JumpServer高可用部署

avatar 2019年12月10日23:14:30 评论 1,841 次浏览

jumpserver是做什么的这里就不啰嗦了,管理的机器过多,过于分散。这就需要使用到高可用的方案,首先我们要做的是打通各区域间的网络通信,如果各区域间的网络负载的项目不同那就没有必要都打通了,只需要能够进去公司即可,这样我们就在公司部署一个高可用的jumpserve,管理各区域的机器,如果公司也比较分散,那就打通各区域的网络使用各区域交叉的网络环境来部署,高可用的好处方便管理,也可以在最短时间内收集各区域的配置信息等等。下面本地测试一下高可用的环境搭建以及实验结果。

部署环境

计算机名 IP 服务
wulaoer_server01 10.211.55.128 jumpserver1
wulaoer_server02 10.211.55.130 jumpserver2
wulaoer_mysql 10.211.55.129 mysql,redis,nfs

在两个server上部署前段以及后台的jumpserver程序,mysql主要作为数据存储以及redis,这里也包含屏幕录制,两台的数据是同步的,这样就能保证不管那一台server挂了,另外一台的数据都能正常,不能影响用户和管理者的适用性。

注:操作前先备份录屏文件,mysql,redis,SECRET_KEY,BOOTSTRAP_TOKEN

wulaoer_server01配置

首先在server01上配置,也可以先安装好一台jumpserver,不过存储要放到mysql上。

[root@wulaoer_server01 ~]#  yum update -y
#防火墙和selinux配置
[root@wulaoer_server01 ~]# systemctl start firewalld    #打开防火墙
[root@wulaoer_server01 ~]# firewall-cmd --zone=public --add-port=80/tcp --permanent  #nginx端口
success
[root@wulaoer_server01 ~]# firewall-cmd --zone=public --add-port=2222/tcp --permanent  #用户ssh登录端口koko
success
[root@wulaoer_server01 ~]# firewall-cmd --reload  #重新加载
success
[root@wulaoer_server01 ~]# setenforce 0
[root@wulaoer_server01 ~]# sed -i "s/SELINUX=enforcing/SELINUX=disabled/g" /etc/selinux/config #selinux服务

安装依赖包

[root@wulaoer_server01 ~]# yum -y install wget gcc epel-release git

安装nginx代理服务整合jumpserver的各个组件

[root@wulaoer_server01 ~]# cat /etc/yum.repos.d/nginx.repo 
[nginx]
name=nginx repo
baseurl=http://nginx.org/packages/centos/7/$basearch/
gpgcheck=0
enabled=1
[root@wulaoer_server01 ~]# yum -y install nginx
[root@wulaoer_server01 ~]# systemctl enable nginx

安装python3.6

[root@wulaoer_server01 ~]# yum -y install python36 python36-devel
#配置并载入python3虚拟环境
[root@wulaoer_server01 ~]# cd /opt/
[root@wulaoer_server01 opt]# python3.6 -m venv wulaoer_py3  #wulaoer_py3为虚拟环境的名称,可以自己定义
[root@wulaoer_server01 opt]# source /opt/wulaoer_py3/bin/activate #进入虚拟环境使用activate,退出用deactivate命令
(wulaoer_py3) [root@wulaoer_server01 opt]#  #提示(wulaoer_py3)代表进入虚拟环境
(wulaoer_py3) [root@wulaoer_server01 opt]# deactivate 
[root@wulaoer_server01 opt]#

下载jumpserver

[root@wulaoer_server01 opt]# yum -y install git #没有需要安装
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirror.bit.edu.cn
 * epel: ftp.jaist.ac.jp
 * extras: mirrors.tuna.tsinghua.edu.cn
 * updates: mirror.bit.edu.cn
Package git-1.8.3.1-20.el7.x86_64 already installed and latest version
Nothing to do
[root@wulaoer_server01 opt]# git clone --depth=1 https://github.com/jumpserver/jumpserver.git
#安装jumpserver依赖包
[root@wulaoer_server01 opt]# yum -y install $(cat /opt/jumpserver/requirements/rpm_requirements.txt)
#安装python库依赖包
[root@wulaoer_server01 opt]# source /opt/wulaoer_py3/bin/activate
(wulaoer_py3) [root@wulaoer_server01 opt]#  pip install wheel
(wulaoer_py3) [root@wulaoer_server01 opt]# pip install --upgrade pip setuptools
(wulaoer_py3) [root@wulaoer_server01 ~]# pip install -r /opt/jumpserver/requirements/requirements.txt

这里注意在pip安装的时候本地默认pip版本过低需要升级一下pip的版本,因为网络的原因总是导致pip升级超时,超时错误信息如下:

(wulaoer_py3) [root@wulaoer_server01 ~]# pip install --upgrade pip
Collecting pip
  Downloading https://files.pythonhosted.org/packages/00/b6/9cfa56b4081ad13874b0c6f96af8ce16cfbc1cb06bedf8e9164ce5551ec1/pip-19.3.1-py2.py3-none-any.whl (1.4MB)
    4% |█▍                              | 61kB 3.3kB/s eta 0:06:50Exception:
Traceback (most recent call last):
  File "/opt/wulaoer_py3/lib64/python3.6/site-packages/pip/_vendor/urllib3/response.py", line 302, in _error_catcher
    yield
  File "/opt/wulaoer_py3/lib64/python3.6/site-packages/pip/_vendor/urllib3/response.py", line 384, in read
    data = self._fp.read(amt)
  File "/opt/wulaoer_py3/lib64/python3.6/site-packages/pip/_vendor/cachecontrol/filewrapper.py", line 60, in read
    data = self.__fp.read(amt)
  File "/usr/lib64/python3.6/http/client.py", line 459, in read
    n = self.readinto(b)
  File "/usr/lib64/python3.6/http/client.py", line 503, in readinto
    n = self.fp.readinto(b)
  File "/usr/lib64/python3.6/socket.py", line 586, in readinto
    return self._sock.recv_into(b)
  File "/usr/lib64/python3.6/ssl.py", line 968, in recv_into
    return self.read(nbytes, buffer)
  File "/usr/lib64/python3.6/ssl.py", line 830, in read
    return self._sslobj.read(len, buffer)
  File "/usr/lib64/python3.6/ssl.py", line 587, in read
    v = self._sslobj.read(len, buffer)
socket.timeout: The read operation timed out

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/opt/wulaoer_py3/lib64/python3.6/site-packages/pip/basecommand.py", line 215, in main
    status = self.run(options, args)
  File "/opt/wulaoer_py3/lib64/python3.6/site-packages/pip/commands/install.py", line 357, in run
    wb.build(autobuilding=True)
  File "/opt/wulaoer_py3/lib64/python3.6/site-packages/pip/wheel.py", line 753, in build
    self.requirement_set.prepare_files(self.finder)
  File "/opt/wulaoer_py3/lib64/python3.6/site-packages/pip/req/req_set.py", line 381, in prepare_files
    ignore_dependencies=self.ignore_dependencies))
  File "/opt/wulaoer_py3/lib64/python3.6/site-packages/pip/req/req_set.py", line 623, in _prepare_file
    session=self.session, hashes=hashes)
  File "/opt/wulaoer_py3/lib64/python3.6/site-packages/pip/download.py", line 821, in unpack_url
    hashes=hashes
  File "/opt/wulaoer_py3/lib64/python3.6/site-packages/pip/download.py", line 659, in unpack_http_url
    hashes)
  File "/opt/wulaoer_py3/lib64/python3.6/site-packages/pip/download.py", line 882, in _download_http_url
    _download_url(resp, link, content_file, hashes)
  File "/opt/wulaoer_py3/lib64/python3.6/site-packages/pip/download.py", line 603, in _download_url
    hashes.check_against_chunks(downloaded_chunks)
  File "/opt/wulaoer_py3/lib64/python3.6/site-packages/pip/utils/hashes.py", line 46, in check_against_chunks
    for chunk in chunks:
  File "/opt/wulaoer_py3/lib64/python3.6/site-packages/pip/download.py", line 571, in written_chunks
    for chunk in chunks:
  File "/opt/wulaoer_py3/lib64/python3.6/site-packages/pip/utils/ui.py", line 139, in iter
    for x in it:
  File "/opt/wulaoer_py3/lib64/python3.6/site-packages/pip/download.py", line 560, in resp_read
    decode_content=False):
  File "/opt/wulaoer_py3/lib64/python3.6/site-packages/pip/_vendor/urllib3/response.py", line 436, in stream
    data = self.read(amt=amt, decode_content=decode_content)
  File "/opt/wulaoer_py3/lib64/python3.6/site-packages/pip/_vendor/urllib3/response.py", line 401, in read
    raise IncompleteRead(self._fp_bytes_read, self.length_remaining)
  File "/usr/lib64/python3.6/contextlib.py", line 99, in __exit__
    self.gen.throw(type, value, traceback)
  File "/opt/wulaoer_py3/lib64/python3.6/site-packages/pip/_vendor/urllib3/response.py", line 307, in _error_catcher
    raise ReadTimeoutError(self._pool, None, 'Read timed out.')
pip._vendor.urllib3.exceptions.ReadTimeoutError: HTTPSConnectionPool(host='files.pythonhosted.org', port=443): Read timed out.
You are using pip version 9.0.3, however version 19.3.1 is available.
You should consider upgrading via the 'pip install --upgrade pip' command.

解决这个超时问题就在后面跟一个超时时间,下面是解决方法:

(wulaoer_py3) [root@wulaoer_server01 ~]# pip install --default-timeout=1000 --upgrade pip
Collecting pip
  Downloading https://files.pythonhosted.org/packages/00/b6/9cfa56b4081ad13874b0c6f96af8ce16cfbc1cb06bedf8e9164ce5551ec1/pip-19.3.1-py2.py3-none-any.whl (1.4MB)
    100% |████████████████████████████████| 1.4MB 14kB/s 
Installing collected packages: pip
  Found existing installation: pip 9.0.3
    Uninstalling pip-9.0.3:
      Successfully uninstalled pip-9.0.3
Successfully installed pip-19.3.1

超时解决,继续上面的操作。

(wulaoer_py3) [root@wulaoer_server01 ~]# pip install wheel
Requirement already satisfied: wheel in /opt/wulaoer_py3/lib/python3.6/site-packages (0.33.6)
(wulaoer_py3) [root@wulaoer_server01 ~]# pip install --upgrade pip setuptools
Requirement already up-to-date: pip in /opt/wulaoer_py3/lib/python3.6/site-packages (19.3.1)
Requirement already up-to-date: setuptools in /opt/wulaoer_py3/lib/python3.6/site-packages (39.2.0)
(wulaoer_py3) [root@wulaoer_server01 ~]# pip install -r /opt/jumpserver/requirements/requirements.txt
修改jumpserver配置文件
[root@wulaoer_server01 ~]# cd /opt/jumpserver/
[root@wulaoer_server01 jumpserver]# cp config_example.yml config.yml 
[root@wulaoer_server01 jumpserver]# SECRET_KEY=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 50`   # 生成随机SECRET_KEY
[root@wulaoer_server01 jumpserver]# echo "SECRET_KEY=$SECRET_KEY" >> ~/.bashrc
[root@wulaoer_server01 jumpserver]# BOOTSTRAP_TOKEN=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 16`   # 生成随机BOOTSTRAP_TOKEN
[root@wulaoer_server01 jumpserver]# echo "BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN" >> ~/.bashrc
[root@wulaoer_server01 jumpserver]# sed -i "s/SECRET_KEY:/SECRET_KEY: $SECRET_KEY/g" /opt/jumpserver/config.yml
[root@wulaoer_server01 jumpserver]#  sed -i "s/BOOTSTRAP_TOKEN:/BOOTSTRAP_TOKEN: $BOOTSTRAP_TOKEN/g" /opt/jumpserver/config.yml
[root@wulaoer_server01 jumpserver]#  sed -i "s/# DEBUG: true/DEBUG: false/g" /opt/jumpserver/config.yml
[root@wulaoer_server01 jumpserver]# sed -i "s/# LOG_LEVEL: DEBUG/LOG_LEVEL: ERROR/g" /opt/jumpserver/config.yml
[root@wulaoer_server01 jumpserver]# sed -i "s/# SESSION_EXPIRE_AT_BROWSER_CLOSE: false/SESSION_EXPIRE_AT_BROWSER_CLOSE: true/g" /opt/jumpserver/config.yml
[root@wulaoer_server01 jumpserver]# sed -i "s/DB_PASSWORD: /DB_PASSWORD: $DB_PASSWORD/g" /opt/jumpserver/config.yml
[root@wulaoer_server01 jumpserver]# echo -e "\033[31m 你的SECRET_KEY是 $SECRET_KEY \033[0m"
 你的SECRET_KEY是 wNW7d1XvwzjhMNh7VvVQGqNoRNBSrZwQq5PQTQg3X0F3fmR3hA 
[root@wulaoer_server01 jumpserver]# echo -e "\033[31m 你的BOOTSTRAP_TOKEN是 $BOOTSTRAP_TOKEN \033[0m"
 你的BOOTSTRAP_TOKEN是 mWQb5DXJhKTmfqQq

配置存储服务

安装redis服务,主要是存储cache和celery broke

[root@wulaoer_mysql ~]# yum -y install redis
[root@wulaoer_mysql ~]# systemctl enable redis
[root@wulaoer_mysql ~]# systemctl start redis

配置一下redis的远程连接

[root@wulaoer_mysql ~]# vim /etc/redis.conf 
.............................................
bind 127.0.0.1 改成 bind 0.0.0.0
.............................................
[root@wulaoer_mysql ~]# systemctl restart redis

安装mysql,可以参考:https://www.wulaoer.org/?p=220 安装之后我们需要配置以下远程权限,以便jumpserver能够访问到数据库的内容。

[root@wulaoer_mysql ~]# mysql -uroot -p
Enter password: 
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 2
Server version: 5.6.44-log Source distribution

Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
+--------------------+
3 rows in set (0.39 sec)

mysql> create database jumpserver;
Query OK, 1 row affected (0.00 sec)

mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| jumpserver         |
| mysql              |
| performance_schema |
+--------------------+
4 rows in set (0.01 sec)

mysql> use jumpserver;
Database changed
mysql> grant all privileges on *.* to jumpserver@'%' identified by 'dd0e68?!';
Query OK, 0 rows affected (0.00 sec)

mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)

mysql> select user,host from mysql.user;
+------------+-----------+
| user       | host      |
+------------+-----------+
| jumpserver | %         |
| root       | 127.0.0.1 |
| root       | ::1       |
| root       | localhost |
+------------+-----------+
4 rows in set (0.00 sec)

关闭防火墙,不限制用户访问

[root@wulaoer_mysql ~]# vi /etc/selinux/config

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled

关闭selinux,然后重启一下,并关闭防火墙。

[root@wulaoer_mysql ~]# systemctl status firewalld.service
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
   Active: active (running) since Fri 2019-12-06 22:36:54 CST; 10s ago
     Docs: man:firewalld(1)
 Main PID: 2597 (firewalld)
   CGroup: /system.slice/firewalld.service
           └─2597 /usr/bin/python2 -Es /usr/sbin/firewalld --nofork --nopid

Dec 06 22:36:53 wulaoer_mysql systemd[1]: Starting firewalld - dynamic firewall daemon...
Dec 06 22:36:54 wulaoer_mysql systemd[1]: Started firewalld - dynamic firewall daemon.
[root@wulaoer_mysql ~]# systemctl stop firewalld.service
[root@wulaoer_mysql ~]# 
[root@wulaoer_mysql ~]# 
[root@wulaoer_mysql ~]# systemctl status firewalld.service
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
   Active: inactive (dead)
     Docs: man:firewalld(1)

Dec 06 22:36:53 wulaoer_mysql systemd[1]: Starting firewalld - dynamic firewall daemon...
Dec 06 22:36:54 wulaoer_mysql systemd[1]: Started firewalld - dynamic firewall daemon.
Dec 06 22:37:10 wulaoer_mysql systemd[1]: Stopping firewalld - dynamic firewall daemon...
Dec 06 22:37:11 wulaoer_mysql systemd[1]: Stopped firewalld - dynamic firewall daemon.

我们使用的是mysql存储,所以需要使用mysql模块来连接mysql数据库

root@wulaoer_serve01 opt]# python3.6 -m venv wulaoer
[root@wulaoer_server01 ~]# source /opt/wulaoer_py3/bin/activate
(wulaoer_py3) [root@wulaoer_server01 ~]# cd /opt/jumpserver/
(wulaoer_py3) [root@wulaoer_server01 jumpserver]# pip install --default-timeout=1000 MySQL-python
(wulaoer_py3) [root@wulaoer_server01 jumpserver]# ./jms start -d

可以设置新的代码进行自启动admin

(wulaoer_py3) [root@wulaoer_server01 jumpserver]# wget -O /usr/lib/systemd/system/jms.service https://demo.jumpserver.org/download/shell/centos/jms.service
(wulaoer_py3) [root@wulaoer_server01 jumpserver]# chmod 755 /usr/lib/systemd/system/jms.service
(wulaoer_py3) [root@wulaoer_server01 jumpserver]# systemctl enable jms
Created symlink from /etc/systemd/system/multi-user.target.wants/jms.service to /usr/lib/systemd/system/jms.service.
(wulaoer_py3) [root@wulaoer_server01 jumpserver]# ./jms start -d

使用docker部署koko和guacamole

[root@wulaoer_server01 jumpserver]# yum install -y yum-utils device-mapper-persistent-data lvm2
[root@wulaoer_server01 jumpserver]# yum-config-manager --add-repo http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
[root@wulaoer_server01 jumpserver]# yum makecache fast
[root@wulaoer_server01 jumpserver]# rpm --import https://mirrors.aliyun.com/docker-ce/linux/centos/gpg
[root@wulaoer_server01 jumpserver]# yum -y install docker-ce
[root@wulaoer_server01 jumpserver]# systemctl enable docker
[root@wulaoer_server01 jumpserver]# curl -sSL https://get.daocloud.io/daotools/set_mirror.sh | sh -s http://f1361db2.m.daocloud.io
[root@wulaoer_server01 jumpserver]#  systemctl restart docker
[root@wulaoer_server01 jumpserver]#  Server_IP=`ip addr | grep 'state UP' -A2 | grep inet | egrep -v '(127.0.0.1|inet6|docker)' | awk '{print $2}' | tr -d "addr:" | head -n 1 | cut -d / -f1`
[root@wulaoer_server01 jumpserver]# echo -e "\033[31m 你的服务器IP是 $Server_IP \033[0m"
 你的服务器IP是 10.211.55.128 
[root@wulaoer_server01 jumpserver]# docker run --name jms_koko -d -p 2222:2222 -p 127.0.0.1:5000:5000 -e CORE_HOST=http://$Server_IP:8080 -e BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN --restart=always jumpserver/jms_koko:1.5.5
[root@wulaoer_server01 jumpserver]# docker run --name jms_guacamole -d -p 127.0.0.1:8081:8080 -e JUMPSERVER_SERVER=http://$Server_IP:8080 -e BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN --restart=always jumpserver/jms_guacamole:1.5.5

安装web Terminal 前端 luna

[root@wulaoer_server01 jumpserver]# cd ..
[root@wulaoer_server01 opt]# wget https://github.com/jumpserver/luna/releases/download/1.5.5/luna.tar.gz
[root@wulaoer_server01 opt]# tar xf luna.tar.gz
[root@wulaoer_server01 opt]# chown  -R root:root luna

安装nginx 并配置整合各组件

[root@wulaoer_server01 opt]# rm -rf /etc/nginx/conf.d/default.conf 
[root@wulaoer_server01 opt]# vim /etc/nginx/conf.d/jumpserver.conf
server {
    listen 80;
    # server_name _;

    client_max_body_size 100m;  # 录像及文件上传大小限制

    location /luna/ {
        try_files $uri / /index.html;
        alias /opt/luna/;  # luna 路径, 如果修改安装目录, 此处需要修改
    }

    location /media/ {
        add_header Content-Encoding gzip;
        root /opt/jumpserver/data/;  # 录像位置, 如果修改安装目录, 此处需要修改
    }

    location /static/ {
        root /opt/jumpserver/data/;  # 静态资源, 如果修改安装目录, 此处需要修改
    }

    location /koko/ {
        proxy_pass       http://localhost:5000;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    location /guacamole/ {
        proxy_pass       http://localhost:8081/;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    location /ws/ {
        proxy_pass http://localhost:8070;
        proxy_http_version 1.1;
        proxy_buffering off;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    location / {
        proxy_pass http://localhost:8080;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }
}

运行nginx

[root@wulaoer_server01 opt]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[root@wulaoer_server01 opt]# systemctl start nginx

自此jumpserver服务安装完成,下面是配置的简单流程,先配置管理用户,管理用户可以理解为目标机器的用户,系统用户可以理解为通过jumpserver连接到目标机器的用户,也是jumpserver上的系统用户。下面就是增加资产

jumpserver单机已经设置完成,里面做了一部分设置包括用户和密码等信息

wulaoer_server02配置

和上面的wulaoer_server01配置一样,这里就不解释了

[root@wulaoer_server02 ~]#  yum update -y
[root@wulaoer_server02 ~]# systemctl start firewalld
[root@wulaoer_server02 ~]# firewall-cmd --zone=public --add-port=80/tcp --permanent
success
[root@wulaoer_server02 ~]# firewall-cmd --zone=public --add-port=2222/tcp --permanent
success
[root@wulaoer_server02 ~]# firewall-cmd --reload 
success
[root@wulaoer_server02 ~]# setenforce 0
[root@wulaoer_server02 ~]# sed -i "s/SELINUX=enforcing/SELINUX=disabled/g" /etc/selinux/config
[root@wulaoer_server02 ~]# yum -y install wget gcc epel-release git
[root@wulaoer_server02 ~]# vi /etc/yum.repos.d/nginx.repo
[nginx]
name=nginx repo
baseurl=http://nginx.org/packages/centos/7/$basearch/
gpgcheck=0
enabled=1
[root@wulaoer_server02 ~]# yum -y install nginx
[root@wulaoer_server02 ~]#  systemctl enable nginx 
Created symlink from /etc/systemd/system/multi-user.target.wants/nginx.service to /usr/lib/systemd/system/nginx.service.
[root@wulaoer_server02 ~]#  yum -y install python36 python36-devel
[root@wulaoer_server02 opt]# python3.6 -m venv wulaoer
[root@wulaoer_server02 opt]# source /opt/wulaoer/bin/activate
(wulaoer) [root@wulaoer_server02 opt]# 
(wulaoer) [root@wulaoer_server02 opt]# deactivate 
[root@wulaoer_server02 opt]# git clone --depth=1 https://github.com/jumpserver/jumpserver.git
Cloning into 'jumpserver'...
remote: Enumerating objects: 1170, done.
remote: Counting objects: 100% (1170/1170), done.
remote: Compressing objects: 100% (1047/1047), done.
remote: Total 1170 (delta 194), reused 581 (delta 61), pack-reused 0
Receiving objects: 100% (1170/1170), 6.29 MiB | 14.00 KiB/s, done.
Resolving deltas: 100% (194/194), done.
[root@wulaoer_server02 opt]# yum -y install $(cat /opt/jumpserver/requirements/rpm_requirements.txt)
(wulaoer) [root@wulaoer_server02 ~]# pip install wheel
(wulaoer) [root@wulaoer_server02 ~]# pip install --upgrade pip setuptools
(wulaoer) [root@wulaoer_server02 ~]#  pip install -r /opt/jumpserver/requirements/requirements.txt
(wulaoer) [root@wulaoer_server02 jumpserver]# deactivate 
[root@wulaoer_server02 jumpserver]# cd

这里需要注意记录在wulaoer_server01上自动生成的SECRET_KEY和BOOTSTRAP_TOKEN要同步到wulaoer_server02上,主要修改三处,第一个是在bashrc文件的末尾追加,还有一个就是在jumpserver的配置文件中需要用到,最后就是创建koko和guacamole的时候需要用到。下面先追加到bashrc文件中,在wulaoer_server01中查看方法:

[root@wulaoer_serve01 ~]# cat ~/.bashrc 
# .bashrc

# User specific aliases and functions

alias rm='rm -i'
alias cp='cp -i'
alias mv='mv -i'

# Source global definitions
if [ -f /etc/bashrc ]; then
        . /etc/bashrc
fi
SECRET_KEY=sqnHCKmBdA26EEJemhTalFkJP2xM22JNGSXmro8RT0lxE9gvam   #这里增加的随机码和wulaoer_server01的一致
BOOTSTRAP_TOKEN=EgGz0NOYDfAXE18C

wulaoer_server02上也追加必须一样,注意!注意!注意!注意!注意!注意!注意!注意!

[root@wulaoer_server02 ~]# vi ~/.bashrc 
# .bashrc

# User specific aliases and functions

alias rm='rm -i'
alias cp='cp -i'
alias mv='mv -i'

# Source global definitions
if [ -f /etc/bashrc ]; then
        . /etc/bashrc
fi
SECRET_KEY=sqnHCKmBdA26EEJemhTalFkJP2xM22JNGSXmro8RT0lxE9gvam
BOOTSTRAP_TOKEN=EgGz0NOYDfAXE18C

因为wulaoer_server01的jumpserver的配置文件已经设置好了,所以我们可以直接复制一份同步到wulaoer_server02上,启动一下看看是否正常。

[root@wulaoer_serve01 ~]# scp /opt/jumpserver/config.yml root@10.211.55.130:/opt/jumpserver/
root@10.211.55.130's password: 
config.yml

在wulaoer_server02中启动一下jumpserver,查看一下启动状态。

[root@wulaoer_server02 jumpserver]# source /opt/wulaoer/bin/activate
(wulaoer) [root@wulaoer_server02 jumpserver]# ./jms start all

启动没有问题,下面继续

[root@wulaoer_server02 ~]# wget -O /usr/lib/systemd/system/jms.service https://demo.jumpserver.org/download/shell/centos/jms.service
[root@wulaoer_server02 ~]# chmod 755 /usr/lib/systemd/system/jms.service
[root@wulaoer_server02 ~]# systemctl enable jms
Created symlink from /etc/systemd/system/multi-user.target.wants/jms.service to /usr/lib/systemd/system/jms.service.
[root@wulaoer_server02 ~]# yum install -y yum-utils device-mapper-persistent-data lvm2
[root@wulaoer_server02 ~]#  yum-config-manager --add-repo http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
[root@wulaoer_server02 ~]# yum makecache fast
[root@wulaoer_server02 ~]# rpm --import https://mirrors.aliyun.com/docker-ce/linux/centos/gpg
[root@wulaoer_server02 ~]# yum -y install docker-ce
[root@wulaoer_server02 ~]# systemctl enable docker
[root@wulaoer_server02 ~]#  curl -sSL https://get.daocloud.io/daotools/set_mirror.sh | sh -s http://f1361db2.m.daocloud.io
[root@wulaoer_server02 ~]# systemctl restart docker
[root@wulaoer_server02 ~]#  Server_IP=`ip addr | grep 'state UP' -A2 | grep inet | egrep -v '(127.0.0.1|inet6|docker)' | awk '{print $2}' | tr -d "addr:" | head -n 1 | cut -d / -f1`
[root@wulaoer_server02 ~]# SECRET_KEY="sqnHCKmBdA26EEJemhTalFkJP2xM22JNGSXmro8RT0lxE9gvam" #这里的随机码要和wulaoer_server01的一致
[root@wulaoer_server02 ~]# BOOTSTRAP_TOKEN="EgGz0NOYDfAXE18C" #这里的随机码要和wulaoer_server01的一致
[root@wulaoer_server02 ~]# docker run --name jms_koko -d -p 2222:2222 -p 127.0.0.1:5000:5000 -e CORE_HOST=http://$Server_IP:8080 -e BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN --restart=always jumpserver/jms_koko:1.5.5
[root@wulaoer_server02 ~]# docker run --name jms_guacamole -d -p 127.0.0.1:8081:8080 -e JUMPSERVER_SERVER=http://$Server_IP:8080 -e BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN --restart=always jumpserver/jms_guacamole:1.5.5
[root@wulaoer_server02 ~]# cd /opt/
[root@wulaoer_server02 opt]#  wget https://github.com/jumpserver/luna/releases/download/1.5.5/luna.tar.gz
[root@wulaoer_server02 opt]#  tar xf luna.tar.gz
[root@wulaoer_server02 opt]# chown -R root:root luna
[root@wulaoer_server02 opt]# rm -rf /etc/nginx/conf.d/default.conf 
[root@wulaoer_server02 opt]# vi /etc/nginx/conf.d/jumpserver.conf
server {
    listen 80;
    # server_name _;

    client_max_body_size 100m;  # 录像及文件上传大小限制

    location /luna/ {
        try_files $uri / /index.html;
        alias /opt/luna/;  # luna 路径, 如果修改安装目录, 此处需要修改
    }

    location /media/ {
        add_header Content-Encoding gzip;
        root /opt/jumpserver/data/;  # 录像位置, 如果修改安装目录, 此处需要修改
    }

    location /static/ {
        root /opt/jumpserver/data/;  # 静态资源, 如果修改安装目录, 此处需要修改
    }

    location /koko/ {
        proxy_pass       http://localhost:5000;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    location /guacamole/ {
        proxy_pass       http://localhost:8081/;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    location /ws/ {
        proxy_pass http://localhost:8070;
        proxy_http_version 1.1;
        proxy_buffering off;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    location / {
        proxy_pass http://localhost:8080;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }
}
[root@wulaoer_server02 opt]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[root@wulaoer_server02 opt]# systemctl restart nginx
[root@wulaoer_server02 opt]# source /opt/wulaoer/bin/activate
(wulaoer) [root@wulaoer_server02 opt]# cd jumpserver/
(wulaoer) [root@wulaoer_server02 jumpserver]# ./jms start all

自此,高可用环境已经完成,这里出现一个问题就是在录屏两个节点直接数据没有同步,为了解决录屏同步问题,需要把录屏数据进行共享,我们使用NFS服务,做一个共享,分别挂载到两个录屏存储路径上,这样两个服务的录屏数据也就能够实现共享。下面搭建NFS服务,然后分别挂载到wulaoer_server01和wulaoer_server02上,然后修改nginx的存储路径,也可以直接挂载到nginx配置的存储路径上,下面先看NFS搭建。我在wulaoer_mysql上搭建NFS服务。

NFS搭建

在wulaoer_mysql上安装NFS服务端,做一个共享目录,让wulaoer_server01和wulaoer_server02能够把录屏文件写到共享目录中,可以同步查询。

[root@wulaoer_mysql ~]#  rpm -qa | egrep "nfs|rpcbind"
[root@wulaoer_mysql ~]# yum search nfs-utils  rpcbind
[root@wulaoer_mysql ~]# yum install -y nfs-utils  rpcbind
[root@wulaoer_mysql ~]# systemctl status rpcbind
[root@wulaoer_mysql ~]# yum install -y net-tools lsof
[root@wulaoer_mysql ~]# systemctl start rpcbind
[root@wulaoer_mysql ~]# systemctl enable rpcbind

配置共享文件目录

[root@wulaoer_mysql ~]# mkdir /opt/move
[root@wulaoer_mysql ~]# vi /etc/exports
/opt/move/      10.211.55.0/24(rw,sync,no_root_squash)
[root@wulaoer_mysql ~]# systemctl reload nfs

在两个客户端wulaoer_server01和wulaoer_server02上创建共享目录,并挂载。录像文件根据nginx的配置有存储路径,

[root@wulaoer_serve01 ~]# ll /opt/jumpserver/data/media/

把NFS挂载到这个目录即可。

[root@wulaoer_serve01 ~]# yum -y install showmount
[root@wulaoer_serve01 ~]# showmount 10.211.55.129      #查看共享的客户端地址
Hosts on 10.211.55.129:
[root@wulaoer_serve01 media]# mount -t nfs 10.211.55.129:/opt/move /opt/jumpserver/data/media
[root@wulaoer_serve02 media]# mount -t nfs 10.211.55.129:/opt/move /opt/jumpserver/data/media

可以写到fstab文件中开机自动挂载

[root@wulaoer_server01 ~]# vi /etc/fstab 

#
# /etc/fstab
# Created by anaconda on Thu Dec  5 02:35:59 2019
#
# Accessible filesystems, by reference, are maintained under '/dev/disk'
# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info
#
/dev/mapper/centos-root /                       xfs     defaults        0 0
UUID=6fb6245f-4f95-4da6-b3c8-24a7a1a09df7 /boot                   xfs     defaults        0 0
/dev/mapper/centos-swap swap                    swap    defaults        0 0
10.211.55.129:/opt/move /opt/jumpserver/data/media nfs  defaults        _rnetdev        0 0     
[root@wulaoer_server02 ~]# vi /etc/fstab 

#
# /etc/fstab
# Created by anaconda on Thu Dec  5 02:35:59 2019
#
# Accessible filesystems, by reference, are maintained under '/dev/disk'
# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info
#
/dev/mapper/centos-root /                       xfs     defaults        0 0
UUID=6fb6245f-4f95-4da6-b3c8-24a7a1a09df7 /boot                   xfs     defaults        0 0
/dev/mapper/centos-swap swap                    swap    defaults        0 0
10.211.55.129:/opt/move /opt/jumpserver/data/media nfs  defaults        _rnetdev        0 0

保存,整个环境搭建完成,下面就是测试,使用两个不同的jumpserver远程操作同一台机器,看看是否有录屏存在,下面是录屏截图。

下面是对比两个jumpserver的录屏

至此,JumpServer高可用搭建完成,这里最主要一点就是数据的共享包括redis,mysql,录屏。

avatar

发表评论

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: