Deployment Overview of Grafana on Server¶

Prerequisites and Basic Requirements¶

To successfully deploy and operate Grafana on the server, the following system prerequisites must be met:

• Operating System: Compatible with Debian/Ubuntu or RHEL/CentOS distributions.

• Privileges: Administrative (root) access is required to manage Docker containers, configure firewalls, and handle file permissions.

• Domain: The system must be configured to serve content on the hostkey.in domain.

• Ports:

• 80/tcp and 443/tcp must be open on the firewall for HTTPS and HTTP traffic.

• 3000/tcp is used internally for the Grafana application container.

FQDN of the Final Panel¶

The Grafana interface is accessible via the following Fully Qualified Domain Name (FQDN) format:

grafana<Server ID>.hostkey.in:443

Replace <Server ID> with the specific identifier assigned to the host instance. The application operates over HTTPS on port 443.

File and Directory Structure¶

The deployment utilizes specific directories for configuration files, application data, and certificates:

• Application Directory: /root/grafana

• Contains the compose.yml file used for orchestrating the Docker containers.

• Nginx Configuration: /data/nginx/user_conf.d

• Stores custom Nginx server block configurations for the Grafana domain.

• Grafana Data Volume: Mapped to /var/lib/grafana inside the container.

• Let's Encrypt Certificates: Stored in the nginx_secrets volume mounted at /etc/letsencrypt.

• Datasource Provisioning: /data/grafana/datasources mounted to /etc/grafana/provisioning/datasources inside the container.

Application Installation Process¶

The application is deployed using Docker Compose. The installation process involves the following steps:

1. Docker Installation: Ensure the Docker engine is installed and running on the host.

2. Directory Setup: Create the /root/grafana directory with root ownership.

3. Compose File Generation: The compose.yml file is generated and placed in /root/grafana/compose.yml.

4. Volume Creation: A persistent Docker volume named grafana-data is created to store Grafana's internal data.

5. Service Launch: The containers are started using the docker compose up -d command.

6. Version: The deployment utilizes Grafana version 8.2.6.

Access Rights and Security¶

Security configurations are applied via the host firewall and container isolation:

• Firewall Rules:

• On Debian/Ubuntu systems, ufw (Uncomplicated Firewall) is configured to allow traffic on ports 80 and 443.

• On RHEL/CentOS systems, firewalld is configured to allow 80/tcp and 443/tcp in the public zone.

• Container Isolation: Services run within isolated Docker containers with defined port mappings and volume mounts.

• SSL/TLS: SSL certificates are managed automatically via the Nginx container using Certbot, ensuring encrypted communication over port 443.

Databases¶

The provided configuration does not include an external database deployment. Grafana utilizes its internal SQLite database by default, with all data stored within the grafana-data Docker volume. External data sources are provisioned via the /data/grafana/datasources directory.

Docker Containers and Their Deployment¶

The application consists of two primary services defined in the compose.yml file:

• nginx:

• Image: jonasal/nginx-certbot:latest

• Function: Acts as the reverse proxy and manages SSL certificates via Certbot.

• Ports: Exposes 80 and 443 to the host.

• Volumes: Mounts nginx_secrets for certificates and /data/nginx/user_conf.d for custom configurations.

• grafana:

• Image: grafana/grafana-oss:8.2.6

• Function: Runs the Grafana monitoring and visualization application.

• Ports: Maps internal port 3000 to host port 3000.

• Volumes:

  • grafana-data mapped to /var/lib/grafana for persistent storage.

  • /data/grafana/datasources mapped to /etc/grafana/provisioning/datasources for datasource configuration.

The restart policy for both containers is set to unless-stopped.

Proxy Servers¶

Access to Grafana is mediated through an Nginx reverse proxy:

• Software: Nginx with Certbot integration (jonasal/nginx-certbot).

• SSL/TLS: Automatic SSL certificate management is enabled via Let's Encrypt.

• Configuration: Custom proxy rules for the Grafana subdomain are located in /data/nginx/user_conf.d/<prefix><server_id>.hostkey.in.conf.

• Routing: The proxy forwards requests from port 443 to the internal Grafana service running on port 3000.

Permission Settings¶

File and directory permissions are set to ensure proper access for the Docker containers and system administrators:

• Compose Directory: /root/grafana is owned by root:root with 0644 permissions.

• Compose File: compose.yml is owned by root:root with 0644 permissions.

• Nginx Configs: Custom configurations in /data/nginx/user_conf.d are managed by the host system and accessed by the Nginx container via volume mount.

Location of Configuration Files and Data¶

Critical configuration and data files are located at the following paths:

Available Ports for Connection¶

The following ports are configured for external and internal access:

• 443 (TCP): HTTPS traffic for the Grafana web interface (external access).

• 80 (TCP): HTTP traffic used for SSL certificate validation and redirection (external access).

• 3000 (TCP): Direct internal access to the Grafana container (not intended for direct external production access without the proxy).

Starting, Stopping, and Updating¶

Service management is handled via Docker Compose commands executed from the /root/grafana directory.

• Start Services:

  cd /root/grafana
  docker compose up -d
  

• Stop Services:

  cd /root/grafana
  docker compose down
  

• Restart Services:

  cd /root/grafana
  docker compose restart
  

• Update Logs:

  cd /root/grafana
  docker compose logs -f grafana
  

To update the application version, modify the image tag in the compose.yml file and restart the services.