Update of grafana-image-renderer behind a firewall

[mjtrangoni]

What would you like to be added:

I would like to be able to update and manage the grafana-image-renderer plugin behind a firewall. Would it be possible for hosting this on grafana.com as the other plugins does?

See,

# grafana-cli plugins install grafana-image-renderer
installing grafana-image-renderer @ 1.0.10
from: https://grafana.com/api/plugins/grafana-image-renderer/versions/1.0.10/download
into: /var/lib/grafana/plugins

Error: ✗ Failed to download plugin archive: Failed to send request: Get https://github-production-release-asset-2e65be.s3.amazonaws.com/133923497/644bb580-5286-11ea-91fb-f8524720c9e4?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20200219%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20200219T162008Z&X-Amz-Expires=300&X-Amz-Signature=ebdf0c81979431c1920f768c6ef7b53d056b78f0c19a947551f54187f3afd43d&X-Amz-SignedHeaders=host&actor_id=0&response-content-disposition=attachment%3B%20filename%3Dplugin-linux-x64-glibc.zip&response-content-type=application%2Foctet-stream: read tcp XX.XX.XX.XX:56270->52.216.168.139:443: read: connection reset by peer

NAME:
   Grafana cli plugins install - install <plugin id> <plugin version (optional)>

USAGE:
   Grafana cli plugins install [arguments...]

# nslookup 52.216.168.139
139.168.216.52.in-addr.arpa name = s3-1-w.amazonaws.com.

Why is this needed:

Because this is the only plugin which is downloaded from outside of grafana.com.

See also this as reference. #60

[marefr]

@mjtrangoni have you tried multiple times? If you download from here from Grafana server (if possible) does that work?

Have you blocked amazonaws.com in your firewall?

[mjtrangoni]

Hi @marefr, Yes, I only have grafana.com whitelisted on the firewall side, which is enough for all the plugins I installed. Is it possible for you offering it behind grafana.com instead of the github CDN, in this case AWS?

[mjtrangoni]

@marefr any update on this?

[marefr]

No, cannot see we do anything in regards for this in a long time.

[mjtrangoni]

Hi @marefr, this is still an issue.

[marefr]

No, as I wrote last time: "cannot see we do anything in regards for this in a long time". All plugins on grafana.com are downloaded via GitHub.

[mjtrangoni]

My problem is, so that you see that, for example this is the update from grafana-piechart-panel @ 1.4.0 to grafana-piechart-panel @ 1.5.0 without problems,

# strace -f -e trace=network grafana-cli plugins install grafana-piechart-panel 2>&1 | grep sin_addr | grep -v 'inet_addr("10'
[pid 20497] connect(3, {sa_family=AF_INET, sin_port=htons(9), sin_addr=inet_addr("35.241.23.245")}, 16) = 0
[pid 20497] getpeername(3, {sa_family=AF_INET, sin_port=htons(9), sin_addr=inet_addr("35.241.23.245")}, [112->16]) = 0
[pid 20497] connect(3, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("35.241.23.245")}, 16) = -1 EINPROGRESS (Operation now in progress)
[pid 20499] getpeername(3, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("35.241.23.245")}, [112->16]) = 0
[pid 20497] connect(6, {sa_family=AF_INET, sin_port=htons(9), sin_addr=inet_addr("35.241.23.245")}, 16) = 0
[pid 20497] getpeername(6, {sa_family=AF_INET, sin_port=htons(9), sin_addr=inet_addr("35.241.23.245")}, [112->16]) = 0
[pid 20497] connect(6, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("35.241.23.245")}, 16) = -1 EINPROGRESS (Operation now in progress)
[pid 20494] getpeername(6, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("35.241.23.245")}, [112->16]) = 0
[pid 20497] connect(7, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("140.82.113.9")}, 16) = -1 EINPROGRESS (Operation now in progress)
[pid 20494] getpeername(7, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("140.82.113.9")}, [112->16]) = 0

and the case of the grafana-image-renderer without success,

# strace -f -e trace=network grafana-cli plugins install grafana-image-renderer 2>&1 | grep sin_addr | grep -v 'inet_addr("10'
[pid 20466] connect(3, {sa_family=AF_INET, sin_port=htons(9), sin_addr=inet_addr("35.241.23.245")}, 16) = 0
[pid 20466] getpeername(3, {sa_family=AF_INET, sin_port=htons(9), sin_addr=inet_addr("35.241.23.245")}, [112->16]) = 0
[pid 20466] connect(3, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("35.241.23.245")}, 16) = -1 EINPROGRESS (Operation now in progress)
[pid 20462] getpeername(3, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("35.241.23.245")}, [112->16]) = 0
[pid 20466] connect(6, {sa_family=AF_INET, sin_port=htons(9), sin_addr=inet_addr("35.241.23.245")}, 16) = 0
[pid 20466] getpeername(6, {sa_family=AF_INET, sin_port=htons(9), sin_addr=inet_addr("35.241.23.245")}, [112->16]) = 0
[pid 20466] connect(6, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("35.241.23.245")}, 16) = -1 EINPROGRESS (Operation now in progress)
[pid 20460] getpeername(6, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("35.241.23.245")}, [112->16]) = 0
[pid 20463] connect(7, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("140.82.118.3")}, 16) = -1 EINPROGRESS (Operation now in progress)
[pid 20460] getpeername(7, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("140.82.118.3")}, [112->16]) = 0
[pid 20466] connect(8, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("52.216.228.152")}, 16) = -1 EINPROGRESS (Operation now in progress)
[pid 20463] getpeername(8, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("52.216.228.152")}, [112->16]) = 0

And the difference is that the first downloads directly from github,

# nslookup 140.82.113.9
9.113.82.140.in-addr.arpa   name = lb-140-82-113-9-iad.github.com.

and the second from AWS`s S3,

# nslookup 52.216.228.152
152.228.216.52.in-addr.arpa name = s3-1-w.amazonaws.com.