replication-manager
what is the privilege of OS account in DB server?
We configured the replication-manager parameters below to connect to the DB server OS via ssh. We can restart the DB node from replication-manager as expected.
```
prov-orchestrator = "onpremise"
onpremise-ssh = true
onpremise-ssh-credential = "root"
scheduler-jobs-ssh = true
```
Since remote root is not allowed, we are planning to create a new OS service account for this. But we are not sure about the setting "sudoer root user" in https://docs.signal18.io/configuration/provisioning/orchestrators/onpremise
Attached the config file (config.toml.txt). Kindly advise the privilege required.
Regards, William
Hi William,
It's not clear to me either. Do you plan to take backups using ssh dbjobs (the script is called dbjob_new, but it can be duplicated and customized for your needs)? dbjobs run on the database server host after the ssh connection, but I think we pass the host and credentials of the monitoring user of replication-manager to connect to the db inside the script. I guess the grants needed are the ones that can take and restore backups, but we also do a couple of tricks when restoring, like flush tables and import tablespaces, to reload a backup without restarting the database server.
Hope it helps
Hi @svaroqui, we are using MariaDB. We tested that replication-manager can start / stop the db node using another OS account. We modified "/usr/share/polkit-1/actions/org.freedesktop.systemd1.policy" to allow the new account to run "systemctl start mariadb". Not sure whether the auditor allows this or not.
This is initial testing and we haven't configured backup yet. Seems the remote access does not relate to backup.
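An added example, not written by anyone in this thread and not part of replication-manager: a drop-in polkit rule that grants one account start/stop/restart on mariadb.service only, as a narrower alternative to editing the vendor-shipped org.freedesktop.systemd1.policy. The account name `rmsvc` and the rules file name are hypothetical, and it assumes a polkit build with JavaScript rules and a systemd version that passes the `unit` and `verb` details.

```javascript
// Hypothetical file: /etc/polkit-1/rules.d/49-replication-manager.rules
// "rmsvc" is a hypothetical service account; mariadb.service is the unit from the thread.

// polkit supplies the global `polkit`. This stand-in exists only so the same
// file can be exercised under Node before it is deployed.
var pk = (typeof polkit !== "undefined") ? polkit : {
    Result: { YES: "yes", NOT_HANDLED: null },
    addRule: function (fn) { return fn; }
};

var SERVICE_USER = "rmsvc";                      // assumption: account used for ssh
var ALLOWED_UNITS = ["mariadb.service"];         // nothing else may be controlled
var ALLOWED_VERBS = ["start", "stop", "restart"];

function allowMariadbControl(action, subject) {
    // Only the systemd "manage units" action is in scope for this rule.
    if (action.id !== "org.freedesktop.systemd1.manage-units") {
        return pk.Result.NOT_HANDLED;
    }
    // Any other caller falls through to the default policy (usually admin auth).
    if (subject.user !== SERVICE_USER) {
        return pk.Result.NOT_HANDLED;
    }
    // Pin both the unit and the verb so the account cannot touch sshd, etc.
    if (ALLOWED_UNITS.indexOf(action.lookup("unit")) === -1) {
        return pk.Result.NOT_HANDLED;
    }
    if (ALLOWED_VERBS.indexOf(action.lookup("verb")) === -1) {
        return pk.Result.NOT_HANDLED;
    }
    return pk.Result.YES;
}

pk.addRule(allowMariadbControl);

// Test-only helper (not used by polkit): builds an object shaped like polkit's
// Action, whose lookup() returns the details systemd attaches to the request.
function makeAction(id, details) {
    return { id: id, lookup: function (key) { return details[key]; } };
}
```

Because the rule lives in rules.d rather than in the packaged policy file, it survives package upgrades and gives an auditor one short file to review.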
Hi, if you want to enable configuration of database instances, then you will need to enable dropping and adding files in
/etc/mysql
/var/lib/mysql
You also need to tell replication-manager its own IP or hostname so that the job script can wget to replication-manager and get the config
```
./replication-manager-pro --config=etc/opensvc/cluster-api/cluster-demo/stephane.toml monitor --monitoring-save-config --help | grep monitoring-add
      --monitoring-address string   How to contact this monitoring (default "localhost")
```
To enable physical backups like mariabackup, you will also need binary execution of socat, mariabackup, mbstream and the mysql client.
Stéphane Varoqui, VP of Products Phone: +33-6-95-92-64-01, skype: svaroqui https://signal18.io/ https://meet.signal18.io/
Did you figure out how to solve your issue, like with a custom script? We would be very pleased if you could provide a contribution with a how-to on configuring db nodes for running ssh scripts under an unprivileged system user.
Hi, sorry, we haven't tried, as remote root is allowed in the trusted environment.
We are currently working on improving remote scripting with better logging of what is happening within mariabackup and xtrabackup. We found backup issues on the way; stay tuned, the next release will be a lot more battle-tested.