1 .. _mgr-cephadm-monitoring:
6 Ceph Dashboard uses `Prometheus <https://prometheus.io/>`_, `Grafana
7 <https://grafana.com/>`_, and related tools to store and visualize detailed
8 metrics on cluster utilization and performance. Ceph users have three options:
10 #. Have cephadm deploy and configure these services. This is the default
11 when bootstrapping a new cluster unless the ``--skip-monitoring-stack``
13 #. Deploy and configure these services manually. This is recommended for users
14 with existing prometheus services in their environment (and in cases where
15 Ceph is running in Kubernetes with Rook).
16 #. Skip the monitoring stack completely. Some Ceph dashboard graphs will
19 The monitoring stack consists of `Prometheus <https://prometheus.io/>`_,
20 Prometheus exporters (:ref:`mgr-prometheus`, `Node exporter
21 <https://prometheus.io/docs/guides/node-exporter/>`_), `Prometheus Alert
22 Manager <https://prometheus.io/docs/alerting/alertmanager/>`_ and `Grafana
23 <https://grafana.com/>`_.
27 Prometheus' security model presumes that untrusted users have access to the
28 Prometheus HTTP endpoint and logs. Untrusted users have access to all the
29 (meta)data Prometheus collects that is contained in the database, plus a
30 variety of operational and debugging information.
32 However, Prometheus' HTTP API is limited to read-only operations.
33 Configurations can *not* be changed using the API and secrets are not
34 exposed. Moreover, Prometheus has some built-in measures to mitigate the
35 impact of denial of service attacks.
37 Please see `Prometheus' Security model
38 <https://prometheus.io/docs/operating/security/>` for more detailed
41 Deploying monitoring with cephadm
42 ---------------------------------
44 The default behavior of ``cephadm`` is to deploy a basic monitoring stack. It
45 is however possible that you have a Ceph cluster without a monitoring stack,
46 and you would like to add a monitoring stack to it. (Here are some ways that
47 you might have come to have a Ceph cluster without a monitoring stack: You
48 might have passed the ``--skip-monitoring stack`` option to ``cephadm`` during
49 the installation of the cluster, or you might have converted an existing
50 cluster (which had no monitoring stack) to cephadm management.)
52 To set up monitoring on a Ceph cluster that has no monitoring, follow the
55 #. Deploy a node-exporter service on every node of the cluster. The node-exporter provides host-level metrics like CPU and memory utilization:
59 ceph orch apply node-exporter
61 #. Deploy alertmanager:
65 ceph orch apply alertmanager
67 #. Deploy Prometheus. A single Prometheus instance is sufficient, but
68 for high availablility (HA) you might want to deploy two:
72 ceph orch apply prometheus
78 ceph orch apply prometheus --placement 'count:2'
84 ceph orch apply grafana
86 .. _cephadm-monitoring-networks-ports:
91 All monitoring services can have the network and port they bind to configured with a yaml service specification
109 It is possible to install or upgrade monitoring components based on other
110 images. To do so, the name of the image to be used needs to be stored in the
111 configuration first. The following configuration options are available.
113 - ``container_image_prometheus``
114 - ``container_image_grafana``
115 - ``container_image_alertmanager``
116 - ``container_image_node_exporter``
118 Custom images can be set with the ``ceph config`` command
122 ceph config set mgr mgr/cephadm/<option_name> <value>
128 ceph config set mgr mgr/cephadm/container_image_prometheus prom/prometheus:v1.4.1
130 If there were already running monitoring stack daemon(s) of the type whose
131 image you've changed, you must redeploy the daemon(s) in order to have them
132 actually use the new image.
134 For example, if you had changed the prometheus image
138 ceph orch redeploy prometheus
143 By setting a custom image, the default value will be overridden (but not
144 overwritten). The default value changes when updates become available.
145 By setting a custom image, you will not be able to update the component
146 you have set the custom image for automatically. You will need to
147 manually update the configuration (image name and tag) to be able to
150 If you choose to go with the recommendations instead, you can reset the
151 custom image you have set before. After that, the default value will be
152 used again. Use ``ceph config rm`` to reset the configuration option
156 ceph config rm mgr mgr/cephadm/<option_name>
162 ceph config rm mgr mgr/cephadm/container_image_prometheus
164 .. _cephadm-overwrite-jinja2-templates:
166 Using custom configuration files
167 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
169 By overriding cephadm templates, it is possible to completely customize the
170 configuration files for monitoring services.
172 Internally, cephadm already uses `Jinja2
173 <https://jinja.palletsprojects.com/en/2.11.x/>`_ templates to generate the
174 configuration files for all monitoring components. To be able to customize the
175 configuration of Prometheus, Grafana or the Alertmanager it is possible to store
176 a Jinja2 template for each service that will be used for configuration
177 generation instead. This template will be evaluated every time a service of that
178 kind is deployed or reconfigured. That way, the custom configuration is
179 preserved and automatically applied on future deployments of these services.
183 The configuration of the custom template is also preserved when the default
184 configuration of cephadm changes. If the updated configuration is to be used,
185 the custom template needs to be migrated *manually* after each upgrade of Ceph.
190 The following templates for files that will be generated by cephadm can be
191 overridden. These are the names to be used when storing with ``ceph config-key
194 - ``services/alertmanager/alertmanager.yml``
195 - ``services/grafana/ceph-dashboard.yml``
196 - ``services/grafana/grafana.ini``
197 - ``services/prometheus/prometheus.yml``
199 You can look up the file templates that are currently used by cephadm in
200 ``src/pybind/mgr/cephadm/templates``:
202 - ``services/alertmanager/alertmanager.yml.j2``
203 - ``services/grafana/ceph-dashboard.yml.j2``
204 - ``services/grafana/grafana.ini.j2``
205 - ``services/prometheus/prometheus.yml.j2``
210 The following command applies a single line value:
214 ceph config-key set mgr/cephadm/<option_name> <value>
216 To set contents of files as template use the ``-i`` argument:
220 ceph config-key set mgr/cephadm/<option_name> -i $PWD/<filename>
224 When using files as input to ``config-key`` an absolute path to the file must
228 Then the configuration file for the service needs to be recreated.
229 This is done using `reconfig`. For more details see the following example.
236 # set the contents of ./prometheus.yml.j2 as template
237 ceph config-key set mgr/cephadm/services/prometheus/prometheus.yml \
238 -i $PWD/prometheus.yml.j2
240 # reconfig the prometheus service
241 ceph orch reconfig prometheus
243 Deploying monitoring without cephadm
244 ------------------------------------
246 If you have an existing prometheus monitoring infrastructure, or would like
247 to manage it yourself, you need to configure it to integrate with your Ceph
250 * Enable the prometheus module in the ceph-mgr daemon
254 ceph mgr module enable prometheus
256 By default, ceph-mgr presents prometheus metrics on port 9283 on each host
257 running a ceph-mgr daemon. Configure prometheus to scrape these.
259 * To enable the dashboard's prometheus-based alerting, see :ref:`dashboard-alerting`.
261 * To enable dashboard integration with Grafana, see :ref:`dashboard-grafana`.
266 To disable monitoring and remove the software that supports it, run the following commands:
268 .. code-block:: console
270 $ ceph orch rm grafana
271 $ ceph orch rm prometheus --force # this will delete metrics data collected so far
272 $ ceph orch rm node-exporter
273 $ ceph orch rm alertmanager
274 $ ceph mgr module disable prometheus
276 See also :ref:`orch-rm`.
278 Setting up RBD-Image monitoring
279 -------------------------------
281 Due to performance reasons, monitoring of RBD images is disabled by default. For more information please see
282 :ref:`prometheus-rbd-io-statistics`. If disabled, the overview and details dashboards will stay empty in Grafana
283 and the metrics will not be visible in Prometheus.
288 Manually setting the Grafana URL
289 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
291 Cephadm automatically configures Prometheus, Grafana, and Alertmanager in
292 all cases except one.
294 In a some setups, the Dashboard user's browser might not be able to access the
295 Grafana URL that is configured in Ceph Dashboard. This can happen when the
296 cluster and the accessing user are in different DNS zones.
298 If this is the case, you can use a configuration option for Ceph Dashboard
299 to set the URL that the user's browser will use to access Grafana. This
300 value will never be altered by cephadm. To set this configuration option,
301 issue the following command:
305 ceph dashboard set-grafana-frontend-api-url <grafana-server-api>
307 It might take a minute or two for services to be deployed. After the
308 services have been deployed, you should see something like this when you issue the command ``ceph orch ls``:
310 .. code-block:: console
313 NAME RUNNING REFRESHED IMAGE NAME IMAGE ID SPEC
314 alertmanager 1/1 6s ago docker.io/prom/alertmanager:latest 0881eb8f169f present
315 crash 2/2 6s ago docker.io/ceph/daemon-base:latest-master-devel mix present
316 grafana 1/1 0s ago docker.io/pcuzner/ceph-grafana-el8:latest f77afcf0bcf6 absent
317 node-exporter 2/2 6s ago docker.io/prom/node-exporter:latest e5a616e4b9cf present
318 prometheus 1/1 6s ago docker.io/prom/prometheus:latest e935122ab143 present
320 Configuring SSL/TLS for Grafana
321 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
323 ``cephadm`` deploys Grafana using the certificate defined in the ceph
324 key/value store. If no certificate is specified, ``cephadm`` generates a
325 self-signed certificate during the deployment of the Grafana service.
327 A custom certificate can be configured using the following commands:
331 ceph config-key set mgr/cephadm/grafana_key -i $PWD/key.pem
332 ceph config-key set mgr/cephadm/grafana_crt -i $PWD/certificate.pem
334 If you have already deployed Grafana, run ``reconfig`` on the service to
335 update its configuration:
339 ceph orch reconfig grafana
341 The ``reconfig`` command also sets the proper URL for Ceph Dashboard.
343 Setting the initial admin password
344 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
346 By default, Grafana will not create an initial
347 admin user. In order to create the admin user, please create a file
348 ``grafana.yaml`` with this content:
352 service_type: grafana
354 initial_admin_password: mypassword
356 Then apply this specification:
360 ceph orch apply -i grafana.yaml
361 ceph orch redeploy grafana
363 Grafana will now create an admin user called ``admin`` with the
367 Setting up Alertmanager
368 -----------------------
370 Adding Alertmanager webhooks
371 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
373 To add new webhooks to the Alertmanager configuration, add additional
374 webhook urls like so:
378 service_type: alertmanager
381 default_webhook_urls:
385 Where ``default_webhook_urls`` is a list of additional URLs that are
386 added to the default receivers' ``<webhook_configs>`` configuration.
388 Run ``reconfig`` on the service to update its configuration:
392 ceph orch reconfig alertmanager
397 * :ref:`mgr-prometheus`