1 JumpSrv Deployment (Docker)
Difference between a bastion host and a VPN
A VPN is a layer-4 service: it only forwards requests to the backend servers.
A bastion host is a layer-7 service, so it can support features such as per-user permission management.
Lab environment
Two CentOS 7 hosts
JumpSrv 1.5.9
MySQL 5.6.49, Redis 4.0.14
1. Deploy Docker on both the JumpSrv server and the database server
Alibaba open-source mirror site - OPSX mirror - Alibaba Cloud developer community (aliyun.com)
docker-ce mirror - docker-ce download - docker-ce installation guide - Alibaba open-source mirror site (aliyun.com)
[13:09:14 root@jumpsrv ~]#vim docker_install.sh
# Step 1: install the required system tools
sudo yum install -y yum-utils device-mapper-persistent-data lvm2
# Step 2: add the repository
sudo yum-config-manager --add-repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
# Step 3: refresh the cache and install Docker CE
sudo yum makecache fast
sudo yum -y install docker-ce
# Step 4: start the Docker service
sudo service docker start
[13:09:27 root@database ~]#vim docker_install.sh
# Step 1: install the required system tools
sudo yum install -y yum-utils device-mapper-persistent-data lvm2
# Step 2: add the repository
sudo yum-config-manager --add-repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
# Step 3: refresh the cache and install Docker CE
sudo yum makecache fast
sudo yum -y install docker-ce
# Step 4: start the Docker service
sudo service docker start
2. Deploy MySQL 5.6.49 on the database server
[13:25:51 root@database ~]#docker pull mysql:5.6.49
Start a MySQL container
[13:46:43 root@database ~]#docker run -it --rm -p3306:3306 mysql:5.6.49 bash
[13:48:25 root@database ~]#docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
46f8ecd4b811 mysql:5.6.49 "docker-entrypoint.s…" 7 seconds ago Up 7 seconds 0.0.0.0:3306->3306/tcp awesome_bassi
Open another terminal and copy the configuration files from the container to the host
[13:41:51 root@database ~]#mkdir -p /etc/mysql/mysql.conf.d # server configuration file
[13:48:27 root@database ~]#docker cp 46f8ecd4b811:/etc/mysql/mysql.conf.d/mysqld.cnf /etc/mysql/mysql.conf.d/mysqld.cnf
[13:53:41 root@database ~]#mkdir -p /etc/mysql/conf.d # client configuration file
[13:53:47 root@database ~]#docker cp 46f8ecd4b811:/etc/mysql/conf.d/mysql.cnf /etc/mysql/conf.d/mysql.cnf
Change the MySQL character set to utf8
[13:48:50 root@database ~]#vim /etc/mysql/mysql.conf.d/mysqld.cnf
...
character-set-server=utf8
[13:55:34 root@database ~]#vim /etc/mysql/conf.d/mysql.cnf
[mysql]
default-character-set=utf8
Create a directory on the host for the MySQL data, so that the data lives on the host and is not lost when the container is stopped
[13:56:17 root@database ~]#mkdir /data/mysql -p
Exit the container created earlier
[13:48:15 root@database ~]#docker run -it --rm -p3306:3306 mysql:5.6.49 bash
root@46f8ecd4b811:/# exit
exit
Run the MySQL container. The two .cnf mounts put the configuration files prepared on the host into the container; the MySQL container keeps its data under /var/lib/mysql, so the host data directory /data/mysql is mounted there.
[14:02:45 root@database ~]#docker run -d -p 3306:3306 \
-v /etc/mysql/mysql.conf.d/mysqld.cnf:/etc/mysql/mysql.conf.d/mysqld.cnf \
-v /etc/mysql/conf.d/mysql.cnf:/etc/mysql/conf.d/mysql.cnf \
-v /data/mysql:/var/lib/mysql -e MYSQL_ROOT_PASSWORD='Aa112211' \
mysql:5.6.49
4e8620eec63776e50ec605e2b0368f9428a2c4f1c1155df08e0cdc805e57a15c
Verify that the container is running normally
[15:17:38 root@database ~]#docker logs -f a9dd6848d990
...
2020-12-01 08:44:59 1 [Note] Server hostname (bind-address): '*'; port: 3306
2020-12-01 08:44:59 1 [Note] IPv6 is available.
2020-12-01 08:44:59 1 [Note] - '::' resolves to '::';
2020-12-01 08:44:59 1 [Note] Server socket created on IP: '::'.
2020-12-01 08:44:59 1 [Warning] Insecure configuration for --pid-file: Location '/var/run/mysqld' in the path is accessible to all OS users. Consider choosing a different directory.
2020-12-01 08:44:59 1 [Warning] 'proxies_priv' entry '@ root@569bd6f7a9e9' ignored in --skip-name-resolve mode.
2020-12-01 08:44:59 1 [Note] Event Scheduler: Loaded 0 events
2020-12-01 08:44:59 1 [Note] mysqld: ready for connections.
Version: '5.6.49' socket: '/var/run/mysqld/mysqld.sock' port: 3306 MySQL Community Server (GPL)
Test the MySQL connection from the JumpSrv server
[16:35:00 root@jumpsrv ~]#mysql -uroot -h10.0.0.227 -pAa112211
MySQL [(none)]> select user,host,password from mysql.user;
+------+-----------+-------------------------------------------+
| user | host      | password                                  |
+------+-----------+-------------------------------------------+
| root | localhost | *FA87043B7B7E24E31F1B8E34AD2AEC2C2AA66D40 |
| root | %         | *FA87043B7B7E24E31F1B8E34AD2AEC2C2AA66D40 |
+------+-----------+-------------------------------------------+
2 rows in set (0.00 sec)
The root account (host '%') can connect from any host.
3. Create the JumpSrv database in MySQL
MySQL [(none)]> create database jumpserver default charset 'utf8' collate 'utf8_bin';
Query OK, 1 row affected (0.01 sec)
MySQL [(none)]> grant all on jumpserver.* to 'jumpserver'@'%' identified by 'Aa112211';
Query OK, 0 rows affected (0.00 sec)
The password of the jumpserver user must not be purely numeric; MySQL itself runs fine with such a password, but JumpSrv then has problems connecting to MySQL.
Test that the JumpSrv server can connect to MySQL with the jumpserver user just created
[17:48:33 root@jumpsrv ~]#mysql -ujumpserver -h10.0.0.227 -p
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MySQL connection id is 5
Server version: 5.6.49 MySQL Community Server (GPL)
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MySQL [(none)]>
MySQL [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| jumpserver         |
+--------------------+
2 rows in set (0.01 sec)
4. Deploy Redis 4.0.14 on the database server
[18:24:23 root@database ~]#docker pull redis:4.0.14
Start the Redis container. To tune Redis, copy its configuration file to the host and edit it as needed.
[18:25:24 root@database ~]#docker run -d -p 6379:6379 redis:4.0.14
[18:26:28 root@database ~]#docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
a4d485f350d8 redis:4.0.14 "docker-entrypoint.s…" 38 seconds ago Up 38 seconds 0.0.0.0:6379->6379/tcp hopeful_cartwright
569bd6f7a9e9 mysql:5.6.49 "docker-entrypoint.s…" 2 hours ago Up 2 hours 0.0.0.0:3306->3306/tcp interesting_napier
Test that the JumpSrv server can reach Redis
[18:28:00 root@jumpsrv ~]#yum -y install redis
[18:28:19 root@jumpsrv ~]#redis-cli -h 10.0.0.227
10.0.0.227:6379> info
# Server
redis_version:4.0.14
...
5. Deploy JumpSrv 1.5.9 on the JumpServer server
[18:40:45 root@jumpsrv ~]#docker pull jumpserver/jms_all:1.5.9
Generate random secret keys
[18:28:49 root@jumpsrv ~]#if [ ! "$SECRET_KEY" ]; then
> SECRET_KEY=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 50`;
> echo "SECRET_KEY=$SECRET_KEY" >> ~/.bashrc;
> echo $SECRET_KEY;
> else
> echo $SECRET_KEY;
> fi
9phjC0oBxiJvOgdPr8dXcKj4oRJ9iWGSgr2kwzKE4Yceh19iHv
[18:32:15 root@jumpsrv ~]#if [ ! "$BOOTSTRAP_TOKEN" ]; then
> BOOTSTRAP_TOKEN=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 16`;
> echo "BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN" >> ~/.bashrc;
> echo $BOOTSTRAP_TOKEN;
> else
> echo $BOOTSTRAP_TOKEN;
> fi
keinFlGQZTSOUqXl
Start the JumpSrv container
docker run --name jms_all -d \
-v /opt/jumpserver/data:/opt/jumpserver/data \
-p 80:80 \
-p 2222:2222 \
-e SECRET_KEY=9phjC0oBxiJvOgdPr8dXcKj4oRJ9iWGSgr2kwzKE4Yceh19iHv \
-e BOOTSTRAP_TOKEN=keinFlGQZTSOUqXl \
-e DB_HOST=10.0.0.227 \
-e DB_PORT=3306 \
-e DB_USER=jumpserver \
-e DB_PASSWORD=Aa112211 \
-e DB_NAME=jumpserver \
-e REDIS_HOST=10.0.0.227 \
-e REDIS_PORT=6379 \
-e REDIS_PASSWORD= \
--privileged=true \
jumpserver/jms_all:1.5.9
[18:47:54 root@jumpsrv ~]#docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
0ab070c6a261 jumpserver/jms_all:1.5.9 "./entrypoint.sh" 30 seconds ago Up 28 seconds 0.0.0.0:80->80/tcp, 0.0.0.0:2222->2222/tcp jms_all
[18:49:29 root@jumpsrv ~]#docker logs -f 0ab070c6a261
Starting guacd: SUCCESS
Tomcat started.
Jumpserver ALL 1.5.9
官网 http://www.jumpserver.org
文档 http://docs.jumpserver.org
有问题请参考 http://docs.jumpserver.org/zh/docs/faq.html
进入容器命令 docker exec -it jms_all /bin/bash
6. After the container starts, it initializes JumpSrv and creates the corresponding database tables
MySQL [(none)]> show tables from jumpserver;
+----------------------------------------------+
| Tables_in_jumpserver                         |
+----------------------------------------------+
| applications_databaseapp                     |
| applications_remoteapp                       |
| assets_adminuser                             |
| assets_asset                                 |
...
7. Test access to JumpSrv
The default username and password are both admin
8. Troubleshooting
If either the MySQL container or the Redis container goes down, accessing JumpSrv from the front end returns Internal Server Error.
MySQL failure: because MySQL runs as a container and all data is stored on the host, once the MySQL container fails you can simply start a new container; it uses the data on the host.
docker run -d -p 3306:3306 -v /etc/mysql/mysql.conf.d/mysqld.cnf:/etc/mysql/mysql.conf.d/mysqld.cnf -v /etc/mysql/conf.d/mysql.cnf:/etc/mysql/conf.d/mysql.cnf -v /data/mysql:/var/lib/mysql -e MYSQL_ROOT_PASSWORD="Aa112211" mysql:5.6.49
1d234950c4a36cf84fecd40465341ffb7eb8d1674298ac2c36ec4984092d34bc
Redis failure: same as MySQL, just start a new Redis container.
JumpSrv container failure: first regenerate the secret keys (the snippet in step 5 prints the SECRET_KEY and BOOTSTRAP_TOKEN already saved in ~/.bashrc), then start a new container.
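As an added example (not code from the original post or from the JumpServer project), the script below reworks the key generation from step 5 and the recovery step above: it persists SECRET_KEY and BOOTSTRAP_TOKEN in a root-only file so the same key is reused when the jms_all container is recreated, rejects a purely numeric DB password as step 3 warns, and passes all settings to docker run through --env-file. The file paths and function names are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: generate the JumpSrv secrets as the
# post does, but store them in a root-only file instead of ~/.bashrc and pass all
# settings via --env-file so they stay off the command line and out of shell
# history. Paths and function names are assumptions.
set -eu

# Print the value of $2 from file $1, generating a random alphanumeric value of
# length $3 and appending it when absent. Reusing the stored SECRET_KEY is what
# lets a rebuilt jms_all container read the data written by the old one.
load_or_create_secret() {
    local file=$1 name=$2 length=$3 value
    touch "$file" && chmod 600 "$file"
    value=$(grep "^${name}=" "$file" | head -n 1 | cut -d= -f2-)
    if [ -z "$value" ]; then
        value=$(head -c 1024 /dev/urandom | tr -dc 'A-Za-z0-9' | head -c "$length")
        echo "${name}=${value}" >> "$file"
    fi
    printf '%s' "$value"
}

# The post notes that a purely numeric MySQL password breaks JumpSrv's database
# connection even though MySQL itself accepts it; reject such a value up front.
validate_db_password() {
    case "$1" in
        *[!0-9]*) return 0 ;;   # contains at least one non-digit character
        *) echo "DB_PASSWORD must not be purely numeric" >&2; return 1 ;;
    esac
}

# Write the complete env file ($2) for the jms_all image from the secrets file
# ($1) plus the database host, database password and Redis host ($3..$5).
write_jms_env() {
    local secrets=$1 out=$2 db_host=$3 db_password=$4 redis_host=$5
    validate_db_password "$db_password"
    touch "$out" && chmod 600 "$out"
    {
        echo "SECRET_KEY=$(load_or_create_secret "$secrets" SECRET_KEY 50)"
        echo "BOOTSTRAP_TOKEN=$(load_or_create_secret "$secrets" BOOTSTRAP_TOKEN 16)"
        printf 'DB_HOST=%s\nDB_PORT=3306\nDB_USER=jumpserver\n' "$db_host"
        printf 'DB_PASSWORD=%s\nDB_NAME=jumpserver\n' "$db_password"
        printf 'REDIS_HOST=%s\nREDIS_PORT=6379\nREDIS_PASSWORD=\n' "$redis_host"
    } > "$out"
}

# Usage on the JumpSrv host with the post's values (paths are assumptions):
#   write_jms_env /opt/jumpserver/jms_secrets.env /opt/jumpserver/jms.env \
#       10.0.0.227 'Aa112211' 10.0.0.227
#   docker run --name jms_all -d -v /opt/jumpserver/data:/opt/jumpserver/data \
#       -p 80:80 -p 2222:2222 --privileged=true --env-file /opt/jumpserver/jms.env jumpserver/jms_all:1.5.9
```

Running write_jms_env a second time after a container failure reads the stored keys back from the secrets file rather than generating new ones, which is the property the recovery step depends on.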