Overview
In this blog post, we explore the 10 basic steps for doing a secure Tungsten Clustering deployment. A fresh Tungsten version 7 installation is secure by default. We also cover the various tungsten.ini options that impact an install.
The 10 Basic Steps
- Validate all of the Requirements have been met
- Perform all of the needed Prerequisites
- Become the tungsten OS user
- Get and prepare the software
- Create the configuration file
- Validate the Prerequisites and configuration
- Install the software
- Sync the auto-generated SSL certificates
- Start the Tungsten Clustering software
- Validate the installation
1. Validate the Requirements
The list of requirements is here:
https://docs.continuent.com/tungsten-clustering-7.1/deployment-requirements.html
2. Perform All Needed Prerequisites
We have a checklist here:
https://docs.continuent.com/tungsten-clustering-7.1/prerequisite-checklist.html
and have full documentation for the Prerequisites here:
https://docs.continuent.com/tungsten-clustering-7.1/prerequisite.html
3. Become the Tungsten OS User
You must be the tungsten OS user to perform the rest of the steps:
shell> sudo su - tungsten
4. Get and Prepare the Software
Download the software from the Continuent Portal at https://www.continuent.com/downloads
Copy the software package to all nodes.
On all nodes, change to the software directory and extract the tarball:
shell> cd /opt/continuent/software
shell> tar xvzf tungsten-clustering-7.1.2-36.tar.gz
The docs for using the tarball are here:
https://docs.continuent.com/tungsten-clustering-7.1/deployment-sources.html#deployment-sources-tar
We also have an RPM package available via the download portal. Docs are here:
https://docs.continuent.com/tungsten-clustering-7.1/deployment-sources.html#deployment-sources-pkg
We also have a list of Best Practices for installs:
https://docs.continuent.com/tungsten-clustering-7.1/deployment-best-practices.html
5. Create the Configuration File
Create the configuration file with all of the desired options:
shell> vi /etc/tungsten/tungsten.ini
Example configurations are available in our documentation, for example a standard cluster: https://docs.continuent.com/tungsten-clustering-7.1/deployment-primaryreplica.html#deployment-primaryreplica-prepare
In order for the configuration to persist during future updates, we need to execute the deployall script at install time. Add the install=true tpm option to your configuration to ensure that happens:
# Execute the deployall script at install time
install=true
Also, since we have some post-install steps to take, let’s make sure that services do not start up after installation:
# Do not start the services after install
start-and-report=false
Below we explain some security-specific options you may want to include.
We have documentation:
https://docs.continuent.com/tungsten-clustering-7.1/cmdline-tools-tpm.html
and a list of all configuration options here:
https://docs.continuent.com/tungsten-clustering-7.1/cmdline-tools-tpm-configoptions.html
Tungsten Security
Security is enabled by default in v7, so you do not need to do anything. As a conservative SysAdmin, I often prefer to explicitly state certain options in my configuration so that it is very clear to anyone looking at it what the current setup actually is.
To explicitly enable security, add disable-security-controls=false, for example:
# Enable Full Tungsten Security - this is the default in v7, state it explicitly anyway
disable-security-controls=false
Database-Facing Security
The installer does attempt to locate the database certs automatically, but I have found it is easier to just specify the full path to them. Also, please ensure those database certs are readable by the tungsten OS user.
# Enable Tungsten<>Database SSL and Specify Database Certificate Locations
# This enables SSL to the db for Manager and Replicator
# Please update the paths to match your own!!!
datasource-enable-ssl=true
datasource-mysql-ssl-ca=/etc/mysql/certs/ca.pem
datasource-mysql-ssl-cert=/etc/mysql/certs/client-cert.pem
datasource-mysql-ssl-key=/etc/mysql/certs/client-key.pem
If you need to supply CA-signed certs for the database or other purposes, that can be done easily as well, which we will cover in an upcoming post.
REST APIv2
In version 7, the REST APIv2 is enabled by default. It is very powerful and is used by the Tungsten Dashboard. You may also call it directly for monitoring, data gathering, etc.
https://docs.continuent.com/tungsten-clustering-7.1/restapi.html
Authentication
To ensure that all nodes have the proper user and password for authentication, please include the following in tungsten.ini:
# Define REST APIv2 User and Password
rest-api-admin-user=tungsten
rest-api-admin-pass=YourPasswordHere
Ports
To change the default port for each component, use the following:
manager-rest-api-port=8090
connector-rest-api-port=8096
replicator-rest-api-port=8097
https://docs.continuent.com/tungsten-clustering-7.1/restapi.html#api-getting-started-ports
Listen Address
To change the default listener address from localhost/127.0.0.1 for each component, use the following:
connector-rest-api-address=0.0.0.0
manager-rest-api-address=0.0.0.0
replicator-rest-api-address=0.0.0.0
https://docs.continuent.com/tungsten-clustering-7.1/restapi.html#api-getting-started-enabledisable
How to Disable the REST APIv2
To turn off the REST APIv2:
connector-rest-api=false
manager-rest-api=false
replicator-rest-api=false
https://docs.continuent.com/tungsten-clustering-7.1/restapi.html#api-getting-started-enabledisable
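As an added example (not part of the original post and not a Continuent tool), this Python sketch audits the security options covered in step 5 before you run tpm validate. The [defaults] section header, the sample values and the audit() helper are assumptions made for illustration; run it as the tungsten OS user so the certificate readability check reflects that user's access.

```python
import configparser
import os

# Constructed sample; the [defaults] section header and all values are assumptions.
SAMPLE_INI = """
[defaults]
disable-security-controls=false
datasource-enable-ssl=true
datasource-mysql-ssl-key=/etc/mysql/certs/client-key.pem
rest-api-admin-user=tungsten
rest-api-admin-pass=YourPasswordHere
manager-rest-api-address=0.0.0.0
replicator-rest-api=false
replicator-rest-api-address=0.0.0.0
"""

CERT_KEYS = ("datasource-mysql-ssl-ca", "datasource-mysql-ssl-cert",
             "datasource-mysql-ssl-key")
COMPONENTS = ("connector", "manager", "replicator")


def audit(ini_text, readable=lambda path: os.access(path, os.R_OK)):
    """Return findings for the security options discussed in step 5."""
    # Other sections inherit from [defaults]; interpolation off so '%' in passwords is safe.
    cp = configparser.ConfigParser(default_section="defaults",
                                   interpolation=None, strict=False)
    cp.read_string(ini_text)
    findings = []
    for name in cp.sections() or [cp.default_section]:
        opts = cp[name]
        if opts.get("disable-security-controls", "false").lower() == "true":
            findings.append(f"[{name}] disable-security-controls=true turns security off")
        if opts.get("datasource-enable-ssl", "").lower() != "true":
            findings.append(f"[{name}] datasource-enable-ssl=true is not stated")
        for key in CERT_KEYS:
            path = opts.get(key)
            if path and not readable(path):
                findings.append(f"[{name}] {key}={path} is not readable by this user")
        if opts.get("rest-api-admin-pass") == "YourPasswordHere":
            findings.append(f"[{name}] rest-api-admin-pass is still the placeholder")
        for comp in COMPONENTS:
            enabled = opts.get(f"{comp}-rest-api", "true").lower() != "false"
            if enabled and opts.get(f"{comp}-rest-api-address") == "0.0.0.0":
                findings.append(f"[{name}] {comp} REST API listens on all interfaces")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_INI):
        print(finding)
```

To audit a real file, pass its contents: audit(open("/etc/tungsten/tungsten.ini").read()).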
6. Validate the Prerequisites and Configuration
Change to the extracted Tungsten Cluster software “staging” directory:
shell> cd /opt/continuent/software/tungsten-clustering-7.1.2-36
Run the validation using the tpm command:
shell> tools/tpm validate -i
If there are any errors, read the output carefully, resolve the issue with the configuration, and then repeat the validation step until it passes. If you cannot get the validation to work, please open a case with Continuent support.
7. Install the Software
Next, execute the install on all hosts but do not start services.
Go to the extracted software staging directory and run the installation using the tpm command:
shell> cd /opt/continuent/software/tungsten-clustering-7.1.2-36
shell> tools/tpm install -i
If there are any errors, read the output carefully, resolve the issue, then repeat the step until it passes.
Docs and an example session are located here:
https://docs.continuent.com/tungsten-clustering-7.1/deployment-primaryreplica.html
8. Sync the Auto-Generated SSL Certificates
On just one node, usually “db1”, copy the auto-generated SSL certificates to the other nodes.
Do this after all other nodes have completed installing during step 7:
shell> tools/tpm copy
9. Start the Tungsten Clustering Software
Ensure the software is configured to start at boot time. If you added install=true to your tungsten.ini, you should not need to do this:
shell> sudo deployall
Now start up the Cluster:
shell> startall
https://docs.continuent.com//tungsten-clustering-7.1/deployment-startonboot.html
https://docs.continuent.com/tungsten-clustering-7.1/cmdline-tools-deployall.html
10. Validate the Installation
Check the cluster status and test replication:
shell> cctrl
cctrl> use {dataservice_name_here}
cctrl> set policy automatic
cctrl> ls
cctrl> cluster heartbeat
cctrl> ls
cctrl> cluster validate
cctrl> cluster topology validate
Here is example cluster topology validate output from a 2-site (global:nyc/london) Composite Active/Passive (CAP) cluster:
shell > cctrl -multi
[LOGICAL] / > use global
[LOGICAL] /global > cluster topology validate
Validating physical cluster 'london' for composite datasource 'london@global'
Validating datasource 'db4@london'
Validating datasource 'db5@london'
Validating datasource 'db6@london'
Physical cluster 'london' is VALID
Validating physical cluster 'nyc' for composite datasource 'nyc@global'
Validating datasource 'db1@nyc'
Validating datasource 'db2@nyc'
Validating datasource 'db3@nyc'
Physical cluster 'nyc' is VALID
Composite cluster 'global' is VALID
Getting Help
If you need support, please follow this procedure checklist:
https://docs.continuent.com/support-process/troubleshooting-support.html#troubleshooting-support-procedure
Full support information:
https://docs.continuent.com/support-process/troubleshooting-support.html
Wrap-Up
In this blog post, we explored the 10 basic steps for doing a secure Tungsten Clustering deployment. Since a fresh Tungsten version 7 installation is secure by default, we also covered the various tungsten.ini options that impact an install.