Load Balancing

Environment notes

  • Apart from JumpServer's own components, deploy the other components in high-availability mode according to their respective official documentation
  • After deploying this way, scaling out later only requires adding JumpServer nodes as needed and registering them in HAProxy
  • If you already have an HLB or SLB you can skip the HAProxy deployment; with a third-party LB, pay attention to session persistence and WebSocket handling
  • If you already have cloud storage (S3/Ceph/Swift/OSS/Azure) you can skip the MinIO deployment; the same applies to MySQL and Redis
  • In production, NFS should be replaced with Ceph or similar, or a highly available NFS should be deployed to avoid a single point of failure
  • For a quick high-availability Redis deployment, refer to this project
| DB      | Version | Cache | Version |
|---------|---------|-------|---------|
| MySQL   | >= 5.7  | Redis | >= 6.0  |
| MariaDB | >= 10.2 |       |         |
| Server Name   | IP              | Port        | Used by          | Minimum Hardware        | Standard Hardware       |
|---------------|-----------------|-------------|------------------|-------------------------|-------------------------|
| NFS           | 192.168.100.11  |             | Core             | 2 Core/8GB RAM/90G HDD  | 4 Core/16GB RAM/1T SSD  |
| MySQL         | 192.168.100.11  | 3306        | Core             | 2 Core/8GB RAM/90G HDD  | 4 Core/16GB RAM/1T SSD  |
| Redis         | 192.168.100.11  | 6379        | Core, Koko, Lion | 2 Core/8GB RAM/90G HDD  | 4 Core/16GB RAM/1T SSD  |
| HAProxy       | 192.168.100.100 | 80,443,2222 | All              | 2 Core/4GB RAM/60G HDD  | 4 Core/8GB RAM/60G SSD  |
| JumpServer 01 | 192.168.100.21  | 80,2222     | HAProxy          | 2 Core/8GB RAM/60G HDD  | 4 Core/8GB RAM/90G SSD  |
| JumpServer 02 | 192.168.100.22  | 80,2222     | HAProxy          | 2 Core/8GB RAM/60G HDD  | 4 Core/8GB RAM/90G SSD  |
| JumpServer 03 | 192.168.100.23  | 80,2222     | HAProxy          | 2 Core/8GB RAM/60G HDD  | 4 Core/8GB RAM/90G SSD  |
| JumpServer 04 | 192.168.100.24  | 80,2222     | HAProxy          | 2 Core/8GB RAM/60G HDD  | 4 Core/8GB RAM/90G SSD  |
| MinIO         | 192.168.100.41  | 9000,9001   | Core, KoKo, Lion | 2 Core/4GB RAM/90G HDD  | 4 Core/8GB RAM/1T SSD   |
| Component | Health check                  | Example                                  |
|-----------|-------------------------------|------------------------------------------|
| Core      | http://core:8080/api/health/  | https://demo.jumpserver.org/api/health/  |
| KoKo      | http://koko:5000/koko/health/ | https://demo.jumpserver.org/koko/health/ |
| Lion      | http://lion:8081/lion/health/ | https://demo.jumpserver.org/lion/health/ |
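The HAProxy configuration later on this page probes these endpoints with `check inter 2s rise 2 fall 3`. The following added example (not part of the JumpServer documentation or of HAProxy) simulates that rise/fall state machine over constructed probe results for the four nodes, so you can see when a node is actually pulled from rotation and how the page's `timeout check 10s` bounds the worst-case detection time; the probe streams and the detection-time formula are simplifying assumptions, not HAProxy internals.

```python
"""Simulate HAProxy's health-check state machine (check inter / rise / fall)
for the JumpServer backends. Added example; probe results are constructed,
in a real run they would come from GETs against the Core/KoKo/Lion health URLs."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Transition = Tuple[int, str]  # (probe number, "UP" or "DOWN")


@dataclass
class BackendCheck:
    """Per-server counters, as HAProxy keeps them for 'server ... check rise R fall F'."""
    rise: int
    fall: int
    up: bool = True            # HAProxy starts a checked server as UP
    ok_streak: int = 0
    fail_streak: int = 0
    transitions: List[Transition] = field(default_factory=list)

    def observe(self, probe: int, ok: bool) -> None:
        """Feed one probe result; only *consecutive* results move the state."""
        if ok:
            self.ok_streak += 1
            self.fail_streak = 0
            if not self.up and self.ok_streak >= self.rise:
                self.up = True
                self.transitions.append((probe, "UP"))
        else:
            self.fail_streak += 1
            self.ok_streak = 0
            if self.up and self.fail_streak >= self.fall:
                self.up = False
                self.transitions.append((probe, "DOWN"))


def simulate(results: List[bool], rise: int = 2, fall: int = 3) -> BackendCheck:
    """Run one backend through a sequence of probe results (True = healthy)."""
    state = BackendCheck(rise=rise, fall=fall)
    for probe, ok in enumerate(results, start=1):
        state.observe(probe, ok)
    return state


def worst_case_detection_s(inter_s: float, fall: int, timeout_s: float) -> float:
    """Upper bound on seconds from a node dying until HAProxy stops routing to it.

    Simplifying assumption: each of the 'fall' probes may start up to one interval
    after the previous event and may take up to 'timeout check' to be declared failed.
    """
    return fall * (inter_s + timeout_s)


# Constructed probe streams for the four nodes (True = health endpoint answered OK).
PROBES: Dict[str, List[bool]] = {
    "192.168.100.21": [True] * 12,
    # one isolated failure never reaches fall=3, so the node stays UP
    "192.168.100.22": [True, True, False, True, True, True, True, True, True, True, True, True],
    # outage then recovery: DOWN after the 3rd consecutive failure, UP after 2 good probes
    "192.168.100.23": [True, True, False, True, False, False, False, False, True, True, True, True],
    # flapping: alternating results never accumulate 3 failures, so HAProxy keeps routing to it
    "192.168.100.24": [True, False, True, False, True, False, True, False, True, False, True, False],
}


def fleet_status() -> Dict[str, List[Transition]]:
    """State transitions per node for the page's 'check inter 2s rise 2 fall 3'."""
    return {node: simulate(probes).transitions for node, probes in PROBES.items()}


if __name__ == "__main__":
    for node, transitions in fleet_status().items():
        print(node, transitions or "stayed UP")
    # With the page's 'timeout check 10s', a hanging node can stay in rotation this long:
    print("worst-case detection:", worst_case_detection_s(2, 3, 10), "s")
```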

Deploy the NFS service

  Server: 192.168.100.11

Install dependencies

  yum -y install epel-release

Install NFS

  yum -y install nfs-utils rpcbind

Start NFS

  systemctl enable rpcbind nfs-server nfs-lock nfs-idmap
  systemctl start rpcbind nfs-server nfs-lock nfs-idmap

Configure the firewall

  firewall-cmd --add-service=nfs --permanent --zone=public
  firewall-cmd --add-service=mountd --permanent --zone=public
  firewall-cmd --add-service=rpc-bind --permanent --zone=public
  firewall-cmd --reload

Configure NFS

  mkdir /data
  chmod 777 -R /data
  vi /etc/exports

  # NFS access control: /data is the directory just created that will be shared,
  # 192.168.100.* means every host in 192.168.100.* gets the permissions in parentheses
  # Specific clients can be listed instead: /data 192.168.100.30(rw,sync,no_root_squash) 192.168.100.31(rw,sync,no_root_squash)
  /data 192.168.100.*(rw,sync,all_squash,anonuid=0,anongid=0)

  exportfs -a

Deploy the MySQL service

  Server: 192.168.100.11

Set up the repo

  yum -y localinstall http://mirrors.ustc.edu.cn/mysql-repo/mysql57-community-release-el7.rpm

Install MySQL

  yum install -y mysql-community-server

Configure MySQL

  # Make the first start initialize the data directory without a random root password,
  # so that the 'mysql -uroot' step below works without looking up a generated password
  if [ ! "$(cat /usr/bin/mysqld_pre_systemd | grep -v ^\# | grep initialize-insecure )" ]; then
      sed -i "s@--initialize @--initialize-insecure @g" /usr/bin/mysqld_pre_systemd
  fi

Start MySQL

  systemctl enable mysqld
  systemctl start mysqld

Grant database access

  mysql -uroot

  Welcome to the MySQL monitor. Commands end with ; or \g.
  Your MySQL connection id is 2
  Server version: 5.7.32 MySQL Community Server (GPL)
  Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved.
  Oracle is a registered trademark of Oracle Corporation and/or its
  affiliates. Other names may be trademarks of their respective
  owners.
  Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
  mysql> create database jumpserver default charset 'utf8';
  Query OK, 1 row affected (0.00 sec)
  mysql> set global validate_password_policy=LOW;
  Query OK, 0 rows affected (0.00 sec)
  mysql> create user 'jumpserver'@'%' identified by 'KXOeyNgDeTdpeu9q';
  Query OK, 0 rows affected (0.00 sec)
  mysql> grant all on jumpserver.* to 'jumpserver'@'%';
  Query OK, 0 rows affected, 1 warning (0.00 sec)
  mysql> flush privileges;
  Query OK, 0 rows affected (0.00 sec)
  mysql> exit
  Bye

Configure the firewall

  firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.100.0/24" port protocol="tcp" port="3306" accept'
  firewall-cmd --reload

Deploy the Redis service

  Server: 192.168.100.11

Download the source

  yum -y install epel-release wget make gcc-c++
  cd /opt
  wget https://download.redis.io/releases/redis-6.2.5.tar.gz

Install Redis

  tar -xf redis-6.2.5.tar.gz
  cd redis-6.2.5
  make
  make install PREFIX=/usr/local/redis

Configure Redis

  cp redis.conf /etc/redis.conf
  sed -i "s/bind 127.0.0.1/bind 0.0.0.0/g" /etc/redis.conf
  sed -i "s/daemonize no/daemonize yes/g" /etc/redis.conf
  sed -i "s@pidfile /var/run/redis_6379.pid@pidfile /var/run/redis.pid@g" /etc/redis.conf
  sed -i "561i maxmemory-policy allkeys-lru" /etc/redis.conf
  sed -i "481i requirepass KXOeyNgDeTdpeu9q" /etc/redis.conf
  vi /etc/systemd/system/redis.service

  [Unit]
  Description=Redis persistent key-value database
  After=network.target
  After=network-online.target
  Wants=network-online.target

  [Service]
  Type=forking
  PIDFile=/var/run/redis.pid
  ExecStart=/usr/local/redis/bin/redis-server /etc/redis.conf
  ExecReload=/bin/kill -s HUP $MAINPID
  ExecStop=/bin/kill -s QUIT $MAINPID

  [Install]
  WantedBy=multi-user.target

Start Redis

  systemctl enable redis
  systemctl start redis

Configure the firewall

  firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.100.0/24" port protocol="tcp" port="6379" accept'
  firewall-cmd --reload

Deploy JumpServer 01

  Server: 192.168.100.21

Configure NFS

  yum -y install nfs-utils
  showmount -e 192.168.100.11

  # Mount the Core persistence directory on NFS; the default is /opt/jumpserver/core/data, adjust to your setup
  # The JumpServer persistence directory is the VOLUME_DIR parameter, which the installer prompts for
  mkdir -p /opt/jumpserver/core/data
  mount -t nfs 192.168.100.11:/data /opt/jumpserver/core/data

  # Optionally add the mount to /etc/fstab so it is mounted at boot. Note: once set, the server will not start if the NFS export is broken or unreachable
  echo "192.168.100.11:/data /opt/jumpserver/core/data nfs defaults 0 0" >> /etc/fstab

Download the JumpServer installer

  cd /opt
  yum -y install wget
  wget https://github.com/jumpserver/installer/releases/download/v2.12.2/jumpserver-installer-v2.12.2.tar.gz
  tar -xf jumpserver-installer-v2.12.2.tar.gz
  cd jumpserver-installer-v2.12.2

Edit the configuration file

  vi config-example.txt

  # Change the options below and keep the rest at their defaults; do not copy these values verbatim
  ### Note: SECRET_KEY must be identical on all JumpServer servers, otherwise encrypted data cannot be decrypted
  # Installation settings
  ### Note the persistence directory VOLUME_DIR: if NFS was mounted to a different directory above, change it here too. E.g. if NFS is mounted at /data/jumpserver/core/data, set VOLUME_DIR=/data/jumpserver
  VOLUME_DIR=/opt/jumpserver
  DOCKER_DIR=/var/lib/docker
  # Core settings
  ### Cannot be changed after the first start, otherwise passwords and other secrets cannot be decrypted; do not copy the strings below verbatim
  SECRET_KEY=kWQdmdCQKjaWlHYpPhkNQDkfaRulM6YnHctsHLlSPs8287o2kW # must be identical on all JumpServer servers (*)
  BOOTSTRAP_TOKEN=KXOeyNgDeTdpeu9q # must be identical on all JumpServer servers (*)
  LOG_LEVEL=ERROR # log level
  # SESSION_COOKIE_AGE=86400
  SESSION_EXPIRE_AT_BROWSER_CLOSE=true # expire the session when the browser is closed
  # MySQL settings
  USE_EXTERNAL_MYSQL=1 # use the external MySQL
  DB_HOST=192.168.100.11
  DB_PORT=3306
  DB_USER=jumpserver
  DB_PASSWORD=KXOeyNgDeTdpeu9q
  DB_NAME=jumpserver
  # Redis settings
  USE_EXTERNAL_REDIS=1 # use the external Redis
  REDIS_HOST=192.168.100.11
  REDIS_PORT=6379
  REDIS_PASSWORD=KXOeyNgDeTdpeu9q
  # KoKo and Lion settings
  SHARE_ROOM_TYPE=redis # KoKo and Lion share session rooms through Redis

  ./jmsctl.sh install
  ██╗██╗ ██╗███╗ ███╗██████╗ ███████╗███████╗██████╗ ██╗ ██╗███████╗██████╗
  ██║██║ ██║████╗ ████║██╔══██╗██╔════╝██╔════╝██╔══██╗██║ ██║██╔════╝██╔══██╗
  ██║██║ ██║██╔████╔██║██████╔╝███████╗█████╗ ██████╔╝██║ ██║█████╗ ██████╔╝
  ██ ██║██║ ██║██║╚██╔╝██║██╔═══╝ ╚════██║██╔══╝ ██╔══██╗╚██╗ ██╔╝██╔══╝ ██╔══██╗
  ╚█████╔╝╚██████╔╝██║ ╚═╝ ██║██║ ███████║███████╗██║ ██║ ╚████╔╝ ███████╗██║ ██║
  ╚════╝ ╚═════╝ ╚═╝ ╚═╝╚═╝ ╚══════╝╚══════╝╚═╝ ╚═╝ ╚═══╝ ╚══════╝╚═╝ ╚═╝
  Version: v2.12.2
  1. 检查配置文件
  配置文件位置: /opt/jumpserver/config
  /opt/jumpserver/config/config.txt [ ]
  /opt/jumpserver/config/nginx/lb_rdp_server.conf [ ]
  /opt/jumpserver/config/nginx/lb_ssh_server.conf [ ]
  /opt/jumpserver/config/nginx/cert/server.crt [ ]
  /opt/jumpserver/config/nginx/cert/server.key [ ]
  完成
  2. 备份配置文件
  备份至 /opt/jumpserver/config/backup/config.txt.2021-07-15_22-26-13
  完成
  >>> 安装配置 Docker
  1. 安装 Docker
  开始下载 Docker 程序 ...
  开始下载 Docker Compose 程序 ...
  完成
  2. 配置 Docker
  是否需要自定义 docker 存储目录, 默认将使用目录 /var/lib/docker? (y/n) (默认为 n): n
  完成
  3. 启动 Docker
  Created symlink from /etc/systemd/system/multi-user.target.wants/docker.service to /etc/systemd/system/docker.service.
  完成
  >>> 加载 Docker 镜像
  Docker: Pulling from jumpserver/core:v2.12.2 [ OK ]
  Docker: Pulling from jumpserver/koko:v2.12.2 [ OK ]
  Docker: Pulling from jumpserver/web:v2.12.2 [ OK ]
  Docker: Pulling from jumpserver/redis:6-alpine [ OK ]
  Docker: Pulling from jumpserver/mysql:5 [ OK ]
  Docker: Pulling from jumpserver/lion:v2.12.2 [ OK ]
  >>> 安装配置 JumpServer
  1. 配置网络
  是否需要支持 IPv6? (y/n) (默认为 n): n
  完成
  2. 配置加密密钥
  SECRETE_KEY: YTE2YTVkMTMtMGE3MS00YzI5LWFlOWEtMTc2OWJlMmIyMDE2
  BOOTSTRAP_TOKEN: YTE2YTVkMTMtMGE3
  完成
  3. 配置持久化目录
  是否需要自定义持久化存储, 默认将使用目录 /opt/jumpserver? (y/n) (默认为 n): n
  完成
  4. 配置 MySQL
  是否使用外部 MySQL? (y/n) (默认为 n): y
  请输入 MySQL 的主机地址 (无默认值): 192.168.100.11
  请输入 MySQL 的端口 (默认为3306): 3306
  请输入 MySQL 的数据库(事先做好授权) (默认为jumpserver): jumpserver
  请输入 MySQL 的用户名 (无默认值): jumpserver
  请输入 MySQL 的密码 (无默认值): KXOeyNgDeTdpeu9q
  完成
  5. 配置 Redis
  是否使用外部 Redis? (y/n) (默认为 n): y
  请输入 Redis 的主机地址 (无默认值): 192.168.100.11
  请输入 Redis 的端口 (默认为6379): 6379
  请输入 Redis 的密码 (无默认值): KXOeyNgDeTdpeu9q
  完成
  6. 配置对外端口
  是否需要配置 JumpServer 对外访问端口? (y/n) (默认为 n): n
  完成
  7. 初始化数据库
  Creating network "jms_net" with driver "bridge"
  Creating jms_redis ... done
  2021-07-15 22:39:52 Collect static files
  2021-07-15 22:39:52 Collect static files done
  2021-07-15 22:39:52 Check database structure change ...
  2021-07-15 22:39:52 Migrate model change to database ...
  475 static files copied to '/opt/jumpserver/data/static'.
  Operations to perform:
  Apply all migrations: acls, admin, applications, assets, audits, auth, authentication, captcha, common, contenttypes, django_cas_ng, django_celery_beat, jms_oidc_rp, notifications, ops, orgs, perms, sessions, settings, terminal, tickets, users
  Running migrations:
  Applying contenttypes.0001_initial... OK
  Applying contenttypes.0002_remove_content_type_name... OK
  Applying auth.0001_initial... OK
  Applying auth.0002_alter_permission_name_max_length... OK
  Applying auth.0003_alter_user_email_max_length... OK
  Applying auth.0004_alter_user_username_opts... OK
  Applying auth.0005_alter_user_last_login_null... OK
  Applying auth.0006_require_contenttypes_0002... OK
  Applying auth.0007_alter_validators_add_error_messages... OK
  Applying auth.0008_alter_user_username_max_length... OK
  ...
  Applying sessions.0001_initial... OK
  Applying terminal.0032_auto_20210302_1853... OK
  Applying terminal.0033_auto_20210324_1008... OK
  Applying terminal.0034_auto_20210406_1434... OK
  Applying terminal.0035_auto_20210517_1448... OK
  Applying terminal.0036_auto_20210604_1124... OK
  Applying terminal.0037_auto_20210623_1748... OK
  Applying tickets.0008_auto_20210311_1113... OK
  Applying tickets.0009_auto_20210426_1720... OK
  >>> 安装完成了
  1. 可以使用如下命令启动, 然后访问
  cd /root/jumpserver-installer-v2.12.2
  ./jmsctl.sh start
  2. 其它一些管理命令
  ./jmsctl.sh stop
  ./jmsctl.sh restart
  ./jmsctl.sh backup
  ./jmsctl.sh upgrade
  更多还有一些命令, 你可以 ./jmsctl.sh --help 来了解
  3. Web 访问
  http://192.168.100.212:80
  默认用户: admin 默认密码: admin
  4. SSH/SFTP 访问
  ssh -p2222 admin@192.168.100.212
  sftp -P2222 admin@192.168.100.212
  5. 更多信息
  我们的官网: https://www.jumpserver.org/
  我们的文档: https://docs.jumpserver.org/
Start JumpServer

  ./jmsctl.sh start

  Creating network "jms_net" with driver "bridge"
  Creating jms_core ... done
  Creating jms_celery ... done
  Creating jms_lion ... done
  Creating jms_koko ... done
  Creating jms_web ... done

Deploy JumpServer 02

  Server: 192.168.100.22

Configure NFS

  yum -y install nfs-utils
  showmount -e 192.168.100.11

  # Mount the Core persistence directory on NFS; the default is /opt/jumpserver/core/data, adjust to your setup
  # The JumpServer persistence directory is the VOLUME_DIR parameter, which the installer prompts for
  mkdir -p /opt/jumpserver/core/data
  mount -t nfs 192.168.100.11:/data /opt/jumpserver/core/data

  # Optionally add the mount to /etc/fstab so it is mounted at boot. Note: once set, the server will not start if the NFS export is broken or unreachable
  echo "192.168.100.11:/data /opt/jumpserver/core/data nfs defaults 0 0" >> /etc/fstab

Download the JumpServer installer

  cd /opt
  yum -y install wget
  wget https://github.com/jumpserver/installer/releases/download/v2.12.2/jumpserver-installer-v2.12.2.tar.gz
  tar -xf jumpserver-installer-v2.12.2.tar.gz
  cd jumpserver-installer-v2.12.2

Edit the configuration file

  vi config-example.txt

  # Change the options below and keep the rest at their defaults; do not copy these values verbatim
  ### Note: SECRET_KEY must be identical on all JumpServer servers, otherwise encrypted data cannot be decrypted
  # Installation settings
  ### Note the persistence directory VOLUME_DIR: if NFS was mounted to a different directory above, change it here too. E.g. if NFS is mounted at /data/jumpserver/core/data, set VOLUME_DIR=/data/jumpserver
  VOLUME_DIR=/opt/jumpserver
  DOCKER_DIR=/var/lib/docker
  # Core settings
  ### Cannot be changed after the first start, otherwise passwords and other secrets cannot be decrypted; do not copy the strings below verbatim
  SECRET_KEY=kWQdmdCQKjaWlHYpPhkNQDkfaRulM6YnHctsHLlSPs8287o2kW
  BOOTSTRAP_TOKEN=KXOeyNgDeTdpeu9q
  LOG_LEVEL=ERROR
  # SESSION_COOKIE_AGE=86400
  SESSION_EXPIRE_AT_BROWSER_CLOSE=true
  # MySQL settings
  USE_EXTERNAL_MYSQL=1
  DB_HOST=192.168.100.11
  DB_PORT=3306
  DB_USER=jumpserver
  DB_PASSWORD=KXOeyNgDeTdpeu9q
  DB_NAME=jumpserver
  # Redis settings
  USE_EXTERNAL_REDIS=1
  REDIS_HOST=192.168.100.11
  REDIS_PORT=6379
  REDIS_PASSWORD=KXOeyNgDeTdpeu9q
  # KoKo and Lion settings
  SHARE_ROOM_TYPE=redis

  ./jmsctl.sh install

Start JumpServer

  ./jmsctl.sh start

  Creating network "jms_net" with driver "bridge"
  Creating jms_core ... done
  Creating jms_celery ... done
  Creating jms_lion ... done
  Creating jms_koko ... done
  Creating jms_web ... done

Deploy JumpServer 03

  Server: 192.168.100.23

Configure NFS

  yum -y install nfs-utils
  showmount -e 192.168.100.11

  # Mount the Core persistence directory on NFS; the default is /opt/jumpserver/core/data, adjust to your setup
  # The JumpServer persistence directory is the VOLUME_DIR parameter, which the installer prompts for
  mkdir -p /opt/jumpserver/core/data
  mount -t nfs 192.168.100.11:/data /opt/jumpserver/core/data

  # Optionally add the mount to /etc/fstab so it is mounted at boot. Note: once set, the server will not start if the NFS export is broken or unreachable
  echo "192.168.100.11:/data /opt/jumpserver/core/data nfs defaults 0 0" >> /etc/fstab

Download the JumpServer installer

  cd /opt
  yum -y install wget
  wget https://github.com/jumpserver/installer/releases/download/v2.12.2/jumpserver-installer-v2.12.2.tar.gz
  tar -xf jumpserver-installer-v2.12.2.tar.gz
  cd jumpserver-installer-v2.12.2

Edit the configuration file

  vi config-example.txt

  # Change the options below and keep the rest at their defaults; do not copy these values verbatim
  ### Note: SECRET_KEY must be identical on all JumpServer servers, otherwise encrypted data cannot be decrypted
  # Installation settings
  ### Note the persistence directory VOLUME_DIR: if NFS was mounted to a different directory above, change it here too. E.g. if NFS is mounted at /data/jumpserver/core/data, set VOLUME_DIR=/data/jumpserver
  VOLUME_DIR=/opt/jumpserver
  DOCKER_DIR=/var/lib/docker
  # Core settings
  ### Cannot be changed after the first start, otherwise passwords and other secrets cannot be decrypted; do not copy the strings below verbatim
  SECRET_KEY=kWQdmdCQKjaWlHYpPhkNQDkfaRulM6YnHctsHLlSPs8287o2kW
  BOOTSTRAP_TOKEN=KXOeyNgDeTdpeu9q
  LOG_LEVEL=ERROR
  # SESSION_COOKIE_AGE=86400
  SESSION_EXPIRE_AT_BROWSER_CLOSE=true
  # MySQL settings
  USE_EXTERNAL_MYSQL=1
  DB_HOST=192.168.100.11
  DB_PORT=3306
  DB_USER=jumpserver
  DB_PASSWORD=KXOeyNgDeTdpeu9q
  DB_NAME=jumpserver
  # Redis settings
  USE_EXTERNAL_REDIS=1
  REDIS_HOST=192.168.100.11
  REDIS_PORT=6379
  REDIS_PASSWORD=KXOeyNgDeTdpeu9q
  # KoKo and Lion settings
  SHARE_ROOM_TYPE=redis

  ./jmsctl.sh install

Start JumpServer

  ./jmsctl.sh start

  Creating network "jms_net" with driver "bridge"
  Creating jms_core ... done
  Creating jms_lion ... done
  Creating jms_koko ... done
  Creating jms_celery ... done
  Creating jms_web ... done

Deploy JumpServer 04

  Server: 192.168.100.24

Configure NFS

  yum -y install nfs-utils
  showmount -e 192.168.100.11

  # Mount the Core persistence directory on NFS; the default is /opt/jumpserver/core/data, adjust to your setup
  # The JumpServer persistence directory is the VOLUME_DIR parameter, which the installer prompts for
  mkdir -p /opt/jumpserver/core/data
  mount -t nfs 192.168.100.11:/data /opt/jumpserver/core/data

  # Optionally add the mount to /etc/fstab so it is mounted at boot. Note: once set, the server will not start if the NFS export is broken or unreachable
  echo "192.168.100.11:/data /opt/jumpserver/core/data nfs defaults 0 0" >> /etc/fstab

Download the JumpServer installer

  cd /opt
  yum -y install wget
  wget https://github.com/jumpserver/installer/releases/download/v2.12.2/jumpserver-installer-v2.12.2.tar.gz
  tar -xf jumpserver-installer-v2.12.2.tar.gz
  cd jumpserver-installer-v2.12.2

Edit the configuration file

  vi config-example.txt

  # Change the options below and keep the rest at their defaults; do not copy these values verbatim
  ### Note: SECRET_KEY must be identical on all JumpServer servers, otherwise encrypted data cannot be decrypted
  # Installation settings
  ### Note the persistence directory VOLUME_DIR: if NFS was mounted to a different directory above, change it here too. E.g. if NFS is mounted at /data/jumpserver/core/data, set VOLUME_DIR=/data/jumpserver
  VOLUME_DIR=/opt/jumpserver
  DOCKER_DIR=/var/lib/docker
  # Core settings
  ### Cannot be changed after the first start, otherwise passwords and other secrets cannot be decrypted; do not copy the strings below verbatim
  SECRET_KEY=kWQdmdCQKjaWlHYpPhkNQDkfaRulM6YnHctsHLlSPs8287o2kW
  BOOTSTRAP_TOKEN=KXOeyNgDeTdpeu9q
  LOG_LEVEL=ERROR
  # SESSION_COOKIE_AGE=86400
  SESSION_EXPIRE_AT_BROWSER_CLOSE=true
  # MySQL settings
  USE_EXTERNAL_MYSQL=1
  DB_HOST=192.168.100.11
  DB_PORT=3306
  DB_USER=jumpserver
  DB_PASSWORD=KXOeyNgDeTdpeu9q
  DB_NAME=jumpserver
  # Redis settings
  USE_EXTERNAL_REDIS=1
  REDIS_HOST=192.168.100.11
  REDIS_PORT=6379
  REDIS_PASSWORD=KXOeyNgDeTdpeu9q
  # KoKo and Lion settings
  SHARE_ROOM_TYPE=redis

  ./jmsctl.sh install

Start JumpServer

  ./jmsctl.sh start

  Creating network "jms_net" with driver "bridge"
  Creating jms_core ... done
  Creating jms_celery ... done
  Creating jms_lion ... done
  Creating jms_koko ... done
  Creating jms_web ... done
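The four node configurations above must agree on SECRET_KEY, BOOTSTRAP_TOKEN and the shared MySQL/Redis settings, and a single mistyped value on one node (a regenerated key, a typo in DB_USER) only shows up later as undecryptable data or a node that fails to start. The following added example (not part of the JumpServer installer) parses each node's config.txt and reports settings that are not uniform, comparing secrets by SHA-256 fingerprint so the report never prints them; the node configs, names and secret values are constructed placeholders.

```python
"""Compare the config.txt of every JumpServer node and report settings that
differ where the guide requires them to be identical. Added example; NODE_CONFIGS
is constructed and two nodes deliberately disagree."""
import hashlib
from collections import defaultdict
from typing import Dict, List

MUST_MATCH = ("SECRET_KEY", "BOOTSTRAP_TOKEN", "USE_EXTERNAL_MYSQL", "DB_HOST", "DB_PORT",
              "DB_USER", "DB_PASSWORD", "DB_NAME", "USE_EXTERNAL_REDIS", "REDIS_HOST",
              "REDIS_PORT", "REDIS_PASSWORD", "SHARE_ROOM_TYPE")
SECRETS = {"SECRET_KEY", "BOOTSTRAP_TOKEN", "DB_PASSWORD", "REDIS_PASSWORD"}
MISSING = "<missing>"


def parse_config(text: str) -> Dict[str, str]:
    """KEY=value lines of a jumpserver config.txt; everything after '#' is a comment."""
    cfg: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            cfg[key.strip()] = value.strip()
    return cfg


def fingerprint(key: str, value: str) -> str:
    """Secrets are compared and reported by a short SHA-256 prefix, never in clear."""
    if key in SECRETS and value != MISSING:
        return "sha256:" + hashlib.sha256(value.encode()).hexdigest()[:12]
    return value


def find_mismatches(node_configs: Dict[str, str]) -> Dict[str, Dict[str, List[str]]]:
    """{setting: {value_or_fingerprint: [nodes]}} for every setting that is not uniform."""
    parsed = {node: parse_config(text) for node, text in node_configs.items()}
    report: Dict[str, Dict[str, List[str]]] = {}
    for key in MUST_MATCH:
        by_value: Dict[str, List[str]] = defaultdict(list)
        for node, cfg in parsed.items():
            by_value[fingerprint(key, cfg.get(key, MISSING))].append(node)
        if len(by_value) > 1:          # more than one distinct value -> nodes disagree
            report[key] = dict(by_value)
    return report


def node_config(secret_key: str, db_user: str) -> str:
    """One constructed config.txt in the layout the guide uses (placeholder secrets)."""
    return f"""
SECRET_KEY={secret_key} # must be identical on all JumpServer servers
BOOTSTRAP_TOKEN=bootstrap-token-PLACEHOLDER
USE_EXTERNAL_MYSQL=1
DB_HOST=192.168.100.11
DB_PORT=3306
DB_USER={db_user}
DB_PASSWORD=db-password-PLACEHOLDER
DB_NAME=jumpserver
USE_EXTERNAL_REDIS=1
REDIS_HOST=192.168.100.11
REDIS_PORT=6379
REDIS_PASSWORD=redis-password-PLACEHOLDER
SHARE_ROOM_TYPE=redis
"""


# Constructed fleet: node 22 has a typo in DB_USER, node 23 kept an installer-generated key.
NODE_CONFIGS = {
    "192.168.100.21": node_config("shared-secret-PLACEHOLDER", "jumpserver"),
    "192.168.100.22": node_config("shared-secret-PLACEHOLDER", "jumpserve"),
    "192.168.100.23": node_config("regenerated-secret-PLACEHOLDER", "jumpserver"),
    "192.168.100.24": node_config("shared-secret-PLACEHOLDER", "jumpserver"),
}

if __name__ == "__main__":
    for key, groups in find_mismatches(NODE_CONFIGS).items():
        print(key)
        for value, nodes in groups.items():
            print(f"  {value}: {', '.join(nodes)}")
```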

Deploy the HAProxy service

  Server: 192.168.100.100

Install dependencies

  yum -y install epel-release

Install HAProxy

  yum install -y haproxy

Configure HAProxy

  vi /etc/haproxy/haproxy.cfg

  global
      # to have these messages end up in /var/log/haproxy.log you will
      # need to:
      #
      # 1) configure syslog to accept network log events. This is done
      #    by adding the '-r' option to the SYSLOGD_OPTIONS in
      #    /etc/sysconfig/syslog
      #
      # 2) configure local2 events to go to the /var/log/haproxy.log
      #    file. A line like the following can be added to
      #    /etc/sysconfig/syslog
      #
      #    local2.*                       /var/log/haproxy.log
      #
      log         127.0.0.1 local2
      chroot      /var/lib/haproxy
      pidfile     /var/run/haproxy.pid
      maxconn     4000
      user        haproxy
      group       haproxy
      daemon
      # turn on stats unix socket
      stats socket /var/lib/haproxy/stats

  #---------------------------------------------------------------------
  # common defaults that all the 'listen' and 'backend' sections will
  # use if not designated in their block
  #---------------------------------------------------------------------
  defaults
      log                     global
      option                  dontlognull
      option                  redispatch
      retries                 3
      timeout http-request    10s
      timeout queue           1m
      timeout connect         10s
      timeout client          1m
      timeout server          1m
      timeout http-keep-alive 10s
      timeout check           10s
      maxconn                 3000

  listen stats
      bind *:8080
      mode http
      stats enable
      stats uri /haproxy                  # stats page, change as needed; served at http://192.168.100.100:8080/haproxy
      stats refresh 5s
      stats realm haproxy-status
      stats auth admin:KXOeyNgDeTdpeu9q   # username:password, change as needed; requested when visiting http://192.168.100.100:8080/haproxy

  #---------------------------------------------------------------------
  # health check parameters
  # inter  interval between two checks, in milliseconds unless a unit is given (e.g. 2s)
  # rise   number of consecutive successful checks before a server is considered up
  # fall   number of consecutive failed checks before a server is considered down
  # e.g. inter 2s rise 2 fall 3
  # means: check every 2 seconds; 2 consecutive successes mark the server healthy, 3 consecutive failures mark it unhealthy
  #
  # server parameters
  # server 192.168.100.21 192.168.100.21:80 weight 1 cookie web01
  # the first 192.168.100.21 is the label shown on the stats page and can be any string
  # the second 192.168.100.21:80 is the real backend address and port
  # weight: with several nodes, load is distributed according to the weights
  # cookie: the client-side cookie carries this value, which tells you which backend node served the request
  # e.g. server db01 192.168.100.21:3306 weight 1 cookie db_01
  #---------------------------------------------------------------------
  listen jms-web
      bind *:80                           # listen on port 80
      mode http
      # redirect scheme https if !{ ssl_fc }   # redirect to https
      # bind *:443 ssl crt /opt/ssl.pem        # https settings
      option httplog
      option httpclose
      option forwardfor
      option httpchk GET /api/health/     # Core health endpoint
      cookie SERVERID insert indirect
      hash-type consistent
      fullconn 500
      balance leastconn
      server 192.168.100.21 192.168.100.21:80 weight 1 cookie web01 check inter 2s rise 2 fall 3   # JumpServer servers
      server 192.168.100.22 192.168.100.22:80 weight 1 cookie web02 check inter 2s rise 2 fall 3
      server 192.168.100.23 192.168.100.23:80 weight 1 cookie web03 check inter 2s rise 2 fall 3
      server 192.168.100.24 192.168.100.24:80 weight 1 cookie web04 check inter 2s rise 2 fall 3

  listen jms-ssh
      bind *:2222
      mode tcp
      option tcplog
      option tcp-check
      fullconn 500
      balance leastconn
      server 192.168.100.21 192.168.100.21:2222 weight 1 check inter 2s rise 2 fall 3 send-proxy
      server 192.168.100.22 192.168.100.22:2222 weight 1 check inter 2s rise 2 fall 3 send-proxy
      server 192.168.100.23 192.168.100.23:2222 weight 1 check inter 2s rise 2 fall 3 send-proxy
      server 192.168.100.24 192.168.100.24:2222 weight 1 check inter 2s rise 2 fall 3 send-proxy

  listen jms-koko
      mode http
      option httplog
      option httpclose
      option forwardfor
      option httpchk GET /koko/health/ HTTP/1.1\r\nHost:\ 192.168.100.100   # KoKo health endpoint; Host is the HAProxy IP address
      cookie SERVERID insert indirect
      hash-type consistent
      fullconn 500
      balance leastconn
      server 192.168.100.21 192.168.100.21:80 weight 1 cookie web01 check inter 2s rise 2 fall 3
      server 192.168.100.22 192.168.100.22:80 weight 1 cookie web02 check inter 2s rise 2 fall 3
      server 192.168.100.23 192.168.100.23:80 weight 1 cookie web03 check inter 2s rise 2 fall 3
      server 192.168.100.24 192.168.100.24:80 weight 1 cookie web04 check inter 2s rise 2 fall 3

  listen jms-lion
      mode http
      option httplog
      option httpclose
      option forwardfor
      option httpchk GET /lion/health/ HTTP/1.1\r\nHost:\ 192.168.100.100   # Lion health endpoint; Host is the HAProxy IP address
      cookie SERVERID insert indirect
      hash-type consistent
      fullconn 500
      balance leastconn
      server 192.168.100.21 192.168.100.21:80 weight 1 cookie web01 check inter 2s rise 2 fall 3
      server 192.168.100.22 192.168.100.22:80 weight 1 cookie web02 check inter 2s rise 2 fall 3
      server 192.168.100.23 192.168.100.23:80 weight 1 cookie web03 check inter 2s rise 2 fall 3
      server 192.168.100.24 192.168.100.24:80 weight 1 cookie web04 check inter 2s rise 2 fall 3

  #---------------------------------------------------------------------
  # For Redis master/replica or Sentinel setups, the following check can be used
  #---------------------------------------------------------------------
  # listen redis
  #     bind *:6379
  #     mode tcp
  #     timeout connect 3s
  #     timeout server 6s
  #     timeout client 6s
  #     option tcplog
  #     option tcp-check
  #     tcp-check connect
  #     tcp-check send AUTH\ KXOeyNgDeTdpeu9q\r\n   # Redis password
  #     tcp-check send PING\r\n
  #     tcp-check expect string +PONG
  #     tcp-check send info\ replication\r\n
  #     tcp-check expect string role:master
  #     tcp-check send QUIT\r\n
  #     tcp-check expect string +OK
  #     server redis01 192.168.100.11:6379 check inter 3s   # Redis servers
  #     server redis02 192.168.100.12:6379 check inter 3s
  #     server redis03 192.168.100.13:6379 check inter 3s
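Because the node blocks in this configuration are copied four times per section, the typical slip is a reused server label, cookie value or backend address, which silently sends two cookies' worth of sessions to one node or leaves a node out of a section entirely. The following added example (not part of the JumpServer documentation or of HAProxy) lints the `server` lines of an haproxy.cfg for exactly those duplicates and checks that sections meant to front the same nodes list the same hosts; SAMPLE_CFG is a constructed fragment that deliberately contains such slips.

```python
"""Lint HAProxy 'server' lines for copy-paste slips: duplicate names, addresses
or cookie values within a section, and HTTP/TCP sections that do not front the
same set of JumpServer nodes. Added example; SAMPLE_CFG is constructed."""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

Finding = Tuple[str, str, str]  # (section, problem, offending value)

SECTION_RE = re.compile(r"^\s*(listen|frontend|backend|defaults|global)\b\s*(\S*)")
SERVER_RE = re.compile(r"^\s*server\s+(\S+)\s+(\S+)(.*)$")


def parse_servers(cfg: str) -> Dict[str, List[dict]]:
    """Map each section name to its server entries: {name, addr, cookie}."""
    servers: Dict[str, List[dict]] = defaultdict(list)
    section = None
    for raw in cfg.splitlines():
        line = raw.split("#", 1)[0].rstrip()       # drop trailing comments
        if not line.strip():
            continue
        sec = SECTION_RE.match(line)
        if sec:
            section = sec.group(2) or sec.group(1)  # 'listen jms-web' -> 'jms-web'
            continue
        srv = SERVER_RE.match(line)
        if srv and section:
            name, addr, rest = srv.groups()
            cookie = re.search(r"\bcookie\s+(\S+)", rest)
            servers[section].append(
                {"name": name, "addr": addr, "cookie": cookie.group(1) if cookie else None})
    return servers


def lint(cfg: str, same_nodes: Tuple[str, ...] = ()) -> List[Finding]:
    """Duplicates within each section, plus host-set mismatches across 'same_nodes'."""
    findings: List[Finding] = []
    servers = parse_servers(cfg)
    for section, entries in servers.items():
        for key in ("name", "addr", "cookie"):
            owners: Dict[str, List[str]] = defaultdict(list)
            for entry in entries:
                if entry[key] is not None:
                    owners[entry[key]].append(entry["name"])
            for value, names in owners.items():
                if len(names) > 1:                  # same value on two server lines
                    findings.append((section, f"duplicate {key}", value))
    if same_nodes:  # sections fronting the same nodes must list the same hosts (ports may differ)
        hosts = {s: {e["addr"].rsplit(":", 1)[0] for e in servers.get(s, [])} for s in same_nodes}
        reference = hosts[same_nodes[0]]
        for s in same_nodes[1:]:
            if hosts[s] != reference:
                findings.append((s, f"node set differs from {same_nodes[0]}",
                                 ",".join(sorted(hosts[s] ^ reference))))
    return findings


# Constructed fragment: the last line of each section carries a copy-paste slip.
SAMPLE_CFG = """
listen jms-web
    bind *:80
    mode http
    cookie SERVERID insert indirect
    server 192.168.100.21 192.168.100.21:80 weight 1 cookie web01 check inter 2s rise 2 fall 3
    server 192.168.100.22 192.168.100.22:80 weight 1 cookie web02 check inter 2s rise 2 fall 3
    server 192.168.100.23 192.168.100.23:80 weight 1 cookie web03 check inter 2s rise 2 fall 3
    server 192.168.100.23 192.168.100.24:80 weight 1 cookie web03 check inter 2s rise 2 fall 3
listen jms-ssh
    bind *:2222
    mode tcp
    server 192.168.100.21 192.168.100.21:2222 weight 1 check inter 2s rise 2 fall 3 send-proxy
    server 192.168.100.22 192.168.100.22:2222 weight 1 check inter 2s rise 2 fall 3 send-proxy
    server 192.168.100.23 192.168.100.23:2222 weight 1 check inter 2s rise 2 fall 3 send-proxy
    server 192.168.100.24 192.168.100.23:2222 weight 1 check inter 2s rise 2 fall 3 send-proxy
"""

if __name__ == "__main__":
    for section, problem, value in lint(SAMPLE_CFG, ("jms-web", "jms-ssh")):
        print(f"{section}: {problem}: {value}")
```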

Configure SELinux

  setsebool -P haproxy_connect_any 1

Start HAProxy

  systemctl enable haproxy
  systemctl start haproxy

Configure the firewall

  firewall-cmd --permanent --zone=public --add-port=80/tcp
  firewall-cmd --permanent --zone=public --add-port=443/tcp
  firewall-cmd --permanent --zone=public --add-port=2222/tcp
  firewall-cmd --reload

Deploy the MinIO service

  Server: 192.168.100.41

Install Docker

  yum install -y yum-utils device-mapper-persistent-data lvm2
  yum-config-manager --add-repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
  sed -i 's+download.docker.com+mirrors.aliyun.com/docker-ce+' /etc/yum.repos.d/docker-ce.repo
  yum makecache fast
  yum -y install docker-ce

Configure Docker

  mkdir /etc/docker/
  vi /etc/docker/daemon.json

  {
    "live-restore": true,
    "registry-mirrors": ["https://hub-mirror.c.163.com", "https://bmtrgdvx.mirror.aliyuncs.com", "http://f1361db2.m.daocloud.io"],
    "log-driver": "json-file",
    "log-opts": {"max-file": "3", "max-size": "10m"}
  }

Start Docker

  systemctl enable docker
  systemctl start docker

Pull the MinIO image

  docker pull minio/minio:latest

  latest: Pulling from minio/minio
  a591faa84ab0: Pull complete
  76b9354adec6: Pull complete
  f9d8746550a4: Pull complete
  890b1dd95baa: Pull complete
  3a8518c890dc: Pull complete
  8053f0501aed: Pull complete
  506c41cb8532: Pull complete
  Digest: sha256:e7a725edb521dd2af07879dad88ee1dfebd359e57ad8d98104359ccfbdb92024
  Status: Downloaded newer image for minio/minio:latest
  docker.io/minio/minio:latest

Persistent data directories

  mkdir -p /opt/jumpserver/minio/data /opt/jumpserver/minio/config

Start MinIO

  ## Change the username and password and keep them safe; if they are lost, delete the container and recreate it with a new password, the data is not lost
  # 9000                                   API port
  # 9001                                   console port
  # MINIO_ROOT_USER=minio                  MinIO username
  # MINIO_ROOT_PASSWORD=KXOeyNgDeTdpeu9q   MinIO password
  docker run --name jms_minio -d -p 9000:9000 -p 9001:9001 -e MINIO_ROOT_USER=minio -e MINIO_ROOT_PASSWORD=KXOeyNgDeTdpeu9q -v /opt/jumpserver/minio/data:/data -v /opt/jumpserver/minio/config:/root/.minio --restart=always minio/minio:latest server /data --console-address ":9001"

Set up MinIO

  • Open http://192.168.100.41:9000 and log in with the MinIO username and password set above
  • Click Buckets in the left menu, choose Create Bucket, enter jumpserver as the Bucket Name and click Save

Set up JumpServer

  • Open the JumpServer web interface and log in with an administrator account
  • Click [Terminal Management] in the left menu, select [Storage Settings] at the top of the page, then under [Recording Storage] choose [Create] and select [Ceph]
  • Fill in the fields according to the table below; after saving, go to the [Terminal Management] page, [Update] every component, select [jms-minio] as the recording storage and submit

| Option          | Reference value            | Description                                        |
|-----------------|----------------------------|----------------------------------------------------|
| Name            | jms-minio                  | Identifier, must be unique                         |
| Type            | Ceph                       | Fixed, cannot be changed                           |
| Bucket          | jumpserver                 | Bucket Name                                        |
| Access key      | minio                      | MINIO_ROOT_USER                                    |
| Secret key      | KXOeyNgDeTdpeu9q           | MINIO_ROOT_PASSWORD                                |
| Endpoint        | http://192.168.100.41:9000 | MinIO service address                              |
| Default storage |                            | New components will use this storage automatically |

Upgrade notes

Always take a backup before upgrading

  • Stop all JumpServer nodes before upgrading
  • On any one JumpServer node, complete the upgrade according to the upgrade documentation
  • Check that node's upgrade process carefully to make sure nothing went wrong
  • Then upgrade the other JumpServer nodes according to the upgrade documentation

  cd /opt
  wget https://github.com/jumpserver/installer/releases/download/v2.12.2/jumpserver-installer-v2.12.2.tar.gz
  tar -xf jumpserver-installer-v2.12.2.tar.gz
  cd jumpserver-installer-v2.12.2

  # Additional nodes can set SKIP_BACKUP_DB=1 to skip the database backup; do not skip the backup on the first node you upgrade
  export SKIP_BACKUP_DB=1
  ./jmsctl.sh upgrade