Don’t Wait for Your Server to Crash Before Taking Action
Have you ever woken up at 3 AM to frantic calls from your boss because the website was down, only to realize the cause was simply… a full hard drive? Previously, when managing CentOS 8 servers, I often had to SSH into each one and constantly run top or df -h. This method was exhausting and highly inefficient.
After CentOS 8 reached its end-of-life, I migrated my entire system to CentOS Stream 9. This was also when I standardized my monitoring process with Node Exporter. This tool consumes only about 15-30MB of RAM but can collect over 500 different system metrics. With CentOS Stream 9, the biggest challenge isn’t the installation itself, but navigating through the “barriers” of SELinux and Firewalld to ensure data flows smoothly to Prometheus.
Step 1: Set Up the User and Download Node Exporter
For security reasons, never run Node Exporter with root privileges. I will create a dedicated system user without login permissions to isolate the service.
# Create a dedicated system user
sudo useradd --no-create-home --shell /bin/false node_exporter
Version 1.8.2 is currently very stable. You should check for the latest version on the Prometheus GitHub page instead of using old versions in default repositories to take advantage of new collectors.
# Download and extract the binary
cd /tmp
curl -LO https://github.com/prometheus/node_exporter/releases/download/v1.8.2/node_exporter-1.8.2.linux-amd64.tar.gz
tar -xvf node_exporter-1.8.2.linux-amd64.tar.gz
# Move to the executable directory and set permissions
sudo mv node_exporter-1.8.2.linux-amd64/node_exporter /usr/local/bin/
sudo chown node_exporter:node_exporter /usr/local/bin/node_exporter
Step 2: Manage with Systemd
To ensure the service starts automatically with the OS, we need a systemd unit file. Avoid using screen or nohup, as they make debugging difficult when issues arise.
sudo vi /etc/systemd/system/node_exporter.service
A minimalist and secure configuration file:
[Unit]
Description=Node Exporter
Wants=network-online.target
After=network-online.target
[Service]
User=node_exporter
Group=node_exporter
Type=simple
ExecStart=/usr/local/bin/node_exporter
Restart=always
[Install]
WantedBy=multi-user.target
Enable the service with three familiar commands:
sudo systemctl daemon-reload
sudo systemctl enable --now node_exporter
Step 3: Bypassing Firewalld and SELinux Barriers
This is the part that causes many headaches. The service might show as active, but Prometheus still reports it as Down (Context deadline exceeded).
Open Firewalld Ports
CentOS Stream 9 is very strict about ports. You need to open port 9100 so the Prometheus server can “knock on the door” to fetch data.
sudo firewall-cmd --permanent --add-port=9100/tcp
sudo firewall-cmd --reload
Handling SELinux
SELinux often prevents Node Exporter from reading sensitive files in /proc. Instead of disabling SELinux entirely (which is dangerous), label the executable file so the system trusts it.
# Label as bin_t so the service runs validly under systemd
sudo chcon -u system_u -r object_r -t bin_t /usr/local/bin/node_exporter
Step 4: Verify the Results
Try requesting the server to export its own data locally. If you see a long list of lines like node_memory_Active_bytes, you’re on the right track.
curl http://localhost:9100/metrics
Step 5: Connect to Prometheus and Set Up Grafana
In the prometheus.yml file on your monitoring server, add the new target. Note that setting the scrape_interval to about 15s ensures smooth graphs without overloading the CPU.
scrape_configs:
- job_name: 'centos-stream-9'
static_configs:
- targets: ['192.168.1.10:9100']
Finally, use Grafana Dashboard ID: 1860. This is the gold standard template, helping you monitor everything from network bandwidth to disk read/write speeds (Disk IO) in real-time.
Real-World Experience
- Filter junk data: If your server has dozens of virtual network interfaces (e.g., Docker veth), use the
--collector.network.device-excludeflag to clean up your Dashboard. - Security: If you aren’t using an internal VPN, limit the IP addresses allowed to access port 9100 in Firewalld. Don’t expose your hardware information to the internet; tools like Shodan will scan and find your server within minutes.
Installing Node Exporter isn’t difficult. However, configuring it for security and optimizing metrics is what truly matters. I hope this guide helps keep your system running under full control.

