一、安装Docker
1.安装需要的软件包:yum-utils 提供 yum-config-manager 功能,另外两个是 devicemapper 存储驱动的依赖
# Prerequisites: yum-utils supplies yum-config-manager; the other two packages
# are dependencies of the devicemapper storage driver.
yum -y install yum-utils device-mapper-persistent-data lvm2
2.设置yum源
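# Register the Docker CE yum repository. Fetch the .repo file over HTTPS: it
# defines the baseurl and gpgkey locations, so a file fetched over plain HTTP
# could be altered on the path to point package and signing-key downloads
# elsewhere. The original lines carried a "(…)" label after the URL, which is
# not valid shell; the labels are comments here.
# Upstream (central) repository:
yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
# Aliyun mirror, for hosts that cannot reach download.docker.com. Both files
# are expected to define the same repository ids, so add only one of the two:
# yum-config-manager --add-repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo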
3.选择docker版本并安装
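# List every available docker-ce build, newest first, then install the chosen
# one. DOCKER_CE_VERSION is the version string taken from that list (the part
# of the version column after the epoch colon and before the release hyphen --
# check the Docker CE install guide for the exact form). The :? expansion
# aborts with a message instead of asking yum for the literal package
# "docker-ce-" when the variable was never set.
yum list docker-ce --showduplicates | sort -r
yum install "docker-ce-${DOCKER_CE_VERSION:?set DOCKER_CE_VERSION to a version from the list above}"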
4、启动 Docker 并设置开机自启
# Start the daemon now and have it start at boot.
systemctl start docker.service
systemctl enable docker.service
二、部署mysql说明
1.拉取mysql镜像
# Fetch the MySQL 5.7 image from the registry.
docker image pull mysql:5.7
2、部署mysql:5.7
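# Run MySQL 5.7 with its config, logs and data bind-mounted under
# /opt/jumpserver/mysql so they survive re-creation of the container.
#
# One option per line, and no "# comment" after a trailing backslash: "\ "
# escapes the space instead of the newline, the command ends on that line,
# and the remaining options run as separate (failing) commands. Comments go
# above the option they describe.
#
# NOTE(review): -p 3306:3306 publishes the port on every host address, and a
# published port is DNATed into the container before the INPUT chain, so the
# iptables INPUT rules in section 五 do not block it; restrict it in the
# DOCKER-USER chain or bind it to one address (e.g. -p 172.17.0.1:3306:3306 --
# verify afterwards that the jumpserver container still reaches DB_HOST).
# The root password is visible in shell history and in `docker inspect`;
# replace the example value before use.
docker run -it -d --name mysql \
  --restart=always \
  -p 3306:3306 \
  -v /opt/jumpserver/mysql/conf:/etc/mysql/conf.d \
  -v /opt/jumpserver/mysql/logs:/var/log/mysql \
  -v /opt/jumpserver/mysql/data:/var/lib/mysql \
  -e MYSQL_ROOT_PASSWORD="love-520" \
  mysql:5.7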
3、初始化jumpserver的docker镜像数据库
# Initialise the jumpserver database inside the running mysql container:
# create it with the utf8 charset and grant all privileges on it to
# 'root'@'%', then flush privileges. The password is passed on the command
# line (process list, shell history) -- replace the example value.
init_sql="
create database jumpserver default charset 'utf8';
grant all on jumpserver.* to 'root'@'%';
flush privileges;
quit"
docker exec -ti mysql mysql -uroot -plove-520 -e "$init_sql"
三、部署redis说明
1.拉取redis镜像
# Fetch the latest redis image from the registry.
docker image pull redis
2、部署redis,密码为xxxxxx(示例命令中 --requirepass 后的值即为密码,请替换为自己的密码)
# Run redis with a required password. Everything after the image name is
# passed to redis-server as its arguments, so --requirepass is a server
# option, not a docker one. The password is visible in `docker inspect` and
# in shell history; replace the example value.
# NOTE(review): -p 6379:6379 publishes on every host address and, like any
# docker-published port, bypasses the INPUT chain rules of section 五.
docker run -it -d \
  --name redis \
  --restart=always \
  -p 6379:6379 \
  redis \
  --requirepass "love-520"
四、部署jumpserver
1、下载jumpServer镜像
# Fetch the all-in-one jumpserver image.
docker image pull jumpserver/jms_all:latest
2、生成随机加密密钥和初始化token
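#!/bin/sh
# Produce (or reuse) the two secrets the jumpserver container is started with:
#   SECRET_KEY       50 random alphanumeric characters
#   BOOTSTRAP_TOKEN  16 random alphanumeric characters
# A value that is already set in the environment is printed unchanged; a
# missing one is generated, appended to ~/.bashrc and printed.
# The original began with "#/bin/sh" (missing "!"), which is only a comment.
# No `set -o pipefail` here: tr is ended by SIGPIPE once head has read enough
# bytes, which pipefail would report as a failure.

# Print $1 random characters drawn from [A-Za-z0-9], without a trailing newline.
# LC_ALL=C makes tr treat the urandom bytes as plain bytes regardless of locale.
gen_token() {
  LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c "$1"
}

main() {
  if [ -z "$SECRET_KEY" ]; then
    SECRET_KEY=$(gen_token 50)
    # NOTE(review): written without `export`, as in the original, so a new
    # shell gets it as a plain variable rather than an environment variable.
    printf 'SECRET_KEY=%s\n' "$SECRET_KEY" >>~/.bashrc
  fi
  printf '%s\n' "$SECRET_KEY"

  if [ -z "$BOOTSTRAP_TOKEN" ]; then
    BOOTSTRAP_TOKEN=$(gen_token 16)
    printf 'BOOTSTRAP_TOKEN=%s\n' "$BOOTSTRAP_TOKEN" >>~/.bashrc
  fi
  printf '%s\n' "$BOOTSTRAP_TOKEN"
}

main "$@"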
EOBhaGJrj2PKorzVmlzyOsbtqqn4UwQdpqCDneOghAS2fFQj2w
kkUVjid3aZVFWp01
3、部署jumpserver
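# Run the all-in-one jumpserver image. Same rule as for mysql: no "# comment"
# after a trailing backslash -- "\ " escapes the space, the line no longer
# continues and the following -e options run as separate commands.
#
# SECRET_KEY / BOOTSTRAP_TOKEN: the two values printed by the script in step 2
# (the ones below are the example output shown above -- use your own).
# DB_HOST / REDIS_HOST: the docker0 bridge address, or the IP of another host.
# DB_PASSWORD / REDIS_PASSWORD: must equal MYSQL_ROOT_PASSWORD from section 二
# and the --requirepass value from section 三; the xxxxxx placeholders must be
# replaced before running.
# NOTE(review): every -e value lands in shell history and `docker inspect`;
# an --env-file readable only by root at least keeps them out of the history.
docker run --name jumpserver -d --restart=always \
  -v /opt/jumpserver/data:/opt/jumpserver/data \
  -v /opt/jumpserver/koko:/opt/koko/data \
  -v /opt/jumpserver/lion:/opt/lion/data \
  -p 80:80 \
  -p 2222:2222 \
  -e SECRET_KEY=EOBhaGJrj2PKorzVmlzyOsbtqqn4UwQdpqCDneOghAS2fFQj2w \
  -e BOOTSTRAP_TOKEN=kkUVjid3aZVFWp01 \
  -e DB_HOST=172.17.0.1 \
  -e DB_PORT=3306 \
  -e DB_USER=root \
  -e DB_PASSWORD=xxxxxx \
  -e DB_NAME=jumpserver \
  -e REDIS_HOST=172.17.0.1 \
  -e REDIS_PORT=6379 \
  -e REDIS_PASSWORD=xxxxxx \
  jumpserver/jms_all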
五、配置防火墙
为了堡垒机安全,应该禁止从外部访问mysql和redis的连接,脚本如下。注意:用 -p 发布的容器端口在进入 INPUT 链之前就已被 DNAT 到容器并走 FORWARD 链(DOCKER-USER),仅靠 INPUT 链规则挡不住它们,脚本中需一并处理:
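#!/bin/sh
# Host firewall for the bastion: accept established traffic, loopback and
# docker0 on INPUT, allow new ssh/http/https connections, reject the rest.
# Ports published with `docker run -p` (3306 and 6379 in sections 二/三) are
# DNATed into the container before INPUT and traverse FORWARD (DOCKER-USER)
# instead, so the INPUT rules alone leave them reachable from outside; the
# last three lines close that gap in DOCKER-USER.
# Requires the DOCKER-USER chain, i.e. Docker (17.06+) already started.
# Nothing here persists the rules across a reboot.

iptables -F INPUT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
# Containers talking to the host's bridge address (DB_HOST/REDIS_HOST =
# 172.17.0.1 in section 四) arrive on docker0, so this must stay open.
iptables -A INPUT -i docker0 -j ACCEPT
# allow 22, 80, 443
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
# deny all
iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited

# Docker-published mysql/redis ports: drop connections that do not come in on
# docker0. DOCKER-USER is not flushed above (Docker keeps rules placed there),
# so delete any earlier copy first to keep re-runs from stacking the rule.
set -- '!' -i docker0 -p tcp -m multiport --dports 3306,6379 -j DROP
iptables -D DOCKER-USER "$@" 2>/dev/null
iptables -I DOCKER-USER 1 "$@"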
六、部署完毕,查看日志!
# Follow the jumpserver container's log output (Ctrl-C to stop).
docker container logs --follow jumpserver
七、建议命令(仅供参考可忽略)
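# Reference one-liners (optional): the commands of sections 二 and 四 without
# line continuations. The "[root@localhost data]# " shell prompt that was
# pasted in front of the last command is dropped so the line runs as-is.
# The SECRET_KEY/BOOTSTRAP_TOKEN values are example output of the generator
# in 四.2 -- generate your own; DB_PASSWORD/REDIS_PASSWORD must match the
# passwords set in 二 and 三. All of these end up in shell history and in
# `docker inspect`.
mkdir -p /opt/jumpserver/mysql/{conf,logs,data}
docker run -it -d --name mysql --restart=always -p 3306:3306 -v /opt/jumpserver/mysql/conf:/etc/mysql/conf.d -v /opt/jumpserver/mysql/logs:/var/log/mysql -v /opt/jumpserver/mysql/data:/var/lib/mysql -e MYSQL_ROOT_PASSWORD="love-520" mysql:5.7
docker run --name jumpserver -d --restart=always -v /opt/jumpserver/data:/opt/jumpserver/data -v /opt/jumpserver/koko:/opt/koko/data -v /opt/jumpserver/lion:/opt/lion/data -p 80:80 -p 2222:2222 -e SECRET_KEY=M0LoWZ0UlvuvhN962JD1FQTiBwxSWrS90xP729yLHSynD0Y9Sz -e BOOTSTRAP_TOKEN=w4QxKAeaaq6khcmm -e DB_HOST=172.17.0.1 -e DB_PORT=3306 -e DB_USER=root -e DB_PASSWORD=love-520 -e DB_NAME=jumpserver -e REDIS_HOST=172.17.0.1 -e REDIS_PORT=6379 -e REDIS_PASSWORD=love-520 jumpserver/jms_all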