diff --git a/Dockerfile b/Dockerfile
index 4b3e22c58..c8ed670f6 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,6 +1,6 @@
 FROM ubuntu:latest
-EXPOSE 80
+EXPOSE 80 443
 WORKDIR /opt
@@ -42,20 +42,19 @@ RUN git clone https://github.com/Percona-Lab/grafana_mongodb_dashboards.git && \
 cp grafana_mongodb_dashboards/dashboards/* /var/lib/grafana/dashboards/
 COPY grafana.ini /etc/grafana/grafana.ini
 COPY grafana-postinstall.sh /opt
-RUN chgrp grafana /etc/grafana/grafana.ini && \
- /opt/grafana-postinstall.sh
+RUN /opt/grafana-postinstall.sh
 # ####################### #
 # Percona Query Analytics #
 # ####################### #
-ADD https://www.percona.com/downloads/TESTING/pmm/percona-qan-api-1.0.0-20160805.fc1a822-x86_64.tar.gz \
- https://www.percona.com/downloads/TESTING/pmm/percona-qan-app-1.0.3-20160805.00641f9.tar.gz \
+ADD https://www.percona.com/downloads/TESTING/pmm/percona-qan-api-1.0.0-20160811.d7d95f1-x86_64.tar.gz \
+ https://www.percona.com/downloads/TESTING/pmm/percona-qan-app-1.0.3-20160811.7ef1760.tar.gz \
 /opt/
 RUN mkdir qan-api && \
- tar zxf percona-qan-api-1.0.0-20160805.fc1a822-x86_64.tar.gz --strip-components=1 -C qan-api && \
+ tar zxf percona-qan-api-1.0.0-20160811.d7d95f1-x86_64.tar.gz --strip-components=1 -C qan-api && \
 mkdir qan-app && \
- tar zxf percona-qan-app-1.0.3-20160805.00641f9.tar.gz --strip-components=1 -C qan-app
+ tar zxf percona-qan-app-1.0.3-20160811.7ef1760.tar.gz --strip-components=1 -C qan-app
 COPY qan-install.sh /opt
 RUN /opt/qan-install.sh
@@ -76,6 +75,8 @@ RUN unzip consul_0.6.4_linux_amd64.zip && \
 # ##### #
 COPY nginx.conf /etc/nginx
+COPY nginx-ssl.conf /etc/nginx
+RUN touch /etc/nginx/.htpasswd
 # ############ #
 # Landing page #
@@ -88,4 +89,5 @@ COPY landing-page/ /opt/landing-page/
 # ############################## #
 COPY supervisord.conf /etc/supervisor/supervisord.conf
-CMD ["supervisord", "-c", "/etc/supervisor/supervisord.conf"]
+COPY entrypoint.sh /opt
+CMD ["/opt/entrypoint.sh"]
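Review bot: The bumped QAN tarballs are still fetched with bare `ADD <url>` and unpacked by the following `RUN tar zxf` lines with no integrity check, so the build trusts whatever the download host serves under that TESTING path; a swapped or tampered archive at the same URL would be installed unnoticed. Downloading explicitly and pinning a digest next to the version closes that gap, e.g. `RUN curl -fsSL -o /opt/qan-api.tar.gz <url> && echo "<sha256-placeholder>  /opt/qan-api.tar.gz" | sha256sum -c -` per archive (curl or wget, whichever the image installs earlier — not visible in this hunk). The archives also remain in `/opt` of the final image after extraction; removing them in the same `RUN` as the `tar` keeps the layer smaller.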
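Review bot: `RUN touch /etc/nginx/.htpasswd` creates the credential file with the build's default mode, which is presumably world-readable, and entrypoint.sh later writes the password hash into it without tightening that, so every process in the container can read the hash. Creating it as `RUN touch /etc/nginx/.htpasswd && chmod 640 /etc/nginx/.htpasswd` and giving it the group nginx's workers run as (not visible in this diff) limits read access to nginx.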
diff --git a/VERSION b/VERSION
index 6d7de6e6a..ee90284c2 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-1.0.2
+1.0.4
diff --git a/docker-compose.yml b/docker-compose.yml
index 955f3699c..7c80bad74 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -18,9 +18,14 @@ services:
 restart: always
 ports:
 - "80:80"
+ - "443:443"
 volumes_from:
 - pmm-data
-# environment:
-# - METRICS_RETENTION=720h
-# - METRICS_MEMORY=262144
-# - METRICS_RESOLUTION=1s
+# volumes:
+# - /root/docker_shared_volumes/ssl:/etc/nginx/ssl
+ environment:
+ - METRICS_RETENTION=720h
+ - METRICS_MEMORY=262144
+ - METRICS_RESOLUTION=1s
+# - HTTP_USER=pmm
+# - HTTP_PASSWORD=abc123
diff --git a/entrypoint.sh b/entrypoint.sh
new file mode 100755
index 000000000..a17fbf460
--- /dev/null
+++ b/entrypoint.sh
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+replace 1s ${METRICS_RESOLUTION:-1s} -- /opt/prometheus/prometheus.yml
+
+if [ -e /etc/nginx/ssl/server.crt ] && [ -e /etc/nginx/ssl/server.key ]; then
+ sed -i 's/#include nginx-ssl.conf/include nginx-ssl.conf/' /etc/nginx/nginx.conf
+ if [ -e /etc/nginx/ssl/dhparam.pem ]; then
+ sed -i 's/#ssl_dhparam/ssl_dhparam/' /etc/nginx/nginx-ssl.conf
+ fi
+fi
+
+if [ -n "$HTTP_PASSWORD" ]; then
+ echo "${HTTP_USER:-pmm}:$(openssl passwd -apr1 $HTTP_PASSWORD)" > /etc/nginx/.htpasswd
+ sed -i 's/auth_basic off/auth_basic "PMM Server"/' /etc/nginx/nginx.conf
+
+ # Disable Grafana HTTP auth
+ sed -i '/\[auth.basic\]/ a enabled=false' /etc/grafana/grafana.ini
+fi
+
+supervisord -c /etc/supervisor/supervisord.conf
diff --git a/grafana-postinstall.sh b/grafana-postinstall.sh
index 5a85baf74..d7da389d6 100755
--- a/grafana-postinstall.sh
+++ b/grafana-postinstall.sh
@@ -1,5 +1,6 @@
-#!/bin/sh
+#!/bin/bash
+chgrp grafana /etc/grafana/grafana.ini
 service grafana-server start
 for i in `seq 30`; do
diff --git a/nginx-ssl.conf b/nginx-ssl.conf
new file mode 100644
index 000000000..1a7716317
--- /dev/null
+++ b/nginx-ssl.conf
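Review bot: The commented `# - HTTP_PASSWORD=abc123` example invites filling in a real password directly in this committed file, and values placed under `environment:` are also readable by anyone who can run `docker inspect` on the container. A comment next to the example, `# set HTTP_USER/HTTP_PASSWORD via an env_file kept out of version control`, makes the intended handling explicit. The SSL mount example would also benefit from stating that only `server.crt`, `server.key` and optionally `dhparam.pem` are read from that directory by entrypoint.sh.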
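Review bot: The `sed -i 's/auth_basic off/auth_basic "PMM Server"/' /etc/nginx/nginx.conf` line rewrites every line containing `auth_basic off`, and after this commit nginx.conf has two of them — the one in the BEGIN/END managed block and the `# Temporary until agent supports this.` one inside the websocket location — so setting HTTP_PASSWORD also enables auth on the endpoint that comment wants exempt. Restricting the substitution to the managed block, `sed -i '/## BEGIN/,/## END/ s/auth_basic off/auth_basic "PMM Server"/' /etc/nginx/nginx.conf`, keeps the location-level override intact (the same point applies to the nginx.conf hunk). The final `supervisord -c /etc/supervisor/supervisord.conf` should be `exec supervisord -c /etc/supervisor/supervisord.conf`, otherwise bash stays PID 1 and the SIGTERM from `docker stop` never reaches supervisord. `$HTTP_PASSWORD` is unquoted inside the `$(openssl passwd -apr1 ...)` substitution, so a password containing spaces or glob characters is mangled and the value is exposed on the openssl command line; `openssl passwd -apr1 -stdin <<< "$HTTP_PASSWORD"` avoids both.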
@@ -0,0 +1,13 @@
+listen *:443 ssl;
+ssl_certificate ssl/server.crt;
+ssl_certificate_key ssl/server.key;
+#ssl_dhparam ssl/dhparam.pem;
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK;
+ssl_stapling on;
+ssl_stapling_verify on;
+resolver 8.8.8.8 8.8.4.4 valid=300s;
+resolver_timeout 2s;
+ssl_prefer_server_ciphers on;
+ssl_session_cache shared:SSL:10m;
+add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
diff --git a/nginx.conf b/nginx.conf
index 4bceb8072..4a9359c8d 100644
--- a/nginx.conf
+++ b/nginx.conf
@@ -22,8 +22,14 @@ http {
 listen *:80;
 server_name _;
 server_tokens off;
- root /opt/landing-page;
-
+ root /opt/landing-page;
+
+ ## BEGIN Those lines are managed from entrypoint.sh
+ #include nginx-ssl.conf;
+ auth_basic off;
+ auth_basic_user_file .htpasswd;
+ ## END
+
 # Grafana
 rewrite ^/graph$ /graph/;
 location /graph {
@@ -61,6 +67,9 @@ http {
 proxy_set_header Upgrade $http_upgrade;
 proxy_set_header Connection "upgrade";
 proxy_read_timeout 86400;
+
+ # Temporary until agent supports this.
+ auth_basic off;
 }
 }
 }
diff --git a/prometheus.yml b/prometheus.yml
index b4adfb370..55290595c 100644
--- a/prometheus.yml
+++ b/prometheus.yml
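Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` leaves TLS 1.0 and 1.1 enabled, and the cipher list still admits SHA-1 (`…-SHA`) and DSS suites; for a new file `ssl_protocols TLSv1.2;` (adding TLSv1.3 once the nginx build in the base image supports it) and a list trimmed to the ECDHE AES-GCM entries is the safer default. `resolver 8.8.8.8 8.8.4.4` hard-codes an external DNS service for OCSP stapling, so the container needs egress to Google DNS and sends its stapling lookups there; using the resolver the deployment already has, or at least documenting the dependency, is preferable. With `ssl_stapling_verify on` nginx needs the issuer chain to validate the OCSP response; if the chain is not bundled in `server.crt`, an `ssl_trusted_certificate` directive pointing at it is required and this file does not provide one. `includeSubdomains` in the HSTS header applies to every subdomain of whatever name the server is reached by, so it should be a deliberate operator choice rather than a default.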
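Review bot: Once entrypoint.sh turns `auth_basic off` into `auth_basic "PMM Server"`, the `listen *:80` server block still accepts the credentials in cleartext, because nothing redirects plain HTTP to the TLS listener that the `#include nginx-ssl.conf` line enables, and the HSTS header only protects clients after their first HTTPS visit. A redirect line in the managed block, `#return 301 https://$host$request_uri;`, toggled by entrypoint.sh together with the include when certificates are present, would close that gap; alternatively the plain-HTTP listener can move to a separate server block that only redirects. The server block this hunk edits continues outside the hunk.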
@@ -13,11 +13,11 @@ scrape_configs: - job_name: override consul_sd_configs: - server: 'localhost:8500' - services: ['os', 'mongodb'] + services: ['linux:metrics', 'mongodb:metrics'] relabel_configs: - source_labels: ['__meta_consul_service'] - regex: '(.*)' + regex: '(.+):metrics' target_label: 'job' replacement: '$1' - source_labels: ['__meta_consul_tags'] @@ -39,9 +39,11 @@ scrape_configs: - job_name: mysql-hr + metrics_path: /metrics-hr + consul_sd_configs: - server: 'localhost:8500' - services: ['mysql-hr'] + services: ['mysql:metrics'] relabel_configs: - target_label: 'job' @@ -53,11 +55,13 @@ scrape_configs: - job_name: mysql-mr + metrics_path: /metrics-mr scrape_interval: 5s scrape_timeout: 1s + consul_sd_configs: - server: 'localhost:8500' - services: ['mysql-mr'] + services: ['mysql:metrics'] relabel_configs: - target_label: 'job' @@ -69,12 +73,13 @@ scrape_configs: - job_name: mysql-lr + metrics_path: /metrics-lr scrape_interval: 60s scrape_timeout: 5s consul_sd_configs: - server: 'localhost:8500' - services: ['mysql-lr'] + services: ['mysql:metrics'] relabel_configs: - target_label: 'job' diff --git a/supervisord.conf b/supervisord.conf index a72d2c538..d74291925 100644 --- a/supervisord.conf +++ b/supervisord.conf 
@@ -64,7 +64,7 @@ autorestart = true
 [program:prometheus]
 priority = 7
 # Sleep to wait for consul to start up.
-command = bash -c "sleep 5 && replace 1s ${METRICS_RESOLUTION:-1s} -- /opt/prometheus/prometheus.yml && /opt/prometheus/prometheus -config.file=/opt/prometheus/prometheus.yml -storage.local.path=/opt/prometheus/data -web.listen-address=:9090 -storage.local.retention=${METRICS_RETENTION:-720h} -storage.local.memory-chunks=${METRICS_MEMORY:-262144} -web.console.libraries=/opt/prometheus/console_libraries -web.console.templates=/opt/prometheus/consoles -web.external-url=http://localhost:9090/prometheus/"
+command = bash -c "sleep 5 && /opt/prometheus/prometheus -config.file=/opt/prometheus/prometheus.yml -storage.local.path=/opt/prometheus/data -web.listen-address=:9090 -storage.local.retention=${METRICS_RETENTION:-720h} -storage.local.memory-chunks=${METRICS_MEMORY:-262144} -web.console.libraries=/opt/prometheus/console_libraries -web.console.templates=/opt/prometheus/consoles -web.external-url=http://localhost:9090/prometheus/"
 stdout_logfile = /var/log/prometheus.log
 stderr_logfile = /var/log/prometheus.log
 autorestart = true