feizhiyun/jumpserver Containerised Deployment: The Docker Compose Approach
[Free download link] JumpServer, the widely used open-source bastion host. Project page: https://gitcode.com/feizhiyun/jumpserver
Preface: why containerise?
In enterprise IT operations JumpServer, a widely used open-source bastion host, sits in front of critical infrastructure and is responsible for access control and security auditing. Traditional installation is stable, but it makes fast iteration, environment consistency and resource isolation hard.
Pain points: have you run into any of these?
- Complex installation with tedious dependency setup
- Painful version upgrades that easily introduce compatibility problems
- Difficulty keeping multiple environments consistent
- Insufficient resource isolation, hurting stability
The Docker Compose approach addresses exactly these problems with a one-stop containerised deployment.
Architecture: understanding the containerised JumpServer
Core component relationships
Service dependency table
| Service | Port | Depends on | Role |
|---|---|---|---|
| Core | 8080 | MySQL, Redis | Core business logic |
| MySQL | 3306 | - | Persistent data storage |
| Redis | 6379 | - | Session cache and message queue |
| ElasticSearch | 9200 | - | Audit log storage |
| Nginx | 80, 443 | Core (the all-in-one jms_all image used below serves the Lina and Luna web UIs through Core) | Reverse proxy and TLS termination |
Environment preparation: pre-deployment checklist
System requirements
| Resource | Minimum | Recommended | Production |
|---|---|---|---|
| CPU | 4 cores | 8 cores | 16 cores |
| Memory | 8 GB | 16 GB | 32 GB |
| Storage | 100 GB | 200 GB | 500 GB+ |
| Network | 1 GbE | 10 GbE | Redundant 10 GbE |
Software dependencies
# Check the Docker version
docker --version
# Docker version 20.10.0+
# Check the Docker Compose version. Compose v2 ships as the `docker compose` plugin; the legacy
# `docker-compose` binary used in the commands below still works wherever it is installed.
docker compose version
# Docker Compose version 2.0.0+
# Check the kernel version
uname -r
# 4.15.0+ (5.4+ recommended)
Docker Compose deployment, step by step
1. Create the project directory layout
mkdir -p jumpserver-docker/{data,config,certs}
cd jumpserver-docker
2. Write docker-compose.yml
version: '3.8'   # Compose v2 ignores this key and warns that it is obsolete; harmless to keep
services:
  # MySQL database
  mysql:
    image: mysql:8.0
    container_name: jumpserver-mysql
    environment:
      # "jumpserver" is a demo value; the deployment steps below replace it with a generated password
      MYSQL_ROOT_PASSWORD: jumpserver
      MYSQL_DATABASE: jumpserver
      MYSQL_USER: jumpserver
      MYSQL_PASSWORD: jumpserver
    volumes:
      - ./data/mysql:/var/lib/mysql
      # create config/mysql.cnf (an empty file is fine) before starting: if the path does not exist,
      # Docker creates a directory there and mounting a directory over a file fails
      - ./config/mysql.cnf:/etc/mysql/conf.d/custom.cnf:ro
    networks:
      - jumpserver-net
    restart: unless-stopped
    healthcheck:
      # CMD-SHELL so that $$MYSQL_ROOT_PASSWORD is expanded by a shell inside the container;
      # with the exec form ("CMD") the literal string $MYSQL_ROOT_PASSWORD would be used as the password
      test: ["CMD-SHELL", "mysqladmin ping -h localhost -u root -p\"$$MYSQL_ROOT_PASSWORD\" --silent"]
      interval: 30s
      timeout: 10s
      retries: 3
  # Redis cache and message queue
  redis:
    image: redis:7-alpine
    container_name: jumpserver-redis
    # No AUTH password: acceptable only because no port is published and the network is private
    command: redis-server --appendonly yes
    volumes:
      - ./data/redis:/data
    networks:
      - jumpserver-net
    restart: unless-stopped
    healthcheck:
      test: ["CMD", "redis-cli", "ping"]
      interval: 30s
      timeout: 10s
      retries: 3
  # ElasticSearch for the audit log
  elasticsearch:
    image: elasticsearch:8.11.0
    container_name: jumpserver-es
    environment:
      - discovery.type=single-node
      # Disables ES authentication and TLS. The indices hold session and command audit data,
      # so this is only defensible on an internal network with no published port.
      - xpack.security.enabled=false
      - "ES_JAVA_OPTS=-Xms1g -Xmx1g"
    volumes:
      # the bind-mounted directory must be writable by uid 1000, the elasticsearch user inside the image
      - ./data/elasticsearch:/usr/share/elasticsearch/data
    networks:
      - jumpserver-net
    restart: unless-stopped
    ulimits:
      memlock:
        soft: -1
        hard: -1
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost:9200"]
      interval: 30s
      timeout: 10s
      retries: 3
  # JumpServer core (all-in-one image)
  core:
    image: jumpserver/jms_all:latest   # pin to the release tag you tested before production; latest changes under you
    container_name: jumpserver-core
    depends_on:
      mysql:
        condition: service_healthy
      redis:
        condition: service_healthy
      elasticsearch:
        condition: service_healthy
    environment:
      - DB_ENGINE=mysql
      - DB_HOST=mysql
      - DB_PORT=3306
      - DB_NAME=jumpserver
      - DB_USER=jumpserver
      - DB_PASSWORD=jumpserver   # demo value, replaced in the deployment steps
      - REDIS_HOST=redis
      - REDIS_PORT=6379
      - ELASTICSEARCH_HOST=elasticsearch
      - ELASTICSEARCH_PORT=9200
      - SECRET_KEY=your-secret-key-here             # placeholder, replaced in the deployment steps
      - BOOTSTRAP_TOKEN=your-bootstrap-token-here   # placeholder; components use it to register with core, so treat it as a secret
    volumes:
      - ./data/core:/opt/jumpserver/data
      - ./config/core.yml:/opt/jumpserver/config.yml
      - /etc/localtime:/etc/localtime:ro
    ports:
      # Loopback only: nginx terminates TLS and reaches core over the internal network.
      # Publishing 8080 on all interfaces would expose the plaintext HTTP port next to the HTTPS one.
      - "127.0.0.1:8080:8080"
    networks:
      - jumpserver-net
    restart: unless-stopped
    healthcheck:
      # check the health path against the image version you run
      test: ["CMD", "curl", "-f", "http://localhost:8080/api/v1/health/"]
      interval: 30s
      timeout: 10s
      retries: 3
  # Nginx reverse proxy
  nginx:
    image: nginx:alpine
    container_name: jumpserver-nginx
    depends_on:
      - core
    volumes:
      - ./config/nginx.conf:/etc/nginx/nginx.conf:ro
      - ./certs:/etc/nginx/certs:ro
    ports:
      - "80:80"
      - "443:443"
    networks:
      - jumpserver-net
    restart: unless-stopped
networks:
  jumpserver-net:
    driver: bridge
    ipam:
      config:
        - subnet: 172.28.0.0/16
3. The core configuration file
Create config/core.yml. The environment variables in docker-compose.yml already carry the same database, Redis and key settings, and the two copies must agree. The key layout below follows this article; compare it with the config_example.yml shipped in the image version you deploy before relying on it. The placeholder values are replaced in the deployment steps.
# JumpServer core configuration
server:
  bind: 0.0.0.0
  port: 8080
  debug: false
database:
  engine: mysql
  host: mysql
  port: 3306
  name: jumpserver
  user: jumpserver
  password: jumpserver
redis:
  host: redis
  port: 6379
  password: ""
elasticsearch:
  hosts: ["http://elasticsearch:9200"]
  index_prefix: "jumpserver"
security:
  secret_key: "your-very-secure-secret-key-change-in-production"
  bootstrap_token: "your-bootstrap-token-for-initial-setup"
logging:
  level: INFO
  file: /opt/jumpserver/data/logs/jumpserver.log
4. Configure the Nginx reverse proxy
Create config/nginx.conf:
worker_processes auto;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events {
  worker_connections 1024;
}
http {
  include /etc/nginx/mime.types;
  default_type application/octet-stream;
  log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                  '$status $body_bytes_sent "$http_referer" '
                  '"$http_user_agent" "$http_x_forwarded_for"';
  access_log /var/log/nginx/access.log main;
  sendfile on;
  keepalive_timeout 65;
  # Upstream
  upstream jumpserver_core {
    server core:8080;
  }
  server {
    listen 80;
    server_name _;
    # Redirect to HTTPS
    return 301 https://$host$request_uri;
  }
  server {
    listen 443 ssl;
    http2 on;   # nginx >= 1.25.1 (nginx:alpine); on older releases write "listen 443 ssl http2;" instead
    server_name _;
    ssl_certificate /etc/nginx/certs/server.crt;
    ssl_certificate_key /etc/nginx/certs/server.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    # AEAD suites with forward secrecy. (The earlier list named *-AES256-GCM-SHA512 suites,
    # which do not exist in OpenSSL, so nginx would have refused to start.)
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
    ssl_prefer_server_ciphers off;
    # add_header is not inherited by a location that sets its own headers, so the static block repeats it
    add_header Strict-Transport-Security "max-age=31536000" always;
    # Static assets: still proxied to core. Without proxy_pass this block served nginx's own empty
    # document root and every .js/.css request 404'd. A one-year "immutable" lifetime is only safe
    # if asset file names change between releases; drop it if you are not sure.
    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
      proxy_pass http://jumpserver_core;
      proxy_set_header Host $host;
      expires 1y;
      add_header Cache-Control "public, immutable";
      add_header Strict-Transport-Security "max-age=31536000" always;
    }
    # API
    location /api/ {
      proxy_pass http://jumpserver_core;
      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;
    }
    # WebSocket (terminal sessions). The long read timeout stops nginx from cutting idle
    # sessions at its 60 s default.
    location /ws/ {
      proxy_pass http://jumpserver_core;
      proxy_http_version 1.1;
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection "upgrade";
      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;
      proxy_read_timeout 3600s;
    }
    # Everything else (web UI)
    location / {
      proxy_pass http://jumpserver_core;
      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;
    }
  }
}
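Before starting the stack it is worth confirming that the files mounted as /etc/nginx/certs/server.crt and server.key actually belong together, are not about to expire and name the host users will type: a mismatched pair is the most common reason the nginx container exits immediately, and a certificate without the right name produces browser warnings that train people to click through. The checks below are an added example written for this article, not code from the JumpServer project or the nginx image; they need only the openssl CLI, and the default paths are this article's ./certs layout.

```shell
#!/bin/sh
# Added example: sanity-check TLS material before handing it to nginx.
# Assumes only the openssl CLI; paths are arguments, defaults match this article's layout.
set -eu

# SHA-256 of the DER SubjectPublicKeyInfo carried inside a certificate.
cert_pubkey_fp() {
  openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256 | sed 's/^.*= *//'
}

# The same fingerprint computed from the public half of a private key, so the two compare directly.
key_pubkey_fp() {
  openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256 | sed 's/^.*= *//'
}

# 0 when certificate and key belong together, 1 otherwise.
cert_key_match() {
  [ "$(cert_pubkey_fp "$1")" = "$(key_pubkey_fp "$2")" ]
}

# 0 when the certificate is still valid for at least <days> more days (default 30).
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend "$(( ${2:-30} * 86400 ))" >/dev/null
}

# 0 when the certificate covers <host>: SAN dNSName entries, falling back to CN when no SAN is present.
cert_covers_host() {
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q ' does match '
}

# Run all three checks against the paths nginx will mount; one line per check, non-zero if any failed.
check_tls_material() {
  local crt="${1:-certs/server.crt}" key="${2:-certs/server.key}" days="${3:-30}" host="${4:-localhost}" rc=0
  cert_key_match "$crt" "$key" && echo "ok   private key matches certificate" || { echo "FAIL private key does not match certificate"; rc=1; }
  cert_valid_for_days "$crt" "$days" && echo "ok   valid for at least $days days" || { echo "FAIL expires within $days days"; rc=1; }
  cert_covers_host "$crt" "$host" && echo "ok   certificate covers $host" || { echo "FAIL certificate does not cover $host"; rc=1; }
  return "$rc"
}
```

Run `check_tls_material certs/server.crt certs/server.key 30 jumpserver.example.internal` from the project directory (the host name is whatever users will browse to) and wire it into the same pre-start step as `docker-compose config -q`; a non-zero exit is a reason not to run `up -d`.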
Running the deployment
Initial deployment steps
Commands
# 1. Generate secrets. Hex output contains only [0-9a-f], so the values are safe to splice into
#    YAML and into the sed expressions below (base64 output contains '/' and '+', which break s///).
#    umask 077 makes the secret files, and the key below, readable by the operator account only.
umask 077
openssl rand -hex 32 > config/secret_key
openssl rand -hex 16 > config/bootstrap_token
openssl rand -hex 16 > config/db_password
openssl rand -hex 16 > config/db_root_password
# 2. Replace the placeholders and the "jumpserver" demo passwords in both files
sed -i "s/your-secret-key-here/$(cat config/secret_key)/" docker-compose.yml
sed -i "s/your-bootstrap-token-here/$(cat config/bootstrap_token)/" docker-compose.yml
sed -i "s/MYSQL_ROOT_PASSWORD: jumpserver/MYSQL_ROOT_PASSWORD: $(cat config/db_root_password)/" docker-compose.yml
sed -i "s/MYSQL_PASSWORD: jumpserver/MYSQL_PASSWORD: $(cat config/db_password)/; s/DB_PASSWORD=jumpserver/DB_PASSWORD=$(cat config/db_password)/" docker-compose.yml
sed -i "s/your-very-secure-secret-key-change-in-production/$(cat config/secret_key)/; s/your-bootstrap-token-for-initial-setup/$(cat config/bootstrap_token)/; s/password: jumpserver/password: $(cat config/db_password)/" config/core.yml
# 3. Create a TLS certificate (development only). Include a SAN: browsers ignore CN-only
#    certificates. -addext needs OpenSSL 1.1.1 or newer.
mkdir -p certs
openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
  -keyout certs/server.key -out certs/server.crt \
  -subj "/CN=localhost" -addext "subjectAltName=DNS:localhost"
# 4. Validate the rendered compose file, then start all services
docker-compose config -q
docker-compose up -d
# 5. Check service status
docker-compose ps
# 6. Follow the core logs
docker-compose logs -f core
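Substituting secrets with sed is fragile when a generated value contains `/` or `&`, and nothing in the sequence tells you whether a placeholder or one of the `jumpserver` demo passwords survived into the files you are about to start. The script below is an added example for this article, not part of JumpServer: it generates hex secrets, splices them in with awk so the value is never interpreted as a pattern, and refuses to pass while any file still carries a placeholder or weak default. The file names and placeholder tokens are the ones used above; `audit_defaults` only knows about this article's values and is not a general secret scanner.

```shell
#!/bin/sh
# Added example: safe placeholder substitution plus a weak-default audit for this article's
# compose and config files. Needs a POSIX shell, awk and /dev/urandom (openssl when present).
set -eu

# Print <bytes> random bytes as lowercase hex (2*bytes characters). Hex needs no quoting in
# YAML or env files and contains nothing awk -v would interpret as an escape.
gen_secret() {
  bytes="${1:-32}"
  if command -v openssl >/dev/null 2>&1; then
    openssl rand -hex "$bytes"
  else
    head -c "$bytes" /dev/urandom | od -An -tx1 | tr -d ' \n'
  fi
}

# Replace every literal occurrence of <placeholder> in <file> with <value>.
# awk's index()/substr() treat both as plain strings, so '/', '&' or '.' in the value cannot
# corrupt the result the way they do in sed's s///. The replaced file takes mktemp's 0600 mode.
fill_placeholder() {
  file="$1" placeholder="$2" value="$3"
  tmp="$(mktemp)"
  awk -v ph="$placeholder" -v val="$value" '{
    line = $0; out = ""
    while ((i = index(line, ph)) > 0) {
      out = out substr(line, 1, i - 1) val
      line = substr(line, i + length(ph))
    }
    print out line
  }' "$file" > "$tmp"
  mv "$tmp" "$file"
}

# Report every line in the given files that still carries one of this article's placeholders
# or a "jumpserver" demo password. Returns 0 when clean, 1 when anything was found.
audit_defaults() {
  rc=0
  pat='your-secret-key-here|your-bootstrap-token-here|change-in-production|initial-setup|password[:=] *"?jumpserver"?|-pjumpserver'
  for f in "$@"; do
    if grep -nEi -- "$pat" "$f"; then
      rc=1
    fi
  done
  return "$rc"
}

# Render fresh secrets into docker-compose.yml and config/core.yml, then audit (run from the project dir).
render_and_audit() {
  secret="$(gen_secret 32)"; token="$(gen_secret 16)"
  db="$(gen_secret 16)"; root="$(gen_secret 16)"
  fill_placeholder docker-compose.yml your-secret-key-here "$secret"
  fill_placeholder docker-compose.yml your-bootstrap-token-here "$token"
  fill_placeholder docker-compose.yml "MYSQL_ROOT_PASSWORD: jumpserver" "MYSQL_ROOT_PASSWORD: $root"
  fill_placeholder docker-compose.yml "MYSQL_PASSWORD: jumpserver" "MYSQL_PASSWORD: $db"
  fill_placeholder docker-compose.yml "DB_PASSWORD=jumpserver" "DB_PASSWORD=$db"
  fill_placeholder config/core.yml your-very-secure-secret-key-change-in-production "$secret"
  fill_placeholder config/core.yml your-bootstrap-token-for-initial-setup "$token"
  fill_placeholder config/core.yml "password: jumpserver" "password: $db"
  audit_defaults docker-compose.yml config/core.yml
}

# `sh preflight.sh run` renders and audits; with no argument the file can be sourced for its functions.
case "${1:-}" in
  run) render_and_audit ;;
esac
```

Run it once before the first `docker-compose up -d`; a second run is a no-op for the placeholders (they are gone) and still useful as an audit, which is also why the audit is a separate function you can call on its own.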
Operations guide
Day-to-day commands
# Service status
docker-compose ps
# Live logs
docker-compose logs -f
# Restart one service
docker-compose restart core
# Stop all services (the ./data bind mounts are kept)
docker-compose down
# Back up the database. -T disables the pseudo-TTY so the redirected dump is not corrupted; the
# password comes from the container's own environment via MYSQL_PWD instead of the command line,
# where `-pjumpserver` would be visible to everyone in `ps`.
docker-compose exec -T mysql sh -c 'MYSQL_PWD="$MYSQL_PASSWORD" exec mysqldump --single-transaction -u jumpserver jumpserver' > "backup-$(date +%F).sql"
# Upgrade: take the backup above first, and pin the new image tag in docker-compose.yml before
# pulling. With `latest`, `pull` can move you to a release you have not tested.
docker-compose pull
docker-compose up -d
Monitoring and alerting
Create monitor/docker-compose.monitor.yml. Relative paths in a compose file resolve against that file's own directory, so the mounts below are ./prometheus.yml and ./grafana, not ./monitor/... as one might write from the project root. The file must also declare the existing JumpServer network as external; otherwise Compose creates a separate monitor_jumpserver-net and the exporters cannot reach anything. A minimal ./prometheus.yml scrapes node-exporter:9100 and cadvisor:8080.
version: '3.8'
services:
  prometheus:
    image: prom/prometheus:latest
    ports:
      # loopback only: the dashboards expose host and container details; reach them over SSH or the bastion itself
      - "127.0.0.1:9090:9090"
    volumes:
      - ./prometheus.yml:/etc/prometheus/prometheus.yml:ro
    networks:
      - jumpserver-net
  grafana:
    image: grafana/grafana:latest
    ports:
      - "127.0.0.1:3000:3000"
    environment:
      - GF_SECURITY_ADMIN_PASSWORD=change-me   # set a real value; admin/admin is the first guess every scanner makes
    volumes:
      - ./grafana:/var/lib/grafana
    networks:
      - jumpserver-net
  node-exporter:
    image: prom/node-exporter:latest
    volumes:
      - /proc:/host/proc:ro
      - /sys:/host/sys:ro
      - /:/rootfs:ro
    command:
      - '--path.procfs=/host/proc'
      - '--path.sysfs=/host/sys'
      - '--collector.filesystem.ignored-mount-points'
      - '^/(sys|proc|dev|host|etc|rootfs/var/lib/docker/containers|rootfs/var/lib/docker/overlay2|rootfs/run/docker/netns|rootfs/var/lib/docker/aufs)($$|/)'
    networks:
      - jumpserver-net
  cadvisor:
    image: gcr.io/cadvisor/cadvisor:latest
    volumes:
      - /:/rootfs:ro
      - /var/run:/var/run:rw
      - /sys:/sys:ro
      - /var/lib/docker/:/var/lib/docker:ro
    ports:
      - "127.0.0.1:8088:8080"
    networks:
      - jumpserver-net
networks:
  jumpserver-net:
    external: true
    name: jumpserver-docker_jumpserver-net   # <project directory>_<network name>; confirm with `docker network ls`
Troubleshooting and tuning
Common problems
| Symptom | Likely cause | Fix |
|---|---|---|
| A container fails to start | Port conflict | Find the process holding the port (`ss -ltnp`) and change the port mapping in docker-compose.yml |
| nginx exits right after start | Missing or mismatched server.crt / server.key, or an invalid cipher list | `docker-compose logs nginx`; regenerate the certificate and key as a pair |
| Database connection timeout | MySQL not ready yet | Keep `depends_on` with `condition: service_healthy` and lengthen the healthcheck interval or retries |
| Out of memory | Container resource limits | Adjust the `deploy.resources` limits in docker-compose.yml |
| Performance bottleneck | Undersized resources | Tune the Elasticsearch heap (ES_JAVA_OPTS) and Redis persistence settings |
Performance tuning
Compose v2 applies `deploy.resources` on a plain Docker host; the legacy docker-compose v1 ignores it unless started with `--compatibility`. Keep the Elasticsearch heap (ES_JAVA_OPTS) at no more than about half of its memory limit.
# Add resource limits in docker-compose.yml
services:
  core:
    deploy:
      resources:
        limits:
          cpus: '4'
          memory: 8G
        reservations:
          cpus: '2'
          memory: 4G
  elasticsearch:
    deploy:
      resources:
        limits:
          cpus: '2'
          memory: 4G
Security hardening
1. Network isolation
MySQL, Redis and Elasticsearch only ever talk to core, so put them on an `internal: true` network: no published ports and no route out of the host. core must keep a routable network as well, because it is the component that opens SSH/RDP sessions to the managed assets, and nginx needs the external network for ports 80 and 443.
# Dedicated networks
networks:
  jumpserver-internal:
    internal: true
  jumpserver-external:
    driver: bridge
# Service network assignment
services:
  mysql:
    networks:
      - jumpserver-internal
  core:
    networks:
      - jumpserver-internal
      - jumpserver-external
  nginx:
    networks:
      - jumpserver-internal
      - jumpserver-external
2. Secret management
`docker secret create` only exists in Swarm mode (`docker swarm init`); on a plain Compose host the equivalent is a file-backed secret declared in docker-compose.yml, which Compose mounts at /run/secrets/<name>. The official mysql image reads MYSQL_PASSWORD_FILE and MYSQL_ROOT_PASSWORD_FILE from such a file, so the database password no longer has to appear in the compose file at all. Write the value with printf rather than echo, whose trailing newline would become part of the password, and prefer reading it from a file to typing it on a command line that ends up in shell history.
# Swarm: store the secret in the cluster
printf '%s' "jumpserver-db-password" | docker secret create db_password -
printf '%s' "jumpserver-redis-password" | docker secret create redis_password -
# Plain Compose: file-backed secret, mounted read-only into the container
secrets:
  db_password:
    file: ./secrets/db_password
services:
  mysql:
    secrets:
      - db_password
    environment:
      MYSQL_PASSWORD_FILE: /run/secrets/db_password
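Whether a value ends up as a Swarm secret, a Compose file-backed secret or a `.env` entry that Compose interpolates into `${DB_PASSWORD}`, the operator-side step is the same: the material has to be written without a trailing newline and must be readable only by the account that runs `docker-compose`. The helper below is an added example for this article, not part of JumpServer or Compose. The `secrets/` directory and `.env` file are this article's layout, and the mapping in `provision_secrets` (mysql reads the `*_FILE` secret, core gets the same password through `.env` because this article configures the JumpServer image via environment variables) is an assumption about how you wire the compose file, not something the image enforces.

```shell
#!/bin/sh
# Added example: provision secret files and a .env for Compose with owner-only permissions.
# Assumes a POSIX shell with coreutils; paths follow this article's project layout.
set -eu

# Write <value> to <dir>/<name>, creating <dir> as 0700 and the file as 0600.
# No trailing newline: Compose file secrets and the mysql image's *_FILE variables use the
# file content verbatim, so echo's newline would silently become part of the password.
write_secret_file() {
  dir="$1" name="$2" value="$3"
  mkdir -p "$dir"
  chmod 700 "$dir"
  ( umask 077; printf '%s' "$value" > "$dir/$name" )
  chmod 600 "$dir/$name"
}

# Write KEY=VALUE pairs to <file> (0600) for docker-compose to interpolate as ${KEY}.
# Hex values contain nothing that needs quoting, so they are written as-is.
write_env_file() {
  file="$1"; shift
  ( umask 077; : > "$file" )
  for kv in "$@"; do
    printf '%s\n' "$kv"
  done >> "$file"
  chmod 600 "$file"
}

# 0 when <file> exists and its mode is exactly 0600 (no group or world bits).
is_private() {
  [ -f "$1" ] && [ -n "$(find "$1" -perm 0600 -print)" ]
}

# 0 when every regular file under <dir> is 0600; otherwise lists the offenders and returns 1.
all_private() {
  bad="$(find "$1" -type f ! -perm 0600)"
  if [ -n "$bad" ]; then
    printf '%s\n' "$bad" | sed 's/^/not owner-only: /'
    return 1
  fi
}

# Provision what this article's compose file needs (assumed wiring, see lead-in):
# mysql reads MYSQL_PASSWORD_FILE / MYSQL_ROOT_PASSWORD_FILE from <dir>, core gets
# DB_PASSWORD from <envfile> via ${DB_PASSWORD}. Returns non-zero if anything is not private.
provision_secrets() {
  dir="${1:-secrets}" envfile="${2:-.env}"
  db="$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')"
  root="$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')"
  write_secret_file "$dir" db_password "$db"
  write_secret_file "$dir" db_root_password "$root"
  write_env_file "$envfile" "DB_PASSWORD=$db"
  all_private "$dir" && is_private "$envfile"
}
```

After `provision_secrets`, change the compose file so that `MYSQL_PASSWORD: jumpserver` becomes `MYSQL_PASSWORD_FILE: /run/secrets/db_password` (with the `secrets:` stanza above) and `DB_PASSWORD=jumpserver` becomes `DB_PASSWORD=${DB_PASSWORD}`; `docker-compose config` then shows the interpolated value and is itself a reason not to paste its output anywhere. Add `secrets/` and `.env` to `.gitignore` if the directory is under version control.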
Summary and outlook
Deploying JumpServer with Docker Compose gives us:
✅ Environment consistency: no more "it works on my machine"
✅ Fast deployment: hours become minutes
✅ Easier maintenance: upgrades and rollbacks become simple
✅ Resource isolation: services no longer interfere with each other
✅ A path to high availability: the single-host Compose setup described here is not itself highly available, but the same service definitions carry over to a clustered platform
Further improvements to consider:
- Kubernetes for automatic scaling
- A CI/CD pipeline for automated deployment
- A more complete monitoring and alerting setup
- Multi-datacenter disaster recovery
JumpServer's container journey is only beginning; I look forward to what you discover in practice!
Deployment tip: browse to https://your-server-ip/ and log in with the default account admin/ChangeMe. Change that password immediately, and keep the BOOTSTRAP_TOKEN out of logs and chat: it is what lets components register with core.
Coming up: deploying JumpServer on a highly available Kubernetes cluster. Stay tuned!
Disclosure: parts of this article were generated with AI assistance (AIGC) and are provided for reference only.