Install Grafana on Ubuntu 16.04 LTS

Published on: Fri, Jun 8, 2018 at 1:15 pm EST
Linux Guides Server Apps Ubuntu

Introduction

Grafana is an open-source software that transforms multiple feeds from systems such as Graphite, Telegraf, and InfluxDB into beautiful metrics in a centralized dashboard.

This tutorial will cover the process of installing the Grafana web interface.

Prerequisites

  • An Ubuntu 16.04 LTS x64 server instance.
  • A sudo (or root account) user.
  • Optional: A DNS name (for use with Let's Encrypt certificates)

Update the system

Update your system before installing Grafana.

apt-get update && apt-get upgrade 

Preparing the firewall

First let’s harden the image a little bit. Let’s also check if the image that has been provisioned has ufw enabled.

root@vultr:~# ufw status
Status: inactive

By default it's disabled, so we will need to add a few rules:

  • Rule 1: ssh: TCP port 22
  • Rule 2: http: TCP port 3000 (default Grafana port)

Execute the following commands one by one.

ufw allow 22/tcp
ufw allow 3000/tcp

Enable the firewall services.

ufw enable

The firewall will prompt a dialog to accept changes. Just press Y.

Command may disrupt existing ssh connections. Proceed with operation (y|n)?

Installing Grafana

By default, Grafana is not in the repositories. Add the repo key and packages.

curl https://packagecloud.io/gpg.key | sudo apt-key add -

Next, add the "packagecloud" repository to your repositories.

add-apt-repository "deb https://packagecloud.io/grafana/stable/debian/ stretch main"

Update apt to fetch the latest information from our newly added "packagecloud" repo.

apt-get update

Now we can install Grafana.

apt-get install grafana

Once Grafana has been installed, start it with systemctl.

systemctl start grafana-server

This will show a working Grafana service.

systemctl status grafana-server

Start the Grafana service on boot.

systemctl enable grafana-server

Disabling Grafana registrations and anonymous access

Out of the box, Grafana allows visitors to create user accounts and preview dashboards without registering. This means we are exposing Grafana to the public internet. But not to worry, let's find and disable these settings.

First open Grafana's configuration file.

nano /etc/grafana/grafana.ini

Locate the allow_sign_up settings under the [users] heading.

[users]
# disable user signup / registration
;allow_sign_up = true

By default it is set to true, so change it to false and uncomment the line.

[users]
# disable user signup / registration
allow_sign_up = false

Next, verify that anonymous access is disabled. This can be found under the [auth.anonymous] settings.

[auth.anonymous]
# enable anonymous access
;enabled = false

Change it to false and uncomment the line.

[auth.anonymous]
enabled = false

Exit nano and save the file.

To activate the changes, restart Grafana.

systemctl restart grafana-server

Now verify that everything is working by checking Grafana's service status.

systemctl status grafana-server

The Grafana daemon listens to port 3000. In order to visit the Grafana Dashboard, point your browser to http://192.168.0.1:3000 (replace this IP with your actual server IP), and use the default login credentials below.

Username: admin
Password: admin

Enabling an HTTPS certificate for Grafana (optional)

This is an optional step. If we have a configured DNS name, we can use Let's encrypt to enable HTTPS for our new Grafana installation.

Installation and configuration of Nginx

To achieve this, we will be using Nginx, as this software is capable of using Let's Encrypt certificates.

Start by installing Nginx.

apt-get install nginx

Once installed, edit the default configuration.

nano /etc/nginx/sites-available/default

Replace the default configuration with the following configuration.

server {      
  listen 0.0.0.0:80;

  proxy_request_buffering off;
  proxy_buffering off;

  location / {
     proxy_pass http://127.0.0.1:3000;
     proxy_redirect     off;
     proxy_set_header   Host $host;
     proxy_set_header   X-Real-IP $remote_addr;
     proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
     proxy_set_header   X-Forwarded-Host $server_name;
  }
}

This will create a proxy for the website running at port 80. Restart Nginx, and enable it at boot.

systemctl restart nginx
systemctl enable nginx

Ensure everything is working.

systemctl status nginx

Disable the old Grafana port 3000 and allow traffic on port 80.

ufw allow 80/tcp
ufw delete allow 3000/tcp

Installing Let's Encrypt

Before we can use certbot, we need to add the correct PPA to the system containing our certbot packages.

add-apt-repository ppa:certbot/certbot

Press ENTER to accept the configuration change.

Update apt to gather the new packages.

apt-get update

Next install the Nginx module for assigning the certificates.

apt-get -y install python-certbot-nginx

Configuring certificates

Configure the firewall to allow the HTTPS through the firewall.

ufw allow 443/tcp

Before we can request new certificates, we need a DNS name.

nano /etc/nginx/sites-available/default

Add the following server_name setting. This is our DNS name.

server_name grafana.example.com;

Change the configuration to reflect this new setting.

server {
  server_name grafana.example.com;

  listen 0.0.0.0:80;

  proxy_request_buffering off;
  proxy_buffering off;

  location / {
     proxy_pass http://127.0.0.1:3000;
     proxy_redirect     off;
     proxy_set_header   Host $host;
     proxy_set_header   X-Real-IP $remote_addr;
     proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
     proxy_set_header   X-Forwarded-Host $server_name;
  }
}

Ensure we didn't make any errors and restart Nginx.

nginx -t
systemctl restart nginx

Now request a certificate with certbot.

certbot --nginx -d grafana.example.com

Provide your email and agree to questions asked by installer. You can safely say "No" to sharing your email. Certbot will automatically ask what to do with HTTPS. We will be using option 2: redirect to HTTPS.

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2

Auto renew certificates

Let's encrypt certificates require renewal. Luckily we can create a cron job for this. Start by editing the crontab.

crontab -e

Add the following line.

05 2 * * * /usr/bin/certbot renew --quiet

This will check at 2:05 AM if any certificates require a renewal and will renew them.

Grafana will be running on HTTPS now. One last thing is to change the admin password. Visit your installation at https://grafana.example.net. By default, the credentials for logging in are 'admin/admin'.

To change the admin username, click on the cog icon on the left, go to "Configuration", then "Server Admin" and click the admin username.

Want to contribute ?

You could earn up to $300 by adding new articles