[PART 2] Automated WebApp Provisioning and Secure Monitoring

Mon, 10 Mar 2025 07:13:02 +0000

Blog ini merupakan kelanjutan dari bagian sebelumnya. Jika belum membacanya, bisa cek disini.

Langkah Implementasi

Instalasi dan Konfigurasi Tools Prometheus.

Note : Lakukan langkah dibawah ini di monitoring node.

Download dan ekstrak file Prometheus.

~$ sudo su -
~# cd /opt
/opt# wget
https://github.com/prometheus/prometheus/releases/download/v2.48.1/prometheus-2.48.1.linux-amd64.tar.gz
/opt# tar xvfz prometheus-2.48.1.linux-amd64.tar.gz

Menambahkan file konfigurasi untuk Prometheus.

/opt# cd prometheus-2.48.1. linux-amd64
/opt/prometheus-2.48.1. linux-amd64# vim config.yml

---
global:
  scrape_interval:     10s
  evaluation_interval: 15s

scrape_configs:
  - job_name: 'node'
    scrape_interval:  5s
    static_configs:
    - targets: ['192.168.4.10:9100','192.168.4.20:9100','192.168.4.30:9100']

  - job_name: 'nginx'
    static_configs:
    - targets: ['192.168.4.20:9113']

  - job_name: 'cadvisor'
    static_configs:
    - targets: ['192.168.4.30:8080']

  - job_name: 'docker'
    static_configs:
    - targets: ['192.168.4.30:9323']

alerting:
  alertmanagers:
  - static_configs:
    - targets:
      - 192.168.4.10:9093

rule_files:
  - "rules/container.yml"
  - "rules/node.yml"
  - "rules/web-server.yml"

Membuat SSL Key dan Certificate Signing Request.

/opt/prometheus-2.48.1.linux-amd64# sudo openssl genrsa -out /opt/prometheus-2.48.1.linux-amd64/prometheus.key 2048
/opt/prometheus-2.48.1.linux-amd64# sudo openssl req -new -key /opt/prometheus-2.48.1.linux-amd64/prometheus.key -out /opt/prometheus-2.48.1.linux-amd64/prometheus.csr

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.

Country Name (2 letter code) [AU]:ID
State or Province Name (full name) [Some-State]: South Kalimantan
Locality Name (eg, city) []:Banjarbaru
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Membuat SSL Self-Signed Certificate.

/opt/prometheus-2.48.1.linux-amd64# openssl x509 -req -days 365 -signkey prometheus.key -in prometheus.csr -out prometheus.crt -extfile <(echo "subjectAltName=IP:192.168.4.10" )

Certificate request self-signature ok
subject=C = ID, ST = South Kalimantan, L = Banjarbaru, O = Internet Widgits Pty Ltd

Instalasi paket yang dibutuhkan untuk basic authentication.

~# sudo apt-get update && sudo apt install apache2-utils -y

Membuat password untuk basic authentication.

~# htpasswd -nBC 12 "" | tr -d ':\n'
New password: <inputYourPassword>
Re-type new password: <inputYourPassword>

$2y$12$<saltAndHash>

Menambahkan konfigurasi untuk web agar SSL dan basic authentication diterapkan.

/opt/prometheus-2.48.1. linux-amd64# vim web.yml
basic_auth_users:
rifkyards: $2y$12$<saltAndHash>
tls_server_config:
    cert_file: /opt/prometheus-2.48.1.linux-amd64/prometheus.crt
    key_file: /opt/prometheus-2.48.1.linux-amd64/prometheus.key

Menambahkan rules untuk mengirimkan alert node yang mati ke Alert Manager.

/opt/prometheus-2.48.1.linux-amd64# vim rules/node.yml

# Add this lines
groups:
  - name: NodeStatus
    rules:
      - alert: "NodeMonitoringDown"
        expr: up{instance="192.168.4.10:9100"} == 0
        for: 5m
        labels:
          severity: critical
          instance: "{{ $labels.instance }}"
          alertname: "NodeMonitoringDown"
        annotations:
          title: "{{ $labels.instance }} is down"
          description: "The server with IP {{ $labels.instance }} has been down for more than 5 minutes."

      - alert: "NodeClient1Down"
        expr: up{instance="192.168.4.10:9100"} == 0
        for: 5m
        labels:
          severity: critical
          instance: "{{ $labels.instance }}"
          alertname: NodeClient1Down
        annotations:
          title: "{{ $labels.name }} is down"
          description: "The server with IP {{ $labels.instance }} has been down for more than 5 minutes."

      - alert: "NodeClient2Down"
        expr: up{instance="192.168.4.30:9100"} == 0
        for: 5m
        labels:
          severity: critical
          instance: "{{ $labels.instance }}"
          alertname: NodeClient2Down
        annotations:
          title: "{{ $labels.instance }} is down"
          description: "The server with IP {{ $labels.instance }} has been down for more than 5 minutes."

Menambahkan rules untuk mengirimkan alert Nginx Server yang mati ke Alert Manager.

/opt/prometheus-2.48.1.linux-amd64# vim rules/web-server.yml

# Add this lines
groups:
  - name: WebNginxStatus
    rules:
      - alert: NginxDown
        expr: nginx_up{instance="192.168.4.20:9113", job="nginx"} == 0
        for: 5m
        labels:
          severity: critical
          instance: "{{ $labels.instance }}"
          alertname: NginxDown
        annotations:
          title: "{{ $labels.name }} is down"
          description: "The {{ $labels.job }} server on {{ $labels.instance }} has been down for more than 5 minutes."

Menambahkan rules untuk mengirimkan alert container yang mati ke Alert Manager.

/opt/prometheus-2.48.1.linux-amd64# vim rules/container.yml

# Add this lines
groups:
  - name: containerMonitoring
    rules:
      - alert: "Container2048Down"
        expr: absent(container_start_time_seconds{name="2048-apps",instance="192.168.4.30:8080"})
        for: 5m
        labels:
          severity: critical
          instance: "{{ $labels.instance }}"
          alertname: Container2048Down
        annotations:
          title: "{{ $labels.name }} is down"
          description: "The {{ $labels.name }} container on {{ $labels.instance }} has been down for more than 5 minutes."

      - alert: "ContainerTicTacToeDown"
        expr: absent(container_start_time_seconds{name="tic-tac-toe-apps",instance="192.168.4.30:8080"})
        for: 5m
        labels:
          severity: critical
          instance: "{{ $labels.instance }}"
          alertname: ContainerTicTacToeDown
        annotations:
          title: "{{ $labels.name }} is down"
          description: "The {{ $labels.name }} container on {{ $labels.instance }} has been down for more than 5 minutes."

      - alert: "GeneralContainerDown"
        expr: time() - container_last_seen{instance="192.168.4.30:8080", image!="", name!~"2048-apps|tic-tac-toe-apps|cadvisor"} > 220
        for: 20s
        labels:
          severity: critical
          instance: "{{ $labels.instance }}"
          alertname: GeneralContainerDown
          resolved: 'false'
        annotations:
          title: "{{ $labels.name }} is down"
          description: "A container {{ $labels.name }} on {{ $labels.instance }} has been down for more than 5 minutes."

Menambahkan konfigurasi untuk Prometheus berjalan di SystemD.

~# vim /etc/systemd/system/prometheus_server.service

# Add this lines
[Unit]
Description=Prometheus Server

[Service]
User=root
ExecStart=/opt/prometheus-2.48.1.linux-amd64/prometheus --config.file=/opt/prometheus-2.48.1.linux-amd64/config.yml --web.config.file=/opt/prometheus-2.48.1.linux-amd64/web.yml --web.external-url=https://192.168.4.10:9090/

[Install]
WantedBy=default.target

Menjalankan perintah agar SystemD Prometheus berjalan.

~# systemctl daemon-reload
~# systemctl start prometheus_server
~# systemctl enable prometheus_server

Instalasi dan Konfigurasi Tools Alert Manager.

Note : Lakukan langkah dibawah ini di monitoring node.

[PART 1] Automated WebApp Provisioning and Secure Monitoring

Mon, 10 Mar 2025 03:13:02 +0000

Dalam lingkungan TI modern, banyak organisasi menghadapi tantangan dalam mengelola kombinasi aplikasi berbasis SystemD dan container. Kesulitan ini dapat menyebabkan kurangnya visibilitas terhadap performa sistem, meningkatkan risiko downtime yang tidak terdeteksi, dan menyulitkan tim dalam merespons masalah dengan cepat.

Untuk mengatasi tantangan ini, pendekatan yang umum diterapkan adalah menetapkan satu server sebagai pusat monitoring dan kontrol otomatisasi. Server ini berperan dalam mengintegrasikan berbagai alat seperti Terraform untuk otomatisasi pembuatan infrastruktur berbasis container, serta Ansible untuk mengelola konfigurasi sistem, termasuk pengumpulan metrik dan pengelolaan aplikasi berbasis SystemD.

Terraform on Rifky Ardiansyah

[PART 2] Automated WebApp Provisioning and Secure Monitoring

Langkah Implementasi

Instalasi dan Konfigurasi Tools Prometheus.

Instalasi dan Konfigurasi Tools Alert Manager.

[PART 1] Automated WebApp Provisioning and Secure Monitoring