    Jumpserver: the ops team's blame-shifting tool

    Introduction to Jumpserver

    A jump host, or bastion host. Its main job is to let users log in to servers through a web terminal without handing them keys, while every operation is logged and session-recorded. It also keeps an asset inventory of all servers and lets you grant developers login rights and sudo rights per host, which saves the ops team a lot of manual work. With two-factor authentication enabled (configured at the end of this guide) it can sit on the public internet without much worry; until that step is done, keep it on a trusted network.

    Server environment

    One host: 192.168.1.8

    OS: CentOS 7.5

    Baseline tuning: stop firewalld, disable SELinux, raise the file-descriptor limit, and so on. If this host will ever be reachable from the internet, turn firewalld back on afterwards and allow only nginx's port (80 below) and coco's SSH port (2222 by default).

    Preparing the environment

    Dependencies and tools

    yum -y install wget sqlite-devel xz gcc automake zlib-devel openssl-devel epel-release git

    Python 3

    wget https://www.python.org/ftp/python/3.6.1/Python-3.6.1.tar.xz
    tar xvf Python-3.6.1.tar.xz && cd Python-3.6.1
    ./configure && make && make install

    Create a Python 3 virtual environment

    cd /opt

    python3 -m venv py3

    source /opt/py3/bin/activate

    (py3) [root@localhost py3]   #   this prompt means the venv is active

    Configure automatic loading of the Python virtual environment

    cd /opt
    git clone https://github.com/kennethreitz/autoenv.git   # https: GitHub no longer serves the git:// protocol
    echo 'source /opt/autoenv/activate.sh' >> ~/.bashrc
    source ~/.bashrc

    autoenv sources the .env file of any directory you cd into (after a one-time y/N prompt per file), so with it active do not cd into checkouts you do not trust.

    Install Jumpserver

    git clone https://github.com/jumpserver/jumpserver.git && cd jumpserver && git checkout master
    # master keeps moving; the files used below (config_example.py, jms, coco) belong to the 1.3-era tree that goes with Luna 1.3.2, so check out that release tag instead if master has moved on
    echo "source /opt/py3/bin/activate" > /opt/jumpserver/.env

    Install the RPM dependencies

    cd /opt/jumpserver/requirements
    yum -y install $(cat rpm_requirements.txt)   # continue only if this reports no errors

    Install the Python library dependencies

    pip install -r requirements.txt

    Install Redis and MySQL

    yum -y install redis
    systemctl enable redis
    systemctl start redis

    yum -y install mariadb mariadb-devel mariadb-server
    systemctl enable mariadb
    systemctl start mariadb

    Create the database

    mysql
    > create database jumpserver default charset 'utf8';
    > grant all on jumpserver.* to 'jumpserver'@'127.0.0.1' identified by 'jumpserver';       # the string after "identified by" is the password; pick your own
    > flush privileges;

    Edit the Jumpserver configuration file

    cd /opt/jumpserver
    cp config_example.py config.py
    vi config.py

    import os

    BASE_DIR = os.path.dirname(os.path.abspath(__file__))


    class Config:
        # Used to encrypt and decrypt data (the asset passwords stored in the DB)
        # SECURITY WARNING: keep the secret key used in production secret!
        # SECRET_KEY = os.environ.get('SECRET_KEY') or '2vym+ky!997d5kkcc64mnz06y1mmui3lut#(^wd=%s_qj$1%x'
        SECRET_KEY = 'wwwwwwwwww'   # simple key for an internal test box only; for real use generate 50 random characters, and never change the key afterwards or stored asset passwords can no longer be decrypted
        # Django security setting, required once DEBUG is off. '*' accepts any Host header; list your real hostname or IP instead
        ALLOWED_HOSTS = ['*']

        # Development: True shows the full traceback when an error occurs. Production: set it to False
        DEBUG = True

        # DEBUG, INFO, WARNING, ERROR, CRITICAL. See https://docs.djangoproject.com/en/1.10/topics/logging/
        LOG_LEVEL = 'ERROR'
        LOG_DIR = os.path.join(BASE_DIR, 'logs')

        # Database setting. Supports sqlite3, mysql, postgres ...
        # See https://docs.djangoproject.com/en/1.10/ref/settings/#databases

        # SQLite setting:
        # DB_ENGINE = 'sqlite3'
        # DB_NAME = os.path.join(BASE_DIR, 'data', 'db.sqlite3')

        # MySQL or postgres setting (database configuration)
        DB_ENGINE = 'mysql'
        DB_HOST = '127.0.0.1'
        DB_PORT = 3306
        DB_USER = 'jumpserver'      # must be the account from the GRANT above, not root
        DB_PASSWORD = 'jumpserver'
        DB_NAME = 'jumpserver'

        # Host and port Django binds when it starts (web configuration)
        # ./manage.py runserver 127.0.0.1:8080
        HTTP_BIND_HOST = '0.0.0.0'  # 0.0.0.0 lets you reach :8080 directly for the check below; once nginx is in front, 127.0.0.1 is enough
        HTTP_LISTEN_PORT = 8080

        # Redis as broker for celery and the web socket (cache configuration)
        REDIS_HOST = '127.0.0.1'
        REDIS_PORT = 6379
        REDIS_PASSWORD = ''         # empty means redis is unauthenticated; set requirepass in redis and mirror it here
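    As an added check, not Jumpserver's own tooling, the script below parses a config.py with Python's ast module and flags the settings in the block above that are fine on a throwaway test box but not on a bastion other people can reach: the short SECRET_KEY, DEBUG, the wildcard ALLOWED_HOSTS, the root DB user, the 0.0.0.0 bind behind nginx and the empty Redis password. Both sample configs are constructed for the example; the hardened key is a placeholder to replace with your own, and the thresholds (50 characters, 16 distinct) are this example's choice, not a Jumpserver requirement.

```python
"""Audit a Jumpserver 1.x config.py for settings a bastion host must not
keep in production.  Added example for this guide, not Jumpserver code."""
import ast
import secrets
import string

# Key shipped in config_example.py: anyone who has read the repo knows it.
EXAMPLE_SECRET_KEY = '2vym+ky!997d5kkcc64mnz06y1mmui3lut#(^wd=%s_qj$1%x'


def load_config_settings(source):
    """Map NAME -> literal value for assignments inside `class Config`.
    Non-literal values (e.g. os.path.join(...)) are skipped; the common
    `os.environ.get('X') or 'fallback'` pattern yields the fallback, which
    is what actually runs when the variable is unset."""
    settings = {}
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.ClassDef) and node.name == 'Config'):
            continue
        for stmt in node.body:
            if not isinstance(stmt, ast.Assign) or len(stmt.targets) != 1:
                continue
            target, value = stmt.targets[0], stmt.value
            if not isinstance(target, ast.Name):
                continue
            if isinstance(value, ast.BoolOp) and isinstance(value.op, ast.Or):
                value = value.values[-1]
            try:
                settings[target.id] = ast.literal_eval(value)
            except ValueError:      # a call or name, not a literal: ignore
                pass
    return settings


def audit_config(source, behind_nginx=True):
    """Return a list of findings; an empty list means the config passed."""
    s = load_config_settings(source)
    findings = []
    key = s.get('SECRET_KEY', '')
    if key == EXAMPLE_SECRET_KEY:
        findings.append('SECRET_KEY is the public value from config_example.py')
    elif len(key) < 50 or len(set(key)) < 16:
        # SECRET_KEY encrypts the asset passwords stored in the DB; a short or
        # repetitive key such as 'wwwwwwwwww' is cheap to brute-force offline.
        findings.append('SECRET_KEY is short or low-entropy; use 50 random characters')
    if s.get('DEBUG') is True:
        findings.append('DEBUG = True shows tracebacks and settings on error pages')
    if '*' in s.get('ALLOWED_HOSTS', []):
        findings.append("ALLOWED_HOSTS = ['*'] disables Django's Host header check")
    if s.get('DB_ENGINE') == 'mysql' and s.get('DB_USER') == 'root':
        findings.append('DB_USER is root; use the dedicated jumpserver account you granted')
    if behind_nginx and s.get('HTTP_BIND_HOST') == '0.0.0.0':
        findings.append('HTTP_BIND_HOST = 0.0.0.0 exposes :8080 beside nginx; bind 127.0.0.1')
    if not s.get('REDIS_PASSWORD'):
        findings.append('REDIS_PASSWORD is empty; set requirepass in redis and mirror it here')
    return findings


def generate_secret_key(length=50):
    """Random key from the alphabet Django's get_random_secret_key uses."""
    alphabet = string.ascii_lowercase + string.digits + '!@#$%^&*(-_=+)'
    return ''.join(secrets.choice(alphabet) for _ in range(length))


# Constructed sample: the config.py from this guide as written for the test box.
PAGE_CONFIG = '''
class Config:
    SECRET_KEY = 'wwwwwwwwww'
    ALLOWED_HOSTS = ['*']
    DEBUG = True
    LOG_DIR = os.path.join(BASE_DIR, 'logs')
    DB_ENGINE = 'mysql'
    DB_HOST = '127.0.0.1'
    DB_PORT = 3306
    DB_USER = 'root'
    DB_PASSWORD = 'jumpserver'
    DB_NAME = 'jumpserver'
    HTTP_BIND_HOST = '0.0.0.0'
    HTTP_LISTEN_PORT = 8080
    REDIS_HOST = '127.0.0.1'
    REDIS_PORT = 6379
    REDIS_PASSWORD = ''
'''

# Constructed sample: the same file hardened for a reachable host.  The key is
# a placeholder; generate your own and never change it after the first start.
HARDENED_CONFIG = '''
class Config:
    SECRET_KEY = os.environ.get('SECRET_KEY') or 'x7Q!mR2@kP9#vL4$bN8%cT1^dW6&fZ3*gH5(jY0-sE2_uA4=iO'
    ALLOWED_HOSTS = ['192.168.1.8']
    DEBUG = False
    DB_ENGINE = 'mysql'
    DB_HOST = '127.0.0.1'
    DB_USER = 'jumpserver'
    DB_PASSWORD = 'jumpserver'
    DB_NAME = 'jumpserver'
    HTTP_BIND_HOST = '127.0.0.1'
    HTTP_LISTEN_PORT = 8080
    REDIS_PASSWORD = 'same-value-as-requirepass'
'''

if __name__ == '__main__':
    for name, cfg in (('page', PAGE_CONFIG), ('hardened', HARDENED_CONFIG)):
        print(name + ':', audit_config(cfg) or 'OK')
    print('fresh key:', generate_secret_key())
```

    Run it against /opt/jumpserver/config.py (`audit_config(open('config.py').read())`) before the box leaves the test network; the page's own config yields six findings, the hardened one none.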

    Generate the database schema and initial data

    cd /opt/jumpserver/utils

    bash make_migrations.sh

    Run Jumpserver

    cd /opt/jumpserver
    ./jms start all -d

    If it starts without errors, open http://192.168.1.8:8080/ in a browser. Default account: admin, password: admin. The page will render badly at this point because the static files are served by nginx; keep following the guide and it will display properly once the nginx proxy is set up.

    Install the SSH server and WebSocket server: Coco

    cd /opt
    source /opt/py3/bin/activate
    git clone https://github.com/jumpserver/coco.git && cd coco && git checkout master
    echo "source /opt/py3/bin/activate" > /opt/coco/.env # the Python venv is loaded automatically on entering the coco directory

    # The first time you enter the coco directory autoenv asks for confirmation; answer y
    # Are you sure you want to allow this? (y/N) y
    Install dependencies
    cd /opt/coco/requirements
    yum -y install $(cat rpm_requirements.txt)
    pip install -r requirements.txt -i https://pypi.org/simple

    Edit the config file and run
    cd /opt/coco
    cp conf_example.py conf.py # if coco and jumpserver are deployed on separate hosts, adjust conf.py by hand
    vi conf.py
    class Config:
        """
        Coco config file; coco also loads settings pushed from the Jumpserver server
        """
        # Name used to register with Jumpserver; identification only, but it must be unique
        NAME = "coco"

        # URL of the Jumpserver instance, used by the registration API call
        # CORE_HOST = os.environ.get("CORE_HOST") or 'http://127.0.0.1:8080'
        CORE_HOST = 'http://127.0.0.1:8080'

    ./cocod start -d
    Once it starts, go to Jumpserver > Sessions > Terminal management (http://192.168.1.8:8080/terminal/terminal/) and accept coco's registration. If the page still renders badly, this can wait until the deployment is finished.

    Install the web terminal front end: Luna

    cd /opt
    wget https://github.com/jumpserver/luna/releases/download/1.3.2/luna.tar.gz
    tar xvf luna.tar.gz
    chown -R root:root luna

    Configure Nginx to tie the components together

    yum -y install nginx   # nginx comes from EPEL, which the first yum step enabled
    vim /etc/nginx/conf.d/jumpserver.conf
    server {
        listen 80; # the port everything is accessed through from now on, instead of 8080

        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        location /luna/ {
            try_files $uri / /index.html;
            alias /opt/luna/;
        }

        location /media/ {
            add_header Content-Encoding gzip;
            root /opt/jumpserver/data/;
        }

        location /static/ {
            root /opt/jumpserver/data/;
        }

        location /socket.io/ {
            proxy_pass http://localhost:5000/socket.io/; # if coco runs on another server, use its IP
            proxy_buffering off;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
        }

        # location /guacamole/ {
        #     proxy_pass http://localhost:8081/; # if guacamole runs on another server, use its IP
        #     proxy_buffering off;
        #     proxy_http_version 1.1;
        #     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        #     proxy_set_header Upgrade $http_upgrade;
        #     proxy_set_header Connection $http_connection;
        #     access_log off;
        #     client_max_body_size 100m; # upload size limit for Windows file transfer
        # }

        location / {
            proxy_pass http://localhost:8080; # if jumpserver runs on another server, use its IP
        }
    }

    This serves plain HTTP on port 80, so the login password and the MFA code configured later travel in the clear; for a host reachable beyond a trusted LAN, terminate TLS in this server block.

    Start nginx

    systemctl start nginx
    systemctl enable nginx

    Check the processes

    /opt/jumpserver/jms status
    /opt/coco/cocod status

    Open http://192.168.1.8/

    Username and password are both admin by default; change them at first login, then start clicking around.

    Usage guide

    First go to Settings and configure the site URL and email.

    URL: you can use a domain name and point DNS at this IP.

    Email settings

    SMTP server, port (25 by default), and the SMTP account and password used to send mail; if you use port 25, leave SSL unticked.

    Security settings: Jumpserver two-factor authentication

    If the machine is on the public internet anyone can reach the login page, so enabling this is recommended. On your next login Jumpserver asks you to install the Google Authenticator app and scan a QR code to bind it; from then on, after entering username and password, it asks for a time-limited 6-digit code derived from that shared secret and the current time (TOTP).
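    What that 6-digit code is, as an added example and not Jumpserver's own MFA code: HOTP (RFC 4226) and TOTP (RFC 6238) as Google Authenticator computes them, plus the two things a verifier needs that the app does not show, a skew window and a replay check. The secret and expected codes are the RFC test vectors; the one-step window, the replay rule and the base32 helper are this example's assumptions about the server side, not a description of Jumpserver's implementation.

```python
"""TOTP (RFC 6238) over HOTP (RFC 4226), the scheme Google Authenticator
implements.  Added example for this guide; not Jumpserver code."""
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to a 31-bit integer, then the low `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack('>Q', counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack('>I', mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, timestamp, period=30, digits=6):
    """RFC 6238: HOTP with counter = unix time // period (30-second steps),
    which is why a code stops working after at most 30 seconds."""
    return hotp(secret, int(timestamp) // period, digits)


def verify_totp(secret, code, timestamp=None, last_step=None, window=1, period=30):
    """Return the time step the code matched, or None if it is rejected.
    window:    steps accepted either side of now, to absorb clock skew (assumed 1).
    last_step: highest step already accepted for this user; a code at or below
               it is a replay and is refused even though it is otherwise valid."""
    if timestamp is None:
        timestamp = time.time()
    now = int(timestamp) // period
    matched = None
    for step in range(now - window, now + window + 1):
        # compare_digest is constant-time, so a guess does not leak which digits match
        if hmac.compare_digest(hotp(secret, step), str(code)):
            matched = step
    if matched is None or (last_step is not None and matched <= last_step):
        return None
    return matched


def secret_from_base32(b32):
    """The enrolment QR code carries the secret as unpadded base32."""
    cleaned = b32.replace(' ', '').upper()
    return base64.b32decode(cleaned + '=' * (-len(cleaned) % 8))


# Constructed input: the RFC 4226 / 6238 test secret, ASCII "12345678901234567890".
RFC_SECRET = b'12345678901234567890'

if __name__ == '__main__':
    print('code at T=59:', totp(RFC_SECRET, 59))                                # 287082 per RFC 6238
    print('accepted at step:', verify_totp(RFC_SECRET, '287082', timestamp=89))  # 1
    print('replayed:', verify_totp(RFC_SECRET, '287082', timestamp=89, last_step=1))  # None
```

    The replay check matters on a bastion: within the skew window a code the user just typed is still valid, so a verifier that does not remember the last accepted step lets a shoulder-surfed code be reused for up to a minute.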

    Explore the rest yourself; understanding how it is implemented in Python will make troubleshooting easier when something breaks.

    Original article: https://www.cnblogs.com/wsy1030/p/9290310.html