maj process + TLS node exporter OK

README.md

@@ -1,14 +1,11 @@
 # PROMETHEUS & GRAFANA
 
-Ce projet vise à monitorer un server avec une stack Docker.
+Ce projet vise à monitorer des serveurs via prometheus pour centraliser le scraping, node exporter pour les host metrics, cadvisor pour les metrics des conteneurs docker et grafana pour afficher les metrics sous forme de dashboards
+
+![PROM](docs/prom.png)
 
 ## CONFIGURATION
 
-- Configuration des accès via Caddy:
-```bash
-nano .env
-```
-
 - Configuration de la boîte mail pour les alertes:
 ```bash
 nano alertmanager/alertmanager.yml
@@ -19,10 +16,71 @@ nano alertmanager/alertmanager.yml
 nano alertmanager/alert.rules
 ```
 
+- Configuration des alertes:
+```bash
+nano alertmanager/alert.rules
+```
+
 > Grafana est accessible via l'adresse: http://<IP-SERVER>:3000
 
+### NODE EXPORTER TLS
+
+- Créer un enregistrement DNS pointant vers votre serveur
+- Créer une configuration serveur pointant le DNS vers 127.0.0.1:9100 (port exposé par node exporter) [exemple pour nginx](docs/nginx-config)
+
+#### NODE EXPORTER HOST
+
+- Create certs:
+
+```bash
+openssl req -new -newkey rsa:4096 -days 365 -nodes -x509 -keyout gn-prod.key -out gn-prod.crt -subj "/C=FR/ST=PARIS/L=GarageNum/O=prom/CN=legaragenumerique.fr" -addext "subjectAltName = DNS:gnprod"
+```
+
+- Create password:
+
+```bash
+htpasswd -nBC 10 "" | tr -d ':\n'; echo
+```
+
+- Node exporter web.yml (/etc/node-exporter/web.yml):
+
+```yaml
+tls_server_config:
+  cert_file: gn-prod.crt
+  key_file: gn-prod.key
+basic_auth_users:
+  prometheus: <the-output-value-of-htpasswd>
+```
+
+- Copy certs to prometheus host
+
+## PROMETHEUS HOST
+
+- Config prometheus.yml (/etc/prometheus/prometheus.yml):
+
+```yaml
+scrape_configs:
+  - job_name: 'node-exporter-tls'
+    scheme: https
+    basic_auth:
+      username: prometheus
+      password: <the-plain-text-password>
+    tls_config:
+      ca_file: gn-prod.crt
+      insecure_skip_verify: true
+    static_configs:
+    - targets: ['node-exporter-ip:9100']
+      labels:
+        instance: friendly-instance-name
+```
+
+
+
+
 ## TO DO 
 
-- [ ] node exporter
+- [x] node exporter
-- [ ] node exporter -> prometheus via https
+- [x] node exporter -> prometheus via https
-- [ ] dashboard for Grafana amd64
+- [ ] dashboard for Grafana amd64:
+    - [x] host metrics
+    - [ ] cadvisor for docker

docker-compose.yml

@@ -1,5 +1,6 @@
 version: '2.1'
 
+
 networks:
   monitor-net:
     driver: bridge
@@ -10,6 +11,7 @@ volumes:
 
 services:
 
+# METRICS GATHERER
   prometheus:
     image: prom/prometheus:v2.17.1
     container_name: prometheus
@@ -31,6 +33,7 @@ services:
     labels:
       org.label-schema.group: "monitoring"
 
+# FOR ALERTS
   alertmanager:
     image: prom/alertmanager:v0.20.0
     container_name: alertmanager
@@ -48,6 +51,7 @@ services:
     labels:
       org.label-schema.group: "monitoring"
 
+# FOR HOST METRICS
   nodeexporter:
     image: prom/node-exporter:v0.18.1
     container_name: nodeexporter
@@ -68,6 +72,7 @@ services:
     labels:
       org.label-schema.group: "monitoring"
 
+# FOR DOCKER CONTAINERS
   cadvisor:
     image: gcr.io/cadvisor/cadvisor
     container_name: cadvisor
@@ -85,6 +90,7 @@ services:
     labels:
       org.label-schema.group: "monitoring"
 
+# POUR AFFICHAGE DASHBOARD
   grafana:
     image: grafana/grafana:6.7.2
     container_name: grafana
@@ -96,8 +102,8 @@ services:
       - GF_SECURITY_ADMIN_PASSWORD=${ADMIN_PASSWORD}
       - GF_USERS_ALLOW_SIGN_UP=false
     restart: unless-stopped
-    expose:
+    ports:
-      - 3000
+      - 3000;3000
     networks:
       - monitor-net
     labels:
@@ -113,24 +119,3 @@ services:
       - monitor-net
     labels:
       org.label-schema.group: "monitoring"
-
-  caddy:
-    image: caddy:2.6.4
-    container_name: caddy
-    ports:
-      - "3000:3000"
-      - "9090:9090"
-      - "9093:9093"
-      - "9091:9091"
-    volumes:
-      - ./caddy:/etc/caddy
-    env_file:
-      - .env
-    # environment:
-    #   - ADMIN_USER=${ADMIN_USER}
-    #   - ADMIN_PASSWORD=${ADMIN_PASSWORD}
-    restart: unless-stopped
-    networks:
-      - monitor-net
-    labels:
-      org.label-schema.group: "monitoring"

docs/nginx-config

@@ -0,0 +1,34 @@
+upstream nodeexporter {
+        server 127.0.0.1:9100;
+        }
+
+server {
+        listen 80;
+        listen [::]:80;
+        server_name monitoring.mondomaine.tld;
+
+        location / {
+                proxy_pass http://nodeexporter;
+        }
+
+}
+
+server {
+        listen 443 ssl;
+        listen [::]:443 ssl;
+        server_name monitoring.mondomaine.tld;
+
+    error_log /var/log/nginx/monitoring.mondomaine.tld-proxy-error.log;
+    access_log /var/log/nginx/monitoring.mondomaine.tld-proxy-access.log;
+
+    ssl_certificate           /etc/letsencrypt/live/monitoring.mondomaine.tld/fullchain.pem;
+    ssl_certificate_key       /etc/letsencrypt/live/monitoring.mondomaine.tld/privkey.pem;
+
+    ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
+    ssl_ciphers         HIGH:!aNULL:!MD5;
+
+        location / {
+                proxy_pass http://nodeexporter;
+        }
+
+}

prometheus/prometheus.yml

@@ -12,6 +12,8 @@ rule_files:
   - "alert.rules"
 
 # A scrape configuration containing exactly one endpoint to scrape.
+
+# LOCAL SERVER
 scrape_configs:
   - job_name: 'nodeexporter'
     scrape_interval: 5s
@@ -34,6 +36,21 @@ scrape_configs:
     static_configs:
       - targets: ['pushgateway:9091']
 
+# DISTANT SERVER (WITH NODE EXPORTER)
+  # - job_name: 'serveur-distant'
+  #   scheme: https
+  #   basic_auth:
+  #     username: 'prometheus'
+  #     password: 'htpassword-non-crypté'
+  #   tls_config:
+  #     ca_file: certif.crt
+  #     insecure_skip_verify: true
+  #   scrape_interval: 10s
+  #   honor_labels: true
+  #   static_configs:
+  #     - targets: ['monitoring.mondomaine.tld:9100']
+  #       labels:
+  #         instance: serveur-distant
 
 alerting:
   alertmanagers: