Building and Using a JumpServer Bastion Host from Scratch
Tags: JumpServer, bastion host
- 1. Brief introduction to JumpServer
- 2. Architecture diagram
- 3. Component descriptions
  - Reference: http://docs.jumpserver.org/zh/latest/admin_instruction.html
- 4. Preparing the installation environment
  - System environment
  - Disabling the firewall and SELinux
  - Preparing Python 3 and a Python virtual environment
    - Installing dependency packages
    - Compiling and installing Python
    - Creating the Python virtual environment
- 5. Installing JumpServer
  - Installing RPM dependencies
  - Installing Python library dependencies
  - Installing Redis
  - Installing MySQL
  - Creating the jumpserver database and granting privileges
  - Editing the JumpServer configuration file
  - Generating the database schema and initial data
  - Running JumpServer
  - Installing the SSH server and WebSocket server: Coco
    - Downloading the project files
    - Installing dependencies
    - Testing the connection
  - Installing the Web Terminal front end: Luna
  - Configuring Nginx to tie the components together
  - Basic usage configuration
    - The differences between the system's user types
    - The relationship between admin users and system users
  - Testing the login
1. Brief introduction to JumpServer
JumpServer describes itself as the first fully open-source bastion host. It is released under the GNU GPL v2.0 licence and is an operations audit system built around the 4A model (account, authentication, authorization, audit). It is written in Python/Django, follows Web 2.0 conventions, and ships with a Web Terminal that the project bills as industry-leading, with a clean interface and a good user experience.
JumpServer uses a distributed architecture and supports deployment across multiple data centres and regions: a central node exposes the API, each site runs its own login nodes, and the system scales horizontally with no hard limit on concurrent access.
2. Architecture diagram
(The architecture diagram is an image in the original post; the components it shows are described in the next section.)
3. Component descriptions
- Jumpserver: now refers to the JumpServer management back end, the core component (Core). It is built in the Django class-based-view style and exposes a RESTful API.
- Coco: implements the SSH server and the Web Terminal server, exposing SSH and WebSocket interfaces. Built with Paramiko and Flask.
- Luna: now the Web Terminal front end. The plan is for all front-end pages to come from this project, with Jumpserver only serving the API and no longer rendering HTML on the server side.
- Guacamole: Apache Guacamole, a clientless remote desktop gateway. JumpServer uses it to provide RDP access; rather than modifying Guacamole's code, JumpServer adds an extension that lets JumpServer drive it.
- Jumpserver-Python-SDK: the Python SDK for the JumpServer API. Coco currently uses this SDK to talk to the JumpServer API.
Reference: http://docs.jumpserver.org/zh/latest/admin_instruction.html
4. Preparing the installation environment
System environment
```
[root@test ~]# cat /etc/redhat-release
CentOS Linux release 7.4.1708 (Core)
[root@test ~]# uname -r
3.10.0-693.el7.x86_64
[root@test ~]# ip add|grep 192.168.22
    inet 192.168.22.175/24 brd 192.168.22.255 scope global ens32
```
Disabling the firewall and SELinux
The original walkthrough turns both off to get the lab deployment working. On a bastion host that users will connect to this is a poor trade: leave firewalld running and open only the ports the components below actually need (2222 for Coco's SSH listener and, until Nginx is put in front of it, 8080 for the web interface), and keep SELinux in permissive mode while you track down denials rather than disabling it outright.
```
[root@test ~]# systemctl stop firewalld
[root@test ~]# systemctl disable firewalld
[root@test ~]# sed -i "s#SELINUX=enforcing#SELINUX=disabled#g" /etc/selinux/config
[root@master ~]# grep "SELINUX=" /etc/selinux/config
# SELINUX= can take one of these three values:
SELINUX=disabled
[root@test ~]# reboot
```
Preparing Python 3 and a Python virtual environment
Installing dependency packages
```
[root@test ~]# yum -y install wget sqlite-devel xz gcc automake zlib-devel openssl-devel epel-release git
```
Compiling and installing Python
Before unpacking, compare the tarball against the checksum or GPG signature published on python.org for that release; a toolchain that builds and installs whatever was downloaded is exactly where a tampered download would otherwise go unnoticed.
```
[root@test ~]# wget https://www.python.org/ftp/python/3.6.1/Python-3.6.1.tar.xz
[root@test ~]# tar xf Python-3.6.1.tar.xz
[root@test ~]# cd Python-3.6.1
[root@test Python-3.6.1]# ./configure
[root@test Python-3.6.1]# echo $?
0
[root@test Python-3.6.1]# make && make install
------------------- build output omitted
Collecting setuptools
Collecting pip
Installing collected packages: setuptools, pip
Successfully installed pip-9.0.1 setuptools-28.8.0
[root@test Python-3.6.1]# echo $?
0
```
Creating the Python virtual environment
CentOS 6/7 ships with Python 2, and yum and other system tools depend on that interpreter, so to avoid disturbing the system environment we work inside a Python virtual environment.
```
[root@test Python-3.6.1]# cd /opt/
[root@test opt]# python3 -m venv py3
[root@test opt]# source /opt/py3/bin/activate
(py3) [root@test opt]#
# The (py3) prefix in the prompt means the environment is active. Every time you run JumpServer from now on, run the source command above first; all commands below are run inside this virtual environment.
```
5. Installing JumpServer
```
(py3) [root@test opt]# pwd
/opt
(py3) [root@test opt]# git clone --depth=1 https://github.com/jumpserver/jumpserver.git
Cloning into 'jumpserver'...
remote: Counting objects: 718, done.
remote: Compressing objects: 100% (652/652), done.
remote: Total 718 (delta 95), reused 380 (delta 22), pack-reused 0
Receiving objects: 100% (718/718), 5.31 MiB | 440.00 KiB/s, done.
Resolving deltas: 100% (95/95), done.
(py3) [root@test opt]# cd jumpserver/
(py3) [root@test jumpserver]# git checkout master
Already on 'master'
```
For anything beyond a lab, check out a tagged release rather than the moving master branch, so that the JumpServer, Coco and Luna versions you deploy are the ones that were tested together (the run later on this page reports version 1.3.0).
Installing RPM dependencies
```
(py3) [root@test jumpserver]# cd /opt/jumpserver/requirements/
(py3) [root@test requirements]# yum -y install $(cat rpm_requirements.txt)
# No errors means this step is complete
```
Installing Python library dependencies
```
(py3) [root@test requirements]# pip install -r requirements.txt
```
The official docs are unhelpful here: they say not to specify a package index, but without one the install simply does not complete. Point pip at a suitable up-to-date index (over HTTPS, and one you trust, since every package it serves ends up running on the bastion host) and, if something still will not install, download the source package and install it by hand.
Installing Redis
JumpServer uses Redis as its cache and as the Celery broker.
```
(py3) [root@master opt]# yum -y install redis
(py3) [root@master opt]# service redis start
Redirecting to /bin/systemctl start redis.service
(py3) [root@master opt]# lsof -i :6379
COMMAND    PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
redis-ser 22530 redis    4u  IPv4  71615      0t0  TCP localhost:6379 (LISTEN)
```
Redis is listening on localhost only, which is what you want for a single-host deployment.
Installing MySQL
MySQL is installed from the binary package here; see the earlier post for the details.
```
(py3) [root@master opt]# /etc/init.d/mysqld start
Starting MySQL SUCCESS!
(py3) [root@master opt]# lsof -i :3306
COMMAND   PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
mysqld  23081 mysql   17u  IPv6  73467      0t0  TCP *:mysql (LISTEN)
```
Note that, unlike Redis, mysqld is bound to every interface (*:mysql). Nothing outside this host needs to reach it, so set bind-address = 127.0.0.1 in my.cnf and restart MySQL before creating the application account below.
Creating the jumpserver database and granting privileges
```
(py3) [root@master opt]# mysql -uroot -p
Enter password:
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MySQL connection id is 4
Server version: 5.7.17 MySQL Community Server (GPL)
Copyright (c) 2000, 2017, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MySQL [(none)]> create database jumpserver default charset 'utf8';
Query OK, 1 row affected (0.00 sec)
MySQL [(none)]> grant all on jumpserver.* to 'jumpserver'@'localhost' identified by '123456';
Query OK, 0 rows affected, 1 warning (0.00 sec)
MySQL [(none)]> flush privileges;
Query OK, 0 rows affected (0.00 sec)
```
The account is scoped to localhost and to the jumpserver database only, which is right. The password 123456 is a placeholder for this walkthrough; replace it with a long random value and use the same value in config.py below.
Editing the JumpServer configuration file
```
(py3) [root@master opt]# cd /opt/jumpserver/
(py3) [root@master jumpserver]# cp config_example.py config.py
(py3) [root@master jumpserver]# vim config.py
--------------------
# Default using Config settings, you can write if/else for different env
class DevelopmentConfig(Config):
    DEBUG = True
    DB_ENGINE = 'mysql'
    DB_HOST = '127.0.0.1'
    DB_PORT = 3306
    DB_USER = 'jumpserver'
    DB_PASSWORD = '123456'
    DB_NAME = 'jumpserver'

config = DevelopmentConfig()
# Add the lines above
```
Two things in this block are fine for a lab and wrong for production: DEBUG = True makes Django return full stack traces and settings to anyone who triggers an error, and the database password sits in config.py in clear text. Set DEBUG = False, use the strong password you created the database account with, and give SECRET_KEY a long random value of your own before the first run rather than keeping whatever the example file contains.
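The config.py above sets DEBUG = True and a six-digit database password. The following is an added example, not JumpServer's own code, of how to check those settings mechanically at start-up. It mirrors the Config/DevelopmentConfig pattern of config_example.py with a minimal stand-in base class (the real class is not importable here, and its attribute list, including SECRET_KEY, is assumed), reads secrets from the environment in a ProductionConfig, and refuses to hand out a production config that fails the audit. The JMS_* environment variable names and the password rules are this example's own.

```python
"""Added example: audit the settings this page puts in config.py.

Not JumpServer's own code. The Config base class below is a stand-in for
the one in config_example.py (attribute names assumed); the JMS_*
environment variables are this example's convention.
"""
import os
import re


class Config:
    # Stand-in for config_example.py's Config (attribute names assumed).
    DEBUG = False
    SECRET_KEY = ""
    DB_ENGINE = "mysql"
    DB_HOST = "127.0.0.1"
    DB_PORT = 3306
    DB_USER = "jumpserver"
    DB_PASSWORD = ""
    DB_NAME = "jumpserver"


class DevelopmentConfig(Config):
    # Exactly what the page writes into config.py.
    DEBUG = True
    DB_PASSWORD = "123456"


class ProductionConfig(Config):
    DEBUG = False

    def __init__(self, env=None):
        # Secrets come from the process environment, not the checked-in file.
        env = os.environ if env is None else env
        self.SECRET_KEY = env.get("JMS_SECRET_KEY", "")
        self.DB_PASSWORD = env.get("JMS_DB_PASSWORD", "")
        self.DB_HOST = env.get("JMS_DB_HOST", "127.0.0.1")


# Values that appear in every credential-stuffing list; extend as needed.
WEAK_PASSWORDS = {"", "123456", "12345678", "password", "jumpserver", "admin", "root"}


def audit_config(cfg):
    """Return a list of problems with cfg; an empty list means it passes."""
    problems = []
    if cfg.DEBUG:
        problems.append("DEBUG is True: Django will show stack traces and settings to clients")
    if len(cfg.SECRET_KEY) < 32:
        problems.append("SECRET_KEY is missing or shorter than 32 characters")
    pw = cfg.DB_PASSWORD
    if pw.lower() in WEAK_PASSWORDS or len(pw) < 16:
        problems.append("DB_PASSWORD is a common value or shorter than 16 characters")
    elif not all(re.search(p, pw) for p in (r"[A-Z]", r"[a-z]", r"\d")):
        problems.append("DB_PASSWORD should mix upper case, lower case and digits")
    if cfg.DB_ENGINE == "mysql" and cfg.DB_HOST not in ("127.0.0.1", "localhost"):
        problems.append("DB_HOST is not loopback: MySQL traffic leaves this host, keep it on a private network or TLS")
    return problems


def select_config(env=None):
    """Replacement for the page's `config = DevelopmentConfig()` line.

    Development is only chosen when JMS_ENV=dev is set explicitly; any other
    environment gets ProductionConfig and must pass the audit or fail to start.
    """
    env = os.environ if env is None else env
    if env.get("JMS_ENV") == "dev":
        return DevelopmentConfig()
    cfg = ProductionConfig(env)
    problems = audit_config(cfg)
    if problems:
        raise RuntimeError("refusing to start: " + "; ".join(problems))
    return cfg


if __name__ == "__main__":
    # Run against the page's own settings to see what it flags.
    for problem in audit_config(DevelopmentConfig()):
        print("config.py:", problem)
```

Wiring this into a real install would mean replacing the last line of config.py with `config = select_config()` and exporting JMS_SECRET_KEY and JMS_DB_PASSWORD in the unit file or environment that starts run_server.py, so that the secrets never sit in a file that is easy to copy or commit.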
Generating the database schema and initial data
```
(py3) [root@master jumpserver]# cd /opt/jumpserver/utils/
(py3) [root@master utils]# bash make_migrations.sh
2018-05-09 13:51:48 [signals_handler DEBUG] Receive django ready signal
2018-05-09 13:51:48 [signals_handler DEBUG] - fresh all settings
Migrations for 'assets':
  /opt/jumpserver/apps/assets/migrations/0002_auto_20180509_1351.py
-------------------- middle part omitted
Running migrations:
  Applying assets.0001_initial... OK
  Applying assets.0002_auto_20180509_1351... OK
  Applying audits.0001_initial... OK
  Applying contenttypes.0001_initial... OK
  Applying contenttypes.0002_remove_content_type_name... OK
  Applying auth.0001_initial... OK
  Applying auth.0002_alter_permission_name_max_length... OK
  Applying auth.0003_alter_user_email_max_length... OK
  Applying auth.0004_alter_user_username_opts... OK
  Applying auth.0005_alter_user_last_login_null... OK
  Applying auth.0006_require_contenttypes_0002... OK
  Applying auth.0007_alter_validators_add_error_messages... OK
  Applying auth.0008_alter_user_username_max_length... OK
  Applying captcha.0001_initial... OK
  Applying common.0001_initial... OK
  Applying django_celery_beat.0001_initial... OK
  Applying django_celery_beat.0002_auto_20161118_0346... OK
  Applying django_celery_beat.0003_auto_20161209_0049... OK
  Applying django_celery_beat.0004_auto_20170221_0000... OK
  Applying django_celery_beat.0005_add_solarschedule_events_choices... OK
  Applying django_celery_beat.0006_auto_20180210_1226... OK
  Applying ops.0001_initial... OK
  Applying ops.0002_celerytask... OK
  Applying users.0001_initial... OK
  Applying users.0002_auto_20171225_1157... OK
  Applying users.0003_auto_20180509_1351... OK
  Applying perms.0001_initial... OK
  Applying perms.0002_auto_20180509_1351... OK
  Applying sessions.0001_initial... OK
  Applying terminal.0001_initial... OK
  Applying terminal.0002_auto_20180509_1351... OK
```
Running JumpServer
```
(py3) [root@master utils]# cd /opt/jumpserver/
(py3) [root@master jumpserver]# python run_server.py all
Wed May  9 13:53:15 2018
Jumpserver version 1.3.0, more see https://www.jumpserver.org
- Start Gunicorn WSGI HTTP Server
Check database structure change ...
2018-05-09 13:53:17 [signals_handler DEBUG] Receive django ready signal
2018-05-09 13:53:17 [signals_handler DEBUG] - fresh all settings
---------------
Task terminal.tasks.clean_orphan_session[eb960461-07a0-4b42-a5bb-96fdd94fabcd] succeeded in 0.11468194000190124s: None
```
If it starts without any error messages, you can open the web interface in a browser at http://server_ip:8080.
The default username/password is admin/admin; change it at the first login, before the host is reachable by anyone else. At this point only the JumpServer web back end is running: opening the Web Terminal produces an error (shown as a screenshot in the original post) until Coco and Luna are installed.
Installing the SSH server and WebSocket server: Coco
Open a new SSH session to the server for this part, since the previous one is still running run_server.py in the foreground.
Downloading the project files
```
[root@master ~]# source /opt/py3/bin/activate
(py3) [root@master ~]# cd /opt/
(py3) [root@master opt]# git clone https://github.com/jumpserver/coco.git
Cloning into 'coco'...
remote: Counting objects: 1276, done.
remote: Total 1276 (delta 0), reused 0 (delta 0), pack-reused 1276
Receiving objects: 100% (1276/1276), 272.18 KiB | 39.00 KiB/s, done.
Resolving deltas: 100% (901/901), done.
(py3) [root@master opt]# cd coco && git checkout master
Already on 'master'
```
Installing dependencies
```
(py3) [root@master coco]# cd /opt/coco/requirements/
(py3) [root@master requirements]# yum -y install $(cat rpm_requirements.txt)
(py3) [root@master requirements]# pip install -r requirements.txt
(py3) [root@master requirements]# echo $?
0
(py3) [root@master requirements]# cd /opt/coco/
(py3) [root@master coco]# cp conf_example.py conf.py
(py3) [root@master coco]# python run_server.py
Start coco process
2018-05-09 14:19:44 [service DEBUG] Initial app service
2018-05-09 14:19:44 [service DEBUG] Load access key
2018-05-09 14:19:44 [service INFO] No access key found, register it
2018-05-09 14:19:44 [service INFO] "Terminal was not accepted yet"
2018-05-09 14:19:48 [service INFO] "Terminal was not accepted yet"
# At this point you need to go to the web admin console and accept the terminal's registration
```
Coco keeps polling until an administrator accepts it, so only accept a registration you were expecting: anything that can reach the API and knows the bootstrap flow can ask to be registered as a terminal. Once it is accepted, the following appears:
```
2018-05-09 14:21:23 [service DEBUG] Set app service auth: 9f13a90b-80e4-47ae-b0ad-d825cff70ff0
2018-05-09 14:21:23 [service DEBUG] Service http auth: <jms.auth.AccessKeyAuth object at 0x7f5d1b18de10>
2018-05-09 14:21:23 [app DEBUG] Loading config from server: {"COMMAND_STORAGE": {"TYPE": "server"}, "REPLAY_STORAGE": {"TYPE": "server"}}
Wed May  9 14:21:23 2018
Coco version 1.3.0, more see https://www.jumpserver.org
Quit the server with CONTROL-C.
Starting ssh server at 0.0.0.0:2222
WebSocket transport not available. Install eventlet or gevent and gevent-websocket for improved performance.
 * Running on http://0.0.0.0:5000/ (Press CTRL+C to quit)
# Output like this means it started successfully
```
Coco binds its SSH server to 0.0.0.0:2222 and its WebSocket server to 0.0.0.0:5000. Port 2222 is the one users connect to; port 5000 only needs to be reachable by the Nginx instance that a later section puts in front of it, and should not be exposed to the network directly.
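With Coco started, the host now has five listeners from this page: Redis on localhost:6379, mysqld on *:mysql, gunicorn on 8080, and Coco on 0.0.0.0:2222 and 0.0.0.0:5000. The following is an added example, not part of this page or of JumpServer, that reads `ss -ltn` output and reports which of the local-only services are bound off loopback. The port roles are taken from the page's own output; the ss sample is constructed to match it (CentOS 7's iproute2 prints `*` and `::` for the wildcard addresses, newer versions print `0.0.0.0` and `[::]`, and both forms are handled).

```python
"""Added example, not part of this page or of JumpServer: flag deployment
components that listen on all interfaces when only this host should reach
them. Port roles follow the page's lsof/coco output; SAMPLE_SS is a
constructed `ss -ltn` listing matching those listeners."""
import ipaddress
import subprocess

# Role of each port in this deployment and whether it must face the network.
# 2222 (Coco SSH) is the user entry point; 8080 is the web UI until Nginx
# fronts it; 5000 is only ever reached through Nginx; Redis and MySQL are
# only used by processes on this host.
PORT_POLICY = {
    2222: ("coco ssh", "public"),
    8080: ("jumpserver gunicorn", "public"),
    5000: ("coco websocket", "local"),
    6379: ("redis", "local"),
    3306: ("mysql", "local"),
}

# Constructed `ss -ltn` output matching the listeners shown on this page.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 127.0.0.1:6379 *:*
LISTEN 0 80 :::3306 :::*
LISTEN 0 128 *:2222 *:*
LISTEN 0 128 *:5000 *:*
LISTEN 0 128 *:8080 *:*
LISTEN 0 100 ::1:25 :::*
"""


def split_addr(local):
    """Turn ss's Local Address:Port column into (ip_address, port)."""
    host, _, port = local.rpartition(":")
    host = host.strip("[]")
    if host in ("*", ""):
        host = "0.0.0.0"  # older ss prints '*' for the IPv4 wildcard
    return ipaddress.ip_address(host), int(port)


def parse_listeners(ss_output):
    """Yield (ip, port) for each LISTEN line; the header line is skipped."""
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) >= 5 and fields[0] == "LISTEN":
            yield split_addr(fields[3])


def exposed_services(ss_output, policy=PORT_POLICY):
    """Return sorted [(port, name)] for 'local' services bound off loopback."""
    findings = []
    for ip, port in parse_listeners(ss_output):
        if port in policy:
            name, scope = policy[port]
            if scope == "local" and not ip.is_loopback:
                findings.append((port, name))
    return sorted(findings)


def live_ss_output():
    """Run ss on this host; fall back to the constructed sample if ss is absent."""
    try:
        return subprocess.run(["ss", "-ltn"], capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return SAMPLE_SS


if __name__ == "__main__":
    for port, name in exposed_services(live_ss_output()):
        print(f"port {port} ({name}) is reachable from the network; bind it to 127.0.0.1")
```

Run against the page's own listeners it reports MySQL (3306) and Coco's WebSocket port (5000). The fix for MySQL is bind-address in my.cnf; for Coco it is the bind address in conf.py, or a firewall rule that allows 5000 only from the Nginx host once that is in place.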
Testing the connection
Before answering "yes" to the host key prompt, compare the fingerprint it shows with the one computed from Coco's own host key on the server (for example with ssh-keygen -l on the public key); a bastion host is the one place where a blindly accepted host key hands an attacker every password typed through it.
```
[root@testLinux1 ~]# ssh -p2222 admin@192.168.3.82
The authenticity of host '[192.168.3.82]:2222 ([192.168.3.82]:2222)' can't be established.
RSA key fingerprint is SHA256:Dw9BcxNFFZtgc1EpavxUeamzKT1VoX6UAPNIyzaEhpw.
RSA key fingerprint is MD5:16:d8:05:5e:12:9d:e5:54:ee:96:97:21:ab:33:2c:7e.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[192.168.3.82]:2222' (RSA) to the list of known hosts.
admin@192.168.3.82's password:
        Administrator, welcome to the JumpServer open-source jump host system
        1) Enter an ID to log in directly, or enter part of an IP, hostname or comment to search and log in (if the match is unique).
        2) Enter / + IP, hostname or comment to search, e.g. /ip
        3) Enter P/p to list the hosts you have access to.
        4) Enter G/g to list the host groups you have access to.
        5) Enter G/g + group ID to list the hosts in that group, e.g. g1
        6) Enter H/h for help.
        0) Enter Q/q to quit.
Opt>
# Being able to log in means the deployment is working
```
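The two fingerprint lines in the prompt above are hashes of the server's public key blob: SHA256 shown as unpadded base64, MD5 as colon-separated hex. The following is an added example, not part of this page or of Coco, that reproduces them from an OpenSSH public key line so the value a user is shown can be checked against the key on the Coco host. The key in it is constructed (a throwaway modulus, not a real RSA key), and the host key path mentioned in the comments is an assumption to be checked against conf.py.

```python
"""Added example, not part of this page or of Coco: compute the fingerprints
ssh prints at the "authenticity of host" prompt from the server's public key.
SAMPLE_PUB is constructed; the host key path in the comments is assumed."""
import base64
import hashlib
import struct


def _ssh_string(data):
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(n):
    # RFC 4251 mpint: big-endian, with a leading 0x00 when the top bit is set.
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def rsa_public_blob(e, n):
    """Encode an RSA public key as the ssh-rsa wire blob (RFC 4253 s6.6)."""
    return _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)


def parse_pubkey_line(line):
    """Decode the blob from an OpenSSH 'ssh-rsa AAAA... comment' line."""
    parts = line.split()
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("expected an ssh-rsa public key line")
    return base64.b64decode(parts[1])


def fingerprints(blob):
    """Fingerprints as OpenSSH displays them: SHA256 as base64 without
    padding, MD5 as colon-separated hex, keyed by algorithm name."""
    sha = base64.b64encode(hashlib.sha256(blob).digest()).rstrip(b"=").decode()
    md5 = hashlib.md5(blob).hexdigest()
    return {"SHA256": sha, "MD5": ":".join(md5[i:i + 2] for i in range(0, 32, 2))}


def fingerprint_matches(pubkey_line, shown):
    """True if `shown` ('SHA256:...' or 'MD5:...', as printed by ssh) is the
    fingerprint of the key in `pubkey_line`."""
    algo, sep, value = shown.strip().partition(":")
    algo = algo.upper()
    if not sep or algo not in ("SHA256", "MD5"):
        raise ValueError("expected 'SHA256:...' or 'MD5:...'")
    expected = fingerprints(parse_pubkey_line(pubkey_line))[algo]
    return value.lower() == expected if algo == "MD5" else value == expected


# Constructed stand-in for the server's public key line. On the Coco host the
# real line comes from the host key Coco generated, e.g. (path assumed):
#   ssh-keygen -y -f /opt/coco/keys/host_rsa_key
SAMPLE_PUB = "ssh-rsa " + base64.b64encode(
    rsa_public_blob(65537, (0xC0C0 << 1008) | 0x1001)  # not a real modulus
).decode() + " coco-host-key-constructed"


if __name__ == "__main__":
    fp = fingerprints(parse_pubkey_line(SAMPLE_PUB))
    print("SHA256:" + fp["SHA256"])
    print("MD5:" + fp["MD5"])
    # The fingerprint from the page's prompt does not belong to this constructed key.
    print(fingerprint_matches(SAMPLE_PUB, "SHA256:Dw9BcxNFFZtgc1EpavxUeamzKT1VoX6UAPNIyzaEhpw"))
```

In practice the public key line is obtained on the Coco host with ssh-keygen -y on its private host key (or read from the matching .pub file), published to users through a channel they already trust, and compared with fingerprint_matches against what their client printed; once the key is known, adding it to known_hosts or ssh_known_hosts turns the prompt off entirely.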
Installing the Web Terminal front end: Luna
Luna is now a pure front end and needs Nginx to serve it. Download the release package whose version matches your Jumpserver and Coco (1.3.0 in this walkthrough) from https://github.com/jumpserver/luna/releases and unpack it; no build step is needed.