Jumpserver Dual-Node High Availability Deployment Notes
阿新 • Posted: 2018-04-01
I had earlier deployed a Jumpserver bastion host in the IDC as the single entry point for logging in to production servers. After it had been running for a while, I found the Jumpserver host's CPU utilisation above 80%, mostly from the Python processes. Since it was a single-node deployment, for safety reasons I urgently needed a dual-node high-availability Jumpserver setup, i.e. LB + HA, to reduce the load and provide failover. The deployment process is recorded below:
After the adjustments below, the existing Jumpserver usernames, keys and passwords are unchanged; only the SSH connection address has to change to the VIP that load-balances the SSH port.
In other words, users only need to change the login IP address; nothing else is affected.
1) Environment
192.168.10.20  the existing single-node Jumpserver, used as the master
192.168.10.21  the newly added Jumpserver, used as the slave
The SSH port on both Jumpserver hosts is changed to 8888
Load balancing of port 80 for web access is layer 7, done with Nginx + keepalived; the domain is jump.kevin-inc.com
Load balancing of the SSH port is layer 4. It could also be done with nginx's stream module, but the nginx + keepalived load-balancing layer I use in production was built without the stream module, so to avoid affecting production traffic I set up a separate lvs + keepalived pair.
2) Deploy the Jumpserver environment on the slave (192.168.10.21)
Reference: http://www.cnblogs.com/kevingrace/p/5570279.html
3) Configure MySQL master-master replication between the Jumpserver master and slave (first copy the master's jumpserver database into the slave's MySQL)
Refer to the MySQL master-master replication section of this article: http://www.cnblogs.com/kevingrace/p/6710136.html
4) Synchronise files, either in real time with rsync + inotify or on a short cron schedule with rsync + crontab (passwordless SSH trust between 192.168.10.20 and 192.168.10.21 must be set up first)
Sync the system files /etc/passwd, /etc/shadow and /etc/group
Sync the Jumpserver users and key files: jumpserver/keys
Sync the users' home directories under /home
Note: to prevent files from being forcibly overwritten, the sync here must be one-way only, never bidirectional. Otherwise, after creating a user in one host's Jumpserver web UI, that user will be missing from /etc/passwd on the Jumpserver server, because the sync from the other host overwrote the file.
The correct approach:
Run the rsync + crontab sync (every 10 seconds) on 192.168.10.20; do not run any sync on 192.168.10.21;
Log in to the Jumpserver web UI at http://192.168.10.20 to create users, and the user information is synced to the other host almost immediately (note: users must be created in the web UI at http://192.168.10.20).
[root@jumpserver01 ~]# crontab -l
.........
* * * * * /usr/bin/rsync -e "ssh -p8888" -avpgolr /etc/passwd 192.168.10.21:/etc/ > /dev/null 2>&1
* * * * * sleep 10; /usr/bin/rsync -e "ssh -p8888" -avpgolr /etc/passwd 192.168.10.21:/etc/ > /dev/null 2>&1
* * * * * sleep 20; /usr/bin/rsync -e "ssh -p8888" -avpgolr /etc/passwd 192.168.10.21:/etc/ > /dev/null 2>&1
* * * * * sleep 30; /usr/bin/rsync -e "ssh -p8888" -avpgolr /etc/passwd 192.168.10.21:/etc/ > /dev/null 2>&1
* * * * * sleep 40; /usr/bin/rsync -e "ssh -p8888" -avpgolr /etc/passwd 192.168.10.21:/etc/ > /dev/null 2>&1
* * * * * sleep 50; /usr/bin/rsync -e "ssh -p8888" -avpgolr /etc/passwd 192.168.10.21:/etc/ > /dev/null 2>&1
* * * * * /usr/bin/rsync -e "ssh -p8888" -avpgolr /etc/shadow 192.168.10.21:/etc/ > /dev/null 2>&1
* * * * * sleep 10; /usr/bin/rsync -e "ssh -p8888" -avpgolr /etc/shadow 192.168.10.21:/etc/ > /dev/null 2>&1
* * * * * sleep 20; /usr/bin/rsync -e "ssh -p8888" -avpgolr /etc/shadow 192.168.10.21:/etc/ > /dev/null 2>&1
* * * * * sleep 30; /usr/bin/rsync -e "ssh -p8888" -avpgolr /etc/shadow 192.168.10.21:/etc/ > /dev/null 2>&1
* * * * * sleep 40; /usr/bin/rsync -e "ssh -p8888" -avpgolr /etc/shadow 192.168.10.21:/etc/ > /dev/null 2>&1
* * * * * sleep 50; /usr/bin/rsync -e "ssh -p8888" -avpgolr /etc/shadow 192.168.10.21:/etc/ > /dev/null 2>&1
* * * * * /usr/bin/rsync -e "ssh -p8888" -avpgolr /etc/group 192.168.10.21:/etc/ > /dev/null 2>&1
* * * * * sleep 10; /usr/bin/rsync -e "ssh -p8888" -avpgolr /etc/group 192.168.10.21:/etc/ > /dev/null 2>&1
* * * * * sleep 20; /usr/bin/rsync -e "ssh -p8888" -avpgolr /etc/group 192.168.10.21:/etc/ > /dev/null 2>&1
* * * * * sleep 30; /usr/bin/rsync -e "ssh -p8888" -avpgolr /etc/group 192.168.10.21:/etc/ > /dev/null 2>&1
* * * * * sleep 40; /usr/bin/rsync -e "ssh -p8888" -avpgolr /etc/group 192.168.10.21:/etc/ > /dev/null 2>&1
* * * * * sleep 50; /usr/bin/rsync -e "ssh -p8888" -avpgolr /etc/group 192.168.10.21:/etc/ > /dev/null 2>&1
* * * * * /usr/bin/rsync -e "ssh -p8888" -avpgolr /data/jumpserver/keys/ 192.168.10.21:/data/jumpserver/keys/ > /dev/null 2>&1
* * * * * sleep 10; /usr/bin/rsync -e "ssh -p8888" -avpgolr /data/jumpserver/keys/ 192.168.10.21:/data/jumpserver/keys/ > /dev/null 2>&1
* * * * * sleep 20; /usr/bin/rsync -e "ssh -p8888" -avpgolr /data/jumpserver/keys/ 192.168.10.21:/data/jumpserver/keys/ > /dev/null 2>&1
* * * * * sleep 30; /usr/bin/rsync -e "ssh -p8888" -avpgolr /data/jumpserver/keys/ 192.168.10.21:/data/jumpserver/keys/ > /dev/null 2>&1
* * * * * sleep 40; /usr/bin/rsync -e "ssh -p8888" -avpgolr /data/jumpserver/keys/ 192.168.10.21:/data/jumpserver/keys/ > /dev/null 2>&1
* * * * * sleep 50; /usr/bin/rsync -e "ssh -p8888" -avpgolr /data/jumpserver/keys/ 192.168.10.21:/data/jumpserver/keys/ > /dev/null 2>&1
* * * * * /usr/bin/rsync -e "ssh -p8888" -avpgolr /home/ 192.168.10.21:/home/ > /dev/null 2>&1
* * * * * sleep 10; /usr/bin/rsync -e "ssh -p8888" -avpgolr /home/ 192.168.10.21:/home/ > /dev/null 2>&1
* * * * * sleep 20; /usr/bin/rsync -e "ssh -p8888" -avpgolr /home/ 192.168.10.21:/home/ > /dev/null 2>&1
* * * * * sleep 30; /usr/bin/rsync -e "ssh -p8888" -avpgolr /home/ 192.168.10.21:/home/ > /dev/null 2>&1
* * * * * sleep 40; /usr/bin/rsync -e "ssh -p8888" -avpgolr /home/ 192.168.10.21:/home/ > /dev/null 2>&1
* * * * * sleep 50; /usr/bin/rsync -e "ssh -p8888" -avpgolr /home/ 192.168.10.21:/home/ > /dev/null 2>&1
Then restart the jumpserver service on both hosts.
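As an added example (not the post's own script), the POSIX shell script below does the same one-way push as the crontab above from a single cron entry, with a lock so that a slow rsync of /home cannot overlap the next run, and adds a drift check. The slave address, SSH port, lock path and install path are assumptions set at the top. The drift check also covers the SSH host public keys, which the crontab above does not copy: SSH clients record the host key per address and port, so if the two backends behind the SSH VIP carry different host keys, a login through the VIP lands on whichever backend LVS picks and trips a changed-host-key warning; keeping the host keys identical on both nodes avoids that.

```shell
#!/bin/sh
# Added example, not from the original post: one-way Jumpserver file sync
# (master -> slave) with a lock, plus a drift check between the two hosts.
# Assumptions (adjust for your site): the slave is reachable as SLAVE on
# SSH port SSH_PORT with key-based auth for the user running cron.
SLAVE="${SLAVE:-192.168.10.21}"
SSH_PORT="${SSH_PORT:-8888}"
LOCK_DIR="${LOCK_DIR:-/var/run/jumpserver-sync.lock}"

# Paths that may only flow master -> slave (trailing slash keeps rsync's
# "contents of directory" semantics, as in the original crontab).
SYNC_PATHS="/etc/passwd /etc/shadow /etc/group /data/jumpserver/keys/ /home/"

# Files compared by the drift check, relative to / on each host. The host
# public keys are included so a VIP login never sees a changed host key.
CHECK_FILES="etc/passwd etc/shadow etc/group etc/ssh/ssh_host_rsa_key.pub etc/ssh/ssh_host_ed25519_key.pub"

# mkdir is atomic, so it works as a portable lock; fails if another run holds it.
lock_acquire() { mkdir "$1" 2>/dev/null; }
lock_release() { rmdir "$1" 2>/dev/null || true; }

# Push every path in SYNC_PATHS to the slave; never pull anything back.
sync_all() {
    lock_acquire "$LOCK_DIR" || { echo "sync already running" >&2; return 1; }
    for p in $SYNC_PATHS; do
        rsync -e "ssh -p$SSH_PORT" -avpgolr "$p" "$SLAVE:$p" >/dev/null 2>&1 \
            || echo "rsync failed for $p" >&2
    done
    lock_release "$LOCK_DIR"
}

# Copy the slave's versions of CHECK_FILES into a local staging directory.
pull_slave_copy() {
    for f in $CHECK_FILES; do
        mkdir -p "$1/$(dirname "$f")"
        scp -q -P "$SSH_PORT" "$SLAVE:/$f" "$1/$f"
    done
}

# Compare CHECK_FILES under two roots (e.g. / and the staging directory).
# Prints one line per problem on stderr and the number of drifted files on stdout.
count_drift() {
    n=0
    for f in $CHECK_FILES; do
        if [ ! -f "$1/$f" ] || [ ! -f "$2/$f" ]; then
            echo "missing: $f" >&2; n=$((n + 1))
        elif ! cmp -s "$1/$f" "$2/$f"; then
            echo "differs: $f" >&2; n=$((n + 1))
        fi
    done
    echo "$n"
}

# Command-line entry points: --sync from cron on the master, --check by hand.
case "${1:-}" in
    --sync)  sync_all ;;
    --check) d="${2:-/tmp/slave-copy}"; pull_slave_copy "$d"; count_drift / "$d" ;;
esac
```

Install it on the master only, as one crontab entry such as `* * * * * /usr/local/sbin/jumpserver-sync.sh --sync` (path assumed), and run `--check` after changes. A non-zero drift count means a user, key or host key differs between the two nodes; anything created on the slave will be overwritten by the next push, which is exactly the failure the note above warns about.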
5) Load balancing of port 80 for web access. The access address is http://jump.kevin-inc.com
Reference: http://www.cnblogs.com/kevingrace/p/6138185.html
[root@inner-lb01 ~]# cat /data/nginx/conf/vhosts/jump.kevin-inc.com.conf
upstream jump-inc {
server 192.168.10.20:80 max_fails=3 fail_timeout=10s;
server 192.168.10.21:80 max_fails=3 fail_timeout=10s;
}
server {
listen 80;
server_name jump.kevin-inc.com;
access_log /data/nginx/logs/jump.kevin-inc.com-access.log main;
error_log /data/nginx/logs/jump.kevin-inc.com-error.log;
location / {
proxy_pass http://jump-inc;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header REMOTE-HOST $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_connect_timeout 300;
proxy_send_timeout 300;
proxy_read_timeout 600;
proxy_buffer_size 256k;
proxy_buffers 4 256k;
proxy_busy_buffers_size 256k;
proxy_temp_file_write_size 256k;
proxy_next_upstream error timeout invalid_header http_502 http_503 http_504;
proxy_max_temp_file_size 128m;
#proxy_cache mycache;
#proxy_cache_valid 200 302 1h;
#proxy_cache_valid 301 1d;
#proxy_cache_valid any 1m;
}
}
6) Load balancing of SSH port 8888
For the lvs + keepalived setup see: http://www.cnblogs.com/kevingrace/p/5570500.html
The two LVS nodes are configured as follows (the VIP is 10.0.8.24)
[root@jump-lvs01 ~]# cat /etc/keepalived/keepalived.conf
! Configuration File for keepalived
global_defs {
router_id LVS_Master
}
vrrp_instance VI_1 {
state MASTER
interface eth0
virtual_router_id 51
priority 100
advert_int 1
authentication {
auth_type PASS
auth_pass 1111
}
virtual_ipaddress {
192.168.10.24
}
}
virtual_server 192.168.10.24 8888 {
delay_loop 6
lb_algo wrr
lb_kind DR
#nat_mask 255.255.255.0
persistence_timeout 600
protocol TCP
real_server 192.168.10.20 8888 {
weight 3
TCP_CHECK {
connect_timeout 3
nb_get_retry 3
delay_before_retry 3
connect_port 8888
}
}
real_server 192.168.10.21 8888 {
weight 3
TCP_CHECK {
connect_timeout 3
nb_get_retry 3
delay_before_retry 3
connect_port 8888
}
}
}
[root@jump-lvs02 ~]# cat /etc/keepalived/keepalived.conf
! Configuration File for keepalived
global_defs {
router_id LVS_Backup
}
vrrp_instance VI_1 {
state BACKUP
interface eth0
virtual_router_id 51
priority 90
advert_int 1
authentication {
auth_type PASS
auth_pass 1111
}
virtual_ipaddress {
192.168.10.24
}
}
virtual_server 192.168.10.24 8888 {
delay_loop 6
lb_algo wrr
lb_kind DR
#nat_mask 255.255.255.0
persistence_timeout 600
protocol TCP
real_server 192.168.10.20 8888 {
weight 3
TCP_CHECK {
connect_timeout 3
nb_get_retry 3
delay_before_retry 3
connect_port 8888
}
}
real_server 192.168.10.21 8888 {
weight 3
TCP_CHECK {
connect_timeout 3
nb_get_retry 3
delay_before_retry 3
connect_port 8888
}
}
}
Log in to the bastion host from an Xshell client; the bastion address can be 192.168.10.20, 192.168.10.21 or 192.168.10.24, and all three work.
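As an added example (not from the original post): the two keepalived.conf files above are meant to differ only in router_id, state and priority. A copy-and-paste slip in virtual_router_id, the VIP or auth_pass leaves the pair unable to agree on who owns the VIP, and equal priorities or two MASTER states make the VIP flap between the nodes. The POSIX shell script below lints a MASTER/BACKUP pair for exactly those mistakes before rollout; the file paths are whatever you pass as arguments. One caveat the post does not cover: with lb_kind DR, each real server must also hold the VIP on a loopback interface and suppress ARP replies for it, otherwise the director forwards packets that the real servers discard.

```shell
#!/bin/sh
# Added example, not from the original post: consistency check for a
# MASTER/BACKUP pair of keepalived.conf files (VRRP + LVS virtual_server).

# Print the first value of a top-level keyword, e.g. "priority 100" -> 100.
kc_get() { awk -v k="$2" '$1 == k { print $2; exit }' "$1"; }

# Print the address declared inside the virtual_ipaddress block.
kc_vip() { awk '/virtual_ipaddress/ { getline; print $1; exit }' "$1"; }

# Print "ip port" of every real_server, sorted, so two files can be compared.
kc_real_servers() { awk '$1 == "real_server" { print $2, $3 }' "$1" | sort | tr '\n' ' '; }

# Returns 0 when master ($1) and backup ($2) agree; prints each problem on stderr.
keepalived_pair_check() {
    m="$1"; b="$2"; bad=0
    [ "$(kc_get "$m" state)" = MASTER ] || { echo "$m: state is not MASTER" >&2; bad=1; }
    [ "$(kc_get "$b" state)" = BACKUP ] || { echo "$b: state is not BACKUP" >&2; bad=1; }
    # Both nodes must share the VRRP instance id, the VIP and the VRRP password.
    for k in virtual_router_id auth_pass; do
        [ "$(kc_get "$m" "$k")" = "$(kc_get "$b" "$k")" ] \
            || { echo "$k differs between the two files" >&2; bad=1; }
    done
    [ "$(kc_vip "$m")" = "$(kc_vip "$b")" ] || { echo "VIP differs" >&2; bad=1; }
    # The LVS virtual_server must advertise the same VIP that VRRP floats.
    for f in "$m" "$b"; do
        [ "$(kc_get "$f" virtual_server)" = "$(kc_vip "$f")" ] \
            || { echo "$f: virtual_server address is not the VIP" >&2; bad=1; }
    done
    # Strictly higher MASTER priority is what makes failback deterministic.
    [ "$(kc_get "$m" priority)" -gt "$(kc_get "$b" priority)" ] 2>/dev/null \
        || { echo "MASTER priority must exceed BACKUP priority" >&2; bad=1; }
    [ "$(kc_real_servers "$m")" = "$(kc_real_servers "$b")" ] \
        || { echo "real_server sets differ" >&2; bad=1; }
    return $bad
}

# Usage: keepalived-pair-check.sh master.conf backup.conf
if [ $# -eq 2 ]; then
    keepalived_pair_check "$1" "$2" && echo "keepalived pair is consistent"
fi
```

Run it against the two files before copying them to jump-lvs01 and jump-lvs02; a non-zero exit with the printed reason is cheaper to find here than as a VIP that silently never fails over.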