This guide covers the installation and setup of Prometheus Node Exporter on a Linux system using systemd. Following these steps ensures that Node Exporter runs securely under a dedicated user account.
Create a system user for Node Exporter without a home directory and login shell:
useradd --no-create-home --shell /usr/sbin/nologin node_exporter
This ensures Node Exporter runs with minimal permissions.
Visit the Node Exporter GitHub releases page.
Download the latest stable release for Linux (.tar.gz archive).
Example using wget for version 1.9.1:
wget https://github.com/prometheus/node_exporter/releases/download/v1.9.1/node_exporter-1.9.1.linux-amd64.tar.gz
Extract the archive:
tar -xzf node_exporter-1.9.1.linux-amd64.tar.gz
Move the executable to /usr/local/bin:
mv node_exporter-1.9.1.linux-amd64/node_exporter /usr/local/bin/
Set ownership to the Node Exporter user:
chown node_exporter:node_exporter /usr/local/bin/node_exporter
Create a systemd service file:
vi /etc/systemd/system/node_exporter.service
Add the following content:
[Unit]
Description=Prometheus Node Exporter
After=network.target
[Service]
User=node_exporter
Group=node_exporter
Type=simple
ExecStart=/usr/local/bin/node_exporter
[Install]
WantedBy=multi-user.target
Reload systemd to recognize the new service, then enable and start it:
systemctl daemon-reload
systemctl enable --now node_exporter
Verify that Node Exporter is running:
systemctl status node_exporter
Node Exporter is now installed, running, and set to start automatically on boot. You can access metrics at http://<server-ip>:9100/metrics.
- Restrict access to metrics: Node Exporter exposes multiple sensitive server metrics. Ensure that port 9100 is not publicly accessible. Limit access to Prometheus servers or trusted IPs using a firewall (e.g., ufw, iptables, or security groups if on cloud).
- Clean up installation files: After installation, remove the downloaded archive and extracted folders to avoid unnecessary disk usage and clutter.
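The following is an added example for the "Restrict access to metrics" item, not part of the original guide: a small POSIX shell script that reads `ss -H -ltn` output to flag a port 9100 listener bound to every interface, and prints ufw rules for review instead of applying them. The function names, the sample socket listing, and the Prometheus server address 10.0.0.5 are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit exposure of the Node Exporter port and draft ufw rules.
PORT=9100

# Read `ss -H -ltn` output on stdin and print every listener on port $1
# that is bound to a wildcard address (reachable on all interfaces).
wildcard_listeners() {
  awk -v port="$1" '
    $1 == "LISTEN" {
      n = split($4, parts, ":")      # field 4 is local address:port
      if (parts[n] != port) next     # port is the text after the last colon
      addr = substr($4, 1, length($4) - length(parts[n]) - 1)
      if (addr == "*" || addr == "0.0.0.0" || addr == "[::]") print $4
    }'
}

# Print (do not run) ufw rules: allow each trusted source first, then deny
# everyone else. ufw applies the first matching rule, so the order matters.
ufw_rules() {
  port="$1"; shift
  for ip in "$@"; do
    printf 'ufw allow from %s to any port %s proto tcp\n' "$ip" "$port"
  done
  printf 'ufw deny %s/tcp\n' "$port"
}

# Constructed sample of `ss -H -ltn` output (not taken from a real host).
sample_ss() {
  cat <<'EOF'
LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
LISTEN 0      4096               *:9100             *:*
LISTEN 0      4096       127.0.0.1:9090       0.0.0.0:*
EOF
}

# Demo on the constructed sample. On a real host, replace sample_ss with:
#   ss -H -ltn | wildcard_listeners "$PORT"
echo "Wildcard listeners on port $PORT:"
sample_ss | wildcard_listeners "$PORT"
echo "Proposed rules (10.0.0.5 is a placeholder Prometheus server):"
ufw_rules "$PORT" 10.0.0.5
```

Review the printed rules before running them as root; if the default incoming policy is already deny, the final deny rule is redundant but harmless.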