Jumpserver Dual-machine backup scheme

First, write in front of

Since Jumpserver currently does not support dual-machine hot standby, the program uses database and system user data backup implementation, mainly in the following areas:

1, MySQL database master synchronization

2. System files:/etc/passwd/etc/shaow/etc/group file synchronization (Rsync+crontab)

3, Jumpserver related users and key files: Jumpserver/keys synchronization (Rsync+crontab)

4. Primary server: 10.44.131.212, slave server: 10.169.210.223

Second, rsync configuration

1, the main server part

①, close the SELinux edit firewall configuration file/etc/selinux/config as follows:

#SELINUX =enforcing #注释掉

#SELINUXTYPE =targeted #注释掉

Selinux=disabled #增加

Execution Setenforce 0 Immediate effect

Open the firewall TCP 873 port, edit the firewall configuration file/etc/sysconfig/iptables, and add the following:

-A rh-firewall-1-input-m state--state new-m tcp-p TCP--dport 873-j ACCEPT

Restart the firewall for configuration to take effect/etc/init.d/iptables restart

②, installing Rsync Server Software

Yum Install Rsync-y

Third, create the rsyncd.conf profile/etc/rsyncd.conf, add the following:

UID = root

GID = root

Use chroot = no

Max connections = 4

PID file =/var/run/rsyncd.pid

Lock file =/var/run/rsync.lock

Log file =/var/log/rsyncd.log

[Jumpserver]

Path =/data/jumpserver/keys

#ignore errors

Read Only = False

List = False

Hosts allow = 10.169.210.223

Hosts Deny = 0.0.0.0/32

Auth users = Juser

Secrets file =/etc/rsync.pass

[Home]

Path =/Home

#ignore errors

Read Only = False

List = False

Hosts allow = 10.169.210.223

Hosts Deny = 0.0.0.0/32

Auth users = Juser

Secrets file =/etc/rsync.pass

[Sysfile]

Path =/etc/

#ignore errors

Read Only = False

List = False

Hosts allow = 10.169.210.223

Hosts Deny = 0.0.0.0/32

Auth users = Juser

Secrets file =/etc/rsync.pass

④, create user authentication file/etc/rsync.pass Add the following content

juser:juser20160125 #格式, user name: password, can be set multiple, one user name per line: password

Modify Profile Permissions:

Chown Root.root/etc/rsync.pass

chmod 600/etc/rsync.pass

⑤, start rsync

/usr/bin/rsync--daemon--config=/etc/rsyncd.conf

2. From the server section

①, create the authentication password file/ETC/RSYNC.PASSC

Modify Profile Permissions:

Chown ROOT.ROOT/ETC/RSYNC.PASSC

chmod 600/ETC/RSYNC.PASSC

②, perform data synchronization test operations:

RSYNC-AVH--port=873--progress--delete [email protected]:jumpserver--password-file=/etc/rsync.passc/data/ jumpservertest/

(v in-VZRTOPG in command line is Verbose,z is compression, R is RECURSIVE,TOPG is the parameter that keeps the original property of the file as owner, time. --progress is the display of detailed progress,--delete is that if the server side delete the file, then the client will also delete the file, to maintain true consistency. --exclude "logs/" means that the files in the/www/logs directory are not backed up. --exclude "conf/ssl.*/" means that the files in the/www/conf/ssl.*/directory are not backed up.

[Email protected]:jumpserver indicates that the command is a backup of the Jumpserver module in the server 10.44.131.212.]

Third, MySQL database master configuration

MySQL configuration file (master)

[Mysqld]

Datadir=/var/lib/mysql

Socket=/var/lib/mysql/mysql.sock

User=mysql

# Disabling Symbolic-links is recommended to prevent assorted security risks

Symbolic-links=0

wait_timeout=864000

interactive_timeout=864000

Server-id = 1

Log-bin=mysql-bin

Binlog_format=mixed

Expire_logs_days=5

[Mysqld_safe]

Log-error=/var/log/mysqld.log

Pid-file=/var/run/mysqld/mysqld.pid

MySQL configuration file (from)

[Mysqld]

Datadir=/var/lib/mysql

Socket=/var/lib/mysql/mysql.sock

User=mysql

# Disabling Symbolic-links is recommended to prevent assorted security risks

Symbolic-links=0

Server-id = 2

Log-bin=mysql-bin

Binlog_format=mixed

Expire_logs_days=5

[Mysqld_safe]

Log-error=/var/log/mysqld.log

Pid-file=/var/run/mysqld/mysqld.pid

After modifying the configuration file, restart Mysql:service mysqld restart

Log in to two databases using the root user, and perform the following Chitian for master-slave replication authorization:

GRANT REPLICATION SLAVE On * * to [e-mail protected] ' 10.169.210.223 ' identified by ' xiaoniu0125 ';

GRANT REPLICATION SLAVE On * * to [e-mail protected] ' localhost ' identified by ' xiaoniu0125 ';

GRANT REPLICATION SLAVE On * * to [e-mail protected] '% ' identified by ' xiaoniu0125 ';

Flush privileges;

Export the database data and upload it to perform data import from the server:

Mysqldump--single-transaction-h127.0.0.1-ujumpserver-p jumpserver > Jumpserver.sql

SCP Jumpserver.sql [Email protected]:/data/

Perform data import from database using Jumpserver user logon: Source/data/jumpserver.sql

Use the root user to log in to the primary database to view the current binary log information for the primary database: Show Master Status \g

Using the root user to log in from the database, perform the following data synchronization commands:

Change Master to master_host= ' 10.44.131.212 ', master_port=3306, master_user= ' repl ', master_password= ' xiaoniu0125 ', Master_log_file= ' mysql-bin.000004 ', master_log_pos=188397822;

Start data synchronization: Start slave

View Data sync Status: Show slave status \g

Use root login to view the current binary log information for the primary database from the database: Show Master Status \g

Log in to the primary database using the root user and perform the following data synchronization commands:

Change Master to master_host= ' 10.169.210.223 ', master_port=3306, master_user= ' repl ', master_password= ' xiaoniu0125 ', Master_log_file= ' mysql-bin.000004 ', master_log_pos=188397822;

Start data synchronization: Start slave

View Data sync Status: Show slave status \g

Iv. system user related files, jumpserver related users and key file backup

1. Log in from server backup/etc/passwd/etc/shaow/etc/group file

Mv/etc/passwd/etc/passwd_bak

Mv/etc/shaow/etc/shaow_bak

Mv/etc/group/etc/group_bak

2. Log in to the master server and copy the/etc/passwd/etc/shaow/etc/group to the slave server

scp/etc/passwd [Email protected]:/etc/

scp/etc/shaow [Email protected]:/etc/

Scp/etc/group [Email protected]:/etc/

3. Log in to the master server and copy all files from the/home path to the slave server

Scp-r/home/* [Email protected]:/home/

3. Log in to the master server and copy all files under Jumpserver to the slave server

Scp-r/jumpserver [Email protected]:/data/

4. Perform Jumpserver installation

Yum-y install git python-pip mysql-devel gcc automake autoconf python-devel vim sshpass Lrzsz

CD Jumpserver/install && pip Install-r requirements.txt

Python install.py

5, modify the relevant file permissions, create change.sh, the content is as follows:

#!/bin/sh

users= ' Ls-l/data/jumpserver/keys/user | grep Pub | awk ' {print $9} ' | Awk-f. ' {print '} '

Echo $users

For user in $users

Do

echo/home/$user

echo/data/jumpserver/keys/user/$user *

/usr/bin/id $user >&/dev/null

Result=$?

if [$result = = 0];then

echo "Start modifying file user rights!" "

Chown $user. $user/home/$user

Chown $user. $user/data/jumpserver/keys/user/$user *

Result= ' echo $? '

if [$result = = 0];then

echo [$now _time] "Modify user" $user "directory Permissions succeeded" >>/data/jumpserver/logs/jump_cron.log

Else

echo [$now _time] "Modify user" $user "Directory Permissions failed" >>/data/jumpserver/logs/jump_cron.log

Exit 0

Fi

Else

echo [$now _time] $user "user does not exist! ">>/data/jumpserver/logs/jump_cron.log

Fi

Done

Exit 0

Execute the change script: Sh./change.sh

6. Modify log file permissions: chmod 777/data/jumpserver/logs/jumpserver.log

7, create the file Timing synchronization script, jump_cron.sh, the content is as follows:

#!/bin/sh

# #获取当前系统时间

Now_time= ' Date ' +%y-%m-_%d%h:%m:%s "'

# #开始同步jumpserve用户以及keys数据

/USR/BIN/RSYNC-AVH--port=873--progress--delete [email protected]::jumpserver--password-file=/etc/rsync.passc/ Data/jumpserver/keys

Result= ' echo $? '

if [$result = = 0];then

echo [$now _time] "Sync jumpserve users and Keys data success" >>/data/jumpserver/logs/jump_cron.log

Else

echo [$now _time] "Sync jumpserve user and keys failed" >>/data/jumpserver/logs/jump_cron.log

Exit 0

Fi

# #同步系统用户数据

/USR/BIN/RSYNC-AVH--port=873--progress--delete [email protected]::home--password-file=/etc/rsync.passc/home

Result= ' echo $? '

if [$result = = 0];then

echo [$now _time] "Synchronization system User Data Success" >>/data/jumpserver/logs/jump_cron.log

Else

echo [$now _time] "Sync system user failed" >>/data/jumpserver/logs/jump_cron.log

Exit 0

Fi

# #同步shaow passwd Group File

/USR/BIN/RSYNC-AVH--port=873--progress--delete--include ' shaow '--include ' passwd '--include ' group '--exclude ' * ' [E Mail Protected]::sysfile--password-file=/etc/rsync.passc/etc/

Result= ' echo $? '

if [$result = = 0];then

echo [$now _time] "Sync shaow passwd Group File Success" >>/data/jumpserver/logs/jump_cron.log

Else

echo [$now _time] "Sync shaow passwd Group file failed" >>/data/jumpserver/logs/jump_cron.log

Exit 0

Fi

# #获取当前用户信息用于修改相关文件权限

users= ' Ls-l/data/jumpserver/keys/user | grep Pub | awk ' {print $9} ' | Awk-f. ' {print '} '

Echo $users

For user in $users

Do

echo/home/$user

echo/data/jumpserver/keys/user/$user *

/usr/bin/id $user >&/dev/null

Result=$?

if [$result = = 0];then

echo "Start modifying file user rights!" "

Chown $user. $user/home/$user

Chown $user. $user/data/jumpserver/keys/user/$user *

Result= ' echo $? '

if [$result = = 0];then

echo [$now _time] "Modify user" $user "directory Permissions succeeded" >>/data/jumpserver/logs/jump_cron.log

Else

echo [$now _time] "Modify user" $user "Directory Permissions failed" >>/data/jumpserver/logs/jump_cron.log

Exit 0

Fi

Else

echo [$now _time] $user "user does not exist! ">>/data/jumpserver/logs/jump_cron.log

Fi

Done

Exit 0

8, create a scheduled task, 5 minutes to perform a data synchronization operation CRONTAB-E:

*/5 * * * */bin/sh/data/jumpserver/jump_cron.sh >>/dev/null 2>&1

9. Start Jumpserver:

./service.sh Start

This article is from the "My Ops Time" blog, so be sure to keep this source http://aaronsa.blog.51cto.com/5157083/1740524

Jumpserver Dual-machine backup scheme