securing grafana, adding more fixes

deploy_all.sh

@@ -20,11 +20,28 @@ else
 fi
 
 # START docker-compose
-docker-compose up -d 
+docker-compose up -d --remove-orphans
 
 # ADD DATASOURCES AND DASHBOARDS
+echo "adding datasources..."
+docker exec -it -u 0 grafana /var/lib/grafana/ds/add_datasources.sh
+
 echo "adding dashboards..."
 docker exec -it -u 0 grafana /var/lib/grafana/ds/add_dashboards.sh
 
-echo "adding datasources..."
-docker exec -it -u 0 grafana /var/lib/grafana/ds/add_datasources.sh
+
+## NOW LET'S SECURE GRAFANA
+# CHECKING OUT ORIGINAL FILE
+#echo -e "checking out original docker-compose.yml"
+#git checkout docker-compose.yml
+
+## STOPPING and REMOVING GRAFANA CONTAINER
+echo -e "stopping & removing grafana container"
+container_id=$(docker container ls | grep grafana| awk '{print $1}')
+docker stop $container_id
+docker rm $container_id
+
+# REPLACING HTTP with HTTPS
+echo -e "changing http to https"
+sed -i 's/GF_SERVER_PROTOCOL: "http"/GF_SERVER_PROTOCOL: "https"/g' docker-compose.yml
+docker-compose up -d grafana

docker-compose.yml

@@ -23,7 +23,7 @@ services:
       INFLUXDB_REPORTING_DISABLED: "true"
       INFLUXDB_DB: telegraf
       INFLUXDB_USER: telegraf
-      INFLUXDB_USER_PASSWORD: nimda
+      INFLUXDB_USER_PASSWORD: nimda321
 
   grafana:
       image: grafana/grafana:5.1.3
@@ -35,15 +35,23 @@ services:
         - private
       volumes:
         - grafana_lib:/var/lib/grafana
+        - /etc/grafana/privkey1.pem:/etc/grafana/privkey1.pem:ro
+        - /etc/grafana/fullchain1.pem:/etc/grafana/fullchain1.pem:ro
         - ${PWD}/grafana/:/var/lib/grafana/ds/
       environment:
-        GF_AUTH_ANONYMOUS_ENABLED: "true"
-        GF_AUTH_ANONYMOUS_ORG_ROLE: "Admin"
+        GF_AUTH_ANONYMOUS_ENABLED: "false"
+        GF_SECURITY_ADMIN_PASSWORD: "nimda321"
+        GF_SECURITY_ADMIN_USER: "admin"
+        GF_SERVER_PROTOCOL: "http"
+        GF_SERVER_DOMAIN: "sebson.ddns.net"
+        GF_SERVER_CERT_FILE: "/etc/grafana/fullchain1.pem"
+        GF_SERVER_CERT_KEY: "/etc/grafana/privkey1.pem"
+        GF_SERVER_METRICS_ENABLED: "true"
+        GF_SERVER_METRICS_INTERVAL_SECONDS: "10"
         INFLUXDB_URI: "http://influxdb:8086"
         INFLUXDB_DB: telegraf
         INFLUXDB_USER: telegraf
-        INFLUXDB_USER_PASSWORD: nimda
-      command: ["bash", "/var/lib/grafana/ds/add_datasources.sh"]
+        INFLUXDB_USER_PASSWORD: nimda321
         
   telegraf:
     image: telegraf:latest
@@ -64,7 +72,7 @@ services:
      - private
     command: "--config.file=/etc/prometheus/prometheus.yml --storage.tsdb.path=/prometheus"
     ports:
-     - 9090:9090
+     - 9091:9090
     depends_on:
      - node_exporter
 
@@ -80,12 +88,24 @@ services:
       - public
       - private
     environment:
-      DOGSNAME:      "Gula&Bodka"
+      DOGSNAME:      "GULA,BODKA"
     command:
-      - "--collector.textfile"
+      - "--collectors.enabled=textfile"
       - "--collector.textfile.directory=/var/lib/node_exporter/textfile_collector/"
     expose:
       - 9100
     ports:
-      - 9100:9100
-
+      - 9101:9100
+  cadvisor:
+    image: google/cadvisor
+    volumes:
+      - /:/rootfs:ro
+      - /var/run:/var/run:rw
+      - /sys:/sys:ro
+      - /var/lib/docker/:/var/lib/docker:ro
+    ports:
+      - 18080:8080
+    networks:
+      - private 
+      - public
+    restart: unless-stopped 

grafana/add_dashboards.sh

@@ -19,7 +19,7 @@ LPURPLE='\033[01;35m'
 LCYAN='\033[01;36m'
 WHITE='\033[01;37m'
 
-GRAFANA_URL=http://admin:admin@localhost:3000
+GRAFANA_URL=http://admin:nimda321@localhost:3000
 
 
 grafana_api() {

grafana/add_datasources.sh

@@ -3,7 +3,7 @@
 
 # ADD INFLUXDB DATASOURCE
 curl -s -H "Content-Type: application/json" \
-    -XPOST http://admin:admin@localhost:3000/api/datasources \
+    -XPOST http://admin:nimda321@localhost:3000/api/datasources \
     -d @- <<EOF
 {
     "name": "influxdb",
@@ -12,14 +12,14 @@ curl -s -H "Content-Type: application/json" \
     "url": "http://influxdb:8086",
     "database": "telegraf",
     "user":"telegraf",
-    "password":"nimda",
+    "password":"nimda321",
     "basicAuth":false
 }
 EOF
 
 ## ADD PROMETHEUS DATASOURCE
 curl -s -H "Content-Type: application/json" \
-    -XPOST http://admin:admin@localhost:3000/api/datasources \
+    -XPOST http://admin:nimda321@localhost:3000/api/datasources \
     -d @- <<EOF
 {
     "name": "prometheus",

prometheus/prometheus.yml

@@ -32,3 +32,7 @@ scrape_configs:
     scrape_interval: "15s"
     static_configs:
       - targets: ['node_exporter:9100']
+  - job_name: 'cadvisor'
+    scrape_interval: "15s"
+    static_configs:
+      - targets: ['cadvisor:8080']

telegraf.conf

@@ -62,7 +62,7 @@ write_consistency = "any"
 ## If not provided, will default to 5s. 0s means no timeout (not recommended).
 timeout = "5s"
 username = "telegraf"
-password = "nimda"
+password = "nimda321"
 ## Set the user agent for HTTP POSTs (can be useful for log differentiation)
 user_agent = "telegraf-agent"
 ## Set UDP payload size, defaults to InfluxDB UDP Client default (512 bytes)

undeploy_all.sh

@@ -13,16 +13,16 @@ do_cleanup () {
 	fi
 
 	
-	read -r -p "Do you want to delete all docker \"bridge\" networks? [y/N] " response
-	if [[ "$response" =~ ^([yY][eE][sS]|[yY])+$ ]]
-	then
-		for n in $(docker network ls | grep "bridge" | awk '/ / { print $1 }'); do
-			echo -e "attempting to delete network: $n"
-			docker network rm $n || echo "cannot remove: $n"
-		done
-	else
-        	echo -e "'no' chosen"
-	fi
+#	read -r -p "Do you want to delete all docker \"bridge\" networks? [y/N] " response
+#	if [[ "$response" =~ ^([yY][eE][sS]|[yY])+$ ]]
+#	then
+#		for n in $(docker network ls | grep "bridge" | awk '/ / { print $1 }'); do
+#			echo -e "attempting to delete network: $n"
+#			docker network rm $n || echo "cannot remove: $n"
+#		done
+#	else
+#        	echo -e "'no' chosen"
+#	fi
 
 	read -r -p "Do you want to delete all docker dangling images? [y/N] " response
 	if [[ "$response" =~ ^([yY][eE][sS]|[yY])+$ ]]