{"id":25804709,"url":"https://github.com/carverauto/serviceradar","last_synced_at":"2026-04-01T17:39:21.168Z","repository":{"id":272341108,"uuid":"916252207","full_name":"carverauto/serviceradar","owner":"carverauto","description":"Zero-trust Opensource Network Management and Observability Platform","archived":false,"fork":false,"pushed_at":"2026-03-28T18:00:13.000Z","size":338832,"stargazers_count":848,"open_issues_count":205,"forks_count":63,"subscribers_count":7,"default_branch":"staging","last_synced_at":"2026-03-28T19:23:06.146Z","etag":null,"topics":["armis","causal-discovery","causal-inference","deck-gl","erts","homelab","monitoring-tool","netbox","network-monitoring-tool","network-scanning","observability","ocsf","ocsf-schema","otel","ubiquiti","wasi","wasm","wazero","zero-trust"],"latest_commit_sha":null,"homepage":"http://docs.serviceradar.cloud/","language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/carverauto.png","metadata":{"files":{"readme":"README-Docker.md","changelog":"CHANGELOG","contributing":"CONTRIBUTING.md","funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":"CODEOWNERS","security":"SECURITY.md","support":"SUPPORT.md","governance":"GOVERNANCE.md","roadmap":"ROADMAP.md","authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":"MAINTAINERS.md","copyright":null,"agents":"AGENTS.md","dco":null,"cla":null},"funding":{"github":"mfreeman451","patreon":null,"open_collective":null,"ko_fi":null,"tidelift":null,"community_bridge":null,"liberapay":null,"issuehunt":null,"lfx_crowdfunding":null,"polar":null,"buy_me_a_coffee":null,"thanks_dev":null,"custom":null}},"created_at":"2025-01-13T18:33:55.000Z","updated_at":"2026-03-27T22:11:02.000Z","dependencies_parsed_at":"2025-02-02T06:23:03.987Z","dependency_job_id":"c8a87dad-7acd-403e-b51d-8d9020cb863a","html_url":"https://github.com/carverauto/serviceradar","commit_stats":null,"previous_names":["mfreeman451/homemon","mfreeman451/serviceradar","carverauto/serviceradar"],"tags_count":200,"template":false,"template_full_name":null,"purl":"pkg:github/carverauto/serviceradar","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/carverauto%2Fserviceradar","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/carverauto%2Fserviceradar/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/carverauto%2Fserviceradar/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/carverauto%2Fserviceradar/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/carverauto","download_url":"https://codeload.github.com/carverauto/serviceradar/tar.gz/refs/heads/staging","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/carverauto%2Fserviceradar/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31290537,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-01T13:12:26.723Z","status":"ssl_error","status_checked_at":"2026-04-01T13:12:25.102Z","response_time":53,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["armis","causal-discovery","causal-inference","deck-gl","erts","homelab","monitoring-tool","netbox","network-monitoring-tool","network-scanning","observability","ocsf","ocsf-schema","otel","ubiquiti","wasi","wasm","wazero","zero-trust"],"created_at":"2025-02-27T18:53:28.432Z","updated_at":"2026-04-01T17:39:21.159Z","avatar_url":"https://github.com/carverauto.png","language":"JavaScript","funding_links":["https://github.com/sponsors/mfreeman451"],"categories":["Monitoring \u0026 Metrics","JavaScript"],"sub_categories":["Other Monitoring"],"readme":"# ServiceRadar Docker Quick Start\n\nThis guide gets you started with ServiceRadar using Docker Compose in under 5 minutes.\n\n## Prerequisites\n\n- Docker Engine 20.10+ with Docker Compose 2.0+\n- 8GB+ RAM\n- 50GB+ disk space\n\n## OS-Specific Setup\n\n### AlmaLinux 9 / RHEL 9 / Rocky Linux 9\n\n```bash\n# Install Docker\nsudo dnf config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo\nsudo dnf install -y docker-ce docker-ce-cli containerd.io docker-compose-plugin\n\n# Enable and start Docker\nsudo systemctl enable --now docker\n\n# Add your user to the docker group\nsudo usermod -aG docker $USER\nnewgrp docker\n\n# Install Git (if needed)\nsudo dnf install -y git\n```\n\n### Ubuntu / Debian\n\n```bash\n# Install Docker\ncurl -fsSL https://get.docker.com | sudo sh\n\n# Add your user to the docker group\nsudo usermod -aG docker $USER\nnewgrp docker\n```\n\n### macOS\n\nInstall [Docker Desktop](https://www.docker.com/products/docker-desktop/) and ensure it's running.\n\n## Quick Start\n\n1. **Clone and navigate**:\n   ```bash\n   git clone https://github.com/carverauto/serviceradar.git\n   cd serviceradar\n   ```\n\n2. **Create environment file**:\n   ```bash\n   cp .env.example .env\n   ```\n\n3. **Pull the images**:\n   ```bash\n   docker compose pull\n   ```\n\n4. **Start ServiceRadar**:\n   ```bash\n   docker compose up -d\n   ```\n\nBy default, Compose pulls `latest` tags. Set `APP_TAG` when you need a pinned release or commit.\nTo default to the dev compose overlay (no `-f`), set `COMPOSE_FILE=docker-compose.yml:docker-compose.dev.yml` in `.env`.\n\n5. **Get your admin password**:\n   ```bash\n   docker compose logs config-updater | grep \"Password:\"\n   ```\n\n6. **Access ServiceRadar**:\n   - Web Interface: https://localhost (Caddy on port 443, self-signed)\n   - HTTP fallback: http://localhost (Caddy on port 80)\n   - API via Caddy: https://localhost/api/\n   - Email: `root@localhost`\n   - Password: (from step 5)\n\n## Update an Existing Stack\n\n1. Optional: choose a target image tag (Compose defaults to `latest`):\n   - Latest release: `APP_TAG=v1.0.77`\n   - Specific commit: `APP_TAG=sha-\u003cgit-sha\u003e`\n\n2. Pull + restart with the new tag:\n   ```bash\n   export APP_TAG=v1.0.77\n   docker compose pull\n   docker compose up -d --force-recreate\n   ```\n\n## Startup Sequence\n\nThe stack automatically handles certificate generation and configuration:\n\n1. **cert-generator** - Creates all mTLS certificates (one-shot)\n2. **cnpg** - PostgreSQL with mTLS + password auth\n3. **cert-permissions-fixer** - Sets proper certificate ownership (one-shot)\n4. **config-updater** - Writes the bootstrap admin password (one-shot)\n5. **nats** - Message broker with mTLS\n6. **datasvc** - Internal coordination service (planned to be phased out)\n7. **core-elx, agent-gateway, web-ng** - Control plane services\n8. **zen, log-promotion, db-event-writer** - Bulk ingestion consumers\n9. **agent** - Edge agent (collectors + embedded engines + Wasm plugins)\n\n## Test Your Setup\n\nRun the included test script:\n```bash\n./test-docker-setup.sh\n```\n\n## CNPG mTLS Notes\n\nThe CNPG container enforces mTLS + password for all TCP connections. Client certs\nare generated by `cert-generator` and stored in the `cert-data` volume.\n\nDocker Compose now auto-migrates an existing local PG16 `cnpg-data` volume to\nPG18 during startup. For existing installs, the normal operator path is:\n\n```bash\ngit pull\ndocker compose pull\ndocker compose up -d\n```\n\nFresh installs and already-migrated PG18 volumes automatically no-op in the\nmigration step and continue startup normally.\n\nThe standalone migration helper remains available for explicit/manual recovery:\n\n```bash\n./docker/compose/migrate-cnpg-pg16-to-pg18.sh\n```\n\nIf the old install used non-default credentials without a persisted\n`cnpg-credentials` volume, provide them when running the standalone migration:\n\n```bash\nCNPG_SUPERUSER=\u003csource-superuser\u003e \\\nCNPG_SUPERUSER_PASSWORD=\u003csource-superuser-password\u003e \\\nCNPG_PASSWORD=\u003capp-password\u003e \\\n./docker/compose/migrate-cnpg-pg16-to-pg18.sh\n```\n\nFor existing installations, we now store CNPG credentials in the\n`cnpg-credentials` volume to avoid shipping static passwords. If you already\nhave a data volume from the pre-security Docker Compose stack, the bootstrap\ncontainer will automatically recover the legacy defaults on first restart.\n\nIf you previously used the secure credential volume and lost it, or if you use\ncustom passwords, seed the credentials once so services can reconnect:\n\n```bash\ndocker compose run --rm \\\n  -e CNPG_SUPERUSER=\u003cpostgres-or-legacy-superuser\u003e \\\n  -e CNPG_PASSWORD=\u003capp-password\u003e \\\n  -e CNPG_SUPERUSER_PASSWORD=\u003cpostgres-password\u003e \\\n  db-credentials\n```\n\nExample psql connection (from host):\n```bash\nAPP_PASSWORD=$(docker compose exec -T cnpg cat /etc/serviceradar/cnpg/serviceradar-password)\nPGSSLMODE=verify-full \\\nPGSSLROOTCERT=/path/to/root.pem \\\nPGSSLCERT=/path/to/workstation.pem \\\nPGSSLKEY=/path/to/workstation-key.pem \\\nPGPASSWORD=\"${APP_PASSWORD}\" \\\npsql -h localhost -p 5455 -U serviceradar -d serviceradar\n```\n\n## Device Enrichment Rule Overrides\n\n`core-elx` supports filesystem override rules at `/var/lib/serviceradar/rules/device-enrichment`.\nBy default Compose binds `./docker/compose/rules/device-enrichment` into that path (read-only).\n\n```bash\n# Optional: use a custom host directory for overrides\nexport DEVICE_ENRICHMENT_RULES_DIR_HOST=/path/to/rules\ndocker compose up -d --force-recreate core-elx\ndocker compose logs core-elx | grep \"Device enrichment rules loaded\"\n```\n\n## What's Next?\n\n- **Configure devices**: See [Device Configuration Guide](docs/docs/device-configuration.md)\n- **Full documentation**: See [Docker Setup Guide](docs/docs/docker-setup.md)\n- **Security**: See [TLS Security Guide](docs/docs/tls-security.md) - Change your admin password after first login\n\n## Build Images Locally (Bazel)\n\nServiceRadar container images are built with Bazel. Load the agent image into your local Docker daemon before starting Compose:\n\n```bash\nbazel run //docker/images:agent_image_amd64_tar\n```\n\nTo publish the agent image (and the rest of the stack) to GHCR using the same Bazel targets:\n\n```bash\n# Push just the agent image\nbazel run //docker/images:agent_image_amd64_push\n\n# Or push every image in one go\nbazel run //docker/images:push_all\n```\n\n## Common Commands\n\n```bash\n# View all service status\ndocker compose ps\n\n# View logs for all services\ndocker compose logs\n\n# View logs for specific service\ndocker compose logs core-elx\n\n# Follow logs in real-time\ndocker compose logs -f\n\n# Stop all services\ndocker compose down\n\n# Restart a service\ndocker compose restart core-elx\n\n# Update to a specific version\nexport APP_TAG=v1.0.77\ndocker compose pull\ndocker compose up -d --force-recreate\n```\n\n## Troubleshooting\n\nIf services fail to start:\n\n1. **Check logs**: `docker compose logs [service-name]`\n2. **Verify resources**: Ensure Docker has enough memory/CPU\n3. **Check ports**: Ensure ports 80, 8090, 514, 162 are available\n4. **Reset**: `docker compose down \u0026\u0026 docker volume prune \u0026\u0026 docker compose up -d`\n\n### AlmaLinux 9 / RHEL 9 Specific Issues\n\n**SELinux blocking containers**:\n```bash\n# Allow containers to manage cgroups\nsudo setsebool -P container_manage_cgroup on\n\n# Or temporarily disable SELinux (not recommended for production)\nsudo setenforce 0\n```\n\n**Firewall blocking ports**:\n```bash\nsudo firewall-cmd --add-port=80/tcp --permanent    # Web UI (Caddy)\nsudo firewall-cmd --add-port=443/tcp --permanent   # Web UI HTTPS (optional)\nsudo firewall-cmd --add-port=8090/tcp --permanent  # Core API (direct)\nsudo firewall-cmd --reload\n```\n\n**Certificate permission issues**:\n```bash\n# Check cert-permissions-fixer ran successfully\ndocker compose logs cert-permissions-fixer\n```\n\n## Security Notice\n\nOn first startup, ServiceRadar generates:\n- Random admin password\n- API keys and JWT secrets\n- mTLS certificates for all services\n\n**Save your admin password**. The password is stored in the `admin-creds` volume,\nseparate from the shared cert volume, at `/etc/serviceradar/admin/admin-password`:\n```bash\ndocker compose exec web-ng cat /etc/serviceradar/admin/admin-password\n```\n\n## Support\n\n- [Complete Documentation](docs/docs/)\n- [Report Issues](https://github.com/carverauto/serviceradar/issues)\n- [Community Support](https://github.com/carverauto/serviceradar/discussions)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcarverauto%2Fserviceradar","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcarverauto%2Fserviceradar","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcarverauto%2Fserviceradar/lists"}