案例说明:

在集群管理中,会使用到root权限(如ip、aring命令等),为安全需要,有的生产环境禁止普通用户su切换到root,本案例测试了禁止普通用户su切换到root对集群管理带来的影响。

集群节点信息:

  1.  ID | Name    | Role    | Status    | Upstream | repmgrd | PID  | Paused? | Upstream last seen
  2. ----+---------+---------+-----------+----------+---------+------+---------+--------------------
  3.  1  | node200 | primary | * running |          | running | 4459 | no      | n/a
  4.  2  | node201 | standby |   running | node200  | running | 3106 | no      | 0 second(s) ago

集群状态信息:

  1. [kingbase@node1 bin]$ ./repmgr cluster show
  2. ID | Name    | Role    | Status    | Upstream | Location | Priority | Timeline | Connection string
  3. ----+---------+---------+-----------+----------+----------+----------+----------+---------------------------------------------------------------------------------------------------------------------------------------------------
  4. 1  | node200 | primary | * running |          | default  | 100      | 17       | host=192.168.8.200 user=esrep dbname=esrep port=54321 connect_timeout=10 keepalives=1 keepalives_idle=10 keepalives_interval=1 keepalives_count=3
  5. 2  | node201 | standby |   running | node200  | default  | 100      | 17       | host=192.168.8.201 user=esrep dbname=esrep port=54321 connect_timeout=10 keepalives=1 keepalives_idle=10 keepalives_interval=1 keepalives_count=3

一、配置系统禁用su切换到root

  1. [kingbase@node1 bin]$ cat /etc/pam.d/su |grep use_uid
  2. #auth           sufficient      pam_wheel.so trust use_uid
  3. auth            required        pam_wheel.so use_uid
  4. account         sufficient      pam_succeed_if.so uid = 0 use_uid quiet

su用户切换测试:

  1. [kingbase@node1 bin]$ su -
  2. Password:
  3. su: Permission denied

二、集群管理测试

1、集群停止测试

  1. [kingbase@node1 bin]$ ./sys_monitor.sh stop
  2. 2022-12-05 11:37:53 Ready to stop all DB ...
  3. .......
  4. 2022-12-05 11:38:07 Done.
  6. #集群停止后,自动注释KINGBASECRON文件中的计划任务
  7. [kingbase@node1 bin]$ cat /etc/cron.d/KINGBASECRON 
  9. #*/1 * * * * kingbase . /etc/profile;/home/kingbase/cluster/R6C/R6HA/kingbase/bin/kbha -A daemon -f /home/kingbase/cluster/R6C/R6HA/kingbase/bin/../etc/repmgr.conf

2、集群启动测试

  1. [kingbase@node1 bin]$ ./sys_monitor.sh start
  2. 2022-12-05 11:38:43 Ready to start all DB ...
  3. ......
  5. 2022-12-05 11:39:19 repmgrd on "[192.168.8.200]" start success.
  6.  ID | Name    | Role    | Status    | Upstream | repmgrd | PID  | Paused? | Upstream last seen
  7. ----+---------+---------+-----------+----------+---------+------+---------+--------------------
  8.  1  | node200 | primary | * running |          | running | 4459 | no      | n/a
  9.  2  | node201 | standby |   running | node200  | running | 3106 | no      | 0 second(s) ago
  10. [2022-12-05 11:39:34] [NOTICE] redirecting logging output to "/home/kingbase/cluster/R6C/R6HA/kingbase/log/kbha.log"
  12. [2022-12-05 11:39:27] [NOTICE] redirecting logging output to "/home/kingbase/cluster/R6C/R6HA/kingbase/log/kbha.log"
  14. 2022-12-05 11:39:29 Done.
  16. #集群启动后,KINGBASECRON计划任务被启动
  17. [kingbase@node1 bin]$ cat /etc/cron.d/KINGBASECRON 
  19. */1 * * * * kingbase . /etc/profile;/home/kingbase/cluster/R6C/R6HA/kingbase/bin/kbha -A daemon -f /home/kingbase/cluster/R6C/R6HA/kingbase/bin/../etc/repmgr.conf

3、主备switchover切换测试

---如下所示,主备switchover可以正常切换。

  1. [kingbase@node2 bin]$ ./repmgr standby switchover -h 192.168.8.200 -U esrep -d esrep
  2. WARNING: following problems with command line parameters detected:
  3.   database connection parameters not required when executing UNKNOWN ACTION
  4. NOTICE: executing switchover on node "node201" (ID: 2)
  5. .......
  6. INFO: unpause node "node200" (ID 1) successfully
  7. INFO: unpausing repmgrd on node "node201" (ID 2)
  8. INFO: unpause node "node201" (ID 2) successfully
  9. NOTICE: STANDBY SWITCHOVER has completed successfully
  11. [kingbase@node2 bin]$ ./repmgr cluster show
  12.  ID | Name    | Role    | Status    | Upstream | Location | Priority | Timeline | Connection string
  13. ----+---------+---------+-----------+----------+----------+----------+----------+---------------------------------------------------------------------------------------------------------------------------------------------------
  14.  1  | node200 | standby |   running | node201  | default  | 100      | 17       | host=192.168.8.200 user=esrep dbname=esrep port=54321 connect_timeout=10 keepalives=1 keepalives_idle=10 keepalives_interval=1 keepalives_count=3
  15.  2  | node201 | primary | * running |          | default  | 100      | 18       | host=192.168.8.201 user=esrep dbname=esrep port=54321 connect_timeout=10 keepalives=1 keepalives_idle=10 keepalives_interval=1 keepalives_count=3

4、主备failover切换测试

----如下所示,主备failover切换成功。

  1. [kingbase@node2 bin]$ ./repmgr cluster show
  2.  ID | Name    | Role    | Status    | Upstream | Location | Priority | Timeline | Connection string
  3. ----+---------+---------+-----------+----------+----------+----------+----------+---------------------------------------------------------------------------------------------------------------------------------------------------
  4.  1  | node200 | standby |   running | node201  | default  | 100      | 17       | host=192.168.8.200 user=esrep dbname=esrep port=54321 connect_timeout=10 keepalives=1 keepalives_idle=10 keepalives_interval=1 keepalives_count=3
  5.  2  | node201 | primary | * running |          | default  | 100      | 18       | host=192.168.8.201 user=esrep dbname=esrep port=54321 connect_timeout=10 keepalives=1 keepalives_idle=10 keepalives_interval=1 keepalives_count=3
  7. [kingbase@node2 bin]$ ./sys_ctl stop -D ../data
  8. waiting for server to shut down...... done
  9. server stopped
  11.  [kingbase@node2 bin]$ ./repmgr cluster show
  12.  ID | Name    | Role    | Status    | Upstream | Location | Priority | Timeline | Connection string
  13. ----+---------+---------+-----------+----------+----------+----------+----------+-----------------------------------------------------------------------------------------------------------------------------------------------------
  14.  1  | node200 | primary | * running |          | default  | 100      | 19       | host=192.168.8.200 user=esrep dbname=esrep port=54321 connect_timeout=10 keepalives=10 keepalives_idle=10 keepalives_interval=10 keepalives_count=3
  15.  2  | node201 | standby |   running | node200  | default  | 100      | 19       | host=192.168.8.201 user=esrep dbname=esrep port=54321 connect_timeout=10 keepalives=10 keepalives_idle=10 keepalives_interval=10 keepalives_count=3

5、repmgrd进程管理

---如下所示,在节点repmgrd进程异常退出时,通过KINGBASECRON中计划任务,被kbha进程自动启动 。

  1. #查看节点repmgr进程
  2. [kingbase@node2 sys_log]$ ps -ef |grep repmgr
  3. kingbase  3106     1  0 11:39 ?        00:00:59 /home/kingbase/cluster/R6C/R6HA/kingbase/bin/repmgrd -d -v -f /home/kingbase/cluster/R6C/R6HA/kingbase/bin/../etc/repmgr.conf
  4. kingbase  3610     1  0 11:39 ?        00:00:16 /home/kingbase/cluster/R6C/R6HA/kingbase/bin/kbha -A daemon -f /home/kingbase/cluster/R6C/R6HA/kingbase/bin/../etc/repmgr.conf
  6. #模拟repmgr进程异常退出
  7. [kingbase@node2 sys_log]$ kill -9 3106  3610
  9. #repmgr进程被启动
  10. [kingbase@node2 sys_log]$ ps -ef |grep repmgr
  11. kingbase 14254     1  0 14:28 ?        00:00:00 /home/kingbase/cluster/R6C/R6HA/kingbase/bin/kbha -A daemon -f /home/kingbase/cluster/R6C/R6HA/kingbase/bin/../etc/repmgr.conf
  12. kingbase 14878     1  0 14:28 ?        00:00:00 /home/kingbase/cluster/R6C/R6HA/kingbase/bin/repmgrd -d -v -f /home/kingbase/cluster/R6C/R6HA/kingbase/bin/../etc/repmgr.conf

6、物理备份测试

---如下所示 ,在主库执行sys_backup.sh init的备份初始化成功。

  1. [kingbase@node1 bin]$ ./sys_backup.sh init
  2. # generate single sys_rman.conf...DONE
  3. # update single archive_command with sys_rman.archive-push...DONE
  4. # create stanza and check...(maybe 60+ seconds)
  5. # create stanza and check...DONE
  6. # initial first full backup...(maybe several minutes)
  7. # initial first full backup...DONE
  8. # Initial sys_rman OK.
  9. 'sys_backup.sh start' should be executed when need back-rest feature.
  11. #创建物理备份计划任务
  12. [kingbase@node1 bin]$ ./sys_backup.sh start
  13. Enable some sys_rman in crontab-daemon
  14. Set full-backup in 7 days
  15. Set incr-backup in 1 days
  16. 0 2 */7 * * kingbase /home/kingbase/cluster/R6C/R6HA/kingbase/bin/sys_rman --config=/home/kingbase/kbbr6_repo/sys_rman.conf --stanza=kingbase --archive-copy --type=full backup >> /home/kingbase/cluster/R6C/R6HA/kingbase/log/sys_rman_backup_full.log 2>&1
  17. 0 4 */1 * * kingbase /home/kingbase/cluster/R6C/R6HA/kingbase/bin/sys_rman --config=/home/kingbase/kbbr6_repo/sys_rman.conf --stanza=kingbase --archive-copy --type=incr backup >> /home/kingbase/cluster/R6C/R6HA/kingbase/log/sys_rman_backup_incr.log 2>&1
  19. #查看计划任务
  20. [kingbase@node1 bin]$ cat /etc/cron.d/KINGBASECRON 
  22. */1 * * * * kingbase . /etc/profile;/home/kingbase/cluster/R6C/R6HA/kingbase/bin/kbha -A daemon -f /home/kingbase/cluster/R6C/R6HA/kingbase/bin/../etc/repmgr.conf
  23. 0 2 */7 * * kingbase /home/kingbase/cluster/R6C/R6HA/kingbase/bin/sys_rman --config=/home/kingbase/kbbr6_repo/sys_rman.conf --stanza=kingbase --archive-copy --type=full backup >> /home/kingbase/cluster/R6C/R6HA/kingbase/log/sys_rman_backup_full.log 2>&1
  24. 0 4 */1 * * kingbase /home/kingbase/cluster/R6C/R6HA/kingbase/bin/sys_rman --config=/home/kingbase/kbbr6_repo/sys_rman.conf --stanza=kingbase --archive-copy --type=incr backup >> /home/kingbase/cluster/R6C/R6HA/kingbase/log/sys_rman_backup_incr.log 2>&1

测试计划任务自动备份:

自动备份完成 :

  1. [kingbase@node1 bin]$ /home/kingbase/cluster/R6C/R6HA/kingbase/bin/sys_rman --config=/home/kingbase/kbbr6_repo/sys_rman.conf --stanza=kingbase info
  2. stanza: kingbase
  3.     status: ok
  4.     cipher: none
  6.     db (current)
  7.         wal archive min/max (V008R006C005B0023-1): 000000110000000200000032/000000130000000200000038
  9.         full backup: 20221205-113404F
  10.             timestamp start/stop: 2022-12-05 11:34:04 / 2022-12-05 11:35:58
  11.             wal start/stop: 000000110000000200000033 / 000000110000000200000033
  12.             database size: 710.9MB, backup size: 710.9MB
  13.             repository size: 54.9MB, repository backup size: 54.9MB
  15.         full backup: 20221205-144102F
  16.             timestamp start/stop: 2022-12-05 14:41:02 / 2022-12-05 14:42:38
  17.             wal start/stop: 000000130000000200000038 / 000000130000000200000038
  18.             database size: 807MB, backup size: 807MB
  19.             repository size: 61MB, repository backup size: 61MB

三、总结

通过以上对集群管理的测试可知,系统禁用普通用户su切换到root用户,集群日常管理不受影响。集群管理需要用到root用户,但是通过ssh远程执行的,而ssh配置在集群时就配置好,在集群管理时不需要用到su权限。

KingbaseES V8R6 集群运维案例 -- 禁止普通用户su到root的更多相关文章

  1. KingbaseES V8R6集群运维案例之---repmgr standby promote应用案例

    案例说明: 在容灾环境中,跨区域部署的异地备节点不会自主提升为主节点,在主节点发生故障或者人为需要切换时需要手动执行切换操作.若主节点已经失效,希望将异地备机提升为主节点. $bin/repmgr s ...

  2. KingbaseES V8R3集群运维案例之---主库系统down failover切换过程分析

    ​ 案例说明: KingbaseES V8R3集群failover时两个cluster都会触发,但只有一个cluster会调用脚本去执行真正的切换流程,另一个有对应的打印,但不会调用脚本,只是走相关的 ...

  3. KingbaseES V8R3集群运维案例之---kingbase_monitor.sh启动”two master“案例

    案例说明: KingbaseES V8R3集群,执行kingbase_monitor.sh启动集群,出现"two master"节点的故障,启动集群失败:通过手工sys_ctl启动 ...

  4. KingbaseES V8R3集群运维案例之---cluster.log ERROR: md5 authentication failed

    案例说明: 在KingbaseES V8R3集群的cluster.log日志中,经常会出现"ERROR: md5 authentication failed:DETAIL: password ...

  5. KingbaseES V8R3集群运维案例之---用户自定义表空间管理

    ​案例说明: KingbaseES 数据库支持用户自定义表空间的创建,并建议表空间的文件存储路径配置到数据库的data目录之外.本案例复现了,当用户自定义表空间存储路径配置到data下时,出现的故障问 ...

  6. kingbaseES V8R6集群备份恢复案例之---备库作为repo主机执行物理备份

    ​ 案例说明: 此案例是在KingbaseES V8R6集群环境下,当主库磁盘空间不足时,执行sys_rman备份,将集群的备库节点作为repo主机,执行备份,并将备份存储在备库的磁盘空间. 集群架构 ...

  7. KingbaseES V8R6集群外部备份案例

    案例说明: 本案例采用sys_backup.sh执行物理备份,备份使用如下逻辑架构:集群采用CentOS 7系统,repo采用kylin V10 Server. 一主一备+外部备份 此场景为主备双机常 ...

  8. KingbaseES V8R6集群管理运维案例之---repmgr standby switchover故障

    案例说明: 在KingbaseES V8R6集群备库执行"repmgr standby switchover"时,切换失败,并且在执行过程中,伴随着"repmr stan ...

  9. KingbaseES V8R6集群维护案例之---停用集群node_export进程

    案例说明: 在KingbaseES V8R6集群启动时,会启动node_exporter进程,此进程主要用于向kmonitor监控服务输出节点状态信息.在系统安全漏洞扫描中,提示出现以下安全漏洞: 对 ...

  10. KingbaseES V8R6集群维护之--修改数据库服务端口案例

    ​ 案例说明: 对于KingbaseES数据库单实例环境,只需要修改kingbase.conf文件的'port'参数即可,但是对于KingbaseES V8R6集群中涉及到多个配置文件的修改,并且在应 ...

随机推荐

  1. 使用webgl(three.js)创建自动化抽象化3D机房,3D机房模块详细介绍(抽象版一)

    目前市面上有两种机房 一种是普通机房 一种是由微模块组成的机房,本文主要介绍普通机房的抽象化体现模式. 抽象机房模式:机房展示过程中,我们需要对机房进行建模,当遇到大量机房需要建模时,这无疑是巨大工作 ...

  2. 树莓派/Linux ubuntu 开机自动改网络mac地址(主要适用于拷贝内存卡的情况/不同树莓派mac地址不同)

    树莓派/Linux ubuntu 开机自动改网络mac地址(主要适用于拷贝内存卡的情况/不同树莓派mac地址不同) yaml文件名根据自己原卡中名字更改 address=$(cat /sys/clas ...

  3. 学习go语言编程之常量

    什么在常量 在Golang中,常量是指在编译期就已知且不可改变的值. 字面常量 在程序中硬编码的常量值被称为字面常量,如: -12 // 整数类型常量 3.1415926 // 浮点类型常量 3.2+ ...

  4. 7z命令

    文件解压缩命令 语法格式:7z 参数 文件名 常用参数 a 向压缩包中添加文件 t 测试压缩包的完整性 d 从压缩包中删除文件 u 更新压缩包中的文件 e 从压缩包中提取文件 x 解压文件时保留绝对路 ...

  5. 类型注解Callable

    from collections.abc import Callable """ Callable[[ParamType1, ParamType2], ReturnTyp ...

  6. channel管道

    channel 如果说goroutine是并发体的话,那么channels则是他们之间的通信机制.一个channel是一个通信机制,它可以让一个goroutine通过它给另一个goroutine发生值 ...

  7. Q查询的高级用法

    示例:如前端需要通过下拉框选择需要通过什么过滤字段来查询输入的关键字,后端如何使用Q查询过滤包含输入的关键字呢? def customers(request): search_field = requ ...

  8. KVM整理

    管理命令: virsh list --all 查看所有虚拟机状态 virsh start vm1 VM1开机 virsh shutdown vm1 VM1关机 virsh destroy vm1 强制 ...

  9. Netty笔记(4) - 对Http和WebSocket的支持、心跳检测机制

    对HTTP的支持 服务端代码: 向 PipeLine中 注册 HttpServerCodec Http协议的编码解码一体的Handler 处理Http请求 封装Http响应 public class ...

  10. foundation部分学习记录(更正更新中……)

    foundation部分学习记录(更新中--) 从FDB的角度看,它对上层只提供有序+事务+KV存储的抽象. 设计原则 模块化分割,尽量细分且模块之间相互解耦 例如事务系统内,其提交(write pa ...