【SRE】安装Grafana实践
安装
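# Download and install (CentOS/RHEL example)
sudo yum install -y wget
wget https://dl.grafana.com/oss/release/grafana-11.2.3-1.x86_64.rpm
# Verify the package before installing it as root. Depending on the yum/dnf
# configuration, a local RPM may be installed without a signature check, so
# compare the file against the SHA-256 published on the official Grafana
# download page (replace the placeholder) and install only if it matches.
# `rpm --checksig grafana-11.2.3-1.x86_64.rpm` is an additional check once the
# vendor's signing key has been imported.
echo "<SHA256_FROM_GRAFANA_DOWNLOAD_PAGE>  grafana-11.2.3-1.x86_64.rpm" | sha256sum -c - \
  && sudo yum localinstall -y grafana-11.2.3-1.x86_64.rpm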
初始化安全配置
- 开机自启动设置
# Reload systemd unit definitions so the newly installed grafana-server unit is picked up.
sudo systemctl daemon-reload
# Enable the service at boot and start it immediately (--now).
# NOTE(review): from this point port 3000 answers with the default admin
# credentials; confirm the host firewall limits who can reach it until the
# password has been changed.
sudo systemctl enable --now grafana-server
- 首次登录改密
浏览器访问http://<服务器IP>:3000
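默认账号admin / admin,首次会强制修改密码(≥8 位含大小写+数字+符号)。注意:此时还是明文 HTTP,首次登录和改密请在本机或可信网络内完成(例如先通过 SSH 端口转发访问),并在对外开放 3000 端口之前改掉默认密码;部分版本的改密提示可以跳过,不要依赖它来保证默认密码已被替换。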
开启HTTPS(自签证书)
- 自签证书
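# 1. Generate a private key and a self-signed certificate (valid for 10 years)
sudo mkdir -p /etc/grafana/ssl
# NOTE: modern TLS clients match the subjectAltName rather than the CN. With
# OpenSSL 1.1.1 or newer, consider adding
#   -addext "subjectAltName=IP:<SERVER_IP>"
# so clients that trust this certificate can also validate the address.
sudo openssl req -x509 -nodes -days 3650 -newkey rsa:2048 \
  -keyout /etc/grafana/ssl/grafana.key \
  -out /etc/grafana/ssl/grafana.crt \
  -subj "/C=CN/ST=BJ/L=BJ/O=MyOrg/CN=$(hostname -I | awk '{print $1}')"
# -nodes leaves the private key unencrypted on disk, so restrict it right away.
# The grafana service account must be able to read it; without this step the
# service fails with "could not load SSL certificate ... permission denied".
sudo chown -R grafana:grafana /etc/grafana/ssl
sudo chmod 600 /etc/grafana/ssl/grafana.key
sudo chmod 644 /etc/grafana/ssl/grafana.crt
# 2. Edit the Grafana configuration
sudo vim /etc/grafana/grafana.ini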
- 配置修改:/etc/grafana/grafana.ini
[server]
protocol = https
http_addr = 0.0.0.0
http_port = 3000
domain = <你的域名或IP>
cert_file = /etc/grafana/ssl/grafana.crt
cert_key = /etc/grafana/ssl/grafana.key

[security]
# 安全加固项(注意:以下几项不会启用强密码策略;Grafana 11 中强密码策略对应 [auth.basic] 下的 password_policy = true,请对照所用版本的文档确认)
disable_gravatar = true
allow_embedding = false
cookie_secure = true
cookie_samesite = strict
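Nginx配置(可选:在 Grafana 前加一层反向代理和 Basic 认证。启用后建议把上面 [server] 的 http_addr 改为 127.0.0.1,否则客户端仍可直连 3000 端口,绕过 Nginx 的 auth_basic)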
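# TLS-terminating reverse proxy in front of Grafana, with an extra HTTP
# basic-auth layer ahead of Grafana's own login.
server {
    listen 443 ssl;
    server_name grafana.example.com;  # replace with your domain or IP

    ssl_certificate /etc/grafana/ssl/grafana.crt;
    ssl_certificate_key /etc/grafana/ssl/grafana.key;

    # The htpasswd file holds credential hashes; keep it readable only by
    # root and the nginx worker user.
    auth_basic "Grafana Access";
    auth_basic_user_file /etc/nginx/auth/grafana.htpasswd;

    location / {
        # Upstream is Grafana's own HTTPS listener on loopback. nginx does not
        # verify the upstream certificate by default, which is acceptable only
        # because the hop never leaves this host.
        # NOTE(review): this layer protects Grafana only if Grafana itself is
        # not reachable directly; confirm http_addr / firewall rules.
        # NOTE(review): the client's Authorization header is passed upstream
        # as-is; confirm it does not conflict with Grafana's own basic auth.
        proxy_pass https://127.0.0.1:3000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
}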
问题
1、配置错误:*.ini 是配置文件,永远不要 source 或直接执行
-bash: app_mode: command not found
-bash: /etc/grafana/grafana.ini: line 10: syntax error near unexpected token `;'
-bash: /etc/grafana/grafana.ini: line 10: `;instance_name = ${HOSTNAME}'
- 重新修改
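# 1. Change the file with an editor; never source or execute it
sudo vim /etc/grafana/grafana.ini
# or
sudo nano /etc/grafana/grafana.ini
# 2. Restart the service once the edit is saved
sudo systemctl restart grafana-server
# Optional: validate the configuration with grafana-server itself.
# NOTE(review): confirm that your Grafana version supports --config-check
# (see `grafana-server -h`). If it does not, check the result of the restart
# with `sudo journalctl -u grafana-server -n 50` instead. Running the server
# binary by hand as root can also leave root-owned files behind.
sudo grafana-server --config /etc/grafana/grafana.ini --config-check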
2、测试访问被拒
curl https://127.0.0.1:3000
curl: (7) Failed to connect to 127.0.0.1 port 3000: Connection refused
- 排查解决
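# Check the state of the grafana service
sudo systemctl status grafana-server
# If it reports inactive (dead), start it
sudo systemctl start grafana-server
sudo systemctl enable grafana-server
# If it reports failed, read the service log
sudo journalctl -u grafana-server -n 50
# Confirm the listening address and port
sudo netstat -tunlp | grep grafana
# or
sudo ss -tunlp | grep 3000
# Restart the service
sudo systemctl restart grafana-server
# Local check; "HTTP/1.1 200 OK" means the service is healthy.
# NOTE: this probes plain HTTP. When protocol = https is active, use
# `curl -kI https://127.0.0.1:3000/login` instead; -k skips certificate
# verification, so use it only for this loopback test with the self-signed
# certificate.
curl -I http://127.0.0.1:3000/login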
3、自签证书问题
could not load SSL certificate: open /etc/grafana/ssl/grafana.key: permission denied
- 修复证书权限
# Give the grafana service account read access to the TLS files.
# NOTE(review): owning the files also lets the service account replace them.
# A tighter layout is root as owner with group grafana and mode 640 on the key;
# this assumes the package created a grafana group. Confirm before switching.
sudo chown -R grafana:grafana /etc/grafana/ssl
# Private key: readable and writable by its owner only.
sudo chmod 600 /etc/grafana/ssl/*.key
# The certificate is public material; world-readable is fine.
sudo chmod 644 /etc/grafana/ssl/*.crt
- 临时注释(先验证HTTP访问)
# Temporarily comment out the three HTTPS settings by prefixing each with ';'.
# While they are disabled the login page is served over plain HTTP, so test
# only from the host itself and restore the lines as soon as the check passes.
sudo sed -i \
  -e 's/^protocol = https/;protocol = https/' \
  -e 's/^cert_file =/;cert_file =/' \
  -e 's/^cert_key =/;cert_key =/' \
  /etc/grafana/grafana.ini
- 重启并验证
# Reload systemd unit definitions, then restart Grafana so it re-reads grafana.ini.
sudo systemctl daemon-reload
sudo systemctl restart grafana-server
# Check the service state (prints "active" when it is running)
systemctl is-active grafana-server
# Test from the host itself over plain HTTP. This matches the temporary
# configuration in which the HTTPS settings are commented out.
curl -I http://127.0.0.1:3000/login
- 验证无问题,修改grafana.ini,再重启grafana
protocol = https
cert_file = /etc/grafana/ssl/grafana.crt
cert_key = /etc/grafana/ssl/grafana.key
