我的书签
添加书签
移除书签负载均衡
- 除 JumpServer 自身组件外, 其他组件的高可用请参考对应的官方文档进行部署
- 按照此方式部署后, 后续只需要根据需要扩容 core web 节点然后添加节点到 tengine 即可
- 如果已经有 HLB 或者 SLB 可以跳过 Tengine 部署, 第三方 LB 要注意 session 和 websocket 问题
- 如果已经有 云存储(* S3/Ceph/Swift/OSS/Azure) 可以跳过 MinIO 部署, MySQL Redis 也一样
Core Task 目前仅支持单节点运行, 后续会优化
设置 Repo
安装 MySQL
yum install -y mysql-community-server
配置 MySQL
if [ ! "$(cat /usr/bin/mysqld_pre_systemd | grep -v ^\# | grep initialize-insecure )" ]; thensed -i "s@--initialize @--initialize-insecure @g" /usr/bin/mysqld_pre_systemdfi
启动 MySQL
systemctl enable mysqldsystemctl start mysqld
数据库授权
mysql -uroot
Welcome to the MySQL monitor. Commands end with ; or \g.Your MySQL connection id is 2Server version: 5.7.32 MySQL Community Server (GPL)Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved.Oracle is a registered trademark of Oracle Corporation and/or itsaffiliates. Other names may be trademarks of their respectiveowners.Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.mysql> create database jumpserver default charset 'utf8';Query OK, 1 row affected (0.00 sec)mysql> set global validate_password_policy=LOW;Query OK, 0 rows affected (0.00 sec)mysql> create user 'jumpserver'@'%' identified by 'weakPassword';Query OK, 0 rows affected (0.00 sec)mysql> grant all on jumpserver.* to 'jumpserver'@'%';Query OK, 0 rows affected, 1 warning (0.00 sec)mysql> flush privileges;Query OK, 0 rows affected (0.00 sec)mysql> exitBye
配置防火墙
firewall-cmd --permanent --add-rich-rule="rule family="ipv4" source address="192.168.100.0/24" port protocol="tcp" port="3306" accept"firewall-cmd --reload
部署 Redis 服务
服务器: 192.168.100.11
设置 Repo
yum -y install epel-release https://repo.ius.io/ius-release-el7.rpm
安装 Redis
yum install -y redis5
配置 Redis
sed -i "s/bind 127.0.0.1/bind 0.0.0.0/g" /etc/redis.confsed -i "561i maxmemory-policy allkeys-lru" /etc/redis.confsed -i "481i requirepass weakPassword" /etc/redis.conf
systemctl enable redissystemctl start redis
配置防火墙
firewall-cmd --permanent --add-rich-rule="rule family="ipv4" source address="192.168.100.0/24" port protocol="tcp" port="6379" accept"firewall-cmd --reload
服务器: 192.168.100.21
下载 jumpserver-install
cd /optyum -y install wgetwget https://github.com/jumpserver/installer/releases/download/v2.9.2/jumpserver-installer-v2.9.2.tar.gztar -xf jumpserver-installer-v2.9.2.tar.gzcd jumpserver-installer-v2.9.2
修改配置文件
vi config-example.txt
# 修改下面选项, 其他保持默认### 注意: SECRET_KEY 和要其他 JumpServer 服务器一致, 加密的数据将无法解密## Task 配置USE_TASK=0 # 不启动 jms_celery# Core 配置### 启动后不能再修改,否则密码等等信息无法解密SECRET_KEY=kWQdmdCQKjaWlHYpPhkNQDkfaRulM6YnHctsHLlSPs8287o2kW # 要其他 JumpServer 服务器一致 (*)BOOTSTRAP_TOKEN=KXOeyNgDeTdpeu9q # 要其他 JumpServer 服务器一致 (*)LOG_LEVEL=ERROR# SESSION_COOKIE_AGE=86400SESSION_EXPIRE_AT_BROWSER_CLOSE=true# KoKo 配置SHARE_ROOM_TYPE=redis # KoKo 使用 redis 共享
./jmsctl.sh install
启动 JumpServer
./jmsctl.sh start
Creating network "jms_net" with driver "bridge"Creating jms_mysql ... doneCreating jms_redis ... doneCreating jms_core ... doneCreating jms_luna ... doneCreating jms_lina ... doneCreating jms_guacamole ... doneCreating jms_koko ... doneCreating jms_nginx ... done
部署 Core Web 02
服务器: 192.168.100.22
下载 jumpserver-install
cd /optyum -y install wgetwget https://github.com/jumpserver/installer/releases/download/v2.9.2/jumpserver-installer-v2.9.2.tar.gztar -xf jumpserver-installer-v2.9.2.tar.gzcd jumpserver-installer-v2.9.2
修改配置文件
vi config-example.txt
# 修改下面选项, 其他保持默认### 注意: SECRET_KEY 和要其他 JumpServer 服务器一致, 加密的数据将无法解密## Task 配置USE_TASK=0 # 不启动 jms_celery# Core 配置### 启动后不能再修改,否则密码等等信息无法解密SECRET_KEY=kWQdmdCQKjaWlHYpPhkNQDkfaRulM6YnHctsHLlSPs8287o2kW # 要其他 JumpServer 服务器一致 (*)BOOTSTRAP_TOKEN=KXOeyNgDeTdpeu9q # 要其他 JumpServer 服务器一致 (*)LOG_LEVEL=ERRORSESSION_EXPIRE_AT_BROWSER_CLOSE=true# KoKo 配置SHARE_ROOM_TYPE=redis # KoKo 使用 redis 共享
./jmsctl.sh install
启动 JumpServer
Creating network "jms_net" with driver "bridge"Creating jms_mysql ... doneCreating jms_redis ... doneCreating jms_core ... doneCreating jms_luna ... doneCreating jms_lina ... doneCreating jms_guacamole ... doneCreating jms_koko ... doneCreating jms_nginx ... done
服务器: 192.168.100.31
下载 jumpserver-install
cd /optyum -y install wgetwget https://github.com/jumpserver/installer/releases/download/v2.9.2/jumpserver-installer-v2.9.2.tar.gztar -xf jumpserver-installer-v2.9.2.tar.gzcd jumpserver-installer-v2.9.2
修改配置文件
vi config-example.txt
# 修改下面选项, 其他保持默认### 注意: SECRET_KEY 和要其他 JumpServer 服务器一致, 加密的数据将无法解密## Task 配置USE_TASK=1 # 启动 jms_celery# Core 配置### 启动后不能再修改,否则密码等等信息无法解密SECRET_KEY=kWQdmdCQKjaWlHYpPhkNQDkfaRulM6YnHctsHLlSPs8287o2kW # 要其他 JumpServer 服务器一致 (*)BOOTSTRAP_TOKEN=KXOeyNgDeTdpeu9q # 要其他 JumpServer 服务器一致 (*)LOG_LEVEL=ERROR# SESSION_COOKIE_AGE=86400SESSION_EXPIRE_AT_BROWSER_CLOSE=true# KoKo 配置SHARE_ROOM_TYPE=redis # KoKo 使用 redis 共享
./jmsctl.sh install
启动 JumpServer
./jmsctl.sh start
Creating network "jms_net" with driver "bridge"Creating jms_mysql ... doneCreating jms_redis ... doneCreating jms_core ... doneCreating jms_celery ... doneCreating jms_luna ... doneCreating jms_lina ... doneCreating jms_guacamole ... doneCreating jms_koko ... doneCreating jms_nginx ... done
部署 Tengine 服务
服务器: 192.168.100.100
vi /etc/yum.repos.d/nginx.repo
安装 Tengine
yum install -y https://github.com/wojiushixiaobai/tengine-rpm/releases/download/2.3.2/tengine-2.3.2-1.el7.ngx.x86_64.rpm
配置 Nginx
vi /etc/nginx/nginx.conf
user nginx;worker_processes auto;error_log /var/log/nginx/error.log warn;pid /var/run/nginx.pid;events {worker_connections 1024;}stream {log_format proxy '$remote_addr [$time_local] ''$protocol $status $bytes_sent $bytes_received ''$session_time "$upstream_addr" ''"$upstream_bytes_sent" "$upstream_bytes_received" "$upstream_connect_time"';access_log /var/log/nginx/tcp-access.log proxy;open_log_file_cache off;upstream kokossh {# core web 节点server 192.168.100.21:2222;server 192.168.100.22:2222;least_conn;}server {# 对外 ssh 端口listen 2222;proxy_pass kokossh;proxy_protocol on;proxy_connect_timeout 1s;}}http {include /etc/nginx/mime.types;default_type application/octet-stream;log_format main '$remote_addr - $remote_user [$time_local] "$request" ''$status $body_bytes_sent "$http_referer" ''"$http_user_agent" "$http_x_forwarded_for"';access_log /var/log/nginx/access.log main;sendfile on;#tcp_nopush on;keepalive_timeout 65;#gzip on;include /etc/nginx/conf.d/*.conf;}
echo > /etc/nginx/conf.d/default.confvi /etc/nginx/conf.d/jumpserver.conf
upstream core_web {server 192.168.100.21:8080;server 192.168.100.22:8080;session_sticky;}upstream core_task {# use_task = 1 的任务服务器, 目前只能单任务运行server 192.168.100.31:8080;}server {listen 80;server_name demo.jumpserver.org; # 自行修改成你的域名return 301 https://$server_name$request_uri;}server {listen 443 ssl;server_name demo.jumpserver.org; # 自行修改成你的域名ssl_certificate /etc/nginx/sslkey/1_jumpserver.org.crt; # 自行设置证书ssl_certificate_key /etc/nginx/sslkey/2_jumpserver.org.key; # 自行设置证书ssl_session_timeout 5m;ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;ssl_protocols TLSv1 TLSv1.1 TLSv1.2;ssl_prefer_server_ciphers on;client_max_body_size 4096m; # 录像上传大小限制location ~ /replay/ {proxy_pass http://core_web;proxy_set_header X-Real-IP $remote_addr;proxy_set_header Host $host;proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;}location ~ /(ops|task|tasks|flower)/ {proxy_pass http://core_task;proxy_http_version 1.1;proxy_set_header Upgrade $http_upgrade;proxy_set_header Connection "upgrade";proxy_set_header X-Real-IP $remote_addr;proxy_set_header Host $host;proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;}location /ws/ {proxy_pass http://core_task/ws/;proxy_http_version 1.1;proxy_set_header Upgrade $http_upgrade;proxy_set_header Connection "upgrade";proxy_set_header X-Real-IP $remote_addr;proxy_set_header Host $host;proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;}location / {proxy_pass http://core_web;proxy_buffering off;proxy_request_buffering off;proxy_http_version 1.1;proxy_set_header Upgrade $http_upgrade;proxy_set_header Connection "upgrade";proxy_set_header X-Real-IP $remote_addr;proxy_set_header Host $host;proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;}}
nginx -t
启动 Tengine
systemctl enable nginxsystemctl start nginx
配置防火墙
firewall-cmd --permanent --zone=public --add-port=80/tcpfirewall-cmd --permanent --zone=public --add-port=443/tcpfirewall-cmd --permanent --zone=public --add-port=2222/tcpfirewall-cmd --reload
服务器: 192.168.100.41
安装 Docker
yum install -y yum-utils device-mapper-persistent-data lvm2yum-config-manager --add-repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.reposed -i 's+download.docker.com+mirrors.aliyun.com/docker-ce+' /etc/yum.repos.d/docker-ce.repoyum makecache fastyum -y install docker-ce
配置 Docker
mkdir /etc/docker/vi /etc/docker/daemon.json
{"live-restore": true,"registry-mirrors": ["https://hub-mirror.c.163.com", "https://bmtrgdvx.mirror.aliyuncs.com", "http://f1361db2.m.daocloud.io"],"log-driver": "json-file","log-opts": {"max-file": "3", "max-size": "10m"}}
启动 Docker
systemctl enable dockersystemctl start docker
下载 MinIO 镜像
docker pull minio/minio:latest
latest: Pulling from minio/minioa591faa84ab0: Pull complete76b9354adec6: Pull completef9d8746550a4: Pull complete890b1dd95baa: Pull complete3a8518c890dc: Pull complete8053f0501aed: Pull complete506c41cb8532: Pull completeDigest: sha256:e7a725edb521dd2af07879dad88ee1dfebd359e57ad8d98104359ccfbdb92024Status: Downloaded newer image for minio/minio:latestdocker.io/minio/minio:latest
持久化数据目录
mkdir -p /opt/jumpserver/minio/data /opt/jumpserver/minio/config
启动 MinIO
## 请自行修改账号密码并牢记, 丢失后可以删掉容器后重新用新密码创建, 数据不会丢失# 9000 # 访问端口# MINIO_ROOT_USER=minio # minip 账号
docker run --name jms_minio -d -p 9000:9000 -e MINIO_ROOT_USER=minio -e MINIO_ROOT_PASSWORD=KXOeyNgDeTdpeu9q -v /opt/jumpserver/minio/data:/data -v /opt/jumpserver/minio/config:/root/.minio --restart=always minio/minio:latest server /data
- 访问 , 输入刚才设置的 MinIO 账号密码登录
- 点击右下角的 + 号, 选择 Create bucket 创建桶, Bucket Name 输入 jumpserver 回车确认
设置 JumpServer
- 访问 JumpServer Web 页面并使用管理员账号进行登录
- 点击左侧菜单栏的 [终端管理], 在页面的上方选择 [存储配置], 在 [录像存储] 下方选择 [创建] 选择 [Ceph]
