环境
centos7(4核8G一台)
升级内核
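# Upgrade the kernel to the 5.4 long-term branch (kernel-lt) from ELRepo.
# Import ELRepo's signing key before anything else so yum can verify the
# release package and every kernel RPM pulled from that repo.
rpm --import https://www.elrepo.org/RPM-GPG-KEY-elrepo.org
yum install https://www.elrepo.org/elrepo-release-7.el7.elrepo.noarch.rpm
# List what the kernel repo offers before committing to a version.
yum --disablerepo=\* --enablerepo=elrepo-kernel list kernel*
yum -y --enablerepo=elrepo-kernel install kernel-lt.x86_64 kernel-lt-devel.x86_64
# Entry 0 is normally the newest installed kernel, but the index is positional:
# print the saved default and confirm it names the new kernel before rebooting.
grub2-set-default 0
grub2-editenv list
# Replace the distribution kernel-tools with the ELRepo build that matches kernel-lt.
yum remove kernel-tools.x86_64 kernel-tools-libs.x86_64 -y
yum --enablerepo=elrepo-kernel install kernel-lt-tools.x86_64 kernel-lt-tools-libs.x86_64 -y
# Reboot into the new kernel, then check with `uname -r` that a 5.4.x kernel is running.
# reboot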
安装依赖
# Utilities used by the installer and by the firewall steps further down
# (iptables-services provides the /etc/sysconfig/iptables based service).
pkgs=(wget curl tar gettext python iptables-services)
yum -y install "${pkgs[@]}"
离线安装
从飞致云社区下载最新的 linux/amd64 离线包，核对其校验值（若官方提供 sha256/md5）后再上传到部署服务器的 /opt 目录。
- 解压
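# Unpack the offline installer under /opt. Print the archive's digest first and
# compare it with the value published alongside the download before extracting:
# the archive contains the container images that will run with root privileges.
cd /opt || exit 1
sha256sum jumpserver-offline-installer-v3.2.2-amd64-5.tar.gz
tar -xf jumpserver-offline-installer-v3.2.2-amd64-5.tar.gz
cd jumpserver-offline-installer-v3.2.2-amd64-5 || exit 1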
- 配置：根据需要修改配置文件模板 config-example.txt。本地测试可直接使用默认值；线上部署前请检查：端口是否冲突、容器使用的网段是否与现有网络冲突、是否需要配置 HTTPS 域名，并确认模板中的密钥/密码类字段（如有）不要沿用示例默认值。
- 安装
# Run the installer from inside the unpacked directory.
installer_dir=/opt/jumpserver-offline-installer-v3.2.2-amd64-5
cd "$installer_dir"
./jmsctl.sh install
安装过程有几个选择,默认即可
- 启动
# Bring the JumpServer containers up from the installer directory.
installer_dir=/opt/jumpserver-offline-installer-v3.2.2-amd64-5
cd "$installer_dir"
./jmsctl.sh start
- 登录
浏览器访问 http://<服务器IP>:80，默认账号/密码为 admin/admin（以安装输出为准）。首次登录后必须立即修改默认密码；线上环境请先配置 HTTPS，再对外开放 80/443。
- 其他命令
# cd /opt/jumpserver-offline-installer-v3.2.2-amd64-5
# ./jmsctl.sh --help
JumpServer Deployment Management Script
Usage:
./jmsctl.sh [COMMAND] [ARGS...]
./jmsctl.sh --help
Installation Commands:
install Install JumpServer
upgrade [version] Upgrade JumpServer
check_update Check for updates JumpServer
reconfig Reconfiguration JumpServer
Management Commands:
start Start JumpServer
stop Stop JumpServer
close Close JumpServer
restart Restart JumpServer
status Check JumpServer
down Offline JumpServer
uninstall Uninstall JumpServer
More Commands:
load_image Loading docker image
backup_db Backup database
restore_db [file] Data recovery through database backup file
raw Execute the original docker-compose command
tail [service] View log
配置防火墙,禁止Docker使用iptables
- 配置防火墙：只放行 JumpServer 需要的端口（22、2222、80、443）以及容器网段的转发流量，其余入站一律拒绝
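# Host firewall for the JumpServer node. Docker's own iptables management is
# switched off in the next step, so every rule the containers need is declared here.
# firewalld and iptables-services drive the same tables; only one may be active.
systemctl is-active --quiet firewalld && systemctl disable --now firewalld
# Keep a copy of the previous ruleset so the change can be reverted.
[ -f /etc/sysconfig/iptables ] && cp -p /etc/sysconfig/iptables "/etc/sysconfig/iptables.bak.$(date +%Y%m%d%H%M%S)"
# Quoted delimiter: the ruleset is written literally, nothing is expanded.
# 192.168.250.0/24 is the container subnet; it must match the network chosen in the
# installer config. The FORWARD rules let container traffic pass through the host.
cat > /etc/sysconfig/iptables <<'EOF'
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-I FORWARD -s 192.168.250.0/24 -j ACCEPT
-I FORWARD -d 192.168.250.0/24 -j ACCEPT
# 22: host SSH. Restrict it to the admin network where possible, e.g. add "-s <admin-cidr>".
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
# 2222: the SSH port published by the JumpServer containers (confirm against the installer config).
-A INPUT -p tcp -m state --state NEW -m tcp --dport 2222 -j ACCEPT
# 80/443: web UI. In production serve HTTPS on 443 and keep 80 only for redirects.
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# With Docker's iptables support disabled, Docker no longer masquerades container
# egress. Without this rule traffic from the container subnet to hosts outside the
# node leaves with an unroutable source address; harmless if not needed.
-A POSTROUTING -s 192.168.250.0/24 ! -d 192.168.250.0/24 -j MASQUERADE
COMMIT
EOF
# Enable the service so the ruleset is restored at boot; a bare restart is lost on
# reboot and the host would come back with the default ACCEPT policy and no rules.
systemctl enable iptables
systemctl restart iptables
# Show the loaded rules and confirm forwarding is on (dockerd normally enables it;
# verify rather than assume).
iptables -S
sysctl net.ipv4.ip_forward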
- Docker禁止使用iptables
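# Stop Docker from programming iptables itself; the host ruleset in
# /etc/sysconfig/iptables becomes the single place that decides what the
# containers may reach and what is exposed.
mkdir -p /etc/docker
# This overwrites any existing daemon.json; keep a copy so earlier settings can be merged back.
[ -f /etc/docker/daemon.json ] && cp -p /etc/docker/daemon.json "/etc/docker/daemon.json.bak.$(date +%Y%m%d%H%M%S)"
cat > /etc/docker/daemon.json <<'EOF'
{
  "iptables": false,
  "data-root": "/var/lib/docker",
  "live-restore": true,
  "log-driver": "json-file",
  "log-opts": {
    "max-file": "3",
    "max-size": "10m"
  }
}
EOF
# dockerd refuses to start on malformed JSON, which would take JumpServer down with it:
# validate the file (python was installed with the dependencies) and only then restart.
# live-restore only takes effect from this daemon start onward, so containers running
# now may stop during the restart; JumpServer is started again afterwards.
python -m json.tool /etc/docker/daemon.json >/dev/null && systemctl restart docker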
- 重启jumpserver
# Start JumpServer again now that the firewall and Docker daemon settings are in place.
installer_dir=/opt/jumpserver-offline-installer-v3.2.2-amd64-5
cd "$installer_dir"
./jmsctl.sh start