CentOS 7 open-source bastion host: JumpServer V1.5.5 environment deployment

Introduction to JumpServer

  • JumpServer is the world's first fully open-source bastion host. It is released under the GNU GPL v2.0 license and is a professional operations audit system that follows the 4A model (account, authentication, authorization, audit).
  • JumpServer is developed in Python / Django, follows Web 2.0 conventions, and ships with an industry-leading web terminal, with a clean interface and good user experience.
  • JumpServer uses a distributed architecture and supports deployment across multiple regions and data centres. A central node provides the API and each data centre runs its own login nodes; the system scales horizontally and imposes no concurrency limit.
  • JumpServer currently supports managing assets over the SSH, Telnet, RDP and VNC protocols.
  • At the time of writing, the latest JumpServer release is V1.5.5.
JumpServer official documentation: https://jumpserver.readthedocs.io/zh/master/index.html
JumpServer source code repository: https://github.com/jumpserver/jumpserver

JumpServer core function list (figure)

JumpServer installation environment requirements

  • Hardware: 2 CPU cores, 4 GB RAM, 50 GB disk (minimum)
  • OS: a Linux x86_64 distribution
  • Python 3.6.x
  • MySQL Server ≥ 5.6, or
  • MariaDB Server ≥ 5.5.56
  • Redis

Component Description:

  • Jumpserver: the management backend. Administrators use the web page for asset management, user management and asset authorization; users use it to log in to assets and manage files.
  • Koko: the SSH server and web terminal server. Users access SSH and Telnet assets with their own accounts, either over SSH or through the web terminal.
  • Luna: the front-end pages of the web terminal server; the component users need when logging in through the web terminal.
  • Guacamole: the component for RDP and VNC assets. Users connect to RDP and VNC assets through the web terminal (for now these protocols are only reachable through the web terminal).

Port description:

  • Jumpserver: default web port 8080/tcp, default WebSocket port 8070/tcp; configuration file jumpserver/config.yml
  • Koko: default SSH port 2222/tcp, default web terminal port 5000/tcp; configuration file koko/config.yml
  • Guacamole: default port 8081/tcp; configuration file /config/tomcat9/conf/server.xml
  • Nginx: default port 80/tcp
  • Redis: default port 6379/tcp
  • MySQL: default port 3306/tcp
Of these, only 80/tcp (nginx) and 2222/tcp (koko SSH) need to be reachable by users. Nginx proxies to the other services on the local host, so they should not be opened in the firewall.

Deploy JumpServer

Firewall and SELinux settings (skip this step if you have already disabled firewalld and SELinux). Only the nginx port and the koko SSH port are opened; the host's own sshd (22/tcp) is already allowed by the default public zone. Disabling SELinux removes a layer of confinement from every service on the bastion; it is disabled here for simplicity, but keep that in mind when hardening the host later.

$ systemctl start firewalld
$ firewall-cmd --zone=public --add-port=80/tcp --permanent		# nginx port
$ firewall-cmd --zone=public --add-port=2222/tcp --permanent	# koko port for user SSH logins
Parameter explanation:
	--permanent  make the rule persistent; without it the rule is lost after a reboot

$ firewall-cmd --reload		# reload the rules
$ setenforce 0		# switch SELinux to permissive for the current session
$ sed -i "s/SELINUX=enforcing/SELINUX=disabled/g" /etc/selinux/config		# disable SELinux permanently (takes effect after a reboot)

Deploy Redis

  • JumpServer uses Redis as its cache (and as the broker for its Celery tasks). Redis can be installed with yum or compiled from the "tar" package; here it is compiled from source.
  • Compile and install Redis
[root@jump ~]# cd /usr/local/src/
[root@jump src]# wget http://download.redis.io/releases/redis-5.0.5.tar.gz
[root@jump src]# tar xf redis-5.0.5.tar.gz && cd redis-5.0.5
[root@jump redis-5.0.5]# make
[root@jump redis-5.0.5]# cd src/ && make install PREFIX=/usr/local/redis
  • Create the required file directory
[root@jump src]# mkdir /usr/local/redis/{etc,logs,run,data}
  • Write the configuration file. Comments are placed on their own lines because redis.conf does not accept a trailing comment after a directive. bind is set to the node IP to match the rest of this page; if Redis only serves the JumpServer instance on the same host, binding 127.0.0.1 is the safer choice. Replace the password with a long random one.
[root@jump src]# cat << EOF > /usr/local/redis/etc/redis.conf
daemonize yes
# listening port
port 6379
# node IP (use 127.0.0.1 when JumpServer runs on the same host)
bind 10.0.0.9
protected-mode yes
# PID file location
pidfile "/usr/local/redis/run/redis.pid"
loglevel notice
# log file location
logfile "/usr/local/redis/logs/redis.log"
save 900 1
stop-writes-on-bgsave-error yes
rdbcompression yes
rdbchecksum yes
dbfilename dump.rdb
dir "/usr/local/redis/data/rdb/"
timeout 0
tcp-keepalive 300
# password (change this)
requirepass 1qaz2wsx
EOF
  • Start Redis and check which port it is listening on
[root@jump src]# mkdir /usr/local/redis/data/rdb/
[root@jump src]# /usr/local/redis/bin/redis-server /usr/local/redis/etc/redis.conf
[root@jump src]# netstat -anpl |grep redis
	tcp        0      0 10.0.0.9:6379           0.0.0.0:*               LISTEN      12565/redis-server 
  • Test the connection to Redis (the warning is worth heeding: a password passed with -a lands in the shell history and the process list; in an interactive session, run AUTH inside the client instead)
[root@jump src]# /usr/local/redis/bin/redis-cli -h 10.0.0.9 -p 6379 -a '1qaz2wsx'
Warning: Using a password with '-a' or '-u' option on the command line interface may not be safe.
10.0.0.9:6379> select 1
OK
10.0.0.9:6379[1]> exit

Deploy Mariadb

  • JumpServer needs a database; either MySQL or MariaDB can be used.
  • MariaDB must be version 5.5.56 or later; MySQL must be version 5.6 or later.
  • Here MariaDB is installed with yum.
  • Configure the yum repository (skip this if a local yum repository is already available)
$ curl -o /etc/yum.repos.d/CentOS-Base-7.repo http://mirrors.aliyun.com/repo/Centos-7.repo
$ yum clean all && yum makecache
  • Install and start "mariadb"
[root@jump src]# yum list | grep mariadb		# list the available "mariadb" packages
[root@jump src]# yum install mariadb.x86_64 mariadb-devel.x86_64 mariadb-server.x86_64 -y		# install "mariadb"
[root@jump src]# systemctl enable mariadb && systemctl start mariadb		# start "mariadb" and enable it at boot
Created symlink from /etc/systemd/system/multi-user.target.wants/mariadb.service to /usr/lib/systemd/system/mariadb.service.


  • Connect to the "mariadb" database and change the "root" password (a fresh install has an empty root password; running mysql_secure_installation afterwards also removes the anonymous users and the test database)
[root@jump src]# mysql -uroot -p
Enter password:         # first connection to mariadb: just press Enter, there is no password yet

MariaDB [(none)]> set password for 'root'@localhost=password('1qaz2wsx');
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> flush privileges;
Query OK, 0 rows affected (0.00 sec)
  • Create the "jumpserver" database and grant privileges to a dedicated user (limited to 127.0.0.1, which matches DB_HOST in the jumpserver configuration below)
MariaDB [(none)]> create database jumpserver character set='utf8' collate='utf8_general_ci';
Query OK, 1 row affected (0.00 sec)

MariaDB [(none)]> grant all on jumpserver.* to 'jumpserver'@'127.0.0.1' identified by '1qaz2wsx';
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> flush privileges;
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> exit;
Bye

Deploy JumpServer

  • Install the dependencies

[root@jump src]# yum install wget gcc-c++ epel-release git -y		# install build and download tools and the EPEL repository
[root@jump src]# yum install python36 python36-devel -y		# install Python 3.6 (from EPEL)
[root@jump src]# which python3.6
	/bin/python3.6
[root@jump src]# python3.6 -V
	Python 3.6.8
  • Create and load the Python 3 virtual environment

Create the Python virtual environment under /opt/py3
[root@jump src]# python3.6 -m venv /opt/py3

Every time you operate jumpserver, first load the py3 virtual environment with the command below.
Once it is loaded, all of the following commands run inside that virtual environment; the prompt shown below means it worked.
[root@jump src]# source /opt/py3/bin/activate
(py3) [root@jump src]# 

Use the deactivate command to leave the py3 virtual environment
(py3) [root@jump src]# deactivate
[root@jump src]# 
  • Download JumpServer 1.5.5 (unzip is not in the dependency list above; install it with yum if it is missing)

[root@jump src]# source /opt/py3/bin/activate
(py3) [root@jump src]# cd /opt/
(py3) [root@jump opt]# wget https://github.com/jumpserver/jumpserver/archive/1.5.5.zip
(py3) [root@jump opt]# unzip 1.5.5.zip -d /opt/
(py3) [root@jump opt]# mv jumpserver-1.5.5 jumpserver
  • Install the RPM packages and Python libraries that jumpserver depends on

Install the RPM dependencies
(py3) [root@jump opt]# yum -y install $(cat /opt/jumpserver/requirements/rpm_requirements.txt)
Install the Python library dependencies
(py3) [root@jump opt]# pip install wheel
(py3) [root@jump opt]# pip install --upgrade pip setuptools
(py3) [root@jump opt]# pip install -r /opt/jumpserver/requirements/requirements.txt
  • Modify the Jumpserver configuration

Copy the configuration file "config.yml"
(py3) [root@jump opt]# cp -rf /opt/jumpserver/config_example.yml /opt/jumpserver/config.yml

Generate a random SECRET_KEY
(py3) [root@jump opt]# cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 49;echo
	ugf0JnAD2xzvg5B3Sr0ihJ5JcwDZpx1dxgWcCyYIcsWHSBKGd

Generate a random BOOTSTRAP_TOKEN
(py3) [root@jump opt]# cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 16;echo
	KskXhqMV7GqTBluN

The two values above are only examples: generate your own and never reuse the ones printed here. Write config.yml with them. Trailing comments are valid YAML, but the whitespace before each "#" must be spaces, not tabs: a tab there makes the YAML parser reject the file and jumpserver will fail to start.
(py3) [root@jump opt]# cat << EOF > /opt/jumpserver/config.yml
SECRET_KEY: ugf0JnAD2xzvg5B3Sr0ihJ5JcwDZpx1dxgWcCyYIcsWHSBKGd   # encryption key; generate it with the command given in the example config
BOOTSTRAP_TOKEN: KskXhqMV7GqTBluN   # pre-shared token that koko and guacamole use to register their service accounts; the old register-then-accept mechanism is no longer used
DEBUG: false   # DEBUG mode; when enabled, errors produce far more log output
LOG_LEVEL: ERROR   # log level; only ERROR and above is written to the log file
DB_ENGINE: mysql   # use a MySQL-compatible database
DB_HOST: 127.0.0.1   # database address
DB_PORT: 3306   # database port
DB_USER: jumpserver   # database user
DB_PASSWORD: 1qaz2wsx   # database password
DB_NAME: jumpserver   # database name
HTTP_BIND_HOST: 0.0.0.0   # address jumpserver binds to; 0.0.0.0 means every address (127.0.0.1 is enough when the nginx on this host is the only client)
HTTP_LISTEN_PORT: 8080   # port jumpserver listens on
REDIS_HOST: 10.0.0.9   # Redis host address (must match the bind address in redis.conf)
REDIS_PORT: 6379   # Redis port
REDIS_PASSWORD: 1qaz2wsx   # Redis password
EOF
  • Start JumpServer

    • Make sure the py3 virtual environment is loaded before starting jumpserver; the -d option starts it in the background
(py3) [root@jump opt]# cd /opt/jumpserver
(py3) [root@jump jumpserver]# ./jms start -d

Configure automatic start at boot. Review the downloaded unit file before enabling it: it comes from a demo site, it will run as root, and the paths inside it must match /opt/jumpserver and /opt/py3 as used above.
(py3) [root@jump jumpserver]# wget -O /usr/lib/systemd/system/jms.service https://demo.jumpserver.org/download/shell/centos/jms.service
(py3) [root@jump jumpserver]# chmod 644 /usr/lib/systemd/system/jms.service		# unit files only need to be readable; they are not executed
(py3) [root@jump jumpserver]# systemctl enable jms
	Created symlink from /etc/systemd/system/multi-user.target.wants/jms.service to /usr/lib/systemd/system/jms.service.

JumpServer plugin deployment

KoKo component deployment

  • Download and install KoKo

(py3) [root@jump jumpserver]# mkdir /opt/package
(py3) [root@jump jumpserver]# cd /opt/package/
(py3) [root@jump package]# wget https://github.com/jumpserver/koko/releases/download/1.5.5/koko-master-linux-amd64.tar.gz
(py3) [root@jump package]# tar xf koko-master-linux-amd64.tar.gz -C /opt/
(py3) [root@jump package]# chown -Rf root.root /opt/kokodir/
  • Modify the KoKo configuration file

(py3) [root@jump package]# cp -rf /opt/kokodir/config_example.yml /opt/kokodir/config.yml

The effective (non-comment) configuration after editing:
(py3) [root@jump package]# grep -Ev "#|^$" /opt/kokodir/config.yml
	CORE_HOST: http://127.0.0.1:8080		# URL of the Jumpserver core; used for the API registration request
	BOOTSTRAP_TOKEN: KskXhqMV7GqTBluN		# bootstrap token (pre-shared secret) used to register koko's service account and terminal; must be identical to BOOTSTRAP_TOKEN in the jumpserver configuration file
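The most common reason koko fails to register is a BOOTSTRAP_TOKEN that differs between the two configuration files (a token regenerated on one side only, or a tab before a trailing comment that makes jumpserver's YAML unreadable). The shell below is an added example, not part of the original post or of JumpServer's own tooling: it generates the secrets once, renders jumpserver's config.yml and koko's config.yml from the same variables, then reads the values back the way a YAML loader sees them and compares them. The function names, the passwords passed as parameters, and the loopback HTTP_BIND_HOST are assumptions for the example; pass 10.0.0.9 as the Redis host when Redis is bound to the node IP as on this page.

```shell
#!/usr/bin/env bash
# Added example (not JumpServer's own tooling): generate SECRET_KEY and
# BOOTSTRAP_TOKEN once and render jumpserver's config.yml and koko's config.yml
# from the same values, so the token cannot drift between the two components.

# gen_secret LENGTH: random [A-Za-z0-9] string from /dev/urandom (the same recipe
# as the interactive commands on this page, wrapped so the value is never retyped).
gen_secret() {
    tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "$1"
}

# render_jms_config OUT SECRET_KEY BOOTSTRAP_TOKEN DB_PASSWORD REDIS_HOST REDIS_PASSWORD
# Values are separated from the "#" comments by spaces (a tab there breaks the YAML parser).
# HTTP_BIND_HOST is 127.0.0.1 on the assumption that nginx on the same host is the only client.
render_jms_config() {
    local out=$1 secret=$2 token=$3 db_pass=$4 redis_host=$5 redis_pass=$6
    cat > "$out" <<EOF
SECRET_KEY: $secret   # encryption key for secrets stored in the database
BOOTSTRAP_TOKEN: $token   # pre-shared token koko and guacamole register with
DEBUG: false
LOG_LEVEL: ERROR
DB_ENGINE: mysql
DB_HOST: 127.0.0.1
DB_PORT: 3306
DB_USER: jumpserver
DB_PASSWORD: $db_pass
DB_NAME: jumpserver
HTTP_BIND_HOST: 127.0.0.1   # only the local nginx needs to reach port 8080
HTTP_LISTEN_PORT: 8080
REDIS_HOST: $redis_host
REDIS_PORT: 6379
REDIS_PASSWORD: $redis_pass
EOF
    chmod 600 "$out"   # the file holds three secrets: root-only
}

# render_koko_config OUT BOOTSTRAP_TOKEN: the two effective keys shown in the grep above.
render_koko_config() {
    local out=$1 token=$2
    cat > "$out" <<EOF
CORE_HOST: http://127.0.0.1:8080
BOOTSTRAP_TOKEN: $token
EOF
    chmod 600 "$out"
}

# yaml_value FILE KEY: value of a top-level scalar with any trailing comment stripped,
# i.e. what the component will actually load.
yaml_value() {
    sed -n "s/^$2:[[:space:]]*//p" "$1" | sed 's/[[:space:]]\{1,\}#.*$//'
}

# check_tokens_match JMS_CONFIG KOKO_CONFIG: exit 0 only if both files carry the
# same non-empty BOOTSTRAP_TOKEN.
check_tokens_match() {
    local a b
    a=$(yaml_value "$1" BOOTSTRAP_TOKEN)
    b=$(yaml_value "$2" BOOTSTRAP_TOKEN)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Usage on the bastion (paths as on this page):
#   secret=$(gen_secret 49); token=$(gen_secret 16)
#   render_jms_config /opt/jumpserver/config.yml "$secret" "$token" "$DB_PASS" 10.0.0.9 "$REDIS_PASS"
#   render_koko_config /opt/kokodir/config.yml "$token"
#   check_tokens_match /opt/jumpserver/config.yml /opt/kokodir/config.yml && echo "tokens consistent"
```

The same check_tokens_match call is worth re-running after every edit to either file and before starting koko or the guacamole container, since the token is the only thing that authorizes a component to register a service account with the core.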
  • Start Koko

(py3) [root@jump package]# cd /opt/kokodir/
(py3) [root@jump kokodir]# nohup ./koko start &		# start in the background

(py3) [root@jump kokodir]# tailf logs/koko.log		# check the log for koko errors (registration with the core fails if the tokens differ)

(py3) [root@jump kokodir]# ss -anplt | grep koko	# ports used by the koko service
	LISTEN     0      128         :::5000                    :::*                   users:(("koko",pid=30451,fd=7))
	LISTEN     0      128         :::2222                    :::*                   users:(("koko",pid=30451,fd=8))

(py3) [root@jump kokodir]# ps -ef | grep koko		# koko process
	root      30451   8220  0 15:56 pts/0    00:00:00 ./koko start
	root      30484   8220  0 15:58 pts/0    00:00:00 grep --color=auto koko

Luna component deployment

  • Download and install Luna

(py3) [root@jump kokodir]# cd /opt/package/
(py3) [root@jump package]# wget https://github.com/jumpserver/luna/releases/download/1.5.5/luna.tar.gz
(py3) [root@jump package]# tar xf luna.tar.gz -C /opt/
(py3) [root@jump package]# chown -R root:root /opt/luna/
(py3) [root@jump package]# deactivate
[root@jump package]# 

Guacamole component deployment

  • Install Docker

Check whether Docker is already installed on the host
[root@jump package]# rpm -qa |grep docker
Remove old Docker versions; skip this if none is installed
[root@jump package]# yum remove docker docker-common docker-selinux docker-engine

Install the dependencies
[root@jump package]# yum install -y yum-utils device-mapper-persistent-data lvm2
Set up the yum repository
[root@jump package]# yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo

List the available docker-ce versions
[root@jump package]# yum list docker-ce --showduplicates | sort -r 
Install the latest docker-ce version
[root@jump package]# yum install docker-ce -y

Configure a registry mirror to speed up docker pull. This mirror is plain HTTP, so only run images you can verify, for example by recording and pinning the image digest rather than trusting a tag.
[root@jump package]# mkdir /etc/docker
[root@jump package]# cat << EOF > /etc/docker/daemon.json
{
  "registry-mirrors": ["http://hub-mirror.c.163.com"]
}
EOF

Start docker and enable it at boot
[root@jump package]# systemctl start docker && systemctl enable docker
	Created symlink from /etc/systemd/system/multi-user.target.wants/docker.service to /usr/lib/systemd/system/docker.service.
  • Start Guacamole with docker

Because of network problems the image may not be pullable from Docker Hub, so the author re-uploaded it to a personal aliyun registry; download it from there. Note that this is a third-party copy of the image, not the project's own publication: when Docker Hub is reachable, prefer the official jumpserver/jms_guacamole:1.5.5 image, and in either case record the digest of the image you deployed.
[root@jump package]# docker pull registry.cn-shanghai.aliyuncs.com/chiron1007/jumpserver_jms_guacamole:1.5.5

List the pulled images
[root@jump package]# docker images
	REPOSITORY                                                              TAG                 IMAGE ID            CREATED             SIZE
	registry.cn-shanghai.aliyuncs.com/chiron1007/jumpserver_jms_guacamole   1.5.5               247c0b3bc67a        12 days ago         685MB

Start the "Guacamole" container
[root@jump package]# docker run --name jms_guacamole_V1 -d -p 8081:8081 -e JUMPSERVER_SERVER=http://10.0.0.9:8080 -e BOOTSTRAP_TOKEN=KskXhqMV7GqTBluN registry.cn-shanghai.aliyuncs.com/chiron1007/jumpserver_jms_guacamole:1.5.5
Parameter explanation:
	docker run: start a container
	--name: name of the container
	-d: run the container in the background
	-p 8081:8081: publish the container's port 8081 on port 8081 of the host. Docker inserts its own iptables rules ahead of firewalld, so a plain 8081:8081 is reachable from the network even though firewalld only opened 80 and 2222; use -p 127.0.0.1:8081:8081 so that only the local nginx can reach it
	-e: set an environment variable
	-e JUMPSERVER_SERVER=http://10.0.0.9:8080: the jumpserver core URL as seen from inside the container. 127.0.0.1 would be the container's own loopback, so the host IP 10.0.0.9 is used
	-e BOOTSTRAP_TOKEN=KskXhqMV7GqTBluN: the pre-shared token; must be the same as BOOTSTRAP_TOKEN in the jumpserver configuration file
	registry.cn-shanghai.aliyuncs.com/chiron1007/jumpserver_jms_guacamole:1.5.5: name and version of the image to run (the official image is jumpserver/jms_guacamole:1.5.5)

List the containers
[root@jump package]# docker ps -a
	CONTAINER ID        IMAGE                                                                         COMMAND             CREATED             STATUS              PORTS                    NAMES
	339e0d1a3dc2        registry.cn-shanghai.aliyuncs.com/chiron1007/jumpserver_jms_guacamole:1.5.5   "./entrypoint.sh"   55 seconds ago      Up 54 seconds       0.0.0.0:8081->8081/tcp   jms_guacamole_V1


Configure Nginx; integrate various components

  • Install Nginx

[root@jump package]# useradd -d /home/nginx -M -s /sbin/nologin nginx		# create the unprivileged user that the nginx workers run as
[root@jump package]# id nginx
	uid=996(nginx) gid=993(nginx) groups=993(nginx)

[root@jump package]# cd /usr/local/src/
[root@jump src]# wget http://nginx.org/download/nginx-1.15.10.tar.gz
[root@jump src]# tar xf nginx-1.15.10.tar.gz && cd  nginx-1.15.10/
[root@jump nginx-1.15.10]# ./configure --prefix=/usr/local/nginx --sbin-path=/usr/local/nginx/sbin/nginx --conf-path=/usr/local/nginx/conf/nginx.conf --pid-path=/usr/local/nginx/logs/nginx.pid --error-log-path=/usr/local/nginx/logs/error.log --http-log-path=/usr/local/nginx/logs/access.log --with-pcre --user=nginx --group=nginx --with-file-aio --with-http_gzip_static_module --with-http_stub_status_module --with-http_v2_module --with-threads --with-http_realip_module --with-http_ssl_module
[root@jump nginx-1.15.10]# make && make install
[root@jump nginx-1.15.10]# echo $?		# 0 means the build and install succeeded
  • Configure Nginx

Back up nginx.conf
[root@jump nginx-1.15.10]# mv /usr/local/nginx/conf/nginx.conf{,.bak}

Create the directory that will hold jumpserver.conf
[root@jump nginx-1.15.10]# mkdir /usr/local/nginx/conf/conf.d

Download the prepared nginx configuration files (review them before use: they come from a personal repository and define everything the bastion exposes on port 80)
[root@jump nginx-1.15.10]# cd /usr/local/src/
[root@jump src]# wget https://gitee.com/chironW/JumpServer_nginx/repository/archive/master.zip
[root@jump src]# unzip master.zip 
[root@jump src]# ll JumpServer_nginx/
	total 8
	-rw-r--r-- 1 root root 2074 Dec 17 18:01 jumpserver.conf
	-rw-r--r-- 1 root root 1729 Dec 17 18:01 nginx.conf

Move the configuration files from the JumpServer_nginx directory into place
[root@jump src]# mv /usr/local/src/JumpServer_nginx/nginx.conf /usr/local/nginx/conf/nginx.conf
[root@jump src]# mv /usr/local/src/JumpServer_nginx/jumpserver.conf /usr/local/nginx/conf/conf.d/jumpserver.conf
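The contents of the two files from the gitee repository are not shown on this page, so the reverse-proxy vhost is reconstructed below from the port table earlier in this page and the standard JumpServer 1.5.x layout. This is an added example, not the downloaded jumpserver.conf: the location prefixes, the /opt/luna and /opt/jumpserver/data paths and the 100m upload limit are assumptions, and it relies on nginx.conf carrying an include conf.d/*.conf; directive inside its http block.

```shell
#!/usr/bin/env bash
# Added example (not the file from the gitee repository): write the JumpServer
# reverse-proxy vhost for nginx from the port table on this page. Only port 80 is
# exposed; every upstream is reached on loopback, which is why 8080/8070/5000/8081
# need no firewall rules.

# write_jumpserver_nginx_conf OUT_PATH
# The heredoc delimiter is quoted so nginx variables ($host, $http_upgrade, ...)
# are written literally instead of being expanded by the shell.
write_jumpserver_nginx_conf() {
    local out=$1
    cat > "$out" <<'EOF'
server {
    listen 80;
    client_max_body_size 100m;   # session recordings and file uploads (assumed limit)

    # Luna: static web-terminal front end, served straight from disk
    location /luna/ {
        try_files $uri / /index.html;
        alias /opt/luna/;
    }

    # Media (recordings) and static files written by jumpserver
    location /media/ {
        add_header Content-Encoding gzip;
        root /opt/jumpserver/data/;
    }
    location /static/ {
        root /opt/jumpserver/data/;
    }

    # Koko web terminal (5000/tcp): WebSocket, so HTTP/1.1 plus Upgrade headers
    location /koko/ {
        proxy_pass http://127.0.0.1:5000;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    # Guacamole container (8081/tcp): also WebSocket
    location /guacamole/ {
        proxy_pass http://127.0.0.1:8081/;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    # Jumpserver WebSocket endpoint (8070/tcp)
    location /ws/ {
        proxy_pass http://127.0.0.1:8070;
        proxy_http_version 1.1;
        proxy_buffering off;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    # Everything else: the Jumpserver web application (8080/tcp). X-Real-IP and
    # X-Forwarded-For let jumpserver record the user's real address in its audit log.
    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
EOF
}

# upstream_ports FILE: the loopback ports this vhost proxies to, one per line,
# for comparing against the port table.
upstream_ports() {
    sed -n 's#.*proxy_pass http://127\.0\.0\.1:\([0-9]*\).*#\1#p' "$1" | sort -n
}

# Usage on the bastion:
#   write_jumpserver_nginx_conf /usr/local/nginx/conf/conf.d/jumpserver.conf
#   /usr/local/nginx/sbin/nginx -t && /usr/local/nginx/sbin/nginx -s reload
```

Because every proxy_pass target is 127.0.0.1, the vhost works unchanged once HTTP_BIND_HOST in jumpserver's config.yml is moved from 0.0.0.0 to 127.0.0.1 and the guacamole container is published with -p 127.0.0.1:8081:8081.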
  • Check the configuration and start Nginx

# check the configuration files for syntax errors
[root@jump nginx-1.15.10]# /usr/local/nginx/sbin/nginx -t
	nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
	nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful

Start the nginx service
[root@jump nginx-1.15.10]# /usr/local/nginx/sbin/nginx

# check the process and the port it occupies
[root@jump nginx-1.15.10]# ss -anplt | grep nginx
LISTEN     0      128          *:80                       *:*                   users:(("nginx",pid=35414,fd=6),("nginx",pid=35413,fd=6))
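With every component running, the check a practitioner wants is whether the host exposes only what the port table at the top of this page allows: 80 and 2222 (plus the host's own sshd) reachable from the network, everything else on loopback. The script below is an added example, not part of the original post; it encodes that policy and runs it over ss output. The sample lines are constructed, not a real capture, and show what a jumpserver bound to 0.0.0.0, a koko web terminal listening on every interface, a Redis on the node IP and a Docker-published guacamole port look like to the check. On the bastion, pipe the live ss -ltn output into the same function.

```shell
#!/usr/bin/env bash
# Added example (not part of the original post): listener exposure audit for the
# bastion, derived from the port table on this page.
#   PUBLIC ports may listen on any address (users connect to them).
#   LOCAL  ports must be bound to loopback; nginx proxies to them on the same host.
PUBLIC_PORTS="80 2222 22"                    # nginx, koko SSH, host sshd (allowed by firewalld's public zone)
LOCAL_PORTS="8080 8070 5000 8081 6379 3306"  # jms web/ws, koko web terminal, guacamole, redis, mariadb

# in_list WORD "LIST": 0 if WORD is one of the space-separated items
in_list() {
    case " $2 " in *" $1 "*) return 0 ;; esac
    return 1
}

# is_loopback ADDR: 0 for the loopback forms ss prints
is_loopback() {
    case $1 in 127.0.0.1|::1|'[::1]') return 0 ;; esac
    return 1
}

# audit_listeners: reads "ss -ltn" (or "ss -anplt") output on stdin, prints one
# FINDING line per violation and returns the number of findings (0 = policy met).
# Wildcard binds (0.0.0.0, *, ::, [::]) and binds to an interface address such as
# 10.0.0.9 are both treated as network-reachable; only loopback passes.
audit_listeners() {
    local findings=0 state recvq sendq local_field rest addr port
    while read -r state recvq sendq local_field rest; do
        [ "$state" = "LISTEN" ] || continue          # skip the header and non-listeners
        port=${local_field##*:}                      # "0.0.0.0:8080" -> 8080, ":::5000" -> 5000
        addr=${local_field%:*}                       # "0.0.0.0:8080" -> 0.0.0.0, ":::5000" -> ::
        if in_list "$port" "$PUBLIC_PORTS"; then
            continue
        elif in_list "$port" "$LOCAL_PORTS"; then
            if ! is_loopback "$addr"; then
                printf 'FINDING: port %s is bound to %s, expected 127.0.0.1 (reachable from the network)\n' "$port" "$addr"
                findings=$((findings + 1))
            fi
        else
            printf 'FINDING: port %s bound to %s is not in the JumpServer port table\n' "$port" "$addr"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -gt 255 ] && findings=255
    return "$findings"
}

# Constructed sample (not a real capture): a bastion where several services were
# left on non-loopback addresses, in the column layout of "ss -anplt".
SAMPLE_SS='State      Recv-Q Send-Q Local Address:Port               Peer Address:Port
LISTEN     0      128          *:80                       *:*
LISTEN     0      128         :::2222                    :::*
LISTEN     0      128         :::5000                    :::*
LISTEN     0      128    127.0.0.1:8070                  *:*
LISTEN     0      128      0.0.0.0:8080                  *:*
LISTEN     0      128     10.0.0.9:6379                  *:*
LISTEN     0      50     127.0.0.1:3306                  *:*
LISTEN     0      128      0.0.0.0:8081                  *:*
LISTEN     0      128          *:22                       *:*'

# The sample yields four findings: 5000 on ::, 8080 on 0.0.0.0, 6379 on 10.0.0.9,
# and 8081 on 0.0.0.0 (the docker-proxy listener that bypasses firewalld).
# Live use on the bastion:  ss -ltn | audit_listeners
if printf '%s\n' "$SAMPLE_SS" | audit_listeners; then
    echo "sample: no findings"
fi
```

The 8081 finding is the one firewalld cannot help with: Docker's published port is inserted ahead of the firewalld rules, so the only fix is to publish it on 127.0.0.1 when starting the container. The 6379 finding disappears once Redis binds 127.0.0.1 and REDIS_HOST in config.yml is changed to match.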

Login to Jumpserver

Open http://<bastion IP>/ in a browser (port 80, the nginx front end) and log in. Per the JumpServer documentation the initial administrator account is admin with password admin; change it at the first login, then create assets, users and authorization rules from the web console.

Add all the services deployed above to the boot sequence

mariadb, docker and jms are already enabled through systemd, so their entries below are harmless no-ops; redis, koko, the guacamole container and nginx still need to be started here. On CentOS 7 rc.local must be executable or rc-local.service will not run it.

chmod +x /etc/rc.d/rc.local
cat << EOF >> /etc/rc.d/rc.local
# start redis (must be up before jumpserver)
/usr/local/redis/bin/redis-server /usr/local/redis/etc/redis.conf

# start mariadb (already started by systemd)
systemctl start mariadb

# load the py3 environment
source /opt/py3/bin/activate

# start jumpserver (no-op if jms.service already started it)
/opt/jumpserver/jms start -d

# start the koko component
cd /opt/kokodir/ && nohup /opt/kokodir/koko start >/dev/null 2>&1 &

# start docker
systemctl start docker

# start the guacamole container
docker start jms_guacamole_V1

# start nginx
/usr/local/nginx/sbin/nginx
EOF
Source: blog.csdn.net/wkl1007/article/details/103578649