Grafana & influxDB on Debian 10
goals:
- secure connected grafana dashboard
- reverse proxy served on port 443 for grafana
- secure influxdb installation with collectd support
- privilege separation for db management
getting started
install grafana
## install dependencies (nginx is used later as the reverse proxy)
> apt install apt-transport-https software-properties-common gnupg nginx
## add grafana key
## note: the key is downloaded and trusted in one step; compare its fingerprint with the one the vendor publishes before relying on it
## note: apt-key add puts the key into apt's global trusted keyring, so it is accepted for every configured repository;
##       a dedicated keyring file referenced with signed-by in the sources.list entry limits it to this repository
> wget -q -O - https://packages.grafana.com/gpg.key | <sudo> apt-key add -
## paste grafana repo in /etc/apt/sources.list.d/grafana.list
## note: tee -a appends, so running this step twice leaves a duplicate entry in the file
> echo "deb https://packages.grafana.com/oss/deb stable main" | <sudo> tee -a /etc/apt/sources.list.d/grafana.list
## refresh repo and install grafana
> apt update ; apt install grafana
## start and enable service
> systemctl enable grafana-server
> systemctl start grafana-server
install influxdb
## add influxdb key
## note: apt-key add trusts this key for every configured repository, not only for the influxdb one;
##       compare the key fingerprint with the one the vendor publishes before relying on it
> wget -qO- https://repos.influxdata.com/influxdb.key | <sudo> apt-key add -
## paste influxdb repo in /etc/apt/sources.list.d/influxdb.list
> echo "deb https://repos.influxdata.com/debian buster stable" | <sudo> tee -a /etc/apt/sources.list.d/influxdb.list
## refresh repo and install influxdb
> apt update ; apt install influxdb
## generate self signed certificates
## -nodes writes the private key without a passphrase, so file permissions are its only protection
## the XX fields are placeholders; CN should carry the server's host name if any client is ever meant to verify the certificate
## -days 365: the certificate expires after one year and has to be regenerated
> openssl req -x509 -nodes -subj "/C=XX/ST=XX/L=XX/O=XX/OU=XX/CN=XX" -newkey rsa:4096 -keyout /etc/ssl/influxdb.key -out /etc/ssl/influxdb.crt -days 365
## hand both files to the influxdb service user
## NOTE(review): confirm that influxdb.key is not readable by other users (e.g. mode 600); no mode is set on this page
> chown -R influxdb:influxdb /etc/ssl/influxdb.*
## start and enable service
> systemctl enable influxdb
> systemctl start influxdb
reverse proxy
## generate self signed certificates
## browsers will warn about this certificate because no CA they trust has signed it
## -nodes writes nginx.key without a passphrase; NOTE(review): confirm the key file is readable by root only
> openssl req -x509 -nodes -subj "/C=XX/ST=XX/L=XX/O=XX/OU=XX/CN=XX" -newkey rsa:4096 -keyout /etc/ssl/nginx.key -out /etc/ssl/nginx.crt -days 365
## configure /etc/nginx/sites-available/default
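# Port 80 only redirects to HTTPS, so the Grafana login is never sent over plain HTTP.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name example.com;
    return 301 https://$host$request_uri;
}

# TLS endpoint: terminates HTTPS with the self-signed certificate and forwards to Grafana.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.com;
    ssl_certificate /etc/ssl/nginx.crt;
    ssl_certificate_key /etc/ssl/nginx.key;
    location / {
        # pass the original Host header on so Grafana sees the name the client used
        proxy_set_header Host $http_host;
        # NOTE(review): Grafana's own listener on port 3000 is not restricted anywhere on this page;
        # binding it to 127.0.0.1 (http_addr in the [server] section of /etc/grafana/grafana.ini)
        # keeps clients from bypassing this proxy
        proxy_pass http://localhost:3000;
    }
}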
## restart nginx
> systemctl restart nginx
setup influxdb incl. collectd
## edit /etc/influxdb/influxdb.conf
# influxdb.conf for this setup: storage paths plus HTTPS on the HTTP API.
# Sections left empty below set no keys in this file.
[meta]
dir = "/var/lib/influxdb/meta"
[data]
dir = "/var/lib/influxdb/data"
wal-dir = "/var/lib/influxdb/wal"
series-id-set-cache-size = 100
[coordinator]
[retention]
[shard-precreation]
[monitor]
[http]
# serve the HTTP API over TLS, using the certificate and key written to /etc/ssl by the openssl step
# NOTE(review): auth-enabled is not set in this version of the file, so until it is added the API
# accepts unauthenticated requests; presumably the default bind address (all interfaces) applies
# because none is set here, so keep port 8086 unreachable from other hosts during this step
https-enabled = true
https-certificate = "/etc/ssl/influxdb.crt"
https-private-key = "/etc/ssl/influxdb.key"
[logging]
[subscriber]
[[graphite]]
[[collectd]]
[[opentsdb]]
[[udp]]
[continuous_queries]
# NOTE(review): empty, so no minimum TLS version or cipher list is pinned here; confirm the defaults of the installed version
[tls]
## restart service
> systemctl restart influxdb
## check tls connection
## -unsafeSsl skips certificate verification; it is needed because the certificate is self-signed,
## and it means the identity of the server is not checked
> influx -ssl -unsafeSsl -host example.com
## create db admin
CREATE USER <username> WITH PASSWORD '<password>' WITH ALL PRIVILEGES
## create user only for read access
CREATE USER user WITH PASSWORD '<password>'
## create user telegraf
CREATE USER telegraf WITH PASSWORD '<password>'
## create user collectd
CREATE USER collectd WITH PASSWORD '<password>'
## add authentication to /etc/influxdb/influxdb.conf
[http]
# require credentials on HTTP API requests; the admin user was created beforehand so an administrator can still log in afterwards
auth-enabled = true # add this
https-enabled = true
https-certificate = "/etc/ssl/influxdb.crt"
https-private-key = "/etc/ssl/influxdb.key"
## restart service
> systemctl restart influxdb
## login with
## note: a password given after -password ends up in the shell history and is visible in the process list;
##       passing -password '' makes influx prompt for it instead
> influx -ssl -unsafeSsl -host example.com -username user -password <password>
## create telegraf database
CREATE DATABASE telegraf
## add read only user to telegraf database
GRANT READ ON telegraf TO user
## grant the telegraf user full access to the telegraf database
GRANT ALL ON telegraf TO telegraf
## create collectd database
CREATE DATABASE collectd
## add read only user to collectd database
GRANT READ ON collectd TO user
## grant the collectd user full access to the collectd database
GRANT ALL ON collectd TO collectd
## now we can log in to the grafana dashboard and connect to influxdb
## setup influxdb data source like:
> URL:
* https://localhost:8086
> Auth:
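* Skip TLS Verify = true # turns certificate verification off; needed for the self-signed certificate, and the connection stays on localhost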
> Database
* telegraf
> User
* user # the read only user
## for collectd support edit /etc/influxdb/influxdb.conf
# collectd input: accepts metrics from collectd clients and stores them in the "collectd" database
[[collectd]]
enabled = true
# no host part is given, so the listener is not limited to one address
bind-address = ":25826"
database = "collectd"
retention-policy = ""
batch-size = 5000
batch-pending = 10
batch-timeout = "10s"
read-buffer = 0
# types.db is downloaded to this path in the following step
typesdb = "/usr/share/collectd/types.db"
# matches SecurityLevel Encrypt in the client example further down
# NOTE(review): presumably packets that are not encrypted are rejected at this level; confirm
security-level = "encrypt"
# file with the user/password entries that clients authenticate with
auth-file = "/etc/collectd/auth_file"
parse-multivalue-plugin = "split"
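## make directories and download types.db
> mkdir -p /usr/share/collectd/collectd
## note: types.db is taken from the master branch, so its content can change from one download to the next
> wget -P /usr/share/collectd/ https://raw.githubusercontent.com/collectd/collectd/master/src/types.db
> chown -R influxdb:influxdb /usr/share/collectd/
## auth_file is a regular file (it is filled in the next step), so mkdir only creates its parent directory
> mkdir -p /etc/collectd
> touch /etc/collectd/auth_file
> chown influxdb:influxdb /etc/collectd/auth_file
## the file holds the collectd password in clear text: readable and writable by the influxdb user only
> chmod 600 /etc/collectd/auth_file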
## setup auth_file on /etc/collectd/auth_file
collectd: <password>
## restart service
> systemctl restart influxdb
## wait a second and check that the service is still running
> systemctl status influxdb
## now we can log into grafana
## setup influxdb data source like:
> URL:
* https://localhost:8086
> Auth:
* Skip TLS Verify = true
> Database
* collectd
> User
* user # the read only user
## collectd openbsd example file /etc/collectd.conf
# Example collectd client configuration (OpenBSD paths): collects local metrics
# and sends them to the InfluxDB collectd listener on port 25826.
Hostname "example.com"
FQDNLookup true
BaseDir "/var/collectd"
PIDFile "/var/collectd/collectd.pid"
TypesDB "/usr/local/share/collectd/types.db"
# seconds between two collections
Interval 10.0
# Client: plugins to load
LoadPlugin "network"
LoadPlugin "interface"
LoadPlugin "logfile"
LoadPlugin "cpu"
LoadPlugin "memory"
LoadPlugin "swap"
<Plugin interface>
Interface "vr0"
Interface "vr1"
Interface "vr2"
# false: the interfaces listed above are the ones that get collected
IgnoreSelected false
</Plugin>
# Client: where the network plugin sends the metrics
<Plugin network>
<Server "example.com" "25826">
# has to match security-level = "encrypt" on the InfluxDB side
SecurityLevel Encrypt
# user name and password must match the collectd entry in the server's auth_file
Username "collectd"
# the password is stored here in clear text
# NOTE(review): limit read access to this file to root
Password "<password>"
Interface "vio0"
</Server>
TimeToLive 128
MaxPacketSize 1452
</Plugin>
See: TypesDB
24-10-2020