“Jumpserver基础”的版本间的差异
跳到导航
跳到搜索
(未显示同一用户的28个中间版本) | |||
第1行: | 第1行: | ||
− | =install= | + | =jumpserver install= |
+ | <pre> | ||
+ | |||
+ | 加个开机启动 | ||
+ | |||
+ | #在运行docker容器时可以加如下参数来保证每次docker服务重启后容器也自动重启: | ||
+ | $docker run --restart=always | ||
+ | #如果已经启动了则可以使用如下命令: | ||
+ | $docker update --restart=always <CONTAINER ID> | ||
+ | |||
+ | 重启试一下 | ||
+ | </pre> | ||
+ | ==* init == | ||
+ | |||
+ | ==* ins mariadb redis == | ||
+ | <pre> | ||
+ | apt install mariadb-client mariadb-server redis -y | ||
+ | |||
+ | sudo mysql_secure_installation | ||
+ | |||
+ | cat /etc/redis/redis.conf | grep -v '#' | ||
+ | ··· | ||
+ | protected-mode no | ||
+ | requirepass foobareLXTXe2456 | ||
+ | ··· | ||
+ | |||
+ | 监控 LO 127.0.0.1 可关也可不关 | ||
+ | |||
+ | #默认开启了的 | ||
+ | # 启动&自启动Redis | ||
+ | systemctl restart redis | ||
+ | systemctl enable redis | ||
+ | |||
+ | update mysql.user set authentication_string=PASSWORD('OPS123456#') where user='root'; | ||
+ | flush privileges; | ||
+ | |||
+ | |||
+ | UPDATE user SET password=password('OPS123456#') WHERE user='root'; | ||
+ | |||
+ | |||
+ | #这个有效果 mariadb 10 | ||
+ | use mysql | ||
+ | SET password for 'root'@'localhost' = password('OPS123456#'); | ||
+ | |||
+ | |||
+ | create database jumpserver char set utf8; | ||
+ | grant all on jumpserver.* to jumpserver@'%' identified by 'jumpserverLXTX136'; | ||
+ | |||
+ | |||
+ | grant all on *.* to root@'127.0.0.1' identified by 'myFD23'; | ||
+ | |||
+ | 监控了 127.0.0.1 我去 改为 0.0.0.0 | ||
+ | cat /etc/mysql/mariadb.conf.d/50-server.cnf | ||
+ | |||
+ | bind-address = 127.0.0.1 | ||
+ | |||
+ | |||
+ | |||
+ | root@prod-fincy-jumpserver:~# netstat -nlpt | ||
+ | Active Internet connections (only servers) | ||
+ | Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name | ||
+ | tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 4129/exim4 | ||
+ | tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN 12034/mysqld | ||
+ | |||
+ | |||
+ | systemctl restart mariadb | ||
+ | </pre> | ||
+ | |||
+ | ==* docker docker-compose ins== | ||
+ | |||
+ | |||
+ | ===* in jmp on docker === | ||
+ | <pre> | ||
+ | 所以随便映射一个端口8001用于Web访问,2222用户ssh访问,因为本服务器关闭了Selinux,如果没有关闭,还需要将8001与2222加入可http的端口,在Nginx服务器将会详细配置。 | ||
+ | |||
+ | #我用这个 注意这个 IP 特别是多个机器会不小心搞错 | ||
+ | docker run --name jms_all -d \ | ||
+ | -v /opt/jumpserver:/opt/jumpserver/data/media \ | ||
+ | -p 8080:80 \ | ||
+ | -p 2222:2222 \ | ||
+ | -e SECRET_KEY=secret \ | ||
+ | -e BOOTSTRAP_TOKEN=secret \ | ||
+ | -e DB_HOST=172.16.220.146 \ | ||
+ | -e DB_PORT=3306 \ | ||
+ | -e DB_USER=jumpserver \ | ||
+ | -e DB_PASSWORD=jumpserverLXTX136 \ | ||
+ | -e DB_NAME=jumpserver \ | ||
+ | -e REDIS_HOST=172.16.220.146 \ | ||
+ | -e REDIS_PORT=6379 \ | ||
+ | -e REDIS_PASSWORD=foobareLXTXe2456 \ | ||
+ | -e JUMPSERVER_KEY_DIR=/config/guacamole/keys \ | ||
+ | -e GUACAMOLE_HOME=/config/guacamole \ | ||
+ | -e JUMPSERVER_SERVER=http://127.0.0.1:8080 \ | ||
+ | jumpserver/jms_all:v2.2.1 | ||
+ | |||
+ | |||
+ | |||
+ | #官方文档的 | ||
+ | docker run --name jms_all -d \ | ||
+ | -v /opt/jumpserver/data:/opt/jumpserver/data \ | ||
+ | -p 80:80 \ | ||
+ | -p 2222:2222 \ | ||
+ | -e SECRET_KEY=xxxxxx \ | ||
+ | -e BOOTSTRAP_TOKEN=xxx \ | ||
+ | -e DB_HOST=192.168.x.x \ | ||
+ | -e DB_PORT=3306 \ | ||
+ | -e DB_USER=root \ | ||
+ | -e DB_PASSWORD=xxx \ | ||
+ | -e DB_NAME=jumpserver \ | ||
+ | -e REDIS_HOST=192.168.x.x \ | ||
+ | -e REDIS_PORT=6379 \ | ||
+ | -e REDIS_PASSWORD=xxx \ | ||
+ | --privileged=true \ | ||
+ | jumpserver/jms_all:v2.2.1 | ||
+ | |||
+ | |||
+ | https://spex.top/archives/docker-jumpserver.html | ||
+ | |||
+ | mysql 用户和密码写反了 | ||
+ | |||
+ | django.db.utils.OperationalError: (2006, "Access denied for user 'jumpserverLXTX136'@'172.17.0.2' (using password: YES)") | ||
+ | |||
+ | </pre> | ||
+ | |||
+ | ==api 添加host== | ||
+ | <pre> | ||
+ | #!/usr/bin/env python3 | ||
+ | # -*- coding:utf-8 -*- | ||
+ | # pip3 install httpsig | ||
+ | # usage # python3 addhost.py 'prod-mq' '172.16.0.12' | ||
+ | |||
+ | # 打开的你 URL 选择你的节点就行了 https://jump.com/ui/#/assets/assets?node=c81 | ||
+ | import requests, json | ||
+ | import datetime | ||
+ | from httpsig.requests_auth import HTTPSignatureAuth | ||
+ | import sys | ||
+ | |||
+ | def add_host(hostname, ip): | ||
+ | url = 'https://jump.com' + '/api/v1/assets/assets/' | ||
+ | #web页面可以查到各种ID信息 数据库不会用 | ||
+ | data = { | ||
+ | 'hostname': hostname, | ||
+ | 'ip': ip, | ||
+ | 'platform': 'Linux', | ||
+ | 'protocols': 'ssh/22', | ||
+ | 'nodes': ['c81xxxxxx'], #节点id | ||
+ | 'is_active': True | ||
+ | } | ||
+ | response = requests.post(url, auth=auth, headers=headers, data=data) | ||
+ | #state = json.loads(response.json()) | ||
+ | #print(state) | ||
+ | print(response.text) | ||
+ | #创建成功后返回主机id | ||
+ | return json.loads(response.text)['id'] | ||
+ | |||
+ | |||
+ | #需要先创建好,创建方式参考下面的截图 | ||
+ | auth = HTTPSignatureAuth(key_id='xxxx', secret='6xxxxx', | ||
+ | algorithm='hmac-sha256', headers=['(request-target)', 'accept', 'date']) | ||
+ | gmt_form = '%a, %d %b %Y %H:%M:%S GMT' | ||
+ | headers = { | ||
+ | 'Accept': 'application/json', | ||
+ | 'X-JMS-ORG': '00000000-0000-0000-0000-000000000002', | ||
+ | 'Date': datetime.datetime.utcnow().strftime(gmt_form) | ||
+ | } | ||
+ | |||
+ | if __name__ == '__main__': | ||
+ | add_host(sys.argv[1], sys.argv[2]) | ||
+ | </pre> | ||
+ | |||
+ | |||
+ | [https://blog.csdn.net/weixin_45574286/article/details/116595903 Jumpserver API调用 python] | ||
+ | |||
+ | [https://blog.csdn.net/EHOIST/article/details/106907295 Jumpserver API调用 python] | ||
+ | |||
+ | [https://www.jianshu.com/p/ae6f1710cfde Python3.7调用API批量添加资产主机到Jumpserver] | ||
+ | |||
+ | [https://codeleading.com/article/1294358106/ Jumpserver批量添加资产并授权 ] | ||
+ | |||
+ | [https://www.zze.xyz/archives/python-add-host-to-jumpserver.html 调用API批量添加主机到JumpServer中] | ||
+ | |||
+ | == USAGE == | ||
+ | <pre> | ||
+ | 要用空上格式 | ||
+ | 暂不支持OPENSSH格式的密钥,使用 ssh-keygen -t rsa -m pem生成 | ||
+ | |||
+ | |||
+ | |||
+ | grant all on *.* to lxtx@'%' identified by 'FINCy5609824hHixxxxx'; | ||
+ | |||
+ | |||
+ | 一个知识点 | ||
+ | |||
+ | 网域列表 | ||
+ | |||
+ | 网域功能是为了解决部分环境无法直接连接而新增的功能,原理是通过网关服务器进行跳转登录。 | ||
+ | |||
+ | 这个功能,一般情况不用到。 | ||
+ | |||
+ | 30分钟连接断开问题 | ||
+ | 在 系统设置--安全设置--连接最大空闲时间 默认的是30 可以改成你要的 | ||
+ | |||
+ | </pre> | ||
+ | ===Note=== | ||
+ | <pre> | ||
+ | |||
+ | |||
+ | 注意 | ||
+ | 问题: jumpserver error: 认证失败(用户名或密码错误 | ||
+ | 解决 | ||
+ | |||
+ | 系统用户用了个新的 devops | ||
+ | |||
+ | 然后这个用户添加prikey on web | ||
+ | |||
+ | 机器添加这个的pub buy | ||
+ | |||
+ | 过滤的命令 yum reboot halt poweroff rm 好像前几个没效果 | ||
+ | |||
+ | 用户列表里的用户是登录jumpserver的,系统用户是登录到jumpserver里以后再跳到系统里去登录的用户。 | ||
+ | </pre> | ||
+ | |||
[http://docs.jumpserver.org/zh/docs/dockerinstall.html Docker 安装] | [http://docs.jumpserver.org/zh/docs/dockerinstall.html Docker 安装] | ||
第25行: | 第246行: | ||
== sftp== | == sftp== | ||
sftp -P 大写的P 不是小写的p | sftp -P 大写的P 不是小写的p | ||
+ | |||
+ | =note= | ||
+ | <pre> | ||
+ | jumpserver | ||
+ | |||
+ | Django>=1.11 | ||
+ | django-bootstrap3>=8.2.2 | ||
+ | Pillow>=4.1.0 # 图像处理 | ||
+ | djangorestframework>=3.6.2 # Web API | ||
+ | ForgeryPy # 生成虚拟数据 | ||
+ | #openpyxl>=2.4.0 | ||
+ | celery>=4.0.2 # 完成异步任务 | ||
+ | paramiko>=2.1.2 # 远程连接服务器 | ||
+ | ansible>=2.2.2.0 # 自动化运维工具 | ||
+ | django-simple-captcha>=0.5.5 # 验证码插件 | ||
+ | django-formtools>=2.0 # 动态定义表单 | ||
+ | sshpubkeys>=2.2.0 | ||
+ | djangorestframework-bulk>=0.2.1 | ||
+ | django-redis-cache>=1.7.1 # 缓存 | ||
+ | requests>=2.13.0 | ||
+ | itsdangerous>=0.24 # 加密数据 | ||
+ | eventlet # 以协程方式实现并发 | ||
+ | django-filter>=1.0.2 | ||
+ | passlib>=1.7.1 # 生成hash密文 | ||
+ | gssapi | ||
+ | django-rest-swagger # API的管理 | ||
+ | django-auth-ldap # 登录验证 | ||
+ | ldap3 # 登录验证 | ||
+ | |||
+ | |||
+ | </pre> | ||
+ | =troubleshooting= | ||
+ | ==koko== | ||
+ | <pre> | ||
+ | Connecting to 1.231.144.243:2222... | ||
+ | Could not connect to '1.231.144.243' (port 2222): Connection failed. | ||
+ | |||
+ | 可见 不太正常 我在海外也 telnet 2222 不通 restart 搞定 | ||
+ | [root@ntos ~]# telnet 127.0.0.1 2222 | ||
+ | Trying 127.0.0.1... | ||
+ | Connected to 127.0.0.1. | ||
+ | Escape character is '^]'. | ||
+ | Connection closed by foreign host. | ||
+ | [roottos ~]# docker ps | ||
+ | CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES | ||
+ | f235b4dae318 jumpserver/jms_coco:1.4.9 "entrypoint.sh" 10 days ago Up 10 days 0.0.0.0:2222->2222/tcp, 0.0.0.0:5000->5000/tcp jms_coco | ||
+ | #重启这个 docker 容器正常了 | ||
+ | [root@tos ~]# docker restart f235b4dae318 | ||
+ | </pre> | ||
+ | |||
+ | ==jumpserver 密钥不合法== | ||
+ | 上传的秘钥在生成的时候不能设置密码,否则提示秘钥不正确。 | ||
=see also= | =see also= | ||
+ | |||
+ | [https://www.jianshu.com/p/81306abfba16 使用JumpServer管理你的服务器] | ||
+ | |||
+ | |||
[https://blog.csdn.net/wanglei_storage/article/details/51002206 jumpserver 堡垒机配置使用图文详解] | [https://blog.csdn.net/wanglei_storage/article/details/51002206 jumpserver 堡垒机配置使用图文详解] | ||
第32行: | 第309行: | ||
[https://blog.csdn.net/weixin_41004350/article/details/80183591 centos7 jumpserver安装与使用详解] | [https://blog.csdn.net/weixin_41004350/article/details/80183591 centos7 jumpserver安装与使用详解] | ||
+ | |||
+ | [https://docs.jumpserver.org/zh/master/admin-guide/quick_start/ 快速入门] | ||
+ | |||
+ | |||
+ | ==install== | ||
+ | |||
+ | [https://spex.top/archives/docker-jumpserver.html Docker部署JumpServer] | ||
+ | |||
+ | https://docs.jumpserver.org/zh/master/install/docker_install/ | ||
+ | |||
+ | [https://www.cnblogs.com/xiao987334176/p/12172811.html Jumpserver docker搭建] | ||
+ | |||
+ | [https://my.oschina.net/u/4313128/blog/4074012 jumpserver docker简单搭建] | ||
+ | |||
+ | [https://blog.51cto.com/14163901/2415413 docker下jumpserver跳板机 /堡垒机详细部署] | ||
+ | |||
+ | |||
+ | [https://www.jianshu.com/p/c9d5bbde7018 2018-ubuntu下jumpserver的安装和使用] | ||
+ | |||
+ | [https://blog.51cto.com/u_11451960/2640825 jumpserver介绍,安装,登录,用户管理,资产管理,客户端登录jumpserver] | ||
+ | |||
+ | [https://zhuanlan.zhihu.com/p/327940052 一键安装JumpServer(堡垒机)开源版本图文详解] | ||
+ | |||
+ | ==Usage== | ||
+ | |||
+ | [https://www.cnblogs.com/twobrother/p/11423818.html JumpServer简单使用 ] | ||
+ | |||
+ | |||
+ | [https://www.jianshu.com/p/832b1d6515dc jumpserver安装后遇到的死人坑] | ||
[[category:ops]] | [[category:ops]] |
2022年8月10日 (三) 11:23的最新版本
目录
jumpserver install
加个开机启动 #在运行docker容器时可以加如下参数来保证每次docker服务重启后容器也自动重启: $docker run --restart=always #如果已经启动了则可以使用如下命令: $docker update --restart=always <CONTAINER ID> 重启试一下
* init
* ins mariadb redis
apt install mariadb-client mariadb-server redis -y sudo mysql_secure_installation cat /etc/redis/redis.conf | grep -v '#' ··· protected-mode no requirepass foobareLXTXe2456 ··· 监控 LO 127.0.0.1 可关也可不关 #默认开启了的 # 启动&自启动Redis systemctl restart redis systemctl enable redis update mysql.user set authentication_string=PASSWORD('OPS123456#') where user='root'; flush privileges; UPDATE user SET password=password('OPS123456#') WHERE user='root'; #这个有效果 mariadb 10 use mysql SET password for 'root'@'localhost' = password('OPS123456#'); create database jumpserver char set utf8; grant all on jumpserver.* to jumpserver@'%' identified by 'jumpserverLXTX136'; grant all on *.* to root@'127.0.0.1' identified by 'myFD23'; 监控了 127.0.0.1 我去 改为 0.0.0.0 cat /etc/mysql/mariadb.conf.d/50-server.cnf bind-address = 127.0.0.1 root@prod-fincy-jumpserver:~# netstat -nlpt Active Internet connections (only servers) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 4129/exim4 tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN 12034/mysqld systemctl restart mariadb
* docker docker-compose ins
* in jmp on docker
所以随便映射一个端口8001用于Web访问,2222用户ssh访问,因为本服务器关闭了Selinux,如果没有关闭,还需要将8001与2222加入可http的端口,在Nginx服务器将会详细配置。 #我用这个 注意这个 IP 特别是多个机器会不小心搞错 docker run --name jms_all -d \ -v /opt/jumpserver:/opt/jumpserver/data/media \ -p 8080:80 \ -p 2222:2222 \ -e SECRET_KEY=secret \ -e BOOTSTRAP_TOKEN=secret \ -e DB_HOST=172.16.220.146 \ -e DB_PORT=3306 \ -e DB_USER=jumpserver \ -e DB_PASSWORD=jumpserverLXTX136 \ -e DB_NAME=jumpserver \ -e REDIS_HOST=172.16.220.146 \ -e REDIS_PORT=6379 \ -e REDIS_PASSWORD=foobareLXTXe2456 \ -e JUMPSERVER_KEY_DIR=/config/guacamole/keys \ -e GUACAMOLE_HOME=/config/guacamole \ -e JUMPSERVER_SERVER=http://127.0.0.1:8080 \ jumpserver/jms_all:v2.2.1 #官方文档的 docker run --name jms_all -d \ -v /opt/jumpserver/data:/opt/jumpserver/data \ -p 80:80 \ -p 2222:2222 \ -e SECRET_KEY=xxxxxx \ -e BOOTSTRAP_TOKEN=xxx \ -e DB_HOST=192.168.x.x \ -e DB_PORT=3306 \ -e DB_USER=root \ -e DB_PASSWORD=xxx \ -e DB_NAME=jumpserver \ -e REDIS_HOST=192.168.x.x \ -e REDIS_PORT=6379 \ -e REDIS_PASSWORD=xxx \ --privileged=true \ jumpserver/jms_all:v2.2.1 https://spex.top/archives/docker-jumpserver.html mysql 用户和密码写反了 django.db.utils.OperationalError: (2006, "Access denied for user 'jumpserverLXTX136'@'172.17.0.2' (using password: YES)")
api 添加host
#!/usr/bin/env python3 # -*- coding:utf-8 -*- # pip3 install httpsig # usage # python3 addhost.py 'prod-mq' '172.16.0.12' # 打开的你 URL 选择你的节点就行了 https://jump.com/ui/#/assets/assets?node=c81 import requests, json import datetime from httpsig.requests_auth import HTTPSignatureAuth import sys def add_host(hostname, ip): url = 'https://jump.com' + '/api/v1/assets/assets/' #web页面可以查到各种ID信息 数据库不会用 data = { 'hostname': hostname, 'ip': ip, 'platform': 'Linux', 'protocols': 'ssh/22', 'nodes': ['c81xxxxxx'], #节点id 'is_active': True } response = requests.post(url, auth=auth, headers=headers, data=data) #state = json.loads(response.json()) #print(state) print(response.text) #创建成功后返回主机id return json.loads(response.text)['id'] #需要先创建好,创建方式参考下面的截图 auth = HTTPSignatureAuth(key_id='xxxx', secret='6xxxxx', algorithm='hmac-sha256', headers=['(request-target)', 'accept', 'date']) gmt_form = '%a, %d %b %Y %H:%M:%S GMT' headers = { 'Accept': 'application/json', 'X-JMS-ORG': '00000000-0000-0000-0000-000000000002', 'Date': datetime.datetime.utcnow().strftime(gmt_form) } if __name__ == '__main__': add_host(sys.argv[1], sys.argv[2])
Python3.7调用API批量添加资产主机到Jumpserver
USAGE
要用空上格式 暂不支持OPENSSH格式的密钥,使用 ssh-keygen -t rsa -m pem生成 grant all on *.* to lxtx@'%' identified by 'FINCy5609824hHixxxxx'; 一个知识点 网域列表 网域功能是为了解决部分环境无法直接连接而新增的功能,原理是通过网关服务器进行跳转登录。 这个功能,一般情况不用到。 30分钟连接断开问题 在 系统设置--安全设置--连接最大空闲时间 默认的是30 可以改成你要的
Note
注意 问题: jumpserver error: 认证失败(用户名或密码错误 解决 系统用户用了个新的 devops 然后这个用户添加prikey on web 机器添加这个的pub buy 过滤的命令 yum reboot halt poweroff rm 好像前几个没效果 用户列表里的用户是登录jumpserver的,系统用户是登录到jumpserver里以后再跳到系统里去登录的用户。
端口
Jumpserver 默认 Web 端口为 8080/tcp, 默认 WS 端口为 8070/tcp, 配置文件 jumpserver/config.yml koko 默认 SSH 端口为 2222/tcp, 默认 Web Terminal 端口为 5000/tcp 配置文件在 koko/config.yml Guacamole 默认端口为 8081/tcp, 配置文件 /config/tomcat9/conf/server.xml Nginx 默认端口为 80/tcp Redis 默认端口为 6379/tcp Mysql 默认端口为 3306/tcp
ssh
ssh -p2222
sftp
sftp -P 大写的P 不是小写的p
note
jumpserver Django>=1.11 django-bootstrap3>=8.2.2 Pillow>=4.1.0 # 图像处理 djangorestframework>=3.6.2 # Web API ForgeryPy # 生成虚拟数据 #openpyxl>=2.4.0 celery>=4.0.2 # 完成异步任务 paramiko>=2.1.2 # 远程连接服务器 ansible>=2.2.2.0 # 自动化运维工具 django-simple-captcha>=0.5.5 # 验证码插件 django-formtools>=2.0 # 动态定义表单 sshpubkeys>=2.2.0 djangorestframework-bulk>=0.2.1 django-redis-cache>=1.7.1 # 缓存 requests>=2.13.0 itsdangerous>=0.24 # 加密数据 eventlet # 以协程方式实现并发 django-filter>=1.0.2 passlib>=1.7.1 # 生成hash密文 gssapi django-rest-swagger # API的管理 django-auth-ldap # 登录验证 ldap3 # 登录验证
troubleshooting
koko
Connecting to 1.231.144.243:2222... Could not connect to '1.231.144.243' (port 2222): Connection failed. 可见 不太正常 我在海外也 telnet 2222 不通 restart 搞定 [root@ntos ~]# telnet 127.0.0.1 2222 Trying 127.0.0.1... Connected to 127.0.0.1. Escape character is '^]'. Connection closed by foreign host. [roottos ~]# docker ps CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES f235b4dae318 jumpserver/jms_coco:1.4.9 "entrypoint.sh" 10 days ago Up 10 days 0.0.0.0:2222->2222/tcp, 0.0.0.0:5000->5000/tcp jms_coco #重启这个 docker 容器正常了 [root@tos ~]# docker restart f235b4dae318
jumpserver 密钥不合法
上传的秘钥在生成的时候不能设置密码,否则提示秘钥不正确。
see also
install
https://docs.jumpserver.org/zh/master/install/docker_install/
jumpserver介绍,安装,登录,用户管理,资产管理,客户端登录jumpserver