案例说明:
在KingbaseES V8R6的后期版本中,为了解决有的主机之间不允许root用户ssh登录的问题,使用了securecmdd作为集群部署分发和通讯的服务,有生产环境通过漏洞扫描,在8890(securecmdd默认通讯端口)发现安全漏洞,需要将集群的通讯改为ssh(默认部署后,使用的是securecmdd通讯),本案例详细介绍了修改方法。
Tips:
本案例只用于通用机环境,专用机只能用securecmdd通讯。
适用版本:
KingbaseES V8R6
一、验证集群节点ssh互信
1. 数据库用户(kingbase)在节点间建立ssh互信
2. root用户在节点间建立ssh互信。
3. kingbase和root之间建立节点间及本节点ssh互信。
二、修改集群securecmdd配置(all nodes)
Tips:
集群部署完成后,只需要修改repmgr.conf的配置即可。
三、关闭securecmdd服务(all nodes)
[root@node102 .ssh]# systemctl stop securecmdd
四、重启集群验证
1、重启集群服务
[kingbase@node101 bin]$ ./sys_monitor.sh restart
2022-08-18 14:05:25 Ready to stop all DB ...
......
ID | Name | Role | Status | Upstream | repmgrd | PID | Paused? | Upstream last seen
----+---------+---------+-----------+----------+---------+-------+---------+--------------------
1 | node101 | primary | * running | | running | 18851 | no | n/a
2 | node102 | standby | running | node101 | running | 22815 | no | 1 second(s) ago
[2022-08-18 14:05:59] [NOTICE] redirecting logging output to "/home/kingbase/cluster/R6HA/kha/kingbase/log/kbha.log"
[2022-08-18 14:06:03] [NOTICE] redirecting logging output to "/home/kingbase/cluster/R6HA/kha/kingbase/log/kbha.log"
2022-08-18 14:06:06 Done.
=如下所示,sys_monitor.sh根据repmgr.conf配置,自动选择ssh执行节点间的通讯。=
2、查看集群节点状态
[kingbase@node101 bin]$ ./repmgr cluster show
ID | Name | Role | Status | Upstream | Location | Priority | Timeline | Connection string
----+---------+---------+-----------+----------+----------+----------+----------+----------------------------------------------------------------------------------------------------------------------------------------------------
1 | node101 | primary | * running | | default | 100 | 9 | host=192.168.1.101 user=system dbname=esrep port=54321 connect_timeout=10 keepalives=1 keepalives_idle=10 keepalives_interval=1 keepalives_count=3
2 | node102 | standby | running | node101 | default | 100 | 9 | host=192.168.1.102 user=system dbname=esrep port=54321 connect_timeout=10 keepalives=1 keepalives_idle=10 keepalives_interval=1 keepalives_count=3
五、总结
对于KingbaseES V8R6的集群在部署后,默认启用securecmdd进行节点通讯,如果在通用机环境允许建立用户的ssh互信,可以直接通过ssh通讯,不使用securecmdd来通讯。