Jumpserver一站式部署安裝

發(fā)布時(shí)間：2020-07-20 02:44:00 來(lái)源：網(wǎng)絡(luò) 閱讀：736 作者：warrent 欄目：系統(tǒng)運(yùn)維

前言

我們對(duì)堡壘機(jī)（跳板機(jī)）不會(huì)陌生，為了保證服務(wù)器安全，加個(gè)堡壘機(jī)，所有ssh連接都通過(guò)堡壘機(jī)來(lái)完成，堡壘機(jī)也需要有身份認(rèn)證、授權(quán)、訪問(wèn)控制、審計(jì)等功能。

Jumpserver 是全球首款完全開源的堡壘機(jī), 是符合 4A 的專業(yè)運(yùn)維審計(jì)系統(tǒng)。

Jumpserver 使用 Python / Django 進(jìn)行開發(fā), 采納分布式架構(gòu), 支持多機(jī)房跨區(qū)域部署, 中心節(jié)點(diǎn)提供 API, 各機(jī)房部署登錄節(jié)點(diǎn), 可橫向擴(kuò)展、無(wú)并發(fā)訪問(wèn)限制。

Jumpserver 現(xiàn)已支持管理 SSH、 Telnet、 RDP、 VNC 協(xié)議資產(chǎn)。

架構(gòu)說(shuō)明

架構(gòu)示意圖如下：

Jumpserver一站式部署安裝

Jumpserver包含四個(gè)組件，各個(gè)組件的作用如下：

Jumpserver 為管理后臺(tái), 管理員可以通過(guò) Web 頁(yè)面進(jìn)行資產(chǎn)管理、用戶管理、資產(chǎn)授權(quán)等操作, 用戶可以通過(guò) Web 頁(yè)面進(jìn)行資產(chǎn)登錄, 文件管理等操作

Coco 為 SSH Server 和 Web Terminal Server 。用戶可以使用自己的賬戶通過(guò) SSH 或者 Web Terminal 訪問(wèn) SSH 協(xié)議和 Telnet 協(xié)議資產(chǎn)

Luna 為 Web Terminal Server 前端頁(yè)面, 用戶使用 Web Terminal 方式登錄所需要的組件

Guacamole 為 RDP 協(xié)議和 VNC 協(xié)議資產(chǎn)組件, 用戶可以通過(guò) Web Terminal 來(lái)連接 RDP 協(xié)議和 VNC 協(xié)議資產(chǎn) (暫時(shí)只能通過(guò) Web Terminal 來(lái)訪問(wèn))

端口說(shuō)明

各個(gè)組件的監(jiān)聽(tīng)端口如下：

Jumpserver 默認(rèn)端口為 8080/tcp 配置文件 jumpserver/config.yml

Coco 默認(rèn) SSH 端口為 2222/tcp, 默認(rèn) Web Terminal 端口為 5000/tcp 配置文件在 coco/config.yml

Guacamole 默認(rèn)端口為 8081/tcp, 配置文件 /config/tomcat8/conf/server.xml

Nginx 默認(rèn)端口為 80/tcp

Redis 默認(rèn)端口為 6379/tcp

Mysql 默認(rèn)端口為 3306/tcp

Jumpserver一站式部署安裝

這篇博文將采用一站式的方式部署Jumpserver，其實(shí)更建議取參考官方文檔部署Jumpserver。

博文大綱：
一、環(huán)境準(zhǔn)備
二、配置Python 3環(huán)境
三、安裝Jumpserver
四、安裝MySQL及Redis
五、安裝配置coco組件
六、安裝guacamole及l(fā)una
七、安裝Nginx
八、Client訪問(wèn)測(cè)試

一、環(huán)境準(zhǔn)備

系統(tǒng)：CentOS 7

IP：192.168.20.3

數(shù)據(jù)庫(kù)：mariadb

反向代理：nginx

注：若是測(cè)試環(huán)境，內(nèi)存最少4G，雙核CPU。

在進(jìn)行下面的操作前，請(qǐng)下載我提供的各個(gè)源碼包。

首先將環(huán)境字體設(shè)置成中文，因?yàn)閖umpserver的日志文件里面的內(nèi)容會(huì)包含中文字符，不支持可能會(huì)亂碼。

[root@jumpserver ~]# localedef -c -f UTF-8 -i  zh_CN  zh_CN.UTF-8
[root@jumpserver ~]# export LC_ALL=zh_CN.UTF-8
[root@jumpserver ~]# echo 'LC_ALL=zh_CN.UTF-8' > /etc/locale.conf

二、配置Python 3環(huán)境

[root@jumpserver ~]# wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo
[root@jumpserver ~]# yum -y install wget sqlite-devel xz gcc automake zlib-devel openssl-devel epel-release git
[root@jumpserver ~]# tar xf Python-3.6.1.tar.xz -C /usr/src
[root@jumpserver ~]# cd /usr/src/Python-3.6.1/
[root@jumpserver Python-3.6.1]# ./configure && make && make install
[root@jumpserver Python-3.6.1]# cd /opt
[root@jumpserver opt]# python3 -m venv py3
[root@jumpserver opt]# source /opt/py3/bin/activate   
#設(shè)置自動(dòng)載入py3虛擬環(huán)境（以后只要進(jìn)入這個(gè)目錄就是Py3的環(huán)境）
(py3) [root@jumpserver opt]# unzip autoenv.zip 
(py3) [root@jumpserver opt]# echo "source /opt/autoenv/activate.sh" >> /root/.bashrc
(py3) [root@jumpserver opt]# . ~/.bashrc

三、安裝Jumpserver

(py3) [root@jumpserver opt]# unzip jumpserver.zip 
(py3) [root@jumpserver opt]#  echo "source /opt/py3/bin/activate" > /opt/jumpserver/.env
(py3) [root@jumpserver opt]# cd jumpserver/
autoenv:
autoenv: WARNING:
autoenv: This is the first time you are about to source /opt/jumpserver/.env:
autoenv:
autoenv:   --- (begin contents) ---------------------------------------
autoenv:     source /opt/py3/bin/activate$
autoenv:
autoenv:   --- (end contents) -----------------------------------------
autoenv:
autoenv: Are you sure you want to allow this? (y/N) y   #這里輸入“y”，以便自動(dòng)載入py3環(huán)境
(py3) [root@jumpserver jumpserver]# cd requirements/
(py3) [root@jumpserver requirements]# yum -y install $(cat rpm_requirements.txt)
(py3) [root@jumpserver requirements]# pip install --upgrade pip
(py3) [root@jumpserver requirements]# pip install -r requirements.txt -i https://mirrors.aliyun.com/pypi/simple/

四、安裝MySQL及Redis

#安裝MySQL
(py3) [root@jumpserver requirements]# yum -y install mariadb*
(py3) [root@jumpserver requirements]# systemctl start mariadb
(py3) [root@jumpserver requirements]# mysqladmin -u root password 123.com
(py3) [root@jumpserver requirements]# mysql -u root -p123.com
MariaDB [(none)]> create database jumpserver default charset 'utf8' ;
MariaDB [(none)]> grant all on jumpserver.* to jumpserver@127.0.0.1 identified by '123.com';
#安裝Redis
(py3) [root@jumpserver ~]# yum -y install redis
(py3) [root@jumpserver ~]# systemctl start redis
(py3) [root@jumpserver ~]# netstat -anput | grep 6379
#修改jumpserver配置文件
(py3) [root@jumpserver ~]# cd /opt/jumpserver/
(py3) [root@jumpserver jumpserver]# cp config_example.yml config.yml 
#生成秘鑰令牌
(py3) [root@jumpserver jumpserver]# SECRET_KEY=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 50`
(py3) [root@jumpserver jumpserver]# echo "SECRET_KEY=$SECRET_KEY" >> ~/.bashrc
(py3) [root@jumpserver jumpserver]# BOOTSTRAP_TOKEN=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 16`
(py3) [root@jumpserver jumpserver]# echo "BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN" >> ~/.bashrc
(py3) [root@jumpserver jumpserver]# sed -i "s/SECRET_KEY:/SECRET_KEY: $SECRET_KEY/g" /opt/jumpserver/config.yml
(py3) [root@jumpserver jumpserver]# sed -i "s/BOOTSTRAP_TOKEN:/BOOTSTRAP_TOKEN: $BOOTSTRAP_TOKEN/g" /opt/jumpserver/config.yml
(py3) [root@jumpserver jumpserver]# sed -i "s/# DEBUG: true/DEBUG: false/g" /opt/jumpserver/config.yml
(py3) [root@jumpserver jumpserver]# sed -i "s/# LOG_LEVEL: DEBUG/LOG_LEVEL: ERROR/g" /opt/jumpserver/config.yml
(py3) [root@jumpserver jumpserver]# sed -i "s/# SESSION_EXPIRE_AT_BROWSER_CLOSE: False/SESSION_EXPIRE_AT_BROWSER_CLOSE: true/g" /opt/jumpserver/config.yml 
(py3) [root@jumpserver jumpserver]# sed -i "s/DB_PASSWORD: /DB_PASSWORD: 123.com/g" /opt/jumpserver/config.yml
(py3) [root@jumpserver jumpserver]# echo -e "\033[31m 你的SECRET_KEY是 $SECRET_KEY \033[0m"
 你的SECRET_KEY是 Z6bUvXTZRpc73pnRp4qNwn1eMWNYrgzbEWkVJqIVXc6cXfpKDU 
(py3) [root@jumpserver jumpserver]# echo -e "\033[31m 你的BOOTSTRAP_TOKEN是 $BOOTSTRAP_TOKEN \033[0m"
 你的BOOTSTRAP_TOKEN是 aGXZtXKnhP3StNA3 
(py3) [root@jumpserver jumpserver]# egrep -v '^$|^#' config.yml     #確定配置文件修改無(wú)誤
SECRET_KEY: jS1ph0yvliBHdMV7YopAkBrEdIkZ3DjAq6HsftIPpQriNNBO2k
BOOTSTRAP_TOKEN: fUXgq00wg6XCD5lp
DEBUG: false
LOG_LEVEL: ERROR
SESSION_EXPIRE_AT_BROWSER_CLOSE: true
DB_ENGINE: mysql
DB_HOST: 127.0.0.1
DB_PORT: 3306
DB_USER: jumpserver
DB_PASSWORD: 123.com
DB_NAME: jumpserver
HTTP_BIND_HOST: 0.0.0.0
HTTP_LISTEN_PORT: 8080
REDIS_HOST: 127.0.0.1
REDIS_PORT: 6379
(py3) [root@jumpserver jumpserver]# ./jms start all -d    #啟動(dòng)jumpserver
(py3) [root@jumpserver jumpserver]# netstat -anpt | grep 8080
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      17420/python3

五、安裝配置coco組件

(py3) [root@jumpserver opt]# unzip coco.zip 
(py3) [root@jumpserver opt]# cd coco
(py3) [root@jumpserver coco]# echo "source /opt/py3/bin/activate" > /opt/coco/.env
(py3) [root@jumpserver coco]# cd requirements/
autoenv:
autoenv: WARNING:
autoenv: This is the first time you are about to source /opt/coco/.env:
autoenv:
autoenv:   --- (begin contents) ---------------------------------------
autoenv:     source /opt/py3/bin/activate$
autoenv:
autoenv:   --- (end contents) -----------------------------------------
autoenv:
autoenv: Are you sure you want to allow this? (y/N) y   #輸入“y”
(py3) [root@jumpserver requirements]# yum -y install $(cat rpm_requirements.txt)
(py3) [root@jumpserver requirements]# pip install -r requirements.txt
#修改配置文件
(py3) [root@jumpserver requirements]# cd ..
(py3) [root@jumpserver coco]# cp config_example.yml config.yml 
(py3) [root@jumpserver coco]# echo -e "\033[31m 你的BOOTSTRAP_TOKEN是 $BOOTSTRAP_TOKEN \033[0m"
#查看BOOTSTRAP_TOKEN的值
 你的BOOTSTRAP_TOKEN是 fUXgq00wg6XCD5lp 
 #注意，執(zhí)行下面的命令時(shí)，需要自行修改為自己查看出來(lái)的值：
(py3) [root@jumpserver coco]# sed -i 's/BOOTSTRAP_TOKEN: <PleasgeChangeSameWithJumpserver>/BOOTSTRAP_TOKEN: fUXgq00wg6XCD5lp/g' config.yml 
(py3) [root@jumpserver coco]# sed -i 's/# LOG_LEVEL: INFO/LOG_LEVEL: ERROR/g' config.yml 
(py3) [root@jumpserver coco]# egrep -v '^$|^#' config.yml    #確定修改的配置文件
CORE_HOST: http://127.0.0.1:8080
BOOTSTRAP_TOKEN: fUXgq00wg6XCD5lp
LOG_LEVEL: ERROR
#后臺(tái)啟動(dòng)coco
(py3) [root@jumpserver coco]# ./cocod start -d

六、安裝guacamole及l(fā)una

這里采用docker容器的方式部署。

#部署docker環(huán)境
(py3) [root@jumpserver ~]# yum install -y yum-utils device-mapper-persistent-data lvm2
(py3) [root@jumpserver ~]# yum-config-manager  --add-repo http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
(py3) [root@jumpserver ~]# yum makecache fast
(py3) [root@jumpserver ~]# yum -y install docker-ce
(py3) [root@jumpserver ~]# systemctl start docker
(py3) [root@jumpserver ~]# docker load  --input guacamole.tar
#啟動(dòng)容器
(py3) [root@jumpserver ~]# docker  run   --name  jms_guacamole   -d -p  8081:8080 -v /opt/guacamole/key:/config/guacamole/key  -e JUMPSERVER_KEY_DIR=/config/guacamole/key -e JUMPSERVER_SERVER=http://192.168.10.8:8080 jumpserver/guacamole:latest
(py3) [root@jumpserver ~]# netstat -anput | grep 8081   #確定端口在監(jiān)聽(tīng)
tcp6       0      0 :::8081                 :::*                    LISTEN      19162/docker-proxy  
(py3) [root@jumpserver ~]# tar zxf luna.tar.gz -C /opt/    #將luna解壓至/opt

七、安裝Nginx

(py3) [root@jumpserver /]# tar zxf nginx-1.2.4.tar.gz -C /usr/src
(py3) [root@jumpserver /]# cd /usr/src/nginx-1.2.4/
(py3) [root@jumpserver nginx-1.2.4]# ./configure --prefix=/usr/local/nginx && make && make install
(py3) [root@jumpserver nginx-1.2.4]# ln -sf /usr/local/nginx/sbin/nginx /usr/local/bin/
(py3) [root@jumpserver nginx-1.2.4]# cd /usr/local/nginx/conf/
(py3) [root@jumpserver conf]# mv nginx.conf nginx.conf.bak
(py3) [root@jumpserver conf]# rz    #上傳我提供的Nginx配置文件
(py3) [root@jumpserver conf]# ls | grep nginx.conf
nginx.conf     #在博文開頭的網(wǎng)盤鏈接中有此文件
nginx.conf.bak
nginx.conf.default
(py3) [root@jumpserver conf]# nginx -t     #確定Nginx配置無(wú)誤
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
(py3) [root@jumpserver conf]# nginx     #啟動(dòng)Nginx