一、简介
jumpserver 概述
Jumpserver 是一款使用 Python, Django 开发的开源跳板机系统, 为互联网企业提供了认证、授权、审计、自动化运维等功能,基于 ssh 协议来管理,客户端无需安装 agent。
jumpserver 的功能特点
- 完全开源,GPL授权
- Python编写,容易再次开发
- 实现了跳板机基本功能,身份认证、访问控制、授权、审计、批量操作等。
- 集成了Ansible,批量命令等
- 支持WebTerminal
- Bootstrap编写,界面美观
- 自动收集硬件信息
- 录像回放
- 命令搜索
- 实时监控
- 批量上传下载
二、安装
安装jumpserver 3.0版本,相对于jumpserver 2.0版本,在新的版本3.0中取消了LDAP授权,取而代之的是ssh进行推送;界面也有所变化,功能更完善,安装更简单。
1、环境配置
1.1关闭jumpserver部署机的防火墙和selinux(本文为简化部署而直接关闭;生产环境建议保留防火墙,只放行后文用到的端口)
[root@xyw-dev ~]# getenforce
Disabled
[root@xyw-dev ~]# systemctl stop firewalld.service
1.2修改字符集
如果用的是云服务器,其默认字符集是英文,需要改为中文字符集,否则可能报 input/output error 的问题,因为日志里打印了中文。
[root@xyw-dev ~]# localedef -c -f UTF-8 -i zh_CN zh_CN.UTF-8
[root@xyw-dev ~]# export LC_ALL=zh_CN.UTF-8
[root@xyw-dev ~]# echo 'LANG="zh_CN.UTF-8"' > /etc/locale.conf
1.3安装依赖包
[root@xyw-dev ~]# yum -y install epel-release
[root@xyw-dev ~]# yum clean all && yum makecache
[root@xyw-dev ~]# yum -y update
[root@xyw-dev ~]# yum -y install wget sqlite-devel xz gcc automake zlib-devel openssl-devel epel-release git
1.4编译安装python-3.6.1
[root@xyw-dev ~]# wget https://www.python.org/ftp/python/3.6.1/Python-3.6.1.tar.xz
[root@xyw-dev ~]# tar xf Python-3.6.1.tar.xz && cd Python-3.6.1
[root@xyw-dev Python-3.6.1]# ./configure && make && make install
这里必须执行编译安装,否则在安装 Python 库依赖时会有麻烦...
[root@xyw-dev Python-3.6.1]# cd /opt
[root@xyw-dev opt]# python3 -m venv py3
[root@xyw-dev opt]# source /opt/py3/bin/activate
(py3) [root@xyw-dev opt]#
(py3) [root@xyw-dev opt]# git clone git://github.com/kennethreitz/autoenv.git
正克隆到 'autoenv'...
remote: Enumerating objects: 671, done.
remote: Total 671 (delta 0), reused 0 (delta 0), pack-reused 671
接收对象中: 100% (671/671), 103.92 KiB | 115.00 KiB/s, done.
处理 delta 中: 100% (356/356), done.
(py3) [root@xyw-dev opt]#
(py3) [root@xyw-dev opt]# echo 'source /opt/autoenv/activate.sh' >> ~/.bashrc
(py3) [root@xyw-dev opt]# source ~/.bashrc
(py3) [root@xyw-dev opt]#
2、下载Jumpserver
2.1下载clone项目
(py3) [root@xyw-dev ~]# cd /opt/
(py3) [root@xyw-dev opt]# git clone https://github.com/jumpserver/jumpserver.git && cd jumpserver && git checkout master
正克隆到 'jumpserver'...
remote: Enumerating objects: 79, done.
remote: Counting objects: 100% (79/79), done.
remote: Compressing objects: 100% (68/68), done.
remote: Total 41282 (delta 19), reused 20 (delta 5), pack-reused 41203
接收对象中: 100% (41282/41282), 52.05 MiB | 79.00 KiB/s, done.
处理 delta 中: 100% (28176/28176), done.
已经位于 'master'
(py3) [root@xyw-dev jumpserver]#
2.2安装所需的python modules
(py3) [root@xyw-dev jumpserver]# echo "source /opt/py3/bin/activate" > /opt/jumpserver/.env
(py3) [root@xyw-dev jumpserver]# cd requirements/
autoenv:
autoenv: WARNING:
autoenv: This is the first time you are about to source /opt/jumpserver/.env:
autoenv:
autoenv: --- (begin contents) ---------------------------------------
autoenv: source /opt/py3/bin/activate$
autoenv:
autoenv: --- (end contents) -----------------------------------------
autoenv:
autoenv: Are you sure you want to allow this? (y/N) y
(py3) [root@xyw-dev requirements]#
(py3) [root@xyw-dev requirements]# yum -y install $(cat rpm_requirements.txt)
(py3) [root@xyw-dev requirements]# pip install --upgrade pip setuptools
(py3) [root@xyw-dev requirements]# pip install wheel
(py3) [root@xyw-dev requirements]# pip install -r requirements.txt -i https://pypi.douban.com/simple/
直接下载很慢,会有超时报错;加上镜像源会快一些。
2.3安装Redis
(py3) [root@xyw-dev requirements]# yum -y install redis
(py3) [root@xyw-dev requirements]# systemctl enable redis
Created symlink from /etc/systemd/system/multi-user.target.wants/redis.service to /usr/lib/systemd/system/redis.service.
(py3) [root@xyw-dev requirements]# systemctl start redis
2.4安装MySQL
(py3) [root@xyw-dev requirements]# yum -y install mariadb mariadb-devel mariadb-server
(py3) [root@xyw-dev requirements]# systemctl enable mariadb
Created symlink from /etc/systemd/system/multi-user.target.wants/mariadb.service to /usr/lib/systemd/system/mariadb.service.
(py3) [root@xyw-dev requirements]# systemctl start mariadb
(py3) [root@xyw-dev requirements]#
2.5创建jumpserver数据库并授权
(py3) [root@xyw-dev requirements]# mysql
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 2
Server version: 5.5.60-MariaDB MariaDB Server
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> create database jumpserver default charset 'utf8';
Query OK, 1 row affected (0.00 sec)
设置用户 jumpserver@127.0.0.1 对 jumpserver 数据库所有表都有权限,并设置密码为 123456(此处为示例密码,实际部署应使用强密码,并与 config.yml 中的 DB_PASSWORD 保持一致)
MariaDB [(none)]> grant all on jumpserver.* to 'jumpserver'@'127.0.0.1' identified by '123456';
Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]> flush privileges;
Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]> \q
Bye
(py3) [root@xyw-dev requirements]#
3、配置Jumpserver
(py3) [root@xyw-dev requirements]# pwd
/opt/jumpserver/requirements
(py3) [root@xyw-dev requirements]# cd ..
(py3) [root@xyw-dev jumpserver]# ls
apps config_example.yml Dockerfile entrypoint.sh LICENSE README_EN.md requirements tmp
build.sh data docs jms logs README.md run_server.py utils
(py3) [root@xyw-dev jumpserver]# cp config_example.yml config.yml
(py3) [root@xyw-dev jumpserver]#
(py3) [root@xyw-dev jumpserver]# SECRET_KEY=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 50`
(py3) [root@xyw-dev jumpserver]# echo $SECRET_KEY
8gl0TchtJrblmAXaI2kbcVti1NoGO6dfJiiu4Or5SROHyPQE2q
(py3) [root@xyw-dev jumpserver]# echo "SECRET_KEY=$SECRET_KEY" >> ~/.bashrc
(py3) [root@xyw-dev jumpserver]# BOOTSTRAP_TOKEN=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 16`
(py3) [root@xyw-dev jumpserver]# echo "BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN" >> ~/.bashrc
(py3) [root@xyw-dev jumpserver]# echo $BOOTSTRAP_TOKEN
PWy55TLKsWANkSSx
(py3) [root@xyw-dev jumpserver]# sed -i "s/SECRET_KEY:/SECRET_KEY: $SECRET_KEY/g" /opt/jumpserver/config.yml
(py3) [root@xyw-dev jumpserver]# sed -i "s/BOOTSTRAP_TOKEN:/BOOTSTRAP_TOKEN: $BOOTSTRAP_TOKEN/g" /opt/jumpserver/config.yml
(py3) [root@xyw-dev jumpserver]# sed -i "s/# DEBUG: true/DEBUG: false/g" /opt/jumpserver/config.yml
(py3) [root@xyw-dev jumpserver]# sed -i "s/# LOG_LEVEL: DEBUG/LOG_LEVEL: ERROR/g" /opt/jumpserver/config.yml
(py3) [root@xyw-dev jumpserver]# sed -i "s/# SESSION_EXPIRE_AT_BROWSER_CLOSE: false/SESSION_EXPIRE_AT_BROWSER_CLOSE: true/g" /opt/jumpserver/config.yml
(py3) [root@xyw-dev jumpserver]# echo -e "\033[31m 你的SECRET_KEY是 $SECRET_KEY \033[0m"
你的SECRET_KEY是 8gl0TchtJrblmAXaI2kbcVti1NoGO6dfJiiu4Or5SROHyPQE2q
(py3) [root@xyw-dev jumpserver]# echo -e "\033[31m 你的BOOTSTRAP_TOKEN是 $BOOTSTRAP_TOKEN \033[0m"
你的BOOTSTRAP_TOKEN是 PWy55TLKsWANkSSx
(py3) [root@xyw-dev jumpserver]# vi config.yml
(py3) [root@xyw-dev jumpserver]# sed -n '/^DB_/p' /opt/jumpserver/config.yml
DB_ENGINE: mysql
DB_HOST: 127.0.0.1
DB_PORT: '3306'
DB_USER: jumpserver
DB_PASSWORD: '123456'
DB_NAME: jumpserver
(py3) [root@xyw-dev jumpserver]#
注意:mysql 配置这一块,端口和密码都要加上单引号,否则服务启动不起来。
4、启动/关闭Jumpserver
(py3) [root@xyw-dev jumpserver]# ./jms start
......
(py3) [root@xyw-dev jumpserver]# ./jms stop
Stop service: gunicorn
Stop service: celery
Stop service: beat
(py3) [root@xyw-dev jumpserver]#
#后台启动
(py3) [root@xyw-dev jumpserver]# ./jms start -d
5、部署koko
支持终端管理,默认端口为 2222
5.1docker 部署koko
[root@xyw-dev ~]# systemctl start docker
[root@xyw-dev ~]#
[root@xyw-dev ~]# Server_IP=192.168.2.37
[root@xyw-dev ~]# BOOTSTRAP_TOKEN=PWy55TLKsWANkSSx
[root@xyw-dev ~]# docker run --name jms_koko -d -p 2222:2222 -p 5000:5000 -e CORE_HOST=http://$Server_IP:8080 -e BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN jumpserver/jms_koko:1.5.5
Unable to find image 'jumpserver/jms_koko:1.5.5' locally
1.5.2: Pulling from jumpserver/jms_koko
050382585609: Pull complete
f6e2d22aa00f: Pull complete
8c86c00c5332: Pull complete
6b9c6941a89d: Pull complete
a10054b94acf: Pull complete
4005724a64ff: Pull complete
446406ca2953: Pull complete
716a981c63ee: Pull complete
41a65efed49e: Pull complete
Digest: sha256:ac6258fe46165860289410970e124031aa74a380cb3e1ad97348feb2c9265cbc
Status: Downloaded newer image for jumpserver/jms_koko:1.5.5
31fc5862ea104946590c232f16dab366d55823e559e256c5208a3720be9406ba
[root@xyw-dev ~]#
5.2手工部署koko (coco 目前已经被 koko 取代)
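# Manual koko deployment (koko supersedes the older coco component):
# fetch the release tarball into /opt, unpack it, hand the tree to root,
# copy the example config, fill in the token, then start koko.
cd /opt
wget https://github.com/jumpserver/koko/releases/download/1.5.2/koko-master-37daa82-linux-amd64.tar.gz
tar xf koko-master-37daa82-linux-amd64.tar.gz
# Assumes the tarball unpacks to /opt/kokodir (the directory the original
# steps operate on); a single chown with the absolute path covers the whole
# tree, so the relative/absolute chown+cd pair is collapsed into one.
chown -R root:root /opt/kokodir
cd /opt/kokodir
cp config_example.yml config.yml
# BOOTSTRAP_TOKEN must be copied from jumpserver/config.yml so both sides agree.
vim config.yml
./koko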
6、部署guacamole
基于 HTML 5 和 JavaScript 的 VNC 查看器
[root@xyw-dev ~]# docker run --name jms_guacamole -d -p 8081:8081 -e JUMPSERVER_SERVER=http://$Server_IP:8080 -e BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN jumpserver/jms_guacamole:1.5.5
Unable to find image 'jumpserver/jms_guacamole:1.5.5' locally
1.5.5: Pulling from jumpserver/jms_guacamole
8ba884070f61: Pull complete
74b389e6937e: Pull complete
41f5461bfc2f: Pull complete
f693f2484212: Pull complete
246835158fe4: Pull complete
Digest: sha256:de0b74e33c9991181eb507d768df73fb05932f3b4722dc36ecdca4e358fdce8d
Status: Downloaded newer image for jumpserver/jms_guacamole:1.5.5
f4d0c314c5fb840e42ea7e284f5349c571039bb1e3af2f3f8377b7a2c5f53f82
[root@xyw-dev ~]#
手工部署guacamole
$ cd /opt
$ git clone --depth=1 https://github.com/jumpserver/docker-guacamole.git
$ cd /opt/docker-guacamole
$ tar xf guacamole-server-1.0.0.tar.gz
$ cd /opt/docker-guacamole/guacamole-server-1.0.0
# 根据 http://guacamole.apache.org/doc/gug/installing-guacamole.html 文档安装对应的依赖包
$ autoreconf -fi
$ ./configure --with-init-dir=/etc/init.d
$ make
$ make install
访问 https://tomcat.apache.org/download-90.cgi 下载最新的 tomcat9
$ mkdir -p /config/guacamole /config/guacamole/lib /config/guacamole/extensions /config/guacamole/data/log/
$ cd /config
$ wget http://mirrors.tuna.tsinghua.edu.cn/apache/tomcat/tomcat-9/v9.0.22/bin/apache-tomcat-9.0.22.tar.gz
$ tar xf apache-tomcat-9.0.22.tar.gz
$ mv apache-tomcat-9.0.22 tomcat9
$ rm -rf /config/tomcat9/webapps/*
$ sed -i 's/Connector port="8080"/Connector port="8081"/g' /config/tomcat9/conf/server.xml
$ echo "java.util.logging.ConsoleHandler.encoding = UTF-8" >> /config/tomcat9/conf/logging.properties
$ ln -sf /opt/docker-guacamole/guacamole-1.0.0.war /config/tomcat9/webapps/ROOT.war
$ ln -sf /opt/docker-guacamole/guacamole-auth-jumpserver-1.0.0.jar /config/guacamole/extensions/guacamole-auth-jumpserver-1.0.0.jar
$ ln -sf /opt/docker-guacamole/root/app/guacamole/guacamole.properties /config/guacamole/guacamole.properties
$ wget https://github.com/ibuler/ssh-forward/releases/download/v0.0.5/linux-amd64.tar.gz
$ tar xf linux-amd64.tar.gz -C /bin/
$ chmod +x /bin/ssh-forward
# 设置 guacamole 环境
$ export JUMPSERVER_SERVER=http://127.0.0.1:8080 # http://127.0.0.1:8080 指 jumpserver 访问地址
$ echo "export JUMPSERVER_SERVER=http://127.0.0.1:8080" >> ~/.bashrc
# BOOTSTRAP_TOKEN 为 Jumpserver/config.yml 里面的 BOOTSTRAP_TOKEN 值
$ export BOOTSTRAP_TOKEN=******
$ echo "export BOOTSTRAP_TOKEN=******" >> ~/.bashrc
$ export JUMPSERVER_KEY_DIR=/config/guacamole/keys
$ echo "export JUMPSERVER_KEY_DIR=/config/guacamole/keys" >> ~/.bashrc
$ export GUACAMOLE_HOME=/config/guacamole
$ echo "export GUACAMOLE_HOME=/config/guacamole" >> ~/.bashrc
$ /etc/init.d/guacd start
$ sh /config/tomcat9/bin/startup.sh
10、部署luna
与nginx结合支持Web Terminal前端
[root@xyw-dev ~]# cd /opt/
[root@xyw-dev opt]# wget https://github.com/jumpserver/luna/releases/download/1.5.5/luna.tar.gz
[root@xyw-dev opt]# tar xf luna.tar.gz
[root@xyw-dev opt]# chown -R root:root luna
11、配置nginx
[root@xyw-dev opt]# cd /usr/local/nginx/conf/
[root@xyw-dev conf]# ls
fastcgi.conf koi-utf nginx.conf uwsgi_params
fastcgi.conf.default koi-win nginx.conf.default uwsgi_params.default
fastcgi_params mime.types scgi_params win-utf
fastcgi_params.default mime.types.default scgi_params.default
[root@xyw-dev conf]# mkdir conf.d
[root@xyw-dev conf]# cd conf.d/
[root@xyw-dev conf.d]# vim jumpserver.conf
[root@xyw-dev conf.d]# ls
jumpserver.conf
[root@xyw-dev conf.d]# cat jumpserver.conf
server {
listen 80;
# server_name _;
server_name bastion.qf.com;
client_max_body_size 100m; # 录像及文件上传大小限制
location /luna/ {
try_files $uri / /index.html;
alias /opt/luna/; # luna 路径, 如果修改安装目录, 此处需要修改
}
location /media/ {
add_header Content-Encoding gzip;
root /opt/jumpserver/data/; # 录像位置, 如果修改安装目录, 此处需要修改
}
location /static/ {
root /opt/jumpserver/data/; # 静态资源, 如果修改安装目录, 此处需要修改
}
location /koko/ {
proxy_pass http://localhost:5000;
proxy_buffering off;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
access_log off;
}
location /guacamole/ {
proxy_pass http://localhost:8081/;
proxy_buffering off;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $http_connection;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
access_log off;
}
location /ws/ {
proxy_pass http://localhost:8070;
proxy_http_version 1.1;
proxy_buffering off;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
access_log off;
}
location / {
proxy_pass http://localhost:8080;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
access_log off;
}
}
[root@xyw-dev conf.d]#
[root@xyw-dev conf.d]# cd ..
[root@xyw-dev conf]# vim nginx.conf
[root@xyw-dev conf]# grep -Pv "^($| *#)" nginx.conf
worker_processes 1;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
sendfile on;
keepalive_timeout 65;
include /usr/local/nginx/conf/conf.d/*.conf;
}
[root@xyw-dev conf]# cd ..
[root@xyw-dev nginx]# sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@xyw-dev nginx]#
12、Jumpserver 登录测试
- 检查应用是否已经正常运行
- 服务全部启动后, 访问 jumpserver 服务器 nginx 代理的 80 端口, 不要通过8080端口访问
- 默认账号: admin 密码: admin(首次登录后应修改该默认密码)