• JumpServer的Docker部署实战案例


              JumpServer的Docker部署实战案例

                                  作者:尹正杰 

    版权声明:原创作品,谢绝转载!否则将追究法律责任。

    一.JumpServer概述

    1>.什么是JumpServer

      JumpServer是全球首款完全开源的堡垒机, 使用GNU GPL v2.0开源协议, 是符合4A的专业运维审计系统。
    
      JumpServer使用Python/Django进行开发, 遵循Web 2.0规范, 配备了业界领先的Web Terminal解决方案, 交互界面美观、用户体验好。
    
      JumpServer采纳分布式架构, 支持多机房跨区域部署, 中心节点提供API, 各机房部署登录节点, 可横向扩展、无并发访问限制。
    
      JumpServer现已支持管理 SSH、Telnet、RDP、VNC 协议资产。
    
    
      温馨提示(4A机制如下所示):
        身份认证(Authentication):
          支持LDAP/AD,支持OpenID,支持MFA等。
    
        账号管理(Account):
          支持账号集中管理、密码统一管理、资产用户收集等。
    
        授权控制(Authorization):
          支持资产授权、应用授权、动作授权、时间授权、特权授权等。
    
        安全审计(Audit):
          支持操作审计、会话审计、录像审计、指令审计和文件传输审计等。

    2>.JumpServer的特点

      开源
        零门槛,线上快速获取和安装
    
      分布式
        轻松支持大规模并发访问
    
      云端存储
        审计录像云端存储,永不丢失
     
      无插件
        仅需浏览器,极致的Web Terminal使用体验
    
      多云支持
        一套系统,同时管理不同云上面的资产
    
      多租户
        一套系统,多个子公司和部门同时使用

    3>.博主推荐阅读

      官网地址:
        https://jumpserver.org/
    
      官方文档:
        https://jumpserver.readthedocs.io/zh/master/

    二.JumpServer环境准备

    1>.JumpServer的部署方式说明

      不得不说JumpServer官方提供的部署方式真的非常Nice(其实我内心想说的是花里胡哨)。不过官网推荐首次安装的用户使用"极速安装"或者"docker 快速部署"其它的部署文档需要非常强的动手能力, 部署过程中你会面临各种各样的问题。
        极速部署:
          https://jumpserver.readthedocs.io/zh/master/install/setup_by_fast/
        Docker部署:
          https://jumpserver.readthedocs.io/zh/master/install/docker_install/
        标准部署:
          https://jumpserver.readthedocs.io/zh/master/install/step_by_step/
        分布式部署:
          https://jumpserver.readthedocs.io/zh/master/install/setup_by_prod/
        ansible部署:
          https://jumpserver.readthedocs.io/zh/master/install/ansible_install/
        卸载文档:
          https://jumpserver.readthedocs.io/zh/master/install/uninstall/
    
      博主推荐阅读:
        https://jumpserver.readthedocs.io/zh/master/admin-guide/quick_start/
        https://jumpserver.readthedocs.io/zh/master/user-guide/assets/user-asset/

    2>.安装docker环境

      博主推荐阅读:
        CemtOS环境:
          https://www.cnblogs.com/yinzhengjie/p/12178843.html
    
        Ubuntu环境:
          https://www.cnblogs.com/yinzhengjie/p/12182645.html

    3>.安装数据库

      博主推荐阅读:
        MySQL/MariaDB数据库安装:
          https://www.cnblogs.com/yinzhengjie/p/11733897.html
    
        Redis数据库安装:
          https://www.cnblogs.com/yinzhengjie/p/10555893.html

    三.基于Docker方式快速部署JumpServer

    1>.下载JumpServer镜像到本地(方便启动镜像)

    [root@yinzhengjie.com ~]# docker image ls
    REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
    [root@yinzhengjie.com ~]# 
    [root@yinzhengjie.com ~]# docker pull jumpserver/jms_all:latest
    latest: Pulling from jumpserver/jms_all
    ab5ef0e58194: Pull complete 
    193b02679001: Pull complete 
    a47baeaf6bd3: Pull complete 
    98d1e2ae778f: Pull complete 
    56bc08e705a4: Pull complete 
    bb7ad882de98: Pull complete 
    Digest: sha256:a82e17c70a27099dc510ef4cb079467be67cfca96f849ccd0a7728937b38c977
    Status: Downloaded newer image for jumpserver/jms_all:latest
    docker.io/jumpserver/jms_all:latest
    [root@yinzhengjie.com ~]# 
    [root@yinzhengjie.com ~]# docker image ls
    REPOSITORY           TAG                 IMAGE ID            CREATED             SIZE
    jumpserver/jms_all   latest              aebdcad38356        11 days ago         1.48GB
    [root@yinzhengjie.com ~]# 
    [root@yinzhengjie.com ~]# docker pull jumpserver/jms_all:latest

    2>.配置MysSQL数据库配置 

    [root@yinzhengjie.com ~]# mysql
    Welcome to the MariaDB monitor.  Commands end with ; or g.
    Your MariaDB connection id is 17
    Server version: 5.5.65-MariaDB MariaDB Server
    
    Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
    
    Type 'help;' or 'h' for help. Type 'c' to clear the current input statement.
    
    MariaDB [(none)]> 
    MariaDB [(none)]> create database jumpserver default charset 'utf8' collate 'utf8_bin';                #创建数据库
    Query OK, 1 row affected (0.00 sec)
    
    MariaDB [(none)]> 
    MariaDB [(none)]> CREATE USER jumpserver@'%' IDENTIFIED BY 'yinzhengjie';                         #创建用户
    Query OK, 0 rows affected (0.00 sec)
    
    MariaDB [(none)]>
    MariaDB [(none)]> GRANT ALL ON jumpserver.* TO jumpserver@'%';                               #为创建的用户授权已创建的jumpserver数据库所有权限。
    Query OK, 0 rows affected (0.00 sec)
    
    MariaDB [(none)]> 
    MariaDB [(none)]> grant all on jumpserver.* to 'jumpserver'@'yinzhengjie.com' identified by 'yinzhengjie';     #如果执行上述命令本机如无法正常登录,执行该命令就好使了。
    Query OK, 0 rows affected (0.00 sec)
    
    MariaDB [(none)]> 
    MariaDB [(none)]> QUIT
    Bye
    [root@yinzhengjie.com ~]# 
    [root@yinzhengjie.com ~]# mysql -ujumpserver -pyinzhengjie -h 172.200.1.254
    Welcome to the MariaDB monitor.  Commands end with ; or g.
    Your MariaDB connection id is 27
    Server version: 5.5.65-MariaDB MariaDB Server
    
    Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
    
    Type 'help;' or 'h' for help. Type 'c' to clear the current input statement.
    
    MariaDB [(none)]> 
    MariaDB [(none)]> SHOW DATABASES;
    +--------------------+
    | Database           |
    +--------------------+
    | information_schema |
    | jumpserver         |
    | test               |
    +--------------------+
    3 rows in set (0.00 sec)
    
    MariaDB [(none)]> 
    MariaDB [(none)]> QUIT
    Bye
    [root@yinzhengjie.com ~]# 
    [root@yinzhengjie.com ~]# mysql -ujumpserver -pyinzhengjie -h 172.200.1.254                      #测试授权用户是否有权限连接

    3>.配置Redis数据库

    [root@yinzhengjie.com ~]# hostname -i
    172.200.1.254
    [root@yinzhengjie.com ~]# 
    [root@yinzhengjie.com ~]# grep ^requirepass /etc/redis.conf 
    requirepass yinzhengjie
    [root@yinzhengjie.com ~]# 
    [root@yinzhengjie.com ~]# grep ^bind /etc/redis.conf 
    bind yinzhengjie.com
    [root@yinzhengjie.com ~]# 
    [root@yinzhengjie.com ~]# systemctl restart redis
    [root@yinzhengjie.com ~]# 
    [root@yinzhengjie.com ~]# ss -ntl
    State      Recv-Q Send-Q                                         Local Address:Port                                                        Peer Address:Port              
    LISTEN     0      50                                                         *:3306                                                                   *:*                  
    LISTEN     0      511                                            172.200.1.254:6379                                                                   *:*                  
    LISTEN     0      128                                                        *:22                                                                     *:*                  
    LISTEN     0      128                                                       :::22                                                                    :::*                  
    [root@yinzhengjie.com ~]# 
    [root@yinzhengjie.com ~]# 

    4>.Linux生成随机加密秘钥

    [root@yinzhengjie.com ~]# vim random_encryption.sh
    [root@yinzhengjie.com ~]# 
    [root@yinzhengjie.com ~]# cat random_encryption.sh
    if [ ! "$SECRET_KEY" ]; then
      SECRET_KEY=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 50`;
      echo "SECRET_KEY=$SECRET_KEY" >> ~/.bashrc;
      echo $SECRET_KEY;
    else
      echo $SECRET_KEY;
    fi  
    if [ ! "$BOOTSTRAP_TOKEN" ]; then
      BOOTSTRAP_TOKEN=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 16`;
      echo "BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN" >> ~/.bashrc;
      echo $BOOTSTRAP_TOKEN;
    else
      echo $BOOTSTRAP_TOKEN;
    fi
    [root@yinzhengjie.com ~]# 
    [root@yinzhengjie.com ~]# bash random_encryption.sh          #生成的密钥下一步会用到,执行一次即可,以后需要重复使用哟!
    dPl4pOanKynSt8Sjcr4GEJWW2bn0tbLU7ToSMF5b4nvmsLlppF
    cJUGaQa9Xu4dT4EV
    [root@yinzhengjie.com ~]# 

    5>.启动Docker镜像

    [root@yinzhengjie.com ~]# docker image ls
    REPOSITORY           TAG                 IMAGE ID            CREATED             SIZE
    jumpserver/jms_all   latest              aebdcad38356        11 days ago         1.48GB
    [root@yinzhengjie.com ~]# 
    [root@yinzhengjie.com ~]# docker container ls
    CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES
    [root@yinzhengjie.com ~]# 
    [root@yinzhengjie.com ~]# mkdir /opt/jumpserver
    [root@yinzhengjie.com ~]# 
    [root@yinzhengjie.com ~]# docker run --name yinzhengjie-jumpserver -d 
    > -v /opt/jumpserver:/opt/jumpserver/data/media 
    > -p 80:80 
    > -p 2222:2222 
    > -e SECRET_KEY=dPl4pOanKynSt8Sjcr4GEJWW2bn0tbLU7ToSMF5b4nvmsLlppF 
    > -e BOOTSTRAP_TOKEN=cJUGaQa9Xu4dT4EV 
    > -e DB_HOST=172.200.1.254 
    > -e DB_PORT=3306 
    > -e DB_USER=jumpserver 
    > -e DB_PASSWORD=yinzhengjie 
    > -e DB_NAME=jumpserver 
    > -e REDIS_HOST=172.200.1.254 
    > -e REDIS_PORT=6379 
    > -e REDIS_PASSWORD=yinzhengjie 
    > jumpserver/jms_all:latest
    df53e78889e7ef7b081fc2fe7bc6088850441b160ec3e5bf61b447d99d5742fe
    [root@yinzhengjie.com ~]# 
    [root@yinzhengjie.com ~]# docker container ls
    CONTAINER ID        IMAGE                       COMMAND             CREATED             STATUS              PORTS                                        NAMES
    df53e78889e7        jumpserver/jms_all:latest   "./entrypoint.sh"   7 seconds ago       Up 5 seconds        0.0.0.0:80->80/tcp, 0.0.0.0:2222->2222/tcp   yinzhengjie-jumpserver
    [root@yinzhengjie.com
    ~]#
    [root@yinzhengjie.com ~]# docker logs -f df53e78889e7
    2020-05-16 14:26:55 Sat May 16 14:26:55 2020
    2020-05-16 14:26:55 Jumpserver version 1.5.8, more see https://www.jumpserver.org
    2020-05-16 14:26:55 Check database connection ...
    users
     [ ] 0001_initial
     [ ] 0002_auto_20171225_1157_squashed_0019_auto_20190304_1459 (18 squashed migrations)
     [ ] 0020_auto_20190612_1825
     [ ] 0021_auto_20190625_1104
     [ ] 0022_auto_20190625_1105
     [ ] 0023_auto_20190724_1525
     [ ] 0024_auto_20191118_1612
     [ ] 0025_auto_20200206_1216
    2020-05-16 14:26:59 Database connect success
    2020-05-16 14:26:59 Check database structure change ...
    2020-05-16 14:26:59 Migrate model change to database ...
    Operations to perform:
      Apply all migrations: admin, applications, assets, audits, auth, authentication, captcha, common, contenttypes, django_cas_ng, django_celery_beat, ops, orgs, perms, sessi
    ons, settings, terminal, tickets, usersRunning migrations:
      Applying contenttypes.0001_initial... OK
      Applying contenttypes.0002_remove_content_type_name... OK
      Applying auth.0001_initial... OK
      Applying auth.0002_alter_permission_name_max_length... OK
      Applying auth.0003_alter_user_email_max_length... OK
      Applying auth.0004_alter_user_username_opts... OK
      Applying auth.0005_alter_user_last_login_null... OK
      Applying auth.0006_require_contenttypes_0002... OK
      Applying auth.0007_alter_validators_add_error_messages... OK
      Applying auth.0008_alter_user_username_max_length... OK
      Applying users.0001_initial... OK
      Applying admin.0001_initial... OK
      Applying admin.0002_logentry_remove_auto_add... OK
      Applying admin.0003_logentry_add_action_flag_choices... OK
      Applying users.0002_auto_20171225_1157_squashed_0019_auto_20190304_1459... OK
      Applying assets.0001_initial... OK
      Applying perms.0001_initial... OK
      Applying assets.0002_auto_20180105_1807_squashed_0009_auto_20180307_1212... OK
      Applying assets.0010_auto_20180307_1749_squashed_0019_auto_20180816_1320... OK
      Applying perms.0002_auto_20171228_0025_squashed_0009_auto_20180903_1132... OK
      Applying perms.0003_action... OK
      Applying perms.0004_assetpermission_actions... OK
      Applying assets.0020_auto_20180816_1652... OK
      Applying assets.0021_auto_20180903_1132... OK
      Applying assets.0022_auto_20181012_1717... OK
      Applying assets.0023_auto_20181016_1650... OK
      Applying assets.0024_auto_20181219_1614... OK
      Applying assets.0025_auto_20190221_1902... OK
      Applying assets.0026_auto_20190325_2035... OK
      Applying applications.0001_initial... OK
      Applying perms.0005_auto_20190521_1619... OK
      Applying perms.0006_auto_20190628_1921... OK
      Applying perms.0007_remove_assetpermission_actions... OK
      Applying perms.0008_auto_20190911_1907... OK
      Applying assets.0027_auto_20190521_1703... OK
      Applying assets.0028_protocol... OK
      Applying assets.0029_auto_20190522_1114... OK
      Applying assets.0030_auto_20190619_1135... OK
      Applying assets.0031_auto_20190621_1332... OK
      Applying assets.0032_auto_20190624_2108... OK
      Applying assets.0033_auto_20190624_2108... OK
      Applying assets.0034_auto_20190705_1348... OK
      Applying assets.0035_auto_20190711_2018... OK
      Applying assets.0036_auto_20190716_1535... OK
      Applying assets.0037_auto_20190724_2002... OK
      Applying assets.0038_auto_20190911_1634... OK
      Applying perms.0009_remoteapppermission_system_users... OK
      Applying applications.0002_remove_remoteapp_system_user... OK
      Applying applications.0003_auto_20191210_1659... OK
      Applying applications.0004_auto_20191218_1705... OK
      Applying assets.0039_authbook_is_active... OK
      Applying assets.0040_auto_20190917_2056... OK
      Applying assets.0041_gathereduser... OK
      Applying assets.0042_favoriteasset... OK
      Applying assets.0043_auto_20191114_1111... OK
      Applying assets.0044_platform... OK
      Applying assets.0045_auto_20191206_1607... OK
      Applying assets.0046_auto_20191218_1705... OK
      Applying assets.0047_assetuser... OK
      Applying assets.0048_auto_20191230_1512... OK
      Applying assets.0049_systemuser_sftp_root... OK
      Applying audits.0001_initial... OK
      Applying audits.0002_ftplog_org_id... OK
      Applying audits.0003_auto_20180816_1652... OK
      Applying audits.0004_operatelog_passwordchangelog_userloginlog... OK
      Applying audits.0005_auto_20190228_1715... OK
      Applying audits.0006_auto_20190726_1753... OK
      Applying audits.0007_auto_20191202_1010... OK
      Applying auth.0009_alter_user_last_name_max_length... OK
      Applying auth.0010_alter_group_name_max_length... OK
      Applying auth.0011_update_proxy_permissions... OK
      Applying authentication.0001_initial... OK
      Applying authentication.0002_auto_20190729_1423... OK
      Applying authentication.0003_loginconfirmsetting... OK
      Applying captcha.0001_initial... OK
      Applying common.0001_initial... OK
      Applying common.0002_auto_20180111_1407... OK
      Applying common.0003_setting_category... OK
      Applying common.0004_setting_encrypted... OK
      Applying common.0005_auto_20190221_1902... OK
      Applying common.0006_auto_20190304_1515... OK
      Applying django_cas_ng.0001_initial... OK
      Applying django_celery_beat.0001_initial... OK
      Applying django_celery_beat.0002_auto_20161118_0346... OK
      Applying django_celery_beat.0003_auto_20161209_0049... OK
      Applying django_celery_beat.0004_auto_20170221_0000... OK
      Applying django_celery_beat.0005_add_solarschedule_events_choices_squashed_0009_merge_20181012_1416... OK
      Applying django_celery_beat.0006_periodictask_priority... OK
      Applying ops.0001_initial... OK
      Applying ops.0002_celerytask... OK
      Applying ops.0003_auto_20181207_1744... OK
      Applying ops.0004_adhoc_run_as... OK
      Applying ops.0005_auto_20181219_1807... OK
      Applying ops.0006_auto_20190318_1023... OK
      Applying ops.0007_auto_20190724_2002... OK
      Applying ops.0008_auto_20190919_2100... OK
      Applying ops.0009_auto_20191217_1713... OK
      Applying ops.0010_auto_20191217_1758... OK
      Applying ops.0011_auto_20200106_1534... OK
      Applying ops.0012_auto_20200108_1659... OK
      Applying ops.0013_auto_20200108_1706... OK
      Applying ops.0014_auto_20200108_1749... OK
      Applying ops.0015_auto_20200108_1809... OK
      Applying ops.0016_commandexecution_org_id... OK
      Applying ops.0017_auto_20200306_1747... OK
      Applying orgs.0001_initial... OK
      Applying orgs.0002_auto_20180903_1132... OK
      Applying orgs.0003_auto_20190916_1057... OK
      Applying users.0020_auto_20190612_1825... OK
      Applying users.0021_auto_20190625_1104... OK
      Applying users.0022_auto_20190625_1105... OK
      Applying users.0023_auto_20190724_1525... OK
      Applying users.0024_auto_20191118_1612... OK
      Applying perms.0010_auto_20191218_1705... OK
      Applying sessions.0001_initial... OK
      Applying settings.0001_initial... OK
      Applying terminal.0001_initial... OK
      Applying terminal.0002_auto_20171228_0025_squashed_0009_auto_20180326_0957... OK
      Applying terminal.0010_auto_20180423_1140... OK
      Applying terminal.0011_auto_20180807_1116... OK
      Applying terminal.0012_auto_20180816_1652... OK
      Applying terminal.0013_auto_20181123_1113... OK
      Applying terminal.0014_auto_20181226_1441... OK
      Applying terminal.0015_auto_20190923_1529... OK
      Applying terminal.0016_commandstorage_replaystorage... OK
      Applying terminal.0017_auto_20191125_0931... OK
      Applying terminal.0018_auto_20191202_1010... OK
      Applying terminal.0019_auto_20191206_1000... OK
      Applying terminal.0020_auto_20191218_1721... OK
      Applying terminal.0021_auto_20200213_1316... OK
      Applying terminal.0022_session_is_success... OK
      Applying terminal.0023_command_risk_level... OK
      Applying tickets.0001_initial... OK
      Applying users.0025_auto_20200206_1216... OK
    2020-05-16 14:27:15 Collect static files
    2020-05-16 14:27:17 Collect static files done
    guacd[104]: INFO:    Guacamole proxy daemon (guacd) version 1.0.0 started
    Starting guacd: SUCCESS
    Tomcat started.
    Jumpserver ALL 1.5.8
    官网 http://www.jumpserver.org
    文档 http://docs.jumpserver.org
    有问题请参考 http://docs.jumpserver.org/zh/docs/faq.html
    
    进入容器命令 docker exec -it jms_all /bin/bash
    [root@yinzhengjie.com ~]# docker logs -f df53e78889e7                #查看容器的日志信息

    6>.访问JumpServer的WebUI

    [root@yinzhengjie.com ~]# ss -ntl
    State      Recv-Q Send-Q                                         Local Address:Port   
    LISTEN     0      50                                                         *:3306   
    LISTEN     0      511                                            172.200.1.254:6379   
    LISTEN     0      128                                                        *:22     
    LISTEN     0      20480                                                     :::2222   
    LISTEN     0      20480                                                     :::80     
    LISTEN     0      128                                                       :::22     
    [root@yinzhengjie.com ~]# 
    [root@yinzhengjie.com ~]# hostname -i
    172.200.1.254
    [root@yinzhengjie.com ~]# 

    7>.JumpServer部署成功

    8>.博主推荐阅读

      JumpServer的用户管理:
        https://www.cnblogs.com/yinzhengjie/p/12380734.html
    
      JumpServer的资产管理:
        https://www.cnblogs.com/yinzhengjie/p/12386493.html
    
        JumpServer的权限管理:
            https://www.cnblogs.com/yinzhengjie/p/12764722.html
            
        JumpServer的会话管理及命令过滤器应用案例:
            https://www.cnblogs.com/yinzhengjie/p/12811794.html
  • 相关阅读:
    tryparse的用法,^0*[1-9]d*$
    寻找指定的进程然后杀死的代码写法
    P2421 [NOI2002]荒岛野人
    P2568 GCD
    P1445 [Violet]樱花
    P3119 [USACO15JAN]草鉴定Grass Cownoisseur
    P1314 聪明的质监员
    P3811 【模板】乘法逆元
    P3943 星空
    P3225 [HNOI2012]矿场搭建
  • 原文地址:https://www.cnblogs.com/yinzhengjie/p/12370104.html
Copyright © 2020-2023  润新知