目录
简介
为了保证服务器安全,加个堡垒机,所有ssh连接都通过堡垒机来完成,堡垒机也需要有身份认证,授权,访问控制,审计等功能。
Jumpserver 是一款由python编写开源的跳板机(堡垒机)系统,实现了跳板机应有的功能。基于ssh协议来管理,客户端无需安装agent。
在公司中,分配人员服务器权限也是相当方便,如:来一个新人,在Jumpserver分配Jumpserver账号即可,人员离职,在Jumpserver删掉人员账号即可。无需担心人员离职留下后门,当然前提是检查防火墙,只允许Jumpserver服务器有其他服务器的ssh的权限。
目前市面上已经有很多jumpserver产品提供使用,这里就介绍最广泛的一款。
环境介绍
- 按照此方式部署后,后续只需要根据需要扩容 JumpServer 节点然后添加节点到 HAProxy 即可
- 如果已经有 HLB 或者 SLB 可以跳过 HAProxy 部署,第三方 LB 要注意 session 和 websocket 问题
- 如果已经有 云存储 (* S3/Ceph/Swift/OSS/Azure) 可以跳过 MinIO 部署,MySQL Redis 也一样
- 生产环境中,应该使用 Ceph 等替代 NFS,或者部署高可用的 NFS 防止单点故障
- 系统环境为:Centos7
| Server Name | IP | Port | Use |
| Fastdfs | 192.168.100.11 | Core | |
| MySQL | 192.168.100.12 | 3306 | Core |
| Redis | 192.168.100.13 | 6379 | Core, Koko, Lion |
| HAProxy | 192.168.100.100 | 80,443,2222,33060,33061 | All |
| JumpServer 01 | 192.168.100.21 | 80,2222,33060,33061 | HAProxy |
| JumpServer 02 | 192.168.100.22 | 80,2222,33060,33061 | HAProxy |
| JumpServer 03 | 192.168.100.23 | 80,2222,33060,33061 | HAProxy |
| JumpServer 04 | 192.168.100.24 | 80,2222,33060,33061 | HAProxy |
| MinIO | 192.168.100.41 | 9000,9001 | Core, KoKo, Lion |
| Elasticsearch | 192.168.100.51 | 9200,9300 | Core, KoKo |
| Server Name | Minimize Hardware | Standard Hardware | Null |
| Fastdfs | 2Core/8GB RAM/100G HDD | 4Core/16GB RAM/1T SSD | Null |
| MySQL | 2Core/8GB RAM/90G HDD | 4Core/16GB RAM/1T SSD | Null |
| Redis | 2Core/8GB RAM/90G HDD | 4Core/16GB RAM/1T SSD | Null |
| HAProxy | 2Core/4GB RAM/60G HDD | 4Core/8GB RAM/60G SSD | Null |
| JumpServer 01 | 2Core/8GB RAM/60G HDD | 4Core/8GB RAM/90G SSD | Null |
| JumpServer 02 | 2Core/8GB RAM/60G HDD | 4Core/8GB RAM/90G SSD | Null |
| JumpServer 03 | 2Core/8GB RAM/60G HDD | 4Core/8GB RAM/90G SSD | Null |
| JumpServer 04 | 2Core/8GB RAM/60G HDD | 4Core/8GB RAM/90G SSD | Null |
| MinIO | 2Core/4GB RAM/100G HDD | 4Core/8GB RAM/1T SSD | Null |
| Elasticsearch | 2Core/4GB RAM/100G HDD | 4Core/8GB RAM/1T SSD | Null |
部署NFS
安装依赖
yum -y install epel-release安装 NFS
yum -y install nfs-utils rpcbind启动 NFS
systemctl enable rpcbind nfs-server nfs-lock nfs-idmap
systemctl start rpcbind nfs-server nfs-lock nfs-idmap配置防火墙
firewall-cmd --add-service=nfs --permanent --zone=public
firewall-cmd --add-service=mountd --permanent --zone=public
firewall-cmd --add-service=rpc-bind --permanent --zone=public
firewall-cmd --reload配置 NFS
mkdir /data
chmod 777 -R /data
vi /etc/exports
# 设置 NFS 访问权限, /data 是刚才创建的将被共享的目录,192.168.100.* 表示整个 192.168.100.* 的资产都有括号里面的权限
# 也可以写具体的授权对象 /data 192.168.100.30(rw,sync,no_root_squash)192.168.100.31(rw,sync,no_root_squash)
/data 192.168.100.*(rw,sync,all_squash,anonuid=0,anongid=0)
exportfs -a安装MySQL
设置Repo
yum -y localinstall http://mirrors.ustc.edu.cn/mysql-repo/mysql57-community-release-el7.rpm安装MySQL
yum install -y mysql-community-server配置MySQL
if [ ! "$(cat /usr/bin/mysqld_pre_systemd | grep -v ^\# | grep initialize-insecure )" ]; then
sed -i "s@--initialize @--initialize-insecure @g" /usr/bin/mysqld_pre_systemd
fi启动MySQL
systemctl enable mysqld
systemctl start mysqldMySQL授权
mysql -uroot
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 2
Server version: 5.7.32 MySQL Community Server (GPL)
Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> create database jumpserver default charset 'utf8';
Query OK, 1 row affected (0.00 sec)
mysql> set global validate_password_policy=LOW;
Query OK, 0 rows affected (0.00 sec)
mysql> create user 'jumpserver'@'%' identified by 'KXOeyNgDeTdpeu9q';
Query OK, 0 rows affected (0.00 sec)
mysql> grant all on jumpserver.* to 'jumpserver'@'%';
Query OK, 0 rows affected, 1 warning (0.00 sec)
mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)
mysql> exit
Bye配置防火墙
firewall-cmd --permanent --add-rich-rule="rule family="ipv4" source address="192.168.100.0/24" port protocol="tcp" port="3306" accept"
firewall-cmd --reload部署Redis
设置repo
yum -y install epel-release https://repo.ius.io/ius-release-el7.rpm安装 Redis
yum install -y redis5配置 Redis
sed -i "s/bind 127.0.0.1/bind 0.0.0.0/g" /etc/redis.conf
sed -i "561i maxmemory-policy allkeys-lru" /etc/redis.conf
sed -i "481i requirepass KXOeyNgDeTdpeu9q" /etc/redis.conf启动 Redis
systemctl enable redis
systemctl start redis配置防火墙
firewall-cmd --permanent --add-rich-rule="rule family="ipv4" source address="192.168.100.0/24" port protocol="tcp" port="6379" accept"
firewall-cmd --reload部署Jump Server01
配置 NFS
yum -y install nfs-utils
showmount -e 192.168.100.11
# 将 Core 持久化目录挂载到 NFS, 默认 /opt/jumpserver/core/data, 请根据实际情况修改# JumpServer 持久化目录定义相关参数为 VOLUME_DIR, 在安装 JumpServer 过程中会提示
mkdir /opt/jumpserver/core/data
mount -t nfs 192.168.100.11:/data /opt/jumpserver/core/data
# 可以写入到 /etc/fstab, 重启自动挂载. 注意: 设置后如果 nfs 损坏或者无法连接该服务器将无法启动
echo"192.168.100.11:/data /opt/jumpserver/core/data nfs defaults 0 0" >> /etc/fstab下载 jumpserver-install
cd /opt
yum -y install wget
wget https://github.com/jumpserver/installer/releases/download/v2.28.8/jumpserver-installer-v2.28.8.tar.gz
tar -xf jumpserver-installer-v2.28.8.tar.gz
cd jumpserver-installer-v2.28.8修改配置文件
vi config-example.txt
# 修改下面选项, 其他保持默认, 请勿直接复制此处内容
### 注意: SECRET_KEY 和要其他 JumpServer 服务器一致, 加密的数据将无法解密
# 安装配置
### 注意持久化目录 VOLUME_DIR, 如果上面 NFS 挂载其他目录, 此处也要修改. 如: NFS 挂载到 /data/jumpserver/core/data, 则 VOLUME_DIR=/data/jumpserver
VOLUME_DIR=/opt/jumpserver
# Core 配置
### 启动后不能再修改,否则密码等等信息无法解密, 请勿直接复制下面的字符串
SECRET_KEY=kWQdmdCQKjaWlHYpPhkNQDkfaRulM6YnHctsHLlSPs8287o2kW
# 要其他 JumpServer 服务器一致 (*)BOOTSTRAP_TOKEN=KXOeyNgDeTdpeu9q # 要其他 JumpServer 服务器一致 (*)LOG_LEVEL=ERROR # 日志等级
# SESSION_COOKIE_AGE=86400SESSION_EXPIRE_AT_BROWSER_CLOSE=True # 关闭浏览器 session 过期
# MySQL 配置
DB_HOST=192.168.100.13
DB_PORT=3306DB_USER=jumpserver
DB_PASSWORD=KXOeyNgDeTdpeu9q
DB_NAME=jumpserver
# Redis 配置
REDIS_HOST=192.168.100.12
REDIS_PORT=6379REDIS_PASSWORD=KXOeyNgDeTdpeu9q
# KoKo Lion 配置
SHARE_ROOM_TYPE=redis # KoKo Lion 使用 redis 共享
REUSE_CONNECTION=False # Koko 禁用连接复用./jmsctl.sh install
██╗██╗ ██╗███╗ ███╗██████╗ ███████╗███████╗██████╗ ██╗ ██╗███████╗██████╗ ██║██║ ██║████╗ ████║██╔══██╗██╔════╝██╔════╝██╔══██╗██║ ██║██╔════╝██╔══██╗ ██║██║ ██║██╔████╔██║██████╔╝███████╗█████╗ ██████╔╝██║ ██║█████╗ ██████╔╝ ██ ██║██║ ██║██║╚██╔╝██║██╔═══╝ ╚════██║██╔══╝ ██╔══██╗╚██╗ ██╔╝██╔══╝ ██╔══██╗ ╚█████╔╝╚██████╔╝██║ ╚═╝ ██║██║ ███████║███████╗██║ ██║ ╚████╔╝ ███████╗██║ ██║ ╚════╝ ╚═════╝ ╚═╝ ╚═╝╚═╝ ╚══════╝╚══════╝╚═╝ ╚═╝ ╚═══╝ ╚══════╝╚═╝ ╚═╝ Version: v2.28.8
1. 检查配置文件
配置文件位置: /opt/jumpserver/config
/opt/jumpserver/config/config.txt [ √ ]
/opt/jumpserver/config/nginx/lb_rdp_server.conf [ √ ]
/opt/jumpserver/config/nginx/lb_ssh_server.conf [ √ ]
/opt/jumpserver/config/nginx/cert/server.crt [ √ ]
/opt/jumpserver/config/nginx/cert/server.key [ √ ]
完成
2. 备份配置文件备份至 /opt/jumpserver/config/backup/config.txt.2021-07-15_22-26-13
完成
>>> 安装配置 Docker
1. 安装 Docker
开始下载 Docker 程序 ...
开始下载 Docker Compose 程序 ...
完成
2. 配置 Docker
是否需要自定义 docker 存储目录, 默认将使用目录 /var/lib/docker? (y/n) (默认为n): n
完成
3. 启动 Docker
Created symlink from /etc/systemd/system/multi-user.target.wants/docker.service to /etc/systemd/system/docker.service.
完成
>>> 加载 Docker 镜像
Docker: Pulling from jumpserver/core:v2.28.8 [ OK ]
Docker: Pulling from jumpserver/koko:v2.28.8 [ OK ]
Docker: Pulling from jumpserver/web:v2.28.8 [ OK ]
Docker: Pulling from jumpserver/redis:6-alpine [ OK ]
Docker: Pulling from jumpserver/mysql:5 [ OK ]
Docker: Pulling from jumpserver/lion:v2.28.8 [ OK ]
>>> 安装配置 JumpServer
1. 配置网络是否需要支持 IPv6? (y/n) (默认为 n): n
完成
2. 配置加密密钥
SECRETE_KEY: YTE2YTVkMTMtMGE3MS00YzI5LWFlOWEtMTc2OWJlMmIyMDE2
BOOTSTRAP_TOKEN: YTE2YTVkMTMtMGE3
完成
3. 配置持久化目录
是否需要自定义持久化存储, 默认将使用目录 /opt/jumpserver? (y/n) (默认为 n): n
完成
4. 配置 MySQL
是否使用外部 MySQL? (y/n) (默认为 n): y
请输入 MySQL 的主机地址 (无默认值): 192.168.100.12
请输入 MySQL 的端口 (默认为3306): 3306
请输入 MySQL 的数据库(事先做好授权) (默认为jumpserver): jumpserver
请输入 MySQL 的用户名 (无默认值): jumpserver
请输入 MySQL 的密码 (无默认值): KXOeyNgDeTdpeu9q
完成
5. 配置 Redis是否使用外部 Redis? (y/n) (默认为 n): y
请输入 Redis 的主机地址 (无默认值): 192.168.100.13
请输入 Redis 的端口 (默认为6379): 6379
请输入 Redis 的密码 (无默认值): KXOeyNgDeTdpeu9q
完成
6. 配置对外端口
是否需要配置 JumpServer 对外访问端口? (y/n) (默认为 n): n
完成
7. 初始化数据库
Creating network "jms_net" with driver "bridge"
Creating jms_redis ... done
2021-07-15 22:39:52 Collect static files
2021-07-15 22:39:52 Collect static files done
2021-07-15 22:39:52 Check database structure change ...
2021-07-15 22:39:52 Migrate model change to database ...
475 static files copied to '/opt/jumpserver/data/static'.
Operations to perform:
Apply all migrations: acls, admin, applications, assets, audits, auth, authentication, captcha, common, contenttypes, django_cas_ng, django_celery_beat, jms_oidc_rp, notifications, ops, orgs, perms, sessions, settings, terminal, tickets, users
Running migrations:
Applying contenttypes.0001_initial... OK
Applying contenttypes.0002_remove_content_type_name... OK
Applying auth.0001_initial... OK
Applying auth.0002_alter_permission_name_max_length... OK
Applying auth.0003_alter_user_email_max_length... OK
Applying auth.0004_alter_user_username_opts... OK
Applying auth.0005_alter_user_last_login_null... OK
Applying auth.0006_require_contenttypes_0002... OK
Applying auth.0007_alter_validators_add_error_messages... OK
Applying auth.0008_alter_user_username_max_length... OK
...
Applying sessions.0001_initial... OK
Applying terminal.0032_auto_20210302_1853... OK
Applying terminal.0033_auto_20210324_1008... OK
Applying terminal.0034_auto_20210406_1434... OK
Applying terminal.0035_auto_20210517_1448... OK
Applying terminal.0036_auto_20210604_1124... OK
Applying terminal.0037_auto_20210623_1748... OK
Applying tickets.0008_auto_20210311_1113... OK
Applying tickets.0009_auto_20210426_1720... OK
>>> 安装完成了
1. 可以使用如下命令启动, 然后访问
cd /root/jumpserver-installer-v2.28.8
./jmsctl.sh start
2. 其它一些管理命令
./jmsctl.sh stop
./jmsctl.sh restart
./jmsctl.sh backup
./jmsctl.sh upgrade
更多还有一些命令, 你可以 ./jmsctl.sh --help 来了解
3. Web 访问http://192.168.100.212:80
默认用户: admin 默认密码: admin
4. SSH/SFTP 访问
ssh -p2222 admin@192.168.100.212
sftp -P2222 admin@192.168.100.212
5. 更多信息
我们的官网: https://www.jumpserver.org/
我们的文档: https://docs.jumpserver.org/启动 JumpServer
./jmsctl.sh start
Creating network "jms_net" with driver "bridge"
Creating jms_core ... done
Creating jms_celery ... done
Creating jms_lion ... done
Creating jms_koko ... done
Creating jms_magnus ... done
Creating jms_web ... done部署Jump server02
配置 NFS
yum -y install nfs-utils
showmount -e 192.168.100.11
# 将 Core 持久化目录挂载到 NFS, 默认 /opt/jumpserver/core/data, 请根据实际情况修改# JumpServer 持久化目录定义相关参数为 VOLUME_DIR, 在安装 JumpServer 过程中会提示
mkdir /opt/jumpserver/core/data
mount -t nfs 192.168.100.11:/data /opt/jumpserver/core/data
# 可以写入到 /etc/fstab, 重启自动挂载. 注意: 设置后如果 nfs 损坏或者无法连接该服务器将无法启动echo"192.168.100.11:/data /opt/jumpserver/core/data nfs defaults 0 0" >> /etc/fstab下载 jumpserver-install
cd /opt
yum -y install wget
wget https://github.com/jumpserver/installer/releases/download/v2.28.8/jumpserver-installer-v2.28.8.tar.gz
tar -xf jumpserver-installer-v2.28.8.tar.gz
cd jumpserver-installer-v2.28.8修改配置文件
vi config-example.txt
# 修改下面选项, 其他保持默认, 请勿直接复制此处内容
### 注意: SECRET_KEY 和要其他 JumpServer 服务器一致, 加密的数据将无法解密
# 安装配置
### 注意持久化目录 VOLUME_DIR, 如果上面 NFS 挂载其他目录, 此处也要修改. 如: NFS 挂载到/data/jumpserver/core/data, 则 DOCKER_DIR=/data/jumpserver
VOLUME_DIR=/opt/jumpserver
# Core 配置
### 启动后不能再修改,否则密码等等信息无法解密, 请勿直接复制下面的字符串
SECRET_KEY=kWQdmdCQKjaWlHYpPhkNQDkfaRulM6YnHctsHLlSPs8287o2kW
BOOTSTRAP_TOKEN=KXOeyNgDeTdpeu9q
LOG_LEVEL=ERROR
# SESSION_COOKIE_AGE=86400
SESSION_EXPIRE_AT_BROWSER_CLOSE=True
# MySQL 配置
DB_HOST=192.168.100.13
DB_PORT=3306
DB_USER=jumpserver
DB_PASSWORD=KXOeyNgDeTdpeu9q
DB_NAME=jumpserver
# Redis 配置
USE_EXTERNAL_REDIS=1
REDIS_HOST=192.168.100.12
REDIS_PORT=6379
REDIS_PASSWORD=KXOeyNgDeTdpeu9q
# KoKo Lion 配置
SHARE_ROOM_TYPE=redis
./jmsctl.sh install启动 JumpServer
./jmsctl.sh start
Creating network "jms_net" with driver "bridge"
Creating jms_core ... done
Creating jms_celery ... done
Creating jms_lion ... done
Creating jms_koko ... done
Creating jms_magnus ... done
Creating jms_web ... done部署 JumpServer 03
服务器: 192.168.100.23配置 NFS
yum -y install nfs-utils
showmount -e 192.168.100.11
# 将 Core 持久化目录挂载到 NFS, 默认 /opt/jumpserver/core/data, 请根据实际情况修改# JumpServer 持久化目录定义相关参数为 VOLUME_DIR, 在安装 JumpServer 过程中会提示
mkdir /opt/jumpserver/core/data
mount -t nfs 192.168.100.11:/data /opt/jumpserver/core/data
# 可以写入到 /etc/fstab, 重启自动挂载. 注意: 设置后如果 nfs 损坏或者无法连接该服务器将无法启动
echo"192.168.100.11:/data /opt/jumpserver/core/data nfs defaults 0 0" >> /etc/fstab下载 jumpserver-install
cd /opt
yum -y install wget
wget https://github.com/jumpserver/installer/releases/download/v2.28.8/jumpserver-installer-v2.28.8.tar.gz
tar -xf jumpserver-installer-v2.28.8.tar.gz
cd jumpserver-installer-v2.28.8修改配置文件
vi config-example.txt
# 修改下面选项, 其他保持默认, 请勿直接复制此处内容
### 注意: SECRET_KEY 和要其他 JumpServer 服务器一致, 加密的数据将无法解密
# 安装配置
### 注意持久化目录 VOLUME_DIR, 如果上面 NFS 挂载其他目录, 此处也要修改. 如: NFS 挂载到/data/jumpserver/core/data, 则 DOCKER_DIR=/data/jumpserver
VOLUME_DIR=/opt/jumpserver
# Core 配置
### 启动后不能再修改,否则密码等等信息无法解密, 请勿直接复制下面的字符串
SECRET_KEY=kWQdmdCQKjaWlHYpPhkNQDkfaRulM6YnHctsHLlSPs8287o2kW
BOOTSTRAP_TOKEN=KXOeyNgDeTdpeu9q
LOG_LEVEL=ERROR
# SESSION_COOKIE_AGE=86400
SESSION_EXPIRE_AT_BROWSER_CLOSE=True
# MySQL 配置
DB_HOST=192.168.100.13
DB_PORT=3306DB_USER=jumpserver
DB_PASSWORD=KXOeyNgDeTdpeu9q
DB_NAME=jumpserver
# Redis 配置
USE_EXTERNAL_REDIS=1
REDIS_HOST=192.168.100.12
REDIS_PORT=6379
REDIS_PASSWORD=KXOeyNgDeTdpeu9q
# KoKo Lion 配置
SHARE_ROOM_TYPE=redis
REUSE_CONNECTION=False
./jmsctl.sh install启动 JumpServer
./jmsctl.sh start
Creating network "jms_net" with driver "bridge"
Creating jms_core ... done
Creating jms_lion ... done
Creating jms_koko ... done
Creating jms_celery ... done
Creating jms_magnus ... done
Creating jms_web ... done部署 JumpServer 04
配置 NFS
yum -y install nfs-utils
showmount -e 192.168.100.11
# 将 Core 持久化目录挂载到 NFS, 默认 /opt/jumpserver/core/data, 请根据实际情况修改# JumpServer 持久化目录定义相关参数为 VOLUME_DIR, 在安装 JumpServer 过程中会提示
mkdir /opt/jumpserver/core/data
mount -t nfs 192.168.100.11:/data /opt/jumpserver/core/data
# 可以写入到 /etc/fstab, 重启自动挂载. 注意: 设置后如果 nfs 损坏或者无法连接该服务器将无法启动
echo"192.168.100.11:/data /opt/jumpserver/core/data nfs defaults 0 0" >> /etc/fstab下载 jumpserver-install
cd /opt
yum -y install wget
wget https://github.com/jumpserver/installer/releases/download/v2.28.8/jumpserver-installer-v2.28.8.tar.gz
tar -xf jumpserver-installer-v2.28.8.tar.gz
cd jumpserver-installer-v2.28.8修改配置文件
vi config-example.txt
# 修改下面选项, 其他保持默认, 请勿直接复制此处内容
### 注意: SECRET_KEY 和要其他 JumpServer 服务器一致, 加密的数据将无法解密
# 安装配置
### 注意持久化目录 VOLUME_DIR, 如果上面 NFS 挂载其他目录, 此处也要修改. 如: NFS 挂载到/data/jumpserver/core/data, 则 DOCKER_DIR=/data/jumpserver
VOLUME_DIR=/opt/jumpserver
# Core 配置
### 启动后不能再修改,否则密码等等信息无法解密, 请勿直接复制下面的字符串
SECRET_KEY=kWQdmdCQKjaWlHYpPhkNQDkfaRulM6YnHctsHLlSPs8287o2kW
BOOTSTRAP_TOKEN=KXOeyNgDeTdpeu9q
LOG_LEVEL=ERROR
# SESSION_COOKIE_AGE=86400
SESSION_EXPIRE_AT_BROWSER_CLOSE=True
# MySQL 配置
DB_HOST=192.168.100.13
DB_PORT=3306DB_USER=jumpserver
DB_PASSWORD=KXOeyNgDeTdpeu9q
DB_NAME=jumpserver
# Redis 配置
USE_EXTERNAL_REDIS=1
REDIS_HOST=192.168.100.12
REDIS_PORT=6379
REDIS_PASSWORD=KXOeyNgDeTdpeu9q
# KoKo Lion 配置
SHARE_ROOM_TYPE=redis
REUSE_CONNECTION=False
./jmsctl.sh install启动 JumpServer
./jmsctl.sh start
Creating network "jms_net" with driver "bridge"
Creating jms_core ... done
Creating jms_celery ... done
Creating jms_lion ... done
Creating jms_koko ... done
Creating jms_magnus ... done
Creating jms_web ... done部署 HAProxy 服务
安装依赖
yum -y install epel-release安装 HAProxy
yum install -y haproxy配置 HAProxy
vi /etc/haproxy/haproxy.cfg
global
# to have these messages end up in /var/log/haproxy.log you will
# need to:
#
# 1) configure syslog to accept network log events. This is done
# by adding the '-r' option to the SYSLOGD_OPTIONS in
# /etc/sysconfig/syslog
#
# 2) configure local2 events to go to the /var/log/haproxy.log
# file. A line like the following can be added to
# /etc/sysconfig/syslog
#
# local2.* /var/log/haproxy.log
log 127.0.0.1 local2
chroot /var/lib/haproxy
pidfile /var/run/haproxy.pid
maxconn 4000
user haproxy
group haproxy
daemon
# turn on stats unix socket
stats socket /var/lib/haproxy/stats
#---------------------------------------------------------------------
# common defaults that all the 'listen' and 'backend' sections will# use if not designated in their block
#---------------------------------------------------------------------
defaults
log global
option dontlognull
option redispatch
retries 3
timeout http-request 10s
timeout queue 1m
timeout connect 10s
timeout client 1m
timeout server 1m
timeout http-keep-alive 10s
timeout check 10s
maxconn 3000
listen stats bind *:8080
mode http stats enable
stats uri /haproxy
# 监控页面, 请自行修改. 访问地址为 http://192.168.100.100:8080/haproxy
stats refresh 5s
stats realm haproxy-status
stats auth admin:KXOeyNgDeTdpeu9q # 账户密码, 请自行修改. 访问 http://192.168.100.100:8080/haproxy 会要求输入
#---------------------------------------------------------------------
# check 检活参数说明
# inter 间隔时间, 单位: 毫秒
# rise 连续成功的次数, 单位: 次
# fall 连续失败的次数, 单位: 次
# 例: inter 2s rise 2 fall 3
# 表示 2 秒检查一次状态, 连续成功 2 次服务正常, 连续失败 3 次服务异常
#
# server 服务参数说明
# server 192.168.100.21 192.168.100.21:80 weight 1 cookie web01
# 第一个 192.168.100.21 做为页面展示的标识, 可以修改为其他任意字符串
# 第二个 192.168.100.21:80 是实际的后端服务端口
# weight 为权重, 多节点时安装权重进行负载均衡
# cookie 用户侧的 cookie 会包含此标识, 便于区分当前访问的后端节点
# 例: server db01 192.168.100.21:3306 weight 1 cookie db_01
#---------------------------------------------------------------------
listen jms-web
bind *:80 # 监听 80 端口
mode http
# redirect scheme https if !{ ssl_fc } # 重定向到 https
# bind *:443 ssl crt /opt/ssl.pem # https 设置
option httpclose
option forwardfor
option httpchk GET /api/health/ # Core 检活接口
cookie SERVERID insert indirect
hash-type consistent
fullconn 500
balance leastconn
server 192.168.100.21 192.168.100.21:80 weight 1 cookie web01 check inter 2s rise 2 fall 3 # JumpServer 服务器
server 192.168.100.22 192.168.100.22:80 weight 1 cookie web02 check inter 2s rise 2 fall 3
server 192.168.100.23 192.168.100.23:80 weight 1 cookie web03 check inter 2s rise 2 fall 3
server 192.168.100.24 192.168.100.24:80 weight 1 cookie web03 check inter 2s rise 2 fall 3
listen jms-ssh
bind *:2222
mode tcp
option tcp-check
fullconn 500
balance source
server 192.168.100.21 192.168.100.21:2222 weight 1 check inter 2s rise 2 fall 3 send-proxy
server 192.168.100.22 192.168.100.22:2222 weight 1 check inter 2s rise 2 fall 3 send-proxy
server 192.168.100.23 192.168.100.23:2222 weight 1 check inter 2s rise 2 fall 3 send-proxy
server 192.168.100.24 192.168.100.24:2222 weight 1 check inter 2s rise 2 fall 3 send-proxy
listen jms-koko
mode http
option httpclose
option forwardfor
option httpchk GET /koko/health/ HTTP/1.1\r\nHost:\ 192.168.100.100
# KoKo 检活接口, host 填写 HAProxy 的 ip 地址
cookie SERVERID insert indirect
hash-type consistent
fullconn 500
balance leastconn
server 192.168.100.21 192.168.100.21:80 weight 1 cookie web01 check inter 2s rise 2 fall 3
server 192.168.100.22 192.168.100.22:80 weight 1 cookie web02 check inter 2s rise 2 fall 3
server 192.168.100.23 192.168.100.23:80 weight 1 cookie web03 check inter 2s rise 2 fall 3
server 192.168.100.24 192.168.100.24:80 weight 1 cookie web03 check inter 2s rise 2 fall 3
listen jms-lion
mode http
option httpclose
option forwardfor
option httpchk GET /lion/health/ HTTP/1.1\r\nHost:\ 192.168.100.100
# Lion 检活接口, host 填写 HAProxy 的 ip 地址
cookie SERVERID insert indirect
hash-type consistent
fullconn 500
balance leastconn
server 192.168.100.21 192.168.100.21:80 weight 1 cookie web01 check inter 2s rise 2 fall 3
server 192.168.100.22 192.168.100.22:80 weight 1 cookie web02 check inter 2s rise 2 fall 3
server 192.168.100.23 192.168.100.23:80 weight 1 cookie web03 check inter 2s rise 2 fall 3
server 192.168.100.24 192.168.100.24:80 weight 1 cookie web03 check inter 2s rise 2 fall 3
listen jms-magnus
bind *:30000
mode tcp
option tcp-check
fullconn 500
balance source
server 192.168.100.21 192.168.100.21:30000 weight 1 check inter 2s rise 2 fall 3 send-proxy
server 192.168.100.22 192.168.100.22:30000 weight 1 check inter 2s rise 2 fall 3 send-proxy
server 192.168.100.23 192.168.100.23:30000 weight 1 check inter 2s rise 2 fall 3 send-proxy
server 192.168.100.24 192.168.100.24:30000 weight 1 check inter 2s rise 2 fall 3 send-proxy配置 Selinux
setsebool -P haproxy_connect_any 1启动 HAProxy
systemctl enable haproxy
systemctl start haproxy配置防火墙
firewall-cmd --permanent --zone=public --add-port=80/tcp
firewall-cmd --permanent --zone=public --add-port=443/tcp
firewall-cmd --permanent --zone=public --add-port=2222/tcp
firewall-cmd --permanent --zone=public --add-port=33060/tcp
firewall-cmd --permanent --zone=public --add-port=33061/tcp
firewall-cmd --reload部署MinlO服务
安装 Docker
yum install -y yum-utils device-mapper-persistent-data lvm2
yum-config-manager --add-repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
sed -i 's+download.docker.com+mirrors.aliyun.com/docker-ce+' /etc/yum.repos.d/docker-ce.repo
yum makecache fast
yum -y install docker-ce配置 Docker
mkdir /etc/docker/
vi /etc/docker/daemon.json
{
"live-restore": true,
"registry-mirrors": ["https://hub-mirror.c.163.com", "https://bmtrgdvx.mirror.aliyuncs.com", "http://f1361db2.m.daocloud.io"],
"log-driver": "json-file",
"log-opts": {"max-file": "3", "max-size": "10m"}
}启动 Docker
systemctl enable docker
systemctl start docker下载 MinIO 镜像
docker pull minio/minio:latest
latest: Pulling from minio/minio
a591faa84ab0: Pull complete
76b9354adec6: Pull complete
f9d8746550a4: Pull complete
890b1dd95baa: Pull complete
3a8518c890dc: Pull complete
8053f0501aed: Pull complete
506c41cb8532: Pull complete
Digest: sha256:e7a725edb521dd2af07879dad88ee1dfebd359e57ad8d98104359ccfbdb92024
Status: Downloaded newer image for minio/minio:latest
docker.io/minio/minio:latest持久化数据目录
mkdir -p /opt/jumpserver/minio/data /opt/jumpserver/minio/config启动 MinIO
## 请自行修改账号密码并牢记,丢失后可以删掉容器后重新用新密码创建,数据不会丢失
# 9000 # api 访问端口
# 9001 # console 访问端口
# MINIO_ROOT_USER=minio # minio 账号
# MINIO_ROOT_PASSWORD=KXOeyNgDeTdpeu9q # minio 密码
docker run --name jms_minio -d -p 9000:9000 -p 9001:9001 -e MINIO_ROOT_USER=minio -e MINIO_ROOT_PASSWORD=KXOeyNgDeTdpeu9q -v /opt/jumpserver/minio/data:/data -v /opt/jumpserver/minio/config:/root/.minio --restart=always minio/minio:latest server /data --console-address ":9001"设置 MinIO
- 访问 http://192.168.100.41:9000,输入刚才设置的 MinIO 账号密码登录
- 点击左侧菜单的 Buckets,选择 Create Bucket 创建桶,Bucket Name 输入 jumpserver,然后点击 Save 保存
设置Jumpserver
- 访问 JumpServer Web 页面并使用管理员账号进行登录
- 点击左侧菜单栏的 [终端管理],在页面的上方选择 [存储配置],在 [录像存储] 下方选择 [创建] 选择 [Ceph]
- 根据下方的说明进行填写,保存后在 [终端管理] 页面对所有组件进行 [更新],录像存储选择 [jms-mino],提交
| 选项 | 参考值 | 说明 |
| 名称 (Name) | jms-minio | 标识, 不可重复 |
| 类型 (Type) | Ceph | 固定, 不可更改 |
| 桶名称 (Bucket) | jumpserver | Bucket Name |
| Access key | minio | MINIO_ROOT_USER |
| Secret key | KXOeyNgDeTdpeu9q | MINIO_ROOT_PASSWORD |
| 端点 (Endpoint) | minio 服务访问地址 | |
| 默认存储 | 新组件将自动使用该存储 |
部署 Elasticsearch 服务
安装 Docker
yum install -y yum-utils device-mapper-persistent-data lvm2
yum-config-manager --add-repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
sed -i 's+download.docker.com+mirrors.aliyun.com/docker-ce+' /etc/yum.repos.d/docker-ce.repo
yum makecache fast
yum -y install docker-ce配置 Docker
mkdir /etc/docker/
vi /etc/docker/daemon.json
{
"live-restore": true,
"registry-mirrors": ["https://hub-mirror.c.163.com", "https://bmtrgdvx.mirror.aliyuncs.com", "http://f1361db2.m.daocloud.io"],
"log-driver": "json-file",
"log-opts": {"max-file": "3", "max-size": "10m"}
}启动 Docker
systemctl enable docker
systemctl start docker下载 Elasticsearch 镜像
docker pull docker.elastic.co/elasticsearch/elasticsearch:7.17.6持久化数据目录
mkdir -p /opt/jumpserver/elasticsearch/data /opt/jumpserver/elasticsearch/logs启动 Elasticsearch
## 请自行修改账号密码并牢记,丢失后可以删掉容器后重新用新密码创建,数据不会丢失
# 9200 # Web 访问端口
# 9300 # 集群通信
# discovery.type=single-node # 单节点
# bootstrap.memory_lock="true" # 锁定物理内存, 不使用 swap
# xpack.security.enabled="true" # 开启安全模块
# TAKE_FILE_OWNERSHIP="true" # 自动修改挂载文件夹的所属用户
# ES_JAVA_OPTS="-Xms512m -Xmx512m" # JVM 内存大小, 推荐设置为主机内存的一半
# elastic # Elasticsearch 账号
# ELASTIC_PASSWORD=KXOeyNgDeTdpeu9q # Elasticsearch 密码docker run --name jms_es -d -p 9200:9200 -p 9300:9300 -e cluster.name=docker-cluster -e discovery.type=single-node -e network.host=0.0.0.0 -e bootstrap.memory_lock="true" -e xpack.security.enabled="true" -e TAKE_FILE_OWNERSHIP="true" -e ES_JAVA_OPTS="-Xms512m -Xmx512m" -e ELASTIC_PASSWORD=KXOeyNgDeTdpeu9q -v /opt/jumpserver/elasticsearch/data:/usr/share/elasticsearch/data -v /opt/jumpserver/elasticsearch/logs:/usr/share/elasticsearch/logs --restart=always docker.elastic.co/elasticsearch/elasticsearch:7.17.6设置 JumpServer
- 访问 JumpServer Web 页面并使用管理员账号进行登录
- 点击左侧菜单栏的 [终端管理],在页面的上方选择 [存储配置],在 [命令存储] 下方选择 [创建] 选择 [Elasticsearch]
- 根据下方的说明进行填写,保存后在 [终端管理] 页面对所有组件进行 [更新],命令存储选择 [jms-es],提交
| 选项 | 参考值 | 说明 |
| 名称 (Name) | jms-es | 标识, 不可重复 |
| 类型 (Type) | Elasticsearch | 固定, 不可更改 |
| 主机 (Hosts) | ||
| 索引 (Index) | jumpserver | 索引 |
| 忽略证书认证 | https 自签 ssl 需要勾选 | |
| 默认存储 | 新组件将自动使用该存储 |
升级 注意事项
更新前请一定要做好备份工作
- 升级前请关闭所有 JumpServer 节点
- 在任意一个 JumpServer 节点按照升级文档完成升级操作
- 仔细检查该节点升级过程确保无异常
- 然后按照升级文档对其他 JumpServer 节点升级即可
cd /opt
wget https://github.com/jumpserver/installer/releases/download/v2.28.8/jumpserver-installer-v2.28.8.tar.gz
tar -xf jumpserver-installer-v2.28.8.tar.gz
cd jumpserver-installer-v2.28.8# 额外节点可以设置 SKIP_BACKUP_DB=1 跳过数据库备份, 第一个升级节点不要跳过备份exportSKIP_BACKUP_DB=1
./jmsctl.sh upgrade
627
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
