JumpServer in practice: containerized (Docker) installation

GitHub: https://github.com/jumpserver/jumpserver/releases  ## latest release is 2.14.2
Official docs: https://docs.jumpserver.org/zh/master
Docker Hub: https://hub.docker.com/r/jumpservre/jms_all

Installation requirements

  • Hardware: 2 cores, 8 GB RAM, 50 GB disk  ## JumpServer is very sluggish when memory is small; 4-8 GB
  • Operating system: Linux distribution, x86_64 (Ubuntu 18.04)
  • Python = 3.6.x
  • MySQL server >= 5.6 or MariaDB >= 5.5.56
  • Redis

Installation methods

  • Manual deployment: step by step
  • Quick deployment: official script
  • Container deployment: Docker
  • Distributed deployment: for large environments

Installation and deployment

  • Redis installed separately
  • MySQL installed separately

1. Install Docker

Omitted here.

2. Install MySQL

docker run --rm --name mysql -e MYSQL_ROOT_PASSWORD=123456 -e MYSQL_DATABASE=jumpserver -e MYSQL_USER=jumpserver -e MYSQL_PASSWORD=123456 -d -p 3306:3306 mysql:5.7.30
root@qjzhao-virtual-machine:~# docker ps
CONTAINER ID   IMAGE          COMMAND                  CREATED              STATUS              PORTS                                                  NAMES
992347b920ae   mysql:5.7.30   "docker-entrypoint.s…"   About a minute ago   Up About a minute   0.0.0.0:3306->3306/tcp, :::3306->3306/tcp, 33060/tcp   mysql
root@qjzhao-virtual-machine:~# docker exec -it mysql sh
# mysql -uroot -p
Enter password: 
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 2
Server version: 5.7.30 MySQL Community Server (GPL)
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
-----------------------------------------
mysql> show create database jumpserver;
+------------+-----------------------------------------------------------------------+
| Database   | Create Database                                                       |
+------------+-----------------------------------------------------------------------+
| jumpserver | CREATE DATABASE `jumpserver` /*!40100 DEFAULT CHARACTER SET latin1 */ |
+------------+-----------------------------------------------------------------------+
1 row in set (0.00 sec)
2.1 Create the host directories that will be mounted into the MySQL container
mkdir -p /etc/mysql/mysql.conf.d/
mkdir -p /etc/mysql/conf.d/
2.2 Write the MySQL configuration files on the host
root@qjzhao-virtual-machine:~# tee /etc/mysql/mysql.conf.d/mysql.cnf <<EOF
[mysqld]
pid-file= /var/run/mysqld/mysqld.pid
socket= /var/run/mysqld/mysqld.sock
datadir= /var/lib/mysql
symbolic-links=0
character-set-server=utf8  # add this line to set the server character set
EOF
root@qjzhao-virtual-machine:~# tee /etc/mysql/conf.d/mysql.cnf <<EOF
[mysql]
default-character-set=utf8  # add this line to set the client character set
EOF
2.3 Start MySQL with Docker
docker run -d -p 3306:3306 --name mysql --restart always \
-e MYSQL_ROOT_PASSWORD=123456 \
-e MYSQL_DATABASE=jumpserver \
-e MYSQL_USER=jumpserver  \
-e MYSQL_PASSWORD=123456 \
-v /data/mysql:/var/lib/mysql \
-v /etc/mysql/mysql.conf.d/mysql.cnf:/etc/mysql/mysql.conf.d/mysqld.cnf \
-v /etc/mysql/conf.d/mysql.cnf:/etc/mysql/conf.d/mysql.cnf  mysql:5.7.30
2.4 Verify MySQL inside the container
root@qjzhao-virtual-machine:/# docker exec -it mysql bash
root@ddfecdb1c841:/# mysql -uroot -p123456
mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| jumpserver         |
| mysql              |
| performance_schema |
| sys                |
+--------------------+
5 rows in set (0.00 sec)
mysql> show create database  jumpserver;
+------------+---------------------------------------------------------------------+
| Database   | Create Database                                                     |
+------------+---------------------------------------------------------------------+
| jumpserver | CREATE DATABASE `jumpserver` /*!40100 DEFAULT CHARACTER SET utf8 */ |
+------------+---------------------------------------------------------------------+
1 row in set (0.00 sec)
2.4.1 Verify MySQL from the host with a MySQL client
apt install mysql-client-core-5.7
root@qjzhao-virtual-machine:/# mysql -ujumpserver -p123456 -h188.188.188.170
mysql> show create database jumpserver;
+------------+---------------------------------------------------------------------+
| Database   | Create Database                                                     |
+------------+---------------------------------------------------------------------+
| jumpserver | CREATE DATABASE `jumpserver` /*!40100 DEFAULT CHARACTER SET utf8 */ |
+------------+---------------------------------------------------------------------+
1 row in set (0.00 sec)

3. Install Redis

docker run -d -p 6379:6379 --name redis --restart always redis:5.0.9

4. Deploy JumpServer

4.1 Generate the keys
root@qjzhao-virtual-machine:/# tee key.sh <<'EOF'
#!/bin/bash
# The quoted 'EOF' above keeps $VAR and $(...) from being expanded by the
# host shell while the file is written; otherwise key.sh would contain
# literal (empty) values instead of the generation logic.
if [ ! "$SECRET_KEY" ]; then
	SECRET_KEY=$(cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 50)
	echo "SECRET_KEY=$SECRET_KEY" >> ~/.bashrc
	echo "$SECRET_KEY"
else
	echo "$SECRET_KEY"
fi

if [ ! "$BOOTSTRAP_TOKEN" ]; then
	BOOTSTRAP_TOKEN=$(cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 16)
	echo "BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN" >> ~/.bashrc
	echo "$BOOTSTRAP_TOKEN"
else
	echo "$BOOTSTRAP_TOKEN"
fi
EOF
4.2 Start JumpServer
root@qjzhao-virtual-machine:/# docker run --name jms_all -d \
-v /opt/jumpserver/data:/opt/jumpserver/data \
-p 80:80   \
-p 2222:2222   \
--restart always  \
-e SECRET_KEY=djAqKG37xHcnHr9UvQxO0LkNJYPMCUZhiy2OfCnhdJl2wGPtoV   \
-e BOOTSTRAP_TOKEN=uSY4gL5uWolP7g6v   \
-e DB_HOST=188.188.188.170 \
-e DB_PORT=3306  \
-e DB_USER=root  \
-e DB_PASSWORD=123456 \
-e DB_NAME=jumpserver  \
-e  REDIS_HOST=188.188.188.170 \
-e REDIS_PORT=6379  \
-e REDIS_PASSWORD='' \
--privileged=true \
jumpserver/jms_all:v2.5.3
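The key generation from 4.1 and the `docker run -e ...` of 4.2 combined, as an added example that is not the post's own key.sh and not JumpServer project code: the secrets are generated and validated, then written with the database and Redis settings into a root-only env file for `docker run --env-file`, so they stay out of shell history and the visible command line. The file path and the 24-character token length are assumptions; the connection values mirror the post, except that the `jumpserver` database user created in step 2 is used instead of root.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): generate the SECRET_KEY and
# BOOTSTRAP_TOKEN that jms_all reads, validate them, and write them with the
# DB/Redis settings into a root-only env file for `docker run --env-file`,
# so the secrets stay out of shell history and the visible command line.
set -eu

# gen_secret LEN: LEN random characters from [A-Za-z0-9], read from /dev/urandom.
gen_secret() {
  local len="$1"
  LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c "$len"
}

# valid_secret VALUE MINLEN: succeed only when VALUE is alphanumeric and at
# least MINLEN characters long (what gen_secret produces; no shell-sensitive chars).
valid_secret() {
  local value="$1" minlen="$2"
  [ "${#value}" -ge "$minlen" ] || return 1
  case "$value" in
    *[!A-Za-z0-9]*) return 1 ;;
  esac
}

# write_env_file PATH DB_HOST DB_PASS: write the jms_all environment to PATH,
# (re)created with mode 0600 so other local users cannot read the secrets.
write_env_file() {
  local path="$1" db_host="$2" db_pass="$3"
  local secret_key bootstrap_token
  secret_key="$(gen_secret 50)"
  bootstrap_token="$(gen_secret 24)"   # 24 chars is an assumption, longer than the post's 16
  valid_secret "$secret_key" 50 || return 1
  valid_secret "$bootstrap_token" 24 || return 1
  (
    umask 077
    rm -f -- "$path"
    cat >"$path" <<EOF
SECRET_KEY=$secret_key
BOOTSTRAP_TOKEN=$bootstrap_token
DB_HOST=$db_host
DB_PORT=3306
DB_USER=jumpserver
DB_PASSWORD=$db_pass
DB_NAME=jumpserver
REDIS_HOST=$db_host
REDIS_PORT=6379
REDIS_PASSWORD=
EOF
  )
}
```

Run `write_env_file /opt/jumpserver/jms.env 188.188.188.170 123456` (hypothetical path) and start the container with `docker run --name jms_all -d --env-file /opt/jumpserver/jms.env -v /opt/jumpserver/data:/opt/jumpserver/data -p 80:80 -p 2222:2222 --restart always jumpserver/jms_all:v2.5.3`. `docker inspect jms_all` still shows the environment, so access to the Docker socket must be restricted as tightly as root access.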
4.3 Verify that JumpServer started successfully
root@qjzhao-virtual-machine:/# docker logs -f jms_all
  Applying terminal.0024_auto_20200715_1713... OK
  Applying terminal.0025_auto_20200810_1735... OK
  Applying terminal.0026_auto_20201027_1905... OK
  Applying terminal.0027_auto_20201102_1651... OK
  Applying terminal.0028_auto_20201110_1918... OK
  Applying terminal.0029_auto_20201116_1757... OK
  Applying tickets.0001_initial... OK
  Applying tickets.0002_auto_20200728_1146... OK
  Applying tickets.0003_auto_20200804_1551... OK
  Applying tickets.0004_ticket_comment... OK
  Applying tickets.0005_ticket_meta_confirmed_system_users... OK
  Applying tickets.0006_auto_20201023_1628... OK
2021-10-17 19:16:43 Collect static files
2021-10-17 19:16:45 Collect static files done
guacd[85]: INFO:	Guacamole proxy daemon (guacd) version 1.2.0 started
Starting guacd: SUCCESS
Tomcat started.
Jumpserver ALL v2.5.3
官网 http://www.jumpserver.org
文档 http://docs.jumpserver.org

进入容器命令 docker exec -it jms_all /bin/bash
root@qjzhao-virtual-machine:/# ss -ntl|egrep "80|2222"
LISTEN   0         4096                0.0.0.0:2222             0.0.0.0:*       
LISTEN   0         4096                0.0.0.0:80               0.0.0.0:*       
LISTEN   0         4096                   [::]:2222                [::]:*       
LISTEN   0         4096                   [::]:80                  [::]:*
4.4 Log in to JumpServer

http://188.188.188.170/core/auth/login/ (note: port 2222 is used for command-line login)

4.5 Initialize JumpServer

Default account/password: admin/admin; change the password to abcd@1234

4.6 Common operations
4.6.1 Mail settings

smtp_address=smtp.qq.com
smtp_port=465
smtp_user_name=283899333@qq.com
smtp_password=gfvsixonktzscbcc

4.6.2 Create accounts

To enable multi-factor authentication for the account, proceed as follows:

[screenshot: enabling multi-factor authentication for the user]

4.6.3 Create groups

Add users to the appropriate groups.

4.6.4 System auditor

Under user management, create an account whose system role is set to System Auditor.

4.6.5 Asset management
4.6.5.1 Create admin users
  • The asset admin account is not the same as the login account
  • The admin account usually means root on Linux servers or Administrator
  • It generally refers to a server-side account
  • Assets → Admin Users
  • Several admin users can be configured. An admin user is root on the asset (the managed server), or a user with NOPASSWD: ALL sudo rights; JumpServer uses it to push system users, collect asset hardware information and so on.


4.6.5.2 Create the asset list

4.6.5.3 System users

**In plain terms, a system user is the login user on the server; operations and development staff deploy and operate applications through this account.**

A system user is the account JumpServer uses when it connects to an asset, i.e. the login user on the asset, such as web, sa or dba (ssh web@some-host), rather than a person's own username (ssh xiaoming@some-host). In short, people log in to JumpServer with their own username, and JumpServer logs in to the asset with the system user. If auto-push is selected when the system user is created, JumpServer uses Ansible to push the system user to the assets; if an asset (for example a switch) does not support Ansible, enter the account and password manually.

4.6.5.4 Asset authorization

Asset authorization assigns and controls access to assets by user or by group.

4.6.5.5 Application management: databases

The database, account and password must be created on the database server beforehand.

4.6.5.6 Asset management: system users

The system user here must match the account and password created in the database.

4.6.5.7 Permission management: databases