Original source: https://lala.im/6110.html, please support the original author! This is only a repost.
Jumpserver is the world's first fully open-source bastion host, a professional operations audit system that meets the 4A requirements; for more detail see the project page:
https://github.com/jumpserver/jumpserver
Deploying this system is fairly involved because it has several components. The official documentation is reasonably thorough, but I ran into a few small pitfalls deploying it on Debian 9, so here is a record of my complete installation steps.
The system here is Debian 9.9 with at least 2 GB of RAM. At least 2 GB!
Update the package sources and install dependencies:
apt -y update
apt -y install wget git build-essential nginx redis-server mariadb-server \
python3-dev python3-venv libffi-dev libtiff5-dev libjpeg62-turbo-dev zlib1g-dev \
libfreetype6-dev liblcms2-dev libwebp-dev tcl8.5-dev tk8.5-dev python-tk python-dev \
openssl libssl-dev libldap2-dev libsasl2-dev sqlite libkrb5-dev sshpass default-libmysqlclient-dev
Enable Nginx/Redis/MariaDB to start at boot (the Debian packages already started them during installation):
systemctl enable nginx redis-server mariadb
Initialize MariaDB:
mysql_secure_installation
Log in to the MariaDB shell:
mysql -u root -p
Create the database and user, and grant privileges:
CREATE DATABASE jumpserver CHARACTER SET utf8 COLLATE utf8_general_ci;
CREATE USER 'jumpserver'@'127.0.0.1' IDENTIFIED BY '你的数据库用户密码';
GRANT ALL PRIVILEGES ON jumpserver.* TO 'jumpserver'@'127.0.0.1';
FLUSH PRIVILEGES;
quit
Create a Python 3 virtual environment:
cd /opt
python3 -m venv imlala
source /opt/imlala/bin/activate
Pull the project files:
git clone https://github.com/jumpserver/jumpserver.git
cd jumpserver
Install the Python dependencies:
pip install --upgrade pip setuptools
pip install -r /opt/jumpserver/requirements/requirements.txt
Make sure every one of these dependencies installs successfully:
Make a copy of the config file:
cp config_example.yml config.yml
Change a few settings:
sed -i "s/# LOG_LEVEL: DEBUG/LOG_LEVEL: ERROR/g" /opt/jumpserver/config.yml
sed -i "s/# SESSION_EXPIRE_AT_BROWSER_CLOSE: false/SESSION_EXPIRE_AT_BROWSER_CLOSE: true/g" /opt/jumpserver/config.yml
Then edit the config file:
nano config.yml
Fill in the Key and Token by hand:
Then keep scrolling down and configure the MySQL connection details:
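The Key/Token and MySQL values can also be written into config.yml from the shell instead of by hand. The script below is an added example, not from the original post or from the Jumpserver project. It assumes config.yml consists of `KEY: value` lines, with the DB_* lines commented out as `# DB_HOST: 127.0.0.1`, the way Jumpserver's config_example.yml is laid out; the token lengths (50 and 24 characters) and the helper names are my own choices, and the demo input is a constructed stand-in for the real file.

```shell
#!/bin/sh
# Added example (not from the original post or the Jumpserver project): fill SECRET_KEY,
# BOOTSTRAP_TOKEN and the MySQL settings in a Jumpserver-style config.yml from the shell.
# Assumption: the file consists of "KEY: value" lines, some commented out as "# KEY: value",
# as Jumpserver's config_example.yml does. Needs GNU sed (the Debian default).

# gen_secret LEN -> LEN random letters/digits from /dev/urandom (no YAML quoting needed)
gen_secret() {
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c "$1"
}

# get_yaml_key FILE KEY -> value of the first active "KEY: value" line (empty if none)
get_yaml_key() {
    sed -n -E "s/^$2:[[:space:]]*//p" "$1" | head -n 1
}

# set_yaml_key FILE KEY VALUE -> rewrite the first "KEY:" or "# KEY:" line as "KEY: VALUE",
# uncommenting it; append the line if the key is not present at all.
# VALUE must not contain '|' (the sed delimiter used here) or '&'.
set_yaml_key() {
    file=$1; key=$2; value=$3
    if grep -q -E "^#?[[:space:]]*${key}:" "$file"; then
        sed -i -E "0,/^#?[[:space:]]*${key}:/{s|^#?[[:space:]]*${key}:.*|${key}: ${value}|}" "$file"
    else
        printf '%s: %s\n' "$key" "$value" >>"$file"
    fi
}

# configure_jumpserver CONFIG DB_PASSWORD -> generate fresh secrets, point the config at the
# local MariaDB created earlier, and print the bootstrap token for the other components.
configure_jumpserver() {
    cfg=$1; db_password=$2
    secret_key=$(gen_secret 50)
    bootstrap_token=$(gen_secret 24)
    set_yaml_key "$cfg" SECRET_KEY "$secret_key"
    set_yaml_key "$cfg" BOOTSTRAP_TOKEN "$bootstrap_token"
    set_yaml_key "$cfg" DB_ENGINE mysql
    set_yaml_key "$cfg" DB_HOST 127.0.0.1
    set_yaml_key "$cfg" DB_PORT 3306
    set_yaml_key "$cfg" DB_USER jumpserver
    set_yaml_key "$cfg" DB_PASSWORD "$db_password"
    set_yaml_key "$cfg" DB_NAME jumpserver
    # KoKo's config.yml and /etc/profile.d/guacamole.sh must carry this same value.
    echo "BOOTSTRAP_TOKEN=$bootstrap_token"
}

# Demo on a constructed stand-in for config_example.yml, so the script runs anywhere:
demo() {
    dir=$(mktemp -d)
    cat >"$dir/config.yml" <<'EOF'
# constructed sample, modelled on the layout of config_example.yml
SECRET_KEY:
BOOTSTRAP_TOKEN:
# DB_ENGINE: mysql
# DB_HOST: 127.0.0.1
# DB_PORT: 3306
# DB_USER: jumpserver
# DB_PASSWORD:
# DB_NAME: jumpserver
EOF
    configure_jumpserver "$dir/config.yml" 'constructed-db-password'
    cat "$dir/config.yml"
    rm -rf "$dir"
}

# Real use: configure_jumpserver /opt/jumpserver/config.yml 'your database user password'
if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `sh fill_config.sh demo` to watch it operate on the constructed sample, or call configure_jumpserver on /opt/jumpserver/config.yml. The BOOTSTRAP_TOKEN it prints is the value that KoKo's config.yml and the Guacamole environment file set up later must carry as well.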
Create a systemd service file:
nano /etc/systemd/system/jms.service
Contents:
[Unit]
Description=jms
After=network.target mariadb.service redis.service
[Service]
Type=forking
User=root
Environment="PATH=/opt/imlala/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin"
PIDFile=/opt/jumpserver/tmp/celery.pid
ExecStart=/opt/jumpserver/jms start all -d
ExecReload=/opt/jumpserver/jms restart all
ExecStop=/opt/jumpserver/jms stop all
Restart=always
[Install]
WantedBy=multi-user.target
Start Jumpserver:
systemctl start jms
systemctl enable jms
CoCo could be installed here instead; KoKo and CoCo are essentially the same thing, except that KoKo is implemented in Go and CoCo in Python.
My feeling is that the Jumpserver development team intends to replace CoCo with KoKo going forward, so we deploy KoKo here.
Download KoKo:
cd /opt
wget https://github.com/jumpserver/koko/releases/download/1.5.2/koko-master-9ab4ea6-linux-amd64.tar.gz
tar -xzvf koko-master-9ab4ea6-linux-amd64.tar.gz
rm -rf koko-master-9ab4ea6-linux-amd64.tar.gz
chown -R root:root kokodir
cd kokodir
cp config_example.yml config.yml
Edit KoKo's config file:
nano config.yml
Only the Token in it needs changing, and it must match the value configured in Jumpserver earlier:
Create a systemd service file:
nano /etc/systemd/system/koko.service
Contents:
[Unit]
Description=jumpserver koko server
[Service]
User=root
WorkingDirectory=/opt/kokodir
ExecStart=/opt/kokodir/koko
Restart=on-abort
[Install]
WantedBy=multi-user.target
Start KoKo:
systemctl start koko
systemctl enable koko
Install Java and the build dependencies:
apt -y install openjdk-8-jdk libcairo2-dev libpng-dev libossp-uuid-dev libavcodec-dev \
libavutil-dev libswscale-dev libfreerdp-dev libpango1.0-dev libssh2-1-dev libtelnet-dev \
libvncserver-dev libpulse-dev libvorbis-dev libwebp-dev libwebsockets-dev
Download the guacamole-server source and compile and install it:
cd /opt
git clone https://github.com/jumpserver/docker-guacamole.git
wget https://www-us.apache.org/dist/guacamole/1.0.0/source/guacamole-server-1.0.0.tar.gz
tar -xzvf guacamole-server-1.0.0.tar.gz
rm -rf guacamole-server-1.0.0.tar.gz
cd guacamole-server-1.0.0
./configure --with-init-dir=/etc/init.d
make -j$(nproc)
make install
ldconfig
Start guacd:
systemctl start guacd
systemctl enable guacd
Download Tomcat:
cd /opt
useradd -m -d /opt/tomcat -s /usr/sbin/nologin -U tomcat
wget https://www.apache.org/dist/tomcat/tomcat-9/v9.0.22/bin/apache-tomcat-9.0.22.tar.gz
tar -xzvf apache-tomcat-9.0.22.tar.gz -C /opt
cp -r /opt/apache-tomcat-9.0.22/. /opt/tomcat
rm -rf /opt/apache-tomcat-9.0.22
rm -rf apache-tomcat-9.0.22.tar.gz
chown -R tomcat:tomcat /opt/tomcat
Change the Tomcat listening port to 8081 to avoid a clash with Jumpserver:
sed -i 's/Connector port="8080"/Connector port="8081"/g' /opt/tomcat/conf/server.xml
Create a systemd service file:
nano /etc/systemd/system/tomcat.service
Contents:
[Unit]
Description=Apache Tomcat 9 Server
After=network.target
[Service]
Type=forking
User=tomcat
Group=tomcat
UMask=0007
RestartSec=10
Restart=always
Environment=JAVA_HOME=/usr/lib/jvm/java-8-openjdk-amd64/jre
Environment="JAVA_OPTS=-Djava.security.egd=file:///dev/urandom"
Environment=CATALINA_BASE=/opt/tomcat
Environment=CATALINA_HOME=/opt/tomcat
Environment=CATALINA_PID=/opt/tomcat/temp/tomcat.pid
Environment="CATALINA_OPTS=-Xms512M -Xmx1024M -server -XX:+UseParallelGC"
ExecStart=/opt/tomcat/bin/startup.sh
ExecStop=/opt/tomcat/bin/shutdown.sh
[Install]
WantedBy=multi-user.target
Start Tomcat:
systemctl start tomcat
systemctl enable tomcat
Copy the Guacamole client into Tomcat's webapps directory:
cp /opt/docker-guacamole/guacamole-1.0.0.war /opt/tomcat/webapps/guacamole.war
Create the directories Guacamole needs:
mkdir -p /etc/guacamole/ && mkdir -p /etc/guacamole/extensions && mkdir -p /etc/guacamole/lib
Put the Jumpserver authentication extension and the Guacamole config file into their corresponding directories:
cp /opt/docker-guacamole/guacamole-auth-jumpserver-1.0.0.jar /etc/guacamole/extensions
cp /opt/docker-guacamole/root/app/guacamole/guacamole.properties /etc/guacamole
Download and set up ssh-forward:
cd /opt
wget https://github.com/ibuler/ssh-forward/releases/download/v0.0.5/linux-amd64.tar.gz
tar -xzvf linux-amd64.tar.gz -C /bin/
rm -rf linux-amd64.tar.gz
chmod +x /bin/ssh-forward
Create an environment-variable file:
nano /etc/profile.d/guacamole.sh
Contents:
export GUACAMOLE_HOME=/etc/guacamole
export JUMPSERVER_SERVER=http://127.0.0.1:8080
export BOOTSTRAP_TOKEN=imlalaNxje2wNDf5e # keep this the same as the jumpserver/koko token
export JUMPSERVER_KEY_DIR=/etc/guacamole/keys
Apply it:
chmod +x /etc/profile.d/guacamole.sh
source /etc/profile.d/guacamole.sh
Restart Tomcat:
systemctl restart tomcat
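The same BOOTSTRAP_TOKEN now lives in three places: Jumpserver's config.yml, KoKo's config.yml and /etc/profile.d/guacamole.sh, and a stale or mistyped copy in any one of them is the usual reason a component fails to register. The check below is an added example, not from the original post or the Jumpserver project. It assumes the two YAML files carry a `BOOTSTRAP_TOKEN: value` line and the environment file an `export BOOTSTRAP_TOKEN=value` line, as shown above; the file contents in its demo are constructed, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post or the Jumpserver project): check that the
# BOOTSTRAP_TOKEN seen by Jumpserver, KoKo and Guacamole is the same value, since a
# mismatch keeps KoKo/Guacamole from registering with Jumpserver.
# Assumed formats: "BOOTSTRAP_TOKEN: value" in the two config.yml files, and
# "export BOOTSTRAP_TOKEN=value  # comment" in /etc/profile.d/guacamole.sh.

# token_from_yaml FILE -> value of the active BOOTSTRAP_TOKEN: line, quotes and comment stripped
token_from_yaml() {
    sed -n -E 's/^BOOTSTRAP_TOKEN:[[:space:]]*([^[:space:]#]*).*/\1/p' "$1" | head -n 1 | tr -d "\"'"
}

# token_from_env FILE -> value of "export BOOTSTRAP_TOKEN=value", quotes and comment stripped
token_from_env() {
    sed -n -E 's/^export[[:space:]]+BOOTSTRAP_TOKEN=([^[:space:]#]*).*/\1/p' "$1" | head -n 1 | tr -d "\"'"
}

# check_tokens JMS_CFG KOKO_CFG GUAC_ENV -> return 0 if all three carry the same non-empty
# token; otherwise name each file that deviates and return 1.
check_tokens() {
    jms=$(token_from_yaml "$1")
    koko=$(token_from_yaml "$2")
    guac=$(token_from_env "$3")
    status=0
    if [ -z "$jms" ]; then
        echo "jumpserver: BOOTSTRAP_TOKEN is empty in $1"; status=1
    fi
    if [ "$koko" != "$jms" ]; then
        echo "koko: BOOTSTRAP_TOKEN in $2 does not match jumpserver's"; status=1
    fi
    if [ "$guac" != "$jms" ]; then
        echo "guacamole: BOOTSTRAP_TOKEN in $3 does not match jumpserver's"; status=1
    fi
    if [ "$status" -eq 0 ]; then
        echo "BOOTSTRAP_TOKEN is consistent across jumpserver, koko and guacamole"
    fi
    return "$status"
}

# Demo on constructed files (the token values are made up for this example):
demo() {
    dir=$(mktemp -d)
    printf 'BOOTSTRAP_TOKEN: %s\n' 'ExampleToken1234' >"$dir/jms.yml"
    printf 'NAME: koko\nBOOTSTRAP_TOKEN: "%s"\n' 'ExampleToken1234' >"$dir/koko.yml"
    printf 'export GUACAMOLE_HOME=/etc/guacamole\nexport BOOTSTRAP_TOKEN=%s # same as jumpserver/koko\n' \
        'ExampleToken1234' >"$dir/guacamole.sh"
    check_tokens "$dir/jms.yml" "$dir/koko.yml" "$dir/guacamole.sh"            # consistent
    printf 'BOOTSTRAP_TOKEN: <ChangeMe>\n' >"$dir/koko.yml"
    check_tokens "$dir/jms.yml" "$dir/koko.yml" "$dir/guacamole.sh" || true    # koko still on a placeholder
    rm -rf "$dir"
}

# Real use: check_tokens /opt/jumpserver/config.yml /opt/kokodir/config.yml /etc/profile.d/guacamole.sh
if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `sh check_tokens.sh demo` to see both outcomes on the constructed files, or point check_tokens at the three real paths. One caveat on the environment file itself: systemd does not read /etc/profile.d, so when Tomcat runs under the tomcat.service unit above, the same variables also have to reach it through Environment= lines in the unit or through /opt/tomcat/bin/setenv.sh, which catalina.sh sources at startup.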
Download the Luna component:
cd /opt
wget https://github.com/jumpserver/luna/releases/download/1.5.2/luna.tar.gz
tar -xzvf luna.tar.gz
rm -rf luna.tar.gz
chown -R root:root luna
Create the Nginx site config file:
nano /etc/nginx/conf.d/jumpserver.conf
Contents:
server {
    listen 80;
    server_name jumpserver.koko.cat;
    client_max_body_size 100m;  # size limit for recordings and file uploads

    location /luna/ {
        try_files $uri / /index.html;
        alias /opt/luna/;  # Luna path; change this if you change the install directory
    }

    location /media/ {
        add_header Content-Encoding gzip;
        root /opt/jumpserver/data/;  # recording location; change this if you change the install directory
    }

    location /static/ {
        root /opt/jumpserver/data/;  # static assets; change this if you change the install directory
    }

    location /socket.io/ {
        proxy_pass http://localhost:5000/socket.io/;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    location /coco/ {
        proxy_pass http://localhost:5000/coco/;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    location /guacamole/ {
        # keep the /guacamole/ prefix: the WAR above was deployed as guacamole.war, so Tomcat
        # serves it under /guacamole/, not at its root
        proxy_pass http://localhost:8081/guacamole/;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    location / {
        proxy_pass http://localhost:8080;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
Finally, restart Nginx:
systemctl restart nginx
Open your site's domain and you should see the Jumpserver login page:
After logging in, the first thing to do is change your admin account password. Then create an Admin User: for this admin user enter the root account and password of the machine you are about to add, or upload the private key if you use public-key authentication:
Next create an Asset (that is, add your machine), selecting the admin user you just created:
If all goes well you can see some basic hardware information about the machine here once it has been added:
Now we need to create a System User. A system user can use automatic or manual login; automatic login requires you to fill in the account credentials here in advance, and if you only want to log in as root you can enter the root credentials here directly.
You can also tick auto-push: if you do, and the account you enter here does not exist on the target machine, Jumpserver creates it for you automatically and completes the login:
Finally, grant the asset to the system user you just created:
Under Sessions - Web Terminal you can now connect to the server:
It is not hard to see that Jumpserver incorporates part of Guacamole's functionality; if your requirements are modest, you could consider using Guacamole directly, which is much simpler to deploy:
Apache Guacamole: web-based cloud desktop