MongoDB 副本集+分片认证方式搭建

参考资料：

https://www.cnblogs.com/ityouknow/p/7344005.html
https://jorwen-fang.iteye.com/blog/2031756
https://www.cnblogs.com/bjx2020/p/9350232.html
https://www.jb51.net/article/161315.htm
https://blog.51cto.com/beigai/1751381

环境规划：

服务器1:192.168.142.138   　　服务器1:192.168.142.139   　　服务器1:192.168.142.140
mongos:20000   　　　　　　　 mongos:20000    　　　　　　　mongos:20000
config:21000   　　　　　　　　 config:21000   　　　　　　　    config:21000
shard1:28001(主节点)   　　　　shard1:28001(副本节点)   　　　shard1:28001(仲裁节点)
shard2:28002(仲裁节点)   　　　shard2:28002(主节点)   　　　　shard2:28002(副本节点)
shard3:28003(副本节点)   　　　shard3:28003(仲裁节点)   　　　shard3:28003(主节点)

首先安装依赖包：

yum -y install ntp lrzsz nmap tree dos2unix nc vim zip unizp telnet dstat

#1. 关闭SElinux

sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config

grep SELINUX=disabled /etc/selinux/config

setenforce

getenforce

#2. 关闭iptables

/etc/init.d/iptables stop # 执行两次，确保关闭。

/etc/init.d/iptables stop

chkconfig iptables off

#3. 时间同步

echo "#time sync by oldboy at 2019-7-30" >>/var/spool/cron/root

echo '*/5 * * * * /usr/sbin/ntpdate time.nist.gov >/dev/null 2>&1' >>/var/spool/cron/root

crontab -l

#4. 加大文件描述

cat >>/etc/security/limits.conf<<"EOF"

#

*           soft   nofile

*           hard   nofile

*           soft   nproc

*           hard   nproc        

mongodb soft nofile

mongodb hard nofile

mongodb soft nproc

mongodb hard nproc 

EOF

tail - /etc/security/limits.conf

echo "mongodb  ALL=(ALL)       NOPASSWD: ALL" >>/etc/sudoers

#5. 内核优化

cp /etc/sysctl.conf /etc/sysctl.conf-$(date +%F).bak

cat >> /etc/sysctl.conf << "EOF"

net.ipv4.ip_forward =

net.ipv4.conf.default.rp_filter =

net.ipv4.conf.default.accept_source_route =

kernel.sysrq =

kernel.core_uses_pid =

net.ipv4.tcp_syncookies =

kernel.msgmnb =

kernel.msgmax =

kernel.shmmax =

kernel.shmall =

net.ipv4.tcp_max_tw_buckets =

net.ipv4.tcp_sack =

net.ipv4.tcp_window_scaling =

net.ipv4.tcp_rmem =

net.ipv4.tcp_wmem =

net.core.wmem_default =

net.core.rmem_default =

net.core.rmem_max =

net.core.wmem_max =

net.core.netdev_max_backlog =

net.core.somaxconn =

net.ipv4.tcp_max_orphans =

net.ipv4.tcp_max_syn_backlog =

net.ipv4.tcp_timestamps =

net.ipv4.tcp_synack_retries =

net.ipv4.tcp_syn_retries =

net.ipv4.tcp_tw_recycle =

net.ipv4.tcp_tw_reuse =

net.ipv4.tcp_mem =

net.ipv4.tcp_fin_timeout =

net.ipv4.tcp_keepalive_time =

net.ipv4.ip_local_port_range =

#net.ipv4.icmp_echo_ignore_all =   #禁ping，如果有nagios监控，这步可省去

# 以下参数是对iptables防火墙的优化，防火墙不开，会有提示，可以忽略不理。

net.nf_conntrack_max=

net.netfilter.nf_conntrack_tcp_timeout_established=

net.netfilter.nf_conntrack_tcp_timeout_time_wait=

net.netfilter.nf_conntrack_tcp_timeout_close_wait=

net.netfilter.nf_conntrack_tcp_timeout_fin_wait=

EOF

/sbin/sysctl -p

echo "sysctl set OK!!"

# 6、系统优化

echo "never" >/sys/kernel/mm/transparent_hugepage/enabled

echo "never" >/sys/kernel/mm/transparent_hugepage/defrag

cat >> /etc/rc.local <<"EOF"

echo "never" > /sys/kernel/mm/transparent_hugepage/enabled

echo "never" > /sys/kernel/mm/transparent_hugepage/defrag

EOF

# 7、添加用户

useradd -d /data/mongodb mongodb

echo "mongodbpwd" | passwd --stdin mongodb

# 8、修改主机配置

cat >>/etc/hosts<<EOF

192.168.142.138  mongodb1

192.168.142.139  mongodb2

192.168.142.140  mongodb3

EOF

# 9、下载安装

cd /opt/

wget http://downloads.mongodb.org/linux/mongodb-linux-x86_64-rhel62-v3.4-latest.tgz

# 注意系统时间同步

/usr/sbin/ntpdate ntp1.aliyun.com

tar -zxf mongodb-linux-x86_64-rhel62-v3.-latest.tgz

ln -s /opt/mongodb-linux-x86_64-rhel62-3.4.--gaa313e18da/ /data/mongodb/mongodb

chown -R mongodb.mongodb /opt/mongodb-linux-x86_64-rhel62-3.4.--gaa313e18da/

# 10、创建相应的目录

su - mongodb

#建立mongos及日志目录

mkdir -p /data/mongodb/mongos/log

#建立config server 数据文件存放目录

mkdir -p /data/mongodb/config/data

#建立config server 日志文件存放目录

mkdir -p /data/mongodb/config/log

#建立shard1 数据文件存放目录

mkdir -p /data/mongodb/shard1/data

#建立shard1 日志文件存放目录

mkdir -p /data/mongodb/shard1/log

#建立shard2 数据文件存放目录

mkdir -p /data/mongodb/shard2/data

#建立shard2 日志文件存放目录

mkdir -p /data/mongodb/shard2/log

#建立shard3 数据文件存放目录

mkdir -p /data/mongodb/shard3/data

#建立shard3 日志文件存放目录

mkdir -p /data/mongodb/shard3/log

#秘钥目录文件

mkdir -p /data/mongodb/keys_file

# 11、配置文件编写

# Config server配置

# 需要在 su - mongodb

cat >/data/mongodb/config/mongo.conf <<"EOF"

dbpath=/data/mongodb/config/data/

logpath=/data/mongodb/config/log/config.log

logappend=true

#打开web监控

httpinterface=true

rest=true

maxConns=

bind_ip=0.0.0.0

port=

fork=true

configsvr=true

replSet=cfgrps

#auth=true

#keyFile=/data/mongodb/keys_file/keyfile.key

EOF

# shard1

# 需要在 su - mongodb

cat > /data/mongodb/shard1/shard1.conf <<"EOF"

dbpath=/data/mongodb/shard1/data

logpath=/data/mongodb/shard1/log/shard1.log

logappend=true

#打开web监控

httpinterface=true

rest=true

maxConns=

bind_ip=0.0.0.0

port=

fork=true

replSet=shard1

shardsvr=true

journal=false

#auth=true

#keyFile=/data/mongodb/keys_file/keyfile.key

EOF

# shard2

# 需要在 su - mongodb

cat > /data/mongodb/shard2/shard2.conf <<"EOF"

dbpath=/data/mongodb/shard2/data

logpath=/data/mongodb/shard2/log/shard2.log

logappend=true

#打开web监控

httpinterface=true

rest=true

maxConns=

bind_ip=0.0.0.0

port=

fork=true

replSet=shard2

shardsvr=true

journal=false

#auth=true

#keyFile=/data/mongodb/keys_file/keyfile.key

EOF

# shard3

# 需要在 su - mongodb

cat > /data/mongodb/shard3/shard3.conf <<"EOF"

dbpath=/data/mongodb/shard3/data

logpath=/data/mongodb/shard3/log/shard3.log

logappend=true

#打开web监控

httpinterface=true

rest=true

maxConns=

bind_ip=0.0.0.0

port=

fork=true

replSet=shard3

shardsvr=true

journal=false

#auth=true

#keyFile=/data/mongodb/keys_file/keyfile.key

EOF

# mongos

# 需要在 su - mongodb

cat >/data/mongodb/mongos/mongos.conf <<"EOF"

logpath=/data/mongodb/mongos/log/mongos.log

logappend=true

#打开web监控

httpinterface=true

#rest=true

maxConns=

port=

fork=true

configdb=cfgrps/192.168.142.138:,192.168.142.139:,192.168.142.140:

#keyFile=/data/mongodb/keys_file/keyfile.key

EOF

# 12、生产key认证文件

echo "DliTNL0mHEeGk8QPxtlH" >/data/mongodb/keys_file/keyfile.key

#设置文件的权限为400，不然服务无法启动

chmod  /data/mongodb/keys_file/keyfile.key

注意：上面配置文件，我是先把密码认证等注释掉了，方便先启动，后创建用户，启用认证。

#三、集群初始化

# 启动 config server 服务

cat >>/data/mongodb/.bashrc<<"EOF"

alias mongo_config_start_21000="numactl --interleave=all /data/mongodb/mongodb/bin/mongod -f /data/mongodb/config/mongo.conf"

alias mongo_config_login_21000="/data/mongodb/mongodb/bin/mongo --port 21000 --host 127.0.0.1"

EOF

source ~/.bash_profile

# 登录第一台 192.168.142.138

/data/mongodb/mongodb/bin/mongo --port  --host 192.168.142.138

use admin

config={_id:"cfgrps",configsvr:true,members:[{_id:,host:"192.168.142.138:21000"},{_id:,host:"192.168.142.139:21000"},{_id:,host:"192.168.142.140:21000"}]}

rs.initiate(config)

# 启动shard1

# 启动shard1

cat >>/data/mongodb/.bashrc<<"EOF"

alias mongo_shard1_start_28001="numactl --interleave=all /data/mongodb/mongodb/bin/mongod -f /data/mongodb/shard1/shard1.conf"

alias mongo_shard1_login_28001="/data/mongodb/mongodb/bin/mongo --port 21000 --host 127.0.0.1"

alias mongo_shard2_start_28002="numactl --interleave=all /data/mongodb/mongodb/bin/mongod -f /data/mongodb/shard2/shard2.conf"

alias mongo_shard2_login_28002="/data/mongodb/mongodb/bin/mongo --port 21000 --host 127.0.0.1"

alias mongo_shard3_start_28003="numactl --interleave=all /data/mongodb/mongodb/bin/mongod -f /data/mongodb/shard3/shard3.conf"

alias mongo_shard3_login_28003="/data/mongodb/mongodb/bin/mongo --port 21000 --host 127.0.0.1"

EOF

source ~/.bash_profile

# 登录第一台shard1 192.168.142.138
/data/mongodb/mongodb/bin/mongo --port 28001 --host 192.168.142.138
use admin;
config = { _id:"shard1",members:[ {_id:0,host:"192.168.142.138:28001"}, {_id:1,host:"192.168.142.139:28001"},{_id:2,host:"192.168.142.140:28001",arbiterOnly:true}] }
rs.initiate(config)

# 登录第二台shard2 192.168.142.139

/data/mongodb/mongodb/bin/mongo --port  --host 192.168.142.139

use admin;

config = { _id:"shard2",members:[ {_id:,host:"192.168.142.138:28002",arbiterOnly:true}, {_id:,host:"192.168.142.139:28002"},{_id:,host:"192.168.142.140:28002"}] }

rs.initiate(config)

# 登录第三台shard3 192.168.142.140

/data/mongodb/mongodb/bin/mongo --port  --host 192.168.142.140

use admin;

config = { _id:"shard3",members:[ {_id:,host:"192.168.142.138:28003"}, {_id:,host:"192.168.142.139:28003",arbiterOnly:true},{_id:,host:"192.168.142.140:28003"}] }

rs.initiate(config)

# 登录主节点, 添加存储集群的管理账号

/data/mongodb/mongodb/bin/mongo --port  --host 192.168.142.139

/data/mongodb/mongodb/bin/mongo --port  --host 192.168.142.140

/data/mongodb/mongodb/bin/mongo --port  --host 192.168.142.140

use admin

db.createUser({user: "root",pwd: "",roles: [ { role: "root", db: "admin" } ]})

# 启动mongos 服务

cat >>/data/mongodb/.bashrc<<"EOF"

alias mongos_start_20000="numactl --interleave=all /data/mongodb/mongodb/bin/mongos -f /data/mongodb/mongos/mongos.conf"

alias mongos_login_20000="/data/mongodb/mongodb/bin/mongo --port 20000 --host 127.0.0.1"

EOF

 source ~/.bash_profile

numactl --interleave=all /data/mongodb/mongodb/bin/mongos -f /data/mongodb/mongos/mongos.conf

# 添加config server的管理账号,登录任意一个mongos节点

/data/mongodb/mongodb/bin/mongo --port  --host 127.0.0.1

use admin

db.createUser({user: "root",pwd: "",roles: [ { role: "root", db: "admin" } ]})

# 登录mongos，添加分片

/data/mongodb/mongodb/bin/mongo --port  --host 127.0.0.1

use admin

db.auth('root','')

#添加分片

sh.addShard('shard1/192.168.142.138:28001,192.168.142.139:28001,192.168.142.140:28001')

sh.addShard('shard2/192.168.142.138:28002,192.168.142.139:28002,192.168.142.140:28002')

sh.addShard('shard3/192.168.142.138:28003,192.168.142.139:28003,192.168.142.140:28003')

#查看分片状态

sh.status()

# 关闭所有服务

for i in `ps -ef| grep -Ei 'bin/mongod|bin/mongos'|grep -v 'grep'| awk '{print $2}'`; do kill - $i; done

# 启用认证文件认证方式，修改配置文件，去掉如下注释

#auth=true

#keyFile=/data/mongodb/keys_file/keyfile.key

sed -i 's/#auth=true/auth=true/' /data/mongodb/config/mongo.conf

sed -i 's/#keyFile=/keyFile=/'   /data/mongodb/config/mongo.conf

sed -i 's/#auth=true/auth=true/' /data/mongodb/shard1/shard1.conf

sed -i 's/#keyFile=/keyFile=/'   /data/mongodb/shard1/shard1.conf

sed -i 's/#auth=true/auth=true/' /data/mongodb/shard2/shard2.conf

sed -i 's/#keyFile=/keyFile=/'   /data/mongodb/shard2/shard2.conf

sed -i 's/#auth=true/auth=true/' /data/mongodb/shard3/shard3.conf

sed -i 's/#keyFile=/keyFile=/'   /data/mongodb/shard3/shard3.conf

# sed -i '/auth=true/d' /data/mongodb/mongos/mongos.conf

sed -i 's/#keyFile=/keyFile=/'   /data/mongodb/mongos/mongos.conf

# 服务异常重启，需要删除lock文件

# find /data/mongodb/*/ -name *.lock | xargs rm -f "{}" \;

mongo_config_start_21000
mongo_shard1_start_28001
mongo_shard2_start_28002
mongo_shard3_start_28003
mongos_start_20000

# 查看服务进程
ps -ef|grep mongodb/bin|grep -v 'grep'

# 启用认证后，登录mongos

[mongodb@mongodb1 ~]$ mongos_login_20000

MongoDB shell version v3.4.21--gaa313e18da

connecting to: mongodb://127.0.0.1:20000/

MongoDB server version: 3.4.--gaa313e18da

mongos> show dbs

--31T13::28.568+ E QUERY    [thread1] Error: listDatabases failed:{

    "ok" : ,

    "errmsg" : "not authorized on admin to execute command { listDatabases: 1.0 }",

    "code" : ,

    "codeName" : "Unauthorized"

} :

_getErrorWithCode@src/mongo/shell/utils.js::

Mongo.prototype.getDBs@src/mongo/shell/mongo.js::

shellHelper.show@src/mongo/shell/utils.js::

shellHelper@src/mongo/shell/utils.js::

@(shellhelp2)::

mongos> use admin

switched to db admin

mongos> db.auth('root','');

mongos> 

# 或者直接登录

/data/mongodb/mongodb/bin/mongo -u root -p "" --port  --host 127.0.0.1 --authenticationDatabase admin mongodb_test

# 创建数据库、集合并记载分片数据

use admin

db.runCommand({"enablesharding":"mongodb_test"})

db.runCommand({"shardcollection":"mongodb_test.results","key":{user_id:"hashed"}})

use mongodb_test

db.results.ensureIndex({user_id:"hashed"}, {background: true})

for (var i=;i<=;i++) db.results.insert({"ip" : "192.168.100.254","g_roup": "gateway","mac" :"oc:eg:23:7d:2b:8g","address" :"jiuxianqiaohanhaiguoji113","user_id" : i,"name" :"user10000000","title" :"system","database" :"mongodb","telphone" :NumberLong(""),"mail" :"enu@163.com.com","os" :"win10","company" : "zjfound"})

# 登录其中一个shard1

mongo  --port

shard3:PRIMARY> use admin;

shard3:PRIMARY> show dbs;

admin         .000GB

local         .002GB

mongodb_test  .004GB

shard3:PRIMARY> db.results.findOne();

{

    "_id" : ObjectId("5d412cf4e475bc17f0657a57"),

    "ip" : "192.168.100.254",

    "g_roup" : "gateway",

    "mac" : "oc:eg:23:7d:2b:8g",

    "address" : "jiuxianqiaohanhaiguoji113",

    "user_id" : ,

    "name" : "user10000000",

    "title" : "system",

    "database" : "mongodb",

    "telphone" : NumberLong(""),

    "mail" : "enu@163.com.com",

    "os" : "win10",

    "company" : "zjfound"

}

shard3:PRIMARY>

# 交付业务方

#登录任意一个mongos节点

use admin

db.auth('root','')

#切到业务数据库

use mongodb_test

#建立读写账号

db.createUser({user: "mongodb_test_rw",pwd: "",roles: [{ role: "readWrite", db: "mongodb_test" },{ role: "dbOwner", db: "mongodb_test" }]})

#建立只读账号(根据业务需求确认是否需要)
db.createUser({user: "mongodb_test_r",pwd: "123456",roles: [ { role: "read", db: "mongodb_test" } ]})

# 交付开发人员信息

连接地址：192.168.142.138:, 192.168.142.139:, 192.168.142.140:

库名：mongodb_test

账号：mongodb_test_rw

密码：

# 后期开启分片方法(另一种)

/*

        #指定testdb分片生效

        db.runCommand( { enablesharding :"testdb"});

        #指定数据库里需要分片的集合和片键

        db.runCommand( { shardcollection : "testdb.table1",key : {id: 1} } )

*/

#指定需要分片的数据库
mongos> sh.enableSharding("yw_db") 

#在yw_db数据库的users集合中创建了name和age为升序的片键
mongos> sh.shardCollection("yw_db.users",{name:1,age:1}) 

# 查看分片状态 
sh.status()

# 附录：iptables添加

iptables -I INPUT -s 192.168.142.0/ -i eth0 -p tcp -m tcp --dport  -j ACCEPT

iptables -I INPUT -s 192.168.142.0/ -i eth0 -p tcp -m tcp --dport  -j ACCEPT

iptables -I INPUT -s 192.168.142.0/ -i eth0 -p tcp -m tcp --dport  -j ACCEPT

iptables -I INPUT -s 192.168.142.0/ -i eth0 -p tcp -m tcp --dport  -j ACCEPT

iptables -I INPUT -s 192.168.142.0/ -i eth0 -p tcp -m tcp --dport  -j ACCEPT

service iptables save

service iptables reload

# 导入数据

mongoimport  -u root -p ''  --port  --authenticationDatabase admin --db mongodb_test --collection fudao_course_log --type csv --headerline --ignoreBlanks --file fudao_course_log.csv