在實際項目中,Mycat服務也需要考慮高可用性,如果Mycat所在的服務器出現宕機,或者Mycat服務故障,需要有備機提供服務,需要考慮Mycat集羣。
高可用方案:
我們可以使用HAProxy+Keepalived配合兩臺Mycat搭起Mycat集羣,實現高可用性。HAProxy實現了Mycat多節點的集羣高可用和負載均衡,而HAProxy自身的高可用則可以通過Keepalived來實現。
Mycat及主從可參考MySQL 中間件Mycat部署
一、安裝配置HAProxy
[root@haproxy ~]# wget https://src.fedoraproject.org/repo/pkgs/haproxy/haproxy-1.8.23.tar.gz/sha512/bfd65179345285f6f4581a7dce42e638b89e12717d4cb9218afa085759161e04b6c78307d04265a6c97cd484b67949781639da5236edb89137585c625130be4f/haproxy-1.8.23.tar.gz
[root@haproxy ~]# tar zxf haproxy-1.8.23.tar.gz
[root@haproxy ~]# cd haproxy-1.8.23/
#查看內核版本
[root@haproxy haproxy-1.8.23]# uname -r
3.10.0-514.el7.x86_64
#查看系統位數
[root@haproxy ~]# uname -m
x86_64
#進行編譯
[root@haproxy haproxy-1.8.23]# make TARGET=linux310 PREFIX=/usr/local/haproxy ARCH=x86_64
#編譯完成後安裝
[root@haproxy haproxy-1.8.23]# make install PREFIX=/usr/local/haproxy
[root@haproxy ~]# vim /usr/local/haproxy/haproxy.conf
global
log 127.0.0.1 local0
#log 127.0.0.1 local1 notice
#log loghost local0 info
maxconn 4096
chroot /usr/local/haproxy
pidfile /usr/local/haproxy/haproxy.pid
uid 99
gid 99
daemon
#debug
#quiet
defaults
log global
mode tcp
option abortonclose
option redispatch
retries 3
maxconn 2000
timeout connect 5000
timeout client 50000
timeout server 50000
listen proxy_status
bind :48066
mode tcp
balance roundrobin # 輪詢方式訪問mycat
server mycat_1 192.168.171.134:8066 check inter 10s
server mycat_2 192.168.171.140:8066 check inter 10s
frontend admin_stats
bind :7777
mode http
stats enable
option httplog
maxconn 10
stats refresh 30s
stats uri /admin
stats auth admin:123123
stats hide-version
stats admin if TRUE
[root@haproxy ~]# /usr/local/haproxy/sbin/haproxy -f /usr/local/haproxy/haproxy.conf # 啓動
[root@haproxy ~]# ss -anput | grep haproxy # 查看是否啓動
udp UNCONN 0 0 *:33498 *:* users:(("haproxy",pid=4535,fd=4))
tcp LISTEN 0 10 *:7777 *:* users:(("haproxy",pid=4535,fd=5))
tcp LISTEN 0 128 *:48066 *:* users:(("haproxy",pid=4535,fd=3))
瀏覽器訪問http://192.168.171.132:7777/admin(端口為上面 bind :7777,路徑為 stats uri /admin)
在彈出框輸入賬戶密碼(即配置中 stats auth 設置的 admin:123123;由於配置了 stats admin if TRUE,登錄後可直接操作後端節點,生產環境應更換為強密碼並限制 7777 端口的訪問來源)
驗證負載均衡,通過haproxy訪問Mycat
[root@haproxy ~]# mysql -umycat -p123456 -h192.168.171.132 -P48066
再次安裝配置一個haproxy服務器(配置方法同上)
#將之前的配置文件傳到新安裝的haproxy
[root@haproxy ~]# scp /usr/local/haproxy/haproxy.conf root@<haproxy2的IP>:/usr/local/haproxy/
#啓動haproxy2
[root@haproxy2 haproxy-1.8.23]# /usr/local/haproxy/sbin/haproxy -f /usr/local/haproxy/haproxy.conf
二、配置Keepalived
#在兩個haproxy主機上都安裝上Keepalived
#安裝依賴包
[root@haproxy ~]# yum -y install openssl-devel popt-devel kernel-devel
[root@haproxy ~]# tar zxf keepalived-2.0.20.tar.gz
[root@haproxy ~]# cd keepalived-2.0.20/
[root@haproxy keepalived-2.0.20]# ./configure --prefix=/ && make && make install
[root@haproxy ~]# vim /etc/keepalived/keepalived.conf
! Configuration File for keepalived
global_defs {
router_id LVS_DEVEL
}
vrrp_instance VI_1 {
state MASTER
interface ens33
virtual_router_id 51
priority 100
advert_int 1
authentication {
auth_type PASS
auth_pass 1111
}
virtual_ipaddress {
192.168.171.250 # VIP地址
}
}
virtual_server 192.168.171.250 48066 {
delay_loop 6
lb_algo rr
lb_kind NAT
persistence_timeout 50
protocol TCP
real_server 192.168.171.132 48066 {
weight 1
TCP_CHECK {
connect_timeout 3
retry 3
delay_before_retry 3
}
}
real_server 192.168.171.136 48066 {
weight 1
TCP_CHECK {
connect_timeout 3
retry 3
delay_before_retry 3
}
}
}
[root@haproxy ~]# systemctl start keepalived # 啓動服務
#將配置文件複製到haproxy2上
[root@haproxy ~]# scp /etc/keepalived/keepalived.conf root@<haproxy2的IP>:/etc/keepalived/
#修改haproxy2上的Keepalived配置文件(作為BACKUP節點)
! Configuration File for keepalived
global_defs {
router_id LVS_2 # 修改id
}
vrrp_instance VI_1 {
state BACKUP # 修改狀態
interface ens33
virtual_router_id 51
priority 50 # 優先級修改
advert_int 1
authentication {
auth_type PASS
auth_pass 1111
}
virtual_ipaddress {
192.168.171.250
}
}
[root@haproxy2 ~]# systemctl start keepalived
測試高可用,連接VIP地址進行管理mycat
[root@haproxy ~]# mysql -umycat -p123456 -h192.168.171.250 -P48066
mysql> show databases;
+----------+
| DATABASE |
+----------+
| TESTDB |
+----------+
1 row in set (0.00 sec)
Mycat安全設置
1、權限配置
1)user標籤權限控制
目前Mycat對於中間件的連接控制並沒有做太複雜的控制,只做了中間件邏輯庫級別的讀寫權限控制。
#修改server.xml配置文件user部分
<user name="mycat" defaultAccount="true">
<property name="password">123456</property>
<property name="schemas">TESTDB</property>
<property name="defaultSchema">TESTDB</property>
</user>
<user name="user">
<property name="password">user</property>
<property name="schemas">TESTDB</property>
<property name="readOnly">true</property>
<property name="defaultSchema">TESTDB</property>
</user>
2)privileges標籤權限控制
在user標籤下的privilege標籤可以對邏輯庫(schema)、表(table)進行精細化的DML權限控制。privileges標籤下的check屬性,如爲true開啓權限檢查,爲false不開啓,默認爲false。
由於Mycat一個用戶的schemas屬性可配置多個邏輯庫(schema),所以privileges的下級節點schema節點同樣可配置多個,對多庫多表進行細粒度的DML權限控制。
#修改server.xml的privileges部分
<!-- 表級 DML 權限設置 -->
<privileges check="false">
<schema name="TESTDB" dml="0110" >
<table name="tb01" dml="0000"></table>
<table name="tb02" dml="1111"></table>
</schema>
</privileges>
SQL攔截
firewall標籤用來定義防火牆;firewall下whitehost標籤用來定義IP白名單,blacklist用來定義SQL黑名單。
1、設置白名單
#server.xml配置文件
<firewall>
<whitehost>
<host host="192.168.171.250" user="root"/>
</whitehost>
</firewall>
2、設置黑名單
<firewall>
<whitehost>
<host host="192.168.171.250" user="root"/>
</whitehost>
<blacklist check="true">
<property name="deleteAllow">false</property>
</blacklist>
</firewall>
可以設置的黑名單SQL攔截列表