High availability cluster deployment of jumpserver: (6) deployment of SSH agent module Koko and implementation of system service management
2020-11-06 01:17:00 【dusthunter】
1、 Configure the firewall
Only the 10.255.200.1/30 range is allowed to reach the two koko ports used in this deployment (22222 and 5000). Keep the source restriction: koko's SSH listener is the entry point for every proxied session and should not be reachable from arbitrary clients.
firewall-cmd --permanent --add-rich-rule="rule family="ipv4" source address="10.255.200.1/30" port protocol="tcp" port="22222" accept"
firewall-cmd --permanent --add-rich-rule="rule family="ipv4" source address="10.255.200.1/30" port protocol="tcp" port="5000" accept"
firewall-cmd --reload
2、 Install the SSH agent module koko
# Download the koko release archive and unpack it (verify the archive against the checksum published with the release before unpacking)
cd /sas/jumpserver
wget https://github.com/jumpserver/koko/releases/download/v2.3.1/koko-v2.3.1-linux-amd64.tar.gz
tar -xf koko-v2.3.1-linux-amd64.tar.gz
mv koko-v2.3.1-linux-amd64 koko
cd koko
# Place koko's bundled kubectl wrapper in /usr/local/bin/ so it can be called without an absolute path
mv kubectl /usr/local/bin/
# Also download kubectl.tar.gz into the koko directory: the wrapper expects the real client binary to be available as rawkubectl
wget https://download.jumpserver.org/public/kubectl.tar.gz
tar -xf kubectl.tar.gz
chmod 755 kubectl
mv kubectl /usr/local/bin/rawkubectl
rm -rf kubectl.tar.gz
3、 Modify the koko configuration file
# Copy the example configuration to create config.yml
cd /sas/jumpserver/koko
cp config_example.yml config.yml
# Edit config.yml; only the items that need to be changed are listed below. Every entry is "KEY: value" with a space after the colon, otherwise YAML does not parse it as a key
vi config.yml
# Jumpserver core URL; koko uses it for API requests and for registering itself
CORE_HOST: https://10.255.200.5
# BOOTSTRAP_TOKEN must be identical to the one in jumpserver/config.yml
BOOTSTRAP_TOKEN: xxxxxxxxxxxxxxxx
# Log level
LOG_LEVEL: ERROR
# Session sharing type must be redis so that both koko nodes see the same sessions
SHARE_ROOM_TYPE: redis
# Redis settings; note that REDIS_HOST is the floating (keepalived VIP) address, not a single node
REDIS_HOST: 10.255.200.4
REDIS_PORT: 6379
REDIS_PASSWORD: xxxxxxxx
REDIS_DB_ROOM: 6
4、 Write the systemd service management script
# Write the startup script for the SSH agent module koko
vi /sas/jumpserver/tools/koko.service.sh
#!/bin/bash
# Abort if the koko directory is missing instead of running ./koko from the wrong place
cd /sas/jumpserver/koko/ || exit 1
case "$1" in
    start)
        ./koko -d
        ;;
    stop)
        ./koko -s stop
        ;;
    restart)
        ./koko -s stop && ./koko -d
        ;;
    *)
        ;;
esac
# Write the systemd unit for the SSH agent module (the unit directory is /usr/lib/systemd/system, not /usr/lib/system/system)
vi /usr/lib/systemd/system/koko.service
[Unit]
Description=Jumpserver Koko Services
After=network.target remote-fs.target redis.service keepalived.service jumpserver.service
[Service]
Type=forking
ExecStart=/usr/bin/bash /sas/jumpserver/tools/koko.service.sh start
ExecReload=/usr/bin/bash /sas/jumpserver/tools/koko.service.sh restart
ExecStop=/usr/bin/bash /sas/jumpserver/tools/koko.service.sh stop
Restart=on-failure
RestartSec=5
[Install]
WantedBy=multi-user.target
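Before enabling the unit it pays to check the file the service will read, because a mistake there (a token that does not match the core, a `KEY:value` line without the space YAML requires, a Redis password left blank) only surfaces later as registration failures in koko.log. The script below is an added example, not part of the post or of the JumpServer project. It checks the keys changed in step 3 against the core's config.yml, uses the /sas/jumpserver paths of this series as defaults, and relies on its own small `yaml_get`/`require` helpers (assumed here; they handle flat `KEY: value` lines, not general YAML).

```shell
#!/bin/bash
# check_koko_config.sh: pre-flight checks for koko's config.yml before enabling the service.
# Added example for this post, not code from the JumpServer project.
set -u

# yaml_get FILE KEY: print the value of a top-level "KEY: value" line.
# Returns 1 if the key is absent and 2 if the line reads "KEY:value" (no space after
# the colon), which YAML does not parse as a key/value pair.
yaml_get() {
  local file=$1 key=$2 line
  line=$(grep -E "^${key}:" "$file" | head -n 1) || true
  [ -n "$line" ] || return 1
  case "$line" in
    "${key}:" | "${key}: "*) ;;
    *) echo "malformed line in $file: '$line' (YAML needs a space after the colon)" >&2; return 2 ;;
  esac
  printf '%s\n' "${line#"${key}:"}" \
    | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/'
}

# require FILE KEY: print the value; fail (return 1) unless KEY is present, well-formed
# and non-empty. Diagnostics go to stderr so the value can be captured from stdout.
require() {
  local v
  v=$(yaml_get "$1" "$2") || { echo "FAIL: $2 missing or malformed in $1" >&2; return 1; }
  [ -n "$v" ] || { echo "FAIL: $2 is empty in $1" >&2; return 1; }
  printf '%s\n' "$v"
}

# check_koko_config KOKO_CFG CORE_CFG: run every check, report each failure on stderr,
# return the number of failures (0 means the config is ready to use).
check_koko_config() {
  local koko=$1 core=$2 fails=0 v core_token

  if v=$(require "$koko" CORE_HOST); then
    case "$v" in
      https://*) ;;
      *) echo "FAIL: CORE_HOST must be an https URL, got '$v'" >&2; fails=$((fails + 1)) ;;
    esac
  else
    fails=$((fails + 1))
  fi

  # The token koko registers with must be the one the core was started with.
  if v=$(require "$koko" BOOTSTRAP_TOKEN); then
    if [ "$v" = "xxxxxxxxxxxxxxxx" ]; then
      echo "FAIL: BOOTSTRAP_TOKEN is still the placeholder" >&2; fails=$((fails + 1))
    elif core_token=$(require "$core" BOOTSTRAP_TOKEN); then
      [ "$v" = "$core_token" ] || { echo "FAIL: BOOTSTRAP_TOKEN differs from the one in $core" >&2; fails=$((fails + 1)); }
    else
      fails=$((fails + 1))
    fi
  else
    fails=$((fails + 1))
  fi

  if v=$(require "$koko" LOG_LEVEL); then
    case "$v" in
      DEBUG|INFO|WARN|ERROR) ;;
      *) echo "FAIL: LOG_LEVEL '$v' is not one of DEBUG INFO WARN ERROR" >&2; fails=$((fails + 1)) ;;
    esac
  else
    fails=$((fails + 1))
  fi

  # Session sharing through Redis is what lets a second koko node serve the same sessions.
  if v=$(require "$koko" SHARE_ROOM_TYPE); then
    [ "$v" = redis ] || { echo "FAIL: SHARE_ROOM_TYPE must be 'redis' for a multi-node deployment, got '$v'" >&2; fails=$((fails + 1)); }
  else
    fails=$((fails + 1))
  fi

  require "$koko" REDIS_HOST >/dev/null || fails=$((fails + 1))
  require "$koko" REDIS_PASSWORD >/dev/null || fails=$((fails + 1))
  if v=$(require "$koko" REDIS_PORT); then
    case "$v" in
      *[!0-9]*) echo "FAIL: REDIS_PORT '$v' is not a number" >&2; fails=$((fails + 1)) ;;
    esac
  else
    fails=$((fails + 1))
  fi

  return "$fails"
}

# Usage: ./check_koko_config.sh /sas/jumpserver/koko/config.yml [/sas/jumpserver/config.yml]
if [ $# -ge 1 ]; then
  if check_koko_config "$1" "${2:-/sas/jumpserver/config.yml}"; then
    echo "OK: koko config is consistent with the core config"
  else
    exit 1
  fi
fi
```

Run it on the koko host after step 3 and fix every FAIL line before the unit is enabled; once it prints OK, `systemctl daemon-reload && systemctl enable --now koko` starts the service and makes it come up with the host.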
5、 Handling https certificate validation errors
Once tengine serves https, the hosts running koko and guacamole must trust the certificate the core presents, otherwise koko fails with a certificate error when it calls the API. The fix is to add the certificate to the host's trust store.
# Show the certificate of the target API service; the same method works for any other https service (the </dev/null closes the connection instead of waiting for input)
openssl s_client -showcerts -connect 10.255.200.5:443 </dev/null
...
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
...
# Copy the block from -----BEGIN CERTIFICATE----- through -----END CERTIFICATE----- and append it to /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
# Open the trust bundle, press SHIFT+G to jump to the end of the file and paste the certificate
vi /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
Two caveats. The extracted bundle is generated by update-ca-trust and is rewritten the next time it runs (for example after a ca-certificates update), so a certificate pasted there can silently disappear; the durable way on CentOS/RHEL is to save the certificate under /etc/pki/ca-trust/source/anchors/ and run update-ca-trust extract. And whatever s_client returns is being trusted on first use, so compare its fingerprint with the certificate on the core host before installing it.
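The manual steps above can be turned into a repeatable procedure for every koko and guacamole host. The script below is an added example, not part of the post or of the JumpServer project: it fetches the chain the core presents, prints the SHA-256 fingerprint so it can be compared with the certificate on the core host before anything is trusted, installs the anchor where update-ca-trust keeps it, and verifies the handshake afterwards. It assumes a RHEL/CentOS-family host with openssl and update-ca-trust; the anchor file name jumpserver-core.crt is an arbitrary choice.

```shell
#!/bin/bash
# trust_core_cert.sh: fetch the certificate chain the core (tengine) presents, show what
# is about to be trusted, install it as a CA anchor the persistent way, and verify.
# Added example for this post, not code from the JumpServer project.
set -u

# split_chain OUTDIR: read `openssl s_client -showcerts` output on stdin, write every
# PEM certificate to OUTDIR/cert-N.pem (N from 1, leaf first) and print the count.
split_chain() {
  local outdir=$1
  mkdir -p "$outdir"
  awk -v dir="$outdir" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert-" n ".pem"; inblock = 1 }
    inblock                       { print > f }
    /-----END CERTIFICATE-----/   { inblock = 0; close(f) }
    END                           { print n + 0 }
  '
}

# fetch_chain HOST PORT OUTDIR: connect with SNI, split the presented chain, print the count.
fetch_chain() {
  local host=$1 port=$2 outdir=$3
  openssl s_client -showcerts -servername "$host" -connect "$host:$port" </dev/null 2>/dev/null \
    | split_chain "$outdir"
}

# describe_cert FILE: subject, issuer, expiry and SHA-256 fingerprint. Compare the fingerprint
# with `openssl x509 -in <cert> -noout -fingerprint -sha256` run on the core host.
describe_cert() {
  openssl x509 -in "$1" -noout -subject -issuer -enddate -fingerprint -sha256
}

# install_anchor FILE NAME: put the certificate under source/anchors and rebuild the
# extracted bundles. Editing extracted/pem/tls-ca-bundle.pem directly is undone by the
# next update-ca-trust run; this is the persistent way. Needs root.
install_anchor() {
  install -m 0644 "$1" "/etc/pki/ca-trust/source/anchors/$2.crt"
  update-ca-trust extract
}

# verify_trust HOST PORT: succeed only if the handshake now verifies against the system store.
verify_trust() {
  openssl s_client -servername "$1" -connect "$1:$2" -verify_return_error </dev/null >/dev/null 2>&1
}

# Usage: ./trust_core_cert.sh 10.255.200.5 [443]
if [ $# -ge 1 ]; then
  host=$1; port=${2:-443}; work=$(mktemp -d)
  count=$(fetch_chain "$host" "$port" "$work")
  [ "$count" -gt 0 ] || { echo "no certificate received from $host:$port" >&2; exit 1; }
  # Anchor the last certificate the server sent: with a self-signed tengine certificate
  # that is the leaf itself; if the core uses an internal CA and sends its chain, it is
  # the CA, so a renewed leaf keeps verifying without repeating this step.
  anchor="$work/cert-$count.pem"
  describe_cert "$anchor"
  printf 'Install this certificate as a trust anchor on this host? [y/N] '
  read -r answer
  [ "$answer" = y ] || { echo "aborted, nothing changed"; exit 1; }
  install_anchor "$anchor" jumpserver-core
  if verify_trust "$host" "$port"; then
    echo "OK: $host:$port verifies against the system trust store"
  else
    echo "still failing: check that the certificate's CN/SAN matches $host" >&2; exit 1
  fi
fi
```

Run it as root on each koko and guacamole host, answer y only after the printed fingerprint matches the one on the core, and restart koko afterwards so it picks up the new trust store.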
6、 Other
When a registered koko instance has to register again because its configuration changed, delete the stored access key first:
rm -rf /sas/jumpserver/koko/data/keys/.access_key
koko log directory: /sas/jumpserver/koko/data/logs
cat /sas/jumpserver/koko/data/logs/koko.log
Copyright notice
This article was written by [dusthunter]; please include a link to the original when reposting. Thank you.