JumpServer Deployment and Management
I. JumpServer bastion host overview
JumpServer is written in Python/Django and released under the GNU GPL v2.0. The project bills itself as the first fully open-source bastion host and ships with a Web Terminal it describes as industry-leading; the interface is clean and the user experience is good.
Its characteristics: a distributed architecture that scales horizontally and supports multi-datacenter, cross-region deployment; Linux assets are managed over SSH with no agent installed on the target; it also provides log auditing, real-time session monitoring, session recording and playback, identity authentication, and hardware information collection.
1) JumpServer components
1. JumpServer
The management backend and the core component. Written in the Django class-based-view style and exposes a RESTful API.
2. Coco
Implements the SSH server and the Web Terminal server, exposing SSH and WebSocket interfaces. Built on Paramiko and Flask.
3. Luna
The Web Terminal front end; every page is served from this project. JumpServer itself only exposes the API and does not render HTML on the server side.
4. Guacamole
Used by JumpServer to provide RDP. JumpServer does not modify Guacamole's code; it adds an extra plugin so that JumpServer can drive it.
II. JumpServer bastion host deployment
1) Test environment
1. Hosts and ports
Host | OS | Address | Ports | Role
JumpServer | CentOS-7.5 | 10.2.3.11 | Nginx:80, Redis:6379, MySQL:3635, Guacamole:8081/TCP, JumpServer:8080/TCP, Coco:2222/TCP and 5000/TCP | bastion host
Video | CentOS-7.5 | 10.2.3.12 | Apache:80 | video server
 | CentOS-7.5 | 10.2.3.13 | Postfix:465 | mail server
Of the bastion host's ports, only Nginx (80) and Coco's SSH listener (2222) need to be reachable by users. MySQL, Redis, the JumpServer API on 8080, Coco's 5000 and Guacamole's 8081 are consumed by Nginx and JumpServer on this host and should not be exposed beyond it.
2. Deployment notes
At least 4 GB of memory and a 64-bit dual-core CPU are recommended.
Database version 5.6 or later; for production use MySQL 5.6 or 5.7.
Either disable the firewall or open the required traffic, and switch the pip index to a domestic mirror, otherwise downloading the dependency packages is very slow. On a bastion host, opening only the ports listed in the table above is the better of the two options: every other server trusts this machine, so it should be the most restricted one, not the least.
This deployment uses JumpServer 1.4.9, which adds scheduled cleanup of login logs, import and export of login logs, and SSL support for the database connection.
3. Software download links
Nginx: http://nginx.org/download/nginx-1.16.1.tar.gz
MySQL: https://downloads.mysql.com/archives/get/file/mysql-5.6.45.tar.gz (the build steps below fetch 5.7.27 instead; see section 3)
Redis: http://download.redis.io/releases/redis-3.2.13.tar.gz
Python: https://www.python.org/ftp/python/3.6.9/Python-3.6.9.tar.xz
JumpServer: https://github.com/jumpserver/jumpserver/archive/1.4.9.zip
Coco: https://github.com/jumpserver/coco/archive/1.4.9.zip
Luna: https://github.com/jumpserver/luna/releases/download/1.4.9/luna.tar.gz
Guacamole: https://github.com/jumpserver/docker-guacamole/archive/1.4.9.zip
2) Prerequisites
1. Switch the pip index
Note: without a domestic mirror, installing JumpServer's dependency packages is very slow.
[root@jumpserver ~]# mkdir .pip && cd .pip/
[root@jumpserver .pip]# cat > pip.conf << EOF
[global]
timeout = 900
index-url = https://mirrors.aliyun.com/pypi/simple/
[install]
use-mirrors = true
trusted-host = mirrors.aliyun.com
mirrors = https://mirrors.aliyun.com/pypi/simple/
EOF
[root@jumpserver .pip]# cd ~
trusted-host tells pip to accept that host even when its HTTPS certificate is missing or invalid. The mirror is reached over https, so the line is not needed and is better left out: with it, a spoofed mirror could serve altered packages without pip complaining.
2. Set the system locale
[root@jumpserver ~]# localedef -c -f UTF-8 -i zh_CN zh_CN.UTF-8
[root@jumpserver ~]# export LC_ALL=zh_CN.UTF-8
[root@jumpserver ~]# echo 'LANG="zh_CN.UTF-8"' > /etc/locale.conf
3. Configure host mappings
[root@jumpserver ~]# vim /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
183.3.225.42 smtp.qq.com
220.181.12.11 smtp.163.com
Pinning third-party SMTP servers to fixed addresses in /etc/hosts bypasses DNS, and the entries go stale when the provider moves; the mail notes in part III say delivery also works without them, so treat these two lines as optional.
4. Install dependencies
[root@jumpserver ~]# yum makecache fast
[root@jumpserver ~]# yum -y install git epel-release lrzsz xz gcc gcc-c++ libselinux-python sqlite sqlite-devel automake zlib-devel pcre-devel openssl openssl-devel
[root@jumpserver ~]# yum makecache fast
3) Deploy MySQL
1. Download the packages
[root@jumpserver ~]# wget -c https://downloads.mysql.com/archives/get/file/mysql-5.7.27.tar.gz
[root@jumpserver ~]# wget -c https://nchc.dl.sourceforge.net/project/boost/boost/1.59.0/boost_1_59_0.tar.gz
2. Install the build dependencies
[root@jumpserver ~]# yum -y install ncurses ncurses-devel cmake libaio libaio-devel pcre pcre-devel \
    zlib zlib-devel bison bison-devel libverto libverto-devel libstdc++ libstdc++-devel \
    dbus dbus-devel libss libss-devel gcc gcc-c++ autoconf m4 libgcc e2fsprogs perl-Data-Dumper
3. Create the MySQL service user and group
[root@jumpserver ~]# groupadd mysql
[root@jumpserver ~]# useradd -M -s /sbin/nologin mysql -g mysql
4. Unpack Boost and move it into place; it only has to be present for the build and is not compiled separately
[root@jumpserver ~]# tar xf boost_1_59_0.tar.gz
[root@jumpserver ~]# mv boost_1_59_0 /usr/local/boost
5. Build MySQL from source
[root@jumpserver ~]# tar xf mysql-5.7.27.tar.gz -C /usr/src/
[root@jumpserver ~]# cd /usr/src/mysql-5.7.27/
[root@jumpserver mysql-5.7.27]# cmake -DCMAKE_INSTALL_PREFIX=/usr/local/mysql \
    -DMYSQL_DATADIR=/usr/local/mysql/data \
    -DSYSCONFDIR=/etc \
    -DDEFAULT_CHARSET=utf8 \
    -DDEFAULT_COLLATION=utf8_general_ci \
    -DWITH_EXTRA_CHARSETS=all \
    -DENABLED_LOCAL_INFILE=ON \
    -DWITH_DEBUG=0 \
    -DWITH_BOOST=/usr/local/boost \
    -DWITH_FEDERATED_STORAGE_ENGINE=1 \
    -DMYSQL_UNIX_ADDR=/usr/local/mysql/tmp/mysql.sock
[root@jumpserver mysql-5.7.27]# make -j 8 && make install -j 8 && cd ~
-DENABLED_LOCAL_INFILE=ON turns on LOAD DATA LOCAL INFILE by default; nothing on this page uses it, and the safer default (off) is the better choice for a database whose only client is the bastion host.
6. After the build, create the working directories, fix ownership and add the binaries to PATH
[root@jumpserver ~]# mkdir -p /usr/local/mysql/{pid,logs,socket,tmp,ibtmp,binlog,relaylog,outcsv,ibdata,undolog,redolog}
[root@jumpserver ~]# chown -R mysql:mysql /usr/local/mysql
[root@jumpserver ~]# chmod -R 750 /usr/local/mysql/outcsv
[root@jumpserver ~]# echo 'export PATH=/usr/local/mysql/bin:$PATH' >> /etc/profile
[root@jumpserver ~]# source /etc/profile
7. Write the MySQL configuration file
Note: the character set below must be UTF-8, otherwise creating a group in JumpServer fails with the error JumpServer shows at the bottom of the page.
[root@jumpserver ~]# cat > /etc/my.cnf << EOF
[client]
port = 3635
socket = /usr/local/mysql/socket/mysql.sock
[mysqld]
user = mysql
port = 3635
federated
skip_ssl
bind_address = 0.0.0.0
max_connections = 3600
max_connect_errors = 200
autocommit = ON
skip-name-resolve
symbolic-links = 0
skip-external-locking
log_timestamps = system
explicit_defaults_for_timestamp = ON
transaction_isolation = read-committed
binlog_gtid_simple_recovery = ON
show_compatibility_56 = ON
transaction_write_set_extraction = OFF
socket = /usr/local/mysql/socket/mysql.sock
pid-file = /usr/local/mysql/pid/mysql.pid
log-error = /usr/local/mysql/logs/mysql_error.log
secure-file-priv = /usr/local/mysql/outcsv
innodb_tmpdir = /usr/local/mysql/ibtmp
basedir = /usr/local/mysql
datadir = /usr/local/mysql/data
tmpdir = /usr/local/mysql/tmp
character-set-server = utf8
init_connect = SET NAMES utf8
collation-server = utf8_general_ci
slow_query_log = ON
long_query_time = 1
min_examined_row_limit = 960
log_slow_admin_statements = ON
log_slow_slave_statements = ON
log_queries_not_using_indexes = OFF
slow_query_log_file = /usr/local/mysql/logs/mysql_slow.log
back_log = 360
tmp_table_size = 64M
max_allowed_packet = 64M
max_heap_table_size = 64M
sort_buffer_size = 1M
join_buffer_size = 1M
read_buffer_size = 2M
read_rnd_buffer_size = 2M
thread_cache_size = 64
thread_stack = 256K
query_cache_size = 32M
query_cache_limit = 2M
query_cache_min_res_unit = 2K
table_open_cache = 4096
open_files_limit = 65535
connect_timeout = 9
interactive_timeout = 21600
wait_timeout = 21600
innodb_data_file_path = ibdata1:12M;ibdata:12M:autoextend
innodb_autoextend_increment = 12
innodb_data_home_dir = /usr/local/mysql/ibdata
innodb_undo_tablespaces = 4
innodb_undo_logs = 128
innodb_max_undo_log_size = 1G
innodb_undo_log_truncate = ON
innodb_purge_rseg_truncate_frequency = 10
innodb_undo_directory = /usr/local/mysql/undolog
innodb_log_file_size = 128M
innodb_log_buffer_size = 16M
innodb_log_files_in_group = 3
innodb_flush_log_at_trx_commit = 2
innodb_flush_log_at_timeout = 1
innodb_flush_method = O_DIRECT
innodb_log_group_home_dir = /usr/local/mysql/redolog
innodb_temp_data_file_path = ibtmp1:12M:autoextend:max:5G
innodb_fast_shutdown = 0
default-storage-engine = InnoDB
innodb_buffer_pool_size = 2G
table_open_cache_instances = 8
innodb_buffer_pool_chunk_size = 256MB
innodb_page_size = 16k
innodb_sort_buffer_size = 1MB
innodb_file_per_table = ON
innodb_large_prefix = ON
innodb_purge_threads = 8
innodb_page_cleaners = 8
innodb_read_io_threads = 8
innodb_write_io_threads = 8
innodb_thread_concurrency = 16
innodb_flush_neighbors = 0
innodb_lru_scan_depth = 1024
innodb_lock_wait_timeout = 60
innodb_print_all_deadlocks = ON
innodb_deadlock_detect = ON
innodb_strict_mode = ON
innodb_buffer_pool_load_at_startup = ON
innodb_buffer_pool_dump_at_shutdown = ON
EOF
Two of these settings deserve a second look on a bastion host. skip_ssl turns TLS off for every client connection, even though the 1.4.9 notes above say the database link now supports SSL. bind_address = 0.0.0.0 listens on every interface, while the only client is JumpServer on this same machine (it connects to 10.2.3.11:3635 below); binding to that one address, or to 127.0.0.1 with DB_HOST changed to match, keeps port 3635 off the network.
8. Initialize MySQL
[root@jumpserver ~]# /usr/local/mysql/bin/mysqld --initialize-insecure --user=mysql --basedir=/usr/local/mysql --datadir=/usr/local/mysql/data
[root@jumpserver ~]# echo $?
0
--initialize-insecure creates root@localhost with an empty password, which is why the next steps can run mysql without credentials; set the root password (step 10) before anything else connects.
9. Register MySQL as a systemd service so it can be managed with systemctl
[root@jumpserver ~]# cp /usr/local/mysql/support-files/mysql.server /usr/local/mysql/bin/mysql.sh
[root@jumpserver ~]# chmod +x /usr/local/mysql/bin/mysql.sh
[root@jumpserver ~]# cat > /usr/lib/systemd/system/mysql.service << EOF
[Unit]
Description=MySQL
After=network.target
[Service]
User=mysql
Group=mysql
Type=forking
PrivateTmp=false
LimitNOFILE=65535
ExecStart=/usr/local/mysql/bin/mysql.sh start
ExecStop=/usr/local/mysql/bin/mysql.sh stop
[Install]
WantedBy=multi-user.target
EOF
10. Start MySQL and set the root password
[root@jumpserver ~]# systemctl start mysql
[root@jumpserver ~]# systemctl enable mysql
[root@jumpserver ~]# netstat -anput | grep mysql
tcp 0 0 0.0.0.0:3635 0.0.0.0:* LISTEN 34411/mysqld
[root@jumpserver ~]# mysql -e"update mysql.user set authentication_string=password('abc-123') where user='root';flush privileges;"
abc-123 is a placeholder used throughout this page; replace it with a long random password. Anything typed on the command line, as above, also ends up in root's shell history.
11. Create the JumpServer database and user
[root@jumpserver ~]# mysql -uroot -pabc-123 -e"create database jumpserver;" 2> /dev/null
[root@jumpserver ~]# mysql -uroot -pabc-123 -e"grant all privileges on jumpserver.* to 'jumpserver'@'10.2.3.%' identified by 'abc-123';" 2> /dev/null
The 2> /dev/null only silences the "using a password on the command line interface can be insecure" warning, but it also hides real errors; drop it if a command does not behave as expected. The grant itself has the right shape: the application account is limited to the jumpserver schema and to the 10.2.3.0/24 range, and has no rights on the mysql schema.
[root@jumpserver ~]# mysql -ujumpserver -pabc-123 -h10.2.3.11 -P3635 -Djumpserver 2> /dev/null
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 8
Server version: 5.7.27-log Source distribution

Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> select database();
+------------+
| database() |
+------------+
| jumpserver |
+------------+
1 row in set (0.00 sec)
4) Deploy Redis
1. Install dependencies
[root@jumpserver ~]# yum -y install gcc gcc-c++ pcre pcre-devel zlib zlib-devel tcl tcl-devel
2. Download the package
[root@jumpserver ~]# wget -c http://download.redis.io/releases/redis-3.2.13.tar.gz
3. Install Redis
[root@jumpserver ~]# tar xf redis-3.2.13.tar.gz -C /usr/src/
[root@jumpserver ~]# cd /usr/src/redis-3.2.13/
[root@jumpserver redis-3.2.13]# make -j 8 && make PREFIX=/usr/local/redis install && cd ~
4. Create the storage directories
Note: in order, these are the configuration, PID, log, data and socket directories
[root@jumpserver ~]# mkdir -p /usr/local/redis/{conf,pid,logs,data,socket}
5. Copy the binaries and the sample configuration
[root@jumpserver ~]# cp /usr/local/redis/bin/* /usr/local/bin/
[root@jumpserver ~]# cp /usr/src/redis-3.2.13/redis.conf /usr/local/redis/conf/
[root@jumpserver ~]# cp /usr/local/redis/conf/redis.conf /usr/local/redis/conf/redis.conf.bak
6. Register Redis as a systemd service
[root@jumpserver ~]# cat > /usr/lib/systemd/system/redis.service << EOF
[Unit]
Description=redis
After=network.target
[Service]
Type=forking
LimitNOFILE=65535
ExecStart=/usr/local/bin/redis-server /usr/local/redis/conf/redis.conf
[Install]
WantedBy=multi-user.target
EOF
The unit has no User= line, so redis-server runs as root. The MySQL unit above shows the pattern to follow instead: a dedicated nologin user that owns /usr/local/redis.
7. Write the Redis configuration file
[root@jumpserver ~]# cat > /usr/local/redis/conf/redis.conf << EOF
bind 0.0.0.0
port 6379
timeout 180
daemonize yes
maxclients 6500
protected-mode yes
requirepass abc-123
tcp-backlog 2048
tcp-keepalive 300
databases 16
supervised no
syslog-enabled yes
syslog-ident redis
syslog-facility local0
loglevel notice
logfile "/usr/local/redis/logs/redis.log"
pidfile "/usr/local/redis/pid/redis.pid"
unixsocketperm 755
unixsocket "/usr/local/redis/socket/redis.sock"
slowlog-log-slower-than 5000
slowlog-max-len 128
dir "/usr/local/redis/data"
save 900 1
save 300 10
save 60 10000
rdbcompression yes
rdbchecksum no
dbfilename dump.rdb
stop-writes-on-bgsave-error no
appendonly yes
appendfsync everysec
aof-load-truncated yes
appendfilename appendonly.aof
no-appendfsync-on-rewrite no
auto-aof-rewrite-percentage 100
auto-aof-rewrite-min-size 64mb
aof-rewrite-incremental-fsync yes
repl-diskless-sync no
repl-diskless-sync-delay 5
repl-disable-tcp-nodelay no
repl-backlog-size 1mb
repl-backlog-ttl 3600
slave-priority 100
hz 10
maxmemory-policy noeviction
activerehashing yes
hash-max-ziplist-value 64
hash-max-ziplist-entries 512
list-compress-depth 0
lua-time-limit 5000
notify-keyspace-events ""
list-max-ziplist-size -2
latency-monitor-threshold 0
set-max-intset-entries 512
zset-max-ziplist-entries 128
zset-max-ziplist-value 64
hll-sparse-max-bytes 3000
client-output-buffer-limit normal 0 0 0
client-output-buffer-limit pubsub 32mb 8mb 60
client-output-buffer-limit slave 256mb 64mb 60
EOF
Redis 3.2 has no TLS, so requirepass is the only thing between the network and the cache, and it crosses the wire in clear text. protected-mode yes is inert here: it only restricts clients when neither bind nor requirepass is configured, and both are. JumpServer is the sole client and runs on this host, so bind 127.0.0.1 (with REDIS_HOST: 127.0.0.1 in config.yml) or bind 10.2.3.11 keeps port 6379 off every other interface. Use a real password in place of abc-123.
8. Start Redis and enable it at boot
[root@jumpserver ~]# systemctl start redis
[root@jumpserver ~]# systemctl enable redis
Created symlink from /etc/systemd/system/multi-user.target.wants/redis.service to /usr/lib/systemd/system/redis.service.
[root@jumpserver ~]# netstat -anput | grep redis
tcp 0 0 0.0.0.0:6379 0.0.0.0:* LISTEN 4244/redis-server 0
9. Resolve the Redis startup warnings
[root@jumpserver ~]# echo never > /sys/kernel/mm/transparent_hugepage/enabled
[root@jumpserver ~]# echo "echo never > /sys/kernel/mm/transparent_hugepage/enabled" >> /etc/rc.local
[root@jumpserver ~]# chmod +x /etc/rc.d/rc.local   # on CentOS 7 rc.local is not executable by default and is skipped at boot until it is
[root@jumpserver ~]# echo net.core.somaxconn = 4096 >> /etc/sysctl.conf
[root@jumpserver ~]# echo vm.overcommit_memory = 1 >> /etc/sysctl.conf
[root@jumpserver ~]# echo vm.swappiness = 0 >> /etc/sysctl.conf
[root@jumpserver ~]# sysctl -p
[root@jumpserver ~]# systemctl restart redis
10. Finally check the status and confirm that no warnings are logged
[root@jumpserver ~]# systemctl status redis
● redis.service - redis
   Loaded: loaded (/usr/lib/systemd/system/redis.service; enabled; vendor preset: disabled)
   Active: active (running) since Mon 2020-02-17 15:17:03 CST; 3s ago
  Process: 5795 ExecStart=/usr/local/bin/redis-server /usr/local/redis/conf/redis.conf (code=exited, status=0/SUCCESS)
 Main PID: 5796 (redis-server)
   CGroup: /system.slice/redis.service
           └─5796 /usr/local/bin/redis-server 0.0.0.0:6379

Feb 17 15:17:03 jumpserver systemd[1]: Starting redis...
Feb 17 15:17:03 jumpserver systemd[1]: Started redis.
Feb 17 15:17:03 jumpserver redis[5796]: Redis 3.2.13 (00000000/0) 64 bit, standalone mode, port 6379, pid 5796 ready to start.
Feb 17 15:17:03 jumpserver redis[5796]: Server started, Redis version 3.2.13
Feb 17 15:17:03 jumpserver redis[5796]: The server is now ready to accept connections on port 6379
Feb 17 15:17:03 jumpserver redis[5796]: The server is now ready to accept connections at /usr/local/redis/socket/redis.sock
[root@jumpserver ~]# tail -f /usr/local/redis/logs/redis.log
5766:M 17 Feb 15:17:03.315 * Calling fsync() on the AOF file.
5766:M 17 Feb 15:17:03.315 * Saving the final RDB snapshot before exiting.
5766:M 17 Feb 15:17:03.316 * DB saved on disk
5766:M 17 Feb 15:17:03.316 * Removing the pid file.
5766:M 17 Feb 15:17:03.316 * Removing the unix socket file.
5766:M 17 Feb 15:17:03.316 # Redis is now ready to exit, bye bye...
5796:M 17 Feb 15:17:03.324 * Redis 3.2.13 (00000000/0) 64 bit, standalone mode, port 6379, pid 5796 ready to start.
5796:M 17 Feb 15:17:03.324 # Server started, Redis version 3.2.13
5796:M 17 Feb 15:17:03.324 * The server is now ready to accept connections on port 6379
5796:M 17 Feb 15:17:03.324 * The server is now ready to accept connections at /usr/local/redis/socket/redis.sock
5) Deploy Python
1. Download the Python package
[root@jumpserver ~]# wget -c https://www.python.org/ftp/python/3.6.9/Python-3.6.9.tar.xz
2. Install Python
[root@jumpserver ~]# tar xf Python-3.6.9.tar.xz -C /usr/src/
[root@jumpserver ~]# cd /usr/src/Python-3.6.9/
[root@jumpserver Python-3.6.9]# ./configure && make -j 8 && make install -j 8 && cd
3. Configure Python
Note: this creates a virtual environment; once it is set up, every following step runs inside it.
[root@jumpserver ~]# python3.6 -m venv /opt/py3
[root@jumpserver ~]# source /opt/py3/bin/activate
(py3) [root@jumpserver ~]# echo "source /opt/py3/bin/activate" >> /root/.bashrc
6) Deploy JumpServer
1. Install JumpServer
Note: the downloaded JumpServer archive can be named however you like; this is personal habit, but if you rename it, the paths in the Nginx configuration later must change to match. The GitHub link above serves a .zip, while the commands here unpack a tarball of the same release, so adjust the tar command to whatever you downloaded.
(py3) [root@jumpserver ~]# tar xf jumpserver-1.4.9.tar.gz -C /opt/
(py3) [root@jumpserver ~]# yum -y install $(cat /opt/jumpserver-1.4.9/requirements/rpm_requirements.txt)
(py3) [root@jumpserver ~]# pip3 install --upgrade pip setuptools
(py3) [root@jumpserver ~]# pip3 install wheel
(py3) [root@jumpserver ~]# pip3 install pymysql
(py3) [root@jumpserver ~]# pip3 install mysqlclient
(py3) [root@jumpserver ~]# pip3 install pyasn1==0.4.6
(py3) [root@jumpserver ~]# pip3 install future==0.16.0
(py3) [root@jumpserver ~]# pip3 install django==2.2
(py3) [root@jumpserver ~]# pip3 install -r /opt/jumpserver-1.4.9/requirements/requirements.txt
2. Generate the random secrets; they are used for authentication later
(py3) [root@jumpserver ~]# SECRET_KEY=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 50`
(py3) [root@jumpserver ~]# BOOTSTRAP_TOKEN=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 16`
(py3) [root@jumpserver ~]# echo "SECRET_KEY=$SECRET_KEY" >> /root/.bashrc
(py3) [root@jumpserver ~]# echo "BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN" >> /root/.bashrc
SECRET_KEY is the key JumpServer uses to sign sessions and protect the credentials it stores, so it must stay the same for the life of the installation and must not leave the host; BOOTSTRAP_TOKEN is the shared secret a new Coco or Guacamole node presents in order to register. Appending both to /root/.bashrc keeps them available for the Coco and Guacamole steps below, but once every component is registered, remove those two lines: config.yml already holds the values, and a secret in a shell rc file is exported into every process root starts.
3. Configure JumpServer
Note: SECRET_KEY and BOOTSTRAP_TOKEN only need to reference the variables defined above. Because Guacamole is deployed later, sed is used here to substitute them directly.
(py3) [root@jumpserver ~]# cp /opt/jumpserver-1.4.9/config_example.yml /opt/jumpserver-1.4.9/config.yml
(py3) [root@jumpserver ~]# sed -i "s/SECRET_KEY:/SECRET_KEY: $SECRET_KEY/g" /opt/jumpserver-1.4.9/config.yml
(py3) [root@jumpserver ~]# sed -i "s/BOOTSTRAP_TOKEN:/BOOTSTRAP_TOKEN: $BOOTSTRAP_TOKEN/g" /opt/jumpserver-1.4.9/config.yml
(py3) [root@jumpserver ~]# sed -i "s/# DEBUG: true/DEBUG: false/g" /opt/jumpserver-1.4.9/config.yml
(py3) [root@jumpserver ~]# sed -i "s/# LOG_LEVEL: DEBUG/LOG_LEVEL: ERROR/g" /opt/jumpserver-1.4.9/config.yml
(py3) [root@jumpserver ~]# sed -i "s/# SESSION_EXPIRE_AT_BROWSER_CLOSE: false/SESSION_EXPIRE_AT_BROWSER_CLOSE: true/g" /opt/jumpserver-1.4.9/config.yml
(py3) [root@jumpserver ~]# vim /opt/jumpserver-1.4.9/config.yml
# MySQL settings
DB_ENGINE: mysql
DB_HOST: 10.2.3.11
DB_PORT: 3635
DB_USER: jumpserver
DB_PASSWORD: abc-123
DB_NAME: jumpserver
# Redis settings
REDIS_HOST: 10.2.3.11
REDIS_PORT: 6379
REDIS_PASSWORD: abc-123
DEBUG: false, LOG_LEVEL: ERROR and SESSION_EXPIRE_AT_BROWSER_CLOSE: true are the right production values: debug pages leak settings and stack traces, and a console session that survives a closed browser is a session someone else can pick up. config.yml now contains the database password, the Redis password and both secrets, so restrict it to root (chmod 600).
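Steps 2 and 3 can be folded into one function that does the same job with fewer sharp edges. The script below is an added example written for this article; it is not part of JumpServer or of the author's deployment. It assumes config_example.yml contains bare `SECRET_KEY:` and `BOOTSTRAP_TOKEN:` lines (the same assumption the sed patterns above make), and the file paths in the usage comment are the article's, not defaults of the tool.

```bash
#!/usr/bin/env bash
# Added example, not from the original article or the JumpServer project.
# Generates SECRET_KEY / BOOTSTRAP_TOKEN from the same [A-Za-z0-9] alphabet the
# article uses, writes them into a copy of config_example.yml by matching the key
# at the start of the line, keeps the file root-only (0600) and verifies that no
# value was left blank. Paths and the YAML layout are assumptions.

# gen_token N -> N characters from [A-Za-z0-9].
# 16*N raw bytes are read up front, so the pipeline never depends on SIGPIPE
# ending `tr` early (the article's `cat /dev/urandom | tr | head` form fails
# under `set -o pipefail`); 16x oversampling leaves ample alphanumeric bytes.
gen_token() {
  head -c "$(( $1 * 16 ))" /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9' | cut -c "1-$1"
}

# set_yaml_key FILE KEY VALUE: replace the value of a top-level "KEY:" line.
# The article's `sed "s/KEY:/KEY: value/"` also rewrites a commented-out
# "# KEY:" line and any key that merely contains KEY; anchoring at column 0
# avoids both. The value arrives via awk -v, so sed metacharacters in it are
# harmless (awk -v does interpret backslashes, which gen_token never emits).
set_yaml_key() {
  local file=$1 key=$2 value=$3 tmp
  tmp=$(mktemp)
  awk -v k="$key" -v v="$value" '
    $0 ~ ("^" k ":") { print k ": " v; next }
    { print }' "$file" > "$tmp" && cat "$tmp" > "$file"   # cat keeps FILE's mode
  rm -f "$tmp"
}

# yaml_value FILE KEY -> value of the first top-level "KEY:" line, or nothing.
yaml_value() {
  awk -v k="$2" '$0 ~ ("^" k ":") { sub("^" k ":[[:space:]]*", ""); print; exit }' "$1"
}

# render_config EXAMPLE TARGET -> prints the bootstrap token, exit 1 on failure.
# The token is printed rather than appended to /root/.bashrc so the caller can
# hand it to the Coco/Guacamole steps once and then forget it; config.yml keeps it.
render_config() {
  local example=$1 target=$2 secret boot
  secret=$(gen_token 50) && boot=$(gen_token 16) || return 1
  ( umask 077 && cp "$example" "$target" ) || return 1   # created rw------- from the start
  chmod 600 "$target"
  set_yaml_key "$target" SECRET_KEY "$secret"
  set_yaml_key "$target" BOOTSTRAP_TOKEN "$boot"
  [ "$(yaml_value "$target" SECRET_KEY)" = "$secret" ] || return 1
  [ "$(yaml_value "$target" BOOTSTRAP_TOKEN)" = "$boot" ] || return 1
  printf '%s\n' "$boot"
}

# Usage on the bastion host (paths from the article, assumed here):
#   BOOTSTRAP_TOKEN=$(render_config /opt/jumpserver-1.4.9/config_example.yml \
#                                   /opt/jumpserver-1.4.9/config.yml)
```

The returned token is all the later Coco and Guacamole steps need; the SECRET_KEY never has to exist outside config.yml.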
4. Create the JumpServer schema and start JumpServer
The two sed lines patch apps/orgs/models.py so that PyMySQL registers itself as the MySQLdb driver before Django loads the database backend; with that in place, the mysqlclient C extension installed above is not used.
(py3) [root@jumpserver ~]# sed -i '8i import pymysql' /opt/jumpserver-1.4.9/apps/orgs/models.py
(py3) [root@jumpserver ~]# sed -i '9i pymysql.install_as_MySQLdb()' /opt/jumpserver-1.4.9/apps/orgs/models.py
(py3) [root@jumpserver ~]# cd /opt/jumpserver-1.4.9/utils/ && bash make_migrations.sh && cd ~
No changes detected
Operations to perform:
  Apply all migrations: admin, assets, audits, auth, authentication, captcha, common, contenttypes, django_celery_beat, ops, orgs, perms, sessions, settings, terminal, users
Running migrations:
  Applying contenttypes.0001_initial... OK
  Applying contenttypes.0002_remove_content_type_name... OK
  Applying auth.0001_initial... OK
  Applying auth.0002_alter_permission_name_max_length... OK
  Applying auth.0003_alter_user_email_max_length... OK
  Applying auth.0004_alter_user_username_opts... OK
  Applying auth.0005_alter_user_last_login_null... OK
  Applying auth.0006_require_contenttypes_0002... OK
  Applying auth.0007_alter_validators_add_error_messages... OK
  Applying auth.0008_alter_user_username_max_length... OK
  Applying users.0001_initial... OK
  Applying admin.0001_initial... OK
  Applying admin.0002_logentry_remove_auto_add... OK
  Applying admin.0003_logentry_add_action_flag_choices... OK
  Applying assets.0001_initial... OK
  Applying assets.0002_auto_20180105_1807_squashed_0009_auto_20180307_1212... OK
  Applying assets.0010_auto_20180307_1749_squashed_0019_auto_20180816_1320... OK
  Applying assets.0020_auto_20180816_1652... OK
  Applying assets.0021_auto_20180903_1132... OK
  Applying assets.0022_auto_20181012_1717... OK
  Applying assets.0023_auto_20181016_1650... OK
  Applying assets.0024_auto_20181219_1614... OK
  Applying assets.0025_auto_20190221_1902... OK
  Applying assets.0026_auto_20190325_2035... OK
  Applying users.0002_auto_20171225_1157... OK
  Applying users.0003_auto_20180101_0046... OK
  Applying users.0004_auto_20180125_1218... OK
  Applying users.0005_auto_20180306_1804... OK
  Applying users.0006_auto_20180411_1135... OK
  Applying users.0007_auto_20180419_1036... OK
  Applying users.0008_auto_20180425_1516... OK
  Applying users.0009_auto_20180517_1537... OK
  Applying users.0010_auto_20180606_1505... OK
  Applying users.0011_user_source... OK
  Applying users.0012_auto_20180710_1641... OK
  Applying users.0013_auto_20180807_1116... OK
  Applying users.0014_auto_20180816_1652... OK
  Applying users.0015_auto_20181105_1112... OK
  Applying users.0016_auto_20181109_1505... OK
  Applying users.0017_auto_20181123_1113... OK
  Applying users.0018_auto_20190107_1912... OK
  Applying users.0019_auto_20190304_1459... OK
  Applying audits.0001_initial... OK
  Applying audits.0002_ftplog_org_id... OK
  Applying audits.0003_auto_20180816_1652... OK
  Applying audits.0004_operatelog_passwordchangelog_userloginlog... OK
  Applying audits.0005_auto_20190228_1715... OK
  Applying auth.0009_alter_user_last_name_max_length... OK
  Applying authentication.0001_initial... OK
  Applying captcha.0001_initial... OK
  Applying common.0001_initial... OK
  Applying common.0002_auto_20180111_1407... OK
  Applying common.0003_setting_category... OK
  Applying common.0004_setting_encrypted... OK
  Applying common.0005_auto_20190221_1902... OK
  Applying common.0006_auto_20190304_1515... OK
  Applying django_celery_beat.0001_initial... OK
  Applying django_celery_beat.0002_auto_20161118_0346... OK
  Applying django_celery_beat.0003_auto_20161209_0049... OK
  Applying django_celery_beat.0004_auto_20170221_0000... OK
  Applying django_celery_beat.0005_add_solarschedule_events_choices_squashed_0009_merge_20181012_1416... OK
  Applying django_celery_beat.0006_periodictask_priority... OK
  Applying ops.0001_initial... OK
  Applying ops.0002_celerytask... OK
  Applying ops.0003_auto_20181207_1744... OK
  Applying ops.0004_adhoc_run_as... OK
  Applying ops.0005_auto_20181219_1807... OK
  Applying ops.0006_auto_20190318_1023... OK
  Applying orgs.0001_initial... OK
  Applying orgs.0002_auto_20180903_1132... OK
  Applying perms.0001_initial... OK
  Applying perms.0002_auto_20171228_0025_squashed_0009_auto_20180903_1132... OK
  Applying sessions.0001_initial... OK
  Applying settings.0001_initial... OK
  Applying terminal.0001_initial... OK
  Applying terminal.0002_auto_20171228_0025_squashed_0009_auto_20180326_0957... OK
  Applying terminal.0010_auto_20180423_1140... OK
  Applying terminal.0011_auto_20180807_1116... OK
  Applying terminal.0012_auto_20180816_1652... OK
  Applying terminal.0013_auto_20181123_1113... OK
  Applying terminal.0014_auto_20181226_1441... OK
No conflicts detected to merge.
(py3) [root@jumpserver ~]# cd /opt/jumpserver-1.4.9/ && ./jms start all -d && cd ~
Tue Feb 18 18:31:26 2020
Jumpserver version 1.4.9, more see https://www.jumpserver.org
- Start Gunicorn WSGI HTTP Server
Check database connection ...
users
 [X] 0001_initial
 [X] 0002_auto_20171225_1157
 [X] 0003_auto_20180101_0046
 [X] 0004_auto_20180125_1218
 [X] 0005_auto_20180306_1804
 [X] 0006_auto_20180411_1135
 [X] 0007_auto_20180419_1036
 [X] 0008_auto_20180425_1516
 [X] 0009_auto_20180517_1537
 [X] 0010_auto_20180606_1505
 [X] 0011_user_source
 [X] 0012_auto_20180710_1641
 [X] 0013_auto_20180807_1116
 [X] 0014_auto_20180816_1652
 [X] 0015_auto_20181105_1112
 [X] 0016_auto_20181109_1505
 [X] 0017_auto_20181123_1113
 [X] 0018_auto_20190107_1912
 [X] 0019_auto_20190304_1459
Database connect success
Check database structure change ...
Migrate model change to database ...
Operations to perform:
  Apply all migrations: admin, assets, audits, auth, authentication, captcha, common, contenttypes, django_celery_beat, ops, orgs, perms, sessions, settings, terminal, users
Running migrations:
  No migrations to apply.
Collect static files
552 static files copied to '/opt/jumpserver-1.4.9/data/static'.
- Start Celery as Distributed Task Queue
- Start Beat as Periodic Task Scheduler
gunicorn is running: 4480
celery is running: 4502
beat is running: 4504
(py3) [root@jumpserver ~]# ps -elf | grep -v grep | grep jumpserver | wc -l
12
(py3) [root@jumpserver ~]# netstat -anput | grep 8080
tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN 4480/python3.6
Gunicorn listens on every interface, so the API on 8080 can be reached without going through Nginx. The Coco and Guacamole containers below do need to reach it at 10.2.3.11:8080, so it cannot simply be bound to localhost; restrict it with the host firewall to 127.0.0.1 and the Docker bridge instead.
7) Deploy Coco, Luna and Guacamole
Note 1: two ways of deploying Coco are shown below, directly on the host and as a container; choose one of the two, not both (they bind the same ports, 2222 and 5000).
Note 2: either way, Coco's BOOTSTRAP_TOKEN must equal the one in the JumpServer configuration file; the variable defined earlier is referenced and substituted in.
1. Deploy Coco directly
(py3) [root@jumpserver ~]# tar xf coco-1.4.9.tar.gz -C /opt/
(py3) [root@jumpserver ~]# yum -y install $(cat /opt/coco-1.4.9/requirements/rpm_requirements.txt)
(py3) [root@jumpserver ~]# pip3 install -r /opt/coco-1.4.9/requirements/requirements.txt
(py3) [root@jumpserver ~]# cp /opt/coco-1.4.9/config_example.yml /opt/coco-1.4.9/config.yml
(py3) [root@jumpserver ~]# sed -i "s/# NAME: {{ Hostname }}/NAME: Coco/g" /opt/coco-1.4.9/config.yml
(py3) [root@jumpserver ~]# sed -i "s/BOOTSTRAP_TOKEN: <PleasgeChangeSameWithJumpserver>/BOOTSTRAP_TOKEN: $BOOTSTRAP_TOKEN/g" /opt/coco-1.4.9/config.yml
(py3) [root@jumpserver ~]# sed -i "s/# LOG_LEVEL: INFO/LOG_LEVEL: ERROR/g" /opt/coco-1.4.9/config.yml
The BOOTSTRAP_TOKEN pattern must match the placeholder exactly as it appears in config_example.yml, misspelling included; check the result with grep BOOTSTRAP_TOKEN config.yml before starting, because a silently unmatched sed leaves the placeholder in place and registration fails.
(py3) [root@jumpserver ~]# cd /opt/coco-1.4.9/ && ./cocod start -d && cd ~
(py3) [root@jumpserver ~]# ps -elf | grep -v grep | grep coco
5 S root 4728 1 1 80 0 - 87217 ep_pol 18:42 ? 00:00:00 python3 ./cocod start -d
(py3) [root@jumpserver ~]# netstat -anput | grep 5000
tcp 0 0 0.0.0.0:5000 0.0.0.0:* LISTEN 6287/python3
(py3) [root@jumpserver ~]# netstat -anput | grep 2222
tcp 0 0 0.0.0.0:2222 0.0.0.0:* LISTEN 6287/python3
2. Deploy Coco as a container
# Add the Docker repository
(py3) [root@jumpserver ~]# wget -O /etc/yum.repos.d/docker-ce.repo http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
A repository definition is exactly the file you do not want altered in transit, since it decides where packages come from and which key signs them; fetch it over https rather than plain http.
# Configure registry mirrors
(py3) [root@jumpserver ~]# mkdir /etc/docker
(py3) [root@jumpserver ~]# cat > /etc/docker/daemon.json << EOF
{
  "registry-mirrors": [
    "https://dockerhub.azk8s.cn",
    "https://reg-mirror.qiniu.com",
    "https://registry.docker-cn.com"
  ]
}
EOF
# Install Docker
(py3) [root@jumpserver ~]# yum -y install yum-utils device-mapper-persistent-data lvm2 lvm2-devel docker-ce
# Start Docker and enable it at boot
(py3) [root@jumpserver ~]# systemctl start docker
(py3) [root@jumpserver ~]# systemctl enable docker
# Pull the image and start the container
(py3) [root@jumpserver ~]# docker run --name jms_coco -d -p 2222:2222 -p 5000:5000 -e CORE_HOST=http://10.2.3.11:8080 -e BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN --restart=always jumpserver/jms_coco:1.4.9
A token passed with -e is stored in the container's metadata and shown by docker inspect jms_coco to anyone who can talk to the Docker socket; that is root-equivalent access anyway, but it is one more copy of the secret to remember when rotating it.
# Check the downloaded image
(py3) [root@jumpserver ~]# docker images
REPOSITORY            TAG     IMAGE ID       CREATED         SIZE
jumpserver/jms_coco   1.4.9   f8193f7a7114   10 months ago   475MB
# Check the container status
(py3) [root@jumpserver ~]# docker ps -a
CONTAINER ID   IMAGE                       COMMAND          CREATED          STATUS          PORTS                                            NAMES
fe2e51d1d83f   jumpserver/jms_coco:1.4.9   "entrypoint.sh"  34 seconds ago   Up 33 seconds   0.0.0.0:2222->2222/tcp, 0.0.0.0:5000->5000/tcp   jms_coco
# Enter the Coco container
(py3) [root@jumpserver ~]# docker exec -it jms_coco /bin/bash
# Read the notes inside the container
[root@fe2e51d1d83f opt]# cat readme.txt
Coco Version 1.4.9
Project default directory /opt/coco/
Log location /opt/coco/data/logs/
Make sure BOOTSTRAP_TOKEN matches the one in jumpserver/config.yml
Website http://www.jumpserver.org
Docs http://docs.jumpserver.org
For problems see http://docs.jumpserver.org/zh/docs/faq.html
Enter the container with docker exec -it jms_coco /bin/bash
# Inside the container, confirm port 5000 is listening
[root@fe2e51d1d83f opt]# netstat -anput | grep 5000
tcp 0 0 0.0.0.0:5000 0.0.0.0:* LISTEN 19/python3
# Inside the container, confirm port 2222 is listening
[root@fe2e51d1d83f opt]# netstat -anput | grep 2222
tcp 0 0 0.0.0.0:2222 0.0.0.0:* LISTEN 19/python3
# For several nodes, change only the name and the mapped host ports, then balance them in Nginx, for example:
(py3) [root@jumpserver ~]# docker run --name jms_coco1 -d -p 2223:2222 -p 5001:5000 -e CORE_HOST=http://10.2.3.11:8080 -e BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN --restart=always jumpserver/jms_coco:1.4.9
3. Deploy Luna; it only needs to be unpacked
(py3) [root@jumpserver ~]# tar xf luna-1.4.9.tar.gz -C /opt/
(py3) [root@jumpserver ~]# chown -R root:root /opt/luna/
4. Deploy Guacamole as a container
Note: the Guacamole component exists only to provide RDP (managing Windows assets from the web interface); if there are no Windows servers among the managed assets, this step can be skipped.
# Pull the image and start the container
(py3) [root@jumpserver ~]# docker run --name jms_guacamole -d -p 8081:8081 -e JUMPSERVER_SERVER=http://10.2.3.11:8080 -e JUMPSERVER_KEY_DIR=/config/guacamole/key -e BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN --restart=always jumpserver/jms_guacamole:1.4.9
# Check the container status
(py3) [root@jumpserver ~]# docker ps -a
CONTAINER ID   IMAGE                            COMMAND          CREATED              STATUS              PORTS                                            NAMES
7750c0ad4508   jumpserver/jms_guacamole:1.4.9   "entrypoint.sh"  About a minute ago   Up About a minute   4822/tcp, 0.0.0.0:8081->8081/tcp                 jms_guacamole
ae0b8c3900e7   jumpserver/jms_coco:1.4.9        "entrypoint.sh"  4 minutes ago        Up 4 minutes        0.0.0.0:2222->2222/tcp, 0.0.0.0:5000->5000/tcp   jms_coco
# Enter the Guacamole container
(py3) [root@jumpserver ~]# docker exec -it jms_guacamole /bin/bash
# Read the notes
[root@7750c0ad4508 config]# cat readme.txt
Guacamole Version 1.4.9
Project default directory /config
Log location /config/tomcat8/logs/catalina.out
Make sure BOOTSTRAP_TOKEN matches the one in jumpserver/config.yml
Website http://www.jumpserver.org
Docs http://docs.jumpserver.org
For problems see http://docs.jumpserver.org/zh/docs/faq.html
Enter the container with docker exec -it jms_guacamole /bin/bash
# Check the log; the last line below shows that Guacamole registered successfully
[root@7750c0ad4508 config]# tail -f /config/guacamole/data/log/info.log
2020-02-18 22:02:47,053 [localhost-startStop-1] INFO o.a.g.environment.LocalEnvironment 106 - GUACAMOLE_HOME is "/config/guacamole".
2020-02-18 22:02:48,675 [localhost-startStop-1] INFO o.a.g.a.j.r.JumpserverRegisterService 147 - fetching terminal config: {code:403,result:{"detail":"Access key id invalid"}}
2020-02-18 22:02:48,678 [Thread-6] INFO o.a.g.a.j.r.JumpserverRegisterService 165 - heartbeat started, interval: 10000 ms
2020-02-18 22:02:48,682 [Thread-6] INFO o.a.g.a.j.r.JumpserverRegisterService 192 - waiting for heartbeat, AccessKey not yet validated
2020-02-18 22:02:48,688 [Thread-7] INFO o.a.g.a.j.s.JumpserverSessionService 44 - started processing the session queue
2020-02-18 22:02:48,688 [localhost-startStop-1] INFO o.a.g.extension.ExtensionModule 402 - Extension "JumpServer Authentication" loaded.
2020-02-18 22:02:48,691 [localhost-startStop-1] INFO o.a.g.environment.LocalEnvironment 106 - GUACAMOLE_HOME is "/config/guacamole".
2020-02-18 22:02:48,843 [localhost-startStop-1] INFO o.a.g.t.w.WebSocketTunnelModule 69 - Loading JSR-356 WebSocket support...
2020-02-18 22:02:48,866 [Thread-5] INFO o.a.g.a.j.r.JumpserverRegisterService 124 - terminal registered, Access Key obtained
The 403 on the second line is expected on a fresh node: it has no access key yet, so the first config fetch is rejected until registration with BOOTSTRAP_TOKEN completes and an access key is issued. A 403 that keeps repeating on every heartbeat means the token does not match the one in config.yml.
# Confirm port 8081 is listening
[root@7750c0ad4508 config]# netstat -anput | grep 8081
tcp 0 0 0.0.0.0:8081 0.0.0.0:* LISTEN 35/java
# For several nodes, change only the name and the mapped host port, then balance them in Nginx, for example:
(py3) [root@jumpserver ~]# docker run --name jms_guacamole1 -d -p 8082:8081 -e JUMPSERVER_SERVER=http://10.2.3.11:8080 -e JUMPSERVER_KEY_DIR=/config/guacamole/key -e BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN --restart=always jumpserver/jms_guacamole:1.4.9
8)部署Nginx
1、下载Nginx软件包、并安装
(py3) [root@jumpserver ~]# useradd -M -s /sbin/nologin nginx (py3) [root@jumpserver ~]# wget -c http://nginx.org/download/nginx-1.16.1.tar.gz (py3) [root@jumpserver ~]# tar xf nginx-1.16.1.tar.gz -C /usr/src/ (py3) [root@jumpserver ~]# cd /usr/src/nginx-1.16.1/ (py3) [root@jumpserver nginx-1.16.1]# ./configure --prefix=/etc/nginx --user=nginx --group=nginx --with-http_ssl_module --with-http_stub_status_module (py3) [root@jumpserver nginx-1.16.1]# make -j 8 && make install -j 8 && cd ~
2、添加Nginx到环境变量、将将其添加到系统服务、后期使用systemctl工具对其进行管理
(py3) [root@jumpserver ~]# echo 'export PATH=/etc/nginx/sbin:$PATH' >> /etc/profile (py3) [root@jumpserver ~]# source /etc/profile && nginx (py3) [root@jumpserver ~]# cat > /usr/lib/systemd/system/nginx.service << EOF [Unit] Description=nginx After=network.target [Service] Type=forking PIDFile=/etc/nginx/logs/nginx.pid ExecStart=/etc/nginx/sbin/nginx ExecReload=killall -s HUP $(cat /etc/nginx/logs/nginx.pid) ExecStop=killall -s QUIT $(cat /etc/nginx/logs/nginx.pid) PrivateTmp=Flase [Install] WantedBy=multi-user.target EOF (py3) [root@jumpserver ~]# systemctl daemon-reload && pkill -9 nginx (py3) [root@jumpserver ~]# systemctl restart nginx && systemctl enable nginx (py3) [root@jumpserver ~]# cp /etc/nginx/conf/nginx.conf /etc/nginx/conf/nginx.conf.bak
3、定义Nginx配置文件、配置Nginx做URL分发、最后重启Nginx服务即可
提示:我已经对软件进行了重命名、所以在Nginx的配置文件当中我也更改了路径
user nginx;
worker_processes auto;
worker_cpu_affinity auto;
worker_rlimit_nofile 65535;
pid /etc/nginx/logs/nginx.pid;    # adjust the path as needed
error_log /etc/nginx/logserror.log info;    # adjust the path as needed
events {
    use epoll;
    worker_connections 65535;
}
http {
    include mime.types;
    default_type application/octet-stream;
    log_format mds '$remote_addr - $remote_user [$time_local] "$request"'
                   '$status $body_bytes_sent "$http_referer" '
                   '"$http_user_agent" "$http_x_forwarded_for"';
    access_log logs/access.log mds;
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    send_timeout 10;
    keepalive_timeout 60;
    server_tokens off;
    client_max_body_size 512m;
    fastcgi_buffers 64 4K;
    client_header_buffer_size 15k;
    large_client_header_buffers 4 128k;
    open_file_cache_valid 30s;
    open_file_cache_min_uses 2;
    open_file_cache max=65535 inactive=20s;
    gzip on;
    gzip_min_length 3k;
    gzip_buffers 4 16k;
    gzip_http_version 1.1;
    gzip_comp_level 1;
    gzip_vary on;
    gzip_types text/plain application/x-javascript text/css application/xml;
    upstream cocows {
        server 10.2.3.11:5000 weight=1;
        server 10.2.3.11:5001 weight=1;
        ip_hash;
    }
    upstream guacamole {
        server 10.2.3.11:8081 weight=1;
        server 10.2.3.11:8082 weight=1;
        ip_hash;
    }
    server {
        listen 80;    # adjust the port as needed
        charset utf-8;
        client_max_body_size 8192m;    # size limit for session recordings and file uploads
        location /luna/ {
            try_files $uri / /index.html;
            alias /opt/luna/;    # Luna path; change this if the install directory differs
        }
        location /media/ {
            add_header Content-Encoding gzip;
            root /opt/jumpserver-1.4.9/data/;    # recording location; change this if the install directory differs
        }
        location /static/ {
            root /opt/jumpserver-1.4.9/data/;    # static assets; change this if the install directory differs
        }
        location /socket.io/ {
            proxy_pass http://cocows/socket.io/;
            proxy_buffering off;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            access_log off;
        }
        location /coco/ {
            proxy_pass http://cocows/coco/;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            access_log off;
        }
        location /guacamole/ {
            proxy_pass http://guacamole/;
            proxy_buffering off;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $http_connection;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            access_log off;
        }
        location / {
            proxy_pass http://localhost:8080;    # if JumpServer is deployed on another node, use its IP here
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }
}
(py3) [root@jumpserver ~]# nginx -t
nginx: the configuration file /etc/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/conf/nginx.conf test is successful
(py3) [root@jumpserver ~]# systemctl restart nginx
(py3) [root@jumpserver ~]# netstat -anput | grep nginx
tcp        0      0 0.0.0.0:80      0.0.0.0:*       LISTEN      9435/nginx: master
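The reverse proxy above only works if every backend it forwards to is actually listening: the two Coco WebSocket workers on 5000/5001, the two Guacamole workers on 8081/8082 and the JumpServer core on 8080. A blank Web Terminal or a 502 after `systemctl restart nginx` is usually one of those being down rather than Nginx itself. The following is an added example, not code from the original post or from the JumpServer project: it pulls the upstream members and direct proxy_pass targets out of an nginx.conf and probes each with a short TCP connect. The SAMPLE_CONF text is a constructed excerpt of the configuration above (same upstreams and targets, other directives omitted), and the function names (parse_backends, probe, check_backends) are my own.

```python
import re
import socket

# Constructed excerpt of the nginx.conf shown above: the same two upstream
# groups and the same four proxy_pass targets, without the unrelated directives.
SAMPLE_CONF = """
http {
    upstream cocows {
        server 10.2.3.11:5000 weight=1;
        server 10.2.3.11:5001 weight=1;
        ip_hash;
    }
    upstream guacamole {
        server 10.2.3.11:8081 weight=1;
        server 10.2.3.11:8082 weight=1;
        ip_hash;
    }
    server {
        listen 80;
        location /socket.io/ { proxy_pass http://cocows/socket.io/; }
        location /coco/      { proxy_pass http://cocows/coco/; }
        location /guacamole/ { proxy_pass http://guacamole/; }
        location / { proxy_pass http://localhost:8080; }  # core API, may be another node
    }
}
"""

UPSTREAM_RE = re.compile(r"\bupstream\s+(\S+)\s*\{(.*?)\}", re.S)   # name + block body
SERVER_RE = re.compile(r"\bserver\s+([^\s;]+)")                      # members inside a block
PROXY_RE = re.compile(r"\bproxy_pass\s+https?://([^/;\s]+)")         # upstream name or host:port


def strip_comments(conf_text):
    """Drop '# ...' comments so commented-out directives are not parsed."""
    return re.sub(r"#[^\n]*", "", conf_text)


def parse_backends(conf_text):
    """Map every (host, port) nginx forwards to -> the upstream it belongs to,
    or 'direct' when proxy_pass names a host:port itself."""
    text = strip_comments(conf_text)
    upstreams = {name: SERVER_RE.findall(body) for name, body in UPSTREAM_RE.findall(text)}
    backends = {}
    for target in PROXY_RE.findall(text):
        via = target if target in upstreams else "direct"
        for endpoint in upstreams.get(target, [target]):
            host, _, port = endpoint.rpartition(":")
            if not host:  # no explicit port: nginx defaults to 80
                host, port = endpoint, "80"
            backends.setdefault((host, int(port)), via)
    return dict(sorted(backends.items()))


def probe(host, port, timeout=2.0):
    """True if a TCP connection to host:port succeeds within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_backends(conf_text, probe_fn=probe):
    """Return {'host:port': (via, reachable)} for every backend in the config."""
    return {
        f"{host}:{port}": (via, probe_fn(host, port))
        for (host, port), via in parse_backends(conf_text).items()
    }


if __name__ == "__main__":
    import sys
    # Usage: python check_backends.py /etc/nginx/conf/nginx.conf
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    for endpoint, (via, up) in check_backends(text).items():
        print(f"{'UP  ' if up else 'DOWN'} {endpoint:<20} via {via}")
```

Run it on the real nginx.conf before restarting Nginx and again whenever Luna or the RDP gateway stops responding; a DOWN line points straight at the Coco, Guacamole or core process to look at. The probe only checks that something accepts TCP on the port, not that it is the right service. Note also that the server block above listens on plain HTTP on port 80, so administrators' credentials and terminal traffic to the bastion are unencrypted until TLS is terminated in that block.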
Note: at this point the JumpServer deployment is complete and you can open it in a browser; the username and password are both admin
III. JumpServer Bastion Host Management
1) Initial configuration
Once the configuration above is done, open http://10.2.3.11 in a browser and the following page appears
User: admin
Password: admin
After logging in, first go to Terminal management and check the registration status; as shown below, all four nodes registered successfully
1. System settings
Note: if you set up hosts mappings between the server and the clients, enter the domain name; otherwise enter the IP address of the JumpServer server
2. Email settings
Caution: the default port is 25; ticking 465 is recommended. The mailbox password here is the authorization token, not the password used to log in to the mailbox; be careful about this
2) User management
1. User concepts
Before creating users, let's go over a few concepts. JumpServer distinguishes three kinds of users:
Login user: the user who logs in to JumpServer, e.g. the admin above that just logged in from the Web page
Admin user: the root account on the asset, or a user with NOPASSWD:ALL sudo rights; JumpServer uses this account to push system users
System user: the account JumpServer uses when jumping to an asset, i.e. the user that logs in to the asset; it is created by the admin user above
2. Create a login user
Caution: enter the email address correctly, because after the user is created its password is sent to the mailbox you specified
Caution: some people receive no mail after creating a user, or receive the test mail but not the mail sent after user creation. Having hit this pitfall many times, pay special attention to the following:
1. Whether a hosts mapping to the third-party mail server was set up on the JumpServer server; after repeated testing, mail can be sent without it, but delivery sometimes stalls
2. On a cloud server, tick 465 rather than using port 25
3. In the email settings step above, whether the mailbox was entered correctly, and whether POP3/SMTP/IMAP has been enabled on that mailbox
With that understood, reset the new user's password through the link
After changing the password, log in as the mds user, then generate a key pair on the JumpServer server
(py3) [root@jumpserver ~]# ssh-keygen > /dev/null
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
(py3) [root@jumpserver ~]#
(py3) [root@jumpserver ~]# cat /root/.ssh/id_rsa.pub    # copy the public key below
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDFBkReUMMmntPw8KZE9Y+docn0tpCvMeRFZcoV5OWxHIWx6sHVLdu+FFEWRccaCkzKvs/yb/N6YwiM1BtLKv0Xrh09tx6JSKy0nMmCbUaUQVI9HmRR+FmEgyW690yhTNolehwUQ8LWElFJkODcklJWTOjxcp6+FW9tS0wRvAOhAYVyQWrgMg7QTjZOZomzvauPjx3NWdIlAmxwgmMCLsIap1UJ59lKqunkzDWdrvHhN4wCjCPiNiLXc9UDkzrswyXgvsHd8GvgCt0l2eDbVzd6hDTrZY8QJ4MvP8Hl41LhQrG51a/7yGa1tF/syBuHpn9sLEO10Ce9OcKpHHJSrip3 root@jumpserver
Once copied, log in as the newly created user; on the page shown below, paste the public key copied above
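The public key pasted into the user's profile is what later authorizes that user's SSH logins through the bastion, so it is worth validating the line before saving it: split it into type, base64 blob and comment, decode the blob, confirm the key type embedded in the blob matches the leading word, and compute the SHA256 fingerprint that `ssh-keygen -lf` would print so it can be compared against the host where the key was generated. The following is an added example, not part of the original post or of JumpServer; it uses only the Python standard library, takes the key printed by `cat /root/.ssh/id_rsa.pub` above as sample input, and constructs a dummy ssh-ed25519 line (all-zero key material, not a usable key) to exercise the second branch. The names parse_public_key, fingerprint_sha256, key_is_acceptable and MIN_RSA_BITS are my own.

```python
import base64
import hashlib
import struct

# The public key printed by `cat /root/.ssh/id_rsa.pub` on this page.
PAGE_KEY = (
    "ssh-rsa "
    "AAAAB3NzaC1yc2EAAAADAQABAAABAQDFBkReUMMmntPw8KZE9Y+docn0tpCvMeRFZcoV5OWxHIWx6sHV"
    "Ldu+FFEWRccaCkzKvs/yb/N6YwiM1BtLKv0Xrh09tx6JSKy0nMmCbUaUQVI9HmRR+FmEgyW690yhTNol"
    "ehwUQ8LWElFJkODcklJWTOjxcp6+FW9tS0wRvAOhAYVyQWrgMg7QTjZOZomzvauPjx3NWdIlAmxwgmMC"
    "LsIap1UJ59lKqunkzDWdrvHhN4wCjCPiNiLXc9UDkzrswyXgvsHd8GvgCt0l2eDbVzd6hDTrZY8QJ4Mv"
    "P8Hl41LhQrG51a/7yGa1tF/syBuHpn9sLEO10Ce9OcKpHHJSrip3 root@jumpserver"
)

# Constructed ssh-ed25519 line: correct wire format, but all-zero key material.
# It only exercises the ed25519 branch and is not a usable key.
CONSTRUCTED_ED25519 = (
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAAA" + "A" * 40 + " constructed@example"
)

MIN_RSA_BITS = 2048  # policy assumption: refuse RSA keys shorter than this


def _read_string(blob, offset):
    """Read one SSH wire-format string (uint32 big-endian length + bytes)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    offset += 4
    if offset + length > len(blob):
        raise ValueError("truncated key blob")
    return blob[offset:offset + length], offset + length


def fingerprint_sha256(blob):
    """SHA256 fingerprint in the form ssh-keygen -lf prints (unpadded base64)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def parse_public_key(line):
    """Parse '<type> <base64> [comment]'; raise ValueError on anything malformed."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    try:
        blob = base64.b64decode(b64, validate=True)   # rejects stray characters
    except ValueError as exc:                          # binascii.Error subclasses ValueError
        raise ValueError(f"public key is not valid base64: {exc}") from None
    embedded, offset = _read_string(blob, 0)
    if embedded != key_type.encode("ascii", "replace"):
        raise ValueError(f"key type mismatch: prefix {key_type!r}, blob says {embedded!r}")
    info = {"type": key_type, "comment": comment, "fingerprint": fingerprint_sha256(blob)}
    if key_type == "ssh-rsa":
        e_bytes, offset = _read_string(blob, offset)   # public exponent
        n_bytes, offset = _read_string(blob, offset)   # modulus (may carry a leading 0x00)
        info["e"] = int.from_bytes(e_bytes, "big")
        info["bits"] = int.from_bytes(n_bytes, "big").bit_length()
    elif key_type == "ssh-ed25519":
        pk, offset = _read_string(blob, offset)
        if len(pk) != 32:
            raise ValueError("ed25519 public key must be 32 bytes")
        info["bits"] = 256
    else:
        raise ValueError(f"unsupported key type {key_type!r}")
    if offset != len(blob):
        raise ValueError("trailing bytes after key material")
    return info


def key_is_acceptable(line):
    """True when the line parses and meets the RSA minimum-size policy."""
    info = parse_public_key(line)
    return not (info["type"] == "ssh-rsa" and info["bits"] < MIN_RSA_BITS)


if __name__ == "__main__":
    import sys
    # Usage: python check_key.py < id_rsa.pub   (defaults to the page's key)
    line = sys.stdin.readline() if not sys.stdin.isatty() else PAGE_KEY
    info = parse_public_key(line)
    print(f"{info['type']} {info['bits']} bits {info['fingerprint']} {info['comment']}")
```

Compare the printed fingerprint with `ssh-keygen -lf /root/.ssh/id_rsa.pub` on the host where the key was generated; a mismatch means the pasted line was altered or truncated in transit, and the type check catches the common copy-paste error of a blob belonging to a different key than its prefix claims.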
3. Create a user group
3) Asset management
1. Admin users
2. System users
3. Asset list
Note: right-click Default to create a node, then select the new node and create the asset under it
Note: add node3 in the same way; I will not repeat the steps here. The final result is shown below:
4) Permission management
1. Asset authorization
Note: select the node just created, then create the authorization rule
Note: this authorization means that 胖林 can manage the two servers node2 and node3 while Administrator cannot; if Administrator is added to the Ops group, it can manage them as well
5) Session management
1. Web terminal
Note: go to Session management and choose Web terminal to see the nodes just added; the Luna component must be installed beforehand
2. Online sessions
Note: open two windows and two online sessions appear; if one behaves abnormally, it can be terminated here
3. Session history
6) Linux terminal login
Caution: the user for this login is the same one used to log in from the Web page, e.g. the mds user we just created
1. User login
2. Asset jump
7) Managing Windows assets
1. Create a Windows system user
Note: because Windows does not support automatic push, a system user must be created on the Windows host in advance; that system user can also be the administrator itself
2. Create a Windows admin user
Note: for the Windows admin user, enter the administrator account of the Windows host, e.g. Administrator; mine is MDS because I renamed the user
3. Authorize the user
4. Test managing the Windows asset from the Web
[Just killing time]