
linux学习--week18--keepalived tomc

作者: 亮仔_c1b5 | 来源:发表于2019-11-18 00:49 被阅读0次

    回顾及今日内容:
    1.整个网站权限规划

    1. 高可用服务
      2.1 keepalived 工作原理
      2.2 环境准备
      2.3 keepalived指南
      2.4 keepalived 故障 脑裂/裂脑
      2.5 keepalived高可用 基于服务器
    2. web java服务
      3.1 环境
      3.2 tomcat相关核心文件
      3.3 开启tomcat管理端
      3.4 开启tomcat远程监控功能
      3.5 server.xml
      3.6 tomcat部署应用
      3.7 Tomcat安全优化体系
      4.任务
    3. shell+git+jenkins

    1.整个网站权限规划

    • web 存储 数据库
    • web
      网站站点目录: 文件 644 目录755 root root
      网站上传目录:文件 644 目录755 www www
    • 存储
      共享用户与web用户一致 uid gid一致
      限制网段
      挂载参数nodev,noexec,nosuid (noexec只禁止直接运行该目录下的程序 php-fpm仍会解析其中的.php文件 还需要在nginx里对上传目录禁止解析php)
    • 数据库
      精确授权 wordpress all
      增删改查
      select
      insert create
      delete drop
      update alter
    [root@web01 ~]# find /html/blog/ -type f |xargs chmod 644
    [root@web01 ~]# find /html/blog/ -type d |xargs chmod 755
    [root@web01 ~]# #chown -R root.root /html/blog/
    [root@web01 ~]# umount /html/blog/wp-content/uploads/
    [root@web01 ~]# mount -t nfs -o nosuid,noexec,nodev 172.16.1.31:/data/web_uploads /html/blog/wp-content/uploads/
    

    2. 高可用服务

    • ha high Available
    • keepalived heartbeat
    • keepalived 诞生是为了给lvs做高可用 (keepalived for lvs)


      image.png

    2.1 keepalived 工作原理

    • vrrp 虚拟路由冗余协议 诞生是为公司网站网络设备做高可用 3层路由


      image.png

    2.2 环境准备

    lb01
    lb02
    web01
    web02
    #web01 web02
    curl 10.0.0.[7-8]/oldboy.html
    web01 www
    web02 www
    [root@web01 ~]# cat /etc/nginx/nginx.conf
    user nginx;
    worker_processes auto;
    error_log /var/log/nginx/error.log;
    pid /run/nginx.pid;
    include /usr/share/nginx/modules/*.conf;
    events {
    worker_connections 1024;
    }
    http {
    log_format main '$remote_addr - $remote_user
    [$time_local] "$request" '
    '$status $body_bytes_sent
    "$http_referer" '
    '"$http_user_agent"
    "$http_x_forwarded_for" $document_root';
    access_log /var/log/nginx/access.log main;
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    server {
    listen 80 ;
    server_name www.oldboy.com;
    root /html/www;
    location / {
    index index.html;
    }
    }
    server {
    server_name blog.oldboy.com;
    listen 80;
    root /html/blog;
    index index.php index.html;
    location ~ \.php$ {
    fastcgi_pass 127.0.0.1:9000;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME
    $document_root$fastcgi_script_name;
    include fastcgi_params;
    }
    }
    }
    [root@web01 ~]# cat /html/www/oldboy.html
    web01 10.0.0.7 172.16.1.7 www
    #lb01 lb02
    keepalived
    yum install -y keepalived
    nginx 负载均衡
    

    2.3 keepalived指南

    • 结构 分为3个部分
    # GLOBAL CONFIGURATION 全局定义部分
    # VRRPD CONFIGURATION vrrp实例部分 vip
    # LVS CONFIGURATION keepalived 管理lvs配置
    # keepalived.conf配置文件中 !或 #都表示注释
    ! Configuration File for keepalived
    ##全局定义
    global_defs { #全局定义部分 global definitions
    router_id lb01 #我们每个keepalived服务/软件 要有1个独
    一无二的id
    }
    ##vrrp实例 设置vip
    vrrp_instance VI_1 { #vrrp_instance 实例的名称 名称在
    同一对主备之间要一致
    state MASTER #state状态 MASTER(主 大写)
    BACKUP(备)
    interface eth0 #指定网卡
    virtual_router_id 52 #每个vrrp实例的id号 每个实例要有
    自己的id 在同一对主备中 id要一致
    priority 100 #优先级 主大于备 主100 备50
    advert_int 1 #心跳间隔 每1秒 发送1次存活状态 给
    备
    authentication { #简单认证 主备口令要一致 (PASS口令在vrrp报文中明文传输 1111只是示例值)
    auth_type PASS
    auth_pass 1111
    }
    virtual_ipaddress { #vip 通过ip命令添加的
    #10.0.0.3 #vip 阿里云HAVIP(keepalived 截止
    2018)
    10.0.0.3/24 dev eth0 label eth0:1 #被
    ifconfig识别
    }
    }
    
    image.png

    2.4 keepalived 故障 脑裂/裂脑

    image.png
    image.png

    什么时候发送报警信息?

    • 备:只要备节点有vip 就报警
    • 备VIP: 主挂了
    • 备VIP: 脑裂 (例如备节点防火墙拦截了主节点的vrrp通告 主备同时持有vip;下面用关闭firewalld来演示 生产环境应在防火墙中放行vrrp协议 而不是直接关闭防火墙)
    [root@lb02 ~]# ip a |grep 10.0.0.3
    inet 10.0.0.3/24 scope global secondary eth0:1
    [root@lb02 ~]# ip a |grep -c 10.0.0.3
    1
    [root@lb02 ~]# systemctl stop firewalld.service
    [root@lb02 ~]# ip a |grep -c 10.0.0.3
    0
    

    2.5 keepalived高可用 基于服务器

    • keepalived漂移:
      keep挂了
      断网
      nginx或某个服务挂了 目前不会漂移
    • nginx负载均衡高可用
    #给 keepalived 添加 检查脚本
    脚本:检查nginx是否运行 如果不运行 关闭keepalived
    配置keepalived调用脚本
    ##脚本:检查nginx是否运行 如果不运行 关闭keepalived
    ###第1个里程碑-命令行取出nginx服务状态
    #检查进程数量
    ps -ef |grep -c '[n]ginx'
    #检查端口数量
    ss -lntup |grep nginx
    ss -lntup |grep -c nginx
    #检查端口
    lsof -i:80
    
    image.png
    ###第2个里程碑-keepalived调用 脚本
    #####vrrp_script
    [root@lb01 /server/scripts]# cat
    /etc/keepalived/keepalived.conf
    ! Configuration File for keepalived
    # keepalived.conf as shown on lb01: two VRRP instances (VIPs 10.0.0.3 and 10.0.0.4),
    # both tracking the same health-check script.
    global_defs {
    # NOTE(review): keepalived provides the global_defs options enable_script_security and
    # script_user to control how vrrp_script commands are run; neither is set here.
    router_id lb01
    }
    # Health check executed by keepalived. The script body is not part of this listing.
    # Because keepalived runs it, the file should be owned by root and not writable by
    # any other user.
    vrrp_script chk_lb {
    script /server/scripts/chk_lb.sh
    # interval/timeout are in seconds: run every 2s, give up on a run after 10s.
    interval 2
    timeout 10
    # NOTE(review): weight 1 presumably only nudges the priority by 1; the failover described
    # in the surrounding notes relies on chk_lb.sh stopping keepalived itself - confirm.
    weight 1
    }
    # First VIP (10.0.0.3), bound to eth0 with the label eth0:1.
    vrrp_instance VI_1 {
    state MASTER
    interface eth0
    virtual_router_id 52
    priority 100
    advert_int 1
    # auth_type PASS carries auth_pass unencrypted in the VRRP advertisements, and 1111 is a
    # sample value; the peer node must be configured with the same value.
    authentication {
    auth_type PASS
    auth_pass 1111
    }
    virtual_ipaddress {
    10.0.0.3/24 dev eth0 label eth0:1
    }
    track_script {
    chk_lb
    }
    }
    # Second VIP (10.0.0.4), separate virtual_router_id (53), label eth0:2.
    # NOTE(review): this instance is also MASTER with priority 100 on lb01; if lb02 is meant to
    # own this VIP in a dual-master layout, it would normally be BACKUP with a lower priority
    # here - confirm against lb02's configuration.
    vrrp_instance VI_2 {
    state MASTER
    interface eth0
    virtual_router_id 53
    priority 100
    advert_int 1
    # Same plaintext PASS authentication and sample password as VI_1.
    authentication {
    auth_type PASS
    auth_pass 1111
    }
    virtual_ipaddress {
    10.0.0.4/24 dev eth0 label eth0:2
    }
    track_script {
    chk_lb
    }
    }
    

    3. web java服务

    • LNMP (架构) php开发
    • java开发
      jvm
      1份放在jvm中 只要机器有jvm环境 就可以运行java代码 1份
      代码处处使用 可移植性
      java virtual machine java虚拟机
      jdk jre
      jdk java development kit java 开发环境 jdk ~ jre + 开
      发工具
      jre java runtime environment java运行环境
      java代码容器
      tomcat
      resin
      weblogic (配合oracle数据库 )

    3.1 环境

    • web01 db01 nfs01
    • jdk
      jdk (oracle)
      openjdk
    • tomcat
    • 准备jdk环境


      image.png
      image.png
    • jdk 环境准备
    [root@web01 /app/tools]# tar xf jdk-8u60-linux-x64.tar.gz -C /app/
    [root@web01 /app/tools]#
    [root@web01 /app/tools]# ln -s /app/jdk1.8.0_60/ /app/jdk
    [root@web01 /app/tools]# ll -d /app/jdk
    lrwxrwxrwx 1 root root 17 Nov 17 14:46 /app/jdk ->
    /app/jdk1.8.0_60/
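    # Append the JDK environment to /etc/profile so every login shell finds java.
    # The delimiter is quoted ('EOF'), so $JAVA_HOME and $PATH are written literally
    # and only expanded when /etc/profile is sourced.
    # Each export must stay on one line: a wrapped CLASSPATH line would split
    # $JAVA_HOME in the middle and leave a bare "export" behind.
    # Running this more than once appends the same three lines again.
    # NOTE(review): the leading "." in CLASSPATH puts the current working directory
    # on the class path of every shell that sources this file.
    cat >>/etc/profile<<'EOF'
    export JAVA_HOME=/app/jdk
    export PATH=$JAVA_HOME/bin:$JAVA_HOME/jre/bin:$PATH
    export CLASSPATH=.:$JAVA_HOME/lib:$JAVA_HOME/jre/lib:$JAVA_HOME/lib/tools.jar
    EOF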
    [root@web01 /app/tools]# . /etc/profile
    [root@web01 /app/tools]# java -version
    java version "1.8.0_60"
    Java(TM) SE Runtime Environment (build 1.8.0_60-b27)
    Java HotSpot(TM) 64-Bit Server VM (build 25.60-b23,
    mixed mode)
    
    • tomcat环境准备
    [root@web01 /app/tools]# tar xf apache-tomcat-8.0.27.tar.gz -C /app/
    [root@web01 /app/tools]# ln -s /app/apache-tomcat-8.0.27/ /app/tomcat
    [root@web01 /app/tools]# /app/tomcat/bin/version.sh
    Using CATALINA_BASE: /app/tomcat
    Using CATALINA_HOME: /app/tomcat
    Using CATALINA_TMPDIR: /app/tomcat/temp
    Using JRE_HOME: /app/jdk
    Using CLASSPATH:
    /app/tomcat/bin/bootstrap.jar:/app/tomcat/bin/tomcatjuli.
    jar
    Server version: Apache Tomcat/8.0.27
    Server built: Sep 28 2015 08:17:25 UTC
    Server number: 8.0.27.0
    OS Name: Linux
    OS Version: 3.10.0-957.el7.x86_64
    Architecture: amd64
    JVM Version: 1.8.0_60-b27
    JVM Vendor: Oracle Corporation
    
    • tomcat启动与检查
    [root@web01 /app/tools]# /app/tomcat/bin/startup.sh
    Using CATALINA_BASE: /app/tomcat
    Using CATALINA_HOME: /app/tomcat
    Using CATALINA_TMPDIR: /app/tomcat/temp
    Using JRE_HOME: /app/jdk
    Using CLASSPATH:
    /app/tomcat/bin/bootstrap.jar:/app/tomcat/bin/tomcatjuli.
    jar
    Tomcat started.
    [root@web01 /app/tools]# ss -lntup |grep tomcat
    [root@web01 /app/tools]# ps -ef |grep java
    root 8730 1 13 15:00 pts/0 00:00:03
    /app/jdk/bin/java -
    Djava.util.logging.config.file=/app/tomcat/conf/loggin
    g.properties -
    Djava.util.logging.manager=org.apache.juli.ClassLoader
    LogManager -Djava.endorsed.dirs=/app/tomcat/endorsed -
    classpath
    /app/tomcat/bin/bootstrap.jar:/app/tomcat/bin/tomcatjuli.
    jar -Dcatalina.base=/app/tomcat -
    Dcatalina.home=/app/tomcat -
    Djava.io.tmpdir=/app/tomcat/temp
    org.apache.catalina.startup.Bootstrap start
    root 8761 8516 0 15:00 pts/0 00:00:00 grep
    --color=auto java
    [root@web01 /app/tools]# ss -lntup |grep java
    tcp LISTEN 0 100 :::8009
    :::* users:
    (("java",pid=8730,fd=51))
    tcp LISTEN 0 100 :::8080
    :::* users:
    (("java",pid=8730,fd=46))
    tcp LISTEN 0 1 ::ffff:127.0.0.1:8005
    :::* users:
    (("java",pid=8730,fd=76))
    
    image.png

    3.2 tomcat相关核心文件

    [root@web01 /app/tools]# ll /app/tomcat/
    total 92
    drwxr-xr-x 2 root root 4096 Nov 17 14:59 bin
    drwxr-xr-x 3 root root 198 Nov 17 15:00 conf
    drwxr-xr-x 2 root root 4096 Nov 17 14:59 lib
    -rw-r--r-- 1 root root 57011 Sep 28 2015 LICENSE
    drwxr-xr-x 2 root root 197 Nov 17 15:00 logs
    -rw-r--r-- 1 root root 1444 Sep 28 2015 NOTICE
    -rw-r--r-- 1 root root 6741 Sep 28 2015 RELEASENOTES
    -rw-r--r-- 1 root root 16204 Sep 28 2015 RUNNING.txt
    drwxr-xr-x 2 root root 30 Nov 17 14:59 temp
    drwxr-xr-x 7 root root 81 Sep 28 2015 webapps
    drwxr-xr-x 3 root root 22 Nov 17 15:00 work
    
    tomcat
    目录
    核心内容
    bin tomcat管理命令
    startup.sh
    shutdown.sh
    catalina.sh #核心脚本 startup
    shutdown 都会调用
    #修改 tomcat启动参数 (开启
    tomcat远程监控功能) (跳转jvm参
    数)
    conf server.xml #tomcat主配置文件
    nginx.conf
    web.xml #补充 额外配置
    tomcat-users.xml #配置tomcat管理端的用户
    logs catalina.out #tomcat最全日志
    startup app启动时间.
    切割后内容默认不会被清空
    1s=1000ms
    1ms=1000us
    1us=1000ns
    catalina.2019-11-17.log
    #catalina.out切割日志
    localhost_access_log.2019-11-
    17.txt #tomcat访问日志
    webapps 站点目录

    3.3 开启tomcat管理端

    [root@web01 /app/tomcat/conf]# cat tomcat-users.xml
    <?xml version='1.0' encoding='utf-8'?>
    <!-- conf/tomcat-users.xml: declares the roles and the single account used to log in to
         the Tomcat management web pages. -->
    <tomcat-users xmlns="http://tomcat.apache.org/xml"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://tomcat.apache.org/xml
    tomcat-users.xsd"
    version="1.0">
    <!-- Roles granted to the account below. -->
    <role rolename="admin-gui"/>
    <role rolename="manager-gui"/>
    <role rolename="host-gui"/>
    <!-- NOTE(review): username and password are both "tomcat", a trivially guessable pair.
         manager-gui lets its holder deploy web applications, so this account needs a strong,
         unique password, and access to the management pages should be limited to
         administrator addresses. -->
    <user username="tomcat" password="tomcat"
    roles="admin-gui,manager-gui,host-gui"/>
    </tomcat-users>
    

    3.4 开启tomcat远程监控功能

    • zabbix监控tomcat准备
    1. 开启tomcat远程监控功能
    2. zabbix 服务端 安装java gateway
    3. 监控 tomcat获取数据
    • 开启tomcat远程监控功能
    # catalina.sh
    [root@web01 /app/tomcat/logs]# ps -ef |grep java
    root 9021 1 0 15:49 pts/1 00:00:06
    /app/jdk/bin/java -
    Djava.util.logging.config.file=/app/tomcat/conf/loggin
    g.properties -
    Djava.util.logging.manager=org.apache.juli.ClassLoader
    LogManager -Djava.endorsed.dirs=/app/tomcat/endorsed -
    classpath
    /app/tomcat/bin/bootstrap.jar:/app/tomcat/bin/tomcatjuli.
    jar -Dcatalina.base=/app/tomcat -
    Dcatalina.home=/app/tomcat -
    Djava.io.tmpdir=/app/tomcat/temp
    org.apache.catalina.startup.Bootstrap start
    root 9110 8543 0 16:00 pts/1 00:00:00 grep
    --color=auto java
    # Added to catalina.sh: appends the JMX remote-monitoring flags to the options passed
    # to the Tomcat JVM (they show up on the java command line in the ps output).
    # NOTE(review): authenticate=false and ssl=false mean anyone who can reach port 12345
    # gets full, unencrypted JMX access to this JVM, and the ss output shows the port
    # listening on all addresses. Outside an isolated lab, set authenticate=true with
    # com.sun.management.jmxremote.password.file / com.sun.management.jmxremote.access.file,
    # and firewall the port so only the zabbix java gateway can connect.
    # The extra high ports in the ss output are presumably the RMI ports JMX opens;
    # com.sun.management.jmxremote.rmi.port can pin one so it can be firewalled - confirm.
    CATALINA_OPTS="$CATALINA_OPTS
    -Dcom.sun.management.jmxremote
    -Dcom.sun.management.jmxremote.port=12345
    -Dcom.sun.management.jmxremote.authenticate=false
    -Dcom.sun.management.jmxremote.ssl=false
    -Djava.rmi.server.hostname=10.0.0.7"
    CATALINA_OPTS="$CATALINA_OPTS #CATALINA_OPTS
    tomcat运行的参数
    -Dcom.sun.management.jmxremote #jmxremote 开启tomcat
    远程监控功能
    -Dcom.sun.management.jmxremote.port=12345 #tomcat远程
    监控端口
    -Dcom.sun.management.jmxremote.authenticate=false #远程监控认证 false表示连接时不需要用户名密码
    -Dcom.sun.management.jmxremote.ssl=false #https false表示连接不加密
    -Djava.rmi.server.hostname=10.0.0.7" #本地的ip地址
    /app/jdk/bin/java -
    Djava.util.logging.config.file=/app/tomcat/conf/loggin
    g.properties -
    Djava.util.logging.manager=org.apache.juli.ClassLoader
    LogManager -Dcom.sun.management.jmxremote -
    Dcom.sun.management.jmxremote.port=12345 -
    Dcom.sun.management.jmxremote.authenticate=false -
    Dcom.sun.management.jmxremote.ssl=false -
    Djava.rmi.server.hostname=10.0.0.7 -
    Djava.endorsed.dirs=/app/tomcat/endorsed -classpath
    /app/tomcat/bin/bootstrap.jar:/app/tomcat/bin/tomcatjuli.
    jar -Dcatalina.base=/app/tomcat -
    Dcatalina.home=/app/tomcat -
    Djava.io.tmpdir=/app/tomcat/temp
    org.apache.catalina.startup.Bootstrap start
    /app/jdk/bin/java
    -
    Djava.util.logging.config.file=/app/tomcat/conf/loggin
    g.properties
    -
    Djava.util.logging.manager=org.apache.juli.ClassLoader
    LogManager
    -Dcom.sun.management.jmxremote
    -Dcom.sun.management.jmxremote.port=12345
    -Dcom.sun.management.jmxremote.authenticate=false
    -Dcom.sun.management.jmxremote.ssl=false
    -Djava.rmi.server.hostname=10.0.0.7
    -Djava.endorsed.dirs=/app/tomcat/endorsed
    -classpath
    /app/tomcat/bin/bootstrap.jar:/app/tomcat/bin/tomcatjuli.
    jar
    -Dcatalina.base=/app/tomcat -
    Dcatalina.home=/app/tomcat
    -Djava.io.tmpdir=/app/tomcat/temp
    org.apache.catalina.startup.Bootstrap
    start
    [root@web01 /app/tomcat/logs]# ss -lntup |grep java
    tcp LISTEN 0 100 :::8009
    :::* users:
    (("java",pid=9239,fd=54))
    tcp LISTEN 0 100 :::8080
    :::* users:
    (("java",pid=9239,fd=50))
    tcp LISTEN 0 50 :::38547
    :::* users:
    (("java",pid=9239,fd=21))
    tcp LISTEN 0 50 :::41589
    :::* users:
    (("java",pid=9239,fd=19))
    tcp LISTEN 0 50 :::12345
    :::* users:
    (("java",pid=9239,fd=20))
    tcp LISTEN 0 1 ::ffff:127.0.0.1:8005
    :::* users:
    (("java",pid=9239,fd=78))
    
    • windows安装 jdk 进行连接12345端口
    windows下面 通过everything jconsole.exe
    C:\Program Files\Java\jdk1.8.0_31\bin\jconsole.exe
    
    image.png
    image.png
    image.png

    3.5 server.xml

    <?xml version='1.0' encoding='utf-8'?>
    <Server port="8005" shutdown="SHUTDOWN">
    #8005
    #8080
    #8009
    # tomcat 管理功能 相关配置
    <GlobalNamingResources>
    <Resource name="UserDatabase" auth="Container"
    type="org.apache.catalina.UserDatabase"
    description="User database that can be
    updated and saved"
    factory="org.apache.catalina.users.MemoryUserDatabase
    Factory"
    pathname="conf/tomcat-users.xml" />
    </GlobalNamingResources>
    #tomcat web端口
    <Connector port="8080" protocol="HTTP/1.1"
    connectionTimeout="20000"
    redirectPort="8443" />
    #8009
    ## 与apache进行沟通 端口 (AJP协议) 本文前端用的是nginx 用不到时建议注释掉这个Connector 或用address属性只监听127.0.0.1
    <Connector port="8009" protocol="AJP/1.3"
    redirectPort="8443" />
    #tomcat虚拟主机 配置
    #name === nginx server_name
    #appBase === nginx root
    #unpackWARs 自动解压
    #autoDeploy 自动部署
    <Host name="localhost" appBase="webapps"
    unpackWARs="true" autoDeploy="true">
    <Valve
    className="org.apache.catalina.valves.AccessLogValve"
    directory="logs"
    prefix="localhost_access_log"
    suffix=".txt"
    pattern="%h %l %u %t &quot;%r&quot; %s
    %b" />
    </Host>
    

    Tomcat Connector(Tomcat连接器)有bio、nio、apr三种运行模式。

    • bio(blocking I/O)是指阻塞式I/O操作,Tomcat在默认情况下就是以bio
      模式运行的(指Tomcat 7及更早版本,Tomcat 8起HTTP连接器默认为nio)。这可以从守护线程的信息看出来。
    • nio(non-blocking I/O)是非阻塞I/O操作。nio是一个基于缓冲区并能提
      供非阻塞I/O操作的Java API,它拥有比bio更好的并发运行性能
    • apr(Apache portable Run-time libraries/Apache可移植运行库)是
      Apache HTTP服务器的支持库。
    <Server port="8005"
    shutdown="SHUTDOWN">
    shutdown端口
    连接到8005 输入暗号(暗号就是shutdown属性的值 默认是SHUTDOWN)
    tomcat关闭
    该端口默认只监听127.0.0.1 建议把暗号改成不易猜到的字符串 或把port设为-1关闭这个端口

    3.6 tomcat部署应用

    • wordpress.zip
    • war 包 相当于是zip压缩包 需要包war包放在 tomcat webapps下面
      运行
    • jar 包 直接运行 java -jar xxxx.jar
    • war包
    select,insert,create,delete,drop,update,alter #精确授权时可选的权限 下面的grant all和口令12345仅用于练习环境 正式环境按需授权并使用强口令
    create database jpress charset utf8;
    grant all on jpress.* to 'jpress'@'172.16.1.%'
    identified by '12345';
    

    http://10.0.0.7:8080/jpress/ #用户访问
    http://10.0.0.7:8080/jpress/admin #后台

    • jar

    3.7 Tomcat安全优化体系

    4.任务

    • heartbeat
    • 部署java应用 jira
    • 完成综合架构图 绘制


      老男孩教育-期末架构-v2.0.jpg

    5. shell+git+jenkins
