Jumpserver双机高可用环境部署笔记
以前在IDC部署了Jumpserver堡垒机环境,做为登录线上服务器的统一入口。后面运行一段时间后,发现Jumpserver服务器的CPU负载使用率高达80%以上,主要是python程序对CPU的消耗比较大,因为是单机部署,处于安全考虑,急须要部署一套Jumpserver双机高可用环境,实现LB+HA的下降负载和故障转移的目的。如下记录了环境部署的过程:html
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
|
以下进行调整后,以前的jumpserver用户名、秘钥、密码等信息都不会变,只须要将
ssh
链接的地址改成
ssh
端口负载均衡的vip地址便可!
也就是说对于用户来讲,只须要修改登陆ip地址,其余的都不受影响!
1)环境准备
192.168.10.20 以前的单机版jumpserver,做为master主机
192.168.10.21 新加的jumpserver,做为slave从机
jumpserver机器的
ssh
端口统一调整为8888
web访问的80端口负载是7层负载,经过Nginx+keepalived实现,域名为jump.kevin-inc.com
ssh
端口的负载是4层负载,也能够经过nginx的stream实现,(我在线上用的nginx+keepalived负载层并无安装stream模块,为了避免影响线上业务,另配置了lvs+keepalived)
2)部署jumpserver备机(192.168.10.21)的jumpserver环境
参考:http:
//www
.cnblogs.com
/kevingrace/p/5570279
.html
3)配置jumpserver主机和备机的mysql主主同步环境(先将master主机的jumpserver库数据同步到slave主机的mysql里面)
参考这篇文章中的mysql主主同步配置:http:
//www
.cnblogs.com
/kevingrace/p/6710136
.html
4)同步文件,使用
rsync
+inotify实时同步,或使用
rsync
+
crontab
短期定时同步(须要提早作192.168.10.20和192.168.10.21两台机器的
ssh
无密码登录的信任关系)
同步系统文件
/etc/passwd
、
/etc/shaow
、
/etc/group
文件
同步jumpserver相关用户以及key文件:jumpserver
/keys
同步用户家目录的home目录
注意:为了防止文件被强行覆盖掉,这里只能作单方向的文件同步,不能作双向同步,不然会出现:在其中一台机器的jumpserver界面里建立好用户后,可是在jumpserver服务器上的
/etc/passwd
文件里却没有该用户信息,由于被对方机器的同步强行覆盖掉了。
正确的作法:
在192.168.10.20机器上作
rsync
+
crontab
同步(10秒同步一次),另外一台机器192.168.10.21不作同步;
登录http:
//192
.168.10.20的jumpserver界面建立用户,这样用户信息很快就会被同步到另外一台机器上了(注意:建立用户要在http:
//192
.168.10.20的jumpserver界面里建立)
[root@jumpserver01 ~]
# crontab -l
.........
* * * * *
/usr/bin/rsync
-e
"ssh -p8888"
-avpgolr
/etc/passwd
root@192.168.10.21:
/etc/
>
/dev/null
2>&1
* * * * *
sleep
10;
/usr/bin/rsync
-e
"ssh -p8888"
-avpgolr
/etc/passwd
root@192.168.10.21:
/etc/
>
/dev/null
2>&1
* * * * *
sleep
20;
/usr/bin/rsync
-e
"ssh -p8888"
-avpgolr
/etc/passwd
root@192.168.10.21:
/etc/
>
/dev/null
2>&1
* * * * *
sleep
30;
/usr/bin/rsync
-e
"ssh -p8888"
-avpgolr
/etc/passwd
root@192.168.10.21:
/etc/
>
/dev/null
2>&1
* * * * *
sleep
40;
/usr/bin/rsync
-e
"ssh -p8888"
-avpgolr
/etc/passwd
root@192.168.10.21:
/etc/
>
/dev/null
2>&1
* * * * *
sleep
50;
/usr/bin/rsync
-e
"ssh -p8888"
-avpgolr
/etc/passwd
root@192.168.10.21:
/etc/
>
/dev/null
2>&1
* * * * *
/usr/bin/rsync
-e
"ssh -p8888"
-avpgolr
/etc/shadow
root@192.168.10.21:
/etc/
>
/dev/null
2>&1
* * * * *
sleep
10;
/usr/bin/rsync
-e
"ssh -p8888"
-avpgolr
/etc/shadow
root@192.168.10.21:
/etc/
>
/dev/null
2>&1
* * * * *
sleep
20;
/usr/bin/rsync
-e
"ssh -p8888"
-avpgolr
/etc/shadow
root@192.168.10.21:
/etc/
>
/dev/null
2>&1
* * * * *
sleep
30;
/usr/bin/rsync
-e
"ssh -p8888"
-avpgolr
/etc/shadow
root@192.168.10.21:
/etc/
>
/dev/null
2>&1
* * * * *
sleep
40;
/usr/bin/rsync
-e
"ssh -p8888"
-avpgolr
/etc/shadow
root@192.168.10.21:
/etc/
>
/dev/null
2>&1
* * * * *
sleep
50;
/usr/bin/rsync
-e
"ssh -p8888"
-avpgolr
/etc/shadow
root@192.168.10.21:
/etc/
>
/dev/null
2>&1
* * * * *
/usr/bin/rsync
-e
"ssh -p8888"
-avpgolr
/etc/group
root@192.168.10.21:
/etc/
>
/dev/null
2>&1
* * * * *
sleep
10;
/usr/bin/rsync
-e
"ssh -p8888"
-avpgolr
/etc/group
root@192.168.10.21:
/etc/
>
/dev/null
2>&1
* * * * *
sleep
20;
/usr/bin/rsync
-e
"ssh -p8888"
-avpgolr
/etc/group
root@192.168.10.21:
/etc/
>
/dev/null
2>&1
* * * * *
sleep
30;
/usr/bin/rsync
-e
"ssh -p8888"
-avpgolr
/etc/group
root@192.168.10.21:
/etc/
>
/dev/null
2>&1
* * * * *
sleep
40;
/usr/bin/rsync
-e
"ssh -p8888"
-avpgolr
/etc/group
root@192.168.10.21:
/etc/
>
/dev/null
2>&1
* * * * *
sleep
50;
/usr/bin/rsync
-e
"ssh -p8888"
-avpgolr
/etc/group
root@192.168.10.21:
/etc/
>
/dev/null
2>&1
* * * * *
/usr/bin/rsync
-e
"ssh -p8888"
-avpgolr
/data/jumpserver/keys/
192.168.10.21:
/data/jumpserver/keys/
>
/dev/null
2>&1
* * * * *
sleep
10;
/usr/bin/rsync
-e
"ssh -p8888"
-avpgolr
/data/jumpserver/keys/
192.168.10.21:
/data/jumpserver/keys/
>
/dev/null
2>&1
* * * * *
sleep
20;
/usr/bin/rsync
-e
"ssh -p8888"
-avpgolr
/data/jumpserver/keys/
192.168.10.21:
/data/jumpserver/keys/
>
/dev/null
2>&1
* * * * *
sleep
30;
/usr/bin/rsync
-e
"ssh -p8888"
-avpgolr
/data/jumpserver/keys/
192.168.10.21:
/data/jumpserver/keys/
>
/dev/null
2>&1
* * * * *
sleep
40;
/usr/bin/rsync
-e
"ssh -p8888"
-avpgolr
/data/jumpserver/keys/
192.168.10.21:
/data/jumpserver/keys/
>
/dev/null
2>&1
* * * * *
sleep
50;
/usr/bin/rsync
-e
"ssh -p8888"
-avpgolr
/data/jumpserver/keys/
192.168.10.21:
/data/jumpserver/keys/
>
/dev/null
2>&1
* * * * *
/usr/bin/rsync
-e
"ssh -p8888"
-avpgolr
/home/
192.168.10.21:
/home/
>
/dev/null
2>&1
* * * * *
sleep
10;
/usr/bin/rsync
-e
"ssh -p8888"
-avpgolr
/home/
192.168.10.21:
/home/
>
/dev/null
2>&1
* * * * *
sleep
20;
/usr/bin/rsync
-e
"ssh -p8888"
-avpgolr
/home/
192.168.10.21:
/home/
>
/dev/null
2>&1
* * * * *
sleep
30;
/usr/bin/rsync
-e
"ssh -p8888"
-avpgolr
/home/
192.168.10.21:
/home/
>
/dev/null
2>&1
* * * * *
sleep
40;
/usr/bin/rsync
-e
"ssh -p8888"
-avpgolr
/home/
192.168.10.21:
/home/
>
/dev/null
2>&1
* * * * *
sleep
50;
/usr/bin/rsync
-e
"ssh -p8888"
-avpgolr
/home/
192.168.10.21:
/home/
>
/dev/null
2>&1
而后重启两台机器的jumpserver服务。
5)web访问的80端口负载均衡配置。访问地址是http:
//jump
.kevin-inc.com
参考:http:
//www
.cnblogs.com
/kevingrace/p/6138185
.html
[root@inner-lb01 ~]
# cat /data/nginx/conf/vhosts/jump.kevin-inc.com.conf
upstream jump-inc {
server 192.168.10.20:80 max_fails=3 fail_timeout=10s;
server 192.168.10.21:80 max_fails=3 fail_timeout=10s;
}
server {
listen 80;
server_name jump.kevin-inc.com;
access_log
/data/nginx/logs/jump
.kevin-inc.com-access.log main;
error_log
/data/nginx/logs/jump
.kevin-inc.com-error.log;
location / {
proxy_pass http:
//jump-inc
;
proxy_redirect off ;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header REMOTE-HOST $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_connect_timeout 300;
proxy_send_timeout 300;
proxy_read_timeout 600;
proxy_buffer_size 256k;
proxy_buffers 4 256k;
proxy_busy_buffers_size 256k;
proxy_temp_file_write_size 256k;
proxy_next_upstream error timeout invalid_header http_502 http_503 http_504;
proxy_max_temp_file_size 128m;
#proxy_cache mycache;
#proxy_cache_valid 200 302 1h;
#proxy_cache_valid 301 1d;
#proxy_cache_valid any 1m;
}
}
6)
ssh
登录的8888端口的负载均衡配置
lvs+keepalived的配置参考:http:
//www
.cnblogs.com
/kevingrace/p/5570500
.html
两台lvs配置以下(vip为10.0.8.24)
[root@jump-lvs01 ~]
# cat /etc/keepalived/keepalived.conf
! Configuration File
for
keepalived
global_defs {
router_id LVS_Master
}
vrrp_instance VI_1 {
state MASTER
interface eth0
virtual_router_id 51
priority 100
advert_int 1
authentication {
auth_type PASS
auth_pass 1111
}
virtual_ipaddress {
192.168.10.24
}
}
virtual_server 192.168.10.24 8888 {
delay_loop 6
lb_algo wrr
lb_kind DR
#nat_mask 255.255.255.0
persistence_timeout 600
protocol TCP
real_server 192.168.10.20 8888 {
weight 3
TCP_CHECK {
connect_timeout 3
nb_get_retry 3
delay_before_retry 3
connect_port 8888
}
}
real_server 192.168.10.21 8888 {
weight 3
TCP_CHECK {
connect_timeout 3
nb_get_retry 3
delay_before_retry 3
connect_port 8888
}
}
}
[root@jump-lvs02 ~]
# cat /etc/keepalived/keepalived.conf
! Configuration File
for
keepalived
global_defs {
router_id LVS_Backup
}
vrrp_instance VI_1 {
state BACKUP
interface eth0
virtual_router_id 51
priority 90
advert_int 1
authentication {
auth_type PASS
auth_pass 1111
}
virtual_ipaddress {
192.168.10.24
}
}
virtual_server 192.168.10.24 8888 {
delay_loop 6
lb_algo wrr
lb_kind DR
#nat_mask 255.255.255.0
persistence_timeout 600
protocol TCP
real_server 192.168.10.20 8888 {
weight 3
TCP_CHECK {
connect_timeout 3
nb_get_retry 3
delay_before_retry 3
connect_port 8888
}
}
real_server 192.168.10.21 8888 {
weight 3
TCP_CHECK {
connect_timeout 3
nb_get_retry 3
delay_before_retry 3
connect_port 8888
}
}
}
在xshell客户端登录堡垒机,堡垒机的地址能够是192.168.10.20、192.168.10.2一、192.168.10.24,三个地址均可以
|
转载散尽浮华python
相关文章
- 1. Jumpserver双机高可用环境部署笔记
- 2. 部署Jumpserver环境
- 3. Centos下SFTP双机高可用环境部署记录
- 4. DRBD+Heartbeat+Mysql高可用环境部署
- 5. consul安装配置,生产环境部署高可用环境
- 6. MySQL高可用方案-PXC环境部署记录
- 7. MySQL高可用架构-MHA环境部署记录
- 8. Redis+Keepalived高可用环境部署记录
- 9. MySQL高可用架构-MMM环境部署记录
- 10. MySQL 高可用方案-PXC环境部署记录
- 更多相关文章...
- • Maven 自动化部署 - Maven教程
- • C# 环境 - C#教程
- • Tomcat学习笔记(史上最全tomcat学习笔记)
- • 使用阿里云OSS+CDN部署前端页面与加速静态资源
相关标签/搜索
每日一句
-
每一个你不满意的现在,都有一个你没有努力的曾经。
最新文章
- 1. CVPR 2020 论文大盘点-光流篇
- 2. Photoshop教程_ps中怎么载入图案?PS图案如何导入?
- 3. org.pentaho.di.core.exception.KettleDatabaseException:Error occurred while trying to connect to the
- 4. SonarQube Scanner execution execution Error --- Failed to upload report - 500: An error has occurred
- 5. idea 导入源码包
- 6. python学习 day2——基础学习
- 7. 3D将是页游市场新赛道?
- 8. osg--交互
- 9. OSG-交互
- 10. Idea、spring boot 图片(pgn显示、jpg不显示)解决方案
欢迎关注本站公众号,获取更多信息
