部署多个 client 端,每个 client 端都需要配置 promtail 和 jaeger,所以想着开启多租户,让每个 client 只能查询到自己上报的日志。
可以按照官方的grafana的一些权限配置相关信息
https://grafana.com/docs/grafana/latest/http_api/org/
https://aws.amazon.com/cn/blogs/opensource/how-to-manage-grafana-and-loki-in-a-regulated-multitenant-environment/
一、Loki 的多租户
1 配置loki开启多租户模式
root@ubunt-demo:~# cat /etc/loki/loki-config.yaml
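# Loki 2.5 single-binary configuration with multi-tenancy switched on.
#
# auth_enabled only makes Loki *require* an X-Scope-OrgID header on every
# request and partition data by it. Loki performs no authentication: it trusts
# whatever tenant the caller puts in the header and ignores HTTP basic auth.
# A trusted reverse proxy (nginx in this write-up) has to authenticate the
# client and set X-Scope-OrgID itself, and port 3100 must not be reachable by
# clients directly - otherwise any client can read or write any tenant.
auth_enabled: true

server:
  http_listen_port: 3100
  grpc_listen_port: 9096
  # Maximum gRPC message size in bytes (1 GiB); Loki's default is 4 MiB.
  grpc_server_max_recv_msg_size: 1073741824
  grpc_server_max_send_msg_size: 1073741824

common:
  path_prefix: /etc/loki
  storage:
    filesystem:
      chunks_directory: /etc/loki/chunks
      rules_directory: /etc/loki/rules

ingester:
  lifecycler:
    address: 127.0.0.1
    ring:
      kvstore:
        store: inmemory
      replication_factor: 1
    final_sleep: 0s
  chunk_idle_period: 5m
  chunk_retain_period: 30s
  max_transfer_retries: 0
  # Longest a chunk may stay in memory. Once a stream's current chunk is older
  # than this it is flushed to storage and a new chunk is started.
  max_chunk_age: 20m

schema_config:
  configs:
    - from: 2020-10-24
      store: boltdb-shipper
      object_store: filesystem
      schema: v11
      index:
        prefix: index_
        period: 24h

limits_config:
  unordered_writes: true
  enforce_metric_name: false
  reject_old_samples: true
  reject_old_samples_max_age: 168h
  ingestion_rate_strategy: "global"
  # Per-tenant ingestion rate limit in MB per second (default 4).
  ingestion_rate_mb: 30
  # Per-tenant burst allowance in MB (default 6). This is a size, not a rate -
  # the original comment was a copy of the one above. It also bounds the
  # largest single push request Loki will accept, so it should be at least the
  # biggest batch a client sends; note it is currently below the rate above.
  ingestion_burst_size_mb: 15

chunk_store_config:
  # Oldest data a query is allowed to look back to.
  max_look_back_period: 168h

table_manager:
  # Enable deletion of expired tables (default false) and keep 7 days.
  # NOTE(review): with boltdb-shipper on the filesystem store this removes
  # index tables; chunk expiry relies on object-store TTL, which the filesystem
  # store does not provide - confirm against the Loki 2.5 docs and consider the
  # compactor's retention_enabled instead.
  retention_deletes_enabled: true
  retention_period: 168h

ruler:
  # URL Alertmanager links back to when an alert fires (Grafana's explore page
  # if Grafana is used). Left empty here.
  external_url:
  # Placeholder - replace with the real Alertmanager address.
  alertmanager_url: <alertmanager_endpoint>
  enable_alertmanager_v2: true
  # Expose the Loki rules API.
  enable_api: true
  # Shard rules across ruler instances; needs the ring below once there is
  # more than one ruler.
  enable_sharding: true
  #ring:
  #  kvstore:
  #    consul:
  #      host: <consul-endpoint>:8500
  #    store: consul
  # Scratch directory the ruler writes temporary rule files into.
  rule_path: /etc/loki/rules
  # Where rule groups are loaded from: local disk or an object store
  # (azure, gcs, s3, swift). The two directory names are the reverse of their
  # roles (persisted rules live in "rules-temp", scratch files in "rules");
  # it works, but is confusing.
  storage:
    type: local
    local:
      directory: /etc/loki/rules-temp
  # How often rule groups are flushed (default 1m); left at the default.
  #flush_period: 1m

# Loki sends anonymous usage statistics to stats.grafana.org by default
# (see pkg/usagestats/stats.go, buildReport); disabled here.
analytics:
  reporting_enabled: false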
2 promtail 添加 tenant_id,并与 Grafana 中的 orgId 一一对应
重要的是 tenant_id:promtail 会把它作为 X-Scope-OrgID 请求头发送给 Loki。注意 Loki 的租户 ID 和 Grafana 的 orgId 是两个互不相关的命名空间,这里取相同数值只是人为约定;Loki 本身既不校验这个对应关系,也不校验 basic_auth——身份认证完全依赖前面的 nginx,所以 promtail 必须经 nginx 推送,而不是直连 3100 端口。
2.1 192.168.56.240 节点1
root@ubunt-demo:~# cat /etc/promtail/promtail-config.yaml
# promtail on node 1 (192.168.56.240), shipping to the Loki on the same host.
server:
  http_listen_port: 9080
  grpc_listen_port: 0

positions:
  filename: /etc/promtail/positions.yaml

clients:
  # Pushes straight to Loki on :3100, bypassing the nginx proxy on :80.
  # Loki never checks basic auth, so the credentials below are not verified on
  # this path and tenant_id is simply self-asserted. For the auth to mean
  # anything, point this URL at the nginx listener (which must proxy
  # /loki/api/v1/push) and stop publishing :3100 to the network.
  - url: http://192.168.56.240:3100/loki/api/v1/push
    # Sent as the X-Scope-OrgID header. Equal to the Grafana org ID by
    # convention in this write-up only; Loki does not enforce that relation.
    tenant_id: 3
    batchwait: 1s
    batchsize: 1048576
    # Weak placeholder credential, shared with the other tenant and stored in
    # plain text; replace it and keep it out of version control.
    basic_auth:
      username: jiangli_test
      password: wang123.

scrape_configs:
  - job_name: system
    static_configs:
      - targets:
          - localhost
        labels:
          job: varlogs
          host: ubunt-demo
          __path__: /var/log/*log
  - job_name: crontab
    static_configs:
      - targets:
          - localhost
        labels:
          job: loki_sar_log
          host: ubunt-demo
          __path__: /opt/monitor/sar.log
  - job_name: nginx
    static_configs:
      - targets:
          - localhost
        labels:
          job: loki_nginx
          host: ubunt-demo
          __path__: /var/log/nginx/*log
2.2 192.168.56.221 节点2
[root@mysql_test ~]# cat /opt/promtail/promtail-config.yaml
# promtail on node 2 (192.168.56.221), shipping to the Loki on node 1.
server:
  http_listen_port: 9080
  grpc_listen_port: 0

positions:
  filename: /opt/promtail/positions.yaml

clients:
  # Pushes over plain HTTP straight to Loki on :3100, bypassing the nginx proxy
  # on :80. Loki never checks basic auth, so the credentials below are sent in
  # clear across the network and not verified, and tenant_id is self-asserted.
  # Route this through nginx (TLS + basic auth) and close :3100 to the network
  # for the tenant boundary to hold.
  - url: http://192.168.56.240:3100/loki/api/v1/push
    # Sent as the X-Scope-OrgID header; matches the Grafana org ID by
    # convention only.
    tenant_id: 4
    batchwait: 1s
    batchsize: 1048576
    # Weak placeholder credential, identical to node 1's; use a distinct strong
    # password per tenant.
    basic_auth:
      username: mysql_test
      password: wang123.

scrape_configs:
  - job_name: system
    static_configs:
      - targets:
          - localhost
        labels:
          job: 221_varlogs
          host: mysql_test
          __path__: /var/log/*log
  - job_name: nginx
    static_configs:
      - targets:
          - localhost
        labels:
          job: 221_nginx
          host: mysql_test
          __path__: /var/log/nginx/*log
3.nginx的配置
192.168.56.240
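# Binds the basic-auth user nginx has verified to the one Loki tenant that user
# may use. Must sit in the http{} context (conf.d/*.conf is included there).
# Users not listed here get an empty value; nginx does not forward a header
# whose value is empty, so Loki (auth_enabled: true) answers "no org id"
# instead of trusting a tenant chosen by the client.
map $remote_user $loki_tenant {
    default        "";
    "jiangli_test" "3";   # 192.168.56.240, promtail tenant_id: 3
    "mysql_test"   "4";   # 192.168.56.221, promtail tenant_id: 4
}

server {
    # Plain HTTP: basic-auth credentials cross the network merely
    # base64-encoded. Terminate TLS here (listen 443 ssl + certificate) before
    # exposing this beyond the lab network.
    listen 80;
    server_name localhost 192.168.56.240;

    # Basic auth is the default for every location; the static page and
    # Grafana opt out explicitly below, everything proxied to Loki keeps it.
    auth_basic "Loki";
    auth_basic_user_file /etc/nginx/mypasswords/passwdfile;

    location / {
        root /usr/share/nginx/html;
        index index.html index.htm;
        auth_basic off;
    }

    # Grafana has its own login, so no basic auth. The /grafana prefix is
    # passed through unchanged, which presumably relies on Grafana being
    # configured to serve from that sub path - verify root_url.
    location /grafana {
        proxy_pass http://127.0.0.1:3000;
        proxy_set_header Host $host;
        auth_basic off;
    }

    location /grafana/api/live {
        rewrite ^/grafana/(.*) /$1 break;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        # $connection_upgrade is not defined in this file; it needs the usual
        # `map $http_upgrade $connection_upgrade` in nginx.conf, otherwise
        # nginx refuses to start.
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Host $http_host;
        proxy_pass http://127.0.0.1:3000/;
        auth_basic off;
    }

    # ---- Loki -------------------------------------------------------------
    # Every Loki location overwrites X-Scope-OrgID with the tenant derived from
    # the authenticated user, so a client cannot read or write another tenant
    # by supplying its own header. Promtail pushes go through this proxy too
    # (the /loki/api/ catch-all below), which is what makes basic auth count.

    location ~ /api/prom/rules.* {
        proxy_set_header X-Scope-OrgID $loki_tenant;
        proxy_pass http://127.0.0.1:3100$request_uri;
    }

    location ~ /api/prom/alerts.* {
        proxy_set_header X-Scope-OrgID $loki_tenant;
        proxy_pass http://127.0.0.1:3100$request_uri;
    }

    location = /api/prom/tail {
        proxy_set_header X-Scope-OrgID $loki_tenant;
        # WebSocket upgrade requires HTTP/1.1 towards the upstream.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_pass http://127.0.0.1:3100$request_uri;
    }

    location ~ /api/prom/.* {
        proxy_set_header X-Scope-OrgID $loki_tenant;
        proxy_pass http://127.0.0.1:3100$request_uri;
    }

    location ~ /loki/api/v1/alerts.* {
        proxy_set_header X-Scope-OrgID $loki_tenant;
        proxy_pass http://127.0.0.1:3100$request_uri;
    }

    location ~ /loki/api/v1/rules.* {
        proxy_set_header X-Scope-OrgID $loki_tenant;
        proxy_pass http://127.0.0.1:3100$request_uri;
    }

    location = /loki/api/v1/tail {
        proxy_set_header X-Scope-OrgID $loki_tenant;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_pass http://127.0.0.1:3100$request_uri;
    }

    # Catch-all for the rest of the Loki API, including /loki/api/v1/push.
    # This was commented out, which left promtail no way to push through the
    # proxy. promtail batches are 1 MiB uncompressed; nginx's default
    # client_max_body_size is 1m, so raise it to avoid 413s on large batches.
    location ~ /loki/api/.* {
        client_max_body_size 10m;
        proxy_set_header X-Scope-OrgID $loki_tenant;
        proxy_pass http://127.0.0.1:3100$request_uri;
    }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }
}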
3.1 创建验证用户
htpasswd参数
-c 创建passwdfile.如果passwdfile 已经存在,那么它会重新写入并删去原有内容.
-n 不更新passwordfile,直接显示密码
-m 使用 MD5(apr1)加密(默认)
-d 使用 crypt() 加密(已过时且不安全,不要再用)
-B 使用 bcrypt 加密(推荐,Apache 2.4 及以上版本的 htpasswd 支持)
-p 使用普通文本格式的密码
-s 使用SHA加密
-b 命令行中一并输入用户名和密码而不是根据提示输入密码,可以看见明文,不需要交互。注意这样密码会留在 shell 历史记录里,运行期间也能被 `ps` 看到;正式环境请省略 -b,按提示交互输入。
-D 删除指定的用户
示例:htpasswd -bc linuxeye_pd linuxeye_user linuxeye_password
htpasswd -bc linuxeye_pd linuxeye_user linuxeye_password
##添加一个验证用户,用户名和密码需要与 promtail 中 basic_auth 的配置一致(-c 会覆盖已有的 passwdfile,只在第一次创建时使用)。示例中两个租户用的是同一个弱密码 wang123.,实际部署应为每个租户设置不同的强密码,并且不要把明文密码提交到配置仓库。
root@ubunt-demo:~# htpasswd -bc /etc/nginx/mypasswords/passwdfile mysql_test wang123.
Adding password for user mysql_test
root@ubunt-demo:~# cat /etc/nginx/mypasswords/passwdfile
mysql_test:$apr1$nGJA3qbP$ynjFrul.p4TaJxZy3qzll1
# 新增验证用户
root@ubunt-demo:/etc/nginx/mypasswords# htpasswd -b passwdfile jiangli_test wang123.
Adding password for user jiangli_test
root@ubunt-demo:/etc/nginx/mypasswords# cat passwdfile
mysql_test:$apr1$nGJA3qbP$ynjFrul.p4TaJxZy3qzll1
jiangli_test:$apr1$s1IDy0qD$.Gg.jLqTuVtRYcp7obUoN/
4.启动相应的服务
其他配置看其他文档,后续会统一
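#!/usr/bin/env bash
# Starts the single-node observability stack used in this write-up.
# Ports and paths must agree with /etc/loki/loki-config.yaml and the promtail
# configs.
set -euo pipefail

# Grafana on the host network (port 3000, reached through nginx /grafana).
# --user root is probably unnecessary here (the image runs as uid 472); check
# that /etc/grafana is readable by that uid before dropping it.
docker run --user root --name grafana -d --net host --restart=always \
  --mount type=volume,source=grafana,target=/var/lib/grafana \
  -v /etc/grafana:/etc/grafana grafana/grafana:8.3.5

# Loki. Port 3100 is published on every interface so the promtail on
# 192.168.56.221 can push to it directly. While that is the case the nginx
# basic auth is bypassed and any client can pick any X-Scope-OrgID; once
# promtail pushes through nginx, change this to `-p 127.0.0.1:3100:3100`.
# The gRPC port in loki-config.yaml is 9096, not the 9095 that used to be
# published here, and nothing outside the container talks gRPC to a
# single-binary Loki, so it is not published at all.
docker run --user root --name loki -d -p 3100:3100 --restart=always \
  -v /etc/loki:/etc/loki grafana/loki:2.5.0 \
  -config.file=/etc/loki/loki-config.yaml

# promtail runs as root because it has to read /var/log.
docker run -d --user root --name promtail --restart=always \
  -v /etc/promtail:/etc/promtail -v /var/log:/var/log \
  grafana/promtail:2.5.0 -config.file=/etc/promtail/promtail-config.yaml

# Jaeger agent, forwarding spans to Tempo's Jaeger gRPC receiver in plaintext.
docker run -d --user root --name jaeger --restart=always \
  -p 5775:5775/udp -p 6831:6831/udp -p 6832:6832/udp -p 5778:5778/tcp \
  jaegertracing/jaeger-agent:1.33 \
  --reporter.grpc.host-port=192.168.56.240:14250

# Tempo. `latest` is a moving tag; pin a version like the other images so the
# deployment is reproducible.
docker run -d --user root --name tempo \
  -p 3200:3200 -p 14268:14268 -p 14250:14250 --restart=always \
  -v /etc/tempo.yaml:/etc/tempo.yaml -v /tmp/tempo:/tmp/tempo \
  grafana/tempo:latest -config.file=/etc/tempo.yaml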
4.1 然后在添加多个组织对应不同的orgid
4.1.1 添加组织
将不同的租户通过Org隔离开,分别配置不同的数据源,以此实现不同租户仅能查询自身数据的目标。
orgid =
4.1.2 切换到jiangli_test
注意 mysql_test 与 jiangli_test 的操作一致,就不再重复了,只是配置数据源请求头时指定各自的 orgid。
192.168.56.240 的 promtail 配置文件中写的是 3。一个用户可以属于多个组织,借助 Org 在查询侧实现数据隔离,但数据本身都存放在 Loki 服务器的本地文件系统里。
与之对应的 orgid = tenant_id = 3。需要注意:这种隔离只在 Grafana 数据源层面生效——能编辑数据源请求头的 Org 管理员可以把 X-Scope-OrgID 改成任意租户;要真正隔离,应由 nginx 根据通过 basic auth 认证的用户来设置 X-Scope-OrgID,而不是信任客户端发来的值。
5.切换到jiangli_test,添加数据来源loki
5.1 添加请求头,以及nginx身份验证
5.2 添加tempo
5.3 tempo添加数据来源,不添加也行
5.4 最后 通过切换组织,来实现数据的隔离
或者,添加多个 Loki 数据源,通过不同的命名规则来添加到默认的 orgID 下;当然这么配置时,每个数据源的请求头都要与之对应的 orgID 一致。
命名规则
loki_orgidname_orgid
在jiangli_test组织下只能查看orgid=3(tenant_id)的promtail收集到的数据
6 添加多个loki面板 通过不同的命名规则并添加到不同的orgID,
下面图中可以看出我的 orgid 为 1,但是能查询到不同服务器上的日志——这恰好说明隔离只取决于数据源请求头里的 X-Scope-OrgID,谁能编辑数据源就能看到所有租户的数据。
6.1 192.168.56.240 jiangli_test
6.2 192.168.56.221 mysql_test 添加nginx验证,以及orgid验证