Jumpserver Deployment and Installation

Most readers will be familiar with bastion hosts (jump hosts): to keep servers safe, a bastion host is placed in front of them and every SSH connection goes through it. The bastion host itself therefore needs authentication, authorization, access control and log auditing.

Jumpserver is the world's first fully open-source bastion host and a professional operations audit system that meets the 4A requirements (authentication, authorization, account management and auditing).

Jumpserver is developed in Python / Django and uses a distributed architecture that supports deployment across multiple data centres and regions: a central node provides the API and each data centre runs its own login nodes, so the system scales horizontally without a hard limit on concurrent access.

Jumpserver now supports managing assets over the SSH, Telnet, RDP and VNC protocols.

The architecture diagram is as follows:

[image: architecture diagram]

Jumpserver consists of four components, each with the following role:

  • Jumpserver is the management backend. Administrators use its web UI for asset management, user management and asset authorization; users use the same web UI to log in to assets, manage files and so on.
  • Coco is the SSH server and web terminal server. Users connect with their own account over SSH or through the web terminal to reach SSH- and Telnet-protocol assets.
  • Luna is the web terminal front end, the component users need in order to log in through the web terminal.
  • Guacamole is the component for RDP- and VNC-protocol assets; users connect to them through the web terminal (for now that is the only way to reach them).

Port description

Each component listens on the following ports:

  • Jumpserver: 8080/tcp by default; configuration file jumpserver/config.yml
  • Coco: SSH on 2222/tcp and the web terminal on 5000/tcp by default; configuration file coco/config.yml
  • Guacamole: 8081/tcp by default; configuration file /config/tomcat8/conf/server.xml
  • Nginx: 80/tcp by default
  • Redis: 6379/tcp by default
  • MySQL: 3306/tcp by default
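
Once the stack is running, this port table doubles as an exposure policy: only Nginx (80) and Coco's SSH listener (2222) need to be reachable from other hosts, while MySQL, Redis, the Coco web terminal and Guacamole should sit on loopback behind Nginx. The script below is an added example, not code from the original post or from the Jumpserver project: it checks `ss -lntp` output against that policy. It assumes the post's nginx.conf (not shown) proxies to Coco's web terminal on 5000 and Guacamole on 8081 via localhost, as the project's reference config does. It deliberately leaves 8080 out of both lists, because the Guacamole container in section 7 is started with JUMPSERVER_SERVER pointing at the host's LAN address, so the core must stay reachable there and is better restricted with a host firewall rule than by binding it to loopback; such ports are reported for review rather than as violations. The sample ss output is constructed from the netstat lines shown later in this post.

```shell
#!/bin/bash
# Added example; not code from the original post or the Jumpserver project.
# Audits "ss -lntp" output against the port table: only Nginx (80) and Coco's
# SSH (2222) may face other hosts; MySQL, Redis, the Coco web terminal and
# Guacamole must stay on loopback behind Nginx (assumption: nginx.conf proxies
# to 5000 and 8081 on localhost). 8080 is in neither list on purpose: the
# Guacamole container reaches the core via the host's LAN IP, so it is only
# reported for review (firewall it; do not bind it to loopback).
set -eu

PUBLIC_PORTS="80 2222"
LOOPBACK_ONLY_PORTS="3306 6379 5000 8081"

# audit_listeners < ss-output
# Prints one verdict per LISTEN socket; returns 1 if any loopback-only port
# is bound to a non-loopback address.
audit_listeners() {
    awk -v pub_list="$PUBLIC_PORTS" -v priv_list="$LOOPBACK_ONLY_PORTS" '
    BEGIN {
        n = split(pub_list, a, " ");  for (i = 1; i <= n; i++) pub[a[i]] = 1
        n = split(priv_list, b, " "); for (i = 1; i <= n; i++) priv[b[i]] = 1
        bad = 0
    }
    $1 == "LISTEN" {
        addr = $4                           # e.g. 0.0.0.0:3306, [::]:8081, *:80
        if (!match(addr, /:[0-9]+$/)) next  # skip anything without a port
        port = substr(addr, RSTART + 1)
        host = substr(addr, 1, RSTART - 1)
        loopback = (host == "127.0.0.1" || host == "[::1]" || host == "::1")
        if (port in pub)          { print "OK      " addr }
        else if (loopback)        { print "OK      " addr " (loopback)" }
        else if (port in priv)    { print "EXPOSED " addr; bad = 1 }
        else                      { print "REVIEW  " addr }
    }
    END { exit bad }'
}

# count_exposed < ss-output: number of policy violations (0 = clean).
count_exposed() {
    { audit_listeners || true; } | grep -c '^EXPOSED' || true
}

# Constructed sample modelled on the netstat lines in this post (8080 and
# 3306 on 0.0.0.0, Guacamole published by docker-proxy on [::]:8081).
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:80         0.0.0.0:*         users:(("nginx",pid=1200,fd=6))
LISTEN 0      128    0.0.0.0:2222       0.0.0.0:*         users:(("cocod",pid=1300,fd=8))
LISTEN 0      128    0.0.0.0:8080       0.0.0.0:*         users:(("python3",pid=78950,fd=5))
LISTEN 0      128    127.0.0.1:5000     0.0.0.0:*         users:(("cocod",pid=1300,fd=9))
LISTEN 0      128    0.0.0.0:3306       0.0.0.0:*         users:(("mysqld",pid=21063,fd=13))
LISTEN 0      128    127.0.0.1:6379     0.0.0.0:*         users:(("redis-server",pid=21339,fd=6))
LISTEN 0      128    [::]:8081          [::]:*            users:(("docker-proxy",pid=80767,fd=4))'

# Real use: ss -lntp | audit_listeners
if ! printf '%s\n' "$SAMPLE_SS" | audit_listeners; then
    echo "fix: bind-address=127.0.0.1 under [mysqld]; docker run -p 127.0.0.1:8081:8080 ..." >&2
fi
```

On the sample above the script flags 3306 and 8081 as EXPOSED, lists 8080 for REVIEW, and accepts 80, 2222 and the two loopback listeners; after the two fixes named in its error message it returns 0 with only the 8080 review line left.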


1. Environment
[image: environment table]
Note: for a test environment, use at least 4 GB of RAM and a dual-core CPU.

Required source packages: https://pan.baidu.com/s/1PVebXabJpLH4wfTUL5d1Mw
Extraction code: jy8m
First set the system locale to Chinese (zh_CN.UTF-8): Jumpserver's log files contain Chinese characters, and under a locale that cannot represent them they come out garbled.

[root@jumpserver ~]# localedef -c -f UTF-8 -i  zh_CN  zh_CN.UTF-8
[root@jumpserver ~]# export LC_ALL=zh_CN.UTF-8
[root@jumpserver ~]# echo 'LC_ALL=zh_CN.UTF-8' > /etc/locale.conf 

2. Set up the Python 3 environment

[root@jumpserver jumpserver]# wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo         # download the yum repository file
[root@jumpserver jumpserver]# yum -y install wget sqlite-devel xz gcc automake zlib-devel openssl-devel epel-release git      # install build dependencies
[root@jumpserver /]# mkdir jumpserver        # personal preference: keep the source packages here
[root@jumpserver /]# cd jumpserver/
[root@jumpserver jumpserver]# rz                 # upload the required packages (ZMODEM)
[root@jumpserver jumpserver]# tar xf Python-3.6.1.tar.xz           # unpack
[root@jumpserver jumpserver]# cd Python-3.6.1/
[root@jumpserver Python-3.6.1]# ./configure && make && make install                # build and install
[root@jumpserver Python-3.6.1]# cd /opt/
[root@jumpserver opt]# python3 -m venv py3
[root@jumpserver opt]# source /opt/py3/bin/activate       # activate the Python 3 virtual environment
# Load the py3 virtualenv automatically: from now on, entering this directory activates the Py3 environment.
# Caveat: autoenv sources any .env file in a directory you cd into (after a one-time prompt per file), so only use it on a host where every directory you will visit is trusted.
(py3) [root@jumpserver opt]# cd /jumpserver/
(py3) [root@jumpserver jumpserver]# unzip autoenv.zip -d /opt/
(py3) [root@jumpserver jumpserver]# cd /opt/autoenv
(py3) [root@jumpserver autoenv]# echo "source /opt/autoenv/activate.sh" >> /root/.bashrc 
(py3) [root@jumpserver autoenv]# . ~/.bashrc 

3. Install Jumpserver

(py3) [root@jumpserver autoenv]# cd /jumpserver/
(py3) [root@jumpserver jumpserver]# unzip jumpserver.zip -d /opt/
(py3) [root@jumpserver jumpserver]# cd /opt/
(py3) [root@jumpserver opt]# echo "source /opt/py3/bin/activate" > /opt/jumpserver/.env
(py3) [root@jumpserver opt]# cd jumpserver/
autoenv:
autoenv: WARNING:
autoenv: This is the first time you are about to source /opt/jumpserver/.env:
autoenv:
autoenv:   --- (begin contents) ---------------------------------------
autoenv:     source /opt/py3/bin/activate$
autoenv:
autoenv:   --- (end contents) -----------------------------------------
autoenv:
autoenv: Are you sure you want to allow this? (y/N) y         # answer y so the py3 environment loads automatically
(py3) [root@jumpserver jumpserver]# cd requirements/
(py3) [root@jumpserver requirements]# yum -y install `cat rpm_requirements.txt`
(py3) [root@jumpserver requirements]# pip install --upgrade pip
(py3) [root@jumpserver requirements]# pip install -r requirements.txt -i https://mirrors.aliyun.com/pypi/simple/

4. Install MySQL and Redis

# Install MySQL (MariaDB). Note: DB_HOST in config.yml is 127.0.0.1, so the server does not need to listen on all interfaces as it does below; add bind-address = 127.0.0.1 under [mysqld] in /etc/my.cnf and restart mariadb.
(py3) [root@jumpserver requirements]# yum -y install mariadb*
(py3) [root@jumpserver requirements]# systemctl start mariadb
(py3) [root@jumpserver /]# netstat -anput | grep 3306
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      21063/mysqld   
# The password 123.com is a lab placeholder; use a strong one, and remember that passing it on the command line leaves it in the shell history.
(py3) [root@jumpserver /]# mysqladmin -u root password 123.com
(py3) [root@jumpserver /]# mysql -u root -p
Enter password: 
MariaDB [(none)]> create database jumpserver default charset 'utf8';
MariaDB [(none)]> grant all on jumpserver.* to 'jumpserver'@'127.0.0.1' identified by '123.com';
MariaDB [(none)]> exit
# Install Redis (it already listens on 127.0.0.1 only, which matches REDIS_HOST in config.yml)
(py3) [root@jumpserver /]# yum -y install redis
(py3) [root@jumpserver /]# systemctl start redis
(py3) [root@jumpserver /]# netstat -anput | grep 6379
tcp        0      0 127.0.0.1:6379          0.0.0.0:*               LISTEN      21339/redis-server  

5. Edit the Jumpserver configuration file

(py3) [root@jumpserver /]# cd /opt/jumpserver/
(py3) [root@jumpserver jumpserver]# cp config_example.yml config.yml
# Generate the secret key and bootstrap token
(py3) [root@jumpserver jumpserver]# SECRET_KEY=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 50`
(py3) [root@jumpserver jumpserver]# echo "SECRET_KEY=$SECRET_KEY" >> ~/.bashrc
(py3) [root@jumpserver jumpserver]# BOOTSTRAP_TOKEN=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 16`
(py3) [root@jumpserver jumpserver]# echo "BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN" >> ~/.bashrc
# Note: the two echo lines persist both secrets in root's ~/.bashrc. They are only there so that $BOOTSTRAP_TOKEN can be reused when Coco is configured below; once both config.yml files hold the values, remove the lines from ~/.bashrc.
(py3) [root@jumpserver jumpserver]# sed -i "s/SECRET_KEY:/SECRET_KEY: $SECRET_KEY/g" /opt/jumpserver/config.yml
(py3) [root@jumpserver jumpserver]# sed -i "s/BOOTSTRAP_TOKEN:/BOOTSTRAP_TOKEN: $BOOTSTRAP_TOKEN/g" /opt/jumpserver/config.yml
(py3) [root@jumpserver jumpserver]# sed -i "s/# DEBUG: true/DEBUG: false/g" /opt/jumpserver/config.yml
(py3) [root@jumpserver jumpserver]# sed -i "s/# LOG_LEVEL: DEBUG/LOG_LEVEL: ERROR/g" /opt/jumpserver/config.yml
(py3) [root@jumpserver jumpserver]# sed -i "s/# SESSION_EXPIRE_AT_BROWSER_CLOSE: False/SESSION_EXPIRE_AT_BROWSER_CLOSE: true/g" /opt/jumpserver/config.yml 
(py3) [root@jumpserver jumpserver]# sed -i "s/DB_PASSWORD: /DB_PASSWORD: 123.com/g" /opt/jumpserver/config.yml
(py3) [root@jumpserver jumpserver]# echo -e "\033[31m Your SECRET_KEY is $SECRET_KEY \033[0m"
 Your SECRET_KEY is IGbsKK8366vW92hIk8IViTd8npO6Rf2d990jhnNNd3EWU6Kh7E 
(py3) [root@jumpserver jumpserver]# echo -e "\033[31m Your BOOTSTRAP_TOKEN is $BOOTSTRAP_TOKEN \033[0m"
 Your BOOTSTRAP_TOKEN is t7SHqC5CKbMmsFVO 
(py3) [root@jumpserver jumpserver]# egrep -v '^$|^#' config.yml        # show the active settings
SECRET_KEY: IGbsKK8366vW92hIk8IViTd8npO6Rf2d990jhnNNd3EWU6Kh7E
BOOTSTRAP_TOKEN: t7SHqC5CKbMmsFVO
DEBUG: false
LOG_LEVEL: ERROR
DB_ENGINE: mysql
DB_HOST: 127.0.0.1
DB_PORT: 3306
DB_USER: jumpserver
DB_PASSWORD: 123.com
DB_NAME: jumpserver
HTTP_BIND_HOST: 0.0.0.0
HTTP_LISTEN_PORT: 8080
REDIS_HOST: 127.0.0.1
REDIS_PORT: 6379
(py3) [root@jumpserver jumpserver]# ./jms start all -d       # start jumpserver in the background
(py3) [root@jumpserver jumpserver]# netstat -anput | grep 8080
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      78950/python3       

6. Install and configure the Coco component

(py3) [root@jumpserver jumpserver]# cd /jumpserver/
(py3) [root@jumpserver jumpserver]# unzip coco.zip -d /opt/
(py3) [root@jumpserver jumpserver]# cd /opt/
(py3) [root@jumpserver opt]# echo "source /opt/py3/bin/activate" > /opt/coco/.env
(py3) [root@jumpserver opt]# cd coco/requirements/
autoenv:
autoenv: WARNING:
autoenv: This is the first time you are about to source /opt/coco/.env:
autoenv:
autoenv:   --- (begin contents) ---------------------------------------
autoenv:     source /opt/py3/bin/activate$
autoenv:
autoenv:   --- (end contents) -----------------------------------------
autoenv:
autoenv: Are you sure you want to allow this? (y/N) y
(py3) [root@jumpserver requirements]# yum -y install `cat rpm_requirements.txt`
(py3) [root@jumpserver requirements]# pip install -r requirements.txt 
# Edit the configuration file
(py3) [root@jumpserver requirements]# cd ..
(py3) [root@jumpserver coco]# cp config_example.yml config.yml 
# Check the value of BOOTSTRAP_TOKEN (it must be identical to the one in Jumpserver's config.yml)
(py3) [root@jumpserver coco]# echo -e "\033[31m Your BOOTSTRAP_TOKEN is $BOOTSTRAP_TOKEN \033[0m"
 Your BOOTSTRAP_TOKEN is t7SHqC5CKbMmsFVO 
# Note: in the next command, replace the token with the value shown above. Because BOOTSTRAP_TOKEN is still set in this shell, the double-quoted form sed -i "s/BOOTSTRAP_TOKEN: <PleasgeChangeSameWithJumpserver>/BOOTSTRAP_TOKEN: $BOOTSTRAP_TOKEN/g" config.yml avoids retyping it by hand.
(py3) [root@jumpserver coco]# sed -i 's/BOOTSTRAP_TOKEN: <PleasgeChangeSameWithJumpserver>/BOOTSTRAP_TOKEN: t7SHqC5CKbMmsFVO/g' config.yml 
(py3) [root@jumpserver coco]# sed -i 's/# LOG_LEVEL: INFO/LOG_LEVEL: ERROR/g' config.yml 
(py3) [root@jumpserver coco]# egrep -v '^$|^#' config.yml
CORE_HOST: http://127.0.0.1:8080
BOOTSTRAP_TOKEN: t7SHqC5CKbMmsFVO
LOG_LEVEL: ERROR
(py3) [root@jumpserver coco]# ./cocod start -d           # start coco in the background
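
Sections 5 and 6 generate the secrets with an unbounded cat /dev/urandom pipeline, park them in ~/.bashrc, patch each YAML file with a separate sed, and retype the Coco token by hand. The script below is an added example, not code from the original post or from the Jumpserver project: it generates SECRET_KEY and BOOTSTRAP_TOKEN once, renders both config.yml files from their config_example.yml templates with mode 0600, and refuses to finish if a placeholder survives, the key is short, or the two tokens differ. The key names it touches are the ones visible in the post's egrep output; the two small templates it builds for the demo are constructed stand-ins for the real config_example.yml files, which are much longer.

```shell
#!/bin/bash
# Added example; not code from the original post or from the Jumpserver project.
# Generates SECRET_KEY and BOOTSTRAP_TOKEN once, renders jumpserver/config.yml and
# coco/config.yml from their config_example.yml templates with mode 0600, keeps the
# secrets out of ~/.bashrc, and checks that core and Coco share the same token.
# Assumption: the key names match the templates of the versions being installed
# (they are the ones visible in the post's egrep output).
set -eu

# gen_secret LEN: random alphanumeric string from /dev/urandom. Reads are bounded,
# so there is no SIGPIPE noise from an endless "cat /dev/urandom |" chain.
gen_secret() {
    local out=""
    while [ "${#out}" -lt "$1" ]; do
        out="$out$(head -c 1024 /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9')"
    done
    printf '%s' "$out" | cut -c1-"$1"
}

# set_key FILE KEY VALUE: rewrite every "KEY:", "KEY: old" or "# KEY: old" line as
# "KEY: VALUE", appending one if the key is absent. The value is escaped for sed
# so a password containing / & or \ survives intact.
set_key() {
    local esc
    esc=$(printf '%s' "$3" | sed 's/[\/&\\]/\\&/g')
    if grep -qE "^#? *$2:" "$1"; then
        sed -i -E "s/^#? *$2:.*/$2: $esc/" "$1"
    else
        printf '%s: %s\n' "$2" "$3" >> "$1"
    fi
}

# get_key FILE KEY: value of an active (uncommented) key, empty if unset.
get_key() {
    sed -nE "s/^$2: *//p" "$1" | head -n 1
}

# render_configs JS_DIR COCO_DIR DB_PASSWORD
render_configs() {
    local js="$1/config.yml" coco="$2/config.yml" secret_key bootstrap_token
    secret_key=$(gen_secret 50)
    bootstrap_token=$(gen_secret 24)
    # install -m 600: the files carry the Django secret, the bootstrap token and
    # the DB password, so they must not be group- or world-readable.
    install -m 600 "$1/config_example.yml" "$js"
    install -m 600 "$2/config_example.yml" "$coco"
    set_key "$js" SECRET_KEY "$secret_key"
    set_key "$js" BOOTSTRAP_TOKEN "$bootstrap_token"
    set_key "$js" DEBUG false
    set_key "$js" LOG_LEVEL ERROR
    set_key "$js" SESSION_EXPIRE_AT_BROWSER_CLOSE true
    set_key "$js" DB_PASSWORD "$3"
    set_key "$coco" CORE_HOST http://127.0.0.1:8080
    set_key "$coco" BOOTSTRAP_TOKEN "$bootstrap_token"   # must equal the core's token
    set_key "$coco" LOG_LEVEL ERROR
}

# check_configs JS_DIR COCO_DIR: return 1 on a leftover placeholder, a short
# SECRET_KEY, a token mismatch between core and Coco, or a loose file mode.
check_configs() {
    local js="$1/config.yml" coco="$2/config.yml" f sk
    for f in "$js" "$coco"; do
        grep -q '<Pleas' "$f" && { echo "placeholder left in $f" >&2; return 1; }
        [ "$(ls -l "$f" | cut -c5-10)" = "------" ] ||
            { echo "$f is readable by group/other" >&2; return 1; }
    done
    sk=$(get_key "$js" SECRET_KEY)
    [ "${#sk}" -ge 50 ] || { echo "SECRET_KEY too short" >&2; return 1; }
    [ "$(get_key "$js" BOOTSTRAP_TOKEN)" = "$(get_key "$coco" BOOTSTRAP_TOKEN)" ] ||
        { echo "BOOTSTRAP_TOKEN differs between core and Coco" >&2; return 1; }
}

# make_templates DIR: constructed stand-ins for the two config_example.yml files,
# reduced to the keys that matter here (the real templates are much longer).
make_templates() {
    mkdir -p "$1/jumpserver" "$1/coco"
    printf '%s\n' 'SECRET_KEY:' 'BOOTSTRAP_TOKEN:' '# DEBUG: true' \
        '# LOG_LEVEL: DEBUG' '# SESSION_EXPIRE_AT_BROWSER_CLOSE: False' \
        'DB_HOST: 127.0.0.1' 'DB_USER: jumpserver' 'DB_PASSWORD: ' \
        > "$1/jumpserver/config_example.yml"
    printf '%s\n' 'CORE_HOST: http://127.0.0.1:8080' \
        'BOOTSTRAP_TOKEN: <PleasgeChangeSameWithJumpserver>' '# LOG_LEVEL: INFO' \
        > "$1/coco/config_example.yml"
}

# Demo on the constructed templates. For a real install call
#   render_configs /opt/jumpserver /opt/coco "$DB_PASSWORD" && check_configs /opt/jumpserver /opt/coco
tmp=$(mktemp -d)
make_templates "$tmp"
render_configs "$tmp/jumpserver" "$tmp/coco" 'S3cret/p&ss'
check_configs "$tmp/jumpserver" "$tmp/coco"
grep -hv '^#' "$tmp/jumpserver/config.yml" "$tmp/coco/config.yml"
rm -rf "$tmp"
```

Nothing is written to ~/.bashrc: after render_configs the secrets exist only in the two 0600 files, and check_configs is the gate to run before ./jms and ./cocod are started.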

7. Install Guacamole and Luna
Guacamole is deployed here as a Docker container; Luna is static front-end files and is simply unpacked.

(py3) [root@jumpserver /]# yum -y install yum-utils device-mapper-persistent-data lvm2                 # install the dependencies
(py3) [root@jumpserver /]# yum-config-manager  --add-repo http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
(py3) [root@jumpserver /]# yum makecache fast
(py3) [root@jumpserver /]# yum -y install docker-ce
(py3) [root@jumpserver /]# systemctl start docker
(py3) [root@jumpserver /]# docker load --input /jumpserver/guacamole.tar 
# Start the container. -p 8081:8080 publishes Guacamole on every interface; since only Nginx talks to it, -p 127.0.0.1:8081:8080 limits it to loopback. JUMPSERVER_SERVER is the core API address as seen from inside the container (the host's LAN IP here), so port 8080 must stay reachable from the Docker bridge.
(py3) [root@jumpserver /]# docker  run   --name  jms_guacamole   -d -p  8081:8080 -v /opt/guacamole/key:/config/guacamole/key  -e JUMPSERVER_KEY_DIR=/config/guacamole/key -e JUMPSERVER_SERVER=http://192.168.171.133:8080 jumpserver/guacamole:latest
(py3) [root@jumpserver /]# netstat -anput | grep 8081
tcp6       0      0 :::8081                 :::*                    LISTEN      80767/docker-proxy  
(py3) [root@jumpserver jumpserver]# tar zxf luna.tar.gz -C /opt/        # unpack luna

8. Install Nginx

(py3) [root@jumpserver jumpserver]# tar zxf nginx-1.2.4.tar.gz        # the tarball bundled with the packages; 1.2.x is a 2012 release, so outside a lab build a current stable nginx instead
(py3) [root@jumpserver jumpserver]# cd nginx-1.2.4/
(py3) [root@jumpserver nginx-1.2.4]# ./configure --prefix=/usr/local/nginx && make && make install 
(py3) [root@jumpserver nginx-1.2.4]# ln -s /usr/local/nginx/sbin/nginx /usr/local/sbin/
(py3) [root@jumpserver nginx-1.2.4]# cd /usr/local/nginx/conf/
(py3) [root@jumpserver conf]# mv nginx.conf nginx.conf.bak
(py3) [root@jumpserver conf]# mv /jumpserver/nginx.conf /usr/local/nginx/conf/
(py3) [root@jumpserver conf]# nginx -t            # confirm the nginx configuration is valid
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
(py3) [root@jumpserver conf]# nginx          # start Nginx

9. Client access test
Browse to the Nginx server's IP address to reach the login page (the default username and password are both "admin"; change that password immediately after the first login).
(1) Create a user
(2) Create an admin user
(3) Create a system user
Use root as the username where possible and select manual login; this is the account used to connect to the backend assets.
(4) Create an asset
Here a host with IP 192.168.171.134 was started to serve as the backend asset.
(5) Create an authorization rule
(6) Test connecting to the backend asset
