bind主从部署过程

系统及部署环境

获取操作系统命令

uname -sr
cat /etc/redhat-release

设置机器信息及主备关系

主机	主备	操作系统	bind版本
fnc05 10.154.5.163	主机master	CentOS Linux release 7.9.2009 (Core) / Linux 3.10.0-1160.11.1.el7.x86_64	BIND 9.16.17 (Stable Release)
fnc04 10.154.5.162	从机slave	CentOS Linux release 7.8.2003 (Core) / Linux 3.10.0-1127.18.2.el7.x86_64	BIND 9.16.16 (Stable Release)
fnc03 10.154.5.214	从机slave	BigCloud Enterprise Linux For LDK release 7.6.1906 (Core) / Linux 4.19.25-200.1.el7.bclinux.x86_64	BIND 9.16.17 (Stable Release)

上述主备机仍需注意如下配置：

确保防火墙的规则不会拦截Bind的监听端口，默认为53
确保主从服务器的时钟一致
确保named用户拥有操作相关目录的权限（默认安装后就有了）

bind9.16安装配置

9.16安装

cd /etc/yum.repos.d/

vim bind.repo
[copr:copr.fedorainfracloud.org:isc:bind]
name=Copr repo for bind owned by isc
baseurl=https://download.copr.fedorainfracloud.org/results/isc/bind/epel-7-$basearch/
type=rpm-md
skip_if_unavailable=True
gpgcheck=1
gpgkey=https://download.copr.fedorainfracloud.org/results/isc/bind/pubkey.gpg
repo_gpgcheck=0
enabled=1
enabled_metadata=1

yum list isc-bind*

yum install isc-bind-bind isc-bind-bind-utils isc-bind-bind-libs -y

守护进程文件位置：/etc/opt/isc/isc-bind/sysconfig/named
配置文件位置：/etc/opt/isc/isc-bind/named.conf
发现有如下内容：
options {
        directory "/var/opt/isc/isc-bind/named/data";
        listen-on { 127.0.0.1; };
        listen-on-v6 { ::1; };
        dnssec-validation auto;
};

logging {
        channel default_debug {
                file "named.run";
                print-time yes;
                severity dynamic;
        };
};

#尝试启动，发现成功
systemctl start isc-bind-named
systemctl enable isc-bind-named
systemctl status isc-bind-named

安装过程可能确实某些安装包，可以自行安装：

wget http://mirror.centos.org/centos/7/os/x86_64/Packages/scl-utils-20130529-19.el7.x86_64.rpm

yum install scl-utils-build-20130529-19.el7.x86_64.rpm -y

# iso-codes
wget http://mirror.centos.org/centos/7/os/x86_64/Packages/iso-codes-3.46-2.el7.noarch.rpm
yum install iso-codes-3.46-2.el7.noarch.rpm -y

安装包下载网站

9.16配置

#在物理机/etc/profile.d/⽬录下创建isc-bind-named.sh⽂件。并输⼊以下内容，保存。
#然后重启物理机即可。
#!/bin/bash
source scl_source enable isc-bind

#或临时方案，不重启主机
scl enable isc-bind bash
rndc

#获取bind版本命令发，发现是9.16
named -v
#如若不是所安装的9.16版本，停止当前版本
systemctl stop named

配置rndc-confgen

主从都可照着此步骤配置（但从机可以不用配置，因为从机仅同步查询数据，不做维护）

rndc-confgen -r  /dev/urandom  > /etc/opt/isc/isc-bind/rndc.conf

#生成rndc.conf文件，内容如下。
#将得到的内容，key和controls挪到named.conf中
#将得到的内容，key和算法，放到python程序的config.yml中
##bind_algorithm: md5
##bind_secret: rf27GDGjr6J2rRK5Ljsq2Q==

# Start of rndc.conf
key "rndc-key" {
        algorithm hmac-md5;
        secret "rf27GDGjr6J2rRK5Ljsq2Q==";
};

options {
        default-key "rndc-key";
        default-server 127.0.0.1;
        default-port 953;
};
# End of rndc.conf

# Use with the following in named.conf, adjusting the allow list as needed:
# key "rndc-key" {
#       algorithm hmac-md5;
#       secret "rf27GDGjr6J2rRK5Ljsq2Q==";
# };
#
# controls {
#       inet 127.0.0.1 port 953
#               allow { 127.0.0.1; } keys { "rndc-key"; };
# };
# End of named.conf

配置transfer-key

主机生成密钥

#生成一个主机名称为dnssec-transfer的128位HMAC-MD5算法的密钥文件（公钥+私钥）
dnssec-keygen -a HMAC-MD5 -b 128 -n HOST  dnssec-transfer
#得到Kdnssec-transfer.+157+54187

ls -al Kdnssec-transfer.+157+54187.*
#-rw------- 1 root root  59 Jun 18 16:05 Kdnssec-transfer.+157+54187.key #公钥
#-rw------- 1 root root 165 Jun 18 16:05 Kdnssec-transfer.+157+54187.private #私钥

cat Kdnssec-transfer.+157+54187.private
#复制key参数
#Key: /y7HAkwBH0KP9g9M+jADJg==

将私钥key放到一个新的文件中，并将这个文件引入到named.conf中

cd /etc/opt/isc/isc-bind/ 或 cd /etc/  #密钥验证文件在/etc目录(与named.conf同一个目录下)

vim transfer.key
key "dnssec-transfer" {                                     #密钥名称
    algorithm hmac-md5;                                      #加密算法
    secret "/y7HAkwBH0KP9g9M+jADJg==";                       #私钥加密字符串
};

chown root:named transfer.key                            #把文件所属组改为named，降低权限
chmod 640 transfer.key 

vim /etc/named.conf
include "/etc/transfer.key";
allow-transfer { key dnssec-transfer; };  #只允许拥有该密钥验证文件的人进行同步

1	systemctl restart named

从机引用密钥

scp /etc/transfer.key root@从机ip地址:/etc/opt/isc/isc-bind/transfer.key

scp /etc/transfer.key root@10.154.5.214:/etc/opt/isc/isc-bind/transfer.key
scp /etc/transfer.key root@10.154.5.162:/etc/opt/isc/isc-bind/transfer.key

chown root:named transfer.key
chmod 640 transfer.key

named.conf文件：

include "/etc/opt/isc/isc-bind/transfer.key";

#不属于全局options
server 10.154.5.163 { # 主机ip地址
 	keys { dnssec-transfer; };
};

重启从服务器的Bind服务

1	systemctl restart isc-bind-named

发现已经同步过来了。

配置catalog

主机

打开目录/var/opt/isc/isc-bind/named/data，新建catalog目录文件（后缀名可以为.db或者.zone）

cd /var/opt/isc/isc-bind/named/data

vim catalog.default.zone
$TTL 3600
@       IN SOA . . 1 86400 3600 86400 3600
@       IN NS  nop.
version IN TXT "1"

1 2	#修改权限 chown named.named catalog.default.zone

将catalog目录文件引入到named.conf中

options {
	#...
	allow-new-zones yes; # RNDC动态维护zones
	notify yes; # 主动通知从机更新,而不需要等待轮询时间进行更新
 	also-notify { 10.154.5.162; }; # 被主动通知的从机地址，可多个地址
 	allow-transfer { 10.154.5.162; 10.154.5.163; }; # 只允许列表中的主机传递主域名服务器的数据,为了方便扩展可以设置为key
    allow-update { any; }; #允许向主zone文件发送动态更新的匹配列表，如果设置为none，则无法使用update命令（更新记录zone等）
    allow-query  { any; }; #添加允许访问DNS的地址段
}

zone "catalog.default" {
          type master;
          file "catalog.default.zone";
          #also-notify { 10.154.5.162; }; 
          #allow-transfer { 10.154.5.162; 10.154.5.163; };
          #allow-update { any; }; 
          #allow-query { any; };
};

1	named-checkzone catalog.default catalog.default.zone

从机

named.conf配置catalog目录，与主机建立关联。

options {
	#...
	listen-on port 53 { 127.0.0.1; 10.154.5.162; 10.154.5.163; }; # 主机
	allow-new-zones yes; # RNDC动态维护zones
	masterfile-format text; #从机乱码问题
	catalog-zones {
                zone "catalog.default"  default-masters { 10.154.5.163; };
    };
}
zone "catalog.default" {
          type slave;
          file "catalog.default.zone";
          masters { 10.154.5.163; }; // 主机ip
};

验证

至此完成catalog目录的配置。

#主机、从机都重启
systemctl restart named 或
systemctl restart isc-bind-named

#在主机上验证主从是否搭建catalog成功
dig +short @10.154.5.163 soa catalog.default
dig +short @10.154.5.162 soa catalog.default

配置日志

生成日志存储文件

cd /var/opt/isc/isc-bind/log/

# vim namelist.txt
default.log
general.log
database.log
security.log
config.log
resolver.log
xfer-in.log
xfer-out.log
notify.log
client.log
unmatched.log
queries.log
network.log
update.log
dispatch.log
dnssec.log
lame-servers.log

#!/bin/bash

printf "*************************************\n"
echo " cat file whiel read line"
cat namelist.txt |while read line
do
echo $line;

touch $line;

done

chown named.named -R ../log

1	bash createlog.sh

#发送到从机
scp /var/opt/isc/isc-bind/log/namelist.txt  root@10.154.5.162:/var/opt/isc/isc-bind/log/namelist.txt
scp /var/opt/isc/isc-bind/log/createlog.sh  root@10.154.5.162:/var/opt/isc/isc-bind/log/createlog.sh
bash createlog.sh

named.conf配置

```shell
logging {
 channel default_file {
        file "/var/opt/isc/isc-bind/log/default.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel general_file {
        file "/var/opt/isc/isc-bind/log/general.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel database_file {
        file "/var/opt/isc/isc-bind/log/database.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel security_file {
        file "/var/opt/isc/isc-bind/log/security.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel config_file {
        file "/var/opt/isc/isc-bind/log/config.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel resolver_file {
        file "/var/opt/isc/isc-bind/log/resolver.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel xfer-in_file {
        file "/var/opt/isc/isc-bind/log/xfer-in.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel xfer-out_file {
        file "/var/opt/isc/isc-bind/log/xfer-out.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel notify_file {
        file "/var/opt/isc/isc-bind/log/notify.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel client_file {
        file "/var/opt/isc/isc-bind/log/client.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel unmatched_file {
        file "/var/opt/isc/isc-bind/log/unmatched.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel queries_file {
        file "/var/opt/isc/isc-bind/log/queries.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel network_file {
        file "/var/opt/isc/isc-bind/log/network.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel update_file {
        file "/var/opt/isc/isc-bind/log/update.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel dispatch_file {
        file "/var/opt/isc/isc-bind/log/dispatch.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel dnssec_file {
        file "/var/opt/isc/isc-bind/log/dnssec.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel lame-servers_file {
        file "/var/opt/isc/isc-bind/log/lame-servers.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };

    category default { default_file; };
    category general { general_file; };
    category database { database_file; };
    category security { security_file; };
    category config { config_file; };
    category resolver { resolver_file; };
    category xfer-in { xfer-in_file; };
    category xfer-out { xfer-out_file; };
    category notify { notify_file; };
    category client { client_file; };
    category unmatched { unmatched_file; };
    category queries { queries_file; };
    category network { network_file; };
    category update { update_file; };
    category dispatch { dispatch_file; };
    category dnssec { dnssec_file; };
    category lame-servers { lame-servers_file; };
}

主从机都配置！

最终主机配置

key rndc-key {
        algorithm hmac-md5;
        secret "rf27GDGjr6J2rRK5Ljsq2Q==";
};

include "/etc/opt/isc/isc-bind/transfer.key";
options {
	directory "/var/opt/isc/isc-bind/named/data";
	listen-on port 53 { 127.0.0.1; 10.154.5.163; };
	#listen-on-v6 { ::1; };
	dnssec-enable yes;
	dnssec-validation yes;

	allow-query { any; };
        allow-update { any; };
	allow-transfer { 10.154.5.163; key dnssec-transfer; };
	notify yes;
	#notify-to-soa yes;
	also-notify { 10.154.5.162; 10.154.5.214; };
	allow-new-zones yes;
};

statistics-channels {
      inet 127.0.0.1 port 8888 allow { any; };
      inet 10.154.5.163 port 8889 allow { any; };
};

controls {
       inet * port 953
       allow { any; } keys { "rndc-key"; };
};


logging {
	channel default_debug {
		file "named.run";
		print-time yes;
		severity dynamic;
	};
   channel default_file {
        file "/var/opt/isc/isc-bind/log/default.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel general_file {
        file "/var/opt/isc/isc-bind/log/general.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel database_file {
        file "/var/opt/isc/isc-bind/log/database.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel security_file {
        file "/var/opt/isc/isc-bind/log/security.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel config_file {
        file "/var/opt/isc/isc-bind/log/config.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel resolver_file {
        file "/var/opt/isc/isc-bind/log/resolver.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel xfer-in_file {
        file "/var/opt/isc/isc-bind/log/xfer-in.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel xfer-out_file {
        file "/var/opt/isc/isc-bind/log/xfer-out.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel notify_file {
        file "/var/opt/isc/isc-bind/log/notify.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel client_file {
        file "/var/opt/isc/isc-bind/log/client.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel unmatched_file {
        file "/var/opt/isc/isc-bind/log/unmatched.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel queries_file {
        file "/var/opt/isc/isc-bind/log/queries.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel network_file {
        file "/var/opt/isc/isc-bind/log/network.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel update_file {
        file "/var/opt/isc/isc-bind/log/update.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel dispatch_file {
        file "/var/opt/isc/isc-bind/log/dispatch.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel dnssec_file {
        file "/var/opt/isc/isc-bind/log/dnssec.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel lame-servers_file {
        file "/var/opt/isc/isc-bind/log/lame-servers.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };

    category default { default_file; };
    category general { general_file; };
    category database { database_file; };
    category security { security_file; };
    category config { config_file; };
    category resolver { resolver_file; };
    category xfer-in { xfer-in_file; };
    category xfer-out { xfer-out_file; };
    category notify { notify_file; };
    category client { client_file; };
    category unmatched { unmatched_file; };
    category queries { queries_file; };
    category network { network_file; };
    category update { update_file; };
    category dispatch { dispatch_file; };
    category dnssec { dnssec_file; };
    category lame-servers { lame-servers_file; };
};

zone "catalog.default" {
        type master;
        file "catalog.default.zone";
};

1 2	named-checkconf 验证配置 systemctl restart isc-bind-named

最终从机配置

从机配置同步数据所在目录slaves

1
2
3

cd /var/opt/isc/isc-bind/named/data
mkdir slaves
chown named.named slaves

named

key "rndc-key" {
        algorithm hmac-sha256;
        secret "bshuXqh379VDuCYQqWJY68F1rkCEsf5LLfc274USvZQ=";
};

options {
	directory "/var/opt/isc/isc-bind/named/data/slaves";
	listen-on port 53 { 127.0.0.1; 10.154.5.214; 10.154.5.163; };
	#listen-on-v6 { ::1; };
	dnssec-validation auto;

	allow-query { any; };
        allow-update { any; };
        allow-transfer {any;};
	allow-new-zones yes;
	masterfile-format text;
	catalog-zones {
                zone "catalog.default"  default-masters { 10.154.5.163; };
        };

};

statistics-channels {
      inet 127.0.0.1 port 8888 allow { any; };
      inet 10.154.5.214 port 8889 allow { any; };
};

 controls {
       inet 127.0.0.1 port 953
               allow { 127.0.0.1; } keys { "rndc-key"; };
 };

logging {
	channel default_debug {
		file "named.run";
		print-time yes;
		severity dynamic;
	};

 channel default_file {
        file "/var/opt/isc/isc-bind/log/default.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel general_file {
        file "/var/opt/isc/isc-bind/log/general.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel database_file {
        file "/var/opt/isc/isc-bind/log/database.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel security_file {
        file "/var/opt/isc/isc-bind/log/security.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel config_file {
        file "/var/opt/isc/isc-bind/log/config.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel resolver_file {
        file "/var/opt/isc/isc-bind/log/resolver.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel xfer-in_file {
        file "/var/opt/isc/isc-bind/log/xfer-in.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel xfer-out_file {
        file "/var/opt/isc/isc-bind/log/xfer-out.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel notify_file {
        file "/var/opt/isc/isc-bind/log/notify.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel client_file {
        file "/var/opt/isc/isc-bind/log/client.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel unmatched_file {
        file "/var/opt/isc/isc-bind/log/unmatched.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel queries_file {
        file "/var/opt/isc/isc-bind/log/queries.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel network_file {
        file "/var/opt/isc/isc-bind/log/network.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel update_file {
        file "/var/opt/isc/isc-bind/log/update.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel dispatch_file {
        file "/var/opt/isc/isc-bind/log/dispatch.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel dnssec_file {
        file "/var/opt/isc/isc-bind/log/dnssec.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel lame-servers_file {
        file "/var/opt/isc/isc-bind/log/lame-servers.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };

    category default { default_file; };
    category general { general_file; };
    category database { database_file; };
    category security { security_file; };
    category config { config_file; };
    category resolver { resolver_file; };
    category xfer-in { xfer-in_file; };
    category xfer-out { xfer-out_file; };
    category notify { notify_file; };
    category client { client_file; };
    category unmatched { unmatched_file; };
    category queries { queries_file; };
    category network { network_file; };
    category update { update_file; };
    category dispatch { dispatch_file; };
    category dnssec { dnssec_file; };
    category lame-servers { lame-servers_file; };
};


zone "catalog.default" {
        type slave;
        file "catalog.default.zone";
        masters { 10.154.5.163; };
};
include "/etc/opt/isc/isc-bind/transfer.key";

server 10.154.5.163 {
 	keys { dnssec-transfer; };
};

1	systemctl restart isc-bind-named

性能监控

Bind基本配置

用于获取监控数据

vim /etc/opt/isc/isc-bind/named.conf

statistics-channels {
      inet 127.0.0.1 port 8888 allow { any; };
      inet 10.154.5.162 port 8889 allow { any; };
};

打开浏览器访问10.154.5.162:8889

注意端口号8889

bind_exporter

用于图形化展现。

bind_exporter基于statistics-channels记录的统计数据，并对数据统计分析并输出到Prometheus

下载

查看linux版本

1 2	# cat /proc/version Linux version 3.10.0-1127.18.2.el7.x86_64 (mockbuild@kbuilder.bsys.centos.org) (gcc version 4.8.5 20150623 (Red Hat 4.8.5-39) (GCC) ) #1 SMP Sun Jul 26 15:27:06 UTC 2020

根据版本下载

https://github.com/prometheus-community/bind_exporter/releases

如上图，linux是86_64，则下载版本

bind_exporter-0.4.0.linux-amd64.tar.gz

配置

解压到/usr/local/bin/

 
 tar -xvf bind_exporter-0.4.0.linux-amd64.tar.gz
 
 cd /usr/local/bin/
-rwxr-xr-x 1 3434 3434 15762489 Jan 14 22:55 bind_exporter
-rw-r--r-- 1 3434 3434    11357 Jan 14 23:57 LICENSE
-rw-r--r-- 1 3434 3434      252 Jan 14 23:57 NOTICE

创建⼀个systemd配置⽂件以运⾏bind_exporter

–web.listen-address为对外暴露的metric地址和端⼝，Prometheus从此处抓取bind_exporter的metrics；即对外提供数据的端口。
– bind.stats-url为本地bind服务绑定的地址和IP。即获取bind数据的地址。

注意此处的⽤⼾和组可以使⽤与named程序相同的⽤⼾和组“named”，也可以使⽤root。

vim /etc/systemd/system/bind_exporter.service

[Unit]
Description=bind_exporter
Documentation=https://github.com/prometheus-community/bind_exporter
Wants=network-online.target
After=network-online.target
[Service]
Type=simple
User=root
Group=root
ExecReload=/bin/kill -HUP $MAINPID
ExecStart=/usr/local/bin/bind_exporter \
--bind.pid-file=/var/opt/isc/isc-bind/run/named/named.pid \
--bind.timeout=20s \
--web.listen-address=0.0.0.0:9154 \
--web.telemetry-path=/metrics \
--bind.stats-url=http://10.154.5.162:8889/ \
--bind.stats-groups=server,view,tasks
Restart=always
[Install]
WantedBy=default.target

注意端口号9154

加载并启动bind_export

1 2	systemctl daemon-reload systemctl restart bind_exporter.service

Prometheus Server

Prometheus基于Go编写，编译后的软件包，不依赖于任何的第三⽅依赖。只需要下载对应平台的⼆进制包，解压并且添加基本的配置即可正常启Prometheus Server。

Prometheus Server负责定时在目标上抓取Metrics数据，每个抓取目标都需要暴露一个HTTP服务接口用于Prometheus定时抓取。

这种调用被监控对象获取监控数据的方式被称为Pull。Pull方式体现了Prometheus独特的设计哲学与大多数采用了Push方式的监控系统不同。

但某些现有系统是通过push方式实现的，为了接入这个系统，Prometheus提供对PushGateway的支持，这些系统主动推送metrics到PushGateway，而Prometheus只是定时去Gateway上抓取数据。

AlertManager是独立于Prometheus的一个组件，在触发了预先设置在Prometheus中的高级规则后，Prometheus便会推送告警信息到AlertManager。

根据版本下载：

Download | Prometheus

1
2
3

tar -xf prometheus-2.27.1.linux-amd64.tar.gz
mv prometheus-2.27.1.linux-amd64 /usr/local/
ln -s /usr/local/prometheus-2.27.1.linux-amd64/ /usr/local/prometheus

创建Prometheus的⽤⼾(此处用户prometheus)及数据存储⽬录（/data/prometheus）

# useradd -s /sbin/nologin -M prometheus
# mkdir /data/prometheus -p
#修改⽬录属主
# chown -R prometheus:prometheus /usr/local/prometheus/
# chown -R prometheus:prometheus /data/prometheus/

配置/usr/local/prometheus/promethes.yml

1	cp prometheus.yml prometheus.yml-default #备份一下默认配置

# my global config
global:
  scrape_interval:     15s # Set the scrape interval to every 15 seconds. Default is every 1 minute.
  evaluation_interval: 15s # Evaluate rules every 15 seconds. The default is every 1 minute.
  # scrape_timeout is set to the global default (10s).

# Alertmanager configuration
alerting:
  alertmanagers:
  - static_configs:
    - targets: ["localhost:9093"]
      # - alertmanager:9093

# Load rules once and periodically evaluate them according to the global 'evaluation_interval'.
rule_files:
  # - "first_rules.yml"
  # - "second_rules.yml"

# A scrape configuration containing exactly one endpoint to scrape:
# Here it's Prometheus itself.
scrape_configs:
  # The job name is added as a label `job=<job_name>` to any timeseries scraped from this config.
  - job_name: 'prometheus'

    # metrics_path defaults to '/metrics'
    # scheme defaults to 'http'.
	scrape_interval: 5s
    static_configs:
    - targets: ['localhost:9090'] #浏览器访问9090打开管理界面
   
  - job_name: 'bind-fnc04'
	scrape_interval: 5s
    static_configs:
    - targets: ['10.154.5.162:9154'] #监听bind_exporter

默认启动后的端口为9090。

启动方式1

1
2
3

cd /usr/local/prometheus
./prometheus --version
./prometheus &

启动方式2

vim /etc/systemd/system/prometheus.service

[Unit]
Description=Prometheus
Documentation=https://prometheus.io/
After=network.target
[Service]
Type=simple
User=prometheus
ExecStart=/usr/local/prometheus/prometheus --config.file=/usr/local/prometheus/prometheus.yml --storage.tsdb.path=/data/prometheus
Restart=on-failure
[Install]
WantedBy=multi-user.target

如此可以用命令启动服务

1
2
3

systemctl daemon-reload
systemctl enable prometheus
systemctl start prometheus

浏览器访问http://10.154.5.162:9090/targets

Grafana

一个数据分析统计可视化报表，⽤来展⽰ prometheus收集到的数据

Grafana+Prometheus的详解以及使用 - 知乎 (zhihu.com)

下载

1	wget https://dl.grafana.com/oss/release/grafana-7.5.7.linux-amd64.tar.gz

1
2
3

tar -xzvf grafana-7.5.7.linux-amd64.tar.gz
mv grafana-7.5.7 /usr/local/
ln -s /usr/local/grafana-7.5.7/ /usr/local/grafana

创建grafana⽤⼾及数据存放⽬录

useradd -s /sbin/nologin -M grafana
mkdir /data/grafana
chown -R grafana:grafana /usr/local/grafana/
chown -R grafana:grafana /data/grafana

修改目录

 cd /usr/local/grafana/conf/
 cp defaults.ini defaults.ini-default 先备份
 
 vim defaults.ini
data = /data/grafana/data
logs = /data/grafana/log
plugins = /data/grafana/plugins
provisioning = /data/grafana/conf/provisioning

新增 grafana-server.service ⽂件，使⽤systemd来管理grafana服务

vim /etc/systemd/system/grafana-server.service

[Unit]
Description=Grafana
After=network.target
[Service]
User=grafana
Group=grafana
Type=notify
ExecStart=/usr/local/grafana/bin/grafana-server -homepath /usr/local/grafana
Restart=on-failure
[Install]
WantedBy=multi-user.target

1
2
3

systemctl start grafana-server
systemctl status grafana-server
systemctl enable grafana-server

打开浏览器访问

http://10.154.5.162:3000/login

默认的账号密码 admin/admin

把grafana和prometheus关联起来，也就是在 grafana中添加添加数据源——

在配置⻚⾯点击添加数据源，然后选择prometheus，输⼊prometheus服务的参数即可。

Grafana三种方式导入Dashboard

参考：

Node Exporter

https://prometheus.io/download/

采集主机的运⾏指标如CPU，内存，磁盘等信息。可以使⽤Node Exporter

1	wget https://github.com/prometheus/node_exporter/releases/download/v1.1.2/node_exporter-1.1.2.linux-amd64.tar.gz

ln -s  node_exporter-1.1.2.linux-amd64/  node_exporter

启动，默认会启动9100端⼝
nohup /usr/local/prometheus_exporter/node_exporter/node_exporter >/dev/null 2>&1 &
或
/usr/local/prometheus_exporter/node_exporter/node_exporter

开机启动

1	nohup /usr/local/prometheus_exporter/node_exporter/node_exporter >/dev/null 2>&1 &

加入prometheus

编辑prometheus.yml⽂件，增加后⾯4⾏.

scrape_configs:
  # The job name is added as a label `job=<job_name>` to any timeseries scraped from this config.
  - job_name: 'prometheus'

    # metrics_path defaults to '/metrics'
    # scheme defaults to 'http'.
    scrape_interval: 5s
    static_configs:
    - targets: ['localhost:9090']

  - job_name: 'bind-fnc04'
    scrape_interval: 5s
    static_configs:
    - targets: ['10.154.5.162:9154'] #监听bind_exporter


  - job_name: 'node'
    static_configs:
    - targets: ['localhost:9100']

重启

1	systemctl restart prometheus.service