securing grafana, adding more fixes

This commit is contained in:
seba 2018-06-17 13:05:55 +02:00
parent 0d34d60b40
commit b6bc290f99
8 changed files with 2244 additions and 28 deletions


@ -20,11 +20,28 @@ else
fi fi
# START docker-compose # START docker-compose
docker-compose up -d docker-compose up -d --remove-orphans
# ADD DATASOURCES AND DASHBOARDS # ADD DATASOURCES AND DASHBOARDS
echo "adding datasources..."
docker exec -it -u 0 grafana /var/lib/grafana/ds/add_datasources.sh
echo "adding dashboards..." echo "adding dashboards..."
docker exec -it -u 0 grafana /var/lib/grafana/ds/add_dashboards.sh docker exec -it -u 0 grafana /var/lib/grafana/ds/add_dashboards.sh
echo "adding datasources..."
docker exec -it -u 0 grafana /var/lib/grafana/ds/add_datasources.sh ## NOW LET'S SECURE GRAFANA
# CHECKING OUT ORIGINAL FILE
#echo -e "checking out original docker-compose.yml"
#git checkout docker-compose.yml
## STOPPING and REMOVING GRAFANA CONTAINER
echo -e "stopping & removing grafana container"
container_id=$(docker container ls | grep grafana| awk '{print $1}')
docker stop $container_id
docker rm $container_id
# REPLACING HTTP with HTTPS
echo -e "changing http to https"
sed -i 's/GF_SERVER_PROTOCOL: "http"/GF_SERVER_PROTOCOL: "https"/g' docker-compose.yml
docker-compose up -d grafana
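Review bot: The lookup on the `container_id=$(docker container ls | grep grafana| awk '{print $1}')` line matches any running container whose name or image contains "grafana", and `docker stop $container_id` is unquoted, so a second match (or no match) makes the stop/remove step misfire. The container is already addressed by name on the `docker exec ... grafana` lines, so `docker stop grafana && docker rm grafana` (or `docker-compose stop grafana && docker-compose rm -f grafana`) is both shorter and exact. The `sed -i` on docker-compose.yml also persists the protocol flip in a tracked file, so a rerun of this script would bring Grafana up on https while the `docker exec` datasource/dashboard steps still appear to use plain http URLs; the commented-out `git checkout` lines suggest this was noticed, and restoring the file on exit with a `trap`, or making the compose file https from the start, would avoid the drift. This hunk is the tail of a flat script whose earlier lines are outside the view.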


@ -23,7 +23,7 @@ services:
INFLUXDB_REPORTING_DISABLED: "true" INFLUXDB_REPORTING_DISABLED: "true"
INFLUXDB_DB: telegraf INFLUXDB_DB: telegraf
INFLUXDB_USER: telegraf INFLUXDB_USER: telegraf
INFLUXDB_USER_PASSWORD: nimda INFLUXDB_USER_PASSWORD: nimda321
grafana: grafana:
image: grafana/grafana:5.1.3 image: grafana/grafana:5.1.3
@ -35,15 +35,23 @@ services:
- private - private
volumes: volumes:
- grafana_lib:/var/lib/grafana - grafana_lib:/var/lib/grafana
- /etc/grafana/privkey1.pem:/etc/grafana/privkey1.pem:ro
- /etc/grafana/fullchain1.pem:/etc/grafana/fullchain1.pem:ro
- ${PWD}/grafana/:/var/lib/grafana/ds/ - ${PWD}/grafana/:/var/lib/grafana/ds/
environment: environment:
GF_AUTH_ANONYMOUS_ENABLED: "true" GF_AUTH_ANONYMOUS_ENABLED: "false"
GF_AUTH_ANONYMOUS_ORG_ROLE: "Admin" GF_SECURITY_ADMIN_PASSWORD: "nimda321"
GF_SECURITY_ADMIN_USER: "admin"
GF_SERVER_PROTOCOL: "http"
GF_SERVER_DOMAIN: "sebson.ddns.net"
GF_SERVER_CERT_FILE: "/etc/grafana/fullchain1.pem"
GF_SERVER_CERT_KEY: "/etc/grafana/privkey1.pem"
GF_SERVER_METRICS_ENABLED: "true"
GF_SERVER_METRICS_INTERVAL_SECONDS: "10"
INFLUXDB_URI: "http://influxdb:8086" INFLUXDB_URI: "http://influxdb:8086"
INFLUXDB_DB: telegraf INFLUXDB_DB: telegraf
INFLUXDB_USER: telegraf INFLUXDB_USER: telegraf
INFLUXDB_USER_PASSWORD: nimda INFLUXDB_USER_PASSWORD: nimda321
command: ["bash", "/var/lib/grafana/ds/add_datasources.sh"]
telegraf: telegraf:
image: telegraf:latest image: telegraf:latest
@ -64,7 +72,7 @@ services:
- private - private
command: "--config.file=/etc/prometheus/prometheus.yml --storage.tsdb.path=/prometheus" command: "--config.file=/etc/prometheus/prometheus.yml --storage.tsdb.path=/prometheus"
ports: ports:
- 9090:9090 - 9091:9090
depends_on: depends_on:
- node_exporter - node_exporter
@ -80,12 +88,24 @@ services:
- public - public
- private - private
environment: environment:
DOGSNAME: "Gula&Bodka" DOGSNAME: "GULA,BODKA"
command: command:
- "--collector.textfile" - "--collectors.enabled=textfile"
- "--collector.textfile.directory=/var/lib/node_exporter/textfile_collector/" - "--collector.textfile.directory=/var/lib/node_exporter/textfile_collector/"
expose: expose:
- 9100 - 9100
ports: ports:
- 9100:9100 - 9101:9100
cadvisor:
image: google/cadvisor
volumes:
- /:/rootfs:ro
- /var/run:/var/run:rw
- /sys:/sys:ro
- /var/lib/docker/:/var/lib/docker:ro
ports:
- 18080:8080
networks:
- private
- public
restart: unless-stopped
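Review bot: The new admin secret on the `GF_SECURITY_ADMIN_PASSWORD: "nimda321"` line is committed in clear text to a tracked compose file, and the same literal is reused as the InfluxDB password (`INFLUXDB_USER_PASSWORD: nimda321`, twice in this section) and again in the two Grafana API scripts and telegraf.conf further down the commit, so rotating it means editing five files in lockstep. Read it from the environment instead, `GF_SECURITY_ADMIN_PASSWORD: "${GRAFANA_ADMIN_PASSWORD}"`, with the value in an untracked `.env` file that the scripts source as well. Separately, the added cadvisor service mounts `/var/run` read-write, which gives the container write access to the Docker socket; cAdvisor's own run examples mount it read-only, so `- /var/run:/var/run:ro` should be enough to try first, and `image: google/cadvisor` without a tag will drift on every pull. That service is also published on `18080:8080` and attached to both networks with nothing in front of it, which is worth a deliberate decision given the commit's goal.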


@ -19,7 +19,7 @@ LPURPLE='\033[01;35m'
LCYAN='\033[01;36m' LCYAN='\033[01;36m'
WHITE='\033[01;37m' WHITE='\033[01;37m'
GRAFANA_URL=http://admin:admin@localhost:3000 GRAFANA_URL=http://admin:nimda321@localhost:3000
grafana_api() { grafana_api() {
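Review bot: `GRAFANA_URL=http://admin:nimda321@localhost:3000` embeds the admin password in every URL the script builds, so it will show up in `ps` output, `set -x` traces and possibly in curl error messages; it is also hard-wired to http, which would stop working once the deploy script flips Grafana to https. Keep the URL credential-free, e.g. `GRAFANA_URL=${GRAFANA_URL:-http://localhost:3000}`, and supply the login separately inside `grafana_api()` from an environment variable or a curl `--netrc-file`, so the password lives in one untracked place. `grafana_api()` starts on the last line of this hunk and its body is outside it.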


@ -3,7 +3,7 @@
# ADD INFLUXDB DATASOURCE # ADD INFLUXDB DATASOURCE
curl -s -H "Content-Type: application/json" \ curl -s -H "Content-Type: application/json" \
-XPOST http://admin:admin@localhost:3000/api/datasources \ -XPOST http://admin:nimda321@localhost:3000/api/datasources \
-d @- <<EOF -d @- <<EOF
{ {
"name": "influxdb", "name": "influxdb",
@ -12,14 +12,14 @@ curl -s -H "Content-Type: application/json" \
"url": "http://influxdb:8086", "url": "http://influxdb:8086",
"database": "telegraf", "database": "telegraf",
"user":"telegraf", "user":"telegraf",
"password":"nimda", "password":"nimda321",
"basicAuth":false "basicAuth":false
} }
EOF EOF
## ADD PROMETHEUS DATASOURCE ## ADD PROMETHEUS DATASOURCE
curl -s -H "Content-Type: application/json" \ curl -s -H "Content-Type: application/json" \
-XPOST http://admin:admin@localhost:3000/api/datasources \ -XPOST http://admin:nimda321@localhost:3000/api/datasources \
-d @- <<EOF -d @- <<EOF
{ {
"name": "prometheus", "name": "prometheus",
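Review bot: Both `curl -s ... -XPOST http://admin:nimda321@localhost:3000/api/datasources` calls silence output and never check the exit status or HTTP response, so a wrong password, a Grafana that is not listening yet, or a rerun after the deploy script has switched it to https would likely leave the datasources missing without any message. Use `curl -sS -f` so a 4xx/5xx makes curl fail, and add `|| exit 1` (or `set -e` at the top of the script) so the caller notices. The admin password should also come from the same environment variable the compose file uses rather than being repeated as a literal here and in the other Grafana API script.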



@ -32,3 +32,7 @@ scrape_configs:
scrape_interval: "15s" scrape_interval: "15s"
static_configs: static_configs:
- targets: ['node_exporter:9100'] - targets: ['node_exporter:9100']
- job_name: 'cadvisor'
scrape_interval: "15s"
static_configs:
- targets: ['cadvisor:8080']


@ -62,7 +62,7 @@ write_consistency = "any"
## If not provided, will default to 5s. 0s means no timeout (not recommended). ## If not provided, will default to 5s. 0s means no timeout (not recommended).
timeout = "5s" timeout = "5s"
username = "telegraf" username = "telegraf"
password = "nimda" password = "nimda321"
## Set the user agent for HTTP POSTs (can be useful for log differentiation) ## Set the user agent for HTTP POSTs (can be useful for log differentiation)
user_agent = "telegraf-agent" user_agent = "telegraf-agent"
## Set UDP payload size, defaults to InfluxDB UDP Client default (512 bytes) ## Set UDP payload size, defaults to InfluxDB UDP Client default (512 bytes)


@ -13,16 +13,16 @@ do_cleanup () {
fi fi
read -r -p "Do you want to delete all docker \"bridge\" networks? [y/N] " response # read -r -p "Do you want to delete all docker \"bridge\" networks? [y/N] " response
if [[ "$response" =~ ^([yY][eE][sS]|[yY])+$ ]] # if [[ "$response" =~ ^([yY][eE][sS]|[yY])+$ ]]
then # then
for n in $(docker network ls | grep "bridge" | awk '/ / { print $1 }'); do # for n in $(docker network ls | grep "bridge" | awk '/ / { print $1 }'); do
echo -e "attempting to delete network: $n" # echo -e "attempting to delete network: $n"
docker network rm $n || echo "cannot remove: $n" # docker network rm $n || echo "cannot remove: $n"
done # done
else # else
echo -e "'no' chosen" # echo -e "'no' chosen"
fi # fi
read -r -p "Do you want to delete all docker dangling images? [y/N] " response read -r -p "Do you want to delete all docker dangling images? [y/N] " response
if [[ "$response" =~ ^([yY][eE][sS]|[yY])+$ ]] if [[ "$response" =~ ^([yY][eE][sS]|[yY])+$ ]]