JumpServer双机备份方案
一、写在前头
由于jumpserver目前不支持双机热备,因此本方案采用数据库以及系统用户数据备份实现,主要有以下方面:
1、MySQL数据库主主同步
2、系统文件:/etc/passwd /etc/shaow /etc/group文件同步(rsync+crontab)
3、jumpserver相关用户以及key文件:jumpserver/keys同步(rsync+crontab)
4、主服务器:10.44.131.212、从服务器:10.169.210.223
二、rsync配置
1、主服务器部分
①、关闭SELINUX 编辑防火墙配置文件/etc/selinux/config如下:
#SELINUX=enforcing #注释掉
#SELINUXTYPE=targeted #注释掉
SELINUX=disabled #增加
执行setenforce 0 立即生效
开启防火墙tcp 873端口,编辑防火墙配置文件/etc/sysconfig/iptables,添加以下内容:
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 873 -j ACCEPT
重启防火墙使配置生效 /etc/init.d/iptables restart
②、安装Rsync服务端软件
yum install rsync -y
三、创建rsyncd.conf配置文件/etc/rsyncd.conf,添加以下内容:
uid = root
gid = root
use chroot = no
max connections = 4
pid file = /var/run/rsyncd.pid
lock file = /var/run/rsync.lock
log file = /var/log/rsyncd.log
[jumpserver]
path = /data/jumpserver/keys
#ignore errors
read only = false
list = false
hosts allow = 10.169.210.223
hosts deny = 0.0.0.0/32
auth users = juser
secrets file = /etc/rsync.pass
[home]
path = /home
#ignore errors
read only = false
list = false
hosts allow = 10.169.210.223
hosts deny = 0.0.0.0/32
auth users = juser
secrets file = /etc/rsync.pass
[sysfile]
path = /etc/
#ignore errors
read only = false
list = false
hosts allow = 10.169.210.223
hosts deny = 0.0.0.0/32
auth users = juser
secrets file = /etc/rsync.pass
④、创建用户认证文件/etc/rsync.pass添加以下内容
juser:juser20160125 #格式,用户名:密码,可以设置多个,每行一个用户名:密码
修改配置文件权限:
chown root.root /etc/rsync.pass
chmod 600 /etc/rsync.pass
⑤、启动rsync
/usr/bin/rsync --daemon --config=/etc/rsyncd.conf
2、从服务器部分
①、创建认证密码文件 /etc/rsync.passc
修改配置文件权限:
chown root.root /etc/rsync.passc
chmod 600 /etc/rsync.passc
②、执行数据同步测试操作:
rsync -avH --port=873 --progress --delete [email protected]:jumpserver --password-file=/etc/rsync.passc /data/jumpservertest/
(命令行中-vzrtopg里的v是verbose,z是压缩,r是recursive,topg都是保持文件原有属性如属主、时间的参数。--progress是指显示出详细的进度情况,--delete是指如果服务器端删除了这一文件,那么客户端也相应把文件删除,保持真正的一致。--exclude "logs/" 表示不对/www/logs目录下的文件进行备份。--exclude "conf/ssl.*/"表示不对/www/conf/ssl.*/目录下的文件进行备份。
[email protected]:jumpserver表示对该命令是对服务器10.44.131.212中的jumpserver模块进行备份)
三、MySQL数据库主主配置
MySQL配置文件(主)
[mysqld]
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
user=mysql
# Disabling symbolic-links is recommended to prevent assorted security risks
symbolic-links=0
wait_timeout=864000
interactive_timeout=864000
server-id = 1
log-bin=mysql-bin
binlog_format=mixed
expire_logs_days=5
[mysqld_safe]
log-error=/var/log/mysqld.log
pid-file=/var/run/mysqld/mysqld.pid
MySQL配置文件(从)
[mysqld]
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
user=mysql
# Disabling symbolic-links is recommended to prevent assorted security risks
symbolic-links=0
server-id = 2
log-bin=mysql-bin
binlog_format=mixed
expire_logs_days=5
[mysqld_safe]
log-error=/var/log/mysqld.log
pid-file=/var/run/mysqld/mysqld.pid
修改配置文件后,重启MySQL:service mysqld restart
分别使用root用户登录两台数据库,执行以下密令进行主从复制授权:
GRANT REPLICATION SLAVE ON *.* TO repl@'10.169.210.223' IDENTIFIED BY 'xiaoniu0125';
GRANT REPLICATION SLAVE ON *.* TO repl@'localhost' IDENTIFIED BY 'xiaoniu0125';
GRANT REPLICATION SLAVE ON *.* TO repl@'%' IDENTIFIED BY 'xiaoniu0125';
flush privileges;
导出数据库数据,并上传到从服务器上执行数据导入:
mysqldump --single-transaction -h127.0.0.1 -ujumpserver -p jumpserver > jumpserver.sql
scp jumpserver.sql [email protected]:/data/
使用jumpserver用户登录从数据库执行数据导入:source /data/jumpserver.sql
使用root用户登录主数据库查看主数据库当前二进制日志信息:show master status \G
使用root用户登录从数据库,执行以下数据同步命令:
change master to master_host='10.44.131.212', master_port=3306, master_user='repl', master_password='xiaoniu0125', master_log_file='mysql-bin.000004', master_log_pos=188397822;
启动数据同步:start slave
查看数据同步状态:show slave status \G
使用root用户登录从数据库查看主数据库当前二进制日志信息:show master status \G
使用root用户登录主数据库,执行以下数据同步命令:
change master to master_host='10.169.210.223', master_port=3306, master_user='repl', master_password='xiaoniu0125', master_log_file='mysql-bin.000004', master_log_pos=188397822;
启动数据同步:start slave
查看数据同步状态:show slave status \G
四、系统用户相关文件、jumpserver相关用户以及key文件备份
1、登录从服务器备份/etc/passwd /etc/shaow /etc/group文件
mv /etc/passwd /etc/passwd_bak
mv /etc/shaow /etc/shaow_bak
mv /etc/group /etc/group_bak
2、登录主服务器并复制/etc/passwd /etc/shaow /etc/group 到从服务器
scp /etc/passwd [email protected]:/etc/
scp /etc/shaow [email protected]:/etc/
scp /etc/group [email protected]:/etc/
3、登录主服务器并复制/home路径下所有文件 到从服务器
scp -r /home/* [email protected]:/home/
3、登录主服务器并复制jumpserver下所有文件 到从服务器
scp -r /jumpserver [email protected]:/data/
4、执行jumpserver安装
yum -y install git python-pip mysql-devel gcc automake autoconf python-devel vim sshpass lrzsz
cd jumpserver/install && pip install -r requirements.txt
python install.py
5、修改相关文件权限,创建change.sh,内容如下:
#!/bin/sh
users=`ls -l /data/jumpserver/keys/user | grep pub | awk '{print $9}' | awk -F . '{print $1}'`
echo $users
for user in $users
do
echo /home/$user
echo /data/jumpserver/keys/user/$user*
/usr/bin/id $user >& /dev/null
result=$?
if [ $result == 0 ];then
echo "开始修改文件用户权限!"
chown $user.$user /home/$user
chown $user.$user /data/jumpserver/keys/user/$user*
result=`echo $?`
if [ $result == 0 ];then
echo [$now_time] "修改用户" $user "目录权限成功" >> /data/jumpserver/logs/jump_cron.log
else
echo [$now_time] "修改用户" $user "目录权限失败" >> /data/jumpserver/logs/jump_cron.log
exit 0
fi
else
echo [$now_time] $user "用户不存在!" >> /data/jumpserver/logs/jump_cron.log
fi
done
exit 0
执行改脚本:sh ./change.sh
6、修改日志文件权限:chmod 777 /data/jumpserver/logs/jumpserver.log
7、创建文件定时同步脚本,jump_cron.sh,内容如下:
#!/bin/sh
##获取当前系统时间
now_time=`date "+%Y-%m-_%d %H:%M:%S"`
##开始同步jumpserve用户以及keys数据
/usr/bin/rsync -avH --port=873 --progress --delete [email protected]::jumpserver --password-file=/etc/rsync.passc /data/jumpserver/keys
result=`echo $?`
if [ $result == 0 ];then
echo [$now_time] "同步jumpserve用户以及keys数据成功" >> /data/jumpserver/logs/jump_cron.log
else
echo [$now_time] "同步jumpserve用户以及keys失败" >> /data/jumpserver/logs/jump_cron.log
exit 0
fi
##同步系统用户数据
/usr/bin/rsync -avH --port=873 --progress --delete [email protected]::home --password-file=/etc/rsync.passc /home
result=`echo $?`
if [ $result == 0 ];then
echo [$now_time] "同步系统用户数据成功" >> /data/jumpserver/logs/jump_cron.log
else
echo [$now_time] "同步系统用户失败" >> /data/jumpserver/logs/jump_cron.log
exit 0
fi
##同步shaow passwd group文件
/usr/bin/rsync -avH --port=873 --progress --delete --include 'shaow' --include 'passwd' --include 'group' --exclude '*' [email protected]::sysfile --password-file=/etc/rsync.passc /etc/
result=`echo $?`
if [ $result == 0 ];then
echo [$now_time] "同步shaow passwd group文件成功" >> /data/jumpserver/logs/jump_cron.log
else
echo [$now_time] "同步shaow passwd group文件失败" >> /data/jumpserver/logs/jump_cron.log
exit 0
fi
##获取当前用户信息用于修改相关文件权限
users=`ls -l /data/jumpserver/keys/user | grep pub | awk '{print $9}' | awk -F . '{print $1}'`
echo $users
for user in $users
do
echo /home/$user
echo /data/jumpserver/keys/user/$user*
/usr/bin/id $user >& /dev/null
result=$?
if [ $result == 0 ];then
echo "开始修改文件用户权限!"
chown $user.$user /home/$user
chown $user.$user /data/jumpserver/keys/user/$user*
result=`echo $?`
if [ $result == 0 ];then
echo [$now_time] "修改用户" $user "目录权限成功" >> /data/jumpserver/logs/jump_cron.log
else
echo [$now_time] "修改用户" $user "目录权限失败" >> /data/jumpserver/logs/jump_cron.log
exit 0
fi
else
echo [$now_time] $user "用户不存在!" >> /data/jumpserver/logs/jump_cron.log
fi
done
exit 0
8、创建定时任务,5分钟执行一次数据同步操作crontab -e:
*/5 * * * * /bin/sh /data/jumpserver/jump_cron.sh >> /dev/null 2>&1
9、启动jumpserver:
./service.sh start