为什么在Vagrant VM上与PostgreSQL的连接被拒绝?

时间:2019-06-04 15:54:10

标签: postgresql vagrant

我有两个Vagrant VM,一个配置为Web服务器,另一个配置为数据库服务器。当我尝试在Web服务器上针对数据库服务器上的清单数据库运行psql命令时,连接被拒绝:

psql -h db00 -U dsmith -d inventory -p 15432

psql: could not connect to server: Connection refused
        Is the server running on the host "db00" (192.168.2.101) and accepting
        TCP/IP connections on port 15432?

这是我的Vagrantfile:

VAGRANTFILE_API_VERSION = "2"

Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
  config.vm.box = "debian/stretch64"
  config.vm.synced_folder "./shared", "/vagrant", type: "virtualbox"
  ENV['ANSIBLE_ROLES_PATH'] = "/Users/dsmith/playbooks/roles-debian9"

  config.vm.define "db" do |db|
    db.vm.hostname = "db00.example.com"
    db.vm.network :private_network, ip: "192.168.2.101"
    db.vm.network :forwarded_port, guest: 5432, host: 15432
    config.vm.provision "ansible" do |ansible|
      ansible.playbook = "provision.yml"
      ansible.compatibility_mode = "2.0"
      ansible.become = true
    end
  end

  config.vm.define "web" do |web|
    web.vm.hostname = "web00.example.com"
    web.vm.network :private_network, ip: "192.168.2.102"
    web.ssh.forward_agent = true
    config.vm.provision "ansible" do |ansible|
      ansible.playbook = "provision.yml"
      ansible.compatibility_mode = "2.0"
      ansible.become = true
    end
  end
end

这里的关键线是网络forwarded_port线。我想我是在告诉Vagrant,如果在端口5432上向数据库服务器VM发出了请求,请将其转发到服务器本身的端口15432,这是我已配置PostgreSQL在该服务器上侦听的端口。根据我的研究,我认为这是我应该做的,但是我不确定。

这是我的PostgreSQL配置文件:

# /etc/postgresql/9.6/main/postgresql.conf
data_directory = '/var/lib/postgresql/9.6/main'
hba_file = '/etc/postgresql/9.6/main/pg_hba.conf'
ident_file = '/etc/postgresql/9.6/main/pg_ident.conf'
external_pid_file = '/var/run/postgresql/9.6-main.pid'
listen_addresses = '*'
port = 15432
unix_socket_directories = '/var/run/postgresql'

这是我的身份验证配置文件:

# /etc/postgresql/9.6/main/pg_hba.conf
local   all             postgres                                peer
local   all             all                                     peer
host    all             all             127.0.0.1/32            md5
host    all             all             ::1/128                 md5
host all all 0.0.0.0/0 trust

根据我的研究,“ listen_addresses”行在postgres配置文件中很重要,而“ host all all ...”行在hba配置文件中很重要。

以下是数据库服务器上运行的防火墙规则:

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1037:93696]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 127.0.0.0/8 ! -i lo -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p icmp -m state --state NEW -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -s 192.168.2.102/32 -d 192.168.2.101/32 -p tcp -m tcp --sport 1024:65535 --dport 15432 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables_INPUT_denied: " --log-level 7
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "iptables_FORWARD_denied: " --log-level 7
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -s 192.168.2.101/32 -d 192.168.2.102/32 -p tcp -m tcp --sport 5432 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
COMMIT

重要的规则是说在端口15432上接受从192.168.2.102(web00)到192.168.2.101(db00)的任何内容。但是我真的认为防火墙不是问题所在,因为如果我刷新所有规则,就会遇到相同的错误。

我在这里做错了什么?我已经尝试过了,但是我错过了一些东西。

0 个答案:

没有答案