Jumpserver is an open-source jump server / bastion host system written in Python and built on Django, designed to help internet companies manage users, assets, permissions and auditing efficiently. Jumpserver implements the functions a jump server should have; it manages hosts over the SSH protocol, and the managed clients need no agent installed.
Project address: https://github.com/jumpserver/jumpserver
Jumpserver features:
1) Fully open source, GPL licensed
2) Written in Python, easy to extend
3) Implements the basic jump-server functions: authentication, access control, authorization, auditing, batch operations, etc.
4) Integrates Ansible for batch commands and similar tasks
5) Supports WebTerminal
6) Built with Bootstrap, with a clean interface
7) Automatic collection of hardware information
8) Session recording and replay
9) Command search
10) Real-time monitoring
11) Batch upload and download
That is enough introduction; below is a record of installing Jumpserver and using its functions:
1) Stop iptables and disable SELinux on the host where Jumpserver is deployed
[root@jumpserver ~]# /etc/init.d/iptables stop
[root@jumpserver ~]# setenforce 0
2) Install the dependency packages
[root@jumpserver ~]# yum -y install epel-release
[root@jumpserver ~]# yum clean all && yum makecache
[root@jumpserver ~]# yum -y update
[root@jumpserver ~]# yum -y install git python-pip mysql-devel gcc automake autoconf python-devel vim sshpass lrzsz readline-devel
-
3) Download jumpserver
Download address: https://pan.baidu.com/s/1jI7hL4q
Extraction password: 4c7s
[root@jumpserver ~]# tar -zvxf jumpserver-0.3.0.tar.gz
[root@jumpserver ~]# cd jumpserver-0.3.0-beta/install/
[root@jumpserver install]# ls
developer_doc.txt initial_data.yaml install.py next.py requirements.txt zzjumpserver.sh
-
4) Run the quick installation (install the Python requirements)
[root@jumpserver install]# pip install --upgrade pip
[root@jumpserver install]# pip install -r requirements.txt
...........
...........
Running setup.py install for ansible
Running setup.py install for pyinotify
Found existing installation: argparse 1.2.1
Uninstalling argparse-1.2.1:
Successfully uninstalled argparse-1.2.1
Successfully installed MarkupSafe-1.0 MySQL-python-1.2.5 PyYAML-3.12 ansible-1.9.4 argparse-1.4.0 backports-abc-0.5 backports.ssl-match-hostname-3.5.0.1 certifi-2017.4.17 django-1.6 django-bootstrap-form-3.2 django-crontab-0.6.0 ecdsa-0.13 jinja2-2.9.6 paramiko-1.16.0 passlib-1.6.5 psutil-3.3.0 pycrypto-2.6.1 pyinotify-0.9.6 singledispatch-3.4.0.3 tornado-4.3 xlrd-0.9.4 xlsxwriter-0.7.7
-
5) List the installed packages
[root@jumpserver install]# pip freeze
You are using pip version 7.1.0, however version 9.0.1 is available.
You should consider upgrading via the 'pip install --upgrade pip' command.
ansible==1.9.4
argparse==1.4.0
backports-abc==0.5
backports.ssl-match-hostname==3.5.0.1
cas==0.15
certifi==2017.4.17
Django==1.6
django-bootstrap-form==3.2
django-crontab==0.6.0
ecdsa==0.13
ethtool==0.6
iniparse==0.3.1
iotop==0.3.2
iwlib==1.0
Jinja2==2.9.6
MarkupSafe==1.0
matplotlib==0.99.1.1
MySQL-python==1.2.5
nose==0.10.4
numpy==1.4.1
ordereddict==1.2
paramiko==1.16.0
passlib==1.6.5
psutil==3.3.0
pycrypto==2.6.1
pycurl==7.19.0
pygpgme==0.1
pyinotify==0.9.6
python-dateutil==1.4.1
python-dmidecode==3.10.15
pytz===2010h
PyYAML==3.12
singledispatch==3.4.0.3
six==1.9.0
tornado==4.3
urlgrabber==3.9.1
xlrd==0.9.4
XlsxWriter==0.7.7
yum-metadata-parser==1.1.2
-
6) MySQL was already installed on this host beforehand (for the MySQL installation see: http://www.cnblogs.com/kevingrace/p/6109679.html)
The jumpserver database must be created in MySQL in advance and connection privileges granted, so that it can be used during the Jumpserver installation (as follows):
mysql> create database jumpserver;
Query OK, 1 row affected (0.00 sec)
mysql> grant all on jumpserver.* to root@'182.48.115.%' identified by "123456";
Query OK, 0 rows affected (0.02 sec)
mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)
-
7) Continue with the install script
[root@jumpserver install]# python install.py
请务必先查看wiki https://github.com/ibuler/jumpserver/wiki/Quickinstall
开始关闭防火墙和selinux
请输入您服务器的IP地址,用户浏览器可以访问 [182.48.115.236]: // the address at which Jumpserver will be reached
是否安装新的MySQL服务器? (y/n) [y]: n // MySQL is already installed on this host, so no new server is needed here
请输入数据库服务器IP [127.0.0.1]: 182.48.115.236 // the host's own IP, used to connect to MySQL; best to test beforehand that this account can connect with the privileges granted above
请输入数据库服务器端口 [3306]: 3306
请输入数据库服务器用户 [root]: root // use the account granted above
请输入数据库服务器密码: 123456
请输入使用的数据库 [jumpserver]: jumpserver
连接数据库成功
请输入SMTP地址: smtp.sina.com // next comes the sending-mailbox setup (log in to your mailbox and enable its POP3/SMTP service)
请输入SMTP端口 [25]: 25 // the mail settings must pass this test, otherwise mail cannot be sent when users are added later!
请输入账户: wangjiuiuui@sina.com
请输入密码: 2hj12637JKDSJFKS
请登陆邮箱查收邮件, 然后确认是否继续安装 // log in to the mailbox; receiving a "Jumpserver Mail Test!" message means the mail test passed
是否继续? (y/n) [y]: y
开始写入配置文件
开始安装Jumpserver, 要求环境为 CentOS 6.5 x86_64
开始更新jumpserver
..........
..........
请输入管理员用户名 [admin]: admin // set the web admin username and password
请输入管理员密码: [5Lov@wife]: admin
请再次输入管理员密码: [5Lov@wife]: admin
Starting jumpsever service: [确定]
安装成功,请访问web, 祝你使用愉快。
请访问 https://github.com/ibuler/jumpserver 查看文档
-
---------------------------------------------------------------------------------------------------------------
If the following errors appear while running the install.py script:
1) Error 1
Traceback (most recent call last):
File "install.py", line 8, in <module>
import MySQLdb
File "/usr/lib64/python2.6/site-packages/MySQLdb/__init__.py", line 19, in <module>
import _mysql
ImportError: libmysqlclient.so.18: cannot open shared object file: No such file or directory
Fix:
Locate the libmysqlclient.so.18 library file. Since MySQL was deployed on this host earlier, the file can be found (if it is not present, install MySQL to obtain it):
[root@jumpserver install]# find / -name libmysqlclient.so.18
/usr/local/src/mysql-5.6.34/libmysql/libmysqlclient.so.18
/usr/local/src/mysql-5.6.34/libmysql/CMakeFiles/CMakeRelink.dir/libmysqlclient.so.18
/usr/local/mysql/lib/libmysqlclient.so.18
[root@jumpserver install]# ln -s /usr/local/mysql/lib/libmysqlclient.so.18 /usr/lib/libmysqlclient.so.18
[root@jumpserver install]# vim /etc/ld.so.conf
include ld.so.conf.d/*.conf
/usr/lib/
/usr/local/mysql/lib/
[root@jumpserver install]# ldconfig
Then run the install.py script above again and it works.
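The fix above is done by hand and is easy to apply twice (duplicate ld.so.conf entries) or to leave half-done (symlink made, ldconfig not run). The script below is an added example, not part of the original post, that makes the same fix repeatable and verifiable; the search roots it looks under are assumptions, and registering the library directory with ldconfig makes the symlink into /usr/lib unnecessary.

```shell
#!/bin/sh
# Added example, not from the original post: a repeatable form of the
# libmysqlclient.so.18 fix. Searches a few likely roots instead of `find /`,
# registers the library directory in ld.so.conf only once, then confirms the
# dynamic linker can resolve the library. The search roots are assumptions.

# Print the directory holding LIB under the first root that contains it.
find_lib_dir() {
    lib="$1"; shift
    for root in "$@"; do
        [ -d "$root" ] || continue
        hit=$(find "$root" -name "$lib" 2>/dev/null | head -n 1)
        if [ -n "$hit" ]; then
            dirname "$hit"
            return 0
        fi
    done
    return 1
}

# Append DIR to the ld.so.conf file CONF unless that exact line is present,
# so re-running the fix never duplicates entries.
add_ld_path() {
    conf="$1"; dir="$2"
    [ -f "$conf" ] || : > "$conf"
    grep -qxF "$dir" "$conf" && return 0
    printf '%s\n' "$dir" >> "$conf"
}

# Succeed when ldconfig's cache lists LIB, i.e. the linker can now find it.
lib_resolvable() {
    ldconfig -p 2>/dev/null | grep -q "^[[:space:]]*$1 "
}

# The whole fix as the post performs it (run as root). Registering the
# directory with ldconfig makes the symlink into /usr/lib unnecessary.
fix_libmysqlclient() {
    lib=libmysqlclient.so.18
    dir=$(find_lib_dir "$lib" /usr/local/mysql/lib /usr/lib64/mysql /usr/local/src) || {
        echo "$lib not found; install MySQL (or its client library) first" >&2
        return 1
    }
    add_ld_path /etc/ld.so.conf "$dir"
    ldconfig
    lib_resolvable "$lib"
}
```

After `fix_libmysqlclient` returns 0, `python -c 'import MySQLdb'` should succeed and install.py can be re-run.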
-
2) Error 2
开始写入配置文件
Traceback (most recent call last):
File "/root/jumpserver-0.3.0-beta/install/next.py", line 19, in <module>
from juser.user_api import db_add_user, get_object, User
File "/root/jumpserver-0.3.0-beta/juser/user_api.py", line 3, in <module>
from Crypto.PublicKey import RSA
File "/usr/lib64/python2.6/site-packages/Crypto/PublicKey/RSA.py", line 75, in <module>
from Crypto.Util.number import getRandomRange, bytes_to_long, long_to_bytes
File "/usr/lib64/python2.6/site-packages/Crypto/Util/number.py", line 56, in <module>
if _fastmath is not None and not _fastmath.HAVE_DECL_MPZ_POWM_SEC:
AttributeError: 'module' object has no attribute 'HAVE_DECL_MPZ_POWM_SEC'
Cause: a problem with Python's pycrypto module; uninstall and reinstall it:
[root@jumpserver install]# pip uninstall pycrypto
[root@jumpserver install]# easy_install pycrypto
-
---------------------------------------------------------------------------------------------------------------
After the installation finishes, the Jumpserver program starts automatically:
[root@jumpserver install]# lsof -i:80
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
python 10533 root 3u IPv4 460687 0t0 TCP *:http (LISTEN)
[root@jumpserver install]# ps -ef|grep jumpserver
root 10520 1 0 18:40 pts/1 00:00:00 sh /root/jumpserver-0.3.0-beta/service.sh start
root 10521 1 0 18:40 pts/1 00:00:00 sh /root/jumpserver-0.3.0-beta/service.sh start
root 10525 10521 0 18:40 pts/1 00:00:00 /bin/bash -c ulimit -S -c 0 >/dev/null 2>&1 ; python /root/jumpserver-0.3.0-beta/run_websocket.py
root 10526 10520 0 18:40 pts/1 00:00:00 /bin/bash -c ulimit -S -c 0 >/dev/null 2>&1 ; python /root/jumpserver-0.3.0-beta/manage.py runserver 0.0.0.0:80
root 10527 10525 1 18:40 pts/1 00:00:00 python /root/jumpserver-0.3.0-beta/run_websocket.py
root 10528 10526 0 18:40 pts/1 00:00:00 python /root/jumpserver-0.3.0-beta/manage.py runserver 0.0.0.0:80
root 10533 10528 1 18:40 pts/1 00:00:01 /usr/bin/python /root/jumpserver-0.3.0-beta/manage.py runserver 0.0.0.0:80
root 10535 10527 0 18:40 pts/1 00:00:00 python /root/jumpserver-0.3.0-beta/run_websocket.py
root 10536 10527 0 18:40 pts/1 00:00:00 python /root/jumpserver-0.3.0-beta/run_websocket.py
root 10537 10527 0 18:40 pts/1 00:00:00 python /root/jumpserver-0.3.0-beta/run_websocket.py
root 10538 10527 0 18:40 pts/1 00:00:00 python /root/jumpserver-0.3.0-beta/run_websocket.py
root 10539 10527 0 18:40 pts/1 00:00:00 python /root/jumpserver-0.3.0-beta/run_websocket.py
root 10550 5272 0 18:41 pts/1 00:00:00 grep jumpserver
-
8) Set up crontab to periodically clean up stale connections and update asset information
Run the following command:
[root@jumpserver ~]# python /root/jumpserver-0.3.0-beta/manage.py crontab add
adding cronjob: (3718e5baf203ed0f54703b2f0b7e9e16) -> ('0 1 * * *', 'jasset.asset_api.asset_ansible_update_all')
adding cronjob: (9956b75140f4453ab1dc4aeb62962a74) -> ('*/10 * * * *', 'jlog.log_api.kill_invalid_connection')
After the command above runs, the periodic tasks are added to crontab automatically; view them with crontab -l as follows:
[root@jumpserver ~]# crontab -l
0 1 * * * /usr/bin/python /root/jumpserver-0.3.0-beta/manage.py crontab run 3718e5baf203ed0f54703b2f0b7e9e16 # django-cronjobs for jumpserver
*/10 * * * * /usr/bin/python /root/jumpserver-0.3.0-beta/manage.py crontab run 9956b75140f4453ab1dc4aeb62962a74 # django-cronjobs for jumpserver
If startup fails, go back to the parent directory and run ./service.sh start manually.
Open Jumpserver in a browser (if iptables is enabled, port 80 must be opened) and log in with the username and password set during installation.
Note:
One step in using Jumpserver is pushing system users. For the push to succeed, the client (back-end server) must meet the following conditions:
1) The back-end server needs Python and sudo available in order to use user push, batch commands and related functions
2) If SELinux is enabled on the back-end server, install libselinux-python
Comparison of users, system users and admin users in Jumpserver