当前位置:网站首页>High availability cluster deployment of jumpserver: (6) deployment of SSH agent module Koko and implementation of system service management
High availability cluster deployment of jumpserver: (6) deployment of SSH agent module Koko and implementation of system service management
2020-11-06 01:17:00 【dusthunter】
1、 Configure firewall
firewall-cmd --permanent --add-rich-rule="rule family="ipv4" source address="10.255.200.1/30" port protocol="tcp" port="22222" accept"
firewall-cmd --permanent --add-rich-rule="rule family="ipv4" source address="10.255.200.1/30" port protocol="tcp" port="5000" accept"
firewall-cmd --reload
2、 install SSH agent koko modular
# download koko Install the package and unzip
cd /sas/jumpserver
wget https://github.com/jumpserver/koko/releases/download/v2.3.1/koko-v2.3.1-linux-amd64.tar.gz
tar -xf koko-v2.3.1-linux-amd64.tar.gz
mv koko-v2.3.1-linux-amd64 koko
cd koko
# The execution file is placed in /usr/local/bin/, Implement non absolute path calls
mv kubectl /usr/local/bin/
# Also in koko Download under directory kubectl.tar.gz package
wget https://download.jumpserver.org/public/ kubectl.tar.gz
tar -xf kubectl.tar.gz
chmod 755 kubectl
mv kubectl /usr/local/bin/rawkubectl
rm -rf kubectl.tar.gz
3、 modify koko The configuration file
# Back up the original configuration file
cd /sas/jumpserver/koko
cp config_example.yml config.yml
# modify koko The configuration file , Only the items that need to be modified are listed below
vi config.yml
# Jumpserver Project url, api Request registration will use
CORE_HOST: https://10.255.200.5
# modify BOOTSTRAP_TOKEN Keep up with jumpserver/config.yml In the same
BOOTSTRAP_TOKEN:xxxxxxxxxxxxxxxx
# Modify log level
LOG_LEVEL: ERROR
# Change the type of session sharing to redis
SHARE_ROOM_TYPE: redis
# modify Redis To configure , Be careful IP Is floating IP
REDIS_HOST: 10.255.200.4
REDIS_PORT: 6379
REDIS_PASSWORD: xxxxxxxx
REDIS_DB_ROOM: 6
4、 To write systemd System service management script
# To write SSH Agent module koko The startup script
vi /sas/jumpserver/tools/koko.service.sh
#!/bin/bash
cd /sas/jumpserver/koko/
case $1 in
start)
./koko -d
;;
stop)
./koko -s stop
;;
restart)
./koko -s stop && ./koko -d
;;
*)
;;
esac
# To write SSH Agent module system service configuration
vi /usr/lib/system/system/koko.service
[Unit]
Description=Jumpserver Koko Services
After=network.target remote-fs.target redis.service keepalived.service jumpserver.service
[Service]
Type=forking
ExecStart=/usr/bin/bash /sas/jumpserver/tools/koko.service.sh start
ExecReload=/usr/bin/bash /sas/jumpserver/tools/koko.service.sh restart
ExecStop=/usr/bin/bash /sas/jumpserver/tools/koko.service.sh stop
Restart=on-failure
RestartSec=5
[Install]
WantedBy=multi-user.target
5、https Certificate validation error handling
tengine Enable https After that, we need to deploy koko and guacamole Import the security certificate on the host of , otherwise koko visit api Error will be reported when interface , The processing method is to add the relevant certificate information to the certificate trust list of the host .
# Look at the goal API Certificate information for the service , This method can be applied to other https The same applies to services
openssl s_client -showcerts -connect 10.255.200.5:443
...
-----BEGIN CERTIFICATE-----
MIIDizCCAnOgAwIBAgIUM4uh9rB+BGjNBBLssCLCMdP54fkwDQYJKoZIhvcNAQEL
BQAwSjELMAkGA1UEBhMCQ04xDjAMBgNVBAgMBUhVQkVJMQ4wDAYDVQQHDAVXVUhB
TjENMAsGA1UECgwESEJUVjEMMAoGA1UECwwDQ0pZMCAXDTIwMTAxNTA5Mjk1M1oY
DzIxMjAwOTIxMDkyOTUzWjBKMQswCQYDVQQGEwJDTjEOMAwGA1UECAwFSFVCRUkx
DjAMBgNVBAcMBVdVSEFOMQ0wCwYDVQQKDARIQlRWMQwwCgYDVQQLDANDSlkwggEi
MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC8elmgAtgkp3lrtVLGtan1ktQ9
+VxIofV88da9GL07lcPpMjJFqUpMngU7F+G4JUEntm/nxH9VypEp8QE+CMnRdYN0
WXnJczSC1bZDF48ya1HnZ+H6wTxfZpAf4ZCzrXHUyPWUyiHKaOAY54UVQkNLF54y
rEN7hNy5NPPPQf6fnYoN/q72VqDfwGNEtfO7k57Zqf94uh09nnqNjHhuW2ZdfzHG
3qWdwq9Kj7Q0IeQ9ufI/gd3yCfmej63HF3KLUbzzYgDHFZsAFmwTsmCoimhtlQK/
c5rQ4brGpTKl9Lg4R0d+/p7+FcBM76a/V/S42S6oyFYRaXaYnm3zrXttQ8VXAgMB
AAGjZzBlMAsGA1UdDwQEAwIF4DAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUH
AwIwNwYDVR0RBDAwLoIUanVtcHNlcnZlci5oYnJ0di5vcmeHBAr/yAWHBAr/yAGH
BAr/yAKHBAr/yAMwDQYJKoZIhvcNAQELBQADggEBAFphglFfhEwxjEQ6jsqGaiwt
r8tse1E6dsiPYjQeHq6sYKaV2G2KxGHs1Mh66augFG37ljV0XVtkaFUyc6F+b00p
Z7CSZ17gI7QcycZpcxClf7I3/CXpS/NDdYQR/yir1reYmE01H50bw5tNVaHZWrL0
kUXOtsh68dSq0lwbbNEoPh7bFZV746ycC8vZHGZVCzgCit2IRQa4OPt8lV025JJr
UTy/ASDLVZuGRkAa7z0dA5CFas9QFu/ya938NJVVFoHzUy+SwpME5rBlX9kU3pin
nkNQ5Bl3C10bEQtetAmdTGHV384rj2ZnfRLXobXw21oXJRLfuQPLvYHC8H4dsRQ=
-----END CERTIFICATE-----
...
# take -----BEGIN CERTIFICATE----- To -----END CERTIFICATE----- Add the middle to /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem ending
# Open the list of trust certificates , Use SHIFT+G Jump to the end of the file , Paste the certificate content
vi /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
6、 Other
Registered koko When the instance needs to be re registered due to configuration modification , You need to delete the relevant accesskey
rm –rf /sas/jumpserver/koko/data/keys/.access_key
koko Log file path :/sas/jumpserver/koko/data/logs
cat /sas/jumpserver/koko/data/logs/koko.log
版权声明
本文为[dusthunter]所创,转载请带上原文链接,感谢
边栏推荐
- How to get started with new HTML5 (2)
- 多机器人行情共享解决方案
- Microservices: how to solve the problem of link tracing
- Working principle of gradient descent algorithm in machine learning
- DRF JWT authentication module and self customization
- 怎么理解Python迭代器与生成器?
- 幽默:黑客式编程其实类似机器学习!
- X Window System介紹
- 使用NLP和ML来提取和构造Web数据
- 神经网络简史
猜你喜欢
一时技痒,撸了个动态线程池,源码放Github了
通过深层神经网络生成音乐
DRF JWT authentication module and self customization
从海外进军中国,Rancher要执容器云市场牛耳 | 爱分析调研
多机器人行情共享解决方案
TRON智能钱包PHP开发包【零TRX归集】
Don't go! Here is a note: picture and text to explain AQS, let's have a look at the source code of AQS (long text)
2018中国云厂商TOP5:阿里云、腾讯云、AWS、电信、联通 ...
钻石标准--Diamond Standard
自然语言处理之命名实体识别-tanfordcorenlp-NER(一)
随机推荐
GUI 引擎评价指标
连肝三个通宵,JVM77道高频面试题详细分析,就这?
(1) ASP.NET Introduction to core3.1 Ocelot
事半功倍:在没有机柜的情况下实现自动化
数字城市响应相关国家政策大力发展数字孪生平台的建设
Elasticsearch 第六篇:聚合統計查詢
Technical director, to just graduated programmers a word - do a good job in small things, can achieve great things
Programmer introspection checklist
连肝三个通宵,JVM77道高频面试题详细分析,就这?
Kitty中的动态线程池支持Nacos,Apollo多配置中心了
嘘!异步事件这样用真的好么?
Skywalking series blog 1 - install stand-alone skywalking
神经网络简史
“颜值经济”的野望:华熙生物净利率六连降,收购案遭上交所问询
Analysis of ThreadLocal principle
业内首发车道级导航背后——详解高精定位技术演进与场景应用
一时技痒,撸了个动态线程池,源码放Github了
使用NLP和ML来提取和构造Web数据
WeihanLi.Npoi 1.11.0/1.12.0 Release Notes
從小公司進入大廠,我都做對了哪些事?