基於docker-compose部署jumpserver
組件說明
Jumpserver 爲管理後臺, 管理員可以通過 Web 頁面進行資產管理、用戶管理、資產授權等操作, 用戶可以通過 Web 頁面進行資產登錄, 文件管理等操作
koko 爲 SSH Server 和 Web Terminal Server 。用戶可以使用自己的賬戶通過 SSH 或者 Web Terminal 訪問 SSH 協議和 Telnet 協議資產
Luna 爲 Web Terminal Server 前端頁面, 用戶使用 Web Terminal 方式登錄所需要的組件
Guacamole 爲 RDP 協議和 VNC 協議資產組件, 用戶可以通過 Web Terminal 來連接 RDP 協議和 VNC 協議資產 (暫時只能通過 Web Terminal 來訪問)
端口說明
Jumpserver 默認 Web 端口爲 8080/tcp, 默認 WS 端口爲 8070/tcp, 配置文件 jumpserver/config.yml
koko 默認 SSH 端口爲 2222/tcp, 默認 Web Terminal 端口爲 5000/tcp 配置文件在 koko/config.yml
Guacamole 默認端口爲 8081/tcp, 配置文件 /config/tomcat9/conf/server.xml
Nginx 默認端口爲 80/tcp
Redis 默認端口爲 6379/tcp
Mysql 默認端口爲 3306/tcp
Protocol | Server name | Port |
---|---|---|
TCP | Jumpserver | 80 |
TCP | Guacamole | |
TCP | Db | 3306 |
TCP | Redis | 6379 |
TCP | koko | 2222 |
環境
系統: Centos 7
NFS-server: 192.168.150.192
數據庫 IP: 192.168.150.45
Redis ip: 192.168.150.45
Jumpserver IP: 192.168.150.45 192.168.150.26
koko IP: 192.168.150.45 192.168.150.26
Guacamole IP: 192.168.150.45 192.168.150.26
Tengine 代理IP: 192.168.150.45 192.168.150.26
安全設置
ssh、telnet協議 資產的防火牆設置允許 koko 與 jumpserver 訪問
rdp協議 資產的防火牆設置允許 guacamole 與jumpserver 訪問
防火牆設置
根據需求開放對應的端口,或者直接關閉防火牆
systemctl stop firewalld.service
systemctl disable firewalld.service
NFS部署
-
安裝epel庫
yum -y install epel-release wget
-
安裝nfs-server
yum -y install nfs-utils rpcbind systemctl enable rpcbind nfs-server nfs-lock nfs-idmap systemctl start rpcbind nfs-server nfs-lock nfs-idmap
-
創建NFS共享目錄
mkdir /data
-
設置NFS訪問權限
vim /etc/exports /data 192.168.150.*(rw,sync,no_root_squash)
/data 是剛纔創建的將被共享的目錄, 192.168.150. 表示整個 192.168.150. 的資產都有括號裏面的權限
也可以寫具體的授權對象 /data 192.168.150.45(rw,sync,no_root_squash) 192.168.150.26(rw,sync,no_root_squash) -
使exports生效
exportfs -a
-
安裝nfs-client (150.45 and 150.26)
showmount -e 192.168.150.192 mkdir -p /opt/jumpserver/data restorecon -R /opt/jumpserver/data/ mount -t nfs 192.168.150.192:/data /opt/jumpserver/data echo "192.168.150.192:/data /opt/jumpserver/data nfs defaults 0 0" >> /etc/fstab
docker-compose部署
- 安裝docker
安裝以下依賴包
yum install -y yum-utils device-mapper-persistent-data lvm2
添加docker的yum源
yum-config-manager --add-repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
更新yum源緩存, 安裝docker-ce
$ sudo yum makecache fast
$ sudo yum install docker-ce
配置鏡像加速器
sudo mkdir -p /etc/docker
sudo tee /etc/docker/daemon.json <<-'EOF'
{
"registry-mirrors": ["https://zggyaen3.mirror.aliyuncs.com"]
}
EOF
sudo systemctl daemon-reload
sudo systemctl restart docker
普通用戶需要加入docker組
$ sudo usermod -a -G docker ${USER}
修改docker存儲位置(可以不改)
$ sudo systemctl stop docker
$ sudo mv /var/lib/docker /home/lan/docker
$ sudo ln -s /home/lan/docker /var/lib/docker
$ sudo systemctl start docker
$ sudo systemctl enable docker
- docker-compose安裝
$ sudo curl -L https://github.com/docker/compose/releases/download/1.23.2/docker-compose-`uname -s`-`uname -m` -o /usr/local/bin/docker-compose
$ sudo chmod +x /usr/local/bin/docker-compose
如果下載很慢可手動下載,再上傳至系統
下載路徑: https://github.com/docker/compose/releases/ 可以選擇對應的版本下載
部署jumpserver
-
下載jumpserver壓縮包
wget https://github.com/jumpserver/Dockerfile.git unzip Dockerfile-master.zip
-
使用shell腳本生成SECRET_KEY和BOOTSTRAP_TOKEN
if [ ! "$SECRET_KEY" ]; then SECRET_KEY=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 50`; echo "SECRET_KEY=$SECRET_KEY" >> ~/.bashrc; echo $SECRET_KEY; else echo $SECRET_KEY; fi if [ ! "$BOOTSTRAP_TOKEN" ]; then BOOTSTRAP_TOKEN=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 16`; echo "BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN" >> ~/.bashrc; echo $BOOTSTRAP_TOKEN; else echo $BOOTSTRAP_TOKEN; fi
-
修改.env文件,設置mysql,redis密碼
vim .env
# 版本號可以自己根據項目的版本修改 Version=1.5.9 # MySQL DB_HOST=192.168.150.45 DB_PORT=3306 DB_USER=jumpserver DB_PASSWORD=password DB_NAME=jumpserver # Redis REDIS_HOST=192.168.150.45 REDIS_PORT=6379 REDIS_PASSWORD=password # Core SECRET_KEY=15hMccXFn40TCKJETDnjlUhkZEXIAcq3E3aQ6T6LDmfLUN0oAV BOOTSTRAP_TOKEN=HT8qH0wSuyQjcNyh ## # SECRET_KEY 保護簽名數據的密匙, 首次安裝請一定要修改並牢記, 後續升級和遷移不可更改, 否則將導致加密的數據不可解密。 # BOOTSTRAP_TOKEN 爲組件認證使用的密鑰, 僅組件註冊時用。組件指 koko、guacamole
在150.45上修改docker-compose
vim docker-compose.yml
version: '3' # 由於測試環境資源有限,我的mysql跟redis也是部署在了150.45, 所以在150.26那臺上面指定mysql跟redis的地址就可以,不需要在啓動mysql和redis的容器 services: mysql: image: jumpserver/jms_mysql:${Version} container_name: jms_mysql restart: always tty: true environment: DB_PORT: $DB_PORT DB_USER: $DB_USER DB_PASSWORD: $DB_PASSWORD DB_NAME: $DB_NAME ports: - 3306:3306 volumes: - /opt/jumpserver/data/mysql-master:/var/lib/mysql - /opt/jumpserver/data/mysql-master.cnf:/etc/my.cnf networks: - jumpserver redis: image: jumpserver/jms_redis:${Version} container_name: jms_redis restart: always tty: true environment: REDIS_PORT: $REDIS_PORT REDIS_PASSWORD: $REDIS_PASSWORD ports: - 6379:6379 volumes: - /opt/jumpserver/data/redis-data:/var/lib/redis/ networks: - jumpserver core: image: jumpserver/jms_core:${Version} container_name: jms_core restart: always tty: true environment: SECRET_KEY: $SECRET_KEY BOOTSTRAP_TOKEN: $BOOTSTRAP_TOKEN DB_HOST: $DB_HOST DB_PORT: $DB_PORT DB_USER: $DB_USER DB_PASSWORD: $DB_PASSWORD DB_NAME: $DB_NAME REDIS_HOST: $REDIS_HOST REDIS_PORT: $REDIS_PORT REDIS_PASSWORD: $REDIS_PASSWORD depends_on: - mysql - redis volumes: - core-data:/opt/jumpserver/data networks: - jumpserver koko: image: jumpserver/jms_koko:${Version} container_name: jms_koko restart: always tty: true environment: CORE_HOST: http://core:8080 BOOTSTRAP_TOKEN: $BOOTSTRAP_TOKEN depends_on: - core - mysql - redis volumes: - koko-keys:/opt/koko/data/keys ports: - 2222:2222 networks: - jumpserver guacamole: image: jumpserver/jms_guacamole:${Version} container_name: jms_guacamole restart: always tty: true environment: JUMPSERVER_SERVER: http://core:8080 BOOTSTRAP_TOKEN: $BOOTSTRAP_TOKEN JUMPSERVER_KEY_DIR: /config/guacamole/keys GUACAMOLE_HOME: /config/guacamole GUACAMOLE_LOG_LEVEL: ERROR JUMPSERVER_ENABLE_DRIVE: 'true' depends_on: - core - mysql - redis volumes: - guacamole-keys:/config/guacamole/keys networks: - jumpserver nginx: image: jumpserver/jms_nginx:${Version} container_name: jms_nginx restart: always tty: true depends_on: - core - koko - mysql - redis volumes: - core-data:/opt/jumpserver/data ports: - 80:80 networks: - jumpserver volumes: mysql-data: redis-data: core-data: koko-keys: guacamole-keys: networks: jumpserver:
在150.26上修改docker-compose文件
version: '3' services: core: image: jumpserver/jms_core:${Version} container_name: jms_core restart: always tty: true environment: SECRET_KEY: $SECRET_KEY BOOTSTRAP_TOKEN: $BOOTSTRAP_TOKEN DB_HOST: $DB_HOST DB_PORT: $DB_PORT DB_USER: $DB_USER DB_PASSWORD: $DB_PASSWORD DB_NAME: $DB_NAME REDIS_HOST: $REDIS_HOST REDIS_PORT: $REDIS_PORT REDIS_PASSWORD: $REDIS_PASSWORD volumes: - /opt/jumpserver/data/core-data:/opt/jumpserver/data networks: - jumpserver koko: image: jumpserver/jms_koko:${Version} container_name: jms_koko restart: always tty: true environment: CORE_HOST: http://core:8080 BOOTSTRAP_TOKEN: $BOOTSTRAP_TOKEN depends_on: - core volumes: - /opt/jumpserver/data/koko-keys:/opt/koko/data/keys ports: - 2222:2222 networks: - jumpserver guacamole: image: jumpserver/jms_guacamole:${Version} container_name: jms_guacamole restart: always tty: true environment: JUMPSERVER_SERVER: http://core:8080 BOOTSTRAP_TOKEN: $BOOTSTRAP_TOKEN JUMPSERVER_KEY_DIR: /config/guacamole/keys GUACAMOLE_HOME: /config/guacamole GUACAMOLE_LOG_LEVEL: ERROR JUMPSERVER_ENABLE_DRIVE: 'true' depends_on: - core volumes: - /opt/jumpserver/data/guacamole-keys:/config/guacamole/keys networks: - jumpserver nginx: image: jumpserver/jms_nginx:${Version} container_name: jms_nginx restart: always tty: true depends_on: - core - koko volumes: - /opt/jumpserver/data/core-data:/opt/jumpserver/data ports: - 80:80 networks: - jumpserver volumes: core-data: koko-keys: guacamole-keys: networks: jumpserver:
- 啓動容器
docker-compose up -d
- 打開瀏覽器訪問150.45和150.26,默認賬號密碼是admin, 在瀏覽器上測試數據是否會同步