diff --git a/Dockerfiles/agent/Dockerfile b/Dockerfiles/agent/Dockerfile index 8ac4e773df2ab..ec47e665f5bd1 100644 --- a/Dockerfiles/agent/Dockerfile +++ b/Dockerfiles/agent/Dockerfile @@ -49,7 +49,11 @@ ARG WITH_JMX ENV DOCKER_DD_AGENT=yes \ PATH=/opt/datadog-agent/bin/agent/:/opt/datadog-agent/embedded/bin/:$PATH \ CURL_CA_BUNDLE=/opt/datadog-agent/embedded/ssl/certs/cacert.pem \ - TERM=xterm \ + # Disable dsd, apm and logs listening until user decides so, to avoid unknown open ports + DD_DOGSTATSD_NON_LOCAL_TRAFFIC=false \ + DD_APM_ENABLED=false \ + DD_APM_NON_LOCAL_TRAFFIC=true \ + DD_LOGS_ENABLED=false \ # Pass envvar variables to agents S6_KEEP_ENV=1 \ # Direct all agent logs to stdout diff --git a/Dockerfiles/agent/README.md b/Dockerfiles/agent/README.md index d14352731dc60..4dc59483d556f 100644 --- a/Dockerfiles/agent/README.md +++ b/Dockerfiles/agent/README.md @@ -28,9 +28,11 @@ The agent is highly customizable, here are the most used environment variables: ##### Optional collection agents +These features are disabled by default for security or performance reasons, you need to explicitly enable them: + - `DD_APM_ENABLED`: run the trace-agent along with the infrastructure agent, allowing the container to accept traces on 8126/tcp -- `DD_PROCESS_AGENT_ENABLED`: run the [process-agent](https://docs.datadoghq.com/graphing/infrastructure/process/) along with the infrastructure agent, feeding data to the Live Process View and Live Containers View - `DD_LOGS_ENABLED`: run the [log-agent](https://docs.datadoghq.com/logs/) along with the infrastructure agent. [See below for details](#log-collection) +- `DD_PROCESS_AGENT_ENABLED`: enable live process collection in the [process-agent](https://docs.datadoghq.com/graphing/infrastructure/process/). The Live Container View is already enabled by default if the Docker socket is available ##### Dogstatsd (custom metrics) diff --git a/docs/agent/changes.md b/docs/agent/changes.md index 147a96a53cec4..18c4a909a222c 100644 
--- a/docs/agent/changes.md +++ b/docs/agent/changes.md @@ -193,7 +193,12 @@ The APM agent (also known as _trace agent_) is shipped by default with the Agent 6 in the Linux, MacOS and Windows packages. Similar to the Agent 5, the APM agent is enabled by default. To disable it, set -`apm_enabled` to `false` in the main agent configuration (`datadog.yaml`). +`apm_enabled` to `false` in the main agent configuration (`datadog.yaml`). It only +listens to localhost by default. You can set `apm_config.apm_non_local_traffic = true` +to enable listening on the network. + +In the Docker image, the APM agent is disabled by default. You can enable it by setting +the `DD_APM_ENABLED` envvar to `true`. It will listen to all interfaces by default. _Optional_: If you need to use apm-specific configuration options (i.e. options that would be specified under the `[trace.config]`, `[trace.sampler]` and `[trace.receiver]` in diff --git a/releasenotes/notes/disable-apm-default-f32eaa7cb3d7f157.yaml b/releasenotes/notes/disable-apm-default-f32eaa7cb3d7f157.yaml new file mode 100644 index 0000000000000..493a45596449b --- /dev/null +++ b/releasenotes/notes/disable-apm-default-f32eaa7cb3d7f157.yaml @@ -0,0 +1,9 @@ +--- +upgrade: + - | + Normal installations: APM now listens to localhost only by default, you need to set + `apm_config.apm_non_local_traffic = true` to enable listening on the network + - | + Docker image: APM is now disabled by default, you need to set `DD_APM_ENABLED=true` + to run the trace agent. It listens on all interfaces by default when running, you can + set `DD_APM_NON_LOCAL_TRAFFIC=false` to only listen on localhost
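Review bot: in the Dockerfiles/agent/Dockerfile hunk, `TERM=xterm \` is removed from the ENV block with nothing replacing it, which is unrelated to the stated purpose of the change; if dropping it is intentional, say so in the commit message, otherwise keep it next to the new `DD_*` lines. Also, baking `DD_APM_NON_LOCAL_TRAFFIC=true` into the image means that flipping `DD_APM_ENABLED` to `true` exposes the trace receiver on every interface, which sits awkwardly next to the new comment "to avoid unknown open ports"; binding to all interfaces is a defensible container default, but extend the comment to say that APM, once enabled, listens non-locally on purpose, so the next reader does not take it for a mistake.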
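Review bot: in the Dockerfiles/agent/README.md hunk, the `DD_APM_ENABLED` bullet should state that once enabled the trace-agent accepts traces on 8126/tcp from all interfaces and that `DD_APM_NON_LOCAL_TRAFFIC=false` restricts it to localhost; this patch documents that knob only in the release note, while the README is what operators of the image actually read. The new lead-in sentence is a comma splice; suggest "These features are disabled by default for security or performance reasons; you need to enable them explicitly:". The rewritten `DD_PROCESS_AGENT_ENABLED` bullet also says the Live Container View "is already enabled by default", which contradicts the list heading that these features are disabled by default; reword it to make clear that only live process collection needs the flag.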
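Review bot: in the docs/agent/changes.md hunk, `apm_config.apm_non_local_traffic = true` is written in the Agent 5 INI style (`key = value`, like the `[trace.config]` sections referenced two lines below) but the sentence is about `datadog.yaml`; show the YAML nesting instead, i.e. `apm_config:` followed by an indented `apm_non_local_traffic: true`, so readers do not paste an invalid line into a YAML file. The same `key = value` notation appears in the release note added by this patch and should be fixed there as well. Minor: "listens to localhost" should read "listens on localhost", and the Docker paragraph should name the port (8126/tcp per the README) that becomes reachable on all interfaces.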
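Review bot: in the releasenotes hunk, the "Normal installations" entry announces a changed default (APM now bound to localhost only), while the changes.md text in this same patch presents localhost-only listening as the existing behaviour; the two should agree on whether this is new in this release, because an operator whose tracers reach the host agent over the network will silently lose traces after upgrading until `apm_non_local_traffic` is set, and an upgrade note is exactly where that needs to be unambiguous. Both bullets are comma splices ("by default, you need to set"); use a semicolon or start a new sentence, and the first bullet should end with a period like the second.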