Case description:

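Cluster management uses root privileges (for commands such as ip and arping). For security reasons, some production environments prohibit ordinary users from switching to root with su. This case tests how prohibiting ordinary users from using su to switch to root affects cluster management.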

Cluster node information:

 ID | Name    | Role    | Status    | Upstream | repmgrd | PID  | Paused? | Upstream last seen
----+---------+---------+-----------+----------+---------+------+---------+--------------------
1 | node200 | primary | * running | | running | 4459 | no | n/a
2 | node201 | standby | running | node200 | running | 3106 | no | 0 second(s) ago

Cluster status information:

[kingbase@node1 bin]$ ./repmgr cluster show
ID | Name | Role | Status | Upstream | Location | Priority | Timeline | Connection string
----+---------+---------+-----------+----------+----------+----------+----------+---------------------------------------------------------------------------------------------------------------------------------------------------
1 | node200 | primary | * running | | default | 100 | 17 | host=192.168.8.200 user=esrep dbname=esrep port=54321 connect_timeout=10 keepalives=1 keepalives_idle=10 keepalives_interval=1 keepalives_count=3
2 | node201 | standby | running | node200 | default | 100 | 17 | host=192.168.8.201 user=esrep dbname=esrep port=54321 connect_timeout=10 keepalives=1 keepalives_idle=10 keepalives_interval=1 keepalives_count=3

I. Configure the system to disable su to root

[kingbase@node1 bin]$ cat /etc/pam.d/su |grep use_uid
#auth sufficient pam_wheel.so trust use_uid
auth required pam_wheel.so use_uid
account sufficient pam_succeed_if.so uid = 0 use_uid quiet

su user-switch test:

[kingbase@node1 bin]$ su -
Password:
su: Permission denied
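
The check below is an added example, not part of the original article or of KingbaseES: it classifies how a PAM su stack uses pam_wheel.so, so the setting above can be verified on every cluster node. The function names `su_wheel_policy` and `page_config_policy` are hypothetical, and only the simple keyword controls (required, requisite, sufficient) are interpreted.

```bash
#!/usr/bin/env bash
# Added example: classify how a PAM "su" stack uses pam_wheel.so.
# Output: enforced        su is limited to wheel members
#         enforced+trust  limited to wheel, and members may skip the password
#         trust           not limited; wheel members may skip the password
#         open            no active pam_wheel.so auth line
# Bracketed controls such as [success=1 default=ignore] are not interpreted.
su_wheel_policy() {
    local file="${1:-/dev/stdin}" kind control module rest enforced=0 trust=0
    while read -r kind control module rest || [ -n "$kind" ]; do
        case $kind in ''|\#*) continue ;; esac   # blank line or comment
        kind=${kind#-}                           # "-auth": stay quiet if the module is missing
        [ "$kind" = "auth" ] || continue
        case $module in pam_wheel.so|*/pam_wheel.so) ;; *) continue ;; esac
        case $control in
            required|requisite) enforced=1 ;;
            sufficient) case " $rest " in *" trust "*) trust=1 ;; esac ;;
        esac
    done < "$file"
    if [ "$enforced" -eq 1 ] && [ "$trust" -eq 1 ]; then echo "enforced+trust"
    elif [ "$enforced" -eq 1 ]; then echo "enforced"
    elif [ "$trust" -eq 1 ]; then echo "trust"
    else echo "open"; fi
}

# The three lines shown in this article's /etc/pam.d/su excerpt.
page_config_policy() {
    su_wheel_policy <<'EOF'
#auth sufficient pam_wheel.so trust use_uid
auth required pam_wheel.so use_uid
account sufficient pam_succeed_if.so uid = 0 use_uid quiet
EOF
}

echo "article excerpt: $(page_config_policy)"
```

On a real node, run `su_wheel_policy /etc/pam.d/su`; any result other than `enforced` means the restriction described in this section is not in effect as shown.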

II. Cluster management tests

1. Cluster stop test

[kingbase@node1 bin]$ ./sys_monitor.sh stop
2022-12-05 11:37:53 Ready to stop all DB ...
.......
2022-12-05 11:38:07 Done.

# After the cluster stops, the scheduled task in the KINGBASECRON file is automatically commented out
[kingbase@node1 bin]$ cat /etc/cron.d/KINGBASECRON
#*/1 * * * * kingbase . /etc/profile;/home/kingbase/cluster/R6C/R6HA/kingbase/bin/kbha -A daemon -f /home/kingbase/cluster/R6C/R6HA/kingbase/bin/../etc/repmgr.conf

2. Cluster start test

[kingbase@node1 bin]$ ./sys_monitor.sh start
2022-12-05 11:38:43 Ready to start all DB ...
......
2022-12-05 11:39:19 repmgrd on "[192.168.8.200]" start success.
ID | Name | Role | Status | Upstream | repmgrd | PID | Paused? | Upstream last seen
----+---------+---------+-----------+----------+---------+------+---------+--------------------
1 | node200 | primary | * running | | running | 4459 | no | n/a
2 | node201 | standby | running | node200 | running | 3106 | no | 0 second(s) ago
[2022-12-05 11:39:34] [NOTICE] redirecting logging output to "/home/kingbase/cluster/R6C/R6HA/kingbase/log/kbha.log"
[2022-12-05 11:39:27] [NOTICE] redirecting logging output to "/home/kingbase/cluster/R6C/R6HA/kingbase/log/kbha.log"
2022-12-05 11:39:29 Done.

# After the cluster starts, the KINGBASECRON scheduled task is enabled
[kingbase@node1 bin]$ cat /etc/cron.d/KINGBASECRON
*/1 * * * * kingbase . /etc/profile;/home/kingbase/cluster/R6C/R6HA/kingbase/bin/kbha -A daemon -f /home/kingbase/cluster/R6C/R6HA/kingbase/bin/../etc/repmgr.conf

3. Primary/standby switchover test

As shown below, the primary/standby switchover completes normally.

[kingbase@node2 bin]$ ./repmgr standby switchover -h 192.168.8.200 -U esrep -d esrep
WARNING: following problems with command line parameters detected:
database connection parameters not required when executing UNKNOWN ACTION
NOTICE: executing switchover on node "node201" (ID: 2)
.......
INFO: unpause node "node200" (ID 1) successfully
INFO: unpausing repmgrd on node "node201" (ID 2)
INFO: unpause node "node201" (ID 2) successfully
NOTICE: STANDBY SWITCHOVER has completed successfully

[kingbase@node2 bin]$ ./repmgr cluster show
ID | Name | Role | Status | Upstream | Location | Priority | Timeline | Connection string
----+---------+---------+-----------+----------+----------+----------+----------+---------------------------------------------------------------------------------------------------------------------------------------------------
1 | node200 | standby | running | node201 | default | 100 | 17 | host=192.168.8.200 user=esrep dbname=esrep port=54321 connect_timeout=10 keepalives=1 keepalives_idle=10 keepalives_interval=1 keepalives_count=3
2 | node201 | primary | * running | | default | 100 | 18 | host=192.168.8.201 user=esrep dbname=esrep port=54321 connect_timeout=10 keepalives=1 keepalives_idle=10 keepalives_interval=1 keepalives_count=3

4. Primary/standby failover test

As shown below, the primary/standby failover succeeds.

[kingbase@node2 bin]$ ./repmgr cluster show
ID | Name | Role | Status | Upstream | Location | Priority | Timeline | Connection string
----+---------+---------+-----------+----------+----------+----------+----------+---------------------------------------------------------------------------------------------------------------------------------------------------
1 | node200 | standby | running | node201 | default | 100 | 17 | host=192.168.8.200 user=esrep dbname=esrep port=54321 connect_timeout=10 keepalives=1 keepalives_idle=10 keepalives_interval=1 keepalives_count=3
2 | node201 | primary | * running | | default | 100 | 18 | host=192.168.8.201 user=esrep dbname=esrep port=54321 connect_timeout=10 keepalives=1 keepalives_idle=10 keepalives_interval=1 keepalives_count=3

[kingbase@node2 bin]$ ./sys_ctl stop -D ../data
waiting for server to shut down...... done
server stopped

[kingbase@node2 bin]$ ./repmgr cluster show
ID | Name | Role | Status | Upstream | Location | Priority | Timeline | Connection string
----+---------+---------+-----------+----------+----------+----------+----------+-----------------------------------------------------------------------------------------------------------------------------------------------------
1 | node200 | primary | * running | | default | 100 | 19 | host=192.168.8.200 user=esrep dbname=esrep port=54321 connect_timeout=10 keepalives=10 keepalives_idle=10 keepalives_interval=10 keepalives_count=3
2 | node201 | standby | running | node200 | default | 100 | 19 | host=192.168.8.201 user=esrep dbname=esrep port=54321 connect_timeout=10 keepalives=10 keepalives_idle=10 keepalives_interval=10 keepalives_count=3

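5. repmgrd process management

As shown below, when the repmgrd process on a node exits abnormally, it is started again automatically by the kbha process, through the scheduled task in KINGBASECRON.

# Check the repmgr processes on the node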
[kingbase@node2 sys_log]$ ps -ef |grep repmgr
kingbase 3106 1 0 11:39 ? 00:00:59 /home/kingbase/cluster/R6C/R6HA/kingbase/bin/repmgrd -d -v -f /home/kingbase/cluster/R6C/R6HA/kingbase/bin/../etc/repmgr.conf
kingbase 3610 1 0 11:39 ? 00:00:16 /home/kingbase/cluster/R6C/R6HA/kingbase/bin/kbha -A daemon -f /home/kingbase/cluster/R6C/R6HA/kingbase/bin/../etc/repmgr.conf

# Simulate an abnormal exit of the repmgr processes
[kingbase@node2 sys_log]$ kill -9 3106 3610

# The repmgr processes have been started again
[kingbase@node2 sys_log]$ ps -ef |grep repmgr
kingbase 14254 1 0 14:28 ? 00:00:00 /home/kingbase/cluster/R6C/R6HA/kingbase/bin/kbha -A daemon -f /home/kingbase/cluster/R6C/R6HA/kingbase/bin/../etc/repmgr.conf
kingbase 14878 1 0 14:28 ? 00:00:00 /home/kingbase/cluster/R6C/R6HA/kingbase/bin/repmgrd -d -v -f /home/kingbase/cluster/R6C/R6HA/kingbase/bin/../etc/repmgr.conf

6. Physical backup test

As shown below, the backup initialization with sys_backup.sh init on the primary succeeds.

[kingbase@node1 bin]$ ./sys_backup.sh init
# generate single sys_rman.conf...DONE
# update single archive_command with sys_rman.archive-push...DONE
# create stanza and check...(maybe 60+ seconds)
# create stanza and check...DONE
# initial first full backup...(maybe several minutes)
# initial first full backup...DONE
# Initial sys_rman OK.
'sys_backup.sh start' should be executed when need back-rest feature.

# Create the physical backup scheduled tasks
[kingbase@node1 bin]$ ./sys_backup.sh start
Enable some sys_rman in crontab-daemon
Set full-backup in 7 days
Set incr-backup in 1 days
0 2 */7 * * kingbase /home/kingbase/cluster/R6C/R6HA/kingbase/bin/sys_rman --config=/home/kingbase/kbbr6_repo/sys_rman.conf --stanza=kingbase --archive-copy --type=full backup >> /home/kingbase/cluster/R6C/R6HA/kingbase/log/sys_rman_backup_full.log 2>&1
0 4 */1 * * kingbase /home/kingbase/cluster/R6C/R6HA/kingbase/bin/sys_rman --config=/home/kingbase/kbbr6_repo/sys_rman.conf --stanza=kingbase --archive-copy --type=incr backup >> /home/kingbase/cluster/R6C/R6HA/kingbase/log/sys_rman_backup_incr.log 2>&1

# View the scheduled tasks
[kingbase@node1 bin]$ cat /etc/cron.d/KINGBASECRON
*/1 * * * * kingbase . /etc/profile;/home/kingbase/cluster/R6C/R6HA/kingbase/bin/kbha -A daemon -f /home/kingbase/cluster/R6C/R6HA/kingbase/bin/../etc/repmgr.conf
0 2 */7 * * kingbase /home/kingbase/cluster/R6C/R6HA/kingbase/bin/sys_rman --config=/home/kingbase/kbbr6_repo/sys_rman.conf --stanza=kingbase --archive-copy --type=full backup >> /home/kingbase/cluster/R6C/R6HA/kingbase/log/sys_rman_backup_full.log 2>&1
0 4 */1 * * kingbase /home/kingbase/cluster/R6C/R6HA/kingbase/bin/sys_rman --config=/home/kingbase/kbbr6_repo/sys_rman.conf --stanza=kingbase --archive-copy --type=incr backup >> /home/kingbase/cluster/R6C/R6HA/kingbase/log/sys_rman_backup_incr.log 2>&1

Testing the scheduled automatic backup:

Automatic backup completed:

[kingbase@node1 bin]$ /home/kingbase/cluster/R6C/R6HA/kingbase/bin/sys_rman --config=/home/kingbase/kbbr6_repo/sys_rman.conf --stanza=kingbase info
stanza: kingbase
    status: ok
    cipher: none

    db (current)
        wal archive min/max (V008R006C005B0023-1): 000000110000000200000032/000000130000000200000038

        full backup: 20221205-113404F
            timestamp start/stop: 2022-12-05 11:34:04 / 2022-12-05 11:35:58
            wal start/stop: 000000110000000200000033 / 000000110000000200000033
            database size: 710.9MB, backup size: 710.9MB
            repository size: 54.9MB, repository backup size: 54.9MB

        full backup: 20221205-144102F
            timestamp start/stop: 2022-12-05 14:41:02 / 2022-12-05 14:42:38
            wal start/stop: 000000130000000200000038 / 000000130000000200000038
            database size: 807MB, backup size: 807MB
            repository size: 61MB, repository backup size: 61MB

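III. Summary

The cluster management tests above show that when the system prohibits ordinary users from switching to root with su, routine cluster management is not affected. Cluster management does need the root user, but those operations are executed remotely over ssh, and ssh is configured when the cluster is deployed, so su privileges are not needed during cluster management.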
