Jumpserver dual-node high-availability deployment notes

    Jumpserver had previously been deployed in the IDC as a bastion host, serving as the single entry point for logging in to production servers. After it had been running for a while, the Jumpserver machine's CPU utilisation was consistently above 80%, mostly from the Python processes. Since it was a single-node deployment, for safety reasons a dual-node high-availability Jumpserver environment was urgently needed, using LB+HA to reduce load and provide failover. The deployment process is recorded below:

    After the adjustments below, the existing Jumpserver usernames, keys and passwords stay unchanged; users only need to point their SSH connection at the VIP of the SSH port load balancer.
    In other words, for users only the login IP address changes; nothing else is affected.
       
    1) Environment
    192.168.10.20   the existing single-node Jumpserver, used as the master
    192.168.10.21   the newly added Jumpserver, used as the slave
       
    The SSH port on the Jumpserver machines is uniformly changed to 8888.
    Load balancing of the web port 80 is layer-7, implemented with Nginx+keepalived; the domain is jump.kevin-inc.com.
    Load balancing of the SSH port is layer-4 and could also be implemented with nginx's stream module (the nginx+keepalived load-balancing layer I use in production does not have the stream module installed, so to avoid affecting production I set up a separate lvs+keepalived pair).
       
    2) Deploy the Jumpserver environment on the standby machine (192.168.10.21)
    Reference: http://www.cnblogs.com/kevingrace/p/5570279.html
       
    3) Configure MySQL master-master replication between the Jumpserver master and standby (first copy the jumpserver database from the master into the slave's MySQL)
    See the MySQL master-master replication setup in this article: http://www.cnblogs.com/kevingrace/p/6710136.html
       
    4) Synchronise files, either in real time with rsync+inotify or at short intervals with rsync+crontab (passwordless SSH trust between 192.168.10.20 and 192.168.10.21 must be set up beforehand)
       the system files /etc/passwd, /etc/shadow and /etc/group
       the Jumpserver user and key files: jumpserver/keys
       the users' home directories under /home
    
    Note: to prevent files from being forcibly overwritten, the file sync here can only be one-way, never bidirectional. Otherwise the following happens: a user is created in the Jumpserver web UI on one machine, but that user does not appear in /etc/passwd on that same Jumpserver server, because the sync from the other machine overwrote the file.
    
    The correct approach:
    Run the rsync+crontab sync on 192.168.10.20 (every 10 seconds) and run no sync at all on the other machine, 192.168.10.21;
    Log in to the Jumpserver web UI at http://192.168.10.20 to create users, so the user information reaches the other machine almost immediately (note: users must be created in the Jumpserver web UI at http://192.168.10.20).
    
    [root@jumpserver01 ~]# crontab -l
    .........
    
    * * * * * /usr/bin/rsync -e "ssh -p8888" -avpgolr /etc/passwd root@192.168.10.21:/etc/ > /dev/null 2>&1
    * * * * * sleep 10;/usr/bin/rsync -e "ssh -p8888" -avpgolr /etc/passwd root@192.168.10.21:/etc/ > /dev/null 2>&1
    * * * * * sleep 20;/usr/bin/rsync -e "ssh -p8888" -avpgolr /etc/passwd root@192.168.10.21:/etc/ > /dev/null 2>&1
    * * * * * sleep 30;/usr/bin/rsync -e "ssh -p8888" -avpgolr /etc/passwd root@192.168.10.21:/etc/ > /dev/null 2>&1
    * * * * * sleep 40;/usr/bin/rsync -e "ssh -p8888" -avpgolr /etc/passwd root@192.168.10.21:/etc/ > /dev/null 2>&1
    * * * * * sleep 50;/usr/bin/rsync -e "ssh -p8888" -avpgolr /etc/passwd root@192.168.10.21:/etc/ > /dev/null 2>&1
    
    * * * * * /usr/bin/rsync -e "ssh -p8888" -avpgolr /etc/shadow root@192.168.10.21:/etc/ > /dev/null 2>&1
    * * * * * sleep 10;/usr/bin/rsync -e "ssh -p8888" -avpgolr /etc/shadow root@192.168.10.21:/etc/ > /dev/null 2>&1
    * * * * * sleep 20;/usr/bin/rsync -e "ssh -p8888" -avpgolr /etc/shadow root@192.168.10.21:/etc/ > /dev/null 2>&1
    * * * * * sleep 30;/usr/bin/rsync -e "ssh -p8888" -avpgolr /etc/shadow root@192.168.10.21:/etc/ > /dev/null 2>&1
    * * * * * sleep 40;/usr/bin/rsync -e "ssh -p8888" -avpgolr /etc/shadow root@192.168.10.21:/etc/ > /dev/null 2>&1
    * * * * * sleep 50;/usr/bin/rsync -e "ssh -p8888" -avpgolr /etc/shadow root@192.168.10.21:/etc/ > /dev/null 2>&1
    
    * * * * * /usr/bin/rsync -e "ssh -p8888" -avpgolr /etc/group root@192.168.10.21:/etc/ > /dev/null 2>&1
    * * * * * sleep 10;/usr/bin/rsync -e "ssh -p8888" -avpgolr /etc/group root@192.168.10.21:/etc/ > /dev/null 2>&1
    * * * * * sleep 20;/usr/bin/rsync -e "ssh -p8888" -avpgolr /etc/group root@192.168.10.21:/etc/ > /dev/null 2>&1
    * * * * * sleep 30;/usr/bin/rsync -e "ssh -p8888" -avpgolr /etc/group root@192.168.10.21:/etc/ > /dev/null 2>&1
    * * * * * sleep 40;/usr/bin/rsync -e "ssh -p8888" -avpgolr /etc/group root@192.168.10.21:/etc/ > /dev/null 2>&1
    * * * * * sleep 50;/usr/bin/rsync -e "ssh -p8888" -avpgolr /etc/group root@192.168.10.21:/etc/ > /dev/null 2>&1
    
    * * * * * /usr/bin/rsync -e "ssh -p8888" -avpgolr /data/jumpserver/keys/ 192.168.10.21:/data/jumpserver/keys/ > /dev/null 2>&1
    * * * * * sleep 10;/usr/bin/rsync -e "ssh -p8888" -avpgolr /data/jumpserver/keys/ 192.168.10.21:/data/jumpserver/keys/ > /dev/null 2>&1
    * * * * * sleep 20;/usr/bin/rsync -e "ssh -p8888" -avpgolr /data/jumpserver/keys/ 192.168.10.21:/data/jumpserver/keys/ > /dev/null 2>&1
    * * * * * sleep 30;/usr/bin/rsync -e "ssh -p8888" -avpgolr /data/jumpserver/keys/ 192.168.10.21:/data/jumpserver/keys/ > /dev/null 2>&1
    * * * * * sleep 40;/usr/bin/rsync -e "ssh -p8888" -avpgolr /data/jumpserver/keys/ 192.168.10.21:/data/jumpserver/keys/ > /dev/null 2>&1
    * * * * * sleep 50;/usr/bin/rsync -e "ssh -p8888" -avpgolr /data/jumpserver/keys/ 192.168.10.21:/data/jumpserver/keys/ > /dev/null 2>&1
    
    * * * * * /usr/bin/rsync -e "ssh -p8888" -avpgolr /home/ 192.168.10.21:/home/ > /dev/null 2>&1
    * * * * * sleep 10;/usr/bin/rsync -e "ssh -p8888" -avpgolr /home/ 192.168.10.21:/home/ > /dev/null 2>&1
    * * * * * sleep 20;/usr/bin/rsync -e "ssh -p8888" -avpgolr /home/ 192.168.10.21:/home/ > /dev/null 2>&1
    * * * * * sleep 30;/usr/bin/rsync -e "ssh -p8888" -avpgolr /home/ 192.168.10.21:/home/ > /dev/null 2>&1
    * * * * * sleep 40;/usr/bin/rsync -e "ssh -p8888" -avpgolr /home/ 192.168.10.21:/home/ > /dev/null 2>&1
    * * * * * sleep 50;/usr/bin/rsync -e "ssh -p8888" -avpgolr /home/ 192.168.10.21:/home/ > /dev/null 2>&1
    
    Then restart the jumpserver service on both machines.
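Because the sync is one-way, an account created through the slave's web UI is wiped by the next rsync from the master, and a lagging or failed sync leaves the slave without accounts that exist on the master. The following Python check is an added example (not from the original post): it compares a master and a slave /etc/passwd and reports both kinds of drift, using constructed sample passwd contents.

```python
"""Report account drift between the master and slave copies of /etc/passwd.
Added example: under one-way rsync, accounts only on the slave will be overwritten on
the next run, and accounts missing on the slave mean the sync is lagging or failed."""


def parse_passwd(text):
    """Map username -> (uid, gid, home); malformed lines are skipped, not guessed."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7 or line.startswith("#"):
            continue
        name, _pw, uid, gid, _gecos, home, _shell = fields
        users[name] = (int(uid), int(gid), home)
    return users


def compare_accounts(master_text, slave_text, min_uid=1000):
    """Compare non-system accounts (uid >= min_uid) and return the drift found."""
    master, slave = parse_passwd(master_text), parse_passwd(slave_text)
    report = {"missing_on_slave": [], "only_on_slave": [], "id_mismatch": []}
    for name, (uid, gid, _home) in sorted(master.items()):
        if uid < min_uid:
            continue
        if name not in slave:
            report["missing_on_slave"].append(name)   # sync lagging or failed
        elif slave[name][:2] != (uid, gid):
            report["id_mismatch"].append(name)        # home dir ownership will break
    for name, (uid, _gid, _home) in sorted(slave.items()):
        if uid >= min_uid and name not in master:
            report["only_on_slave"].append(name)      # created on the wrong node; will be wiped
    return report


# Constructed sample data: "bob" was created on the master but has not reached the
# slave yet; "carol" was created on the slave and will vanish on the next sync.
MASTER_PASSWD = """root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001::/home/alice:/bin/bash
bob:x:1002:1002::/home/bob:/bin/bash
"""
SLAVE_PASSWD = """root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001::/home/alice:/bin/bash
carol:x:1003:1003::/home/carol:/bin/bash
"""

if __name__ == "__main__":
    # In practice read /etc/passwd locally and fetch the slave copy over ssh -p8888.
    for kind, names in compare_accounts(MASTER_PASSWD, SLAVE_PASSWD).items():
        print("%-16s %s" % (kind, ", ".join(names) or "-"))
```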
    
    5) Load-balancing configuration for web port 80. The access address is http://jump.kevin-inc.com
    Reference: http://www.cnblogs.com/kevingrace/p/6138185.html
       
    [root@inner-lb01 ~]# cat /data/nginx/conf/vhosts/jump.kevin-inc.com.conf
    upstream jump-inc {
        server 192.168.10.20:80 max_fails=3 fail_timeout=10s;
        server 192.168.10.21:80 max_fails=3 fail_timeout=10s;
    }

    server {
        listen      80;
        server_name jump.kevin-inc.com;

        access_log  /data/nginx/logs/jump.kevin-inc.com-access.log main;
        error_log   /data/nginx/logs/jump.kevin-inc.com-error.log;

        location / {
            proxy_pass http://jump-inc;
            proxy_redirect off;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header REMOTE-HOST $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_connect_timeout 300;
            proxy_send_timeout 300;
            proxy_read_timeout 600;
            proxy_buffer_size 256k;
            proxy_buffers 4 256k;
            proxy_busy_buffers_size 256k;
            proxy_temp_file_write_size 256k;
            proxy_next_upstream error timeout invalid_header http_502 http_503 http_504;
            proxy_max_temp_file_size 128m;
            #proxy_cache mycache;
            #proxy_cache_valid 200 302 1h;
            #proxy_cache_valid 301 1d;
            #proxy_cache_valid any 1m;
        }
    }
       
       
    6) Load-balancing configuration for the SSH login port 8888
    For the lvs+keepalived setup see: http://www.cnblogs.com/kevingrace/p/5570500.html
       
    The two LVS nodes are configured as follows (the VIP is 10.0.8.24)
    [root@jump-lvs01 ~]# cat /etc/keepalived/keepalived.conf
    ! Configuration File for keepalived
          
    global_defs {
       router_id LVS_Master
    }
          
    vrrp_instance VI_1 {
        state MASTER            
        interface eth0         
        virtual_router_id 51    
        priority 100           
        advert_int 1            
        authentication {
            auth_type PASS      
            auth_pass 1111      
        }
        virtual_ipaddress {
            192.168.10.24     
        }
    }
          
    virtual_server 192.168.10.24 8888 {
        delay_loop 6            
        lb_algo wrr             
        lb_kind DR              
        #nat_mask 255.255.255.0
        persistence_timeout 600  
        protocol TCP           
          
        real_server 192.168.10.20 8888 {
            weight 3
            TCP_CHECK {
                connect_timeout 3
                nb_get_retry 3
                delay_before_retry 3
                connect_port 8888
            }
        }
        real_server 192.168.10.21 8888 {
            weight 3
            TCP_CHECK {
                connect_timeout 3
                nb_get_retry 3
                delay_before_retry 3
                connect_port 8888
            }
        }
    }
       
       
       
    [root@jump-lvs02 ~]# cat /etc/keepalived/keepalived.conf
    ! Configuration File for keepalived
          
    global_defs {
       router_id LVS_Backup
    }
          
    vrrp_instance VI_1 {
        state BACKUP            
        interface eth0         
        virtual_router_id 51    
        priority 90           
        advert_int 1            
        authentication {
            auth_type PASS      
            auth_pass 1111      
        }
        virtual_ipaddress {
            192.168.10.24     
        }
    }
          
    virtual_server 192.168.10.24 8888 {
        delay_loop 6            
        lb_algo wrr             
        lb_kind DR              
        #nat_mask 255.255.255.0
        persistence_timeout 600  
        protocol TCP           
          
        real_server 192.168.10.20 8888 {
            weight 3
            TCP_CHECK {
                connect_timeout 3
                nb_get_retry 3
                delay_before_retry 3
                connect_port 8888
            }
        }
       
        real_server 192.168.10.21 8888 {
            weight 3
            TCP_CHECK {
                connect_timeout 3
                nb_get_retry 3
                delay_before_retry 3
                connect_port 8888
            }
        }
    }
    
    In the Xshell client, log in to the bastion host using 192.168.10.20, 192.168.10.21 or 192.168.10.24; all three addresses work.
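The two keepalived.conf files above must agree on everything except state and priority: a VRID or auth_pass that differs makes each node believe it is alone and both claim the VIP, and a differing real_server list gives the two LVS nodes different backend pools after a failover. The following Python check is an added example (not from the original post) that parses a MASTER/BACKUP pair and reports such mismatches; sample_conf builds constructed configs mirroring the two shown above.

```python
"""Consistency check for a keepalived MASTER/BACKUP pair (added example, not the
post's own tooling): nodes must agree on VRID, auth, VIP and real servers."""
import re

def parse_keepalived(text):
    """Extract the fields that matter for a VRRP/LVS pair from one keepalived.conf."""
    def scalar(key):
        m = re.search(r"\b%s\s+(\S+)" % key, text)
        return m.group(1) if m else None
    vips = re.search(r"virtual_ipaddress\s*\{([^}]*)\}", text)
    vs = re.search(r"virtual_server\s+(\S+)\s+(\d+)", text)
    return {
        "state": scalar("state"),
        "priority": int(scalar("priority") or 0),
        "vrid": scalar("virtual_router_id"),
        "auth_pass": scalar("auth_pass"),
        "vips": sorted(vips.group(1).split()) if vips else [],
        "vs": (vs.group(1), int(vs.group(2))) if vs else None,
        "real_servers": sorted(re.findall(r"real_server\s+(\S+)\s+(\d+)", text)),
    }

def check_pair(master_text, backup_text):
    """Return a list of problems; an empty list means the pair is consistent."""
    m, b = parse_keepalived(master_text), parse_keepalived(backup_text)
    problems = []
    if (m["state"], b["state"]) != ("MASTER", "BACKUP"):
        problems.append("states must be MASTER/BACKUP, got %s/%s" % (m["state"], b["state"]))
    if m["priority"] <= b["priority"]:
        problems.append("MASTER priority %d must exceed BACKUP priority %d" % (m["priority"], b["priority"]))
    for key in ("vrid", "auth_pass", "vips", "vs", "real_servers"):   # must match on both nodes
        if m[key] != b[key]:
            problems.append("%s differs: %r vs %r" % (key, m[key], b[key]))
    return problems

def sample_conf(state, priority, vrid="51"):
    """Constructed config mirroring the post's two nodes (VIP 192.168.10.24, port 8888)."""
    return """vrrp_instance VI_1 {
    state %s
    virtual_router_id %s
    priority %d
    authentication { auth_type PASS auth_pass 1111 }
    virtual_ipaddress { 192.168.10.24 }
}
virtual_server 192.168.10.24 8888 {
    real_server 192.168.10.20 8888 { weight 3 }
    real_server 192.168.10.21 8888 { weight 3 }
}
""" % (state, vrid, priority)
```

Run check_pair on the real files from both LVS nodes (fetched however you normally collect configs) before a planned failover test.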
    Original article: https://www.cnblogs.com/kevingrace/p/8305016.html