Host IP | Hostname |
---|---|
10.0.0.91 | elk91 |
10.0.0.92 | elk92 |
10.0.0.93 | elk93 |
Nacos standalone deployment with the built-in database
1. Download and extract Nacos
[root@elk91 ~]# wget https://github.com/alibaba/nacos/releases/download/2.5.1/nacos-server-2.5.1.tar.gz
[root@elk91 ~]# tar xf nacos-server-2.5.1.tar.gz -C /usr/local
2. Start Nacos in standalone mode
[root@elk91 ~]# /usr/local/nacos/bin/startup.sh -m standalone
3. Check the startup log
[root@elk91 ~]# tail -100f /usr/local/nacos/logs/start.out
# The following banner lines mean the start succeeded (the ASCII-art logo that surrounds them is omitted here):
Nacos 2.5.1
Running in stand alone mode, All function modules
Port: 8848
Pid: 58224
Console: http://10.0.0.91:8848/nacos/index.html
https://nacos.io
2025-03-18 09:40:05,502 INFO Tomcat initialized with port(s): 8848 (http)
4. Open the Nacos web UI
http://10.0.0.91:8848/nacos/
Writing a systemd unit for Nacos
1. Write the unit file
cat > /lib/systemd/system/nacos.service <<EOF
[Unit]
Description=nacos.service
After=network.target
[Service]
Type=forking
Environment=JAVA_HOME=/usr/share/elasticsearch/jdk
ExecStart=/usr/local/nacos/bin/startup.sh -m standalone
ExecStop=/usr/local/nacos/bin/shutdown.sh
[Install]
WantedBy=multi-user.target
EOF
2. Enable the service at boot
[root@elk91 ~]# systemctl daemon-reload
[root@elk91 ~]# systemctl enable --now nacos.service
[root@elk91 ~]# ss -ntl | grep 8848
LISTEN 0 100 *:8848 *:*
Note: the unit above has no User= line, so Nacos runs as root and listens on every interface. Outside a lab, run it as a dedicated unprivileged user (chown the /usr/local/nacos tree to that user and add User= to the unit) and keep 8848 and the gRPC port 9848 reachable only from the internal network.
Deploy the database on node 93
# Install the package
[root@elk93 ~]# wget https://dev.mysql.com/get/Downloads/MySQL-8.4/mysql-8.4.4-linux-glibc2.28-x86_64.tar.xz
[root@elk93 ~]# tar xf mysql-8.4.4-linux-glibc2.28-x86_64.tar.xz -C /usr/local/
# Prepare the init script and the data directory; edit basedir and datadir in the copied script so that they read as shown
[root@elk93 ~]# cp /usr/local/mysql-8.4.4-linux-glibc2.28-x86_64/support-files/mysql.server /etc/init.d/
[root@elk93 ~]# egrep "^basedir=|^datadir=" /etc/init.d/mysql.server
basedir=/usr/local/mysql844
datadir=/var/lib/mysql
[root@elk93 ~]# useradd -m mysql
[root@elk93 ~]# install -d /var/lib/mysql -o mysql -g mysql
[root@elk93 ~]# ll /var/lib/mysql/ -d
drwxr-xr-x 2 mysql mysql 4096 Mar 13 09:52 /var/lib/mysql/
# Prepare the configuration file
[root@elk93 ~]# cat /etc/my.cnf
[mysqld]
basedir=/usr/local/mysql844
datadir=/var/lib/mysql
socket=/tmp/mysql80.sock
port=3306
[client]
socket=/tmp/mysql80.sock
# Start the MySQL service
[root@elk93 ~]# cat /etc/profile.d/mysql.sh
#!/bin/bash
export MYSQL_HOME=/usr/local/mysql844
export PATH=$PATH:$MYSQL_HOME/bin
[root@elk93 ~]# source /etc/profile.d/mysql.sh
[root@elk93 ~]# ln -svf /usr/local/mysql-8.4.4-linux-glibc2.28-x86_64/ /usr/local/mysql844
[root@elk93 ~]# mysqld --initialize-insecure --user=mysql --datadir=/var/lib/mysql --basedir=/usr/local/mysql844
[root@elk93 ~]# /etc/init.d/mysql.server start
[root@elk93 ~]# ss -ntl | grep 3306
LISTEN 0 151 *:3306 *:*
LISTEN 0 70 *:33060 *:*
Note: --initialize-insecure creates root@localhost with an empty password, which is what lets the bare "mysql" command in the next section log in without prompting. Set a password right after the first start (ALTER USER root@localhost IDENTIFIED BY '...'), and since 3306 and 33060 are bound on every interface, limit them with bind-address or a host firewall to the Nacos nodes.
Configure MySQL as the Nacos data source
1. Stop the Nacos instance started earlier
root@elk91:~# /usr/local/nacos/bin/shutdown.sh
The nacosServer(40151) is running...
Send shutdown request to nacosServer(40151) OK
2. Copy the Nacos SQL schema to the database node
[root@elk91 ~]# scp /usr/local/nacos/conf/mysql-schema.sql 10.0.0.93:~
3. Create the database and user, grant privileges, import the schema
[root@elk93 ~]# mysql
mysql> CREATE DATABASE nacos;
mysql> CREATE USER nacos IDENTIFIED WITH mysql_native_password by 'dingzhiyan';
mysql> GRANT ALL ON nacos.* TO nacos;
[root@elk93 ~]# mysql nacos < mysql-schema.sql
Two things to check here. MySQL 8.4 ships with the mysql_native_password plugin disabled by default, so the CREATE USER above fails (plugin not loaded) unless mysql_native_password=ON is added under [mysqld]; dropping the IDENTIFIED WITH clause instead gives the default caching_sha2_password, which the Connector/J 8 driver shipped with Nacos 2.x handles. And CREATE USER nacos means 'nacos'@'%', usable from any host; 'nacos'@'10.0.0.91' (one entry per Nacos node) limits where the credential works.
4. Edit the Nacos configuration file
[root@elk91 ~]# vim /usr/local/nacos/conf/application.properties
# Change the context path of the console
server.servlet.contextPath=/
...
# Use MySQL as the data source
spring.sql.init.platform=mysql
# Number of databases; the official docs use 1, so 1 here as well
db.num=1
# Database host, port, schema and connection parameters
db.url.0=jdbc:mysql://10.0.0.93:3306/nacos?characterEncoding=utf8&connectTimeout=1000&socketTimeout=3000&autoReconnect=true&useUnicode=true&useSSL=false&serverTimezone=Asia/Shanghai
# Database user
db.user.0=nacos
# Database password
db.password.0=dingzhiyan
Note: useSSL=false sends the password and every configuration record in clear text between elk91 and elk93; on a real deployment use sslMode=REQUIRED (or VERIFY_CA with the server's CA) instead. Restrict the permissions of application.properties as well, since it now holds the database password.
5. Restart Nacos
[root@elk91 ~]# systemctl restart nacos.service
6. Open the Nacos web UI
http://10.0.0.91:8848/
7. Publish a configuration item and confirm it is stored in MySQL
# Query on elk93; the row just published should be present
mysql> USE nacos;
mysql> SELECT * FROM config_info;
Nacos authentication and RBAC in practice
1. Overview of Nacos authentication
Nacos is an internal microservice component. It must run on a trusted internal network and never be exposed to the public internet.
The built-in authentication is a simple, weak scheme meant to stop services from misusing each other's data, not a strong scheme that resists a deliberate attacker.
If you run on an untrusted network or need strong authentication, replace or extend the reference implementation as the official docs describe.
Reference:
https://nacos.io/zh-cn/docs/auth.html
2. Generate the token secret
When you set your own key, the documented requirement is a Base64-encoded string whose raw (decoded) key is at least 32 characters (bytes) long; 33 random bytes encode to the 44-character string below.
[root@elk91 ~]# openssl rand -base64 33
428Gjk5EGkADiPC+577iPOH49V1lGzDSN+gW8ggvUOyo
3. Edit the Nacos configuration file
[root@elk91 ~]# tail -5 /usr/local/nacos/conf/application.properties
nacos.core.auth.system.type=nacos
# Enable authentication
nacos.core.auth.enabled=true
# Header name that Nacos servers use to identify each other's requests
nacos.core.auth.server.identity.key=yinzhengjie
# Header value; a request carrying this header/value pair is treated as server-to-server traffic and bypasses user authentication, so use a long unguessable value, never the same string as the key
nacos.core.auth.server.identity.value=yinzhengjie
# Base64 key generated above; whoever holds it can mint a valid token for any user
nacos.core.auth.plugin.nacos.token.secret.key=428Gjk5EGkADiPC+577iPOH49V1lGzDSN+gW8ggvUOyo
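Before restarting it is worth checking both edits (the MySQL data source and the auth block) mechanically. The script below is an added example written for this page, not code from Nacos: a small linter for application.properties that parses the db.url.0 JDBC string and the auth settings and reports the weak values used above (useSSL=false, identity key equal to value) next to a hardened variant. The sample properties are constructed from this page; the hardened header name, the random identity value and the sslMode choice are the editor's assumptions.

```python
import base64
import binascii
from urllib.parse import parse_qs, urlsplit

# Constructed sample: the data-source and auth settings from this page, as they
# would appear in /usr/local/nacos/conf/application.properties.
PAGE_PROPERTIES = """\
server.servlet.contextPath=/
spring.sql.init.platform=mysql
db.num=1
db.url.0=jdbc:mysql://10.0.0.93:3306/nacos?characterEncoding=utf8&connectTimeout=1000&socketTimeout=3000&autoReconnect=true&useUnicode=true&useSSL=false&serverTimezone=Asia/Shanghai
db.user.0=nacos
db.password.0=dingzhiyan
nacos.core.auth.system.type=nacos
nacos.core.auth.enabled=true
nacos.core.auth.server.identity.key=yinzhengjie
nacos.core.auth.server.identity.value=yinzhengjie
nacos.core.auth.plugin.nacos.token.secret.key=428Gjk5EGkADiPC+577iPOH49V1lGzDSN+gW8ggvUOyo
"""

# Constructed hardened variant (assumed values): CA-verified TLS on the JDBC
# link, a distinct header name and a random 32-character identity value.
HARDENED_PROPERTIES = PAGE_PROPERTIES.replace(
    "useSSL=false", "sslMode=VERIFY_CA"
).replace(
    "nacos.core.auth.server.identity.key=yinzhengjie",
    "nacos.core.auth.server.identity.key=X-Nacos-Server-Identity",
).replace(
    "nacos.core.auth.server.identity.value=yinzhengjie",
    "nacos.core.auth.server.identity.value=7u0VtR1vkqGx4sJm9bDaN2wHcYfLp8eZ",
)


def parse_properties(text):
    """Minimal Java .properties reader: key=value lines, '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def token_secret_bytes(encoded):
    """Decode the Base64 token key; None if it is not valid Base64."""
    try:
        return base64.b64decode(encoded, validate=True)
    except (binascii.Error, ValueError):
        return None


def jdbc_ssl_mode(jdbc_url):
    """Effective Connector/J TLS mode for a jdbc:mysql:// URL. sslMode wins;
    otherwise the legacy useSSL/requireSSL pair is mapped the way Connector/J 8
    documents it (no useSSL at all means PREFERRED, i.e. opportunistic)."""
    url = jdbc_url[len("jdbc:"):] if jdbc_url.startswith("jdbc:") else jdbc_url
    q = {k: v[-1] for k, v in parse_qs(urlsplit(url).query).items()}
    if "sslMode" in q:
        return q["sslMode"].upper()
    if q.get("useSSL", "true").lower() == "false":
        return "DISABLED"
    return "REQUIRED" if q.get("requireSSL", "false").lower() == "true" else "PREFERRED"


def check_nacos_config(props):
    """Return (code, message) findings for the settings this page touches."""
    findings = []
    if props.get("nacos.core.auth.enabled", "false").lower() != "true":
        findings.append(("auth.disabled", "nacos.core.auth.enabled is not true: the whole API is anonymous"))
    ikey = props.get("nacos.core.auth.server.identity.key", "")
    ival = props.get("nacos.core.auth.server.identity.value", "")
    if not ikey or not ival:
        findings.append(("identity.missing", "server identity key and value must both be set"))
    elif ikey == ival or len(ival) < 16:
        findings.append(("identity.weak", "a request with header '%s: %s' bypasses user auth; use a long random value" % (ikey, ival)))
    secret = props.get("nacos.core.auth.plugin.nacos.token.secret.key", "")
    raw = token_secret_bytes(secret) if secret else None
    if raw is None:
        findings.append(("token.invalid", "token secret is missing or not Base64"))
    elif len(raw) < 32:
        findings.append(("token.short", "decoded token secret is %d bytes, the minimum is 32" % len(raw)))
    for i in range(int(props.get("db.num", "0") or 0)):
        url = props.get("db.url.%d" % i, "")
        if not url:
            findings.append(("db.url.%d.missing" % i, "db.num promises db.url.%d but it is absent" % i))
            continue
        mode = jdbc_ssl_mode(url)
        if mode == "DISABLED":
            findings.append(("db.url.%d.plaintext" % i, "password and config data travel unencrypted (useSSL=false)"))
        elif mode == "PREFERRED":
            findings.append(("db.url.%d.tls_optional" % i, "TLS is opportunistic; set sslMode=REQUIRED or VERIFY_CA"))
    return findings


if __name__ == "__main__":
    for name, text in (("page", PAGE_PROPERTIES), ("hardened", HARDENED_PROPERTIES)):
        print(name)
        for code, msg in check_nacos_config(parse_properties(text)) or [("ok", "no findings")]:
            print("  %-22s %s" % (code, msg))
```

Run it against the real file with parse_properties(open("/usr/local/nacos/conf/application.properties").read()); the page's values produce the identity.weak and db.url.0.plaintext findings, the hardened variant produces none.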
4. Restart Nacos
[root@elk91 ~]# systemctl restart nacos.service
5. Test the login page
http://10.0.0.91:8848/#/login
6. Set the initial password and log in
- With the default settings the username and password are both nacos; change that password before anything else is connected to this instance.
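What the secret from step 2 actually protects is the access token the login returns. The script below is an added example, not Nacos code: it mints and verifies an HS256 JWT the way a server holding that key would, pins the algorithm so alg=none tokens are rejected, checks expiry, and shows that a token signed under any other key fails. The claim layout (sub and exp) and HS256 for a 33-byte key mirror the Nacos token plugin as the editor reads it and are assumptions; the second key is a constructed stand-in for an attacker's guess.

```python
import base64
import hashlib
import hmac
import json
import time

# The key from this page (Base64, 33 raw bytes) and a second, unrelated key
# standing in for an attacker's guess. Both are constructed for the example.
PAGE_SECRET_B64 = "428Gjk5EGkADiPC+577iPOH49V1lGzDSN+gW8ggvUOyo"
OTHER_SECRET_B64 = base64.b64encode(b"A" * 33).decode()


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def load_secret(encoded):
    """Decode the configured key and enforce the documented 32-byte minimum."""
    raw = base64.b64decode(encoded)
    if len(raw) < 32:
        raise ValueError("token secret must decode to at least 32 bytes, got %d" % len(raw))
    return raw


def mint_token(secret, username, ttl_seconds, now=None):
    """HS256 JWT with the claim layout assumed for the Nacos plugin (sub, exp)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": username, "exp": now + ttl_seconds}
    signing_input = "%s.%s" % (
        _b64url(json.dumps(header, separators=(",", ":")).encode()),
        _b64url(json.dumps(payload, separators=(",", ":")).encode()),
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return "%s.%s" % (signing_input, _b64url(sig))


def verify_token(secret, token, now=None):
    """Return the payload if the HS256 signature checks out and exp is still in
    the future, else None. The algorithm is pinned: a token claiming alg=none or
    anything but HS256 is rejected before its signature is looked at."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(secret, ("%s.%s" % (h, p)).encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        payload = json.loads(_b64url_decode(p))
    except (ValueError, TypeError):
        return None
    now = int(time.time()) if now is None else now
    if int(payload.get("exp", 0)) <= now:
        return None
    return payload


if __name__ == "__main__":
    key = load_secret(PAGE_SECRET_B64)
    tok = mint_token(key, "nacos", 1800)
    print("token:", tok)
    print("accepted with the real key:", verify_token(key, tok) is not None)
    print("accepted with another key:", verify_token(load_secret(OTHER_SECRET_B64), tok) is not None)
```

The point of the last two lines: the only thing standing between an attacker and a token for "nacos" (or any username) is secrecy of that Base64 string, so it must be random per deployment and must not be committed, shared in screenshots, or left world-readable in application.properties.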
Nacos cluster with haproxy for high availability
1. Edit the cluster file on the existing single node
[root@elk91 ~]# cat /usr/local/nacos/conf/cluster.conf
10.0.0.91:8848
10.0.0.92:8848
10.0.0.93:8848
2. Copy the Nacos installation to the other nodes
[root@elk91 ~]# scp -r /usr/local/nacos/ 10.0.0.92:/usr/local/
[root@elk91 ~]# scp -r /usr/local/nacos/ 10.0.0.93:/usr/local/
3. Stop the single-node service
[root@elk91 ~]# systemctl disable --now nacos.service
4. Start every node in cluster mode
① Start on all nodes
/usr/local/nacos/bin/startup.sh -p embedded
Note: startup.sh without -m is cluster mode already. -p embedded does not select cluster mode; it requests the embedded Derby/Raft storage, and Nacos 2.x gives an external data source precedence when spring.sql.init.platform=mysql is set, so this cluster keeps using the MySQL data source configured above. A plain startup.sh is the clearer choice. The scp above also copied the token secret and the database password to all three nodes; every node must sign and verify with the same key, so that is intended, and the same file-permission care applies on each node.
② Verify in the console
http://10.0.0.91:8848/#/clusterManagement
http://10.0.0.92:8848/#/clusterManagement
http://10.0.0.93:8848/#/clusterManagement
5. Configure haproxy on all nodes for load balancing
① Kernel parameter: let haproxy bind the VIP 10.0.0.66 even on the nodes that do not currently hold it
echo net.ipv4.ip_nonlocal_bind = 1 >> /etc/sysctl.d/nacos.conf
sysctl -f /etc/sysctl.d/nacos.conf
sysctl -q net.ipv4.ip_nonlocal_bind
② Install haproxy
apt -y install haproxy
③ Edit the haproxy configuration
[root@elk91 ~]# tail -13 /etc/haproxy/haproxy.cfg
listen status
    mode http
    bind 0.0.0.0:9999
    stats enable
    log global
    stats uri /ruok
    stats auth admin:dingzhiyan

listen nacos
    bind 10.0.0.66:18848
    server elk91 10.0.0.91:8848 check
    server elk92 10.0.0.92:8848 check
    server elk93 10.0.0.93:8848 check
[root@elk91 ~]# scp /etc/haproxy/haproxy.cfg 10.0.0.92:/etc/haproxy
[root@elk91 ~]# scp /etc/haproxy/haproxy.cfg 10.0.0.93:/etc/haproxy
Note: the nacos listen has no mode line and so inherits the mode from the defaults section (http in the Debian/Ubuntu default file). Nacos 2.x SDK clients also open a gRPC connection on the main port plus 1000, i.e. 9848 (9849 is used between servers); a VIP that forwards only 8848 serves the console and the HTTP API, while an SDK client pointed at 10.0.0.66:18848 would try 19848 and fail. If clients are to use the VIP, add a mode tcp listen on 10.0.0.66:19848 forwarding to 10.0.0.9x:9848. The stats page is also bound on 0.0.0.0:9999 with a password sent in clear text over HTTP; bind it to an internal address.
6. Configure keepalived for high availability (preemptive failover)
① Install keepalived on all three servers
apt -y install keepalived
② Edit the keepalived configuration (elk91 is MASTER, elk92 and elk93 are BACKUP with decreasing priority; virtual_router_id, auth_pass and the VIP must be identical on all three nodes)
[root@elk91 ~]# cat /etc/keepalived/keepalived.conf
! Configuration File for keepalived
global_defs {
    router_id 10.0.0.91
}
vrrp_script chk_haproxy {
    script "killall -0 haproxy"
    interval 2
    weight -20
}
vrrp_instance VI_1 {
    state MASTER
    interface eth0
    virtual_router_id 251
    priority 100
    advert_int 1
    mcast_src_ip 10.0.0.91
    nopreempt
    authentication {
        auth_type PASS
        auth_pass dingzhiyan
    }
    track_script {
        chk_haproxy
    }
    virtual_ipaddress {
        10.0.0.66
    }
}
[root@elk92 ~]# cat /etc/keepalived/keepalived.conf
! Configuration File for keepalived
global_defs {
    router_id 10.0.0.92
}
vrrp_script chk_haproxy {
    script "killall -0 haproxy"
    interval 2
    weight -20
}
vrrp_instance VI_1 {
    state BACKUP
    interface eth0
    virtual_router_id 251
    priority 80
    advert_int 1
    mcast_src_ip 10.0.0.92
    nopreempt
    authentication {
        auth_type PASS
        auth_pass dingzhiyan
    }
    track_script {
        chk_haproxy
    }
    virtual_ipaddress {
        10.0.0.66
    }
}
[root@elk93 ~]# cat /etc/keepalived/keepalived.conf
! Configuration File for keepalived
global_defs {
    router_id 10.0.0.93
}
vrrp_script chk_haproxy {
    script "killall -0 haproxy"
    interval 2
    weight -20
}
vrrp_instance VI_1 {
    state BACKUP
    interface eth0
    virtual_router_id 251
    priority 60
    advert_int 1
    mcast_src_ip 10.0.0.93
    nopreempt
    authentication {
        auth_type PASS
        # must be identical on all three nodes
        auth_pass dingzhiyan
    }
    track_script {
        chk_haproxy
    }
    virtual_ipaddress {
        10.0.0.66
    }
}
Two corrections to the values as originally published. elk93 had auth_pass yinzhengjie, which does not match the other two nodes, so it could never have joined the VRRP group; it is fixed above. And with weight -20, elk91 drops from 100 to exactly 80 when its haproxy dies, tying elk92; VRRP breaks a priority tie in favour of the higher source IP, which happens to pick elk92 here, but that is luck, not design. Use a weight larger than the gap to the next priority (for example -30). Note also that nopreempt is only honoured on instances whose initial state is BACKUP, so with this file elk91 does not reclaim the VIP when it returns, which is the opposite of the preemptive failover this section promises; drop nopreempt on all nodes if elk91 should take the VIP back. Finally, auth_type PASS sends the password in clear text on the wire and is not a security control; keep VRRP traffic on the isolated internal segment.
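The three files have to agree on several values and differ on others, which is easy to get wrong by hand (the mismatched auth_pass and the priority tie above are exactly that). The script below is an added example, not part of the page or of keepalived: a line-oriented parser for keepalived's brace syntax plus a cross-node check for one VRRP instance. The sample configurations are constructed from this section's values via a template, with elk93 given the mismatched password and the -20 weight as originally published so that the checker flags both, and the priority-tie rule it applies is the VRRP behaviour described above.

```python
# Constructed sample: the three keepalived.conf files of this section, built
# from one template with each node's router_id, state, priority and auth_pass.
# elk93 keeps the mismatched auth_pass of the original so the checker flags it.
TEMPLATE = """\
! Configuration File for keepalived
global_defs {
    router_id %(ip)s
}
vrrp_script chk_haproxy {
    script "killall -0 haproxy"
    interval 2
    weight -20
}
vrrp_instance VI_1 {
    state %(state)s
    interface eth0
    virtual_router_id 251
    priority %(prio)d
    advert_int 1
    mcast_src_ip %(ip)s
    nopreempt
    authentication {
        auth_type PASS
        auth_pass %(auth)s
    }
    track_script {
        chk_haproxy
    }
    virtual_ipaddress {
        10.0.0.66
    }
}
"""
NODES = {
    "elk91": TEMPLATE % {"ip": "10.0.0.91", "state": "MASTER", "prio": 100, "auth": "dingzhiyan"},
    "elk92": TEMPLATE % {"ip": "10.0.0.92", "state": "BACKUP", "prio": 80, "auth": "dingzhiyan"},
    "elk93": TEMPLATE % {"ip": "10.0.0.93", "state": "BACKUP", "prio": 60, "auth": "yinzhengjie"},
}


def parse_keepalived(text):
    """Blocks become nested dicts keyed by their header ('vrrp_instance VI_1');
    'key value' lines map key -> value; bare words (VIPs, tracked script names)
    map to True. Lines starting with '!' and text after '#' are comments."""
    root, stack = {}, []
    stack.append(root)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("!"):
            continue
        if line.endswith("{"):
            block = {}
            stack[-1][line[:-1].strip()] = block
            stack.append(block)
        elif line == "}":
            stack.pop()
        else:
            key, _, value = line.partition(" ")
            stack[-1][key] = value.strip().strip('"') if value else True
    if len(stack) != 1:
        raise ValueError("unbalanced braces in keepalived.conf")
    return root


def degraded_priority(conf, inst):
    """Priority the instance sinks to when every tracked script fails
    (negative weights are subtracted on failure; positive ones only add on success)."""
    prio = int(inst.get("priority", 100))
    for name in inst.get("track_script", {}):
        weight = int(conf.get("vrrp_script " + name, {}).get("weight", 0))
        if weight < 0:
            prio += weight
    return prio


def check_vrrp_group(node_texts):
    """Cross-node consistency checks; returns (instance, code, message) tuples."""
    confs = {n: parse_keepalived(t) for n, t in node_texts.items()}
    names = sorted({k.split(None, 1)[1] for c in confs.values() for k in c if k.startswith("vrrp_instance ")})
    findings = []
    for name in names:
        members = {n: c["vrrp_instance " + name] for n, c in confs.items() if "vrrp_instance " + name in c}

        def same(field):
            return len({field(b) for b in members.values()}) == 1

        if not same(lambda b: b.get("virtual_router_id")):
            findings.append((name, "vrid.mismatch", "virtual_router_id differs between nodes"))
        if not same(lambda b: b.get("authentication", {}).get("auth_pass")):
            findings.append((name, "auth_pass.mismatch", "a node with a different auth_pass never joins the group"))
        if not same(lambda b: tuple(sorted(b.get("virtual_ipaddress", {})))):
            findings.append((name, "vip.mismatch", "virtual_ipaddress sets differ"))
        prios = {n: int(b.get("priority", 100)) for n, b in members.items()}
        if len(set(prios.values())) != len(prios):
            findings.append((name, "priority.duplicate", "two nodes share a priority"))
        masters = [n for n, b in members.items() if b.get("state") == "MASTER"]
        if len(masters) != 1:
            findings.append((name, "master.count", "%d nodes declare state MASTER" % len(masters)))
            continue
        m = masters[0]
        if members[m].get("nopreempt") is True:
            findings.append((name, "nopreempt.on_master", "%s: nopreempt is only honoured with initial state BACKUP" % m))
        backups = [p for n, p in prios.items() if n != m]
        if backups:
            low = degraded_priority(confs[m], members[m])
            if low >= max(backups):
                findings.append((name, "failover.weight_too_small",
                                 "%s sinks to %d when haproxy dies but a backup has %d; a tie falls to the higher IP, not to design"
                                 % (m, low, max(backups))))
    return findings


if __name__ == "__main__":
    for inst, code, msg in check_vrrp_group(NODES) or [("-", "ok", "no findings")]:
        print("%-5s %-26s %s" % (inst, code, msg))
```

Feed it the real files (scp them to one host and read each into the dict) before restarting keepalived; on the page's values it reports auth_pass.mismatch, failover.weight_too_small and nopreempt.on_master, and once auth_pass is aligned and the weight raised to -30 only the nopreempt warning remains.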
③ Enable and start keepalived on all nodes so the configuration takes effect
[root@elk91 ~]# systemctl enable --now keepalived
[root@elk92 ~]# systemctl enable --now keepalived
[root@elk93 ~]# systemctl enable --now keepalived
④ Start the haproxy load balancer on all nodes
systemctl restart haproxy.service
ss -ntl | grep 18848
LISTEN 0 4096 10.0.0.66:18848 0.0.0.0:*
7. Access test
http://10.0.0.66:18848/#/login
8. Verify failover
[root@elk91 ~]# systemctl stop keepalived
# The VIP should move to elk92 (check with ip addr show eth0 on each node) and the login page above must still answer on 10.0.0.66:18848.