Tip
This is the documentation for the 20.10 version. Looking for the documentation of the latest version? Have a look here.
Prometheus Exporter¶
TNSR includes a Prometheus exporter which supports statistical data from the
dataplane (VPP) only. This data is typically fed into Grafana. When active,
the service listens for connections on TCP port 9482.
See also
Configuring Grafana and its supporting systems is outside the scope of this documentation. Consult its documentation for details.
Warning
The Prometheus service on TNSR does not perform authentication or encryption. Only transmit data across trusted network paths, and do not expose the service to untrusted networks.
Data exported by Prometheus may be sensitive in nature, so protect access to the service with appropriate standard ACLs or host ACLs depending on the namespace in which the service is running. Do not open access to the Prometheus port unilaterally.
Configuring Prometheus¶
- prometheus <namespace> enable
Enables the Prometheus Exporter service in either the
hostordataplanenamespace.Warning
Using the
hostnamespace is more secure as limits the exposure of the service to host OS management networks.After enabling the service, start it as described in Service Control.
- prometheus <namespace> disable
Disables the Prometheus Exporter service in the given namespace.
- prometheus <namespace> filter <regex> [<regex> […]]
Adds one or more regular expression filters which limit the data exposed by the service. For a list of items which can be filtered, query the service as described in Querying Prometheus Data.
- prometheus no <namespace> filter <regex>
Removes a filter.
Querying Prometheus Data¶
The URL for metrics is: http://<IP address>:9482/metrics
In the URL, <IP address> is an IP address on an interface in the appropriate
namespace. For example, if Prometheus is running in the host namespace, the
IP address would be from a host OS management interface on TNSR.
Note
This service is not meant to be queried by a web browser. Use a client
which understands Prometheus data, or a client such as curl which will
print the data returned by the service when testing.
Protecting Prometheus¶
As mentioned in the warning at the start of this section, the Prometheus service does not have its own encryption or authentication. As such, the primary ways to protect the service are:
- Isolate the service to the appropriate namespace
This is typically the
hostnamespace, but some TNSR configurations do not have host interfaces.- Protect the network paths carrying Prometheus data
Use a directly connected secure path, such as a local management network. If the data must be transmitted remotely, encrypt the path between Prometheus and the host collecting its data, for example, with an IPsec tunnel.
- Restrict access with ACLs
Limit access to the prometheus server on TCP port
9482using access lists. When running in thehostnamespace, use host ACLs and when running in thedataplanenamespace use standard ACLs.Note
The default set of host ACLs denies access to the service, but take care when crafting rules to only permit access from authorized hosts or networks.
This example host ACL permits access to the Prometheus service from one IPv4 host,
198.51.100.244:tnsr(config)# host acl prometheus tnsr(config-host-acl)# sequence 10 tnsr(config-host-acl)# rule 10 tnsr(config-host-acl-rule)# action permit tnsr(config-host-acl-rule)# description Allow Prometheus tnsr(config-host-acl-rule)# match ip protocol tcp tnsr(config-host-acl-rule)# match ip port destination 9482 tnsr(config-host-acl-rule)# match ip version 4 tnsr(config-host-acl-rule)# match ip address source 198.51.100.244/32 tnsr(config-host-acl-rule)# exit tnsr(config-host-acl)# exit tnsr(config)#