One-stop Jumpserver deployment

Outline:
1. Jumpserver overview
2. Preparing the environment for installing Jumpserver
3. Setting up the Python 3 environment
4. Installing Jumpserver
5. Installing MariaDB and Redis and configuring Jumpserver
6. Installing and configuring the coco component
7. Installing Guacamole and Luna
8. Installing Nginx
9. Client access test

1. Jumpserver overview

Jumpserver is the world's first fully open-source bastion host (jump server). It is released under the GNU GPL v2.0 licence and is a professional, 4A-compliant operations audit system.

Jumpserver is developed in Python / Django, follows Web 2.0 conventions, and ships with an industry-leading Web Terminal solution with an attractive interface and a good user experience.

Jumpserver uses a distributed architecture and supports deployment across multiple data centres and regions: a central node provides the API, each data centre deploys its own login nodes, and the system scales horizontally with no limit on concurrent access.

Jumpserver now supports managing assets over the SSH, Telnet, RDP and VNC protocols.

Features of Jumpserver:

  • fully open source;
  • written in Python, easy to extend;
  • implements the basic jump-host functions: authentication, authorization and auditing;
  • integrates Ansible for batch command execution and similar operations;
  • supports a web terminal;
  • built with Bootstrap, with an attractive interface;
  • collects hardware information automatically;
  • session recording and playback, command search, real-time monitoring;

2. Preparing the environment for installing Jumpserver

Download the required packages.

(1) Environment requirements

  • Hardware: 2 CPU cores, 4 GB RAM, 50 GB disk (minimum);
  • Operating system: an x86_64 Linux distribution;
  • Python 3.6.x or later;
  • Database: MySQL or MariaDB, version 5.6 or later;
  • Redis;

(2) Jumpserver components

  • Jumpserver: the management back end. Administrators manage assets, users and asset authorization through the web page; users log in to assets and manage files through the web page;
  • koko: provides the SSH Server and the Web Terminal Server. Users access SSH and Telnet assets with their own accounts over SSH or the Web Terminal;
  • Luna: provides the front-end pages of the Web Terminal Server; a required component for users who log in via the Web Terminal;
  • Guacamole: the component for RDP and VNC assets; users connect to RDP and VNC assets (commonly Windows servers) through the Web Terminal;

(3) Component ports and configuration files

As shown in the figure (image not reproduced):

  • Jumpserver: default web port 8080/tcp, default WS port 8070/tcp; configuration file jumpserver/config.yml;
  • koko: default SSH port 2222/tcp, default Web Terminal port 5000/tcp; configuration file koko/config.yml;
  • Guacamole: default port 8081/tcp; configuration file /config/tomcat9/conf/server.xml;
  • Nginx: default port 80/tcp;
  • Redis: default port 6379/tcp;
  • MySQL/MariaDB: default port 3306/tcp;

(4) Enable Chinese locale support on the system

[root@jumpserver ~]# localedef -c -f UTF-8 -i zh_CN zh_CN.UTF-8
[root@jumpserver ~]# export LC_ALL=zh_CN.UTF-8
[root@jumpserver ~]# echo 'LC_ALL=zh_CN.UTF-8' > /etc/locale.conf

3. Setting up the Python 3 environment

[root@jumpserver ~]# yum -y install wget sqlite-devel xz gcc automake zlib-devel openssl-devel epel-release git
// install the build dependencies
[root@jumpserver ~]# tar xf Python-3.6.1.tar.xz -C /usr/src
[root@jumpserver ~]# cd /usr/src/Python-3.6.1/
[root@jumpserver Python-3.6.1]# ./configure && make && make install
// compile and install Python 3
[root@jumpserver Python-3.6.1]# cd /opt
[root@jumpserver opt]# python3 -m venv py3
[root@jumpserver opt]# source /opt/py3/bin/activate
(py3) [root@jumpserver opt]#
// a prompt like this means the Python 3 virtual environment is active
(py3) [root@jumpserver opt]# unzip autoenv.zip
(py3) [root@jumpserver opt]# echo "source /opt/autoenv/activate.sh" >> /root/.bashrc
(py3) [root@jumpserver opt]# source /root/.bashrc
// use autoenv to load the Python 3 virtual environment automatically

4. Installing Jumpserver

(py3) [root@jumpserver opt]# unzip jumpserver.zip
(py3) [root@jumpserver opt]# echo "source /opt/py3/bin/activate" > /opt/jumpserver/.env
(py3) [root@jumpserver opt]# cd jumpserver/
autoenv:
autoenv: WARNING:
autoenv: This is the first time you are about to source /opt/jumpserver/.env:
autoenv:
autoenv:   --- (begin contents) ---------------------------------------
autoenv:     source /opt/py3/bin/activate$
autoenv:
autoenv:   --- (end contents) -----------------------------------------
autoenv:
autoenv: Are you sure you want to allow this? (y/N) y       // enter "y" so the Python 3 environment is loaded automatically
(py3) [root@jumpserver jumpserver]# cd requirements/
(py3) [root@jumpserver requirements]# yum -y install $(cat rpm_requirements.txt)
// install the required system packages
(py3) [root@jumpserver requirements]# pip install --upgrade pip
(py3) [root@jumpserver requirements]# pip install wheel
(py3) [root@jumpserver requirements]# pip install -r requirements.txt -i https://mirrors.aliyun.com/pypi/simple/
// install the required Python dependencies

5. Installing MariaDB and Redis and configuring Jumpserver

Install MariaDB

(py3) [root@jumpserver requirements]# yum -y install mariadb mariadb-devel mariadb-server
(py3) [root@jumpserver requirements]# systemctl start mariadb
(py3) [root@jumpserver requirements]# mysqladmin -u root password 123.com
(py3) [root@jumpserver requirements]# mysql -u root -p123.com
MariaDB [(none)]> create database jumpserver default charset 'utf8';
MariaDB [(none)]> grant all on jumpserver.* to jumpserver@127.0.0.1 identified by '123.com';
MariaDB [(none)]> flush privileges;
(py3) [root@jumpserver requirements]# ss -lnt | grep 3306
LISTEN     0      50           *:3306                     *:*                  

Install Redis

(py3) [root@jumpserver requirements]# yum -y install redis
(py3) [root@jumpserver requirements]# systemctl start redis
(py3) [root@jumpserver requirements]# ss -lnt | grep 6379
LISTEN     0      128    127.0.0.1:6379                     *:*                  

Configure Jumpserver

(py3) [root@jumpserver ~]# cd /opt/jumpserver/
(py3) [root@jumpserver jumpserver]# cp config_example.yml config.yml 
# generate the secret key and the bootstrap token
(py3) [root@jumpserver jumpserver]# SECRET_KEY=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 50`
(py3) [root@jumpserver jumpserver]# echo "SECRET_KEY=$SECRET_KEY" >> ~/.bashrc
(py3) [root@jumpserver jumpserver]# BOOTSTRAP_TOKEN=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 16`
(py3) [root@jumpserver jumpserver]# echo "BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN" >> ~/.bashrc
(py3) [root@jumpserver jumpserver]# sed -i "s/SECRET_KEY:/SECRET_KEY: $SECRET_KEY/g" /opt/jumpserver/config.yml
(py3) [root@jumpserver jumpserver]# sed -i "s/BOOTSTRAP_TOKEN:/BOOTSTRAP_TOKEN: $BOOTSTRAP_TOKEN/g" /opt/jumpserver/config.yml
(py3) [root@jumpserver jumpserver]# sed -i "s/# DEBUG: true/DEBUG: false/g" /opt/jumpserver/config.yml
(py3) [root@jumpserver jumpserver]# sed -i "s/# LOG_LEVEL: DEBUG/LOG_LEVEL: ERROR/g" /opt/jumpserver/config.yml
(py3) [root@jumpserver jumpserver]# sed -i "s/# SESSION_EXPIRE_AT_BROWSER_CLOSE: False/SESSION_EXPIRE_AT_BROWSER_CLOSE: true/g" /opt/jumpserver/config.yml 
(py3) [root@jumpserver jumpserver]# sed -i "s/DB_PASSWORD: /DB_PASSWORD: 123.com/g" /opt/jumpserver/config.yml
(py3) [root@jumpserver jumpserver]# echo -e "\033[31m 你的SECRET_KEY是 $SECRET_KEY \033[0m"
 你的SECRET_KEY是 UmIWcyEGJN6JfCbCYnthtlK7z4wQ8HwlEL2DagdBxPJjWWRdSN 
(py3) [root@jumpserver jumpserver]# echo -e "\033[31m 你的BOOTSTRAP_TOKEN是 $BOOTSTRAP_TOKEN \033[0m"
 你的BOOTSTRAP_TOKEN是 qFs86ALWXpamrBaH 
(py3) [root@jumpserver jumpserver]# egrep -v '^$|^#' config.yml 
SECRET_KEY: UmIWcyEGJN6JfCbCYnthtlK7z4wQ8HwlEL2DagdBxPJjWWRdSN
BOOTSTRAP_TOKEN: qFs86ALWXpamrBaH
DEBUG: false
LOG_LEVEL: ERROR
DB_ENGINE: mysql
DB_HOST: 127.0.0.1
DB_PORT: 3306
DB_USER: jumpserver
DB_PASSWORD: 123.com
DB_NAME: jumpserver
HTTP_BIND_HOST: 0.0.0.0
HTTP_LISTEN_PORT: 8080
REDIS_HOST: 127.0.0.1
REDIS_PORT: 6379
(py3) [root@jumpserver jumpserver]# ./jms start all -d
(py3) [root@jumpserver jumpserver]# ss -lnt | grep 8080
LISTEN     0      128          *:8080                     *:*                  

6. Installing and configuring the coco component

(py3) [root@jumpserver opt]# unzip coco.zip 
(py3) [root@jumpserver opt]# cd coco
(py3) [root@jumpserver coco]# echo "source /opt/py3/bin/activate" > /opt/coco/.env
(py3) [root@jumpserver coco]# cd requirements/
autoenv:
autoenv: WARNING:
autoenv: This is the first time you are about to source /opt/coco/.env:
autoenv:
autoenv:   --- (begin contents) ---------------------------------------
autoenv:     source /opt/py3/bin/activate$
autoenv:
autoenv:   --- (end contents) -----------------------------------------
autoenv:
autoenv: Are you sure you want to allow this? (y/N) y
(py3) [root@jumpserver requirements]# yum -y install $(cat rpm_requirements.txt)
(py3) [root@jumpserver requirements]# pip install -r requirements.txt
(py3) [root@jumpserver requirements]# cd ..
(py3) [root@jumpserver coco]# cp config_example.yml config.yml 
(py3) [root@jumpserver coco]# echo -e "\033[31m 你的BOOTSTRAP_TOKEN是 $BOOTSTRAP_TOKEN \033[0m"
 你的BOOTSTRAP_TOKEN是 qFs86ALWXpamrBaH 
(py3) [root@jumpserver coco]# sed -i "s/BOOTSTRAP_TOKEN: <PleasgeChangeSameWithJumpserver>/BOOTSTRAP_TOKEN:  $BOOTSTRAP_TOKEN/g" config.yml
(py3) [root@jumpserver coco]# sed -i "s/# LOG_LEVEL: INFO/LOG_LEVEL: ERROR/g" config.yml 
(py3) [root@jumpserver coco]#  egrep -v '^$|^#' config.yml 
CORE_HOST: http://127.0.0.1:8080
BOOTSTRAP_TOKEN: qFs86ALWXpamrBaH
// make sure this 16-character random token is identical to the one in the jumpserver config file
LOG_LEVEL: ERROR
(py3) [root@jumpserver coco]# ./cocod start -d
(py3) [root@jumpserver coco]# ss -lnt | grep 2222
LISTEN     0      5            *:2222                     *:*                  
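As an added example (not code from the original post or from the Jumpserver project), here is a small script covering the token steps of sections 5 and 6: it generates SECRET_KEY and BOOTSTRAP_TOKEN the way the post does, sets keys in a config.yml idempotently (a commented `# DEBUG: true` line is uncommented in place rather than appended a second time), and checks that coco's BOOTSTRAP_TOKEN equals Jumpserver's, which the post says must match. It assumes the `KEY: value` layout of config_example.yml and takes the two config paths as arguments; the values stay in the config files rather than also being appended to ~/.bashrc.

```shell
#!/bin/sh
# Added example, not from the original post or the Jumpserver project.
# Assumes the "KEY: value" layout of config_example.yml, where an unset key
# appears as "KEY:" or as a commented "# KEY: default" line.

# Random alphanumeric token of the requested length, as the post generates it.
gen_token() {
    tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "$1"
}

# Set KEY to VALUE in FILE: replace an existing (possibly commented-out)
# line in place, or append the key when the file does not mention it.
# Re-running with a new value overwrites, so no duplicate lines pile up.
set_yaml_key() {
    file=$1; key=$2; value=$3
    if grep -Eq "^#? ?$key:" "$file"; then
        sed -i -E "s|^#? ?$key:.*|$key: $value|" "$file"
    else
        printf '%s: %s\n' "$key" "$value" >> "$file"
    fi
}

# Print the value of KEY from FILE (empty when unset or still commented out),
# with surrounding whitespace stripped.
get_yaml_key() {
    sed -n -E "s/^$2:[[:space:]]*//p" "$1" | head -n 1 | sed -E 's/[[:space:]]+$//'
}

# Succeed only when both files carry the same, non-empty BOOTSTRAP_TOKEN.
tokens_match() {
    a=$(get_yaml_key "$1" BOOTSTRAP_TOKEN)
    b=$(get_yaml_key "$2" BOOTSTRAP_TOKEN)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Usage: sh tokens.sh /opt/jumpserver/config.yml /opt/coco/config.yml
# Generates fresh tokens, writes them to both files and reports the check.
if [ "$#" -eq 2 ]; then
    secret=$(gen_token 50); token=$(gen_token 16)
    set_yaml_key "$1" SECRET_KEY "$secret"
    set_yaml_key "$1" BOOTSTRAP_TOKEN "$token"
    set_yaml_key "$2" BOOTSTRAP_TOKEN "$token"
    tokens_match "$1" "$2" && echo "BOOTSTRAP_TOKEN matches in both files"
fi
```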

7. Installing Guacamole and Luna

(py3) [root@jumpserver ~]# yum install -y yum-utils device-mapper-persistent-data lvm2
(py3) [root@jumpserver ~]# yum-config-manager  --add-repo http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
(py3) [root@jumpserver ~]#  yum makecache fast
(py3) [root@jumpserver ~]# yum -y install docker-ce
(py3) [root@jumpserver ~]# systemctl start docker
(py3) [root@jumpserver ~]# docker load < guacamole.tar 
(py3) [root@jumpserver ~]# docker run --name jms_guacamole -d \
 -p 8081:8080 -v /opt/guacamole/key:/config/guacamole/key \
 -e JUMPSERVER_KEY_DIR=/config/guacamole/key \
 -e JUMPSERVER_SERVER=http://192.168.1.10:8080 \
 jumpserver/guacamole:latest
(py3) [root@jumpserver ~]# ss -lnt | grep 8081
LISTEN     0      128         :::8081                    :::*                  
(py3) [root@jumpserver ~]# tar zxf luna.tar.gz -C /opt

8. Installing Nginx

(py3) [root@jumpserver ~]# tar zxf nginx-1.2.4.tar.gz -C /usr/src
(py3) [root@jumpserver ~]# cd /usr/src/nginx-1.2.4/
(py3) [root@jumpserver nginx-1.2.4]# ./configure && make && make install
(py3) [root@jumpserver nginx-1.2.4]# ln -sf /usr/local/nginx/sbin/nginx /usr/local/bin/
(py3) [root@jumpserver nginx-1.2.4]# cd /usr/local/nginx/conf/
(py3) [root@jumpserver conf]# cp nginx.conf nginx.conf.bak
(py3) [root@jumpserver conf]# mv /root/nginx.conf .
mv:是否覆蓋"./nginx.conf"? y
(py3) [root@jumpserver conf]# nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
(py3) [root@jumpserver conf]# nginx
(py3) [root@jumpserver conf]# ss -lnt | grep -w 80
LISTEN     0      128          *:80                       *:*                  

9. Client access test

As shown in the figure (image not reproduced):

(1) Create a regular user

This user is used to log in to the Jumpserver web page; it is created through the web page.


(2) Create an admin user

This user is mainly used to manage the back-end resources; it is created through the web page.

(3) Create a system user

This user is mainly used to log in to the back-end assets; it is created through the web page.

(4) Create a back-end asset

This is a lab environment, so a single virtual machine, 192.168.1.1, is started as the test asset (the web client and the back-end assets are certainly not on the same network segment, because users log in to Jumpserver over the public network before they can operate on the back-end servers).


(5) Create an authorization rule


(6) Connect to the back-end asset


Finally, although writing this document took a fair amount of time, I still recommend referring to the official Jumpserver documentation.

This is the end of the article; thanks for reading.
