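Percona provides mongodb_exporter for monitoring MongoDB. It feeds the Prometheus time-series database by exporting sharding, replication and storage engine metrics. This is essentially how we monitor MongoDB with Percona Monitoring and Management.
You can download or build mongodb_exporter from the GitHub repository. It also ships with the pmm-client package, which is based on the latest available mongodb_exporter version.
The mongodb_exporter documentation describes a simple way to connect mongodb_exporter to MongoDB. However, SSL/TLS connections are a bit tricky because of option changes between MongoDB and mongodb_exporter versions.
References: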
https://docs.mongodb.com/manual/reference/connection-string/#tls-options
https://github.com/percona/mongodb_exporter/releases/tag/v0.10.0
This blog post shows how to configure MongoDB Exporter with SSL/TLS options.
Connection Methods and Options
mongodb_exporter v0.9.0
For an SSL connection between mongodb_exporter and MongoDB, these are the SSL options.
```
# ./mongodb_exporter --mongodb.uri=mongodb://mongodb_exporter:Admin123@localhost:27017 --mongodb.tls --mongodb.tls-ca /etc/mongodb/rootCA.pem --mongodb.tls-cert /etc/mongodb/mongodb.pem
INFO[0000] Starting mongodb_exporter (version=0.9.0, branch=v0.9.0, revision=a11b3b515ee219ef9bce6af7f41d3ff47cc71720) source="mongodb_exporter.go:108"
INFO[0000] Build context (go=go1.12.9, user=travis@build.travis-ci.com, date=20190830-18:19:56) source="mongodb_exporter.go:109"
INFO[0000] Starting HTTP server for http://:9216/metrics ... source="server.go:140"
```
MongoDB server log:
```
ACCESS [conn1164] Successfully authenticated as principal mongodb_exporter on admin from client 127.0.0.1:40772
```
mongodb_exporter v0.10.0
Now, test the SSL connection with mongodb_exporter v0.10.0 using the same options.
```
# ./mongodb_exporter --mongodb.uri=mongodb://mongodb_exporter:Admin123@localhost:27017 --mongodb.tls --mongodb.tls-ca /etc/mongodb/rootCA.pem --mongodb.tls-cert /etc/mongodb/mongodb.pem
mongodb_exporter: error: unknown long flag '--mongodb.tls', try --help
```
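As we can see, mongodb_exporter v0.10.0 does not recognize the options given in the documentation. The error is caused by changes in the mongodb_exporter v0.10.0 release.
Reference: https://github.com/percona/mongodb_exporter/releases/tag/v0.10.0
go.mongodb.org/mongo-driver was updated to v1.1.1.
All --mongodb.tls* flags were removed. Use tls-options instead.
Depending on the MongoDB version and its SSL/TLS support, we will use the following options in mongodb.uri: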
| SSL Options | TLS Options |
|---|---|
| sslclientcertificatekeyfile | tlscertificatekeyfile |
| sslclientcertificatekeypassword | tlscertificatekeyfilepassword |
| sslinsecure | tlsinsecure |
| sslcertificateauthorityfile | tlscafile |
Examples
Using TLS options
```
# ./mongodb_exporter --mongodb.uri="mongodb://mongodb_exporter:Admin123@localhost:27017/admin?tls=true&tlsCertificateKeyFile=/etc/mongodb/mongodb.pem&tlsAllowInvalidCertificates=true&tlsCAFile=/etc/mongodb/rootCA.pem"
INFO[0000] Starting mongodb_exporter (version=0.10.0, branch=v0.10.0, revision=bf683745093a9210ebacbeb235bb792e21d17389) source="mongodb_exporter.go:94"
INFO[0000] Build context (go=go1.12.9, user=travis@build.travis-ci.com, date=20190918-13:37:48) source="mongodb_exporter.go:95"
INFO[0000] Starting HTTP server for http://:9216/metrics ... source="server.go:140"
```
MongoDB log:
```
I NETWORK [listener] connection accepted from 127.0.0.1:52146 #1564 (1 connection now open)
I NETWORK [conn1564] received client metadata from 127.0.0.1:52146 conn1564: { driver: { name: "mongo-go-driver", version: "v1.1.1" }, os: { type: "linux", architecture: "amd64" }, platform: "go1.12.9" }
I NETWORK [listener] connection accepted from 127.0.0.1:52148 #1565 (2 connections now open)
I NETWORK [conn1565] received client metadata from 127.0.0.1:52148 conn1565: { driver: { name: "mongo-go-driver", version: "v1.1.1" }, os: { type: "linux", architecture: "amd64" }, platform: "go1.12.9", application: { name: "mongodb_exporter" } }
I ACCESS [conn1565] Successfully authenticated as principal mongodb_exporter on admin from client 127.0.0.1:52148
```
Using SSL options
```
# ./mongodb_exporter --mongodb.uri="mongodb://mongodb_exporter:Admin123@localhost:27017/admin?ssl=true&sslclientcertificatekeyfile=/etc/mongodb/mongodb.pem&sslinsecure=true&sslcertificateauthorityfile=/etc/mongodb/rootCA.pem"
INFO[0000] Starting mongodb_exporter (version=0.10.0, branch=v0.10.0, revision=bf683745093a9210ebacbeb235bb792e21d17389) source="mongodb_exporter.go:94"
INFO[0000] Build context (go=go1.12.9, user=travis@build.travis-ci.com, date=20190918-13:37:48) source="mongodb_exporter.go:95"
INFO[0000] Starting HTTP server for http://:9216/metrics ... source="server.go:140"
```
MongoDB log:
```
I NETWORK [listener] connection accepted from 127.0.0.1:51650 #1544 (1 connection now open)
I NETWORK [conn1544] received client metadata from 127.0.0.1:51650 conn1544: { driver: { name: "mongo-go-driver", version: "v1.1.1" }, os: { type: "linux", architecture: "amd64" }, platform: "go1.12.9" }
I NETWORK [listener] connection accepted from 127.0.0.1:51652 #1545 (2 connections now open)
I NETWORK [conn1545] received client metadata from 127.0.0.1:51652 conn1545: { driver: { name: "mongo-go-driver", version: "v1.1.1" }, os: { type: "linux", architecture: "amd64" }, platform: "go1.12.9", application: { name: "mongodb_exporter" } }
I ACCESS [conn1545] Successfully authenticated as principal mongodb_exporter on admin from client 127.0.0.1:51652
```
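Both v0.10.0 examples above set an option that bypasses validation of the server certificate (`tlsAllowInvalidCertificates=true`, `sslinsecure=true`) even though a CA file is supplied, and both put the password on the command line. The Go program below is an added example, not code from the original article or from the mongodb_exporter project: it audits an exporter command line for those settings and for the `--mongodb.tls*` flags removed in v0.10.0. The function names, the finding labels and the `PLACEHOLDER` password are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// URI options that bypass certificate or hostname validation, lower-cased.
var bypass = []string{"tlsallowinvalidcertificates", "tlsallowinvalidhostnames", "tlsinsecure", "sslinsecure"}

// AuditURI returns findings for the value passed to --mongodb.uri.
func AuditURI(uri string) (out []string) {
	rest, query, _ := strings.Cut(strings.TrimPrefix(strings.TrimPrefix(uri, "mongodb+srv://"), "mongodb://"), "?")
	hosts, _, _ := strings.Cut(rest, "/")
	if at := strings.LastIndex(hosts, "@"); at > 0 && strings.Contains(hosts[:at], ":") {
		out = append(out, "inline-password") // argv is readable via the process list
	}
	// Option names are case-insensitive, so compare everything in lower case.
	q, _ := url.ParseQuery(strings.ToLower(query)) // on error, q keeps the pairs that parsed
	if !strings.HasPrefix(uri, "mongodb+srv://") && q.Get("tls") != "true" && q.Get("ssl") != "true" {
		out = append(out, "tls-not-enabled") // only mongodb+srv URIs default to TLS
	}
	for _, name := range bypass {
		if q.Get(name) == "true" {
			out = append(out, "validation-bypassed:"+name)
		}
	}
	return out
}

// AuditArgs audits a command line and reports the --mongodb.tls* flags removed in v0.10.0.
func AuditArgs(args []string) (out []string) {
	for _, a := range args {
		if strings.HasPrefix(a, "--mongodb.tls") {
			out = append(out, "removed-flag:"+a)
		} else if u := strings.TrimPrefix(a, "--mongodb.uri="); u != a {
			out = append(out, AuditURI(u)...)
		}
	}
	return out
}

func main() {
	// Constructed input: options of the TLS example above, placeholder password.
	fmt.Println(AuditArgs([]string{"--mongodb.uri=mongodb://mongodb_exporter:PLACEHOLDER@localhost:27017/admin?tls=true&tlsAllowInvalidCertificates=true&tlsCAFile=/etc/mongodb/rootCA.pem"}))
}
```

A URI that keeps `tls=true` and `tlsCAFile` but drops the bypass option and the inline password returns no findings.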
As mentioned, SSL/TLS connections can be a bit tricky, but I hope this post helps you configure MongoDB Exporter correctly!
Original article: https://www.percona.com/blog/2020/04/17/how-to-configure-mongodb-exporter-with-ssl-tls/




