This is my eighth day of the August Challenge.

Preface

After the two earlier articles in the Operations Thinking series, "Cobbler unattended operating system installation standardization" and "Operating system configuration standardization and automation", the operations team is able to quickly deliver servers that conform to a consistent specification. The next need is how to bring those servers under management and provide a unified login.

To do that, we need a bastion host. Here we take an in-depth look at how to manage servers and implement unified login with JumpServer.

Traditional management

The traditional management method creates the following problems for the operations team and for development and test staff:

  1. Developers, operators and testers need a second hop to log in to the production environment, which complicates every operation;
  2. Developers, operators and testers logging in to servers across many environments depend heavily on account passwords; one careless lapse in control easily leads to password leakage, which is a serious security risk;
  3. To support auditing, operations must deploy additional mechanisms on the servers, such as operation-record auditing and session recording, which adds to the operations workload;
  4. Basic operations require additional effort to maintain access control policies;
  5. Mistyped passwords frequently trigger re-authentication, wasting login time;
  6. New members of the operations team must spend a great deal of effort becoming familiar with the business-related servers, which lengthens the time it takes to integrate into the team.

Beyond being inconvenient to use, the traditional method is genuinely unfriendly to new team members because assets are scattered, which adds pressure to already complex operations work.

JumpServer management mode

Building on the isolation of the test and production environments, the JumpServer login system provides unified login management per environment, effectively separating the permissions of operations, development and testing. The details are as follows:

  1. Users are managed centrally by integrating with LDAP. Operations only needs to assign assets to users; users do not have to be created separately.
  2. The user's login password is isolated from the server login password. The server password is never handled by the user, which effectively prevents password leakage.
  3. Various forms of operation records are supported, including command history and session video recordings, which can be used directly for audits;
  4. Assets are grouped by business and function, so team members become familiar with the distribution of components and businesses.
  5. Command filtering is supported, and passwordless (key-based) login is strengthened, which makes both use and management easier.

As a result, JumpServer not only makes management easier for us, it also empowers the team and gives users a better experience.

Implementation plan

JumpServer can support 100+ or even thousands of servers across various environments. Quickly bringing servers with inconsistent accounts under management is not easy. The process is divided into the following stages:

  1. Account planning: server accounts are planned as three types: a management account, an application account and a log account.
  2. Configuration automation: an open source automation tool serves as the unified configuration center to deploy the three types of accounts in batches, which greatly improves efficiency;
  3. Asset allocation: before environments are separated or isolated, servers are allocated to each service to ensure that developers can log in to their servers correctly.
  4. Asset verification: check the assets assigned to development and test staff to ensure they are all in place.

In fact, each of the stages above consumes a lot of effort, because the goal is long-term standards and long-term management rather than simply getting the application online.

PS: During this implementation, automated operations tools such as Ansible and SaltStack can be used for centralized asset management, so that servers can be brought under management quickly.
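As an added example (not from the article or the JumpServer project), the following Ansible playbook implements the account planning and batch deployment stages above for hosts that will be reached only through the bastion. It assumes the account names ops_admin, app and logreader, a JumpServer address of 10.0.0.10, public keys stored under keys/ beside the playbook, and an sshd service named sshd.

```yaml
- name: Deploy the three planned account types on JumpServer-managed hosts
  hosts: all
  become: true
  vars:
    bastion_ip: "10.0.0.10"   # assumed JumpServer address; only it may use these accounts
    # Account names, groups and sudo rules are assumptions, not the article's values.
    accounts:
      - { name: ops_admin, extra_groups: "",    sudo: "ALL=(ALL) NOPASSWD:ALL" }  # management account
      - { name: app,       extra_groups: "",    sudo: "" }                        # application account
      - { name: logreader, extra_groups: "adm", sudo: "" }                        # log account (adm reads /var/log on Debian/Ubuntu)
  tasks:
    - name: Create accounts with locked passwords, so no server password exists to leak
      ansible.builtin.user:
        name: "{{ item.name }}"
        groups: "{{ item.extra_groups }}"
        shell: /bin/bash
        password_lock: true
      loop: "{{ accounts }}"

    - name: Install the bastion's public key, restricted to the bastion address
      ansible.posix.authorized_key:
        user: "{{ item.name }}"
        key: "{{ lookup('file', 'keys/' ~ item.name ~ '.pub') }}"  # assumed key path beside the playbook
        key_options: 'from="{{ bastion_ip }}"'
        exclusive: true   # any previously authorized key is removed
      loop: "{{ accounts }}"

    - name: Grant sudo only to accounts whose plan entry has a sudo rule
      ansible.builtin.copy:
        dest: "/etc/sudoers.d/{{ item.name }}"
        content: "{{ item.name }} {{ item.sudo }}\n"
        mode: "0440"
        validate: "visudo -cf %s"   # refuse to install a malformed rule
      loop: "{{ accounts }}"
      when: item.sudo | length > 0

    - name: Disable password login and accept these accounts only via the bastion
      ansible.builtin.blockinfile:
        path: /etc/ssh/sshd_config   # assumes no earlier Include drop-in sets the same keys (sshd keeps the first value)
        block: |
          PasswordAuthentication no
          AllowUsers{% for a in accounts %} {{ a.name }}@{{ bastion_ip }}{% endfor %}
      notify: Restart sshd

  handlers:
    - name: Restart sshd
      ansible.builtin.service:
        name: sshd   # assumption: service is named sshd (it is "ssh" on Debian/Ubuntu)
        state: restarted
```

After the run, a direct login with a password or from any address other than the bastion is refused by sshd, which is the server-side counterpart of JumpServer keeping the server password away from the user.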

Conclusion

With our unremitting efforts, an initial framework backed by operations specifications, one that effectively controls the servers, can now be officially opened to development and testing.

But there is a fly in the ointment. When JumpServer was launched, its biggest drawback was how assets were grouped into categories.

  1. Grouping by system does not map cleanly onto services, which causes confusion.
  2. Grouping by business requires a common organizational classification shared by development, operations and testing, because this classification will eventually be exposed to development and testing. A good organizational classification lets different teams become familiar with the servers' business distribution faster and greatly improves the login experience.

Whether JumpServer’s asset grouping should be consistent with the CMDB’s asset grouping is another question to consider, but I’ll leave it to you to think about.