JumpServer deployment and usage

JumpServer deployment notes:

This installation uses the latest release, v2.13.2, and follows the official documentation (https://jumpserver.readthedocs.io/zh/master/install/setup_by_fast/).

Note: the database is an external (non-container) database; all other components are deployed as containers.

Deployment steps

1. Install the database
CentOS 7 ships with an old version of MariaDB by default, and the old version must be removed before the new one is installed. Some systems also come with MySQL installed; it must be removed as well, otherwise it conflicts with MariaDB. The command sequence is as follows.

Find the existing packages and remove them with yum remove:

```shell
rpm -qa | grep mariadb
# remove each package listed above with: yum remove <package>
```

Create MariaDB.repo:

```ini
[mariadb]
name = MariaDB
baseurl = http://mirrors.aliyun.com/mariadb/yum/10.3/centos7-amd64/
gpgkey = http://mirrors.aliyun.com/mariadb/yum/RPM-GPG-KEY-MariaDB
gpgcheck = 1
```

Install, start, and enable at boot:

```shell
yum install MariaDB-server MariaDB-client
systemctl start mariadb
systemctl enable mariadb
```

Do the basic MariaDB setup (set the root password, remove anonymous users, and so on, following the prompts):

```shell
mysql_secure_installation
```

Log in to test:

```shell
mysql -u root -p
```

Create the jumpserver database and the jumpserver user:

```sql
create database jumpserver default charset 'utf8';
create user jumpserver@127.0.0.1 identified by 'passwd';
grant all privileges on jumpserver.* to jumpserver@127.0.0.1 identified by 'passwd';
grant all privileges on *.* to 'jumpserver'@'%' identified by 'passwd';
FLUSH PRIVILEGES;
```

2. Install JumpServer
The official site offers several deployment methods; here the manual method is used. The main change is pointing the database settings at the external database.

```shell
cd /opt
wget https://github.com/jumpserver/installer/releases/download/v2.13.2/jumpserver-installer-v2.13.2.tar.gz
tar -xf jumpserver-installer-v2.13.2.tar.gz
cd jumpserver-installer-v2.13.2
# Edit the configuration template as needed; settings whose purpose is unclear can be left alone
cat config-example.txt
```

The template as shipped (comments translated):

```ini
# If the settings below are left empty, the system generates random strings for them
## When migrating, set SECRET_KEY and BOOTSTRAP_TOKEN to the original values
## Full parameter reference: https://docs.jumpserver.org/zh/master/admin-guide/env/
## Install settings: amd64 uses the Huawei Cloud mirror for faster downloads by default; on arm64 comment out DOCKER_IMAGE_PREFIX=swr.cn-south-1.myhuaweicloud.com
# DOCKER_IMAGE_PREFIX=swr.cn-south-1.myhuaweicloud.com
VOLUME_DIR=/opt/jumpserver
DOCKER_DIR=/var/lib/docker
SECRET_KEY=
BOOTSTRAP_TOKEN=
LOG_LEVEL=ERROR
## MySQL settings; USE_EXTERNAL_MYSQL=1 means an external database is used, fill in the correct MySQL details
USE_EXTERNAL_MYSQL=0
DB_HOST=mysql
DB_PORT=3306
DB_USER=root
DB_PASSWORD=
DB_NAME=jumpserver
## Redis settings; USE_EXTERNAL_REDIS=1 means an external Redis is used, fill in the correct Redis details
USE_EXTERNAL_REDIS=0
REDIS_HOST=redis
REDIS_PORT=6379
REDIS_PASSWORD=
## Compose project settings; if the 192.168.250.0/24 subnet conflicts with your existing network, change it and restart JumpServer
COMPOSE_PROJECT_NAME=jms
COMPOSE_HTTP_TIMEOUT=3600
DOCKER_CLIENT_TIMEOUT=3600
DOCKER_SUBNET=192.168.250.0/24
## IPv6 settings: whether the containers enable IPv6 NAT; USE_IPV6=1 enables it, with 0 the DOCKER_SUBNET_IPV6 setting has no effect
USE_IPV6=0
DOCKER_SUBNET_IPV6=2001:db8:10::/64
## Nginx settings; USE_LB=1 enables it, with 0 the HTTPS_PORT setting has no effect
HTTP_PORT=80
SSH_PORT=2222
RDP_PORT=3389
USE_LB=0
HTTPS_PORT=443
## Task settings: whether to start the jms_celery container; must be enabled on a single node
USE_TASK=1
## XPack; USE_XPACK=1 enables it, has no effect in the open-source edition
USE_XPACK=0
# Core settings, session definitions: SESSION_COOKIE_AGE is the idle time in seconds after which the session expires; SESSION_EXPIRE_AT_BROWSER_CLOSE=true means the session expires when the browser is closed
# SESSION_COOKIE_AGE=86400
SESSION_EXPIRE_AT_BROWSER_CLOSE=true
# Koko, Lion and XRDP component settings
CORE_HOST=http://core:8080
# Extra settings
CURRENT_VERSION=
```

Install, following the prompts; when asked about the database, choose the external database:

```shell
./jmsctl.sh install
```

Start:

```shell
./jmsctl.sh start
```

By default JumpServer is installed to /opt/jumpserver; after installation the configuration file is /opt/jumpserver/config/config.txt.

Commonly used commands:

```shell
cd /opt/jumpserver-installer-v2.13.2
# start
./jmsctl.sh start
# stop
./jmsctl.sh down
# uninstall
./jmsctl.sh uninstall
# help
./jmsctl.sh -h
```

check_update: check JumpServer for a newer version

```
[root@localhost jumpserver-installer-v2.13.2]# ./jmsctl.sh check_update
当前版本已是最新: v2.13.2
```

backup_db: back up the database

```
[root@localhost jumpserver-installer-v2.13.2]# ./jmsctl.sh backup_db
正在备份...
mysqldump: [Warning] Using a password on the command line interface can be insecure.
[SUCCESS] 备份成功! 备份文件已存放至: /opt/jumpserver/db_backup/jumpserver-v2.13.2-2021-09-13_09:49:39.sql
```

status: check JumpServer

```
[root@localhost jumpserver-installer-v2.13.2]# ./jmsctl.sh status
   Name                 Command                  State                      Ports
---------------------------------------------------------------------------------------------
jms_celery   ./entrypoint.sh start task       Up (healthy)   8070/tcp, 8080/tcp
jms_core     ./entrypoint.sh start web        Up (healthy)   8070/tcp, 8080/tcp
jms_koko     ./entrypoint.sh                  Up (healthy)   0.0.0.0:2222->2222/tcp, 5000/tcp
jms_lion     /usr/bin/supervisord             Up (healthy)   4822/tcp
jms_redis    docker-entrypoint.sh redis ...   Up (healthy)   6379/tcp
jms_web      /docker-entrypoint.sh ngin ...   Up (healthy)   0.0.0.0:80->80/tcp
```

tail [service]: view logs

```shell
./jmsctl.sh tail jms_web
```

The containers can be seen with docker ps:

```
CONTAINER ID   IMAGE                       COMMAND                  CREATED        STATUS                  PORTS                              NAMES
534d2612080a   jumpserver/koko:v2.13.2     "./entrypoint.sh"        2 hours ago    Up 2 hours (healthy)    0.0.0.0:2222->2222/tcp, 5000/tcp   jms_koko
4048af6cf657   jumpserver/web:v2.13.2      "/docker-entrypoint.…"   2 hours ago    Up 2 hours (healthy)    0.0.0.0:80->80/tcp                 jms_web
31dce29019c6   jumpserver/core:v2.13.2     "./entrypoint.sh sta…"   2 hours ago    Up 2 hours (healthy)    8070/tcp, 8080/tcp                 jms_celery
c13025a1e708   jumpserver/lion:v2.13.2     "/usr/bin/supervisord"   2 hours ago    Up 2 hours (healthy)    4822/tcp                           jms_lion
c1822b9c6450   jumpserver/core:v2.13.2     "./entrypoint.sh sta…"   2 hours ago    Up 2 hours (healthy)    8070/tcp, 8080/tcp                 jms_core
4bb5b74d6e52   jumpserver/redis:6-alpine   "docker-entrypoint.s…"   13 hours ago   Up 13 hours (healthy)   6379/tcp                           jms_redis
```

View the status of each component:

```
[root@localhost config]# cd /opt/jumpserver-installer-v2.13.2
[root@localhost jumpserver-installer-v2.13.2]# ./jmsctl.sh status
```
3. Configure SSL and the IP whitelist

SSL can be configured with JumpServer's built-in nginx, or with a single external nginx proxy. Because nginx is also used to enforce an IP whitelist, the external nginx proxy is used here.

1. Deploy nginx

```shell
yum install nginx -y
# modify the configuration file to suit your needs
systemctl start nginx && systemctl enable nginx
```

2. Configure SSL

Remove the default.conf configuration and add your own:

```shell
vim /etc/nginx/conf.d/jumpserver.conf
```

```nginx
server {
    listen 443 ssl;
    server_name xxxxxxx;  # change to your domain name

    ssl_certificate /etc/nginx/ssl/cloud-control.crt;      # set your own certificate
    ssl_certificate_key /etc/nginx/ssl/cloud-control.key;  # set your own certificate key
    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;
    ssl_protocols TLSv1.1 TLSv1.2;
    add_header Strict-Transport-Security "max-age=63072000" always;

    client_max_body_size 4096m;  # size limit for session recordings and file uploads

    if ( $geo = 1 ) {
        return 403;
    }

    location / {
        # the ip here is the ip of the backend JumpServer nginx
        proxy_pass http://x.x.x.x;
        proxy_http_version 1.1;
        proxy_buffering off;
        proxy_request_buffering off;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

3. Configure the IP whitelist

The geo block goes in nginx.conf (it must sit inside the http block, outside any server block); the whitelist entries live in a separate included file:

```nginx
###################### nginx.conf (partial) ###################
geo $remote_addr $geo {
    default 1;
    include conf/jumpserver_whitelist.conf;
}
###################### nginx.conf (partial) ###################
```

```nginx
###################### conf/jumpserver_whitelist.conf ###################
192.168.0.0/24 0;
#
###################### conf/jumpserver_whitelist.conf ###################
```
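To see how the geo whitelist above decides each request, here is an added example (not from the original post or the JumpServer project) that emulates nginx's geo lookup over a constructed whitelist in the same `address value;` format as conf/jumpserver_whitelist.conf: the most specific matching prefix wins, anything unmatched gets the `default 1`, and the server block returns 403 whenever $geo is 1.

```python
import ipaddress

# Constructed sample allowlist in the conf/jumpserver_whitelist.conf format:
# "<address or CIDR> <value>;" per line, '#' starts a comment, value 0 = allowed.
SAMPLE_WHITELIST = """
# office network
192.168.0.0/24 0;
# one admin workstation outside that range
10.1.2.3 0;
# a quarantined host inside the office range stays blocked:
# nginx geo picks the most specific prefix, so this /32 beats the /24
192.168.0.250 1;
"""


def parse_whitelist(text):
    """Parse whitelist lines into a list of (network, value) tuples."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        addr, value = line.rstrip(";").split()
        # strict=False lets a bare host address parse as a /32 network
        entries.append((ipaddress.ip_network(addr, strict=False), int(value)))
    return entries


def geo_value(client_ip, entries, default=1):
    """Emulate 'geo $remote_addr $geo': longest matching prefix wins, else default."""
    ip = ipaddress.ip_address(client_ip)
    best = None
    for net, value in entries:
        if ip.version == net.version and ip in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, value)
    return default if best is None else best[1]


def is_allowed(client_ip, entries):
    """The server block returns 403 when $geo == 1, so only value 0 passes."""
    return geo_value(client_ip, entries) == 0


if __name__ == "__main__":
    rules = parse_whitelist(SAMPLE_WHITELIST)
    for client in ("192.168.0.10", "192.168.0.250", "10.1.2.3", "8.8.8.8"):
        print(client, "allowed" if is_allowed(client, rules) else "403")
```

Because the block is declared as `geo $remote_addr`, it matches the TCP peer address; if another proxy or load balancer sits in front of this nginx, every client will appear with that proxy's address and the whitelist will not behave as intended.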