Monitoring stack with VeilNet
Prerequisites
- Docker and Docker Compose installed
- VeilNet registration token
- Access to VeilNet Guardian service
- Sufficient disk space for metrics storage
Overview
This guide shows you how to deploy Grafana and Prometheus, a powerful monitoring and visualization stack, with VeilNet for secure remote access. Prometheus collects metrics, and Grafana provides beautiful dashboards for visualization.
With VeilNet, you can securely access your monitoring dashboards from anywhere without exposing them to the public internet.
Step 1: Create Docker Compose Configuration
Create a docker-compose.yml file with the following configuration:
services:
  veilnet-conflux:
    container_name: veilnet-conflux
    restart: unless-stopped
    env_file:
      - .env
    image: veilnet/conflux:beta
    pull_policy: always
    cap_add:
      - NET_ADMIN
    devices:
      - /dev/net/tun
    network_mode: host
  prometheus:
    image: prom/prometheus:latest
    container_name: prometheus
    restart: unless-stopped
    volumes:
      - prometheus:/prometheus
      - ./prometheus.yml:/etc/prometheus/prometheus.yml:ro
    command:
      - '--config.file=/etc/prometheus/prometheus.yml'
      - '--storage.tsdb.path=/prometheus'
      - '--web.console.libraries=/etc/prometheus/console_libraries'
      - '--web.console.templates=/etc/prometheus/consoles'
    network_mode: "container:veilnet-conflux"
    depends_on:
      - veilnet-conflux
  grafana:
    image: grafana/grafana:latest
    container_name: grafana
    restart: unless-stopped
    volumes:
      - grafana:/var/lib/grafana
    environment:
      - GF_SECURITY_ADMIN_USER=admin
      - GF_SECURITY_ADMIN_PASSWORD=<GRAFANA_ADMIN_PASSWORD>
      - GF_USERS_ALLOW_SIGN_UP=false
    network_mode: "container:veilnet-conflux"
    depends_on:
      - veilnet-conflux
      - prometheus
volumes:
  prometheus:
    driver: local
    driver_opts:
      type: none
      o: bind
      device: ./prometheus
  grafana:
    driver: local
    driver_opts:
      type: none
      o: bind
      device: ./grafana
Step 2: Create Prometheus Configuration
Create a prometheus.yml file in the same directory:
global:
  scrape_interval: 15s
  evaluation_interval: 15s
scrape_configs:
  - job_name: 'prometheus'
    static_configs:
      - targets: ['localhost:9090']
Step 3: Create Environment File
Create a .env file in the same directory as your docker-compose.yml with the following variables:
VEILNET_REGISTRATION_TOKEN=<YOUR_REGISTRATION_TOKEN>
VEILNET_GUARDIAN=<YOUR_GUARDIAN_URL>
VEILNET_PORTAL=true
VEILNET_CONFLUX_TAG=<YOUR_CONFLUX_TAG>
VEILNET_CONFLUX_CIDR=<VEILNET_CIDR>
Replace the placeholders:
- <YOUR_REGISTRATION_TOKEN>: Your VeilNet registration token (obtained from the VeilNet portal)
- <YOUR_GUARDIAN_URL>: The URL of your VeilNet Guardian service (e.g., https://guardian.veilnet.app)
- <YOUR_CONFLUX_TAG>: A tag to identify this Conflux instance (e.g., monitoring-server)
- <VEILNET_CIDR>: Any IP address (e.g., 10.128.0.5/16) in CIDR format that belongs to the realm subnet (e.g., 10.128.0.0/16)
- <GRAFANA_ADMIN_PASSWORD>: Strong password for the Grafana admin user (this placeholder is in docker-compose.yml from Step 1, not in .env)
Step 4: Create Data Directories
Create the directories for persistent data storage:
mkdir -p prometheus grafana
These directories will store:
- prometheus: Prometheus metrics database
- grafana: Grafana dashboards, datasources, and user data
Step 5: Deploy the Stack
Start all services:
docker-compose up -d
This will:
- Pull the Prometheus, Grafana, and VeilNet Conflux images
- Start all containers
- Create persistent volumes for data storage
- Automatically restart containers if they stop
Step 6: Verify Deployment
Check that all containers are running:
docker-compose ps
View the VeilNet Conflux logs to verify it's connecting:
docker logs veilnet-conflux -f
You should see logs indicating successful registration and connection to the VeilNet network.
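Prometheus and Grafana run in the network namespace of veilnet-conflux, which uses network_mode: host, and by default both listen on all interfaces, so it is worth checking which host addresses ports 9090 and 3000 are bound to. The script below is an added example, not part of the original guide: the function name wildcard_listeners is hypothetical and the sample ss output is constructed.

```shell
#!/bin/sh
# Added example: flag monitoring ports that listen on a wildcard address.
# Input on stdin is the output of `ss -Hltn` (listening TCP sockets, numeric, no header).

# wildcard_listeners PORTS   (hypothetical helper name)
#   PORTS is a comma-separated list, e.g. "9090,3000".
#   Prints the watched ports bound to 0.0.0.0, [::] or * as one space-separated line.
wildcard_listeners() {
    awk -v ports="$1" '
        BEGIN {
            n = split(ports, p, ",")
            for (i = 1; i <= n; i++) watch[p[i]] = 1
        }
        $1 == "LISTEN" {
            port = $4; sub(/.*:/, "", port)        # text after the last colon
            addr = $4; sub(/:[0-9]+$/, "", addr)   # text before the port
            if ((port in watch) && (addr == "0.0.0.0" || addr == "[::]" || addr == "*"))
                print port
        }
    ' | sort -un | tr '\n' ' ' | sed 's/ $//'
}

# Constructed sample of `ss -Hltn` output (not captured from a real host).
SAMPLE_SS='LISTEN 0 4096 0.0.0.0:9090 0.0.0.0:*
LISTEN 0 4096 *:3000 *:*
LISTEN 0 128 127.0.0.1:631 0.0.0.0:*
LISTEN 0 4096 10.128.0.5:9100 0.0.0.0:*'

exposed=$(printf '%s\n' "$SAMPLE_SS" | wildcard_listeners 9090,3000)
if [ -n "$exposed" ]; then
    echo "listening on all interfaces: $exposed"
else
    echo "no watched port is bound to a wildcard address"
fi

# On the Docker host, feed it live data instead:
#   ss -Hltn | wildcard_listeners 9090,3000
```

A port reported here is reachable on every interface of the host, not only the VeilNet one. Restrict it with a host firewall rule, or bind the service to a specific address (Prometheus --web.listen-address, Grafana GF_SERVER_HTTP_ADDR).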
Step 7: Initial Configuration
Local Access
- Prometheus: Open http://localhost:9090 to access the Prometheus UI
- Grafana: Open http://localhost:3000 and log in with:
  - Username: admin
  - Password: The password you set in the environment variable
Configure Grafana Data Source
- Log in to Grafana (locally or via VeilNet IP)
- Go to Configuration → Data Sources → Add data source
- Select "Prometheus"
- Set the URL to http://localhost:9090 (since containers share the network namespace)
- Click "Save & Test"
Remote Access via VeilNet
- Find your host's VeilNet IP address:
ip addr show veilnet
Or check the VeilNet portal to see your assigned IP address.
- Access the services from anywhere using:
  - Prometheus: http://<veilnet-ip>:9090 (e.g., http://10.128.0.5:9090)
  - Grafana: http://<veilnet-ip>:3000 (e.g., http://10.128.0.5:3000)
Step 8: Access Your Monitoring Stack
Local Access
Once the services are running, you can access them locally:
- Prometheus UI: http://localhost:9090
- Grafana: http://localhost:3000
Remote Access via VeilNet
With VeilNet configured, you can access your monitoring stack remotely from anywhere in the world using the host's VeilNet IP address, as long as your device is also connected to the same VeilNet realm.
Access the services using:
- Prometheus UI: http://<veilnet-ip>:9090 (e.g., http://10.128.0.5:9090)
- Grafana: http://<veilnet-ip>:3000 (e.g., http://10.128.0.5:3000)
Step 9: Create Your First Dashboard
- Log in to Grafana (locally or via VeilNet IP)
- Go to Dashboards → New Dashboard
- Add a panel and select Prometheus as the data source
- Create queries to visualize your metrics
- Save the dashboard
You can also import pre-built dashboards from the Grafana dashboard library.
Updating Services
To update to newer versions:
docker-compose pull
docker-compose up -d
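This will pull the latest images and restart the containers with updated versions. Because the compose file uses the floating tags latest and beta, each update takes whatever was most recently published under those tags; pin specific version tags in docker-compose.yml if you need to control which release is deployed.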
Stopping and Removing
To stop all services:
docker-compose down
To remove containers and volumes (this will delete all data):
docker-compose down -v
Warning: Removing volumes will delete all Prometheus metrics and Grafana dashboards. Make sure to export important dashboards before removing volumes.
FAQ
How do I add more targets to Prometheus?
Edit the prometheus.yml file and add more scrape configs. For example, to monitor a Node Exporter on another host:
scrape_configs:
  - job_name: 'node-exporter'
    static_configs:
      - targets: ['<veilnet-ip>:9100']
Can I monitor services on other hosts?
Yes! As long as the other hosts are connected to VeilNet, you can configure Prometheus to scrape metrics from them using their VeilNet IP addresses. This allows you to monitor your entire infrastructure securely. Since Prometheus and Grafana share the network namespace with veilnet-conflux, they can also use the VeilNet TUN device for optimal network performance.
How do I set up alerts?
Configure alerting rules in Prometheus and set up Alertmanager. You can also configure Grafana alerting for visual alerts in dashboards.
Can I use Grafana Cloud with this setup?
You can use Grafana Cloud as a remote data source, but with VeilNet, you have secure access to your self-hosted Grafana instance from anywhere, so you may not need Grafana Cloud.
How much storage do I need?
Prometheus storage depends on your retention period and scrape interval. Plan for at least 10-50 GB for a small to medium deployment. Adjust retention in Prometheus configuration if needed.
Why use NET_ADMIN capability instead of privileged mode?
The NET_ADMIN capability provides only the necessary permissions for VeilNet to create and manage network interfaces, without granting full privileged access. This is more secure while still allowing VeilNet to function properly.
