要求:
Python = 3.6.x
Mysql Server ≥ 5.6
Mariadb Server ≥ 5.5.56
Redis
因为 Jumpserver 的日志中会输出中文,需要先配置好 UTF-8 locale,否则可能报 input/output error 的问题:
[root@jump ~]# localedef -c -f UTF-8 -i zh_CN zh_CN.UTF-8
[root@jump ~]# export LC_ALL=zh_CN.UTF-8
[root@jump ~]# echo 'LANG=zh_CN.UTF-8' > /etc/locale.conf
[root@jump ~]# exit
1、安装依赖包
[root@Jump ~]# vim /etc/yum.conf
keepcache=1 //开启yum缓存功能
[root@Jump ~]# yum -y install wget sqlite-devel xz gcc automake zlib-devel openssl-devel epel-release git
2、编译安装python3.6.1
[root@Jump ~]# cd /opt/
[root@Jump opt]# wget https://www.python.org/ftp/python/3.6.1/Python-3.6.1.tar.xz //在线下载方法
[root@Jump opt]# tar xf Python-3.6.1.tar.xz && cd Python-3.6.1
[root@Jump Python-3.6.1]# ./configure && make -j 4 && make install
3、建立 Python 虚拟环境
[root@Jump Python-3.6.1]# cd /opt/
[root@Jump opt]# python3 -m venv py3
[root@Jump opt]# source /opt/py3/bin/activate
1、下载或 Clone 项目(已有离线包可跳过。下载的发布包建议先与 GitHub Release 页面给出的校验值或签名核对(如有提供),再解压安装)
(py3) [root@jump ~]# cd /opt/
(py3) [root@jump opt]# wget https://github.com/jumpserver/jumpserver/releases/download/v2.1.1/jumpserver-v2.1.1.tar.gz //在线下载方法
(py3) [root@jump opt]# tar xf jumpserver-v2.1.1.tar.gz
(py3) [root@jump opt]# mv jumpserver-v2.1.1 jumpserver
2、安装依赖 RPM 包
[root@jump ~]# cd /opt/jumpserver/requirements/
[root@jump requirements]# yum -y install $(cat rpm_requirements.txt)
3、安装 Python 库依赖
离线安装
[root@jump requirements]# source /opt/py3/bin/activate
(py3) [root@jump ~]# cd /opt/python-package/
(py3) [root@jump python-package]# pip install wheel -i https://mirrors.aliyun.com/pypi/simple
(py3) [root@jump python-package]# pip install --upgrade pip setuptools -i https://mirrors.aliyun.com/pypi/simple/
(py3) [root@jump python-package]# pip install ./*
在线安装
(py3) [root@jump python-package]# cd /opt/jumpserver/requirements/
(py3) [root@jump requirements]# pip install wheel -i https://mirrors.aliyun.com/pypi/simple
(py3) [root@jump requirements]# pip install --upgrade pip setuptools -i https://mirrors.aliyun.com/pypi/simple/
(py3) [root@jump requirements]# pip install -r requirements.txt -i https://mirrors.aliyun.com/pypi/simple/
4、安装 Redis,Jumpserver 使用 Redis 做 cache 和 celery broker。注意:默认安装的 Redis 没有认证,应确认 /etc/redis.conf 中 bind 仅为 127.0.0.1;如确需对外监听,必须设置 requirepass,并在 Jumpserver 的 config.yml 中填写相应的 Redis 密码配置项。
[root@jump ~]# yum -y install redis
[root@jump ~]# systemctl enable redis
Created symlink from /etc/systemd/system/multi-user.target.wants/redis.service to /usr/lib/systemd/system/redis.service.
[root@jump ~]# systemctl start redis
5、安装 MySQL,建数据库 Jumpserver 并授权
注意:下文用 mysql -uroot 免密码直接登录,说明 root 账号此时还没有口令;安装完成后应先执行 mysql_secure_installation(设置 root 口令、删除匿名用户和 test 库、禁止 root 远程登录)。下面的授权只针对 jumpserver 库且来源限制为 127.0.0.1,符合最小权限,请勿改成 '%'。
注意:DB_PASSWORD 等变量只在当前 shell 会话中有效,后面的建库授权和修改 config.yml 必须在同一个终端会话中执行,否则变量为空会导致失败(例如写入空密码)
[root@jump ~]# yum -y install mariadb mariadb-devel mariadb-server
[root@jump ~]# systemctl enable mariadb
Created symlink from /etc/systemd/system/multi-user.target.wants/mariadb.service to /usr/lib/systemd/system/mariadb.service.
[root@jump ~]# systemctl start mariadb
(py3) [root@jump01 requirements]# cd /opt/jumpserver/requirements/
(py3) [root@jump01 requirements]# DB_PASSWORD=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 24`
(py3) [root@jump01 requirements]# echo -e "\033[31m 你的数据库密码是 $DB_PASSWORD \033[0m"
你的数据库密码是 pYPFRrdhgOu4FgB5Dg69SQS9
(py3) [root@jump01 requirements]# mysql -uroot -e "create database jumpserver default charset 'utf8'; grant all on jumpserver.* to 'jumpserver'@'127.0.0.1' identified by '$DB_PASSWORD'; flush privileges;"
6、修改 Jumpserver 配置文件
注意:下面的步骤会把 SECRET_KEY 和 BOOTSTRAP_TOKEN 以明文追加到 root 的 ~/.bashrc 并写入 config.yml,它们和数据库密码都是敏感信息,建议 chmod 600 config.yml,并避免出现在命令历史、截图和文档中。本文打印出来的密码、SECRET_KEY、BOOTSTRAP_TOKEN 都只是示例输出,切勿照抄复用。SECRET_KEY 请妥善备份且后续不要随意更换(它通常参与敏感数据的加密,更换后可能导致已有数据无法使用)。另外 sed 替换若因 config_example.yml 的格式与模式不符而未命中是不会报错的,改完务必用 grep 确认 DEBUG、LOG_LEVEL、DB_PASSWORD 等项确实已写入。
(py3) [root@jump01 requirements]# cd ..
(py3) [root@jump01 jumpserver]# cp config_example.yml config.yml
(py3) [root@jump01 jumpserver]# SECRET_KEY=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 50`
(py3) [root@jump01 jumpserver]# echo "SECRET_KEY=$SECRET_KEY" >> ~/.bashrc
(py3) [root@jump01 jumpserver]# BOOTSTRAP_TOKEN=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 16`
(py3) [root@jump01 jumpserver]# echo "BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN" >> ~/.bashrc
(py3) [root@jump01 jumpserver]# sed -i "s/SECRET_KEY:/SECRET_KEY: $SECRET_KEY/g" /opt/jumpserver/config.yml
(py3) [root@jump01 jumpserver]# sed -i "s/BOOTSTRAP_TOKEN:/BOOTSTRAP_TOKEN: $BOOTSTRAP_TOKEN/g" /opt/jumpserver/config.yml
(py3) [root@jump01 jumpserver]# sed -i "s/# DEBUG: true/DEBUG: false/g" /opt/jumpserver/config.yml
(py3) [root@jump01 jumpserver]# sed -i "s/# LOG_LEVEL: DEBUG/LOG_LEVEL: ERROR/g" /opt/jumpserver/config.yml
(py3) [root@jump01 jumpserver]# sed -i "s/# SESSION_EXPIRE_AT_BROWSER_CLOSE: false/SESSION_EXPIRE_AT_BROWSER_CLOSE: true/g" /opt/jumpserver/config.yml
(py3) [root@jump01 jumpserver]# sed -i "s/DB_PASSWORD: /DB_PASSWORD: $DB_PASSWORD/g" /opt/jumpserver/config.yml
(py3) [root@jump01 jumpserver]# echo -e "\033[31m 你的SECRET_KEY是 $SECRET_KEY \033[0m"
你的SECRET_KEY是 yZNPTdsr12jANSypVY4kxXzUg75kS49u5sch8TXwtzUbmTPNZe
(py3) [root@jump01 jumpserver]# echo -e "\033[31m 你的BOOTSTRAP_TOKEN是 $BOOTSTRAP_TOKEN \033[0m"
你的BOOTSTRAP_TOKEN是 5GLlmDN5mwwX1xUc
(py3) [root@jump01 jumpserver]# cat config.yml
8、运行 Jumpserver(注意:本文中 jms、koko、guacd、tomcat 都是在 root 会话里手工启动的;生产环境建议为各组件创建专用的非特权账号,并用 systemd 管理启动和开机自启)
(py3) [root@jump utils]# cd /opt/jumpserver
(py3) [root@jump jumpserver]# chmod +x jms
(py3) [root@jump jumpserver]# ./jms start all -d //后台运行使用,-d 参数
(py3) [root@jump jumpserver]# ./jms start|stop|status|restart all //启动|停止|状态|重启
访问 http://192.168.1.10:8080/
这里需要使用 8080 端口来访问页面,但此时只有页面无法登录。后期搭建 nginx 代理后,就可以直接使用 80 端口正常访问了。注意:8080(core)、5000(koko)、8081(guacamole)、8070(/ws/)这些后端端口都是明文 HTTP,只应由本机的 nginx 访问,请用防火墙或监听地址把它们限制在 127.0.0.1;对外提供服务的 80 端口同样是明文,生产环境应在 nginx 上配置 TLS(443),并把 80 重定向到 443。
(py3) [root@jump01 opt]# wget https://github.com/jumpserver/koko/releases/download/v2.1.1/koko-v2.1.1-linux-amd64.tar.gz
(py3) [root@jump01 opt]# tar -xf koko-v2.1.1-linux-amd64.tar.gz
(py3) [root@jump01 opt]# mv koko-v2.1.1-linux-amd64 koko
(py3) [root@jump01 opt]# chown -R root:root koko
(py3) [root@jump01 opt]# cd koko/
(py3) [root@jump01 koko]# cp config_example.yml config.yml
(py3) [root@jump01 koko]# sed -i "s/BOOTSTRAP_TOKEN: /BOOTSTRAP_TOKEN: $BOOTSTRAP_TOKEN/g" /opt/koko/config.yml
(py3) [root@jump01 koko]# sed -i "s/# LOG_LEVEL: INFO/LOG_LEVEL: ERROR/g" /opt/koko/config.yml
(py3) [root@jump01 opt]# cat /opt/jumpserver/config.yml | grep BOOTSTRAP_TOKEN
BOOTSTRAP_TOKEN: nCHJ41eI1Ot1NXGX
[root@jump01 koko]# vim config.yml
# 必须与 /opt/jumpserver/config.yml 中的 BOOTSTRAP_TOKEN 完全一致(即上面 grep 打印出的值;本文各处的示例值来自不同的安装过程,请勿照抄)。koko 向 core 注册成功后可以从本文件中删除该项,但 core 侧的 config.yml 建议保留,以便后续注册其他组件
BOOTSTRAP_TOKEN: nCHJ41eI1Ot1NXGX
(py3) [root@jump01 koko]# chmod +x koko
(py3) [root@jump01 koko]# ./koko -d
(py3) [root@jump01 koko]# cd /opt/
(py3) [root@jump01 opt]# wget -O docker-guacamole-v2.1.1.tar.gz https://github.com/jumpserver/docker-guacamole/archive/master.tar.gz //注意:这里下载的是 master 分支的快照而不是 v2.1.1 标签,内容会随时间变化、无法复现,建议改为下载对应版本 tag 的归档(如有)
(py3) [root@jump01 opt]# mkdir /opt/docker-guacamole
(py3) [root@jump01 opt]# tar -xf docker-guacamole-v2.1.1.tar.gz -C /opt/docker-guacamole --strip-components 1
(py3) [root@jump01 opt]# rm -rf /opt/docker-guacamole-v2.1.1.tar.gz
(py3) [root@jump01 opt]# cd /opt/docker-guacamole
(py3) [root@jump01 docker-guacamole]# wget http://download.jumpserver.org/public/guacamole-server-1.2.0.tar.gz
(py3) [root@jump01 docker-guacamole]# tar -xf guacamole-server-1.2.0.tar.gz
(py3) [root@jump01 docker-guacamole]# wget http://download.jumpserver.org/public/ssh-forward.tar.gz
--2020-08-09 14:33:54-- http://download.jumpserver.org/public/ssh-forward.tar.gz
注意:本节中的 guacamole-server、ssh-forward、tomcat、guacamole-client 都是通过明文 http:// 下载的,其中 ssh-forward 是预编译二进制,解压后直接放进 /bin/ 并赋予可执行权限,一旦在传输途中被篡改就能在堡垒机上获得执行权;下载时应改用 https://,并在解压前与官方公布的校验值核对(如有提供)。
(py3) [root@jump01 docker-guacamole]# tar -xf ssh-forward.tar.gz -C /bin/
(py3) [root@jump01 docker-guacamole]# chmod +x /bin/ssh-forward
(py3) [root@jump01 docker-guacamole]# cd /opt/docker-guacamole/guacamole-server-1.2.0
(py3) [root@jump01 guacamole-server-1.2.0]# yum -y install cairo-devel uuid uuid-devel
(py3) [root@jump01 guacamole-server-1.2.0]# ./configure --with-init-dir=/etc/init.d && make && make install
(py3) [root@jump01 guacamole-server-1.2.0]# mkdir -p /config/guacamole /config/guacamole/extensions /config/guacamole/record /config/guacamole/drive && chown daemon:daemon /config/guacamole/record /config/guacamole/drive && cd /config
(py3) [root@jump01 config]# wget http://mirrors.tuna.tsinghua.edu.cn/apache/tomcat/tomcat-9/v9.0.36/bin/apache-tomcat-9.0.36.tar.gz
(py3) [root@jump01 config]# tar -xf apache-tomcat-9.0.36.tar.gz && mv apache-tomcat-9.0.36 tomcat9 && rm -rf /config/tomcat9/webapps/* && sed -i 's/Connector port="8080"/Connector port="8081"/g' /config/tomcat9/conf/server.xml && echo "java.util.logging.ConsoleHandler.encoding = UTF-8" >> /config/tomcat9/conf/logging.properties && wget http://download.jumpserver.org/release/v2.1.1/guacamole-client-v2.1.1.tar.gz && tar -xf guacamole-client-v2.1.1.tar.gz && rm -rf guacamole-client-v2.1.1.tar.gz && cp guacamole-client-v2.1.1/guacamole-*.war /config/tomcat9/webapps/ROOT.war && cp guacamole-client-v2.1.1/guacamole-*.jar /config/guacamole/extensions/ && mv /opt/docker-guacamole/guacamole.properties /config/guacamole/ && rm -rf /opt/docker-guacamole
(py3) [root@jump01 opt]# export JUMPSERVER_SERVER=http://127.0.0.1:8080
(py3) [root@jump01 opt]# echo "export JUMPSERVER_SERVER=http://127.0.0.1:8080" >> ~/.bashrc
(py3) [root@jump01 opt]# export BOOTSTRAP_TOKEN=zxffNymGjP79j6BN //同上,必须与 /opt/jumpserver/config.yml 中的 BOOTSTRAP_TOKEN 完全一致(本文此处的示例值与上文并不相同,不要照抄;直接用 grep BOOTSTRAP_TOKEN /opt/jumpserver/config.yml 输出的值填写)
(py3) [root@jump01 opt]# echo "export BOOTSTRAP_TOKEN=zxffNymGjP79j6BN" >> ~/.bashrc
(py3) [root@jump01 opt]# export JUMPSERVER_KEY_DIR=/config/guacamole/keys
(py3) [root@jump01 opt]# echo "export JUMPSERVER_KEY_DIR=/config/guacamole/keys" >> ~/.bashrc
(py3) [root@jump01 opt]# export GUACAMOLE_HOME=/config/guacamole
(py3) [root@jump01 opt]# echo "export GUACAMOLE_HOME=/config/guacamole" >> ~/.bashrc
(py3) [root@jump01 opt]# export GUACAMOLE_LOG_LEVEL=ERROR
(py3) [root@jump01 opt]# echo "export GUACAMOLE_LOG_LEVEL=ERROR" >> ~/.bashrc
(py3) [root@jump01 opt]# export JUMPSERVER_ENABLE_DRIVE=true //从变量名和前面创建的 /config/guacamole/drive 目录推断,这是开启 RDP 会话中的磁盘映射/文件传输;若不需要经堡垒机传文件,建议设为 false(下一行写入 ~/.bashrc 的值也同步修改),以减少数据外带途径
(py3) [root@jump01 opt]# echo "export JUMPSERVER_ENABLE_DRIVE=true" >> ~/.bashrc
(py3) [root@jump01 opt]# /etc/init.d/guacd start
Starting guacd: guacd[95399]: INFO: Guacamole proxy daemon (guacd) version 1.2.0 started
SUCCESS
(py3) [root@jump01 opt]# sh /config/tomcat9/bin/startup.sh
(py3) [root@jump coco]# cd /opt/
(py3) [root@jump opt]# wget https://github.com/jumpserver/lina/releases/download/v2.1.1/lina-v2.1.1.tar.gz //在线下载
(py3) [root@jump01 opt]# tar -xf lina-v2.1.1.tar.gz //解压 Lina
(py3) [root@jump01 opt]# mv lina-v2.1.1 lina
(py3) [root@jump opt]# wget https://github.com/jumpserver/luna/releases/download/v2.1.1/luna-v2.1.1.tar.gz
(py3) [root@jump01 opt]# tar -xf luna-v2.1.1.tar.gz //解压 Luna
(py3) [root@jump01 opt]# mv luna-v2.1.1 luna
(py3) [root@jump01 opt]# vim /etc/yum.repos.d/nginx.repo
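[nginx-stable]
name=nginx stable repo
baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
# Verify package signatures against the nginx signing key declared below.
# With gpgcheck=0 anything served from the plain-http baseurl would be
# installed unverified; the key itself is fetched over https. If yum does
# not offer to import the key, import it first:
#   rpm --import https://nginx.org/keys/nginx_signing.key
gpgcheck=1
enabled=1
gpgkey=https://nginx.org/keys/nginx_signing.key
module_hotfixes=true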
(py3) [root@jump01 opt]# yum -y install nginx
(py3) [root@jump01 opt]# echo > /etc/nginx/conf.d/default.conf
(py3) [root@jump01 opt]# vim /etc/nginx/conf.d/jumpserver.conf
# Reverse proxy in front of JumpServer: serves the Lina/Luna front-end
# builds and the core's static/media files from disk, and forwards API,
# websocket, koko and guacamole traffic to the back ends on this host.
# NOTE(review): this server block speaks plain HTTP only. For production
# terminate TLS here (listen 443 ssl, redirect 80 -> 443) and pass
# X-Forwarded-Proto to the back ends; keep the upstream ports
# (8080/5000/8081/8070) reachable from this host only.
server {
listen 80;
client_max_body_size 100m; # upper bound for recording and file uploads
# Lina (web UI) static build
location /ui/ {
try_files $uri / /index.html;
alias /opt/lina/;
}
# Luna (web terminal front end) static build
location /luna/ {
try_files $uri / /index.html;
alias /opt/luna/; # luna path; change this if the install directory is moved
}
# Files under /opt/jumpserver/data/media (session recordings per the
# original note), served straight from disk by nginx. The Content-Encoding
# header implies the stored files are already gzip-compressed.
# NOTE(review): nothing in this block enforces application authentication
# on these files -- confirm what lands in data/media before exposing it.
location /media/ {
add_header Content-Encoding gzip;
root /opt/jumpserver/data/; # recording location; change this if the install directory is moved
}
location /static/ {
root /opt/jumpserver/data/; # static assets; change this if the install directory is moved
}
# koko (web terminal back end): websocket upgrade, no response buffering.
# access_log off means these requests leave no trace in the nginx log.
location /koko/ {
proxy_pass http://localhost:5000;
proxy_buffering off;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
access_log off;
}
# guacamole client in tomcat on 8081. The trailing slash on proxy_pass
# strips the /guacamole/ prefix, so /guacamole/x is forwarded as /x.
# Connection is passed through as sent by the client rather than forced
# to "upgrade". access_log off as above.
location /guacamole/ {
proxy_pass http://localhost:8081/;
proxy_buffering off;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $http_connection;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
access_log off;
}
# websocket endpoint on 8070 (which component listens there is not shown
# in this guide)
location /ws/ {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://localhost:8070;
proxy_http_version 1.1;
proxy_buffering off;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
# core API (the jms process on 8080)
location /api/ {
proxy_pass http://localhost:8080;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
# core web views, same back end as /api/
location /core/ {
proxy_pass http://localhost:8080;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
# everything else is rewritten into the Lina UI prefix
location / {
rewrite ^/(.*)$ /ui/$1 last;
}
}
(py3) [root@jump01 opt]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
(py3) [root@jump opt]# systemctl start nginx
(py3) [root@jump opt]# systemctl enable nginx
Created symlink from /etc/systemd/system/multi-user.target.wants/nginx.service to /usr/lib/systemd/system/nginx.service.
(py3) [root@jump opt]# ssh -p2222 admin@192.168.1.10 //密码: admin(这是内置的默认管理员账号口令,首次登录后必须立即修改,并尽量为管理员开启多因素认证,如版本支持)
admin@192.168.1.10's password:
Administrator, 欢迎使用Jumpserver开源跳板机系统
1) 输入 ID 直接登录 或 输入部分 IP,主机名,备注 进行搜索登录(如果唯一).
2) 输入 / + IP, 主机名 or 备注 搜索. 如: /ip
3) 输入 P/p 显示您有权限的主机.
4) 输入 G/g 显示您有权限的主机组.
5) 输入 G/g + 组ID 显示该组下主机. 如: g1
6) 输入 H/h 帮助.
0) 输入 Q/q 退出.
Opt>
(py3) [root@jump opt]# /opt/jumpserver/jms stop all -d
(py3) [root@jump opt]# /opt/jumpserver/jms start all -d
注意: 在使用jumpserver过程中,有一步是系统用户推送,要推送成功,client(后端服务器)要满足以下条件:
(1)后端服务器需要有 python、sudo 环境才能使用推送用户、批量命令等功能
(2)后端服务器如果开启了 selinux,请安装 libselinux-python。很多环境习惯直接关闭 selinux,但这会削弱主机自身的防护,应优先安装该包而不是关闭 selinux
1、添加用户组
2、添加用户
其中,名称是真实姓名,用户名即 Jumpserver 登录账号
成功提交用户信息后,Jumpserver 会发送一条设置"用户密码"的邮件到您填写的用户邮箱
点击链接,开始修改密码
用户首次登录 Jumpserver,会被要求完善用户信息
[root@jump ~]# useradd zhangsan
[root@jump ~]# passwd zhangsan
[root@jump ~]# su - zhangsan
[zhangsan@jump ~]$ ssh-keygen
[zhangsan@jump ~]$ cat ~/.ssh/id_rsa.pub
生成SSH 密钥,方便后期登录
3、创建管理用户(更换回Administrator用户,由于zhangsan用户设置为管理员所以没有更换)
所有的服务器root用户密码都是:123456(仅为本实验环境的假设)
前提,你的服务器节点中所有的服务器root用户密码都是:123456。注意:这只适用于演示;生产环境不要让所有主机共用同一个弱口令,管理用户应使用专用账号加 SSH 密钥(或每台主机唯一的强口令),在 Jumpserver 中按主机分别录入,堡垒机接管后再禁用后端主机的 root 口令登录。
4、创建系统用户
user 权限: /sbin/ifconfig,/usr/bin/top,/usr/bin/free(系统用户的 sudo 命令白名单,按最小权限只列出确实需要的命令)
要写目录/bin/,必须在最后添加/。注意:在 sudoers 中放行整个目录(如 /bin/、/sbin/)等于允许无密码执行 /bin/bash、/bin/su 等,实际上就是完整的 root 权限,与上面只放行三条命令的本意相悖,生产环境不要这样配置。
[root@client ~]# tail /etc/passwd -n 5
lisi:x:1000:1000:lisi:/home/lisi:/bin/bash
zhangsan:x:1001:1001::/home/zhangsan:/bin/bash
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
www:x:1002:1002::/home/www:/bin/bash
manager:x:1003:1003::/home/manager:/bin/bash //自动推送一个帐号,自动在资产服务器上创建系统用户
[root@client ~]# visudo
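# Allow the pushed JumpServer system user only the three commands listed
# under "user 权限" above. Granting a bare directory such as /bin/ or /sbin/
# would let this account run /bin/bash or /bin/su as root without a
# password, i.e. full root. Add further commands here explicitly if a
# specific JumpServer feature turns out to need them.
manager ALL=(ALL) NOPASSWD: /sbin/ifconfig,/usr/bin/top,/usr/bin/free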
3、用户使用资产
登录 Jumpserver
创建授权规则的时候,选择了用户组,所以这里需要登录所选用户组下面的用户才能看见相应的资产
1、在xshell字符终端下连接jumpserver管理服务器
使用jumpserver中登录的用户名和密码
2、查看历史命令记录
3、查看历史会话并回放视频
官方手册:http://docs.jumpserver.org/zh/docs/step_by_step.html