18张图带你入门最新版JumpServer
环境要求
- docker-ce
- Python3+
- mysql5.6+
- Redis
1 Ubuntu 安装 docker-ce 环境
参考文档
//docs.docker.com/engine/install/debian/
//mirrors.tuna.tsinghua.edu.cn/help/docker-ce/
卸载旧版
sudo apt-get remove docker docker-engine docker.io containerd runc
安装依赖
sudo apt install apt-transport-https ca-certificates curl gnupg2 software-properties-common
信任 Docker 的 GPG 公钥(发行版不同,下面的内容也有所不同)
curl -fsSL //download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
添加仓库(发行版不同,下面的内容也有所不同)
sudo add-apt-repository \
"deb [arch=amd64] //mirrors.tuna.tsinghua.edu.cn/docker-ce/linux/ubuntu \
$(lsb_release -cs) \
stable"
安装docker-ce
sudo apt update
sudo apt install docker-ce docker-ce-cli containerd.io
检查是否安装成功
root@song-VirtualBox:~# docker run hello-world
Unable to find image 'hello-world:latest' locally
latest: Pulling from library/hello-world
b8dfde127a29: Pull complete
Digest: sha256:f2266cbfc127c960fd30e76b7c792dc23b588c0db76233517e1891a4e357d519
Status: Downloaded newer image for hello-world:latest
Hello from Docker!
This message shows that your installation appears to be working correctly.
To generate this message, Docker took the following steps:
1. The Docker client contacted the Docker daemon.
2. The Docker daemon pulled the "hello-world" image from the Docker Hub.
(amd64)
3. The Docker daemon created a new container from that image which runs the
executable that produces the output you are currently reading.
4. The Docker daemon streamed that output to the Docker client, which sent it
to your terminal.
To try something more ambitious, you can run an Ubuntu container with:
$ docker run -it ubuntu bash
Share images, automate workflows, and more with a free Docker ID:
//hub.docker.com/
For more examples and ideas, visit:
//docs.docker.com/get-started/
root@song-VirtualBox:~# hostnamectl set-hostname ubuntu20
root@song-VirtualBox:~#
root@ubuntu20:~# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
hello-world latest d1165f221234 2 months ago 13.3kB
root@ubuntu20:~#
2 Python 安装
Ubuntu20 自带的 Python 版本即可满足,只需要做一个软连接即可
ln -s /usr/bin/python3 /usr/bin/python
3 mysql5.7 安装
root@ubuntu20:~# docker pull mysql:5.7
5.7: Pulling from library/mysql
f7ec5a41d630: Pull complete
9444bb562699: Pull complete
6a4207b96940: Pull complete
181cefd361ce: Pull complete
8a2090759d8a: Pull complete
15f235e0d7ee: Pull complete
d870539cd9db: Pull complete
cb7af63cbefa: Pull complete
151f1721bdbf: Pull complete
fcd19c3dd488: Pull complete
415af2aa5ddc: Pull complete
Digest: sha256:a655529fdfcbaf0ef28984d68a3e21778e061c886ff458b677391924f62fb457
Status: Downloaded newer image for mysql:5.7
docker.io/library/mysql:5.7
root@ubuntu20:~#
# 配置 mysql 服务端
root@ubuntu20:~# mkdir -pv /etc/mysql/mysql.conf.d
root@ubuntu20:~# cat /etc/mysql/mysql.conf.d/mysqld.cnf
pid-file = /var/run/mysqld/mysqld.pid
socket = /var/run/mysqld/mysqld.sock
datadir = /var/lib/mysql
character-set-server=utf8
root@ubuntu20:~#
# 配置 mysql 客户端
root@ubuntu20:~# cat /etc/mysql/conf.d/mysql.cnf
[mysql]
default-character-set=utf8
root@ubuntu20:~#
# 创建数据存放目录
root@ubuntu20:~# mkdir -pv /data/mysql
mkdir: created directory '/data/mysql'
root@ubuntu20:~#
# 运行 mysql 镜像
docker run -it \
--name mysql_jump \
-p 14306:3306 \
-v /etc/mysql/mysql.conf.d/mysqld.cnf:/etc/mysql/mysql.conf.d/mysqld.cnf \
-v /etc/mysql/conf.d/mysql.cnf:/etc/mysql/conf.d/mysql.cnf \
-v /data/mysql:/var/lib/mysql \
-e MYSQL_ROOT_PASSWORD="song123" \
-d mysql:5.7
# 连接mysql
# 注意:需要指定 -h宿主机IP
root@ubuntu20:/data# mysql -uroot -psong123 -P14306 -h10.0.0.16
# 创建 jumpserver 数据库
mysql> create database jumpserver default charset 'utf8';
Query OK, 1 row affected (0.00 sec)
# 授权
mysql> grant all privileges on jumpserver.* to 'jumpserver'@'%' identified by 'song123';
Query OK, 0 rows affected, 1 warning (0.01 sec)
# 验证授权用户是否可以登录查看 jumpserver 数据库
root@ubuntu20:~# mysql -ujumpserver -psong123 -P14306 -h10.0.0.16
# 查看
mysql> show databases;
4. Redis 安装
# 下载最新版 redis 镜像
docker pull redis
# 新建 redis 配置和数据目录
mkdir -pv /data/redis/{conf,data}
# redis 配置
cat /data/redis/conf/redis.conf
protected-mode no
daemonize no
databases 16
dir ./
appendonly yes
# 运行 redis 容器
docker run \
--privileged \
--name redis_jump \
-p 6379:6379 \
-v /data/redis/conf/redis.conf:/usr/local/etc/redis/redis.conf \
-v /data/redis/data:/data \
-d redis redis-server /usr/local/etc/redis/redis.conf --appendonly yes
# 在宿主机安装 reids,主要是使用其客户端工具 redis-cli
apt -y install redis
# 验证是否可以登录 redis
root@ubuntu20:/data/redis/conf# redis-cli -h 10.0.0.16
10.0.0.16:6379> info # 查看 redis 信息
# Server
redis_version:6.2.3
redis_git_sha1:00000000
redis_git_dirty:0
redis_build_id:ff251c3aac5814bc
... 省略部分 ...
5 安装 jumpserver
# 下载 jumpserver 镜像
docker pull jumpserver/jms_all:latest
# 生成随机加密秘钥和初始化 token
root@ubuntu20:~# if [ "$SECRET_KEY" = "" ];then SECRET_KEY=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 50`; \
echo "SECRET_KEY=$ECRET_KEY" >> ~/.bashrc; echo $SECRET_KEY; else echo $SECRET_KEY; fi
sii4P5BCRfho4kqRIoGMZsvnrkbbNcRMIOFWRl5aN6gGeCFmRQ # 秘钥
root@ubuntu20:~# if [ "$BOOTSTRAP_TOKEN" = "" ];then BOOTSTRAP_TOKEN=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 16`; \
echo "BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN" >> ~/.bashrc; echo $BOOTSTRAP_TOKEN; else echo $BOOTSTRAP_TOKEN; fi
AiElOlVO8Ey9mCBg # TOKEN
运行 jumpserver
docker run --name pc_jump \
-v /opt/jumpserver:/opt/jumpserver/data/media \
-p 80:80 \
-p 2222:2222 \
-e SECRET_KEY=sii4P5BCRfho4kqRIoGMZsvnrkbbNcRMIOFWRl5aN6gGeCFmRQ \
-e BOOTSTRAP_TOKEN=AiElOlVO8Ey9mCBg \
-e DB_HOST=10.0.0.16 \
-e DB_PORT=14306 \
-e DB_USER='jumpserver' \
-e DB_PASSWORD='song123' \
-e DB_NAME=jumpserver \
-e REDIS_HOST=10.0.0.16 \
-e REDIS_PORT=6379 \
-e REDIS_PASSWORD= \
jumpserver/jms_all:latest
6 详细图解
- JumpServer 原始的用户名和密码都是 admin,最新版的 JumpServer 为了安全考虑在初次登录时候会要求修改密码,请自行设置
- 为每个组创建一个使用 JumpServer 管理各自组名下机器的账号
- 创建一个可以登录真实机器的账户,此账户必须是真实存在的,同时必须拥有 root 权限
- 创建系统用户,此用户是一个登录(被管理端)机器的普通用户
- 添加(被管理端)机器
- 添加后测试 JumpServer 到(被管理端)机器是否能通
- 测试通过之后,就需要授权什么账号可以登录(被管理端)机器了
- 出于安全考虑,可以在(被管理端)的机器上禁止一些命令
- 将禁止的命令和系统用户做一个关联
-
使用给每个组创建的 JumpServer 账户登录
-
点击 “web终端” 登录机器进行管理
- 确认使用 web 账户登录成功
- 可以确认禁止的命令已无法使用
