Building a Jumpserver bastion host to manage a million servers (1)

1 Jumpserver bastion host overview and deployment of the Jumpserver runtime environment

2 Installing the Coco component

3 Installing the Luna web terminal front end and integrating the components with Nginx

4 Jumpserver platform initialization

5 Hands-on: managing tens of thousands of servers with Jumpserver

  Deployment preparation:

 

1.1 Jump host overview

A jump host is a server that developers and operations staff must first log in to; from there they log on to the target devices for maintenance and operation.

Jump host drawbacks: it does not control or audit the operating behaviour of operations staff; when a misuse or abuse incident occurs while the jump host is in use, it is difficult to quickly locate the cause of the incident and the people responsible.

 

Bastion host overview:

A bastion host, in a given network environment, protects the network and data from intrusion and damage by external and internal users. It uses various techniques to collect and monitor in real time the system state, security events and network activity of every component in that environment, so that alerts are centralised and audit staff can act on them promptly.

Compared with a jump host, a bastion host additionally collects and monitors the network environment in real time and centralises alarms.

Jumpserver overview:

Jumpserver is an open-source jump host system developed in Python and Django; it provides Internet companies with authentication, authorization, auditing and automated operations functions.

 

Jumpserver bastion host component descriptions:

1. Jumpserver:

Now refers to the Jumpserver management backend; it is the core component (Core), developed in the Django class-based-view style, and supports a RESTful API.

2. Coco:

Implements the SSH Server and Web Terminal Server components, providing SSH and WebSocket interfaces; developed with Paramiko and Flask.

3. Luna:

Now the front-end Web Terminal; the front-end pages are planned to be handled by this project, so Jumpserver only provides the API and is no longer responsible for rendering HTML in the backend.

1.2 Deploying the Jumpserver runtime environment

Installation notes:

Server name: K5       ip: 10.27.17.42    role: jumpserver server

Server name: hero3    ip: 10.27.17.43    role: jumpserver client resource, the managed server

Server preparation:

Upload the software dependencies to the Linux system with "rz", into /opt

Turn off the firewall and clear its rules

[root@k5 opt]# systemctl stop firewalld

[root@k5 opt]# systemctl disable firewalld

[root@k5 opt]# iptables -F

Disable SELinux

[root@k5 opt]# vim /etc/selinux/config

Modify the locale

[root@k5 opt]# localedef -c -f UTF-8 -i zh_CN zh_CN.UTF-8
[root@k5 opt]# export LC_ALL=zh_CN.UTF-8
[root@k5 opt]# echo 'LANG=zh_CN.UTF-8' > /etc/locale.conf

1.3 Install Python 3 and a Python virtual environment

(1) Install the dependencies

 

[root@k5 ~]# yum -y install wget sqlite-devel xz gcc automake zlib-devel openssl-devel epel-release git

 

(2) Compile and install Python 3.6.1

 

[root@k5 ~]# cd /opt

[root@k5 ~]# tar xvf Python-3.6.1.tar.xz  && cd Python-3.6.1

[root@k5 ~]# ./configure  &&  make  -j 4 && make install

 

(3) Create the Python virtual environment

Because CentOS 6/7 ships with Python 2, and yum and other tools depend on that original Python 2, we use a Python virtual environment so as not to disturb the original environment.

[root@k5 ~]# cd /opt

[root@k5 ~]# python3 -m venv py3

[root@k5 ~]# source /opt/py3/bin/activate

(py3) [root@k5 ~]#    # the switch succeeded: the prompt is now prefixed with (py3)

# Seeing the prompt above means success. Whenever you run Jumpserver later you must first run the source command above; all of the following commands are run inside the virtual environment

1.4 Install Jumpserver 1.0.0

1. Download or clone the project

Method 1: when the project has many commits, git clone is large, so you can go directly to the GitHub project page and download the zip package.

(py3) [root@k5 ~]# cd /opt/jumpserver/    # we have already downloaded it

Note: the online download method:

Method 2:

(py3) [root@k5 ~]# git clone --depth=1 https://github.com/jumpserver/jumpserver.git && cd jumpserver && git checkout master

Note: --depth=1 specifies a clone depth of 1, meaning only the latest commit is cloned

 

2. Install the RPM package dependencies

(py3) [root@k5 jumpserver]# cd /opt/jumpserver/requirements

(py3) [root@k5 requirements]# yum -y install $(cat rpm_requirements.txt) 

 

3. Install the Python library dependencies

(py3) [root@k5 requirements]# cd /opt/jumpserver/requirements

(py3) [root@k5 requirements]# source /opt/py3/bin/activate

(py3) [root@k5 requirements]# pip -V

pip 9.0.1 from /opt/py3/lib/python3.6/site-packages (python 3.6) 

Method 1: offline installation:

(py3) [root@k5 requirements]# cd /opt/python-package

(py3) [root@k5 python-package]# pip install ./*

 

Method 2: online installation:

(py3) [root@k5 requirements]# pip install -r requirements.txt

pip is Python's package installation and management tool, the equivalent of the yum command

Pick the method recommended here

4. Install Redis; Jumpserver uses Redis as its cache and as the Celery broker

(py3) [root@k5 requirements]# rpm -ivh http://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm

(py3) [root@k5 requirements]# yum  -y install redis

(py3) [root@k5 requirements]# systemctl enable redis  ;  systemctl start redis

6. Create the database and grant Jumpserver access to it

(py3) [root@k5 ~]# mysql

MariaDB [(none)]> create database jumpserver default charset 'utf8';

MariaDB [(none)]> grant all on jumpserver.* to 'jumpserver'@'127.0.0.1' identified by '123456';

MariaDB [(none)]> flush privileges;

7. Modify the Jumpserver configuration file so that Jumpserver can connect to the database

(py3) [root@k5 ~]# cd /opt/jumpserver

(py3) [root@k5 jumpserver]# cp config_example.py config.py

(py3) [root@k5 jumpserver]# vim config.py

Modify lines 38-43 as follows:

# We are modifying the DevelopmentConfig configuration, since Jumpserver uses this configuration by default; it inherits from Config

Note: the configuration file is in Python format; do not use TAB characters, use spaces instead

34 DB_ENGINE = 'sqlite3'
35 DB_NAME = os.path.join(BASE_DIR, 'data', 'db.sqlite3')
36
37 # MySQL or postgres setting like:
38 DB_ENGINE = 'mysql'
39 DB_HOST = '127.0.0.1'
40 DB_PORT = 3306
41 DB_USER = 'jumpserver'
42 DB_PASSWORD = '123456'
43 DB_NAME = 'jumpserver'
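As an added example (not from the original post or the Jumpserver project), a small checker for the DevelopmentConfig block of config.py: it flags tab indentation, missing DB_* keys, a non-integer DB_PORT and a placeholder password before make_migrations.sh is run. The sample config text, the required-key list and the placeholder-password list are assumptions.

```python
import ast

# Constructed sample of the DevelopmentConfig block with the DB settings the
# post puts in config.py (an assumed excerpt, not the real file).
SAMPLE_CONFIG = """\
class DevelopmentConfig(Config):
    DB_ENGINE = 'mysql'
    DB_HOST = '127.0.0.1'
    DB_PORT = 3306
    DB_USER = 'jumpserver'
    DB_PASSWORD = '123456'
    DB_NAME = 'jumpserver'
"""

REQUIRED_KEYS = ("DB_ENGINE", "DB_HOST", "DB_PORT", "DB_USER", "DB_PASSWORD", "DB_NAME")
# Assumed list of placeholder passwords that should never reach a live database.
PLACEHOLDER_PASSWORDS = {"", "123456", "password"}


def check_config(source: str) -> list:
    """Return a list of problems found in a config.py text; empty means it looks sane."""
    problems = []
    if "\t" in source:
        problems.append("tab characters found; indent config.py with spaces only")
    try:
        tree = ast.parse(source)
    except SyntaxError as exc:
        # A TabError (mixed tabs and spaces) is a SyntaxError too, so it lands here.
        return problems + [f"config.py does not parse: {exc}"]
    settings = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.ClassDef) and node.name == "DevelopmentConfig":
            for stmt in node.body:
                if (isinstance(stmt, ast.Assign) and len(stmt.targets) == 1
                        and isinstance(stmt.targets[0], ast.Name)):
                    try:
                        settings[stmt.targets[0].id] = ast.literal_eval(stmt.value)
                    except ValueError:
                        pass  # e.g. os.path.join(...) for the sqlite default; skip it
    if not settings:
        return problems + ["no DevelopmentConfig class with DB settings found"]
    for key in REQUIRED_KEYS:
        if key not in settings:
            problems.append(f"{key} is missing from DevelopmentConfig")
    if settings.get("DB_ENGINE") == "mysql" and not isinstance(settings.get("DB_PORT"), int):
        problems.append("DB_PORT must be an integer (e.g. 3306) for the mysql engine")
    pw = settings.get("DB_PASSWORD")
    if isinstance(pw, str) and pw in PLACEHOLDER_PASSWORDS:
        problems.append("DB_PASSWORD is a placeholder; set a real secret before running make_migrations.sh")
    return problems
```

Run it against the real file with check_config(open("/opt/jumpserver/config.py").read()) before step 8.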

 

8. Create the database table structure and initialise the data

(py3) [root@k5 jumpserver]# cd /opt/jumpserver/utils

(py3) [root@k5 utils]# bash make_migrations.sh    # Note: before executing this command, make sure the earlier pip install ./* has finished

 

9. Run Jumpserver; make sure it executes inside the Python 3 virtual environment

(py3) [root@k5 utils]# source  /opt/py3/bin/activate

(py3) [root@k5 utils]# cd /opt/jumpserver

(py3) [root@k5 jumpserver]# chmod +x jms

(py3) [root@k5 jumpserver]# ./jms start all -d    # use the -d parameter to run in the background

Note: ./jms start all    # runs in the foreground

If it fails with an error like this:

- Start Beat as Periodic Task Scheduler

Error: celery start error

Stop service: gunicorn

celery is stopped

beat is stopped

Solution: restart it

Test:

Jumpserver bastion host test link: http://10.27.17.62:8080    user: admin    password: admin

2 Installing the Coco component

Coco overview: the Coco component implements the SSH Server and Web Terminal Server; it provides SSH and WebSocket interfaces and is developed with Paramiko and Flask.

 

(py3) [root@k5 jumpserver]# cd /opt/coco    # the code was copied over offline

(py3) [root@k5 coco]# source /opt/py3/bin/activate

Method 1: download the code online: # git clone https://github.com/jumpserver/coco.git && cd coco && git checkout master

2. Install Coco's dependencies, the RPM packages and the main Python packages

(py3) [root@k5 coco]# cd /opt/coco/requirements
(py3) [root@k5 requirements]# yum -y install $(cat rpm_requirements.txt) 
(py3) [root@k5 requirements]# pip install -r requirements.txt

Note (extension): pip download -r requirements.txt    # downloads the Python packages to a local directory for offline use

3. Check the configuration file and run

(py3) [root@k5 requirements]# cd /opt/coco
(py3) [root@k5 coco]# cp conf_example.py conf.py 
(py3) [root@k5 coco]# chmod +x cocod        

# If Coco and Jumpserver are deployed on separate machines, modify conf.py by hand

(py3) [root@k5 coco]# ./cocod restart -d    # start
(py3) [root@k5 coco]# netstat -antup | grep 5000    # shows nothing yet; once Coco has been activated successfully it will

3 Installing the Luna web terminal front end and integrating the components with Nginx

Luna overview: Luna is now the front-end Web Terminal; the front-end pages are planned to be handled by this project, so Jumpserver only provides the API and is no longer responsible for rendering HTML in the backend.

Go to https://github.com/jumpserver/luna/releases and download the release package for the matching version; just extract it, no compilation is needed

Extract Luna

(py3) [root@k5 ~]# cd /opt

(py3) [root@k5 ~]# tar zxvf luna.tar.gz

(py3) [root@k5 ~]# ls /opt/luna

Note: online download

# wget https://github.com/jumpserver/luna/releases/download/v1.0.0/luna.tar.gz

 

3.2 Configure Nginx to integrate the components

Install Nginx in whatever way and with whatever version you prefer

(py3) [root@k5 jumpserver]# yum -y install nginx

Prepare the configuration file

(py3) [root@k5 opt]# vim /etc/nginx/nginx.conf

Comment out the following:

#    server {
72 #        listen       80 default_server;
73 #        listen       [::]:80 default_server;
74 #        server_name  _;
75 #        root         /usr/share/nginx/html;
76
77 #        # Load configuration files for the default server block.
78 #        include /etc/nginx/default.d/*.conf;
79
80 #        location / {
81 #        }
82
83 #        error_page 404 /404.html;
84 #        location = /40x.html {
85 #        }
86
87 #        error_page 500 502 503 504 /50x.html;
88 #        location = /50x.html {
89 #        }
90 #    }

Add the following:

server {
    listen 80;

    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    location /luna/ {
        try_files $uri / /index.html;
        alias /opt/luna/;
    }

    location /media/ {
        add_header Content-Encoding gzip;
        root /opt/jumpserver/data/;
    }

    location /static/ {
        root /opt/jumpserver/data/;
    }

    location /socket.io/ {
        proxy_pass http://localhost:5000/socket.io/;    # if coco is installed on another server, put its ip here
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

    location / {
        proxy_pass http://localhost:8080;    # if jumpserver is installed on another server, put its ip here
    }
}

3.3 Run Nginx

(py3) [root@k5 opt]# nginx -t    # check the configuration file

(py3) [root@k5 jumpserver]# systemctl start nginx  ;  systemctl enable nginx

 

3.4 Accept the Coco registration

Log in to http://10.27.17.62/, go to Session management - Terminal management, and accept Coco's registration by clicking Accept.

Then refresh the page and test the connection:

(py3) [root@k5 nginx]# ssh -p2222 [email protected]    # password: admin

 


Origin www.cnblogs.com/gucb/p/12512647.html