一、架构说明

1)参考官方文档:https://docs.jumpserver.org/zh/master/install/setup_by_lb/#jumpserver-01
2)架构如下:
1655545596377.png

3)主机规划

主机 系统版本 IP 安装软件
jms_node01 centos7.9 192.168.45.52 mysql5.7,keepalived,sersync,redis5,nfs,jms组件
jms_node02 centos7.9 192.168.45.53 mysql5.7,keepalived,sersync,redis5,rsyncd,nfs,jms组件

二、Mysql 双主配置

2.1) 45.52数据库安装

  1. mkdir -p /application
  2. tar xf mysql-5.7.37-linux-glibc2.12-x86_64.tar.gz -C /application
  3. cd /application
  4. mv mysql-5.7.37-linux-glibc2.12-x86_64 mysql
  6. #卸载mariadb
  7. rpm -qa | grep mariadb
  8. mariadb-libs-5.5.68-1.el7.x86_64
  9. rpm -e --nodeps mariadb-libs-5.5.68-1.el7.x86_64
  11. #添加mysql用户
  12. groupadd mysql
  13. useradd mysql -M -g mysql  -s /sbin/nologin
  15. #配置环境变量
  16. echo "export PATH=/application/mysql/bin:$PATH" >>/etc/profile
  17. source /etc/profile
  19. #创建mysql数据、日志的存放目录
  20. mkdir -p /data/mysql/data
  21. mkdir -p /var/log/mysql
  22. chown -R mysql.mysql /application/mysql
  23. chown -R mysql.mysql /data/mysql/data
  24. chown -R mysql.mysql /var/log/mysql
  26. #安装依赖包
  27. yum install libaio-devel -y
  29. #无密码初始化
  30. cd /application/mysql
  31. mysqld --initialize-insecure --user=mysql --basedir=/application/mysql --datadir=/data/mysql/data
  33. #修改mysql配置文件
  34. cat >/etc/my.cnf <<EOF
  35. [mysqld]
  36. user = mysql
  37. port = 3306
  38. datadir = /data/mysql/data
  39. basedir = /application/mysql
  40. socket = /tmp/mysql.sock
  41. bind-address = 0.0.0.0
  42. character-set-server = utf8mb4
  43. collation-server = utf8mb4_general_ci
  44. log-error = /var/log/mysql/mysqld.log
  45. innodb_file_per_table=1
  46. skip_name_resolve=1
  47. slow_query_log=1
  48. slow_query_log_file=mysql-slow.log
  49. symbolic-links=0
  50. explicit_defaults_for_timestamp=1
  51. log_bin=mysql-bin
  52. log_bin_index=mysql-bin.index
  53. relay_log=relay-log
  54. relay_log_index=relay-log.index
  55. sync_binlog=1
  56. innodb_flush_log_at_trx_commit=1
  57. binlog_format=row
  58. gtid_mode=on
  59. enforce_gtid_consistency=on
  60. server_id=2
  61. EOF
  63. #配置mysql启动服务
  64. cat >/etc/systemd/system/mysqld.service <<EOF
  65. [Unit]
  66. Description=MySQL Server
  67. Documentation=man:mysqld(8)
  68. Documentation=http://dev.mysql.com/doc/refman/en/using-systemd.html
  69. After=network.target
  70. After=syslog.target
  71. [Install]
  72. WantedBy=multi-user.target
  73. [Service]
  74. User=mysql
  75. Group=mysql
  76. ExecStart=/application/mysql/bin/mysqld --defaults-file=/etc/my.cnf
  77. LimitNOFILE = 5000
  78. EOF
  80. #修改MySQL的root密码
  81. alter user root@'localhost' identified by 'Admin@1234';
  82. systemctl start  mysqld.service
  83. systemctl enable mysqld.service
  84. systemctl status mysqld.service

2.2) 45.53数据库安装

  1. # 安装过程略,配置文件如下:
  2. cat >/etc/my.cnf <<EOF
  3. [mysqld]
  4. user = mysql
  5. port = 3306
  6. datadir = /data/mysql/data
  7. basedir = /application/mysql
  8. socket = /tmp/mysql.sock
  9. bind-address = 0.0.0.0
  10. character-set-server = utf8mb4
  11. collation-server = utf8mb4_general_ci
  12. log-error = /var/log/mysql/mysqld.log
  13. innodb_file_per_table=1
  14. skip_name_resolve=1
  15. slow_query_log=1
  16. slow_query_log_file=mysql-slow.log
  17. symbolic-links=0
  18. explicit_defaults_for_timestamp=1
  19. log_bin=mysql-bin
  20. log_bin_index=mysql-bin.index
  21. relay_log=relay-log
  22. relay_log_index=relay-log.index
  23. sync_binlog=1
  24. innodb_flush_log_at_trx_commit=1
  25. binlog_format=row
  26. gtid_mode=on
  27. enforce_gtid_consistency=on
  28. server_id=2
  29. EOF

2.3) 主主配置

  1. master节点创建同步用户:
  2. # mysql -uroot -p
  3. grant replication slave on *.* to 'repluser1'@'192.168.45.%' identified by 'Admin@1234';
  4. flush privileges;
  5. show global variables like 'server_uuid';
  7. slave节点使用具有复制权限的用户repluser1连接至master节点,并启动复制线程:
  8. change master to master_host='192.168.45.52',master_user='repluser1',master_password='Admin@1234',master_port=3306,master_auto_position=1;
  9. start slave;
  12. slave节点创建同步用户
  13. grant replication slave on *.* to 'repluser2'@'192.168.45.%' identified by 'Admin@1234';
  14. flush privileges;
  15. show global variables like 'server_uuid';
  17. master节点节点使用具有复制权限的用户repluser2连接至slave节点,并启动复制线程:
  18. change master to master_host='192.168.45.53',master_user='repluser1',master_password='Admin@1234',master_port=3306,master_auto_position=1;
  19. start slave;

2.4) 主主环境验证

  1. 主建库
  2.  create database db;
  3.  use db;
  4.  create table tb(id int unsigned auto_increment primary key not null,age int not null);
  5.  desc tb;
  6.  insert into tb(age) values(35),(40);
  7.  select * from tb;
  9. 备验证:
  10. show databases like 'db';
  11. select * from db.tb;
  13. --------------------------------
  14. 备增加数据:
  15. insert into db.tb(age) values(60),(80);
  16. select * from db.tb;
  18. 主测试
  19. select * from db.tb;

三、keepalived安装配置

3.1) 安装与配置

  1. # 45.52和45.53安装keepalived
  2. yum -y install keepalived
  4. # 45.52和45.53配置监控脚本
  5. cat > /etc/keepalived/chk_mysqld.sh <<EOF
  6. #!/bin/bash
  7. n=$(ps -C mysqld --no-headers | wc -l)
  8. if [ $n -eq 0 ]; then
  9. systemctl stop keepalived.service
  10. fi
  11. EOF
  12. chmod +x /etc/keepalived/chk_mysqld.sh
  14. # 生成VRRP验证密码
  15. [root@samba01 keepalived]# openssl rand -base64 7
  16. UyaWnJ/6LQ==
  18. # 45.52修改配置文件
  19. cd /etc/keepalived <<EOF
  20. mv keepalived.conf{,.bak}
  21. cat >  keepalived.conf
  22. global_defs {
  23. notification_email {
  24. root@localhost
  25. }
  27. notification_email_from node1@localhost
  28. smtp_server 127.0.0.1
  29. smtp_connect_timeout 30
  30. router_id node1
  31. vrrp_mcast_group4 224.1.100.88
  32. }
  34. vrrp_script chk_mysqld {
  35. script "/etc/keepalived/chk_mysqld.sh"
  36. interval 10
  38. }
  39. vrrp_instance VI_1 {
  40. state BACKUP
  41. nopreempt
  42. interface ens32
  43. virtual_router_id 50
  44. priority 100
  45. advert_int 5
  47. authentication {
  48. auth_type PASS
  49. auth_pass UyaWnJ/6LQ==
  50. }
  51. virtual_ipaddress {
  53. 192.168.45.55
  55. }
  57. track_script {
  58. chk_mysqld
  59. }
  61. }
  62. EOF
  63. systemctl start keepalived.service
  64. systemctl enable keepalived.service
  65. systemctl status keepalived.service
  67. # 45.53修改配置文件
  68. cd /etc/keepalived
  69. mv keepalived.conf{,.bak}
  70. cat > /etc/keepalived <<EOF
  71. global_defs {
  73. notification_email {
  75. root@localhost
  77. }
  79. notification_email_from node2@localhost
  81. smtp_server 127.0.0.1
  83. smtp_connect_timeout 30
  85. router_id node2
  87. vrrp_mcast_group4 224.1.100.88
  89. }
  93. vrrp_script chk_mysqld {
  95. script "/etc/keepalived/chk_mysqld.sh"
  97. interval 10
  99. }
  103. vrrp_instance VI_1 {
  105. state BACKUP
  107. nopreempt
  109. interface ens32
  111. virtual_router_id 50
  113. priority 98
  115. advert_int 5
  117. authentication {
  119. auth_type PASS
  121. auth_pass UyaWnJ/6LQ==
  123. }
  125. virtual_ipaddress {
  127. 192.168.45.55
  129. }
  131. track_script {
  133. chk_mysqld
  135. }
  137. }
  138. EOF
  139. systemctl start keepalived.service
  140. systemctl enable keepalived.service
  141. systemctl status keepalived.service

3.2) 验证

  1. tail -f /var/log/messages
  2. ip a 
  4. # 切换验证:
  5. 45.52
  6. systemctl stop mysqld.service
  8. # 45.53上会出现192.168.45.55的IP

四、安装nfs

4.1) 安装及配置

  1. # 45.52和45.53上安装
  2. yum -y install nfs-utils rpcbind
  3. systemctl enable rpcbind nfs-server nfs-lock nfs-idmap
  4. systemctl start rpcbind nfs-server nfs-lock nfs-idmap
  6. # 45.52上配置
  7. mkdir -p /opt/jumpserver/core/data
  8. chmod 777 -R /opt/jumpserver/core/data
  9. vi /etc/exports
  10. /opt/jumpserver/core/data 192.168.45.*(rw,sync,all_squash,anonuid=0,anongid=0)
  11. exportfs -a
  13. # 45.53上挂载
  14. mkdir -p /opt/jumpserver/core/data
  15. mount -t nfs 192.168.45.52:/opt/jumpserver/core/data /opt/jumpserver/core/data
  16. echo "192.168.45.52:/opt/jumpserver/core/data /opt/jumpserver/core/data nfs defaults 0 0" >> /etc/fstab

五、安装rsync和sersync

  1. # 45.53上新建备份目录
  2. mkdir -p /opt/jumpserver/core/data1
  3. chmod 777 -R /opt/jumpserver/core/data1
  5. # 45.53上配置rsync服务
  6. cat > /etc/rsyncd.conf <<EOF
  7. uid = nobody
  8. gid = nobody
  9. port = 873
  10. fake super = yes
  11. use chroot = no
  12. max connections = 200
  13. timeout = 600
  14. ignore errors 
  15. read only = false
  16. list = false
  17. auth users = rsync_backup
  18. secrets file = /etc/rsync.passwd
  19. log file = /var/log/rsyncd.log
  20. #################################
  21. [backup]
  22. path = /backup
  23. [data]
  24. path = /opt/jumpserver/core/data1
  25. EOF
  27. echo "rsync_backup:Admin@1234" >  /etc/rsync.passwd
  28. chmod 600 /etc/rsync.passwd
  30. systemctl restart rsyncd
  31. systemctl enable rsyncd
  34. 45.52 上安装sersync
  35. wget https://dsf.jb51.net/201111/tools/sersync_64bit_binary_stable_final.tar.gz
  36. tar xf sersync_64bit_binary_stable_final.tar.gz
  37. mv GNU-Linux-x86 /usr/local/sersync
  38. vi confxml.xml
  39. <?xml version="1.0" encoding="ISO-8859-1"?>
  40. <head version="2.5">
  41.     <host hostip="localhost" port="8008"></host>
  42.     <debug start="false"/>
  43.     <fileSystem xfs="true"/>
  44.     <filter start="false">
  45.     <exclude expression="(.*)\.svn"></exclude>
  46.     <exclude expression="(.*)\.gz"></exclude>
  47.     <exclude expression="^info/*"></exclude>
  48.     <exclude expression="^static/*"></exclude>
  49.     </filter>
  50.     <inotify>
  51.     <delete start="true"/>
  52.     <createFolder start="true"/>
  53.     <createFile start="true"/>
  54.     <closeWrite start="true"/>
  55.     <moveFrom start="true"/>
  56.     <moveTo start="true"/>
  57.     <attrib start="true"/>
  58.     <modify start="true"/>
  59.     </inotify>
  61.     <sersync>
  62.     <localpath watch="/opt/jumpserver/core/data">
  63.         <remote ip="192.168.45.53" name="data"/>
  64.         <!--<remote ip="192.168.8.39" name="tongbu"/>-->
  65.         <!--<remote ip="192.168.8.40" name="tongbu"/>-->
  66.     </localpath>
  67.     <rsync>
  68.         <commonParams params="-az"/>
  69.         <auth start="true" users="rsync_backup" passwordfile="/etc/rsync.pass"/>
  70.         <userDefinedPort start="false" port="874"/><!-- port=874 -->
  71.         <timeout start="true" time="100"/><!-- timeout=100 -->
  72.         <ssh start="false"/>
  73.     </rsync>
  74.     <failLog path="/tmp/rsync_fail_log.sh" timeToExecute="60"/><!--default every 60mins execute once-->
  75.     <crontab start="false" schedule="600"><!--600mins-->
  76.         <crontabfilter start="false">
  77.         <exclude expression="*.php"></exclude>
  78.         <exclude expression="info/*"></exclude>
  79.         </crontabfilter>
  80.     </crontab>
  81.     <plugin start="false" name="command"/>
  82.     </sersync>
  84.     <plugin name="command">
  85.     <param prefix="/bin/sh" suffix="" ignoreError="true"/>    <!--prefix /opt/tongbu/mmm.sh suffix-->
  86.     <filter start="false">
  87.         <include expression="(.*)\.php"/>
  88.         <include expression="(.*)\.sh"/>
  89.     </filter>
  90.     </plugin>
  92.     <plugin name="socket">
  93.     <localpath watch="/opt/tongbu">
  94.         <deshost ip="192.168.138.20" port="8009"/>
  95.     </localpath>
  96.     </plugin>
  97.     <plugin name="refreshCDN">
  98.     <localpath watch="/data0/htdocs/cms.xoyo.com/site/">
  99.         <cdninfo domainname="ccms.chinacache.com" port="80" username="xxxx" passwd="xxxx"/>
  100.         <sendurl base="http://pic.xoyo.com/cms"/>
  101.         <regexurl regex="false" match="cms.xoyo.com/site([/a-zA-Z0-9]*).xoyo.com/images"/>
  102.     </localpath>
  103.     </plugin>
  104. </head>
  106. echo "Admin@1234" > /etc/rsync.pass
  107. chmod 600 /etc/rsync.pass
  108. /usr/local/sersync/sersync2 -dro /usr/local/sersync/confxml.xml 
  110. chmod +x /etc/rc.local 
  111. echo "/usr/local/sersync/sersync2 -dro /usr/local/sersync/confxml.xml" >>/etc/rc.local

六、部署redis

  1. # 45.52和45.53部署redis
  2. yum -y install epel-release https://repo.ius.io/ius-release-el7.rpm
  3. yum install -y redis5
  4. sed -i "s/bind 127.0.0.1/bind 0.0.0.0/g" /etc/redis.conf
  5. sed -i "561i maxmemory-policy allkeys-lru" /etc/redis.conf
  6. sed -i "481i requirepass KXOeyNgDeTdpeu9q" /etc/redis.conf
  7. systemctl enable redis
  8. systemctl start redis

七、创建jumpserver数据库

  1.  # 在45.52或45.53上创建
  2.  create database jumpserver default charset 'utf8';
  3.  set global validate_password_policy=LOW;
  4.  create user 'jumpserver'@'%' identified by 'KXOeyNgDeTdpeu';
  5.  grant all on jumpserver.* to 'jumpserver'@'%';
  6.  flush privileges;
  7.  exit

八、部署jms组件

  1. # 45.52和45.53上下载jumpserver
  2. cd /opt
  3. yum -y install wget
  4. wget https://github.com/jumpserver/installer/releases/download/v2.23.0/jumpserver-installer-v2.23.0.tar.gz
  5. tar -xf jumpserver-installer-v2.23.0.tar.gz
  6. cd jumpserver-installer-v2.23.0
  8. cat  config-example.txt
  9. # 以下设置如果为空系统会自动生成随机字符串填入
  10. ## 迁移请修改 SECRET_KEY 和 BOOTSTRAP_TOKEN 为原来的设置
  11. ## 完整参数文档 https://docs.jumpserver.org/zh/master/admin-guide/env/
  13. ## 安装配置, 可以使用华为云加速下载, arm64 用户需要注释掉 DOCKER_IMAGE_PREFIX
  14. # DOCKER_IMAGE_PREFIX=swr.cn-south-1.myhuaweicloud.com
  15. VOLUME_DIR=/opt/jumpserver
  16. DOCKER_DIR=/var/lib/docker
  17. SECRET_KEY=kWQdmdCQKjaWlHYpPhkNQDkfaRulM6YnHctsHLlSPs8287o2kW
  18. BOOTSTRAP_TOKEN=KXOeyNgDeTdpeu9q
  19. LOG_LEVEL=ERROR
  21. ##  MySQL 配置, USE_EXTERNAL_MYSQL=1 表示使用外置 MySQL, 请输入正确的 MySQL 信息
  22. USE_EXTERNAL_MYSQL=1
  23. DB_HOST=192.168.45.55
  24. DB_PORT=3306
  25. DB_USER=jumpserver
  26. DB_PASSWORD=KXOeyNgDeTdpeu
  27. DB_NAME=jumpserver
  29. ##  Redis 配置, USE_EXTERNAL_REDIS=1 表示使用外置 Redis, 请输入正确的 Redis 信息
  30. USE_EXTERNAL_REDIS=1
  31. REDIS_HOST=192.168.45.52
  32. REDIS_PORT=6379
  33. REDIS_PASSWORD=KXOeyNgDeTdpeu9q
  35. ## Compose 项目设置, 如果 192.168.250.0/24 网段与你现有网段冲突, 请修改然后重启 JumpServer
  36. COMPOSE_PROJECT_NAME=jms
  37. COMPOSE_HTTP_TIMEOUT=3600
  38. DOCKER_CLIENT_TIMEOUT=3600
  39. DOCKER_SUBNET=192.168.250.0/24
  41. ## IPV6 设置, 容器是否开启 ipv6 nat, USE_IPV6=1 表示开启, 为 0 的情况下 DOCKER_SUBNET_IPV6 定义不生效
  42. USE_IPV6=0
  43. DOCKER_SUBNET_IPV6=fc00:1010:1111:200::/64
  45. ## 访问配置
  46. HTTP_PORT=80
  47. SSH_PORT=2222
  48. MAGNUS_MYSQL_PORT=33060
  49. MAGNUS_MARIADB_PORT=33061
  50. MAGNUS_REDIS_PORT=63790
  52. ## HTTPS 配置, 参考 https://docs.jumpserver.org/zh/master/admin-guide/proxy/ 配置
  53. # USE_LB=1
  54. # HTTPS_PORT=443
  55. # SERVER_NAME=your_domain_name
  56. # SSL_CERTIFICATE=your_cert
  57. # SSL_CERTIFICATE_KEY=your_cert_key
  59. ## Nginx 文件上传大小
  60. CLIENT_MAX_BODY_SIZE=4096m
  62. ## Task 配置, 是否启动 jms_celery 容器, 单节点必须开启
  63. USE_TASK=1
  65. ## XPack, USE_XPACK=1 表示开启, 开源版本设置无效
  66. USE_XPACK=0
  67. RDP_PORT=3389
  68. MAGNUS_POSTGRE_PORT=54320
  70. ## Core 配置, Session 定义, SESSION_COOKIE_AGE 表示闲置多少秒后 session 过期, SESSION_EXPIRE_AT_BROWSER_CLOSE=true 表示关闭浏览器即 session 过期
  71. # SESSION_COOKIE_AGE=86400
  72. SESSION_EXPIRE_AT_BROWSER_CLOSE=true
  74. ## 组件配置
  75. CORE_HOST=http://core:8080
  76. JUMPSERVER_ENABLE_FONT_SMOOTHING=true
  77. TCP_SEND_BUFFER_BYTES=4194304
  78. TCP_RECV_BUFFER_BYTES=6291456
  80. ## 终端使用宿主 HOSTNAME 标识
  81. SERVER_HOSTNAME=${HOSTNAME}
  83. ## 额外的配置
  84. CURRENT_VERSION=
  87. # 启动
  88. ./jmsctl.sh install

九、切换

  1. # 当45.52无法启动后,需要在45.53手动切换目录
  2. rm -fr /opt/jumpserver/core/data
  3. mv /opt/jumpserver/core/data1 /opt/jumpserver/core/data