负载均衡

    • 除 JumpServer 自身组件外,其他组件的高可用请参考对应的官方文档进行部署
    • 按照此方式部署后,后续只需要根据需要扩容 JumpServer 节点然后添加节点到 HAProxy 即可
    • 如果已经有 HLB 或者 SLB 可以跳过 HAProxy 部署,第三方 LB 要注意 session 和 websocket 问题
    • 如果已经有 云存储 (* S3/Ceph/Swift/OSS/Azure) 可以跳过 MinIO 部署,MySQL Redis 也一样
    • 生产环境中,应该使用 Ceph 等替代 NFS,或者部署高可用的 NFS 防止单点故障
    • Redis 高可用快速部署可以参考此项目

    安装依赖

    安装 NFS

    1. yum -y install nfs-utils rpcbind

    启动 NFS

    1. systemctl enable rpcbind nfs-server nfs-lock nfs-idmap
    2. systemctl start rpcbind nfs-server nfs-lock nfs-idmap

    配置防火墙

    1. firewall-cmd --add-service=nfs --permanent --zone=public
    2. firewall-cmd --add-service=mountd --permanent --zone=public
    3. firewall-cmd --add-service=rpc-bind --permanent --zone=public
    4. firewall-cmd --reload

    配置 NFS

    1. mkdir /data
    2. chmod 777 -R /data
    4. vi /etc/exports
    1. # 设置 NFS 访问权限, /data 是刚才创建的将被共享的目录, 192.168.100.* 表示整个 192.168.100.* 的资产都有括号里面的权限
    2. # 也可以写具体的授权对象 /data 192.168.100.30(rw,sync,no_root_squash) 192.168.100.31(rw,sync,no_root_squash)
    3. /data 192.168.100.*(rw,sync,all_squash,anonuid=0,anongid=0)
    1. exportfs -a

    部署 MySQL 服务

    1. 服务器: 192.168.100.11

    设置 Repo

    1. yum -y localinstall http://mirrors.ustc.edu.cn/mysql-repo/mysql57-community-release-el7.rpm

    安装 MySQL

    1. yum install -y mysql-community-server

    配置 MySQL

    1. if [ ! "$(cat /usr/bin/mysqld_pre_systemd | grep -v ^\# | grep initialize-insecure )" ]; then
    2.     sed -i "s@--initialize @--initialize-insecure @g" /usr/bin/mysqld_pre_systemd
    3. fi

    启动 MySQL

    1. systemctl enable mysqld
    2. systemctl start mysqld

    数据库授权

    1. mysql -uroot
    1. Welcome to the MySQL monitor.  Commands end with ; or \g.
    2. Your MySQL connection id is 2
    3. Server version: 5.7.32 MySQL Community Server (GPL)
    5. Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved.
    7. Oracle is a registered trademark of Oracle Corporation and/or its
    8. affiliates. Other names may be trademarks of their respective
    9. owners.
    11. Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
    13. mysql> create database jumpserver default charset 'utf8';
    14. Query OK, 1 row affected (0.00 sec)
    16. mysql> set global validate_password_policy=LOW;
    17. Query OK, 0 rows affected (0.00 sec)
    19. mysql> create user 'jumpserver'@'%' identified by 'KXOeyNgDeTdpeu9q';
    20. Query OK, 0 rows affected (0.00 sec)
    22. mysql> grant all on jumpserver.* to 'jumpserver'@'%';
    23. Query OK, 0 rows affected, 1 warning (0.00 sec)
    25. mysql> flush privileges;
    26. Query OK, 0 rows affected (0.00 sec)
    28. mysql> exit
    29. Bye

    配置防火墙

    1. firewall-cmd --permanent --add-rich-rule="rule family="ipv4" source address="192.168.100.0/24" port protocol="tcp" port="3306" accept"
    2. firewall-cmd --reload

    部署 Redis 服务

    1. 服务器: 192.168.100.11

    下载源码

    1. yum -y install epel-release wget make gcc-c++
    2. cd /opt
    3. wget https://download.redis.io/releases/redis-6.2.5.tar.gz

    安装 Redis

    1. tar -xf redis-6.2.5.tar.gz
    2. cd redis-6.2.5
    3. make
    4. make install PREFIX=/usr/local/redis

    配置 Redis

    1. cp redis.conf /etc/redis.conf
    2. sed -i "s/bind 127.0.0.1/bind 0.0.0.0/g" /etc/redis.conf
    3. sed -i "s/daemonize no/daemonize yes/g" /etc/redis.conf
    4. sed -i "s@pidfile /var/run/redis_6379.pid@pidfile /var/run/redis.pid@g" /etc/redis.conf
    5. sed -i "902i requirepass KXOeyNgDeTdpeu9q" /etc/redis.conf
    6. sed -i "1023i maxmemory-policy allkeys-lru" /etc/redis.conf
    7. vi /etc/systemd/system/redis.service
    1. [Unit]
    2. Description=Redis persistent key-value database
    3. After=network.target
    4. After=network-online.target
    5. Wants=network-online.target
    7. [Service]
    8. Type=forking
    9. PIDFile=/var/run/redis.pid
    10. ExecStart=/usr/local/redis/bin/redis-server /etc/redis.conf
    11. ExecReload=/bin/kill -s HUP $MAINPID
    12. ExecStop=/bin/kill -s QUIT $MAINPID
    14. [Install]
    15. WantedBy=multi-user.target

    启动 Redis

    1. systemctl enable redis
    2. systemctl start redis

    配置防火墙

    1. firewall-cmd --permanent --add-rich-rule="rule family="ipv4" source address="192.168.100.0/24" port protocol="tcp" port="6379" accept"
    2. firewall-cmd --reload
    1. 服务器: 192.168.100.21

    配置 NFS

    1. yum -y install nfs-utils
    2. showmount -e 192.168.100.11
    1. # 将 Core 持久化目录挂载到 NFS, 默认 /opt/jumpserver/core/data, 请根据实际情况修改
    2. # JumpServer 持久化目录定义相关参数为 VOLUME_DIR, 在安装 JumpServer 过程中会提示
    3. mkdir /opt/jumpserver/core/data
    4. mount -t nfs 192.168.100.11:/data /opt/jumpserver/core/data
    1. # 可以写入到 /etc/fstab, 重启自动挂载. 注意: 设置后如果 nfs 损坏或者无法连接该服务器将无法启动
    2. echo "192.168.100.11:/data /opt/jumpserver/core/data nfs defaults 0 0" >> /etc/fstab
    1. cd /opt
    2. yum -y install wget
    3. wget https://github.com/jumpserver/installer/releases/download/v2.14.2/jumpserver-installer-v2.14.2.tar.gz
    4. tar -xf jumpserver-installer-v2.14.2.tar.gz
    5. cd jumpserver-installer-v2.14.2

    修改配置文件

    1. vi config-example.txt
    1. # 修改下面选项, 其他保持默认, 请勿直接复制此处内容
    2. ### 注意: SECRET_KEY 和要其他 JumpServer 服务器一致, 加密的数据将无法解密
    4. # 安装配置
    5. ### 注意持久化目录 VOLUME_DIR, 如果上面 NFS 挂载其他目录, 此处也要修改. 如: NFS 挂载到/data/jumpserver/core/data, 则 DOCKER_DIR=/data/jumpserver
    6. VOLUME_DIR=/opt/jumpserver
    7. DOCKER_DIR=/var/lib/docker
    9. # Core 配置
    10. ### 启动后不能再修改,否则密码等等信息无法解密, 请勿直接复制下面的字符串
    11. SECRET_KEY=kWQdmdCQKjaWlHYpPhkNQDkfaRulM6YnHctsHLlSPs8287o2kW    # 要其他 JumpServer 服务器一致 (*)
    12. BOOTSTRAP_TOKEN=KXOeyNgDeTdpeu9q                                 # 要其他 JumpServer 服务器一致 (*)
    13. LOG_LEVEL=ERROR                                                  # 日志等级
    14. # SESSION_COOKIE_AGE=86400
    15. SESSION_EXPIRE_AT_BROWSER_CLOSE=true                             # 关闭浏览器 session 过期
    17. # MySQL 配置
    18. USE_EXTERNAL_MYSQL=1                                             # 使用外置 MySQL
    19. DB_HOST=192.168.100.11
    20. DB_PORT=3306
    21. DB_USER=jumpserve
    22. DB_PASSWORD=KXOeyNgDeTdpeu9q
    23. DB_NAME=jumpserver
    25. # Redis 配置
    26. USE_EXTERNAL_REDIS=1                                             # 使用外置 Redis
    27. REDIS_HOST=192.168.100.11
    28. REDIS_PORT=6379
    29. REDIS_PASSWORD=KXOeyNgDeTdpeu9q
    31. # KoKo Lion 配置
    32. SHARE_ROOM_TYPE=redis                                            # KoKo Lion 使用 redis 共享
    1. ./jmsctl.sh install

    启动 JumpServer

    1. ./jmsctl.sh start
    1. Creating network "jms_net" with driver "bridge"
    2. Creating jms_core      ... done
    3. Creating jms_celery    ... done
    4. Creating jms_lion      ... done
    5. Creating jms_koko      ... done
    6. Creating jms_web       ... done

    部署 JumpServer 02

    1. 服务器: 192.168.100.22

    配置 NFS

    1. yum -y install nfs-utils
    2. showmount -e 192.168.100.11
    1. # 将 Core 持久化目录挂载到 NFS, 默认 /opt/jumpserver/core/data, 请根据实际情况修改
    2. # JumpServer 持久化目录定义相关参数为 VOLUME_DIR, 在安装 JumpServer 过程中会提示
    3. mkdir /opt/jumpserver/core/data
    4. mount -t nfs 192.168.100.11:/data /opt/jumpserver/core/data
    1. # 可以写入到 /etc/fstab, 重启自动挂载. 注意: 设置后如果 nfs 损坏或者无法连接该服务器将无法启动
    2. echo "192.168.100.11:/data /opt/jumpserver/core/data nfs defaults 0 0" >> /etc/fstab

    下载 jumpserver-install

    1. cd /opt
    2. yum -y install wget
    3. wget https://github.com/jumpserver/installer/releases/download/v2.14.2/jumpserver-installer-v2.14.2.tar.gz
    4. tar -xf jumpserver-installer-v2.14.2.tar.gz
    5. cd jumpserver-installer-v2.14.2

    修改配置文件

    1. vi config-example.txt
    1. # 修改下面选项, 其他保持默认, 请勿直接复制此处内容
    2. ### 注意: SECRET_KEY 和要其他 JumpServer 服务器一致, 加密的数据将无法解密
    4. # 安装配置
    5. ### 注意持久化目录 VOLUME_DIR, 如果上面 NFS 挂载其他目录, 此处也要修改. 如: NFS 挂载到/data/jumpserver/core/data, 则 DOCKER_DIR=/data/jumpserver
    6. VOLUME_DIR=/opt/jumpserver
    7. DOCKER_DIR=/var/lib/docker
    9. # Core 配置
    10. ### 启动后不能再修改,否则密码等等信息无法解密, 请勿直接复制下面的字符串
    11. BOOTSTRAP_TOKEN=KXOeyNgDeTdpeu9q
    12. LOG_LEVEL=ERROR
    13. # SESSION_COOKIE_AGE=86400
    14. SESSION_EXPIRE_AT_BROWSER_CLOSE=true
    16. # MySQL 配置
    17. USE_EXTERNAL_MYSQL=1
    19. DB_PORT=3306
    20. DB_USER=jumpserver
    21. DB_PASSWORD=KXOeyNgDeTdpeu9q
    22. DB_NAME=jumpserver
    24. # Redis 配置
    25. USE_EXTERNAL_REDIS=1
    26. REDIS_HOST=192.168.100.11
    27. REDIS_PORT=6379
    28. REDIS_PASSWORD=KXOeyNgDeTdpeu9q
    30. # KoKo Lion 配置
    31. SHARE_ROOM_TYPE=redis
    1. ./jmsctl.sh install

    启动 JumpServer

    1. ./jmsctl.sh start
    1. Creating network "jms_net" with driver "bridge"
    2. Creating jms_core      ... done
    3. Creating jms_celery    ... done
    4. Creating jms_lion      ... done
    5. Creating jms_koko      ... done
    6. Creating jms_web       ... done

    部署 JumpServer 03

    1. 服务器: 192.168.100.23

    配置 NFS

    1. yum -y install nfs-utils
    2. showmount -e 192.168.100.11
    1. # 将 Core 持久化目录挂载到 NFS, 默认 /opt/jumpserver/core/data, 请根据实际情况修改
    2. # JumpServer 持久化目录定义相关参数为 VOLUME_DIR, 在安装 JumpServer 过程中会提示
    3. mkdir /opt/jumpserver/core/data
    4. mount -t nfs 192.168.100.11:/data /opt/jumpserver/core/data
    1. # 可以写入到 /etc/fstab, 重启自动挂载. 注意: 设置后如果 nfs 损坏或者无法连接该服务器将无法启动
    2. echo "192.168.100.11:/data /opt/jumpserver/core/data nfs defaults 0 0" >> /etc/fstab

    下载 jumpserver-install

    1. cd /opt
    2. yum -y install wget
    3. wget https://github.com/jumpserver/installer/releases/download/v2.14.2/jumpserver-installer-v2.14.2.tar.gz
    4. tar -xf jumpserver-installer-v2.14.2.tar.gz
    5. cd jumpserver-installer-v2.14.2

    修改配置文件

    1. vi config-example.txt
    1. # 修改下面选项, 其他保持默认, 请勿直接复制此处内容
    2. ### 注意: SECRET_KEY 和要其他 JumpServer 服务器一致, 加密的数据将无法解密
    4. # 安装配置
    5. ### 注意持久化目录 VOLUME_DIR, 如果上面 NFS 挂载其他目录, 此处也要修改. 如: NFS 挂载到/data/jumpserver/core/data, 则 DOCKER_DIR=/data/jumpserver
    6. VOLUME_DIR=/opt/jumpserver
    7. DOCKER_DIR=/var/lib/docker
    9. # Core 配置
    10. ### 启动后不能再修改,否则密码等等信息无法解密, 请勿直接复制下面的字符串
    11. SECRET_KEY=kWQdmdCQKjaWlHYpPhkNQDkfaRulM6YnHctsHLlSPs8287o2kW
    12. BOOTSTRAP_TOKEN=KXOeyNgDeTdpeu9q
    13. LOG_LEVEL=ERROR
    14. # SESSION_COOKIE_AGE=86400
    15. SESSION_EXPIRE_AT_BROWSER_CLOSE=true
    17. # MySQL 配置
    18. USE_EXTERNAL_MYSQL=1
    19. DB_HOST=192.168.100.11
    20. DB_PORT=3306
    21. DB_USER=jumpserver
    22. DB_PASSWORD=KXOeyNgDeTdpeu9q
    23. DB_NAME=jumpserver
    25. # Redis 配置
    26. USE_EXTERNAL_REDIS=1
    27. REDIS_HOST=192.168.100.11
    28. REDIS_PORT=6379
    29. REDIS_PASSWORD=KXOeyNgDeTdpeu9q
    31. # KoKo Lion 配置
    32. SHARE_ROOM_TYPE=redis
    1. ./jmsctl.sh install

    启动 JumpServer

    1. ./jmsctl.sh start
    1. Creating network "jms_net" with driver "bridge"
    2. Creating jms_core      ... done
    3. Creating jms_lion      ... done
    4. Creating jms_koko      ... done
    5. Creating jms_celery    ... done
    6. Creating jms_web       ... done
    1. 服务器: 192.168.100.24

    配置 NFS

    1. yum -y install nfs-utils
    2. showmount -e 192.168.100.11
    1. # 将 Core 持久化目录挂载到 NFS, 默认 /opt/jumpserver/core/data, 请根据实际情况修改
    2. # JumpServer 持久化目录定义相关参数为 VOLUME_DIR, 在安装 JumpServer 过程中会提示
    3. mkdir /opt/jumpserver/core/data
    4. mount -t nfs 192.168.100.11:/data /opt/jumpserver/core/data
    1. # 可以写入到 /etc/fstab, 重启自动挂载. 注意: 设置后如果 nfs 损坏或者无法连接该服务器将无法启动
    2. echo "192.168.100.11:/data /opt/jumpserver/core/data nfs defaults 0 0" >> /etc/fstab

    下载 jumpserver-install

    1. cd /opt
    2. yum -y install wget
    3. wget https://github.com/jumpserver/installer/releases/download/v2.14.2/jumpserver-installer-v2.14.2.tar.gz
    4. tar -xf jumpserver-installer-v2.14.2.tar.gz
    5. cd jumpserver-installer-v2.14.2

    修改配置文件

    1. vi config-example.txt
    1. # 修改下面选项, 其他保持默认, 请勿直接复制此处内容
    2. ### 注意: SECRET_KEY 和要其他 JumpServer 服务器一致, 加密的数据将无法解密
    4. # 安装配置
    5. ### 注意持久化目录 VOLUME_DIR, 如果上面 NFS 挂载其他目录, 此处也要修改. 如: NFS 挂载到/data/jumpserver/core/data, 则 DOCKER_DIR=/data/jumpserver
    6. VOLUME_DIR=/opt/jumpserver
    7. DOCKER_DIR=/var/lib/docker
    9. # Core 配置
    10. ### 启动后不能再修改,否则密码等等信息无法解密, 请勿直接复制下面的字符串
    11. SECRET_KEY=kWQdmdCQKjaWlHYpPhkNQDkfaRulM6YnHctsHLlSPs8287o2kW
    12. BOOTSTRAP_TOKEN=KXOeyNgDeTdpeu9q
    13. LOG_LEVEL=ERROR
    14. # SESSION_COOKIE_AGE=86400
    15. SESSION_EXPIRE_AT_BROWSER_CLOSE=true
    17. # MySQL 配置
    18. USE_EXTERNAL_MYSQL=1
    19. DB_HOST=192.168.100.11
    20. DB_PORT=3306
    21. DB_USER=jumpserver
    22. DB_PASSWORD=KXOeyNgDeTdpeu9q
    23. DB_NAME=jumpserver
    25. # Redis 配置
    26. USE_EXTERNAL_REDIS=1
    27. REDIS_HOST=192.168.100.11
    28. REDIS_PORT=6379
    29. REDIS_PASSWORD=KXOeyNgDeTdpeu9q
    31. # KoKo Lion 配置
    32. SHARE_ROOM_TYPE=redis
    1. ./jmsctl.sh install

    启动 JumpServer

    1. Creating network "jms_net" with driver "bridge"
    2. Creating jms_core      ... done
    3. Creating jms_celery    ... done
    4. Creating jms_lion      ... done
    5. Creating jms_koko      ... done
    6. Creating jms_web       ... done

    部署 HAProxy 服务

    1. 服务器: 192.168.100.100

    安装依赖

    1. yum -y install epel-release

    安装 HAProxy

    1. yum install -y haproxy

    配置 HAProxy

    1. vi /etc/haproxy/haproxy.cfg
    1. global
    2.     # to have these messages end up in /var/log/haproxy.log you will
    3.     # need to:
    4.     #
    5.     # 1) configure syslog to accept network log events.  This is done
    6.     #    by adding the '-r' option to the SYSLOGD_OPTIONS in
    7.     #    /etc/sysconfig/syslog
    8.     #
    9.     # 2) configure local2 events to go to the /var/log/haproxy.log
    10.     #   file. A line like the following can be added to
    11.     #   /etc/sysconfig/syslog
    12.     #
    13.     #    local2.*                       /var/log/haproxy.log
    14.     #
    15.     log         127.0.0.1 local2
    17.     chroot      /var/lib/haproxy
    18.     pidfile     /var/run/haproxy.pid
    19.     maxconn     4000
    20.     user        haproxy
    21.     group       haproxy
    22.     daemon
    24.     # turn on stats unix socket
    25.     stats socket /var/lib/haproxy/stats
    27. #---------------------------------------------------------------------
    28. # common defaults that all the 'listen' and 'backend' sections will
    29. # use if not designated in their block
    30. #---------------------------------------------------------------------
    31. defaults
    32.     log                     global
    33.     option                  dontlognull
    34.     option                  redispatch
    35.     retries                 3
    36.     timeout http-request    10s
    37.     timeout queue           1m
    38.     timeout connect         10s
    39.     timeout client          1m
    40.     timeout server          1m
    41.     timeout http-keep-alive 10s
    42.     timeout check           10s
    43.     maxconn                 3000
    45. listen stats
    46.     mode http
    47.     stats enable
    48.     stats uri /haproxy                      # 监控页面, 请自行修改. 访问地址为 http://192.168.100.100:8080/haproxy
    49.     stats refresh 5s
    50.     stats realm haproxy-status
    51.     stats auth admin:KXOeyNgDeTdpeu9q       # 账户密码, 请自行修改. 访问 http://192.168.100.100:8080/haproxy 会要求输入
    53. #---------------------------------------------------------------------
    54. # check  检活参数说明
    55. # inter  间隔时间, 单位: 毫秒
    56. # rise   连续成功的次数, 单位: 次
    57. # fall   连续失败的次数, 单位: 次
    58. # 例: inter 2s rise 2 fall 3
    59. # 表示 2 秒检查一次状态, 连续成功 2 次服务正常, 连续失败 3 次服务异常
    60. #
    61. # server 服务参数说明
    62. # server 192.168.100.21 192.168.100.21:80 weight 1 cookie web01
    63. # 第一个 192.168.100.21 做为页面展示的标识, 可以修改为其他任意字符串
    64. # 第二个 192.168.100.21:80 是实际的后端服务端口
    65. # weight 为权重, 多节点时安装权重进行负载均衡
    66. # cookie 用户侧的 cookie 会包含此标识, 便于区分当前访问的后端节点
    67. # 例: server db01 192.168.100.21:3306 weight 1 cookie db_01
    68. #---------------------------------------------------------------------
    70. listen jms-web
    71.     bind *:80                               # 监听 80 端口
    72.     mode http
    74.     # redirect scheme https if !{ ssl_fc }  # 重定向到 https
    75.     # bind *:443 ssl crt /opt/ssl.pem       # https 设置
    77.     option httpclose
    78.     option forwardfor
    79.     option httpchk GET /api/health/         # Core 检活接口
    81.     cookie SERVERID insert indirect
    82.     hash-type consistent
    83.     fullconn 500
    84.     balance leastconn
    85.     server 192.168.100.21 192.168.100.21:80 weight 1 cookie web01 check inter 2s rise 2 fall 3  # JumpServer 服务器
    86.     server 192.168.100.22 192.168.100.22:80 weight 1 cookie web02 check inter 2s rise 2 fall 3
    87.     server 192.168.100.23 192.168.100.23:80 weight 1 cookie web03 check inter 2s rise 2 fall 3
    88.     server 192.168.100.23 192.168.100.24:80 weight 1 cookie web03 check inter 2s rise 2 fall 3
    90. listen jms-ssh
    91.     bind *:2222
    92.     mode tcp
    94.     option tcp-check
    96.     fullconn 500
    97.     balance leastconn
    98.     server 192.168.100.21 192.168.100.21:2222 weight 1 check inter 2s rise 2 fall 3 send-proxy
    99.     server 192.168.100.22 192.168.100.22:2222 weight 1 check inter 2s rise 2 fall 3 send-proxy
    100.     server 192.168.100.23 192.168.100.23:2222 weight 1 check inter 2s rise 2 fall 3 send-proxy
    101.     server 192.168.100.24 192.168.100.23:2222 weight 1 check inter 2s rise 2 fall 3 send-proxy
    103. listen jms-koko
    104.     mode http
    106.     option httpclose
    107.     option forwardfor
    108.     option httpchk GET /koko/health/ HTTP/1.1\r\nHost:\ 192.168.100.100  # KoKo 检活接口, host 填写 HAProxy 的 ip 地址
    110.     cookie SERVERID insert indirect
    111.     hash-type consistent
    112.     fullconn 500
    113.     balance leastconn
    114.     server 192.168.100.21 192.168.100.21:80 weight 1 cookie web01 check inter 2s rise 2 fall 3
    115.     server 192.168.100.22 192.168.100.22:80 weight 1 cookie web02 check inter 2s rise 2 fall 3
    116.     server 192.168.100.23 192.168.100.23:80 weight 1 cookie web03 check inter 2s rise 2 fall 3
    117.     server 192.168.100.24 192.168.100.23:80 weight 1 cookie web03 check inter 2s rise 2 fall 3
    119. listen jms-lion
    120.     mode http
    122.     option httpclose
    123.     option forwardfor
    124.     option httpchk GET /lion/health/ HTTP/1.1\r\nHost:\ 192.168.100.100  # Lion 检活接口, host 填写 HAProxy 的 ip 地址
    126.     cookie SERVERID insert indirect
    127.     hash-type consistent
    128.     fullconn 500
    129.     balance leastconn
    130.     server 192.168.100.21 192.168.100.21:80 weight 1 cookie web01 check inter 2s rise 2 fall 3
    131.     server 192.168.100.22 192.168.100.22:80 weight 1 cookie web02 check inter 2s rise 2 fall 3
    132.     server 192.168.100.23 192.168.100.23:80 weight 1 cookie web03 check inter 2s rise 2 fall 3
    133.     server 192.168.100.24 192.168.100.23:80 weight 1 cookie web03 check inter 2s rise 2 fall 3
    1. setsebool -P haproxy_connect_any 1

    启动 HAProxy

    1. systemctl enable haproxy
    2. systemctl start haproxy

    配置防火墙

    1. firewall-cmd --permanent --zone=public --add-port=80/tcp
    2. firewall-cmd --permanent --zone=public --add-port=443/tcp
    3. firewall-cmd --permanent --zone=public --add-port=2222/tcp
    4. firewall-cmd --reload

    部署 MinIO 服务

    1. 服务器: 192.168.100.41
    3. # 集群部署请参考 (http://docs.minio.org.cn/docs/master/minio-erasure-code-quickstart-guide)

    安装 Docker

    1. yum install -y yum-utils device-mapper-persistent-data lvm2
    2. yum-config-manager --add-repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
    3. sed -i 's+download.docker.com+mirrors.aliyun.com/docker-ce+' /etc/yum.repos.d/docker-ce.repo
    4. yum makecache fast
    5. yum -y install docker-ce

    配置 Docker

    1. mkdir /etc/docker/
    2. vi /etc/docker/daemon.json
    1. {
    2.   "live-restore": true,
    3.   "registry-mirrors": ["https://hub-mirror.c.163.com", "https://bmtrgdvx.mirror.aliyuncs.com", "http://f1361db2.m.daocloud.io"],
    4.   "log-driver": "json-file",
    5.   "log-opts": {"max-file": "3", "max-size": "10m"}
    6. }

    启动 Docker

    1. systemctl enable docker
    2. systemctl start docker

    下载 MinIO 镜像

    1. docker pull minio/minio:latest
    1. latest: Pulling from minio/minio
    2. a591faa84ab0: Pull complete
    3. 76b9354adec6: Pull complete
    4. f9d8746550a4: Pull complete
    5. 890b1dd95baa: Pull complete
    6. 3a8518c890dc: Pull complete
    7. 8053f0501aed: Pull complete
    8. 506c41cb8532: Pull complete
    9. Digest: sha256:e7a725edb521dd2af07879dad88ee1dfebd359e57ad8d98104359ccfbdb92024
    10. Status: Downloaded newer image for minio/minio:latest
    11. docker.io/minio/minio:latest

    持久化数据目录

    1. mkdir -p /opt/jumpserver/minio/data /opt/jumpserver/minio/config

    启动 MinIO

    1. ## 请自行修改账号密码并牢记,丢失后可以删掉容器后重新用新密码创建,数据不会丢失
    2. # 9000                                  # api     访问端口
    3. # 9001                                  # console 访问端口
    4. # MINIO_ROOT_USER=minio                 # minio 账号
    5. # MINIO_ROOT_PASSWORD=KXOeyNgDeTdpeu9q  # minio 密码
    1. docker run --name jms_minio -d -p 9000:9000 -p 9001:9001 -e MINIO_ROOT_USER=minio -e MINIO_ROOT_PASSWORD=KXOeyNgDeTdpeu9q -v /opt/jumpserver/minio/data:/data -v /opt/jumpserver/minio/config:/root/.minio --restart=always minio/minio:latest server /data --console-address ":9001"

    设置 MinIO

    • 访问 ,输入刚才设置的 MinIO 账号密码登录
    • 点击左侧菜单的 Buckets,选择 Create Bucket 创建桶,Bucket Name 输入 jumpserver,然后点击 Save 保存

    设置 JumpServer

    • 访问 JumpServer Web 页面并使用管理员账号进行登录
    • 点击左侧菜单栏的 [终端管理],在页面的上方选择 [存储配置],在 [录像存储] 下方选择 [创建] 选择 [Ceph]
    • 根据下方的说明进行填写,保存后在 [终端管理] 页面对所有组件进行 [更新],录像存储选择 [jms-mino],提交
    1. 服务器: 192.168.100.51
    3. # 集群部署请参考 (https://www.elastic.co/guide/en/elasticsearch/reference/current/docker.html)

    安装 Docker

    1. yum install -y yum-utils device-mapper-persistent-data lvm2
    2. yum-config-manager --add-repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
    3. sed -i 's+download.docker.com+mirrors.aliyun.com/docker-ce+' /etc/yum.repos.d/docker-ce.repo
    4. yum makecache fast
    5. yum -y install docker-ce

    配置 Docker

    1. mkdir /etc/docker/
    2. vi /etc/docker/daemon.json
    1. {
    2.   "live-restore": true,
    3.   "registry-mirrors": ["https://hub-mirror.c.163.com", "https://bmtrgdvx.mirror.aliyuncs.com", "http://f1361db2.m.daocloud.io"],
    4.   "log-driver": "json-file",
    5.   "log-opts": {"max-file": "3", "max-size": "10m"}
    6. }

    启动 Docker

    1. systemctl enable docker
    2. systemctl start docker

    下载 Elasticsearch 镜像

    1. docker pull elasticsearch:7.14.0
    1. 7a0437f04f83: Pull complete
    2. 7718d2f58c47: Pull complete
    3. cc5c16bd8bb9: Pull complete
    4. e3d829b4b297: Pull complete
    5. 1ad944c92c79: Pull complete
    6. 373fb8fbaf74: Pull complete
    7. 5908d3eb2989: Pull complete
    8. Digest: sha256:81c126e4eddbc5576285670cb3e23d7ef7892ee5e757d6d9ba870b6fe99f1219
    9. Status: Downloaded newer image for elasticsearch:7.14.0
    10. docker.io/library/elasticsearch:7.14.0

    持久化数据目录

    1. mkdir -p /opt/jumpserver/elasticsearch/data /opt/jumpserver/elasticsearch/logs

    启动 Elasticsearch

    1. ## 请自行修改账号密码并牢记,丢失后可以删掉容器后重新用新密码创建,数据不会丢失
    2. # 9200                                  # Web 访问端口
    3. # 9300                                  # 集群通信
    4. # discovery.type=single-node            # 单节点
    5. # bootstrap.memory_lock="true"          # 锁定物理内存, 不使用 swap
    6. # xpack.security.enabled="true"         # 开启安全模块
    7. # TAKE_FILE_OWNERSHIP="true"            # 自动修改挂载文件夹的所属用户
    8. # ES_JAVA_OPTS="-Xms512m -Xmx512m"      # JVM 内存大小, 推荐设置为主机内存的一半
    9. # elastic                               # Elasticsearch 账号
    10. # ELASTIC_PASSWORD=KXOeyNgDeTdpeu9q     # Elasticsearch 密码
    1. docker run --name jms_es -d -p 9200:9200 -p 9300:9300 -e cluster.name=docker-cluster -e discovery.type=single-node -e network.host=0.0.0.0 -e bootstrap.memory_lock="true" -e xpack.security.enabled="true" -e TAKE_FILE_OWNERSHIP="true" -e ES_JAVA_OPTS="-Xms512m -Xmx512m" -e ELASTIC_PASSWORD=KXOeyNgDeTdpeu9q -v /opt/jumpserver/elasticsearch/data:/usr/share/elasticsearch/data -v /opt/jumpserver/elasticsearch/logs:/usr/share/elasticsearch/logs --restart=always elasticsearch:7.14.0

    设置 JumpServer

    • 访问 JumpServer Web 页面并使用管理员账号进行登录
    • 点击左侧菜单栏的 [终端管理],在页面的上方选择 [存储配置],在 [命令存储] 下方选择 [创建] 选择 [Elasticsearch]
    • 根据下方的说明进行填写,保存后在 [终端管理] 页面对所有组件进行 [更新],命令存储选择 [jms-es],提交

    升级 注意事项

    • 升级前请关闭所有 JumpServer 节点
    • 在任意一个 JumpServer 节点按照升级文档完成升级操作
    • 仔细检查该节点升级过程确保无异常
    • 然后按照升级文档对其他 JumpServer 节点升级即可
    1. cd /opt
    2. wget https://github.com/jumpserver/installer/releases/download/v2.14.2/jumpserver-installer-v2.14.2.tar.gz
    3. cd jumpserver-installer-v2.14.2