一直以来,安装ORACLE RAC,都是直接关闭防火墙,要问为什么,说是官方的推荐,具体可以见 RAC instabilities due to firewall (netfilter/iptables) enabled on the cluster interconnect (Doc ID 554781.1),启动了防火墙,就会导致集群之间出现问题,因此,也算没有办法的办法。说的人多了,也就信了。直到最近,一个用户,说等保要求必须在主机上启动防火墙,说已经启动了一个集群,要不看看。一看不要紧,确实可以放开防火墙的,而且集群不受影响。想了一下,主要是以前一直纠结端口,其实,使用富规则,方便多了,内部节点之间,可以完全放开这个端口,就解决了这个端口不停变化的问题。个人觉得这个可行,分享出来。希望可以用于日常生产。
下面我在本地模拟了出来。
LINUX 7.9 +19C RAC
1.模拟RAC环境 ip地址情况
192.168.133.203 host03
192.168.133.204 host04
10.0.0.203 host03-priv
10.0.0.204 host04-priv
192.168.133.205 host03-vip
192.168.133.206 host04-vip
192.168.133.208 ocm-scan
2.放开两个节点之间的IP
--增加公网
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.133.203/32" accept'
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.133.204/32" accept'
--增加VIP
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.133.205/32" accept'
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.133.206/32" accept'
--增加SCAN IP
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.133.208/32" accept'
--增加私网
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="10.0.0.203/32" accept'
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="10.0.0.204/32" accept'
--增加HAIP
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="169.254.0.0/16" accept'
3.允许应用服务器,备份服务器等等
firewa-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.133.0/24" port protocol="tcp" port="1521" accept'
4.规则生效
firewall-cmd --reload
5.验证
--列出防火墙设置
[root@host03 ~]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: ens33 ens36 ens37 ens38
sources:
services: dhcpv6-client ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="192.168.133.203/32" accept
rule family="ipv4" source address="192.168.133.204/32" accept
rule family="ipv4" source address="192.168.133.205/32" accept
rule family="ipv4" source address="192.168.133.206/32" accept
rule family="ipv4" source address="192.168.133.208/32" accept
rule family="ipv4" source address="10.0.0.203/32" accept
rule family="ipv4" source address="10.0.0.204/32" accept
rule family="ipv4" source address="169.254.0.0/16" accept
rule family="ipv4" source address="192.168.133.0/24" port port="1521" protocol="tcp" accept
--列出crsd 状态
[grid@host03 ~]$ crsctl stat res ora.crsd -init -t
--------------------------------------------------------------------------------
Name Target State Server State details
--------------------------------------------------------------------------------
Cluster Resources
--------------------------------------------------------------------------------
ora.crsd
1 ONLINE ONLINE host03 STABLE
--------------------------------------------------------------------------------
--测试数据库连接
SQL> conn system/oracle_4U@'192.168.133.204/racdb.example.com'Connected.
SQL> conn system/oracle_4U@'192.168.133.203/racdb.example.com'Connected.
SQL> conn system/oracle_4U@'192.168.133.205/racdb.example.com'Connected.
SQL> conn system/oracle_4U@'192.168.133.206/racdb.example.com'Connected.
SQL> conn system/oracle_4U@'192.168.133.208/racdb.example.com'Connected
至此,防火墙设置搞定
6.保持联系
----------------------------------------------------------------------
如果你对数据库技术感兴趣,我们还可以在微信群:水煮数据库 进行交流,主要交流日常运维中用到的数据库相关问题,包含但不限于:ORACLE,PG,MYSQL,SQLSERVER,OB,TIDB,达梦,TDSQL,OPENGAUSS,人大金仓,GBASE等等,加我微信吧:zq24803366,备注:水煮数据库, 我拉你入群。
----------------------------------------------------------------------
)
几何 15 转换)
