JumpServer deployment and usage
阿新 • Published: 2022-12-01
JumpServer deployment notes:
This installs the latest release, v2.13.2, following the official documentation (https://jumpserver.readthedocs.io/zh/master/install/setup_by_fast/).
Note: the database is an external database; everything else is deployed in containers.
Deployment steps
1. Install the database
CentOS 7 ships an old MariaDB by default, which must be removed before installing a newer version. Some systems also ship MySQL by default; it must be removed as well, or it will conflict with MariaDB. The commands are as follows:

  rpm -qa | grep mariadb      # list the old packages, then remove them with yum remove

Create MariaDB.repo:

  [mariadb]
  name = MariaDB
  baseurl = http://mirrors.aliyun.com/mariadb/yum/10.3/centos7-amd64/
  gpgkey = http://mirrors.aliyun.com/mariadb/yum/RPM-GPG-KEY-MariaDB
  gpgcheck = 1

Install:
  yum install MariaDB-server MariaDB-client
Start:
  systemctl start mariadb
Enable on boot:
  systemctl enable mariadb
Basic MariaDB setup:
  mysql_secure_installation
Follow the prompts to set the root password, remove anonymous users, and so on.
Login test:
  mysql -u root -p
Create the jumpserver database and the jumpserver user:

  create database jumpserver default charset 'utf8';
  create user jumpserver@127.0.0.1 identified by 'passwd';
  grant all privileges on jumpserver.* to jumpserver@127.0.0.1 identified by 'passwd';
  grant all privileges on *.* to 'jumpserver'@'%' identified by 'passwd';
  FLUSH PRIVILEGES;

The second grant is needed because core runs in a container and reaches MariaDB from the Docker bridge network rather than from 127.0.0.1, so the jumpserver@127.0.0.1 account alone would not match. Note that it gives the user all privileges on every database from any host, which is wider than JumpServer needs; the jumpserver database and the Docker subnet are the minimum.
2. Install JumpServer
The official site offers several deployment methods; here the manual method is used.

  cd /opt
  wget https://github.com/jumpserver/installer/releases/download/v2.13.2/jumpserver-installer-v2.13.2.tar.gz
  tar -xf jumpserver-installer-v2.13.2.tar.gz
  cd jumpserver-installer-v2.13.2

Edit the configuration template as needed (settings whose purpose is unclear can be left untouched). The main change is switching the database to the external one.

  cat config-example.txt
  # If the settings below are left empty, the system generates random strings for them
  ## When migrating, set SECRET_KEY and BOOTSTRAP_TOKEN to their original values
  ## Full parameter documentation: https://docs.jumpserver.org/zh/master/admin-guide/env/

  ## Install settings; amd64 uses the Huawei Cloud mirror for faster downloads by default, comment it out on arm64
  DOCKER_IMAGE_PREFIX=swr.cn-south-1.myhuaweicloud.com
  # DOCKER_IMAGE_PREFIX=swr.cn-south-1.myhuaweicloud.com
  VOLUME_DIR=/opt/jumpserver
  DOCKER_DIR=/var/lib/docker
  SECRET_KEY=
  BOOTSTRAP_TOKEN=
  LOG_LEVEL=ERROR

  ## MySQL settings; USE_EXTERNAL_MYSQL=1 means an external database is used, enter the correct MySQL details
  USE_EXTERNAL_MYSQL=0
  DB_HOST=mysql
  DB_PORT=3306
  DB_USER=root
  DB_PASSWORD=
  DB_NAME=jumpserver

  ## Redis settings; USE_EXTERNAL_REDIS=1 means an external Redis is used, enter the correct Redis details
  USE_EXTERNAL_REDIS=0
  REDIS_HOST=redis
  REDIS_PORT=6379
  REDIS_PASSWORD=

  ## Compose project settings; if 192.168.250.0/24 conflicts with one of your existing subnets, change it and restart JumpServer
  COMPOSE_PROJECT_NAME=jms
  COMPOSE_HTTP_TIMEOUT=3600
  DOCKER_CLIENT_TIMEOUT=3600
  DOCKER_SUBNET=192.168.250.0/24

  ## IPv6 settings; whether containers enable IPv6 NAT, USE_IPV6=1 enables it; when 0, DOCKER_SUBNET_IPV6 has no effect
  USE_IPV6=0
  DOCKER_SUBNET_IPV6=2001:db8:10::/64

  ## Nginx settings; USE_LB=1 enables it; when 0, HTTPS_PORT has no effect
  HTTP_PORT=80
  SSH_PORT=2222
  RDP_PORT=3389
  USE_LB=0
  HTTPS_PORT=443

  ## Task settings; whether to start the jms_celery container, must be enabled on a single node
  USE_TASK=1

  ## XPack; USE_XPACK=1 enables it, has no effect in the open-source edition
  USE_XPACK=0

  # Core settings, session definition; SESSION_COOKIE_AGE is the number of idle seconds after which the session expires, SESSION_EXPIRE_AT_BROWSER_CLOSE=true expires the session when the browser is closed
  # SESSION_COOKIE_AGE=86400
  SESSION_EXPIRE_AT_BROWSER_CLOSE=true

  # Koko, Lion and XRDP component settings
  CORE_HOST=http://core:8080

  # Extra settings
  CURRENT_VERSION=

Install:
  ./jmsctl.sh install
Follow the prompts; when asked about the database, choose the external database.

Start:
  ./jmsctl.sh start

By default it installs to /opt/jumpserver; after installation the configuration file is /opt/jumpserver/config/config.txt.

Commonly used commands:

  cd /opt/jumpserver-installer-v2.13.2
  ./jmsctl.sh start        # start
  ./jmsctl.sh down         # stop
  ./jmsctl.sh uninstall    # uninstall
  ./jmsctl.sh -h           # help

check_update: check JumpServer for updates

  [root@localhost jumpserver-installer-v2.13.2]# ./jmsctl.sh check_update
  當前版本已是最新: v2.13.2

backup_db: back up the database

  [root@localhost jumpserver-installer-v2.13.2]# ./jmsctl.sh backup_db
  正在備份...
  mysqldump: [Warning] Using a password on the command line interface can be insecure.
  [SUCCESS] 備份成功! 備份檔案已存放至: /opt/jumpserver/db_backup/jumpserver-v2.13.2-2021-09-13_09:49:39.sql

status: check JumpServer status

  [root@localhost jumpserver-installer-v2.13.2]# ./jmsctl.sh status
     Name                 Command                   State                   Ports
  ---------------------------------------------------------------------------------------------
  jms_celery   ./entrypoint.sh start task       Up (healthy)   8070/tcp, 8080/tcp
  jms_core     ./entrypoint.sh start web        Up (healthy)   8070/tcp, 8080/tcp
  jms_koko     ./entrypoint.sh                  Up (healthy)   0.0.0.0:2222->2222/tcp, 5000/tcp
  jms_lion     /usr/bin/supervisord             Up (healthy)   4822/tcp
  jms_redis    docker-entrypoint.sh redis ...   Up (healthy)   6379/tcp
  jms_web      /docker-entrypoint.sh ngin ...   Up (healthy)   0.0.0.0:80->80/tcp

tail [service]: view logs

  ./jmsctl.sh tail jms_web

The related containers can be seen with docker ps:

  CONTAINER ID   IMAGE                       COMMAND                  CREATED        STATUS                  PORTS                              NAMES
  534d2612080a   jumpserver/koko:v2.13.2     "./entrypoint.sh"        2 hours ago    Up 2 hours (healthy)    0.0.0.0:2222->2222/tcp, 5000/tcp   jms_koko
  4048af6cf657   jumpserver/web:v2.13.2      "/docker-entrypoint.…"   2 hours ago    Up 2 hours (healthy)    0.0.0.0:80->80/tcp                 jms_web
  31dce29019c6   jumpserver/core:v2.13.2     "./entrypoint.sh sta…"   2 hours ago    Up 2 hours (healthy)    8070/tcp, 8080/tcp                 jms_celery
  c13025a1e708   jumpserver/lion:v2.13.2     "/usr/bin/supervisord"   2 hours ago    Up 2 hours (healthy)    4822/tcp                           jms_lion
  c1822b9c6450   jumpserver/core:v2.13.2     "./entrypoint.sh sta…"   2 hours ago    Up 2 hours (healthy)    8070/tcp, 8080/tcp                 jms_core
  4bb5b74d6e52   jumpserver/redis:6-alpine   "docker-entrypoint.s…"   13 hours ago   Up 13 hours (healthy)   6379/tcp                           jms_redis

Check the status of each component:

  [root@localhost config]# cd /opt/jumpserver-installer-v2.13.2
  [root@localhost jumpserver-installer-v2.13.2]# ./jmsctl.sh status
  (same output as the status table above)
3. Configure SSL and the IP whitelist
SSL can be configured with JumpServer's built-in nginx or with a unified external nginx proxy. Because nginx also has to enforce an IP whitelist, the external nginx proxy approach is used here.

1. Deploy nginx

  yum install nginx -y

Edit the configuration to suit your needs, then:

  systemctl start nginx && systemctl enable nginx

2. Configure SSL

Delete the default.conf configuration and add your own:

  vim /etc/nginx/conf.d/jumpserver.conf

  server {
      listen 443 ssl;
      server_name xxxxxxx;   # change to your own domain name
      ssl_certificate /etc/nginx/ssl/cloud-control.crt;       # set your own certificate
      ssl_certificate_key /etc/nginx/ssl/cloud-control.key;   # set your own certificate key
      ssl_session_timeout 1d;
      ssl_session_cache shared:MozSSL:10m;
      ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
      ssl_prefer_server_ciphers off;
      ssl_protocols TLSv1.1 TLSv1.2;
      add_header Strict-Transport-Security "max-age=63072000" always;
      client_max_body_size 4096m;   # size limit for session recordings and file uploads

      if ( $geo = 1 ) {
          return 403;
      }

      location / {
          # the ip here is the ip of the backend JumpServer nginx
          proxy_pass http://x.x.x.x;
          proxy_http_version 1.1;
          proxy_buffering off;
          proxy_request_buffering off;
          proxy_set_header Upgrade $http_upgrade;
          proxy_set_header Connection "upgrade";
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header Host $host;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      }
  }

3. IP whitelist configuration

  ###################### nginx.conf (partial) ###################
  geo $remote_addr $geo {
      default 1;
      include conf/jumpserver_whitelist.conf;
  }
  ###################### nginx.conf (partial) ###################

  ###################### conf/jumpserver_whitelist.conf ###################
  192.168.0.0/24 0;
  ###################### conf/jumpserver_whitelist.conf ###################

With this, $geo is 1 (deny) for every client address not listed, so each allowed network needs its own line with value 0. The check is made on $remote_addr, the direct TCP peer of the external nginx, and it only covers the HTTPS entry point: the backend's own ports (80 and 2222, bound to 0.0.0.0 in the status output above) are not covered by this whitelist and need to be restricted separately, for example with the host firewall.
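To make the whitelist decision above concrete, here is an added Python re-implementation of the geo lookup (an example written for this page, not code from the post or from nginx): it applies nginx's most-specific-prefix rule over the whitelist entries with the block's default of 1 and returns the 403 the server block produces when $geo = 1. The function names parse_geo_rules, geo_lookup and decide are assumptions, and only the 192.168.0.0/24 line of the sample whitelist comes from the post; the other entries are constructed to show an allowed range with a carved-out denied subnet.

```python
import ipaddress

# Constructed sample of conf/jumpserver_whitelist.conf: "CIDR value;" per line.
# Value 0 = allowed (the $geo = 1 check does not fire); value 1 = denied.
# Only the first line is from the post; the rest are constructed for this example.
WHITELIST_CONF = """\
192.168.0.0/24 0;
10.8.0.0/16 0;
10.8.99.0/24 1;   # constructed: a carved-out subnet that stays denied
"""

GEO_DEFAULT = 1  # matches "default 1;" in the geo block


def parse_geo_rules(text):
    """Parse 'network value;' lines into (network, value) tuples, ignoring comments."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().rstrip(";").strip()
        if not line:
            continue
        net, value = line.split()
        rules.append((ipaddress.ip_network(net, strict=False), int(value)))
    return rules


def geo_lookup(rules, remote_addr, default=GEO_DEFAULT):
    """Mimic nginx geo on CIDR rules: the most specific (longest prefix) match wins."""
    addr = ipaddress.ip_address(remote_addr)
    best = None
    for net, value in rules:
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, value)
    return default if best is None else best[1]


def decide(rules, remote_addr):
    """HTTP status the server block yields: 403 when $geo = 1, else 200 (proxied on)."""
    return 403 if geo_lookup(rules, remote_addr) == 1 else 200


if __name__ == "__main__":
    rules = parse_geo_rules(WHITELIST_CONF)
    for client in ("192.168.0.10", "192.168.1.10", "10.8.1.1", "10.8.99.7", "2001:db8::1"):
        print(f"{client:>14} -> {decide(rules, client)}")
```

Running it prints 200 for 192.168.0.10 and 10.8.1.1 and 403 for the rest, including the IPv6 client, because the default applies to any address no rule covers.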