Set up image rendering on Grafana Labs

Troubleshoot image rendering

Fri, 03 Apr 2026 12:35:46 -0500

Troubleshooting

This section answers common questions about troubleshooting the image renderer. The guidance is helpful for self-managed Grafana users. It isn’t particularly useful for Grafana Cloud users, as the image renderer is managed for you.

Available configuration options

To see all available options, run:

docker run --rm grafana/grafana-image-renderer:latest server --help

Much of the service’s functionality has configurable options. When troubleshooting the image renderer, these options are often the first ones to change.

The rest of this guide clarifies what these options are and do, so you can make the right experiments and changes.

Configuration file formats and paths

The service reads configuration files from its current working directory. With Docker images, this is /home/nonroot/ by default.

The file names must be one of config.json, config.yaml, or config.yml.

Monitor the image renderer

You can monitor the service using Prometheus or Grafana Mimir for metrics and any OpenTelemetry-compatible tracing backend for traces, such as Grafana Tempo. We recommend setting up both:

Point the metrics scraper to /metrics on the HTTP port (default :8081).
Point the service (--tracing.endpoint) to the tracing backend.

For a pre-built monitoring dashboard, refer to this example dashboard.

Change the HTTP server bind address

Use the --server.addr option to change the HTTP server bind address.

If no specific address is given, it listens on all interfaces. The syntax to only change the port is :8081 or any other port number.

Use multiple authentication tokens

Specify the option multiple times, for example: --server.auth-token <token1> --server.auth-token <token2>.

If you use JSON or YAML, you can use a list:

server:
  auth-token:
    - <token1>
    - <token2>

For environment variables, use a comma-separated list.

Change the logging level

Use the --log.level option to change the log level.

Valid values are debug, info, warn, and error. debug is very verbose. Production deployments should usually use info or warn.

Set up TLS on the HTTP server

You can serve the HTTP server over TLS (HTTPS) using the following options:

--server.certificate-file: Path to the TLS certificate file in PEM format.
--server.key-file: Path to the TLS private key file in PEM format. This must be the matching key for the given certificate file.
--server.min-tls-version: Minimum TLS version to accept. Valid values are 1.0, 1.1, 1.2 (default), and 1.3. The default value is sufficient for most security-conscious users.

Mutual TLS (mTLS) isn’t supported at this time.

Set up mTLS with the tracing backend

You can set up mTLS for the connection to the tracing backend using the following options:

--tracing.trusted-certificate: Path to the trusted CA certificate file in PEM format. This is used to verify the tracing backend’s certificate.
--tracing.client-certificate: Path to the client certificate file in PEM format. This is used to authenticate to the tracing backend.
--tracing.client-key: Path to the client private key file in PEM format. This must be the matching key for the given client certificate file.

Use a custom browser binary

Use the --browser.path option to set the browser binary.

The browser must support the Chrome DevTools Protocol, which limits the choices somewhat. This works fine with Chromium, Google Chrome, Microsoft Edge, Brave, and other similar browsers based on Chromium.

Only Chromium is officially supported. If a bug can’t be replicated with Chromium, the bug may not be prioritized or closed without a fix.

Use GPU acceleration

Enable GPU acceleration in the browser using the --browser.gpu option.

On some environments, such as Docker, Kubernetes, or other container and VM runtimes, you may need further configuration to pass the GPU through to the service.

Enable custom flags in the browser

Pass flags to the browser using the --browser.flag option.

The format is --${flag}=${value} or --${flag}, with the -- prefix being required. The parser splits each browser flag based on them.

For example, --browser.flag=--headless=false --host-resolver-rules=MAP * 127.0.0.1, EXCLUDE grafana --no-sandbox enables headful mode, forces the browser to resolve all network requests to 127.0.0.1 with exception of the grafana host, and disables sandbox mode.

Enable the browser sandbox

Enable the sandbox using the --browser.sandbox option.

On some Linux distributions, in Docker, Kubernetes, OpenShift, and other container and VM setups, this may not work out of the box. You may need to enable various virtualization features, seccomp profiles, AppArmor profiles, Linux capabilities, and more.

Use Linux namespaces for request isolation

Caution
Although there is an option to enable Linux namespaces, the functionality is unsupported. Proceed at your own risk, and ensure the option is disabled before reporting bugs.

To use new Linux namespaces for each rendering request, isolating the entire browser from the service and other requests, use the --browser.namespaced option.

This functionality requires Linux and various capabilities and AppArmor profiles to be set up.

Change the default browser time zone

Note
Every request can override this in the request query parameters.

To change the default time zone, set the --browser.timezone option to an IANA time zone name. For example, America/Los_Angeles or Europe/Berlin.

Many containers automatically set a TZ environment variable. This is used by default.

Add a header to every request from the browser

Note
Depending on the target website’s CORS settings, this may break all requests.

You can set a new header with --browser.header <name>=<value>. This header is added to every request made by the browser.

Pass through a trace header to every request from the browser

This is enabled by default if tracing is set up. Outgoing requests receive a Traceparent header.

If the incoming request to the service has a Traceparent header, that value is used. Otherwise, a new trace is started for every request.

Understand incomplete outputs and request timeouts

The browser waits for the web page to become ready. This is done by waiting for all of the following to complete or time out:

Scrolls all the web-ports (that is, to load the entire page).
- After every scroll, the browser waits the duration declared by the --browser.scroll-wait option, 50 milliseconds by default.
The browser waits the duration declared by the --browser.readiness.prior-wait option, 1 second by default.
The entire following sequence times out after the duration declared by the --browser.readiness.timeout option, 30 seconds by default:
- The sequence is repeated per duration declared by the --browser.readiness.interval option, 100 milliseconds by default.
- The browser waits for all Grafana queries to complete, unless the --browser.readiness.disable-query-wait option is enabled. This functionality requires Scenes to be enabled. If Scenes aren’t enabled, the check is skipped silently.
  - If the queries don’t complete within the duration declared by the --browser.readiness.give-up-on-all-queries option, the check is silently skipped. By default, this timeout is disabled.
  - If there is no first query detected within the duration declared by the --browser.readiness.give-up-on-first-query option, the check is silently skipped. By default, this timeout is 3 seconds.
  - If the --browser.readiness.wait-for-n-query-cycles is set to a value greater than 1, the service waits for N full query cycles to succeed before proceeding. Each query cycle is separated by the duration as declared by the --browser.readiness.interval option. If any query timeout passes during these cycles, the check is silently skipped.
- The browser waits for all network requests to complete, unless the --browser.readiness.disable-network-wait option is enabled.
  - If the network requests don’t complete within the duration declared by the --browser.readiness.network-idle-timeout option, the check is silently skipped. By default, this timeout is disabled.
- The browser waits for the web page’s layout to stabilise, meaning no more data changes. This can be disabled through the --browser.readiness.disable-dom-hashcode-wait option.
  - If the web page doesn’t stabilise within the duration declared by the --browser.readiness.dom-hashcode-timeout option, the check is silently skipped. By default, this timeout is disabled.

The service eats up all the memory in the container

Set the GOMEMLIMIT environment variable to a lower value than the container’s memory limit, such as 1GiB. The value shouldn’t be the same as the container’s memory limit, because Chromium needs free memory to serve requests.

We recommend adding 1 GiB to this environment variable for every 8 GiB of memory assigned to the container’s memory limit.

Unsupported CPU architectures

For unsupported CPU architectures, you can open an issue on GitHub.

Alternatively, compile the service yourself, following the instructions in the GitHub repository.

Use the image renderer service in an air-gapped environment

An air-gapped environment is one that doesn’t have access to the public internet, and may have requirements such as not supporting Docker.

Grafana Enterprise customers can receive more help with this from customer support.

With Docker

Before you begin, ensure you have the following:

A way to transfer data into the environment, such as a USB stick, SD card, external hard-drive, or similar.
Docker on the air-gapped environment.
Docker on an internet-connected environment.

To export a TAR file of the image, run:

docker image save -o grafana-image-renderer.tar grafana/grafana-image-renderer:latest

If you’re using a different CPU architecture than the air-gapped environment, you may need to specify --platform when saving the image. For example, if you have an air-gapped x86_64 (amd64) machine, use --platform linux/amd64.

Next, transfer the file to the machine.

Finally, import the image on the air-gapped environment:

docker image load grafana-image-renderer.tar

Without Docker

Before you begin, ensure you have the following:

A way to transfer data into the environment, such as a USB stick, SD card, external hard-drive, or similar.

We release binary files for Linux and Windows on our GitHub Releases page. Download the appropriate binary for your system, and transfer it to the machine.

You will also need to install a Chromium-based browser separately.

Use Docker without Grafana being dockerised

You can use host networking instead, or the binary releases.

Use the image renderer service on Windows without Docker

You can download the Windows binaries from the GitHub Releases page. For example, to use the image renderer service with the Brave browser on an ARM64 Windows host, run:

.\grafana-image-renderer-windows-arm64.exe server --browser.path "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe"

The browser must be installed separately and be a Chromium-based browser.

Custom CA certificates in Chromium

Identifying that the CA certificate is the problem is done by checking for net::ERR_CERT_AUTHORITY_INVALID errors in the service’s logs. Finding these errors may require enabling debug logging via the --log.level debug option.

Non-containerized Linux

For non-containerized Linux, you need nss tools (libnss3-tools on Debian). You will also need to know the $HOME directory of the user running the service, which can be found via running either eval echo ~<username> (for example: eval echo ~grafana) or getent passwd <username> (for example: getent passwd grafana). Run the following for that user:

certutil -d sql:"$HOME"/.pki/nssdb -A -n internal-root-ca -t C -i /path/to/internal-root-ca-here.crt.pem

You might also need other tooling. The error message will likely indicate what is missing from your environment.

Non-containerized Windows

For non-containerized, you need to do the same as on Linux, but to your global store:

certutil –addstore "Root" <path>/internal-root-ca-here.crt.pem

Container

The easiest way is to integrate the CA certificate directly into your own Docker image, based on the official one:

# Consider using a pinned version.
FROM grafana/grafana-image-renderer:latest

# Elevate our permissions to access system resources.
USER root

RUN mkdir -p /usr/local/share/ca-certificates/
# Convert from .pem to .crt
RUN openssl x509 -inform PEM -in rootCA.pem -out /usr/local/share/ca-certificates/rootCA.crt

# Regenerate the CA certificates in the container.
RUN update-ca-certificates --fresh

# Reassume the nonroot user for the service execution.
USER nonroot
# Note: for Kubernetes, OpenShift, and other setups, this may need a numeric ID. See the upstream Dockerfile for which UID to use.

# Some CA certificates also need to explicitly be included in the user's network security services database.
RUN mkdir -p /home/nonroot/.pki/nssdb
RUN certutil -d sql:/home/nonroot/.pki/nssdb -A -n internal-root-ca -t C -i /usr/local/share/ca-certificates/rootCA.crt

Distorted panels in the PDF export

This is most commonly caused by using the old PDF rendering engine in Grafana. To identify whether this applies to you, check whether the newPDFRendering feature flag has been explicitly set to false in Grafana’s configuration.

To solve this problem, remove the feature toggle override.

Debug the configuration

Note
The command recommended here prints secrets and sensitive information in plain text. Be careful when sharing the output or storing it in logs.

When the service doesn’t appear to be working as expected, it can be because the configuration is invalid. If the flags are invalid, the service won’t start, but the configuration files may contain unknown keys and thus silently ignore them.

To debug that the configuration is valid and what you expect, you can get a full dump of the Go structures representing the configuration by running the print-config command. For example:

docker run --rm -v ./config.json:/home/nonroot/config.json grafana/grafana-image-renderer:latest print-config

The command takes the exact same flags and configuration files as the server command does.

Limiting accessible domains

It is possible to limit which domains the browser can access by using Chrome policies. To limit this, mount a Chrome policy JSON file into /etc/chromium/policies/managed/, with contents such as:

{
  "URLBlocklist": ["*"],
  "URLAllowlist": ["https://*", "chrome://*"]
}

Image rendering flags

Fri, 03 Apr 2026 12:35:46 -0500

Image rendering flags

This section aims to list the entire set of flags that can be used to configure the image rendering service.

Configuration format

To configure the service, any of the following methods can be used:

Set CLI flags. These are passed in on the command line, and take complete precedence over all other methods. For example, --server.addr=":8081" sets the HTTP address to listen on all interfaces on port 8081.
Set environment variables. These are set in the environment. If environment variables are supported for a flag, they are listed in the help command.
Write a JSON or YAML configuration file. These must be named config.json, config.yaml, or config.yml. There should only be one file; precedence is undefined if multiple files are present. Dot-separated keys are nested keys. For example, the flag a.b becomes {"a": {"b": "VALUE"}} in the file. The configuration keys are always mentioned in the help command alongside the flag.

For example, a complete configuration file might look like this in YAML:

server:
  addr: ":8081" # server.addr
  auth-token: # server.auth-token
    - "a"
    - "b"

List of flags

The following is a complete list of all flags that are currently supported in the latest release. This is a verbatim copy of the output of the grafana-image-renderer server --help command.

--api.default-encoding=<string> [default: "pdf"] [${API_DEFAULT_ENCODING}]
    The default encoding for render requests when not specified. (values: pdf, png) [config: api.default-encoding]
--api.silence-request-log-path=<string> [${API_SILENCE_REQUEST_LOG_PATH}]
    Allows silencing the HTTP request logs for a certain path. It requires a direct match. Multiple values can be passed separated by comma or multiple flags. Examples: '/healthz', '/render/version'. [config: api.silence-request-log-path]
--browser.flag=<string> / --browser.flags=<string> [${BROWSER_FLAGS}, ${BROWSER_FLAG}]
    Flags to pass to the browser. These are syntaxed `--${flag}` or `--${flag}=${value}`. Note the required `--` prefix for each flag. [config: browser.flag]
--browser.force-polling-mode [default: false] [${BROWSER_FORCE_POLLING_MODE}]
    Forces the renderer to poll for scenes' query running count variable to detect when rendering is done, rather than use an event-based approach even when that is available. [config: browser.force-polling-mode]
--browser.gpu [default: false] [${BROWSER_GPU}]
    Enable GPU support in the browser. [config: browser.gpu]
--browser.header=<string> / --browser.headers=<string> [${BROWSER_HEADER}]
    Headers to add to every request the browser makes. Syntax is `${key}=${value}`. May be repeated. [config: browser.header]
--browser.max-height=<int> [default: 3000] [${BROWSER_MAX_HEIGHT}]
    The maximum height of the browser viewport. Requests cannot request a larger height than this, except for when capturing full-page screenshots. Negative means ignored. [config: browser.max-height]
--browser.max-width=<int> [default: 3000] [${BROWSER_MAX_WIDTH}]
    The maximum width of the browser viewport. Requests cannot request a larger width than this. Negative means ignored. [config: browser.max-width]
--browser.min-height=<int> [default: 500] [${BROWSER_MIN_HEIGHT}]
    The minimum height of the browser viewport. This is the default height in requests. [config: browser.min-height]
--browser.min-width=<int> [default: 1000] [${BROWSER_MIN_WIDTH}]
    The minimum width of the browser viewport. This is the default width in requests. [config: browser.min-width]
--browser.namespaced [default: false] [${BROWSER_NAMESPACED}]
    Enable namespacing the browser. This requires Linux and the CAP_SYS_ADMIN and CAP_SYS_CHROOT capabilities, or a privileged user. [config: browser.namespaced]
--browser.override=<string> / --browser.overrides=<string> [${BROWSER_OVERRIDE}]
    URL pattern override in format: 'pattern=--flag=value --flag2=value2'. Pattern is a regex. May be repeated. Example: --browser.override='^https://slow\.example\.com/.*=--browser.readiness.timeout=60s' [config: browser.override]
--browser.page-scale-factor=<float> [default: 1] [${BROWSER_PAGE_SCALE_FACTOR}]
    The page scale factor of the browser. [config: browser.page-scale-factor]
--browser.path=<string> [default: "chromium"] [${BROWSER_PATH}]
    The path to the browser's binary. This is resolved against PATH. [config: browser.path]
--browser.portrait [default: false] [${BROWSER_PORTRAIT}]
    Use a portrait viewport instead of the default landscape. [config: browser.portrait]
--browser.readiness.disable-dom-hashcode-wait [default: false] [${BROWSER_READINESS_DISABLE_DOM_HASHCODE_WAIT}]
    Disable waiting for the DOM to stabilize (i.e. not change) before capturing. [config: browser.readiness.disable-dom-hashcode-wait]
--browser.readiness.disable-network-wait [default: false] [${BROWSER_READINESS_DISABLE_NETWORK_WAIT}]
    Disable waiting for network requests to finish before capturing. [config: browser.readiness.disable-network-wait]
--browser.readiness.disable-query-wait [default: false] [${BROWSER_READINESS_DISABLE_QUERY_WAIT}]
    Disable waiting for queries to finish before capturing. [config: browser.readiness.disable-query-wait]
--browser.readiness.dom-hashcode-timeout=<duration> [default: 0s] [${BROWSER_READINESS_DOM_HASHCODE_TIMEOUT}]
    How long to wait before giving up on the DOM stabilizing (i.e. not changing). If <= 0, the timeout is disabled. [config: browser.readiness.dom-hashcode-timeout]
--browser.readiness.give-up-on-all-queries=<duration> [default: 0s] [${BROWSER_READINESS_GIVE_UP_ON_ALL_QUERIES}]
    How long to wait before giving up on all running queries. If <= 0, the give-up is disabled. [config: browser.readiness.give-up-on-all-queries]
--browser.readiness.give-up-on-first-query=<duration> [default: 3s] [${BROWSER_READINESS_GIVE_UP_ON_FIRST_QUERY}]
    How long to wait before giving up on a first query being registered. If <= 0, the give-up is disabled. [config: browser.readiness.give-up-on-first-query]
--browser.readiness.iteration-interval=<duration> [default: 100ms] [${BROWSER_READINESS_ITERATION_INTERVAL}]
    How long to wait between each iteration of checking whether the page is ready. Must be positive. [config: browser.readiness.iteration-interval]
--browser.readiness.network-idle-timeout=<duration> [default: 0s] [${BROWSER_READINESS_NETWORK_IDLE_TIMEOUT}]
    How long to wait before giving up on the network being idle. If <= 0, the timeout is disabled. [config: browser.readiness.network-idle-timeout]
--browser.readiness.prior-wait=<duration> [default: 1s] [${BROWSER_READINESS_PRIOR_WAIT}]
    The time to wait before checking for how ready the page is. This lets you force the webpage to take a beat and just do its thing before the service starts looking for whether it's time to render anything. If <= 0, this is disabled. [config: browser.readiness.prior-wait]
--browser.readiness.timeout=<duration> [default: 30s] [${BROWSER_READINESS_TIMEOUT}]
    The maximum time to wait for a web-page to become ready (i.e. no longer loading anything). If <= 0, the timeout is disabled. [config: browser.readiness.timeout]
--browser.readiness.wait-for-n-query-cycles=<int> [default: 1] [${BROWSER_READINESS_WAIT_FOR_N_QUERY_CYCLES}]
    The number of readiness checks that must pass consecutively before considering the page ready. [config: browser.readiness.wait-for-n-query-cycles]
--browser.sandbox [default: false] [${BROWSER_SANDBOX}]
    Enable the browser's sandbox. Sets the `no-sandbox` flag to `false` for you. [config: browser.sandbox]
--browser.time-between-scrolls=<duration> [default: 50ms] [${BROWSER_TIME_BETWEEN_SCROLLS}]
    The time between scroll events when capturing a full-page screenshot. [config: browser.time-between-scrolls]
--browser.time-zone=<string> / --browser.timezone=<string> / --browser.tz=<string> [default: "Etc/UTC"] [${BROWSER_TIMEZONE}, ${TZ}]
    The timezone for the browser to use, e.g. 'America/New_York'. [config: browser.timezone]
--browser.user-agent=<string> [${BROWSER_USER_AGENT}]
    Sets the default User-Agent header for browser requests. If not set, Chromium's default will be used instead. [config: browser.user-agent]
--browser.ws-url-read-timeout=<duration> [default: 0s] [${BROWSER_WS_URL_READ_TIMEOUT}]
    The timeout for reading the WebSocket URL when connecting to the browser. If <= 0, uses chromedp default (20s). [config: browser.ws-url-read-timeout]
--help / -h
    show help
--log.level=<string> [default: "info"] [${LOG_LEVEL}]
    The minimum level to log at (enum: debug, info, warn, error) [config: log.level]
--rate-limit.disabled [default: false] [${RATE_LIMIT_DISABLED}]
    Disable rate limiting entirely. [config: rate-limit.disabled]
--rate-limit.headroom=<uint> [default: 33554432] [${RATE_LIMIT_HEADROOM}]
    The amount of memory (in bytes) to leave as headroom after allocating memory for browser processes. Set to 0 to disable headroom. [config: rate-limit.headroom]
--rate-limit.max-available=<uint> [default: 0] [${RATE_LIMIT_MAX_AVAILABLE}]
    The maximum amount of memory (in bytes) available to processes. If more memory exists, only this amount is used. 0 disables the maximum. [config: rate-limit.max-available]
--rate-limit.max-limit=<uint> [default: 0] [${RATE_LIMIT_MAX_LIMIT}]
    The maximum number of requests to permit. Ratelimiting will reject requests if the number of currently running requests is at or above this value. Set to 0 to disable maximum. The v4 service used 5 by default. [config: rate-limit.max-limit]
--rate-limit.min-limit=<uint> [default: 3] [${RATE_LIMIT_MIN_LIMIT}]
    The minimum number of requests to permit. Ratelimiting will not reject requests if the number of currently running requests is below this value. Set to 0 to disable minimum (not recommended). [config: rate-limit.min-limit]
--rate-limit.min-memory-per-browser=<uint> [default: 67108864] [${RATE_LIMIT_MIN_MEMORY_PER_BROWSER}]
    The minimum amount of memory (in bytes) each browser process is expected to use. Set to 0 to disable the minimum. [config: rate-limit.min-memory-per-browser]
--rate-limit.process-tracker.decay=<int> [default: 5] [${RATE_LIMIT_PROCESS_TRACKER_DECAY}]
    The decay factor N to use in slow-moving averages of process statistics, where `avg = ((N-1)*avg + new) / N`. Must be at least 1. [config: rate-limit.process-tracker.decay]
--rate-limit.process-tracker.interval=<duration> [default: 50ms] [${RATE_LIMIT_PROCESS_TRACKER_INTERVAL}]
    How often to sample process statistics on the browser processes. Must be >= 1ms. [config: rate-limit.process-tracker.interval]
--server.addr=<string> [default: ":8081"] [${SERVER_ADDR}]
    The address to listen on for HTTP requests. [config: server.addr]
--server.auth-token=<string> / --server.auth-tokens=<string> / --server.token=<string> / --server.tokens=<string> [default: "-"] [${AUTH_TOKEN}]
    The X-Auth-Token header value that must be sent to the service to permit requests. May be repeated. [config: server.auth-token]
--server.cert-file=<string> / --server.cert=<string> / --server.certificate-file=<string> / --server.certificate=<string> [${SERVER_CERTIFICATE_FILE}]
    A path to a TLS certificate file to use for HTTPS. If not set, HTTP is used. [config: server.certificate-file]
--server.key-file=<string> / --server.key=<string> [${SERVER_KEY_FILE}]
    A path to a TLS key file to use for HTTPS. [config: server.key-file]
--server.min-tls-version=<string> [default: "1.2"] [${SERVER_MIN_TLS_VERSION}]
    The minimum TLS version to accept for HTTPS connections. (enum: 1.0, 1.1, 1.2, 1.3) [config: server.min-tls-version]
--tracing.client-certificate=<string> [${TRACING_CLIENT_CERTIFICATE}]
    A path to a PEM-encoded client certificate to use for mTLS when connecting to the tracing endpoint over gRPC or HTTPS. [config: tracing.client_certificate]
--tracing.client-key=<string> [${TRACING_CLIENT_KEY}]
    A path to a PEM-encoded client key to use for mTLS when connecting to the tracing endpoint over gRPC or HTTPS. [config: tracing.client_key]
--tracing.compressor=<string> [default: "none"] [${TRACING_COMPRESSOR}]
    The compression algorithm to use when sending traces. (enum: none, gzip) [config: tracing.compressor]
--tracing.endpoint=<string> [${TRACING_ENDPOINT}]
    The tracing endpoint to send spans to. Use grpc://, http://, or https:// to specify the protocol (grpc:// is implied). [config: tracing.endpoint]
--tracing.header=<string> / --tracing.headers=<string> [${TRACING_HEADER}]
    A header to add to requests to the tracing endpoint. Syntax is `${key}=${value}`. May be repeated. This is useful for things like authentication. [config: tracing.header]
--tracing.insecure [default: false] [${TRACING_INSECURE}]
    Whether to skip TLS verification when connecting. If set, the scheme in the endpoint is overridden to be insecure. [config: tracing.insecure]
--tracing.service-name=<string> [default: "grafana-image-renderer"] [${TRACING_SERVICE_NAME}]
    The service name to use in traces. [config: tracing.service_name]
--tracing.timeout=<duration> [default: 10s] [${TRACING_TIMEOUT}]
    The timeout for requests to the tracing endpoint. [config: tracing.timeout]
--tracing.trusted-certificate=<string> [${TRACING_TRUSTED_CERTIFICATE}]
    A path to a PEM-encoded certificate to use as a trusted root when connecting to the tracing endpoint over gRPC or HTTPS. [config: tracing.trusted_certificate]

Debug the configuration

Note
The command recommended here prints secrets and sensitive information in plain text. Be careful when sharing the output or storing it in logs.

To debug that the configuration is valid and what you expect, you can get a full dump of the Go structures representing the configuration by running the print-config command. For example:

docker run --rm -v ./config.json:/home/nonroot/config.json grafana/grafana-image-renderer:latest print-config

The command takes the exact same flags and configuration files as the server command does.