初始化安装环境
创建完openGauss配置文件后,在执行安装前,为了后续能以最小权限进行安装及openGauss管理操作,保证系统安全性,需要运行安装前置脚本gs_preinstall准备好安装用户及环境。
安装前置脚本gs_preinstall可以协助用户自动完成如下的安装环境准备工作:
- 自动设置Linux内核参数以达到提高服务器负载能力的目的。这些参数直接影响数据库系统的运行状态,请仅在确认必要时调整。openGauss所设置的Linux内核参数取值请参见配置操作系统参数。
- 自动将openGauss配置文件、安装包拷贝到openGauss主机的相同目录下。
- openGauss安装用户、用户组不存在时,自动创建安装用户以及用户组。
- 读取openGauss配置文件中的目录信息并创建,将目录权限授予安装用户。
- 已完成的所有任务。
注意事项
- 用户需要检查上层目录权限,保证安装用户对安装包和配置文件目录读写执行的权限。
- xml文件中各主机的名称与IP映射配置正确。
- 只能使用root用户执行gs_preinstall命令。
操作步骤
1.以root用户登录待安装openGauss的任意主机,并按规划创建存放安装包的目录。
说明:
不建议把安装包的存放目录规划到openGauss用户的根目录或其子目录下,可能导致权限问题。
openGauss用户须具有/opt/software/openGauss目录的读写权限。
2.将安装包“openGauss-x.x.x-openEuler-64bit-all.tar.gz”和配置文件“cluster_config.xml”都上传至上一步所创建的目录中。
3.在安装包所在的目录下,解压安装包openGauss-x.x.x-openEuler-64bit-all.tar.gz。安装包解压后,会有OM安装包和Server安装包。继续解压OM安装包,会在/opt/software/openGauss路径下自动生成script子目录,并且在script目录下生成gs_preinstall等各种OM工具脚本。
tar -zxvf openGauss-x.x.x-openEuler-64bit-all.tar.gz
tar -zxvf openGauss-x.x.x-openEuler-64bit-om.tar.gz
说明:
在执行前置脚本gs_preinstall时,需要规划好openGauss配置文件路径、安装包存放路径、程序安装目录、实例数据目录,后续普通用户使用过程中不能再更改这些路径。
运行前置脚本gs_preinstall准备安装环境时,脚本内部会自动将openGauss配置文件、解压后的安装包同步拷贝到其余服务器的相同目录下。
在执行前置脚本或者互信前,请检查/etc/profile文件中是否包含错误输出信息,如果存在错误输出,需手动处理。
4.进入到工具脚本存放目录下。
cd /opt/software/openGauss/script
5.如果是openEuler的操作系统为确保适配python版本,执行如下命令打开gspylib/common/CheckPythonVersion.py文件,将if not pythonVersion = = (3, 6):修改为if not pythonVersion > = (3, 6):,键入“ESC”键进入指令模式,执行:wq保存并退出修改。
vi gspylib/common/CheckPythonVersion.py
6.如果是openEuler的操作系统,执行如下命令打开performance.sh文件,用#注释sysctl -w vm.min_free_kbytes=112640 &> /dev/null,键入“ESC”键进入指令模式,执行:wq保存并退出修改。
vi /etc/profile.d/performance.sh
7.为确保成功安装,检查hostname与/etc/hostname是否一致。预安装过程中,会对hostname进行检查。
8.使用gs_preinstall准备好安装环境。若为共用环境需加入--sep-env-file=ENVFILE参数分离环境变量,避免与其他用户相互影响,ENVFILE为用户自行指定的环境变量分离文件的路径,可以为一个空文件。
采用交互模式执行前置,并在执行过程中自动创建操作系统root用户互信和omm用户互信:
./gs_preinstall -U omm -G dbgrp -X /opt/software/openGauss/cluster_config.xml
omm为数据库管理员(也是运行openGauss的操作系统用户),dbgrp为运行openGauss的操作系统用户的群组名称,/opt/software/openGauss/cluster_config.xml为openGauss配置文件路径。在执行过程中,用户根据提示选择是否创建互信,并输入操作系统root用户或omm用户的密码。
不允许创建root用户互信时,创建omm用户,在各主机上执行本地模式前置,然后用户手动创建openGauss用户互信:如果预安装指定-L参数,预安装前需手动将所有节点的主机名和ip映射关系,写入各个主机的/etc/hosts,并在每个映射关系后边加入注释内容:#Gauss OM IP Hosts Mapping。
a.执行下面命令准备安装环境。
cd /opt/software/openGauss/script
./gs_preinstall -U omm -G dbgrp -L -X /opt/software/openGauss/cluster_config.xml
说明: 此操作需要在每台主机上执行该命令。
采用非交互模式执行前置:
a.参考手工建立互信章节手工建立root用户互信和openGauss用户互信。
b.执行下面命令准备安装环境。
cd /opt/software/openGauss/script
./gs_preinstall -U omm -G dbgrp -X /opt/software/openGauss/cluster_config.xml --non-interactive
说明:
此模式要求用户确保在执行前,已经建立了各节点root用户互信和openGauss用户互信。
root用户互信可能会存在安全隐患,因此建议用户在执行完安装后,立即删除各主机上root用户的互信。
示例
执行前置脚本:
plat1:/opt/software/openGauss/script # ./gs_preinstall -U omm -G dbgrp -X /opt/software/openGauss/cluster_config.xml
Parsing the configuration file.
Successfully parsed the configuration file.
Installing the tools on the local node.
Successfully installed the tools on the local node.
Are you sure you want to create trust for root (yes/no)? yes
Please enter password for root.
Password:
Creating SSH trust for the root permission user.
Checking network information.
All nodes in the network are Normal.
Successfully checked network information.
Creating SSH trust.
Creating the local key file.
Successfully created the local key files.
Appending local ID to authorized_keys.
Successfully appended local ID to authorized_keys.
Updating the known_hosts file.
Successfully updated the known_hosts file.
Appending authorized_key on the remote node.
Successfully appended authorized_key on all remote node.
Checking common authentication file content.
Successfully checked common authentication content.
Distributing SSH trust file to all node.
Successfully distributed SSH trust file to all node.
Verifying SSH trust on all hosts.
Successfully verified SSH trust on all hosts.
Successfully created SSH trust.
Successfully created SSH trust for the root permission user.
Setting pssh path
Successfully set core path.
Distributing package.
Begin to distribute package to tool path.
Successfully distribute package to tool path.
Begin to distribute package to package path.
Successfully distribute package to package path.
Successfully distributed package.
Are you sure you want to create the user[omm] and create trust for it (yes/no)? yes
Please enter password for cluster user.
Password:
Please enter password for cluster user again.
Password:
Successfully created [omm] user on all nodes.
Preparing SSH service.
Successfully prepared SSH service.
Installing the tools in the cluster.
Successfully installed the tools in the cluster.
Checking hostname mapping.
Successfully checked hostname mapping.
Creating SSH trust for [omm] user.
Checking network information.
All nodes in the network are Normal.
Successfully checked network information.
Creating SSH trust.
Creating the local key file.
Successfully created the local key files.
Appending local ID to authorized_keys.
Successfully appended local ID to authorized_keys.
Updating the known_hosts file.
Successfully updated the known_hosts file.
Appending authorized_key on the remote node.
Successfully appended authorized_key on all remote node.
Checking common authentication file content.
Successfully checked common authentication content.
Distributing SSH trust file to all node.
Successfully distributed SSH trust file to all node.
Verifying SSH trust on all hosts.
Successfully verified SSH trust on all hosts.
Successfully created SSH trust.
Successfully created SSH trust for [omm] user.
Checking OS software.
Successfully check os software.
Checking OS version.
Creating cluster's path.
Successfully created cluster's path.
Set and check OS parameter.
Setting OS parameters.
Successfully set OS parameters.
Preparing CRON service.
Successfully prepared CRON service.
Setting user environmental variables.
Successfully set user environmental variables.
Setting the dynamic link library.
Successfully set the dynamic link library.
Setting Core file
Successfully set core path.
Setting pssh path
Successfully set pssh path.
Set ARM Optimization.
No need to set ARM Optimization.
Fixing server package owner.
Successfully set finish flag.
Preinstallation succeeded.
如果主备机的root用户密码不同,且不能统一修改为一致时,执行前置脚本本地安装模式:
plat1:/opt/software/openGauss/script # ./gs_preinstall -U omm -G dbgrp -L -X /opt/software/openGauss/cluster_config.xml
Parsing the configuration file.
Successfully parsed the configuration file.
Installing the tools on the local node.
Successfully installed the tools on the local node.
Checking OS version.
Successfully checked OS version.
Creating cluster's path.
Successfully created cluster's path.
Set and check OS parameter.
Setting OS parameters.
Successfully set OS parameters.
Warning: Installation environment contains some warning messages.
Please get more details by "/home/package/r8c00/script/gs_checkos -i A -h SIA1000068990".
Set and check OS parameter completed.
Preparing CRON service.
Successfully prepared CRON service.
Preparing SSH service.
Successfully prepared SSH service.
Setting user environmental variables.
Successfully set user environmental variables.
Configuring alarms on the cluster nodes.
Successfully configured alarms on the cluster nodes.
Setting the dynamic link library.
Successfully set the dynamic link library.
Setting Cgroup.
Successfully set Cgroup.
Setting finish flag.
Successfully set finish flag.
Preinstallation succeeded.
以非交互模式执行前置:
plat1:/opt/software/openGauss/script # ./gs_preinstall -U omm -G dbgrp -X /opt/software/openGauss/cluster_config.xml --non-interactive
Parsing the configuration file.
Successfully parsed the configuration file.
Installing the tools on the local node.
Successfully installed the tools on the local node.
Distributing package.
Begin to distribute package to tool path.
Successfully distribute package to tool path.
Begin to distribute package to package path.
Successfully distribute package to package path.
Successfully distributed package.
Installing the tools in the cluster.
Successfully installed the tools in the cluster.
Checking hostname mapping.
Successfully checked hostname mapping.
Checking OS version.
Successfully checked OS version.
Creating cluster's path.
Successfully created cluster's path.
Set and check OS parameter.
Setting OS parameters.
Successfully set OS parameters.
Set and check OS parameter completed.
Preparing CRON service.
Successfully prepared CRON service.
Preparing SSH service.
Successfully prepared SSH service.
Setting user environmental variables.
Successfully set user environmental variables.
Configuring alarms on the cluster nodes.
Successfully configured alarms on the cluster nodes.
Setting the dynamic link library.
Successfully set the dynamic link library.
Setting Cgroup.
Successfully set Cgroup.
Set ARM Optimization.
Successfully set ARM Optimization.
Setting finish flag.
Successfully set finish flag.
Preinstallation succeeded.
错误排查
如果准备安装环境失败请根据openGauss日志目录“$GAUSSLOG/om”下的“gs_preinstall-YYYY-MM-DD_HHMMSS.log”和“gs_local-YYYY-MM-DD_HHMMSS.log”中的日志信息排查错误。例如配置文件中“gaussdbLogPath”参数指定的路径为“/var/log/gaussdb”,则“$GAUSSLOG/om”路径为“/var/log/gaussdb/omm/om”,omm用户为运行openGauss的用户。
须知:
准备安装用户及环境的过程中会使用root添加定时任务用于定时巡检和上报。
openGauss在安装过程中,需要在openGauss中的主机间执行命令,传送文件等操作。因此,在普通用户安装前需要确保互信是连通的。前置脚本中会先建立root用户间的互信,然后创建普通用户,并建立普通用户间的互信。
须知:
root用户互信可能会存在安全隐患,因此建议用户在使用完成后,立即删除各主机上root用户的互信。
- 确保ssh服务打开。
- 确保ssh端口不会被防火墙关闭。
- 确保xml文件中各主机名称和IP配置正确。
- 确保所有机器节点间网络畅通。
- 如果为普通用户建立互信,需要提前在各主机创建相同用户并设置密码。
如果各主机安装并启动了SELinux服务,需要确保/root和/home目录安全上下文为默认值(home目录:system_u:object_r:home_root_t:s0,root目录:system_u:object_r:admin_home_t:s0)或者关闭掉SELinux服务。
检查系统SELinux状态的方法:执行命令getenforce,如果返回结果是Enforcing ,说明SELinux安装并启用。
检查目录安全上下文的命令:
ls -ldZ /root | awk '{print $4}'
ls -ldZ /home | awk '{print $4}'
恢复目录安全上下文命令:
restorecon -r -vv /root/
使用脚本建立互信
1.创建一个执行互信脚本所需要的输入文本,并在此文件中添加openGauss中所有主机IP。
plat1:/opt/software/openGauss> vim hostfile
192.168.0.1
192.168.0.2
192.168.0.3
2.以需要创建互信的用户执行脚本。 3.执行下面脚本建立互信。
plat1:/opt/software/openGauss/script# ./gs_sshexkey -f /opt/software/hostfile
/opt/software/hostfile为主机列表,列出所有需要建立互信机器的主机IP。
手工建立互信
如果openGauss各主机的root密码不一致,gs_preinstall脚本无法建立互信,可以手工建立互信。
说明:
建立互信的过程中需要生成如下4个文件:authorized_keys、id_rsa、id_rsa.pub、known_hosts。请勿删除或破坏这些互信相关的文件。
手工建立信任关系,步骤如下,plat1,plat2,plat3是主机名:
1.在其中一个主机上,生成root用户的本机授权文件。假设在主机plat1上执行。
a. 生成密钥。
ssh-keygen -t rsa
示例如下:
plat1:~ # ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
d5:35:46:33:27:22:09:f0:1e:12:a7:87:fa:33:3f:ab root@plat1
The key's randomart image is:
+--[ RSA 2048]----+
| o.o.....O .|
| * .o + * |
| + + . . |
| . + o |
| . S |
| . |
| +. |
| E.oo |
b. 生成本机授权文件。
cat .ssh/id_rsa.pub >> ~/.ssh/authorized_keys
示例如下:
plat1:~ # cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
2.收集所有的待建互信主机的公钥,写入到本机的known_hosts文件中。此步骤需要在步骤1执行的主机上执行。需要收集plat1、plat2、plat3三个主机的公钥。
a. 收集plat1的公钥,写入到本机known_hosts文件中。
ssh-keyscan -t rsa plat1 >> ~/.ssh/known_hosts
示例如下:
plat1:~ # ssh-keyscan -t rsa plat1 >> ~/.ssh/known_hosts
# plat1 SSH-2.0-OpenSSH_5.1
b. 收集plat2的公钥,写入到本机known_hosts文件中。
ssh-keyscan -t rsa plat2 >> ~/.ssh/known_hosts
示例如下:
plat1:~ # ssh-keyscan -t rsa plat2 >> ~/.ssh/known_hosts
# plat2 SSH-2.0-OpenSSH_5.1
c. 收集plat3的公钥,写入到本机known_hosts文件中。
ssh-keyscan -t rsa plat3 >> ~/.ssh/known_hosts
示例如下:
说明:
当远程主机的公钥被接受以后,它就会被保存在文件$HOME/.ssh/known_hosts之中。下次再连接这台主机,系统就会认出它的公钥已经保存在本地了,从而跳过警告部分。
如果该主机上known_hosts文件被删除,互信仍然可以使用,但是会有告警提示信息。如果需要规避告警提示信息,请将/etc/ssh/ssh_config配置文件中,StrictHostKeyChecking参数设置为no。
3.将互信文件分发到其它所有主机上。在本例中,需要将plat1上的互信文件分发到plat2和plat3上。
a. 将互信文件分发到plat2上。Password输入拷贝目标主机的密码。
scp -r ~/.ssh plat2:~
示例如下:
plat1:~ # scp -r ~/.ssh plat2:~
Password:
authorized_keys 100% 796 0.8KB/s 00:00
id_rsa 100% 1675 1.6KB/s 00:00
id_rsa.pub 100% 398 0.4KB/s 00:00
known_hosts 100% 1089 1.1KB/s 00:00
b. 将互信文件分发到plat3上。Password输入拷贝目标主机的密码。
scp -r ~/.ssh plat3:~
示例如下:
plat1:~ # scp -r ~/.ssh plat3:~
Password:
authorized_keys 100% 796 0.8KB/s 00:00
id_rsa 100% 1675 1.6KB/s 00:00
id_rsa.pub 100% 398 0.4KB/s 00:00
known_hosts 100% 1089 1.1KB/s 00:00
4.查看互信是否建成功,可以互相ssh主机名。输入exit退出。
plat1:~ # ssh plat2
Last login: Sat Jun 20 14:01:07 2020
plat2:~ # exit
logout
Connection to plat2 closed.
plat1:~ #
说明:
如果三个以上节点,和上述过程类似。假设节点名为plat1、plat2、plat3、……。第一步,需要在plat1上生成root用户的本机授权文件;第二步,需要收集所有待建互信主机(plat1、plat2、plat3、……)的公钥并写入到本机known_hosts文件中;第三步,需要将互信文件分发到除本机外的所有其它主机(plat2、plat3、……)上;第四步,检查互信是否建立成功。
删除root用户互信
为了避免root用户互信可能存在的安全隐患,因此建议用户在使用完成后,立即删除各主机上root用户的互信。
1.删除openGauss数据库各节点上的互信相关文件/root/.ssh。
rm –rf \~/.ssh
2.查看互信是否删除成功,可以互相ssh主机名,提示不能互信,互信删除成功。
plat1:\~ \# ssh plat2
he authenticity of host ' plssat2 \(plat2\)' can't be established.
ECDSA key fingerprint is SHA256:Q4DPRedFytsjsJSKf4l2lHKuzVw4prq3bIUCNVKIa7M.
ECDSA key fingerprint is MD5:e2:77:6c:aa:4c:43:5f:f2:c4:58:ec:d5:53:de:7c:fc.
Are you sure you want to continue connecting \(yes/no\)?
示例
root用户建立互信示例:
plat1:~ # gs_sshexkey -f /opt/software/hostfile -W Gauss_123
Checking network information.
All nodes in the network are Normal.
Successfully checked network information.
Creating SSH trust.
Creating the local key file.
Successfully created the local key files.
Appending local ID to authorized_keys.
Successfully appended local ID to authorized_keys.
Updating the known_hosts file.
Successfully updated the known_hosts file.
Appending authorized_key on the remote node.
Successfully appended authorized_key on all remote node.
Checking common authentication file content.
Successfully checked common authentication content.
Distributing SSH trust file to all node.
Successfully distributed SSH trust file to all node.
Verifying SSH trust on all hosts.
Successfully verified SSH trust on all hosts.
Successfully created SSH trust.
普通用户建立互信示例:
gaussdb@plat1:~ > gs_sshexkey -f /opt/software/hostfile -W Gauss_123
Checking network information.
All nodes in the network are Normal.
Successfully checked network information.
Creating SSH trust.
Creating the local key file.
Successfully created the local key files.
Appending local ID to authorized_keys.
Successfully appended local ID to authorized_keys.
Updating the known_hosts file.
Successfully updated the known_hosts file.
Appending authorized_key on the remote node.
Successfully appended authorized_key on all remote node.
Checking common authentication file content.
Successfully checked common authentication content.
Distributing SSH trust file to all node.
Successfully distributed SSH trust file to all node.
Verifying SSH trust on all hosts.
Successfully verified SSH trust on all hosts.
Successfully created SSH trust.
安全模式下建立互信示例,需要用户根据提示,手动输入建立互信的用户密码(建议使用安全模式):
plat1:~ # gs_sshexkey -f /opt/software/hostfile
Please enter password for current user[root].
Password:
Checking network information.
All nodes in the network are Normal.
Successfully checked network information.
Creating SSH trust.
Creating the local key file.
Appending local ID to authorized_keys.
Successfully appended local ID to authorized_keys.
Updating the known_hosts file.
Successfully updated the known_hosts file.
Appending authorized_key on the remote node.
Successfully appended authorized_key on all remote node.
Checking common authentication file content.
Successfully checked common authentication content.
Distributing SSH trust file to all node.
Successfully distributed SSH trust file to all node.
Verifying SSH trust on all hosts.
Successfully verified SSH trust on all hosts.
Successfully created SSH trust.
openGauss要求各主机上的操作系统参数设置成一定的值,以满足系统运行的性能要求等。
这些参数有些会在openGauss安装环境准备阶段完成设置,且这些参数将直接影响openGauss的运行状态,请仅在确认必要时进行手动调整。方法如下:
1.以root用户身份登录服务器。
2.对文件“/etc/sysctl.conf”进行编辑修改。
具体参数的修改请参见。
3.执行如下命令使修改配置生效。
sysctl -p
表 1 操作系统参数
文件系统参数
soft nofile
说明:soft nofile表示软限制,用户使用的文件句柄数量可以超过该限制,但是如果超过会有告警信息。
推荐取值:1000000
hard nofile
说明:hard nofile表示硬限制,是一个严格的限制,用户使用的文件句柄数量一定不能超过该设置。
推荐取值:1000000
stack size
说明:线程堆栈大小。
推荐值:3072
transparent_hugepage设置
openGauss默认关闭使用transparent_hugepage服务,并将关闭命令写入操作系统启动文件。
文件句柄设置
需要对文件句柄数进行手动设置时,使用root用户执行如下命令进行参数修改:
echo "* soft nofile 1000000" >>/etc/security/limits.conf
完成修改后,需重启操作系统使得设置的参数生效。
表 2 文件句柄数设置
系统支持的最大进程数设置
需要对系统支持的最大进程数进行手动设置时,执行如下命令打开conf文件。
修改* soft nproc参数。
完成修改后,需重启操作系统使得设置的参数生效。
表 3 系统支持的最大进程数设置
表 4 网卡参数配置
须知:
设置网卡参数的命令只有在设置成功后,才会被写入系统启动文件。执行失败的信息会被记入后台日志中。