案例说明:

在集群管理中,会使用到root权限(如ip、aring命令等),为安全需要,有的生产环境禁止普通用户su切换到root,本案例测试了禁止普通用户su切换到root对集群管理带来的影响。

集群节点信息:

 ID | Name    | Role    | Status    | Upstream | repmgrd | PID  | Paused? | Upstream last seen

----+---------+---------+-----------+----------+---------+------+---------+--------------------

 1  | node200 | primary | * running |          | running | 4459 | no      | n/a

 2  | node201 | standby |   running | node200  | running | 3106 | no      | 0 second(s) ago

集群状态信息:

[kingbase@node1 bin]$ ./repmgr cluster show

ID | Name    | Role    | Status    | Upstream | Location | Priority | Timeline | Connection string

----+---------+---------+-----------+----------+----------+----------+----------+---------------------------------------------------------------------------------------------------------------------------------------------------

1  | node200 | primary | * running |          | default  | 100      | 17       | host=192.168.8.200 user=esrep dbname=esrep port=54321 connect_timeout=10 keepalives=1 keepalives_idle=10 keepalives_interval=1 keepalives_count=3

2  | node201 | standby |   running | node200  | default  | 100      | 17       | host=192.168.8.201 user=esrep dbname=esrep port=54321 connect_timeout=10 keepalives=1 keepalives_idle=10 keepalives_interval=1 keepalives_count=3

一、配置系统禁用su切换到root

[kingbase@node1 bin]$ cat /etc/pam.d/su |grep use_uid

#auth           sufficient      pam_wheel.so trust use_uid

auth            required        pam_wheel.so use_uid

account         sufficient      pam_succeed_if.so uid = 0 use_uid quiet

su用户切换测试:

[kingbase@node1 bin]$ su -

Password:

su: Permission denied

二、集群管理测试

1、集群停止测试

[kingbase@node1 bin]$ ./sys_monitor.sh stop

2022-12-05 11:37:53 Ready to stop all DB ...

.......

2022-12-05 11:38:07 Done.

#集群停止后,自动注释KINGBASECRON文件中的计划任务

[kingbase@node1 bin]$ cat /etc/cron.d/KINGBASECRON 

#*/1 * * * * kingbase . /etc/profile;/home/kingbase/cluster/R6C/R6HA/kingbase/bin/kbha -A daemon -f /home/kingbase/cluster/R6C/R6HA/kingbase/bin/../etc/repmgr.conf

2、集群启动测试

[kingbase@node1 bin]$ ./sys_monitor.sh start

2022-12-05 11:38:43 Ready to start all DB ...

......

2022-12-05 11:39:19 repmgrd on "[192.168.8.200]" start success.

 ID | Name    | Role    | Status    | Upstream | repmgrd | PID  | Paused? | Upstream last seen

----+---------+---------+-----------+----------+---------+------+---------+--------------------

 1  | node200 | primary | * running |          | running | 4459 | no      | n/a

 2  | node201 | standby |   running | node200  | running | 3106 | no      | 0 second(s) ago

[2022-12-05 11:39:34] [NOTICE] redirecting logging output to "/home/kingbase/cluster/R6C/R6HA/kingbase/log/kbha.log"

[2022-12-05 11:39:27] [NOTICE] redirecting logging output to "/home/kingbase/cluster/R6C/R6HA/kingbase/log/kbha.log"

2022-12-05 11:39:29 Done.

#集群启动后,KINGBASECRON计划任务被启动

[kingbase@node1 bin]$ cat /etc/cron.d/KINGBASECRON 

*/1 * * * * kingbase . /etc/profile;/home/kingbase/cluster/R6C/R6HA/kingbase/bin/kbha -A daemon -f /home/kingbase/cluster/R6C/R6HA/kingbase/bin/../etc/repmgr.conf

3、主备switchover切换测试

---如下所示,主备switchover可以正常切换。

[kingbase@node2 bin]$ ./repmgr standby switchover -h 192.168.8.200 -U esrep -d esrep

WARNING: following problems with command line parameters detected:

  database connection parameters not required when executing UNKNOWN ACTION

NOTICE: executing switchover on node "node201" (ID: 2)

.......

INFO: unpause node "node200" (ID 1) successfully

INFO: unpausing repmgrd on node "node201" (ID 2)

INFO: unpause node "node201" (ID 2) successfully

NOTICE: STANDBY SWITCHOVER has completed successfully

[kingbase@node2 bin]$ ./repmgr cluster show

 ID | Name    | Role    | Status    | Upstream | Location | Priority | Timeline | Connection string

----+---------+---------+-----------+----------+----------+----------+----------+---------------------------------------------------------------------------------------------------------------------------------------------------

 1  | node200 | standby |   running | node201  | default  | 100      | 17       | host=192.168.8.200 user=esrep dbname=esrep port=54321 connect_timeout=10 keepalives=1 keepalives_idle=10 keepalives_interval=1 keepalives_count=3

 2  | node201 | primary | * running |          | default  | 100      | 18       | host=192.168.8.201 user=esrep dbname=esrep port=54321 connect_timeout=10 keepalives=1 keepalives_idle=10 keepalives_interval=1 keepalives_count=3

4、主备failover切换测试

----如下所示,主备failover切换成功。

[kingbase@node2 bin]$ ./repmgr cluster show

 ID | Name    | Role    | Status    | Upstream | Location | Priority | Timeline | Connection string

----+---------+---------+-----------+----------+----------+----------+----------+---------------------------------------------------------------------------------------------------------------------------------------------------

 1  | node200 | standby |   running | node201  | default  | 100      | 17       | host=192.168.8.200 user=esrep dbname=esrep port=54321 connect_timeout=10 keepalives=1 keepalives_idle=10 keepalives_interval=1 keepalives_count=3

 2  | node201 | primary | * running |          | default  | 100      | 18       | host=192.168.8.201 user=esrep dbname=esrep port=54321 connect_timeout=10 keepalives=1 keepalives_idle=10 keepalives_interval=1 keepalives_count=3

[kingbase@node2 bin]$ ./sys_ctl stop -D ../data

waiting for server to shut down...... done

server stopped

 [kingbase@node2 bin]$ ./repmgr cluster show

 ID | Name    | Role    | Status    | Upstream | Location | Priority | Timeline | Connection string

----+---------+---------+-----------+----------+----------+----------+----------+-----------------------------------------------------------------------------------------------------------------------------------------------------

 1  | node200 | primary | * running |          | default  | 100      | 19       | host=192.168.8.200 user=esrep dbname=esrep port=54321 connect_timeout=10 keepalives=10 keepalives_idle=10 keepalives_interval=10 keepalives_count=3

 2  | node201 | standby |   running | node200  | default  | 100      | 19       | host=192.168.8.201 user=esrep dbname=esrep port=54321 connect_timeout=10 keepalives=10 keepalives_idle=10 keepalives_interval=10 keepalives_count=3

5、repmgrd进程管理

---如下所示,在节点repmgrd进程异常退出时,通过KINGBASECRON中计划任务,被kbha进程自动启动 。

#查看节点repmgr进程

[kingbase@node2 sys_log]$ ps -ef |grep repmgr

kingbase  3106     1  0 11:39 ?        00:00:59 /home/kingbase/cluster/R6C/R6HA/kingbase/bin/repmgrd -d -v -f /home/kingbase/cluster/R6C/R6HA/kingbase/bin/../etc/repmgr.conf

kingbase  3610     1  0 11:39 ?        00:00:16 /home/kingbase/cluster/R6C/R6HA/kingbase/bin/kbha -A daemon -f /home/kingbase/cluster/R6C/R6HA/kingbase/bin/../etc/repmgr.conf

#模拟repmgr进程异常退出

[kingbase@node2 sys_log]$ kill -9 3106  3610

#repmgr进程被启动

[kingbase@node2 sys_log]$ ps -ef |grep repmgr

kingbase 14254     1  0 14:28 ?        00:00:00 /home/kingbase/cluster/R6C/R6HA/kingbase/bin/kbha -A daemon -f /home/kingbase/cluster/R6C/R6HA/kingbase/bin/../etc/repmgr.conf

kingbase 14878     1  0 14:28 ?        00:00:00 /home/kingbase/cluster/R6C/R6HA/kingbase/bin/repmgrd -d -v -f /home/kingbase/cluster/R6C/R6HA/kingbase/bin/../etc/repmgr.conf

6、物理备份测试

---如下所示 ,在主库执行sys_backup.sh init的备份初始化成功。

[kingbase@node1 bin]$ ./sys_backup.sh init

# generate single sys_rman.conf...DONE

# update single archive_command with sys_rman.archive-push...DONE

# create stanza and check...(maybe 60+ seconds)

# create stanza and check...DONE

# initial first full backup...(maybe several minutes)

# initial first full backup...DONE

# Initial sys_rman OK.

'sys_backup.sh start' should be executed when need back-rest feature.

#创建物理备份计划任务

[kingbase@node1 bin]$ ./sys_backup.sh start

Enable some sys_rman in crontab-daemon

Set full-backup in 7 days

Set incr-backup in 1 days

0 2 */7 * * kingbase /home/kingbase/cluster/R6C/R6HA/kingbase/bin/sys_rman --config=/home/kingbase/kbbr6_repo/sys_rman.conf --stanza=kingbase --archive-copy --type=full backup >> /home/kingbase/cluster/R6C/R6HA/kingbase/log/sys_rman_backup_full.log 2>&1

0 4 */1 * * kingbase /home/kingbase/cluster/R6C/R6HA/kingbase/bin/sys_rman --config=/home/kingbase/kbbr6_repo/sys_rman.conf --stanza=kingbase --archive-copy --type=incr backup >> /home/kingbase/cluster/R6C/R6HA/kingbase/log/sys_rman_backup_incr.log 2>&1

#查看计划任务

[kingbase@node1 bin]$ cat /etc/cron.d/KINGBASECRON 

*/1 * * * * kingbase . /etc/profile;/home/kingbase/cluster/R6C/R6HA/kingbase/bin/kbha -A daemon -f /home/kingbase/cluster/R6C/R6HA/kingbase/bin/../etc/repmgr.conf

0 2 */7 * * kingbase /home/kingbase/cluster/R6C/R6HA/kingbase/bin/sys_rman --config=/home/kingbase/kbbr6_repo/sys_rman.conf --stanza=kingbase --archive-copy --type=full backup >> /home/kingbase/cluster/R6C/R6HA/kingbase/log/sys_rman_backup_full.log 2>&1

0 4 */1 * * kingbase /home/kingbase/cluster/R6C/R6HA/kingbase/bin/sys_rman --config=/home/kingbase/kbbr6_repo/sys_rman.conf --stanza=kingbase --archive-copy --type=incr backup >> /home/kingbase/cluster/R6C/R6HA/kingbase/log/sys_rman_backup_incr.log 2>&1

测试计划任务自动备份:

自动备份完成 :

[kingbase@node1 bin]$ /home/kingbase/cluster/R6C/R6HA/kingbase/bin/sys_rman --config=/home/kingbase/kbbr6_repo/sys_rman.conf --stanza=kingbase info

stanza: kingbase

    status: ok

    cipher: none

    db (current)

        wal archive min/max (V008R006C005B0023-1): 000000110000000200000032/000000130000000200000038

        full backup: 20221205-113404F

            timestamp start/stop: 2022-12-05 11:34:04 / 2022-12-05 11:35:58

            wal start/stop: 000000110000000200000033 / 000000110000000200000033

            database size: 710.9MB, backup size: 710.9MB

            repository size: 54.9MB, repository backup size: 54.9MB

        full backup: 20221205-144102F

            timestamp start/stop: 2022-12-05 14:41:02 / 2022-12-05 14:42:38

            wal start/stop: 000000130000000200000038 / 000000130000000200000038

            database size: 807MB, backup size: 807MB

            repository size: 61MB, repository backup size: 61MB

三、总结

通过以上对集群管理的测试可知,系统禁用普通用户su切换到root用户,集群日常管理不受影响。集群管理需要用到root用户,但是通过ssh远程执行的,而ssh配置在集群时就配置好,在集群管理时不需要用到su权限。

KingbaseES V8R6 集群运维案例 -- 禁止普通用户su到root的更多相关文章

  1. KingbaseES V8R6集群运维案例之---repmgr standby promote应用案例

    案例说明: 在容灾环境中,跨区域部署的异地备节点不会自主提升为主节点,在主节点发生故障或者人为需要切换时需要手动执行切换操作.若主节点已经失效,希望将异地备机提升为主节点. $bin/repmgr s ...

  2. KingbaseES V8R3集群运维案例之---主库系统down failover切换过程分析

    ​ 案例说明: KingbaseES V8R3集群failover时两个cluster都会触发,但只有一个cluster会调用脚本去执行真正的切换流程,另一个有对应的打印,但不会调用脚本,只是走相关的 ...

  3. KingbaseES V8R3集群运维案例之---kingbase_monitor.sh启动”two master“案例

    案例说明: KingbaseES V8R3集群,执行kingbase_monitor.sh启动集群,出现"two master"节点的故障,启动集群失败:通过手工sys_ctl启动 ...

  4. KingbaseES V8R3集群运维案例之---cluster.log ERROR: md5 authentication failed

    案例说明: 在KingbaseES V8R3集群的cluster.log日志中,经常会出现"ERROR: md5 authentication failed:DETAIL: password ...

  5. KingbaseES V8R3集群运维案例之---用户自定义表空间管理

    ​案例说明: KingbaseES 数据库支持用户自定义表空间的创建,并建议表空间的文件存储路径配置到数据库的data目录之外.本案例复现了,当用户自定义表空间存储路径配置到data下时,出现的故障问 ...

  6. kingbaseES V8R6集群备份恢复案例之---备库作为repo主机执行物理备份

    ​ 案例说明: 此案例是在KingbaseES V8R6集群环境下,当主库磁盘空间不足时,执行sys_rman备份,将集群的备库节点作为repo主机,执行备份,并将备份存储在备库的磁盘空间. 集群架构 ...

  7. KingbaseES V8R6集群外部备份案例

    案例说明: 本案例采用sys_backup.sh执行物理备份,备份使用如下逻辑架构:集群采用CentOS 7系统,repo采用kylin V10 Server. 一主一备+外部备份 此场景为主备双机常 ...

  8. KingbaseES V8R6集群管理运维案例之---repmgr standby switchover故障

    案例说明: 在KingbaseES V8R6集群备库执行"repmgr standby switchover"时,切换失败,并且在执行过程中,伴随着"repmr stan ...

  9. KingbaseES V8R6集群维护案例之---停用集群node_export进程

    案例说明: 在KingbaseES V8R6集群启动时,会启动node_exporter进程,此进程主要用于向kmonitor监控服务输出节点状态信息.在系统安全漏洞扫描中,提示出现以下安全漏洞: 对 ...

  10. KingbaseES V8R6集群维护之--修改数据库服务端口案例

    ​ 案例说明: 对于KingbaseES数据库单实例环境,只需要修改kingbase.conf文件的'port'参数即可,但是对于KingbaseES V8R6集群中涉及到多个配置文件的修改,并且在应 ...

随机推荐

  1. SpringBoot+MyBatisPlus+Thymeleaf+AdminLTE增删改查实战

    说明 AdminLTE是网络上比较流行的一款Bootstrap模板,包含丰富的样式.组件和插件,非常适用于后端开发人员做后台管理系统. 因为最近又做了个后台管理系统,这次就选的是AdminLTE做主题 ...

  2. Kotlin 协程五 —— 在Android 中使用 Kotlin 协程

    目录 一.Android MVVM 结构 二.添加依赖 三.在后台线程中执行 3.1 协程解决了什么问题 3.2 保证主线程安全 3.3 withContext 的性能 四.结构化并发 4.1 追踪协 ...

  3. 逆向实战31——xhs—xs算法分析

    前言 本文章中所有内容仅供学习交流,抓包内容.敏感网址.数据接口均已做脱敏处理,严禁用于商业用途和非法用途,否则由此产生的一切后果均与作者无关,若有侵权,请联系我立即删除! 公众号链接 目标网站 aH ...

  4. 【Azure 应用服务】Python fastapi Function在Azure中遇见AttributeError异常(AttributeError: 'AsgiMiddleware' object has no attribute 'handle_async')

    问题描述 参考文档"Using FastAPI Framework with Azure Functions", 使用FastAPI 模块在Function中实现API请求.通过V ...

  5. java 考试易考识记题目(一)

    笔者擅长 C# 语言,4月份要考试,学习 JAVA 是为了考试罢了. 如何在最短时间内学习 JAVA 基础语法和通过考试考核呢~ 学习 JAVA ,要为了应付考试,判断.循环这部分,C.C++.C#. ...

  6. 【转载】大数据OLAP系统--开源组件方案对比

    开源大数据OLAP组件,可以分为MOLAP和ROLAP两类.ROLAP中又可细分为MPP数据库和SQL引擎两类.对于SQL引擎又可以再细分为基于MPP架构的SQL引擎和基于通用计算框架的SQL引擎: ...

  7. 文心一言 VS 讯飞星火 VS chatgpt (207)-- 算法导论15.4 4题

    四.说明如何只使用表 c 中 2*min(m,n) 个表项及O(1)的额外空间来计算LCS的长度.然后说明如何只用 min(m,n) 个表项及O(1)的额外空间完成相同的工作.要写代码的时候,请用go ...

  8. Linux操作系统加固建议

    1.1.1 口令锁定策略 1.执行备份 (1).redhat执行备份: #cp -p /etc/pam.d/system-auth /etc/pam.d/system-auth_bak (2).SUS ...

  9. 掌握pandas cut函数,一键实现数据分类

    pandas中的cut函数可将一维数据按照给定的区间进行分组,并为每个值分配对应的标签.其主要功能是将连续的数值数据转化为离散的分组数据,方便进行分析和统计. 1. 数据准备 下面的示例中使用的数据采 ...

  10. GitHUb上渗透测试工具

    来自GitHub的系列渗透测试工具渗透测试 Kali - GNU / Linux发行版,专为数字取证和渗透测试而设计.(https://www.kali.org/)ArchStrike - 为安全专业 ...