一.简介
前面我们聊到了openvpn的部署和使用,它能够实现从互联网通过openvpn连接到公司内网服务器,从而进行远程管理。
但openvpn有一个缺点:它不能记录用户在内网服务器上操作了什么;而且只要拥有客户端的证书和私钥、ca的证书以及客户端配置,就可以直接连接到公司内网,这从某些角度讲不是一个安全的解决方案。

今天我们来聊一聊和openvpn有类似功能的软件jumpserver。jumpserver和openvpn都可以让用户从互联网连接公司内部网服务器,但通常jumpserver不会直接放在互联网上。
它主要供运维、开发以及测试相关人员用来连接公司内部网服务器,从而实现对公司内部网服务器的集中管理。同时跳板机还具有权限管理、用户管理以及监控重定向等功能。

二.jumpserver架构图


三.jumpserver服务器安装
环境说明:
主机名称 | 角色 | ip地址 |
节点01 | Jumpserver网站 | 192.168.0.41 |
节点02 | mysql / redis | 192.168.0.42 |
1.在node02上部署mariadb
(mariadb版本最低5.5.6;如果使用mysql,版本最低5.6)
配置mariadb yum仓库:
[root@node02 ~]# cat /etc/yum.repos.d/mariadb.repo
[mariadb]
name=mariadb repo
baseurl=https://mirrors.tuna.tsinghua.edu.cn/mariadb//mariadb-10.1.46/yum/centos/7/x86_64/
gpgcheck=0
[root@node02 ~]#
[root@node02 ~]# yum install -y MariaDB-server
配置mariadb忽略名称解析:


[root@node02 ~]# mysql
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 3
Server version: 10.1.46-MariaDB MariaDB Server
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> create database jumpserver default charset 'utf8' collate 'utf8_bin';
Query OK, 1 row affected (0.00 sec)
MariaDB [(none)]> grant all on jumpserver.* to 'jumpserver'@'%' identified by 'admin123.com';
Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]> flush privileges;
Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]>
[root@node02 ~]# mysql -ujumpserver -padmin123.com -h192.168.0.42
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 4
Server version: 10.1.46-MariaDB MariaDB Server
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| jumpserver |
| test |
+--------------------+
3 rows in set (0.01 sec)
MariaDB [(none)]> exit
Bye
[root@node02 ~]#
[root@node02 ~]# yum -y install redis
[root@node02 ~]# grep -Ei "^(bind|requirepass)" /etc/redis.conf
bind 0.0.0.0
requirepass admin123.com
[root@node02 ~]#
启动redis:

[root@node02 ~]# redis-cli -h 192.168.0.42
192.168.0.42:6379> KEYS *
(error) NOAUTH Authentication required.
192.168.0.42:6379> AUTH admin123.com
OK
192.168.0.42:6379> KEYS *
(empty list or set)
192.168.0.42:6379> exit
[root@node02 ~]#
[root@node01 ~]# cat /etc/yum.repos.d/docker-ce.repo
[docker-ce-stable]
name=Docker CE Stable - $basearch
baseurl=https://mirrors.aliyun.com/docker-ce/linux/centos/7/$basearch/stable
enabled=1
gpgcheck=1
gpgkey=https://mirrors.aliyun.com/docker-ce/linux/centos/gpg
[docker-ce-stable-debuginfo]
name=Docker CE Stable - Debuginfo $basearch
baseurl=https://mirrors.aliyun.com/docker-ce/linux/centos/7/debug-$basearch/stable
enabled=0
gpgcheck=1
gpgkey=https://mirrors.aliyun.com/docker-ce/linux/centos/gpg
[docker-ce-stable-source]
name=Docker CE Stable - Sources
baseurl=https://mirrors.aliyun.com/docker-ce/linux/centos/7/source/stable
enabled=0
gpgcheck=1
gpgkey=https://mirrors.aliyun.com/docker-ce/linux/centos/gpg
[docker-ce-edge]
name=Docker CE Edge - $basearch
baseurl=https://mirrors.aliyun.com/docker-ce/linux/centos/7/$basearch/edge
enabled=0
gpgcheck=1
gpgkey=https://mirrors.aliyun.com/docker-ce/linux/centos/gpg
[docker-ce-edge-debuginfo]
name=Docker CE Edge - Debuginfo $basearch
baseurl=https://mirrors.aliyun.com/docker-ce/linux/centos/7/debug-$basearch/edge
enabled=0
gpgcheck=1
gpgkey=https://mirrors.aliyun.com/docker-ce/linux/centos/gpg
[docker-ce-edge-source]
name=Docker CE Edge - Sources
baseurl=https://mirrors.aliyun.com/docker-ce/linux/centos/7/source/edge
enabled=0
gpgcheck=1
gpgkey=https://mirrors.aliyun.com/docker-ce/linux/centos/gpg
[docker-ce-test]
name=Docker CE Test - $basearch
baseurl=https://mirrors.aliyun.com/docker-ce/linux/centos/7/$basearch/test
enabled=0
gpgcheck=1
gpgkey=https://mirrors.aliyun.com/docker-ce/linux/centos/gpg
[docker-ce-test-debuginfo]
name=Docker CE Test - Debuginfo $basearch
baseurl=https://mirrors.aliyun.com/docker-ce/linux/centos/7/debug-$basearch/test
enabled=0
gpgcheck=1
gpgkey=https://mirrors.aliyun.com/docker-ce/linux/centos/gpg
[docker-ce-test-source]
name=Docker CE Test - Sources
baseurl=https://mirrors.aliyun.com/docker-ce/linux/centos/7/source/test
enabled=0
gpgcheck=1
gpgkey=https://mirrors.aliyun.com/docker-ce/linux/centos/gpg
[docker-ce-nightly]
name=Docker CE Nightly - $basearch
baseurl=https://mirrors.aliyun.com/docker-ce/linux/centos/7/$basearch/nightly
enabled=0
gpgcheck=1
gpgkey=https://mirrors.aliyun.com/docker-ce/linux/centos/gpg
[docker-ce-nightly-debuginfo]
name=Docker CE Nightly - Debuginfo $basearch
baseurl=https://mirrors.aliyun.com/docker-ce/linux/centos/7/debug-$basearch/nightly
enabled=0
gpgcheck=1
gpgkey=https://mirrors.aliyun.com/docker-ce/linux/centos/gpg
[docker-ce-nightly-source]
name=Docker CE Nightly - Sources
baseurl=https://mirrors.aliyun.com/docker-ce/linux/centos/7/source/nightly
enabled=0
gpgcheck=1
gpgkey=https://mirrors.aliyun.com/docker-ce/linux/centos/gpg
[root@node01 ~]#
[root@node01 ~]# yum install -y docker-ce[root@node01 ~]# systemctl start docker[root@node01 ~]# docker infoClient:Debug Mode: falseServer:Containers: 0Running: 0Paused: 0Stopped: 0Images: 0Server Version: 19.03.13Storage Driver: overlay2Backing Filesystem: xfsSupports d_type: trueNative Overlay Diff: trueLogging Driver: json-fileCgroup Driver: cgroupfsPlugins:Volume: localNetwork: bridge host ipvlan macvlan null overlayLog: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslogSwarm: inactiveRuntimes: runcDefault Runtime: runcInit Binary: docker-initcontainerd version: 8fba4e9a7d01810a393d5d25a3621dc101981175runc version: dc9208a3303feef5b3839f4323d9beb36df0a9ddinit version: fec3683Security Options:seccompProfile: defaultKernel Version: 3.10.0-693.el7.x86_64Operating System: CentOS Linux 7 (Core)OSType: linuxArchitecture: x86_64CPUs: 2Total Memory: 1.781GiBName: node01.test.orgID: JQY2:LCCM:EU6J:ARI7:UCEL:5HUV:FGE4:6RTY:PWR3:NKJI:EA3K:BKSADocker Root Dir: /var/lib/dockerDebug Mode: falseRegistry: https://index.docker.io/v1/Labels:Experimental: falseInsecure Registries:127.0.0.0/8Live Restore Enabled: false[root@node01 ~]#
[root@node01 ~]# cat /etc/docker/daemon.json
{"registry-mirrors": ["https://registry.docker-cn.com","https://cyr1uljt.mirror.aliyuncs.com"]}
[root@node01 ~]#
[root@node01 ~]# systemctl restart docker

[root@node01 ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
[root@node01 ~]# docker pull jumpserver/jms_all:v2.4.0
v2.4.0: Pulling from jumpserver/jms_all
75f829a71a1c: Pull complete
f9c494d6df5d: Pull complete
5135b4193f02: Pull complete
918e815b1dc8: Pull complete
0334369c4479: Pull complete
64a0f2a7663a: Pull complete
Digest: sha256:2081c88eca6dffb41bc42d8fe06d18c4379eacdbb354fa56dffd2a918738274d
Status: Downloaded newer image for jumpserver/jms_all:v2.4.0
docker.io/jumpserver/jms_all:v2.4.0
[root@node01 ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
jumpserver/jms_all v2.4.0 3418bbaaded1 9 days ago 1.54GB
[root@node01 ~]#
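#!/bin/bash
# key_gen.sh (node01): print the SECRET_KEY and BOOTSTRAP_TOKEN values that the
# jms_all container is started with. On the first run each value is generated
# from /dev/urandom and appended to ~/.bashrc, so later runs (once the shell has
# re-read ~/.bashrc) print the same value instead of a new one.
#
# NOTE(review): both values are secrets. They are stored in plaintext in
# ~/.bashrc and printed to stdout (terminal scrollback); keep ~/.bashrc readable
# only by its owner and treat the printed values like passwords.

#######################################
# Print the value of a variable, generating and persisting it when it is unset
# or empty.
# Arguments: $1 - variable name (e.g. SECRET_KEY)
#            $2 - number of characters to generate when no value exists
# Globals:   reads the variable named by $1; appends "$1=<value>" to ~/.bashrc
#            when a value had to be generated
# Outputs:   the value, followed by a newline, on stdout
#######################################
emit_or_generate() {
  local name=$1
  local len=$2
  local value=${!name}
  if [ -z "$value" ]; then
    # alphanumerics only, so the value needs no quoting in ~/.bashrc or in the
    # docker run -e arguments it is later pasted into
    value=$(tr -dc 'A-Za-z0-9' </dev/urandom | head -c "$len")
    printf '%s=%s\n' "$name" "$value" >> ~/.bashrc
  fi
  printf '%s\n' "$value"
}

emit_or_generate SECRET_KEY 50
emit_or_generate BOOTSTRAP_TOKEN 16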
[root@node01 ~]# bash key_gen.sh
wIUaeZtCbtTNUDL9igEIImALjjaMo9ygPwfMWmPZcyWD0c3K9Q
Lx15DW9xDxqOkiCq
[root@node01 ~]#
[root@node01 ~]# mkdir /data/jumpserver/ -pv
mkdir: created directory ‘/data’
mkdir: created directory ‘/data/jumpserver/’
[root@node01 ~]#
[root@node01 ~]# docker run --name jms_all -d \
> -v /data/jumpserver/:/opt/jumpserver/data \
> -p 80:80 \
> -p 2222:2222 \
> -e SECRET_KEY=wIUaeZtCbtTNUDL9igEIImALjjaMo9ygPwfMWmPZcyWD0c3K9Q \
> -e BOOTSTRAP_TOKEN=Lx15DW9xDxqOkiCq \
> -e DB_HOST=192.168.0.42 \
> -e DB_PORT=3306 \
> -e DB_USER=jumpserver \
> -e DB_PASSWORD=admin123.com \
> -e DB_NAME=jumpserver \
> -e REDIS_HOST=192.168.0.42 \
> -e REDIS_PORT=6379 \
> -e REDIS_PASSWORD=admin123.com \
> --privileged=true \
> jumpserver/jms_all:v2.4.0
8974115a714c5000bac47a8a457190408861ad1967429435ad4f6a0b838c2fe3
[root@node01 ~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
8974115a714c jumpserver/jms_all:v2.4.0 "./entrypoint.sh" 14 seconds ago Up 12 seconds 0.0.0.0:80->80/tcp, 0.0.0.0:2222->2222/tcp jms_all
[root@node01 ~]# ss -tnl
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 *:22 *:*
LISTEN 0 100 127.0.0.1:25 *:*
LISTEN 0 128 :::2222 :::*
LISTEN 0 128 :::80 :::*
LISTEN 0 128 :::22 :::*
LISTEN 0 100 ::1:25 :::*
[root@node01 ~]#





四.jumpserver使用


















文章来源网络 侵删