Manage user roles
AlloyDB Omni uses the same set of predefined PostgreSQL user roles that AlloyDB for PostgreSQL includes , with the following differences:
-
AlloyDB Omni includes a superuser role named
alloydbadmin, and a non-superuser role namedalloydbmetadata. -
The default
postgresuser has a superuser role. -
All other predefined user roles have no privileges. They are reserved for potential uses in the future.
As with AlloyDB, it's a best practice to follow these steps when setting up a database:
-
Define or import your databases using the
postgresuser role. In a new installation, this role has superuser privileges, and requires no password. -
Create new user roles that have the correct level of access to your application's tables, again using the
postgresuser role. -
Configure your application to connect to the database using these new, limited-access roles.
You can create and define as many new user roles as you need. Don't modify or delete any of the user roles with which AlloyDB Omni ships.
For more information, see Manage AlloyDB Omni users and roles .
Monitor AlloyDB Omni
Monitoring your AlloyDB Omni installation includes reading and analyzing AlloyDB Omni log files.
AlloyDB Omni running on Kubernetes provides a set of basic metrics available as Prometheus endpoints. For a list of available metrics, see AlloyDB Omni metrics .
Additionally, AlloyDB Omni running on Kubernetes exposes metrics from custom resources leveraging kube-state-metrics (KSM). To enable custom resource metrics, see Monitor AlloyDB Omni Kubernetes operator custom resources .
Single-server
By default, to retrieve AlloyDB Omni logs, run:
Docker
docker
logs
CONTAINER_NAME
Replace CONTAINER_NAME
with the name of your AlloyDB Omni container.
To configure the logging behavior of AlloyDB Omni, see Customize your AlloyDB Omni installation .
Podman
podman
logs
CONTAINER_NAME
Replace CONTAINER_NAME
with the name of your AlloyDB Omni container.
To configure the logging behavior of AlloyDB Omni, see Customize your AlloyDB Omni installation .
Kubernetes
Find your database cluster log files
postgresql.audit
and postgresql.log
files are located on the file system
of the database pod. postgresql.audit
is only present if you enabled pgaudit
.
To access these files, follow these steps:
-
Define an environment variable containing the name of the database pod.
export DB_POD = ` kubectl get pod -l alloydbomni.internal.dbadmin.goog/dbcluster = DB_CLUSTER_NAME ,alloydbomni.internal.dbadmin.goog/task-type = database -o jsonpath = '{.items[0].metadata.name}' `Replace
DB_CLUSTER_NAMEwith the name of your database cluster. It's the same database cluster name you declared when you created it . -
Run a shell on the database pod as root.
kubectl exec ${ DB_POD } -it -- /bin/bash -
Find the log files in the
/obs/diagnostic/directory:-
/obs/diagnostic/postgresql.audit -
/obs/diagnostic/postgresql.log
-
List monitoring services
v1.0
When you create a database cluster, AlloyDB Omni creates the following monitoring service for each instance CR of the database cluster in the same namespace:
al- INSTANCE_NAME
-monitoring-system
To list the monitoring services, run the following command.
kubectl
get
svc
-n
NAMESPACE
|
grep
monitoring
Replace NAMESPACE
with a namespace where your cluster belongs.
The following example response shows the al-1060-dbc-monitoring-system
, al-3de6-dbc-monitoring-system
, and al-4bc0-dbc-monitoring-system
services. Each service corresponds to one instance.
al-1060-dbc-monitoring-system
ClusterIP
10
.0.15.227
<none>
9187
/TCP
7d20h
al-3de6-dbc-monitoring-system
ClusterIP
10
.0.5.205
<none>
9187
/TCP
7d19h
al-4bc0-dbc-monitoring-system
ClusterIP
10
.0.15.92
<none>
9187
/TCP
7d19h
Version < 1.0
When you create a database cluster, AlloyDB Omni creates the following monitoring services in the same namespace as the database cluster:
-
DB_CLUSTER -monitoring-db -
DB_CLUSTER -monitoring-system
To list the monitoring services, run the following command.
kubectl
get
svc
-n
NAMESPACE
|
grep
monitoring
Replace NAMESPACE
with a namespace where your cluster belongs.
The following example response shows the al-2953-dbcluster-foo7-monitoring-system
and the al-2953-dbcluster-foo7-monitoring-db
service.
al-2953-dbcluster-foo7-monitoring-db
ClusterIP
10
.36.3.243
<none>
9187
/TCP
44m
al-2953-dbcluster-foo7-monitoring-system
ClusterIP
10
.36.7.72
<none>
9187
/TCP
44m
View Prometheus metrics from the command line
The port 9187
is named as metricsalloydbomni
for all monitoring services.
-
Set up port forwarding from your local environment to the monitoring service.
kubectl port-forward service/ MONITORING_SERVICE -n NAMESPACE MONITORING_METRICS_PORT :metricsalloydbomniReplace the following:
-
MONITORING_SERVICE: The name of the monitoring service that you want to forward—for example,al-1060-dbc-monitoring-system. -
NAMESPACE: The namespace where your cluster belongs. -
MONITORING_METRICS_PORT: A local available TCP port.
The following response shows that the services are being forwarded.
Forwarding from 127 .0.0.1:9187 -> 9187 Forwarding from [ ::1 ] :9187 -> 9187 -
-
While the previous command runs, you can access monitoring metrics through HTTP on the port that you specified. For example, you can use
curlto see all of the metrics as plain text:curl http://localhost: MONITORING_METRICS_PORT /metrics
View metrics using the Prometheus API
The alloydbomni.internal.dbadmin.goog/task-type
label key and the metricsalloydbomni
port is available as a default for all monitoring services in AlloyDB Omni. You can use them together with a single serviceMonitor
custom resource to select all the services for all namespaces in your database cluster.
For more information about using the Prometheus API, see the Prometheus Operator documentation .
The following is an example spec
field of the serviceMonitor
custom resource that includes the alloydbomni.internal.dbadmin.gdc.goog/task-type
label key and metricsalloydbomni
port. The serviceMonitor
custom resource monitors and collects all the kubernetes services in all namespaces
For more information about the complete ServiceMonitor
definition, see the ServiceMonitor
custom resource definition
.
v1.0
spec
:
selector
:
matchLabels
:
alloydbomni.internal.dbadmin.goog/task-type
:
monitoring
namespaceSelector
:
any
:
true
endpoints
:
-
port
:
metricsalloydbomni
Version < 1.0
spec
:
selector
:
matchExpressions
:
-
key
:
alloydbomni.internal.dbadmin.gdc.goog/task-type
operator
:
Exists
values
:
[]
namespaceSelector
:
any
:
true
endpoints
:
-
port
:
metricsalloydbomni
View metrics using Grafana
For a visual representation of metrics in AlloyDB Omni on Kubernetes, use the monitoring dashboard. The monitoring dashboard relies on a basic observability stack that consists of Prometheus and Grafana. To configure the monitoring dashboard to collect metrics from AlloyDB Omni, follow these steps:
-
To download the Grafana dashboard, use the
wgetcommand:wget https://raw.githubusercontent.com/GoogleCloudPlatform/alloydb-omni-samples/refs/heads/main/monitoring-dashboards/grafana/alloydbomni_dashboard.yaml -
You must download and install the grafana-operator before deploying Grafana in Kubernetes. For detailed instructions, see Installation .
-
Add the
monitoring.dashboard/product=alloydb-omnilabel to the Grafana instance where you install the dashboard:kubectl label grafana/ GRAFANA_INSTANCE_NAME monitoring.dashboard/product = alloydb-omni -n NAMESPACEReplace the following:
-
GRAFANA_INSTANCE_NAME: the name of the Grafana instance where you put the dashboard. -
NAMESPACE: the namespace where you deployed the Grafana operator.
-
-
To apply the Grafana dashboard configuration to your AlloyDB Omni cluster on Kubernetes, use the following command:
kubectl apply -f alloydbomni_dashboard.yaml -n NAMESPACESee Grafana operator documentation for information about using the Grafana operator.
-
To configure Grafana to use Prometheus as a data source, see Datasources .
-
To verify Grafana is configured correctly, do one of the following:
- View the collection of Grafana panels on the AlloyDB Omni dashboard.
-
Retrieve information about the Grafana dashboard in a Kubernetes cluster:
kubectl get grafanadashboard alloydb-omni-dashboard -n NAMESPACE -o jsonpath = '{.status.conditions[?(@.type=="DashboardSynchronized")].status}'If the command returns
True, thealloydb-omni-dashboardis successfully deployed to the Grafana instance.
Upgrade AlloyDB Omni
To upgrade from AlloyDB Omni 15.5.2 or earlier to 15.5.4, follow instructions in Migrate from earlier version of AlloyDB Omni to latest version .
To upgrade from 15.5.4 and later:
-
Restart AlloyDB Omni using a new image version.
-
Make sure to specify your data directory to match the same path as used in earlier versions of AlloyDB Omni.
Uninstall AlloyDB Omni
Single-server
To uninstall AlloyDB Omni, stop and delete the AlloyDB Omni container using the following command:
Docker
docker
container
stop
CONTAINER_NAME
docker
container
rm
CONTAINER_NAME
Replace CONTAINER_NAME
with the name of your AlloyDB Omni container.
Podman
podman
container
stop
CONTAINER_NAME
podman
container
rm
CONTAINER_NAME
Replace CONTAINER_NAME
with the name of your AlloyDB Omni container.
Podman
podman
container
stop
CONTAINER_NAME
podman
container
rm
CONTAINER_NAME
Replace CONTAINER_NAME
with the name of your AlloyDB Omni container.
You can move, archive, or delete an external data directory depending on whether and how you want to preserve your data after uninstalling AlloyDB Omni.
Kubernetes
Delete your database cluster
To delete your database cluster, set isDeleted
to true
in its manifest.
You can accomplish this with the following command.
kubectl
patch
dbclusters.alloydbomni.dbadmin.goog
DB_CLUSTER_NAME
-p
'{"spec":{"isDeleted":true}}'
--type =
merge
Replace DB_CLUSTER_NAME
with the name of your database
cluster. It's the same database cluster name you declared when you created
it
.
Uninstall the AlloyDB Omni operator
To uninstall the AlloyDB Omni Kubernetes operator from your Kubernetes cluster, take the following steps:
-
Delete all of your database clusters:
for ns in $( kubectl get dbclusters.alloydbomni.dbadmin.goog --all-namespaces -o = jsonpath = '{range .items[*]}{.metadata.namespace}{"\n"}{end}' ) ; do for cr in $( kubectl get dbclusters.alloydbomni.dbadmin.goog -n $ns -o = jsonpath = '{range .items[*]}{.metadata.name}{"\n"}{end}' ) ; do kubectl patch dbclusters.alloydbomni.dbadmin.goog $cr -n $ns --type = merge -p '{"spec":{"isDeleted":true}}' done done -
Wait for the AlloyDB Omni Kubernetes operator to delete all of your database clusters. Use the following command to check whether any database resources remain:
kubectl get dbclusters.alloydbomni.dbadmin.goog --all-namespaces -
Delete other resources that the AlloyDB Omni Kubernetes operator created:
kubectl delete failovers.alloydbomni.dbadmin.goog --all --all-namespaceskubectl delete restores.alloydbomni.dbadmin.goog --all --all-namespaceskubectl delete switchovers.alloydbomni.dbadmin.goog --all --all-namespaces -
Uninstall the AlloyDB Omni Kubernetes operator:
helm uninstall alloydbomni-operator --namespace alloydb-omni-system -
Clean up secrets, custom resource descriptions, and namespaces related to the AlloyDB Omni Kubernetes operator:
kubectl delete certificate -n alloydb-omni-system --allkubectl get secrets --all-namespaces -o custom-columns = NAMESPACE:.metadata.namespace,NAME:.metadata.name,ANNOTATION:.metadata.annotations.cert-manager \. io/issuer-name | grep -E 'alloydbomni|dbs-al' | awk '{print $1 " " $2}' | xargs -n 2 kubectl delete secret -nkubectl delete crd -l alloydb-omni = truekubectl delete ns alloydb-omni-system
Resize your Kubernetes-based database cluster
To resize the CPU, memory, or storage of your Kubernetes-based database cluster,
update the resources
field of the manifests that define its pod. The
AlloyDB Omni operator applies the new specifications to your database pod
immediately.
For more information about the AlloyDB Omni operator manifest syntax, see Create a database cluster .
The following restrictions apply to modifying a running database cluster's resources:
- You can increase a disk's size only if the specified
storageClasssupports volume expansion. - You can't decrease a disk's size.
