Introduction

Grafana plugins are subject to security sandbox restrictions that control what operations plugins can perform. After a Grafana upgrade, stricter sandbox enforcement or plugin incompatibility can cause previously working plugins to fail loading. This breaks dashboards and data visualizations that depend on the affected plugin.

Symptoms

  • Grafana logs show Plugin not loaded or sandbox violation error after upgrade
  • Plugin does not appear in the plugin list in the Grafana UI
  • Dashboards using the plugin show Panel plugin not found error
  • Grafana server logs show failed to load plugin: sandbox policy violation
  • Error message: Plugin my-plugin requires elevated permissions that violate sandbox restrictions

Common Causes

  • Grafana upgrade introduced stricter plugin sandbox enforcement
  • Plugin version incompatible with the new Grafana version's plugin API
  • Plugin attempts to access restricted filesystem paths or network endpoints
  • Plugin signature verification fails after Grafana's signing requirements changed
  • allow_loading_unsigned_plugins configuration not set for custom plugins

Step-by-Step Fix

  1. 1.Check plugin loading errors in Grafana logs: Identify the specific violation.
  2. 2.```bash
  3. 3.journalctl -u grafana-server | grep -i "plugin|sandbox|signature" | tail -20
  4. 4.`
  5. 5.Verify plugin compatibility with the current Grafana version: Check the plugin manifest.
  6. 6.```bash
  7. 7.cat /var/lib/grafana/plugins/my-plugin/plugin.json | jq '.name, .info.version, .dependencies.grafanaDependency'
  8. 8.`
  9. 9.Allow unsigned plugins if using custom builds: Configure Grafana to load unsigned plugins.
  10. 10.```ini
  11. 11.# grafana.ini
  12. 12.[plugins]
  13. 13.allow_loading_unsigned_plugins = my-plugin,another-custom-plugin
  14. 14.`
  15. 15.Update the plugin to a version compatible with the current Grafana: Install the correct version.
  16. 16.```bash
  17. 17.grafana cli plugins update my-plugin
  18. 18.# Or install a specific version
  19. 19.grafana cli --pluginUrl https://example.com/my-plugin-2.1.0.zip plugins install my-plugin
  20. 20.`
  21. 21.Restart Grafana and verify plugin loads: Confirm the plugin is active.
  22. 22.```bash
  23. 23.systemctl restart grafana-server
  24. 24.grafana cli plugins ls | grep my-plugin
  25. 25.`

Prevention

  • Test plugin compatibility with new Grafana versions in a staging environment before upgrading
  • Pin plugin versions in deployment configurations to prevent unexpected updates
  • Monitor Grafana plugin loading status after every Grafana version upgrade
  • Use only officially signed plugins from the Grafana plugin catalog when possible
  • Document all custom plugins and their required allow_loading_unsigned_plugins entries
  • Set up automated plugin health checks that verify all expected plugins are loaded after upgrades