From 3746f3fe7c98495eed0d2c5b899af633d3c778af Mon Sep 17 00:00:00 2001 From: tommy Date: Tue, 30 Jun 2026 22:44:42 -0500 Subject: [PATCH] monitoring: capture compute6 Diun compose (closes audit visibility gap) Deployed 2026-06-30 to close compute6's image-update blind spot; was running on compute6 but not tracked. Includes the required security_opt apparmor=unconfined (compute6 host norm) without which Diun can't read the docker socket. Co-Authored-By: Claude Opus 4.8 --- monitoring/diun-compute6/README.md | 13 ++++++++ monitoring/diun-compute6/docker-compose.yml | 33 +++++++++++++++++++++ 2 files changed, 46 insertions(+) create mode 100644 monitoring/diun-compute6/README.md create mode 100644 monitoring/diun-compute6/docker-compose.yml diff --git a/monitoring/diun-compute6/README.md b/monitoring/diun-compute6/README.md new file mode 100644 index 0000000..8f708bc --- /dev/null +++ b/monitoring/diun-compute6/README.md @@ -0,0 +1,13 @@ +# Diun on compute6 + +Closes the compute6 image-update-visibility gap found in the 2026-06-30 drift audit +(node01/02/media-server already ran Diun; compute6 did not). Mirrors the node01/02 +crazymax/diun pattern; watches compute6's ~10 local containers via the docker socket, +notifies the same HA webhook. + +Deploys to compute6 at `~/diun/docker-compose.yml`. + +**compute6 quirk:** `security_opt: apparmor=unconfined` is REQUIRED here — compute6's +default AppArmor profile blocks the container's docker-socket access (every compute6 +container runs unconfined for this reason). Without it Diun logs "permission denied" +on the socket and finds 0 images. diff --git a/monitoring/diun-compute6/docker-compose.yml b/monitoring/diun-compute6/docker-compose.yml new file mode 100644 index 0000000..1e4608e --- /dev/null +++ b/monitoring/diun-compute6/docker-compose.yml @@ -0,0 +1,33 @@ +services: + # ============================================================ + # DIUN - Docker Image Update Notifier (compute6) + # ============================================================ + # Mirrors the node01/02 pattern (crazymax/diun) to close the compute6 + # image-update visibility gap. Watches compute6's local containers via the + # docker socket; notifies the same HA webhook -> mobile_app_tomcell. + # No traefik_public here (doesn't exist on compute6) -> default bridge; + # Diun needs only the socket + outbound to registries and .100:8123. + # ============================================================ + diun: + image: crazymax/diun:latest + container_name: diun + restart: unless-stopped + mem_limit: 256m + cpus: 0.5 + environment: + - TZ=America/Chicago + - LOG_LEVEL=info + - LOG_JSON=false + - DIUN_WATCH_WORKERS=20 + - DIUN_WATCH_SCHEDULE=0 8 * * * + - DIUN_WATCH_FIRSTCHECKNOTIF=false + - DIUN_PROVIDERS_DOCKER=true + - DIUN_PROVIDERS_DOCKER_WATCHBYDEFAULT=true + - DIUN_NOTIF_WEBHOOK_ENDPOINT=http://192.168.99.100:8123/api/webhook/diun_image_update + - DIUN_NOTIF_WEBHOOK_METHOD=POST + - DIUN_NOTIF_WEBHOOK_HEADERS_CONTENT-TYPE=application/json + security_opt: + - apparmor=unconfined + volumes: + - ./data:/data + - /var/run/docker.sock:/var/run/docker.sock:ro