【DB宝48】JumpServer:多云环境下更好用的堡垒机(上)
一、JumpServer简介
JumpServer 是全球首款开源的堡垒机,使用 GNU GPL v2.0 开源协议,是符合 4A 规范的运维安全审计系统。
JumpServer 使用 Python / Django 为主进行开发,遵循 Web 2.0 规范,配备了业界领先的 Web Terminal 方案,交互界面美观、用户体验好。
JumpServer 采纳分布式架构,支持多机房跨区域部署,支持横向扩展,无资产数量及并发限制。
**官网网址:**https://www.jumpserver.org/
文档:https://docs.jumpserver.org/zh/master/
GitHub:https://github.com/jumpserver/jumpserver
1.1、页面展示
1.2、特色优势
- 开源: 零门槛,线上快速获取和安装;
- 分布式: 轻松支持大规模并发访问;
- 无插件: 仅需浏览器,极致的 Web Terminal 使用体验;
- 多云支持: 一套系统,同时管理不同云上面的资产;
- 云端存储: 审计录像云端存储,永不丢失;
- 多租户: 一套系统,多个子公司和部门同时使用;
- 多应用支持: 数据库,Windows远程应用,Kubernetes。
1.3、功能列表
身份认证 Authentication |
登录认证 | 资源统一登录与认证 |
LDAP/AD 认证 | ||
RADIUS 认证 | ||
OpenID 认证(实现单点登录) | ||
CAS 认证 (实现单点登录) | ||
MFA认证 | MFA 二次认证(Google Authenticator) | |
RADIUS 二次认证 | ||
登录复核 | 用户登录行为受管理员的监管与控制:small_orange_diamond: | |
账号管理 Account |
集中账号 | 管理用户管理 |
系统用户管理 | ||
统一密码 | 资产密码托管 | |
自动生成密码 | ||
自动推送密码 | ||
密码过期设置 | ||
批量改密 | 定期批量改密:small_orange_diamond: | |
多种密码策略:small_orange_diamond: | ||
多云纳管 | 对私有云、公有云资产自动统一纳管:small_orange_diamond: | |
收集用户 | 自定义任务定期收集主机用户:small_orange_diamond: | |
密码匣子 | 统一对资产主机的用户密码进行查看、更新、测试操作:small_orange_diamond: | |
授权控制 Authorization |
多维授权 | 对用户、用户组、资产、资产节点、应用以及系统用户进行授权 |
资产授权 | 资产以树状结构进行展示 | |
资产和节点均可灵活授权 | ||
节点内资产自动继承授权 | ||
子节点自动继承父节点授权 | ||
应用授权 | 实现更细粒度的应用级授权 | |
MySQL 数据库应用、RemoteApp 远程应用:small_orange_diamond: | ||
动作授权 | 实现对授权资产的文件上传、下载以及连接动作的控制 | |
时间授权 | 实现对授权资源使用时间段的限制 | |
特权指令 | 实现对特权指令的使用(支持黑白名单) | |
命令过滤 | 实现对授权系统用户所执行的命令进行控制 | |
文件传输 | SFTP 文件上传/下载 | |
文件管理 | 实现 Web SFTP 文件管理 | |
工单 管理 | 支持对用户登录请求行为进行控制:small_orange_diamond: | |
组织管理 | 实现多租户管理与权限隔离:small_orange_diamond: | |
安全审计 Audit |
操作审计 | 用户操作行为审计 |
会话审计 | 在线会话内容审计 | |
历史会话内容审计 | ||
录像审计 | 支持对 Linux、Windows 等资产操作的录像进行回放审计 | |
支持对 RemoteApp:small_orange_diamond:、MySQL 等应用操作的录像进行回放审计 | ||
指令审计 | 支持对资产和应用等操作的命令进行审计 | |
文件传输 | 可对文件的上传、下载记录进行审计 | |
数据库审计 Database |
连接方式 | 命令方式 |
Web UI方式 :small_orange_diamond: | ||
支持的数据库 | MySQL | |
Oracle :small_orange_diamond: | ||
MariaDB :small_orange_diamond: | ||
PostgreSQL :small_orange_diamond: | ||
功能亮点 | 语法高亮 | |
SQL格式化 | ||
支持快捷键 | ||
支持选中执行 | ||
SQL历史查询 | ||
支持页面创建 DB, TABLE | ||
会话审计 | 命令记录 | |
录像回放 |
1.4、架构图
- 首先前端是nginx提供的动态页面,可以通过浏览器来进行访问;
- 接着jumpserver为管理后台,管理员可以通过web页面进行资产管理、用户管理、资产授权等操作,用户可以通过web页面进行资产登录、文件管理等操作;
- coco 为ssh server和 web terminal server,用户可以使用自己的账户通过ssh或者web terminal访问ssh协议和telnet协议资产;
- Luna 为web terminal server前端页面,用户使用web terminal方式登录所需要的组件;
- Guacamole 为RDP协议和vnc协议资产组件,用户可以通过web terminal来连接RDP协议和vnc协议资产(暂时只能通过web terminal来访问);
1.5、端口说明
端口涉及如下端口:
- Jumpserver 默认端口为 8080/tcp ,浏览器访问的端口
- Coco 默认 SSH 端口为 2222/tcp,Web Terminal默认 端口为 5000/tcp ,通过ssh连接的时候使用的端口
- Guacamole 默认端口为 8081/tcp
- Nginx 默认端口为 80/tcp
- Redis 默认端口为 6379/tcp
- Mysql/Mariadb 默认端口为 3306/tcp
1.6、产品组件
-
Jumpserver:管理后台,是核心组件(Core), 使用 Django Class Based View 风格开发,支持 Restful API。
-
Coco:Coco为 SSH Server 和 Web Terminal Server。用户可以通过使用自己的账户登录 SSH 或者 Web Terminal直接访问被授权的资产。不需要知道服务器的账户和密码,现在 Coco 已经被 koko 取代。
-
Luna:luna 为 Web Terminal Server 前端页面,用户使用 Web Terminal 方式登录时所需要的插件。
-
Guacamole:Guacamole是一个开源项目,为远程桌面提供解决方案。Jumpserver 使用其组件实现 RDP和VNC 功能,Jumpserver 并没有修改其代码而是添加了额外的插件,支持 Jumpserver 调用。
二、安装JumpServer
- 极速安装:https://docs.jumpserver.org/zh/master/install/setup_by_fast/
- 完整文档:https://docs.jumpserver.org
- 演示视频:https://www.bilibili.com/video/BV1ZV41127GB
有2种安装方式,可以一键自动部署,也可以手动部署,建议一键自动部署。
2.1、一键自动部署
仅需两步快速安装 JumpServer:
- 准备一台 2核4G (最低)且可以访问互联网的 64 位 Linux 主机;
- 以 root 用户执行如下命令一键安装 JumpServer。
-- 一键安装启动
curl -sSL https://github.com/jumpserver/jumpserver/releases/download/v2.8.2/quick_start.sh | bash
-- 注意:安装过程需要下载docker环境,重启docker,下载很多镜像,最后大约占用空间3g左右,安装时间大约30分钟。
[root@docker36 jumpserver-installer-v2.8.2]# docker images | grep jumpserver
jumpserver/core v2.8.2 f3dd5c1946ec 2 days ago 1.01GB
jumpserver/guacamole v2.8.2 8869e8512eec 2 days ago 824MB
jumpserver/lina v2.8.2 98abb9179db1 2 days ago 27.9MB
jumpserver/luna v2.8.2 d2e17fada2f6 2 days ago 27MB
jumpserver/koko v2.8.2 40cdabc32153 2 days ago 426MB
jumpserver/mysql 5 697daaecf703 3 months ago 448MB
jumpserver/redis 6-alpine f731cd48185c 3 months ago 31.6MB
jumpserver/nginx alpine2 b47070d178ad 18 months ago 18.5MB
-- 若不能下载,请添加以下解析:
echo "
13.229.188.59 github.com
199.232.4.133 raw.githubusercontent.com
" >> /etc/hosts
echo "
nameserver 114.114.114.114
nameserver 8.8.8.8
nameserver 223.5.5.5
" > /etc/resolv.conf
-- 启动
cd /opt/jumpserver-installer-v2.8.2/
./jmsctl.sh start
-- 会启动9个容器,创建一个网络叫jms_net,子网为:"192.168.250.0/24"
-- 首次启动可能会报错,可以使用命令“docker logs -f jms_core --tail 200”查看,等表结构合并完毕后,确定该命令输出都是 ok, 没有 error, 重新 start 即可,详见https://docs.jumpserver.org/zh/master/install/setup_by_fast/
-- Web访问
http://192.168.66.36:8080
https://192.168.66.36:8443
(默认用户名密码为:admin/admin)
-- 启动后的容器和状态
[root@docker36 jumpserver-installer-v2.8.2]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
26b95ecb8900 jumpserver/nginx:alpine2 "sh -c 'crond -b -d …" 57 seconds ago Up 51 seconds (healthy) 0.0.0.0:8080->80/tcp, 0.0.0.0:8443->443/tcp jms_nginx
9c25659c23c4 jumpserver/luna:v2.8.2 "/docker-entrypoint.…" About a minute ago Up About a minute (healthy) 80/tcp jms_luna
c8d74738aaa2 jumpserver/lina:v2.8.2 "/docker-entrypoint.…" About a minute ago Up About a minute (healthy) 80/tcp jms_lina
bc24581c6d0a jumpserver/koko:v2.8.2 "./entrypoint.sh" About a minute ago Up About a minute (healthy) 0.0.0.0:2222->2222/tcp, 5000/tcp jms_koko
cc17285dc6ec jumpserver/guacamole:v2.8.2 "/init" About a minute ago Up About a minute (healthy) 8080/tcp jms_guacamole
edac0a216aa3 jumpserver/core:v2.8.2 "./entrypoint.sh sta…" About a minute ago Up About a minute (healthy) 8070/tcp, 8080/tcp jms_celery
2ca03ab4d62d jumpserver/core:v2.8.2 "./entrypoint.sh sta…" 11 minutes ago Up 11 minutes (healthy) 8070/tcp, 8080/tcp jms_core
69e9bdede65f jumpserver/redis:6-alpine "docker-entrypoint.s…" 13 minutes ago Up 13 minutes (healthy) 6379/tcp jms_redis
c73896dc22ad jumpserver/mysql:5 "docker-entrypoint.s…" 13 minutes ago Up 13 minutes (healthy) 3306/tcp, 33060/tcp jms_mysql
[root@docker36 jumpserver-installer-v2.8.2]#
[root@docker36 jumpserver-installer-v2.8.2]# ./jmsctl.sh status
Name Command State Ports
-----------------------------------------------------------------------------------------------------------
jms_celery ./entrypoint.sh start task Up (healthy) 8070/tcp, 8080/tcp
jms_core ./entrypoint.sh start web Up (healthy) 8070/tcp, 8080/tcp
jms_guacamole /init Up (healthy) 8080/tcp
jms_koko ./entrypoint.sh Up (healthy) 0.0.0.0:2222->2222/tcp, 5000/tcp
jms_lina /docker-entrypoint.sh ngin ... Up (healthy) 80/tcp
jms_luna /docker-entrypoint.sh ngin ... Up (healthy) 80/tcp
jms_mysql docker-entrypoint.sh --cha ... Up (healthy) 3306/tcp, 33060/tcp
jms_nginx sh -c crond -b -d 8 && ngi ... Up (healthy) 0.0.0.0:8443->443/tcp, 0.0.0.0:8080->80/tcp
jms_redis docker-entrypoint.sh redis ... Up (healthy) 6379/tcp
执行过程:
[root@docker36 ~]# curl -sSL https://github.com/jumpserver/jumpserver/releases/download/v2.8.2/quick_start.sh | bash
download install script to /opt/jumpserver-installe (开始下载安装脚本到 /opt/jumpserver-installe)
██╗██╗ ██╗███╗ ███╗██████╗ ███████╗███████╗██████╗ ██╗ ██╗███████╗██████╗
██║██║ ██║████╗ ████║██╔══██╗██╔════╝██╔════╝██╔══██╗██║ ██║██╔════╝██╔══██╗
██║██║ ██║██╔████╔██║██████╔╝███████╗█████╗ ██████╔╝██║ ██║█████╗ ██████╔╝
██ ██║██║ ██║██║╚██╔╝██║██╔═══╝ ╚════██║██╔══╝ ██╔══██╗╚██╗ ██╔╝██╔══╝ ██╔══██╗
╚█████╔╝╚██████╔╝██║ ╚═╝ ██║██║ ███████║███████╗██║ ██║ ╚████╔╝ ███████╗██║ ██║
╚════╝ ╚═════╝ ╚═╝ ╚═╝╚═╝ ╚══════╝╚══════╝╚═╝ ╚═╝ ╚═══╝ ╚══════╝╚═╝ ╚═╝
Version: v2.8.2
语言 Language (cn/en) (default cn):
>>> Install and Configure Docker
1. Install Docker
Starting to download Docker engine ...
complete
Starting to download Docker Compose binary ...
complete
2. Configure Docker
是否需要自定义 Docker 数据目录, 默认将使用 /var/lib/docker 目录? (y/n) (default n): complete
3. Start Docker
Docker version has changed or Docker configuration file has been changed, do you want to restart? (y/n) (default y): complete
>>> Loading Docker Image
[jumpserver/redis:6-alpine]
6-alpine: Pulling from jumpserver/redis
05e7bc50f07f: Pull complete
14c9d57a1c7f: Pull complete
ccd033d7ec06: Pull complete
6ff79b059f99: Pull complete
d91237314b77: Pull complete
c47d41ba6aa8: Pull complete
Digest: sha256:4920debee18fad71841ce101a7867743ff8fe7d47e6191b750c3edcfffc1cb18
Status: Downloaded newer image for swr.cn-south-1.myhuaweicloud.com/jumpserver/redis:6-alpine
Untagged: swr.cn-south-1.myhuaweicloud.com/jumpserver/redis:6-alpine
Untagged: swr.cn-south-1.myhuaweicloud.com/jumpserver/redis@sha256:4920debee18fad71841ce101a7867743ff8fe7d47e6191b750c3edcfffc1cb18
[jumpserver/mysql:5]
5: Pulling from jumpserver/mysql
6ec7b7d162b2: Pull complete
fedd960d3481: Pull complete
7ab947313861: Pull complete
64f92f19e638: Pull complete
3e80b17bff96: Pull complete
014e976799f9: Pull complete
59ae84fee1b3: Pull complete
7d1da2a18e2e: Pull complete
301a28b700b9: Pull complete
979b389fc71f: Pull complete
403f729b1bad: Pull complete
Digest: sha256:b3b2703de646600b008cbb2de36b70b21e51e7e93a7fca450d2b08151658b2dd
Status: Downloaded newer image for swr.cn-south-1.myhuaweicloud.com/jumpserver/mysql:5
Untagged: swr.cn-south-1.myhuaweicloud.com/jumpserver/mysql:5
Untagged: swr.cn-south-1.myhuaweicloud.com/jumpserver/mysql@sha256:b3b2703de646600b008cbb2de36b70b21e51e7e93a7fca450d2b08151658b2dd
[jumpserver/nginx:alpine2]
alpine2: Pulling from jumpserver/nginx
c87736221ed0: Pull complete
6ff0ab02fe54: Pull complete
e5b318df7728: Pull complete
b7a5a4fe8726: Pull complete
Digest: sha256:d25ed0a8c1b4957f918555c0dbda9d71695d7b336d24f7017a87b2081baf1112
Status: Downloaded newer image for swr.cn-south-1.myhuaweicloud.com/jumpserver/nginx:alpine2
Untagged: swr.cn-south-1.myhuaweicloud.com/jumpserver/nginx:alpine2
Untagged: swr.cn-south-1.myhuaweicloud.com/jumpserver/nginx@sha256:d25ed0a8c1b4957f918555c0dbda9d71695d7b336d24f7017a87b2081baf1112
[jumpserver/luna:v2.8.2]
v2.8.2: Pulling from jumpserver/luna
801bfaa63ef2: Pull complete
b1242e25d284: Pull complete
7453d3e6b909: Pull complete
07ce7418c4f8: Pull complete
e295e0624aa3: Pull complete
4363a3b6ab61: Pull complete
7270d1c7bfd7: Pull complete
Digest: sha256:47f6bc784a2c8b0bfdfdfc465bb5b62012122dc1cd83257afa09edb7d027bdca
Status: Downloaded newer image for swr.cn-south-1.myhuaweicloud.com/jumpserver/luna:v2.8.2
Untagged: swr.cn-south-1.myhuaweicloud.com/jumpserver/luna:v2.8.2
Untagged: swr.cn-south-1.myhuaweicloud.com/jumpserver/luna@sha256:47f6bc784a2c8b0bfdfdfc465bb5b62012122dc1cd83257afa09edb7d027bdca
[jumpserver/core:v2.8.2]
v2.8.2: Pulling from jumpserver/core
6ec7b7d162b2: Already exists
80ff6536d04b: Pull complete
2d04da85e485: Pull complete
998aa32a5c8a: Pull complete
7733ef26f344: Pull complete
d441f02b2497: Pull complete
64cad81ca92c: Pull complete
cf134c77199b: Pull complete
5c09bcf88bcf: Pull complete
fe2b4e1dc49b: Pull complete
328b09a36265: Pull complete
c5b2c15fd6d6: Pull complete
88d58a6b84f5: Pull complete
Digest: sha256:13a53d3ad8e67c7e25890e44aeaac0dfe9d0f23d75f420bd536181897a0a57a2
Status: Downloaded newer image for swr.cn-south-1.myhuaweicloud.com/jumpserver/core:v2.8.2
Untagged: swr.cn-south-1.myhuaweicloud.com/jumpserver/core:v2.8.2
Untagged: swr.cn-south-1.myhuaweicloud.com/jumpserver/core@sha256:13a53d3ad8e67c7e25890e44aeaac0dfe9d0f23d75f420bd536181897a0a57a2
[jumpserver/koko:v2.8.2]
v2.8.2: Pulling from jumpserver/koko
6d28e14ab8c8: Pull complete
0df8b93ef734: Pull complete
64e864129ede: Pull complete
0a873335f747: Pull complete
72734be47e36: Pull complete
210e6f3fd739: Pull complete
68eb2bfabdf9: Pull complete
2b514aadeb8d: Pull complete
b06884356f2d: Pull complete
48b4106b3314: Pull complete
c06b5a09cb3a: Pull complete
52981c83908c: Pull complete
4a31deb17aed: Pull complete
8080af3428ec: Pull complete
d45214541239: Pull complete
Digest: sha256:0e6b2c718c2bbc046d22240d245014361c4f151d0668efab3a0bdc3d6025fd27
Status: Downloaded newer image for swr.cn-south-1.myhuaweicloud.com/jumpserver/koko:v2.8.2
Untagged: swr.cn-south-1.myhuaweicloud.com/jumpserver/koko:v2.8.2
Untagged: swr.cn-south-1.myhuaweicloud.com/jumpserver/koko@sha256:0e6b2c718c2bbc046d22240d245014361c4f151d0668efab3a0bdc3d6025fd27
[jumpserver/guacamole:v2.8.2]
v2.8.2: Pulling from jumpserver/guacamole
6c33745f49b4: Pull complete
ef072fc32a84: Pull complete
c0afb8e68e0b: Pull complete
d599c07d28e6: Pull complete
e8a829023b97: Pull complete
2709df21cc5c: Pull complete
3bfb431a8cf5: Pull complete
bb9822eef866: Pull complete
5842bda2007b: Pull complete
453a23f25fcb: Pull complete
95325cfda054: Pull complete
d0bba8ca7733: Pull complete
77ed1f7e99c3: Pull complete
7c218a3bc8c8: Pull complete
b9b23e074906: Pull complete
6eb77dc135e9: Pull complete
5805059e25b4: Pull complete
8687f3be3de5: Pull complete
b3a371cb4926: Pull complete
0e0115337931: Pull complete
8871470a6d50: Pull complete
0983df4b79d8: Pull complete
97e3ae311d7b: Pull complete
033a9d7411c6: Pull complete
Digest: sha256:f6587bb65eb40dd101144ee89432a0310c46b245dcebc61965ae4de34fd82775
Status: Downloaded newer image for swr.cn-south-1.myhuaweicloud.com/jumpserver/guacamole:v2.8.2
Untagged: swr.cn-south-1.myhuaweicloud.com/jumpserver/guacamole:v2.8.2
Untagged: swr.cn-south-1.myhuaweicloud.com/jumpserver/guacamole@sha256:f6587bb65eb40dd101144ee89432a0310c46b245dcebc61965ae4de34fd82775
[jumpserver/lina:v2.8.2]
v2.8.2: Pulling from jumpserver/lina
801bfaa63ef2: Already exists
b1242e25d284: Already exists
7453d3e6b909: Already exists
07ce7418c4f8: Already exists
e295e0624aa3: Already exists
f2cd4bacfc5e: Pull complete
16594fe0b0fc: Pull complete
Digest: sha256:f809b70fcdcbb9216dfa40c6ab1bd293ca85e3eaf2d2c4d77ae9a1e80e0c82e5
Status: Downloaded newer image for swr.cn-south-1.myhuaweicloud.com/jumpserver/lina:v2.8.2
Untagged: swr.cn-south-1.myhuaweicloud.com/jumpserver/lina:v2.8.2
Untagged: swr.cn-south-1.myhuaweicloud.com/jumpserver/lina@sha256:f809b70fcdcbb9216dfa40c6ab1bd293ca85e3eaf2d2c4d77ae9a1e80e0c82e5
>>> Install and Configure JumpServer
1. Check Configuration File
Path to Configuration file: /opt/jumpserver/config
/opt/jumpserver/config/config.txt [ √ ]
/opt/jumpserver/config/nginx/lb_http_server.conf [ √ ]
/opt/jumpserver/config/nginx/lb_ssh_server.conf [ √ ]
/opt/jumpserver/config/core/config.yml [ √ ]
/opt/jumpserver/config/koko/config.yml [ √ ]
/opt/jumpserver/config/mysql/my.cnf [ √ ]
/opt/jumpserver/config/redis/redis.conf [ √ ]
complete
2. Configure Nginx
configuration file: /opt/jumpserver/config/nginx/cert
/opt/jumpserver/config/nginx/cert/server.crt [ √ ]
/opt/jumpserver/config/nginx/cert/server.key [ √ ]
complete
3. Backup Configuration File
Back up to /opt/jumpserver/config/backup/config.txt.2021-03-26_10-26-53
complete
4. Configure Network
Do you want to support IPv6? (y/n) (default n): complete
5. Configure Private Key
SECRETE_KEY: ICAgICAgICBUWCBlcnJvcnMgMCAgZHJvcHBlZCAwIG92ZXJyd
BOOTSTRAP_TOKEN: ICAgICAgICBUWCBl
complete
6. Configure Persistent Directory
Do you need custom persistent store, will use the default directory /opt/jumpserver? (y/n) (default n): complete
7. Configure MySQL
Do you want to use external MySQL? (y/n) (default n): complete
8. Configure Redis
Do you want to use external Redis? (y/n) (default n): complete
>>> The Installation is Complete
1. You can use the following command to start, and then visit
./jmsctl.sh start
2. Other management commands
./jmsctl.sh stop
./jmsctl.sh restart
./jmsctl.sh backup
./jmsctl.sh upgrade
For more commands, you can enter ./jmsctl.sh --help to understand
3. Web access
http://172.17.0.3:8080
https://172.17.0.3:8443
Default username: admin Default password: admin
4. SSH/SFTP access
ssh admin@172.17.0.3 -p2222
sftp -P2222 admin@172.17.0.3
5. More information
Offical Website: https://www.jumpserver.org/
Documentation: https://docs.jumpserver.org/
[root@docker36 ~]# cd /opt/jumpserver-installer-v2.8.2/
[root@docker36 jumpserver-installer-v2.8.2]# ll
总用量 28
drwxrwxr-x 3 root root 4096 3月 18 14:41 compose
-rw-rw-r-- 1 root root 1863 3月 18 14:41 config-example.txt
drwxrwxr-x 7 root root 80 3月 18 14:41 config_init
-rwxrwxr-x 1 root root 5503 3月 18 14:41 jmsctl.sh
drwxrwxr-x 4 root root 27 3月 18 14:41 locale
-rw-rw-r-- 1 root root 2603 3月 18 14:41 README.md
drwxrwxr-x 2 root root 4096 3月 18 14:41 scripts
-rw-rw-r-- 1 root root 46 3月 26 11:54 static.env
drwxrwxr-x 2 root root 39 3月 18 14:41 utils
[root@docker36 jumpserver-installer-v2.8.2]# ./jmsctl.sh start
Creating network "jms_net" with driver "bridge"
Creating jms_redis ... done
Creating jms_mysql ... done
Creating jms_core ... done
Creating jms_celery ... done
Creating jms_guacamole ... done
Creating jms_lina ... done
Creating jms_koko ... done
Creating jms_luna ... done
Creating jms_nginx ... done
提示:第一次登陆时,它会让我们重设密码;
提示:重设密码后,重新登录,jumpserver的首页就是下图这样;后续我们就可以在这个界面来管理内网服务器了;到此jumpserver服务器就搭建好了;
2.2、手动部署
cd /opt
yum -y install wget
wget https://github.com/jumpserver/installer/releases/download/v2.8.2/jumpserver-installer-v2.8.2.tar.gz
tar -xf jumpserver-installer-v2.8.2.tar.gz
cd jumpserver-installer-v2.8.2
cat config-example.txt
# 以下设置如果为空系统会自动生成随机字符串填入
## 迁移请修改 SECRET_KEY 和 BOOTSTRAP_TOKEN 为原来的设置
## 安装配置
DOCKER_IMAGE_PREFIX=swr.cn-south-1.myhuaweicloud.com
VOLUME_DIR=/opt/jumpserver
DOCKER_DIR=/var/lib/docker
SECRET_KEY=
BOOTSTRAP_TOKEN=
LOG_LEVEL=ERROR
## 使用外置 MySQL 配置
USE_EXTERNAL_MYSQL=0
DB_HOST=mysql
DB_PORT=3306
DB_USER=root
DB_PASSWORD=
DB_NAME=jumpserver
## 使用外置 Redis 配置
USE_EXTERNAL_REDIS=0
REDIS_HOST=redis
REDIS_PORT=6379
REDIS_PASSWORD=
## Compose 项目设置
COMPOSE_PROJECT_NAME=jms
COMPOSE_HTTP_TIMEOUT=3600
DOCKER_CLIENT_TIMEOUT=3600
DOCKER_SUBNET=192.168.250.0/24
## IPV6
DOCKER_SUBNET_IPV6=2001:db8:10::/64
USE_IPV6=0
## Nginx 配置,这个 Nginx 是用来分发路径到不同的服务
HTTP_PORT=80
HTTPS_PORT=443
SSH_PORT=2222
## LB 配置, 这个 Nginx 是 HA 时可以启动负载均衡到不同的主机
USE_LB=0
LB_HTTP_PORT=80
LB_HTTPS_PORT=443
LB_SSH_PORT=2222
## Task 配置
USE_TASK=1
## XPack
USE_XPACK=0
# Mysql 容器配置
MYSQL_ROOT_PASSWORD=
MYSQL_DATABASE=jumpserver
# Core 配置
# SESSION_COOKIE_AGE=86400
SESSION_EXPIRE_AT_BROWSER_CLOSE=true
### Keycloak 配置方式
### AUTH_OPENID=true
### BASE_SITE_URL=https://jumpserver.company.com/
### AUTH_OPENID_SERVER_URL=https://keycloak.company.com/auth
### AUTH_OPENID_REALM_NAME=cmp
### AUTH_OPENID_CLIENT_ID=jumpserver
### AUTH_OPENID_CLIENT_SECRET=
### AUTH_OPENID_SHARE_SESSION=true
### AUTH_OPENID_IGNORE_SSL_VERIFICATION=true
# Koko 配置
CORE_HOST=http://core:8080
# Guacamole 配置
JUMPSERVER_SERVER=http://core:8080
JUMPSERVER_KEY_DIR=/config/guacamole/data/key/
JUMPSERVER_RECORD_PATH=/config/guacamole/data/record/
JUMPSERVER_DRIVE_PATH=/config/guacamole/data/drive/
JUMPSERVER_ENABLE_DRIVE=true
JUMPSERVER_CLEAR_DRIVE_SESSION=true
JUMPSERVER_CLEAR_DRIVE_SCHEDULE=24
- 点赞
- 收藏
- 关注作者
评论(0)