build time through the "NEWRELIC_KEY" variable, which the Dockerfile receives as a build argument.

This reduces the risk of license key exposure, as the key is built into the container image rather than kept in the source, although it does not eliminate every scenario. If the Docker registry you are using is compromised, the image can be pulled and the license key extracted by running a container from it.

Build Script

# Retrieve our New Relic key via AWS SSM
export NEWRELIC_KEY=$(aws ssm get-parameters --name sktan.newrelic_key --with-decryption --query 'Parameters[0].Value' --output text)
# Inject it as a build argument. Giving --build-arg only the variable name makes docker
# read the value from the environment, so the key never appears on the command line.
docker build -f Dockerfile . -t example-container --no-cache --build-arg NEWRELIC_KEY

Dockerfile

# The key arrives as a build argument; declare it (after FROM) so ${NEWRELIC_KEY} is in scope for the RUN steps below.
ARG NEWRELIC_KEY

# Update our package lists and install the minimum requirements to set up the New Relic apt source.
RUN apt-get update
RUN DEBIAN_FRONTEND=noninteractive apt-get install -y curl gnupg2

# Set up the New Relic apt source for Debian
RUN echo deb http://apt.newrelic.com/debian/ newrelic non-free | tee /etc/apt/sources.list.d/newrelic.list
RUN curl -fsSL https://download.newrelic.com/548C16BF.gpg | apt-key add -

# Pre-seed the 2 settings the newrelic-php5 package asks for during installation.
# Note that the key ends up inside the image (debconf database and newrelic.ini), as discussed above.
RUN echo newrelic-php5 newrelic-php5/application-name string www.sktan.com | debconf-set-selections
RUN echo "newrelic-php5 newrelic-php5/license-key string ${NEWRELIC_KEY}" | debconf-set-selections

# Install New Relic PHP APM
RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y newrelic-php5

Loading credentials at runtime

Mounting the New Relic configuration file

This method mounts the configuration file into our docker container, ensuring that the credentials are never stored permanently in the container image itself. Other variations of this include pulling the file out of secure storage during container execution (e.g. Docker Swarm secrets) or injecting values into the configuration file during container execution as part of the start scripts.

docker run -d -p 80:80 --restart=always --name example-container -v /var/www/configs/newrelic-example-container.ini:/etc/php/7.2/fpm/conf.d/20-newrelic.ini docker-registry.example.com/example-container:latest

Reconfiguring the newrelic.ini file on start

This method rewrites the New Relic configuration file with a key fetched at start-up, before the PHP process starts.

website.sh

#!/bin/bash
# Container start script: fetch the key, rewrite the ini file, then start PHP-FPM.
# NEWRELIC_APPNAME is expected in the container environment (e.g. docker run -e NEWRELIC_APPNAME=...).
set -e

# Format of ini parameters we are changing
# newrelic.appname = ""
# newrelic.license = ""

NEWRELIC_LICENSE=$(aws ssm get-parameters --name sktan.newrelic_key --with-decryption --query 'Parameters[0].Value' --output text)
sed -i "s/^newrelic.appname = .*/newrelic.appname = \"${NEWRELIC_APPNAME}\"/g" /etc/php/7.2/fpm/conf.d/20-newrelic.ini
sed -i "s/^newrelic.license = .*/newrelic.license = \"${NEWRELIC_LICENSE}\"/g" /etc/php/7.2/fpm/conf.d/20-newrelic.ini
# The key now lives in the ini file only; drop it from the environment before starting PHP
unset NEWRELIC_LICENSE

# Start PHP-FPM in the foreground, replacing this shell so it receives the container's signals
exec php-fpm7.2 -F -R
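As an added example (not the post's own script), here is a fuller version of the start-script approach that also covers the "inject values at container execution" variant mentioned under the mount method: it takes the key from the environment if present and only falls back to AWS SSM otherwise, escapes sed metacharacters in the values, refuses to start on missing values, and drops the key from the environment before handing over to PHP-FPM. The NEWRELIC_INI and NEWRELIC_SSM_PARAM variables, the NEWRELIC_APPNAME requirement and the "start" argument are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): start script that renders newrelic.ini
# from a key injected in the environment or fetched from AWS SSM, then starts PHP-FPM.
set -eu

INI="${NEWRELIC_INI:-/etc/php/7.2/fpm/conf.d/20-newrelic.ini}"   # path from the post
SSM_PARAM="${NEWRELIC_SSM_PARAM:-sktan.newrelic_key}"            # parameter name from the post

# Escape a value for the replacement side of sed "s|...|...|": the delimiter, "&" and "\"
# would otherwise be interpreted by sed (an app name may legitimately contain them).
sed_escape() {
    printf '%s' "$1" | sed -e 's/[\\|&]/\\&/g'
}

# Rewrite newrelic.appname and newrelic.license in the ini file at $1.
# Fails without touching the file if a value is empty or the keys are absent.
render_newrelic_ini() {
    local ini="$1" appname="$2" license="$3" tmp app_esc lic_esc
    if [ -z "$appname" ] || [ -z "$license" ]; then
        echo "render_newrelic_ini: app name and license key are required" >&2
        return 1
    fi
    if ! grep -q '^newrelic.appname = ' "$ini" || ! grep -q '^newrelic.license = ' "$ini"; then
        echo "render_newrelic_ini: $ini lacks newrelic.appname/newrelic.license lines" >&2
        return 2
    fi
    app_esc=$(sed_escape "$appname")
    lic_esc=$(sed_escape "$license")
    tmp=$(mktemp)
    sed -e "s|^newrelic.appname = .*|newrelic.appname = \"${app_esc}\"|" \
        -e "s|^newrelic.license = .*|newrelic.license = \"${lic_esc}\"|" "$ini" > "$tmp"
    # The rendered file now holds the key: keep it unreadable to other users.
    chmod 0640 "$tmp" && mv "$tmp" "$ini"
}

newrelic_entrypoint() {
    local license="${NEWRELIC_LICENSE:-}"
    if [ -z "$license" ]; then   # not injected via -e or a mounted secret, so ask SSM
        license=$(aws ssm get-parameters --name "$SSM_PARAM" --with-decryption \
                      --query 'Parameters[0].Value' --output text)
    fi
    render_newrelic_ini "$INI" "${NEWRELIC_APPNAME:?NEWRELIC_APPNAME must be set}" "$license"
    # Drop the key from the environment so the PHP-FPM process tree does not inherit it
    # (it would otherwise be readable from /proc/<pid>/environ).
    unset NEWRELIC_LICENSE license
    exec php-fpm7.2 -F -R
}
# Act as the entrypoint only when invoked as "website.sh start"; otherwise just define the functions.
if [ "${1:-}" = "start" ]; then newrelic_entrypoint; fi
```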