[ { "path": ".craft.yml", "content": "minVersion: 2.21.6\nchangelogPolicy: auto\npreReleaseCommand: bash scripts/bump-version.sh\nartifactProvider:\n name: none\ntargets:\n- name: github\nversioning:\n policy: calver\n" }, { "path": ".editorconfig", "content": "root = true\n\n[*]\ncharset = utf-8\nend_of_line = lf\nindent_style = space\ninsert_final_newline = true\n\n[*.sh]\nindent_size = 2\n\n[*.yml]\nindent_size = 2\n\n[nginx/*.conf]\nindent_style = tab\n" }, { "path": ".gitattributes", "content": "/.gitattributes export-ignore\n/.gitignore export-ignore\n/.github export-ignore\n/.editorconfig export-ignore\n/.craft.yml export-ignore\n" }, { "path": ".github/ISSUE_TEMPLATE/config.yml", "content": "blank_issues_enabled: false\ncontact_links:\n - name: Report a security vulnerability\n url: https://sentry.io/security/#vulnerability-disclosure\n about: Please see our guide for responsible disclosure.\n" }, { "path": ".github/ISSUE_TEMPLATE/feature-request.yml", "content": "name: 💡 Feature Request\ndescription: Tell us about a problem our software could solve but doesn't.\nbody:\n - type: textarea\n id: problem\n attributes:\n label: Problem Statement\n description: What problem could `self-hosted` solve that it doesn't?\n placeholder: |-\n I want to make whirled peas, but `self-hosted` doesn't blend.\n validations:\n required: true\n - type: textarea\n id: expected\n attributes:\n label: Solution Brainstorm\n description: We know you have bright ideas to share ... share away, friend.\n placeholder: |-\n Add a blender to `self-hosted`.\n validations:\n required: false\n - type: markdown\n attributes:\n value: |-\n ## Thanks\n Check our [triage docs](https://open.sentry.io/triage/) for what to expect next.\n validations:\n required: false\n" }, { "path": ".github/ISSUE_TEMPLATE/problem-report.yml", "content": "name: 🐞 Problem Report\ndescription: Tell us about something that's not working the way you expect.\nbody:\n - type: input\n id: self_hosted_version\n attributes:\n label: Self-Hosted Version\n placeholder: 21.7.0 ← should look like this (check the footer)\n description: What version of self-hosted Sentry are you running?\n validations:\n required: true\n - type: input\n id: cpu_architecture\n attributes:\n label: CPU Architecture\n placeholder: x86_64 ← should look like this\n description: |\n What cpu architecture are you running self-hosted on?\n e.g: (docker info --format '{{.Architecture}}')\n validations:\n required: true\n - type: input\n id: docker_version\n attributes:\n label: Docker Version\n placeholder: 20.10.16 ← should look like this (docker --version)\n description: |\n What version of docker are you using to run self-hosted?\n e.g: (docker --version)\n validations:\n required: true\n - type: input\n id: docker_compose_version\n attributes:\n label: Docker Compose Version\n placeholder: 2.6.0 ← should look like this (docker compose version)\n description: |\n What version of docker compose are you using to run self-hosted?\n e.g: (docker compose version)\n validations:\n required: true\n - type: checkboxes\n id: machine_specification\n attributes:\n label: Machine Specification\n description: Make sure your system meets the [minimum system requirements of Sentry](https://develop.sentry.dev/self-hosted/#required-minimum-system-resources).\n options:\n - label: My system meets the minimum system requirements of Sentry\n required: true\n validations:\n required: true\n - type: input\n id: installation_type\n attributes:\n label: Installation Type\n placeholder: Fresh install / Upgrade from 24.8.0 to 25.5.1\n description: |\n Are you filing this issue for a fresh install or an upgrade?\n validations:\n required: true\n - type: textarea\n id: repro\n attributes:\n label: Steps to Reproduce\n description: How can we see what you're seeing? Specific is terrific.\n placeholder: |-\n 1. foo\n 2. bar\n 3. baz\n validations:\n required: true\n - type: textarea\n id: expected\n attributes:\n label: Expected Result\n description: |\n What did you expect to happen?\n validations:\n required: true\n - type: textarea\n id: actual\n attributes:\n label: Actual Result\n description: |\n Logs? Screenshots? Yes, please.\n e.g.:\n - latest install logs: `ls -1 sentry_install_log-*.txt | tail -1 | xargs cat`\n - `docker compose logs` output\n placeholder: |-\n e.g.:\n - logs output\n validations:\n required: true\n - type: input\n id: event_id\n attributes:\n label: Event ID\n description: |\n If you opted into sending errors to our error monitoring and the error has an event ID, enter it here!\n placeholder: c2d85058-d3b0-4d85-a509-e2ba965845d7\n - type: markdown\n attributes:\n value: |-\n ## Thanks\n Check our [triage docs](https://open.sentry.io/triage/) for what to expect next.\n\n If you're reporting a security issue, please follow our [security policy](https://github.com/getsentry/.github/blob/main/SECURITY.md) instead.\n validations:\n required: false\n" }, { "path": ".github/ISSUE_TEMPLATE/release.yml", "content": "name: 📦 Release Issue\ndescription: Start a new self-hosted Sentry release\ntitle: Release YY.M.N\nbody:\n - type: textarea\n attributes:\n label: Body\n description: \"Edit YY.M.N in the title and three times in the first line of the body, then submit. 👍\"\n value: |\n [previous YY.M.N](https://github.com/getsentry/self-hosted/issues) | ***YY.M.N*** | [next YY.M.N](https://github.com/getsentry/self-hosted/issues)\n\n - [ ] Release all components (_replace items with [publish repo issue links](https://github.com/getsentry/publish/issues)_).\n - [ ] [`relay`](https://github.com/getsentry/relay/actions/workflows/release_binary.yml)\n - [ ] [`sentry`](https://github.com/getsentry/sentry/actions/workflows/release.yml)\n - [ ] [`snuba`](https://github.com/getsentry/snuba/actions/workflows/release.yml)\n - [ ] [`symbolicator`](https://github.com/getsentry/symbolicator/actions/workflows/release.yml)\n - [ ] [`vroom`](https://github.com/getsentry/vroom/actions/workflows/release.yaml)\n - [ ] [`uptime-checker`](https://github.com/getsentry/uptime-checker/actions/workflows/release.yml)\n - [ ] [`taskbroker`](https://github.com/getsentry/taskbroker/actions/workflows/release.yml)\n - [ ] Release self-hosted.\n - [ ] [Prepare the `self-hosted` release](https://github.com/getsentry/self-hosted/actions/workflows/release.yml) (_replace with publish issue repo link_).\n - [ ] Check to make sure the new release branch in self-hosted includes the appropriate CalVer images.\n - [ ] Accept (publish) the release.\n - [ ] Edit [release notes](https://github.com/getsentry/self-hosted/releases).\n - [ ] Follow up.\n - [ ] [Create the next release issue](https://github.com/getsentry/self-hosted/issues/new?assignees=&labels=&projects=&template=release.yml) and link it from this one.\n - _replace with link_\n - [ ] Update the [release issue template](https://github.com/getsentry/self-hosted/blob/master/.github/ISSUE_TEMPLATE/release.yml).\n - [ ] Create a PR to update relocation release tests to add the new version.\n - _replace with link_\n validations:\n required: true\n" }, { "path": ".github/PULL_REQUEST_TEMPLATE.md", "content": "\n\n\n\n\n\n\n\n\n### Legal Boilerplate\n\nLook, I get it. The entity doing business as \"Sentry\" was incorporated in the State of Delaware in 2015 as Functional Software, Inc. and is gonna need some rights from me in order to utilize my contributions in this here PR. So here's the deal: I retain all rights, title and interest in and to my contributions, and by keeping this boilerplate intact I confirm that Sentry can use, modify, copy, and redistribute my contributions, under Sentry's choice of terms.\n" }, { "path": ".github/dependabot.yml", "content": "version: 2\nupdates:\n - package-ecosystem: docker\n directory: \"/\"\n schedule:\n interval: daily\n open-pull-requests-limit: 0 # only security updates\n reviewers:\n - \"@getsentry/dev-infra\"\n - \"@getsentry/security\"\n\n - package-ecosystem: \"github-actions\"\n directory: \"/\"\n schedule:\n # Check for updates to GitHub Actions every week\n interval: \"weekly\"\n reviewers:\n - \"@getsentry/dev-infra\"\n - \"@getsentry/security\"\n" }, { "path": ".github/workflows/changelog-preview.yml", "content": "name: Changelog Preview\non:\n pull_request_target:\n types:\n - opened\n - synchronize\n - reopened\n - edited\n - labeled\n - unlabeled\npermissions:\n contents: write\n pull-requests: write\n statuses: write\n\njobs:\n changelog-preview:\n uses: getsentry/craft/.github/workflows/changelog-preview.yml@v2\n secrets: inherit\n" }, { "path": ".github/workflows/enforce-license-compliance.yml", "content": "name: Enforce License Compliance\n\non:\n push:\n branches: [master]\n pull_request:\n branches: [master]\n\npermissions:\n contents: read\n\njobs:\n enforce-license-compliance:\n if: github.repository_owner == 'getsentry'\n runs-on: ubuntu-latest\n steps:\n - name: 'Enforce License Compliance'\n uses: getsentry/action-enforce-license-compliance@main\n with:\n fossa_api_key: ${{ secrets.FOSSA_API_KEY }}\n" }, { "path": ".github/workflows/fast-revert.yml", "content": "on:\n pull_request_target:\n types: [labeled]\n workflow_dispatch:\n inputs:\n pr:\n required: true\n description: pr number\n co_authored_by:\n required: true\n description: '`name ` for triggering user'\n\n# disable all permissions -- we use the PAT's permissions instead\npermissions: {}\n\njobs:\n revert:\n runs-on: ubuntu-latest\n if: |\n github.event_name == 'workflow_dispatch' || github.event.label.name == 'Trigger: Revert'\n steps:\n - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2\n with:\n token: ${{ secrets.BUMP_SENTRY_TOKEN }}\n - uses: getsentry/action-fast-revert@35b4b6c1f8f91b5911159568b3b15e531b5b8174 # v2.0.1\n with:\n pr: ${{ github.event.number || github.event.inputs.pr }}\n co_authored_by: ${{ github.event.inputs.co_authored_by || format('{0} <{1}+{0}@users.noreply.github.com>', github.event.sender.login, github.event.sender.id) }}\n committer_name: getsentry-bot\n committer_email: bot@sentry.io\n token: ${{ secrets.BUMP_SENTRY_TOKEN }}\n - name: comment on failure\n run: |\n curl \\\n --silent \\\n -X POST \\\n -H 'Authorization: token ${{ secrets.BUMP_SENTRY_TOKEN }}' \\\n -d'{\"body\": \"revert failed (conflict? already reverted?) -- [check the logs](https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }})\"}' \\\n https://api.github.com/repositories/${{ github.event.repository.id }}/issues/${{ github.event.number || github.event.inputs.pr }}/comments\n if: failure()\n" }, { "path": ".github/workflows/lock.yml", "content": "name: 'Lock closed issues/PRs'\non:\n schedule:\n - cron: '11 3 * * *'\n workflow_dispatch:\njobs:\n lock:\n if: github.repository_owner == 'getsentry'\n runs-on: ubuntu-latest\n steps:\n - uses: getsentry/forked-action-lock-threads@master\n with:\n github-token: ${{ github.token }}\n issue-lock-inactive-days: 15\n issue-lock-reason: ''\n pr-lock-inactive-days: 15\n pr-lock-reason: ''\n" }, { "path": ".github/workflows/pre-commit.yml", "content": "name: pre-commit\n\non:\n pull_request:\n push:\n branches: [master]\n\npermissions:\n contents: read\n\njobs:\n pre-commit:\n runs-on: ubuntu-latest\n steps:\n - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2\n - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0\n with:\n python-version: 3.x\n - uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd # v3.0.1\n" }, { "path": ".github/workflows/release.yml", "content": "name: Release\non:\n workflow_dispatch:\n inputs:\n version:\n description: Version to release (or \"auto\")\n required: false\n force:\n description: Force a release even when there are release-blockers (optional)\n required: false\n schedule:\n # We want the release to be at 10 or 11am Pacific Time\n # We also make this an hour after all others such as Sentry,\n # Snuba, and Relay to make sure their releases finish.\n - cron: \"0 18 15 * *\"\npermissions:\n contents: read\njobs:\n release:\n if: github.repository_owner == 'getsentry'\n runs-on: ubuntu-latest\n name: \"Release a new version\"\n steps:\n - name: Get auth token\n id: token\n uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1\n with:\n app-id: ${{ vars.SENTRY_RELEASE_BOT_CLIENT_ID }}\n private-key: ${{ secrets.SENTRY_RELEASE_BOT_PRIVATE_KEY }}\n - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2\n with:\n token: ${{ steps.token.outputs.token }}\n fetch-depth: 0\n - name: Prepare release\n id: prepare-release\n uses: getsentry/craft@013a7b2113c2cac0ff32d5180cfeaefc7c9ce5b6 # v2.24.1\n env:\n GITHUB_TOKEN: ${{ steps.token.outputs.token }}\n with:\n version: ${{ github.event.inputs.version }}\n force: ${{ github.event.inputs.force }}\n outputs:\n release-version: ${{ env.RELEASE_VERSION }}\n dogfood-release:\n if: github.repository_owner == 'getsentry'\n runs-on: ubuntu-latest\n name: Create release on self-hosted dogfood instance\n needs: release\n steps:\n - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2\n with:\n fetch-depth: 0\n - uses: getsentry/action-release@dab6548b3c03c4717878099e43782cf5be654289 # v3.5.0\n env:\n SENTRY_ORG: self-hosted\n SENTRY_PROJECT: installer\n SENTRY_URL: https://self-hosted.getsentry.net/\n SENTRY_AUTH_TOKEN: ${{ secrets.SELF_HOSTED_RELEASE_TOKEN }}\n with:\n environment: production\n version: ${{ needs.release.outputs.release-version }}\n ignore_empty: true\n ignore_missing: true\n" }, { "path": ".github/workflows/shellcheck.yml", "content": "name: \"ShellCheck\"\non:\n push:\n paths:\n - \"**.sh\"\n branches: [master]\n pull_request:\n paths:\n - \"**.sh\"\n branches: [master]\n\npermissions:\n contents: read\n\njobs:\n shellcheck:\n name: ShellCheck\n runs-on: ubuntu-latest\n steps:\n - name: Repository checkout\n uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2\n with:\n fetch-depth: 0\n\n - name: Run ShellCheck\n run: |\n git diff --name-only -z `git merge-base origin/master HEAD` -- \\\n install/_lib.sh \\\n 'optional-modifications/**.sh' \\\n 'scripts/**.sh' \\\n unit-test.sh \\\n 'workstation/**.sh' \\\n | xargs -0 -r -- \\\n shellcheck \\\n --shell=bash \\\n --format=json1 \\\n --external-sources \\\n | jq -r '\n .comments\n | map(.level |= if ([.] | inside([\"info\", \"style\"])) then \"notice\" else . end)\n | .[] as $note\n | \"::\\($note.level) file=\\($note.file),line=\\($note.line),endLine=\\($note.endLine),col=\\($note.column),endColumn=\\($note.endColumn)::[SC\\($note.code)] \\($note.message)\"\n ' \\\n | grep . >&2 && exit 1\n\n exit 0\n" }, { "path": ".github/workflows/test.yml", "content": "\nname: Test\non:\n # Run CI on all pushes to the master and release/** branches, and on all new\n # pull requests, and on all pushes to pull requests (even if a pull request\n # is not against master).\n push:\n branches:\n - \"master\"\n - \"release/**\"\n pull_request:\n schedule:\n - cron: \"0 0,12 * * *\"\n\nconcurrency:\n group: ${{ github.ref_name || github.sha }}\n cancel-in-progress: true\n\npermissions:\n contents: read\n\ndefaults:\n run:\n shell: bash\njobs:\n unit-test:\n if: github.repository_owner == 'getsentry'\n runs-on: ${{ matrix.os }}\n strategy:\n matrix:\n os: [ubuntu-24.04, ubuntu-24.04-arm]\n name: ${{ matrix.os == 'ubuntu-24.04-arm' && 'unit tests (arm64)' || 'unit tests' }}\n steps:\n - name: Checkout\n uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2\n\n - name: Unit Tests\n run: ./unit-test.sh\n\n integration-test:\n if: github.repository_owner == 'getsentry'\n runs-on: ${{ matrix.os }}\n strategy:\n fail-fast: false\n matrix:\n os: [ubuntu-24.04, ubuntu-24.04-arm]\n container_engine: ['docker'] # TODO: add 'podman' into the list\n compose_profiles: ['feature-complete', 'errors-only']\n name: ${{ format('integration test{0}{1}{2}', matrix.os == 'ubuntu-24.04-arm' && ' (arm64)' || '', matrix.container_engine == 'podman' && ' (podman)' || '', matrix.compose_profiles == 'errors-only' && ' (errors-only)' || '') }}\n env:\n REPORT_SELF_HOSTED_ISSUES: 0\n SELF_HOSTED_TESTING_DSN: ${{ vars.SELF_HOSTED_TESTING_DSN }}\n CONTAINER_ENGINE_PODMAN: ${{ matrix.container_engine == 'podman' && '1' || '0' }}\n steps:\n - name: Checkout\n uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2\n\n - name: Install Podman\n if: matrix.container_engine == 'podman'\n run: |\n sudo apt-get update\n sudo apt-get install -y --no-install-recommends podman\n # TODO: Replace below with podman-compose\n # We need this commit to be able to work: https://github.com/containers/podman-compose/commit/8206cc3ea277eee6c2e87d4cd66eba8eae3d44eb\n pip3 install --user https://github.com/containers/podman-compose/archive/main.tar.gz\n echo \"PODMAN_COMPOSE_PROVIDER=podman-compose\" >> $GITHUB_ENV\n echo \"PODMAN_COMPOSE_WARNING_LOGS=false\" >> $GITHUB_ENV\n\n - name: Use action from local checkout\n uses: './'\n with:\n compose_profiles: ${{ matrix.compose_profiles }}\n CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}\n" }, { "path": ".gitignore", "content": "# Error reporting choice cache\n.reporterrors\n\n# Byte-compiled / optimized / DLL files\n__pycache__/\n*.py[cod]\n*$py.class\n\n# C extensions\n*.so\n\n# Distribution / packaging\n.Python\nenv/\nbuild/\ndevelop-eggs/\ndist/\ndownloads/\neggs/\n.eggs/\nlib/\nlib64/\nparts/\nsdist/\nvar/\n*.egg-info/\n.installed.cfg\n*.egg\n\n# PyInstaller\n# Usually these files are written by a python script from a template\n# before PyInstaller builds the exe, so as to inject date/other infos into it.\n*.manifest\n*.spec\n\n# Installer logs\npip-log.txt\npip-delete-this-directory.txt\nsentry_install_log*.txt\nsentry_reset_log*.txt\nsentry_restore_log*.txt\nsentry_backup_log*.txt\n\n# Unit test / coverage reports\nhtmlcov/\n.tox/\n.coverage\n.coverage.*\n.cache\nnosetests.xml\ncoverage.xml\n*.cover\n.hypothesis/\n\n# Translations\n*.mo\n*.pot\n\n# Django stuff:\n*.log\nlocal_settings.py\n\n# Sphinx documentation\ndocs/_build/\n\n# PyBuilder\ntarget/\n\n# Ipython Notebook\n.ipynb_checkpoints\n\n# https://docs.docker.com/compose/extends/\ndocker-compose.override.yml\n\n# https://docs.docker.com/compose/environment-variables/#using-the---env-file--option\n.env.custom\n\n*.tar\ndata/\n\n# Editor / IDE\n.vscode/tags\n.idea\n\n# custom Sentry config\nsentry/sentry.conf.py\nsentry/config.yml\nsentry/*.bak\nsentry/backup.json\nsentry/enhance-image.sh\nsentry/requirements.txt\nrelay/credentials.json\nrelay/config.yml\nsymbolicator/config.yml\ngeoip/GeoIP.conf\ngeoip/*.mmdb\ngeoip/.geoipupdate.lock\n\n# integration testing\n_integration-test/custom-ca-roots/nginx/*\nsentry/test-custom-ca-roots.py\n\n# OSX minutia\n.DS_Store\n" }, { "path": ".pre-commit-config.yaml", "content": "exclude: '\\.patch$'\nrepos:\n- repo: local\n hooks:\n # Based on https://github.com/scop/pre-commit-shfmt/blob/main/.pre-commit-hooks.yaml\n # Customized to also work on ARM, and give diff for CI on failure.\n - id: shfmt\n name: shfmt\n description: Format shell source code\n language: docker_image\n entry: --net none mvdan/shfmt:v3.5.1\n args: [-w, -d]\n files: .*\\.sh\n stages: [commit, merge-commit, push, manual]\n- repo: https://github.com/pre-commit/pre-commit-hooks\n rev: v4.3.0\n hooks:\n - id: check-case-conflict\n - id: check-executables-have-shebangs\n - id: check-merge-conflict\n - id: check-symlinks\n - id: end-of-file-fixer\n - id: trailing-whitespace\n - id: check-yaml\n" }, { "path": ".python-version", "content": "3.12\n" }, { "path": "CHANGELOG.md", "content": "# Changelog\n\n## 26.3.1\n\n- No documented changes.\n\n## 26.3.0\n\n### New Features ✨\n\n- Reorder pull images by @aldy505 in [#4202](https://github.com/getsentry/self-hosted/pull/4202)\n\n### Bug Fixes 🐛\n\n- Manual image tags rollback to nightly by @aldy505 in [#4204](https://github.com/getsentry/self-hosted/pull/4204)\n\n### Internal Changes 🔧\n\n#### Deps\n\n- Bump actions/setup-node from 6.2.0 to 6.3.0 by @dependabot in [#4206](https://github.com/getsentry/self-hosted/pull/4206)\n- Bump getsentry/craft from 2.21.7 to 2.23.2 by @dependabot in [#4207](https://github.com/getsentry/self-hosted/pull/4207)\n- Bump minimatch from 9.0.5 to 9.0.7 in /_integration-test/nodejs by @dependabot in [#4189](https://github.com/getsentry/self-hosted/pull/4189)\n\n## 26.2.1\n\n### Bug Fixes 🐛\n\n#### Release\n\n- Restore version bumping for releases by @BYK in [#4191](https://github.com/getsentry/self-hosted/pull/4191)\n- Be explicit about pre release and post release command by @hubertdeng123 in [#4190](https://github.com/getsentry/self-hosted/pull/4190)\n\n#### Other\n\n- Prevent script injection vulnerability in get-compose-action by @fix-it-felix-sentry in [#4179](https://github.com/getsentry/self-hosted/pull/4179)\n\n### Internal Changes 🔧\n\n- (deps) Bump getsentry/craft from 2.21.4 to 2.21.7 by @dependabot in [#4188](https://github.com/getsentry/self-hosted/pull/4188)\n\n### Other\n\n- Use docker-compose shipped in GHA runners by @aminvakil in [#4184](https://github.com/getsentry/self-hosted/pull/4184)\n\n## 26.1.0\n\n### New Features ✨\n\n- Switch nodestore-s3 package to getsentry org by @aldy505 in [#4119](https://github.com/getsentry/self-hosted/pull/4119)\n\n### Build / dependencies / internal 🔧\n\n- (deps) Bump astral-sh/setup-uv from 7.1.5 to 7.1.6 by @dependabot in [#4100](https://github.com/getsentry/self-hosted/pull/4100)\n\n### Other\n\n- Include SDK version 10 when using local JS SDK assets by @hsgt-brice in [#4130](https://github.com/getsentry/self-hosted/pull/4130)\n\n## 25.12.1\n\n### Build / dependencies / internal 🔧\n\n- chore(deps): bump seaweedfs version to 3.97 by @kostirez1 in [#4120](https://github.com/getsentry/self-hosted/pull/4120)\n\n## 25.12.0\n\n### New Features ✨\n\n- feat(release): Manually run post release script by @hubertdeng123 in [#4073](https://github.com/getsentry/self-hosted/pull/4073)\n\n- feat: bump action-setup-venv to use working-directory by @aldy505 in [#4098](https://github.com/getsentry/self-hosted/pull/4098)\n\n### Bug Fixes 🐛\n\n- fix: Provide useful info on permission errors by @BYK in [#4096](https://github.com/getsentry/self-hosted/pull/4096)\n- fix: missing 'SENTRY_SYSTEM_SECRET_KEY' declaration on Docker Compose block by @aldy505 in [#4087](https://github.com/getsentry/self-hosted/pull/4087)\n- fix: grep seaweedfs bucket name instead of using awk by @aldy505 in [#4076](https://github.com/getsentry/self-hosted/pull/4076)\n\n### Build / dependencies / internal 🔧\n\n#### Deps\n\n- build(deps): bump actions/create-github-app-token from 2.2.0 to 2.2.1 by @dependabot in [#4090](https://github.com/getsentry/self-hosted/pull/4090)\n- build(deps): bump actions/setup-node from 4.4.0 to 6.1.0 by @dependabot in [#4091](https://github.com/getsentry/self-hosted/pull/4091)\n- build(deps): bump astral-sh/setup-uv from 7.1.4 to 7.1.5 by @dependabot in [#4093](https://github.com/getsentry/self-hosted/pull/4093)\n\n- chore: guard unit-test.sh from being invoked by users by @aldy505 in [#4085](https://github.com/getsentry/self-hosted/pull/4085)\n- chore: ask installation type on problem report template by @aldy505 in [#4086](https://github.com/getsentry/self-hosted/pull/4086)\n\n### Other\n\n- Revert \"Revert \"ref: migrate to uv (#4061)\"\" by @aldy505 in [#4097](https://github.com/getsentry/self-hosted/pull/4097)\n- Revert \"ref: migrate to uv (#4061)\" by @BYK in [#4094](https://github.com/getsentry/self-hosted/pull/4094)\n- test: integration test for user feedback by @aldy505 in [#3880](https://github.com/getsentry/self-hosted/pull/3880)\n- ref: migrate to uv by @aldy505 in [#4061](https://github.com/getsentry/self-hosted/pull/4061)\n- Add shm_size configuration back to postgres by @max-wittig in [#4072](https://github.com/getsentry/self-hosted/pull/4072)\n\n## 25.11.1\n\n### Build / dependencies / internal 🔧\n\n- chore: remove some more unused directories by @aldy505 in [#4046](https://github.com/getsentry/self-hosted/pull/4046)\n- build(deps): bump actions/create-github-app-token from 2.1.4 to 2.2.0 by @dependabot in [#4058](https://github.com/getsentry/self-hosted/pull/4058)\n- build(deps): bump actions/checkout from 5 to 6 by @dependabot in [#4059](https://github.com/getsentry/self-hosted/pull/4059)\n- chore: uptime checker is missing on the release issue by @aldy505 in [#4047](https://github.com/getsentry/self-hosted/pull/4047)\n\n### Bug Fixes 🐛\n\n- fix(profiling): Ingest profile file path by @Zylphrex in [#4060](https://github.com/getsentry/self-hosted/pull/4060)\n- fix: ensure seaweedfs lifecycle policy is set correctly by @kodebach in [#4040](https://github.com/getsentry/self-hosted/pull/4040)\n- fix: missing SYMBOLICATOR_STATSD_ADDR environment var for symbolicator-cleanup by @aldy505 in [#4042](https://github.com/getsentry/self-hosted/pull/4042)\n\n### Other\n\n- Add `dcx` shortcut for docker compose exec with HTTP proxy env vars by @copilot-swe-agent in [#4067](https://github.com/getsentry/self-hosted/pull/4067)\n\n## 25.11.0\n\n### Various fixes & improvements\n\n- feat: statsd configuration through environment variables (#4031) by @aldy505\n- ref: sound SENTRY_DISALLOWED_IPS on the configuration file (#3981) by @aldy505\n- fix: broken link to Errors-Only Mode docs (#4032) by @mariansimecek\n- Fix Clickhouse max_server_memory_usage_to_ram_ratio setting (#4025) by @otoriphoenix\n- Increase default max_suspicious_broken_parts to 100 (#4011) by @stevenobird\n- fix(install): add migrate-pgbouncer.sh to install.sh (#4030) by @kodebach\n- fix: remove snuba uptime results consumer (#4027) by @aldy505\n\n## 25.10.0\n\n### Various fixes & improvements\n\n- fix: geoip standalone script should check on CONTAINER_ENGINE variable first (#3982) by @aldy505\n- fix: missing `-dir` flag for seaweedfs (#3991) by @aldy505\n- Remove symbolicator volume once (#3994) by @aminvakil\n- Remove symbolicator external volume (#3992) by @aminvakil\n- chore(spans): Remove old snuba-spans consumer (#3989) by @jjbayer\n- Bump redis 6.2.20-alpine (#3988) by @aminvakil\n- ref: add `continue-on-error` for codecov action on self-hosted integration tests (#3978) by @aldy505\n- ref: use dedicated `healthcheck` command for symbolicator & remove cron for `symbolicator-cleanup` (#3979) by @aldy505\n- fix(actions): include arch and compose_profiles information on cache keys (#3974) by @aldy505\n- ref: Remove proxy_next_upstream directives (#3973) by @aminvakil\n- fix: Unset the proxy when performing the seaweedfs health check (#3959) by @SteppingHat\n- fix: logic error in s3 install script (#3965) by @kodebach\n- Fix swap allocation in integration test (#3972) by @aminvakil\n- chore(tasks) Remove reference to celery (#3962) by @markstory\n- Respect uppercase proxy variables (#3949) by @aminvakil\n- chore(tasks): Remove the worker and cron containers (#3946) by @markstory\n- fix: install behind a proxy (#3944) by @moroine\n\n## 25.9.0\n\n### Various fixes & improvements\n\n- fix: able to setup nodestore multiple times (#3940) by @aldy505\n- build(deps): bump actions/create-github-app-token from 2.1.1 to 2.1.4 (#3936) by @dependabot\n- docs: provide information for SENTRY_AIR_GAP flag on Django config file (#3935) by @aldy505\n- feat: Use S3 node store with seaweedfs (#3498) by @BYK\n- feat(tasks): Remove taskworker option override and add worker healthcheck (#3933) by @markstory\n- feat: install script to migrate sentry.conf.py config to use pgbouncer (#3898) by @aldy505\n- chore(deps): bump clickhouse to 25.3 (#3878) by @aldy505\n- feat: enable `issue-views` flag (#3922) by @aldy505\n- feat: query against `eap` dataset instead of `metrics` dataset for spans (#3923) by @aldy505\n- build(deps): bump actions/setup-python from 5 to 6 (#3927) by @dependabot\n- Add restart policy to pgbouncer service (#3925) by @frederikspang\n- fix(tests): skip logs event test for errors-only (#3915) by @aldy505\n- Improve nginx depends_on policy (#3914) by @aminvakil\n- test: run errors-only integration tests (#3910) by @aldy505\n- feat: enable Logs feature (#3912) by @aldy505\n- fix: ensuring vroom permission should be skipped on errors-only (#3911) by @aldy505\n- chore(deps): bump patches version (#3879) by @aldy505\n- Revert \"increase postgres max_connections above 100 connections (#2740)\" (#3899) by @aminvakil\n- Add pgbouncer (#3884) by @frederikspang\n- chore: resolve GHA code scanning alerts (#3889) by @aldy505\n- fix(enhancement): search for permissions on docker container instead of host and combine it in one command for performance enhancement (#3890) by @LvckyAPI\n- build(deps): bump actions/create-github-app-token from 2.1.0 to 2.1.1 (#3885) by @dependabot\n- build(deps): bump actions/checkout from 4 to 5 (#3883) by @dependabot\n\n## 25.8.0\n\n### Various fixes & improvements\n\n- feat: Relay healthcheck (#3875) by @aldy505\n- fix: setup swapfile only if runner architecture is X64 or X86 (#3876) by @aldy505\n- Set minimum bash version to 4.4.0 (#3873) by @aminvakil\n- fix: adjust file healthcheck durations (#3874) by @mzglinski\n- feat: healthchecks for sentry components (#3859) by @mzglinski\n- fix(eap): Fix dataset parameter to target spans (#3866) by @phacops\n- build(deps): bump actions/create-github-app-token from 2.0.6 to 2.1.0 (#3865) by @dependabot\n- fix(scripts): use `env` to find `bash` interpreter (#3861) by @Zaczero\n- fix(scripts): every known flags should be shifted before executing the sentry command (#3831) by @aldy505\n- fix: uptime checker image should be bumped to the tagged release (#3858) by @aldy505\n- fix(enhancement): ensure correct ownership check before setting permissions of profiles (#3855) by @LvckyAPI\n- chore(features): cleanup feature flags grouped by its' category (#3843) by @aldy505\n- fix: add schedulers for generic metrics subscriptions (#3847) by @mzglinski\n- feat: Continue using celery in self-hosted for now (#3845) by @markstory\n- feat(features): add `profiling-view` flag (#3837) by @aldy505\n- Potential fix for code scanning alert no. 12: Workflow does not contain permissions (#3822) by @aldy505\n- docs: clearly state that `system.internal-url-prefix` shouldn't be changed (#3829) by @aldy505\n- feat(install): Adds support for podman(compose) (#3673) by @DuncanConroy\n- fix(action): missing project directory path for failure inspection (#3825) by @aldy505\n- Cleanup unused feature flags (#3820) by @doc-sheet\n- feat: inspect docker compose failure on self-hosted e2e action (#3817) by @aldy505\n\n## 25.7.0\n\n### Various fixes & improvements\n\n- feat: Swap `trace-view-v1` feature flag with `visibility-explore-view` (#3801) by @aldy505\n- fix: set harakiri Django option to 30s (#3792) by @aldy505\n- feat(images):Cutover images to ghcr (#3800) by @hubertdeng123\n- docs: encourage community patches (#3794) by @aldy505\n- feat: run EAP-related containers (#3778) by @aldy505\n- feat(uptime): Enable uptime in self-hosted (#3787) by @evanpurkhiser\n- feat: make `system.secret-key` configurable from environment variables (#3783) by @aldy505\n- ci: run tests on arm64 (#3750) by @aldy505\n\n## 25.6.2\n\n### Various fixes & improvements\n\n- fix: Increase timeout for flakey test (#3781) by @tobias-wilfert\n- chore: provide detailed note for sentry endpoint settings (#3780) by @aldy505\n\n## 25.6.1\n\n### Various fixes & improvements\n\n- fix(taskworker) Remove num-brokers (#3769) by @markstory\n- feat: enable customization sentry DSN endpoint (#3747) by @yildizozgur\n- ref(js-assets): Simplify how we call nginx container (#3761) by @BYK\n- Revert \"fix(vroom): Explicitly set PROFILES_DIR for upcoming change\" (#3760) by @hubertdeng123\n- fix(vroom): Explicitly set PROFILES_DIR for upcoming change (#3759) by @BYK\n\n## 25.6.0\n\n### Various fixes & improvements\n\n- enable shell linter for more scripts (#3748) by @doc-sheet\n- feat: migrate to arm64-compatible smtp image (#3746) by @ezhevita\n- Introduce patches with external kafka (#3521) by @aldy505\n- add shellcheck action to lint bash scripts (#3710) by @doc-sheet\n- tests: Install version 2.x of Python SDK (#3745) by @sentrivana\n- feat(features): enable continuous profiling (#3742) by @aldy505\n- feat: Add taskbroker + worker + scheduler (#3738) by @markstory\n- fix(profiles): Run the profile chunks consumer (#3739) by @phacops\n- chore: prune removed feature flags on main repository (#3731) by @aldy505\n- remove index workaround (#3730) by @asottile-sentry\n- Make usage of Python SDK future proof (#3714) by @antonpirker\n\n## 25.5.1\n\n### Various fixes & improvements\n\n- Add missing lib script to sentry-admin.sh (#3693) by @djakielski\n- chore: cleanup obsolete feature flags (#3701) by @doc-sheet\n\n## 25.5.0\n\n### Various fixes & improvements\n\n- build(deps): bump actions/create-github-app-token from 2.0.2 to 2.0.6 (#3690) by @dependabot\n- Resolve datetime deprecation warnings (#3686) by @emmanuel-ferdman\n- ref: remove SENTRY_USE_BIG_INTS (always True) (#3687) by @asottile-sentry\n\n## 25.4.0\n\n### Stand-alone Docker Compose Fixes\n\nBy: @aminvakil (#3658, #3654)\n\n### Various fixes & improvements\n\n- chore(relay): specify spool.enveloppe.max_backpressure_memory_percent configuration for handling relay's failing healthcheck (#3635) by @aldy505\n- build(deps): bump actions/create-github-app-token from 1.12.0 to 2.0.2 (#3649) by @dependabot\n- build(deps): bump actions/create-github-app-token from 1.11.7 to 1.12.0 (#3639) by @dependabot\n- Minimum requirements for 'errors-only' profile (#3634) by @madest92\n- build(deps): bump actions/create-github-app-token from 1.11.6 to 1.11.7 (#3632) by @dependabot\n- feat(sentry): add dynamic sampling feature to config (#3631) by @aldy505\n- docs(config): add example config for Google Auth (#3623) by @junsung-cho\n- fix: js-sdk directory/file permission should be set correctly (#3616) by @aldy505\n- feat(features): enable session replay canvas (#3619) by @aldy505\n\n## 25.3.0\n\n### Various fixes & improvements\n\n- feat(features): enable trace view (#3617) by @aldy505\n- feat: provide monitoring-related configurations (#3611) by @aldy505\n- Enforce license compliance only on getsentry repository (#3606) by @aminvakil\n- Fix unbound variable error in install script (#3601) by @brettdh\n- Add --short to docker-compose version (#3605) by @aminvakil\n- ref: Less complicated docker compose detection (#3604) by @BYK\n- Use docker-compose if version is gte docker compose (#3595) by @aminvakil\n- build(deps): bump actions/create-github-app-token from 1.11.3 to 1.11.6 (#3598) by @dependabot\n- build(deps): bump getsentry/action-release from 1 to 3 (#3599) by @dependabot\n- Bump docker-compose 2.33.1 (#3597) by @aminvakil\n- refactor: move system.url-prefix under systems settings section (#3588) by @leeoocca\n\n## 25.2.0\n\n### Various fixes & improvements\n\n- build(deps): bump actions/create-github-app-token from 1.11.2 to 1.11.3 (#3569) by @dependabot\n- feat: merge `.env` and `.env.custom` file during installation (#3564) by @aldy505\n- build(deps): bump actions/create-github-app-token from 1.11.1 to 1.11.2 (#3561) by @dependabot\n- feat: Require both inputs to be set on action (#3554) by @BYK\n- ref: Simpler and more accurate cache keys (#3553) by @BYK\n- Hand off open-source to dev-infra (#3549) by @chadwhitacre\n- ci: Remove obsolete `dcr up -w` from import test (#3544) by @BYK\n- fix: github.action_path may not have trailing slash (#3547) by @BYK\n- chore: Remove upgrade test (#3541) by @hubertdeng123\n- fix: Use correct path for get compose action (#3539) by @hubertdeng123\n- fix: Caching of sentry migrations should cover additional folders (#3542) by @hubertdeng123\n- ci: Move self-contained action reference to master branch (#3538) by @BYK\n- breaking: Upgrade min Compose version to 2.23.2 (#3535) by @BYK\n- ci: Even better cache keys and granular caching (#3534) by @BYK\n- test: Reorganize backup/restore tests for speed and reliability (#3537) by @BYK\n\n## 25.1.0\n\n### Various fixes & improvements\n\n- ci: Use generic Docker volume cache action (#3524) by @BYK\n- ci: Less volatile cache keys (#3522) by @BYK\n- docs: include regular env file on wrap-up (#3523) by @aldy505\n- ci: Faster and smarter backup/restore tests (#3516) by @BYK\n- fix: Fix the new e2e action to be portable (#3520) by @BYK\n- ci: Move e2e test action into the repo (#3519) by @BYK\n- ci: Only test on compose 2.26 w/ customizations (#3506) by @BYK\n- ci: Skip DB ops during install completely on cache hit (#3496) by @BYK\n- chore: Remove everything zookeeper (#3499) by @hubertdeng123\n- ci: Cache postgres volume after first migration (#3488) by @BYK\n- fix: Remove the extra space in the log file names (#3212) by @melnele\n- ref(snuba): Combine bootstrap & migrate for faster bootstrap (#3491) by @BYK\n- ref(geoip): Remove geoipupdate from compose (#3490) by @BYK\n- build(deps): bump actions/create-github-app-token from 1.11.0 to 1.11.1 (#3492) by @dependabot\n\n## 24.12.1\n\n### Various fixes & improvements\n\n- chore: clearer message for errors-only mode (#3487) by @aldy505\n- chore(relay): provide opt-in max_memory_percent config as workaround for failing healthcheck (#3486) by @aldy505\n- fix(nginx): _assets should rewrite to _static/sentry/dist (#3483) by @BYK\n\n## 24.12.0\n\n- No documented changes.\n\n## 24.11.2\n\n### Various fixes & improvements\n\n- fix(redis): Actually use custom config (#3459) by @BYK\n- feat(release): Replace release bot with GH app (#3458) by @Jeffreyhung\n- chore(issue-template): ask for machine specification and provide link to security policy (#3447) by @aldy505\n- add sentry/backup.json to gitignore (#3450) by @niklassc7\n- ref: remove suggested fix (#3446) by @aldy505\n\n## 24.11.1\n\n### Various fixes & improvements\n\n- fix(redis): Use a safer eviction rule (#3432) by @BYK\n- feat: add Redis configuration for improved memory management (#3427) by @Hassanzadeh-sd\n- build(deps): bump codecov/codecov-action from 4 to 5 (#3429) by @dependabot\n\n## 24.11.0\n\n### Various fixes & improvements\n\n- feat(healthcheck): Improve redis healthcheck (#3422) by @hubertdeng123\n- fix: missing mime types and turning off autoindex for js-sdk endpoint (#3395) by @aldy505\n- fix: Use js.sentry-cdn.com for JS SDK downloads (#3417) by @BYK\n- fix(loader): provide js sdk assets from 4.x (#3415) by @aldy505\n- Revert \"Revert \"ref(feedback): remove issue platform flags after releasing issue types\"\" (#3403) by @BYK\n- Revert \"ref(feedback): remove issue platform flags after releasing issue types\" (#3402) by @BYK\n- ref(feedback): remove issue platform flags after releasing issue types (#3397) by @aliu39\n- fix(sentry-admin): Do not wait for command finish to display output (#3390) by @Makhonya\n\n## 24.10.0\n\n### Various fixes & improvements\n\n- chore: Disable codecov for master/release branches (#3384) by @hubertdeng123\n- chore: replace old URLs of the repo with the new docs (#3375) by @victorelec14\n- ref: span normalization allowed host config (#3245) by @aldy505\n- docs: explicitly specify `mail.use-{tls,ssl}` is mutually exclusive (#3368) by @aldy505\n- ref: allow hosted js sdk bundles (#3365) by @aldy505\n- fix(clickhouse): Allow nullable key (#3354) by @nikhars\n\n## 24.9.0\n\n### Various fixes & improvements\n\n- docs: link to develop docs (#3307) by @joshuarli\n- fix: more leeway for minimum RAM (#3290) by @joshuarli\n- Mandate minimum requirements for ram/cpu (#3275) by @hubertdeng123\n- ref(feedback): cleanup topic rollout option (#3276) by @aliu39\n- Update release template (#3270) by @hubertdeng123\n\n## 24.8.0\n\n### Various fixes & improvements\n\n- Migrate to zookeeper-less kafka (#3263) by @hubertdeng123\n- Revert \"ref(feedback): cleanup topic rollout option\" (#3262) by @aliu39\n- ref(feedback): cleanup topic rollout option (#3256) by @aliu39\n- Remove cdc and wal2json and use the default postgres entrypoint (#3260) by @beezz\n- add `-euo pipefail` to enhance-image.example.sh (#3246) by @asottile-sentry\n- remove python-dev (#3242) by @asottile-sentry\n- feat: enable user feedback feature (#3193) by @aldy505\n- Use CDN by default for JS SDK Loader (#3213) by @stayallive\n\n## 24.7.1\n\n### Various fixes & improvements\n\n- Fix: errors only config flag (#3220) by @hubertdeng123\n- Add errors only self-hosted infrastructure (#3190) by @hubertdeng123\n- feat(generic-metrics): Add gauges to docker compose, re-try (#3177) by @ayirr7\n\n## 24.7.0\n\n### Various fixes & improvements\n\n- Check postgres os before proceeding with install (#3197) by @hubertdeng123\n- Update sentry-admin.sh to select its own working directory (#3184) by @theoriginalgri\n- feat: add insights feature flags (#3152) by @aldy505\n- feat(relay): Forward /api/0/relays/* to inner relays (#3144) by @iambriccardo\n\n## 24.6.0\n\n### Various fixes & improvements\n\n- Use general kafka topic creation in self-hosted (#3121) by @hubertdeng123\n- Use non-alpine postgres (#3116) by @hubertdeng123\n- Bump Python SDK version used in tests (#3108) by @sentrivana\n\n## 24.5.1\n\n### Various fixes & improvements\n\n- Update consumer flags (#3112) by @hubertdeng123\n- feat: Add crons task consumers (#3106) by @wedamija\n- Update minimum docker compose requirement (#3078) by @JannKleen\n- Different approach to editing permissions of docker volumes (#3084) by @hubertdeng123\n- ref(spans): Add new feature flags needed (#3092) by @phacops\n- chore: Add comment explaining the one liner in clickhouse config (#3085) by @hubertdeng123\n- Fix install: use dynamic docker root dir instead of hardcoded one (#3064) by @boutetnico\n- Typo in config.example.yml (#3063) by @luchaninov\n\n## 24.5.0\n\n### Various fixes & improvements\n\n- fix: Make docker volume script respect compose project name (#3039) by @hubertdeng123\n- remove ref to skip writes (#3041) by @john-z-yang\n- Add clickhouse healthchecks to upgrade (#3024) by @hubertdeng123\n- Upgrade clickhouse to 23.8 (#3009) by @hubertdeng123\n- fix: use nginx realip module (#2977) by @oioki\n- Add upgrade test (#3012) by @hubertdeng123\n- Bump kafka and zookeeper versions (#2988) by @hubertdeng123\n\n## 24.4.2\n\n### Various fixes & improvements\n\n- Edit test file name (#3002) by @hubertdeng123\n- Revert \"Sampling: Run e2e tests every 5 minutes\" (#2999) by @hubertdeng123\n- Fix master test failures (#3000) by @hubertdeng123\n- Sampling: Run e2e tests every 5 minutes (#2994) by @hubertdeng123\n- Tweak e2e test github action (#2987) by @hubertdeng123\n- fix(performance): Add spans-first-ui flag to enable starfish/performance module views in ui (#2993) by @edwardgou-sentry\n- Bump docker compose version in CI (#2980) by @hubertdeng123\n- Upgrade postgres to 14.11 (#2975) by @mdtro\n- Add workstation configuration (#2968) by @azaslavsky\n\n## 24.4.1\n\n### Various fixes & improvements\n\n- chore(deps): bump memcached and redis to latest patch versions (#2973) by @mdtro\n- Use docker compose exec to create additional kafka topics (#2904) by @saz\n- Add example to docker compose version in problem report (#2959) by @edgariscoding\n- Port last integration tests to python (#2966) by @hubertdeng123\n\n## 24.4.0\n\n### Various fixes & improvements\n\n- Use python for e2e tests (#2953) by @hubertdeng123\n- feat: adds group attributes consumer (#2927) by @scefali\n- fix(spans): Adds organizations:standalone-span-ingestion flag to default config (#2936) by @edwardgou-sentry\n- Bump ubuntu version for tests (#2923) by @hubertdeng123\n- Write Customization tests in python (#2918) by @hubertdeng123\n- feat(clickhouse): Added max_suspicious_broken_parts to the config.xml (#2853) by @victorelec14\n- Port backup tests to python (#2907) by @hubertdeng123\n- Fix defunct java processes (#2914) by @hubertdeng123\n- Integration tests in python (#2892) by @hubertdeng123\n- feat: run outcomes-billing consumer (#2909) by @lynnagara\n- Remove duplicate feature flags (#2899) by @JannKleen\n\n## 24.3.0\n\n### Various fixes & improvements\n\n- feat(spans): Ingest spans (#2861) by @phacops\n- Integration test improvements (#2858) by @hubertdeng123\n- increase postgres max_connections above 100 connections (#2740) by @erfantkerfan\n- deps: bump maxmind/geoipupdate to 6.1.0 (#2859) by @victorelec14\n- Enable proxy buffering in nginx (#2844) by @RexTim\n- Add snuba rust consumers (#2831) by @hubertdeng123\n- simplify if for open-ai-suggestion (#2732) by @LvckyAPI\n- Upgrade to FSL-1.1 (#2835) by @chadwhitacre\n- chore: provide clearer csrf url example (#2833) by @aldy505\n- chore: Use django ORM to perform sql commands (#2827) by @hubertdeng123\n- revert changes in 3067683f6c0e1c6dd9ceb72cb5155c1dbf3bf501 (#2829) by @hubertdeng123\n- use rust consumers in self-hosted (3067683f) by @hubertdeng123\n\n## 24.2.0\n\n### Various fixes & improvements\n\n- Bump nginx version (#2797) by @hubertdeng123\n- build(deps): bump pre-commit/action from 3.0.0 to 3.0.1 (#2788) by @dependabot\n- Tweak postgres indexing fix (#2792) by @hubertdeng123\n- fix: DB migration script (#2779) by @hubertdeng123\n\n## 24.1.2\n\n### Various fixes & improvements\n\n- Check memcached backend in Django (#2778) by @chadwhitacre\n- Fix groupedmessage indexing error (#2777) by @hubertdeng123\n- build(deps): bump actions/setup-python from 4 to 5 (#2644) by @dependabot\n- feat: provide csrf settings information for sentry config (#2762) by @aldy505\n- Fix apt config generation when http_proxy is set (#2725) (#2734) by @lemrouch\n\n## 24.1.1\n\n### Various fixes & improvements\n\n- Revert \"Move open ai key from env variables\" (#2724) by @hubertdeng123\n- Fix cache error self hosted (#2722) by @hubertdeng123\n\n## 24.1.0\n\n### Various fixes & improvements\n\n- Enable crons (#2712) by @hubertdeng123\n- Parameterize backup restore script (#2412) by @hubertdeng123\n- Run tests only on getsentry repository (#2681) by @aminvakil\n- Tweak the template now that we can see it (#2670) by @chadwhitacre\n- Nginx client request body is buffered to a temporary file (#2630) by @zKoz210\n\n## 23.12.1\n\n### Various fixes & improvements\n\n- Make a release issue template (#2666) by @chadwhitacre\n\n## 23.12.0\n\n### Various fixes & improvements\n\n- test(backup): Use --no-prompt for backup tests (#2618) by @azaslavsky\n\n## 23.11.2\n\n- No documented changes.\n\n## 23.11.1\n\n### Various fixes & improvements\n\n- feat: Add sentry-admin.sh tool (#2594) by @azaslavsky\n- Patch for dev self-hosted environments (#2592) by @hubertdeng123\n- Relicense under FSL-1.0-Apache-2.0 (#2586) by @chadwhitacre\n- Bump minimum ram usage (#2585) by @hubertdeng123\n\n## 23.11.0\n\n### Various fixes & improvements\n\n- feat: provide a toggle to enable discord integration (#2548) by @aldy505\n- ref: fix a typo (#2556) by @asottile-sentry\n- ref: use `git branch --show-current` instead of sed (#2550) by @asottile-sentry\n- Remove sessions infra (#2514) by @hubertdeng123\n- Upgrade Clickhouse to 21.8 (#2536) by @hubertdeng123\n- [Snyk] Security upgrade debian from bullseye-slim to bookworm-20231009-slim (#2511) by @Indigi-managed\n- snuba: Remove deprecated CLI arg (#2515) by @lynnagara\n\n## 23.10.1\n\n### Various fixes & improvements\n\n- Revert \"feat: upgrade to zookeeper-less kafka (#2445)\" (#2500) by @hubertdeng123\n- Add fast revert GH workflow (#2499) by @hubertdeng123\n- build(deps): bump actions/checkout from 3 to 4 (#2493) by @dependabot\n- configure dependabot (#2491) by @mdtro\n- deps: bump nginx to 1.25.2 (#2490) by @mdtro\n- feat: upgrade to zookeeper-less kafka (#2445) by @joshuarli\n- Update outdated install option in README (#2440) by @hubertdeng123\n\n## 23.10.0\n\n### Various fixes & improvements\n\n- Switch geoipupdate image to ghcr.io (#2442) by @hkraal\n- Add system.url-prefix to config for visibility (#2426) by @hubertdeng123\n- Remove CSPMiddleware since it is enabled by default in the upstream sentry (#2434) by @oioki\n- Update nginx.conf (#2455) by @mwarkentin\n- Update Redis container image to 6.2.13 (#2432) by @mencarellic\n\n## 23.9.1\n\n### Various fixes & improvements\n\n- fix: e2e test jq bug (#2410) by @azaslavsky\n- feat(backup): Support new backup script (#2407) by @azaslavsky\n- Decrease frequency of e2e tests (#2383) by @hubertdeng123\n- Reduce logs coming from clickhouse (#2382) by @hubertdeng123\n- Increase frequency of e2e test runs (#2375) by @hubertdeng123\n- Remove nginx content-disposition hack for safari (#2381) by @hubertdeng123\n- Attempt to fix integration test flakiness (#2372) by @hubertdeng123\n- change health check for kafka service (#2371) by @johnatannvmd\n- Add metrics and generic metrics backend (#2355) by @hubertdeng123\n- Bump self-hosted e2e action commit sha (#2369) by @hubertdeng123\n\n## 23.8.0\n\n### Various fixes & improvements\n\n- Add issue platform infra (#2309) by @hubertdeng123\n\n## 23.7.2\n\n### Various fixes & improvements\n\n- Ignore fixture-custom-ca-roots service in integration test (#2321) by @hubertdeng123\n- Update GeoIpUpdate to v6.0.0 (#2287) by @victorelec14\n- Bump healthcheck timeout (#2300) by @hubertdeng123\n\n## 23.7.1\n\n### Various fixes & improvements\n\n- Resolve Safari Content-Disposition header bug (#2297) by @azaslavsky\n- feat: vroom cleanup script that respects default retention days (#2211) by @aldy505\n\n## 23.7.0\n\n### Various fixes & improvements\n\n- Remove nc -q option (#2275) by @hubertdeng123\n- Move open ai key from env variables (#2274) by @hubertdeng123\n- Fix command called in reset script (#2254) by @stayallive\n- Remove stale-bot in self-hosted (#2255) by @hubertdeng123\n- Update geoipupdate to 5.1.1 (#2236) by @williamdes\n\n## 23.6.2\n\n### Various fixes & improvements\n\n- Update nginx to 1.25.1 (#2235) by @williamdes\n- Fix error fingerprinting (#2237) by @chadwhitacre\n- A couple unit testing improvements (#2238) by @chadwhitacre\n- Fix #1684 (#2234) by @azaslavsky\n- Update memcached to 1.6.21 (#2231) by @williamdes\n- Update redis to 6.2.12 (#2230) by @williamdes\n- ref: Move all consumers to unified consumer CLI (#2224) by @hubertdeng123\n- Revert \"ref: Move most consumers to unified consumer CLI\" (#2223) by @hubertdeng123\n- ref: Move most consumers to unified consumer CLI (#2203) by @untitaker\n- Release 23.6.1 cleanup (#2209) by @hubertdeng123\n\n## 23.6.1\n\n### Various fixes & improvements\n\n- Fix bump version script (#2207) by @hubertdeng123\n\n## 23.6.0\n\n### Various fixes & improvements\n\n- Remove docker compose v1 (#2187) by @hubertdeng123\n- ref(compose): Separate ingest consumers (#2193) by @jan-auer\n- feat(profiling): Run profiling on self-hosted (#2154) by @phacops\n\n## 23.5.2\n\n- No documented changes.\n\n## 23.5.1\n\n### Various fixes & improvements\n\n- fix(suggested-fix): key should be 'key', not 'token' (#2146) by @aldy505\n\n## 23.5.0\n\n### Various fixes & improvements\n\n- Add no strict offset reset options to consumers (#2144) by @hubertdeng123\n- Add settings for enabling CSP to config file (#2134) by @hubertdeng123\n- feat: add suggested fix feature (#2115) by @aldy505\n- adding ulimits for zookeeper, kafka, and web (#2123) by @jamincollins\n- Uninstall Docker Compose v1 from CI so it's not used for tests (#2114) by @hubertdeng123\n- Fixed docker compose issue in backup/restore (#2110) by @montaniasystemab\n- Enable upstream keepalive (#2099) by @otbutz\n- Bump commit sha for e2e test action (#2104) by @hubertdeng123\n- Use docker compose exec to account for differences in container names for Postgres upgrade (#2096) by @hubertdeng123\n- Change symbolicator to use CalVer for release (#2091) by @hubertdeng123\n\n## 23.4.0\n\n### Postgres 14 Upgrade\n\nWe've now included an upgrade from Postgres 9.6 to 14.5 that will automatically be run via the `./install.sh` script.\n\nBy: @hubertdeng123 (#2074)\n\n### Various fixes & improvements\n\n- Remove clean function testing line (#2082) by @hubertdeng123\n- Fix command to get docker compose version in problem report template (#2080) by @hubertdeng123\n- Tweak permissioning of backup file in backup script to read/write for all users (#2043) by @hubertdeng123\n- Remove commit-batch-size parameter (#2058) by @hubertdeng123\n- Support external sourcemaps bigger, than 1Mb (#2050) by @le0pard\n- Add github setup instructions to config.example.yml (#2051) by @tm1000\n- ref(snuba): Use snuba self-hosted settings (#2039) by @enochtangg\n\n## 23.3.1\n\n### Various fixes & improvements\n\n- Bump Kafka version to keep up with SaaS (#2037) by @chadwhitacre\n- Add Backup/restore scripts (#2029) by @hubertdeng123\n- Add opt in error monitoring to reset and clean scripts (#2021) by @hubertdeng123\n\n## 23.3.0\n\n### Various fixes & improvements\n\n- Remove ZooKeeper snapshot (#2020) by @dereckson\n- feat(snuba): Add snuba sessions subscription service (#2006) by @klboke\n- Add backup/restore integration tests (#2012) by @hubertdeng123\n- ref(snuba): Remove snuba-cleanup, snuba-transactions-cleanup jobs (#2003) by @klboke\n- ref(replays): Remove the session-replay-ui flag (#2010) by @ryan953\n- Remove broken replay integration test (#2011) by @hubertdeng123\n- Bump self-hosted-e2e-tests action commit sha (#2008) by @hubertdeng123\n- Revert symbolicator tests (#2004) by @hubertdeng123\n- post-process-forwarder: Update CLI command (#1999) by @lynnagara\n- feat(replays): add replays to self hosted (#1990) by @JoshFerge\n- Remove issue status helper automation (#1989) by @hubertdeng123\n- Add proxy buffer size config to fix Bad Gateway (#1984) by @SCjona\n- Reference paths relative to project root (#1800) by @spawnia\n- Run close stale issues/PRs only on getsentry (#1969) by @aminvakil\n\n## 23.2.0\n\n### Various fixes & improvements\n\n- Run lock issues/PRs only on getsentry (#1966) by @aminvakil\n- Updates Redis to 6.2.10 (#1937) by @danielhartnell\n- Handle missing example files gracefully (#1950) by @chadwhitacre\n- Fix post-release.sh for `git pull` (#1938) by @BYK\n- Manually change 23.1.1 to nightly (#1936) by @hubertdeng123\n\n## 23.1.1\n\n### Various fixes & improvements\n\n- ci: Add test for symbolicator pipeline (#1916) by @ethanhs\n\n## 23.1.0\n\n### Various fixes & improvements\n\n- ci: Check health of services after running integration tests and fix snuba-replacer (#1897) by @ethanhs\n- Add wal2json debugging (#1906) by @chadwhitacre\n- Pick up CI bugfix (#1905) by @chadwhitacre\n- ref: Move jq build to error-handling.sh, and use proxy config (#1895) by @ethanhs\n- fix(CI): use default curl retry mechanism for wal2json install (#1890) by @volokluev\n- ref: Retry wal2json download in installer (#1881) by @ethanhs\n- ci: Remove GCB and update Github Action SHA (#1880) by @ethanhs\n\n## 22.12.0\n\n### Various fixes & improvements\n\n- Build each service image individually (#1858) by @ethanhs\n- Set higher kafka healthcheck timeout and fix clickhouse timeout (#1855) by @ethanhs\n- Add --skip-sse42-requirements to install.sh and enable SKIP_SSE42_REQUIREMENTS override (#1790) by @erinaceous\n- Fix commit-log-topic parameter configuration problem (#1817) by @klboke\n- Add .idea to .gitignore (#1803) by @spawnia\n- Add USE_X_FORWARDED_HOST to example config (#1804) by @crinjes\n- (fix): Fix contributor PR e2e tests (#1820) by @hubertdeng123\n\n## 22.11.0\n\n### Various fixes & improvements\n\n- Fix jq usage (#1814) by @ethanhs\n- Try adding end to end tests using new action (#1806) by @ethanhs\n- Add context line, error msg to envelope (#1784) by @hubertdeng123\n- Update to actions/checkoutv3 to address upcoming github deprecations (#1792) by @mattgauntseo-sentry\n- ref: upgrade actions/setup-python to avoid set-output deprecation (#1789) by @asottile-sentry\n- Enforce error reporting (#1777) by @hubertdeng123\n- Upload end of log as breadcrumbs, use exceptions and stacktrace (#1775) by @ethanhs\n- Fix sentry release for dogfood instance (#1768) by @hubertdeng123\n- Add pre-commit config (#1738) by @ethanhs\n- Do not send event on INT signal (#1773) by @hubertdeng123\n\n## 22.10.0\n\n### Various fixes & improvements\n\n- Split post process forwarders (#1759) by @chadwhitacre\n- Revert \"Enforce error reporting for self-hosted\" (#1755) by @hubertdeng123\n- Enforce error reporting for self-hosted (#1753) by @hubertdeng123\n- ref: Remove unused scripts and code (#1710) by @BYK\n- Check to see if docker compose exists, else error out (#1733) by @hubertdeng123\n- Fix minimum version requirements for docker and docker compose (#1732) by @hubertdeng123\n- Factor out clean and use it in unit-test (#1731) by @chadwhitacre\n- Reorganize unit test layout (#1729) by @hubertdeng123\n- Request event ID in issue template (#1723) by @ethanhs\n- Tag releases with sentry-cli (#1718) by @hubertdeng123\n- Send full logs as an attachment to our dogfood instance (#1715) by @hubertdeng123\n\n## 22.9.0\n\n### Various fixes & improvements\n\n- Fix traceback hash for error monitoring (#1700) by @hubertdeng123\n- Add section about error monitoring to the README (#1699) by @ethanhs\n- Switch from .reporterrors file to flag + envvar (#1697) by @chadwhitacre\n- Rename flag to --skip-user-creation (#1696) by @chadwhitacre\n- Default to not sending data to Sentry for now (#1695) by @chadwhitacre\n- fix(e2e tests): Pull branch that initially triggers gcp build for PRs (#1694) by @hubertdeng123\n- fix(e2e tests): Add .reporterrors file for GCP run of e2e tests (#1691) by @hubertdeng123\n- Error monitoring of the self-hosted installer (#1679) by @ethanhs\n- added docker commands in the description (#1673) by @victorelec14\n- Use docker-compose 2.7.0 instead of 2.2.3 in CI (#1591) by @aminvakil\n\n## 22.8.0\n\n- No documented changes.\n\n## 22.7.0\n\n### Various fixes & improvements\n\n- ref: use sort -V to check minimum versions (#1553) by @ethanhs\n- Get more data from users in issue templates (#1497) by @aminvakil\n- Add ARM support (#1538) by @chadwhitacre\n- do not use gosu for snuba-transactions-cleanup and snuba-cleanup (#1564) by @goganchic\n- ref: Replace regex with --short flag to get compose version (#1551) by @ethanhs\n- Improve installation through proxy (#1543) by @goganchic\n- Cleanup .env{,.custom} handling (#1539) by @chadwhitacre\n- Bump nginx:1.22.0-alpine (#1506) by @aminvakil\n- Run release a new version job only on getsentry (#1529) by @aminvakil\n\n## 22.6.0\n\n### Various fixes & improvements\n\n- fix \"services.web.healthcheck.retries must be a number\" (#1482) by @yuval1986\n- Add volume for nginx cache (#1511) by @glensc\n- snuba: New subscriptions infrastructure rollout (#1507) by @lynnagara\n- Ease modification of base image (#1479) by @spawnia\n\n## 22.5.0\n\n### Various fixes & improvements\n\n- ref: reset user to root for installation (#1469) by @asottile-sentry\n- Document From email display name (#1446) by @chadwhitacre\n- Bring in CLA Lite (#1439) by @chadwhitacre\n- fix: replace git.io links with redirect targets (#1430) by @asottile-sentry\n\n## 22.4.0\n\n### Various fixes & improvements\n\n- Use better API key when available (#1408) by @chadwhitacre\n- Use a custom action (#1407) by @chadwhitacre\n- Add some debug logging (#1340) by @chadwhitacre\n- meta(gha): Deploy workflow enforce-license-compliance.yml (#1388) by @chadwhitacre\n- Turn off containers under old name as well (#1384) by @chadwhitacre\n\n## 22.3.0\n\n### Various fixes & improvements\n\n- Run CI every night (#1334) by @aminvakil\n- Docker-Compose: Avoid setting hostname to '' (#1365) by @glensc\n- meta(gha): Deploy workflow enforce-license-compliance.yml (#1375) by @chadwhitacre\n- ci: Change stale GitHub workflow to run once a day (#1371) by @kamilogorek\n- ci: Temporary fix for interactive prompt on createuser (#1370) by @BYK\n- meta(gha): Deploy workflow enforce-license-compliance.yml (#1347) by @chadwhitacre\n- Add SaaS nudge to README (#1327) by @chadwhitacre\n\n## 22.2.0\n\n### Various fixes & improvements\n\n- fix: unbound variable _group in reset/dc-detect-version script (#1283) (#1284) by @lovetodream\n- Remove routing helper (#1323) by @chadwhitacre\n- Bump nginx:1.21.6-alpine (#1319) by @aminvakil\n- Add a cloudbuild.yaml for GCB (#1315) by @chadwhitacre\n- Update set-up-and-migrate-database.sh (#1308) by @drmrbrewer\n- Pull relay explicitly to avoid garbage in creds (#1301) by @chadwhitacre\n- Improve logging of docker versions and relay creds (#1298) by @chadwhitacre\n- Remove file again (#1299) by @chadwhitacre\n- Clean up relay credentials generation (#1289) by @chadwhitacre\n- Add CI compose version 1.29.2 / 2.0.1 / 2.2.3 (#1290) by @chadwhitacre\n- Revert \"Add CI compose version 1.29.2 / 2.0.1 / 2.2.3 (#1251)\" (#1272) by @chadwhitacre\n- Add CI compose version 1.29.2 / 2.0.1 / 2.2.3 (#1251) by @aminvakil\n\n## 22.1.0\n\n### Various fixes & improvements\n\n- Make healthcheck variables configurable in .env (#1248) by @aminvakil\n- Take some actions to avoid unhealthy containers (#1241) by @chadwhitacre\n- Install: setup umask (#1222) by @glensc\n- Deprecated /docker-entrypoint.sh call (#1218) by @marcinroman\n- Bump nginx:1.21.5-alpine (#1230) by @aminvakil\n- Fix reset.sh docker-compose call (#1215) by @aminvakil\n- Set worker_processes to auto (#1207) by @aminvakil\n\n## 21.12.0\n\n### Support Docker Compose v2 (ongoing)\n\nSelf-hosted Sentry mostly works with Docker Compose v2 (in addition to v1 >= 1.28.0). There is [one more bug](https://github.com/getsentry/self-hosted/issues/1133) we are trying to squash.\n\nBy: @chadwhitacre (#1179)\n\n### Prevent Component Drift\n\nWhen a user runs the `install.sh` script, they get the latest version of the Sentry, Snuba, Relay and Symbolicator projects. However there is no guarantee they have pulled the latest `self-hosted` version first, and running an old one may cause problems. To mitigate this, we now perform a check during installation that the user is on the latest commit if they are on the `master` branch. You can disable this check with `--skip-commit-check`.\n\nBy: @chadwhitacre (#1191), @aminvakil (#1186)\n\n### React to log4shell\n\nSelf-hosted Sentry is [not vulnerable](https://github.com/getsentry/self-hosted/issues/1196) to the [log4shell](https://log4shell.com/) vulnerability.\n\nBy: @chadwhitacre (#1203)\n\n### Forum → Issues\n\nIn the interest of reducing sources of truth, providing better support, and restarting the fire of the self-hosted Sentry community, we [deprecated the Discourse forum in favor of GitHub Issues](https://github.com/getsentry/self-hosted/issues/1151).\n\nBy: @chadwhitacre (#1167, #1160, #1159)\n\n### Rename onpremise to self-hosted (ongoing)\n\nIn the beginning we used the term \"on-premise\" and over time we introduced the term \"self-hosted.\" In an effort to regain some consistency for both branding and developer mental overhead purposes, we are standardizing on the term \"self-hosted.\" This release includes a fair portion of the work towards this across multiple repos, hopefully a future release will include the remainder. Some orphaned containers / volumes / networks are [expected](https://github.com/getsentry/self-hosted/pull/1169#discussion_r756401917). You may clean them up with `docker-compose down --remove-orphans`.\n\nBy: @chadwhitacre (#1169)\n\n### Add support for custom DotEnv file\n\nThere are several ways to [configure self-hosted Sentry](https://develop.sentry.dev/self-hosted/#configuration) and one of them is the `.env` file. In this release we add support for a `.env.custom` file that is git-ignored to make it easier for you to override keys configured this way with custom values. Thanks to @Sebi94nbg for the contribution!\n\nBy: @Sebi94nbg (#1113)\n\n### Various fixes & improvements\n\n- Revert \"Rename onpremise to self-hosted\" (5495fe2e) by @chadwhitacre\n- Rename onpremise to self-hosted (9ad05d87) by @chadwhitacre\n\n## 21.11.0\n\n### Various fixes & improvements\n\n- Fix #1079 - bug in reset.sh (#1134) by @chadwhitacre\n- ci: Enable parallel tests again, increase timeouts (#1125) by @BYK\n- fix: Hide compose errors during version check (#1124) by @BYK\n- build: Omit nightly bump commit from changelog (#1120) by @BYK\n- build: Set master version to nightly (d3e77857)\n\n## 21.10.0\n\n### Support for Docker Compose v2 (ongoing)\n\nYou asked for it and you did it! Sentry self-hosted now can work with Docker Compose v2 thanks to our community's contributions.\n\nPRs: #1116\n\n### Various fixes & improvements\n\n- docs: simplify Linux `sudo` instructions in README (#1096)\n- build: Set master version to nightly (58874cf9)\n\n## 21.9.0\n\n- fix(healthcheck): Increase retries to 5 (#1072)\n- fix(requirements): Make compose version check bw-compatible (#1068)\n- ci: Test with the required minimum docker-compose (#1066)\n Run tests using docker-compose `1.28.0` instead of latest\n- fix(clickhouse): Use correct HTTP port for healthcheck (#1069)\n Fixes the regular `Unexpected packet` errors in Clickhouse\n\n## 21.8.0\n\n- feat: Support custom CA roots ([#27062](https://github.com/getsentry/sentry/pull/27062)), see the [docs](https://develop.sentry.dev/self-hosted/custom-ca-roots/) for more details.\n- fix: Fix `curl` image to version 7.77.0\n- upgrade: docker-compose version to 1.29.2\n- feat: Leverage health checks for depends_on\n\n## 21.7.0\n\n- No documented changes.\n\n## 21.6.3\n\n- No documented changes.\n\n## 21.6.2\n\n- BREAKING CHANGE: The frontend bundle will be loaded asynchronously (via [#25744](https://github.com/getsentry/sentry/pull/25744)). This is a breaking change that can affect custom plugins that access certain globals in the django template. Please see https://forum.sentry.io/t/breaking-frontend-changes-for-custom-plugins/14184 for more information.\n\n## 21.6.1\n\n- No documented changes.\n\n## 21.6.0\n\n- feat: Add healthchecks for redis, memcached and postgres (#975)\n" }, { "path": "CONTRIBUTING.md", "content": "## Testing\n\n### Running Tests with Pytest\n\nWe use pytest for running tests. To run the tests:\n\n1) Ensure that you are in the root directory of the project.\n2) Run the following command:\n```bash\npytest\n```\n\nThis will automatically discover and run all test cases in the project.\n" }, { "path": "LICENSE.md", "content": "# Functional Source License, Version 1.1, Apache 2.0 Future License\n\n## Abbreviation\n\nFSL-1.1-Apache-2.0\n\n## Notice\n\nCopyright 2016-2024 Functional Software, Inc. dba Sentry\n\n## Terms and Conditions\n\n### Licensor (\"We\")\n\nThe party offering the Software under these Terms and Conditions.\n\n### The Software\n\nThe \"Software\" is each version of the software that we make available under\nthese Terms and Conditions, as indicated by our inclusion of these Terms and\nConditions with the Software.\n\n### License Grant\n\nSubject to your compliance with this License Grant and the Patents,\nRedistribution and Trademark clauses below, we hereby grant you the right to\nuse, copy, modify, create derivative works, publicly perform, publicly display\nand redistribute the Software for any Permitted Purpose identified below.\n\n### Permitted Purpose\n\nA Permitted Purpose is any purpose other than a Competing Use. A Competing Use\nmeans making the Software available to others in a commercial product or\nservice that:\n\n1. substitutes for the Software;\n\n2. substitutes for any other product or service we offer using the Software\n that exists as of the date we make the Software available; or\n\n3. offers the same or substantially similar functionality as the Software.\n\nPermitted Purposes specifically include using the Software:\n\n1. for your internal use and access;\n\n2. for non-commercial education;\n\n3. for non-commercial research; and\n\n4. in connection with professional services that you provide to a licensee\n using the Software in accordance with these Terms and Conditions.\n\n### Patents\n\nTo the extent your use for a Permitted Purpose would necessarily infringe our\npatents, the license grant above includes a license under our patents. If you\nmake a claim against any party that the Software infringes or contributes to\nthe infringement of any patent, then your patent license to the Software ends\nimmediately.\n\n### Redistribution\n\nThe Terms and Conditions apply to all copies, modifications and derivatives of\nthe Software.\n\nIf you redistribute any copies, modifications or derivatives of the Software,\nyou must include a copy of or a link to these Terms and Conditions and not\nremove any copyright notices provided in or with the Software.\n\n### Disclaimer\n\nTHE SOFTWARE IS PROVIDED \"AS IS\" AND WITHOUT WARRANTIES OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING WITHOUT LIMITATION WARRANTIES OF FITNESS FOR A PARTICULAR\nPURPOSE, MERCHANTABILITY, TITLE OR NON-INFRINGEMENT.\n\nIN NO EVENT WILL WE HAVE ANY LIABILITY TO YOU ARISING OUT OF OR RELATED TO THE\nSOFTWARE, INCLUDING INDIRECT, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES,\nEVEN IF WE HAVE BEEN INFORMED OF THEIR POSSIBILITY IN ADVANCE.\n\n### Trademarks\n\nExcept for displaying the License Details and identifying us as the origin of\nthe Software, you have no right under these Terms and Conditions to use our\ntrademarks, trade names, service marks or product names.\n\n## Grant of Future License\n\nWe hereby irrevocably grant you an additional license to use the Software under\nthe Apache License, Version 2.0 that is effective on the second anniversary of\nthe date we make the Software available. On or after that date, you may use the\nSoftware under the Apache License, Version 2.0, in which case the following\nwill apply:\n\nLicensed under the Apache License, Version 2.0 (the \"License\"); you may not use\nthis file except in compliance with the License.\n\nYou may obtain a copy of the License at\n\nhttp://www.apache.org/licenses/LICENSE-2.0\n\nUnless required by applicable law or agreed to in writing, software distributed\nunder the License is distributed on an \"AS IS\" BASIS, WITHOUT WARRANTIES OR\nCONDITIONS OF ANY KIND, either express or implied. See the License for the\nspecific language governing permissions and limitations under the License.\n" }, { "path": "README.md", "content": "# Self-Hosted Sentry 26.3.1\n\n[Sentry](https://sentry.io/), feature-complete and packaged up for low-volume deployments and proofs-of-concept.\n\nDocumentation [here](https://develop.sentry.dev/self-hosted/).\n" }, { "path": "_integration-test/conftest.py", "content": "import os\nfrom os.path import join\nimport subprocess\n\nimport pytest\n\nSENTRY_CONFIG_PY = \"sentry/sentry.conf.py\"\nSENTRY_TEST_HOST = os.getenv(\"SENTRY_TEST_HOST\", \"http://localhost:9000\")\nTEST_USER = \"test@example.com\"\nTEST_PASS = \"test123TEST\"\n\n\n@pytest.fixture(scope=\"session\", autouse=True)\ndef configure_self_hosted_environment(request):\n subprocess.run(\n [\"docker\", \"compose\", \"--ansi\", \"never\", \"up\", \"--wait\"],\n check=True,\n capture_output=True,\n )\n # Create test user\n subprocess.run(\n [\n \"docker\",\n \"compose\",\n \"exec\",\n \"-T\",\n \"web\",\n \"sentry\",\n \"createuser\",\n \"--force-update\",\n \"--superuser\",\n \"--email\",\n TEST_USER,\n \"--password\",\n TEST_PASS,\n \"--no-input\",\n ],\n check=True,\n text=True,\n )\n\n\n@pytest.fixture()\ndef setup_backup_restore_env_variables():\n os.environ[\"SENTRY_DOCKER_IO_DIR\"] = os.path.join(os.getcwd(), \"sentry\")\n os.environ[\"SKIP_USER_CREATION\"] = \"1\"\n" }, { "path": "_integration-test/custom-ca-roots/custom-ca-roots-test.py", "content": "import unittest\n\nimport requests\n\n\nclass CustomCATests(unittest.TestCase):\n def test_valid_self_signed(self):\n self.assertEqual(requests.get(\"https://self.test\").text, \"ok\")\n\n def test_invalid_self_signed(self):\n with self.assertRaises(requests.exceptions.SSLError):\n requests.get(\"https://fail.test\")\n\n\nif __name__ == \"__main__\":\n unittest.main()\n" }, { "path": "_integration-test/custom-ca-roots/docker-compose.test.yml", "content": "version: '3.4'\nservices:\n fixture-custom-ca-roots:\n image: nginx:1.21.0-alpine\n restart: unless-stopped\n volumes:\n - ./_integration-test/custom-ca-roots/nginx:/etc/nginx:ro\n networks:\n default:\n aliases:\n - self.test\n - fail.test\n" }, { "path": "_integration-test/fixtures/envelope-with-profile", "content": "{\"event_id\":\"66578634d48d433db0ad52882d1efe5b\",\"sent_at\":\"2023-05-17T14:54:31.057Z\",\"sdk\":{\"name\":\"sentry.javascript.node\",\"version\":\"7.46.0\"},\"trace\":{\"environment\":\"production\",\"transaction\":\"fib: sourcemaps here\",\"public_key\":\"05ab86aebbe14a24bcab62caa839cf27\",\"trace_id\":\"33321bfbd5304bcc9663d1b53b08f84e\",\"sample_rate\":\"1\"}}\n{\"type\":\"transaction\"}\n{\"contexts\":{\"profile\":{\"profile_id\":\"e73aaf1f29b24812be60132f32d09f92\"},\"trace\":{\"op\":\"test\",\"span_id\":\"b38f2b24537c3858\",\"trace_id\":\"33321bfbd5304bcc9663d1b53b08f84e\"},\"runtime\":{\"name\":\"node\",\"version\":\"v16.16.0\"},\"app\":{\"app_start_time\":\"2023-05-17T14:54:27.678Z\",\"app_memory\":57966592},\"os\":{\"kernel_version\":\"22.3.0\",\"name\":\"macOS\",\"version\":\"13.2\",\"build\":\"22D49\"},\"device\":{\"boot_time\":\"2023-05-12T15:08:41.047Z\",\"arch\":\"arm64\",\"memory_size\":34359738368,\"free_memory\":6861651968,\"processor_count\":10,\"cpu_description\":\"Apple M1 Pro\",\"processor_frequency\":24},\"culture\":{\"locale\":\"en-US\",\"timezone\":\"America/New_York\"}},\"spans\":[],\"start_timestamp\":1684335267.744,\"tags\":{},\"timestamp\":1684335271.033,\"transaction\":\"fib: sourcemaps here\",\"type\":\"transaction\",\"transaction_info\":{\"source\":\"custom\"},\"platform\":\"node\",\"server_name\":\"TK6G745PW1.local\",\"event_id\":\"66578634d48d433db0ad52882d1efe5b\",\"environment\":\"production\",\"sdk\":{\"integrations\":[\"InboundFilters\",\"FunctionToString\",\"Console\",\"Http\",\"OnUncaughtException\",\"OnUnhandledRejection\",\"ContextLines\",\"LocalVariables\",\"Context\",\"Modules\",\"RequestData\",\"LinkedErrors\",\"ProfilingIntegration\"],\"name\":\"sentry.javascript.node\",\"version\":\"7.46.0\",\"packages\":[{\"name\":\"npm:@sentry/node\",\"version\":\"7.46.0\"}]},\"debug_meta\":{\"images\":[]},\"modules\":{}}\n{\"type\":\"profile\"}\n{\"event_id\":\"e73aaf1f29b24812be60132f32d09f92\",\"timestamp\":\"2023-05-17T14:54:27.744Z\",\"platform\":\"node\",\"version\":\"1\",\"release\":\"\",\"environment\":\"production\",\"runtime\":{\"name\":\"node\",\"version\":\"16.16.0\"},\"os\":{\"name\":\"darwin\",\"version\":\"22.3.0\",\"build_number\":\"Darwin Kernel Version 22.3.0: Thu Jan 5 20:48:54 PST 2023; root:xnu-8792.81.2~2/RELEASE_ARM64_T6000\"},\"device\":{\"locale\":\"en_US.UTF-8\",\"model\":\"arm64\",\"manufacturer\":\"Darwin\",\"architecture\":\"arm64\",\"is_emulator\":false},\"debug_meta\":{\"images\":[]},\"profile\":{\"samples\":[{\"stack_id\":0,\"thread_id\":\"0\",\"elapsed_since_start_ns\":125000},{\"stack_id\":0,\"thread_id\":\"0\",\"elapsed_since_start_ns\":13958000}],\"frames\":[{\"lineno\":14129,\"colno\":17,\"function\":\"startProfiling\",\"abs_path\":\"/Users/jonasbadalic/code/node-profiler/lib/index.js\"}],\"stacks\":[[0]],\"thread_metadata\":{\"0\":{\"name\":\"main\"}}},\"transaction\":{\"name\":\"fib: sourcemaps here\",\"id\":\"66578634d48d433db0ad52882d1efe5b\",\"trace_id\":\"33321bfbd5304bcc9663d1b53b08f84e\",\"active_thread_id\":\"0\"}}\n" }, { "path": "_integration-test/fixtures/envelope-with-transaction", "content": "{\"event_id\":\"66578634d48d433db0ad52882d1efe5b\",\"sent_at\":\"2023-05-17T14:54:31.057Z\",\"sdk\":{\"name\":\"sentry.javascript.node\",\"version\":\"7.46.0\"},\"trace\":{\"environment\":\"production\",\"transaction\":\"fib: sourcemaps here\",\"public_key\":\"05ab86aebbe14a24bcab62caa839cf27\",\"trace_id\":\"33321bfbd5304bcc9663d1b53b08f84e\",\"sample_rate\":\"1\"}}\n{\"type\":\"transaction\"}\n{\"contexts\":{\"trace\":{\"op\":\"test\",\"span_id\":\"b38f2b24537c3858\",\"trace_id\":\"33321bfbd5304bcc9663d1b53b08f84e\"},\"runtime\":{\"name\":\"node\",\"version\":\"v16.16.0\"},\"app\":{\"app_start_time\":\"2023-05-17T14:54:27.678Z\",\"app_memory\":57966592},\"os\":{\"kernel_version\":\"22.3.0\",\"name\":\"macOS\",\"version\":\"13.2\",\"build\":\"22D49\"},\"device\":{\"boot_time\":\"2023-05-12T15:08:41.047Z\",\"arch\":\"arm64\",\"memory_size\":34359738368,\"free_memory\":6861651968,\"processor_count\":10,\"cpu_description\":\"Apple M1 Pro\",\"processor_frequency\":24},\"culture\":{\"locale\":\"en-US\",\"timezone\":\"America/New_York\"}},\"spans\":[],\"start_timestamp\":1684335267.744,\"tags\":{},\"timestamp\":1684335271.033,\"transaction\":\"fib: sourcemaps here\",\"type\":\"transaction\",\"transaction_info\":{\"source\":\"custom\"},\"platform\":\"node\",\"server_name\":\"TK6G745PW1.local\",\"event_id\":\"66578634d48d433db0ad52882d1efe5b\",\"environment\":\"production\",\"sdk\":{\"integrations\":[\"InboundFilters\",\"FunctionToString\",\"Console\",\"Http\",\"OnUncaughtException\",\"OnUnhandledRejection\",\"ContextLines\",\"LocalVariables\",\"Context\",\"Modules\",\"RequestData\",\"LinkedErrors\",\"ProfilingIntegration\"],\"name\":\"sentry.javascript.node\",\"version\":\"7.46.0\",\"packages\":[{\"name\":\"npm:@sentry/node\",\"version\":\"7.46.0\"}]},\"debug_meta\":{\"images\":[]},\"modules\":{}}\n" }, { "path": "_integration-test/nodejs/.gitignore", "content": "node_modules\n" }, { "path": "_integration-test/nodejs/instrument.js", "content": "import * as Sentry from \"@sentry/node\";\n\nSentry.init({\n dsn: process.env.SENTRY_DSN,\n sampleRate: 1.0,\n tracesSampleRate: 1.0,\n enableLogs: true,\n profileLifecycle: \"manual\",\n sendClientReports: true,\n sendDefaultPii: true,\n debug: true,\n});\n" }, { "path": "_integration-test/nodejs/package.json", "content": "{\n \"name\": \"sentry-self-hosted-integration-test-nodejs\",\n \"version\": \"0.0.0\",\n \"description\": \"Scripts to run for features only available on Nodejs SDK\",\n \"author\": \"Sentry \",\n \"type\": \"module\",\n \"scripts\": {\n \"start\": \"node --import ./instrument.js index.js\"\n },\n \"dependencies\": {\n \"@sentry/node\": \"^10.5.0\"\n }\n}\n" }, { "path": "_integration-test/nodejs/user-feedback.js", "content": "import * as Sentry from \"@sentry/node\";\n\nSentry.captureFeedback({\n message: \"I love your startup!\",\n name: \"John Doe\",\n email: \"john@example.com\",\n url: \"https://example.com\",\n});\n\n\nSentry.flush(5000);\n" }, { "path": "_integration-test/test_01_basics.py", "content": "import datetime\nimport json\nimport os\nimport re\nimport shutil\nimport subprocess\nimport sys\nimport time\nfrom functools import lru_cache\nfrom typing import Callable\n\nimport httpx\nimport pytest\nimport sentry_sdk\nfrom sentry_sdk import logger as sentry_logger\nfrom bs4 import BeautifulSoup\nfrom cryptography import x509\nfrom cryptography.hazmat.backends import default_backend\nfrom cryptography.hazmat.primitives import hashes, serialization\nfrom cryptography.hazmat.primitives.asymmetric import rsa\nfrom cryptography.x509.oid import NameOID\n\nSENTRY_CONFIG_PY = \"sentry/sentry.conf.py\"\nSENTRY_TEST_HOST = os.getenv(\"SENTRY_TEST_HOST\", \"http://localhost:9000\")\nTEST_USER = \"test@example.com\"\nTEST_PASS = \"test123TEST\"\nTIMEOUT_SECONDS = 120\n\n\ndef poll_for_response(\n request: str, client: httpx.Client, validator: Callable = None\n) -> httpx.Response:\n for i in range(TIMEOUT_SECONDS):\n response = client.get(\n request, follow_redirects=True, headers={\"Referer\": SENTRY_TEST_HOST}\n )\n if response.status_code == 200:\n if validator is None or validator(response.text):\n break\n time.sleep(1)\n else:\n raise AssertionError(\n \"timeout waiting for response status code 200 or valid data\"\n )\n return response\n\n\n@lru_cache\ndef get_sentry_dsn(client: httpx.Client) -> str:\n response = poll_for_response(\n f\"{SENTRY_TEST_HOST}/api/0/projects/sentry/internal/keys/\",\n client,\n lambda x: len(json.loads(x)[0][\"dsn\"][\"public\"]) > 0,\n )\n sentry_dsn = json.loads(response.text)[0][\"dsn\"][\"public\"]\n return sentry_dsn\n\n\n@pytest.fixture()\ndef client_login():\n client = httpx.Client()\n response = client.get(SENTRY_TEST_HOST, follow_redirects=True)\n parser = BeautifulSoup(response.text, \"html.parser\")\n login_csrf_token = parser.find(\"input\", {\"name\": \"csrfmiddlewaretoken\"})[\"value\"]\n login_response = client.post(\n f\"{SENTRY_TEST_HOST}/auth/login/sentry/\",\n follow_redirects=True,\n data={\n \"op\": \"login\",\n \"username\": TEST_USER,\n \"password\": TEST_PASS,\n \"csrfmiddlewaretoken\": login_csrf_token,\n },\n headers={\"Referer\": f\"{SENTRY_TEST_HOST}/auth/login/sentry/\"},\n )\n assert login_response.status_code == 200\n yield (client, login_response)\n\n\ndef test_initial_redirect():\n initial_auth_redirect = httpx.get(SENTRY_TEST_HOST, follow_redirects=True)\n assert initial_auth_redirect.url == f\"{SENTRY_TEST_HOST}/auth/login/sentry/\"\n\n\ndef test_asset_internal_rewrite():\n \"\"\"Tests whether we correctly map `/_assets/*` to `/_static/dist/sentry` as\n we don't have a CDN setup in self-hosted.\"\"\"\n response = httpx.get(f\"{SENTRY_TEST_HOST}/_assets/entrypoints/app.js\")\n assert response.status_code == 200\n assert response.headers[\"Content-Type\"] == \"text/javascript\"\n\n\ndef test_login(client_login):\n client, login_response = client_login\n parser = BeautifulSoup(login_response.text, \"html.parser\")\n script_tag = parser.find(\n \"script\", string=lambda x: x and \"window.__initialData\" in x\n )\n assert script_tag is not None\n json_data = json.loads(script_tag.text.split(\"=\", 1)[1].strip().rstrip(\";\"))\n assert json_data[\"isAuthenticated\"] is True\n assert json_data[\"user\"][\"username\"] == \"test@example.com\"\n assert json_data[\"user\"][\"isSuperuser\"] is True\n assert login_response.cookies[\"sc\"] is not None\n # Set up initial/required settings (InstallWizard request)\n client.headers.update({\"X-CSRFToken\": login_response.cookies[\"sc\"]})\n response = client.put(\n f\"{SENTRY_TEST_HOST}/api/0/internal/options/?query=is:required\",\n follow_redirects=True,\n headers={\"Referer\": SENTRY_TEST_HOST},\n data={\n \"mail.use-tls\": False,\n \"mail.username\": \"\",\n \"mail.port\": 25,\n \"system.admin-email\": \"test@example.com\",\n \"mail.password\": \"\",\n \"system.url-prefix\": SENTRY_TEST_HOST,\n \"auth.allow-registration\": False,\n \"beacon.anonymous\": True,\n },\n )\n assert response.status_code == 200\n\n\ndef test_receive_event(client_login):\n event_id = None\n client, _ = client_login\n\n sentry_sdk.init(dsn=get_sentry_dsn(client))\n\n event_id = sentry_sdk.capture_exception(Exception(\"a failure\"))\n assert event_id is not None\n response = poll_for_response(\n f\"{SENTRY_TEST_HOST}/api/0/projects/sentry/internal/events/{event_id}/\", client\n )\n response_json = json.loads(response.text)\n assert response_json[\"eventID\"] == event_id\n assert response_json[\"metadata\"][\"value\"] == \"a failure\"\n\n\ndef test_cleanup_crons_running():\n docker_services = subprocess.check_output(\n [\n \"docker\",\n \"compose\",\n \"--ansi\",\n \"never\",\n \"ps\",\n \"-a\",\n ],\n text=True,\n )\n pattern = re.compile(\n r\"(\\-cleanup\\s+running)|(\\-cleanup[_-].+\\s+Up\\s+)\", re.MULTILINE\n )\n cleanup_crons = pattern.findall(docker_services)\n assert len(cleanup_crons) > 0\n\n\ndef test_custom_certificate_authorities():\n # Set environment variable\n os.environ[\"COMPOSE_FILE\"] = (\n \"docker-compose.yml:_integration-test/custom-ca-roots/docker-compose.test.yml\"\n )\n\n test_nginx_conf_path = \"_integration-test/custom-ca-roots/nginx\"\n custom_certs_path = \"certificates\"\n\n # Generate tightly constrained CA\n ca_key = rsa.generate_private_key(\n public_exponent=65537, key_size=2048, backend=default_backend()\n )\n\n ca_name = x509.Name(\n [x509.NameAttribute(NameOID.COMMON_NAME, \"TEST CA *DO NOT TRUST*\")]\n )\n\n ca_cert = (\n x509.CertificateBuilder()\n .subject_name(ca_name)\n .issuer_name(ca_name)\n .public_key(ca_key.public_key())\n .serial_number(x509.random_serial_number())\n .not_valid_before(datetime.datetime.now(datetime.timezone.utc))\n .not_valid_after(\n datetime.datetime.now(datetime.timezone.utc) + datetime.timedelta(days=1)\n )\n .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)\n .add_extension(\n x509.KeyUsage(\n digital_signature=False,\n key_encipherment=False,\n content_commitment=False,\n data_encipherment=False,\n key_agreement=False,\n key_cert_sign=True,\n crl_sign=True,\n encipher_only=False,\n decipher_only=False,\n ),\n critical=True,\n )\n .add_extension(\n x509.NameConstraints([x509.DNSName(\"self.test\")], None), critical=True\n )\n .add_extension(\n x509.SubjectKeyIdentifier.from_public_key(ca_key.public_key()),\n critical=False,\n )\n .sign(private_key=ca_key, algorithm=hashes.SHA256())\n )\n\n ca_key_path = f\"{test_nginx_conf_path}/ca.key\"\n ca_crt_path = f\"{test_nginx_conf_path}/ca.crt\"\n\n with open(ca_key_path, \"wb\") as key_file:\n key_file.write(\n ca_key.private_bytes(\n encoding=serialization.Encoding.PEM,\n format=serialization.PrivateFormat.TraditionalOpenSSL,\n encryption_algorithm=serialization.NoEncryption(),\n )\n )\n\n with open(ca_crt_path, \"wb\") as cert_file:\n cert_file.write(ca_cert.public_bytes(serialization.Encoding.PEM))\n\n # Create custom certs path and copy ca.crt\n os.makedirs(custom_certs_path, exist_ok=True)\n shutil.copyfile(ca_crt_path, f\"{custom_certs_path}/test-custom-ca-roots.crt\")\n # Generate server key and certificate\n\n self_test_key_path = os.path.join(test_nginx_conf_path, \"self.test.key\")\n self_test_csr_path = os.path.join(test_nginx_conf_path, \"self.test.csr\")\n self_test_cert_path = os.path.join(test_nginx_conf_path, \"self.test.crt\")\n\n self_test_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)\n\n self_test_req = (\n x509.CertificateSigningRequestBuilder()\n .subject_name(\n x509.Name(\n [\n x509.NameAttribute(\n NameOID.COMMON_NAME, \"Self Signed with CA Test Server\"\n )\n ]\n )\n )\n .add_extension(\n x509.SubjectAlternativeName([x509.DNSName(\"self.test\")]), critical=False\n )\n .sign(self_test_key, hashes.SHA256())\n )\n\n self_test_cert = (\n x509.CertificateBuilder()\n .subject_name(\n x509.Name(\n [\n x509.NameAttribute(\n NameOID.COMMON_NAME, \"Self Signed with CA Test Server\"\n )\n ]\n )\n )\n .issuer_name(ca_cert.issuer)\n .serial_number(x509.random_serial_number())\n .not_valid_before(datetime.datetime.now(datetime.timezone.utc))\n .not_valid_after(\n datetime.datetime.now(datetime.timezone.utc) + datetime.timedelta(days=1)\n )\n .public_key(self_test_req.public_key())\n .add_extension(\n x509.SubjectAlternativeName([x509.DNSName(\"self.test\")]), critical=False\n )\n .add_extension(\n x509.SubjectKeyIdentifier.from_public_key(self_test_req.public_key()),\n critical=False,\n )\n .add_extension(\n x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier(\n ca_cert.extensions.get_extension_for_class(x509.SubjectKeyIdentifier).value\n ),\n critical=False,\n )\n .sign(private_key=ca_key, algorithm=hashes.SHA256())\n )\n\n # Save server key, CSR, and certificate\n with open(self_test_key_path, \"wb\") as key_file:\n key_file.write(\n self_test_key.private_bytes(\n encoding=serialization.Encoding.PEM,\n format=serialization.PrivateFormat.TraditionalOpenSSL,\n encryption_algorithm=serialization.NoEncryption(),\n )\n )\n with open(self_test_csr_path, \"wb\") as csr_file:\n csr_file.write(self_test_req.public_bytes(serialization.Encoding.PEM))\n with open(self_test_cert_path, \"wb\") as cert_file:\n cert_file.write(self_test_cert.public_bytes(serialization.Encoding.PEM))\n\n # Generate server key and certificate for fake.test\n\n fake_test_key_path = os.path.join(test_nginx_conf_path, \"fake.test.key\")\n fake_test_cert_path = os.path.join(test_nginx_conf_path, \"fake.test.crt\")\n\n fake_test_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)\n\n fake_test_cert = (\n x509.CertificateBuilder()\n .subject_name(\n x509.Name(\n [x509.NameAttribute(NameOID.COMMON_NAME, \"Self Signed Test Server\")]\n )\n )\n .issuer_name(\n x509.Name(\n [x509.NameAttribute(NameOID.COMMON_NAME, \"Self Signed Test Server\")]\n )\n )\n .serial_number(x509.random_serial_number())\n .not_valid_before(datetime.datetime.now(datetime.timezone.utc))\n .not_valid_after(\n datetime.datetime.now(datetime.timezone.utc) + datetime.timedelta(days=1)\n )\n .public_key(fake_test_key.public_key())\n .add_extension(\n x509.SubjectAlternativeName([x509.DNSName(\"fake.test\")]), critical=False\n )\n .add_extension(\n x509.SubjectKeyIdentifier.from_public_key(fake_test_key.public_key()),\n critical=False,\n )\n .sign(private_key=fake_test_key, algorithm=hashes.SHA256())\n )\n\n # Save server key and certificate for fake.test\n with open(fake_test_key_path, \"wb\") as key_file:\n key_file.write(\n fake_test_key.private_bytes(\n encoding=serialization.Encoding.PEM,\n format=serialization.PrivateFormat.TraditionalOpenSSL,\n encryption_algorithm=serialization.NoEncryption(),\n )\n )\n # Our asserts for this test case must be executed within the web container, so we are copying a python test script into the mounted sentry directory\n with open(fake_test_cert_path, \"wb\") as cert_file:\n cert_file.write(fake_test_cert.public_bytes(serialization.Encoding.PEM))\n shutil.copyfile(\n \"_integration-test/custom-ca-roots/custom-ca-roots-test.py\",\n \"sentry/test-custom-ca-roots.py\",\n )\n\n subprocess.run(\n [\n \"docker\",\n \"compose\",\n \"--ansi\",\n \"never\",\n \"up\",\n \"--wait\",\n \"fixture-custom-ca-roots\",\n ],\n check=True,\n )\n subprocess.run(\n [\n \"docker\",\n \"compose\",\n \"--ansi\",\n \"never\",\n \"run\",\n \"--no-deps\",\n \"web\",\n \"python3\",\n \"/etc/sentry/test-custom-ca-roots.py\",\n ],\n check=True,\n )\n subprocess.run(\n [\n \"docker\",\n \"compose\",\n \"--ansi\",\n \"never\",\n \"rm\",\n \"-s\",\n \"-f\",\n \"-v\",\n \"fixture-custom-ca-roots\",\n ],\n check=True,\n )\n\n # Remove files\n os.remove(f\"{custom_certs_path}/test-custom-ca-roots.crt\")\n os.remove(\"sentry/test-custom-ca-roots.py\")\n\n # Unset environment variable\n if \"COMPOSE_FILE\" in os.environ:\n del os.environ[\"COMPOSE_FILE\"]\n\n\n@pytest.mark.skipif(os.environ.get(\"COMPOSE_PROFILES\") != \"feature-complete\", reason=\"Only run if feature-complete\")\ndef test_receive_transaction_events(client_login):\n client, _ = client_login\n sentry_sdk.init(\n dsn=get_sentry_dsn(client), profiles_sample_rate=1.0, traces_sample_rate=1.0\n )\n\n def placeholder_fn():\n sum = 0\n for i in range(5):\n sum += i\n time.sleep(0.25)\n\n with sentry_sdk.start_transaction(op=\"task\", name=\"Test Transactions\"):\n placeholder_fn()\n\n poll_for_response(\n f\"{SENTRY_TEST_HOST}/api/0/organizations/sentry/events/?dataset=profiles&field=profile.id&project=1&statsPeriod=1h\",\n client,\n lambda x: len(json.loads(x)[\"data\"]) > 0,\n )\n poll_for_response(\n f\"{SENTRY_TEST_HOST}/api/0/organizations/sentry/events/?dataset=spans&field=id&project=1&statsPeriod=1h\",\n client,\n lambda x: len(json.loads(x)[\"data\"]) > 0,\n )\n\n@pytest.mark.skipif(os.environ.get(\"COMPOSE_PROFILES\") != \"feature-complete\", reason=\"Only run if feature-complete\")\ndef test_receive_user_feedback_events(client_login):\n client, _ = client_login\n sentry_dsn = get_sentry_dsn(client)\n\n\n # Execute `node --import instrument.js user-feedback.js` on the `nodejs` directory with the `SENTRY_DSN` env var set\n env = os.environ.copy()\n env[\"SENTRY_DSN\"] = sentry_dsn\n subprocess.run(\n [\"node\", \"--import\", \"./instrument.js\", \"./user-feedback.js\"],\n check=True,\n shell=False,\n env=env,\n cwd=\"_integration-test/nodejs\",\n stdout=sys.stdout,\n stderr=sys.stderr,\n timeout=60,\n )\n\n poll_for_response(\n f\"{SENTRY_TEST_HOST}/api/0/organizations/sentry/issues/?query=issue.category%3Afeedback\",\n client,\n lambda x: len(json.loads(x)) > 0,\n )\n poll_for_response(\n f\"{SENTRY_TEST_HOST}/api/0/organizations/sentry/events/?dataset=issuePlatform&field=message&field=title&field=timestamp&project=1&statsPeriod=1h\",\n client,\n lambda x: len(json.loads(x)[\"data\"]) > 0,\n )\n\n@pytest.mark.skipif(os.environ.get(\"COMPOSE_PROFILES\") != \"feature-complete\", reason=\"Only run if feature-complete\")\ndef test_receive_logs_events(client_login):\n client, _ = client_login\n sentry_sdk.init(\n dsn=get_sentry_dsn(client), profiles_sample_rate=1.0, traces_sample_rate=1.0, enable_logs=True,\n )\n\n sentry_logger.trace('Starting database connection {database}', database=\"users\")\n sentry_logger.debug('Cache miss for user {user_id}', user_id=123)\n sentry_logger.info('Updated global cache')\n sentry_logger.warning('Rate limit reached for endpoint {endpoint}', endpoint='/api/results/')\n sentry_logger.error('Failed to process payment. Order: {order_id}. Amount: {amount}', order_id=\"or_2342\", amount=99.99)\n sentry_logger.fatal('Database {database} connection pool exhausted', database=\"users\")\n sentry_logger.error(\n 'Payment processing failed',\n attributes={\n 'payment.provider': 'stripe',\n 'payment.method': 'credit_card',\n 'payment.currency': 'USD',\n 'user.subscription_tier': 'premium'\n }\n )\n\n poll_for_response(\n f\"{SENTRY_TEST_HOST}/api/0/organizations/sentry/events/?dataset=ourlogs&field=sentry.item_id&field=project.id&field=trace&field=severity_number&field=severity&field=timestamp&field=timestamp_precise&field=observed_timestamp&field=message&project=1&statsPeriod=1h\",\n client,\n lambda x: len(json.loads(x)[\"data\"]) > 0,\n )\n\ndef test_customizations():\n commands = [\n [\n \"docker\",\n \"compose\",\n \"--ansi\",\n \"never\",\n \"run\",\n \"--no-deps\",\n \"web\",\n \"bash\",\n \"-c\",\n \"if [ ! -e /created-by-enhance-image ]; then exit 1; fi\",\n ],\n [\n \"docker\",\n \"compose\",\n \"--ansi\",\n \"never\",\n \"run\",\n \"--no-deps\",\n \"--entrypoint=/etc/sentry/entrypoint.sh\",\n \"sentry-cleanup\",\n \"bash\",\n \"-c\",\n \"if [ ! -e /created-by-enhance-image ]; then exit 1; fi\",\n ],\n [\n \"docker\",\n \"compose\",\n \"--ansi\",\n \"never\",\n \"run\",\n \"--no-deps\",\n \"web\",\n \"python\",\n \"-c\",\n \"import ldap\",\n ],\n [\n \"docker\",\n \"compose\",\n \"--ansi\",\n \"never\",\n \"run\",\n \"--no-deps\",\n \"--entrypoint=/etc/sentry/entrypoint.sh\",\n \"sentry-cleanup\",\n \"python\",\n \"-c\",\n \"import ldap\",\n ],\n ]\n for command in commands:\n result = subprocess.run(command, check=False)\n assert result.returncode == 0\n" }, { "path": "_integration-test/test_02_backup.py", "content": "import os\nfrom os.path import join\nimport subprocess\n\n\ndef test_sentry_admin(setup_backup_restore_env_variables):\n sentry_admin_sh = os.path.join(os.getcwd(), \"sentry-admin.sh\")\n output = subprocess.run(\n [sentry_admin_sh, \"--help\"], check=True, capture_output=True, encoding=\"utf8\"\n ).stdout\n assert \"Usage: ./sentry-admin.sh\" in output\n assert \"SENTRY_DOCKER_IO_DIR\" in output\n\n output = subprocess.run(\n [sentry_admin_sh, \"permissions\", \"--help\"],\n check=True,\n capture_output=True,\n encoding=\"utf8\",\n ).stdout\n assert \"Usage: ./sentry-admin.sh permissions\" in output\n\n\ndef test_01_backup(setup_backup_restore_env_variables):\n # Docker was giving me permission issues when trying to create this file and write to it even after giving read + write access\n # to group and owner. Instead, try creating the empty file and then give everyone write access to the backup file\n file_path = os.path.join(os.getcwd(), \"sentry\", \"backup.json\")\n sentry_admin_sh = os.path.join(os.getcwd(), \"sentry-admin.sh\")\n open(file_path, \"a\", encoding=\"utf8\").close()\n os.chmod(file_path, 0o666)\n assert os.path.getsize(file_path) == 0\n subprocess.run(\n [\n sentry_admin_sh,\n \"export\",\n \"global\",\n \"/sentry-admin/backup.json\",\n \"--no-prompt\",\n ],\n check=True,\n )\n assert os.path.getsize(file_path) > 0\n\n\ndef test_02_import(setup_backup_restore_env_variables):\n # Bring postgres down and recreate the docker volume\n subprocess.run([\"docker\", \"compose\", \"--ansi\", \"never\", \"down\"], check=True)\n # We reset all DB-related volumes here and not just Postgres although the backups\n # are only for Postgres. The reason is to get a \"clean slate\" as we need the Kafka\n # and Clickhouse volumes to be back to their initial state as well (without any events)\n # We cannot just rm and create them as they still need the migrations.\n for name in (\"postgres\", \"clickhouse\", \"kafka\"):\n subprocess.run([\"docker\", \"volume\", \"rm\", f\"sentry-{name}\"], check=True)\n subprocess.run([\"docker\", \"volume\", \"create\", f\"sentry-{name}\"], check=True)\n subprocess.run(\n [\n \"rsync\",\n \"-aW\",\n \"--super\",\n \"--numeric-ids\",\n \"--no-compress\",\n \"--mkpath\",\n join(os.environ[\"RUNNER_TEMP\"], \"volumes\", f\"sentry-{name}\", \"\"),\n f\"/var/lib/docker/volumes/sentry-{name}/\",\n ],\n check=True,\n capture_output=True,\n )\n\n sentry_admin_sh = os.path.join(os.getcwd(), \"sentry-admin.sh\")\n subprocess.run(\n [\n sentry_admin_sh,\n \"import\",\n \"global\",\n \"/sentry-admin/backup.json\",\n \"--no-prompt\",\n ],\n check=True,\n )\n # TODO: Check something actually restored here like the test user we have from earlier\n" }, { "path": "_unit-test/_test_setup.sh", "content": "set -euo pipefail\n\nsource install/_lib.sh\n\n_ORIGIN=$(pwd)\n\nrm -rf /tmp/sentry-self-hosted-test-sandbox.*\n_SANDBOX=\"$(mktemp -d /tmp/sentry-self-hosted-test-sandbox.XXX)\"\n\nsource install/detect-platform.sh\ndocker build -t sentry-self-hosted-jq-local --platform=\"$DOCKER_PLATFORM\" jq\n\nreport_success() {\n echo \"$(basename $0) - Success 👍\"\n}\n\nteardown() {\n test \"${DEBUG:-}\" || rm -rf \"$_SANDBOX\"\n cd \"$_ORIGIN\"\n}\n\nsetup() {\n # Clone the local repo into a temp dir. FWIW `git clone --local` breaks for\n # me because it depends on hard-linking, which doesn't work across devices,\n # and I happen to have my workspace and /tmp on separate devices.\n git -c advice.detachedHead=false clone --depth=1 \"file://$_ORIGIN\" \"$_SANDBOX\"\n\n # Now propagate any local changes from the working copy to the sandbox. This\n # provides a pretty nice dev experience: edit the files in the working copy,\n # then run `DEBUG=1 some-test.sh` to leave the sandbox up for interactive\n # dev/debugging.\n git status --porcelain | while read line; do\n # $line here is something like `M some-script.sh`.\n\n local filepath=\"$(cut -f2 -d' ' <(echo $line))\"\n local filestatus=\"$(cut -f1 -d' ' <(echo $line))\"\n\n case $filestatus in\n D)\n rm \"$_SANDBOX/$filepath\"\n ;;\n A | M | AM | ??)\n ln -sf \"$(realpath $filepath)\" \"$_SANDBOX/$filepath\"\n ;;\n **)\n echo \"Wuh? $line\"\n exit 77\n ;;\n esac\n done\n\n cd \"$_SANDBOX\"\n\n trap teardown EXIT\n}\n\nsetup\n" }, { "path": "_unit-test/bootstrap-s3-nodestore-test.sh", "content": "#!/usr/bin/env bash\n\nsource _unit-test/_test_setup.sh\nsource install/dc-detect-version.sh\nsource install/create-docker-volumes.sh\n\n# Set the flag to apply automatic updates\nexport APPLY_AUTOMATIC_CONFIG_UPDATES=1\n\n# Here we're just gonna test to run it multiple times\n# Only to make sure it doesn't break\nfor i in $(seq 1 5); do\n source install/bootstrap-s3-nodestore.sh\ndone\n\nreport_success\n" }, { "path": "_unit-test/bootstrap-s3-profiles-test.sh", "content": "#!/usr/bin/env bash\n\nsource _unit-test/_test_setup.sh\nsource install/dc-detect-version.sh\nsource install/create-docker-volumes.sh\nsource install/ensure-files-from-examples.sh\nexport COMPOSE_PROFILES=\"feature-complete\"\n$dc pull vroom\nsource install/ensure-correct-permissions-profiles-dir.sh\n\n# Generate some random files on `sentry-vroom` volume for testing\n$dc run --rm --no-deps -v sentry-vroom:/var/vroom/sentry-profiles --entrypoint /bin/bash vroom -c '\n for i in $(seq 1 1000); do\n echo This is test file $i > /var/vroom/sentry-profiles/test_file_$i.txt\n done\n'\n\n# Set the flag to apply automatic updates\nexport APPLY_AUTOMATIC_CONFIG_UPDATES=1\n\n# Here we're just gonna test to run it multiple times\n# Only to make sure it doesn't break\nfor i in $(seq 1 5); do\n source install/bootstrap-s3-profiles.sh\ndone\n\n# Ensure that the files have been migrated to SeaweedFS\nmigrated_files_count=$($dc exec seaweedfs s3cmd --access_key=sentry --secret_key=sentry --no-ssl --region=us-east-1 --host=seaweedfs:8333 --host-bucket=\"seaweedfs:8333/%(bucket)\" ls s3://profiles/ | wc -l)\nif [[ \"$migrated_files_count\" -ne 1000 ]]; then\n echo \"Error: Expected 1000 migrated files, but found $migrated_files_count\"\n exit 1\nfi\n\n# Manual cleanup, otherwise `create-docker-volumes.sh` will fail\n$dc down -v --remove-orphans\n\nreport_success\n" }, { "path": "_unit-test/create-docker-volumes-test.sh", "content": "#!/usr/bin/env bash\n\nsource _unit-test/_test_setup.sh\n\nget_volumes() {\n # If grep returns no strings, we still want to return without error\n docker volume ls --quiet | { grep '^sentry-.*' || true; } | sort\n}\n\n# Maybe they exist prior, maybe they don't. Script is idempotent.\n\nexpected_volumes=\"sentry-clickhouse\nsentry-data\nsentry-kafka\nsentry-postgres\nsentry-redis\nsentry-seaweedfs\"\n\nbefore=$(get_volumes)\n\ntest \"$before\" == \"\" || test \"$before\" == \"$expected_volumes\"\n\nsource install/create-docker-volumes.sh\n\nafter=$(get_volumes)\ntest \"$after\" == \"$expected_volumes\"\n\nreport_success\n" }, { "path": "_unit-test/ensure-relay-credentials-test.sh", "content": "#!/usr/bin/env bash\n\nsource _unit-test/_test_setup.sh\nsource install/dc-detect-version.sh\n\n# using _file format for these variables since there is a creds defined in dc-detect-version.sh\ncfg_file=relay/config.yml\ncreds_file=relay/credentials.json\n\n# Relay files don't exist in a clean clone.\ntest ! -f $cfg_file\ntest ! -f $creds_file\n\n# Running the install script adds them.\nsource install/ensure-relay-credentials.sh\ntest -f $cfg_file\ntest -f $creds_file\ntest \"$(jq -r 'keys[2]' \"$creds_file\")\" = \"secret_key\"\n\n# If the files exist we don't touch it.\necho GARBAGE >$cfg_file\necho MOAR GARBAGE >$creds_file\nsource install/ensure-relay-credentials.sh\ntest \"$(cat $cfg_file)\" = \"GARBAGE\"\ntest \"$(cat $creds_file)\" = \"MOAR GARBAGE\"\n\nreport_success\n" }, { "path": "_unit-test/error-handling-test.sh", "content": "#!/usr/bin/env bash\n\nsource _unit-test/_test_setup.sh\n\nexport REPORT_SELF_HOSTED_ISSUES=1\n\n# This is set up in dc-detect-version.sh, but for\n# our purposes we don't care about proxies.\ndbuild=\"docker build\"\nsource install/error-handling.sh\n\n# mock send_envelope\nsend_envelope() {\n echo \"Test Sending $1\"\n}\n\n##########################\n\nexport -f send_envelope\necho \"Testing initial send_event\"\nexport log_file=test_log.txt\necho \"Test Logs\" >\"$log_file\"\necho \"Error Msg\" >>\"$log_file\"\nbreadcrumbs=$(generate_breadcrumb_json | sed '$d' | $jq -s -c)\nSEND_EVENT_RESPONSE=$(\n send_event \\\n \"'foo' exited with status 1\" \\\n \"Test exited with status 1\" \\\n \"Traceback: ignore me\" \\\n \"{\\\"ignore\\\": \\\"me\\\"}\" \\\n \"$breadcrumbs\"\n)\nrm \"$log_file\"\nexpected_filename='sentry-envelope-f73e4da437c42a1d28b86a81ebcff35d'\ntest \"$SEND_EVENT_RESPONSE\" == \"Test Sending $expected_filename\"\nENVELOPE_CONTENTS=$(cat \"/tmp/$expected_filename\")\ntest \"$ENVELOPE_CONTENTS\" == \"$(cat _unit-test/snapshots/$expected_filename)\"\necho \"Pass.\"\n\n##########################\n\necho \"Testing send_event duplicate\"\nSEND_EVENT_RESPONSE=$(\n send_event \\\n \"'foo' exited with status 1\" \\\n \"Test exited with status 1\" \\\n \"Traceback: ignore me\" \\\n \"{\\\"ignore\\\": \\\"me\\\"}\" \\\n \"$breadcrumbs\"\n)\ntest \"$SEND_EVENT_RESPONSE\" == \"Looks like you've already sent this error to us, we're on it :)\"\necho \"Pass.\"\nrm \"/tmp/$expected_filename\"\n\n##########################\n\necho \"Testing cleanup without minimizing downtime\"\nexport REPORT_SELF_HOSTED_ISSUES=0\nexport MINIMIZE_DOWNTIME=''\nexport dc=':'\necho \"Test Logs\" >\"$log_file\"\nCLEANUP_RESPONSE=$(cleanup ERROR) # the linenumber of this line must match just below\nrm \"$log_file\"\ntest \"$CLEANUP_RESPONSE\" == 'Error in _unit-test/error-handling-test.sh:62.\n'\\''local cmd=\"${BASH_COMMAND}\"'\\'' exited with status 0\n\nCleaning up...'\necho \"Pass.\"\n\n##########################\n\necho \"Testing cleanup while minimizing downtime\"\nexport REPORT_SELF_HOSTED_ISSUES=0\nexport MINIMIZE_DOWNTIME=1\necho \"Test Logs\" >\"$log_file\"\nCLEANUP_RESPONSE=$(cleanup ERROR) # the linenumber of this line must match just below\nrm \"$log_file\"\ntest \"$CLEANUP_RESPONSE\" == 'Error in _unit-test/error-handling-test.sh:76.\n'\\''local cmd=\"${BASH_COMMAND}\"'\\'' exited with status 0\n\n*NOT* cleaning up, to clean your environment run \"docker compose stop\".'\necho \"Pass.\"\n\n##########################\n\nreport_success\n" }, { "path": "_unit-test/geoip-test.sh", "content": "#!/usr/bin/env bash\n\nsource _unit-test/_test_setup.sh\n\nmmdb=geoip/GeoLite2-City.mmdb\n\n# Starts with no mmdb, ends up with empty.\ntest ! -f $mmdb\nsource install/geoip.sh\ndiff -rub $mmdb $mmdb.empty\n\n# Doesn't clobber existing, though.\necho GARBAGE >$mmdb\nsource install/geoip.sh\ntest \"$(cat $mmdb)\" = \"GARBAGE\"\n\nreport_success\n" }, { "path": "_unit-test/js-sdk-assets-test.sh", "content": "#!/usr/bin/env bash\n\nsource _unit-test/_test_setup.sh\nsource install/dc-detect-version.sh\n$dcb --force-rm web\n$dc pull nginx\n\nexport SETUP_JS_SDK_ASSETS=1\n\nsource install/setup-js-sdk-assets.sh\n\nsdk_files=$($dcr --no-deps nginx ls -lah /var/www/js-sdk/)\nsdk_tree=$($dcr --no-deps nginx tree /var/www/js-sdk/ | tail -n 1)\nnon_empty_file_count=$($dcr --no-deps nginx find /var/www/js-sdk/ -type f -size +1k | wc -l)\n\n# `sdk_files` should contains 7 lines, '4.*', '5.*', '6.*', `7.*`, `8.*`, `9.*`, and `10.*`\necho $sdk_files\ntotal_directories=$(echo \"$sdk_files\" | grep -c '[4-9|10]\\.[0-9]*\\.[0-9]*$')\necho $total_directories\ntest \"7\" == \"$total_directories\"\necho \"Pass\"\n\n# `sdk_tree` should output \"7 directories, 29 files\"\necho \"$sdk_tree\"\ntest \"7 directories, 29 files\" == \"$(echo \"$sdk_tree\")\"\necho \"Pass\"\n\n# Files should all be >1k (ensure they are not empty)\necho \"Testing file sizes\"\ntest \"29\" == \"$non_empty_file_count\"\necho \"Pass\"\n\n# Files should be owned by the root user\necho \"Testing file ownership\"\ndirectory_owners=$(echo \"$sdk_files\" | awk '$3==\"root\" { print $0 }' | wc -l)\necho \"$directory_owners\"\ntest \"$directory_owners\" == \"9\"\necho \"Pass\"\n\nreport_success\n" }, { "path": "_unit-test/merge-env-file-test.sh", "content": "#!/usr/bin/env bash\n\n# This is a test file for a part of `_lib.sh`, where we read `.env.custom` file if there is one.\n# We only want to give very minimal value to the `.env.custom` file, and expect that it would\n# be merged with the original `.env` file, with the `.env.custom` file taking precedence.\ncat <\".env.custom\"\nSENTRY_EVENT_RETENTION_DAYS=10\nEOF\n\n# The `_test_setup.sh` script sources `install/_lib.sh`, so.. finger crossed this should works.\nsource _unit-test/_test_setup.sh\n\nrm -f .env.custom\n\necho \"Expecting SENTRY_EVENT_RETENTION_DAYS to be 10, got ${SENTRY_EVENT_RETENTION_DAYS}\"\ntest \"$SENTRY_EVENT_RETENTION_DAYS\" == \"10\"\necho \"Pass\"\necho \"Expecting SENTRY_BIND to be 9000, got ${SENTRY_BIND}\"\ntest \"$SENTRY_BIND\" == \"9000\"\necho \"Pass\"\necho \"Expecting COMPOSE_PROJECT_NAME to be sentry-self-hosted, got ${COMPOSE_PROJECT_NAME}\"\ntest \"$COMPOSE_PROJECT_NAME\" == \"sentry-self-hosted\"\necho \"Pass\"\n\nreport_success\n" }, { "path": "_unit-test/migrate-pgbouncer-test.sh", "content": "#!/usr/bin/env bash\n\nsource _unit-test/_test_setup.sh\nsource install/dc-detect-version.sh\n\nsource install/ensure-files-from-examples.sh\ncp $SENTRY_CONFIG_PY /tmp/sentry_conf_py\n# Set the flag to apply automatic updates\nexport APPLY_AUTOMATIC_CONFIG_UPDATES=1\n\n# Declare expected content\nexpected_db_config=$(\n cat <<'EOF'\nDATABASES = {\n \"default\": {\n \"ENGINE\": \"sentry.db.postgres\",\n \"NAME\": \"postgres\",\n \"USER\": \"postgres\",\n \"PASSWORD\": \"\",\n \"HOST\": \"pgbouncer\",\n \"PORT\": \"\",\n }\n}\nEOF\n)\n\necho \"Test 1 (pre 25.9.0 release)\"\n# Modify the `DATABASES = {` to the next `}` line, with:\n# DATABASES = {\n# \"default\": {\n# \"ENGINE\": \"sentry.db.postgres\",\n# \"NAME\": \"postgres\",\n# \"USER\": \"postgres\",\n# \"PASSWORD\": \"\",\n# \"HOST\": \"postgres\",\n# \"PORT\": \"\",\n# }\n# }\n\n# Create the replacement text in a temp file\ncat >/tmp/sentry_conf_py_db_config <<'EOF'\nDATABASES = {\n \"default\": {\n \"ENGINE\": \"sentry.db.postgres\",\n \"NAME\": \"postgres\",\n \"USER\": \"postgres\",\n \"PASSWORD\": \"\",\n \"HOST\": \"postgres\",\n \"PORT\": \"\",\n }\n}\nEOF\n\n# Replace the block\nsed -i '/^DATABASES = {$/,/^}$/{\n /^DATABASES = {$/r /tmp/sentry_conf_py_db_config\n d\n}' $SENTRY_CONFIG_PY\n\n# Clean up\nrm /tmp/sentry_conf_py_db_config\n\nsource install/migrate-pgbouncer.sh\n\n# Extract actual content\nactual_db_config=$(sed -n '/^DATABASES = {$/,/^}$/p' $SENTRY_CONFIG_PY)\n\n# Compare\nif [ \"$actual_db_config\" = \"$expected_db_config\" ]; then\n echo \"DATABASES section is correct\"\nelse\n echo \"DATABASES section does not match\"\n echo \"Expected:\"\n echo \"$expected_db_config\"\n echo \"Actual:\"\n echo \"$actual_db_config\"\n exit 1\nfi\n\n# Reset the file\nrm $SENTRY_CONFIG_PY\ncp /tmp/sentry_conf_py $SENTRY_CONFIG_PY\n\necho \"Test 2 (post 25.9.0 release)\"\n# Modify the `DATABASES = {` to the next `}` line, with:\n# DATABASES = {\n# \"default\": {\n# \"ENGINE\": \"sentry.db.postgres\",\n# \"NAME\": \"postgres\",\n# \"USER\": \"postgres\",\n# \"PASSWORD\": \"\",\n# \"HOST\": \"pgbouncer\",\n# \"PORT\": \"\",\n# }\n# }\n\n# Create the replacement text in a temp file\ncat >/tmp/sentry_conf_py_db_config <<'EOF'\nDATABASES = {\n \"default\": {\n \"ENGINE\": \"sentry.db.postgres\",\n \"NAME\": \"postgres\",\n \"USER\": \"postgres\",\n \"PASSWORD\": \"\",\n \"HOST\": \"pgbouncer\",\n \"PORT\": \"\",\n }\n}\nEOF\n\n# Replace the block\nsed -i '/^DATABASES = {$/,/^}$/{\n /^DATABASES = {$/r /tmp/sentry_conf_py_db_config\n d\n}' $SENTRY_CONFIG_PY\n\n# Clean up\nrm /tmp/sentry_conf_py_db_config\n\nsource install/migrate-pgbouncer.sh\n\n# Extract actual content\nactual_db_config=$(sed -n '/^DATABASES = {$/,/^}$/p' $SENTRY_CONFIG_PY)\n\n# Compare\nif [ \"$actual_db_config\" = \"$expected_db_config\" ]; then\n echo \"DATABASES section is correct\"\nelse\n echo \"DATABASES section does not match\"\n echo \"Expected:\"\n echo \"$expected_db_config\"\n echo \"Actual:\"\n echo \"$actual_db_config\"\n exit 1\nfi\n\n# Reset the file\nrm $SENTRY_CONFIG_PY\ncp /tmp/sentry_conf_py $SENTRY_CONFIG_PY\n\necho \"Test 3 (custom postgres config)\"\n# Modify the `DATABASES = {` to the next `}` line, with:\n# DATABASES = {\n# \"default\": {\n# \"ENGINE\": \"sentry.db.postgres\",\n# \"NAME\": \"postgres\",\n# \"USER\": \"sentry\",\n# \"PASSWORD\": \"sentry\",\n# \"HOST\": \"postgres.internal\",\n# \"PORT\": \"5432\",\n# }\n# }\n\n# Create the replacement text in a temp file\ncat >/tmp/sentry_conf_py_db_config <<'EOF'\nDATABASES = {\n \"default\": {\n \"ENGINE\": \"sentry.db.postgres\",\n \"NAME\": \"postgres\",\n \"USER\": \"sentry\",\n \"PASSWORD\": \"sentry\",\n \"HOST\": \"postgres.internal\",\n \"PORT\": \"5432\",\n }\n}\nEOF\n\n# Replace the block\nsed -i '/^DATABASES = {$/,/^}$/{\n /^DATABASES = {$/r /tmp/sentry_conf_py_db_config\n d\n}' $SENTRY_CONFIG_PY\n\n# Clean up\nrm /tmp/sentry_conf_py_db_config\n\nsource install/migrate-pgbouncer.sh\n\n# Extract actual content\nactual_db_config=$(sed -n '/^DATABASES = {$/,/^}$/p' $SENTRY_CONFIG_PY)\n\n# THe file should NOT be modified\nif [ \"$actual_db_config\" = \"$expected_db_config\" ]; then\n echo \"DATABASES section SHOULD NOT be modified\"\n echo \"Expected:\"\n echo \"$expected_db_config\"\n echo \"Actual:\"\n echo \"$actual_db_config\"\n exit 1\nelse\n echo \"DATABASES section is correct\"\nfi\n\n# Remove the file\nrm $SENTRY_CONFIG_PY /tmp/sentry_conf_py\n\nreport_success\n" }, { "path": "_unit-test/multiple-seaweedfs-bucket-test.sh", "content": "#!/usr/bin/env bash\n\nsource _unit-test/_test_setup.sh\nsource install/dc-detect-version.sh\nsource install/create-docker-volumes.sh\n\nstart_service_and_wait_ready seaweedfs\n\n$dcx seaweedfs apk add --no-cache s3cmd\ns3cmd=\"$dc exec seaweedfs s3cmd\"\n\n# Create multiple buckets for testing\nbuckets=(bucket1 bucket2 bucket3)\nfor bucket in \"${buckets[@]}\"; do\n $s3cmd --access_key=sentry --secret_key=sentry --no-ssl --region=us-east-1 --host=localhost:8333 --host-bucket='localhost:8333/%(bucket)' mb s3://$bucket\ndone\n\n# Verify that all buckets were created successfully\nbucket_list=$($s3cmd --access_key=sentry --secret_key=sentry --no-ssl --region=us-east-1 --host=localhost:8333 --host-bucket='localhost:8333/%(bucket)' ls)\nfor bucket in \"${buckets[@]}\"; do\n if ! echo \"$bucket_list\" | grep -q \"s3://$bucket\"; then\n echo \"Error: Bucket s3://$bucket was not created successfully.\"\n exit 1\n fi\ndone\n\n# Can find \"bucket2\"\nif ! echo \"$bucket_list\" | grep -q \"s3://bucket2\"; then\n echo \"Error: Bucket s3://bucket2 was not found.\"\n exit 1\nfi\n\n# Can't find \"bucket5\", should not exist\nif echo \"$bucket_list\" | grep -q \"s3://bucket5\"; then\n echo \"Error: Bucket s3://bucket5 should not exist.\"\n exit 1\nfi\n\nreport_success\n" }, { "path": "_unit-test/snapshots/sentry-envelope-f73e4da437c42a1d28b86a81ebcff35d", "content": "{\"event_id\":\"f73e4da437c42a1d28b86a81ebcff35d\",\"dsn\":\"https://19555c489ded4769978daae92f2346ca@self-hosted.getsentry.net/3\"}\n{\"type\":\"event\"}\n{\"level\":\"error\",\"exception\":{\"values\":[{\"type\":\"Error\",\"value\":\"Test exited with status 1\",\"stacktrace\":{\"frames\":[{\"ignore\":\"me\"}]}}]},\"breadcrumbs\":{\"values\":[{\"message\":\"Test Logs\",\"category\":\"log\",\"level\":\"info\"}]},\"fingerprint\":[\"f73e4da437c42a1d28b86a81ebcff35d\"]}\n{\"type\":\"attachment\",\"length\":20,\"content_type\":\"text/plain\",\"filename\":\"install_log.txt\"}\nTest Logs\nError Msg\n" }, { "path": "action.yaml", "content": "name: \"Sentry self-hosted end-to-end tests\"\ninputs:\n project_name:\n required: false\n description: \"e.g. snuba, sentry, relay, self-hosted\"\n image_url:\n required: false\n description: \"The URL to the built relay, snuba, sentry image to test against.\"\n compose_profiles:\n required: false\n description: \"Docker Compose profile to use. Defaults to feature-complete.\"\n CODECOV_TOKEN:\n required: false\n description: \"The Codecov token to upload coverage.\"\n\nruns:\n using: \"composite\"\n steps:\n - name: Validate inputs and configure test image\n shell: bash\n env:\n PROJECT_NAME: ${{ inputs.project_name }}\n IMAGE_URL: ${{ inputs.image_url }}\n COMPOSE_PROFILES: ${{ inputs.compose_profiles }}\n run: |\n if [[ -n \"$PROJECT_NAME\" && -n \"$IMAGE_URL\" ]]; then\n image_var=$(echo \"${PROJECT_NAME}_IMAGE\" | tr '[:lower:]' '[:upper:]')\n echo \"${image_var}=$IMAGE_URL\" >> ${{ github.action_path }}/.env\n elif [[ -z \"$PROJECT_NAME\" && -z \"$IMAGE_URL\" ]]; then\n echo \"No project name and image URL set. Skipping image configuration.\"\n else\n echo \"You must set both project_name and image_url or unset both.\"\n echo \"project_name: $PROJECT_NAME, image_url: $IMAGE_URL\"\n exit 1\n fi\n\n # `COMPOSE_PROFILES` may only be `feature-complete` or `errors-only`\n if [[ \"$COMPOSE_PROFILES\" != \"\" && \"$COMPOSE_PROFILES\" != \"feature-complete\" && \"$COMPOSE_PROFILES\" != \"errors-only\" ]]; then\n echo \"COMPOSE_PROFILES must be either unset, or set to either 'feature-complete' or 'errors-only'.\"\n exit 1\n else\n echo \"COMPOSE_PROFILES=$COMPOSE_PROFILES\" >> ${{ github.action_path }}/.env\n fi\n\n - name: Cleanup runner image\n shell: bash\n run: |\n ### Inspired by https://github.com/endersonmenezes/free-disk-space ###\n sudo rm -rf /usr/local/.ghcup\n sudo rm -rf /home/runner/Android /usr/local/lib/android /opt/android /usr/local/android-sdk\n sudo rm -rf /usr/share/dotnet /usr/share/doc/dotnet-*\n df -h\n\n - name: Setup uv\n uses: astral-sh/setup-uv@e06108dd0aef18192324c70427afc47652e63a82 # v7.5.0\n with:\n working-directory: ${{ github.action_path }}\n version: \"0.9.15\"\n # we just cache the venv-dir directly in action-setup-venv\n enable-cache: false\n\n - uses: getsentry/action-setup-venv@6e8aebf461914919d9de6e3082669d6bfecc400c # v3.1.0\n with:\n python-version: \"3.12\"\n cache-dependency-path: uv.lock\n install-cmd: uv sync --frozen --active\n working-directory: ${{ github.action_path }}\n\n - name: Setup dev environment\n shell: bash\n run: |\n cd ${{ github.action_path }}\n\n echo \"PY_COLORS=1\" >> \"$GITHUB_ENV\"\n ### pytest-sentry configuration ###\n if [ \"$GITHUB_REPOSITORY\" = \"getsentry/self-hosted\" ]; then\n echo \"PYTEST_SENTRY_DSN=$SELF_HOSTED_TESTING_DSN\" >> $GITHUB_ENV\n echo \"PYTEST_SENTRY_TRACES_SAMPLE_RATE=0\" >> $GITHUB_ENV\n\n # This records failures on master to sentry in order to detect flakey tests, as it's\n # expected that people have failing tests on their PRs\n if [ \"$GITHUB_REF\" = \"refs/heads/master\" ]; then\n echo \"PYTEST_SENTRY_ALWAYS_REPORT=1\" >> $GITHUB_ENV\n fi\n fi\n\n - name: Compute Docker Volume Cache Keys\n id: cache_key\n shell: bash\n run: |\n source ${{ github.action_path }}/.env\n # See https://explainshell.com/explain?cmd=ls%20-Rv1rpq\n # for that long `ls` command\n SENTRY_MIGRATIONS_MD5=$(docker run --rm --entrypoint bash $SENTRY_IMAGE -c '{ cat migrations_lockfile.txt; grep -Poz \"(?s)(?<=class Topic\\\\(Enum\\\\):\\\\n).+?(?=\\\\n\\\\n\\\\n)\" src/sentry/conf/types/kafka_definition.py; }' | md5sum | cut -d ' ' -f 1)\n echo \"SENTRY_MIGRATIONS_MD5=$SENTRY_MIGRATIONS_MD5\" >> $GITHUB_OUTPUT\n SNUBA_MIGRATIONS_MD5=$(docker run --rm --entrypoint bash $SNUBA_IMAGE -c '{ ls -Rv1rpq snuba/snuba_migrations/**/*.py; grep -Poz \"(?s)(?<=class Topic\\\\(Enum\\\\):\\\\n).+?(?=\\\\n\\\\n\\\\n)\" snuba/utils/streams/topics.py; }' | md5sum | cut -d ' ' -f 1)\n echo \"SNUBA_MIGRATIONS_MD5=$SNUBA_MIGRATIONS_MD5\" >> $GITHUB_OUTPUT\n echo \"ARCH=$(uname -m)\" >> $GITHUB_OUTPUT\n\n - name: Restore Sentry Volume Cache\n id: restore_cache_sentry\n uses: BYK/docker-volume-cache-action/restore@be89365902126f508dcae387a32ec3712df6b1cd\n with:\n key: db-volumes-sentry-v3-${{ steps.cache_key.outputs.ARCH }}-${{ inputs.compose_profiles }}-${{ steps.cache_key.outputs.SENTRY_MIGRATIONS_MD5 }}\n restore-keys: |\n key: db-volumes-sentry-v3-${{ steps.cache_key.outputs.ARCH }}-${{ inputs.compose_profiles }}\n volumes: |\n sentry-postgres\n\n - name: Restore Snuba Volume Cache\n id: restore_cache_snuba\n uses: BYK/docker-volume-cache-action/restore@be89365902126f508dcae387a32ec3712df6b1cd\n with:\n key: db-volumes-snuba-v3-${{ steps.cache_key.outputs.ARCH }}-${{ inputs.compose_profiles }}-${{ steps.cache_key.outputs.SNUBA_MIGRATIONS_MD5 }}\n restore-keys: |\n key: db-volumes-snuba-v3-${{ steps.cache_key.outputs.ARCH }}-${{ inputs.compose_profiles }}\n volumes: |\n sentry-clickhouse\n\n - name: Restore Kafka Volume Cache\n id: restore_cache_kafka\n uses: BYK/docker-volume-cache-action/restore@be89365902126f508dcae387a32ec3712df6b1cd\n with:\n key: db-volumes-kafka-v2-${{ steps.cache_key.outputs.ARCH }}-${{ inputs.compose_profiles }}-${{ steps.cache_key.outputs.SENTRY_MIGRATIONS_MD5 }}-${{ steps.cache_key.outputs.SNUBA_MIGRATIONS_MD5 }}\n restore-keys: |\n db-volumes-kafka-v2-${{ steps.cache_key.outputs.ARCH }}-${{ inputs.compose_profiles }}-${{ steps.cache_key.outputs.SENTRY_MIGRATIONS_MD5 }}\n db-volumes-kafka-v2-${{ steps.cache_key.outputs.ARCH }}-${{ inputs.compose_profiles }}\n volumes: |\n sentry-kafka\n\n - name: Install self-hosted\n env:\n # Note that cache keys for Sentry and Snuba have their respective Kafka configs built into them\n # and the Kafka volume cache is comprises both keys. This way we can omit the Kafka cache hit\n # in here to still avoid running Sentry or Snuba migrations if only one of their Kafka config has\n # changed. Heats up your head a bit but if you think about it, it makes sense.\n SKIP_SENTRY_MIGRATIONS: ${{ steps.restore_cache_sentry.outputs.cache-hit == 'true' && '1' || '' }}\n SKIP_SNUBA_MIGRATIONS: ${{ steps.restore_cache_snuba.outputs.cache-hit == 'true' && '1' || '' }}\n shell: bash\n run: |\n cd ${{ github.action_path }}\n # Add some customizations to test that path\n cat <> sentry/enhance-image.sh\n #!/bin/bash\n touch /created-by-enhance-image\n apt-get update\n apt-get install -y gcc libsasl2-dev python-dev-is-python3 libldap2-dev libssl-dev\n EOT\n chmod 755 sentry/enhance-image.sh\n echo \"python-ldap\" > sentry/requirements.txt\n\n ./install.sh --no-report-self-hosted-issues --skip-commit-check\n\n - name: Save Sentry Volume Cache\n if: steps.restore_cache_sentry.outputs.cache-hit != 'true'\n uses: BYK/docker-volume-cache-action/save@be89365902126f508dcae387a32ec3712df6b1cd\n with:\n key: ${{ steps.restore_cache_sentry.outputs.cache-primary-key }}\n volumes: |\n sentry-postgres\n\n - name: Save Snuba Volume Cache\n if: steps.restore_cache_snuba.outputs.cache-hit != 'true'\n uses: BYK/docker-volume-cache-action/save@be89365902126f508dcae387a32ec3712df6b1cd\n with:\n key: ${{ steps.restore_cache_snuba.outputs.cache-primary-key }}\n volumes: |\n sentry-clickhouse\n\n - name: Save Kafka Volume Cache\n if: steps.restore_cache_kafka.outputs.cache-hit != 'true'\n uses: BYK/docker-volume-cache-action/save@be89365902126f508dcae387a32ec3712df6b1cd\n with:\n key: ${{ steps.restore_cache_kafka.outputs.cache-primary-key }}\n volumes: |\n sentry-kafka\n\n - name: Setup swapfile\n shell: bash\n run: |\n sudo swapoff -a\n sudo fallocate -l 16G /swapfile\n sudo chmod 600 /swapfile\n sudo mkswap /swapfile\n sudo swapon /swapfile\n sudo swapon --show\n free -h\n\n - name: Setup Nodejs\n uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0\n with:\n node-version: \"22.x\"\n\n - name: Install Nodejs dependencies\n shell: bash\n run: |\n cd ${{ github.action_path }}/_integration-test/nodejs\n npm ci\n\n - name: Integration Test\n shell: bash\n env:\n COMPOSE_PROFILES: ${{ inputs.compose_profiles }}\n run: |\n sudo chown root /usr/bin/rsync && sudo chmod u+s /usr/bin/rsync\n rsync -aW --super --numeric-ids --no-compress --mkpath \\\n /var/lib/docker/volumes/sentry-postgres \\\n /var/lib/docker/volumes/sentry-clickhouse \\\n /var/lib/docker/volumes/sentry-kafka \\\n \"$RUNNER_TEMP/volumes/\"\n cd ${{ github.action_path }}\n pytest -x --cov --junitxml=junit.xml _integration-test/\n\n - name: Upload coverage to Codecov\n if: inputs.CODECOV_TOKEN\n continue-on-error: true\n uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2\n with:\n directory: ${{ github.action_path }}\n token: ${{ inputs.CODECOV_TOKEN }}\n slug: getsentry/self-hosted\n\n - name: Upload test results to Codecov\n if: inputs.CODECOV_TOKEN && !cancelled()\n continue-on-error: true\n uses: codecov/test-results-action@0fa95f0e1eeaafde2c782583b36b28ad0d8c77d3 # v1.2.1\n with:\n directory: ${{ github.action_path }}\n token: ${{ inputs.CODECOV_TOKEN }}\n\n - name: Inspect failure\n if: failure()\n shell: bash\n run: |\n echo \"::group::Inspect failure - docker compose ps\"\n cd ${{ github.action_path }}\n docker compose ps\n echo \"::endgroup::\"\n echo \"::group::Inspect failure - docker compose logs\"\n docker compose logs\n echo \"::endgroup::\"\n" }, { "path": "certificates/.gitignore", "content": "# Add all custom CAs in this folder\n*\n!.gitignore\n" }, { "path": "clickhouse/Dockerfile", "content": "ARG BASE_IMAGE\nFROM ${BASE_IMAGE}\n" }, { "path": "clickhouse/config.xml", "content": "\n \n \n \n warning\n true\n \n \n \n \n \n \n \n\n \n \n \n\n 1\n\n \n \n 0\n 0\n \n \n \n 1\n \n 100\n \n\n" }, { "path": "clickhouse/default-password.xml", "content": "\n \n \n \n \n ::/0\n \n \n \n\n" }, { "path": "codecov.yml", "content": "coverage:\n status:\n project:\n default:\n only_pulls: true\n patch:\n default:\n only_pulls: true\n" }, { "path": "cron/Dockerfile", "content": "ARG BASE_IMAGE\nFROM ${BASE_IMAGE}\nUSER 0\nRUN if [ -n \"${HTTP_PROXY}\" ]; then echo \"Acquire::http::proxy \\\"${HTTP_PROXY}\\\";\" >> /etc/apt/apt.conf; fi\nRUN if [ -n \"${HTTPS_PROXY}\" ]; then echo \"Acquire::https::proxy \\\"${HTTPS_PROXY}\\\";\" >> /etc/apt/apt.conf; fi\nRUN if [ -n \"${http_proxy}\" ]; then echo \"Acquire::http::proxy \\\"${http_proxy}\\\";\" >> /etc/apt/apt.conf; fi\nRUN if [ -n \"${https_proxy}\" ]; then echo \"Acquire::https::proxy \\\"${https_proxy}\\\";\" >> /etc/apt/apt.conf; fi\nRUN apt-get update && apt-get install -y --no-install-recommends cron && \\\n rm -r /var/lib/apt/lists/*\nCOPY entrypoint.sh /entrypoint.sh\nENTRYPOINT [\"/entrypoint.sh\"]\n" }, { "path": "cron/entrypoint.sh", "content": "#!/usr/bin/env bash\n\nif [ \"$(ls -A /usr/local/share/ca-certificates/)\" ]; then\n update-ca-certificates\nfi\n\n# Prior art:\n# - https://github.com/renskiy/cron-docker-image/blob/5600db37acf841c6d7a8b4f3866741bada5b4622/debian/start-cron#L34-L36\n# - https://blog.knoldus.com/running-a-cron-job-in-docker-container/\n\ndeclare -p | grep -Ev 'BASHOPTS|BASH_VERSINFO|EUID|PPID|SHELLOPTS|UID' >/container.env\n\n{ for cron_job in \"$@\"; do echo -e \"SHELL=/bin/bash\nBASH_ENV=/container.env\n${cron_job} > /proc/1/fd/1 2>/proc/1/fd/2\"; done; } |\n sed --regexp-extended 's/\\\\(.)/\\1/g' |\n crontab -\ncrontab -l\nexec cron -f -l -L 15\n" }, { "path": "docker-compose.yml", "content": "x-restart-policy: &restart_policy\n restart: unless-stopped\nx-pull-policy: &pull_policy\n pull_policy: never\nx-depends_on-healthy: &depends_on-healthy\n condition: service_healthy\nx-depends_on-default: &depends_on-default\n condition: service_started\nx-healthcheck-defaults: &healthcheck_defaults\n # Avoid setting the interval too small, as docker uses much more CPU than one would expect.\n # Related issues:\n # https://github.com/moby/moby/issues/39102\n # https://github.com/moby/moby/issues/39388\n # https://github.com/getsentry/self-hosted/issues/1000\n interval: \"$HEALTHCHECK_INTERVAL\"\n timeout: \"$HEALTHCHECK_TIMEOUT\"\n retries: $HEALTHCHECK_RETRIES\n start_period: \"$HEALTHCHECK_START_PERIOD\"\nx-file-healthcheck: &file_healthcheck_defaults\n test: [\"CMD-SHELL\", \"rm /tmp/health.txt\"]\n interval: \"$HEALTHCHECK_FILE_INTERVAL\"\n timeout: \"$HEALTHCHECK_FILE_TIMEOUT\"\n retries: $HEALTHCHECK_FILE_RETRIES\n start_period: \"$HEALTHCHECK_FILE_START_PERIOD\"\nx-sentry-defaults: &sentry_defaults\n <<: [*restart_policy, *pull_policy]\n image: sentry-self-hosted-local\n # Set the platform to build for linux/arm64 when needed on Apple silicon Macs.\n platform: ${DOCKER_PLATFORM:-}\n build:\n context: ./sentry\n args:\n - SENTRY_IMAGE\n depends_on:\n redis:\n <<: *depends_on-healthy\n kafka:\n <<: *depends_on-healthy\n pgbouncer:\n <<: *depends_on-healthy\n memcached:\n <<: *depends_on-default\n smtp:\n <<: *depends_on-default\n seaweedfs:\n <<: *depends_on-default\n snuba-api:\n <<: *depends_on-default\n symbolicator:\n <<: *depends_on-default\n entrypoint: \"/etc/sentry/entrypoint.sh\"\n command: [\"run\", \"web\"]\n environment:\n PYTHONUSERBASE: \"/data/custom-packages\"\n SENTRY_CONF: \"/etc/sentry\"\n SNUBA: \"http://snuba-api:1218\"\n VROOM: \"http://vroom:8085\"\n # Force everything to use the system CA bundle\n # This is mostly needed to support installing custom CA certs\n # This one is used by botocore\n DEFAULT_CA_BUNDLE: &ca_bundle \"/etc/ssl/certs/ca-certificates.crt\"\n # This one is used by requests\n REQUESTS_CA_BUNDLE: *ca_bundle\n # This one is used by grpc/google modules\n GRPC_DEFAULT_SSL_ROOTS_FILE_PATH_ENV_VAR: *ca_bundle\n # Leaving the value empty to just pass whatever is set\n # on the host system (or in the .env file)\n COMPOSE_PROFILES:\n SENTRY_EVENT_RETENTION_DAYS:\n SENTRY_MAIL_HOST:\n SENTRY_MAX_EXTERNAL_SOURCEMAP_SIZE:\n SENTRY_SYSTEM_SECRET_KEY:\n SENTRY_STATSD_ADDR: \"${STATSD_ADDR:-}\"\n volumes:\n - \"sentry-data:/data\"\n - \"./sentry:/etc/sentry\"\n - \"./geoip:/geoip:ro\"\n - \"./certificates:/usr/local/share/ca-certificates:ro\"\nx-snuba-defaults: &snuba_defaults\n <<: *restart_policy\n depends_on:\n clickhouse:\n <<: *depends_on-healthy\n kafka:\n <<: *depends_on-healthy\n redis:\n <<: *depends_on-healthy\n image: \"$SNUBA_IMAGE\"\n environment:\n SNUBA_SETTINGS: self_hosted\n CLICKHOUSE_HOST: clickhouse\n DEFAULT_BROKERS: \"kafka:9092\"\n REDIS_HOST: redis\n UWSGI_MAX_REQUESTS: \"10000\"\n UWSGI_DISABLE_LOGGING: \"true\"\n # Leaving the value empty to just pass whatever is set\n # on the host system (or in the .env file)\n SENTRY_EVENT_RETENTION_DAYS:\n # If you have statsd server, you can utilize that to monitor self-hosted Snuba containers.\n # To start, state these environment variables below on your `.env.` file and adjust the options as needed.\n SNUBA_STATSD_ADDR: \"${STATSD_ADDR:-}\"\nservices:\n smtp:\n <<: *restart_policy\n image: registry.gitlab.com/egos-tech/smtp\n volumes:\n - \"sentry-smtp:/var/spool/exim4\"\n - \"sentry-smtp-log:/var/log/exim4\"\n environment:\n MAILNAME: ${SENTRY_MAIL_HOST:-}\n # Refer to https://develop.sentry.dev/self-hosted/configuration/email/#as-aws-ses-relay\n SES_USER:\n SES_PASSWORD:\n SES_REGION:\n memcached:\n <<: *restart_policy\n image: \"memcached:1.6.26-alpine\"\n command: [\"-I\", \"${SENTRY_MAX_EXTERNAL_SOURCEMAP_SIZE:-1M}\"]\n healthcheck:\n <<: *healthcheck_defaults\n # From: https://stackoverflow.com/a/31877626/5155484\n test: echo stats | nc 127.0.0.1 11211\n redis:\n <<: *restart_policy\n image: \"redis:6.2.20-alpine\"\n healthcheck:\n <<: *healthcheck_defaults\n test: redis-cli ping | grep PONG\n volumes:\n - \"sentry-redis:/data\"\n - type: bind\n read_only: true\n source: ./redis.conf\n target: /usr/local/etc/redis/redis.conf\n ulimits:\n nofile:\n soft: 10032\n hard: 10032\n command: [\"redis-server\", \"/usr/local/etc/redis/redis.conf\"]\n postgres:\n <<: *restart_policy\n # Using the same postgres version as Sentry dev for consistency purposes\n image: \"postgres:14.19-bookworm\"\n healthcheck:\n <<: *healthcheck_defaults\n # Using default user \"postgres\" from sentry/sentry.conf.example.py or value of POSTGRES_USER if provided\n test: [\"CMD-SHELL\", \"pg_isready -U ${POSTGRES_USER:-postgres}\"]\n command:\n [\"postgres\"]\n environment:\n POSTGRES_HOST_AUTH_METHOD: \"trust\"\n volumes:\n - \"sentry-postgres:/var/lib/postgresql/data\"\n shm_size: 256m\n pgbouncer:\n <<: *restart_policy\n image: \"edoburu/pgbouncer:v1.24.1-p1\"\n healthcheck:\n <<: *healthcheck_defaults\n # Using default user \"postgres\" from sentry/sentry.conf.example.py or value of POSTGRES_USER if provided\n test: [\"CMD-SHELL\", \"psql -U postgres -p 5432 -h 127.0.0.1 -tA -c \\\"select 1;\\\" -d postgres >/dev/null\"]\n depends_on:\n postgres:\n <<: *depends_on-healthy\n environment:\n DB_USER: ${POSTGRES_USER:-postgres}\n DB_HOST: postgres\n DB_NAME: postgres\n AUTH_TYPE: trust\n POOL_MODE: transaction\n ADMIN_USERS: postgres,sentry\n MAX_CLIENT_CONN: 10000\n\n kafka:\n <<: *restart_policy\n image: \"confluentinc/cp-kafka:7.6.6\"\n environment:\n # https://docs.confluent.io/platform/current/installation/docker/config-reference.html#cp-kakfa-example\n KAFKA_PROCESS_ROLES: \"broker,controller\"\n KAFKA_CONTROLLER_QUORUM_VOTERS: \"1001@127.0.0.1:29093\"\n KAFKA_CONTROLLER_LISTENER_NAMES: \"CONTROLLER\"\n KAFKA_NODE_ID: \"1001\"\n CLUSTER_ID: \"MkU3OEVBNTcwNTJENDM2Qk\"\n KAFKA_LISTENERS: \"PLAINTEXT://0.0.0.0:29092,INTERNAL://0.0.0.0:9093,EXTERNAL://0.0.0.0:9092,CONTROLLER://0.0.0.0:29093\"\n KAFKA_ADVERTISED_LISTENERS: \"PLAINTEXT://127.0.0.1:29092,INTERNAL://kafka:9093,EXTERNAL://kafka:9092\"\n KAFKA_LISTENER_SECURITY_PROTOCOL_MAP: \"PLAINTEXT:PLAINTEXT,INTERNAL:PLAINTEXT,EXTERNAL:PLAINTEXT,CONTROLLER:PLAINTEXT\"\n KAFKA_INTER_BROKER_LISTENER_NAME: \"PLAINTEXT\"\n KAFKA_OFFSETS_TOPIC_REPLICATION_FACTOR: \"1\"\n KAFKA_OFFSETS_TOPIC_NUM_PARTITIONS: \"1\"\n KAFKA_LOG_RETENTION_HOURS: \"24\"\n KAFKA_MESSAGE_MAX_BYTES: \"50000000\" #50MB or bust\n KAFKA_MAX_REQUEST_SIZE: \"50000000\" #50MB on requests apparently too\n CONFLUENT_SUPPORT_METRICS_ENABLE: \"false\"\n KAFKA_LOG4J_LOGGERS: \"kafka.cluster=WARN,kafka.controller=WARN,kafka.coordinator=WARN,kafka.log=WARN,kafka.server=WARN,state.change.logger=WARN\"\n KAFKA_LOG4J_ROOT_LOGLEVEL: \"WARN\"\n KAFKA_TOOLS_LOG4J_LOGLEVEL: \"WARN\"\n ulimits:\n nofile:\n soft: 4096\n hard: 4096\n volumes:\n - \"sentry-kafka:/var/lib/kafka/data\"\n - \"sentry-kafka-log:/var/lib/kafka/log\"\n - \"sentry-secrets:/etc/kafka/secrets\"\n healthcheck:\n <<: *healthcheck_defaults\n test: [\"CMD-SHELL\", \"nc -z localhost 9092\"]\n interval: 10s\n timeout: 10s\n retries: 30\n clickhouse:\n <<: [*restart_policy, *pull_policy]\n image: clickhouse-self-hosted-local\n build:\n context: ./clickhouse\n args:\n BASE_IMAGE: \"altinity/clickhouse-server:25.3.6.10034.altinitystable\"\n ulimits:\n nofile:\n soft: 262144\n hard: 262144\n volumes:\n - \"sentry-clickhouse:/var/lib/clickhouse\"\n - \"sentry-clickhouse-log:/var/log/clickhouse-server\"\n - type: \"bind\"\n read_only: true\n source: \"./clickhouse/config.xml\"\n target: \"/etc/clickhouse-server/config.d/sentry.xml\"\n - type: \"bind\"\n read_only: true\n source: \"./clickhouse/default-password.xml\"\n target: \"/etc/clickhouse-server/users.d/default-password.xml\"\n environment:\n # This limits Clickhouse's memory to 30% of the host memory\n # If you have high volume and your search return incomplete results\n # You might want to change this to a higher value (and ensure your host has enough memory)\n MAX_MEMORY_USAGE_RATIO: 0.3\n healthcheck:\n test: [\n \"CMD-SHELL\",\n # Manually override any http_proxy envvar that might be set, because\n # this wget does not support no_proxy. See:\n # https://github.com/getsentry/self-hosted/issues/1537\n \"HTTP_PROXY='' http_proxy='' wget -nv -t1 --spider 'http://localhost:8123/' || exit 1\",\n ]\n interval: 10s\n timeout: 10s\n retries: 30\n seaweedfs:\n <<: *restart_policy\n image: \"chrislusf/seaweedfs:4.09_large_disk\"\n entrypoint: \"weed\"\n command: >-\n server\n -dir=/data\n -filer=true\n -filer.port=8888\n -filer.port.grpc=18888\n -filer.defaultReplicaPlacement=000\n -master=true\n -master.port=9333\n -master.port.grpc=19333\n -metricsPort=9091\n -s3=true\n -s3.port=8333\n -s3.port.grpc=18333\n -volume=true\n -volume.dir.idx=/data/idx\n -volume.index=leveldbLarge\n -volume.max=0\n -volume.preStopSeconds=8\n -volume.readMode=redirect\n -volume.port=8080\n -volume.port.grpc=18080\n -ip=127.0.0.1\n -ip.bind=0.0.0.0\n -webdav=false\n environment:\n AWS_ACCESS_KEY_ID: sentry\n AWS_SECRET_ACCESS_KEY: sentry\n volumes:\n - \"sentry-seaweedfs:/data\"\n healthcheck:\n test: [\n \"CMD-SHELL\",\n # Manually override any http_proxy envvar that might be set, because\n # this wget does not support no_proxy. See:\n # https://github.com/getsentry/self-hosted/issues/1537\n \"http_proxy='' wget -q -O- http://seaweedfs:8080/healthz http://seaweedfs:9333/cluster/healthz http://seaweedfs:8333/healthz || exit 1\",\n ]\n interval: 30s\n timeout: 20s\n retries: 5\n start_period: 60s\n snuba-api:\n <<: *snuba_defaults\n healthcheck:\n <<: *healthcheck_defaults\n test:\n - \"CMD\"\n - \"/bin/bash\"\n - \"-c\"\n # Courtesy of https://unix.stackexchange.com/a/234089/108960\n - 'exec 3<>/dev/tcp/127.0.0.1/1218 && echo -e \"GET /health HTTP/1.1\\r\\nhost: 127.0.0.1\\r\\n\\r\\n\" >&3 && grep ok -s -m 1 <&3'\n # Kafka consumer responsible for feeding events into Clickhouse\n snuba-errors-consumer:\n <<: *snuba_defaults\n command: rust-consumer --storage errors --consumer-group snuba-consumers --auto-offset-reset=latest --max-batch-time-ms 750 --no-strict-offset-reset --health-check-file /tmp/health.txt\n healthcheck:\n <<: *file_healthcheck_defaults\n # Kafka consumer responsible for feeding outcomes into Clickhouse\n # Use --auto-offset-reset=earliest to recover up to 7 days of TSDB data\n # since we did not do a proper migration\n snuba-outcomes-consumer:\n <<: *snuba_defaults\n command: rust-consumer --storage outcomes_raw --consumer-group snuba-consumers --auto-offset-reset=earliest --max-batch-time-ms 750 --no-strict-offset-reset --health-check-file /tmp/health.txt\n healthcheck:\n <<: *file_healthcheck_defaults\n snuba-outcomes-billing-consumer:\n <<: *snuba_defaults\n command: rust-consumer --storage outcomes_raw --consumer-group snuba-consumers --auto-offset-reset=earliest --max-batch-time-ms 750 --no-strict-offset-reset --raw-events-topic outcomes-billing --health-check-file /tmp/health.txt\n healthcheck:\n <<: *file_healthcheck_defaults\n snuba-group-attributes-consumer:\n <<: *snuba_defaults\n command: rust-consumer --storage group_attributes --consumer-group snuba-group-attributes-consumers --auto-offset-reset=latest --max-batch-time-ms 750 --no-strict-offset-reset --health-check-file /tmp/health.txt\n healthcheck:\n <<: *file_healthcheck_defaults\n snuba-replacer:\n <<: *snuba_defaults\n command: replacer --storage errors --auto-offset-reset=latest --no-strict-offset-reset\n snuba-subscription-consumer-events:\n <<: *snuba_defaults\n command: subscriptions-scheduler-executor --dataset events --entity events --auto-offset-reset=latest --no-strict-offset-reset --consumer-group=snuba-events-subscriptions-consumers --followed-consumer-group=snuba-consumers --schedule-ttl=60 --stale-threshold-seconds=900 --health-check-file /tmp/health.txt\n healthcheck:\n <<: *file_healthcheck_defaults\n #############################################\n ## Feature Complete Sentry Snuba Consumers ##\n #############################################\n # Kafka consumer responsible for feeding transactions data into Clickhouse\n snuba-transactions-consumer:\n <<: *snuba_defaults\n command: rust-consumer --storage transactions --consumer-group transactions_group --auto-offset-reset=latest --max-batch-time-ms 750 --no-strict-offset-reset --health-check-file /tmp/health.txt\n healthcheck:\n <<: *file_healthcheck_defaults\n profiles:\n - feature-complete\n snuba-replays-consumer:\n <<: *snuba_defaults\n command: rust-consumer --storage replays --consumer-group snuba-consumers --auto-offset-reset=latest --max-batch-time-ms 750 --no-strict-offset-reset --health-check-file /tmp/health.txt\n healthcheck:\n <<: *file_healthcheck_defaults\n profiles:\n - feature-complete\n snuba-issue-occurrence-consumer:\n <<: *snuba_defaults\n command: rust-consumer --storage search_issues --consumer-group generic_events_group --auto-offset-reset=latest --max-batch-time-ms 750 --no-strict-offset-reset --health-check-file /tmp/health.txt\n healthcheck:\n <<: *file_healthcheck_defaults\n profiles:\n - feature-complete\n snuba-metrics-consumer:\n <<: *snuba_defaults\n command: rust-consumer --storage metrics_raw --consumer-group snuba-metrics-consumers --auto-offset-reset=latest --max-batch-time-ms 750 --no-strict-offset-reset --health-check-file /tmp/health.txt\n healthcheck:\n <<: *file_healthcheck_defaults\n profiles:\n - feature-complete\n snuba-subscription-consumer-transactions:\n <<: *snuba_defaults\n command: subscriptions-scheduler-executor --dataset transactions --entity transactions --auto-offset-reset=latest --no-strict-offset-reset --consumer-group=snuba-transactions-subscriptions-consumers --followed-consumer-group=transactions_group --schedule-ttl=60 --stale-threshold-seconds=900 --health-check-file /tmp/health.txt\n healthcheck:\n <<: *file_healthcheck_defaults\n profiles:\n - feature-complete\n snuba-subscription-consumer-metrics:\n <<: *snuba_defaults\n command: subscriptions-scheduler-executor --dataset metrics --entity metrics_sets --entity metrics_counters --auto-offset-reset=latest --no-strict-offset-reset --consumer-group=snuba-metrics-subscriptions-consumers --followed-consumer-group=snuba-metrics-consumers --schedule-ttl=60 --stale-threshold-seconds=900 --health-check-file /tmp/health.txt\n healthcheck:\n <<: *file_healthcheck_defaults\n profiles:\n - feature-complete\n snuba-subscription-consumer-generic-metrics-distributions:\n <<: *snuba_defaults\n command: subscriptions-scheduler-executor --dataset generic_metrics --entity=generic_metrics_distributions --auto-offset-reset=latest --no-strict-offset-reset --consumer-group=snuba-generic-metrics-distributions-subscriptions-schedulers --followed-consumer-group=snuba-gen-metrics-distributions-consumers --schedule-ttl=60 --stale-threshold-seconds=900 --health-check-file /tmp/health.txt\n healthcheck:\n <<: *file_healthcheck_defaults\n profiles:\n - feature-complete\n snuba-subscription-consumer-generic-metrics-sets:\n <<: *snuba_defaults\n command: subscriptions-scheduler-executor --dataset generic_metrics --entity=generic_metrics_sets --auto-offset-reset=latest --no-strict-offset-reset --consumer-group=snuba-generic-metrics-sets-subscriptions-schedulers --followed-consumer-group=snuba-gen-metrics-sets-consumers --schedule-ttl=60 --stale-threshold-seconds=900 --health-check-file /tmp/health.txt\n healthcheck:\n <<: *file_healthcheck_defaults\n profiles:\n - feature-complete\n snuba-subscription-consumer-generic-metrics-counters:\n <<: *snuba_defaults\n command: subscriptions-scheduler-executor --dataset generic_metrics --entity=generic_metrics_counters --auto-offset-reset=latest --no-strict-offset-reset --consumer-group=snuba-generic-metrics-counters-subscriptions-schedulers --followed-consumer-group=snuba-gen-metrics-counters-consumers --schedule-ttl=60 --stale-threshold-seconds=900 --health-check-file /tmp/health.txt\n healthcheck:\n <<: *file_healthcheck_defaults\n profiles:\n - feature-complete\n snuba-subscription-consumer-generic-metrics-gauges:\n <<: *snuba_defaults\n command: subscriptions-scheduler-executor --dataset generic_metrics --entity=generic_metrics_gauges --auto-offset-reset=latest --no-strict-offset-reset --consumer-group=snuba-generic-metrics-gauges-subscriptions-schedulers --followed-consumer-group=snuba-gen-metrics-gauges-consumers --schedule-ttl=60 --stale-threshold-seconds=900 --health-check-file /tmp/health.txt\n healthcheck:\n <<: *file_healthcheck_defaults\n profiles:\n - feature-complete\n snuba-generic-metrics-distributions-consumer:\n <<: *snuba_defaults\n command: rust-consumer --storage generic_metrics_distributions_raw --consumer-group snuba-gen-metrics-distributions-consumers --auto-offset-reset=latest --max-batch-time-ms 750 --no-strict-offset-reset --health-check-file /tmp/health.txt\n healthcheck:\n <<: *file_healthcheck_defaults\n profiles:\n - feature-complete\n snuba-generic-metrics-sets-consumer:\n <<: *snuba_defaults\n command: rust-consumer --storage generic_metrics_sets_raw --consumer-group snuba-gen-metrics-sets-consumers --auto-offset-reset=latest --max-batch-time-ms 750 --no-strict-offset-reset --health-check-file /tmp/health.txt\n healthcheck:\n <<: *file_healthcheck_defaults\n profiles:\n - feature-complete\n snuba-generic-metrics-counters-consumer:\n <<: *snuba_defaults\n command: rust-consumer --storage generic_metrics_counters_raw --consumer-group snuba-gen-metrics-counters-consumers --auto-offset-reset=latest --max-batch-time-ms 750 --no-strict-offset-reset --health-check-file /tmp/health.txt\n healthcheck:\n <<: *file_healthcheck_defaults\n profiles:\n - feature-complete\n snuba-generic-metrics-gauges-consumer:\n <<: *snuba_defaults\n command: rust-consumer --storage generic_metrics_gauges_raw --consumer-group snuba-gen-metrics-gauges-consumers --auto-offset-reset=latest --max-batch-time-ms 750 --no-strict-offset-reset --health-check-file /tmp/health.txt\n healthcheck:\n <<: *file_healthcheck_defaults\n profiles:\n - feature-complete\n snuba-profiling-profiles-consumer:\n <<: *snuba_defaults\n command: rust-consumer --storage profiles --consumer-group snuba-consumers --auto-offset-reset=latest --max-batch-time-ms 1000 --no-strict-offset-reset --health-check-file /tmp/health.txt\n healthcheck:\n <<: *file_healthcheck_defaults\n profiles:\n - feature-complete\n snuba-profiling-functions-consumer:\n <<: *snuba_defaults\n command: rust-consumer --storage functions_raw --consumer-group snuba-consumers --auto-offset-reset=latest --max-batch-time-ms 1000 --no-strict-offset-reset --health-check-file /tmp/health.txt\n healthcheck:\n <<: *file_healthcheck_defaults\n profiles:\n - feature-complete\n snuba-profiling-profile-chunks-consumer:\n <<: *snuba_defaults\n command: rust-consumer --storage profile_chunks --consumer-group snuba-consumers --auto-offset-reset=latest --max-batch-time-ms 1000 --no-strict-offset-reset --health-check-file /tmp/health.txt\n healthcheck:\n <<: *file_healthcheck_defaults\n profiles:\n - feature-complete\n snuba-eap-items-consumer:\n <<: *snuba_defaults\n command: rust-consumer --storage eap_items --consumer-group eap_items_group --auto-offset-reset=latest --max-batch-time-ms 1000 --no-strict-offset-reset --use-rust-processor --health-check-file /tmp/health.txt\n healthcheck:\n <<: *file_healthcheck_defaults\n profiles:\n - feature-complete\n snuba-subscription-consumer-eap-items:\n <<: *snuba_defaults\n command: subscriptions-scheduler-executor --dataset events_analytics_platform --entity eap_items --auto-offset-reset=latest --no-strict-offset-reset --consumer-group=snuba-eap-items-subscriptions-consumers --followed-consumer-group=eap_items_group --schedule-ttl=60 --stale-threshold-seconds=900 --health-check-file /tmp/health.txt\n healthcheck:\n <<: *file_healthcheck_defaults\n symbolicator:\n <<: *restart_policy\n image: \"$SYMBOLICATOR_IMAGE\"\n environment:\n SYMBOLICATOR_STATSD_ADDR: ${STATSD_ADDR:-127.0.0.1:8125}\n command: run -c /etc/symbolicator/config.yml\n volumes:\n - \"sentry-symbolicator:/data\"\n - type: bind\n read_only: true\n source: ./symbolicator\n target: /etc/symbolicator\n healthcheck:\n <<: *healthcheck_defaults\n test: [\"CMD\", \"/bin/symbolicator\", \"healthcheck\", \"-c\", \"/etc/symbolicator/config.yml\"]\n symbolicator-cleanup:\n <<: *restart_policy\n image: \"$SYMBOLICATOR_IMAGE\"\n environment:\n SYMBOLICATOR_STATSD_ADDR: ${STATSD_ADDR:-127.0.0.1:8125}\n command: \"cleanup -c /etc/symbolicator/config.yml --repeat 1h\"\n volumes:\n - \"sentry-symbolicator:/data\"\n - type: bind\n read_only: true\n source: ./symbolicator\n target: /etc/symbolicator\n web:\n <<: *sentry_defaults\n ulimits:\n nofile:\n soft: 4096\n hard: 4096\n healthcheck:\n <<: *healthcheck_defaults\n test:\n - \"CMD\"\n - \"/bin/bash\"\n - \"-c\"\n # Courtesy of https://unix.stackexchange.com/a/234089/108960\n - 'exec 3<>/dev/tcp/127.0.0.1/9000 && echo -e \"GET /_health/ HTTP/1.1\\r\\nhost: 127.0.0.1\\r\\n\\r\\n\" >&3 && grep ok -s -m 1 <&3'\n events-consumer:\n <<: *sentry_defaults\n command: run consumer ingest-events --consumer-group ingest-consumer --healthcheck-file-path /tmp/health.txt\n healthcheck:\n <<: *file_healthcheck_defaults\n attachments-consumer:\n <<: *sentry_defaults\n command: run consumer ingest-attachments --consumer-group ingest-consumer --healthcheck-file-path /tmp/health.txt\n healthcheck:\n <<: *file_healthcheck_defaults\n post-process-forwarder-errors:\n <<: *sentry_defaults\n command: run consumer --no-strict-offset-reset post-process-forwarder-errors --consumer-group post-process-forwarder --synchronize-commit-log-topic=snuba-commit-log --synchronize-commit-group=snuba-consumers --healthcheck-file-path /tmp/health.txt\n healthcheck:\n <<: *file_healthcheck_defaults\n subscription-consumer-events:\n <<: *sentry_defaults\n command: run consumer events-subscription-results --consumer-group query-subscription-consumer --healthcheck-file-path /tmp/health.txt\n healthcheck:\n <<: *file_healthcheck_defaults\n ##############################################\n ## Feature Complete Sentry Ingest Consumers ##\n ##############################################\n transactions-consumer:\n <<: *sentry_defaults\n command: run consumer ingest-transactions --consumer-group ingest-consumer --healthcheck-file-path /tmp/health.txt\n healthcheck:\n <<: *file_healthcheck_defaults\n profiles:\n - feature-complete\n metrics-consumer:\n <<: *sentry_defaults\n command: run consumer ingest-metrics --consumer-group metrics-consumer --healthcheck-file-path /tmp/health.txt\n healthcheck:\n <<: *file_healthcheck_defaults\n profiles:\n - feature-complete\n generic-metrics-consumer:\n <<: *sentry_defaults\n command: run consumer ingest-generic-metrics --consumer-group generic-metrics-consumer --healthcheck-file-path /tmp/health.txt\n healthcheck:\n <<: *file_healthcheck_defaults\n profiles:\n - feature-complete\n billing-metrics-consumer:\n <<: *sentry_defaults\n command: run consumer billing-metrics-consumer --consumer-group billing-metrics-consumer --healthcheck-file-path /tmp/health.txt\n healthcheck:\n <<: *file_healthcheck_defaults\n profiles:\n - feature-complete\n ingest-replay-recordings:\n <<: *sentry_defaults\n command: run consumer ingest-replay-recordings --consumer-group ingest-replay-recordings --healthcheck-file-path /tmp/health.txt\n healthcheck:\n <<: *file_healthcheck_defaults\n profiles:\n - feature-complete\n ingest-occurrences:\n <<: *sentry_defaults\n command: run consumer ingest-occurrences --consumer-group ingest-occurrences --healthcheck-file-path /tmp/health.txt\n healthcheck:\n <<: *file_healthcheck_defaults\n profiles:\n - feature-complete\n ingest-profiles:\n <<: *sentry_defaults\n command: run consumer ingest-profiles --consumer-group ingest-profiles --healthcheck-file-path /tmp/health.txt\n healthcheck:\n <<: *file_healthcheck_defaults\n profiles:\n - feature-complete\n ingest-monitors:\n <<: *sentry_defaults\n command: run consumer ingest-monitors --consumer-group ingest-monitors --healthcheck-file-path /tmp/health.txt\n healthcheck:\n <<: *file_healthcheck_defaults\n profiles:\n - feature-complete\n ingest-feedback-events:\n <<: *sentry_defaults\n command: run consumer ingest-feedback-events --consumer-group ingest-feedback --healthcheck-file-path /tmp/health.txt\n healthcheck:\n <<: *file_healthcheck_defaults\n profiles:\n - feature-complete\n process-spans:\n <<: *sentry_defaults\n command: run consumer --no-strict-offset-reset process-spans --consumer-group process-spans --healthcheck-file-path /tmp/health.txt\n healthcheck:\n <<: *file_healthcheck_defaults\n profiles:\n - feature-complete\n process-segments:\n <<: *sentry_defaults\n command: run consumer --no-strict-offset-reset process-segments --consumer-group process-segments --healthcheck-file-path /tmp/health.txt\n healthcheck:\n <<: *file_healthcheck_defaults\n profiles:\n - feature-complete\n monitors-clock-tick:\n <<: *sentry_defaults\n command: run consumer monitors-clock-tick --consumer-group monitors-clock-tick --healthcheck-file-path /tmp/health.txt\n healthcheck:\n <<: *file_healthcheck_defaults\n profiles:\n - feature-complete\n monitors-clock-tasks:\n <<: *sentry_defaults\n command: run consumer monitors-clock-tasks --consumer-group monitors-clock-tasks --healthcheck-file-path /tmp/health.txt\n healthcheck:\n <<: *file_healthcheck_defaults\n profiles:\n - feature-complete\n uptime-results:\n <<: *sentry_defaults\n command: run consumer uptime-results --consumer-group uptime-results --healthcheck-file-path /tmp/health.txt\n healthcheck:\n <<: *file_healthcheck_defaults\n profiles:\n - feature-complete\n post-process-forwarder-transactions:\n <<: *sentry_defaults\n command: run consumer --no-strict-offset-reset post-process-forwarder-transactions --consumer-group post-process-forwarder --synchronize-commit-log-topic=snuba-transactions-commit-log --synchronize-commit-group transactions_group --healthcheck-file-path /tmp/health.txt\n healthcheck:\n <<: *file_healthcheck_defaults\n profiles:\n - feature-complete\n post-process-forwarder-issue-platform:\n <<: *sentry_defaults\n command: run consumer --no-strict-offset-reset post-process-forwarder-issue-platform --consumer-group post-process-forwarder --synchronize-commit-log-topic=snuba-generic-events-commit-log --synchronize-commit-group generic_events_group --healthcheck-file-path /tmp/health.txt\n healthcheck:\n <<: *file_healthcheck_defaults\n profiles:\n - feature-complete\n subscription-consumer-transactions:\n <<: *sentry_defaults\n command: run consumer transactions-subscription-results --consumer-group query-subscription-consumer --healthcheck-file-path /tmp/health.txt\n healthcheck:\n <<: *file_healthcheck_defaults\n profiles:\n - feature-complete\n subscription-consumer-eap-items:\n <<: *sentry_defaults\n command: run consumer subscription-results-eap-items --consumer-group subscription-results-eap-items --healthcheck-file-path /tmp/health.txt\n healthcheck:\n <<: *file_healthcheck_defaults\n profiles:\n - feature-complete\n subscription-consumer-metrics:\n <<: *sentry_defaults\n command: run consumer metrics-subscription-results --consumer-group query-subscription-consumer --healthcheck-file-path /tmp/health.txt\n healthcheck:\n <<: *file_healthcheck_defaults\n profiles:\n - feature-complete\n subscription-consumer-generic-metrics:\n <<: *sentry_defaults\n command: run consumer generic-metrics-subscription-results --consumer-group query-subscription-consumer --healthcheck-file-path /tmp/health.txt\n healthcheck:\n <<: *file_healthcheck_defaults\n profiles:\n - feature-complete\n sentry-cleanup:\n <<: *sentry_defaults\n image: sentry-cleanup-self-hosted-local\n build:\n context: ./cron\n args:\n BASE_IMAGE: sentry-self-hosted-local\n entrypoint: \"/entrypoint.sh\"\n command: '\"0 0 * * * gosu sentry sentry cleanup --days $SENTRY_EVENT_RETENTION_DAYS\"'\n nginx:\n <<: *restart_policy\n ports:\n - \"$SENTRY_BIND:80/tcp\"\n image: \"nginx:1.29.5-alpine\"\n volumes:\n - type: bind\n read_only: true\n source: ./nginx.conf\n target: /etc/nginx/nginx.conf\n - sentry-nginx-cache:/var/cache/nginx\n - sentry-nginx-www:/var/www\n healthcheck:\n <<: *healthcheck_defaults\n test:\n - \"CMD\"\n - \"/usr/bin/curl\"\n - http://localhost\n depends_on:\n web:\n <<: *depends_on-healthy\n restart: true\n relay:\n <<: *depends_on-healthy\n restart: true\n relay:\n <<: *restart_policy\n image: \"$RELAY_IMAGE\"\n environment:\n RELAY_STATSD_ADDR: ${STATSD_ADDR:-127.0.0.1:8125}\n volumes:\n - type: bind\n read_only: true\n source: ./relay\n target: /work/.relay\n - type: bind\n read_only: true\n source: ./geoip\n target: /geoip\n depends_on:\n kafka:\n <<: *depends_on-healthy\n redis:\n <<: *depends_on-healthy\n web:\n <<: *depends_on-healthy\n healthcheck:\n <<: *healthcheck_defaults\n test: [\"CMD\", \"/bin/relay\", \"healthcheck\"]\n taskbroker:\n <<: *restart_policy\n image: \"$TASKBROKER_IMAGE\"\n environment:\n TASKBROKER_KAFKA_CLUSTER: \"kafka:9092\"\n TASKBROKER_KAFKA_DEADLETTER_CLUSTER: \"kafka:9092\"\n TASKBROKER_DB_PATH: \"/opt/sqlite/taskbroker-activations.sqlite\"\n TASKBROKER_STATSD_ADDR: ${STATSD_ADDR:-127.0.0.1:8125}\n volumes:\n - sentry-taskbroker:/opt/sqlite\n depends_on:\n kafka:\n <<: *depends_on-healthy\n taskscheduler:\n <<: *sentry_defaults\n command: run taskworker-scheduler\n taskworker:\n <<: *sentry_defaults\n command: run taskworker --concurrency=$SENTRY_TASKWORKER_CONCURRENCY --rpc-host=taskbroker:50051 --health-check-file-path=/tmp/health.txt\n healthcheck:\n <<: *file_healthcheck_defaults\n vroom:\n <<: *restart_policy\n image: \"$VROOM_IMAGE\"\n environment:\n SENTRY_KAFKA_BROKERS_PROFILING: \"kafka:9092\"\n SENTRY_KAFKA_BROKERS_OCCURRENCES: \"kafka:9092\"\n SENTRY_BUCKET_PROFILES: \"s3://profiles?region=us-east-1&endpoint=seaweedfs:8333&s3ForcePathStyle=true&disableSSL=true\"\n AWS_ACCESS_KEY: \"sentry\"\n AWS_SECRET_KEY: \"sentry\"\n SENTRY_SNUBA_HOST: \"http://snuba-api:1218\"\n volumes:\n - sentry-vroom:/var/vroom/sentry-profiles\n healthcheck:\n <<: *healthcheck_defaults\n test:\n - \"CMD\"\n - \"/bin/bash\"\n - \"-c\"\n # Courtesy of https://unix.stackexchange.com/a/234089/108960\n - 'exec 3<>/dev/tcp/127.0.0.1/8085 && echo -e \"GET /health HTTP/1.1\\r\\nhost: 127.0.0.1\\r\\n\\r\\n\" >&3 && grep OK -s -m 1 <&3'\n depends_on:\n kafka:\n <<: *depends_on-healthy\n profiles:\n - feature-complete\n vroom-cleanup:\n <<: [*restart_policy, *pull_policy]\n image: vroom-cleanup-self-hosted-local\n build:\n context: ./cron\n args:\n BASE_IMAGE: \"$VROOM_IMAGE\"\n entrypoint: \"/entrypoint.sh\"\n environment:\n # Leaving the value empty to just pass whatever is set\n # on the host system (or in the .env file)\n SENTRY_EVENT_RETENTION_DAYS:\n command: '\"0 0 * * * find /var/vroom/sentry-profiles -type f -mtime +$SENTRY_EVENT_RETENTION_DAYS -delete\"'\n volumes:\n - sentry-vroom:/var/vroom/sentry-profiles\n profiles:\n - feature-complete\n uptime-checker:\n <<: *restart_policy\n image: \"$UPTIME_CHECKER_IMAGE\"\n command: run\n environment:\n UPTIME_CHECKER_RESULTS_KAFKA_CLUSTER: kafka:9092\n UPTIME_CHECKER_REDIS_HOST: redis://redis:6379\n # Set to `true` will allow uptime checks against private IP addresses\n UPTIME_CHECKER_ALLOW_INTERNAL_IPS: \"false\"\n # The number of times to retry failed checks before reporting them as failed\n UPTIME_CHECKER_FAILURE_RETRIES: \"1\"\n # DNS name servers to use when making checks in the http checker.\n # Separated by commas. Leaving this unset will default to the systems dns\n # resolver.\n #UPTIME_CHECKER_HTTP_CHECKER_DNS_NAMESERVERS: \"8.8.8.8,8.8.4.4\"\n UPTIME_CHECKER_STATSD_ADDR: ${STATSD_ADDR:-127.0.0.1:8125}\n depends_on:\n kafka:\n <<: *depends_on-healthy\n redis:\n <<: *depends_on-healthy\n profiles:\n - feature-complete\n\nvolumes:\n # These store application data that should persist across restarts.\n sentry-data:\n external: true\n sentry-postgres:\n external: true\n sentry-redis:\n external: true\n sentry-kafka:\n external: true\n sentry-clickhouse:\n external: true\n sentry-seaweedfs:\n external: true\n # The volume stores cached version of debug symbols, source maps etc. Upon\n # removal symbolicator will re-download them.\n sentry-symbolicator:\n # This volume stores JS SDK assets and the data inside this volume should\n # be cleaned periodically on upgrades.\n sentry-nginx-www:\n # This volume stores profiles and should be persisted.\n # Not being external will still persist data across restarts.\n # It won't persist if someone does a docker compose down -v.\n sentry-vroom:\n # This volume stores task data that is inflight\n # It should persist across restarts. If this volume is\n # deleted, up to ~2048 tasks will be lost.\n sentry-taskbroker:\n # These store ephemeral data that needn't persist across restarts.\n # That said, volumes will be persisted across restarts until they are deleted.\n sentry-secrets:\n sentry-smtp:\n sentry-nginx-cache:\n sentry-kafka-log:\n sentry-smtp-log:\n sentry-clickhouse-log:\n" }, { "path": "get-compose-action/action.yaml", "content": "name: \"Get Docker Compose\"\ninputs:\n version:\n required: false\n default: 2.33.1\n description: \"Docker Compose version\"\n\nruns:\n using: \"composite\"\n steps:\n - name: Get Compose\n shell: bash\n env:\n COMPOSE_VERSION: ${{ inputs.version }}\n run: |\n # Docker Compose v1 is installed here, remove it\n sudo rm -f \"/usr/local/bin/docker-compose\"\n sudo rm -f \"/usr/local/lib/docker/cli-plugins/docker-compose\"\n sudo mkdir -p \"/usr/local/lib/docker/cli-plugins\"\n sudo curl -L https://github.com/docker/compose/releases/download/v\"$COMPOSE_VERSION\"/docker-compose-`uname -s`-`uname -m` -o \"/usr/local/lib/docker/cli-plugins/docker-compose\"\n sudo chmod +x \"/usr/local/lib/docker/cli-plugins/docker-compose\"\n" }, { "path": "install/_detect-container-engine.sh", "content": "echo \"${_group}Detecting container engine ...\"\n\nif [[ \"${CONTAINER_ENGINE_PODMAN:-0}\" -eq 1 ]] && command -v podman &>/dev/null; then\n export CONTAINER_ENGINE=\"podman\"\nelif command -v docker &>/dev/null; then\n export CONTAINER_ENGINE=\"docker\"\nelse\n echo \"FAIL: Neither podman nor docker is installed on the system.\"\n exit 1\nfi\necho \"Detected container engine: $CONTAINER_ENGINE\"\necho \"${_endgroup}\"\n" }, { "path": "install/_lib.sh", "content": "# Allow `.env` overrides using the `.env.custom` file.\n# We pass this to docker compose in a couple places.\nif [[ -f .env.custom ]]; then\n _ENV=.env.custom\nelse\n _ENV=.env\nfi\n\n# Reading .env.custom has to come first. The value won't be overriden, instead\n# it would persist because of `export -p> >\"$t\"` later, which exports current\n# environment variables to a temporary file with a `declare -x KEY=value` format.\n# The new values on `.env` would be set only if they are not already set.\nif [[ \"$_ENV\" == \".env.custom\" ]]; then\n q=$(mktemp) && export -p >\"$q\" && set -a && . \".env.custom\" && set +a && . \"$q\" && rm \"$q\" && unset q\nfi\n\n# Read .env for default values with a tip o' the hat to https://stackoverflow.com/a/59831605/90297\nt=$(mktemp) && export -p >\"$t\" && set -a && . \".env\" && set +a && . \"$t\" && rm \"$t\" && unset t\n\nif [ \"${GITHUB_ACTIONS:-}\" = \"true\" ]; then\n _group=\"::group::\"\n _endgroup=\"::endgroup::\"\nelse\n _group=\"▶ \"\n _endgroup=\"\"\nfi\n\n# A couple of the config files are referenced from other subscripts, so they\n# get vars, while multiple subscripts call ensure_file_from_example.\nfunction ensure_file_from_example {\n target=\"$1\"\n if [[ -f \"$target\" ]]; then\n echo \"$target already exists, skipped creation.\"\n else\n # sed from https://stackoverflow.com/a/25123013/90297\n # shellcheck disable=SC2001\n example=\"$(echo \"$target\" | sed 's/\\.[^.]*$/.example&/')\"\n if [[ ! -f \"$example\" ]]; then\n echo \"Oops! Where did $example go? 🤨 We need it in order to create $target.\"\n exit\n fi\n echo \"Creating $target ...\"\n cp -n \"$example\" \"$target\"\n fi\n}\n\n# Check the version of $1 is greater than or equal to $2 using sort. Note: versions must be stripped of \"v\"\nfunction vergte() {\n printf \"%s\\n%s\" \"$1\" \"$2\" | sort --version-sort --check=quiet --reverse\n}\n\nexport SENTRY_CONFIG_PY=sentry/sentry.conf.py\nexport SENTRY_CONFIG_YML=sentry/config.yml\n\n# Increase the default 10 second SIGTERM timeout\n# to ensure task queues are properly drained\n# between upgrades as task signatures may change across\n# versions\nexport STOP_TIMEOUT=60 # seconds\n" }, { "path": "install/_logging.sh", "content": "# Thanks to https://unix.stackexchange.com/a/145654/108960\nlog_file=sentry_install_log-$(date +'%Y-%m-%d_%H-%M-%S').txt\nexec &> >(tee -a \"$log_file\")\n" }, { "path": "install/_min-requirements.sh", "content": "# Don't forget to update the README and other docs when you change these!\nMIN_DOCKER_VERSION='19.03.6'\nMIN_COMPOSE_VERSION='2.32.2'\n\nMIN_PODMAN_VERSION='4.9.3'\nMIN_PODMAN_COMPOSE_VERSION='1.3.0'\n\nMIN_BASH_VERSION='4.4.0'\n\n# 16 GB minimum host RAM, but there'll be some overhead outside of what\n# can be allotted to docker\nif [[ \"$COMPOSE_PROFILES\" == \"errors-only\" ]]; then\n MIN_RAM_HARD=7000 # MB\n MIN_CPU_HARD=2\nelse\n MIN_RAM_HARD=14000 # MB\n MIN_CPU_HARD=4\nfi\n" }, { "path": "install/bootstrap-s3-nodestore.sh", "content": "echo \"${_group}Bootstrapping seaweedfs (node store)...\"\n\nstart_service_and_wait_ready seaweedfs postgres\n$dcx seaweedfs apk add --no-cache s3cmd\n$dc exec seaweedfs mkdir -p /data/idx/\ns3cmd=\"$dc exec seaweedfs s3cmd\"\n\nbucket_list=$($s3cmd --access_key=sentry --secret_key=sentry --no-ssl --region=us-east-1 --host=localhost:8333 --host-bucket='localhost:8333/%(bucket)' ls)\n\nif ! echo \"$bucket_list\" | grep -q \"s3://nodestore\"; then\n apply_config_changes_nodestore=0\n # Only touch if no existing nodestore config is found\n if ! grep -q \"SENTRY_NODESTORE\" $SENTRY_CONFIG_PY; then\n if [[ -z \"${APPLY_AUTOMATIC_CONFIG_UPDATES:-}\" ]]; then\n echo\n echo \"We want to migrate Nodestore backend from Postgres to S3 which will\"\n echo \"help reducing Postgres storage issues. In order to do that, we need\"\n echo \"to modify your sentry.conf.py file contents.\"\n echo \"Do you want us to do it automatically for you?\"\n echo\n\n yn=\"\"\n until [ ! -z \"$yn\" ]; do\n read -p \"y or n? \" yn\n case $yn in\n y | yes | 1)\n export apply_config_changes_nodestore=1\n echo\n echo -n \"Thank you.\"\n ;;\n n | no | 0)\n export apply_config_changes_nodestore=0\n echo\n echo -n \"Alright, you will need to update your sentry.conf.py file manually before running 'docker compose up'.\"\n ;;\n *) yn=\"\" ;;\n esac\n done\n\n echo\n echo \"To avoid this prompt in the future, use one of these flags:\"\n echo\n echo \" --apply-automatic-config-updates\"\n echo \" --no-apply-automatic-config-updates\"\n echo\n echo \"or set the APPLY_AUTOMATIC_CONFIG_UPDATES environment variable:\"\n echo\n echo \" APPLY_AUTOMATIC_CONFIG_UPDATES=1 to apply automatic updates\"\n echo \" APPLY_AUTOMATIC_CONFIG_UPDATES=0 to not apply automatic updates\"\n echo\n sleep 5\n fi\n\n if [[ \"$APPLY_AUTOMATIC_CONFIG_UPDATES\" == 1 || \"$apply_config_changes_nodestore\" == 1 ]]; then\n nodestore_config=$(sed -n '/SENTRY_NODESTORE/,/[}]/{p}' sentry/sentry.conf.example.py)\n if [[ $($dc exec postgres psql -qAt -U postgres -c \"select exists (select * from nodestore_node limit 1)\") = \"t\" ]]; then\n nodestore_config=$(echo -e \"$nodestore_config\" | sed '$s/\\}/ \"read_through\": True,\\n \"delete_through\": True,\\n\\}/')\n fi\n echo \"$nodestore_config\" >>$SENTRY_CONFIG_PY\n fi\n fi\n\n $dc exec seaweedfs mkdir -p /data/idx/\n $s3cmd --access_key=sentry --secret_key=sentry --no-ssl --region=us-east-1 --host=localhost:8333 --host-bucket='localhost:8333/%(bucket)' mb s3://nodestore\nelse\n echo \"Node store already exists, skipping creation...\"\nfi\n\nif [[ -z \"${APPLY_AUTOMATIC_CONFIG_UPDATES:-}\" || \"$APPLY_AUTOMATIC_CONFIG_UPDATES\" == 1 ]]; then\n # XXX(aldy505): Should we refactor this?\n lifecycle_policy=$(\n cat <\n\n \n Sentry-Nodestore-Rule\n Enabled\n \n \n $SENTRY_EVENT_RETENTION_DAYS\n \n \n\nEOF\n )\n\n echo \"Making sure the bucket lifecycle policy is all set up correctly...\"\n $dc exec seaweedfs sh -c \"printf '%s' '$lifecycle_policy' > /tmp/nodestore-lifecycle-policy.xml\"\n $s3cmd --access_key=sentry --secret_key=sentry --no-ssl --region=us-east-1 --host=localhost:8333 --host-bucket='localhost:8333/%(bucket)' setlifecycle /tmp/nodestore-lifecycle-policy.xml s3://nodestore\n $s3cmd --access_key=sentry --secret_key=sentry --no-ssl --region=us-east-1 --host=localhost:8333 --host-bucket='localhost:8333/%(bucket)' getlifecycle s3://nodestore\nfi\n\necho \"${_endgroup}\"\n" }, { "path": "install/bootstrap-s3-profiles.sh", "content": "# The purpose of this file is to have both `sentry`-based containers and `vroom` use the same bucket for profiling.\n# On pre-25.10.0, we have a `sentry-vroom` volume which stores the profiling data however, since this version,\n# the behavior changed, and `vroomrs` now ingests profiles directly. Both services must share the same bucket,\n# but at the time of this writing, it's not possible because the `sentry-vroom` volume has ownership set to `vroom:vroom`.\n# This prevents the `sentry`-based containers from performing read/write operations on that volume.\n#\n# Therefore, this script should do the following:\n# 1. Check if there are any files inside the `sentry-vroom` volume.\n# 2. If (1) finds files, copy those files into a \"profiles\" bucket on SeaweedFS.\n# 3. Point `filestore-profiles` and vroom to the SeaweedFS \"profiles\" bucket.\n\n# Should only run when `$COMPOSE_PROFILES` is set to `feature-complete`\nif [[ \"$COMPOSE_PROFILES\" == \"feature-complete\" ]]; then\n echo \"${_group}Bootstrapping seaweedfs (profiles)...\"\n\n start_service_and_wait_ready seaweedfs\n $dcx seaweedfs apk add --no-cache s3cmd\n s3cmd=\"$dc exec seaweedfs s3cmd\"\n\n bucket_list=$($s3cmd --access_key=sentry --secret_key=sentry --no-ssl --region=us-east-1 --host=localhost:8333 --host-bucket='localhost:8333/%(bucket)' ls)\n\n if ! echo \"$bucket_list\" | grep -q \"s3://profiles\"; then\n apply_config_changes_profiles=0\n # Only touch if no existing profiles config is found\n if ! grep -q \"filestore.profiles-backend\" $SENTRY_CONFIG_YML; then\n if [[ -z \"${APPLY_AUTOMATIC_CONFIG_UPDATES:-}\" ]]; then\n echo\n echo \"We are migrating the Profiles data directory from the 'sentry-vroom' volume to SeaweedFS.\"\n echo \"This migration will ensure profiles ingestion works correctly with the new 'vroomrs'\"\n echo \"and allows both 'sentry' and 'vroom' to transition smoothly.\"\n echo \"To complete this, your sentry/config.yml file needs to be modified.\"\n echo \"Would you like us to perform this modification automatically?\"\n echo\n\n yn=\"\"\n until [ ! -z \"$yn\" ]; do\n read -p \"y or n? \" yn\n case $yn in\n y | yes | 1)\n export apply_config_changes_profiles=1\n echo\n echo -n \"Thank you.\"\n ;;\n n | no | 0)\n export apply_config_changes_profiles=0\n echo\n echo -n \"Alright, you will need to update your sentry/config.yml file manually before running 'docker compose up'.\"\n ;;\n *) yn=\"\" ;;\n esac\n done\n\n echo\n echo \"To avoid this prompt in the future, use one of these flags:\"\n echo\n echo \" --apply-automatic-config-updates\"\n echo \" --no-apply-automatic-config-updates\"\n echo\n echo \"or set the APPLY_AUTOMATIC_CONFIG_UPDATES environment variable:\"\n echo\n echo \" APPLY_AUTOMATIC_CONFIG_UPDATES=1 to apply automatic updates\"\n echo \" APPLY_AUTOMATIC_CONFIG_UPDATES=0 to not apply automatic updates\"\n echo\n sleep 5\n fi\n\n if [[ \"$APPLY_AUTOMATIC_CONFIG_UPDATES\" == 1 || \"$apply_config_changes_profiles\" == 1 ]]; then\n profiles_config=$(sed -n '/filestore.profiles-backend/,/s3v4\"/{p}' sentry/config.example.yml)\n echo \"$profiles_config\" >>$SENTRY_CONFIG_YML\n fi\n fi\n\n $s3cmd --access_key=sentry --secret_key=sentry --no-ssl --region=us-east-1 --host=localhost:8333 --host-bucket='localhost:8333/%(bucket)' mb s3://profiles\n\n # Check if there are files in the sentry-vroom volume\n start_service_and_wait_ready vroom\n vroom_files_count=$($dc exec vroom sh -c \"find /var/vroom/sentry-profiles -type f | wc -l\")\n if [[ \"$vroom_files_count\" -gt 0 ]]; then\n echo \"Migrating $vroom_files_count files from 'sentry-vroom' volume to 'profiles' bucket on SeaweedFS...\"\n\n # Use a temporary container to copy files from the volume to SeaweedFS\n\n $dcx -u root vroom sh -c 'mkdir -p /var/lib/apt/lists/partial && apt-get update && apt-get install -y --no-install-recommends s3cmd'\n $dc exec vroom sh -c 's3cmd --access_key=sentry --secret_key=sentry --no-ssl --region=us-east-1 --host=seaweedfs:8333 --host-bucket=\"seaweedfs:8333/%(bucket)\" sync /var/vroom/sentry-profiles/ s3://profiles/'\n\n echo \"Migration completed.\"\n else\n echo \"No files found in 'sentry-vroom' volume. Skipping files migration.\"\n fi\n else\n echo \"'profiles' bucket already exists on SeaweedFS. Skipping creation.\"\n fi\n\n if [[ -z \"${APPLY_AUTOMATIC_CONFIG_UPDATES:-}\" || \"$APPLY_AUTOMATIC_CONFIG_UPDATES\" == 1 ]]; then\n lifecycle_policy=$(\n cat <\n\n \n Sentry-Profiles-Rule\n Enabled\n \n \n $SENTRY_EVENT_RETENTION_DAYS\n \n \n\nEOF\n )\n\n $dc exec seaweedfs sh -c \"printf '%s' '$lifecycle_policy' > /tmp/profiles-lifecycle-policy.xml\"\n $s3cmd --access_key=sentry --secret_key=sentry --no-ssl --region=us-east-1 --host=localhost:8333 --host-bucket='localhost:8333/%(bucket)' setlifecycle /tmp/profiles-lifecycle-policy.xml s3://profiles\n\n echo \"Making sure the bucket lifecycle policy is all set up correctly...\"\n $s3cmd --access_key=sentry --secret_key=sentry --no-ssl --region=us-east-1 --host=localhost:8333 --host-bucket='localhost:8333/%(bucket)' getlifecycle s3://profiles\n fi\n echo \"${_endgroup}\"\nfi\n" }, { "path": "install/bootstrap-snuba.sh", "content": "echo \"${_group}Bootstrapping and migrating Snuba ...\"\n\nif [[ -z \"${SKIP_SNUBA_MIGRATIONS:-}\" ]]; then\n $dcr snuba-api bootstrap --force\nelse\n echo \"Skipped DB migrations due to SKIP_SNUBA_MIGRATIONS=$SKIP_SNUBA_MIGRATIONS\"\nfi\n\necho \"${_endgroup}\"\n" }, { "path": "install/build-docker-images.sh", "content": "echo \"${_group}Building and tagging Docker images ...\"\n\necho \"\"\n# Build any service that provides the image sentry-self-hosted-local first,\n# as it is used as the base image for sentry-cleanup-self-hosted-local.\n$dcb web\n# Build each other service individually to localize potential failures better.\nfor service in $($dc config --services); do\n $dcb \"$service\"\ndone\necho \"\"\necho \"Docker images built.\"\n\necho \"${_endgroup}\"\n" }, { "path": "install/check-latest-commit.sh", "content": "echo \"${_group}Checking for latest commit ... \"\n\n# Checks if we are on latest commit from github if it is running from master branch\nif [[ -d \"../.git\" && \"${SKIP_COMMIT_CHECK:-0}\" != 1 ]]; then\n if [[ $(git branch --show-current) == \"master\" ]]; then\n if [[ $(git rev-parse HEAD) != $(git ls-remote $(git rev-parse --abbrev-ref @{u} | sed 's/\\// /g') | cut -f1) ]]; then\n echo \"Seems like you are not using the latest commit from the self-hosted repository. Please pull the latest changes and try again, or suppress this check with --skip-commit-check.\"\n exit 1\n fi\n fi\nelse\n echo \"skipped\"\nfi\n\necho \"${_endgroup}\"\n" }, { "path": "install/check-memcached-backend.sh", "content": "echo \"${_group}Checking memcached backend ...\"\n\nif grep -q \"\\.PyMemcacheCache\" \"$SENTRY_CONFIG_PY\"; then\n echo \"PyMemcacheCache found in $SENTRY_CONFIG_PY, gonna assume you're good.\"\nelse\n if grep -q \"\\.MemcachedCache\" \"$SENTRY_CONFIG_PY\"; then\n echo \"MemcachedCache found in $SENTRY_CONFIG_PY, you should switch to PyMemcacheCache.\"\n echo \"See:\"\n echo \" https://develop.sentry.dev/self-hosted/releases/#breaking-changes\"\n exit 1\n else\n echo 'Your setup looks weird. Good luck.'\n fi\nfi\n\necho \"${_endgroup}\"\n" }, { "path": "install/check-minimum-requirements.sh", "content": "echo \"${_group}Checking minimum requirements ...\"\n\nsource install/_min-requirements.sh\n\nDOCKER_VERSION=$($CONTAINER_ENGINE version --format '{{.Server.Version}}' || echo '')\nif [[ -z \"$DOCKER_VERSION\" ]]; then\n echo \"FAIL: Unable to get $CONTAINER_ENGINE version, is the $CONTAINER_ENGINE daemon running?\"\n exit 1\nfi\n\nif [[ \"$CONTAINER_ENGINE\" == \"docker\" ]]; then\n if ! vergte ${DOCKER_VERSION//v/} $MIN_DOCKER_VERSION; then\n echo \"FAIL: Expected minimum docker version to be $MIN_DOCKER_VERSION but found $DOCKER_VERSION\"\n exit 1\n fi\n if ! vergte ${COMPOSE_VERSION//v/} $MIN_COMPOSE_VERSION; then\n echo \"FAIL: Expected minimum $dc_base version to be $MIN_COMPOSE_VERSION but found $COMPOSE_VERSION\"\n exit 1\n fi\nelif [[ \"$CONTAINER_ENGINE\" == \"podman\" ]]; then\n if ! vergte ${DOCKER_VERSION//v/} $MIN_PODMAN_VERSION; then\n echo \"FAIL: Expected minimum podman version to be $MIN_PODMAN_VERSION but found $DOCKER_VERSION\"\n exit 1\n fi\n if ! vergte ${COMPOSE_VERSION//v/} $MIN_PODMAN_COMPOSE_VERSION; then\n echo \"FAIL: Expected minimum $dc_base version to be $MIN_PODMAN_COMPOSE_VERSION but found $COMPOSE_VERSION\"\n exit 1\n fi\nfi\necho \"Found $CONTAINER_ENGINE version $DOCKER_VERSION\"\necho \"Found $CONTAINER_ENGINE Compose version $COMPOSE_VERSION\"\n\nCPU_AVAILABLE_IN_DOCKER=$($CONTAINER_ENGINE run --rm busybox nproc --all)\nif [[ \"$CPU_AVAILABLE_IN_DOCKER\" -lt \"$MIN_CPU_HARD\" ]]; then\n echo \"FAIL: Required minimum CPU cores available to Docker is $MIN_CPU_HARD, found $CPU_AVAILABLE_IN_DOCKER\"\n exit 1\nfi\n\nRAM_AVAILABLE_IN_DOCKER=$($CONTAINER_ENGINE run --rm busybox free -m 2>/dev/null | awk '/Mem/ {print $2}')\nif [[ \"$RAM_AVAILABLE_IN_DOCKER\" -lt \"$MIN_RAM_HARD\" ]]; then\n echo \"FAIL: Required minimum RAM available to Docker is $MIN_RAM_HARD MB, found $RAM_AVAILABLE_IN_DOCKER MB\"\n exit 1\nfi\n\n#SSE4.2 required by Clickhouse (https://clickhouse.yandex/docs/en/operations/requirements/)\n# On KVM, cpuinfo could falsely not report SSE 4.2 support, so skip the check. https://github.com/ClickHouse/ClickHouse/issues/20#issuecomment-226849297\n# This may also happen on other virtualization software such as on VMWare ESXi hosts.\nIS_KVM=$($CONTAINER_ENGINE run --rm busybox grep -c 'Common KVM processor' /proc/cpuinfo || :)\nif [[ ! \"$SKIP_SSE42_REQUIREMENTS\" -eq 1 && \"$IS_KVM\" -eq 0 && \"$DOCKER_ARCH\" = \"x86_64\" ]]; then\n SUPPORTS_SSE42=$($CONTAINER_ENGINE run --rm busybox grep -c sse4_2 /proc/cpuinfo || :)\n if [[ \"$SUPPORTS_SSE42\" -eq 0 ]]; then\n echo \"FAIL: The CPU your machine is running on does not support the SSE 4.2 instruction set, which is required for one of the services Sentry uses (Clickhouse). See https://github.com/getsentry/self-hosted/issues/340 for more info.\"\n exit 1\n fi\nfi\n\nif ! vergte \"${BASH_VERSION}\" \"${MIN_BASH_VERSION}\"; then\n echo \"FAIL: Expected minimum bash version to be ${MIN_BASH_VERSION} but found ${BASH_VERSION}\"\n exit 1\nfi\n\necho \"${_endgroup}\"\n" }, { "path": "install/create-docker-volumes.sh", "content": "echo \"${_group}Creating volumes for persistent storage ...\"\n\ncreate_volume() {\n create_command=\"$CONTAINER_ENGINE volume create\"\n if [ \"$CONTAINER_ENGINE\" = \"podman\" ]; then\n create_command=\"$create_command --ignore $1\"\n else\n create_command=\"$create_command --name=$1\"\n fi\n\n $create_command\n}\n\necho \"Created $(create_volume sentry-clickhouse).\"\necho \"Created $(create_volume sentry-data).\"\necho \"Created $(create_volume sentry-kafka).\"\necho \"Created $(create_volume sentry-postgres).\"\necho \"Created $(create_volume sentry-redis).\"\necho \"Created $(create_volume sentry-seaweedfs).\"\n\necho \"${_endgroup}\"\n" }, { "path": "install/dc-detect-version.sh", "content": "if [ \"${GITHUB_ACTIONS:-}\" = \"true\" ]; then\n _group=\"::group::\"\n _endgroup=\"::endgroup::\"\nelse\n _group=\"▶ \"\n _endgroup=\"\"\nfi\n\necho \"${_group}Initializing Docker|Podman Compose ...\"\n\nexport CONTAINER_ENGINE=\"docker\"\nif [[ \"${CONTAINER_ENGINE_PODMAN:-0}\" -eq 1 ]]; then\n if command -v podman &>/dev/null; then\n export CONTAINER_ENGINE=\"podman\"\n else\n echo \"FAIL: Podman is not installed on the system.\"\n exit 1\n fi\nfi\n\n# To support users that are symlinking to docker-compose\ndc_base=\"$(${CONTAINER_ENGINE} compose version --short &>/dev/null && echo \"$CONTAINER_ENGINE compose\" || echo '')\"\ndc_base_standalone=\"$(${CONTAINER_ENGINE}-compose version --short &>/dev/null && echo \"$CONTAINER_ENGINE-compose\" || echo '')\"\n\nCOMPOSE_VERSION=$([ -n \"$dc_base\" ] && $dc_base version --short || echo '')\nSTANDALONE_COMPOSE_VERSION=$([ -n \"$dc_base_standalone\" ] && $dc_base_standalone version --short || echo '')\n\nif [[ -z \"$COMPOSE_VERSION\" && -z \"$STANDALONE_COMPOSE_VERSION\" ]]; then\n echo \"FAIL: Docker|Podman Compose is required to run self-hosted\"\n exit 1\nfi\n\nif [[ -z \"$COMPOSE_VERSION\" ]] || [[ -n \"$STANDALONE_COMPOSE_VERSION\" ]] && ! vergte ${COMPOSE_VERSION//v/} ${STANDALONE_COMPOSE_VERSION//v/}; then\n COMPOSE_VERSION=\"${STANDALONE_COMPOSE_VERSION}\"\n dc_base=\"$dc_base_standalone\"\nfi\n\nif [[ \"$CONTAINER_ENGINE\" == \"podman\" ]]; then\n NO_ANSI=\"--no-ansi\"\nelse\n NO_ANSI=\"--ansi never\"\nfi\n\nif [[ \"$(basename $0)\" = \"install.sh\" ]]; then\n dc=\"$dc_base $NO_ANSI --env-file ${_ENV}\"\nelse\n dc=\"$dc_base $NO_ANSI\"\nfi\n\nproxy_args=\"--build-arg HTTP_PROXY=${HTTP_PROXY:-} --build-arg HTTPS_PROXY=${HTTPS_PROXY:-} --build-arg NO_PROXY=${NO_PROXY:-} --build-arg http_proxy=${http_proxy:-} --build-arg https_proxy=${https_proxy:-} --build-arg no_proxy=${no_proxy:-}\"\nexec_proxy_args=\"-e HTTP_PROXY=${HTTP_PROXY:-} -e HTTPS_PROXY=${HTTPS_PROXY:-} -e NO_PROXY=${NO_PROXY:-} -e http_proxy=${http_proxy:-} -e https_proxy=${https_proxy:-} -e no_proxy=${no_proxy:-}\"\nif [[ \"$CONTAINER_ENGINE\" == \"podman\" ]]; then\n proxy_args_dc=\"--podman-build-args HTTP_PROXY=${HTTP_PROXY:-},HTTPS_PROXY=${HTTPS_PROXY:-},NO_PROXY=${NO_PROXY:-},http_proxy=${http_proxy:-},https_proxy=${https_proxy:-},no_proxy=${no_proxy:-}\"\n # Disable pod creation as these are one-off commands and creating a pod\n # prints its pod id to stdout which is messing with the output that we\n # rely on various places such as configuration generation\n dcr=\"$dc --profile=feature-complete --in-pod=false run --rm\"\nelse\n proxy_args_dc=$proxy_args\n dcr=\"$dc run --pull=never --rm\"\nfi\ndcb=\"$dc build $proxy_args\"\ndbuild=\"$CONTAINER_ENGINE build $proxy_args\"\ndcx=\"$dc exec $exec_proxy_args\"\necho \"$dcr\"\n# Utility function to handle --wait with docker and podman\nfunction start_service_and_wait_ready() {\n local options=()\n local services=()\n local found_service=0\n\n for arg in \"$@\"; do\n if [[ $found_service -eq 0 && \"$arg\" == -* ]]; then\n options+=(\"$arg\")\n else\n found_service=1\n services+=(\"$arg\")\n fi\n done\n\n if [ \"$CONTAINER_ENGINE\" = \"podman\" ]; then\n $dc up --force-recreate -d \"${options[@]}\" \"${services[@]}\"\n for service in \"${services[@]}\"; do\n while ! $CONTAINER_ENGINE ps --filter \"health=healthy\" | grep \"$service\"; do\n sleep 2\n done\n done\n else\n $dc up --wait \"${options[@]}\" \"${services[@]}\"\n fi\n}\n\necho \"${_endgroup}\"\n" }, { "path": "install/detect-platform.sh", "content": "source install/_detect-container-engine.sh\n\necho \"${_group}Detecting Docker platform\"\n\n# Sentry SaaS uses stock Yandex ClickHouse, but they don't provide images that\n# support ARM, which is relevant especially for Apple M1 laptops, Sentry's\n# standard developer environment. As a workaround, we use an altinity image\n# targeting ARM.\n#\n# See https://github.com/getsentry/self-hosted/issues/1385#issuecomment-1101824274\n#\n# Images built on ARM also need to be tagged to use linux/arm64 on Apple\n# silicon Macs to work around an issue where they are built for\n# linux/amd64 by default due to virtualization.\n# See https://github.com/docker/cli/issues/3286 for the Docker bug.\n\nFORMAT=\"{{.Architecture}}\"\nif [[ $CONTAINER_ENGINE == \"podman\" ]]; then\n FORMAT=\"{{.Host.Arch}}\"\nfi\n\nDOCKER_ARCH_OUTPUT=$($CONTAINER_ENGINE info --format \"$FORMAT\" 2>&1)\nDOCKER_INFO_EXIT_CODE=$?\n\nif [[ $DOCKER_INFO_EXIT_CODE -ne 0 ]]; then\n echo \"FAIL: Unable to get $CONTAINER_ENGINE architecture information.\"\n echo \"$DOCKER_ARCH_OUTPUT\"\n if [[ \"$DOCKER_ARCH_OUTPUT\" == *\"permission denied\"* ]]; then\n echo \"\"\n echo \"You may need to add your user to the docker group:\"\n echo \" sudo usermod -aG docker \\$USER\"\n echo \"Then log out and log back in, or run: newgrp docker\"\n fi\n exit 1\nfi\n\nexport DOCKER_ARCH=\"$DOCKER_ARCH_OUTPUT\"\nif [[ \"$DOCKER_ARCH\" = \"x86_64\" || \"$DOCKER_ARCH\" = \"amd64\" ]]; then\n export DOCKER_PLATFORM=\"linux/amd64\"\nelif [[ \"$DOCKER_ARCH\" = \"aarch64\" ]]; then\n export DOCKER_PLATFORM=\"linux/arm64\"\nelse\n echo \"FAIL: Unsupported docker architecture $DOCKER_ARCH.\"\n exit 1\nfi\necho \"Detected Docker platform is $DOCKER_PLATFORM\"\n\necho \"${_endgroup}\"\n" }, { "path": "install/ensure-correct-permissions-profiles-dir.sh", "content": "#!/usr/bin/env bash\n\n# TODO: Remove this after the next hard-stop\n\n# Should only run when `$COMPOSE_PROFILES` is set to `feature-complete`\nif [[ \"$COMPOSE_PROFILES\" == \"feature-complete\" ]]; then\n echo \"${_group}Ensuring correct permissions on profiles directory ...\"\n\n # Check if the parent directory of /var/vroom/sentry-profiles is already owned by vroom:vroom\n if [ \"$($dcr --no-deps --entrypoint /bin/bash --user root vroom -c \"stat -c '%U:%G' /var/vroom/sentry-profiles\" 2>/dev/null)\" = \"vroom:vroom\" ]; then\n echo \"Ownership of /var/vroom/sentry-profiles is already set to vroom:vroom. Skipping chown.\"\n else\n $dcr --no-deps --entrypoint /bin/bash --user root vroom -c 'chown -R vroom:vroom /var/vroom/sentry-profiles && chmod -R o+rwx /var/vroom/sentry-profiles'\n fi\n\n echo \"${_endgroup}\"\nfi\n" }, { "path": "install/ensure-files-from-examples.sh", "content": "echo \"${_group}Ensuring files from examples ...\"\n\nensure_file_from_example \"$SENTRY_CONFIG_PY\"\nensure_file_from_example \"$SENTRY_CONFIG_YML\"\nensure_file_from_example symbolicator/config.yml\n\necho \"${_endgroup}\"\n" }, { "path": "install/ensure-relay-credentials.sh", "content": "echo \"${_group}Ensuring Relay credentials ...\"\n\nRELAY_CONFIG_YML=relay/config.yml\nRELAY_CREDENTIALS_JSON=relay/credentials.json\n\nensure_file_from_example $RELAY_CONFIG_YML\n\nif [[ -f \"$RELAY_CREDENTIALS_JSON\" ]]; then\n echo \"$RELAY_CREDENTIALS_JSON already exists, skipped creation.\"\nelse\n\n # There are a couple gotchas here:\n #\n # 1. We need to use a tmp file because if we redirect output directly to\n # credentials.json, then the shell will create an empty file that relay\n # will then try to read from (regardless of options such as --stdout or\n # --overwrite) and fail because it is empty.\n #\n # 2. We pull relay:nightly before invoking `run relay credentials generate`\n # because an implicit pull under the run causes extra stdout that results\n # in a garbage credentials.json.\n #\n # 3. We need to use -T to ensure that we receive output on Docker Compose\n # 1.x and 2.2.3+ (funny story about that ... ;). Note that the long opt\n # --no-tty doesn't exist in Docker Compose 1.\n\n $dc pull relay\n creds=\"$dcr --no-deps -T relay credentials\"\n $creds generate --stdout >\"$RELAY_CREDENTIALS_JSON\".tmp\n mv \"$RELAY_CREDENTIALS_JSON\".tmp \"$RELAY_CREDENTIALS_JSON\"\n if ! grep -q Credentials <($creds show); then\n # Let's fail early if creds failed, to make debugging easier.\n echo \"Failed to create relay credentials in $RELAY_CREDENTIALS_JSON.\"\n echo \"--- credentials.json v ---------------------------------------\"\n cat -v \"$RELAY_CREDENTIALS_JSON\" || true\n echo \"--- credentials.json ^ ---------------------------------------\"\n exit 1\n fi\n echo \"Relay credentials written to $RELAY_CREDENTIALS_JSON.\"\nfi\n\necho \"${_endgroup}\"\n" }, { "path": "install/error-handling.sh", "content": "echo \"${_group}Setting up error handling ...\"\n\nif [ -z \"${SENTRY_DSN:-}\" ]; then\n export SENTRY_DSN='https://19555c489ded4769978daae92f2346ca@self-hosted.getsentry.net/3'\nfi\n\n$dbuild -t sentry-self-hosted-jq-local --platform=\"$DOCKER_PLATFORM\" jq\n\njq=\"$CONTAINER_ENGINE run --rm -i sentry-self-hosted-jq-local\"\nsentry_cli=\"$CONTAINER_ENGINE run --rm -v /tmp:/work -e SENTRY_DSN=$SENTRY_DSN getsentry/sentry-cli\"\n\nsend_envelope() {\n # Send envelope\n $sentry_cli send-envelope \"$envelope_file\"\n}\n\ngenerate_breadcrumb_json() {\n cat $log_file | $jq -R -c 'split(\"\\n\") | {\"message\": (.[0]//\"\"), \"category\": \"log\", \"level\": \"info\"}'\n}\n\nsend_event() {\n # Use traceback hash as the UUID since it is 32 characters long\n local cmd_exit=$1\n local error_msg=$2\n local traceback=$3\n local traceback_json=$4\n local breadcrumbs=$5\n local fingerprint_value=$(\n echo -n \"$cmd_exit $error_msg $traceback\" |\n $CONTAINER_ENGINE run -i --rm busybox md5sum |\n cut -d' ' -f1\n )\n local envelope_file=\"sentry-envelope-${fingerprint_value}\"\n local envelope_file_path=\"/tmp/$envelope_file\"\n # If the envelope file exists, we've already sent it\n if [[ -f $envelope_file_path ]]; then\n echo \"Looks like you've already sent this error to us, we're on it :)\"\n return\n fi\n # If we haven't sent the envelope file, make it and send to Sentry\n # The format is documented at https://develop.sentry.dev/sdk/envelopes/\n # Grab length of log file, needed for the envelope header to send an attachment\n local file_length=$(wc -c <$log_file | awk '{print $1}')\n\n # Add header for initial envelope information\n $jq -n -c --arg event_id \"$fingerprint_value\" \\\n --arg dsn \"$SENTRY_DSN\" \\\n '$ARGS.named' >\"$envelope_file_path\"\n # Add header to specify the event type of envelope to be sent\n echo '{\"type\":\"event\"}' >>\"$envelope_file_path\"\n\n # Next we construct the meat of the event payload, which we build up\n # inside out using jq\n # See https://develop.sentry.dev/sdk/event-payloads/\n # for details about the event payload\n\n # Then we need the exception payload\n # https://develop.sentry.dev/sdk/event-payloads/exception/\n # but first we need to make the stacktrace which goes in the exception payload\n frames=$(echo \"$traceback_json\" | $jq -s -c)\n stacktrace=$($jq -n -c --argjson frames \"$frames\" '$ARGS.named')\n exception=$(\n $jq -n -c --arg \"type\" Error \\\n --arg value \"$error_msg\" \\\n --argjson stacktrace \"$stacktrace\" \\\n '$ARGS.named'\n )\n\n # It'd be a bit cleaner in the Sentry UI if we passed the inputs to\n # fingerprint_value hash rather than the hash itself (I believe the ultimate\n # hash ends up simply being a hash of our hash), but we want the hash locally\n # so that we can avoid resending the same event (design decision to avoid\n # spam in the system). It was also futzy to figure out how to get the\n # traceback in there properly. Meh.\n event_body=$(\n $jq -n -c --arg level error \\\n --argjson exception \"{\\\"values\\\":[$exception]}\" \\\n --argjson breadcrumbs \"{\\\"values\\\": $breadcrumbs}\" \\\n --argjson fingerprint \"[\\\"$fingerprint_value\\\"]\" \\\n '$ARGS.named'\n )\n echo \"$event_body\" >>$envelope_file_path\n # Add attachment to the event\n attachment=$(\n $jq -n -c --arg \"type\" attachment \\\n --arg length \"$file_length\" \\\n --arg content_type \"text/plain\" \\\n --arg filename install_log.txt \\\n '{\"type\": $type,\"length\": $length|tonumber,\"content_type\": $content_type,\"filename\": $filename}'\n )\n echo \"$attachment\" >>$envelope_file_path\n cat $log_file >>$envelope_file_path\n # Send envelope\n send_envelope $envelope_file\n}\n\nif [[ -z \"${REPORT_SELF_HOSTED_ISSUES:-}\" ]]; then\n echo\n echo \"Hey, so ... we would love to automatically find out about issues with your\"\n echo \"Sentry instance so that we can improve the product. Turns out there is an app\"\n echo \"for that, called Sentry. Would you be willing to let us automatically send data\"\n echo \"about your instance upstream to Sentry for development and debugging purposes?\"\n echo\n echo \" y / yes / 1\"\n echo \" n / no / 0\"\n echo\n echo \"(Btw, we send this to our own self-hosted Sentry instance, not to Sentry SaaS,\"\n echo \"so that we can be in this together.)\"\n echo\n echo \"Here's the info we may collect:\"\n echo\n echo \" - OS username\"\n echo \" - IP address\"\n echo \" - install log\"\n echo \" - runtime errors\"\n echo \" - performance data\"\n echo\n echo \"Thirty (30) day retention. No marketing. Privacy policy at sentry.io/privacy.\"\n echo\n\n yn=\"\"\n until [ ! -z \"$yn\" ]; do\n read -p \"y or n? \" yn\n case $yn in\n y | yes | 1)\n export REPORT_SELF_HOSTED_ISSUES=1\n echo\n echo -n \"Thank you.\"\n ;;\n n | no | 0)\n export REPORT_SELF_HOSTED_ISSUES=0\n echo\n echo -n \"Understood.\"\n ;;\n *) yn=\"\" ;;\n esac\n done\n\n echo \" To avoid this prompt in the future, use one of these flags:\"\n echo\n echo \" --report-self-hosted-issues\"\n echo \" --no-report-self-hosted-issues\"\n echo\n echo \"or set the REPORT_SELF_HOSTED_ISSUES environment variable:\"\n echo\n echo \" REPORT_SELF_HOSTED_ISSUES=1 to send data\"\n echo \" REPORT_SELF_HOSTED_ISSUES=0 to not send data\"\n echo\n sleep 5\nfi\n\n# Make sure we can use sentry-cli if we need it.\nif [ \"$REPORT_SELF_HOSTED_ISSUES\" == 1 ]; then\n if ! $CONTAINER_ENGINE pull getsentry/sentry-cli:latest; then\n echo \"Failed to pull sentry-cli, won't report to Sentry after all.\"\n export REPORT_SELF_HOSTED_ISSUES=0\n fi\nfi\n\n# Courtesy of https://stackoverflow.com/a/2183063/90297\ntrap_with_arg() {\n func=\"$1\"\n shift\n for sig; do\n trap \"$func $sig\" \"$sig\"\n done\n}\n\nDID_CLEAN_UP=0\n# the cleanup function will be the exit point\ncleanup() {\n local retcode=$?\n local cmd=\"${BASH_COMMAND}\"\n if [[ \"$DID_CLEAN_UP\" -eq 1 ]]; then\n return 0\n fi\n DID_CLEAN_UP=1\n if [[ \"$1\" != \"EXIT\" ]]; then\n set +o xtrace\n # Save the error message that comes from the last line of the log file\n error_msg=$(tail -n 1 \"$log_file\")\n # Create the breadcrumb payload now before stacktrace is printed\n # https://develop.sentry.dev/sdk/event-payloads/breadcrumbs/\n # Use sed to remove the last line, that is reported through the error message\n breadcrumbs=$(generate_breadcrumb_json | sed '$d' | $jq -s -c)\n printf -v err '%s' \"Error in ${BASH_SOURCE[1]}:${BASH_LINENO[0]}.\"\n printf -v cmd_exit '%s' \"'$cmd' exited with status $retcode\"\n printf '%s\\n%s\\n' \"$err\" \"$cmd_exit\"\n local stack_depth=${#FUNCNAME[@]}\n local traceback=\"\"\n local traceback_json=\"\"\n if [ $stack_depth -gt 2 ]; then\n for ((i = $(($stack_depth - 1)), j = 1; i > 0; i--, j++)); do\n local indent=\"$(yes a | head -$j | tr -d '\\n')\"\n local src=${BASH_SOURCE[$i]}\n local lineno=${BASH_LINENO[$i - 1]}\n local funcname=${FUNCNAME[$i]}\n JSON=$(\n $jq -n -c --arg filename \"$src\" \\\n --arg \"function\" \"$funcname\" \\\n --arg lineno \"$lineno\" \\\n '{\"filename\": $filename, \"function\": $function, \"lineno\": $lineno|tonumber}'\n )\n # If we're in the stacktrace of the file we failed on, we can add a context line with the command run that failed\n if [[ $i -eq 1 ]]; then\n JSON=$(\n $jq -n -c --arg cmd \"$cmd\" \\\n --argjson json \"$JSON\" \\\n '$json + {\"context_line\": $cmd}'\n )\n fi\n printf -v traceback_json '%s\\n' \"$traceback_json$JSON\"\n printf -v traceback '%s\\n' \"$traceback${indent//a/-}> $src:$funcname:$lineno\"\n done\n fi\n echo \"$traceback\"\n\n # Only send event when report issues flag is set and if trap signal is not INT (ctrl+c)\n if [[ \"$REPORT_SELF_HOSTED_ISSUES\" == 1 && \"$1\" != \"INT\" ]]; then\n send_event \"$cmd_exit\" \"$error_msg\" \"$traceback\" \"$traceback_json\" \"$breadcrumbs\"\n fi\n\n if [[ -n \"$MINIMIZE_DOWNTIME\" ]]; then\n echo \"*NOT* cleaning up, to clean your environment run \\\"docker compose stop\\\".\"\n else\n echo \"Cleaning up...\"\n fi\n fi\n\n if [[ -z \"$MINIMIZE_DOWNTIME\" ]]; then\n $dc stop -t $STOP_TIMEOUT &>/dev/null\n fi\n}\n\necho \"${_endgroup}\"\n" }, { "path": "install/generate-secret-key.sh", "content": "echo \"${_group}Generating secret key ...\"\n\nif grep -xq \"system.secret-key: '!!changeme!!'\" $SENTRY_CONFIG_YML; then\n # This is to escape the secret key to be used in sed below\n # Note the need to set LC_ALL=C due to BSD tr and sed always trying to decode\n # whatever is passed to them. Kudos to https://stackoverflow.com/a/23584470/90297\n SECRET_KEY=$(\n export LC_ALL=C\n head /dev/urandom | tr -dc \"a-z0-9@#%^&*(-_=+)\" | head -c 50 | sed -e 's/[\\/&]/\\\\&/g'\n )\n sed -i -e 's/^system.secret-key:.*$/system.secret-key: '\"'$SECRET_KEY'\"'/' $SENTRY_CONFIG_YML\n echo \"Secret key written to $SENTRY_CONFIG_YML\"\nfi\n\necho \"${_endgroup}\"\n" }, { "path": "install/geoip.sh", "content": "echo \"${_group}Setting up GeoIP integration ...\"\n\n# If `$CONTAINER_ENGINE` is not set, we assume that we are running this script independently\n# to update the geoip database as written on the documentation.\n# Therefore we need to `source _detect-container-engine.sh` to detect the container engine.\nscript_dir=$(cd \"$(dirname \"${BASH_SOURCE[0]}\")\" &>/dev/null && pwd -P)\nif [[ -z \"$CONTAINER_ENGINE\" ]]; then\n if [[ -f \"$script_dir/_detect-container-engine.sh\" ]]; then\n source $script_dir/_detect-container-engine.sh\n else\n echo \"Error: Cannot find _detect-container-engine.sh. Defaulting to docker.\"\n export CONTAINER_ENGINE=\"docker\"\n fi\nfi\n\ninstall_geoip() {\n local mmdb=geoip/GeoLite2-City.mmdb\n local conf=geoip/GeoIP.conf\n local result='Done'\n\n echo \"Setting up IP address geolocation ...\"\n if [[ ! -f \"$mmdb\" ]]; then\n echo -n \"Installing (empty) IP address geolocation database ... \"\n cp \"$mmdb.empty\" \"$mmdb\"\n echo \"done.\"\n else\n echo \"IP address geolocation database already exists.\"\n fi\n\n if [[ ! -f \"$conf\" ]]; then\n echo \"IP address geolocation is not configured for updates.\"\n echo \"See https://develop.sentry.dev/self-hosted/geolocation/ for instructions.\"\n result='Error'\n else\n echo \"IP address geolocation is configured for updates.\"\n echo \"Updating IP address geolocation database ... \"\n if ! $CONTAINER_ENGINE run --rm -v \"./geoip:/sentry\" --entrypoint '/usr/bin/geoipupdate' \"ghcr.io/maxmind/geoipupdate:v6.1.0\" \"-d\" \"/sentry\" \"-f\" \"/sentry/GeoIP.conf\"; then\n result='Error'\n fi\n echo \"$result updating IP address geolocation database.\"\n fi\n echo \"$result setting up IP address geolocation.\"\n}\n\ninstall_geoip\n\necho \"${_endgroup}\"\n" }, { "path": "install/migrate-pgbouncer.sh", "content": "echo \"${_group}Migrating Postgres config to PGBouncer...\"\n# If users has this EXACT configuration on their `sentry.conf.py` file:\n# ```python\n# DATABASES = {\n# \"default\": {\n# \"ENGINE\": \"sentry.db.postgres\",\n# \"NAME\": \"postgres\",\n# \"USER\": \"postgres\",\n# \"PASSWORD\": \"\",\n# \"HOST\": \"postgres\",\n# \"PORT\": \"\",\n# }\n# }\n# ```\n# We need to migrate it to this configuration:\n# ```python\n# DATABASES = {\n# \"default\": {\n# \"ENGINE\": \"sentry.db.postgres\",\n# \"NAME\": \"postgres\",\n# \"USER\": \"postgres\",\n# \"PASSWORD\": \"\",\n# \"HOST\": \"pgbouncer\",\n# \"PORT\": \"\",\n# }\n# }\n# ```\n\nif sed -n '/^DATABASES = {$/,/^}$/p' \"$SENTRY_CONFIG_PY\" | grep -q '\"HOST\": \"postgres\"'; then\n apply_config_changes_pgbouncer=0\n if [[ -z \"${APPLY_AUTOMATIC_CONFIG_UPDATES:-}\" ]]; then\n echo\n echo \"We added PGBouncer to the default Compose stack, and to use that\"\n echo \"you will need to modify your sentry.conf.py file contents.\"\n echo \"Do you want us to make this change automatically for you?\"\n echo\n\n yn=\"\"\n until [ ! -z \"$yn\" ]; do\n read -p \"y or n? \" yn\n case $yn in\n y | yes | 1)\n export apply_config_changes_pgbouncer=1\n echo\n echo -n \"Thank you.\"\n ;;\n n | no | 0)\n export apply_config_changes_pgbouncer=0\n echo\n echo -n \"Alright, you will need to update your sentry.conf.py file manually before running 'docker compose up' or remove the $(pgbouncer) service if you don't want to use that.\"\n ;;\n *) yn=\"\" ;;\n esac\n done\n\n echo\n echo \"To avoid this prompt in the future, use one of these flags:\"\n echo\n echo \" --apply-automatic-config-updates\"\n echo \" --no-apply-automatic-config-updates\"\n echo\n echo \"or set the APPLY_AUTOMATIC_CONFIG_UPDATES environment variable:\"\n echo\n echo \" APPLY_AUTOMATIC_CONFIG_UPDATES=1 to apply automatic updates\"\n echo \" APPLY_AUTOMATIC_CONFIG_UPDATES=0 to not apply automatic updates\"\n echo\n sleep 5\n fi\n\n if [[ \"$APPLY_AUTOMATIC_CONFIG_UPDATES\" == 1 || \"$apply_config_changes_pgbouncer\" == 1 ]]; then\n echo \"Migrating $SENTRY_CONFIG_PY to use PGBouncer\"\n sed -i 's/\"HOST\": \"postgres\"/\"HOST\": \"pgbouncer\"/' \"$SENTRY_CONFIG_PY\"\n echo \"Migrated $SENTRY_CONFIG_PY to use PGBouncer\"\n fi\nelif sed -n '/^DATABASES = {$/,/^}$/p' \"$SENTRY_CONFIG_PY\" | grep -q '\"HOST\": \"pgbouncer\"'; then\n echo \"Found pgbouncer in $SENTRY_CONFIG_PY, I'm assuming you're good! :)\"\nelse\n echo \"⚠️ You don't have standard configuration for Postgres in $SENTRY_CONFIG_PY, skipping pgbouncer migration. I'm assuming you know what you're doing.\"\n echo \" For more information about PGBouncer, refer to https://github.com/getsentry/self-hosted/pull/3884\"\nfi\n\necho \"${_endgroup}\"\n" }, { "path": "install/parse-cli.sh", "content": "echo \"${_group}Parsing command line ...\"\n\nshow_help() {\n cat <&/dev/null\n}\nremove_volume() {\n remove_command=\"$CONTAINER_ENGINE volume remove\"\n $remove_command $1\n}\n\nif exists_volume sentry-symbolicator; then\n echo \"Removed $(remove_volume sentry-symbolicator).\"\nfi\n\necho \"${_endgroup}\"\n" }, { "path": "install/update-docker-images.sh", "content": "echo \"${_group}Fetching and updating $CONTAINER_ENGINE images ...\"\n\nif [ \"$CONTAINER_ENGINE\" = \"podman\" ]; then\n # podman compose doesn't have the --ignore-pull-failures option, so can just\n # run the command normally\n $dc --profile feature-complete pull || true\nelse\n # We tag locally built images with a '-self-hosted-local' suffix. `docker\n # compose pull` tries to pull these too and shows a 404 error on the console\n # which is confusing and unnecessary. To overcome this, we add the\n # stderr>stdout redirection below and pass it through grep, ignoring all lines\n # having this '-onpremise-local' suffix.\n\n $dc pull --ignore-pull-failures 2>&1 | grep -v -- -self-hosted-local || true\nfi\n\n# We may not have the set image on the repo (local images) so allow fails\n$CONTAINER_ENGINE pull ${SENTRY_IMAGE} || true\n\necho \"${_endgroup}\"\n" }, { "path": "install/upgrade-clickhouse.sh", "content": "echo \"${_group}Upgrading Clickhouse ...\"\n\n# First check to see if user is upgrading by checking for existing clickhouse volume\nif [ \"$CONTAINER_ENGINE\" = \"podman\" ]; then\n ps_command=\"$dc ps\"\n build_arg=\"--podman-build-args\"\nelse\n # docker compose needs to be run with the -a flag to show all containers\n ps_command=\"$dc ps -a\"\n build_arg=\"--build-arg\"\nfi\n\nif $ps_command | grep -q clickhouse; then\n # Start clickhouse if it is not already running\n start_service_and_wait_ready clickhouse\n\n # In order to get to 25.3, we need to first upgrade go from 21.8 -> 22.8 -> 23.3 -> 23.8 -> 24.8 -> 25.3\n version=$($dc exec clickhouse clickhouse-client -q 'SELECT version()')\n if [[ \"$version\" == \"21.8.13.1.altinitystable\" || \"$version\" == \"21.8.12.29.altinitydev.arm\" ]]; then\n echo \"Detected clickhouse version $version\"\n $dc down clickhouse\n\n echo \"Upgrading clickhouse to 22.8\"\n $dcb $build_arg BASE_IMAGE=altinity/clickhouse-server:22.8.15.25.altinitystable clickhouse\n start_service_and_wait_ready clickhouse\n $dc down clickhouse\n\n echo \"Upgrading clickhouse to 23.3\"\n $dcb $build_arg BASE_IMAGE=altinity/clickhouse-server:23.3.19.33.altinitystable clickhouse\n start_service_and_wait_ready clickhouse\n $dc down clickhouse\n\n echo \"Upgrading clickhouse to 23.8\"\n $dcb $build_arg BASE_IMAGE=altinity/clickhouse-server:23.8.11.29.altinitystable clickhouse\n start_service_and_wait_ready clickhouse\n $dc down clickhouse\n\n echo \"Upgrading clickhouse to 24.8\"\n $dcb $build_arg BASE_IMAGE=altinity/clickhouse-server:24.8.14.10459.altinitystable clickhouse\n start_service_and_wait_ready clickhouse\n $dc down clickhouse\n\n echo \"Upgrading clickhouse to 25.3\"\n $dcb $build_arg BASE_IMAGE=altinity/clickhouse-server:25.3.6.10034.altinitystable clickhouse\n start_service_and_wait_ready clickhouse\n elif [[ \"$version\" == \"23.8.11.29.altinitystable\" ]]; then\n echo \"Detected clickhouse version $version\"\n $dc down clickhouse\n\n echo \"Upgrading clickhouse to 24.8\"\n $dcb $build_arg BASE_IMAGE=altinity/clickhouse-server:24.8.14.10459.altinitystable clickhouse\n start_service_and_wait_ready clickhouse\n $dc down clickhouse\n\n echo \"Upgrading clickhouse to 25.3\"\n $dcb $build_arg BASE_IMAGE=altinity/clickhouse-server:25.3.6.10034.altinitystable clickhouse\n start_service_and_wait_ready clickhouse\n else\n echo \"Detected clickhouse version $version. Skipping upgrades!\"\n fi\nfi\necho \"${_endgroup}\"\n" }, { "path": "install/upgrade-postgres.sh", "content": "echo \"${_group}Ensuring proper PostgreSQL version ...\"\n\nif [[ -n \"$($CONTAINER_ENGINE volume ls -q --filter name=sentry-postgres)\" && \"$($CONTAINER_ENGINE run --rm -v sentry-postgres:/db busybox cat /db/PG_VERSION 2>/dev/null)\" == \"9.6\" ]]; then\n $CONTAINER_ENGINE volume rm sentry-postgres-new || true\n # If this is Postgres 9.6 data, start upgrading it to 14.0 in a new volume\n $CONTAINER_ENGINE run --rm \\\n -v sentry-postgres:/var/lib/postgresql/9.6/data \\\n -v sentry-postgres-new:/var/lib/postgresql/14/data \\\n tianon/postgres-upgrade:9.6-to-14\n\n # Get rid of the old volume as we'll rename the new one to that\n $CONTAINER_ENGINE volume rm sentry-postgres\n $CONTAINER_ENGINE volume create --name sentry-postgres\n # There's no rename volume in Docker so copy the contents from old to new name\n # Also append the `host all all all trust` line as `tianon/postgres-upgrade:9.6-to-14`\n # doesn't do that automatically.\n $CONTAINER_ENGINE run --rm -v sentry-postgres-new:/from -v sentry-postgres:/to alpine ash -c \\\n \"cd /from ; cp -av . /to ; echo 'host all all all trust' >> /to/pg_hba.conf\"\n # Finally, remove the new old volume as we are all in sentry-postgres now.\n $CONTAINER_ENGINE volume rm sentry-postgres-new\n echo \"Re-indexing due to glibc change, this may take a while...\"\n echo \"Starting up new PostgreSQL version\"\n start_service_and_wait_ready postgres\n\n # Wait for postgres\n RETRIES=5\n until $dc exec postgres psql -U postgres -c \"select 1\" >/dev/null 2>&1 || [ $RETRIES -eq 0 ]; do\n echo \"Waiting for postgres server, $((RETRIES--)) remaining attempts...\"\n sleep 1\n done\n\n # VOLUME_NAME is the same as container name\n # Reindex all databases and their system catalogs which are not templates\n DBS=$($dc exec postgres psql -qAt -U postgres -c \"SELECT datname FROM pg_database WHERE datistemplate = false;\")\n for db in ${DBS}; do\n echo \"Re-indexing database: ${db}\"\n $dc exec postgres psql -qAt -U postgres -d ${db} -c \"reindex system ${db}\"\n $dc exec postgres psql -qAt -U postgres -d ${db} -c \"reindex database ${db};\"\n done\n\n $dc stop postgres\nfi\n\necho \"${_endgroup}\"\n" }, { "path": "install/wrap-up.sh", "content": "if [[ \"$MINIMIZE_DOWNTIME\" ]]; then\n echo \"${_group}Waiting for Sentry to start ...\"\n\n # Start the whole setup, except nginx and relay.\n start_service_and_wait_ready --remove-orphans $($dc config --services | grep -v -E '^(nginx|relay)$')\n $dc restart relay\n $dc exec -T nginx nginx -s reload\n\n $CONTAINER_ENGINE run --rm --network=\"${COMPOSE_PROJECT_NAME}_default\" alpine ash \\\n -c 'while [[ \"$(wget -T 1 -q -O- http://web:9000/_health/)\" != \"ok\" ]]; do sleep 0.5; done'\n\n # Make sure everything is up. This should only touch relay and nginx\n start_service_and_wait_ready $($dc config --services)\n\n echo \"${_endgroup}\"\nelse\n echo \"\"\n echo \"-----------------------------------------------------------------\"\n echo \"\"\n echo \"You're all done! Run the following command to get Sentry running:\"\n echo \"\"\n if [[ \"${_ENV}\" =~ \".env.custom\" ]]; then\n echo \" $dc_base --env-file .env --env-file ${_ENV} up --wait\"\n else\n if [[ \"$CONTAINER_ENGINE\" == \"podman\" ]]; then\n if [[ \"$COMPOSE_PROFILES\" == \"feature-complete\" ]]; then\n echo \" $dc_base --profile=feature-complete up --force-recreate -d\"\n else\n echo \" $dc_base up --force-recreate -d\"\n fi\n else\n echo \" $dc_base up --wait\"\n fi\n fi\n echo \"\"\n echo \"-----------------------------------------------------------------\"\n echo \"\"\nfi\n" }, { "path": "install.sh", "content": "#!/usr/bin/env bash\nset -eEuo pipefail\ntest \"${DEBUG:-}\" && set -x\n\n# Override any user-supplied umask that could cause problems, see #1222\numask 002\n\n# Pre-pre-flight? 🤷\nif [[ -n \"${MSYSTEM:-}\" ]]; then\n echo \"Seems like you are using an MSYS2-based system (such as Git Bash) which is not supported. Please use WSL instead.\"\n exit 1\nfi\n\nsource install/_logging.sh\nsource install/_lib.sh\n\n# Pre-flight. No impact yet.\nsource install/parse-cli.sh\nsource install/detect-platform.sh\nsource install/dc-detect-version.sh\nsource install/error-handling.sh\n# We set the trap at the top level so that we get better tracebacks.\ntrap_with_arg cleanup ERR INT TERM EXIT\nsource install/check-latest-commit.sh\nsource install/check-minimum-requirements.sh\n\n# Let's go! Start impacting things.\n# Upgrading clickhouse needs to come first before turning things off, since we need the old clickhouse image\n# in order to determine whether or not the clickhouse version needs to be upgraded.\nsource install/upgrade-clickhouse.sh\nsource install/update-docker-images.sh\nsource install/turn-things-off.sh\nsource install/create-docker-volumes.sh\nsource install/ensure-files-from-examples.sh\nsource install/check-memcached-backend.sh\nsource install/ensure-relay-credentials.sh\nsource install/generate-secret-key.sh\nsource install/build-docker-images.sh\nsource install/bootstrap-s3-nodestore.sh\nsource install/bootstrap-snuba.sh\nsource install/upgrade-postgres.sh\nsource install/ensure-correct-permissions-profiles-dir.sh\nsource install/bootstrap-s3-profiles.sh\nsource install/set-up-and-migrate-database.sh\nsource install/migrate-pgbouncer.sh\nsource install/geoip.sh\nsource install/setup-js-sdk-assets.sh\nsource install/wrap-up.sh\n" }, { "path": "jq/Dockerfile", "content": "FROM debian:bookworm-slim\n\nLABEL MAINTAINER=\"oss@sentry.io\"\n\nRUN set -x \\\n && apt-get update \\\n && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends jq \\\n && apt-get clean \\\n && rm -rf /var/lib/apt/lists/*\n\nENTRYPOINT [\"jq\"]\n" }, { "path": "nginx.conf", "content": "user nginx;\nworker_processes auto;\n\nerror_log /var/log/nginx/error.log warn;\npid /var/run/nginx.pid;\n\n\nevents {\n\tworker_connections 1024;\n}\n\n\nhttp {\n\tinclude /etc/nginx/mime.types;\n\tdefault_type application/octet-stream;\n\n\tlog_format main '$remote_addr - $remote_user [$time_local] \"$request\" '\n\t'$status $body_bytes_sent \"$http_referer\" '\n\t'\"$http_user_agent\" \"$http_x_forwarded_for\"';\n\n\taccess_log /var/log/nginx/access.log main;\n\n\tsendfile on;\n\ttcp_nopush on;\n\ttcp_nodelay on;\n\treset_timedout_connection on;\n\n\tkeepalive_timeout 75s;\n\n\tgzip off;\n\tserver_tokens off;\n\n\tserver_names_hash_bucket_size 64;\n\ttypes_hash_max_size 2048;\n\ttypes_hash_bucket_size 64;\n\tclient_body_buffer_size 64k;\n\tclient_max_body_size 100m;\n\n\tproxy_http_version 1.1;\n\tproxy_redirect off;\n\tproxy_buffer_size 128k;\n\tproxy_buffers 4 256k;\n\tproxy_busy_buffers_size 256k;\n\n\t# Docker default address pools\n\t# https://github.com/moby/libnetwork/blob/3797618f9a38372e8107d8c06f6ae199e1133ae8/ipamutils/utils.go#L10-L22\n\tset_real_ip_from 172.17.0.0/16;\n\tset_real_ip_from 172.18.0.0/16;\n\tset_real_ip_from 172.19.0.0/16;\n\tset_real_ip_from 172.20.0.0/14;\n\tset_real_ip_from 172.24.0.0/14;\n\tset_real_ip_from 172.28.0.0/14;\n\tset_real_ip_from 192.168.0.0/16;\n\tset_real_ip_from 10.0.0.0/8;\n\treal_ip_header X-Forwarded-For;\n\treal_ip_recursive on;\n\n\t# Remove the Connection header if the client sends it,\n\t# it could be \"close\" to close a keepalive connection\n\tproxy_set_header Connection '';\n\tproxy_set_header Host $host;\n\tproxy_set_header X-Forwarded-For $remote_addr;\n\tproxy_set_header X-Forwarded-Proto $scheme;\n\tproxy_set_header X-Request-Id $request_id;\n\tproxy_read_timeout 30s;\n\tproxy_send_timeout 5s;\n\n\tupstream relay {\n\t\tserver relay:3000;\n\t\tkeepalive 2;\n\t}\n\n\tupstream sentry {\n\t\tserver web:9000;\n\t\tkeepalive 2;\n\t}\n\n\tserver {\n\t\tlisten 80;\n\n\t\tlocation /api/store/ {\n\t\t\tproxy_pass http://relay;\n\t\t}\n\t\tlocation ~ ^/api/[1-9]\\d*/ {\n\t\t\tproxy_pass http://relay;\n\t\t}\n\t\tlocation ^~ /api/0/relays/ {\n\t\t\tproxy_pass http://relay;\n\t\t}\n\t\tlocation ^~ /js-sdk/ {\n\t\t\troot /var/www/;\n\t\t\t# This value is set to mimic the behavior of the upstream Sentry CDN. For security reasons,\n\t\t\t# it is recommended to change this to your Sentry URL (in most cases same as system.url-prefix).\n\t\t\tadd_header Access-Control-Allow-Origin *;\n\t\t}\n\t\tlocation / {\n\t\t\tproxy_pass http://sentry;\n\t\t}\n\t\tlocation /_assets/ {\n\t\t\tproxy_pass http://sentry/_static/dist/sentry/;\n\t\t\tproxy_hide_header Content-Disposition;\n\t\t}\n\t\tlocation /_static/ {\n\t\t\tproxy_pass http://sentry;\n\t\t\tproxy_hide_header Content-Disposition;\n\t\t}\n\t}\n}\n" }, { "path": "optional-modifications/README.md", "content": "# Optional Modifications\n\nWhile the default self-hosted Sentry installation is often sufficient, there are instances where leveraging existing infrastructure becomes a practical necessity, particularly for users with limited resources. This is where **patches**, or what can be understood as a **plugin system**, come into play.\n\nA patch system comprises a collection of patch files (refer to man patch(1) for detailed information) designed to modify an existing Sentry configuration. This allows for targeted adjustments to achieve specific operational goals, optimizing Sentry's functionality within your current environment. This approach provides a flexible alternative to a full, customized re-installation, enabling users to adapt Sentry to their specific needs with greater efficiency.\n\nWe also actively encourage the community to contribute! If you've developed a patch that enhances your self-hosted Sentry experience, consider submitting a pull request. Your contributions can be invaluable to other users facing similar challenges, fostering a collaborative environment where shared solutions benefit everyone.\n\n> [!WARNING]\n> Beware that this is very experimental and might not work as expected.\n>\n> **Use it at your own risk!**\n\n## How to use patches\n\nThe patches are designed mostly to help modify the existing configuration files. You will need to run the `install.sh` script afterwards.\n\nThey should be run from the root directory. For example, the `external-kafka` patches should be run as:\n\n```bash\npatch -p0 < optional-modifications/patches/external-kafka/.env.patch\npatch -p0 < optional-modifications/patches/external-kafka/config.example.yml.patch\npatch -p0 < optional-modifications/patches/external-kafka/sentry.conf.example.py.patch\npatch -p0 < optional-modifications/patches/external-kafka/docker-compose.yml.patch\n```\n\nThe `-p0` flag is important to ensure the patch applies to the correct absolute file path.\n\nSome patches might require additional steps to be taken, like providing credentials or additional TLS certificates. Make sure to see your changed files before running the `install.sh` script.\n\n## How to create patches\n\n1. Copy the original file to a temporary file name. For example, if you want to create a `clustered-redis` patch, you might want to copy `docker-compose.yml` to `docker-compose.clustered-redis.yml`.\n2. Make your changes on the `docker-compose.clustered-redis.yml` file.\n3. Run the following command to create the patch:\n ```bash\n diff -Naru docker-compose.yml docker-compose.clustered-redis.yml > docker-compose.yml.patch\n ```\n Or the template command:\n ```bash\n diff -Naru [original file] [patched file] > [destination file].patch\n ```\n4. Create a new directory in the `optional-modifications/patches` folder with the name of the patch. For example, `optional-modifications/patches/clustered-redis`.\n5. Move the patched files (like `docker-compose.yml.patch` earlier) into the new directory.\n\n## Official support\n\nWhile Sentry employees aren't able to offer dedicated support for these patches, they can provide valuable information to help move things forward. Ultimately, we really encourage the community to take the wheel, maintaining and fostering these patches themselves. If you have questions, Sentry employees will be there to help guide you.\n\nSee the [support policy for self-hosted Sentry](https://develop.sentry.dev/self-hosted/support/) for more information.\n" }, { "path": "optional-modifications/patches/external-kafka/config.example.yml.patch", "content": "--- relay/config.example.yml\t2025-05-15 08:27:40.426876887 +0700\n+++ relay/config.example.external-kafka.yml\t2025-05-15 08:34:21.113311217 +0700\n@@ -7,8 +7,15 @@\n processing:\n enabled: true\n kafka_config:\n- - {name: \"bootstrap.servers\", value: \"kafka:9092\"}\n+ - {name: \"bootstrap.servers\", value: \"kafka-node1:9092,kafka-node2:9092,kafka-node3:9092\"}\n - {name: \"message.max.bytes\", value: 50000000} # 50MB\n+ - {name: \"security.protocol\", value: \"PLAINTEXT\"}\n+ - {name: \"sasl.mechanism\", value: \"PLAIN\"} # Remove or comment this line if SASL is not used.\n+ - {name: \"sasl.username\", value: \"username\"} # Remove or comment this line if SASL is not used.\n+ - {name: \"sasl.password\", value: \"password\"} # Remove or comment this line if SASL is not used.\n+ - {name: \"ssl.ca.location\", value: \"/kafka-certificates/ca.pem\"} # Remove or comment this line if SSL is not used.\n+ - {name: \"ssl.certificate.location\", value: \"/kafka-certificates/client.pem\"} # Remove or comment this line if SSL is not used.\n+ - {name: \"ssl.key.location\", value: \"/kafka-certificates/client.key\"} # Remove or comment this line if SSL is not used.\n redis: redis://redis:6379\n geoip_path: \"/geoip/GeoLite2-City.mmdb\"\n \n" }, { "path": "optional-modifications/patches/external-kafka/docker-compose.yml.patch", "content": "--- docker-compose.yml\t2025-07-08 10:22:36.600616503 +0700\n+++ docker-compose.external-kafka.yml\t2025-07-08 10:36:44.069900011 +0700\n@@ -26,8 +26,6 @@\n depends_on:\n redis:\n <<: *depends_on-healthy\n- kafka:\n- <<: *depends_on-healthy\n postgres:\n <<: *depends_on-healthy\n memcached:\n@@ -59,6 +57,14 @@\n SENTRY_EVENT_RETENTION_DAYS:\n SENTRY_MAIL_HOST:\n SENTRY_MAX_EXTERNAL_SOURCEMAP_SIZE:\n+ KAFKA_BOOTSTRAP_SERVERS: ${KAFKA_BOOTSTRAP_SERVERS:-kafka:9092}\n+ KAFKA_SECURITY_PROTOCOL: ${KAFKA_SECURITY_PROTOCOL:-PLAINTEXT}\n+ KAFKA_SSL_CA_LOCATION: ${KAFKA_SSL_CA_LOCATION:-}\n+ KAFKA_SSL_CERTIFICATE_LOCATION: ${KAFKA_SSL_CERTIFICATE_LOCATION:-}\n+ KAFKA_SSL_KEY_LOCATION: ${KAFKA_SSL_KEY_LOCATION:-}\n+ KAFKA_SASL_MECHANISM: ${KAFKA_SASL_MECHANISM:-}\n+ KAFKA_SASL_USERNAME: ${KAFKA_SASL_USERNAME:-}\n+ KAFKA_SASL_PASSWORD: ${KAFKA_SASL_PASSWORD:-}\n volumes:\n - \"sentry-data:/data\"\n - \"./sentry:/etc/sentry\"\n@@ -69,15 +75,20 @@\n depends_on:\n clickhouse:\n <<: *depends_on-healthy\n- kafka:\n- <<: *depends_on-healthy\n redis:\n <<: *depends_on-healthy\n image: \"$SNUBA_IMAGE\"\n environment:\n SNUBA_SETTINGS: self_hosted\n CLICKHOUSE_HOST: clickhouse\n- DEFAULT_BROKERS: \"kafka:9092\"\n+ DEFAULT_BROKERS: ${KAFKA_BOOTSTRAP_SERVERS:-kafka:9092}\n+ KAFKA_SECURITY_PROTOCOL: ${KAFKA_SECURITY_PROTOCOL:-PLAINTEXT}\n+ KAFKA_SSL_CA_PATH: ${KAFKA_SSL_CA_LOCATION:-}\n+ KAFKA_SSL_CERT_PATH: ${KAFKA_SSL_CERTIFICATE_LOCATION:-}\n+ KAFKA_SSL_KEY_PATH: ${KAFKA_SSL_KEY_LOCATION:-}\n+ KAFKA_SASL_MECHANISM: ${KAFKA_SASL_MECHANISM:-}\n+ KAFKA_SASL_USERNAME: ${KAFKA_SASL_USERNAME:-}\n+ KAFKA_SASL_PASSWORD: ${KAFKA_SASL_PASSWORD:-}\n REDIS_HOST: redis\n UWSGI_MAX_REQUESTS: \"10000\"\n UWSGI_DISABLE_LOGGING: \"true\"\n@@ -136,43 +147,7 @@\n POSTGRES_HOST_AUTH_METHOD: \"trust\"\n volumes:\n - \"sentry-postgres:/var/lib/postgresql/data\"\n- kafka:\n- <<: *restart_policy\n- image: \"confluentinc/cp-kafka:7.6.1\"\n- environment:\n- # https://docs.confluent.io/platform/current/installation/docker/config-reference.html#cp-kakfa-example\n- KAFKA_PROCESS_ROLES: \"broker,controller\"\n- KAFKA_CONTROLLER_QUORUM_VOTERS: \"1001@127.0.0.1:29093\"\n- KAFKA_CONTROLLER_LISTENER_NAMES: \"CONTROLLER\"\n- KAFKA_NODE_ID: \"1001\"\n- CLUSTER_ID: \"MkU3OEVBNTcwNTJENDM2Qk\"\n- KAFKA_LISTENERS: \"PLAINTEXT://0.0.0.0:29092,INTERNAL://0.0.0.0:9093,EXTERNAL://0.0.0.0:9092,CONTROLLER://0.0.0.0:29093\"\n- KAFKA_ADVERTISED_LISTENERS: \"PLAINTEXT://127.0.0.1:29092,INTERNAL://kafka:9093,EXTERNAL://kafka:9092\"\n- KAFKA_LISTENER_SECURITY_PROTOCOL_MAP: \"PLAINTEXT:PLAINTEXT,INTERNAL:PLAINTEXT,EXTERNAL:PLAINTEXT,CONTROLLER:PLAINTEXT\"\n- KAFKA_INTER_BROKER_LISTENER_NAME: \"PLAINTEXT\"\n- KAFKA_OFFSETS_TOPIC_REPLICATION_FACTOR: \"1\"\n- KAFKA_OFFSETS_TOPIC_NUM_PARTITIONS: \"1\"\n- KAFKA_LOG_RETENTION_HOURS: \"24\"\n- KAFKA_MESSAGE_MAX_BYTES: \"50000000\" #50MB or bust\n- KAFKA_MAX_REQUEST_SIZE: \"50000000\" #50MB on requests apparently too\n- CONFLUENT_SUPPORT_METRICS_ENABLE: \"false\"\n- KAFKA_LOG4J_LOGGERS: \"kafka.cluster=WARN,kafka.controller=WARN,kafka.coordinator=WARN,kafka.log=WARN,kafka.server=WARN,state.change.logger=WARN\"\n- KAFKA_LOG4J_ROOT_LOGLEVEL: \"WARN\"\n- KAFKA_TOOLS_LOG4J_LOGLEVEL: \"WARN\"\n- ulimits:\n- nofile:\n- soft: 4096\n- hard: 4096\n- volumes:\n- - \"sentry-kafka:/var/lib/kafka/data\"\n- - \"sentry-kafka-log:/var/lib/kafka/log\"\n- - \"sentry-secrets:/etc/kafka/secrets\"\n- healthcheck:\n- <<: *healthcheck_defaults\n- test: [\"CMD-SHELL\", \"nc -z localhost 9092\"]\n- interval: 10s\n- timeout: 10s\n- retries: 30\n+ kafka: !reset null\n clickhouse:\n <<: *restart_policy\n image: clickhouse-self-hosted-local\n@@ -509,9 +484,8 @@\n read_only: true\n source: ./geoip\n target: /geoip\n+ - ./certificates/kafka:/kafka-certificates:ro\n depends_on:\n- kafka:\n- <<: *depends_on-healthy\n redis:\n <<: *depends_on-healthy\n web:\n@@ -520,8 +494,22 @@\n <<: *restart_policy\n image: \"$TASKBROKER_IMAGE\"\n environment:\n- TASKBROKER_KAFKA_CLUSTER: \"kafka:9092\"\n- TASKBROKER_KAFKA_DEADLETTER_CLUSTER: \"kafka:9092\"\n+ TASKBROKER_KAFKA_CLUSTER: ${KAFKA_BOOTSTRAP_SERVERS:-kafka:9092}\n+ TASKBROKER_KAFKA_SECURITY_PROTOCOL: ${KAFKA_SECURITY_PROTOCOL:-PLAINTEXT}\n+ TASKBROKER_KAFKA_SSL_CA_LOCATION: ${KAFKA_SSL_CA_LOCATION:-}\n+ TASKBROKER_KAFKA_SSL_CERTIFICATE_LOCATION: ${KAFKA_SSL_CERTIFICATE_LOCATION:-}\n+ TASKBROKER_KAFKA_SSL_KEY_LOCATION: ${KAFKA_SSL_KEY_LOCATION:-}\n+ TASKBROKER_KAFKA_SASL_MECHANISM: ${KAFKA_SASL_MECHANISM:-}\n+ TASKBROKER_KAFKA_SASL_USERNAME: ${KAFKA_SASL_USERNAME:-}\n+ TASKBROKER_KAFKA_SASL_PASSWORD: ${KAFKA_SASL_PASSWORD:-}\n+ TASKBROKER_KAFKA_DEADLETTER_CLUSTER: ${KAFKA_BOOTSTRAP_SERVERS:-kafka:9092}\n+ TASKBROKER_KAFKA_DEADLETTER_SECURITY_PROTOCOL: ${KAFKA_SECURITY_PROTOCOL:-PLAINTEXT}\n+ TASKBROKER_KAFKA_DEADLETTER_SSL_CA_LOCATION: ${KAFKA_SSL_CA_LOCATION:-}\n+ TASKBROKER_KAFKA_DEADLETTER_SSL_CERTIFICATE_LOCATION: ${KAFKA_SSL_CERTIFICATE_LOCATION:-}\n+ TASKBROKER_KAFKA_DEADLETTER_SSL_KEY_LOCATION: ${KAFKA_SSL_KEY_LOCATION:-}\n+ TASKBROKER_KAFKA_DEADLETTER_SASL_MECHANISM: ${KAFKA_SASL_MECHANISM:-}\n+ TASKBROKER_KAFKA_DEADLETTER_SASL_USERNAME: ${KAFKA_SASL_USERNAME:-}\n+ TASKBROKER_KAFKA_DEADLETTER_SASL_PASSWORD: ${KAFKA_SASL_PASSWORD:-}\n TASKBROKER_DB_PATH: \"/opt/sqlite/taskbroker-activations.sqlite\"\n volumes:\n - sentry-taskbroker:/opt/sqlite\n@@ -538,15 +526,21 @@\n <<: *restart_policy\n image: \"$VROOM_IMAGE\"\n environment:\n- SENTRY_KAFKA_BROKERS_PROFILING: \"kafka:9092\"\n- SENTRY_KAFKA_BROKERS_OCCURRENCES: \"kafka:9092\"\n+ SENTRY_KAFKA_BROKERS_PROFILING: ${KAFKA_BOOTSTRAP_SERVERS:-kafka:9092}\n+ SENTRY_KAFKA_BROKERS_OCCURRENCES: ${KAFKA_BOOTSTRAP_SERVERS:-kafka:9092}\n+ SENTRY_KAFKA_BROKERS_SPANS: ${KAFKA_BOOTSTRAP_SERVERS:-kafka:9092}\n+ SENTRY_KAFKA_SECURITY_PROTOCOL: ${KAFKA_SECURITY_PROTOCOL:-PLAINTEXT}\n+ SENTRY_KAFKA_SSL_CA_PATH: ${KAFKA_SSL_CA_LOCATION:-}\n+ SENTRY_KAFKA_SSL_CERT_PATH: ${KAFKA_SSL_CERTIFICATE_LOCATION:-}\n+ SENTRY_KAFKA_SSL_KEY_PATH: ${KAFKA_SSL_KEY_LOCATION:-}\n+ SENTRY_KAFKA_SASL_MECHANISM: ${KAFKA_SASL_MECHANISM:-}\n+ SENTRY_KAFKA_SASL_USERNAME: ${KAFKA_SASL_USERNAME:-}\n+ SENTRY_KAFKA_SASL_PASSWORD: ${KAFKA_SASL_PASSWORD:-}\n SENTRY_BUCKET_PROFILES: file:///var/vroom/sentry-profiles\n SENTRY_SNUBA_HOST: \"http://snuba-api:1218\"\n volumes:\n - sentry-vroom:/var/vroom/sentry-profiles\n- depends_on:\n- kafka:\n- <<: *depends_on-healthy\n+ - ./certificates/kafka:/kafka-certificates:ro\n profiles:\n - feature-complete\n vroom-cleanup:\n@@ -571,7 +565,14 @@\n image: \"$UPTIME_CHECKER_IMAGE\"\n command: run\n environment:\n- UPTIME_CHECKER_RESULTS_KAFKA_CLUSTER: kafka:9092\n+ UPTIME_CHECKER_RESULTS_KAFKA_CLUSTER: ${KAFKA_BOOTSTRAP_SERVERS:-kafka:9092}\n+ UPTIME_CHECKER_KAFKA_SECURITY_PROTOCOL: ${KAFKA_SECURITY_PROTOCOL:-PLAINTEXT}\n+ UPTIME_CHECKER_KAFKA_SSL_CA_LOCATION: ${KAFKA_SSL_CA_LOCATION:-}\n+ UPTIME_CHECKER_KAFKA_SSL_CERT_LOCATION: ${KAFKA_SSL_CERTIFICATE_LOCATION:-}\n+ UPTIME_CHECKER_KAFKA_SSL_KEY_LOCATION: ${KAFKA_SSL_KEY_LOCATION:-}\n+ UPTIME_CHECKER_KAFKA_SASL_MECHANISM: ${KAFKA_SASL_MECHANISM:-}\n+ UPTIME_CHECKER_KAFKA_SASL_USERNAME: ${KAFKA_SASL_USERNAME:-}\n+ UPTIME_CHECKER_KAFKA_SASL_PASSWORD: ${KAFKA_SASL_PASSWORD:-}\n UPTIME_CHECKER_REDIS_HOST: redis://redis:6379\n # Set to `true` will allow uptime checks against private IP addresses\n UPTIME_CHECKER_ALLOW_INTERNAL_IPS: \"false\"\n@@ -582,8 +583,6 @@\n # resolver.\n #UPTIME_CHECKER_HTTP_CHECKER_DNS_NAMESERVERS: \"8.8.8.8,8.8.4.4\"\n depends_on:\n- kafka:\n- <<: *depends_on-healthy\n redis:\n <<: *depends_on-healthy\n profiles:\n@@ -597,8 +596,6 @@\n external: true\n sentry-redis:\n external: true\n- sentry-kafka:\n- external: true\n sentry-clickhouse:\n external: true\n sentry-symbolicator:\n" }, { "path": "optional-modifications/patches/external-kafka/sentry.conf.example.py.patch", "content": "--- sentry/sentry.conf.example.py\t2025-05-15 08:27:40.427876868 +0700\n+++ sentry/sentry.conf.example.external-kafka.py\t2025-05-15 08:32:44.845127931 +0700\n@@ -132,9 +132,17 @@\n SENTRY_CACHE = \"sentry.cache.redis.RedisCache\"\n \n DEFAULT_KAFKA_OPTIONS = {\n- \"bootstrap.servers\": \"kafka:9092\",\n+ \"bootstrap.servers\": env(\"KAFKA_BOOTSTRAP_SERVERS\", \"kafka:9092\"),\n \"message.max.bytes\": 50000000,\n \"socket.timeout.ms\": 1000,\n+ \"security.protocol\": env(\"KAFKA_SECURITY_PROTOCOL\", \"PLAINTEXT\"), # Valid options are PLAINTEXT, SSL, SASL_PLAINTEXT, SASL_SSL\n+ # If you don't use any of these options below, you can remove them or set them to `None`.\n+ \"sasl.mechanism\": env(\"KAFKA_SASL_MECHANISM\", None), # Valid options are PLAIN, SCRAM-SHA-256, SCRAM-SHA-512. Other mechanism might be unavailable.\n+ \"sasl.username\": env(\"KAFKA_SASL_USERNAME\", None),\n+ \"sasl.password\": env(\"KAFKA_SASL_PASSWORD\", None),\n+ \"ssl.ca.location\": env(\"KAFKA_SSL_CA_LOCATION\", None), # Remove this line if SSL is not used.\n+ \"ssl.certificate.location\": env(\"KAFKA_SSL_CERTIFICATE_LOCATION\", None), # Remove this line if SSL is not used.\n+ \"ssl.key.location\": env(\"KAFKA_SSL_KEY_LOCATION\", None), # Remove this line if SSL is not used.\n }\n \n SENTRY_EVENTSTREAM = \"sentry.eventstream.kafka.KafkaEventStream\"\n" }, { "path": "pyproject.toml", "content": "[project]\nname = \"sentry-self-hosted\"\nversion = \"0.1.0\"\ndescription = \"Sentry, feature-complete and packaged up for low-volume deployments and proofs-of-concept.\"\nreadme = \"README.md\"\nrequires-python = \">=3.11\"\ndependencies = []\n\n[dependency-groups]\ndev = [\n \"beautifulsoup4>=4.7.1\",\n \"cryptography>=43.0.3\",\n \"httpx>=0.25.2\",\n \"pytest>=8.0.0\",\n \"pytest-cov>=4.1.0\",\n \"pytest-rerunfailures>=11.0\",\n \"pytest-sentry>=0.1.11\",\n \"sentry-sdk>=2.4.0,<3.0.0\",\n]\n" }, { "path": "redis.conf", "content": "# redis.conf\n\n# The 'maxmemory' directive controls the maximum amount of memory Redis is allowed to use.\n# Setting 'maxmemory 0' means there is no limit on memory usage, allowing Redis to use as much\n# memory as the operating system allows. This is suitable for environments where memory\n# constraints are not a concern.\n#\n# Alternatively, you can specify a limit, such as 'maxmemory 15gb', to restrict Redis to\n# using a maximum of 15 gigabytes of memory.\n#\n# Example:\n# maxmemory 0 # Unlimited memory usage\n# maxmemory 15gb # Limit memory usage to 15 GB\n\nmaxmemory 0\n\n# This setting determines how Redis evicts keys when it reaches the memory limit.\n# `allkeys-lru` evicts the least recently used keys from all keys stored in Redis,\n# allowing frequently accessed data to remain in memory while older data is removed.\n# That said we use `volatile-lru` as Redis is used both as a cache and processing\n# queue in self-hosted Sentry.\n# > The volatile-lru and volatile-random policies are mainly useful when you want to\n# > use a single Redis instance for both caching and for a set of persistent keys.\n# > However, you should consider running two separate Redis instances in a case like\n# > this, if possible.\n\nmaxmemory-policy volatile-lru\n" }, { "path": "relay/config.example.yml", "content": "relay:\n upstream: \"http://web:9000/\"\n host: 0.0.0.0\n port: 3000\nlogging:\n level: WARN\nprocessing:\n enabled: true\n kafka_config:\n - {name: \"bootstrap.servers\", value: \"kafka:9092\"}\n - {name: \"message.max.bytes\", value: 50000000} # 50MB\n redis: redis://redis:6379\n geoip_path: \"/geoip/GeoLite2-City.mmdb\"\n\n# In some cases, relay might fail to find out the actual machine memory\n# therefore it makes the healthcheck fail and events can't be submitted.\n# See https://github.com/getsentry/self-hosted/issues/3330 for more details.\n# As a workaround, uncomment the following `health` and `spool` sections:\n#\n# health:\n# max_memory_percent: 1.0\n# spool:\n# envelopes:\n# path: \"/tmp/relay-spool-envelopes\"\n# max_backpressure_memory_percent: 1.0\n\n# If you have statsd server, you can utilize that to monitor self-hosted Relay.\n# To start, uncomment the following `metrics` section and adjust the options as needed.\n#\nmetrics:\n statsd: \"${RELAY_STATSD_ADDR}\"\n prefix: \"sentry.relay\" # Adjust this to your needs, default is \"sentry.relay\"\n# sample_rate: 1.0 # Adjust this to your needs, default is 1.0\n# # `periodic_secs` is the interval for periodic metrics emitted from Relay.\n# # Setting it to `0` seconds disables the periodic metrics.\n# periodic_secs: 5\n" }, { "path": "scripts/_lib.sh", "content": "#!/usr/bin/env bash\n\nset -eEuo pipefail\n\nif [ -n \"${DEBUG:-}\" ]; then\n set -x\nfi\n\nfunction confirm() {\n read -r -p \"$1 [y/n] \" confirmation\n if [ \"$confirmation\" != \"y\" ]; then\n echo \"Canceled. 😅\"\n exit\n fi\n}\n\n# The purpose of this script is to make it easy to reset a local self-hosted\n# install to a clean state, optionally targeting a particular version.\n\nfunction reset() {\n # If we have a version given, validate it.\n # ----------------------------------------\n # Note that arbitrary git refs won't work, because the *_IMAGE variables in\n # .env will almost certainly point to :latest. Tagged releases are generally\n # the only refs where these component versions are pinned, so enforce that\n # we're targeting a valid tag here. Do this early in order to fail fast.\n if [ -n \"$version\" ]; then\n set +e\n if ! git rev-parse --verify --quiet \"refs/tags/$version\" >/dev/null; then\n echo \"Bad version: $version\"\n exit\n fi\n set -e\n fi\n\n # Make sure they mean it.\n if [ \"${FORCE_CLEAN:-}\" == \"1\" ]; then\n echo \"☠️ Seeing FORCE=1, forcing cleanup.\"\n echo\n else\n confirm \"☠️ Warning! 😳 This is highly destructive! 😱 Are you sure you wish to proceed?\"\n echo \"Okay ... good luck! 😰\"\n fi\n\n # assert that commands are defined\n : \"${dc:?}\" \"${cmd:?}\"\n\n # Hit the reset button.\n $dc down --volumes --remove-orphans --rmi local\n\n # Remove any remaining (likely external) volumes with name matching 'sentry-.*'.\n for volume in $(docker volume list --format '{{ .Name }}' | grep '^sentry-'); do\n docker volume remove \"$volume\" >/dev/null &&\n echo \"Removed volume: $volume\" ||\n echo \"Skipped volume: $volume\"\n done\n\n # If we have a version given, switch to it.\n if [ -n \"$version\" ]; then\n git checkout \"$version\"\n fi\n}\n\nfunction backup() {\n local type\n\n type=${1:-\"global\"}\n touch \"${PWD}/sentry/backup.json\"\n chmod 666 \"${PWD}/sentry/backup.json\"\n $dc run -v \"${PWD}/sentry:/sentry-data/backup\" --rm -T -e SENTRY_LOG_LEVEL=CRITICAL web export \"$type\" /sentry-data/backup/backup.json\n}\n\nfunction restore() {\n local type\n\n type=\"${1:-global}\"\n $dc run --rm -T web import \"$type\" /etc/sentry/backup.json\n}\n\n# Needed variables to source error-handling script\nexport STOP_TIMEOUT=60\n\n# Save logs in order to send envelope to Sentry\nlog_file=\"sentry_${cmd%% *}_log-$(date +%Y-%m-%d_%H-%M-%S).txt\"\nexec &> >(tee -a \"$log_file\")\nversion=\"\"\n\n# Source files needed to set up error-handling\nsource install/_lib.sh\nsource install/dc-detect-version.sh\nsource install/detect-platform.sh\nsource install/error-handling.sh\ntrap_with_arg cleanup ERR INT TERM EXIT\n" }, { "path": "scripts/backup.sh", "content": "#!/usr/bin/env bash\nMINIMIZE_DOWNTIME=\"${MINIMIZE_DOWNTIME:-}\"\nREPORT_SELF_HOSTED_ISSUES=\"${REPORT_SELF_HOSTED_ISSUES:-}\"\n\nwhile (($#)); do\n case \"$1\" in\n --report-self-hosted-issues) REPORT_SELF_HOSTED_ISSUES=1 ;;\n --no-report-self-hosted-issues) REPORT_SELF_HOSTED_ISSUES=0 ;;\n --minimize-downtime) MINIMIZE_DOWNTIME=1 ;;\n *) version=$1 ;;\n esac\n shift\ndone\n\ncmd=\"backup $1\"\nsource scripts/_lib.sh\n$cmd\n" }, { "path": "scripts/bump-version.sh", "content": "#!/usr/bin/env bash\nset -eu\n\n# Craft passes versions via env vars (preferred) with positional args as fallback\n# for manual invocation (e.g. post-release.sh calls this with positional args).\nOLD_VERSION=\"${CRAFT_OLD_VERSION:-${1:-}}\"\nNEW_VERSION=\"${CRAFT_NEW_VERSION:-${2:-}}\"\n\nsed -i -e \"s/^\\(SENTRY\\|SNUBA\\|RELAY\\|SYMBOLICATOR\\|TASKBROKER\\|VROOM\\|UPTIME_CHECKER\\)_IMAGE=\\([^:]\\+\\):.\\+\\$/\\1_IMAGE=\\2:$NEW_VERSION/\" .env\nsed -i -e \"s/^# Self-Hosted Sentry.*/# Self-Hosted Sentry $NEW_VERSION/\" README.md\n\n[ -z \"$OLD_VERSION\" ] || echo \"Previous version: $OLD_VERSION\"\necho \"New version: $NEW_VERSION\"\n" }, { "path": "scripts/post-release.sh", "content": "#!/usr/bin/env bash\nset -eu\n\n# Bring master back to nightlies after merge from release branch\ngit checkout master && git pull --rebase\n./scripts/bump-version.sh '' 'nightly'\ngit diff --quiet || git commit -anm $'build: Set master version to nightly\\n\\n#skip-changelog' && git pull --rebase && git push\n" }, { "path": "scripts/reset.sh", "content": "#!/usr/bin/env bash\nMINIMIZE_DOWNTIME=\"${MINIMIZE_DOWNTIME:-}\"\nREPORT_SELF_HOSTED_ISSUES=\"${REPORT_SELF_HOSTED_ISSUES:-}\"\n\nwhile (($#)); do\n case \"$1\" in\n --report-self-hosted-issues) REPORT_SELF_HOSTED_ISSUES=1 ;;\n --no-report-self-hosted-issues) REPORT_SELF_HOSTED_ISSUES=0 ;;\n --minimize-downtime) MINIMIZE_DOWNTIME=1 ;;\n *) version=$1 ;;\n esac\n shift\ndone\n\ncmd=reset\nsource scripts/_lib.sh\n$cmd\n" }, { "path": "scripts/restore.sh", "content": "#!/usr/bin/env bash\nMINIMIZE_DOWNTIME=\"${MINIMIZE_DOWNTIME:-}\"\nREPORT_SELF_HOSTED_ISSUES=\"${REPORT_SELF_HOSTED_ISSUES:-}\"\n\nwhile (($#)); do\n case \"$1\" in\n --report-self-hosted-issues) REPORT_SELF_HOSTED_ISSUES=1 ;;\n --no-report-self-hosted-issues) REPORT_SELF_HOSTED_ISSUES=0 ;;\n --minimize-downtime) MINIMIZE_DOWNTIME=1 ;;\n *) version=$1 ;;\n esac\n shift\ndone\n\ncmd=\"restore $1\"\nsource scripts/_lib.sh\n\n$cmd\n" }, { "path": "sentry/Dockerfile", "content": "ARG SENTRY_IMAGE\nFROM ${SENTRY_IMAGE}\n\nRUN pip install https://github.com/getsentry/sentry-nodestore-s3/archive/main.zip\n\nCOPY . /usr/src/sentry\n\nRUN if [ -s /usr/src/sentry/enhance-image.sh ]; then \\\n /usr/src/sentry/enhance-image.sh; \\\n fi\n\nRUN if [ -s /usr/src/sentry/requirements.txt ]; then \\\n echo \"sentry/requirements.txt is deprecated, use sentry/enhance-image.sh - see https://develop.sentry.dev/self-hosted/#enhance-sentry-image\"; \\\n pip install -r /usr/src/sentry/requirements.txt; \\\n fi\n" }, { "path": "sentry/config.example.yml", "content": "# While a lot of configuration in Sentry can be changed via the UI, for all\n# new-style config (as of 8.0) you can also declare values here in this file\n# to enforce defaults or to ensure they cannot be changed via the UI. For more\n# information see the Sentry documentation.\n\n###############\n# Mail Server #\n###############\n\n# mail.backend: 'smtp' # Use dummy if you want to disable email entirely\nmail.host: 'smtp'\n# mail.port: 25\n# mail.username: ''\n# mail.password: ''\n# NOTE: `mail.use-tls` and `mail.use-ssl` are mutually exclusive and should not\n# appear at the same time. Only uncomment one of them.\n# mail.use-tls: false\n# mail.use-ssl: false\n\n# NOTE: The following 2 configs (mail.from and mail.list-namespace) are set\n# through SENTRY_MAIL_HOST in sentry.conf.py so remove those first if\n# you want your values in this file to be effective!\n\n# The email address to send on behalf of\n# mail.from: 'root@localhost' or ...\n# mail.from: 'System Administrator '\n\n# The mailing list namespace for emails sent by this Sentry server.\n# This should be a domain you own (often the same domain as the domain\n# part of the `mail.from` configuration parameter value) or `localhost`.\n# mail.list-namespace: 'localhost'\n\n# If you'd like to configure email replies, enable this.\n# mail.enable-replies: true\n\n# When email-replies are enabled, this value is used in the Reply-To header\n# mail.reply-hostname: ''\n\n# If you're using mailgun for inbound mail, set your API key and configure a\n# route to forward to /api/hooks/mailgun/inbound/\n# Also don't forget to set `mail.enable-replies: true` above.\n# mail.mailgun-api-key: ''\n\n###################\n# System Settings #\n###################\n\n# This is the main URL prefix where Sentry can be accessed.\n# Sentry will use this to create links to its different parts of the web UI.\n# This is most helpful if you are using an external reverse proxy.\n# system.url-prefix: https://example.sentry.com\n\n# Most of the time, this should NOT be changed. It's used for communication\n# between containers. `web` is the container's name, and `9000` is the\n# default port opened by the Sentry backend (this is NOT the public port).\n#\n# If you want to change the publicly exposed domain or port, you should change\n# `system.url-prefix` above instead, along with `SENTRY_BIND` in `.env` file.\n# Also see https://develop.sentry.dev/self-hosted/#productionalizing.\nsystem.internal-url-prefix: 'http://web:9000'\n\n# If this file ever becomes compromised, it's important to generate a new key.\n# Changing this value will result in all current sessions being invalidated.\n# A new key can be generated with `$ sentry config generate-secret-key`\n#\n# If you are using SENTRY_SYSTEM_SECRET_KEY that is being set on your `.env` or `.env.custom` file,\n# you should remove this line below as it won't be used anyway.\nsystem.secret-key: '!!changeme!!'\n\n# The ``redis.clusters`` setting is used, unsurprisingly, to configure Redis\n# clusters. These clusters can be then referred to by name when configuring\n# backends such as the cache, digests, or TSDB backend.\n# redis.clusters:\n# default:\n# hosts:\n# 0:\n# host: 127.0.0.1\n# port: 6379\n\n################\n# File storage #\n################\n\n# Uploaded media uses these `filestore` settings. The available\n# backends are either `filesystem` or `s3`.\n\nfilestore.backend: 'filesystem'\nfilestore.options:\n location: '/data/files'\ndsym.cache-path: '/data/dsym-cache'\nreleasefile.cache-path: '/data/releasefile-cache'\n\n# filestore.backend: 's3'\n# filestore.options:\n# access_key: 'AKIXXXXXX'\n# secret_key: 'XXXXXXX'\n# bucket_name: 's3-bucket-name'\n\nfilestore.profiles-backend: 's3'\nfilestore.profiles-options:\n bucket_acl: \"private\"\n default_acl: \"private\"\n access_key: \"sentry\"\n secret_key: \"sentry\"\n bucket_name: \"profiles\"\n region_name: \"us-east-1\"\n endpoint_url: \"http://seaweedfs:8333\"\n addressing_style: \"path\"\n signature_version: \"s3v4\"\n\nsymbolicator.enabled: true\nsymbolicator.options:\n url: \"http://symbolicator:3021\"\n\ntransaction-events.force-disable-internal-project: true\n\n######################\n# GitHub Integration #\n######################\n\n# Refer to https://develop.sentry.dev/integrations/github/ for setup instructions.\n\n# github-login.extended-permissions: ['repo']\n# github-app.id: GITHUB_APP_ID\n# github-app.name: 'GITHUB_APP_NAME'\n# github-app.webhook-secret: 'GITHUB_WEBHOOK_SECRET' # Use only if configured in GitHub\n# github-app.client-id: 'GITHUB_CLIENT_ID'\n# github-app.client-secret: 'GITHUB_CLIENT_SECRET'\n# github-app.private-key: |\n# -----BEGIN RSA PRIVATE KEY-----\n# privatekeyprivatekeyprivatekeyprivatekey\n# privatekeyprivatekeyprivatekeyprivatekey\n# privatekeyprivatekeyprivatekeyprivatekey\n# privatekeyprivatekeyprivatekeyprivatekey\n# privatekeyprivatekeyprivatekeyprivatekey\n# -----END RSA PRIVATE KEY-----\n\n#####################\n# Slack Integration #\n#####################\n\n# Refer to https://develop.sentry.dev/integrations/slack/ for setup instructions.\n\n# slack.client-id: <'client id'>\n# slack.client-secret: \n# slack.signing-secret: \n## If legacy-app is True use verification-token instead of signing-secret\n# slack.verification-token: \n\n\n#######################\n# Discord Integration #\n#######################\n\n# Refer to https://develop.sentry.dev/integrations/discord/\n\n# discord.application-id: \"\"\n# discord.public-key: \"\"\n# discord.client-secret: \"\"\n# discord.bot-token: \"\"\n\n###############\n# Google Auth #\n###############\n\n# Refer to https://develop.sentry.dev/self-hosted/sso/#google-auth\n\n# auth-google.client-id: \"\"\n# auth-google.client-secret: \"\"\n" }, { "path": "sentry/enhance-image.example.sh", "content": "#!/bin/bash\nset -euo pipefail\n\n# Enhance the base $SENTRY_IMAGE with additional dependencies, plugins - see https://develop.sentry.dev/self-hosted/#enhance-sentry-image\n# For example:\n# apt-get update\n# apt-get install -y gcc libsasl2-dev libldap2-dev libssl-dev\n# pip install python-ldap\n" }, { "path": "sentry/entrypoint.sh", "content": "#!/bin/bash\nset -e\n\nif [ \"$(ls -A /usr/local/share/ca-certificates/)\" ]; then\n update-ca-certificates\nfi\n\nif [ -e /etc/sentry/requirements.txt ]; then\n echo \"sentry/requirements.txt is deprecated, use sentry/enhance-image.sh - see https://develop.sentry.dev/self-hosted/#enhance-sentry-image\"\nfi\n\nsource /docker-entrypoint.sh\n" }, { "path": "sentry/requirements.example.txt", "content": "# sentry/requirements.txt is deprecated, use sentry/enhance-image.sh - see https://develop.sentry.dev/self-hosted/#enhance-sentry-image\n" }, { "path": "sentry/sentry.conf.example.py", "content": "# This file is just Python, with a touch of Django which means\n# you can inherit and tweak settings to your hearts content.\n\nfrom sentry.conf.server import * # NOQA\n\nBYTE_MULTIPLIER = 1024\nUNITS = (\"K\", \"M\", \"G\")\n\n\ndef unit_text_to_bytes(text):\n unit = text[-1].upper()\n power = UNITS.index(unit) + 1\n return float(text[:-1]) * (BYTE_MULTIPLIER**power)\n\n\n# Generously adapted from pynetlinux: https://github.com/rlisagor/pynetlinux/blob/e3f16978855c6649685f0c43d4c3fcf768427ae5/pynetlinux/ifconfig.py#L197-L223\ndef get_internal_network():\n import ctypes\n import fcntl\n import math\n import socket\n import struct\n\n iface = b\"eth0\"\n sockfd = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)\n ifreq = struct.pack(b\"16sH14s\", iface, socket.AF_INET, b\"\\x00\" * 14)\n\n try:\n ip = struct.unpack(\n b\"!I\", struct.unpack(b\"16sH2x4s8x\", fcntl.ioctl(sockfd, 0x8915, ifreq))[2]\n )[0]\n netmask = socket.ntohl(\n struct.unpack(b\"16sH2xI8x\", fcntl.ioctl(sockfd, 0x891B, ifreq))[2]\n )\n except IOError:\n return ()\n base = socket.inet_ntoa(struct.pack(b\"!I\", ip & netmask))\n netmask_bits = 32 - int(round(math.log(ctypes.c_uint32(~netmask).value + 1, 2), 1))\n return \"{0:s}/{1:d}\".format(base, netmask_bits)\n\n\nINTERNAL_SYSTEM_IPS = (get_internal_network(),)\n\n\nDATABASES = {\n \"default\": {\n \"ENGINE\": \"sentry.db.postgres\",\n \"NAME\": \"postgres\",\n \"USER\": \"postgres\",\n \"PASSWORD\": \"\",\n \"HOST\": \"pgbouncer\",\n \"PORT\": \"\",\n }\n}\n\n# If you're expecting any kind of real traffic on Sentry, we highly recommend\n# configuring the CACHES and Redis settings\n\n###########\n# General #\n###########\n\n# Instruct Sentry that this install intends to be run by a single organization\n# and thus various UI optimizations should be enabled.\nSENTRY_SINGLE_ORGANIZATION = True\n\n# Sentry event retention days specifies how long events are retained in the database.\n# This should be set on your `.env` or `.env.custom` file, instead of modifying\n# the value here.\n# NOTE: The longer the days, the more disk space is required.\nSENTRY_OPTIONS[\"system.event-retention-days\"] = int(\n env(\"SENTRY_EVENT_RETENTION_DAYS\", \"90\")\n)\n\n# The secret key is being used for various cryptographic operations, such as\n# generating a CSRF token, session token, and registering Relay instances.\n# The secret key value should be set on your `.env` or `.env.custom` file\n# instead of modifying the value here.\n#\n# If the key ever becomes compromised, it's important to generate a new key.\n# Changing this value will result in all current sessions being invalidated.\n# A new key can be generated with `$ sentry config generate-secret-key`\nif env(\"SENTRY_SYSTEM_SECRET_KEY\"):\n SENTRY_OPTIONS[\"system.secret-key\"] = env(\"SENTRY_SYSTEM_SECRET_KEY\", \"\")\n\n# Self-hosted Sentry infamously has a lot of Docker containers required to make\n# all the features work. Oftentimes, users don't use the full feature set that\n# requires all the containers. This is a way to enable only the error monitoring\n# feature which also reduces the amount of containers required to run Sentry.\n#\n# To make Sentry work with all features, set `COMPOSE_PROFILES` to `feature-complete`\n# in your `.env` file. To enable only the error monitoring feature, set\n# `COMPOSE_PROFILES` to `errors-only`.\n#\n# See https://develop.sentry.dev/self-hosted/optional-features/errors-only/\nSENTRY_SELF_HOSTED_ERRORS_ONLY = env(\"COMPOSE_PROFILES\") != \"feature-complete\"\n\n# When running in an air-gapped environment, set this to True to entirely disable\n# external network calls and features that require Internet connectivity.\n#\n# Setting the value to False while running in an air-gapped environment will\n# cause some containers to raise exceptions. One known example is fetching\n# AI model prices from various public APIs.\nSENTRY_AIR_GAP = False\n\n# As of 25.9.0 (September 2025 release), Sentry enforces tighter restrictions\n# of allowed IP addresses for outgoing requests. This is to prevent\n# accidentally leaking sensitive information to third parties.\n#\n# By default, Sentry will not allow requests to private IP addresses.\n# You can override this by configuring the allowed IP addresses here.\n# Below is the default value, which is a list of IP addresses that are\n# considered \"private\" and \"reserved\".\n#\n# SENTRY_DISALLOWED_IPS: tuple[str, ...] = (\n# # https://en.wikipedia.org/wiki/Reserved_IP_addresses#IPv4\n# \"0.0.0.0/8\",\n# \"10.0.0.0/8\",\n# \"100.64.0.0/10\",\n# \"127.0.0.0/8\",\n# \"169.254.0.0/16\",\n# \"172.16.0.0/12\",\n# \"192.0.0.0/29\",\n# \"192.0.2.0/24\",\n# \"192.88.99.0/24\",\n# \"192.168.0.0/16\",\n# \"198.18.0.0/15\",\n# \"198.51.100.0/24\",\n# \"224.0.0.0/4\",\n# \"240.0.0.0/4\",\n# \"255.255.255.255/32\",\n# # https://en.wikipedia.org/wiki/IPv6#IPv4-mapped_IPv6_addresses\n# # Subnets match the IPv4 subnets above\n# \"::ffff:0:0/104\",\n# \"::ffff:a00:0/104\",\n# \"::ffff:6440:0/106\",\n# \"::ffff:7f00:0/104\",\n# \"::ffff:a9fe:0/112\",\n# \"::ffff:ac10:0/108\",\n# \"::ffff:c000:0/125\",\n# \"::ffff:c000:200/120\",\n# \"::ffff:c058:6300/120\",\n# \"::ffff:c0a8:0/112\",\n# \"::ffff:c612:0/111\",\n# \"::ffff:c633:6400/120\",\n# \"::ffff:e000:0/100\",\n# \"::ffff:f000:0/100\",\n# \"::ffff:ffff:ffff/128\",\n# # https://en.wikipedia.org/wiki/Reserved_IP_addresses#IPv6\n# \"::1/128\",\n# \"::ffff:0:0/96\",\n# \"64:ff9b::/96\",\n# \"64:ff9b:1::/48\",\n# \"100::/64\",\n# \"2001:0000::/32\",\n# \"2001:20::/28\",\n# \"2001:db8::/32\",\n# \"2002::/16\",\n# \"fc00::/7\",\n# \"fe80::/10\",\n# \"ff00::/8\",\n# )\n\n################\n# Node Storage #\n################\n\n# Sentry uses an abstraction layer called \"node storage\" to store raw events.\n# Previously, it used PostgreSQL as the backend, but this didn't scale for\n# high-throughput environments. Read more about this in the documentation:\n# https://develop.sentry.dev/backend/application-domains/nodestore/\n#\n# Through this setting, you can use the provided blob storage or\n# your own S3-compatible API from your infrastructure.\n# Other backend implementations for node storage developed by the community\n# are available in public GitHub repositories.\n\nSENTRY_NODESTORE = \"sentry_nodestore_s3.S3PassthroughDjangoNodeStorage\"\nSENTRY_NODESTORE_OPTIONS = {\n \"compression\": True,\n \"endpoint_url\": \"http://seaweedfs:8333\",\n \"bucket_path\": \"nodestore\",\n \"bucket_name\": \"nodestore\",\n \"region_name\": \"us-east-1\",\n \"aws_access_key_id\": \"sentry\",\n \"aws_secret_access_key\": \"sentry\",\n}\n\n#########\n# Redis #\n#########\n\n# Generic Redis configuration used as defaults for various things including:\n# Buffers, Quotas, TSDB\n\nSENTRY_OPTIONS[\"redis.clusters\"] = {\n \"default\": {\n \"hosts\": {0: {\"host\": \"redis\", \"password\": \"\", \"port\": \"6379\", \"db\": \"0\"}}\n }\n}\n\n#########\n# Cache #\n#########\n\n# Sentry currently utilizes two separate mechanisms. While CACHES is not a\n# requirement, it will optimize several high throughput patterns.\n\nCACHES = {\n \"default\": {\n \"BACKEND\": \"django.core.cache.backends.memcached.PyMemcacheCache\",\n \"LOCATION\": [\"memcached:11211\"],\n \"TIMEOUT\": 3600,\n \"OPTIONS\": {\"ignore_exc\": True},\n }\n}\n\n# A primary cache is required for things such as processing events\nSENTRY_CACHE = \"sentry.cache.redis.RedisCache\"\n\nDEFAULT_KAFKA_OPTIONS = {\n \"bootstrap.servers\": \"kafka:9092\",\n \"message.max.bytes\": 50000000,\n \"socket.timeout.ms\": 1000,\n}\n\nSENTRY_EVENTSTREAM = \"sentry.eventstream.kafka.KafkaEventStream\"\nSENTRY_EVENTSTREAM_OPTIONS = {\"producer_configuration\": DEFAULT_KAFKA_OPTIONS}\n\nKAFKA_CLUSTERS[\"default\"] = DEFAULT_KAFKA_OPTIONS\n\n###############\n# Rate Limits #\n###############\n\n# Rate limits apply to notification handlers and are enforced per-project\n# automatically.\n\nSENTRY_RATELIMITER = \"sentry.ratelimits.redis.RedisRateLimiter\"\n\n##################\n# Update Buffers #\n##################\n\n# Buffers (combined with queueing) act as an intermediate layer between the\n# database and the storage API. They will greatly improve efficiency on large\n# numbers of the same events being sent to the API in a short amount of time.\n# (read: if you send any kind of real data to Sentry, you should enable buffers)\n\nSENTRY_BUFFER = \"sentry.buffer.redis.RedisBuffer\"\n\n##########\n# Quotas #\n##########\n\n# Quotas allow you to rate limit individual projects or the Sentry install as\n# a whole.\n\nSENTRY_QUOTAS = \"sentry.quotas.redis.RedisQuota\"\n\n########\n# TSDB #\n########\n\n# The TSDB is used for building charts as well as making things like per-rate\n# alerts possible.\n\nSENTRY_TSDB = \"sentry.tsdb.redissnuba.RedisSnubaTSDB\"\n\n#########\n# SNUBA #\n#########\n\nSENTRY_SEARCH = \"sentry.search.snuba.EventsDatasetSnubaSearchBackend\"\nSENTRY_SEARCH_OPTIONS = {}\nSENTRY_TAGSTORE_OPTIONS = {}\n\n###########\n# Digests #\n###########\n\n# The digest backend powers notification summaries.\n\nSENTRY_DIGESTS = \"sentry.digests.backends.redis.RedisBackend\"\n\n##############\n# Web Server #\n##############\n\nSENTRY_WEB_HOST = \"0.0.0.0\"\nSENTRY_WEB_PORT = 9000\nSENTRY_WEB_OPTIONS = {\n \"http\": \"%s:%s\" % (SENTRY_WEB_HOST, SENTRY_WEB_PORT),\n \"protocol\": \"uwsgi\",\n # This is needed in order to prevent https://github.com/getsentry/sentry/blob/c6f9660e37fcd9c1bbda8ff4af1dcfd0442f5155/src/sentry/services/http.py#L70\n \"uwsgi-socket\": None,\n \"so-keepalive\": True,\n # Keep this between 15s-75s as that's what Relay supports\n \"http-keepalive\": 15,\n \"http-chunked-input\": True,\n # the number of web workers\n \"workers\": 3,\n \"threads\": 4,\n \"memory-report\": False,\n # The `harakiri` option terminates requests that take longer than the\n # defined amount of time (in seconds) which can help avoid stuck workers\n # caused by GIL issues or deadlocks.\n # Ensure nginx `proxy_read_timeout` configuration (default: 30)\n # on your `nginx.conf` file to be at least 5 seconds longer than this.\n # \"harakiri\": 25,\n # Some stuff so uwsgi will cycle workers sensibly\n \"max-requests\": 100000,\n \"max-requests-delta\": 500,\n \"max-worker-lifetime\": 86400,\n # Duplicate options from sentry default just so we don't get\n # bit by sentry changing a default value that we depend on.\n \"thunder-lock\": True,\n \"log-x-forwarded-for\": False,\n \"buffer-size\": 32768,\n \"limit-post\": 209715200,\n \"disable-logging\": True,\n \"reload-on-rss\": 600,\n \"ignore-sigpipe\": True,\n \"ignore-write-errors\": True,\n \"disable-write-exception\": True,\n}\n\n###########\n# SSL/TLS #\n###########\n\n# If you're using a reverse SSL proxy, you should enable the X-Forwarded-Proto\n# header and enable the settings below\n\n# SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')\n# USE_X_FORWARDED_HOST = True\n# SESSION_COOKIE_SECURE = True\n# CSRF_COOKIE_SECURE = True\n# SOCIAL_AUTH_REDIRECT_IS_HTTPS = True\n\n# End of SSL/TLS settings\n\n########\n# Mail #\n########\n\nSENTRY_OPTIONS[\"mail.list-namespace\"] = env(\"SENTRY_MAIL_HOST\", \"localhost\")\nSENTRY_OPTIONS[\"mail.from\"] = f\"sentry@{SENTRY_OPTIONS['mail.list-namespace']}\"\n\n############\n# Features #\n############\n\n# Sentry uses feature flags to enable certain features. Some features may\n# require additional configuration or containers. To learn more about how\n# Sentry uses feature flags, see https://develop.sentry.dev/backend/application-domains/feature-flags/\n#\n# The features listed here are stable and generally available on SaaS.\n# To enable preview features, see https://develop.sentry.dev/self-hosted/configuration/#enabling-preview-features\n\nSENTRY_FEATURES[\"projects:sample-events\"] = False\nSENTRY_FEATURES.update(\n {\n feature: True\n for feature in (\n \"organizations:discover\",\n \"organizations:global-views\",\n \"organizations:issue-views\",\n \"organizations:incidents\",\n \"organizations:integrations-issue-basic\",\n \"organizations:integrations-issue-sync\",\n \"organizations:invite-members\",\n \"organizations:sso-basic\",\n \"organizations:sso-saml2\",\n \"organizations:advanced-search\",\n \"organizations:issue-platform\",\n \"organizations:monitors\",\n \"organizations:dashboards-mep\",\n \"organizations:mep-rollout-flag\",\n \"organizations:dashboards-rh-widget\",\n \"organizations:dynamic-sampling\",\n \"projects:custom-inbound-filters\",\n \"projects:data-forwarding\",\n \"projects:discard-groups\",\n \"projects:plugins\",\n \"projects:rate-limits\",\n \"projects:servicehooks\",\n )\n # Performance/Tracing/Spans related flags\n + (\n \"organizations:performance-view\",\n \"organizations:span-stats\",\n \"organizations:visibility-explore-view\",\n \"organizations:visibility-explore-range-high\",\n \"organizations:transaction-metrics-extraction\",\n \"organizations:indexed-spans-extraction\",\n \"organizations:insights-entry-points\",\n \"organizations:insights-initial-modules\",\n \"organizations:insights-addon-modules\",\n \"organizations:insights-modules-use-eap\",\n \"organizations:standalone-span-ingestion\",\n \"organizations:starfish-mobile-appstart\",\n \"organizations:on-demand-metrics-extraction\",\n \"projects:span-metrics-extraction\",\n \"projects:span-metrics-extraction-addons\",\n )\n # Session Replay related flags\n + (\n \"organizations:session-replay\",\n )\n # User Feedback related flags\n + (\n \"organizations:user-feedback-ui\",\n )\n # Profiling related flags\n + (\n \"organizations:profiling\",\n \"organizations:profiling-view\",\n )\n # Continuous Profiling related flags\n + (\n \"organizations:continuous-profiling\",\n \"organizations:continuous-profiling-stats\",\n )\n # Uptime Monitoring related flags\n + (\n \"organizations:uptime\",\n \"organizations:uptime-create-issues\",\n )\n # Logs related flags\n + (\n \"organizations:ourlogs-enabled\",\n \"organizations:ourlogs-ingestion\",\n \"organizations:ourlogs-stats\",\n \"organizations:ourlogs-replay-ui\",\n )\n }\n)\n\n#######################\n# MaxMind Integration #\n#######################\n\nGEOIP_PATH_MMDB = \"/geoip/GeoLite2-City.mmdb\"\n\n#########################\n# Bitbucket Integration #\n#########################\n\n# BITBUCKET_CONSUMER_KEY = 'YOUR_BITBUCKET_CONSUMER_KEY'\n# BITBUCKET_CONSUMER_SECRET = 'YOUR_BITBUCKET_CONSUMER_SECRET'\n\n##############################################\n# Content Security Policy settings\n##############################################\n\n# CSP_REPORT_URI = \"https://{your-sentry-installation}/api/{csp-project}/security/?sentry_key={sentry-key}\"\nCSP_REPORT_ONLY = True\n\n# optional extra permissions\n# https://django-csp.readthedocs.io/en/latest/configuration.html\n# CSP_SCRIPT_SRC += [\"example.com\"]\n\n############################\n# Sentry Endpoint Settings #\n############################\n\n# If your Sentry installation has different hostnames for ingestion and web UI,\n# in which your web UI is accessible via private corporate network, yet your\n# ingestion hostname is accessible from the public internet, you can uncomment\n# this following options in order to have the ingestion hostname rendered\n# correctly on the SDK configuration UI.\n#\n# SENTRY_ENDPOINT = \"https://sentry.ingest.example.com\"\n\n#################\n# CSRF Settings #\n#################\n\n# Since version 24.1.0, Sentry migrated to Django 4 which contains stricter CSRF protection.\n# If you are accessing Sentry from multiple domains behind a reverse proxy, you should set\n# this to match your IPs/domains. Ports should be included if you are using custom ports.\n# https://docs.djangoproject.com/en/4.2/ref/settings/#std-setting-CSRF_TRUSTED_ORIGINS\n\n# CSRF_TRUSTED_ORIGINS = [\"https://example.com\", \"http://127.0.0.1:9000\"]\n\n#################\n# JS SDK Loader #\n#################\n\n# Configure Sentry JS SDK bundle URL template for Loader Scripts.\n# Learn more about the Loader Scripts: https://docs.sentry.io/platforms/javascript/install/loader/\n# If you wish to host your own JS SDK bundles, set `SETUP_JS_SDK_ASSETS` environment variable to `1`\n# on your `.env` or `.env.custom` file. Then, replace the value below with your own public URL.\n# For example: \"https://sentry.example.com/js-sdk/%s/bundle%s.min.js\"\n#\n# By default, the previous JS SDK assets version will be pruned during upgrades, if you wish\n# to keep the old assets, set `SETUP_JS_SDK_KEEP_OLD_ASSETS` environment variable to any value on\n# your `.env` or `.env.custom` file. The files should only be a few KBs, and this might be useful\n# if you're using it directly like a CDN instead of using the loader script.\nJS_SDK_LOADER_DEFAULT_SDK_URL = \"https://browser.sentry-cdn.com/%s/bundle%s.min.js\"\n\n#####################\n# Insights Settings #\n#####################\n\n# Since version 24.3.0, Insights features are available on self-hosted. For Requests module,\n# there are scrubbing logic done on Relay to prevent high cardinality of stored HTTP hosts.\n# However in self-hosted scenario, the amount of stored HTTP hosts might be consistent,\n# and you may have allow list of hosts that you want to keep. Uncomment the following line\n# to allow specific hosts. It might be IP addresses or domain names (without `http://` or `https://`).\n\n# SENTRY_OPTIONS[\"relay.span-normalization.allowed_hosts\"] = [\"example.com\", \"192.168.10.1\"]\n\n##############\n# Monitoring #\n##############\n\n# By default, Sentry uses dummy statsd monitoring backend that is a no-op.\n# If you have a statsd server, you can utilize that to monitor self-hosted\n# Sentry for \"sentry\"-related containers.\n#\n# To start, uncomment the following line and adjust the options as needed.\n\nSENTRY_STATSD_ADDR = env(\"SENTRY_STATSD_ADDR\")\nif SENTRY_STATSD_ADDR:\n host, _, port = SENTRY_STATSD_ADDR.partition(\":\")\n port = int(port or 8125)\n SENTRY_METRICS_BACKEND = 'sentry.metrics.statsd.StatsdMetricsBackend'\n SENTRY_METRICS_OPTIONS: dict[str, Any] = {\n 'host': host,\n 'port': port,\n }\n# SENTRY_METRICS_SAMPLE_RATE = 1.0 # Adjust this to your needs, default is 1.0\n# SENTRY_METRICS_PREFIX = \"sentry.\" # Adjust this to your needs, default is \"sentry.\"\n" }, { "path": "sentry-admin.sh", "content": "#!/usr/bin/env bash\n\n# Set the script directory as working directory.\ncd $(dirname $0)\n\n# Detect docker and platform state.\nsource install/_lib.sh\nsource install/dc-detect-version.sh\nsource install/detect-platform.sh\n\n# Define the Docker volume mapping.\nVOLUME_MAPPING=\"${SENTRY_DOCKER_IO_DIR:-$HOME/.sentry/sentry-admin}:/sentry-admin\"\n\n# Custom help text paragraphs\nHELP_TEXT_SUFFIX=\"\nAll file paths are relative to the 'web' docker container, not the host environment. To pass files\nto/from the host system for commands that require it ('execfile', 'export', 'import', etc), you may\nspecify a 'SENTRY_DOCKER_IO_DIR' environment variable to mount a volume for file IO operations into\nthe host filesystem. The default value of 'SENTRY_DOCKER_IO_DIR' points to '~/.sentry/sentry-admin'\non the host filesystem. Commands that write files should write them to the '/sentry-admin' in the\n'web' container (ex: './sentry-admin.sh export global /sentry-admin/my-export.json').\n\"\n\n# Actual invocation that runs the command in the container.\ninvocation() {\n start_service_and_wait_ready postgres\n start_service_and_wait_ready pgbouncer\n start_service_and_wait_ready redis --wait\n $dcr --no-deps -v \"$VOLUME_MAPPING\" -T -e SENTRY_LOG_LEVEL=CRITICAL web \"$@\" 2>&1\n}\n\n# Function to modify lines starting with `Usage: sentry` to say `Usage: ./sentry-admin.sh` instead.\nrename_sentry_bin_in_help_output() {\n local output=\"$1\"\n local help_prefix=\"$2\"\n local usage_seen=false\n\n output=$(invocation \"$@\")\n\n echo -e \"\\n\\n\"\n\n while IFS= read -r line; do\n if [[ $line == \"Usage: sentry\"* ]] && [ \"$usage_seen\" = false ]; then\n echo -e \"\\n\\n\"\n echo \"${line/sentry/./sentry-admin.sh}\"\n echo \"$help_prefix\"\n usage_seen=true\n else\n if [[ $line == \"Options:\"* ]] && [ -n \"$1\" ]; then\n echo \"$help_prefix\"\n fi\n echo \"$line\"\n fi\n done <<<\"$output\"\n}\n\n# Check for the user passing ONLY the '--help' argument - we'll add a special prefix to the output.\nif { [ \"$1\" = \"help\" ] || [ \"$1\" = \"--help\" ]; } && [ \"$#\" -eq 1 ]; then\n rename_sentry_bin_in_help_output \"$(invocation \"$@\")\" \"$HELP_TEXT_SUFFIX\"\n exit 0\nfi\n\n# Check for '--help' in other contexts.\nfor arg in \"$@\"; do\n if [ \"$arg\" = \"--help\" ]; then\n rename_sentry_bin_in_help_output \"$(invocation \"$@\")\"\n exit 0\n fi\ndone\n\n# Help has not been requested - go ahead and execute the command.\necho -e \"\\n\\n\"\ninvocation \"$@\"\n" }, { "path": "symbolicator/config.example.yml", "content": "# See: https://getsentry.github.io/symbolicator/#configuration\ncache_dir: \"/data\"\nbind: \"0.0.0.0:3021\"\nlogging:\n level: \"warn\"\n\nsentry_dsn: null # TODO: Automatically fill this with the internal project DSN\n\n# If you have statsd server, you can utilize that to monitor self-hosted Symbolicator.\nmetrics:\n statsd: \"${SYMBOLICATOR_STATSD_ADDR}\" # It is recommended to use IP address instead of domain name\n prefix: \"sentry.symbolicator\" # Adjust this to your needs, default is \"symbolicator\"\n" }, { "path": "unit-test.sh", "content": "#!/usr/bin/env bash\n\n# The test should not be run by regular users. This should only be run in CI or by developers.\nif [[ \"$CI\" != \"true\" ]]; then\n echo \"This script is intended to be run in CI or by developers only.\"\n exit 1\nfi\n\nexport REPORT_SELF_HOSTED_ISSUES=0 # will be over-ridden in the relevant test\n\nFORCE_CLEAN=1 \"./scripts/reset.sh\"\nfail=0\nfor test_file in _unit-test/*-test.sh; do\n if [ -n \"$1\" ] && [ \"$1\" != \"$test_file\" ]; then\n echo \"🙊 Skipping $test_file ...\"\n continue\n fi\n echo \"🙈 Running $test_file ...\"\n $test_file\n exit_code=$?\n if [ $exit_code != 0 ]; then\n echo fail 👎 with exit code $exit_code\n fail=1\n fi\ndone\n\nexit $fail\n" }, { "path": "workstation/200_download-self-hosted.sh", "content": "#!/bin/bash\nset -eo pipefail\n\n# Create getsentry folder and enter.\nmkdir /home/user/getsentry\ncd /home/user/getsentry\n\n# Pull down sentry and self-hosted.\ngit clone https://github.com/getsentry/sentry.git\ngit clone https://github.com/getsentry/self-hosted.git\ncd self-hosted\n" }, { "path": "workstation/201_install-self-hosted.sh", "content": "#!/bin/bash\n#\n\n# Install self-hosted. Assumed `200_download-self-hosted.sh` has already run.\n./install.sh --skip-commit-check --skip-user-creation --skip-sse42-requirements --no-report-self-hosted-issues\n\n# Apply CSRF override to the newly installed sentry settings.\necho \"CSRF_TRUSTED_ORIGINS = [\\\"https://9000-$WEB_HOST\\\"]\" >>/home/user/getsentry/self-hosted/sentry/sentry.conf.py\n" }, { "path": "workstation/299_setup-completed.sh", "content": "#!/bin/bash\n#\n\n# Add a dot file to the home directory indicating that the setup has been completed successfully.\n# The host-side of the connection will look for this file when polling for completion to indicate to\n# the user that the workstation is ready for use.\n#\n# Works under the assumption that this is the last setup script to run!\necho \"ready_at: $(date -u +\"%Y-%m-%dT%H:%M:%SZ\")\" >/home/user/.sentry.workstation.remote\n" }, { "path": "workstation/README.md", "content": "# Remote Self-Hosted Development on Google Cloud Workstation\n\nThis document specifies how to set up remote workstation development for `self-hosted` using Google\nCloud. While this feature is primarily intended for Sentry developers seeking to develop or test\nchanges to `self-hosted`, in theory anyone with a Google Cloud account and the willingness to incur\nthe associated costs could replicate the setup described here.\n\nThe goal of remote workstations is to provide turn-key instances for developing on `self-hosted`, in\neither postinstall (the `/.install.sh` script has already run) or preinstall (it has not) modes. By\nusing Ubuntu as a base image, we are able to provide a fresh development environment that is very\nsimilar to the Linux-based x86 instances that self-hosted is intended to be deployed to.\n\nSpecifically, the goals of this effort are:\n\n- Create and manage turn-key virtual machines for development in either preinstall or postinstall\n mode quickly and with minimal manual user input.\n- Simulate real `self-hosted` deployment environments as faithfully as possible.\n- Create a smooth developer experience when using VSCode and GitHub.\n\nThe last point is worth emphasizing: this tool is specifically optimized to work well with VSCode\nremote server (for the actual development) and GitHub (for pushing changes). Supporting any other\nworkflows is an explicit ***non-goal*** of this setup.\n\nThe instructions here are for how to setup workstations as an administrator (that is, the person in\ncharge of managing and paying for the entire fleet of workstations). End users are expected to\ncreate, connect to, manage, and shut down workstations as needed via the the `sentry` developer CLI\nusing the `sentry workstations ...` set of commands. For most use cases outside of\nSentry-the-company, the administrator and end user will be the same individual: they'll configure\ntheir Google Cloud projects and billing, and then use them via `sentry workstations ...` commands on\ntheir local machine.\n\n## Configuring Google Cloud\n\nYou'll need to use two Google Cloud services to enable remote `self-hosted` deployment: Google Cloud\nWorkstations to run the actual virtual machines, and the Artifact Registry to store the base images\ndescribed in the adjacent Dockerfiles.\n\nThe rest of this document will assume that you are configuring these services to be used from the\nwest coast of the United States (ie: `us-west1`), but a similar set of processes could be applied\nfor any region supported by Google Cloud.\n\n### Creating an Artifact Registry\n\nYou can create an artifact registry using the Google Cloud Platform UI\n[here](https://console.cloud.google.com/artifacts):\n\n![Create an Artifact Registry](./docs/img/create_artifcat_registry.png)\n\nThe dialog should be straightforward. We'll name our new repository `sentry-workstation-us` and put\nit in `us-west1`, but you could change these to whatever options suit your liking. Leave the\nremaining configurations as they are:\n\n![Create a Repository](./docs/img/create_repository.png)\n\n### Setting up Cloud Workstations\n\nTo use Google Cloud Workstations, you'll need to make at least one workstation cluster, and at least\none configuration therein.\n\nNavigate to the services [control panel](https://console.cloud.google.com/workstations/overview).\nFrom here, you'll need to make one cluster for each region you plan to support. We'll make one for\n`us-west1` in this tutorial, naming it `us-west` for clarity:\n\n![Create a Workstation cluster](./docs/img/create_cluster.png)\n\nNow, create a new configuration for that cluster. There are a few choices to make here:\n\n- Do you want it to be a preinstall (ie, `./install.sh` has not run) or postinstall (it has)\n instance?\n- Do you want to use a small, standard or large resource allocation?\n- How aggressively do you want to auto-sleep and auto-shutdown instances? More aggressive setups\n will save money, but be more annoying for end users.\n\nFor this example, we'll make a `postinstall` instance with a `standard` resource allocation, but you\ncan of course change these as you wish.\n\nOn the first panel, name the instance (we recommend using the convention\n`[INSTALL_KIND]-[SIZE]-[CLUSTER_NAME]`, so this one `postinstall-standard-us-west`) and assign it to\nthe existing cluster:\n\n![Create a config](./docs/img/create_config_1.png)\n\nNext, pick a resource and cost saving configuration that makes sense for you. In our experience, an\nE2 instance is plenty for most day-to-day development work.\n\n![Create a config](./docs/img/create_config_2.png)\n\nOn the third panel, select `Custom container image`, then choose one of your `postinstall` images\n(see below for how to generate these). Assign the default Compute Engine service account to it, then\nchoose to `Create a new empty persistent disk` for it. A balanced 10GB disk should be plenty for\nshorter development stints:\n\n![Create a config](./docs/img/create_config_3.png)\n\nOn the last screen, set the appropriate IAM policy to allow access to the new machine for your\nusers. You should be ready to go!\n\n## Creating and uploading an image artifact\n\nEach Cloud Workstation configuration you create will need to use a Docker image, the `Dockerfile`s\nand scripts for which are found in this directory. There are two kinds of images: `preinstall` (ie,\n`./install.sh` has not run) and `postinstall` (it has). To proceed, you'll need to install the\n`gcloud` and `docker` CLI, then login to both and set your project as the default:\n\n```shell\n$> export GCP_PROJECT_ID=my-gcp-project # Obviously, your project is likely to have another name.\n$> gcloud auth application-default login\n$> gcloud config set project $GCP_PROJECT_ID\n$> gcloud auth print-access-token | docker login -u oauth2accesstoken --password-stdin https://us-docker.pkg.dev\n```\n\nNext, you'll set some useful variables for this session (note: the code below assumes we are pushing\nto the `sentry-workstation-us` repository defined above):\n\n```shell\n$> export GROUP=sentry-workstation # Pick whatever name you like here.\n$> export REGION=us # Name your regions as you see fit - these are not tied to GCP definitions.\n$> export PHASE=pre # Use `pre` for preinstall, `post` for postinstall.\n$> export REPO=${GROUP}-${REGION}\n$> export IMAGE_TAG=${GROUP}/${PHASE}install:latest\n$> export IMAGE_URL=us-docker.pkg.dev/${GCP_PROJECT_ID}/${REPO}/${GROUP}/${PHASE}install:latest\n```\n\nNow, build the docker image of your choosing:\n\n```shell\n$> docker build -t ${IMAGE_TAG} -f ./${PHASE}install/Dockerfile .\n$> docker image ls | grep \"${GROUP}/${PHASE}install\"\n```\n\nFinally, upload it to the Google Cloud Artifact Registry repository of interest:\n\n```shell\n$> docker tag ${IMAGE_TAG} ${IMAGE_URL}\n$> docker push ${IMAGE_URL}\n```\n\n## Creating and connecting to a workstation\n\nOnce the Google Cloud services are configured and the docker images uploaded per the instructions\nabove, end users should be able to list the configurations available to them using `sentry\nworkstations config`:\n\n```shell\n$> sentry workstations configs --project=$GCP_PROJECT_ID\n\nNAME CLUSTER REGION MACHINE TYPE\npostinstall-standard-us-west us-west us-west1 e2-standard-4\npostinstall-large-us-west us-west us-west1 e2-standard-8\npreinstall-standard-us-west us-west us-west1 e2-standard-4\npreinstall-large-us-west us-west us-west1 e2-standard-8\n```\n\nThey will then be able to create a new workstation using the `sentry workstations create` command,\nconnect to an existing one using `sentry workstations connect`, and use similar `sentry workstations\n...` commands to disconnect from and destroy workstations, as well as to check the status of their\nactive connections. The `create` and `connect` commands will provide further instructions in-band on\nhow to connect a their local VSCode to the remote server, use SSH to connect to the terminal\ndirectly, add a GitHub access token, or access their running `self-hosted` instance via a web\nbrowser.\n" }, { "path": "workstation/commands.sh", "content": "sudo wget -qO- https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor >packages.microsoft.gpg\nsudo install -D -o root -g root -m 644 packages.microsoft.gpg /etc/apt/keyrings/packages.microsoft.gpg\nsudo sh -c 'echo \"deb [arch=amd64,arm64,armhf signed-by=/etc/apt/keyrings/packages.microsoft.gpg] https://packages.microsoft.com/repos/code stable main\" > /etc/apt/sources.list.d/vscode.list'\nsudo rm -f packages.microsoft.gpg\n" }, { "path": "workstation/postinstall/Dockerfile", "content": "# Use a predefined image with no out-of-the-box IDE set up.\nFROM us-west1-docker.pkg.dev/cloud-workstations-images/predefined/base:latest\n\n# Modifications to the `/home` directory must take place outside of the Dockerfile. Add a startup\n# script to handle the cloning of the `sentry` and `self-hosted` repositories.\nCOPY 200_download-self-hosted.sh /etc/workstation-startup.d/\nCOPY 201_install-self-hosted.sh /etc/workstation-startup.d/\nCOPY 299_setup-completed.sh /etc/workstation-startup.d/\n\nRUN chmod -R +x /etc/workstation-startup.d\n\n# Avoid prompts from apt by setting it to non-interactive.\nENV DEBIAN_FRONTEND=noninteractive\n\n# Install VSCode and the GitHub CLI.\nRUN wget -qO- https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor > vscode.gpg \\\n && install -D -o root -g root -m 644 vscode.gpg /etc/apt/keyrings/vscode.gpg \\\n && sh -c 'echo \"deb [arch=amd64,arm64,armhf signed-by=/etc/apt/keyrings/vscode.gpg] https://packages.microsoft.com/repos/code stable main\" > /etc/apt/sources.list.d/vscode.list' \\\n && rm -f vscode.gpg \\\n && apt-get update \\\n && apt-get install -y code \\\n && apt-get install -y curl \\\n && curl -fsSL https://cli.github.com/packages/githubcli-archive-keyring.gpg | dd of=/usr/share/keyrings/gh.gpg \\\n && chmod go+r /usr/share/keyrings/gh.gpg \\\n && echo \"deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/gh.gpg] https://cli.github.com/packages stable main\" > /etc/apt/sources.list.d/github-cli.list \\\n && rm -f gh.gpg \\\n && apt-get update \\\n && apt-get install -y gh \\\n && rm -rf /var/lib/apt/lists/*\n\n# Reset the DEBIAN_FRONTEND environment variable.\nENV DEBIAN_FRONTEND=\n" }, { "path": "workstation/preinstall/Dockerfile", "content": "# Use a predefined image with no out-of-the-box IDE set up.\nFROM us-west1-docker.pkg.dev/cloud-workstations-images/predefined/base:latest\n\n# Modifications to the `/home` directory must take place outside of the Dockerfile. Add a startup\n# script to handle the cloning of the `sentry` and `self-hosted` repositories.\nCOPY 200_download-self-hosted.sh /etc/workstation-startup.d/\nCOPY 299_setup-completed.sh /etc/workstation-startup.d/\n\nRUN chmod -R +x /etc/workstation-startup.d\n\n# Avoid prompts from apt by setting it to non-interactive.\nENV DEBIAN_FRONTEND=noninteractive\n\n# Install VSCode and the GitHub CLI.\nRUN wget -qO- https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor > vscode.gpg \\\n && install -D -o root -g root -m 644 vscode.gpg /etc/apt/keyrings/vscode.gpg \\\n && sh -c 'echo \"deb [arch=amd64,arm64,armhf signed-by=/etc/apt/keyrings/vscode.gpg] https://packages.microsoft.com/repos/code stable main\" > /etc/apt/sources.list.d/vscode.list' \\\n && rm -f vscode.gpg \\\n && apt-get update \\\n && apt-get install -y code \\\n && apt-get install -y curl \\\n && curl -fsSL https://cli.github.com/packages/githubcli-archive-keyring.gpg | dd of=/usr/share/keyrings/gh.gpg \\\n && chmod go+r /usr/share/keyrings/gh.gpg \\\n && echo \"deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/gh.gpg] https://cli.github.com/packages stable main\" > /etc/apt/sources.list.d/github-cli.list \\\n && rm -f gh.gpg \\\n && apt-get update \\\n && apt-get install -y gh \\\n && rm -rf /var/lib/apt/lists/*\n\n# Reset the DEBIAN_FRONTEND environment variable.\nENV DEBIAN_FRONTEND=\n" } ]