基于centos7.9容器编排Jumpserver堡垒机
Jum
- 基础环境
- 容器化部署MySQL
- 容器化部署Redis
- 容器化部署Nginx
- 容器化部署Koko
- 容器化部署Guacamole
- 容器化部署Core
- 编排compose文件
基础环境
基于centos7.9容器化部署jumpserver
# Unpack the offline bundle; it yields the /root/JumpServer tree that all of the
# builds below run from (Dockerfiles, init scripts, local.repo, image tarballs).
tar -xf JumpServer.tar.gz
导入centos7.9 docker镜像
# Load the base image every Dockerfile below starts FROM (centos:7.9.2009),
# so the builds do not need to pull it from a registry.
docker load -i images/centos_7.9.2009.tar
容器化部署MySQL
[root@k8s-master-node1 JumpServer]# pwd
/root/JumpServer
vi local.repo
# Local yum repository for the offline build. Every Dockerfile below unpacks
# jumpserverrepo.tar.gz into /opt and replaces the stock repo files with this one,
# so baseurl must point at the unpacked tree.
[jumpserver]
name=jumpserver
baseurl=file:///opt/jumpserverrepo
enabled=1
# Package signatures are not checked: the packages come from the tarball shipped
# with this build, so the integrity of that tarball is what stands in for GPG here.
gpgcheck=0
数据库初始化脚本
vi mysql_init.sh
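#!/bin/bash
# mysql_init.sh — entrypoint of the jms_mysql image.
#
# Sets the listen port in /etc/my.cnf, initialises the data directory on the
# first start, launches mysqld, creates the JumpServer database and account,
# then follows the error log so the container stays in the foreground.
#
# Environment (all optional; the defaults reproduce the values the original
# script hard-coded):
#   MYSQL_PORT          port written into /etc/my.cnf          (default 3306)
#   MYSQL_DATABASE      database created for JumpServer        (default root)
#   MYSQL_USER          account granted on that database       (default root)
#   MYSQL_PASSWORD      password for that account              (default 000000)
#   MYSQL_DATADIR       data directory                         (default /var/lib/mysql)
#   MYSQL_WAIT_SECONDS  max seconds to wait for mysqld         (default 60)

port=${MYSQL_PORT:-3306}
database=${MYSQL_DATABASE:-root}
user=${MYSQL_USER:-root}
password=${MYSQL_PASSWORD:-000000}
datadir=${MYSQL_DATADIR:-/var/lib/mysql}
wait_seconds=${MYSQL_WAIT_SECONDS:-60}

# Insert the port only once: the original inserted it at line 10 on every
# start, so a restarted container accumulated duplicate port= lines.
grep -q "^port=" /etc/my.cnf || sed -i "10i port=${port}" /etc/my.cnf

# --initialize-insecure aborts on a non-empty data directory, so only run it
# when the system schema is absent (first start, or an empty mounted volume).
if [ ! -d "${datadir}/mysql" ]; then
  mysqld --initialize-insecure --user=mysql --datadir="${datadir}" || exit 1
fi

mysqld --daemonize --user=mysql || exit 1

# Poll for readiness instead of a fixed 5 s sleep; the server may take longer
# on a slow host, and the GRANT below would then fail.
for ((i = 0; i < wait_seconds; i++)); do
  mysql -uroot -e "select 1" >/dev/null 2>&1 && break
  sleep 1
done
if ! mysql -uroot -e "select 1" >/dev/null 2>&1; then
  echo "mysqld did not become ready within ${wait_seconds}s" >&2
  exit 1
fi

# The SQL is fed on stdin rather than via -e so the password is not visible in
# the process list. IF NOT EXISTS keeps a restart from failing on the second run.
mysql -uroot <<SQL
create database if not exists ${database} default charset 'utf8' collate 'utf8_bin';
grant all on ${database}.* to '${user}'@'%' identified by '${password}';
flush privileges;
SQL

mysql --version
# Keep the container in the foreground and surface the server log.
tail -f /var/log/mysqld.log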
vi Dockerfile-mysql
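# jms_mysql — MySQL server image for JumpServer, built from the offline repo.
FROM centos:7.9.2009
# MAINTAINER is deprecated; LABEL carries the same metadata.
LABEL maintainer="Chinaskills"
WORKDIR /opt
# Version is not used by this file; it is declared so all jms_* images accept
# the same --build-arg.
ARG Version=v2.5.3
ENV Version=${Version} \
    LANG=en_US.utf8
# Offline yum repository; it must unpack to /opt/jumpserverrepo, the baseurl in
# local.repo, which replaces the stock repo definitions.
ADD jumpserverrepo.tar.gz .
RUN rm -rf /etc/yum.repos.d/*
COPY local.repo /etc/yum.repos.d/
RUN set -ex \
    && ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime \
    && yum install -y mysql-community-server \
    && yum clean all
# Entrypoint: sets the port, initialises the datadir and starts mysqld.
COPY mysql_init.sh .
RUN chmod 755 ./mysql_init.sh
# The port mysql_init.sh writes into /etc/my.cnf.
EXPOSE 3306
CMD ["./mysql_init.sh"]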
# Build the MySQL image; the build context is the current directory (/root/JumpServer).
docker build -t jms_mysql:v1.0 -f Dockerfile-mysql .
容器化部署Redis
编写Redis初始化脚本
vi redis_init.sh
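#!/bin/bash
# redis_init.sh — entrypoint of the jms_redis image.
#
# Writes the client password into /etc/redis.conf and starts redis-server in
# the foreground.
#
# Environment (optional):
#   REDIS_PASSWORD  value of the requirepass directive; defaults to the value
#                   the original script hard-coded. It must not contain a
#                   backslash or a newline, which are special to sed's `c` text.

password=${REDIS_PASSWORD:-8URXPL2x3HZMi7xoGTdk3Upj}

# Replace every line that mentions requirepass (commented examples included,
# if present) with the active directive.
sed -i "/requirepass/c requirepass ${password}" /etc/redis.conf

# exec so redis-server is PID 1 and receives the container's stop signal directly.
exec redis-server /etc/redis.conf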
vi Dockerfile-redis
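# jms_redis — Redis image for JumpServer, built from the offline repo.
FROM centos:7.9.2009
WORKDIR /opt
# Version is unused here; declared so all jms_* images accept the same --build-arg.
ARG Version=v2.5.3
ENV Version=${Version} \
    LANG=en_US.utf8
# Offline yum repository (see local.repo); replaces the stock repo definitions.
ADD jumpserverrepo.tar.gz .
RUN rm -rf /etc/yum.repos.d/*
COPY local.repo /etc/yum.repos.d/
# net.core.somaxconn and vm.overcommit_memory are kernel parameters. The
# original appended them to the image's /etc/sysctl.conf, which nothing applies
# at container start (the CMD only runs redis_init.sh). Set them on the host,
# or net.core.somaxconn through the compose service's `sysctls:` key.
#
# protected-mode is disabled and bind widened to 0.0.0.0 so the other
# containers can reach Redis; access is gated by the requirepass that
# redis_init.sh writes at start-up.
#
# maxmemory-policy is appended at the end instead of being inserted at a
# hard-coded line number, so it no longer depends on the exact layout of the
# packaged redis.conf.
RUN set -ex \
    && ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime \
    && yum install -y redis \
    && sed -i "s/protected-mode yes/protected-mode no/g" /etc/redis.conf \
    && sed -i "s/bind 127.0.0.1/bind 0.0.0.0/g" /etc/redis.conf \
    && echo "maxmemory-policy allkeys-lru" >> /etc/redis.conf \
    && yum clean all
COPY redis_init.sh .
RUN chmod 755 ./redis_init.sh
EXPOSE 6379
CMD ["./redis_init.sh"]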
# Build the Redis image from the current directory.
docker build -t jms_redis:v1.0 -f Dockerfile-redis .
容器化部署Nginx
vi Dockerfile-nginx
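# jms_nginx — nginx front end serving the JumpServer web bundles (lina, luna).
FROM centos:7.9.2009
WORKDIR /opt
ARG Version=v2.5.3
ENV Version=${Version} \
    LANG=en_US.utf8
# Offline yum repository (see local.repo); replaces the stock repo definitions.
ADD jumpserverrepo.tar.gz .
RUN rm -rf /etc/yum.repos.d/*
COPY local.repo /etc/yum.repos.d/
# Front-end bundles. The archive and directory names follow ARG Version, so a
# different release is built with --build-arg Version=... instead of editing
# the version in four places.
ADD nginx/lina-${Version}.tar.gz .
ADD nginx/luna-${Version}.tar.gz .
# default.conf is emptied; the served configuration is nginx/nginx.conf, copied below.
RUN set -ex \
    && ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime \
    && yum install -y nginx \
    && echo > /etc/nginx/conf.d/default.conf \
    && mv luna-${Version} luna \
    && mv lina-${Version} lina \
    && rm -rf /opt/*.tar.gz \
    && yum clean all
COPY nginx/nginx.conf /etc/nginx/
# Published as host port 81 by the compose file (see docker-compose ps output).
EXPOSE 80
CMD ["nginx", "-g", "daemon off;"]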
# Build the nginx image from the current directory.
docker build -t jms_nginx:v1.0 -f Dockerfile-nginx .
容器化部署Koko
vi koko_init.sh
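#!/bin/bash
# koko_init.sh — entrypoint of the jms_koko image.
#
# Blocks until the JumpServer core API answers its health check, then starts koko.
#
# Environment:
#   CORE_HOST  base URL of jms_core (required; the original looped forever when
#              it was unset, this version fails fast with a message)

: "${CORE_HOST:?CORE_HOST must be set to the jms_core base URL}"

# Poll the health endpoint until it returns 200. -k skips TLS verification;
# only the status code is used here, the response body is never consumed.
while [ "$(curl -I -m 10 -L -k -o /dev/null -s -w '%{http_code}' "${CORE_HOST}/api/health/")" != "200" ]; do
  echo "wait for jms_core ready"
  sleep 2
done

export LOG_LEVEL=ERROR
cd /opt/koko || exit 1
# exec so koko is PID 1 and receives the container's stop signal directly.
exec ./koko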
vi Dockerfile-koko
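# jms_koko — image for koko, the JumpServer terminal/proxy component.
FROM centos:7.9.2009
WORKDIR /opt
ARG Version=v2.5.3
ENV Version=${Version} \
    LANG=en_US.utf8
# kubectl.tar.gz unpacks a kubectl binary into /opt; the koko release archive
# name follows ARG Version so the mv below agrees with it when Version is
# overridden at build time (the original hard-coded v2.5.3 in the ADD only).
ADD koko/kubectl.tar.gz .
ADD koko/koko-${Version}-linux-amd64.tar.gz .
RUN mkdir /opt/kubectl-aliases/
ADD koko/kubectl_aliases.tar.gz /opt/kubectl-aliases/
# Offline yum repository (see local.repo); replaces the stock repo definitions.
ADD jumpserverrepo.tar.gz .
RUN rm -rf /etc/yum.repos.d/*
COPY local.repo /etc/yum.repos.d/
# Resulting layout: /usr/local/bin/kubectl is the file shipped inside the koko
# archive (presumably a wrapper, confirm against the release), and
# /usr/local/bin/rawkubectl is the binary from kubectl.tar.gz. The chmod/chown
# on ./kubectl operate in /opt, the WORKDIR.
RUN set -ex \
    && ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime \
    && yum install -y mysql-community-client bash-completion \
    && mv koko-${Version}-linux-amd64 koko \
    && chown -R root:root koko \
    && mv /opt/koko/kubectl /usr/local/bin/ \
    && chmod 755 ./kubectl \
    && chown root:root ./kubectl \
    && mv kubectl /usr/local/bin/rawkubectl \
    && chown -R root:root /opt/kubectl-aliases/ \
    && chmod 755 /opt/koko/init-kubectl.sh \
    && rm -rf /opt/*.tar.gz \
    && yum clean all
# Entrypoint: waits for jms_core, then runs /opt/koko/koko.
COPY koko_init.sh .
RUN chmod 755 ./koko_init.sh
# SSH port published by the compose file (see docker-compose ps output).
EXPOSE 2222
CMD [ "./koko_init.sh" ]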
# Build the koko image from the current directory.
docker build -t jms_koko:v1.0 -f Dockerfile-koko .
容器化部署Guacamole
编写Guacamole初始化脚本
vi guacamole_init.sh
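#!/bin/bash
# guacamole_init.sh — entrypoint of the jms_guacamole image.
#
# Exports the guacamole/JumpServer settings (each overridable from the
# environment), waits for the jms_core health check, starts guacd and Tomcat,
# then follows the application log so the container stays in the foreground.
#
# Environment:
#   JUMPSERVER_SERVER  base URL of jms_core (required; the original looped
#                      forever when it was unset, this version fails fast)
#   GUACAMOLE_* / JUMPSERVER_*  optional, defaults below

export JUMPSERVER_KEY_DIR=${JUMPSERVER_KEY_DIR:-/config/guacamole/data/keys}
export GUACAMOLE_HOME=${GUACAMOLE_HOME:-/config/guacamole}
export GUACAMOLE_LOG_LEVEL=${GUACAMOLE_LOG_LEVEL:-ERROR}
export JUMPSERVER_ENABLE_DRIVE=${JUMPSERVER_ENABLE_DRIVE:-true}
export JUMPSERVER_RECORD_PATH=${JUMPSERVER_RECORD_PATH:-/config/guacamole/data/record}
export JUMPSERVER_DRIVE_PATH=${JUMPSERVER_DRIVE_PATH:-/config/guacamole/data/drive}
export JUMPSERVER_CLEAR_DRIVE_SESSION=${JUMPSERVER_CLEAR_DRIVE_SESSION:-true}
export JUMPSERVER_CLEAR_DRIVE_SCHEDULE=${JUMPSERVER_CLEAR_DRIVE_SCHEDULE:-24}

# Start from an empty Tomcat log directory.
rm -rf /config/tomcat9/logs/*

: "${JUMPSERVER_SERVER:?JUMPSERVER_SERVER must be set to the jms_core base URL}"

# Poll the health endpoint until it returns 200. -k skips TLS verification;
# only the status code is used here, the response body is never consumed.
while [ "$(curl -I -m 10 -L -k -o /dev/null -s -w '%{http_code}' "${JUMPSERVER_SERVER}/api/health/")" != "200" ]; do
  echo "Waiting for jms_core to be ready..."
  sleep 2
done

# Start guacd and Tomcat. A failed start exits the container instead of
# leaving it sitting in tail -f with nothing running behind it.
/etc/init.d/guacd start || exit 1
# Subshell keeps the working directory unchanged for the commands that follow.
(cd /config/tomcat9/bin && ./startup.sh) || exit 1

# Truncate the log (the original wrote a single newline) before following it,
# so only this run's output is shown.
printf '\n' > /config/guacamole/data/log/info.log
exec tail -f /config/guacamole/data/log/info.log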
vi Dockerfile-guacamole
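# jms_guacamole — guacd + Tomcat image for the JumpServer RDP/VNC component.
FROM centos:7.9.2009
WORKDIR /opt
ARG Version=v2.5.3
ENV Version=${Version} \
    LANG=en_US.utf8
# Tomcat and ssh-forward are version-independent; the guacamole client and
# docker-guacamole archives follow ARG Version so the tar/cp commands below
# (which already use ${Version}) agree with the files actually copied in.
ADD guacamole/apache-tomcat-7.0.33.tar.gz /config
COPY guacamole/ssh-forward.tar.gz /config
COPY guacamole/guacamole-client-${Version}.tar.gz /config
COPY guacamole/guacamole-server-1.5.0.tar.gz /config
COPY guacamole/docker-guacamole-${Version}.tar.gz /config
# Offline yum repository (see local.repo); replaces the stock repo definitions.
ADD jumpserverrepo.tar.gz .
RUN rm -rf /etc/yum.repos.d/*
COPY local.repo /etc/yum.repos.d/
# Notes on the steps below:
# - the Tomcat 7.0.33 tree is renamed to tomcat9 because that is the path
#   guacamole_init.sh uses (/config/tomcat9/...);
# - guacamole-server is compiled from source here, so gcc/make and the -devel
#   packages remain in the final image (NOTE(review): a multi-stage build would
#   shrink it considerably);
# - the reason for `yum -y remove libwinpr` is not visible here; presumably it
#   conflicts with the freerdp libraries built above — confirm before changing.
RUN set -ex \
    && yum clean all \
    && ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime \
    && yum install -y make gcc java-1.8.0-openjdk \
    && yum install -y cairo-devel libjpeg-turbo-devel libpng-devel libtool uuid-devel \
    && yum install -y ffmpeg-devel freerdp-devel pango-devel libssh2-devel libtelnet-devel libvncserver-devel libwebsockets-devel pulseaudio-libs-devel openssl-devel libvorbis-devel libwebp-devel \
    && mkdir -p /config/guacamole/lib /config/guacamole/extensions /config/guacamole/data/log/ /config/guacamole/data/record /config/guacamole/data/drive \
    && cd /config \
    && mv apache-tomcat-7.0.33 tomcat9 \
    && rm -rf tomcat9/webapps/* \
    && sed -i 's/# export/export/g' /root/.bashrc \
    && sed -i 's/# alias l/alias l/g' /root/.bashrc \
    && echo "java.util.logging.ConsoleHandler.encoding = UTF-8" >> /config/tomcat9/conf/logging.properties \
    && mkdir /config/docker-guacamole \
    && tar -xf docker-guacamole-${Version}.tar.gz -C /config/docker-guacamole --strip-components 1 \
    && rm -rf docker-guacamole-${Version}.tar.gz \
    && chown -R root:root /config/docker-guacamole \
    && tar -xf guacamole-server-1.5.0.tar.gz -C /config/docker-guacamole \
    && cd /config/docker-guacamole \
    && cd guacamole-server-1.5.0 \
    && ./configure --with-init-dir=/etc/init.d \
    && make \
    && make install \
    && ldconfig \
    && cd /config \
    && tar -xf ssh-forward.tar.gz -C /bin/ \
    && chmod 755 /bin/ssh-forward \
    && tar -xf guacamole-client-${Version}.tar.gz \
    && cp guacamole-client-${Version}/guacamole-*.war /config/tomcat9/webapps/ROOT.war \
    && cp guacamole-client-${Version}/guacamole-*.jar /config/guacamole/extensions/ \
    && cd /config \
    && mv /config/docker-guacamole/guacamole.properties /config/guacamole/ \
    && yum -y remove libwinpr \
    && rm -rf /config/docker-guacamole \
    && yum clean all
# Entrypoint: waits for jms_core, starts guacd and Tomcat, tails the app log.
COPY guacamole_init.sh .
RUN chmod 755 ./guacamole_init.sh
CMD ["./guacamole_init.sh"]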
# Build the guacamole image from the current directory (compiles guacamole-server; slow).
docker build -t jms_guacamole:v1.0 -f Dockerfile-guacamole .
容器化部署Core
vi core_init.sh
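#!/bin/bash
# core_init.sh — entrypoint of the jms_core image.
#
# Waits for the MySQL and Redis containers to accept TCP connections, makes
# sure a config file exists, activates the Python virtualenv and starts jms.
#
# Environment (optional; the defaults are the compose service names and ports
# the original script hard-coded):
#   DB_HOST / DB_PORT        MySQL endpoint to wait for  (default mysql 3306)
#   REDIS_HOST / REDIS_PORT  Redis endpoint to wait for  (default redis 6379)

db_host=${DB_HOST:-mysql}
db_port=${DB_PORT:-3306}
redis_host=${REDIS_HOST:-redis}
redis_port=${REDIS_PORT:-6379}

# wait_for_tcp NAME HOST PORT — poll with nc -z until HOST:PORT accepts a connection.
wait_for_tcp() {
  local name=$1 host=$2 port=$3
  while ! nc -z "${host}" "${port}"; do
    echo "wait for ${name} ready"
    sleep 2s
  done
}

wait_for_tcp jms_mysql "${db_host}" "${db_port}"
wait_for_tcp jms_redis "${redis_host}" "${redis_port}"

# Create an empty config file if none exists. The path is absolute, so this no
# longer depends on the working directory being /opt.
config=/opt/jumpserver/config.yml
[ -f "${config}" ] || echo > "${config}"

export LOG_LEVEL=ERROR
export WINDOWS_SKIP_ALL_MANUAL_PASSWORD=True
# shellcheck disable=SC1091 — the venv is created at image build time
source /opt/py3/bin/activate
cd /opt/jumpserver || exit 1
# exec so jms is PID 1 and receives the container's stop signal directly.
exec ./jms start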
vi Dockerfile-core
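# jms_core — JumpServer core (Django) image, built from the offline repo and
# a local wheel cache.
FROM centos:7.9.2009
ARG Version=v2.5.3
ENV Version=${Version} \
    LANG=en_US.utf8
WORKDIR /opt
# Python wheels for the offline pip install below (/opt/packages).
ADD core/packages.tar.gz .
# Offline yum repository (see local.repo); replaces the stock repo definitions.
ADD jumpserverrepo.tar.gz .
RUN rm -rf /etc/yum.repos.d/*
COPY local.repo /etc/yum.repos.d/
# The release archive name follows ARG Version so the mv below agrees with it
# when Version is overridden at build time (the original hard-coded v2.5.3 here).
ADD core/jumpserver-${Version}.tar.gz .
# nc is installed because core_init.sh uses it to wait for MySQL/Redis.
# `source` inside RUN relies on /bin/sh being bash on CentOS 7.
# pip runs with --no-index, so every requirement must be present in /opt/packages.
RUN set -ex \
    && ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime \
    && yum install -y gcc nc \
    && yum install -y python36 python36-devel \
    && mv jumpserver-${Version} jumpserver \
    && chown -R root:root jumpserver \
    && yum install -y $(cat /opt/jumpserver/requirements/rpm_requirements.txt) \
    && python3.6 -m venv /opt/py3 \
    && source /opt/py3/bin/activate \
    && pip3 install --no-index --find-links=/opt/packages/ -r /opt/jumpserver/requirements/requirements.txt \
    && yum clean all \
    && rm -rf /opt/*.tar.gz \
    && rm -rf /var/cache/yum* \
    && rm -rf ~/.cache/pip
# Entrypoint: waits for MySQL and Redis, then runs `jms start`.
COPY core_init.sh .
RUN chmod 755 ./core_init.sh
CMD ["./core_init.sh"]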
# Build the core image from the current directory.
docker build -t jms_core:v1.0 -f Dockerfile-core .
编排compose文件
[root@k8s-master-node1 JumpServer]# docker-compose ps
Name Command State Ports
---------------------------------------------------------------------------------------
jms_core ./core_init.sh Up
jms_guacamole ./guacamole_init.sh Up
jms_koko ./koko_init.sh Up 0.0.0.0:2222->2222/tcp,:::2222->2222/tcp
jms_mysql ./mysql_init.sh Up
jms_nginx nginx -g daemon off; Up 0.0.0.0:81->80/tcp,:::81->80/tcp
jms_redis ./redis_init.sh Up
界面访问:IP:81 (admin/admin)
重置密码后登录