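# Chapter 15: Production Deployment Practices

## 15.1 Deployment architecture

[Architecture diagram: a load balancer, Node 1, Node 2, Node 3, data storage, and monitoring.]

## 15.2 Security hardening

### Security checklist

Production security:

- Network security
  - Firewall rules
  - TLS encryption
  - Disable plaintext ports
- Authentication and authorization
  - Disable anonymous access
  - Strong passwords
  - Regular updates
- Access control
  - Least privilege
  - Topic isolation
  - IP restrictions
- Log auditing
  - Operation logs
  - Anomaly detection
  - Periodic review

### Configuration example

```
# Production configuration
listener 8883
certfile /etc/mosquitto/certs/server.crt
keyfile /etc/mosquitto/certs/server.key
cafile /etc/mosquitto/certs/ca.crt
require_certificate true
tls_version tlsv1.2

allow_anonymous false
password_file /etc/mosquitto/passwd
acl_file /etc/mosquitto/acl

# -1 places no limit on concurrent client connections
max_connections -1
max_inflight_messages 20
```

## 15.3 Docker deployment

### Docker Compose production configuration

```yaml
version: "3.8"
services:
  mosquitto:
    image: eclipse-mosquitto:2
    restart: always
    ports:
      # 1883 is the plaintext MQTT port; the 15.2 configuration only defines the TLS listener on 8883
      - "1883:1883"
      - "8883:8883"
    volumes:
      - ./config:/mosquitto/config
      - ./data:/mosquitto/data
      - ./log:/mosquitto/log
    environment:
      - TZ=Asia/Shanghai
    deploy:
      resources:
        limits:
          cpus: "2"
          memory: 1G
        reservations:
          cpus: "1"
          memory: 512M
    healthcheck:
      # mosquitto_sub defaults to localhost:1883 without credentials; with TLS on 8883
      # and anonymous access disabled it needs matching connection options
      test: ["CMD", "mosquitto_sub", "-t", "$$SYS/broker/uptime", "-C", "1"]
      interval: 30s
      timeout: 10s
      retries: 3
```

## 15.4 Kubernetes deployment

```yaml
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: mosquitto
spec:
  serviceName: mosquitto
  replicas: 3
  selector:
    matchLabels:
      app: mosquitto
  template:
    metadata:
      labels:
        app: mosquitto
    spec:
      containers:
        - name: mosquitto
          image: eclipse-mosquitto:2
          ports:
            - containerPort: 1883
            - containerPort: 8883
          volumeMounts:
            - name: config
              mountPath: /mosquitto/config
            - name: data
              mountPath: /mosquitto/data
          resources:
            requests:
              memory: 512Mi
              cpu: 500m
            limits:
              memory: 1Gi
              cpu: 1000m
      volumes:
        # The "config" mount needs a volume definition; the ConfigMap name is an
        # assumption, it is not given in the original manifest
        - name: config
          configMap:
            name: mosquitto-config
  volumeClaimTemplates:
    - metadata:
        name: data
      spec:
        accessModes: ["ReadWriteOnce"]
        resources:
          requests:
            storage: 10Gi
```

## 15.5 Backup and restore

```bash
#!/bin/bash
# Backup script
set -euo pipefail
# The backup contains the password file, the ACL and TLS private keys
umask 077

BACKUP_DIR=/backup/mosquitto/$(date +%Y%m%d)
mkdir -p "$BACKUP_DIR"

# Back up the configuration (kept in its own subdirectory so it does not
# collide with /var/lib/mosquitto, which has the same directory name)
cp -a /etc/mosquitto "$BACKUP_DIR/etc-mosquitto"

# Back up the data
cp -a /var/lib/mosquitto "$BACKUP_DIR/lib-mosquitto"

# Back up the password file and ACL
cp -a /etc/mosquitto/passwd "$BACKUP_DIR/"
cp -a /etc/mosquitto/acl "$BACKUP_DIR/"

# Compress
tar -czf "$BACKUP_DIR.tar.gz" -C "$(dirname "$BACKUP_DIR")" "$(basename "$BACKUP_DIR")"
```

```bash
#!/bin/bash
# Restore: pass the backup directory, e.g. /backup/mosquitto/YYYYMMDD
set -euo pipefail
BACKUP_DIR=${1:?usage: $0 /backup/mosquitto/YYYYMMDD}

tar -xzf "$BACKUP_DIR.tar.gz" -C "$(dirname "$BACKUP_DIR")"
cp -a "$BACKUP_DIR/etc-mosquitto/." /etc/mosquitto/
cp -a "$BACKUP_DIR/lib-mosquitto/." /var/lib/mosquitto/
```

## 15.6 Chapter summary

This chapter covered best practices for production deployment.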
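The section 15.2 checklist can be turned into an automated check on the broker configuration before it is deployed. The following is an added example, not code from the original chapter: the function names and the `SAMPLE` text are constructed for illustration, and it assumes `per_listener_settings` is false so that authentication options apply to all listeners.

```python
# Added example: audit mosquitto.conf text against the section 15.2 checklist.
# Assumption: per_listener_settings is false, so auth options are global.
TLS_OPTS = {"certfile", "keyfile", "cafile", "require_certificate", "tls_version"}

def parse(conf):
    """Return (global_options, {port: TLS options of that listener})."""
    glob, listeners, current = {}, {}, None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, *rest = line.split(None, 1)
        value = rest[0].strip() if rest else ""
        if key == "listener":
            current = listeners.setdefault((value.split() or ["?"])[0], {})
        elif key in TLS_OPTS and current is not None:
            current[key] = value
        else:
            glob[key] = value
    return glob, listeners

def audit(conf):
    """Return a list of findings; an empty list means every check passed."""
    glob, listeners = parse(conf)
    findings = []
    if glob.get("allow_anonymous") != "false":
        findings.append("allow_anonymous is not explicitly false")
    findings += [f"{o} is not set" for o in ("password_file", "acl_file") if o not in glob]
    for port, opts in listeners.items():
        if not {"certfile", "keyfile"} <= opts.keys():
            findings.append(f"listener {port}: plaintext (no certfile/keyfile)")
            continue
        if opts.get("require_certificate") != "true":
            findings.append(f"listener {port}: client certificates not required")
        if opts.get("tls_version") not in ("tlsv1.2", "tlsv1.3"):
            findings.append(f"listener {port}: tls_version is not tlsv1.2 or tlsv1.3")
    return findings

# Constructed sample: a TLS listener plus a leftover plaintext listener.
SAMPLE = """\
listener 8883
certfile /etc/mosquitto/certs/server.crt
keyfile /etc/mosquitto/certs/server.key
require_certificate true
tls_version tlsv1.2
listener 1883
allow_anonymous true
password_file /etc/mosquitto/passwd
"""
```

Calling `audit()` on the text of a candidate `mosquitto.conf` in a CI step and failing the build on a non-empty result keeps a plaintext listener or anonymous access from reaching production unnoticed.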