Browsed by
Tag: 堡垒机

使用脚本一键部署堡垒机

使用脚本一键部署堡垒机

部门领导要求研究一下堡垒机的使用,所以花了两天时间研究了一下开源堡垒机的部署和使用。因为官方文档中有些已经有了部分错误,现在以官方的CentOS8版本的安装文档为蓝本把部署过程以脚本的形式备份一下。
其中,主要的变化是使用了官方源的nginx、修改了python安装的几个组件的版本、部署了堡垒机jms服务、koko服务和guacamole服务的systemd自启动脚本。

#!/bin/bash

# 2020.01.15
# sujx@live.cn

# 安装依赖包
yum update -y
yum -y install wget gcc epel-release git telnet openssh-clients dnf-utils vim 
yum update -y

# 下载 Jumpserver
cd /opt/
git clone --depth=1 https://github.com/jumpserver/jumpserver.git

# 防火墙 与 selinux 设置说明, 如果已经关闭了 防火墙 和 Selinux 的用户请跳过设置
systemctl start firewalld
# nginx 端口
firewall-cmd --zone=public --add-service=http --permanent  
# 用户SSH登录端口 koko
firewall-cmd --zone=public --add-port=2222/tcp --permanent  
# 重新载入规则
firewall-cmd --reload  
# SElinux配置
setsebool -P httpd_can_network_connect 1

# 安装 Redis, Jumpserver 使用 Redis 做 cache 和 celery broke
yum -y install redis
systemctl enable redis --now

# 安装 MySQL, 如果不使用 Mysql 可以跳过相关 Mysql 安装和配置, 支持sqlite3, mysql, postgres等
yum -y install mariadb mariadb-devel mariadb-server sshpass
systemctl enable mariadb --now

# 创建数据库 Jumpserver 并授权
DB_PASSWORD=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 24`  # 生成随机数据库密码

cat >~/passwd.txt<<EOF
数据库密码是 DB_PASSWORD
EOF

mysql -uroot -e "create database jumpserver default charset 'utf8'; grant all on jumpserver.* to 'jumpserver'@'127.0.0.1' identified by 'DB_PASSWORD'; flush privileges;"

# 安装 Nginx, 用作代理服务器整合 Jumpserver 与各个组件

yum -y install nginx
systemctl enable nginx --now

# 安装 Python3.6
yum -y install python36 python36-devel
yum -y install krb5-devel libtiff-devel libjpeg-devel libzip-devel freetype-devel libwebp-devel tcl-devel tk-devel openldap-devel libffi-devel openldap-clients

# 安装 Python 库依赖
# 配置使用华为python源
mkdir ~/.pip
cat >~/.pip/pip.conf<<EOF
[global]
index-url = https://mirrors.huaweicloud.com/repository/pypi/simple
trusted-host = mirrors.huaweicloud.com
timeout = 120 
EOF

# 配置并载入 Python3 虚拟环境
cd /opt
# py3 为虚拟环境名称, 可自定义
python3 -m venv py3  
# 退出虚拟环境可以使用 deactivate 命令
source /opt/py3/bin/activate  

pip install wheel setuptools
pip install pip --upgrade
pip install python-gssapi

# 修改依赖包版本
sed -i "s/Django==2.1.11/Django==2.2/g" /opt/jumpserver/requirements/requirements.txt
sed -i "s/cryptography==2.3.1/cryptography==2.7/g" /opt/jumpserver/requirements/requirements.txt
sed -i "s/pyasn1==0.4.2/pyasn1==0.4.6/g" /opt/jumpserver/requirements/requirements.txt

pip install -r /opt/jumpserver/requirements/requirements.txt

# 修改 Jumpserver 配置文件
cd /opt/jumpserver
cp config_example.yml config.yml

# 生成随机SECRET_KEY
SECRET_KEY=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 50`  
echo "SECRET_KEY=SECRET_KEY" >> ~/.bashrc

# 生成随机BOOTSTRAP_TOKEN
BOOTSTRAP_TOKEN=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 16`  
echo "BOOTSTRAP_TOKEN=BOOTSTRAP_TOKEN" >> ~/.bashrc

sed -i "s/SECRET_KEY:/SECRET_KEY: SECRET_KEY/g" /opt/jumpserver/config.yml
sed -i "s/BOOTSTRAP_TOKEN:/BOOTSTRAP_TOKEN:BOOTSTRAP_TOKEN/g" /opt/jumpserver/config.yml
sed -i "s/# DEBUG: true/DEBUG: false/g" /opt/jumpserver/config.yml
sed -i "s/# LOG_LEVEL: DEBUG/LOG_LEVEL: ERROR/g" /opt/jumpserver/config.yml
sed -i "s/# SESSION_EXPIRE_AT_BROWSER_CLOSE: false/SESSION_EXPIRE_AT_BROWSER_CLOSE: true/g" /opt/jumpserver/config.yml
sed -i "s/DB_PASSWORD: /DB_PASSWORD: DB_PASSWORD/g" /opt/jumpserver/config.yml

echo -e "SECRET_KEY是SECRET_KEY" >> ~/passwd.txt
echo -e "BOOTSTRAP_TOKEN是 BOOTSTRAP_TOKEN" >> ~/passwd.txt

# 退出虚拟环境可以使用 deactivate 命令

# 运行 Jumpserver
#cd /opt/jumpserver
#./jms start -d  # 后台运行使用 -d 参数./jms start -d
# 新版本更新了运行脚本, 使用方式./jms start|stop|status all  后台运行请添加 -d 参数
cat >/usr/lib/systemd/system/jms.service<<EOF
[Unit]
Description=jms
After=network.target mariadb.service redis.service
Wants=mariadb.service redis.service

[Service]
Type=forking
Environment="PATH=/opt/py3/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin"
ExecStart=/opt/jumpserver/jms start -d
ExecReload=
ExecStop=/opt/jumpserver/jms stop

[Install]
WantedBy=multi-user.target
EOF
systemctl enable jms.service --now

# 安装 podman 部署 koko 与 guacamole
yum install -y podman-docker
alias docker=podman
echo "alias docker=podman" >> ~/.bashrc

# 配置 podman 镜像源
sed -i "s/registry.redhat.io/dockerhub.azk8s.cn/g" /etc/containers/registries.conf
sed -i "s/registry.access.redhat.com/docker.mirrors.ustc.edu.cn/g" /etc/containers/registries.conf

# 允许 容器ip 访问宿主 8080 端口, (容器的 ip 可以进入容器查看)
firewall-cmd --permanent --add-rich-rule="rule family="ipv4" source address="10.88.0.0/16" port protocol="tcp" port="8080" accept"
firewall-cmd --reload
# 10.88.0.x 是 podman 容器默认的IP池, 这里偷懒直接授权ip段了, 可以根据实际情况单独授权IP

# 获取当前服务器 IP
Server_IP=`ip addr | grep 'state UP' -A2 | grep inet | egrep -v '(127.0.0.1|inet6|docker)' | awk '{print2}' | tr -d "addr:" | head -n 1 | cut -d / -f1`
echo -e "服务器IP是 Server_IP" >> ~/passwd.txt

# http://<Jumpserver_url> 指向 jumpserver 的服务端口, 如 http://192.168.244.144:8080
# BOOTSTRAP_TOKEN 为 Jumpserver/config.yml 里面的 BOOTSTRAP_TOKEN
docker run --name jms_koko -d -p 2222:2222 -p 127.0.0.1:5000:5000 -e CORE_HOST=http://Server_IP:8080 -e BOOTSTRAP_TOKEN=BOOTSTRAP_TOKEN jumpserver/jms_koko:1.5.6
docker run --name jms_guacamole -d -p 127.0.0.1:8081:8080 -e JUMPSERVER_SERVER=http://Server_IP:8080 -e BOOTSTRAP_TOKEN=BOOTSTRAP_TOKEN jumpserver/jms_guacamole:1.5.6

# 配置KOKO自启动
cat>/usr/lib/systemd/system/koko.service << EOF
[Unit]
Description=Podman JMS_koko Service
After=network.target
After=network-online.target

[Service]
Type=simple
ExecStart=/usr/bin/podman start -a jms_koko
ExecStop=/usr/bin/podman stop -t 10 jms_koko
Restart=always

[Install]
WantedBy=multi-user.target
EOF

systemctl enable koko.service

# 配置guacamole自启动
cat>/usr/lib/systemd/system/guacamole.service << EOF
[Unit]
Description=Podman JMS_guacamole Service
After=network.target
After=network-online.target

[Service]
Type=simple
ExecStart=/usr/bin/podman start -a jms_guacamole
ExecStop=/usr/bin/podman stop -t 10 jms_guacamole
Restart=always

[Install]
WantedBy=multi-user.target
EOF

systemctl enable guacamole.service

# 安装 Web Terminal 前端: Luna  需要 Nginx 来运行访问 访问(https://github.com/jumpserver/luna/releases)下载对应版本的 release 包, 直接解压, 不需要编译
cd /opt
# wget https://github.com/jumpserver/luna/releases/download/1.5.6/luna.tar.gz

# 如果网络有问题导致下载无法完成可以使用下面地址
wget https://demo.jumpserver.org/download/luna/1.5.6/luna.tar.gz

tar xvzf luna.tar.gz
chown -R root:root luna

# 配置 Nginx 整合各组件
rm -rf /etc/nginx/conf.d/default.conf

cp /etc/nginx/nginx.conf /etc/nginx.conf.bak
sed -i "38,58d" /etc/nginx/nginx.conf
cat>/etc/nginx/conf.d/jumpserver.conf << "EOF"
server {
    listen 80;
    # server_name _;

    client_max_body_size 100m;  # 录像及文件上传大小限制

    location /luna/ {
        try_filesuri / /index.html;
        alias /opt/luna/;  # luna 路径, 如果修改安装目录, 此处需要修改
    }

    location /media/ {
        add_header Content-Encoding gzip;
        root /opt/jumpserver/data/;  # 录像位置, 如果修改安装目录, 此处需要修改
    }

    location /static/ {
        root /opt/jumpserver/data/;  # 静态资源, 如果修改安装目录, 此处需要修改
    }

    location /koko/ {
        proxy_pass       http://localhost:5000;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IPremote_addr;
        proxy_set_header Host host;
        proxy_set_header X-Forwarded-Forproxy_add_x_forwarded_for;
        access_log off;
    }

    location /guacamole/ {
        proxy_pass       http://localhost:8081/;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade http_upgrade;
        proxy_set_header Connectionhttp_connection;
        proxy_set_header X-Real-IP remote_addr;
        proxy_set_header Hosthost;
        proxy_set_header X-Forwarded-For proxy_add_x_forwarded_for;
        access_log off;
    }

    location /ws/ {
        proxy_pass http://localhost:8070;
        proxy_http_version 1.1;
        proxy_buffering off;
        proxy_set_header Upgradehttp_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP remote_addr;
        proxy_set_header Hosthost;
        proxy_set_header X-Forwarded-For proxy_add_x_forwarded_for;
        access_log off;
    }

    location / {
        proxy_pass http://localhost:8080;
        proxy_set_header X-Real-IPremote_addr;
        proxy_set_header Host host;
        proxy_set_header X-Forwarded-Forproxy_add_x_forwarded_for;
        access_log off;
             }
}
EOF

# 确保配置没有问题, 有问题请先解决
nginx -t   
systemctl restart nginx

然后网页访问主机地址.
jumpserver


另外,脚本的下载地址如下:
jumpserver安装脚本