当前位置:网站首页>High availability cluster deployment of jumpserver: (6) deployment of SSH agent module Koko and implementation of system service management
High availability cluster deployment of jumpserver: (6) deployment of SSH agent module Koko and implementation of system service management
2020-11-06 01:17:00 【dusthunter】
1、 Configure firewall
firewall-cmd --permanent --add-rich-rule="rule family="ipv4" source address="10.255.200.1/30" port protocol="tcp" port="22222" accept"
firewall-cmd --permanent --add-rich-rule="rule family="ipv4" source address="10.255.200.1/30" port protocol="tcp" port="5000" accept"
firewall-cmd --reload
2、 install SSH agent koko modular
# download koko Install the package and unzip
cd /sas/jumpserver
wget https://github.com/jumpserver/koko/releases/download/v2.3.1/koko-v2.3.1-linux-amd64.tar.gz
tar -xf koko-v2.3.1-linux-amd64.tar.gz
mv koko-v2.3.1-linux-amd64 koko
cd koko
# The execution file is placed in /usr/local/bin/, Implement non absolute path calls
mv kubectl /usr/local/bin/
# Also in koko Download under directory kubectl.tar.gz package
wget https://download.jumpserver.org/public/ kubectl.tar.gz
tar -xf kubectl.tar.gz
chmod 755 kubectl
mv kubectl /usr/local/bin/rawkubectl
rm -rf kubectl.tar.gz
3、 modify koko The configuration file
# Back up the original configuration file
cd /sas/jumpserver/koko
cp config_example.yml config.yml
# modify koko The configuration file , Only the items that need to be modified are listed below
vi config.yml
# Jumpserver Project url, api Request registration will use
CORE_HOST: https://10.255.200.5
# modify BOOTSTRAP_TOKEN Keep up with jumpserver/config.yml In the same
BOOTSTRAP_TOKEN:xxxxxxxxxxxxxxxx
# Modify log level
LOG_LEVEL: ERROR
# Change the type of session sharing to redis
SHARE_ROOM_TYPE: redis
# modify Redis To configure , Be careful IP Is floating IP
REDIS_HOST: 10.255.200.4
REDIS_PORT: 6379
REDIS_PASSWORD: xxxxxxxx
REDIS_DB_ROOM: 6
4、 To write systemd System service management script
# To write SSH Agent module koko The startup script
vi /sas/jumpserver/tools/koko.service.sh
#!/bin/bash
cd /sas/jumpserver/koko/
case $1 in
start)
./koko -d
;;
stop)
./koko -s stop
;;
restart)
./koko -s stop && ./koko -d
;;
*)
;;
esac
# To write SSH Agent module system service configuration
vi /usr/lib/system/system/koko.service
[Unit]
Description=Jumpserver Koko Services
After=network.target remote-fs.target redis.service keepalived.service jumpserver.service
[Service]
Type=forking
ExecStart=/usr/bin/bash /sas/jumpserver/tools/koko.service.sh start
ExecReload=/usr/bin/bash /sas/jumpserver/tools/koko.service.sh restart
ExecStop=/usr/bin/bash /sas/jumpserver/tools/koko.service.sh stop
Restart=on-failure
RestartSec=5
[Install]
WantedBy=multi-user.target
5、https Certificate validation error handling
tengine Enable https After that, we need to deploy koko and guacamole Import the security certificate on the host of , otherwise koko visit api Error will be reported when interface , The processing method is to add the relevant certificate information to the certificate trust list of the host .
# Look at the goal API Certificate information for the service , This method can be applied to other https The same applies to services
openssl s_client -showcerts -connect 10.255.200.5:443
...
-----BEGIN CERTIFICATE-----
MIIDizCCAnOgAwIBAgIUM4uh9rB+BGjNBBLssCLCMdP54fkwDQYJKoZIhvcNAQEL
BQAwSjELMAkGA1UEBhMCQ04xDjAMBgNVBAgMBUhVQkVJMQ4wDAYDVQQHDAVXVUhB
TjENMAsGA1UECgwESEJUVjEMMAoGA1UECwwDQ0pZMCAXDTIwMTAxNTA5Mjk1M1oY
DzIxMjAwOTIxMDkyOTUzWjBKMQswCQYDVQQGEwJDTjEOMAwGA1UECAwFSFVCRUkx
DjAMBgNVBAcMBVdVSEFOMQ0wCwYDVQQKDARIQlRWMQwwCgYDVQQLDANDSlkwggEi
MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC8elmgAtgkp3lrtVLGtan1ktQ9
+VxIofV88da9GL07lcPpMjJFqUpMngU7F+G4JUEntm/nxH9VypEp8QE+CMnRdYN0
WXnJczSC1bZDF48ya1HnZ+H6wTxfZpAf4ZCzrXHUyPWUyiHKaOAY54UVQkNLF54y
rEN7hNy5NPPPQf6fnYoN/q72VqDfwGNEtfO7k57Zqf94uh09nnqNjHhuW2ZdfzHG
3qWdwq9Kj7Q0IeQ9ufI/gd3yCfmej63HF3KLUbzzYgDHFZsAFmwTsmCoimhtlQK/
c5rQ4brGpTKl9Lg4R0d+/p7+FcBM76a/V/S42S6oyFYRaXaYnm3zrXttQ8VXAgMB
AAGjZzBlMAsGA1UdDwQEAwIF4DAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUH
AwIwNwYDVR0RBDAwLoIUanVtcHNlcnZlci5oYnJ0di5vcmeHBAr/yAWHBAr/yAGH
BAr/yAKHBAr/yAMwDQYJKoZIhvcNAQELBQADggEBAFphglFfhEwxjEQ6jsqGaiwt
r8tse1E6dsiPYjQeHq6sYKaV2G2KxGHs1Mh66augFG37ljV0XVtkaFUyc6F+b00p
Z7CSZ17gI7QcycZpcxClf7I3/CXpS/NDdYQR/yir1reYmE01H50bw5tNVaHZWrL0
kUXOtsh68dSq0lwbbNEoPh7bFZV746ycC8vZHGZVCzgCit2IRQa4OPt8lV025JJr
UTy/ASDLVZuGRkAa7z0dA5CFas9QFu/ya938NJVVFoHzUy+SwpME5rBlX9kU3pin
nkNQ5Bl3C10bEQtetAmdTGHV384rj2ZnfRLXobXw21oXJRLfuQPLvYHC8H4dsRQ=
-----END CERTIFICATE-----
...
# take -----BEGIN CERTIFICATE----- To -----END CERTIFICATE----- Add the middle to /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem ending
# Open the list of trust certificates , Use SHIFT+G Jump to the end of the file , Paste the certificate content
vi /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
6、 Other
Registered koko When the instance needs to be re registered due to configuration modification , You need to delete the relevant accesskey
rm –rf /sas/jumpserver/koko/data/keys/.access_key
koko Log file path :/sas/jumpserver/koko/data/logs
cat /sas/jumpserver/koko/data/logs/koko.log
版权声明
本文为[dusthunter]所创,转载请带上原文链接,感谢
边栏推荐
- Synchronous configuration from git to consult with git 2consul
- DRF JWT authentication module and self customization
- Vue 3 responsive Foundation
- EOS创始人BM: UE,UBI,URI有什么区别?
- 条码生成软件如何隐藏部分条码文字
- Filecoin最新动态 完成重大升级 已实现四大项目进展!
- JetCache埋点的骚操作,不服不行啊
- Can't be asked again! Reentrantlock source code, drawing a look together!
- hadoop 命令总结
- 微服務 - 如何解決鏈路追蹤問題
猜你喜欢
JetCache埋点的骚操作,不服不行啊
Elasticsearch database | elasticsearch-7.5.0 application construction
Basic principle and application of iptables
如何对Pandas DataFrame进行自定义排序
Working principle of gradient descent algorithm in machine learning
使用 Iceberg on Kubernetes 打造新一代云原生数据湖
The difference between Es5 class and ES6 class
一时技痒,撸了个动态线程池,源码放Github了
2018中国云厂商TOP5:阿里云、腾讯云、AWS、电信、联通 ...
事半功倍:在没有机柜的情况下实现自动化
随机推荐
事半功倍:在没有机柜的情况下实现自动化
全球疫情加速互联网企业转型,区块链会是解药吗?
GUI 引擎评价指标
文本去重的技术方案讨论(一)
Ubuntu18.04上安裝NS-3
The practice of the architecture of Internet public opinion system
Real time data synchronization scheme based on Flink SQL CDC
Use of vuepress
钻石标准--Diamond Standard
你的财务报告该换个高级的套路了——财务分析驾驶舱
如何在Windows Server 2012及更高版本中將域控制器降級
哇,ElasticSearch多字段权重排序居然可以这么玩
人工智能学什么课程?它将替代人类工作?
C language 100 question set 004 - statistics of the number of people of all ages
嘘!异步事件这样用真的好么?
PHP应用对接Justswap专用开发包【JustSwap.PHP】
技術總監,送給剛畢業的程式設計師們一句話——做好小事,才能成就大事
Query意图识别分析
连肝三个通宵,JVM77道高频面试题详细分析,就这?
熬夜总结了报表自动化、数据可视化和挖掘的要点,和你想的不一样