JumpServer Containerized Deployment: A Complete Guide to Docker Compose and Kubernetes
Pain point: the operational burden of traditional deployment
Still struggling with JumpServer's complex deployment process? A traditional install means manually setting up a Python environment, configuring the database and Redis, resolving dependency conflicts, and treading on thin ice with every upgrade. Containerized deployment is the best answer to these pain points.
In this article you will get:
- 🚀 A complete plan for deploying JumpServer in 5 minutes
- 📦 A production-grade Docker Compose configuration template
- ☸️ Best practices for Kubernetes-native deployment
- 🔧 Persistent data management and high-availability architecture design
- 🛡️ Security hardening and monitoring integration
A deep dive into the JumpServer architecture
Before deploying, let's first understand the components that make up JumpServer:
Core components
| Component | Role | Protocols |
|---|---|---|
| Jumpserver Core | Core authentication and permission management | HTTP/WebSocket |
| KoKo | Character-protocol connector | SSH/Telnet |
| Lion | Graphical-protocol connector | RDP/VNC |
| Chen | Database-protocol connector | MySQL/PostgreSQL |
| Lina | Web user interface | HTTP |
| Luna | Web terminal interface | WebSocket |
Docker Compose deployment
Preparing the base environment
```bash
# Install Docker and Docker Compose
curl -fsSL https://get.docker.com | sh
sudo systemctl enable --now docker
# Install Docker Compose
sudo curl -L "https://github.com/docker/compose/releases/download/v2.24.0/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
sudo chmod +x /usr/local/bin/docker-compose
```
Docker Compose configuration file
Create the docker-compose.yml file:
```yaml
version: '3.8'
services:
  # Redis service
  redis:
    image: redis:6.2-alpine
    container_name: jumpserver-redis
    restart: unless-stopped
    volumes:
      - redis_data:/data
    environment:
      - REDIS_PASSWORD=jumpserver@redis
    # The Redis image runs its command without a shell, so the variable must be
    # expanded by "sh -c" inside the container; "$$" is how Compose escapes a
    # literal "$" so that the container shell, not Compose, does the expansion.
    command: ['sh', '-c', 'exec redis-server --requirepass "$$REDIS_PASSWORD"']
    networks:
      - jumpserver-net
  # PostgreSQL database
  postgres:
    image: postgres:13-alpine
    container_name: jumpserver-postgres
    restart: unless-stopped
    environment:
      POSTGRES_DB: jumpserver
      POSTGRES_USER: jumpserver
      POSTGRES_PASSWORD: jumpserver@postgres
    volumes:
      - postgres_data:/var/lib/postgresql/data
    networks:
      - jumpserver-net
  # JumpServer core service
  jms_core:
    image: jumpserver/jms_all:latest
    container_name: jumpserver-core
    restart: unless-stopped
    depends_on:
      - redis
      - postgres
    ports:
      - "8080:8080"
      - "8070:8070"
    volumes:
      - jms_data:/opt/jumpserver/data
      - ./config.yml:/opt/jumpserver/config.yml:ro
    environment:
      - DB_ENGINE=postgresql
      - DB_HOST=postgres
      - DB_PORT=5432
      - DB_USER=jumpserver
      - DB_PASSWORD=jumpserver@postgres
      - DB_NAME=jumpserver
      - REDIS_HOST=redis
      - REDIS_PORT=6379
      - REDIS_PASSWORD=jumpserver@redis
      - BOOTSTRAP_TOKEN=jumpserver@bootstrap
      # Placeholder; must match the SECRET_KEY written into config.yml
      - SECRET_KEY=your-secret-key-here
    networks:
      - jumpserver-net
volumes:
  redis_data:
    driver: local
  postgres_data:
    driver: local
  jms_data:
    driver: local
networks:
  jumpserver-net:
    driver: bridge
```
Customizing the configuration file
Create the config.yml file:
```yaml
# Encryption key (must be changed for production)
SECRET_KEY: your-unique-secret-key-at-least-50-chars
# Token used by components to register with the core service
BOOTSTRAP_TOKEN: jumpserver@bootstrap
# Database settings
DB_ENGINE: postgresql
DB_HOST: postgres
DB_PORT: 5432
DB_USER: jumpserver
DB_PASSWORD: jumpserver@postgres
DB_NAME: jumpserver
# Redis settings
REDIS_HOST: redis
REDIS_PORT: 6379
REDIS_PASSWORD: jumpserver@redis
# Network binding
HTTP_BIND_HOST: 0.0.0.0
HTTP_LISTEN_PORT: 8080
WS_LISTEN_PORT: 8070
# Session settings
SESSION_COOKIE_AGE: 3600
SESSION_EXPIRE_AT_BROWSER_CLOSE: false
# Logging
LOG_LEVEL: INFO
LOG_DIR: /opt/jumpserver/data/logs
```
Starting and verifying
```bash
# Generate a secure SECRET_KEY
SECRET_KEY=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 50 | head -n 1)
sed -i "s/your-unique-secret-key-at-least-50-chars/$SECRET_KEY/" config.yml
# Keep the Compose environment variable in sync with config.yml, so the same key
# is used whichever of the two sources JumpServer reads
sed -i "s/your-secret-key-here/$SECRET_KEY/" docker-compose.yml
# Start the services
docker-compose up -d
# Follow the core service log
docker-compose logs -f jms_core
# Check service status
docker-compose ps
# Access JumpServer
echo "URL: http://<server-ip>:8080"
echo "Initial username: admin"
echo "Initial password: admin"
```
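Before bringing the stack up, it is worth checking that none of the placeholder credentials from the two files above survived editing. The following POSIX shell functions are an added example (not from the article or the JumpServer project); they read the `KEY: value` lines of config.yml and the `- KEY=value` environment entries of docker-compose.yml, flag the article's placeholder values, and require a SECRET_KEY of at least 50 characters.

```shell
#!/bin/sh
# Pre-flight check for config.yml / docker-compose.yml (added example).
# check_file returns the number of findings, so "check_file config.yml || exit 1"
# can gate "docker-compose up -d" in a deployment script.

# Placeholder values used in this article; none of them may reach a running stack.
DEFAULTS="your-secret-key-here your-unique-secret-key-at-least-50-chars jumpserver@redis jumpserver@postgres jumpserver@bootstrap"

# Print the value of "KEY: value" (config.yml) or "- KEY=value" (Compose env list).
get_value() {  # $1 = file, $2 = key
    sed -n -e "s/^[[:space:]]*$2:[[:space:]]*//p" \
           -e "s/^[[:space:]]*-[[:space:]]*$2=//p" "$1" | head -n 1
}

# Succeeds when $1 is one of the article's placeholder values.
is_default() {
    for d in $DEFAULTS; do
        [ "$1" = "$d" ] && return 0
    done
    return 1
}

# SECRET_KEY must be at least 50 characters long and not a placeholder.
check_secret_key() {  # $1 = value
    [ "${#1}" -ge 50 ] || return 1
    if is_default "$1"; then return 1; fi
    return 0
}

# Report every credential key in a file that still carries a placeholder, plus a
# too-short SECRET_KEY. Returns the number of findings (0 = clean).
check_file() {  # $1 = file
    n=0
    for key in SECRET_KEY BOOTSTRAP_TOKEN DB_PASSWORD REDIS_PASSWORD; do
        v=$(get_value "$1" "$key")
        [ -n "$v" ] || continue
        if is_default "$v"; then
            echo "$1: $key still has the placeholder value from the article"
            n=$((n + 1))
        elif [ "$key" = SECRET_KEY ] && ! check_secret_key "$v"; then
            echo "$1: SECRET_KEY is shorter than 50 characters"
            n=$((n + 1))
        fi
    done
    return "$n"
}

# Usage, run from the directory holding both files:
# check_file docker-compose.yml && check_file config.yml && docker-compose up -d
```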
Kubernetes deployment
Namespace and configuration
Create jumpserver-namespace.yaml:
```yaml
apiVersion: v1
kind: Namespace
metadata:
  name: jumpserver
  labels:
    name: jumpserver
```
Redis deployment
Create redis-deployment.yaml:
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: redis
  namespace: jumpserver
spec:
  replicas: 1
  selector:
    matchLabels:
      app: redis
  template:
    metadata:
      labels:
        app: redis
    spec:
      containers:
        - name: redis
          image: redis:6.2-alpine
          ports:
            - containerPort: 6379
          env:
            - name: REDIS_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: jumpserver-secrets
                  key: redis-password
          # Kubernetes expands $(VAR) in command/args from the container's env
          command: ["redis-server", "--requirepass", "$(REDIS_PASSWORD)"]
          volumeMounts:
            - name: redis-data
              mountPath: /data
      volumes:
        - name: redis-data
          persistentVolumeClaim:
            claimName: redis-pvc
---
apiVersion: v1
kind: Service
metadata:
  name: redis
  namespace: jumpserver
spec:
  selector:
    app: redis
  ports:
    - port: 6379
      targetPort: 6379
```
PostgreSQL deployment
Create postgres-deployment.yaml:
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: postgres
  namespace: jumpserver
spec:
  replicas: 1
  selector:
    matchLabels:
      app: postgres
  template:
    metadata:
      labels:
        app: postgres
    spec:
      containers:
        - name: postgres
          image: postgres:13-alpine
          env:
            - name: POSTGRES_DB
              value: jumpserver
            - name: POSTGRES_USER
              value: jumpserver
            - name: POSTGRES_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: jumpserver-secrets
                  key: postgres-password
          ports:
            - containerPort: 5432
          volumeMounts:
            - name: postgres-data
              mountPath: /var/lib/postgresql/data
      volumes:
        - name: postgres-data
          persistentVolumeClaim:
            claimName: postgres-pvc
---
apiVersion: v1
kind: Service
metadata:
  name: postgres
  namespace: jumpserver
spec:
  selector:
    app: postgres
  ports:
    - port: 5432
      targetPort: 5432
```
JumpServer core deployment
Create jumpserver-deployment.yaml:
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: jumpserver
  namespace: jumpserver
spec:
  # With more than one replica, the shared data-volume below must be a
  # ReadWriteMany claim (or all pods must land on one node); a ReadWriteOnce
  # claim can only be mounted on a single node and the second pod stays Pending.
  replicas: 2
  selector:
    matchLabels:
      app: jumpserver
  template:
    metadata:
      labels:
        app: jumpserver
    spec:
      containers:
        - name: jumpserver
          image: jumpserver/jms_all:latest
          ports:
            - containerPort: 8080
            - containerPort: 8070
          env:
            - name: DB_ENGINE
              value: postgresql
            - name: DB_HOST
              value: postgres
            - name: DB_PORT
              value: "5432"
            - name: DB_USER
              value: jumpserver
            - name: DB_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: jumpserver-secrets
                  key: postgres-password
            - name: DB_NAME
              value: jumpserver
            - name: REDIS_HOST
              value: redis
            - name: REDIS_PORT
              value: "6379"
            - name: REDIS_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: jumpserver-secrets
                  key: redis-password
            - name: BOOTSTRAP_TOKEN
              valueFrom:
                secretKeyRef:
                  name: jumpserver-secrets
                  key: bootstrap-token
            - name: SECRET_KEY
              valueFrom:
                secretKeyRef:
                  name: jumpserver-secrets
                  key: secret-key
          volumeMounts:
            - name: config-volume
              mountPath: /opt/jumpserver/config.yml
              subPath: config.yml
            - name: data-volume
              mountPath: /opt/jumpserver/data
      volumes:
        - name: config-volume
          configMap:
            name: jumpserver-config
        - name: data-volume
          persistentVolumeClaim:
            claimName: jumpserver-pvc
---
apiVersion: v1
kind: Service
metadata:
  name: jumpserver
  namespace: jumpserver
spec:
  selector:
    app: jumpserver
  ports:
    - name: http
      port: 8080
      targetPort: 8080
    - name: ws
      port: 8070
      targetPort: 8070
```
Ingress configuration
Create jumpserver-ingress.yaml:
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: jumpserver-ingress
  namespace: jumpserver
  annotations:
    nginx.ingress.kubernetes.io/proxy-body-size: "1024m"
    nginx.ingress.kubernetes.io/proxy-read-timeout: "3600"
    nginx.ingress.kubernetes.io/proxy-send-timeout: "3600"
spec:
  rules:
    - host: jumpserver.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: jumpserver
                port:
                  number: 8080
```
Deployment script
Create the deployment script deploy-jumpserver.sh:
```bash
#!/bin/bash
# Create the namespace
kubectl apply -f jumpserver-namespace.yaml
# Create the secret (only secret-key is generated; the other three values are fixed here)
kubectl create secret generic jumpserver-secrets -n jumpserver \
  --from-literal=secret-key=$(head -c 50 /dev/urandom | base64 | tr -dc 'a-zA-Z0-9' | head -c 50) \
  --from-literal=bootstrap-token=jumpserver@bootstrap \
  --from-literal=redis-password=jumpserver@redis \
  --from-literal=postgres-password=jumpserver@postgres
# Create the configmap
kubectl create configmap jumpserver-config -n jumpserver \
  --from-file=config.yml=config.yml
# Create the storage (storage.yaml, which defines the redis-pvc, postgres-pvc and
# jumpserver-pvc claims, is not shown in this article)
kubectl apply -f storage.yaml
# Deploy the services
kubectl apply -f redis-deployment.yaml
kubectl apply -f postgres-deployment.yaml
kubectl apply -f jumpserver-deployment.yaml
# Deploy the ingress
kubectl apply -f jumpserver-ingress.yaml
echo "Deployment complete!"
echo "URL: http://jumpserver.example.com"
```
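The script above generates only the secret-key and passes all four values on the kubectl command line, where they are visible in shell history and, via `ps`, to other local users. The helper below is an added example (not from the article or the JumpServer project): it draws a random value for every key of jumpserver-secrets and renders a Secret manifest on stdout for `kubectl apply -f -`, using the key names and namespace from the manifests above; it assumes GNU coreutils `base64`.

```shell
#!/bin/sh
# Added helper: random values for all four keys of jumpserver-secrets, rendered as
# a Secret manifest instead of being passed with --from-literal on the command line.

# Random alphanumeric string of length $1 from /dev/urandom.
gen_secret() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "$1"
}

# Single-line base64, as required in the "data:" section of a Secret.
b64() {
    printf '%s' "$1" | base64 | tr -d '\n'
}

# Render the Secret referenced by the Deployments above.
# $1 secret-key, $2 bootstrap-token, $3 redis-password, $4 postgres-password
render_secret_manifest() {
    cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: jumpserver-secrets
  namespace: jumpserver
type: Opaque
data:
  secret-key: $(b64 "$1")
  bootstrap-token: $(b64 "$2")
  redis-password: $(b64 "$3")
  postgres-password: $(b64 "$4")
EOF
}

# Decode one key back out of a rendered manifest (verification / debugging).
read_secret_key() {  # $1 = manifest text, $2 = key
    printf '%s\n' "$1" | sed -n "s/^  $2: //p" | base64 -d
}

# Generate all four values and apply them; SECRET_KEY needs at least 50 characters.
apply_secrets() {
    render_secret_manifest "$(gen_secret 50)" "$(gen_secret 32)" \
        "$(gen_secret 32)" "$(gen_secret 32)" | kubectl apply -f -
}

# Run as "sh gen-jumpserver-secrets.sh --apply" in place of the kubectl create
# secret step of deploy-jumpserver.sh (hypothetical file name).
if [ "${1:-}" = "--apply" ]; then
    apply_secrets
fi
```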
Production hardening recommendations
Resource limits
```yaml
# Under spec.template.spec.containers[] of the jumpserver Deployment
resources:
  requests:
    memory: "2Gi"
    cpu: "1000m"
  limits:
    memory: "4Gi"
    cpu: "2000m"
```
Health checks
```yaml
# Under spec.template.spec.containers[] of the jumpserver Deployment
livenessProbe:
  httpGet:
    path: /api/health/
    port: 8080
  initialDelaySeconds: 60
  periodSeconds: 30
readinessProbe:
  httpGet:
    path: /api/health/
    port: 8080
  initialDelaySeconds: 30
  periodSeconds: 10
```
Monitoring and logging
```yaml
# Prometheus scrape annotations, under spec.template.metadata of the Deployment
annotations:
  prometheus.io/scrape: "true"
  prometheus.io/port: "8080"
  prometheus.io/path: "/metrics"
```
Troubleshooting guide
Common problems
| Symptom | Likely cause | Fix |
|---|---|---|
| Container fails to start | Configuration error | Check the environment variables and the configuration file |
| Database connection timeout | Network problem | Verify service discovery and network policies |
| Sessions disconnect frequently | Insufficient resources | Adjust resource limits and probe settings |
| File upload fails | Size limit | Adjust the Nginx Ingress configuration |
Log commands
```bash
# Docker Compose environment
docker-compose logs -f jms_core
docker-compose exec jms_core tail -f /opt/jumpserver/data/logs/jumpserver.log
# Kubernetes environment
kubectl logs -f deployment/jumpserver -n jumpserver
kubectl describe pod jumpserver-xxx -n jumpserver
```
Summary and outlook
With this article you now have two containerized deployment options for JumpServer:
- Docker Compose: suited to small and medium environments and quick prototyping
- Kubernetes: suited to production and large-scale deployments
Both options provide high availability, persistence and monitoring integration; choose the one that matches your actual requirements.
Recommended next steps
- Security hardening: rotate keys and certificates regularly
- Backup strategy: set up regular backups of the database and configuration files
- Monitoring and alerting: integrate Prometheus and Grafana
- Automated operations: build a CI/CD pipeline for automated deployment
Containerized deployment of JumpServer not only reduces operational complexity but also gives enterprise security operations a solid infrastructure foundation. Try the deployment options in this article and start your journey to a modern bastion host.
Reminder: change the default password and keys right after deployment to keep your production environment secure. If you run into deployment problems, feel free to discuss them in the community.
Author's note: parts of this article were generated with AI assistance (AIGC) and are for reference only.