Documentation

chronograf CLI

The chronograf command line interface (CLI) includes options to manage Chronograf security.

Usage

chronograf [flags]

Chronograf service flags

FlagDescriptionEnv. Variable
--hostIP the Chronograf service listens on. By default, 0.0.0.0$HOST
--portPort the Chronograf service listens on for insecure connections. By default, 8888$PORT
-b,--bolt-pathFile path to the BoltDB file. By default, ./chronograf-v1.db$BOLT_PATH
-c,--canned-pathFile path to the directory of canned dashboard files. By default, /usr/share/chronograf/canned$CANNED_PATH
--resources-pathPath to directory of canned dashboards, sources, Kapacitor connections, and organizations. By default, /usr/share/chronograf/resources$RESOURCES_PATH
-p, --basepathURL path prefix under which all Chronograf routes will be mounted.$BASE_PATH
--status-feed-urlURL of JSON feed to display as a news feed on the client status page. By default, https://www.influxdata.com/feed/json$STATUS_FEED_URL
-v, --versionDisplays the version of the Chronograf service
-h, --host-page-disabledDisables the hosts page$HOST_PAGE_DISABLED

InfluxDB connection flags

FlagDescriptionEnv. Variable
--influxdb-urlInfluxDB URL, including the protocol, IP address, and port$INFLUXDB_URL
--influxdb-usernameInfluxDB username$INFLUXDB_USERNAME
--influxdb-passwordInfluxDB password$INFLUXDB_PASSWORD
--influxdb-orgInfluxDB 2.x or InfluxDB Cloud organization name$INFLUXDB_ORG
--influxdb-tokenInfluxDB 2.x or InfluxDB Cloud authentication token$INFLUXDB_TOKEN

Kapacitor connection flags

FlagDescriptionEnv. Variable
--kapacitor-urlLocation of your Kapacitor instance, including http://, IP address, and port$KAPACITOR_URL
--kapacitor-usernameUsername for your Kapacitor instance$KAPACITOR_USERNAME
--kapacitor-passwordPassword for your Kapacitor instance$KAPACITOR_PASSWORD

TLS (Transport Layer Security) flags

FlagDescriptionEnv. Variable
--certFile path to PEM-encoded public key certificate$TLS_CERTIFICATE
--keyFile path to private key associated with given certificate$TLS_PRIVATE_KEY
--tls-ciphersComma-separated list of supported cipher suites. Use help to print available ciphers.$TLS_CIPHERS
--tls-min-versionMinimum version of the TLS protocol that will be negotiated. (default: 1.2)$TLS_MIN_VERSION
--tls-max-versionMaximum version of the TLS protocol that will be negotiated.$TLS_MAX_VERSION

Other service option flags

FlagDescriptionEnv. Variable
--custom-auto-refreshAdd custom auto-refresh options using semicolon separated list of label=milliseconds pairs`$CUSTOM-AUTO-REFRESH
--custom-linkAdd a custom link to Chronograf user menu options using <display_name>:<link_address> syntax. For multiple custom links, include multiple flags.
-d, --developRun the Chronograf service in developer mode
-h, --helpDisplay command line help for Chronograf
-l, --log-levelSet the logging level. Valid values include info (default), debug, and error$LOG_LEVEL
-r, --reporting-disabledDisable reporting of usage statistics. Usage statistics reported once every 24 hours include: OS, arch, version, cluster_id, and uptime.$REPORTING_DISABLED

Authentication option flags

General authentication flags

FlagDescriptionEnv. Variable
-t, --token-secretSecret for signing tokens$TOKEN_SECRET
--auth-durationTotal duration, in hours, of cookie life for authentication. Default value is 720h.$AUTH_DURATION
--public-urlPublic URL required to access Chronograf using a web browser. For example, if you access Chronograf using the default URL, the public URL value would be http://localhost:8888. Required for Google OAuth 2.0 authentication. Used for Auth0 and some generic OAuth 2.0 authentication providers.$PUBLIC_URL
—-htpasswdPath to password file for use with HTTP basic authentication. See NGINX documentation for more on password files.$HTPASSWD

GitHub-specific OAuth 2.0 authentication flags

FlagDescriptionEnv. Variable
--github-urlGithub base URL. Default is https://github.com. Required if using Github Enterprise$GH_URL
-i, --github-client-idGitHub client ID value for OAuth 2.0 support$GH_CLIENT_ID
-s, --github-client-secretGitHub client secret value for OAuth 2.0 support$GH_CLIENT_SECRET
-o, --github-organizationRestricts authorization to users from specified Github organizations. To add more than one organization, add multiple flags. Optional.$GH_ORGS

Google-specific OAuth 2.0 authentication flags

FlagDescriptionEnv. Variable
--google-client-idGoogle client ID value for OAuth 2.0 support$GOOGLE_CLIENT_ID
--google-client-secretGoogle client secret value for OAuth 2.0 support$GOOGLE_CLIENT_SECRET
--google-domainsRestricts authorization to users from specified Google email domain. To add more than one domain, add multiple flags. Optional.$GOOGLE_DOMAINS

Auth0-specific OAuth 2.0 authentication flags

FlagDescriptionEnv. Variable
--auth0-domainSubdomain of your Auth0 client. Available on the configuration page for your Auth0 client.$AUTH0_DOMAIN
--auth0-client-idAuth0 client ID value for OAuth 2.0 support$AUTH0_CLIENT_ID
--auth0-client-secretAuth0 client secret value for OAuth 2.0 support$AUTH0_CLIENT_SECRET
--auth0-organizationsRestricts authorization to users specified Auth0 organization. To add more than one organization, add multiple flags. Optional. Organizations are set using an organization key in the user’s app_metadata.$AUTH0_ORGS

Heroku-specific OAuth 2.0 authentication flags

FlagDescriptionEnv. Variable
--heroku-client-idHeroku client ID value for OAuth 2.0 support$HEROKU_CLIENT_ID
--heroku-secretHeroku secret for OAuth 2.0 support$HEROKU_SECRET
--heroku-organizationRestricts authorization to users from specified Heroku organization. To add more than one organization, add multiple flags. Optional.$HEROKU_ORGS

Generic OAuth 2.0 authentication flags

FlagDescriptionEnv. Variable
--generic-nameGeneric OAuth 2.0 name presented on the login page$GENERIC_NAME
--generic-client-idGeneric OAuth 2.0 client ID value. Can be used for a custom OAuth 2.0 service.$GENERIC_CLIENT_ID
--generic-client-secretGeneric OAuth 2.0 client secret value$GENERIC_CLIENT_SECRET
--generic-scopesScopes requested by provider of web client$GENERIC_SCOPES
--generic-domainsEmail domain required for user email addresses$GENERIC_DOMAINS
--generic-auth-urlAuthorization endpoint URL for the OAuth 2.0 provider$GENERIC_AUTH_URL
--generic-token-urlToken endpoint URL for the OAuth 2.0 provider$GENERIC_TOKEN_URL
--generic-api-urlURL that returns OpenID UserInfo-compatible information$GENERIC_API_URL
--oauth-no-pkceDisable OAuth PKCE$OAUTH_NO_PKCE

etcd flags

FlagDescriptionEnv. Variable
-e, --etcd-endpointsetcd endpoint URL (include multiple flags for multiple endpoints)$ETCD_ENDPOINTS
--etcd-usernameetcd username$ETCD_USERNAME
--etcd-passwordetcd password$ETCD_PASSWORD
--etcd-dial-timeoutTotal time to wait before timing out while connecting to etcd endpoints (0 means no timeout, default: -1s)$ETCD_DIAL_TIMEOUT
--etcd-request-timeoutTotal time to wait before timing out the etcd view or update (0 means no timeout, default: -1s)$ETCD_REQUEST_TIMEOUT
--etcd-certPath to PEM encoded TLS public key certificate for use with TLS$ETCD_CERTIFICATE
--etcd-keyPath to private key associated with given certificate for use with TLS$ETCD_PRIVATE_KEY
--etcd-root-caPath to root CA certificate for TLS verification`$ETCD-ROOT-CA

Was this page helpful?

Thank you for your feedback!


Linux Package Signing Key Rotation

All signed InfluxData Linux packages have been resigned with an updated key. If using Linux, you may need to update your package configuration to continue to download and verify InfluxData software packages.

For more information, see the Linux Package Signing Key Rotation blog post.

InfluxDB Cloud backed by InfluxDB IOx

All InfluxDB Cloud organizations created on or after January 31, 2023 are backed by the new InfluxDB IOx storage engine. Check the right column of your InfluxDB Cloud organization homepage to see which InfluxDB storage engine you’re using.

If powered by IOx, this is the correct documentation.

If powered by TSM, see the TSM-based InfluxDB Cloud documentation.

InfluxDB Cloud backed by InfluxDB TSM

All InfluxDB Cloud organizations created on or after January 31, 2023 are backed by the new InfluxDB IOx storage engine which enables nearly unlimited series cardinality and SQL query support. Check the right column of your InfluxDB Cloud organization homepage to see which InfluxDB storage engine you’re using.

If powered by TSM, this is the correct documentation.

If powered by IOx, see the IOx-based InfluxDB Cloud documentation.

State of the InfluxDB Cloud (IOx) documentation

The new documentation for InfluxDB Cloud backed by InfluxDB IOx is a work in progress. We are adding new information and content almost daily. Thank you for your patience!

If there is specific information you’re looking for, please submit a documentation issue.