Background
Earlier I set up a JumpServer quickly by following the official docs: a single-node deployment, with MySQL and Redis running in containers. As more and more people use it, I am now considering reworking the architecture for high availability.
Migration steps
I. Database high availability
Deploy the database and Redis separately, or use a cloud RDS and managed Redis, so that the data layer itself is highly available. Every JumpServer node will then point at the same external MySQL and Redis.
1. Back up the data and migrate it to the new database
jmsctl.sh db_backup
Locate the backup SQL file from the command output.
Do not make any changes (adding assets and so on) during this period, or the backup will be out of date by the time it is imported.
Create the database and import the backup:
# mysql -uroot -p
CREATE DATABASE jumpserver CHARACTER SET utf8;
-- GRANT ... IDENTIFIED BY is deprecated in MySQL 5.7 and removed in MySQL 8, so create the user first.
-- Prefer the JumpServer node subnet (for example '192.168.100.%') to '%' so only the nodes can authenticate.
CREATE USER 'jumpserver'@'%' IDENTIFIED BY 'XXXXX';
GRANT ALL ON jumpserver.* TO 'jumpserver'@'%';
# import, as the user that was just created
mysql -h you.db.ip -ujumpserver -p jumpserver < /tmp/jumpserver.sql
Have the Redis connection details (host, port, password) ready.
2. Modify the configuration
cd /opt/jumpserver/config
# back up
cp config.txt config.txt.$(date +%F)
# change
USE_EXTERNAL_MYSQL=1
DB_HOST=your.mysql.ip
DB_PORT=3306
DB_USER=jumpserver
DB_PASSWORD=XXXXX
DB_NAME=jumpserver
USE_EXTERNAL_REDIS=1
REDIS_HOST=your.redis.ip
REDIS_PORT=6379
REDIS_PASSWORD=XXXXX
3. Restart JumpServer
jmsctl.sh restart
4. Log in through the web UI and through the command line (SSH) and verify that both work
Here I hit a JumpServer bug: after switching Redis, the statistics endpoint on the dashboard fails to load.
Temporary workaround
Reading the code, I found the Redis key this endpoint uses, then set it manually in the new Redis; the key is a hash.
# log in to the old redis
docker exec -it jms_redis bash
redis-cli
auth PASSWORD   # take it from the backed-up config file
select 4
keys cache*
HGETALL cache.orgs.caches.OrgResourceStatisticsCache.org_00000000-0000-0000-0000-000000000002
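Instead of reading the hash with HGETALL and re-typing it, the old instance can push it to the new one with Redis's MIGRATE command, which serialises any key type server-side. The script below is an added example for this page, not JumpServer project code, and it generalises the page's single key to every key matching a pattern. It assumes the old Redis is the jms_redis container, that the container can reach the new Redis over the network, that both instances require a password (the page's config sets REDIS_PASSWORD on both), and that the cache lives in db 4 as the page's "select 4" shows; old_cli, new_cli, migrate_key, verify_key and migrate_cache are this example's names.

```shell
#!/bin/sh
# Added example, not JumpServer project code: copy cache keys from the old
# container Redis to the external one with MIGRATE, then verify them.
set -eu

OLD_CONTAINER=${OLD_CONTAINER:-jms_redis}
OLD_PASS=${OLD_PASS:-}          # REDIS_PASSWORD from the backed-up config.txt
NEW_HOST=${NEW_HOST:-your.redis.ip}
NEW_PORT=${NEW_PORT:-6379}
NEW_PASS=${NEW_PASS:-}
CACHE_DB=${CACHE_DB:-4}         # db 4, as in the page's "select 4" (assumed)

# old_cli ARGS...: redis-cli inside the old container (-a prints a warning on stderr)
old_cli() { docker exec -i "$OLD_CONTAINER" redis-cli -a "$OLD_PASS" "$@"; }
# new_cli ARGS...: redis-cli on this host against the external Redis
new_cli() { redis-cli -h "$NEW_HOST" -p "$NEW_PORT" -a "$NEW_PASS" "$@"; }

# list_keys PATTERN: SCAN-based listing; unlike KEYS it does not block the server
list_keys() { old_cli -n "$CACHE_DB" --scan --pattern "$1"; }

# migrate_key KEY: the source server serialises the value and pushes it to the
# destination, whatever its type. COPY keeps the source key, REPLACE overwrites
# an existing destination key, AUTH carries the destination password. NOKEY
# means the key expired between SCAN and MIGRATE, harmless for a cache entry.
migrate_key() {
  out=$(old_cli -n "$CACHE_DB" MIGRATE "$NEW_HOST" "$NEW_PORT" "" "$CACHE_DB" 5000 \
        COPY REPLACE AUTH "$NEW_PASS" KEYS "$1") || true
  case "$out" in
    OK|NOKEY) return 0 ;;
    *) echo "MIGRATE $1 failed: $out" >&2; return 1 ;;
  esac
}

# verify_key KEY: same type on both sides (TYPE answers "none" for a missing key)
verify_key() {
  t_old=$(old_cli -n "$CACHE_DB" TYPE "$1")
  t_new=$(new_cli -n "$CACHE_DB" TYPE "$1")
  [ "$t_new" != none ] && [ "$t_old" = "$t_new" ]
}

# migrate_cache PATTERN: copy and verify every matching key; prints the number
# copied and fails if any key could not be migrated. Keys are split on
# whitespace, which the cache.* key names never contain.
migrate_cache() {
  n=0 failed=0
  for key in $(list_keys "$1"); do
    if migrate_key "$key" && verify_key "$key"; then
      n=$((n + 1))
    else
      echo "FAILED: $key" >&2; failed=1
    fi
  done
  echo "$n"
  [ "$failed" -eq 0 ]
}

if [ "${1:-}" = run ]; then migrate_cache "${2:-cache*}"; fi
```

Invoke it as OLD_PASS=... NEW_HOST=... NEW_PASS=... ./migrate_cache.sh run 'cache.orgs.caches.*' to copy only the statistics hashes, or with the page's broader cache* pattern. Because MIGRATE runs on the source, the old container needs a route to the new Redis; if it cannot reach it, fall back to HGETALL/HSET by hand as the page does.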
II. Shared storage
This concerns the data under /opt/jumpserver/core/data: mainly Ansible execution records, audit logs and session recordings. Every node must read and write the same directory, otherwise a session recorded through one node cannot be replayed from the other.
Share it over NFS
yum -y install epel-release
yum install -y nfs-utils rpcbind
systemctl enable rpcbind nfs-server nfs-lock nfs-idmap
systemctl start rpcbind nfs-server nfs-lock nfs-idmap
### vi /etc/exports
/opt/jumpserver/core/data 192.168.100.*(rw,sync,all_squash,anonuid=0,anongid=0)
## replace the address range with your own
# publish
exportfs -a
# verify
showmount -e localhost
Note that all_squash with anonuid=0 and anongid=0 maps every client request to root on the NFS server, so any host in that address range can write anything into the export as root. List the JumpServer nodes individually instead of a whole subnet, and keep the export on an internal network only.
III. Add a JumpServer node
# mount the nfs export
yum -y install nfs-utils      # debian: apt-get install nfs-common
mount -t nfs -o n
## vi /etc/fstab
10.x.x.x:/opt/jumpserver/core/data /opt/jumpserver/core/data nfs rw,nfsvers=3 0 0
mkdir -p /opt/jumpserver/core/data
mount -a
# download and install
cd /opt
yum -y install wget
wget https://github.com/jumpserver/installer/releases/download/v2.28.8/jumpserver-installer-v2.28.8.tar.gz
tar -xf jumpserver-installer-v2.28.8.tar.gz
cd jumpserver-installer-v2.28.8
./jmsctl.sh install
# copy the configuration from the first node so both nodes share the same SECRET_KEY and backend settings
scp 10.x.x.x:/opt/jumpserver/config/config.txt /opt/jumpserver/config/config.txt
./jmsctl.sh start
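Two mistakes on a new node split the cluster silently: the data directory is not on the NFS export (recordings stay local), or config.txt was not copied and still points at the bundled mysql/redis containers. The pre-flight script below catches both before ./jmsctl.sh start. It is an added example for this page, not part of the installer; it assumes the installer's default data and config paths, that findmnt (util-linux) and nc are installed, and that config.txt uses the KEY=VALUE keys shown in section I plus SECRET_KEY and BOOTSTRAP_TOKEN. The function names are this example's own.

```shell
#!/bin/sh
# Added example, not JumpServer project code: pre-flight checks for a new node.
set -eu

DATA_DIR=${DATA_DIR:-/opt/jumpserver/core/data}      # installer default (assumed)
CONF=${CONF:-/opt/jumpserver/config/config.txt}      # installer default (assumed)

# get_kv FILE KEY: value of the last KEY=... line in FILE (empty if absent)
get_kv() { sed -n "s/^$2=//p" "$1" | tail -n 1; }

# fstype_of PATH: filesystem type holding PATH (findmnt -T walks up to the mountpoint)
fstype_of() { findmnt -n -o FSTYPE -T "$1"; }

# check_shared_data PATH: recordings must land on the NFS export, otherwise
# sessions served by this node are invisible to the other one.
check_shared_data() {
  fs=$(fstype_of "$1")
  case "$fs" in
    nfs|nfs4) return 0 ;;
    *) echo "ERROR: $1 is on '$fs', not NFS" >&2; return 1 ;;
  esac
}

# check_external_backends CONF: both external flags set, and hosts that are
# neither the docker-internal service names nor this machine.
check_external_backends() {
  rc=0
  for key in USE_EXTERNAL_MYSQL USE_EXTERNAL_REDIS; do
    [ "$(get_kv "$1" "$key")" = 1 ] || { echo "ERROR: $key is not 1" >&2; rc=1; }
  done
  for key in DB_HOST REDIS_HOST; do
    v=$(get_kv "$1" "$key")
    case "$v" in
      ""|mysql|redis|localhost|127.0.0.1)
        echo "ERROR: $key='$v' points at a container or the local host" >&2; rc=1 ;;
    esac
  done
  return $rc
}

# config_fingerprint CONF: digest of the keys every node must share (backend
# addresses plus SECRET_KEY/BOOTSTRAP_TOKEN); compare it with the first node's.
config_fingerprint() {
  grep -E '^(USE_EXTERNAL_MYSQL|DB_|USE_EXTERNAL_REDIS|REDIS_|SECRET_KEY|BOOTSTRAP_TOKEN)' "$1" \
    | sort | sha256sum | cut -d' ' -f1
}

# tcp_reachable HOST PORT: three-second TCP connect test
tcp_reachable() { nc -z -w 3 "$1" "$2"; }

preflight() {
  check_shared_data "$DATA_DIR"
  check_external_backends "$CONF"
  tcp_reachable "$(get_kv "$CONF" DB_HOST)" "$(get_kv "$CONF" DB_PORT)"
  tcp_reachable "$(get_kv "$CONF" REDIS_HOST)" "$(get_kv "$CONF" REDIS_PORT)"
  echo "config fingerprint: $(config_fingerprint "$CONF")"
}

if [ "${1:-}" = run ]; then preflight; fi
```

Run ./preflight.sh run on both nodes and compare the printed fingerprints; they must match, because a node with a different SECRET_KEY cannot decrypt what the other node stored in the shared database.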
IV. Add an nginx proxy node
HTTP proxy
[sre@nginx-01 ~]$ cat /etc/nginx/conf.d/jumpserver.conf
server {
    listen 80;
    server_name jumpserver.xxx.com;
    return 301 https://$server_name$request_uri;
}
server {
    listen 443 ssl http2;
    server_name jumpserver.xxx.com;
    ssl_certificate /etc/nginx/ssl/xxx.com.pem;
    ssl_certificate_key /etc/nginx/ssl/xxx.com.key;
    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;
    ssl_protocols TLSv1.1 TLSv1.2;
    add_header Strict-Transport-Security "max-age=63072000" always;
    client_max_body_size 4096m; # size limit for recordings and file uploads
    location / {
        # the servers in the upstream are the nginx of each backend JumpServer node
        proxy_pass http://jumpserver_https_srv;
        proxy_http_version 1.1;
        proxy_buffering off;
        proxy_request_buffering off;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
    }
}
upstream jumpserver_https_srv {
    server 10.x.x.6 weight=1 max_fails=0 fail_timeout=35s;
    server 10.x.x.7 weight=1 max_fails=0 fail_timeout=35s;
    hash $remote_addr consistent;
}
Three points to weigh in this config. max_fails=0 turns off nginx's failure accounting, so a backend that stops answering is never taken out of rotation; set it to a small positive number if the proxy is meant to fail over on its own. TLSv1.1 is deprecated (RFC 8996), so drop it unless an old client still needs it. Hashing on $remote_addr pins each client to one node, which keeps web sessions and file transfers on the same backend, but all clients behind one NAT address land on the same node.
TCP proxy
SSH command-line login port
[sre@online-01 ~]$ cat /etc/nginx/stream.d/jumpserver.conf
upstream jumpserver_srv {
    server 10.x.x.6:2222;
    server 10.x.x.7:2222;
}
server {
    listen 2222;
    proxy_pass jumpserver_srv;
    proxy_timeout 86400s;
    proxy_connect_timeout 600s;
}
# database login ports; the two ranges must not share a port, or nginx -t fails with a duplicate address error
server {
    listen 30000-30100;
    proxy_pass 10.x.x.6:$server_port;
    proxy_timeout 86400s;
    proxy_connect_timeout 600s;
}
server {
    listen 30101-30200; # change the port range that Magnus listens on for this node to match
    proxy_pass 10.x.x.7:$server_port;
    proxy_timeout 86400s;
    proxy_connect_timeout 600s;
}
V. High-availability verification
Verify web login, then refresh the page and check whether you are asked to log in again (a sign that the session landed on a different node).
Verify command-line login and make sure both nodes can serve it; after landing on a target machine, run w to see which JumpServer node's IP you came in from.
Verify file transfer through the web UI.
Verify application and database command-line connections through the proxied ports.
Original post: https://hqyman.cn/post/5124.html