docs(influxdb3): release documentation for Core and Enterprise v3.8.0 (#6647)

* docs(influxdb3): release documentation for Core and Enterprise v3.8.0

- Update latest_patch to 3.8.0 in products.yml
- Add placeholder release notes for v3.8.0
- Update site notification for v3.8.0 release

* chore: add 3.8 release notes (#6638)

Co-authored-by: Jason Stirnaman <jstirnaman@influxdata.com>

* feat(influxdb3): update install for DEB/RPM and add admin/security (#6643)

* feat(influxdb3): add shared/influxdb3-admin/security.md

* feat(influxdb3): update install for DEB/RPM

* chore: fix hard-coded 'enterprise' in influxdb3 install

* Update content/shared/influxdb3/install.md

Love it!

Co-authored-by: Jason Stirnaman <jstirnaman@influxdata.com>

* Update content/shared/influxdb3/install.md

Co-authored-by: Jason Stirnaman <jstirnaman@influxdata.com>

* Update content/shared/influxdb3/install.md

* Update content/shared/influxdb3/install.md

* Update content/shared/influxdb3/install.md

* Update content/shared/influxdb3/install.md

* Update content/shared/influxdb3/install.md

---------

Co-authored-by: Jason Stirnaman <jstirnaman@influxdata.com>

* Update content/shared/influxdb3/install.md

* chore: add influxdb 3.8 notification (#6645)

Co-authored-by: Jason Stirnaman <jstirnaman@influxdata.com>

---------

Co-authored-by: peterbarnett03 <peter.barnett03@gmail.com>
Co-authored-by: Jamie Strandboge <jamie@influxdata.com>
Co-authored-by: Scott Anderson <sanderson@users.noreply.github.com>
pull/6648/head
Jason Stirnaman 2025-12-18 10:54:25 -05:00 committed by GitHub
parent 5f792bd47a
commit 2f5af3c54c
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
7 changed files with 364 additions and 16 deletions

View File

@ -0,0 +1,18 @@
---
title: Security
seotitle: InfluxDB 3 Core security guide
description: >
Tune {{% product-name %}} security for local requirements.
weight: 205
menu:
influxdb3_core:
parent: Administer InfluxDB
name: Security
related:
- /influxdb3/{{< product-key >}}/install/
source: /shared/influxdb3-admin/security.md
---
<!--
The content of this file is located at
//SOURCE - content/shared/influxdb3-admin/security.md

View File

@ -0,0 +1,18 @@
---
title: Security
seotitle: InfluxDB 3 Enterprise security guide
description: >
Tune {{% product-name %}} security for local requirements.
weight: 205
menu:
influxdb3_core:
parent: Administer InfluxDB
name: Security
related:
- /influxdb3/{{< product-key >}}/install/
source: /shared/influxdb3-admin/security.md
---
<!--
The content of this file is located at
//SOURCE - content/shared/influxdb3-admin/security.md
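Review bot: The `menu:` key in this Enterprise front matter is `influxdb3_core:`, although `seotitle` reads "InfluxDB 3 Enterprise security guide". As written, the page would attach to the Core navigation menu rather than the Enterprise one. It looks copied from the Core stub; it should presumably be `influxdb3_enterprise:`, matching the product key used in the products.yml hunk of this commit.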

View File

@ -0,0 +1,213 @@
## Linux DEB and RPM
When installing via DEB/RPM on a `systemd`-enabled system, {{< product-name >}} will run in a sandboxed environment as configured by its `systemd` unit file. The shipped `systemd` unit file assumes the following filesystem layout as provided by the DEB and RPM packaging:
* `/etc/influxdb3`: directory for {{< product-name >}} configuration (by default, `0755` permissions with `influxdb3:influxdb3` ownership; adjust to `0750` permissions if storing sensitive credentials, etc)
* `/etc/influxdb3/influxdb3-{{< product-key >}}.conf`: TOML configuration file
* `/usr/bin/influxdb3`: {{< product-name >}} binary
* `/usr/lib/influxdb3/python`: directory containing the embedded interpreter used by the {{< product-name >}} processing engine
* `/var/lib/influxdb3`: writable directory for {{< product-name >}}
* `/var/lib/influxdb3/data`: default directory for {{< product-name >}} data files when `object-store` is set to `file` (the installation default for DEB/RPM)
* `/var/lib/influxdb3/plugins`: default directory for {{< product-name >}} plugin files
* `/var/log/influxdb3`: writable directory for logging (unused by default)
### `systemd` unit in detail
The unit file is self-documenting and can be viewed with:
```
$ systemctl cat influxdb3-{{< product-key >}}
# /usr/lib/systemd/system/influxdb3-{{< product-key >}}.service
[Unit]
Description={{< product-name >}}
After=network-online.target
[Service]
Type=simple
... <sandbox and other directives> ...
```
The intent of the default sandboxing is to provide meaningful security without breaking common usage; these security options are enabled by default:
* Basic Security
* `StateDirectory=influxdb3` - writable area relative to `/var/lib`
* `LogsDirectory=influxdb3` - writable area relative to `/var/log` (the unit is configured with `StandardOutput=journal` and `StandardError=journal` by default and will not use this directory)
* `User=influxdb3`, `Group=influxdb3`, `SupplementaryGroups=` - run {{< product-name >}} as the unprivileged `influxdb3:influxdb3` user. {{< product-name >}} does not require any special privileges to run and this should always be set to an unprivileged user
* `UMask=0027` - restrictive default file mode creation mask
* Limiting kernel attack surface
* `SystemCallFilter=@system-service`, `SystemCallArchitectures=native`, `SystemCallFilter=~io_uring_setup keyctl userfaultfd`, and `LockPersonality=true` - basic set of allowed Linux system calls excluding a few unneeded ones that can be abused
* `RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX` - limit allowed address families to those needed for basic functionality (ie, IP networking, DNS resolution, etc). Custom processing engine plugins that need kernel socket of route introspection may need to add `AF_NETLINK` to this list
* `RestrictNamespaces=true` - disallow use of Linux namespaces
* Limiting privileges to disallow gaining or inheriting permissions/capabilities (blocks ICMP `ping`, `passwd`, etc):
* `NoNewPrivileges=true`
* `RestrictSUIDSGID=true`
* `CapabilityBoundingSet=`
* `AmbientCapabilities=`
* Host protection
* `ProtectSystem=strict` - make host files read-only
* `ProtectHome=true` - disallow access to `/home` (tip: put credentials, configuration, etc in `/etc/influxdb3` or somewhere in `/var/lib/influxdb3` instead)
* `PrivateTmp=true` - use separate `/tmp` and `/var/tmp` from host
* `TemporaryFileSystem=/dev/shm:mode=1777` - use separate `/dev/shm` (override with `size=` to limit size too)
* `PrivateDevices=true` - allow only pseudo devices with no host mount propagation
* `ProtectKernelLogs=true` - disallow access to the kernel log ring buffer (needed if `PrivateDevices=false`)
* `PrivateIPC=true` - use separate SysV IPC from host
* `InaccessiblePaths=...` - disallow well-known system and user services' named sockets (needed since `AF_UNIX` is allowed)
* `ProtectProc=invisible` - hide processes not owned by this user (ie, `influxdb3:influxdb3`, see above). This provides strong isolation but means that plugins can't see other processes on the system, which could affect custom processing engine plugins that require this
While the above provides a lot of security, it leaves out directives that are necessarily site-specific like:
* `IPAddressDeny` and `IPAddressAllow` for limiting communications by the database and processing engine to certain IP addresses
* `MemoryHigh`, `MemoryMax`, etc for limiting memory usage (the database process already has configurable controls for memory so this is primarily useful to limit the processing engine)
* `Nice`, `CPUQuota`, `CPUSchedulingPolicy`, `LimitNPROC`, `TasksMax`, etc for limiting CPU usage (the database process already has configurable controls for CPU so this is primarily useful to limit the processing engine)
* `IOWeight`, etc for limiting I/O operations (primarily useful for limiting the processing engine)
* `ReadOnlyPaths`, `ReadWritePaths`, `InaccessiblePaths`, etc to allow/disallow other paths not covered by the default sandbox
Furthermore, due to a limit in {{% product-name %}} related to socket activation, `PrivateNetwork=true` cannot be used at this time.
Finally, while the `systemd` unit declares the above directives, `systemd` version 248 (released 2021-03-30 and available in Debian 12+, RHEL 9+, Ubuntu 22.04+) is required to utilize them. On older systems, `systemd` will log `Unknown lvalue '<directive>'` (or similar) and start the service normally (but without the protection).
### Tuning the `systemd` unit
While the shipped `systemd` unit is verified to work with {{% product-name %}} and [official plugins](https://docs.influxdata.com/influxdb3/{{< product-key >}}/plugins/library/official/), you may want to harden the unit further or loosen its restrictions in certain situations. Instead of modifying the `influxdb3-{{< product-key >}}.service` file directly, use `systemctl edit influxdb3-{{< product-key >}}` to add overrides.
#### Example: loosen for ProtectProc=default
Suppose a custom plugin needs access to read other processes' information from `/proc`, do:
1. Run `sudo systemctl edit influxdb3-{{< product-key >}}`
2. Edit the file to contain:
```
### Editing /etc/systemd/systemd/influxdb3-{{< product-key >}}.service.d/override.conf
### Anything between here and the comment below will become the new contents of the file
[Service]
# the 'foo' plugin needs to see other user's processes
ProtectProc=default
### Lines below this comment will be discarded
...
```
3. Verify the changes (the shipped unit is listed first followed by overrides):
```
$ sudo systemctl daemon-reload && systemctl cat --no-pager influxdb3-{{< product-key >}}
[Unit]
Description={{% product-name %}}
After=network-online.target
[Service]
...
ProtectProc=invisible
...
# /etc/systemd/system/influxdb3-{{< product-key >}}.service.d/override.conf
[Service]
# the 'foo' plugin needs to see other users' processes
ProtectProc=default
$
```
4. Restart the unit with `sudo systemctl restart influxdb3-{{< product-key >}}`
#### Example: restrict networking
`systemd` supports network filtering via BPF. When adding directives, the rule
evaluation order is:
1. Access is granted if matches entry in IPAddressAllow
2. Otherwise access is denied if matches entry in IPAddressDeny
3. Otherwise access is granted
For egress, the IP matches against sender and for ingress, it matches against
the receiver. This filtering only matches on IP addresses, not ports; if you
need more flexibility, use host firewall tools/cloud security groups instead.
As an example, to limit communications to only localhost, use
`systemctl edit influxdb3-{{< product-key >}}` to add:
```
### Editing /etc/systemd/systemd/influxdb3-{{< product-key >}}.service.d/override.conf
### Anything between here and the comment below will become the new contents of the file
IPAddressDeny=any
IPAddressAllow=localhost
### Lines below this comment will be discarded
...
```
Alternatively, to restrict networking to only public IP ranges, use this
instead:
```
### Editing /etc/systemd/systemd/influxdb3-{{< product-key >}}.service.d/override.conf
### Anything between here and the comment below will become the new contents of the file
IPAddressDeny=0.0.0.0/32 # 0.0.0.0 treated as 127.0.0.1
IPAddressDeny=127.0.0.0/8 # IPv4 loopback
IPAddressDeny=10.0.0.0/8 # IPv4 internal (RFC1918)
IPAddressDeny=172.16.0.0/12 # IPv4 internal (RFC1918)
IPAddressDeny=192.168.0.0/16 # IPv4 internal (RFC1918)
IPAddressDeny=169.254.0.0/16 # IPv4 link-local (RFC3927)
IPAddressDeny=224.0.0.0/4 # IPv4 multicast
IPAddressDeny=::1/128 # IPv6 loopback
IPAddressDeny=fe80::/64 # IPv6 link-local
IPAddressDeny=fc00::/7 # IPv6 unique local addr
IPAddressDeny=ff00::/8 # IPv6 multicast
### Lines below this comment will be discarded
...
```
{{% show-in "enterprise" %}}
#### Example: add memory, CPU and I/O control for process node
If {{% product-name %}} is configured to start as a standalone processing
engine node (eg, started with `--mode="process"`), then it could utilize
different security directives than the database itself. Eg, consider this
`systemd` override for limiting a processing engine-only node:
```
### Editing /etc/systemd/systemd/influxdb3-{{< product-key >}}.service.d/override.conf
### Anything between here and the comment below will become the new contents of the file
[Service]
# Memory - limit to 20% of the memory, killing it and restarting the service
# if it reaches 30%
MemoryHigh=20%
MemoryMax=30%
Restart=on-failure
RestartSec=5
StartLimitIntervalSec=600
StartLimitBurst=5
OOMPolicy=continue
# CPU - Limit to maximum of 2 CPUs with deprioritized nice value
Nice=10
CPUQuota=200%
CPUSchedulingPolicy=batch
LimitNPROC=256
TasksMax=256
# I/O - Limit I/O to not starve main database
IOWeight=50
### Lines below this comment will be discarded
...
```
{{% /show-in %}}
### systemd references
The `systemd` documentation has additional information on the above and more:
* [systemd](https://www.freedesktop.org/software/systemd/man/latest/)
* [systemd.service](https://www.freedesktop.org/software/systemd/man/latest/systemd.service.html)
* [systemd.exec](https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html)
* [systemd.resource-control](https://www.freedesktop.org/software/systemd/man/latest/systemd.resource-control.html)
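Review bot: The two overrides under "Example: restrict networking" would not take effect as written. Neither snippet has a `[Service]` header above its `IPAddressDeny=`/`IPAddressAllow=` lines (the ProtectProc and process-node examples do). In addition, systemd only treats `#` as a comment at the start of a line, so trailing annotations such as `# IPv4 loopback` are parsed as part of the value. Suggest adding `[Service]` to both snippets and moving each annotation to its own comment line above the directive it describes. In the same list, `fe80::/64` covers only part of the IPv6 link-local range, which is `fe80::/10`. Separately, the "Editing" banner in all four override snippets reads `/etc/systemd/systemd/...`, while the verify output in step 3 shows `/etc/systemd/system/...`. In the process-node example, `StartLimitIntervalSec=` and `StartLimitBurst=` are documented in systemd.unit as `[Unit]` settings, so they belong under a `[Unit]` header rather than `[Service]`. Minor wording: "kernel socket of route introspection" should read "or", and the comment "other user's processes" in step 2 does not match "other users' processes" in step 3.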

View File

@ -4,7 +4,9 @@
- [Quick install for Linux and macOS](#quick-install-for-linux-and-macos)
- [Download and install the latest build artifacts](#download-and-install-the-latest-build-artifacts)
- [Pull the Docker image](#pull-the-docker-image)
- [Linux DEB and RPM install](#linux-deb-and-rpm-install)
- [Verify the installation](#verify-the-installation)
- [Run as a system service (Linux)](#run-as-a-system-service-linux)
{{% show-in "enterprise" %}}
> [!Note]
@ -42,6 +44,7 @@ Choose one of the following methods to install {{% product-name %}}:
- [Quick install for Linux and macOS](#quick-install-for-linux-and-macos)
- [Download and install the latest build artifacts](#download-and-install-the-latest-build-artifacts)
- [Pull the Docker image](#pull-the-docker-image)
- [Linux DEB and RPM install](#linux-deb-and-rpm-install)
### Quick install for Linux and macOS
@ -59,10 +62,17 @@ curl -O https://www.influxdata.com/d/install_influxdb3.sh \
> The quick installer script is updated with each {{% product-name %}} release,
> so it always installs the latest version.
> [!Important]
> #### Production deployment
>
> For production deployments, use [Linux DEB or RPM](#linux-deb-and-rpm-install)
> for built-in systemd sandboxing, or [Docker](#pull-the-docker-image) with your own
> container security configuration.
>
> For detailed security options, see [Manage security](/influxdb3/version/admin/security/).
### Download and install the latest build artifacts
You can also download and install [{{% product-name %}} build artifacts](/influxdb3/enterprise/install/#download-influxdb-3-enterprise-binaries) directly:
You can download and install [{{% product-name %}} build artifacts](/influxdb3/version/install/#download-influxdb-3-{{< product-key >}}-binaries) directly:
{{< expand-wrapper >}}
{{% expand "Linux binaries" %}}
@ -125,6 +135,56 @@ influxdb:3-{{< product-key >}}
{{< /expand-wrapper >}}
### Linux DEB and RPM install
Best practice for production deployments is to either install {{< product-name >}} via DEBs/RPMs or [Docker](#pull-the-docker-image). When installing via DEB/RPM on a `systemd`-enabled system, {{< product-name >}} will run in a sandboxed environment as configured by its `systemd` unit file. The shipped unit file provides meaningful security for many use cases; see [security](/influxdb3/{{< product-key >}}/admin/security/) for more information on the sandbox environment and how to tune it your environment.
When installed via DEB or RPM on a `systemd`-enabled system, {{< product-name >}} runs in a sandboxed environment.
The included `systemd` unit file configures the environment to provide security isolation for typical deployments.
For more information, see [Manage security](/influxdb3/version/admin/security/).
> [!Note]
> DEB and RPM installation is **recommended for production deployments** due to built-in systemd sandboxing.
{{< expand-wrapper >}}
{{% expand "DEB-based systems" %}}
Install from the InfluxData repository by running the following commands using `apt-get` to install {{< product-name >}} from the InfluxData repository:
Use `apt-get` to install {{< product-name >}} from the InfluxData repository:
```
```bash
gpg --show-keys --with-fingerprint --with-colons ./influxdata-archive.key 2>&1 \
| grep -q '^fpr:\+24C975CBA61A024EE1B631787C3D57159FC2F927:$' \
&& cat influxdata-archive.key \
| gpg --dearmor \
| sudo tee /usr/share/keyrings/influxdata-archive.gpg > /dev/null \
&& echo 'deb [signed-by=/usr/share/keyrings/influxdata-archive.gpg] https://repos.influxdata.com/debian stable main' \
| sudo tee /etc/apt/sources.list.d/influxdata.list
sudo apt-get update && sudo apt-get install influxdb3-{{< product-key >}}
```
{{% /expand %}}
{{% expand "RPM-based systems" %}}
Install from the InfluxData repository by running the following commands using `yum` to install {{< product-name >}} from the InfluxData repository:
Use `yum` to install {{< product-name >}} from the InfluxData repository:
```
```bash
curl --silent --location -O https://repos.influxdata.com/influxdata-archive.key
gpg --show-keys --with-fingerprint --with-colons ./influxdata-archive.key 2>&1 \
| grep -q '^fpr:\+24C975CBA61A024EE1B631787C3D57159FC2F927:$' \
&& sudo cp ./influxdata-archive.key /usr/share/influxdata-archive-keyring/keyrings/influxdata-archive.asc \
&& cat <<EOF | sudo tee /etc/yum.repos.d/influxdata.repo
[influxdata]
name = InfluxData Repository - Stable
baseurl = https://repos.influxdata.com/stable/\$basearch/main
enabled = 1
gpgcheck = 1
gpgkey = file:///usr/share/influxdata-archive-keyring/keyrings/influxdata-archive.asc
yum install influxdb3-{{< product-key >}}
EOF
```
{{% /expand %}}
{{< /expand-wrapper >}}
### Verify the installation
After installing {{% product-name %}}, enter the following command to verify
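Review bot: In the RPM block, `yum install influxdb3-{{< product-key >}}` sits above the closing `EOF`, so it is written into `/etc/yum.repos.d/influxdata.repo` as a line of the repo file and never executed. Move it below `EOF` and prefix it with `sudo`, as the DEB block does for `apt-get`. The `sudo cp` into `/usr/share/influxdata-archive-keyring/keyrings/` also assumes that directory already exists; nothing in the visible commands creates it. In the DEB block, the fingerprint check reads `./influxdata-archive.key`, but there is no download step before it like the `curl --silent --location -O ...` line that opens the RPM block, so a copy-paste on a fresh host fails at the first command and the key is never installed.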
@ -141,6 +201,16 @@ If your system doesn't locate `influxdb3`, then `source` the configuration file
source ~/.zshrc
```
### Run as a system service (Linux)
{{% product-name %}} includes service files for running as a managed system service on Linux:
- **systemd**: For modern Linux distributions
- **SysV init**: For legacy system compatibility
Service files are included in the Linux binary downloads.
For more information, see the [release notes for v3.8.0](/influxdb3/corerelease-notes/#v380).
{{% show-in "enterprise" %}}
> [!Note]
> For information about setting up a multi-node {{% product-name %}} cluster,
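Review bot: The release-notes link in the new "Run as a system service (Linux)" section, `/influxdb3/corerelease-notes/#v380`, is missing the `/` between the product segment and `release-notes`. It also hard-codes `core` in a file that is shared with Enterprise. The other links added to this file in the commit use the `/influxdb3/version/...` form, so `/influxdb3/version/release-notes/#v380` would be consistent with them and resolve for both products.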
@ -152,4 +222,4 @@ source ~/.zshrc
{{% /show-in %}}
{{% show-in "core" %}}
{{< page-nav next="/influxdb3/core/get-started/" nextText="Get started with InfluxDB 3 Core" >}}
{{% /show-in %}}
{{% /show-in %}}

View File

@ -6,6 +6,37 @@
> All updates to Core are automatically included in Enterprise.
> The Enterprise sections below only list updates exclusive to Enterprise.
## v3.8.0 {date="2025-12-18"}
### Core
#### Features
- **Linux Service Management**: Run InfluxDB 3 as a managed system service on Linux ([#27026](https://github.com/influxdata/influxdb/pull/27026)):
- Use `influxdb3-launcher` script to initialize the service
- Deploy with systemd on modern Linux distributions
- Deploy with SysV init on legacy systems
- Customize service behavior with configuration files
#### Bug fixes
- **CLI**: View only active databases and tables when running `SHOW RETENTION`
- **Database operations**: Receive an error when attempting to delete tables from an already-deleted database
- **Retention Policy**: Receive an error when attempting to modify retention settings on deleted databases
#### Security
- **Processing Engine**: Run processing engine plugins with Python 3.13.11, which includes security and bug fixes ([#27014](https://github.com/influxdata/influxdb/pull/27014))
### Enterprise
All Core updates are included in Enterprise. Additional Enterprise-specific features and fixes:
#### Bug fixes
- **Table Limits**: Delete tables without affecting your table limit quota
- **Retention Policy**: Receive an error when attempting to modify retention settings on deleted tables
## v3.7.0 {date="2025-11-19"}
### Core

View File

@ -40,28 +40,26 @@
# - [The plan for InfluxDB 3.0 Open Source](https://influxdata.com/blog/the-plan-for-influxdb-3-0-open-source)
# - [InfluxDB 3.0 benchmarks](https://influxdata.com/blog/influxdb-3-0-is-2.5x-45x-faster-compared-to-influxdb-open-source/)
- id: influxdb3.7-explorer-1.5
- id: influxdb3.8-explorer-1.6
level: note
scope:
- /
title: New in InfluxDB 3.7
title: New in InfluxDB 3.8
slug: |
Key enhancements in InfluxDB 3.7 and the InfluxDB 3 Explorer 1.5.
Key enhancements in InfluxDB 3.8 and the InfluxDB 3 Explorer 1.6.
<a class="btn" href="https://www.influxdata.com/blog/influxdb-3-7/">See the Blog Post</a>
<a class="btn" href="https://www.influxdata.com/blog/influxdb-3-8/">See the Blog Post</a>
message: |
InfluxDB 3.7 is now available for both Core and Enterprise, landing alongside
version 1.5 of the InfluxDB 3 Explorer UI. This release focuses on giving
developers faster visibility into what their system is doing with one-click
monitoring, a streamlined installation pathway, and broader updates that
simplify day-to-day operations.
InfluxDB 3.8 is now available for both Core and Enterprise, alongside the
1.6 release of the InfluxDB 3 Explorer UI. This release is focused on
operational maturity and making InfluxDB easier to deploy, manage, and run
reliably in production.
For more information, check out:
- [See the announcement blog post](https://www.influxdata.com/blog/influxdb-3-7/)
- [See the announcement blog post](https://www.influxdata.com/blog/influxdb-3-8/)
- [InfluxDB 3 Core release notes](/influxdb3/core/release-notes/)
- [InfluxDB 3 Enterprise release notes](/influxdb3/enterprise/release-notes/)
- [Get Started with InfluxDB 3 Explorer](/influxdb3/explorer/get-started/)
- id: influxdb-docker-latest-tag
level: warn

View File

@ -6,7 +6,7 @@ influxdb3_core:
versions: [core]
list_order: 2
latest: core
latest_patch: 3.7.0
latest_patch: 3.8.0
placeholder_host: localhost:8181
detector_config:
query_languages:
@ -37,7 +37,7 @@ influxdb3_enterprise:
versions: [enterprise]
list_order: 2
latest: enterprise
latest_patch: 3.7.0
latest_patch: 3.8.0
placeholder_host: localhost:8181
detector_config:
query_languages: