
Deployment Overview of Percona Monitoring and Management on Server

Prerequisites and Basic Requirements

The deployment of Percona Monitoring and Management (PMM) requires a server running an Ubuntu-based operating system. The following components and privileges are necessary:

  • Root or sudo privileges to execute installation commands.
  • A valid domain name configured for the server, following the pattern {{ prefix }}{{ server_id }}.{{ zone }} (the three placeholders are template variables substituted at deployment time; the resulting name must resolve to the host so the Let's Encrypt HTTP challenge can reach it).
  • Network access to the internet to download the PMM installer and SSL certificates.
  • The nginx web server and python3-pip package manager must be available on the host system.
  • Docker must be installed and running to host the PMM application containers.

File and Directory Structure

The application utilizes a specific directory structure within the Docker container and the host system for configuration and data storage:

  • Host SSL Certificates: Located in /etc/letsencrypt/live/{{ prefix }}{{ server_id }}.{{ zone }}/. This directory contains the cert.pem, privkey.pem, fullchain.pem, and ssl-dhparams.pem files issued by Certbot.
  • Container Nginx Configuration: Inside the pmm-server container, SSL certificates and configuration files are stored in /srv/nginx/:
      • certificate.crt: The public certificate.
      • certificate.key: The private key.
      • ca-certs.pem: The full certificate chain.
      • dhparam.pem: Diffie-Hellman parameters.
      • certificate.conf: The Nginx configuration file for SSL.

Application Installation Process

The Percona Monitoring and Management application is installed using the official Percona installer script. The installation process involves the following steps:

  1. Update and upgrade all APT packages on the host system.
  2. Install the nginx and python3-pip packages via the APT package manager.
  3. Install certbot and certbot-nginx using pip.
  4. Install Docker using the managed installation role.
  5. Execute the PMM installation script using the following command:
    curl -fsSL https://www.percona.com/get/pmm | /bin/bash

Access Rights and Security

Security for the application is enforced through SSL/TLS encryption and specific user permissions within the container:

  • SSL/TLS: Certbot is used to issue and manage SSL certificates for the domain {{ prefix }}{{ server_id }}.{{ zone }}. The certificate is requested with the --nginx plugin to automatically configure Nginx.
  • User Permissions: Inside the pmm-server container, the SSL certificate files and configuration in /srv/nginx/ are owned by the pmm user; the chown that sets this ownership is executed as UID 0 (root) inside the container via docker exec -u 0.
  • Firewall: The host system must allow incoming traffic on standard web ports (80 and 443) to facilitate the Let's Encrypt HTTP challenge and secure HTTPS access.

Docker Containers and Their Deployment

The PMM application runs within a Docker container named pmm-server. The deployment involves copying host-generated SSL assets into the running container:

  • The container is started and managed by the PMM installer.
  • SSL certificates are copied from the host to the container using the docker cp command:
    docker cp -L /etc/letsencrypt/live/{{ prefix }}{{ server_id }}.{{ zone }}/cert.pem pmm-server:/srv/nginx/certificate.crt
    docker cp -L /etc/letsencrypt/live/{{ prefix }}{{ server_id }}.{{ zone }}/privkey.pem pmm-server:/srv/nginx/certificate.key
    docker cp -L /etc/letsencrypt/live/{{ prefix }}{{ server_id }}.{{ zone }}/fullchain.pem pmm-server:/srv/nginx/ca-certs.pem
    docker cp /etc/letsencrypt/ssl-dhparams.pem pmm-server:/srv/nginx/dhparam.pem
  • Ownership of the copied files is adjusted inside the container (as UID 0) so that the pmm user, under which Nginx reads them, can access them:
    docker exec -i -u 0 pmm-server chown pmm.pmm /srv/nginx/certificate.crt
    docker exec -i -u 0 pmm-server chown pmm.pmm /srv/nginx/certificate.key
    docker exec -i -u 0 pmm-server chown pmm.pmm /srv/nginx/ca-certs.pem
    docker exec -i -u 0 pmm-server chown pmm.pmm /srv/nginx/dhparam.pem
    docker exec -i -u 0 pmm-server chown pmm.pmm /srv/nginx/certificate.conf

Proxy Servers

Nginx acts as the reverse proxy for the PMM application, handling SSL termination and routing traffic to the internal services:

  • Configuration: Nginx is configured within the pmm-server container to use the SSL certificates located in /srv/nginx/.
  • Certbot Integration: The certbot-nginx plugin is used to automatically update Nginx configuration with the new certificates.
  • Service Management: The Nginx service inside the container is managed via supervisorctl.

Permission Settings

File permissions within the pmm-server container are strictly set to ensure the pmm user has the necessary access to SSL assets:

  • All certificate files (certificate.crt, certificate.key, ca-certs.pem, dhparam.pem) and the configuration file (certificate.conf) in /srv/nginx/ are owned by the pmm user and group.
  • These permissions are applied using the chown command executed with root privileges inside the container.

Starting, Stopping, and Updating

The Nginx proxy service within the PMM container is managed using the Supervisor control utility. To apply configuration changes or restart the web server, execute the following command:

docker exec -i pmm-server supervisorctl restart nginx

This command restarts the Nginx service inside the pmm-server container without stopping the entire PMM application stack.
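The certificate copy, ownership fix and Nginx restart described in the Docker Containers section and here form one procedure that has to be repeated every time Certbot renews the certificate. The script below is an added example, not part of the page or of the Percona installer: it wraps that procedure in shell functions, checks the host-side Certbot files before touching the container (all three files present, private key readable by its owner only), and only then copies, re-owns and restarts. The container name, the environment variable PMM_DEPLOY_DOMAIN used to trigger a run, and the use of openssl on the host to print the deployed certificate's expiry are assumptions of this example.

```shell
#!/bin/sh
# Added example (not the page's or Percona's code): push renewed Let's Encrypt
# files into the pmm-server container and restart Nginx under supervisord.
# Assumed: docker on PATH, the page's /srv/nginx/ layout, container "pmm-server".
set -eu

CONTAINER="${PMM_CONTAINER:-pmm-server}"

# Map a host Certbot file name to its name inside /srv/nginx/ (page's layout).
# Returns 1 for any file that is not part of the deployment.
pmm_target_name() {
  case "$1" in
    cert.pem)         echo certificate.crt ;;
    privkey.pem)      echo certificate.key ;;
    fullchain.pem)    echo ca-certs.pem ;;
    ssl-dhparams.pem) echo dhparam.pem ;;
    *)                return 1 ;;
  esac
}

# Check the Certbot live directory before copying anything:
#  - cert.pem, privkey.pem and fullchain.pem must exist and be readable
#  - privkey.pem must not be group- or world-readable (stat -L follows the
#    symlink into /etc/letsencrypt/archive/, where the real file lives)
# Returns 0 when every check passes, 1 otherwise; problems go to stderr.
check_host_certs() {
  live_dir="$1"
  rc=0
  for f in cert.pem privkey.pem fullchain.pem; do
    if [ ! -r "$live_dir/$f" ]; then
      echo "missing or unreadable: $live_dir/$f" >&2
      rc=1
    fi
  done
  if [ -e "$live_dir/privkey.pem" ]; then
    mode=$(stat -L -c '%a' "$live_dir/privkey.pem")
    case "$mode" in
      *00) ;;  # group and other digits are zero: owner-only access
      *)   echo "privkey.pem mode $mode grants access beyond the owner" >&2
           rc=1 ;;
    esac
  fi
  return $rc
}

# Copy, re-own and restart, in that order. $1 is the FQDN used by Certbot.
deploy_certs() {
  domain="$1"
  live_dir="/etc/letsencrypt/live/$domain"
  check_host_certs "$live_dir"

  # -L dereferences the live/ symlinks so the archive file itself is copied.
  for f in cert.pem privkey.pem fullchain.pem; do
    docker cp -L "$live_dir/$f" "$CONTAINER:/srv/nginx/$(pmm_target_name "$f")"
  done
  docker cp /etc/letsencrypt/ssl-dhparams.pem \
    "$CONTAINER:/srv/nginx/$(pmm_target_name ssl-dhparams.pem)"

  # chown runs as UID 0 inside the container; pmm:pmm is the owner Nginx
  # runs as (the page uses the older pmm.pmm spelling, which is equivalent).
  for f in certificate.crt certificate.key ca-certs.pem dhparam.pem certificate.conf; do
    docker exec -u 0 "$CONTAINER" chown pmm:pmm "/srv/nginx/$f"
  done
  # Keep the private key owner-only inside the container as well.
  docker exec -u 0 "$CONTAINER" chmod 600 /srv/nginx/certificate.key

  # Reload only Nginx; the rest of the PMM stack keeps running.
  docker exec "$CONTAINER" supervisorctl restart nginx

  # Show what was deployed so an operator can confirm the expiry moved.
  openssl x509 -noout -subject -enddate -in "$live_dir/cert.pem"
}

# Only act when a domain is supplied; sourcing the file defines the functions.
if [ -n "${PMM_DEPLOY_DOMAIN:-}" ]; then
  deploy_certs "$PMM_DEPLOY_DOMAIN"
fi
```

Run it as root after a renewal with `PMM_DEPLOY_DOMAIN=pmm01.example.com sh deploy-pmm-certs.sh` (domain constructed for illustration), or point Certbot's `--deploy-hook` at it so the copy happens automatically. The pre-check is deliberate: a Certbot run that failed half-way leaves a live/ directory whose files no longer match, and copying a mismatched key and certificate into the container takes the PMM web UI down at the restart step.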
