JumpServer Introduction
- JumpServer is the first fully open-source bastion host (jump server), released under the GNU GPL v2.0 license; it is a professional operations audit system that meets the 4A requirements (account, authentication, authorization, audit).
- JumpServer is written in Python / Django, follows Web 2.0 conventions and ships with an industry-leading Web Terminal; the interface is clean and the user experience is good.
- JumpServer uses a distributed architecture and supports deployment across multiple data centers and regions: a central node provides the API and each data center runs its own login nodes, so it scales horizontally with no limit on concurrent access.
- JumpServer currently supports managing SSH, Telnet, RDP and VNC assets.
- The latest JumpServer release at the time of writing is v1.5.5.
JumpServer official documentation: https://jumpserver.readthedocs.io/zh/master/index.html
JumpServer source repository: https://github.com/jumpserver/jumpserver
JumpServer core feature list (figure not included)
JumpServer installation requirements
- Hardware: 2 CPU cores, 4 GB RAM, 50 GB disk (minimum)
- Operating system: a Linux distribution, x86_64
- Python = 3.6.x
- MySQL Server ≥ 5.6
- MariaDB Server ≥ 5.5.56
- Redis
Component overview:
- Jumpserver is the management backend. Administrators use its web UI for asset management, user management and asset authorization; users use the same web UI to log in to assets and manage files.
- koko is the SSH Server and Web Terminal Server. Users connect with their own JumpServer account over SSH or through the Web Terminal to reach SSH and Telnet assets.
- Luna is the front end of the Web Terminal; it is the component users need in order to log in from the browser.
- Guacamole is the component for RDP and VNC assets. Users connect to RDP and VNC assets through the Web Terminal (currently the Web Terminal is the only access path).
Port overview:
- Jumpserver: web port 8080/tcp and WebSocket port 8070/tcp by default; configuration file jumpserver/config.yml
- koko: SSH port 2222/tcp and Web Terminal port 5000/tcp by default; configuration file koko/config.yml
- Guacamole: 8081/tcp by default; configuration file /config/tomcat9/conf/server.xml (inside the container)
- Nginx: 80/tcp by default
- Redis: 6379/tcp by default
- MySQL: 3306/tcp by default
Only 80/tcp (Nginx) and 2222/tcp (koko SSH) need to be reachable by users; every other port is internal to the deployment and should stay closed at the host firewall.
Deploying JumpServer
Firewall and SELinux settings. Skip this step if the firewall and SELinux are already disabled.
$ systemctl start firewalld
$ firewall-cmd --zone=public --add-port=80/tcp --permanent # nginx port
$ firewall-cmd --zone=public --add-port=2222/tcp --permanent # koko SSH port for user logins
Parameter notes:
--permanent makes the rule persistent; without it the rule is lost after a reboot. Only these two ports are opened; the backend ports (8080, 8070, 5000, 8081, 6379, 3306) are deliberately left closed.
$ firewall-cmd --reload # reload the rules
$ setenforce 0 # switch SELinux to permissive mode for the current boot
$ sed -i "s/SELINUX=enforcing/SELINUX=disabled/g" /etc/selinux/config # disable SELinux permanently (takes effect after a reboot)
Note that setenforce 0 only makes SELinux permissive until the next boot; the sed edit is what disables it permanently. Disabling SELinux follows the upstream guide and keeps the installation simple, but it removes a layer of confinement from a host that will hold credentials for every managed asset. If you can, leave it enforcing and resolve individual denials (audit2allow) instead.
Deploying Redis
[root@jump ~]# cd /usr/local/src/
[root@jump src]# wget http://download.redis.io/releases/redis-5.0.5.tar.gz
[root@jump src]# tar xf redis-5.0.5.tar.gz && cd redis-5.0.5
[root@jump redis-5.0.5]# make
[root@jump redis-5.0.5]# cd src/ && make install PREFIX=/usr/local/redis
[root@jump src]# mkdir /usr/local/redis/{etc,logs,run,data}
Redis does not accept trailing comments on directive lines: everything after the value is parsed as extra arguments and the server refuses to start with "Bad directive or wrong number of arguments". The comments therefore sit on their own lines.
[root@jump src]# cat << EOF > /usr/local/redis/etc/redis.conf
daemonize yes
# port to listen on
port 6379
# address to bind; 10.0.0.9 is this node's LAN IP (127.0.0.1 is enough when Jumpserver runs on the same host)
bind 10.0.0.9
protected-mode yes
# PID file location
pidfile "/usr/local/redis/run/redis.pid"
loglevel notice
# log file location
logfile "/usr/local/redis/logs/redis.log"
save 900 1
stop-writes-on-bgsave-error yes
rdbcompression yes
rdbchecksum yes
dbfilename dump.rdb
dir "/usr/local/redis/data/rdb/"
timeout 0
tcp-keepalive 300
# password; the value below is a placeholder, use a long random one
requirepass 1qaz2wsx
EOF
[root@jump src]# mkdir /usr/local/redis/data/rdb/
[root@jump src]# /usr/local/redis/bin/redis-server /usr/local/redis/etc/redis.conf
[root@jump src]# netstat -anpl |grep redis
tcp 0 0 10.0.0.9:6379 0.0.0.0:* LISTEN 12565/redis-server
[root@jump src]# /usr/local/redis/bin/redis-cli -h 10.0.0.9 -p 6379 -a '1qaz2wsx'
Warning: Using a password with '-a' or '-u' option on the command line interface may not be safe.
10.0.0.9:6379> select 1
OK
10.0.0.9:6379[1]> exit
Deploying MariaDB
- JumpServer needs a database; either MySQL or MariaDB can be used.
- MariaDB must be version 5.5.56 or later, MySQL 5.6 or later.
- MariaDB is installed from yum here.
- The jumpserver grant below is limited to 'jumpserver'@'127.0.0.1', which matches DB_HOST in config.yml later on (with DB_HOST set to 127.0.0.1 the application connects over TCP, so this is the grant that applies). The root and jumpserver passwords shown are placeholders; use distinct random values. A fresh install also keeps anonymous accounts and the test database, which mysql_secure_installation removes.
Configure the yum repository; skip this step if a working local yum repository is already available.
$ curl -o /etc/yum.repos.d/CentOS-Base-7.repo http://mirrors.aliyun.com/repo/Centos-7.repo
$ yum clean all && yum makecache
[root@jump src]# yum list | grep mariadb # list the mariadb-related packages
[root@jump src]# yum install mariadb.x86_64 mariadb-devel.x86_64 mariadb-server.x86_64 -y # install mariadb
[root@jump src]# systemctl enable mariadb && systemctl start mariadb # start mariadb and enable it at boot
Created symlink from /etc/systemd/system/multi-user.target.wants/mariadb.service to /usr/lib/systemd/system/mariadb.service.
[root@jump src]# mysql -uroot -p
Enter password: # on a fresh MariaDB install root has no password yet; just press Enter
MariaDB [(none)]> set password for 'root'@localhost=password('1qaz2wsx');
Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]> flush privileges;
Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]> create database jumpserver character set='utf8' collate='utf8_general_ci';
Query OK, 1 row affected (0.00 sec)
MariaDB [(none)]> grant all on jumpserver.* to 'jumpserver'@'127.0.0.1' identified by '1qaz2wsx';
Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]> flush privileges;
Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]> exit;
Bye
Deploying JumpServer
[root@jump src]# yum install wget gcc-c++ epel-release git -y # install dependencies
[root@jump src]# yum install python36 python36-devel -y # install Python 3.6
[root@jump src]# which python3.6
/bin/python3.6
[root@jump src]# python3.6 -V
Python 3.6.8
Create the Python virtual environment under /opt/py3
[root@jump src]# python3.6 -m venv /opt/py3
Every time you work on jumpserver, load the py3 virtual environment with the command below.
Once loaded, all of the following commands run inside that virtual environment; the prompt shown below confirms it is active.
[root@jump src]# source /opt/py3/bin/activate
(py3) [root@jump src]#
Use deactivate to leave the py3 virtual environment
(py3) [root@jump src]# deactivate
[root@jump src]#
[root@jump src]# source /opt/py3/bin/activate
(py3) [root@jump src]# cd /opt/
(py3) [root@jump opt]# wget https://github.com/jumpserver/jumpserver/archive/1.5.5.zip
(py3) [root@jump opt]# unzip 1.5.5.zip -d /opt/
(py3) [root@jump opt]# mv jumpserver-1.5.5 jumpserver
Install the RPM dependencies
(py3) [root@jump opt]# yum -y install $(cat /opt/jumpserver/requirements/rpm_requirements.txt)
Install the Python dependencies
(py3) [root@jump opt]# pip install wheel
(py3) [root@jump opt]# pip install --upgrade pip setuptools
(py3) [root@jump opt]# pip install -r /opt/jumpserver/requirements/requirements.txt
Copy the configuration file "config.yml"
(py3) [root@jump opt]# cp -rf /opt/jumpserver/config_example.yml /opt/jumpserver/config.yml
Generate a random SECRET_KEY
(py3) [root@jump opt]# cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 49;echo
ugf0JnAD2xzvg5B3Sr0ihJ5JcwDZpx1dxgWcCyYIcsWHSBKGd
Generate a random BOOTSTRAP_TOKEN
(py3) [root@jump opt]# cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 16;echo
KskXhqMV7GqTBluN
The two values above are the ones generated for this walkthrough; generate your own and do not reuse them. SECRET_KEY is used for Django signing and for encrypting the credentials JumpServer stores, and anyone holding BOOTSTRAP_TOKEN can register a terminal component with the core, so treat both as secrets and keep them out of shell history and version control.
(py3) [root@jump opt]# cat << EOF > /opt/jumpserver/config.yml
> SECRET_KEY: ugf0JnAD2xzvg5B3Sr0ihJ5JcwDZpx1dxgWcCyYIcsWHSBKGd # encryption key; can be generated with the command given in the config file
> BOOTSTRAP_TOKEN: KskXhqMV7GqTBluN # pre-shared token that koko and guacamole use to register their service accounts; the old register-then-accept mechanism is no longer used
> DEBUG: false # DEBUG mode; when enabled, more detail is logged when errors occur
> LOG_LEVEL: ERROR # log level; only ERROR and above is written to the log file
> DB_ENGINE: mysql # use a MySQL-compatible database
> DB_HOST: 127.0.0.1 # database host
> DB_PORT: 3306 # database port
> DB_USER: jumpserver # database user
> DB_PASSWORD: 1qaz2wsx # database password
> DB_NAME: jumpserver # database name
> HTTP_BIND_HOST: 0.0.0.0 # address Jumpserver binds to; 0.0.0.0 means every address
> HTTP_LISTEN_PORT: 8080 # port Jumpserver listens on
> REDIS_HOST: 10.0.0.9 # redis host Jumpserver connects to
> REDIS_PORT: 6379 # redis port
> REDIS_PASSWORD: 1qaz2wsx # redis password
> EOF
This heredoc replaces the copied config_example.yml entirely. The file now holds the secret key and both database passwords, so make it readable by root only. Nginx on the same host is the only client of port 8080, so HTTP_BIND_HOST could be 127.0.0.1; with 0.0.0.0 the port is only protected by the firewall rules above.
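SECRET_KEY and BOOTSTRAP_TOKEN are generated once here and then copied by hand into koko's config.yml and the Guacamole container environment further down; a token that differs in any one place is the usual reason a component fails to register with the core. The helpers below are an added example, not code from this page or from the JumpServer project: gen_secret produces a value of the requested length from /dev/urandom, write_secret_file stores it readable only by its owner, token_from_yaml reads the token back out of a config.yml (quotes and trailing "# comments" stripped, as in the files written in this walkthrough), and tokens_match confirms that every component was given the same value. The paths in the usage comment are the ones used on this page; token_from_container relies on docker inspect and is not exercised offline.

```sh
#!/bin/sh
# Added example (not part of the page or of JumpServer): generate the two
# JumpServer secrets and verify that BOOTSTRAP_TOKEN is identical everywhere.

# gen_secret LEN: LEN alphanumeric characters from /dev/urandom.
# tr -dc discards every byte outside [A-Za-z0-9]; head stops after LEN bytes.
gen_secret() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "$1"
}

# write_secret_file PATH VALUE: store VALUE in PATH with mode 600.
# umask is changed in a subshell so the caller's umask is untouched.
write_secret_file() {
    ( umask 077; printf '%s\n' "$2" > "$1" )
}

# token_from_yaml FILE: value of BOOTSTRAP_TOKEN in a jumpserver/koko config.yml.
# Captures up to the first '#', then drops quotes and blanks.
token_from_yaml() {
    sed -n 's/^[[:space:]]*BOOTSTRAP_TOKEN:[[:space:]]*\([^#]*\).*/\1/p' "$1" \
        | tr -d "\"' " | head -n 1
}

# token_from_container NAME: BOOTSTRAP_TOKEN from a container's environment
# (assumes the docker CLI is available; not run in the offline test).
token_from_container() {
    docker inspect -f '{{range .Config.Env}}{{println .}}{{end}}' "$1" \
        | sed -n 's/^BOOTSTRAP_TOKEN=//p'
}

# tokens_match TOKEN...: 0 if every argument equals the first and is non-empty.
# An empty token would mean a component was never given one at all.
tokens_match() {
    first="$1"
    [ -n "$first" ] || return 1
    for t in "$@"; do
        [ "$t" = "$first" ] || return 1
    done
    return 0
}

# Usage on the bastion (paths from this walkthrough):
#   write_secret_file /root/jms_secret_key "$(gen_secret 49)"
#   write_secret_file /root/jms_bootstrap_token "$(gen_secret 16)"
#   tokens_match "$(token_from_yaml /opt/jumpserver/config.yml)" \
#                "$(token_from_yaml /opt/kokodir/config.yml)" \
#                "$(token_from_container jms_guacamole_V1)" \
#       && echo "BOOTSTRAP_TOKEN consistent" || echo "BOOTSTRAP_TOKEN mismatch"
```

Run the tokens_match line after koko and the Guacamole container have been configured; a mismatch shows up in koko's logs/koko.log and in docker logs jms_guacamole_V1 as a failed registration against the core.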
(py3) [root@jump opt]# cd /opt/jumpserver
(py3) [root@jump jumpserver]# ./jms start -d
Configure auto-start at boot. The unit file is fetched from demo.jumpserver.org; read it before enabling it, as with any unit file downloaded from the network (it should do nothing beyond starting /opt/jumpserver/jms with the py3 interpreter). A unit file does not need to be executable; 644 is the usual mode.
(py3) [root@jump jumpserver]# wget -O /usr/lib/systemd/system/jms.service https://demo.jumpserver.org/download/shell/centos/jms.service
(py3) [root@jump jumpserver]# chmod 755 /usr/lib/systemd/system/jms.service
(py3) [root@jump jumpserver]# systemctl enable jms
Created symlink from /etc/systemd/system/multi-user.target.wants/jms.service to /usr/lib/systemd/system/jms.service.
JumpServer component deployment
koko component deployment
(py3) [root@jump jumpserver]# mkdir /opt/package
(py3) [root@jump jumpserver]# cd /opt/package/
(py3) [root@jump package]# wget https://github.com/jumpserver/koko/releases/download/1.5.5/koko-master-linux-amd64.tar.gz
(py3) [root@jump package]# tar xf koko-master-linux-amd64.tar.gz -C /opt/
(py3) [root@jump package]# chown -Rf root.root /opt/kokodir/
(py3) [root@jump package]# cp -rf /opt/kokodir/config_example.yml /opt/kokodir/config.yml
The edited configuration looks like this. The grep drops comment lines, so the trailing "# ..." notes shown here are explanations and are not in the file.
(py3) [root@jump package]# grep -Ev "#|^$" /opt/kokodir/config.yml
CORE_HOST: http://127.0.0.1:8080 # URL of the Jumpserver core; used for the API registration request
BOOTSTRAP_TOKEN: KskXhqMV7GqTBluN # Bootstrap Token, the pre-shared secret koko (formerly coco) uses to register its service account and terminal; must be identical to BOOTSTRAP_TOKEN in the jumpserver config file
(py3) [root@jump package]# cd /opt/kokodir/
(py3) [root@jump kokodir]# nohup ./koko start & # start in the background
(py3) [root@jump kokodir]# tailf logs/koko.log # watch the log for errors, in particular a failed registration with the core
(py3) [root@jump kokodir]# ss -anplt | grep koko # ports used by koko
LISTEN 0 128 :::5000 :::* users:(("koko",pid=30451,fd=7))
LISTEN 0 128 :::2222 :::* users:(("koko",pid=30451,fd=8))
(py3) [root@jump kokodir]# ps -ef | grep koko # koko process
root 30451 8220 0 15:56 pts/0 00:00:00 ./koko start
root 30484 8220 0 15:58 pts/0 00:00:00 grep --color=auto koko
Luna component deployment
(py3) [root@jump kokodir]# cd /opt/package/
(py3) [root@jump package]# wget https://github.com/jumpserver/luna/releases/download/1.5.5/luna.tar.gz
(py3) [root@jump package]# tar xf luna.tar.gz -C /opt/
(py3) [root@jump package]# chown -R root:root /opt/luna/
(py3) [root@jump package]# deactivate
[root@jump package]#
Guacamole component deployment
Check whether Docker is already installed on the host
[root@jump package]# rpm -qa |grep docker
Remove any old Docker version; skip this if none is installed
[root@jump package]# yum remove docker docker-common docker-selinux docker-engine
Install dependencies
[root@jump package]# yum install -y yum-utils device-mapper-persistent-data lvm2
Set up the yum repository
[root@jump package]# yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
List the available docker-ce versions
[root@jump package]# yum list docker-ce --showduplicates | sort -r
Install the latest docker-ce
[root@jump package]# yum install docker-ce -y
Configure a registry mirror to speed up docker pull (prefer a mirror reachable over HTTPS)
[root@jump package]# mkdir /etc/docker
[root@jump package]# cat << EOF > /etc/docker/daemon.json
> {
> "registry-mirrors": ["http://hub-mirror.c.163.com"]
> }
> EOF
Start docker and enable it at boot
[root@jump package]# systemctl start docker && systemctl enable docker
Created symlink from /etc/systemd/system/multi-user.target.wants/docker.service to /usr/lib/systemd/system/docker.service.
Because of network restrictions the image may not be pullable from Docker Hub, so I have pushed it to my own Aliyun registry;
pull it from there. This is a third-party copy of the upstream jumpserver/jms_guacamole image. For a component that will handle RDP and VNC sessions, prefer the official image, or compare the image digest with the official one before running it.
[root@jump package]# docker pull registry.cn-shanghai.aliyuncs.com/chiron1007/jumpserver_jms_guacamole:1.5.5
Check the pulled image
[root@jump package]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
registry.cn-shanghai.aliyuncs.com/chiron1007/jumpserver_jms_guacamole 1.5.5 247c0b3bc67a 12 days ago 685MB
Start the Guacamole container
[root@jump package]# docker run --name jms_guacamole_V1 -d -p 8081:8081 -e JUMPSERVER_SERVER=http://10.0.0.9:8080 -e BOOTSTRAP_TOKEN=KskXhqMV7GqTBluN registry.cn-shanghai.aliyuncs.com/chiron1007/jumpserver_jms_guacamole:1.5.5
Parameter notes:
docker run: start a container
--name: container name
-d: run the container in the background
-p 8081:8081: publish the container's port 8081 on port 8081 of every host interface (0.0.0.0, as the docker ps output below shows). Docker installs its own iptables rules for published ports, so the firewalld rules set earlier do not cover this port and Guacamole is reachable from the network. Since only Nginx on the same host needs it, -p 127.0.0.1:8081:8081 is the safer choice.
-e: set an environment variable
-e JUMPSERVER_SERVER=http://10.0.0.9:8080: the URL of the Jumpserver core as seen from inside the container; 127.0.0.1 would refer to the container itself, so the host's address is used
-e BOOTSTRAP_TOKEN=KskXhqMV7GqTBluN: the pre-shared token, identical to BOOTSTRAP_TOKEN in the jumpserver config file
registry.cn-shanghai.aliyuncs.com/chiron1007/jumpserver_jms_guacamole:1.5.5: image name and tag (the upstream image is jumpserver/jms_guacamole)
List the running containers
[root@jump package]# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
339e0d1a3dc2 registry.cn-shanghai.aliyuncs.com/chiron1007/jumpserver_jms_guacamole:1.5.5 "./entrypoint.sh" 55 seconds ago Up 54 seconds 0.0.0.0:8081->8081/tcp jms_guacamole_V1
Result as shown in the figure below (figure not included):
Configure Nginx to tie the components together
[root@jump package]# useradd -d /home/nginx -M -s /sbin/nologin nginx # create the user that runs nginx
[root@jump package]# id nginx
uid=996(nginx) gid=993(nginx) groups=993(nginx)
[root@jump package]# cd /usr/local/src/
[root@jump src]# wget http://nginx.org/download/nginx-1.15.10.tar.gz
[root@jump src]# tar xf nginx-1.15.10.tar.gz && cd nginx-1.15.10/
[root@jump nginx-1.15.10]# ./configure --prefix=/usr/local/nginx --sbin-path=/usr/local/nginx/sbin/nginx --conf-path=/usr/local/nginx/conf/nginx.conf --pid-path=/usr/local/nginx/logs/nginx.pid --error-log-path=/usr/local/nginx/logs/error.log --http-log-path=/usr/local/nginx/logs/access.log --with-pcre --user=nginx --group=nginx --with-file-aio --with-http_gzip_static_module --with-http_stub_status_module --with-http_v2_module --with-threads --with-http_realip_module --with-http_ssl_module
[root@jump nginx-1.15.10]# make && make install
[root@jump nginx-1.15.10]# echo $?
Back up nginx.conf
[root@jump nginx-1.15.10]# mv /usr/local/nginx/conf/nginx.conf{,.bak}
Create the directory that will hold jumpserver.conf
[root@jump nginx-1.15.10]# mkdir /usr/local/nginx/conf/conf.d
Download the prepared nginx configuration files. Read both files before installing them: they come from a third-party repository, and jumpserver.conf is what decides which backends (8080, 8070, 5000, 8081 and the Luna static files under /opt/luna) are exposed under which paths.
[root@jump nginx-1.15.10]# cd /usr/local/src/
[root@jump src]# wget https://gitee.com/chironW/JumpServer_nginx/repository/archive/master.zip
[root@jump src]# unzip master.zip
[root@jump src]# ll JumpServer_nginx/
total 8
-rw-r--r-- 1 root root 2074 Dec 17 18:01 jumpserver.conf
-rw-r--r-- 1 root root 1729 Dec 17 18:01 nginx.conf
Move the configuration files from JumpServer_nginx to their locations
[root@jump src]# mv /usr/local/src/JumpServer_nginx/nginx.conf /usr/local/nginx/conf/nginx.conf
[root@jump src]# mv /usr/local/src/JumpServer_nginx/jumpserver.conf /usr/local/nginx/conf/conf.d/jumpserver.conf
# check the configuration for syntax errors
[root@jump nginx-1.15.10]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
Start nginx
[root@jump nginx-1.15.10]# /usr/local/nginx/sbin/nginx
# check the process and the port it occupies
[root@jump nginx-1.15.10]# ss -anplt | grep nginx
LISTEN 0 128 *:80 *:* users:(("nginx",pid=35414,fd=6),("nginx",pid=35413,fd=6))
Nginx was built with the ssl module, but this configuration serves plain HTTP on port 80: user passwords and terminal sessions travel in the clear. Put TLS on the Nginx listener before exposing the bastion beyond a test network.
Logging in to Jumpserver
Access URL: http://10.0.0.9
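The deployment is complete at this point. The firewall step opened only 80 and 2222, while several components were bound to every interface along the way (Jumpserver on 8080, koko on 5000, the Guacamole container on 8081). The audit below is an added example, not part of this page or of JumpServer: wildcard_listeners parses "ss -ltn" output and reports every TCP port listening on all interfaces, unexpected_ports compares that list with the ports you intend to expose, and audit_host runs both on the live bastion and additionally sends an unauthenticated PING to Redis, which must be refused with NOAUTH if requirepass is in effect. The sample ss output in the test is constructed from the listeners shown earlier in this walkthrough (with a 127.0.0.1 and a LAN-only binding added to show they are not reported); ss, firewall-cmd and the redis-cli built above are assumed to be present on the host.

```sh
#!/bin/sh
# Added example, not part of the original page or of JumpServer.
# The two parsing functions read command output on stdin so they can be
# tested offline; audit_host feeds them live output on the bastion.

# wildcard_listeners: read "ss -ltn"-style lines on stdin and print the TCP
# ports whose local address is 0.0.0.0, ::, [::] or * (every interface),
# one per line, sorted and de-duplicated. Ports bound to 127.0.0.1 or to a
# specific LAN address are not reported.
wildcard_listeners() {
    awk '$1 == "LISTEN" {
        addr = $4                     # e.g. 0.0.0.0:8081, :::5000, *:80, [::]:3306
        n = split(addr, parts, ":")
        port = parts[n]
        host = substr(addr, 1, length(addr) - length(port) - 1)
        if (host == "0.0.0.0" || host == "::" || host == "[::]" || host == "*")
            print port
    }' | sort -n | uniq
}

# unexpected_ports "80 2222": read ports on stdin (one per line) and print
# each one missing from the space-separated allow list.
# Returns 0 when every port is expected, 1 when at least one is not.
unexpected_ports() {
    allowed=" $1 "
    rc=0
    while read -r port; do
        [ -n "$port" ] || continue
        case "$allowed" in
            *" $port "*) ;;
            *) echo "$port"; rc=1 ;;
        esac
    done
    return "$rc"
}

# audit_host: run the checks on the live host. With this page's settings the
# first list contains 80, 2222, 5000, 8080 and 8081. 80 and 2222 are the
# intended entry points and 5000/8080 are closed by firewalld, but 8081 is
# published by Docker, whose iptables rules are not subject to the firewalld
# zone, so it stays reachable unless the container is started with
# -p 127.0.0.1:8081:8081.
audit_host() {
    echo "TCP ports listening on every interface:"
    ss -ltn | wildcard_listeners
    echo "ports opened in the firewalld public zone: $(firewall-cmd --zone=public --list-ports)"
    echo "listening on every interface but not meant to be public:"
    ss -ltn | wildcard_listeners | unexpected_ports "80 2222"
    # The host address matches the bind line in redis.conf. The expected
    # answer is "(error) NOAUTH Authentication required."; "PONG" means
    # the password is not being enforced.
    echo "redis without password: $(/usr/local/redis/bin/redis-cli -h 10.0.0.9 -p 6379 ping 2>&1)"
}
```

Run audit_host as root after every component is up; the ports it lists under "not meant to be public" are the ones to either rebind to 127.0.0.1 or confirm are blocked by something other than firewalld.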
Add all of the services deployed above to the boot sequence. mariadb, docker and jms already have systemd units enabled, so their lines here are redundant but harmless; on CentOS 7 rc.local only runs if /etc/rc.d/rc.local is executable, so set that bit after appending.
cat << EOF >> /etc/rc.d/rc.local
# start redis
/usr/local/redis/bin/redis-server /usr/local/redis/etc/redis.conf
# start mariadb
systemctl start mariadb
# load the py3 environment
source /opt/py3/bin/activate
# start jumpserver
/opt/jumpserver/jms start -d
# start the koko component
cd /opt/kokodir/ && nohup /opt/kokodir/koko &
# start docker
systemctl start docker
# start the guacamole container
docker start jms_guacamole_V1
# start nginx
/usr/local/nginx/sbin/nginx
EOF
References:
- JumpServer official documentation: https://jumpserver.readthedocs.io/zh/master/setup_by_centos7.html
- JumpServer source repository on GitHub: https://github.com/jumpserver/jumpserver