dhi.io/victoriametrics-vmstorage
VictoriaMetrics VMStorage is the ingestion component for a VictoriaMetrics cluster.
All examples in this guide use the public image. If you’ve mirrored the repository for your own use (for example, to your Docker Hub namespace), update your commands to reference the mirrored image instead of the public one.
For example:
dhi.io/<repository>:<tag><your-namespace>/dhi-<repository>:<tag>For the examples, you must first use docker login dhi.io to authenticate to the registry to pull the images.
This Docker Hardened VictoriaMetrics VMStorage image includes the vmstorage component of the VictoriaMetrics
monitoring stack. The vmstorage service is responsible for storing and retrieving time series data. It works in
conjunction with other VictoriaMetrics components like vminsert (for data ingestion) and vmselect (for querying
data).
docker run -d --name victoriametrics-vmstorage -p 8482:8482 -p 8400:8400 -p 8401:8401 dhi.io/victoriametrics-vmstorage:<tag>
You can install VictoriaMetrics using the official helm chart and replace the image. Replace <your-registry-secret>
with your Kubernetes image pull secret and <tag> with the desired image
tag.
helm repo add victoriametrics https://victoriametrics.github.io/helm-charts
helm repo update
helm upgrade --install victoria-metrics-cluster victoriametrics/victoria-metrics-cluster \
-n victoriametrics --create-namespace --wait \
--set "global.pullSecrets[0].name=<your-registry-secret>" \
--set vmstorage.image.registry="" \
--set vmstorage.image.repository="<IMAGE_REPOSITORY>" \
--set vmstorage.image.tag="<IMAGE_TAG>" \
--set vmstorage.podSecurityContext.enabled=true \
--set vmstorage.podSecurityContext.fsGroup=65532 \
--set vmstorage.securityContext.enabled=true \
--set vmstorage.securityContext.runAsNonRoot=true \
--set vmstorage.securityContext.runAsUser=65532 \
--set vmstorage.securityContext.runAsGroup=65532
| Feature | Non-hardened VictoriaMetrics VMStorage | Docker Hardened VictoriaMetrics VMStorage |
|---|---|---|
| Security | Standard base with common utilities | Minimal, hardened base with security patches |
| Shell access | Full shell (bash/sh) available | No shell in runtime variants |
| Package manager | apt/apk available | No package manager in runtime variants |
| User | Runs as root by default | Runs as nonroot user |
| Attack surface | Larger due to additional utilities | Minimal, only essential components |
| Debugging | Traditional shell debugging | Use Docker Debug or Image Mount for troubleshooting |
Docker Hardened Images prioritize security through minimalism:
The hardened images intended for runtime don't contain a shell nor any tools for debugging. Common debugging methods for applications built with Docker Hardened Images include:
Docker Debug provides a shell, common debugging tools, and lets you install other tools in an ephemeral, writable layer that only exists during the debugging session.
For example, you can use Docker Debug:
docker debug <image-name>
or mount debugging tools with the Image Mount feature:
docker run --rm -it --pid container:my-container \
--mount=type=image,source=dhi.io/busybox,destination=/dbg,ro \
dhi.io/victoriametrics-vmstorage:<tag> /dbg/bin/sh
Docker Hardened Images come in different variants depending on their intended use.
Runtime variants are designed to run your application in production. These images are intended to be used either
directly or as the FROM image in the final stage of a multi-stage build. These images typically:
Build-time variants typically include dev in the variant name and are intended for use in the first stage of a
multi-stage Dockerfile. These images typically:
Switching to the hardened VictoriaMetrics VMStorage image does not require any special changes. You can use it as a
drop-in replacement for the standard VictoriaMetrics VMStorage (victoriametrics/vmstorage) image in your existing
workflows and configurations. Note that the entry point for the hardened image may differ from the standard image, so
ensure that your commands and arguments are compatible.
Replace the image reference in your Docker run command or Compose file.
All your existing command-line arguments, environment variables, port mappings, and network settings remain the same.
Test your migration and use the troubleshooting tips below if you encounter any issues.
The hardened images intended for runtime don't contain a shell nor any tools for debugging. The recommended method for debugging applications built with Docker Hardened Images is to use Docker Debug to attach to these containers. Docker Debug provides a shell, common debugging tools, and lets you install other tools in an ephemeral, writable layer that only exists during the debugging session.
By default image variants intended for runtime, run as the nonroot user. Ensure that necessary files and directories are accessible to the nonroot user. You may need to copy files to different directories or change permissions so your application running as the nonroot user can access them.
Non-dev hardened images run as a nonroot user by default. As a result, applications in these images can't bind to privileged ports (below 1024) when running in Kubernetes or in Docker Engine versions older than 20.10.
By default, image variants intended for runtime don't contain a shell. Use dev images in build stages to run shell commands and then copy any necessary artifacts into the runtime stage. In addition, use Docker Debug to debug containers with no shell.
Docker Hardened Images may have different entry points than images such as Docker Official Images. Use docker inspect
to inspect entry points for Docker Hardened Images and update your Dockerfile if necessary.