Deploying a JumpServer bastion host with Docker

I. Install Docker

1. Install the required packages: yum-utils provides yum-config-manager; the other two are dependencies of the devicemapper storage driver

yum install -y yum-utils device-mapper-persistent-data lvm2

2. Set up the yum repository. Fetch the repo file over HTTPS: it carries the baseurl and the gpgkey URL that every later package signature check depends on, so a plaintext download would let an on-path attacker swap both.

# official repository
yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
# or the Aliyun mirror (pick one of the two)
yum-config-manager --add-repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo

3. Choose a Docker version and install it

yum list docker-ce --showduplicates | sort -r
# <version> is the part of a listed version between the leading "N:" epoch and the "-N.elN" suffix
yum install -y docker-ce-<version>

4. Start Docker and enable it at boot

systemctl start docker
systemctl enable docker

II. Deploy MySQL

1. Pull the mysql:5.7 image

docker pull mysql:5.7

2. Run mysql:5.7

# Bind mounts keep the config, logs and data on the host across container
# restarts. MYSQL_ROOT_PASSWORD sets the root password at first start; the
# value lands in `docker inspect` and in the shell history, so use a
# throwaway value and rotate it, or pass MYSQL_ROOT_PASSWORD_FILE instead.
# Publishing on 172.17.0.1 (the docker0 address) rather than on 0.0.0.0
# keeps the port off the external interfaces; the JumpServer container still
# reaches it through that address. A comment after a trailing backslash
# breaks the line continuation, which is why all notes sit above the command.
docker run -d --name mysql                               \
    --restart=always                                     \
    -p 172.17.0.1:3306:3306                              \
    -v /opt/jumpserver/mysql/conf:/etc/mysql/conf.d      \
    -v /opt/jumpserver/mysql/logs:/var/log/mysql         \
    -v /opt/jumpserver/mysql/data:/var/lib/mysql         \
    -e MYSQL_ROOT_PASSWORD="xxxxxx"                      \
    mysql:5.7

3. Create the JumpServer database. The grant below is harmless but redundant: the official image already creates root@'%' with all privileges from MYSQL_ROOT_PASSWORD. A dedicated account with rights on jumpserver.* only is the least-privilege choice; the image creates one at first start when MYSQL_DATABASE, MYSQL_USER and MYSQL_PASSWORD are set, and DB_USER/DB_PASSWORD in step IV.3 then point at it.

# A bare -p makes the client prompt for the root password instead of
# exposing it in the process list and the shell history.
docker exec -ti mysql mysql -uroot -p -e "
create database jumpserver default charset 'utf8';
grant all on jumpserver.* to 'root'@'%';
flush privileges;"

III. Deploy Redis

1. Pull the redis image

docker pull redis

2. Run redis with the password xxxxxx

# Arguments after the image name go to redis-server via the image entrypoint,
# so --requirepass sets the AUTH password. The published port is bound to the
# docker0 address for the same reason as MySQL.
docker run -d --name redis --restart=always \
    -p 172.17.0.1:6379:6379 redis \
    --requirepass "xxxxxx"

IV. Deploy JumpServer
1. Pull the JumpServer all-in-one image (pin a release tag instead of latest in production so upgrades happen deliberately)

docker pull jumpserver/jms_all:latest

2. Generate a random SECRET_KEY and BOOTSTRAP_TOKEN

#!/bin/sh
# SECRET_KEY encrypts sensitive data stored in the database and must stay
# constant for the life of the installation; BOOTSTRAP_TOKEN lets components
# register with the core. Both are generated once and reused on every run.
# Note: ~/.bashrc is normally world-readable; a separate env file with mode
# 0600 is the safer place to keep them.
if [ ! "$SECRET_KEY" ]; then
    SECRET_KEY=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 50`;
    echo "SECRET_KEY=$SECRET_KEY" >> ~/.bashrc;
    echo $SECRET_KEY;
else
    echo $SECRET_KEY;
fi

if [ ! "$BOOTSTRAP_TOKEN" ]; then
    BOOTSTRAP_TOKEN=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 16`;
    echo "BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN" >> ~/.bashrc;
    echo $BOOTSTRAP_TOKEN;
else
    echo $BOOTSTRAP_TOKEN;
fi

Example output (these are the values used in the next step; generate your own and never reuse these):
EOBhaGJrj2PKorzVmlzyOsbtqqn4UwQdpqCDneOghAS2fFQj2w
kkUVjid3aZVFWp01

3. Run JumpServer

# SECRET_KEY and BOOTSTRAP_TOKEN are the values generated in step 2.
# DB_HOST/REDIS_HOST: the docker0 address (172.17.0.1) or any other host IP
# that can reach the published MySQL and Redis ports.
# Secrets passed with -e are readable through `docker inspect` and stay in the
# shell history; --env-file pointing at a mode-0600 file avoids the latter.
# (No comments after the trailing backslashes: they would end the command.)
docker run --name jumpserver -d --restart=always \
    -v /opt/jumpserver/data:/opt/jumpserver/data \
    -v /opt/jumpserver/koko:/opt/koko/data \
    -v /opt/jumpserver/lion:/opt/lion/data \
    -p 80:80 \
    -p 2222:2222 \
    -e SECRET_KEY=EOBhaGJrj2PKorzVmlzyOsbtqqn4UwQdpqCDneOghAS2fFQj2w \
    -e BOOTSTRAP_TOKEN=kkUVjid3aZVFWp01 \
    -e DB_HOST=172.17.0.1 \
    -e DB_PORT=3306 \
    -e DB_USER=root \
    -e DB_PASSWORD=xxxxxx \
    -e DB_NAME=jumpserver \
    -e REDIS_HOST=172.17.0.1 \
    -e REDIS_PORT=6379 \
    -e REDIS_PASSWORD=xxxxxx \
    jumpserver/jms_all:latest
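The three `docker run` commands in sections II to IV put MySQL and Redis on the default bridge, publish their ports on the host and then depend on host addressing and a firewall to keep them private. The script below is an added example, not code from the original post or from the JumpServer project, that performs the same deployment on a user-defined Docker network: the database and cache are never published at all (the JumpServer container reaches them by container name through Docker's embedded DNS), the secrets are generated once into a mode-0600 env file instead of ~/.bashrc, and the official mysql image's MYSQL_DATABASE/MYSQL_USER/MYSQL_PASSWORD variables create a least-privilege account in place of root. The network name jms-net, the env file path /opt/jumpserver/jms.env, the 24-character passwords and the DOCKER variable (so that `DOCKER=echo sh deploy-jms.sh deploy` previews the commands without a daemon) are this example's own choices.

```sh
#!/bin/sh
# deploy-jms.sh: JumpServer all-in-one on a private Docker network.
# Added example; jms-net, jms.env and the DOCKER override are assumptions,
# not JumpServer conventions.
set -eu

DOCKER=${DOCKER:-docker}          # DOCKER=echo prints the commands instead
NET=${NET:-jms-net}
BASE=${BASE:-/opt/jumpserver}
JMS_ENV=${JMS_ENV:-$BASE/jms.env}

# Random alphanumeric secret of the requested length (same recipe as the post).
gen_secret() {
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c "$1"
}

# Write the env file once, mode 0600, with every variable jms_all expects.
# DB_HOST/REDIS_HOST are container names: on a user-defined network Docker
# resolves them, so no host IP and no published port are needed.
ensure_env_file() {
    if [ -f "$JMS_ENV" ]; then return 0; fi
    mkdir -p "$(dirname "$JMS_ENV")"
    ( umask 077; cat >"$JMS_ENV" <<EOF
SECRET_KEY=$(gen_secret 50)
BOOTSTRAP_TOKEN=$(gen_secret 16)
MYSQL_ROOT_PASSWORD=$(gen_secret 24)
DB_HOST=mysql
DB_PORT=3306
DB_USER=jumpserver
DB_PASSWORD=$(gen_secret 24)
DB_NAME=jumpserver
REDIS_HOST=redis
REDIS_PORT=6379
REDIS_PASSWORD=$(gen_secret 24)
EOF
    )
}

load_env() { . "$JMS_ENV"; }

ensure_network() {
    $DOCKER network inspect "$NET" >/dev/null 2>&1 || $DOCKER network create "$NET"
}

# No -p: the port is reachable only from containers on the same network.
# MYSQL_DATABASE/MYSQL_USER make the image create the schema and an account
# with privileges on that schema only; the server charset matches JumpServer.
run_mysql() {
    load_env
    $DOCKER run -d --name mysql --restart=always --network "$NET" \
        -v "$BASE/mysql/conf:/etc/mysql/conf.d" \
        -v "$BASE/mysql/logs:/var/log/mysql" \
        -v "$BASE/mysql/data:/var/lib/mysql" \
        -e MYSQL_ROOT_PASSWORD="$MYSQL_ROOT_PASSWORD" \
        -e MYSQL_DATABASE="$DB_NAME" \
        -e MYSQL_USER="$DB_USER" \
        -e MYSQL_PASSWORD="$DB_PASSWORD" \
        mysql:5.7 --character-set-server=utf8 --collation-server=utf8_general_ci
}

# --requirepass is handed to redis-server by the image entrypoint; it remains
# visible in `docker inspect`, so keep daemon access restricted.
run_redis() {
    load_env
    $DOCKER run -d --name redis --restart=always --network "$NET" \
        redis --requirepass "$REDIS_PASSWORD"
}

# Only the web port and the koko SSH port are published to the host.
run_jumpserver() {
    load_env
    $DOCKER run -d --name jumpserver --restart=always --network "$NET" \
        -v "$BASE/data:/opt/jumpserver/data" \
        -v "$BASE/koko:/opt/koko/data" \
        -v "$BASE/lion:/opt/lion/data" \
        -p 80:80 -p 2222:2222 \
        -e SECRET_KEY="$SECRET_KEY" -e BOOTSTRAP_TOKEN="$BOOTSTRAP_TOKEN" \
        -e DB_HOST="$DB_HOST" -e DB_PORT="$DB_PORT" -e DB_USER="$DB_USER" \
        -e DB_PASSWORD="$DB_PASSWORD" -e DB_NAME="$DB_NAME" \
        -e REDIS_HOST="$REDIS_HOST" -e REDIS_PORT="$REDIS_PORT" \
        -e REDIS_PASSWORD="$REDIS_PASSWORD" \
        jumpserver/jms_all:latest
}

main() {
    ensure_env_file
    ensure_network
    run_mysql
    run_redis
    run_jumpserver
}

# Usage: sh deploy-jms.sh deploy
if [ "${1:-}" = "deploy" ]; then main; fi
```

Because nothing is published for MySQL or Redis, the firewall in the next section only has to deal with the host's own listeners and the two JumpServer ports; the env file is the one place the secrets live, so back it up with the data directories.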

V. Configure the firewall
To keep the bastion host secure, MySQL and Redis must not be reachable from outside. Two points matter. First, a port published with -p is handled by Docker's own NAT rules: the packets are DNATed in PREROUTING and then traverse the FORWARD chain, never INPUT, so INPUT rules on their own do not block 3306 and 6379. Docker reserves the DOCKER-USER chain for administrator rules that run before its own FORWARD rules, which is where the blocks belong. Second, publishing on the docker0 address (-p 172.17.0.1:3306:3306 instead of -p 3306:3306) keeps the listener off the external interfaces in the first place; the DOCKER-USER rules are defence in depth for that. Script:

#!/bin/sh
# INPUT only governs traffic addressed to the host itself.
iptables -F INPUT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i docker0 -j ACCEPT

# allow 22, 80, 443
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT

# deny all
iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited

# Published container ports are DNATed and forwarded, bypassing INPUT.
# Drop them in DOCKER-USER, which Docker consults first in FORWARD. After
# DNAT --dport is the container port (here equal to the host port). Packets
# from docker0 are exempt so containers can still reach each other.
iptables -F DOCKER-USER
iptables -A DOCKER-USER ! -i docker0 -p tcp --dport 3306 -j DROP
iptables -A DOCKER-USER ! -i docker0 -p tcp --dport 6379 -j DROP
iptables -A DOCKER-USER -j RETURN
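Firewall rules are only as good as the check that follows them, and with Docker the quickest signal of a leak is a publication on 0.0.0.0 or :: for a port that is not meant to be public. The script below is an added example, not code from the post or from JumpServer, that parses the Ports column of `docker ps` and reports every wildcard-bound publication whose host port is not on an allow list. The allow list (80, 443, 2222) and the three sample `docker ps` lines are constructed for the demonstration; `sh check-exposure.sh check` runs it against the live daemon and exits 1 on findings, `sh check-exposure.sh demo` runs it on the sample.

```sh
#!/bin/sh
# check-exposure.sh: report Docker port publications bound to every interface
# that are not on the allow list. Added example; the allow list and the sample
# `docker ps` output are constructed, not taken from a real host.
set -eu

# Host ports that may listen on 0.0.0.0 / :: (web, TLS, koko SSH).
ALLOWED_PORTS=${ALLOWED_PORTS:-"80 443 2222"}

is_allowed() {            # $1 = host port
    for p in $ALLOWED_PORTS; do
        [ "$p" = "$1" ] && return 0
    done
    return 1
}

# Reads lines of `docker ps --format '{{.Names}}\t{{.Ports}}'` on stdin and
# prints "<name> <host-addr> <host-port>" for each publication on a wildcard
# address whose port is not allowed. Prints nothing when the host is clean.
public_bindings() {
    tab=$(printf '\t')
    while IFS="$tab" read -r name ports; do
        [ -n "$ports" ] || continue
        printf '%s\n' "$ports" | tr ',' '\n' | while read -r m; do
            # "3306/tcp" without "->" is merely exposed, not published: skip it
            case $m in *'->'*) ;; *) continue ;; esac
            host=${m%%"->"*}          # "0.0.0.0:3306" or ":::3306"
            hport=${host##*:}         # host port after the last colon
            haddr=${host%:*}          # "0.0.0.0", "::" or a specific address
            case $haddr in
                0.0.0.0|::|'[::]')
                    is_allowed "$hport" || printf '%s %s %s\n' "$name" "$haddr" "$hport" ;;
            esac
        done
    done
}

# Constructed sample: MySQL wrongly published on every interface, Redis bound
# to docker0 only, JumpServer publishing only its allowed ports.
SAMPLE_PS=$(printf 'mysql\t0.0.0.0:3306->3306/tcp, :::3306->3306/tcp\nredis\t172.17.0.1:6379->6379/tcp\njumpserver\t0.0.0.0:80->80/tcp, :::80->80/tcp, 0.0.0.0:2222->2222/tcp, :::2222->2222/tcp\n')

case "${1:-}" in
    demo)  out=$(printf '%s\n' "$SAMPLE_PS" | public_bindings) ;;
    check) out=$(docker ps --format '{{.Names}}\t{{.Ports}}' | public_bindings) ;;
    *)     out= ;;
esac
if [ -n "$out" ]; then printf '%s\n' "$out"; exit 1; fi
```

On the sample the script prints the two MySQL bindings (IPv4 and IPv6) and nothing for Redis or JumpServer. A clean `docker ps` still does not prove the DOCKER-USER rules are loaded, so pair this with a connection attempt from another host against 3306 and 6379.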

VI. Deployment done; watch the logs

docker logs -f jumpserver 
