一、环境准备
1、关闭防火墙selinux
# Lab shortcut: stop the host firewall and switch SELinux to permissive so nothing
# interferes with Docker's network setup. Both lower host security, and neither
# survives a reboot (firewalld is only stopped, not disabled; setenforce is not
# persisted in /etc/selinux/config). On anything but a throwaway lab host, keep
# both on and open only the published ports (81/tcp and 2222/tcp below) instead.
systemctl stop firewalld
setenforce 0
2、配置yum仓库
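# Mount the CentOS 7 install ISO and make it the only yum source.
# For an uploaded ISO file use a loop mount instead: mount -o loop /path/to/CentOS.iso /mnt
mount /dev/sr0 /mnt
rm -rf /etc/yum.repos.d/*
# A heredoc needs '<<' - the original '< EOF' tried to read a file named EOF.
# gpgcheck is turned on against the signing key shipped at the root of the CentOS 7
# ISO so tampered packages are rejected; confirm the key path with: ls /mnt/RPM-GPG-KEY-*
cat > /etc/yum.repos.d/local.repo << 'EOF'
[centos]
name=centos
baseurl=file:///mnt
enabled=1
gpgcheck=1
gpgkey=file:///mnt/RPM-GPG-KEY-CentOS-7
EOF
yum clean all && yum repolist
# local.repo is deliberately left in place: the next step runs `yum install -y wget`
# and needs a working repository before the Aliyun mirrors have been added.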
3、配置阿里云 CentOS 源和 docker-ce 源，安装 docker-ce
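# Add the Aliyun mirrors for CentOS 7 and Docker CE, then install docker-ce.
# This needs a working repository first (the local ISO repo from step 2).
yum install -y wget
# The repo files must land in /etc/yum.repos.d/: a bare `wget URL` saves them into
# the current directory, where yum never sees them, and docker-ce cannot be found.
wget -O /etc/yum.repos.d/CentOS-Base.repo https://mirrors.aliyun.com/repo/Centos-7.repo
wget -O /etc/yum.repos.d/docker-ce.repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
# Both mirror files should carry gpgcheck=1 with their own gpgkey URLs; check with
# `grep gpgcheck /etc/yum.repos.d/*.repo` and do not switch it off.
yum makecache
yum install -y docker-ce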
4、启动docker并设置为开机自启动
# Start the Docker daemon now and enable it at boot. Anyone who can reach the
# daemon's socket is effectively root on this host, so do not add extra users to
# the docker group on a shared machine.
systemctl restart docker
systemctl enable docker
二、安装docker-compose
1、下载:
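# Download docker-compose 1.29.2 and verify it against the .sha256 file published
# with the same GitHub release before it is installed into PATH. --fail stops curl
# from saving an HTML error page as the "binary"; the digest check rejects a
# truncated or substituted download.
# NOTE(review): compose 1.x is end-of-life; the docker-ce repo added above also
# carries the maintained v2 plugin (docker-compose-plugin) if a newer tool is acceptable.
compose_ver=1.29.2
compose_file="docker-compose-$(uname -s)-$(uname -m)"
compose_url="https://github.com/docker/compose/releases/download/${compose_ver}"
tmpdir=$(mktemp -d)
curl -fL "${compose_url}/${compose_file}" -o "${tmpdir}/${compose_file}"
curl -fL "${compose_url}/${compose_file}.sha256" -o "${tmpdir}/${compose_file}.sha256"
# Compare only the digest field so the filename inside the .sha256 file does not matter.
echo "$(cut -d' ' -f1 "${tmpdir}/${compose_file}.sha256")  ${tmpdir}/${compose_file}" | sha256sum -c - \
  && install -m 0755 "${tmpdir}/${compose_file}" /usr/local/bin/docker-compose
rm -rf -- "${tmpdir}"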
2、开启可执行权限
# Make the downloaded file executable (curl does not set the execute bit).
chmod +x /usr/local/bin/docker-compose
3、 查看版本
# Smoke test: should print the 1.29.2 version string; a failure here usually means
# the download was incomplete or saved an error page instead of the binary.
docker-compose --version
三、部署JumpServer
基础环境准备
将软件包JumpServer.tar.gz下载到本地。该包来自第三方网盘分享，解压前请与发布方提供的校验值（如 sha256sum）核对，确认文件未被篡改。
123云盘:
https://www.123pan.com/s/UToZjv-AuYOd
解压软件包:
# Unpack the offline bundle into ./JumpServer (base image tarball, RPM repo
# archive and the per-service build contexts used in the steps below).
tar -zxf JumpServer.tar.gz
导入镜像:
# Import the centos:7.9.2009 base image every Dockerfile below builds FROM.
# docker load trusts the tarball as-is (no signature check), so verify the bundle's
# checksum before this step.
docker load -i JumpServer/images/centos_7.9.2009.tar
配置环境变量
编写环境变量脚本:
cd JumpServer/
vi .env
# Settings read by docker-compose.yaml (docker-compose loads .env from this
# directory automatically). This file holds live credentials: keep it mode 0600
# and out of version control.
Version=v2.5.3
# MySQL
DB_HOST=mysql
DB_PORT=3306
DB_USER=root
# Weak lab password. Generate a real one (e.g. `openssl rand -base64 24`) for any
# deployment reachable beyond a lab, and avoid single quotes in the value because
# mysql_init.sh splices it into a GRANT statement.
DB_PASSWORD=000000
# Used both as the database name and as the directory mysql_init.sh checks for
# under /var/lib/mysql to decide whether this is the first start.
DB_NAME=root
# Redis
REDIS_HOST=redis
REDIS_PORT=6379
REDIS_PASSWORD=8URXPL2x3HZMi7xoGTdk3Upj
# Core
# SECRET_KEY presumably protects data core stores (changing it later is likely to
# make existing encrypted values unreadable - confirm before rotating).
# BOOTSTRAP_TOKEN is the shared token docker-compose also hands to koko and
# guacamole; rotate both values for anything other than a lab.
SECRET_KEY=B3f2w8P2PfxIAS7s4URrD9YmSbtqX4vXdPUL217kL9Xtetetss
BOOTSTRAP_TOKEN=7Q11Vz6R2J6BLAdO
LOG_LEVEL=ERROR
容器化部署MySQL
编写Dockerfile
编写yum源:
vi local.repo
# Offline RPM repository used inside every image build: jumpserverrepo.tar.gz is
# ADDed to /opt and unpacks to /opt/jumpserverrepo.
[jumpserver]
name=jumpserver
baseurl=file:///opt/jumpserverrepo
enabled=1
# gpgcheck is off because the bundled repo ships no signing key; this means the
# build trusts whatever is in the tarball, so verify the bundle's checksum first.
gpgcheck=0
编写数据库初始化脚本:
vi mysql_init.sh
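#!/bin/bash
# Entrypoint of the jms_mysql image.
#
# On the first start (no /var/lib/mysql/$DB_NAME directory yet) the data
# directory is initialised, mysqld is started, and the application database plus
# its user are created from the DB_* variables passed in by docker-compose. On
# later starts mysqld is simply started again on the persisted volume.
#
# Changes from the original script:
#   * the call to the undefined function config_mysql was dropped (bash printed
#     "command not found" and carried on, so it never did anything);
#   * the fixed `sleep 5s` is replaced by polling mysqladmin ping, so a slow
#     first initialisation no longer races the CREATE DATABASE;
#   * DB_NAME / DB_USER / DB_PASSWORD must be set, and single quotes in the
#     password are escaped before it is spliced into SQL.
#
# --initialize-insecure leaves root@localhost with an empty password. That
# account is only reachable from inside the container (docker-compose.yaml
# publishes no MySQL port), but set a password if the container is ever exposed.
set -eu

: "${DB_NAME:?DB_NAME must be set}"
: "${DB_USER:?DB_USER must be set}"
: "${DB_PASSWORD:?DB_PASSWORD must be set}"

datadir=/var/lib/mysql
logfile=/var/log/mysqld.log

# Block until the local server answers. mysqladmin ping exits 0 as soon as the
# server is up, even when the login itself is refused.
wait_for_mysqld() {
  local attempt
  for attempt in $(seq 1 60); do
    if mysqladmin ping --silent >/dev/null 2>&1; then
      return 0
    fi
    sleep 1
  done
  echo "mysqld did not become ready in time" >&2
  return 1
}

if [ ! -d "${datadir}/${DB_NAME}" ]; then
  mysqld --initialize-insecure --user=mysql --datadir="${datadir}"
  mysqld --daemonize --user=mysql
  wait_for_mysqld
  # Double every single quote so the password cannot terminate the SQL string.
  pw_sql=${DB_PASSWORD//"'"/"''"}
  mysql -uroot <<SQL
CREATE DATABASE \`${DB_NAME}\` DEFAULT CHARSET 'utf8' COLLATE 'utf8_bin';
GRANT ALL ON \`${DB_NAME}\`.* TO '${DB_USER}'@'%' IDENTIFIED BY '${pw_sql}';
FLUSH PRIVILEGES;
SQL
else
  mysqld --daemonize --user=mysql
  wait_for_mysqld
fi

mysql --version
# tail becomes PID 1 and keeps the container alive while streaming the server
# log; exec so `docker stop`'s SIGTERM reaches it rather than a wrapper shell.
# mysqld itself is not supervised - if it dies the container keeps running.
exec tail -f "${logfile}"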
编写Dockerfile文件:
vi Dockerfile-mysql
FROM centos:7.9.2009
WORKDIR /opt
ARG Version=v2.5.3
ENV Version=${Version}
ENV LANG=en_US.utf8
# Offline RPM repository for this build and the yum config that points at it.
ADD jumpserverrepo.tar.gz .
RUN rm -rf /etc/yum.repos.d/*
COPY local.repo /etc/yum.repos.d/
# Entrypoint: initialises the data directory on first start (see mysql_init.sh).
COPY mysql_init.sh .
RUN set -ex; \
    ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime; \
    echo "LANG=en_US.utf8" > /etc/locale.conf; \
    yum install -y mysql-community-server; \
    yum clean all; \
    rm -rf /var/cache/yum/*; \
    chmod 755 ./mysql_init.sh
CMD ["./mysql_init.sh"]
构建镜像
docker build -t jms_mysql:v1.0 -f Dockerfile-mysql .
容器化部署Redis
编写Redis初始化脚本:
vi redis_init.sh
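#!/bin/bash
# Entrypoint of the jms_redis image: apply the port and password from the
# REDIS_* environment variables to /etc/redis.conf, then run redis-server in the
# foreground as PID 1.
#
# Changes from the original script:
#   * REDIS_PASSWORD is required - an empty value wrote a bare "requirepass"
#     line and left the server unauthenticated;
#   * the password is appended as its own line instead of being spliced into a
#     sed expression, so values containing '/', '&' or '\' cannot corrupt the
#     substitution, and no fixed line number ("481i") in redis.conf is assumed;
#   * redis-server is exec'ed so SIGTERM from `docker stop` reaches it directly.
set -eu

: "${REDIS_PASSWORD:?REDIS_PASSWORD must be set}"
conf=/etc/redis.conf
port=${REDIS_PORT:-6379}

# Listening port (numeric, so safe inside a sed expression).
sed -i "s/^port 6379$/port ${port}/" "${conf}"

# Remove any existing or commented-out requirepass line and append the real one.
# Redis honours the last occurrence of a directive, and the value is written
# verbatim (a password containing whitespace would still need quoting here).
sed -i '/^#\? *requirepass /d' "${conf}"
printf 'requirepass %s\n' "${REDIS_PASSWORD}" >> "${conf}"

exec redis-server "${conf}"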
编写Dockerfile文件:
vi Dockerfile-redis
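FROM centos:7.9.2009
WORKDIR /opt
ARG Version=v2.5.3
ENV Version=${Version} \
LANG=en_US.utf8
ADD jumpserverrepo.tar.gz .
RUN rm -rf /etc/yum.repos.d/*
COPY local.repo /etc/yum.repos.d/
# Comments inside the RUN are on their own lines: a "\ #comment" after the
# continuation backslash (as in the original) ends the instruction early and the
# following "&&" lines then fail to parse.
# The original also appended net.core.somaxconn / vm.overcommit_memory to
# /etc/sysctl.conf; those are kernel parameters a container cannot set, so the
# lines were dropped - set them on the Docker host if Redis warns about them.
RUN set -ex \
&& ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime \
&& echo "LANG=en_US.utf8" > /etc/locale.conf \
&& yum install -y redis \
# Redis must listen on the container interface so core can reach it over the
# compose network. Relaxing protected-mode and binding 0.0.0.0 is only acceptable
# because redis_init.sh adds requirepass and docker-compose.yaml publishes no
# Redis port to the host.
&& sed -i "s/protected-mode yes/protected-mode no/g" /etc/redis.conf \
&& sed -i "s/bind 127.0.0.1/bind 0.0.0.0/g" /etc/redis.conf \
# Evict least-recently-used keys when maxmemory is hit; appended rather than
# inserted at a fixed line number, which depended on the packaged file's layout.
&& echo "maxmemory-policy allkeys-lru" >> /etc/redis.conf \
&& yum clean all \
&& rm -rf /var/cache/yum/*
COPY redis_init.sh .
RUN chmod 755 ./redis_init.sh
CMD ["./redis_init.sh"]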
构建镜像
docker build -t jms_redis:v1.0 -f Dockerfile-redis .
容器化部署Nginx
编写Dockerfile文件:
vi Dockerfile-nginx
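FROM centos:7.9.2009
WORKDIR /opt
ARG Version=v2.5.3
ENV Version=${Version} \
LANG=en_US.utf8
ADD jumpserverrepo.tar.gz .
RUN rm -rf /etc/yum.repos.d/*
COPY local.repo /etc/yum.repos.d/
# Front-end bundles (lina, luna) auto-extracted into /opt. The archive names now
# follow ${Version}, consistent with the mv commands below, instead of a
# hard-coded v2.5.3 that silently broke when only ARG Version was changed.
ADD nginx/lina-${Version}.tar.gz .
ADD nginx/luna-${Version}.tar.gz .
RUN set -ex \
&& ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime \
&& echo "LANG=en_US.utf8" > /etc/locale.conf \
&& yum install -y nginx \
# Blank the packaged default server block so only nginx.conf below is active.
&& echo > /etc/nginx/conf.d/default.conf \
&& mv luna-${Version} luna \
&& mv lina-${Version} lina \
&& rm -rf /opt/*.tar.gz \
&& yum clean all \
&& rm -rf /var/tmp/yum*
# nginx.conf is not shown on this page; it is where TLS for the published port
# (81 -> 80 in docker-compose.yaml) would have to be configured - the stack as
# written serves plain HTTP.
COPY nginx/nginx.conf /etc/nginx/
CMD ["nginx", "-g", "daemon off;"]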
构建镜像
docker build -t jms_nginx:v1.0 -f Dockerfile-nginx .
容器化部署Koko
编写Koko初始化脚本:
vi koko_init.sh
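#!/bin/bash
# Entrypoint of the jms_koko image: wait until the core API reports healthy,
# then run koko in the foreground.
#
# CORE_HOST is the base URL of jms_core (http://core:8080 in docker-compose.yaml).
# LOG_LEVEL defaults to ERROR when unset or empty (the original's unquoted
# `[ ! $LOG_LEVEL ]` test did the same, less safely).
set -eu

: "${CORE_HOST:?CORE_HOST must be set}"
export LOG_LEVEL=${LOG_LEVEL:-ERROR}

# True once GET /api/health/ answers 200. -k is kept for parity with the other
# init scripts; it only matters if CORE_HOST is ever switched to https with a
# self-signed certificate, and is a no-op for the plain-http default.
core_ready() {
  local code
  code=$(curl -I -m 10 -L -k -o /dev/null -s -w '%{http_code}' "${CORE_HOST}/api/health/") || return 1
  [ "${code}" = "200" ]
}

sleep 5s
until core_ready; do
  echo "wait for jms_core ready"
  sleep 2
done

cd /opt/koko
# exec so koko is PID 1 and receives `docker stop`'s SIGTERM directly.
exec ./koko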
编写Dockerfile文件:
vi Dockerfile-koko
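FROM centos:7.9.2009
# MAINTAINER is deprecated; LABEL carries the same metadata.
LABEL maintainer="Chinaskills"
WORKDIR /opt
ARG Version=v2.5.3
ENV Version=${Version} \
LANG=en_US.utf8
# Bundled kubectl, the koko release (name now follows ${Version}, matching the
# mv below) and the kubectl alias set. ADD auto-extracts these tarballs.
ADD koko/kubectl.tar.gz .
ADD koko/koko-${Version}-linux-amd64.tar.gz .
RUN mkdir /opt/kubectl-aliases/
ADD koko/kubectl_aliases.tar.gz /opt/kubectl-aliases/
ADD jumpserverrepo.tar.gz .
RUN rm -rf /etc/yum.repos.d/*
COPY local.repo /etc/yum.repos.d/
RUN set -ex \
&& ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime \
&& echo "LANG=en_US.utf8" > /etc/locale.conf \
&& yum install -y mysql-community-client bash-completion \
&& mv koko-${Version}-linux-amd64 koko \
&& chown -R root:root koko \
# The kubectl shipped inside the koko release goes to /usr/local/bin/kubectl;
# the standalone one from kubectl.tar.gz becomes /usr/local/bin/rawkubectl.
&& mv /opt/koko/kubectl /usr/local/bin/ \
&& chmod 755 ./kubectl \
&& chown root:root ./kubectl \
&& mv kubectl /usr/local/bin/rawkubectl \
&& chown -R root:root /opt/kubectl-aliases/ \
&& chmod 755 /opt/koko/init-kubectl.sh \
&& rm -rf /opt/*.tar.gz \
&& yum clean all \
&& rm -rf /var/cache/yum*
COPY koko_init.sh .
RUN chmod 755 ./koko_init.sh
CMD [ "./koko_init.sh" ]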
构建镜像
docker build -t jms_koko:v1.0 -f Dockerfile-koko .
容器化部署Guacamole
编写Guacamole初始化脚本:
vi guacamole_init.sh
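#!/bin/bash
# Entrypoint of the jms_guacamole image: export the Guacamole/JumpServer
# settings, wait for jms_core's health endpoint, start guacd and Tomcat, then
# tail the application log so the container stays up.
#
# JUMPSERVER_SERVER is the base URL of jms_core (http://core:8080 in
# docker-compose.yaml). GUACAMOLE_LOG_LEVEL is pinned to ERROR here, which
# overrides the value docker-compose passes in.
set -eu

: "${JUMPSERVER_SERVER:?JUMPSERVER_SERVER must be set}"

export JUMPSERVER_KEY_DIR=/config/guacamole/data/keys
export GUACAMOLE_HOME=/config/guacamole
export GUACAMOLE_LOG_LEVEL=ERROR
export JUMPSERVER_ENABLE_DRIVE=true
export JUMPSERVER_RECORD_PATH=/config/guacamole/data/record
export JUMPSERVER_CLEAR_DRIVE_SESSION=true
export JUMPSERVER_CLEAR_DRIVE_SCHEDULE=24

log_dir=/config/guacamole/data/log

# True once GET /api/health/ answers 200. -k only matters if JUMPSERVER_SERVER is
# switched to https with a self-signed certificate; it is a no-op for plain http.
core_ready() {
  local code
  code=$(curl -I -m 10 -L -k -o /dev/null -s -w '%{http_code}' "${JUMPSERVER_SERVER}/api/health/") || return 1
  [ "${code}" = "200" ]
}

rm -rf /config/tomcat9/logs/*
sleep 5s
until core_ready; do
  echo "wait for jms_core ready"
  sleep 2
done

/etc/init.d/guacd start
# Subshell keeps the cwd change local; the paths below are absolute anyway.
(cd /config/tomcat9/bin && ./startup.sh)

echo "Guacamole version ${Version:-unknown}, more see https://www.jumpserver.org"
echo "Quit the server with CONTROL-C."
# Truncate and follow the log. Only tail is supervised by Docker: guacd and
# Tomcat run in the background, so if either dies the container does not restart.
mkdir -p "${log_dir}"
echo "" > "${log_dir}/info.log"
exec tail -f "${log_dir}/info.log"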
编写Dockerfile文件:
vi Dockerfile-guacamole
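FROM centos:7.9.2009
WORKDIR /opt
# MAINTAINER is deprecated; LABEL carries the same metadata.
LABEL maintainer="Chinaskills"
ARG Version=v2.5.3
ENV Version=${Version} \
LANG=en_US.utf8
# Build inputs from the offline bundle. ADD auto-extracts the Tomcat tarball into
# /config; the others are copied as-is and unpacked in the RUN step below. The
# version-tagged archives now follow ${Version} like the tar/cp commands below.
# NOTE(review): apache-tomcat-7.0.33 is a very old Tomcat 7 release; check it
# against the Tomcat security advisories before using this image outside a lab.
ADD guacamole/apache-tomcat-7.0.33.tar.gz /config
COPY guacamole/ssh-forward.tar.gz /config
COPY guacamole/guacamole-client-${Version}.tar.gz /config
COPY guacamole/guacamole-server-1.2.0.tar.gz /config
COPY guacamole/docker-guacamole-${Version}.tar.gz /config
ADD jumpserverrepo.tar.gz .
RUN rm -rf /etc/yum.repos.d/*
COPY local.repo /etc/yum.repos.d/
# Comments inside the RUN are on their own lines: a "\ #comment" after the
# continuation backslash (as in the original) ends the instruction early and the
# following "&&" lines then fail to parse.
RUN set -ex \
&& yum clean all \
&& ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime \
&& echo "LANG=en_US.utf8" > /etc/locale.conf \
&& yum install -y make gcc java-1.8.0-openjdk \
# Build dependencies of guacamole-server (the original notes that
# `yum install -y *` from the offline repo also works).
&& yum install -y cairo-devel libjpeg-turbo-devel libpng-devel libtool uuid-devel \
&& yum install -y ffmpeg-devel freerdp-devel pango-devel libssh2-devel libtelnet-devel libvncserver-devel libwebsockets-devel pulseaudio-libs-devel openssl-devel libvorbis-devel libwebp-devel \
&& mkdir -p /config/guacamole/lib /config/guacamole/extensions /config/guacamole/data/log/ /config/guacamole/data/record /config/guacamole/data/drive \
&& cd /config \
# The directory is called tomcat9 even though the archive is Tomcat 7.0.33;
# guacamole_init.sh and the paths below rely on that name.
&& mv apache-tomcat-7.0.33 tomcat9 \
&& rm -rf tomcat9/webapps/* \
&& sed -i 's/# export/export/g' /root/.bashrc \
&& sed -i 's/# alias l/alias l/g' /root/.bashrc \
&& echo "java.util.logging.ConsoleHandler.encoding = UTF-8" >> /config/tomcat9/conf/logging.properties \
&& mkdir /config/docker-guacamole \
&& tar -xf docker-guacamole-${Version}.tar.gz -C /config/docker-guacamole --strip-components 1 \
&& rm -rf docker-guacamole-${Version}.tar.gz \
&& chown -R root:root /config/docker-guacamole \
&& tar -xf guacamole-server-1.2.0.tar.gz -C /config/docker-guacamole \
&& cd /config/docker-guacamole/guacamole-server-1.2.0 \
# configure checks the build environment; --with-init-dir installs the guacd
# init script that guacamole_init.sh starts.
&& ./configure --with-init-dir=/etc/init.d \
&& make \
&& make install \
&& ldconfig \
&& cd /config \
&& tar -xf ssh-forward.tar.gz -C /bin/ \
&& chmod 755 /bin/ssh-forward \
&& tar -xf guacamole-client-${Version}.tar.gz \
&& cp guacamole-client-${Version}/guacamole-*.war /config/tomcat9/webapps/ROOT.war \
&& cp guacamole-client-${Version}/guacamole-*.jar /config/guacamole/extensions/ \
&& mv /config/docker-guacamole/guacamole.properties /config/guacamole/ \
&& yum -y remove libwinpr \
&& rm -rf /config/docker-guacamole \
&& yum clean all \
&& rm -rf /var/tmp/yum*
COPY guacamole_init.sh .
RUN chmod 755 ./guacamole_init.sh
CMD ["./guacamole_init.sh"]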
构建镜像
docker build -t jms_guacamole:v1.0 -f Dockerfile-guacamole .
容器化部署Core
编写Core初始化脚本:
vi core_init.sh
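#!/bin/bash
# Entrypoint of the jms_core image: wait for MySQL and Redis to accept TCP
# connections, then start the JumpServer core from its virtualenv.
#
# Only `set -e` (not -u): the venv activate script sourced below references
# variables that may be unset and is not nounset-clean.
set -e

: "${DB_HOST:?DB_HOST must be set}"
: "${DB_PORT:?DB_PORT must be set}"
: "${REDIS_HOST:?REDIS_HOST must be set}"
: "${REDIS_PORT:?REDIS_PORT must be set}"

# Poll until host:port accepts a TCP connection, announcing $1 while waiting.
wait_for_port() {
  local name=$1 host=$2 port=$3
  until nc -z "${host}" "${port}"; do
    echo "wait for ${name} ready"
    sleep 2s
  done
}

sleep 5s
wait_for_port jms_mysql "${DB_HOST}" "${DB_PORT}"
wait_for_port jms_redis "${REDIS_HOST}" "${REDIS_PORT}"

# config.yml is emptied on every start, presumably so that settings come from
# the environment docker-compose injects (SECRET_KEY, BOOTSTRAP_TOKEN, DB_*,
# REDIS_*) rather than from a file baked into the image.
echo "" > /opt/jumpserver/config.yml
# Pinned here, overriding the LOG_LEVEL docker-compose passes in.
export LOG_LEVEL=ERROR
export WINDOWS_SKIP_ALL_MANUAL_PASSWORD=True
source /opt/py3/bin/activate
cd /opt/jumpserver
# exec so jms is PID 1 and receives `docker stop`'s SIGTERM directly.
exec ./jms start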
编写Dockerfile文件:
vi Dockerfile-core
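FROM centos:7.9.2009
# MAINTAINER is deprecated; LABEL carries the same metadata.
LABEL maintainer="Chinaskills"
ARG Version=v2.5.3
ENV Version=${Version} \
LANG=en_US.utf8
WORKDIR /opt
# Offline Python wheels (unpacked to /opt/packages, see --find-links below) and
# the offline RPM repository.
ADD core/packages.tar.gz .
ADD jumpserverrepo.tar.gz .
RUN rm -rf /etc/yum.repos.d/*
COPY local.repo /etc/yum.repos.d/
# Release archive name now follows ${Version}, matching the mv below.
ADD core/jumpserver-${Version}.tar.gz .
RUN set -ex \
&& ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime \
&& echo "LANG=en_US.utf8" > /etc/locale.conf \
# gcc and python36-devel are build-time needs that stay in the final image
# (single-stage build); acceptable for a lab, not ideal for a hardened image.
&& yum install -y gcc nc \
&& yum install -y python36 python36-devel \
&& mv jumpserver-${Version} jumpserver \
&& chown -R root:root jumpserver \
&& yum install -y $(cat /opt/jumpserver/requirements/rpm_requirements.txt) \
&& python3.6 -m venv /opt/py3 \
# `.` instead of `source`: works under any /bin/sh, not only bash.
&& . /opt/py3/bin/activate \
# --no-index keeps pip off the network; wheels come only from /opt/packages.
# NOTE(review): pip does not otherwise verify those wheels - add
# --require-hashes if requirements.txt carries hashes.
&& pip3 install --no-index --find-links=/opt/packages/ -r /opt/jumpserver/requirements/requirements.txt \
&& yum clean all \
&& rm -rf /var/cache/yum/* \
&& rm -rf /opt/*.tar.gz \
&& rm -rf /var/cache/yum* \
&& rm -rf ~/.cache/pip
COPY core_init.sh .
RUN chmod 755 ./core_init.sh
CMD ["./core_init.sh"]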
构建镜像
docker build -t jms_core:v1.0 -f Dockerfile-core .
编排部署JumpServer
编写docker-compose.yml编排部署文件:
vi docker-compose.yaml
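version: '3'
# JumpServer stack. ${VAR} values come from the .env file in this directory,
# which docker-compose loads automatically.
# Fix vs. the original: the guacamole image was written as "jms_guacamole:v1."
# (missing the trailing 0), which does not match the tag produced by
# `docker build -t jms_guacamole:v1.0` and makes `docker-compose up` fail.
services:
  mysql:
    image: jms_mysql:v1.0
    container_name: jms_mysql
    restart: always
    tty: true
    environment:
      DB_PORT: ${DB_PORT}
      DB_USER: ${DB_USER}
      DB_PASSWORD: ${DB_PASSWORD}
      DB_NAME: ${DB_NAME}
    # No ports: entry - MySQL is reachable only on the internal network.
    volumes:
      - mysql-data:/var/lib/mysql
    networks:
      - jumpserver
  redis:
    image: jms_redis:v1.0
    container_name: jms_redis
    restart: always
    tty: true
    environment:
      REDIS_PORT: ${REDIS_PORT}
      REDIS_PASSWORD: ${REDIS_PASSWORD}
    # No ports: entry - Redis (bound to 0.0.0.0 inside the container) stays internal.
    volumes:
      - redis-data:/var/lib/redis/
    networks:
      - jumpserver
  core:
    image: jms_core:v1.0
    container_name: jms_core
    restart: always
    tty: true
    environment:
      SECRET_KEY: ${SECRET_KEY}
      BOOTSTRAP_TOKEN: ${BOOTSTRAP_TOKEN}
      LOG_LEVEL: ${LOG_LEVEL}
      DB_HOST: ${DB_HOST}
      DB_PORT: ${DB_PORT}
      DB_USER: ${DB_USER}
      DB_PASSWORD: ${DB_PASSWORD}
      DB_NAME: ${DB_NAME}
      REDIS_HOST: ${REDIS_HOST}
      REDIS_PORT: ${REDIS_PORT}
      REDIS_PASSWORD: ${REDIS_PASSWORD}
    depends_on:
      - mysql
      - redis
    volumes:
      - core-data:/opt/jumpserver/data
    networks:
      - jumpserver
  koko:
    image: jms_koko:v1.0
    container_name: jms_koko
    restart: always
    # Kept from the original. privileged gives this SSH-facing container every
    # capability and host device; nothing on this page shows why koko needs it.
    # Confirm the actual requirement and replace it with specific cap_add
    # entries before exposing port 2222 beyond a lab.
    privileged: true
    tty: true
    environment:
      CORE_HOST: http://core:8080
      BOOTSTRAP_TOKEN: ${BOOTSTRAP_TOKEN}
      LOG_LEVEL: ${LOG_LEVEL}
    depends_on:
      - core
      - mysql
      - redis
    volumes:
      - koko-data:/opt/koko/data
    # SSH entry point for users, published on every host interface.
    ports:
      - 2222:2222
    networks:
      - jumpserver
  guacamole:
    image: jms_guacamole:v1.0
    container_name: jms_guacamole
    restart: always
    tty: true
    environment:
      JUMPSERVER_SERVER: http://core:8080
      BOOTSTRAP_TOKEN: ${BOOTSTRAP_TOKEN}
      GUACAMOLE_LOG_LEVEL: ${LOG_LEVEL}
    depends_on:
      - core
      - mysql
      - redis
    volumes:
      - guacamole-data:/config/guacamole/data
    networks:
      - jumpserver
  nginx:
    image: jms_nginx:v1.0
    container_name: jms_nginx
    restart: always
    tty: true
    depends_on:
      - core
      - koko
      - mysql
      - redis
    volumes:
      - core-data:/opt/jumpserver/data
    # Web entry point, plain HTTP on host port 81 (TLS would be configured in
    # nginx.conf or on a reverse proxy in front of it).
    ports:
      - 81:80
    networks:
      - jumpserver
volumes:
  mysql-data:
  redis-data:
  core-data:
  koko-data:
  guacamole-data:
networks:
  jumpserver: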
服务部署
# Start the whole stack in the background, reading docker-compose.yaml and .env
# from the current directory (JumpServer/).
docker-compose up -d
查看镜像列表:
# Lists the five jms_* images built above plus the loaded centos:7.9.2009 base.
docker images
查看服务:
# Shows each container's state; the init scripts block until their
# dependencies answer, so core/koko/guacamole may take a moment to settle.
docker-compose ps
在浏览器上通过 http://NodeIP:81 访问服务。注意这是明文 HTTP；非实验环境应在 nginx 或前置反向代理上启用 TLS。
使用默认账号（admin/admin）登录堡垒机，首次登录后应立即修改该默认密码。
