zoukankan      html  css  js  c++  java
  • Jumpserver(堡垒机)的安装与应用

    官网:http://docs.jumpserver.org/zh/docs/introduce.html

    参考:https://www.cnblogs.com/mushou/p/9484317.html

     作者:邓聪聪

    环境

    • 系统: CentOS 7.6
    • IP: 172.16.16.2
    • 关闭 selinux 和防火墙
    • jumpserver和coco、luna的版本必须保持一致
    [root@bogon ~]# setenforce 0
    [root@bogon ~]# sed -i "s/enforcing/disabled/g" /etc/selinux/config
    [root@bogon ~]# iptables -F

    1.准备 Python3 和 Python 虚拟环境

    1. 安装依赖包
      [root@bogon ~]# yum -y install wget gcc epel-release git
    2. 安装 Python3.6
      [root@bogon ~]# yum -y install python36 python36-devel
    3. 建立 Python 虚拟环境
      [root@bogon ~]#  cd /opt
      [root@bogon opt]#  python3.6 -m venv py3
      [root@bogon opt]#  source /opt/py3/bin/activate
      # 看到下面的提示符代表成功,以后运行 Jumpserver 都要先运行以上 source 命令,以下所有命令均在该虚拟环境中运行
      (py3)[root@bogon opt]#

    2.安装 Jumpserver

    1. Clone 项目也可以选择去 Github 项目页面直接下载zip包
      (py3)[root@bogon opt]# git clone https://github.com/jumpserver/jumpserver.git
    2. 安装依赖 RPM 包
      (py3)[root@bogon opt]#cd /opt/jumpserver/requirements
      (py3)[root@bogon requirements]#yum -y install $(cat rpm_requirements.txt)
    3. 安装 Python 库依赖
      (py3)[root@bogon requirements]#pip install --upgrade pip setuptools
      (py3)[root@bogon requirements]#pip install -r requirements.txt
    4. 安装 Redis, Jumpserver 使用 Redis 做 cache 和 celery broke
      (py3)[root@bogon requirements]#yum -y install redis
      (py3)[root@bogon requirements]#systemctl start redis
    5.  安装 MySQL

      (py3) [root@bogon requirements]# yum -y install mariadb mariadb-devel mariadb-server # centos7下安装的是mariadb
      (py3) [root@bogon requirements]# systemctl start mariadb

    6. 创建数据库 Jumpserver 并授权
      (py3) [root@bogon requirements]#mysql -uroot
      mysql> create database jumpserver default charset 'utf8';
      mysql> grant all on jumpserver.* to 'jumpserver'@'127.0.0.1' identified by 'weakPassword';
      mysql> flush privileges;
      mysql> quit
    7. 修改 Jumpserver 配置文件    注意: 配置文件是 Python 格式,不要用 TAB,而要用空
      (py3) [root@bogon requirements]#cd  ..
      (py3) [root@bogon jumpserver]# cp config_example.py config.py
      (py3) [root@bogon jumpserver]# vi config.py
      #!/usr/bin/env python3
      # -*- coding: utf-8 -*-
      """
          jumpserver.config
          ~~~~~~~~~~~~~~~~~
      
          Jumpserver project setting file
      
          :copyright: (c) 2014-2017 by Jumpserver Team
          :license: GPL v2, see LICENSE for more details.
      """
      import os
      
      BASE_DIR = os.path.dirname(os.path.abspath(__file__))
      
      
      class Config:
          """
          Jumpserver Config File
          Jumpserver 配置文件
      
          Jumpserver use this config for drive django framework running,
          You can set is value or set the same envirment value,
          Jumpserver look for config order: file => env => default
      
          Jumpserver使用配置来驱动Django框架的运行,
          你可以在该文件中设置,或者设置同样名称的环境变量,
          Jumpserver使用配置的顺序: 文件 => 环境变量 => 默认值
          """
          # SECURITY WARNING: keep the secret key used in production secret!
          # 加密秘钥 生产环境中请修改为随机字符串,请勿外泄
          SECRET_KEY = '2vym+ky!997d5kkcc64mnz06y1mmui3lut#(^wd=%s_qj$1%x'
          ALLOWED_HOSTS = ['*']
      
          # SECURITY WARNING: keep the bootstrap token used in production secret!
          # 预共享Token coco和guacamole用来注册服务账号,不在使用原来的注册接受机制
          BOOTSTRAP_TOKEN = 'nwv4RdXpM82LtSvmV'
      
          # Development env open this, when error occur display the full process track, Production disable it
          # DEBUG 模式 开启DEBUG后遇到错误时可以看到更多日志
          # DEBUG = True
          DEBUG = False
      
          # DEBUG, INFO, WARNING, ERROR, CRITICAL can set. See https://docs.djangoproject.com/en/1.10/topics/logging/
          # 日志级别
          # LOG_LEVEL = 'DEBUG'
          # LOG_DIR = os.path.join(BASE_DIR, 'logs')
          LOG_LEVEL = 'ERROR'
          LOG_DIR = os.path.join(BASE_DIR, 'logs')
      
          # Session expiration setting, Default 24 hour, Also set expired on on browser close
          # 浏览器Session过期时间,默认24小时, 也可以设置浏览器关闭则过期
          # SESSION_COOKIE_AGE = 3600 * 24
          # SESSION_EXPIRE_AT_BROWSER_CLOSE = False
          SESSION_EXPIRE_AT_BROWSER_CLOSE = True
          # Database setting, Support sqlite3, mysql, postgres ....
          # 数据库设置
          # See https://docs.djangoproject.com/en/1.10/ref/settings/#databases
      
          # SQLite setting:
          # 使用单文件sqlite数据库
          # DB_ENGINE = 'sqlite3'
          # DB_NAME = os.path.join(BASE_DIR, 'data', 'db.sqlite3')
      
          # MySQL or postgres setting like:
          # 使用Mysql作为数据库
          DB_ENGINE = 'mysql'
          DB_HOST = '127.0.0.1'
          DB_PORT = 3306
          DB_USER = 'jumpserver'
          DB_PASSWORD = '123456'
          DB_NAME = 'jumpserver'
      
          # When Django start it will bind this host and port
          # ./manage.py runserver 127.0.0.1:8080
          # 运行时绑定端口
          HTTP_BIND_HOST = '0.0.0.0'
          HTTP_LISTEN_PORT = 8080
      
          # Use Redis as broker for celery and web socket
          # Redis配置
          REDIS_HOST = '127.0.0.1'
          REDIS_PORT = 6379
          # REDIS_PASSWORD = ''
          # REDIS_DB_CELERY = 3
          # REDIS_DB_CACHE = 4
      
          # Use OpenID authorization
          # 使用OpenID 来进行认证设置
          # BASE_SITE_URL = 'http://localhost:8080'
          # AUTH_OPENID = False  # True or False
          # AUTH_OPENID_SERVER_URL = 'https://openid-auth-server.com/'
          # AUTH_OPENID_REALM_NAME = 'realm-name'
          # AUTH_OPENID_CLIENT_ID = 'client-id'
          # AUTH_OPENID_CLIENT_SECRET = 'client-secret'
      
          #
          # OTP_VALID_WINDOW = 0
      
          def __init__(self):
              pass
      
          def __getattr__(self, item):
              return None
      
      
      class DevelopmentConfig(Config):
          pass
      
      
      class TestConfig(Config):
          pass
      
      
      class ProductionConfig(Config):
          pass
      
      
      # Default using Config settings, you can write if/else for different env
      config = DevelopmentConfig()
      View Code
    8. 运行 Jumpserver
      (py3) [root@bogon jumpserver]#./jms start all   #后台运行使用 -d 参数./jms start all -d
      (py3) [root@bogon jumpserver]#./jms start|stop|status|restart all  #其他参数

    3.安装 SSH Server 和 WebSocket Server: Coco

    1.  Clone 项目
      (py3) [root@bogon jumpserver]# cd ..
      (py3) [root@bogon opt]# git clone https://github.com/jumpserver/coco.git
      (py3) [root@bogon opt]#cd /opt/coco/requirements
      (py3) [root@bogon requirements]#yum -y  install $(cat rpm_requirements.txt)
      (py3) [root@bogon requirements]#pip install -r requirements.txt
    2. 修改配置文件并运行 
      (py3) [root@bogon requirements]#cd /opt/coco 
      [root@bogon coco]#
      mkdir keys logs
      [root@bogon coco]#
      cp conf_example.py conf.py
      [root@bogon coco]#
      vi conf.py
      #!/usr/bin/env python3
      # -*- coding: utf-8 -*-
      #
      import os
      
      BASE_DIR = os.path.dirname(__file__)
      
      class Config:
          """
          Coco config file, coco also load config from server update setting below
          """
          # 项目名称, 会用来向Jumpserver注册, 识别而已, 不能重复
          # NAME = "localhost"
          # Jumpserver项目的url, api请求注册会使用
          # CORE_HOST = os.environ.get("CORE_HOST") or 'http://127.0.0.1:8080'
          CORE_HOST = 'http://127.0.0.1:8080'
          # Bootstrap Token, 预共享秘钥, 用来注册coco使用的service account和terminal
          # 请和jumpserver 配置文件中保持一致,注册完成后可以删除
          # BOOTSTRAP_TOKEN = "PleaseChangeMe"
          BOOTSTRAP_TOKEN = "nwv4RdXpM82LtSvmV"
          # 启动时绑定的ip, 默认 0.0.0.0
          # BIND_HOST = '0.0.0.0'
          # 监听的SSH端口号, 默认2222
          # SSHD_PORT = 2222
          # 监听的HTTP/WS端口号,默认5000
          # HTTPD_PORT = 5000
          # 项目使用的ACCESS KEY, 默认会注册,并保存到 ACCESS_KEY_STORE中,
          # 如果有需求, 可以写到配置文件中, 格式 access_key_id:access_key_secret
          # ACCESS_KEY = None
          # ACCESS KEY 保存的地址, 默认注册后会保存到该文件中
          # ACCESS_KEY_STORE = os.path.join(BASE_DIR, 'keys', '.access_key')
          # 加密密钥
          # SECRET_KEY = None
          # 设置日志级别 ['DEBUG', 'INFO', 'WARN', 'ERROR', 'FATAL', 'CRITICAL']
          # LOG_LEVEL = 'INFO'
          LOG_LEVEL = 'ERROR'
          # 日志存放的目录
          # LOG_DIR = os.path.join(BASE_DIR, 'logs')
          # Session录像存放目录
          # SESSION_DIR = os.path.join(BASE_DIR, 'sessions')
          # 资产显示排序方式, ['ip', 'hostname']
          # ASSET_LIST_SORT_BY = 'ip'
          # 登录是否支持密码认证
          # PASSWORD_AUTH = True
          # 登录是否支持秘钥认证
          # PUBLIC_KEY_AUTH = True
          # SSH白名单
          # ALLOW_SSH_USER = 'all'  # ['test', 'test2']
          # SSH黑名单, 如果用户同时在白名单和黑名单,黑名单优先生效
          # BLOCK_SSH_USER = []
          # 和Jumpserver 保持心跳时间间隔
          # HEARTBEAT_INTERVAL = 5
      
          # Admin的名字,出问题会提示给用户
          # ADMINS = ''
          COMMAND_STORAGE = {
              "TYPE": "server"
          }
          REPLAY_STORAGE = {
              "TYPE": "server"
          }
      
          # SSH连接超时时间 (default 15 seconds)
          # SSH_TIMEOUT = 15
          # 语言 = en
          LANGUAGE_CODE = 'zh'
      
      config = Config()
      View Code
      (py3) [root@bogon coco]#./cocod start      #后台运行使用 -d 参数./cocod start -d
      (py3) [root@bogon coco]#./cocod start|stop|status|restart  #脚本使用方式

    4.安装 Web Terminal 前端: Luna

    1. (py3) [root@bogon opt]# cd /opt
      # 访问(https://github.com/jumpserver/luna/releases)下载对应版本的 release 包,直接解压,不需要编译
      (py3) [root@bogon opt]# wget https://github.com/jumpserver/luna/releases/download/1.4.6/luna.tar.gz
      (py3) [root@bogon opt]# tar -xf luna.tar.gz
      (py3) [root@bogon opt]# chown -R root:root luna

    5.配置 Nginx 整合各组件

    1. 安装 Nginx
      vi /etc/yum.repos.d/nginx.repo
      
      [nginx]
      name=nginx repo
      baseurl=http://nginx.org/packages/centos/7/$basearch/
      gpgcheck=0
      enabled=1
      View Code

      (py3) [root@bogon opt]# yum install -y nginx
      (py3) [root@bogon opt]# rm -rf /etc/nginx/conf.d/default.conf
      (py3) [root@bogon opt]# vi /etc/nginx/conf.d/jumpserver.conf

      server {
          listen 80;  # 代理端口,以后将通过此端口进行访问,不再通过8080端口
          server_name demo.jumpserver.org;  # 修改成你的域名
       
          client_max_body_size 100m;  # 录像及文件上传大小限制
       
          location /luna/ {
              try_files $uri / /index.html;
              alias /opt/luna/;  # luna 路径,如果修改安装目录,此处需要修改
          }
       
          location /media/ {
              add_header Content-Encoding gzip;
              root /opt/jumpserver/data/;  # 录像位置,如果修改安装目录,此处需要修改
          }
       
          location /static/ {
              root /opt/jumpserver/data/;  # 静态资源,如果修改安装目录,此处需要修改
          }
       
          location /socket.io/ {
              proxy_pass       http://localhost:5000/socket.io/;  # 如果coco安装在别的服务器,请填写它的ip
              proxy_buffering off;
              proxy_http_version 1.1;
              proxy_set_header Upgrade $http_upgrade;
              proxy_set_header Connection "upgrade";
              proxy_set_header X-Real-IP $remote_addr;
              proxy_set_header Host $host;
              proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
              access_log off;
          }
       
          location /coco/ {
              proxy_pass       http://localhost:5000/coco/;  # 如果coco安装在别的服务器,请填写它的ip
              proxy_set_header X-Real-IP $remote_addr;
              proxy_set_header Host $host;
              proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
              access_log off;
          }
       
          location /guacamole/ {
              proxy_pass       http://localhost:8081/;  # 如果guacamole安装在别的服务器,请填写它的ip
              proxy_buffering off;
              proxy_http_version 1.1;
              proxy_set_header Upgrade $http_upgrade;
              proxy_set_header Connection $http_connection;
              proxy_set_header X-Real-IP $remote_addr;
              proxy_set_header Host $host;
              proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
              access_log off;
          }
       
          location / {
              proxy_pass http://localhost:8080;  # 如果jumpserver安装在别的服务器,请填写它的ip
              proxy_set_header X-Real-IP $remote_addr;
              proxy_set_header Host $host;
              proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          }
      }
      View Code
    2. 运行nginx
      (py3) [root@bogon opt]#nginx -t   # 确保配置没有问题, 有问题请先解决
      (py3) [root@bogon opt]#systemctl start nginx
    3. 使用 Jumpserver,服务全部启动后,访问 http://IP
    4. jumpsever的服务启动流程
      [root@bogon ~]#  cd /opt
      [root@bogon opt]#  source /opt/py3/bin/activate  #进入python环境
      (py3)[root@bogon opt]#systemctl start redis         #启动redis
      (py3)[root@bogon opt]#systemctl start mariadb    #启动数据库服务
      (py3)[root@bogon opt]#cd /opt/jumpserver
      (py3)[root@bogon jumpserver]# ./jms start -d     #启动jumpserver服务,后台运行
      (py3)[root@bogon coco]#./coco start -d          #后台运行coco服务
      (py3)[root@bogon coco]#systemctl start nginx     #启动nginx服务
      (py3)[root@bogon coco]#systemctl enable nginx #开机自启动
      (py3)[root@bogon coco]#systemctl enable mariadb
      (py3)[root@bogon coco]#systemctl enable redis

    使用jumpserver时,打开会话管理-web终端无显示可能由于浏览器造成的,更换其他第三方浏览下即可

    6.Jumpserver的使用

    1. 登陆后创建用户组,方便以后的授权操作

    2. 添加系统用户

       

     为了更方便快捷的使用jumpserver,默认管理员无法直接生成密码给用户,有大拿提供了一下修改配置文件的办法,直接创建密码给用户,感觉挺好用就分享给大家

        配置文件路径:/opt/jumpserver/apps/users/templates/users

    (py3) [root@bogon users]# more _user.html
    {% extends '_base_create_update.html' %}
    {% load i18n %}
    {% load static %}
    {% load bootstrap3 %}
    {% block form %}
        {% if form.non_field_errors %}
             <div class="alert alert-danger">
                {{ form.non_field_errors }}
             </div>
        {% endif %}
        <form method="post" class="form-horizontal" action="" enctype="multipart/form-data">
            {% csrf_token %}
            <h3>{% trans 'Account' %}</h3>
            {% bootstrap_field form.name layout="horizontal" %}
            {% bootstrap_field form.username layout="horizontal" %}
            {% bootstrap_field form.email layout="horizontal" %}
            {% bootstrap_field form.groups layout="horizontal" %}
    
            <div class="hr-line-dashed"></div>
    
            <h3>{% trans 'Auth' %}</h3>
            {#{% block password %}{% endblock %}#}    #注释该行
            {% bootstrap_field form.password layout="horizontal" %}    #追加的行内容
            {% bootstrap_field form.otp_level layout="horizontal" %}
    
            <div class="hr-line-dashed"></div>
            <h3>{% trans 'Security and Role' %}</h3>
            {% bootstrap_field form.role layout="horizontal" %}
            <div class="form-group {% if form.date_expired.errors %} has-error {% endif %}" id="date_5">
                <label for="{{ form.date_expired.id_for_label }}" class="col-sm-2 control-label">{{ form.date_expired.label }}</label>
                <div class="col-sm-9">
                    <div class="input-group date">
                        <span class="input-group-addon"><i class="fa fa-calendar"></i></span>
                        {% if form.errors %}
                        <input id="{{ form.date_expired.id_for_label }}" name="{{ form.date_expired.html_name }}" type="text" class="form-control"  value="{{ form.date_exp
    ired.value }}">
                        {% else %}
                        <input id="{{ form.date_expired.id_for_label }}" name="{{ form.date_expired.html_name }}" type="text" class="form-control"  value="{{ form.date_exp
    ired.value|date:'Y-m-d H:i' }}">
                        {% endif %}
                    </div>
                    <span class="help-block ">{{ form.date_expired.errors }}</span>
                </div>
             </div>
            <div class="hr-line-dashed"></div>
            <h3>{% trans 'Profile' %}</h3>
            {% bootstrap_field form.phone layout="horizontal" %}
            {% bootstrap_field form.wechat layout="horizontal" %}
            {% bootstrap_field form.comment layout="horizontal" %}
            <div class="hr-line-dashed"></div>
            <div class="form-group">
                <div class="col-sm-4 col-sm-offset-2">
                    <button class="btn btn-white" type="reset">{% trans 'Reset' %}</button>
                    <button id="submit_button" class="btn btn-primary" type="submit">{% trans 'Submit' %}</button>
                </div>
            </div>
        </form>
    
    {% endblock %}
    {% block custom_foot_js %}
        <script src="{% static 'js/plugins/datepicker/bootstrap-datepicker.js' %}"></script>
        <script type="text/javascript" src='{% static "js/plugins/daterangepicker/moment.min.js" %}'></script>
        <script type="text/javascript" src='{% static "js/plugins/daterangepicker/daterangepicker.min.js" %}'></script>
        <link rel="stylesheet" type="text/css" href={% static "css/plugins/daterangepicker/daterangepicker.css" %} />
    
        <script>
            var dateOptions = {
                singleDatePicker: true,
                showDropdowns: true,
                timePicker: true,
                timePicker24Hour: true,
                autoApply: true,
                locale: {
                    format: 'YYYY-MM-DD HH:mm'
                }
            };
            $(document).ready(function () {
                $('.select2').select2();
                $('#id_date_expired').daterangepicker(dateOptions);
            })
        </script>
    {% endblock %}

     ***升级篇***

      升级 Jumpserver

    cd /opt/jumpserver
    source /opt/py3/bin/activate
    ./jms stop
    git fetch
    git pull
    
    pip install -r requirements/requirements.txt
    
    启动 jumpserver
    cd ../
    ./jms start all -d

      升级coco

    cd /opt/coco
    git pull
    source /opt/py3/bin/activate
    ./cocod stop
    
    pip install -r requirements/requirements.txt
    ./cocod start -d

      升级luna

    cd /opt
    rm -rf luna
    wget https://github.com/jumpserver/luna/releases/download/1.4.8/luna.tar.gz
    
    # 如果网络有问题导致下载无法完成可以使用下面地址
    $ wget https://demo.jumpserver.org/download/luna/1.4.8/luna.tar.gz
    
    tar xf luna.tar.gz
    chown -R root:root luna
     

      

  • 相关阅读:
    Centos7LDAP LDAPadmin的完整部署记录(改良版,其它文档太多坑)
    linux weblogic11g 部署
    redis离线集群安装
    Weblogic11g 10.3部署
    jdk安装部署
    tar.xz文件如何解压
    linux-Centos7安装python3并与python2共存
    ssh免密码登录配置方法
    Docker容器安装weblogic详细教程
    linux命令分块总结---多操作才是真理
  • 原文地址:https://www.cnblogs.com/dengcongcong/p/10271371.html
Copyright © 2011-2022 走看看