Jumpserver Bastion Host Deployment

Deploying Jumpserver (CentOS 7 environment)

1. Jumpserver overview

Jumpserver is the world's first fully open-source bastion host, released under the GNU GPL v2.0 license, and is a professional operations audit system that meets the 4A requirements.
Jumpserver is developed in Python / Django, follows Web 2.0 conventions, and ships with an industry-leading Web Terminal solution with an attractive interface and a good user experience.
Jumpserver uses a distributed architecture that supports deployment across multiple data centers and regions: the central node provides the API, each data center runs its own login nodes, and the system scales horizontally with no limit on concurrent access.

Components:

Jumpserver
Now refers to the Jumpserver management backend, the core component (Core). It is developed in the Django class-based-view style and exposes a RESTful API.

Coco
The component that implements the SSH server and the Web Terminal server. It provides SSH and WebSocket interfaces and is built on Paramiko and Flask.

Luna
Now the Web Terminal front end. The plan is for all front-end pages to be served by this project, with Jumpserver providing only the API and no longer rendering HTML on the backend.

2. Environment preparation

Environment:

| Role               | IP          |
|--------------------|-------------|
| jumpserver         | 192.168.2.5 |
| web server (asset) | 192.168.2.6 |

Steps:

① Disable the firewall and SELinux

```
[root@localhost ~]# sed -i '/SELINUX/s/enforcing/disabled/g' /etc/sysconfig/selinux
[root@localhost ~]# systemctl disable firewalld && reboot
```

② Change the locale; otherwise you may hit an input/output error, because the logs print Chinese text

```
[root@localhost ~]# localedef -c -f UTF-8 -i zh_CN zh_CN.UTF-8
[root@localhost ~]# export LC_ALL=zh_CN.UTF-8
[root@localhost ~]# echo 'LANG="zh_CN.UTF-8"' > /etc/locale.conf
```

③ Prepare Python 3 and a Python virtual environment

```
[root@localhost ~]# yum -y install wget sqlite-devel xz gcc automake zlib-devel openssl-devel epel-release git
[root@localhost ~]# wget https://www.python.org/ftp/python/3.6.1/Python-3.6.1.tar.xz
[root@localhost ~]# mv Python-3.6.1.tar.xz /usr/src && cd /usr/src/ && tar xvf Python-3.6.1.tar.xz && cd Python-3.6.1
[root@localhost Python-3.6.1]# ./configure && make && make install
```

④ Create the virtual environment

```
[root@localhost Python-3.6.1]# cd /opt/
[root@localhost opt]# python3 -m venv py3
[root@localhost opt]# . /opt/py3/bin/activate
(py3) [root@localhost opt]#
```

The prompt below indicates success. From now on, run the source command above before running Jumpserver; all of the following commands are run inside this virtual environment.

```
(py3) [root@localhost py3]
```

⑤ Load the virtual environment automatically

```
(py3) [root@localhost opt]# git clone git://github.com/kennethreitz/autoenv.git ~/.autoenv
(py3) [root@localhost opt]# echo 'source ~/.autoenv/activate.sh' >> ~/.bashrc
(py3) [root@localhost opt]# source ~/.bashrc
```

3. Install Jumpserver

Steps:

① Clone the project

```
(py3) [root@localhost ~]# cd /opt/
(py3) [root@localhost opt]# git clone --depth=1 https://github.com/jumpserver/jumpserver.git && cd jumpserver && git checkout master
(py3) [root@localhost jumpserver]# echo "source /opt/py3/bin/activate" > /opt/jumpserver/.env
```

② Install dependencies

```
(py3) [root@localhost jumpserver]# cd requirements/
# the first time you enter the jumpserver directory, autoenv may prompt you; answer y
(py3) [root@localhost requirements]# yum -y install $(cat rpm_requirements.txt)
(py3) [root@localhost requirements]# pip install -r requirements.txt
```

③ Install Redis

Jumpserver uses Redis as its cache and as the Celery broker (Celery is the Python distributed task-scheduling module).

```
(py3) [root@localhost ~]# yum -y install redis
(py3) [root@localhost ~]# systemctl start redis
```

④ Install MySQL

```
(py3) [root@localhost ~]# yum -y install 'mariadb*'
(py3) [root@localhost ~]# systemctl start mariadb
(py3) [root@localhost ~]# systemctl enable mariadb
```

⑤ Grant database privileges to jumpserver

```
(py3) [root@localhost ~]# mysql
MariaDB [(none)]> create database jumpserver default charset 'utf8';
MariaDB [(none)]> grant all on jumpserver.* to jumpserver@'127.0.0.1' identified by '123.com';
MariaDB [(none)]> flush privileges;
```

⑥ Edit the Jumpserver configuration file

```
(py3) [root@localhost ~]# cd /opt/jumpserver/
(py3) [root@localhost jumpserver]# cp config_example.py config.py
(py3) [root@localhost jumpserver]# vi config.py
```

```
......    # remove the `pass` under this class and add the following settings
class DevelopmentConfig(Config):
    DEBUG = True
    DB_ENGINE = 'mysql'
    DB_HOST = '127.0.0.1'
    DB_PORT = 3306
    DB_USER = 'jumpserver'
    DB_PASSWORD = '123.com'
    DB_NAME = 'jumpserver'
......
```
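Steps ⑤ and ⑥ grant the jumpserver database user the literal password '123.com' and then copy it by hand into config.py. The script below is an added example, not part of the original post or of the Jumpserver project: it generates a random alphanumeric password, renders the same GRANT statements the post types into the MariaDB shell, and rewrites the DB_PASSWORD line of config.py to match, so the two never drift apart and no fixed password ends up on disk. The function names, the RUN_SETUP and CONFIG_PY variables and the default path /opt/jumpserver/config.py are this example's own choices.

```shell
#!/usr/bin/env bash
# Added example, not from the original post or the Jumpserver project.
# Creates the jumpserver database with a randomly generated password
# (instead of the literal '123.com' from the walkthrough) and writes that
# password into config.py. Function names and RUN_SETUP are this example's own.
set -eu

# Generate an alphanumeric password of the given length (default 32) from /dev/urandom.
# The restricted character set means the value needs no quoting in SQL, Python or sed.
gen_db_password() {
    len="${1:-32}"
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "$len"
}

# Print the SQL the post runs interactively, with the password substituted.
render_grant_sql() {
    pass="$1"
    printf "create database if not exists jumpserver default charset 'utf8';\n"
    printf "grant all on jumpserver.* to jumpserver@'127.0.0.1' identified by '%s';\n" "$pass"
    printf "flush privileges;\n"
}

# Rewrite the DB_PASSWORD line of a config.py-style file in place, keeping its indentation.
# '|' is the sed delimiter so a value containing '/' could not break the expression.
set_config_password() {
    pass="$1"
    cfg="${2:-/opt/jumpserver/config.py}"
    sed -i "s|^\([[:space:]]*DB_PASSWORD = \).*|\1'${pass}'|" "$cfg"
}

# Live run: RUN_SETUP=1 ./setup_db.sh
# Requires a local MariaDB reachable as root through the `mysql` client, as in step ⑤.
main() {
    pass="$(gen_db_password 32)"
    render_grant_sql "$pass" | mysql                       # apply the grants
    set_config_password "$pass" "${CONFIG_PY:-/opt/jumpserver/config.py}"
    echo "jumpserver DB password written to config.py"    # the value itself is never printed
}

if [ "${RUN_SETUP:-}" = "1" ]; then
    main
fi
```

Without RUN_SETUP=1 the script only defines the functions, so it can be sourced and each step inspected before anything touches the database or config.py.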

⑦ Generate the database schema and the initial data

```
(py3) [root@localhost jumpserver]# cd /opt/jumpserver/utils/
(py3) [root@localhost utils]# bash make_migrations.sh
```

⑧ Run Jumpserver

```
(py3) [root@localhost utils]# cd /opt/jumpserver/
(py3) [root@localhost jumpserver]# ./jms start all
./jms start|stop|status|restart all
```

To run it in the background, add the -d option.
If it reports an error, stop it and run it again.

If there are no errors, open http://192.168.2.5:8080 in a browser. The default account is admin, with password admin.

4. Install the SSH server and WebSocket server: Coco

Steps:

① Clone the project (open a new terminal, and remember to load the virtual environment)

```
[root@localhost ~]# cd /opt/
[root@localhost opt]# . py3/bin/activate
(py3) [root@localhost opt]# git clone https://github.com/jumpserver/coco.git && cd coco && git checkout master

(py3) [root@localhost coco]# echo "source /opt/py3/bin/activate" > /opt/coco/.env
```

② Install dependencies

```
(py3) [root@localhost coco]# cd /opt/coco/requirements/
# the first time you enter the directory, autoenv may prompt you; answer y
(py3) [root@localhost requirements]# yum -y install $(cat rpm_requirements.txt)
(py3) [root@localhost requirements]# pip install -r requirements.txt -i https://pypi.org/simple
```

③ Check the configuration file and run Coco

```
(py3) [root@localhost requirements]# cd /opt/coco/
(py3) [root@localhost coco]# cp conf_example.py conf.py
(py3) [root@localhost coco]# ./cocod start
./cocod start|stop|status|restart

Start coco process
2018-05-28 16:14:25 [service DEBUG] Initial app service
2018-05-28 16:14:25 [service DEBUG] Load access key
2018-05-28 16:14:25 [service INFO] No access key found, register it
2018-05-28 16:14:25 [service INFO] "Terminal was not accepted yet"
2018-05-28 16:14:28 [service INFO] "Terminal was not accepted yet"
```

The message says the terminal has not been accepted yet; go to http://192.168.2.5:8080/terminal/terminal to accept it.

5. Install the Web Terminal front end: Luna

(Open a new terminal.) Luna is now a pure front end and needs an Nginx proxy in front of it to be reachable.

```
[root@localhost ~]# cd /opt/
[root@localhost opt]# wget https://github.com/jumpserver/luna/releases/download/1.3.0/dist.tar.gz
[root@localhost opt]# tar zxf dist.tar.gz
[root@localhost opt]# mv dist luna
[root@localhost opt]# ls /opt/luna/
.....
```

6. Configure Nginx to integrate the components

Steps:

① Download and install from source

```
[root@localhost opt]# useradd -s /sbin/nologin www
[root@localhost opt]# wget http://nginx.org/download/nginx-1.14.0.tar.gz
[root@localhost opt]# tar zxf nginx-1.14.0.tar.gz && cd nginx-1.14.0
[root@localhost nginx-1.14.0]# ./configure --prefix=/usr/local/nginx --user=www --group=www --with-http_stub_status_module --with-http_realip_module --with-http_ssl_module --with-http_gzip_static_module --with-pcre --with-http_flv_module
[root@localhost nginx-1.14.0]# make && make install
[root@localhost nginx-1.14.0]# ln -s /usr/local/nginx/sbin/nginx /usr/local/sbin/
[root@localhost nginx-1.14.0]# cd /usr/local/nginx/conf/ && vim nginx.conf
```

② Edit the configuration file

```nginx
http {
    .....   # the rest of the http context is omitted; replace the server block with this one
    server {
        listen 80;

        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        location /luna/ {
            try_files $uri / /index.html;
            alias /opt/luna/;
        }

        location /media/ {
            add_header Content-Encoding gzip;
            root /opt/jumpserver/data/;
        }

        location /static/ {
            root /opt/jumpserver/data/;
        }

        location /socket.io/ {
            proxy_pass http://localhost:5000/socket.io/;   # if coco runs on another server, use its IP
            proxy_buffering off;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
        }
        location / {
            proxy_pass http://localhost:8080;   # if jumpserver runs on another server, use its IP
        }
    }
}
```

```
[root@localhost conf]# nginx -t   # start only once the config check passes
[root@localhost conf]# nginx
```

③ Confirm the services are healthy, then start using Jumpserver

```
[root@localhost conf]# cd /opt/jumpserver/
(py3) [root@localhost jumpserver]# ./jms status
gunicorn is running: 33734
celery is running: 33627
beat is running: 33629
```

```
(py3) [root@localhost jumpserver]# cd ../coco/
(py3) [root@localhost coco]# ./cocod status
Coco is running: 57935
```

Open http://192.168.2.5
The default account is admin, with password admin.
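Step ③ checks the services by reading the status output by eye. The script below is an added example, not part of the original post or of the Jumpserver project; it turns that check into something repeatable: it parses `./jms status` and `./cocod status` for the expected processes, checks `ss -ltn` output for the ports this deployment uses (80 for Nginx, 8080 for Jumpserver, 5000 for Coco's WebSocket, 2222 for Coco's SSH), and lists which backend ports (MariaDB 3306, Redis 6379) are bound to all interfaces rather than to 127.0.0.1, which is worth knowing on a host where firewalld was disabled in step 2-①. The embedded sample outputs are constructed for the example (the port list and which ports appear in them are made up, not captured from a real host); the function names and the --live flag are this example's own.

```shell
#!/usr/bin/env bash
# Added example, not from the original post or the Jumpserver project.
# Health and exposure check for the deployment described on this page.
# Function names and the --live flag are this example's own choices.
set -eu

# Constructed sample outputs (not captured from a real host) so the checks run offline.
SAMPLE_JMS_STATUS='gunicorn is running: 33734
celery is running: 33627
beat is running: 33629'
SAMPLE_COCO_STATUS='Coco is running: 57935'
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:80          0.0.0.0:*
LISTEN 0      128    0.0.0.0:8080        0.0.0.0:*
LISTEN 0      128    127.0.0.1:5000      0.0.0.0:*
LISTEN 0      80     0.0.0.0:3306        0.0.0.0:*
LISTEN 0      128    127.0.0.1:6379      0.0.0.0:*'

# all_running STATUS_TEXT NAME... -> 0 if every NAME appears as "<name> is running: <pid>".
all_running() {
    status_text="$1"; shift
    for name in "$@"; do
        printf '%s\n' "$status_text" | grep -qi "^${name} is running: [0-9][0-9]*" || return 1
    done
    return 0
}

# listening_ports_missing SS_OUTPUT PORT... -> prints the ports that have no LISTEN socket.
listening_ports_missing() {
    ss_output="$1"; shift
    missing=""
    for port in "$@"; do
        printf '%s\n' "$ss_output" | grep -Eq "^LISTEN .*:${port}[[:space:]]" || missing="$missing $port"
    done
    printf '%s' "${missing# }"
}

# bound_to_all SS_OUTPUT PORT... -> prints the ports listening on every interface
# (0.0.0.0, * or [::]) instead of on loopback only.
bound_to_all() {
    ss_output="$1"; shift
    exposed=""
    for port in "$@"; do
        printf '%s\n' "$ss_output" | grep -Eq "^LISTEN .*(0\.0\.0\.0|\*|\[::\]):${port}[[:space:]]" \
            || continue
        exposed="$exposed $port"
    done
    printf '%s' "${exposed# }"
}

# Live run on the bastion host: ./check_jumpserver.sh --live
if [ "${1:-}" = "--live" ]; then
    jms_out="$(cd /opt/jumpserver && ./jms status)"
    coco_out="$(cd /opt/coco && ./cocod status)"
    ss_out="$(ss -ltn)"
    all_running "$jms_out" gunicorn celery beat && echo "jms: ok" || echo "jms: NOT all running"
    all_running "$coco_out" coco && echo "coco: ok" || echo "coco: NOT running"
    echo "ports not listening (80 8080 5000 2222): $(listening_ports_missing "$ss_out" 80 8080 5000 2222)"
    echo "backend ports bound to all interfaces (3306 6379): $(bound_to_all "$ss_out" 3306 6379)"
fi
```

On the constructed sample, listening_ports_missing reports 2222 (no Coco SSH listener) and bound_to_all reports 3306 (MariaDB reachable from every interface), which is the kind of gap the status lines alone do not show.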

7. Test the connection

From the asset server, or from a macOS or Linux client, the login syntax is:

```
$ ssh -p2222 admin@192.168.2.5
$ sftp -P2222 admin@192.168.2.5
```

Password: admin

If the client is Windows, the Xshell terminal login syntax is:

```
$ ssh admin@192.168.2.5 2222
$ sftp admin@192.168.2.5 2222
```

Password: admin
If you can log in, the deployment succeeded.

By default, sftp uploads land in the asset's /tmp directory.

Special thanks to the Jumpserver project for making it open source; this article is adapted from the official documentation:
http://docs.jumpserver.org/zh…