Deploying Jumpserver with docker-compose

Components

Jumpserver is the management backend. Administrators use its web UI for asset management, user management and asset authorization; users use the same UI to log in to assets, manage files and so on.
koko is the SSH server and Web Terminal server. Users log in with their own accounts over SSH or the Web Terminal to reach SSH and Telnet assets.
Luna is the Web Terminal front end, the component users need when they log in through the Web Terminal.
Guacamole is the component for RDP and VNC assets; users connect to RDP and VNC assets through the Web Terminal (for now these assets can only be reached through the Web Terminal).

Ports

Jumpserver: default web port 8080/tcp, default WS port 8070/tcp; config file jumpserver/config.yml
koko: default SSH port 2222/tcp, default Web Terminal port 5000/tcp; config file koko/config.yml
Guacamole: default port 8081/tcp; config file /config/tomcat9/conf/server.xml
Nginx: default port 80/tcp
Redis: default port 6379/tcp
Mysql: default port 3306/tcp

Protocol  Server name  Port
TCP       Jumpserver   80
TCP       Guacamole
TCP       Db           3306
TCP       Redis        6379
TCP       koko         2222

Environment

OS: CentOS 7
NFS server: 192.168.150.192
Database IP: 192.168.150.45
Redis IP: 192.168.150.45
Jumpserver IP: 192.168.150.45, 192.168.150.26
koko IP: 192.168.150.45, 192.168.150.26
Guacamole IP: 192.168.150.45, 192.168.150.26
Tengine proxy IP: 192.168.150.45, 192.168.150.26

Security settings

The firewalls on SSH and Telnet assets must allow access from koko and jumpserver.

The firewalls on RDP assets must allow access from guacamole and jumpserver.

Firewall

Open the required ports as needed, or simply turn the firewall off:

    systemctl stop firewalld.service
    systemctl disable firewalld.service
    
NFS deployment
1. Install the EPEL repository

      yum -y install epel-release wget
      
2. Install nfs-server

      yum -y install nfs-utils rpcbind
      systemctl enable rpcbind nfs-server nfs-lock nfs-idmap
      systemctl start rpcbind nfs-server nfs-lock nfs-idmap
      
3. Create the NFS shared directory

      mkdir /data
      
4. Set the NFS access permissions

      vim /etc/exports
      /data 192.168.150.*(rw,sync,no_root_squash)
      

/data is the directory just created that will be shared; 192.168.150.* means every host in 192.168.150.* gets the permissions listed in parentheses.
You can also name the authorized clients explicitly: /data 192.168.150.45(rw,sync,no_root_squash) 192.168.150.26(rw,sync,no_root_squash)

5. Apply the exports

      exportfs -a
      
6. Install the NFS client (on 150.45 and 150.26)

      showmount -e 192.168.150.192
      mkdir -p /opt/jumpserver/data
      restorecon -R /opt/jumpserver/data/
      mount -t nfs 192.168.150.192:/data /opt/jumpserver/data
      echo "192.168.150.192:/data /opt/jumpserver/data nfs defaults 0 0" >> /etc/fstab
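The exports line above grants a whole /24 access with no_root_squash. The following script is an added example (not from the original post) that audits an exports file before exportfs runs: it flags wildcard client specifications as errors and no_root_squash as a warning. The two sample files are constructed; the first mirrors the post's entry, the second lists only the two Jumpserver hosts.

```shell
#!/bin/sh
# audit_exports.sh - flag risky entries in an /etc/exports file before running exportfs.
# Added example, not from the original post. The sample files below are
# constructed; the first mirrors the post's own exports line.

# Print one finding per line ("ERROR ..." or "WARN ..."); prints nothing when clean.
audit_exports() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' |
    while read -r path clients; do
        set -f   # no pathname expansion: client specs like 192.168.150.* must stay literal
        for tok in $clients; do
            client=${tok%%\(*}                 # part before "("
            opts=${tok#*\(}; opts=${opts%\)}   # text between "(" and ")"
            if [ "$opts" = "$tok" ]; then opts=""; fi   # entry without an option list
            case "$client" in
                ''|*'*'*|*'?'*)
                    echo "ERROR $path $client: wildcard client; list the NFS clients explicitly" ;;
            esac
            case ",$opts," in
                *,no_root_squash,*)
                    echo "WARN $path $client: no_root_squash lets root on the client write as root on the share" ;;
            esac
            case ",$opts," in
                *,insecure,*)
                    echo "ERROR $path $client: insecure accepts requests from unprivileged source ports" ;;
            esac
        done
    done
}

# Number of ERROR findings for the exports file $1.
exports_error_count() { audit_exports "$1" | grep -c '^ERROR'; }

# Constructed sample 1: the post's entry, a whole /24 with no_root_squash.
WEAK_EXPORTS=$(mktemp)
cat > "$WEAK_EXPORTS" <<'EOF'
# constructed sample
/data 192.168.150.*(rw,sync,no_root_squash)
EOF

# Constructed sample 2: only the two Jumpserver hosts from the post.
# no_root_squash stays because the containers write to the share as root, so it is
# still reported as a WARN; narrowing the client list is what removes the ERROR.
SAFE_EXPORTS=$(mktemp)
cat > "$SAFE_EXPORTS" <<'EOF'
/data 192.168.150.45(rw,sync,no_root_squash) 192.168.150.26(rw,sync,no_root_squash)
EOF

echo "== as in the post =="; audit_exports "$WEAK_EXPORTS"
echo "== narrowed to the two hosts =="; audit_exports "$SAFE_EXPORTS"
```

Run it against the real file with `audit_exports /etc/exports` on the NFS server; a non-zero `exports_error_count` is a reason to fix the file before `exportfs -a`. The post's setup needs no_root_squash because the container bind mounts are written as root, so the practical mitigation is the explicit client list, which the post already shows as an alternative.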
      
docker-compose deployment
1. Install docker

Install the following dependency packages:

    yum install -y yum-utils device-mapper-persistent-data lvm2
    

Add the docker yum repository:

    yum-config-manager --add-repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
    
    

Refresh the yum cache and install docker-ce:

    $ sudo yum makecache fast
    $ sudo yum install docker-ce
    
    

Configure a registry mirror:

    sudo mkdir -p /etc/docker
    sudo tee /etc/docker/daemon.json <<-'EOF'
    {
      "registry-mirrors": ["https://zggyaen3.mirror.aliyuncs.com"]
    }
    EOF
    sudo systemctl daemon-reload
    sudo systemctl restart docker
    
    

Regular users need to be added to the docker group:

    $ sudo usermod -a -G docker ${USER}
    
    

Move the docker storage location (optional):

    $ sudo systemctl stop docker
    $ sudo mv /var/lib/docker /home/lan/docker
    $ sudo ln -s /home/lan/docker /var/lib/docker
    $ sudo systemctl start docker
    $ sudo systemctl enable docker
    
    
2. Install docker-compose
    $ sudo curl -L https://github.com/docker/compose/releases/download/1.23.2/docker-compose-`uname -s`-`uname -m` -o /usr/local/bin/docker-compose
    $ sudo chmod +x /usr/local/bin/docker-compose
    
    

If the download is slow, download it manually and upload it to the system.

Download page: https://github.com/docker/compose/releases/ ; pick the matching version.

Deploy jumpserver
1. Download the jumpserver archive

  # GitHub zip archive of the master branch of the jumpserver/Dockerfile repository
  wget https://github.com/jumpserver/Dockerfile/archive/master.zip -O Dockerfile-master.zip
  unzip Dockerfile-master.zip
      
      
2. Generate SECRET_KEY and BOOTSTRAP_TOKEN with a shell script

      if [ ! "$SECRET_KEY" ]; then
        SECRET_KEY=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 50`;
        echo "SECRET_KEY=$SECRET_KEY" >> ~/.bashrc;
        echo $SECRET_KEY;
      else
        echo $SECRET_KEY;
      fi  
      if [ ! "$BOOTSTRAP_TOKEN" ]; then
        BOOTSTRAP_TOKEN=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 16`;
        echo "BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN" >> ~/.bashrc;
        echo $BOOTSTRAP_TOKEN;
      else
        echo $BOOTSTRAP_TOKEN;
      fi
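The script above appends the generated secrets to ~/.bashrc. The following is an added example (not the project's script) that writes them into the .env file docker-compose reads, keeps the file owner-only, and never replaces a value that already exists. The target path is an assumption: a temp file here, ./.env in the unpacked Dockerfile directory in real use (set ENV_FILE).

```shell
#!/bin/sh
# gen_secrets.sh - generate SECRET_KEY and BOOTSTRAP_TOKEN and keep them in the .env file
# that docker-compose reads, not in ~/.bashrc. Added example, not the project's script.
# ENV_FILE is an assumption: a temp file by default, ./.env in real use.

# Print a random string of $1 characters from [A-Za-z0-9].
gen_secret() {
    # LC_ALL=C stops tr from rejecting non-UTF-8 bytes read from /dev/urandom
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "$1"
}

# Succeed only if $1 is exactly $2 characters long and alphanumeric.
secret_ok() {
    [ "${#1}" -eq "$2" ] || return 1
    case "$1" in *[!A-Za-z0-9]*) return 1 ;; esac
    return 0
}

# Print the value of NAME=$2 in env file $1, generating a $3-character one if absent.
# An existing value is never replaced: the post's .env notes that SECRET_KEY must not
# change after the first install, or the encrypted data can no longer be decrypted.
ensure_secret() {
    envfile=$1; name=$2; len=$3
    if grep -q "^${name}=." "$envfile" 2>/dev/null; then
        sed -n "s/^${name}=//p" "$envfile" | head -n 1
        return 0
    fi
    value=$(gen_secret "$len")
    ( umask 077; printf '%s=%s\n' "$name" "$value" >> "$envfile" )
    chmod 600 "$envfile"   # the file now holds shared secrets: owner-only
    echo "$value"
}

ENV_FILE=${ENV_FILE:-$(mktemp)}
SECRET_KEY=$(ensure_secret "$ENV_FILE" SECRET_KEY 50)
BOOTSTRAP_TOKEN=$(ensure_secret "$ENV_FILE" BOOTSTRAP_TOKEN 16)
echo "secrets stored in $ENV_FILE (mode 600):"
grep -E '^(SECRET_KEY|BOOTSTRAP_TOKEN)=' "$ENV_FILE" | sed 's/=.*/=<hidden>/'
```

Because both hosts (150.45 and 150.26) must share the same SECRET_KEY and BOOTSTRAP_TOKEN, run it once and copy the resulting .env to the second host rather than generating on each.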
      
      
3. Edit the .env file and set the mysql and redis passwords

      vim .env
      
      
  # Change the version number to match your project's version
      Version=1.5.9
      
      # MySQL
      DB_HOST=192.168.150.45
      DB_PORT=3306
      DB_USER=jumpserver
      DB_PASSWORD=password
      DB_NAME=jumpserver
      
      # Redis
      REDIS_HOST=192.168.150.45
      REDIS_PORT=6379
      REDIS_PASSWORD=password
      
      # Core
      SECRET_KEY=15hMccXFn40TCKJETDnjlUhkZEXIAcq3E3aQ6T6LDmfLUN0oAV
      BOOTSTRAP_TOKEN=HT8qH0wSuyQjcNyh
      
  ##
  # SECRET_KEY protects signed data. Change it on first install and keep it safe; it must not change on later upgrades or migrations, otherwise encrypted data can no longer be decrypted.
  # BOOTSTRAP_TOKEN is the key used for component authentication, only while a component registers. Components means koko and guacamole.
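Before starting the stack it is worth checking that the placeholder values in the .env above were actually replaced. The following preflight script is an added example (not part of Jumpserver): it rejects empty or placeholder DB and Redis passwords, secrets shorter than what the generator script produces (50 and 16 characters), and a .env readable by other users. Both sample files are constructed; the first is the .env exactly as shown above.

```shell
#!/bin/sh
# check_env.sh - preflight for the .env file before `docker-compose up -d`.
# Added example, not part of Jumpserver. The placeholder denylist and the 50/16
# minimum lengths (what the post's generator script produces) are my own choices.

# Print the first value of KEY=$2 in env file $1 (empty if absent).
env_get() { sed -n "s/^$2=//p" "$1" | head -n 1; }

# Print one finding per line for env file $1; prints nothing when it passes.
check_env() {
    f=$1
    for key in DB_PASSWORD REDIS_PASSWORD; do
        v=$(env_get "$f" "$key")
        case "$v" in
            ''|password|123456|jumpserver)   # constructed denylist; extend as needed
                echo "$key: empty or placeholder value" ;;
        esac
    done
    sk=$(env_get "$f" SECRET_KEY)
    [ "${#sk}" -ge 50 ] || echo "SECRET_KEY: shorter than 50 characters (${#sk})"
    bt=$(env_get "$f" BOOTSTRAP_TOKEN)
    [ "${#bt}" -ge 16 ] || echo "BOOTSTRAP_TOKEN: shorter than 16 characters (${#bt})"
    # The file carries DB, Redis and core secrets: nobody else on the host should read it.
    if [ -n "$(find "$f" -perm -004)" ]; then
        echo "$f: readable by other users, run chmod 600 on it"
    fi
}

# Number of findings for env file $1.
env_problem_count() { check_env "$1" | grep -c .; }

# Constructed sample 1: the post's .env as shown (placeholder passwords, world-readable).
WEAK_ENV=$(mktemp)
cat > "$WEAK_ENV" <<'EOF'
Version=1.5.9
DB_HOST=192.168.150.45
DB_PORT=3306
DB_USER=jumpserver
DB_PASSWORD=password
DB_NAME=jumpserver
REDIS_HOST=192.168.150.45
REDIS_PORT=6379
REDIS_PASSWORD=password
SECRET_KEY=15hMccXFn40TCKJETDnjlUhkZEXIAcq3E3aQ6T6LDmfLUN0oAV
BOOTSTRAP_TOKEN=HT8qH0wSuyQjcNyh
EOF
chmod 644 "$WEAK_ENV"

# Constructed sample 2: the same file with generated passwords and owner-only mode.
SAFE_ENV=$(mktemp)
cat > "$SAFE_ENV" <<'EOF'
Version=1.5.9
DB_HOST=192.168.150.45
DB_PORT=3306
DB_USER=jumpserver
DB_PASSWORD=constructed-Db-Pass-7f2c9a
DB_NAME=jumpserver
REDIS_HOST=192.168.150.45
REDIS_PORT=6379
REDIS_PASSWORD=constructed-Redis-Pass-41be0d
SECRET_KEY=A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q7r8S9t0U1v2W3x4Y5
BOOTSTRAP_TOKEN=zY9xW8vU7tS6rQ5p
EOF
chmod 600 "$SAFE_ENV"

echo "== as shown in the post =="; check_env "$WEAK_ENV"
echo "== hardened =="; check_env "$SAFE_ENV"
```

Run `check_env .env` on both hosts; since the same .env must be used on 150.45 and 150.26, any finding on one host applies to the other as well.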
      
      

Edit docker-compose on 150.45

      vim docker-compose.yml
      
      
      # Test-environment resources are limited, so my mysql and redis are also deployed on 150.45.
      # On 150.26 it is enough to point at the mysql and redis addresses; no mysql or redis containers need to start there.
      version: '3'
      services:
        mysql:
          image: jumpserver/jms_mysql:${Version}
          container_name: jms_mysql
          restart: always
          tty: true
          environment:
            DB_PORT: $DB_PORT
            DB_USER: $DB_USER
            DB_PASSWORD: $DB_PASSWORD
            DB_NAME: $DB_NAME
          ports:
            - 3306:3306
          volumes:
            - /opt/jumpserver/data/mysql-master:/var/lib/mysql
            - /opt/jumpserver/data/mysql-master.cnf:/etc/my.cnf
          networks:
            - jumpserver
      
        redis:
          image: jumpserver/jms_redis:${Version}
          container_name: jms_redis
          restart: always
          tty: true
          environment:
            REDIS_PORT: $REDIS_PORT
            REDIS_PASSWORD: $REDIS_PASSWORD
          ports:
            - 6379:6379
          volumes:
            - /opt/jumpserver/data/redis-data:/var/lib/redis/
          networks:
            - jumpserver
      
        core:
          image: jumpserver/jms_core:${Version}
          container_name: jms_core
          restart: always
          tty: true
          environment:
            SECRET_KEY: $SECRET_KEY
            BOOTSTRAP_TOKEN: $BOOTSTRAP_TOKEN
            DB_HOST: $DB_HOST
            DB_PORT: $DB_PORT
            DB_USER: $DB_USER
            DB_PASSWORD: $DB_PASSWORD
            DB_NAME: $DB_NAME
            REDIS_HOST: $REDIS_HOST
            REDIS_PORT: $REDIS_PORT
            REDIS_PASSWORD: $REDIS_PASSWORD
          depends_on:
            - mysql
            - redis
          volumes:
            - core-data:/opt/jumpserver/data
          networks:
            - jumpserver
      
        koko:
          image: jumpserver/jms_koko:${Version}
          container_name: jms_koko
          restart: always
          tty: true
          environment:
            CORE_HOST: http://core:8080
            BOOTSTRAP_TOKEN: $BOOTSTRAP_TOKEN
          depends_on:
            - core
            - mysql
            - redis
          volumes:
            - koko-keys:/opt/koko/data/keys
          ports:
            - 2222:2222
          networks:
            - jumpserver
      
        guacamole:
          image: jumpserver/jms_guacamole:${Version}
          container_name: jms_guacamole
          restart: always
          tty: true
          environment:
            JUMPSERVER_SERVER: http://core:8080
            BOOTSTRAP_TOKEN: $BOOTSTRAP_TOKEN
            JUMPSERVER_KEY_DIR: /config/guacamole/keys
            GUACAMOLE_HOME: /config/guacamole
            GUACAMOLE_LOG_LEVEL: ERROR
            JUMPSERVER_ENABLE_DRIVE: 'true'
          depends_on:
            - core
            - mysql
            - redis
          volumes:
            - guacamole-keys:/config/guacamole/keys
          networks:
            - jumpserver
      
        nginx:
          image: jumpserver/jms_nginx:${Version}
          container_name: jms_nginx
          restart: always
          tty: true
          depends_on:
            - core
            - koko
            - mysql
            - redis
          volumes:
            - core-data:/opt/jumpserver/data
          ports:
            - 80:80
          networks:
            - jumpserver
      
      volumes:
        mysql-data:
        redis-data:
        core-data:
        koko-keys:
        guacamole-keys:
      
      networks:
        jumpserver:
      
      

Edit the docker-compose file on 150.26

      version: '3'
      services:
        core:
          image: jumpserver/jms_core:${Version}
          container_name: jms_core
          restart: always
          tty: true
          environment:
            SECRET_KEY: $SECRET_KEY
            BOOTSTRAP_TOKEN: $BOOTSTRAP_TOKEN
            DB_HOST: $DB_HOST
            DB_PORT: $DB_PORT
            DB_USER: $DB_USER
            DB_PASSWORD: $DB_PASSWORD
            DB_NAME: $DB_NAME
            REDIS_HOST: $REDIS_HOST
            REDIS_PORT: $REDIS_PORT
            REDIS_PASSWORD: $REDIS_PASSWORD
          volumes:
            - /opt/jumpserver/data/core-data:/opt/jumpserver/data
          networks:
            - jumpserver
      
        koko:
          image: jumpserver/jms_koko:${Version}
          container_name: jms_koko
          restart: always
          tty: true
          environment:
            CORE_HOST: http://core:8080
            BOOTSTRAP_TOKEN: $BOOTSTRAP_TOKEN
          depends_on:
            - core
          volumes:
            - /opt/jumpserver/data/koko-keys:/opt/koko/data/keys
          ports:
            - 2222:2222
          networks:
            - jumpserver
      
        guacamole:
          image: jumpserver/jms_guacamole:${Version}
          container_name: jms_guacamole
          restart: always
          tty: true
          environment:
            JUMPSERVER_SERVER: http://core:8080
            BOOTSTRAP_TOKEN: $BOOTSTRAP_TOKEN
            JUMPSERVER_KEY_DIR: /config/guacamole/keys
            GUACAMOLE_HOME: /config/guacamole
            GUACAMOLE_LOG_LEVEL: ERROR
            JUMPSERVER_ENABLE_DRIVE: 'true'
          depends_on:
            - core
          volumes:
            - /opt/jumpserver/data/guacamole-keys:/config/guacamole/keys
          networks:
            - jumpserver
      
        nginx:
          image: jumpserver/jms_nginx:${Version}
          container_name: jms_nginx
          restart: always
          tty: true
          depends_on:
            - core
            - koko
          volumes:
            - /opt/jumpserver/data/core-data:/opt/jumpserver/data
          ports:
            - 80:80
          networks:
            - jumpserver
      
      volumes:
        core-data:
        koko-keys:
        guacamole-keys:
      
      networks:
        jumpserver:
      
      
4. Start the containers

    docker-compose up -d
    
    
5. Open a browser to 150.45 and 150.26 (the default account and password are admin) and check in the browser that the data is synchronized between them.
Original source: https://www.cnblogs.com/sonyy/p/13155941.html