HDFS Transparent Encryption Explained with Diagrams: From KMS and EZ Keys to EDEKs, the Whole Key Flow in One Pass
2026/6/8 21:55:58
| Component | Version (recommended) | Platform notes |
|---|---|---|
| Linux | Ubuntu 22.04 / Rocky 9 | Mainstream enterprise distributions |
| Nginx | 1.24+ | Both (package-manager install) |
| MySQL | 8.0 | Ubuntu uses MariaDB/MySQL, Rocky uses MySQL |
| Tomcat | 9.0 | Both (tarball install) |
| JDK | 1.8 (OpenJDK) | Both |
Ubuntu 22.04:

```bash
# Update the system
apt update && apt upgrade -y
# Disable the firewall (in production, open only the required ports instead)
ufw disable
# Disable SELinux: Ubuntu ships without SELinux, so this step is skipped
# Install dependencies
apt install -y wget vim cron rsync openjdk-8-jdk
```

Rocky Linux 9:

```bash
# Update the system
dnf update -y
# Disable the firewall
systemctl stop firewalld && systemctl disable firewalld
# Disable SELinux (now, and permanently after reboot)
setenforce 0 && sed -i 's/^SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config
# Install dependencies
dnf install -y wget vim cronie rsync java-1.8.0-openjdk-devel
# Enable the EPEL repository (Nginx dependency)
dnf install -y epel-release
```

Make sure /data is mounted on a dedicated disk (it is the core log directory):
```bash
# Check the mount status
df -h | grep /data
# If it is not mounted, mount it (replace /dev/sdb1 with the actual disk)
mkdir -p /data
mount /dev/sdb1 /data
# Mount automatically at boot (same on both distributions)
echo "/dev/sdb1 /data ext4 defaults 0 0" >> /etc/fstab
# Verify the fstab entry
mount -a
# Tomcat log directory (set permissions)
mkdir -p /data/logs/tomcat
chmod -R 755 /data/logs/tomcat
# NAS backup directory (make sure the NAS is already mounted at /nas/logs)
mkdir -p /nas/logs/$(hostname)/$(date +%Y)/$(date +%m_%d)
chmod -R 755 /nas/logs
```

Database on Ubuntu 22.04 (MariaDB):

```bash
apt install -y mariadb-server
# Start and enable at boot
systemctl start mariadb && systemctl enable mariadb
# Secure initialization (set the root password, remove anonymous users)
mysql_secure_installation
```

Database on Rocky Linux 9 (MySQL 8.0):

```bash
# Add the official MySQL repository
dnf install -y https://dev.mysql.com/get/mysql80-community-release-el9-1.noarch.rpm
# Install the MySQL server
dnf install -y mysql-community-server
# Start and enable at boot
systemctl start mysqld && systemctl enable mysqld
# Look up the generated initial root password
grep 'temporary password' /var/log/mysqld.log
# Secure initialization (change the password and harden the defaults)
mysql_secure_installation
```

Nginx on Ubuntu 22.04:

```bash
apt install -y nginx
# Start and enable at boot
systemctl start nginx && systemctl enable nginx
```

Nginx on Rocky Linux 9:

```bash
dnf install -y nginx
# Start and enable at boot
systemctl start nginx && systemctl enable nginx
```

Tomcat (same on both distributions):

```bash
# Download the stable Tomcat 9 release
wget https://archive.apache.org/dist/tomcat/tomcat-9/v9.0.85/bin/apache-tomcat-9.0.85.tar.gz -P /usr/local/
# Extract
tar -zxvf /usr/local/apache-tomcat-9.0.85.tar.gz -C /usr/local/
# Create a symlink (easier to maintain across upgrades)
ln -s /usr/local/apache-tomcat-9.0.85 /usr/local/tomcat
# Dedicated service account without a login shell (Ubuntu/Rocky)
useradd -r -m -U -d /usr/local/tomcat -s /sbin/nologin tomcat
chown -R tomcat:tomcat /usr/local/tomcat/
```

systemd unit on Ubuntu 22.04:

```bash
cat > /etc/systemd/system/tomcat.service <<EOF
[Unit]
Description=Apache Tomcat 9 Web Server
After=network.target mariadb.service

[Service]
Type=forking
User=tomcat
Group=tomcat
Environment="JAVA_HOME=/usr/lib/jvm/java-8-openjdk-amd64"
Environment="CATALINA_HOME=/usr/local/tomcat"
Environment="CATALINA_BASE=/usr/local/tomcat"
# Send the JVM's stdout/stderr (catalina.out) to the log disk as well
Environment="CATALINA_OUT=/data/logs/tomcat/catalina.out"
Environment="CATALINA_OPTS=-Xms512M -Xmx1024M -server -XX:+UseParallelGC"
ExecStart=/usr/local/tomcat/bin/startup.sh
ExecStop=/usr/local/tomcat/bin/shutdown.sh
Restart=on-failure

[Install]
WantedBy=multi-user.target
EOF
```

systemd unit on Rocky Linux 9:

```bash
cat > /etc/systemd/system/tomcat.service <<EOF
[Unit]
Description=Apache Tomcat 9 Web Server
After=network.target mysqld.service

[Service]
Type=forking
User=tomcat
Group=tomcat
Environment="JAVA_HOME=/usr/lib/jvm/java-1.8.0-openjdk"
Environment="CATALINA_HOME=/usr/local/tomcat"
Environment="CATALINA_BASE=/usr/local/tomcat"
# Send the JVM's stdout/stderr (catalina.out) to the log disk as well
Environment="CATALINA_OUT=/data/logs/tomcat/catalina.out"
Environment="CATALINA_OPTS=-Xms512M -Xmx1024M -server -XX:+UseParallelGC"
ExecStart=/usr/local/tomcat/bin/startup.sh
ExecStop=/usr/local/tomcat/bin/shutdown.sh
Restart=on-failure

[Install]
WantedBy=multi-user.target
EOF
```

Start the service (same on both distributions):

```bash
systemctl daemon-reload
systemctl start tomcat && systemctl enable tomcat
# Verify that it started
systemctl status tomcat
```

Tomcat's main log configuration file is conf/logging.properties. Change the output directory in it and use the Apache SimpleFormatter standard layout (timestamp + level + message).
```bash
vim /usr/local/tomcat/conf/logging.properties
```

```properties
# Global log level
.level = INFO

# Handlers to instantiate (file handlers + console); the root logger uses the
# Catalina file handler and the console
handlers = 1catalina.org.apache.juli.FileHandler, 2localhost.org.apache.juli.FileHandler, 3manager.org.apache.juli.FileHandler, 4host-manager.org.apache.juli.FileHandler, java.util.logging.ConsoleHandler
.handlers = 1catalina.org.apache.juli.FileHandler, java.util.logging.ConsoleHandler

# ========== Catalina main log (core) ==========
# directory points at the mounted disk. Keep comments on their own line:
# in a .properties file a "#" after a value becomes part of the value.
1catalina.org.apache.juli.FileHandler.level = INFO
1catalina.org.apache.juli.FileHandler.directory = /data/logs/tomcat
1catalina.org.apache.juli.FileHandler.prefix = catalina
1catalina.org.apache.juli.FileHandler.formatter = java.util.logging.SimpleFormatter
1catalina.org.apache.juli.FileHandler.encoding = UTF-8

# ========== Console log (standard layout) ==========
java.util.logging.ConsoleHandler.level = INFO
java.util.logging.ConsoleHandler.formatter = java.util.logging.SimpleFormatter
java.util.logging.ConsoleHandler.encoding = UTF-8

# ========== Localhost log ==========
2localhost.org.apache.juli.FileHandler.level = INFO
2localhost.org.apache.juli.FileHandler.directory = /data/logs/tomcat
2localhost.org.apache.juli.FileHandler.prefix = localhost
2localhost.org.apache.juli.FileHandler.formatter = java.util.logging.SimpleFormatter
2localhost.org.apache.juli.FileHandler.encoding = UTF-8

# ========== Manager / Host-Manager logs ==========
3manager.org.apache.juli.FileHandler.level = INFO
3manager.org.apache.juli.FileHandler.directory = /data/logs/tomcat
3manager.org.apache.juli.FileHandler.prefix = manager
3manager.org.apache.juli.FileHandler.formatter = java.util.logging.SimpleFormatter
3manager.org.apache.juli.FileHandler.encoding = UTF-8

4host-manager.org.apache.juli.FileHandler.level = INFO
4host-manager.org.apache.juli.FileHandler.directory = /data/logs/tomcat
4host-manager.org.apache.juli.FileHandler.prefix = host-manager
4host-manager.org.apache.juli.FileHandler.formatter = java.util.logging.SimpleFormatter
4host-manager.org.apache.juli.FileHandler.encoding = UTF-8

# Bind the per-host and per-webapp loggers to handlers 2-4 (without these
# bindings those handlers are defined but never written to)
org.apache.catalina.core.ContainerBase.[Catalina].[localhost].level = INFO
org.apache.catalina.core.ContainerBase.[Catalina].[localhost].handlers = 2localhost.org.apache.juli.FileHandler
org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/manager].level = INFO
org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/manager].handlers = 3manager.org.apache.juli.FileHandler
org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/host-manager].level = INFO
org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/host-manager].handlers = 4host-manager.org.apache.juli.FileHandler

# ========== Standard log layout ==========
# Layout: [date time] [level] message
java.util.logging.SimpleFormatter.format = [%1$tF %1$tT] [%4$-7s] %5$s %n
```

```bash
systemctl restart tomcat
# Check that the log files are being created
ls -l /data/logs/tomcat/
# Check that the lines follow the standard layout
head -10 /data/logs/tomcat/catalina.out
```

Sample of the standard layout:
```text
[2025-07-10 15:30:00] [INFO ] Initializing ProtocolHandler ["http-nio-8080"]
[2025-07-10 15:30:00] [INFO ] Starting service [Catalina]
[2025-07-10 15:30:00] [INFO ] Starting Servlet engine: [Apache Tomcat/9.0.85]
```

Backup script:

```bash
vim /usr/local/bin/tomcat_log_backup.sh
```

```bash
#!/bin/bash
# Works on Ubuntu and Rocky Linux: back up the Tomcat logs to the NAS, then restart Tomcat

# Log file of this script
BACKUP_LOG=/var/log/tomcat_log_backup.log
# Source log directory
SRC_DIR=/data/logs/tomcat
# NAS backup directory (hostname / year / month_day)
HOST_NAME=$(hostname)
YEAR=$(date +%Y)
DATE_DIR=$(date +%m_%d)
DEST_DIR=/nas/logs/${HOST_NAME}/${YEAR}/${DATE_DIR}

# Logging helper
log() {
    echo "[$(date +'%Y-%m-%d %H:%M:%S')] $1" >> "${BACKUP_LOG}"
}

# Check that the source directory exists
if [ ! -d "${SRC_DIR}" ]; then
    log "ERROR: source log directory ${SRC_DIR} does not exist!"
    exit 1
fi

# Create the backup directory (recursively)
if ! mkdir -p "${DEST_DIR}"; then
    log "ERROR: failed to create backup directory ${DEST_DIR}!"
    exit 1
fi

# Back up the logs (source files are kept; rsync copies incrementally)
if rsync -avz --exclude="*.tmp" --exclude="*.lock" "${SRC_DIR}/" "${DEST_DIR}/"; then
    log "SUCCESS: logs backed up to ${DEST_DIR}"
else
    log "ERROR: log backup failed!"
    exit 1
fi

# Restart Tomcat. The tomcat.service unit defines no ExecReload, so
# "systemctl reload tomcat" is rejected by systemd; a restart is used instead.
if systemctl restart tomcat; then
    log "SUCCESS: Tomcat restarted"
else
    log "ERROR: Tomcat restart failed!"
    exit 1
fi

# Optional: remove backups older than 7 days (adjust to the NAS capacity).
# -mindepth/-maxdepth restrict the deletion to the per-day directories.
find /nas/logs/${HOST_NAME}/${YEAR}/ -mindepth 1 -maxdepth 1 -type d -mtime +7 -exec rm -rf {} \;
log "INFO: backups older than 7 days removed (if any)"
exit 0
```

```bash
chmod +x /usr/local/bin/tomcat_log_backup.sh
# Run it once by hand
/usr/local/bin/tomcat_log_backup.sh
# Check the script's log
cat /var/log/tomcat_log_backup.log
```

Schedule it with cron (edit the crontab as root):

```bash
crontab -e
```

Add this line to run the backup script every day at 00:00:

```text
0 0 * * * /usr/local/bin/tomcat_log_backup.sh
```

```bash
# List the scheduled jobs
crontab -l
# Restart the cron service (the service name differs per distribution)
# Ubuntu
systemctl restart cron && systemctl enable cron
# Rocky Linux
systemctl restart crond && systemctl enable crond
```

Nginx reverse proxy (the file path is the same on Ubuntu and Rocky Linux):

```bash
vim /etc/nginx/conf.d/tomcat_proxy.conf
```

```nginx
server {
    listen 80;
    server_name localhost;  # replace with the real domain (e.g. tomcat.example.com)

    # Nginx access/error logs (directed to /data). "combined" is the predefined
    # format; Ubuntu's default nginx.conf defines no format named "main".
    access_log /data/logs/nginx/tomcat_access.log combined;
    error_log  /data/logs/nginx/tomcat_error.log warn;

    # Reverse proxy to Tomcat on port 8080
    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_connect_timeout 60s;  # connect timeout
        proxy_read_timeout 60s;     # read timeout
    }
}
```

```bash
mkdir -p /data/logs/nginx
# Ubuntu: the Nginx workers run as www-data
chown -R www-data:www-data /data/logs/nginx
# Rocky Linux: the Nginx workers run as nginx
chown -R nginx:nginx /data/logs/nginx
# Check the configuration syntax
nginx -t
# Restart Nginx
systemctl restart nginx
```

Verification:

```bash
# Check the NAS backup directory
ls -l /nas/logs/$(hostname)/$(date +%Y)/$(date +%m_%d)/
# Check the backup script's log
cat /var/log/tomcat_log_backup.log
# Check the Tomcat process
ps -ef | grep tomcat
# Check the Tomcat service status
systemctl status tomcat
# Confirm that Tomcat came back up after the backup script restarted it
grep "Server startup" /data/logs/tomcat/catalina.out
```

| Symptom | What to check |
|---|---|
| Logs are not written to /data/logs/tomcat | Check the directory settings in logging.properties; check that the tomcat user can write to /data/logs/tomcat |
| Crontab job does not run | Check /var/log/cron (Rocky) or /var/log/syslog (Ubuntu); run the script by hand to see whether it errors |
| NAS backup fails | Check that /nas/logs is mounted (df -h); check the permissions on the target directory (chmod 755) |
| Tomcat reload fails | Check the tomcat.service configuration; run systemctl daemon-reload; check journalctl -u tomcat |
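The verification steps above check the log layout by eye (`head -10`) and treat an rsync exit code of 0 as a successful backup. The script below is an added example, not part of the original guide, that automates both checks for the first and third rows of the table: it counts lines that break the SimpleFormatter layout configured in logging.properties (anything a webapp writes straight to System.out lands in catalina.out without the prefix), and compares the NAS copy with the source byte for byte, which also catches a file cut short when the NAS drops mid-copy. It runs on constructed sample data in a temporary directory; the hostname web01, the dates and the log lines are made up, and on a real host you would call run_checks with /data/logs/tomcat and the /nas/logs/<host>/<year>/<mm_dd> directory that the backup script writes to.

```shell
#!/usr/bin/env bash
# Added example (not from the original guide): post-deployment checks for the
# "logs not written" and "NAS backup fails" rows above. Paths, hostname (web01)
# and log lines below are constructed for the demo; pass the real directories
# (/data/logs/tomcat and /nas/logs/<host>/<YYYY>/<mm_dd>) to run_checks on a host.

# Layout produced by the SimpleFormatter line in logging.properties:
#   [YYYY-MM-DD HH:MM:SS] [LEVEL  ] message   (level padded to 7 chars by %4$-7s)
LOG_LINE_RE='^\[[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9] [0-9][0-9]:[0-9][0-9]:[0-9][0-9]\] \[[A-Z]+ *\] .'

# Number of lines in a log file that do NOT follow the layout (0 = clean).
invalid_log_lines() {
  grep -Ecv "$LOG_LINE_RE" "$1" || true
}

# Number of lines at one level, e.g.: count_log_level catalina.log SEVERE
count_log_level() {
  grep -Ec "^\[[0-9: -]+\] \[$2 *\] " "$1" || true
}

# Compare a backup directory with its source: every source file (minus the
# *.tmp/*.lock files the backup script excludes) must exist in the destination
# with identical content. cmp is used instead of sizes or timestamps so a file
# cut short by a NAS hiccup is caught. Returns 0 only when the copy is complete.
verify_backup() {
  local src="$1" dst="$2" list rel
  [ -d "$dst" ] || { echo "backup dir $dst missing (NAS not mounted?)" >&2; return 1; }
  list=$(mktemp)
  (cd "$src" && find . -type f ! -name '*.tmp' ! -name '*.lock') | sed 's|^\./||' > "$list"
  while IFS= read -r rel; do
    if [ ! -f "$dst/$rel" ]; then
      echo "missing in backup: $rel" >&2; rm -f "$list"; return 1
    fi
    if ! cmp -s "$src/$rel" "$dst/$rel"; then
      echo "content differs: $rel" >&2; rm -f "$list"; return 1
    fi
  done < "$list"
  rm -f "$list"
  return 0
}

# Run both checks; prints one verdict line per check and returns the number of
# failed checks, so a caller (e.g. the backup script's log() helper) can record it.
run_checks() {
  local src="$1" dst="$2" failures=0 f bad
  for f in "$src"/*.log; do
    bad=$(invalid_log_lines "$f")
    if [ "$bad" -eq 0 ]; then
      echo "OK   format: $f"
    else
      echo "FAIL format: $f has $bad line(s) outside the [date] [level] message layout"
      failures=$((failures + 1))
    fi
  done
  if verify_backup "$src" "$dst"; then
    echo "OK   backup: $dst matches $src"
  else
    echo "FAIL backup: $dst is incomplete"
    failures=$((failures + 1))
  fi
  return "$failures"
}

# --- constructed demo data, not real Tomcat output ---
DEMO=$(mktemp -d)
SRC_DIR="$DEMO/data/logs/tomcat"
DEST_DIR="$DEMO/nas/logs/web01/2025/07_10"
mkdir -p "$SRC_DIR" "$DEST_DIR"
cat > "$SRC_DIR/catalina.2025-07-10.log" <<'EOF'
[2025-07-10 15:30:00] [INFO   ] Initializing ProtocolHandler ["http-nio-8080"]
[2025-07-10 15:30:00] [INFO   ] Starting service [Catalina]
[2025-07-10 15:30:02] [SEVERE ] Failed to start component [StandardEngine[Catalina]]
Banner printed by a webapp with System.out, which bypasses the formatter
EOF
printf '%s\n' '[2025-07-10 15:31:00] [INFO   ] Deploying web application directory [/usr/local/tomcat/webapps/ROOT]' \
  > "$SRC_DIR/localhost.2025-07-10.log"
: > "$SRC_DIR/upload.lock"            # excluded by the backup script's rsync
cp "$SRC_DIR"/*.log "$DEST_DIR"/       # stands in for a completed rsync run

run_checks "$SRC_DIR" "$DEST_DIR" || echo "$? check(s) failed"
```

On the demo data the format check fails for catalina.2025-07-10.log (one unformatted line) and the backup check passes, so `run_checks` returns 1. Calling it from the backup script after the rsync and before the restart, and logging a non-zero return, turns the "NAS backup fails" row from a thing you discover later into a thing the nightly run reports.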
Sample logrotate configuration for Tomcat (/etc/logrotate.d/tomcat):

```text
# Tomcat's JULI FileHandler keeps the current file open, so truncate in place
# (copytruncate) instead of renaming it and creating a new one, which would
# leave Tomcat writing to the renamed file.
/data/logs/tomcat/*.log {
    daily
    rotate 7
    compress
    delaycompress
    missingok
    notifempty
    copytruncate
}
```

| Item | Ubuntu 22.04 | Rocky Linux 9 |
|---|---|---|
| Firewall | ufw disable | systemctl stop firewalld |
| SELinux | None | setenforce 0 + edit /etc/selinux/config |
| JDK path | /usr/lib/jvm/java-8-openjdk-amd64 | /usr/lib/jvm/java-1.8.0-openjdk |
| Cron service | cron | crond |
| MySQL/MariaDB | MariaDB 10.6 installed by default | MySQL 8.0 recommended |