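KingbaseES V8R6 Cluster Operations Case Study: Changing the SSH Port on a Read/Write-Splitting Cluster
Case description:
After a KingbaseES V8R6 cluster has been deployed and is running, production security requirements may call for changing the default SSH port. Because the cluster nodes establish mutual trust over SSH by default, changing the system's SSH port affects SSH connections between the cluster nodes. This case describes how to modify the cluster configuration to accommodate a change of the system's SSH port.
Applicable version: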
KingbaseES V8R6
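Cluster architecture:
Notes on the procedure:
1) This case was carried out in a general-purpose machine environment.
2) To keep the cluster running after the SSH port change, only the variable in the repmgr.conf file needs to be modified.
I. Check the current cluster status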
[kingbase@node2 bin]$ ./repmgr cluster show
ID | Name | Role | Status | Upstream | Location | Priority | Timeline | Connection string
----+---------+---------+-----------+----------+----------+----------+----------+----------------
1 | node248 | standby | running | node249 | default | 100 | 6 | host=192.168.7.248 user=esrep dbname=esrep port=54321 connect_timeout=10 keepalives=1 keepalives_idle=10 keepalives_interval=1 keepalives_count=3
2 | node249 | primary | * running | | default | 100 | 6 | host=192.168.7.249 user=esrep dbname=esrep port=54321 connect_timeout=10 keepalives=1 keepalives_idle=10 keepalives_interval=1 keepalives_count
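II. Change the SSH port in the operating system and in the cluster configuration file (all nodes)
1) Check the system's original SSH port (default 22)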
[kingbase@node2 bin]$ netstat -antlp |grep 22
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
tcp 0 0 192.168.122.1:53 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 192.168.7.249:22 192.168.7.116:55883 ESTABLISHED -
tcp6 0 0 :::22 :::* LISTEN -
2) Check the SSH port used in the cluster's repmgr.conf
[kingbase@node2 bin]$ cat ../etc/repmgr.conf|grep ssh
ssh_options='-q -o ConnectTimeout=10 -o StrictHostKeyChecking=no -o ServerAliveInterval=2 -o ServerAliveCountMax=5 -p 22'
=== By default, -p 22 specifies the cluster's SSH communication port ===
3) Modify the operating system configuration
[root@node1 ~]# cat /etc/ssh/sshd_config|grep -i Port
# If you want to change the port on a SELinux system, you have to tell
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
Port 2222
[kingbase@node101 data]$ cat /etc/services |grep -i ssh
ssh 2222/tcp # The Secure Shell (SSH) Protocol
ssh 2222/udp # The Secure Shell (SSH) Protocol
4) Change the cluster's SSH communication port (to 2222)
[kingbase@node1 bin]$ cat ../etc/repmgr.conf |grep ssh
ssh_options='-q -o ConnectTimeout=10 -o StrictHostKeyChecking=no -o ServerAliveInterval=2 -o ServerAliveCountMax=5 -p 2222'
5) Restart the sshd service
[root@node1 ~]# systemctl restart sshd
[root@node1 ~]# netstat -an |grep 22
tcp 0 0 0.0.0.0:2222 0.0.0.0:* LISTEN
6) Test an SSH connection over the non-default port
[root@node1 ~]# ssh -p 2222 node2
Last failed login: Mon Mar 1 17:06:07 CST 2021 from 192.168.7.116 on ssh:notty
There were 2 failed login attempts since the last successful login.
Last login: Mon Mar 1 16:43:29 2021 from 192.168.7.249
=== As shown above, the SSH trust relationship works normally after the port change ===
7) Test restarting the cluster with sys_monitor.sh
[kingbase@node1 bin]$ ./sys_monitor.sh restart
2021-03-01 17:29:55 Ready to stop all DB ...
......
2021-03-01 17:30:32 repmgrd on "[192.168.7.249]" start success.
ID | Name | Role | Status | Upstream | repmgrd | PID | Paused? | Upstream last seen
----+---------+---------+-----------+----------+---------+-------+---------+--------------------
1 | node248 | standby | running | node249 | running | 16767 | no | 0 second(s) ago
2 | node249 | primary | * running | | running | 17865 | no | n/a
2021-03-01 17:30:38 Done.
8) Check the cluster node status
[kingbase@node1 bin]$ ./repmgr cluster show
ID | Name | Role | Status | Upstream | Location | Priority | Timeline | Connection string
----+---------+---------+-----------+----------+----------+----------+----------+----------------
1 | node248 | standby | running | node249 | default | 100 | 6 | host=192.168.7.248 user=esrep dbname=esrep port=54321 connect_timeout=10 keepalives=1 keepalives_idle=10 keepalives_interval=1 keepalives_count=3
2 | node249 | primary | * running | | default | 100 | 6 | host=192.168.7.249 user=esrep dbname=esrep port=54321 connect_timeout=10 keepalives=1 keepalives_idle=10 keepalives_interval=1 keepalives_count
=== As shown above, cluster communication is normal after the SSH port change ===
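An added example, not part of the original post or of KingbaseES: a shell check that the -p port in repmgr.conf's ssh_options is one of the Port values in sshd_config, which is the condition steps 3) and 4) have to establish on every node. The function names and the sample files are constructed for illustration, and the check assumes Port is set in the main sshd_config file rather than in an Include drop-in.

```shell
#!/bin/sh
# Added example (not from the original post): verify that repmgr.conf and
# sshd_config agree on the SSH port before sshd is restarted.

# Port passed with -p in ssh_options; ssh itself falls back to 22 when -p is absent.
repmgr_ssh_port() {
    port=$(sed -n "s/^[[:space:]]*ssh_options[[:space:]]*=.*[[:space:]'\"]-p[[:space:]]*\([0-9][0-9]*\).*/\1/p" "$1" | tail -n 1)
    echo "${port:-22}"
}

# Every uncommented Port directive in an sshd_config-style file; sshd uses 22 when none is set.
# Assumption: Port lives in this file, not in an Include drop-in.
sshd_ports() {
    ports=$(awk 'tolower($1) == "port" && $2 ~ /^[0-9]+$/ { print $2 }' "$1")
    echo "${ports:-22}"
}

# Exit status 0 when the repmgr port is one of the sshd ports, 1 otherwise.
check_ssh_port() {
    want=$(repmgr_ssh_port "$1")
    for p in $(sshd_ports "$2"); do
        if [ "$p" = "$want" ]; then
            echo "OK: repmgr.conf and sshd_config agree on port $want"
            return 0
        fi
    done
    echo "MISMATCH: repmgr.conf uses -p $want, sshd_config lists: $(sshd_ports "$2" | tr '\n' ' ')"
    return 1
}

# Constructed sample files modelled on the excerpts shown in this post.
demo_dir=$(mktemp -d)
cat > "$demo_dir/repmgr.conf.before" <<'EOF'
ssh_options='-q -o ConnectTimeout=10 -o StrictHostKeyChecking=no -o ServerAliveInterval=2 -o ServerAliveCountMax=5 -p 22'
EOF
cat > "$demo_dir/sshd_config" <<'EOF'
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
Port 2222
EOF
# sshd_config already says 2222 while repmgr.conf still says -p 22: a mismatch.
check_ssh_port "$demo_dir/repmgr.conf.before" "$demo_dir/sshd_config" || true
# After the edit from step 4) the two files agree.
sed 's/-p 22/-p 2222/' "$demo_dir/repmgr.conf.before" > "$demo_dir/repmgr.conf.after"
check_ssh_port "$demo_dir/repmgr.conf.after" "$demo_dir/sshd_config" || true
```

On a real node, pass ../etc/repmgr.conf and /etc/ssh/sshd_config as the two arguments and repeat the check on every node.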
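III. Summary
Changing the SSH port after a KingbaseES V8R6 cluster has been deployed is fairly simple. However, sys_backup.sh still uses SSH connections when performing a physical database backup, so changing the SSH port affects backups run through sys_backup.sh. For how to handle sys_backup.sh after changing the SSH port, see the separate blog post "KingbaseES V8R6 Cluster Operations Case Study: Running a sys_backup.sh Backup After Changing the SSH Port".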