Directorio de artículos
-
- Diagrama de arquitectura
- Introducción de componentes
- Despliegue de componentes
-
- 1. Requisitos ambientales
- 2. Actualización del entorno del sistema
- 3. Paquetes que dependen del entorno
- 4. Instale los componentes de Python, Mysql, Redis, Nginx
- 5. Configuración de Redis
- 6. Configuración de Mysql
- 7. Configuración del entorno virtual de Python
- 8. Implementación de JumpServer
- 9. Docker implementa componentes KOKO
- 10. Docker implementa componentes de Guacamole
- 11. Despliegue del componente Lina
- 12. Despliegue del componente Luna
- 13. Nginx integra la configuración de cada componente
- 14. Verificación de inicio de sesión de Jumpserver
- Consejo de Seguridad
- Otros suplementos
Diagrama de arquitectura
Introducción de componentes
- JumpServer => ahora se refiere al backend de administración de Jumpserver, que es el componente central (Core), desarrollado al estilo de Django Class Based View, y es compatible con Restful API.
- koko => implementa los componentes de SSH Server y Web Terminal Server, proporciona interfaces SSH y WebSocket, y se desarrolla utilizando Paramiko y Flask.
- Luna => Ahora es el front-end de Web Terminal. Está previsto que este proyecto proporcione todas las páginas de front-end. Jumpserver solo proporciona API y ya no es responsable de renderizar html en segundo plano.
- Guacamole => Apache Springboard Project, Jumpserver usa sus componentes para implementar funciones RDP. Jumpserver no modifica su código pero agrega complementos adicionales para soportar llamadas de Jumpserver.
Despliegue de componentes
1. Requisitos ambientales
Configuración de hardware: 2 núcleos de CPU, memoria 4G, disco duro 50G (mínimo)
Sistema operativo: distribución Linux x86_64
Otra configuración: Apague SELinux y el firewall (el entorno de producción debe encenderse con cuidado)
setenforce 0
sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config
systemctl status firewalld.service
systemctl start firewalld.service
systemctl stop firewalld.service
systemctl disable firewalld.service
2. Actualización del entorno del sistema
yum -y update
3. Paquetes que dependen del entorno
yum -y install wget gcc epel-release git gcc krb5-devel libtiff-devel libjpeg-devel libzip-devel freetype-devel libwebp-devel tcl-devel tk-devel sshpass openldap-devel mariadb-devel libffi-devel openssh-clients telnet openldap-clients docker
4. Instale los componentes de Python, Mysql, Redis, Nginx
yum -y install python3.6 python36-devel mariadb mariadb-server.x86_64 redis nginx
5. Configuración de Redis
systemctl enable redis
systemctl start redis
6. Configuración de Mysql
systemctl enable mariadb
systemctl start mariadb
DB_PASSWORD=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 24`
echo -e "\033[31m 你的数据库密码是 $DB_PASSWORD \033[0m"
mysql -uroot -e "create database jumpserver default charset 'utf8' collate 'utf8_bin'; grant all on jumpserver.* to 'jumpserver'@'127.0.0.1' identified by '$DB_PASSWORD'; flush privileges;"
La contraseña de root predeterminada está vacía. Aquí se explica cómo modificar la contraseña:
mysqladmin -u root -p contraseña ericzhong
7. Configuración del entorno virtual de Python
cd /opt
python3.6 -m venv py3
source /opt/py3/bin/activate
Cada vez que opere el servidor de salto, primero debe cargar el entorno virtual py3
8. Implementación de JumpServer
- Descargar programa e implementación
cd /opt && \
wget -O jumpserver.tar.gz https://github.com/jumpserver/jumpserver/archive/2.0.1.tar.gz
tar xf jumpserver.tar.gz
ln -s /opt/jumpserver-2.0.1 /opt/jumpserver
- Instalar dependencias del entorno de compilación
yum install -y $(cat rpm_requirements.txt)
pip install wheel -i https://mirrors.aliyun.com/pypi/simple/
pip install --upgrade pip setuptools -i https://mirrors.aliyun.com/pypi/simple/
pip install -r requirements.txt -i https://mirrors.aliyun.com/pypi/simple/
- Modificación de configuración
cd /opt/jumpserver/
cp config_example.yml config.yml
SECRET_KEY=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 50`
echo "SECRET_KEY=$SECRET_KEY" >> ~/.bashrc
BOOTSTRAP_TOKEN=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 16`
echo "BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN" >> ~/.bashrc
sed -i "s/SECRET_KEY:/SECRET_KEY: $SECRET_KEY/g" /opt/jumpserver/config.yml
sed -i "s/BOOTSTRAP_TOKEN:/BOOTSTRAP_TOKEN: $BOOTSTRAP_TOKEN/g" /opt/jumpserver/config.yml
sed -i "s/# DEBUG: true/DEBUG: false/g" /opt/jumpserver/config.yml
sed -i "s/# LOG_LEVEL: DEBUG/LOG_LEVEL: ERROR/g" /opt/jumpserver/config.yml
sed -i "s/# SESSION_EXPIRE_AT_BROWSER_CLOSE: false/SESSION_EXPIRE_AT_BROWSER_CLOSE: true/g" /opt/jumpserver/config.yml
sed -i "s/DB_PASSWORD: /DB_PASSWORD: $DB_PASSWORD/g" /opt/jumpserver/config.yml
echo -e "\033[31m 你的SECRET_KEY是 $SECRET_KEY \033[0m"
echo -e "\033[31m 你的BOOTSTRAP_TOKEN是 $BOOTSTRAP_TOKEN \033[0m"
- programa de inicio
cd /opt/jumpserver/
./jms start -d
Salida de registro:
(py3) [root@jumpserver01 jumpserver]# ./jms start -d
2020-06-23 14:13:41 Tue Jun 23 14:13:41 2020
2020-06-23 14:13:41 Jumpserver version 2.0.0, more see https://www.jumpserver.org
- Start Gunicorn WSGI HTTP Server
2020-06-23 14:13:41 Check database connection ...
users
[ ] 0001_initial
[ ] 0002_auto_20171225_1157_squashed_0019_auto_20190304_1459 (18 squashed migrations)
[ ] 0020_auto_20190612_1825
[ ] 0021_auto_20190625_1104
[ ] 0022_auto_20190625_1105
[ ] 0023_auto_20190724_1525
[ ] 0024_auto_20191118_1612
[ ] 0025_auto_20200206_1216
[ ] 0026_auto_20200508_2105
[ ] 0027_auto_20200616_1503
2020-06-23 14:13:48 Database connect success
2020-06-23 14:13:48 Check database structure change ...
2020-06-23 14:13:48 Migrate model change to database ...
Operations to perform:
Apply all migrations: admin, applications, assets, audits, auth, authentication, captcha, common, contenttypes, django_cas_ng, django_celery_beat, jms_oidc_rp, ops, orgs, perms, sessions, settings, terminal, tickets, users
Running migrations:
Applying contenttypes.0001_initial... OK
Applying contenttypes.0002_remove_content_type_name... OK
Applying auth.0001_initial... OK
Applying auth.0002_alter_permission_name_max_length... OK
Applying auth.0003_alter_user_email_max_length... OK
Applying auth.0004_alter_user_username_opts... OK
Applying auth.0005_alter_user_last_login_null... OK
Applying auth.0006_require_contenttypes_0002... OK
Applying auth.0007_alter_validators_add_error_messages... OK
Applying auth.0008_alter_user_username_max_length... OK
Applying users.0001_initial... OK
Applying admin.0001_initial... OK
Applying admin.0002_logentry_remove_auto_add... OK
Applying admin.0003_logentry_add_action_flag_choices... OK
Applying users.0002_auto_20171225_1157_squashed_0019_auto_20190304_1459... OK
Applying assets.0001_initial... OK
Applying perms.0001_initial... OK
Applying assets.0002_auto_20180105_1807_squashed_0009_auto_20180307_1212... OK
Applying assets.0010_auto_20180307_1749_squashed_0019_auto_20180816_1320... OK
Applying perms.0002_auto_20171228_0025_squashed_0009_auto_20180903_1132... OK
Applying perms.0003_action... OK
Applying perms.0004_assetpermission_actions... OK
Applying assets.0020_auto_20180816_1652... OK
Applying assets.0021_auto_20180903_1132... OK
Applying assets.0022_auto_20181012_1717... OK
Applying assets.0023_auto_20181016_1650... OK
Applying assets.0024_auto_20181219_1614... OK
Applying assets.0025_auto_20190221_1902... OK
Applying assets.0026_auto_20190325_2035... OK
Applying applications.0001_initial... OK
Applying perms.0005_auto_20190521_1619... OK
Applying perms.0006_auto_20190628_1921... OK
Applying perms.0007_remove_assetpermission_actions... OK
Applying perms.0008_auto_20190911_1907... OK
Applying assets.0027_auto_20190521_1703... OK
Applying assets.0028_protocol... OK
Applying assets.0029_auto_20190522_1114... OK
Applying assets.0030_auto_20190619_1135... OK
Applying assets.0031_auto_20190621_1332... OK
Applying assets.0032_auto_20190624_2108... OK
Applying assets.0033_auto_20190624_2108... OK
Applying assets.0034_auto_20190705_1348... OK
Applying assets.0035_auto_20190711_2018... OK
Applying assets.0036_auto_20190716_1535... OK
Applying assets.0037_auto_20190724_2002... OK
Applying assets.0038_auto_20190911_1634... OK
Applying perms.0009_remoteapppermission_system_users... OK
Applying applications.0002_remove_remoteapp_system_user... OK
Applying applications.0003_auto_20191210_1659... OK
Applying applications.0004_auto_20191218_1705... OK
Applying assets.0039_authbook_is_active... OK
Applying assets.0040_auto_20190917_2056... OK
Applying assets.0041_gathereduser... OK
Applying assets.0042_favoriteasset... OK
Applying assets.0043_auto_20191114_1111... OK
Applying assets.0044_platform... OK
Applying assets.0045_auto_20191206_1607... OK
Applying assets.0046_auto_20191218_1705... OK
Applying assets.0047_assetuser... OK
Applying assets.0048_auto_20191230_1512... OK
Applying assets.0049_systemuser_sftp_root... OK
Applying audits.0001_initial... OK
Applying audits.0002_ftplog_org_id... OK
Applying audits.0003_auto_20180816_1652... OK
Applying audits.0004_operatelog_passwordchangelog_userloginlog... OK
Applying audits.0005_auto_20190228_1715... OK
Applying audits.0006_auto_20190726_1753... OK
Applying audits.0007_auto_20191202_1010... OK
Applying audits.0008_auto_20200508_2105... OK
Applying auth.0009_alter_user_last_name_max_length... OK
Applying auth.0010_alter_group_name_max_length... OK
Applying auth.0011_update_proxy_permissions... OK
Applying authentication.0001_initial... OK
Applying authentication.0002_auto_20190729_1423... OK
Applying authentication.0003_loginconfirmsetting... OK
Applying captcha.0001_initial... OK
Applying common.0001_initial... OK
Applying common.0002_auto_20180111_1407... OK
Applying common.0003_setting_category... OK
Applying common.0004_setting_encrypted... OK
Applying common.0005_auto_20190221_1902... OK
Applying common.0006_auto_20190304_1515... OK
Applying django_cas_ng.0001_initial... OK
Applying django_celery_beat.0001_initial... OK
Applying django_celery_beat.0002_auto_20161118_0346... OK
Applying django_celery_beat.0003_auto_20161209_0049... OK
Applying django_celery_beat.0004_auto_20170221_0000... OK
Applying django_celery_beat.0005_add_solarschedule_events_choices_squashed_0009_merge_20181012_1416... OK
Applying django_celery_beat.0006_periodictask_priority... OK
Applying jms_oidc_rp.0001_initial... OK
Applying ops.0001_initial... OK
Applying ops.0002_celerytask... OK
Applying ops.0003_auto_20181207_1744... OK
Applying ops.0004_adhoc_run_as... OK
Applying ops.0005_auto_20181219_1807... OK
Applying ops.0006_auto_20190318_1023... OK
Applying ops.0007_auto_20190724_2002... OK
Applying ops.0008_auto_20190919_2100... OK
Applying ops.0009_auto_20191217_1713... OK
Applying ops.0010_auto_20191217_1758... OK
Applying ops.0011_auto_20200106_1534... OK
Applying ops.0012_auto_20200108_1659... OK
Applying ops.0013_auto_20200108_1706... OK
Applying ops.0014_auto_20200108_1749... OK
Applying ops.0015_auto_20200108_1809... OK
Applying ops.0016_commandexecution_org_id... OK
Applying ops.0017_auto_20200306_1747... OK
Applying ops.0018_auto_20200509_1434... OK
Applying orgs.0001_initial... OK
Applying orgs.0002_auto_20180903_1132... OK
Applying orgs.0003_auto_20190916_1057... OK
Applying users.0020_auto_20190612_1825... OK
Applying users.0021_auto_20190625_1104... OK
Applying users.0022_auto_20190625_1105... OK
Applying users.0023_auto_20190724_1525... OK
Applying users.0024_auto_20191118_1612... OK
Applying perms.0010_auto_20191218_1705... OK
Applying sessions.0001_initial... OK
Applying settings.0001_initial... OK
Applying terminal.0001_initial... OK
Applying terminal.0002_auto_20171228_0025_squashed_0009_auto_20180326_0957... OK
Applying terminal.0010_auto_20180423_1140... OK
Applying terminal.0011_auto_20180807_1116... OK
Applying terminal.0012_auto_20180816_1652... OK
Applying terminal.0013_auto_20181123_1113... OK
Applying terminal.0014_auto_20181226_1441... OK
Applying terminal.0015_auto_20190923_1529... OK
Applying terminal.0016_commandstorage_replaystorage... OK
Applying terminal.0017_auto_20191125_0931... OK
Applying terminal.0018_auto_20191202_1010... OK
Applying terminal.0019_auto_20191206_1000... OK
Applying terminal.0020_auto_20191218_1721... OK
Applying terminal.0021_auto_20200213_1316... OK
Applying terminal.0022_session_is_success... OK
Applying terminal.0023_command_risk_level... OK
Applying tickets.0001_initial... OK
Applying users.0025_auto_20200206_1216... OK
Applying users.0026_auto_20200508_2105... OK
Applying users.0027_auto_20200616_1503... OK
2020-06-23 14:14:12 Collect static files
2020-06-23 14:14:18 Collect static files done
- Start Celery as Distributed Task Queue: Ansible
- Start Celery as Distributed Task Queue: Celery
- Start Beat as Periodic Task Scheduler
- Start Flower as Task Monitor
- Start Daphne ASGI WS Server
gunicorn is running: 3881
celery_ansible is running: 3892
celery_default is running: 3896
beat is running: 3900
flower is running: 3904
daphne is running: 3908
- Configuración de inicio automático de Jumpserver
echo 'source /opt/py3/bin/activate && /opt/jumpserver/jms start -d' >> /etc/rc.local \
&& chmod +x /etc/rc.d/rc.local
9. Docker implementa componentes KOKO
systemctl enable docker
systemctl daemon-reload
systemctl restart docker.service
cd /opt
Server_IP=`ip addr | grep 'state UP' -A2 | grep inet \
| egrep -v '(127.0.0.1|inet6|docker)' | awk '{print $2}' | tr -d "addr:" \
| head -n 1 | cut -d / -f1` \
&& echo -e "\033[31m 你的服务器IP是 $Server_IP \033[0m" \
&& echo -e "\033[31m 你的BOOTSTRAP_TOKEN是 $BOOTSTRAP_TOKEN \033[0m"
docker run --name jms_koko -d \
-p 2222:2222 -p 127.0.0.1:5000:5000 \
-e CORE_HOST=http://$Server_IP:8080 \
-e BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN \
-e LOG_LEVEL=ERROR \
--restart=always \
jumpserver/jms_koko:2.0.1
10. Docker implementa componentes de Guacamole
cd /opt
docker run --name jms_guacamole -d \
-p 127.0.0.1:8081:8080 \
-e JUMPSERVER_SERVER=http://$Server_IP \
-e BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN \
-e GUACAMOLE_LOG_LEVEL=ERROR \
jumpserver/jms_guacamole:2.0.1
- Verificar el estado de Docker
docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
36a58481a02e jumpserver/jms_guacamole:2.0.1 "./entrypoint.sh" About a minute ago Up About a minute 127.0.0.1:8081->8080/tcp jms_guacamole
7a77d4c2aea4 jumpserver/jms_koko:2.0.1 "./entrypoint.sh" 9 minutes ago Up 9 minutes 0.0.0.0:2222->2222/tcp, 127.0.0.1:5000->5000/tcp jms_koko
docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
docker.io/jumpserver/jms_koko 2.0.1 141f4ce1e18c 4 hours ago 356 MB
docker.io/jumpserver/jms_guacamole 2.0.1 b1eecc36e7a2 4 hours ago 659 MB
11. Despliegue del componente Lina
cd /opt
wget http://demo.jumpserver.org/download/lina/2.0.1/lina.tar.gz
tar -xf lina.tar.gz
chown -R nginx:nginx lina
12. Despliegue del componente Luna
cd /opt
wget http://demo.jumpserver.org/download/luna/2.0.1/luna.tar.gz
tar -xf luna.tar.gz
chown -R nginx:nginx luna
13. Nginx integra la configuración de cada componente
# nginx默认配置
cat > /usr/local/nginx/nginx.conf << EOF
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
include /usr/share/nginx/modules/*.conf;
events {
worker_connections 1024;
}
http {
log_format main '\$remote_addr - \$remote_user [\$time_local] "\$request" '
'\$status \$body_bytes_sent "\$http_referer" '
'"\$http_user_agent" "\$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
include /usr/local/nginx/mime.types;
default_type application/octet-stream;
include /usr/local/nginx/conf.d/*.conf;
}
EOF
# 清空默认虚拟主机配置
echo > /etc/nginx/conf.d/default.conf
# jumpserver虚拟主机配置
vi /etc/nginx/conf.d/jumpserver.conf
server {
listen 80;
client_max_body_size 500m; # 录像及文件上传大小限制
location /ui/ {
try_files $uri / /index.html;
alias /opt/lina/;
}
location /luna/ {
try_files $uri / /index.html;
alias /opt/luna/; # luna 路径, 如果修改安装目录, 此处需要修改
}
location /media/ {
add_header Content-Encoding gzip;
root /opt/jumpserver/data/; # 录像位置, 如果修改安装目录, 此处需要修改
}
location /static/ {
root /opt/jumpserver/data/; # 静态资源, 如果修改安装目录, 此处需要修改
}
location /koko/ {
proxy_pass http://localhost:5000;
proxy_buffering off;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
access_log off;
}
location /guacamole/ {
proxy_pass http://localhost:8081/;
proxy_buffering off;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $http_connection;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
access_log off;
}
location /ws/ {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://localhost:8070;
proxy_http_version 1.1;
proxy_buffering off;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
location /api/ {
proxy_pass http://localhost:8080;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
location /core/ {
proxy_pass http://localhost:8080;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
location / {
rewrite ^/(.*)$ /ui/$1 last;
}
}
- Inicio del servicio
systemctl enable nginx
systemctl start nginx
systemctl status nginx
nginx -t
nginx -s reload
14. Verificación de inicio de sesión de Jumpserver
Cuenta y contraseña predeterminadas: admin
Consejo de Seguridad
- Se coloca un firewall en la parte frontal de JumpServer para prohibir el acceso innecesario al puerto. El acceso externo solo necesita abrir los puertos 80 y 2222. Si se configura SSL, es necesario abrir el puerto 443.
- El sistema operativo del servidor donde reside JumpServer debe actualizarse a la última versión.
- El software en el que se basa JumpServer prohíbe las contraseñas débiles y las predeterminadas, y actualiza periódicamente el software a la última versión.
- Se recomienda habilitar la función MFA para evitar problemas de seguridad causados por fugas de contraseña
Otros suplementos
- Docker resuelve "net / http: TLS handshake timeout"
Este problema es causado por algunos problemas de red indescriptibles y puede resolverse mediante los siguientes métodos.
vi /etc/docker/daemon.json
{
"registry-mirrors": ["https://registry.docker-cn.com","https://pee6w651.mirror.aliyuncs.com"] }
service docker restart
- Servicio de funciones IPv6 deshabilitado
# 内核参数禁用
echo "net.ipv4.ip_forward=1" >> /etc/sysconfig/network
echo "net.ipv6.conf.all.disable_ipv6=1" >> /etc/sysconfig/network
echo "NETWORKING_IPV6=no" >> /etc/sysconfig/network
sysctl -p
# 启动参数禁用
vi /etc/default/grub
GRUB_CMDLINE_LINUX="ipv6.disable=1 ..."
grub2-mkconfig -o /boot/grub2/grub.cfg
reboot
- El componente de Koko es anormal y no se puede usar normalmente
- Consulta de registro de componentes de Koko:
docker logs -f jms_koko
- Método de reconstrucción del componente Koko Dado que el
componente koko se implementa en Docker, no hay ningún problema que no pueda resolverse mediante la reconstrucción. Si es así, la configuración de Nginx es incorrecta, verifique la configuración de Nginx.
cd /opt
docker stop jms_koko
docker rm jms_koko
Server_IP=`ip addr | grep 'state UP' -A2 | grep inet \
| egrep -v '(127.0.0.1|inet6|docker)' | awk '{print $2}' | tr -d "addr:" \
| head -n 1 | cut -d / -f1` \
&& echo -e "\033[31m 你的服务器IP是 $Server_IP \033[0m" \
&& echo -e "\033[31m 你的BOOTSTRAP_TOKEN是 $BOOTSTRAP_TOKEN \033[0m"
docker run --name jms_koko -d \
-p 2222:2222 -p 127.0.0.1:5000:5000 \
-e CORE_HOST=http://$Server_IP:8080 \
-e BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN \
-e LOG_LEVEL=ERROR \
--restart=always \
jumpserver/jms_koko:2.0.1