使用脚本一键部署堡垒机
部门领导要求研究一下堡垒机的使用，所以花了两天时间研究了一下开源堡垒机的部署和使用。因为官方文档中部分内容已经有错误，现在以官方的 CentOS 8 版本安装文档为蓝本，把部署过程以脚本的形式备份一下。其中主要的变化是：使用了官方源的 nginx、修改了 python 安装的几个组件的版本，并为堡垒机 jms 服务、koko 服务和 guacamole 服务添加了 systemd 自启动脚本。
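#!/bin/bash
# 2020.01.15
# sujx@live.cn
#
# One-shot JumpServer (bastion host) deployment for CentOS 8, following the
# official install guide: MariaDB + Redis + Nginx + jms core + koko + guacamole
# (the last two as podman containers, with systemd units for auto-start).
#
# Must run as root. All generated secrets (DB password, SECRET_KEY,
# BOOTSTRAP_TOKEN) and the detected server IP are written to ~/passwd.txt,
# which is created with mode 0600.
#
# Environment:
#   SERVER_IP - optional; overrides the auto-detected address that koko and
#               guacamole use to reach the jms core on port 8080.
#
# Abort on the first failing command so a half-configured host is not left
# behind silently. pipefail is deliberately NOT set: several pipelines below
# end in `head`, which closes the pipe early and would otherwise turn an
# expected SIGPIPE into a spurious failure.
set -e

#######################################
# Print a message to stderr and exit.
# Arguments: $* - message
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Emit a random alphanumeric string (no trailing newline).
# Arguments: $1 - number of characters
# Outputs:   the string on stdout
#######################################
rand_alnum() {
  local length=$1
  # 4096 random bytes yield ~1000 [A-Za-z0-9] characters, far more than the
  # longest request (50), so the second head never comes up short.
  head -c 4096 /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9' | head -c "$length"
}

[[ $EUID -eq 0 ]] || die "This script must be run as root"

# Only generated secrets go into this file; it is never world-readable.
readonly PASSWD_FILE="$HOME/passwd.txt"
install -m 600 /dev/null "$PASSWD_FILE"

# --- base packages ----------------------------------------------------------
yum update -y
yum -y install wget gcc epel-release git telnet openssh-clients dnf-utils vim
yum update -y

# --- fetch JumpServer -------------------------------------------------------
cd /opt/
git clone --depth=1 https://github.com/jumpserver/jumpserver.git

# --- firewall and SELinux (skip if both are disabled on this host) ----------
systemctl start firewalld
firewall-cmd --zone=public --add-service=http --permanent      # nginx
firewall-cmd --zone=public --add-port=2222/tcp --permanent     # koko SSH login port
firewall-cmd --reload
setsebool -P httpd_can_network_connect 1   # let nginx proxy to local services

# --- Redis: cache and celery broker ----------------------------------------
yum -y install redis
systemctl enable redis --now

# --- MariaDB (sqlite3/postgres are also supported; adjust config.yml) ------
yum -y install mariadb mariadb-devel mariadb-server sshpass
systemctl enable mariadb --now

# Create the jumpserver database and a local-only user with a random password.
DB_PASSWORD=$(rand_alnum 24)
[[ -n "$DB_PASSWORD" ]] || die "failed to generate DB_PASSWORD"
printf '数据库密码是 %s\n' "$DB_PASSWORD" >> "$PASSWD_FILE"
# SQL is fed on stdin so the password never appears in process arguments (ps).
mysql -uroot <<EOF
create database jumpserver default charset 'utf8';
grant all on jumpserver.* to 'jumpserver'@'127.0.0.1' identified by '$DB_PASSWORD';
flush privileges;
EOF

# --- Nginx: front proxy that ties the components together -----------------
yum -y install nginx
systemctl enable nginx --now

# --- Python 3.6 and build dependencies -------------------------------------
yum -y install python36 python36-devel
yum -y install krb5-devel libtiff-devel libjpeg-devel libzip-devel freetype-devel \
  libwebp-devel tcl-devel tk-devel openldap-devel libffi-devel openldap-clients

# pip mirror (Huawei Cloud) for the root user
mkdir -p ~/.pip
cat >~/.pip/pip.conf <<'EOF'
[global]
index-url = https://mirrors.huaweicloud.com/repository/pypi/simple
trusted-host = mirrors.huaweicloud.com
timeout = 120
EOF

# --- Python virtualenv (name "py3" is arbitrary; `deactivate` leaves it) ----
cd /opt
python3 -m venv py3
# shellcheck disable=SC1091
source /opt/py3/bin/activate
pip install wheel setuptools
pip install pip --upgrade
pip install python-gssapi

# Pin newer versions of a few packages than the upstream requirements file.
readonly REQ_FILE=/opt/jumpserver/requirements/requirements.txt
sed -i "s/Django==2.1.11/Django==2.2/g" "$REQ_FILE"
sed -i "s/cryptography==2.3.1/cryptography==2.7/g" "$REQ_FILE"
sed -i "s/pyasn1==0.4.2/pyasn1==0.4.6/g" "$REQ_FILE"
pip install -r "$REQ_FILE"

# --- JumpServer config.yml --------------------------------------------------
cd /opt/jumpserver
cp config_example.yml config.yml

# Both values are pure [A-Za-z0-9], so they are safe inside the sed
# replacement below without escaping.
SECRET_KEY=$(rand_alnum 50)
BOOTSTRAP_TOKEN=$(rand_alnum 16)
[[ -n "$SECRET_KEY" && -n "$BOOTSTRAP_TOKEN" ]] || die "failed to generate secrets"
# Secrets are recorded only in the 0600 passwd file; they are intentionally
# not appended to ~/.bashrc, which would leak them into every login shell.
readonly CONFIG_FILE=/opt/jumpserver/config.yml
sed -i "s/SECRET_KEY:/SECRET_KEY: $SECRET_KEY/g" "$CONFIG_FILE"
sed -i "s/BOOTSTRAP_TOKEN:/BOOTSTRAP_TOKEN: $BOOTSTRAP_TOKEN/g" "$CONFIG_FILE"
sed -i "s/# DEBUG: true/DEBUG: false/g" "$CONFIG_FILE"
sed -i "s/# LOG_LEVEL: DEBUG/LOG_LEVEL: ERROR/g" "$CONFIG_FILE"
sed -i "s/# SESSION_EXPIRE_AT_BROWSER_CLOSE: false/SESSION_EXPIRE_AT_BROWSER_CLOSE: true/g" "$CONFIG_FILE"
sed -i "s/DB_PASSWORD: /DB_PASSWORD: $DB_PASSWORD/g" "$CONFIG_FILE"
printf 'SECRET_KEY是 %s\n' "$SECRET_KEY" >> "$PASSWD_FILE"
printf 'BOOTSTRAP_TOKEN是 %s\n' "$BOOTSTRAP_TOKEN" >> "$PASSWD_FILE"

# --- jms core as a systemd service ------------------------------------------
# Newer releases use `./jms start|stop|status all`; `-d` daemonizes, hence
# Type=forking.
cat >/usr/lib/systemd/system/jms.service <<'EOF'
[Unit]
Description=jms
After=network.target mariadb.service redis.service
Wants=mariadb.service redis.service

[Service]
Type=forking
Environment="PATH=/opt/py3/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin"
ExecStart=/opt/jumpserver/jms start -d
ExecReload=
ExecStop=/opt/jumpserver/jms stop

[Install]
WantedBy=multi-user.target
EOF
systemctl enable jms.service --now

# --- podman for koko and guacamole ------------------------------------------
yum install -y podman-docker
# Convenience alias for interactive shells only; this script calls podman
# directly because aliases are not expanded in non-interactive bash.
echo "alias docker=podman" >> ~/.bashrc

# Registry mirrors. NOTE(review): this swaps the Red Hat registries for
# third-party mirrors; image provenance then rests on those mirrors, so
# verify image digests if supply-chain integrity matters on this host.
sed -i "s/registry.redhat.io/dockerhub.azk8s.cn/g" /etc/containers/registries.conf
sed -i "s/registry.access.redhat.com/docker.mirrors.ustc.edu.cn/g" /etc/containers/registries.conf

# Allow the containers to reach the host's jms core on 8080. 10.88.0.0/16 is
# podman's default CNI pool; narrow this to individual container IPs if needed.
firewall-cmd --permanent \
  --add-rich-rule='rule family="ipv4" source address="10.88.0.0/16" port protocol="tcp" port="8080" accept'
firewall-cmd --reload

# Detect the host address the containers will use for the core, skipping
# container bridges. SERVER_IP in the environment overrides detection.
Server_IP=${SERVER_IP:-$(ip -o -4 addr show scope global up \
  | awk '$2 !~ /^(docker|podman|cni|veth)/ {sub(/\/.*/, "", $4); print $4; exit}')}
[[ -n "$Server_IP" ]] || die "could not detect the server IP; set SERVER_IP=x.x.x.x and rerun"
printf '服务器IP是 %s\n' "$Server_IP" >> "$PASSWD_FILE"

# CORE_HOST / JUMPSERVER_SERVER point at the jms core, e.g. http://192.168.244.144:8080;
# BOOTSTRAP_TOKEN must match the value in config.yml.
podman run --name jms_koko -d -p 2222:2222 -p 127.0.0.1:5000:5000 \
  -e "CORE_HOST=http://${Server_IP}:8080" \
  -e "BOOTSTRAP_TOKEN=${BOOTSTRAP_TOKEN}" \
  jumpserver/jms_koko:1.5.6
podman run --name jms_guacamole -d -p 127.0.0.1:8081:8080 \
  -e "JUMPSERVER_SERVER=http://${Server_IP}:8080" \
  -e "BOOTSTRAP_TOKEN=${BOOTSTRAP_TOKEN}" \
  jumpserver/jms_guacamole:1.5.6

# koko auto-start (container is already running, so no --now)
cat >/usr/lib/systemd/system/koko.service <<'EOF'
[Unit]
Description=Podman JMS_koko Service
After=network.target
After=network-online.target

[Service]
Type=simple
ExecStart=/usr/bin/podman start -a jms_koko
ExecStop=/usr/bin/podman stop -t 10 jms_koko
Restart=always

[Install]
WantedBy=multi-user.target
EOF
systemctl enable koko.service

# guacamole auto-start
cat >/usr/lib/systemd/system/guacamole.service <<'EOF'
[Unit]
Description=Podman JMS_guacamole Service
After=network.target
After=network-online.target

[Service]
Type=simple
ExecStart=/usr/bin/podman start -a jms_guacamole
ExecStop=/usr/bin/podman stop -t 10 jms_guacamole
Restart=always

[Install]
WantedBy=multi-user.target
EOF
systemctl enable guacamole.service

# --- Luna web terminal front end (prebuilt release, served by nginx) --------
cd /opt
# Primary: https://github.com/jumpserver/luna/releases/download/1.5.6/luna.tar.gz
# The demo mirror below is used when GitHub is unreachable.
wget https://demo.jumpserver.org/download/luna/1.5.6/luna.tar.gz
tar xvzf luna.tar.gz
chown -R root:root luna

# --- Nginx site config -------------------------------------------------------
rm -f -- /etc/nginx/conf.d/default.conf
cp /etc/nginx/nginx.conf /etc/nginx.conf.bak
# Drops the stock `server {}` block from the CentOS 8 nginx.conf by line
# number. NOTE(review): this assumes the distro's default file layout; verify
# against the installed nginx.conf before relying on it.
sed -i "38,58d" /etc/nginx/nginx.conf
cat >/etc/nginx/conf.d/jumpserver.conf <<"EOF"
server {
    listen 80;
    # server_name _;

    client_max_body_size 100m;  # 录像及文件上传大小限制

    location /luna/ {
        try_files $uri / /index.html;
        alias /opt/luna/;  # luna 路径, 如果修改安装目录, 此处需要修改
    }

    location /media/ {
        add_header Content-Encoding gzip;
        root /opt/jumpserver/data/;  # 录像位置, 如果修改安装目录, 此处需要修改
    }

    location /static/ {
        root /opt/jumpserver/data/;  # 静态资源, 如果修改安装目录, 此处需要修改
    }

    location /koko/ {
        proxy_pass       http://localhost:5000;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    location /guacamole/ {
        proxy_pass       http://localhost:8081/;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    location /ws/ {
        proxy_pass http://localhost:8070;
        proxy_http_version 1.1;
        proxy_buffering off;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    location / {
        proxy_pass http://localhost:8080;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }
}
EOF

# Validate before restarting; under set -e a failing `nginx -t` stops here
# instead of restarting nginx with a broken config.
nginx -t
systemctl restart nginx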
然后通过浏览器访问主机地址即可。
另外,脚本的下载地址如下: jumpserver安装脚本