Upgrading the JumpServer bastion host from v2.4.4 to v2.10.4

Notes

  • JumpServer server environment
    • CentOS-7.9
    • Docker-CE 20.10.6
    • MySQL-5.7.31
      • MySQL Community Edition
    • Redis-3.2.12
      • the Redis package available for CentOS 7 (EPEL) is 3.2.12
  • Existing JumpServer deployment, see here
    • the version had previously been taken from v2.0.1 to v2.4.4; changing the image TAG was all that upgrade needed
    • from v2.6.0 on, a new deployment project (jumpserver/installer) manages both the community and enterprise editions; the old project is no longer maintained
    • the new deployment method ships different container images, so the JumpServer deployment has to be redone rather than tag-bumped
  • Infrastructure requirements of the new version

    • database: MySQL >= 5.7 or MariaDB >= 10.2
      • MySQL-5.7.31 was already in place from the earlier deployment, so no database upgrade is needed
    • cache: Redis >= 6.0
      • CentOS 7 ships 3.2.12, so Redis has to be upgraded
    • Docker versions
      • jmsctl.sh checks the docker-ce and docker-compose versions
      • it automatically updates docker-ce and docker-compose to 18.06.3-ce and 1.27.4
      • the docker-compose shipped with CentOS is 1.18.0; with it every compose command fails with ERROR: Version in "././compose/docker-compose-app.yml" is unsupported.
  • Reference documentation

Upgrade requirements

  • keep the old JumpServer online throughout, so business is unaffected and the upgrade is smooth
  • make sure that rolling back to the old version leaves JumpServer usable
  • the whole procedure was rehearsed on a separate environment first; only then was it done in production!

Infrastructure upgrade

Docker-compose upgrade

Current version

docker-compose -v
# docker-compose version 1.18.0, build 8dd22a9

Download version 1.29.2

The download below goes through a mirror and nothing checks its integrity. Before putting the binary on PATH, compare its SHA-256 with the digest published for the same release on GitHub (docker/compose ships a .sha256 file next to each binary).

wget https://get.daocloud.io/docker/compose/releases/download/1.29.2/docker-compose-$(uname -s)-$(uname -m) -O /usr/bin/docker-compose-1.29.2
chmod 0755 /usr/bin/docker-compose-1.29.2   # wget -O writes a plain file without the executable bit

Replace the system docker-compose

The old binary is kept under a versioned name, so the symlink can be pointed back at it if the upgrade has to be rolled back.

mv /usr/bin/docker-compose /usr/bin/docker-compose-1.18.0
ln -svf /usr/bin/docker-compose-1.29.2 /usr/bin/docker-compose

Confirm the docker-compose version

docker-compose -v
# docker-compose version 1.29.2, build 5becea4c
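The download-then-symlink steps above, as an added example that is not part of the original post or of the JumpServer installer: the binary is only installed after its SHA-256 matches the digest from the upstream release, the distro's original binary is preserved, and a rollback helper flips the symlink back. The digest in the usage comment is a placeholder, not the real 1.29.2 hash, and all paths are the ones used above.

```shell
#!/bin/sh
# Added example, not part of the original post: install a downloaded binary only after its
# SHA-256 matches the digest published with the upstream release, keeping the previous
# binary under a versioned name so the symlink can be pointed back at it. The hash in the
# usage comment is a placeholder, not the real 1.29.2 digest.

# sha256_of FILE -> hex digest (sha256sum on Linux, shasum on BSD/macOS)
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# install_verified DOWNLOAD EXPECTED_SHA256 LINK TARGET
#   DOWNLOAD  file fetched with wget/curl into a scratch location
#   EXPECTED  digest copied from the release's .sha256 file
#   LINK      path tools invoke, e.g. /usr/bin/docker-compose
#   TARGET    versioned destination, e.g. /usr/bin/docker-compose-1.29.2
install_verified() {
    download=$1 expected=$2 link=$3 target=$4
    actual=$(sha256_of "$download")
    if [ "$actual" != "$expected" ]; then
        echo "refusing to install $download: sha256 $actual != $expected" >&2
        return 1
    fi
    # a plain-file original (the distro package's binary) is preserved, not overwritten
    if [ -e "$link" ] && [ ! -L "$link" ]; then
        mv "$link" "$link.orig"
    fi
    cp "$download" "$target"
    chmod 0755 "$target"        # wget -O leaves the executable bit off
    ln -sfn "$target" "$link"   # replace the symlink; the old target stays on disk
}

# rollback LINK TARGET -> point LINK back at an earlier versioned binary
rollback() {
    [ -x "$2" ] && ln -sfn "$2" "$1"
}

# usage (placeholder digest, replace with the value from docker-compose-Linux-x86_64.sha256):
# install_verified /tmp/docker-compose-1.29.2 0000000000000000000000000000000000000000000000000000000000000000 \
#     /usr/bin/docker-compose /usr/bin/docker-compose-1.29.2
# rollback /usr/bin/docker-compose /usr/bin/docker-compose.orig
```

The digest must come from a different channel than the binary (the GitHub release page rather than the mirror), otherwise a tampered mirror can serve a matching pair.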

MySQL database migration

Database backup

# -p with no value prompts for the password, so it stays out of the shell history and ps output
# --set-gtid-purged=OFF: the dump is restored into another database on the same MySQL instance,
#   where a SET @@GLOBAL.GTID_PURGED statement is rejected (and =ON errors out if GTIDs are disabled)
mysqldump -u USERNAME -p -h HOST -P PORT --no-create-db --set-gtid-purged=OFF --single-transaction --triggers --routines --events jumpserver > jumpserver-full-dump.sql

Fix the dump's collation

Work on a copy of the dump and strip the explicit utf8_bin collations from it; the imported tables then follow the collation-server default set below. The copy has to exist before it is checked.

cp jumpserver-full-dump.sql jmsdump.sql
if grep -q 'COLLATE[= ]utf8_bin' jmsdump.sql; then
  sed -e 's@COLLATE=utf8_bin@@g' -e 's@COLLATE utf8_bin@@g' -i.bak jmsdump.sql
else
  echo "backup database collation is already correct"
fi

Confirm the database configuration

Use the database configuration file my.cnf from the deployment project as a reference and adjust the database accordingly.

Only the settings this article needs to change are listed here; do not copy it wholesale!!!!

[mysqld]
...
character-set-server = utf8
collation-server = utf8_bin
#collation-server = utf8_general_ci
sql_mode=NO_ENGINE_SUBSTITUTION,STRICT_TRANS_TABLES
...
[mysqldump]
quick
quote-names
max_allowed_packet = 16M
[client]
default-character-set = utf8
[mysql]
default-character-set = utf8

Restart the database so the configuration takes effect. The restart briefly interrupts the v2.4.4 JumpServer that is still in use, so do it in a maintenance window.

systemctl restart mysqld.service

Confirm the database configuration

> SHOW VARIABLES LIKE '%character%';
+--------------------------+----------------------------+
| Variable_name            | Value                      |
+--------------------------+----------------------------+
| character_set_client     | utf8                       |
| character_set_connection | utf8                       |
| character_set_database   | utf8                       |
| character_set_filesystem | binary                     |
| character_set_results    | utf8                       |
| character_set_server     | utf8                       |
| character_set_system     | utf8                       |
| character_sets_dir       | /usr/share/mysql/charsets/ |
+--------------------------+----------------------------+
> SELECT @@sql_mode;
+--------------------------------------------+
| @@sql_mode                                 |
+--------------------------------------------+
| STRICT_TRANS_TABLES,NO_ENGINE_SUBSTITUTION |
+--------------------------------------------+

Create the database

This mainly isolates the new JumpServer's database from the old one, which makes rolling back easy.

CREATE DATABASE newDB;

Grant access to the database

GRANT ... IDENTIFIED BY is deprecated in MySQL 5.7 and gone in 8.0, so the user is created first. The host part '%' lets newUser connect from anywhere; once you know which address the containers connect from (the Docker bridge address, in this single-host setup), narrow it to that.

CREATE USER 'newUser'@'%' IDENTIFIED BY 'newPass';
GRANT ALL PRIVILEGES ON newDB.* TO 'newUser'@'%';

Import the data

mysql -u newUser -p newDB < jmsdump.sql

Redis upgrade

Download the new Redis release

The tarball is unpacked straight from the network; to verify it, download to a file first and compare its SHA-256 with the value listed for the release in the redis/redis-hashes repository.

wget https://download.redis.io/releases/redis-6.2.3.tar.gz -O - | tar xz
cd redis-6.2.3

Compile and install

make test needs Tcl 8.5 or newer. Leave the binaries root-owned: a service user that can overwrite its own executable turns any Redis compromise into persistence, and only the data directory (dir in the config below) has to be writable by the redis user created by the CentOS package.

make distclean && make MALLOC=jemalloc && make test
cp src/{redis-benchmark,redis-check-aof,redis-check-rdb,redis-cli,redis-sentinel,redis-server} /usr/local/bin/
# chown -R redis:redis /usr/local/bin/redis-*   # not needed; keep the binaries owned by root

Configure Redis

  • /etc/redis/redis_6380.conf

Two points about the listener in this file. bind 0.0.0.0 exposes port 6380 on every interface of the host, and protected-mode only takes effect when neither a bind directive nor a password is configured, so with an explicit wildcard bind it does nothing and requirepass is the only barrier. Bind to the addresses clients actually use (the Docker bridge address for the containers, 127.0.0.1 for local administration), restrict 6380 in the host firewall to the Docker subnet, and use a long random password: Redis can check on the order of 150k passwords per second, so a short one falls to online brute force.
bind 0.0.0.0
protected-mode yes
port 6380
tcp-backlog 511
timeout 0
tcp-keepalive 300
daemonize no
supervised systemd
pidfile /var/run/redis_6380.pid
loglevel notice
logfile ""
databases 16
always-show-logo no
set-proc-title yes
proc-title-template "{title} {listen-addr} {server-mode}"
save 3600 1
save 300 100
save 60 10000
stop-writes-on-bgsave-error yes
rdbcompression yes
rdbchecksum yes
dbfilename dump_6380.rdb
rdb-del-sync-files no
dir /var/lib/redis
replica-serve-stale-data yes
replica-read-only yes
repl-diskless-sync no
repl-diskless-sync-delay 5
repl-diskless-load disabled
repl-disable-tcp-nodelay no
replica-priority 100
acllog-max-len 128
requirepass newPass
maxmemory 1G
maxmemory-policy noeviction
maxmemory-samples 5
maxmemory-eviction-tenacity 10
replica-ignore-maxmemory yes
active-expire-effort 1
lazyfree-lazy-eviction no
lazyfree-lazy-expire no
lazyfree-lazy-server-del no
replica-lazy-flush no
lazyfree-lazy-user-del no
lazyfree-lazy-user-flush no
oom-score-adj no
oom-score-adj-values 0 200 800
disable-thp yes
appendonly no
appendfilename "appendonly_6380.aof"
appendfsync everysec
no-appendfsync-on-rewrite no
auto-aof-rewrite-percentage 100
auto-aof-rewrite-min-size 64mb
aof-load-truncated yes
aof-use-rdb-preamble yes
lua-time-limit 5000
slowlog-log-slower-than 10000
slowlog-max-len 128
latency-monitor-threshold 0
notify-keyspace-events ""
hash-max-ziplist-entries 512
hash-max-ziplist-value 64
list-max-ziplist-size -2
list-compress-depth 0
set-max-intset-entries 512
zset-max-ziplist-entries 128
zset-max-ziplist-value 64
hll-sparse-max-bytes 3000
stream-node-max-bytes 4096
stream-node-max-entries 100
activerehashing yes
client-output-buffer-limit normal 0 0 0
client-output-buffer-limit replica 256mb 64mb 60
client-output-buffer-limit pubsub 32mb 8mb 60
hz 10
dynamic-hz yes
aof-rewrite-incremental-fsync yes
rdb-save-incremental-fsync yes
jemalloc-bg-thread yes
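The listener and authentication points above, turned into a check that can run before an instance is started. This is an added example and not part of the original post or any Redis tooling; the rules (wildcard or missing bind, missing or short requirepass, protected-mode switched off) are the ones discussed above, and the sample configurations in the usage note are constructed.

```shell
#!/bin/sh
# Added example, not part of the original post: a small lint for a redis.conf, to run before
# starting an instance that listens on a non-loopback address. The rules encode the
# listener/auth points made above; they are not an official Redis tool.

# conf_value FILE KEY -> last non-comment value of KEY ("" if absent)
conf_value() {
    awk -v k="$2" '
        /^[[:space:]]*#/ { next }
        $1 == k { $1 = ""; sub(/^[[:space:]]+/, ""); v = $0 }
        END { print v }' "$1"
}

# audit_redis_conf FILE -> one finding per line on stdout; returns 0 only if clean
audit_redis_conf() {
    f=$1; n=0
    bind=$(conf_value "$f" bind)
    pmode=$(conf_value "$f" protected-mode)
    pass=$(conf_value "$f" requirepass)

    # No bind directive, or a wildcard in it, means every interface including the public one.
    case " $bind " in
        *" 0.0.0.0 "*|*" * "*|*" :: "*|"  ") public=1 ;;
        *) public=0 ;;
    esac

    if [ "$public" = 1 ] && [ -z "$pass" ]; then
        echo "listens on all interfaces with no requirepass: anyone who can reach the port owns the data"
        n=$((n + 1))
    fi
    if [ "$public" = 1 ] && [ -n "$pass" ]; then
        echo "listens on all interfaces; requirepass is the only barrier (protected-mode is inert once bind is set)"
        n=$((n + 1))
    fi
    # Redis verifies passwords fast enough that short ones fall to online brute force.
    if [ -n "$pass" ] && [ ${#pass} -lt 16 ]; then
        echo "requirepass is ${#pass} characters; use a long random value"
        n=$((n + 1))
    fi
    if [ "$pmode" = no ]; then
        echo "protected-mode no: remove it, the default only ever helps"
        n=$((n + 1))
    fi
    return "$n"
}

# usage: audit_redis_conf /etc/redis/redis_6380.conf || echo "fix the findings before systemctl start"
```

Run against the configuration above it reports two findings (wildcard bind, 7-character password); a copy with bind 127.0.0.1 172.19.0.1 and a long requirepass comes back clean.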

systemd configuration

/usr/lib/systemd/system/redis_multiple_servers@.service

The PID file follows the instance name (%i) instead of being hard-wired to one port, and the directive is PIDFile; with Type=notify systemd tracks the process through sd_notify and does not need it, and since the redis user cannot write to /var/run the file is advisory anyway. The [Install] section is what lets systemctl enable register an instance; without it enable refuses the unit.

[Unit]
Description=Redis data structure server - instance %i
After=network.target
After=network-online.target
Wants=network-online.target

[Service]
ExecStart=/usr/local/bin/redis-server /etc/redis/redis_%i.conf --supervised systemd
PIDFile=/var/run/redis_%i.pid
Type=notify
User=redis
Group=redis
RuntimeDirectory=redis
RuntimeDirectoryMode=0755
LimitNOFILE=10240

[Install]
WantedBy=multi-user.target

Start Redis

systemctl daemon-reload
systemctl enable --now redis_multiple_servers@6380.service

Disable the Redis shipped with CentOS

Port 6379 is down between the disable here and the enable below, so the old JumpServer's sessions may be interrupted for a moment.

systemctl disable --now redis.service
cp /etc/redis.conf /etc/redis/redis_6379.conf

Switch the old instance to the new Redis

From here both instances run the 6.2 binary: the old JumpServer keeps using 6379, the new one gets 6380. Check with redis-cli -p 6379 ping (and the unit's journal) that the old instance came back, since v2.4.4 is still serving users on it.

systemctl enable --now redis_multiple_servers@6379.service

JumpServer upgrade

Download the installer package

cd /opt
wget https://github.com/jumpserver/installer/releases/download/v2.10.4/jumpserver-installer-v2.10.4.tar.gz -O - | tar xz
cd jumpserver-installer-v2.10.4

Configure JumpServer

Create the configuration directory

mkdir -p /opt/jumpserver/config

Edit the configuration file

vim /opt/jumpserver/config/config.txt

This file ends up holding SECRET_KEY, BOOTSTRAP_TOKEN and the database and Redis passwords, so make it readable by root only (chmod 600). The commented Keycloak block carries AUTH_OPENID_IGNORE_SSL_VERIFICATION=true; if you enable OpenID later, leave that at false in production, otherwise the core will accept any certificate from the identity provider.

Parameters for each component

## Installation settings
DOCKER_IMAGE_PREFIX=swr.cn-south-1.myhuaweicloud.com
VOLUME_DIR=/opt/jumpserver
DOCKER_DIR=/var/lib/docker
### Cannot be changed after the first start, otherwise stored passwords etc. can no longer be decrypted
SECRET_KEY=# copy from the old version's configuration file (*)
BOOTSTRAP_TOKEN=# copy from the old version's configuration file (*)
LOG_LEVEL=INFO
# Different ports here so the old JumpServer can keep running alongside
LB_HTTP_PORT=8080
LB_HTTPS_PORT=8443
LB_SSH_PORT=2223

## External MySQL settings
USE_EXTERNAL_MYSQL=1
DB_HOST=<MySQL address>
DB_PORT=3306
DB_USER=newUser
DB_PASSWORD=newPass
DB_NAME=newDB

## External Redis settings
USE_EXTERNAL_REDIS=1
REDIS_HOST=<Redis address>
REDIS_PORT=6380
REDIS_PASSWORD=newPass
#
## Compose project settings
COMPOSE_PROJECT_NAME=jms
COMPOSE_HTTP_TIMEOUT=3600
DOCKER_CLIENT_TIMEOUT=3600
DOCKER_SUBNET='172.19.0.0/24'

## IPV6
DOCKER_SUBNET_IPV6=2001:db8:10::/64
USE_IPV6=0

## Nginx settings; this Nginx routes paths to the different services
HTTP_PORT=80
HTTPS_PORT=443
SSH_PORT=2222

## LB settings; this Nginx load-balances across hosts in an HA setup
USE_LB=0

## Task settings
USE_TASK=1

## XPack
USE_XPACK=0

# MySQL container settings
MYSQL_ROOT_PASSWORD=
MYSQL_DATABASE=jumpserver

# Core settings
SESSION_COOKIE_AGE=86400
SESSION_EXPIRE_AT_BROWSER_CLOSE=true

### Keycloak configuration
### AUTH_OPENID=true
### BASE_SITE_URL=https://jumpserver.company.com/
### AUTH_OPENID_SERVER_URL=https://keycloak.company.com/auth
### AUTH_OPENID_REALM_NAME=cmp
### AUTH_OPENID_CLIENT_ID=jumpserver
### AUTH_OPENID_CLIENT_SECRET=
### AUTH_OPENID_SHARE_SESSION=true
### AUTH_OPENID_IGNORE_SSL_VERIFICATION=true

# Koko settings
CORE_HOST=http://core:8080

# lion settings
CORE_HOST=http://core:8080
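The two values marked (*) have to be copied from the running v2.4.4 deployment byte for byte, otherwise the new core cannot decrypt the asset passwords already in the database. The helper below is an added example, not part of the original post or the installer: it moves a setting from the old configuration into config.txt without the secret passing through the shell history or a terminal. It assumes the old file is either a YAML config.yml ("KEY: value") or an env file ("KEY=value") and that the new file is the installer's config.txt with "KEY=" lines; the sample files in the usage note are constructed.

```shell
#!/bin/sh
# Added example, not part of the original post. Copies SECRET_KEY / BOOTSTRAP_TOKEN (or any
# other setting) from the old JumpServer configuration into the installer's config.txt.
# Assumed formats: old file is YAML ("KEY: value") or env ("KEY=value"); new file has
# "KEY=value" lines. Values are passed to awk via the environment, so no escaping issues.

# read_setting KEY FILE -> prints the value (one layer of quotes stripped), empty if absent
read_setting() {
    awk -v k="$1" '
        $0 ~ ("^[[:space:]]*" k "[[:space:]]*[:=]") {
            sub("^[[:space:]]*" k "[[:space:]]*[:=][[:space:]]*", "")
            sub(/[[:space:]]+$/, "")
            gsub(/^["'\'']|["'\'']$/, "")
            v = $0
        }
        END { print v }' "$2"
}

# carry_over KEY OLD NEW -> sets KEY=value in NEW from OLD; refuses to write an empty value
carry_over() {
    key=$1 old=$2 new=$3
    val=$(read_setting "$key" "$old")
    if [ -z "$val" ]; then
        echo "$key not found in $old; refusing to write an empty value" >&2
        return 1
    fi
    # replace an existing KEY= line in place, or append one if there is none
    CO_KEY=$key CO_VAL=$val awk '
        index($0, ENVIRON["CO_KEY"] "=") == 1 {
            print ENVIRON["CO_KEY"] "=" ENVIRON["CO_VAL"]; found = 1; next
        }
        { print }
        END { if (!found) print ENVIRON["CO_KEY"] "=" ENVIRON["CO_VAL"] }' "$new" > "$new.tmp" \
        && mv "$new.tmp" "$new"
    chmod 0600 "$new"   # the file now holds secrets
}

# usage (paths are assumptions; adjust to where the old deployment keeps its config):
# carry_over SECRET_KEY      /opt/jumpserver-old/config.yml /opt/jumpserver/config/config.txt
# carry_over BOOTSTRAP_TOKEN /opt/jumpserver-old/config.yml /opt/jumpserver/config/config.txt
# read_setting SECRET_KEY /opt/jumpserver/config/config.txt | wc -c   # confirm it is non-empty
```

After the copy, compare read_setting output for both files before running the installer; a mismatch here is only found later as a core that starts but cannot log in to any asset.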

Deploy JumpServer

Run the script

The script picks up the variables already set in /opt/jumpserver/config/config.txt and offers them as the defaults in the wizard.

./jmsctl.sh install

Wizard installation

       ██╗██╗   ██╗███╗   ███╗██████╗ ███████╗███████╗██████╗ ██╗   ██╗███████╗██████╗
██║██║ ██║████╗ ████║██╔══██╗██╔════╝██╔════╝██╔══██╗██║ ██║██╔════╝██╔══██╗
██║██║ ██║██╔████╔██║██████╔╝███████╗█████╗ ██████╔╝██║ ██║█████╗ ██████╔╝
██ ██║██║ ██║██║╚██╔╝██║██╔═══╝ ╚════██║██╔══╝ ██╔══██╗╚██╗ ██╔╝██╔══╝ ██╔══██╗
╚█████╔╝╚██████╔╝██║ ╚═╝ ██║██║ ███████║███████╗██║ ██║ ╚████╔╝ ███████╗██║ ██║
╚════╝ ╚═════╝ ╚═╝ ╚═╝╚═╝ ╚══════╝╚══════╝╚═╝ ╚═╝ ╚═══╝ ╚══════╝╚═╝ ╚═╝

Version: v2.10.4


>>> Install and configure Docker
1. Install Docker
Downloading Docker ...
Done
Downloading Docker Compose ...
Done

2. Configure Docker
Customize the Docker data directory? The default is /var/lib/docker (y/n) (default n): n
Done

3. Start Docker
The Docker version or the Docker configuration file has changed, restart? (y/n) (default y): y
Done

>>> Load Docker images
Docker: Pulling from jumpserver/core:v2.10.4 [ OK ]
Docker: Pulling from jumpserver/koko:v2.10.4 [ OK ]
Docker: Pulling from jumpserver/luna:v2.10.4 [ OK ]
Docker: Pulling from jumpserver/nginx:alpine2 [ OK ]
Docker: Pulling from jumpserver/redis:6-alpine [ OK ]
Docker: Pulling from jumpserver/lina:v2.10.4 [ OK ]
Docker: Pulling from jumpserver/mysql:5 [ OK ]
Docker: Pulling from jumpserver/lion:v2.10.4 [ OK ]

>>> Install and configure JumpServer
1. Check configuration files
Configuration directory: /opt/jumpserver/config
/opt/jumpserver/config/config.txt [ √ ]
/opt/jumpserver/config/nginx/lb_http_server.conf [ √ ]
/opt/jumpserver/config/nginx/lb_ssh_server.conf [ √ ]
/opt/jumpserver/config/core/config.yml [ √ ]
/opt/jumpserver/config/koko/config.yml [ √ ]
/opt/jumpserver/config/mysql/my.cnf [ √ ]
/opt/jumpserver/config/redis/redis.conf [ √ ]
Done

2. Configure Nginx
Configuration directory: /opt/jumpserver/config/nginx/cert
/opt/jumpserver/config/nginx/cert/server.crt [ √ ]
/opt/jumpserver/config/nginx/cert/server.key [ √ ]
Done

3. Back up configuration files
Backed up to /opt/jumpserver/config/backup/config.txt.2021-03-19_08-01-51
Done

4. Configure networking
Enable IPv6 support? (y/n) (default n): n
Done

5. Configure encryption keys
Done

6. Configure the persistence directory
Customize persistent storage? The default is /opt/jumpserver (y/n) (default n): n
Done

7. Configure MySQL
Use an external MySQL? (y/n) (default y): y
MySQL host address (default <MySQL address>): <MySQL address>
MySQL port (default 3306): 3306
MySQL database (grant access beforehand) (default new_db): newDB
MySQL user (default new_user): newUser
MySQL password (default new_pass): newPass
Done

8. Configure Redis
Use an external Redis? (y/n) (default y): y
Redis host address (default ): <Redis address>
Redis port (default 6380): 6380
Redis password (default NewJMSRedisPass): newPass
Done

>>> Installation complete

Modify the Nginx configuration

This is mainly the server name and the SSL certificate

vim /opt/jumpserver-installer-v2.10.4/compose/config_static/http_server.conf

Add the HTTPS certificate

The certificate is deployed into the JumpServer directory with the acme.sh script, with a reload hook so Nginx picks up renewed certificates.

The container is called jms_nginx (from COMPOSE_PROJECT_NAME=jms), and the same name has to be used in both hooks. --reloadcmd is stored by acme.sh and re-run after every renewal, so --renew-hook duplicates it; harmless, but one of the two is enough. The private key lands on the host filesystem and is bind-mounted into the container: restrict its permissions on the host, nothing but the nginx container needs to read it.

~/.acme.sh/acme.sh --installcert \
-d "jumpserver.example.com" \
--ecc \
--fullchainpath /opt/jumpserver/config/nginx/cert/jumpserver.crt \
--keypath /opt/jumpserver/config/nginx/cert/jumpserver.key \
--reloadcmd "/usr/bin/docker exec jms_nginx /usr/sbin/nginx -s reload" \
--renew-hook "/usr/bin/docker exec jms_nginx /usr/sbin/nginx -s reload"
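A reload that nginx rejects (key that does not match the certificate, certificate without a SAN for the host) leaves it serving the previous chain until it expires, and the only sign is a line in the error log. The checks below are an added example, not part of the original post or of acme.sh: they can be chained in front of the reload command above (for instance --reloadcmd "sh /opt/jumpserver/cert-preflight.sh && /usr/bin/docker exec jms_nginx /usr/sbin/nginx -s reload", where the script path is an assumption). They need the openssl CLI; the certificate and key paths in the usage comment are the ones used above.

```shell
#!/bin/sh
# Added example, not part of the original post: pre-flight checks to run before handing a
# renewed certificate to nginx. Requires the openssl command-line tool. Paths in the usage
# comment are the ones used in the acme.sh command above.

# pubkey_hex FILE MODE -> DER public key as hex, from a certificate (cert) or a private key (key)
pubkey_hex() {
    if [ "$2" = cert ]; then
        openssl x509 -in "$1" -noout -pubkey 2>/dev/null | openssl pkey -pubin -outform DER 2>/dev/null
    else
        openssl pkey -in "$1" -pubout -outform DER 2>/dev/null
    fi | od -An -tx1 | tr -d ' \n'
}

# cert_key_match CERT KEY -> 0 if KEY is the private half of the key in CERT (RSA or ECC)
cert_key_match() {
    a=$(pubkey_hex "$1" cert)
    b=$(pubkey_hex "$2" key)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# cert_covers CERT HOST -> 0 if HOST is listed as a DNS SAN (browsers ignore the CN)
cert_covers() {
    h=$(printf '%s' "$2" | sed 's/\./\\./g')   # escape dots for the regex
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -A1 'Subject Alternative Name' \
        | grep -Eq "DNS:$h"'(,|[[:space:]]|$)'
}

# cert_valid_for CERT DAYS -> 0 if CERT is still valid DAYS days from now
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# preflight CERT KEY HOST -> 0 only if all checks pass; reports the first failure on stderr
preflight() {
    cert_key_match "$1" "$2" || { echo "key $2 does not match $1" >&2; return 1; }
    cert_covers "$1" "$3"    || { echo "$1 has no SAN for $3" >&2; return 1; }
    cert_valid_for "$1" 7    || { echo "$1 expires within 7 days" >&2; return 1; }
}

# usage:
# preflight /opt/jumpserver/config/nginx/cert/jumpserver.crt \
#           /opt/jumpserver/config/nginx/cert/jumpserver.key jumpserver.example.com
```

Comparing the DER-encoded public keys works for both RSA and the ECC certificate requested with --ecc above, which the classic RSA-only modulus comparison does not.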

Start JumpServer

./jmsctl.sh start

Verify JumpServer

Check the server certificate

-servername sends SNI, so the name-based vhost answers with its own chain; look at the issuer and validity dates in the output, not just at whether the handshake succeeded.

openssl s_client -showcerts -servername jumpserver.example.com -connect jumpserver.example.com:8443 </dev/null

Test an SSH connection to JumpServer

ssh USERNAME@jumpserver.example.com -p 2223

Log in to the web UI

Open https://jumpserver.example.com:8443 in a browser

Problems encountered during the upgrade

jms_core does not start

  • check the core log /opt/jumpserver/core/logs/jumpserver.log

  • the Django db migrate step failed, so jms_core could not complete the database migration and start-up blocked on it

Fix

  • ./jmsctl.sh stop to stop the bastion containers
  • re-import the database; a partially applied migration leaves tables behind that the dump does not drop, so recreate newDB first and import into the empty database
  • ./jmsctl.sh start to start the bastion containers again

The web page returns a 500 internal error

  • with the browser developer tools open (F12), the request to /api/v1/index/?total_count=1 is the one returning 500

  • check the core log /opt/jumpserver/core/logs/jumpserver.log

  • it turns out to be a Redis command error, caused by the Redis version

Fix

  • upgrade Redis to >= 6.0

Final migration

After a quick test of jumpserver-v2.10.4 showed no major problems, the old JumpServer was stopped.

Then edit the new version's configuration file to switch back to the normal 80/443/2222 ports. The old database (jumpserver) and the Redis instance on 6379 are left untouched, so rolling back is a matter of starting the old containers again.