Merge pull request #2656 from wojiushixiaobai/docs

[Add]修改mariadb分布式部署文档

docs/distributed_02.rst

@@ -17,6 +17,8 @@
 +==========+============+=================+===============+========================+
 |    TCP   |    Nginx   | 192.168.100.100 | 80, 443, 2222 |           All          |
 +----------+------------+-----------------+---------------+------------------------+
+|    TCP   |    Nginx   | 192.168.100.100 |      3306     |       Jumpserver       |
++----------+------------+-----------------+---------------+------------------------+
 
 开始安装
 ~~~~~~~~~~~~
@@ -33,11 +35,14 @@
     $ firewall-cmd --zone=public --add-port=80/tcp --permanent
     $ firewall-cmd --zone=public --add-port=443/tcp --permanent
     $ firewall-cmd --zone=public --add-port=2222/tcp --permanent
+    $ firewall-cmd --permanent --add-rich-rule="rule family="ipv4" source address="192.168.100.0/24" port protocol="tcp" port="3306" accept"
+    # 192.168.100.0/24 为整个 Jumpserver 网络网段, 这里就偷懒了, 自己根据实际情况修改即可
+
     $ firewall-cmd --reload
 
-    # 设置 http 访问权限
-    $ setsebool -P httpd_can_network_connect 1
-    $ semanage port -a -t http_port_t -p tcp 2222
+    # 设置 selinux
+    $ setenforce 0
+    $ sed -i "s/SELINUX=enforcing/SELINUX=disabled/g" /etc/selinux/config
 
 .. code-block:: shell
 
@@ -92,17 +97,30 @@
         access_log /var/log/nginx/tcp-access.log  proxy;
         open_log_file_cache off;
 
+        upstream MariaDB {
+            server 192.168.100.10:3306;
+            server 192.168.100.11:3306 backup;  # 多节点
+            server 192.168.100.12:3306 down;  # 多节点
+            # 这里是 Mariadb 的后端ip
+        }
+
         upstream cocossh {
-            server 192.168.100.40:2222 weight=1;
-            server 192.168.100.40:2223 weight=1;  # 多节点
+            server 192.168.100.40:2222;
+            server 192.168.100.40:2223;  # 多节点
             # 这里是 coco ssh 的后端ip
-            hash $remote_addr;
+            least_conn;
         }
+
+        server {
+            listen 3306;
+            proxy_pass MariaDB;
+            proxy_connect_timeout 1s;  # detect failure quickly
+        }
+
         server {
             listen 2222;
             proxy_pass cocossh;
-            proxy_connect_timeout 10s;
-            proxy_timeout 24h;   #代理超时
+            proxy_connect_timeout 1s;  # detect failure quickly
         }
     }
 

docs/distributed_03.rst

@@ -12,42 +12,137 @@
 
 -  系统: CentOS 7
 -  IP: 192.168.100.10
+-  服务: MariaDB Galera Cluster
 
 +----------+------------+-----------------+---------------+------------------------+
 | Protocol | ServerName |        IP       |      Port     |         Used By        |
 +==========+============+=================+===============+========================+
-|    TCP   |    Mysql   | 192.168.100.10  |      3306     |        Jumpserver      |
+|    TCP   | Mariadb-01 | 192.168.100.10  |      3306     |        Jumpserver      |
 +----------+------------+-----------------+---------------+------------------------+
+|    TCP   | Mariadb-02 | 192.168.100.11  |      3306     |        Jumpserver      |
++----------+------------+-----------------+---------------+------------------------+
+|    TCP   | Mariadb-03 | 192.168.100.12  |      3306     |        Jumpserver      |
++----------+------------+-----------------+---------------+------------------------+
+
+
 
 开始安装
 ~~~~~~~~~~~~
 
 .. code-block:: shell
 
-    # 升级系统
+    # 以下命令需要在三台数据库服务器分别执行
     $ yum upgrade -y
 
-    # 安装 mariadb 服务
-    $ yum install -y install mariadb mariadb-devel mariadb-server
+    # 添加 MariaDB 源
+    $ vi /etc/yum.repos.d/MariaDB.repo
+    [mariadb]
+    name = MariaDB
+    baseurl = http://mirrors.ustc.edu.cn/mariadb/yum/10.1/centos7-amd64
+    gpgkey=http://mirrors.ustc.edu.cn/mariadb/yum/RPM-GPG-KEY-MariaDB
+    gpgcheck=1
+
+    # 安装 MariaDB Galera Cluster
+    $ yum install -y mariadb mariadb-server mariadb-common galera rsync
+
+    # 设置 Firewalld 和 Selinux
+    $ firewall-cmd --permanent --add-rich-rule="rule family="ipv4" source address="192.168.100.0/24" port protocol="tcp" port="3306" accept"
+    $ firewall-cmd --permanent --add-rich-rule="rule family="ipv4" source address="192.168.100.0/24" port protocol="tcp" port="4567" accept"
+    $ firewall-cmd --permanent --add-rich-rule="rule family="ipv4" source address="192.168.100.0/24" port protocol="tcp" port="4568" accept"
+    $ firewall-cmd --permanent --add-rich-rule="rule family="ipv4" source address="192.168.100.0/24" port protocol="tcp" port="4444" accept"
+    $ firewall-cmd --permanent --add-rich-rule="rule family="ipv4" source address="192.168.100.0/24" port protocol="udp" port="4567" accept"
+    # 192.168.100.0/24 为整个 Jumpserver 网络网段, 这里就偷懒了, 自己根据实际情况修改即可
 
-    # 设置防火墙, 开放 3306 端口 给 jumpserver 访问
-    $ firewall-cmd --permanent --add-rich-rule="rule family="ipv4" source address="192.168.100.30" port protocol="tcp" port="3306" accept"
     $ firewall-cmd --reload
 
-    # 设置 mariadb 服务
-    $ systemctl enable mariadb
+    $ setenforce 0
+    $ sed -i "s/SELINUX=enforcing/SELINUX=disabled/g" /etc/selinux/config
+
+.. code-block:: shell
+
+    # 在 192.168.100.10 上执行初始化命令
     $ systemctl start mariadb
+    $ mysql_secure_installation  # 推荐设置 root 密码, 其他选项可以全部 y
+    $ systemctl stop mariadb
+
+.. code-block:: shell
+
+    # 在 192.168.100.10 上执行以下命令
+    $ vi /etc/my.cnf.d/server.cnf
+    ...
+    [galera]
+    wsrep_on=ON
+    wsrep_provider=/usr/lib64/galera/libgalera_smm.so
+    wsrep_cluster_name=galera_cluster
+    wsrep_cluster_address="gcomm://192.168.100.10,192.168.100.11,192.168.100.12"
+    wsrep_node_name=Mariadb-01   # 注意这里改成本机 hostname
+    wsrep_node_address=192.168.100.10   # 注意这里改成本机 ip
+    binlog_format=row
+    default_storage_engine=InnoDB
+    innodb_autoinc_lock_mode=2
+    ...
+
+    # 在 192.168.100.11 上执行以下命令
+    $ vi /etc/my.cnf.d/server.cnf
+    ...
+    [galera]
+    wsrep_on=ON
+    wsrep_provider=/usr/lib64/galera/libgalera_smm.so
+    wsrep_cluster_name=galera_cluster
+    wsrep_cluster_address="gcomm://192.168.100.10,192.168.100.11,192.168.100.12"
+    wsrep_node_name=Mariadb-02   # 注意这里改成本机 hostname
+    wsrep_node_address=192.168.100.11   # 注意这里改成本机 ip
+    binlog_format=row
+    default_storage_engine=InnoDB
+    innodb_autoinc_lock_mode=2
+
+    # 在 192.168.100.12 上执行以下命令
+    $ vi /etc/my.cnf.d/server.cnf
+    ...
+    [galera]
+    wsrep_on=ON
+    wsrep_provider=/usr/lib64/galera/libgalera_smm.so
+    wsrep_cluster_name=galera_cluster
+    wsrep_cluster_address="gcomm://192.168.100.10,192.168.100.11,192.168.100.12"
+    wsrep_node_name=Mariadb-03   # 注意这里改成本机 hostname
+    wsrep_node_address=192.168.100.12   # 注意这里改成本机 ip
+    binlog_format=row
+    default_storage_engine=InnoDB
+    innodb_autoinc_lock_mode=2
+
+.. code-block:: shell
+
+    # 在 192.168.100.10 上执行以下命令
+    $ sudo -u mysql /usr/sbin/mysqld --wsrep-new-cluster &> /tmp/wsrep_new_cluster.log &
+    $ disown $!
+    $ tail -f /tmp/wsrep_new_cluster.log  # 如果出现 ready for connections, 表示启动成功
+
+.. code-block:: shell
+
+    # 在 192.168.100.11 和 192.168.100.12 启动 mariadb 服务
+    $ systemctl start mariadb
+
+.. code-block:: shell
+
+    # 回到第一台服务器
+    $ ps -ef | grep mysqld | grep -v grep | awk '{print $2}' | xargs kill -9
+    $ systemctl start mariadb
+
+.. code-block:: shell
 
-    # 推荐使用该命令进行一些安全设置(可跳过)
-    $ mysql_secure_installation
+    # 在任意数据库服务器执行以下命令验证 MariaDB Galera Cluster
+    $ mysql -uroot -p -e "show status like 'wsrep_cluster_size'"  # 这里应该显示集群里有3个节点
+    $ mysql -uroot -p -e "show status like 'wsrep_connected'"  # 这里应该显示ON
+    $ mysql -uroot -p -e "show status like 'wsrep_incoming_addresses'"  # 这里应该显示3个ip
+    $ mysql -uroot -p -e "show status like 'wsrep_local_state_comment'"  # 这里显示节点的同步状态
 
 .. code-block:: shell
 
-    # 创建数据库及授权, 192.168.100.30 是 jumpserver 服务器的 ip
+    # 创建 Jumpserver 数据库及授权
     $ mysql -uroot
     > create database jumpserver default charset 'utf8';
-    > grant all on jumpserver.* to 'jumpserver'@'192.168.100.30' identified by 'weakPassword';
+    > grant all on jumpserver.* to 'jumpserver'@'192.168.100.%' identified by 'weakPassword';
     > flush privileges;
     > quit
 
-    # 数据库的主从设置请参考其官方, 之后会补上
+之后去 nginx 设置 tcp 代理即可

docs/distributed_05.rst

@@ -112,7 +112,7 @@
     # MySQL or postgres setting like:
     # 使用Mysql作为数据库
     DB_ENGINE: mysql
-    DB_HOST: 127.0.0.1
+    DB_HOST: 192.168.100.100
     DB_PORT: 3306
     DB_USER: jumpserver
     DB_PASSWORD: 你的数据库密码

docs/setup_by_aliyuncloud.rst

@@ -50,75 +50,12 @@
       && systemctl restart docker \
       && docker pull jumpserver/jms_coco:1.4.10 \
       && docker pull jumpserver/jms_guacamole:1.4.10 \
-      && rm -rf /etc/nginx/conf.d/default.conf
+      && rm -rf /etc/nginx/conf.d/default.conf \
+      && curl -o /etc/nginx/conf.d/jumpserver.conf https://demo.jumpserver.org/download/nginx/conf.d/jumpserver.conf
 
 .. code-block:: shell
 
-    $ echo -e "\033[31m 4. 配置nginx \033[0m" \
-      && cat << EOF > /etc/nginx/conf.d/jumpserver.conf
-    server {
-        listen 80;
-
-        client_max_body_size 100m;  # 录像及文件上传大小限制
-
-        location /luna/ {
-            try_files \$uri / /index.html;
-            alias /opt/luna/;
-        }
-
-        location /media/ {
-            add_header Content-Encoding gzip;
-            root /opt/jumpserver/data/;
-        }
-
-        location /static/ {
-            root /opt/jumpserver/data/;
-        }
-
-        location /socket.io/ {
-            proxy_pass       http://localhost:5000/socket.io/;
-            proxy_buffering off;
-            proxy_http_version 1.1;
-            proxy_set_header Upgrade \$http_upgrade;
-            proxy_set_header Connection "upgrade";
-            proxy_set_header X-Real-IP \$remote_addr;
-            proxy_set_header Host \$host;
-            proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
-            access_log off;
-        }
-
-        location /coco/ {
-            proxy_pass       http://localhost:5000/coco/;
-            proxy_set_header X-Real-IP \$remote_addr;
-            proxy_set_header Host \$host;
-            proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
-            access_log off;
-        }
-
-        location /guacamole/ {
-            proxy_pass       http://localhost:8081/;
-            proxy_buffering off;
-            proxy_http_version 1.1;
-            proxy_set_header Upgrade \$http_upgrade;
-            proxy_set_header Connection \$http_connection;
-            proxy_set_header X-Real-IP \$remote_addr;
-            proxy_set_header Host \$host;
-            proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
-            access_log off;
-        }
-
-        location / {
-            proxy_pass http://localhost:8080;
-            proxy_set_header X-Real-IP \$remote_addr;
-            proxy_set_header Host \$host;
-            proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
-        }
-    }
-    EOF
-
-.. code-block:: shell
-
-    $ echo -e "\033[31m 5. 处理配置文件 \033[0m" \
+    $ echo -e "\033[31m 4. 处理配置文件 \033[0m" \
       && if [ "$DB_PASSWORD" = "" ]; then DB_PASSWORD=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 24`; fi \
       && if [ "$SECRET_KEY" = "" ]; then SECRET_KEY=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 50`; echo "SECRET_KEY=$SECRET_KEY" >> ~/.bashrc; fi \
       && if [ "$BOOTSTRAP_TOKEN" = "" ]; then BOOTSTRAP_TOKEN=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 16`; echo "BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN" >> ~/.bashrc; fi \
@@ -128,7 +65,7 @@
 
 .. code-block:: shell
 
-    $ echo -e "\033[31m 6. 启动 Jumpserver \033[0m" \
+    $ echo -e "\033[31m 5. 启动 Jumpserver \033[0m" \
       && systemctl start nginx \
       && cd /opt/jumpserver \
       && ./jms start all -d \

docs/setup_by_centos7.rst

@@ -370,7 +370,6 @@ CentOS 7 安装文档
             listen 2220;  # 不能使用已经使用的端口, 自行修改, 用户ssh登录时的端口
             proxy_pass cocossh;
             proxy_connect_timeout 10s;
-            proxy_timeout 24h;   #代理超时
         }
     }
     # 到此结束