Preface
Jumpserver is the world's first fully open-source bastion host (jump server), a professional operations audit system that meets the 4A requirements; see the project page for more details:
https://github.com/jumpserver/jumpserver
This system is fairly involved to deploy and has several components. The official documentation is reasonably detailed, but I hit a few small pitfalls deploying it on Debian 9, so here are my complete installation steps.
The system here is Debian 9.9, with at least 2 GB of RAM, and I mean at least 2 GB!
Installing Jumpserver
Update the package sources and install the dependencies:
apt -y update
apt -y install wget git build-essential nginx redis-server mariadb-server \
  python3-dev python3-venv libffi-dev libtiff5-dev libjpeg62-turbo-dev zlib1g-dev \
  libfreetype6-dev liblcms2-dev libwebp-dev tcl8.5-dev tk8.5-dev python-tk python-dev \
  openssl libssl-dev libldap2-dev libsasl2-dev sqlite libkrb5-dev sshpass default-libmysqlclient-dev
Enable Nginx/Redis/MariaDB so they start at boot:
systemctl enable nginx redis-server mariadb
Initialize MariaDB:
mysql_secure_installation
Log in to the MariaDB shell:
mysql -u root -p
Create the database, the user, and the grants:
CREATE DATABASE jumpserver CHARACTER SET utf8 COLLATE utf8_general_ci;
CREATE USER 'jumpserver'@'127.0.0.1' IDENTIFIED BY 'your-database-user-password';
GRANT ALL PRIVILEGES ON jumpserver.* TO 'jumpserver'@'127.0.0.1';
FLUSH PRIVILEGES;
quit
Create a Python 3 virtual environment:
cd /opt
python3 -m venv imlala
source /opt/imlala/bin/activate
Pull the project files:
git clone https://github.com/jumpserver/jumpserver.git
cd jumpserver
Install the Python dependencies:
pip install --upgrade pip setuptools
pip install -r /opt/jumpserver/requirements/requirements.txt
Make sure every one of these dependencies installs successfully:
Make a copy of the config file:
cp config_example.yml config.yml
Change a few configuration settings:
sed -i "s/# LOG_LEVEL: DEBUG/LOG_LEVEL: ERROR/g" /opt/jumpserver/config.yml
sed -i "s/# SESSION_EXPIRE_AT_BROWSER_CLOSE: false/SESSION_EXPIRE_AT_BROWSER_CLOSE: true/g" /opt/jumpserver/config.yml
Then edit the config file:
nano config.yml
Fill in the Key/Token by hand:
Then keep scrolling down and configure the MySQL connection details:
Create a new systemd service file:
nano /etc/systemd/system/jms.service
With the following contents:
[Unit]
Description=jms
After=network.target mariadb.service redis.service

[Service]
Type=forking
User=root
Environment="PATH=/opt/imlala/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin"
PIDFile=/opt/jumpserver/tmp/celery.pid
ExecStart=/opt/jumpserver/jms start all -d
ExecReload=/opt/jumpserver/jms restart all
ExecStop=/opt/jumpserver/jms stop all
Restart=always

[Install]
WantedBy=multi-user.target
Start Jumpserver:
systemctl start jms
systemctl enable jms
Installing KoKo
You could also install CoCo here; KoKo and CoCo are really the same thing, except that KoKo is implemented in Go while CoCo is in Python.
My impression is that the Jumpserver team intends to replace CoCo with KoKo going forward, so we'll deploy KoKo here.
Download:
cd /opt
wget https://github.com/jumpserver/koko/releases/download/1.5.2/koko-master-9ab4ea6-linux-amd64.tar.gz
tar -xzvf koko-master-9ab4ea6-linux-amd64.tar.gz
rm -rf koko-master-9ab4ea6-linux-amd64.tar.gz
chown -R root:root kokodir
cd kokodir
cp config_example.yml config.yml
Edit KoKo's config file:
nano config.yml
Only the Token inside needs changing; it must match the one configured earlier in Jumpserver:
Create a new systemd service file:
nano /etc/systemd/system/koko.service
With the following contents:
[Unit]
Description=jumpserver koko server

[Service]
User=root
WorkingDirectory=/opt/kokodir
ExecStart=/opt/kokodir/koko
Restart=on-abort

[Install]
WantedBy=multi-user.target
Start KoKo:
systemctl start koko
systemctl enable koko
Installing Guacamole
Install Java and the dependency packages:
apt -y install openjdk-8-jdk libcairo2-dev libpng-dev libossp-uuid-dev libavcodec-dev \
  libavutil-dev libswscale-dev libfreerdp-dev libpango1.0-dev libssh2-1-dev libtelnet-dev \
  libvncserver-dev libpulse-dev libvorbis-dev libwebp-dev libwebsockets-dev
Download the guacamole-server source, then build and install it:
cd /opt
git clone https://github.com/jumpserver/docker-guacamole.git
wget https://www-us.apache.org/dist/guacamole/1.0.0/source/guacamole-server-1.0.0.tar.gz
tar -xzvf guacamole-server-1.0.0.tar.gz
rm -rf guacamole-server-1.0.0.tar.gz
cd guacamole-server-1.0.0
./configure --with-init-dir=/etc/init.d
make -j$(nproc)
make install
ldconfig
Start guacd:
systemctl start guacd
systemctl enable guacd
Installing Tomcat
Download:
cd /opt
useradd -m -d /opt/tomcat -s /sbin/nologin -U tomcat
wget https://www.apache.org/dist/tomcat/tomcat-9/v9.0.22/bin/apache-tomcat-9.0.22.tar.gz
tar -xzvf apache-tomcat-9.0.22.tar.gz -C /opt
cp -r /opt/apache-tomcat-9.0.22/. /opt/tomcat
rm -rf /opt/apache-tomcat-9.0.22
rm -rf apache-tomcat-9.0.22.tar.gz
chown -R tomcat:tomcat /opt/tomcat
Change Tomcat's listening port to 8081 so it does not conflict with Jumpserver:
sed -i 's/Connector port="8080"/Connector port="8081"/g' /opt/tomcat/conf/server.xml
Create a new systemd service file:
nano /etc/systemd/system/tomcat.service
With the following contents:
[Unit]
Description=Apache Tomcat 9 Server
After=network.target

[Service]
Type=forking
User=tomcat
Group=tomcat
UMask=0007
RestartSec=10
Restart=always
Environment=JAVA_HOME=/usr/lib/jvm/java-8-openjdk-amd64/jre
Environment="JAVA_OPTS=-Djava.security.egd=file:///dev/urandom"
Environment=CATALINA_BASE=/opt/tomcat
Environment=CATALINA_HOME=/opt/tomcat
Environment=CATALINA_PID=/opt/tomcat/temp/tomcat.pid
Environment="CATALINA_OPTS=-Xms512M -Xmx1024M -server -XX:+UseParallelGC"
ExecStart=/opt/tomcat/bin/startup.sh
ExecStop=/opt/tomcat/bin/shutdown.sh

[Install]
WantedBy=multi-user.target
Start Tomcat:
systemctl start tomcat
systemctl enable tomcat
Configuring Guacamole
Copy the Guacamole client into Tomcat's webapps directory:
cp /opt/docker-guacamole/guacamole-1.0.0.war /opt/tomcat/webapps/guacamole.war
Create the directories Guacamole needs:
mkdir -p /etc/guacamole/ && mkdir -p /etc/guacamole/extensions && mkdir -p /etc/guacamole/lib
Move the Jumpserver authentication extension and the Guacamole config file into their respective directories:
cp /opt/docker-guacamole/guacamole-auth-jumpserver-1.0.0.jar /etc/guacamole/extensions
cp /opt/docker-guacamole/root/app/guacamole/guacamole.properties /etc/guacamole
Download and set up ssh-forward:
cd /opt
wget https://github.com/ibuler/ssh-forward/releases/download/v0.0.5/linux-amd64.tar.gz
tar -xzvf linux-amd64.tar.gz -C /bin/
rm -rf linux-amd64.tar.gz
chmod +x /bin/ssh-forward
Create a new environment variable file:
nano /etc/profile.d/guacamole.sh
With the following contents:
export GUACAMOLE_HOME=/etc/guacamole
export JUMPSERVER_SERVER=http://127.0.0.1:8080
export BOOTSTRAP_TOKEN=imlalaNxje2wNDf5e # must match the token in jumpserver/koko
export JUMPSERVER_KEY_DIR=/etc/guacamole/keys
Apply it:
chmod +x /etc/profile.d/guacamole.sh
source /etc/profile.d/guacamole.sh
Note that systemd does not source /etc/profile.d, so a Tomcat started by the unit above only sees these variables if they are also handed to the service (for example through an EnvironmentFile= line in tomcat.service).
Restart Tomcat:
systemctl restart tomcat
Configuring Luna/Nginx
Download the Luna component:
cd /opt
wget https://github.com/jumpserver/luna/releases/download/1.5.2/luna.tar.gz
tar -xzvf luna.tar.gz
rm -rf luna.tar.gz
chown -R root:root luna
Create a new Nginx site config file:
nano /etc/nginx/conf.d/jumpserver.conf
With the following contents:
server {
    listen 80;
    server_name jumpserver.koko.cat;
    client_max_body_size 100m;  # size limit for recordings and file uploads

    location /luna/ {
        try_files $uri / /index.html;
        alias /opt/luna/;  # luna path; change this if you change the install directory
    }

    location /media/ {
        add_header Content-Encoding gzip;
        root /opt/jumpserver/data/;  # recording location; change this if you change the install directory
    }

    location /static/ {
        root /opt/jumpserver/data/;  # static assets; change this if you change the install directory
    }

    location /socket.io/ {
        proxy_pass http://localhost:5000/socket.io/;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    location /coco/ {
        proxy_pass http://localhost:5000/coco/;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    location /guacamole/ {
        proxy_pass http://localhost:8081/;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    location / {
        proxy_pass http://localhost:8080;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
Finally, restart Nginx:
systemctl restart nginx
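The guide's only guard against a mismatched BOOTSTRAP_TOKEN (set in Jumpserver's config.yml, KoKo's config.yml and /etc/profile.d/guacamole.sh) is to type it carefully, so here is an added post-install check script, written for this page and not part of the original post or the Jumpserver project. It assumes the file paths and ports used in this guide (8080 jms, 5000 koko, 8081 tomcat, 80 nginx) and that both config.yml files use the key name BOOTSTRAP_TOKEN.

```shell
#!/bin/sh
# Added example (not from the original post): confirm that BOOTSTRAP_TOKEN is
# identical in the three places this guide sets it, and that the services from
# the guide are up. Paths, unit names and ports are the ones used in the guide.

# Print the BOOTSTRAP_TOKEN value from a YAML config ("KEY: value") or a shell
# env file ("export KEY=value"), ignoring commented-out lines, surrounding
# quotes and trailing "# ..." comments.
extract_token() {
    grep -E '^[[:space:]]*(export[[:space:]]+)?BOOTSTRAP_TOKEN[[:space:]]*[:=]' "$1" \
        | head -n 1 \
        | sed -E 's/^[^:=]*[:=][[:space:]]*//; s/[[:space:]]+#.*$//; s/[[:space:]]*$//' \
        | tr -d "\"'"
}

# Succeed only if every file carries the same, non-placeholder token.
# A value in "<...>" form is the untouched placeholder from config_example.yml.
check_tokens() {
    ref=""
    for f in "$@"; do
        t=$(extract_token "$f" 2>/dev/null)
        case "$t" in
            ""|\<*) echo "FAIL: $f has no usable BOOTSTRAP_TOKEN"; return 1 ;;
        esac
        if [ -z "$ref" ]; then
            ref="$t"
        elif [ "$t" != "$ref" ]; then
            echo "FAIL: BOOTSTRAP_TOKEN in $f differs from the first file"; return 1
        fi
    done
    echo "OK: BOOTSTRAP_TOKEN matches across $# files"
}

# Check that each unit from the guide is active and its port is bound
# (8080 jms, 5000 koko, 8081 tomcat, 80 nginx). Needs systemd and ss.
check_services() {
    rc=0
    for pair in jms:8080 koko:5000 tomcat:8081 nginx:80; do
        svc=${pair%%:*}; port=${pair##*:}
        systemctl is-active --quiet "$svc" || { echo "DOWN: $svc"; rc=1; }
        ss -ltn | grep -Eq "[:.]$port[[:space:]]" || { echo "NOT LISTENING: $port ($svc)"; rc=1; }
    done
    return $rc
}

# Usage: sh check-jumpserver.sh --all   (runs both checks against the guide's paths)
if [ "${1:-}" = "--all" ]; then
    check_tokens /opt/jumpserver/config.yml /opt/kokodir/config.yml /etc/profile.d/guacamole.sh
    check_services
fi
```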
Basic use of Jumpserver
Open your site's domain and you should see the Jumpserver login page:
The first thing to do after logging in is change your admin account's password, then create an admin user. For this admin user, enter the root credentials of the machine you are about to add; if you use public-key authentication, upload the private key instead:
Then create an asset (that is, add your machine), selecting the admin user you just created:
If everything is fine, you can see some basic hardware information about the added machine here:
Now we need to create a system user. A system user can use either automatic or manual login; automatic login requires you to fill in the account credentials here in advance. If you only want to log in as root, you can simply enter the root credentials here as well.
You can also tick auto-push. If you do, and the account you entered here does not exist on the target machine, Jumpserver will create it for you automatically and complete the login:
Finally, authorize the asset to the system user you just created:
Under Sessions - Web Terminal you can now connect to the server:
It's not hard to see that Jumpserver incorporates part of Guacamole's functionality; if you don't have many requirements, you could also consider using Guacamole directly, which is much simpler to deploy:
What does a bastion host do? Exterminate the cockroaches in my house? If it works well I'll get one too
Boss, I have a question I'd like to ask you, could I add you on QQ, or on tg: @laulzgoay
Boss, could you write a quick Docker deployment tutorial? I've tried for ages and never got it to work