Fix rootless Podman logging and enforce runner-specific configuration

README.md

@@ -1,4 +1,3 @@
-
 # Rocket.Chat Compose Files
 
 ## Important Note!
@@ -13,13 +12,14 @@ https://forums.rocket.chat/t/action-required-docker-compose-moving-from-bitnami-
 2. cd to the cloned dir: `cd rocketchat-compose`
 3. Copy the example environment file: `cp .env.example .env`
 4. Edit .env file and update values
-5. Start the stack: `docker compose -f compose.database.yml -f compose.monitoring.yml -f compose.traefik.yml -f compose.yml up -d`
+5. Start the stack: `docker compose -f docker.yml --profile '*' up -d`
 
 You can access Rocket.Chat at: http://localhost
 
 You can login to Grafana at: http://grafana.localhost with the default credentials:
-* User: admin
-* Password: rc-admin
+
+- User: admin
+- Password: rc-admin
 
 ## Getting Started
 
@@ -31,9 +31,9 @@ git clone --depth 1 https://github.com/RocketChat/rocketchat-compose.git
 
 ---
 
-
 ### Docker/Podman Compose
 
+When deploying with Podman, it is required to enable the user-level Podman socket with `systemctl --user enable --now podman.socket`. Note that `sudo` is not used, as it should be enabled at the user level.
 
 For deploying the recommended stack with Rocket.Chat, Traefik, MongoDB, NATS, and Prometheus for monitoring:
 
@@ -62,63 +62,68 @@ For deploying the recommended stack with Rocket.Chat, Traefik, MongoDB, NATS, an
      ```
 
 2. **Using Grafana as a Path instead of Subdomain:**
-  - Change the variables
-    ```env
-    # set this to empty
-    GRAFANA_DOMAIN=
-    # set this to you desired path without trailing slash
-    GRAFANA_PATH=/grafana
-    ```
-  - If you wan't to use subdomain
-    ```env
-    # set this to your subdomain
-    GRAFANA_DOMAIN=grafana.your-domain.com
-    # set this as empty
-    GRAFANA_PATH=
-    ```
+
+- Change the variables
+  ```env
+  # set this to empty
+  GRAFANA_DOMAIN=
+  # set this to you desired path without trailing slash
+  GRAFANA_PATH=/grafana
+  ```
+- If you wan't to use subdomain
+  ```env
+  # set this to your subdomain
+  GRAFANA_DOMAIN=grafana.your-domain.com
+  # set this as empty
+  GRAFANA_PATH=
+  ```
 
 3. **Start the stack:**
    - With Docker Compose:
      ```bash
-     docker compose \
+     docker compose -f docker.yml --profile '*' up -d
+     ```
+   - Or with Podman Compose (rootless, recommended):
+     ```bash
+     podman compose \
        -f compose.monitoring.yml \
        -f compose.traefik.yml \
        -f compose.database.yml \
        -f compose.yml \
+       -f podman.yml \
        up -d
      ```
-   - Or with Podman Compose:
+   - If your Podman setup requires rootful mode, use:
      ```bash
      podman compose \
        -f compose.monitoring.yml \
        -f compose.traefik.yml \
        -f compose.database.yml \
        -f compose.yml \
+       -f podman-rootful.yml \
        up -d
      ```
 
-   This will launch all containers. Rocket.Chat will be available at [http://localhost](http://localhost), and Grafana at [http://grafana.localhost](http://grafana.localhost).
-   > **Note:** If deploying to a custom domain, update `ROOT_URL` and related variables accordingly.
+This will launch all containers. Rocket.Chat will be available at [http://localhost](http://localhost), and Grafana at [http://grafana.localhost](http://grafana.localhost).
+
+> **Note:** Rootless Podman is preferred for security and compatibility. Use rootful mode only if required by your environment. If deploying to a custom domain, update `ROOT_URL` and related variables accordingly.
 
 4. **Stop the stack:**
-  - With Docker Compose:
-    ```bash
-    docker compose \
-        -f compose.monitoring.yml \
-        -f compose.traefik.yml \
-        -f compose.database.yml \
-        -f compose.yml \
-        down
-    ```
-  - Or with Podman Compose:
-     ```bash
-     podman compose \
-       -f compose.monitoring.yml \
-       -f compose.traefik.yml \
-       -f compose.database.yml \
-       -f compose.yml \
-       down
-     ```
+
+- With Docker Compose:
+  ```bash
+  docker compose -f docker.yml --profile '*' down
+  ```
+- Or with Podman Compose:
+  ```bash
+  podman compose \
+    -f compose.monitoring.yml \
+    -f compose.traefik.yml \
+    -f compose.database.yml \
+    -f compose.yml \
+    -f podman.yml \
+    down
+  ```
 
 ---
 
@@ -133,13 +138,22 @@ podman compose \
   up -d
 ```
 
-
 ---
 
 ### Multiple servers
+
 When running multiple Rocket.Chat servers, you can configure Traefik to discover those servers and include them in load balancing by adding a variable in the `.env` file:
 
 ```env
 ROCKETCHAT_BACKEND_SERVERS=rocketchat-1:3000,rocketchat-2:3000,rocketchat-3:3000
 ```
 
+## Using docker.yml
+
+If you want to start all services and enable all profiles, use the following command:
+
+```bash
+docker compose -f docker.yml --profile '*' up -d
+```
+
+This will launch all containers defined in docker.yml and included compose files, enabling every profile (database, monitoring, traefik, etc).

compose.database.yml

@@ -16,9 +16,9 @@ services:
     ports:
       - "${NATS_BIND_IP:-127.0.0.1}:${NATS_PORT_NUMBER:-4222}:4222"
     logging:
-      driver: "journald"
-      options:
-        tag: "${COMPOSE_PROJECT_NAME:-rocketchat}#nats#{{.Name}}"
+      driver: "json-file"
+    labels:
+      container_tag: "${COMPOSE_PROJECT_NAME:-rocketchat}#nats"
 
   nats-exporter:
     image: docker.io/natsio/prometheus-nats-exporter:${NATS_EXPORTER_VERSION:-0.17.3}
@@ -30,11 +30,6 @@ services:
       - -healthz
       - -varz
       - "http://nats:8222"
-    logging:
-      driver: "journald"
-      options:
-        tag: "${COMPOSE_PROJECT_NAME:-rocketchat}#nats-exporter#{{.Name}}"
-
   mongodb-fix-permission-container:
     image: docker.io/mongodb/mongodb-community-server:${MONGODB_VERSION:-8.2}-ubi8
     restart: on-failure
@@ -43,10 +38,6 @@ services:
       - ${MONGODB_HOST_PATH:-mongodb_data}:/data/db:rw
     environment:
       MONGODB_USER_ID: ${MONGODB_USER_ID:-1001}
-    logging:
-      driver: "journald"
-      options:
-        tag: "${COMPOSE_PROJECT_NAME:-rocketchat}#mongodb-fix-permission-container#{{.Name}}"
     entrypoint: |
       sh -xc '
         owner="$(stat -c %u /data/db)";
@@ -72,9 +63,9 @@ services:
     volumes:
       - ${MONGODB_HOST_PATH:-mongodb_data}:/data/db:rw
     logging:
-      driver: "journald"
-      options:
-        tag: "${COMPOSE_PROJECT_NAME:-rocketchat}#mongodb-init-container#{{.Name}}"
+      driver: "json-file"
+    labels:
+      container_tag: "${COMPOSE_PROJECT_NAME:-rocketchat}#mongodb-init-container"
     entrypoint: |
       sh -xc '
         echo "=====> Waiting for MongoDB to be healthy before initiating replica set...";
@@ -86,7 +77,7 @@ services:
         mongosh "$$MONGODB_URI" --eval "rs.initiate({_id: \"$$MONGODB_REPLICA_SET_NAME\", members: [{ _id: 0, host: \"$$MONGODB_ADVERTISED_HOSTNAME:$$MONGODB_PORT_NUMBER\" }]})";
         echo "=====> Initiating ReplSet done...";
       '
-        
+
   mongodb:
     image: docker.io/mongodb/mongodb-community-server:${MONGODB_VERSION:-8.2}-ubi8
     restart: always
@@ -119,16 +110,16 @@ services:
       MONGODB_ADVERTISED_HOSTNAME: ${MONGODB_ADVERTISED_HOSTNAME:-mongodb}
       ALLOW_EMPTY_PASSWORD: ${ALLOW_EMPTY_PASSWORD:-yes}
     logging:
-      driver: "journald"
-      options:
-        tag: "${COMPOSE_PROJECT_NAME:-rocketchat}#mongodb#{{.Name}}"
+      driver: "json-file"
+    labels:
+      container_tag: "${COMPOSE_PROJECT_NAME:-rocketchat}#mongodb"
     healthcheck:
       test:
-      - CMD
-      - mongosh
-      - "mongodb://${MONGODB_ADVERTISED_HOSTNAME:-mongodb}:${MONGODB_PORT_NUMBER:-27017}/?directConnection=true"
-      - --eval
-      - "\"db.adminCommand('ping')\""
+        - CMD
+        - mongosh
+        - "mongodb://${MONGODB_ADVERTISED_HOSTNAME:-mongodb}:${MONGODB_PORT_NUMBER:-27017}/?directConnection=true"
+        - --eval
+        - '"db.adminCommand(''ping'')"'
       interval: 30s
       timeout: 10s
       retries: 10
@@ -146,10 +137,6 @@ services:
       - --mongodb.uri=${MONGODB_URI:-mongodb://mongodb:27017}
       - --collect-all
       - --compatible-mode
-    logging:
-      driver: "journald"
-      options:
-        tag: "${COMPOSE_PROJECT_NAME:-rocketchat}#mongodb-exporter#{{.Name}}"
 
 volumes:
   mongodb_data: {driver: local}

compose.monitoring.yml

@@ -27,9 +27,9 @@ services:
       #   retries: 10
       #   start_period: 10s
     logging:
-      driver: "journald"
-      options:
-        tag: "${COMPOSE_PROJECT_NAME:-rocketchat}#prometheus#{{.Name}}"
+      driver: "json-file"
+    labels:
+      container_tag: "${COMPOSE_PROJECT_NAME:-rocketchat}#prometheus"
   node-exporter:
     image: docker.io/prom/node-exporter:${NODE_EXPORTER_VERSION:-v1.9.1}
     restart: always
@@ -47,38 +47,34 @@ services:
     expose:
       - 9100
     logging:
-      driver: "journald"
-      options:
-        tag: "${COMPOSE_PROJECT_NAME:-rocketchat}#node-exporter#{{.Name}}"
+      driver: "json-file"
+    labels:
+      container_tag: "${COMPOSE_PROJECT_NAME:-rocketchat}#node-exporter"
 
   loki:
     image: docker.io/grafana/loki:3.6
     command: -config.file=/etc/loki/config.yaml -config.expand-env=true
     user: "0"
     volumes:
-      - ./files/loki/config.yaml:/etc/loki/config.yaml
+      - ./files/loki/config.yaml:/etc/loki/config.yaml:z
       - loki_data:/data/loki:rw
     logging:
-      driver: "journald"
-      options:
-        tag: "${COMPOSE_PROJECT_NAME:-rocketchat}#loki#{{.Name}}"
+      driver: "json-file"
+    labels:
+      container_tag: "${COMPOSE_PROJECT_NAME:-rocketchat}#loki"
 
   opentelemetry-logs-collector:
     image: docker.io/otel/opentelemetry-collector-contrib:0.143.0
     command: ["--config=/etc/otel-collector-config.yaml"]
     user: "0"
-    environment:
-      - HOST_PROC=/hostfs/proc
-      - HOST_SYS=/hostfs/sys
-      - HOST_ROOT=/hostfs
     volumes:
-      - ./files/opentelemetry/config.yaml:/etc/otel-collector-config.yaml:ro
-      # - /run/log/journal:/hostfs/run/log/journal:ro
-      - /:/hostfs/:z
+      - ./files/opentelemetry/config.yaml:/etc/otel-collector-config.yaml:z
     logging:
-      driver: "journald"
-      options:
-        tag: "${COMPOSE_PROJECT_NAME:-rocketchat}#opentelemetry-logs-collector#{{.Name}}"
+      driver: none
+    # volumes:
+    #   - ./files/opentelemetry/config.yaml:/etc/otel-collector-config.yaml:ro
+    #   - ${CONTAINER_LOGS_PATH:/var/lib/docker/containers}:/hostfs/storage:ro,z
+    #   - ${DOCKER_SOCK_PATH:/var/run/docker.sock}:/var/run/docker.sock:ro,z
 
   grafana:
     image: docker.io/grafana/grafana:${GRAFANA_VERSION:-12.0.2}
@@ -99,12 +95,12 @@ services:
       - GF_SERVER_SERVE_FROM_SUB_PATH=true
       - GF_SERVER_ROOT_URL=http://${GRAFANA_DOMAIN}${GRAFANA_PATH}/
     logging:
-      driver: "journald"
-      options:
-        tag: "${COMPOSE_PROJECT_NAME:-rocketchat}#grafana#{{.Name}}"
+      driver: "json-file"
+    labels:
+      container_tag: "${COMPOSE_PROJECT_NAME:-rocketchat}#grafana"
 
 volumes:
-  prometheus_tsdb: {driver: local}
-  prometheus_config: {driver: local}
-  grafana_data: {driver: local}
-  loki_data: {driver: local}
+  prometheus_tsdb: { driver: local }
+  prometheus_config: { driver: local }
+  grafana_data: { driver: local }
+  loki_data: { driver: local }

compose.traefik.yml

@@ -93,14 +93,9 @@ services:
 
         echo "files generated, keeping container alive to podman-compose detect it"
         tail -f /dev/null
-
     volumes:
-      - traefik_config:/traefik_config:z
+      - traefik_config:/traefik_config:Z
     restart: "no"
-    logging:
-      driver: "journald"
-      options:
-        tag: "${COMPOSE_PROJECT_NAME:-rocketchat}#traefik-init#{{.Name}}"
 
   traefik:
     image: docker.io/traefik:${TRAEFIK_RELEASE:-v3.4}
@@ -141,18 +136,18 @@ services:
       - ${TRAEFIK_DASHBOARD_PORT:-8080}
       - ${TRAEFIK_HTTPS_PORT:-443}
     volumes:
-      - traefik_ssl:/letsencrypt:z
-      - traefik_config:/traefik_config:z
+      - traefik_ssl:/letsencrypt:Z
+      - traefik_config:/traefik_config:Z
       # healthcheck:
       #   test: ["CMD", "traefik", "healthcheck"]
       #   interval: 30s
       #   timeout: 30s
       #   retries: 5
       #   start_period: 30s
     logging:
-      driver: "journald"
-      options:
-        tag: "${COMPOSE_PROJECT_NAME:-rocketchat}#traefik#{{.Name}}"
+      driver: "json-file"
+    labels:
+      container_tag: "${COMPOSE_PROJECT_NAME:-rocketchat}#traefik"
 
 volumes:
   # this is for ssl shennanigans, users usually won't need to bother with it