Grafana connecting to raw.githubusercontent.com

Hello,

Why Grafana running on Docker is trying to talk to

raw.githubusercontent.com (185.199.110.133)

You should to provide reproducible example. There is many options:

  • dashboard(s) loads some assets (e.g. images) from github
  • plugin(s) can be installed from github directly

I’m also seeing unexpected traffic from grafana-server to 185.199.110.133

  • grafana-server 7.3.2 running on Ubuntu 20.04
  • sole data source is an instance of Prometheus running on the same machine
  • no plugins
  • auth.github, auth.gitlab both disabled

Are there other settings that I should be inspecting? Thanks.

Hi Marc,

This address also belongs to GitHub.

$ host 185.199.110.133
133.110.199.185.in-addr.arpa domain name pointer cdn-185-199-110-133.github.com.

With kind regards,
Andreas.

Thanks, Andreas, and agreed.

My question is why is grafana-server connecting to GitHub?

I have no plugins, have not configured github/gitlabs authentication, and am using a data source on the same machine on which grafana-server is running. It’s concerning from a security perspective.

I looked at the traffic using Wireshark. It’s HTTPS, so I didn’t learn much from the packet trace.

Best, Marc

Hi Marc.

This might be a silly suggestion, but let us reassure ourselves about it. You did turn off the corresponding settings in the “Analytics” section of the configuration, right?

May I also ask some more questions:

  • Does it already happen when just starting the Docker container? If so, does it happen once or recurringly?
  • Or does it happen when you access Grafana from your Browser or an API client? If so, which resources are you navigating to – or does it even happen on every request then?

Indeed, maybe something from this subsystem will access GitHub? The new dynamic plugin catalog is on by default since Grafana 8.2, see Grafana 8.2 released: Dynamic plugin catalog, new fine-grained access control permissions, and more | Grafana Labs.

You can try to investigate by toggling plugin_admin_enabled = false.

Other than that, I would like to second @jangaraj here: Providing a reproducible example, e.g. by sharing your Dockerfile and/or corresponding command line invocations will be tremendously helpful.

With kind regards,
Andreas.

Hi Andreas,

Not silly at all … in fact both check_for_updates and reporting_enabled were enabled! I’ve disabled them and will see whether that eliminates the traffic. I’ll report back and share the invocation if it doesn’t.

I’m running 7.3.2, which doesn’t appear to have the plugin_admin_enabled option.

Also, while the original poster was running Grafana in Docker, I am not. I’m running it directly on the Ubuntu host.

With gratitude for the assistance, Marc

1 Like

Dear Marc,

Investigations

A quick check of the code base reveals the spot where the update checker connects to raw.githubusercontent.com:

$ ag --go githubusercontent

pkg/services/updatechecker/grafana_update_checker.go
70:	resp, err := httpClient.Get("https://raw.githubusercontent.com/grafana/grafana/main/latest.json")
$ http https://raw.githubusercontent.com/grafana/grafana/main/latest.json

{
    "stable": "8.3.3",
    "testing": "8.3.3"
}

Thoughts

It might have checked at a different endpoint before, the inline documentation said https://grafana.net in previous releases and says https://grafana.com now. From the observations above, the documentation might need an update.

Conclusion

After disabling reporting_enabled, I believe that will be fine now.

With kind regards,
Andreas.

2 Likes

Hi Andreas,

After 36 hours of running with check_for_updates and reporting_enabled both disabled, I have not seen any traffic from grafana-server to GitHub.

7.3.2 apparently uses the same endpoint to check for updates as 8.3.3. A strings on the grafana-server executable returns the following.

https://raw.githubusercontent.com/grafana/grafana/master/latest.json

Thank you for your research and for pointing me to the solution … much appreciated!

1 Like