Deploying an Enterprise-Grade Bastion Host, JumpServer, from Zero to One
Enterprise-grade bastion host: JumpServer deployment
JumpServer is currently one of the most widely adopted open-source bastion hosts on the market: a professional operations security audit system that follows the 4A specification. It lets an enterprise control and log in to all types of assets in a more secure way, providing authorization before access, monitoring during access and auditing afterwards, and it satisfies MLPS (等保) compliance requirements.
Deploying JumpServer in an enterprise offers the following advantages and features:
● Open source: zero barrier to entry, quick to obtain and install online
● Distributed: easily supports large-scale concurrent access
● Plugin-free: only a browser is needed, for a superb Web Terminal experience
● Multi-cloud: one system manages assets on different clouds at the same time
● Cloud storage: audit recordings are stored in the cloud and never lost
● Multi-tenant: one system used by multiple subsidiaries and departments at the same time
This document walks through installing and deploying an enterprise-grade bastion host; all of the examples below were deployed in a personal test environment. In a real production environment, adjust them to fit the enterprise's actual requirements.
1. JumpServer deployment
1.1. Preparing the deployment environment
- Hardware: at least 2 CPU cores, 4 GB RAM and 50 GB disk
- Operating system: Ubuntu 22.04 x86_64
- Python environment: version 3.6.x
- MySQL: MySQL Server ≥ 5.6 or MariaDB Server ≥ 5.5.56, with the database character set set to utf8; newer JumpServer versions require 5.7 or above
- Redis: newer JumpServer versions require 6.0 or above
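The version requirements above, turned into a pre-flight check that can be run on the host before anything is installed. This is an added example, not part of the original article; it works on version strings only, assumes the output formats of `mysql --version` and `redis-cli info server`, and the function names are its own.

```shell
#!/bin/sh
# Added example, not part of the original article: pre-flight check of the
# version requirements (external MySQL >= 5.7; Redis >= 6.0 but not 7.0,
# which section 1.5 notes is unsupported). Pure string handling, so it runs
# before any service is installed.

# Pull the first dotted version number (e.g. 8.0.29) out of a tool's output,
# such as `mysql --version` or `redis-cli info server`.
extract_version() {
    printf '%s\n' "$1" | grep -oE '[0-9]+\.[0-9]+(\.[0-9]+)?' | head -n1
}

# Turn "major.minor.patch" into one comparable integer. A suffix such as
# "-oracle" is dropped; missing minor/patch components count as 0.
version_num() {
    v=${1%%[!0-9.]*}
    set -- $(printf '%s' "$v" | tr '.' ' ')
    echo $(( ${1:-0} * 10000 + ${2:-0} * 100 + ${3:-0} ))
}

# True when version $1 is greater than or equal to version $2.
version_ge() {
    [ "$(version_num "$1")" -ge "$(version_num "$2")" ]
}

# External MySQL must be 5.7 or newer.
check_mysql_version() {
    version_ge "$1" 5.7
}

# External Redis must be 6.0 or newer, and Redis 7.0 is not supported.
check_redis_version() {
    version_ge "$1" 6.0 && ! version_ge "$1" 7.0
}

# Report on both services given the raw tool output; non-zero if either fails.
preflight() {
    mysql_v=$(extract_version "$1")
    redis_v=$(extract_version "$2")
    rc=0
    if check_mysql_version "$mysql_v"; then
        echo "MySQL ${mysql_v}: OK (>= 5.7)"
    else
        echo "MySQL ${mysql_v:-unknown}: NOT supported, need >= 5.7"; rc=1
    fi
    if check_redis_version "$redis_v"; then
        echo "Redis ${redis_v}: OK (6.x)"
    else
        echo "Redis ${redis_v:-unknown}: NOT supported, need 6.0 <= version < 7.0"; rc=1
    fi
    return $rc
}

# When saved as preflight.sh and executed directly, check the local clients
# (hypothetical file name; adjust the Redis host as needed).
case "$0" in
    preflight.sh|*/preflight.sh)
        preflight "$(mysql --version 2>/dev/null)" \
                  "$(redis-cli -h 10.0.0.207 info server 2>/dev/null)" ;;
esac
```

Once the MySQL and Redis clients are installed, call `preflight "$(mysql --version)" "$(redis-cli -h 10.0.0.207 info server)"` and act on a non-zero exit status before continuing with the container setup.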
1.2. Docker-based deployment
Environment notes
External MySQL and Redis are used
- The external MySQL must be version 5.7 or later
- The external Redis must be version 6.0 or later
# To deploy MySQL yourself, see
(https://docs.jumpserver.org/zh/master/install/setup_by_lb/#mysql)
# Create the MySQL user and grant privileges; replace nu4x599Wq7u0Bn8EABh3J91G with your own password
mysql -u root -p
create database jumpserver default charset 'utf8';
create user 'jumpserver'@'%' identified by 'nu4x599Wq7u0Bn8EABh3J91G';
grant all on jumpserver.* to 'jumpserver'@'%';
flush privileges;
# To deploy Redis yourself, see
(https://docs.jumpserver.org/zh/master/install/setup_by_lb/#redis)
Once the container-based installation is complete, JumpServer can be accessed as follows
● Browser: http://<IP of the server hosting the container>
● Default administrator account admin, password admin
● SSH: ssh -p 2222 <IP of the server hosting the container>
● For XShell and similar tools, add a connection; the default SSH port is 2222
1.3. Installing Docker
apt update && apt list docker.io
apt -y install docker.io
[root@localhost ~]# docker version
Client: Docker Engine - Community
Version: 24.0.5
API version: 1.44
Go version: go1.21.6
Git commit: 29cf629
Built: Tue Jan 23 23:10:32 2024
OS/Arch: linux/amd64
Context: default
Server: Docker Engine - Community
Engine:
Version: 24.0.5
API version: 1.44 (minimum version 1.24)
Go version: go1.21.6
Git commit: 71fa3ab
Built: Tue Jan 23 23:09:31 2024
OS/Arch: linux/amd64
Experimental: false
containerd:
Version: 1.6.27
GitCommit: a1496014c916f9e62104b33d1bb5bd03b0858e59
runc:
Version: 1.1.11
GitCommit: v1.1.11-0-g4bccb38
docker-init:
Version: 0.19.0
GitCommit: de40ad0
[root@localhost ~]#
1.4. Installing MySQL
Note: JumpServer v3.8.1 supports MySQL 8.0, but the default MySQL 8.0 authentication plugin is caching_sha2_password, which does not meet the requirement; it must be changed to mysql_native_password.
Versions before JumpServer v2.28.7 do not support MySQL 8.0 by default; use MySQL 5.7 with them.
MySQL requirements:
create database jumpserver default charset 'utf8';
create user 'jumpserver'@'%' identified by 'nu4x599Wq7u0Bn8EABh3J91G';
grant all on jumpserver.* to 'jumpserver'@'%';
flush privileges;
1) Prepare the MySQL configuration files on the host so they can be mounted when the container starts
Prepare the directories
[root@Ubuntu2204 ~]#mkdir -p /etc/mysql/mysql.conf.d/
[root@Ubuntu2204 ~]#mkdir -p /etc/mysql/conf.d/
Generate the server configuration file and set the character set
[root@Ubuntu2204 ~]#tee /etc/mysql/mysql.conf.d/mysqld.cnf <<EOF
[mysqld]
pid-file= /var/run/mysqld/mysqld.pid
socket= /var/run/mysqld/mysqld.sock
datadir= /var/lib/mysql
symbolic-links=0
character-set-server=utf8 # add this line to set the character set
EOF
# Generate the client configuration file and set the character set
[root@Ubuntu2204 ~]#tee /etc/mysql/conf.d/mysql.cnf <<EOF
[mysql]
default-character-set=utf8
EOF
List the configuration files
[root@Ubuntu2204 ~]#tree /etc/mysql/
/etc/mysql/
├── conf.d
│   └── mysql.cnf
└── mysql.conf.d
    └── mysqld.cnf

2 directories, 2 files
2) Start the MySQL container
Mount the configuration files prepared on the host into the MySQL container (with MySQL 8.0 the default character set, utf8, already satisfies the requirement, so no further change is needed there, but the authentication plugin must be changed)
# The default MySQL 8.0 authentication plugin is caching_sha2_password, which does not meet the requirement; change it to mysql_native_password
[root@ubuntu2204 ~]#cat mysqld.cnf
[mysqld]
default_authentication_plugin=mysql_native_password
# Start the MySQL container
[root@Ubuntu2204 ~]#docker run -d -p 3306:3306 --name mysql --restart always \
-e MYSQL_ROOT_PASSWORD=123456 \
-e MYSQL_DATABASE=jumpserver \
-e MYSQL_USER=jumpserver \
-e MYSQL_PASSWORD=123456 \
-v /data/mysql:/var/lib/mysql \
-v /etc/mysql/mysql.conf.d/mysqld.cnf:/etc/mysql/mysql.conf.d/mysqld.cnf \
-v /etc/mysql/conf.d/mysql.cnf:/etc/mysql/conf.d/mysql.cnf mysql:8.0.29-oracle
3) Verify MySQL
[root@Ubuntu2204 ~]#docker exec -it mysql bash
bash-4.4# mysql -p123456 -e 'show variables like "charater%"'
mysql: [Warning] Using a password on the command line interface can be insecure.
bash-4.4# mysql -p123456 -e 'show variables like "character%"'
mysql: [Warning] Using a password on the command line interface can be insecure.
+--------------------------+--------------------------------+
| Variable_name | Value |
+--------------------------+--------------------------------+
| character_set_client | utf8mb3 |
| character_set_connection | utf8mb3 |
| character_set_database | utf8mb4 |
| character_set_filesystem | binary |
| character_set_results | utf8mb3 |
| character_set_server | utf8mb4 |
| character_set_system | utf8mb3 |
| character_sets_dir | /usr/share/mysql-8.0/charsets/ |
+--------------------------+--------------------------------+
bash-4.4# mysql -p123456 -e 'show variables like "collation%"'
mysql: [Warning] Using a password on the command line interface can be insecure.
+----------------------+--------------------+
| Variable_name | Value |
+----------------------+--------------------+
| collation_connection | utf8_general_ci |
| collation_database | utf8mb4_0900_ai_ci |
| collation_server | utf8mb4_0900_ai_ci |
+----------------------+--------------------+
bash-4.4# mysql -p123456
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 11
Server version: 8.0.29 MySQL Community Server - GPL
Copyright (c) 2000, 2022, Oracle and/or its affiliates.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| jumpserver |
| mysql |
| performance_schema |
| sys |
+--------------------+
5 rows in set (0.01 sec)
mysql> use jumpserver
Database changed
mysql> show tables;
Empty set (0.00 sec)
# Test connecting to MySQL
[root@node2 ~]#mysql -ujumpserver -p123456 -h10.0.0.207
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 12
Server version: 8.0.29 MySQL Community Server - GPL
Copyright (c) 2000, 2024, Oracle and/or its affiliates.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| jumpserver |
+--------------------+
2 rows in set (0.01 sec)
mysql> use jumpserver;
Database changed
mysql> show tables;
Empty set (0.00 sec)
mysql>
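The manual verification above (character set, authentication plugin, the jumpserver account) can be scripted as a pass/fail check instead of reading the tables by eye. This is an added example and not part of the original article; it assumes the tab-separated output of `mysql -N -B -e ...`, the helper names are its own, and the sample outputs inside it are constructed for the test.

```shell
#!/bin/sh
# Added example, not part of the original article: verify the MySQL settings
# JumpServer needs from the tab-separated batch output of
#   mysql -uroot -p -h10.0.0.207 -N -B -e 'show variables'
#   mysql -uroot -p -h10.0.0.207 -N -B -e "select user,host,plugin from mysql.user"
# (-p without a value prompts for the password instead of taking it on the
# command line, which is what the warning in the session above is about).

# Print the value of one variable from "name<TAB>value" lines on stdin.
var_value() {
    awk -F'\t' -v name="$1" '$1 == name { print $2; exit }'
}

# The server and database character sets must be a utf8 variant
# (utf8, utf8mb3 or utf8mb4; the article accepts the MySQL 8.0 default).
check_charset() {
    for name in character_set_server character_set_database; do
        val=$(printf '%s\n' "$1" | var_value "$name")
        case "$val" in
            utf8|utf8mb3|utf8mb4) ;;
            *) echo "FAIL: $name is '${val:-unset}', expected a utf8 variant"; return 1 ;;
        esac
    done
    echo "OK: character sets are utf8"
}

# MySQL 8.0 defaults to caching_sha2_password, which JumpServer v3.8.1 cannot
# use; the server default must have been switched to mysql_native_password.
check_default_plugin() {
    val=$(printf '%s\n' "$1" | var_value default_authentication_plugin)
    if [ "$val" = mysql_native_password ]; then
        echo "OK: default_authentication_plugin is mysql_native_password"
    else
        echo "FAIL: default_authentication_plugin is '${val:-unset}'"; return 1
    fi
}

# Check the account JumpServer logs in with, from the mysql.user rows.
# The plugin is mandatory; a host of '%' (as created above) only produces a
# warning, because it allows logins from any address, not just the
# JumpServer host.
check_jumpserver_user() {
    line=$(printf '%s\n' "$1" | awk -F'\t' '$1 == "jumpserver" { print; exit }')
    if [ -z "$line" ]; then
        echo "FAIL: no 'jumpserver' account in mysql.user"; return 1
    fi
    host=$(printf '%s\n' "$line" | cut -f2)
    plugin=$(printf '%s\n' "$line" | cut -f3)
    if [ "$plugin" != mysql_native_password ]; then
        echo "FAIL: jumpserver@$host uses plugin '$plugin'"; return 1
    fi
    if [ "$host" = '%' ]; then
        echo "WARN: jumpserver@% can connect from any address; consider limiting the host to the JumpServer server"
    fi
    echo "OK: jumpserver@$host uses mysql_native_password"
}

# Run every check; returns non-zero if any of them fails.
verify_mysql() {
    rc=0
    check_charset "$1" || rc=1
    check_default_plugin "$1" || rc=1
    check_jumpserver_user "$2" || rc=1
    return $rc
}

# Constructed sample output (the shape `mysql -N -B -e` produces), matching
# the values shown in the session above.
SAMPLE_VARS=$(printf 'character_set_database\tutf8mb4\ncharacter_set_server\tutf8mb4\ndefault_authentication_plugin\tmysql_native_password\n')
SAMPLE_USERS=$(printf 'jumpserver\t%%\tmysql_native_password\n')
```

Live use is `verify_mysql "$(mysql -uroot -p -h10.0.0.207 -N -B -e 'show variables')" "$(mysql -uroot -p -h10.0.0.207 -N -B -e "select user,host,plugin from mysql.user")"`; reading mysql.user needs the root account, the jumpserver account only has rights on its own database.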
1.5. Installing Redis
The external Redis must be version 6.0 or later
Note: Redis 7.0 is not supported
1) Start the Redis service
docker run -d -p 6379:6379 --name redis --restart always redis:6.2.14
2) Verify the Redis connection
# A Redis client must be installed before connecting from a client machine
[root@node2 ~]#redis-cli -h 10.0.0.207
10.0.0.207:6379> info
# Server
redis_version:6.2.14
redis_git_sha1:00000000
redis_git_dirty:0
1.6. Deploying JumpServer
1) Generate the key and token
One-click key generation script
[root@ubuntu2204 ~]#cat key.sh
#!/bin/bash
# Generate a 50-character SECRET_KEY once and persist it in ~/.bashrc;
# if SECRET_KEY is already set in the environment, reuse it
if [ ! "$SECRET_KEY" ]; then
    SECRET_KEY=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 50`;
    echo "SECRET_KEY=$SECRET_KEY" >> ~/.bashrc;
    echo SECRET_KEY=$SECRET_KEY;
else
    echo SECRET_KEY=$SECRET_KEY;
fi
# Same for the 16-character BOOTSTRAP_TOKEN
if [ ! "$BOOTSTRAP_TOKEN" ]; then
    BOOTSTRAP_TOKEN=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 16`;
    echo "BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN" >> ~/.bashrc;
    echo BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN;
else
    echo BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN;
fi
[root@ubuntu2204 ~]#bash key.sh
[root@Ubuntu2204 ~]#tail -n2 .bashrc
SECRET_KEY=JjQEhtXDV9UtQOa88XmdrqBxrNnlSlBc71aD7tSYBa6U7cRscI
BOOTSTRAP_TOKEN=8gjc18GkkAWvIou2
[root@Ubuntu2204 ~]#
2) Run the container
[root@ubuntu2204 ~]#docker run --name jms_all -d \
-p 80:80 \
-p 2222:2222 \
-p 30000-30100:30000-30100 \
-e SECRET_KEY=JjQEhtXDV9UtQOa88XmdrqBxrNnlSlBc71aD7tSYBa6U7cRscI \
-e BOOTSTRAP_TOKEN=8gjc18GkkAWvIou2 \
-e LOG_LEVEL=ERROR \
-e DB_HOST=10.0.0.207 \
-e DB_PORT=3306 \
-e DB_USER=jumpserver \
-e DB_PASSWORD=123456 \
-e DB_NAME=jumpserver \
-e REDIS_HOST=10.0.0.207 \
-e REDIS_PORT=6379 \
-e REDIS_PASSWORD='' \
--privileged=true \
-v /opt/jumpserver/core/data:/opt/jumpserver/data \
-v /opt/jumpserver/koko/data:/opt/koko/data \
-v /opt/jumpserver/lion/data:/opt/lion/data \
-v /opt/jumpserver/magnus/data:/opt/magnus/data \
-v /opt/jumpserver/kael/data:/opt/kael/data \
-v /opt/jumpserver/chen/data:/opt/chen/data \
-v /opt/jumpserver/web/log:/var/log/nginx \
jumpserver/jms_all:v3.8.1
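Steps 1) and 2) above put the generated SECRET_KEY and BOOTSTRAP_TOKEN into ~/.bashrc and then type them into the docker run command, where they end up in the shell history. The following is an added example, not code from the original article or from the JumpServer project: it generates the same two secrets, stores them in a root-only env file (the path /opt/jumpserver/jms.env is an assumption), checks that file, and starts the container with `--env-file` instead of `-e` flags. The DB and Redis values are the article's own; REDIS_PASSWORD is left empty because the Redis container above runs without one.

```shell
#!/bin/sh
# Added example, not from the original article or the JumpServer project.
# Generates SECRET_KEY / BOOTSTRAP_TOKEN as key.sh does, keeps them in a
# mode-0600 env file (assumed path: /opt/jumpserver/jms.env) instead of
# ~/.bashrc, and passes that file to docker run with --env-file.

# Random string of $1 characters drawn from [A-Za-z0-9], from /dev/urandom
# (the same source and alphabet key.sh uses).
gen_secret() {
    tr -dc 'A-Za-z0-9' </dev/urandom | head -c "$1"
}

# True when $1 is at least $2 characters long and contains only [A-Za-z0-9].
valid_secret() {
    [ "${#1}" -ge "$2" ] && [ -z "$(printf '%s' "$1" | tr -d 'A-Za-z0-9')" ]
}

# Create the env file (mode 0600 via umask) unless it already exists: the
# same SECRET_KEY has to be reused whenever the container is re-created.
write_env_file() {
    file=$1
    if [ -f "$file" ]; then
        echo "$file exists, keeping the current keys" >&2
        return 0
    fi
    secret=$(gen_secret 50)
    token=$(gen_secret 16)
    ( umask 077 && cat >"$file" ) <<EOF
SECRET_KEY=$secret
BOOTSTRAP_TOKEN=$token
LOG_LEVEL=ERROR
DB_HOST=10.0.0.207
DB_PORT=3306
DB_USER=jumpserver
DB_PASSWORD=123456
DB_NAME=jumpserver
REDIS_HOST=10.0.0.207
REDIS_PORT=6379
REDIS_PASSWORD=
EOF
}

# Verify the env file before starting the container: every key the docker
# run command needs is set, the secrets are well formed, and the file is
# readable by its owner only. Prints each problem; non-zero on any.
check_env_file() {
    file=$1 rc=0
    for key in SECRET_KEY BOOTSTRAP_TOKEN DB_HOST DB_PORT DB_USER DB_PASSWORD DB_NAME REDIS_HOST REDIS_PORT; do
        grep -q "^$key=." "$file" || { echo "missing: $key"; rc=1; }
    done
    valid_secret "$(sed -n 's/^SECRET_KEY=//p' "$file")" 50 \
        || { echo "SECRET_KEY must be at least 50 chars of [A-Za-z0-9]"; rc=1; }
    valid_secret "$(sed -n 's/^BOOTSTRAP_TOKEN=//p' "$file")" 16 \
        || { echo "BOOTSTRAP_TOKEN must be at least 16 chars of [A-Za-z0-9]"; rc=1; }
    perm=$(stat -c %a "$file" 2>/dev/null || stat -f %Lp "$file")
    [ "$perm" = 600 ] || { echo "$file is mode $perm, expected 600"; rc=1; }
    return $rc
}

# The article's docker run command, with --env-file replacing the -e flags.
run_jumpserver() {
    docker run --name jms_all -d \
        -p 80:80 \
        -p 2222:2222 \
        -p 30000-30100:30000-30100 \
        --env-file "$1" \
        --privileged=true \
        -v /opt/jumpserver/core/data:/opt/jumpserver/data \
        -v /opt/jumpserver/koko/data:/opt/koko/data \
        -v /opt/jumpserver/lion/data:/opt/lion/data \
        -v /opt/jumpserver/magnus/data:/opt/magnus/data \
        -v /opt/jumpserver/kael/data:/opt/kael/data \
        -v /opt/jumpserver/chen/data:/opt/chen/data \
        -v /opt/jumpserver/web/log:/var/log/nginx \
        jumpserver/jms_all:v3.8.1
}

# On the host, as root:
#   write_env_file /opt/jumpserver/jms.env && \
#   check_env_file /opt/jumpserver/jms.env && \
#   run_jumpserver /opt/jumpserver/jms.env
```

The values still reach the container as environment variables (docker inspect shows them), so this only keeps them out of the shell history and of files every login shell reads; the env file itself should be backed up with the data directories, since the secret key is what ties the stored data to this deployment.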
3) Check whether it succeeded
[root@Ubuntu2204 ~]#docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
61b529747cb2 jumpserver/jms_all:v3.8.1 "./entrypoint.sh" About a minute ago Up About a minute 0.0.0.0:80->80/tcp, :::80->80/tcp, 0.0.0.0:2222->2222/tcp, :::2222->2222/tcp, 0.0.0.0:30000-30100->30000-30100/tcp, :::30000-30100->30000-30100/tcp jms_all
a3bba6de5346 redis:6.2.14 "docker-entrypoint.s…" 16 minutes ago Up 16 minutes 0.0.0.0:6379->6379/tcp, :::6379->6379/tcp redis
a8c19fdfd2c1 mysql:8.0.29-oracle "docker-entrypoint.s…" 37 minutes ago Up 37 minutes 0.0.0.0:3306->3306/tcp, :::3306->3306/tcp, 33060/tcp mysql
1.7. Verify login