一锯厢、簡(jiǎn)介

jumpserver 概述
Jumpserver 是一款使用 Python, Django 開發(fā)的開源跳板機(jī)系統(tǒng), 為互聯(lián)網(wǎng)企業(yè)提供了認(rèn)證枯冈，授權(quán)茵瀑，審計(jì)腕铸，自動(dòng)化運(yùn)維等功能贮乳，基于ssh協(xié)議來管理，客戶端無需安裝agent恬惯。

jumpserver 的功能特點(diǎn)

• 完全開源向拆，GPL授權(quán)
• Python編寫，容易再次開發(fā)
• 實(shí)現(xiàn)了跳板機(jī)基本功能酪耳，身份認(rèn)證浓恳、訪問控制、授權(quán)碗暗、審計(jì) 颈将、批量操作等。
• 集成了Ansible言疗，批量命令等
• 支持WebTerminal
• Bootstrap編寫晴圾，界面美觀
• 自動(dòng)收集硬件信息
• 錄像回放
• 命令搜索
• 實(shí)時(shí)監(jiān)控
• 批量上傳下載

二、安裝

安裝jumpserver 3.0版本噪奄，相對(duì)于jumpserver 2.0版本死姚，在新的版本3.0中取消了LDAP授權(quán)，取而代之的是ssh進(jìn)行推送勤篮；界面也有所變化都毒，功能更完善，安裝更簡(jiǎn)單碰缔。

1账劲、環(huán)境配置

1.1關(guān)閉jumpserver部署機(jī)的防火墻和selinux

[root@xyw-dev ~]# getenforce
Disabled
[root@xyw-dev ~]# systemctl stop firewalld.service

1.2修改字符集
如果用的云服務(wù)器，云服務(wù)器默認(rèn)是英文字符集。否則可能報(bào) input/output error的問題瀑焦，因?yàn)槿罩纠锎蛴×酥形?/p>

[root@xyw-dev ~]# localedef -c -f UTF-8 -i zh_CN zh_CN.UTF-8
[root@xyw-dev ~]# export LC_ALL=zh_CN.UTF-8
[root@xyw-dev ~]# echo 'LANG="zh_CN.UTF-8"' > /etc/locale.conf

1.3安裝依賴包

[root@xyw-dev ~]# yum -y install epel-release
[root@xyw-dev ~]# yum clean all && yum makecache
[root@xyw-dev ~]# yum -y update
[root@xyw-dev ~]# yum -y install wget sqlite-devel xz gcc automake zlib-devel openssl-devel epel-release git

1.4編譯安裝python-3.6.1

[root@xyw-dev ~]# wget https://www.python.org/ftp/python/3.6.1/Python-3.6.1.tar.xz
[root@xyw-dev ~]# tar xf Python-3.6.1.tar.xz  && cd Python-3.6.1
[root@xyw-dev Python-3.6.1]#  ./configure && make && make install
這里必須執(zhí)行編譯安裝腌且，否則在安裝 Python 庫依賴時(shí)會(huì)有麻煩...
?
[root@xyw-dev Python-3.6.1]# cd /opt
[root@xyw-dev opt]# python3 -m venv py3
[root@xyw-dev opt]# source /opt/py3/bin/activate
(py3) [root@xyw-dev opt]#
?
(py3) [root@xyw-dev opt]# git clone git://github.com/kennethreitz/autoenv.git
正克隆到 'autoenv'...
remote: Enumerating objects: 671, done.
remote: Total 671 (delta 0), reused 0 (delta 0), pack-reused 671
接收對(duì)象中: 100% (671/671), 103.92 KiB | 115.00 KiB/s, done.
處理 delta 中: 100% (356/356), done.
(py3) [root@xyw-dev opt]#
(py3) [root@xyw-dev opt]# echo 'source /opt/autoenv/activate.sh' >> ~/.bashrc
(py3) [root@xyw-dev opt]# source ~/.bashrc
(py3) [root@xyw-dev opt]#

2、下載Jumpserver

2.1下載clone項(xiàng)目

(py3) [root@xyw-dev ~]# cd /opt/
(py3) [root@xyw-dev opt]# git clone https://github.com/jumpserver/jumpserver.git && cd jumpserver && git checkout master
正克隆到 'jumpserver'...
remote: Enumerating objects: 79, done.
remote: Counting objects: 100% (79/79), done.
remote: Compressing objects: 100% (68/68), done.
remote: Total 41282 (delta 19), reused 20 (delta 5), pack-reused 41203
接收對(duì)象中: 100% (41282/41282), 52.05 MiB | 79.00 KiB/s, done.
處理 delta 中: 100% (28176/28176), done.
已經(jīng)位于 'master'
(py3) [root@xyw-dev jumpserver]#

2.2安裝所需的python modules

(py3) [root@xyw-dev jumpserver]#  echo "source /opt/py3/bin/activate" > /opt/jumpserver/.env
(py3) [root@xyw-dev jumpserver]# cd requirements/
autoenv:
autoenv: WARNING:
autoenv: This is the first time you are about to source /opt/jumpserver/.env:
autoenv:
autoenv:   --- (begin contents) ---------------------------------------
autoenv:     source /opt/py3/bin/activate$
autoenv:
autoenv:   --- (end contents) -----------------------------------------
autoenv:
autoenv: Are you sure you want to allow this? (y/N) y
(py3) [root@xyw-dev requirements]#
?

(py3) [root@xyw-dev requirements]#  yum -y install $(cat rpm_requirements.txt)
(py3) [root@xyw-dev requirements]# pip install --upgrade pip setuptools
(py3) [root@xyw-dev requirements]# pip install wheel
(py3) [root@xyw-dev requirements]#  pip install -r requirements.txt -i https://pypi.douban.com/simple/
下載的很慢會(huì)有超時(shí)報(bào)錯(cuò)榛瓮，加上源铺董，會(huì)快一些。

2.3安裝Redis

(py3) [root@xyw-dev requirements]#  yum -y install redis
(py3) [root@xyw-dev requirements]#  systemctl enable redis
Created symlink from /etc/systemd/system/multi-user.target.wants/redis.service to /usr/lib/systemd/system/redis.service.
(py3) [root@xyw-dev requirements]# systemctl start redis

2.4安裝MySQL

(py3) [root@xyw-dev requirements]# yum -y install mariadb mariadb-devel mariadb-server
(py3) [root@xyw-dev requirements]# systemctl enable mariadb
Created symlink from /etc/systemd/system/multi-user.target.wants/mariadb.service to /usr/lib/systemd/system/mariadb.service.
(py3) [root@xyw-dev requirements]# systemctl start mariadb
(py3) [root@xyw-dev requirements]#

2.5創(chuàng)建jumpserver數(shù)據(jù)庫并授權(quán)

(py3) [root@xyw-dev requirements]# mysql
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 2
Server version: 5.5.60-MariaDB MariaDB Server
?
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
?
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
?
MariaDB [(none)]>  create database jumpserver default charset 'utf8';
Query OK, 1 row affected (0.00 sec)

?設(shè)置用戶jumpserver@127.0.0.1對(duì)jumpserver數(shù)據(jù)庫所有表都有權(quán)限,并設(shè)置密碼為123456
MariaDB [(none)]> grant all on jumpserver.* to 'jumpserver'@'127.0.0.1' identified by '123456';
Query OK, 0 rows affected (0.00 sec)
?
MariaDB [(none)]> flush privileges;
Query OK, 0 rows affected (0.00 sec)
?
MariaDB [(none)]> \q
Bye
(py3) [root@xyw-dev requirements]#

3榆芦、配置Jumpserver

(py3) [root@xyw-dev requirements]# pwd
/opt/jumpserver/requirements
(py3) [root@xyw-dev requirements]# cd ..
(py3) [root@xyw-dev jumpserver]# ls
apps      config_example.yml  Dockerfile  entrypoint.sh  LICENSE  README_EN.md  requirements   tmp
build.sh  data                docs        jms            logs     README.md     run_server.py  utils
(py3) [root@xyw-dev jumpserver]# cp config_example.yml config.yml
(py3) [root@xyw-dev jumpserver]#
(py3) [root@xyw-dev jumpserver]# SECRET_KEY=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 50`
(py3) [root@xyw-dev jumpserver]# echo $SECRET_KEY
8gl0TchtJrblmAXaI2kbcVti1NoGO6dfJiiu4Or5SROHyPQE2q
(py3) [root@xyw-dev jumpserver]# echo "SECRET_KEY=$SECRET_KEY" >> ~/.bashrc
(py3) [root@xyw-dev jumpserver]# BOOTSTRAP_TOKEN=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 16`
(py3) [root@xyw-dev jumpserver]# echo "BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN" >> ~/.bashrc
(py3) [root@xyw-dev jumpserver]# echo $BOOTSTRAP_TOKEN
PWy55TLKsWANkSSx
(py3) [root@xyw-dev jumpserver]# sed -i "s/SECRET_KEY:/SECRET_KEY: $SECRET_KEY/g" /opt/jumpserver/config.yml
(py3) [root@xyw-dev jumpserver]# sed -i "s/BOOTSTRAP_TOKEN:/BOOTSTRAP_TOKEN: $BOOTSTRAP_TOKEN/g" /opt/jumpserver/config.yml
(py3) [root@xyw-dev jumpserver]# sed -i "s/# DEBUG: true/DEBUG: false/g" /opt/jumpserver/config.yml
(py3) [root@xyw-dev jumpserver]# sed -i "s/# LOG_LEVEL: DEBUG/LOG_LEVEL: ERROR/g" /opt/jumpserver/config.yml
(py3) [root@xyw-dev jumpserver]#  sed -i "s/# SESSION_EXPIRE_AT_BROWSER_CLOSE: false/SESSION_EXPIRE_AT_BROWSER_CLOSE: true/g" /opt/jumpserver/config.yml
(py3) [root@xyw-dev jumpserver]# echo -e "\033[31m 你的SECRET_KEY是 $SECRET_KEY \033[0m"
 你的SECRET_KEY是 8gl0TchtJrblmAXaI2kbcVti1NoGO6dfJiiu4Or5SROHyPQE2q
(py3) [root@xyw-dev jumpserver]# echo -e "\033[31m 你的BOOTSTRAP_TOKEN是 $BOOTSTRAP_TOKEN \033[0m"
 你的BOOTSTRAP_TOKEN是 PWy55TLKsWANkSSx
(py3) [root@xyw-dev jumpserver]# vi config.yml
(py3) [root@xyw-dev jumpserver]# sed -n '/^DB_/p' /opt/jumpserver/config.yml
DB_ENGINE: mysql
DB_HOST: 127.0.0.1
DB_PORT: '3306'
DB_USER: jumpserver
DB_PASSWORD: '123456'
DB_NAME: jumpserver
(py3) [root@xyw-dev jumpserver]#

注意：mysql配置這一塊端口和密碼都要加上單引號(hào)柄粹！否則啟動(dòng)不起來。

4匆绣、啟動(dòng)/關(guān)閉Jumpserver

(py3) [root@xyw-dev jumpserver]# ./jms start
......
?
(py3) [root@xyw-dev jumpserver]# ./jms stop
Stop service: gunicorn
Stop service: celery
Stop service: beat
(py3) [root@xyw-dev jumpserver]#

#后臺(tái)啟動(dòng)
(py3) [root@xyw-dev jumpserver]# ./jms start -d

5驻右、部署koko

部署docker
支持終端管理，默認(rèn)port為2222
5.1docker 部署koko

[root@xyw-dev ~]# systemctl start docker
[root@xyw-dev ~]#
[root@xyw-dev ~]# Server_IP=192.168.2.37
[root@xyw-dev ~]# BOOTSTRAP_TOKEN=PWy55TLKsWANkSSx
[root@xyw-dev ~]# docker run --name jms_koko -d -p 2222:2222 -p 5000:5000 -e CORE_HOST=http://$Server_IP:8080 -e BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN jumpserver/jms_koko:1.5.5
Unable to find image 'jumpserver/jms_koko:1.5.5' locally
1.5.2: Pulling from jumpserver/jms_koko
050382585609: Pull complete
f6e2d22aa00f: Pull complete
8c86c00c5332: Pull complete
6b9c6941a89d: Pull complete
a10054b94acf: Pull complete
4005724a64ff: Pull complete
446406ca2953: Pull complete
716a981c63ee: Pull complete
41a65efed49e: Pull complete
Digest: sha256:ac6258fe46165860289410970e124031aa74a380cb3e1ad97348feb2c9265cbc
Status: Downloaded newer image for jumpserver/jms_koko:1.5.5
31fc5862ea104946590c232f16dab366d55823e559e256c5208a3720be9406ba
[root@xyw-dev ~]#

5.2手工部署koko (coco 目前已經(jīng)被 koko 取代)

cd /opt
wget https://github.com/jumpserver/koko/releases/download/1.5.2/koko-master-37daa82-linux-amd64.tar.gz
tar xf koko-master-37daa82-linux-amd64.tar.gz
chown -R root:root kokodir
cd kokodir
chown -R root:root /opt/kokodir
cd /opt/kokodir
cp config_example.yml config.yml
vim config.yml  # BOOTSTRAP_TOKEN 需要從 jumpserver/config.yml 里面獲取, 保證一致
./koko 

6崎淳、部署guacamole

基于 HTML 5 和 JavaScript 的 VNC 查看器

[root@xyw-dev ~]# docker run --name jms_guacamole -d -p 8081:8081 -e JUMPSERVER_SERVER=http://$Server_IP:8080 -e BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN jumpserver/jms_guacamole:1.5.5
Unable to find image 'jumpserver/jms_guacamole:1.5.5' locally
1.5.5: Pulling from jumpserver/jms_guacamole
8ba884070f61: Pull complete
74b389e6937e: Pull complete
41f5461bfc2f: Pull complete
f693f2484212: Pull complete
246835158fe4: Pull complete
Digest: sha256:de0b74e33c9991181eb507d768df73fb05932f3b4722dc36ecdca4e358fdce8d
Status: Downloaded newer image for jumpserver/jms_guacamole:1.5.5
f4d0c314c5fb840e42ea7e284f5349c571039bb1e3af2f3f8377b7a2c5f53f82
[root@xyw-dev ~]#

手工部署guacamole

$ cd /opt
$ git clone --depth=1 https://github.com/jumpserver/docker-guacamole.git
$ cd /opt/docker-guacamole
$ tar xf guacamole-server-1.0.0.tar.gz
$ cd /opt/docker-guacamole/guacamole-server-1.0.0
# 根據(jù) http://guacamole.apache.org/doc/gug/installing-guacamole.html 文檔安裝對(duì)應(yīng)的依賴包
$ autoreconf -fi
$ ./configure --with-init-dir=/etc/init.d
$ make
$ make install

訪問 https://mirror.bit.edu.cn/apache/tomcat/tomcat-9/v9.0.35/bin/apache-tomcat-9.0.35-fulldocs.tar.gz 下載最新的 tomcat9（tomcat隨時(shí)有更新堪夭，下面命令中請(qǐng)自行更改）

$ mkdir -p /config/guacamole /config/guacamole/lib /config/guacamole/extensions /config/guacamole/data/log/
$ cd /config
$ wget http://mirrors.tuna.tsinghua.edu.cn/apache/tomcat/tomcat-9/v9.0.35/bin/apache-tomcat-9.0.35.tar.gz
$ tar xf apache-tomcat-9.0.35.tar.gz
$ mv apache-tomcat-9.0.35 tomcat9
$ rm -rf /config/tomcat9/webapps/*
$ sed -i 's/Connector port="8080"/Connector port="8081"/g' /config/tomcat9/conf/server.xml
$ echo "java.util.logging.ConsoleHandler.encoding = UTF-8" >> /config/tomcat9/conf/logging.properties
$ ln -sf /opt/docker-guacamole/guacamole-1.0.0.war /config/tomcat9/webapps/ROOT.war
$ ln -sf /opt/docker-guacamole/guacamole-auth-jumpserver-1.0.0.jar /config/guacamole/extensions/guacamole-auth-jumpserver-1.0.0.jar
$ ln -sf /opt/docker-guacamole/root/app/guacamole/guacamole.properties /config/guacamole/guacamole.properties
$ wget https://github.com/ibuler/ssh-forward/releases/download/v0.0.5/linux-amd64.tar.gz
$ tar xf linux-amd64.tar.gz -C /bin/
$ chmod +x /bin/ssh-forward

# 設(shè)置 guacamole 環(huán)境
$ export JUMPSERVER_SERVER=http://127.0.0.1:8080  # http://127.0.0.1:8080 指 jumpserver 訪問地址
$ echo "export JUMPSERVER_SERVER=http://127.0.0.1:8080" >> ~/.bashrc

# BOOTSTRAP_TOKEN 為 Jumpserver/config.yml 里面的 BOOTSTRAP_TOKEN 值
$ export BOOTSTRAP_TOKEN=******
$ echo "export BOOTSTRAP_TOKEN=******" >> ~/.bashrc
$ export JUMPSERVER_KEY_DIR=/config/guacamole/keys
$ echo "export JUMPSERVER_KEY_DIR=/config/guacamole/keys" >> ~/.bashrc
$ export GUACAMOLE_HOME=/config/guacamole
$ echo "export GUACAMOLE_HOME=/config/guacamole" >> ~/.bashrc

$ /etc/init.d/guacd start
$ sh /config/tomcat9/bin/startup.sh

10、部署luna

與nginx結(jié)合支持Web Terminal前端

[root@xyw-dev ~]# cd /opt/
[root@xyw-dev opt]# wget https://github.com/jumpserver/luna/releases/download/1.5.5/luna.tar.gz
[root@xyw-dev opt]# tar xf luna.tar.gz
[root@xyw-dev opt]# chown -R root:root luna

11拣凹、配置nginx

[root@xyw-dev opt]# cd /usr/local/nginx/conf/
[root@xyw-dev conf]# ls
fastcgi.conf            koi-utf             nginx.conf           uwsgi_params
fastcgi.conf.default    koi-win             nginx.conf.default   uwsgi_params.default
fastcgi_params          mime.types          scgi_params          win-utf
fastcgi_params.default  mime.types.default  scgi_params.default
[root@xyw-dev conf]# mkdir conf.d
[root@xyw-dev conf]# cd conf.d/
[root@xyw-dev conf.d]# vim jumpserver.conf
[root@xyw-dev conf.d]# ls
jumpserver.conf
[root@xyw-dev conf.d]# cat jumpserver.conf
server {
    listen 80;
    # server_name _;
    server_name bastion.qf.com;

    client_max_body_size 100m;  # 錄像及文件上傳大小限制

    location /luna/ {
        try_files $uri / /index.html;
        alias /opt/luna/;  # luna 路徑, 如果修改安裝目錄, 此處需要修改
    }

    location /media/ {
        add_header Content-Encoding gzip;
        root /opt/jumpserver/data/;  # 錄像位置, 如果修改安裝目錄, 此處需要修改
    }

    location /static/ {
        root /opt/jumpserver/data/;  # 靜態(tài)資源, 如果修改安裝目錄, 此處需要修改
    }

    location /koko/ {
        proxy_pass       http://localhost:5000;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    location /guacamole/ {
        proxy_pass       http://localhost:8081/;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    location /ws/ {
        proxy_pass http://localhost:8070;
        proxy_http_version 1.1;
        proxy_buffering off;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    location / {
        proxy_pass http://localhost:8080;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }
}
[root@xyw-dev conf.d]#
[root@xyw-dev conf.d]# cd ..
[root@xyw-dev conf]# vim nginx.conf
[root@xyw-dev conf]# grep -Pv "^($| *#)" nginx.conf
worker_processes  1;
events {
    worker_connections  1024;
}
http {
    include       mime.types;
    default_type  application/octet-stream;
    sendfile        on;
    keepalive_timeout  65;
    include /usr/local/nginx/conf/conf.d/*.conf;
}
[root@xyw-dev conf]# cd ..
[root@xyw-dev nginx]# sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@xyw-dev nginx]#

12森爽、Jumpserver 登錄測(cè)試

• 檢查應(yīng)用是否已經(jīng)正常運(yùn)行
• 服務(wù)全部啟動(dòng)后, 訪問 jumpserver 服務(wù)器 nginx 代理的 80 端口, 不要通過8080端口訪問
• 默認(rèn)賬號(hào): admin 密碼: admin

下一篇：基于Centos7安裝部署使用Jumpserver堡壘機(jī)（二）