BLOG POSTS
How to Install and Secure Grafana on Ubuntu 24

How to Install and Secure Grafana on Ubuntu 24

Grafana is an open-source analytics and interactive visualization platform that transforms your metrics into meaningful dashboards. With Ubuntu 24’s enhanced security features and improved package management, setting up Grafana becomes more straightforward while maintaining enterprise-grade security. This guide walks you through installing Grafana on Ubuntu 24, implementing proper security measures, and optimizing performance for production environments.

Understanding Grafana Architecture and Requirements

Grafana operates as a web-based application that connects to various data sources like Prometheus, InfluxDB, MySQL, and PostgreSQL. The application consists of several components: the web server, database backend, alerting engine, and plugin system. On Ubuntu 24, Grafana leverages systemd for service management and can utilize either SQLite for development or PostgreSQL/MySQL for production deployments.

Before installation, ensure your Ubuntu 24 system meets these requirements:

  • Minimum 1GB RAM (4GB recommended for production)
  • 2 CPU cores or more
  • At least 10GB available disk space
  • Network connectivity for downloading packages
  • Non-root user with sudo privileges

Step-by-Step Grafana Installation

The installation process involves adding the official Grafana repository, installing the package, and configuring the service. Start by updating your system and installing required dependencies:

sudo apt update && sudo apt upgrade -y
sudo apt install -y software-properties-common apt-transport-https wget curl

Add the Grafana GPG key and repository to ensure package authenticity:

wget -q -O - https://packages.grafana.com/gpg.key | sudo apt-key add -
echo "deb https://packages.grafana.com/oss/deb stable main" | sudo tee /etc/apt/sources.list.d/grafana.list

Install Grafana and enable the service:

sudo apt update
sudo apt install grafana
sudo systemctl enable grafana-server
sudo systemctl start grafana-server

Verify the installation by checking the service status:

sudo systemctl status grafana-server

Grafana should now be accessible at http://your-server-ip:3000 with default credentials (admin/admin).

Essential Security Configuration

Security should be your top priority when deploying Grafana in production. The default configuration lacks several critical security measures that need immediate attention.

Firewall Configuration

Configure UFW to restrict access to Grafana port:

sudo ufw enable
sudo ufw allow ssh
sudo ufw allow from your-trusted-ip to any port 3000
sudo ufw reload

SSL/TLS Implementation

Never run Grafana without HTTPS in production. Generate SSL certificates using Let’s Encrypt or configure a reverse proxy. Here’s a basic Nginx reverse proxy configuration:

sudo apt install nginx certbot python3-certbot-nginx
sudo nano /etc/nginx/sites-available/grafana

Add this configuration:

server {
    listen 80;
    server_name your-domain.com;
    
    location / {
        proxy_pass http://localhost:3000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

Enable the site and obtain SSL certificate:

sudo ln -s /etc/nginx/sites-available/grafana /etc/nginx/sites-enabled/
sudo certbot --nginx -d your-domain.com
sudo systemctl reload nginx

Grafana Security Settings

Modify the main configuration file for enhanced security:

sudo nano /etc/grafana/grafana.ini

Critical security configurations:

[security]
admin_user = your-admin-username
admin_password = strong-password-here
secret_key = generate-random-32-char-key
disable_gravatar = true
cookie_secure = true
cookie_samesite = strict

[auth]
disable_login_form = false
disable_signout_menu = false

[auth.anonymous]
enabled = false

[server]
protocol = http
http_port = 3000
domain = your-domain.com
root_url = https://your-domain.com

Restart Grafana to apply changes:

sudo systemctl restart grafana-server

Database Backend Configuration

While SQLite works for development, production environments require PostgreSQL or MySQL. Here’s how to configure PostgreSQL as the backend:

sudo apt install postgresql postgresql-contrib
sudo systemctl start postgresql
sudo systemctl enable postgresql

Create a dedicated database and user:

sudo -u postgres psql
CREATE DATABASE grafana;
CREATE USER grafana WITH PASSWORD 'secure-password';
GRANT ALL PRIVILEGES ON DATABASE grafana TO grafana;
\q

Update Grafana configuration:

[database]
type = postgres
host = localhost:5432
name = grafana
user = grafana
password = secure-password
ssl_mode = require

Performance Optimization and Monitoring

Grafana performance depends on several factors including data source response times, dashboard complexity, and system resources. Monitor these key metrics:

Metric Optimal Range Impact
Memory Usage < 80% of available RAM Dashboard loading speed
CPU Usage < 70% average Query processing speed
Disk I/O < 80% capacity Database performance
Network Latency < 100ms to data sources Real-time data updates

Configure performance settings in grafana.ini:

[log]
level = warn

[analytics]
reporting_enabled = false
check_for_updates = false

[snapshots]
external_enabled = false

[dashboards]
versions_to_keep = 20

[alerting]
enabled = true
execute_alerts = true

Real-World Use Cases and Integration Examples

Grafana excels in various scenarios. Here are practical implementations:

Infrastructure Monitoring

Integrate with Prometheus for comprehensive system monitoring. Install Prometheus first:

wget https://github.com/prometheus/prometheus/releases/download/v2.40.0/prometheus-2.40.0.linux-amd64.tar.gz
tar xvfz prometheus-*.tar.gz
sudo mv prometheus-2.40.0.linux-amd64 /opt/prometheus

Create a systemd service for Prometheus and configure Grafana to use it as a data source through the UI at Data Sources → Add data source → Prometheus with URL http://localhost:9090.

Application Performance Monitoring

For applications running on VPS or dedicated servers, configure custom metrics collection using StatsD or direct API integration.

Common Issues and Troubleshooting

Several issues commonly occur during Grafana deployment:

  • Port 3000 already in use: Check for conflicting services with sudo netstat -tlnp | grep :3000
  • Permission denied errors: Ensure grafana user has proper permissions: sudo chown -R grafana:grafana /var/lib/grafana
  • Database connection failures: Verify database credentials and network connectivity
  • Plugin installation issues: Check internet connectivity and proxy settings
  • Memory issues: Monitor logs with sudo journalctl -u grafana-server -f

Debug configuration issues by temporarily increasing log verbosity:

[log]
level = debug

Alternative Monitoring Solutions Comparison

While Grafana is powerful, consider these alternatives based on your needs:

Solution Best For Complexity Cost
Grafana Flexible dashboards, multiple data sources Medium Free/Enterprise
Kibana Log analysis, Elasticsearch integration High Free/Commercial
Datadog All-in-one monitoring, cloud-native Low Subscription
Prometheus UI Simple metrics queries Low Free

Best Practices and Production Considerations

Follow these practices for robust Grafana deployments:

  • Implement regular backups of Grafana database and configuration files
  • Use configuration management tools like Ansible for consistent deployments
  • Set up monitoring for Grafana itself using external tools
  • Implement proper user management with LDAP or OAuth integration
  • Use templating and variables for scalable dashboard design
  • Regular security updates and dependency management
  • Load balancing for high-availability setups

Configure automated backups:

#!/bin/bash
BACKUP_DIR="/backup/grafana"
DATE=$(date +%Y%m%d_%H%M%S)

mkdir -p $BACKUP_DIR
sudo systemctl stop grafana-server
sudo tar -czf $BACKUP_DIR/grafana_backup_$DATE.tar.gz /etc/grafana /var/lib/grafana
sudo systemctl start grafana-server

For additional security, consider implementing rate limiting, IP whitelisting, and regular security audits. The official Grafana security documentation provides comprehensive guidance for enterprise deployments.

Your Grafana installation on Ubuntu 24 should now be secure, performant, and ready for production workloads. Regular maintenance, monitoring, and security updates will ensure optimal performance and protection against emerging threats.



This article incorporates information and material from various online sources. We acknowledge and appreciate the work of all original authors, publishers, and websites. While every effort has been made to appropriately credit the source material, any unintentional oversight or omission does not constitute a copyright infringement. All trademarks, logos, and images mentioned are the property of their respective owners. If you believe that any content used in this article infringes upon your copyright, please contact us immediately for review and prompt action.

This article is intended for informational and educational purposes only and does not infringe on the rights of the copyright owners. If any copyrighted material has been used without proper credit or in violation of copyright laws, it is unintentional and we will rectify it promptly upon notification. Please note that the republishing, redistribution, or reproduction of part or all of the contents in any form is prohibited without express written permission from the author and website owner. For permissions or further inquiries, please contact us.

Leave a reply

Your email address will not be published. Required fields are marked