JumpServer in Practice: Containerized (Docker) Installation
GitHub: https://github.com/jumpserver/jumpserver/releases ## latest version is 2.14.2
Official site: https://docs.jumpserver.org/zh/master ## official documentation
Docker Hub: https://hub.docker.com/r/jumpservre/jms_all
Installation requirements
- Hardware: 2 CPU cores, 8 GB RAM, 50 GB disk ## with too little memory (4-8 GB) JumpServer is very laggy
- Operating system: Linux distribution, x86_64 (Ubuntu 18.04)
- Python 3.6.x
- MySQL server >= 5.6 or MariaDB >= 5.5.56
- Redis
Installation methods
- Manual deployment: step by step
- Quick deployment: official script
- Container deployment: Docker
- Distributed deployment: suited to large environments
Installation and deployment
- Redis installed separately
- MySQL installed separately
1. Install Docker
Omitted here
2. Install MySQL
docker run --rm --name mysql -e MYSQL_ROOT_PASSWORD=123456 -e MYSQL_DATABASE=jumpserver -e MYSQL_USER=jumpserver -e MYSQL_PASSWORD=123456 -d -p 3306:3306 mysql:5.7.30
root@qjzhao-virtual-machine:~# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
992347b920ae mysql:5.7.30 "docker-entrypoint.s…" About a minute ago Up About a minute 0.0.0.0:3306->3306/tcp, :::3306->3306/tcp, 33060/tcp mysql
root@qjzhao-virtual-machine:~# docker exec -it mysql sh
# mysql -uroot -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 2
Server version: 5.7.30 MySQL Community Server (GPL)
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> show create database jumpserver;
+------------+-----------------------------------------------------------------------+
| Database | Create Database |
+------------+-----------------------------------------------------------------------+
| jumpserver | CREATE DATABASE `jumpserver` /*!40100 DEFAULT CHARACTER SET latin1 */ |
+------------+-----------------------------------------------------------------------+
1 row in set (0.00 sec)
2.1 Create the MySQL bind-mount directories on the host
mkdir -p /etc/mysql/mysql.conf.d/
mkdir -p /etc/mysql/conf.d/
2.2 Write the MySQL config files to be mounted (on the host)
root@qjzhao-virtual-machine:~# tee /etc/mysql/mysql.conf.d/mysql.cnf <<EOF
[mysqld]
pid-file= /var/run/mysqld/mysqld.pid
socket= /var/run/mysqld/mysqld.sock
datadir= /var/lib/mysql
symbolic-links=0
character-set-server=utf8 ## add this line to set the server character set
EOF
root@qjzhao-virtual-machine:~# tee /etc/mysql/conf.d/mysql.cnf <<EOF
[mysql]
default-character-set=utf8 # add this line to set the client character set
EOF
2.3 Start MySQL with Docker
docker run -d -p 3306:3306 --name mysql --restart always \
-e MYSQL_ROOT_PASSWORD=123456 \
-e MYSQL_DATABASE=jumpserver \
-e MYSQL_USER=jumpserver \
-e MYSQL_PASSWORD=123456 \
-v /data/mysql:/var/lib/mysql \
-v /etc/mysql/mysql.conf.d/mysql.cnf:/etc/mysql/mysql.conf.d/mysqld.cnf \
-v /etc/mysql/conf.d/mysql.cnf:/etc/mysql/conf.d/mysql.cnf mysql:5.7.30
2.4 Verify the Docker MySQL instance
root@qjzhao-virtual-machine:/# docker exec -it mysql bash
root@ddfecdb1c841:/# mysql -uroot -p123456
mysql> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| jumpserver |
| mysql |
| performance_schema |
| sys |
+--------------------+
5 rows in set (0.00 sec)
mysql> show create database jumpserver;
+------------+---------------------------------------------------------------------+
| Database | Create Database |
+------------+---------------------------------------------------------------------+
| jumpserver | CREATE DATABASE `jumpserver` /*!40100 DEFAULT CHARACTER SET utf8 */ |
+------------+---------------------------------------------------------------------+
1 row in set (0.00 sec)
2.4.1 Verify from the host with a MySQL client
apt install mysql-client-core-5.7
root@qjzhao-virtual-machine:/# mysql -ujumpserver -p123456 -h188.188.188.170
mysql> show create database jumpserver;
+------------+---------------------------------------------------------------------+
| Database | Create Database |
+------------+---------------------------------------------------------------------+
| jumpserver | CREATE DATABASE `jumpserver` /*!40100 DEFAULT CHARACTER SET utf8 */ |
+------------+---------------------------------------------------------------------+
1 row in set (0.00 sec)
3. Install Redis
docker run -d -p 6379:6379 --name redis --restart always redis:5.0.9
4. Deploy JumpServer
4.1 Generate the keys
root@qjzhao-virtual-machine:/# tee key.sh <<'EOF'
#!/bin/bash
# Generate SECRET_KEY (50 chars) and BOOTSTRAP_TOKEN (16 chars) once and
# persist them in ~/.bashrc; reuse them if they are already set.
if [ ! "$SECRET_KEY" ]; then
    SECRET_KEY=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 50`
    echo "SECRET_KEY=$SECRET_KEY" >> ~/.bashrc
    echo "$SECRET_KEY"
else
    echo "$SECRET_KEY"
fi
if [ ! "$BOOTSTRAP_TOKEN" ]; then
    BOOTSTRAP_TOKEN=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 16`
    echo "BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN" >> ~/.bashrc
    echo "$BOOTSTRAP_TOKEN"
else
    echo "$BOOTSTRAP_TOKEN"
fi
EOF
Note: the heredoc delimiter is quoted ('EOF') so that $SECRET_KEY and the backtick commands are written into key.sh literally instead of being expanded when the file is created; the variable JumpServer reads is BOOTSTRAP_TOKEN (the original spelling BOOTSTRAP_TOEKN was a typo).
4.2 Start JumpServer
root@qjzhao-virtual-machine:/# docker run --name jms_all -d \
-v /opt/jumpserver/data:/opt/jumpserver/data \
-p 80:80 \
-p 2222:2222 \
--restart always \
-e SECRET_KEY=djAqKG37xHcnHr9UvQxO0LkNJYPMCUZhiy2OfCnhdJl2wGPtoV \
-e BOOTSTRAP_TOKEN=uSY4gL5uWolP7g6v \
-e DB_HOST=188.188.188.170 \
-e DB_PORT=3306 \
-e DB_USER=root \
-e DB_PASSWORD=123456 \
-e DB_NAME=jumpserver \
-e REDIS_HOST=188.188.188.170 \
-e REDIS_PORT=6379 \
-e REDIS_PASSWORD='' \
--privileged=true \
jumpserver/jms_all:v2.5.3
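An added example (not the author's code and not part of JumpServer) that turns the manual checks from sections 2.4 and 4.1 into reusable shell functions: it parses the character set out of a SHOW CREATE DATABASE row, validates SECRET_KEY and BOOTSTRAP_TOKEN against the lengths key.sh produces, and writes them to a file usable with docker run --env-file. The ROW_* sample rows and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the original post or from JumpServer itself.
# Helpers for the two manual checks above: the database character set from
# section 2 and the SECRET_KEY / BOOTSTRAP_TOKEN values from section 4.

# Generate an alphanumeric secret of length $1 (same alphabet as key.sh).
gen_secret() {
    tr -dc 'A-Za-z0-9' </dev/urandom | head -c "$1"
}

# Succeed only when $1 is exactly $2 characters long and all of them are A-Za-z0-9.
secret_ok() {
    [ "${#1}" -eq "$2" ] && [ -z "$(printf '%s' "$1" | tr -d 'A-Za-z0-9')" ]
}

# Extract the default character set from one "SHOW CREATE DATABASE" result row.
db_charset() {
    printf '%s\n' "$1" | sed -n 's/.*DEFAULT CHARACTER SET \([A-Za-z0-9_]*\).*/\1/p'
}

# Write both secrets to a file readable only by its owner (for docker run --env-file)
# instead of appending them to ~/.bashrc as key.sh does.
write_env_file() {
    ( umask 077; printf 'SECRET_KEY=%s\nBOOTSTRAP_TOKEN=%s\n' "$2" "$3" >"$1" )
}

# Pre-flight check: $1 is the SHOW CREATE DATABASE row, $2 SECRET_KEY, $3 BOOTSTRAP_TOKEN.
# Returns 1 when the database is still latin1 or a secret has the wrong shape.
preflight() {
    cs=$(db_charset "$1")
    case "$cs" in
        utf8|utf8mb4) ;;
        *) echo "database charset is '$cs', expected utf8" >&2; return 1 ;;
    esac
    secret_ok "$2" 50 || { echo "SECRET_KEY must be 50 alphanumeric chars" >&2; return 1; }
    secret_ok "$3" 16 || { echo "BOOTSTRAP_TOKEN must be 16 alphanumeric chars" >&2; return 1; }
}

# Constructed sample rows matching the two "show create database" outputs on the page.
ROW_LATIN1='| jumpserver | CREATE DATABASE `jumpserver` /*!40100 DEFAULT CHARACTER SET latin1 */ |'
ROW_UTF8='| jumpserver | CREATE DATABASE `jumpserver` /*!40100 DEFAULT CHARACTER SET utf8 */ |'

# Demo: the latin1 row (before section 2.2) must be rejected, the utf8 row accepted.
KEY=$(gen_secret 50); TOKEN=$(gen_secret 16)
preflight "$ROW_LATIN1" "$KEY" "$TOKEN" || echo "latin1 row rejected as expected"
preflight "$ROW_UTF8" "$KEY" "$TOKEN" && echo "utf8 row accepted"
```

Against a live instance, feed the row from `mysql -e 'SHOW CREATE DATABASE jumpserver'` to preflight, then pass the written file to docker run with `--env-file` in place of the two `-e` lines.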
4.3 Verify that JumpServer started successfully
root@qjzhao-virtual-machine:/# docker logs -f jms_all
Applying terminal.0024_auto_20200715_1713... OK
Applying terminal.0025_auto_20200810_1735... OK
Applying terminal.0026_auto_20201027_1905... OK
Applying terminal.0027_auto_20201102_1651... OK
Applying terminal.0028_auto_20201110_1918... OK
Applying terminal.0029_auto_20201116_1757... OK
Applying tickets.0001_initial... OK
Applying tickets.0002_auto_20200728_1146... OK
Applying tickets.0003_auto_20200804_1551... OK
Applying tickets.0004_ticket_comment... OK
Applying tickets.0005_ticket_meta_confirmed_system_users... OK
Applying tickets.0006_auto_20201023_1628... OK
2021-10-17 19:16:43 Collect static files
2021-10-17 19:16:45 Collect static files done
guacd[85]: INFO: Guacamole proxy daemon (guacd) version 1.2.0 started
Starting guacd: SUCCESS
Tomcat started.
Jumpserver ALL v2.5.3
官网 http://www.jumpserver.org
文档 http://docs.jumpserver.org
进入容器命令 docker exec -it jms_all /bin/bash
root@qjzhao-virtual-machine:/# ss -ntl|egrep "80|2222"
LISTEN 0 4096 0.0.0.0:2222 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:80 0.0.0.0:*
LISTEN 0 4096 [::]:2222 [::]:*
LISTEN 0 4096 [::]:80 [::]:*
4.4 Log in to JumpServer
http://188.188.188.170/core/auth/login/ (note: port 2222 is used for command-line (SSH) login)
4.5 Initialize JumpServer
Default account/password: admin/admin; change the password to abcd@1234
4.6 Common operations
4.6.1 Mail settings
smtp_address=smtp.qq.com
smtp_port=465
smtp_user_name=283899333@qq.com
smtp_password=gfvsixonktzscbcc
4.6.2 Creating accounts
Enabling multi-factor authentication here requires the following steps
4.6.3 Creating groups
Add users to different groups
4.6.4 System auditor
Under user management, create a role and set the system role to System Auditor.
4.6.5 Asset management
4.6.5.1 Create admin users
Asset admin account != login account
An admin account generally means root or administrator on a Linux server,
i.e. an account on the server itself
Asset management → Admin users
Multiple admin users can be configured
An admin user is root on the asset (the managed server), or a user with NOPASSWD: ALL sudo privileges; JumpServer uses this user to push system users, collect asset hardware information, and so on.
4.6.5.2 Create the asset list
4.6.5.3 System users
**In plain terms, a system user is the login user on the server; operations and development staff deploy and operate applications through this account**
A system user is the user JumpServer uses when jumping to an asset, i.e. the account that logs in to the asset, such as web, sa or dba (ssh web@some-host), rather than a person's own username (ssh xiaoming@some-host). Simply put, a person logs in to JumpServer with their own username, and JumpServer logs in to the asset with the system user. If automatic push is selected when the system user is created, JumpServer uses Ansible to push the system user to the assets; if an asset (e.g. a switch) does not support Ansible, fill in the account and password manually.
4.6.5.4 Asset authorization
Asset authorization assigns and controls assets by user or by group
4.6.5.5 Application management - databases
The database, account and password must be created in the database beforehand
4.6.5.6 Asset management - system users
The system user here must match the account and password created in the database
4.6.5.7 Permission management - databases