Grafana Kiosk

A very useful feature of Grafana is the ability to display dashboards and playlists on a large TV.

This provides a utility to quickly standup a kiosk on devices like a Raspberry Pi or NUC.

The utitilty provides these options:

• Login
  • to a Grafana server (local account)
  • to a Grafana server with anonymous-mode enabled (same method used on play.grafana.org)
  • to a Grafana Cloud instance
  • to a Grafana server with OAuth enabled
  • to an AWS Managed Grafana instance (both with and without MFA)
• Switch to kiosk or kiosk-tv mode
• Display the default home page set for the user
• Display a specified dashboard
• Start a playlist immediately (inactive mode enable)
• Can specify where to start kiosk for multiple displays

Additionally, an initialize option is provided to configure LXDE for Raspberry Pi Desktop.

Installing on Linux

Download the zip or tar file from releases

The release file includes pre-built binaries. See table below for the types available.

Extract the zip or tar file, and copy the appropriate binary to /usr/bin/grafana-kiosk:

# sudo cp -p grafana-kiosk.linux.armv7 /usr/bin/grafana-kiosk
# sudo chmod 755 /usr/bin/grafana-kiosk

Dependencies/Suggestion Packages

This application can run on most operating systems, but for linux some additional binaries are suggested for full support.

Suggesting Packages:

unclutter (for hiding mouse/cursor) rng-tools (for entropy issues)

Usage

NOTE: Flags with parameters should use an "equals" -autofit=true -URL=https://play.grafana.org when used with any boolean flags.

  -URL string
      URL to Grafana server (default "https://play.grafana.org")
  -apikey string
      apikey
  -audience string
      idtoken audience
  -auto-login
      oauth_auto_login is enabled in grafana config
  -autofit
      Fit panels to screen (default true)
  -c string
      Path to configuration file (config.yaml)
  -field-password string
      Fieldname for the password (default "password")
  -field-username string
      Fieldname for the username (default "username")
  -ignore-certificate-errors
      Ignore SSL/TLS certificate error
  -keyfile string
      idtoken json credentials (default "key.json")
  -kiosk-mode string
      Kiosk Display Mode [full|tv|disabled]
        full = No TOPNAV and No SIDEBAR
        tv = No SIDEBAR
        disabled = omit option
        (default "full")
  -login-method string
      [anon|local|gcom|goauth|idtoken|apikey|aws] (default "anon")
  -lxde
      Initialize LXDE for kiosk mode
  -lxde-home string
      Path to home directory of LXDE user running X Server (default "/home/pi")
  -password string
      password (default "guest")
  -playlists
      URL is a playlist
  -username string
      username (default "guest")
  -use-mfa
      MFA is enabled for given account (default false)
  -window-position string
      Top Left Position of Kiosk (default "0,0")
  -window-size string
      Size of Kiosk in pixels (e.g. "1920,1080")

Using a configuration file

The kiosk can also be started using a configuration file, along with environment variables. When using this option, all other arguments passed are ignored.

general:
  kiosk-mode: full
  autofit: true
  lxde: true
  lxde-home: /home/pi

target:
  login-method: anon
  username: user
  password: changeme
  playlist: false
  URL: https://play.grafana.org
  ignore-certificate-errors: false

grafana-kiosk -c config.yaml

Environment variables can be set and will override the configuration file. They can also be used instead of a configuration file.

  KIOSK_AUTOFIT bool
      fit panels to screen (default "true")
  KIOSK_LXDE_ENABLED bool
      initialize LXDE for kiosk mode (default "false")
  KIOSK_LXDE_HOME string
      path to home directory of LXDE user running X Server (default "/home/pi")
  KIOSK_MODE string
      [full|tv|disabled] (default "full")
  KIOSK_WINDOW_POSITION string
      Top Left Position of Kiosk (default "0,0")
  KIOSK_WINDOW_SIZE string
      Size of Kiosk in pixels (e.g. "1920,1080")
  KIOSK_IGNORE_CERTIFICATE_ERRORS bool
      Ignore SSL/TLS certificate errors (default "false")
  KIOSK_IS_PLAYLIST bool
      URL is a playlist (default "false")
  KIOSK_LOGIN_METHOD string
      [anon|local|gcom|goauth|idtoken|apikey|aws] (default "anon")
  KIOSK_LOGIN_PASSWORD string
      password (default "guest")
  KIOSK_URL string
      URL to Grafana server (default "https://play.grafana.org")
  KIOSK_LOGIN_USER string
      username (default "guest")
  KIOSK_GOAUTH_AUTO_LOGIN bool
      [false|true]
  KIOSK_GOAUTH_FIELD_USER string
      Username html input name value
  KIOSK_GOAUTH_FIELD_PASSWORD string
      Password html input name value
  KIOSK_IDTOKEN_KEYFILE string
      JSON Credentials for idtoken (default "key.json")
  KIOSK_IDTOKEN_AUDIENCE string
      Audience for idtoken, tpyically your oauth client id
  KIOSK_APIKEY_APIKEY string
      APIKEY Generated in Grafana Server

Hosted Grafana using grafana.com authentication

This will login to a Hosted Grafana instance and take the browser to the default dashboard in fullscreen kiosk mode:

./bin/grafana-kiosk -URL=https://bkgann3.grafana.net -login-method=gcom -username=bkgann -password=abc123 -kiosk-mode=full

This will login to a Hosted Grafana instance and take the browser to a specific dashboard in tv kiosk mode:

./bin/grafana-kiosk -URL=https://bkgann3.grafana.net/dashboard/db/sensu-summary -login-method=gcom -username=bkgann -password=abc123 -kiosk-mode tv

This will login to a Hosted Grafana instance and take the browser to a playlist in fullscreen kiosk mode, and autofit the panels to fill the display.

./bin/grafana-kiosk -URL=https://bkgann3.grafana.net/playlists/play/1 -login-method=gcom -username=bkgann -password=abc123 -kiosk-mode=full -playlists -autofit=true

Grafana Server with Local Accounts

This will login to a grafana server that uses local accounts:

./bin/grafana-kiosk -URL=https://localhost:3000 -login-method=local -username=admin -password=admin -kiosk-mode=tv

If you are using a self-signed certificate, you can remove the certificate error with -ignore-certificate-errors

./bin/grafana-kiosk -URL=https://localhost:3000 -login-method=local -username=admin -password=admin -kiosk-mode=tv -ignore-certificate-errors

Grafana Server with Anonymous access enabled

This will take the browser to the default dashboard on play.grafana.org in fullscreen kiosk mode (no login needed):

./bin/grafana-kiosk -URL=https://play.grafana.org -login-method=anon -kiosk-mode=tv

This will take the browser to a playlist on play.grafana.org in fullscreen kiosk mode (no login needed):

./bin/grafana-kiosk -URL=https://play.grafana.org/playlists/play/1 -login-method=anon -kiosk-mode=tv

Grafana Server with Api Key

This will take the browser to the default dashboard on play.grafana.org in fullscreen kiosk mode:

./bin/grafana-kiosk -URL=https://play.grafana.org -login-method apikey --apikey "xxxxxxxxxxxxxxx" -kiosk-mode=tv

Grafana Server with Generic Oauth

This will login to a Generic Oauth service, configured on Grafana. Oauth_auto_login is disabeld. As Oauth provider is Keycloak used.

go run pkg/cmd/grafana-kiosk/main.go -URL=https://my.grafana.oauth/playlists/play/1  -login-method=goauth -username=test -password=test

This will login to a Generic Oauth service, configured on Grafana. Oauth_auto_login is disabeld. As Oauth provider is Keycloak used and also the login and password html input name is set.

go run pkg/cmd/grafana-kiosk/main.go -URL=https://my.grafana.oauth/playlists/play/1 -login-method=goauth -username=test -password=test -field-username=username -field-password=password

This will login to a Generic Oauth service, configured on Grafana. Oauth_auto_login is enabled. As Oauth provider is Keycloak used and also the login and password html input name is set.

go run pkg/cmd/grafana-kiosk/main.go -URL=https://my.grafana.oauth/playlists/play/1 -login-method=goauth -username=test -password=test -field-username=username -field-password=password -auto-login=true

Google Idtoken authentication

This allows you to log in through Google Identity Aware Proxy using a service account through injecting authorization headers with bearer tokens into each request. the idtoken library will generate new tokens as needed on expiry, allowing grafana kiosk mode without exposing a fully privileged google user on your kiosk device.

./bin/grafana-kiosk -URL=https://play.grafana.org/playlists/play/1 -login-method=idtoken -keyfile /tmp/foo.json -audience myoauthid.apps.googleusercontent.com

LXDE Options

The -lxde option initializes settings for the desktop.

Actions Performed:

• sets profile via lxpanel to LXDE
• sets pcmanfs profile to LXDE
• runs xset s off to disable screensaver
• runs xset -dpms to disable power-saving (prevents screen from turning off)
• runs xset s noblank disables blank mode for screensaver (maybe not needed)
• runs unclutter to hide the mouse

The -lxde-home option allows you to specify a different $HOME directory where the lxde configuration files can be found.

Automatic Startup

Session-based

LXDE can start the kiosk automatically by creating this file:

Create/edit the file: /home/pi/.config/lxsession/LXDE-pi/autostart

/usr/bin/grafana-kiosk -URL=https://bkgann3.grafana.net/dashboard/db/sensu-summary -login-method=gcom -username=bkgann -password=abc123 -kiosk-mode=full -lxde

Session with disconnected "screen"

Alternatively you can run grafana-kiosk under screen, which can very useful for debugging.

Create/edit the file: /home/pi/.config/lxsession/LXDE-pi/autostart

screen -d -m bash -c "/usr/bin/grafana-kiosk -URL=https://bkgann3.grafana.net/dashboard/db/sensu-summary -login-method=gcom -username=bkgann -password=abc123 -kiosk-mode=full -lxde"

Desktop Link

Create/edit the file: /home/pi/.config/autostart/grafana-kiosk.desktop

[Desktop Entry]
Type=Application
Exec=/usr/bin/grafana-kiosk -URL=https://bkgann3.grafana.net/dashboard/db/sensu-summary -login-method=gcom -username=bkgann -password=abc123 -kiosk-mode=full -lxde

Desktop Link with disconnected "screen"

[Desktop Entry]
Type=Application
Exec=screen -d -m bash -c /usr/bin/grafana-kiosk -URL=https://bkgann3.grafana.net/dashboard/db/sensu-summary -login-method=gcom -username=bkgann -password=abc123 -kiosk-mode=full -lxde

Systemd startup

# sudo touch /etc/systemd/system/grafana-kiosk.service
# sudo chmod 664 /etc/systemd/system/grafana-kiosk.service

[Unit]
Description=Grafana Kiosk
Documentation=https://github.com/grafana/grafana-kiosk
Documentation=https://grafana.com/blog/2019/05/02/grafana-tutorial-how-to-create-kiosks-to-display-dashboards-on-a-tv
After=network.target

[Service]
User=pi
Environment="DISPLAY=:0"
Environment="XAUTHORITY=/home/pi/.Xauthority"

# Disable screensaver and monitor standby
ExecStartPre=xset s off
ExecStartPre=xset -dpms
ExecStartPre=xset s noblank

ExecStart=/usr/bin/grafana-kiosk -URL=<url> -login-method=local -username=<username> -password=<password> -playlists=true

[Install]
WantedBy=graphical.target

Reload systemd:

# sudo systemctl daemon-reload

Enable, Start, Get Status, and logs:

# sudo systemctl enable grafana-kiosk
# sudo systemctl start grafana-kiosk
# sudo systemctl status grafana-kiosk

Logs:

journalctl -u grafana-kiosk

Troubleshooting

Timeout Launching

2020/08/24 10:18:41 Launching local login kiosk
panic: websocket url timeout reached

Often this is due to lack of entropy, for linux you would need to install rng-tools (or an equivalent).

apt install rng-tools

Building

A Magefile is provided for building the utility, you can install mage by following the instructions at https://magefile.org/

mage -v

This will generate executables in "bin" that can be run on a variety of platforms.

For full build and testing options use:

mage -l

TODO

• RHEL/CentOS auto-startup
• Everything in issues!

References

• TV and Kiosk Mode
• Grafana Playlists

Thanks to our Contributors

• Michael Pasqualone for the session-based startup ideas!
• Brendan Ball for contributing the desktop link startup example for LXDE!
• Alex Heylin for the v7 login fix - and also works with v6!
• Xan Manning for the ignore certificate option!
• David Stäheli for the OAuth implementation!
• Marcus Ramberg for the Google ID Token Auth implementation!
• Ronan Salmon for API token authentication!

Any many others!