You can improve the security of your PMM installation with:
To see which security features are enabled:
Tip You can gain an extra level of security by keeping PMM Server isolated from the internet, if possible.
You need valid SSL certificates to encrypt traffic between client and server.
With our Docker, OVF and AMI images, self-signed certificates are in
To use your own, you can either:
- mount the local certificate directory to the same location, or,
- copy your certificates to a running PMM Server container.
For example, if your own certificates are in
docker run -d -p 443:443 --volumes-from pmm-data \ --name pmm-server -v /etc/pmm-certs:/srv/nginx \ --restart always percona/pmm-server:2
The certificates must be owned by root. You can do this with:
sudo chown 0:0 /etc/pmm-certs/*
The mounted certificate directory (
/etc/pmm-certsin this example) must contain the files
For SSL encryption, the container must publish on port 443 instead of 80.
If PMM Server is running as a Docker image, use
docker cp to copy certificates. This example copies certificate files from the current working directory to a running PMM Server docker container.
docker cp certificate.crt pmm-server:/srv/nginx/certificate.crt docker cp certificate.key pmm-server:/srv/nginx/certificate.key docker cp ca-certs.pem pmm-server:/srv/nginx/ca-certs.pem docker cp dhparam.pem pmm-server:/srv/nginx/dhparam.pem
Enabling SSL when connecting PMM Client to PMM Server¶
pmm-admin config --server-url=https://<user>:<password>@<server IP>
Grafana HTTPS secure cookies¶
- Start a shell within the Docker container:
docker exec -it pmm-server bash
cookie_secureand set the value to
- Restart Grafana:
supervisorctl restart grafana
- Page updated 2021-03-19