mysql-centos7安装mysql自动化运维平台
码云地址(forked from 烂泥行天下/archer)
https://gitee.com/jiaminxu/archer
docker 地址分别如下
https://dev.aliyun.com/detail.html?spm=5176.1972343.2.12.7b475aaaLiCfMf&repoId=142093
https://dev.aliyun.com/detail.html?spm=5176.1972343.2.38.XtXtLh&repoId=142147
1 安装docker
#yum install报错:Another app is currently holding the yum lock; waiting for it to exit...
#解决:yum被锁定了,rm -rf /var/run/yum.pid 强制杀死进程来解决
yum install -y yum-utils device-mapper-persistent-data lvm2
yum-config-manager --add-repo http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
yum makecache fast
yum -y install docker-ce
service docker start
#设置docker开机自启动
systemctl enable docker
2 pull 所需镜像
docker pull registry.cn-hangzhou.aliyuncs.com/lihuanhuan/archer
docker pull registry.cn-hangzhou.aliyuncs.com/lihuanhuan/inception
#下载完之后查看镜像
docker images
3 创建配置文件/etc/inc.cnf
#10.6.11.199替换为192.168.92.111
cat >>/etc/inc.cnf<<EOF
[inception]
general_log=1
general_log_file=inception.log
port=6669
socket=/tmp/inc.socket
character-set-client-handshake=0
character-set-server=utf8
#备份库信息
inception_remote_system_password=Hangzhou@123
inception_remote_system_user=root
inception_remote_backup_port=3306
inception_remote_backup_host=192.168.92.111
inception_support_charset=utf8,utf8mb4
inception_enable_nullable=0
inception_check_primary_key=1
inception_check_column_comment=1
inception_check_table_comment=1
inception_osc_on=OFF
inception_osc_bin_dir=/usr/bin
inception_osc_min_table_size=1
inception_osc_chunk_time=0.1
inception_enable_blob_type=1
inception_check_column_default_value=1
EOF
#指定配置文件和端口启动
docker run --name inception -v /etc/inc.cnf:/etc/inc.cnf -p 6669:6669 -dti registry.cn-hangzhou.aliyuncs.com/lihuanhuan/inception
#启动inspection
docker start inception
4 安装mysql5.7
#Docker安装MySQL5.7
docker pull mysql:5.7
docker images
#先让容器在后台运行,并取个别名为mysql5.7,此时还没有修改配置文件
docker run --name mysql5.7 -e MYSQL_ROOT_PASSWORD=Hangzhou@123 -d mysql:5.7
docker ps
#查看容器内部的配置文件:conf.d my.cnf my.cnf.fallback mysql.cnf mysql.conf.d
docker exec mysql5.7 ls /etc/mysql
#进入容器终端
docker exec -it mysql5.7 /bin/bash
#进入mysql终端,并输入密码
mysql -uroot -pHangzhou@123
grant all privileges on *.* to root@'%' identified by 'Hangzhou@123';
flush privileges;
quit;
exit
#在宿主机创建配置文件目录
mkdir -p /root/mysql5.7/conf
#复制容器内部的配置文件到宿主机
docker cp -a mysql5.7:/etc/mysql/ /root/mysql5.7/conf
#在宿主机创建数据目录
mkdir /root/mysql5.7/data
#赋予宿主机/root/mysql5.7目录最高读写权限
chmod -R 777 /root/mysql5.7
#删除mysql5.7容器,-f参数是强制删除运行中的容器
docker rm -f mysql5.7
#重新运行容器,映射端口,并挂载配置文件、数据文件,设置账号密码,并设置编码方式为UTF-8
docker run --restart=always -p 3306:3306 --name mysql5.7 -v /root/mysql5.7/conf:/etc/mysql -v /root/mysql5.7/data:/var/lib/mysql -e MYSQL_ROOT_PASSWORD=Hangzhou@123 -d mysql:5.7 --character-set-server=utf8mb4 --collation-server=utf8mb4_unicode_ci
#开放宿主机防火墙3306端口
firewall-cmd --zone=public --add-port=3306/tcp --permanent
firewall-cmd --reload
mysql5.7安装完毕之后 创建django初始化的/etc/settings.py
红色标注为需要根据自身服务器修改的地方 如果出现报错 注意配置中间是否有多余空行
vi /etc/settings.py
# -*- coding: UTF-8 -*-
"""
Django settings for archer project.
Generated by 'django-admin startproject' using Django 1.8.17.
For more information on this file, see
https://docs.djangoproject.com/en/1.8/topics/settings/
For the full list of settings and their values, see
https://docs.djangoproject.com/en/1.8/ref/settings/
"""
# Build paths inside the project like this: os.path.join(BASE_DIR, ...)
import os
import pymysql
pymysql.install_as_MySQLdb()
BASE_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
# Quick-start development settings - unsuitable for production
# See https://docs.djangoproject.com/en/1.8/howto/deployment/checklist/
# SECURITY WARNING: keep the secret key used in production secret!
SECRET_KEY = 'hfusaf2m4ot#7)fkw#di2bu6(cv0@opwmafx5n#6=3d%x^hpl6'
# SECURITY WARNING: don't run with debug turned on in production!
DEBUG = True
ALLOWED_HOSTS = ['*']
# 解决nginx部署跳转404
USE_X_FORWARDED_HOST = True
# Application definition
INSTALLED_APPS = (
'django_admin_bootstrapped',
'django.contrib.admin',
'django.contrib.auth',
'django.contrib.contenttypes',
'django.contrib.sessions',
'django.contrib.messages',
'django.contrib.staticfiles',
'django_apscheduler',
'sql',
)
MIDDLEWARE_CLASSES = (
'django.contrib.sessions.middleware.SessionMiddleware',
'django.middleware.common.CommonMiddleware',
'django.middleware.csrf.CsrfViewMiddleware',
'django.contrib.auth.middleware.AuthenticationMiddleware',
'django.contrib.auth.middleware.SessionAuthenticationMiddleware',
'django.contrib.messages.middleware.MessageMiddleware',
'django.middleware.clickjacking.XFrameOptionsMiddleware',
'django.middleware.security.SecurityMiddleware',
'sql.check_login_middleware.CheckLoginMiddleware',
'sql.exception_logging_middleware.ExceptionLoggingMiddleware',
)
ROOT_URLCONF = 'archer.urls'
TEMPLATES = [
{
'BACKEND': 'django.template.backends.django.DjangoTemplates',
'DIRS': [os.path.join(BASE_DIR, 'sql/static')],
'APP_DIRS': True,
'OPTIONS': {
'context_processors': [
'django.template.context_processors.debug',
'django.template.context_processors.request',
'django.contrib.auth.context_processors.auth',
'django.contrib.messages.context_processors.messages',
'sql.processor.global_info',
],
},
},
]
WSGI_APPLICATION = 'archer.wsgi.application'
# Internationalization
# https://docs.djangoproject.com/en/1.8/topics/i18n/
LANGUAGE_CODE = 'zh-hans'
TIME_ZONE = 'Asia/Shanghai'
USE_I18N = True
USE_TZ = False
# 时间格式化
USE_L10N = False
DATETIME_FORMAT = 'Y-m-d H:i:s'
DATE_FORMAT = 'Y-m-d'
# Static files (CSS, JavaScript, Images)
# https://docs.djangoproject.com/en/1.8/howto/static-files/
STATIC_URL = '/static/'
STATIC_ROOT = os.path.join(BASE_DIR, 'static')
# 扩展django admin里users字段用到,指定了sql/models.py里的class users
AUTH_USER_MODEL = "sql.users"
###############以下部分需要用户根据自己环境自行修改###################
# session 设置
SESSION_COOKIE_AGE = 60 * 30 # 30分钟
SESSION_SAVE_EVERY_REQUEST = True
SESSION_EXPIRE_AT_BROWSER_CLOSE = True # 关闭浏览器,则COOKIE失效
# Database
# https://docs.djangoproject.com/en/1.8/ref/settings/#databases
# 该项目本身的mysql数据库地址
DATABASES = {
'default': {
'ENGINE': 'django.db.backends.mysql',
'NAME': 'archer_github',
'USER': 'root',
'PASSWORD': 'Hangzhou@123',
'HOST': '192.168.92.111',
'PORT': '3306'
}
}
# inception组件所在的地址
INCEPTION_HOST = '192.168.92.111'
INCEPTION_PORT = '6669'
# 查看回滚SQL时候会用到,这里要告诉archer去哪个mysql里读取inception备份的回滚信息和SQL.
# 注意这里要和inception组件的inception.conf里的inception_remote_XX部分保持一致.
INCEPTION_REMOTE_BACKUP_HOST = '192.168.92.111'
INCEPTION_REMOTE_BACKUP_PORT = 3306
INCEPTION_REMOTE_BACKUP_USER = 'inception'
INCEPTION_REMOTE_BACKUP_PASSWORD = 'inception'
# 账户登录失败锁定时间(秒)
LOCK_TIME_THRESHOLD = 300
# 账户登录失败 几次 锁账户
LOCK_CNT_THRESHOLD = 5
# LDAP
ENABLE_LDAP = False
if ENABLE_LDAP:
import ldap
# from django_auth_ldap.config import LDAPSearch, GroupOfNamesType
from django_auth_ldap.config import LDAPSearch, GroupOfUniqueNamesType
AUTHENTICATION_BACKENDS = (
'django_auth_ldap.backend.LDAPBackend', # 配置为先使用LDAP认证,如通过认证则不再使用后面的认证方式
'django.contrib.auth.backends.ModelBackend', # sso系统中手动创建的用户也可使用,优先级靠后。注意这2行的顺序
)
# if use self signed certificate, Remove AUTH_LDAP_GLOBAL_OPTIONS annotations
# AUTH_LDAP_GLOBAL_OPTIONS={
# ldap.OPT_X_TLS_REQUIRE_CERT: ldap.OPT_X_TLS_NEVER
# }
AUTH_LDAP_BIND_DN = "cn=xx,dc=xx,dc=xx"
AUTH_LDAP_BIND_PASSWORD = "xx"
AUTH_LDAP_SERVER_URI = "ldap://ldap.xx.com"
AUTH_LDAP_BASEDN = "dc=xx,dc=xx"
AUTH_LDAP_USER_DN_TEMPLATE = "cn=%(user)s,ou=xx,dc=xx,dc=xx"
AUTH_LDAP_GROUP_SEARCH = LDAPSearch("ou=xx,dc=xx,dc=xx",
ldap.SCOPE_SUBTREE, "(objectClass=groupOfUniqueNames)"
)
AUTH_LDAP_GROUP_TYPE = GroupOfUniqueNamesType()
AUTH_LDAP_ALWAYS_UPDATE_USER = True # 每次登录从ldap同步用户信息
AUTH_LDAP_USER_ATTR_MAP = { # key为archer.sql_users字段名,value为ldap中字段名,用于同步用户信息
"username": "xx",
"display": "xx",
"email": "xx"
}
# AUTH_LDAP_MIRROR_GROUPS = True # 直接把ldap的组复制到django一份,和AUTH_LDAP_FIND_GROUP_PERMS互斥.用户每次登录会根据ldap来更新数据库的组关系
# AUTH_LDAP_FIND_GROUP_PERMS = True # django从ldap的组权限中获取权限,这种方式,django自身不创建组,每次请求都调用ldap
# AUTH_LDAP_CACHE_GROUPS = True # 如打开FIND_GROUP_PERMS后,此配置生效,对组关系进行缓存,不用每次请求都调用ldap
# AUTH_LDAP_GROUP_CACHE_TIMEOUT = 600 # 缓存时间
# 开启以下配置注释,可以帮助调试ldap集成
LDAP_LOGS = '/tmp/ldap.log'
DEFAULT_LOGS = '/tmp/default.log'
stamdard_format = '[%(asctime)s][%(threadName)s:%(thread)d]' +
'[task_id:%(name)s][%(filename)s:%(lineno)d] ' +
'[%(levelname)s]- %(message)s'
LOGGING = {
'version': 1,
'disable_existing_loggers': False,
'formatters': {
'standard': { # 详细
'format': stamdard_format
},
},
'handlers': {
'default': {
'level': 'DEBUG',
'class': 'logging.handlers.RotatingFileHandler',
'filename': DEFAULT_LOGS,
'maxBytes': 1024 * 1024 * 100, # 5 MB
'backupCount': 5,
'formatter': 'standard',
},
'ldap': {
'level': 'DEBUG',
'class': 'logging.handlers.RotatingFileHandler',
'filename': LDAP_LOGS,
'maxBytes': 1024 * 1024 * 100, # 5 MB
'backupCount': 5,
'formatter': 'standard',
},
'console': {
'level': 'DEBUG',
'class': 'logging.StreamHandler',
}
},
'loggers': {
'default': { # default日志,存放于log中
'handlers': ['default'],
'level': 'DEBUG',
},
# 'django.db': { # 打印SQL语句到console,方便开发
# 'handlers': ['console'],
# 'level': 'DEBUG',
# 'propagate': False,
# },
'django.request': { # 打印错误堆栈信息到console,方便开发
'handlers': ['console'],
'level': 'DEBUG',
'propagate': False,
},
'django_auth_ldap': { # django_auth_ldap模块相关日志打印到console
'handlers': ['ldap'],
'level': 'DEBUG',
'propagate': True, # 选择关闭继承,不然这个logger继承自默认,日志就会被记录2次了(''一次,自己一次)
}
}
}
# 是否开启邮件提醒功能:发起SQL上线后会发送邮件提醒审核人审核,执行完毕会发送给DBA. on是开,off是关,配置为其他值均会被archer认为不开启邮件功能
MAIL_ON_OFF = 'off'
MAIL_SSL = False # 是否使用SSL
MAIL_REVIEW_SMTP_SERVER = 'mail.xxx.com'
MAIL_REVIEW_SMTP_PORT = 25
MAIL_REVIEW_FROM_ADDR = 'archer@xxx.com' # 发件人,也是登录SMTP server需要提供的用户名
MAIL_REVIEW_FROM_PASSWORD = '' # 发件人邮箱密码,如果为空则不需要login SMTP server
# 是否过滤【DROP DATABASE】|【DROP TABLE】|【TRUNCATE PARTITION】|【TRUNCATE TABLE】等高危DDL操作:
# on是开,会首先用正则表达式匹配sqlContent,如果匹配到高危DDL操作,则判断为“自动审核不通过”;off是关,直接将所有的SQL语句提交给inception,对于上述高危DDL操作,只备份元数据
CRITICAL_DDL_ON_OFF = 'off'
# 是否开启SQL查询功能,关闭会隐藏菜单和相关功能
QUERY = True
# 当inception语法树打印失败时在线查询的结果控制,建议修改inception变量inception_enable_select_star=OFF,否则select * 会报错
# True是开启校验,失败不允许继续执行并返回错,
# False是关闭校验,继续执行,关闭校验会导致解析失败的查询表权限验证和脱敏功能失效
CHECK_QUERY_ON_OFF = True
# 是否开启动态脱敏查询,采取正则遍历处理结果集的方式,会影响部分查询效率
DATA_MASKING_ON_OFF = True
# 管理员在线查询的结果集限制
ADMIN_QUERY_LIMIT = 5000
# 是否开启慢日志管理,关闭会隐藏菜单和相关功能
SLOWQUERY = False
# sqladvisor的路径配置,如'/opt/SQLAdvisor/sqladvisor/sqladvisor',''代表关闭,隐藏菜单和相关功能
SQLADVISOR = '/opt/SQLAdvisor/sqladvisor/sqladvisor'
# 是否开启AliYunRDS管理
ALIYUN_RDS_MANAGE = False
5 创建一个archer_github的数据库
#我用的编码格式utf8mb4_bin
create database archer_github character set utf8mb4 collate utf8mb4_bin;
#在mysql中执行如下sql 否则回滚sql时 会提示inception账号的一系列问题哦
grant all privileges on *.* to 'inception'@'%' identified by 'inception' with grant option;
flush privileges;
创建完数据库之后 运行容器
#docker rm 67fbcb242d09 删除已存在容器 按CONTAINER ID
docker run --name archer -v /etc/settings.py:/opt/archer/archer/settings.py -e NGINX_PORT=9123 -p 9123:9123 -dti registry.cn-hangzhou.aliyuncs.com/lihuanhuan/archer:latest
#报错:
docker: Error response from daemon: driver failed programming external connectivity on endpoint archer (67a3a5c01bb71ecbd0a951687d80f0993248bfcc5396634f0096795f344b1576): (iptables failed: iptables --wait -t nat -A DOCKER -p tcp -d 0/0 --dport 9123 -j DNAT --to-destination 172.17.0.4:9123 ! -i docker0: iptables: No chain/target/match by that name.
(exit status 1)).
解决:
systemctl stop firewalld
systemctl restart docker
docker rm archer
docker run --name archer -v......
6 进入容器 执行初始化命令
docker exec -ti archer /bin/bash
cd /opt/archer
source /opt/venv4archer/bin/activate
修改 archer/settings.py 修改其中 数据库的地址及账号密码 否则makemigrations会报错
不知道为什么挂载进来的settings.py没有替换原来文件夹中的settings.py 2个文件同时存在
python3 manage.py makemigrations sql
#输出如下:
Migrations for 'sql':
0001_initial.py:
- Create model SlowQuery
- Create model SlowQueryHistory
- Create model users
- Create model AliyunAccessKey
- Create model AliyunRdsConfig
- Create model DataMaskingColumns
- Create model DataMaskingRules
- Create model master_config
- Create model QueryLog
- Create model QueryPrivileges
- Create model QueryPrivilegesApply
- Create model slave_config
- Create model workflow
- Create model WorkflowAudit
- Create model WorkflowAuditDetail
- Create model WorkflowAuditSetting
- Alter unique_together for workflowaudit (1 constraint(s))
- Add field cluster_name to aliyunrdsconfi
python3 manage.py migrate
#输出如下:
Operations to perform:
Synchronize unmigrated apps: messages, django_admin_bootstrapped, staticfiles
Apply all migrations: auth, sql, contenttypes, sessions, admin, django_apscheduler
Synchronizing apps without migrations:
Creating tables...
Running deferred SQL...
Installing custom SQL...
Running migrations:
Rendering model states... DONE
Applying contenttypes.0001_initial... OK
Applying contenttypes.0002_remove_content_type_name... OK
Applying auth.0001_initial... OK
Applying auth.0002_alter_permission_name_max_length... OK
Applying auth.0003_alter_user_email_max_length... OK
Applying auth.0004_alter_user_username_opts... OK
Applying auth.0005_alter_user_last_login_null... OK
Applying auth.0006_require_contenttypes_0002... OK
Applying sql.0001_initial... OK
Applying admin.0001_initial... OK
Applying django_apscheduler.0001_initial... OK
Applying django_apscheduler.0002_auto_20180412_0758... OK
Applying sessions.0001_initial... OK
# 创建管理员账号:django用户,用来创建新用户和添加数据库
#输入Username: django,密码相同,邮箱为qq
python3 manage.py createsuperuser
#创建完毕 查看容器状态
#推出初始化环境venv4archer
exit
docker ps -a
7 关闭防火墙或添加防火墙规则访问
申请发布sql工单流程
普通用户登录http://10.6.11.199:9123
create database test character set utf8mb4 collate utf8mb4_bin;
alter table test.test add PRIMARY key(id);
create table test.test(id int,name varchar(200));
insert into test.test select 1,'n1';
insert into test.test select 2,'n2';
select * from test.test where id=2;
update test.test set name='nn22' where id=2;
输入你要执行的sql
审批人账号收到邮件
用审批人账号登录
审核通过
DBA账号收到邮件
用DBA账号登录
执行
回滚同理
如果需要加入阿里云RDS修改配置文件settings.py
也可以加上邮件通知
重启archer 的docker服务 就可以了
测试回滚功能
审核并执行
执行成功
查看数据库中备份
提交回滚请求 需要检测之后提交
切换dba账号执行回滚
回滚成功
邮件也收到了 只不过我为了测试 邮件通知人 都是自己
需要修改的话直接在 后台数据管理 中修改
如果数据库名太长的话 会报错
Global environment error
The backup dbname 'rm-bp1570xxxfo.mysql.rds.aliyuncs.com-3306- lse_home_prod ' is too long.
原因是RDS库名+端口+数据库名太长了 超过了mysql 的information_schema中字段的值64
所以库名不要超过11字节 就不会报上述错误了(sql错误请忽略 我就是拿来演示的)
要不就ping一下阿里云的RDS地址 把RDS地址换成ip即可
在工单界面 也是看不到具体ip的
再安装一个80端口的nginx 解析到docker的9123的nginx 端口
只需要添加下面一条设置即可
把9123 80 3306 6669端口加入防火墙 并reload
firewall-cmd --zone=public --add-port=80/tcp --permanent
firewall-cmd --zone=public --add-port=9123/tcp --permanent
firewall-cmd --zone=public --add-port=3306/tcp --permanent
firewall-cmd --zone=public --add-port=6669/tcp --permanent
firewall-cmd --reload
如果你的sql 比较大,可能会报错
修改archer 容器里nginx配置中client_max_body_size
设置大一点就可以了
加入ldap 由于之前搭建的服务器是没有介入内网ldap的 配置ldap的时候就一模一样再装了一遍
不过我的ou带有空格 cn带有空格所以自己重新配置了用“”把字段括起来了
红色框框处需要自行根据ou进行修改
可以先安装ldapsearch 测试
yum install -y openldap-servers openldap-clients migrationtools
ldapsearch -x -W -h 172.16.5.1 -p 389 -b "dc=tiansoft,dc=com" -D "cn=Jiamin Xu(Hugo),ou=FTE,ou=Domain Users,dc=tiansoft,dc=com"
至此mysql自动化运维平台已经搭建完毕 配置方面请根据个人需求配置。