author | mzinal <zinal@ydb.tech> | 2023-02-17 13:52:31 +0300 |
---|---|---|
committer | mzinal <zinal@ydb.tech> | 2023-02-17 13:52:31 +0300 |
commit | 71c9dc43d48055edab1354e1406de37e3e6dd672 (patch) | |
tree | 8ae5f6b3b8b905f76e6ecbcd235fdbfb5fc4f948 | |
parent | cd21459f6ea789b57cb76b39cb52553923024abd (diff) | |
download | ydb-71c9dc43d48055edab1354e1406de37e3e6dd672.tar.gz |
PR from branch users/mzinal/
better bare metal deployment instruction in Russian
systemd service file templates for ydbd, TLS certificate generator script sample for YDB
19 files changed, 825 insertions, 523 deletions
diff --git a/ydb/deploy/systemd_services/nontls/ydbd-storage.service b/ydb/deploy/systemd_services/nontls/ydbd-storage.service
new file mode 100644
index 0000000000..84e1ac2175
--- /dev/null
+++ b/ydb/deploy/systemd_services/nontls/ydbd-storage.service
@@ -0,0 +1,25 @@
+[Unit]
+Description=YDB storage node
+After=network-online.target rc-local.service
+Wants=network-online.target
+StartLimitInterval=10
+StartLimitBurst=15
+
+[Service]
+Restart=always
+RestartSec=1
+User=ydb
+PermissionsStartOnly=true
+StandardOutput=syslog
+StandardError=syslog
+SyslogIdentifier=ydbd
+SyslogFacility=daemon
+SyslogLevel=err
+Environment=LD_LIBRARY_PATH=/opt/ydb/lib
+ExecStart=/opt/ydb/bin/ydbd server --log-level 3 --syslog --tcp --yaml-config /opt/ydb/cfg/config.yaml --grpc-port 2135 --ic-port 19001 --mon-port 8765 --node static
+LimitNOFILE=65536
+LimitCORE=0
+LimitMEMLOCK=3221225472
+
+[Install]
+WantedBy=multi-user.target
diff --git a/ydb/deploy/systemd_services/nontls/ydbd-testdb.service b/ydb/deploy/systemd_services/nontls/ydbd-testdb.service
new file mode 100644
index 0000000000..79a718e91f
--- /dev/null
+++ b/ydb/deploy/systemd_services/nontls/ydbd-testdb.service
@@ -0,0 +1,25 @@
+[Unit]
+Description=YDB testdb dynamic node
+After=network-online.target rc-local.service
+Wants=network-online.target
+StartLimitInterval=10
+StartLimitBurst=15
+
+[Service]
+Restart=always
+RestartSec=1
+User=ydb
+PermissionsStartOnly=true
+StandardOutput=syslog
+StandardError=syslog
+SyslogIdentifier=ydbd
+SyslogFacility=daemon
+SyslogLevel=err
+Environment=LD_LIBRARY_PATH=/opt/ydb/lib
+ExecStart=/opt/ydb/bin/ydbd server --grpc-port 2136 --ic-port 19002 --mon-port 8766 --yaml-config /opt/ydb/cfg/config.yaml --tenant /Root/testdb --node-broker <ydb1>:2135 --node-broker <ydb2>:2135 --node-broker <ydb3>:2135
+LimitNOFILE=65536
+LimitCORE=0
+LimitMEMLOCK=32212254720
+
+[Install]
+WantedBy=multi-user.target
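Review bot: Nothing inside this unit says that it runs the node without TLS: the `ExecStart` line uses `--grpc-port 2135` and `--mon-port 8765` with no `--mon-cert`, so client gRPC and the monitoring UI are served in clear text, and only the `nontls/` directory name signals that. Once the file is copied to `/etc/systemd/system/` that hint is gone. I would add a header comment such as `# Unencrypted variant: gRPC and the monitoring UI are served without TLS; use only on isolated test networks.` and say the same in `Description=`. This also applies to `nontls/ydbd-testdb.service` in the next hunk, whose `--node-broker` endpoints have no `grpcs://` scheme.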
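Review bot: `LimitMEMLOCK=32212254720` in the testdb unit is ten times the `3221225472` used in the storage unit, which reads like a stray digit rather than a chosen value. If the dynamic node really needs a 30 GiB locked-memory limit, a one-line comment saying so would help; otherwise align it with `LimitMEMLOCK=3221225472`. The TLS variant `ydbd-testdb.service` carries the same value.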
diff --git a/ydb/deploy/systemd_services/ydbd-storage.service b/ydb/deploy/systemd_services/ydbd-storage.service
new file mode 100644
index 0000000000..98f321184a
--- /dev/null
+++ b/ydb/deploy/systemd_services/ydbd-storage.service
@@ -0,0 +1,26 @@
+[Unit]
+Description=YDB storage node
+After=network-online.target rc-local.service
+Wants=network-online.target
+StartLimitInterval=10
+StartLimitBurst=15
+
+[Service]
+Restart=always
+RestartSec=1
+User=ydb
+PermissionsStartOnly=true
+StandardOutput=syslog
+StandardError=syslog
+SyslogIdentifier=ydbd
+SyslogFacility=daemon
+SyslogLevel=err
+Environment=LD_LIBRARY_PATH=/opt/ydb/lib
+ExecStart=/opt/ydb/bin/ydbd server --log-level 3 --syslog --tcp --yaml-config /opt/ydb/cfg/config.yaml \
+ --grpcs-port 2135 --ic-port 19001 --mon-port 8765 --mon-cert /opt/ydb/certs/web.pem --node static
+LimitNOFILE=65536
+LimitCORE=0
+LimitMEMLOCK=3221225472
+
+[Install]
+WantedBy=multi-user.target
diff --git a/ydb/deploy/systemd_services/ydbd-testdb.service b/ydb/deploy/systemd_services/ydbd-testdb.service
new file mode 100644
index 0000000000..e7bcc24dc3
--- /dev/null
+++ b/ydb/deploy/systemd_services/ydbd-testdb.service
@@ -0,0 +1,28 @@
+[Unit]
+Description=YDB testdb dynamic node
+After=network-online.target rc-local.service
+Wants=network-online.target
+StartLimitInterval=10
+StartLimitBurst=15
+
+[Service]
+Restart=always
+RestartSec=1
+User=ydb
+PermissionsStartOnly=true
+StandardOutput=syslog
+StandardError=syslog
+SyslogIdentifier=ydbd
+SyslogFacility=daemon
+SyslogLevel=err
+Environment=LD_LIBRARY_PATH=/opt/ydb/lib
+ExecStart=/opt/ydb/bin/ydbd server --grpcs-port 2136 --ic-port 19002 \
+ --mon-port 8766 --mon-cert /opt/ydb/certs/web.pem --ca /opt/ydb/certs/ca.crt \
+ --yaml-config /opt/ydb/cfg/config.yaml --tenant /Root/testdb \
+ --node-broker grpcs://<ydb1>:2135 --node-broker grpcs://<ydb2>:2135 --node-broker grpcs://<ydb3>:2135
+LimitNOFILE=65536
+LimitCORE=0
+LimitMEMLOCK=32212254720
+
+[Install]
+WantedBy=multi-user.target
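Review bot: The `[Service]` section relies on `User=ydb` alone to confine a network-facing daemon that reads the node private key through `--mon-cert /opt/ydb/certs/web.pem`. `NoNewPrivileges=true`, `ProtectHome=true` and `PrivateTmp=true` are low-risk additions worth testing here; `PrivateDevices=` should stay off, since the deployment guide in this commit puts the `ydb` user in the `disk` group to reach its block devices. Separately, `PermissionsStartOnly=true` has no effect without `ExecStartPre`/`ExecStartPost` lines and is deprecated, and `StandardOutput=syslog` / `StandardError=syslog` are deprecated in favour of `journal` on current systemd. All four unit files added by this commit share these lines.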
diff --git a/ydb/deploy/tls_cert_gen/README.md b/ydb/deploy/tls_cert_gen/README.md
new file mode 100644
index 0000000000..05d536cff7
--- /dev/null
+++ b/ydb/deploy/tls_cert_gen/README.md
@@ -0,0 +1,13 @@
+# TLS certificate generation script for YDB
+
+In order to simplify generation and re-generation of certificates for YDB cluster, the `ydb-ca-update.sh` script has been created.
+
+The recommended option is to generate a separate certificate for each cluster node. Users may choose to generate a single wildcard certificate for the whole cluster instead, by specifying the host name in the form of `*.domain.com`.
+
+The script reads the list of certificate host names from `ydb-ca-nodes.txt` file, one hostname per line. Host names should be specified exactly as they are defined in the YDB cluster configuration file. If the wildcard name is used, it should match the correspoding hosts DNS names. Up to two host names can be specified in each line, both referring to the same host.
+
+The generated certificates are written into the directory structure in the `CA` subdirectory, which is created if missing.
+
+In case the certificate authority is not initialized yet, private CA key and certificate are generated.
+
+For each host name or wildcard listed in the `ydb-ca-nodes.txt` file, each invocation of the script generates the new key and new certificate signed by the private CA. All generated files are put into `CA/certs/YYYY-MM-DD_hh-mi-ss` subdirectory.
diff --git a/ydb/deploy/tls_cert_gen/ydb-ca-nodes.txt.example b/ydb/deploy/tls_cert_gen/ydb-ca-nodes.txt.example
new file mode 100644
index 0000000000..edede8ace4
--- /dev/null
+++ b/ydb/deploy/tls_cert_gen/ydb-ca-nodes.txt.example
@@ -0,0 +1,3 @@
+ycydb-s1 ycydb-s1.ru-central1.internal
+ycydb-s2 ycydb-s2.ru-central1.internal
+ycydb-s3 ycydb-s3.ru-central1.internal
diff --git a/ydb/deploy/tls_cert_gen/ydb-ca-update.sh b/ydb/deploy/tls_cert_gen/ydb-ca-update.sh
new file mode 100755
index 0000000000..46703add66
--- /dev/null
+++ b/ydb/deploy/tls_cert_gen/ydb-ca-update.sh
@@ -0,0 +1,154 @@
+#! /bin/sh
+
+set -e
+set +u
+
+NODES_FILE=ydb-ca-nodes.txt
+KEY_BITS=4096
+
+[ -d CA ] || mkdir CA
+cd CA
+
+[ -d secure ] || mkdir secure
+[ -d certs ] || mkdir certs
+[ -d nodes ] || mkdir nodes
+
+if [ ! -f ca.cnf ]; then
+ echo "** Generating CA configuration file"
+cat >ca.cnf <<EOF
+[ ca ]
+default_ca = CA_default
+
+[ CA_default ]
+default_days = 365
+database = index.txt
+serial = serial.txt
+default_md = sha256
+copy_extensions = copy
+unique_subject = no
+
+[ req ]
+prompt=no
+distinguished_name = distinguished_name
+x509_extensions = extensions
+
+[ distinguished_name ]
+organizationName = YDB
+commonName = YDB CA
+
+[ extensions ]
+keyUsage = critical,digitalSignature,nonRepudiation,keyEncipherment,keyCertSign
+basicConstraints = critical,CA:true,pathlen:1
+
+[ signing_policy ]
+organizationName = supplied
+commonName = optional
+
+[ signing_node_req ]
+keyUsage = critical,digitalSignature,keyEncipherment
+extendedKeyUsage = serverAuth,clientAuth
+
+# Used to sign client certificates.
+[ signing_client_req ]
+keyUsage = critical,digitalSignature,keyEncipherment
+extendedKeyUsage = clientAuth
+EOF
+fi
+
+if [ ! -f secure/ca.key ]; then
+ echo "** Generating CA key"
+ openssl genrsa -out secure/ca.key ${KEY_BITS}
+fi
+
+if [ ! -f certs/ca.crt ]; then
+ echo "** Generating CA certificate"
+ openssl req -new -x509 -config ca.cnf -key secure/ca.key -out certs/ca.crt -days 1830 -batch
+fi
+
+[ -f index.txt ] || touch index.txt
+[ -f serial.txt ] || (echo 01 >serial.txt)
+
+# The '..' part here is due to changed current directory
+if [ ! -f ../${NODES_FILE} ]; then
+ echo "** Missing file ${NODES_FILE} - EXIT"
+ exit 0
+fi
+
+make_node_conf() {
+ mkdir -p nodes/"$1"
+ cfile=nodes/"$1"/options.cnf
+ if [ ! -f ${cfile} ]; then
+ echo "** Creating node configuration file for $2..."
+cat > ${cfile} <<EOF
+# OpenSSL node configuration file
+[ req ]
+prompt=no
+distinguished_name = distinguished_name
+req_extensions = extensions
+
+[ distinguished_name ]
+organizationName = YDB
+
+[ extensions ]
+subjectAltName = @alt_names
+
+[ alt_names ]
+DNS.1=$2
+EOF
+ if [ ! -z "$3" ]; then
+ vn=1
+ for nn in $3; do
+ vn=`echo "$vn + 1" | bc`
+ echo "DNS.$vn=$nn" >>${cfile}
+ done
+ fi
+ fi
+}
+
+make_node_key() {
+ if [ ! -f nodes/"$1"/node.key ]; then
+ mkdir -p nodes/"$1"
+ echo "** Generating key for node $2..."
+ openssl genrsa -out nodes/"$1"/node.key ${KEY_BITS}
+ fi
+}
+
+make_node_csr() {
+ if [ ! -f nodes/"$1"/node.csr ]; then
+ echo "** Generating CSR for node $2..."
+ openssl req -new -sha256 -config nodes/"$1"/options.cnf -key nodes/"$1"/node.key -out nodes/"$1"/node.csr -batch
+ fi
+}
+
+make_node_cert() {
+ if [ ! -f nodes/"$1"/node.crt ]; then
+ echo "** Generating certificate for node $2..."
+ openssl ca -config ca.cnf -keyfile secure/ca.key -cert certs/ca.crt -policy signing_policy \
+ -extensions signing_node_req -out nodes/"$1"/node.crt -outdir nodes/"$1"/ -in nodes/"$1"/node.csr -batch
+ fi
+ if [ ! -f nodes/"$1"/web.pem ]; then
+ cat nodes/"$1"/node.key nodes/"$1"/node.crt certs/ca.crt >nodes/"$1"/web.pem
+ fi
+}
+
+DEST_NAME=`date "+%Y-%m-%d_%H-%M-%S"`
+[ -d certs/"$DEST_NAME" ] || mkdir certs/"$DEST_NAME"
+cp -v certs/ca.crt certs/"$DEST_NAME"/
+
+move_node_files() {
+ mv -v nodes/"$1" certs/"$DEST_NAME"/
+}
+
+# The '..' part here is due to changed current directory
+(cat ../${NODES_FILE}; echo "") | while read node node2; do
+ if [ ! -z "$node" ]; then
+ safe_node=`echo $node | tr '*$/' '___'`
+ make_node_conf "$safe_node" "$node" "$node2"
+ make_node_key "$safe_node" "$node"
+ make_node_csr "$safe_node" "$node"
+ make_node_cert "$safe_node" "$node"
+ move_node_files "$safe_node" "$node"
+ fi
+done
+
+echo "All done. Certificates are in CA/certs/$DEST_NAME"
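Review bot: Private-key material is written with whatever umask the caller happens to have: `secure/` and `nodes/` come from plain `mkdir`, and `web.pem` is produced by `cat nodes/"$1"/node.key ... >nodes/"$1"/web.pem`, so under a common 022 umask the concatenated node key is readable by any local user, as is everything later moved under `certs/`. Adding `umask 077` right after `set -e` covers all of these paths. In `ca.cnf`, `copy_extensions = copy` carries over every request extension that the signing section does not set, and `signing_node_req` sets no `basicConstraints`, so this CA should only ever sign CSRs produced by the script itself; adding `basicConstraints = critical,CA:false` to `signing_node_req` would close that gap. In the main loop `echo $node` is unquoted, so a wildcard entry such as `*.domain.com` is subject to pathname expansion inside `CA/`; `safe_node=$(printf '%s' "$node" | tr '*$/' '___')` avoids it. Finally, a missing nodes file ends with `exit 0` after the CA has already been created, which reports success to any caller; `exit 1` looks more appropriate.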
diff --git a/ydb/deploy/yaml_config_examples/block-4-2.yaml b/ydb/deploy/yaml_config_examples/block-4-2.yaml
index 2982a718f6..a3442b76b5 100644
--- a/ydb/deploy/yaml_config_examples/block-4-2.yaml
+++ b/ydb/deploy/yaml_config_examples/block-4-2.yaml
@@ -171,3 +171,15 @@ channel_profile_config:
 pdisk_category: 1
 storage_pool_kind: ssd
 profile_id: 0
+interconnect_config:
+ start_tcp: true
+ encryption_mode: OPTIONAL
+ path_to_certificate_file: "/opt/ydb/certs/node.crt"
+ path_to_private_key_file: "/opt/ydb/certs/node.key"
+ path_to_ca_file: "/opt/ydb/certs/ca.crt"
+grpc_config:
+ cert: "/opt/ydb/certs/node.crt"
+ key: "/opt/ydb/certs/node.key"
+ ca: "/opt/ydb/certs/ca.crt"
+ services_enabled:
+ - legacy
diff --git a/ydb/deploy/yaml_config_examples/mirror-3dc-3-nodes.yaml b/ydb/deploy/yaml_config_examples/mirror-3dc-3-nodes.yaml
index 77d493ad48..c5f0757f7f 100644
--- a/ydb/deploy/yaml_config_examples/mirror-3dc-3-nodes.yaml
+++ b/ydb/deploy/yaml_config_examples/mirror-3dc-3-nodes.yaml
@@ -151,3 +151,15 @@ channel_profile_config:
 pdisk_category: 0
 storage_pool_kind: ssd
 profile_id: 0
+interconnect_config:
+ start_tcp: true
+ encryption_mode: OPTIONAL
+ path_to_certificate_file: "/opt/ydb/certs/node.crt"
+ path_to_private_key_file: "/opt/ydb/certs/node.key"
+ path_to_ca_file: "/opt/ydb/certs/ca.crt"
+grpc_config:
+ cert: "/opt/ydb/certs/node.crt"
+ key: "/opt/ydb/certs/node.key"
+ ca: "/opt/ydb/certs/ca.crt"
+ services_enabled:
+ - legacy
diff --git a/ydb/deploy/yaml_config_examples/mirror-3dc-9-nodes.yaml b/ydb/deploy/yaml_config_examples/mirror-3dc-9-nodes.yaml
index fcb593b24e..ccb58cd258 100644
--- a/ydb/deploy/yaml_config_examples/mirror-3dc-9-nodes.yaml
+++ b/ydb/deploy/yaml_config_examples/mirror-3dc-9-nodes.yaml
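Review bot: `encryption_mode: OPTIONAL` in the added `interconnect_config` appears to leave the interconnect free to accept unencrypted sessions, which sits oddly in an example that otherwise wires certificates into every listener. If these files are meant as the protected baseline, `encryption_mode: REQUIRED` is the safer value to ship. If OPTIONAL is kept to allow a rolling migration, say so next to it, for example `# OPTIONAL accepts unencrypted peers; switch to REQUIRED once every node has its certificate`. The same block is added to `mirror-3dc-3-nodes.yaml` and `mirror-3dc-9-nodes.yaml`.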
@@ -168,3 +168,15 @@ channel_profile_config: pdisk_category: 1 storage_pool_kind: ssd profile_id: 0 +interconnect_config: + start_tcp: true + encryption_mode: OPTIONAL + path_to_certificate_file: "/opt/ydb/certs/node.crt" + path_to_private_key_file: "/opt/ydb/certs/node.key" + path_to_ca_file: "/opt/ydb/certs/ca.crt" +grpc_config: + cert: "/opt/ydb/certs/node.crt" + key: "/opt/ydb/certs/node.key" + ca: "/opt/ydb/certs/ca.crt" + services_enabled: + - legacy diff --git a/ydb/docs/en/core/_includes/storage-device-requirements.md b/ydb/docs/en/core/_includes/storage-device-requirements.md index 06cd0192b2..823f961d4f 100644 --- a/ydb/docs/en/core/_includes/storage-device-requirements.md +++ b/ydb/docs/en/core/_includes/storage-device-requirements.md @@ -6,4 +6,6 @@ The minimum disk size is 80 GB, otherwise the {{ ydb-short-name }} node won't be Configurations with disks less than 800 GB or any types of storage system virtualization cannot be used for production services or system performance testing. +We don't recommend storing {{ ydb-short-name }} data on disks used by other processes (including the operating system). + {% endnote %} diff --git a/ydb/docs/en/core/cluster/topology.md b/ydb/docs/en/core/cluster/topology.md index 4a2a6d059e..563010ca02 100644 --- a/ydb/docs/en/core/cluster/topology.md +++ b/ydb/docs/en/core/cluster/topology.md @@ -1,5 +1,10 @@ # Topology +{{ ydb-short-name }} cluster is built from nodes of two types - static and dynamic: + +* static nodes store data, implementing one of the supported redundancy modes depending on the operating mode configured; +* dynamic nodes execute queries, handle transaction coordination and perform other data management functions. + Cluster topology is determined by the fault tolerance requirements. The following operating modes are available: | Mode | Storage<br>volume multiplier | Minimum<br>number<br>of nodes | Description | 
diff --git a/ydb/docs/en/core/deploy/manual/_includes/prepare-configs.md b/ydb/docs/en/core/deploy/manual/_includes/prepare-configs.md index fe4aaa3d0a..39cabfd401 100644 --- a/ydb/docs/en/core/deploy/manual/_includes/prepare-configs.md +++ b/ydb/docs/en/core/deploy/manual/_includes/prepare-configs.md @@ -42,6 +42,11 @@ Prepare a configuration file for {{ ydb-short-name }}: rack: '1' ``` +1. In the `blob_storage_config` section, update the FQDN of each node used to store the static storage group: + + * in the `mirror-3-dc` mode, FQDNs for 9 nodes are needed; + * in the `block-4-2` mode, FQDNs for 8 nodes are needed. + 1. Enable user authentication (optional). If you plan to use authentication and user access differentiation features in the {{ ydb-short-name }} cluster, add the following parameters to the `domains_config` section: diff --git a/ydb/docs/en/core/deploy/manual/deploy-ydb-on-premises.md b/ydb/docs/en/core/deploy/manual/deploy-ydb-on-premises.md index c1b755f52b..1f98879c04 100644 --- a/ydb/docs/en/core/deploy/manual/deploy-ydb-on-premises.md +++ b/ydb/docs/en/core/deploy/manual/deploy-ydb-on-premises.md 
@@ -6,79 +6,84 @@ This document describes how to deploy a multi-tenant {{ ydb-short-name }} cluste ### Prerequisites {#requirements} -Make sure you have SSH access to all servers. This is required to install artifacts and run the {{ ydb-short-name }} executable. The network configuration must allow TCP connections on the following ports (by default): +Review the [system requirements](../../cluster/system-requirements.md) and the [cluster topology](../../cluster/topology.md). + +Make sure you have SSH access to all servers. This is required to install artifacts and run the {{ ydb-short-name }} executable. + +The network configuration must allow TCP connections on the following ports (by default, can be changed if necessary): +* 22: SSH service. * 2135, 2136: GRPC for client-cluster interaction. * 19001, 19002: Interconnect for intra-cluster node interaction. -* 8765, 8766: The HTTP interface for cluster monitoring. +* 8765, 8766: The HTTP interface of {{ ydb-short-name }} Embedded UI. -Review the [system requirements](../../cluster/system-requirements.md) and the [cluster topology](../../cluster/topology.md). +Ensure the clock synchronization for the servers within the cluster, using `ntpd` or `chrony` tools. Ideally all servers should be synced to the same time source, to ensure that leap seconds are handled in the same way. + +If your servers' Linux flavor uses `syslogd` for logging, configure logfiles rotation using the `logrotate` or similar tools. {{ ydb-short-name }} services may generate a significant amount of log data, specifically when the logging level is increased for diagnostical purposes, so system log files rotation is important to avoid the overflows of the `/var` filesystem. Select the servers and disks to be used for storing data: * Use the `block-4-2` fault tolerance model for cluster deployment in one availability zone (AZ). Use at least 8 nodes to be able to withstand the loss of 2 of them. 
* Use the `mirror-3-dc` fault tolerance model for cluster deployment in three availability zones (AZ). To survive the loss of a single AZ and of 1 node in another AZ, use at least 9 nodes. The number of nodes in each AZ should be the same. -Run each static node on a separate server. +{% note info %} -For more information about hardware requirements, see [{#T}](../../cluster/system-requirements.md). +Run each static node on a separate server. Static and dynamic nodes may run on the same server. Multiple dynamic nodes may run on the same server, provided that it has sufficient compute resources. -## Create a system user and a group to run {{ ydb-short-name }} {#create-user} - -On each server that will be running {{ ydb-short-name }}, execute the command below: - -```bash -sudo groupadd ydb -sudo useradd ydb -g ydb -``` +{% endnote %} -To make sure that {{ ydb-short-name }} has access to block disks to run, you need to add the process owner to the `disk` group: +For more information about the hardware requirements, see [{#T}](../../cluster/system-requirements.md). -```bash -sudo usermod -aG disk ydb -``` +### TLS keys and certificates preparation {#tls-certificates} -## Prepare and format disks on each server {#prepare-disks} +Traffic protection and {{ ydb-short-name }} server node authentication is implemented using the TLS protocol. Before installing the cluster, the list of nodes, their naming scheme and particular names should be defined, and used to prepare the TLS keys and certificates. -{% note warning %} +The existing or new TLS certificates can be used. 
The following PEM-encoded key and certificate files are needed to run the cluster: +* `ca.crt` - public certificate of the Certification Authority (CA), used to sign all other TLS certificate (same file on all servers in the cluster); +* `node.key` - secret keys for each of the cluster nodes (separate key for each server); +* `node.crt` - public certificate for each of the cluster nodes (the certificate for the corresponding private key); +* `web.pem` - node secret key, node public certificate and Certification Authority certificate concatenation, to be used by the internal HTTP monitoring service (separate file for each server). -We don't recommend storing data on disks used by other processes (including the operating system). +Certificate parameters are typically defined by the organizational policies. Typically {{ ydb-short-name }} certificates are generated with the following parameters: +* 2048 or 4096 bit RSA keys; +* SHA-256 with RSA encryption algorithm for certificate signing; +* node certificates validity period - 1 year; +* CA certificate validity period - 3 years or more. -{% endnote %} +The CA certificate must be marked appropriately: it needs the CA sign, and the usage for "Digital Signature, Non Repudiation, Key Encipherment, Certificate Sign" enabled. -{% include [_includes/storage-device-requirements.md](../../_includes/storage-device-requirements.md) %} +For node certificates, it is important that the actual host name (or names) matches the values specified in the "Subject Alternative Name" field. Node certificates should have "Digital Signature, Key Encipherment" usage enabled, as well as "TLS Web Server Authentication, TLS Web Client Authentication" extended usage. Node certificates should support both server and client authentication (`extendedKeyUsage = serverAuth,clientAuth` option in the OpenSSL settings). -1. 
Create a partition on the selected disk: +{{ ydb-short-name }} repository on Github contains the [sample script](https://github.com/ydb-platform/ydb/blob/main/ydb/deploy/tls_cert_gen/) which can be used to automate the batch generation or renewal of TLS certificates for the whole cluster. The script can build the key and certificate files for the list of cluster nodes in a single operation, which simplifies the installation preparation. - {% note alert %} +## Create a system user and a group to run {{ ydb-short-name }} {#create-user} - The following step will delete all partitions on the specified disks. Make sure that you specified the disks that have no other data! +On each server that will be running {{ ydb-short-name }}, execute the command below: - {% endnote %} +```bash +sudo groupadd ydb +sudo useradd ydb -g ydb +``` - ```bash - sudo parted /dev/nvme0n1 mklabel gpt -s - sudo parted -a optimal /dev/nvme0n1 mkpart primary 0% 100% - sudo parted /dev/nvme0n1 name 1 ydb_disk_ssd_01 - sudo partx --u /dev/nvme0n1 - ``` +To make sure that {{ ydb-short-name }} has access to block disks to run, the new system user needs to be added to the `disk` group: - As a result, a disk labeled `/dev/disk/by-partlabel/ydb_disk_ssd_01` will appear on the system. +```bash +sudo usermod -aG disk ydb +``` - If you plan to use more than one disk on each server, replace `ydb_disk_ssd_01` with a unique label for each one. You'll need to use these disks later in the configuration files. +## Install {{ ydb-short-name }} software on each server {#install-binaries} -1. Download and unpack an archive with the `ydbd` executable and the libraries required for {{ ydb-short-name }} to run: +1. Download and unpack the archive with the `ydbd` executable and the required libraries: ```bash mkdir ydbd-stable-linux-amd64 curl -L https://binaries.ydb.tech/ydbd-stable-linux-amd64.tar.gz | tar -xz --strip-component=1 -C ydbd-stable-linux-amd64 ``` -1. Create directories to run: +1. 
Create the directories to install the {{ ydb-short-name }} binaries: ```bash sudo mkdir -p /opt/ydb /opt/ydb/cfg - sudo chown -R ydb:ydb /opt/ydb ``` 1. Copy the executable and libraries to the appropriate directories: 
@@ -88,183 +93,84 @@ We don't recommend storing data on disks used by other processes (including the sudo cp -iR ydbd-stable-linux-amd64/lib /opt/ydb/ ``` -1. Format the disk with the builtin command below: - - ```bash - sudo LD_LIBRARY_PATH=/opt/ydb/lib /opt/ydb/bin/ydbd admin bs disk obliterate /dev/disk/by-partlabel/ydb_disk_ssd_01 - ``` +1. Set the file and directory ownership: - Perform this operation for each disk that will be used for data storage. + ```bash + sudo chown -R root:bin /opt/ydb + ``` -## Prepare configuration files {#config} - -{% list tabs %} - -- Unprotected mode - - In unprotected mode, traffic between cluster nodes and between the client and cluster uses an unencrypted connection. Use this mode for testing purposes. - - {% include [prepare-configs.md](_includes/prepare-configs.md) %} +## Prepare and format disks on each server {#prepare-disks} -- Protected mode +{% include [_includes/storage-device-requirements.md](../../_includes/storage-device-requirements.md) %} - In protected mode, traffic between cluster nodes and between the client and cluster is encrypted using the TLS protocol. +1. Create a partition on the selected disk: - {% note info %} + {% note alert %} - You can use existing TLS certificates. It's important that certificates support both server and client authentication (`extendedKeyUsage = serverAuth,clientAuth`). + The following step will delete all partitions on the specified disks. Make sure that you specified the disks that have no other data! {% endnote %} - 1. Create a key and a certificate for the Certification Authority (CA): - - 1. Create a directory named `secure` to store the CA key and one named `certs` for certificates and node keys: - - ```bash - mkdir secure - mkdir certs - ``` - - 1. 
Create a configuration file named `ca.cnf` with the following contents: - - ```text - [ ca ] - default_ca = CA_default - - [ CA_default ] - default_days = 365 - database = index.txt - serial = serial.txt - default_md = sha256 - copy_extensions = copy - unique_subject = no - - [ req ] - prompt=no - distinguished_name = distinguished_name - x509_extensions = extensions - - [ distinguished_name ] - organizationName = YDB - commonName = YDB CA - - [ extensions ] - keyUsage = critical,digitalSignature,nonRepudiation,keyEncipherment,keyCertSign - basicConstraints = critical,CA:true,pathlen:1 - - [ signing_policy ] - organizationName = supplied - commonName = optional - - [ signing_node_req ] - keyUsage = critical,digitalSignature,keyEncipherment - extendedKeyUsage = serverAuth,clientAuth - - # Used to sign client certificates. - [ signing_client_req ] - keyUsage = critical,digitalSignature,keyEncipherment - extendedKeyUsage = clientAuth - ``` - - 1. Create a CA key: - - ```bash - openssl genrsa -out secure/ca.key 2048 - ``` - - Save this key separately, you'll need it for issuing certificates. If it's lost, you'll have to reissue all certificates. - - 1. Create a private Certificate Authority (CA) certificate: - - ```bash - openssl req -new -x509 -config ca.cnf -key secure/ca.key -out certs/ca.crt -days 1830 -batch - ``` - - 1. Create a text database and an OpenSSL certificate index file: - - ```bash - touch index.txt - echo 01 >serial.txt - ``` - - 1. Create keys and certificates for the cluster nodes: - - 1. Create a `node.cnf` configuration file with the following contents: - - ```text - # OpenSSL node configuration file - [ req ] - prompt = no - distinguished_name = distinguished_name - req_extensions = extensions - - [ distinguished_name ] - organizationName = YDB - - [ extensions ] - subjectAltName = DNS:<node>.<domain> - ``` - - 1. Create a certificate key: - - ```bash - openssl genrsa -out certs/node.key 2048 - ``` - - 1. 
Create a Certificate Signing Request (CSR): - - ```bash - openssl req -new -sha256 -config node.cnf -key certs/node.key -out node.csr -batch - ``` - - 1. Create a node certificate: - - ```bash - openssl ca -config ca.cnf -keyfile secure/ca.key -cert certs/ca.crt -policy signing_policy \ - -extensions signing_node_req -out certs/node.crt -outdir certs/ -in node.csr -batch - ``` + ```bash + DISK=/dev/nvme0n1 + sudo parted ${DISK} mklabel gpt -s + sudo parted -a optimal ${DISK} mkpart primary 0% 100% + sudo parted ${DISK} name 1 ydb_disk_ssd_01 + sudo partx --u ${DISK} + ``` - Create similar certificate-key pairs for each node. + As a result, a disk labeled `/dev/disk/by-partlabel/ydb_disk_ssd_01` will appear in the system. - 1. Create certificate directories on each node: + If you plan to use more than one disk on each server, replace `ydb_disk_ssd_01` with a unique label for each one. Disk labels must be unique within a single server, and are used in the configuration files, as shown in the subsequent instructions. - ```bash - sudo mkdir /opt/ydb/certs - sudo chown -R ydb:ydb /opt/ydb/certs - sudo chmod 0750 /opt/ydb/certs - ``` + For cluster servers having similar disk configuration it is convenient to use exacty the same disk labels, to simplify the subsequent configuration. - 1. Copy the certificates and node keys to the installation folder: +2. Format the disk with the builtin command below: - ```bash - sudo -u ydb cp certs/ca.crt certs/node.crt certs/node.key /opt/ydb/certs/ - ``` + ```bash + sudo LD_LIBRARY_PATH=/opt/ydb/lib /opt/ydb/bin/ydbd admin bs disk obliterate /dev/disk/by-partlabel/ydb_disk_ssd_01 + ``` - 1. {% include [prepare-configs.md](_includes/prepare-configs.md) %} + Perform this operation for each disk that will be used to store {{ ydb-short-name }} data. - 1. Enable the traffic encryption mode in the {{ ydb-short-name }} configuration file. 
+## Prepare configuration files {#config} - In the `interconnect_config` and `grpc_config` sections, specify the path to the certificate, key, and CA certificate: +{% include [prepare-configs.md](_includes/prepare-configs.md) %} + +When TLS traffic protection is to be used (which is the default), ensure that {{ ydb-short-name }} configuration file contains the proper paths to key and certificate files in the `interconnect_config` and `grpc_config` sections, as shown below: + +```json +interconnect_config: + start_tcp: true + encryption_mode: OPTIONAL + path_to_certificate_file: "/opt/ydb/certs/node.crt" + path_to_private_key_file: "/opt/ydb/certs/node.key" + path_to_ca_file: "/opt/ydb/certs/ca.crt" +grpc_config: + cert: "/opt/ydb/certs/node.crt" + key: "/opt/ydb/certs/node.key" + ca: "/opt/ydb/certs/ca.crt" + services_enabled: + - legacy +``` - ```json - interconnect_config: - start_tcp: true - encryption_mode: OPTIONAL - path_to_certificate_file: "/opt/ydb/certs/node.crt" - path_to_private_key_file: "/opt/ydb/certs/node.key" - path_to_ca_file: "/opt/ydb/certs/ca.crt" +Save the {{ ydb-short-name }} configuration file as `/opt/ydb/cfg/config.yaml` on each server of the cluster. - grpc_config: - cert: "/opt/ydb/certs/node.crt" - key: "/opt/ydb/certs/node.key" - ca: "/opt/ydb/certs/ca.crt" - ``` +For more detailed information about creating configurations, see [Cluster configurations](../configuration/config.md). -{% endlist %} +## Copy TLS keys and certificates to each server {#tls-copy-cert} -Save the {{ ydb-short-name }} configuration file as `/opt/ydb/cfg/config.yaml` on each cluster node. +The TLS keys and certificates prepared need to be copied into the protected directory on each node of the {{ ydb-short-name }} cluster. An example of commands to create of the protected directory and copy the key and certificate files into it is shown below. -For more detailed information about creating configurations, see [Cluster configurations](../configuration/config.md). 
+```bash +sudo mkdir -p /opt/ydb/certs +sudo cp -v ca.crt /opt/ydb/certs/ +sudo cp -v node.crt /opt/ydb/certs/ +sudo cp -v node.key /opt/ydb/certs/ +sudo cp -v web.pem /opt/ydb/certs/ +sudo chown -R ydb:ydb /opt/ydb/certs +sudo chmod 700 /opt/ydb/certs +``` ## Start static nodes {#start-storage} @@ -272,19 +178,19 @@ For more detailed information about creating configurations, see [Cluster config - Manually - Run {{ ydb-short-name }} storage on each node: + Run {{ ydb-short-name }} storage service on each static node: ```bash sudo su - ydb cd /opt/ydb export LD_LIBRARY_PATH=/opt/ydb/lib - /opt/ydb/bin/ydbd server --log-level 3 --syslog --tcp --yaml-config /opt/ydb/cfg/config.yaml \ - --grpc-port 2135 --ic-port 19001 --mon-port 8765 --node static + /opt/ydb/bin/ydbd server --log-level 3 --syslog --tcp --yaml-config /opt/ydb/cfg/config.yaml \ + --grpcs-port 2135 --ic-port 19001 --mon-port 8765 --mon-cert /opt/ydb/certs/web.pem --node static ``` - Using systemd - On every node, create a `/etc/systemd/system/ydbd-storage.service` configuration file with the following contents: + On each static node, create a `/etc/systemd/system/ydbd-storage.service` systemd configuration file with the following contents. Sample file is also available [in the repository](https://github.com/ydb-platform/ydb/blob/main/ydb/deploy/systemd_services/ydbd-storage.service). ```text [Unit] 
@@ -305,7 +211,10 @@ For more detailed information about creating configurations, see [Cluster config SyslogFacility=daemon SyslogLevel=err Environment=LD_LIBRARY_PATH=/opt/ydb/lib - ExecStart=/opt/ydb/bin/ydbd server --log-level 3 --syslog --tcp --yaml-config /opt/ydb/cfg/config.yaml --grpc-port 2135 --ic-port 19001 --mon-port 8765 --node static + ExecStart=/opt/ydb/bin/ydbd server --log-level 3 --syslog --tcp \ + --yaml-config /opt/ydb/cfg/config.yaml \ + --grpcs-port 2135 --ic-port 19001 --mon-port 8765 \ + --mon-cert /opt/ydb/certs/web.pem --node static LimitNOFILE=65536 LimitCORE=0 LimitMEMLOCK=3221225472 @@ -314,7 +223,7 @@ For more detailed information about creating configurations, see [Cluster config WantedBy=multi-user.target ``` - Run {{ ydb-short-name }} storage on each node: + Run {{ ydb-short-name }} storage service on each static node: ```bash sudo systemctl start ydbd-storage 
@@ -324,98 +233,121 @@ For more detailed information about creating configurations, see [Cluster config ## Initialize a cluster {#initialize-cluster} -Cluster initialization actions depend on whether user authentication mode is enabled in the {{ ydb-short-name }} configuration file. - -{% list tabs %} +Cluster initialization configures the set of static nodes defined in the cluster configuration file to store {{ ydb-short-name }} data. -- Authentication disabled +To perform the cluster initialization, the path to the `ca.crt` file containing the Certification Authority certificate has to be specified in the corresponding commands. Copy the `ca.crt` file to the host where those commands will be executed. - On one of the cluster nodes, run the commands: +Cluster initialization actions sequence depends on whether user authentication mode is enabled in the {{ ydb-short-name }} configuration file. - ```bash - export LD_LIBRARY_PATH=/opt/ydb/lib - /opt/ydb/bin/ydbd admin blobstorage config init --yaml-file /opt/ydb/cfg/config.yaml - echo $? - ``` - - The command execution code should be null. +{% list tabs %} - Authentication enabled - To execute administrative commands (including cluster initialization, database creation, disk management, and others) in a cluster with user authentication mode enabled, you must first get an authentication token using the {{ ydb-short-name }} CLI client version 2.0.0 or higher. You must install the {{ ydb-short-name }} CLI client on any computer with network access to the cluster nodes (for example, on one of the cluster nodes) by following the [installation instructions](../../reference/ydb-cli/install.md). + To execute the administrative commands (including cluster initialization, database creation, disk management, and others) in a cluster with user authentication enabled, an authentication token has to be obtained using the {{ ydb-short-name }} CLI client version 2.0.0 or higher. 
The {{ ydb-short-name }} CLI client can be installed on any computer with network access to the cluster nodes (for example, on one of the cluster nodes) by following the [installation instructions](../../reference/ydb-cli/install.md). When the cluster is first installed, it has a single `root` account with a blank password, so the command to get the token is the following: ```bash - ydb -e grpc://<node1.ydb.tech>:2135 -d /Root \ - --user root --no-password auth get-token --force >token-file + ydb -e grpcs://<node1.ydb.tech>:2135 -d /Root --ca-file ca.crt \ + --user root --no-password auth get-token --force >token-file ``` - Any cluster server can be specified as a connection server (the `-e` or `--endpoint` parameter). + Any static node's address can be specified as the endpoint (the `-e` or `--endpoint` parameter). - If TLS traffic protection was enabled, use the protected `grpcs` protocol instead of the `grpc` protocol in the command above and additionally specify the path to the CA certificate in the `--ca-file` parameter. For example: + If the command above is executed successfully, the authentication token will be written to `token-file`. This token file needs to be copied to one of the cluster storage nodes. Next, run the following commands on this cluster node: ```bash - ydb -e grpcs://<node1.ydb.tech>:2135 -d /Root --ca-file /opt/ydb/certs/ca.crt \ - --user root --no-password auth get-token --force >token-file + export LD_LIBRARY_PATH=/opt/ydb/lib + /opt/ydb/bin/ydbd -f token-file --ca-file ca.crt -s grpcs://`hostname -f`:2135 \ + admin blobstorage config init --yaml-file /opt/ydb/cfg/config.yaml + echo $? ``` - If the command above is executed successfully, the authentication token will be written to `token-file`. You need to copy this file to the cluster node on which you intend to run the cluster initialization and database creation commands later. 
Next, run the commands on this cluster node: +- Authentication disabled + + On one of the cluster storage nodes, run the commands: ```bash export LD_LIBRARY_PATH=/opt/ydb/lib - /opt/ydb/bin/ydbd -f token-file admin blobstorage config init --yaml-file /opt/ydb/cfg/config.yaml + /opt/ydb/bin/ydbd --ca-file ca.crt -s grpcs://`hostname -f`:2135 \ + admin blobstorage config init --yaml-file /opt/ydb/cfg/config.yaml echo $? ``` - The command execution code should be null. - {% endlist %} +Upon successful cluster initialization, the command execution status code shown on the screen should be zero. + ## Create a database {#create-db} -To work with tables, you need to create at least one database and run a process to service this database (a dynamic node): +To work with tables, you need to create at least one database and run a process (or processes) to service this database (a dynamic node). -```bash -LD_LIBRARY_PATH=/opt/ydb/lib /opt/ydb/bin/ydbd admin database /Root/testdb create ssd:1 -``` +In order to run the database creation administrative command, the `ca.crt` file with the CA certificate is needed, similar to the cluster initialization steps shown above. -If user authentication mode is enabled in the cluster, the authentication token must be passed to the database creation command. The procedure for getting a token is described in the [cluster initialization](#initialize-cluster) section. +On database creation the initial number of storage groups is configured, which determines the available input/output throughput and data storage capacity. The number of storage groups can be increased after the database creation, if needed. -A variant of the database creation command with reference to the token file: +Database creation actions sequence depends on whether user authentication mode is enabled in the {{ ydb-short-name }} configuration file. 
-```bash -LD_LIBRARY_PATH=/opt/ydb/lib /opt/ydb/bin/ydbd -f token-file admin database /Root/testdb create ssd:1 -``` +{% list tabs %} + +- Authentication enabled + + The authentication token is needed. The existing token file obtained at [cluster initialization stage](#initialize-cluster) can be used, or the new token can be obtained. + + The authentication token file needs to be copied to one of the static nodes. Next, run the following commands on this cluster node: + + ```bash + export LD_LIBRARY_PATH=/opt/ydb/lib + /opt/ydb/bin/ydbd -f token-file --ca-file ca.crt -s grpcs://`hostname -s`:2135 \ + admin database /Root/testdb create ssd:1 + echo $? + ``` + +- Authentication disabled + + On one of the static nodes, run the commands: + + ```bash + export LD_LIBRARY_PATH=/opt/ydb/lib + /opt/ydb/bin/ydbd --ca-file ca.crt -s grpcs://`hostname -s`:2135 \ + admin database /Root/testdb create ssd:1 + echo $? + ``` + +{% endlist %} The command examples above use the following parameters: * `/Root`: The name of the root domain, must match the `domains_config`.`domain`.`name` setting in the cluster configuration file. * `testdb`: The name of the created database. -* `ssd:1`: The name of the storage pool and the number of the block in the pool. The pool name usually means the type of data storage devices and must match the `storage_pool_types`.`kind` setting inside the `domains_config`.`domain` element of the configuration file. +* `ssd:1`: The name of the storage pool and the number of the storage groups to be used by the database. The pool name usually means the type of data storage devices and must match the `storage_pool_types`.`kind` setting inside the `domains_config`.`domain` element of the configuration file. + +Upon successful database creation, the command execution status code shown on the screen should be zero. 
-## Start the database dynamic node {#start-dynnode} +## Start the dynamic nodes {#start-dynnode} {% list tabs %} - Manually - Start the {{ ydb-short-name }} dynamic node for the /Root/testdb database: + Start the {{ ydb-short-name }} dynamic node for the `/Root/testdb` database: ```bash sudo su - ydb cd /opt/ydb export LD_LIBRARY_PATH=/opt/ydb/lib - /opt/ydb/bin/ydbd server --grpc-port 2136 --ic-port 19002 --mon-port 8766 --yaml-config /opt/ydb/cfg/config.yaml \ - --tenant /Root/testdb --node-broker <node1.ydb.tech>:2135 --node-broker <node2.ydb.tech>:2135 --node-broker <node3.ydb.tech>:2135 + /opt/ydb/bin/ydbd server --grpcs-port 2136 --ic-port 19002 \ + --mon-port 8766 --mon-cert /opt/ydb/certs/web.pem --ca /opt/ydb/certs/ca.crt \ + --yaml-config /opt/ydb/cfg/config.yaml --tenant /Root/testdb \ + --node-broker grpcs://<ydb1>:2135 \ + --node-broker grpcs://<ydb2>:2135 \ + --node-broker grpcs://<ydb3>:2135 ``` - Where `<nodeN.ydb.tech>` is the FQDN of the servers running the static nodes. - - Run additional dynamic nodes on other servers to ensure database availability. + In the command shown above `<ydbN>` entries correspond to the FQDNs of any three servers running the static nodes. - Using systemd - 1. Create a configuration file named `/etc/systemd/system/ydbd-testdb.service` with the following content: + Create a systemd configuration file named `/etc/systemd/system/ydbd-testdb.service` with the following content. Sample file is also available [in the repository](https://github.com/ydb-platform/ydb/blob/main/ydb/deploy/systemd_services/ydbd-testdb.service). ```text [Unit] 
@@ -436,7 +368,12 @@ The command examples above use the following parameters:
 SyslogFacility=daemon
 SyslogLevel=err
 Environment=LD_LIBRARY_PATH=/opt/ydb/lib
- ExecStart=/opt/ydb/bin/ydbd server --grpc-port 2136 --ic-port 19002 --mon-port 8766 --yaml-config /opt/ydb/cfg/config.yaml --tenant /Root/testdb --node-broker <node1.ydb.tech>:2135 --node-broker <node2.ydb.tech>:2135 --node-broker <node3.ydb.tech>:2135
+ ExecStart=/opt/ydb/bin/ydbd server --grpcs-port 2136 --ic-port 19002 \
+ --mon-port 8766 --mon-cert /opt/ydb/certs/web.pem --ca /opt/ydb/certs/ca.crt \
+ --yaml-config /opt/ydb/cfg/config.yaml --tenant /Root/testdb \
+ --node-broker grpcs://<ydb1>:2135 \
+ --node-broker grpcs://<ydb2>:2135 \
+ --node-broker grpcs://<ydb3>:2135
 LimitNOFILE=65536
 LimitCORE=0
 LimitMEMLOCK=32212254720
@@ -445,48 +382,48 @@ The command examples above use the following parameters: WantedBy=multi-user.target ``` - Where `<nodeN.ydb.tech>` is the FQDN of the servers running the static nodes. + In the file shown above `<ydbN>` entries correspond to the FQDNs of any three servers running the static nodes. - 1. Start the {{ ydb-short-name }} dynamic node for the /Root/testdb database: + Start the {{ ydb-short-name }} dynamic node for the `/Root/testdb` database: ```bash sudo systemctl start ydbd-testdb ``` - 1. Run additional dynamic nodes on other servers to ensure database availability. - {% endlist %} -## Initial account setup {#security-setup} +Start the additional dynamic nodes on other servers to scale and to ensure database and availability. -If authentication mode is enabled in the cluster configuration file, initial account setup must be done before working with the {{ ydb-short-name }} cluster. +## Initial user accounts setup {#security-setup} + +If authentication mode is enabled in the cluster configuration file, initial user accounts setup must be done before working with the {{ ydb-short-name }} cluster. The initial installation of the {{ ydb-short-name }} cluster automatically creates a `root` account with a blank password, as well as a standard set of user groups described in the [Access management](../../cluster/access.md) section. -To perform initial account setup in the created {{ ydb-short-name }} cluster, run the following operations: +To perform the initial user accounts setup in the created {{ ydb-short-name }} cluster, run the following operations: 1. Install the {{ ydb-short-name }} CLI as described in the [documentation](../../reference/ydb-cli/install.md). 1. 
Set the password for the `root` account: ```bash - ydb -e grpc://<node.ydb.tech>:2136 -d /Root/testdb --user root --no-password \ + ydb --ca-file ca.crt -e grpcs://<node.ydb.tech>:2136 -d /Root/testdb --user root --no-password \ yql -s 'ALTER USER root PASSWORD "passw0rd"' ``` Replace the `passw0rd` value with the required password. -1. Create additional accounts: +1. Create the additional accounts: ```bash - ydb -e grpc://<node.ydb.tech>:2136 -d /Root/testdb --user root \ + ydb --ca-file ca.crt -e grpcs://<node.ydb.tech>:2136 -d /Root/testdb --user root \ yql -s 'CREATE USER user1 PASSWORD "passw0rd"' ``` -1. Set the account rights by including them in the integrated groups: +1. Set the account permissions by including it into the security groups: ```bash - ydb -e grpc://<node.ydb.tech>:2136 -d /Root/testdb --user root \ + ydb --ca-file ca.crt -e grpcs://<node.ydb.tech>:2136 -d /Root/testdb --user root \ yql -s 'ALTER GROUP `ADMINS` ADD USER user1' ``` @@ -494,8 +431,6 @@ In the command examples above, `<node.ydb.tech>` is the FQDN of the server runni When running the account creation and group assignment commands, the {{ ydb-short-name }} CLI client will request the `root` user's password. You can avoid multiple password entries by creating a connection profile as described in the [{{ ydb-short-name }} CLI documentation](../../reference/ydb-cli/profile/index.md). -If TLS traffic protection was enabled in the cluster, use the protected `grpcs` protocol instead of the `grpc` protocol in the command above and specify the path to the CA certificate in the `--ca-file` parameter (or save it in the connection profile). - ## Test the created database {#try-first-db} 1. Install the {{ ydb-short-name }} CLI as described in the [documentation](../../reference/ydb-cli/install.md). 
@@ -503,15 +438,64 @@ If TLS traffic protection was enabled in the cluster, use the protected `grpcs` 1. Create a `test_table`: ```bash - ydb -e grpc://<node.ydb.tech>:2136 -d /Root/testdb scripting yql \ - --script 'CREATE TABLE `testdir/test_table` (id Uint64, title Utf8, PRIMARY KEY (id));' + ydb --ca-file ca.crt -e grpcs://<node.ydb.tech>:2136 -d /Root/testdb --user root \ + yql -s 'CREATE TABLE `testdir/test_table` (id Uint64, title Utf8, PRIMARY KEY (id));' ``` Where `<node.ydb.tech>` is the FQDN of the server running the dynamic node that supports the `/Root/testdb` database. - The command above must be adjusted if TLS traffic protection or user authentication mode is enabled in the cluster. Example: +## Validate the access to the embedded UI - ```bash - ydb -e grpcs://<node.ydb.tech>:2136 -d /Root/testdb --ca-file ydb-ca.crt --user root scripting yql \ - --script 'CREATE TABLE `testdir/test_table` (id Uint64, title Utf8, PRIMARY KEY (id));' - ``` +To validate the access to {{ ydb-short-name }} embedded UI a Web browser should be used, opening the address `https://<node.ydb.tech>:8765`, where `<node.ydb.tech>` should be replaced with the FQDN of any static node server. + +Web browser should be configured to trust the CA used to generate the cluster node certificates, otherwise a warning will be shown that the certificate is not trusted. + +In case the authentication is enabled, the Web browser will display the login and password prompt. After entering the correct credentials, the initial {{ ydb-short-name }} embedded UI page will be shown. The available functions and user interface are described in the following document: [{#T}](../../maintenance/embedded_monitoring/index.md). + +{% note info %} + +Highly available HTTP load balancer, based on `haproxy`, `nginx` or similar software, is typically used to enable access to the {{ ydb-short-name }} embedded UI. 
The configuration details for HTTP load balancer are out of scope for the basic {{ ydb-short-name }} installation instruction. + +{% endnote %} + + +# Installing {{ ydb-short-name }} in the unprotected mode + +{% note warning %} + +We DO NOT recommend to run {{ ydb-short-name }} in the unprotected mode for any purpose. + +{% endnote %} + +The installation procedure described above assumes that {{ ydb-short-name }} runs in its default protected mode. + +The unprotected {{ ydb-short-name }} mode is also available, and is intended for internal purposes, mainly for the development and testing of {{ ydb-short-name }} software. When running in the unprotected mode: +* all traffic is passed in the clear text, including the intra-cluster communications and cluster-client communications; +* user authentication is not used (enabling authentication without TLS traffic protection does not make much sense, as login and password are both passed unprotected through the network). + +Installing {{ ydb-short-name }} for the unprotected mode is performed according with the general procedure described above, with the exceptions listed below: + +1. TLS keys and certificates generation is skipped. No need to copy the key and certificate files to cluster servers. + +1. Subsection `security_config` of section `domains_config` is excluded from the configuration file. Sections `interconnect_config` and `grpc_config` are excluded, too. + +1. The syntax of commands to start static and dynamic nodes is reduced: the options referring to TLS key and certificate files are excluded, `grpc` protocol name is used instead of `grpcs` for connection points. + +1. The step to obtain the authentication token before cluster initialization and database creation is skipped. + +1. Cluster initialization is performed with the following command: + + ```bash + export LD_LIBRARY_PATH=/opt/ydb/lib + /opt/ydb/bin/ydbd admin blobstorage config init --yaml-file /opt/ydb/cfg/config.yaml + echo $? + ``` + +1. 
Database creation is performed with the following command: + + ```bash + export LD_LIBRARY_PATH=/opt/ydb/lib + /opt/ydb/bin/ydbd admin database /Root/testdb create ssd:1 + ``` + +1. `grpc` protocol is used instead of `grpcs` when configuring the connections to the database in {{ ydb-short-name }} CLI and applications. Authentication is not used. diff --git a/ydb/docs/ru/core/_includes/storage-device-requirements.md b/ydb/docs/ru/core/_includes/storage-device-requirements.md index b9dde90f2d..5bed5f0284 100644 --- a/ydb/docs/ru/core/_includes/storage-device-requirements.md +++ b/ydb/docs/ru/core/_includes/storage-device-requirements.md @@ -6,4 +6,6 @@ ΠΠΎΠ½ΡΠΈΠ³ΡΡΠ°ΡΠΈΠΈ Ρ Π΄ΠΈΡΠΊΠ°ΠΌΠΈ ΠΎΠ±ΡΠ΅ΠΌΠΎΠΌ ΠΌΠ΅Π½ΡΡΠ΅ 800 ΠΠ ΠΈΠ»ΠΈ Ρ Π»ΡΠ±ΡΠΌΠΈ Π²ΠΈΠ΄Π°ΠΌΠΈ Π²ΠΈΡΡΡΠ°Π»ΠΈΠ·Π°ΡΠΈΠΈ ΡΠΈΡΡΠ΅ΠΌΡ Ρ
ΡΠ°Π½Π΅Π½ΠΈΡ Π½Π΅Π»ΡΠ·Ρ ΠΈΡΠΏΠΎΠ»ΡΠ·ΠΎΠ²Π°ΡΡ Π΄Π»Ρ ΡΠ΅ΡΠ²ΠΈΡΠΎΠ², Π½Π°Ρ
ΠΎΠ΄ΡΡΠΈΡ
ΡΡ Π² ΠΏΡΠΎΠΌΡΡΠ»Π΅Π½Π½ΠΎΠΉ ΡΠΊΡΠΏΠ»ΡΠ°ΡΠ°ΡΠΈΠΈ, Π° ΡΠ°ΠΊΠΆΠ΅ Π΄Π»Ρ ΡΠ΅ΡΡΠΈΡΠΎΠ²Π°Π½ΠΈΡ ΠΏΡΠΎΠΈΠ·Π²ΠΎΠ΄ΠΈΡΠ΅Π»ΡΠ½ΠΎΡΡΠΈ ΡΠΈΡΡΠ΅ΠΌΡ. +ΠΡ Π½Π΅ ΡΠ΅ΠΊΠΎΠΌΠ΅Π½Π΄ΡΠ΅ΠΌ ΠΈΡΠΏΠΎΠ»ΡΠ·ΠΎΠ²Π°ΡΡ Π΄Π»Ρ Ρ
ΡΠ°Π½Π΅Π½ΠΈΡ Π΄Π°Π½Π½ΡΡ
{{ ydb-short-name }} Π΄ΠΈΡΠΊΠΈ, ΠΊΠΎΡΠΎΡΡΠ΅ ΠΈΡΠΏΠΎΠ»ΡΠ·ΡΡΡΡΡ Π΄ΡΡΠ³ΠΈΠΌΠΈ ΠΏΡΠΎΡΠ΅ΡΡΠ°ΠΌΠΈ (Π² ΡΠΎΠΌ ΡΠΈΡΠ»Π΅ ΠΎΠΏΠ΅ΡΠ°ΡΠΈΠΎΠ½Π½ΠΎΠΉ ΡΠΈΡΡΠ΅ΠΌΠΎΠΉ). + {% endnote %} diff --git a/ydb/docs/ru/core/cluster/system-requirements.md b/ydb/docs/ru/core/cluster/system-requirements.md index c145463cd0..24abfb85e4 100644 --- a/ydb/docs/ru/core/cluster/system-requirements.md +++ b/ydb/docs/ru/core/cluster/system-requirements.md @@ -26,7 +26,7 @@ Π Π°Π±ΠΎΡΠΎΡΠΏΠΎΡΠΎΠ±Π½ΠΎΡΡΡ ΠΈ ΠΏΡΠΎΠΈΠ·Π²ΠΎΠ΄ΠΈΡΠ΅Π»ΡΠ½ΠΎΡΡΡ {{ ydb-short-name }} Π½Π΅ ΡΠ΅ΡΡΠΈΡΠΎΠ²Π°Π»Π°ΡΡ Π½ΠΈ Π½Π° ΠΊΠ°ΠΊΠΈΡ
Π²ΠΈΠ΄Π°Ρ
Π²ΠΈΡΡΡΠ°Π»ΡΠ½ΡΡ
ΠΈΠ»ΠΈ ΡΠ΅ΡΠ΅Π²ΡΡ
ΡΡΡΡΠΎΠΉΡΡΠ² Ρ
ΡΠ°Π½Π΅Π½ΠΈΡ. - ΠΡΠΈ ΠΏΠ»Π°Π½ΠΈΡΠΎΠ²Π°Π½ΠΈΠΈ ΠΌΠ΅ΡΡΠ° ΡΡΠΎΠΈΡ ΡΡΠΈΡΡΠ²Π°ΡΡ, ΡΡΠΎ {{ ydb-short-name }} ΠΈΡΠΏΠΎΠ»ΡΠ·ΡΠ΅Ρ ΡΠ°ΡΡΡ Π΄ΠΈΡΠΊΠΎΠ²ΠΎΠ³ΠΎ ΠΏΡΠΎΡΡΡΠ°Π½ΡΡΠ²Π° Π΄Π»Ρ ΡΠ²ΠΎΠΈΡ
Π²Π½ΡΡΡΠ΅Π½Π½ΠΈΡ
Π½ΡΠΆΠ΄. Π’Π°ΠΊ, Π½Π°ΠΏΡΠΈΠΌΠ΅Ρ, Π½Π° ΡΡΠ΅Π΄Π½Π΅Π³ΠΎ ΡΠ°Π·ΠΌΠ΅ΡΠ° ΠΊΠ»Π°ΡΡΠ΅ΡΠ΅ ΠΈΠ· 8 Π½ΠΎΠ΄ ΠΌΠΎΠΆΠ½ΠΎ ΠΎΠΆΠΈΠ΄Π°ΡΡ ΠΏΠΎΡΡΠ΅Π±Π»Π΅Π½ΠΈΡ ΠΏΠΎΠ΄ ΡΡΠ°ΡΠΈΡΠ΅ΡΠΊΡΡ Π³ΡΡΠΏΠΏΡ ΠΎΠΊΠΎΠ»ΠΎ 100 ΠΠ± Π½Π° Π²Π΅ΡΡ ΠΊΠ»Π°ΡΡΠ΅Ρ. ΠΠ° Π±ΠΎΠ»ΡΡΠΎΠΌ ΠΊΠ»Π°ΡΡΠ΅ΡΠ΅ Ρ >1500 Π½ΠΎΠ΄ β ΠΎΠΊΠΎΠ»ΠΎ 200 ΠΠ±. Π’Π°ΠΊ ΠΆΠ΅ Π΅ΡΡΡ Π»ΠΎΠ³ΠΈ ΡΠ°Π·ΠΌΠ΅ΡΠΎΠΌ 25.6 ΠΠ± Π½Π° ΠΊΠ°ΠΆΠ΄ΠΎΠΌ Pdisk ΠΈ ΡΠΈΡΡΠ΅ΠΌΠ½Π°Ρ ΠΎΠ±Π»Π°ΡΡΡ Π½Π° ΠΊΠ°ΠΆΠ΄ΠΎΠΌ Pdisk. ΠΡ ΡΠ°Π·ΠΌΠ΅Ρ Π·Π°Π²ΠΈΡΠΈΡ ΠΎΡ ΡΠ°Π·ΠΌΠ΅ΡΠ° Pdisk, Π½ΠΎ Π½Π΅ ΠΌΠ΅Π½Π΅Π΅ 0.2 ΠΠ±. + ΠΡΠΈ ΠΏΠ»Π°Π½ΠΈΡΠΎΠ²Π°Π½ΠΈΠΈ ΠΌΠ΅ΡΡΠ° ΡΡΠΎΠΈΡ ΡΡΠΈΡΡΠ²Π°ΡΡ, ΡΡΠΎ {{ ydb-short-name }} ΠΈΡΠΏΠΎΠ»ΡΠ·ΡΠ΅Ρ ΡΠ°ΡΡΡ Π΄ΠΈΡΠΊΠΎΠ²ΠΎΠ³ΠΎ ΠΏΡΠΎΡΡΡΠ°Π½ΡΡΠ²Π° Π΄Π»Ρ ΡΠ²ΠΎΠΈΡ
Π²Π½ΡΡΡΠ΅Π½Π½ΠΈΡ
Π½ΡΠΆΠ΄. Π’Π°ΠΊ, Π½Π°ΠΏΡΠΈΠΌΠ΅Ρ, Π½Π° ΡΡΠ΅Π΄Π½Π΅Π³ΠΎ ΡΠ°Π·ΠΌΠ΅ΡΠ° ΠΊΠ»Π°ΡΡΠ΅ΡΠ΅ ΠΈΠ· 8 ΡΠ·Π»ΠΎΠ² ΠΌΠΎΠΆΠ½ΠΎ ΠΎΠΆΠΈΠ΄Π°ΡΡ ΠΏΠΎΡΡΠ΅Π±Π»Π΅Π½ΠΈΡ ΠΏΠΎΠ΄ ΡΡΠ°ΡΠΈΡΠ΅ΡΠΊΡΡ Π³ΡΡΠΏΠΏΡ ΠΎΠΊΠΎΠ»ΠΎ 100 ΠΠ± Π½Π° Π²Π΅ΡΡ ΠΊΠ»Π°ΡΡΠ΅Ρ. ΠΠ° Π±ΠΎΠ»ΡΡΠΎΠΌ ΠΊΠ»Π°ΡΡΠ΅ΡΠ΅ Ρ >1500 ΡΠ·Π»ΠΎΠ² β ΠΎΠΊΠΎΠ»ΠΎ 200 ΠΠ±. Π’Π°ΠΊΠΆΠ΅ Π΅ΡΡΡ ΡΠΈΡΡΠ΅ΠΌΠ½ΡΠ΅ Π»ΠΎΠ³ΠΈ ΡΠ°Π·ΠΌΠ΅ΡΠΎΠΌ 25.6 ΠΠ± Π½Π° ΠΊΠ°ΠΆΠ΄ΠΎΠΌ Pdisk ΠΈ ΡΠΈΡΡΠ΅ΠΌΠ½Π°Ρ ΠΎΠ±Π»Π°ΡΡΡ Π½Π° ΠΊΠ°ΠΆΠ΄ΠΎΠΌ Pdisk. ΠΡ ΡΠ°Π·ΠΌΠ΅Ρ Π·Π°Π²ΠΈΡΠΈΡ ΠΎΡ ΡΠ°Π·ΠΌΠ΅ΡΠ° Pdisk, Π½ΠΎ Π½Π΅ ΠΌΠ΅Π½Π΅Π΅ 0.2 ΠΠ±. ## ΠΡΠΎΠ³ΡΠ°ΠΌΠΌΠ½Π°Ρ ΠΊΠΎΠ½ΡΠΈΠ³ΡΡΠ°ΡΠΈΡ {#software} diff --git a/ydb/docs/ru/core/cluster/topology.md b/ydb/docs/ru/core/cluster/topology.md index 98d60a526b..ea10c20440 100644 --- a/ydb/docs/ru/core/cluster/topology.md +++ b/ydb/docs/ru/core/cluster/topology.md @@ -1,5 +1,10 @@ # Π’ΠΎΠΏΠΎΠ»ΠΎΠ³ΠΈΡ +ΠΠ»Π°ΡΡΠ΅Ρ {{ ydb-short-name }} ΡΠΎΡΡΠΎΠΈΡ ΠΈΠ· ΡΡΠ°ΡΠΈΡΠ΅ΡΠΊΠΈΡ
ΠΈ Π΄ΠΈΠ½Π°ΠΌΠΈΡΠ΅ΡΠΊΠΈΡ
ΡΠ·Π»ΠΎΠ²: + +* ΡΡΠ°ΡΠΈΡΠ΅ΡΠΊΠΈΠ΅ ΡΠ·Π»Ρ ΠΎΠ±Π΅ΡΠΏΠ΅ΡΠΈΠ²Π°ΡΡ Ρ
ΡΠ°Π½Π΅Π½ΠΈΠ΅ Π΄Π°Π½Π½ΡΡ
, ΡΠ΅Π°Π»ΠΈΠ·ΡΡ ΠΎΠ΄Π½Ρ ΠΈΠ· ΠΏΠΎΠ΄Π΄Π΅ΡΠΆΠΈΠ²Π°Π΅ΠΌΡΡ
ΡΡ
Π΅ΠΌ ΠΈΠ·Π±ΡΡΠΎΡΠ½ΠΎΡΡΠΈ Π² Π·Π°Π²ΠΈΡΠΈΠΌΠΎΡΡΠΈ ΠΎΡ ΡΡΡΠ°Π½ΠΎΠ²Π»Π΅Π½Π½ΠΎΠ³ΠΎ ΡΠ΅ΠΆΠΈΠΌΠ° ΡΠ°Π±ΠΎΡΡ; +* Π΄ΠΈΠ½Π°ΠΌΠΈΡΠ΅ΡΠΊΠΈΠ΅ ΡΠ·Π»Ρ ΠΎΠ±Π΅ΡΠΏΠ΅ΡΠΈΠ²Π°ΡΡ Π²ΡΠΏΠΎΠ»Π½Π΅Π½ΠΈΠ΅ Π·Π°ΠΏΡΠΎΡΠΎΠ², ΠΊΠΎΠΎΡΠ΄ΠΈΠ½Π°ΡΠΈΡ ΡΡΠ°Π½Π·Π°ΠΊΡΠΈΠΉ ΠΈ Π΄ΡΡΠ³ΠΈΠ΅ ΡΡΠ½ΠΊΡΠΈΠΈ ΡΠΏΡΠ°Π²Π»Π΅Π½ΠΈΡ Π΄Π°Π½Π½ΡΠΌΠΈ. + Π’ΠΎΠΏΠΎΠ»ΠΎΠ³ΠΈΡ ΠΊΠ»Π°ΡΡΠ΅ΡΠ° ΠΎΠΏΡΠ΅Π΄Π΅Π»ΡΠ΅ΡΡΡ ΡΡΠ΅Π±ΠΎΠ²Π°Π½ΠΈΡΠΌΠΈ ΠΊ ΠΎΡΠΊΠ°Π·ΠΎΡΡΡΠΎΠΉΡΠΈΠ²ΠΎΡΡΠΈ. ΠΠΎΡΡΡΠΏΠ½Ρ ΡΠ»Π΅Π΄ΡΡΡΠΈΠ΅ ΡΠ΅ΠΆΠΈΠΌΡ ΡΠ°Π±ΠΎΡΡ: Π Π΅ΠΆΠΈΠΌ | ΠΠ½ΠΎΠΆΠΈΡΠ΅Π»Ρ<br>ΠΎΠ±ΡΠ΅ΠΌΠ° Ρ
ΡΠ°Π½Π΅Π½ΠΈΡ | ΠΠΈΠ½ΠΈΠΌΠ°Π»ΡΠ½ΠΎΠ΅<br>ΠΊΠΎΠ»ΠΈΡΠ΅ΡΡΠ²ΠΎ<br>ΡΠ·Π»ΠΎΠ² | ΠΠΏΠΈΡΠ°Π½ΠΈΠ΅ @@ -11,7 +16,7 @@ {% note info %} -ΠΠΎΠ΄ Π²ΡΡ
ΠΎΠ΄ΠΎΠΌ ΠΈΠ· ΡΡΡΠΎΡ ΡΠ·Π»Π° ΠΏΠΎΠ΄ΡΠ°Π·ΡΠΌΠ΅Π²Π°Π΅ΡΡΡ ΠΊΠ°ΠΊ ΠΏΠΎΠ»Π½Π°Ρ ΡΠ°ΠΊ ΠΈ ΡΠ°ΡΡΠΈΡΠ½Π°Ρ Π΅Π³ΠΎ Π½Π΅Π΄ΠΎΡΡΡΠΏΠ½ΠΎΡΡΡ, Π½Π°ΠΏΡΠΈΠΌΠ΅Ρ Π²ΡΡ
ΠΎΠ΄ ΠΈΠ· ΡΡΡΠΎΡ ΠΎΠ΄Π½ΠΎΠ³ΠΎ Π΄ΠΈΡΠΊΠ° Π½Π° ΡΠ·Π»Π΅. +ΠΠΎΠ΄ Π²ΡΡ
ΠΎΠ΄ΠΎΠΌ ΠΈΠ· ΡΡΡΠΎΡ ΡΠ·Π»Π° ΠΏΠΎΠ΄ΡΠ°Π·ΡΠΌΠ΅Π²Π°Π΅ΡΡΡ ΠΊΠ°ΠΊ ΠΏΠΎΠ»Π½Π°Ρ, ΡΠ°ΠΊ ΠΈ ΡΠ°ΡΡΠΈΡΠ½Π°Ρ Π΅Π³ΠΎ Π½Π΅Π΄ΠΎΡΡΡΠΏΠ½ΠΎΡΡΡ, Π½Π°ΠΏΡΠΈΠΌΠ΅Ρ Π²ΡΡ
ΠΎΠ΄ ΠΈΠ· ΡΡΡΠΎΡ ΠΎΠ΄Π½ΠΎΠ³ΠΎ Π΄ΠΈΡΠΊΠ° Π½Π° ΡΠ·Π»Π΅. ΠΡΠΈΠ²Π΅Π΄Π΅Π½Π½ΡΠΉ Π²ΡΡΠ΅ ΠΌΠ½ΠΎΠΆΠΈΡΠ΅Π»Ρ ΠΎΠ±ΡΠ΅ΠΌΠ° Ρ
ΡΠ°Π½Π΅Π½ΠΈΡ ΠΎΡΠ½ΠΎΡΠΈΡΡΡ ΡΠΎΠ»ΡΠΊΠΎ ΠΊ ΡΠ°ΠΊΡΠΎΡΡ ΠΎΠ±Π΅ΡΠΏΠ΅ΡΠ΅Π½ΠΈΡ ΠΎΡΠΊΠ°Π·ΠΎΡΡΡΠΎΠΉΡΠΈΠ²ΠΎΡΡΠΈ. ΠΠ»Ρ ΠΏΠ»Π°Π½ΠΈΡΠΎΠ²Π°Π½ΠΈΡ ΡΠ°Π·ΠΌΠ΅ΡΠ° Ρ
ΡΠ°Π½ΠΈΠ»ΠΈΡΠ° Π½Π΅ΠΎΠ±Ρ
ΠΎΠ΄ΠΈΠΌΠΎ ΡΡΠΈΡΡΠ²Π°ΡΡ Π΄ΡΡΠ³ΠΈΠ΅ Π²Π»ΠΈΡΡΡΠΈΠ΅ ΡΠ°ΠΊΡΠΎΡΡ (Π½Π°ΠΏΡΠΈΠΌΠ΅Ρ, ΡΡΠ°Π³ΠΌΠ΅Π½ΡΠ°ΡΠΈΡ ΠΈ Π³ΡΠ°Π½ΡΠ»ΡΡΠ½ΠΎΡΡΡ ΡΠ»ΠΎΡΠΎΠ²). diff --git a/ydb/docs/ru/core/deploy/manual/_includes/prepare-configs.md b/ydb/docs/ru/core/deploy/manual/_includes/prepare-configs.md index 3021eeb304..599bf37e83 100644 --- a/ydb/docs/ru/core/deploy/manual/_includes/prepare-configs.md +++ b/ydb/docs/ru/core/deploy/manual/_includes/prepare-configs.md @@ -42,6 +42,11 @@ rack: '1' ``` +1. Π ΡΠ΅ΠΊΡΠΈΠΈ `blob_storage_config` ΡΠΊΠΎΡΡΠ΅ΠΊΡΠΈΡΡΠΉΡΠ΅ FQDN Π²ΡΠ΅Ρ
Π½ΠΎΠ΄, ΠΈΡΠΏΠΎΠ»ΡΠ·ΡΠ΅ΠΌΡΡ
Π΄Π»Ρ ΡΠ°Π·ΠΌΠ΅ΡΠ΅Π½ΠΈΡ ΡΡΠ°ΡΠΈΡΠ΅ΡΠΊΠΎΠΉ Π³ΡΡΠΏΠΏΡ Ρ
ΡΠ°Π½Π΅Π½ΠΈΡ: + + * Π΄Π»Ρ ΡΡ
Π΅ΠΌΡ `mirror-3-dc` Π½Π΅ΠΎΠ±Ρ
ΠΎΠ΄ΠΈΠΌΠΎ ΡΠΊΠ°Π·Π°ΡΡ FQDN Π΄Π»Ρ 9 Π½ΠΎΠ΄; + * Π΄Π»Ρ ΡΡ
Π΅ΠΌΡ `block-4-2` Π½Π΅ΠΎΠ±Ρ
ΠΎΠ΄ΠΈΠΌΠΎ ΡΠΊΠ°Π·Π°ΡΡ FQDN Π΄Π»Ρ 8 Π½ΠΎΠ΄. + 1. ΠΠΊΠ»ΡΡΠΈΡΠ΅ Π°ΡΡΠ΅Π½ΡΠΈΡΠΈΠΊΠ°ΡΠΈΡ ΠΏΠΎΠ»ΡΠ·ΠΎΠ²Π°ΡΠ΅Π»Π΅ΠΉ (ΠΎΠΏΡΠΈΠΎΠ½Π°Π»ΡΠ½ΠΎ). ΠΡΠ»ΠΈ Π²Ρ ΠΏΠ»Π°Π½ΠΈΡΡΠ΅ΡΠ΅ ΠΈΡΠΏΠΎΠ»ΡΠ·ΠΎΠ²Π°ΡΡ Π² ΠΊΠ»Π°ΡΡΠ΅ΡΠ΅ {{ ydb-short-name }} Π²ΠΎΠ·ΠΌΠΎΠΆΠ½ΠΎΡΡΠΈ Π°ΡΡΠ΅Π½ΡΠΈΡΠΈΠΊΠ°ΡΠΈΠΈ ΠΈ ΡΠ°Π·Π³ΡΠ°Π½ΠΈΡΠ΅Π½ΠΈΡ Π΄ΠΎΡΡΡΠΏΠ° ΠΏΠΎΠ»ΡΠ·ΠΎΠ²Π°ΡΠ΅Π»Π΅ΠΉ, Π΄ΠΎΠ±Π°Π²ΡΡΠ΅ Π² ΡΠ΅ΠΊΡΠΈΡ `domains_config` ΡΠ»Π΅Π΄ΡΡΡΠΈΠ΅ Π΄ΠΎΠΏΠΎΠ»Π½ΠΈΡΠ΅Π»ΡΠ½ΡΠ΅ ΠΏΠ°ΡΠ°ΠΌΠ΅ΡΡΡ: diff --git a/ydb/docs/ru/core/deploy/manual/deploy-ydb-on-premises.md b/ydb/docs/ru/core/deploy/manual/deploy-ydb-on-premises.md index 679a6970e3..0e8768d7b3 100644 --- a/ydb/docs/ru/core/deploy/manual/deploy-ydb-on-premises.md +++ b/ydb/docs/ru/core/deploy/manual/deploy-ydb-on-premises.md @@ -6,66 +6,72 @@ ### Π’ΡΠ΅Π±ΠΎΠ²Π°Π½ΠΈΡ {#requirements} -Π£ Π²Π°Ρ Π΄ΠΎΠ»ΠΆΠ΅Π½ Π±ΡΡΡ ssh Π΄ΠΎΡΡΡΠΏ Π½Π° Π²ΡΠ΅ ΡΠ΅ΡΠ²Π΅ΡΠ°. ΠΡΠΎ Π½Π΅ΠΎΠ±Ρ
ΠΎΠ΄ΠΈΠΌΠΎ Π΄Π»Ρ ΡΡΡΠ°Π½ΠΎΠ²ΠΊΠΈ Π°ΡΡΠ΅ΡΠ°ΠΊΡΠΎΠ² ΠΈ Π·Π°ΠΏΡΡΠΊΠ° ΠΈΡΠΏΠΎΠ»Π½ΡΠ΅ΠΌΠΎΠ³ΠΎ ΡΠ°ΠΉΠ»Π° {{ ydb-short-name }}. Π‘Π΅ΡΠ΅Π²Π°Ρ ΠΊΠΎΠ½ΡΠΈΠ³ΡΡΠ°ΡΠΈΡ Π΄ΠΎΠ»ΠΆΠ½Π° ΡΠ°Π·ΡΠ΅ΡΠ°ΡΡ TCP ΡΠΎΠ΅Π΄ΠΈΠ½Π΅Π½ΠΈΡ ΠΏΠΎ ΡΠ»Π΅Π΄ΡΡΡΠΈΠΌ ΠΏΠΎΡΡΠ°ΠΌ (ΠΏΠΎ ΡΠΌΠΎΠ»ΡΠ°Π½ΠΈΡ): +ΠΠ·Π½Π°ΠΊΠΎΠΌΡΡΠ΅ΡΡ Ρ [ΡΠΈΡΡΠ΅ΠΌΠ½ΡΠΌΠΈ ΡΡΠ΅Π±ΠΎΠ²Π°Π½ΠΈΡΠΌΠΈ](../../cluster/system-requirements.md) ΠΈ [ΡΠΎΠΏΠΎΠ»ΠΎΠ³ΠΈΠ΅ΠΉ ΠΊΠ»Π°ΡΡΠ΅ΡΠ°](../../cluster/topology.md). -* 2135, 2136 - grpc Π΄Π»Ρ ΠΊΠ»ΠΈΠ΅Π½Ρ-ΠΊΠ»Π°ΡΡΠ΅ΡΠ½ΠΎΠ³ΠΎ Π²Π·Π°ΠΈΠΌΠΎΠ΄Π΅ΠΉΡΡΠ²ΠΈΡ; -* 19001, 19002 - Interconnect Π΄Π»Ρ Π²Π½ΡΡΡΠΈΠΊΠ»Π°ΡΡΠ΅ΡΠ½ΠΎΠ³ΠΎ Π²Π·Π°ΠΈΠΌΠΎΠ΄Π΅ΠΉΡΡΠ²ΠΈΡ Π½ΠΎΠ΄; -* 8765, 8766 - http ΠΈΠ½ΡΠ΅ΡΡΠ΅ΠΉΡ Π΄Π»Ρ ΠΌΠΎΠ½ΠΈΡΠΎΡΠΈΠ½Π³Π° ΠΊΠ»Π°ΡΡΠ΅ΡΠ°. +Π£ Π²Π°Ρ Π΄ΠΎΠ»ΠΆΠ΅Π½ Π±ΡΡΡ SSH Π΄ΠΎΡΡΡΠΏ Π½Π° Π²ΡΠ΅ ΡΠ΅ΡΠ²Π΅ΡΠ°. ΠΡΠΎ Π½Π΅ΠΎΠ±Ρ
ΠΎΠ΄ΠΈΠΌΠΎ Π΄Π»Ρ ΡΡΡΠ°Π½ΠΎΠ²ΠΊΠΈ Π°ΡΡΠ΅ΡΠ°ΠΊΡΠΎΠ² ΠΈ Π·Π°ΠΏΡΡΠΊΠ° ΠΈΡΠΏΠΎΠ»Π½ΡΠ΅ΠΌΠΎΠ³ΠΎ ΡΠ°ΠΉΠ»Π° {{ ydb-short-name }}. -ΠΠ·Π½Π°ΠΊΠΎΠΌΡΡΠ΅ΡΡ Ρ [ΡΠΈΡΡΠ΅ΠΌΠ½ΡΠΌΠΈ ΡΡΠ΅Π±ΠΎΠ²Π°Π½ΠΈΡΠΌΠΈ](../../cluster/system-requirements.md) ΠΈ [ΡΠΎΠΏΠΎΠ»ΠΎΠ³ΠΈΠ΅ΠΉ ΠΊΠ»Π°ΡΡΠ΅ΡΠ°](../../cluster/topology.md). +Π‘Π΅ΡΠ΅Π²Π°Ρ ΠΊΠΎΠ½ΡΠΈΠ³ΡΡΠ°ΡΠΈΡ Π΄ΠΎΠ»ΠΆΠ½Π° ΡΠ°Π·ΡΠ΅ΡΠ°ΡΡ TCP ΡΠΎΠ΅Π΄ΠΈΠ½Π΅Π½ΠΈΡ ΠΏΠΎ ΡΠ»Π΅Π΄ΡΡΡΠΈΠΌ ΠΏΠΎΡΡΠ°ΠΌ (ΠΏΠΎ ΡΠΌΠΎΠ»ΡΠ°Π½ΠΈΡ, ΠΌΠΎΠ³ΡΡ Π±ΡΡΡ ΠΈΠ·ΠΌΠ΅Π½Π΅Π½Ρ Π½Π°ΡΡΡΠΎΠΉΠΊΠ°ΠΌΠΈ): -ΠΡΠ±Π΅ΡΠΈΡΠ΅ ΡΠ΅ΡΠ²Π΅ΡΡ ΠΈ Π΄ΠΈΡΠΊΠΈ, ΠΊΠΎΡΠΎΡΡΠ΅ Π±ΡΠ΄ΡΡ ΠΈΡΠΏΠΎΠ»ΡΠ·ΠΎΠ²Π°ΡΡΡΡ Π΄Π»Ρ Ρ
ΡΠ°Π½Π΅Π½ΠΈΡ Π΄Π°Π½Π½ΡΡ
: +* 22: ΡΠ΅ΡΠ²ΠΈΡ SSH; +* 2135, 2136 - GRPC Π΄Π»Ρ ΠΊΠ»ΠΈΠ΅Π½Ρ-ΠΊΠ»Π°ΡΡΠ΅ΡΠ½ΠΎΠ³ΠΎ Π²Π·Π°ΠΈΠΌΠΎΠ΄Π΅ΠΉΡΡΠ²ΠΈΡ; +* 19001, 19002 - Interconnect Π΄Π»Ρ Π²Π½ΡΡΡΠΈΠΊΠ»Π°ΡΡΠ΅ΡΠ½ΠΎΠ³ΠΎ Π²Π·Π°ΠΈΠΌΠΎΠ΄Π΅ΠΉΡΡΠ²ΠΈΡ ΡΠ·Π»ΠΎΠ²; +* 8765, 8766 - HTTP ΠΈΠ½ΡΠ΅ΡΡΠ΅ΠΉΡ {{ ydb-short-name }} Embedded UI. -* ΠΡΠΏΠΎΠ»ΡΠ·ΡΠΉΡΠ΅ ΡΡ
Π΅ΠΌΡ ΠΎΡΠΊΠ°Π·ΠΎΡΡΡΠΎΠΉΡΠΈΠ²ΠΎΡΡΠΈ `block-4-2` Π΄Π»Ρ ΡΠ°Π·Π²Π΅ΡΡΡΠ²Π°Π½ΠΈΡ ΠΊΠ»Π°ΡΡΠ΅ΡΠ° Π² ΠΎΠ΄Π½ΠΎΠΉ Π·ΠΎΠ½Π΅ Π΄ΠΎΡΡΡΠΏΠ½ΠΎΡΡΠΈ (AZ). Π§ΡΠΎΠ±Ρ ΠΏΠ΅ΡΠ΅ΠΆΠΈΠ²Π°ΡΡ ΠΎΡΠΊΠ°Π· 2 Π½ΠΎΠ΄ ΠΈΡΠΏΠΎΠ»ΡΠ·ΡΠΉΡΠ΅ Π½Π΅ ΠΌΠ΅Π½Π΅Π΅ 8 Π½ΠΎΠ΄. -* ΠΡΠΏΠΎΠ»ΡΠ·ΡΠΉΡΠ΅ ΡΡ
Π΅ΠΌΡ ΠΎΡΠΊΠ°Π·ΠΎΡΡΡΠΎΠΉΡΠΈΠ²ΠΎΡΡΠΈ `mirror-3-dc` Π΄Π»Ρ ΡΠ°Π·Π²Π΅ΡΡΡΠ²Π°Π½ΠΈΡ ΠΊΠ»Π°ΡΡΠ΅ΡΠ° Π² ΡΡΠ΅Ρ
Π·ΠΎΠ½Π°Ρ
Π΄ΠΎΡΡΡΠΏΠ½ΠΎΡΡΠΈ (AZ). Π§ΡΠΎΠ±Ρ ΠΏΠ΅ΡΠ΅ΠΆΠΈΠ²Π°ΡΡ ΠΎΡΠΊΠ°Π· 1 AZ ΠΈ 1 Π½ΠΎΠ΄Ρ Π² Π΄ΡΡΠ³ΠΎΠΌ AZ ΠΈΡΠΏΠΎΠ»ΡΠ·ΡΠΉΡΠ΅ Π½Π΅ ΠΌΠ΅Π½Π΅Π΅ 9 Π½ΠΎΠ΄. ΠΠΎΠ»ΠΈΡΠ΅ΡΡΠ²ΠΎ Π½ΠΎΠ΄ Π² ΠΊΠ°ΠΆΠ΄ΠΎΠΉ AZ Π΄ΠΎΠ»ΠΆΠ½ΠΎ Π±ΡΡΡ ΠΎΠ΄ΠΈΠ½Π°ΠΊΠΎΠ²ΡΠΌ. +Π£Π±Π΅Π΄ΠΈΡΠ΅ΡΡ Π² ΡΠΎΠΌ, ΡΡΠΎ ΡΠΈΡΡΠ΅ΠΌΠ½ΡΠ΅ ΡΠ°ΡΡ Π½Π° Π²ΡΠ΅Ρ
ΡΠ΅ΡΠ²Π΅ΡΠ°Ρ
Π² ΡΠΎΡΡΠ°Π²Π΅ ΠΊΠ»Π°ΡΡΠ΅ΡΠ° ΡΠΈΠ½Ρ
ΡΠΎΠ½ΠΈΠ·ΠΈΡΠΎΠ²Π°Π½Ρ Ρ ΠΏΠΎΠΌΠΎΡΡΡ ΠΈΠ½ΡΡΡΡΠΌΠ΅Π½ΡΠΎΠ² `ntpd` ΠΈΠ»ΠΈ `chrony`. ΠΠ΅Π»Π°ΡΠ΅Π»ΡΠ½ΠΎ ΠΈΡΠΏΠΎΠ»ΡΠ·ΠΎΠ²Π°ΡΡ Π΅Π΄ΠΈΠ½ΡΠΉ ΠΈΡΡΠΎΡΠ½ΠΈΠΊ Π²ΡΠ΅ΠΌΠ΅Π½ΠΈ Π΄Π»Ρ Π²ΡΠ΅Ρ
ΡΠ΅ΡΠ²Π΅ΡΠΎΠ² ΠΊΠ»Π°ΡΡΠ΅ΡΠ°, ΡΡΠΎΠ±Ρ ΠΎΠ±Π΅ΡΠΏΠ΅ΡΠΈΡΡ ΠΎΠ΄ΠΈΠ½Π°ΠΊΠΎΠ²ΡΡ ΠΎΠ±ΡΠ°Π±ΠΎΡΠΊΡ ΡΠ΅ΠΊΡΠ½Π΄ ΠΊΠΎΠΎΡΠ΄ΠΈΠ½Π°ΡΠΈΠΈ (leap seconds). -ΠΠ°ΠΏΡΡΠΊΠ°ΠΉΡΠ΅ ΠΊΠ°ΠΆΠ΄ΡΡ ΡΡΠ°ΡΠΈΡΠ΅ΡΠΊΡΡ Π½ΠΎΠ΄Ρ Π½Π° ΠΎΡΠ΄Π΅Π»ΡΠ½ΠΎΠΌ ΡΠ΅ΡΠ²Π΅ΡΠ΅. +ΠΡΠ»ΠΈ ΠΏΡΠΈΠΌΠ΅Π½ΡΠ΅ΠΌΡΠΉ Π½Π° ΡΠ΅ΡΠ²Π΅ΡΠ°Ρ
ΠΊΠ»Π°ΡΡΠ΅ΡΠ° ΡΠΈΠΏ Linux ΠΈΡΠΏΠΎΠ»ΡΠ·ΡΠ΅Ρ `syslogd` Π΄Π»Ρ Π»ΠΎΠ³ΠΈΡΠΎΠ²Π°Π½ΠΈΡ, Π½Π΅ΠΎΠ±Ρ
ΠΎΠ΄ΠΈΠΌΠΎ Π½Π°ΡΡΡΠΎΠΈΡΡ ΡΠΎΡΠ°ΡΠΈΡ ΡΠ°ΠΉΠ»ΠΎΠ² Π»ΠΎΠ³Π° Ρ ΠΈΡΠΏΠΎΠ»ΡΠ·ΠΎΠ²Π°Π½ΠΈΠ΅ΠΌ ΠΈΠ½ΡΡΡΡΠΌΠ΅Π½ΡΠ° `logrotate` ΠΈΠ»ΠΈ Π΅Π³ΠΎ Π°Π½Π°Π»ΠΎΠ³ΠΎΠ². Π‘Π΅ΡΠ²ΠΈΡΡ {{ ydb-short-name }} ΠΌΠΎΠ³ΡΡ Π³Π΅Π½Π΅ΡΠΈΡΠΎΠ²Π°ΡΡ Π·Π½Π°ΡΠΈΡΠ΅Π»ΡΠ½ΡΠΉ ΠΎΠ±ΡΠ΅ΠΌ ΡΠΈΡΡΠ΅ΠΌΠ½ΡΡ
Π»ΠΎΠ³ΠΎΠ², Π² ΠΎΡΠΎΠ±Π΅Π½Π½ΠΎΡΡΠΈ ΠΏΡΠΈ ΠΏΠΎΠ²ΡΡΠ΅Π½ΠΈΠΈ ΡΡΠΎΠ²Π½Ρ Π»ΠΎΠ³ΠΈΡΠΎΠ²Π°Π½ΠΈΡ Π΄Π»Ρ Π΄ΠΈΠ°Π³Π½ΠΎΡΡΠΈΡΠ΅ΡΠΊΠΈΡ
ΡΠ΅Π»Π΅ΠΉ, ΠΏΠΎΡΡΠΎΠΌΡ Π²Π°ΠΆΠ½ΠΎ Π²ΠΊΠ»ΡΡΠΈΡΡ ΡΠΎΡΠ°ΡΠΈΡ ΡΠ°ΠΉΠ»ΠΎΠ² ΡΠΈΡΡΠ΅ΠΌΠ½ΠΎΠ³ΠΎ Π»ΠΎΠ³Π° Π΄Π»Ρ ΠΈΡΠΊΠ»ΡΡΠ΅Π½ΠΈΡ ΡΠΈΡΡΠ°ΡΠΈΠΉ ΠΏΠ΅ΡΠ΅ΠΏΠΎΠ»Π½Π΅Π½ΠΈΡ ΡΠ°ΠΉΠ»ΠΎΠ²ΠΎΠΉ ΡΠΈΡΡΠ΅ΠΌΡ `/var`. -ΠΠΎΠ΄ΡΠΎΠ±Π½Π΅Π΅ ΡΡΠ΅Π±ΠΎΠ²Π°Π½ΠΈΡ ΠΊ ΠΎΠ±ΠΎΡΡΠ΄ΠΎΠ²Π°Π½ΠΈΡ ΠΎΠΏΠΈΡΠ°Π½Ρ Π² ΡΠ°Π·Π΄Π΅Π»Π΅ [{#T}](../../cluster/system-requirements.md). +ΠΡΠ±Π΅ΡΠΈΡΠ΅ ΡΠ΅ΡΠ²Π΅ΡΡ ΠΈ Π΄ΠΈΡΠΊΠΈ, ΠΊΠΎΡΠΎΡΡΠ΅ Π±ΡΠ΄ΡΡ ΠΈΡΠΏΠΎΠ»ΡΠ·ΠΎΠ²Π°ΡΡΡΡ Π΄Π»Ρ Ρ
ΡΠ°Π½Π΅Π½ΠΈΡ Π΄Π°Π½Π½ΡΡ
: -## Π‘ΠΎΠ·Π΄Π°ΠΉΡΠ΅ ΡΠΈΡΡΠ΅ΠΌΠ½ΠΎΠ³ΠΎ ΠΏΠΎΠ»ΡΠ·ΠΎΠ²Π°ΡΠ΅Π»Ρ ΠΈ Π³ΡΡΠΏΠΏΡ, ΠΎΡ ΠΈΠΌΠ΅Π½ΠΈ ΠΊΠΎΡΠΎΡΠΎΠ³ΠΎ Π±ΡΠ΄Π΅Ρ ΡΠ°Π±ΠΎΡΠ°ΡΡ {{ ydb-short-name }} {#create-user} +* ΠΡΠΏΠΎΠ»ΡΠ·ΡΠΉΡΠ΅ ΡΡ
Π΅ΠΌΡ ΠΎΡΠΊΠ°Π·ΠΎΡΡΡΠΎΠΉΡΠΈΠ²ΠΎΡΡΠΈ `block-4-2` Π΄Π»Ρ ΡΠ°Π·Π²Π΅ΡΡΡΠ²Π°Π½ΠΈΡ ΠΊΠ»Π°ΡΡΠ΅ΡΠ° Π² ΠΎΠ΄Π½ΠΎΠΉ Π·ΠΎΠ½Π΅ Π΄ΠΎΡΡΡΠΏΠ½ΠΎΡΡΠΈ (AZ). Π§ΡΠΎΠ±Ρ ΠΏΠ΅ΡΠ΅ΠΆΠΈΠ²Π°ΡΡ ΠΎΡΠΊΠ°Π· 2 ΡΠ΅ΡΠ²Π΅ΡΠΎΠ², ΠΈΡΠΏΠΎΠ»ΡΠ·ΡΠΉΡΠ΅ Π½Π΅ ΠΌΠ΅Π½Π΅Π΅ 8 ΡΠ΅ΡΠ²Π΅ΡΠΎΠ². +* ΠΡΠΏΠΎΠ»ΡΠ·ΡΠΉΡΠ΅ ΡΡ
Π΅ΠΌΡ ΠΎΡΠΊΠ°Π·ΠΎΡΡΡΠΎΠΉΡΠΈΠ²ΠΎΡΡΠΈ `mirror-3-dc` Π΄Π»Ρ ΡΠ°Π·Π²Π΅ΡΡΡΠ²Π°Π½ΠΈΡ ΠΊΠ»Π°ΡΡΠ΅ΡΠ° Π² ΡΡΠ΅Ρ
Π·ΠΎΠ½Π°Ρ
Π΄ΠΎΡΡΡΠΏΠ½ΠΎΡΡΠΈ (AZ). Π§ΡΠΎΠ±Ρ ΠΏΠ΅ΡΠ΅ΠΆΠΈΠ²Π°ΡΡ ΠΎΡΠΊΠ°Π· 1 AZ ΠΈ 1 ΡΠ΅ΡΠ²Π΅ΡΠ° Π² Π΄ΡΡΠ³ΠΎΠΉ AZ, ΠΈΡΠΏΠΎΠ»ΡΠ·ΡΠΉΡΠ΅ Π½Π΅ ΠΌΠ΅Π½Π΅Π΅ 9 ΡΠ΅ΡΠ²Π΅ΡΠΎΠ². ΠΠΎΠ»ΠΈΡΠ΅ΡΡΠ²ΠΎ Π·Π°Π΄Π΅ΠΉΡΡΠ²ΠΎΠ²Π°Π½Π½ΡΡ
ΡΠ΅ΡΠ²Π΅ΡΠΎΠ² Π² ΠΊΠ°ΠΆΠ΄ΠΎΠΉ AZ Π΄ΠΎΠ»ΠΆΠ½ΠΎ Π±ΡΡΡ ΠΎΠ΄ΠΈΠ½Π°ΠΊΠΎΠ²ΡΠΌ. -ΠΠ° ΠΊΠ°ΠΆΠ΄ΠΎΠΌ ΡΠ΅ΡΠ²Π΅ΡΠ΅, Π³Π΄Π΅ Π±ΡΠ΄Π΅Ρ Π·Π°ΠΏΡΡΠ΅Π½ {{ ydb-short-name }} Π²ΡΠΏΠΎΠ»Π½ΠΈΡΠ΅: +{% note info %} -```bash -sudo groupadd ydb -sudo useradd ydb -g ydb -``` +ΠΠ°ΠΏΡΡΠΊΠ°ΠΉΡΠ΅ ΠΊΠ°ΠΆΠ΄ΡΠΉ ΡΡΠ°ΡΠΈΡΠ΅ΡΠΊΠΈΠΉ ΡΠ·Π΅Π» (ΡΠ·Π΅Π» Ρ
ΡΠ°Π½Π΅Π½ΠΈΡ Π΄Π°Π½Π½ΡΡ
) Π½Π° ΠΎΡΠ΄Π΅Π»ΡΠ½ΠΎΠΌ ΡΠ΅ΡΠ²Π΅ΡΠ΅. ΠΠΎΠ·ΠΌΠΎΠΆΠ½ΠΎ ΡΠΎΠ²ΠΌΠ΅ΡΠ΅Π½ΠΈΠ΅ ΡΡΠ°ΡΠΈΡΠ΅ΡΠΊΠΈΡ
ΠΈ Π΄ΠΈΠ½Π°ΠΌΠΈΡΠ΅ΡΠΊΠΈΡ
ΡΠ·Π»ΠΎΠ² Π½Π° ΠΎΠ΄Π½ΠΎΠΌ ΡΠ΅ΡΠ²Π΅ΡΠ΅, Π° ΡΠ°ΠΊΠΆΠ΅ ΡΠ°Π·ΠΌΠ΅ΡΠ΅Π½ΠΈΠ΅ Π½Π° ΠΎΠ΄Π½ΠΎΠΌ ΡΠ΅ΡΠ²Π΅ΡΠ΅ Π½Π΅ΡΠΊΠΎΠ»ΡΠΊΠΈΡ
Π΄ΠΈΠ½Π°ΠΌΠΈΡΠ΅ΡΠΊΠΈΡ
ΡΠ·Π»ΠΎΠ² ΠΏΡΠΈ Π½Π°Π»ΠΈΡΠΈΠΈ Π΄ΠΎΡΡΠ°ΡΠΎΡΠ½ΡΡ
Π²ΡΡΠΈΡΠ»ΠΈΡΠ΅Π»ΡΠ½ΡΡ
ΡΠ΅ΡΡΡΡΠΎΠ². -ΠΠ»Ρ ΡΠΎΠ³ΠΎ, ΡΡΠΎΠ±Ρ ΡΠ΅ΡΠ²ΠΈΡ {{ ydb-short-name }} ΠΈΠΌΠ΅Π» Π΄ΠΎΡΡΡΠΏ ΠΊ Π±Π»ΠΎΡΠ½ΡΠΌ Π΄ΠΈΡΠΊΠ°ΠΌ Π΄Π»Ρ ΡΠ°Π±ΠΎΡΡ, Π½Π΅ΠΎΠ±Ρ
ΠΎΠ΄ΠΈΠΌΠΎ Π΄ΠΎΠ±Π°Π²ΠΈΡΡ ΠΏΠΎΠ»ΡΠ·ΠΎΠ²Π°ΡΠ΅Π»Ρ, ΠΏΠΎΠ΄ ΠΊΠΎΡΠΎΡΡΠΌ Π±ΡΠ΄Π΅Ρ Π·Π°ΠΏΡΡΠ΅Π½ ΠΏΡΠΎΡΠ΅ΡΡ, Π² Π³ΡΡΠΏΠΏΡ `disk`: +{% endnote %} -```bash -sudo usermod -aG disk ydb -``` +ΠΠΎΠ΄ΡΠΎΠ±Π½Π΅Π΅ ΡΡΠ΅Π±ΠΎΠ²Π°Π½ΠΈΡ ΠΊ ΠΎΠ±ΠΎΡΡΠ΄ΠΎΠ²Π°Π½ΠΈΡ ΠΎΠΏΠΈΡΠ°Π½Ρ Π² ΡΠ°Π·Π΄Π΅Π»Π΅ [{#T}](../../cluster/system-requirements.md). -## ΠΠΎΠ΄Π³ΠΎΡΠΎΠ²ΡΡΠ΅ ΠΈ ΠΎΡΡΠΎΡΠΌΠ°ΡΠΈΡΡΠΉΡΠ΅ Π΄ΠΈΡΠΊΠΈ Π½Π° ΠΊΠ°ΠΆΠ΄ΠΎΠΌ ΡΠ΅ΡΠ²Π΅ΡΠ΅ {#prepare-disks} +### ΠΠΎΠ΄Π³ΠΎΡΠΎΠ²ΠΊΠ° ΠΊΠ»ΡΡΠ΅ΠΉ ΠΈ ΡΠ΅ΡΡΠΈΡΠΈΠΊΠ°ΡΠΎΠ² TLS {#tls-certificates} -{% note warning %} +ΠΠ°ΡΠΈΡΠ° ΡΡΠ°ΡΠΈΠΊΠ° ΠΈ ΠΏΡΠΎΠ²Π΅ΡΠΊΠ° ΠΏΠΎΠ΄Π»ΠΈΠ½Π½ΠΎΡΡΠΈ ΡΠ΅ΡΠ²Π΅ΡΠ½ΡΡ
ΡΠ·Π»ΠΎΠ² {{ ydb-short-name }} ΠΎΡΡΡΠ΅ΡΡΠ²Π»ΡΠ΅ΡΡΡ Ρ ΠΈΡΠΏΠΎΠ»ΡΠ·ΠΎΠ²Π°Π½ΠΈΠ΅ΠΌ ΠΏΡΠΎΡΠΎΠΊΠΎΠ»Π° TLS. ΠΠ΅ΡΠ΅Π΄ ΡΡΡΠ°Π½ΠΎΠ²ΠΊΠΎΠΉ ΠΊΠ»Π°ΡΡΠ΅ΡΠ° Π½Π΅ΠΎΠ±Ρ
ΠΎΠ΄ΠΈΠΌΠΎ ΡΠΏΠ»Π°Π½ΠΈΡΠΎΠ²Π°ΡΡ ΡΠΎΡΡΠ°Π² ΡΠ΅ΡΠ²Π΅ΡΠΎΠ², ΠΎΠΏΡΠ΅Π΄Π΅Π»ΠΈΡΡΡΡ ΡΠΎ ΡΡ
Π΅ΠΌΠΎΠΉ ΠΈΠΌΠ΅Π½ΠΎΠ²Π°Π½ΠΈΡ ΡΠ·Π»ΠΎΠ² ΠΈ ΠΊΠΎΠ½ΠΊΡΠ΅ΡΠ½ΡΠΌΠΈ ΠΈΠΌΠ΅Π½Π°ΠΌΠΈ, ΠΈ ΠΏΠΎΠ΄Π³ΠΎΡΠΎΠ²ΠΈΡΡ ΠΊΠ»ΡΡΠΈ ΠΈ ΡΠ΅ΡΡΠΈΡΠΈΠΊΠ°ΡΡ TLS. -ΠΡ Π½Π΅ ΡΠ΅ΠΊΠΎΠΌΠ΅Π½Π΄ΡΠ΅ΠΌ ΠΈΡΠΏΠΎΠ»ΡΠ·ΠΎΠ²Π°ΡΡ Π΄Π»Ρ Ρ
ΡΠ°Π½Π΅Π½ΠΈΡ Π΄Π°Π½Π½ΡΡ
Π΄ΠΈΡΠΊΠΈ, ΠΊΠΎΡΠΎΡΡΠ΅ ΠΈΡΠΏΠΎΠ»ΡΠ·ΡΡΡΡΡ Π΄ΡΡΠ³ΠΈΠΌΠΈ ΠΏΡΠΎΡΠ΅ΡΡΠ°ΠΌΠΈ (Π² ΡΠΎΠΌ ΡΠΈΡΠ»Π΅ ΠΎΠΏΠ΅ΡΠ°ΡΠΈΠΎΠ½Π½ΠΎΠΉ ΡΠΈΡΡΠ΅ΠΌΠΎΠΉ). +ΠΡ ΠΌΠΎΠΆΠ΅ΡΠ΅ ΠΈΡΠΏΠΎΠ»ΡΠ·ΠΎΠ²Π°ΡΡ ΡΡΡΠ΅ΡΡΠ²ΡΡΡΠΈΠ΅ ΠΈΠ»ΠΈ ΡΠ³Π΅Π½Π΅ΡΠΈΡΠΎΠ²Π°ΡΡ Π½ΠΎΠ²ΡΠ΅ ΡΠ΅ΡΡΠΈΡΠΈΠΊΠ°ΡΡ. Π‘Π»Π΅Π΄ΡΡΡΠΈΠ΅ ΡΠ°ΠΉΠ»Ρ ΠΊΠ»ΡΡΠ΅ΠΉ ΠΈ ΡΠ΅ΡΡΠΈΡΠΈΠΊΠ°ΡΠΎΠ² TLS Π΄ΠΎΠ»ΠΆΠ½Ρ Π±ΡΡΡ ΠΏΠΎΠ΄Π³ΠΎΡΠΎΠ²Π»Π΅Π½Ρ Π² ΡΠΎΡΠΌΠ°ΡΠ΅ PEM: +* `ca.crt` - ΡΠ΅ΡΡΠΈΡΠΈΠΊΠ°Ρ ΡΠ΅Π½ΡΡΠ° ΡΠ΅Π³ΠΈΡΡΡΠ°ΡΠΈΠΈ (Certification Authority, CA), ΠΊΠΎΡΠΎΡΡΠΌ ΠΏΠΎΠ΄ΠΏΠΈΡΠ°Π½Ρ ΠΎΡΡΠ°Π»ΡΠ½ΡΠ΅ ΡΠ΅ΡΡΠΈΡΠΈΠΊΠ°ΡΡ TLS (ΠΎΠ΄ΠΈΠ½Π°ΠΊΠΎΠ²ΡΠ΅ ΡΠ°ΠΉΠ»Ρ Π½Π° Π²ΡΠ΅Ρ
ΡΠ·Π»Π°Ρ
ΠΊΠ»Π°ΡΡΠ΅ΡΠ°); +* `node.key` - ΡΠ΅ΠΊΡΠ΅ΡΠ½ΡΠ΅ ΠΊΠ»ΡΡΠΈ TLS Π΄Π»Ρ ΠΊΠ°ΠΆΠ΄ΠΎΠ³ΠΎ ΠΈΠ· ΡΠ·Π»ΠΎΠ² ΠΊΠ»Π°ΡΡΠ΅ΡΠ° (ΡΠ²ΠΎΠΉ ΠΊΠ»ΡΡ Π½Π° ΠΊΠ°ΠΆΠ΄ΡΠΉ ΡΠ΅ΡΠ²Π΅Ρ ΠΊΠ»Π°ΡΡΠ΅ΡΠ°); +* `node.crt` - ΡΠ΅ΡΡΠΈΡΠΈΠΊΠ°ΡΡ TLS Π΄Π»Ρ ΠΊΠ°ΠΆΠ΄ΠΎΠ³ΠΎ ΠΈΠ· ΡΠ·Π»ΠΎΠ² ΠΊΠ»Π°ΡΡΠ΅ΡΠ° (ΡΠΎΠΎΡΠ²Π΅ΡΡΡΠ²ΡΡΡΠΈΠΉ ΠΊΠ»ΡΡΡ ΡΠ΅ΡΡΠΈΡΠΈΠΊΠ°Ρ); +* `web.pem` - ΠΊΠΎΠ½ΠΊΠ°ΡΠ΅Π½Π°ΡΠΈΡ ΡΠ΅ΠΊΡΠ΅ΡΠ½ΠΎΠ³ΠΎ ΠΊΠ»ΡΡΠ° ΡΠ·Π»Π°, ΡΠ΅ΡΡΠΈΡΠΈΠΊΠ°ΡΠ° ΡΠ·Π»Π° ΠΈ ΡΠ΅ΡΡΠΈΡΠΈΠΊΠ°ΡΠ° ΡΠ΅Π½ΡΡΠ° ΡΠ΅Π³ΠΈΡΡΡΠ°ΡΠΈΠΈ Π΄Π»Ρ ΡΠ°Π±ΠΎΡΡ HTTP ΠΈΠ½ΡΠ΅ΡΡΠ΅ΠΉΡΠ° ΠΌΠΎΠ½ΠΈΡΠΎΡΠΈΠ½Π³Π° (ΡΠ²ΠΎΠΉ ΡΠ°ΠΉΠ» Π½Π° ΠΊΠ°ΠΆΠ΄ΡΠΉ ΡΠ΅ΡΠ²Π΅Ρ ΠΊΠ»Π°ΡΡΠ΅ΡΠ°). -{% endnote %} +ΠΠ΅ΠΎΠ±Ρ
ΠΎΠ΄ΠΈΠΌΡΠ΅ ΠΏΠ°ΡΠ°ΠΌΠ΅ΡΡΡ ΡΠΎΡΠΌΠΈΡΠΎΠ²Π°Π½ΠΈΡ ΡΠ΅ΡΡΠΈΡΠΈΠΊΠ°ΡΠΎΠ² ΠΎΠΏΡΠ΅Π΄Π΅Π»ΡΡΡΡΡ ΠΏΠΎΠ»ΠΈΡΠΈΠΊΠΎΠΉ ΠΎΡΠ³Π°Π½ΠΈΠ·Π°ΡΠΈΠΈ. ΠΠ±ΡΡΠ½ΠΎ ΡΠ΅ΡΡΠΈΡΠΈΠΊΠ°ΡΡ ΠΈ ΠΊΠ»ΡΡΠΈ Π΄Π»Ρ {{ ydb-short-name }} ΡΠΎΡΠΌΠΈΡΡΡΡΡΡ ΡΠΎ ΡΠ»Π΅Π΄ΡΡΡΠΈΠΌΠΈ ΠΏΠ°ΡΠ°ΠΌΠ΅ΡΡΠ°ΠΌΠΈ: +* ΠΊΠ»ΡΡΠΈ RSA Π΄Π»ΠΈΠ½ΠΎΡ 2048 ΠΈΠ»ΠΈ 4096 Π±ΠΈΡ; +* Π°Π»Π³ΠΎΡΠΈΡΠΌ ΠΏΠΎΠ΄ΠΏΠΈΡΠΈ ΡΠ΅ΡΡΠΈΡΠΈΠΊΠ°ΡΠΎΠ² SHA-256 Ρ ΡΠΈΡΡΠΎΠ²Π°Π½ΠΈΠ΅ΠΌ RSA; +* ΡΡΠΎΠΊ Π΄Π΅ΠΉΡΡΠ²ΠΈΡ ΡΠ΅ΡΡΠΈΡΠΈΠΊΠ°ΡΠΎΠ² ΡΠ·Π»ΠΎΠ² Π½Π΅ ΠΌΠ΅Π½Π΅Π΅ 1 Π³ΠΎΠ΄Π°; +* ΡΡΠΎΠΊ Π΄Π΅ΠΉΡΡΠ²ΠΈΡ ΡΠ΅ΡΡΠΈΡΠΈΠΊΠ°ΡΠ° ΡΠ΅Π½ΡΡΠ° ΡΠ΅Π³ΠΈΡΡΡΠ°ΡΠΈΠΈ Π½Π΅ ΠΌΠ΅Π½Π΅Π΅ 3 Π»Π΅Ρ. -{% include [_includes/storage-device-requirements.md](../../_includes/storage-device-requirements.md) %} +ΠΠ΅ΠΎΠ±Ρ
ΠΎΠ΄ΠΈΠΌΠΎ, ΡΡΠΎΠ±Ρ ΡΠ΅ΡΡΠΈΡΠΈΠΊΠ°Ρ ΡΠ΅Π½ΡΡΠ° ΡΠ΅Π³ΠΈΡΡΡΠ°ΡΠΈΠΈ Π±ΡΠ» ΠΏΠΎΠΌΠ΅ΡΠ΅Π½ ΡΠΎΠΎΡΠ²Π΅ΡΡΡΠ²ΡΡΡΠΈΠΌ ΠΎΠ±ΡΠ°Π·ΠΎΠΌ: Π΄ΠΎΠ»ΠΆΠ΅Π½ Π±ΡΡΡ ΡΡΡΠ°Π½ΠΎΠ²Π»Π΅Π½ ΠΏΡΠΈΠ·Π½Π°ΠΊ CA, Π° ΡΠ°ΠΊΠΆΠ΅ Π²ΠΊΠ»ΡΡΠ΅Π½Ρ Π²ΠΈΠ΄Ρ ΠΈΡΠΏΠΎΠ»ΡΠ·ΠΎΠ²Π°Π½ΠΈΡ "Digital Signature, Non Repudiation, Key Encipherment, Certificate Sign". -1. Π‘ΠΎΠ·Π΄Π°ΠΉΡΠ΅ ΡΠ°Π·Π΄Π΅Π» Π½Π° Π²ΡΠ±ΡΠ°Π½Π½ΠΎΠΌ Π΄ΠΈΡΠΊΠ΅: +ΠΠ»Ρ ΡΠ΅ΡΡΠΈΡΠΈΠΊΠ°ΡΠΎΠ² ΡΠ·Π»ΠΎΠ² Π²Π°ΠΆΠ½ΠΎ ΡΠΎΠΎΡΠ²Π΅ΡΡΡΠ²ΠΈΠ΅ ΡΠ°ΠΊΡΠΈΡΠ΅ΡΠΊΠΎΠ³ΠΎ ΠΈΠΌΠ΅Π½ΠΈ Ρ
ΠΎΡΡΠ° (ΠΈΠ»ΠΈ ΠΈΠΌΡΠ½ Ρ
ΠΎΡΡΠΎΠ²) Π·Π½Π°ΡΠ΅Π½ΠΈΡΠΌ, ΡΠΊΠ°Π·Π°Π½Π½ΡΠΌ Π² ΠΏΠΎΠ»Π΅ "Subject Alternative Name". ΠΠ»Ρ ΡΠ΅ΡΡΠΈΡΠΈΠΊΠ°ΡΠΎΠ² Π΄ΠΎΠ»ΠΆΠ½Ρ Π±ΡΡΡ Π²ΠΊΠ»ΡΡΠ΅Π½Ρ Π²ΠΈΠ΄Ρ ΠΈΡΠΏΠΎΠ»ΡΠ·ΠΎΠ²Π°Π½ΠΈΡ "Digital Signature, Key Encipherment" ΠΈ ΡΠ°ΡΡΠΈΡΠ΅Π½Π½ΡΠ΅ Π²ΠΈΠ΄Ρ ΠΈΡΠΏΠΎΠ»ΡΠ·ΠΎΠ²Π°Π½ΠΈΡ "TLS Web Server Authentication, TLS Web Client Authentication". ΠΠ΅ΠΎΠ±Ρ
ΠΎΠ΄ΠΈΠΌΠΎ, ΡΡΠΎΠ±Ρ ΡΠ΅ΡΡΠΈΡΠΈΠΊΠ°ΡΡ ΡΠ·Π»ΠΎΠ² ΠΏΠΎΠ΄Π΄Π΅ΡΠΆΠΈΠ²Π°Π»ΠΈ ΠΊΠ°ΠΊ ΡΠ΅ΡΠ²Π΅ΡΠ½ΡΡ, ΡΠ°ΠΊ ΠΈ ΠΊΠ»ΠΈΠ΅Π½ΡΡΠΊΡΡ Π°ΡΡΠ΅Π½ΡΠΈΡΠΈΠΊΠ°ΡΠΈΡ (ΠΎΠΏΡΠΈΡ `extendedKeyUsage = serverAuth,clientAuth` Π² Π½Π°ΡΡΡΠΎΠΉΠΊΠ°Ρ
OpenSSL). - {% note alert %} +ΠΠ»Ρ ΠΏΠ°ΠΊΠ΅ΡΠ½ΠΎΠΉ Π³Π΅Π½Π΅ΡΠ°ΡΠΈΠΈ ΠΈΠ»ΠΈ ΠΎΠ±Π½ΠΎΠ²Π»Π΅Π½ΠΈΡ ΡΠ΅ΡΡΠΈΡΠΈΠΊΠ°ΡΠΎΠ² ΠΊΠ»Π°ΡΡΠ΅ΡΠ° {{ ydb-short-name }} Ρ ΠΏΠΎΠΌΠΎΡΡΡ ΠΏΡΠΎΠ³ΡΠ°ΠΌΠΌΠ½ΠΎΠ³ΠΎ ΠΎΠ±Π΅ΡΠΏΠ΅ΡΠ΅Π½ΠΈΡ OpenSSL ΠΌΠΎΠΆΠ½ΠΎ Π²ΠΎΡΠΏΠΎΠ»ΡΠ·ΠΎΠ²Π°ΡΡΡΡ [ΠΏΡΠΈΠΌΠ΅ΡΠΎΠΌ ΡΠΊΡΠΈΠΏΡΠ°](https://github.com/ydb-platform/ydb/blob/main/ydb/deploy/tls_cert_gen/), ΡΠ°Π·ΠΌΠ΅ΡΡΠ½Π½ΡΠΌ Π² ΡΠ΅ΠΏΠΎΠ·ΠΈΡΠΎΡΠΈΠΈ {{ ydb-short-name }} Π½Π° Github. Π‘ΠΊΡΠΈΠΏΡ ΠΏΠΎΠ·Π²ΠΎΠ»ΡΠ΅Ρ Π°Π²ΡΠΎΠΌΠ°ΡΠΈΡΠ΅ΡΠΊΠΈ ΡΡΠΎΡΠΌΠΈΡΠΎΠ²Π°ΡΡ Π½Π΅ΠΎΠ±Ρ
ΠΎΠ΄ΠΈΠΌΡΠ΅ ΡΠ°ΠΉΠ»Ρ ΠΊΠ»ΡΡΠ΅ΠΉ ΠΈ ΡΠ΅ΡΡΠΈΡΠΈΠΊΠ°ΡΠΎΠ² Π΄Π»Ρ Π²ΡΠ΅Π³ΠΎ Π½Π°Π±ΠΎΡΠ° ΡΠ·Π»ΠΎΠ² ΠΊΠ»Π°ΡΡΠ΅ΡΠ° Π·Π° ΠΎΠ΄Π½Ρ ΠΎΠΏΠ΅ΡΠ°ΡΠΈΡ, ΠΎΠ±Π»Π΅Π³ΡΠ°Ρ ΠΏΠΎΠ΄Π³ΠΎΡΠΎΠ²ΠΊΡ ΠΊ ΡΡΡΠ°Π½ΠΎΠ²ΠΊΠ΅. - Π‘Π»Π΅Π΄ΡΡΡΠ°Ρ ΠΎΠΏΠ΅ΡΠ°ΡΠΈΡ ΡΠ΄Π°Π»ΠΈΡ Π²ΡΠ΅ ΡΠ°Π·Π΄Π΅Π»Ρ Π½Π° ΡΠΊΠ°Π·Π°Π½Π½ΡΡ
Π΄ΠΈΡΠΊΠ°Ρ
! Π£Π±Π΅Π΄ΠΈΡΠ΅ΡΡ, ΡΡΠΎ Π²Ρ ΡΠΊΠ°Π·Π°Π»ΠΈ Π΄ΠΈΡΠΊΠΈ, Π½Π° ΠΊΠΎΡΠΎΡΡΡ
Π½Π΅Ρ Π΄ΡΡΠ³ΠΈΡ
Π΄Π°Π½Π½ΡΡ
! +## Π‘ΠΎΠ·Π΄Π°ΠΉΡΠ΅ ΡΠΈΡΡΠ΅ΠΌΠ½ΠΎΠ³ΠΎ ΠΏΠΎΠ»ΡΠ·ΠΎΠ²Π°ΡΠ΅Π»Ρ ΠΈ Π³ΡΡΠΏΠΏΡ, ΠΎΡ ΠΈΠΌΠ΅Π½ΠΈ ΠΊΠΎΡΠΎΡΡΡ
Π±ΡΠ΄Π΅Ρ ΡΠ°Π±ΠΎΡΠ°ΡΡ {{ ydb-short-name }} {#create-user} - {% endnote %} +ΠΠ° ΠΊΠ°ΠΆΠ΄ΠΎΠΌ ΡΠ΅ΡΠ²Π΅ΡΠ΅, Π³Π΄Π΅ Π±ΡΠ΄Π΅Ρ Π·Π°ΠΏΡΡΠ΅Π½ {{ ydb-short-name }}, Π²ΡΠΏΠΎΠ»Π½ΠΈΡΠ΅: - ```bash - sudo parted /dev/nvme0n1 mklabel gpt -s - sudo parted -a optimal /dev/nvme0n1 mkpart primary 0% 100% - sudo parted /dev/nvme0n1 name 1 ydb_disk_ssd_01 - sudo partx --u /dev/nvme0n1 - ``` +```bash +sudo groupadd ydb +sudo useradd ydb -g ydb +``` + +ΠΠ»Ρ ΡΠΎΠ³ΠΎ, ΡΡΠΎΠ±Ρ ΡΠ΅ΡΠ²ΠΈΡ {{ ydb-short-name }} ΠΈΠΌΠ΅Π» Π΄ΠΎΡΡΡΠΏ ΠΊ Π±Π»ΠΎΡΠ½ΡΠΌ Π΄ΠΈΡΠΊΠ°ΠΌ Π΄Π»Ρ ΡΠ°Π±ΠΎΡΡ, Π½Π΅ΠΎΠ±Ρ
ΠΎΠ΄ΠΈΠΌΠΎ Π΄ΠΎΠ±Π°Π²ΠΈΡΡ ΠΏΠΎΠ»ΡΠ·ΠΎΠ²Π°ΡΠ΅Π»Ρ, ΠΏΠΎΠ΄ ΠΊΠΎΡΠΎΡΡΠΌ Π±ΡΠ΄ΡΡ Π·Π°ΠΏΡΡΠ΅Π½Ρ ΠΏΡΠΎΡΠ΅ΡΡΡ {{ ydb-short-name }}, Π² Π³ΡΡΠΏΠΏΡ `disk`: - ΠΠΎΡΠ»Π΅ Π²ΡΠΏΠΎΠ»Π½Π΅Π½ΠΈΡ Π² ΡΠΈΡΡΠ΅ΠΌΠ΅ ΠΏΠΎΡΠ²ΠΈΡΡΡ Π΄ΠΈΡΠΊ Ρ Π»Π΅ΠΉΠ±Π»ΠΎΠΌ `/dev/disk/by-partlabel/ydb_disk_ssd_01`. +```bash +sudo usermod -aG disk ydb +``` - ΠΡΠ»ΠΈ Π²Ρ ΠΏΠ»Π°Π½ΠΈΡΡΠ΅ΡΠ΅ ΠΈΡΠΏΠΎΠ»ΡΠ·ΠΎΠ²Π°ΡΡ Π±ΠΎΠ»Π΅Π΅ ΠΎΠ΄Π½ΠΎΠ³ΠΎ Π΄ΠΈΡΠΊΠ° Π½Π° ΠΊΠ°ΠΆΠ΄ΠΎΠΌ ΡΠ΅ΡΠ²Π΅ΡΠ΅, ΡΠΊΠ°ΠΆΠΈΡΠ΅ Π΄Π»Ρ ΠΊΠ°ΠΆΠ΄ΠΎΠ³ΠΎ ΡΠ²ΠΎΠΉ ΡΠ½ΠΈΠΊΠ°Π»ΡΠ½ΡΠΉ Π»Π΅ΠΉΠ±Π» Π²ΠΌΠ΅ΡΡΠΎ `ydb_disk_ssd_01`. ΠΡΠΈ Π΄ΠΈΡΠΊΠΈ Π½Π΅ΠΎΠ±Ρ
ΠΎΠ΄ΠΈΠΌΠΎ Π±ΡΠ΄Π΅Ρ ΠΈΡΠΏΠΎΠ»ΡΠ·ΠΎΠ²Π°ΡΡ Π² ΠΊΠΎΠ½ΡΠΈΠ³ΡΡΠ°ΡΠΈΠΎΠ½Π½ΡΡ
ΡΠ°ΠΉΠ»Π°Ρ
Π΄Π°Π»Π΅Π΅. +## Π£ΡΡΠ°Π½ΠΎΠ²ΠΈΡΠ΅ ΠΏΡΠΎΠ³ΡΠ°ΠΌΠΌΠ½ΠΎΠ΅ ΠΎΠ±Π΅ΡΠΏΠ΅ΡΠ΅Π½ΠΈΠ΅ {{ ydb-short-name }} Π½Π° ΠΊΠ°ΠΆΠ΄ΠΎΠΌ ΡΠ΅ΡΠ²Π΅ΡΠ΅ {#install-binaries} 1. Π‘ΠΊΠ°ΡΠ°ΠΉΡΠ΅ ΠΈ ΡΠ°ΡΠΏΠ°ΠΊΡΠΉΡΠ΅ Π°ΡΡ
ΠΈΠ² Ρ ΠΈΡΠΏΠΎΠ»Π½ΡΠ΅ΠΌΡΠΌ ΡΠ°ΠΉΠ»ΠΎΠΌ `ydbd` ΠΈ Π½Π΅ΠΎΠ±Ρ
ΠΎΠ΄ΠΈΠΌΡΠΌΠΈ Π΄Π»Ρ ΡΠ°Π±ΠΎΡΡ {{ ydb-short-name }} Π±ΠΈΠ±Π»ΠΈΠΎΡΠ΅ΠΊΠ°ΠΌΠΈ: @@ -74,11 +80,10 @@ sudo usermod -aG disk ydb curl -L https://binaries.ydb.tech/ydbd-stable-linux-amd64.tar.gz | tar -xz --strip-component=1 -C ydbd-stable-linux-amd64 ``` -1. Π‘ΠΎΠ·Π΄Π°ΠΉΡΠ΅ Π΄ΠΈΡΠ΅ΠΊΡΠΎΡΠΈΠΈ Π΄Π»Ρ Π·Π°ΠΏΡΡΠΊΠ°: +1. Π‘ΠΎΠ·Π΄Π°ΠΉΡΠ΅ Π΄ΠΈΡΠ΅ΠΊΡΠΎΡΠΈΠΈ Π΄Π»Ρ ΡΠ°Π·ΠΌΠ΅ΡΠ΅Π½ΠΈΡ ΠΏΡΠΎΠ³ΡΠ°ΠΌΠΌΠ½ΠΎΠ³ΠΎ ΠΎΠ±Π΅ΡΠΏΠ΅ΡΠ΅Π½ΠΈΡ {{ ydb-short-name }}: ```bash sudo mkdir -p /opt/ydb /opt/ydb/cfg - sudo chown -R ydb:ydb /opt/ydb ``` 1. Π‘ΠΊΠΎΠΏΠΈΡΡΠΉΡΠ΅ ΠΈΡΠΏΠΎΠ»Π½ΡΠ΅ΠΌΡΠΉ ΡΠ°ΠΉΠ» ΠΈ Π±ΠΈΠ±Π»ΠΈΠΎΡΠ΅ΠΊΠΈ Π² ΡΠΎΠΎΡΠ²Π΅ΡΡΡΠ²ΡΡΡΠΈΠ΅ Π΄ΠΈΡΠ΅ΠΊΡΠΎΡΠΈΠΈ: @@ -88,203 +93,104 @@ sudo usermod -aG disk ydb sudo cp -iR ydbd-stable-linux-amd64/lib /opt/ydb/ ``` -1. ΠΡΡΠΎΡΠΌΠ°ΡΠΈΡΡΠΉΡΠ΅ Π΄ΠΈΡΠΊ Π²ΡΡΡΠΎΠ΅Π½Π½ΠΎΠΉ ΠΊΠΎΠΌΠ°Π½Π΄ΠΎΠΉ: +1. Π£ΡΡΠ°Π½ΠΎΠ²ΠΈΡΠ΅ Π²Π»Π°Π΄Π΅Π»ΡΡΠ° ΡΠ°ΠΉΠ»ΠΎΠ² ΠΈ ΠΊΠ°ΡΠ°Π»ΠΎΠ³ΠΎΠ²: ```bash - sudo LD_LIBRARY_PATH=/opt/ydb/lib /opt/ydb/bin/ydbd admin bs disk obliterate /dev/disk/by-partlabel/ydb_disk_ssd_01 + sudo chown -R root:bin /opt/ydb ``` - ΠΡΠΎΠ΄Π΅Π»Π°ΠΉΡΠ΅ Π΄Π°Π½Π½ΡΡ ΠΎΠΏΠ΅ΡΠ°ΡΠΈΡ Π΄Π»Ρ ΠΊΠ°ΠΆΠ΄ΠΎΠ³ΠΎ Π΄ΠΈΡΠΊΠ°, ΠΊΠΎΡΠΎΡΡΠΉ Π±ΡΠ΄Π΅Ρ ΠΈΡΠΏΠΎΠ»ΡΠ·ΠΎΠ²Π°ΡΡΡΡ Π΄Π»Ρ Ρ
ΡΠ°Π½Π΅Π½ΠΈΡ Π΄Π°Π½Π½ΡΡ
. - -## ΠΠΎΠ΄Π³ΠΎΡΠΎΠ²ΡΡΠ΅ ΠΊΠΎΠ½ΡΠΈΠ³ΡΡΠ°ΡΠΈΠΎΠ½Π½ΡΠ΅ ΡΠ°ΠΉΠ»Ρ {#config} - -{% list tabs %} - -- ΠΠ΅Π·Π°ΡΠΈΡΠ΅Π½Π½ΡΠΉ ΡΠ΅ΠΆΠΈΠΌ - - Π Π½Π΅Π·Π°ΡΠΈΡΠ΅Π½Π½ΠΎΠΌ ΡΠ΅ΠΆΠΈΠΌΠ΅ ΡΡΠ°ΡΠΈΠΊ ΠΌΠ΅ΠΆΠ΄Ρ Π½ΠΎΠ΄Π°ΠΌΠΈ ΠΊΠ»Π°ΡΡΠ΅ΡΠ°, Π° ΡΠ°ΠΊΠΆΠ΅ ΠΌΠ΅ΠΆΠ΄Ρ ΠΊΠ»ΠΈΠ΅Π½ΡΠΎΠΌ ΠΈ ΠΊΠ»Π°ΡΡΠ΅ΡΠΎΠΌ ΠΈΡΠΏΠΎΠ»ΡΠ·ΡΠ΅Ρ Π½Π΅ΡΠΈΡΡΠΎΠ²Π°Π½Π½ΠΎΠ΅ ΡΠΎΠ΅Π΄ΠΈΠ½Π΅Π½ΠΈΠ΅. ΠΡΠΏΠΎΠ»ΡΠ·ΡΠΉΡΠ΅ Π΄Π°Π½Π½ΡΠΉ ΡΠ΅ΠΆΠΈΠΌ Π΄Π»Ρ ΡΠ΅ΡΡΠΎΠ²ΡΡ
Π·Π°Π΄Π°Ρ. - - {% include [prepare-configs.md](_includes/prepare-configs.md) %} - -- ΠΠ°ΡΠΈΡΠ΅Π½Π½ΡΠΉ ΡΠ΅ΠΆΠΈΠΌ - - Π Π·Π°ΡΠΈΡΠ΅Π½Π½ΠΎΠΌ ΡΠ΅ΠΆΠΈΠΌΠ΅ ΡΡΠ°ΡΠΈΠΊ ΠΌΠ΅ΠΆΠ΄Ρ Π½ΠΎΠ΄Π°ΠΌΠΈ ΠΊΠ»Π°ΡΡΠ΅ΡΠ°, Π° ΡΠ°ΠΊΠΆΠ΅ ΠΌΠ΅ΠΆΠ΄Ρ ΠΊΠ»ΠΈΠ΅Π½ΡΠΎΠΌ ΠΈ ΠΊΠ»Π°ΡΡΠ΅ΡΠΎΠΌ ΡΠΈΡΡΡΠ΅ΡΡΡ ΠΏΡΠΎΡΠΎΠΊΠΎΠ»ΠΎΠΌ TLS. - - {% note info %} - - ΠΡ ΠΌΠΎΠΆΠ΅ΡΠ΅ ΠΈΡΠΏΠΎΠ»ΡΠ·ΠΎΠ²Π°ΡΡ ΡΡΡΠ΅ΡΡΠ²ΡΡΡΠΈΠ΅ TLS ΡΠ΅ΡΡΠΈΡΠΈΠΊΠ°ΡΡ. ΠΠ°ΠΆΠ½ΠΎ, ΡΡΠΎΠ±Ρ ΡΠ΅ΡΡΠΈΡΠΈΠΊΠ°ΡΡ ΠΏΠΎΠ΄Π΄Π΅ΡΠΆΠΈΠ²Π°Π»ΠΈ ΠΊΠ°ΠΊ ΡΠ΅ΡΠ²Π΅ΡΠ½ΡΡ, ΡΠ°ΠΊ ΠΈ ΠΊΠ»ΠΈΠ΅Π½ΡΡΠΊΡΡ Π°ΡΡΠ΅Π½ΡΠΈΡΠΈΠΊΠ°ΡΠΈΡ (`extendedKeyUsage = serverAuth,clientAuth`) - - {% endnote %} - - 1. Π‘ΠΎΠ·Π΄Π°ΠΉΡΠ΅ ΠΊΠ»ΡΡ ΠΈ ΡΠ΅ΡΡΠΈΡΠΈΠΊΠ°Ρ Π΄Π»Ρ ΡΠ΅Π½ΡΡΠ° ΡΠ΅ΡΡΠΈΡΠΈΠΊΠ°ΡΠΈΠΈ (CA): - - 1. Π‘ΠΎΠ·Π΄Π°ΠΉΡΠ΅ Π΄ΠΈΡΠ΅ΠΊΡΠΎΡΠΈΠΈ `secure`, Π² ΠΊΠΎΡΠΎΡΠΎΠΉ Π±ΡΠ΄Π΅Ρ Ρ
ΡΠ°Π½ΠΈΡΡΡΡ ΠΊΠ»ΡΡ CA, ΠΈ `certs` Π΄Π»Ρ ΡΠ΅ΡΡΠΈΡΠΈΠΊΠ°ΡΠΎΠ² ΠΈ ΠΊΠ»ΡΡΠ΅ΠΉ Π½ΠΎΠ΄: - - ```bash - mkdir secure - mkdir certs - ``` - - 1. Π‘ΠΎΠ·Π΄Π°ΠΉΡΠ΅ ΠΊΠΎΠ½ΡΠΈΠ³ΡΡΠ°ΡΠΈΠΎΠ½Π½ΡΠΉ ΡΠ°ΠΉΠ» `ca.cnf` ΡΠΎ ΡΠ»Π΅Π΄ΡΡΡΠΈΠΌ ΡΠΎΠ΄Π΅ΡΠΆΠΈΠΌΡΠΌ: - - ```text - [ ca ] - default_ca = CA_default - - [ CA_default ] - default_days = 365 - database = index.txt - serial = serial.txt - default_md = sha256 - copy_extensions = copy - unique_subject = no - - [ req ] - prompt=no - distinguished_name = distinguished_name - x509_extensions = extensions - - [ distinguished_name ] - organizationName = YDB - commonName = YDB CA - - [ extensions ] - keyUsage = critical,digitalSignature,nonRepudiation,keyEncipherment,keyCertSign - basicConstraints = critical,CA:true,pathlen:1 - - [ signing_policy ] - organizationName = supplied - commonName = optional - - [ signing_node_req ] - keyUsage = critical,digitalSignature,keyEncipherment - extendedKeyUsage = serverAuth,clientAuth - - # Used to sign client certificates. - [ signing_client_req ] - keyUsage = critical,digitalSignature,keyEncipherment - extendedKeyUsage = clientAuth - ``` - - 1. Π‘ΠΎΠ·Π΄Π°ΠΉΡΠ΅ CA ΠΊΠ»ΡΡ: - - ```bash - openssl genrsa -out secure/ca.key 2048 - ``` - - Π‘ΠΎΡ
ΡΠ°Π½ΠΈΡΠ΅ ΡΡΠΎΡ ΠΊΠ»ΡΡ ΠΎΡΠ΄Π΅Π»ΡΠ½ΠΎ, ΠΎΠ½ Π½Π΅ΠΎΠ±Ρ
ΠΎΠ΄ΠΈΠΌ Π΄Π»Ρ Π²ΡΠΏΠΈΡΡΠ²Π°Π½ΠΈΡ ΡΠ΅ΡΡΠΈΡΠΈΠΊΠ°ΡΠΎΠ². ΠΡΠΈ Π΅Π³ΠΎ ΡΡΠ΅ΡΠ΅ Π²Π°ΠΌ Π½Π΅ΠΎΠ±Ρ
ΠΎΠ΄ΠΈΠΌΠΎ Π±ΡΠ΄Π΅Ρ ΠΏΠ΅ΡΠ΅Π²ΡΠΏΡΡΡΠΈΡΡ Π²ΡΠ΅ ΡΠ΅ΡΡΠΈΡΠΈΠΊΠ°ΡΡ. - - 1. Π‘ΠΎΠ·Π΄Π°ΠΉΡΠ΅ ΡΠ°ΡΡΠ½ΡΠΉ Certificate Authority (CA) ΡΠ΅ΡΡΠΈΡΠΈΠΊΠ°Ρ: - - ```bash - openssl req -new -x509 -config ca.cnf -key secure/ca.key -out certs/ca.crt -days 1830 -batch - ``` - - 1. Π‘ΠΎΠ·Π΄Π°ΠΉΡΠ΅ ΡΠ΅ΠΊΡΡΠΎΠ²ΡΡ Π±Π°Π·Ρ Π΄Π°Π½Π½ΡΡ
ΠΈ ΡΠ°ΠΉΠ» ΠΈΠ½Π΄Π΅ΠΊΡΠ° ΡΠ΅ΡΡΠΈΡΠΈΠΊΠ°ΡΠΎΠ² OpenSSL: - - ```bash - touch index.txt - echo 01 >serial.txt - ``` - - 1. Π‘ΠΎΠ·Π΄Π°ΠΉΡΠ΅ ΠΊΠ»ΡΡΠΈ ΠΈ ΡΠ΅ΡΡΠΈΡΠΈΠΊΠ°ΡΡ Π΄Π»Ρ Π½ΠΎΠ΄ ΠΊΠ»Π°ΡΡΠ΅ΡΠ°: - - 1. Π‘ΠΎΠ·Π΄Π°ΠΉΡΠ΅ ΠΊΠΎΠ½ΡΠΈΠ³ΡΡΠ°ΡΠΈΠΎΠ½Π½ΡΠΉ ΡΠ°ΠΉΠ» `node.cnf` ΡΠΎ ΡΠ»Π΅Π΄ΡΡΡΠΈΠΌ ΡΠΎΠ΄Π΅ΡΠΆΠΈΠΌΡΠΌ: - - ```text - # OpenSSL node configuration file - [ req ] - prompt = no - distinguished_name = distinguished_name - req_extensions = extensions - - [ distinguished_name ] - organizationName = YDB - - [ extensions ] - subjectAltName = DNS:<node>.<domain> - ``` +## ΠΠΎΠ΄Π³ΠΎΡΠΎΠ²ΡΡΠ΅ ΠΈ ΠΎΡΡΠΎΡΠΌΠ°ΡΠΈΡΡΠΉΡΠ΅ Π΄ΠΈΡΠΊΠΈ Π½Π° ΠΊΠ°ΠΆΠ΄ΠΎΠΌ ΡΠ΅ΡΠ²Π΅ΡΠ΅ {#prepare-disks} - 1. Π‘ΠΎΠ·Π΄Π°ΠΉΡΠ΅ ΠΊΠ»ΡΡ ΡΠ΅ΡΡΠΈΡΠΈΠΊΠ°ΡΠ°: +{% include [_includes/storage-device-requirements.md](../../_includes/storage-device-requirements.md) %} - ```bash - openssl genrsa -out certs/node.key 2048 - ``` +1. Π‘ΠΎΠ·Π΄Π°ΠΉΡΠ΅ ΡΠ°Π·Π΄Π΅Π»Ρ Π½Π° Π²ΡΠ±ΡΠ°Π½Π½ΡΡ
Π΄ΠΈΡΠΊΠ°Ρ
: - 1. Π‘ΠΎΠ·Π΄Π°ΠΉΡΠ΅ Certificate Signing Request (CSR): + {% note alert %} - ```bash - openssl req -new -sha256 -config node.cnf -key certs/node.key -out node.csr -batch - ``` + Π‘Π»Π΅Π΄ΡΡΡΠ°Ρ ΠΎΠΏΠ΅ΡΠ°ΡΠΈΡ ΡΠ΄Π°Π»ΠΈΡ Π²ΡΠ΅ ΡΠ°Π·Π΄Π΅Π»Ρ Π½Π° ΡΠΊΠ°Π·Π°Π½Π½ΠΎΠΌ Π΄ΠΈΡΠΊΠ΅! Π£Π±Π΅Π΄ΠΈΡΠ΅ΡΡ, ΡΡΠΎ Π²Ρ ΡΠΊΠ°Π·Π°Π»ΠΈ Π΄ΠΈΡΠΊ, Π½Π° ΠΊΠΎΡΠΎΡΠΎΠΌ Π½Π΅Ρ Π΄ΡΡΠ³ΠΈΡ
Π΄Π°Π½Π½ΡΡ
! - 1. Π‘ΠΎΠ·Π΄Π°ΠΉΡΠ΅ ΡΠ΅ΡΡΠΈΡΠΈΠΊΠ°Ρ Π½ΠΎΠ΄Ρ: + {% endnote %} - ```bash - openssl ca -config ca.cnf -keyfile secure/ca.key -cert certs/ca.crt -policy signing_policy \ - -extensions signing_node_req -out certs/node.crt -outdir certs/ -in node.csr -batch - ``` + ```bash + DISK=/dev/nvme0n1 + sudo parted ${DISK} mklabel gpt -s + sudo parted -a optimal ${DISK} mkpart primary 0% 100% + sudo parted ${DISK} name 1 ydb_disk_ssd_01 + sudo partx --u ${DISK} + ``` - Π‘ΠΎΠ·Π΄Π°ΠΉΡΠ΅ Π°Π½Π°Π»ΠΎΠ³ΠΈΡΠ½ΡΠ΅ ΠΏΠ°ΡΡ ΡΠ΅ΡΡΠΈΡΠΈΠΊΠ°Ρ-ΠΊΠ»ΡΡ Π΄Π»Ρ ΠΊΠ°ΠΆΠ΄ΠΎΠΉ Π½ΠΎΠ΄Ρ. + ΠΠΎΡΠ»Π΅ Π²ΡΠΏΠΎΠ»Π½Π΅Π½ΠΈΡ Π² ΡΠΈΡΡΠ΅ΠΌΠ΅ ΠΏΠΎΡΠ²ΠΈΡΡΡ Π΄ΠΈΡΠΊ Ρ ΠΌΠ΅ΡΠΊΠΎΠΉ `/dev/disk/by-partlabel/ydb_disk_ssd_01`. - 1. Π‘ΠΎΠ·Π΄Π°ΠΉΡΠ΅ Π½Π° ΠΊΠ°ΠΆΠ΄ΠΎΠΉ Π½ΠΎΠ΄Π΅ Π΄ΠΈΡΠ΅ΠΊΡΠΈΡΠΈΠΈ Π΄Π»Ρ ΡΠ΅ΡΡΠΈΡΠΈΠΊΠ°ΡΠΎΠ²: + ΠΡΠ»ΠΈ Π²Ρ ΠΏΠ»Π°Π½ΠΈΡΡΠ΅ΡΠ΅ ΠΈΡΠΏΠΎΠ»ΡΠ·ΠΎΠ²Π°ΡΡ Π±ΠΎΠ»Π΅Π΅ ΠΎΠ΄Π½ΠΎΠ³ΠΎ Π΄ΠΈΡΠΊΠ° Π½Π° ΠΊΠ°ΠΆΠ΄ΠΎΠΌ ΡΠ΅ΡΠ²Π΅ΡΠ΅, ΡΠΊΠ°ΠΆΠΈΡΠ΅ Π΄Π»Ρ ΠΊΠ°ΠΆΠ΄ΠΎΠ³ΠΎ ΡΠ²ΠΎΡ ΡΠ½ΠΈΠΊΠ°Π»ΡΠ½ΡΡ ΠΌΠ΅ΡΠΊΡ Π²ΠΌΠ΅ΡΡΠΎ `ydb_disk_ssd_01`. ΠΠ΅ΡΠΊΠΈ Π΄ΠΈΡΠΊΠΎΠ² Π΄ΠΎΠ»ΠΆΠ½Ρ Π±ΡΡΡ ΡΠ½ΠΈΠΊΠ°Π»ΡΠ½Ρ Π² ΡΠ°ΠΌΠΊΠ°Ρ
ΠΊΠ°ΠΆΠ΄ΠΎΠ³ΠΎ ΡΠ΅ΡΠ²Π΅ΡΠ°, ΠΈ ΠΈΡΠΏΠΎΠ»ΡΠ·ΡΡΡΡΡ Π² ΠΊΠΎΠ½ΡΠΈΠ³ΡΡΠ°ΡΠΈΠΎΠ½Π½ΡΡ
ΡΠ°ΠΉΠ»Π°Ρ
, ΠΊΠ°ΠΊ ΠΏΠΎΠΊΠ°Π·Π°Π½ΠΎ Π² ΠΏΠΎΡΠ»Π΅Π΄ΡΡΡΠΈΡ
ΠΈΠ½ΡΡΡΡΠΊΡΠΈΡΡ
. - ```bash - sudo mkdir /opt/ydb/certs - sudo chown -R ydb:ydb /opt/ydb/certs - sudo chmod 0750 /opt/ydb/certs - ``` + ΠΠ»Ρ ΡΠΏΡΠΎΡΠ΅Π½ΠΈΡ ΠΏΠΎΡΠ»Π΅Π΄ΡΡΡΠ΅ΠΉ Π½Π°ΡΡΡΠΎΠΉΠΊΠΈ ΡΠ΄ΠΎΠ±Π½ΠΎ ΠΈΡΠΏΠΎΠ»ΡΠ·ΠΎΠ²Π°ΡΡ ΠΎΠ΄ΠΈΠ½Π°ΠΊΠΎΠ²ΡΠ΅ ΠΌΠ΅ΡΠΊΠΈ Π΄ΠΈΡΠΊΠΎΠ² Π½Π° ΡΠ΅ΡΠ²Π΅ΡΠ°Ρ
ΠΊΠ»Π°ΡΡΠ΅ΡΠ°, ΠΈΠΌΠ΅ΡΡΠΈΡ
ΠΈΠ΄Π΅Π½ΡΠΈΡΠ½ΡΡ ΠΊΠΎΠ½ΡΠΈΠ³ΡΡΠ°ΡΠΈΡ Π΄ΠΈΡΠΊΠΎΠ². - 1. Π‘ΠΊΠΎΠΏΠΈΡΡΠΉΡΠ΅ ΡΠ΅ΡΡΠΈΡΠΈΠΊΠ°ΡΡ ΠΈ ΠΊΠ»ΡΡΠΈ Π½ΠΎΠ΄Ρ Π² ΠΊΠ°ΡΠ°Π»ΠΎΠ³ ΠΈΠ½ΡΡΠ°Π»Π»ΡΡΠΈΠΈ: +2. ΠΡΡΠΎΡΠΌΠ°ΡΠΈΡΡΠΉΡΠ΅ Π΄ΠΈΡΠΊ Π²ΡΡΡΠΎΠ΅Π½Π½ΠΎΠΉ Π² ΠΈΡΠΏΠΎΠ»Π½ΡΠ΅ΠΌΡΠΉ ΡΠ°ΠΉΠ» `ydbd` ΠΊΠΎΠΌΠ°Π½Π΄ΠΎΠΉ: - ```bash - sudo -u ydb cp certs/ca.crt certs/node.crt certs/node.key /opt/ydb/certs/ - ``` + ```bash + sudo LD_LIBRARY_PATH=/opt/ydb/lib /opt/ydb/bin/ydbd admin bs disk obliterate /dev/disk/by-partlabel/ydb_disk_ssd_01 + ``` - 1. {% include [prepare-configs.md](_includes/prepare-configs.md) %} + ΠΡΠΎΠ΄Π΅Π»Π°ΠΉΡΠ΅ Π΄Π°Π½Π½ΡΡ ΠΎΠΏΠ΅ΡΠ°ΡΠΈΡ Π΄Π»Ρ ΠΊΠ°ΠΆΠ΄ΠΎΠ³ΠΎ Π΄ΠΈΡΠΊΠ°, ΠΊΠΎΡΠΎΡΡΠΉ Π±ΡΠ΄Π΅Ρ ΠΈΡΠΏΠΎΠ»ΡΠ·ΠΎΠ²Π°ΡΡΡΡ Π΄Π»Ρ Ρ
ΡΠ°Π½Π΅Π½ΠΈΡ Π΄Π°Π½Π½ΡΡ
{{ ydb-short-name }}. - 1. ΠΠΊΠ»ΡΡΠΈΡΠ΅ ΡΠ΅ΠΆΠΈΠΌ ΡΠΈΡΡΠΎΠ²Π°Π½ΠΈΡ ΡΡΠ°ΡΠΈΠΊΠ° Π² ΠΊΠΎΠ½ΡΠΈΠ³ΡΡΠ°ΡΠΈΠΎΠ½Π½ΠΎΠΌ ΡΠ°ΠΉΠ»Π΅ {{ ydb-short-name }}. +## ΠΠΎΠ΄Π³ΠΎΡΠΎΠ²ΡΡΠ΅ ΠΊΠΎΠ½ΡΠΈΠ³ΡΡΠ°ΡΠΈΠΎΠ½Π½ΡΠ΅ ΡΠ°ΠΉΠ»Ρ {#config} - Π ΡΠ΅ΠΊΡΠΈΡΡ
`interconnect_config` ΠΈ `grpc_config` ΡΠΊΠ°ΠΆΠΈΡΠ΅ ΠΏΡΡΡ Π΄ΠΎ ΡΠ°ΠΉΠ»ΠΎΠ² ΡΠ΅ΡΡΠΈΡΠΈΠΊΠ°ΡΠ°, ΠΊΠ»ΡΡΠ° ΠΈ CA ΡΠ΅ΡΡΠΈΡΠΈΠΊΠ°ΡΠ°: +{% include [prepare-configs.md](_includes/prepare-configs.md) %} + +ΠΡΠΈ ΠΈΡΠΏΠΎΠ»ΡΠ·ΠΎΠ²Π°Π½ΠΈΠΈ ΡΠ΅ΠΆΠΈΠΌΠ° ΡΠΈΡΡΠΎΠ²Π°Π½ΠΈΡ ΡΡΠ°ΡΠΈΠΊΠ° ΡΠ±Π΅Π΄ΠΈΡΠ΅ΡΡ Π² Π½Π°Π»ΠΈΡΠΈΠΈ Π² ΠΊΠΎΠ½ΡΠΈΠ³ΡΡΠ°ΡΠΈΠΎΠ½Π½ΠΎΠΌ ΡΠ°ΠΉΠ»Π΅ {{ ydb-short-name }} ΡΡΡΠ°Π½ΠΎΠ²Π»Π΅Π½Π½ΡΡ
ΠΏΡΡΠ΅ΠΉ ΠΊ ΡΠ°ΠΉΠ»Π°ΠΌ ΠΊΠ»ΡΡΠ΅ΠΉ ΠΈ ΡΠ΅ΡΡΠΈΡΠΈΠΊΠ°ΡΠΎΠ² Π² ΡΠ΅ΠΊΡΠΈΡΡ
`interconnect_config` ΠΈ `grpc_config`: + +```json +interconnect_config: + start_tcp: true + encryption_mode: OPTIONAL + path_to_certificate_file: "/opt/ydb/certs/node.crt" + path_to_private_key_file: "/opt/ydb/certs/node.key" + path_to_ca_file: "/opt/ydb/certs/ca.crt" +grpc_config: + cert: "/opt/ydb/certs/node.crt" + key: "/opt/ydb/certs/node.key" + ca: "/opt/ydb/certs/ca.crt" + services_enabled: + - legacy +``` - ```json - interconnect_config: - start_tcp: true - encryption_mode: OPTIONAL - path_to_certificate_file: "/opt/ydb/certs/node.crt" - path_to_private_key_file: "/opt/ydb/certs/node.key" - path_to_ca_file: "/opt/ydb/certs/ca.crt" +Π‘ΠΎΡ
ΡΠ°Π½ΠΈΡΠ΅ ΠΊΠΎΠ½ΡΠΈΠ³ΡΡΠ°ΡΠΈΠΎΠ½Π½ΡΠΉ ΡΠ°ΠΉΠ» {{ ydb-short-name }} ΠΏΠΎΠ΄ ΠΈΠΌΠ΅Π½Π΅ΠΌ `/opt/ydb/cfg/config.yaml` Π½Π° ΠΊΠ°ΠΆΠ΄ΠΎΠΌ ΡΠ΅ΡΠ²Π΅ΡΠ΅ ΠΊΠ»Π°ΡΡΠ΅ΡΠ°. - grpc_config: - cert: "/opt/ydb/certs/node.crt" - key: "/opt/ydb/certs/node.key" - ca: "/opt/ydb/certs/ca.crt" - ``` +ΠΠΎΠ»Π΅Π΅ ΠΏΠΎΠ΄ΡΠΎΠ±Π½Π°Ρ ΠΈΠ½ΡΠΎΡΠΌΠ°ΡΠΈΡ ΠΏΠΎ ΡΠΎΠ·Π΄Π°Π½ΠΈΡ ΡΠ°ΠΉΠ»Π° ΠΊΠΎΠ½ΡΠΈΠ³ΡΡΠ°ΡΠΈΠΈ ΠΏΡΠΈΠ²Π΅Π΄Π΅Π½Π° Π² ΡΡΠ°ΡΡΠ΅ [ΠΠΎΠ½ΡΠΈΠ³ΡΡΠ°ΡΠΈΡ ΠΊΠ»Π°ΡΡΠ΅ΡΠ°](../configuration/config.md). -{% endlist %} +## Π‘ΠΊΠΎΠΏΠΈΡΡΠΉΡΠ΅ ΠΊΠ»ΡΡΠΈ ΠΈ ΡΠ΅ΡΡΠΈΡΠΈΠΊΠ°ΡΡ TLS Π½Π° ΠΊΠ°ΠΆΠ΄ΡΠΉ ΡΠ΅ΡΠ²Π΅Ρ {#tls-copy-cert} -Π‘ΠΎΡ
ΡΠ°Π½ΠΈΡΠ΅ ΠΊΠΎΠ½ΡΠΈΠ³ΡΡΠ°ΡΠΈΠΎΠ½Π½ΡΠΉ ΡΠ°ΠΉΠ» {{ ydb-short-name }} ΠΏΠΎΠ΄ ΠΈΠΌΠ΅Π½Π΅ΠΌ `/opt/ydb/cfg/config.yaml` Π½Π° ΠΊΠ°ΠΆΠ΄ΠΎΠΌ ΡΠ·Π»Π΅ ΠΊΠ»Π°ΡΡΠ΅ΡΠ°. +ΠΠΎΠ΄Π³ΠΎΡΠΎΠ²Π»Π΅Π½Π½ΡΠ΅ ΠΊΠ»ΡΡΠΈ ΠΈ ΡΠ΅ΡΡΠΈΡΠΈΠΊΠ°ΡΡ TLS Π½Π΅ΠΎΠ±Ρ
ΠΎΠ΄ΠΈΠΌΠΎ ΡΠΊΠΎΠΏΠΈΡΠΎΠ²Π°ΡΡ Π² Π·Π°ΡΠΈΡΠ΅Π½Π½ΡΠΉ ΠΊΠ°ΡΠ°Π»ΠΎΠ³ Π½Π° ΠΊΠ°ΠΆΠ΄ΠΎΠΌ ΠΈΠ· ΡΠ·Π»ΠΎΠ² ΠΊΠ»Π°ΡΡΠ΅ΡΠ° {{ ydb-short-name }}. ΠΠΈΠΆΠ΅ ΠΏΡΠΈΠ²Π΅Π΄Π΅Π½ ΠΏΡΠΈΠΌΠ΅Ρ ΠΊΠΎΠΌΠ°Π½Π΄ Π΄Π»Ρ ΡΠΎΠ·Π΄Π°Π½ΠΈΡ Π·Π°ΡΠΈΡΠ΅Π½Π½ΠΎΠ³ΠΎ ΠΊΠ°ΡΠ°Π»ΠΎΠ³Π° ΠΈ ΠΊΠΎΠΏΠΈΡΠΎΠ²Π°Π½ΠΈΡ ΡΠ°ΠΉΠ»ΠΎΠ² Ρ ΠΊΠ»ΡΡΠ°ΠΌΠΈ ΠΈ ΡΠ΅ΡΡΠΈΡΠΈΠΊΠ°ΡΠ°ΠΌΠΈ. -ΠΠΎΠ»Π΅Π΅ ΠΏΠΎΠ΄ΡΠΎΠ±Π½Π°Ρ ΠΈΠ½ΡΠΎΡΠΌΠ°ΡΠΈΡ ΠΏΠΎ ΡΠΎΠ·Π΄Π°Π½ΠΈΡ ΠΊΠΎΠ½ΡΠΈΠ³ΡΡΠ°ΡΠΈΠΈ ΠΏΡΠΈΠ²Π΅Π΄Π΅Π½Π° Π² ΡΡΠ°ΡΡΠ΅ [ΠΠΎΠ½ΡΠΈΠ³ΡΡΠ°ΡΠΈΡ ΠΊΠ»Π°ΡΡΠ΅ΡΠ°](../configuration/config.md). +```bash +sudo mkdir -p /opt/ydb/certs +sudo cp -v ca.crt /opt/ydb/certs/ +sudo cp -v node.crt /opt/ydb/certs/ +sudo cp -v node.key /opt/ydb/certs/ +sudo cp -v web.pem /opt/ydb/certs/ +sudo chown -R ydb:ydb /opt/ydb/certs +sudo chmod 700 /opt/ydb/certs +``` -## ΠΠ°ΠΏΡΡΡΠΈΡΠ΅ ΡΡΠ°ΡΠΈΡΠ΅ΡΠΊΠΈΠ΅ Π½ΠΎΠ΄Ρ {#start-storage} +## ΠΠ°ΠΏΡΡΡΠΈΡΠ΅ ΡΡΠ°ΡΠΈΡΠ΅ΡΠΊΠΈΠ΅ ΡΠ·Π»Ρ {#start-storage} {% list tabs %} - ΠΡΡΡΠ½ΡΡ - ΠΠ°ΠΏΡΡΡΠΈΡΠ΅ Π½Π° ΠΊΠ°ΠΆΠ΄ΠΎΠΉ Π½ΠΎΠ΄Π΅ {{ ydb-short-name }} storage: + ΠΠ°ΠΏΡΡΡΠΈΡΠ΅ ΡΠ΅ΡΠ²ΠΈΡ Ρ
ΡΠ°Π½Π΅Π½ΠΈΡ Π΄Π°Π½Π½ΡΡ
{{ ydb-short-name }} Π½Π° ΠΊΠ°ΠΆΠ΄ΠΎΠΌ ΡΡΠ°ΡΠΈΡΠ΅ΡΠΊΠΎΠΌ ΡΠ·Π»Π΅ ΠΊΠ»Π°ΡΡΠ΅ΡΠ°: ```bash sudo su - ydb cd /opt/ydb export LD_LIBRARY_PATH=/opt/ydb/lib - /opt/ydb/bin/ydbd server --log-level 3 --syslog --tcp --yaml-config /opt/ydb/cfg/config.yaml \ - --grpc-port 2135 --ic-port 19001 --mon-port 8765 --node static + /opt/ydb/bin/ydbd server --log-level 3 --syslog --tcp --yaml-config /opt/ydb/cfg/config.yaml \ + --grpcs-port 2135 --ic-port 19001 --mon-port 8765 --mon-cert /opt/ydb/certs/web.pem --node static ``` - Π‘ ΠΈΡΠΏΠΎΠ»ΡΠ·ΠΎΠ²Π°Π½ΠΈΠ΅ΠΌ systemd - Π‘ΠΎΠ·Π΄Π°ΠΉΡΠ΅ Π½Π° ΠΊΠ°ΠΆΠ΄ΠΎΠΉ Π½ΠΎΠ΄Π΅ ΠΊΠΎΠ½ΡΠΈΠ³ΡΡΠ°ΡΠΈΠΎΠ½Π½ΡΠΉ ΡΠ°ΠΉΠ» `/etc/systemd/system/ydbd-storage.service` ΡΠΎ ΡΠ»Π΅Π΄ΡΡΡΠΈΠΌ ΡΠΎΠ΄Π΅ΡΠΆΠΈΠΌΡΠΌ: + Π‘ΠΎΠ·Π΄Π°ΠΉΡΠ΅ Π½Π° ΠΊΠ°ΠΆΠ΄ΠΎΠΌ ΡΠ΅ΡΠ²Π΅ΡΠ΅, Π³Π΄Π΅ Π±ΡΠ΄Π΅Ρ ΡΠ°Π·ΠΌΠ΅ΡΠ΅Π½ ΡΡΠ°ΡΠΈΡΠ΅ΡΠΊΠΈΠΉ ΡΠ·Π΅Π» ΠΊΠ»Π°ΡΡΠ΅ΡΠ°, ΠΊΠΎΠ½ΡΠΈΠ³ΡΡΠ°ΡΠΈΠΎΠ½Π½ΡΠΉ ΡΠ°ΠΉΠ» systemd `/etc/systemd/system/ydbd-storage.service` ΠΏΠΎ ΠΏΡΠΈΠ²Π΅Π΄Π΅Π½Π½ΠΎΠΌΡ Π½ΠΈΠΆΠ΅ ΠΎΠ±ΡΠ°Π·ΡΡ. ΠΠ±ΡΠ°Π·Π΅Ρ ΡΠ°ΠΉΠ»Π° ΡΠ°ΠΊΠΆΠ΅ ΠΌΠΎΠΆΠ½ΠΎ [ΡΠΊΠ°ΡΠ°ΡΡ ΠΈΠ· ΡΠ΅ΠΏΠΎΠ·ΠΈΡΠΎΡΠΈΡ](https://github.com/ydb-platform/ydb/blob/main/ydb/deploy/systemd_services/ydbd-storage.service). ```text [Unit] @@ -305,7 +211,10 @@ sudo usermod -aG disk ydb SyslogFacility=daemon SyslogLevel=err Environment=LD_LIBRARY_PATH=/opt/ydb/lib - ExecStart=/opt/ydb/bin/ydbd server --log-level 3 --syslog --tcp --yaml-config /opt/ydb/cfg/config.yaml --grpc-port 2135 --ic-port 19001 --mon-port 8765 --node static + ExecStart=/opt/ydb/bin/ydbd server --log-level 3 --syslog --tcp \ + --yaml-config /opt/ydb/cfg/config.yaml \ + --grpcs-port 2135 --ic-port 19001 --mon-port 8765 \ + --mon-cert /opt/ydb/certs/web.pem --node static LimitNOFILE=65536 LimitCORE=0 LimitMEMLOCK=3221225472 
@@ -314,7 +223,7 @@ sudo usermod -aG disk ydb WantedBy=multi-user.target ``` - ΠΠ°ΠΏΡΡΡΠΈΡΠ΅ Π½Π° ΠΊΠ°ΠΆΠ΄ΠΎΠΉ Π½ΠΎΠ΄Π΅ {{ ydb-short-name }} storage: + ΠΠ°ΠΏΡΡΡΠΈΡΠ΅ ΡΠ΅ΡΠ²ΠΈΡ Π½Π° ΠΊΠ°ΠΆΠ΄ΠΎΠΌ ΡΡΠ°ΡΠΈΡΠ΅ΡΠΊΠΎΠΌ ΡΠ·Π»Π΅ {{ ydb-short-name }}: ```bash sudo systemctl start ydbd-storage @@ -324,21 +233,13 @@ sudo usermod -aG disk ydb ## ΠΠ½ΠΈΡΠΈΠ°Π»ΠΈΠ·ΠΈΡΡΠΉΡΠ΅ ΠΊΠ»Π°ΡΡΠ΅Ρ {#initialize-cluster} -ΠΠ΅ΠΉΡΡΠ²ΠΈΡ ΠΏΠΎ ΠΈΠ½ΠΈΡΠΈΠ°Π»ΠΈΠ·Π°ΡΠΈΠΈ ΠΊΠ»Π°ΡΡΠ΅ΡΠ° Π·Π°Π²ΠΈΡΡΡ ΠΎΡ ΡΠΎΠ³ΠΎ, Π²ΠΊΠ»ΡΡΠ΅Π½ Π»ΠΈ Π² ΠΊΠΎΠ½ΡΠΈΠ³ΡΡΠ°ΡΠΈΠΎΠ½Π½ΠΎΠΌ ΡΠ°ΠΉΠ»Π΅ {{ ydb-short-name }} ΡΠ΅ΠΆΠΈΠΌ Π°ΡΡΠ΅Π½ΡΠΈΡΠΈΠΊΠ°ΡΠΈΠΈ ΠΏΠΎΠ»ΡΠ·ΠΎΠ²Π°ΡΠ΅Π»Π΅ΠΉ. - -{% list tabs %} - -- ΠΡΡΠ΅Π½ΡΠΈΡΠΈΠΊΠ°ΡΠΈΡ Π²ΡΠΊΠ»ΡΡΠ΅Π½Π° +ΠΠΏΠ΅ΡΠ°ΡΠΈΡ ΠΈΠ½ΠΈΡΠΈΠ°Π»ΠΈΠ·Π°ΡΠΈΠΈ ΠΊΠ»Π°ΡΡΠ΅ΡΠ° ΠΎΡΡΡΠ΅ΡΡΠ²Π»ΡΠ΅Ρ Π½Π°ΡΡΡΠΎΠΉΠΊΡ Π½Π°Π±ΠΎΡΠ° ΡΡΠ°ΡΠΈΡΠ΅ΡΠΊΠΈΡ
ΡΠ·Π»ΠΎΠ², ΠΏΠ΅ΡΠ΅ΡΠΈΡΠ»Π΅Π½Π½ΡΡ
Π² ΠΊΠΎΠ½ΡΠΈΠ³ΡΡΠ°ΡΠΈΠΎΠ½Π½ΠΎΠΌ ΡΠ°ΠΉΠ»Π΅ ΠΊΠ»Π°ΡΡΠ΅ΡΠ°, Π΄Π»Ρ Ρ
ΡΠ°Π½Π΅Π½ΠΈΡ Π΄Π°Π½Π½ΡΡ
{{ ydb-short-name }}. - ΠΠ° ΠΎΠ΄Π½ΠΎΠΉ ΠΈΠ· Π½ΠΎΠ΄ ΠΊΠ»Π°ΡΡΠ΅ΡΠ° Π²ΡΠΏΠΎΠ»Π½ΠΈΡΠ΅ ΠΊΠΎΠΌΠ°Π½Π΄Ρ: +ΠΠ»Ρ ΠΈΠ½ΠΈΡΠΈΠ°Π»ΠΈΠ·Π°ΡΠΈΠΈ ΠΊΠ»Π°ΡΡΠ΅ΡΠ° ΠΏΠΎΡΡΠ΅Π±ΡΠ΅ΡΡΡ ΡΠ°ΠΉΠ» ΡΠ΅ΡΡΠΈΡΠΈΠΊΠ°ΡΠ° ΡΠ΅Π½ΡΡΠ° ΡΠ΅Π³ΠΈΡΡΡΠ°ΡΠΈΠΈ `ca.crt`, ΠΏΡΡΡ ΠΊ ΠΊΠΎΡΠΎΡΠΎΠΌΡ Π΄ΠΎΠ»ΠΆΠ΅Π½ Π±ΡΡΡ ΡΠΊΠ°Π·Π°Π½ ΠΏΡΠΈ Π²ΡΠΏΠΎΠ»Π½Π΅Π½ΠΈΠΈ ΡΠΎΠΎΡΠ²Π΅ΡΡΡΠ²ΡΡΡΠΈΡ
ΠΊΠΎΠΌΠ°Π½Π΄. ΠΠ΅ΡΠ΅Π΄ Π²ΡΠΏΠΎΠ»Π½Π΅Π½ΠΈΠ΅ΠΌ ΡΠΎΠΎΡΠ²Π΅ΡΡΡΠ²ΡΡΡΠΈΡ
ΠΊΠΎΠΌΠ°Π½Π΄ ΡΠΊΠΎΠΏΠΈΡΡΠΉΡΠ΅ ΡΠ°ΠΉΠ» `ca.crt` Π½Π° ΡΠ΅ΡΠ²Π΅Ρ, Π½Π° ΠΊΠΎΡΠΎΡΠΎΠΌ ΡΡΠΈ ΠΊΠΎΠΌΠ°Π½Π΄Ρ Π±ΡΠ΄ΡΡ Π²ΡΠΏΠΎΠ»Π½ΡΡΡΡΡ. - ```bash - export LD_LIBRARY_PATH=/opt/ydb/lib - /opt/ydb/bin/ydbd admin blobstorage config init --yaml-file /opt/ydb/cfg/config.yaml - echo $? - ``` +ΠΠΎΡΡΠ΄ΠΎΠΊ Π΄Π΅ΠΉΡΡΠ²ΠΈΠΉ ΠΏΠΎ ΠΈΠ½ΠΈΡΠΈΠ°Π»ΠΈΠ·Π°ΡΠΈΠΈ ΠΊΠ»Π°ΡΡΠ΅ΡΠ° Π·Π°Π²ΠΈΡΡΡ ΠΎΡ ΡΠΎΠ³ΠΎ, Π²ΠΊΠ»ΡΡΠ΅Π½ Π»ΠΈ Π² ΠΊΠΎΠ½ΡΠΈΠ³ΡΡΠ°ΡΠΈΠΎΠ½Π½ΠΎΠΌ ΡΠ°ΠΉΠ»Π΅ {{ ydb-short-name }} ΡΠ΅ΠΆΠΈΠΌ Π°ΡΡΠ΅Π½ΡΠΈΡΠΈΠΊΠ°ΡΠΈΠΈ ΠΏΠΎΠ»ΡΠ·ΠΎΠ²Π°ΡΠ΅Π»Π΅ΠΉ. - ΠΠΎΠ΄ Π·Π°Π²Π΅ΡΡΠ΅Π½ΠΈΡ ΠΊΠΎΠΌΠ°Π½Π΄Ρ Π΄ΠΎΠ»ΠΆΠ΅Π½ Π±ΡΡΡ Π½ΡΠ»Π΅Π²ΡΠΌ. +{% list tabs %} - ΠΡΡΠ΅Π½ΡΠΈΡΠΈΠΊΠ°ΡΠΈΡ Π²ΠΊΠ»ΡΡΠ΅Π½Π° @@ -347,75 +248,106 @@ sudo usermod -aG disk ydb ΠΡΠΈ ΠΏΠ΅ΡΠ²ΠΎΠ½Π°ΡΠ°Π»ΡΠ½ΠΎΠΉ ΡΡΡΠ°Π½ΠΎΠ²ΠΊΠ΅ ΠΊΠ»Π°ΡΡΠ΅ΡΠ° Π² Π½ΡΠΌ ΡΡΡΠ΅ΡΡΠ²ΡΠ΅Ρ Π΅Π΄ΠΈΠ½ΡΡΠ²Π΅Π½Π½Π°Ρ ΡΡΡΡΠ½Π°Ρ Π·Π°ΠΏΠΈΡΡ `root` Ρ ΠΏΡΡΡΡΠΌ ΠΏΠ°ΡΠΎΠ»Π΅ΠΌ, ΠΏΠΎΡΡΠΎΠΌΡ ΠΊΠΎΠΌΠ°Π½Π΄Π° ΠΏΠΎΠ»ΡΡΠ΅Π½ΠΈΡ ΡΠΎΠΊΠ΅Π½Π° Π²ΡΠ³Π»ΡΠ΄ΠΈΡ ΡΠ»Π΅Π΄ΡΡΡΠΈΠΌ ΠΎΠ±ΡΠ°Π·ΠΎΠΌ: ```bash - ydb -e grpc://<node1.ydb.tech>:2135 -d /Root \ - --user root --no-password auth get-token --force >token-file + ydb -e grpcs://<node1.ydb.tech>:2135 -d /Root --ca-file ca.crt \ + --user root --no-password auth get-token --force >token-file ``` - Π ΠΊΠ°ΡΠ΅ΡΡΠ²Π΅ ΡΠ΅ΡΠ²Π΅ΡΠ° Π΄Π»Ρ ΠΏΠΎΠ΄ΠΊΠ»ΡΡΠ΅Π½ΠΈΡ (ΠΏΠ°ΡΠ°ΠΌΠ΅ΡΡ `-e` ΠΈΠ»ΠΈ `--endpoint`) ΠΌΠΎΠΆΠ΅Ρ Π±ΡΡΡ ΡΠΊΠ°Π·Π°Π½ Π»ΡΠ±ΠΎΠΉ ΠΈΠ· ΡΠ΅ΡΠ²Π΅ΡΠΎΠ² ΠΊΠ»Π°ΡΡΠ΅ΡΠ°. + Π ΠΊΠ°ΡΠ΅ΡΡΠ²Π΅ ΡΠ΅ΡΠ²Π΅ΡΠ° Π΄Π»Ρ ΠΏΠΎΠ΄ΠΊΠ»ΡΡΠ΅Π½ΠΈΡ (ΠΏΠ°ΡΠ°ΠΌΠ΅ΡΡ `-e` ΠΈΠ»ΠΈ `--endpoint`) ΠΌΠΎΠΆΠ΅Ρ Π±ΡΡΡ ΡΠΊΠ°Π·Π°Π½ Π»ΡΠ±ΠΎΠΉ ΠΈΠ· ΡΠ΅ΡΠ²Π΅ΡΠΎΠ² Ρ
ΡΠ°Π½Π΅Π½ΠΈΡ Π² ΡΠΎΡΡΠ°Π²Π΅ ΠΊΠ»Π°ΡΡΠ΅ΡΠ°. - ΠΡΠ»ΠΈ Π±ΡΠ»Π° Π²ΠΊΠ»ΡΡΠ΅Π½Π° Π·Π°ΡΠΈΡΠ° ΡΡΠ°ΡΠΈΠΊΠ° Ρ ΠΈΡΠΏΠΎΠ»ΡΠ·ΠΎΠ²Π°Π½ΠΈΠ΅ΠΌ TLS, ΡΠΎ Π²ΠΌΠ΅ΡΡΠΎ ΠΏΡΠΎΡΠΎΠΊΠΎΠ»Π° `grpc` Π² ΠΊΠΎΠΌΠ°Π½Π΄Π΅ Π²ΡΡΠ΅ ΡΠ»Π΅Π΄ΡΠ΅Ρ ΠΈΡΠΏΠΎΠ»ΡΠ·ΠΎΠ²Π°ΡΡ Π΅Π³ΠΎ Π·Π°ΡΠΈΡΠ΅Π½Π½ΡΠΉ Π²Π°ΡΠΈΠ°Π½Ρ `grpcs`, ΠΈ Π΄ΠΎΠΏΠΎΠ»Π½ΠΈΡΠ΅Π»ΡΠ½ΠΎ ΡΠΊΠ°Π·Π°ΡΡ ΠΏΡΡΡ ΠΊ ΡΠ°ΠΉΠ»Ρ Ρ ΡΠ΅ΡΡΠΈΡΠΈΠΊΠ°ΡΠΎΠΌ CA Π² ΠΏΠ°ΡΠ°ΠΌΠ΅ΡΡΠ΅ `--ca-file`. ΠΠ°ΠΏΡΠΈΠΌΠ΅Ρ: + ΠΡΠΈ ΡΡΠΏΠ΅ΡΠ½ΠΎΠΌ Π²ΡΠΏΠΎΠ»Π½Π΅Π½ΠΈΠΈ ΡΠΊΠ°Π·Π°Π½Π½ΠΎΠΉ Π²ΡΡΠ΅ ΠΊΠΎΠΌΠ°Π½Π΄Ρ Π°ΡΡΠ΅Π½ΡΠΈΡΠΈΠΊΠ°ΡΠΈΠΎΠ½Π½ΡΠΉ ΡΠΎΠΊΠ΅Π½ Π±ΡΠ΄Π΅Ρ Π·Π°ΠΏΠΈΡΠ°Π½ Π² ΡΠ°ΠΉΠ» `token-file`. Π€Π°ΠΉΠ» ΡΠΎΠΊΠ΅Π½Π° Π½Π΅ΠΎΠ±Ρ
ΠΎΠ΄ΠΈΠΌΠΎ ΡΠΊΠΎΠΏΠΈΡΠΎΠ²Π°ΡΡ Π½Π° ΠΎΠ΄ΠΈΠ½ ΠΈΠ· ΡΠ΅ΡΠ²Π΅ΡΠΎΠ² Ρ
ΡΠ°Π½Π΅Π½ΠΈΡ Π² ΡΠΎΡΡΠ°Π²Π΅ ΠΊΠ»Π°ΡΡΠ΅ΡΠ°, Π° Π·Π°ΡΠ΅ΠΌ Π½Π° Π²ΡΠ±ΡΠ°Π½Π½ΠΎΠΌ ΡΠ΅ΡΠ²Π΅ΡΠ΅ Π²ΡΠΏΠΎΠ»Π½ΠΈΡΡ ΠΊΠΎΠΌΠ°Π½Π΄Ρ: ```bash - ydb -e grpcs://<node1.ydb.tech>:2135 -d /Root --ca-file /opt/ydb/certs/ca.crt \ - --user root --no-password auth get-token --force >token-file + export LD_LIBRARY_PATH=/opt/ydb/lib + /opt/ydb/bin/ydbd -f token-file --ca-file ca.crt -s grpcs://`hostname -f`:2135 \ + admin blobstorage config init --yaml-file /opt/ydb/cfg/config.yaml + echo $? ``` - ΠΡΠΈ ΡΡΠΏΠ΅ΡΠ½ΠΎΠΌ Π²ΡΠΏΠΎΠ»Π½Π΅Π½ΠΈΠΈ ΡΠΊΠ°Π·Π°Π½Π½ΠΎΠΉ Π²ΡΡΠ΅ ΠΊΠΎΠΌΠ°Π½Π΄Ρ Π°ΡΡΠ΅Π½ΡΠΈΡΠΈΠΊΠ°ΡΠΈΠΎΠ½Π½ΡΠΉ ΡΠΎΠΊΠ΅Π½ Π±ΡΠ΄Π΅Ρ Π·Π°ΠΏΠΈΡΠ°Π½ Π² ΡΠ°ΠΉΠ» `token-file`. ΠΡΠΎΡ ΡΠ°ΠΉΠ» Π½Π΅ΠΎΠ±Ρ
ΠΎΠ΄ΠΈΠΌΠΎ Π±ΡΠ΄Π΅Ρ ΡΠΊΠΎΠΏΠΈΡΠΎΠ²Π°ΡΡ Π½Π° Π½ΠΎΠ΄Ρ ΠΊΠ»Π°ΡΡΠ΅ΡΠ°, Π½Π° ΠΊΠΎΡΠΎΡΠΎΠΉ Π² Π΄Π°Π»ΡΠ½Π΅ΠΉΡΠ΅ΠΌ Π²Ρ ΡΠΎΠ±ΠΈΡΠ°Π΅ΡΠ΅ΡΡ Π²ΡΠΏΠΎΠ»Π½ΡΡΡ ΠΊΠΎΠΌΠ°Π½Π΄Ρ ΠΈΠ½ΠΈΡΠΈΠ°Π»ΠΈΠ·Π°ΡΠΈΠΈ ΠΊΠ»Π°ΡΡΠ΅ΡΠ° ΠΈ ΡΠΎΠ·Π΄Π°Π½ΠΈΡ Π±Π°Π·Ρ Π΄Π°Π½Π½ΡΡ
. ΠΠ°Π»Π΅Π΅ Π½Π° ΡΡΠΎΠΉ Π½ΠΎΠ΄Π΅ ΠΊΠ»Π°ΡΡΠ΅ΡΠ° Π²ΡΠΏΠΎΠ»Π½ΠΈΡΠ΅ ΠΊΠΎΠΌΠ°Π½Π΄Ρ: +- ΠΡΡΠ΅Π½ΡΠΈΡΠΈΠΊΠ°ΡΠΈΡ Π²ΡΠΊΠ»ΡΡΠ΅Π½Π° + + ΠΠ° ΠΎΠ΄Π½ΠΎΠΌ ΠΈΠ· ΡΠ΅ΡΠ²Π΅ΡΠΎΠ² Ρ
ΡΠ°Π½Π΅Π½ΠΈΡ Π² ΡΠΎΡΡΠ°Π²Π΅ ΠΊΠ»Π°ΡΡΠ΅ΡΠ° Π²ΡΠΏΠΎΠ»Π½ΠΈΡΠ΅ ΠΊΠΎΠΌΠ°Π½Π΄Ρ: ```bash export LD_LIBRARY_PATH=/opt/ydb/lib - /opt/ydb/bin/ydbd -f token-file admin blobstorage config init --yaml-file /opt/ydb/cfg/config.yaml + /opt/ydb/bin/ydbd --ca-file ca.crt -s grpcs://`hostname -f`:2135 \ + admin blobstorage config init --yaml-file /opt/ydb/cfg/config.yaml echo $? ``` - ΠΠΎΠ΄ Π·Π°Π²Π΅ΡΡΠ΅Π½ΠΈΡ ΠΊΠΎΠΌΠ°Π½Π΄Ρ Π΄ΠΎΠ»ΠΆΠ΅Π½ Π±ΡΡΡ Π½ΡΠ»Π΅Π²ΡΠΌ. - {% endlist %} +ΠΡΠΈ ΡΡΠΏΠ΅ΡΠ½ΠΎΠΌ Π²ΡΠΏΠΎΠ»Π½Π΅Π½ΠΈΠΈ ΠΈΠ½ΠΈΡΠΈΠ°Π»ΠΈΠ·Π°ΡΠΈΠΈ ΠΊΠ»Π°ΡΡΠ΅ΡΠ° Π²ΡΠ²Π΅Π΄Π΅Π½Π½ΡΠΉ Π½Π° ΡΠΊΡΠ°Π½ ΠΊΠΎΠ΄ Π·Π°Π²Π΅ΡΡΠ΅Π½ΠΈΡ ΠΊΠΎΠΌΠ°Π½Π΄Ρ ΠΈΠ½ΠΈΡΠΈΠ°Π»ΠΈΠ·Π°ΡΠΈΠΈ ΠΊΠ»Π°ΡΡΠ΅ΡΠ° Π΄ΠΎΠ»ΠΆΠ΅Π½ Π±ΡΡΡ Π½ΡΠ»Π΅Π²ΡΠΌ. + ## Π‘ΠΎΠ·Π΄Π°ΠΉΡΠ΅ Π±Π°Π·Ρ Π΄Π°Π½Π½ΡΡ
{#create-db} -ΠΠ»Ρ ΡΠ°Π±ΠΎΡΡ Ρ ΡΠ°Π±Π»ΠΈΡΠ°ΠΌΠΈ Π½Π΅ΠΎΠ±Ρ
ΠΎΠ΄ΠΈΠΌΠΎ ΡΠΎΠ·Π΄Π°ΡΡ ΠΊΠ°ΠΊ ΠΌΠΈΠ½ΠΈΠΌΡΠΌ ΠΎΠ΄Π½Ρ Π±Π°Π·Ρ Π΄Π°Π½Π½ΡΡ
ΠΈ ΠΏΠΎΠ΄Π½ΡΡΡ ΠΏΡΠΎΡΠ΅ΡΡ, ΠΎΠ±ΡΠ»ΡΠΆΠΈΠ²Π°ΡΡΠΈΠΉ ΡΡΡ Π±Π°Π·Ρ Π΄Π°Π½Π½ΡΡ
(Π΄ΠΈΠ½Π°ΠΌΠΈΡΠ΅ΡΠΊΡΡ Π½ΠΎΠ΄Ρ): +ΠΠ»Ρ ΡΠ°Π±ΠΎΡΡ Ρ ΡΠ°Π±Π»ΠΈΡΠ°ΠΌΠΈ Π½Π΅ΠΎΠ±Ρ
ΠΎΠ΄ΠΈΠΌΠΎ ΡΠΎΠ·Π΄Π°ΡΡ ΠΊΠ°ΠΊ ΠΌΠΈΠ½ΠΈΠΌΡΠΌ ΠΎΠ΄Π½Ρ Π±Π°Π·Ρ Π΄Π°Π½Π½ΡΡ
ΠΈ Π·Π°ΠΏΡΡΡΠΈΡΡ ΠΏΡΠΎΡΠ΅ΡΡ ΠΈΠ»ΠΈ ΠΏΡΠΎΡΠ΅ΡΡΡ, ΠΎΠ±ΡΠ»ΡΠΆΠΈΠ²Π°ΡΡΠΈΠ΅ ΡΡΡ Π±Π°Π·Ρ Π΄Π°Π½Π½ΡΡ
(Π΄ΠΈΠ½Π°ΠΌΠΈΡΠ΅ΡΠΊΠΈΠ΅ ΡΠ·Π»Ρ). -```bash -LD_LIBRARY_PATH=/opt/ydb/lib /opt/ydb/bin/ydbd admin database /Root/testdb create ssd:1 -``` +ΠΠ»Ρ Π²ΡΠΏΠΎΠ»Π½Π΅Π½ΠΈΡ Π°Π΄ΠΌΠΈΠ½ΠΈΡΡΡΠ°ΡΠΈΠ²Π½ΠΎΠΉ ΠΊΠΎΠΌΠ°Π½Π΄Ρ ΡΠΎΠ·Π΄Π°Π½ΠΈΡ Π±Π°Π·Ρ Π΄Π°Π½Π½ΡΡ
ΠΏΠΎΡΡΠ΅Π±ΡΠ΅ΡΡΡ ΡΠ°ΠΉΠ» ΡΠ΅ΡΡΠΈΡΠΈΠΊΠ°ΡΠ° ΡΠ΅Π½ΡΡΠ° ΡΠ΅Π³ΠΈΡΡΡΠ°ΡΠΈΠΈ `ca.crt`, Π°Π½Π°Π»ΠΎΠ³ΠΈΡΠ½ΠΎ ΠΎΠΏΠΈΡΠ°Π½Π½ΠΎΠΌΡ Π²ΡΡΠ΅ ΠΏΠΎΡΡΠ΄ΠΊΡ Π²ΡΠΏΠΎΠ»Π½Π΅Π½ΠΈΡ Π΄Π΅ΠΉΡΡΠ²ΠΈΠΉ ΠΏΠΎ ΠΈΠ½ΠΈΡΠΈΠ°Π»ΠΈΠ·Π°ΡΠΈΠΈ ΠΊΠ»Π°ΡΡΠ΅ΡΠ°. -ΠΡΠ»ΠΈ Π² ΠΊΠ»Π°ΡΡΠ΅ΡΠ΅ Π²ΠΊΠ»ΡΡΠ΅Π½ ΡΠ΅ΠΆΠΈΠΌ Π°ΡΡΠ΅Π½ΡΠΈΡΠΈΠΊΠ°ΡΠΈΠΈ ΠΏΠΎΠ»ΡΠ·ΠΎΠ²Π°ΡΠ΅Π»Π΅ΠΉ, ΡΠΎ Π² ΠΊΠΎΠΌΠ°Π½Π΄Ρ ΡΠΎΠ·Π΄Π°Π½ΠΈΡ Π±Π°Π·Ρ Π΄Π°Π½Π½ΡΡ
Π½Π΅ΠΎΠ±Ρ
ΠΎΠ΄ΠΈΠΌΠΎ ΠΏΠ΅ΡΠ΅Π΄Π°ΡΡ Π°ΡΡΠ΅Π½ΡΠΈΡΠΈΠΊΠ°ΡΠΈΠΎΠ½Π½ΡΠΉ ΡΠΎΠΊΠ΅Π½. ΠΡΠΎΡΠ΅Π΄ΡΡΠ° ΠΏΠΎΠ»ΡΡΠ΅Π½ΠΈΡ ΡΠΎΠΊΠ΅Π½Π° ΠΎΠΏΠΈΡΠ°Π½Π° Π² ΡΠ°Π·Π΄Π΅Π»Π΅ ΠΏΠΎ [ΠΈΠ½ΠΈΡΠΈΠ°Π»ΠΈΠ·Π°ΡΠΈΠΈ ΠΊΠ»Π°ΡΡΠ΅ΡΠ°](#initialize-cluster). +ΠΡΠΈ ΡΠΎΠ·Π΄Π°Π½ΠΈΠΈ Π±Π°Π·Ρ Π΄Π°Π½Π½ΡΡ
ΡΡΡΠ°Π½Π°Π²Π»ΠΈΠ²Π°Π΅ΡΡΡ ΠΏΠ΅ΡΠ²ΠΎΠ½Π°ΡΠ°Π»ΡΠ½ΠΎΠ΅ ΠΊΠΎΠ»ΠΈΡΠ΅ΡΡΠ²ΠΎ ΠΈΡΠΏΠΎΠ»ΡΠ·ΡΠ΅ΠΌΡΡ
Π³ΡΡΠΏΠΏ Ρ
ΡΠ°Π½Π΅Π½ΠΈΡ, ΠΎΠΏΡΠ΅Π΄Π΅Π»ΡΡΡΠ΅Π΅ Π΄ΠΎΡΡΡΠΏΠ½ΡΡ ΠΏΡΠΎΠΏΡΡΠΊΠ½ΡΡ ΡΠΏΠΎΡΠΎΠ±Π½ΠΎΡΡΡ Π²Π²ΠΎΠ΄Π°-Π²ΡΠ²ΠΎΠ΄Π° ΠΈ ΠΌΠ°ΠΊΡΠΈΠΌΠ°Π»ΡΠ½ΡΡ Π΅ΠΌΠΊΠΎΡΡΡ Ρ
ΡΠ°Π½Π΅Π½ΠΈΡ. ΠΠΎΠ»ΠΈΡΠ΅ΡΡΠ²ΠΎ Π³ΡΡΠΏΠΏ Ρ
ΡΠ°Π½Π΅Π½ΠΈΡ ΠΌΠΎΠΆΠ΅Ρ Π±ΡΡΡ ΠΏΡΠΈ Π½Π΅ΠΎΠ±Ρ
ΠΎΠ΄ΠΈΠΌΠΎΡΡΠΈ ΡΠ²Π΅Π»ΠΈΡΠ΅Π½ΠΎ ΠΏΠΎΡΠ»Π΅ ΡΠΎΠ·Π΄Π°Π½ΠΈΡ Π±Π°Π·Ρ Π΄Π°Π½Π½ΡΡ
. -ΠΠ°ΡΠΈΠ°Π½Ρ ΠΊΠΎΠΌΠ°Π½Π΄Ρ ΡΠΎΠ·Π΄Π°Π½ΠΈΡ Π±Π°Π·Ρ Π΄Π°Π½Π½ΡΡ
Ρ ΡΠΊΠ°Π·Π°Π½ΠΈΠ΅ΠΌ ΡΠ°ΠΉΠ»Π° ΡΠΎΠΊΠ΅Π½Π°: +ΠΠΎΡΡΠ΄ΠΎΠΊ Π΄Π΅ΠΉΡΡΠ²ΠΈΠΉ ΠΏΠΎ ΡΠΎΠ·Π΄Π°Π½ΠΈΡ Π±Π°Π·Ρ Π΄Π°Π½Π½ΡΡ
Π·Π°Π²ΠΈΡΠΈΡ ΠΎΡ ΡΠΎΠ³ΠΎ, Π²ΠΊΠ»ΡΡΠ΅Π½ Π»ΠΈ Π² ΠΊΠΎΠ½ΡΠΈΠ³ΡΡΠ°ΡΠΈΠΎΠ½Π½ΠΎΠΌ ΡΠ°ΠΉΠ»Π΅ {{ ydb-short-name }} ΡΠ΅ΠΆΠΈΠΌ Π°ΡΡΠ΅Π½ΡΠΈΡΠΈΠΊΠ°ΡΠΈΠΈ ΠΏΠΎΠ»ΡΠ·ΠΎΠ²Π°ΡΠ΅Π»Π΅ΠΉ. -```bash -LD_LIBRARY_PATH=/opt/ydb/lib /opt/ydb/bin/ydbd -f token-file admin database /Root/testdb create ssd:1 -``` +{% list tabs %} + +- ΠΡΡΠ΅Π½ΡΠΈΡΠΈΠΊΠ°ΡΠΈΡ Π²ΠΊΠ»ΡΡΠ΅Π½Π° + + ΠΠ΅ΠΎΠ±Ρ
ΠΎΠ΄ΠΈΠΌΠΎ ΠΏΠΎΠ»ΡΡΠΈΡΡ Π°ΡΡΠ΅Π½ΡΠΈΡΠΈΠΊΠ°ΡΠΈΠΎΠ½Π½ΡΠΉ ΡΠΎΠΊΠ΅Π½. ΠΠΎΠΆΠ΅Ρ ΠΈΡΠΏΠΎΠ»ΡΠ·ΠΎΠ²Π°ΡΡΡΡ ΡΠ°ΠΉΠ» Ρ ΡΠΎΠΊΠ΅Π½ΠΎΠΌ Π°ΡΡΠ΅Π½ΡΠΈΡΠΈΠΊΠ°ΡΠΈΠΈ, ΠΏΠΎΠ»ΡΡΠ΅Π½Π½ΡΠΉ ΠΏΡΠΈ Π²ΡΠΏΠΎΠ»Π½Π΅Π½ΠΈΠΈ [ΠΈΠ½ΠΈΡΠΈΠ°Π»ΠΈΠ·Π°ΡΠΈΠΈ ΠΊΠ»Π°ΡΡΠ΅ΡΠ°](#initialize-cluster), Π»ΠΈΠ±ΠΎ ΠΏΠΎΠ΄Π³ΠΎΡΠΎΠ²Π»Π΅Π½ Π½ΠΎΠ²ΡΠΉ ΡΠΎΠΊΠ΅Π½. + + Π€Π°ΠΉΠ» ΡΠΎΠΊΠ΅Π½Π° Π½Π΅ΠΎΠ±Ρ
ΠΎΠ΄ΠΈΠΌΠΎ ΡΠΊΠΎΠΏΠΈΡΠΎΠ²Π°ΡΡ Π½Π° ΠΎΠ΄ΠΈΠ½ ΠΈΠ· ΡΠ΅ΡΠ²Π΅ΡΠΎΠ² Ρ
ΡΠ°Π½Π΅Π½ΠΈΡ Π² ΡΠΎΡΡΠ°Π²Π΅ ΠΊΠ»Π°ΡΡΠ΅ΡΠ°, Π° Π·Π°ΡΠ΅ΠΌ Π½Π° Π²ΡΠ±ΡΠ°Π½Π½ΠΎΠΌ ΡΠ΅ΡΠ²Π΅ΡΠ΅ Π²ΡΠΏΠΎΠ»Π½ΠΈΡΡ ΠΊΠΎΠΌΠ°Π½Π΄Ρ: + + ```bash + export LD_LIBRARY_PATH=/opt/ydb/lib + /opt/ydb/bin/ydbd -f token-file --ca-file ca.crt -s grpcs://`hostname -s`:2135 \ + admin database /Root/testdb create ssd:1 + echo $? + ``` + +- ΠΡΡΠ΅Π½ΡΠΈΡΠΈΠΊΠ°ΡΠΈΡ Π²ΡΠΊΠ»ΡΡΠ΅Π½Π° -Π ΠΏΡΠΈΠ²Π΅Π΄Π΅Π½Π½ΡΡ
Π²ΡΡΠ΅ ΠΏΡΠΈΠΌΠ΅ΡΠ°Ρ
ΠΊΠΎΠΌΠ°Π½Π΄ ΠΈΡΠΏΠΎΠ»ΡΠ·ΡΡΡΡΡ ΡΠ»Π΅Π΄ΡΡΡΠΈΠ΅ ΠΏΠ°ΡΠ°ΠΌΠ΅ΡΡΡ: + ΠΠ° ΠΎΠ΄Π½ΠΎΠΌ ΠΈΠ· ΡΠ΅ΡΠ²Π΅ΡΠΎΠ² Ρ
ΡΠ°Π½Π΅Π½ΠΈΡ Π² ΡΠΎΡΡΠ°Π²Π΅ ΠΊΠ»Π°ΡΡΠ΅ΡΠ° Π²ΡΠΏΠΎΠ»Π½ΠΈΡΠ΅ ΠΊΠΎΠΌΠ°Π½Π΄Ρ: + + ```bash + export LD_LIBRARY_PATH=/opt/ydb/lib + /opt/ydb/bin/ydbd --ca-file ca.crt -s grpcs://`hostname -s`:2135 \ + admin database /Root/testdb create ssd:1 + echo $? + ``` + +{% endlist %} + +ΠΡΠΈ ΡΡΠΏΠ΅ΡΠ½ΠΎΠΌ ΡΠΎΠ·Π΄Π°Π½ΠΈΠΈ Π±Π°Π·Ρ Π΄Π°Π½Π½ΡΡ
, Π²ΡΠ²Π΅Π΄Π΅Π½Π½ΡΠΉ Π½Π° ΡΠΊΡΠ°Π½ ΠΊΠΎΠ΄ Π·Π°Π²Π΅ΡΡΠ΅Π½ΠΈΡ ΠΊΠΎΠΌΠ°Π½Π΄Ρ Π΄ΠΎΠ»ΠΆΠ΅Π½ Π±ΡΡΡ Π½ΡΠ»Π΅Π²ΡΠΌ. + +Π ΠΏΡΠΈΠ²Π΅Π΄Π΅Π½Π½ΠΎΠΌ Π²ΡΡΠ΅ ΠΏΡΠΈΠΌΠ΅ΡΠ΅ ΠΊΠΎΠΌΠ°Π½Π΄ ΠΈΡΠΏΠΎΠ»ΡΠ·ΡΡΡΡΡ ΡΠ»Π΅Π΄ΡΡΡΠΈΠ΅ ΠΏΠ°ΡΠ°ΠΌΠ΅ΡΡΡ: * `/Root` - ΠΈΠΌΡ ΠΊΠΎΡΠ½Π΅Π²ΠΎΠ³ΠΎ Π΄ΠΎΠΌΠ΅Π½Π°, Π΄ΠΎΠ»ΠΆΠ½ΠΎ ΡΠΎΠΎΡΠ²Π΅ΡΡΡΠ²ΠΎΠ²Π°ΡΡ Π½Π°ΡΡΡΠΎΠΉΠΊΠ΅ `domains_config`.`domain`.`name` Π² ΡΠ°ΠΉΠ»Π΅ ΠΊΠΎΠ½ΡΠΈΠ³ΡΡΠ°ΡΠΈΠΈ ΠΊΠ»Π°ΡΡΠ΅ΡΠ°; * `testdb` - ΠΈΠΌΡ ΡΠΎΠ·Π΄Π°Π²Π°Π΅ΠΌΠΎΠΉ Π±Π°Π·Ρ Π΄Π°Π½Π½ΡΡ
; -* `ssd:1` - ΠΈΠΌΡ ΠΏΡΠ»Π° Ρ
ΡΠ°Π½Π΅Π½ΠΈΡ ΠΈ Π½ΠΎΠΌΠ΅Ρ Π±Π»ΠΎΠΊΠ° Π² ΠΏΡΠ»Π΅. ΠΠΌΡ ΠΏΡΠ»Π° ΠΎΠ±ΡΡΠ½ΠΎ ΠΎΠ·Π½Π°ΡΠ°Π΅Ρ ΡΠΈΠΏ ΡΡΡΡΠΎΠΉΡΡΠ² Ρ
ΡΠ°Π½Π΅Π½ΠΈΡ Π΄Π°Π½Π½ΡΡ
ΠΈ Π΄ΠΎΠ»ΠΆΠ½ΠΎ ΡΠΎΠΎΡΠ²Π΅ΡΡΡΠ²ΠΎΠ²Π°ΡΡ Π½Π°ΡΡΡΠΎΠΉΠΊΠ΅ `storage_pool_types`.`kind` Π²Π½ΡΡΡΠΈ ΡΠ»Π΅ΠΌΠ΅Π½ΡΠ° `domains_config`.`domain` ΡΠ°ΠΉΠ»Π° ΠΊΠΎΠ½ΡΠΈΠ³ΡΡΠ°ΡΠΈΠΈ. +* `ssd:1` - ΠΈΠΌΡ ΠΏΡΠ»Π° Ρ
ΡΠ°Π½Π΅Π½ΠΈΡ ΠΈ ΠΊΠΎΠ»ΠΈΡΠ΅ΡΡΠ²ΠΎ Π²ΡΠ΄Π΅Π»ΡΠ΅ΠΌΡΡ
Π³ΡΡΠΏΠΏ Ρ
ΡΠ°Π½Π΅Π½ΠΈΡ. ΠΠΌΡ ΠΏΡΠ»Π° ΠΎΠ±ΡΡΠ½ΠΎ ΠΎΠ·Π½Π°ΡΠ°Π΅Ρ ΡΠΈΠΏ ΡΡΡΡΠΎΠΉΡΡΠ² Ρ
ΡΠ°Π½Π΅Π½ΠΈΡ Π΄Π°Π½Π½ΡΡ
ΠΈ Π΄ΠΎΠ»ΠΆΠ½ΠΎ ΡΠΎΠΎΡΠ²Π΅ΡΡΡΠ²ΠΎΠ²Π°ΡΡ Π½Π°ΡΡΡΠΎΠΉΠΊΠ΅ `storage_pool_types`.`kind` Π²Π½ΡΡΡΠΈ ΡΠ»Π΅ΠΌΠ΅Π½ΡΠ° `domains_config`.`domain` ΡΠ°ΠΉΠ»Π° ΠΊΠΎΠ½ΡΠΈΠ³ΡΡΠ°ΡΠΈΠΈ. -## ΠΠ°ΠΏΡΡΡΠΈΡΠ΅ Π΄ΠΈΠ½Π°ΠΌΠΈΡΠ΅ΡΠΊΡΡ Π½ΠΎΠ΄Ρ Π±Π°Π·Ρ Π΄Π°Π½Π½ΡΡ
{#start-dynnode} +## ΠΠ°ΠΏΡΡΡΠΈΡΠ΅ Π΄ΠΈΠ½Π°ΠΌΠΈΡΠ΅ΡΠΊΠΈΠ΅ ΡΠ·Π»Ρ {#start-dynnode} {% list tabs %} - ΠΡΡΡΠ½ΡΡ - ΠΠ°ΠΏΡΡΡΠΈΡΠ΅ Π΄ΠΈΠ½Π°ΠΌΠΈΡΠ΅ΡΠΊΡΡ Π½ΠΎΠ΄Ρ {{ ydb-short-name }} Π΄Π»Ρ Π±Π°Π·Ρ /Root/testdb: + ΠΠ°ΠΏΡΡΡΠΈΡΠ΅ Π΄ΠΈΠ½Π°ΠΌΠΈΡΠ΅ΡΠΊΠΈΠΉ ΡΠ·Π΅Π» {{ ydb-short-name }} Π΄Π»Ρ Π±Π°Π·Ρ `/Root/testdb`: ```bash sudo su - ydb cd /opt/ydb export LD_LIBRARY_PATH=/opt/ydb/lib - /opt/ydb/bin/ydbd server --grpc-port 2136 --ic-port 19002 --mon-port 8766 --yaml-config /opt/ydb/cfg/config.yaml \ - --tenant /Root/testdb --node-broker <node1.ydb.tech>:2135 --node-broker <node2.ydb.tech>:2135 --node-broker <node3.ydb.tech>:2135 + /opt/ydb/bin/ydbd server --grpcs-port 2136 --ic-port 19002 \ + --mon-port 8766 --mon-cert /opt/ydb/certs/web.pem --ca /opt/ydb/certs/ca.crt \ + --yaml-config /opt/ydb/cfg/config.yaml --tenant /Root/testdb \ + --node-broker grpcs://<ydb1>:2135 \ + --node-broker grpcs://<ydb2>:2135 \ + --node-broker grpcs://<ydb3>:2135 ``` - ΠΠ΄Π΅ `<nodeN.ydb.tech>` - FQDN ΡΠ΅ΡΠ²Π΅ΡΠΎΠ², Π½Π° ΠΊΠΎΡΠΎΡΡΡ
Π·Π°ΠΏΡΡΠ΅Π½Ρ ΡΡΠ°ΡΠΈΡΠ΅ΡΠΊΠΈΠ΅ Π½ΠΎΠ΄Ρ. - - ΠΠ°ΠΏΡΡΡΠΈΡΠ΅ Π΄ΠΎΠΏΠΎΠ»Π½ΠΈΡΠ΅Π»ΡΠ½ΡΠ΅ Π΄ΠΈΠ½Π½ΠΎΠ΄Ρ Π½Π° Π΄ΡΡΠ³ΠΈΡ
ΡΠ΅ΡΠ²Π΅ΡΠ°Ρ
Π΄Π»Ρ ΠΎΠ±Π΅ΡΠΏΠ΅ΡΠ΅Π½ΠΈΡ Π΄ΠΎΡΡΡΠΏΠ½ΠΎΡΡΠΈ Π±Π°Π·Ρ Π΄Π°Π½Π½ΡΡ
. + Π ΠΏΡΠΈΠΌΠ΅ΡΠ΅ ΠΊΠΎΠΌΠ°Π½Π΄Ρ Π²ΡΡΠ΅ `<ydbN>` - FQDN ΡΡΠ΅Ρ
Π»ΡΠ±ΡΡ
ΡΠ΅ΡΠ²Π΅ΡΠΎΠ², Π½Π° ΠΊΠΎΡΠΎΡΡΡ
Π·Π°ΠΏΡΡΠ΅Π½Ρ ΡΡΠ°ΡΠΈΡΠ΅ΡΠΊΠΈΠ΅ ΡΠ·Π»Ρ ΠΊΠ»Π°ΡΡΠ΅ΡΠ°. - Π‘ ΠΈΡΠΏΠΎΠ»ΡΠ·ΠΎΠ²Π°Π½ΠΈΠ΅ΠΌ systemd - 1. Π‘ΠΎΠ·Π΄Π°ΠΉΡΠ΅ ΠΊΠΎΠ½ΡΠΈΠ³ΡΡΠ°ΡΠΈΠΎΠ½Π½ΡΠΉ ΡΠ°ΠΉΠ» `/etc/systemd/system/ydbd-testdb.service` ΡΠΎ ΡΠ»Π΅Π΄ΡΡΡΠΈΠΌ ΡΠΎΠ΄Π΅ΡΠΆΠΈΠΌΡΠΌ: + Π‘ΠΎΠ·Π΄Π°ΠΉΡΠ΅ ΠΊΠΎΠ½ΡΠΈΠ³ΡΡΠ°ΡΠΈΠΎΠ½Π½ΡΠΉ ΡΠ°ΠΉΠ» systemd `/etc/systemd/system/ydbd-testdb.service` ΠΏΠΎ ΠΏΡΠΈΠ²Π΅Π΄Π΅Π½Π½ΠΎΠΌΡ Π½ΠΈΠΆΠ΅ ΠΎΠ±ΡΠ°Π·ΡΡ. ΠΠ±ΡΠ°Π·Π΅Ρ ΡΠ°ΠΉΠ»Π° ΡΠ°ΠΊΠΆΠ΅ ΠΌΠΎΠΆΠ½ΠΎ [ΡΠΊΠ°ΡΠ°ΡΡ ΠΈΠ· ΡΠ΅ΠΏΠΎΠ·ΠΈΡΠΎΡΠΈΡ](https://github.com/ydb-platform/ydb/blob/main/ydb/deploy/systemd_services/ydbd-testdb.service). ```text [Unit] @@ -436,7 +368,12 @@ LD_LIBRARY_PATH=/opt/ydb/lib /opt/ydb/bin/ydbd -f token-file admin database /Roo SyslogFacility=daemon SyslogLevel=err Environment=LD_LIBRARY_PATH=/opt/ydb/lib - ExecStart=/opt/ydb/bin/ydbd server --grpc-port 2136 --ic-port 19002 --mon-port 8766 --yaml-config /opt/ydb/cfg/config.yaml --tenant /Root/testdb --node-broker <node1.ydb.tech>:2135 --node-broker <node2.ydb.tech>:2135 --node-broker <node3.ydb.tech>:2135 + ExecStart=/opt/ydb/bin/ydbd server --grpcs-port 2136 --ic-port 19002 \ + --mon-port 8766 --mon-cert /opt/ydb/certs/web.pem --ca /opt/ydb/certs/ca.crt \ + --yaml-config /opt/ydb/cfg/config.yaml --tenant /Root/testdb \ + --node-broker grpcs://<ydb1>:2135 \ + --node-broker grpcs://<ydb2>:2135 \ + --node-broker grpcs://<ydb3>:2135 LimitNOFILE=65536 LimitCORE=0 LimitMEMLOCK=32212254720 @@ -445,18 +382,18 @@ LD_LIBRARY_PATH=/opt/ydb/lib /opt/ydb/bin/ydbd -f token-file admin database /Roo WantedBy=multi-user.target ``` - ΠΠ΄Π΅ `<nodeN.ydb.tech>` - FQDN ΡΠ΅ΡΠ²Π΅ΡΠΎΠ², Π½Π° ΠΊΠΎΡΠΎΡΡΡ
Π·Π°ΠΏΡΡΠ΅Π½Ρ ΡΡΠ°ΡΠΈΡΠ΅ΡΠΊΠΈΠ΅ Π½ΠΎΠ΄Ρ. + Π ΠΏΡΠΈΠΌΠ΅ΡΠ΅ ΡΠ°ΠΉΠ»Π° Π²ΡΡΠ΅ `<ydbN>` - FQDN ΡΡΠ΅Ρ
Π»ΡΠ±ΡΡ
ΡΠ΅ΡΠ²Π΅ΡΠΎΠ², Π½Π° ΠΊΠΎΡΠΎΡΡΡ
Π·Π°ΠΏΡΡΠ΅Π½Ρ ΡΡΠ°ΡΠΈΡΠ΅ΡΠΊΠΈΠ΅ ΡΠ·Π»Ρ ΠΊΠ»Π°ΡΡΠ΅ΡΠ°. - 1. ΠΠ°ΠΏΡΡΡΠΈΡΠ΅ Π΄ΠΈΠ½Π°ΠΌΠΈΡΠ΅ΡΠΊΡΡ Π½ΠΎΠ΄Ρ {{ ydb-short-name }} Π΄Π»Ρ Π±Π°Π·Ρ /Root/testdb: + ΠΠ°ΠΏΡΡΡΠΈΡΠ΅ Π΄ΠΈΠ½Π°ΠΌΠΈΡΠ΅ΡΠΊΠΈΠΉ ΡΠ·Π΅Π» {{ ydb-short-name }} Π΄Π»Ρ Π±Π°Π·Ρ `/Root/testdb`: ```bash sudo systemctl start ydbd-testdb ``` - 1. ΠΠ°ΠΏΡΡΡΠΈΡΠ΅ Π΄ΠΎΠΏΠΎΠ»Π½ΠΈΡΠ΅Π»ΡΠ½ΡΠ΅ Π΄ΠΈΠ½Π½ΠΎΠ΄Ρ Π½Π° Π΄ΡΡΠ³ΠΈΡ
ΡΠ΅ΡΠ²Π΅ΡΠ°Ρ
Π΄Π»Ρ ΠΎΠ±Π΅ΡΠΏΠ΅ΡΠ΅Π½ΠΈΡ Π΄ΠΎΡΡΡΠΏΠ½ΠΎΡΡΠΈ Π±Π°Π·Ρ Π΄Π°Π½Π½ΡΡ
. - {% endlist %} +ΠΠ°ΠΏΡΡΡΠΈΡΠ΅ Π΄ΠΎΠΏΠΎΠ»Π½ΠΈΡΠ΅Π»ΡΠ½ΡΠ΅ Π΄ΠΈΠ½Π°ΠΌΠΈΡΠ΅ΡΠΊΠΈΠ΅ ΡΠ·Π»Ρ Π½Π° Π΄ΡΡΠ³ΠΈΡ
ΡΠ΅ΡΠ²Π΅ΡΠ°Ρ
Π΄Π»Ρ ΠΌΠ°ΡΡΡΠ°Π±ΠΈΡΠΎΠ²Π°Π½ΠΈΡ ΠΈ ΠΎΠ±Π΅ΡΠΏΠ΅ΡΠ΅Π½ΠΈΡ ΠΎΡΠΊΠ°Π·ΠΎΡΡΡΠΎΠΉΡΠΈΠ²ΠΎΡΡΠΈ Π±Π°Π·Ρ Π΄Π°Π½Π½ΡΡ
. + ## ΠΠ΅ΡΠ²ΠΎΠ½Π°ΡΠ°Π»ΡΠ½Π°Ρ Π½Π°ΡΡΡΠΎΠΉΠΊΠ° ΡΡΠ΅ΡΠ½ΡΡ
Π·Π°ΠΏΠΈΡΠ΅ΠΉ {#security-setup} ΠΡΠ»ΠΈ Π² ΡΠ°ΠΉΠ»Π΅ Π½Π°ΡΡΡΠΎΠ΅ΠΊ ΠΊΠ»Π°ΡΡΠ΅ΡΠ° Π²ΠΊΠ»ΡΡΠ΅Π½ ΡΠ΅ΠΆΠΈΠΌ Π°ΡΡΠ΅Π½ΡΠΈΡΠΈΠΊΠ°ΡΠΈΠΈ, ΡΠΎ ΠΏΠ΅ΡΠ΅Π΄ Π½Π°ΡΠ°Π»ΠΎΠΌ ΡΠ°Π±ΠΎΡΡ Ρ ΠΊΠ»Π°ΡΡΠ΅ΡΠΎΠΌ {{ ydb-short-name }} Π½Π΅ΠΎΠ±Ρ
ΠΎΠ΄ΠΈΠΌΠΎ Π²ΡΠΏΠΎΠ»Π½ΠΈΡΡ ΠΏΠ΅ΡΠ²ΠΎΠ½Π°ΡΠ°Π»ΡΠ½ΡΡ Π½Π°ΡΡΡΠΎΠΉΠΊΡ ΡΡΠ΅ΡΠ½ΡΡ
Π·Π°ΠΏΠΈΡΠ΅ΠΉ. @@ -470,7 +407,7 @@ LD_LIBRARY_PATH=/opt/ydb/lib /opt/ydb/bin/ydbd -f token-file admin database /Roo 1. ΠΡΠΏΠΎΠ»Π½ΠΈΡΠ΅ ΡΡΡΠ°Π½ΠΎΠ²ΠΊΡ ΠΏΠ°ΡΠΎΠ»Ρ ΡΡΠ΅ΡΠ½ΠΎΠΉ Π·Π°ΠΏΠΈΡΠΈ `root`: ```bash - ydb -e grpc://<node.ydb.tech>:2136 -d /Root/testdb --user root --no-password \ + ydb --ca-file ca.crt -e grpcs://<node.ydb.tech>:2136 -d /Root/testdb --user root --no-password \ yql -s 'ALTER USER root PASSWORD "passw0rd"' ``` @@ -479,23 +416,21 @@ LD_LIBRARY_PATH=/opt/ydb/lib /opt/ydb/bin/ydbd -f token-file admin database /Roo 1. Π‘ΠΎΠ·Π΄Π°ΠΉΡΠ΅ Π΄ΠΎΠΏΠΎΠ»Π½ΠΈΡΠ΅Π»ΡΠ½ΡΠ΅ ΡΡΠ΅ΡΠ½ΡΠ΅ Π·Π°ΠΏΠΈΡΠΈ: ```bash - ydb -e grpc://<node.ydb.tech>:2136 -d /Root/testdb --user root \ + ydb --ca-file ca.crt -e grpcs://<node.ydb.tech>:2136 -d /Root/testdb --user root \ yql -s 'CREATE USER user1 PASSWORD "passw0rd"' ``` 1. Π£ΡΡΠ°Π½ΠΎΠ²ΠΈΡΠ΅ ΠΏΡΠ°Π²Π° ΡΡΠ΅ΡΠ½ΡΡ
Π·Π°ΠΏΠΈΡΠ΅ΠΉ, Π²ΠΊΠ»ΡΡΠΈΠ² ΠΈΡ
Π²ΠΎ Π²ΡΡΡΠΎΠ΅Π½Π½ΡΠ΅ Π³ΡΡΠΏΠΏΡ: ```bash - ydb -e grpc://<node.ydb.tech>:2136 -d /Root/testdb --user root \ + ydb --ca-file ca.crt -e grpcs://<node.ydb.tech>:2136 -d /Root/testdb --user root \ yql -s 'ALTER GROUP `ADMINS` ADD USER user1' ``` -Π ΠΏΠ΅ΡΠ΅ΡΠΈΡΠ»Π΅Π½Π½ΡΡ
Π²ΡΡΠ΅ ΠΏΡΠΈΠΌΠ΅ΡΠ°Ρ
ΠΊΠΎΠΌΠ°Π½Π΄ `<node.ydb.tech>` - FQDN ΡΠ΅ΡΠ²Π΅ΡΠ°, Π½Π° ΠΊΠΎΡΠΎΡΠΎΠΌ Π·Π°ΠΏΡΡΠ΅Π½Π° Π΄ΠΈΠ½Π°ΠΌΠΈΡΠ΅ΡΠΊΠ°Ρ Π½ΠΎΠ΄Π°, ΠΎΠ±ΡΠ»ΡΠΆΠΈΠ²Π°ΡΡΠ°Ρ Π±Π°Π·Ρ `/Root/testdb`. +Π ΠΏΠ΅ΡΠ΅ΡΠΈΡΠ»Π΅Π½Π½ΡΡ
Π²ΡΡΠ΅ ΠΏΡΠΈΠΌΠ΅ΡΠ°Ρ
ΠΊΠΎΠΌΠ°Π½Π΄ `<node.ydb.tech>` - FQDN ΡΠ΅ΡΠ²Π΅ΡΠ°, Π½Π° ΠΊΠΎΡΠΎΡΠΎΠΌ Π·Π°ΠΏΡΡΠ΅Π½ Π»ΡΠ±ΠΎΠΉ Π΄ΠΈΠ½Π°ΠΌΠΈΡΠ΅ΡΠΊΠΈΠΉ ΡΠ·Π΅Π», ΠΎΠ±ΡΠ»ΡΠΆΠΈΠ²Π°ΡΡΠΈΠΉ Π±Π°Π·Ρ `/Root/testdb`. ΠΡΠΈ Π²ΡΠΏΠΎΠ»Π½Π΅Π½ΠΈΠΈ ΠΊΠΎΠΌΠ°Π½Π΄ ΡΠΎΠ·Π΄Π°Π½ΠΈΡ ΡΡΠ΅ΡΠ½ΡΡ
Π·Π°ΠΏΠΈΡΠ΅ΠΉ ΠΈ ΠΏΡΠΈΡΠ²ΠΎΠ΅Π½ΠΈΡ Π³ΡΡΠΏΠΏ ΠΊΠ»ΠΈΠ΅Π½Ρ {{ ydb-short-name }} CLI Π±ΡΠ΄Π΅Ρ Π·Π°ΠΏΡΠ°ΡΠΈΠ²Π°ΡΡ Π²Π²ΠΎΠ΄ ΠΏΠ°ΡΠΎΠ»Ρ ΠΏΠΎΠ»ΡΠ·ΠΎΠ²Π°ΡΠ΅Π»Ρ `root`. ΠΠ·Π±Π΅ΠΆΠ°ΡΡ ΠΌΠ½ΠΎΠ³ΠΎΠΊΡΠ°ΡΠ½ΠΎΠ³ΠΎ Π²Π²ΠΎΠ΄Π° ΠΏΠ°ΡΠΎΠ»Ρ ΠΌΠΎΠΆΠ½ΠΎ, ΡΠΎΠ·Π΄Π°Π² ΠΏΡΠΎΡΠΈΠ»Ρ ΠΏΠΎΠ΄ΠΊΠ»ΡΡΠ΅Π½ΠΈΡ, ΠΊΠ°ΠΊ ΠΎΠΏΠΈΡΠ°Π½ΠΎ Π² [Π΄ΠΎΠΊΡΠΌΠ΅Π½ΡΠ°ΡΠΈΠΈ {{ ydb-short-name }} CLI](../../reference/ydb-cli/profile/index.md). -ΠΡΠ»ΠΈ Π² ΠΊΠ»Π°ΡΡΠ΅ΡΠ΅ Π±ΡΠ»Π° Π²ΠΊΠ»ΡΡΠ΅Π½Π° Π·Π°ΡΠΈΡΠ° ΡΡΠ°ΡΠΈΠΊΠ° Ρ ΠΈΡΠΏΠΎΠ»ΡΠ·ΠΎΠ²Π°Π½ΠΈΠ΅ΠΌ TLS, ΡΠΎ Π²ΠΌΠ΅ΡΡΠΎ ΠΏΡΠΎΡΠΎΠΊΠΎΠ»Π° `grpc` Π² ΠΊΠΎΠΌΠ°Π½Π΄Π΅ Π²ΡΡΠ΅ ΡΠ»Π΅Π΄ΡΠ΅Ρ ΠΈΡΠΏΠΎΠ»ΡΠ·ΠΎΠ²Π°ΡΡ Π΅Π³ΠΎ Π·Π°ΡΠΈΡΠ΅Π½Π½ΡΠΉ Π²Π°ΡΠΈΠ°Π½Ρ `grpcs`, ΠΈ Π΄ΠΎΠΏΠΎΠ»Π½ΠΈΡΠ΅Π»ΡΠ½ΠΎ ΡΠΊΠ°Π·Π°ΡΡ ΠΏΡΡΡ ΠΊ ΡΠ°ΠΉΠ»Ρ Ρ ΡΠ΅ΡΡΠΈΡΠΈΠΊΠ°ΡΠΎΠΌ CA Π² ΠΏΠ°ΡΠ°ΠΌΠ΅ΡΡΠ΅ `--ca-file` (Π»ΠΈΠ±ΠΎ ΡΠΎΡ
ΡΠ°Π½ΠΈΡΡ Π² ΠΏΡΠΎΡΠΈΠ»Π΅ ΠΏΠΎΠ΄ΠΊΠ»ΡΡΠ΅Π½ΠΈΡ). - ## ΠΡΠΎΡΠ΅ΡΡΠΈΡΡΠΉΡΠ΅ ΡΠ°Π±ΠΎΡΡ Ρ ΡΠΎΠ·Π΄Π°Π½Π½ΠΎΠΉ Π±Π°Π·ΠΎΠΉ {#try-first-db} 1. Π£ΡΡΠ°Π½ΠΎΠ²ΠΈΡΠ΅ {{ ydb-short-name }} CLI, ΠΊΠ°ΠΊ ΠΎΠΏΠΈΡΠ°Π½ΠΎ Π² [Π΄ΠΎΠΊΡΠΌΠ΅Π½ΡΠ°ΡΠΈΠΈ](../../reference/ydb-cli/install.md). @@ -503,15 +438,64 @@ LD_LIBRARY_PATH=/opt/ydb/lib /opt/ydb/bin/ydbd -f token-file admin database /Roo 1. Π‘ΠΎΠ·Π΄Π°ΠΉΡΠ΅ ΡΠ΅ΡΡΠΎΠ²ΡΡ ΡΠ°Π±Π»ΠΈΡΡ `test_table`: ```bash - ydb -e grpc://<node.ydb.tech>:2136 -d /Root/testdb scripting yql \ - --script 'CREATE TABLE `testdir/test_table` (id Uint64, title Utf8, PRIMARY KEY (id));' + ydb --ca-file ca.crt -e grpcs://<node.ydb.tech>:2136 -d /Root/testdb --user root \ + yql -s 'CREATE TABLE `testdir/test_table` (id Uint64, title Utf8, PRIMARY KEY (id));' ``` - ΠΠ΄Π΅ `<node.ydb.tech>` - FQDN ΡΠ΅ΡΠ²Π΅ΡΠ°, Π½Π° ΠΊΠΎΡΠΎΡΠΎΠΌ Π·Π°ΠΏΡΡΠ΅Π½Π° Π΄ΠΈΠ½Π°ΠΌΠΈΡΠ΅ΡΠΊΠ°Ρ Π½ΠΎΠ΄Π°, ΠΎΠ±ΡΠ»ΡΠΆΠΈΠ²Π°ΡΡΠ°Ρ Π±Π°Π·Ρ `/Root/testdb`. + ΠΠ΄Π΅ `<node.ydb.tech>` - FQDN ΡΠ΅ΡΠ²Π΅ΡΠ°, Π½Π° ΠΊΠΎΡΠΎΡΠΎΠΌ Π·Π°ΠΏΡΡΠ΅Π½ Π΄ΠΈΠ½Π°ΠΌΠΈΡΠ΅ΡΠΊΠΈΠΉ ΡΠ·Π΅Π», ΠΎΠ±ΡΠ»ΡΠΆΠΈΠ²Π°ΡΡΠΈΠΉ Π±Π°Π·Ρ `/Root/testdb`. - Π£ΠΊΠ°Π·Π°Π½Π½ΡΡ Π²ΡΡΠ΅ ΠΊΠΎΠΌΠ°Π½Π΄Ρ Π½Π΅ΠΎΠ±Ρ
ΠΎΠ΄ΠΈΠΌΠΎ Π±ΡΠ΄Π΅Ρ ΡΠΊΠΎΡΡΠ΅ΠΊΡΠΈΡΠΎΠ²Π°ΡΡ, Π΅ΡΠ»ΠΈ Π² ΠΊΠ»Π°ΡΡΠ΅ΡΠ΅ Π²ΠΊΠ»ΡΡΠ΅Π½Π° Π·Π°ΡΠΈΡΠ° ΡΡΠ°ΡΠΈΠΊΠ° Ρ ΠΈΡΠΏΠΎΠ»ΡΠ·ΠΎΠ²Π°Π½ΠΈΠ΅ΠΌ TLS ΠΈΠ»ΠΈ Π°ΠΊΡΠΈΠ²ΠΈΡΠΎΠ²Π°Π½ ΡΠ΅ΠΆΠΈΠΌ Π°ΡΡΠ΅Π½ΡΠΈΡΠΈΠΊΠ°ΡΠΈΠΈ ΠΏΠΎΠ»ΡΠ·ΠΎΠ²Π°ΡΠ΅Π»Π΅ΠΉ. ΠΡΠΈΠΌΠ΅Ρ: +## ΠΡΠΎΠ²Π΅ΡΠΊΠ° Π΄ΠΎΡΡΡΠΏΠ° ΠΊΠΎ Π²ΡΡΡΠΎΠ΅Π½Π½ΠΎΠΌΡ web-ΠΈΠ½ΡΠ΅ΡΡΠ΅ΠΉΡΡ - ```bash - ydb -e grpcs://<node.ydb.tech>:2136 -d /Root/testdb --ca-file ydb-ca.crt --user root scripting yql \ - --script 'CREATE TABLE `testdir/test_table` (id Uint64, title Utf8, PRIMARY KEY (id));' - ``` +ΠΠ»Ρ ΠΏΡΠΎΠ²Π΅ΡΠΊΠΈ Π΄ΠΎΡΡΡΠΏΠ° ΠΊΠΎ Π²ΡΡΡΠΎΠ΅Π½Π½ΠΎΠΌΡ web-ΠΈΠ½ΡΠ΅ΡΡΠ΅ΠΉΡΡ {{ ydb-short-name }} Π΄ΠΎΡΡΠ°ΡΠΎΡΠ½ΠΎ ΠΎΡΠΊΡΡΡΡ Π² Web-Π±ΡΠ°ΡΠ·Π΅ΡΠ΅ ΡΡΡΠ°Π½ΠΈΡΡ Ρ Π°Π΄ΡΠ΅ΡΠΎΠΌ `https://<node.ydb.tech>:8765`, Π³Π΄Π΅ `<node.ydb.tech>` - FQDN ΡΠ΅ΡΠ²Π΅ΡΠ°, Π½Π° ΠΊΠΎΡΠΎΡΠΎΠΌ Π·Π°ΠΏΡΡΠ΅Π½ Π»ΡΠ±ΠΎΠΉ ΡΡΠ°ΡΠΈΡΠ΅ΡΠΊΠΈΠΉ ΡΠ·Π΅Π» {{ ydb-short-name }}. + +Π Web-Π±ΡΠ°ΡΠ·Π΅ΡΠ΅ Π΄ΠΎΠ»ΠΆΠ½ΠΎ Π±ΡΡΡ Π½Π°ΡΡΡΠΎΠ΅Π½ΠΎ Π΄ΠΎΠ²Π΅ΡΠΈΠ΅ Π² ΠΎΡΠ½ΠΎΡΠ΅Π½ΠΈΠΈ ΡΠ΅Π½ΡΡΠ° ΡΠ΅Π³ΠΈΡΡΡΠ°ΡΠΈΠΈ, Π²ΡΠΏΡΡΡΠΈΠ²ΡΠ΅Π³ΠΎ ΡΠ΅ΡΡΠΈΡΠΈΠΊΠ°ΡΡ Π΄Π»Ρ ΠΊΠ»Π°ΡΡΠ΅ΡΠ° {{ ydb-short-name }}, Π² ΠΏΡΠΎΡΠΈΠ²Π½ΠΎΠΌ ΡΠ»ΡΡΠ°Π΅ Π±ΡΠ΄Π΅Ρ ΠΎΡΠΎΠ±ΡΠ°ΠΆΠ΅Π½ΠΎ ΠΏΡΠ΅Π΄ΡΠΏΡΠ΅ΠΆΠ΄Π΅Π½ΠΈΠ΅ ΠΎΠ± ΠΈΡΠΏΠΎΠ»ΡΠ·ΠΎΠ²Π°Π½ΠΈΠΈ Π½Π΅Π΄ΠΎΠ²Π΅ΡΠ΅Π½Π½ΠΎΠ³ΠΎ ΡΠ΅ΡΡΠΈΡΠΈΠΊΠ°ΡΠ°. + +ΠΡΠ»ΠΈ Π² ΠΊΠ»Π°ΡΡΠ΅ΡΠ΅ Π²ΠΊΠ»ΡΡΠ΅Π½Π° Π°ΡΡΠ΅Π½ΡΠΈΡΠΈΠΊΠ°ΡΠΈΡ, Π² Web-Π±ΡΠ°ΡΠ·Π΅ΡΠ΅ Π΄ΠΎΠ»ΠΆΠ΅Π½ ΠΎΡΠΎΠ±ΡΠ°Π·ΠΈΡΡΡΡ Π·Π°ΠΏΡΠΎΡ Π»ΠΎΠ³ΠΈΠ½Π° ΠΈ ΠΏΠ°ΡΠΎΠ»Ρ. ΠΠΎΡΠ»Π΅ Π²Π²ΠΎΠ΄Π° Π²Π΅ΡΠ½ΡΡ
Π΄Π°Π½Π½ΡΡ
Π°ΡΡΠ΅Π½ΡΠΈΡΠΈΠΊΠ°ΡΠΈΠΈ Π΄ΠΎΠ»ΠΆΠ½Π° ΠΎΡΠΎΠ±ΡΠ°Π·ΠΈΡΡΡΡ Π½Π°ΡΠ°Π»ΡΠ½Π°Ρ ΡΡΡΠ°Π½ΠΈΡΠ° Π²ΡΡΡΠΎΠ΅Π½Π½ΠΎΠ³ΠΎ web-ΠΈΠ½ΡΠ΅ΡΡΠ΅ΠΉΡΠ°. ΠΠΏΠΈΡΠ°Π½ΠΈΠ΅ Π΄ΠΎΡΡΡΠΏΠ½ΡΡ
ΡΡΠ½ΠΊΡΠΈΠΉ ΠΈ ΠΏΠΎΠ»ΡΠ·ΠΎΠ²Π°ΡΠ΅Π»ΡΡΠΊΠΎΠ³ΠΎ ΠΈΠ½ΡΠ΅ΡΡΠ΅ΠΉΡΠ° ΠΏΡΠΈΠ²Π΅Π΄Π΅Π½ΠΎ Π² ΡΠ°Π·Π΄Π΅Π»Π΅ [{#T}](../../maintenance/embedded_monitoring/index.md). + +{% note info %} + +ΠΠ±ΡΡΠ½ΠΎ Π΄Π»Ρ ΠΎΠ±Π΅ΡΠΏΠ΅ΡΠ΅Π½ΠΈΡ Π΄ΠΎΡΡΡΠΏΠ° ΠΊΠΎ Π²ΡΡΡΠΎΠ΅Π½Π½ΠΎΠΌΡ web-ΠΈΠ½ΡΠ΅ΡΡΠ΅ΠΉΡΡ {{ ydb-short-name }} Π½Π°ΡΡΡΠ°ΠΈΠ²Π°ΡΡ ΠΎΡΠΊΠ°Π·ΠΎΡΡΡΠΎΠΉΡΠΈΠ²ΡΠΉ HTTP-Π±Π°Π»Π°Π½ΡΠΈΡΠΎΠ²ΡΠΈΠΊ Π½Π° Π±Π°Π·Π΅ ΠΏΡΠΎΠ³ΡΠ°ΠΌΠΌΠ½ΠΎΠ³ΠΎ ΠΎΠ±Π΅ΡΠΏΠ΅ΡΠ΅Π½ΠΈΡ `haproxy`, `nginx` ΠΈΠ»ΠΈ Π°Π½Π°Π»ΠΎΠ³ΠΎΠ². ΠΠ΅ΡΠ°Π»ΠΈ Π½Π°ΡΡΡΠΎΠΉΠΊΠΈ HTTP-Π±Π°Π»Π°Π½ΡΠΈΡΠΎΠ²ΡΠΈΠΊΠ° Π²ΡΡ
ΠΎΠ΄ΡΡ Π·Π° ΡΠ°ΠΌΠΊΠΈ ΡΡΠ°Π½Π΄Π°ΡΡΠ½ΠΎΠΉ ΠΈΠ½ΡΡΡΡΠΊΡΠΈΠΈ ΠΏΠΎ ΡΡΡΠ°Π½ΠΎΠ²ΠΊΠ΅ {{ ydb-short-name }}. + +{% endnote %} + + +# ΠΡΠΎΠ±Π΅Π½Π½ΠΎΡΡΠΈ ΡΡΡΠ°Π½ΠΎΠ²ΠΊΠΈ {{ ydb-short-name }} Π² Π½Π΅Π·Π°ΡΠΈΡΠ΅Π½Π½ΠΎΠΌ ΡΠ΅ΠΆΠΈΠΌΠ΅ + +{% note warning %} + +ΠΡ Π½Π΅ ΡΠ΅ΠΊΠΎΠΌΠ΅Π½Π΄ΡΠ΅ΠΌ ΠΈΡΠΏΠΎΠ»ΡΠ·ΠΎΠ²Π°ΡΡ Π½Π΅Π·Π°ΡΠΈΡΠ΅Π½Π½ΡΠΉ ΡΠ΅ΠΆΠΈΠΌ ΡΠ°Π±ΠΎΡΡ {{ ydb-short-name }} Π½ΠΈ ΠΏΡΠΈ ΡΠΊΡΠΏΠ»ΡΠ°ΡΠ°ΡΠΈΠΈ, Π½ΠΈ ΠΏΡΠΈ ΡΠ°Π·ΡΠ°Π±ΠΎΡΠΊΠ΅ ΠΏΡΠΈΠ»ΠΎΠΆΠ΅Π½ΠΈΠΉ. + +{% endnote %} + +ΠΠΏΠΈΡΠ°Π½Π½Π°Ρ Π²ΡΡΠ΅ ΠΏΡΠΎΡΠ΅Π΄ΡΡΠ° ΡΡΡΠ°Π½ΠΎΠ²ΠΊΠΈ ΠΏΡΠ΅Π΄ΡΡΠΌΠ°ΡΡΠΈΠ²Π°Π΅Ρ ΡΠ°Π·Π²ΡΡΡΡΠ²Π°Π½ΠΈΠ΅ {{ ydb-short-name }} Π² ΡΡΠ°Π½Π΄Π°ΡΡΠ½ΠΎΠΌ Π·Π°ΡΠΈΡΠ΅Π½Π½ΠΎΠΌ ΡΠ΅ΠΆΠΈΠΌΠ΅. + +ΠΠ΅Π·Π°ΡΠΈΡΡΠ½Π½ΡΠΉ ΡΠ΅ΠΆΠΈΠΌ ΡΠ°Π±ΠΎΡΡ {{ ydb-short-name }} ΠΏΡΠ΅Π΄Π½Π°Π·Π½Π°ΡΠ΅Π½ Π΄Π»Ρ ΡΠ΅ΡΠ΅Π½ΠΈΡ ΡΠ΅ΡΡΠΎΠ²ΡΡ
Π·Π°Π΄Π°Ρ, ΠΏΡΠ΅ΠΈΠΌΡΡΠ΅ΡΡΠ²Π΅Π½Π½ΠΎ ΡΠ²ΡΠ·Π°Π½Π½ΡΡ
Ρ ΡΠ°Π·ΡΠ°Π±ΠΎΡΠΊΠΎΠΉ ΠΈ ΡΠ΅ΡΡΠΈΡΠΎΠ²Π°Π½ΠΈΠ΅ΠΌ ΠΏΡΠΎΠ³ΡΠ°ΠΌΠΌΠ½ΠΎΠ³ΠΎ ΠΎΠ±Π΅ΡΠΏΠ΅ΡΠ΅Π½ΠΈΡ {{ ydb-short-name }}. Π Π½Π΅Π·Π°ΡΠΈΡΠ΅Π½Π½ΠΎΠΌ ΡΠ΅ΠΆΠΈΠΌΠ΅: +* ΡΡΠ°ΡΠΈΠΊ ΠΌΠ΅ΠΆΠ΄Ρ ΡΠ·Π»Π°ΠΌΠΈ ΠΊΠ»Π°ΡΡΠ΅ΡΠ°, Π° ΡΠ°ΠΊΠΆΠ΅ ΠΌΠ΅ΠΆΠ΄Ρ ΠΏΡΠΈΠ»ΠΎΠΆΠ΅Π½ΠΈΡΠΌΠΈ ΠΈ ΠΊΠ»Π°ΡΡΠ΅ΡΠΎΠΌ ΠΈΡΠΏΠΎΠ»ΡΠ·ΡΠ΅Ρ Π½Π΅Π·Π°ΡΠΈΡΡΠΎΠ²Π°Π½Π½ΡΠ΅ ΡΠΎΠ΅Π΄ΠΈΠ½Π΅Π½ΠΈΡ; +* Π½Π΅ ΠΈΡΠΏΠΎΠ»ΡΠ·ΡΠ΅ΡΡΡ Π°ΡΡΠ΅Π½ΡΠΈΡΠΈΠΊΠ°ΡΠΈΡ ΠΏΠΎΠ»ΡΠ·ΠΎΠ²Π°ΡΠ΅Π»Π΅ΠΉ (Π²ΠΊΠ»ΡΡΠ΅Π½ΠΈΠ΅ Π°ΡΡΠ΅Π½ΡΠΈΡΠΈΠΊΠ°ΡΠΈΠΈ ΠΏΡΠΈ ΠΎΡΡΡΡΡΡΠ²ΠΈ ΡΠΈΡΡΠΎΠ²Π°Π½ΠΈΡ ΡΡΠ°ΡΠΈΠΊΠ° Π½Π΅ ΠΈΠΌΠ΅Π΅Ρ ΡΠΌΡΡΠ»Π°, ΠΏΠΎΡΠΊΠΎΠ»ΡΠΊΡ Π»ΠΎΠ³ΠΈΠ½ ΠΈ ΠΏΠ°ΡΠΎΠ»Ρ Π² ΡΠ°ΠΊΠΎΠΉ ΠΊΠΎΠ½ΡΠΈΠ³ΡΡΠ°ΡΠΈΠΈ ΠΏΠ΅ΡΠ΅Π΄Π°Π²Π°Π»ΠΈΡΡ Π±Ρ ΡΠ΅ΡΠ΅Π· ΡΠ΅ΡΡ Π² ΠΎΡΠΊΡΡΡΠΎΠΌ Π²ΠΈΠ΄Π΅). + +Π£ΡΡΠ°Π½ΠΎΠ²ΠΊΠ° {{ ydb-short-name }} Π΄Π»Ρ ΡΠ°Π±ΠΎΡΡ Π² Π½Π΅Π·Π°ΡΠΈΡΠ΅Π½Π½ΠΎΠΌ ΡΠ΅ΠΆΠΈΠΌΠ΅ ΠΏΡΠΎΠΈΠ·Π²ΠΎΠ΄ΠΈΡΡΡ Π² ΠΏΠΎΡΡΠ΄ΠΊΠ΅, ΠΎΠΏΠΈΡΠ°Π½Π½ΠΎΠΌ Π²ΡΡΠ΅, ΡΠΎ ΡΠ»Π΅Π΄ΡΡΡΠΈΠΌΠΈ ΠΈΡΠΊΠ»ΡΡΠ΅Π½ΠΈΡΠΌΠΈ: + +1. ΠΡΠΈ ΠΏΠΎΠ΄Π³ΠΎΡΠΎΠ²ΠΊΠ΅ ΠΊ ΡΡΡΠ°Π½ΠΎΠ²ΠΊΠ΅ Π½Π΅ ΡΡΠ΅Π±ΡΠ΅ΡΡΡ ΡΠΎΡΠΌΠΈΡΠΎΠ²Π°ΡΡ ΡΠ΅ΡΡΠΈΡΠΈΠΊΠ°ΡΡ ΠΈ ΠΊΠ»ΡΡΠΈ TLS, ΠΈ Π½Π΅ Π²ΡΠΏΠΎΠ»Π½ΡΠ΅ΡΡΡ ΠΊΠΎΠΏΠΈΡΠΎΠ²Π°Π½ΠΈΠ΅ ΡΠ΅ΡΡΠΈΡΠΈΠΊΠ°ΡΠΎΠ² ΠΈ ΠΊΠ»ΡΡΠ΅ΠΉ Π½Π° ΡΠ·Π»Ρ ΠΊΠ»Π°ΡΡΠ΅ΡΠ°. + +1. ΠΠ· ΠΊΠΎΠ½ΡΠΈΠ³ΡΡΠ°ΡΠΈΠΎΠ½Π½ΡΡ
ΡΠ°ΠΉΠ»ΠΎΠ² ΠΊΠ»Π°ΡΡΠ΅ΡΠ½ΡΡ
ΡΠ·Π»ΠΎΠ² ΠΈΡΠΊΠ»ΡΡΠ°Π΅ΡΡΡ ΠΏΠΎΠ΄ΡΠ΅ΠΊΡΠΈΡ `security_config` Π² ΡΠ΅ΠΊΡΠΈΠΈ `domains_config`, Π° ΡΠ°ΠΊΠΆΠ΅ ΡΠ΅Π»ΠΈΠΊΠΎΠΌ ΠΈΡΠΊΠ»ΡΡΠ°ΡΡΡΡ ΡΠ΅ΠΊΡΠΈΠΈ `interconnect_config` ΠΈ `grpc_config`. + +1. ΠΡΠΏΠΎΠ»ΡΠ·ΡΡΡΡΡ ΡΠΏΡΠΎΡΠ΅Π½Π½ΡΠΉ Π²Π°ΡΠΈΠ°Π½Ρ ΠΊΠΎΠΌΠ°Π½Π΄ Π·Π°ΠΏΡΡΠΊΠ° ΡΡΠ°ΡΠΈΡΠ΅ΡΠΊΠΈΡ
ΠΈ Π΄ΠΈΠ½Π°ΠΌΠΈΡΠ΅ΡΠΊΠΈΡ
ΡΠ·Π»ΠΎΠ² ΠΊΠ»Π°ΡΡΠ΅ΡΠ°: ΠΈΡΠΊΠ»ΡΡΠ°ΡΡΡΡ ΠΎΠΏΡΠΈΠΈ Ρ ΠΈΠΌΠ΅Π½Π°ΠΌΠΈ ΡΠ°ΠΉΠ»ΠΎΠ² ΡΠ΅ΡΡΠΈΡΠΈΠΊΠ°ΡΠΎΠ² ΠΈ ΠΊΠ»ΡΡΠ΅ΠΉ, ΠΈΡΠΏΠΎΠ»ΡΠ·ΡΠ΅ΡΡΡ ΠΏΡΠΎΡΠΎΠΊΠΎΠ» `grpc` Π²ΠΌΠ΅ΡΡΠΎ `grpcs` ΠΏΡΠΈ ΡΠΊΠ°Π·Π°Π½ΠΈΠΈ ΡΠΎΡΠ΅ΠΊ ΠΏΠΎΠ΄ΠΊΠ»ΡΡΠ΅Π½ΠΈΡ. + +1. ΠΡΠΎΠΏΡΡΠΊΠ°Π΅ΡΡΡ Π½Π΅Π½ΡΠΆΠ½ΡΠΉ Π² Π½Π΅Π·Π°ΡΠΈΡΠ΅Π½Π½ΠΎΠΌ ΡΠ΅ΠΆΠΈΠΌΠ΅ ΡΠ°Π³ ΠΏΠΎ ΠΏΠΎΠ»ΡΡΠ΅Π½ΠΈΡ ΡΠΎΠΊΠ΅Π½Π° Π°ΡΡΠ΅Π½ΡΠΈΡΠΈΠΊΠ°ΡΠΈΠΈ ΠΏΠ΅ΡΠ΅Π΄ Π²ΡΠΏΠΎΠ»Π½Π΅Π½ΠΈΠ΅ΠΌ ΠΈΠ½ΠΈΡΠΈΠ°Π»ΠΈΠ·Π°ΡΠΈΠΈ ΠΊΠ»Π°ΡΡΠ΅ΡΠ° ΠΈ ΡΠΎΠ·Π΄Π°Π½ΠΈΠ΅ΠΌ Π±Π°Π·Ρ Π΄Π°Π½Π½ΡΡ
. + +1. ΠΠΎΠΌΠ°Π½Π΄Π° ΠΈΠ½ΠΈΡΠΈΠ°Π»ΠΈΠ·Π°ΡΠΈΠΈ ΠΊΠ»Π°ΡΡΠ΅ΡΠ° Π²ΡΠΏΠΎΠ»Π½ΡΠ΅ΡΡΡ Π² ΡΠ»Π΅Π΄ΡΡΡΠ΅ΠΉ ΡΠΎΡΠΌΠ΅: + + ```bash + export LD_LIBRARY_PATH=/opt/ydb/lib + /opt/ydb/bin/ydbd admin blobstorage config init --yaml-file /opt/ydb/cfg/config.yaml + echo $? + ``` + +1. ΠΠΎΠΌΠ°Π½Π΄Π° ΡΠΎΠ·Π΄Π°Π½ΠΈΡ Π±Π°Π·Ρ Π΄Π°Π½Π½ΡΡ
Π²ΡΠΏΠΎΠ»Π½ΡΠ΅ΡΡΡ Π² ΡΠ»Π΅Π΄ΡΡΡΠ΅ΠΉ ΡΠΎΡΠΌΠ΅: + + ```bash + export LD_LIBRARY_PATH=/opt/ydb/lib + /opt/ydb/bin/ydbd admin database /Root/testdb create ssd:1 + ``` + +1. ΠΡΠΈ ΠΎΠ±ΡΠ°ΡΠ΅Π½ΠΈΠΈ ΠΊ Π±Π°Π·Π΅ Π΄Π°Π½Π½ΡΡ
ΠΈΠ· {{ ydb-short-name }} CLI ΠΈ ΠΏΡΠΈΠ»ΠΎΠΆΠ΅Π½ΠΈΠΉ ΠΈΡΠΏΠΎΠ»ΡΠ·ΡΠ΅ΡΡΡ ΠΏΡΠΎΡΠΎΠΊΠΎΠ» grpc Π²ΠΌΠ΅ΡΡΠΎ grpcs, ΠΈ Π½Π΅ ΠΈΡΠΏΠΎΠ»ΡΠ·ΡΠ΅ΡΡΡ Π°ΡΡΠ΅Π½ΡΠΈΡΠΈΠΊΠ°ΡΠΈΡ. |