Grafana Deployment Guide
The following instructions are for deploying Grafana.
Prerequisites
This guide is written for a Red Hat Enterprise Linux 8 based operating system operating within a cluster of systems. The following are the prerequisites:
If deploying as a standalone service, adjust the hostname fields accordingly and omit steps involving IdM, NFS, and follow-on deployment guides.
Follow-on Deployments
The following guides can be applied after the deployment of their associated nodes.
References
These instructions were written for Grafana 9.2.x.
Instructions are based on the following documentation:
https://grafana.com/grafana/download?pg=get&platform=linux&plcmt=selfmanaged-box1-cta1&edition=oss
Post Deployment
Grafana can be accessed at the following URL:
https://grafana.engwsc.example.com
Username: GRAFANA_ADMIN_USERNAME
Password: GRAFANA_ADMIN_PASSWORD (from step 6)
Deployment Scripts
Note: An example bash script of the instructions has been provided: deploy-grafana.sh
Deployment Steps
Note: Instructions assume execution using the root account.
1. Connect the system to the NFS Server:
   See Guide: NFS Client Deployment Guide
2. Connect the system to the IdM Server:
   See Guide: IdM Client Deployment Guide
3. Add the Grafana Yum Repository:
    cat > /etc/yum.repos.d/grafana.repo <<EOF
    [grafana]
    name = grafana
    baseurl = https://rpm.grafana.com
    repo_gpgcheck = 1
    enabled = 1
    gpgcheck = 1
    gpgkey = https://rpm.grafana.com/gpg.key
    sslverify = 1
    sslcacert = /etc/pki/tls/certs/ca-bundle.crt
    exclude = *beta*
    EOF
4. Install Dependencies:
    dnf -y distro-sync
    dnf -y install initscripts urw-fonts wget
5. Install Grafana:
    dnf -y install grafana
6. Set up Grafana:
   Important: Replace GRAFANA_ADMIN_USERNAME with the user name of the administrator (e.g. admin). Replace GRAFANA_ADMIN_PASSWORD with a confidential, secure password that will be used for the Grafana GRAFANA_ADMIN_USERNAME account.
    sed -i "s/^;domain =.*/domain = engwsc.example.com/g" /etc/grafana/grafana.ini
    sed -i 's|^;reporting_enabled =.*|reporting_enabled = false|g' /etc/grafana/grafana.ini
    sed -i 's|^;disable_gravatar =.*|disable_gravatar = true|g' /etc/grafana/grafana.ini
    sed -i 's|^;admin_user =.*|admin_user = GRAFANA_ADMIN_USERNAME|g' /etc/grafana/grafana.ini
    sed -i 's|^;admin_password =.*|admin_password = GRAFANA_ADMIN_PASSWORD|g' /etc/grafana/grafana.ini
7. Start the Grafana service:
    systemctl daemon-reload
    systemctl enable --now grafana-server
8. Install NGINX:
    dnf -y distro-sync
    dnf -y install nginx
9. Create Self-Signed SSL Certificate:
   Important: Replace values with the specifics of your network.
    # Create directory structure
    mkdir -p /etc/pki/nginx/
    chmod 755 /etc/pki/nginx/

    # Country Name (2 letter code) [XX]:US
    # State or Province Name (full name) []:New York
    # Locality Name (eg, city) [Default City]:New York
    # Organization Name (eg, company) [Default Company Ltd]:engwsc
    # Organizational Unit Name (eg, section) []:
    # Common Name (eg, your name or your server's hostname) []:grafana.engwsc.example.com
    # Email Address []:

    # Create certificate
    openssl req -x509 -nodes -newkey rsa:4096 \
        -keyout "/etc/pki/nginx/grafana.engwsc.example.com.key" \
        -out "/etc/pki/nginx/grafana.engwsc.example.com.crt" \
        -subj "/CN=grafana.engwsc.example.com/C=US/ST=New York/L=New York/O=engwsc" \
        -days 365

    # Set certificate permissions
    chown root:root /etc/pki/nginx/grafana.engwsc.example.com.key
    chown root:root /etc/pki/nginx/grafana.engwsc.example.com.crt
    chmod 600 /etc/pki/nginx/grafana.engwsc.example.com.key
10. Configure NGINX:
    Important: Replace example values with the specifics of your network.
    mkdir -p /etc/nginx/conf.d/
    cat > /etc/nginx/conf.d/grafana.conf <<EOF
    server {
        listen 80;
        server_name grafana.engwsc.example.com;
        root /nowhere;
        rewrite ^ https://\$server_name\$request_uri permanent;
    }

    server {
        listen 443 ssl http2;
        server_name grafana.engwsc.example.com;
        ssl_certificate "/etc/pki/nginx/grafana.engwsc.example.com.crt";
        ssl_certificate_key "/etc/pki/nginx/grafana.engwsc.example.com.key";
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout 10m;
        ssl_ciphers PROFILE=SYSTEM;
        ssl_prefer_server_ciphers on;

        location / {
            proxy_set_header Host \$http_host;
            proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
            proxy_pass http://127.0.0.1:3000;
        }
    }
    EOF
11. Configure SELinux:
    setsebool -P httpd_can_network_connect 1
    semanage port -a -t http_port_t -p tcp 3000
12. Enable NGINX service:
    systemctl daemon-reload
    systemctl enable --now nginx
13. Set firewalld rules:
    Important: Replace the IPv4 address and subnet mask with the values for your network.
    systemctl enable --now firewalld
    firewall-cmd --zone=public --add-source=192.168.1.0/24 --permanent
    firewall-cmd --zone=public --add-service=http --permanent
    firewall-cmd --zone=public --add-service=https --permanent
    firewall-cmd --reload
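The sed commands in the "Set up Grafana" step only rewrite lines that still begin with ";key =", so on a grafana.ini that differs from the packaged default they change nothing and report no error. The following check is an added example, not part of this guide's deploy-grafana.sh; the function names ini_value and check_grafana_ini are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: confirm that the guide's sed edits to grafana.ini took effect
# and that no placeholder or default credential was left behind.

# ini_value FILE KEY: print the value of the first uncommented "KEY = value" line.
ini_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# check_grafana_ini FILE [DOMAIN]: return 0 only if every setting from the
# guide is active; print one FAIL line per problem found.
check_grafana_ini() {
    local ini="$1" domain="${2:-engwsc.example.com}" rc=0 key want got
    # Settings the guide pins to a fixed value.
    while read -r key want; do
        got="$(ini_value "$ini" "$key")"
        if [ "$got" != "$want" ]; then
            echo "FAIL: $key is '${got:-unset}', expected '$want'"; rc=1
        fi
    done <<EOF
domain $domain
reporting_enabled false
disable_gravatar true
EOF
    # Credentials must be set and must not be the guide's placeholder text.
    for key in admin_user admin_password; do
        got="$(ini_value "$ini" "$key")"
        case "$got" in
            ""|GRAFANA_ADMIN_USERNAME|GRAFANA_ADMIN_PASSWORD)
                echo "FAIL: $key is unset or still a placeholder"; rc=1 ;;
        esac
    done
    # "admin" is the password Grafana ships with.
    if [ "$(ini_value "$ini" admin_password)" = "admin" ]; then
        echo "FAIL: admin_password is still the default"; rc=1
    fi
    # The file now holds the admin password, so it must not be world-readable.
    if [ -n "$(find "$ini" -perm -004)" ]; then
        echo "FAIL: $ini is world-readable"; rc=1
    fi
    return "$rc"
}
```

Run `check_grafana_ini /etc/grafana/grafana.ini` after step 6, passing your own domain as the second argument if it differs. A password containing `&`, `|` or `\` is altered by the sed replacement, so compare the stored admin_password value with the one you intended.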