JumpServer v2 / v3 offline installation with Docker Compose: single host and high availability
About JumpServer
JumpServer is a brand of FIT2CLOUD (飞致云).
JumpServer is an open-source bastion host: an operations security audit system that provides authentication, authorization control, account management and security auditing, helping enterprises quickly build operations security audit capability.
JumpServer is developed in Python and ships with an industry-leading Web Terminal; the interface is polished and the user experience is good.
JumpServer uses a distributed architecture, supports multi-datacenter cross-region deployment and horizontal scaling, and has no limit on the number of assets or concurrent sessions.
Official website
Online demo
Current latest versions
v3.10.7-lts
2024-03-27 10:25:04
v3.10.5-lts
2024-03-05 16:43:19
v2.28.21
2023-10-26 18:28:00
Maintenance for JumpServer v2 (Community Edition) ended on 31 December 2023; maintenance for v2 (Enterprise Edition) ends on 31 December 2025. Installing v3 is recommended.
The Enterprise Edition includes the X-Pack add-on and is billed annually by number of assets.
https://www.fit2cloud.com/jumpserver/enterprise.html
Recent vulnerabilities
Insecure direct object reference (IDOR) in the bulk file transfer feature of JumpServer Job Management, CVE-2024-29024
Affected: JumpServer v3.0.0 - v3.10.6
JumpServer password reset vulnerability (CVE-2023-42820):
2.24 <= jumpserver v2.x <= 2.28.20
jumpserver v3.x <= 3.6.4
JumpServer arbitrary password reset vulnerability (CVE-2023-43650):
2.24 <= jumpserver v2.x <= 2.28.20
jumpserver v3.x <= 3.6.4
JumpServer directory traversal vulnerability (CVE-2023-42819):
3.0.0 <= jumpserver <= 3.6.4
JumpServer koko remote command execution vulnerability (CVE-2023-43651):
2.24 <= jumpserver v2.x <= 2.28.20
jumpserver v3.x <= 3.6.4
Environment requirements
- Linux x86_64
- Kernel newer than 4.0
- Python >= 3.8 (the version must be at least 3.6)
- MySQL >= 5.7 (the version must be newer than 5.6); TLS/SSL required
- Redis >= 6; Sentinel is supported, Cluster is not; TLS/SSL required
The all-in-one deployment does not support the Client-related features; it can only be used through the pure B/S (browser) web UI.
- An external database requires MariaDB >= 10.6;
- An external Redis requires Redis >= 6.2.
Component projects
Project: Description
Lina: JumpServer Web UI project
Luna: JumpServer Web Terminal project. Lina and Luna are pure static files and are served together by nginx.
KoKo: JumpServer character-protocol Connector project, replacing the earlier Python Coco.
The koko component implements an SSH server and a Web Terminal server and provides SSH and WebSocket interfaces; it was developed with Paramiko and Flask and lets you type commands in the browser the way you would in Xshell. It is written in Go and performs better than the earlier coco component (written in Python).
Lion: JumpServer graphical-protocol Connector project, depends on Apache Guacamole.
Guacamole is the component for RDP and VNC assets; users connect to RDP and VNC assets through the Web Terminal (for now they can only be reached through the Web Terminal).
Magnus: JumpServer database proxy Connector project
Clients: JumpServer client project
Installer: JumpServer installer package project
Ports
JumpServer default web port is 8080/tcp and default WS port is 8070/tcp; configuration file jumpserver/config.yml
koko default SSH port is 2222/tcp and default Web Terminal port is 5000/tcp; configuration file koko/config.yml
Guacamole default port is 8081/tcp; configuration file /config/tomcat9/conf/server.xml
Nginx default port is 80/tcp
Redis default port is 6379/tcp
MySQL default port is 3306/tcp
Installation methods
Deploying the JumpServer bastion host on Linux, with a summary of problems:
https://blog.csdn.net/weixin_48878440/article/details/130836286?utm_medium=distribute.pc_relevant.none-task-blog-2~default~baidujs_baidulandingword~default-1-130836286-blog-98357973.235^v43^pc_blog_bottom_relevance_base1&spm=1001.2101.3001.4242.2&utm_relevant_index=4
[Quick install] https://docs.jumpserver.org/zh/master/install/setup_by_fast/
[Load-balanced install] https://docs.jumpserver.org/zh/master/install/setup_by_lb/
[Build from source] https://docs.jumpserver.org/zh/master/dev/build/#_5
- Method 1: the standard install, available online and offline. The online install simply downloads the package and then performs an offline install. Docker Compose manages the containers; MySQL and Redis can be bundled or external. After installation the ./jmsctl.sh script controls the services.
- Method 2: the all-in-one Dockerfile packs every service except the DB into one container, which you manage with docker itself; it does not support the Client-related features.
- Method 3: Helm, for installing into Kubernetes.
- Method 4: build and install each component from source.
This post uses method 1, the standard offline install:
Standard offline install with bundled MySQL
Standard offline install with external MySQL
Basic preparation
System
cat /etc/redhat-release
Rocky Linux release 9.3 (Blue Onyx)
SELinux
sestatus
cat /etc/selinux/config
sed -i '/^SELINUX=/c SELINUX=disabled' /etc/selinux/config
setenforce 0
NIC IP address
ip a
Before Rocky Linux 9
File path: /etc/sysconfig/network-scripts/
File name format: ifcfg-ens33
Rocky Linux 9 and later
/etc/NetworkManager/system-connections/
ens33.nmconnection
cat /etc/NetworkManager/system-connections/ens3.nmconnection
systemctl status NetworkManager   # check NetworkManager status
systemctl restart NetworkManager  # start NetworkManager
ping www.baidu.com
Change the hostname
hostnamectl set-hostname jump1
Configure the time zone and NTP
timedatectl
timedatectl set-timezone Asia/Shanghai
cat /etc/chrony.conf |grep server
IP forwarding and kernel tuning
modprobe br_netfilter
cat > /etc/sysctl.d/k8s.conf << EOF
net.ipv4.tcp_keepalive_time=600
net.ipv4.tcp_keepalive_intvl=30
net.ipv4.tcp_keepalive_probes=10
net.ipv6.conf.all.disable_ipv6=1
net.ipv6.conf.default.disable_ipv6=1
net.ipv6.conf.lo.disable_ipv6=1
net.ipv4.neigh.default.gc_stale_time=120
net.ipv4.conf.all.rp_filter=0
net.ipv4.conf.default.rp_filter=0
net.ipv4.conf.default.arp_announce=2
net.ipv4.conf.lo.arp_announce=2
net.ipv4.conf.all.arp_announce=2
net.ipv4.ip_local_port_range= 32768 60999
net.ipv4.ip_forward=1
net.ipv4.tcp_tw_recycle=0
net.ipv4.tcp_tw_reuse=0
net.ipv4.tcp_max_tw_buckets=6000
net.ipv4.tcp_syncookies=1
net.ipv4.tcp_synack_retries=2
net.bridge.bridge-nf-call-ip6tables=1
net.bridge.bridge-nf-call-iptables=1
net.netfilter.nf_conntrack_max=2310720
#net.netfilter.nf_conntrack_tcp_timeout_established=300
#net.netfilter.nf_conntrack_buckets=655360
net.ipv4.neigh.default.gc_thresh1=1024
net.ipv4.neigh.default.gc_thresh2=4096
net.ipv4.neigh.default.gc_thresh3=8192
net.ipv6.neigh.default.gc_thresh1=8192
net.ipv6.neigh.default.gc_thresh2=32768
net.ipv6.neigh.default.gc_thresh3=65536
net.core.netdev_max_backlog=16384
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.ipv4.tcp_max_syn_backlog = 8096
net.core.somaxconn = 32768
fs.inotify.max_user_instances=8192
fs.inotify.max_user_watches=524288
fs.file-max=52706963
fs.nr_open=52706963
kernel.pid_max = 4194303
net.bridge.bridge-nf-call-arptables=1
vm.swappiness=0
vm.overcommit_memory=1
vm.panic_on_oom=0
vm.max_map_count = 262144
EOF
sysctl -p
sysctl --system
sysctl -a|grep vm.max_map_count
Host ulimit
cat /etc/security/limits.conf
cat > /etc/security/limits.d/20-nofile.conf <<EOF
root soft nofile 65535
root hard nofile 65535
* soft nofile 65535
* hard nofile 65535
EOF
cat > /etc/security/limits.d/20-nproc.conf <<EOF
* - nproc 65535
root soft nproc unlimited
root hard nproc unlimited
EOF
echo "ulimit -HSn 65535" >> /etc/rc.local
ulimit -a
sysctl -p
system.conf
cat /etc/systemd/system.conf|grep DefaultLimitNOFILE
vi /etc/systemd/system.conf
DefaultLimitNOFILE=65335
Or replace it with sed
cat /etc/systemd/system.conf|grep DefaultLimitNOFILE
sed -n 's/#DefaultLimitNOFILE=/DefaultLimitNOFILE=65335/p' /etc/systemd/system.conf
sed -i 's/^#DefaultLimitNOFILE=/DefaultLimitNOFILE=65335/' /etc/systemd/system.conf
# Rocky 9
sed -n 's/#DefaultLimitNOFILE=1024/DefaultLimitNOFILE=65335/p' /etc/systemd/system.conf
sed -i 's/^#DefaultLimitNOFILE=1024/DefaultLimitNOFILE=65335/' /etc/systemd/system.conf
systemctl daemon-reexec
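The tuning above only helps if it is actually in effect after a reboot, and the sysctl file mixes the "key=value" and "key = value" forms, which a naive grep misreads. The following script is an added example, not part of the original post or of the JumpServer installer: it parses a sysctl-style file, reads each key back from /proc/sys, reports drift, and checks the shell's open-file limit. The file path in the usage comment is an assumption; it can be run as any user.

```shell
#!/bin/sh
# Added example (not part of the original post or of the JumpServer
# installer): read the kernel and open-file tuning back from the live
# system and report any key whose value differs from the config file.
# Assumed input: a sysctl-style file such as /etc/sysctl.d/k8s.conf.

# Parse a sysctl-style file on stdin ("key=value" or "key = value",
# '#' comments, blank lines) into "key value" lines.
parse_sysctl_conf() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        {
            eq = index($0, "=")
            if (eq == 0) next
            key = substr($0, 1, eq - 1)
            val = substr($0, eq + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", key)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
            print key, val
        }'
}

# Map a sysctl key to the /proc/sys file holding its live value.
sysctl_key_to_path() {
    printf '/proc/sys/%s\n' "$(printf '%s' "$1" | tr '.' '/')"
}

# Compare two values ignoring whitespace differences, e.g. the tab in
# /proc/sys/net/ipv4/ip_local_port_range versus the space in the file.
values_match() {
    a=$(printf '%s' "$1" | tr -s '[:space:]' ' ' | sed 's/^ //;s/ $//')
    b=$(printf '%s' "$2" | tr -s '[:space:]' ' ' | sed 's/^ //;s/ $//')
    [ "$a" = "$b" ]
}

# Compare every key in the file with the live kernel value. Prints one
# line per key; returns 0 only if every readable key matches.
check_sysctl_file() {
    tmp=$(mktemp) || return 2
    parse_sysctl_conf < "$1" > "$tmp"
    rc=0
    while read -r key expected; do
        path=$(sysctl_key_to_path "$key")
        if [ ! -r "$path" ]; then
            printf 'SKIP  %s (no %s on this kernel)\n' "$key" "$path"
            continue
        fi
        live=$(cat "$path")
        if values_match "$expected" "$live"; then
            printf 'OK    %s = %s\n' "$key" "$expected"
        else
            printf 'DRIFT %s expected [%s] live [%s]\n' "$key" "$expected" "$live"
            rc=1
        fi
    done < "$tmp"
    rm -f "$tmp"
    return $rc
}

# Check the soft open-files limit of the current shell against the value
# written to limits.d / DefaultLimitNOFILE (65535 in this post).
check_nofile_limit() {
    n=$(ulimit -n)
    [ "$n" = unlimited ] || [ "$n" -ge "$1" ]
}

# Usage: check_sysctl_file /etc/sysctl.d/k8s.conf; check_nofile_limit 65535
```

A DRIFT line after a reboot usually means the file was never loaded (`sysctl --system` not re-run, or a later file in sysctl.d overriding the key); a failing nofile check from inside a container means the containerd/docker unit limit, not the host's limits.d, is what applies.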
Enable legacy crypto compatibility on Rocky 9
So that SSH can interoperate between old and new versions. Note that the LEGACY policy re-enables weaker algorithms (such as SHA-1 signatures) system-wide, not only for SSH; switch back to DEFAULT once the old peers have been upgraded.
update-crypto-policies --show
update-crypto-policies --set LEGACY
Set swappiness (optional)
swappiness controls the relative weight given to swapping out runtime memory; too much swapping makes GC pause times spike.
Temporary setting:
sysctl -w vm.swappiness=10
cat /proc/sys/vm/swappiness
Permanent setting:
echo vm.swappiness = 10 >> /etc/sysctl.conf
Disable transparent huge pages (optional)
Temporary command 1:
echo never > /sys/kernel/mm/transparent_hugepage/enabled
Temporary command 2:
echo never > /sys/kernel/mm/transparent_hugepage/defrag
Permanent: write the setting to a config file so it takes effect after reboot.
vi /etc/rc.d/rc.local
if test -f /sys/kernel/mm/transparent_hugepage/enabled;
then echo never > /sys/kernel/mm/transparent_hugepage/enabled
fi
if test -f /sys/kernel/mm/transparent_hugepage/defrag;
then echo never > /sys/kernel/mm/transparent_hugepage/defrag
fi
chmod +x /etc/rc.d/rc.local
yum
On RHEL 8 / CentOS 8 the package manager DNF (Dandified YUM) is the default.
The [yum] command still exists as a link to [dnf], so [yum] and [dnf] can be used interchangeably.
# set the mirror variable
MIRROR=mirrors.aliyun.com/rockylinux
# rewrite the repo files
sed -i.bak \
-e "s|^mirrorlist=|#mirrorlist=|" \
-e "s|^#baseurl=|baseurl=|" \
-e "s|dl.rockylinux.org/\$contentdir|$MIRROR|" \
/etc/yum.repos.d/rocky*.repo
Refresh the cache
#yum makecache
#yum list
dnf makecache
dnf list
Install base packages
dnf install -y bash-completion vim lrzsz expect net-tools nc nmap tree dos2unix iotop unzip openldap-devel
dnf install -y wget curl telnet make gcc perl rpm-build zlib zlib-devel gcc-c++ make autoconf automake pcre-devel pam-devel
dnf install -y gettext iptables iptables-services
dnf install -y glibc # optional
dnf install -y openssl openssl-devel # optional
Disable the built-in firewalld and switch to iptables
systemctl stop firewalld
systemctl mask firewalld
systemctl disable firewalld
# show current firewalld status
systemctl status firewalld
Enable iptables
# enable at boot
systemctl enable iptables
# start iptables
systemctl start iptables
# show current iptables status
systemctl status iptables.service
# open ports (trim to your needs)
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
Remove the reject-with icmp-host-prohibited rules from iptables; they interfere with MySQL connections
iptables -D INPUT -j REJECT --reject-with icmp-host-prohibited
iptables -D FORWARD -j REJECT --reject-with icmp-host-prohibited
iptables -nL
# save the firewall configuration
service iptables save
# default policy
#iptables -P INPUT DROP   # set the filter table INPUT default policy to DROP
On the internal network the default policy is not set to DROP here; everything is allowed by default.
# list active services
systemctl -t service
Install python-pip
It can be installed manually here, or the install script installs it automatically.
python -V
Python 3.9.18
dnf install python-pip
pip -V
pip 21.2.3 from /usr/lib/python3.9/site-packages/pip (python 3.9)
ssh -V
OpenSSH_8.7p1, OpenSSL 3.0.7 1 Nov 2022
Switch the pip3 index
mkdir ~/.pip && cat > ~/.pip/pip.conf <<EOF
[global]
index-url = https://mirrors.aliyun.com/pypi/simple/
[install]
trusted-host = mirrors.aliyun.com
EOF
Install docker
cd && mkdir src && cd src
The convenience script fails:
curl -fsSL https://get.docker.com -o install-docker.sh
sh install-docker.sh --dry-run --mirror Aliyun
ERROR: Unsupported distribution 'rocky'
Add the docker user and group
vi /etc/group
Set the docker gid to 1000
groupadd -g 1000 docker
useradd -u 1000 -g docker -s /sbin/nologin docker
usermod -a -G docker andychu
Membership of the docker group is equivalent to root on the host, so only add accounts that are meant to administer the machine.
Install yum-utils
dnf install yum-utils
Add the docker repository
dnf config-manager \
--add-repo \
https://download.docker.com/linux/centos/docker-ce.repo
Install the latest docker
# installs Docker Engine, containerd and Docker Compose
dnf install docker-ce docker-ce-cli containerd.io docker-compose-plugin -y
Add docker-compose to PATH
echo 'export PATH="/usr/libexec/docker/cli-plugins:$PATH"' >> /etc/profile
# load the environment variable
source /etc/profile
Add a symlink
ln -s /usr/libexec/docker/cli-plugins/docker-compose /usr/bin/
Switch docker to the domestic Tencent registry mirror
mkdir -p /etc/docker
cd /etc/docker
tee /etc/docker/daemon.json<<-'EOF'
{
"registry-mirrors": [
"https://mirror.ccs.tencentyun.com"
]
}
EOF
cat /etc/docker/daemon.json
Raise the limits
# containerd.service
sed -i 's/LimitNOFILE=infinity/LimitNOFILE=65535/' /usr/lib/systemd/system/containerd.service
systemctl daemon-reload
systemctl restart containerd
docker service
# reload the daemon
systemctl daemon-reload
# start docker
systemctl start docker
# check that docker started
ps -ef|grep docker
# start the docker service at boot
systemctl enable docker.service
# show docker info
docker info
Client: Docker Engine - Community
Version: 25.0.3
Context: default
Debug Mode: false
Plugins:
buildx: Docker Buildx (Docker Inc.)
Version: v0.12.1
Path: /usr/libexec/docker/cli-plugins/docker-buildx
compose: Docker Compose (Docker Inc.)
Version: v2.24.6
Path: /usr/libexec/docker/cli-plugins/docker-compose
Verify the installation
docker-compose --version
Docker Compose version v2.24.6
Docker log file: /var/log/docker
Download JumpServer
Choose the version you want; for this test both are downloaded.
https://github.com/jumpserver/installer
Downloading the offline package requires registering an account.
https://community.fit2cloud.com/#/download/jumpserver/v2-28-21
https://community.fit2cloud.com/#/download/jumpserver/v3-10-5-lts
wget "https://cdn0-download-offline-installer.fit2cloud.com/jumpserver/jumpserver-offline-installer-v2.28.21-amd64.tar.gz" -O jumpserver-offline-installer-v2.28.21-amd64.tar.gz
wget "https://cdn0-download-offline-installer.fit2cloud.com/jumpserver/jumpserver-offline-installer-v3.10.5-amd64.tar.gz" -O jumpserver-offline-installer-v3.10.5-amd64.tar.gz
Note: JumpServer v3.0.0 - v3.10.6 contain known vulnerabilities; use the latest version.
jumpserver-offline-installer-v2.28.21 offline single-host install with the bundled database
Extract to /opt
tar zxf jumpserver-offline-installer-v2.28.21-amd64.tar.gz -C /opt/
cd /opt
ln -s jumpserver-offline-installer-v2.28.21-amd64 jumpserver
cd /opt/jumpserver-offline-installer-v2.28.21-amd64/
cat config-example.txt
# JumpServer configuration file example.
#
# If you do not know what a setting is for you can skip editing this file; the system fills it in automatically.
# Full parameter documentation: https://docs.jumpserver.org/zh/master/admin-guide/env/
################################## Image settings ###################################
#
# Connecting to docker.io from inside China times out or is slow; enable this to use the Huawei Cloud mirror.
# Replaces DOCKER_IMAGE_PREFIX from older versions.
#
# DOCKER_IMAGE_MIRROR=1
################################## Install settings ###################################
#
# JumpServer persistent data directory; by default recordings and task logs live here.
# Adjust to your situation; database dumps (.sql) and config files backed up during upgrades are also saved here.
#
VOLUME_DIR=/data/jumpserver
# Encryption key. When migrating keep SECRET_KEY identical to the old environment; do not use special characters.
# (*) Warning: Keep this value secret.
# (*) Never disclose SECRET_KEY to anyone.
#
SECRET_KEY=
# Token the components use to register with core. When migrating keep BOOTSTRAP_TOKEN identical to the old environment;
# do not use special characters.
# (*) Warning: Keep this value secret.
# (*) Never disclose BOOTSTRAP_TOKEN to anyone.
#
BOOTSTRAP_TOKEN=
# Log level: INFO, WARN, ERROR
#
LOG_LEVEL=ERROR
# Subnet used by the JumpServer containers; must not conflict with existing networks, adjust as needed.
#
DOCKER_SUBNET=192.168.250.0/24
# IPv6 NAT; normally not needed.
# If the host does not support IPv6, enabling this makes the real client IP address unobtainable.
#
USE_IPV6=0
DOCKER_SUBNET_IPV6=fc00:1010:1111:200::/64
################################# MySQL settings ##################################
# For an external MySQL enter the correct MySQL details; the bundled MySQL is handled automatically.
#
DB_HOST=mysql
DB_PORT=3306
DB_USER=root
DB_PASSWORD=
DB_NAME=jumpserver
# If the external MySQL requires a TLS/SSL connection, see https://docs.jumpserver.org/zh/master/install/install_security/#ssl
#
# DB_USE_SSL=True
################################# Redis settings ##################################
# For an external Redis enter the correct Redis details; the bundled Redis is handled automatically.
#
REDIS_HOST=redis
REDIS_PORT=6379
REDIS_PASSWORD=
# If using an external Redis Sentinel, fill in the following manually.
#
# REDIS_SENTINEL_HOSTS=mymaster/192.168.100.1:26379,192.168.100.1:26380,192.168.100.1:26381
# REDIS_SENTINEL_PASSWORD=your_sentinel_password
# REDIS_PASSWORD=your_redis_password
# REDIS_SENTINEL_SOCKET_TIMEOUT=5
# If the external Redis requires a TLS/SSL connection, see https://docs.jumpserver.org/zh/master/install/install_security/#redis-ssl
#
# REDIS_USE_SSL=True
################################## Access settings ###################################
# Ports exposed externally; change them if they conflict with existing services.
# To avoid exposing a port externally use 127.0.0.1:<port>, e.g. 127.0.0.1:33060
#
HTTP_PORT=80
SSH_PORT=2222
MAGNUS_PORTS=30000-30100
################################# HTTPS settings #################################
# See https://docs.jumpserver.org/zh/master/admin-guide/proxy/
#
# HTTPS_PORT=443
# SERVER_NAME=your_domain_name
# SSL_CERTIFICATE=your_cert
# SSL_CERTIFICATE_KEY=your_cert_key
#
# Nginx upload/download size limit
#
CLIENT_MAX_BODY_SIZE=4096m
################################## Component settings ###################################
# Used by the components to register; by default they register with the core container. In a cluster change this to the cluster VIP.
#
CORE_HOST=http://core:8080
PERIOD_TASK_ENABLED=True
# Core session settings:
# SESSION_COOKIE_AGE is the number of idle seconds after which the session expires;
# SESSION_EXPIRE_AT_BROWSER_CLOSE=true expires the session when the browser is closed.
#
# SESSION_COOKIE_AGE=86400
SESSION_EXPIRE_AT_BROWSER_CLOSE=True
# Enable font smoothing in Lion for a better experience.
#
JUMPSERVER_ENABLE_FONT_SMOOTHING=True
################################# XPack settings #################################
# XPack package; has no effect in the open-source edition.
#
RDP_PORT=3389
################################## Other settings ##################################
# Terminals are identified by the host HOSTNAME; generated automatically on first install.
#
SERVER_HOSTNAME=${HOSTNAME}
# Currently running JumpServer version; generated automatically after install and upgrade.
#
CURRENT_VERSION=
Edit config.txt
The installer writes the configuration file to /opt/jumpserver/config/config.txt automatically.
mkdir -p /opt/jumpserver/config/
cp ./config-example.txt /opt/jumpserver/config/config.txt
Change the subnet so it does not conflict with existing networks
- Class A private range: 10.0.0.0 to 10.255.255.255, i.e. 10.0.0.0/8
- Class B private range: 172.16.0.0 to 172.31.255.255, i.e. 172.16.0.0/12
- Class C private range: 192.168.0.0 to 192.168.255.255, i.e. 192.168.0.0/16
vi /opt/jumpserver/config/config.txt
DOCKER_SUBNET=172.30.75.0/24
- Roughly, the script first asks whether to use an external MySQL, Redis and so on, then installs docker and docker-compose, then pulls the images and brings up the docker-compose project.
- Whether to set a persistent directory (default /opt/jumpserver)
- Whether to enable IPv6 (default no)
- Whether to use an external MySQL database (default no; an external database or database cluster can be chosen)
- Whether to use an external Redis (default no; external Redis, master/replica, cluster, etc.)
- Which external port to use (default 80)
Install; the version is specified in static.env
./jmsctl.sh install
1. Check Configuration File
Path to Configuration file: /opt/jumpserver/config
/opt/jumpserver/config/config.txt [ √ ]
/opt/jumpserver/config/nginx/cert/server.crt [ √ ]
/opt/jumpserver/config/nginx/cert/server.key [ √ ]
complete
>>> Install and Configure JumpServer
1. Configure Private Key
SECRETE_KEY: MTA4kDahKurQSDV4f7CV7a2NxnvyXBin2xN9oUQz1JgKCTs4
BOOTSTRAP_TOKEN: UikuHUAnia08ZKyFHT4ZccJU
complete
2. Configure Persistent Directory
Do you need custom persistent store, will use the default directory /data/jumpserver? (y/n) (default n):
[+] Running 1/0
✘ Network jms_net Error 0.0s
failed to create network jms_net: Error response from daemon: Failed to Setup IP tables: Unable to enable SKIP DNAT rule: (iptables failed: iptables --wait -t nat -I DOCKER -i br-e252febdc69d -j RETURN: iptables: No chain/target/match by that name.
After installation the MySQL and Redis passwords are written to config.txt
DB_USER=root
DB_PASSWORD=BMgqGBxJoIwaqqwgwLessz6kUw
REDIS_PASSWORD=P9Z3tV6WTK0il53CYRB8oAgqT0
Test the connection
docker exec -it jms_mysql bash
mysql -uroot -p
BMgqGBxJoIwaqqwgwLessz6kUw
SHOW VARIABLES LIKE '%ssl%';
+---------------------+-----------------------------+
| have_openssl | YES |
| have_ssl | DISABLED |
Managing the JumpServer services
# start
$ ./jmsctl.sh start
# restart
$ ./jmsctl.sh restart
# stop (excluding the database)
$ ./jmsctl.sh stop
# stop everything
$ ./jmsctl.sh down
# back up the database
$ ./jmsctl.sh backup_db
# view logs
$ ./jmsctl.sh tail
# back up
$ ./jmsctl.sh backup
Configuration files
The configuration files are placed in /opt/jumpserver/config
tree .
.
├── config.txt                 # main configuration file
├── mysql
│   └── my.cnf                 # mysql configuration file
├── mariadb
│   └── mariadb.cnf            # mariadb configuration file
├── nginx                      # nginx configuration files
│   ├── cert
│   │   ├── server.crt
│   │   └── server.key
│   ├── lb_http_server.conf
│   └── lb_ssh_server.conf
├── README.md
└── redis
    └── redis.conf             # redis configuration file
6 directories, 11 files
Web access
http://192.168.244.10:80
Default username: admin Default password: admin
SSH/SFTP access
ssh -p2222 [email protected]
sftp -P2222 [email protected]
docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
c0807fb55638 jumpserver/lion:v2.28.21 "./entrypoint.sh" 6 minutes ago Up 5 minutes (healthy) 4822/tcp, 8081/tcp jms_lion
f387025045e3 jumpserver/koko:v2.28.21 "./entrypoint.sh" 6 minutes ago Up 5 minutes (healthy) 0.0.0.0:2222->2222/tcp, 5000/tcp jms_koko
baf3dff0742e jumpserver/web:v2.28.21 "/docker-entrypoint.…" 6 minutes ago Up 5 minutes (healthy) 0.0.0.0:80->80/tcp jms_web
98dc4c33df81 jumpserver/magnus:v2.28.21 "./entrypoint.sh" 6 minutes ago Up 5 minutes (healthy) 0.0.0.0:30000-30100->30000-30100/tcp jms_magnus
5ce9d501748b jumpserver/core:v2.28.21 "./entrypoint.sh sta…" 6 minutes ago Up 5 minutes (healthy) 8070/tcp, 8080/tcp jms_celery
a0f24cdb8f8c jumpserver/core:v2.28.21 "./entrypoint.sh sta…" 6 minutes ago Up 6 minutes (healthy) 8070/tcp, 8080/tcp jms_core
ba76aec76c38 jumpserver/redis:6.2 "docker-entrypoint.s…" 14 minutes ago Up 14 minutes (healthy) 6379/tcp jms_redis
a3167ee779f6 jumpserver/mariadb:10.6 "docker-entrypoint.s…" 14 minutes ago Up 14 minutes (healthy) 3306/tcp jms_mysql
Start at boot with systemd
vi /usr/lib/systemd/system/jms.service
[Unit]
Description=jms
After=network.target
[Service]
Type=forking
Environment="PATH=/opt/py3/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin:/usr/libexec/docker/cli-plugins"
ExecStart=/opt/jumpserver/jmsctl.sh start
ExecReload=/opt/jumpserver/jmsctl.sh restart
ExecStop=/opt/jumpserver/jmsctl.sh down
PrivateTmp=true
[Install]
WantedBy=multi-user.target
systemctl daemon-reload
# start the service
systemctl start jms.service
# enable at boot
systemctl enable jms.service
systemctl status jms.service
systemctl stop jms.service
This failed; the unit does not start.
Fall back to SysV style: make rc.local executable and enable it at boot
chmod +x /etc/rc.local
echo '/opt/jumpserver/jmsctl.sh start' >> /etc/rc.local
systemctl enable rc-local
systemctl start rc-local.service
# check the status:
systemctl status rc-local.service
# after changing the startup script, run the following again for it to take effect
systemctl enable rc-local
systemctl start rc-local.service
Access address
http://localhost
root/Pass1234
test/Pass123456
JumpServer client
http://localhost/core/download/
The JumpServer client is currently used to launch specific client programs to connect to assets; only RDP and SSH clients are supported for now, Telnet will be supported in the future.
=======================
JumpServer installation with external highly available Redis and MySQL
Test servers
Four machines are used for this test
20 cores, 8 GB RAM, 100 GB disk, Rocky 9.3
Server name   IP address      Notes
jump01        192.168.5.101   docker
jump02        192.168.5.102   docker + Sentinel + nfs
jumpdb01      192.168.5.103   Sentinel + Redis replica + MySQL master
jumpdb02      192.168.5.104   Sentinel + Redis master + MySQL slave
Notes
The JumpServer web tier is deployed with docker on jump01 and jump02: install the docker version of JumpServer and copy the config directory, so it can be scaled out at any time.
Data lives on jump02 and is shared over NFS; in production use something more reliable such as CephFS.
Redis uses 2 master/replica nodes plus 3 Sentinels; just configure the sentinel in JumpServer's config. If TLS verification is used, the certificate has to be replaced on every client each year.
MySQL uses master/slave replication, optionally with SSL connections.
Installing the external Redis + Sentinel is skipped
Obtain the Sentinel IPs and access password
MySQL installation
Install on jumpdb01 and jumpdb02
Add the user
#groupadd mysql
#useradd mysql -M -g mysql -s /sbin/nologin
Create the data directories
mkdir -p /mysql/{data,tmpdir,logs}
chown -R mysql:mysql /mysql
chmod -R 775 /mysql
Install mysql-community-common-5.7.44-1 from rpm
cd /root/src
wget http://mirrors.ustc.edu.cn/mysql-repo/mysql57-community-release-el7.rpm
yum -y localinstall mysql57-community-release-el7.rpm
rpm --import https://repo.mysql.com/RPM-GPG-KEY-mysql-2022
yum install mysql-community-server
Remove the bundled connector package
Error:
file /etc/my.cnf from install of mysql-community-server-5.7.44-1.el7.x86_64 conflicts with file from package mariadb-connector-c-config-3.2.6-1.el9_0.noarch
rpm -qa | grep mariadb
mariadb-connector-c-config-3.2.6-1.el9_0.noarch
mariadb-connector-c-3.2.6-1.el9_0.x86_64
yum remove mariadb-connector-c-config-3.2.6-1.el9_0
or
rpm -e --nodeps mariadb-connector-c-config-3.2.6-1.el9_0.noarch
rpm -e --nodeps mariadb-connector-c-3.2.6-1.el9_0.x86_64
Upload your own my.cnf (not provided here)
and change in it
bind-address = 0.0.0.0
Initialize MySQL
What initialize-insecure does
initialize-insecure is a mysqld option that initializes the MySQL database so it is ready to use. Unlike the other initialization option it is insecure: it skips the usual security setup such as setting a root password and creating SSL certificates. It should therefore only be used in test or temporary environments.
#mysqld --initialize-insecure --user=mysql --datadir=/mysql/data --basedir=/usr
mysqld --initialize --user=mysql --datadir=/mysql/data --basedir=/usr
cat /mysql/logs/error.err|grep 'temporary password'
SKg>2j*JhDBv
vi /usr/lib/systemd/system/mysqld.service
PIDFile=/mysql/data/mysql.pid
ExecStart=/usr/sbin/mysqld --daemonize --pid-file=/mysql/data/mysql.pid $MYSQLD_OPTS
Start and test
Change the local root password
Add the remote admin user
Add the remote jumpserver user
mysqld &
mysql -uroot -p
SKg>2j*JhDBv
set password for root@localhost = password('X1lrffa234b');
flush privileges;
GRANT ALL PRIVILEGES ON *.* TO 'admin'@'%' IDENTIFIED BY 'X1lrffa234b' WITH GRANT OPTION;
flush privileges;
create database jumpserver default charset 'utf8';
Query OK, 1 row affected (0.00 sec)
mysql> set global validate_password_policy=LOW;
Query OK, 0 rows affected (0.00 sec)
mysql> create user 'jumpserver'@'%' identified by 'fwJTx622g';
Query OK, 0 rows affected (0.00 sec)
mysql> grant all on jumpserver.* to 'jumpserver'@'%';
Query OK, 0 rows affected, 1 warning (0.00 sec)
mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)
mysql> exit
Bye
MySQL 5.7 adds the default accounts mysql.session and mysql.sys
mysql.infoschema: system user that manages and accesses the built-in information_schema database
mysql.session: used by MySQL plugins to access the MySQL server; clients cannot connect directly as this user
mysql.sys: exists to avoid problems when an administrator renames or drops the root user; clients cannot connect directly as this user
root: the MySQL superuser used to administer MySQL; it has all privileges and can perform any operation, so using it for day-to-day work on the database is not recommended
select * from sys.session\G;
Start MySQL
systemctl daemon-reload
systemctl enable mysqld
systemctl start mysqld
systemctl stop mysqld
Check server_id; it must be unique for each MySQL instance
mysql -S /mysql/data/mysql.sock -e "select @@server_id" -uroot -p
| @@server_id |
+-------------+
| 75102 |
Remember to change server_id
iptables approach (choose one depending on which firewall service the system runs)
iptables -A INPUT -p tcp -s 192.168.5.0/24 -m multiport --dports 3306 -j ACCEPT
service iptables save
firewalld approach (choose one depending on which firewall service the system runs)
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.5.0/24" port protocol="tcp" port="3306" accept'
firewall-cmd --reload
File permissions
chown mysql:mysql /etc/my.cnf
Install MySQL on jumpdb02
Same as above, skipped
Add the repl replication user on the jumpdb01 master
GRANT REPLICATION SLAVE ON *.* TO 'repl'@'%' IDENTIFIED BY 'g43^2rfsfRF';
FLUSH PRIVILEGES;
show processlist\G;
SHOW MASTER STATUS;
+------------------+----------+--------------+------------------+-------------------+
| File | Position | Binlog_Do_DB | Binlog_Ignore_DB | Executed_Gtid_Set |
+------------------+----------+--------------+------------------+-------------------+
| mysql-bin.000003 | 154 | | | |
+------------------+----------+--------------+------------------+-------------------+
Configure replication on the jumpdb02 slave
mysql -uroot -p
X1lrffa234b
# configure replication
CHANGE MASTER TO
MASTER_HOST='192.168.5.102',
MASTER_USER='repl',
MASTER_PASSWORD='g43^2rfsfRF',
MASTER_LOG_FILE='mysql-bin.000003',
MASTER_LOG_POS=154;
# start replication
START SLAVE;
# check on the slave
show slave status\G;
Slave_IO_State: Connecting to master
Master_Host: 192.168.5.102
Master_User: repl
Master_Port: 3306
Connect_Retry: 60
Master_Log_File: mysql-bin.000003
Read_Master_Log_Pos: 154
Relay_Log_File: relay-bin.000001
Relay_Log_Pos: 4
Relay_Master_Log_File: mysql-bin.000003
Slave_IO_Running: Connecting
Slave_SQL_Running: Yes
SHOW PROCESSLIST;
show processlist\G;
Master/slave replication done
Check SSL for replication: does MySQL support SSL (have_ssl)?
SHOW VARIABLES LIKE '%ssl%';
+-------------------------------------+-----------------+
| Variable_name | Value |
+-------------------------------------+-----------------+
| have_openssl | YES |
| have_ssl | YES |
| performance_schema_show_processlist | OFF |
| ssl_ca | ca.pem |
| ssl_capath | |
| ssl_cert | server-cert.pem |
| ssl_cipher | |
| ssl_crl | |
| ssl_crlpath | |
| ssl_key | server-key.pem |
+-------------------------------------+-----------------+
Test SSL: connecting to the local host works, but an SSL connection to the slave fails
mysql -h192.168.5.102 -uadmin -p
mysql -h192.168.5.103 -uadmin -p
mysql --ssl-ca=/mysql/data/ca.pem -h192.168.5.102 -uadmin -p
mysql --ssl-ca=/mysql/data/ca.pem -h192.168.5.103 -uadmin -p
Check whether the connection uses SSL
SHOW SESSION STATUS LIKE 'Ssl_cipher';
\s;
On the master jumpdb01 create the SSL/RSA files and distribute them to the slave
mysql_ssl_rsa_setup --user=mysql --basedir=/mysql/ssl
cd /mysql/data/
scp ca.pem client-cert.pem client-key.pem [email protected]:.
Add the certificate paths on master and slave
vi /etc/my.cnf
Edit the main config file, adding the following under [mysqld]
ssl_ca=ca.pem
ssl_cert=client-cert.pem
ssl_key=client-key.pem
Copy the certificates to the slave and restart for them to take effect
systemctl stop mysqld
ll /root/*.pem
cp /root/*.pem /mysql/data/
systemctl start mysqld
Test replication
mysql -uroot -p
X1lrffa234b
show slave status\G;
STOP SLAVE;
show slave status\G;
Slave_IO_State:
Master_Host: 192.168.5.102
Master_User: repl
Master_Port: 3306
Connect_Retry: 60
Master_Log_File: mysql-bin.000006
Read_Master_Log_Pos: 28170819
Relay_Log_File: relay-bin.000013
Relay_Log_Pos: 27207
Relay_Master_Log_File: mysql-bin.000006
Slave_IO_Running: No
Slave_SQL_Running: No
Replicate_Do_DB:
CHANGE MASTER TO
MASTER_HOST='192.168.5.102',
MASTER_USER='repl',
MASTER_PASSWORD='g43^2rfsfRF',
MASTER_LOG_FILE='mysql-bin.000006',
MASTER_LOG_POS=28170819,
master_ssl=1,
master_ssl_cert='client-cert.pem',
master_ssl_key='client-key.pem',
master_ssl_ca='ca.pem';
START SLAVE;
Master/slave replication over SSL done
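A `show slave status\G` dump is easy to misread: the first dump in this section shows Slave_SQL_Running: Yes while Slave_IO_Running is only Connecting, so the replica had not actually reached the master. The script below is an added example, not from the post or from MySQL's tooling: it pulls the relevant fields out of a saved dump (the two sample dumps are constructed in the shape of the post's output), fails unless both threads report Yes, and, when asked, also fails unless Master_SSL_Allowed is Yes, so the SSL channel configured above cannot silently revert to plaintext.

```shell
#!/bin/sh
# Added example (not part of the original post): decide from a saved
# `SHOW SLAVE STATUS\G` dump whether replication is really healthy.
# Both thread flags must be Yes; with require_ssl=1 the channel must
# also report Master_SSL_Allowed: Yes.

# Extract one "Name: value" field from a \G-style dump read on stdin.
slave_field() {
    awk -v name="$1" '
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            n = index(line, ": ")
            if (n == 0) next
            if (substr(line, 1, n - 1) == name) { print substr(line, n + 2); exit }
        }'
}

# Return 0 when replication is healthy, 1 otherwise, printing a reason
# for each failure.  $1 = dump file, $2 = 1 to require SSL (default 0).
check_replication() {
    dump=$1; require_ssl=${2:-0}; rc=0
    io=$(slave_field Slave_IO_Running < "$dump")
    sql=$(slave_field Slave_SQL_Running < "$dump")
    ssl=$(slave_field Master_SSL_Allowed < "$dump")
    lag=$(slave_field Seconds_Behind_Master < "$dump")
    if [ "$io" != "Yes" ]; then
        # "Connecting" means the I/O thread never reached the master
        # (credentials, firewall, wrong MASTER_HOST, ...)
        echo "FAIL Slave_IO_Running=${io:-?}"; rc=1
    fi
    if [ "$sql" != "Yes" ]; then
        echo "FAIL Slave_SQL_Running=${sql:-?}"; rc=1
    fi
    if [ "$require_ssl" = 1 ] && [ "$ssl" != "Yes" ]; then
        echo "FAIL Master_SSL_Allowed=${ssl:-?} (replication is not using SSL)"; rc=1
    fi
    case $lag in
        ''|NULL) echo "WARN Seconds_Behind_Master=${lag:-missing}" ;;
        *) if [ "$lag" -gt 60 ]; then echo "WARN replica is ${lag}s behind"; fi ;;
    esac
    return $rc
}

# Constructed sample 1, shaped like the post's first dump: the SQL thread
# runs but the I/O thread is still "Connecting".
sample_connecting() {
cat <<'EOF'
*************************** 1. row ***************************
               Slave_IO_State: Connecting to master
                  Master_Host: 192.168.5.102
                  Master_User: repl
                  Master_Port: 3306
                Connect_Retry: 60
              Master_Log_File: mysql-bin.000003
          Read_Master_Log_Pos: 154
             Slave_IO_Running: Connecting
            Slave_SQL_Running: Yes
        Seconds_Behind_Master: NULL
           Master_SSL_Allowed: No
EOF
}

# Constructed sample 2: a healthy replica on the SSL channel.
sample_healthy_ssl() {
cat <<'EOF'
*************************** 1. row ***************************
               Slave_IO_State: Waiting for master to send event
                  Master_Host: 192.168.5.102
                  Master_User: repl
                  Master_Port: 3306
              Master_Log_File: mysql-bin.000006
          Read_Master_Log_Pos: 28170819
             Slave_IO_Running: Yes
            Slave_SQL_Running: Yes
        Seconds_Behind_Master: 0
           Master_SSL_Allowed: Yes
              Master_SSL_Cert: client-cert.pem
EOF
}

# Usage on a live replica:
#   mysql -uroot -p -e 'show slave status\G' > /tmp/status.txt
#   check_replication /tmp/status.txt 1 || echo "replication unhealthy"
```

Run from cron or a monitoring agent, the non-zero exit is what you alert on; the WARN lines cover the case where both threads are up but the replica is falling behind.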
How to force a user to use SSL
Example only; not enforced here
-- create the user
mysql> grant select on *.* to 'dba'@'%' identified by 'xxx' REQUIRE SSL;
-- alter an existing user
mysql> ALTER USER 'dba'@'%' REQUIRE SSL;
flush privileges;
SSL on the JumpServer web side
On jumpdb01 copy the MySQL CA certificate to the JumpServer web nodes
cd /mysql/data/
scp ca.pem [email protected]:.
scp ca.pem [email protected]:.
On jump01 and jump02; the web front end is not installed yet, so this is done later
mv ca.pem /opt/jumpserver/config/certs/db_ca.pem
vi /opt/jumpserver/config/config.txt
# enable DB SSL in the config file
DB_USE_SSL=True
Restart the web services
cd /opt/jumpserver
./jmsctl.sh down
./jmsctl.sh start
Web-to-database SSL connection done
=======
NFS shared data node
On jump02 192.168.5.101
yum install nfs-utils rpcbind
Start NFS
systemctl enable rpcbind nfs-server
systemctl start rpcbind nfs-server
mkdir /data
chmod 777 -R /data
vi /etc/exports
Set the NFS access permissions: /data is the directory just created that will be shared, and 192.168.100.* means every host in 192.168.100.* gets the permissions in the parentheses.
Specific hosts can also be listed: /data 192.168.100.30(rw,sync,no_root_squash) 192.168.100.31(rw,sync,no_root_squash)
Note: using 192.168.5.* produces a permission-denied error at mount time. Since no_root_squash lets root on any client write as root on the server, keep the export limited to the JumpServer hosts.
/data 192.168.5.0/24(rw,insecure,sync,no_root_squash)
exportfs -a
exportfs -rv
showmount -e
Export list for jump02.c1g.test.sh.local:
/data 192.168.5.0/24
rpcinfo -p
NFS client
On jump01 192.168.5.100
Install
yum -y install nfs-utils
Enable the service
systemctl enable rpcbind.service
systemctl start rpcbind.service
systemctl status rpcbind.service
Change the default mount to soft
echo 'Soft=True' >> /etc/nfsmount.conf
Check
showmount -e 192.168.5.101
Export list for 192.168.5.101:
/data 192.168.5.0/24
Mount
mkdir -p /opt/jumpdata
mount -t nfs 192.168.5.101:/data /opt/jumpdata
mount -t nfs -o nolock -o tcp 192.168.5.101:/data /opt/jumpdata
ll /opt/jumpdata
# Can be written to /etc/fstab to mount automatically at boot. Note: once set, if NFS is broken or the server unreachable, the host will not boot.
echo "192.168.5.101:/data /opt/jumpdata nfs defaults 0 0" >> /etc/fstab
=========
JumpServer web front-end installation
JumpServer offline install
Distribute the offline package to each web node
scp -P 22 -r jumpserver-offline-installer-v3.10.5-amd64.tar.gz [email protected]:.
Extract to /opt
cd /root/src/
tar zxvf jumpserver-offline-installer-v3.10.5-amd64.tar.gz -C /opt/
cd /opt
ln -s jumpserver-offline-installer-v3.10.5-amd64 jumpserver
cd /opt/jumpserver-offline-installer-v3.10.5-amd64/
mkdir -p /opt/jumpserver/config/
cp ./config-example.txt /opt/jumpserver/config/config.txt
Generate SECRET_KEY
Very important: write these down, they are needed later.
if [ "$SECRET_KEY" = "" ]; then SECRET_KEY=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 50` ; echo "SECRET_KEY=$SECRET_KEY" >> ~/.bashrc; echo $SECRET_KEY; else echo $SECRET_KEY; fi
5SV8k2BoYHGltlwJeQxMFDsQO0wFUzV2Dg33qa8N2exbpeHMuh
if [ "$BOOTSTRAP_TOKEN" = "" ]; then BOOTSTRAP_TOKEN=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 16`; echo "BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN" >> ~/.bashrc; echo $BOOTSTRAP_TOKEN; else echo $BOOTSTRAP_TOKEN; fi
vBgHciALfP8dkQtU
Edit the JumpServer configuration
Change SECRET_KEY, BOOTSTRAP_TOKEN and DOCKER_SUBNET
Change the MySQL and Redis settings
vi /opt/jumpserver/config/config.txt
VOLUME_DIR=/opt/jumpdata
SECRET_KEY=5SV8k2BoYHGltlwJeQxMFDsQO0wFUzV2Dg33qa8N2exbpeHMuh
BOOTSTRAP_TOKEN=vBgHciALfP8dkQtU
DOCKER_SUBNET=172.30.75.0/24
DB_HOST=192.168.5.102
DB_PORT=3306
DB_USER=jumpserver
DB_PASSWORD=kx8wJTr8
DB_NAME=jumpserver
REDIS_SENTINEL_HOSTS=mymaster1/192.168.5.103:26379,192.168.5.102:26379,192.168.5.101:26379
REDIS_SENTINEL_PASSWORD=VBHMpbPXGltlwJe
REDIS_PASSWORD=VBHMpbPXGltlwJe
REDIS_SENTINEL_SOCKET_TIMEOUT=5
Install the JumpServer web tier
Check the messages printed during installation carefully
./jmsctl.sh install
django.db.utils.OperationalError: (1045, "Access denied for user 'jumpserver'@'192.168.5.100' (using password: YES)")
[ERROR] Failed to change the table structure!
Reset the password; a password containing $ may cause the error
mysql -h 192.168.5.102 -uadmin -p
X1lrffa234b
SET PASSWORD FOR 'jumpserver'@'%' = PASSWORD('fwJTx622g');
flush privileges;
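Two of the problems in this section come from config.txt itself: SECRET_KEY and BOOTSTRAP_TOKEN have to be generated and pasted in by hand, and the install fails when DB_PASSWORD contains a character such as $ that the shell expands when the file is read. The helpers below are an added example, not part of the post or of jmsctl.sh; they assume the key=value layout of config-example.txt shown earlier and GNU sed (as on Rocky Linux). They set keys idempotently (reusing a commented-out example line where one exists), generate secrets without appending them to ~/.bashrc, and refuse to proceed when a credential is empty or contains a shell-special character.

```shell
#!/bin/sh
# Added example (not part of the original post or of jmsctl.sh): edit
# /opt/jumpserver/config/config.txt from a script and sanity-check the
# secrets before running ./jmsctl.sh install. Assumes the key=value
# layout of config-example.txt and GNU sed (Rocky Linux).

# Random alphanumeric secret of the requested length, like the post's
# one-liners but only printed, not appended to ~/.bashrc.
gen_secret() {
    tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "$1"
    echo
}

# First active (uncommented) value of KEY in FILE, empty if unset.
get_config() {
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# Idempotently set KEY=VALUE in FILE: rewrite the active line, else
# uncomment the first "# KEY=..." example line, else append.
set_config() {
    file=$1; key=$2; value=$3
    # escape characters special in a sed replacement ('|' is the delimiter)
    esc=$(printf '%s' "$value" | sed 's/[&|\\]/\\&/g')
    if grep -q "^$key=" "$file"; then
        sed -i "s|^$key=.*|$key=$esc|" "$file"
    elif grep -q "^# *$key=" "$file"; then
        sed -i "0,/^# *$key=.*/s||$key=$esc|" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# Characters a shell expands or splits on when the file is sourced:
# $ ` " \ ' and space. The post hit this with a DB password containing '$'.
UNSAFE_CHARS="[\$\`\"\\\\' ]"

# Validate the secrets: SECRET_KEY and BOOTSTRAP_TOKEN must be set, and
# no credential may contain a shell-special character. Returns 0 when
# clean, 1 otherwise, printing one line per problem.
check_config() {
    file=$1; rc=0
    for key in SECRET_KEY BOOTSTRAP_TOKEN; do
        if [ -z "$(get_config "$file" "$key")" ]; then
            echo "EMPTY  $key"; rc=1
        fi
    done
    for key in SECRET_KEY BOOTSTRAP_TOKEN DB_PASSWORD REDIS_PASSWORD REDIS_SENTINEL_PASSWORD; do
        v=$(get_config "$file" "$key")
        if [ -n "$v" ] && printf '%s' "$v" | grep -q "$UNSAFE_CHARS"; then
            echo "UNSAFE $key contains a shell-special character"; rc=1
        fi
    done
    return $rc
}

# Usage:
#   CFG=/opt/jumpserver/config/config.txt
#   set_config "$CFG" SECRET_KEY "$(gen_secret 50)"
#   set_config "$CFG" BOOTSTRAP_TOKEN "$(gen_secret 16)"
#   set_config "$CFG" DOCKER_SUBNET 172.30.75.0/24
#   check_config "$CFG" && ./jmsctl.sh install
```

The same SECRET_KEY and BOOTSTRAP_TOKEN must be copied to every web node (jump01 and jump02 here), so generate them once and distribute the resulting config.txt rather than running gen_secret on each host.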
Pay attention to the interactive prompts (here 'y' was entered where the port number was expected):
File "/opt/py3/lib/python3.11/site-packages/django/db/backends/mysql/base.py", line 223, in get_connection_params
kwargs["port"] = int(settings_dict["PORT"])
^^^^^^^^^^^^^^^^^^^^^^^^^^
ValueError: invalid literal for int() with base 10: 'y'
[ERROR] Failed to change the table structure!
>>> The Installation is Complete
1. You can use the following command to start, and then visit
cd /opt/jumpserver
./jmsctl.sh start
2. Other management commands
./jmsctl.sh stop
./jmsctl.sh restart
./jmsctl.sh backup
./jmsctl.sh upgrade
For more commands, you can enter ./jmsctl.sh --help to understand
3. Web access
http://172.30.75.1:80
Default username: admin Default password: admin
4. SSH/SFTP access
ssh -p2222 [email protected]
sftp -P2222 [email protected]
5. More information
Official Website: https://www.jumpserver.org/
Documentation: https://docs.jumpserver.org/
Firewall, iptables approach
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp --dport 2222 -j ACCEPT
iptables -A INPUT -p tcp --dport 33060 -j ACCEPT
iptables -A INPUT -p tcp --dport 33061 -j ACCEPT
service iptables save
Firewall, firewalld approach
firewall-cmd --permanent --zone=public --add-port=80/tcp
firewall-cmd --permanent --zone=public --add-port=443/tcp
firewall-cmd --permanent --zone=public --add-port=2222/tcp
firewall-cmd --permanent --zone=public --add-port=33060/tcp
firewall-cmd --permanent --zone=public --add-port=33061/tcp
Login credentials
admin/Pass1234
test/Pass1234