本文参考老广开发二次开发后的堡垒机部署方案,在此基础上进行集群部署,提高其可靠性。尽管国外已经有类似的功能的堡垒机的发布,但是还是要感谢老广在百忙之中再次开发出精简功能,更加使用的jumpserver堡垒机。
本文内容虽然亲测,但难免仍有错误指出。各位同行发现有请帮忙反馈,以便及时改进。
目 录
部分一 堡垒机架构原理
jumpserver基本架构
jumpserver程序主要通过python语言编写。通过jumpserver前端页面可以简洁、直观的查看管理主机和用户。
jumpserver主要调用的服务和默认端口:
http:80
ldap:389
mysql:3306
ssh:22
jumpserver集群架构
通过jumpserver集群实现ldap,数据库,http,ssh服务器的高可用性。
架构中的服务及对应的软件:
ldap:openldap
DB:mysql
ssh:openssh
http:nginx
lvs:keepalived、ipvsadm
部分二部署
部署概述
部署主要分为四个部分:
- LDAP realserver部署
通过使用openldap镜像模式,实现两台ldap服务器之间的数据一致性
- mysql realserver部署
通过使用mysql主主同步模式,实现两台数据库之间的数据一致性
- jumpsrver 部署
该部分,主要部署jumpserver主程序,并通过nginx+uwsgi+django实现前端应用和ldap多线程
- 调度服务器部署
通过keepalived+ipvsadm搭建主备模式,实现DR的高可用
平台环境:
系统:centOS 6.6-64bit
数据库:MySql 5.1.73
openldap:openldap-2.4.39
nginx:nginx-1.9.1
pcre:pcre-8.36
uwsgi:uwsgi-2.0.10
MySQL-python-1.2.3
ssh:OpenSSH-5.3
LDAP realserver部署
1. 安装openldap软件
分别在两台服务器上安装openlap软件:
# yum -y installopenldap openldap-clients nss-pam-ldapd pam_ldap
2. 配置openldap
2.1准备配置文件
复制slap的配置文件模版
#cp /usr/share/openldap-servers/slapd.conf.obsolete /etc/openldap/slapd.conf
复制ldap的数据库配置文件模版
cp/usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
复制sudo文件
cp /usr/share/doc/sudo-1.8.6p3/schema.OpenLDAP/etc/openldap/schema/sudo.schema
2.2 修改配置文件
vim /etc/openldap/slapd.conf
include /etc/openldap/schema/sudo.schema
database bdb
suffix "dc=test,dc=net"
checkpoint 1024 15
rootdn "cn=Manager,dc=test,dc=net"
rootpw secret123 ## 密码,本初设置为明文
# rootpw {crypt}ijasdfNcSNctBYg
loglevel 1 ## 添加日志等级
#### ldap数据同步,这里选择的是mirror mode ########
index objectClass,entryCSN,entryUUID eq
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
serverID 2
syncrepl rid=234
provider=ldap://10.60.8.17:389
bindmethod=simple
binddn="cn=admin,dc=test,dc=net"
[email protected]
searchbase="dc=test,dc=net"
schemachecking=on
type=refreshAndPersist
retry="60 +"
mirrormode on
2.3 修改日志配置文件
vim /etc/rsyslog.conf
在local.* 7 下添加如下一行
local.* 4 /var/log/ldap.log
重启rsyslog服务器,查看是否生成日志文件
# service rsyslog restart
2.4 生成新的ldap数据库文件
一般情况下,/etc/openldap/slapd.d/目录下会保存sladp的配置数据,例如ldap的目录结果和密码等,如果修改了这些配置需要删除该目录下的文件并重新生成新的数据文件。
# service slapd start
# rm -rf /etc/openldap/slapd.d/*
# slaptest -f/etc/openldap/slapd.conf -F /etc/openldap/slapd.d ##生成新文件
# chown -R ldap:ldap/etc/openldap/slapd.d/ #更改属主为ldap
# service slapd restart
# netstat -tulnp | grep slapd
2.5 导入ldif数据库框架
使用migrationtools工具到处框架。
- 安装migrationtools工具
# yum installmigrationtools
- 修改migrationtools配置
# vim /usr/share/migrationtools/migrate_common.ph
修改71-74行配置
# Default DNS domain
$DEFAULT_MAIL_DOMAIN = "test.net"; ## 修改为相应的前缀
# Default base
$DEFAULT_BASE = "dc=test,dc=net";##修改为相应的前缀
- 导出框架
#cd /usr/share/migrationtools
# ./migrate_base.pl >base.ldif
#./migrate_passwd.pl>passwd.ldif
#./migrate_group.pl > group.ldif
- 导入条目框架
# ldapadd -x -D "cn=Manager,dc=test,dc=net"-W -f base.ldif
# ldapadd -x -D "cn=Manager,dc=test,dc=net"-W -f group.ldif
# ldapadd -x -D "cn=Manager,dc=test,dc=net"-W -f passwd.ldif
MySQL realserver部署
1. 安装mysql服务端软件
# yum install -y msyqlmysql-server mysql-devel
2. 配置mysql主主同步
- 配置mysql主文件
#vim /etc/my.conf
mysql1的配置:
pid-file = /var/lib/mysql/mysqld.qid
port = 3306
log-bin = master-bin
log-bin-index = master-bin.index
server-id = 1
relay-log-index = slave-relay-bin.index
relay-log = slave-relay-bin
auto_increment_increment=2
auto_increment_offset=1
mysql2的配置
pid-file = /var/lib/mysql/mysqld.qid
port = 3306
log-bin = master-bin
log-bin-index = master-bin.index
server-id = 1
relay-log-index = slave-relay-bin.index
relay-log = slave-relay-bin
auto_increment_increment=2
auto_increment_offset=2
- 授权对方主机同步权限
msyql > grant replication on jumpserver.*to ‘jumpserver’@’10.60.8.17’ identified on ‘mysql234’ //该步骤在10.60.8.16主机mysql1上执行
msyql > grant replication on jumpserver.* to ‘jumpserver’@’10.60.8.16’identified on ‘mysql234’ //该步骤在10.60.8.17主机mysql2上执行
- 指定master主机
mysql1(10.60.8.16)制定master
查看mysql2主机上master信息:
mysql>show master status ;
+--------------------+----------+--------------+------------------+
|File | Position |Binlog_Do_DB | Binlog_Ignore_DB |
+--------------------+----------+--------------+------------------+
| masterB-bin.000005 | 8310 | | |
+--------------------+----------+--------------+------------------+
1 row in set (0.00 sec)
- 指定master:
mysql> CHANGE MASTER TO
->MASTER_HOST=‘10.60.8.17‘,
->MASTER_PORT=‘3306‘,
->MASTER_USER=‘jumpserver‘,
-> MASTER_PASSWORD=‘mysql234‘,
-> MASTER_LOG_FILE=‘masterB-bin.000005‘,
-> MASTER_LOG_POS=8310;
注意离这里的二进制日志文件名和位置对应的是对方主机的master信息,最后一行的没有引号。
- 查看slave状态
在对方master上查看,如下现象显示配置成功。可插入列表查看是否同步状态
mysql> show slave status\G;
***************************1. row ***************************
Slave_IO_State:Waiting for master to send event
Master_Host:10.6.2.148
Master_User:jumpserver
Master_Port:3306
Connect_Retry:60
Master_Log_File:masterB-bin.000005
Read_Master_Log_Pos:8310
Relay_Log_File:slave-relay-bin.000029
Relay_Log_Pos:253
Relay_Master_Log_File:masterB-bin.000005
Slave_IO_Running: Yes
Slave_SQL_Running: Yes
Replicate_Do_DB:
Replicate_Ignore_DB:
Replicate_Do_Table:
Replicate_Ignore_Table:
Replicate_Wild_Do_Table:
Replicate_Wild_Ignore_Table:
Last_Errno:0
Last_Error:
Skip_Counter:0
Exec_Master_Log_Pos:8310
Relay_Log_Space:555
Until_Condition:None
Until_Log_File:
Until_Log_Pos:0
Master_SSL_Allowed:No
Master_SSL_CA_File:
Master_SSL_CA_Path:
Master_SSL_Cert:
Master_SSL_Cipher:
Master_SSL_Key:
Seconds_Behind_Master:0
Master_SSL_Verify_Server_Cert:No
Last_IO_Errno: 0
Last_IO_Error:
Last_SQL_Errno: 0
Last_SQL_Error:
1 row in set (0.00 sec)
jumpserver主程序部署
相关软件包下载链接:http://bbs.jumpserver.org/read-83
两个
1. 环境准备
建议linux为minal安装
安装软件:
yum install -y vim automake autoconf gcc xz ncurses-develpatch python-devel git python-pip gcc-c++ mysql mysql-devel
2. 安装主程序
2.1 解压文件
tar xf jumpserver.tar.bz2 –C /opt
tar xf node_modules.tar.bz2 –C /opt/jumpserver/websocket
tar xfpip-build-root.tar.bz2 -C /tmp
2.2 获取更新
git pull origin master:master
2.3 删除不兼容模块
cd /opt/jumpserver/docs
rm -rf /usr/lib64/python2.6/site-packages/Crypto && echo y |pip uninstall pycrypto
2.4 安装依赖模块
pip install -rrequirements.txt -i http://pypi.douban.com/simple
2.5 配置jumpserver.conf文件
cd /opt/jumpserver
vim jumpserver.conf
[base]
ip = 10.60.8.14//本机ip
port = 80
key = 88aaaf7ffe3c6c04
[db]
host = 10.60.8.16 //mysql数据库的ip,测试时需要在mysql上授权
port = 3306 //数据库端口
user = jumpserver //用户名
password = mysql234 //数据库密码
database = jumpserver //数据库名称
[ldap]
ldap_enable = 1
host_url = ldap://10.60.8.16:389 //ldap服务器地址
base_dn = dc=test, dc=net //ldap目录后缀
root_dn = cn=Manager,dc=test,dc=net
root_pw = secret234 //密码
[websocket]
web_socket_host = 10.60.8.14:3000 //web socket
[mail]
email_host = smtp.exmail.qq.com //设置发件邮箱
email_port = 25
email_host_user = [email protected]
email_host_password = jumpserver123
email_use_tls= False
2.6 创建日志目录
mkdir -p logs/{connect,exec_cmds} && chmod -R 777 logs
2.7 django sync db 到数据库
chmod +x *.py *.sh
echo no | python manage.py syncdb
2.8 安装配置websocket
yum -y install nodejs npm
cd /opt/jumpserver/websocket
npm install
cd /opt/jumpserver
sh service.sh start
2.9 登录测试
cd /opt/jumpserver/docs
cp zzjumpserver.sh/etc/profile.d/
浏览器访问http://10.6.2.14/install初始化,然后登录,默认帐号密码:admin admin
3. Nginx+uwsgi+django部署
3.1安装pcre
tar-zxvf pcre-8.36.tar.gz
cdpcre-8.36
./configure
make && make install
3.2 安装nginx
tar -zxvf nginx-1.9.1.tar.gz
cd nginx-1.9.1
./configure --user=nobody --group=nobody --prefix=/usr/local/nginx--with-http_stub_status_module --with-cc-opt=‘-O3‘ --with-cpu-opt=opteron
make && make install
3.3安装MySQL-python
tar-zxvf nginx-1.9.1.tar.gz
cdnginx-1.9.1
./configure--user=nobody --group=nobody --prefix=/usr/local/nginx--with-http_stub_status_module --with-cc-opt=‘-O3‘ --with-cpu-opt=opteron
make&& make install
3.4先安装libxml,在安装uwsgi
yum-y install libxml*
tar-zxvf uwsgi-2.0.10.tar.gz
cduwsgi-2.0.10
make
cpuwsgi /usr/bin
3.5配置nginx
#cd /usr/local/nginx/conf/
添加子配置文件:
#vim django_uwsgi.conf
# Django project
server {
listen 80;
server_name 192.168.20.128;
location / {
uwsgi_pass 127.0.0.1:9000;
include uwsgi_params;
access_log off;
}
location ^~ /static {
root /opt/jumpserver;
}
location ^~ /admin/ {
uwsgi_pass 127.0.0.1:9000;
include uwsgi_params;
access_log off;
}
location ~*^.+\.(mpg|avi|mp3|swf|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|txt|tar|mid|midi|wav|rtf|mpeg)${
root /opt/jumpserver/static;
access_log off;
}
}
添加uwsgi输出头支持和追加子配置文件django_uwsgi.conf
# vimnginx.conf
http{
........
includeuwsgi_params;
include django_uwsgi.conf;
}
3.6 UWSGI配置
mkdir -p/home/uwsgi;cd /home/uwsgi
mkdir -p/opt/jumpserver/logs
echo"" > /opt/jumpserver/logs/django.log
vim uwsgi.xml
<uwsgi>
<socket>127.0.0.1:9000</socket>
<listen>80</listen>
<master>true</master>
<pidfile>/usr/local/nginx/uwsgi.pid</pidfile>
<processes>8</processes>
<pythonpath>/opt/jumpserver</pythonpath>
<pythonpath>/opt/</pythonpath>
<module>django_wsgi</module>
<profiler>true</profiler>
<memory-report>true</memory-report>
<enable-threads>true</enable-threads>
<logdate>true</logdate>
<limit-as>6048</limit-as>
<daemonize>/opt/jumpserver/logs/django.log</daemonize>
</uwsgi>
3.7创建应用模块
# cd /opt/jumpserver
# vim django_wsgi.py
import os
os.environ[‘DJANGO_SETTINGS_MODULE‘] =‘jumpserver.settings‘
import django.core.handlers.wsgi
application = django.core.handlers.wsgi.WSGIHandler()
3.8启动服务
cd /lib/
ln -s libpcre.so.0.0.1 libpcre.so.1
ln -s /usr/local/lib/libpcre.so.1 /lib64/
/usr/bin/uwsgi -x /home/uwsgi/uwsgi.xml
/usr/local/nginx/sbin/nginx
3.9查看进程
# ps -ef|grep uwsgi|grep -v grep
root 13711 1 0 Jul10 ? 00:00:02 /usr/bin/uwsgi -x/home/uwsgi/uwsgi.xml
root 13712 13711 0 Jul10 ? 00:00:00 /usr/bin/uwsgi -x /home/uwsgi/uwsgi.xml
root 13713 13711 0 Jul10 ? 00:00:00 /usr/bin/uwsgi -x/home/uwsgi/uwsgi.xml
root 13714 13711 0 Jul10 ? 00:00:00 /usr/bin/uwsgi -x/home/uwsgi/uwsgi.xml
root 13715 13711 0 Jul10 ? 00:00:00 /usr/bin/uwsgi -x/home/uwsgi/uwsgi.xml
root 13716 13711 0 Jul10 ? 00:00:00 /usr/bin/uwsgi -x/home/uwsgi/uwsgi.xml
root 13717 13711 0 Jul10 ? 00:00:00 /usr/bin/uwsgi -x/home/uwsgi/uwsgi.xml
root 13718 13711 0 Jul10 ? 00:00:00 /usr/bin/uwsgi -x/home/uwsgi/uwsgi.xml
root 13719 13711 0 Jul10 ? 00:00:14 /usr/bin/uwsgi -x/home/uwsgi/uwsgi.xml
3.10监听端口
# netstat -an|grep 9000
tcp 0 0 127.0.0.1:9000 0.0.0.0:* LISTEN
# netstat –lpnt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:58357 0.0.0.0:* LISTEN 4934/rpc.mountd
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 4435/named
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1148/sshd
tcp 0 0 0.0.0.0:3000 0.0.0.0:* LISTEN 13782/node
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 4435/named
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1225/master
tcp 0 0 0.0.0.0:39199 0.0.0.0:* LISTEN 4934/rpc.mountd
tcp 0 0 0.0.0.0:46399 0.0.0.0:* LISTEN 995/rpc.statd
tcp 0 0 0.0.0.0:2049 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:9000 0.0.0.0:* LISTEN 13711/uwsgi
tcp 0 0 0.0.0.0:44585 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:46505 0.0.0.0:* LISTEN 4934/rpc.mountd
tcp 0 0 0.0.0.0:873 0.0.0.0:* LISTEN 3503/rsync
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 4688/rpcbind
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 13458/nginx
tcp 0 0 ::1:53 :::* LISTEN 4435/named
tcp 0 0 :::22 :::* LISTEN 1148/sshd
tcp 0 0 :::51864 :::* LISTEN 4934/rpc.mountd
tcp 0 0 ::1:953 :::* LISTEN 4435/named
tcp 0 0 ::1:25 :::* LISTEN 1225/master
tcp 0 0 :::52635 :::* LISTEN 4934/rpc.mountd
tcp 0 0 :::33886 :::* LISTEN -
tcp 0 0 :::33791 :::* LISTEN 995/rpc.statd
tcp 0 0 :::2049 :::* LISTEN -
tcp 0 0 :::51969 :::* LISTEN 4934/rpc.mountd
tcp 0 0 :::873 :::* LISTEN 3503/rsync
tcp 0 0 :::111 :::* LISTEN 4688/rpcbind
# lsof-i :80
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
nginx 13458 root 6u IPv4 55588 0t0 TCP *:http (LISTEN)
nginx 13733 nobody 6u IPv4 55588 0t0 TCP *:http (LISTEN)
3.11正常访问http://10.60.8.14,确认是否可以正常访问
3.12修改jumpserver主程序启动脚本
# vim /opt/jumpserver/service.sh
执行脚本service.sh,重新启动服务
sh service.sh restart
3.13 编写uwsgi启动脚本
cd /home/uwsgi
vim uwsgiserver.sh
#!/bin/bash
if [ $1 = start ];then
psid=`ps aux|grep "uwsgi"|grep -v "grep"|wc -l`
if [$psid -gt 2 ];then
echo "uwsgi is running!"
exit 0
else
/usr/bin/uwsgi -x /home/uwsgi/uwsgi.xml
fi
echo"Start uwsgi service [OK]"
elif [ $1 = stop ];then
killall -9 uwsgi
echo"Stop uwsgi service [OK]"
elif [ $1 = restart ];then
killall -9 uwsgi
/usr/bin/uwsgi -x /home/uwsgi/uwsgi.xml
echo"Restart uwsgi service [OK]"
else
echo"Usages: sh uwsgiserver.sh [start|stop|restart]"
fi
3.14 重启服务
依次重启下列服务:
cd /home/uwsgi
sh uwsgiserver.sh restart
cd /usr/local/nginx/sbin
./nginx -s reload
4. glusterfs部署
保持两台jumpserver服务器中/opt/jumpserver/keys与/opt/jumpserver/logs的一致性
- 安装glusterfs软件
yum install -y glusterfs glusterfs-server glusterfs-cli
- 配置glusterfs
在jumpserver1上添加对方服务器到贡献存储池
# gluster peer probe 10.60.8.115
Probe successful
- 创建复制卷
在两台服务器上分别创建keys,logs目录
# /usr/local/share/logs
# /usr/local/share/keys
# gluster volumekey replica 2 transport tcp 10.60.8.14: /usr/local/share/keys 10.60.8.15:
/usr/local/share/keys
# gluster volumelog replica 2 transport tcp 10.60.8.14: /usr/local/share/logs 10.60.8.15:
/usr/local/share/logs
- 启动复制卷
# gluster volume start log
# gluster volume start key
- 挂载卷
#mount –tglusterfs 10.6.2.14:log /opt/jumpserver/logs
#mount –tglusterfs 10.6.2.14:key /opt/jumpserver/keys
在/etc/fstab文件中添加如下两行
jump1:log /opt/jumpserver/logs glusterfs defaults 0 0
jump1:key /opt/jumpserver/keys glusterfs defaults 0 0
重新挂载
# mount –a
- 开机启动glusterfs服务
# chkconfig --level 35glusterfsd on
keepalived部署
1. 安装软件
2台lvs服务器上安装软件
yum install –y ipvsadm keepalived
2. lvs主服务器上修改主配置文件
# vim /etc/keepalived/keepalived.conf
lvs主服务器配置如下:
!Configuration File for keepalived
global_defs{
notification_email {
[email protected]
}
notification_email_from [email protected]
smtp_server 10.60.8.22
smtp_connect_timeout 30
router_id LVS_DEVEL
}
vrrp_sync_grouptest {
group {
VI_1
vi_2
}
}
vrrp_instanceVI_1 {
state MASTER
interface eth0
virtual_router_id 55
priority 85
advert_int 1
authentication {
auth_type PASS
auth_pass 1111
}
virtual_ipaddress {
10.60.8.10
}
}
vrrp_instanceVI_2 {
state BACKUP
interface eth0
virtual_router_id 65
priority 90
advert_int 1
authentication {
auth_type PASS
auth_pass 2222
}
virtual_ipaddress {
10.60.8.11
}
}
virtual_server10.60.8.10 80 {
delay_loop 6
lb_algo sh
lb_kind DR
# nat_mask 255.255.255.128
persistence_timeout 120
protocol TCP
real_server 10.60.8.14 80 {
weight 3
TCP_CHECK {
connect_timeout 3
nb_get_retry 3
delay_before_retry 3
connect_port 80
}
}
real_server 10.60.8.15 80 {
weight 3
TCP_CHECK {
connect_timeout 3
nb_get_retry 3
delay_before_retry 3
connect_port 80
}
}
}
virtual_server10.60.8.10 22 {
delay_loop 6
lb_algo wlc
lb_kind DR
# nat_mask 255.255.255.128
persistence_timeout 120
protocol TCP
real_server 10.60.8.14 22 {
weight 3
TCP_CHECK {
connect_timeout 3
nb_get_retry 3
delay_before_retry 3
connect_port 22
}
}
real_server 10.60.8.15 22 {
weight 3
TCP_CHECK {
connect_timeout 3
nb_get_retry 3
delay_before_retry 3
connect_port 22
}
}
}
virtual_server10.60.8.11 3306 {
delay_loop 6
lb_algo wlc
lb_kind DR
# nat_mask 255.255.255.128
persistence_timeout 120
protocol TCP
real_server 10.60.8.16 3306 {
weight 3
TCP_CHECK {
connect_timeout 3
nb_get_retry 3
delay_before_retry 3
connect_port 3306
}
}
real_server 10.60.8.17 3306 {
weight 3
TCP_CHECK {
connect_timeout 3
nb_get_retry 3
delay_before_retry 3
connect_port 3306
}
}
}
3. 备用服务器(LVS_备)文件配置
keepalived.conf配置方法和步骤二相同,需要把步骤二中红色部分参数修改为如下:
state:slave
4. 配置realserverlvs脚本
脚本统一放在/usr/local/lvs/目录下
ip:10.60.8.16-17的realserver脚本配置如下:
#!/bin/bash
VIP=10.60.8.11
/etc/rc.d/init.d/functions
case"$1" in
start)
ifconfiglo:0 $VIP broadcast $VIP netmask 255.255.255.255
/sbin/routeadd -host $VIP dev lo:0
echo"1" >/proc/sys/net/ipv4/conf/lo/arp_ignore
echo"2" >/proc/sys/net/ipv4/conf/lo/arp_announce
echo"1" >/proc/sys/net/ipv4/conf/all/arp_ignore
echo"2" >/proc/sys/net/ipv4/conf/all/arp_announce
sysctl -p> /dev/null 2>&1
echo"Realserver start OK"
;;
stop)
route del$VIP > /dev/null 2>&1
echo"0" > /proc/sys/net/ipv4/conf/lo/arp_ignore
echo"0" > /proc/sys/net/ipv4/conf/lo/arp_announce
echo"0" > /proc/sys/net/ipv4/conf/all/arp_ignore
echo"0" > /proc/sys/net/ipv4/conf/all/arp_announce
echo"Realserver stoped"
;;
*)
echo"Usage: $0 {start|stop}"
exit 1
esac
exit 0
ip:10.60.8.14-15配置如下:
#!/bin/bash
VIP=10.60.8.10
/etc/rc.d/init.d/functions
case"$1" in
start)
ifconfiglo:0 $VIP broadcast $VIP netmask 255.255.255.255
/sbin/routeadd -host $VIP dev lo:0
echo"1" >/proc/sys/net/ipv4/conf/lo/arp_ignore
echo"2" >/proc/sys/net/ipv4/conf/lo/arp_announce
echo"1" >/proc/sys/net/ipv4/conf/all/arp_ignore
echo"2" > /proc/sys/net/ipv4/conf/all/arp_announce
sysctl -p> /dev/null 2>&1
echo"Realserver start OK"
;;
stop)
route del$VIP > /dev/null 2>&1
echo"0" > /proc/sys/net/ipv4/conf/lo/arp_ignore
echo"0" > /proc/sys/net/ipv4/conf/lo/arp_announce
echo"0" > /proc/sys/net/ipv4/conf/all/arp_ignore
echo"0" > /proc/sys/net/ipv4/conf/all/arp_announce
echo"Realserver stoped"
;;
*)
echo"Usage: $0 {start|stop}"
exit 1
esac
exit 0
5. 设置开机启动脚步
echo “sh /usr/local/lvs/realserver.sh start > /dev/null &&” >> /etc/rc.local
部分三测试
1. 后台服务切换测试
- 依次随机关闭jumpserver主程序,slapd,msyql中任意的一台后,在前端访问管理页面,添加和删除测试用户,主机,测试是否成功
- 下载密钥登录堡垒机,尝试连接后端主机,并执行授权命令,测试是否成功
- 管理主调度服务器,尝试登录前端管理页面,查看是否能够成功
部分四管理
前端页面管理可参考:
http://laoguang.blog.51cto.com/6013350/1636708
新建用户注意事项
通过lvs登录到前端管理页面后,新建用户后,实际上只在一台jumpserver服务器上产生用户,另一台不会主动生成用户信息,因此需要手动添加用户,并拷贝密钥文件。添加用户是注意查看用户的信息(uid,gid),确保uid与gid一致。
添加用户:
useradd -u uid -g gid 用户名
拷贝密钥,复制/$HOME/.ssh目下authorized_keys文件到对应的目录内。
客户端使用
- 1. 安装终端工具xshell
- 2. 导入密钥
- 3. 登录
部分五排错
1. 登录前端管理页面报错
安装Nginx+uwsgi+django后,登录前端管理页面报错。
解决方案:
确认已经安装软件mysql-devel,Nginx+uwsgi+django安装部署的每一步都已经成功执行
2. ldapadd导入框架是提示错误
解决方法:
- 确认导入命令及参数无误
- 删除ldap配置数据文件,重新生成新的配置数据文件。
# rm -rf /etc/openldap/slapd.d/*
# slaptest -f/etc/openldap/slapd.conf -F /etc/openldap/slapd.d
# chown -R ldap:ldap/etc/openldap/slapd.d/*
# service slapd restart