This document draws on the bastion host deployment scheme from Laoguang's secondary development of jumpserver and builds a cluster deployment on top of it to improve reliability. Although bastion hosts with similar functionality have already been released abroad, thanks are still due to Laoguang for finding the time to develop a more practical bastion host.
The contents have been tested by the author, but some inaccuracies are bound to remain. Colleagues who find any are asked to report them so they can be corrected promptly.
jumpserver bastion host cluster deployment manual

Contents
Part 1  Bastion host architecture
    jumpserver basic architecture
    jumpserver cluster architecture
Part 2  Deployment
    Deployment overview
    Platform environment
    LDAP realserver deployment
        1. Install the openldap software
        2. Configure openldap
    MySQL realserver deployment
        1. Install the mysql server software
        2. Configure mysql master-master replication
    jumpserver main program deployment
        1. Environment preparation
        2. Install the main program
        3. Nginx+uwsgi+django deployment
        4. glusterfs deployment
    keepalived deployment
        1. Install software
        2. Modify the main configuration file on the LVS master
        3. Backup server (LVS backup) configuration
        4. Configure the realserver lvs scripts
        5. Set the script to run at boot
Part 3  Testing
        1. Backend service failover test
        2. Scheduler master/backup switchover
Part 4  Management
        Notes on creating users
Part 5  Troubleshooting
        1. Error when logging into the front-end management page
        2. ldapadd reports an error when importing the skeleton
Part 1  Bastion host architecture

jumpserver basic architecture
The jumpserver program is written mainly in Python. Its front-end pages give a concise, intuitive view for managing hosts and users.
Services jumpserver depends on, with their default ports:
http: 80
ldap: 389
mysql: 3306
ssh: 22

jumpserver cluster architecture
The jumpserver cluster provides high availability for the ldap, database, http and ssh servers.
Services in the architecture and the software that provides them:
ldap: openldap
DB: mysql
ssh: openssh
http: nginx
lvs: keepalived, ipvsadm
Part 2  Deployment

Deployment overview
The deployment has four parts:
LDAP realserver deployment
    openldap mirror mode keeps the data of the two ldap servers consistent.
mysql realserver deployment
    mysql master-master replication keeps the data of the two databases consistent.
jumpserver deployment
    This part deploys the jumpserver main program and uses nginx+uwsgi+django for the front-end application and multi-threaded ldap access.
Scheduler (director) deployment
    keepalived+ipvsadm in master/backup mode make the LVS-DR director highly available.
Platform environment:
OS: CentOS 6.6 64-bit
Database: MySQL 5.1.73
openldap: openldap-2.4.39
nginx: nginx-1.9.1
pcre: pcre-8.36
uwsgi: uwsgi-2.0.10
MySQL-python: MySQL-python-1.2.3
ssh: OpenSSH-5.3
LDAP realserver deployment

1. Install the openldap software
Install the openldap packages on both servers (openldap-servers provides slapd and the template files used below):
# yum -y install openldap openldap-servers openldap-clients nss-pam-ldapd pam_ldap
2. Configure openldap
2.1 Prepare the configuration files
Copy the slapd configuration template:
# cp /usr/share/openldap-servers/slapd.conf.obsolete /etc/openldap/slapd.conf
Copy the ldap database configuration template:
# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
Copy the sudo schema:
# cp /usr/share/doc/sudo-1.8.6p3/schema.OpenLDAP /etc/openldap/schema/sudo.schema
2.2 Edit the configuration file
vim /etc/openldap/slapd.conf
include /etc/openldap/schema/sudo.schema
database bdb
suffix "dc=test,dc=net"
checkpoint 1024 15
rootdn "cn=Manager,dc=test,dc=net"
rootpw secret123 ## password, set here in plaintext (slappasswd generates the hashed form used in the commented line below)
# rootpw {crypt}ijasdfNcSNctBYg
loglevel 1 ## add a log level
#### ldap data replication; mirror mode is used here ########
index objectClass,entryCSN,entryUUID eq
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
serverID 2
## the syncrepl arguments form one logical line: continuation lines must start with whitespace
syncrepl rid=234
    provider=ldap://10.60.8.17:389
    bindmethod=simple
    binddn="cn=admin,dc=test,dc=net"
    credentials=test@ADMIN
    searchbase="dc=test,dc=net"
    schemachecking=on
    type=refreshAndPersist
    retry="60 +"
mirrormode on
2.3 Edit the log configuration
vim /etc/rsyslog.conf
Below the existing local7.* line, add the following line (slapd logs to the local4 syslog facility):
local4.* /var/log/ldap.log
Restart rsyslog and check that the log file is created:
# service rsyslog restart
2.4 Generate the new ldap configuration database
Normally /etc/openldap/slapd.d/ holds slapd's configuration data, such as the directory structure and passwords. If this configuration is changed, the files in that directory must be deleted and regenerated from slapd.conf.
# service slapd start
# rm -rf /etc/openldap/slapd.d/*
# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d   ## generate the new files
# chown -R ldap:ldap /etc/openldap/slapd.d/   ## make ldap the owner
# service slapd restart
# netstat -tulnp | grep slapd
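netstat only shows that slapd is listening; whether the two mirrors actually replicate is visible in the contextCSN attribute of the base entry, which both servers must agree on. The script below is an added check, not part of the original manual. It assumes the suffix dc=test,dc=net from the configuration above and that anonymous reads of contextCSN on the base entry are allowed; the ldapsearch output embedded in it is constructed. For the mirror to work at all, each server must also carry its own serverID and point provider= at the other server, and the binddn cn=admin,dc=test,dc=net used for the replication bind must exist in the directory (the rootdn shown is cn=Manager), otherwise the consumer side never catches up.

```sh
#!/bin/sh
# Added example, not part of the original manual: verify that the two OpenLDAP
# mirrors agree on contextCSN. Assumes suffix dc=test,dc=net (from the manual);
# server addresses are passed in as arguments.

BASE="dc=test,dc=net"

# Print the contextCSN values found in ldapsearch LDIF output (stdin), sorted.
# In mirror mode the base entry carries one contextCSN per serverID, so the
# complete set must match on both servers, not just the first value.
extract_csn() {
    sed -n 's/^contextCSN:[[:space:]]*//p' | sort
}

# compare_csn FILE_A FILE_B: 0 if both files carry the same contextCSN set,
# 1 if they differ (replication lag or a split), 2 if one side has none at all.
compare_csn() {
    a=$(extract_csn < "$1")
    b=$(extract_csn < "$2")
    if [ -z "$a" ] || [ -z "$b" ]; then
        echo "no contextCSN in $1 or $2: search failed or server has no provider data" >&2
        return 2
    fi
    if [ "$a" = "$b" ]; then
        printf 'in sync:\n%s\n' "$a"
        return 0
    fi
    printf 'NOT in sync\n%s:\n%s\n%s:\n%s\n' "$1" "$a" "$2" "$b" >&2
    return 1
}

# live_check HOST_A HOST_B: query both mirrors (needs openldap-clients) and compare.
live_check() {
    ta=$(mktemp); tb=$(mktemp)
    ldapsearch -x -LLL -H "ldap://$1" -b "$BASE" -s base contextCSN > "$ta"
    ldapsearch -x -LLL -H "ldap://$2" -b "$BASE" -s base contextCSN > "$tb"
    compare_csn "$ta" "$tb"; rc=$?
    rm -f "$ta" "$tb"
    return $rc
}

# write_sample NAME PATH: constructed ldapsearch -LLL output for offline testing.
# "synced" is the two-serverID case; "lagging" has an older CSN for serverID 2.
write_sample() {
    case $1 in
        synced)  csn2="20150710083015.654321Z#000000#002#000000" ;;
        lagging) csn2="20150710082959.000000Z#000000#002#000000" ;;
        *) echo "unknown sample $1" >&2; return 1 ;;
    esac
    cat > "$2" <<EOF
dn: $BASE
contextCSN: 20150710083012.123456Z#000000#001#000000
contextCSN: $csn2

EOF
}

# demo: 0 when the synced pair passes and the lagging pair is flagged.
demo() {
    d=$(mktemp -d)
    write_sample synced "$d/a"; write_sample synced "$d/b"; write_sample lagging "$d/c"
    rc=0
    compare_csn "$d/a" "$d/b" >/dev/null || rc=1                 # must pass
    if compare_csn "$d/a" "$d/c" >/dev/null 2>&1; then rc=1; fi  # must be flagged
    rm -rf "$d"
    return $rc
}
```

Against the two servers of this deployment the call is `live_check 10.60.8.16 10.60.8.17`; `demo` exercises the comparison offline on the constructed samples. A persistent difference with both slapd processes up usually means the replication bind failed or the syncrepl continuation lines were not indented.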
2.5 Import the ldif skeleton
Use migrationtools to export the skeleton.
Install migrationtools:
# yum install migrationtools
Edit the migrationtools configuration:
# vim /usr/share/migrationtools/migrate_common.ph
Change lines 71-74:
# Default DNS domain
$DEFAULT_MAIL_DOMAIN = "test.net"; ## change to your own domain
# Default base
$DEFAULT_BASE = "dc=test,dc=net"; ## change to your own suffix
Export the skeleton (the passwd and group scripts read the file given as argument; exporting all of /etc/passwd also carries the system accounts, so trim the ldif before importing it):
# cd /usr/share/migrationtools
# ./migrate_base.pl > base.ldif
# ./migrate_passwd.pl /etc/passwd > passwd.ldif
# ./migrate_group.pl /etc/group > group.ldif
Import the entries:
# ldapadd -x -D "cn=Manager,dc=test,dc=net" -W -f base.ldif
# ldapadd -x -D "cn=Manager,dc=test,dc=net" -W -f group.ldif
# ldapadd -x -D "cn=Manager,dc=test,dc=net" -W -f passwd.ldif
MySQL realserver deployment

1. Install the mysql server software
# yum install -y mysql mysql-server mysql-devel
2. Configure mysql master-master replication
Edit the mysql main configuration file (the options below belong in the [mysqld] section):
# vim /etc/my.cnf
Configuration on mysql1:
[mysqld]
pid-file = /var/lib/mysql/mysqld.pid
port = 3306
log-bin = master-bin
log-bin-index = master-bin.index
server-id = 1
relay-log-index = slave-relay-bin.index
relay-log = slave-relay-bin
auto_increment_increment=2
auto_increment_offset=1
Configuration on mysql2 (server-id must differ from mysql1, otherwise the slave I/O thread refuses to start):
[mysqld]
pid-file = /var/lib/mysql/mysqld.pid
port = 3306
log-bin = master-bin
log-bin-index = master-bin.index
server-id = 2
relay-log-index = slave-relay-bin.index
relay-log = slave-relay-bin
auto_increment_increment=2
auto_increment_offset=2
Grant the other host replication privileges (REPLICATION SLAVE is a global privilege, so it is granted ON *.*):
mysql> GRANT REPLICATION SLAVE ON *.* TO 'jumpserver'@'10.60.8.17' IDENTIFIED BY 'mysql234';   -- run on mysql1 (host 10.60.8.16)
mysql> GRANT REPLICATION SLAVE ON *.* TO 'jumpserver'@'10.60.8.16' IDENTIFIED BY 'mysql234';   -- run on mysql2 (host 10.60.8.17)
Specify the master host
Setting the master on mysql1 (10.60.8.16)
Check the master status on mysql2:
mysql> show master status;
+--------------------+----------+--------------+------------------+
|File | Position |Binlog_Do_DB | Binlog_Ignore_DB |
+--------------------+----------+--------------+------------------+
| masterB-bin.000005 | 8310 | | |
+--------------------+----------+--------------+------------------+
1 row in set (0.00 sec)
Specify the master:
mysql> CHANGE MASTER TO
    -> MASTER_HOST='10.60.8.17',
    -> MASTER_PORT=3306,
    -> MASTER_USER='jumpserver',
    -> MASTER_PASSWORD='mysql234',
    -> MASTER_LOG_FILE='masterB-bin.000005',
    -> MASTER_LOG_POS=8310;
Note that the binary log file name and position here are taken from the other host's master status, and that MASTER_PORT and MASTER_LOG_POS are integers and take no quotes.
Start replication and check the slave status
mysql> start slave;
Check on the other master as well; output like the following shows the configuration succeeded. Insert a row into a table to confirm that it is replicated.
mysql> show slave status\G
*************************** 1. row ***************************
Slave_IO_State:Waiting for master to send event
Master_Host:10.6.2.148
Master_User:jumpserver
Master_Port:3306
Connect_Retry:60
Master_Log_File:masterB-bin.000005
Read_Master_Log_Pos:8310
Relay_Log_File:slave-relay-bin.000029
Relay_Log_Pos:253
Relay_Master_Log_File:masterB-bin.000005
Slave_IO_Running: Yes
Slave_SQL_Running: Yes
Replicate_Do_DB:
Replicate_Ignore_DB:
Replicate_Do_Table:
Replicate_Ignore_Table:
Replicate_Wild_Do_Table:
Replicate_Wild_Ignore_Table:
Last_Errno:0
Last_Error:
Skip_Counter:0
Exec_Master_Log_Pos:8310
Relay_Log_Space:555
Until_Condition:None
Until_Log_File:
Until_Log_Pos:0
Master_SSL_Allowed:No
Master_SSL_CA_File:
Master_SSL_CA_Path:
Master_SSL_Cert:
Master_SSL_Cipher:
Master_SSL_Key:
Seconds_Behind_Master:0
Master_SSL_Verify_Server_Cert:No
Last_IO_Errno: 0
Last_IO_Error:
Last_SQL_Errno: 0
Last_SQL_Error:
1 row in set (0.00 sec)
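Once both CHANGE MASTER statements have been run (the one above on mysql1, and its mirror image on mysql2 using the file and position from mysql1's SHOW MASTER STATUS), two things are worth checking continuously rather than once: that both replication threads stay up with small lag, and that the two my.cnf files really carry distinct server-id and auto_increment_offset values, since a duplicated server-id makes the slave I/O thread refuse to run. The script below is an added example, not part of the manual; the SHOW SLAVE STATUS excerpts and my.cnf fragments embedded in it are constructed, and the default lag threshold of 30 seconds is an assumption.

```sh
#!/bin/sh
# Added example, not part of the original manual: health checks for the
# mysql master-master pair. The sample data below is constructed.

# field FILE KEY: value of "KEY: value" in SHOW SLAVE STATUS\G output.
field() {
    sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1
}

# check_slave_status FILE [MAX_LAG]: 0 if both threads run, no error is
# recorded and Seconds_Behind_Master <= MAX_LAG (default 30); 1 otherwise.
check_slave_status() {
    f=$1; max_lag=${2:-30}; rc=0
    io=$(field "$f" Slave_IO_Running)
    sq=$(field "$f" Slave_SQL_Running)
    lag=$(field "$f" Seconds_Behind_Master)
    err=$(field "$f" Last_Error)
    [ "$io" = "Yes" ] || { echo "Slave_IO_Running=$io"; rc=1; }
    [ "$sq" = "Yes" ] || { echo "Slave_SQL_Running=$sq"; rc=1; }
    [ -z "$err" ]     || { echo "Last_Error: $err"; rc=1; }
    case $lag in
        ''|*[!0-9]*) echo "Seconds_Behind_Master=$lag (NULL while the I/O thread is down)"; rc=1 ;;
        *) [ "$lag" -le "$max_lag" ] || { echo "lag ${lag}s exceeds ${max_lag}s"; rc=1; } ;;
    esac
    return $rc
}

# cnf_value FILE KEY: value of "KEY = value"; mysqld accepts - and _ interchangeably.
cnf_value() {
    k=$(echo "$2" | sed 's/[-_]/[-_]/g')
    sed -n "s/^[[:space:]]*$k[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# check_master_pair CNF1 CNF2: 0 when server-id and auto_increment_offset differ
# between the two nodes and auto_increment_increment is 2 on both; 1 otherwise.
check_master_pair() {
    rc=0
    id1=$(cnf_value "$1" server-id); id2=$(cnf_value "$2" server-id)
    of1=$(cnf_value "$1" auto_increment_offset); of2=$(cnf_value "$2" auto_increment_offset)
    in1=$(cnf_value "$1" auto_increment_increment); in2=$(cnf_value "$2" auto_increment_increment)
    [ -n "$id1" ] && [ -n "$id2" ] && [ "$id1" != "$id2" ] || { echo "server-id must differ: '$id1' vs '$id2'"; rc=1; }
    [ -n "$of1" ] && [ -n "$of2" ] && [ "$of1" != "$of2" ] || { echo "auto_increment_offset must differ: '$of1' vs '$of2'"; rc=1; }
    [ "$in1" = 2 ] && [ "$in2" = 2 ] || { echo "auto_increment_increment should be 2 on both nodes"; rc=1; }
    return $rc
}

# write_sample NAME PATH: constructed inputs for offline testing.
write_sample() {
    case $1 in
        status_ok) cat > "$2" <<'EOF'
*************************** 1. row ***************************
               Slave_IO_State: Waiting for master to send event
                  Master_Host: 10.60.8.17
             Slave_IO_Running: Yes
            Slave_SQL_Running: Yes
                   Last_Errno: 0
                   Last_Error:
        Seconds_Behind_Master: 0
EOF
        ;;
        status_broken) cat > "$2" <<'EOF'
             Slave_IO_Running: Yes
            Slave_SQL_Running: No
                   Last_Errno: 1062
                   Last_Error: Error 'Duplicate entry' on query
        Seconds_Behind_Master: NULL
EOF
        ;;
        cnf_node1)       printf '[mysqld]\nserver-id = 1\nauto_increment_increment=2\nauto_increment_offset=1\n' > "$2" ;;
        cnf_node2)       printf '[mysqld]\nserver-id = 2\nauto_increment_increment=2\nauto_increment_offset=2\n' > "$2" ;;
        cnf_node2_dupid) printf '[mysqld]\nserver-id = 1\nauto_increment_increment=2\nauto_increment_offset=2\n' > "$2" ;;
        *) return 1 ;;
    esac
}
```

In operation the status file is produced with `mysql -e 'SHOW SLAVE STATUS\G' > /tmp/slave.status` on each node and fed to `check_slave_status`; `check_master_pair /etc/my.cnf <copy of the other node's my.cnf>` catches the duplicated server-id before replication is started.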
jumpserver main program deployment

1. Environment preparation
Download link for the software packages: http://bbs.jumpserver.org/read-83
Two servers; a minimal Linux install is recommended.
Install software:
yum install -y vim automake autoconf gcc xz ncurses-devel patch python-devel git python-pip gcc-c++ mysql mysql-devel
2. Install the main program
2.1 Unpack the files
tar xf jumpserver.tar.bz2 -C /opt
tar xf node_modules.tar.bz2 -C /opt/jumpserver/websocket
tar xf pip-build-root.tar.bz2 -C /tmp
2.2 Fetch updates
cd /opt/jumpserver
git pull origin master:master
2.3 Remove the incompatible module
cd /opt/jumpserver/docs
rm -rf /usr/lib64/python2.6/site-packages/Crypto && echo y | pip uninstall pycrypto
2.4 Install the dependent modules
pip install -r requirements.txt -i http://pypi.douban.com/simple
2.5 Configure jumpserver.conf
cd /opt/jumpserver
vim jumpserver.conf
The file is INI-style; the annotations are given here as full-line ; comments, because // is not a comment marker in this format and would become part of the value.
[base]
; this host's ip
ip = 10.60.8.14
port = 80
key = 88aaaf7ffe3c6c04
[db]
; ip of the mysql database; for testing, the user must be granted access on mysql
host = 10.60.8.16
; database port
port = 3306
; user name
user = jumpserver
; database password
password = mysql234
; database name
database = jumpserver
[ldap]
ldap_enable = 1
; ldap server address
host_url = ldap://10.60.8.16:389
; ldap directory suffix
base_dn = dc=test, dc=net
root_dn = cn=Manager,dc=test,dc=net
; password
root_pw = secret234
[websocket]
; web socket
web_socket_host = 10.60.8.14:3000
[mail]
; sending mailbox
email_host = smtp.exmail.qq.com
email_port = 25
email_host_user = [email protected]
email_host_password = jumpserver123
email_use_tls = False
2.6 Create the log directories
mkdir -p logs/{connect,exec_cmds} && chmod -R 777 logs   # 777 makes the session logs world-writable; owning logs/ by the uwsgi user is tighter
2.7 django syncdb into the database
chmod +x *.py *.sh
echo no | python manage.py syncdb
2.8 Install and configure websocket
yum -y install nodejs npm
cd /opt/jumpserver/websocket
npm install
cd /opt/jumpserver
sh service.sh start
2.9 Login test
cd /opt/jumpserver/docs
cp zzjumpserver.sh /etc/profile.d/
Open http://10.6.2.14/install in a browser to initialize, then log in; the default account and password are admin / admin.
3. Nginx+uwsgi+django deployment
3.1 Install pcre
tar -zxvf pcre-8.36.tar.gz
cd pcre-8.36
./configure
make && make install
3.2 Install nginx
tar -zxvf nginx-1.9.1.tar.gz
cd nginx-1.9.1
./configure --user=nobody --group=nobody --prefix=/usr/local/nginx --with-http_stub_status_module --with-cc-opt='-O3' --with-cpu-opt=opteron
make && make install
3.3 Install MySQL-python
tar -zxvf MySQL-python-1.2.3.tar.gz
cd MySQL-python-1.2.3
python setup.py build     # needs the mysql-devel and python-devel packages installed above
python setup.py install
3.4 Install libxml first, then uwsgi
yum -y install libxml*
tar -zxvf uwsgi-2.0.10.tar.gz
cd uwsgi-2.0.10
make
cp uwsgi /usr/bin
3.5 Configure nginx
# cd /usr/local/nginx/conf/
Add a sub-configuration file:
# vim django_uwsgi.conf
# Django project
server {
    listen 80;
    server_name 192.168.20.128;
    location / {
        uwsgi_pass 127.0.0.1:9000;
        include uwsgi_params;
        access_log off;   # disabling the access log leaves no web access trail on the bastion host
    }
    location ^~ /static {
        root /opt/jumpserver;
    }
    location ^~ /admin/ {
        uwsgi_pass 127.0.0.1:9000;
        include uwsgi_params;
        access_log off;
    }
    location ~* ^.+\.(mpg|avi|mp3|swf|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|txt|tar|mid|midi|wav|rtf|mpeg)$ {
        root /opt/jumpserver/static;
        access_log off;
    }
}
Add the uwsgi parameter support and include the sub-configuration file django_uwsgi.conf in the http block:
# vim nginx.conf
http {
    ........
    include uwsgi_params;
    include django_uwsgi.conf;
}
3.6 uwsgi configuration
mkdir -p /home/uwsgi; cd /home/uwsgi
mkdir -p /opt/jumpserver/logs
echo "" > /opt/jumpserver/logs/django.log
vim uwsgi.xml
<uwsgi>
    <socket>127.0.0.1:9000</socket>
    <listen>80</listen>
    <master>true</master>
    <pidfile>/usr/local/nginx/uwsgi.pid</pidfile>
    <processes>8</processes>
    <pythonpath>/opt/jumpserver</pythonpath>
    <pythonpath>/opt/</pythonpath>
    <module>django_wsgi</module>
    <profiler>true</profiler>
    <memory-report>true</memory-report>
    <enable-threads>true</enable-threads>
    <logdate>true</logdate>
    <limit-as>6048</limit-as>
    <daemonize>/opt/jumpserver/logs/django.log</daemonize>
</uwsgi>
3.7 Create the application module
# cd /opt/jumpserver
# vim django_wsgi.py
import os

# Point Django at the jumpserver settings before the handler is imported
os.environ['DJANGO_SETTINGS_MODULE'] = 'jumpserver.settings'

import django.core.handlers.wsgi

# WSGI callable that uwsgi loads through <module>django_wsgi</module>
application = django.core.handlers.wsgi.WSGIHandler()
3.8 Start the services
cd /lib/
ln -s libpcre.so.0.0.1 libpcre.so.1
ln -s /usr/local/lib/libpcre.so.1 /lib64/
/usr/bin/uwsgi -x /home/uwsgi/uwsgi.xml
/usr/local/nginx/sbin/nginx
3.9 Check the processes
# ps -ef | grep uwsgi | grep -v grep
root 13711 1 0 Jul10 ? 00:00:02 /usr/bin/uwsgi -x/home/uwsgi/uwsgi.xml
root 13712 13711 0 Jul10 ? 00:00:00 /usr/bin/uwsgi -x /home/uwsgi/uwsgi.xml
root 13713 13711 0 Jul10 ? 00:00:00 /usr/bin/uwsgi -x/home/uwsgi/uwsgi.xml
root 13714 13711 0 Jul10 ? 00:00:00 /usr/bin/uwsgi -x/home/uwsgi/uwsgi.xml
root 13715 13711 0 Jul10 ? 00:00:00 /usr/bin/uwsgi -x/home/uwsgi/uwsgi.xml
root 13716 13711 0 Jul10 ? 00:00:00 /usr/bin/uwsgi -x/home/uwsgi/uwsgi.xml
root 13717 13711 0 Jul10 ? 00:00:00 /usr/bin/uwsgi -x/home/uwsgi/uwsgi.xml
root 13718 13711 0 Jul10 ? 00:00:00 /usr/bin/uwsgi -x/home/uwsgi/uwsgi.xml
root 13719 13711 0 Jul10 ? 00:00:14 /usr/bin/uwsgi -x/home/uwsgi/uwsgi.xml
3.10 Listening ports
# netstat -an | grep 9000
tcp 0 0 127.0.0.1:9000 0.0.0.0:* LISTEN
# netstat -lpnt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:58357 0.0.0.0:* LISTEN 4934/rpc.mountd
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 4435/named
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1148/sshd
tcp 0 0 0.0.0.0:3000 0.0.0.0:* LISTEN 13782/node
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 4435/named
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1225/master
tcp 0 0 0.0.0.0:39199 0.0.0.0:* LISTEN 4934/rpc.mountd
tcp 0 0 0.0.0.0:46399 0.0.0.0:* LISTEN 995/rpc.statd
tcp 0 0 0.0.0.0:2049 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:9000 0.0.0.0:* LISTEN 13711/uwsgi
tcp 0 0 0.0.0.0:44585 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:46505 0.0.0.0:* LISTEN 4934/rpc.mountd
tcp 0 0 0.0.0.0:873 0.0.0.0:* LISTEN 3503/rsync
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 4688/rpcbind
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 13458/nginx
tcp 0 0 ::1:53 :::* LISTEN 4435/named
tcp 0 0 :::22 :::* LISTEN 1148/sshd
tcp 0 0 :::51864 :::* LISTEN 4934/rpc.mountd
tcp 0 0 ::1:953 :::* LISTEN 4435/named
tcp 0 0 ::1:25 :::* LISTEN 1225/master
tcp 0 0 :::52635 :::* LISTEN 4934/rpc.mountd
tcp 0 0 :::33886 :::* LISTEN -
tcp 0 0 :::33791 :::* LISTEN 995/rpc.statd
tcp 0 0 :::2049 :::* LISTEN -
tcp 0 0 :::51969 :::* LISTEN 4934/rpc.mountd
tcp 0 0 :::873 :::* LISTEN 3503/rsync
tcp 0 0 :::111 :::* LISTEN 4688/rpcbind
# lsof -i :80
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
nginx 13458 root 6u IPv4 55588 0t0 TCP *:http (LISTEN)
nginx 13733 nobody 6u IPv4 55588 0t0 TCP *:http (LISTEN)
3.11 Open http://10.60.8.14 and confirm that the page loads normally.
3.12 Edit the jumpserver main startup script
# vim /opt/jumpserver/service.sh
Run service.sh to restart the service:
sh service.sh restart
3.13 Write the uwsgi startup script
cd /home/uwsgi
vim uwsgiserver.sh
#!/bin/bash
if [ "$1" = start ]; then
    # count uwsgi processes (master plus workers); more than 2 means it is already up
    psid=`ps aux | grep "uwsgi" | grep -v "grep" | wc -l`
    if [ $psid -gt 2 ]; then
        echo "uwsgi is running!"
        exit 0
    else
        /usr/bin/uwsgi -x /home/uwsgi/uwsgi.xml
    fi
    echo "Start uwsgi service [OK]"
elif [ "$1" = stop ]; then
    killall -9 uwsgi
    echo "Stop uwsgi service [OK]"
elif [ "$1" = restart ]; then
    killall -9 uwsgi
    /usr/bin/uwsgi -x /home/uwsgi/uwsgi.xml
    echo "Restart uwsgi service [OK]"
else
    echo "Usage: sh uwsgiserver.sh [start|stop|restart]"
fi
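The script above stops uwsgi with killall -9 and detects a running instance by counting ps|grep matches, which also counts any other process whose command line contains "uwsgi" and kills workers in the middle of a request. The variant below is an added example, not the manual's script: it drives the master through the pidfile already declared in uwsgi.xml (/usr/local/nginx/uwsgi.pid) with uwsgi's own --stop and --reload switches and treats a stale pidfile left by a crash as "not running". The paths are the manual's; the reload action is an addition.

```sh
#!/bin/bash
# Added example, not the manual's uwsgiserver.sh: pidfile-driven control of uWSGI.
# Paths are those of the manual's uwsgi.xml (<pidfile>/usr/local/nginx/uwsgi.pid</pidfile>).
UWSGI=/usr/bin/uwsgi
CONF=/home/uwsgi/uwsgi.xml
PIDFILE=/usr/local/nginx/uwsgi.pid

# uwsgi_pid_running PIDFILE: 0 if the pidfile names a live process; 1 if the file
# is missing, holds no pid, or the pid is dead (stale pidfile after a crash).
# kill -0 also fails without permission to signal the pid, so run this as the uwsgi owner.
uwsgi_pid_running() {
    [ -r "$1" ] || return 1
    pid=$(tr -dc '0-9' < "$1")
    [ -n "$pid" ] || return 1
    kill -0 "$pid" 2>/dev/null
}

uwsgi_start() {
    if uwsgi_pid_running "$PIDFILE"; then
        echo "uwsgi is running (pid $(cat "$PIDFILE"))"
        return 0
    fi
    rm -f "$PIDFILE"                      # drop a stale pidfile, if any
    "$UWSGI" -x "$CONF" && echo "Start uwsgi service [OK]"
}

# --stop sends SIGINT to the master, which shuts down the whole stack in an
# orderly way; wait up to 10 s for it instead of reaching for kill -9.
uwsgi_stop() {
    uwsgi_pid_running "$PIDFILE" || { echo "uwsgi is not running"; return 0; }
    "$UWSGI" --stop "$PIDFILE"
    i=0
    while uwsgi_pid_running "$PIDFILE" && [ $i -lt 10 ]; do sleep 1; i=$((i + 1)); done
    if uwsgi_pid_running "$PIDFILE"; then
        echo "uwsgi did not exit within 10 s" >&2
        return 1
    fi
    echo "Stop uwsgi service [OK]"
}

# --reload sends SIGHUP: workers are recycled gracefully and the socket stays
# open, so nginx sees no connection failures during a code deploy.
uwsgi_reload() {
    uwsgi_pid_running "$PIDFILE" || { echo "uwsgi is not running" >&2; return 1; }
    "$UWSGI" --reload "$PIDFILE" && echo "Reload uwsgi service [OK]"
}

# Dispatch only when an action is given, so the file can also be sourced for its functions.
if [ $# -gt 0 ]; then
    case "$1" in
        start)   uwsgi_start ;;
        stop)    uwsgi_stop ;;
        restart) uwsgi_stop && uwsgi_start ;;
        reload)  uwsgi_reload ;;
        *)       echo "Usage: sh uwsgiserver.sh {start|stop|restart|reload}" >&2; exit 1 ;;
    esac
fi
```

Adding <vacuum>true</vacuum> to uwsgi.xml makes uwsgi remove its socket and pidfile when it exits, so the stale-pidfile branch is then only needed after a crash.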
3.14 Restart the services
Restart the following services in order:
cd /home/uwsgi
sh uwsgiserver.sh restart
cd /usr/local/nginx/sbin
./nginx -s reload
4. glusterfs deployment
Keep /opt/jumpserver/keys and /opt/jumpserver/logs identical on the two jumpserver servers.
Install the glusterfs software:
yum install -y glusterfs glusterfs-server glusterfs-cli
Configure glusterfs
On jumpserver1, add the other server to the trusted storage pool:
# gluster peer probe 10.60.8.15
Probe successful
Create the replicated volumes
Create the keys and logs directories on both servers:
# mkdir -p /usr/local/share/logs /usr/local/share/keys
# gluster volume create key replica 2 transport tcp 10.60.8.14:/usr/local/share/keys 10.60.8.15:/usr/local/share/keys
# gluster volume create log replica 2 transport tcp 10.60.8.14:/usr/local/share/logs 10.60.8.15:/usr/local/share/logs
Start the replicated volumes
# gluster volume start log
# gluster volume start key
Mount the volumes
# mount -t glusterfs 10.60.8.14:log /opt/jumpserver/logs
# mount -t glusterfs 10.60.8.14:key /opt/jumpserver/keys
Add the following two lines to /etc/fstab (jump1 must resolve to the gluster host on both servers):
jump1:log /opt/jumpserver/logs glusterfs defaults 0 0
jump1:key /opt/jumpserver/keys glusterfs defaults 0 0
Remount:
# mount -a
Start the glusterfs services at boot:
# chkconfig --level 35 glusterd on
# chkconfig --level 35 glusterfsd on
keepalived deployment

1. Install software
Install the software on both lvs servers:
yum install -y ipvsadm keepalived
2. Modify the main configuration file on the LVS master
# vim /etc/keepalived/keepalived.conf
The lvs master server is configured as follows:
! Configuration File for keepalived
global_defs {
    notification_email {
    }
    notification_email_from [email protected]
    smtp_server 10.60.8.22
    smtp_connect_timeout 30
    router_id LVS_DEVEL
}
vrrp_sync_group test {
    group {
        VI_1
        VI_2
    }
}
vrrp_instance VI_1 {
    state MASTER
    interface eth0
    virtual_router_id 55
    priority 85
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        10.60.8.10
    }
}
vrrp_instance VI_2 {
    state BACKUP
    interface eth0
    virtual_router_id 65
    priority 90
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 2222
    }
    virtual_ipaddress {
        10.60.8.11
    }
}
virtual_server 10.60.8.10 80 {
    delay_loop 6
    lb_algo sh
    lb_kind DR
    # nat_mask 255.255.255.128
    persistence_timeout 120
    protocol TCP
    real_server 10.60.8.14 80 {
        weight 3
        TCP_CHECK {
            connect_timeout 3
            nb_get_retry 3
            delay_before_retry 3
            connect_port 80
        }
    }
    real_server 10.60.8.15 80 {
        weight 3
        TCP_CHECK {
            connect_timeout 3
            nb_get_retry 3
            delay_before_retry 3
            connect_port 80
        }
    }
}
virtual_server 10.60.8.10 22 {
    delay_loop 6
    lb_algo wlc
    lb_kind DR
    # nat_mask 255.255.255.128
    persistence_timeout 120
    protocol TCP
    real_server 10.60.8.14 22 {
        weight 3
        TCP_CHECK {
            connect_timeout 3
            nb_get_retry 3
            delay_before_retry 3
            connect_port 22
        }
    }
    real_server 10.60.8.15 22 {
        weight 3
        TCP_CHECK {
            connect_timeout 3
            nb_get_retry 3
            delay_before_retry 3
            connect_port 22
        }
    }
}
virtual_server 10.60.8.11 3306 {
    delay_loop 6
    lb_algo wlc
    lb_kind DR
    # nat_mask 255.255.255.128
    persistence_timeout 120
    protocol TCP
    real_server 10.60.8.16 3306 {
        weight 3
        TCP_CHECK {
            connect_timeout 3
            nb_get_retry 3
            delay_before_retry 3
            connect_port 3306
        }
    }
    real_server 10.60.8.17 3306 {
        weight 3
        TCP_CHECK {
            connect_timeout 3
            nb_get_retry 3
            delay_before_retry 3
            connect_port 3306
        }
    }
}
3. Backup server (LVS backup) configuration
keepalived.conf is configured the same way as in step 2; the parameters highlighted in step 2 are changed on the backup node as follows (keepalived accepts only MASTER or BACKUP as a state value):
state BACKUP
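The original marked the parameters to change on the backup node in red, which the extracted text no longer shows. What a correct pair needs is that each vrrp_instance carries the opposite state on the two nodes, that the BACKUP side's priority is lower than the MASTER side's, and that virtual_router_id is the same on both. The script below is an added check, not part of the manual; it extracts those fields from two keepalived.conf files and reports any instance where the pair is inconsistent. The backup-side values in its constructed samples are assumptions, since the manual does not give them. Two points about the configuration above also deserve attention: it defines virtual_servers for ports 80, 22 and 3306 only, so LDAP port 389 is not load-balanced, and jumpserver.conf as shown points host and host_url at 10.60.8.16 directly rather than at the 10.60.8.11 VIP, so the database and directory paths bypass keepalived until those values are changed.

```sh
#!/bin/sh
# Added example, not part of the manual: consistency check of a keepalived
# master/backup pair. The sample configurations embedded below are constructed.

# vrrp_summary CONF: one line "name state priority virtual_router_id" per
# vrrp_instance. Only the first state/priority/virtual_router_id after the
# instance header is recorded, so nested authentication/virtual_ipaddress
# blocks do not disturb the result; "-" marks a missing value.
vrrp_summary() {
    awk '
        BEGIN { st = pr = vr = "-" }
        function flush() { if (name != "") print name, st, pr, vr; name = ""; st = pr = vr = "-" }
        /^[[:space:]]*vrrp_instance[[:space:]]/ { flush(); name = $2; next }
        /^[[:space:]]*(virtual_server|vrrp_sync_group|global_defs)[[:space:]]/ { flush(); next }
        name != "" && $1 == "state"             && st == "-" { st = $2 }
        name != "" && $1 == "priority"          && pr == "-" { pr = $2 }
        name != "" && $1 == "virtual_router_id" && vr == "-" { vr = $2 }
        END { flush() }
    ' "$1"
}

# check_vrrp_pair MASTER_CONF BACKUP_CONF: 0 when every instance has the same
# virtual_router_id on both nodes, opposite valid states, and the MASTER side's
# priority above the BACKUP side's; 1 otherwise (each problem is printed).
check_vrrp_pair() {
    ms=$(mktemp); bs=$(mktemp)
    vrrp_summary "$1" > "$ms"
    vrrp_summary "$2" > "$bs"
    rc=0
    while read -r name st pr vr; do
        line=$(grep "^$name " "$bs") || { echo "$name: no such instance on the backup node"; rc=1; continue; }
        set -- $line
        bst=$2; bpr=$3; bvr=$4
        [ "$vr" = "$bvr" ] || { echo "$name: virtual_router_id $vr vs $bvr"; rc=1; }
        for s in "$st" "$bst"; do
            case $s in
                MASTER|BACKUP) ;;
                *) echo "$name: invalid state '$s' (keepalived accepts MASTER or BACKUP)"; rc=1; continue 2 ;;
            esac
        done
        [ "$st" != "$bst" ] || { echo "$name: both nodes declare state $st"; rc=1; continue; }
        if [ "$st" = MASTER ]; then hi=$pr; lo=$bpr; else hi=$bpr; lo=$pr; fi
        [ "$hi" -gt "$lo" ] 2>/dev/null || { echo "$name: MASTER priority $hi is not above BACKUP priority $lo"; rc=1; }
    done < "$ms"
    rm -f "$ms" "$bs"
    return $rc
}

# write_sample ROLE PATH: constructed keepalived.conf fragments.
#   master - the two instances of the manual's LVS master (VI_1 MASTER/85, VI_2 BACKUP/90)
#   backup - an assumed correct backup node (VI_1 BACKUP/80, VI_2 MASTER/95)
#   bad    - a backup node where "state slave" was typed and VI_2 was left as BACKUP
write_sample() {
    case $1 in
        master) s1=MASTER; p1=85; s2=BACKUP; p2=90 ;;
        backup) s1=BACKUP; p1=80; s2=MASTER; p2=95 ;;
        bad)    s1=slave;  p1=80; s2=BACKUP; p2=95 ;;
        *) return 1 ;;
    esac
    cat > "$2" <<EOF
global_defs {
    router_id LVS_DEVEL
}
vrrp_sync_group test {
    group {
        VI_1
        VI_2
    }
}
vrrp_instance VI_1 {
    state $s1
    interface eth0
    virtual_router_id 55
    priority $p1
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        10.60.8.10
    }
}
vrrp_instance VI_2 {
    state $s2
    interface eth0
    virtual_router_id 65
    priority $p2
    virtual_ipaddress {
        10.60.8.11
    }
}
virtual_server 10.60.8.10 80 {
    lb_kind DR
}
EOF
}
```

With the real files copied side by side, `check_vrrp_pair master.conf backup.conf` prints nothing and exits 0 when the pair is consistent; run it after every edit to either node, since a typo such as "slave" makes keepalived reject the file only at restart.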
4. Configure the realserver lvs scripts
The scripts are all placed in /usr/local/lvs/.
Realserver script for ip 10.60.8.16-17:
#!/bin/bash
# LVS-DR realserver: bind the VIP on lo:0 and suppress ARP replies for it,
# so that only the director answers ARP requests for the VIP.
VIP=10.60.8.11
. /etc/rc.d/init.d/functions
case "$1" in
start)
    ifconfig lo:0 $VIP broadcast $VIP netmask 255.255.255.255
    /sbin/route add -host $VIP dev lo:0
    echo "1" > /proc/sys/net/ipv4/conf/lo/arp_ignore
    echo "2" > /proc/sys/net/ipv4/conf/lo/arp_announce
    echo "1" > /proc/sys/net/ipv4/conf/all/arp_ignore
    echo "2" > /proc/sys/net/ipv4/conf/all/arp_announce
    sysctl -p > /dev/null 2>&1
    echo "Realserver start OK"
    ;;
stop)
    route del -host $VIP dev lo:0 > /dev/null 2>&1
    ifconfig lo:0 down
    echo "0" > /proc/sys/net/ipv4/conf/lo/arp_ignore
    echo "0" > /proc/sys/net/ipv4/conf/lo/arp_announce
    echo "0" > /proc/sys/net/ipv4/conf/all/arp_ignore
    echo "0" > /proc/sys/net/ipv4/conf/all/arp_announce
    echo "Realserver stopped"
    ;;
*)
    echo "Usage: $0 {start|stop}"
    exit 1
esac
exit 0
Script for ip 10.60.8.14-15: identical to the script above except for the VIP line, which becomes
VIP=10.60.8.10
5. Set the script to run at boot
echo "sh /usr/local/lvs/realserver.sh start > /dev/null 2>&1" >> /etc/rc.local
Part 3  Testing

1. Backend service failover test
Shut down, in turn and at random, one instance of the jumpserver main program, slapd or mysql, then open the management page in the browser and add and delete test users and hosts to confirm that everything still works.
Download a key, log in to the bastion host, try to connect to a backend host and run an authorized command, and confirm that it succeeds.
2. Scheduler master/backup switchover
Stop the master scheduler server, then try to log in to the front-end management page and check that it still works.
Part 4  Management

Notes on creating users
For front-end page management see:
http://laoguang.blog.51cto.com/6013350/1636708
After logging in to the front-end management page through lvs and creating a user, the user is in fact created on only one jumpserver server; the other does not generate the user information on its own, so the user must be added there manually and the key file copied over. When adding the user, check the user's uid and gid and make sure they are the same on both servers.
Add the user:
useradd -u uid -g gid username
Copy the key: copy the authorized_keys file from $HOME/.ssh to the corresponding directory on the other server.
1. Install the terminal tool xshell
2. Import the key
3. Log in
Part 5  Troubleshooting

1. Error when logging into the front-end management page
After installing Nginx+uwsgi+django, logging in to the front-end management page gives an error.
Solution:
Confirm that mysql-devel is installed and that every step of the Nginx+uwsgi+django deployment completed successfully.
2. ldapadd reports an error when importing the skeleton
Solution:
Confirm that the import command and its arguments are correct.
Delete the ldap configuration data files and regenerate them:
# rm -rf /etc/openldap/slapd.d/*
# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
# chown -R ldap:ldap /etc/openldap/slapd.d/
# service slapd restart