https://janikvonrotz.ch/tags/grafana/ Recent content in Grafana on Janik von Rotz Hugo en Tue, 09 Nov 2021 09:13:06 +0100 https://janikvonrotz.ch/2021/11/09/nginx-loki-promtail-and-grafana/ Tue, 09 Nov 2021 09:13:06 +0100 https://janikvonrotz.ch/2021/11/09/nginx-loki-promtail-and-grafana/ <p>Hey devops engineer, you don&rsquo;t need Logtail, Sentry, Datadog or any other SaaS/PaaS service to manage your logs. Collecting and analyzing log files is super easy with the LPG-stack. Another acronym that stands for <strong>Loki, Promtail and Grafana</strong>.</p> <p>I will give you a brief overview of how you can deploy the LPG-stack and label your log entries with Promtail. To sum it up we will have look at Grafana and see how we can query the log data</p> <p><img src="https://janikvonrotz.ch/images/LPG-Stack.png" alt=""></p> <p>Usually you would follow these four steps to setup the log monitoring system:</p> <ol> <li>Setup loki for indexing log data</li> <li>Setup nginx reverse proxy to expose loki with basic auth</li> <li>Configure promtail and forward logs on host</li> <li>Create a dashboard in grafana and query the data</li> </ol> <p>However, giving details on the full setup would make this post unnecessarily long. That is why I added a note <em>Not covered:</em> note to every section. The deployment of these services depends heavily on the technology (f.g. Kubernetes, Docker Compose or Ansible) you are using. I will fokus on the most important part - the config files.</p> <h3 id="loki">Loki</h3> <p><em>Not covered: Deployment and configuration of the Loki container.</em></p> <p>Loki manages the log index. It receives the log files from Promtail and acts as a datasource for Grafana.</p> <p>The configuration below is based on the official template and has not been altered notably.</p> <p><strong>local-config.yml</strong></p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-yml" data-lang="yml"><span style="display:flex;"><span><span style="color:#75715e"># https://github.com/grafana/loki/blob/v2.3.0/cmd/loki/loki-local-config.yaml</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">auth_enabled</span>: <span style="color:#66d9ef">false</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#f92672">server</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">http_listen_port</span>: <span style="color:#ae81ff">3100</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">grpc_listen_port</span>: <span style="color:#ae81ff">9096</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#f92672">ingester</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">wal</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">enabled</span>: <span style="color:#66d9ef">true</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">dir</span>: <span style="color:#ae81ff">/tmp/wal</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">lifecycler</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">address</span>: <span style="color:#ae81ff">127.0.0.1</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">ring</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">kvstore</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">store</span>: <span style="color:#ae81ff">inmemory</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">replication_factor</span>: <span style="color:#ae81ff">1</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">final_sleep</span>: <span style="color:#ae81ff">0s</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">chunk_idle_period</span>: <span style="color:#ae81ff">1h </span> <span style="color:#75715e"># Any chunk not receiving new logs in this time will be flushed</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">max_chunk_age</span>: <span style="color:#ae81ff">1h </span> <span style="color:#75715e"># All chunks will be flushed when they hit this age, default is 1h</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">chunk_target_size</span>: <span style="color:#ae81ff">1048576</span> <span style="color:#75715e"># Loki will attempt to build chunks up to 1.5MB, flushing first if chunk_idle_period or max_chunk_age is reached first</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">chunk_retain_period</span>: <span style="color:#ae81ff">30s </span> <span style="color:#75715e"># Must be greater than index read cache TTL if using an index cache (Default index read cache TTL is 5m)</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">max_transfer_retries</span>: <span style="color:#ae81ff">0</span> <span style="color:#75715e"># Chunk transfers disabled</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#f92672">schema_config</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">configs</span>: </span></span><span style="display:flex;"><span> - <span style="color:#f92672">from</span>: <span style="color:#e6db74">2020-10-24</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">store</span>: <span style="color:#ae81ff">boltdb-shipper</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">object_store</span>: <span style="color:#ae81ff">filesystem</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">schema</span>: <span style="color:#ae81ff">v11</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">index</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">prefix</span>: <span style="color:#ae81ff">index_</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">period</span>: <span style="color:#ae81ff">24h</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#f92672">storage_config</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">boltdb_shipper</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">active_index_directory</span>: <span style="color:#ae81ff">/tmp/loki/boltdb-shipper-active</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">cache_location</span>: <span style="color:#ae81ff">/tmp/loki/boltdb-shipper-cache</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">cache_ttl</span>: <span style="color:#ae81ff">24h </span> <span style="color:#75715e"># Can be increased for faster performance over longer query periods, uses more disk space</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">shared_store</span>: <span style="color:#ae81ff">filesystem</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">filesystem</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">directory</span>: <span style="color:#ae81ff">/tmp/loki/chunks</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#f92672">compactor</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">working_directory</span>: <span style="color:#ae81ff">/tmp/loki/boltdb-shipper-compactor</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">shared_store</span>: <span style="color:#ae81ff">filesystem</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#f92672">limits_config</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">reject_old_samples</span>: <span style="color:#66d9ef">true</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">reject_old_samples_max_age</span>: <span style="color:#ae81ff">168h</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#f92672">chunk_store_config</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">max_look_back_period</span>: <span style="color:#ae81ff">0s</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#f92672">table_manager</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">retention_deletes_enabled</span>: <span style="color:#66d9ef">false</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">retention_period</span>: <span style="color:#ae81ff">0s</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#f92672">ruler</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">storage</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">type</span>: <span style="color:#ae81ff">local</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">local</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">directory</span>: <span style="color:#ae81ff">/tmp/loki/rules</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">rule_path</span>: <span style="color:#ae81ff">/tmp/loki/rules-temp</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">alertmanager_url</span>: <span style="color:#ae81ff">http://localhost:9093</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">ring</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">kvstore</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">store</span>: <span style="color:#ae81ff">inmemory</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">enable_api</span>: <span style="color:#66d9ef">true</span> </span></span></code></pre></div><h3 id="nginx-reverse-proxy">Nginx reverse proxy</h3> <p><em>Not covered: Full nginx config with https server definition.</em></p> <p>The Nginx proxy terminates https connections and ensures the connections to Loki are authenticated with basic auth.</p> <p>The configuration below shows the proxy configuration for Loki.</p> <p><strong>loki.nginx</strong></p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>location /loki/api/v1 <span style="color:#f92672">{</span> </span></span><span style="display:flex;"><span> auth_basic <span style="color:#e6db74">&#34;loki&#34;</span>; </span></span><span style="display:flex;"><span> auth_basic_user_file /etc/nginx/conf.d/proxies/loki.htpasswd; </span></span><span style="display:flex;"><span> proxy_pass http://loki01:3100/loki/api/v1; </span></span><span style="display:flex;"><span> include /etc/letsencrypt/proxy-params.conf; </span></span><span style="display:flex;"><span><span style="color:#f92672">}</span> </span></span></code></pre></div><h3 id="promtail">Promtail</h3> <p><em>Not covered: Deployment of the Promtail container.</em></p> <p>Promtail has access to the log folder of the host machine. It extracts all log data and forwards the content to Loki.</p> <p>Promtail has been configured to use basic auth and extract Docker log files. Before sending the log files it processes and labels the log lines.</p> <p><strong>config.yml</strong></p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-yml" data-lang="yml"><span style="display:flex;"><span><span style="color:#f92672">server</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">http_listen_port</span>: <span style="color:#ae81ff">9080</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">grpc_listen_port</span>: <span style="color:#ae81ff">0</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#f92672">positions</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">filename</span>: <span style="color:#ae81ff">/tmp/positions.yaml</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#f92672">clients</span>: </span></span><span style="display:flex;"><span> - <span style="color:#f92672">url</span>: <span style="color:#ae81ff">https://loki:ohs24234ch5vahz5ieVei@monitor.example.com/loki/api/v1/push</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#f92672">scrape_configs</span>: </span></span><span style="display:flex;"><span>- <span style="color:#f92672">job_name</span>: <span style="color:#ae81ff">containers</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">static_configs</span>: </span></span><span style="display:flex;"><span> - <span style="color:#f92672">targets</span>: </span></span><span style="display:flex;"><span> - <span style="color:#ae81ff">localhost</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">labels</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">job</span>: <span style="color:#ae81ff">containerlogs</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">instance</span>: <span style="color:#ae81ff">server.example.com</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">__path__</span>: <span style="color:#ae81ff">/var/lib/docker/containers/*/*log</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">pipeline_stages</span>: </span></span><span style="display:flex;"><span> - <span style="color:#f92672">json</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">expressions</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">output</span>: <span style="color:#ae81ff">log</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">stream</span>: <span style="color:#ae81ff">stream</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">attrs</span>: </span></span><span style="display:flex;"><span> - <span style="color:#f92672">json</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">expressions</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">tag</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">source</span>: <span style="color:#ae81ff">attrs</span> </span></span><span style="display:flex;"><span> - <span style="color:#f92672">regex</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">expression</span>: <span style="color:#ae81ff">(?P&lt;container_name&gt;(?:[^|]*[^|])).(?P&lt;image_name&gt;(?:[^|]*[^|]))</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">source</span>: <span style="color:#ae81ff">tag</span> </span></span><span style="display:flex;"><span> - <span style="color:#f92672">timestamp</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">format</span>: <span style="color:#ae81ff">RFC3339Nano</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">source</span>: <span style="color:#ae81ff">time</span> </span></span><span style="display:flex;"><span> - <span style="color:#f92672">labels</span>: </span></span><span style="display:flex;"><span> <span style="color:#75715e">#tag:</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">stream</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">container_name</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">image_name</span>: </span></span><span style="display:flex;"><span> - <span style="color:#f92672">output</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">source</span>: <span style="color:#ae81ff">output</span> </span></span></code></pre></div><p>Ensure docker containers are deployed with these log options:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-json" data-lang="json"><span style="display:flex;"><span><span style="color:#e6db74">&#34;LogConfig&#34;</span><span style="color:#960050;background-color:#1e0010">:</span> { </span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;Type&#34;</span>: <span style="color:#e6db74">&#34;json-file&#34;</span>, </span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;Config&#34;</span>: { </span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;max-file&#34;</span>: <span style="color:#e6db74">&#34;3&#34;</span>, </span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;max-size&#34;</span>: <span style="color:#e6db74">&#34;10m&#34;</span>, </span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;tag&#34;</span>: <span style="color:#e6db74">&#34;nginx03|nginx&#34;</span> </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span>}<span style="color:#960050;background-color:#1e0010">,</span> </span></span></code></pre></div><h3 id="grafana">Grafana</h3> <p><em>Not covered: Deployment of the Grafana container.</em></p> <p>Grafana is our monitoring tool. It visualizes the data from Loki. Getting the data requires settings up a data source.</p> <p><img src="https://janikvonrotz.ch/images/grafana-datasource-loki.png" alt=""></p> <p>If the connection is private, there is no need for authentication.</p> <p>In the Grafana data explorer the log data can be queried:</p> <p><img src="https://janikvonrotz.ch/images/grafana-data-explorer.png" alt=""></p> <p>With queries like <code>rate(({job=&quot;containerlogs&quot;} |= &quot;error&quot;)[1m])</code> the frequency of errors within a time range will be returned.</p> <p>Finally, you could setup an alert for a certain threshold on the frequency quer.</p> https://janikvonrotz.ch/2021/04/19/add-prometheus-instance-variable-to-grafana-query/ Mon, 19 Apr 2021 18:05:23 +0200 https://janikvonrotz.ch/2021/04/19/add-prometheus-instance-variable-to-grafana-query/ <p>Prometheus stores the instance or host name for every metric. If you want to filter your dashboard data based on the instance name you need a Grafana variable.</p> <p>Open the Grafana, select your dashboard and navigate to <em>Settings &gt; Variables</em>. Create a new variable:</p> <p>Name: <code>isntance</code><br> Typoe: <code>Query</code><br> Lable: <code>Instance</code><br> Data source: <code>Prometheus</code><br> Query: <code>label_values(instance)</code><br> Include All option: <code>true</code></p> <p>Check if the preview returns the instances.</p> <p>Next open a panel and insert <code>{instance=~&quot;$instance&quot;}</code> into your metric like this:</p> <p><img src="https://janikvonrotz.ch/images/add-varaible-to-grafana-query.png" alt=""></p> <p>Now all the panel data will be filtered by whatever is set for the variable.</p> <p><strong>Update 2021-09-06</strong></p> <p>You can also add filters to the query. Use the <code>label_values({job!=&quot;blackbox&quot;},instance)</code> query to return labels for instances that are not monitored by a blackbox exporter.</p> https://janikvonrotz.ch/2020/09/07/monitor-cron-jobs-with-prometheus-grafana-and-node-exporter/ Mon, 07 Sep 2020 11:26:05 +0200 https://janikvonrotz.ch/2020/09/07/monitor-cron-jobs-with-prometheus-grafana-and-node-exporter/ <p>Nobody wants to be notified by email anymore, especially if its a failed cron job. We have advanced monitoring systems that tell if somethings wrong. In my case I use <a href="https://grafana.com/">Grafana</a> and <a href="https://prometheus.io/">Prometheus</a> and <a href="https://github.com/prometheus/node_exporter">Node exporter</a> to collect host metric, visualize them and send out alerts. Usually, one would set up an exporter to monitor an new piece of software, but for cron there isn&rsquo;t any exporter available. In contraire there are a lot of online service to monitor your cron jobs, such as <a href="https://cronitor.io/">Cronitor.io</a>. But we do not want to add another dependency for simply monitoring cron jobs.</p> <p>In this tutorial I will elaborate on how I look after cron jobs with Prometheus and Grafana. We are going to configure the textfile collector of the Node exporter, define custom metrics and visualize them in a Grafana dashboard.</p> <p>I assume that there is machine running with cron jobs. This machine has multiple cron jobs and a configured Node exporter. The Node metrics are scrapped by Prometheus and visualized in Grafana.</p> <p>First, we are going to add a bash script to write custom Node exporter metrics. Copy the script below to the host.</p> <p><strong>/usr/local/bin/write-node-exporter-metric</strong></p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e">#!/bin/bash </span></span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Display Help</span> </span></span><span style="display:flex;"><span>Help<span style="color:#f92672">()</span> <span style="color:#f92672">{</span> </span></span><span style="display:flex;"><span> echo </span></span><span style="display:flex;"><span> echo <span style="color:#e6db74">&#34;write-node-exporter-metric&#34;</span> </span></span><span style="display:flex;"><span> echo <span style="color:#e6db74">&#34;##########################&#34;</span> </span></span><span style="display:flex;"><span> echo </span></span><span style="display:flex;"><span> echo <span style="color:#e6db74">&#34;Description: Write node-exporter metric.&#34;</span> </span></span><span style="display:flex;"><span> echo <span style="color:#e6db74">&#34;Syntax: write-node-exporter-metric [-n|-c|-v|help]&#34;</span> </span></span><span style="display:flex;"><span> echo <span style="color:#e6db74">&#34;Example: write-node-exporter-metric -n cron_job -c \&#34;Renew certs for proxy01\&#34; -v 0&#34;</span> </span></span><span style="display:flex;"><span> echo <span style="color:#e6db74">&#34;options:&#34;</span> </span></span><span style="display:flex;"><span> echo <span style="color:#e6db74">&#34; -n Reference of custom metric type. Defaults to &#39;cron_job&#39;&#34;</span> </span></span><span style="display:flex;"><span> echo <span style="color:#e6db74">&#34; -c Code for metric value.&#34;</span> </span></span><span style="display:flex;"><span> echo <span style="color:#e6db74">&#34; -v Value of metric.&#34;</span> </span></span><span style="display:flex;"><span> echo <span style="color:#e6db74">&#34; help Show write-node-exporter-metric help.&#34;</span> </span></span><span style="display:flex;"><span> echo </span></span><span style="display:flex;"><span><span style="color:#f92672">}</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Show help and exit</span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">if</span> <span style="color:#f92672">[[</span> $1 <span style="color:#f92672">==</span> <span style="color:#e6db74">&#39;help&#39;</span> <span style="color:#f92672">]]</span>; <span style="color:#66d9ef">then</span> </span></span><span style="display:flex;"><span> Help </span></span><span style="display:flex;"><span> exit </span></span><span style="display:flex;"><span><span style="color:#66d9ef">fi</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Process params</span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">while</span> getopts <span style="color:#e6db74">&#34;:n :c: :v:&#34;</span> opt; <span style="color:#66d9ef">do</span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">case</span> $opt in </span></span><span style="display:flex;"><span> n<span style="color:#f92672">)</span> TYPE<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;</span>$OPTARG<span style="color:#e6db74">&#34;</span> </span></span><span style="display:flex;"><span> ;; </span></span><span style="display:flex;"><span> c<span style="color:#f92672">)</span> CODE<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;</span>$OPTARG<span style="color:#e6db74">&#34;</span> </span></span><span style="display:flex;"><span> ;; </span></span><span style="display:flex;"><span> v<span style="color:#f92672">)</span> VALUE<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;</span>$OPTARG<span style="color:#e6db74">&#34;</span> </span></span><span style="display:flex;"><span> ;; </span></span><span style="display:flex;"><span> <span style="color:#ae81ff">\?</span><span style="color:#f92672">)</span> echo <span style="color:#e6db74">&#34;Invalid option -</span>$OPTARG<span style="color:#e6db74">&#34;</span> &gt;&amp;<span style="color:#ae81ff">2</span> </span></span><span style="display:flex;"><span> Help </span></span><span style="display:flex;"><span> exit;; </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">esac</span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">done</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Fallback to environment vars and default values</span> </span></span><span style="display:flex;"><span>: <span style="color:#e6db74">${</span>TYPE:=<span style="color:#e6db74">&#39;cron_job&#39;</span><span style="color:#e6db74">}</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#f92672">[[</span> -z <span style="color:#e6db74">&#34;</span>$CODE<span style="color:#e6db74">&#34;</span> <span style="color:#f92672">]]</span> <span style="color:#f92672">&amp;&amp;</span> <span style="color:#f92672">{</span> echo <span style="color:#e6db74">&#34;Parameter -c|code is empty&#34;</span> ; exit 1; <span style="color:#f92672">}</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">[[</span> -z <span style="color:#e6db74">&#34;</span>$VALUE<span style="color:#e6db74">&#34;</span> <span style="color:#f92672">]]</span> <span style="color:#f92672">&amp;&amp;</span> <span style="color:#f92672">{</span> echo <span style="color:#e6db74">&#34;Parameter -v|value is empty&#34;</span> ; exit 1; <span style="color:#f92672">}</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">if</span> <span style="color:#f92672">[</span> <span style="color:#e6db74">&#34;</span>$TYPE<span style="color:#e6db74">&#34;</span> <span style="color:#f92672">==</span> <span style="color:#e6db74">&#34;cron_job&#34;</span> <span style="color:#f92672">]</span>; <span style="color:#66d9ef">then</span> </span></span><span style="display:flex;"><span> echo <span style="color:#e6db74">&#34;Write metric node_cron_job_exit_code for code \&#34;</span>$CODE<span style="color:#e6db74">\&#34; with value </span>$VALUE<span style="color:#e6db74">.&#34;</span> </span></span><span style="display:flex;"><span> ID<span style="color:#f92672">=</span><span style="color:#66d9ef">$(</span>echo $CODE | shasum | cut -c1-5<span style="color:#66d9ef">)</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> cat <span style="color:#e6db74">&lt;&lt; EOF &gt;&gt; /var/tmp/node_cron_job_exit_code.$ID.prom.$$ </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"># HELP node_cron_job_exit_code Last exit code of cron job. </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"># TYPE node_cron_job_exit_code counter </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">node_cron_job_exit_code{code=&#34;$CODE&#34;} $VALUE </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">EOF</span> </span></span><span style="display:flex;"><span> mv /var/tmp/node_cron_job_exit_code.$ID.prom.$$ /var/tmp/node_cron_job_exit_code.$ID.prom </span></span><span style="display:flex;"><span><span style="color:#66d9ef">fi</span> </span></span></code></pre></div><p>And make it executable.</p> <p><code>chmod +x /usr/local/bin/write-node-exporter-metric</code></p> <p>By default this script writes metric text files to <code>/var/tmp</code>. This folder is watched by Node exporter. Set the <a href="https://github.com/prometheus/node_exporter#textfile-collector">textfile collector directory flag</a> <code>--collector.textfile.directory</code> for the Node exporter. If you are using Docker to run the exporter, set the following config:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-yml" data-lang="yml"><span style="display:flex;"><span>... </span></span><span style="display:flex;"><span><span style="color:#f92672">volumes</span>: </span></span><span style="display:flex;"><span> - <span style="color:#ae81ff">/:/hostfs</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">command</span>: <span style="color:#e6db74">&#39;--collector.textfile.directory=/hostfs/var/tmp&#39;</span> </span></span><span style="display:flex;"><span>... </span></span></code></pre></div><p>Let&rsquo;s write a custom metric and see if it scrapped by Prometheus.</p> <p>Run <code>write-node-exporter-metric -c 'Renew certs for proxy01' -v 0</code> on the command line.</p> <p>Check the metrics interface of the host and search for <code>node_cron_job_exit_code</code>.</p> <p>Use this curl command if you want to stick to the console:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>curl --silent --user username:password <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> https://host.example.com/node-exporter/metrics | <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> grep node_cron_job_exit_code </span></span></code></pre></div><p>If the value has been exposed, open Grafana and explore the metrics.</p> <p>Create a new panel and use this query:</p> <p><code>sum by (instance) (node_cron_job_exit_code)</code></p> <p>This query sums all cron jobs exit codes by instance. If the sum is not null something went wrong.</p> <p>Create an alert that triggers if the metric is greater than 0.</p> <p>When setting up cron jobs <code>crontab -e</code> from now on you simply have to add the write metric command at end of the line. Here is an example:</p> <p><code>45 0 * * 0 /usr/share/cerbot/renew-certs; write-node-exporter-metric -c 'Renew certs for proxy' -v $?</code></p> <p>No matter if the job succeeds or fails, the exit code is written and forwarded to Prometheus.</p> <p>What do you think? Do you like this solution? Let me know how you monitor cron jobs.</p> https://janikvonrotz.ch/2020/08/27/grafana-oauth-with-keycloak-and-how-to-validate-a-jwt-token/ Thu, 27 Aug 2020 17:18:30 +0200 https://janikvonrotz.ch/2020/08/27/grafana-oauth-with-keycloak-and-how-to-validate-a-jwt-token/ <p>In this tutorial I am going to show how you can connect a <a href="https://grafana.com/">Garafana</a> container that is hidden behind proxy with Keycloak. We want to log into Grafana with a Keycloak user and experience a seamless SSO-flow. Therefore we are going to configure an OAuth client for Grafana.</p> <p>For this tutorial I assume that our two services are reachable from a public domain.</p> <p>Keycloak: <code>login.example.com</code><br> Grafana: <code>monitor.example.com</code></p> <p>Replace these domains with your case.</p> <h1 id="setup-keycloak">Setup Keycloak</h1> <p>First we are going to create a new Keycloak client. I assume Keycloak is already running and a realm has been configured.</p> <p>Login into Keycloak and select <em>Configure &gt; Clients &gt; Create</em>.<br> Create a new client with these configurations:</p> <p>Client ID: <code>monitor.example.com</code><br> Client Protocol: <code>openid-connect</code><br> Root URL: <code>https://monitor.example.com</code></p> <p>Further make these configurations:</p> <p>Access Type: <code>confidentials</code> <em>// The OAuth client must use a client id and secret.</em><br> Root URL: <code>${authBaseUrl}</code><br> Valid Redirect URIs: <code>https://monitor.example.com/login/generic_oauth</code><br> Base URL: <code>/login/generic_oauth</code><br> Clear <em>Admin URL</em> and <em>Web Origins</em>.</p> <p>Click save and open the <em>Credentials</em> tab. Copy the Secret into a separate note, we will need it in the second and third part of this tutorial.</p> <p>Open the tab <em>Roles</em> and click <em>Add Role</em>. Create a new role with name <code>admin</code>. This role defines the access level for Grafana.</p> <p>Assign the client role to your Keycloak user.</p> <p>Header over to <em>Scope</em> tab and set <em>Full Scope Allowed</em> to <code>OFF</code>. We do not want to share any other details about the realm in the client token.</p> <p>Finally, we are going to configure a client mapper for the roles property. We must ensure that Grafana can extract the access role from the JWT token. Open the <em>Mappers</em> tab and click on <em>Create</em>. Create an entry with these options:</p> <p>Name: <code>Roles</code><br> Mapper Type: <code>User Client Role</code><br> Client ID: <code>monitor.example.com</code><br> Token Claim Name: <code>roles</code><br> Claim JSON type: <code>string</code></p> <p>In the next step we are going to verify that Grafana can retrieve a valid access token.</p> <h1 id="verify-jwt-token">Verify JWT token</h1> <p>Open your shell, enter the command below and populate the <code>&lt;&gt;</code>-fields. Copy the client secret from the note.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>KEYCLOAK_USERNAME<span style="color:#f92672">=</span>&lt;Keycloak username&gt; </span></span><span style="display:flex;"><span>KEYCLOAK_PASSWORD<span style="color:#f92672">=</span>&lt;Keycloak password&gt; </span></span><span style="display:flex;"><span>KEYCLOAK_REALM<span style="color:#f92672">=</span>&lt;Keycloak realm name&gt; </span></span><span style="display:flex;"><span>KEYCLOAK_CLIENT_SECRET<span style="color:#f92672">=</span>&lt;Keycloak client secret&gt; </span></span><span style="display:flex;"><span>curl -s <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span>-d <span style="color:#e6db74">&#34;client_id=monitor.example.com&#34;</span> <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span>-d <span style="color:#e6db74">&#34;client_secret=</span>$KEYCLOAK_CLIENT_SECRET<span style="color:#e6db74">&#34;</span> <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span>-d <span style="color:#e6db74">&#34;username=</span>$KEYCLOAK_USERNAME<span style="color:#e6db74">&#34;</span> <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span>-d <span style="color:#e6db74">&#34;password=</span>$KEYCLOAK_PASSWORD<span style="color:#e6db74">&#34;</span> <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span>-d <span style="color:#e6db74">&#34;grant_type=password&#34;</span> <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">&#34;https://login.example.com/auth/realms/</span>$KEYCLOAK_REALM<span style="color:#e6db74">/protocol/openid-connect/token&#34;</span> | jq -r <span style="color:#e6db74">&#39;.access_token&#39;</span> </span></span></code></pre></div><p>Then copy the encoded output, open <a href="https://jwt.io#debugger-io">https://jwt.io#debugger-io</a> and paste it into the left box. On the rights side you should find the decoded JSON output with this property:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-json" data-lang="json"><span style="display:flex;"><span><span style="color:#e6db74">&#34;roles&#34;</span><span style="color:#960050;background-color:#1e0010">:</span> [ </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#34;admin&#34;</span> </span></span><span style="display:flex;"><span>]<span style="color:#960050;background-color:#1e0010">,</span> </span></span></code></pre></div><p>This means the client role has been added to the JWT token and mapped correctly .</p> <p>Grafana&rsquo;s generic OAuth can be configured to look for this property using a <a href="https://jmespath.org/">JMESPath</a>. Open this <a href="https://jmespath.org/">site</a>, paste the decoded output of the JWT token and enter this filter:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-txt" data-lang="txt"><span style="display:flex;"><span>contains(roles[*], &#39;admin&#39;) &amp;&amp; &#39;Admin&#39; || contains(roles[*], &#39;editor&#39;) &amp;&amp; &#39;Editor&#39; || &#39;Viewer&#39; </span></span></code></pre></div><p>The results box should say <code>Admin</code>.</p> <h1 id="grafana">Grafana</h1> <p>We assume that the Grafana container is running and needs to be configured for OAuth access.</p> <p>My first choice of configuring any container is using environment variables. Luckily all Grafana settings can be set using environment variables.</p> <p>Make the following configurations for the Grafana container:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-yml" data-lang="yml"><span style="display:flex;"><span><span style="color:#f92672">GF_SERVER_DOMAIN</span>: <span style="color:#e6db74">&#34;monitor.example.com&#34;</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">GF_SERVER_ROOT_URL</span>: <span style="color:#e6db74">&#34;https://monitor.exmpale.com&#34;</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">GF_AUTH_GENERIC_OAUTH_ENABLED</span>: <span style="color:#e6db74">&#34;true&#34;</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">GF_AUTH_GENERIC_OAUTH_NAME</span>: <span style="color:#e6db74">&#34;Login Keycloak&#34;</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">GF_AUTH_GENERIC_OAUTH_ALLOW_SIGN_UP</span>: <span style="color:#e6db74">&#34;true&#34;</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">GF_AUTH_GENERIC_OAUTH_CLIENT_ID</span>: <span style="color:#e6db74">&#34;monitor.example.com&#34;</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET</span>: <span style="color:#e6db74">&#34;$KEYCLOAK_CLIENT_SECRET&#34;</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">GF_AUTH_GENERIC_OAUTH_SCOPES</span>: <span style="color:#ae81ff">profile</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">GF_AUTH_GENERIC_OAUTH_AUTH_URL</span>: <span style="color:#e6db74">&#34;https://login.example.com/auth/realms/example.com/protocol/openid-connect/auth&#34;</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">GF_AUTH_GENERIC_OAUTH_TOKEN_URL</span>: <span style="color:#e6db74">&#34;https://login.example.com/auth/realms/example.com/protocol/openid-connect/token&#34;</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">GF_AUTH_GENERIC_OAUTH_API_URL</span>: <span style="color:#e6db74">&#34;https://login.example.com/auth/realms/example.com/protocol/openid-connect/userinfo&#34;</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH</span>: <span style="color:#e6db74">&#34;contains(roles[*], &#39;admin&#39;) &amp;&amp; &#39;Admin&#39; || contains(roles[*], &#39;editor&#39;) &amp;&amp; &#39;Editor&#39; || &#39;Viewer&#39;&#34;</span> </span></span></code></pre></div><p><strong>Test</strong></p> <p>Once everything is deployed logout of Grafana and click on the <code>Login Keycloak</code> button below the login form. You will be forwarded to Keycloak. Keycloak will check the redirect url and client key of the request. If everything looks good to go, you should see the Keycloak login form. Login using the Keycloak user and password and you should be redirected back to Grafana on a successful login. Grafana will create a user if it does not already exist.</p> <h1 id="further-readings">Further readings</h1> <p>You want to access restricitions for the Grafana client? See my post <a href="https://janikvonrotz.ch/2020/04/30/role-based-access-control-for-multiple-keycloak-clients/">role based access control for multiple Keycloak clients</a> for details.</p> <p>The Grafana and Prometheus documentation is one of the best documentation I have seen so far. Make sure to check it out.</p> <h1 id="source">Source</h1> <p>Here are the articles that helped me creating this tutorial:</p> <ul> <li><a href="https://www.janua.fr/keycloak-access-token-verification-example/">Janua - Keycloak Access Token verification example</a></li> <li><a href="https://grafana.com/docs/grafana/latest/auth/generic-oauth/">Grafana Labs - Generic OAuth Authentication</a></li> <li><a href="https://www.techrunnr.com/how-to-setup-oauth-for-grafana-using-keycloak/">Techrunnr - How to setup OAuth for Grafana using Keycloak</a></li> </ul>