网站首页 > 技术文章 正文
1. 安装环境准备
1.1 主机环境准备
1.1.1. 关闭selinux
sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
setenforce 01.1.2. 软件下载
apache-zookeeper-3.6.1-bin.tar.gz:下载地址
1.1.3. 部署规划
软件安装路径 /usr/local/zookeeper
端口规划 2192
1.1.4. 系统主机时间、时区、系统语言
? 本节视实际情况需要操作
? 修改时区
ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime? 修改系统语言环境
echo 'LANG="en_US.UTF-8"' >> /etc/profile && source /etc/profile? 配置主机NTP时间同步
yum -y install ntp
systemctl enable ntpd && systemctl start ntpd
echo 'server ntp1.aliyun.com' >> /etc/ntp.conf
echo 'server ntp2.aliyun.com' >> /etc/ntp.conf2. Zookeeper安装部署
2.1 Zookeeper依赖安装及部署
? 添加用户与用户组(用户名请自行定义)
groupadd -r middleware && useradd -s /sbin/nologin -r -M -g middleware middleware? JDK安装部署
tar -zxvf jdk-8u231-linux-x64.tar.gz -C /usr/local/
cat >>/etc/profile<<EOF
export JAVA_HOME=/usr/local/jdk1.8.0_231
export JRE_HOME=\${JAVA_HOME}/jre
export CLASSPATH=.:\${JAVA_HOME}/lib:\${JRE_HOME}/lib
export PATH=\${JAVA_HOME}/bin:\$PATH
EOF
source /etc/profile
java -version? 下载apache-zookeeper-3.6.1-bin.tar.gz安装包,并解压安装
yum -y install gcc gcc-c++ automake autoconf libevent-devel libevent make wget net-tools
cd /opt
wget https://mirror.bit.edu.cn/apache/zookeeper/zookeeper-3.6.1/apache-zookeeper-3.6.1-bin.tar.gz
tar -zxvf apache-zookeeper-3.6.1-bin.tar.gz -C /usr/local/
cd /usr/local/
mv apache-zookeeper-3.6.1-bin zookeeper
mkdir -p zookeeper/data/zookeeper
mkdir zookeeper/dataLog
cd zookeeper/conf
cp zoo_sample.cfg zoo.cfg? 修改zookeeper数据存储路径与连接端口
vi zoo.cfg
dataDir=/usr/local/zookeeper/data/zookeeper
dataLogDir=/usr/local/zookeeper/dataLog
clientPort=2192
chown -R middleware:middleware /usr/local/zookeeper? 配置Zookeeper环境变量
cat >>/etc/profile<< EOF
export PATH="\$PATH:/usr/local/zookeeper/bin"
EOF
source /etc/profile2.2 配置zookeeper系统服务
2.2.1. 针对6系统添加系统服务
1、添加防火墙策略
(1)所有机器可访问
iptables -A INPUT -p tcp --dport 2192 -j ACCEPT
service iptables save(2)特定IP192.168.31.130可访问本机2192端口
iptables -A INPUT -p tcp -s 192.168.31.130 --dport 2192 -j ACCEPT
service iptables save2、添加zookeeper系统服务启动脚本
cd /usr/local/zookeeper/bin/
sed -i '77aJAVA_HOME="/usr/local/jdk1.8.0_231"' zkEnv.sh
vi /etc/init.d/zookeeper
#!/bin/bash
#
# zookeeper start/stop the zookeeper daemon
#
# chkconfig: 345 80 20
# description: zookeeper is a message server.
#
ZOOKEEPER_HOME=/usr/local/zookeeper
PIDFILE=/usr/local/zookeeper/data/zookeeper/zookeeper_server.pid
case $1 in
start)
if [ -f $PIDFILE ]
then
echo "$PIDFILE exists, process is already running"
else
echo "Starting zookeeper server..."
sudo -u middleware $ZOOKEEPER_HOME/bin/zkServer.sh start
fi
;;
stop)
if [ ! -f $PIDFILE ]
then
echo "$PIDFILE does not exist, process is not running"
else
sudo -u middleware $ZOOKEEPER_HOME/bin/zkServer.sh stop
fi
;;
status)
if [ ! -f $PIDFILE ]
then
echo "$PIDFILE does not exist, process is not running"
else
sudo -u middleware $ZOOKEEPER_HOME/bin/zkServer.sh status
echo "Zookeeper service is running..."
fi
;;
restart)
sudo -u middleware $ZOOKEEPER_HOME/bin/zkServer.sh restart
;;
*)
echo "Please use start|stop|status|restart as first argument"
;;
esac3、配置zookeeper系统服务及自启动
chmod +x /etc/init.d/zookeeper
chkconfig --add zookeeper && chkconfig zookeeper on
chkconfig --list zookeeper4、启动与停止zookeeper服务
service zookeeper start
ps -ef|grep zookeeper
service zookeeper stop2.2.2. 针对7系统添加系统服务
1、添加防火墙策略
(1)所有机器可访问
firewall-cmd --permanent --zone=public --add-port=2192/tcp
firewall-cmd --reload(2)特定IP192.168.31.130可访问本机2192端口
firewall-cmd --permanent --add-rich-rule="rule family="ipv4" source address="192.168.31.130" port protocol="tcp" port="2192" accept"
firewall-cmd --reload(3)特定IP段192.168.142.0/24可访问本机2192端口
firewall-cmd --permanent --add-rich-rule="rule family="ipv4" source address="192.168.142.0/24" port protocol="tcp" port="2192" accept"
firewall-cmd --reload2、添加zookeeper系统服务启动脚本
获取当前服务器PATH路径信息,并将此信息添加到zookeeper系统服务中
echo $PATH
/usr/local/jdk1.8.0_231/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin
cat >/usr/lib/systemd/system/zookeeper.service<<EOF
[Unit]
Description=Zookeeper
After=network.target
[Service]
Type=forking
Environment=ZOO_LOG_DIR=/usr/local/zookeeper/logs
Environment=PATH=/usr/local/jdk1.8.0_231/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin
PIDFile=/usr/local/zookeeper/data/zookeeper/zookeeper_server.pid
ExecStart=/usr/local/zookeeper/bin/zkServer.sh start
ExecStop=/usr/local/zookeeper/bin/zkServer.sh stop
ExecRestart=/usr/local/zookeeper/bin/zkServer.sh restart
User=middleware
Group=middleware
[Install]
WantedBy=multi-user.target
EOF3、配置zookeeper系统服务及自启动
systemctl daemon-reload
systemctl enable zookeeper.service4、启动与停止zookeeper服务
systemctl start zookeeper
ps -ef|grep zookeeper
systemctl stop zookeeper3. Zookeeper加固
3.1 最小化权限用户启动
? 用户名请自行定义
groupadd -r middleware && useradd -s /sbin/nologin -r -M -g middleware middleware3.2 预防DOS攻击
? 限制zookeeper客户端的最大连接数。
vi /usr/local/zookeeper/conf/zoo.cfg
maxClientCnxns=603.3 修改默认2181端口
? 默认情况下,zookeeper默认使用2181端口,请修改默认监听端口,如本文档使用的是2192
vi /usr/local/zookeeper/conf/zoo.cfg
clientPort=21923.4 禁用管理控制台
? 如不需要使用zookeeper的管理控制台,建议禁用(zookeeper的管理控制台是由jetty启动的,默认为http,存在一定的信息泄露及安全隐患。)
? 操作指导:
在bin/zkServer.sh文件中,将如下
vi /usr/local/zookeeper/bin/zkServer.sh
start)
echo -n "Starting zookeeper ... "
if [ -f "$ZOOPIDFILE" ]; then
if kill -0 `cat "$ZOOPIDFILE"` > /dev/null 2>&1; then
echo $command already running as process `cat "$ZOOPIDFILE"`.
exit 1
fi
fi
nohup "$JAVA" $ZOO_DATADIR_AUTOCREATE "-Dzookeeper.log.dir=${ZOO_LOG_DIR}" \
"-Dzookeeper.log.file=${ZOO_LOG_FILE}" "-Dzookeeper.root.logger=${ZOO_LOG4J_PROP}" \
修改为(即在nohup这一行,添加 "-Dzookeeper.admin.enableServer=false")
start)
echo -n "Starting zookeeper ... "
if [ -f "$ZOOPIDFILE" ]; then
if kill -0 `cat "$ZOOPIDFILE"` > /dev/null 2>&1; then
echo $command already running as process `cat "$ZOOPIDFILE"`.
exit 1
fi
fi
nohup "$JAVA" $ZOO_DATADIR_AUTOCREATE "-Dzookeeper.log.dir=${ZOO_LOG_DIR}" \
"-Dzookeeper.log.file=${ZOO_LOG_FILE}" "-Dzookeeper.admin.enableServer=false" "-Dzookeeper.root.logger=${ZOO_LOG4J_PROP}" \3.5 日志清理
? 建议设置对zookeeper日志的定期清理功能,在配置文件中清理日志策略,如下所示:
vi /usr/local/zookeeper/conf/zoo.cfg
autopurge.snapRetainCount=10
autopurge.purgeInterval=24
参数说明:
autopurge.snapRetainCount=10 //保留多少个快照
autopurge.purgeInterval=24 //多少小时清理一次3.6 配置事务日志与快照日志分离
vi /usr/local/zookeeper/conf/zoo.cfg
dataDir=/usr/local/zookeeper/data/zookeeper
dataLogDir=/usr/local/zookeeper/dataLog3.7 添加对zookeeper的指定IP授权访问
? zookeeper在默认情况下,是允许任意客户端未经授权访问,存在很大的安全隐患。具体连接指令如下:
/usr/local/zookeeper/bin/zkCli.sh -server 127.0.0.1:2192
WatchedEvent state:SyncConnected type:None path:null //敲回车? 等待输入操作指令,如创建用户、授权等
[zk: 127.0.0.1:2192(CONNECTED) 0]? getAcl / 表示查看当前权限 quit 表示退出客户端连接
[zk: 127.0.0.1:2192(CONNECTED) 3] getAcl /
'world,'anyone
: cdrwa? 添加可访问IP,一组可访问ip间以符号,隔开,格式如下
[zk: 127.0.0.1:2192(CONNECTED) 3]
setAcl / ip:192.168.31.130:cdrwa,ip:127.0.0.1:cdrwa? 查看权限是否添加成功
[zk: 127.0.0.1:2192(CONNECTED) 3] getAcl /
'ip,'192.168.31.130
: cdrwa
'ip,'127.0.0.1
: cdrwa? 回退方法
[zk: 127.0.0.1:2192(CONNECTED) 3] setAcl / world:anyone:cdrwa? zookeeper身份的认证有4种方式:
(1)world:默认方式,相当于全世界都能访问
(2)auth:代表已经认证通过的用户(cli中可以通过addauth digest user:pwd 来添加当前上下文中的授权用户)
(3)digest:即用户名:密码这种方式认证,这也是业务系统中最常用的,用username:password 字符串来产生一个MD5串,然后该串被用来作为ACL ID,认证是通过明文发送username:password 来进行的,当用在ACL时,表达式为username:base64 ,base64是password的SHA1摘要的编码;
(4)ip:使用Ip地址认证
? ID授权对象ID是指,权限赋予的用户或者一个实体,例如:IP 地址或者机器,授权模式 授权对象有:
(1)IP:通常是一个IP地址或IP段,例如“192.168.29.100”或“192.168.29.100/110”
(2)Digest:自定义,通常是“username:BASE64(SHA-1(username:password))”,例如"foo:kWN6aNsbjcKWpqjiV7cg0N24raU="
(3)Word 只有一个ID:“anyone”
(4)Super:与Digest模式一致
? zookeeper支持的权限有5种分别是(其中delete是指对子节点的删除权限,其它4种权限指对自身节点的操作权限)
cdrwa:
create: 可以创建子节点;
read: 可以获取节点数据以及当前节点的子节点列表;
write: 可以为节点设置数据;
delete: 可以删除子节点;
admin: 可以为节点设置权限。3.8 账号与认证
1、通过zkCli.cmd 进入zookeeper客户端
/usr/local/zookeeper/bin/zkCli.sh -server 127.0.0.1:2192
WatchedEvent state:SyncConnected type:None path:null //敲回车
2、使用auth方式加密,添加用户名crm和密码pwd
addauth digest crm:crm#pwd
3、授予/dubbo auth权限
setAcl /dubbo auth:crm:crm#pwd:rwadc
4、查看目录加密后的权限
getAcl /dubbo3.9 配置防火墙策略
? 根据操作系统的不同,参考2.2章节(注意如果是配置特定IP地址访问时,也要添加3.7章节中添加的指定IP)
3.10 定期升级
? 使用官方最新稳定版本
4. Zookeeper优化
4.1 优化内核参数
cat >>/etc/sysctl.conf<<EOF
fs.file-max = 6815744
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_fin_timeout = 30
net.ipv4.ip_local_port_range = 10000 65000
net.ipv4.tcp_max_syn_backlog = 8192
net.ipv4.tcp_max_tw_buckets = 10000
net.core.somaxconn=4000
net.ipv4.tcp_syncookies = 1
net.core.netdev_max_backlog = 262144
net.ipv4.tcp_max_orphans = 262144
EOF
sysctl -p4.2 系统资源限制
cat >>/etc/security/limits.conf<<EOF
* soft nofile 65525
* hard nofile 65525
* soft nproc 65525
* hard nproc 65525
EOF5. 结束
猜你喜欢
- 2024-11-05 centos7手工搭建部署Java web 环境(jdk、tomcat)
- 2024-11-05 linux安装jdk教程(linux安装jdk1.8步骤)
- 2024-11-05 Java环境快速搭建(javaee环境搭建)
- 2024-11-05 Linux入门指南-搭建JAVAEE开发环境
- 2024-11-05 干 java 开发3年了,你还不知道 Linux 中有三种方式安装 JDK?
- 2024-11-05 linux 安装基础软件-jdk-mysql-tomcat
- 2024-11-05 Linux下JDK到底应该安装在哪儿?(linuxjdk安装路径)
- 2024-11-05 构建高可用ZooKeeper集群(高可用集群搭建详细步骤)
- 2024-11-05 Linux上安装jdk Tomcat mysql redis等教程
- 2024-11-05 Java开发必会的Linux命令(java开发用什么linux)
- 最近发表
-
- 使用Knative部署基于Spring Native的微服务
- 阿里p7大佬首次分享Spring Cloud学习笔记,带你从0搭建微服务
- ElasticSearch进阶篇之搞定在SpringBoot项目中的实战应用
- SpringCloud微服务架构实战:类目管理微服务开发
- SpringBoot+SpringCloud题目整理
- 《github精选系列》——SpringBoot 全家桶
- Springboot2.0学习2 超详细创建restful服务步骤
- SpringCloud系列:多模块聚合工程基本环境搭建「1」
- Spring Cloud Consul快速入门Demo
- Spring Cloud Contract快速入门Demo
- 标签列表
-
- cmd/c (57)
- c++中::是什么意思 (57)
- sqlset (59)
- ps可以打开pdf格式吗 (58)
- phprequire_once (61)
- localstorage.removeitem (74)
- routermode (59)
- vector线程安全吗 (70)
- & (66)
- java (73)
- org.redisson (64)
- log.warn (60)
- cannotinstantiatethetype (62)
- js数组插入 (83)
- resttemplateokhttp (59)
- gormwherein (64)
- linux删除一个文件夹 (65)
- mac安装java (72)
- reader.onload (61)
- outofmemoryerror是什么意思 (64)
- flask文件上传 (63)
- eacces (67)
- 查看mysql是否启动 (70)
- java是值传递还是引用传递 (58)
- 无效的列索引 (74)