JumpServer v1.5.9 (latest release) high-availability deployment plan


  • Purpose: test a high-availability deployment of JumpServer
  • Environment:
    • CentOS Linux release 7.6.1810 (Core)
    Hostname   IP
    host11     192.168.17.11
    host12     192.168.17.12
  • Official site:

https://www.jumpserver.org/

  • Official minimum host requirements:
Hardware: 2 CPU cores, 4 GB RAM, 50 GB disk (minimum)
Operating system: Linux distribution, x86_64
Python = 3.6.x
MySQL Server ≥ 5.6
MariaDB Server ≥ 5.5.56
Redis
JumpServer version: v1.5.9
  • Plan:

[Figure 2: deployment plan diagram]

  • Official documentation:

https://docs.jumpserver.org/zh/master/install/step_by_step/

  • Components:
    • Jumpserver is the management backend. Administrators manage assets, users and asset permissions through the web UI; users log in to assets and manage files through the same web UI.
    • koko is the SSH server and web terminal server. Users connect with their own accounts, over SSH or the web terminal, to SSH-protocol and Telnet-protocol assets.
    • Luna is the front end of the web terminal, required for web-terminal logins.
    • Guacamole is the component for RDP-protocol and VNC-protocol assets; users reach them through the web terminal (for now RDP/VNC assets are only reachable that way).
  • Ports:
    • Jumpserver: web on 8080/tcp, websocket on 8070/tcp by default; configured in jumpserver/config.yml
    • koko: SSH on 2222/tcp, web terminal on 5000/tcp by default; configured in koko/config.yml
    • Guacamole: 8081/tcp by default; configured in /config/tomcat9/conf/server.xml
    • Nginx: 80/tcp
    • Redis: 6379/tcp
    • MySQL: 3306/tcp
    Only 80/tcp (nginx) and 2222/tcp (koko SSH) need to be reachable by users. 3306/tcp and VRRP (IP protocol 112) are needed only between the two nodes, and the remaining services are bound to 127.0.0.1 in the configuration below.

Part 1: configuration required on both hosts

1. Environment initialisation

1.1 Configure the Aliyun mirror

Aliyun mirror site: https://developer.aliyun.com/mirror/

CentOS 7:
1. Back up any existing EPEL repo files
mv /etc/yum.repos.d/epel.repo /etc/yum.repos.d/epel.repo.backup

mv /etc/yum.repos.d/epel-testing.repo /etc/yum.repos.d/epel-testing.repo.backup

2. Download the new repo file into /etc/yum.repos.d/
wget -O /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo

# yum makecache fast

1.2 System settings

1. Disable SELinux:
setenforce 0   # takes effect immediately; set SELINUX=permissive (or disabled) in /etc/selinux/config to make it permanent
2. Stop the firewall
systemctl stop firewalld
The lab turns both off to remove variables. On a production bastion keep firewalld running and open only 80/tcp (nginx) and 2222/tcp (koko SSH) to users, and 3306/tcp plus VRRP (protocol 112) between the two nodes; every other service in this guide listens on 127.0.0.1.
3. Set the locale, otherwise the Chinese text written to the logs can trigger input/output errors
export LC_ALL=zh_CN.UTF-8
echo 'LANG=zh_CN.UTF-8' >/etc/locale.conf

1.3 Prepare Python 3 and a virtualenv

1. Install the required packages:
yum -y install wget sqlite-devel xz gcc automake zlib-devel openssl-devel epel-release git
2. Download Python 3.6 and install it:
wget https://www.python.org/ftp/python/3.6.1/Python-3.6.1.tar.xz
3. tar xf Python-3.6.1.tar.xz -C /opt/ && cd /opt/Python-3.6.1
4. ./configure && make && make install
 ## Build from source here; otherwise installing the Python library dependencies later becomes troublesome.

5. Create the Python 3 virtualenv
cd /opt
python3 -m venv py3
source /opt/py3/bin/activate

6. Leave the virtualenv
deactivate

1.4 Install Docker (the latest version is fine)

# Install the required system tools
yum install -y yum-utils device-mapper-persistent-data lvm2
# Add the package repository
yum-config-manager \
--add-repo \
http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
Install the latest Docker:
yum -y install docker-ce
systemctl daemon-reload && systemctl restart docker && systemctl enable docker

# Installing a specific Docker version
# Note:
# The repository enables only the stable channel by default; the other channels can be enabled by editing the repo file. For example the test channel is disabled by default and is enabled as follows; the same applies to the other channels.
# vim /etc/yum.repos.d/docker-ce.repo
#   under [docker-ce-test] change enabled=0 to enabled=1
#
# Install a specific version of Docker CE:
 Step 1: list the available Docker CE versions:
 yum list docker-ce.x86_64 --showduplicates | sort -r
 Loading mirror speeds from cached hostfile
 Loaded plugins: branch, fastestmirror, langpacks
 docker-ce.x86_64            17.03.1.ce-1.el7.centos            docker-ce-stable
 docker-ce.x86_64            17.03.1.ce-1.el7.centos            @docker-ce-stable
 docker-ce.x86_64            17.03.0.ce-1.el7.centos            docker-ce-stable
 Available Packages

 Step 2: install the chosen version (VERSION is the middle column above, e.g. 17.03.0.ce-1.el7.centos; 18.09.9 is used here):
 yum -y install docker-ce-18.09.9-3.el7
 systemctl start docker
 systemctl enable docker


## Create the /etc/docker directory
mkdir /etc/docker

# Configure the daemon (Docker's configuration file)
cat > /etc/docker/daemon.json <

2. Install JumpServer, Redis and MySQL

2.1 Download and install JumpServer

1. Get the JumpServer code. The core, koko, guacamole and luna versions must match, so check out the 1.5.9 release tag rather than the head of master (this assumes the tag is named 1.5.9, as the luna download URL below is):
cd /opt && \
git clone --depth=1 -b 1.5.9 https://github.com/jumpserver/jumpserver.git

2. Install the build dependencies:
cd /opt/jumpserver/requirements
yum install -y $(cat rpm_requirements.txt)

3. Install the Python dependencies:
source /opt/py3/bin/activate
pip install --upgrade pip
pip install wheel

pip install -r requirements.txt
# Do not pass -i when installing from the official index, since a mirror may not yet have the newest packages. If there are no errors continue; if there are, rerun a few times.
# If that fails, try:
pip install -r requirements.txt -i https://pypi.tuna.tsinghua.edu.cn/simple

# If it still fails, try the Aliyun mirror
pip install wheel -i https://mirrors.aliyun.com/pypi/simple/
pip install --upgrade pip setuptools -i https://mirrors.aliyun.com/pypi/simple/
pip install -r requirements.txt -i https://mirrors.aliyun.com/pypi/simple/

2.2 Edit the JumpServer configuration file

2.2.1 Copy the template

cd /opt/jumpserver && \
cp config_example.yml config.yml

2.2.2 Generate the random encryption key and bootstrap token (important: keep them safe)

Generate both values once, on host11, and use the same values on host12. SECRET_KEY encrypts the credentials stored in the database and signs sessions, so a second node with its own SECRET_KEY cannot decrypt the data that MySQL replication brings over in Part 2. BOOTSTRAP_TOKEN is what koko and guacamole present when they register, so it has to equal the token of the core they register with.

umask 077   # key.token holds secrets: create it readable by root only
touch key.token
# Generate SECRET_KEY:
if [ "$SECRET_KEY" = "" ]; then SECRET_KEY=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 50`; echo "SECRET_KEY=$SECRET_KEY" >> ~/.bashrc; echo $SECRET_KEY; else echo $SECRET_KEY; fi >> key.token
# Generate BOOTSTRAP_TOKEN:
if [ "$BOOTSTRAP_TOKEN" = "" ]; then BOOTSTRAP_TOKEN=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 16`; echo "BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN" >> ~/.bashrc; echo $BOOTSTRAP_TOKEN; else echo $BOOTSTRAP_TOKEN; fi >> key.token
Both commands also append the values to ~/.bashrc. A shell rc file is no place for secrets: remove those lines once config.yml is written, and copy key.token to host12 over scp rather than re-running the generation there.

2.2.3 Edit config.yml (mind the MySQL and Redis settings)

vi config.yml

# SECURITY WARNING: keep the secret key used in production secret!
# Encryption key. In production replace it with a random string and never leak it; generate one with
# $ cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 49;echo
SECRET_KEY: kInCfsfq30smLYWlCh8UB1XFNVSAh2BhRGqugINe6oMUzxzc72

# SECURITY WARNING: keep the bootstrap token used in production secret!
# Pre-shared token that coco/koko and guacamole use to register their service accounts, replacing the old register-and-accept flow
BOOTSTRAP_TOKEN: 2VbjmVw9rl7qsVTa

# Development env open this, when error occur display the full process track, Production disable it
# DEBUG mode: with DEBUG on, errors show far more detail. Leave it off in production, since tracebacks expose settings
# DEBUG: true

# DEBUG, INFO, WARNING, ERROR, CRITICAL can set. See https://docs.djangoproject.com/en/1.10/topics/logging/
# Log level
# LOG_LEVEL: DEBUG
# LOG_DIR: 

# Session expiration setting, Default 24 hour, Also set expired on on browser close
# Browser session lifetime, default 24 hours; can also be set to expire when the browser closes
# SESSION_COOKIE_AGE: 86400
# SESSION_EXPIRE_AT_BROWSER_CLOSE: false

# Database setting, Support sqlite3, mysql, postgres ....
# Database settings
# See https://docs.djangoproject.com/en/1.10/ref/settings/#databases

# SQLite setting:
# Single-file SQLite database
# DB_ENGINE: sqlite3
# DB_NAME: 
# MySQL or postgres setting like:
# Use MySQL as the database (the account is created in 2.4.2)
DB_ENGINE: mysql
DB_HOST: 127.0.0.1
DB_PORT: 3306
DB_USER: jumpserver
DB_PASSWORD: jms321654
DB_NAME: jumpserver

# When Django start it will bind this host and port
# ./manage.py runserver 127.0.0.1:8080
# Bind address and ports at runtime. 0.0.0.0 is needed because the koko and guacamole containers on host12 reach this core over the LAN; restrict 8080/tcp to the two nodes with the firewall so users cannot bypass nginx
HTTP_BIND_HOST: 0.0.0.0
HTTP_LISTEN_PORT: 8080
WS_LISTEN_PORT: 8070

# Use Redis as broker for celery and web socket
# Redis settings (REDIS_PASSWORD must equal requirepass in redis.conf, section 2.3.2)
REDIS_HOST: 127.0.0.1
REDIS_PORT: 6379
REDIS_PASSWORD: redis321654
# REDIS_DB_CELERY: 3
# REDIS_DB_CACHE: 4

# Use OpenID Authorization
# OpenID authentication settings
# AUTH_OPENID: False # True or False
# BASE_SITE_URL: None
# AUTH_OPENID_CLIENT_ID: client-id
# AUTH_OPENID_CLIENT_SECRET: client-secret
# AUTH_OPENID_PROVIDER_ENDPOINT: https://op-example.com/
# AUTH_OPENID_PROVIDER_AUTHORIZATION_ENDPOINT: https://op-example.com/authorize
# AUTH_OPENID_PROVIDER_TOKEN_ENDPOINT: https://op-example.com/token
# AUTH_OPENID_PROVIDER_JWKS_ENDPOINT: https://op-example.com/jwks
# AUTH_OPENID_PROVIDER_USERINFO_ENDPOINT: https://op-example.com/userinfo
# AUTH_OPENID_PROVIDER_END_SESSION_ENDPOINT: https://op-example.com/logout
# AUTH_OPENID_PROVIDER_SIGNATURE_ALG: HS256
# AUTH_OPENID_PROVIDER_SIGNATURE_KEY: None
# AUTH_OPENID_SCOPES: "openid profile email"
# AUTH_OPENID_ID_TOKEN_MAX_AGE: 60
# AUTH_OPENID_ID_TOKEN_INCLUDE_CLAIMS: True
# AUTH_OPENID_USE_STATE: True
# AUTH_OPENID_USE_NONCE: True
# AUTH_OPENID_SHARE_SESSION: True
# AUTH_OPENID_IGNORE_SSL_VERIFICATION: True
# AUTH_OPENID_ALWAYS_UPDATE_USER: True

# Use Radius authorization
# RADIUS authentication
# AUTH_RADIUS: false
# RADIUS_SERVER: localhost
# RADIUS_PORT: 1812
# RADIUS_SECRET: 

# CAS settings
# AUTH_CAS: False
# CAS_SERVER_URL: "http://host/cas/"
# CAS_ROOT_PROXIED_AS: 'http://jumpserver-host:port'
# CAS_LOGOUT_COMPLETELY: True
# CAS_VERSION: 3

# LDAP/AD settings
# LDAP search page size
# AUTH_LDAP_SEARCH_PAGED_SIZE: 1000
#
# Periodic user sync
# enable / disable
# AUTH_LDAP_SYNC_IS_PERIODIC: True
# Sync interval in hours (takes precedence over the crontab expression)
# AUTH_LDAP_SYNC_INTERVAL: 12
# Crontab expression
# AUTH_LDAP_SYNC_CRONTAB: * 6 * * *
#
# Only let users that already exist in the user list authenticate against the LDAP server
# AUTH_LDAP_USER_LOGIN_ONLY_IN_USERS: False
#
# If the following message appears in the log during LDAP authentication, set this option to 0 (see https://www.python-ldap.org/en/latest/faq.html)
# In order to perform this operation a successful bind must be completed on the connection
# AUTH_LDAP_OPTIONS_OPT_REFERRALS: -1

# OTP settings
# OTP/MFA settings
# OTP_VALID_WINDOW: 0
# OTP_ISSUER_NAME: Jumpserver

# Perm show single asset to ungrouped node
# Whether assets of unauthorised nodes are placed under the "ungrouped" node
# PERM_SINGLE_ASSET_TO_UNGROUP_NODE: false
#
# Enable periodic tasks
# PERIOD_TASK_ENABLE: True
#
# Enable login confirmation (a second approval before login)
# LOGIN_CONFIRM_ENABLE: False
#
# Skip manual password entry for Windows logins
# WINDOWS_SKIP_ALL_MANUAL_PASSWORD: False

2.3 Install Redis

2.3.1 Download Redis 5.0.2 and build it

yum install gcc
cd /opt
wget http://download.redis.io/releases/redis-5.0.2.tar.gz
tar xf redis-5.0.2.tar.gz
cd redis-5.0.2
make && make install

# Collect the config file and the binaries under /opt/redis (make install also put the binaries in /usr/local/bin)
mkdir /opt/redis
cp /opt/redis-5.0.2/redis.conf /opt/redis/
cp /opt/redis-5.0.2/src/redis-cli /opt/redis-5.0.2/src/redis-server /opt/redis/

2.3.2 Edit the Redis configuration; the password is the one set as REDIS_PASSWORD in config.yml

redis.conf (the essential change is requiring a password for access):
bind 127.0.0.1
protected-mode yes   # inert while bind 127.0.0.1 and requirepass are set, and a safety net if the bind line is ever widened
port 6379
tcp-backlog 128
timeout 10
tcp-keepalive 300
daemonize no
supervised no
pidfile /var/run/redis_6379.pid
loglevel notice
logfile ""
databases 16
always-show-logo yes
save 900 1
save 300 10
save 60 10000
stop-writes-on-bgsave-error yes
rdbcompression yes
rdbchecksum yes
dbfilename dump.rdb
dir ./
replica-serve-stale-data yes
replica-read-only yes
repl-diskless-sync no
repl-diskless-sync-delay 5
repl-disable-tcp-nodelay no
replica-priority 100
requirepass redis321654   # must equal REDIS_PASSWORD in config.yml
lazyfree-lazy-eviction no
lazyfree-lazy-expire no
lazyfree-lazy-server-del no
replica-lazy-flush no
appendonly yes
appendfilename "appendonly.aof"
appendfsync everysec
no-appendfsync-on-rewrite no
auto-aof-rewrite-percentage 100
auto-aof-rewrite-min-size 64mb
aof-load-truncated yes
aof-use-rdb-preamble yes
lua-time-limit 5000
slowlog-log-slower-than 10000
slowlog-max-len 128
latency-monitor-threshold 0
notify-keyspace-events ""
hash-max-ziplist-entries 512
hash-max-ziplist-value 64
list-max-ziplist-size -2
list-compress-depth 0
set-max-intset-entries 512
zset-max-ziplist-entries 128
zset-max-ziplist-value 64
hll-sparse-max-bytes 3000
stream-node-max-bytes 4096
stream-node-max-entries 100
activerehashing yes
client-output-buffer-limit normal 0 0 0
client-output-buffer-limit replica 256mb 64mb 60
client-output-buffer-limit pubsub 32mb 8mb 60
hz 10
dynamic-hz yes
aof-rewrite-incremental-fsync yes
rdb-save-incremental-fsync yes

2.3.3 Start Redis

Install tmux and start Redis in a tmux window:
yum -y install tmux

tmux
/opt/redis/redis-server /opt/redis/redis.conf

A tmux session is fine for the lab but does not survive a reboot and nothing restarts the process if it dies. Beyond testing, run Redis under systemd (daemonize no with supervised systemd in redis.conf matches a Type=notify unit); the same applies to the JumpServer core started in 2.4.3.

2.4 Install MySQL 5.6

2.4.1 Install with a one-shot script

MySQL main configuration file:
[root@host11 mysql]# cat my.cnf 
[mysqld]
socket=/var/lib/mysql/mysql.sock
user=mysql
symbolic-links=0
datadir=/data/mysql
innodb_file_per_table=1
binlog_format=ROW   # required once binary logging is enabled in Part 2; see the note on error 1665 in 2.4.2

[client]
port=3306
socket=/var/lib/mysql/mysql.sock

[mysqld_safe]
log-error=/var/log/mysqld.log
pid-file=/data/mysql/mysqld.pid   # a .pid file inside the data directory, not the socket path


Script contents (the MySQL 5.6 binary tarball must be downloaded into the same directory first):

[root@host11 opt]# cat mysql-install.sh 
#!/bin/bash
# Installs the MySQL 5.6 generic binary tarball under /usr/local/mysql with the data directory in /data/mysql
DIR=`pwd`
NAME="mysql-5.6.34-linux-glibc2.5-x86_64.tar.gz"
FULL_NAME=${DIR}/${NAME}
DATA_DIR="/data/mysql"

yum install vim gcc gcc-c++ wget autoconf net-tools lrzsz iotop lsof bash-completion -y
yum install curl policycoreutils openssh-server openssh-clients postfix -y

if [ -f ${FULL_NAME} ];then
    echo "Installation archive found"
else
    echo "Installation archive not found"
    exit 3
fi
if [ -h /usr/local/mysql ];then
    echo "MySQL is already installed"
    exit 3
fi

tar xvf ${FULL_NAME} -C /usr/local/src
ln -sv /usr/local/src/mysql-5.6.34-linux-glibc2.5-x86_64 /usr/local/mysql
if id mysql >/dev/null 2>&1;then
    echo "User mysql already exists, skipping user creation"
else
    useradd mysql -s /sbin/nologin
fi
chown -R mysql.mysql /usr/local/mysql/
if [ -d ${DATA_DIR} ];then
    echo "MySQL data directory already exists"
    exit 3
fi
mkdir -pv ${DATA_DIR} && chown -R mysql.mysql /data
/usr/local/mysql/scripts/mysql_install_db --user=mysql --datadir=${DATA_DIR} --basedir=/usr/local/mysql/
cp /usr/local/src/mysql-5.6.34-linux-glibc2.5-x86_64/support-files/mysql.server /etc/init.d/mysqld
chmod a+x /etc/init.d/mysqld
cp ${DIR}/my.cnf /etc/my.cnf
ln -sv /usr/local/mysql/bin/mysql /usr/bin/mysql
/etc/init.d/mysqld start
The MySQL binaries are in:
/usr/local/mysql/bin

2.4.2 Create the database and account

mysql_install_db leaves root without a password; set one before going further (mysql_secure_installation does this and also removes the anonymous accounts and the test database).

mysql> create database jumpserver default charset 'utf8' collate 'utf8_bin';
mysql> grant all privileges on jumpserver.* to jumpserver@'192.168.17.%' identified by 'jms321654';
mysql> grant all privileges on jumpserver.* to jumpserver@'127.0.0.1' identified by 'jms321654';
(the core connects to DB_HOST 127.0.0.1, which does not match the 192.168.17.% host pattern, hence the second grant; the application account needs only the jumpserver database, not *.*)

Remove anonymous accounts:
mysql> use mysql 
mysql> delete from user where user=''; 
mysql> flush privileges;

Note: the binary log format must be ROW, otherwise replication in Part 2 fails with error 1665.

Cause:
When InnoDB runs at the READ COMMITTED or READ UNCOMMITTED isolation level, the binary log cannot use STATEMENT format.
Fix:
Without restarting the instance, switch to ROW:
set global binlog_format=row;
or:
mysql> SET SESSION binlog_format = 'ROW';
mysql> SET GLOBAL binlog_format = 'ROW';
Note: SET GLOBAL affects only new sessions and is lost on restart; adding binlog_format = row to /etc/my.cnf makes it permanent, and a change to my.cnf requires a MySQL restart.

2.4.3 Start JumpServer

cd /opt/jumpserver
source /opt/py3/bin/activate
./jms start -d
or run it in a tmux window instead of detaching with -d.

3. Deploy the koko component with Docker

3.1 Pull the image

docker pull jumpserver/jms_koko:1.5.9

3.2 Start the container

The BOOTSTRAP_TOKEN passed to the container must be the one in config.yml of the core that CORE_HOST points to. Both containers below register with the core on 192.168.17.11, so both must carry the token from host11's config.yml (2VbjmVw9rl7qsVTa).

3.2.1 Start on 192.168.17.11:

docker run --name jms_koko -d \
  -p 2222:2222 \
  -p 127.0.0.1:5000:5000 \
  -e CORE_HOST=http://192.168.17.11:8080 \
  -e BOOTSTRAP_TOKEN=2VbjmVw9rl7qsVTa \
  -e LOG_LEVEL=ERROR \
  --restart=always \
  jumpserver/jms_koko:1.5.9

3.2.2 Start on 192.168.17.12:

docker run --name jms_koko -d \
  -p 2222:2222 \
  -p 127.0.0.1:5000:5000 \
  -e CORE_HOST=http://192.168.17.11:8080 \
  -e BOOTSTRAP_TOKEN=2VbjmVw9rl7qsVTa \
  -e LOG_LEVEL=ERROR \
  --restart=always \
  jumpserver/jms_koko:1.5.9

4. Deploy the guacamole component with Docker

4.1 Pull the image

docker pull jumpserver/jms_guacamole:1.5.9

4.1.1 Start on 192.168.17.11

Note: BOOTSTRAP_TOKEN must equal the one in config.yml of the core named in JUMPSERVER_SERVER

docker run --name jms_guacamole -d \
  -p 127.0.0.1:8081:8080 \
  -e JUMPSERVER_SERVER=http://192.168.17.11:8080 \
  -e BOOTSTRAP_TOKEN=2VbjmVw9rl7qsVTa \
  -e GUACAMOLE_LOG_LEVEL=ERROR \
  --restart=always \
  jumpserver/jms_guacamole:1.5.9

4.1.2 Start on 192.168.17.12

Note: this container also registers with the core on 192.168.17.11, so it carries host11's token as well

docker run --name jms_guacamole -d \
  -p 127.0.0.1:8081:8080 \
  -e JUMPSERVER_SERVER=http://192.168.17.11:8080 \
  -e BOOTSTRAP_TOKEN=2VbjmVw9rl7qsVTa \
  -e GUACAMOLE_LOG_LEVEL=ERROR \
  --restart=always \
  jumpserver/jms_guacamole:1.5.9
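Sections 2.2, 2.3, 3 and 4 each carry a secret that has to agree with another one: SECRET_KEY and BOOTSTRAP_TOKEN must be identical in the config.yml of both nodes, requirepass in redis.conf must equal REDIS_PASSWORD, and the token given to each container must equal the BOOTSTRAP_TOKEN of the core it registers with. The script below is an added example, not code from JumpServer or from the original steps: it parses the two config.yml files, redis.conf and the container token and reports every mismatch. The file paths and the sample files it builds in a temporary directory are assumptions and constructed data; the demo at the end reproduces the mismatches a reader can make while following this guide (a key generated separately on host12, a redis.conf still carrying another password, host12's koko started with a different token).

```shell
#!/usr/bin/env bash
# Added example (not JumpServer project code): cross-check the secrets that must
# agree across the two HA nodes. Run it before starting the components.
set -u

# Read a top-level "KEY: value" line from a JumpServer-style config.yml.
# Commented-out lines are ignored; surrounding quotes and whitespace are stripped.
yaml_get() {  # yaml_get <file> <KEY>
    sed -n -E "s/^[[:space:]]*$2[[:space:]]*:[[:space:]]*//p" "$1" \
        | head -n 1 | sed -E "s/^['\"]//; s/['\"]?[[:space:]]*$//"
}

# First uncommented occurrence of a redis.conf directive.
redis_conf_get() {  # redis_conf_get <file> <directive>
    awk -v d="$2" '$1 == d { print $2; exit }' "$1"
}

# Print one result line; return 1 when the values differ or one is missing.
check_equal() {  # check_equal <label> <a> <b>
    if [ -z "$2" ] || [ -z "$3" ]; then
        printf 'FAIL %s: value missing\n' "$1"; return 1
    fi
    if [ "$2" != "$3" ]; then
        printf 'FAIL %s: %s != %s\n' "$1" "$2" "$3"; return 1
    fi
    printf 'ok   %s\n' "$1"
}

# Run every check; the return code is the number of failed checks (0 = consistent).
check_ha_secrets() {  # check_ha_secrets <config.yml node1> <config.yml node2> <redis.conf> <container token>
    local fails=0
    check_equal "SECRET_KEY identical on both nodes" \
        "$(yaml_get "$1" SECRET_KEY)" "$(yaml_get "$2" SECRET_KEY)" || fails=$((fails + 1))
    check_equal "BOOTSTRAP_TOKEN identical on both nodes" \
        "$(yaml_get "$1" BOOTSTRAP_TOKEN)" "$(yaml_get "$2" BOOTSTRAP_TOKEN)" || fails=$((fails + 1))
    check_equal "redis requirepass equals REDIS_PASSWORD" \
        "$(redis_conf_get "$3" requirepass)" "$(yaml_get "$1" REDIS_PASSWORD)" || fails=$((fails + 1))
    check_equal "container BOOTSTRAP_TOKEN equals the core's" \
        "$4" "$(yaml_get "$1" BOOTSTRAP_TOKEN)" || fails=$((fails + 1))
    return "$fails"
}

# Demo on constructed files (the values are the guide's examples, not real secrets):
# host12 generated its own SECRET_KEY and token, and redis.conf has a third password.
demo() {
    local d; d=$(mktemp -d)
    printf 'SECRET_KEY: %s\nBOOTSTRAP_TOKEN: 2VbjmVw9rl7qsVTa\nREDIS_PASSWORD: redis321654 \n' \
        kInCfsfq30smLYWlCh8UB1XFNVSAh2BhRGqugINe6oMUzxzc72 > "$d/host11.yml"
    printf '# SECRET_KEY: ignored\nSECRET_KEY: "otherKeyGeneratedOnHost12"\nBOOTSTRAP_TOKEN: osOtiBxtBqopBxwV\nREDIS_PASSWORD: redis321654\n' > "$d/host12.yml"
    printf 'bind 127.0.0.1\n# requirepass foobared\nrequirepass wallet828\n' > "$d/redis.conf"
    check_ha_secrets "$d/host11.yml" "$d/host12.yml" "$d/redis.conf" osOtiBxtBqopBxwV
    echo "failed checks: $?"
    rm -rf "$d"
}
demo
```

In use, copy host12's file over first (scp root@192.168.17.12:/opt/jumpserver/config.yml /tmp/host12.yml) and call check_ha_secrets /opt/jumpserver/config.yml /tmp/host12.yml /opt/redis/redis.conf "$TOKEN" with the token from the docker run line; a non-zero exit status is the number of mismatches.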

5. Download the Luna component

cd /opt
wget https://github.com/jumpserver/luna/releases/download/1.5.9/luna.tar.gz
or:
wget http://demo.jumpserver.org/download/luna/1.5.9/luna.tar.gz
tar -xf luna.tar.gz
chown -R nginx:nginx luna   # the nginx user is created in step 4 of section 6; run this once it exists

6. Nginx reverse proxy

Build and install nginx 1.16

1. Install the dependencies:
yum install -y gcc gcc-c++ pcre pcre-devel zlib zlib-devel openssl openssl-devel

2. Download the source from the official site
wget https://nginx.org/download/nginx-1.16.0.tar.gz

3. Unpack
tar zxvf nginx-1.16.0.tar.gz
cd nginx-1.16.0

4. Add the nginx user
useradd nginx -s /sbin/nologin -M

5. Configure and build
./configure --prefix=/apps/nginx --user=nginx --group=nginx \
--with-http_ssl_module --with-http_v2_module --with-http_realip_module \
--with-http_stub_status_module --with-http_gzip_static_module --with-pcre \
--with-stream --with-stream_ssl_module --with-stream_realip_module

make && make install

6. Symlink the nginx binary
ln -s /apps/nginx/sbin/nginx /usr/local/sbin/

7. Configuration files
mkdir -p /apps/nginx/conf/conf.d   # a source build has no conf.d directory yet
vi /apps/nginx/conf/conf.d/jumpserver.conf   # the site configuration from 7.2 below

7.1 Main configuration file
[root@host11 conf]# cat nginx.conf|grep -v "#" |grep -v "^$"
user  nginx;
worker_processes  auto;
events {
    worker_connections  1024;
}
http {
    include       mime.types;
    default_type  application/octet-stream;
    sendfile        on;
    keepalive_timeout  65;
    server_tokens off; 
   include  /apps/nginx/conf/conf.d/*.conf;
    server {
        listen       80;
        server_name  localhost;
        location / {
            root   html;
            index  index.html index.htm;
        }
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }
    }
}

7.2 Site configuration
[root@host11 conf]# cat /apps/nginx/conf/conf.d/jumpserver.conf
server {
    listen 80;
    server_name 192.168.17.245;

    client_max_body_size 100m;  # size limit for session recordings and file uploads

    location /luna/ {
        try_files $uri / /index.html;
        alias /opt/luna/;  # luna path; change it if luna was unpacked elsewhere
    }

    location /media/ {
        add_header Content-Encoding gzip;
        root /opt/jumpserver/data/;  # session recordings; change it if JumpServer is installed elsewhere
    }

    location /static/ {
        root /opt/jumpserver/data/;  # static files; change it if JumpServer is installed elsewhere
    }

    location /koko/ {
        proxy_pass       http://localhost:5000;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    location /guacamole/ {
        proxy_pass       http://localhost:8081/;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    location /ws/ {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://localhost:8070;
        proxy_http_version 1.1;
        proxy_buffering off;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

    location / {
        proxy_pass http://localhost:8080;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

8. Start nginx
nginx -t
nginx

This listener is plain HTTP. A bastion carries user passwords, MFA codes and every session's keystrokes through this proxy, so in production terminate TLS here (the build above includes http_ssl_module and http_v2_module) and redirect port 80 to 443.

7. Open both hosts in a browser

7.1 Web login

http://ip:8080   (or http://ip/ through nginx)
Username: admin
Password: admin

Change the admin password at the first login. Once replication is set up in Part 2 the two nodes share one database, so make the change on host11 (the master).

Part 2: synchronisation between the two hosts

1. MySQL master-slave replication between the two hosts

This is one-way, asynchronous replication with host11 as the only writable copy. Both cores connect to DB_HOST: 127.0.0.1, so a write made on host12 (for instance while it holds the VIP from section 3) would land in the slave and never reach host11. Decide up front how host12 is used: as a standby whose copy is promoted by hand (then point host12's config.yml at host11's MySQL, DB_HOST: 192.168.17.11, while host11 is alive), or as a read-only copy kept for recovery.

1.1 Enable binary logging on the master

master: 192.168.17.11
vim /etc/my.cnf
add under [mysqld]
server_id=1
log-bin=/var/lib/mysql/master-bin
binlog_format=ROW
Restart MySQL:
# /etc/init.d/mysqld restart

1.2 Create the replication account

cd /usr/local/mysql/bin/
mysql> grant replication slave on *.* to 'jumpserver'@'192.168.17.%' identified by 'jms321654';
(a dedicated account holding only REPLICATION SLAVE is preferable to reusing the application account; whichever is used, the grant must be for '192.168.17.%' because the slave connects from its LAN address)

mysql> show master status;
+-------------------+----------+--------------+------------------+-------------------+
| File              | Position | Binlog_Do_DB | Binlog_Ignore_DB | Executed_Gtid_Set |
+-------------------+----------+--------------+------------------+-------------------+
| master-bin.000001 |      335 |              |                  |                   |
+-------------------+----------+--------------+------------------+-------------------+
1 row in set (0.01 sec)

1.3 Configure the slave (192.168.17.12)

If host12 already ran the JumpServer migrations in Part 1 (2.4.3), its tables hold their own initial rows (a different primary key for the admin user, for example) and row-based events from host11 can fail against them. The safe sequence is to take a consistent dump on host11 (mysqldump --single-transaction --master-data=2 jumpserver), load it on host12, and use the binlog file and position recorded in that dump for CHANGE MASTER TO instead of the output of show master status.

vim /etc/my.cnf
add under [mysqld]:
server-id=2
relay-log=/var/lib/mysql/relay-bin
read_only=1               # accounts without SUPER, such as jumpserver, cannot write to the slave, so divergence fails loudly instead of silently; clear it when promoting
# slave-skip-errors=all   # skips every replication error and lets the two copies drift apart; leave it off and fix errors when show slave status reports them

Restart MySQL:
/etc/init.d/mysqld restart
cd /usr/local/mysql/bin/

 mysql>CHANGE MASTER TO
MASTER_HOST='192.168.17.11',
MASTER_USER='jumpserver',
MASTER_PASSWORD='jms321654',
MASTER_PORT=3306,
MASTER_LOG_FILE='master-bin.000001',
MASTER_LOG_POS=335;

 mysql>start slave;
 mysql>show slave status\G
 (both Slave_IO_Running and Slave_SQL_Running must be Yes)
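Checking show slave status once by eye is not enough for a standby that is supposed to take over; the two thread flags, the lag and the last error should be checked every time before a failover and ideally from cron. The script below is an added example, not code from JumpServer or MySQL: it parses the output of SHOW SLAVE STATUS\G from stdin and answers healthy or not, and a second function checks the binlog_format value that the error-1665 note in Part 1 requires. The sample output it runs on is constructed in MySQL 5.6 layout, not captured from a server; the lag threshold of 30 seconds is an assumption.

```shell
#!/usr/bin/env bash
# Added example (not JumpServer or MySQL project code): decide from
# `SHOW SLAVE STATUS\G` output whether the standby is usable, and verify the
# binlog format that the error-1665 note requires.
set -u

# Reads SHOW SLAVE STATUS\G output on stdin. Returns 0 when both replication
# threads run and the lag is within max_lag seconds, 1 otherwise.
replication_healthy() {  # replication_healthy [max_lag_seconds] < status
    local max_lag="${1:-30}" io="" sql="" lag="" err="" line key val
    while IFS= read -r line; do
        key="${line%%:*}"
        key="${key#"${key%%[![:space:]]*}"}"     # strip the left padding mysql prints
        val="${line#*: }"
        [ "$val" = "$line" ] && val=""           # "Key:" with nothing after it
        case "$key" in
            Slave_IO_Running)      io="$val" ;;
            Slave_SQL_Running)     sql="$val" ;;
            Seconds_Behind_Master) lag="$val" ;;
            Last_Error)            err="$val" ;;
        esac
    done
    if [ "$io" != "Yes" ] || [ "$sql" != "Yes" ]; then
        printf 'replication BROKEN: Slave_IO_Running=%s Slave_SQL_Running=%s Last_Error=%s\n' \
            "${io:-?}" "${sql:-?}" "${err:-none}"
        return 1
    fi
    case "$lag" in
        ''|NULL) printf 'replication BROKEN: Seconds_Behind_Master unknown\n'; return 1 ;;
    esac
    if [ "$lag" -gt "$max_lag" ]; then
        printf 'replication LAGGING: %ss behind master (limit %ss)\n' "$lag" "$max_lag"
        return 1
    fi
    printf 'replication OK: %ss behind master\n' "$lag"
}

# Reads `SHOW VARIABLES LIKE 'binlog_format'` output as mysql -e prints it
# (tab separated). Returns 0 only if the value is ROW.
binlog_format_is_row() {
    awk -F'\t' '$1 == "binlog_format" { found = 1; if (toupper($2) == "ROW") ok = 1 }
                END { exit (found && ok) ? 0 : 1 }'
}

# Constructed sample output in MySQL 5.6 layout (not captured from a real server).
SAMPLE_OK='*************************** 1. row ***************************
               Slave_IO_State: Waiting for master to send event
                  Master_Host: 192.168.17.11
                  Master_User: jumpserver
              Master_Log_File: master-bin.000001
             Slave_IO_Running: Yes
            Slave_SQL_Running: Yes
        Seconds_Behind_Master: 0
                   Last_Error: '
SAMPLE_BROKEN='             Slave_IO_Running: Yes
            Slave_SQL_Running: No
        Seconds_Behind_Master: NULL
                   Last_Error: Could not execute Write_rows event on table jumpserver.users_user'

printf '%s\n' "$SAMPLE_OK" | replication_healthy 30
printf '%s\n' "$SAMPLE_BROKEN" | replication_healthy 30
# On the slave:   mysql -uroot -p -e 'SHOW SLAVE STATUS\G' | replication_healthy 30
# On the master:  mysql -uroot -p -e "SHOW VARIABLES LIKE 'binlog_format'" | binlog_format_is_row
```

The function deliberately treats a NULL lag as broken: MySQL reports NULL whenever the SQL thread is not running, so a script that only looks at the number would read "no lag" in exactly the failed case.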

2. Synchronise the /opt/koko/data/keys directory

This directory holds koko's key material. If it is not synchronised, the standby node has none of the private keys generated on the master and cannot manage assets remotely.

2.1 Set up passwordless SSH between the two JumpServer hosts:

ssh-keygen
ssh-copy-id 192.168.17.12
ssh-copy-id 192.168.17.11

This gives root on each node a root shell on the other, which is the maximum trust the two nodes can grant each other. Restrict the key in authorized_keys (from="192.168.17.11", no-port-forwarding, no-pty, or a forced command) or use a dedicated unprivileged account that owns /opt/koko/data.

2.2 Cron jobs

2.2.1 192.168.17.11 (master)

yum -y install crontabs

# crontab basics:
list jobs: crontab -l
service crond start     # start the service
service crond stop      # stop the service
service crond restart   # restart the service
service crond reload    # reload the configuration
service crond status    # service status

Enable at boot:
systemctl enable crond   (chkconfig --level 35 crond on on SysV systems)
Check what cron ran:
tail -f /var/log/cron

crontab -e

(a user's own crontab has no user column; a "root" field in the /etc/crontab syntax would be executed as the command and fail)
30 * * * * /usr/bin/docker cp jms_koko:/opt/koko/data/keys /opt/koko/data/

* * * * * sleep 10;/usr/bin/scp -r /opt/koko/data/keys/ root@192.168.17.12:/opt/koko/data/ > /dev/null 2>&1
* * * * * sleep 20;/usr/bin/scp -r /opt/koko/data/keys/ root@192.168.17.12:/opt/koko/data/ > /dev/null 2>&1
* * * * * sleep 30;/usr/bin/scp -r /opt/koko/data/keys/ root@192.168.17.12:/opt/koko/data/ > /dev/null 2>&1
* * * * * sleep 40;/usr/bin/scp -r /opt/koko/data/keys/ root@192.168.17.12:/opt/koko/data/ > /dev/null 2>&1
* * * * * sleep 50;/usr/bin/scp -r /opt/koko/data/keys/ root@192.168.17.12:/opt/koko/data/ > /dev/null 2>&1

2.2.2 Slave host 192.168.17.12

crontab -e
30 * * * * /usr/bin/docker cp /opt/koko/data/keys jms_koko:/opt/koko/data/

(with the container path /opt/koko/data/keys as destination, docker cp would create /opt/koko/data/keys/keys inside the container, because an existing destination directory receives the source directory as a child; the parent directory is the right target)

Starting both koko containers with a bind mount of the host directory (-v /opt/koko/data:/opt/koko/data) in Part 1 section 3 makes both docker cp jobs unnecessary, since the container then reads the synchronised host directory directly.
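Six scp jobs a minute copy the directory whether or not it changed, can overlap with each other and with the docker cp at half past, and give no signal when a copy fails. The script below is an added example, not from the guide or the JumpServer project: it fingerprints the directory contents, mirrors it to the standby with rsync only when the fingerprint differs from the one recorded at the last successful sync, and takes a lock so cron runs never overlap. The paths, the peer address root@192.168.17.12, the --run argument and the file names used in the demo are assumptions; rsync and ssh key trust from 2.1 are prerequisites.

```shell
#!/usr/bin/env bash
# Added example (not from the guide): one locked, change-detecting sync of the
# koko keys directory to the standby, replacing the six scp cron entries.
# Cron entry on the master:  * * * * * /opt/sync-koko-keys.sh --run
set -u

SRC_DIR="${SRC_DIR:-/opt/koko/data/keys}"
PEER="${PEER:-root@192.168.17.12}"                    # the standby node
STATE_FILE="${STATE_FILE:-/var/lib/koko-keys.sha256}" # fingerprint of the last successful sync
LOCK_FILE="${LOCK_FILE:-/var/lock/koko-keys.lock}"

# Content fingerprint of a directory: sha256 over (path, sha256) of every file in a
# fixed order, so it depends neither on mtimes nor on the order files were created.
dir_fingerprint() {  # dir_fingerprint <dir>
    ( cd "$1" || exit 1
      find . -type f | LC_ALL=C sort | while IFS= read -r f; do sha256sum "$f"; done ) \
        | sha256sum | cut -d' ' -f1
}

# Returns 0 if the directory differs from the fingerprint recorded in the state file.
keys_changed() {  # keys_changed <dir> <state_file>
    local now prev
    now=$(dir_fingerprint "$1")
    prev=$(cat "$2" 2>/dev/null || true)
    [ "$now" != "$prev" ]
}

# Mirror the directory to the peer when it changed; record the fingerprint only
# after rsync succeeded, so a failed copy is retried on the next run.
sync_keys() {  # sync_keys <dir> <peer> <state_file>
    if ! keys_changed "$1" "$3"; then
        echo "keys unchanged, nothing to do"
        return 0
    fi
    # -a keeps the restrictive modes on private keys; --delete makes the standby an exact mirror
    rsync -a --delete -e 'ssh -o BatchMode=yes -o ConnectTimeout=5' "$1/" "$2:$1/" \
        && dir_fingerprint "$1" > "$3"
}

if [ "${1:-}" = "--run" ]; then
    exec 9>"$LOCK_FILE"
    flock -n 9 || { echo "previous sync still running"; exit 0; }
    sync_keys "$SRC_DIR" "$PEER" "$STATE_FILE"
    exit $?
fi
```

On the standby, the docker cp into the container (or a bind mount) still has to follow the copy; rsync only updates the host directory.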

3. Nginx + keepalived high availability

3.1 Edit the nginx configuration (identical on both hosts)

3.1.1 vim /apps/nginx/conf/conf.d/jumpserver.conf

# Make the JumpServer components reachable through the VIP: change only the proxy_pass of the location / block in the file from Part 1 section 6 and keep the /luna/, /media/, /static/, /koko/, /guacamole/ and /ws/ blocks; back the file up first

vim /apps/nginx/conf/conf.d/jumpserver.conf
 
  server {
       listen       80;
        server_name  192.168.17.245;
   
 #      access_log  /usr/local/nginx/logs/oa-access.log main;
 #      error_log  /usr/local/nginx/logs/oa-error.log;
   
        location / {
          proxy_pass http://192.168.17.245:8080;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header Host $host;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 
         }
 }

3.1.2 Reload nginx

nginx -t
nginx -s reload

3.2 Install and configure keepalived

3.2.1 Build keepalived from source

yum -y install unzip.x86_64
mkdir -p /opt/keepalived && cd /opt/keepalived
wget https://github.com/acassen/keepalived/archive/v2.1.2.zip
unzip v2.1.2.zip

cd /opt/keepalived/keepalived-2.1.2
bash autogen.sh
./configure --prefix=/usr/local/keepalived
make && make install

3.2.2 Edit the configuration file

Annotated configuration (what each directive means):

vim /etc/keepalived/keepalived.conf

! Configuration File for keepalived     # global definitions

global_defs {
notification_email {     # mailboxes keepalived notifies on events such as a failover
#[email protected]   # alert addresses, one per line, several allowed; needs a local sendmail
#[email protected]
}
  
#notification_email_from [email protected]   # sender address of the notification mails
#smtp_server 127.0.0.1      # SMTP server used to send them
#smtp_connect_timeout 30    # SMTP connection timeout
#router_id master-node     # identifier of this keepalived host, usually the hostname; shown in the subject of alert mails. Must differ between the two nodes
}

vrrp_script chk_http_port {      # checks whether nginx is running; a process check, a script, and other methods are possible
script "/opt/nginx.sh"   # checked with a script here
interval 2                   # run the script every 2 seconds
weight -5                    # priority change caused by the script: on failure (non-zero exit) the priority drops by 5
fall 2                    # two consecutive failures count as a real failure; the priority is then lowered by weight (and stays within 1-255)
rise 1                    # one success counts as recovered and the priority is restored
}

vrrp_instance VI_1 {    # within one virtual_router_id the host with the highest priority (0-255) becomes master and takes the VIP; when it fails the next highest takes over
state MASTER    # initial role: MASTER for the primary, BACKUP for the standby. This is only the initial state; the actual role is decided by the election on priority. A node configured MASTER with a lower priority than its peer advertises that priority, and the peer, seeing its own is higher, preempts and becomes master
interface eno16777736          # interface used for VRRP and on which the VIP is added; the VIP must be attached to an existing interface
mcast_src_ip 192.168.24.30   # source address of the multicast VRRP advertisements, i.e. the address the heartbeats are sent from; choose a stable interface. Defaults to the address of the interface above
virtual_router_id 51         # virtual router identifier, a number unique per VRRP instance; MASTER and BACKUP of the same instance must use the same value
priority 100                 # priority: higher wins; within one vrrp_instance the MASTER's priority must exceed the BACKUP's
advert_int 1                 # interval in seconds between VRRP advertisements between MASTER and BACKUP
authentication {             # authentication type and password, identical on both peers
    auth_type PASS           # PASS or AH
    auth_pass 1111           # VRRP password; MASTER and BACKUP of the same instance must use the same one to talk to each other
}
virtual_ipaddress {          # the VRRP virtual address(es), one per line; a bare IP such as 192.168.24.222 is also accepted
    192.168.24.222/24 dev eno16777736
}

track_script {                      # scripts whose result changes the priority. This block belongs inside vrrp_instance; placed outside it, for example directly after the vrrp_script block, the nginx check is silently ineffective (a trap hit during this experiment)
chk_http_port                    # name defined in vrrp_script above; run periodically to adjust the priority and, eventually, trigger a failover
}
}

master configuration: vi /usr/local/keepalived/etc/keepalived/keepalived.conf

! Configuration File for keepalived

global_defs {
   notification_email {
     [email protected]
   }
   notification_email_from [email protected]
   smtp_server 127.0.0.1
   smtp_connect_timeout 30
   router_id master-node
   vrrp_skip_check_adv_addr
   vrrp_strict
   vrrp_iptables
   vrrp_garp_interval 0
   vrrp_gna_interval 0
}
vrrp_script chk_http_port {
   script "/opt/nginx.sh"
   interval 2
   weight -20
   fall 2
   rise 1
}
vrrp_instance VI_1 {
   state MASTER
   interface ens33
   virtual_router_id 51
   priority 80
   advert_int 1
   authentication {
   auth_type PASS
   auth_pass 1204
}
virtual_ipaddress {
   192.168.17.245 dev ens33 label ens33:1
 }
track_script {
   chk_http_port
 }
}

Three things to check in this file. The weight must be large enough to matter: with priorities 80 and 70, a weight of -5 would leave a failed master at 75, still above the backup, so a failing check alone would never move the VIP; -20 takes it to 60. vrrp_strict together with vrrp_iptables makes keepalived insert iptables rules for the VIP; if the VIP answers VRRP but clients cannot reach port 80 on it, remove vrrp_strict. And PASS authentication travels in clear text and only prevents accidental cross-talk between instances, so keep the VRRP traffic of the two nodes on a trusted segment.

backup configuration: vi /usr/local/keepalived/etc/keepalived/keepalived.conf

! Configuration File for keepalived

global_defs {
   notification_email {
     [email protected]
   }
   notification_email_from [email protected]
   smtp_server 127.0.0.1
   smtp_connect_timeout 30
   router_id backup-node
   vrrp_skip_check_adv_addr
   vrrp_strict
   vrrp_iptables
   vrrp_garp_interval 0
   vrrp_gna_interval 0
}
vrrp_script chk_http_port {
   script "/opt/nginx.sh"
   interval 2
   weight -20
   fall 2
   rise 1
}
vrrp_instance VI_1 {
   state BACKUP
   interface ens33
   virtual_router_id 51
   priority 70
   advert_int 1
   authentication {
   auth_type PASS
   auth_pass 1204
}
virtual_ipaddress {
   192.168.17.245 dev ens33 label ens33:1
 }
track_script {
   chk_http_port
 }
}

The state keyword accepts only MASTER or BACKUP (there is no SLAVE state), and router_id must differ from the master's.

3.2.3 Start and verify

Register keepalived as a system service:

cp /opt/keepalived/keepalived-2.1.2/keepalived/etc/init.d/keepalived /etc/init.d/

mkdir /etc/keepalived
cp /usr/local/keepalived/etc/keepalived/keepalived.conf /etc/keepalived

cp /usr/local/keepalived/etc/sysconfig/keepalived /etc/sysconfig/keepalived   # the sysconfig file the init script sources, not the binary

cp /usr/local/keepalived/sbin/keepalived /usr/sbin/

After this, service keepalived [start | stop | reload | restart] works
systemctl enable keepalived.service

Verify the VIP (ip addr show ens33 lists 192.168.17.245 on the current master), then stop keepalived on the master or on the backup and watch the address move.

3.3 Nginx liveness check script

The path must match the one in the vrrp_script block of keepalived.conf

  • If nginx is not running, try to start it; if it is still not running, stop keepalived so the VIP moves.
 vim /opt/nginx.sh 
  #!/bin/bash
  # count nginx processes; ps -C matches on the process name only
  counter=$(ps -C nginx --no-heading|wc -l)
  if [ "${counter}" = "0" ]; then
      /usr/local/sbin/nginx
      sleep 2
      counter=$(ps -C nginx --no-heading|wc -l)
      if [ "${counter}" = "0" ]; then
          /etc/init.d/keepalived stop
      fi
  fi
chmod a+x /opt/nginx.sh   # keep it owned by root and not writable by others; keepalived 2.x refuses to run scripts that other users can modify
On both nodes:
systemctl restart keepalived.service

Stop nginx on the master by hand and check that the script starts it again.
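The script above always exits 0 (its only failure action is stopping keepalived), so the weight in vrrp_script never comes into play, and ps -C nginx counts any process called nginx, including a master process whose workers have all died. The following is an added example, not the guide's /opt/nginx.sh and not from the keepalived or nginx projects: it probes nginx over HTTP on 127.0.0.1, tries one restart, and exits non-zero on failure so that the vrrp_script weight demotes the node (with priorities 80 and 70 that needs a weight of -11 or more, e.g. -20). The probe URL, the nginx binary path, the script name and the --check argument are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not the guide's /opt/nginx.sh): keepalived track script that
# probes nginx over HTTP, restarts it once, and exits non-zero on failure so the
# vrrp_script weight demotes this node instead of stopping keepalived outright.
# Install as /opt/nginx-check.sh (root:root, mode 700) and reference it as
#   script "/opt/nginx-check.sh --check"
set -u

PROBE_URL="${PROBE_URL:-http://127.0.0.1/}"        # assumption: nginx listens on port 80
NGINX_BIN="${NGINX_BIN:-/usr/local/sbin/nginx}"     # symlink created in Part 1, section 6 step 6

# Map an HTTP status code to a verdict. Any answer nginx produces itself
# (2xx/3xx/4xx) means the proxy is up; 5xx means nginx is up but the JumpServer
# core behind it is not, which should also move the VIP away; 000 (curl could
# not connect) or an empty string means nothing is listening.
http_code_ok() {  # http_code_ok <code>
    case "$1" in
        2[0-9][0-9]|3[0-9][0-9]|4[0-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the status code of a URL; curl prints 000 when it cannot connect, and an
# empty result (curl missing) is mapped to 000 as well. Proxies are bypassed.
probe() {  # probe [url]
    local url="${1:-$PROBE_URL}" code
    code=$(curl -s -o /dev/null --noproxy '*' --max-time 2 -w '%{http_code}' "$url" 2>/dev/null) || true
    printf '%s' "${code:-000}"
}

# Returns 0 if nginx answers (possibly after one restart attempt), 1 otherwise.
check_and_recover() {
    local code
    code=$(probe)
    http_code_ok "$code" && return 0
    logger -t nginx-check "probe returned $code, trying to start nginx"
    "$NGINX_BIN" -t >/dev/null 2>&1 && "$NGINX_BIN" >/dev/null 2>&1
    sleep 2
    code=$(probe)
    http_code_ok "$code" && return 0
    logger -t nginx-check "still failing ($code); exiting 1 so keepalived lowers the priority"
    return 1
}

# Only run the probe when keepalived invokes the script with --check, so the
# file can also be sourced to exercise the functions.
if [ "${1:-}" = "--check" ]; then
    check_and_recover
    exit $?
fi
```

Demoting rather than stopping keepalived has one practical advantage: when nginx comes back the node returns to its normal priority on its own, whereas a stopped keepalived stays stopped until someone restarts it.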

4. Access JumpServer through the VIP

For how to use JumpServer, see the documentation:
[JumpServer documentation](https://docs.jumpserver.org/zh/master/)
