Notes on deploying a dual-node high-availability Jumpserver environment
I had previously deployed a Jumpserver bastion host in the IDC as the single entry point for logging in to production servers. After it had been running for a while, I found that CPU utilisation on the Jumpserver machine was above 80%, most of it consumed by the Python processes. Because it was a single-machine deployment, for safety's sake a dual-node high-availability Jumpserver setup was urgently needed, using LB+HA both to spread the load and to provide failover. The deployment process is recorded below:
After the adjustments below, the existing Jumpserver user names, keys and passwords all stay the same; users only need to change the address they ssh to, pointing it at the VIP of the ssh-port load balancer. In other words, for users only the login IP changes; everything else is unaffected.

1) Environment

192.168.10.20    the existing standalone Jumpserver, used as the master
192.168.10.21    the newly added Jumpserver, used as the slave

The ssh port on both Jumpserver machines is changed to 8888.
Web access on port 80 is balanced at layer 7 with Nginx + keepalived; the domain is jump.kevin-inc.com.
The ssh port is balanced at layer 4. This can also be done with Nginx's stream module (the nginx+keepalived load-balancing layer I run in production does not have the stream module installed, so to avoid touching production I set up a separate lvs+keepalived pair).

2) Deploy Jumpserver on the backup machine (192.168.10.21)

Reference: http://www.cnblogs.com/kevingrace/p/5570279.html

3) Set up MySQL master-master replication between the master and the backup (first copy the master's jumpserver database into the slave's MySQL)

Reference: the MySQL master-master replication section of http://www.cnblogs.com/kevingrace/p/6710136.html

4) File synchronization

Use rsync+inotify for real-time sync, or rsync + crontab for short-interval sync (passwordless ssh trust between 192.168.10.20 and 192.168.10.21 must be set up first).

Files to sync:
the system account files /etc/passwd, /etc/shadow and /etc/group
the Jumpserver users and key files: jumpserver/keys
the user home directories under /home

Note: to keep files from being overwritten by the other side, the sync can only run in one direction; never set up bidirectional sync. Otherwise you hit this failure: a user is created in the Jumpserver UI on one machine, but that user is missing from /etc/passwd on that very Jumpserver server, because the other machine's sync has just overwritten the file.

The correct approach: run rsync + crontab on 192.168.10.20 (one run every 10 seconds) and run no sync at all on 192.168.10.21. Create users in the Jumpserver UI at http://192.168.10.20, and they are pushed to the other machine within seconds. (Again: users must be created in the UI at http://192.168.10.20.) Because each run replaces the whole file on the slave, any account added locally on 192.168.10.21 is lost on the next run. Also note that the redirection to /dev/null below discards rsync's errors, so a broken ssh trust or a disk problem on the slave only shows up when a user cannot log in there; it is worth comparing the two nodes' account files against each other from time to time.

[root@jumpserver01 ~]# crontab -l
.........
* * * * * /usr/bin/rsync -e "ssh -p8888" -avpgolr /etc/passwd root@192.168.10.21:/etc/ > /dev/null 2>&1
* * * * * sleep 10; /usr/bin/rsync -e "ssh -p8888" -avpgolr /etc/passwd root@192.168.10.21:/etc/ > /dev/null 2>&1
* * * * * sleep 20; /usr/bin/rsync -e "ssh -p8888" -avpgolr /etc/passwd root@192.168.10.21:/etc/ > /dev/null 2>&1
* * * * * sleep 30; /usr/bin/rsync -e "ssh -p8888" -avpgolr /etc/passwd root@192.168.10.21:/etc/ > /dev/null 2>&1
* * * * * sleep 40; /usr/bin/rsync -e "ssh -p8888" -avpgolr /etc/passwd root@192.168.10.21:/etc/ > /dev/null 2>&1
* * * * * sleep 50; /usr/bin/rsync -e "ssh -p8888" -avpgolr /etc/passwd root@192.168.10.21:/etc/ > /dev/null 2>&1
* * * * * /usr/bin/rsync -e "ssh -p8888" -avpgolr /etc/shadow root@192.168.10.21:/etc/ > /dev/null 2>&1
* * * * * sleep 10; /usr/bin/rsync -e "ssh -p8888" -avpgolr /etc/shadow root@192.168.10.21:/etc/ > /dev/null 2>&1
* * * * * sleep 20; /usr/bin/rsync -e "ssh -p8888" -avpgolr /etc/shadow root@192.168.10.21:/etc/ > /dev/null 2>&1
* * * * * sleep 30; /usr/bin/rsync -e "ssh -p8888" -avpgolr /etc/shadow root@192.168.10.21:/etc/ > /dev/null 2>&1
* * * * * sleep 40; /usr/bin/rsync -e "ssh -p8888" -avpgolr /etc/shadow root@192.168.10.21:/etc/ > /dev/null 2>&1
* * * * * sleep 50; /usr/bin/rsync -e "ssh -p8888" -avpgolr /etc/shadow root@192.168.10.21:/etc/ > /dev/null 2>&1
* * * * * /usr/bin/rsync -e "ssh -p8888" -avpgolr /etc/group root@192.168.10.21:/etc/ > /dev/null 2>&1
* * * * * sleep 10; /usr/bin/rsync -e "ssh -p8888" -avpgolr /etc/group root@192.168.10.21:/etc/ > /dev/null 2>&1
* * * * * sleep 20; /usr/bin/rsync -e "ssh -p8888" -avpgolr /etc/group root@192.168.10.21:/etc/ > /dev/null 2>&1
* * * * * sleep 30; /usr/bin/rsync -e "ssh -p8888" -avpgolr /etc/group root@192.168.10.21:/etc/ > /dev/null 2>&1
* * * * * sleep 40; /usr/bin/rsync -e "ssh -p8888" -avpgolr /etc/group root@192.168.10.21:/etc/ > /dev/null 2>&1
* * * * * sleep 50; /usr/bin/rsync -e "ssh -p8888" -avpgolr /etc/group root@192.168.10.21:/etc/ > /dev/null 2>&1
* * * * * /usr/bin/rsync -e "ssh -p8888" -avpgolr /data/jumpserver/keys/ 192.168.10.21:/data/jumpserver/keys/ > /dev/null 2>&1
* * * * * sleep 10; /usr/bin/rsync -e "ssh -p8888" -avpgolr /data/jumpserver/keys/ 192.168.10.21:/data/jumpserver/keys/ > /dev/null 2>&1
* * * * * sleep 20; /usr/bin/rsync -e "ssh -p8888" -avpgolr /data/jumpserver/keys/ 192.168.10.21:/data/jumpserver/keys/ > /dev/null 2>&1
* * * * * sleep 30; /usr/bin/rsync -e "ssh -p8888" -avpgolr /data/jumpserver/keys/ 192.168.10.21:/data/jumpserver/keys/ > /dev/null 2>&1
* * * * * sleep 40; /usr/bin/rsync -e "ssh -p8888" -avpgolr /data/jumpserver/keys/ 192.168.10.21:/data/jumpserver/keys/ > /dev/null 2>&1
* * * * * sleep 50; /usr/bin/rsync -e "ssh -p8888" -avpgolr /data/jumpserver/keys/ 192.168.10.21:/data/jumpserver/keys/ > /dev/null 2>&1
* * * * * /usr/bin/rsync -e "ssh -p8888" -avpgolr /home/ 192.168.10.21:/home/ > /dev/null 2>&1
* * * * * sleep 10; /usr/bin/rsync -e "ssh -p8888" -avpgolr /home/ 192.168.10.21:/home/ > /dev/null 2>&1
* * * * * sleep 20; /usr/bin/rsync -e "ssh -p8888" -avpgolr /home/ 192.168.10.21:/home/ > /dev/null 2>&1
* * * * * sleep 30; /usr/bin/rsync -e "ssh -p8888" -avpgolr /home/ 192.168.10.21:/home/ > /dev/null 2>&1
* * * * * sleep 40; /usr/bin/rsync -e "ssh -p8888" -avpgolr /home/ 192.168.10.21:/home/ > /dev/null 2>&1
* * * * * sleep 50; /usr/bin/rsync -e "ssh -p8888" -avpgolr /home/ 192.168.10.21:/home/ > /dev/null 2>&1

Then restart the Jumpserver service on both machines.

5) Load balancing for web access on port 80. The access URL is http://jump.kevin-inc.com

Reference: http://www.cnblogs.com/kevingrace/p/6138185.html

[root@inner-lb01 ~]# cat /data/nginx/conf/vhosts/jump.kevin-inc.com.conf
upstream jump-inc {
    server 192.168.10.20:80 max_fails=3 fail_timeout=10s;
    server 192.168.10.21:80 max_fails=3 fail_timeout=10s;
}

server {
    listen 80;
    server_name jump.kevin-inc.com;
    access_log /data/nginx/logs/jump.kevin-inc.com-access.log main;
    error_log /data/nginx/logs/jump.kevin-inc.com-error.log;

    location / {
        proxy_pass http://jump-inc;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header REMOTE-HOST $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_connect_timeout 300;
        proxy_send_timeout 300;
        proxy_read_timeout 600;
        proxy_buffer_size 256k;
        proxy_buffers 4 256k;
        proxy_busy_buffers_size 256k;
        proxy_temp_file_write_size 256k;
        proxy_next_upstream error timeout invalid_header http_502 http_503 http_504;
        proxy_max_temp_file_size 128m;
        #proxy_cache mycache;
        #proxy_cache_valid 200 302 1h;
        #proxy_cache_valid 301 1d;
        #proxy_cache_valid any 1m;
    }
}

6) Load balancing for ssh logins on port 8888

lvs+keepalived reference: http://www.cnblogs.com/kevingrace/p/5570500.html

The configuration of the two LVS nodes is as follows (the VIP is 192.168.10.24). Because lb_kind is DR, both real servers must additionally have the VIP 192.168.10.24 bound on their loopback interface with ARP replies for it suppressed (arp_ignore/arp_announce), otherwise connections to the VIP are not answered.

[root@jump-lvs01 ~]# cat /etc/keepalived/keepalived.conf
! Configuration File for keepalived

global_defs {
   router_id LVS_Master
}

vrrp_instance VI_1 {
    state MASTER
    interface eth0
    virtual_router_id 51
    priority 100
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        192.168.10.24
    }
}

virtual_server 192.168.10.24 8888 {
    delay_loop 6
    lb_algo wrr
    lb_kind DR
    #nat_mask 255.255.255.0
    persistence_timeout 600
    protocol TCP

    real_server 192.168.10.20 8888 {
        weight 3
        TCP_CHECK {
            connect_timeout 3
            nb_get_retry 3
            delay_before_retry 3
            connect_port 8888
        }
    }

    real_server 192.168.10.21 8888 {
        weight 3
        TCP_CHECK {
            connect_timeout 3
            nb_get_retry 3
            delay_before_retry 3
            connect_port 8888
        }
    }
}

[root@jump-lvs02 ~]# cat /etc/keepalived/keepalived.conf
! Configuration File for keepalived

global_defs {
   router_id LVS_Backup
}

vrrp_instance VI_1 {
    state BACKUP
    interface eth0
    virtual_router_id 51
    priority 90
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        192.168.10.24
    }
}

virtual_server 192.168.10.24 8888 {
    delay_loop 6
    lb_algo wrr
    lb_kind DR
    #nat_mask 255.255.255.0
    persistence_timeout 600
    protocol TCP

    real_server 192.168.10.20 8888 {
        weight 3
        TCP_CHECK {
            connect_timeout 3
            nb_get_retry 3
            delay_before_retry 3
            connect_port 8888
        }
    }

    real_server 192.168.10.21 8888 {
        weight 3
        TCP_CHECK {
            connect_timeout 3
            nb_get_retry 3
            delay_before_retry 3
            connect_port 8888
        }
    }
}

Log in to the bastion host from an Xshell client; the bastion address can be 192.168.10.20, 192.168.10.21 or 192.168.10.24. All three work.
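The one-way sync in step 4 fails silently (rsync's output goes to /dev/null), and the failure mode described there is an account existing on one node but not on the other. The following Python script is added here as an example; it is not part of the original post. It compares copies of /etc/passwd, /etc/shadow and /etc/group taken from the master and the slave and reports accounts not yet pushed, accounts that exist only on the slave (which the next rsync run overwrites), UID/GID drift between the nodes, and password hashes that differ. The file contents embedded below are constructed samples; on a real deployment you would fetch the files from both nodes (for example with scp over port 8888) and pass their contents to compare_nodes.

```python
"""Consistency check for the one-way sync of /etc/passwd, /etc/shadow and /etc/group
from the master (192.168.10.20) to the slave (192.168.10.21). Sample data is constructed."""
from dataclasses import dataclass, field


def _records(text: str, nfields: int) -> list[list[str]]:
    """Split colon-separated account-file lines; skip blanks and comments, reject bad lines."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != nfields:
            raise ValueError(f"expected {nfields} fields: {line!r}")
        out.append(parts)
    return out


def parse_passwd(text: str) -> dict[str, tuple[int, int]]:
    """name -> (uid, gid) from lines of the form name:x:uid:gid:gecos:home:shell."""
    return {p[0]: (int(p[2]), int(p[3])) for p in _records(text, 7)}


def parse_shadow(text: str) -> dict[str, str]:
    """name -> password hash field from the nine-field shadow format."""
    return {p[0]: p[1] for p in _records(text, 9)}


def parse_group(text: str) -> dict[str, int]:
    """group name -> gid from lines of the form name:x:gid:members."""
    return {p[0]: int(p[2]) for p in _records(text, 4)}


@dataclass
class SyncReport:
    missing_on_slave: list[str] = field(default_factory=list)   # created on master, not pushed yet
    only_on_slave: list[str] = field(default_factory=list)      # created on slave; next rsync deletes it
    id_mismatch: list[tuple] = field(default_factory=list)      # (name, master (uid, gid), slave (uid, gid))
    stale_hash: list[str] = field(default_factory=list)         # password changed on master only
    groups_missing_on_slave: list[str] = field(default_factory=list)

    def consistent(self) -> bool:
        return not (self.missing_on_slave or self.only_on_slave or self.id_mismatch
                    or self.stale_hash or self.groups_missing_on_slave)


def compare_nodes(m_passwd: str, m_shadow: str, m_group: str,
                  s_passwd: str, s_shadow: str, s_group: str) -> SyncReport:
    """Diff the master's account files against copies taken from the slave."""
    m_users, s_users = parse_passwd(m_passwd), parse_passwd(s_passwd)
    m_hash, s_hash = parse_shadow(m_shadow), parse_shadow(s_shadow)
    r = SyncReport()
    r.missing_on_slave = sorted(set(m_users) - set(s_users))
    r.only_on_slave = sorted(set(s_users) - set(m_users))
    for name in sorted(set(m_users) & set(s_users)):
        if m_users[name] != s_users[name]:
            # Once the master's passwd file lands, files the slave already holds for
            # this user keep the old numeric UID/GID and no longer match the account.
            r.id_mismatch.append((name, m_users[name], s_users[name]))
        if m_hash.get(name) != s_hash.get(name):
            r.stale_hash.append(name)
    r.groups_missing_on_slave = sorted(set(parse_group(m_group)) - set(parse_group(s_group)))
    return r


# Constructed sample: "tom" was just created in the Jumpserver UI on the master and
# kevin's password was changed there; the slave still lacks tom, has kevin's old hash
# and a different GID for kevin, and someone added "alice" directly on the slave.
MASTER_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
kevin:x:1001:1001::/home/kevin:/bin/bash
tom:x:1002:1002::/home/tom:/bin/bash
"""
SLAVE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
kevin:x:1001:1005::/home/kevin:/bin/bash
alice:x:1003:1003::/home/alice:/bin/bash
"""
MASTER_SHADOW = """\
root:$6$rsalt$roothash:17000:0:99999:7:::
kevin:$6$ksalt$newhash:17000:0:99999:7:::
tom:$6$tsalt$tomhash:17000:0:99999:7:::
"""
SLAVE_SHADOW = """\
root:$6$rsalt$roothash:17000:0:99999:7:::
kevin:$6$ksalt$oldhash:17000:0:99999:7:::
alice:$6$asalt$alicehash:17000:0:99999:7:::
"""
MASTER_GROUP = "root:x:0:\nkevin:x:1001:\ntom:x:1002:\n"
SLAVE_GROUP = "root:x:0:\nkevin:x:1005:\nalice:x:1003:\n"


def sample_report() -> SyncReport:
    return compare_nodes(MASTER_PASSWD, MASTER_SHADOW, MASTER_GROUP,
                         SLAVE_PASSWD, SLAVE_SHADOW, SLAVE_GROUP)


if __name__ == "__main__":
    for key, value in vars(sample_report()).items():
        print(f"{key}: {value}")
```

On the constructed sample the report lists tom as missing on the slave, alice as slave-only, kevin with a GID mismatch and a stale hash, and the group tom as missing; an empty report (consistent() returning True) is what you want to see a few seconds after creating a user on the master.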
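Before moving users to the VIP it is worth checking the real servers the same way keepalived's TCP_CHECK in step 6 does. The following Python probe is added here as an example and is not part of the original post. It reuses the values from the keepalived.conf above (connect_timeout 3, nb_get_retry 3, delay_before_retry 3): one connect attempt plus three retries three seconds apart before a real server is reported down. The connector and the sleep function are injectable so the logic can be exercised offline with the constructed FakeConnector; run as a script against 192.168.10.20 and 192.168.10.21 it performs real TCP connects to port 8888.

```python
"""Probe the Jumpserver real servers the way keepalived's TCP_CHECK does.
Parameters mirror the virtual_server block for 192.168.10.24:8888."""
import socket
import time
from typing import Callable, Dict, List, Tuple

Address = Tuple[str, int]
Connector = Callable[[Address, float], object]   # same call shape as socket.create_connection

# Copied from the keepalived.conf above.
REAL_SERVERS: List[Address] = [("192.168.10.20", 8888), ("192.168.10.21", 8888)]
CONNECT_TIMEOUT = 3.0      # connect_timeout 3
NB_GET_RETRY = 3           # nb_get_retry 3
DELAY_BEFORE_RETRY = 3.0   # delay_before_retry 3


def tcp_check(addr: Address,
              connect: Connector = socket.create_connection,
              sleep: Callable[[float], None] = time.sleep,
              connect_timeout: float = CONNECT_TIMEOUT,
              retries: int = NB_GET_RETRY,
              delay: float = DELAY_BEFORE_RETRY) -> bool:
    """One connect attempt plus `retries` retries, `delay` seconds apart.
    True as soon as a TCP handshake to addr completes; False if every attempt fails,
    which is the point at which keepalived removes the real server from the pool."""
    for attempt in range(retries + 1):
        try:
            conn = connect(addr, connect_timeout)
        except OSError:
            if attempt < retries:
                sleep(delay)
            continue
        close = getattr(conn, "close", None)
        if callable(close):
            close()
        return True
    return False


def pool_status(real_servers: List[Address] = REAL_SERVERS,
                connect: Connector = socket.create_connection,
                sleep: Callable[[float], None] = time.sleep) -> Dict[str, bool]:
    """'ip:port' -> True (up) / False (down) for every real server."""
    return {f"{ip}:{port}": tcp_check((ip, port), connect, sleep) for ip, port in real_servers}


class FakeConnector:
    """Constructed stand-in for socket.create_connection used for offline testing:
    listed hosts refuse their first N connects, every other host accepts at once."""
    def __init__(self, refuse_first: Dict[str, int]):
        self.remaining = dict(refuse_first)
        self.attempts: List[Address] = []

    def __call__(self, addr: Address, timeout: float) -> object:
        self.attempts.append(addr)
        host = addr[0]
        if self.remaining.get(host, 0) > 0:
            self.remaining[host] -= 1
            raise ConnectionRefusedError(f"{host}:{addr[1]} refused")
        return object()


if __name__ == "__main__":
    for server, up in pool_status().items():
        print(server, "UP" if up else "DOWN")
```

A server that refuses two connects and accepts the third is still reported up, exactly as keepalived would keep it in the pool; one that refuses all four attempts is reported down after three delays.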
Reposted from 散尽浮华