MQTT: Message Queuing Telemetry Transport,是 M2M (machine-to-machine) 訊息傳遞 protocol,設計用在 IoT (Internet of Things) 的設備之間,互相傳遞訊息。client 之間,不因訊息傳遞需求,而要互相以 mesh 方式連接在一起,而是透過 MQTT Broker (在 MQTT 稱為 broker 不是 server) 代理互傳訊息,發送與接收訊息時,需要指定 topic,也就是透過 topic 進行訊息分類,讓 client 自行決定要處理哪些 topic 的訊息。
Mosquitto 是開放常用的 MQTT broker,以下了解如何在 CentOS7 安裝與測試 Mosquitto。
安裝
yum -y install epel-release
yum -y install mosquitto
#啟動
systemctl enable mosquitto
systemctl start mosquitto安裝後可直接啟動並測試使用
用一個 terminal 執行
mosquitto_sub -h localhost -t test另一個 terminal 執行
mosquitto_pub -h localhost -t test -m "hello world"第一個 terminal 就能收到 "hello world"
Topic
Topic 是以階層式的概念定義,每個階層用 / 左斜線區隔。
ex: sensors/COMPUTER_NAME/temperature/HARDDRIVE_NAME
訊息的 subscriber 與 publisher 都需要指定 topic,subscriber 可在 topic 使用兩個 wildcards 符號
+代表某一個階層的全部
ex:
sensors/+/temperature/+就表示要取得所有 COMPUTER_NAME 以及 HARDDRIVE_NAME 的溫度ex: "a/b/c/d" 可用以下 pattern
a/b/c/d +/b/c/d a/+/c/d a/+/+/d +/+/+/+
#代表後面所有的階層
ex: "a/b/c/d" 可用以下 pattern
a/b/c/d # a/# a/b/# +/b/c/#
QoS
0
- at most once 最多只會傳送一次
- 訊息送出後,就不管
- 發送速度快
- 有可能會遺失訊息
1
- at least once 至少傳一次
- 當 broker 收到 publisher 訊息後,會回應 PUBACK,確認有收到要發布的訊息
- 如果 publisher 沒有收到 PUBACK,會自動重傳
- subscriber 有可能會收到重覆的訊息
2
- exactly once 只會傳送一次
- broker 收到 publisher 訊息後,會回應 PUREC,確認有收到要發布的訊息
- publisher 收到 PUREC 後,會再傳送 PUBREL 給 broker,告訴 broker 可以將訊息發布出去
- broker 會把訊息傳給有訂閱該 topic 的 subscribers,傳送完成後,會回應 PUBCOMP 給 publisher,通知訊息已經發布完成
- subscriber 不會收到重覆的訊息
密碼
mosquitto_passwd -c /etc/mosquitto/passwd test修改 /etc/mosquitto/mosquitto.conf
allow_anonymous false
password_file /etc/mosquitto/passwd直接發布會被拒絕
mosquitto_pub -h localhost -t "test" -m "hello world"
Connection error: Connection Refused: not authorised.要加上帳號/密碼
mosquitto_pub -h localhost -t "test" -m "hello world" -u test -P passwordTLS
產生 self signed SSL key 的步驟
Create a CA key pair
Create CA certificate and sign it with the private key from step 1
Create the broker key pair
Create a CA certificate sign request using the key from step 3
Use the CA certificate from step 2 to sign the request from step 4
產生 CA key pair
m2mqtt_ca.key
openssl genrsa -des3 -out m2mqtt_ca.key 2048
# 下面會詢問 pass phrase,是用來保護 ca private key: m2mqtt_ca.key
Generating RSA private key, 2048 bit long modulus
..+++
.........+++
e is 65537 (0x10001)
Enter pass phrase for m2mqtt_ca.key:
Verifying - Enter pass phrase for m2mqtt_ca.key:產生 CA 的憑證
m2mqtt_ca.crt
openssl req -new -x509 -days 3650 -key m2mqtt_ca.key -out m2mqtt_ca.crt
##
Enter pass phrase for m2mqtt_ca.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:TW
State or Province Name (full name) []:Taiwan
Locality Name (eg, city) [Default City]:Taichung
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []:產生 mosquitto broker key pair
m2mqtt_srv.key
openssl genrsa -out m2mqtt_srv.key 2048
####
Generating RSA private key, 2048 bit long modulus
..............................+++
.............+++
e is 65537 (0x10001)產生 ceritificate request from CA
m2mqtt_srv.csr
openssl req -new -out m2mqtt_srv.csr -key m2mqtt_srv.key
###
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:TW
State or Province Name (full name) []:Taiwan
Locality Name (eg, city) [Default City]:Taichung
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:驗證,並對 certificate request 簽章
m2mqtt_srv.crt
openssl x509 -req -in m2mqtt_srv.csr -CA m2mqtt_ca.crt -CAkey m2mqtt_ca.key -CAcreateserial -out m2mqtt_srv.crt -days 3650得到的檔案
m2mqtt_ca.crt : CA Certificate
m2mqtt_ca.key : CA key pair (private, public)
m2mqtt_ca.srl : CA serial number file
m2mqtt_srv.crt : server certificate
m2mqtt_srv.csr : certificate sign request, not needed any more
m2mqtt_srv.key : server key pairmosquito 需要用到
m2mqtt_ca.crt : CA Certificate
m2mqtt_srv.crt : server certificate
m2mqtt_srv.key : server key pair複製檔案
mkdir /etc/mosquitto/certs
cp m2mqtt_ca.crt /etc/mosquitto/certs/
cp m2mqtt_srv.crt /etc/mosquitto/certs/
cp m2mqtt_srv.key /etc/mosquitto/certs/修改 mosquitto.conf
# 修改 default listener
port 1883
# wss
listener 9001
protocol websockets
cafile /etc/mosquitto/certs/m2mqtt_ca.crt
certfile /etc/mosquitto/certs/m2mqtt_srv.crt
keyfile /etc/mosquitto/certs/m2mqtt_srv.key如果啟動 mosquitto 在 /var/log/messages 看到這樣的錯誤,表示 openssl 必須要更新
relocation error: /lib64/libwebsockets.so.13: symbol SSL_CTX_set_alpn_select_cb, version libssl.so.10 not defined in file libssl.so.10 with link time referenceyum install openssl重新啟動 mosquitto
systemctl restart mosquitto.service從 netstat 發現 9001 只有對 ipv6 開啟,目前不曉得怎麼對 ipv4 也開啟
# netstat -anlp|grep 1883
tcp 0 0 0.0.0.0:1883 0.0.0.0:* LISTEN 31430/mosquitto
tcp6 0 0 :::1883 :::* LISTEN 31430/mosquitto
# netstat -anlp|grep 9001
tcp6 0 0 :::9001 :::* LISTEN 31430/mosquittoReferences
樹莓派安裝 Mosquitto 輕量級 MQTT Broker 教學,連接各種物聯網設備
How To Install and Secure the Mosquitto MQTT Messaging Broker on CentOS 7
如何在CentOS 7上安装和保护Mosquitto MQTT消息传递代理
Enable Secure Communication with TLS and the Mosquitto Broker
沒有留言:
張貼留言