GitHub repository: https://github.com/jumpserver/Dockerfile

Create directories

Create the persistence directory. The SECRET subdirectory will hold the generated keys, so keep it readable by its owner only:

```bash
mkdir -pv /data/jumpserver/SECRET
```

Create the docker-compose project directory (docker-compose.yml and .env live here):

```bash
mkdir -pv /data/docker-compose/jumpserver
```
Generate keys

Generate SECRET_KEY and BOOTSTRAP_TOKEN. Each value is only generated when the corresponding shell variable is empty; it is then printed, appended as a KEY=value line to a record file under the docker-compose directory, and appended as a bare value to its own file under /data/jumpserver/SECRET:

```bash
if [ "$SECRET_KEY" = "" ]; then
    # 50 alphanumeric characters from the kernel CSPRNG
    SECRET_KEY=$(tr -dc A-Za-z0-9 < /dev/urandom | head -c 50)
    echo "SECRET_KEY=$SECRET_KEY" >> /data/docker-compose/jumpserver/BOOTSTRAP_TOKEN
    echo "$SECRET_KEY" >> /data/jumpserver/SECRET/SECRET_KEY
    echo "$SECRET_KEY"
else
    echo "$SECRET_KEY"
fi

if [ "$BOOTSTRAP_TOKEN" = "" ]; then
    # 16 alphanumeric characters; only used while components register
    BOOTSTRAP_TOKEN=$(tr -dc A-Za-z0-9 < /dev/urandom | head -c 16)
    echo "BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN" >> /data/docker-compose/jumpserver/BOOTSTRAP_TOKEN
    echo "$BOOTSTRAP_TOKEN" >> /data/jumpserver/SECRET/BOOTSTRAP_TOKEN
    echo "$BOOTSTRAP_TOKEN"
else
    echo "$BOOTSTRAP_TOKEN"
fi
```

Note that both KEY=value lines go to the same record file, /data/docker-compose/jumpserver/BOOTSTRAP_TOKEN, despite its name; the per-key files under /data/jumpserver/SECRET hold the bare values. Because `>>` appends, running the snippet a second time with the variables unset leaves two values in each file, so make sure the value you copy into .env is the one the first start actually used. Restrict these files to their owner: anyone who can read SECRET_KEY can decrypt the credentials JumpServer stores.
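The same procedure as an idempotent script, added here as an example (it is not part of the JumpServer project). It reuses an existing value instead of regenerating it, creates every file with mode 0600, and writes a small env fragment to paste into .env. The file name secrets.env and the script name gen_secrets.sh are this example's own choices:

```sh
#!/bin/sh
# Added example, not from the JumpServer project: generate SECRET_KEY and
# BOOTSTRAP_TOKEN once, keep them in owner-only files, and emit an env
# fragment to paste into .env.
set -eu

# gen_secret LEN: LEN alphanumeric characters from the kernel CSPRNG
gen_secret() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "$1"
}

# ensure_secret NAME LEN DIR: print DIR/NAME if it already exists, otherwise
# create it (mode 0600) with a fresh value and print that. Reusing an
# existing SECRET_KEY matters: a new one makes data already encrypted by
# JumpServer unreadable.
ensure_secret() {
    file="$3/$1"
    if [ -s "$file" ]; then
        cat "$file"
        return 0
    fi
    value=$(gen_secret "$2")
    ( umask 077; printf '%s' "$value" > "$file" )
    printf '%s' "$value"
}

# write_env_fragment DIR OUT: KEY=value lines for both secrets, mode 0600
write_env_fragment() {
    ( umask 077
      printf 'SECRET_KEY=%s\nBOOTSTRAP_TOKEN=%s\n' \
          "$(cat "$1/SECRET_KEY")" "$(cat "$1/BOOTSTRAP_TOKEN")" > "$2" )
}

# Usage: sh gen_secrets.sh SECRET_DIR [ENV_FRAGMENT]
# e.g.   sh gen_secrets.sh /data/jumpserver/SECRET /data/docker-compose/jumpserver/secrets.env
if [ "$#" -ge 1 ]; then
    secret_dir="$1"
    env_out="${2:-$secret_dir/secrets.env}"
    mkdir -p "$secret_dir"
    ensure_secret SECRET_KEY 50 "$secret_dir" > /dev/null
    ensure_secret BOOTSTRAP_TOKEN 16 "$secret_dir" > /dev/null
    write_env_fragment "$secret_dir" "$env_out"
    echo "secrets in $secret_dir, fragment in $env_out"
fi
```

Running it twice against the same directory prints the same values, which is the property you want before an upgrade or a host migration: the script can be re-run safely without rotating SECRET_KEY.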
Create the variable file .env

- The file name must not be changed: docker-compose automatically loads .env from the project directory as environment variables, and the `${VAR}` references in docker-compose.yml are resolved from it.

```ini
# The version number can be changed to match the project release you deploy
Version=v2.24.0
TZ=Asia/Shanghai

# Compose
COMPOSE_PROJECT_NAME=jms
COMPOSE_HTTP_TIMEOUT=3600
DOCKER_CLIENT_TIMEOUT=3600
DOCKER_SUBNET=172.16.240.0/24

# Persistent storage
VOLUME_DIR=/data/jumpserver

# MySQL
# Fill in your MySQL server details
DB_HOST=jms_db
DB_PORT=3306
DB_ROOT_PASSWORD=Aa123456
DB_USER=jumpserver
DB_PASSWORD=jumpserver
DB_NAME=jumpserver

# Redis
# Fill in your Redis server details
REDIS_HOST=jms_redis
REDIS_PORT=6379
REDIS_PASSWORD=8URXPL2x3HZMi7xoGTdk3Upj

# Core
UI_PORT=8088
DEBUG=FALSE
LOG_LEVEL=ERROR

# SECRET_KEY is the key that protects signed and encrypted data. Change it on first
# install and keep it safe; it must not change on later upgrades or migrations,
# otherwise encrypted data can no longer be decrypted.
# BOOTSTRAP_TOKEN is the key components use to authenticate, only while they register.
# Components are koko and the Guacamole component (lion in the compose file below).
SECRET_KEY=C72P84gH0RzQCYGW4nINLUZMKKzWwsnntzBiWK3jo4g0vWq71V
BOOTSTRAP_TOKEN=nKp3K2P0oSDuIS2u
```

Replace SECRET_KEY and BOOTSTRAP_TOKEN with the values generated in the previous step, and define each key exactly once: with two SECRET_KEY= lines in the file only one of them takes effect, and it is easy to end up encrypting the database with a different key than the one you recorded. The MySQL and Redis passwords shown are placeholders; Aa123456 and jumpserver are weak and should not survive into a real deployment. This file now holds every secret of the installation, so keep it owner-readable only.
docker-compose orchestration

Example

```yaml
version: '3'
services:
  jms_db:
    container_name: jms_db
    image: mysql:8.0
    restart: always
    security_opt:
      - seccomp:unconfined
    volumes:
      - /etc/localtime:/etc/localtime
      - $VOLUME_DIR/mysql:/var/lib/mysql
    environment:
      TZ: Asia/Shanghai
      MYSQL_ROOT_PASSWORD: ${DB_ROOT_PASSWORD}
      MYSQL_USER: ${DB_USER}
      MYSQL_PASSWORD: ${DB_PASSWORD}
      MYSQL_DATABASE: ${DB_NAME}
    command: --character-set-server=utf8 --collation-server=utf8_general_ci --default-authentication-plugin=mysql_native_password --skip-name-resolve
    deploy:
      resources:
        limits:
          memory: 4G
    networks:
      - jumpserver

  jms_redis:
    container_name: jms_redis
    image: redis:6.2.1
    restart: always
    command: redis-server --requirepass $REDIS_PASSWORD --loglevel warning --maxmemory-policy allkeys-lru
    environment:
      REDIS_PORT: $REDIS_PORT
      REDIS_PASSWORD: $REDIS_PASSWORD
    healthcheck:
      test: "redis-cli -h 127.0.0.1 -p $$REDIS_PORT -a $$REDIS_PASSWORD info Replication"
      interval: 10s
      timeout: 5s
      retries: 3
      start_period: 10s
    volumes:
      - $VOLUME_DIR/redis:/data
    networks:
      - jumpserver

  core:
    image: jumpserver/core:${Version}
    container_name: jms_core
    restart: always
    tty: true
    command: start web
    environment:
      SECRET_KEY: $SECRET_KEY
      BOOTSTRAP_TOKEN: $BOOTSTRAP_TOKEN
      DEBUG: $DEBUG
      LOG_LEVEL: $LOG_LEVEL
      DB_HOST: $DB_HOST
      DB_PORT: $DB_PORT
      DB_USER: $DB_USER
      DB_PASSWORD: $DB_PASSWORD
      DB_NAME: $DB_NAME
      REDIS_HOST: $REDIS_HOST
      REDIS_PORT: $REDIS_PORT
      REDIS_PASSWORD: $REDIS_PASSWORD
    healthcheck:
      test: "curl -fsL http://localhost:8080/api/health/ > /dev/null"
      interval: 10s
      timeout: 5s
      retries: 3
      start_period: 90s
    volumes:
      - ${VOLUME_DIR}/core/data:/opt/jumpserver/data
      - ${VOLUME_DIR}/core/logs:/opt/jumpserver/logs
    networks:
      - jumpserver

  celery:
    image: jumpserver/core:${Version}
    container_name: jms_celery
    restart: always
    tty: true
    command: start task
    environment:
      SECRET_KEY: $SECRET_KEY
      BOOTSTRAP_TOKEN: $BOOTSTRAP_TOKEN
      DEBUG: $DEBUG
      LOG_LEVEL: $LOG_LEVEL
      DB_HOST: $DB_HOST
      DB_PORT: $DB_PORT
      DB_USER: $DB_USER
      DB_PASSWORD: $DB_PASSWORD
      DB_NAME: $DB_NAME
      REDIS_HOST: $REDIS_HOST
      REDIS_PORT: $REDIS_PORT
      REDIS_PASSWORD: $REDIS_PASSWORD
    depends_on:
      core:
        condition: service_healthy
    healthcheck:
      test: "bash /opt/jumpserver/utils/check_celery.sh"
      interval: 10s
      timeout: 5s
      retries: 3
      start_period: 30s
    volumes:
      - ${VOLUME_DIR}/core/data:/opt/jumpserver/data
      - ${VOLUME_DIR}/core/logs:/opt/jumpserver/logs
    networks:
      - jumpserver

  koko:
    image: jumpserver/koko:${Version}
    container_name: jms_koko
    restart: always
    privileged: true
    tty: true
    environment:
      CORE_HOST: http://core:8080
      BOOTSTRAP_TOKEN: $BOOTSTRAP_TOKEN
      LOG_LEVEL: $LOG_LEVEL
    depends_on:
      core:
        condition: service_healthy
    healthcheck:
      test: "curl -fsL http://localhost:5000/koko/health/ > /dev/null"
      interval: 10s
      timeout: 5s
      retries: 3
      start_period: 10s
    volumes:
      - ${VOLUME_DIR}/koko/data:/opt/koko/data
    ports:
      - 2222:2222
    networks:
      - jumpserver

  lion:
    image: jumpserver/lion:${Version}
    container_name: jms_lion
    restart: always
    tty: true
    environment:
      CORE_HOST: http://core:8080
      BOOTSTRAP_TOKEN: $BOOTSTRAP_TOKEN
      LOG_LEVEL: $LOG_LEVEL
    depends_on:
      core:
        condition: service_healthy
    healthcheck:
      test: "curl -fsL http://localhost:8081/lion/health/ > /dev/null"
      interval: 10s
      timeout: 5s
      retries: 3
      start_period: 10s
    volumes:
      - ${VOLUME_DIR}/lion/data:/opt/lion/data
    networks:
      - jumpserver

  magnus:
    image: jumpserver/magnus:${Version}
    container_name: jms_magnus
    restart: always
    tty: true
    environment:
      CORE_HOST: http://core:8080
      BOOTSTRAP_TOKEN: $BOOTSTRAP_TOKEN
      LOG_LEVEL: $LOG_LEVEL
    depends_on:
      core:
        condition: service_healthy
    healthcheck:
      test: "ps axu | grep -v 'grep' | grep magnus"
      interval: 10s
      timeout: 5s
      retries: 3
      start_period: 10s
    volumes:
      - ${VOLUME_DIR}/magnus/data:/opt/magnus/data
    ports:
      - 33060:33060
      - 33061:33061
    networks:
      - jumpserver

  web:
    image: jumpserver/web:${Version}
    container_name: jms_web
    restart: always
    tty: true
    depends_on:
      core:
        condition: service_healthy
    healthcheck:
      test: "curl -fsL http://localhost/ > /dev/null"
      interval: 10s
      timeout: 5s
      retries: 3
      start_period: 10s
    volumes:
      - ${VOLUME_DIR}/core/data:/opt/jumpserver/data
      - ${VOLUME_DIR}/nginx/data/logs:/var/log/nginx
    ports:
      - $UI_PORT:80
    networks:
      - jumpserver

networks:
  jumpserver:
```

Points to check before bringing this up:

- `depends_on` with `condition: service_healthy` is not accepted by the legacy compose file format 3 (docker-compose 1.x rejects it as an invalid type). It needs Docker Compose v2, which follows the Compose Specification and ignores the `version` key.
- koko runs with `privileged: true`, which hands the SSH gateway container every capability and access to all host devices. It is also the service exposed on port 2222, so confirm that the version you deploy actually needs this before keeping it.
- jms_db disables seccomp (`seccomp:unconfined`). This is commonly added to silence MySQL 8 warnings under Docker's default profile, but it removes the syscall filter for the database container entirely.
- Every `ports:` entry publishes on all host interfaces: the web UI, SSH on 2222 and the magnus database proxy on 33060/33061. If the UI sits behind a reverse proxy or a VPN, bind it to that interface instead (for example `127.0.0.1:8088:80`), and do not publish the magnus ports unless the database proxy is used.
- /etc/localtime is mounted read-write into jms_db; add `:ro`.
- The MySQL root password and all other secrets come straight from .env, so the permissions on that file matter as much as those on the SECRET directory.
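A pre-flight check covering both the .env file above and this compose file, added here as an example (it is not part of the JumpServer project). `check_env` reports duplicate keys and weak or too-short secrets; `audit_compose` attributes privileged containers, disabled seccomp and host-wide port publication to the service they belong to. The minimum lengths, the list of weak values and the script name preflight.sh are this example's own choices; the length floors for SECRET_KEY and BOOTSTRAP_TOKEN follow the generator earlier on this page:

```sh
#!/bin/sh
# Added example, not from the JumpServer project: pre-flight checks for .env
# and docker-compose.yml before `docker-compose up -d`.
set -eu

# env_value FILE KEY: value of the last KEY= line, which is the one that wins
env_value() {
    grep "^$2=" "$1" | tail -n 1 | cut -d= -f2-
}

# check_env FILE: one finding per line on stdout; returns 1 if any, else 0.
check_env() {
    file="$1"; rc=0
    # duplicate keys: only one definition takes effect, silently
    for k in $(grep -E '^[A-Za-z_][A-Za-z0-9_]*=' "$file" | cut -d= -f1 | sort | uniq -d); do
        echo "duplicate key: $k"; rc=1
    done
    # KEY:MINLEN; 50/16 match the generator above, 12 is this example's floor
    # for the database and Redis passwords
    for spec in SECRET_KEY:50 BOOTSTRAP_TOKEN:16 DB_ROOT_PASSWORD:12 DB_PASSWORD:12 REDIS_PASSWORD:12; do
        k=${spec%%:*}; min=${spec##*:}
        v=$(env_value "$file" "$k")
        case "$v" in
            ''|Aa123456|jumpserver|admin|password|123456)
                echo "weak value: $k"; rc=1; continue ;;
        esac
        [ "${#v}" -ge "$min" ] || { echo "too short: $k (${#v} < $min)"; rc=1; }
    done
    return $rc
}

# audit_compose FILE: flag privilege and exposure settings per service.
# Service names are the 2-space-indented keys under services:; a ports entry
# of the form HOST:CONTAINER (no interface address) is published on 0.0.0.0.
audit_compose() {
    awk '
        /^  [A-Za-z0-9_-]+:[ \t]*$/ { svc = $1; sub(":", "", svc) }
        /privileged:[ \t]*true/     { print svc ": privileged container"; n++ }
        /seccomp:unconfined/        { print svc ": seccomp disabled"; n++ }
        /^[ \t]*-[ \t]*"?[^:" \t]+:[0-9]+"?[ \t]*$/ {
            p = $2; gsub("\"", "", p)
            print svc ": port " p " published on all interfaces"; n++
        }
        END { exit (n > 0) }
    ' "$1"
}

# Usage: sh preflight.sh .env docker-compose.yml
if [ "$#" -eq 2 ]; then
    rc=0
    check_env "$1" || rc=1
    audit_compose "$2" || rc=1
    exit $rc
fi
```

Run it from the project directory; a non-zero exit means at least one finding was printed. The compose audit is line-based on purpose: it is meant to catch the settings discussed above in the rendered file, not to replace `docker-compose config`, which should still be run to validate the YAML itself.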
Start JMS

Create and start the containers:

```bash
docker-compose up -d
```

Wait a moment and check with `docker-compose ps`. Once the jms_core health check reports healthy, the services that depend on it start and the whole stack comes up.

Verify: http://ip:port, where the port is UI_PORT from .env (8088 in the example above). Login: admin/admin. Change this default password immediately after the first login: with the compose file above the web UI, the SSH gateway on 2222 and the magnus proxy on 33060/33061 are all reachable on every host interface from the moment the containers are up.
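The "wait until jms_core is healthy" step as a script, added here as an example (it is not part of the JumpServer project). It polls the container's health state through `docker inspect` and gives up after a timeout instead of assuming the stack is up; the script name wait_healthy.sh and the 180-second default are this example's choices, sized against the 90-second start_period in the compose file:

```sh
#!/bin/sh
# Added example, not from the JumpServer project: block until a container's
# Docker healthcheck reports healthy, or fail after a timeout.
set -eu

# health_status NAME: docker's health state for a container, or "missing"
# when the container does not exist or has no healthcheck.
health_status() {
    docker inspect --format '{{.State.Health.Status}}' "$1" 2>/dev/null || echo missing
}

# wait_healthy NAME TIMEOUT_SECONDS INTERVAL_SECONDS
# Polls health_status until it returns "healthy". Prints the number of polls
# taken (useful for seeing how long startup really needs) and returns 0;
# returns 1 once TIMEOUT_SECONDS have elapsed without a healthy status.
wait_healthy() {
    name="$1"; timeout="$2"; interval="$3"
    elapsed=0; polls=0
    while [ "$elapsed" -lt "$timeout" ]; do
        polls=$((polls + 1))
        status=$(health_status "$name")
        if [ "$status" = "healthy" ]; then
            echo "$polls"
            return 0
        fi
        sleep "$interval"
        elapsed=$((elapsed + interval))
    done
    echo "$polls"
    return 1
}

# Usage: sh wait_healthy.sh jms_core [TIMEOUT_SECONDS]
if [ "$#" -ge 1 ]; then
    if wait_healthy "$1" "${2:-180}" 10 > /dev/null; then
        echo "$1 is healthy"
    else
        echo "$1 did not become healthy in time; inspect with: docker-compose logs $1" >&2
        exit 1
    fi
fi
```

Chain it in front of any post-install step (creating the first real admin account, changing the admin/admin password, registering assets) so that those steps run against a core that is actually serving rather than one still running migrations.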