JumpServer安装及应用

安装所需软件包

[root@localhost ~]# yum -y update
[root@localhost ~]# dnf install -y wget  curl tar gettext iptables python3 gcc gcc-c++ make vim mariadb*

启动mariadb服务设置开机自启动

[root@localhost ~]# systemctl enable --now mariadb
Created symlink /etc/systemd/system/mysql.service → /usr/lib/systemd/system/mariadb.service.
Created symlink /etc/systemd/system/mysqld.service → /usr/lib/systemd/system/mariadb.service.
Created symlink /etc/systemd/system/multi-user.target.wants/mariadb.service → /usr/lib/systemd/system/mariadb.service.

#设置数据库密码并验证
[root@localhost ~]# mysql
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 8
Server version: 10.3.28-MariaDB MariaDB Server

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> set password = password('Password@123!');
Query OK, 0 rows affected (0.000 sec)

MariaDB [(none)]> quit
Bye

#验证密码
[root@localhost ~]# mysql -uroot -pPassword@123!
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 9
Server version: 10.3.28-MariaDB MariaDB Server

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]>

创建jumpserver数据库

MariaDB [(none)]> create database jumpserver default charset 'utf8';
Query OK, 1 row affected (0.000 sec)

MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| jumpserver         |
| mysql              |
| performance_schema |
+--------------------+
4 rows in set (0.000 sec)
MariaDB [(none)]> grant all on jumpserver.* to 'jumpserver'@'%' identified by '111111';
Query OK, 0 rows affected (0.000 sec)

MariaDB [(none)]> flush privileges;
Query OK, 0 rows affected (0.000 sec)

上传redis和jumpserver软件包并解压

#redis版本一定要大于6.0,所以最新高版本的下载地址:https://redis.io/download/
#jumpserver下载地址:https://community.fit2cloud.com/#/products/jumpserver/downloads
#解压安装包
[root@localhost ~]# tar xf redis-7.0.11.tar.gz
[root@localhost ~]# tar xf jumpserver-offline-installer-v3.3.1-amd64-322.tar.gz
[root@localhost ~]# ls
anaconda-ks.cfg
jumpserver-offline-installer-v3.3.1-amd64-322
jumpserver-offline-installer-v3.3.1-amd64-322.tar.gz
redis-7.0.11
redis-7.0.11.tar.gz

编译安装redis

[root@localhost redis-7.0.11]# cd redis-7.0.11
[root@localhost redis-7.0.11]# ls
00-RELEASENOTES     COPYING   MANIFESTO   runtest-cluster    sentinel.conf  utils
BUGS                deps      README.md   runtest-moduleapi  src
CODE_OF_CONDUCT.md  INSTALL   redis.conf  runtest-sentinel   tests
CONTRIBUTING.md     Makefile  runtest     SECURITY.md        TLS.md
[root@localhost redis-7.0.11]# make -j 4
.......
     CC redis-benchmark.o
    LINK redis-server
    INSTALL redis-sentinel
    INSTALL redis-check-rdb
    INSTALL redis-check-aof
    LINK redis-benchmark
    LINK redis-cli

Hint: It's a good idea to run 'make test' ;)

make[1]: Leaving directory '/root/redis-7.0.11/src'

[root@localhost redis-7.0.11]# make test
cd src && make test
make[1]: Entering directory '/root/redis-7.0.11/src'
    CC Makefile.dep
You need tcl 8.5 or newer in order to run the Redis test
make[1]: *** [Makefile:427: test] Error 1
make[1]: Leaving directory '/root/redis-7.0.11/src'
make: *** [Makefile:6: test] Error 2

#会报一个错,此时需要安装依赖包
[root@localhost redis-7.0.11]# dnf search tcl
Last metadata expiration check: 0:53:49 ago on Thu 01 Jun 2023 04:07:46 PM CST.
====================== Name Exactly Matched: tcl =======================
tcl.i686 : Tool Command Language, pronounced tickle
tcl.x86_64 : Tool Command Language, pronounced tickle
===================== Name & Summary Matched: tcl ======================
jimtcl.i686 : A small embeddable Tcl interpreter
jimtcl.x86_64 : A small embeddable Tcl interpreter
postgresql-pltcl.x86_64 : The Tcl procedural language for PostgreSQL
tcl-brlapi.x86_64 : Tcl binding for BrlAPI
tcl-devel.i686 : Tcl scripting language development environment
tcl-devel.x86_64 : Tcl scripting language development environment
tcl-doc.noarch : Tcl documentation
========================== Name Matched: tcl ===========================
nvmetcli.noarch : An adminstration shell for NVMe storage targets
targetcli.noarch : An administration shell for storage targets
========================= Summary Matched: tcl =========================
target-restore.noarch : Systemd service for targetcli/rtslib
tk.i686 : The graphical toolkit for the Tcl scripting language
tk.x86_64 : The graphical toolkit for the Tcl scripting language

[root@localhost redis-7.0.11]# yum -y install tcl tcl-devel

#再次执行make test
[root@localhost redis-7.0.11]# make test
.....
\o/ All tests passed without errors!

Cleanup: may take some time... OK
make[1]: Leaving directory '/root/redis-7.0.11/src'

#make install 安装
[root@localhost ~]# cd redis-7.0.11
[root@localhost redis-7.0.11]# make install
cd src && make install
make[1]: Entering directory '/root/redis-7.0.11/src'

Hint: It's a good idea to run 'make test' ;)

    INSTALL redis-server
    INSTALL redis-benchmark
    INSTALL redis-cli
make[1]: Leaving directory '/root/redis-7.0.11/src'

#将redis.conf文件copy到/etc下
[root@localhost redis-7.0.11]# which redis-server
/usr/local/bin/redis-server
[root@localhost redis-7.0.11]# cp ~/redis-7.0.11/redis.conf /etc/

添加一块1000G硬盘

[root@localhost ~]# df -hT
Filesystem          Type      Size  Used Avail Use% Mounted on
devtmpfs            devtmpfs  3.9G     0  3.9G   0% /dev
tmpfs               tmpfs     3.9G     0  3.9G   0% /dev/shm
tmpfs               tmpfs     3.9G  9.0M  3.9G   1% /run
tmpfs               tmpfs     3.9G     0  3.9G   0% /sys/fs/cgroup
/dev/mapper/cs-root xfs        17G   11G  6.9G  60% /
/dev/sda1           xfs      1014M  235M  780M  24% /boot
tmpfs               tmpfs     793M     0  793M   0% /run/user/0
[root@localhost ~]# lsblk
NAME        MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
sda           8:0    0   20G  0 disk
├─sda1        8:1    0    1G  0 part /boot
└─sda2        8:2    0   19G  0 part
  ├─cs-root 253:0    0   17G  0 lvm  /
  └─cs-swap 253:1    0    2G  0 lvm  [SWAP]
sdb           8:16   0 1000G  0 disk
sr0          11:0    1 1024M  0 rom  

#创建物理卷,扩容卷组,扩容逻辑卷
[root@localhost ~]# pvcreate /dev/sdb
  Physical volume "/dev/sdb" successfully created.
[root@localhost ~]# vgextend cs /dev/sdb
  Volume group "cs" successfully extended
[root@localhost ~]# vgs
  VG #PV #LV #SN Attr   VSize    VFree
  cs   2   2   0 wz--n- 1018.99g <1000.00g
[root@localhost ~]# lvs
  LV   VG Attr       LSize   Pool Origin Data%  Meta%  Move Log Cpy%Sync Convert
  root cs -wi-ao---- <17.00g
  swap cs -wi-ao----   2.00g
[root@localhost ~]# lvextend -L +999G /dev/cs/root
  Size of logical volume cs/root changed from <17.00 GiB (4351 extents) to <1016.00 GiB (260095 extents).
  Logical volume cs/root successfully resized.
[root@localhost ~]# lvs
  LV   VG Attr       LSize     Pool Origin Data%  Meta%  Move Log Cpy%Sync Convert
  root cs -wi-ao---- <1016.00g
  swap cs -wi-ao----     2.00g

#格式化
[root@localhost ~]# df -hT
Filesystem          Type      Size  Used Avail Use% Mounted on
devtmpfs            devtmpfs  3.9G     0  3.9G   0% /dev
tmpfs               tmpfs     3.9G     0  3.9G   0% /dev/shm
tmpfs               tmpfs     3.9G  9.0M  3.9G   1% /run
tmpfs               tmpfs     3.9G     0  3.9G   0% /sys/fs/cgroup
/dev/mapper/cs-root xfs        17G   11G  6.9G  60% /
/dev/sda1           xfs      1014M  235M  780M  24% /boot
tmpfs               tmpfs     793M     0  793M   0% /run/user/0
[root@localhost ~]# xfs_growfs /dev/cs/root
meta-data=/dev/mapper/cs-root    isize=512    agcount=4, agsize=1113856 blks
         =                       sectsz=512   attr=2, projid32bit=1
         =                       crc=1        finobt=1, sparse=1, rmapbt=0
         =                       reflink=1    bigtime=0 inobtcount=0
data     =                       bsize=4096   blocks=4455424, imaxpct=25
         =                       sunit=0      swidth=0 blks
naming   =version 2              bsize=4096   ascii-ci=0, ftype=1
log      =internal log           bsize=4096   blocks=2560, version=2
         =                       sectsz=512   sunit=0 blks, lazy-count=1
realtime =none                   extsz=4096   blocks=0, rtextents=0
data blocks changed from 4455424 to 266337280
[root@localhost ~]# df -h
Filesystem           Size  Used Avail Use% Mounted on
devtmpfs             3.9G     0  3.9G   0% /dev
tmpfs                3.9G     0  3.9G   0% /dev/shm
tmpfs                3.9G  9.0M  3.9G   1% /run
tmpfs                3.9G     0  3.9G   0% /sys/fs/cgroup
/dev/mapper/cs-root 1016G   18G  999G   2% /
/dev/sda1           1014M  235M  780M  24% /boot
tmpfs                793M     0  793M   0% /run/user/0

编辑redis.conf文件

[root@localhost redis-7.0.11]# vim /etc/redis.conf 

requirepass redispass            #去掉注释,修改成这样
bind 0.0.0.0                    #修改成这样(监听所有网卡;防火墙关闭后,外部访问只受上面 requirepass 的口令限制)

启动redis

[root@localhost redis-7.0.11]# nohup redis-server /etc/redis.conf &
[1] 1603
[root@localhost redis-7.0.11]# nohup: ignoring input and appending output to 'nohup.out'

[root@localhost redis-7.0.11]# ss -antulp
Netid    State     Recv-Q    Send-Q       Local Address:Port       Peer Address:Port   Process
tcp      LISTEN    0         80                 0.0.0.0:3306            0.0.0.0:*       users:(("mysqld",pid=1149,fd=21))
tcp      LISTEN    0         511                0.0.0.0:6379            0.0.0.0:*       users:(("redis-server",pid=1603,fd=6))
tcp      LISTEN    0         128                0.0.0.0:22              0.0.0.0:*       users:(("sshd",pid=1074,fd=3))
tcp      LISTEN    0         128                   [::]:22                 [::]:*       users:(("sshd",pid=1074,fd=4))

查看防火墙

[root@localhost redis-7.0.11]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset:>
   Active: inactive (dead)
     Docs: man:firewalld(1)
[root@localhost redis-7.0.11]# getenforce
Disabled

#关闭命令
[root@localhost redis-7.0.11]# systemctl disable --now firewalld
[root@localhost redis-7.0.11]# vim /etc/selinux/config
SELINUX=disabled

配置jumpserver

[root@localhost ~]# cd jumpserver-offline-installer-v3.3.1-amd64-322
[root@localhost jumpserver-offline-installer-v3.3.1-amd64-322]# ls
cn-quick_start.sh   config_init  locale          scripts
compose             jmsctl.sh    quick_start.sh  static.env
config-example.txt  LICENSE      README.md       utils

[root@localhost jumpserver-offline-installer-v3.3.1-amd64-322]# vim config-example.txt
#搜索DB
DB_HOST=192.168.88.128
DB_PORT=3306
DB_USER=jumpserver
DB_PASSWORD=111111
DB_NAME=jumpserver

#搜索REDIS
REDIS_HOST=192.168.88.128
REDIS_PORT=6379
REDIS_PASSWORD=redispass

安装jumpserver

[root@localhost jumpserver-offline-installer-v3.3.1-amd64-322]# ./jmsctl.sh install
...........
  Applying terminal.0061_applet_can_concurrent... OK
  Applying tickets.0029_auto_20230110_1445... OK
  Applying users.0042_auto_20230203_1201... OK

After migration, update builtin role permissions
  - Update builtin roles
complete

>>> The Installation is Complete
1. You can use the following command to start, and then visit
cd /root/jumpserver-offline-installer-v3.3.1-amd64-322
./jmsctl.sh start

2. Other management commands
./jmsctl.sh stop
./jmsctl.sh restart
./jmsctl.sh backup
./jmsctl.sh upgrade
For more commands, you can enter ./jmsctl.sh --help to understand

3. Web access
http://192.168.250.1:80
Default username: admin  Default password: admin

4. SSH/SFTP access
ssh -p2222 admin@192.168.250.1
sftp -P2222 admin@192.168.250.1

5. More information
Official Website: https://www.jumpserver.org/
Documentation: https://docs.jumpserver.org/

#如果有以下报错
    raise ConnectionError(self._error_message(e))
redis.exceptions.ConnectionError: Error 111 connecting to 192.168.88.128:6379. Connection refused.
[ERROR] Failed to change the table structure!

#那么大概率是redis服务未开启,或者jumpserver配置文件中,redis数据库密码不一致导致
#查看端口号,6379端口要有
[root@localhost jumpserver-offline-installer-v3.3.1-amd64-322]# ss -antlup
Netid   State    Recv-Q   Send-Q      Local Address:Port       Peer Address:Port   Process
tcp     LISTEN   0        128               0.0.0.0:22              0.0.0.0:*       users:(("sshd",pid=1096,fd=3))
tcp     LISTEN   0        80                0.0.0.0:3306            0.0.0.0:*       users:(("mysqld",pid=1173,fd=21))
tcp     LISTEN   0        511               0.0.0.0:6379            0.0.0.0:*       users:(("redis-server",pid=3894,fd=6))
tcp     LISTEN   0        128                  [::]:22                 [::]:*       users:(("sshd",pid=1096,fd=4))   

#redis服务开启
[root@localhost jumpserver-offline-installer-v3.3.1-amd64-322]# nohup redis-server /etc/redis.conf &

启动jumpserver

[root@localhost ~]# cd jumpserver-offline-installer-v3.3.1-amd64-322
[root@localhost jumpserver-offline-installer-v3.3.1-amd64-322]# ./jmsctl.sh start
[+] Running 6/6
  Container jms_core    Healthy                                             25.8s
  Container jms_web     Started                                             28.9s
  Container jms_celery  Started                                             29.4s
  Container jms_koko    Started                                             28.5s
  Container jms_lion    Started                                             28.7s
  Container jms_magnus  Started                                             28.5s
[root@localhost jumpserver-offline-installer-v3.3.1-amd64-322]# ss -antlup
Netid   State    Recv-Q   Send-Q     Local Address:Port        Peer Address:Port   Process
tcp     LISTEN   0        2048             0.0.0.0:80               0.0.0.0:*       users:(("docker-proxy",pid=5075,fd=4))
tcp     LISTEN   0        128              0.0.0.0:22               0.0.0.0:*       users:(("sshd",pid=1096,fd=3))
tcp     LISTEN   0        2048             0.0.0.0:33061            0.0.0.0:*       users:(("docker-proxy",pid=5194,fd=4))
tcp     LISTEN   0        2048             0.0.0.0:33062            0.0.0.0:*       users:(("docker-proxy",pid=5176,fd=4))
tcp     LISTEN   0        80               0.0.0.0:3306             0.0.0.0:*       users:(("mysqld",pid=1173,fd=21))
tcp     LISTEN   0        511              0.0.0.0:6379             0.0.0.0:*       users:(("redis-server",pid=3894,fd=6))
tcp     LISTEN   0        2048             0.0.0.0:63790            0.0.0.0:*       users:(("docker-proxy",pid=5136,fd=4))
tcp     LISTEN   0        2048             0.0.0.0:2222             0.0.0.0:*       users:(("docker-proxy",pid=5018,fd=4))
tcp     LISTEN   0        2048                [::]:80                  [::]:*       users:(("docker-proxy",pid=5080,fd=4))
tcp     LISTEN   0        128                 [::]:22                  [::]:*       users:(("sshd",pid=1096,fd=4))
tcp     LISTEN   0        2048                [::]:33061               [::]:*       users:(("docker-proxy",pid=5199,fd=4))
tcp     LISTEN   0        2048                [::]:33062               [::]:*       users:(("docker-proxy",pid=5181,fd=4))
tcp     LISTEN   0        2048                [::]:63790               [::]:*       users:(("docker-proxy",pid=5145,fd=4))
tcp     LISTEN   0        2048                [::]:2222                [::]:*       users:(("docker-proxy",pid=5043,fd=4))

web浏览

http://192.168.88.128

用户名:admin

密码:admin

停止jumpserver,启动redis,再重新启动

[root@localhost ~]# cd jumpserver-offline-installer-v3.3.1-amd64-322
[root@localhost jumpserver-offline-installer-v3.3.1-amd64-322]# ./jmsctl.sh stop
[+] Running 1/0
 ? Container jms_core  Stopped                                        0.0s
[+] Running 1/1
 ? Container jms_koko  Stopped                                       10.2s
[+] Running 1/1
 ? Container jms_lion  Stopped                                       10.1s
[+] Running 1/1
 ? Container jms_magnus  Stopped                                     10.1s
[+] Running 1/0
 ? Container jms_web  Stopped                                         0.1s
[+] Running 1/0
 ? Container jms_celery  Stopped                                      0.0s
[jms_core]
[+] Running 1/1
 ? Container jms_core  Removed1.1s
[jms_koko]
[+] Running 1/0
 ? Container jms_koko  Removed0.1s
[jms_lion]
[+] Running 1/0
 ? Container jms_lion  Removed0.1s
[jms_magnus]
[+] Running 1/0
 ? Container jms_magnus  Removed0.0s
[jms_web]
[+] Running 1/0
 ? Container jms_web  Removed0.0s
[jms_celery]
[+] Running 1/1
 ? Container jms_celery  Removed1.3s 

[root@localhost ~]# cd redis-7.0.11
[root@localhost redis-7.0.11]# nohup redis-server /etc/redis.conf &
[1] 7144
[root@localhost redis-7.0.11]# nohup: ignoring input and appending output to 'nohup.out'

[root@localhost redis-7.0.11]# ss -antlup
Netid State  Recv-Q Send-Q   Local Address:Port   Peer Address:Port Process
tcp   LISTEN 0      80             0.0.0.0:3306        0.0.0.0:*     users:(("mysqld",pid=1175,fd=55))
tcp   LISTEN 0      511            0.0.0.0:6379        0.0.0.0:*     users:(("redis-server",pid=7144,fd=6))
tcp   LISTEN 0      128            0.0.0.0:22          0.0.0.0:*     users:(("sshd",pid=1093,fd=3))
tcp   LISTEN 0      128               [::]:22             [::]:*     users:(("sshd",pid=1093,fd=4))

[root@localhost ~]# cd jumpserver-offline-installer-v3.3.1-amd64-322
[root@localhost jumpserver-offline-installer-v3.3.1-amd64-322]# ./jmsctl.sh start
[+] Running 6/6
  Container jms_core    Healthy                                         21.7s
  Container jms_lion    Started                                         24.5s
  Container jms_magnus  Started                                         25.1s
  Container jms_web     Started                                         24.8s
  Container jms_celery  Started                                         24.7s
  Container jms_koko    Started                                         24.1s

登录,设置密码:111111

创建用户组

创建用户

另启一台虚拟机作为被管理的虚拟机,创建资产

添加账号

测试

资产授权

登录新建用户(密码:Password@123),查看

测试快捷命令

连接web终端

可上传文件

Xshell连接(用户名:admin,格式:ssh admin@192.168.88.128:2222,密码:111111)

查看资产(未授权的原因,看不到资产)

WARNING! The remote SSH server rejected X11 forwarding request.
        Administrator,  JumpServer 开源堡垒机

    1) 输入 部分IP,主机名,备注 进行搜索登录(如果唯一).
    2) 输入 / + IP,主机名,备注 进行搜索,如:/192.168.
    3) 输入 p 进行显示您有权限的资产.
    4) 输入 g 进行显示您有权限的节点.
    5) 输入 h 进行显示您有权限的主机.
    6) 输入 d 进行显示您有权限的数据库.
    7) 输入 k 进行显示您有权限的Kubernetes.
    8) 输入 r 进行刷新最新的机器和节点信息.
    9) 输入 s 进行中文-English-日本語语言切换.
    10) 输入 ? 进行显示帮助.
    11) 输入 q 进行退出.
Opt> p
没有资产
搜索:
[Host]>

切换用户登录(用户名:rainmom,格式:ssh rainmom@192.168.88.128:2222,密码:Password@123)

在当前页面上输入ID号,即可登录该虚拟机

  ID    | 名称                      | 地址                            | 协议                      | 平台                     | 组织                     | 备注
--------+---------------------------+---------------------------------+---------------------------+--------------------------+--------------------------+-------------------------
  1     | node1                     | 192.168.88.129                  | ssh                       | Linux                    | Default                  |
页码:1,每页行数:28,总页数:1,总数量:1
提示:输入资产ID直接登录 资产,二级搜索使用 // + 字段,如://192 上一页:b 下一页:n
搜索:
[Host]> 1
复用SSH连接(admin@192.168.88.129)[连接数量: 3]
Last login: Thu Jun  8 16:37:59 2023 from 192.168.88.128
[root@localhost ~]# ls
anaconda-ks.cfg  test
[root@localhost ~]# exit
logout
[Host]>

可添加授权

切换审计台,可查看记录