From b492cabeeed18bc9cb43cc3b63303322d9720c8c Mon Sep 17 00:00:00 2001
From: teor
Date: Fri, 23 Oct 2020 14:22:47 +1000
Subject: [PATCH] Bind grafana to localhost in metrics instructions

Binding grafana to localhost makes it inaccessible from the wider internet, which is a secure default. Since we run docker with host networking, docker containers have access to D-Bus and other security-related services on localhost. So it's risky to also expose them to the wider internet.
---
 book/src/user/metrics.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/book/src/user/metrics.md b/book/src/user/metrics.md
index 5fbece23d..261a0f73c 100644
--- a/book/src/user/metrics.md
+++ b/book/src/user/metrics.md
@@ -11,10 +11,10 @@ sudo docker volume create grafana-storage
 sudo docker volume create prometheus-storage

 # run prometheus with the included config
-sudo docker run --network host -v prometheus-storage:/prometheus -v /path/to/zebra/prometheus.yaml:/etc/prometheus/prometheus.yml prom/prometheus
+sudo docker -d run --network host -v prometheus-storage:/prometheus -v /path/to/zebra/prometheus.yaml:/etc/prometheus/prometheus.yml prom/prometheus

 # run grafana
-sudo docker run -d --network host -e GF_SERVER_HTTP_PORT=3030 -v grafana-storage:/var/lib/grafana grafana/grafana
+sudo docker -d run --network host -e GF_SERVER_HTTP_PORT=3030 -e GF_SERVER_HTTP_ADDR=localhost -v grafana-storage:/var/lib/grafana grafana/grafana
 ```

 Now the grafana dashboard is available at [http://localhost:3030](http://localhost:3030) ; the default username and password is `admin`/`admin`.
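Review bot: Both new command lines place `-d` before the `run` subcommand (`sudo docker -d run ...`), but `-d`/`--detach` is an option of `docker run` rather than a global docker option, so the commands as written will most likely be rejected; they should read `sudo docker run -d --network host ...`. The commit also binds only grafana to localhost: the prometheus container still runs with `--network host` and no listen address, so it presumably keeps listening on all interfaces, which is the exposure the commit message sets out to remove. Passing `--web.listen-address=localhost:9090` after `prom/prometheus` would close that gap, keeping in mind that explicit arguments replace the image's default ones, so `--config.file=/etc/prometheus/prometheus.yml` has to be repeated. Because the closing sentence advertises the `admin`/`admin` default login, it would also be worth adding a line telling the reader to change that password on first login.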