概述
之前說了國產良心kodexplorer,今天再說一個國內比較好的開源項目jumpserver,除此之外還可以的國內開源項目我覺得就是寶塔面板了。廢話不多說上教程搭建。 雖然說你可以看下面的教程不用聽我瞎扯
http://docs.jumpserver.org/zh/docs/step_by_step.html
雖然說我的教程基本都是複製這個文檔的,但是有的地方還是不一樣的
前期初始化
- 首先關閉selinux
vim /etc/selinux/config
SELINUX=enforcing
改爲
SELINUX=disabled
之後
setenforce 0
- 關閉防火牆
systemctl stop firewalld
systemctl disable firewalld
- 修改字符集
localedef -c -f UTF-8 -i zh_CN zh_CN.UTF-8
export LC_ALL=zh_CN.UTF-8
echo 'LANG="zh_CN.UTF-8"' > /etc/locale.conf
- 安裝python3和python編譯的依賴環境
首先安裝變異python3前的依賴環境
yum -y install wget sqlite-devel xz gcc automake zlib-devel openssl-devel epel-release git
之後下載python3編譯安裝
wget https://www.python.org/ftp/python/3.6.1/Python-3.6.1.tar.xz
解壓編譯安裝
tar xvf Python-3.6.1.tar.xz && cd Python-3.6.1 && ./configure && make && make install
- 建立python的虛擬環境
cd /opt && python3 -m venv py3 && source /opt/py3/bin/activate
- 自動載入 Python 虛擬環境配置
這個是爲了讓你進入jumpserver這個文件夾的時候可以自動載入環境變量
cd /opt && git clone git://github.com/kennethreitz/autoenv.git && echo 'source /opt/autoenv/activate.sh' >> ~/.bashrc && source ~/.bashrc
安裝jumpserver
- clone項目
cd /opt/ && git clone https://github.com/jumpserver/jumpserver.git && cd jumpserver && git checkout master && echo "source /opt/py3/bin/activate" > /opt/jumpserver/.env
之後進入jumpserver這個文件夾會有一個提示你輸入y就好,這樣之後每次進入這個文件夾就會自動導入py3的環境變量
- 安裝rpm包的依賴
cd /opt/jumpserver/requirements && yum -y install $(cat rpm_requirements.txt)
- 安裝python依賴
pip install -r requirements.txt -i https://pypi.douban.com/simple/
- 安裝 Redis, Jumpserver 使用 Redis 做 cache 和 celery broke
yum -y install redis && systemctl enable redis && systemctl start redis
- 安裝mariadb
yum -y install mariadb mariadb-devel mariadb-server && systemctl enable mariadb && systemctl start mariadb
- 設置mariadb的root密碼
執行mysql_secure_installation之後按照流程走就好了
[root@bboysoul-centos-vm ~]# mysql_secure_installation
NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY!
In order to log into MariaDB to secure it, we'll need the current
password for the root user. If you've just installed MariaDB, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.
Enter current password for root (enter for none):
OK, successfully used password, moving on...
Setting the root password ensures that nobody can log into the MariaDB
root user without the proper authorisation.
Set root password? [Y/n] y
New password:
Re-enter new password:
Sorry, passwords do not match.
New password:
Re-enter new password:
Password updated successfully!
Reloading privilege tables..
... Success!
By default, a MariaDB installation has an anonymous user, allowing anyone
to log into MariaDB without having to have a user account created for
them. This is intended only for testing, and to make the installation
go a bit smoother. You should remove them before moving into a
production environment.
Remove anonymous users? [Y/n] y
... Success!
Normally, root should only be allowed to connect from 'localhost'. This
ensures that someone cannot guess at the root password from the network.
Disallow root login remotely? [Y/n] n
... skipping.
By default, MariaDB comes with a database named 'test' that anyone can
access. This is also intended only for testing, and should be removed
before moving into a production environment.
Remove test database and access to it? [Y/n] y
- Dropping test database...
... Success!
- Removing privileges on test database...
... Success!
Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.
Reload privilege tables now? [Y/n] y
... Success!
Cleaning up...
All done! If you've completed all of the above steps, your MariaDB
installation should now be secure.
Thanks for using MariaDB!
- 創建數據庫 Jumpserver 並授權
[root@bboysoul-centos-vm ~]# mysql -u root -p
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 9
Server version: 5.5.60-MariaDB MariaDB Server
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> create database jumpserver default charset 'utf8';
Query OK, 1 row affected (0.00 sec)
MariaDB [(none)]> grant all on jumpserver.* to 'jumpserver'@'%' identified by '你的密碼';
Query OK, 0 rows affected (0.01 sec)
MariaDB [(none)]> flush privileges;
Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]>
- 修改 Jumpserver 配置文件
cd /opt/jumpserver && cp config_example.py config.py && vi config.py
下面是我的配置文件
"""
jumpserver.config
~~~~~~~~~~~~~~~~~
Jumpserver project setting file
:copyright: (c) 2014-2017 by Jumpserver Team
:license: GPL v2, see LICENSE for more details.
"""
import os
BASE_DIR = os.path.dirname(os.path.abspath(__file__))
class Config:
# Use it to encrypt or decrypt data
# SECURITY WARNING: keep the secret key used in production secret!
# 這個不用動,讓他默認就好
SECRET_KEY = os.environ.get('SECRET_KEY') or '2vym+ky!997d5kkcc64mnz06y1mmui3lut#(^wd=%s_qj$1%x'
# Django security setting, if your disable debug model, you should setting that
ALLOWED_HOSTS = ['*']
# 關閉debug模式,因爲之後我們要安裝nginx做代理的
# Development env open this, when error occur display the full process track, Production disable it
DEBUG = os.environ.get("DEBUG") or False
# 日誌級別變成警告就好,不然日誌太多
# DEBUG, INFO, WARNING, ERROR, CRITICAL can set. See https://docs.djangoproject.com/en/1.10/topics/logging/
LOG_LEVEL = os.environ.get("LOG_LEVEL") or 'WARNING'
LOG_DIR = os.path.join(BASE_DIR, 'logs')
# Database setting, Support sqlite3, mysql, postgres ....
# See https://docs.djangoproject.com/en/1.10/ref/settings/#databases
# SQLite setting:
#DB_ENGINE = 'sqlite3'
#DB_NAME = os.path.join(BASE_DIR, 'data', 'db.sqlite3')
# MySQL or postgres setting like:
# DB_ENGINE = os.environ.get("DB_ENGINE") or 'mysql'
# DB_HOST = os.environ.get("DB_HOST") or '127.0.0.1'
# DB_PORT = os.environ.get("DB_PORT") or 3306
# DB_USER = os.environ.get("DB_USER") or 'jumpserver'
# DB_PASSWORD = os.environ.get("DB_PASSWORD") or 'weakPassword'
# DB_NAME = os.environ.get("DB_NAME") or 'jumpserver'
# 數據庫設置,因爲我們使用的是mysql
DB_ENGINE = os.environ.get("DB_ENGINE") or 'mysql'
DB_HOST = os.environ.get("DB_HOST") or '127.0.0.1'
DB_PORT = os.environ.get("DB_PORT") or 3306
DB_USER = os.environ.get("DB_USER") or 'jumpserver'
DB_PASSWORD = os.environ.get("DB_PASSWORD") or '你的密碼'
DB_NAME = os.environ.get("DB_NAME") or 'jumpserver'
# When Django start it will bind this host and port
# ./manage.py runserver 127.0.0.1:8080
HTTP_BIND_HOST = '0.0.0.0'
HTTP_LISTEN_PORT = 8080
# Use Redis as broker for celery and web socket
REDIS_HOST = os.environ.get("REDIS_HOST") or '127.0.0.1'
REDIS_PORT = os.environ.get("REDIS_PORT") or 6379
REDIS_PASSWORD = os.environ.get("REDIS_PASSWORD") or ''
REDIS_DB_CELERY = os.environ.get('REDIS_DB') or 3
REDIS_DB_CACHE = os.environ.get('REDIS_DB') or 4
def __init__(self):
pass
def __getattr__(self, item):
return None
class DevelopmentConfig(Config):
pass
class TestConfig(Config):
pass
class ProductionConfig(Config):
pass
# Default using Config settings, you can write if/else for different env
config = DevelopmentConfig()
下面是官方的配置文件,可以做個參考
"""
jumpserver.config
~~~~~~~~~~~~~~~~~
Jumpserver project setting file
:copyright: (c) 2014-2017 by Jumpserver Team
:license: GPL v2, see LICENSE for more details.
"""
import os
BASE_DIR = os.path.dirname(os.path.abspath(__file__))
class Config:
# Use it to encrypt or decrypt data
# Jumpserver 使用 SECRET_KEY 進行加密,請務必修改以下設置
# SECRET_KEY = os.environ.get('SECRET_KEY') or '2vym+ky!997d5kkcc64mnz06y1mmui3lut#(^wd=%s_qj$1%x'
SECRET_KEY = '請隨意輸入隨機字符串(推薦字符大於等於 50位)'
# Django security setting, if your disable debug model, you should setting that
ALLOWED_HOSTS = ['*']
# DEBUG 模式 True爲開啓 False爲關閉,默認開啓,生產環境推薦關閉
# 注意:如果設置了DEBUG = False,訪問8080端口頁面會顯示不正常,需要搭建 nginx 代理纔可以正常訪問
DEBUG = os.environ.get("DEBUG") or True
# 日誌級別,默認爲DEBUG,可調整爲INFO, WARNING, ERROR, CRITICAL,默認INFO
LOG_LEVEL = os.environ.get("LOG_LEVEL") or 'WARNING'
LOG_DIR = os.path.join(BASE_DIR, 'logs')
# 使用的數據庫配置,支持sqlite3, mysql, postgres等,默認使用sqlite3
# See https://docs.djangoproject.com/en/1.10/ref/settings/#databases
# 默認使用SQLite3,如果使用其他數據庫請註釋下面兩行
# DB_ENGINE = 'sqlite3'
# DB_NAME = os.path.join(BASE_DIR, 'data', 'db.sqlite3')
# 如果需要使用mysql或postgres,請取消下面的註釋並輸入正確的信息,本例使用mysql做演示(mariadb也是mysql)
DB_ENGINE = os.environ.get("DB_ENGINE") or 'mysql'
DB_HOST = os.environ.get("DB_HOST") or '127.0.0.1'
DB_PORT = os.environ.get("DB_PORT") or 3306
DB_USER = os.environ.get("DB_USER") or 'jumpserver'
DB_PASSWORD = os.environ.get("DB_PASSWORD") or 'weakPassword'
DB_NAME = os.environ.get("DB_NAME") or 'jumpserver'
# Django 監聽的ip和端口,生產環境推薦把0.0.0.0修改成127.0.0.1,這裏的意思是允許x.x.x.x訪問,127.0.0.1表示僅允許自身訪問
# ./manage.py runserver 127.0.0.1:8080
HTTP_BIND_HOST = '0.0.0.0'
HTTP_LISTEN_PORT = 8080
# Redis 相關設置
REDIS_HOST = os.environ.get("REDIS_HOST") or '127.0.0.1'
REDIS_PORT = os.environ.get("REDIS_PORT") or 6379
REDIS_PASSWORD = os.environ.get("REDIS_PASSWORD") or ''
REDIS_DB_CELERY = os.environ.get('REDIS_DB') or 3
REDIS_DB_CACHE = os.environ.get('REDIS_DB') or 4
def __init__(self):
pass
def __getattr__(self, item):
return None
class DevelopmentConfig(Config):
pass
class TestConfig(Config):
pass
class ProductionConfig(Config):
pass
# Default using Config settings, you can write if/else for different env
config = DevelopmentConfig()
- 生成數據庫表結構和初始化數據
cd /opt/jumpserver/utils && bash make_migrations.sh
運行jumpserver
cd /opt/jumpserver && ./jms start all -d
默認的後臺賬號是admin admin 但是這個時候個人覺得不要去訪問,到最後安裝了nginx再去訪問
安裝 SSH Server 和 WebSocket Server: Coco
- 下載或 Clone 項目
cd /opt && source /opt/py3/bin/activate && git clone https://github.com/jumpserver/coco.git && cd coco && git checkout master && echo "source /opt/py3/bin/activate" > /opt/coco/.env
同樣首次進入這個coco文件夾也是會有個提示你輸入y就好
- 安裝依賴
cd /opt/coco/requirements && yum -y install $(cat rpm_requirements.txt) && pip install -r requirements.txt -i https://pypi.douban.com/simple/
- 修改配置文件並運行
cd /opt/coco && cp conf_example.py conf.py && vi conf.py
其實上面這個配置文件沒什麼好修改的,如果要修改可以修改一下日誌級別,其他的自己看着辦
之後運行coco
./cocod start -d
官方文檔會讓你在這個時候進入web界面接受什麼註冊,先別管他,直接進行下一步
安裝 Web Terminal 前端: Luna
- 安裝Luna
cd /opt && wget https://github.com/jumpserver/luna/releases/download/1.4.1/luna.tar.gz && tar xvf luna.tar.gz && chown -R root:root luna
安裝windows支持組建
就是可以管理windows服務器這樣,官方推薦使用docker了,所以那麼就使用docker鏡像來安裝就好了
- 安裝docker
yum install -y yum-utils device-mapper-persistent-data lvm2 && yum-config-manager --add-repo http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo && rpm --import http://mirrors.aliyun.com/docker-ce/linux/centos/gpg && yum makecache fast && yum -y install docker-ce && systemctl start docker && systemctl enable docker && systemctl status docker
- 啓動 Guacamole
注意下面的jumpserver地址不能寫127.0.0.1,因爲是容器運行的所以寫127.0.0.1就是容器本身了,寫宿主機ip或者url就好
docker run --name jms_guacamole -d \
-p 8081:8080 -v /opt/guacamole/key:/config/guacamole/key \
-e JUMPSERVER_KEY_DIR=/config/guacamole/key \
-e JUMPSERVER_SERVER=http://<填寫jumpserver的url地址> \
jumpserver/guacamole:latest
之後官方會說讓你去web界面接收什麼註冊先別管他,繼續下一步
配置 Nginx 整合各組件
- 安裝nginx
yum -y install nginx
- 配置nginx
首先新建下面這個文件
vim /etc/nginx/conf.d/jumpserver.conf
輸入
server {
listen 80; # 代理端口,以後將通過此端口進行訪問,不再通過8080端口
client_max_body_size 100m; # 錄像上傳大小限制
location /luna/ {
try_files $uri / /index.html;
alias /opt/luna/; # luna 路徑,如果修改安裝目錄,此處需要修改
}
location /media/ {
add_header Content-Encoding gzip;
root /opt/jumpserver/data/; # 錄像位置,如果修改安裝目錄,此處需要修改
}
location /static/ {
root /opt/jumpserver/data/; # 靜態資源,如果修改安裝目錄,此處需要修改
}
location /socket.io/ {
proxy_pass http://localhost:5000/socket.io/; # 如果coco安裝在別的服務器,請填寫它的ip
proxy_buffering off;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
access_log off;
}
location /guacamole/ {
proxy_pass http://localhost:8081/; # 如果guacamole安裝在別的服務器,請填寫它的ip
proxy_buffering off;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $http_connection;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
access_log off;
}
location / {
proxy_pass http://localhost:8080; # 如果jumpserver安裝在別的服務器,請填寫它的ip
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
保存退出之後編輯下面這個文件
vim /etc/nginx/nginx.conf
刪除其中的server字段,就是下面內容
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name _;
root /usr/share/nginx/html;
# Load configuration files for the default server block.
include /etc/nginx/default.d/*.conf;
location / {
}
error_page 404 /404.html;
location = /40x.html {
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
}
}
保存退出
- 運行nginx
systemctl restart nginx && systemctl enable nginx
開始使用jumpserver
首先檢查各組件是不是正常
cd /opt/jumpserver && ./jms status
cd /opt/coco && ./cocod status
查看Guacamole是不是正常
docker ps
接着我們瀏覽器訪問服務器的ip,默認的賬號和密碼都是admin
登陸完成之後我們就可以註冊我們的兩個組件了,點擊會話管理->終端管理終端列表裏面有兩行全部點擊接受就好
如果沒有的話那麼按照下面的順序重新啓動一下服務
首先關閉所有的服務
cd /opt/jumpserver && ./jms stop all
cd /opt/coco && ./cocod stop
docker stop jms_guacamole
接着按照我的順序啓動服務
cd /opt/jumpserver && ./jms start all -d
尤其要注意這步,一定要確保啓動成功,尤其是配置低的機器很有可能啓動失敗的
cd /opt/jumpserver && ./jms status
cd /opt/coco && ./cocod start -d
docker start jms_guacamole
使用
關於使用我想說的是有兩個概念一個是資產管理中的管理用戶,一個是資產管理中的系統用戶。
什麼是管理用戶,管理用戶其實就是一臺服務器的root,擁有這臺服務器的最高權限,可以在這臺服務器中創建系統用戶。
什麼是系統用戶,系統用戶就是你想添加到服務器中的用戶,或者是系統中已經存在的用戶,它可以是root。如果它沒有被創建,那麼jumpserver可以使用用戶推送功能向服務器中創建用戶
關於資產授權,當你創建完成資產之後這個資產也就是服務器是不屬於任何用戶的,你必須要創建資產授權,把資產授權給這個用戶纔可以讓這個用戶去訪問
關於MFA二次認證,其實就是在登錄的時候還要下載一個谷歌驗證器使用裏面的數字登錄,就是類似以前的遊戲將軍令
歡迎關注Bboysoul的博客www.bboysoul.com Have Fun