您的位置: 首页  >  IT文章  >  Jumpserver(堡垒机)的安装与应用

Jumpserver(堡垒机)的安装与应用

分类: IT文章 2024-06-30 19:26:43

官网:http://docs.jumpserver.org/zh/docs/introduce.html

参考:https://www.cnblogs.com/mushou/p/9484317.html

 作者:邓聪聪

环境

  • 系统: CentOS 7.6
  • IP: 172.16.16.2
  • 关闭 selinux 和防火墙
  • jumpserver和coco、luna的版本必须保持一致
[root@bogon ~]# setenforce 0
[root@bogon ~]# sed -i "s/enforcing/disabled/g" /etc/selinux/config
[root@bogon ~]# iptables -F

1.准备 Python3 和 Python 虚拟环境

  1. 安装依赖包 
    [root@bogon ~]# yum -y install wget gcc epel-release git
  2. 安装 Python3.6 
    [root@bogon ~]# yum -y install python36 python36-devel
  3. 建立 Python 虚拟环境 
    [root@bogon ~]#  cd /opt
[root@bogon opt]#  python3.6 -m venv py3
[root@bogon opt]#  source /opt/py3/bin/activate
# 看到下面的提示符代表成功,以后运行 Jumpserver 都要先运行以上 source 命令,以下所有命令均在该虚拟环境中运行
(py3)[root@bogon opt]#

2.安装 Jumpserver

  1. Clone 项目也可以选择去 Github 项目页面直接下载zip包 
    (py3)[root@bogon opt]# git clone https://github.com/jumpserver/jumpserver.git
  2. 安装依赖 RPM 包 
    (py3)[root@bogon opt]#cd /opt/jumpserver/requirements
(py3)[root@bogon requirements]#yum -y install $(cat rpm_requirements.txt)
  3. 安装 Python 库依赖 
    (py3)[root@bogon requirements]#pip install --upgrade pip setuptools
(py3)[root@bogon requirements]#pip install -r requirements.txt
  4. 安装 Redis, Jumpserver 使用 Redis 做 cache 和 celery broke 
    (py3)[root@bogon requirements]#yum -y install redis
(py3)[root@bogon requirements]#systemctl start redis
  5.  安装 MySQL

    (py3) [root@bogon requirements]# yum -y install mariadb mariadb-devel mariadb-server # centos7下安装的是mariadb
    (py3) [root@bogon requirements]# systemctl start mariadb

  6. 创建数据库 Jumpserver 并授权 
    (py3) [root@bogon requirements]#mysql -uroot
mysql> create database jumpserver default charset 'utf8';
mysql> grant all on jumpserver.* to 'jumpserver'@'127.0.0.1' identified by 'weakPassword';
mysql> flush privileges;
mysql> quit
  7. 修改 Jumpserver 配置文件    注意: 配置文件是 Python 格式,不要用 TAB,而要用空 
    (py3) [root@bogon requirements]#cd  ..
(py3) [root@bogon jumpserver]# cp config_example.py config.py
(py3) [root@bogon jumpserver]# vi config.py
    #!/usr/bin/env python3
# -*- coding: utf-8 -*-
"""
    jumpserver.config
    ~~~~~~~~~~~~~~~~~

    Jumpserver project setting file

    :copyright: (c) 2014-2017 by Jumpserver Team
    :license: GPL v2, see LICENSE for more details.
"""
import os

BASE_DIR = os.path.dirname(os.path.abspath(__file__))


class Config:
    """
    Jumpserver Config File
    Jumpserver 配置文件

    Jumpserver use this config for drive django framework running,
    You can set is value or set the same envirment value,
    Jumpserver look for config order: file => env => default

    Jumpserver使用配置来驱动Django框架的运行,
    你可以在该文件中设置,或者设置同样名称的环境变量,
    Jumpserver使用配置的顺序: 文件 => 环境变量 => 默认值
    """
    # SECURITY WARNING: keep the secret key used in production secret!
    # 加密秘钥 生产环境中请修改为随机字符串,请勿外泄
    SECRET_KEY = '2vym+ky!997d5kkcc64mnz06y1mmui3lut#(^wd=%s_qj$1%x'
    ALLOWED_HOSTS = ['*']

    # SECURITY WARNING: keep the bootstrap token used in production secret!
    # 预共享Token coco和guacamole用来注册服务账号,不在使用原来的注册接受机制
    BOOTSTRAP_TOKEN = 'nwv4RdXpM82LtSvmV'

    # Development env open this, when error occur display the full process track, Production disable it
    # DEBUG 模式 开启DEBUG后遇到错误时可以看到更多日志
    # DEBUG = True
    DEBUG = False

    # DEBUG, INFO, WARNING, ERROR, CRITICAL can set. See https://docs.djangoproject.com/en/1.10/topics/logging/
    # 日志级别
    # LOG_LEVEL = 'DEBUG'
    # LOG_DIR = os.path.join(BASE_DIR, 'logs')
    LOG_LEVEL = 'ERROR'
    LOG_DIR = os.path.join(BASE_DIR, 'logs')

    # Session expiration setting, Default 24 hour, Also set expired on on browser close
    # 浏览器Session过期时间,默认24小时, 也可以设置浏览器关闭则过期
    # SESSION_COOKIE_AGE = 3600 * 24
    # SESSION_EXPIRE_AT_BROWSER_CLOSE = False
    SESSION_EXPIRE_AT_BROWSER_CLOSE = True
    # Database setting, Support sqlite3, mysql, postgres ....
    # 数据库设置
    # See https://docs.djangoproject.com/en/1.10/ref/settings/#databases

    # SQLite setting:
    # 使用单文件sqlite数据库
    # DB_ENGINE = 'sqlite3'
    # DB_NAME = os.path.join(BASE_DIR, 'data', 'db.sqlite3')

    # MySQL or postgres setting like:
    # 使用Mysql作为数据库
    DB_ENGINE = 'mysql'
    DB_HOST = '127.0.0.1'
    DB_PORT = 3306
    DB_USER = 'jumpserver'
    DB_PASSWORD = '123456'
    DB_NAME = 'jumpserver'

    # When Django start it will bind this host and port
    # ./manage.py runserver 127.0.0.1:8080
    # 运行时绑定端口
    HTTP_BIND_HOST = '0.0.0.0'
    HTTP_LISTEN_PORT = 8080

    # Use Redis as broker for celery and web socket
    # Redis配置
    REDIS_HOST = '127.0.0.1'
    REDIS_PORT = 6379
    # REDIS_PASSWORD = ''
    # REDIS_DB_CELERY = 3
    # REDIS_DB_CACHE = 4

    # Use OpenID authorization
    # 使用OpenID 来进行认证设置
    # BASE_SITE_URL = 'http://localhost:8080'
    # AUTH_OPENID = False  # True or False
    # AUTH_OPENID_SERVER_URL = 'https://openid-auth-server.com/'
    # AUTH_OPENID_REALM_NAME = 'realm-name'
    # AUTH_OPENID_CLIENT_ID = 'client-id'
    # AUTH_OPENID_CLIENT_SECRET = 'client-secret'

    #
    # OTP_VALID_WINDOW = 0

    def __init__(self):
        pass

    def __getattr__(self, item):
        return None


class DevelopmentConfig(Config):
    pass


class TestConfig(Config):
    pass


class ProductionConfig(Config):
    pass


# Default using Config settings, you can write if/else for different env
config = DevelopmentConfig()
    View Code
  • 运行 Jumpserver 
    (py3) [root@bogon jumpserver]#./jms start all   #后台运行使用 -d 参数./jms start all -d
(py3) [root@bogon jumpserver]#./jms start|stop|status|restart all  #其他参数

    • 3.安装 SSH Server 和 WebSocket Server: Coco

    1.  Clone 项目 
      (py3) [root@bogon jumpserver]# cd ..
(py3) [root@bogon opt]# git clone https://github.com/jumpserver/coco.git
(py3) [root@bogon opt]#cd /opt/coco/requirements
(py3) [root@bogon requirements]#yum -y  install $(cat rpm_requirements.txt)
(py3) [root@bogon requirements]#pip install -r requirements.txt
    2. 修改配置文件并运行  
      (py3) [root@bogon requirements]#cd /opt/coco 
      [root@bogon coco]#       mkdir keys logs 
      [root@bogon coco]#       cp conf_example.py conf.py 
      [root@bogon coco]#       vi conf.py
      #!/usr/bin/env python3
# -*- coding: utf-8 -*-
#
import os

BASE_DIR = os.path.dirname(__file__)

class Config:
    """
    Coco config file, coco also load config from server update setting below
    """
    # 项目名称, 会用来向Jumpserver注册, 识别而已, 不能重复
    # NAME = "localhost"
    # Jumpserver项目的url, api请求注册会使用
    # CORE_HOST = os.environ.get("CORE_HOST") or 'http://127.0.0.1:8080'
    CORE_HOST = 'http://127.0.0.1:8080'
    # Bootstrap Token, 预共享秘钥, 用来注册coco使用的service account和terminal
    # 请和jumpserver 配置文件中保持一致,注册完成后可以删除
    # BOOTSTRAP_TOKEN = "PleaseChangeMe"
    BOOTSTRAP_TOKEN = "nwv4RdXpM82LtSvmV"
    # 启动时绑定的ip, 默认 0.0.0.0
    # BIND_HOST = '0.0.0.0'
    # 监听的SSH端口号, 默认2222
    # SSHD_PORT = 2222
    # 监听的HTTP/WS端口号,默认5000
    # HTTPD_PORT = 5000
    # 项目使用的ACCESS KEY, 默认会注册,并保存到 ACCESS_KEY_STORE中,
    # 如果有需求, 可以写到配置文件中, 格式 access_key_id:access_key_secret
    # ACCESS_KEY = None
    # ACCESS KEY 保存的地址, 默认注册后会保存到该文件中
    # ACCESS_KEY_STORE = os.path.join(BASE_DIR, 'keys', '.access_key')
    # 加密密钥
    # SECRET_KEY = None
    # 设置日志级别 ['DEBUG', 'INFO', 'WARN', 'ERROR', 'FATAL', 'CRITICAL']
    # LOG_LEVEL = 'INFO'
    LOG_LEVEL = 'ERROR'
    # 日志存放的目录
    # LOG_DIR = os.path.join(BASE_DIR, 'logs')
    # Session录像存放目录
    # SESSION_DIR = os.path.join(BASE_DIR, 'sessions')
    # 资产显示排序方式, ['ip', 'hostname']
    # ASSET_LIST_SORT_BY = 'ip'
    # 登录是否支持密码认证
    # PASSWORD_AUTH = True
    # 登录是否支持秘钥认证
    # PUBLIC_KEY_AUTH = True
    # SSH白名单
    # ALLOW_SSH_USER = 'all'  # ['test', 'test2']
    # SSH黑名单, 如果用户同时在白名单和黑名单,黑名单优先生效
    # BLOCK_SSH_USER = []
    # 和Jumpserver 保持心跳时间间隔
    # HEARTBEAT_INTERVAL = 5

    # Admin的名字,出问题会提示给用户
    # ADMINS = ''
    COMMAND_STORAGE = {
        "TYPE": "server"
    }
    REPLAY_STORAGE = {
        "TYPE": "server"
    }

    # SSH连接超时时间 (default 15 seconds)
    # SSH_TIMEOUT = 15
    # 语言 = en
    LANGUAGE_CODE = 'zh'

config = Config()
      View Code 
    (py3) [root@bogon coco]#./cocod start      #后台运行使用 -d 参数./cocod start -d
(py3) [root@bogon coco]#./cocod start|stop|status|restart  #脚本使用方式

    4.安装 Web Terminal 前端: Luna

    1. (py3) [root@bogon opt]# cd /opt
# 访问(https://github.com/jumpserver/luna/releases)下载对应版本的 release 包,直接解压,不需要编译
(py3) [root@bogon opt]# wget https://github.com/jumpserver/luna/releases/download/1.4.6/luna.tar.gz
(py3) [root@bogon opt]# tar -xf luna.tar.gz
(py3) [root@bogon opt]# chown -R root:root luna

    5.配置 Nginx 整合各组件

    1. 安装 Nginx 
      vi /etc/yum.repos.d/nginx.repo

[nginx]
name=nginx repo
baseurl=http://nginx.org/packages/centos/7/$basearch/
gpgcheck=0
enabled=1
      View Code

    (py3) [root@bogon opt]# yum install -y nginx
    (py3) [root@bogon opt]# rm -rf /etc/nginx/conf.d/default.conf
    (py3) [root@bogon opt]# vi /etc/nginx/conf.d/jumpserver.conf

    server {
    listen 80;  # 代理端口,以后将通过此端口进行访问,不再通过8080端口
    server_name demo.jumpserver.org;  # 修改成你的域名
 
    client_max_body_size 100m;  # 录像及文件上传大小限制
 
    location /luna/ {
        try_files $uri / /index.html;
        alias /opt/luna/;  # luna 路径,如果修改安装目录,此处需要修改
    }
 
    location /media/ {
        add_header Content-Encoding gzip;
        root /opt/jumpserver/data/;  # 录像位置,如果修改安装目录,此处需要修改
    }
 
    location /static/ {
        root /opt/jumpserver/data/;  # 静态资源,如果修改安装目录,此处需要修改
    }
 
    location /socket.io/ {
        proxy_pass       http://localhost:5000/socket.io/;  # 如果coco安装在别的服务器,请填写它的ip
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }
 
    location /coco/ {
        proxy_pass       http://localhost:5000/coco/;  # 如果coco安装在别的服务器,请填写它的ip
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }
 
    location /guacamole/ {
        proxy_pass       http://localhost:8081/;  # 如果guacamole安装在别的服务器,请填写它的ip
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }
 
    location / {
        proxy_pass http://localhost:8080;  # 如果jumpserver安装在别的服务器,请填写它的ip
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
    View Code
  • 运行nginx 
    (py3) [root@bogon opt]#nginx -t   # 确保配置没有问题, 有问题请先解决
(py3) [root@bogon opt]#systemctl start nginx
  • 使用 Jumpserver,服务全部启动后,访问 http://IP
  • jumpsever的服务启动流程 
    [root@bogon ~]#  cd /opt
[root@bogon opt]#  source /opt/py3/bin/activate  #进入python环境
(py3)[root@bogon opt]#systemctl start redis         #启动redis
(py3)[root@bogon opt]#systemctl start mariadb    #启动数据库服务
(py3)[root@bogon opt]#cd /opt/jumpserver
(py3)[root@bogon jumpserver]# ./jms start -d     #启动jumpserver服务,后台运行
(py3)[root@bogon coco]#./coco start -d          #后台运行coco服务
(py3)[root@bogon coco]#systemctl start nginx     #启动nginx服务
    (py3)[root@bogon coco]#systemctl enable nginx    #开机自启动
    (py3)[root@bogon coco]#systemctl enable mariadb 
    (py3)[root@bogon coco]#systemctl enable redis

    • 使用jumpserver时,打开会话管理-web终端无显示可能由于浏览器造成的,更换其他第三方浏览下即可

    6.Jumpserver的使用

    1. 登陆后创建用户组,方便以后的授权操作Jumpserver(堡垒机)的安装与应用

      Jumpserver(堡垒机)的安装与应用

    2. 添加系统用户Jumpserver(堡垒机)的安装与应用Jumpserver(堡垒机)的安装与应用

       Jumpserver(堡垒机)的安装与应用

      Jumpserver(堡垒机)的安装与应用

     为了更方便快捷的使用jumpserver,默认管理员无法直接生成密码给用户,有大拿提供了一下修改配置文件的办法,直接创建密码给用户,感觉挺好用就分享给大家

        配置文件路径:/opt/jumpserver/apps/users/templates/users

    (py3) [root@bogon users]# more _user.html
{% extends '_base_create_update.html' %}
{% load i18n %}
{% load static %}
{% load bootstrap3 %}
{% block form %}
    {% if form.non_field_errors %}
         <div class="alert alert-danger">
            {{ form.non_field_errors }}
         </div>
    {% endif %}
    <form method="post" class="form-horizontal" action="" enctype="multipart/form-data">
        {% csrf_token %}
        <h3>{% trans 'Account' %}</h3>
        {% bootstrap_field form.name layout="horizontal" %}
        {% bootstrap_field form.username layout="horizontal" %}
        {% bootstrap_field form.email layout="horizontal" %}
        {% bootstrap_field form.groups layout="horizontal" %}

        <div class="hr-line-dashed"></div>

        <h3>{% trans 'Auth' %}</h3>
        {#{% block password %}{% endblock %}#}    #注释该行
        {% bootstrap_field form.password layout="horizontal" %}    #追加的行内容
        {% bootstrap_field form.otp_level layout="horizontal" %}

        <div class="hr-line-dashed"></div>
        <h3>{% trans 'Security and Role' %}</h3>
        {% bootstrap_field form.role layout="horizontal" %}
        <div class="form-group {% if form.date_expired.errors %} has-error {% endif %}" id="date_5">
            <label for="{{ form.date_expired.id_for_label }}" class="col-sm-2 control-label">{{ form.date_expired.label }}</label>
            <div class="col-sm-9">
                <div class="input-group date">
                    <span class="input-group-addon"><i class="fa fa-calendar"></i></span>
                    {% if form.errors %}
                    <input id="{{ form.date_expired.id_for_label }}" name="{{ form.date_expired.html_name }}" type="text" class="form-control"  value="{{ form.date_exp
ired.value }}">
                    {% else %}
                    <input id="{{ form.date_expired.id_for_label }}" name="{{ form.date_expired.html_name }}" type="text" class="form-control"  value="{{ form.date_exp
ired.value|date:'Y-m-d H:i' }}">
                    {% endif %}
                </div>
                <span class="help-block ">{{ form.date_expired.errors }}</span>
            </div>
         </div>
        <div class="hr-line-dashed"></div>
        <h3>{% trans 'Profile' %}</h3>
        {% bootstrap_field form.phone layout="horizontal" %}
        {% bootstrap_field form.wechat layout="horizontal" %}
        {% bootstrap_field form.comment layout="horizontal" %}
        <div class="hr-line-dashed"></div>
        <div class="form-group">
            <div class="col-sm-4 col-sm-offset-2">
                <button class="btn btn-white" type="reset">{% trans 'Reset' %}</button>
                <button id="submit_button" class="btn btn-primary" type="submit">{% trans 'Submit' %}</button>
            </div>
        </div>
    </form>

{% endblock %}
{% block custom_foot_js %}
    <script src="{% static 'js/plugins/datepicker/bootstrap-datepicker.js' %}"></script>
    <script type="text/javascript" src='{% static "js/plugins/daterangepicker/moment.min.js" %}'></script>
    <script type="text/javascript" src='{% static "js/plugins/daterangepicker/daterangepicker.min.js" %}'></script>
    <link rel="stylesheet" type="text/css" href={% static "css/plugins/daterangepicker/daterangepicker.css" %} />

    <script>
        var dateOptions = {
            singleDatePicker: true,
            showDropdowns: true,
            timePicker: true,
            timePicker24Hour: true,
            autoApply: true,
            locale: {
                format: 'YYYY-MM-DD HH:mm'
            }
        };
        $(document).ready(function () {
            $('.select2').select2();
            $('#id_date_expired').daterangepicker(dateOptions);
        })
    </script>
{% endblock %}

     ***升级篇***

      升级 Jumpserver

    cd /opt/jumpserver
source /opt/py3/bin/activate
./jms stop
git fetch
git pull

pip install -r requirements/requirements.txt

启动 jumpserver
cd ../
./jms start all -d

      升级coco

    cd /opt/coco
git pull
source /opt/py3/bin/activate
./cocod stop

pip install -r requirements/requirements.txt
./cocod start -d

      升级luna

    cd /opt
rm -rf luna
wget https://github.com/jumpserver/luna/releases/download/1.4.8/luna.tar.gz

# 如果网络有问题导致下载无法完成可以使用下面地址
$ wget https://demo.jumpserver.org/download/luna/1.4.8/luna.tar.gz

tar xf luna.tar.gz
chown -R root:root luna
     

      

    相关推荐