【DB宝48】JumpServer:多云环境下更好用的堡垒机(上)

一、JumpServer简介

JumpServer 是全球首款开源的堡垒机,使用 GNU GPL v2.0 开源协议,是符合 4A 规范的运维安全审计系统。

JumpServer 使用 Python / Django 为主进行开发,遵循 Web 2.0 规范,配备了业界领先的 Web Terminal 方案,交互界面美观、用户体验好。

JumpServer 采纳分布式架构,支持多机房跨区域部署,支持横向扩展,无资产数量及并发限制。

**官网网址:**https://www.jumpserver.org/

文档:https://docs.jumpserver.org/zh/master/

GitHub:https://github.com/jumpserver/jumpserver

1.1、页面展示

1.2、特色优势

  • 开源: 零门槛,线上快速获取和安装;
  • 分布式: 轻松支持大规模并发访问;
  • 无插件: 仅需浏览器,极致的 Web Terminal 使用体验;
  • 多云支持: 一套系统,同时管理不同云上面的资产;
  • 云端存储: 审计录像云端存储,永不丢失;
  • 多租户: 一套系统,多个子公司和部门同时使用;
  • 多应用支持: 数据库,Windows远程应用,Kubernetes。

1.3、功能列表

身份认证
Authentication
登录认证 资源统一登录与认证
LDAP/AD 认证
RADIUS 认证
OpenID 认证(实现单点登录)
CAS 认证 (实现单点登录)
MFA认证 MFA 二次认证(Google Authenticator)
RADIUS 二次认证
登录复核 用户登录行为受管理员的监管与控制:small_orange_diamond:
账号管理
Account
集中账号 管理用户管理
系统用户管理
统一密码 资产密码托管
自动生成密码
自动推送密码
密码过期设置
批量改密 定期批量改密:small_orange_diamond:
多种密码策略:small_orange_diamond:
多云纳管 对私有云、公有云资产自动统一纳管:small_orange_diamond:
收集用户 自定义任务定期收集主机用户:small_orange_diamond:
密码匣子 统一对资产主机的用户密码进行查看、更新、测试操作:small_orange_diamond:
授权控制
Authorization
多维授权 对用户、用户组、资产、资产节点、应用以及系统用户进行授权
资产授权 资产以树状结构进行展示
资产和节点均可灵活授权
节点内资产自动继承授权
子节点自动继承父节点授权
应用授权 实现更细粒度的应用级授权
MySQL 数据库应用、RemoteApp 远程应用:small_orange_diamond:
动作授权 实现对授权资产的文件上传、下载以及连接动作的控制
时间授权 实现对授权资源使用时间段的限制
特权指令 实现对特权指令的使用(支持黑白名单)
命令过滤 实现对授权系统用户所执行的命令进行控制
文件传输 SFTP 文件上传/下载
文件管理 实现 Web SFTP 文件管理
工单 管理 支持对用户登录请求行为进行控制:small_orange_diamond:
组织管理 实现多租户管理与权限隔离:small_orange_diamond:
安全审计
Audit
操作审计 用户操作行为审计
会话审计 在线会话内容审计
历史会话内容审计
录像审计 支持对 Linux、Windows 等资产操作的录像进行回放审计
支持对 RemoteApp:small_orange_diamond:、MySQL 等应用操作的录像进行回放审计
指令审计 支持对资产和应用等操作的命令进行审计
文件传输 可对文件的上传、下载记录进行审计
数据库审计
Database
连接方式 命令方式
Web UI方式 :small_orange_diamond:
支持的数据库 MySQL
Oracle :small_orange_diamond:
MariaDB :small_orange_diamond:
PostgreSQL :small_orange_diamond:
功能亮点 语法高亮
SQL格式化
支持快捷键
支持选中执行
SQL历史查询
支持页面创建 DB, TABLE
会话审计 命令记录
录像回放

1.4、架构图

  • 首先前端是nginx提供的动态页面,可以通过浏览器来进行访问;
  • 接着jumpserver为管理后台,管理员可以通过web页面进行资产管理、用户管理、资产授权等操作,用户可以通过web页面进行资产登录、文件管理等操作;
  • coco 为ssh server和 web terminal server,用户可以使用自己的账户通过ssh或者web terminal访问ssh协议和telnet协议资产;
  • Luna 为web terminal server前端页面,用户使用web terminal方式登录所需要的组件;
  • Guacamole 为RDP协议和vnc协议资产组件,用户可以通过web terminal来连接RDP协议和vnc协议资产(暂时只能通过web terminal来访问);

1.5、端口说明

端口涉及如下端口:

  • Jumpserver 默认端口为 8080/tcp ,浏览器访问的端口
  • Coco 默认 SSH 端口为 2222/tcp,Web Terminal默认 端口为 5000/tcp ,通过ssh连接的时候使用的端口
  • Guacamole 默认端口为 8081/tcp
  • Nginx 默认端口为 80/tcp
  • Redis 默认端口为 6379/tcp
  • Mysql/Mariadb 默认端口为 3306/tcp

1.6、产品组件

  • Jumpserver:管理后台,是核心组件(Core), 使用 Django Class Based View 风格开发,支持 Restful API。

  • Coco:Coco为 SSH Server 和 Web Terminal Server。用户可以通过使用自己的账户登录 SSH 或者 Web Terminal直接访问被授权的资产。不需要知道服务器的账户和密码,现在 Coco 已经被 koko 取代。

  • Luna:luna 为 Web Terminal Server 前端页面,用户使用 Web Terminal 方式登录时所需要的插件。

  • Guacamole:Guacamole是一个开源项目,为远程桌面提供解决方案。Jumpserver 使用其组件实现 RDP和VNC 功能,Jumpserver 并没有修改其代码而是添加了额外的插件,支持 Jumpserver 调用。

二、安装JumpServer

有2种安装方式,可以一键自动部署,也可以手动部署,建议一键自动部署。

2.1、一键自动部署

仅需两步快速安装 JumpServer:

  1. 准备一台 2核4G (最低)且可以访问互联网的 64 位 Linux 主机;
  2. 以 root 用户执行如下命令一键安装 JumpServer。
-- 一键安装启动
curl -sSL https://github.com/jumpserver/jumpserver/releases/download/v2.8.2/quick_start.sh | bash

-- 注意:安装过程需要下载docker环境,重启docker,下载很多镜像,最后大约占用空间3g左右,安装时间大约30分钟。
[root@docker36 jumpserver-installer-v2.8.2]# docker images | grep jumpserver
jumpserver/core                                                          v2.8.2              f3dd5c1946ec        2 days ago          1.01GB
jumpserver/guacamole                                                     v2.8.2              8869e8512eec        2 days ago          824MB
jumpserver/lina                                                          v2.8.2              98abb9179db1        2 days ago          27.9MB
jumpserver/luna                                                          v2.8.2              d2e17fada2f6        2 days ago          27MB
jumpserver/koko                                                          v2.8.2              40cdabc32153        2 days ago          426MB
jumpserver/mysql                                                         5                   697daaecf703        3 months ago        448MB
jumpserver/redis                                                         6-alpine            f731cd48185c        3 months ago        31.6MB
jumpserver/nginx                                                         alpine2             b47070d178ad        18 months ago       18.5MB


-- 若不能下载,请添加以下解析:
echo "
13.229.188.59 github.com
199.232.4.133 raw.githubusercontent.com
" >> /etc/hosts

echo "
nameserver 114.114.114.114
nameserver 8.8.8.8
nameserver 223.5.5.5
" > /etc/resolv.conf



-- 启动
cd /opt/jumpserver-installer-v2.8.2/
./jmsctl.sh start
-- 会启动9个容器,创建一个网络叫jms_net,子网为:"192.168.250.0/24"
-- 首次启动可能会报错,可以使用命令“docker logs -f jms_core --tail 200”查看,等表结构合并完毕后,确定该命令输出都是 ok, 没有 error, 重新 start 即可,详见https://docs.jumpserver.org/zh/master/install/setup_by_fast/


-- Web访问
http://192.168.66.36:8080
https://192.168.66.36:8443
(默认用户名密码为:admin/admin)


-- 启动后的容器和状态
[root@docker36 jumpserver-installer-v2.8.2]# docker ps
CONTAINER ID        IMAGE                         COMMAND                  CREATED              STATUS                        PORTS                                         NAMES
26b95ecb8900        jumpserver/nginx:alpine2      "sh -c 'crond -b -d …"   57 seconds ago       Up 51 seconds (healthy)       0.0.0.0:8080->80/tcp, 0.0.0.0:8443->443/tcp   jms_nginx
9c25659c23c4        jumpserver/luna:v2.8.2        "/docker-entrypoint.…"   About a minute ago   Up About a minute (healthy)   80/tcp                                        jms_luna
c8d74738aaa2        jumpserver/lina:v2.8.2        "/docker-entrypoint.…"   About a minute ago   Up About a minute (healthy)   80/tcp                                        jms_lina
bc24581c6d0a        jumpserver/koko:v2.8.2        "./entrypoint.sh"        About a minute ago   Up About a minute (healthy)   0.0.0.0:2222->2222/tcp, 5000/tcp              jms_koko
cc17285dc6ec        jumpserver/guacamole:v2.8.2   "/init"                  About a minute ago   Up About a minute (healthy)   8080/tcp                                      jms_guacamole
edac0a216aa3        jumpserver/core:v2.8.2        "./entrypoint.sh sta…"   About a minute ago   Up About a minute (healthy)   8070/tcp, 8080/tcp                            jms_celery
2ca03ab4d62d        jumpserver/core:v2.8.2        "./entrypoint.sh sta…"   11 minutes ago       Up 11 minutes (healthy)       8070/tcp, 8080/tcp                            jms_core
69e9bdede65f        jumpserver/redis:6-alpine     "docker-entrypoint.s…"   13 minutes ago       Up 13 minutes (healthy)       6379/tcp                                      jms_redis
c73896dc22ad        jumpserver/mysql:5            "docker-entrypoint.s…"   13 minutes ago       Up 13 minutes (healthy)       3306/tcp, 33060/tcp                           jms_mysql
[root@docker36 jumpserver-installer-v2.8.2]# 
[root@docker36 jumpserver-installer-v2.8.2]# ./jmsctl.sh status
    Name                   Command                  State                          Ports                   
-----------------------------------------------------------------------------------------------------------
jms_celery      ./entrypoint.sh start task       Up (healthy)   8070/tcp, 8080/tcp                         
jms_core        ./entrypoint.sh start web        Up (healthy)   8070/tcp, 8080/tcp                         
jms_guacamole   /init                            Up (healthy)   8080/tcp                                   
jms_koko        ./entrypoint.sh                  Up (healthy)   0.0.0.0:2222->2222/tcp, 5000/tcp           
jms_lina        /docker-entrypoint.sh ngin ...   Up (healthy)   80/tcp                                     
jms_luna        /docker-entrypoint.sh ngin ...   Up (healthy)   80/tcp                                     
jms_mysql       docker-entrypoint.sh --cha ...   Up (healthy)   3306/tcp, 33060/tcp                        
jms_nginx       sh -c crond -b -d 8 && ngi ...   Up (healthy)   0.0.0.0:8443->443/tcp, 0.0.0.0:8080->80/tcp
jms_redis       docker-entrypoint.sh redis ...   Up (healthy)   6379/tcp  

执行过程:

[root@docker36 ~]# curl -sSL https://github.com/jumpserver/jumpserver/releases/download/v2.8.2/quick_start.sh | bash
download install script to /opt/jumpserver-installe (开始下载安装脚本到 /opt/jumpserver-installe)


       ██╗██╗   ██╗███╗   ███╗██████╗ ███████╗███████╗██████╗ ██╗   ██╗███████╗██████╗
       ██║██║   ██║████╗ ████║██╔══██╗██╔════╝██╔════╝██╔══██╗██║   ██║██╔════╝██╔══██╗
       ██║██║   ██║██╔████╔██║██████╔╝███████╗█████╗  ██████╔╝██║   ██║█████╗  ██████╔╝
  ██   ██║██║   ██║██║╚██╔╝██║██╔═══╝ ╚════██║██╔══╝  ██╔══██╗╚██╗ ██╔╝██╔══╝  ██╔══██╗
  ╚█████╔╝╚██████╔╝██║ ╚═╝ ██║██║     ███████║███████╗██║  ██║ ╚████╔╝ ███████╗██║  ██║
  ╚════╝  ╚═════╝ ╚═╝     ╚═╝╚═╝     ╚══════╝╚══════╝╚═╝  ╚═╝  ╚═══╝  ╚══════╝╚═╝  ╚═╝

                                                                   Version:  v2.8.2  

语言 Language  (cn/en)  (default cn): 

>>> Install and Configure Docker
1. Install Docker
Starting to download Docker engine ...
complete
Starting to download Docker Compose binary ...
complete

2. Configure Docker
是否需要自定义 Docker 数据目录, 默认将使用 /var/lib/docker 目录? (y/n)  (default n): complete

3. Start Docker
Docker version has changed or Docker configuration file has been changed, do you want to restart? (y/n)  (default y): complete

>>> Loading Docker Image
[jumpserver/redis:6-alpine]
6-alpine: Pulling from jumpserver/redis
05e7bc50f07f: Pull complete 
14c9d57a1c7f: Pull complete 
ccd033d7ec06: Pull complete 
6ff79b059f99: Pull complete 
d91237314b77: Pull complete 
c47d41ba6aa8: Pull complete 
Digest: sha256:4920debee18fad71841ce101a7867743ff8fe7d47e6191b750c3edcfffc1cb18
Status: Downloaded newer image for swr.cn-south-1.myhuaweicloud.com/jumpserver/redis:6-alpine
Untagged: swr.cn-south-1.myhuaweicloud.com/jumpserver/redis:6-alpine
Untagged: swr.cn-south-1.myhuaweicloud.com/jumpserver/redis@sha256:4920debee18fad71841ce101a7867743ff8fe7d47e6191b750c3edcfffc1cb18

[jumpserver/mysql:5]
5: Pulling from jumpserver/mysql
6ec7b7d162b2: Pull complete 
fedd960d3481: Pull complete 
7ab947313861: Pull complete 
64f92f19e638: Pull complete 
3e80b17bff96: Pull complete 
014e976799f9: Pull complete 
59ae84fee1b3: Pull complete 
7d1da2a18e2e: Pull complete 
301a28b700b9: Pull complete 
979b389fc71f: Pull complete 
403f729b1bad: Pull complete 
Digest: sha256:b3b2703de646600b008cbb2de36b70b21e51e7e93a7fca450d2b08151658b2dd
Status: Downloaded newer image for swr.cn-south-1.myhuaweicloud.com/jumpserver/mysql:5
Untagged: swr.cn-south-1.myhuaweicloud.com/jumpserver/mysql:5
Untagged: swr.cn-south-1.myhuaweicloud.com/jumpserver/mysql@sha256:b3b2703de646600b008cbb2de36b70b21e51e7e93a7fca450d2b08151658b2dd

[jumpserver/nginx:alpine2]
alpine2: Pulling from jumpserver/nginx
c87736221ed0: Pull complete 
6ff0ab02fe54: Pull complete 
e5b318df7728: Pull complete 
b7a5a4fe8726: Pull complete 
Digest: sha256:d25ed0a8c1b4957f918555c0dbda9d71695d7b336d24f7017a87b2081baf1112
Status: Downloaded newer image for swr.cn-south-1.myhuaweicloud.com/jumpserver/nginx:alpine2
Untagged: swr.cn-south-1.myhuaweicloud.com/jumpserver/nginx:alpine2
Untagged: swr.cn-south-1.myhuaweicloud.com/jumpserver/nginx@sha256:d25ed0a8c1b4957f918555c0dbda9d71695d7b336d24f7017a87b2081baf1112

[jumpserver/luna:v2.8.2]
v2.8.2: Pulling from jumpserver/luna
801bfaa63ef2: Pull complete 
b1242e25d284: Pull complete 
7453d3e6b909: Pull complete 
07ce7418c4f8: Pull complete 
e295e0624aa3: Pull complete 
4363a3b6ab61: Pull complete 
7270d1c7bfd7: Pull complete 
Digest: sha256:47f6bc784a2c8b0bfdfdfc465bb5b62012122dc1cd83257afa09edb7d027bdca
Status: Downloaded newer image for swr.cn-south-1.myhuaweicloud.com/jumpserver/luna:v2.8.2
Untagged: swr.cn-south-1.myhuaweicloud.com/jumpserver/luna:v2.8.2
Untagged: swr.cn-south-1.myhuaweicloud.com/jumpserver/luna@sha256:47f6bc784a2c8b0bfdfdfc465bb5b62012122dc1cd83257afa09edb7d027bdca

[jumpserver/core:v2.8.2]
v2.8.2: Pulling from jumpserver/core
6ec7b7d162b2: Already exists 
80ff6536d04b: Pull complete 
2d04da85e485: Pull complete 
998aa32a5c8a: Pull complete 
7733ef26f344: Pull complete 
d441f02b2497: Pull complete 
64cad81ca92c: Pull complete 
cf134c77199b: Pull complete 
5c09bcf88bcf: Pull complete 
fe2b4e1dc49b: Pull complete 
328b09a36265: Pull complete 
c5b2c15fd6d6: Pull complete 
88d58a6b84f5: Pull complete 
Digest: sha256:13a53d3ad8e67c7e25890e44aeaac0dfe9d0f23d75f420bd536181897a0a57a2
Status: Downloaded newer image for swr.cn-south-1.myhuaweicloud.com/jumpserver/core:v2.8.2
Untagged: swr.cn-south-1.myhuaweicloud.com/jumpserver/core:v2.8.2
Untagged: swr.cn-south-1.myhuaweicloud.com/jumpserver/core@sha256:13a53d3ad8e67c7e25890e44aeaac0dfe9d0f23d75f420bd536181897a0a57a2

[jumpserver/koko:v2.8.2]
v2.8.2: Pulling from jumpserver/koko
6d28e14ab8c8: Pull complete 
0df8b93ef734: Pull complete 
64e864129ede: Pull complete 
0a873335f747: Pull complete 
72734be47e36: Pull complete 
210e6f3fd739: Pull complete 
68eb2bfabdf9: Pull complete 
2b514aadeb8d: Pull complete 
b06884356f2d: Pull complete 
48b4106b3314: Pull complete 
c06b5a09cb3a: Pull complete 
52981c83908c: Pull complete 
4a31deb17aed: Pull complete 
8080af3428ec: Pull complete 
d45214541239: Pull complete 
Digest: sha256:0e6b2c718c2bbc046d22240d245014361c4f151d0668efab3a0bdc3d6025fd27
Status: Downloaded newer image for swr.cn-south-1.myhuaweicloud.com/jumpserver/koko:v2.8.2
Untagged: swr.cn-south-1.myhuaweicloud.com/jumpserver/koko:v2.8.2
Untagged: swr.cn-south-1.myhuaweicloud.com/jumpserver/koko@sha256:0e6b2c718c2bbc046d22240d245014361c4f151d0668efab3a0bdc3d6025fd27

[jumpserver/guacamole:v2.8.2]
v2.8.2: Pulling from jumpserver/guacamole
6c33745f49b4: Pull complete 
ef072fc32a84: Pull complete 
c0afb8e68e0b: Pull complete 
d599c07d28e6: Pull complete 
e8a829023b97: Pull complete 
2709df21cc5c: Pull complete 
3bfb431a8cf5: Pull complete 
bb9822eef866: Pull complete 
5842bda2007b: Pull complete 
453a23f25fcb: Pull complete 
95325cfda054: Pull complete 
d0bba8ca7733: Pull complete 
77ed1f7e99c3: Pull complete 
7c218a3bc8c8: Pull complete 
b9b23e074906: Pull complete 
6eb77dc135e9: Pull complete 
5805059e25b4: Pull complete 
8687f3be3de5: Pull complete 
b3a371cb4926: Pull complete 
0e0115337931: Pull complete 
8871470a6d50: Pull complete 
0983df4b79d8: Pull complete 
97e3ae311d7b: Pull complete 
033a9d7411c6: Pull complete 
Digest: sha256:f6587bb65eb40dd101144ee89432a0310c46b245dcebc61965ae4de34fd82775
Status: Downloaded newer image for swr.cn-south-1.myhuaweicloud.com/jumpserver/guacamole:v2.8.2
Untagged: swr.cn-south-1.myhuaweicloud.com/jumpserver/guacamole:v2.8.2
Untagged: swr.cn-south-1.myhuaweicloud.com/jumpserver/guacamole@sha256:f6587bb65eb40dd101144ee89432a0310c46b245dcebc61965ae4de34fd82775

[jumpserver/lina:v2.8.2]
v2.8.2: Pulling from jumpserver/lina
801bfaa63ef2: Already exists 
b1242e25d284: Already exists 
7453d3e6b909: Already exists 
07ce7418c4f8: Already exists 
e295e0624aa3: Already exists 
f2cd4bacfc5e: Pull complete 
16594fe0b0fc: Pull complete 
Digest: sha256:f809b70fcdcbb9216dfa40c6ab1bd293ca85e3eaf2d2c4d77ae9a1e80e0c82e5
Status: Downloaded newer image for swr.cn-south-1.myhuaweicloud.com/jumpserver/lina:v2.8.2
Untagged: swr.cn-south-1.myhuaweicloud.com/jumpserver/lina:v2.8.2
Untagged: swr.cn-south-1.myhuaweicloud.com/jumpserver/lina@sha256:f809b70fcdcbb9216dfa40c6ab1bd293ca85e3eaf2d2c4d77ae9a1e80e0c82e5


>>> Install and Configure JumpServer
1. Check Configuration File
Path to Configuration file: /opt/jumpserver/config
/opt/jumpserver/config/config.txt  []
/opt/jumpserver/config/nginx/lb_http_server.conf  []
/opt/jumpserver/config/nginx/lb_ssh_server.conf  []
/opt/jumpserver/config/core/config.yml  []
/opt/jumpserver/config/koko/config.yml  []
/opt/jumpserver/config/mysql/my.cnf  []
/opt/jumpserver/config/redis/redis.conf  []
complete

2. Configure Nginx
configuration file: /opt/jumpserver/config/nginx/cert
/opt/jumpserver/config/nginx/cert/server.crt  []
/opt/jumpserver/config/nginx/cert/server.key  []
complete

3. Backup Configuration File
Back up to /opt/jumpserver/config/backup/config.txt.2021-03-26_10-26-53
complete

4. Configure Network
Do you want to support IPv6? (y/n)  (default n): complete

5. Configure Private Key
SECRETE_KEY:     ICAgICAgICBUWCBlcnJvcnMgMCAgZHJvcHBlZCAwIG92ZXJyd
BOOTSTRAP_TOKEN: ICAgICAgICBUWCBl
complete

6. Configure Persistent Directory
Do you need custom persistent store, will use the default directory /opt/jumpserver? (y/n)  (default n): complete

7. Configure MySQL
Do you want to use external MySQL? (y/n)  (default n): complete

8. Configure Redis
Do you want to use external Redis? (y/n)  (default n): complete

>>> The Installation is Complete
1. You can use the following command to start, and then visit
./jmsctl.sh start

2. Other management commands
./jmsctl.sh stop
./jmsctl.sh restart
./jmsctl.sh backup
./jmsctl.sh upgrade
For more commands, you can enter ./jmsctl.sh --help to understand

3. Web access
http://172.17.0.3:8080
https://172.17.0.3:8443
Default username: admin  Default password: admin

4. SSH/SFTP access
ssh admin@172.17.0.3 -p2222
sftp -P2222 admin@172.17.0.3

5. More information
Offical Website: https://www.jumpserver.org/
Documentation: https://docs.jumpserver.org/


[root@docker36 ~]# cd /opt/jumpserver-installer-v2.8.2/
[root@docker36 jumpserver-installer-v2.8.2]# ll
总用量 28
drwxrwxr-x 3 root root 4096 318 14:41 compose
-rw-rw-r-- 1 root root 1863 3月  18 14:41 config-example.txt
drwxrwxr-x 7 root root   80 318 14:41 config_init
-rwxrwxr-x 1 root root 5503 318 14:41 jmsctl.sh
drwxrwxr-x 4 root root   27 318 14:41 locale
-rw-rw-r-- 1 root root 2603 3月  18 14:41 README.md
drwxrwxr-x 2 root root 4096 318 14:41 scripts
-rw-rw-r-- 1 root root   46 3月  26 11:54 static.env
drwxrwxr-x 2 root root   39 318 14:41 utils

[root@docker36 jumpserver-installer-v2.8.2]# ./jmsctl.sh start              
Creating network "jms_net" with driver "bridge"
Creating jms_redis ... done
Creating jms_mysql ... done
Creating jms_core  ... done
Creating jms_celery    ... done
Creating jms_guacamole ... done
Creating jms_lina      ... done
Creating jms_koko      ... done
Creating jms_luna      ... done
Creating jms_nginx     ... done

https://192.168.66.36:8443

http://192.168.66.36:8080/

提示:第一次登陆时,它会让我们重设密码;

提示:重设密码后,重新登录,jumpserver的首页就是下图这样;后续我们就可以在这个界面来管理内网服务器了;到此jumpserver服务器就搭建好了;

2.2、手动部署

cd /opt
yum -y install wget
wget https://github.com/jumpserver/installer/releases/download/v2.8.2/jumpserver-installer-v2.8.2.tar.gz
tar -xf jumpserver-installer-v2.8.2.tar.gz
cd jumpserver-installer-v2.8.2

cat config-example.txt
# 以下设置如果为空系统会自动生成随机字符串填入
## 迁移请修改 SECRET_KEY 和 BOOTSTRAP_TOKEN 为原来的设置

## 安装配置
DOCKER_IMAGE_PREFIX=swr.cn-south-1.myhuaweicloud.com
VOLUME_DIR=/opt/jumpserver
DOCKER_DIR=/var/lib/docker
SECRET_KEY=
BOOTSTRAP_TOKEN=
LOG_LEVEL=ERROR

## 使用外置 MySQL 配置
USE_EXTERNAL_MYSQL=0
DB_HOST=mysql
DB_PORT=3306
DB_USER=root
DB_PASSWORD=
DB_NAME=jumpserver

## 使用外置 Redis 配置
USE_EXTERNAL_REDIS=0
REDIS_HOST=redis
REDIS_PORT=6379
REDIS_PASSWORD=

## Compose 项目设置
COMPOSE_PROJECT_NAME=jms
COMPOSE_HTTP_TIMEOUT=3600
DOCKER_CLIENT_TIMEOUT=3600
DOCKER_SUBNET=192.168.250.0/24

## IPV6
DOCKER_SUBNET_IPV6=2001:db8:10::/64
USE_IPV6=0

## Nginx 配置,这个 Nginx 是用来分发路径到不同的服务
HTTP_PORT=80
HTTPS_PORT=443
SSH_PORT=2222

## LB 配置, 这个 Nginx 是 HA 时可以启动负载均衡到不同的主机
USE_LB=0
LB_HTTP_PORT=80
LB_HTTPS_PORT=443
LB_SSH_PORT=2222

## Task 配置
USE_TASK=1

## XPack
USE_XPACK=0

# Mysql 容器配置
MYSQL_ROOT_PASSWORD=
MYSQL_DATABASE=jumpserver

# Core 配置
# SESSION_COOKIE_AGE=86400
SESSION_EXPIRE_AT_BROWSER_CLOSE=true

### Keycloak 配置方式
### AUTH_OPENID=true
### BASE_SITE_URL=https://jumpserver.company.com/
### AUTH_OPENID_SERVER_URL=https://keycloak.company.com/auth
### AUTH_OPENID_REALM_NAME=cmp
### AUTH_OPENID_CLIENT_ID=jumpserver
### AUTH_OPENID_CLIENT_SECRET=
### AUTH_OPENID_SHARE_SESSION=true
### AUTH_OPENID_IGNORE_SSL_VERIFICATION=true

# Koko 配置
CORE_HOST=http://core:8080

# Guacamole 配置
JUMPSERVER_SERVER=http://core:8080
JUMPSERVER_KEY_DIR=/config/guacamole/data/key/
JUMPSERVER_RECORD_PATH=/config/guacamole/data/record/
JUMPSERVER_DRIVE_PATH=/config/guacamole/data/drive/
JUMPSERVER_ENABLE_DRIVE=true
JUMPSERVER_CLEAR_DRIVE_SESSION=true
JUMPSERVER_CLEAR_DRIVE_SCHEDULE=24
(完)