
JumpServer高可用部署

科普

Jumpserver 是一个开源的堡垒机(也称为跳板机)系统,用于管理和审计服务器访问。它提供安全的登录入口,用户需要通过 Jumpserver 访问目标服务器,从而确保所有访问行为都被记录和监控。

关键特点包括:

  1. 权限控制​:细粒度的用户权限管理,确保只有授权用户才能访问特定资源。
  2. 操作审计​:记录用户的操作行为,便于追踪和审计。
  3. 多协议支持​:支持 SSH、RDP 等多种协议,适用于不同类型的服务器。
  4. 便捷管理​:提供图形化管理界面,简化服务器和用户的管理。

部署方式

单节点

太简单,略过

高可用

架构规划

| 主机名 | IP | 任务 |
| --- | --- | --- |
| jump-basicserver | 192.168.31.66 | NFS、Mysql |
| jump01 | 192.168.31.67 | jumpserver |
| jump02 | 192.168.31.68 | jumpserver |
| jump03 | 192.168.31.69 | jumpserver |
| jump04 | 192.168.31.70 | jumpserver |
| HAproxyjump | 192.168.31.140 | LoadBalance |
| minIOjump | 192.168.31.141 | Ceph |
| ElasticSearchjump | 192.168.31.142 | ElasticSearch |

架构图

部署要求

软件要求

| 软件 | 版本 |
| --- | --- |
| Mysql | >=5.7 |
| MariaDB | >=10.2 |
| Redis | >=5 |

机器硬件要求

| 角色 | 配置 |
| --- | --- |
| Ha、jumpserver | 2C 2G 50G |
| basicserver | 4C 4G 50G |
| HAproxy | 2C 2G 50G |
| MinIO | 2C 2G 50G |
| ElasticSearch⚠ | 4C 4G 50G |

部署流程

基本的防火墙,selinux,请关闭! ⚠ 生产环境除外

配置基础的阿里yum源

https://developer.aliyun.com/mirror/centos?spm=a2c6h.13651102.0.0.3e221b11aMW5oE

基本服务
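#### jumpbasicserver
# NFS server. /data is exported to the JumpServer nodes, which mount it as
# /opt/jumpserver/core/data so core data (recordings etc.) is shared.
yum -y install epel-release
yum makecache fast
# The CentOS/RHEL package is nfs-utils; "nfs-tools" does not exist in the
# base repos, so the original install line would fail on it.
yum install -y nfs-utils rpcbind

systemctl enable --now rpcbind nfs-server nfs-lock nfs-idmap

# -p keeps the step re-runnable on a host that already has /data.
mkdir -p /data
# all_squash with anonuid/anongid=0 (below) maps every client user to root,
# so the directory mode is the only thing limiting access; 777 plus
# squash-to-root is lab-only -- tighten both for a production export.
chmod -R 777 /data

# Append the export instead of editing /etc/exports by hand. The quoted
# delimiter keeps the shell from globbing the client pattern. The client
# range is given as an IP network (address/prefix), the form exports(5)
# documents for address ranges, rather than the wildcard the original used.
cat >> /etc/exports <<'EOF'
/data 192.168.31.0/24(rw,sync,all_squash,anonuid=0,anongid=0)
EOF

exportfs -a
# Show the active export list so a typo in /etc/exports is caught here,
# before the nodes try to mount.
exportfs -v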

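# MySQL 5.7 (the original heading said MariaDB, but mysql-community-server
# is what gets installed; the requirements table allows either).
# The repo rpm is fetched over https so the package metadata cannot be
# altered in transit, and the release key is imported so yum verifies
# package signatures.
yum -y localinstall https://mirrors.ustc.edu.cn/mysql-repo/mysql57-community-release-el7.rpm
rpm --import https://repo.mysql.com/RPM-GPG-KEY-mysql-2022
yum install mysql-community-server -y

# Make the first start initialize the datadir with a password-less root
# instead of the random root password --initialize writes to the log.
# This is what lets "mysql -uroot" below work without a password; set a
# root password once the bootstrap is done. grep -q replaces the
# cat | grep | grep chain of the original.
if ! grep -v '^#' /usr/bin/mysqld_pre_systemd | grep -q 'initialize-insecure'; then
  sed -i 's@--initialize @--initialize-insecure @g' /usr/bin/mysqld_pre_systemd
fi

systemctl enable --now mysqld

# Bootstrap the JumpServer database and account. The password is 12345678,
# matching DB_PASSWORD in the config of every jump node (the original used
# 123456 here, which no node is configured with and which validate_password
# rejects even at LOW, whose default minimum length is 8).
# 'jumpserver'@'%' accepts connections from any host; narrow it to the node
# subnet (e.g. 'jumpserver'@'192.168.31.%') outside a lab.
mysql -uroot <<'EOF'
create database jumpserver default charset 'utf8';
set global validate_password_policy=LOW;
create user 'jumpserver'@'%' identified by '12345678';
grant all on jumpserver.* to 'jumpserver'@'%';
flush privileges;
EOF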
    
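# Redis 5 built from source: the requirements table needs Redis >= 5 and the
# summary notes a too-old Redis breaks JumpServer. The tarball is fetched
# over https -- the plain-http URL in the original gave no integrity for
# code that is then compiled and run as root.
yum -y install gcc make
wget https://download.redis.io/releases/redis-5.0.0.tar.gz
tar -xf redis-5.0.0.tar.gz -C /opt/
cd /opt/redis-5.0.0
make
make install PREFIX=/usr/local/redis

cd /usr/local/redis/bin/
cp /opt/redis-5.0.0/redis.conf .

# Settings appended to the copied redis.conf; Redis applies directives in
# file order, so these override the defaults earlier in the file.
#   bind 0.0.0.0 + protected-mode no: reachable from the whole network, so
#   requirepass is the only barrier -- bind to the address the jump nodes
#   use and choose a strong password outside a lab.
#   daemonize yes pairs with Type=forking in the unit below.
cat >> redis.conf <<'EOF'
bind 0.0.0.0
protected-mode no
daemonize yes
maxmemory-policy allkeys-lru
requirepass 12345678
EOF

# Run under systemd from the start; the original hand-started the server,
# pkill'ed it and then started it again through the unit.
cat > /etc/systemd/system/redis.service <<'EOF'
[Unit]
Description=redis-server
After=network.target

[Service]
Type=forking
ExecStart=/usr/local/redis/bin/redis-server /usr/local/redis/bin/redis.conf
PrivateTmp=true

[Install]
WantedBy=multi-user.target
EOF

systemctl daemon-reload
systemctl enable --now redis
# Non-zero here means the unit did not come up; check journalctl -u redis.
systemctl is-active redis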
Jumpserver
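### jump01
# One JumpServer node. The NFS export from jump-basicserver is mounted as
# the core data directory so recordings are shared between the nodes.
# The client side of NFS needs nfs-utils too; the original never installed
# it on the jump nodes, so "mount -t nfs" had no mount.nfs helper.
yum install -y nfs-utils
mkdir -p /opt/jumpserver/core/data
mount -t nfs 192.168.31.66:/data /opt/jumpserver/core/data
# Add the fstab entry only once so re-running this on the same host does
# not accumulate duplicate lines.
if ! grep -q '192.168.31.66:/data /opt/jumpserver/core/data' /etc/fstab; then
  echo "192.168.31.66:/data /opt/jumpserver/core/data nfs defaults 0 0" >> /etc/fstab
fi

cd /opt/
# https rather than the original http URL: github redirects to https anyway,
# but the first request would otherwise leave in clear text.
wget https://github.com/jumpserver/installer/releases/download/v2.28.8/jumpserver-installer-v2.28.8.tar.gz
tar -xf jumpserver-installer-v2.28.8.tar.gz
cd jumpserver-installer-v2.28.8/

# Apply the settings to config-example.txt. set_kv replaces the key when the
# template already has it and appends it otherwise, so nothing is silently
# dropped when a key is missing or commented out in the template.
set_kv() {
  local key=$1 value=$2 file=$3
  if grep -q "^${key}=" "$file"; then
    sed -i "s|^${key}=.*|${key}=${value}|" "$file"
  else
    printf '%s=%s\n' "$key" "$value" >> "$file"
  fi
}
cfg=config-example.txt
set_kv VOLUME_DIR /opt/jumpserver "$cfg"
# SECRET_KEY and BOOTSTRAP_TOKEN must be identical on every node of the
# cluster and unique to this deployment; the values below are the article's
# examples, not ones to reuse.
set_kv SECRET_KEY kWQdmdCQKjaWlHYpPhkNQDkfaRulM6YnHctsHLlSPs8287o2kW "$cfg"
set_kv BOOTSTRAP_TOKEN KXOeyNgDeTdpeu9q "$cfg"
set_kv DB_HOST 192.168.31.66 "$cfg"
set_kv DB_PORT 3306 "$cfg"
set_kv DB_USER jumpserver "$cfg"
set_kv DB_PASSWORD 12345678 "$cfg"
set_kv DB_NAME jumpserver "$cfg"
# jump02-jump04 set USE_EXTERNAL_REDIS=1 to use the Redis on
# jump-basicserver; the original jump01 config omitted it, which
# presumably leaves this node on the installer's own Redis and outside the
# shared KoKo rooms -- all four nodes should agree on it.
set_kv USE_EXTERNAL_REDIS 1 "$cfg"
set_kv REDIS_HOST 192.168.31.66 "$cfg"
set_kv REDIS_PORT 6379 "$cfg"
set_kv REDIS_PASSWORD 12345678 "$cfg"
# NOTE(review): the template also carries a switch for an external MySQL
# (USE_EXTERNAL_MYSQL); it is not set anywhere in this article -- confirm
# it is enabled, otherwise the installer may bring up a local database.
# KoKo
set_kv SHARE_ROOM_TYPE redis "$cfg"
set_kv REUSE_CONNECTION False "$cfg"

./jmsctl.sh install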

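### jump02
# Second JumpServer node; same layout as jump01. nfs-utils supplies the
# mount.nfs helper that "mount -t nfs" needs (the original never installed
# it on the jump nodes).
yum install -y nfs-utils
mkdir -p /opt/jumpserver/core/data
mount -t nfs 192.168.31.66:/data /opt/jumpserver/core/data
# Add the fstab entry only once so re-running this does not duplicate it.
if ! grep -q '192.168.31.66:/data /opt/jumpserver/core/data' /etc/fstab; then
  echo "192.168.31.66:/data /opt/jumpserver/core/data nfs defaults 0 0" >> /etc/fstab
fi

cd /opt/
# https rather than the original http URL.
wget https://github.com/jumpserver/installer/releases/download/v2.28.8/jumpserver-installer-v2.28.8.tar.gz
tar -xf jumpserver-installer-v2.28.8.tar.gz
# The original jump02 steps ran ./jmsctl.sh install from /opt/ without
# entering the unpacked directory, where the script does not exist.
cd jumpserver-installer-v2.28.8/

# Apply the settings to config-example.txt: replace the key when present,
# append it otherwise, so nothing is dropped if the template lacks a key.
set_kv() {
  local key=$1 value=$2 file=$3
  if grep -q "^${key}=" "$file"; then
    sed -i "s|^${key}=.*|${key}=${value}|" "$file"
  else
    printf '%s=%s\n' "$key" "$value" >> "$file"
  fi
}
cfg=config-example.txt
set_kv VOLUME_DIR /opt/jumpserver "$cfg"
# SECRET_KEY and BOOTSTRAP_TOKEN must match the other nodes exactly and be
# unique to this deployment; these are the article's example values.
set_kv SECRET_KEY kWQdmdCQKjaWlHYpPhkNQDkfaRulM6YnHctsHLlSPs8287o2kW "$cfg"
set_kv BOOTSTRAP_TOKEN KXOeyNgDeTdpeu9q "$cfg"
set_kv DB_HOST 192.168.31.66 "$cfg"
set_kv DB_PORT 3306 "$cfg"
set_kv DB_USER jumpserver "$cfg"
set_kv DB_PASSWORD 12345678 "$cfg"
set_kv DB_NAME jumpserver "$cfg"
set_kv USE_EXTERNAL_REDIS 1 "$cfg"
set_kv REDIS_HOST 192.168.31.66 "$cfg"
set_kv REDIS_PORT 6379 "$cfg"
set_kv REDIS_PASSWORD 12345678 "$cfg"
# KoKo. jump01, jump03 and jump04 set REUSE_CONNECTION=False; the original
# jump02 config left it out, so this node would behave differently from the
# rest of the cluster.
set_kv SHARE_ROOM_TYPE redis "$cfg"
set_kv REUSE_CONNECTION False "$cfg"

./jmsctl.sh install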

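### jump03
# Third JumpServer node; same layout as jump01. nfs-utils supplies the
# mount.nfs helper that "mount -t nfs" needs (the original never installed
# it on the jump nodes).
yum install -y nfs-utils
mkdir -p /opt/jumpserver/core/data
mount -t nfs 192.168.31.66:/data /opt/jumpserver/core/data
# Add the fstab entry only once so re-running this does not duplicate it.
if ! grep -q '192.168.31.66:/data /opt/jumpserver/core/data' /etc/fstab; then
  echo "192.168.31.66:/data /opt/jumpserver/core/data nfs defaults 0 0" >> /etc/fstab
fi

cd /opt/
# https rather than the original http URL.
wget https://github.com/jumpserver/installer/releases/download/v2.28.8/jumpserver-installer-v2.28.8.tar.gz
tar -xf jumpserver-installer-v2.28.8.tar.gz
# The original jump03 steps ran ./jmsctl.sh install from /opt/ without
# entering the unpacked directory, where the script does not exist.
cd jumpserver-installer-v2.28.8/

# Apply the settings to config-example.txt: replace the key when present,
# append it otherwise, so nothing is dropped if the template lacks a key.
set_kv() {
  local key=$1 value=$2 file=$3
  if grep -q "^${key}=" "$file"; then
    sed -i "s|^${key}=.*|${key}=${value}|" "$file"
  else
    printf '%s=%s\n' "$key" "$value" >> "$file"
  fi
}
cfg=config-example.txt
set_kv VOLUME_DIR /opt/jumpserver "$cfg"
# SECRET_KEY and BOOTSTRAP_TOKEN must match the other nodes exactly and be
# unique to this deployment; these are the article's example values.
set_kv SECRET_KEY kWQdmdCQKjaWlHYpPhkNQDkfaRulM6YnHctsHLlSPs8287o2kW "$cfg"
set_kv BOOTSTRAP_TOKEN KXOeyNgDeTdpeu9q "$cfg"
set_kv DB_HOST 192.168.31.66 "$cfg"
set_kv DB_PORT 3306 "$cfg"
set_kv DB_USER jumpserver "$cfg"
set_kv DB_PASSWORD 12345678 "$cfg"
set_kv DB_NAME jumpserver "$cfg"
set_kv USE_EXTERNAL_REDIS 1 "$cfg"
set_kv REDIS_HOST 192.168.31.66 "$cfg"
set_kv REDIS_PORT 6379 "$cfg"
set_kv REDIS_PASSWORD 12345678 "$cfg"
# KoKo
set_kv SHARE_ROOM_TYPE redis "$cfg"
set_kv REUSE_CONNECTION False "$cfg"

./jmsctl.sh install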

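### jump04
# Fourth JumpServer node; same layout as jump01. nfs-utils supplies the
# mount.nfs helper that "mount -t nfs" needs (the original never installed
# it on the jump nodes).
yum install -y nfs-utils
mkdir -p /opt/jumpserver/core/data
mount -t nfs 192.168.31.66:/data /opt/jumpserver/core/data
# Add the fstab entry only once so re-running this does not duplicate it.
if ! grep -q '192.168.31.66:/data /opt/jumpserver/core/data' /etc/fstab; then
  echo "192.168.31.66:/data /opt/jumpserver/core/data nfs defaults 0 0" >> /etc/fstab
fi

cd /opt/
# https rather than the original http URL.
wget https://github.com/jumpserver/installer/releases/download/v2.28.8/jumpserver-installer-v2.28.8.tar.gz
tar -xf jumpserver-installer-v2.28.8.tar.gz
# The original jump04 steps ran ./jmsctl.sh install from /opt/ without
# entering the unpacked directory, where the script does not exist.
cd jumpserver-installer-v2.28.8/

# Apply the settings to config-example.txt: replace the key when present,
# append it otherwise, so nothing is dropped if the template lacks a key.
set_kv() {
  local key=$1 value=$2 file=$3
  if grep -q "^${key}=" "$file"; then
    sed -i "s|^${key}=.*|${key}=${value}|" "$file"
  else
    printf '%s=%s\n' "$key" "$value" >> "$file"
  fi
}
cfg=config-example.txt
set_kv VOLUME_DIR /opt/jumpserver "$cfg"
# SECRET_KEY and BOOTSTRAP_TOKEN must match the other nodes exactly and be
# unique to this deployment; these are the article's example values.
set_kv SECRET_KEY kWQdmdCQKjaWlHYpPhkNQDkfaRulM6YnHctsHLlSPs8287o2kW "$cfg"
set_kv BOOTSTRAP_TOKEN KXOeyNgDeTdpeu9q "$cfg"
set_kv DB_HOST 192.168.31.66 "$cfg"
set_kv DB_PORT 3306 "$cfg"
set_kv DB_USER jumpserver "$cfg"
set_kv DB_PASSWORD 12345678 "$cfg"
set_kv DB_NAME jumpserver "$cfg"
set_kv USE_EXTERNAL_REDIS 1 "$cfg"
set_kv REDIS_HOST 192.168.31.66 "$cfg"
set_kv REDIS_PORT 6379 "$cfg"
set_kv REDIS_PASSWORD 12345678 "$cfg"
# KoKo
set_kv SHARE_ROOM_TYPE redis "$cfg"
set_kv REUSE_CONNECTION False "$cfg"

./jmsctl.sh install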
HAproxy
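### HAproxyjump
yum -y install epel-release
yum install -y haproxy

# Keep the stock file for reference; the configuration below replaces it
# wholesale. A quoted heredoc is used so the \r\n and "\ " escapes in the
# httpchk lines reach the file untouched.
cp -n /etc/haproxy/haproxy.cfg /etc/haproxy/haproxy.cfg.orig
cat > /etc/haproxy/haproxy.cfg <<'EOF'
#---------------------------------------------------------------------
# Global settings
#---------------------------------------------------------------------
global
    # to have these messages end up in /var/log/haproxy.log you will
    # need to:
    #
    # 1) configure syslog to accept network log events.  This is done
    #    by adding the '-r' option to the SYSLOGD_OPTIONS in
    #    /etc/sysconfig/syslog
    #
    # 2) configure local2 events to go to the /var/log/haproxy.log
    #   file. A line like the following can be added to
    #   /etc/sysconfig/syslog
    #
    #    local2.*                       /var/log/haproxy.log
    #
    log         127.0.0.1 local2

    chroot      /var/lib/haproxy
    pidfile     /var/run/haproxy.pid
    maxconn     4000
    user        haproxy
    group       haproxy
    daemon

    # turn on stats unix socket
    stats socket /var/lib/haproxy/stats

#---------------------------------------------------------------------
# common defaults that all the 'listen' and 'backend' sections will
# use if not designated in their block
#---------------------------------------------------------------------
defaults
    mode                    http
    log                     global
    option                  httplog
    option                  dontlognull
    option http-server-close
    option forwardfor       except 127.0.0.0/8
    option                  redispatch
    retries                 3
    timeout http-request    10s
    timeout queue           1m
    timeout connect         10s
    timeout client          1m
    timeout server          1m
    timeout http-keep-alive 10s
    timeout check           10s
    maxconn                 3000

# Stats page. It listens on every interface behind a fixed admin password;
# bind it to the management address (bind 192.168.31.140:8080) or restrict
# it with an ACL before this host faces anything beyond the lab network.
listen stats
    bind *:8080
    mode http
    stats enable
    stats uri /haproxy
    stats refresh 5s
    stats realm haproxy-status
    stats auth admin:12345678

#---------------------------------------------------------------------
# check   health-check parameters
# inter   interval between checks, in milliseconds (or with a unit, e.g. 2s)
# rise    consecutive successes before a server is marked up
# fall    consecutive failures before a server is marked down
# e.g. inter 2s rise 2 fall 3
# checks every 2 seconds; 2 passes in a row -> up, 3 failures in a row -> down
#
# server  parameters
# server 192.168.31.67 192.168.31.67:80 weight 1 cookie web01
# the first 192.168.31.67 is the label shown on the stats page; any string works
# the second 192.168.31.67:80 is the real backend address and port
# weight   relative share of traffic when there are several nodes
# cookie   the client's cookie carries this value, identifying which backend served it
# e.g. server db01 192.168.31.67:3306 weight 1 cookie db_01
#---------------------------------------------------------------------
listen jms-web
    bind *:80
    mode http
    # redirect scheme https if !{ ssl_fc }  # redirect to https
    # bind *:443 ssl crt /opt/ssl.pem       # https settings
    option httpclose
    option forwardfor
    option httpchk GET /api/health/         # Core health endpoint

    cookie SERVERID insert indirect
    hash-type consistent
    fullconn 500
    balance leastconn
    # Each server needs its own cookie value: the original gave jump04 the
    # same "web03" as jump03, so a SERVERID cookie could not tell the two
    # apart and sticky sessions presumably landed on whichever matched first.
    server 192.168.31.67 192.168.31.67:80 weight 1 cookie web01 check inter 2s rise 2 fall 3  # JumpServer nodes
    server 192.168.31.68 192.168.31.68:80 weight 1 cookie web02 check inter 2s rise 2 fall 3
    server 192.168.31.69 192.168.31.69:80 weight 1 cookie web03 check inter 2s rise 2 fall 3
    server 192.168.31.70 192.168.31.70:80 weight 1 cookie web04 check inter 2s rise 2 fall 3

listen jms-ssh
    bind *:2222
    mode tcp

    option tcp-check

    fullconn 500
    balance source
    server 192.168.31.67 192.168.31.67:2222 weight 1 check inter 2s rise 2 fall 3 send-proxy
    server 192.168.31.68 192.168.31.68:2222 weight 1 check inter 2s rise 2 fall 3 send-proxy
    server 192.168.31.69 192.168.31.69:2222 weight 1 check inter 2s rise 2 fall 3 send-proxy
    server 192.168.31.70 192.168.31.70:2222 weight 1 check inter 2s rise 2 fall 3 send-proxy

# NOTE(review): jms-koko and jms-lion have no "bind" line, so HAProxy only
# warns about them and they receive no traffic; KoKo/Lion HTTP reaches the
# nodes through jms-web on :80. Either give them a bind or drop them.
listen jms-koko
    mode http

    option httpclose
    option forwardfor
    # The Host header must carry this HAProxy's own address; the original
    # still had the 192.168.100.100 placeholder from the example it was
    # copied from.
    option httpchk GET /koko/health/ HTTP/1.1\r\nHost:\ 192.168.31.140  # KoKo health endpoint

    cookie SERVERID insert indirect
    hash-type consistent
    fullconn 500
    balance leastconn
    server 192.168.31.67 192.168.31.67:80 weight 1 cookie web01 check inter 2s rise 2 fall 3
    server 192.168.31.68 192.168.31.68:80 weight 1 cookie web02 check inter 2s rise 2 fall 3
    server 192.168.31.69 192.168.31.69:80 weight 1 cookie web03 check inter 2s rise 2 fall 3
    server 192.168.31.70 192.168.31.70:80 weight 1 cookie web04 check inter 2s rise 2 fall 3

listen jms-lion
    mode http

    option httpclose
    option forwardfor
    option httpchk GET /lion/health/ HTTP/1.1\r\nHost:\ 192.168.31.140  # Lion health endpoint; Host is this HAProxy's address

    cookie SERVERID insert indirect
    hash-type consistent
    fullconn 500
    balance leastconn
    server 192.168.31.67 192.168.31.67:80 weight 1 cookie web01 check inter 2s rise 2 fall 3
    server 192.168.31.68 192.168.31.68:80 weight 1 cookie web02 check inter 2s rise 2 fall 3
    server 192.168.31.69 192.168.31.69:80 weight 1 cookie web03 check inter 2s rise 2 fall 3
    server 192.168.31.70 192.168.31.70:80 weight 1 cookie web04 check inter 2s rise 2 fall 3

listen jms-magnus
    bind *:30000
    mode tcp

    option tcp-check

    fullconn 500
    balance source
    server 192.168.31.67 192.168.31.67:30000 weight 1 check inter 2s rise 2 fall 3 send-proxy
    server 192.168.31.68 192.168.31.68:30000 weight 1 check inter 2s rise 2 fall 3 send-proxy
    server 192.168.31.69 192.168.31.69:30000 weight 1 check inter 2s rise 2 fall 3 send-proxy
    server 192.168.31.70 192.168.31.70:30000 weight 1 check inter 2s rise 2 fall 3 send-proxy

# The stock CentOS example (frontend "main" on *:5000 with the "static" and
# "app" backends on 127.0.0.1:4331/5001-5004) is deliberately left out: it
# bound an extra port and produced permanent failed-check noise for
# backends that do not exist on this host.
EOF

# The original never started the service, yet the test section below
# expects :80 and :8080 to answer. Validate the file first so a config
# error cannot leave the cluster's only entry point down.
haproxy -c -f /etc/haproxy/haproxy.cfg
systemctl enable --now haproxy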

#测试
访问 http://192.168.31.140:8080/haproxy
访问 http://192.168.31.140
关闭 jump01,02服务
访问 http://192.168.31.140
MinIO
部署MinIO
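### miniojump
# Docker CE from the Aliyun mirror of the docker-ce repo.
yum install -y yum-utils device-mapper-persistent-data lvm2
yum-config-manager --add-repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
sed -i 's+download.docker.com+mirrors.aliyun.com/docker-ce+' /etc/yum.repos.d/docker-ce.repo
yum makecache fast
yum -y install docker-ce

# Daemon config written as a file rather than typed into vi. The mirror
# list is the article's; note that the last entry is plain http.
mkdir -p /etc/docker
cat > /etc/docker/daemon.json <<'EOF'
{
  "live-restore": true,
  "registry-mirrors": ["https://hub-mirror.c.163.com", "https://bmtrgdvx.mirror.aliyuncs.com", "http://f1361db2.m.daocloud.io"],
  "log-driver": "json-file",
  "log-opts": {"max-file": "3", "max-size": "10m"}
}
EOF
systemctl enable --now docker

# ":latest" is whatever MinIO published most recently; pin a release tag
# (minio/minio:<RELEASE-TAG>) so a rebuild is reproducible and an image
# change cannot land silently.
docker pull minio/minio:latest

# Local directories the container persists into.
mkdir -p /opt/jumpserver/minio/{data,config}

# Credentials go in a root-only env file instead of -e on the command line,
# where they would show up in ps output and shell history. Change them
# before running; a lost password is recovered by recreating the container
# with a new one -- the data under /opt/jumpserver/minio is kept.
#   9000  API port (the endpoint JumpServer uses)
#   9001  console port
#   MINIO_ROOT_USER / MINIO_ROOT_PASSWORD  MinIO account
install -m 600 /dev/null /opt/jumpserver/minio/minio.env
cat > /opt/jumpserver/minio/minio.env <<'EOF'
MINIO_ROOT_USER=minio
MINIO_ROOT_PASSWORD=12345678
EOF

# Both ports are published on every interface; bind them to the address the
# jump nodes use (e.g. -p 192.168.31.141:9000:9000) if this host also has a
# public-facing interface.
docker run --name jms_minio -d \
  -p 9000:9000 -p 9001:9001 \
  --env-file /opt/jumpserver/minio/minio.env \
  -v /opt/jumpserver/minio/data:/data \
  -v /opt/jumpserver/minio/config:/root/.minio \
  --restart=always \
  minio/minio:latest server /data --console-address ":9001"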

#浏览器访问
http://192.168.31.141:9000
创建桶

http://192.168.31.141:9000

登录 ------> Buckets ------> Create Bucket -----> jumpserver

添加桶

http://192.168.31.140

登录 ------> 右上角齿轮 ------> 终端设置 -----> 录像存储 ------> 创建Ceph

| 选项 | 值 | 说明 |
| --- | --- | --- |
| 名称 | jms-minio | 标识, 不可重复 |
| 桶名称 | jumpserver | Bucket Name |
| AK | minio | MINIO_ROOT_USER |
| SK | 12345678 | MINIO_ROOT_PASSWORD |
| 端点 | http://192.168.31.141:9000 | minio 服务访问地址 |
| 默认存储 | yes | 新组件将自动使用该存储 |
ElasticSearch
部署ElasticSearch
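### elasticsearchjump
# Docker CE from the Aliyun mirror of the docker-ce repo.
yum install -y yum-utils device-mapper-persistent-data lvm2
yum-config-manager --add-repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
sed -i 's+download.docker.com+mirrors.aliyun.com/docker-ce+' /etc/yum.repos.d/docker-ce.repo
yum makecache fast
yum -y install docker-ce

# Daemon config written as a file rather than typed into vi. The mirror
# list is the article's; note that the last entry is plain http.
mkdir -p /etc/docker
cat > /etc/docker/daemon.json <<'EOF'
{
  "live-restore": true,
  "registry-mirrors": ["https://hub-mirror.c.163.com", "https://bmtrgdvx.mirror.aliyuncs.com", "http://f1361db2.m.daocloud.io"],
  "log-driver": "json-file",
  "log-opts": {"max-file": "3", "max-size": "10m"}
}
EOF
systemctl enable --now docker

# The Elasticsearch image version is tied to the JumpServer version; 7.17.6
# is the one this article pairs with v2.28.8.
docker pull docker.elastic.co/elasticsearch/elasticsearch:7.17.6

# Local directories the container persists into.
mkdir -p /opt/jumpserver/elasticsearch/data /opt/jumpserver/elasticsearch/logs

# Kernel setting Elasticsearch needs for its mmap-backed indices; without it
# the node logs a max_map_count error (and refuses to start when bootstrap
# checks are enforced). Written to sysctl.d so it survives a reboot.
sysctl -w vm.max_map_count=262144
echo 'vm.max_map_count=262144' > /etc/sysctl.d/99-elasticsearch.conf

# Container settings:
#   9200  HTTP port used by JumpServer        9300  transport (cluster) port
#   discovery.type=single-node     one node, no cluster discovery
#   bootstrap.memory_lock=true     lock the heap in RAM, no swapping; needs
#                                  the memlock ulimit below, otherwise it only
#                                  produces a warning
#   xpack.security.enabled=true    turn on authentication
#   TAKE_FILE_OWNERSHIP=true       chown the mounted directories to the ES user
#   ES_JAVA_OPTS=-Xms512m -Xmx512m JVM heap; recommended about half the host's memory
#   elastic / ELASTIC_PASSWORD     built-in account and its password
# The password goes through a root-only env file rather than -e so it is not
# visible in ps output or shell history. Change it before running; a lost
# password is reset by recreating the container, the data on disk is kept.
install -m 600 /dev/null /opt/jumpserver/elasticsearch/es.env
cat > /opt/jumpserver/elasticsearch/es.env <<'EOF'
ELASTIC_PASSWORD=12345678
EOF

# network.host=0.0.0.0 together with -p on every interface exposes both
# ports to the whole network; bind to the node-facing address outside a lab.
docker run --name jms_es -d \
  -p 9200:9200 -p 9300:9300 \
  --ulimit memlock=-1:-1 \
  -e cluster.name=docker-cluster \
  -e discovery.type=single-node \
  -e network.host=0.0.0.0 \
  -e bootstrap.memory_lock="true" \
  -e xpack.security.enabled="true" \
  -e TAKE_FILE_OWNERSHIP="true" \
  -e ES_JAVA_OPTS="-Xms512m -Xmx512m" \
  --env-file /opt/jumpserver/elasticsearch/es.env \
  -v /opt/jumpserver/elasticsearch/data:/usr/share/elasticsearch/data \
  -v /opt/jumpserver/elasticsearch/logs:/usr/share/elasticsearch/logs \
  --restart=always \
  docker.elastic.co/elasticsearch/elasticsearch:7.17.6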
添加ElasticSearch

http://192.168.31.140

登录 ------> 右上角齿轮 ------> 终端设置 -----> 命令存储 ------> ElasticSearch

| 选项 | 值 | 说明 |
| --- | --- | --- |
| 名称 | jms-es | 标识, 不可重复 |
| 主机 | http://elastic:12345678@192.168.31.142:9200 | http://es_host:es_port |
| 默认存储 | yes | 新组件将自动使用该存储 |

⚠️ 如果这台机器的配置不够,将会报错==无效的ElasticSearch配置==

总结

  1. Redis版本过低,会导致访问异常,日志提示:==redis不支持xxxx数据类型==
  2. ElasticSearch机器配置不够,jumpserver控制台会出现:==无效的ElasticSearch配置==
  3. HA高可用初次尝试

标题:JumpServer高可用部署
作者:jiu5
地址:http://solo.jiufog.space/articles/2025/03/26/1742958803257.html