
Deployment Overview of Percona Monitoring on Server

Prerequisites and Basic Requirements

The deployment of Percona Monitoring and Management (PMM) requires a server running a compatible Linux distribution, specifically Ubuntu. The following prerequisites must be met before initiating the installation:

  • Operating System: Ubuntu (version not specified, assumed to support APT).

  • Privileges: Root or sudo access is required to install packages, configure Docker, and manage system services.

  • Package Managers: The system must have access to the APT repository and the Python 3 package installer (pip3).

  • Network Connectivity: The server requires outbound internet access to download the PMM installer, Docker components, and certificate authority resources.

  • Domain Configuration: A domain name on the hostkey.in zone must be configured and resolved to the server's public IP address.

FQDN of the Final Panel

The application is accessible via a fully qualified domain name (FQDN) constructed using the server-specific identifier. The standard format for accessing the Percona Monitoring interface is:

percona<Server ID>.hostkey.in:443

Where <Server ID> is replaced by the specific identifier assigned to the server instance. The service utilizes HTTPS on port 443.

File and Directory Structure

The deployment organizes files and directories into the following locations on the host system and within the container:

  • Host System Configuration:

    • SSL Certificates: /etc/letsencrypt/live/percona<Server ID>.hostkey.in/

    • DH Parameters: /etc/letsencrypt/ssl-dhparams.pem

  • Container Internal Paths (PMM Server):

    • SSL Certificate: /srv/nginx/certificate.crt

    • SSL Private Key: /srv/nginx/certificate.key

    • CA Chain: /srv/nginx/ca-certs.pem

    • DH Parameters: /srv/nginx/dhparam.pem

    • Nginx Configuration: /srv/nginx/certificate.conf

Application Installation Process

The application is installed using the official Percona installer script, which is executed via the shell. The process includes system updates, dependency installation, and the deployment of the PMM agent and server.

  1. System Updates: All APT packages are updated and upgraded to the latest available versions.

  2. Dependency Installation: The following packages are installed on the host:

    • nginx

    • python3-pip

  3. Python Tools: The certbot and certbot-nginx packages are installed via pip.

  4. Docker Engine: The Docker runtime is installed and configured on the host.

  5. PMM Installation: The Percona Monitoring and Management suite is installed by executing the official download script:

    curl -fsSL https://www.percona.com/get/pmm | /bin/bash

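The five installation steps above, together with the Certbot issuance described under Access Rights and Security, written out as one host-side script. This is an added example, not HOSTKEY's or Percona's own installer. It assumes things the page does not state: that the Docker engine comes from Ubuntu's docker.io package, that the certificate is requested with certbot's nginx plugin in certonly mode (only the files are needed, since they are copied into the container afterwards), and that the operator passes the server's public IP so the domain-resolution prerequisite can be checked before anything is installed.

```shell
#!/bin/sh
# pmm-bootstrap.sh: host-side bootstrap of a PMM server on Ubuntu following
# the five installation steps on the page, plus certificate issuance for the
# panel FQDN. Added example; not HOSTKEY's or Percona's own installer.
# Assumptions not stated on the page: Docker engine from the Ubuntu docker.io
# package; certbot certonly --nginx for the certificate; the public IP is
# supplied by the operator for the DNS precheck.
set -eu
export DEBIAN_FRONTEND=noninteractive

DRY_RUN="${DRY_RUN:-0}"   # DRY_RUN=1 prints each command instead of running it

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '+ %s\n' "$*"; else "$@"; fi
}

# Preflight: the FQDN must already resolve to the server's public address.
fqdn_resolves_to() {
    getent ahosts "$1" 2>/dev/null | awk '{print $1}' | grep -qx "$2"
}

# Steps 1-4: package update, host packages, certbot via pip, Docker engine.
install_host_deps() {
    run apt-get update
    run apt-get -y upgrade
    run apt-get -y install nginx python3-pip
    run pip3 install certbot certbot-nginx
    run apt-get -y install docker.io     # assumption: Ubuntu-packaged engine
    run systemctl enable --now docker
}

# Step 5: download the official installer to a file and fail closed on an
# empty or truncated download before handing it to bash, instead of piping
# curl straight into a shell; the file can also be inspected at this point.
install_pmm() {
    tmp=$(mktemp)
    run curl -fsSL https://www.percona.com/get/pmm -o "$tmp"
    if [ "$DRY_RUN" != 1 ] && [ ! -s "$tmp" ]; then
        echo "downloaded installer is empty" >&2
        rm -f "$tmp"
        return 1
    fi
    run /bin/bash "$tmp"
    rm -f "$tmp"
}

# Issue the Let's Encrypt certificate with certbot's nginx plugin; the files
# land in /etc/letsencrypt/live/<fqdn>/ as the page's file layout expects.
issue_cert() {
    run certbot certonly --nginx -d "$1" -m "$2" --agree-tos --non-interactive
}

main() {
    if [ $# -ne 3 ]; then
        echo "usage: $0 <fqdn> <public-ip> <contact-email>" >&2
        exit 2
    fi
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
    fqdn_resolves_to "$1" "$2" || { echo "$1 does not resolve to $2" >&2; exit 1; }
    install_host_deps
    # Certificate first, while the host nginx still answers the HTTP-01
    # challenge on port 80; the PMM container is started afterwards.
    issue_cert "$1" "$3"
    install_pmm
}

# Run main only when executed as pmm-bootstrap.sh, not when sourced for testing.
case "${0##*/}" in pmm-bootstrap.sh) main "$@" ;; esac
```

Run it as `sh pmm-bootstrap.sh percona<Server ID>.hostkey.in <public-ip> <contact-email>`; with `DRY_RUN=1` it only prints the commands it would execute, which is a convenient way to review the sequence before touching a fresh server. The installer is saved to a file rather than piped into bash so that a failed or partial download stops the run and the script can be read before it executes.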
Access Rights and Security

Security measures implemented during the deployment include SSL/TLS encryption and file permission hardening:

  • SSL Certificates: A TLS certificate is issued via Certbot for the specific domain.

  • Certificate Injection: Certificates are copied from the host's Let's Encrypt directory into the pmm-server container.

  • File Ownership: Inside the container, ownership of certificate files and configuration files is set to the pmm user and pmm group to restrict access:

    • /srv/nginx/certificate.crt

    • /srv/nginx/certificate.key

    • /srv/nginx/ca-certs.pem

    • /srv/nginx/dhparam.pem

    • /srv/nginx/certificate.conf

Docker Containers and Their Deployment

The Percona Monitoring application runs within a Docker container managed as a single instance named pmm-server. The deployment involves:

  • Container Name: pmm-server

  • Internal Service Management: The container uses Supervisor to manage internal services, including Nginx.

  • Certificate Integration: Certificates are injected into the running container using docker cp, and the Nginx service within the container is restarted to apply the new SSL configuration.

Proxy Servers

Nginx is deployed both on the host system (as a dependency for Certbot) and inside the pmm-server container to handle reverse proxying and SSL termination.

  • SSL Provider: Certbot is used to issue and manage Let's Encrypt certificates.

  • Configuration: Nginx inside the container is configured to use the copied certificate files located in /srv/nginx/.

  • Service Restart: After certificate updates, the internal Nginx service is restarted via the Supervisor control interface using the command supervisorctl restart nginx.

Permission Settings

Specific file permissions and ownership are applied to ensure the security of cryptographic keys and certificates within the container:

  • User/Group: pmm:pmm

  • Files:

    • certificate.crt

    • certificate.key

    • ca-certs.pem

    • dhparam.pem

    • certificate.conf

These permissions are enforced by executing chown commands within the Docker container immediately after the files are copied.

Location of Configuration Files and Data

Configuration files and SSL data reside in the following locations:

  • Host SSL Directory: /etc/letsencrypt/live/percona<Server ID>.hostkey.in/

  • Host DH Parameters: /etc/letsencrypt/ssl-dhparams.pem

  • Container Nginx Directory: /srv/nginx/

    • Contains active certificates, private keys, and Nginx configuration files.

Available Ports for Connection

The application exposes the web interface via the standard HTTPS port:

  • Port 443: HTTPS (Secure HTTP) for accessing the Percona Monitoring panel.

Starting, Stopping, and Updating

The Nginx component inside the Docker container is managed through the Supervisor utility.

  • Restart Nginx: To apply configuration changes or reload certificates, the Nginx service is restarted using:

    docker exec -i pmm-server supervisorctl restart nginx

  • Container Management: The container pmm-server can be managed using standard Docker commands (e.g., docker start, docker stop, docker restart) on the host system.
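The certificate injection, ownership fix and Nginx restart described under Access Rights and Security, Permission Settings and this section, as one script that can be re-run after every issuance or renewal. This is an added example, not HOSTKEY's or Percona's own code. It assumes certbot's standard file names (fullchain.pem, privkey.pem, chain.pem) and the host-to-container mapping in file_map, neither of which the page spells out, and it adds two things beyond the page's chown: a chmod 600 on the private key, and an ownership check that must pass before Nginx is restarted.

```shell
#!/bin/sh
# pmm-certs.sh: copy the Let's Encrypt certificate for the panel FQDN into
# the pmm-server container, set pmm:pmm ownership, verify it and restart the
# in-container nginx through supervisorctl.
# Added example; not HOSTKEY's or Percona's own script.
# Assumptions not stated on the page: certbot's standard file names and the
# host-to-container mapping in file_map; GNU stat inside the image. The
# chmod 600 on the private key is extra hardening beyond the page's chown.
set -eu

CONTAINER="${PMM_CONTAINER:-pmm-server}"
DOCKER="${PMM_DOCKER:-docker}"   # overridable so the sequence can be exercised without Docker
LIVE_DIR=/etc/letsencrypt/live
DH_PARAMS=/etc/letsencrypt/ssl-dhparams.pem
NGINX_DIR=/srv/nginx

# usage: inject_pmm_certs <fqdn>
inject_pmm_certs() {
    fqdn="$1"
    # host source -> container destination, one "src:dst" pair per line
    file_map="
$LIVE_DIR/$fqdn/fullchain.pem:$NGINX_DIR/certificate.crt
$LIVE_DIR/$fqdn/privkey.pem:$NGINX_DIR/certificate.key
$LIVE_DIR/$fqdn/chain.pem:$NGINX_DIR/ca-certs.pem
$DH_PARAMS:$NGINX_DIR/dhparam.pem
"
    for pair in $file_map; do
        src="${pair%%:*}"
        dst="${pair#*:}"
        # -L: entries under /etc/letsencrypt/live are symlinks into
        # ../../archive; without it docker cp would copy the dangling link.
        "$DOCKER" cp -L "$src" "$CONTAINER:$dst"
        "$DOCKER" exec "$CONTAINER" chown pmm:pmm "$dst"
    done
    "$DOCKER" exec "$CONTAINER" chmod 600 "$NGINX_DIR/certificate.key"
    "$DOCKER" exec "$CONTAINER" chown pmm:pmm "$NGINX_DIR/certificate.conf"
    # Refuse to restart nginx if ownership did not end up as expected.
    verify_pmm_cert_owner
    "$DOCKER" exec "$CONTAINER" supervisorctl restart nginx
}

# Returns 0 when every file nginx needs under /srv/nginx is owned by pmm:pmm.
verify_pmm_cert_owner() {
    for f in certificate.crt certificate.key ca-certs.pem dhparam.pem certificate.conf; do
        owner=$("$DOCKER" exec "$CONTAINER" stat -c '%U:%G' "$NGINX_DIR/$f")
        if [ "$owner" != "pmm:pmm" ]; then
            echo "$NGINX_DIR/$f is owned by '$owner', expected pmm:pmm" >&2
            return 1
        fi
    done
    return 0
}

main() {
    if [ $# -ne 1 ]; then
        echo "usage: $0 <fqdn>   e.g. percona<Server ID>.hostkey.in" >&2
        exit 2
    fi
    inject_pmm_certs "$1"
}

# Run main only when executed as pmm-certs.sh, not when sourced for testing.
case "${0##*/}" in pmm-certs.sh) main "$@" ;; esac
```

Run it as `sh pmm-certs.sh percona<Server ID>.hostkey.in`. The docker command is read from PMM_DOCKER so the whole sequence can be exercised against a stub; the -L on docker cp matters because the files under live/ are symlinks into archive/, and copying the link itself leaves Nginx in the container with an unreadable certificate and key.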
