JumpServer deployment and application


Previously we covered deploying and using OpenVPN: it lets you reach intranet servers from the Internet for remote management. OpenVPN has a drawback, though. It grants network access, not audited sessions, so it cannot record which user ran what on which intranet server, and anyone holding a client certificate and private key together with the CA certificate and client configuration can connect straight into the intranet. On its own that is not a satisfactory control. Today we look at JumpServer, which overlaps with OpenVPN in one respect: both let users connect to company intranet servers from outside. JumpServer, however, is not normally exposed on the Internet. It is mainly a bastion through which operations, development and test staff reach company intranet servers, so that those servers are managed centrally; it also provides access control, user management, and session recording with playback.

Jumpserver Architecture diagram

Jumpserver server installation

Environment

    Host name   Role             IP address
    node01      jumpserver web   192.168.0.41
    node02      mysql/redis      192.168.0.42

1. Deploy MariaDB on node02 (JumpServer needs MariaDB 5.5.6 or later, or MySQL 5.6 or later)

Configure the MariaDB yum repository:

    [root@node02 ~]# cat /etc/yum.repos.d/mariadb.repo
    [mariadb]
    name=mariadb repo
    baseurl=https://mirrors.tuna.tsinghua.edu.cn/mariadb//mariadb-10.1.46/yum/centos/7/x86_64/
    gpgcheck=0
    [root@node02 ~]#

Note: gpgcheck=0 turns off RPM signature verification, so a spoofed or compromised mirror could hand you a trojaned database server package. For anything beyond a lab, import the MariaDB signing key and set gpgcheck=1.

Install MariaDB server:

    [root@node02 ~]# yum install -y MariaDB-server

Configure MariaDB to skip name resolution (skip-name-resolve in the [mysqld] section), then start MariaDB.

Connect to MariaDB and create the database and user:

    [root@node02 ~]# mysql
    Welcome to the MariaDB monitor.  Commands end with ; or \g.
    Your MariaDB connection id is 3
    Server version: 10.1.46-MariaDB MariaDB Server

    Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

    Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

    MariaDB [(none)]> create database jumpserver default charset 'utf8' collate 'utf8_bin';
    Query OK, 1 row affected (0.00 sec)

    MariaDB [(none)]> grant all on jumpserver.* to 'jumpserver'@'%' identified by 'admin123.com';
    Query OK, 0 rows affected (0.00 sec)

    MariaDB [(none)]> flush privileges;
    Query OK, 0 rows affected (0.00 sec)

    MariaDB [(none)]>

Note: 'jumpserver'@'%' accepts this account from any host. Only node01 needs it, so outside a lab grant to 'jumpserver'@'192.168.0.41' instead, and use a real password rather than admin123.com.

Validation: log in to the database as the jumpserver user:

    [root@node02 ~]# mysql -ujumpserver -padmin123.com -h192.168.0.42
    Welcome to the MariaDB monitor.  Commands end with ; or \g.
    Your MariaDB connection id is 4
    Server version: 10.1.46-MariaDB MariaDB Server

    Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

    Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

    MariaDB [(none)]> show databases;
    +--------------------+
    | Database           |
    +--------------------+
    | information_schema |
    | jumpserver         |
    | test               |
    +--------------------+
    3 rows in set (0.01 sec)

    MariaDB [(none)]> exit
    Bye
    [root@node02 ~]#

At this point the database service is ready.

2. Install Redis on node02

    [root@node02 ~]# yum -y install redis

Configure Redis to listen on all addresses of the machine and set a password:

    [root@node02 ~]# grep -Ei "^(bind|requirepass)" /etc/redis.conf
    bind 0.0.0.0
    requirepass admin123.com
    [root@node02 ~]#

Note: with bind 0.0.0.0 the password is the only thing between Redis and whoever can reach port 6379. Binding to 192.168.0.42 only, or firewalling the port to node01, is enough for this setup.

Start Redis.

Verify: log in to Redis:

    [root@node02 ~]# redis-cli -h 192.168.0.42
    192.168.0.42:6379> KEYS *
    (error) NOAUTH Authentication required.
    192.168.0.42:6379> AUTH admin123.com
    OK
    192.168.0.42:6379> KEYS *
    (empty list or set)
    192.168.0.42:6379> exit
    [root@node02 ~]#

3. Deploy the JumpServer web container on node01

Configure the docker-ce yum repository:

    [root@node01 ~]# cat /etc/yum.repos.d/docker-ce.repo
    [docker-ce-stable]
    name=Docker CE Stable - $basearch
    baseurl=https://mirrors.aliyun.com/docker-ce/linux/centos/7/$basearch/stable
    enabled=1
    gpgcheck=1
    gpgkey=https://mirrors.aliyun.com/docker-ce/linux/centos/gpg

    [docker-ce-stable-debuginfo]
    name=Docker CE Stable - Debuginfo $basearch
    baseurl=https://mirrors.aliyun.com/docker-ce/linux/centos/7/debug-$basearch/stable
    enabled=0
    gpgcheck=1
    gpgkey=https://mirrors.aliyun.com/docker-ce/linux/centos/gpg

    [docker-ce-stable-source]
    name=Docker CE Stable - Sources
    baseurl=https://mirrors.aliyun.com/docker-ce/linux/centos/7/source/stable
    enabled=0
    gpgcheck=1
    gpgkey=https://mirrors.aliyun.com/docker-ce/linux/centos/gpg

    [docker-ce-edge]
    name=Docker CE Edge - $basearch
    baseurl=https://mirrors.aliyun.com/docker-ce/linux/centos/7/$basearch/edge
    enabled=0
    gpgcheck=1
    gpgkey=https://mirrors.aliyun.com/docker-ce/linux/centos/gpg

    [docker-ce-edge-debuginfo]
    name=Docker CE Edge - Debuginfo $basearch
    baseurl=https://mirrors.aliyun.com/docker-ce/linux/centos/7/debug-$basearch/edge
    enabled=0
    gpgcheck=1
    gpgkey=https://mirrors.aliyun.com/docker-ce/linux/centos/gpg

    [docker-ce-edge-source]
    name=Docker CE Edge - Sources
    baseurl=https://mirrors.aliyun.com/docker-ce/linux/centos/7/source/edge
    enabled=0
    gpgcheck=1
    gpgkey=https://mirrors.aliyun.com/docker-ce/linux/centos/gpg

    [docker-ce-test]
    name=Docker CE Test - $basearch
    baseurl=https://mirrors.aliyun.com/docker-ce/linux/centos/7/$basearch/test
    enabled=0
    gpgcheck=1
    gpgkey=https://mirrors.aliyun.com/docker-ce/linux/centos/gpg

    [docker-ce-test-debuginfo]
    name=Docker CE Test - Debuginfo $basearch
    baseurl=https://mirrors.aliyun.com/docker-ce/linux/centos/7/debug-$basearch/test
    enabled=0
    gpgcheck=1
    gpgkey=https://mirrors.aliyun.com/docker-ce/linux/centos/gpg

    [docker-ce-test-source]
    name=Docker CE Test - Sources
    baseurl=https://mirrors.aliyun.com/docker-ce/linux/centos/7/source/test
    enabled=0
    gpgcheck=1
    gpgkey=https://mirrors.aliyun.com/docker-ce/linux/centos/gpg

    [docker-ce-nightly]
    name=Docker CE Nightly - $basearch
    baseurl=https://mirrors.aliyun.com/docker-ce/linux/centos/7/$basearch/nightly
    enabled=0
    gpgcheck=1
    gpgkey=https://mirrors.aliyun.com/docker-ce/linux/centos/gpg

    [docker-ce-nightly-debuginfo]
    name=Docker CE Nightly - Debuginfo $basearch
    baseurl=https://mirrors.aliyun.com/docker-ce/linux/centos/7/debug-$basearch/nightly
    enabled=0
    gpgcheck=1
    gpgkey=https://mirrors.aliyun.com/docker-ce/linux/centos/gpg

    [docker-ce-nightly-source]
    name=Docker CE Nightly - Sources
    baseurl=https://mirrors.aliyun.com/docker-ce/linux/centos/7/source/nightly
    enabled=0
    gpgcheck=1
    gpgkey=https://mirrors.aliyun.com/docker-ce/linux/centos/gpg
    [root@node01 ~]#

Install docker-ce and start Docker:

    [root@node01 ~]# yum install -y docker-ce
    [root@node01 ~]# systemctl start docker
    [root@node01 ~]# docker info
    Client:
     Debug Mode: false

    Server:
     Containers: 0
      Running: 0
      Paused: 0
      Stopped: 0
     Images: 0
     Server Version: 19.03.13
     Storage Driver: overlay2
      Backing Filesystem: xfs
      Supports d_type: true
      Native Overlay Diff: true
     Logging Driver: json-file
     Cgroup Driver: cgroupfs
     Plugins:
      Volume: local
      Network: bridge host ipvlan macvlan null overlay
      Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
     Swarm: inactive
     Runtimes: runc
     Default Runtime: runc
     Init Binary: docker-init
     containerd version: 8fba4e9a7d01810a393d5d25a3621dc101981175
     runc version: dc9208a3303feef5b3839f4323d9beb36df0a9dd
     init version: fec3683
     Security Options:
      seccomp
       Profile: default
     Kernel Version: 3.10.0-693.el7.x86_64
     Operating System: CentOS Linux 7 (Core)
     OSType: linux
     Architecture: x86_64
     CPUs: 2
     Total Memory: 1.781GiB
     Name: node01.test.org
     ID: JQY2:LCCM:EU6J:ARI7:UCEL:5HUV:FGE4:6RTY:PWR3:NKJI:EA3K:BKSA
     Docker Root Dir: /var/lib/docker
     Debug Mode: false
     Registry: https://index.docker.io/v1/
     Labels:
     Experimental: false
     Insecure Registries:
      127.0.0.0/8
     Live Restore Enabled: false

    [root@node01 ~]#

Configure the Docker registry mirror (accelerator):

    [root@node01 ~]# cat /etc/docker/daemon.json
    {
      "registry-mirrors": ["https://registry.docker-cn.com","https://cyr1uljt.mirror.aliyuncs.com"]
    }
    [root@node01 ~]#

Restart Docker:

    [root@node01 ~]# systemctl restart docker

Use docker info again to verify that the mirror address has been applied.

Download the JumpServer image:

    [root@node01 ~]# docker images
    REPOSITORY   TAG   IMAGE ID   CREATED   SIZE
    [root@node01 ~]# docker pull jumpserver/jms_all:v2.4.0
    v2.4.0: Pulling from jumpserver/jms_all
    75f829a71a1c: Pull complete
    f9c494d6df5d: Pull complete
    5135b4193f02: Pull complete
    918e815b1dc8: Pull complete
    0334369c4479: Pull complete
    64a0f2a7663a: Pull complete
    Digest: sha256:2081c88eca6dffb41bc42d8fe06d18c4379eacdbb354fa56dffd2a918738274d
    Status: Downloaded newer image for jumpserver/jms_all:v2.4.0
    docker.io/jumpserver/jms_all:v2.4.0
    [root@node01 ~]# docker images
    REPOSITORY           TAG      IMAGE ID       CREATED      SIZE
    jumpserver/jms_all   v2.4.0   3418bbaaded1   9 days ago   1.54GB
    [root@node01 ~]#

Note: the Digest line identifies the exact image content. A tag such as v2.4.0 can be re-pointed at a different image later, a digest cannot, so pulling jumpserver/jms_all@sha256:2081c88eca6dffb41bc42d8fe06d18c4379eacdbb354fa56dffd2a918738274d is the reproducible way to deploy the same bastion image again.

Write a script that generates SECRET_KEY and BOOTSTRAP_TOKEN (the two pipelines must be wrapped in $( ... ) command substitution; the published copy had lost it, and without it nothing is assigned):

    [root@node01 ~]# cat key_gen.sh
    #!/bin/bash
    if [ ! "$SECRET_KEY" ]; then
        SECRET_KEY=$(cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 50)
        echo "SECRET_KEY=$SECRET_KEY" >> ~/.bashrc
        echo $SECRET_KEY
    else
        echo $SECRET_KEY
    fi
    if [ ! "$BOOTSTRAP_TOKEN" ]; then
        BOOTSTRAP_TOKEN=$(cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 16)
        echo "BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN" >> ~/.bashrc
        echo $BOOTSTRAP_TOKEN
    else
        echo $BOOTSTRAP_TOKEN
    fi
    [root@node01 ~]#

Run the script to generate SECRET_KEY and BOOTSTRAP_TOKEN:

    [root@node01 ~]# bash key_gen.sh
    wIUaeZtCbtTNUDL9igEIImALjjaMo9ygPwfMWmPZcyWD0c3K9Q
    Lx15DW9xDxqOkiCq
    [root@node01 ~]#

Note: these two random values are very important. SECRET_KEY is used to encrypt sensitive database fields, so a migration or upgrade must reuse the same values or the stored secrets become unreadable. Keep in mind where they end up: the script appends them to ~/.bashrc, and the docker run command below repeats them on a command line that is recorded in shell history and readable through docker inspect. Treat all of those as secret material.

Create a directory on the host for the JumpServer container's data:

    [root@node01 ~]# mkdir -pv /data/jumpserver/
    mkdir: created directory '/data'
    mkdir: created directory '/data/jumpserver/'
    [root@node01 ~]#

Start jumpserver/jms_all:v2.4.0 as a container:

    [root@node01 ~]# docker run --name jms_all -d \
    > -v /data/jumpserver/:/opt/jumpserver/data \
    > -p 80:80 \
    > -p 2222:2222 \
    > -e SECRET_KEY=wIUaeZtCbtTNUDL9igEIImALjjaMo9ygPwfMWmPZcyWD0c3K9Q \
    > -e BOOTSTRAP_TOKEN=Lx15DW9xDxqOkiCq \
    > -e DB_HOST=192.168.0.42 \
    > -e DB_PORT=3306 \
    > -e DB_USER=jumpserver \
    > -e DB_PASSWORD=admin123.com \
    > -e DB_NAME=jumpserver \
    > -e REDIS_HOST=192.168.0.42 \
    > -e REDIS_PORT=6379 \
    > -e REDIS_PASSWORD=admin123.com \
    > --privileged=true \
    > jumpserver/jms_all:v2.4.0
    8974115a714c5000bac47a8a457190408861ad1967429435ad4f6a0b838c2fe3
    [root@node01 ~]# docker ps
    CONTAINER ID   IMAGE                       COMMAND             CREATED          STATUS          PORTS                                        NAMES
    8974115a714c   jumpserver/jms_all:v2.4.0   "./entrypoint.sh"   14 seconds ago   Up 12 seconds   0.0.0.0:80->80/tcp, 0.0.0.0:2222->2222/tcp   jms_all
    [root@node01 ~]# ss -tnl
    State    Recv-Q   Send-Q   Local Address:Port   Peer Address:Port
    LISTEN   0        128      *:22                 *:*
    LISTEN   0        100      127.0.0.1:25         *:*
    LISTEN   0        128      :::2222              :::*
    LISTEN   0        128      :::80                :::*
    LISTEN   0        128      :::22                :::*
    LISTEN   0        100      ::1:25               :::*
    [root@node01 ~]#

Note: the docker run command mainly hands the container the MariaDB and Redis addresses, ports and passwords, and publishes ports 80 (web console) and 2222 (SSH into the bastion) on the host. Two things to weigh before copying it: --privileged=true gives the container access to host devices and removes most of Docker's isolation, and the component that holds credentials for every intranet host is the last one you want running that way, so check whether the image starts without it; and port 80 serves the admin console over plain HTTP, so put TLS in front of it before anyone outside a lab logs in.

View the log with docker logs -f <container ID>; once the startup messages appear, the JumpServer container is running.

Access JumpServer: browse to the IP address of the host running the container (http://192.168.0.41). The default user name and password are both admin.
Tip: on first login you are asked to reset the password.
Tip: after resetting the password, log in again and you reach the JumpServer home page; this is where the intranet servers will be managed. At this point JumpServer is set up.
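The key_gen.sh script above stores the two secrets in ~/.bashrc and the docker run command then repeats them on the command line. As an added example (it is not from the original post or from the JumpServer project), the following script produces the same two values, writes them once into a root-only env file, refuses to regenerate them when the file already exists (so a later upgrade reuses the keys, as the note above requires), checks the file before use, and starts the container with --env-file and without --privileged. The path /etc/jumpserver/jms.env, the JMS_DEPLOY switch and the function names are my choices; the database and Redis values are the lab settings from this post.

```shell
#!/bin/bash
# Added example, not part of the original post: generate JumpServer's SECRET_KEY and
# BOOTSTRAP_TOKEN once, keep them in a root-only env file, and start jms_all from it.
# The env-file path is an assumption; DB/Redis values are the post's lab settings.
set -eu

JMS_ENV_FILE="${JMS_ENV_FILE:-/etc/jumpserver/jms.env}"

# Random alphanumeric string of the requested length (same character class as
# key_gen.sh, read straight from /dev/urandom).
rand_alnum() {
    tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "$1"
}

# Create the env file unless it already exists. Safe to call on every deploy or
# upgrade: existing keys are kept, and the secrets are never printed.
ensure_env_file() {
    local f="$1"
    if [ -e "$f" ]; then
        return 0
    fi
    mkdir -p "$(dirname "$f")"
    ( umask 077
      {
        echo "SECRET_KEY=$(rand_alnum 50)"
        echo "BOOTSTRAP_TOKEN=$(rand_alnum 16)"
        echo "DB_HOST=192.168.0.42"
        echo "DB_PORT=3306"
        echo "DB_USER=jumpserver"
        echo "DB_PASSWORD=admin123.com"
        echo "DB_NAME=jumpserver"
        echo "REDIS_HOST=192.168.0.42"
        echo "REDIS_PORT=6379"
        echo "REDIS_PASSWORD=admin123.com"
      } > "$f" )
}

# Read one KEY=value entry back from the env file.
env_value() {
    local f="$1" key="$2"
    sed -n "s/^${key}=//p" "$f"
}

# Pre-start checks: both secrets present with the lengths key_gen.sh produces,
# alphanumeric only, and the file readable by root alone (mode 600).
check_env_file() {
    local f="$1" sk bt mode
    sk=$(env_value "$f" SECRET_KEY)
    bt=$(env_value "$f" BOOTSTRAP_TOKEN)
    mode=$(stat -c '%a' "$f")
    [ "${#sk}" -eq 50 ] || { echo "SECRET_KEY has wrong length" >&2; return 1; }
    [ "${#bt}" -eq 16 ] || { echo "BOOTSTRAP_TOKEN has wrong length" >&2; return 1; }
    [ "$mode" = "600" ] || { echo "$f is mode $mode, expected 600" >&2; return 1; }
    case "$sk$bt" in *[!A-Za-z0-9]*) echo "non-alphanumeric secret" >&2; return 1;; esac
    return 0
}

# Start the container from the env file: no secrets on the command line and no
# --privileged. (docker inspect still shows the environment, but only to root
# on the host.)
start_jms() {
    local f="$1"
    docker run --name jms_all -d \
        -v /data/jumpserver/:/opt/jumpserver/data \
        -p 80:80 -p 2222:2222 \
        --env-file "$f" \
        jumpserver/jms_all:v2.4.0
}

# Set JMS_DEPLOY=1 to write the file and start the container; otherwise the
# script only defines the functions, so it can be sourced or tested without Docker.
if [ "${JMS_DEPLOY:-0}" = 1 ]; then
    ensure_env_file "$JMS_ENV_FILE"
    check_env_file "$JMS_ENV_FILE"
    start_jms "$JMS_ENV_FILE"
fi
```

Run it as root with JMS_DEPLOY=1 on node01; on the next upgrade run it again and the same SECRET_KEY is reused because the file already exists. If the image turns out to need --privileged after all, add it back in start_jms deliberately rather than by default.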

Use jumpServer

1. Basic settings
Tip: in the basic settings you must set the current JumpServer URL and the mail subject prefix; the links in the emails JumpServer sends to users point at that URL.

2. Configure the mail server and the account JumpServer sends email from
Tip: System Settings -> Mail Settings. Fill in the account and mail server information, then test the connection. If the test mail arrives, the mail server details and the account credentials are correct. Finally click submit.

3. Create a user
Tip: User Management -> User List -> Create. Fill in the user information and click submit at the bottom.
Tip: when the user is created, JumpServer sends an email to the user's address; the user clicks the link in the email to set a password.
Tip: after the password is set, click Settings; the user receives an email confirming that the password was updated.

4. Create a user group and add the test user to it
Tip: User Management -> User Group -> Create. Fill in the group information, select the users, and click submit.

5. Create an admin user
Tip: Asset Management -> Admin User -> Create. Fill in the administrator account and password of the managed host and click submit. The admin user is either root on the asset (the managed server) or an account with NOPASSWD: ALL sudo; JumpServer uses it to push system users, collect asset hardware information, and so on.
Note: that account is root-equivalent on every asset it is attached to, and its credential lives in the JumpServer database (encrypted with SECRET_KEY), which is why the bastion host and its database deserve at least the protection of the assets behind them.

6. Create a system user, the account JumpServer logs in with on the managed hosts
Tip: Asset Management -> System User -> Create. Fill in the user name, tick automatic push and automatic key generation, and click submit at the bottom. This user is the one JumpServer will use to log in to each host. If the managed host does not have the user, JumpServer creates it through the admin user added in step 5.

7. Create assets
Tip: Asset Management -> Asset List -> Create. Fill in the host name, IP address and admin user of the managed host and click submit at the bottom.
Tip: after submitting, the host appears in the asset list.

8. Asset authorization
Tip: Permission Management -> Asset Authorization -> Create. Fill in a name, select the users and groups, the assets and the system users, then click submit at the bottom. The resource is now authorized to the test user and to members of the Test group.
Note how assets and nodes combine. A node contains many servers. To authorize a single server to a user, select the asset and leave the node empty; to authorize a whole node, select the node and leave the assets empty; to authorize both a single asset and a node, select both. Selecting the Default node authorizes every host to the user, because the Default node contains all hosts.
Verify: log in to JumpServer as the test user and check whether the resources just created are visible.
Tip: on first login the user is asked to update profile information and accept the terms, which can be adjusted to the real details. Under My Assets the current user's authorized assets are listed.
Verify: connect to node01 as the test user.
Tip: the test user connects to node01 through the system user configured above.

9. View playback of user operations
Tip: Session Management -> Session Management -> Historical Sessions; click Playback behind the corresponding session to replay what that user did in it.

That is the end of JumpServer's basic operations. The remaining logs can be viewed on the web by clicking the corresponding menus, which are not covered here.
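The admin user in step 5 has to be root or hold a NOPASSWD: ALL sudo rule on the asset, and a push that stalls at a sudo password prompt is the usual symptom when it does not. The page shows no way to confirm this before attaching a host, so here is an added example (not from the post or the JumpServer project): a small checker that reads sudoers-style text and reports whether a given user, directly or through a %group it belongs to, gets passwordless ALL. It is deliberately conservative (a rule counts only when its command list is exactly ALL with the NOPASSWD tag). The sample sudoers text and the account names in it are constructed for the example; on a real asset feed it cat /etc/sudoers /etc/sudoers.d/* as root, or simply run sudo -n true as the candidate account.

```shell
#!/bin/bash
# Added example, not part of the original post: verify that a candidate admin user
# has the "NOPASSWD: ALL" sudo rule JumpServer needs on an asset.
set -eu

# Print the user or %group field of LINE if it is a "... NOPASSWD: ALL" rule,
# nothing otherwise. Forms recognised:
#   admin   ALL=(ALL)     NOPASSWD: ALL
#   %wheel  ALL=(ALL:ALL) NOPASSWD:ALL
# Rules limited to specific commands, or requiring a password, do not match.
rule_matches() {
    printf '%s\n' "$1" | sed -n -E \
        's/^[[:space:]]*(%?[A-Za-z0-9_.-]+)[[:space:]]+[^=]+=.*NOPASSWD:[[:space:]]*ALL[[:space:]]*$/\1/p'
}

# has_nopasswd_all USER "GROUP1 GROUP2 ..." < sudoers-text
# Prints yes/no and returns 0/1. GROUPS are the groups USER belongs to on the
# asset (what `id -Gn USER` prints there); pass "" if unknown.
has_nopasswd_all() {
    local user="$1" groups="${2:-}" line who g
    while IFS= read -r line || [ -n "$line" ]; do
        line="${line%%#*}"              # drop comments
        who=$(rule_matches "$line")
        [ -n "$who" ] || continue
        if [ "$who" = "$user" ]; then
            echo yes; return 0
        fi
        for g in $groups; do
            if [ "$who" = "%$g" ]; then
                echo yes; return 0
            fi
        done
    done
    echo no
    return 1
}

# JumpServer accepts root itself or a NOPASSWD: ALL sudoer as the admin user.
admin_user_ok() {
    local user="$1" groups="${2:-}"
    if [ "$user" = root ]; then
        echo yes; return 0
    fi
    has_nopasswd_all "$user" "$groups"
}

# Constructed sample sudoers text for the example (not from any real host).
SAMPLE_SUDOERS='
root      ALL=(ALL)       ALL
%wheel    ALL=(ALL)       ALL
# account pushed for JumpServer
jmsadmin  ALL=(ALL)       NOPASSWD: ALL
# deploy group may restart one service without a password, nothing more
%deploy   ALL=(ALL)       NOPASSWD: /usr/bin/systemctl restart app
%ops      ALL=(ALL:ALL)   NOPASSWD:ALL
'

# Usage on an asset (run as root):
#   cat /etc/sudoers /etc/sudoers.d/* | admin_user_ok jmsadmin "$(id -Gn jmsadmin)"
```

With the sample above, jmsadmin qualifies directly, a member of ops qualifies through %ops, a member of wheel does not (its rule still asks for a password), and a member of deploy does not because its rule is limited to one command. When the answer is no, fix the sudoers entry on the asset rather than widening it in a hurry; the admin user is root-equivalent wherever it is accepted.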