Deployment Overview of Grafana on Server

Prerequisites and Basic Requirements

The deployment requires a Linux server running either Debian/Ubuntu or RHEL-based distributions. The following network ports must be open and accessible through the server's firewall:

  • Port 80/tcp for HTTP traffic.
  • Port 443/tcp for HTTPS traffic.
  • Port 3000/tcp for internal Grafana communication (exposed via Docker).

Administrative privileges (root or sudo) are required to manage Docker services, configure the firewall, and modify system files.

File and Directory Structure

The application utilizes the following directory structure on the host system:

  • /root/grafana: The primary working directory containing the Docker Compose configuration file (compose.yml).
  • /data/nginx/user_conf.d: Stores custom Nginx configuration files for the reverse proxy.
  • /data/nginx/nginx-certbot.env: Environment file containing configuration for the Nginx-Certbot service.
  • /data/grafana/datasources: Directory mounted to the Grafana container for provisioning data sources.
  • /etc/letsencrypt: Directory mounted to the Nginx container for storing SSL certificates managed by Certbot.

Application Installation Process

The application is deployed using Docker Compose. The installation process involves the following steps:

  1. Ensure Docker is installed and running on the server.
  2. Create the necessary Docker volumes:
    • nginx_secrets: An external volume for SSL certificates.
    • grafana-data: An external volume for persistent Grafana data.
  3. Place the compose.yml file in the /root/grafana directory.
  4. Execute the Docker Compose command to start the services.

The deployment utilizes the following container images:

  • jonasal/nginx-certbot:latest for the reverse proxy and SSL management.
  • grafana/grafana-oss:<version> for the Grafana application, where <version> is defined by the hk_grafana_ver variable.

Access Rights and Security

Firewall rules are configured to allow incoming traffic on ports 80 and 443. The configuration differs based on the operating system:

  • Debian/Ubuntu: The ufw firewall is used to enable ports 80/tcp and 443/tcp.
  • RHEL: The firewalld service is used to enable ports 80/tcp and 443/tcp in the public zone.

The Grafana service is not directly exposed to the public internet; instead, traffic is routed through the Nginx reverse proxy which handles SSL termination.

Docker Containers and Their Deployment

The deployment consists of two main services defined in the compose.yml file:

  1. nginx:

    • Image: jonasal/nginx-certbot:latest
    • Ports: Maps host ports 80 and 443 to container ports 80 and 443.
    • Volumes: Mounts nginx_secrets to /etc/letsencrypt and /data/nginx/user_conf.d to /etc/nginx/user_conf.d.
    • Environment: Uses [email protected] and loads additional settings from /data/nginx/nginx-certbot.env.
    • Restart Policy: unless-stopped.
  2. grafana:

    • Image: grafana/grafana-oss:<version>
    • Ports: Maps host port 3000 to container port 3000.
    • Volumes: Mounts /data/grafana/datasources to /etc/grafana/provisioning/datasources and grafana-data to /var/lib/grafana.
    • Restart Policy: unless-stopped.

The services are started using the command docker compose up -d executed from the /root/grafana directory.
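
The following check is an added example, not part of the original deployment or of either project's tooling. Docker installs its own packet-filter rules for published ports, so ufw rules that open only 80 and 443 do not by themselves keep a "3000:3000" mapping off the public interfaces. The script lists every host port a compose file publishes on a non-loopback address outside an allow-list. The function names, the sample file and the restriction to the short IPv4 port syntax are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original page. Lists host ports that a compose
# file publishes on a non-loopback address and that are not in the allow-list.
# Assumption: short port syntax only ("HOST:CONT" or "IP:HOST:CONT", IPv4).
audit_published_ports() {   # $1 = compose file, $2 = allowed host ports
    awk -v allowed="$2" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    # A key indented by two spaces is a service name under "services:".
    /^  [A-Za-z0-9_.-]+:[ \t]*$/ { svc = $1; sub(/:$/, "", svc); inports = 0; next }
    /^    ports:[ \t]*$/ { inports = 1; next }   # ports list starts
    /^    [A-Za-z_]+:/   { inports = 0 }         # next key ends it
    inports && /^[ \t]*-/ {
        m = $0
        sub(/^[ \t]*-[ \t]*/, "", m)
        gsub(/["'\'' \t]/, "", m)                # strip quotes and blanks
        sub(/\/(tcp|udp)$/, "", m)
        k = split(m, p, ":")
        if (k == 3)      { ip = p[1];      host = p[2] }
        else if (k == 2) { ip = "0.0.0.0"; host = p[1] }
        else             { ip = "0.0.0.0"; host = "ephemeral" }
        if (ip !~ /^127\./ && !(host in ok)) print svc ":" host
    }' "$1"
}

# Constructed sample mirroring the two services described above.
# $1 is the host-side binding for Grafana, e.g. "3000" or "127.0.0.1:3000".
sample_compose() {
    cat <<EOF
services:
  nginx:
    image: jonasal/nginx-certbot:latest
    ports:
      - "80:80"
      - "443:443"
    restart: unless-stopped
  grafana:
    image: grafana/grafana-oss:<version>
    ports:
      - "$1:3000"
    restart: unless-stopped
EOF
}

f=$(mktemp)
sample_compose "3000" > "$f"
echo "as described:  $(audit_published_ports "$f" "80 443")"   # grafana:3000
sample_compose "127.0.0.1:3000" > "$f"
echo "loopback bind: $(audit_published_ports "$f" "80 443")"   # nothing flagged
rm -f "$f"
```

Run against the real file as audit_published_ports /root/grafana/compose.yml "80 443"; an empty result means only the proxy ports are published beyond loopback.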

Proxy Servers

The Nginx container acts as a reverse proxy for Grafana. It handles SSL certificate generation and renewal using Certbot. The proxy configuration is stored in /data/nginx/user_conf.d and is mounted into the Nginx container. The proxy forwards incoming HTTPS traffic to the Grafana container running on port 3000.

Permission Settings

The directory /root/grafana is created with the following permissions:

  • Owner: root
  • Group: root
  • Mode: 0644

The compose.yml file within this directory is also owned by root with mode 0644. Docker volumes are managed by the Docker daemon, and file permissions within the containers are handled by the respective container images.

Starting, Stopping, and Updating

To manage the Grafana deployment, use the following Docker Compose commands from the /root/grafana directory:

  • Start services:
    docker compose up -d
    
  • Stop services:
    docker compose down
    
  • Update services: To update the application, modify the compose.yml file to change the image version or configuration, then run:
    docker compose up -d
    

After the services are started, the administrator password for Grafana is reset using the grafana-cli tool inside the container. The command executed is:

docker exec -i grafana-grafana-1 grafana-cli admin reset-admin-password <password>
