Deployment Overview of Prometheus on Server¶

Prerequisites and Basic Requirements¶

Operating System: Ubuntu (compatible with Docker Engine).
Privileges: Root access or sudo privileges are required for container management and file system operations.
Domain Zone: hostkey.in.
Ports:
Internal Application Port: 9090.
External HTTPS Port: 443.
Network: Docker Engine must be installed and running on the host system.

FQDN of the Final Panel¶

The application is accessible via the hostkey.in domain. The fully qualified domain name (FQDN) follows the format: prometheus<Server ID>.hostkey.in:443

Replace <Server ID> with the specific identifier assigned to the server instance.

File and Directory Structure¶

The deployment utilizes the following directory structure for data storage and configuration:

Prometheus Data Directory: /srv/prometheus
Prometheus Configuration Directory: /srv/prometheus/config
Nginx and Certbot Configuration: /root/nginx
Nginx User Configuration: /data/nginx/user_conf.d

Application Installation Process¶

The application is deployed as a Docker container using the official Prometheus image. The installation process includes the following steps:

Ensure Docker Engine is installed and active on the Ubuntu host.
Create the necessary directories for persistent data and configuration files:
/srv/prometheus
/srv/prometheus/config
Initialize the Prometheus configuration file prometheus.yml within the configuration directory with default scrape settings.
Deploy the Prometheus container with the following parameters:
Image: prom/prometheus:v3.0.0
Container Name: prometheus
Restart Policy: always
Ports: Maps host port 9090 to container port 9090.
Volumes:
- Mounts /srv/prometheus/config/prometheus.yml to /etc/prometheus/prometheus.yml.
- Mounts /srv/prometheus to /prometheus for time-series data storage.
Command Flags:
- --config.file=/etc/prometheus/prometheus.yml
- --storage.tsdb.path=/prometheus
- --web.console.libraries=/etc/prometheus/console_libraries
- --web.console.templates=/etc/prometheus/consoles
- --web.enable-lifecycle

Access Rights and Security¶

Firewall: The host must allow incoming traffic on port 9090 for direct container access and port 443 for the reverse proxy.
User Permissions: The Prometheus data directory is owned by user ID 65534 (nobody) and group ID 65534.
Directory Permissions:
The Prometheus data directory is set to mode 0775 with recursive application.
The Nginx configuration directory is owned by root:root with mode 0755.

Docker Containers and Their Deployment¶

The system consists of two primary Docker components: the Prometheus application and the Nginx reverse proxy with Certbot.

Prometheus Container The Prometheus container is managed individually using docker_container logic with the following specifications:

Image: prom/prometheus:v3.0.0
State: Started with always restart policy.
Network: Exposed directly on the host interface.

Nginx and Certbot Containers The reverse proxy and SSL certificate management are handled via a Docker Compose stack located at /root/nginx/compose.yml.

Nginx Service:
Image: jonasal/nginx-certbot:latest
Restart Policy: unless-stopped
Network Mode: host
Environment:
- CERTBOT_EMAIL: [email protected]
Volumes:
- nginx_secrets (external) mounted to /etc/letsencrypt.
- Host path /data/nginx/user_conf.d mounted to /etc/nginx/user_conf.d.

Proxy Servers¶

Access to the Prometheus panel is routed through an Nginx reverse proxy which also handles SSL termination using Let's Encrypt.

Proxy Configuration: The Nginx configuration file is located at /data/nginx/user_conf.d/prometheus<Server ID>.hostkey.in.conf.
Proxy Pass: Traffic is forwarded from the external Nginx listener to the internal Prometheus container at http://127.0.0.1:9090.
SSL/TLS: Managed automatically by the jonasal/nginx-certbot container, which issues and renews certificates for the hostkey.in zone.
Paths:
Internal Path: /
External Path: /

Permission Settings¶

File and directory permissions are configured to ensure secure operation of the services:

/srv/prometheus and /srv/prometheus/config:
Owner: 65534:65534
Mode: 0775 (recursive for data directory).
/root/nginx:
Owner: root:root
Mode: 0755.
/root/nginx/compose.yml:
Owner: root:root
Mode: 0644.
/data/nginx/user_conf.d:
Mounted into the Nginx container; permissions on the host directory ensure Nginx can read the configuration files.

Location of Configuration Files and Data¶

File/Directory	Path	Description
Prometheus Configuration	`/srv/prometheus/config/prometheus.yml`	Main configuration file defining scrape jobs and intervals.
Prometheus Data	`/srv/prometheus`	Persistent storage for time-series database (TSDB).
Nginx Compose File	`/root/nginx/compose.yml`	Docker Compose definition for the reverse proxy.
Nginx SSL Secrets	`nginx_secrets` volume	Let's Encrypt certificates and keys.
Custom Nginx Config	`/data/nginx/user_conf.d/prometheus<Server ID>.hostkey.in.conf`	Virtual host configuration for the domain.

Available Ports for Connection¶

Port 9090: Direct access to the Prometheus web interface (internal or host-accessible).
Port 443: Secure HTTPS access via the Nginx reverse proxy for the hostkey.in domain.

Starting, Stopping, and Updating¶

Prometheus Service Management

Start/Restart: Managed automatically by the Docker container restart policy (always). To manually restart the container, use standard Docker commands (e.g., docker restart prometheus).
Stop: To stop the service, use docker stop prometheus.

Nginx and Certbot Service Management The reverse proxy stack is managed via Docker Compose from the /root/nginx directory:

Start/Restart:
```
docker compose up -d
```
Execute this command within the /root/nginx directory.
Stop:
```
docker compose down
```

Update: Pull the latest images and redeploy:

docker compose pull && docker compose up -d

To update the Prometheus application version, modify the image tag in the deployment logic to the desired version and restart the container.