I. Environment preparation
OS:
CentOS 7.8.2003
Version:
V4.4.6
Installation method:
tarball installation
Download URL:
https://fastdl.mongodb.org/linux/mongodb-linux-x86_64-rhel70-4.4.6.tgz
Servers:
(server list image not preserved; the three hosts used in the configuration below are 192.168.10.66, 192.168.10.67 and 192.168.10.68)
II. Directory layout
01. Binary directory:
/usr/local/mongodb/bin
02. Data directory:
holds the data of every MongoDB service
/data/mongodb
03. Configuration files:
directory holding the configuration files of all services
/data/mongodb/conf
shard1:
holds the data, logs and pid of the first shard
/data/mongodb/shard1
shard2:
holds the data, logs and pid of the second shard
/data/mongodb/shard2
shard3:
holds the data, logs and pid of the third shard
/data/mongodb/shard3
config server:
holds the data, logs and pid of the config server
/data/mongodb/config
mongos:
holds the logs and pid of the router
/data/mongodb/mongos
III. Create the user and directories and set ownership
useradd -s /sbin/nologin -M mongod
mkdir -p /data/mongodb/conf
mkdir -p /data/mongodb/{config,shard{1..3},mongos}/{data,log}
cd /usr/local/src/
wget https://fastdl.mongodb.org/linux/mongodb-linux-x86_64-rhel70-4.4.6.tgz
tar xf mongodb-linux-x86_64-rhel70-4.4.6.tgz
ln -s /usr/local/src/mongodb-linux-x86_64-rhel70-4.4.6 /usr/local/mongodb
chown -R mongod:mongod /usr/local/mongodb/
IV. Create the configuration file for each service
01. shard1:
shard1.conf
cat >/data/mongodb/conf/shard1.conf <<EOF
systemLog:
  destination: file
  path: /data/mongodb/shard1/log/shard1.log
  logAppend: true
storage:
  journal:
    enabled: true
  dbPath: /data/mongodb/shard1/data
  directoryPerDB: true
  #engine: wiredTiger
  wiredTiger:
    engineConfig:
      cacheSizeGB: 1
      directoryForIndexes: true
    collectionConfig:
      blockCompressor: zlib
    indexConfig:
      prefixCompression: true
net:
  bindIp: `ifconfig eth0|awk 'NR==2{print $2}'`,127.0.0.1
  port: 27001
replication:
  oplogSizeMB: 2048
  replSetName: sh1
sharding:
  clusterRole: shardsvr
processManagement:
  fork: true
EOF
02. shard2:
shard2.conf
cat >/data/mongodb/conf/shard2.conf <<EOF
systemLog:
  destination: file
  path: /data/mongodb/shard2/log/shard2.log
  logAppend: true
storage:
  journal:
    enabled: true
  dbPath: /data/mongodb/shard2/data
  directoryPerDB: true
  #engine: wiredTiger
  wiredTiger:
    engineConfig:
      cacheSizeGB: 1
      directoryForIndexes: true
    collectionConfig:
      blockCompressor: zlib
    indexConfig:
      prefixCompression: true
net:
  bindIp: `ifconfig eth0|awk 'NR==2{print $2}'`,127.0.0.1
  port: 27002
replication:
  oplogSizeMB: 2048
  replSetName: sh2
sharding:
  clusterRole: shardsvr
processManagement:
  fork: true
EOF
03. shard3:
shard3.conf
cat >/data/mongodb/conf/shard3.conf <<EOF
systemLog:
  destination: file
  path: /data/mongodb/shard3/log/shard3.log
  logAppend: true
storage:
  journal:
    enabled: true
  dbPath: /data/mongodb/shard3/data
  directoryPerDB: true
  #engine: wiredTiger
  wiredTiger:
    engineConfig:
      cacheSizeGB: 1
      directoryForIndexes: true
    collectionConfig:
      blockCompressor: zlib
    indexConfig:
      prefixCompression: true
net:
  bindIp: `ifconfig eth0|awk 'NR==2{print $2}'`,127.0.0.1
  port: 27003
replication:
  oplogSizeMB: 2048
  replSetName: sh3
sharding:
  clusterRole: shardsvr
processManagement:
  fork: true
EOF
04. config server:
config.conf
cat > /data/mongodb/conf/config.conf <<EOF
systemLog:
  destination: file
  path: /data/mongodb/config/log/config.log
  logAppend: true
storage:
  journal:
    enabled: true
  dbPath: /data/mongodb/config/data
  directoryPerDB: true
  #engine: wiredTiger
  wiredTiger:
    engineConfig:
      cacheSizeGB: 1
      directoryForIndexes: true
    collectionConfig:
      blockCompressor: zlib
    indexConfig:
      prefixCompression: true
net:
  bindIp: `ifconfig eth0|awk 'NR==2{print $2}'`,127.0.0.1
  port: 21000
replication:
  oplogSizeMB: 2048
  replSetName: configReplSet
sharding:
  clusterRole: configsvr
processManagement:
  fork: true
EOF
05. mongos:
mongos.conf
cat > /data/mongodb/conf/mongos.conf <<EOF
systemLog:
  destination: file
  path: /data/mongodb/mongos/log/mongos.log
  logAppend: true
net:
  bindIp: `ifconfig eth0|awk 'NR==2{print $2}'`,127.0.0.1
  port: 20000
sharding:
  configDB: configReplSet/192.168.10.66:21000,192.168.10.67:21000,192.168.10.68:21000
processManagement:
  fork: true
EOF
# the service user created above is mongod
chown -R mongod:mongod /data/mongodb
V. Write the service start-up scripts:
shard1:
# the delimiter is quoted so that $MAINPID is written into the unit file literally instead of being expanded by the shell
cat > /usr/lib/systemd/system/mongo-shard1.service << 'EOF'
[Unit]
Description=mongodb-shard1
After=network.target remote-fs.target nss-lookup.target
[Service]
Type=forking
User=mongod
Group=mongod
ExecStart=/usr/local/mongodb/bin/mongod -f /data/mongodb/conf/shard1.conf
ExecReload=/bin/kill -s HUP $MAINPID
ExecStop=/usr/local/mongodb/bin/mongod -f /data/mongodb/conf/shard1.conf --shutdown
PrivateTmp=true
[Install]
WantedBy=multi-user.target
EOF
shard2:
cat > /usr/lib/systemd/system/mongo-shard2.service << 'EOF'
[Unit]
Description=mongodb-shard2
After=network.target remote-fs.target nss-lookup.target
[Service]
Type=forking
User=mongod
Group=mongod
ExecStart=/usr/local/mongodb/bin/mongod -f /data/mongodb/conf/shard2.conf
ExecReload=/bin/kill -s HUP $MAINPID
ExecStop=/usr/local/mongodb/bin/mongod -f /data/mongodb/conf/shard2.conf --shutdown
PrivateTmp=true
[Install]
WantedBy=multi-user.target
EOF
shard3:
cat > /usr/lib/systemd/system/mongo-shard3.service << 'EOF'
[Unit]
Description=mongodb-shard3
After=network.target remote-fs.target nss-lookup.target
[Service]
Type=forking
User=mongod
Group=mongod
ExecStart=/usr/local/mongodb/bin/mongod -f /data/mongodb/conf/shard3.conf
ExecReload=/bin/kill -s HUP $MAINPID
ExecStop=/usr/local/mongodb/bin/mongod -f /data/mongodb/conf/shard3.conf --shutdown
PrivateTmp=true
[Install]
WantedBy=multi-user.target
EOF
config server:
cat > /usr/lib/systemd/system/mongo-config.service << 'EOF'
[Unit]
Description=mongodb-config
After=network.target remote-fs.target nss-lookup.target
[Service]
Type=forking
User=mongod
Group=mongod
ExecStart=/usr/local/mongodb/bin/mongod -f /data/mongodb/conf/config.conf
ExecReload=/bin/kill -s HUP $MAINPID
ExecStop=/usr/local/mongodb/bin/mongod -f /data/mongodb/conf/config.conf --shutdown
PrivateTmp=true
[Install]
WantedBy=multi-user.target
EOF
mongos:
cat > /usr/lib/systemd/system/mongos.service << EOF
[Unit]
Description=Mongo Router Service
After=mongo-config.service
[Service]
Type=forking
User=mongod
Group=mongod
ExecStart=/usr/local/mongodb/bin/mongos --config /data/mongodb/conf/mongos.conf
Restart=on-failure
[Install]
WantedBy=multi-user.target
EOF
VI. Start all nodes (not mongos yet) and build the replica sets
Note the start order: the order among these services does not matter; what matters is that mongos is started last, after everything else has been configured.
# reload the systemd units
systemctl daemon-reload
# start
systemctl start mongo-config
systemctl start mongo-shard1
systemctl start mongo-shard2
systemctl start mongo-shard3
# enable at boot
systemctl enable mongo-config
systemctl enable mongo-shard1
systemctl enable mongo-shard2
systemctl enable mongo-shard3
01. Build the config server replica set (on any one host):
The config servers are the brain of the whole cluster: all node, authentication and configuration information is recorded here; think of it as the etcd of k8s.
/usr/local/mongodb/bin/mongo --port 21000 admin
config = {_id: 'configReplSet', members: [
{_id: 0, host: '192.168.10.66:21000'},
{_id: 1, host: '192.168.10.67:21000'},
{_id: 2, host: '192.168.10.68:21000'}]
}
rs.initiate(config)
rs.status();
Note: the config server may be a single node, but the official recommendation is a replica set, and a config server replica set cannot have an arbiter. Newer versions require a replica set.
Note: since MongoDB 3.4 the config server must be a replica set, but arbiters are not supported.
02. Build the sh1 replica set (run on the first server, .66):
Run this on a server that will not become the arbiter
/usr/local/mongodb/bin/mongo --port 27001 admin
config = {_id: 'sh1', members: [
{_id: 0, host: '192.168.10.66:27001'},
{_id: 1, host: '192.168.10.67:27001'},
{_id: 2, host: '192.168.10.68:27001',"arbiterOnly":true}]
}
rs.initiate(config)
rs.status()
Or alternatively:
/usr/local/mongodb/bin/mongo --port 27001 admin
rs.initiate()
rs.add("192.168.10.67:27001")
rs.addArb("192.168.10.68:27001")
03. Build the sh2 replica set (run on the second server, .67):
Run this on a server that will not become the arbiter
/usr/local/mongodb/bin/mongo --port 27002 admin
config = {_id: 'sh2', members: [
{_id: 0, host: '192.168.10.66:27002',"arbiterOnly":true},
{_id: 1, host: '192.168.10.67:27002'},
{_id: 2, host: '192.168.10.68:27002'}]
}
rs.initiate(config)
rs.status()
Or:
/usr/local/mongodb/bin/mongo --port 27002 admin
rs.initiate()
rs.add("192.168.10.68:27002")
rs.addArb("192.168.10.66:27002")
04. Build the sh3 replica set (run on the third server, .68):
Run this on a server that will not become the arbiter
/usr/local/mongodb/bin/mongo --port 27003 admin
config = {_id: 'sh3', members: [
{_id: 0, host: '192.168.10.66:27003'},
{_id: 1, host: '192.168.10.67:27003',"arbiterOnly":true},
{_id: 2, host: '192.168.10.68:27003'}]
}
rs.initiate(config)
rs.status()
Or:
/usr/local/mongodb/bin/mongo --port 27003 admin
rs.initiate()
rs.add("192.168.10.66:27003")
rs.addArb("192.168.10.67:27003")
Check that the primary/secondary relationships are correct; if a replica set is wrong, remove the member by hand and add it again.
VII. Start mongos (all three hosts)
Once the replica sets are confirmed correct, start the mongos service on all three servers
systemctl start mongos
systemctl enable mongos
VIII. Add the shards to the sharded cluster
Connect to any mongos (192.168.10.66) and do the following
(1) connect to the admin database of mongos
/usr/local/mongodb/bin/mongo --port 20000 admin
(2) add the shards
db.runCommand( { addshard : "sh1/192.168.10.66:27001,192.168.10.67:27001,192.168.10.68:27001",name:"shard1"} )
db.runCommand( { addshard : "sh2/192.168.10.66:27002,192.168.10.67:27002,192.168.10.68:27002",name:"shard2"} )
db.runCommand( { addshard : "sh3/192.168.10.66:27003,192.168.10.67:27003,192.168.10.68:27003",name:"shard3"} )
(3) check the overall status
sh.status();
IX. Using the sharded cluster
(1) Range sharding configuration and test
01. Enable sharding on the database
Log in to the mongos on any server, then enable sharding for the database
/usr/local/mongodb/bin/mongo --port 20000 admin
db.runCommand( { enablesharding : "test" } )
02. Shard the collection on a shard key
// create the index
use test
db.vast.ensureIndex( { id: 1 } )
// enable sharding
use admin
db.runCommand( { shardcollection : "test.vast",key : {id: 1} } )
03. Verify sharding in the cluster
use test
for(i=1;i<10000;i++){ db.vast.insert({"id":i,"name":"shenzheng","age":70,"date":new Date()}); }
db.vast.stats()
04. Check the sharding result
shard1:
/usr/local/mongodb/bin/mongo --port 27001
db.vast.count();
shard2:
/usr/local/mongodb/bin/mongo --port 27002
db.vast.count();
shard3:
/usr/local/mongodb/bin/mongo --port 27003
db.vast.count();
(2) Hash sharding configuration and test
Hash-shard the large vast collection in the oldboy database
Create a hashed index
(1) enable sharding for the oldboy database (connect to a mongos of this cluster)
/usr/local/mongodb/bin/mongo --port 20000 admin
use admin
admin> db.runCommand( { enablesharding : "oldboy" } )
(2) create a hashed index on the vast collection in oldboy
use oldboy
oldboy> db.vast.ensureIndex( { id: "hashed" } )
(3) enable sharding for the collection
use admin
admin> sh.shardCollection( "oldboy.vast", { id: "hashed" } )
(4) insert 100,000 rows for testing
use oldboy
for(i=1;i<100000;i++){ db.vast.insert({"id":i,"name":"shenzheng","age":70,"date":new Date()}); }
(5) check the hash sharding result (connect to the shards of this cluster directly)
/usr/local/mongodb/bin/mongo --port 27001
use oldboy
db.vast.count();
/usr/local/mongodb/bin/mongo --port 27002
use oldboy
db.vast.count();
X. Start order
systemctl start mongo-config
systemctl start mongo-shard1
systemctl start mongo-shard2
systemctl start mongo-shard3
systemctl start mongos
XI. Stop order
systemctl stop mongos
systemctl stop mongo-shard1
systemctl stop mongo-shard2
systemctl stop mongo-shard3
systemctl stop mongo-config
XII. User authentication
01. Create the administrator account on an instance where access control is not yet enabled
/usr/local/mongodb/bin/mongo --port 27001 admin
db.createUser(
  {
    user: "myUserAdmin",
    pwd: "123456",
    roles: [ { role: "userAdminAnyDatabase", db: "admin" }, "readWriteAnyDatabase" ]
  }
)
02. List the created users
db.getUsers()
03. Add the authorization parameter to the configuration file
vim /data/mongodb/conf/shard1.conf
...
security:
  authorization: enabled
04. Restart shard1
systemctl restart mongo-shard1
05. Log in as the admin user
/usr/local/mongodb/bin/mongo --port 27001 --authenticationDatabase "admin" -u "myUserAdmin" -p
XIII. Tuning away the start-up warnings
01. Tuning 1:
Warning:
Access control is not enabled for the database. Read and write access to data and configuration is unrestricted
Description: access control is not enabled
Fix:
enable user access control (security accounts)
02. Tuning 2:
Warning:
/sys/kernel/mm/transparent_hugepage/enabled is 'always'. We suggest setting it to 'never'
/sys/kernel/mm/transparent_hugepage/defrag is 'always'. We suggest setting it to 'never'
Description: disable transparent huge pages
Fix:
echo "never" > /sys/kernel/mm/transparent_hugepage/enabled
echo "never" > /sys/kernel/mm/transparent_hugepage/defrag
Note: restart after the change
03. Tuning 3:
Warning:
Soft rlimits too low
currentValue: 1024
recommendedMinimum: 64000
Description: the rlimits are too low
Fix:
cat >> /etc/profile<<EOF
ulimit -f unlimited
ulimit -t unlimited
ulimit -v unlimited
ulimit -n 64000
ulimit -m unlimited
ulimit -u 64000
EOF
source /etc/profile
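The two kernel-side warnings above (transparent huge pages and the open-file soft limit) can be re-checked on the host without waiting for the next mongod start-up log. The script below is an added example and is not part of the original post. It takes the sysfs directory and the /proc limits file as parameters so the functions can be tested against copies; the defaults are the live kernel paths. Note that a service started by systemd does not read /etc/profile, so the limit that matters is the one in /proc/<pid>/limits of the running mongod; for the units in section V the equivalent setting is LimitNOFILE=64000 and LimitNPROC=64000 in [Service].

```shell
#!/bin/sh
# Added example (not from the original post): verify the THP and rlimit
# fixes from the tuning section. Paths are parameters for testability;
# defaults point at the live kernel files.

# Print the active mode of a sysfs THP file: "always madvise [never]" -> never
thp_mode() {
    sed -n 's/.*\[\([a-z]*\)\].*/\1/p' "$1"
}

# Return 0 if both THP knobs in DIR are "never", 1 otherwise
thp_is_never() {
    dir=${1:-/sys/kernel/mm/transparent_hugepage}
    rc=0
    for knob in enabled defrag; do
        mode=$(thp_mode "$dir/$knob")
        if [ "$mode" != never ]; then
            echo "WARN: $dir/$knob is '$mode', mongod recommends 'never'"
            rc=1
        fi
    done
    return "$rc"
}

# Print the soft "Max open files" value from a /proc/<pid>/limits file
# (format: "Max open files   <soft>   <hard>   files", so column 4 is the soft limit)
nofile_soft() {
    awk '/^Max open files/ {print $4}' "$1"
}

# Return 0 if the soft limit in LIMITS_FILE reaches MIN (default: the 64000
# recommended by the start-up warning), 1 otherwise
nofile_ok() {
    limits=${1:-/proc/self/limits}
    min=${2:-64000}
    soft=$(nofile_soft "$limits")
    if [ "$soft" = unlimited ]; then
        return 0
    fi
    if [ -z "$soft" ] || [ "$soft" -lt "$min" ]; then
        echo "WARN: soft nofile is ${soft:-unknown}, recommended minimum $min"
        return 1
    fi
    return 0
}

# Check the limits of the running mongod/mongos processes rather than the
# interactive shell: systemd services get their rlimits from the unit file,
# not from /etc/profile.
check_running_mongod() {
    rc=0
    for pid in $(pidof mongod mongos 2>/dev/null); do
        nofile_ok "/proc/$pid/limits" || rc=1
    done
    return "$rc"
}
```

Run `thp_is_never && check_running_mongod` on each of the three hosts after applying the fixes; a non-zero exit with a WARN line tells you which knob or process still needs attention.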
04. Tuning 4:
Warning:
** WARNING: This replica set has a Primary-Secondary-Arbiter architecture, but readConcern:majority is enabled
Description: MongoDB 3.2 and later support read concern; see https://docs.mongodb.com/v4.0/reference/read-concern/index.html for details. In a PSA architecture, majority read concern can be turned off.
Fix:
Add enableMajorityReadConcern=false to the configuration (in the YAML configuration files used here: replication.enableMajorityReadConcern: false).
05. Tuning 5:
Warning:
** for this node. This is not a recommended configuration. Please see
** https://dochub.mongodb.org/core/psa-disable-rc-majority
Description: these two lines are the remainder of the multi-line warning from tuning 4, not a separate warning
Fix:
the same as tuning 4
06. Tuning 6:
Warning:
** WARNING: The configured WiredTiger cache size is more than 80% of available RAM.
See http://dochub.mongodb.org/core/faq-memory-diagnostics-wt
Description: not enough memory
Fix:
Method 1: add memory to the machine
Method 2: reduce the cache size in the configuration file, e.g. cacheSizeGB: 0.5
07. Tuning 7:
Warning:
** WARNING: You are running this process as the root user, which is not recommended.
Description: running as root is not recommended
Fix:
Method 1: create an ordinary user mongo, then switch to that user to start the process
Method 2: start through systemd and set the run-as user to the ordinary user mongo
08. Tuning 8:
Warning:
** WARNING: Using the XFS filesystem is strongly recommended with the WiredTiger storage engine
Description: the disk holding the data directory is not XFS
Fix:
Convert the disk to XFS
XIV. Backup and restore
01. Backup and restore tools
(1) ** mongoexport/mongoimport
(2) ***** mongodump/mongorestore
02. How do the backup tools differ?
Summary of use cases:
mongoexport/mongoimport: json, csv
1. Migration between heterogeneous platforms: mysql <---> mongodb
2. Same platform, across major versions: mongodb 2 ----> mongodb 3
mongodump/mongorestore
used for routine backup and restore.
03. Export tool: mongoexport
mongoexport usage:
$ mongoexport --help
Parameters:
-h: IP of the database host
-u: database user name
-p: database password
-d: database name
-c: collection name
-f: which fields to export
-o: output file name
-q: filter condition for the exported data
--authenticationDatabase admin
1. Back up a single collection to JSON
mongoexport -uroot -proot123 --port 27017 --authenticationDatabase admin -d oldboy -c log -o /mongodb/log.json
Note: the backup file name is arbitrary; by default the data is exported as JSON.
2. Back up a single collection to CSV
To export CSV, add the --type=csv parameter:
mongoexport -uroot -proot123 --port 27017 --authenticationDatabase admin -d test -c log --type=csv -f uid,name,age,date -o /mongodb/log.csv
04. Import tool: mongoimport
$ mongoimport --help
Parameters:
-h: IP of the database host
-u: database user name
-p: database password
-d: database name
-c: collection name
-f: which fields to import
-j, --numInsertionWorkers=<number> number of insert operations to run concurrently (defaults to 1)
// parallelism
Restoring data:
1. Restore the JSON data into log1
mongoimport -uroot -proot123 --port 27017 --authenticationDatabase admin -d oldboy -c log1 /mongodb/log.json
2. Restore the CSV file into log2
The example above imports a JSON file; to import a CSV file, the format must be given with the --type parameter, as follows:
Incorrect restore:
Note:
(1) the CSV file has a header line with field names
mongoimport -uroot -proot123 --port 27017 --authenticationDatabase admin -d oldboy -c log2 --type=csv --headerline --file /mongodb/log.csv
(2) the CSV file has no header line with field names
mongoimport -uroot -proot123 --port 27017 --authenticationDatabase admin -d oldboy -c log3 --type=csv -f id,name,age,date --file /mongodb/log.csv
--headerline: indicates that the first line holds the field names and should not be imported.
XV. Authentication for the sharded cluster
Adapted from:
https://www.cnblogs.com/pl-boke/p/10064489.html
00. Create the administrator account before enabling access control
# connect to any mongos
# note: operate in the admin database
/usr/local/mongodb/bin/mongo --port 20000 admin
db.createUser(
  {
    user: "root",
    pwd: "123456",
    roles: [ { role: "userAdminAnyDatabase", db: "admin" }, "readWriteAnyDatabase" ]
  }
)
# verify that the user was created
db.auth("root","123456")
# a return value of 1 means it was created successfully
Access control on a sharded cluster has two parts:
1. Internal authentication between the members of the replica sets and the sharded cluster, using either a keyfile or x.509 certificates. The keyfile is simpler and is what this article uses; the official recommendation is a keyfile for test environments and x.509 certificates for production. The principle: whenever two instances in the cluster connect, each checks that the other holds the same credential content, and only instances with the same credential can talk to each other.
2. Authorization for clients connecting to the MongoDB cluster, i.e. access from outside the cluster, such as a GUI client or application code, which requires authorization to be enabled.
01. Generate the keyfile
With keyfile authentication, every mongod instance in the replica set uses the contents of the keyfile as a shared password; only mongod or mongos instances holding the correct keyfile can connect to the replica set.
# mind the file's permissions and owner: mongod runs as the mongod user and must be able to read it
openssl rand -base64 756 > /data/mongodb/conf/testKeyFile.file
chmod 400 /data/mongodb/conf/testKeyFile.file
chown mongod:mongod /data/mongodb/conf/testKeyFile.file
The keyfile content must be between 6 and 1024 characters, and on unix/linux the file owner must have at least read permission on the file.
02. Distribute the keyfile to the other two servers
cd /data/mongodb/conf/
scp testKeyFile.file root@192.168.10.67:`pwd`
scp testKeyFile.file root@192.168.10.68:`pwd`
# the copies arrive owned by root; hand them to the mongod user on each host as well
ssh root@192.168.10.67 chown mongod:mongod /data/mongodb/conf/testKeyFile.file
ssh root@192.168.10.68 chown mongod:mongod /data/mongodb/conf/testKeyFile.file
03. Stop the whole sharded cluster
Mind the stop order
systemctl stop mongos
systemctl stop mongo-shard1
systemctl stop mongo-shard2
systemctl stop mongo-shard3
systemctl stop mongo-config
04. Modify the configuration files (all three servers)
Append the following to config.conf, shard1.conf, shard2.conf and shard3.conf:
security:
  keyFile: /data/mongodb/conf/testKeyFile.file
  authorization: enabled
Append the following to mongos.conf:
security:
  keyFile: /data/mongodb/conf/testKeyFile.file
Mind the actual location of the file
Explanation:
mongos has one setting fewer than mongod: authorization: enabled.
The reason is that securing a replica set plus sharding has two aspects. The members of each replica set use internal authentication for the communication between the mongo instances, and only instances holding the same keyfile can reach each other, so every one of them enables keyFile: /data/mongodb/conf/testKeyFile.file.
The mongod processes, on the other hand, are the shards that actually store the data; mongos only routes and stores no data. Therefore every mongod enables data-access authorization with authorization: enabled, so that data can only be accessed with a correct user name and password.
05. Start the services (all three servers)
systemctl start mongo-config
systemctl start mongo-shard1
systemctl start mongo-shard2
systemctl start mongo-shard3
systemctl start mongos
06. Connect to mongos to test
# connecting without a user name and password still works
/usr/local/mongodb/bin/mongo --port 20000 admin
# but show dbs returns nothing
mongos> show dbs
Now try again with the user name and password
/usr/local/mongodb/bin/mongo --port 20000 admin -uroot -p123456
mongos> show dbs
admin 0.000GB
config 0.003GB