温馨提示:要看高清无码套图,请使用手机打开并单击图片放大查看。
1.文档编写目的
在前面的文章中Fayson介绍过《如何在CDH集群启用Kerberos》,对于一个启用了Kerberos的正式生产系统,还需要考虑KDC的高可用。而Kerberos服务是支持配置为主备模式的,数据同步是通过kprop服务将主节点的数据同步到备节点。本文主要讲述如何配置Kerberos服务的高可用。
内容概述
1.备节点安装Kerberos服务
2.主备节点Kerberos配置修改
3.主节点数据同步至备节点并配置同步任务
1.操作系统RedHat7.2
2.采用sudo权限的ec2-user用户
3.Kerberos节点
ip-172-31-22-86.ap-southeast-1.compute.internal(主)
ip-172-31-21-45.ap-southeast-1.compute.internal(备)
前置条件
1.主Kerberos已安装并与CDH集成
2.备节点安装Kerberos服务
[ec2-user@ip-172-31-21-45 ~]$ sudo yum -y install krb5-server krb5-libs krb5-auth-dialog krb5-workstation
注意:此处只安装服务,暂不做相应配置及启动服务。
3.主Kerberos节点操作
1.修改/etc/krb5.conf的配置文件,在realms配置下增加备Kerberos的配置
[realms]
CLOUDERA.COM = {
kdc = ip-172-31-22-86.ap-southeast-1.compute.internal
admin_server = ip-172-31-22-86.ap-southeast-1.compute.internal
kdc = ip-172-31-21-45.ap-southeast-1.compute.internal
admin_server = ip-172-31-21-45.ap-southeast-1.compute.internal
}
2.将修改后的/etc/krb5.conf文件同步到集群的所有Kerberos客户端节点相应目录
3.保存配置,然后重启krb5kdc和kadmin服务
[ec2-user@ip-172-31-22-86 ~]$ sudo systemctl restart krb5kdc
[ec2-user@ip-172-31-22-86 ~]$ sudo systemctl restart kadmin
4.创建主从同步账号,并为账号生成keytab文件
[ec2-user@ip-172-31-22-86 ~]$ sudo kadmin.local
kadmin.local: addprinc -randkey host/ip-172-31-22-86.ap-southeast-1.compute.internal
kadmin.local: addprinc -randkey host/ip-172-31-21-45.ap-southeast-1.compute.internal
kadmin.local:
kadmin.local: ktadd host/ip-172-31-22-86.ap-southeast-1.compute.internal
kadmin.local: ktadd host/ip-172-31-21-45.ap-southeast-1.compute.internal
使用随机生成秘钥的方式创建同步账号,并使用ktadd命令生成同步账号的keytab文件,默认文件生成在/etc/krb5.keytab下,生成多个账号则在krb5.keytab基础上追加。
5.复制以下文件到备Kerberos服务器相应目录
将/etc目录下的krb5.conf和krb5.keytab文件拷贝至备Kerberos服务器的/etc目录下
将/var/kerberos/krb5kdc目录下的.k5.CLOUDERA.COM、kadm5.acl和krb5.conf文件拷贝至备Kerberos服务器的/var/kerberos/krb5kdc目录
这里由于Fayson服务器使用的AWS非root用户权限问题,先将需要拷贝的文件拷贝至备Kerberos节点的ec2-user用户目录下,然后备服务器上使用sudo权限将文件拷贝至相应目录,以下操作是在备Kerberos服务器上进行
[ec2-user@ip-172-31-21-45 kerberos]$ sudo cp krb5.conf krb5.keytab /etc/
[ec2-user@ip-172-31-21-45 kerberos]$ sudo chown root:root /etc/krb5.*
[ec2-user@ip-172-31-21-45 kerberos]$ ll /etc/krb5.*
[ec2-user@ip-172-31-21-45 kerberos]$ sudo cp .k5.CLOUDERA.COM kadm5.acl kdc.conf /var/kerberos/krb5kdc/
[ec2-user@ip-172-31-21-45 kerberos]$ sudo chown root:root /var/kerberos/krb5kdc/*
[ec2-user@ip-172-31-21-45 kerberos]$ cd /var/kerberos/krb5kdc/
[ec2-user@ip-172-31-21-45 krb5kdc]$ ll -a
4.备Kerberos节点操作
1.需要申明用来同步的用户,在/var/kerberos/krb5kdc/kpropd.acl配置文件中添加对应账户,如果配置文件不存在则新增
[ec2-user@ip-172-31-21-45 krb5kdc]$ cd /var/kerberos/krb5kdc
[ec2-user@ip-172-31-21-45 krb5kdc]$ sudo vim kpropd.acl
host/ip-172-31-22-86.ap-southeast-1.compute.internal@CLOUDERA.COM
host/ip-172-31-21-45.ap-southeast-1.compute.internal@CLOUDERA.COM
2.启动kprop服务并加入系统自启动
[ec2-user@ip-172-31-21-45 krb5kdc]$ sudo systemctl enable kprop
[ec2-user@ip-172-31-21-45 krb5kdc]$ sudo systemctl start kprop
[ec2-user@ip-172-31-21-45 krb5kdc]$ sudo systemctl status kprop
备节点上已经准备好数据传输。接下来在主节点上使用kdb5_util将Kerberos库导出,然后通过kprop命令向备节点同步数据。
5.主节点数据同步至备节点
1.在主节点上使用kdb5_util命令导出Kerberos数据库文件
[ec2-user@ip-172-31-22-86 krb5kdc]$ sudo kdb5_util dump /var/kerberos/krb5kdc/master.dump
导出成功后生成master.dump和master.dump.dump_ok两个文件。
2.在主节点上使用kprop命令将master.dump文件同步至备节点
[ec2-user@ip-172-31-22-86 krb5kdc]$ sudo kprop -f /var/kerberos/krb5kdc/master.dump -d -P 754 ip-172-31-21-45.ap-southeast-1.compute.internal
32768 bytes sent.
60543 bytes sent.
Database propagation to ip-172-31-21-45.ap-southeast-1.compute.internal: SUCCEEDED
[ec2-user@ip-172-31-22-86 krb5kdc]$
有如上图标识则表示数据同步成功。
3.在备节点的/var/kerberos/krb5kdc目录下查看
[ec2-user@ip-172-31-21-45 krb5kdc]$ pwd
/var/kerberos/krb5kdc
[ec2-user@ip-172-31-21-45 krb5kdc]$ ll
total 132
-rw------- 1 root root 60543 Nov 14 10:36 from_master
-rw------- 1 root root 23 Nov 14 10:15 kadm5.acl
-rw------- 1 root root 486 Nov 14 10:15 kdc.conf
-rw-r--r-- 1 root root 132 Nov 14 10:23 kpropd.acl
-rw------- 1 root root 53248 Nov 14 10:36 principal
-rw------- 1 root root 8192 Nov 14 10:36 principal.kadm5
-rw------- 1 root root 0 Nov 14 10:36 principal.kadm5.lock
-rw------- 1 root root 0 Nov 14 10:36 principal.ok
[ec2-user@ip-172-31-21-45 krb5kdc]$
在备节点的/var/kerberos/krb5kdc目录下增加了如上图标识的文件。
4.在备节点上测试通过过来的数据是否能启动Kerberos服务
首先将kprop服务停止,将kpropd.acl文件备份并删除,然后启动krb5kdc和kadmin服务
[ec2-user@ip-172-31-21-45 krb5kdc]$sudo systemctl stop kprop
[ec2-user@ip-172-31-21-45 krb5kdc]$sudo mv /var/kerberos/krb5kdc/kpropd.acl/var/kerberos/krb5kdc/kpropd.acl.bak
[ec2-user@ip-172-31-21-45 krb5kdc]$sudo systemctl start krb5kdc
[ec2-user@ip-172-31-21-45 krb5kdc]$sudo systemctl start kadmin
修改备服务器的/etc/krb5.conf文件,将kdc和kadmin_server修改为备服务器地址,测试kinit是否正常
ec2-user@ip-172-31-21-45 krb5kdc$kinit fayson
Password for fayson@CLOUDERA.COM:
ec2-user@ip-172-31-21-45 krb5kdc$klist
Ticket cache:FILE:/tmp/krb5cc_1000
Default principal:fayson@CLOUDERA.COM
Valid starting Expires Service principal
11/14/2017 10:47:11 11/15/2017 10:47:11 krbtgt/CLOUDERA.COM@CLOUDERA.COM
renew until 11/21/201710:47:11
ec2-user@ip-172-31-21-45 krb5kdc$
测试完成需要将/etc/krb5.conf和kpropd.acl文件还原并启动kprop服务
ec2-user@ip-172-31-21-45 krb5kdc$sudo systemctl stop krb5kdc
ec2-user@ip-172-31-21-45 krb5kdc$sudo systemctl stop kadmin
ec2-user@ip-172-31-21-45 krb5kdc$
ec2-user@ip-172-31-21-45 krb5kdc$sudo mv /var/kerberos/krb5kdc/kpropd.acl.bak kpropd.acl
ec2-user@ip-172-31-21-45 krb5kdc$sudo systemctl start kprop
6.配置主节点crontab任务定时同步数据
1.编写同步脚本
ec2-user@ip-172-31-22-86 krb5kdc$pwd
/var/kerberos/krb5kdc
ec2-user@ip-172-31-22-86 krb5kdc$ sudovim kprop_sync.sh
#!/bin/bash
DUMP=/var/kerberos/krb5kdc/master.dump
PORT=754
SLAVE="ip-172-31-21-45.ap-southeast-1.compute.internal"
TIMESTAMP=date
echo "Start at $TIMESTAMP"
sudo kdb5_utildump $DUMP
sudo kprop -f $DUMP-d -P $PORT $SLAVE
2.赋予kprop_sync.sh脚本可执行权限,并测试
ec2-user@ip-172-31-22-86 krb5kdc$sudo chmod 700 /var/kerberos/krb5kdc/kprop_sync.sh
ec2-user@ip-172-31-22-86 krb5kdc$sudo sh /var/kerberos/krb5kdc/kprop_sync.sh
执行成功
3.配置crontab任务
ec2-user@ip-172-31-22-86 krb5kdc$sudo crontab -e
0 * * * * root/var/kerberos/krb5kdc/kprop_sync.sh >/var/kerberos/krb5kdc/lastupdate
退出并保存,启动服务并设置开机启动
ec2-user@ip-172-31-22-86 krb5kdc$sudo systemctl enable crond
ec2-user@ip-172-31-22-86 krb5kdc$sudo systemctl start crond
为天地立心,为生民立命,为往圣继绝学,为万世开太平。
温馨提示:要看高清无码套图,请使用手机打开并单击图片放大查看。