Secure Monitoring Solution in Docker

Docker Compose application for deploying InfluxDB, Grafana and Traefik in Docker.

The individual components are:

• InfluxDB: time-series database.

• Grafana: front-end for visualizing and querying data in InfluxDB.

• Traefik: edge router/reverse proxy which will auto-generate and auto-renew TLS certificates using Let's Encrypt. Traefik makes it so that data sent to and from Grafana and InfluxDB will be encrypted.

Prerequisites

• Docker

How to Run Locally

Deploy the docker-compose application:

docker-compose up

You can then access Grafana at monitoring.docker.localhost. Use the credentials in .env to log in to Grafana. InfluxDB will be listening on port 8086.

Grafana is accessible from the HTTP and HTTPS ports (80 and 443 respectively), with redirection from HTTP to HTTPS handled using Traefik routers.

Note that when accessing Grafana or InfluxDB that have been deployed locally, your browser and other apps may show warnings about invalid or self-signed TLS certificates. This is expected as localhost domains don't end with a valid top-level domain, so Traefik won't attempt to request a certificate for them.

Notes

• Grafana will automatically be set up with InfluxDB as a data source (set up under grafana/provisioning/datasources/influxdb.yml).

• InfluxDB will run shell scripts in docker-entrypoint-initdb.d on startup.

• If you're testing locally, and an application which you want to use to send data to InfluxDB can't be set to ignore TLS certificates, change the traefik.http.routers.influxdb-ssl.tls label to false for the InfluxDB container inside docker-compose.yml.

Deploying in Production

• Set a secure password for Grafana and InfluxDB.

• Change the MONITORING_DOMAIN environment variable in .env to the domain where the application will be hosted.

• Set the LETS_ENCRYPT_EMAIL environment variable in .env to a valid email that you wish to receive emails about certificates issues to.

• Uncomment the appropriate CA_SERVER environment variable in .env to use Let's Encrypt's production API.

  There is a limit of 5 certificates per week from Let's Encrypt's production server as stated here. For more info on the Let's Encrypt staging environment and Traefik, check the note under this Traefik docs page.

Useful Commands

Check container logs

sudo docker container logs <CONTAINER NAME OR ID> [--follow]

Attach to a container and use bash within it (useful for InfluxDB database maintenance)

sudo docker exec -it <CONTAINER NAME OR ID> bash

Start up the the InfluxDB CLI when attached to the InfluxDB docker container

influx --username <InfluxDB username> --password <InfluxDB password>

Links

• How to backup and restore InfluxDB database from Docker containers