Let's continue in configuring central MQTT broker. In previous article I described the OpenVPN part. Now is time for MQTT broker itself.
Broker implementation is mosquitto. It is open source software, compliant with MQTT version 3.1 and 3.1.1. First of all, lets install it:
root@buben-vps:~# apt-get install mosquitto
Configuration
Central broker should be configured with following attributes:
- Listen on VPN interface – This is what I discussed if previous post. To ensure that only authorized clients can access broker, it must listen on tunnel interface only.
- Client authentication – Even if key owners has access to broker, I like to add username/password protection. Credentials are send in plain text, but the are encrypted in VPN tunnel for outside world.
Broker configuration file should look like this:
#persistance setting persistence true persistence_location /var/lib/mosquitto/ # listen on localhost interface bind_address localhost # listen on VPN interface listener 1883 10.9.0.1 # User authentication password_file /etc/mosquitto/mosquitto.passwd allow_anonymous false
irst part specifies persistence directory. This is useful when clients uses messages with retain feature and broker is restarted for some reason. Persistence will save retain messages over broker restarts.
Next part defines listen interfaces. Default listener listen on localhost interface, second one listen on VPN interface. I want to listen on localhost for some data processing services which runs on the same machine.
Finally, last part defines user authentication. I use this feature for possibility to grant access to my VPN tunnel for other devices, but ensure that they cannot mess my MQTT data exchange. Unfortunately, authentication is required to clients from all interfaces. It would be great to require authentication for clients at VPN interface only.
Password file
To authenticate MQTT users, we need to store user names and passwords somewhere. Mosquitto comes with mosquitto_passwd
utility for managing password files. To create new file issue following commad:
root@buben-vps:~# mosquitto_passwd -c /etc/mosquitto/mosquitto.passwd testuser
Command asks you for password and store it in hashed form in appropriate file. Unfortunately, this utility cannot accept password via command line argument, so using some generated password is quite complicated.
I also noticed, that command can accept -U
option, which updates password file to use hashed password instead of plain text. I don't know why, but it re-hash already hashed passwords. This makes this feature little bit useless.
systemd unit
By default, mosquitto doesn't use standard systemd unit. It is started using traditional System V script located at /etc/init.d/mosquitto
. You can check this by following command:
root@buben-vps:~# systemctl status mosquitto ● mosquitto.service - LSB: mosquitto MQTT v3.1 message broker Loaded: loaded (/etc/init.d/mosquitto) Active: active (running) since Tue 2015-09-29 14:41:55 CEST; 9s ago CGroup: /system.slice/mosquitto.service └─3037 /usr/sbin/mosquitto -c /etc/mosquitto/mosquitto.conf
I like modern systemd units, which runs services in foreground. So let's create is. Stop current mosquitto service at first:
root@buben-vps:~# systemctl stop mosquitto root@buben-vps:~# update-rc.d mosquitto remove root@buben-vps:~# rm /etc/init.d/mosquitto
Now create systemd unit file:
root@buben-vps:~# nano /etc/systemd/system/mosquitto.service
And paste following content:
[Unit] Description=MQTT v3.1 message broker After=network.target openvpn-server@buben-vps.service Requires=network.target openvpn-server@buben-vps.service [Service] Type=simple ExecStart=/usr/sbin/mosquitto -c /etc/mosquitto/mosquitto.conf Restart=always [Install] WantedBy=multi-user.target
Lets talk about systemd unit configuration directives little bit. Requires
directive specifies that this unit needs active network.target
unit and openvpn-server@buben-vps.service unit
. If any unit listed there is stopped or fails, this unit will be stopped as well. After
directive defines activation order. Activation of this unit is delayed until all units listed at After
directive are started up.
Both After
and Requires
directives has same values. network.target
tells that service should be started after network related stuff is initialized (such as initialization of TCP/IP stack). This dependecy is much more important for shut-down procedure. It instructs systemd that this service should be terminated before network connectivity. This ensures that broker can nicely close all its connections. openvpn-server@buben-vps.service
defines dependency on service which provides VPN connectivity. Mosquitto is configured to listen at VPN tunnel IP address, so this service must be started up before mosquitto gets activated.
Other configuration directives are self explanatory. If you are not sure about their meaning, check systemd documentation.
After unit file is created, reload systemd configuration, enable unit and start it up:
root@buben-vps:~# systemctl daemon-reload root@buben-vps:~# systemctl enable mosquitto root@buben-vps:~# systemctl start mosquitto
And that's it. Central MQTT broker is up and running. In next articled I'll descibe building of different kinds of local MQTT brokers.
Žádné komentáře:
Okomentovat