- What Grafana version and what operating system are you using?
Any version
- What are you trying to achieve?
I try to remove the ini file from the Grafana hosting environment for more security since the ini file contains some credentials in plain text.
- How are you trying to achieve it?
Thinking about deleting it after Grafana server startup
- What happened?
Not sure if Grafana would load the file again during runtime
- What did you expect to happen?
I expect the ini file is NOT used during runtime. And I did search the source code and tried to confirm it. It seems that the ini file is only loaded by pkg/setting.go during server startup, which matches my expectation, but I’d like to ask here to make sure my understanding is accurate.
You should find that the /etc/grafana/grafana.ini file is owned by root:grafana
with permissions rw-r-----
Therefore it is readable by the root user and any member of the grafana group
(which means the grafana user) only.
If you are concerned about sensitive information on your server being visible
to a user with root privileges then I suggest that you are giving root
privilege to the wrong sorts of people.
Antony.
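A check for the ownership and mode described in the reply above, together with a listing of which keys in an ini file hold plain-text credentials. This is an added example, not part of the original thread or of Grafana's code; the function names, the `SECRET_HINTS` patterns and the sample ini are assumptions constructed for illustration.

```python
import configparser
import grp
import os
import pwd
import stat

SECRET_HINTS = ("password", "secret", "token", "api_key")  # assumed key-name patterns

# Constructed sample, not a real configuration.
SAMPLE_INI = """\
app_mode = production
[database]
password = example-db-pass
[security]
admin_password = example-admin-pass
secret_key =
[smtp]
;password = commented-out
"""

def id_name(lookup, ident, attr):
    """Resolve a uid/gid to a name; fall back to the number if unmapped."""
    try:
        return getattr(lookup(ident), attr)
    except KeyError:
        return str(ident)

def audit_permissions(path, owner="root", group="grafana", max_mode=0o640):
    """Return findings where path deviates from owner:group or exceeds max_mode."""
    st = os.stat(path)
    findings = []
    actual = (id_name(pwd.getpwuid, st.st_uid, "pw_name"),
              id_name(grp.getgrgid, st.st_gid, "gr_name"))
    if actual != (owner, group):
        findings.append(f"ownership is {actual[0]}:{actual[1]}, expected {owner}:{group}")
    extra = stat.S_IMODE(st.st_mode) & ~max_mode
    if extra:
        findings.append(f"mode grants extra bits {extra:04o} beyond {max_mode:04o}")
    return findings

def plaintext_secrets(ini_text):
    """List 'section.key' for secret-looking keys that hold a literal value."""
    cp = configparser.RawConfigParser(strict=False)
    cp.read_string("[__top__]\n" + ini_text)  # keys may precede any section header
    return [f"{section}.{key}"
            for section in cp.sections()
            for key, value in cp.items(section)
            if value.strip("\"' ") and any(h in key for h in SECRET_HINTS)]

if __name__ == "__main__":
    print(plaintext_secrets(SAMPLE_INI))
    if os.path.exists("/etc/grafana/grafana.ini"):
        print(audit_permissions("/etc/grafana/grafana.ini") or "ownership and mode OK")
```

The default `max_mode=0o640` corresponds to the `rw-r-----` permissions quoted above; any extra bit, such as world-read, is reported as a finding.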
Hi @ad4gsupport,
That’s a terrible idea, don’t do it. I just moved the grafana.ini file from /etc/grafana/grafana.ini and restarted grafana, and now it won’t start… Here is the proof:
[root@monitoringserver grafana]# systemctl restart grafana-server.service
Job for grafana-server.service failed because the control process exited with error code.
See "systemctl status grafana-server.service" and "journalctl -xeu grafana-server.service" for details.
[root@monitoringserver grafana]#
[root@monitoringserver grafana]# ls -l /etc/grafana/
total 4
-rw-r-----. 1 root grafana 2594 Dec 2 22:24 ldap.toml
drwxr-xr-x. 1 root grafana 118 Dec 2 22:24 provisioning
[root@monitoringserver grafana]#
journalctl logs:
Feb 24 22:34:36 monitoringserver systemd[1]: Starting grafana-server.service - Grafana instance...
░░ Subject: A start job for unit grafana-server.service has begun execution
░░ Defined-By: systemd
░░ Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
░░
░░ A start job for unit grafana-server.service has begun execution.
░░
░░ The job identifier is 8676.
Feb 24 22:34:36 monitoringserver grafana-server[7472]: logger=settings t=2023-02-24T22:34:36.899993332+01:00 level=error msg="failed to parse \"/etc/grafana/grafana.ini\": open /etc/grafana/grafana.ini: no such file or directory"
Feb 24 22:34:36 monitoringserver systemd[1]: grafana-server.service: Main process exited, code=exited, status=1/FAILURE
░░ Subject: Unit process exited
░░ Defined-By: systemd
░░ Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
░░
░░ An ExecStart= process belonging to unit grafana-server.service has exited.
░░
░░ The process' exit code is 'exited' and its exit status is 1.
Tested on:
Grafana OSS 9.3.6.
Fedora 36
After moving grafana.ini file back to /etc/grafana/grafana.ini and restarting grafana-server.service everything works fine. But yes… you can remove that file and grafana will keep running (until first restart).
Best regards,
ldrascic
Use HashiCorp Vault (please note: it is an enterprise feature = “paid” feature) for better security. You wouldn’t need to save any credentials in the Grafana ini file.