A hands-on example of deploying JumpServer with Docker
Author: Yin Zhengjie
Copyright notice: original work, reposting is not permitted! Violators will be held legally liable.
I. JumpServer overview
1>.What is JumpServer
JumpServer is the world's first fully open-source bastion host, released under the GNU GPL v2.0 licence, and is a professional operations audit system that meets the 4A requirements. JumpServer is developed in Python/Django, follows Web 2.0 conventions, and ships with an industry-leading Web Terminal solution with a clean interface and a good user experience. JumpServer uses a distributed architecture and supports deployment across multiple data centres and regions: a central node provides the API, login nodes are deployed in each data centre, and the system scales horizontally with no limit on concurrent access. JumpServer currently supports managing assets over the SSH, Telnet, RDP and VNC protocols.
Tip (the 4A mechanism is as follows):
Authentication: supports LDAP/AD, OpenID, MFA, etc.
Account: centralised account management, unified password management, collection of asset users, etc.
Authorization: asset authorization, application authorization, action authorization, time-based authorization, privileged authorization, etc.
Audit: operation audit, session audit, session-recording audit, command audit and file-transfer audit, etc.
2>.Features of JumpServer
Open source: zero barrier to entry, obtain and install it online in minutes
Distributed: easily supports large-scale concurrent access
Cloud storage: audit recordings are stored in the cloud and never lost
No plugins: only a browser is needed, for the best possible Web Terminal experience
Multi-cloud: one system manages assets across different clouds at the same time
Multi-tenant: one system serves several subsidiaries and departments at the same time
3>.Recommended reading from the blogger
Official website: https://jumpserver.org/
Official documentation: https://jumpserver.readthedocs.io/zh/master/
II. Preparing the JumpServer environment
1>.Notes on the JumpServer deployment methods
I have to say that the deployment methods JumpServer officially provides are really nice (what I actually want to say is: flashy). That said, the official site recommends that first-time users use the "quick install" or the "Docker quick deployment"; the other deployment documents require strong hands-on skills, and you will run into all kinds of problems along the way.
Quick deployment: https://jumpserver.readthedocs.io/zh/master/install/setup_by_fast/
Docker deployment: https://jumpserver.readthedocs.io/zh/master/install/docker_install/
Standard deployment: https://jumpserver.readthedocs.io/zh/master/install/step_by_step/
Distributed deployment: https://jumpserver.readthedocs.io/zh/master/install/setup_by_prod/
Ansible deployment: https://jumpserver.readthedocs.io/zh/master/install/ansible_install/
Uninstall documentation: https://jumpserver.readthedocs.io/zh/master/install/uninstall/
Recommended reading from the blogger:
https://jumpserver.readthedocs.io/zh/master/admin-guide/quick_start/
https://jumpserver.readthedocs.io/zh/master/user-guide/assets/user-asset/
2>.Install the Docker environment
Recommended reading from the blogger:
CentOS environment: https://www.cnblogs.com/yinzhengjie/p/12178843.html
Ubuntu environment: https://www.cnblogs.com/yinzhengjie/p/12182645.html
3>.Install the databases
Recommended reading from the blogger:
MySQL/MariaDB database installation: https://www.cnblogs.com/yinzhengjie/p/11733897.html
Redis database installation: https://www.cnblogs.com/yinzhengjie/p/10555893.html
III. Quick deployment of JumpServer with Docker
1>.Pull the JumpServer image to the local host (so the container can be started conveniently)

[root@yinzhengjie.com ~]# docker image ls
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
[root@yinzhengjie.com ~]#
[root@yinzhengjie.com ~]# docker pull jumpserver/jms_all:latest
latest: Pulling from jumpserver/jms_all
ab5ef0e58194: Pull complete
193b02679001: Pull complete
a47baeaf6bd3: Pull complete
98d1e2ae778f: Pull complete
56bc08e705a4: Pull complete
bb7ad882de98: Pull complete
Digest: sha256:a82e17c70a27099dc510ef4cb079467be67cfca96f849ccd0a7728937b38c977
Status: Downloaded newer image for jumpserver/jms_all:latest
docker.io/jumpserver/jms_all:latest
[root@yinzhengjie.com ~]#
[root@yinzhengjie.com ~]# docker image ls
REPOSITORY           TAG                 IMAGE ID            CREATED             SIZE
jumpserver/jms_all   latest              aebdcad38356        11 days ago         1.48GB
[root@yinzhengjie.com ~]#
2>.Configure the MySQL database
[root@yinzhengjie.com ~]# mysql
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 17
Server version: 5.5.65-MariaDB MariaDB Server

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]>
MariaDB [(none)]> create database jumpserver default charset 'utf8' collate 'utf8_bin';  # create the database
Query OK, 1 row affected (0.00 sec)

MariaDB [(none)]>
MariaDB [(none)]> CREATE USER jumpserver@'%' IDENTIFIED BY 'yinzhengjie';  # create the user
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]>
MariaDB [(none)]> GRANT ALL ON jumpserver.* TO jumpserver@'%';  # grant the new user all privileges on the jumpserver database created above
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]>
MariaDB [(none)]> grant all on jumpserver.* to 'jumpserver'@'yinzhengjie.com' identified by 'yinzhengjie';  # if the local host still cannot log in after the command above, running this one fixes it
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]>
MariaDB [(none)]> QUIT
Bye
[root@yinzhengjie.com ~]#

[root@yinzhengjie.com ~]# mysql -ujumpserver -pyinzhengjie -h 172.200.1.254
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 27
Server version: 5.5.65-MariaDB MariaDB Server

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]>
MariaDB [(none)]> SHOW DATABASES;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| jumpserver         |
| test               |
+--------------------+
3 rows in set (0.00 sec)

MariaDB [(none)]>
MariaDB [(none)]> QUIT
Bye
[root@yinzhengjie.com ~]#
3>.Configure the Redis database
[root@yinzhengjie.com ~]# hostname -i
172.200.1.254
[root@yinzhengjie.com ~]#
[root@yinzhengjie.com ~]# grep ^requirepass /etc/redis.conf
requirepass yinzhengjie
[root@yinzhengjie.com ~]#
[root@yinzhengjie.com ~]# grep ^bind /etc/redis.conf
bind yinzhengjie.com
[root@yinzhengjie.com ~]#
[root@yinzhengjie.com ~]# systemctl restart redis
[root@yinzhengjie.com ~]#
[root@yinzhengjie.com ~]# ss -ntl
State      Recv-Q Send-Q Local Address:Port               Peer Address:Port
LISTEN     0      50           *:3306                         *:*
LISTEN     0      511    172.200.1.254:6379                   *:*
LISTEN     0      128          *:22                           *:*
LISTEN     0      128         :::22                          :::*
[root@yinzhengjie.com ~]#
[root@yinzhengjie.com ~]#
4>.Generate random encryption keys on Linux
[root@yinzhengjie.com ~]# vim random_encryption.sh
[root@yinzhengjie.com ~]#
[root@yinzhengjie.com ~]# cat random_encryption.sh
#!/bin/bash
# SECRET_KEY: 50 random alphanumeric characters. Generated on the first run and
# appended to ~/.bashrc; "export" is needed so that later runs of this script
# (a child process) can see the saved value instead of generating a new key.
if [ ! "$SECRET_KEY" ]; then
    SECRET_KEY=$(cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 50)
    echo "export SECRET_KEY=$SECRET_KEY" >> ~/.bashrc
    echo "$SECRET_KEY"
else
    echo "$SECRET_KEY"
fi
# BOOTSTRAP_TOKEN: 16 random alphanumeric characters, handled the same way.
if [ ! "$BOOTSTRAP_TOKEN" ]; then
    BOOTSTRAP_TOKEN=$(cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 16)
    echo "export BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN" >> ~/.bashrc
    echo "$BOOTSTRAP_TOKEN"
else
    echo "$BOOTSTRAP_TOKEN"
fi
[root@yinzhengjie.com ~]#
[root@yinzhengjie.com ~]# bash random_encryption.sh  # the generated keys are used in the next step; run this once and reuse them afterwards!
dPl4pOanKynSt8Sjcr4GEJWW2bn0tbLU7ToSMF5b4nvmsLlppF
cJUGaQa9Xu4dT4EV
[root@yinzhengjie.com ~]#
5>.Start the Docker image
[root@yinzhengjie.com ~]# docker image ls
REPOSITORY           TAG                 IMAGE ID            CREATED             SIZE
jumpserver/jms_all   latest              aebdcad38356        11 days ago         1.48GB
[root@yinzhengjie.com ~]#
[root@yinzhengjie.com ~]# docker container ls
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES
[root@yinzhengjie.com ~]#
[root@yinzhengjie.com ~]# mkdir /opt/jumpserver
[root@yinzhengjie.com ~]#
[root@yinzhengjie.com ~]# docker run --name yinzhengjie-jumpserver -d \
> -v /opt/jumpserver:/opt/jumpserver/data/media \
> -p 80:80 \
> -p 2222:2222 \
> -e SECRET_KEY=dPl4pOanKynSt8Sjcr4GEJWW2bn0tbLU7ToSMF5b4nvmsLlppF \
> -e BOOTSTRAP_TOKEN=cJUGaQa9Xu4dT4EV \
> -e DB_HOST=172.200.1.254 \
> -e DB_PORT=3306 \
> -e DB_USER=jumpserver \
> -e DB_PASSWORD=yinzhengjie \
> -e DB_NAME=jumpserver \
> -e REDIS_HOST=172.200.1.254 \
> -e REDIS_PORT=6379 \
> -e REDIS_PASSWORD=yinzhengjie \
> jumpserver/jms_all:latest
df53e78889e7ef7b081fc2fe7bc6088850441b160ec3e5bf61b447d99d5742fe
[root@yinzhengjie.com ~]#
[root@yinzhengjie.com ~]# docker container ls
CONTAINER ID        IMAGE                       COMMAND             CREATED             STATUS              PORTS                                        NAMES
df53e78889e7        jumpserver/jms_all:latest   "./entrypoint.sh"   7 seconds ago       Up 5 seconds        0.0.0.0:80->80/tcp, 0.0.0.0:2222->2222/tcp   yinzhengjie-jumpserver
[root@yinzhengjie.com ~]#
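Steps 4 and 5 above append the generated secrets to ~/.bashrc and pass them on the docker run command line. The script below is an added example (not from the original post or from JumpServer) that covers both steps while keeping SECRET_KEY, BOOTSTRAP_TOKEN and the database settings in a root-only env file handed to the container with --env-file; the file path /opt/jumpserver/jumpserver.env and the container name "jumpserver" are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not from the post or JumpServer): generate the two secrets once,
# keep every container setting in a root-only env file, and start the container
# with --env-file instead of appending secrets to ~/.bashrc and the command line.
# Assumed: env file /opt/jumpserver/jumpserver.env, container name "jumpserver".
set -euo pipefail
ENV_FILE="${ENV_FILE:-/opt/jumpserver/jumpserver.env}"

# Random [A-Za-z0-9] string of length $1 (the alphabet the post's script uses).
# Fixed-size reads from /dev/urandom, so no SIGPIPE under pipefail.
rand_alnum() {
  local n="$1" s=""
  while [ "${#s}" -lt "$n" ]; do
    s+=$(head -c 64 /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9')
  done
  printf '%s' "${s:0:n}"
}

# Env file body: the post's DB/Redis settings plus the generated secrets ($1, $2).
render_env() {
  printf '%s\n' "SECRET_KEY=$1" "BOOTSTRAP_TOKEN=$2" \
    DB_HOST=172.200.1.254 DB_PORT=3306 DB_USER=jumpserver \
    DB_PASSWORD=yinzhengjie DB_NAME=jumpserver \
    REDIS_HOST=172.200.1.254 REDIS_PORT=6379 REDIS_PASSWORD=yinzhengjie
}

# Check an env file before use: all keys present and non-empty, SECRET_KEY at
# least 50 chars (the length the post generates). Returns 1 on the first problem.
check_env_file() {
  local f="$1" key sk
  for key in SECRET_KEY BOOTSTRAP_TOKEN DB_HOST DB_PORT DB_USER DB_PASSWORD \
             DB_NAME REDIS_HOST REDIS_PORT REDIS_PASSWORD; do
    grep -Eq "^${key}=.+" "$f" || { echo "missing $key in $f" >&2; return 1; }
  done
  sk=$(sed -n 's/^SECRET_KEY=//p' "$f")
  [ "${#sk}" -ge 50 ] || { echo "SECRET_KEY too short in $f" >&2; return 1; }
}

# Create the env file once with mode 0600. Never regenerate it: a new SECRET_KEY
# makes the asset credentials JumpServer already encrypted in MySQL unreadable.
write_env_file() {
  [ -e "$1" ] || ( umask 077; render_env "$(rand_alnum 50)" "$(rand_alnum 16)" > "$1" )
}
# Same docker run as the post, but the settings come from the env file.
case "${1:-}" in
  up) mkdir -p "$(dirname "$ENV_FILE")"; write_env_file "$ENV_FILE"; check_env_file "$ENV_FILE"
      docker run --name jumpserver -d -v /opt/jumpserver:/opt/jumpserver/data/media \
        -p 80:80 -p 2222:2222 --env-file "$ENV_FILE" jumpserver/jms_all:latest ;;
esac
```

Run it as `bash jumpserver-up.sh up`; a second run reuses the existing env file instead of generating new keys.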

[root@yinzhengjie.com ~]# docker logs -f df53e78889e7
2020-05-16 14:26:55 Sat May 16 14:26:55 2020
2020-05-16 14:26:55 Jumpserver version 1.5.8, more see https://www.jumpserver.org
2020-05-16 14:26:55 Check database connection ...
users
 [ ] 0001_initial
 [ ] 0002_auto_20171225_1157_squashed_0019_auto_20190304_1459 (18 squashed migrations)
 [ ] 0020_auto_20190612_1825
 [ ] 0021_auto_20190625_1104
 [ ] 0022_auto_20190625_1105
 [ ] 0023_auto_20190724_1525
 [ ] 0024_auto_20191118_1612
 [ ] 0025_auto_20200206_1216
2020-05-16 14:26:59 Database connect success
2020-05-16 14:26:59 Check database structure change ...
2020-05-16 14:26:59 Migrate model change to database ...
Operations to perform:
  Apply all migrations: admin, applications, assets, audits, auth, authentication, captcha, common, contenttypes, django_cas_ng, django_celery_beat, ops, orgs, perms, sessions, settings, terminal, tickets, users
Running migrations:
  Applying contenttypes.0001_initial... OK
  Applying contenttypes.0002_remove_content_type_name... OK
  Applying auth.0001_initial... OK
  Applying auth.0002_alter_permission_name_max_length... OK
  Applying auth.0003_alter_user_email_max_length... OK
  Applying auth.0004_alter_user_username_opts... OK
  Applying auth.0005_alter_user_last_login_null... OK
  Applying auth.0006_require_contenttypes_0002... OK
  Applying auth.0007_alter_validators_add_error_messages... OK
  Applying auth.0008_alter_user_username_max_length... OK
  Applying users.0001_initial... OK
  Applying admin.0001_initial... OK
  Applying admin.0002_logentry_remove_auto_add... OK
  Applying admin.0003_logentry_add_action_flag_choices... OK
  Applying users.0002_auto_20171225_1157_squashed_0019_auto_20190304_1459... OK
  Applying assets.0001_initial... OK
  Applying perms.0001_initial... OK
  Applying assets.0002_auto_20180105_1807_squashed_0009_auto_20180307_1212... OK
  Applying assets.0010_auto_20180307_1749_squashed_0019_auto_20180816_1320... OK
  Applying perms.0002_auto_20171228_0025_squashed_0009_auto_20180903_1132... OK
  Applying perms.0003_action... OK
  Applying perms.0004_assetpermission_actions... OK
  Applying assets.0020_auto_20180816_1652... OK
  Applying assets.0021_auto_20180903_1132... OK
  Applying assets.0022_auto_20181012_1717... OK
  Applying assets.0023_auto_20181016_1650... OK
  Applying assets.0024_auto_20181219_1614... OK
  Applying assets.0025_auto_20190221_1902... OK
  Applying assets.0026_auto_20190325_2035... OK
  Applying applications.0001_initial... OK
  Applying perms.0005_auto_20190521_1619... OK
  Applying perms.0006_auto_20190628_1921... OK
  Applying perms.0007_remove_assetpermission_actions... OK
  Applying perms.0008_auto_20190911_1907... OK
  Applying assets.0027_auto_20190521_1703... OK
  Applying assets.0028_protocol... OK
  Applying assets.0029_auto_20190522_1114... OK
  Applying assets.0030_auto_20190619_1135... OK
  Applying assets.0031_auto_20190621_1332... OK
  Applying assets.0032_auto_20190624_2108... OK
  Applying assets.0033_auto_20190624_2108... OK
  Applying assets.0034_auto_20190705_1348... OK
  Applying assets.0035_auto_20190711_2018... OK
  Applying assets.0036_auto_20190716_1535... OK
  Applying assets.0037_auto_20190724_2002... OK
  Applying assets.0038_auto_20190911_1634... OK
  Applying perms.0009_remoteapppermission_system_users... OK
  Applying applications.0002_remove_remoteapp_system_user... OK
  Applying applications.0003_auto_20191210_1659... OK
  Applying applications.0004_auto_20191218_1705... OK
  Applying assets.0039_authbook_is_active... OK
  Applying assets.0040_auto_20190917_2056... OK
  Applying assets.0041_gathereduser... OK
  Applying assets.0042_favoriteasset... OK
  Applying assets.0043_auto_20191114_1111... OK
  Applying assets.0044_platform... OK
  Applying assets.0045_auto_20191206_1607... OK
  Applying assets.0046_auto_20191218_1705... OK
  Applying assets.0047_assetuser... OK
  Applying assets.0048_auto_20191230_1512... OK
  Applying assets.0049_systemuser_sftp_root... OK
  Applying audits.0001_initial... OK
  Applying audits.0002_ftplog_org_id... OK
  Applying audits.0003_auto_20180816_1652... OK
  Applying audits.0004_operatelog_passwordchangelog_userloginlog... OK
  Applying audits.0005_auto_20190228_1715... OK
  Applying audits.0006_auto_20190726_1753... OK
  Applying audits.0007_auto_20191202_1010... OK
  Applying auth.0009_alter_user_last_name_max_length... OK
  Applying auth.0010_alter_group_name_max_length... OK
  Applying auth.0011_update_proxy_permissions... OK
  Applying authentication.0001_initial... OK
  Applying authentication.0002_auto_20190729_1423... OK
  Applying authentication.0003_loginconfirmsetting... OK
  Applying captcha.0001_initial... OK
  Applying common.0001_initial... OK
  Applying common.0002_auto_20180111_1407... OK
  Applying common.0003_setting_category... OK
  Applying common.0004_setting_encrypted... OK
  Applying common.0005_auto_20190221_1902... OK
  Applying common.0006_auto_20190304_1515... OK
  Applying django_cas_ng.0001_initial... OK
  Applying django_celery_beat.0001_initial... OK
  Applying django_celery_beat.0002_auto_20161118_0346... OK
  Applying django_celery_beat.0003_auto_20161209_0049... OK
  Applying django_celery_beat.0004_auto_20170221_0000... OK
  Applying django_celery_beat.0005_add_solarschedule_events_choices_squashed_0009_merge_20181012_1416... OK
  Applying django_celery_beat.0006_periodictask_priority... OK
  Applying ops.0001_initial... OK
  Applying ops.0002_celerytask... OK
  Applying ops.0003_auto_20181207_1744... OK
  Applying ops.0004_adhoc_run_as... OK
  Applying ops.0005_auto_20181219_1807... OK
  Applying ops.0006_auto_20190318_1023... OK
  Applying ops.0007_auto_20190724_2002... OK
  Applying ops.0008_auto_20190919_2100... OK
  Applying ops.0009_auto_20191217_1713... OK
  Applying ops.0010_auto_20191217_1758... OK
  Applying ops.0011_auto_20200106_1534... OK
  Applying ops.0012_auto_20200108_1659... OK
  Applying ops.0013_auto_20200108_1706... OK
  Applying ops.0014_auto_20200108_1749... OK
  Applying ops.0015_auto_20200108_1809... OK
  Applying ops.0016_commandexecution_org_id... OK
  Applying ops.0017_auto_20200306_1747... OK
  Applying orgs.0001_initial... OK
  Applying orgs.0002_auto_20180903_1132... OK
  Applying orgs.0003_auto_20190916_1057... OK
  Applying users.0020_auto_20190612_1825... OK
  Applying users.0021_auto_20190625_1104... OK
  Applying users.0022_auto_20190625_1105... OK
  Applying users.0023_auto_20190724_1525... OK
  Applying users.0024_auto_20191118_1612... OK
  Applying perms.0010_auto_20191218_1705... OK
  Applying sessions.0001_initial... OK
  Applying settings.0001_initial... OK
  Applying terminal.0001_initial... OK
  Applying terminal.0002_auto_20171228_0025_squashed_0009_auto_20180326_0957... OK
  Applying terminal.0010_auto_20180423_1140... OK
  Applying terminal.0011_auto_20180807_1116... OK
  Applying terminal.0012_auto_20180816_1652... OK
  Applying terminal.0013_auto_20181123_1113... OK
  Applying terminal.0014_auto_20181226_1441... OK
  Applying terminal.0015_auto_20190923_1529... OK
  Applying terminal.0016_commandstorage_replaystorage... OK
  Applying terminal.0017_auto_20191125_0931... OK
  Applying terminal.0018_auto_20191202_1010... OK
  Applying terminal.0019_auto_20191206_1000... OK
  Applying terminal.0020_auto_20191218_1721... OK
  Applying terminal.0021_auto_20200213_1316... OK
  Applying terminal.0022_session_is_success... OK
  Applying terminal.0023_command_risk_level... OK
  Applying tickets.0001_initial... OK
  Applying users.0025_auto_20200206_1216... OK
2020-05-16 14:27:15 Collect static files
2020-05-16 14:27:17 Collect static files done
guacd[104]: INFO: Guacamole proxy daemon (guacd) version 1.0.0 started
Starting guacd: SUCCESS
Tomcat started.
Jumpserver ALL 1.5.8
官網 http://www.jumpserver.org
文檔 http://docs.jumpserver.org
有問題請參考 http://docs.jumpserver.org/zh/docs/faq.html
進入容器命令 docker exec -it jms_all /bin/bash
6>.Access the JumpServer web UI
[root@yinzhengjie.com ~]# ss -ntl
State      Recv-Q Send-Q Local Address:Port
LISTEN     0      50           *:3306
LISTEN     0      511    172.200.1.254:6379
LISTEN     0      128          *:22
LISTEN     0      20480       :::2222
LISTEN     0      20480       :::80
LISTEN     0      128         :::22
[root@yinzhengjie.com ~]#
[root@yinzhengjie.com ~]# hostname -i
172.200.1.254
[root@yinzhengjie.com ~]#
7>.JumpServer deployed successfully
8>.Recommended reading from the blogger
JumpServer user management: https://www.cnblogs.com/yinzhengjie/p/12380734.html
JumpServer asset management: https://www.cnblogs.com/yinzhengjie/p/12386493.html
JumpServer permission management: https://www.cnblogs.com/yinzhengjie/p/12764722.html
JumpServer session management and a command-filter use case: https://www.cnblogs.com/yinzhengjie/p/12811794.html