案例说明:
在KingbaseES V8R6集群启动时,会启动node_exporter进程,此进程主要用于向kmonitor监控服务输出节点状态信息。在系统安全漏洞扫描中,提示出现以下安全漏洞:
对于未使用kmonitor建立集群监控的环境,可以将此进程禁用,而不影响集群正常管理和运行。
一、kmonitor监控服务架构
连接集群时,主节点部署kingbase_exporter以及node_exporter,备节点仅部署node_exporter。单机部署时同时部署kingbase_exporter和node_exporter。
二、集群启动后node_export进程信息
# 查看进程信息
[kingbase@node102 bin]$ ps -ef |grep export
kingbase 23221 1 0 13:15 ? 00:00:00 /home/kingbase/cluster/R6HA/kha/kingbase/bin/../share/node_exporter
kingbase 23222 1 0 13:15 ? 00:00:00 /home/kingbase/cluster/R6HA/kha/kingbase/bin/../share/postgres_exporter
# 查看进程服务端口
[kingbase@node102 bin]$ netstat -antlp |grep node_export
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
tcp6 0 0 :::9100 :::* LISTEN 23221/node_exporter三、关闭和禁用node_export进程Tips:在集群中node_export进程的启动,是由bin/monitor_exporter.sh脚本管理,此脚本可以启动或关闭node_export服务。
1)在集群启动后通过monitor.sh关闭node_export
# 通过monitor.sh关闭node_export服务
[kingbase@node102 bin]$ ./monitor_exporter.sh stop
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
Service process "node_export" was killed at process 23221
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
Service process "postgres_ex" was killed at process 23222
# 查看node_export进程
[kingbase@node102 bin]$ ps -ef |grep export2)修改sys_monitor.sh禁止node_export进程启动
重启sys_monitor.sh测试:
# 重启sys_monitor.sh
[kingbase@node102 bin]$ ./sys_monitor.sh restart
2022-08-30 13:22:16 Ready to stop all DB ...
.......
2022-08-30 13:23:06 repmgrd on "[192.168.1.102]" start success.
ID | Name | Role | Status | Upstream | repmgrd | PID | Paused? | Upstream last seen
----+---------+---------+-----------+----------+---------+-------+---------+--------------------
1 | node101 | primary | * running | | running | 25688 | no | n/a
2 | node102 | standby | running | node101 | running | 28962 | no | 1 second(s) ago
[2022-08-30 13:23:13] [NOTICE] redirecting logging output to "/home/kingbase/cluster/R6HA/kha/kingbase/log/kbha.log"
[2022-08-30 13:23:14] [NOTICE] redirecting logging output to "/home/kingbase/cluster/R6HA/kha/kingbase/log/kbha.log"
2022-08-30 13:23:15 Done.
# 查看node_export进程状态
[kingbase@node102 bin]$ ps -ef |grep export
# 查看集群节点状态
[kingbase@node102 bin]$ ./repmgr cluster show
ID | Name | Role | Status | Upstream | Location | Priority | Timeline | Connection string
----+---------+---------+-----------+----------+----------+----------+----------+----------------------------------------------------------------------------------------------------------------------------------------------------
1 | node101 | primary | * running | | default | 100 | 13 | host=192.168.1.101 user=system dbname=esrep port=54321 connect_timeout=10 keepalives=1 keepalives_idle=10 keepalives_interval=1 keepalives_count=3
2 | node102 | standby | running | node101 | default | 100 | 13 | host=192.168.1.102 user=system dbname=esrep port=54321 connect_timeout=10 keepalives=1 keepalives_idle=10 keepalives_interval=1 keepalives_count=3=如上所示,node_export进程在集群启动时,没有被启动,此进程被禁用,不影响集群的正常运行和管理。=
四、总结
对于KingbaseES V8R6的集群node_export主要用于kmonitor监控服务,对于未部署此监控服务的环境,可以在集群中禁止node_export服务的启动。
376
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
