What JumpServer does needs no introduction here. When the machines under management are numerous and spread across regions, a high-availability (HA) deployment is called for. The first step is to connect the networks of the different regions. If the regions host unrelated projects there is no need to connect all of them; it is enough that each region can reach the company network, so a highly available JumpServer deployed at the company can manage the machines in every region. If the company itself is spread out, connect the regional networks and deploy on the network segment the regions share. The benefits of high availability are easier management and being able to collect configuration information from every region in the shortest time. Below is a local test of building the HA environment and its results.
Deployment environment
| Hostname | IP | Services |
|---|---|---|
| wulaoer_server01 | 10.211.55.128 | jumpserver1 |
| wulaoer_server02 | 10.211.55.130 | jumpserver2 |
| wulaoer_mysql | 10.211.55.129 | mysql, redis, nfs |
The JumpServer frontend and backend are deployed on the two servers; MySQL holds the data, Redis the cache, and the session recordings are shared as well. The data of both nodes is kept in sync, so whichever server fails, the other still has complete data and users and administrators are not affected.
Note: before starting, back up the recording files, MySQL, Redis, SECRET_KEY and BOOTSTRAP_TOKEN.
wulaoer_server01 configuration
Configure server01 first. You can also start from an already installed single JumpServer, as long as its storage is on MySQL.
```
[root@wulaoer_server01 ~]# yum update -y
# firewall and SELinux configuration
[root@wulaoer_server01 ~]# systemctl start firewalld   # start the firewall
[root@wulaoer_server01 ~]# firewall-cmd --zone=public --add-port=80/tcp --permanent   # nginx port
success
[root@wulaoer_server01 ~]# firewall-cmd --zone=public --add-port=2222/tcp --permanent   # koko port for user ssh logins
success
[root@wulaoer_server01 ~]# firewall-cmd --reload   # reload the rules
success
[root@wulaoer_server01 ~]# setenforce 0
[root@wulaoer_server01 ~]# sed -i "s/SELINUX=enforcing/SELINUX=disabled/g" /etc/selinux/config   # disable SELinux
```
Install dependencies
```
[root@wulaoer_server01 ~]# yum -y install wget gcc epel-release git
```
Install nginx as the reverse proxy that ties the JumpServer components together. The repo file below sets gpgcheck=0, which skips package signature verification; nginx.org publishes a signing key (https://nginx.org/keys/nginx_signing.key), so pointing gpgkey at it and setting gpgcheck=1 is the safer choice.
```
[root@wulaoer_server01 ~]# cat /etc/yum.repos.d/nginx.repo
[nginx]
name=nginx repo
baseurl=http://nginx.org/packages/centos/7/$basearch/
gpgcheck=0
enabled=1
[root@wulaoer_server01 ~]# yum -y install nginx
[root@wulaoer_server01 ~]# systemctl enable nginx
```
Install Python 3.6
```
[root@wulaoer_server01 ~]# yum -y install python36 python36-devel
# create and enter the Python 3 virtual environment
[root@wulaoer_server01 ~]# cd /opt/
[root@wulaoer_server01 opt]# python3.6 -m venv wulaoer_py3   # wulaoer_py3 is the name of the virtual environment; choose your own
[root@wulaoer_server01 opt]# source /opt/wulaoer_py3/bin/activate   # activate enters the virtual environment, deactivate leaves it
(wulaoer_py3) [root@wulaoer_server01 opt]#   # the (wulaoer_py3) prompt prefix shows the virtual environment is active
(wulaoer_py3) [root@wulaoer_server01 opt]# deactivate
[root@wulaoer_server01 opt]#
```
Download JumpServer
```
[root@wulaoer_server01 opt]# yum -y install git   # install it if missing
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirror.bit.edu.cn
 * epel: ftp.jaist.ac.jp
 * extras: mirrors.tuna.tsinghua.edu.cn
 * updates: mirror.bit.edu.cn
Package git-1.8.3.1-20.el7.x86_64 already installed and latest version
Nothing to do
[root@wulaoer_server01 opt]# git clone --depth=1 https://github.com/jumpserver/jumpserver.git
# install JumpServer's RPM dependencies
[root@wulaoer_server01 opt]# yum -y install $(cat /opt/jumpserver/requirements/rpm_requirements.txt)
# install the Python library dependencies
[root@wulaoer_server01 opt]# source /opt/wulaoer_py3/bin/activate
(wulaoer_py3) [root@wulaoer_server01 opt]# pip install wheel
(wulaoer_py3) [root@wulaoer_server01 opt]# pip install --upgrade pip setuptools
(wulaoer_py3) [root@wulaoer_server01 ~]# pip install -r /opt/jumpserver/requirements/requirements.txt
```
Note that the pip shipped in the virtual environment is too old and has to be upgraded first. Because of the network, the upgrade kept timing out; the timeout error looks like this:
```
(wulaoer_py3) [root@wulaoer_server01 ~]# pip install --upgrade pip
Collecting pip
  Downloading https://files.pythonhosted.org/packages/00/b6/9cfa56b4081ad13874b0c6f96af8ce16cfbc1cb06bedf8e9164ce5551ec1/pip-19.3.1-py2.py3-none-any.whl (1.4MB)
    4% |█▍ | 61kB 3.3kB/s eta 0:06:50Exception:
Traceback (most recent call last):
  File "/opt/wulaoer_py3/lib64/python3.6/site-packages/pip/_vendor/urllib3/response.py", line 302, in _error_catcher
    yield
  File "/opt/wulaoer_py3/lib64/python3.6/site-packages/pip/_vendor/urllib3/response.py", line 384, in read
    data = self._fp.read(amt)
  File "/opt/wulaoer_py3/lib64/python3.6/site-packages/pip/_vendor/cachecontrol/filewrapper.py", line 60, in read
    data = self.__fp.read(amt)
  File "/usr/lib64/python3.6/http/client.py", line 459, in read
    n = self.readinto(b)
  File "/usr/lib64/python3.6/http/client.py", line 503, in readinto
    n = self.fp.readinto(b)
  File "/usr/lib64/python3.6/socket.py", line 586, in readinto
    return self._sock.recv_into(b)
  File "/usr/lib64/python3.6/ssl.py", line 968, in recv_into
    return self.read(nbytes, buffer)
  File "/usr/lib64/python3.6/ssl.py", line 830, in read
    return self._sslobj.read(len, buffer)
  File "/usr/lib64/python3.6/ssl.py", line 587, in read
    v = self._sslobj.read(len, buffer)
socket.timeout: The read operation timed out

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/opt/wulaoer_py3/lib64/python3.6/site-packages/pip/basecommand.py", line 215, in main
    status = self.run(options, args)
  File "/opt/wulaoer_py3/lib64/python3.6/site-packages/pip/commands/install.py", line 357, in run
    wb.build(autobuilding=True)
  File "/opt/wulaoer_py3/lib64/python3.6/site-packages/pip/wheel.py", line 753, in build
    self.requirement_set.prepare_files(self.finder)
  File "/opt/wulaoer_py3/lib64/python3.6/site-packages/pip/req/req_set.py", line 381, in prepare_files
    ignore_dependencies=self.ignore_dependencies))
  File "/opt/wulaoer_py3/lib64/python3.6/site-packages/pip/req/req_set.py", line 623, in _prepare_file
    session=self.session, hashes=hashes)
  File "/opt/wulaoer_py3/lib64/python3.6/site-packages/pip/download.py", line 821, in unpack_url
    hashes=hashes
  File "/opt/wulaoer_py3/lib64/python3.6/site-packages/pip/download.py", line 659, in unpack_http_url
    hashes)
  File "/opt/wulaoer_py3/lib64/python3.6/site-packages/pip/download.py", line 882, in _download_http_url
    _download_url(resp, link, content_file, hashes)
  File "/opt/wulaoer_py3/lib64/python3.6/site-packages/pip/download.py", line 603, in _download_url
    hashes.check_against_chunks(downloaded_chunks)
  File "/opt/wulaoer_py3/lib64/python3.6/site-packages/pip/utils/hashes.py", line 46, in check_against_chunks
    for chunk in chunks:
  File "/opt/wulaoer_py3/lib64/python3.6/site-packages/pip/download.py", line 571, in written_chunks
    for chunk in chunks:
  File "/opt/wulaoer_py3/lib64/python3.6/site-packages/pip/utils/ui.py", line 139, in iter
    for x in it:
  File "/opt/wulaoer_py3/lib64/python3.6/site-packages/pip/download.py", line 560, in resp_read
    decode_content=False):
  File "/opt/wulaoer_py3/lib64/python3.6/site-packages/pip/_vendor/urllib3/response.py", line 436, in stream
    data = self.read(amt=amt, decode_content=decode_content)
  File "/opt/wulaoer_py3/lib64/python3.6/site-packages/pip/_vendor/urllib3/response.py", line 401, in read
    raise IncompleteRead(self._fp_bytes_read, self.length_remaining)
  File "/usr/lib64/python3.6/contextlib.py", line 99, in __exit__
    self.gen.throw(type, value, traceback)
  File "/opt/wulaoer_py3/lib64/python3.6/site-packages/pip/_vendor/urllib3/response.py", line 307, in _error_catcher
    raise ReadTimeoutError(self._pool, None, 'Read timed out.')
pip._vendor.urllib3.exceptions.ReadTimeoutError: HTTPSConnectionPool(host='files.pythonhosted.org', port=443): Read timed out.
You are using pip version 9.0.3, however version 19.3.1 is available.
You should consider upgrading via the 'pip install --upgrade pip' command.
```
The fix is simply to pass a longer timeout on the command line:
```
(wulaoer_py3) [root@wulaoer_server01 ~]# pip install --default-timeout=1000 --upgrade pip
Collecting pip
  Downloading https://files.pythonhosted.org/packages/00/b6/9cfa56b4081ad13874b0c6f96af8ce16cfbc1cb06bedf8e9164ce5551ec1/pip-19.3.1-py2.py3-none-any.whl (1.4MB)
    100% |████████████████████████████████| 1.4MB 14kB/s
Installing collected packages: pip
  Found existing installation: pip 9.0.3
    Uninstalling pip-9.0.3:
      Successfully uninstalled pip-9.0.3
Successfully installed pip-19.3.1
```
With the timeout out of the way, continue with the steps above.
```
(wulaoer_py3) [root@wulaoer_server01 ~]# pip install wheel
Requirement already satisfied: wheel in /opt/wulaoer_py3/lib/python3.6/site-packages (0.33.6)
(wulaoer_py3) [root@wulaoer_server01 ~]# pip install --upgrade pip setuptools
Requirement already up-to-date: pip in /opt/wulaoer_py3/lib/python3.6/site-packages (19.3.1)
Requirement already up-to-date: setuptools in /opt/wulaoer_py3/lib/python3.6/site-packages (39.2.0)
(wulaoer_py3) [root@wulaoer_server01 ~]# pip install -r /opt/jumpserver/requirements/requirements.txt
```
Edit the JumpServer configuration file
```
[root@wulaoer_server01 ~]# cd /opt/jumpserver/
[root@wulaoer_server01 jumpserver]# cp config_example.yml config.yml
[root@wulaoer_server01 jumpserver]# SECRET_KEY=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 50`   # generate a random SECRET_KEY
[root@wulaoer_server01 jumpserver]# echo "SECRET_KEY=$SECRET_KEY" >> ~/.bashrc
[root@wulaoer_server01 jumpserver]# BOOTSTRAP_TOKEN=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 16`   # generate a random BOOTSTRAP_TOKEN
[root@wulaoer_server01 jumpserver]# echo "BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN" >> ~/.bashrc
[root@wulaoer_server01 jumpserver]# sed -i "s/SECRET_KEY:/SECRET_KEY: $SECRET_KEY/g" /opt/jumpserver/config.yml
[root@wulaoer_server01 jumpserver]# sed -i "s/BOOTSTRAP_TOKEN:/BOOTSTRAP_TOKEN: $BOOTSTRAP_TOKEN/g" /opt/jumpserver/config.yml
[root@wulaoer_server01 jumpserver]# sed -i "s/# DEBUG: true/DEBUG: false/g" /opt/jumpserver/config.yml
[root@wulaoer_server01 jumpserver]# sed -i "s/# LOG_LEVEL: DEBUG/LOG_LEVEL: ERROR/g" /opt/jumpserver/config.yml
[root@wulaoer_server01 jumpserver]# sed -i "s/# SESSION_EXPIRE_AT_BROWSER_CLOSE: false/SESSION_EXPIRE_AT_BROWSER_CLOSE: true/g" /opt/jumpserver/config.yml
[root@wulaoer_server01 jumpserver]# DB_PASSWORD='dd0e68?!'   # must be set before the next sed, otherwise an empty password is written; this is the password granted to the jumpserver MySQL user below
[root@wulaoer_server01 jumpserver]# sed -i "s/DB_PASSWORD: /DB_PASSWORD: $DB_PASSWORD/g" /opt/jumpserver/config.yml
# DB_HOST, DB_USER, DB_NAME and REDIS_HOST in config.yml also have to point at the wulaoer_mysql host (10.211.55.129), since both nodes share that MySQL and Redis
[root@wulaoer_server01 jumpserver]# echo -e "\033[31m 你的SECRET_KEY是 $SECRET_KEY \033[0m"
你的SECRET_KEY是 wNW7d1XvwzjhMNh7VvVQGqNoRNBSrZwQq5PQTQg3X0F3fmR3hA
[root@wulaoer_server01 jumpserver]# echo -e "\033[31m 你的BOOTSTRAP_TOKEN是 $BOOTSTRAP_TOKEN \033[0m"
你的BOOTSTRAP_TOKEN是 mWQb5DXJhKTmfqQq
```
Configure the storage services
Install Redis, which stores the cache and acts as the Celery broker
```
[root@wulaoer_mysql ~]# yum -y install redis
[root@wulaoer_mysql ~]# systemctl enable redis
[root@wulaoer_mysql ~]# systemctl start redis
```
Allow remote connections to Redis. Binding to 0.0.0.0 makes Redis reachable from any host, and the firewall on this host is stopped below, so either bind only to the address the two servers use or set requirepass in redis.conf (and the matching REDIS_PASSWORD in config.yml).
```
[root@wulaoer_mysql ~]# vim /etc/redis.conf
.............................................
bind 127.0.0.1      # change to:  bind 0.0.0.0
.............................................
[root@wulaoer_mysql ~]# systemctl restart redis
```
To install MySQL see: https://www.wulaoer.org/?p=220 . After installing it, grant remote access so JumpServer can reach the database. The grant below is on *.*, which gives the jumpserver account rights over every database on the server; granting on jumpserver.* only is enough for JumpServer and is the least-privilege option.
```
[root@wulaoer_mysql ~]# mysql -uroot -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 2
Server version: 5.6.44-log Source distribution

Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
+--------------------+
3 rows in set (0.39 sec)

mysql> create database jumpserver;
Query OK, 1 row affected (0.00 sec)

mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| jumpserver         |
| mysql              |
| performance_schema |
+--------------------+
4 rows in set (0.01 sec)

mysql> use jumpserver;
Database changed
mysql> grant all privileges on *.* to jumpserver@'%' identified by 'dd0e68?!';
Query OK, 0 rows affected (0.00 sec)

mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)

mysql> select user,host from mysql.user;
+------------+-----------+
| user       | host      |
+------------+-----------+
| jumpserver | %         |
| root       | 127.0.0.1 |
| root       | ::1       |
| root       | localhost |
+------------+-----------+
4 rows in set (0.00 sec)
```
Turn off the firewall so that access is not restricted
```
[root@wulaoer_mysql ~]# vi /etc/selinux/config

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
```
Disable SELinux, reboot, and then stop the firewall.
```
[root@wulaoer_mysql ~]# systemctl status firewalld.service
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
   Active: active (running) since Fri 2019-12-06 22:36:54 CST; 10s ago
     Docs: man:firewalld(1)
 Main PID: 2597 (firewalld)
   CGroup: /system.slice/firewalld.service
           └─2597 /usr/bin/python2 -Es /usr/sbin/firewalld --nofork --nopid

Dec 06 22:36:53 wulaoer_mysql systemd[1]: Starting firewalld - dynamic firewall daemon...
Dec 06 22:36:54 wulaoer_mysql systemd[1]: Started firewalld - dynamic firewall daemon.
[root@wulaoer_mysql ~]# systemctl stop firewalld.service
[root@wulaoer_mysql ~]# systemctl status firewalld.service
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
   Active: inactive (dead)
     Docs: man:firewalld(1)

Dec 06 22:36:53 wulaoer_mysql systemd[1]: Starting firewalld - dynamic firewall daemon...
Dec 06 22:36:54 wulaoer_mysql systemd[1]: Started firewalld - dynamic firewall daemon.
Dec 06 22:37:10 wulaoer_mysql systemd[1]: Stopping firewalld - dynamic firewall daemon...
Dec 06 22:37:11 wulaoer_mysql systemd[1]: Stopped firewalld - dynamic firewall daemon.
```
Since MySQL is used for storage, a MySQL driver module is needed in the virtual environment to connect to the database.
```
[root@wulaoer_server01 ~]# source /opt/wulaoer_py3/bin/activate
(wulaoer_py3) [root@wulaoer_server01 ~]# cd /opt/jumpserver/
(wulaoer_py3) [root@wulaoer_server01 jumpserver]# pip install --default-timeout=1000 mysqlclient   # MySQL-python only supports Python 2; mysqlclient is the Python 3 driver for MySQLdb
(wulaoer_py3) [root@wulaoer_server01 jumpserver]# ./jms start -d
```
You can also install the jms systemd unit so the service starts automatically at boot.
```
(wulaoer_py3) [root@wulaoer_server01 jumpserver]# wget -O /usr/lib/systemd/system/jms.service https://demo.jumpserver.org/download/shell/centos/jms.service
(wulaoer_py3) [root@wulaoer_server01 jumpserver]# chmod 755 /usr/lib/systemd/system/jms.service
(wulaoer_py3) [root@wulaoer_server01 jumpserver]# systemctl enable jms
Created symlink from /etc/systemd/system/multi-user.target.wants/jms.service to /usr/lib/systemd/system/jms.service.
(wulaoer_py3) [root@wulaoer_server01 jumpserver]# ./jms start -d
```
Deploy koko and guacamole with Docker
```
[root@wulaoer_server01 jumpserver]# yum install -y yum-utils device-mapper-persistent-data lvm2
[root@wulaoer_server01 jumpserver]# yum-config-manager --add-repo http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
[root@wulaoer_server01 jumpserver]# yum makecache fast
[root@wulaoer_server01 jumpserver]# rpm --import https://mirrors.aliyun.com/docker-ce/linux/centos/gpg
[root@wulaoer_server01 jumpserver]# yum -y install docker-ce
[root@wulaoer_server01 jumpserver]# systemctl enable docker
[root@wulaoer_server01 jumpserver]# curl -sSL https://get.daocloud.io/daotools/set_mirror.sh | sh -s http://f1361db2.m.daocloud.io   # configure a registry mirror
[root@wulaoer_server01 jumpserver]# systemctl restart docker
[root@wulaoer_server01 jumpserver]# Server_IP=`ip addr | grep 'state UP' -A2 | grep inet | egrep -v '(127.0.0.1|inet6|docker)' | awk '{print $2}' | tr -d "addr:" | head -n 1 | cut -d / -f1`
[root@wulaoer_server01 jumpserver]# echo -e "\033[31m 你的服务器IP是 $Server_IP \033[0m"
你的服务器IP是 10.211.55.128
[root@wulaoer_server01 jumpserver]# docker run --name jms_koko -d -p 2222:2222 -p 127.0.0.1:5000:5000 -e CORE_HOST=http://$Server_IP:8080 -e BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN --restart=always jumpserver/jms_koko:1.5.5
[root@wulaoer_server01 jumpserver]# docker run --name jms_guacamole -d -p 127.0.0.1:8081:8080 -e JUMPSERVER_SERVER=http://$Server_IP:8080 -e BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN --restart=always jumpserver/jms_guacamole:1.5.5
```
Install the Luna web terminal frontend
```
[root@wulaoer_server01 jumpserver]# cd ..
[root@wulaoer_server01 opt]# wget https://github.com/jumpserver/luna/releases/download/1.5.5/luna.tar.gz
[root@wulaoer_server01 opt]# tar xf luna.tar.gz
[root@wulaoer_server01 opt]# chown -R root:root luna
```
Configure nginx to integrate the components
```
[root@wulaoer_server01 opt]# rm -rf /etc/nginx/conf.d/default.conf
[root@wulaoer_server01 opt]# vim /etc/nginx/conf.d/jumpserver.conf

server {
    listen 80;
    # server_name _;
    client_max_body_size 100m;  # size limit for recordings and file uploads

    location /luna/ {
        try_files $uri / /index.html;
        alias /opt/luna/;  # luna path; change this if the install directory is changed
    }

    location /media/ {
        add_header Content-Encoding gzip;
        root /opt/jumpserver/data/;  # recordings location; change this if the install directory is changed
    }

    location /static/ {
        root /opt/jumpserver/data/;  # static assets; change this if the install directory is changed
    }

    location /koko/ {
        proxy_pass       http://localhost:5000;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    location /guacamole/ {
        proxy_pass       http://localhost:8081/;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    location /ws/ {
        proxy_pass http://localhost:8070;
        proxy_http_version 1.1;
        proxy_buffering off;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    location / {
        proxy_pass http://localhost:8080;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }
}
```
Start nginx
```
[root@wulaoer_server01 opt]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[root@wulaoer_server01 opt]# systemctl start nginx
```
At this point the JumpServer service is installed. The basic configuration flow is: first create admin users. An admin user can be understood as an account on the target machine; a system user is the account through which JumpServer connects to the target machine, and is also the system user on JumpServer. Next, add assets.
The single JumpServer node is now set up, with part of the configuration already done, including users and passwords.
wulaoer_server02 configuration
Identical to the wulaoer_server01 configuration above, so it is not explained again here.
```
[root@wulaoer_server02 ~]# yum update -y
[root@wulaoer_server02 ~]# systemctl start firewalld
[root@wulaoer_server02 ~]# firewall-cmd --zone=public --add-port=80/tcp --permanent
success
[root@wulaoer_server02 ~]# firewall-cmd --zone=public --add-port=2222/tcp --permanent
success
[root@wulaoer_server02 ~]# firewall-cmd --reload
success
[root@wulaoer_server02 ~]# setenforce 0
[root@wulaoer_server02 ~]# sed -i "s/SELINUX=enforcing/SELINUX=disabled/g" /etc/selinux/config
[root@wulaoer_server02 ~]# yum -y install wget gcc epel-release git
[root@wulaoer_server02 ~]# vi /etc/yum.repos.d/nginx.repo
[nginx]
name=nginx repo
baseurl=http://nginx.org/packages/centos/7/$basearch/
gpgcheck=0
enabled=1
[root@wulaoer_server02 ~]# yum -y install nginx
[root@wulaoer_server02 ~]# systemctl enable nginx
Created symlink from /etc/systemd/system/multi-user.target.wants/nginx.service to /usr/lib/systemd/system/nginx.service.
[root@wulaoer_server02 ~]# yum -y install python36 python36-devel
[root@wulaoer_server02 ~]# cd /opt/
[root@wulaoer_server02 opt]# python3.6 -m venv wulaoer
[root@wulaoer_server02 opt]# source /opt/wulaoer/bin/activate
(wulaoer) [root@wulaoer_server02 opt]#
(wulaoer) [root@wulaoer_server02 opt]# deactivate
[root@wulaoer_server02 opt]# git clone --depth=1 https://github.com/jumpserver/jumpserver.git
Cloning into 'jumpserver'...
remote: Enumerating objects: 1170, done.
remote: Counting objects: 100% (1170/1170), done.
remote: Compressing objects: 100% (1047/1047), done.
remote: Total 1170 (delta 194), reused 581 (delta 61), pack-reused 0
Receiving objects: 100% (1170/1170), 6.29 MiB | 14.00 KiB/s, done.
Resolving deltas: 100% (194/194), done.
[root@wulaoer_server02 opt]# yum -y install $(cat /opt/jumpserver/requirements/rpm_requirements.txt)
[root@wulaoer_server02 opt]# source /opt/wulaoer/bin/activate
(wulaoer) [root@wulaoer_server02 ~]# pip install wheel
(wulaoer) [root@wulaoer_server02 ~]# pip install --upgrade pip setuptools
(wulaoer) [root@wulaoer_server02 ~]# pip install -r /opt/jumpserver/requirements/requirements.txt
(wulaoer) [root@wulaoer_server02 jumpserver]# deactivate
[root@wulaoer_server02 jumpserver]# cd
```
Note that the SECRET_KEY and BOOTSTRAP_TOKEN generated automatically on wulaoer_server01 must be carried over to wulaoer_server02. They are used in three places: appended at the end of .bashrc, in the JumpServer configuration file, and when the koko and guacamole containers are created. First append them to .bashrc; this is how to look them up on wulaoer_server01:
```
[root@wulaoer_server01 ~]# cat ~/.bashrc
# .bashrc

# User specific aliases and functions

alias rm='rm -i'
alias cp='cp -i'
alias mv='mv -i'

# Source global definitions
if [ -f /etc/bashrc ]; then
        . /etc/bashrc
fi
SECRET_KEY=sqnHCKmBdA26EEJemhTalFkJP2xM22JNGSXmro8RT0lxE9gvam   # the random values added here must be identical on wulaoer_server01 and wulaoer_server02
BOOTSTRAP_TOKEN=EgGz0NOYDfAXE18C
```
Append exactly the same values on wulaoer_server02. Attention! Attention! Attention!
```
[root@wulaoer_server02 ~]# vi ~/.bashrc
# .bashrc

# User specific aliases and functions

alias rm='rm -i'
alias cp='cp -i'
alias mv='mv -i'

# Source global definitions
if [ -f /etc/bashrc ]; then
        . /etc/bashrc
fi
SECRET_KEY=sqnHCKmBdA26EEJemhTalFkJP2xM22JNGSXmro8RT0lxE9gvam
BOOTSTRAP_TOKEN=EgGz0NOYDfAXE18C
```
Because the JumpServer configuration file on wulaoer_server01 is already set up, we can simply copy it over to wulaoer_server02 and start the service to see whether it comes up normally.
```
[root@wulaoer_server01 ~]# scp /opt/jumpserver/config.yml root@10.211.55.130:/opt/jumpserver/
root@10.211.55.130's password:
config.yml
```
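As an added example (not code from the original post), here is a small shell script that checks the copies just made stay consistent: it reads SECRET_KEY and BOOTSTRAP_TOKEN from each node's config.yml and ~/.bashrc and fails if any copy is missing, truncated or different. The file contents it writes are constructed samples; on the real hosts point `check_ha_secrets` at the actual four files (for instance after scp'ing server02's copies next to server01's).

```shell
#!/bin/sh
# Added example, not part of the original post: verify that SECRET_KEY and
# BOOTSTRAP_TOKEN are identical everywhere the two-node setup needs them
# (each node's /opt/jumpserver/config.yml and ~/.bashrc; the koko and
# guacamole containers get BOOTSTRAP_TOKEN from the shell at "docker run").
# Every file written below is a constructed sample, not a real secret.

# get_value FILE KEY: print the value of KEY, accepting both the "KEY: value"
# form of config.yml and the "KEY=value" form of ~/.bashrc; commented-out
# lines ("# SECRET_KEY:") are skipped, quotes and trailing blanks stripped.
get_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*[:=][[:space:]]*\(.*\)$/\1/p" "$1" |
        head -n 1 | tr -d "\"'" | sed 's/[[:space:]]*$//'
}

# check_key KEY MINLEN FILE...: succeed only if KEY is present in every FILE,
# at least MINLEN characters long, and identical everywhere. The post
# generates SECRET_KEY with 50 and BOOTSTRAP_TOKEN with 16 random characters,
# so a shorter value almost always means a truncated copy-and-paste.
check_key() {
    key=$1; minlen=$2; shift 2
    ref=""; status=0
    for f in "$@"; do
        v=$(get_value "$f" "$key")
        if [ -z "$v" ]; then
            echo "MISSING   $key in $f"; status=1; continue
        fi
        if [ "${#v}" -lt "$minlen" ]; then
            echo "TOO SHORT $key in $f (${#v} < $minlen)"; status=1
        fi
        if [ -z "$ref" ]; then
            ref=$v
        elif [ "$v" != "$ref" ]; then
            echo "MISMATCH  $key in $f"; status=1
        fi
    done
    return $status
}

# check_ha_secrets FILE...: run both checks over all copies (node 1 and 2).
check_ha_secrets() {
    rc=0
    check_key SECRET_KEY 50 "$@" || rc=1
    check_key BOOTSTRAP_TOKEN 16 "$@" || rc=1
    return $rc
}

# write_samples DIR SECRET TOKEN2: write constructed copies of the four files.
# Node 1 always holds the token "aaaabbbbccccdddd"; TOKEN2 is what node 2
# ends up with, so a caller can simulate a mistyped copy.
write_samples() {
    dir=$1; secret=$2; token2=$3
    mkdir -p "$dir"
    printf 'SECRET_KEY: %s\nBOOTSTRAP_TOKEN: aaaabbbbccccdddd\nDEBUG: false\n# LOG_LEVEL: DEBUG\n' \
        "$secret" >"$dir/node1.config.yml"
    printf "alias rm='rm -i'\nSECRET_KEY=%s\nBOOTSTRAP_TOKEN=aaaabbbbccccdddd\n" \
        "$secret" >"$dir/node1.bashrc"
    printf 'SECRET_KEY: %s\nBOOTSTRAP_TOKEN: %s\n' \
        "$secret" "$token2" >"$dir/node2.config.yml"
    printf 'SECRET_KEY="%s"\nBOOTSTRAP_TOKEN="%s"\n' \
        "$secret" "$token2" >"$dir/node2.bashrc"
}

# demo: a consistent pair passes; a node 2 whose token lost a character fails.
demo() {
    d=$(mktemp -d)
    s=$(printf '%050d' 0 | tr 0 X)   # constructed 50-character placeholder secret
    write_samples "$d/good" "$s" aaaabbbbccccdddd
    write_samples "$d/bad" "$s" aaaabbbbccccddd
    check_ha_secrets "$d"/good/node1.config.yml "$d"/good/node1.bashrc \
        "$d"/good/node2.config.yml "$d"/good/node2.bashrc && echo "good: consistent"
    check_ha_secrets "$d"/bad/node1.config.yml "$d"/bad/node1.bashrc \
        "$d"/bad/node2.config.yml "$d"/bad/node2.bashrc || echo "bad: rejected"
    rm -rf "$d"
}
demo
```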
Start JumpServer on wulaoer_server02 and check its startup status.
```
[root@wulaoer_server02 jumpserver]# source /opt/wulaoer/bin/activate
(wulaoer) [root@wulaoer_server02 jumpserver]# ./jms start all
```
It starts without problems; continue with the remaining steps.
```
[root@wulaoer_server02 ~]# wget -O /usr/lib/systemd/system/jms.service https://demo.jumpserver.org/download/shell/centos/jms.service
[root@wulaoer_server02 ~]# chmod 755 /usr/lib/systemd/system/jms.service
[root@wulaoer_server02 ~]# systemctl enable jms
Created symlink from /etc/systemd/system/multi-user.target.wants/jms.service to /usr/lib/systemd/system/jms.service.
[root@wulaoer_server02 ~]# yum install -y yum-utils device-mapper-persistent-data lvm2
[root@wulaoer_server02 ~]# yum-config-manager --add-repo http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
[root@wulaoer_server02 ~]# yum makecache fast
[root@wulaoer_server02 ~]# rpm --import https://mirrors.aliyun.com/docker-ce/linux/centos/gpg
[root@wulaoer_server02 ~]# yum -y install docker-ce
[root@wulaoer_server02 ~]# systemctl enable docker
[root@wulaoer_server02 ~]# curl -sSL https://get.daocloud.io/daotools/set_mirror.sh | sh -s http://f1361db2.m.daocloud.io
[root@wulaoer_server02 ~]# systemctl restart docker
[root@wulaoer_server02 ~]# Server_IP=`ip addr | grep 'state UP' -A2 | grep inet | egrep -v '(127.0.0.1|inet6|docker)' | awk '{print $2}' | tr -d "addr:" | head -n 1 | cut -d / -f1`
[root@wulaoer_server02 ~]# SECRET_KEY="sqnHCKmBdA26EEJemhTalFkJP2xM22JNGSXmro8RT0lxE9gvam"   # must be the same random value as on wulaoer_server01
[root@wulaoer_server02 ~]# BOOTSTRAP_TOKEN="EgGz0NOYDfAXE18C"   # must be the same random value as on wulaoer_server01
[root@wulaoer_server02 ~]# docker run --name jms_koko -d -p 2222:2222 -p 127.0.0.1:5000:5000 -e CORE_HOST=http://$Server_IP:8080 -e BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN --restart=always jumpserver/jms_koko:1.5.5
[root@wulaoer_server02 ~]# docker run --name jms_guacamole -d -p 127.0.0.1:8081:8080 -e JUMPSERVER_SERVER=http://$Server_IP:8080 -e BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN --restart=always jumpserver/jms_guacamole:1.5.5
[root@wulaoer_server02 ~]# cd /opt/
[root@wulaoer_server02 opt]# wget https://github.com/jumpserver/luna/releases/download/1.5.5/luna.tar.gz
[root@wulaoer_server02 opt]# tar xf luna.tar.gz
[root@wulaoer_server02 opt]# chown -R root:root luna
[root@wulaoer_server02 opt]# rm -rf /etc/nginx/conf.d/default.conf
[root@wulaoer_server02 opt]# vi /etc/nginx/conf.d/jumpserver.conf

server {
    listen 80;
    # server_name _;
    client_max_body_size 100m;  # size limit for recordings and file uploads

    location /luna/ {
        try_files $uri / /index.html;
        alias /opt/luna/;  # luna path; change this if the install directory is changed
    }

    location /media/ {
        add_header Content-Encoding gzip;
        root /opt/jumpserver/data/;  # recordings location; change this if the install directory is changed
    }

    location /static/ {
        root /opt/jumpserver/data/;  # static assets; change this if the install directory is changed
    }

    location /koko/ {
        proxy_pass       http://localhost:5000;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    location /guacamole/ {
        proxy_pass       http://localhost:8081/;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    location /ws/ {
        proxy_pass http://localhost:8070;
        proxy_http_version 1.1;
        proxy_buffering off;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    location / {
        proxy_pass http://localhost:8080;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }
}

[root@wulaoer_server02 opt]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[root@wulaoer_server02 opt]# systemctl restart nginx
[root@wulaoer_server02 opt]# source /opt/wulaoer/bin/activate
(wulaoer) [root@wulaoer_server02 opt]# cd jumpserver/
(wulaoer) [root@wulaoer_server02 jumpserver]# ./jms start all
```
With this the HA environment is in place. One problem remains: session recordings are not synchronised between the two nodes. To solve it the recording data has to be shared, so we use an NFS share mounted on the recording storage path of each node; that way the recordings of both services are shared. Below we set up the NFS server and mount it on wulaoer_server01 and wulaoer_server02, mounting directly on the storage path configured in nginx (the path in the nginx configuration could be changed instead). I set up the NFS server on wulaoer_mysql.
Setting up NFS
Install the NFS server on wulaoer_mysql and create a shared directory, so that wulaoer_server01 and wulaoer_server02 can write their recording files into it and both can read them.
```
[root@wulaoer_mysql ~]# rpm -qa | egrep "nfs|rpcbind"
[root@wulaoer_mysql ~]# yum search nfs-utils rpcbind
[root@wulaoer_mysql ~]# yum install -y nfs-utils rpcbind
[root@wulaoer_mysql ~]# systemctl status rpcbind
[root@wulaoer_mysql ~]# yum install -y net-tools lsof
[root@wulaoer_mysql ~]# systemctl start rpcbind
[root@wulaoer_mysql ~]# systemctl enable rpcbind
```
Configure the shared directory
```
[root@wulaoer_mysql ~]# mkdir /opt/move
[root@wulaoer_mysql ~]# vi /etc/exports
/opt/move/ 10.211.55.0/24(rw,sync,no_root_squash)
[root@wulaoer_mysql ~]# systemctl enable nfs-server   # added: the export is only served once nfs-server is running
[root@wulaoer_mysql ~]# systemctl start nfs-server
[root@wulaoer_mysql ~]# systemctl reload nfs
```
On the two clients, wulaoer_server01 and wulaoer_server02, create the mount point and mount the share. The recording files live under the storage path given in the nginx configuration:

```
[root@wulaoer_server01 ~]# ll /opt/jumpserver/data/media/
```

Mount the NFS export on this directory.
```
[root@wulaoer_server01 ~]# yum -y install nfs-utils   # provides showmount and the nfs mount helper (there is no package named showmount)
[root@wulaoer_server01 ~]# showmount 10.211.55.129   # list the clients currently mounting from the server; showmount -e lists its exports
Hosts on 10.211.55.129:
[root@wulaoer_server01 media]# mount -t nfs 10.211.55.129:/opt/move /opt/jumpserver/data/media
[root@wulaoer_server02 media]# mount -t nfs 10.211.55.129:/opt/move /opt/jumpserver/data/media
```
The mount can be written to fstab so it is mounted automatically at boot
```
[root@wulaoer_server01 ~]# vi /etc/fstab

#
# /etc/fstab
# Created by anaconda on Thu Dec  5 02:35:59 2019
#
# Accessible filesystems, by reference, are maintained under '/dev/disk'
# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info
#
/dev/mapper/centos-root /                       xfs     defaults        0 0
UUID=6fb6245f-4f95-4da6-b3c8-24a7a1a09df7 /boot                   xfs     defaults        0 0
/dev/mapper/centos-swap swap                    swap    defaults        0 0
# mount options are one comma-separated field: "defaults _rnetdev" would be read as the dump field and the mount would fail;
# _netdev delays the mount until the network is up
10.211.55.129:/opt/move /opt/jumpserver/data/media nfs defaults,_netdev 0 0

[root@wulaoer_server02 ~]# vi /etc/fstab

#
# /etc/fstab
# Created by anaconda on Thu Dec  5 02:35:59 2019
#
# Accessible filesystems, by reference, are maintained under '/dev/disk'
# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info
#
/dev/mapper/centos-root /                       xfs     defaults        0 0
UUID=6fb6245f-4f95-4da6-b3c8-24a7a1a09df7 /boot                   xfs     defaults        0 0
/dev/mapper/centos-swap swap                    swap    defaults        0 0
10.211.55.129:/opt/move /opt/jumpserver/data/media nfs defaults,_netdev 0 0
```
Save the file; the whole environment is now built. Next comes the test: use the two different JumpServers to operate the same machine remotely and check whether a recording exists for each. Below are screenshots of the recordings.
Below is a comparison of the recordings on the two JumpServers.
With this the JumpServer HA setup is complete. The essential point is that the data is shared: Redis, MySQL and the session recordings.