Jumpserver dual-node high-availability deployment notes


    I had previously deployed a Jumpserver bastion host in the IDC as the single entry point for logging in to production servers. After it had been running for a while, the CPU load on the Jumpserver server was consistently above 80%, most of it consumed by the Python processes. Since it was a single-node deployment, for safety reasons I urgently needed a two-node Jumpserver high-availability setup, achieving both load reduction (LB) and failover (HA). The deployment process is recorded below:

    After the adjustments below, existing Jumpserver usernames, keys and passwords do not change; users only need to point their SSH client at the VIP of the SSH port load balancer instead of the old address.
    In other words, for users only the login IP address changes; everything else is unaffected.
        
    1) Environment preparation
    192.168.10.20   the existing single-node Jumpserver, used as the master
    192.168.10.21   the newly added Jumpserver, used as the slave (standby)
        
    The SSH port on both Jumpserver machines is changed to 8888.
    Web access on port 80 is load-balanced at layer 7 with Nginx+keepalived under the domain jump.kevin-inc.com.
    The SSH port is load-balanced at layer 4. This could also be done with the Nginx stream module, but the Nginx+keepalived load-balancing tier in production was built without the stream module, so to avoid touching production I set up a separate lvs+keepalived pair.
        
    2) Deploy the Jumpserver environment on the standby machine (192.168.10.21)
    Reference: http://www.cnblogs.com/kevingrace/p/5570279.html
        
    3) Configure MySQL master-master replication between the Jumpserver master and standby (first copy the master's jumpserver database into the standby's MySQL)
    See the MySQL master-master replication section of: http://www.cnblogs.com/kevingrace/p/6710136.html
        
    4) Synchronize files, either in real time with rsync+inotify or at a short interval with rsync+crontab (passwordless SSH trust from 192.168.10.20 to 192.168.10.21 has to be set up beforehand)
       System account files: /etc/passwd, /etc/shadow, /etc/group
       Jumpserver user key files: jumpserver/keys
       User home directories under /home
     
    Note: to keep files from being overwritten, the sync can only run in one direction; a bidirectional sync must not be used. Otherwise, after a user is created in the Jumpserver web UI on one machine, /etc/passwd on that same server ends up without the user,
    because the sync coming from the other machine has just overwritten the file.
     
    Three further points follow from pushing whole files this way. Because /etc/passwd, /etc/shadow and /etc/group are replaced wholesale, the two hosts must have an identical set of local system accounts and UIDs before the first push, or the standby loses or remaps accounts of its own. The SSH key the cron job uses is a root login on the standby, so restrict it in the standby's /root/.ssh/authorized_keys (for example with a from="192.168.10.20" option) instead of reusing root's general-purpose key. And since users reach sshd on either node through the same VIP, the SSH host keys under /etc/ssh must be identical on both nodes (copy them from the master once and restart sshd on the standby), otherwise clients alternately see a host-key-changed warning.
     
    The correct approach:
    Run rsync+crontab (every 10 seconds) on 192.168.10.20 only; 192.168.10.21 runs no sync job.
    Create users by logging in to the Jumpserver UI at http://192.168.10.20; the user information is then pushed to the other machine within seconds (note: users must be created in the UI at http://192.168.10.20, not on the standby).
     
    [root@jumpserver01 ~]# crontab -l
    .........
     
    # one-way push from the master (192.168.10.20) to the standby (192.168.10.21); the standby runs no sync job
    * * * * * /usr/bin/rsync -e "ssh -p8888" -avpgolr /etc/passwd root@192.168.10.21:/etc/ > /dev/null 2>&1
    * * * * * sleep 10;/usr/bin/rsync -e "ssh -p8888" -avpgolr /etc/passwd root@192.168.10.21:/etc/ > /dev/null 2>&1
    * * * * * sleep 20;/usr/bin/rsync -e "ssh -p8888" -avpgolr /etc/passwd root@192.168.10.21:/etc/ > /dev/null 2>&1
    * * * * * sleep 30;/usr/bin/rsync -e "ssh -p8888" -avpgolr /etc/passwd root@192.168.10.21:/etc/ > /dev/null 2>&1
    * * * * * sleep 40;/usr/bin/rsync -e "ssh -p8888" -avpgolr /etc/passwd root@192.168.10.21:/etc/ > /dev/null 2>&1
    * * * * * sleep 50;/usr/bin/rsync -e "ssh -p8888" -avpgolr /etc/passwd root@192.168.10.21:/etc/ > /dev/null 2>&1
     
    * * * * * /usr/bin/rsync -e "ssh -p8888" -avpgolr /etc/shadow root@192.168.10.21:/etc/ > /dev/null 2>&1
    * * * * * sleep 10;/usr/bin/rsync -e "ssh -p8888" -avpgolr /etc/shadow root@192.168.10.21:/etc/ > /dev/null 2>&1
    * * * * * sleep 20;/usr/bin/rsync -e "ssh -p8888" -avpgolr /etc/shadow root@192.168.10.21:/etc/ > /dev/null 2>&1
    * * * * * sleep 30;/usr/bin/rsync -e "ssh -p8888" -avpgolr /etc/shadow root@192.168.10.21:/etc/ > /dev/null 2>&1
    * * * * * sleep 40;/usr/bin/rsync -e "ssh -p8888" -avpgolr /etc/shadow root@192.168.10.21:/etc/ > /dev/null 2>&1
    * * * * * sleep 50;/usr/bin/rsync -e "ssh -p8888" -avpgolr /etc/shadow root@192.168.10.21:/etc/ > /dev/null 2>&1
     
    * * * * * /usr/bin/rsync -e "ssh -p8888" -avpgolr /etc/group root@192.168.10.21:/etc/ > /dev/null 2>&1
    * * * * * sleep 10;/usr/bin/rsync -e "ssh -p8888" -avpgolr /etc/group root@192.168.10.21:/etc/ > /dev/null 2>&1
    * * * * * sleep 20;/usr/bin/rsync -e "ssh -p8888" -avpgolr /etc/group root@192.168.10.21:/etc/ > /dev/null 2>&1
    * * * * * sleep 30;/usr/bin/rsync -e "ssh -p8888" -avpgolr /etc/group root@192.168.10.21:/etc/ > /dev/null 2>&1
    * * * * * sleep 40;/usr/bin/rsync -e "ssh -p8888" -avpgolr /etc/group root@192.168.10.21:/etc/ > /dev/null 2>&1
    * * * * * sleep 50;/usr/bin/rsync -e "ssh -p8888" -avpgolr /etc/group root@192.168.10.21:/etc/ > /dev/null 2>&1
     
    * * * * * /usr/bin/rsync -e "ssh -p8888" -avpgolr /data/jumpserver/keys/ root@192.168.10.21:/data/jumpserver/keys/ > /dev/null 2>&1
    * * * * * sleep 10;/usr/bin/rsync -e "ssh -p8888" -avpgolr /data/jumpserver/keys/ root@192.168.10.21:/data/jumpserver/keys/ > /dev/null 2>&1
    * * * * * sleep 20;/usr/bin/rsync -e "ssh -p8888" -avpgolr /data/jumpserver/keys/ root@192.168.10.21:/data/jumpserver/keys/ > /dev/null 2>&1
    * * * * * sleep 30;/usr/bin/rsync -e "ssh -p8888" -avpgolr /data/jumpserver/keys/ root@192.168.10.21:/data/jumpserver/keys/ > /dev/null 2>&1
    * * * * * sleep 40;/usr/bin/rsync -e "ssh -p8888" -avpgolr /data/jumpserver/keys/ root@192.168.10.21:/data/jumpserver/keys/ > /dev/null 2>&1
    * * * * * sleep 50;/usr/bin/rsync -e "ssh -p8888" -avpgolr /data/jumpserver/keys/ root@192.168.10.21:/data/jumpserver/keys/ > /dev/null 2>&1
     
    * * * * * /usr/bin/rsync -e "ssh -p8888" -avpgolr /home/ root@192.168.10.21:/home/ > /dev/null 2>&1
    * * * * * sleep 10;/usr/bin/rsync -e "ssh -p8888" -avpgolr /home/ root@192.168.10.21:/home/ > /dev/null 2>&1
    * * * * * sleep 20;/usr/bin/rsync -e "ssh -p8888" -avpgolr /home/ root@192.168.10.21:/home/ > /dev/null 2>&1
    * * * * * sleep 30;/usr/bin/rsync -e "ssh -p8888" -avpgolr /home/ root@192.168.10.21:/home/ > /dev/null 2>&1
    * * * * * sleep 40;/usr/bin/rsync -e "ssh -p8888" -avpgolr /home/ root@192.168.10.21:/home/ > /dev/null 2>&1
    * * * * * sleep 50;/usr/bin/rsync -e "ssh -p8888" -avpgolr /home/ root@192.168.10.21:/home/ > /dev/null 2>&1
     
    Then restart the jumpserver service on both machines.
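One way to consolidate the thirty crontab entries above into a single one-way push job, as an added example that is not part of the original post: a POSIX shell script run once a minute from the master's crontab. It refuses to run unless a role file marks the host as master (so the bidirectional-overwrite problem described above cannot recur if the script is ever copied to the standby), takes a lock so passes never overlap, and pushes each path six times at 10-second intervals. The role file /etc/jumpserver-sync/role, the dedicated key /root/.ssh/jumpserver_sync, the lock path and the script name jumpserver-sync.sh are assumptions, not from the page; the paths, port and peer address are the page's own.

```shell
#!/bin/sh
# Added example, not from the original post: one-way push of the Jumpserver
# account and key files from the master (192.168.10.20) to the standby
# (192.168.10.21), replacing the per-file crontab entries with one job.
# Assumed (not on the page): the role file, the dedicated SSH key and the
# lock file paths below, and the script name jumpserver-sync.sh.

ROLE_FILE="${ROLE_FILE:-/etc/jumpserver-sync/role}"   # contains "master" on the master only
PEER="${PEER:-192.168.10.21}"                          # the standby
SSH_PORT="${SSH_PORT:-8888}"                           # sshd port on both Jumpserver nodes
SSH_KEY="${SSH_KEY:-/root/.ssh/jumpserver_sync}"      # dedicated key, restricted on the standby
LOCK="${LOCK:-/var/run/jumpserver-sync.lock}"

# "source destination" pairs, pushed in this order (same paths as the crontab above).
SYNC_PATHS='
/etc/passwd /etc/
/etc/shadow /etc/
/etc/group /etc/
/data/jumpserver/keys/ /data/jumpserver/keys/
/home/ /home/
'

# Only the host explicitly marked as master may push; a standby that pushed
# would overwrite the master's files, which is exactly the bidirectional-sync
# failure described above.
is_master() {
    [ -r "$ROLE_FILE" ] && [ "$(cat "$ROLE_FILE")" = "master" ]
}

# Push one path to the standby.  With DRY_RUN=1 the command is printed
# instead of executed (used for offline checks and for a first inspection).
sync_one() {
    src=$1
    dst=$2
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "rsync -a -e 'ssh -p$SSH_PORT -i $SSH_KEY -o BatchMode=yes' $src root@$PEER:$dst"
        return 0
    fi
    rsync -a -e "ssh -p$SSH_PORT -i $SSH_KEY -o BatchMode=yes" "$src" "root@$PEER:$dst"
}

# One pass over every path; a failure on one path is logged but does not
# stop the others (a problem under /home must not block /etc/shadow).
sync_pass() {
    printf '%s\n' "$SYNC_PATHS" | while read -r src dst; do
        [ -n "$src" ] || continue
        sync_one "$src" "$dst" || echo "jumpserver-sync: push of $src failed" >&2
    done
}

main() {
    is_master || { echo "jumpserver-sync: $ROLE_FILE does not say master, refusing to push" >&2; exit 2; }
    exec 9>"$LOCK"
    flock -n 9 || exit 0          # the previous minute's run is still going; skip this one
    # Cron resolution is one minute; six passes 10 s apart give the same
    # cadence as the sleep 10/20/.../50 entries above.
    pass=0
    while [ $pass -lt 6 ]; do
        sync_pass
        pass=$((pass + 1))
        [ $pass -lt 6 ] && sleep 10
    done
}

# Run only when invoked as the installed script, so the functions can be
# sourced and exercised without touching the standby.
case "$0" in
    */jumpserver-sync.sh|jumpserver-sync.sh) main "$@" ;;
esac
```

Install it as /usr/local/sbin/jumpserver-sync.sh with a single crontab line (`* * * * * /usr/local/sbin/jumpserver-sync.sh`), write `master` into the role file on 192.168.10.20 only, and generate the dedicated key with ssh-keygen; on the standby, prefix that key's entry in /root/.ssh/authorized_keys with from="192.168.10.20" so it cannot be used from anywhere else.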
     
    5) Load balancing for web access on port 80. The access URL is http://jump.kevin-inc.com
    Reference: http://www.cnblogs.com/kevingrace/p/6138185.html
    As configured below the bastion's login page is served over plain HTTP; in practice terminate TLS on this Nginx tier (listen 443 ssl) so that Jumpserver credentials do not cross the network in cleartext.
        
    [root@inner-lb01 ~]# cat /data/nginx/conf/vhosts/jump.kevin-inc.com.conf
    upstream jump-inc {
          server 192.168.10.20:80 max_fails=3 fail_timeout=10s;
          server 192.168.10.21:80 max_fails=3 fail_timeout=10s;
    }
                  
      server {
          listen      80;
          server_name jump.kevin-inc.com;
            
          access_log  /data/nginx/logs/jump.kevin-inc.com-access.log main;
          error_log  /data/nginx/logs/jump.kevin-inc.com-error.log;
            
     location / {
             proxy_pass http://jump-inc;
             proxy_redirect off ;
             proxy_set_header Host $host;
             proxy_set_header X-Real-IP $remote_addr;
             proxy_set_header REMOTE-HOST $remote_addr;
             proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
             proxy_connect_timeout 300;
             proxy_send_timeout 300;
             proxy_read_timeout 600;
             proxy_buffer_size 256k;
             proxy_buffers 4 256k;
             proxy_busy_buffers_size 256k;
             proxy_temp_file_write_size 256k;
             proxy_next_upstream error timeout invalid_header http_502 http_503 http_504;
             proxy_max_temp_file_size 128m;
             #proxy_cache mycache;
             #proxy_cache_valid 200 302 1h;
             #proxy_cache_valid 301 1d;
             #proxy_cache_valid any 1m;
            }
    }
        
        
    6) Load balancing for SSH login on port 8888
    For the lvs+keepalived configuration see: http://www.cnblogs.com/kevingrace/p/5570500.html
        
    The two LVS nodes are configured as follows (the VIP is 192.168.10.24). Because lb_kind is DR, each real server must additionally bind the VIP on its loopback interface (192.168.10.24/32 on lo) and set arp_ignore=1 and arp_announce=2 so that it does not answer ARP for the VIP; persistence_timeout 600 pins each client IP to one real server for 10 minutes. The VRRP PASS authentication travels in cleartext and only guards against configuration mistakes, not against an attacker on the segment, so keep the VRRP traffic on a trusted network.
    [root@jump-lvs01 ~]# cat /etc/keepalived/keepalived.conf
    ! Configuration File for keepalived
           
    global_defs {
       router_id LVS_Master
    }
           
    vrrp_instance VI_1 {
        state MASTER           
        interface eth0        
        virtual_router_id 51   
        priority 100          
        advert_int 1           
        authentication {
            auth_type PASS     
            auth_pass 1111     
        }
        virtual_ipaddress {
            192.168.10.24    
        }
    }
           
    virtual_server 192.168.10.24 8888 {
        delay_loop 6           
        lb_algo wrr            
        lb_kind DR             
        #nat_mask 255.255.255.0
        persistence_timeout 600 
        protocol TCP          
           
        real_server 192.168.10.20 8888 {
            weight 3
            TCP_CHECK {
                connect_timeout 3
                nb_get_retry 3
                delay_before_retry 3
                connect_port 8888
            }
        }
        real_server 192.168.10.21 8888 {
            weight 3
            TCP_CHECK {
                connect_timeout 3
                nb_get_retry 3
                delay_before_retry 3
                connect_port 8888
            }
        }
    }
        
        
        
    [root@jump-lvs02 ~]# cat /etc/keepalived/keepalived.conf
    ! Configuration File for keepalived
           
    global_defs {
       router_id LVS_Backup
    }
           
    vrrp_instance VI_1 {
        state BACKUP           
        interface eth0        
        virtual_router_id 51   
        priority 90          
        advert_int 1           
        authentication {
            auth_type PASS     
            auth_pass 1111     
        }
        virtual_ipaddress {
            192.168.10.24    
        }
    }
           
    virtual_server 192.168.10.24 8888 {
        delay_loop 6           
        lb_algo wrr            
        lb_kind DR             
        #nat_mask 255.255.255.0
        persistence_timeout 600 
        protocol TCP          
           
        real_server 192.168.10.20 8888 {
            weight 3
            TCP_CHECK {
                connect_timeout 3
                nb_get_retry 3
                delay_before_retry 3
                connect_port 8888
            }
        }
        
        real_server 192.168.10.21 8888 {
            weight 3
            TCP_CHECK {
                connect_timeout 3
                nb_get_retry 3
                delay_before_retry 3
                connect_port 8888
            }
        }
    }
     
    From an Xshell client you can log in to the bastion host at 192.168.10.20, 192.168.10.21 or 192.168.10.24; all three addresses work.
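A check a practitioner would run once the LVS VIP is up, as an added example that is not part of the original post: because connections to 192.168.10.24:8888 are spread across two independent sshd instances, both nodes must present the same host key for every key type, or clients will get a "REMOTE HOST IDENTIFICATION HAS CHANGED" warning whenever persistence moves them to the other node. The script below scans both real servers and the VIP with ssh-keyscan and reports, per key type, whether every address returned the same key, and also flags a node that did not answer at all. The script name check-hostkeys.sh is an assumption, and the sample keyscan output embedded for offline use is constructed (the key strings are not real keys); the addresses and port are the page's.

```shell
#!/bin/sh
# Added example, not from the original post: verify that both Jumpserver nodes
# behind the LVS VIP present identical SSH host keys on port 8888.  The script
# name check-hostkeys.sh is an assumption; the addresses and port are the page's.

SSH_PORT="${SSH_PORT:-8888}"
NODES="${NODES:-192.168.10.20 192.168.10.21 192.168.10.24}"   # master, standby, VIP

# Collect host keys from every node in ssh-keyscan's "host type key" format.
scan_hosts() {
    # $1 = port, remaining args = hosts.  -t limits the scan to the key types
    # clients actually negotiate; -T bounds the wait for a node that is down.
    port=$1
    shift
    ssh-keyscan -p "$port" -T 5 -t rsa,ecdsa,ed25519 "$@" 2>/dev/null
}

# Read keyscan output on stdin and print one line per key type:
#   ok <type>        every host returned the same key of that type
#   MISMATCH <type>  at least two hosts returned different keys of that type
#   MISSING <type>   fewer hosts than expected ($1) returned a key of that type
# Exit status is 1 if anything other than "ok" was printed, 0 otherwise.
check_hostkeys() {
    awk -v want="${1:-0}" '
        /^#/ || NF < 3 { next }                 # keyscan banner/comment lines
        {
            count[$2]++                         # hosts that answered for this type
            if (!(($2, $3) in seen)) {          # distinct keys seen for this type
                seen[$2, $3] = 1
                distinct[$2]++
            }
        }
        END {
            bad = 0
            for (t in distinct) {
                if (distinct[t] > 1) { print "MISMATCH " t; bad = 1 }
                else if (want > 0 && count[t] != want) { print "MISSING " t; bad = 1 }
                else print "ok " t
            }
            exit bad
        }'
}

# Constructed keyscan output (not captured from a real system) for running
# check_hostkeys offline: the ed25519 keys differ, the rsa keys match.
SAMPLE_SCAN='# 192.168.10.20:8888 SSH-2.0-OpenSSH_7.4
[192.168.10.20]:8888 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyA
[192.168.10.21]:8888 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyB
[192.168.10.20]:8888 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABConstructedSameKey
[192.168.10.21]:8888 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABConstructedSameKey'

# Run the live scan only when invoked as the installed script, so the
# functions above can be exercised on captured output without network access.
case "$0" in
    */check-hostkeys.sh|check-hostkeys.sh)
        # shellcheck disable=SC2086  (NODES is intentionally word-split)
        if scan_hosts "$SSH_PORT" $NODES | check_hostkeys "$(echo $NODES | wc -w)"; then
            echo "host keys consistent across: $NODES"
        else
            echo "host keys differ or a node did not answer; copy /etc/ssh/ssh_host_*_key* from the master to the standby and restart sshd" >&2
            exit 1
        fi
        ;;
esac
```

The VIP is scanned as well because that is the name users actually put in their client; with DR forwarding it simply returns whichever real server LVS picked, so once the two real servers agree the VIP agrees too. If the check reports MISMATCH, copy the host key files from the master to the standby (they are not in the rsync list above) and restart sshd there.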
    Original article: https://www.cnblogs.com/cheyunhua/p/8684889.html