KingbaseES V8R6 cluster operations series: switching ssh communication to sys_securecmdd communication

Published by 風陵渡口 on 2023-12-13
I. Applicability:
This document applies to KingbaseES V008R006.
II. About SYS_SECURECMDD:
sys_securecmdd is a tool shipped with the KingbaseES cluster. Cluster monitoring and cluster management execute remote commands securely through sys_securecmdd, so the system ssh service is not needed for cluster operations.
sys_securecmdd consists mainly of the following files:
Server side
  sys_securecmdd      server; listens on port 8890 by default and accepts client connections.
  sys_secureftp       invoked by the server; used to receive files.
  sys_HAscmdd.sh      script that manages the server.
Client side
  sys_securecmd       client; used to connect to the server.
Key files
  accept_hosts        trust file for passwordless access.
  key_file            private key file.
Other files
  securecmdd_config   server configuration file.
  securecmd_config    client configuration file.
  sys_HAscmdd.conf    configuration file for the management script.
  securecmdd.service  service template; the server can be registered as a service with it.
Dependency libraries
  libcrypto.so.10     built against openssl; the libraries used at build time are bundled (libssl.so.10 is shipped as well, as the zip listing below shows) so the tool runs in different environments. Because these are bundled copies, operating-system package updates do not patch them; track the vendor's updates of the securecmdd package instead.
sys_HAscmdd.conf is the configuration file of sys_securecmdd. Its parameters are:
  start_method    How the sys_securecmdd process is started and kept highly available. systemd (the default for general-purpose clusters) starts sys_securecmdd through a service; crontab (the default for dedicated-appliance clusters) starts sys_securecmdd periodically through the crond service. Values: crontab, systemd; default crontab.
  scmd_port       Listening port of the sys_securecmdd process. After changing it, re-run the initialization with the sys_HAscmdd.sh script. Value: INT; default 8890.
III. Installing and deploying the SYS_SECURECMDD service:
Do not stop the database while the SYS_SECURECMDD service is being deployed.
  1. Deploy the SYS_SECURECMDD service:
1.1 Check whether the server firewall is enabled:
Run this on all nodes:
systemctl status firewalld.service
If the Active state is running, the firewall is enabled:
Active: active (running)
If the firewall is enabled, add the corresponding rule.
Port 10046 is the port reserved here for the sys_securecmdd service (the rules below open it for both tcp and udp). If the firewall zone faces networks beyond the cluster, a rich rule limited to the cluster nodes' addresses is preferable to opening the port to every source.
firewall-cmd --permanent --add-port=10046/tcp
firewall-cmd --permanent --add-port=10046/udp
firewall-cmd --reload
After adding the rule, check that it took effect with the following command.
The rule is active if the newly added port appears in the output:
firewall-cmd --list-port
54321/tcp 54321/udp 10046/tcp 10046/udp
1.2 Upload securecmdd.zip to all cluster nodes:
Default path of the zip package:
../V008R006C007B0012/ClientTools/guitools/DeployTools/zip/Lin64/
$ ls -l
total 2260
drwxrwxr-x.  3 kes_v8r6c7b12 kes_v8r6c7b12      83 Feb 27 16:04 cluster
-rw-r--r--.  1 kes_v8r6c7b12 kes_v8r6c7b12 2115099 Mar  1 14:22 securecmdd.zip
scp securecmdd.zip to the node2 node:
$ scp securecmdd.zip kes_v8r6c7b12@node2:~
The authenticity of host 'node2 (192.168.10.43)' can't be established.
securecmdd.zip                             100% 2066KB  14.8MB/s   00:00
1.3 Unzip securecmdd.zip and install securecmdd:
Run the following on all cluster nodes:
Unzip the securecmdd.zip package:
$ unzip securecmdd.zip
Archive:  securecmdd.zip
creating: securecmdd/
creating: securecmdd/lib/
inflating: securecmdd/lib/libcrypto.so.10
inflating: securecmdd/lib/libssl.so.10
creating: securecmdd/bin/
inflating: securecmdd/bin/sys_securecmd
inflating: securecmdd/bin/sys_secureftp
inflating: securecmdd/bin/sys_HAscmdd.sh
inflating: securecmdd/bin/sys_securecmdd
creating: securecmdd/share/
inflating: securecmdd/share/sys_HAscmdd.conf
inflating: securecmdd/share/key_file
inflating: securecmdd/share/securecmdd_config
inflating: securecmdd/share/securecmdd.service
inflating: securecmdd/share/securecmd_config
inflating: securecmdd/share/accept_hosts
Edit sys_HAscmdd.conf to change the default port 8890 to 10046.
The sys_HAscmdd.conf file is in the securecmdd/share directory:
vi sys_HAscmdd.conf
scmd_port=10046
Run sys_HAscmdd.sh init to initialize.
If the following error appears, switch to the root user and run it again:
$ sys_HAscmdd.sh init
Only execute by root, current user is kes_v8r6c7b12
A successful init looks like this:
./sys_HAscmdd.sh init
successfully initialized the sys_securecmdd, please use "./sys_HAscmdd.sh start" to start the sys_securecmdd
Start the service with ./sys_HAscmdd.sh start:
./sys_HAscmdd.sh start
Created symlink /etc/systemd/system/multi-user.target.wants/securecmdd.service → /etc/systemd/system/securecmdd.service.
Check that it started correctly:
systemctl status securecmdd
● securecmdd.service - KingbaseES - sys_securecmdd daemon
Loaded: loaded (/etc/systemd/system/securecmdd.service; enabled; vendor preset: disabled)
Active: active (running) since Wed 2023-03-01 14:55:36 CST; 12s ago
Main PID: 39535 (sys_securecmdd)
Tasks: 1 (limit: 12498)
Memory: 668.0K
CGroup: /system.slice/securecmdd.service
└─39535 sys_securecmdd: /home/kes_v8r6c7b12/securecmdd/bin/sys_securecmdd -f /etc/.kes/securecmdd_config [listener] 0 of 128-256 startups
Mar 01 14:55:36 node1 systemd[1]: Started KingbaseES - sys_securecmdd daemon.
Test that connections work:
./sys_securecmd kes_v8r6c7b12@192.168.10.43 date
Wed Mar  1 15:02:29 CST 2023
./sys_securecmd kes_v8r6c7b12@192.168.10.40 date
Wed Mar  1 15:02:38 CST 2023
Once the tests pass, the securecmdd installation is complete.
After sys_securecmdd is installed, a .es directory is created in the home directories of root and of the kingbase (database) user, containing the files below (do not modify the contents of the .es directory):
key_file is the private key of the sys_securecmdd service.
accept_hosts is the key file of the sys_securecmdd service (used for mutual trust between cluster nodes).
Both files are mode 0600 and owned by the user whose home they sit in, as the listings show; keep them that way, since key_file is the node's private key.
root's home directory:
[root@node2 ~]# ls -l .es/
total 8
-rw------- 1 root root  381 Mar  3 14:07 accept_hosts
-rw------- 1 root root 1675 Mar  3 14:07 key_file
Database user's home directory:
[root@node2 ~]# ls -l /home/kes_v8r6c7b12/.es/
total 8
-rw------- 1 kes_v8r6c7b12 kes_v8r6c7b12  381 Mar  3 14:07 accept_hosts
-rw------- 1 kes_v8r6c7b12 kes_v8r6c7b12 1675 Mar  3 14:07 key_file
[root@node2 ~]#
Modifying the accept_hosts file breaks the mutual trust between cluster nodes. To recover after that:
Run the following on all nodes:
Stop the sys_securecmdd service:
./sys_HAscmdd.sh stop
Re-initialize the sys_securecmdd service:
./sys_HAscmdd.sh init
Start the sys_securecmdd service:
./sys_HAscmdd.sh start
Test node connectivity:
[root@node2 bin]# ./sys_securecmd root@node1 date
Fri Mar  3 14:07:33 CST 2023
[root@node2 bin]# ./sys_securecmd root@node2 date
Fri Mar  3 14:07:36 CST 2023
[root@node2 bin]# ./sys_securecmd root@192.168.10.40 date
Fri Mar  3 14:07:45 CST 2023
[root@node2 bin]# ./sys_securecmd root@192.168.10.43 date
Fri Mar  3 14:07:48 CST 2023
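The checks that section III relies on, as an added shell example that is not part of KingbaseES or of the original article: port_listed parses the output of firewall-cmd --list-ports for both the tcp and udp entries of a port, set_scmd_port rewrites (or adds) the scmd_port line in sys_HAscmdd.conf through a temporary file, get_scmd_port reads it back with the 8890 default, and audit_es_dir checks that key_file and accept_hosts in a .es directory exist, are mode 0600 and belong to the expected owner. The function names are assumptions, and the file formats are the ones shown above.

```shell
#!/bin/sh
# Added pre-flight checks for the sys_securecmdd rollout (not KingbaseES code).
# Assumptions: the firewall listing has the "PORT/PROTO ..." form printed by
# `firewall-cmd --list-ports`, and sys_HAscmdd.conf holds a "scmd_port=NNNN" line.

# port_listed PORT LISTING: succeed only if PORT appears for both tcp and udp
# in LISTING (the output of `firewall-cmd --list-ports`).
port_listed() {
  port=$1; listing=$2; tcp=0; udp=0
  for entry in $listing; do
    case "$entry" in
      "$port/tcp") tcp=1 ;;
      "$port/udp") udp=1 ;;
    esac
  done
  [ "$tcp" = 1 ] && [ "$udp" = 1 ]
}

# set_scmd_port CONF PORT: rewrite, or add, the scmd_port line in sys_HAscmdd.conf.
# The new content goes through a temporary file so an interrupted edit never
# leaves a truncated config behind; anything that is not a number is rejected.
set_scmd_port() {
  conf=$1; port=$2
  case "$port" in ''|*[!0-9]*) echo "set_scmd_port: bad port '$port'" >&2; return 1 ;; esac
  if grep -q '^scmd_port=' "$conf"; then
    sed "s/^scmd_port=.*/scmd_port=$port/" "$conf" > "$conf.tmp"
  else
    { cat "$conf"; echo "scmd_port=$port"; } > "$conf.tmp"
  fi
  mv "$conf.tmp" "$conf"
}

# get_scmd_port CONF: print the configured scmd_port, or the 8890 default.
get_scmd_port() {
  p=$(sed -n 's/^scmd_port=\([0-9]*\).*/\1/p' "$1" | tail -n 1)
  echo "${p:-8890}"
}

# audit_es_dir DIR [OWNER]: key_file and accept_hosts under DIR must exist and be
# mode 0600 (-rw-------); when OWNER is given they must belong to that user too.
# Prints one line per finding and succeeds only when there is none.
audit_es_dir() {
  dir=$1; owner=$2; bad=0
  for name in key_file accept_hosts; do
    f="$dir/$name"
    if [ ! -f "$f" ]; then echo "missing: $f"; bad=1; continue; fi
    set -- $(ls -ld "$f")          # $1 = mode string, $3 = owner
    case "$1" in -rw-------*) ;; *) echo "mode $1 should be -rw-------: $f"; bad=1 ;; esac
    if [ -n "$owner" ] && [ "$3" != "$owner" ]; then
      echo "owner $3 should be $owner: $f"; bad=1
    fi
  done
  return $bad
}
```

On a node, `port_listed 10046 "$(firewall-cmd --list-ports)"` is the check for step 1.1, `set_scmd_port securecmdd/share/sys_HAscmdd.conf 10046` is step 1.3 before `sys_HAscmdd.sh init`, and `audit_es_dir /root/.es root` plus `audit_es_dir /home/<dbuser>/.es <dbuser>` confirm the key files after init.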
IV. Switch the database cluster to SYS_SECURECMDD communication
  1. Edit the repmgr.conf configuration file to use SYS_SECURECMDD communication:
Do the following on all cluster nodes:
In repmgr.conf, change use_scmd=off to on.
use_scmd=off means SYS_SECURECMDD is not used and the system SSH is used for communication; use_scmd=on means SYS_SECURECMDD is used:
use_scmd=on
In the scmd_options line, change the port to the scmd_port=10046 value set in sys_HAscmdd.conf (the option string follows ssh's syntax; only the -p value needs to change here):
scmd_options='-q -o ConnectTimeout=10 -o StrictHostKeyChecking=no -o ServerAliveInterval=2 -o ServerAliveCountMax=5 -p 10046'
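An added helper for this repmgr.conf change (example code, not KingbaseES or repmgr code): enable_scmd sets use_scmd=on and replaces, or appends, the -p value in scmd_options; repmgr_scmd_port reads the port back; and check_scmd_switch fails unless use_scmd is on and the repmgr port equals scmd_port in sys_HAscmdd.conf, which catches the mismatch that would leave repmgr talking to a port nothing listens on after the restart. The function names are assumptions; the two configuration line formats are the ones shown above.

```shell
#!/bin/sh
# Added helper for the repmgr.conf switch (not KingbaseES or repmgr code).
# Assumptions: repmgr.conf carries "use_scmd=off|on" and a single-quoted
# "scmd_options='... -p NNNN'" line, and sys_HAscmdd.conf carries "scmd_port=NNNN".

# enable_scmd REPMGR_CONF PORT: set use_scmd=on and point scmd_options at PORT,
# replacing an existing "-p NNNN" or appending one before the closing quote.
# Writes through a temporary file so a failed rewrite never truncates the config.
enable_scmd() {
  conf=$1; port=$2
  case "$port" in ''|*[!0-9]*) echo "enable_scmd: bad port '$port'" >&2; return 1 ;; esac
  awk -v port="$port" -v q="'" '
    BEGIN { endq = q "$" }                      # regex: closing quote at end of line
    /^use_scmd=/ { print "use_scmd=on"; next }
    /^scmd_options=/ {
      if (match($0, /-p [0-9]+/))
        $0 = substr($0, 1, RSTART - 1) "-p " port substr($0, RSTART + RLENGTH)
      else
        sub(endq, " -p " port q)
    }
    { print }
  ' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# repmgr_scmd_port REPMGR_CONF: print the -p value from scmd_options, or "none".
repmgr_scmd_port() {
  p=$(sed -n '/^scmd_options=/s/.*-p \([0-9][0-9]*\).*/\1/p' "$1")
  echo "${p:-none}"
}

# check_scmd_switch REPMGR_CONF HA_CONF: succeed only when use_scmd=on and the
# repmgr -p port equals scmd_port in sys_HAscmdd.conf (8890 when unset).
check_scmd_switch() {
  grep -q '^use_scmd=on' "$1" || { echo "use_scmd is not on in $1"; return 1; }
  want=$(sed -n 's/^scmd_port=\([0-9]*\).*/\1/p' "$2" | tail -n 1)
  want=${want:-8890}
  have=$(repmgr_scmd_port "$1")
  [ "$have" = "$want" ] || { echo "port mismatch: repmgr -p $have, sys_HAscmdd.conf $want"; return 1; }
}
```

Run `enable_scmd <path>/repmgr.conf 10046` on every node, then `check_scmd_switch <path>/repmgr.conf <path>/sys_HAscmdd.conf` on each one before the sys_monitor.sh restart below; a mismatch on any node is cheaper to find now than after repmgrd comes up.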
2. After the edits, restart the database cluster with sys_monitor.sh:
[kes_v8r6c7b12@node1 ~]$ sys_monitor.sh restart
2023-03-03 14:19:38 Ready to stop all DB ...
Service process "node_export" was killed at process 9578
Service process "postgres_ex" was killed at process 9579
Service process "node_export" was killed at process 1344
Service process "postgres_ex" was killed at process 1345
2023-03-03 14:19:42 begin to stop repmgrd on "[192.168.10.40]".
2023-03-03 14:19:42 repmgrd on "[192.168.10.40]" stop success.
2023-03-03 14:19:42 begin to stop repmgrd on "[192.168.10.43]".
2023-03-03 14:19:43 repmgrd on "[192.168.10.43]" stop success.
2023-03-03 14:19:43 begin to stop DB on "[192.168.10.43]".
waiting for server to shut down.... done
server stopped
2023-03-03 14:19:43 DB on "[192.168.10.43]" stop success.
2023-03-03 14:19:43 begin to stop DB on "[192.168.10.40]".
waiting for server to shut down.... done
server stopped
2023-03-03 14:19:43 DB on "[192.168.10.40]" stop success.
2023-03-03 14:19:44 Done.
2023-03-03 14:19:44 Ready to start all DB ...
2023-03-03 14:19:44 begin to start DB on "[192.168.10.40]".
waiting for server to start.... done
server started
2023-03-03 14:19:44 execute to start DB on "[192.168.10.40]" success, connect to check it.
2023-03-03 14:19:45 DB on "[192.168.10.40]" start success.
2023-03-03 14:19:45 Try to ping trusted_servers on host 192.168.10.40 ...
2023-03-03 14:19:48 Try to ping trusted_servers on host 192.168.10.43 ...
2023-03-03 14:19:50 begin to start DB on "[192.168.10.43]".
waiting for server to start.... done
server started
2023-03-03 14:19:51 execute to start DB on "[192.168.10.43]" success, connect to check it.
2023-03-03 14:19:52 DB on "[192.168.10.43]" start success.
ID | Name  | Role    | Status    | Upstream | Location | Priority | Timeline | LSN_Lag | Connection string
----+-------+---------+-----------+----------+----------+----------+----------+---------+---------------------------------------------------------------------------------------------------------------------------------------------------
1  | node1 | primary | * running |          | default  | 100      | 1        |         | host=192.168.10.40 user=esrep dbname=esrep port=54321 connect_timeout=10 keepalives=1 keepalives_idle=10 keepalives_interval=1 keepalives_count=3
2  | node2 | standby |   running | node1    | default  | 100      | 1        | 0 bytes | host=192.168.10.43 user=esrep dbname=esrep port=54321 connect_timeout=10 keepalives=1 keepalives_idle=10 keepalives_interval=1 keepalives_count=3
2023-03-03 14:19:52 The primary DB is started.
2023-03-03 14:19:52 begin to start repmgrd on "[192.168.10.40]".
[2023-03-03 14:19:53] [NOTICE] using provided configuration file "/home/kes_v8r6c7b12/cluster/kingbase/etc/repmgr.conf"
[2023-03-03 14:19:53] [NOTICE] redirecting logging output to "/home/kes_v8r6c7b12/cluster/kingbase/log/hamgr.log"
2023-03-03 14:19:54 repmgrd on "[192.168.10.40]" start success.
2023-03-03 14:19:54 begin to start repmgrd on "[192.168.10.43]".
[2023-03-03 14:19:55] [NOTICE] using provided configuration file "/home/kes_v8r6c7b12/cluster/kingbase/etc/repmgr.conf"
[2023-03-03 14:19:55] [NOTICE] redirecting logging output to "/home/kes_v8r6c7b12/cluster/kingbase/log/hamgr.log"
2023-03-03 14:19:56 repmgrd on "[192.168.10.43]" start success.
ID | Name  | Role    | Status    | Upstream | repmgrd | PID   | Paused? | Upstream last seen
----+-------+---------+-----------+----------+---------+-------+---------+--------------------
1  | node1 | primary | * running |          | running | 10436 | no      | n/a
2  | node2 | standby |   running | node1    | running | 5932  | no      | 1 second(s) ago
[2023-03-03 14:19:58] [NOTICE] redirecting logging output to "/home/kes_v8r6c7b12/cluster/kingbase/log/kbha.log"
[2023-03-03 14:20:00] [NOTICE] redirecting logging output to "/home/kes_v8r6c7b12/cluster/kingbase/log/kbha.log"
2023-03-03 14:20:01 Done.
[kes_v8r6c7b12@node1 ~]$
The cluster communication switch is now complete.
V. Verify that the switch succeeded:
Use a KingbaseES backup run to check which communication service the cluster uses.
Run the following command and watch the trace output of the backup:
sh -x sys_backup.sh init
If the output contains lines like the following, the cluster's communication service was switched successfully:
sys_securecmd -q -n -o ConnectTimeout=30 -o StrictHostKeyChecking=no -o PreferredAuthentications=publickey
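An added check for this verification step (not part of KingbaseES): trace_launcher reads an sh -x trace on stdin and reports whether the traced commands launch sys_securecmd/sys_secureftp, ssh/scp, both, or neither, and switched_to_scmd succeeds only for a trace that uses sys_securecmd and never falls back to ssh. SAMPLE_TRACE is a constructed trace, not real sys_backup.sh output, and the function names are assumptions.

```shell
#!/bin/sh
# Added verification helper (not KingbaseES code): classify an `sh -x` trace by
# the remote launcher it invokes. Trace lines start with one or more "+" followed
# by a space; the first word after that prefix is the program being run.

# Constructed sample trace (not real sys_backup.sh output), embedded so the
# block runs offline. The option list mirrors the line shown in the article.
SAMPLE_TRACE='+ sys_securecmd -q -n -o ConnectTimeout=30 -o StrictHostKeyChecking=no -o PreferredAuthentications=publickey kes_v8r6c7b12@192.168.10.43 mkdir -p /home/kes_v8r6c7b12/backup
+ echo done'

# trace_launcher: read a trace on stdin and print "scmd", "ssh", "mixed" or "none".
trace_launcher() {
  scmd=0; ssh=0
  while IFS= read -r line; do
    case "$line" in +*) ;; *) continue ;; esac   # keep only traced command lines
    cmd=${line#"${line%%[!+ ]*}"}                 # strip the leading "+ " / "++ "
    cmd=${cmd%% *}                                # first word is the program
    case "${cmd##*/}" in                          # ignore any directory prefix
      sys_securecmd|sys_secureftp) scmd=$((scmd + 1)) ;;
      ssh|scp)                     ssh=$((ssh + 1)) ;;
    esac
  done
  if [ "$scmd" -gt 0 ] && [ "$ssh" -gt 0 ]; then echo mixed
  elif [ "$scmd" -gt 0 ]; then echo scmd
  elif [ "$ssh" -gt 0 ]; then echo ssh
  else echo none
  fi
}

# switched_to_scmd: succeed only when the trace on stdin uses sys_securecmd and no ssh.
switched_to_scmd() {
  [ "$(trace_launcher)" = scmd ]
}
```

In practice the check is `sh -x sys_backup.sh init 2>&1 | tee backup-trace.log | switched_to_scmd`; a "mixed" result means some step still shells out to ssh and the node is not fully switched, which the single grep suggested above would not reveal.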


From "ITPUB blog", link: https://blog.itpub.net/30162734/viewspace-2999906/. If reposting, please credit the source; otherwise legal liability may be pursued.
