The current release of our Varnish container images is the last one that
will ship with the telegraf binary included. Starting with the next
release, telegraf will no longer be present in the images.
Affected container images:
If you do not rely on the bundled telegraf binary, no action is required.
telegraf is a sizable binary that is only used by a fraction of our users,
and fewer binaries in the image means fewer CVEs to track and fewer
components that need patching.
Clearer separation of concerns: metrics collection is often best handled by a dedicated sidecar or node-level agent that can be versioned, configured, and upgraded independently of Varnish.
A bundled telegraf tied to our release cycle inevitably lags behind upstream.
If you still need telegraf inside the Varnish container, you can install
it yourself by extending the image. A simple example Dockerfile:
    FROM quay.io/varnish-software/varnish-plus:latest
    # Switch to root user so we can install packages
    USER root
    # Install telegraf from the InfluxData repository
    RUN apt-get update && apt-get install -y curl gnupg ca-certificates && \
        curl -fsSL https://repos.influxdata.com/influxdata-archive.key | \
        gpg --dearmor -o /etc/apt/trusted.gpg.d/influxdata-archive.gpg && \
        echo "deb https://repos.influxdata.com/debian stable main" \
        > /etc/apt/sources.list.d/influxdata.list && \
        apt-get update && apt-get install -y telegraf && \
        rm -rf /var/lib/apt/lists/*
    # Switch back to varnish user as default
    USER varnish
Build the image:
    docker build -t my-varnish-with-telegraf .
Running telegraf as a sidecar container is also a common and often
preferable alternative.
The telegraf Varnish input plugin needs access to the varnishstat
binary and the Varnish shared memory log. The easiest way to give the
sidecar both is to base it on the Varnish image and share Varnish’s
working directory and process namespace.
A small Dockerfile for the sidecar:
    FROM quay.io/varnish-software/varnish-plus:latest
    USER root
    RUN apt-get update && apt-get install -y telegraf && \
        rm -rf /var/lib/apt/lists/*
    USER varnish
    ENTRYPOINT ["telegraf"]
A minimal docker compose example that runs Varnish and the telegraf
sidecar together:
    services:
      varnish:
        image: quay.io/varnish-software/varnish-plus:latest
        ports:
          - "80:80"
        volumes:
          - varnish-run:/var/lib/varnish
      telegraf:
        build: ./telegraf
        pid: "service:varnish"
        volumes:
          - varnish-run:/var/lib/varnish
          - ./telegraf.conf:/etc/telegraf/telegraf.conf:ro
    volumes:
      varnish-run:
A minimal telegraf.conf that uses the Varnish input plugin:
    [[inputs.varnish]]
      binary = "/usr/bin/varnishstat"
      instance_name = "varnish"
    [[outputs.file]]
      files = ["stdout"]
In Kubernetes, the same pattern is achieved by adding the telegraf
container to the Varnish pod, setting shareProcessNamespace: true,
and mounting the Varnish working directory as a shared emptyDir
volume in both containers.
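The Kubernetes pattern described above, written out as a manifest. This is an added example, not part of the original announcement: the ConfigMap name, the Pod name and the sidecar image reference registry.example.com/varnish-telegraf:latest are placeholders, and the sidecar image is assumed to be one you build yourself on top of the Varnish image with telegraf installed.

```yaml
# Added example. Names marked "assumed" or "placeholder" are not from the page.
apiVersion: v1
kind: ConfigMap
metadata:
  name: telegraf-config                  # assumed name
data:
  # Same minimal telegraf.conf as in the compose setup
  telegraf.conf: |
    [[inputs.varnish]]
      binary = "/usr/bin/varnishstat"
      instance_name = "varnish"
    [[outputs.file]]
      files = ["stdout"]
---
apiVersion: v1
kind: Pod
metadata:
  name: varnish                          # assumed name
spec:
  # Counterpart of pid: "service:varnish" in the compose file
  shareProcessNamespace: true
  containers:
    - name: varnish
      image: quay.io/varnish-software/varnish-plus:latest
      ports:
        - containerPort: 80
      volumeMounts:
        - name: varnish-run
          mountPath: /var/lib/varnish
    - name: telegraf
      # Placeholder: your own sidecar image (Varnish image plus telegraf)
      image: registry.example.com/varnish-telegraf:latest
      volumeMounts:
        - name: varnish-run
          mountPath: /var/lib/varnish
        - name: telegraf-config
          mountPath: /etc/telegraf/telegraf.conf
          subPath: telegraf.conf
          readOnly: true
  volumes:
    # Shared Varnish working directory, visible to both containers
    - name: varnish-run
      emptyDir: {}
    - name: telegraf-config
      configMap:
        name: telegraf-config
```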