BIND master/slave deployment

System and deployment environment

Commands to identify the operating system

  1. uname -sr
  2. cat /etc/redhat-release

Machine inventory and master/slave roles

| Host  | IP           | Role         | OS / kernel                                                                          | BIND version                   |
|-------|--------------|--------------|--------------------------------------------------------------------------------------|--------------------------------|
| fnc05 | 10.154.5.163 | master       | CentOS Linux release 7.9.2009 (Core) / Linux 3.10.0-1160.11.1.el7.x86_64             | BIND 9.16.17 (Stable Release)  |
| fnc04 | 10.154.5.162 | slave        | CentOS Linux release 7.8.2003 (Core) / Linux 3.10.0-1127.18.2.el7.x86_64             | BIND 9.16.16 (Stable Release)  |
| fnc03 | 10.154.5.214 | slave        | BigCloud Enterprise Linux For LDK release 7.6.1906 (Core) / Linux 4.19.25-200.1.el7.bclinux.x86_64 | BIND 9.16.17 (Stable Release) |

The following still needs attention on all of the machines above:

  1. Make sure the firewall does not block the port BIND listens on (53 by default, both UDP and TCP; zone transfers between master and slaves run over TCP). If rndc is used from another host, port 953 must also be reachable from that host.
  2. Make sure the clocks of master and slaves agree. TSIG-signed transfers and updates carry a timestamp and are rejected outside the 300-second fudge window.
  3. Make sure the named user has permission on the relevant directories (the package install sets this up).

BIND 9.16 installation and configuration

Installing 9.16

cd /etc/yum.repos.d/

vim bind.repo
[copr:copr.fedorainfracloud.org:isc:bind]
name=Copr repo for bind owned by isc
baseurl=https://download.copr.fedorainfracloud.org/results/isc/bind/epel-7-$basearch/
type=rpm-md
skip_if_unavailable=True
gpgcheck=1
gpgkey=https://download.copr.fedorainfracloud.org/results/isc/bind/pubkey.gpg
repo_gpgcheck=0
enabled=1
enabled_metadata=1

yum list isc-bind*

yum install isc-bind-bind isc-bind-bind-utils isc-bind-bind-libs -y

Daemon environment file: /etc/opt/isc/isc-bind/sysconfig/named
Configuration file: /etc/opt/isc/isc-bind/named.conf
It ships with the following content:
options {
directory "/var/opt/isc/isc-bind/named/data";
listen-on { 127.0.0.1; };
listen-on-v6 { ::1; };
dnssec-validation auto;
};

logging {
channel default_debug {
file "named.run";
print-time yes;
severity dynamic;
};
};

# try to start it: it comes up
systemctl start isc-bind-named
systemctl enable isc-bind-named
systemctl status isc-bind-named

The installation may be missing some dependency packages; they can be installed manually:

# scl-utils (install the file that was downloaded)
wget http://mirror.centos.org/centos/7/os/x86_64/Packages/scl-utils-20130529-19.el7.x86_64.rpm
yum install scl-utils-20130529-19.el7.x86_64.rpm -y

# iso-codes
wget http://mirror.centos.org/centos/7/os/x86_64/Packages/iso-codes-3.46-2.el7.noarch.rpm
yum install iso-codes-3.46-2.el7.noarch.rpm -y

Package download sites

  1. Iso-codes Download (APK, DEB, EOPKG, RPM, TGZ, TXZ, XZ, ZST) (pkgs.org)

  2. scl-utils-20130529-19.el7.x86_64.rpm CentOS 7 Download (pkgs.org)

Configuring 9.16

# On the host, create /etc/profile.d/isc-bind-named.sh with the content below and save it.
# Then reboot the host (or log in again) so every shell gets the Software Collection enabled.
#!/bin/bash
source scl_source enable isc-bind

# Temporary alternative without rebooting: open a shell with the collection enabled
scl enable isc-bind bash
rndc

# Check the BIND version: it should report 9.16
named -v
# If it is not the installed 9.16, stop the old (system) named first
systemctl stop named
Configuring rndc with rndc-confgen

Master and slaves can both follow this step (a slave can skip it, since it only serves replicated data and is not administered through rndc).

rndc-confgen -r  /dev/urandom  > /etc/opt/isc/isc-bind/rndc.conf

# This writes rndc.conf with the content shown below.
# Copy the key and controls statements into named.conf.
# Copy the key name, algorithm and secret into the Python program's config.yml:
##bind_algorithm: md5
##bind_secret: rf27GDGjr6J2rRK5Ljsq2Q==
# Note: hmac-md5 is obsolete. On 9.16 rndc-confgen defaults to hmac-sha256, and the algorithm
# can be chosen explicitly with -A hmac-sha256. Treat the secret as a credential: anyone who
# holds it and can reach port 953 has full control of the server.

# Start of rndc.conf
key "rndc-key" {
algorithm hmac-md5;
secret "rf27GDGjr6J2rRK5Ljsq2Q==";
};

options {
default-key "rndc-key";
default-server 127.0.0.1;
default-port 953;
};
# End of rndc.conf

# Use with the following in named.conf, adjusting the allow list as needed:
# key "rndc-key" {
# algorithm hmac-md5;
# secret "rf27GDGjr6J2rRK5Ljsq2Q==";
# };
#
# controls {
# inet 127.0.0.1 port 953
# allow { 127.0.0.1; } keys { "rndc-key"; };
# };
# End of named.conf
Configuring the transfer key (TSIG)
Generate the key on the master
# Generate a 128-bit HMAC-MD5 key named dnssec-transfer (-n HOST marks it as a host/TSIG key).
# TSIG is symmetric: the .key and .private files hold the same shared secret, not a public/private pair.
# Note: on BIND 9.16 dnssec-keygen no longer generates HMAC keys; use tsig-keygen instead, e.g.
#   tsig-keygen -a hmac-sha256 dnssec-transfer
# which prints a ready-to-include key statement. The command below is the one run by the author.
dnssec-keygen -a HMAC-MD5 -b 128 -n HOST dnssec-transfer
# Produces Kdnssec-transfer.+157+54187 (157 is the algorithm number of HMAC-MD5)

ls -al Kdnssec-transfer.+157+54187.*
#-rw------- 1 root root  59 Jun 18 16:05 Kdnssec-transfer.+157+54187.key
#-rw------- 1 root root 165 Jun 18 16:05 Kdnssec-transfer.+157+54187.private

cat Kdnssec-transfer.+157+54187.private
# copy the Key value
#Key: /y7HAkwBH0KP9g9M+jADJg==

Put the secret into a new file and include that file from named.conf

cd /etc/opt/isc/isc-bind/   # or cd /etc/: keep the key file in the same directory as named.conf

vim transfer.key
key "dnssec-transfer" {                 # key name
algorithm hmac-md5;                     # HMAC algorithm
secret "/y7HAkwBH0KP9g9M+jADJg==";      # the shared secret copied from the .private file
};

chown root:named transfer.key   # owned by root, readable only by the named group
chmod 640 transfer.key

vim /etc/named.conf   # for the SCL package the file is /etc/opt/isc/isc-bind/named.conf
include "/etc/transfer.key";
allow-transfer { key dnssec-transfer; };   # only requests signed with this key may transfer zones
systemctl restart named
Reference the key on the slaves
scp /etc/transfer.key root@<slave-ip>:/etc/opt/isc/isc-bind/transfer.key

scp /etc/transfer.key root@10.154.5.214:/etc/opt/isc/isc-bind/transfer.key
scp /etc/transfer.key root@10.154.5.162:/etc/opt/isc/isc-bind/transfer.key

# on each slave, restore the restrictive ownership and mode after copying
chown root:named /etc/opt/isc/isc-bind/transfer.key
chmod 640 /etc/opt/isc/isc-bind/transfer.key

named.conf on the slave:

include "/etc/opt/isc/isc-bind/transfer.key";

# a top-level statement, not part of options: sign every request to this server with the key
server 10.154.5.163 { # master IP
keys { dnssec-transfer; };
};

Restart BIND on the slave

systemctl restart isc-bind-named

The zone data is now transferred to the slave.

Configuring catalog zones
Master
  1. In /var/opt/isc/isc-bind/named/data, create the catalog zone file (the suffix can be .db or .zone)
cd /var/opt/isc/isc-bind/named/data

vim catalog.default.zone
$TTL 3600
@ IN SOA . . 1 86400 3600 86400 3600
@ IN NS nop.
version IN TXT "1"
# fix ownership
chown named:named catalog.default.zone
  2. Include the catalog zone in named.conf
options {
#...
allow-new-zones yes; # lets rndc addzone/delzone (and catalog zones) manage zones at runtime
notify yes; # send NOTIFY to the slaves instead of waiting for their refresh interval
also-notify { 10.154.5.162; }; # slaves to notify in addition to the zone's NS records; several addresses allowed
allow-transfer { 10.154.5.162; 10.154.5.163; }; # only these hosts may transfer zones; a TSIG key (key dnssec-transfer) scales better and actually authenticates the peer
allow-update { any; }; # who may send dynamic updates to master zones; none disables nsupdate. any is a lab setting: restrict it to a TSIG key anywhere untrusted hosts can reach port 53
allow-query { any; }; # clients allowed to query
};

zone "catalog.default" {
type master;
file "catalog.default.zone";
#also-notify { 10.154.5.162; };
#allow-transfer { 10.154.5.162; 10.154.5.163; };
#allow-update { any; };
#allow-query { any; };
};
named-checkzone catalog.default catalog.default.zone
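With the catalog zone in place, a zone is added to all slaves by creating it on the master (rndc addzone) and then publishing one PTR record in the catalog zone. The following is an added example, not code from the original post: it computes the member record for catalog zone format version 1 as BIND 9.16 implements it (the SHA-1 of the member zone name in uncompressed wire format becomes a label under zones.catalog.default) and emits the rndc command and an nsupdate script signed with the dnssec-transfer key. The catalog name, master address and key name come from the post; the secret, algorithm and member zone names are placeholders.

```python
"""Generate catalog zone member entries for catalog.default (added example).

Assumptions: catalog zones v1 as in BIND 9.16, where a member zone is published as
    <sha1(wire-format zone name)>.zones.<catalog>  IN PTR  <zone name>
The TSIG secret/algorithm and the member zones are placeholders, not values from the post.
"""
import hashlib

CATALOG = "catalog.default"
MASTER = "10.154.5.163"


def wire_name(name: str) -> bytes:
    """Encode a DNS name in uncompressed wire format, lowercased (DNS names are case-insensitive)."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    out = bytearray()
    for label in labels:
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError(f"label too long: {label}")
        out.append(len(raw))
        out += raw
    out.append(0)  # root label terminator
    return bytes(out)


def catalog_member_label(zone: str) -> str:
    """Hex SHA-1 of the wire-format zone name: the owner label used by catalog zones v1."""
    return hashlib.sha1(wire_name(zone)).hexdigest()


def member_ptr_record(zone: str, catalog: str = CATALOG, ttl: int = 3600) -> str:
    """The PTR record that registers `zone` as a member of `catalog`."""
    fqdn = zone.rstrip(".") + "."
    return f"{catalog_member_label(zone)}.zones.{catalog}. {ttl} IN PTR {fqdn}"


def rndc_addzone(zone: str) -> str:
    """rndc command that creates the member zone on the master before it is catalogued."""
    z = zone.rstrip(".")
    return f'rndc addzone {z} \'{{ type master; file "{z}.zone"; }};\''


def nsupdate_script(zones, add=True, key_name="dnssec-transfer",
                    key_secret="<secret>", key_alg="hmac-md5"):
    """nsupdate script that adds (or deletes) the member records with a TSIG-signed update.
    Feed it to `nsupdate` on stdin; the key line carries the shared secret, so keep the file 0600."""
    lines = [f"server {MASTER}", f"key {key_alg}:{key_name} {key_secret}", f"zone {CATALOG}"]
    for zone in zones:
        record = member_ptr_record(zone)
        if add:
            lines.append(f"update add {record}")
        else:
            lines.append(f"update delete {record.split()[0]} PTR")
    lines.append("send")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # placeholder member zones, not zones from the post
    for z in ("example.com", "example.org"):
        print(rndc_addzone(z))
    print(nsupdate_script(["example.com", "example.org"]))
```

After the update is sent, `rndc reload` is not needed: the slaves transfer the changed catalog zone on NOTIFY, see the new PTR record and add the member zone themselves, transferring its contents from default-masters.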
Slave

Configure the catalog zone in named.conf and link it to the master.

options {
#...
listen-on port 53 { 127.0.0.1; 10.154.5.162; }; # this slave's own addresses (it cannot bind the master's IP)
allow-new-zones yes; # required: catalog zones add member zones at runtime
masterfile-format text; # store transferred zones as text rather than the default raw format, so the files are readable
catalog-zones {
zone "catalog.default" default-masters { 10.154.5.163; }; # member zones are transferred from the master
};
};
zone "catalog.default" {
type slave;
file "catalog.default.zone";
masters { 10.154.5.163; }; // master IP
};
Verification

This completes the catalog zone configuration.

# restart master and slaves
systemctl restart named   # or
systemctl restart isc-bind-named

# on the master, check that the catalog zone is served by master and slave
dig +short @10.154.5.163 soa catalog.default
dig +short @10.154.5.162 soa catalog.default
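Reading the two dig outputs by eye works for one zone; the added example below (not code from the original post) does the same comparison programmatically. It parses the single line that `dig +short @server soa <zone>` prints for each server and reports whether all serials agree, treating an empty answer (a slave that has not transferred the zone yet) as out of sync. The sample outputs are constructed to match the SOA in catalog.default.zone; `fetch_soa` is the live variant and needs network access to the servers.

```python
"""Check that master and slaves serve the same SOA serial (added example).

Input is the output of `dig +short @<server> soa <zone>`, one line per server:
    mname rname serial refresh retry expire minimum
The sample below is constructed; the server addresses are the ones from the post.
"""
from dataclasses import dataclass
import subprocess


@dataclass
class Soa:
    mname: str
    rname: str
    serial: int
    refresh: int
    retry: int
    expire: int
    minimum: int


def parse_soa_short(text: str) -> Soa:
    """Parse `dig +short soa` output; raises ValueError on empty or malformed output."""
    fields = text.strip().split()
    if len(fields) != 7:
        raise ValueError(f"unexpected SOA output: {text!r}")
    return Soa(fields[0], fields[1], *(int(f) for f in fields[2:]))


def fetch_soa(server: str, zone: str) -> str:
    """Live query (network access required; the self-test uses SAMPLE instead)."""
    return subprocess.run(["dig", "+short", f"@{server}", "soa", zone],
                          capture_output=True, text=True, timeout=10, check=True).stdout


def check_in_sync(outputs: dict) -> tuple:
    """outputs maps server -> dig output. Returns (in_sync, {server: serial or None}).
    A server that returned nothing parseable gets None and counts as out of sync."""
    serials = {}
    for server, text in outputs.items():
        try:
            serials[server] = parse_soa_short(text).serial
        except ValueError:
            serials[server] = None
    values = set(serials.values())
    return (len(values) == 1 and None not in values), serials


# constructed sample: master and one slave agree, the second slave has not transferred yet
SAMPLE = {
    "10.154.5.163": ". . 3 86400 3600 86400 3600\n",
    "10.154.5.162": ". . 3 86400 3600 86400 3600\n",
    "10.154.5.214": "",
}

if __name__ == "__main__":
    ok, serials = check_in_sync(SAMPLE)
    print("in sync:", ok, serials)
    # live use: check_in_sync({s: fetch_soa(s, "catalog.default") for s in SAMPLE})
```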
Configuring logging
Create the log files

cd /var/opt/isc/isc-bind/log/

# vim namelist.txt
default.log
general.log
database.log
security.log
config.log
resolver.log
xfer-in.log
xfer-out.log
notify.log
client.log
unmatched.log
queries.log
network.log
update.log
dispatch.log
dnssec.log
lame-servers.log
#!/bin/bash
# createlog.sh: create one empty log file per name listed in namelist.txt

printf "*************************************\n"
echo "creating the log files listed in namelist.txt"
while read -r line; do
    echo "$line"
    touch "$line"
done < namelist.txt

chown -R named:named ../log
bash createlog.sh
# send the files to the slave and run the script there
scp /var/opt/isc/isc-bind/log/namelist.txt root@10.154.5.162:/var/opt/isc/isc-bind/log/namelist.txt
scp /var/opt/isc/isc-bind/log/createlog.sh root@10.154.5.162:/var/opt/isc/isc-bind/log/createlog.sh
bash createlog.sh   # on the slave
named.conf configuration
logging {
channel default_file {
file "/var/opt/isc/isc-bind/log/default.log" versions 3 size 5m;
severity dynamic;
print-time yes;
};
channel general_file {
file "/var/opt/isc/isc-bind/log/general.log" versions 3 size 5m;
severity dynamic;
print-time yes;
};
channel database_file {
file "/var/opt/isc/isc-bind/log/database.log" versions 3 size 5m;
severity dynamic;
print-time yes;
};
channel security_file {
file "/var/opt/isc/isc-bind/log/security.log" versions 3 size 5m;
severity dynamic;
print-time yes;
};
channel config_file {
file "/var/opt/isc/isc-bind/log/config.log" versions 3 size 5m;
severity dynamic;
print-time yes;
};
channel resolver_file {
file "/var/opt/isc/isc-bind/log/resolver.log" versions 3 size 5m;
severity dynamic;
print-time yes;
};
channel xfer-in_file {
file "/var/opt/isc/isc-bind/log/xfer-in.log" versions 3 size 5m;
severity dynamic;
print-time yes;
};
channel xfer-out_file {
file "/var/opt/isc/isc-bind/log/xfer-out.log" versions 3 size 5m;
severity dynamic;
print-time yes;
};
channel notify_file {
file "/var/opt/isc/isc-bind/log/notify.log" versions 3 size 5m;
severity dynamic;
print-time yes;
};
channel client_file {
file "/var/opt/isc/isc-bind/log/client.log" versions 3 size 5m;
severity dynamic;
print-time yes;
};
channel unmatched_file {
file "/var/opt/isc/isc-bind/log/unmatched.log" versions 3 size 5m;
severity dynamic;
print-time yes;
};
channel queries_file {
file "/var/opt/isc/isc-bind/log/queries.log" versions 3 size 5m;
severity dynamic;
print-time yes;
};
channel network_file {
file "/var/opt/isc/isc-bind/log/network.log" versions 3 size 5m;
severity dynamic;
print-time yes;
};
channel update_file {
file "/var/opt/isc/isc-bind/log/update.log" versions 3 size 5m;
severity dynamic;
print-time yes;
};
channel dispatch_file {
file "/var/opt/isc/isc-bind/log/dispatch.log" versions 3 size 5m;
severity dynamic;
print-time yes;
};
channel dnssec_file {
file "/var/opt/isc/isc-bind/log/dnssec.log" versions 3 size 5m;
severity dynamic;
print-time yes;
};
channel lame-servers_file {
file "/var/opt/isc/isc-bind/log/lame-servers.log" versions 3 size 5m;
severity dynamic;
print-time yes;
};

category default { default_file; };
category general { general_file; };
category database { database_file; };
category security { security_file; };
category config { config_file; };
category resolver { resolver_file; };
category xfer-in { xfer-in_file; };
category xfer-out { xfer-out_file; };
category notify { notify_file; };
category client { client_file; };
category unmatched { unmatched_file; };
category queries { queries_file; };
category network { network_file; };
category update { update_file; };
category dispatch { dispatch_file; };
category dnssec { dnssec_file; };
category lame-servers { lame-servers_file; };
};

Configure this on both master and slaves!
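The security, xfer-out and update channels above are only useful if someone reads them. The following is an added example, not code from the original post, of the detection a practitioner would run over those files: it parses named's usual `<date> <time> client @<ptr> <ip>#<port> (<qname>): <message>` line layout, classifies denied transfers, denied updates and TSIG failures per source address, and reports sources that exceed a threshold as well as any outgoing transfer served to a host that is not one of the slaves. The log lines are constructed for the demonstration, and the allowed-slave set and threshold are assumptions.

```python
"""Detection over BIND security/xfer-out/update log lines (added example).

Assumptions: named's default line format; the allowed slaves are the two from the inventory;
three denied/failed requests from one address are worth a report. Sample lines are constructed.
"""
import re
from collections import Counter, defaultdict

ALLOWED_SLAVES = {"10.154.5.162", "10.154.5.214"}  # assumed: the slaves in the inventory
DENY_THRESHOLD = 3                                  # assumed alert threshold

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+"
    r"(?: \((?P<qname>[^)]*)\))?: (?P<msg>.*)$"
)
# message patterns; the `detail` group is the zone (or TSIG error code) involved
EVENT_RES = [
    ("xfr_denied", re.compile(r"zone transfer '(?P<detail>[^'/]+)/")),
    ("update_denied", re.compile(r"^update '(?P<detail>[^'/]+)/IN' denied")),
    ("tsig_failure", re.compile(r"tsig verify failure \((?P<detail>[A-Z]+)\)")),
    ("xfr_started", re.compile(r"transfer of '(?P<detail>[^'/]+)/IN': (?:AXFR|IXFR) started")),
]


def parse_line(line: str):
    """Return {ts, ip, kind, detail} for a client line, or None for lines without a client."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    msg = m.group("msg")
    for kind, rx in EVENT_RES:
        e = rx.search(msg)
        if e:
            return {"ts": m.group("ts"), "ip": m.group("ip"), "kind": kind, "detail": e.group("detail")}
    return {"ts": m.group("ts"), "ip": m.group("ip"), "kind": "other", "detail": msg}


def analyse(lines):
    """Count events per source IP; return (per_ip counters, list of findings)."""
    per_ip = defaultdict(Counter)
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        per_ip[ev["ip"]][ev["kind"]] += 1
        if ev["kind"] == "xfr_started" and ev["ip"] not in ALLOWED_SLAVES:
            findings.append(f"zone {ev['detail']} transferred to unexpected host {ev['ip']}")
    for ip, counts in per_ip.items():
        denied = counts["xfr_denied"] + counts["update_denied"] + counts["tsig_failure"]
        if denied >= DENY_THRESHOLD:
            findings.append(f"{ip}: {denied} denied/failed requests {dict(counts)}")
    return per_ip, findings


# constructed sample lines mimicking named's security.log / xfer-out.log / update.log output
SAMPLE_LINES = [
    "18-Jun-2021 16:20:01.123 client @0x7f3b1c0a2d60 203.0.113.9#53211 (example.com): zone transfer 'example.com/AXFR/IN' denied",
    "18-Jun-2021 16:20:05.456 client @0x7f3b1c0a2d60 203.0.113.9#53212: update 'example.com/IN' denied",
    "18-Jun-2021 16:20:07.789 client @0x7f3b1c0a2d60 203.0.113.9#53213: request has invalid signature: TSIG dnssec-transfer: tsig verify failure (BADKEY)",
    "18-Jun-2021 16:21:00.000 client @0x7f3b1c0a2d60 10.154.5.162#40001 (catalog.default): transfer of 'catalog.default/IN': AXFR started (serial 3)",
    "18-Jun-2021 16:21:30.000 client @0x7f3b1c0a2d60 198.51.100.7#40002 (catalog.default): transfer of 'catalog.default/IN': AXFR started (serial 3)",
    "18-Jun-2021 16:22:00.000 zone catalog.default/IN: sending notifies (serial 3)",
]

if __name__ == "__main__":
    _, found = analyse(SAMPLE_LINES)
    for f in found:
        print(f)
```

A transfer served to an address outside the slave set is the symptom of `allow-transfer { any; }` or of a leaked TSIG key; repeated BADKEY failures from one source mean someone is probing for the key name or replaying signed requests.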

Final master configuration
key rndc-key {
algorithm hmac-md5;
secret "rf27GDGjr6J2rRK5Ljsq2Q==";
};

include "/etc/opt/isc/isc-bind/transfer.key";
options {
directory "/var/opt/isc/isc-bind/named/data";
listen-on port 53 { 127.0.0.1; 10.154.5.163; };
#listen-on-v6 { ::1; };
dnssec-enable yes;   # obsolete in 9.16 (named only logs a warning); can be removed
dnssec-validation yes;

allow-query { any; };
allow-update { any; };   # lab setting: unauthenticated dynamic updates from anywhere; restrict to a TSIG key in production
allow-transfer { 10.154.5.163; key dnssec-transfer; };
notify yes;
#notify-to-soa yes;
also-notify { 10.154.5.162; 10.154.5.214; };
allow-new-zones yes;
};

statistics-channels {
inet 127.0.0.1 port 8888 allow { any; };
inet 10.154.5.163 port 8889 allow { any; };   # unauthenticated statistics on the network interface; limit allow {} to the monitoring host
};

controls {
inet * port 953
allow { any; } keys { "rndc-key"; };   # rndc reachable on every interface from any address, the key is the only protection; prefer allow { 127.0.0.1; <admin hosts>; }
};


logging {
channel default_debug {
file "named.run";
print-time yes;
severity dynamic;
};
channel default_file {
file "/var/opt/isc/isc-bind/log/default.log" versions 3 size 5m;
severity dynamic;
print-time yes;
};
channel general_file {
file "/var/opt/isc/isc-bind/log/general.log" versions 3 size 5m;
severity dynamic;
print-time yes;
};
channel database_file {
file "/var/opt/isc/isc-bind/log/database.log" versions 3 size 5m;
severity dynamic;
print-time yes;
};
channel security_file {
file "/var/opt/isc/isc-bind/log/security.log" versions 3 size 5m;
severity dynamic;
print-time yes;
};
channel config_file {
file "/var/opt/isc/isc-bind/log/config.log" versions 3 size 5m;
severity dynamic;
print-time yes;
};
channel resolver_file {
file "/var/opt/isc/isc-bind/log/resolver.log" versions 3 size 5m;
severity dynamic;
print-time yes;
};
channel xfer-in_file {
file "/var/opt/isc/isc-bind/log/xfer-in.log" versions 3 size 5m;
severity dynamic;
print-time yes;
};
channel xfer-out_file {
file "/var/opt/isc/isc-bind/log/xfer-out.log" versions 3 size 5m;
severity dynamic;
print-time yes;
};
channel notify_file {
file "/var/opt/isc/isc-bind/log/notify.log" versions 3 size 5m;
severity dynamic;
print-time yes;
};
channel client_file {
file "/var/opt/isc/isc-bind/log/client.log" versions 3 size 5m;
severity dynamic;
print-time yes;
};
channel unmatched_file {
file "/var/opt/isc/isc-bind/log/unmatched.log" versions 3 size 5m;
severity dynamic;
print-time yes;
};
channel queries_file {
file "/var/opt/isc/isc-bind/log/queries.log" versions 3 size 5m;
severity dynamic;
print-time yes;
};
channel network_file {
file "/var/opt/isc/isc-bind/log/network.log" versions 3 size 5m;
severity dynamic;
print-time yes;
};
channel update_file {
file "/var/opt/isc/isc-bind/log/update.log" versions 3 size 5m;
severity dynamic;
print-time yes;
};
channel dispatch_file {
file "/var/opt/isc/isc-bind/log/dispatch.log" versions 3 size 5m;
severity dynamic;
print-time yes;
};
channel dnssec_file {
file "/var/opt/isc/isc-bind/log/dnssec.log" versions 3 size 5m;
severity dynamic;
print-time yes;
};
channel lame-servers_file {
file "/var/opt/isc/isc-bind/log/lame-servers.log" versions 3 size 5m;
severity dynamic;
print-time yes;
};

category default { default_file; };
category general { general_file; };
category database { database_file; };
category security { security_file; };
category config { config_file; };
category resolver { resolver_file; };
category xfer-in { xfer-in_file; };
category xfer-out { xfer-out_file; };
category notify { notify_file; };
category client { client_file; };
category unmatched { unmatched_file; };
category queries { queries_file; };
category network { network_file; };
category update { update_file; };
category dispatch { dispatch_file; };
category dnssec { dnssec_file; };
category lame-servers { lame-servers_file; };
};

zone "catalog.default" {
type master;
file "catalog.default.zone";
};
named-checkconf   # validate the configuration before restarting
systemctl restart isc-bind-named
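named-checkconf only checks syntax; it is happy with `allow-update { any; }`, with rndc exposed on every interface, and with an hmac-md5 key. The following is an added example, not code from the original post or from ISC: a small regex-based lint for exactly the exposure patterns that appear in the lab configurations on this page, with a constructed weak fragment mirroring those settings next to the restricted equivalent. It is not a named.conf parser and complements, rather than replaces, named-checkconf.

```python
"""Lint named.conf for the exposure patterns used in the lab config (added example).

Assumptions: comments are /* */, // or #; the two embedded fragments are constructed for
the demonstration (WEAK_CONF mirrors the settings in the post, HARDENED_CONF the fix).
"""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    rule: str
    line: int
    advice: str


def strip_comments(text: str) -> str:
    """Blank out comments but keep newlines so reported line numbers stay valid."""
    text = re.sub(r"/\*.*?\*/", lambda m: re.sub(r"[^\n]", " ", m.group(0)), text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)


RULES = [
    ("allow-update-any", re.compile(r"allow-update\s*\{\s*any\s*;\s*\}"),
     "unauthenticated dynamic updates; use allow-update { key <name>; }"),
    ("allow-transfer-any", re.compile(r"allow-transfer\s*\{\s*any\s*;\s*\}"),
     "anyone can AXFR the zone; use allow-transfer { key <name>; } or the slave addresses"),
    ("hmac-md5", re.compile(r"algorithm\s+hmac-md5\b"),
     "weak TSIG/rndc algorithm; regenerate the key with hmac-sha256"),
    ("dnssec-enable", re.compile(r"\bdnssec-enable\b"),
     "obsolete in BIND 9.16 (named logs a warning); remove it"),
]
# controls / statistics-channels listeners on a non-loopback address open to any source
INET_ANY = re.compile(r"inet\s+(?P<addr>\S+)\s+port\s+\d+\s*allow\s*\{\s*any\s*;\s*\}")
LOOPBACK = {"127.0.0.1", "::1"}


def _line_of(text: str, offset: int) -> int:
    return text.count("\n", 0, offset) + 1


def lint(conf: str) -> list:
    """Return findings sorted by line; an empty list means none of the patterns matched."""
    text = strip_comments(conf)
    findings = []
    for rule, rx, advice in RULES:
        for m in rx.finditer(text):
            findings.append(Finding(rule, _line_of(text, m.start()), advice))
    for m in INET_ANY.finditer(text):
        if m.group("addr") not in LOOPBACK:
            findings.append(Finding("inet-allow-any", _line_of(text, m.start()),
                                    f"listener on {m.group('addr')} accepts any source; list the admin/monitoring hosts"))
    return sorted(findings, key=lambda f: f.line)


WEAK_CONF = """\
options {
    allow-update { any; };
    allow-transfer { 10.154.5.163; key dnssec-transfer; };
    dnssec-enable yes;
    # allow-transfer { any; };   commented out: must not be reported
};
statistics-channels {
    inet 127.0.0.1 port 8888 allow { any; };
    inet 10.154.5.163 port 8889 allow { any; };
};
controls {
    inet * port 953
    allow { any; } keys { "rndc-key"; };
};
key "dnssec-transfer" { algorithm hmac-md5; secret "placeholder"; };
"""

HARDENED_CONF = """\
options {
    allow-update { key dnssec-transfer; };
    allow-transfer { key dnssec-transfer; };
    dnssec-validation auto;
};
statistics-channels {
    inet 127.0.0.1 port 8888 allow { 127.0.0.1; };
    inet 10.154.5.163 port 8889 allow { 10.154.5.162; };
};
controls {
    inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };
};
key "dnssec-transfer" { algorithm hmac-sha256; secret "placeholder"; };
"""

if __name__ == "__main__":
    for f in lint(WEAK_CONF):
        print(f"line {f.line}: {f.rule}: {f.advice}")
    print("hardened findings:", lint(HARDENED_CONF))
```

Run it against the real file with `lint(open("/etc/opt/isc/isc-bind/named.conf").read())` before every restart, alongside named-checkconf.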
Final slave configuration

Create the directory (slaves) that holds the slave's transferred zone data

cd /var/opt/isc/isc-bind/named/data
mkdir slaves
chown named.named slaves

named.conf

key "rndc-key" {
algorithm hmac-sha256;
secret "bshuXqh379VDuCYQqWJY68F1rkCEsf5LLfc274USvZQ=";
};

options {
directory "/var/opt/isc/isc-bind/named/data/slaves";
listen-on port 53 { 127.0.0.1; 10.154.5.214; };   # this slave's own addresses only
#listen-on-v6 { ::1; };
dnssec-validation auto;

allow-query { any; };
allow-update { any; };   # only meaningful for master zones; a slave refuses updates unless allow-update-forwarding is set, so this line can go
allow-transfer {any;};   # lab setting: anyone can AXFR the complete zone contents from this slave; restrict to key dnssec-transfer or the master's address
allow-new-zones yes;
masterfile-format text;
catalog-zones {
zone "catalog.default" default-masters { 10.154.5.163; };
};

};

statistics-channels {
inet 127.0.0.1 port 8888 allow { any; };
inet 10.154.5.214 port 8889 allow { any; };   # limit allow {} to the monitoring host
};

controls {
inet 127.0.0.1 port 953
allow { 127.0.0.1; } keys { "rndc-key"; };
};

logging {
channel default_debug {
file "named.run";
print-time yes;
severity dynamic;
};

channel default_file {
file "/var/opt/isc/isc-bind/log/default.log" versions 3 size 5m;
severity dynamic;
print-time yes;
};
channel general_file {
file "/var/opt/isc/isc-bind/log/general.log" versions 3 size 5m;
severity dynamic;
print-time yes;
};
channel database_file {
file "/var/opt/isc/isc-bind/log/database.log" versions 3 size 5m;
severity dynamic;
print-time yes;
};
channel security_file {
file "/var/opt/isc/isc-bind/log/security.log" versions 3 size 5m;
severity dynamic;
print-time yes;
};
channel config_file {
file "/var/opt/isc/isc-bind/log/config.log" versions 3 size 5m;
severity dynamic;
print-time yes;
};
channel resolver_file {
file "/var/opt/isc/isc-bind/log/resolver.log" versions 3 size 5m;
severity dynamic;
print-time yes;
};
channel xfer-in_file {
file "/var/opt/isc/isc-bind/log/xfer-in.log" versions 3 size 5m;
severity dynamic;
print-time yes;
};
channel xfer-out_file {
file "/var/opt/isc/isc-bind/log/xfer-out.log" versions 3 size 5m;
severity dynamic;
print-time yes;
};
channel notify_file {
file "/var/opt/isc/isc-bind/log/notify.log" versions 3 size 5m;
severity dynamic;
print-time yes;
};
channel client_file {
file "/var/opt/isc/isc-bind/log/client.log" versions 3 size 5m;
severity dynamic;
print-time yes;
};
channel unmatched_file {
file "/var/opt/isc/isc-bind/log/unmatched.log" versions 3 size 5m;
severity dynamic;
print-time yes;
};
channel queries_file {
file "/var/opt/isc/isc-bind/log/queries.log" versions 3 size 5m;
severity dynamic;
print-time yes;
};
channel network_file {
file "/var/opt/isc/isc-bind/log/network.log" versions 3 size 5m;
severity dynamic;
print-time yes;
};
channel update_file {
file "/var/opt/isc/isc-bind/log/update.log" versions 3 size 5m;
severity dynamic;
print-time yes;
};
channel dispatch_file {
file "/var/opt/isc/isc-bind/log/dispatch.log" versions 3 size 5m;
severity dynamic;
print-time yes;
};
channel dnssec_file {
file "/var/opt/isc/isc-bind/log/dnssec.log" versions 3 size 5m;
severity dynamic;
print-time yes;
};
channel lame-servers_file {
file "/var/opt/isc/isc-bind/log/lame-servers.log" versions 3 size 5m;
severity dynamic;
print-time yes;
};

category default { default_file; };
category general { general_file; };
category database { database_file; };
category security { security_file; };
category config { config_file; };
category resolver { resolver_file; };
category xfer-in { xfer-in_file; };
category xfer-out { xfer-out_file; };
category notify { notify_file; };
category client { client_file; };
category unmatched { unmatched_file; };
category queries { queries_file; };
category network { network_file; };
category update { update_file; };
category dispatch { dispatch_file; };
category dnssec { dnssec_file; };
category lame-servers { lame-servers_file; };
};


zone "catalog.default" {
type slave;
file "catalog.default.zone";
masters { 10.154.5.163; };
};
include "/etc/opt/isc/isc-bind/transfer.key";

server 10.154.5.163 {
keys { dnssec-transfer; };
};
systemctl restart isc-bind-named

Performance monitoring

Basic BIND configuration

Exposes the statistics that the monitoring reads

vim /etc/opt/isc/isc-bind/named.conf

statistics-channels {
inet 127.0.0.1 port 8888 allow { any; };
inet 10.154.5.162 port 8889 allow { any; };   # reachable from the network without authentication; restrict allow {} to the monitoring host
};

Open http://10.154.5.162:8889 in a browser.

Note the port number 8889.

bind_exporter

Used for graphical display.

bind_exporter reads the statistics exposed by statistics-channels, converts them into metrics and exposes them for Prometheus.

Download

Check the Linux version

# cat /proc/version
Linux version 3.10.0-1127.18.2.el7.x86_64 (mockbuild@kbuilder.bsys.centos.org) (gcc version 4.8.5 20150623 (Red Hat 4.8.5-39) (GCC) ) #1 SMP Sun Jul 26 15:27:06 UTC 2020

Download the build matching that version from

https://github.com/prometheus-community/bind_exporter/releases

As shown above the system is x86_64, so download

bind_exporter-0.4.0.linux-amd64.tar.gz

Configure

Extract to /usr/local/bin/

tar -xvf bind_exporter-0.4.0.linux-amd64.tar.gz
# move the extracted files into /usr/local/bin/, then:
cd /usr/local/bin/
ls -l
-rwxr-xr-x 1 3434 3434 15762489 Jan 14 22:55 bind_exporter
-rw-r--r-- 1 3434 3434 11357 Jan 14 23:57 LICENSE
-rw-r--r-- 1 3434 3434 252 Jan 14 23:57 NOTICE

Create a systemd unit to run bind_exporter

  1. --web.listen-address is the address and port on which the metrics are exposed; Prometheus scrapes bind_exporter here (the port that serves data to the outside).
  2. --bind.stats-url is the address and port of the local BIND statistics channel, i.e. where the exporter fetches BIND's data.

The user and group can be the same as the named process ("named") or root. Root is not needed: the exporter only needs HTTP access to the statistics channel (and read access to the pid file when --bind.pid-file is set), so an unprivileged user is the better choice.

vim /etc/systemd/system/bind_exporter.service

[Unit]
Description=bind_exporter
Documentation=https://github.com/prometheus-community/bind_exporter
Wants=network-online.target
After=network-online.target
[Service]
Type=simple
User=root
Group=root
ExecReload=/bin/kill -HUP $MAINPID
ExecStart=/usr/local/bin/bind_exporter \
--bind.pid-file=/var/opt/isc/isc-bind/run/named/named.pid \
--bind.timeout=20s \
--web.listen-address=0.0.0.0:9154 \
--web.telemetry-path=/metrics \
--bind.stats-url=http://10.154.5.162:8889/ \
--bind.stats-groups=server,view,tasks
Restart=always
[Install]
WantedBy=default.target

Note the port number 9154.

Load and start bind_exporter

systemctl daemon-reload
systemctl restart bind_exporter.service

Prometheus Server

Prometheus is written in Go and ships as a compiled binary with no third-party dependencies. Download the package for your platform, extract it, add a basic configuration and Prometheus Server starts.

Prometheus Server scrapes metrics from its targets on a schedule; every scrape target must expose an HTTP endpoint that Prometheus polls.

This way of fetching monitoring data from the monitored object is called Pull. The Pull model is Prometheus's distinctive design choice; most other monitoring systems use Push.

Some existing systems can only push. To integrate them Prometheus supports a Pushgateway: those systems push their metrics to the Pushgateway, and Prometheus scrapes the gateway on schedule.

Alertmanager is a component independent of Prometheus: when an alerting rule configured in Prometheus fires, Prometheus pushes the alert to Alertmanager.

Download the matching version:

Download | Prometheus

tar -xf prometheus-2.27.1.linux-amd64.tar.gz
mv prometheus-2.27.1.linux-amd64 /usr/local/
ln -s /usr/local/prometheus-2.27.1.linux-amd64/ /usr/local/prometheus

Create the Prometheus user (prometheus here) and the data directory (/data/prometheus)

# useradd -s /sbin/nologin -M prometheus
# mkdir /data/prometheus -p
# change directory ownership
# chown -R prometheus:prometheus /usr/local/prometheus/
# chown -R prometheus:prometheus /data/prometheus/

Configure /usr/local/prometheus/prometheus.yml

cp prometheus.yml prometheus.yml-default   # back up the default configuration first
# my global config
global:
  scrape_interval: 15s # Set the scrape interval to every 15 seconds. Default is every 1 minute.
  evaluation_interval: 15s # Evaluate rules every 15 seconds. The default is every 1 minute.
  # scrape_timeout is set to the global default (10s).

# Alertmanager configuration
alerting:
  alertmanagers:
    - static_configs:
        - targets: ["localhost:9093"]
          # - alertmanager:9093

# Load rules once and periodically evaluate them according to the global 'evaluation_interval'.
rule_files:
  # - "first_rules.yml"
  # - "second_rules.yml"

# A scrape configuration containing exactly one endpoint to scrape:
# Here it's Prometheus itself.
scrape_configs:
  # The job name is added as a label `job=<job_name>` to any timeseries scraped from this config.
  - job_name: 'prometheus'

    # metrics_path defaults to '/metrics'
    # scheme defaults to 'http'.
    scrape_interval: 5s
    static_configs:
      - targets: ['localhost:9090'] # port 9090 serves the management UI

  - job_name: 'bind-fnc04'
    scrape_interval: 5s
    static_configs:
      - targets: ['10.154.5.162:9154'] # scrape bind_exporter

The default port after startup is 9090.

Start method 1

cd /usr/local/prometheus
./prometheus --version
./prometheus &

Start method 2

vim /etc/systemd/system/prometheus.service

[Unit]
Description=Prometheus
Documentation=https://prometheus.io/
After=network.target
[Service]
Type=simple
User=prometheus
ExecStart=/usr/local/prometheus/prometheus --config.file=/usr/local/prometheus/prometheus.yml --storage.tsdb.path=/data/prometheus
Restart=on-failure
[Install]
WantedBy=multi-user.target

The service can now be controlled with systemctl

systemctl daemon-reload
systemctl enable prometheus
systemctl start prometheus

Open http://10.154.5.162:9090/targets in a browser

Grafana

A dashboard and visualisation tool, used here to display the data collected by Prometheus

Grafana + Prometheus explained and used - Zhihu (zhihu.com)

Download

wget https://dl.grafana.com/oss/release/grafana-7.5.7.linux-amd64.tar.gz
tar -xzvf grafana-7.5.7.linux-amd64.tar.gz
mv grafana-7.5.7 /usr/local/
ln -s /usr/local/grafana-7.5.7/ /usr/local/grafana

Create the grafana user and data directory

useradd -s /sbin/nologin -M grafana
mkdir /data/grafana
chown -R grafana:grafana /usr/local/grafana/
chown -R grafana:grafana /data/grafana

Change the data directories

cd /usr/local/grafana/conf/
cp defaults.ini defaults.ini-default   # back up first

vim defaults.ini   # Grafana's documentation says not to edit defaults.ini; the same keys can be placed in conf/custom.ini, which overrides it
# these keys live in the [paths] section
data = /data/grafana/data
logs = /data/grafana/log
plugins = /data/grafana/plugins
provisioning = /data/grafana/conf/provisioning

Add a grafana-server.service unit so that systemd manages Grafana

vim /etc/systemd/system/grafana-server.service

[Unit]
Description=Grafana
After=network.target
[Service]
User=grafana
Group=grafana
Type=notify
ExecStart=/usr/local/grafana/bin/grafana-server -homepath /usr/local/grafana
Restart=on-failure
[Install]
WantedBy=multi-user.target
systemctl start grafana-server
systemctl status grafana-server
systemctl enable grafana-server

Open in a browser

http://10.154.5.162:3000/login

Default credentials: admin/admin. Grafana prompts for a new password at first login; set one, since this interface listens on a network address.

Connect Grafana to Prometheus, i.e. add a data source in Grafana:

On the configuration page click Add data source, choose Prometheus, and enter the Prometheus server's URL.

Three ways to import a Grafana dashboard

References:

  1. Grafana三种方式导入Dashboard_y368769的博客-CSDN博客_grafana import
  2. https://grafana.com/grafana/dashboards

Node Exporter

https://prometheus.io/download/

Node Exporter collects host metrics such as CPU, memory and disk usage.

wget https://github.com/prometheus/node_exporter/releases/download/v1.1.2/node_exporter-1.1.2.linux-amd64.tar.gz
# extract the tarball under /usr/local/prometheus_exporter/ and create a stable symlink
ln -s  node_exporter-1.1.2.linux-amd64/  node_exporter

# start it; it listens on port 9100 by default
nohup /usr/local/prometheus_exporter/node_exporter/node_exporter >/dev/null 2>&1 &

Start at boot

The nohup line above does not survive a reboot; it only keeps the process alive after the shell exits. For a real boot-time start, write a systemd unit like the one for bind_exporter (ExecStart=/usr/local/prometheus_exporter/node_exporter/node_exporter) and enable it.

Add to Prometheus

Edit prometheus.yml and add the last 4 lines (the node job).

scrape_configs:
  # The job name is added as a label `job=<job_name>` to any timeseries scraped from this config.
  - job_name: 'prometheus'

    # metrics_path defaults to '/metrics'
    # scheme defaults to 'http'.
    scrape_interval: 5s
    static_configs:
      - targets: ['localhost:9090']

  - job_name: 'bind-fnc04'
    scrape_interval: 5s
    static_configs:
      - targets: ['10.154.5.162:9154'] # scrape bind_exporter

  - job_name: 'node'
    static_configs:
      - targets: ['localhost:9100']

Restart

systemctl restart prometheus.service