Real-time EC2 Host Monitoring System with CI/CD
A Dockerized FastAPI-based monitoring system that runs inside a container but monitors the entire EC2 host machine.
- Full Host Monitoring: CPU, memory, disk usage of the EC2 host (not just the container)
- Process Monitoring: View all running processes on the host with ability to terminate them
- Docker Monitoring: Monitor Docker containers, images, and disk usage in real-time
- Jenkins Integration: View CI/CD build status, health score, and deployment history
- Code Quality Analysis: SonarQube integration for code quality, security vulnerabilities, and technical debt
- Container Security Scanning: Trivy integration for CVE detection in Docker images
- Real-time Updates: WebSocket-based live updates every 5 seconds
- Historical Metrics: Stored in MySQL for tracking trends
- Alert System: Automatic alerts when CPU or memory exceed thresholds
- Admin-Only Access: JWT-based authentication for single admin user
- Modern Dashboard: Responsive web UI with Chart.js visualizations
- CI/CD Pipeline: Automated deployments with Jenkins including health checks and rollback
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β EC2 Host β
β ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ β
β β Docker Network β β
β β β β
β β βββββββββββββ βββββββββββββ βββββββββββββ βββββββββββββ β β
β β β Frontend β β Backend β β MySQL β β Worker β β β
β β β (Nginx) β β (FastAPI) β β β β (Alerts) β β β
β β β :80 β β :8000 β β :3306 β β β β β
β β βββββββ¬ββββββ βββββββ¬ββββββ βββββββ¬ββββββ βββββββ¬ββββββ β β
β β β β β β β β
β β β pid:host β β β β
β β β privileged β β β β
β β ββββββββββββββββ΄βββββββββββββββ΄βββββββββββββββ β β
β β β β
β β βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ β β
β β β Jenkins (CI/CD) :8080 β β β
β β β βββββββββββββββββββββββββββββββββββββββββββββββββββββββββ β β β
β β β β Automated Deployment Pipeline: β β β β
β β β β β’ GitHub webhook triggers build β β β β
β β β β β’ SonarQube code quality analysis β β β β
β β β β β’ Trivy container security scanning β β β β
β β β β β’ Build Docker images β β β β
β β β β β’ Deploy with zero downtime β β β β
β β β β β’ Health checks & auto rollback β β β β
β β β βββββββββββββββββββββββββββββββββββββββββββββββββββββββββ β β β
β β βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ β β
β β β β
β β ββββββββββββββββββ ββββββββββββββββ Trivy CLI Tool β β
β β β SonarQube β β PostgreSQL β (Security Scanner) β β
β β β :9000 β β :5432 β β β
β β ββββββββββββββββββ ββββββββββββββββ β β
β β β β
β ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ β
β β β
β βββββββββββββββββββββββββββββββββββ΄βββββββββββββββββββββββββββββββββββ β
β β Host System β β
β β /proc βββββββββββββββββββΊβ β β
β β /sys βββββββββββββββββββΊβ (mounted read-only into backend) β β
β β / βββββββββββββββββββΊβ β β
β ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ β
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
The web dashboard includes the following monitoring pages:
| Page | Description | Key Metrics |
|---|---|---|
| Overview | System metrics & alerts | CPU, Memory, Disk usage with real-time graphs |
| Processes | Running processes | PID, Name, CPU%, Memory%, Status, Kill action |
| Docker | Container & image monitoring | Containers (5), Images (5), Disk usage, Jenkins build status |
Docker Monitoring Features:
- Docker Status Card: Shows running containers, total images, disk usage breakdown
- Jenkins Build Card: Displays latest build number, status, duration, and health score
- Images Table: Lists all Docker images with size, repository, tag, and age
- Containers Table: Shows all containers with status, ports, and image information
InfraSentinel includes a production-ready CI/CD pipeline using Jenkins for automated deployments.
β
Automated Deployments - Push to GitHub β Auto-deploy to EC2
β
Zero Downtime - Rolling updates without service interruption
β
Code Quality Analysis - SonarQube scans for bugs, vulnerabilities, code smells
β
Security Scanning - Trivy scans Docker images for CVEs
β
Health Checks - Validates deployment before completing
β
Auto Rollback - Reverts to previous version on failure
β
Database Backups - Automatic backup before each deployment
β
Docker Network Fix - Ensures proper container connectivity
The Jenkinsfile defines 11 automated stages:
- Checkout - Pull latest code from GitHub
- Check CI Skip - Skip build if commit message contains [ci skip]
- Validate - Check configuration files and Dockerfiles
- Install Trivy - Install and update Trivy vulnerability scanner
- SonarQube Analysis - Code quality and security analysis
- Backup - Backup database and docker-compose.yml
- Build Images - Build backend, frontend, worker containers
- Security Scan with Trivy - Scan images for HIGH/CRITICAL CVEs
- Stop Services - Gracefully stop old containers
- Deploy - Start new containers with network connectivity
- Health Check - Verify backend health and all services running
- Cleanup - Remove old images and excess backups
InfraSentinel includes SonarQube 10.4 for continuous code quality and security analysis.
What SonarQube Analyzes:
- π Bugs - Code that is demonstrably wrong
- π Vulnerabilities - Security issues (OWASP Top 10, CWE)
- π₯ Security Hotspots - Code requiring security review
- π§Ή Code Smells - Maintainability issues
- π Coverage - Test coverage metrics
- π Duplications - Code duplication detection
- πΈ Technical Debt - Time to fix all issues
Access SonarQube:
- URL:
http://YOUR_EC2_IP:9000 - Default credentials:
admin/admin(change on first login) - Dashboard:
/dashboard?id=infrasentinel
Configuration Files:
sonar-project.properties- Project configuration- Integrated into Jenkins pipeline stage 5
Trivy is an open-source vulnerability scanner for containers.
What Trivy Scans:
- π¦ CVEs - Known vulnerabilities in packages
- π Misconfigurations - IaC security issues
- π Secrets - Exposed credentials in images
- π Licenses - Software license compliance
Scan Reports:
- Generated during Jenkins pipeline (stage 8)
- Saves reports to
trivy-reports/directory - Scans: Backend, Frontend, Worker images
- Filter: HIGH and CRITICAL severity only
Manual Scan:
# Scan specific image
trivy image infrasentinel-backend:latest
# Scan for secrets
trivy fs --scanners secret .
# Generate JSON report
trivy image --format json -o report.json YOUR_IMAGEPipeline Behavior:
- Displays vulnerability summary in console
- Saves detailed reports for review
β οΈ Currently logs warnings for CRITICAL CVEs- Can be configured to fail pipeline (uncomment exit 1)
| Method | Endpoint | Description |
|---|---|---|
| POST | /api/auth/login |
Login and get JWT token |
| Method | Endpoint | Description |
|---|---|---|
| GET | /api/metrics/current |
Current CPU, memory, disk |
| GET | /api/metrics/history |
Historical metrics |
| GET | /api/metrics/cpu/detailed |
Detailed CPU info |
| GET | /api/metrics/memory/detailed |
Detailed memory info |
| GET | /api/metrics/disk/detailed |
Detailed disk info |
| GET | /api/metrics/alerts |
System alerts |
| Method | Endpoint | Description |
|---|---|---|
| GET | /api/processes |
Top processes list |
| GET | /api/processes/top-cpu |
Top CPU consumers |
| GET | /api/processes/top-memory |
Top memory consumers |
| GET | /api/processes/{pid} |
Specific process info |
| POST | /api/processes/kill/{pid} |
Terminate a process |
| Method | Endpoint | Description |
|---|---|---|
| GET | /api/docker/images |
List all Docker images |
| GET | /api/docker/containers |
List all Docker containers |
| GET | /api/docker/info |
Docker system info & disk usage |
| GET | /api/docker/jenkins |
Jenkins build status & health |
| Endpoint | Description |
|---|---|
ws://host/ws?token=JWT |
Real-time metrics & processes |
The backend container runs with special privileges to monitor the host:
backend:
pid: host # Share host PID namespace
privileged: true # Full host access
volumes:
- /proc:/host/proc:ro
- /sys:/host/sys:ro
- /:/host/root:ro
- /var/run/docker.sock:/var/run/docker.sock # Docker monitoringWhy these settings?
pid: host- Shows all host processes, not just container processesprivileged: true- Allows reading system metrics from /proc and /sys/proc,/sys,/mounts - Access to host filesystem for metrics- Docker socket mount - Enables monitoring of Docker containers and images
- β Change all default passwords (admin, MySQL, Jenkins)
- β Use strong SECRET_KEY in .env
- β Restrict SSH (port 22) to your IP only
- β Restrict Jenkins (port 8080) to your IP or GitHub webhook IPs
- β Never expose MySQL port 3306 or backend port 8000 publicly
- β Frontend (port 80) can be public for monitoring dashboard
| Type | Port | Source | Purpose |
|---|---|---|---|
| SSH | 22 | Your IP | Remote access |
| HTTP | 80 | 0.0.0.0/0 | Dashboard |
| Custom TCP | 8080 | Your IP | Jenkins UI |
| Custom TCP | 8080 | 140.82.112.0/20 | GitHub webhooks |
| Custom TCP | 8080 | 143.55.64.0/20 | GitHub webhooks |
| Custom TCP | 9000 | Your IP | SonarQube Dashboard |
For complete security setup instructions, see docs/AWS_DEPLOYMENT.md.
InfraSentinel/
βββ docker-compose.yml # Multi-container orchestration
βββ .env # Environment variables (create from .env.example)
βββ .env.example # Example configuration
βββ Jenkinsfile # CI/CD pipeline definition
βββ deploy.sh # Manual deployment script
βββ README.md # This file
βββ AWS_DEPLOYMENT.md # Complete AWS EC2 deployment guide
βββ WINDOWS_GUIDE.md # Windows development guide
βββ backend/ # FastAPI backend service
β βββ Dockerfile
β βββ requirements.txt
β βββ app/
β βββ main.py # FastAPI application entry
β βββ config.py # Configuration management
β βββ database.py # SQLAlchemy setup
β βββ models.py # Database models
β βββ schemas.py # Pydantic schemas
β βββ auth.py # JWT authentication
β βββ routes/
β β βββ __init__.py
β β βββ auth.py # Login endpoint
β β βββ metrics.py # Metrics endpoints
β β βββ processes.py # Process management
β β βββ docker.py # Docker & Jenkins monitoring
β βββ services/
β β βββ __init__.py
β β βββ metrics_collector.py # Collects host metrics
β β βββ process_monitor.py # Monitors host processes
β β βββ docker_monitor.py # Docker & Jenkins monitoring
β βββ websocket/
β βββ __init__.py
β βββ manager.py # WebSocket connection manager
βββ frontend/ # Nginx + static frontend
β βββ Dockerfile
β βββ nginx.conf
β βββ static/
β βββ index.html # Main dashboard
β βββ login.html # Login page
β βββ css/
β β βββ style.css # Dashboard styling
β βββ js/
β βββ auth.js # Authentication logic
β βββ app.js # Dashboard logic + WebSocket
βββ worker/ # Background alert worker
β βββ Dockerfile
β βββ requirements.txt
β βββ worker.py # Alert checking loop
βββ jenkins/ # Jenkins CI/CD configuration
β βββ casc.yaml # Configuration as Code
β βββ plugins.txt # Required Jenkins plugins
β βββ setup.sh # Setup script
β βββ README.md # Jenkins documentation
βββ db/ # Database initialization
β βββ init.sql # Schema + default admin user
βββ docs/ # Documentation
β βββ AWS_DEPLOYMENT.md # Full AWS EC2 deployment guide
β βββ AWS_EC2_QUICKSTART.md # Quick start for AWS with SonarQube/Trivy
β βββ SONARQUBE_TRIVY_GUIDE.md # Security & quality tools setup
β βββ JENKINS_GUIDE.md # Jenkins configuration
β βββ WINDOWS_GUIDE.md # Windows development guide
βββ sonar-project.properties # SonarQube project configuration
- Quick Start: docs/AWS_EC2_QUICKSTART.md - Fast deployment with all tools
- Full Guide: docs/AWS_DEPLOYMENT.md - Comprehensive step-by-step instructions
- Security Tools: docs/SONARQUBE_TRIVY_GUIDE.md - SonarQube & Trivy setup
- Windows: docs/WINDOWS_GUIDE.md - Windows setup with WSL2
- Jenkins Setup: docs/JENKINS_GUIDE.md - CI/CD pipeline configuration
- Metrics collected every 5 seconds
- Only top 20 processes displayed (configurable)
- Process list is real-time only (not stored)
- Historical metrics stored in MySQL
- WebSocket for efficient real-time updates
| Service | RAM Usage | Notes |
|---|---|---|
| Backend | ~150MB | FastAPI + metrics collection |
| Worker | ~120MB | Alert checking |
| MySQL | ~400MB | Persistent data storage |
| Frontend | ~30MB | Nginx static file server |
| Jenkins | ~500MB | CI/CD automation |
| SonarQube | ~1.5GB | Code quality analysis |
| PostgreSQL | ~200MB | SonarQube database |
| Total (Full Stack) | ~2.9GB | All services + security tools |
| Without SonarQube | ~1.2GB | Core monitoring + Jenkins |
| Core Only | ~700MB | Without CI/CD tools |
EC2 Instance Recommendations:
- Testing/Core only: t2.micro (1GB RAM) - no CI/CD
- Development: t3.small (2GB RAM) - with Jenkins, no SonarQube
- Production/Full Stack: t3.medium (4GB RAM) - with Jenkins + SonarQube + Trivy
Storage Requirements:
- Minimum: 20 GB
- Recommended: 30 GB (with room for Docker images and build artifacts)
MIT License - see LICENSE file for details.