High availability cluster deployment of jumpserver: (6) deployment of SSH agent module Koko and implementation of system service management
2020-11-06 01:17:00 【dusthunter】
1、 Configure the firewall
# Only allow 10.255.200.1/30 to reach the koko ports 22222 and 5000.
# The rich rule is single-quoted so that the inner double quotes reach firewalld intact.
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="10.255.200.1/30" port protocol="tcp" port="22222" accept'
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="10.255.200.1/30" port protocol="tcp" port="5000" accept'
firewall-cmd --reload
2、 Install the SSH agent module koko
# Download the koko package and unpack it
cd /sas/jumpserver
wget https://github.com/jumpserver/koko/releases/download/v2.3.1/koko-v2.3.1-linux-amd64.tar.gz
tar -xf koko-v2.3.1-linux-amd64.tar.gz
mv koko-v2.3.1-linux-amd64 koko
cd koko
# Place the executable in /usr/local/bin/ so it can be invoked without an absolute path
mv kubectl /usr/local/bin/
# Also download the kubectl.tar.gz package into the koko directory
wget https://download.jumpserver.org/public/kubectl.tar.gz
tar -xf kubectl.tar.gz
chmod 755 kubectl
mv kubectl /usr/local/bin/rawkubectl
rm -rf kubectl.tar.gz
3、 Modify the koko configuration file
# Create the configuration file from the shipped example
cd /sas/jumpserver/koko
cp config_example.yml config.yml
# Edit the koko configuration file; only the items that need changing are listed below
vi config.yml
# Jumpserver URL; used when koko registers itself through the API
CORE_HOST: https://10.255.200.5
# Set BOOTSTRAP_TOKEN to the same value as in jumpserver/config.yml
BOOTSTRAP_TOKEN: xxxxxxxxxxxxxxxx
# Log level
LOG_LEVEL: ERROR
# Use redis for session sharing
SHARE_ROOM_TYPE: redis
# Redis settings; note that the IP is the floating (VIP) address
REDIS_HOST: 10.255.200.4
REDIS_PORT: 6379
REDIS_PASSWORD: xxxxxxxx
REDIS_DB_ROOM: 6
4、 Write the systemd service management script
# Write the start/stop script for the SSH agent module koko
vi /sas/jumpserver/tools/koko.service.sh
#!/bin/bash
# Abort if the koko directory is missing instead of running ./koko from the wrong place
cd /sas/jumpserver/koko/ || exit 1
case "$1" in
start)
    ./koko -d
    ;;
stop)
    ./koko -s stop
    ;;
restart)
    ./koko -s stop && ./koko -d
    ;;
*)
    echo "Usage: $0 {start|stop|restart}" >&2
    exit 1
    ;;
esac
# Write the systemd unit for the SSH agent module
vi /usr/lib/systemd/system/koko.service
[Unit]
Description=Jumpserver Koko Services
After=network.target remote-fs.target redis.service keepalived.service jumpserver.service
[Service]
Type=forking
ExecStart=/usr/bin/bash /sas/jumpserver/tools/koko.service.sh start
ExecReload=/usr/bin/bash /sas/jumpserver/tools/koko.service.sh restart
ExecStop=/usr/bin/bash /sas/jumpserver/tools/koko.service.sh stop
Restart=on-failure
RestartSec=5
[Install]
WantedBy=multi-user.target
5、 Handling HTTPS certificate validation errors
After HTTPS is enabled on tengine, its certificate must be imported on the hosts where koko and guacamole are deployed; otherwise koko reports an error when it calls the API. The fix is to add the certificate to the host's certificate trust list.
# Show the certificate of the target API service; the same method works for any other HTTPS service
openssl s_client -showcerts -connect 10.255.200.5:443
...
-----BEGIN CERTIFICATE-----
(certificate body omitted)
-----END CERTIFICATE-----
...
# Append everything from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE----- to the end of /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
# Open the trust list, press SHIFT+G to jump to the end of the file, and paste the certificate
vi /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
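The same trust import, as an added example that is not part of the original post or of the Jumpserver project: it fetches the certificate the API presents, shows its SHA-256 fingerprint for out-of-band comparison, installs it through the ca-trust anchors directory (which, unlike a hand-edited tls-ca-bundle.pem, survives later `update-ca-trust` runs) and confirms a TLS handshake now verifies. The API address 10.255.200.5:443 is the one from the post; the anchor file name and the RHEL/CentOS paths are assumptions.

```shell
#!/bin/bash
# Added example (not from the original post): trust the certificate that the
# tengine/Jumpserver API presents by installing it as a ca-trust anchor rather
# than appending it to tls-ca-bundle.pem, which `update-ca-trust` regenerates
# and so silently discards hand-made edits. Assumed: API address
# 10.255.200.5:443 from the post; the anchor file name is a placeholder.
set -eu
API_HOST="${API_HOST:-10.255.200.5}"
API_PORT="${API_PORT:-443}"
ANCHOR_FILE="/etc/pki/ca-trust/source/anchors/jumpserver-api.crt"

# Keep only the first PEM certificate (the server's own) from
# `openssl s_client -showcerts` output on stdin. Round-tripping it through
# `openssl x509` makes a truncated or garbled blob fail instead of being
# silently added to the trust store.
extract_first_cert() {
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' |
        openssl x509 -outform PEM
}

# SHA-256 fingerprint of the PEM certificate on stdin; compare it with the
# value shown on the tengine host before trusting what came over the wire.
cert_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Fetch the certificate presented on API_HOST:API_PORT (needs the network).
fetch_server_cert() {
    openssl s_client -showcerts -connect "${API_HOST}:${API_PORT}" \
        </dev/null 2>/dev/null | extract_first_cert
}

# Install a PEM file as a trust anchor, rebuild the system bundles, and
# confirm a handshake to the API now verifies against the default store.
# If tengine's certificate is issued by an internal CA, pass that CA's
# certificate here instead of the leaf so the trust survives renewals.
install_trust_anchor() {
    install -m 0644 "$1" "${ANCHOR_FILE}"
    update-ca-trust extract
    openssl s_client -connect "${API_HOST}:${API_PORT}" -verify_return_error \
        </dev/null >/dev/null
}

if [ "${1:-}" = "install" ]; then
    tmp="$(mktemp)"
    fetch_server_cert >"${tmp}"
    echo "Presented certificate SHA-256: $(cert_fingerprint <"${tmp}")"
    install_trust_anchor "${tmp}"
    rm -f "${tmp}"
fi
```

Run it as root with the single argument `install` on each koko and guacamole host; without arguments it only defines the functions.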
6、 Other
When a registered koko instance has to be re-registered after a configuration change, delete its access key first:
rm -rf /sas/jumpserver/koko/data/keys/.access_key
koko log file path: /sas/jumpserver/koko/data/logs
cat /sas/jumpserver/koko/data/logs/koko.log
Copyright notice: this article was written by [dusthunter]; please include a link to the original when reposting.