  • Installing and using Jumpserver (bastion host)

    Official docs: http://docs.jumpserver.org/zh/docs/introduce.html

    Reference: https://www.cnblogs.com/mushou/p/9484317.html

    Author: 邓聪聪

    Environment

    • OS: CentOS 7.6
    • IP: 172.16.16.2
    • SELinux and the firewall are disabled
    • jumpserver, coco and luna must be on the same version
    [root@bogon ~]# setenforce 0
    [root@bogon ~]# sed -i "s/enforcing/disabled/g" /etc/selinux/config
    [root@bogon ~]# iptables -F

    1. Prepare Python 3 and a Python virtual environment

    1. Install the dependencies
      [root@bogon ~]# yum -y install wget gcc epel-release git
    2. Install Python 3.6
      [root@bogon ~]# yum -y install python36 python36-devel
    3. Create the Python virtual environment
      [root@bogon ~]# cd /opt
      [root@bogon opt]# python3.6 -m venv py3
      [root@bogon opt]# source /opt/py3/bin/activate
      # The prompt below means the venv is active. Run the source command above before every Jumpserver session; all commands that follow run inside this venv
      (py3)[root@bogon opt]#

    2. Install Jumpserver

    1. Clone the project (you can also download the zip package from the GitHub project page)
      (py3)[root@bogon opt]# git clone https://github.com/jumpserver/jumpserver.git
    2. Install the RPM dependencies
      (py3)[root@bogon opt]# cd /opt/jumpserver/requirements
      (py3)[root@bogon requirements]# yum -y install $(cat rpm_requirements.txt)
    3. Install the Python library dependencies
      (py3)[root@bogon requirements]# pip install --upgrade pip setuptools
      (py3)[root@bogon requirements]# pip install -r requirements.txt
    4. Install Redis; Jumpserver uses Redis as its cache and as the Celery broker
      (py3)[root@bogon requirements]# yum -y install redis
      (py3)[root@bogon requirements]# systemctl start redis
    5. Install MySQL
      (py3) [root@bogon requirements]# yum -y install mariadb mariadb-devel mariadb-server # on CentOS 7 this installs MariaDB
      (py3) [root@bogon requirements]# systemctl start mariadb
    6. Create the jumpserver database and grant access to it
      (py3) [root@bogon requirements]# mysql -uroot
      mysql> create database jumpserver default charset 'utf8';
      mysql> grant all on jumpserver.* to 'jumpserver'@'127.0.0.1' identified by 'weakPassword';
      mysql> flush privileges;
      mysql> quit
    7. Edit the Jumpserver config file    Note: the config file is Python; indent with spaces, not TABs
      (py3) [root@bogon requirements]# cd ..
      (py3) [root@bogon jumpserver]# cp config_example.py config.py
      (py3) [root@bogon jumpserver]# vi config.py
      #!/usr/bin/env python3
      # -*- coding: utf-8 -*-
      """
          jumpserver.config
          ~~~~~~~~~~~~~~~~~
      
          Jumpserver project setting file
      
          :copyright: (c) 2014-2017 by Jumpserver Team
          :license: GPL v2, see LICENSE for more details.
      """
      import os
      
      BASE_DIR = os.path.dirname(os.path.abspath(__file__))
      
      
      class Config:
          """
          Jumpserver Config File
      
          Jumpserver uses this config to drive the Django framework.
          You can set a value here or set an environment variable of the same name.
          Jumpserver resolves settings in this order: file => env => default
          """
          # SECURITY WARNING: keep the secret key used in production secret!
          # Encryption key: change it to a random string in production and never disclose it
          SECRET_KEY = '2vym+ky!997d5kkcc64mnz06y1mmui3lut#(^wd=%s_qj$1%x'
          ALLOWED_HOSTS = ['*']
      
          # SECURITY WARNING: keep the bootstrap token used in production secret!
          # Pre-shared token that coco and guacamole use to register their service accounts; replaces the old register-then-accept mechanism
          BOOTSTRAP_TOKEN = 'nwv4RdXpM82LtSvmV'
      
          # Development env open this, when error occur display the full process track, Production disable it
          # DEBUG mode: with DEBUG on, errors produce much more log output
          # DEBUG = True
          DEBUG = False
      
          # DEBUG, INFO, WARNING, ERROR, CRITICAL can set. See https://docs.djangoproject.com/en/1.10/topics/logging/
          # Log level
          # LOG_LEVEL = 'DEBUG'
          # LOG_DIR = os.path.join(BASE_DIR, 'logs')
          LOG_LEVEL = 'ERROR'
          LOG_DIR = os.path.join(BASE_DIR, 'logs')
      
          # Session expiration setting, Default 24 hour, Also set expired on on browser close
          # Browser session lifetime, default 24 hours; can also be set to expire when the browser closes
          # SESSION_COOKIE_AGE = 3600 * 24
          # SESSION_EXPIRE_AT_BROWSER_CLOSE = False
          SESSION_EXPIRE_AT_BROWSER_CLOSE = True
          # Database setting, Support sqlite3, mysql, postgres ....
          # See https://docs.djangoproject.com/en/1.10/ref/settings/#databases
      
          # SQLite setting:
          # single-file sqlite database
          # DB_ENGINE = 'sqlite3'
          # DB_NAME = os.path.join(BASE_DIR, 'data', 'db.sqlite3')
      
          # MySQL or postgres setting like:
          # Use MySQL as the database
          DB_ENGINE = 'mysql'
          DB_HOST = '127.0.0.1'
          DB_PORT = 3306
          DB_USER = 'jumpserver'
          DB_PASSWORD = 'weakPassword'  # must match the password in the GRANT statement from step 6
          DB_NAME = 'jumpserver'
      
          # When Django start it will bind this host and port
          # ./manage.py runserver 127.0.0.1:8080
          # Host and port bound at run time
          HTTP_BIND_HOST = '0.0.0.0'
          HTTP_LISTEN_PORT = 8080
      
          # Use Redis as broker for celery and web socket
          # Redis settings
          REDIS_HOST = '127.0.0.1'
          REDIS_PORT = 6379
          # REDIS_PASSWORD = ''
          # REDIS_DB_CELERY = 3
          # REDIS_DB_CACHE = 4
      
          # Use OpenID authorization
          # OpenID authentication settings
          # BASE_SITE_URL = 'http://localhost:8080'
          # AUTH_OPENID = False  # True or False
          # AUTH_OPENID_SERVER_URL = 'https://openid-auth-server.com/'
          # AUTH_OPENID_REALM_NAME = 'realm-name'
          # AUTH_OPENID_CLIENT_ID = 'client-id'
          # AUTH_OPENID_CLIENT_SECRET = 'client-secret'
      
          #
          # OTP_VALID_WINDOW = 0
      
          def __init__(self):
              pass
      
          def __getattr__(self, item):
              return None
      
      
      class DevelopmentConfig(Config):
          pass
      
      
      class TestConfig(Config):
          pass
      
      
      class ProductionConfig(Config):
          pass
      
      
      # Default using Config settings, you can write if/else for different env
      config = DevelopmentConfig()
    8. Run Jumpserver
      (py3) [root@bogon jumpserver]# ./jms start all   # to run in the background add -d: ./jms start all -d
      (py3) [root@bogon jumpserver]# ./jms start|stop|status|restart all  # other subcommands

    3. Install the SSH server and WebSocket server: Coco

    1. Clone the project
      (py3) [root@bogon jumpserver]# cd ..
      (py3) [root@bogon opt]# git clone https://github.com/jumpserver/coco.git
      (py3) [root@bogon opt]# cd /opt/coco/requirements
      (py3) [root@bogon requirements]# yum -y install $(cat rpm_requirements.txt)
      (py3) [root@bogon requirements]# pip install -r requirements.txt
    2. Edit the config file and run
      (py3) [root@bogon requirements]# cd /opt/coco
      (py3) [root@bogon coco]# mkdir keys logs
      (py3) [root@bogon coco]# cp conf_example.py conf.py
      (py3) [root@bogon coco]# vi conf.py
      #!/usr/bin/env python3
      # -*- coding: utf-8 -*-
      #
      import os
      
      BASE_DIR = os.path.dirname(__file__)
      
      class Config:
          """
          Coco config file, coco also load config from server update setting below
          """
          # Project name, used to register with Jumpserver; purely an identifier, must be unique
          # NAME = "localhost"
          # URL of the Jumpserver project, used by the API registration request
          # CORE_HOST = os.environ.get("CORE_HOST") or 'http://127.0.0.1:8080'
          CORE_HOST = 'http://127.0.0.1:8080'
          # Bootstrap Token: pre-shared secret used to register coco's service account and terminal
          # Keep it identical to the one in the jumpserver config file; it can be removed once registration is done
          # BOOTSTRAP_TOKEN = "PleaseChangeMe"
          BOOTSTRAP_TOKEN = "nwv4RdXpM82LtSvmV"
          # IP to bind at start-up, default 0.0.0.0
          # BIND_HOST = '0.0.0.0'
          # SSH port to listen on, default 2222
          # SSHD_PORT = 2222
          # HTTP/WS port to listen on, default 5000
          # HTTPD_PORT = 5000
          # ACCESS KEY used by the project; registered automatically by default and saved to ACCESS_KEY_STORE.
          # If needed it can be written into the config file, format access_key_id:access_key_secret
          # ACCESS_KEY = None
          # Where the ACCESS KEY is saved; after registration it is written to this file by default
          # ACCESS_KEY_STORE = os.path.join(BASE_DIR, 'keys', '.access_key')
          # Encryption key
          # SECRET_KEY = None
          # Log level ['DEBUG', 'INFO', 'WARN', 'ERROR', 'FATAL', 'CRITICAL']
          # LOG_LEVEL = 'INFO'
          LOG_LEVEL = 'ERROR'
          # Log directory
          # LOG_DIR = os.path.join(BASE_DIR, 'logs')
          # Session recording directory
          # SESSION_DIR = os.path.join(BASE_DIR, 'sessions')
          # Asset list sort order, ['ip', 'hostname']
          # ASSET_LIST_SORT_BY = 'ip'
          # Whether login supports password authentication
          # PASSWORD_AUTH = True
          # Whether login supports key authentication
          # PUBLIC_KEY_AUTH = True
          # SSH allow list
          # ALLOW_SSH_USER = 'all'  # ['test', 'test2']
          # SSH block list; if a user is on both lists the block list wins
          # BLOCK_SSH_USER = []
          # Heartbeat interval to Jumpserver
          # HEARTBEAT_INTERVAL = 5
      
          # Admin name, shown to users when something goes wrong
          # ADMINS = ''
          COMMAND_STORAGE = {
              "TYPE": "server"
          }
          REPLAY_STORAGE = {
              "TYPE": "server"
          }
      
          # SSH connection timeout (default 15 seconds)
          # SSH_TIMEOUT = 15
          # Language, default en
          LANGUAGE_CODE = 'zh'
      
      config = Config()
      (py3) [root@bogon coco]# ./cocod start      # to run in the background add -d: ./cocod start -d
      (py3) [root@bogon coco]# ./cocod start|stop|status|restart  # script usage

    4. Install the web terminal front end: Luna

    1. (py3) [root@bogon opt]# cd /opt
      # Download the release package matching your version from https://github.com/jumpserver/luna/releases and extract it; no build step is needed
      (py3) [root@bogon opt]# wget https://github.com/jumpserver/luna/releases/download/1.4.6/luna.tar.gz
      (py3) [root@bogon opt]# tar -xf luna.tar.gz
      (py3) [root@bogon opt]# chown -R root:root luna

    5. Configure Nginx to tie the components together

    1. Install Nginx
      vi /etc/yum.repos.d/nginx.repo
      
      [nginx]
      name=nginx repo
      baseurl=http://nginx.org/packages/centos/7/$basearch/
      gpgcheck=0
      enabled=1

      (py3) [root@bogon opt]# yum install -y nginx
      (py3) [root@bogon opt]# rm -rf /etc/nginx/conf.d/default.conf
      (py3) [root@bogon opt]# vi /etc/nginx/conf.d/jumpserver.conf

      server {
          listen 80;  # proxy port; from now on access goes through this port rather than 8080
          server_name demo.jumpserver.org;  # change to your domain
       
          client_max_body_size 100m;  # size limit for recordings and file uploads
       
          location /luna/ {
              try_files $uri / /index.html;
              alias /opt/luna/;  # luna path; change this if you changed the install directory
          }
       
          location /media/ {
              add_header Content-Encoding gzip;
              root /opt/jumpserver/data/;  # recordings location; change this if you changed the install directory
          }
       
          location /static/ {
              root /opt/jumpserver/data/;  # static assets; change this if you changed the install directory
          }
       
          location /socket.io/ {
              proxy_pass       http://localhost:5000/socket.io/;  # if coco runs on another server, use its IP
              proxy_buffering off;
              proxy_http_version 1.1;
              proxy_set_header Upgrade $http_upgrade;
              proxy_set_header Connection "upgrade";
              proxy_set_header X-Real-IP $remote_addr;
              proxy_set_header Host $host;
              proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
              access_log off;
          }
       
          location /coco/ {
              proxy_pass       http://localhost:5000/coco/;  # if coco runs on another server, use its IP
              proxy_set_header X-Real-IP $remote_addr;
              proxy_set_header Host $host;
              proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
              access_log off;
          }
       
          location /guacamole/ {
              proxy_pass       http://localhost:8081/;  # if guacamole runs on another server, use its IP
              proxy_buffering off;
              proxy_http_version 1.1;
              proxy_set_header Upgrade $http_upgrade;
              proxy_set_header Connection $http_connection;
              proxy_set_header X-Real-IP $remote_addr;
              proxy_set_header Host $host;
              proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
              access_log off;
          }
       
          location / {
              proxy_pass http://localhost:8080;  # if jumpserver runs on another server, use its IP
              proxy_set_header X-Real-IP $remote_addr;
              proxy_set_header Host $host;
              proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          }
      }
    2. Run nginx
      (py3) [root@bogon opt]# nginx -t   # make sure the config is valid; fix any errors before continuing
      (py3) [root@bogon opt]# systemctl start nginx
    3. Use Jumpserver: once all services are up, browse to http://IP
    4. Jumpserver service start-up sequence
      [root@bogon ~]# cd /opt
      [root@bogon opt]# source /opt/py3/bin/activate  # enter the Python venv
      (py3)[root@bogon opt]# systemctl start redis         # start redis
      (py3)[root@bogon opt]# systemctl start mariadb    # start the database service
      (py3)[root@bogon opt]# cd /opt/jumpserver
      (py3)[root@bogon jumpserver]# ./jms start -d     # start the jumpserver service in the background
      (py3)[root@bogon jumpserver]# cd /opt/coco
      (py3)[root@bogon coco]# ./cocod start -d          # start the coco service in the background
      (py3)[root@bogon coco]# systemctl start nginx     # start nginx
      (py3)[root@bogon coco]# systemctl enable nginx # start at boot
      (py3)[root@bogon coco]# systemctl enable mariadb
      (py3)[root@bogon coco]# systemctl enable redis
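      When the page at http://IP is blank or the web terminal does not load, the quickest way to find the missing piece is to check the back ends that jumpserver.conf proxies to: port 8080 is jumpserver, 5000 is coco (both /coco/ and /socket.io/), 8081 is guacamole. The script below is an added example for this page, not Jumpserver or nginx code. It pulls every location / proxy_pass pair out of the config with a regular expression (enough for the flat file above, not a general nginx parser), tries a TCP connection to each host:port, and names the component behind it. SAMPLE_CONF is a constructed copy of the proxy locations from the config above; `report` takes an injectable probe so the mapping can be checked without live sockets.

```python
"""Check the back ends that /etc/nginx/conf.d/jumpserver.conf proxies to,
so a blank page or blank web terminal can be traced to the component that
is not listening.

Added example for this page, not Jumpserver or nginx code.  SAMPLE_CONF is
a constructed copy of the proxy locations from the guide's config."""
import re
import socket
from urllib.parse import urlsplit

SAMPLE_CONF = """
server {
    listen 80;
    location /luna/ { try_files $uri / /index.html; alias /opt/luna/; }
    location /socket.io/ {
        proxy_pass       http://localhost:5000/socket.io/;  # coco websocket
        proxy_http_version 1.1;
    }
    location /coco/ { proxy_pass       http://localhost:5000/coco/; }
    location /guacamole/ { proxy_pass       http://localhost:8081/; }
    location / { proxy_pass http://localhost:8080; }
}
"""

# Which component the guide runs behind each port.
COMPONENT_BY_PORT = {8080: "jumpserver (./jms)", 5000: "coco (./cocod)", 8081: "guacamole"}

# One location block without nested braces; good enough for the guide's file.
LOCATION_RE = re.compile(r"location\s+(\S+)\s*\{([^{}]*)\}", re.S)
PROXY_RE = re.compile(r"proxy_pass\s+(\S+?);")


def parse_proxy_targets(conf_text):
    """Map each proxied location prefix to (host, port).

    Locations without proxy_pass (/luna/, /media/, /static/) are served
    from disk by nginx itself and are skipped."""
    targets = {}
    for m in LOCATION_RE.finditer(conf_text):
        prefix, body = m.group(1), m.group(2)
        pm = PROXY_RE.search(body)
        if pm is None:
            continue
        url = urlsplit(pm.group(1))
        targets[prefix] = (url.hostname, url.port or 80)
    return targets


def is_listening(host, port, timeout=1.0):
    """True if a TCP connection to host:port succeeds within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def report(conf_text, probe=is_listening):
    """Return {prefix: (component, up)} for every proxied location."""
    result = {}
    for prefix, (host, port) in parse_proxy_targets(conf_text).items():
        component = COMPONENT_BY_PORT.get(port, f"unknown service on {host}:{port}")
        result[prefix] = (component, probe(host, port))
    return result


if __name__ == "__main__":
    for prefix, (component, up) in report(SAMPLE_CONF).items():
        print(f"{prefix:<14} -> {component:<22} {'UP' if up else 'DOWN'}")
```

      Run it on the bastion itself (the targets are localhost) after the start-up sequence; a DOWN entry for /socket.io/ or /coco/ points at coco, one for / at jumpserver. To check the real file, read /etc/nginx/conf.d/jumpserver.conf and pass its contents to `report` instead of SAMPLE_CONF.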

    When using jumpserver, if Sessions > Web Terminal shows nothing, the browser may be the cause; switching to another third-party browser fixes it

    6. Using Jumpserver

    1. After logging in, create user groups to make later authorization easier

    2. Add system users

    To make jumpserver quicker to use: by default the administrator cannot set a password for a user directly. A knowledgeable user shared a template tweak that lets the admin create the password for the user directly; it works well, so I am sharing it here

        Template path: /opt/jumpserver/apps/users/templates/users

    (py3) [root@bogon users]# more _user.html
    {% extends '_base_create_update.html' %}
    {% load i18n %}
    {% load static %}
    {% load bootstrap3 %}
    {% block form %}
        {% if form.non_field_errors %}
             <div class="alert alert-danger">
                {{ form.non_field_errors }}
             </div>
        {% endif %}
        <form method="post" class="form-horizontal" action="" enctype="multipart/form-data">
            {% csrf_token %}
            <h3>{% trans 'Account' %}</h3>
            {% bootstrap_field form.name layout="horizontal" %}
            {% bootstrap_field form.username layout="horizontal" %}
            {% bootstrap_field form.email layout="horizontal" %}
            {% bootstrap_field form.groups layout="horizontal" %}
    
            <div class="hr-line-dashed"></div>
    
            <h3>{% trans 'Auth' %}</h3>
            {#{% block password %}{% endblock %}#}    {# this line is commented out #}
            {% bootstrap_field form.password layout="horizontal" %}    {# this line is added #}
            {% bootstrap_field form.otp_level layout="horizontal" %}
    
            <div class="hr-line-dashed"></div>
            <h3>{% trans 'Security and Role' %}</h3>
            {% bootstrap_field form.role layout="horizontal" %}
            <div class="form-group {% if form.date_expired.errors %} has-error {% endif %}" id="date_5">
                <label for="{{ form.date_expired.id_for_label }}" class="col-sm-2 control-label">{{ form.date_expired.label }}</label>
                <div class="col-sm-9">
                    <div class="input-group date">
                        <span class="input-group-addon"><i class="fa fa-calendar"></i></span>
                        {% if form.errors %}
                        <input id="{{ form.date_expired.id_for_label }}" name="{{ form.date_expired.html_name }}" type="text" class="form-control"  value="{{ form.date_expired.value }}">
                        {% else %}
                        <input id="{{ form.date_expired.id_for_label }}" name="{{ form.date_expired.html_name }}" type="text" class="form-control"  value="{{ form.date_expired.value|date:'Y-m-d H:i' }}">
                        {% endif %}
                    </div>
                    <span class="help-block ">{{ form.date_expired.errors }}</span>
                </div>
             </div>
            <div class="hr-line-dashed"></div>
            <h3>{% trans 'Profile' %}</h3>
            {% bootstrap_field form.phone layout="horizontal" %}
            {% bootstrap_field form.wechat layout="horizontal" %}
            {% bootstrap_field form.comment layout="horizontal" %}
            <div class="hr-line-dashed"></div>
            <div class="form-group">
                <div class="col-sm-4 col-sm-offset-2">
                    <button class="btn btn-white" type="reset">{% trans 'Reset' %}</button>
                    <button id="submit_button" class="btn btn-primary" type="submit">{% trans 'Submit' %}</button>
                </div>
            </div>
        </form>
    
    {% endblock %}
    {% block custom_foot_js %}
        <script src="{% static 'js/plugins/datepicker/bootstrap-datepicker.js' %}"></script>
        <script type="text/javascript" src='{% static "js/plugins/daterangepicker/moment.min.js" %}'></script>
        <script type="text/javascript" src='{% static "js/plugins/daterangepicker/daterangepicker.min.js" %}'></script>
        <link rel="stylesheet" type="text/css" href="{% static "css/plugins/daterangepicker/daterangepicker.css" %}" />
    
        <script>
            var dateOptions = {
                singleDatePicker: true,
                showDropdowns: true,
                timePicker: true,
                timePicker24Hour: true,
                autoApply: true,
                locale: {
                    format: 'YYYY-MM-DD HH:mm'
                }
            };
            $(document).ready(function () {
                $('.select2').select2();
                $('#id_date_expired').daterangepicker(dateOptions);
            })
        </script>
    {% endblock %}

     ***Upgrading***

      Upgrade Jumpserver

    cd /opt/jumpserver
    source /opt/py3/bin/activate
    ./jms stop
    git fetch
    git pull
    
    pip install -r requirements/requirements.txt
    
    # Start jumpserver (still inside /opt/jumpserver, where ./jms lives)
    ./jms start all -d

      Upgrade coco

    cd /opt/coco
    git pull
    source /opt/py3/bin/activate
    ./cocod stop
    
    pip install -r requirements/requirements.txt
    ./cocod start -d

      Upgrade luna

    cd /opt
    rm -rf luna
    wget https://github.com/jumpserver/luna/releases/download/1.4.8/luna.tar.gz
    
    # If network problems keep the download from completing, use this address instead
    wget https://demo.jumpserver.org/download/luna/1.4.8/luna.tar.gz
    
    tar xf luna.tar.gz
    chown -R root:root luna
     

      

  • Original URL: https://www.cnblogs.com/dengcongcong/p/10271371.html