JumpServer bastion host deployment and application, part 2: installation and deployment

Architecture diagram

Component overview

  • JumpServer => now refers to the JumpServer management backend, the core component (Core). It is written in the Django class-based-view style and exposes a RESTful API.
  • koko => implements the SSH Server and Web Terminal Server components, providing SSH and WebSocket interfaces; it is built with Paramiko and Flask.
  • Luna => now the Web Terminal front end. The plan is for all front-end pages to be served by this project; JumpServer only provides the API and no longer renders HTML on the backend.
  • Guacamole => the Apache Guacamole project. JumpServer uses its components to implement RDP; it does not modify Guacamole's code but adds extra plugins so that it can be driven by JumpServer.

Component deployment

1. Environment requirements

Hardware: 2 CPU cores, 4 GB of memory, 50 GB of disk (minimum)
Operating system: x86_64 Linux distribution
Other settings: disable SELinux and the firewall (in production, keep them enabled and configure them carefully)

setenforce 0
sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config

systemctl status firewalld.service
systemctl stop firewalld.service
systemctl disable firewalld.service

2. Update the system environment

yum -y update

3. Environment dependency packages

yum -y install wget gcc epel-release git gcc krb5-devel libtiff-devel libjpeg-devel libzip-devel freetype-devel libwebp-devel tcl-devel tk-devel sshpass openldap-devel mariadb-devel libffi-devel openssh-clients telnet openldap-clients docker

4. Install the Python, MySQL, Redis and Nginx components

yum -y install python3.6 python36-devel mariadb mariadb-server.x86_64 redis nginx

5. Redis settings

systemctl enable redis
systemctl start redis

6. MySQL settings

systemctl enable mariadb
systemctl start mariadb

DB_PASSWORD=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 24`
echo -e "\033[31m 你的数据库密码是 $DB_PASSWORD \033[0m"
mysql -uroot -e "create database jumpserver default charset 'utf8' collate 'utf8_bin'; grant all on jumpserver.* to 'jumpserver'@'127.0.0.1' identified by '$DB_PASSWORD'; flush privileges;"

The default root password is empty. To set one (the author's example value is ericzhong; use a strong password of your own):
mysqladmin -u root -p password 'ericzhong'

7. Python virtual environment configuration

cd /opt
python3.6 -m venv py3
source /opt/py3/bin/activate

Every time you work with JumpServer, load the py3 virtual environment first.

8. JumpServer deployment

  • Download the program and unpack it
cd /opt && \
wget -O jumpserver.tar.gz https://github.com/jumpserver/jumpserver/archive/2.0.1.tar.gz
tar xf jumpserver.tar.gz
ln -s /opt/jumpserver-2.0.1 /opt/jumpserver
  • Install the build-environment dependencies (the requirement files live in the requirements/ directory of the source tree)
cd /opt/jumpserver/requirements
yum install -y $(cat rpm_requirements.txt)
pip install wheel -i https://mirrors.aliyun.com/pypi/simple/
pip install --upgrade pip setuptools -i https://mirrors.aliyun.com/pypi/simple/
pip install -r requirements.txt -i https://mirrors.aliyun.com/pypi/simple/
  • Modify the configuration
cd /opt/jumpserver/
cp config_example.yml config.yml
SECRET_KEY=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 50`
echo "SECRET_KEY=$SECRET_KEY" >> ~/.bashrc
BOOTSTRAP_TOKEN=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 16`
echo "BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN" >> ~/.bashrc
sed -i "s/SECRET_KEY:/SECRET_KEY: $SECRET_KEY/g" /opt/jumpserver/config.yml
sed -i "s/BOOTSTRAP_TOKEN:/BOOTSTRAP_TOKEN: $BOOTSTRAP_TOKEN/g" /opt/jumpserver/config.yml
sed -i "s/# DEBUG: true/DEBUG: false/g" /opt/jumpserver/config.yml
sed -i "s/# LOG_LEVEL: DEBUG/LOG_LEVEL: ERROR/g" /opt/jumpserver/config.yml
sed -i "s/# SESSION_EXPIRE_AT_BROWSER_CLOSE: false/SESSION_EXPIRE_AT_BROWSER_CLOSE: true/g" /opt/jumpserver/config.yml
sed -i "s/DB_PASSWORD: /DB_PASSWORD: $DB_PASSWORD/g" /opt/jumpserver/config.yml
echo -e "\033[31m 你的SECRET_KEY是 $SECRET_KEY \033[0m"
echo -e "\033[31m 你的BOOTSTRAP_TOKEN是 $BOOTSTRAP_TOKEN \033[0m"
  • Start the program
cd /opt/jumpserver/
./jms start -d

Log output:

(py3) [root@jumpserver01 jumpserver]# ./jms start -d
2020-06-23 14:13:41 Tue Jun 23 14:13:41 2020
2020-06-23 14:13:41 Jumpserver version 2.0.0, more see https://www.jumpserver.org

- Start Gunicorn WSGI HTTP Server
2020-06-23 14:13:41 Check database connection ...
users
 [ ] 0001_initial
 [ ] 0002_auto_20171225_1157_squashed_0019_auto_20190304_1459 (18 squashed migrations)
 [ ] 0020_auto_20190612_1825
 [ ] 0021_auto_20190625_1104
 [ ] 0022_auto_20190625_1105
 [ ] 0023_auto_20190724_1525
 [ ] 0024_auto_20191118_1612
 [ ] 0025_auto_20200206_1216
 [ ] 0026_auto_20200508_2105
 [ ] 0027_auto_20200616_1503
2020-06-23 14:13:48 Database connect success
2020-06-23 14:13:48 Check database structure change ...
2020-06-23 14:13:48 Migrate model change to database ...
Operations to perform:
  Apply all migrations: admin, applications, assets, audits, auth, authentication, captcha, common, contenttypes, django_cas_ng, django_celery_beat, jms_oidc_rp, ops, orgs, perms, sessions, settings, terminal, tickets, users
Running migrations:
  Applying contenttypes.0001_initial... OK
  Applying contenttypes.0002_remove_content_type_name... OK
  Applying auth.0001_initial... OK
  Applying auth.0002_alter_permission_name_max_length... OK
  Applying auth.0003_alter_user_email_max_length... OK
  Applying auth.0004_alter_user_username_opts... OK
  Applying auth.0005_alter_user_last_login_null... OK
  Applying auth.0006_require_contenttypes_0002... OK
  Applying auth.0007_alter_validators_add_error_messages... OK
  Applying auth.0008_alter_user_username_max_length... OK
  Applying users.0001_initial... OK
  Applying admin.0001_initial... OK
  Applying admin.0002_logentry_remove_auto_add... OK
  Applying admin.0003_logentry_add_action_flag_choices... OK
  Applying users.0002_auto_20171225_1157_squashed_0019_auto_20190304_1459... OK
  Applying assets.0001_initial... OK
  Applying perms.0001_initial... OK
  Applying assets.0002_auto_20180105_1807_squashed_0009_auto_20180307_1212... OK
  Applying assets.0010_auto_20180307_1749_squashed_0019_auto_20180816_1320... OK
  Applying perms.0002_auto_20171228_0025_squashed_0009_auto_20180903_1132... OK
  Applying perms.0003_action... OK
  Applying perms.0004_assetpermission_actions... OK
  Applying assets.0020_auto_20180816_1652... OK
  Applying assets.0021_auto_20180903_1132... OK
  Applying assets.0022_auto_20181012_1717... OK
  Applying assets.0023_auto_20181016_1650... OK
  Applying assets.0024_auto_20181219_1614... OK
  Applying assets.0025_auto_20190221_1902... OK
  Applying assets.0026_auto_20190325_2035... OK
  Applying applications.0001_initial... OK
  Applying perms.0005_auto_20190521_1619... OK
  Applying perms.0006_auto_20190628_1921... OK
  Applying perms.0007_remove_assetpermission_actions... OK
  Applying perms.0008_auto_20190911_1907... OK
  Applying assets.0027_auto_20190521_1703... OK
  Applying assets.0028_protocol... OK
  Applying assets.0029_auto_20190522_1114... OK
  Applying assets.0030_auto_20190619_1135... OK
  Applying assets.0031_auto_20190621_1332... OK
  Applying assets.0032_auto_20190624_2108... OK
  Applying assets.0033_auto_20190624_2108... OK
  Applying assets.0034_auto_20190705_1348... OK
  Applying assets.0035_auto_20190711_2018... OK
  Applying assets.0036_auto_20190716_1535... OK
  Applying assets.0037_auto_20190724_2002... OK
  Applying assets.0038_auto_20190911_1634... OK
  Applying perms.0009_remoteapppermission_system_users... OK
  Applying applications.0002_remove_remoteapp_system_user... OK
  Applying applications.0003_auto_20191210_1659... OK
  Applying applications.0004_auto_20191218_1705... OK
  Applying assets.0039_authbook_is_active... OK
  Applying assets.0040_auto_20190917_2056... OK
  Applying assets.0041_gathereduser... OK
  Applying assets.0042_favoriteasset... OK
  Applying assets.0043_auto_20191114_1111... OK
  Applying assets.0044_platform... OK
  Applying assets.0045_auto_20191206_1607... OK
  Applying assets.0046_auto_20191218_1705... OK
  Applying assets.0047_assetuser... OK
  Applying assets.0048_auto_20191230_1512... OK
  Applying assets.0049_systemuser_sftp_root... OK
  Applying audits.0001_initial... OK
  Applying audits.0002_ftplog_org_id... OK
  Applying audits.0003_auto_20180816_1652... OK
  Applying audits.0004_operatelog_passwordchangelog_userloginlog... OK
  Applying audits.0005_auto_20190228_1715... OK
  Applying audits.0006_auto_20190726_1753... OK
  Applying audits.0007_auto_20191202_1010... OK
  Applying audits.0008_auto_20200508_2105... OK
  Applying auth.0009_alter_user_last_name_max_length... OK
  Applying auth.0010_alter_group_name_max_length... OK
  Applying auth.0011_update_proxy_permissions... OK
  Applying authentication.0001_initial... OK
  Applying authentication.0002_auto_20190729_1423... OK
  Applying authentication.0003_loginconfirmsetting... OK
  Applying captcha.0001_initial... OK
  Applying common.0001_initial... OK
  Applying common.0002_auto_20180111_1407... OK
  Applying common.0003_setting_category... OK
  Applying common.0004_setting_encrypted... OK
  Applying common.0005_auto_20190221_1902... OK
  Applying common.0006_auto_20190304_1515... OK
  Applying django_cas_ng.0001_initial... OK
  Applying django_celery_beat.0001_initial... OK
  Applying django_celery_beat.0002_auto_20161118_0346... OK
  Applying django_celery_beat.0003_auto_20161209_0049... OK
  Applying django_celery_beat.0004_auto_20170221_0000... OK
  Applying django_celery_beat.0005_add_solarschedule_events_choices_squashed_0009_merge_20181012_1416... OK
  Applying django_celery_beat.0006_periodictask_priority... OK
  Applying jms_oidc_rp.0001_initial... OK
  Applying ops.0001_initial... OK
  Applying ops.0002_celerytask... OK
  Applying ops.0003_auto_20181207_1744... OK
  Applying ops.0004_adhoc_run_as... OK
  Applying ops.0005_auto_20181219_1807... OK
  Applying ops.0006_auto_20190318_1023... OK
  Applying ops.0007_auto_20190724_2002... OK
  Applying ops.0008_auto_20190919_2100... OK
  Applying ops.0009_auto_20191217_1713... OK
  Applying ops.0010_auto_20191217_1758... OK
  Applying ops.0011_auto_20200106_1534... OK
  Applying ops.0012_auto_20200108_1659... OK
  Applying ops.0013_auto_20200108_1706... OK
  Applying ops.0014_auto_20200108_1749... OK
  Applying ops.0015_auto_20200108_1809... OK
  Applying ops.0016_commandexecution_org_id... OK
  Applying ops.0017_auto_20200306_1747... OK
  Applying ops.0018_auto_20200509_1434... OK
  Applying orgs.0001_initial... OK
  Applying orgs.0002_auto_20180903_1132... OK
  Applying orgs.0003_auto_20190916_1057... OK
  Applying users.0020_auto_20190612_1825... OK
  Applying users.0021_auto_20190625_1104... OK
  Applying users.0022_auto_20190625_1105... OK
  Applying users.0023_auto_20190724_1525... OK
  Applying users.0024_auto_20191118_1612... OK
  Applying perms.0010_auto_20191218_1705... OK
  Applying sessions.0001_initial... OK
  Applying settings.0001_initial... OK
  Applying terminal.0001_initial... OK
  Applying terminal.0002_auto_20171228_0025_squashed_0009_auto_20180326_0957... OK
  Applying terminal.0010_auto_20180423_1140... OK
  Applying terminal.0011_auto_20180807_1116... OK
  Applying terminal.0012_auto_20180816_1652... OK
  Applying terminal.0013_auto_20181123_1113... OK
  Applying terminal.0014_auto_20181226_1441... OK
  Applying terminal.0015_auto_20190923_1529... OK
  Applying terminal.0016_commandstorage_replaystorage... OK
  Applying terminal.0017_auto_20191125_0931... OK
  Applying terminal.0018_auto_20191202_1010... OK
  Applying terminal.0019_auto_20191206_1000... OK
  Applying terminal.0020_auto_20191218_1721... OK
  Applying terminal.0021_auto_20200213_1316... OK
  Applying terminal.0022_session_is_success... OK
  Applying terminal.0023_command_risk_level... OK
  Applying tickets.0001_initial... OK
  Applying users.0025_auto_20200206_1216... OK
  Applying users.0026_auto_20200508_2105... OK
  Applying users.0027_auto_20200616_1503... OK
2020-06-23 14:14:12 Collect static files
2020-06-23 14:14:18 Collect static files done

- Start Celery as Distributed Task Queue: Ansible

- Start Celery as Distributed Task Queue: Celery

- Start Beat as Periodic Task Scheduler

- Start Flower as Task Monitor

- Start Daphne ASGI WS Server
gunicorn is running: 3881
celery_ansible is running: 3892
celery_default is running: 3896
beat is running: 3900
flower is running: 3904
daphne is running: 3908
  • Configure JumpServer to start automatically at boot
echo 'source /opt/py3/bin/activate && /opt/jumpserver/jms start -d' >> /etc/rc.local \
  && chmod +x /etc/rc.d/rc.local

9. Deploy the KOKO component with Docker

systemctl enable docker
systemctl daemon-reload
systemctl restart docker.service
cd /opt
Server_IP=`ip addr | grep 'state UP' -A2 | grep inet \
  | egrep -v '(127.0.0.1|inet6|docker)' | awk '{print $2}' | tr -d "addr:" \
  | head -n 1 | cut -d / -f1` \
  && echo -e "\033[31m 你的服务器IP是 $Server_IP \033[0m" \
  && echo -e "\033[31m 你的BOOTSTRAP_TOKEN是 $BOOTSTRAP_TOKEN \033[0m"
docker run --name jms_koko -d \
  -p 2222:2222 -p 127.0.0.1:5000:5000 \
  -e CORE_HOST=http://$Server_IP:8080 \
  -e BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN \
  -e LOG_LEVEL=ERROR \
  --restart=always \
  jumpserver/jms_koko:2.0.1

10. Deploy the Guacamole component with Docker

cd /opt
docker run --name jms_guacamole -d \
  -p 127.0.0.1:8081:8080 \
  -e JUMPSERVER_SERVER=http://$Server_IP \
  -e BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN \
  -e GUACAMOLE_LOG_LEVEL=ERROR \
  jumpserver/jms_guacamole:2.0.1
  • Check the Docker status
docker ps -a
CONTAINER ID        IMAGE                            COMMAND             CREATED              STATUS              PORTS                                              NAMES
36a58481a02e        jumpserver/jms_guacamole:2.0.1   "./entrypoint.sh"   About a minute ago   Up About a minute   127.0.0.1:8081->8080/tcp                           jms_guacamole
7a77d4c2aea4        jumpserver/jms_koko:2.0.1        "./entrypoint.sh"   9 minutes ago        Up 9 minutes        0.0.0.0:2222->2222/tcp, 127.0.0.1:5000->5000/tcp   jms_koko


docker images
REPOSITORY                           TAG                 IMAGE ID            CREATED             SIZE
docker.io/jumpserver/jms_koko        2.0.1               141f4ce1e18c        4 hours ago         356 MB
docker.io/jumpserver/jms_guacamole   2.0.1               b1eecc36e7a2        4 hours ago         659 MB

11. Lina component deployment

cd /opt
wget http://demo.jumpserver.org/download/lina/2.0.1/lina.tar.gz
tar -xf lina.tar.gz
chown -R nginx:nginx lina

12. Luna component deployment

cd /opt
wget http://demo.jumpserver.org/download/luna/2.0.1/luna.tar.gz
tar -xf luna.tar.gz
chown -R nginx:nginx luna

13. Nginx configuration tying the components together

# nginx default configuration (nginx was installed with yum above, so its
# configuration lives under /etc/nginx, not /usr/local/nginx)
cat > /etc/nginx/nginx.conf << EOF
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

include /usr/share/nginx/modules/*.conf;

events {
    worker_connections 1024;
}

http {
    log_format  main  '\$remote_addr - \$remote_user [\$time_local] "\$request" '
                      '\$status \$body_bytes_sent "\$http_referer" '
                      '"\$http_user_agent" "\$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    keepalive_timeout   65;
    types_hash_max_size 2048;

    include             /etc/nginx/mime.types;
    default_type        application/octet-stream;

    include /etc/nginx/conf.d/*.conf;
}

EOF

# Empty the default virtual host configuration
echo > /etc/nginx/conf.d/default.conf

# JumpServer virtual host configuration
vi /etc/nginx/conf.d/jumpserver.conf

server {
    listen 80;

    client_max_body_size 500m;  # size limit for recordings and file uploads

    location /ui/ {
        try_files $uri / /index.html;
        alias /opt/lina/;
    }

    location /luna/ {
        try_files $uri / /index.html;
        alias /opt/luna/;  # luna path; change this if the install directory changes
    }

    location /media/ {
        add_header Content-Encoding gzip;
        root /opt/jumpserver/data/;  # recording location; change this if the install directory changes
    }

    location /static/ {
        root /opt/jumpserver/data/;  # static assets; change this if the install directory changes
    }

    location /koko/ {
        proxy_pass       http://localhost:5000;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    location /guacamole/ {
        proxy_pass       http://localhost:8081/;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    location /ws/ {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://localhost:8070;
        proxy_http_version 1.1;
        proxy_buffering off;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

    location /api/ {
        proxy_pass http://localhost:8080;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    location /core/ {
        proxy_pass http://localhost:8080;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    location / {
        rewrite ^/(.*)$ /ui/$1 last;
    }
}
  • Start the service
systemctl enable nginx
systemctl start nginx
systemctl status nginx
nginx -t
nginx -s reload

14. Verify the JumpServer login

Default account and password: admin

Security tips

  1. Place a firewall in front of JumpServer to block access to unnecessary ports. Only ports 80 and 2222 should be reachable from outside; if SSL is configured, port 443 must be open as well.
  2. The operating system of the server hosting JumpServer should be upgraded to the latest version.
  3. The software JumpServer depends on must not use weak or default passwords, and should be updated regularly to the latest version.
  4. Enabling MFA is recommended to avoid security problems caused by a leaked password.
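As an added defender-side check (not part of the original post), the script below audits a deployed host's listening sockets against tip 1: only 80 (nginx) and 2222 (koko SSH), plus 443 once SSL is configured, may listen on a network-facing address, while every other port this guide configures (core 8080 and 8070, koko web 5000, guacamole 8081, MariaDB 3306, Redis 6379) must be bound to 127.0.0.1 behind nginx. The sample `ss` output is constructed; `audit_live_host` assumes iproute2's `ss` is installed.

```shell
#!/bin/sh
# Added example, not from the original post: audit listening sockets of a
# JumpServer host against security tip 1 (80/2222/443 public, rest loopback).

PUBLIC_ALLOW="80 2222 443"
# core API 8080, daphne websocket 8070, koko web 5000, guacamole 8081,
# MariaDB 3306, Redis 6379: each must exist and must be loopback-only.
LOOPBACK_REQUIRED="8080 8070 5000 8081 3306 6379"

# Constructed `ss -H -tln` output: a host where the core API (8080) was bound
# to 0.0.0.0, so it is reachable directly instead of only via nginx /api/.
SAMPLE_LISTENERS='LISTEN 0 128 0.0.0.0:80 0.0.0.0:*
LISTEN 0 128 0.0.0.0:2222 0.0.0.0:*
LISTEN 0 128 127.0.0.1:5000 0.0.0.0:*
LISTEN 0 128 127.0.0.1:8081 0.0.0.0:*
LISTEN 0 128 0.0.0.0:8080 0.0.0.0:*
LISTEN 0 128 127.0.0.1:8070 0.0.0.0:*
LISTEN 0 128 127.0.0.1:3306 0.0.0.0:*
LISTEN 0 128 127.0.0.1:6379 0.0.0.0:*'

# port_in_list PORT "P1 P2 ..." -> exit 0 if PORT is in the space-separated list
port_in_list() {
    case " $2 " in *" $1 "*) return 0 ;; esac
    return 1
}

# audit_listeners reads `ss -H -tln` lines on stdin, prints one finding per
# line and returns the number of network-facing listeners outside PUBLIC_ALLOW.
audit_listeners() {
    exposed=0
    seen=""
    while read -r state recvq sendq local_addr peer rest; do
        [ -n "$local_addr" ] || continue
        port="${local_addr##*:}"     # "[::]:2222" -> 2222, "0.0.0.0:80" -> 80
        addr="${local_addr%:*}"      # "[::]:2222" -> [::]
        seen="$seen $port"
        case "$addr" in
            127.*|"[::1]") continue ;;   # loopback binding: what nginx proxies to
        esac
        if ! port_in_list "$port" "$PUBLIC_ALLOW"; then
            echo "EXPOSED: $local_addr listens on a network-facing address"
            exposed=$((exposed + 1))
        fi
    done
    for port in $LOOPBACK_REQUIRED; do
        port_in_list "$port" "$seen" || echo "MISSING: nothing listens on port $port (component down?)"
    done
    return "$exposed"
}

# Run the audit against the real host (assumes iproute2's ss is installed).
audit_live_host() {
    ss -H -tln | audit_listeners
}

# Demonstration on the constructed sample: flags the 0.0.0.0:8080 listener.
printf '%s\n' "$SAMPLE_LISTENERS" | audit_listeners || echo "audit: $? exposed port(s)"
```

Run `audit_live_host` after step 14 and again after any change to the docker run `-p` mappings or the nginx proxy targets.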

Additional notes

  1. Docker: fixing "net/http: TLS handshake timeout"
    This is caused by network problems that are hard to pin down (reaching Docker Hub) and can be worked around by configuring registry mirrors.
vi /etc/docker/daemon.json
{
    "registry-mirrors": ["https://registry.docker-cn.com", "https://pee6w651.mirror.aliyuncs.com"]
}

service docker restart
  2. Disabling IPv6
# Disable via kernel parameters (sysctl keys go in /etc/sysctl.conf, which is
# what `sysctl -p` reads; NETWORKING_IPV6 belongs in /etc/sysconfig/network)
echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
echo "net.ipv6.conf.all.disable_ipv6=1" >> /etc/sysctl.conf
echo "NETWORKING_IPV6=no" >> /etc/sysconfig/network
sysctl -p

# Disable via kernel boot parameters
vi /etc/default/grub
GRUB_CMDLINE_LINUX="ipv6.disable=1 ..."
grub2-mkconfig -o /boot/grub2/grub.cfg
reboot
  3. The Koko component is misbehaving and cannot be used normally
  • Check the Koko component log:
docker logs -f jms_koko
  • Rebuild the Koko component
    Since koko is deployed in Docker, there is no problem that rebuilding cannot solve. If the problem persists after a rebuild, the Nginx configuration is wrong; check the Nginx configuration.
cd /opt
docker stop jms_koko
docker rm jms_koko
Server_IP=`ip addr | grep 'state UP' -A2 | grep inet \
  | egrep -v '(127.0.0.1|inet6|docker)' | awk '{print $2}' | tr -d "addr:" \
  | head -n 1 | cut -d / -f1` \
  && echo -e "\033[31m 你的服务器IP是 $Server_IP \033[0m" \
  && echo -e "\033[31m 你的BOOTSTRAP_TOKEN是 $BOOTSTRAP_TOKEN \033[0m"
docker run --name jms_koko -d \
  -p 2222:2222 -p 127.0.0.1:5000:5000 \
  -e CORE_HOST=http://$Server_IP:8080 \
  -e BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN \
  -e LOG_LEVEL=ERROR \
  --restart=always \
  jumpserver/jms_koko:2.0.1

Source: blog.csdn.net/weixin_38623994/article/details/106920048