一、JumpServer Bastion Host Overview

JumpServer is developed in Python/Django and released under the GNU GPL v2.0 open-source license. It is the world's first fully open-source bastion host, ships with an industry-leading Web Terminal solution, and has a polished interface and a good user experience.

Its features: a distributed, horizontally scalable architecture with support for multi-datacenter, cross-region deployment; Linux hosts are managed over the SSH protocol with no agent installed on the client; it also provides log auditing, real-time monitoring, session recording and replay, identity authentication, hardware information collection and more.


1) JumpServer Components

1、JumpServer

The JumpServer management backend and the core component; written in the Django Class Based View style and exposes a RESTful API.

2、Coco

Implements the SSH Server and Web Terminal Server; provides SSH and WebSocket interfaces; written with Paramiko and Flask.

3、Luna

The current Web Terminal front end; all front-end pages come from this project. JumpServer only provides the API and does not render HTML on the server side.

4、Guacamole

JumpServer uses this component to provide RDP. JumpServer does not modify its code; instead it adds an extra plugin so that JumpServer can call it.


二、JumpServer Bastion Host Deployment

1) Test Environment Overview

1、Hosts and Ports

Host        OS          Address     Ports                                        Role
JumpServer  CentOS-7.5  10.2.3.11   Nginx:80, Redis:6379, MySQL:3635,            bastion host
                                    Guacamole:8081/TCP, JumpServer:8080/TCP,
                                    Coco:2222/TCP and 5000/TCP
Video       CentOS-7.5  10.2.3.12   Apache:80                                    video server
Mail        CentOS-7.5  10.2.3.13   Postfix:465                                  mail server

2、Deployment Notes

Recommended server: at least 4 GB of RAM and a 64-bit dual-core processor.

The database version should be 5.6 or higher; in production MySQL is recommended, either 5.6 or 5.7.

Stop the firewall or allow the relevant traffic, and switch the PIP index to a domestic (China) mirror; otherwise downloading the dependency packages will be very slow.

The JumpServer version deployed here is 1.4.9, which adds scheduled cleanup of login logs, import and export of login logs, and SSL support for the database connection.

3、Download Links

Nginx:        http://nginx.org/download/nginx-1.16.1.tar.gz

MySQL:        https://downloads.mysql.com/archives/get/file/mysql-5.6.45.tar.gz

Redis:        http://download.redis.io/releases/redis-3.2.13.tar.gz

Python:       https://www.python.org/ftp/python/3.6.9/Python-3.6.9.tar.xz

JumpServer:   https://github.com/jumpserver/jumpserver/archive/1.4.9.zip

Coco:         https://github.com/jumpserver/coco/archive/1.4.9.zip

Luna:         https://github.com/jumpserver/luna/releases/download/1.4.9/luna.tar.gz

Guacamole:    https://github.com/jumpserver/docker-guacamole/archive/1.4.9.zip  

2) Prerequisites

1、Switch the PIP index

Note: if the PIP index is not switched to a domestic mirror, installing JumpServer's dependency packages will be very slow.

[root@jumpserver ~]# mkdir .pip && cd .pip/
[root@jumpserver .pip]# cat > pip.conf << EOF
[global]
timeout = 900
index-url = https://mirrors.aliyun.com/pypi/simple/

[install]
use-mirrors = true
trusted-host = mirrors.aliyun.com
mirrors = https://mirrors.aliyun.com/pypi/simple/
EOF
[root@jumpserver .pip]# cd ~

2、Set the system locale

[root@jumpserver ~]# localedef -c -f UTF-8 -i zh_CN zh_CN.UTF-8
[root@jumpserver ~]# export LC_ALL=zh_CN.UTF-8
[root@jumpserver ~]# echo 'LANG="zh_CN.UTF-8"' > /etc/locale.conf

3、Configure hosts mappings

[root@jumpserver ~]# vim /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
183.3.225.42    smtp.qq.com
220.181.12.11   smtp.163.com

4、Install the required packages

[root@jumpserver ~]# yum makecache fast
[root@jumpserver ~]# yum -y install git epel-release lrzsz xz gcc gcc-c++ libselinux-python sqlite sqlite-devel automake zlib-devel pcre-devel openssl openssl-devel
[root@jumpserver ~]# yum makecache fast

3) Deploy MySQL

1、Download the packages

[root@jumpserver ~]# wget -c https://downloads.mysql.com/archives/get/file/mysql-5.7.27.tar.gz
[root@jumpserver ~]# wget -c https://nchc.dl.sourceforge.net/project/boost/boost/1.59.0/boost_1_59_0.tar.gz

2、Install the build dependencies

[root@jumpserver ~]# yum -y install ncurses ncurses-devel cmake libaio libaio-devel pcre pcre-devel \
zlib zlib-devel bison bison-devel libverto libverto-devel libstdc++ libstdc++-devel \
dbus dbus-devel libss libss-devel gcc gcc-c++ autoconf m4 libgcc e2fsprogs perl-Data-Dumper

3、Create the MySQL user and group

[root@jumpserver ~]# groupadd mysql
[root@jumpserver ~]# useradd -M -s /sbin/nologin mysql -g mysql

4、Extract boost and move it into place; it does not need to be built or installed

[root@jumpserver ~]# tar xf boost_1_59_0.tar.gz
[root@jumpserver ~]# mv boost_1_59_0 /usr/local/boost

5、Build MySQL from source

[root@jumpserver ~]# tar xf mysql-5.7.27.tar.gz -C /usr/src/
[root@jumpserver ~]# cd /usr/src/mysql-5.7.27/
[root@jumpserver mysql-5.7.27]# cmake -DCMAKE_INSTALL_PREFIX=/usr/local/mysql \
-DMYSQL_DATADIR=/usr/local/mysql/data \
-DSYSCONFDIR=/etc \
-DDEFAULT_CHARSET=utf8 \
-DDEFAULT_COLLATION=utf8_general_ci \
-DWITH_EXTRA_CHARSETS=all \
-DENABLED_LOCAL_INFILE=ON \
-DWITH_DEBUG=0 \
-DWITH_BOOST=/usr/local/boost \
-DWITH_FEDERATED_STORAGE_ENGINE=1 \
-DMYSQL_UNIX_ADDR=/usr/local/mysql/tmp/mysql.sock
[root@jumpserver mysql-5.7.27]# make -j 8 && make install -j 8 && cd ~

6、After the build, create the required directories and adjust the environment

[root@jumpserver ~]# mkdir /usr/local/mysql/pid
[root@jumpserver ~]# mkdir /usr/local/mysql/logs
[root@jumpserver ~]# mkdir /usr/local/mysql/socket
[root@jumpserver ~]# mkdir /usr/local/mysql/tmp
[root@jumpserver ~]# mkdir /usr/local/mysql/ibtmp
[root@jumpserver ~]# mkdir /usr/local/mysql/binlog
[root@jumpserver ~]# mkdir /usr/local/mysql/relaylog
[root@jumpserver ~]# mkdir /usr/local/mysql/outcsv/
[root@jumpserver ~]# mkdir /usr/local/mysql/ibdata
[root@jumpserver ~]# mkdir /usr/local/mysql/undolog
[root@jumpserver ~]# mkdir /usr/local/mysql/redolog
[root@jumpserver ~]# chown -R mysql:mysql /usr/local/mysql
[root@jumpserver ~]# chmod -R 750 /usr/local/mysql/outcsv
[root@jumpserver ~]# echo 'export PATH=/usr/local/mysql/bin:$PATH' >> /etc/profile
[root@jumpserver ~]# source /etc/profile

7、Define the MySQL configuration file

Note: the character set below must be set to UTF-8, otherwise creating a group in JumpServer will fail; the exact error is shown at the bottom of the post.

[root@jumpserver ~]# cat > /etc/my.cnf << EOF
[client]
port = 3635
socket = /usr/local/mysql/socket/mysql.sock

[mysqld]
user = mysql
port = 3635
federated
skip_ssl
bind_address = 0.0.0.0
max_connections = 3600
max_connect_errors = 200
autocommit = ON
skip-name-resolve
symbolic-links = 0
skip-external-locking
log_timestamps = system
explicit_defaults_for_timestamp = ON
transaction_isolation = read-committed
binlog_gtid_simple_recovery = ON
show_compatibility_56 = ON
transaction_write_set_extraction = OFF
socket = /usr/local/mysql/socket/mysql.sock
pid-file = /usr/local/mysql/pid/mysql.pid
log-error = /usr/local/mysql/logs/mysql_error.log
secure-file-priv = /usr/local/mysql/outcsv
innodb_tmpdir = /usr/local/mysql/ibtmp
basedir = /usr/local/mysql
datadir = /usr/local/mysql/data
tmpdir = /usr/local/mysql/tmp

character-set-server = utf8
init_connect = SET NAMES utf8
collation-server = utf8_general_ci

slow_query_log = ON
long_query_time = 1
min_examined_row_limit = 960
log_slow_admin_statements = ON
log_slow_slave_statements = ON
log_queries_not_using_indexes = OFF
slow_query_log_file = /usr/local/mysql/logs/mysql_slow.log

back_log = 360
tmp_table_size = 64M
max_allowed_packet = 64M
max_heap_table_size = 64M
sort_buffer_size = 1M
join_buffer_size = 1M
read_buffer_size = 2M
read_rnd_buffer_size = 2M
thread_cache_size = 64
thread_stack = 256K
query_cache_size = 32M
query_cache_limit = 2M
query_cache_min_res_unit = 2K
table_open_cache = 4096
open_files_limit = 65535
connect_timeout = 9
interactive_timeout = 21600
wait_timeout = 21600

innodb_data_file_path = ibdata1:12M;ibdata:12M:autoextend
innodb_autoextend_increment = 12
innodb_data_home_dir = /usr/local/mysql/ibdata

innodb_undo_tablespaces = 4
innodb_undo_logs = 128
innodb_max_undo_log_size = 1G
innodb_undo_log_truncate = ON
innodb_purge_rseg_truncate_frequency = 10
innodb_undo_directory = /usr/local/mysql/undolog

innodb_log_file_size = 128M
innodb_log_buffer_size = 16M
innodb_log_files_in_group = 3
innodb_flush_log_at_trx_commit = 2
innodb_flush_log_at_timeout = 1
innodb_flush_method = O_DIRECT
innodb_log_group_home_dir = /usr/local/mysql/redolog

innodb_temp_data_file_path = ibtmp1:12M:autoextend:max:5G
innodb_fast_shutdown = 0

default-storage-engine = InnoDB
innodb_buffer_pool_size = 2G
table_open_cache_instances = 8
innodb_buffer_pool_chunk_size = 256MB
innodb_page_size = 16k
innodb_sort_buffer_size = 1MB
innodb_file_per_table = ON
innodb_large_prefix = ON
innodb_purge_threads = 8
innodb_page_cleaners = 8
innodb_read_io_threads = 8
innodb_write_io_threads = 8
innodb_thread_concurrency = 16
innodb_flush_neighbors = 0
innodb_lru_scan_depth = 1024
innodb_lock_wait_timeout = 60
innodb_print_all_deadlocks = ON
innodb_deadlock_detect = ON
innodb_strict_mode = ON
innodb_buffer_pool_load_at_startup = ON
innodb_buffer_pool_dump_at_shutdown = ON
EOF

8、Initialize MySQL

[root@jumpserver ~]# /usr/local/mysql/bin/mysqld --initialize-insecure --user=mysql --basedir=/usr/local/mysql --datadir=/usr/local/mysql/data
[root@jumpserver ~]# echo $?
0

9、Register MySQL as a system service so it can be managed with systemctl

[root@jumpserver ~]# cp /usr/local/mysql/support-files/mysql.server /usr/local/mysql/bin/mysql.sh
[root@jumpserver ~]# chmod +x /usr/local/mysql/bin/mysql.sh
[root@jumpserver ~]# cat > /usr/lib/systemd/system/mysql.service << EOF
[Unit]
Description=MySQL
After=network.target

[Service]
User=mysql
Group=mysql
Type=forking
PrivateTmp=false
LimitNOFILE=65535
ExecStart=/usr/local/mysql/bin/mysql.sh start
ExecStop=/usr/local/mysql/bin/mysql.sh stop

[Install]
WantedBy=multi-user.target
EOF

10、Start MySQL and set the root password

[root@jumpserver ~]# systemctl start mysql
[root@jumpserver ~]# systemctl enable mysql
[root@jumpserver ~]# netstat -anput | grep mysql
tcp        0      0 0.0.0.0:3635            0.0.0.0:*               LISTEN      34411/mysqld
[root@jumpserver ~]# mysql -e"update mysql.user set authentication_string=password('abc-123') where user='root';flush privileges;"

11、Create the JumpServer database and user

[root@jumpserver ~]# mysql -uroot -pabc-123 -e"create database jumpserver;" 2> /dev/null
[root@jumpserver ~]# mysql -uroot -pabc-123 -e"grant all privileges on jumpserver.* to 'jumpserver'@'10.2.3.%' identified by 'abc-123';" 2> /dev/null
[root@jumpserver ~]# mysql -ujumpserver -pabc-123 -h10.2.3.11 -P3635 -Djumpserver 2> /dev/null
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 8
Server version: 5.7.27-log Source distribution

Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> select database();
+------------+
| database() |
+------------+
| jumpserver |
+------------+
1 row in set (0.00 sec)

4) Deploy Redis

1、Install the build dependencies

[root@jumpserver ~]# yum -y install gcc gcc-c++ pcre pcre-devel zlib zlib-devel tcl tcl-devel

2、Download the package

[root@jumpserver ~]# wget -c http://download.redis.io/releases/redis-3.2.13.tar.gz

3、Install Redis

[root@jumpserver ~]# tar xf redis-3.2.13.tar.gz -C /usr/src/
[root@jumpserver ~]# cd /usr/src/redis-3.2.13/
[root@jumpserver redis-3.2.13]# make -j 8 && make PREFIX=/usr/local/redis install && cd ~

4、Create the storage directories

Note: in order, the directories are: configuration files, PID file, log files, data, and the Unix socket file.

[root@jumpserver ~]# mkdir /usr/local/redis/conf
[root@jumpserver ~]# mkdir /usr/local/redis/pid
[root@jumpserver ~]# mkdir /usr/local/redis/logs
[root@jumpserver ~]# mkdir /usr/local/redis/data
[root@jumpserver ~]# mkdir /usr/local/redis/socket

5、Copy the binaries and the template configuration

[root@jumpserver ~]# cp /usr/local/redis/bin/* /usr/local/bin/
[root@jumpserver ~]# cp /usr/src/redis-3.2.13/redis.conf /usr/local/redis/conf/
[root@jumpserver ~]# cp /usr/local/redis/conf/redis.conf /usr/local/redis/conf/redis.conf.bak

6、Register Redis as a system service

[root@jumpserver ~]# cat > /usr/lib/systemd/system/redis.service << EOF
[Unit]
Description=redis
After=network.target

[Service]
Type=forking
LimitNOFILE=65535
ExecStart=/usr/local/bin/redis-server /usr/local/redis/conf/redis.conf

[Install]
WantedBy=multi-user.target
EOF

7、Define the Redis configuration file

[root@jumpserver ~]# cat > /usr/local/redis/conf/redis.conf << EOF
bind 0.0.0.0
port 6379
timeout 180
daemonize yes
maxclients 6500
protected-mode yes
requirepass abc-123
tcp-backlog 2048
tcp-keepalive 300
databases 16

supervised no
syslog-enabled yes
syslog-ident redis
syslog-facility local0
loglevel notice
logfile "/usr/local/redis/logs/redis.log"
pidfile "/usr/local/redis/pid/redis.pid"
unixsocketperm 755
unixsocket "/usr/local/redis/socket/redis.sock"
slowlog-log-slower-than 5000
slowlog-max-len 128
dir "/usr/local/redis/data"

save 900 1
save 300 10
save 60 10000
rdbcompression yes
rdbchecksum no
dbfilename dump.rdb
stop-writes-on-bgsave-error no

appendonly yes
appendfsync everysec
aof-load-truncated yes
appendfilename appendonly.aof
no-appendfsync-on-rewrite no
auto-aof-rewrite-percentage 100
auto-aof-rewrite-min-size 64mb
aof-rewrite-incremental-fsync yes

repl-diskless-sync no
repl-diskless-sync-delay 5
repl-disable-tcp-nodelay no
repl-backlog-size 1mb
repl-backlog-ttl 3600
slave-priority 100

hz 10
maxmemory-policy noeviction
activerehashing yes
hash-max-ziplist-value 64
hash-max-ziplist-entries 512
list-compress-depth 0
lua-time-limit 5000
notify-keyspace-events ""
list-max-ziplist-size -2
latency-monitor-threshold 0
set-max-intset-entries 512
zset-max-ziplist-entries 128
zset-max-ziplist-value 64
hll-sparse-max-bytes 3000
client-output-buffer-limit normal 0 0 0
client-output-buffer-limit pubsub 32mb 8mb 60
client-output-buffer-limit slave 256mb 64mb 60
EOF
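
Before starting Redis it is worth checking what this configuration exposes. The following is an added example (my own script, not part of the original post, of Redis or of the JumpServer project): it reads a redis.conf and flags the settings that decide who can reach the instance JumpServer keeps its sessions and task queues in: a bind on every interface, protected-mode off, a missing or short requirepass, and a unixsocketperm that lets other local accounts open the socket. The two sample files it creates are constructed; the first repeats the relevant values from the configuration above, the second is a hardened variant with a made-up password.

```shell
#!/bin/sh
# Added example, not from the original post: audit the access-related
# directives of a redis.conf. Sample configs below are constructed.

# Print the value of a directive; the last uncommented occurrence wins,
# which is how redis-server itself resolves repeated directives.
redis_directive() {
    awk -v k="$2" '$1 == k { $1 = ""; sub(/^[ \t]+/, ""); v = $0 } END { print v }' "$1"
}

# Print one WARN line per finding; the return code is the number of findings.
audit_redis_conf() {
    f="$1"; n=0
    bind=$(redis_directive "$f" bind)
    all_ifaces=0
    for a in ${bind:-0.0.0.0}; do          # unset bind means all interfaces
        case "$a" in 0.0.0.0|::) all_ifaces=1 ;; esac
    done
    if [ "$all_ifaces" -eq 1 ]; then
        echo "WARN: bind is '${bind:-unset}'; Redis accepts connections on every interface, bind it to the address JumpServer uses as REDIS_HOST"
        n=$((n + 1))
    fi
    if [ "$(redis_directive "$f" protected-mode)" != "yes" ]; then
        echo "WARN: protected-mode is not 'yes'"
        n=$((n + 1))
    fi
    pass=$(redis_directive "$f" requirepass)
    if [ -z "$pass" ]; then
        echo "WARN: no requirepass; anyone who can reach the port can read and alter JumpServer's session data"
        n=$((n + 1))
    elif [ "${#pass}" -lt 16 ]; then
        echo "WARN: requirepass is only ${#pass} characters; use a long random value and keep REDIS_PASSWORD in config.yml in sync"
        n=$((n + 1))
    fi
    perm=$(redis_directive "$f" unixsocketperm)
    case "$perm" in
        ""|*00) ;;                          # no socket, or owner-only access
        *) echo "WARN: unixsocketperm $perm lets other local accounts open the socket; 700 limits it to the redis user"
           n=$((n + 1)) ;;
    esac
    if [ "$n" -eq 0 ]; then
        echo "OK: no findings in $f"
    fi
    return "$n"
}

# Constructed sample configs in a temporary directory; prints the directory.
make_samples() {
    dir=$(mktemp -d)
    # Excerpt repeating the values used in the post's redis.conf.
    cat > "$dir/as_posted.conf" << 'EOF'
bind 0.0.0.0
port 6379
protected-mode yes
requirepass abc-123
unixsocketperm 755
unixsocket "/usr/local/redis/socket/redis.sock"
EOF
    # Hardened variant: bound to loopback and the host address JumpServer
    # connects to, a long (made-up) password, socket restricted to the owner.
    cat > "$dir/hardened.conf" << 'EOF'
bind 127.0.0.1 10.2.3.11
port 6379
protected-mode yes
requirepass K9vQm2Lp7Xr4Tz8Wb1Ny6Hd3Fs5Jg0C
unixsocketperm 700
unixsocket "/usr/local/redis/socket/redis.sock"
EOF
    echo "$dir"
}

# Demo run: three findings for the posted values, none for the hardened file.
samples=$(make_samples)
audit_redis_conf "$samples/as_posted.conf" || true
audit_redis_conf "$samples/hardened.conf" || true
```

Run it against the live file with `audit_redis_conf /usr/local/redis/conf/redis.conf`. On this host everything reaches Redis over 10.2.3.11 or the Unix socket, so `bind 127.0.0.1 10.2.3.11` instead of `bind 0.0.0.0` loses nothing; whatever requirepass is chosen must later be set as REDIS_PASSWORD in JumpServer's config.yml.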

8、Start Redis and enable it at boot

[root@jumpserver ~]# systemctl start redis
[root@jumpserver ~]# systemctl enable redis
Created symlink from /etc/systemd/system/multi-user.target.wants/redis.service to /usr/lib/systemd/system/redis.service.
[root@jumpserver ~]#
[root@jumpserver ~]# netstat -anput | grep redis
tcp        0      0 0.0.0.0:6379            0.0.0.0:*               LISTEN      4244/redis-server 0

9、Resolve the Redis startup warnings

[root@jumpserver ~]# echo never > /sys/kernel/mm/transparent_hugepage/enabled
[root@jumpserver ~]# echo "echo never > /sys/kernel/mm/transparent_hugepage/enabled" >> /etc/rc.local
[root@jumpserver ~]# echo net.core.somaxconn = 4096 >> /etc/sysctl.conf
[root@jumpserver ~]# echo vm.overcommit_memory = 1 >> /etc/sysctl.conf
[root@jumpserver ~]# echo vm.swappiness = 0 >> /etc/sysctl.conf
[root@jumpserver ~]# sysctl -p
[root@jumpserver ~]# systemctl restart redis

10、Finally check the service status and confirm there are no warnings in the log

[root@jumpserver ~]# systemctl status redis
● redis.service - redis
   Loaded: loaded (/usr/lib/systemd/system/redis.service; enabled; vendor preset: disabled)
   Active: active (running) since 一 2020-02-17 15:17:03 CST; 3s ago
  Process: 5795 ExecStart=/usr/local/bin/redis-server /usr/local/redis/conf/redis.conf (code=exited, status=0/SUCCESS)
 Main PID: 5796 (redis-server)
   CGroup: /system.slice/redis.service
           └─5796 /usr/local/bin/redis-server 0.0.0.0:6379

2月 17 15:17:03 jumpserver systemd[1]: Starting redis...
2月 17 15:17:03 jumpserver systemd[1]: Started redis.
2月 17 15:17:03 jumpserver redis[5796]: Redis 3.2.13 (00000000/0) 64 bit, standalone mode, port 6379, pid 5796 ready to start.
2月 17 15:17:03 jumpserver redis[5796]: Server started, Redis version 3.2.13
2月 17 15:17:03 jumpserver redis[5796]: The server is now ready to accept connections on port 6379
2月 17 15:17:03 jumpserver redis[5796]: The server is now ready to accept connections at /usr/local/redis/socket/redis.sock
[root@jumpserver ~]#
[root@jumpserver ~]# tail -f /usr/local/redis/logs/redis.log
5766:M 17 Feb 15:17:03.315 * Calling fsync() on the AOF file.
5766:M 17 Feb 15:17:03.315 * Saving the final RDB snapshot before exiting.
5766:M 17 Feb 15:17:03.316 * DB saved on disk
5766:M 17 Feb 15:17:03.316 * Removing the pid file.
5766:M 17 Feb 15:17:03.316 * Removing the unix socket file.
5766:M 17 Feb 15:17:03.316 # Redis is now ready to exit, bye bye...
5796:M 17 Feb 15:17:03.324 * Redis 3.2.13 (00000000/0) 64 bit, standalone mode, port 6379, pid 5796 ready to start.
5796:M 17 Feb 15:17:03.324 # Server started, Redis version 3.2.13
5796:M 17 Feb 15:17:03.324 * The server is now ready to accept connections on port 6379
5796:M 17 Feb 15:17:03.324 * The server is now ready to accept connections at /usr/local/redis/socket/redis.sock

5) Deploy Python

1、Download the Python package

[root@jumpserver ~]# wget -c https://www.python.org/ftp/python/3.6.9/Python-3.6.9.tar.xz

2、Install Python

[root@jumpserver ~]# tar xf Python-3.6.9.tar.xz -C /usr/src/
[root@jumpserver ~]# cd /usr/src/Python-3.6.9/
[root@jumpserver Python-3.6.9]# ./configure && make -j 8 && make install -j 8 && cd

3、Configure Python

Note: the commands below create a virtual environment; once it is set up, all following steps are performed inside it.

[root@jumpserver ~]# python3.6 -m venv /opt/py3
[root@jumpserver ~]# source /opt/py3/bin/activate
(py3) [root@jumpserver ~]# echo "source /opt/py3/bin/activate" >> /root/.bashrc

6) Deploy JumpServer

1、Install JumpServer

Note: the downloaded JumpServer archive can be renamed as you like; that is a matter of personal habit, but once renamed, the paths in the Nginx configuration file must be changed to match.

(py3) [root@jumpserver ~]# tar xf jumpserver-1.4.9.tar.gz -C /opt/
(py3) [root@jumpserver ~]# yum -y install $(cat /opt/jumpserver-1.4.9/requirements/rpm_requirements.txt)
(py3) [root@jumpserver ~]# pip3 install --upgrade pip setuptools
(py3) [root@jumpserver ~]# pip3 install wheel
(py3) [root@jumpserver ~]# pip3 install pymysql
(py3) [root@jumpserver ~]# pip3 install mysqlclient
(py3) [root@jumpserver ~]# pip3 install pyasn1==0.4.6
(py3) [root@jumpserver ~]# pip3 install future==0.16.0
(py3) [root@jumpserver ~]# pip3 install django==2.2
(py3) [root@jumpserver ~]# pip3 install -r /opt/jumpserver-1.4.9/requirements/requirements.txt

2、Generate random secrets; these are used later for authentication

(py3) [root@jumpserver ~]# SECRET_KEY=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 50`
(py3) [root@jumpserver ~]# BOOTSTRAP_TOKEN=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 16`
(py3) [root@jumpserver ~]# echo "SECRET_KEY=$SECRET_KEY" >> /root/.bashrc
(py3) [root@jumpserver ~]# echo "BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN" >> /root/.bashrc

3、Configure JumpServer

Note: for SECRET_KEY and BOOTSTRAP_TOKEN, just reference the variables defined above. Since I deploy Guacamole later, I simply substitute them with sed here.

(py3) [root@jumpserver ~]# cp /opt/jumpserver-1.4.9/config_example.yml /opt/jumpserver-1.4.9/config.yml

(py3) [root@jumpserver ~]# sed -i "s/SECRET_KEY:/SECRET_KEY: $SECRET_KEY/g" /opt/jumpserver-1.4.9/config.yml
(py3) [root@jumpserver ~]# sed -i "s/BOOTSTRAP_TOKEN:/BOOTSTRAP_TOKEN: $BOOTSTRAP_TOKEN/g" /opt/jumpserver-1.4.9/config.yml
(py3) [root@jumpserver ~]# sed -i "s/# DEBUG: true/DEBUG: false/g" /opt/jumpserver-1.4.9/config.yml
(py3) [root@jumpserver ~]# sed -i "s/# LOG_LEVEL: DEBUG/LOG_LEVEL: ERROR/g" /opt/jumpserver-1.4.9/config.yml
(py3) [root@jumpserver ~]# sed -i "s/# SESSION_EXPIRE_AT_BROWSER_CLOSE: false/SESSION_EXPIRE_AT_BROWSER_CLOSE: true/g" /opt/jumpserver-1.4.9/config.yml

(py3) [root@jumpserver ~]# vim /opt/jumpserver-1.4.9/config.yml
# MySQL settings
DB_ENGINE: mysql
DB_HOST: 10.2.3.11
DB_PORT: 3635
DB_USER: jumpserver
DB_PASSWORD: abc-123
DB_NAME: jumpserver

# Redis settings
REDIS_HOST: 10.2.3.11
REDIS_PORT: 6379
REDIS_PASSWORD: abc-123

4、Generate the JumpServer database schema and start JumpServer

(py3) [root@jumpserver ~]# sed -i '8i import pymysql' /opt/jumpserver-1.4.9/apps/orgs/models.py
(py3) [root@jumpserver ~]# sed -i '9i pymysql.install_as_MySQLdb()' /opt/jumpserver-1.4.9/apps/orgs/models.py

(py3) [root@jumpserver ~]# cd /opt/jumpserver-1.4.9/utils/ && bash make_migrations.sh && cd ~
No changes detected
Operations to perform:
  Apply all migrations: admin, assets, audits, auth, authentication, captcha, common, contenttypes, django_celery_beat, ops, orgs, perms, sessions, settings, terminal, users
Running migrations:
  Applying contenttypes.0001_initial... OK
  Applying contenttypes.0002_remove_content_type_name... OK
  Applying auth.0001_initial... OK
  Applying auth.0002_alter_permission_name_max_length... OK
  Applying auth.0003_alter_user_email_max_length... OK
  Applying auth.0004_alter_user_username_opts... OK
  Applying auth.0005_alter_user_last_login_null... OK
  Applying auth.0006_require_contenttypes_0002... OK
  Applying auth.0007_alter_validators_add_error_messages... OK
  Applying auth.0008_alter_user_username_max_length... OK
  Applying users.0001_initial... OK
  Applying admin.0001_initial... OK
  Applying admin.0002_logentry_remove_auto_add... OK
  Applying admin.0003_logentry_add_action_flag_choices... OK
  Applying assets.0001_initial... OK
  Applying assets.0002_auto_20180105_1807_squashed_0009_auto_20180307_1212... OK
  Applying assets.0010_auto_20180307_1749_squashed_0019_auto_20180816_1320... OK
  Applying assets.0020_auto_20180816_1652... OK
  Applying assets.0021_auto_20180903_1132... OK
  Applying assets.0022_auto_20181012_1717... OK
  Applying assets.0023_auto_20181016_1650... OK
  Applying assets.0024_auto_20181219_1614... OK
  Applying assets.0025_auto_20190221_1902... OK
  Applying assets.0026_auto_20190325_2035... OK
  Applying users.0002_auto_20171225_1157... OK
  Applying users.0003_auto_20180101_0046... OK
  Applying users.0004_auto_20180125_1218... OK
  Applying users.0005_auto_20180306_1804... OK
  Applying users.0006_auto_20180411_1135... OK
  Applying users.0007_auto_20180419_1036... OK
  Applying users.0008_auto_20180425_1516... OK
  Applying users.0009_auto_20180517_1537... OK
  Applying users.0010_auto_20180606_1505... OK
  Applying users.0011_user_source... OK
  Applying users.0012_auto_20180710_1641... OK
  Applying users.0013_auto_20180807_1116... OK
  Applying users.0014_auto_20180816_1652... OK
  Applying users.0015_auto_20181105_1112... OK
  Applying users.0016_auto_20181109_1505... OK
  Applying users.0017_auto_20181123_1113... OK
  Applying users.0018_auto_20190107_1912... OK
  Applying users.0019_auto_20190304_1459... OK
  Applying audits.0001_initial... OK
  Applying audits.0002_ftplog_org_id... OK
  Applying audits.0003_auto_20180816_1652... OK
  Applying audits.0004_operatelog_passwordchangelog_userloginlog... OK
  Applying audits.0005_auto_20190228_1715... OK
  Applying auth.0009_alter_user_last_name_max_length... OK
  Applying authentication.0001_initial... OK
  Applying captcha.0001_initial... OK
  Applying common.0001_initial... OK
  Applying common.0002_auto_20180111_1407... OK
  Applying common.0003_setting_category... OK
  Applying common.0004_setting_encrypted... OK
  Applying common.0005_auto_20190221_1902... OK
  Applying common.0006_auto_20190304_1515... OK
  Applying django_celery_beat.0001_initial... OK
  Applying django_celery_beat.0002_auto_20161118_0346... OK
  Applying django_celery_beat.0003_auto_20161209_0049... OK
  Applying django_celery_beat.0004_auto_20170221_0000... OK
  Applying django_celery_beat.0005_add_solarschedule_events_choices_squashed_0009_merge_20181012_1416... OK
  Applying django_celery_beat.0006_periodictask_priority... OK
  Applying ops.0001_initial... OK
  Applying ops.0002_celerytask... OK
  Applying ops.0003_auto_20181207_1744... OK
  Applying ops.0004_adhoc_run_as... OK
  Applying ops.0005_auto_20181219_1807... OK
  Applying ops.0006_auto_20190318_1023... OK
  Applying orgs.0001_initial... OK
  Applying orgs.0002_auto_20180903_1132... OK
  Applying perms.0001_initial... OK
  Applying perms.0002_auto_20171228_0025_squashed_0009_auto_20180903_1132... OK
  Applying sessions.0001_initial... OK
  Applying settings.0001_initial... OK
  Applying terminal.0001_initial... OK
  Applying terminal.0002_auto_20171228_0025_squashed_0009_auto_20180326_0957... OK
  Applying terminal.0010_auto_20180423_1140... OK
  Applying terminal.0011_auto_20180807_1116... OK
  Applying terminal.0012_auto_20180816_1652... OK
  Applying terminal.0013_auto_20181123_1113... OK
  Applying terminal.0014_auto_20181226_1441... OK
No conflicts detected to merge.

(py3) [root@jumpserver ~]# cd /opt/jumpserver-1.4.9/ && ./jms start all -d && cd ~
Tue Feb 18 18:31:26 2020
Jumpserver version 1.4.9, more see https://www.jumpserver.org

- Start Gunicorn WSGI HTTP Server
Check database connection ...
users
 [X] 0001_initial
 [X] 0002_auto_20171225_1157
 [X] 0003_auto_20180101_0046
 [X] 0004_auto_20180125_1218
 [X] 0005_auto_20180306_1804
 [X] 0006_auto_20180411_1135
 [X] 0007_auto_20180419_1036
 [X] 0008_auto_20180425_1516
 [X] 0009_auto_20180517_1537
 [X] 0010_auto_20180606_1505
 [X] 0011_user_source
 [X] 0012_auto_20180710_1641
 [X] 0013_auto_20180807_1116
 [X] 0014_auto_20180816_1652
 [X] 0015_auto_20181105_1112
 [X] 0016_auto_20181109_1505
 [X] 0017_auto_20181123_1113
 [X] 0018_auto_20190107_1912
 [X] 0019_auto_20190304_1459
Database connect success
Check database structure change ...
Migrate model change to database ...
Operations to perform:
  Apply all migrations: admin, assets, audits, auth, authentication, captcha, common, contenttypes, django_celery_beat, ops, orgs, perms, sessions, settings, terminal, users
Running migrations:
  No migrations to apply.
Collect static files

552 static files copied to '/opt/jumpserver-1.4.9/data/static'.

- Start Celery as Distributed Task Queue

- Start Beat as Periodic Task Scheduler

gunicorn is running: 4480
celery is running: 4502
beat is running: 4504

(py3) [root@jumpserver ~]# ps -elf | grep -v grep | grep jumpserver | wc -l
12

(py3) [root@jumpserver ~]# netstat -anput | grep 8080
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      4480/python3.6       

7) Deploy Coco, Luna and Guacamole

Note 1: two ways of deploying Coco are shown below, a direct install and a container deployment; use whichever you prefer.

Note 2: whichever method is used, the BOOTSTRAP_TOKEN in Coco must be identical to the one in the JumpServer configuration file; simply reference the variable and substitute it.

1、Deploy Coco directly

(py3) [root@jumpserver ~]# tar xf coco-1.4.9.tar.gz -C /opt/
(py3) [root@jumpserver ~]# yum -y install $(cat /opt/coco-1.4.9/requirements/rpm_requirements.txt)
(py3) [root@jumpserver ~]# pip3 install -r /opt/coco-1.4.9/requirements/requirements.txt
(py3) [root@jumpserver ~]# cp /opt/coco-1.4.9/config_example.yml /opt/coco-1.4.9/config.yml

(py3) [root@jumpserver ~]# sed -i "s/# NAME: {{ Hostname }}/NAME: Coco/g" /opt/coco-1.4.9/config.yml
(py3) [root@jumpserver ~]# sed -i "s/BOOTSTRAP_TOKEN: <PleasgeChangeSameWithJumpserver>/BOOTSTRAP_TOKEN: $BOOTSTRAP_TOKEN/g" /opt/coco-1.4.9/config.yml
(py3) [root@jumpserver ~]# sed -i "s/# LOG_LEVEL: INFO/LOG_LEVEL: ERROR/g" /opt/coco-1.4.9/config.yml

(py3) [root@jumpserver ~]# cd /opt/coco-1.4.9/ && ./cocod start -d && cd ~ 

(py3) [root@jumpserver ~]# ps -elf | grep -v grep | grep coco
5 S root       4728      1  1  80   0 - 87217 ep_pol 18:42 ?        00:00:00 python3 ./cocod start -d

(py3) [root@jumpserver ~]# netstat -anput | grep 5000
tcp        0      0 0.0.0.0:5000            0.0.0.0:*               LISTEN      6287/python3   

(py3) [root@jumpserver ~]# netstat -anput | grep 2222
tcp        0      0 0.0.0.0:2222            0.0.0.0:*               LISTEN      6287/python3
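
The check Note 2 asks for, as an added example (my own script, not code from the post or from the JumpServer project): it reads BOOTSTRAP_TOKEN from JumpServer's config.yml and Coco's config.yml, rejects a value that is empty or still the example-config placeholder, and confirms the two agree. It assumes the 1.4.9 layout in which the key sits at the top level as `BOOTSTRAP_TOKEN: value`; the file names and the token in the samples are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post: confirm that the BOOTSTRAP_TOKEN
# Coco presents to JumpServer is the one JumpServer expects. Sample files and
# the token below are constructed.

# Print the value of a top-level "KEY: value" line in a YAML-style config.
# Commented-out lines ("# KEY: ...") do not match because of the ^ anchor;
# surrounding quotes, if any, are stripped.
yaml_value() {
    sed -n "s/^$1:[[:space:]]*//p" "$2" | head -n 1 | tr -d "\"'"
}

# A usable token is non-empty, purely alphanumeric (what the generator
# `tr -dc A-Za-z0-9` in the post produces) and at least 16 characters long.
# Coco's untouched placeholder <PleasgeChangeSameWithJumpserver> fails this.
token_is_plausible() {
    tok="$1"
    [ -n "$tok" ] || return 1
    [ "$(printf '%s' "$tok" | tr -dc 'A-Za-z0-9')" = "$tok" ] || return 1
    [ "${#tok}" -ge 16 ]
}

# Compare BOOTSTRAP_TOKEN between the JumpServer and Coco config files.
# Returns 0 when both are usable and identical, 1 otherwise.
check_bootstrap_token() {
    jms_cfg="$1"; coco_cfg="$2"
    jms_tok=$(yaml_value BOOTSTRAP_TOKEN "$jms_cfg")
    coco_tok=$(yaml_value BOOTSTRAP_TOKEN "$coco_cfg")
    if ! token_is_plausible "$jms_tok"; then
        echo "FAIL: BOOTSTRAP_TOKEN in $jms_cfg is empty or still a placeholder"
        return 1
    fi
    if [ "$jms_tok" != "$coco_tok" ]; then
        echo "FAIL: BOOTSTRAP_TOKEN in $coco_cfg does not match $jms_cfg; Coco cannot register with JumpServer"
        return 1
    fi
    echo "OK: BOOTSTRAP_TOKEN matches (${#jms_tok} characters)"
}

# Constructed sample configs in a temporary directory; prints the directory.
make_samples() {
    dir=$(mktemp -d)
    cat > "$dir/jumpserver.yml" << 'EOF'
SECRET_KEY: 8sD2kLm4Qp7Rt1Vw9Xy3Za6Bc0De5Fg2Hj4Kn7Mq1Ps3Uv6Wx9Y
BOOTSTRAP_TOKEN: Qm3xT7pLa9Wz4KdR
DB_ENGINE: mysql
EOF
    cat > "$dir/coco_ok.yml" << 'EOF'
NAME: Coco
BOOTSTRAP_TOKEN: Qm3xT7pLa9Wz4KdR
EOF
    cat > "$dir/coco_bad.yml" << 'EOF'
NAME: Coco
BOOTSTRAP_TOKEN: <PleasgeChangeSameWithJumpserver>
EOF
    echo "$dir"
}

# Demo run: the first pair matches, the second still has the placeholder.
samples=$(make_samples)
check_bootstrap_token "$samples/jumpserver.yml" "$samples/coco_ok.yml"
check_bootstrap_token "$samples/jumpserver.yml" "$samples/coco_bad.yml" || true
```

Against the real files: `check_bootstrap_token /opt/jumpserver-1.4.9/config.yml /opt/coco-1.4.9/config.yml`. For the container deployment in the next step the token is passed as an environment variable instead of a file; write `BOOTSTRAP_TOKEN: $BOOTSTRAP_TOKEN` into a temporary file and compare that the same way before running `docker run`.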

2、Deploy Coco in a container

# Download the Docker yum repository file
(py3) [root@jumpserver ~]# wget -O /etc/yum.repos.d/docker-ce.repo http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo

# Configure Docker registry mirrors
(py3) [root@jumpserver ~]# mkdir /etc/docker
(py3) [root@jumpserver ~]# cat > /etc/docker/daemon.json << EOF
{
  "registry-mirrors": [
    "https://dockerhub.azk8s.cn",
    "https://reg-mirror.qiniu.com",
    "https://registry.docker-cn.com"
  ]
}
EOF

# Install Docker
(py3) [root@jumpserver ~]# yum -y install yum-utils device-mapper-persistent-data lvm2 lvm2-devel docker-ce

# Start Docker and enable it at boot
(py3) [root@jumpserver ~]# systemctl start docker
(py3) [root@jumpserver ~]# systemctl enable docker

# Pull the image and start the container
(py3) [root@jumpserver ~]# docker run --name jms_coco -d -p 2222:2222 -p 5000:5000 -e CORE_HOST=http://10.2.3.11:8080 -e BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN --restart=always jumpserver/jms_coco:1.4.9

# List the downloaded image
(py3) [root@jumpserver ~]# docker images
REPOSITORY            TAG                 IMAGE ID            CREATED             SIZE
jumpserver/jms_coco   1.4.9               f8193f7a7114        10 months ago       475MB

# Check the container status
(py3) [root@jumpserver ~]# docker ps -a
CONTAINER ID        IMAGE                       COMMAND             CREATED             STATUS              PORTS                                            NAMES
fe2e51d1d83f        jumpserver/jms_coco:1.4.9   "entrypoint.sh"     34 seconds ago      Up 33 seconds       0.0.0.0:2222->2222/tcp, 0.0.0.0:5000->5000/tcp   jms_coco

# Enter the Coco container
(py3) [root@jumpserver ~]# docker exec -it jms_coco /bin/bash

# Read the notes inside the container
[root@fe2e51d1d83f opt]# cat readme.txt
Coco Version 1.4.9
项目默认目录 /opt/coco/
log 位置 /opt/coco/data/logs/
确保BOOTSTRAP_TOKEN与jumpserver/config.yml里面的一致

官网 http://www.jumpserver.org
文档 http://docs.jumpserver.org
有问题请参考 http://docs.jumpserver.org/zh/docs/faq.html

进入容器命令 docker exec -it jms_coco /bin/bash

# Inside the container, confirm port 5000 is listening
[root@fe2e51d1d83f opt]# netstat -anput | grep 5000
tcp        0      0 0.0.0.0:5000            0.0.0.0:*               LISTEN      19/python3          

# Inside the container, confirm port 2222 is listening
[root@fe2e51d1d83f opt]# netstat -anput | grep 2222
tcp        0      0 0.0.0.0:2222            0.0.0.0:*               LISTEN      19/python3 

# To deploy additional nodes, just change the container name and the mapped ports, then load-balance them in Nginx, as shown below:
(py3) [root@jumpserver ~]# docker run --name jms_coco1 -d -p 2223:2222 -p 5001:5000 -e CORE_HOST=http://10.2.3.11:8080 -e BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN --restart=always jumpserver/jms_coco:1.4.9

3、Deploy Luna; it only needs to be extracted

(py3) [root@jumpserver ~]# tar xf luna-1.4.9.tar.gz -C /opt/
(py3) [root@jumpserver ~]# chown -R root:root /opt/luna/

4、Deploy Guacamole in a container

Note: the Guacamole component is deployed only to provide RDP (managing Windows assets from the web interface); if there are no Windows servers among the managed assets, this step can be skipped.

# Pull the image and start the container
(py3) [root@jumpserver ~]# docker run --name jms_guacamole -d -p 8081:8081 -e JUMPSERVER_SERVER=http://10.2.3.11:8080 -e JUMPSERVER_KEY_DIR=/config/guacamole/key -e BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN --restart=always jumpserver/jms_guacamole:1.4.9

# Check the running state of the containers
(py3) [root@jumpserver ~]# docker ps -a
CONTAINER ID        IMAGE                            COMMAND             CREATED              STATUS              PORTS                                            NAMES
7750c0ad4508        jumpserver/jms_guacamole:1.4.9   "entrypoint.sh"     About a minute ago   Up About a minute   4822/tcp, 0.0.0.0:8081->8081/tcp                 jms_guacamole
ae0b8c3900e7        jumpserver/jms_coco:1.4.9        "entrypoint.sh"     4 minutes ago        Up 4 minutes        0.0.0.0:2222->2222/tcp, 0.0.0.0:5000->5000/tcp   jms_coco

# Enter the Guacamole container
(py3) [root@jumpserver ~]# docker exec -it jms_guacamole /bin/bash

# Read the notes
[root@7750c0ad4508 config]# cat readme.txt
Guacamole Version 1.4.9
项目默认目录 /config
log 位置 /config/tomcat8/logs/catalina.out
确保BOOTSTRAP_TOKEN与jumpserver/config.yml里面的一致

官网 http://www.jumpserver.org
文档 http://docs.jumpserver.org
有问题请参考 http://docs.jumpserver.org/zh/docs/faq.html

进入容器命令 docker exec -it jms_guacamole /bin/bash

# Check the log; as shown below, Guacamole registered successfully
[root@7750c0ad4508 config]# tail -f /config/guacamole/data/log/info.log
2020-02-18 22:02:47,053 [localhost-startStop-1] INFO  o.a.g.environment.LocalEnvironment 106 - GUACAMOLE_HOME is "/config/guacamole".
2020-02-18 22:02:48,675 [localhost-startStop-1] INFO  o.a.g.a.j.r.JumpserverRegisterService 147 - 获取终端配置: {code:403,result:{"detail":"Access key id invalid"}}
2020-02-18 22:02:48,678 [Thread-6] INFO  o.a.g.a.j.r.JumpserverRegisterService 165 - 开始心跳,间隔: 10000毫秒
2020-02-18 22:02:48,682 [Thread-6] INFO  o.a.g.a.j.r.JumpserverRegisterService 192 - 等待心跳,AccessKey验证未通过
2020-02-18 22:02:48,688 [Thread-7] INFO  o.a.g.a.j.s.JumpserverSessionService 44 - 开始处理Session队列
2020-02-18 22:02:48,688 [localhost-startStop-1] INFO  o.a.g.extension.ExtensionModule 402 - Extension "JumpServer Authentication" loaded.
2020-02-18 22:02:48,691 [localhost-startStop-1] INFO  o.a.g.environment.LocalEnvironment 106 - GUACAMOLE_HOME is "/config/guacamole".
2020-02-18 22:02:48,843 [localhost-startStop-1] INFO  o.a.g.t.w.WebSocketTunnelModule 69 - Loading JSR-356 WebSocket support...
2020-02-18 22:02:48,866 [Thread-5] INFO  o.a.g.a.j.r.JumpserverRegisterService 124 - 注册终端,获取Access Key成功

# Confirm port 8081 is listening
[root@7750c0ad4508 config]# netstat -anput | grep 8081
tcp        0      0 0.0.0.0:8081            0.0.0.0:*               LISTEN      35/java 

# To deploy additional nodes, just change the container name and the mapped ports, then load-balance them in Nginx, as shown below:
(py3) [root@jumpserver ~]# docker run --name jms_guacamole1 -d -p 8082:8081 -e JUMPSERVER_SERVER=http://10.2.3.11:8080 -e JUMPSERVER_KEY_DIR=/config/guacamole/key -e BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN --restart=always jumpserver/jms_guacamole:1.4.9
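
With every component started, the port table from section 1 can be checked against what is actually listening. This added example (my own script, not from the post or the JumpServer project) parses a saved `netstat -anput` capture, the command used throughout this post, reports any expected port that is missing, and warns when a port that only needs to be reached from this host is bound to all interfaces. The two captures are constructed: the first mirrors the bind settings used above (MySQL and Redis on 0.0.0.0), the second has them on 10.2.3.11 only.

```shell
#!/bin/sh
# Added example, not from the original post: compare listening ports with the
# expected list and flag backends exposed on every interface. Captures below
# are constructed to look like `netstat -anput` output.

# Print "address port" for every TCP socket in LISTEN state.
# netstat -anput columns: Proto Recv-Q Send-Q Local Foreign State PID/Program
listening_sockets() {
    awk '$1 ~ /^tcp/ && $6 == "LISTEN" {
        n = split($4, a, ":"); port = a[n]
        addr = substr($4, 1, length($4) - length(port) - 1)
        print addr, port
    }' "$1"
}

# check_listeners CAPTURE "required ports" "ports expected on all interfaces"
# Prints MISSING/WARN/OK per port; returns 1 if a port is missing or a port
# outside the public list is bound to 0.0.0.0 or ::.
check_listeners() {
    capture="$1"; required="$2"; public="$3"; rc=0
    socks=$(listening_sockets "$capture")
    for p in $required; do
        addr=$(printf '%s\n' "$socks" | awk -v p="$p" '$2 == p { print $1; exit }')
        if [ -z "$addr" ]; then
            echo "MISSING: nothing is listening on port $p"; rc=1; continue
        fi
        case "$addr" in
            0.0.0.0|::|:::)
                case " $public " in
                    *" $p "*) echo "OK: port $p on all interfaces (expected)" ;;
                    *) echo "WARN: port $p is bound to $addr; restrict it to the address its consumer connects from"; rc=1 ;;
                esac ;;
            *) echo "OK: port $p bound to $addr" ;;
        esac
    done
    return "$rc"
}

# Constructed captures in a temporary directory; prints the directory.
make_captures() {
    dir=$(mktemp -d)
    cat > "$dir/as_deployed.txt" << 'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:3635            0.0.0.0:*               LISTEN      34411/mysqld
tcp        0      0 0.0.0.0:6379            0.0.0.0:*               LISTEN      4244/redis-server 0
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      4480/python3.6
tcp        0      0 0.0.0.0:2222            0.0.0.0:*               LISTEN      6287/python3
tcp        0      0 0.0.0.0:5000            0.0.0.0:*               LISTEN      6287/python3
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1021/sshd
tcp        0      0 10.2.3.11:3635          10.2.3.11:51322         ESTABLISHED 34411/mysqld
tcp6       0      0 :::8081                 :::*                    LISTEN      35/java
EOF
    cat > "$dir/tightened.txt" << 'EOF'
tcp        0      0 10.2.3.11:3635          0.0.0.0:*               LISTEN      34411/mysqld
tcp        0      0 10.2.3.11:6379          0.0.0.0:*               LISTEN      4244/redis-server 0
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      4480/python3.6
tcp        0      0 0.0.0.0:2222            0.0.0.0:*               LISTEN      6287/python3
tcp        0      0 0.0.0.0:5000            0.0.0.0:*               LISTEN      6287/python3
tcp6       0      0 :::8081                 :::*                    LISTEN      35/java
EOF
    echo "$dir"
}

REQUIRED="3635 6379 8080 2222 5000 8081"
# 2222 is the users' SSH entry point; 8080, 5000 and 8081 are reached by the
# containers over the host address and proxied by Nginx, so they stay public.
PUBLIC="2222 8080 5000 8081"

# Demo run: WARN for 3635 and 6379 in the first capture, all OK in the second.
captures=$(make_captures)
check_listeners "$captures/as_deployed.txt" "$REQUIRED" "$PUBLIC" || true
check_listeners "$captures/tightened.txt" "$REQUIRED" "$PUBLIC"
```

On the host: `netstat -anput > /tmp/listen.txt && check_listeners /tmp/listen.txt "$REQUIRED" "$PUBLIC"`, adding 80 to REQUIRED once Nginx is deployed in the next section. The two WARN lines in the first run are the point: with `bind_address = 0.0.0.0` in my.cnf and `bind 0.0.0.0` in redis.conf, the database holding the asset credentials and the Redis instance holding sessions answer on every interface of 10.2.3.11, even though the MySQL grant is limited to 10.2.3.% and Redis has a password.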

8) Deploy Nginx

1、Download and install Nginx

(py3) [root@jumpserver ~]# useradd -M -s /sbin/nologin nginx
(py3) [root@jumpserver ~]# wget -c http://nginx.org/download/nginx-1.16.1.tar.gz
(py3) [root@jumpserver ~]# tar xf nginx-1.16.1.tar.gz -C /usr/src/
(py3) [root@jumpserver ~]# cd /usr/src/nginx-1.16.1/
(py3) [root@jumpserver nginx-1.16.1]# ./configure --prefix=/etc/nginx --user=nginx --group=nginx --with-http_ssl_module --with-http_stub_status_module
(py3) [root@jumpserver nginx-1.16.1]# make -j 8 && make install -j 8 && cd ~

2、Add Nginx to PATH and register it as a system service so it can be managed with systemctl

(py3) [root@jumpserver ~]# echo 'export PATH=/etc/nginx/sbin:$PATH' >> /etc/profile
(py3) [root@jumpserver ~]# source /etc/profile && nginx
(py3) [root@jumpserver ~]# cat > /usr/lib/systemd/system/nginx.service << 'EOF'
[Unit]
Description=nginx
After=network.target

[Service]
Type=forking
PIDFile=/etc/nginx/logs/nginx.pid
ExecStart=/etc/nginx/sbin/nginx
# systemd does not perform $(...) substitution; with PIDFile set it fills in $MAINPID itself.
# The quoted 'EOF' keeps the shell from expanding $MAINPID while the file is written.
ExecReload=/bin/kill -s HUP $MAINPID
ExecStop=/bin/kill -s QUIT $MAINPID
PrivateTmp=false

[Install]
WantedBy=multi-user.target
EOF
(py3) [root@jumpserver ~]# systemctl daemon-reload && pkill -9 nginx
(py3) [root@jumpserver ~]# systemctl restart nginx && systemctl enable nginx
(py3) [root@jumpserver ~]# cp /etc/nginx/conf/nginx.conf /etc/nginx/conf/nginx.conf.bak

3. Write the Nginx configuration file, set Nginx up for URL dispatch, then restart the Nginx service

Note: I renamed the software directories, so I also changed the paths in the Nginx configuration accordingly

user  nginx;

worker_processes  auto;
worker_cpu_affinity auto;
worker_rlimit_nofile 65535;

pid             /etc/nginx/logs/nginx.pid;              # adjust the path to your layout
error_log       /etc/nginx/logs/error.log  info;        # adjust the path to your layout

events {
    use epoll;
    worker_connections  65535;
}

http {
    include       mime.types;
    default_type  application/octet-stream;

    log_format  mds  '$remote_addr - $remote_user [$time_local] "$request" '
                     '$status $body_bytes_sent "$http_referer" '
                     '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  logs/access.log  mds;
    sendfile                on;
    tcp_nopush              on;
    tcp_nodelay             on;
    send_timeout            10;
    keepalive_timeout       60;
    server_tokens           off;
    client_max_body_size    512m;
    fastcgi_buffers 64 4K;
    client_header_buffer_size  15k;
    large_client_header_buffers  4 128k;
    open_file_cache_valid  30s;
    open_file_cache_min_uses 2;
    open_file_cache max=65535 inactive=20s;

    gzip  on;
    gzip_min_length         3k;
    gzip_buffers     4      16k;
    gzip_http_version       1.1;
    gzip_comp_level         1;
    gzip_vary               on;
    gzip_types      text/plain application/x-javascript text/css application/xml;

    upstream cocows {
        server 10.2.3.11:5000 weight=1;
        server 10.2.3.11:5001 weight=1;
        ip_hash;
    }

    upstream guacamole {
        server 10.2.3.11:8081 weight=1;
        server 10.2.3.11:8082 weight=1;
        ip_hash;
    }

    server {
        listen          80;                         # adjust the port as needed
        charset         utf-8;
        client_max_body_size 8192m;                 # size limit for recordings and file uploads

        location /luna/ {
            try_files $uri / /index.html;
            alias /opt/luna/;                       # Luna path; change it if the install directory differs
        }

        location /media/ {
            add_header Content-Encoding gzip;
            root /opt/jumpserver-1.4.9/data/;       # recording location; change it if the install directory differs
        }

        location /static/ {
            root /opt/jumpserver-1.4.9/data/;       # static assets; change it if the install directory differs
        }

        location /socket.io/ {
            proxy_pass http://cocows/socket.io/;
            proxy_buffering off;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            access_log off;
        }

        location /coco/ {
            proxy_pass http://cocows/coco/;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            access_log off;
        }

        location /guacamole/ {
            proxy_pass       http://guacamole/;
            proxy_buffering off;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $http_connection;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            access_log off;
        }

        location / {
            proxy_pass http://localhost:8080;       # if JumpServer runs on another node, put its IP here
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }
}

(py3) [root@jumpserver ~]# nginx -t
nginx: the configuration file /etc/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/conf/nginx.conf test is successful

(py3) [root@jumpserver ~]# systemctl restart nginx

(py3) [root@jumpserver ~]# netstat -anput | grep nginx
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      9435/nginx: master 
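Mistakes in this file do not fail nginx -t; they show up later as WebSocket sessions that never open, or as login logs that record the proxy address instead of the client. The following added example (not part of the original post or of the JumpServer project) parses the subset of nginx syntax used above and audits the proxy layout: every proxy_pass must point at a defined upstream or a literal address, a location that sets Upgrade must also set proxy_http_version 1.1, the Host/X-Real-IP/X-Forwarded-For headers must be forwarded, server_tokens should be off, and a server block without a TLS listener is reported. The embedded configuration is a constructed, trimmed variant of the one above in which /guacamole/ deliberately lacks proxy_http_version and two headers, so the checks have something to report.

```python
import re

# Tokenizer for the nginx syntax used above: '#' comments, quoted strings,
# the punctuation '{' '}' ';' and bare words ($variables are just words).
_TOKEN = re.compile(r"""(#[^\n]*)|("(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*')|([{};])|([^\s{};"']+)""")


def tokenize(text):
    for comment, quoted, punct, word in _TOKEN.findall(text):
        if comment:
            continue
        yield quoted[1:-1] if quoted else (punct or word)


def parse(text):
    """Parse into nested (name, args, children) triples; children is None for a simple directive."""
    toks = list(tokenize(text))
    pos = 0

    def block():
        nonlocal pos
        items = []
        while pos < len(toks) and toks[pos] != '}':
            words = []
            while pos < len(toks) and toks[pos] not in ('{', ';'):
                words.append(toks[pos])
                pos += 1
            if pos == len(toks) or not words:
                raise ValueError('unterminated directive near %r' % words)
            if toks[pos] == ';':
                pos += 1
                items.append((words[0], words[1:], None))
            else:
                pos += 1                      # consume '{'
                children = block()
                if pos == len(toks):
                    raise ValueError('missing } for %s' % words[0])
                pos += 1                      # consume '}'
                items.append((words[0], words[1:], children))
        return items

    return block()


def walk(items):
    for name, args, children in items:
        yield name, args, children
        if children:
            yield from walk(children)


def _proxy_host(target):
    """'http://cocows/socket.io/' -> 'cocows'; 'http://localhost:8080' -> 'localhost'."""
    rest = target.split('://', 1)[-1]
    return rest.split('/', 1)[0].split(':', 1)[0]


def audit(text):
    """Return (upstreams, findings) for an nginx config in front of JumpServer."""
    tree = parse(text)
    upstreams = {a[0]: [s[0] for n, s, _ in ch if n == 'server']
                 for n, a, ch in walk(tree) if n == 'upstream' and ch is not None}
    findings = []
    if not any(n == 'server_tokens' and a == ['off'] for n, a, _ in walk(tree)):
        findings.append('http: server_tokens off not set; nginx version is disclosed in responses')
    for name, args, children in walk(tree):
        if name == 'server' and children is not None:
            if not any(n == 'listen' and ('ssl' in a or a[0].endswith('443')) for n, a, _ in children):
                findings.append('server: no TLS listener; terminal traffic and replays cross the network in clear text')
        if name != 'location' or children is None:
            continue
        loc = ' '.join(args)
        d = {}
        for n, a, _ in children:
            d.setdefault(n, []).append(a)
        if 'proxy_pass' not in d:
            continue                          # static location (luna, media, static)
        host = _proxy_host(d['proxy_pass'][0][0])
        if host in upstreams:
            if not upstreams[host]:
                findings.append(f'{loc}: upstream {host} has no servers')
        elif not re.fullmatch(r'localhost|\d+(\.\d+){3}', host):
            findings.append(f'{loc}: proxy_pass host {host} is neither an upstream nor a literal address')
        headers = {a[0]: a[1] for a in d.get('proxy_set_header', []) if len(a) == 2}
        if 'Upgrade' in headers and d.get('proxy_http_version', [['1.0']])[0][0] != '1.1':
            findings.append(f'{loc}: sets Upgrade without proxy_http_version 1.1; WebSocket upgrade will fail')
        for h in ('Host', 'X-Real-IP', 'X-Forwarded-For'):
            if h not in headers:
                findings.append(f'{loc}: missing proxy_set_header {h}; the backend only sees the proxy, not the client')
    return upstreams, findings


# Constructed sample: a trimmed variant of the configuration above; /guacamole/ is
# deliberately missing proxy_http_version 1.1 and two forwarding headers.
SAMPLE_CONF = """
http {
    server_tokens off;
    upstream cocows    { server 10.2.3.11:5000; server 10.2.3.11:5001; ip_hash; }
    upstream guacamole { server 10.2.3.11:8081; server 10.2.3.11:8082; ip_hash; }
    server {
        listen 80;                      # plain HTTP, exactly as in the post
        location /luna/ { try_files $uri / /index.html; alias /opt/luna/; }
        location /socket.io/ {
            proxy_pass http://cocows/socket.io/;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
        location /guacamole/ {
            proxy_pass http://guacamole/;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $http_connection;
            proxy_set_header Host $host;
        }
        location / {
            proxy_pass http://localhost:8080;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }
}
"""

if __name__ == '__main__':
    ups, issues = audit(SAMPLE_CONF)
    for name, servers in ups.items():
        print(f'upstream {name}: {", ".join(servers)}')
    for issue in issues:
        print('WARN', issue)
```

Run it against the real file with audit(open('/etc/nginx/conf/nginx.conf').read()) after nginx -t passes; the parser only understands the directive/block syntax, so an include directive is reported as a plain directive rather than followed.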

Note: at this point the JumpServer deployment is complete; you can now open it in a browser. The username and the password are both admin

III. JumpServer Bastion Host Management

1) Getting started

Once the configuration above is complete, open http://10.2.3.11 in a browser and the following page appears

User: admin

Password: admin

After logging in, first open Terminal Management and check the registration status; as shown below, all four nodes registered successfully

1. System settings

Tip: if hosts mappings were set up on the server and the clients, enter the domain name; otherwise simply enter the IP address of the JumpServer server

2. Mail settings

Caution: the default is port 25; it is recommended to tick 465. The mailbox password is the authorization token, not the mailbox login password, so pay close attention here

2) User management

1. User concepts

Before creating users, let us go over a few concepts. JumpServer has three kinds of users, described below

Login user: the user who logs in to JumpServer, such as admin above, i.e. the user who just logged in from the Web page

Admin user: root on the asset, or a user with NOPASSWD:ALL sudo rights; JumpServer uses this user to push system users

System user: the user JumpServer logs in with when jumping to an asset, in short the user that logs in to the asset, created by the admin user above

2. Create a login user

Note: enter the e-mail address correctly here, because after the user is created its password is sent to the mailbox you specified

Note: some people may not receive any mail after creating a user, or receive the test mail but not the mail sent after creating a user. Having stepped on these pitfalls many times, I would point out the following:

1. Whether a mapping to the third-party mail server was added on the JumpServer server; after repeated testing, mail can be sent without it, but it sometimes gets stuck

2. On a cloud server, tick 465 rather than using port 25

3. In the steps above, whether the mailbox in the mail settings was entered correctly, and whether POP3/SMTP/IMAP was enabled for that mailbox

With that understood, we now reset the new user's password through the link in the mail

After changing the password, log in as the mds user, then generate a key pair on the JumpServer server

(py3) [root@jumpserver ~]# ssh-keygen > /dev/null 

Enter passphrase (empty for no passphrase):
Enter same passphrase again:
(py3) [root@jumpserver ~]#
(py3) [root@jumpserver ~]# cat /root/.ssh/id_rsa.pub   #copy the public key below
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDFBkReUMMmntPw8KZE9Y+docn0tpCvMeRFZcoV5OWxHIWx6sHVLdu+FFEWRccaCkzKvs/yb/N6YwiM1BtLKv0Xrh09tx6JSKy0nMmCbUaUQVI9HmRR+FmEgyW690yhTNolehwUQ8LWElFJkODcklJWTOjxcp6+FW9tS0wRvAOhAYVyQWrgMg7QTjZOZomzvauPjx3NWdIlAmxwgmMCLsIap1UJ59lKqunkzDWdrvHhN4wCjCPiNiLXc9UDkzrswyXgvsHd8GvgCt0l2eDbVzd6hDTrZY8QJ4MvP8Hl41LhQrG51a/7yGa1tF/syBuHpn9sLEO10Ce9OcKpHHJSrip3 root@jumpserver

After copying it, log in as the newly created user; you then arrive at the following screen, where you paste the key copied above, as shown below
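The key above is pasted into a web form, and a stray newline, a truncated copy, or a key that is weaker than it looks is nothing the form will tell you about. The following added example (not from the original post or the JumpServer project) parses an OpenSSH public key line the way a server would, checks that the text type matches the type encoded inside the blob, reports the RSA modulus size, and flags surrounding whitespace or a short modulus as problems. encode_ssh_rsa exists only to build a constructed sample with a placeholder modulus of the right size; it is not a real key and nothing here generates keys.

```python
import base64
import struct


def _ssh_string(b):
    """RFC 4251 'string': 4-byte big-endian length, then the bytes."""
    return struct.pack('>I', len(b)) + b


def _mpint(n):
    """RFC 4251 'mpint': big-endian two's complement, so 0x00 is prepended when the high bit is set."""
    b = n.to_bytes((n.bit_length() + 7) // 8, 'big')
    if b and b[0] & 0x80:
        b = b'\x00' + b
    return _ssh_string(b)


def encode_ssh_rsa(e, n, comment):
    """Build an id_rsa.pub-style line from RSA public parameters (used here only for sample data)."""
    blob = _ssh_string(b'ssh-rsa') + _mpint(e) + _mpint(n)
    return 'ssh-rsa ' + base64.b64encode(blob).decode() + ' ' + comment


def _read_string(blob, off):
    if off + 4 > len(blob):
        raise ValueError('key blob truncated')
    (length,) = struct.unpack('>I', blob[off:off + 4])
    end = off + 4 + length
    if end > len(blob):
        raise ValueError('key blob truncated (incomplete copy?)')
    return blob[off + 4:end], end


def parse_ssh_pubkey(line, min_bits=2048):
    """Check one public key line before pasting it into the user's profile.

    Returns {'type', 'comment', 'bits', 'problems'}; raises ValueError when the
    line cannot be a valid key at all. 'problems' lists things that parse fine
    but will still cause trouble: surrounding newline/whitespace, a short modulus.
    """
    problems = []
    if line != line.strip():
        problems.append('leading/trailing whitespace or newline; strip it before pasting')
    parts = line.split()
    if len(parts) < 2:
        raise ValueError('expected "<type> <base64> [comment]"')
    ktype, b64 = parts[0], parts[1]
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError:
        raise ValueError('base64 body is invalid (incomplete copy?)') from None
    blob_type, off = _read_string(blob, 0)
    if blob_type != ktype.encode():
        raise ValueError(f'type field {ktype!r} does not match blob type {blob_type!r}')
    info = {'type': ktype, 'comment': ' '.join(parts[2:]), 'bits': None, 'problems': problems}
    if ktype == 'ssh-rsa':
        _e, off = _read_string(blob, off)           # public exponent, not needed here
        n_bytes, off = _read_string(blob, off)      # modulus; its bit length is the key size
        info['bits'] = int.from_bytes(n_bytes, 'big').bit_length()
        if info['bits'] < min_bits:
            problems.append(f"RSA modulus is {info['bits']} bits, below the {min_bits}-bit minimum")
    elif ktype == 'ssh-ed25519':
        pub, off = _read_string(blob, off)          # 32-byte public point
        info['bits'] = len(pub) * 8
    if off != len(blob):
        problems.append('unexpected trailing bytes after the key blob')
    return info


# Constructed sample: the modulus is a placeholder number of the right size, not a real key.
SAMPLE_N = (1 << 2047) | 1
SAMPLE_LINE = encode_ssh_rsa(65537, SAMPLE_N, 'root@jumpserver')

if __name__ == '__main__':
    print(parse_ssh_pubkey(SAMPLE_LINE))
```

To check the real file, call parse_ssh_pubkey(open('/root/.ssh/id_rsa.pub').read()) and expect the whitespace problem, since the file ends in a newline that must not be pasted.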

3. Create a user group

3) Asset management

1. Admin users

2. System users

3. Asset list

Tip: right-click Default to create a node, then select the new node and create the asset under it

Tip: add node3 in the same way; I will not repeat it here. The final result is shown below:

4) Permission management

1. Asset authorization

Tip: select the node just created here, then create the authorization rule

Tip: this authorization means that 胖林 can manage the two servers node2 and node3 while Administrator cannot; but if Administrator is added to the ops group, it can manage them as well
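The rule just described resolves in three steps: a rule applies to a login user either directly or through one of the user's groups, a grant on a node expands to every asset under that node, and the result is the set of assets plus the system users the login may use on them. The following added example (not from the original post or the JumpServer project) models that resolution so the statement above can be checked mechanically. The node, user and group names mirror the post; "ops_user" is a hypothetical system user name, since the post does not show one.

```python
from dataclasses import dataclass, field


@dataclass
class Node:
    """A node of the asset tree (the tree under Default in the Asset list)."""
    name: str
    assets: set = field(default_factory=set)
    children: list = field(default_factory=list)

    def all_assets(self):
        """A grant on a node covers its own assets and everything below it."""
        found = set(self.assets)
        for child in self.children:
            found |= child.all_assets()
        return found


@dataclass
class AssetPermission:
    """One authorization rule: these users and/or user groups may reach
    the assets under these nodes, logging in as these system users."""
    name: str
    users: frozenset
    user_groups: frozenset
    nodes: tuple
    system_users: frozenset


def effective_access(user, user_groups, rules):
    """Resolve a login user's reachable assets as {asset: {system users}}.

    A rule matches if it names the user directly or any group the user is in,
    so adding Administrator to the ops group is enough to extend its reach.
    """
    groups = frozenset(user_groups)
    access = {}
    for rule in rules:
        if user in rule.users or groups & rule.user_groups:
            for node in rule.nodes:
                for asset in node.all_assets():
                    access.setdefault(asset, set()).update(rule.system_users)
    return access


# Constructed sample mirroring the post: a node under Default holding node2 and node3,
# and one rule for 胖林 plus the ops group. "ops_user" is a hypothetical system user name.
OPS_NODE = Node('ops', assets={'node2', 'node3'})
DEFAULT = Node('Default', children=[OPS_NODE])
RULES = [AssetPermission('ops-servers', frozenset({'胖林'}), frozenset({'运维组'}),
                         (OPS_NODE,), frozenset({'ops_user'}))]

if __name__ == '__main__':
    for who, groups in (('胖林', []), ('Administrator', []), ('Administrator', ['运维组'])):
        print(who, groups, '->', sorted(effective_access(who, groups, RULES)))
```

The same function shows why granting on Default is much broader than granting on the new node: a rule on the root covers every asset that will ever be added below it.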

5) Session management

1. Web terminal

Tip: choose Session Management, then Web Terminal, and you will see the nodes just added; the Luna component must be installed beforehand

2. Online sessions

Tip: open two windows and you will see two online sessions; if one looks abnormal you can terminate it

3. Session history

6) Linux terminal login

Note: the user used to log in is the same one used to log in from the Web page, e.g. the mds user we just created

1. User login

2. Jumping to an asset

7) Managing Windows assets

1. Create a Windows system user

Tip: since Windows does not support automatic push, a system user must be created on the Windows system in advance; that system user can also be the administrator itself

2. Create a Windows admin user

Tip: for the Windows admin user, enter the administrator account of that Windows system, e.g. Administrator; mine is MDS because I renamed the user

3. Authorize the user

4. Test managing the Windows asset from the Web

[Just killing time]
