基于docker-compose部署jumpserver_docker的jumpserver/koko容器中config.yml中sshd_port参数需要打

基于docker-compose部署jumpserver

组件说明

Jumpserver 为管理后台, 管理员可以通过 Web 页面进行资产管理、用户管理、资产授权等操作, 用户可以通过 Web 页面进行资产登录, 文件管理等操作
koko 为 SSH Server 和 Web Terminal Server 。用户可以使用自己的账户通过 SSH 或者 Web Terminal 访问 SSH 协议和 Telnet 协议资产
Luna 为 Web Terminal Server 前端页面, 用户使用 Web Terminal 方式登录所需要的组件
Guacamole 为 RDP 协议和 VNC 协议资产组件, 用户可以通过 Web Terminal 来连接 RDP 协议和 VNC 协议资产 (暂时只能通过 Web Terminal 来访问)

端口说明

Jumpserver 默认 Web 端口为 8080/tcp, 默认 WS 端口为 8070/tcp, 配置文件 jumpserver/config.yml
koko 默认 SSH 端口为 2222/tcp, 默认 Web Terminal 端口为 5000/tcp 配置文件在 koko/config.yml
Guacamole 默认端口为 8081/tcp, 配置文件 /config/tomcat9/conf/server.xml
Nginx 默认端口为 80/tcp
Redis 默认端口为 6379/tcp
Mysql 默认端口为 3306/tcp

环境

系统: Centos 7

NFS-server: 192.168.150.192

数据库 IP: 192.168.150.45

Redis ip: 192.168.150.45

Jumpserver IP: 192.168.150.45 192.168.150.26

koko IP: 192.168.150.45 192.168.150.26

Guacamole IP: 192.168.150.45 192.168.150.26

Tengine 代理IP: 192.168.150.45 192.168.150.26

安全设置

ssh、telnet协议 资产的防火墙设置允许 koko 与 jumpserver 访问

rdp协议 资产的防火墙设置允许 guacamole 与jumpserver 访问

防火墙设置

根据需求开放对应的端口,或者直接关闭防火墙

systemctl stop firewalld.service
systemctl disable firewalld.service

NFS部署

1. 安装epel库

   yum -y install epel-release wget
   

2. 安装nfs-server

   yum -y install nfs-utils rpcbind
   systemctl enable rpcbind nfs-server nfs-lock nfs-idmap
   systemctl start rpcbind nfs-server nfs-lock nfs-idmap
   

3. 创建NFS共享目录

   mkdir /data
   

4. 设置NFS访问权限

   vim /etc/exports
   /data 192.168.150.*(rw,sync,no_root_squash)
   

   /data 是刚才创建的将被共享的目录, 192.168.150. 表示整个 192.168.150. 的资产都有括号里面的权限
   也可以写具体的授权对象 /data 192.168.150.45(rw,sync,no_root_squash) 192.168.150.26(rw,sync,no_root_squash)

5. 使exports生效

   exportfs -a
   

6. 安装nfs-client (150.45 and 150.26)

   showmount -e 192.168.150.192
   mkdir -p /opt/jumpserver/data
   restorecon -R /opt/jumpserver/data/
   mount -t nfs 192.168.150.192:/data /opt/jumpserver/data
   echo "192.168.150.192:/data /opt/jumpserver/data nfs defaults 0 0" >> /etc/fstab
   

docker-compose部署

1. 安装docker

安装以下依赖包

yum install -y yum-utils device-mapper-persistent-data lvm2

添加docker的yum源

yum-config-manager --add-repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo

更新yum源缓存， 安装docker-ce

$ sudo yum makecache fast
$ sudo yum install docker-ce

配置镜像加速器

sudo mkdir -p /etc/docker
sudo tee /etc/docker/daemon.json <<-'EOF'
{
  "registry-mirrors": ["https://zggyaen3.mirror.aliyuncs.com"]
}
EOF
sudo systemctl daemon-reload
sudo systemctl restart docker

普通用户需要加入docker组

$ sudo usermod -a -G docker ${USER}

修改docker存储位置(可以不改)

$ sudo systemctl stop docker
$ sudo mv /var/lib/docker /home/lan/docker
$ sudo ln -s /home/lan/docker /var/lib/docker
$ sudo systemctl start docker
$ sudo systemctl enable docker

1. docker-compose安装

$ sudo curl -L https://github.com/docker/compose/releases/download/1.23.2/docker-compose-`uname -s`-`uname -m` -o /usr/local/bin/docker-compose
$ sudo chmod +x /usr/local/bin/docker-compose

如果下载很慢可手动下载，再上传至系统

下载路径: https://github.com/docker/compose/releases/ 可以选择对应的版本下载

部署jumpserver

1. 下载jumpserver压缩包

   wget https://github.com/jumpserver/Dockerfile.git
   unzip Dockerfile-master.zip
   

2. 使用shell脚本生成SECRET_KEY和BOOTSTRAP_TOKEN

   if [ ! "$SECRET_KEY" ]; then
    SECRET_KEY=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 50`;
    echo "SECRET_KEY=$SECRET_KEY" >> ~/.bashrc;
    echo $SECRET_KEY;
   else
    echo $SECRET_KEY;
   fi  
   if [ ! "$BOOTSTRAP_TOKEN" ]; then
    BOOTSTRAP_TOKEN=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 16`;
    echo "BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN" >> ~/.bashrc;
    echo $BOOTSTRAP_TOKEN;
   else
    echo $BOOTSTRAP_TOKEN;
   fi
   

3. 修改.env文件,设置mysql,redis密码

   vim .env
   

   # 版本号可以自己根据项目的版本修改
   Version=1.5.9
    
   # MySQL
   DB_HOST=192.168.150.45
   DB_PORT=3306
   DB_USER=jumpserver
   DB_PASSWORD=password
   DB_NAME=jumpserver
    
   # Redis
   REDIS_HOST=192.168.150.45
   REDIS_PORT=6379
   REDIS_PASSWORD=password
    
   # Core
   SECRET_KEY=15hMccXFn40TCKJETDnjlUhkZEXIAcq3E3aQ6T6LDmfLUN0oAV
   BOOTSTRAP_TOKEN=HT8qH0wSuyQjcNyh
    
   ##
   # SECRET_KEY 保护签名数据的密匙, 首次安装请一定要修改并牢记, 后续升级和迁移不可更改, 否则将导致加密的数据不可解密。
   # BOOTSTRAP_TOKEN 为组件认证使用的密钥, 仅组件注册时用。组件指 koko、guacamole
   

   在150.45上修改docker-compose

   vim docker-compose.yml
   

   version: '3' # 由于测试环境资源有限,我的mysql跟redis也是部署在了150.45, 所以在150.26那台上面指定mysql跟redis的地址就可以,不需要在启动mysql和redis的容器
   services:
    mysql:
      image: jumpserver/jms_mysql:${Version}
      container_name: jms_mysql
      restart: always
      tty: true
      environment:
        DB_PORT: $DB_PORT
        DB_USER: $DB_USER
        DB_PASSWORD: $DB_PASSWORD
        DB_NAME: $DB_NAME
      ports:
        - 3306:3306
      volumes:
        - /opt/jumpserver/data/mysql-master:/var/lib/mysql
        - /opt/jumpserver/data/mysql-master.cnf:/etc/my.cnf
      networks:
        - jumpserver
    
    redis:
      image: jumpserver/jms_redis:${Version}
      container_name: jms_redis
      restart: always
      tty: true
      environment:
        REDIS_PORT: $REDIS_PORT
        REDIS_PASSWORD: $REDIS_PASSWORD
      ports:
        - 6379:6379
      volumes:
        - /opt/jumpserver/data/redis-data:/var/lib/redis/
      networks:
        - jumpserver
    
    core:
      image: jumpserver/jms_core:${Version}
      container_name: jms_core
      restart: always
      tty: true
      environment:
        SECRET_KEY: $SECRET_KEY
        BOOTSTRAP_TOKEN: $BOOTSTRAP_TOKEN
        DB_HOST: $DB_HOST
        DB_PORT: $DB_PORT
        DB_USER: $DB_USER
        DB_PASSWORD: $DB_PASSWORD
        DB_NAME: $DB_NAME
        REDIS_HOST: $REDIS_HOST
        REDIS_PORT: $REDIS_PORT
        REDIS_PASSWORD: $REDIS_PASSWORD
      depends_on:
        - mysql
        - redis
      volumes:
        - core-data:/opt/jumpserver/data
      networks:
        - jumpserver
    
    koko:
      image: jumpserver/jms_koko:${Version}
      container_name: jms_koko
      restart: always
      tty: true
      environment:
        CORE_HOST: http://core:8080
        BOOTSTRAP_TOKEN: $BOOTSTRAP_TOKEN
      depends_on:
        - core
        - mysql
        - redis
      volumes:
        - koko-keys:/opt/koko/data/keys
      ports:
        - 2222:2222
      networks:
        - jumpserver
    
    guacamole:
      image: jumpserver/jms_guacamole:${Version}
      container_name: jms_guacamole
      restart: always
      tty: true
      environment:
        JUMPSERVER_SERVER: http://core:8080
        BOOTSTRAP_TOKEN: $BOOTSTRAP_TOKEN
        JUMPSERVER_KEY_DIR: /config/guacamole/keys
        GUACAMOLE_HOME: /config/guacamole
        GUACAMOLE_LOG_LEVEL: ERROR
        JUMPSERVER_ENABLE_DRIVE: 'true'
      depends_on:
        - core
        - mysql
        - redis
      volumes:
        - guacamole-keys:/config/guacamole/keys
      networks:
        - jumpserver
    
    nginx:
      image: jumpserver/jms_nginx:${Version}
      container_name: jms_nginx
      restart: always
      tty: true
      depends_on:
        - core
        - koko
        - mysql
        - redis
      volumes:
        - core-data:/opt/jumpserver/data
      ports:
        - 80:80
      networks:
        - jumpserver
    
   volumes:
    mysql-data:
    redis-data:
    core-data:
    koko-keys:
    guacamole-keys:
    
   networks:
    jumpserver:
   

   在150.26上修改docker-compose文件

   version: '3'
   services:
    core:
      image: jumpserver/jms_core:${Version}
      container_name: jms_core
      restart: always
      tty: true
      environment:
        SECRET_KEY: $SECRET_KEY
        BOOTSTRAP_TOKEN: $BOOTSTRAP_TOKEN
        DB_HOST: $DB_HOST
        DB_PORT: $DB_PORT
        DB_USER: $DB_USER
        DB_PASSWORD: $DB_PASSWORD
        DB_NAME: $DB_NAME
        REDIS_HOST: $REDIS_HOST
        REDIS_PORT: $REDIS_PORT
        REDIS_PASSWORD: $REDIS_PASSWORD
      volumes:
        - /opt/jumpserver/data/core-data:/opt/jumpserver/data
      networks:
        - jumpserver
    
    koko:
      image: jumpserver/jms_koko:${Version}
      container_name: jms_koko
      restart: always
      tty: true
      environment:
        CORE_HOST: http://core:8080
        BOOTSTRAP_TOKEN: $BOOTSTRAP_TOKEN
      depends_on:
        - core
      volumes:
        - /opt/jumpserver/data/koko-keys:/opt/koko/data/keys
      ports:
        - 2222:2222
      networks:
        - jumpserver
    
    guacamole:
      image: jumpserver/jms_guacamole:${Version}
      container_name: jms_guacamole
      restart: always
      tty: true
      environment:
        JUMPSERVER_SERVER: http://core:8080
        BOOTSTRAP_TOKEN: $BOOTSTRAP_TOKEN
        JUMPSERVER_KEY_DIR: /config/guacamole/keys
        GUACAMOLE_HOME: /config/guacamole
        GUACAMOLE_LOG_LEVEL: ERROR
        JUMPSERVER_ENABLE_DRIVE: 'true'
      depends_on:
        - core
      volumes:
        - /opt/jumpserver/data/guacamole-keys:/config/guacamole/keys
      networks:
        - jumpserver
    
    nginx:
      image: jumpserver/jms_nginx:${Version}
      container_name: jms_nginx
      restart: always
      tty: true
      depends_on:
        - core
        - koko
      volumes:
        - /opt/jumpserver/data/core-data:/opt/jumpserver/data
      ports:
        - 80:80
      networks:
        - jumpserver
    
   volumes:
    core-data:
    koko-keys:
    guacamole-keys:
    
   networks:
    jumpserver:
   

4. 启动容器

docker-compose up -d

1. 打开浏览器访问150.45和150.26,默认账号密码是admin, 在浏览器上测试数据是否会同步