我到处搜索过这个,但经过一个半小时的搜索,我找不到任何相关内容。
如何连接到谷歌计算引擎上的数据库?即我想从我的笔记本电脑使用pgadmin3连接到我的谷歌计算引擎上运行的postgres服务器。
这甚至可能吗?如果是这样我该怎么办呢?
提前致谢!
答案 0 :(得分:2)
你需要:
netstat -ntpl来检查)。通常,Postgres将在端口5432上进行侦听。iptables -L)答案 1 :(得分:1)
PostgreSQL must also be configured to allow remote connections,否则,即使所有防火墙规则正确且PostgreSQL服务器正在正确的端口上监听,连接请求也将失败。
无法创建链接,但这是一个相当长的答案,因此可能会有所帮助。
nc或netcat nmap netstat lsof postgresql.conf pg_hba.conf nc或netcat $ nc -zv 4.3.2.1 5432
哪里
-v Produce more verbose output.
-z Only scan for listening daemons, without sending any data to
them. Cannot be used together with -l.
可能的结果:
Connection to 4.3.2.1port [tcp/postgresql] succeeded!
是的
nc: connect to 4.3.2.1 port 8000 (tcp) failed: Connection refused
端口已被防火墙打开,但服务未在监听或拒绝连接。
防火墙正在阻止。
nmap $ nmap 4.3.2.1
Starting Nmap 7.70 ( https://nmap.org ) at 2019-09-09 18:28 PDT
Nmap scan report for 1.2.3.4.bc.googleusercontent.com (4.3.2.1)
Host is up (0.12s latency).
Not shown: 993 filtered ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp closed http
443/tcp closed https
3389/tcp closed ms-wbt-server
4000/tcp closed remoteanything
5432/tcp open postgresql # firewall open, service up and listening
8000/tcp closed http-alt # firewall open, is service up or listening?
netstat $ netstat -tuplen
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State User Inode PID/Program name
tcp 0 0 0.0.0.0:4000 0.0.0.0:* LISTEN 1000 4223185 29432/beam.smp
tcp 0 0 127.0.0.1:5432 0.0.0.0:* LISTEN 1000 4020942 15020/postgres
tcp 0 0 127.0.0.1:5433 0.0.0.0:* LISTEN 1000 3246566 20553/postgres
tcp6 0 0 ::1:5432 :::* LISTEN 1000 4020941 15020/postgres
tcp6 0 0 ::1:5433 :::* LISTEN 1000 3246565 20553/postgres
udp 0 0 224.0.0.251:5353 0.0.0.0:* 1000 4624644 6311/chrome --type=
udp 0 0 224.0.0.251:5353 0.0.0.0:* 1000 4624643 6311/chrome --type=
udp 0 0 224.0.0.251:5353 0.0.0.0:* 1000 4625649 6230/chrome
udp 0 0 0.0.0.0:68 0.0.0.0:* 0 20911 -
udp6 0 0 :::546 :::* 0 4621237 -
其中
-t | --tcp
-u | --udp
-p, --program
Show the PID and name of the program to which each socket belongs.
-l, --listening
Show only listening sockets. (These are omitted by default.)
-e, --extend
Display additional information. Use this option twice for maximum
detail.
--numeric, -n
Show numerical addresses instead of trying to determine symbolic host,
port or user names.
在运行PostgreSQL的实例上发布时,您看不到以下行,这意味着未为远程连接配置PostgreSQL:
tcp 0 0 0.0.0.0:5432 0.0.0.0:* LISTEN 1001 238400 30826/postgres
tcp6 0 0 :::5432 :::* LISTEN 1001 238401 30826/postgres
lsof 要检查实例服务是否正在运行。
$ sudo lsof -i -P -n | grep LISTEN
systemd-r 457 systemd-resolve 13u IPv4 14870 0t0 TCP 127.0.0.53:53 (LISTEN)
sshd 733 root 3u IPv4 19233 0t0 TCP *:22 (LISTEN)
sshd 733 root 4u IPv6 19244 0t0 TCP *:22 (LISTEN)
postgres 2733 postgres 3u IPv4 23655 0t0 TCP 127.0.0.1:5432 (LISTEN)
python3 26083 a_user 4u IPv4 392307 0t0 TCP *:8000 (LISTEN)
要通过笔记本电脑进行连接,您将需要笔记本电脑和Google Compute Engine(GCE)实例的公用IP地址。
(来自this article。)
$ dig +short myip.opendns.com @resolver1.opendns.com
4.3.2.1
$ gcloud compute instances list
NAME ZONE MACHINE_TYPE PREEMPTIBLE INTERNAL_IP EXTERNAL_IP STATUS
access-news us-east1-d n1-standard-2 10.142.0.5 34.73.156.19 RUNNING
lynx-dev us-east1-d n1-standard-1 10.142.0.2 35.231.66.229 RUNNING
tr2 us-east1-d n1-standard-1 10.142.0.3 35.196.195.199 RUNNING
如果您还需要实例的network-tags:
$ gcloud compute instances list --format='table(name,status,tags.list())'
NAME STATUS TAGS
access-news RUNNING fingerprint=mdTPd8rXoQM=,items=[u'access-news', u'http-server', u'https-server']
lynx-dev RUNNING fingerprint=CpSmrCTD0LE=,items=[u'http-server', u'https-server', u'lynx-dev']
tr2 RUNNING fingerprint=84JxACwWD7U=,items=[u'http-server', u'https-server', u'tr2']
仅处理以下GCE防火墙规则,但请确保iptables不会无意中阻止流量。
另请参见
iptables $ gcloud compute firewall-rules list
NAME NETWORK DIRECTION PRIORITY ALLOW DENY DISABLED
default-allow-http default INGRESS 1000 tcp:80 False
default-allow-https default INGRESS 1000 tcp:443 False
default-allow-icmp default INGRESS 65534 icmp False
default-allow-internal default INGRESS 65534 tcp:0-65535,udp:0-65535,icmp False
default-allow-rdp default INGRESS 65534 tcp:3389 False
default-allow-ssh default INGRESS 65534 tcp:22 False
pg-from-tag1-to-tag2 default INGRESS 1000 tcp:5432 False
To show all fields of the firewall, please show in JSON format: --format=json
To show all fields in table format, please see the examples in --help.
更全面的列表,其中还包括网络标签(来自gcloud compute firewall-rules list --help):
$ gcloud compute firewall-rules list --format="table( \
name, \
network, \
direction, \
priority, \
sourceRanges.list():label=SRC_RANGES, \
destinationRanges.list():label=DEST_RANGES, \
allowed[].map().firewall_rule().list():label=ALLOW, \
denied[].map().firewall_rule().list():label=DENY, \
sourceTags.list():label=SRC_TAGS, \
sourceServiceAccounts.list():label=SRC_SVC_ACCT, \
targetTags.list():label=TARGET_TAGS, \
targetServiceAccounts.list():label=TARGET_SVC_ACCT, \
disabled \
)"
NAME NETWORK DIRECTION PRIORITY SRC_RANGES DEST_RANGES ALLOW DENY SRC_TAGS SRC_SVC_ACCT TARGET_TAGS TARGET_SVC_ACCT DISABLED
default-allow-http default INGRESS 1000 0.0.0.0/0 tcp:80 http-server False
default-allow-https default INGRESS 1000 0.0.0.0/0 tcp:443 https-server False
default-allow-icmp default INGRESS 65534 0.0.0.0/0 icmp False
default-allow-internal default INGRESS 65534 10.128.0.0/9 tcp:0-65535,udp:0-65535,icmp False
default-allow-rdp default INGRESS 65534 0.0.0.0/0 tcp:3389 False
default-allow-ssh default INGRESS 65534 0.0.0.0/0 tcp:22 False
pg-from-tag1-to-tag2 default INGRESS 1000 4.3.2.1 tcp:5432 tag1 tag2 False
要从每个源打开每个实例的默认PostgreSQL端口(5432):
$ gcloud compute firewall-rules create \
postgres-all \
--network default \
--priority 1000 \
--direction ingress \
--action allow \
--rules tcp:5432 \
要将其限制在您的计算机(源:YOUR_IP)和GCE实例(目标:INSTANCE_IP)之间:
$ gcloud compute firewall-rules create \
postgres-from-you-to-instance \
--network default \
--priority 1000 \
--direction ingress \
--action allow \
--rules tcp:5432 \
--destination-ranges INSTANCES_IP \
--source-ranges YOUR_IP \
人们也可以使用源和目标网络标签或服务帐户来代替--source-ranges和--destination-ranges。参见"Source or destination" section in the firewall docs。
这是对Neeraj Singh的post的更新。
默认情况下,PostgreSQL被配置为绑定到“ localhost”,因此以下配置文件将需要更新:
postgresql.conf和
pg_hba.conf
可以从PostgreSQL本身查询两个文件的位置(从this Stackoverflow thread中获取技巧):
$ sudo -u postgres psql -c "SHOW hba_file" -c "SHOW config_file"
postgresql.conf 配置文件附带有用的提示以使此功能正常工作:
listen_addresses = 'localhost' # what IP address(es) to listen on;
# comma-separated list of addresses;
# defaults to 'localhost'; use '*' for all
# (change requires restart)
要获得快速而又肮脏的解决方案,只需将其更改为
listen_addresses = '*'
重新启动服务器(有关方法,请参见here)。 PostgreSQL重新启动后,它将开始侦听所有IP地址(请参见netstat -tuplen)。
要重新启动PostgreSQL:
$ sudo systemctl restart postgresql@11-main
# or
$ pg_ctl restart
listen_addresses文档说,它“ 指定服务器用于侦听来自客户端应用程序的连接的TCP / IP地址。”,仅此而已。它指定接收数据包的套接字,但是如果未验证传入连接(通过pg_hba.conf配置),则无论如何都将拒绝(丢弃?)数据包。
pg_hba.conf 来自20.1. The pg_hba.conf File:“ _Client身份验证由配置文件控制,该文件通常名为pg_hba.conf,并存储在数据库集群的数据目录中。(HBA表示基于主机的身份验证。)_“ < / p>
这是一个复杂的主题,因此阅读文档至关重要,但这足以在受信任的网络上进行开发:
host all all 0.0.0.0/0 trust
host all all ::/0 trust
这时需要重新启动。