其实运维工作,出现各种问题是在所难免的,不仅要有很好的分析处理能力,而且还要避免问题再次发生。
要清楚认识到出现问题的真实原因:
支持对X11、Linux、Unix、数据库、网络设备、安全设备等一系列授权账号进行密码的自动化周期更改,简化密码管理,让使用者无需记忆众多系统密码,即可实现自动登录目标设备,便捷安全;
设备支持统一账户管理策略,能够实现对所有服务器、网路设备、安全设备等账号进行集中管理,完成对账号整个生命周期的监控,并且可以对设备进行特殊角设置,如:审计巡检员、运维操作员、设备管理员等自定义,以满足审计需求;
设备提供统一的认证接口,对用户进行认证,支持身份认证模式包括动态口令、静态密码、硬件key、生物特征等多种认证方式,设备具有灵活的定制接口,可以与其他第三方认证服务器直接结合;
安全的认证模式,有效提高了认证的安全性和可靠性;
设备提供基于用户、目标设备、时间、协议类型IP、行为等要素实现细粒度的操作授权,最大限度保护用户资源的安全;
设备支持对不同用户进行不同策略的制定,细粒度的访问控制能够最大限度的保护用户资源的安全,严防非法、越权访问事件的发生;
设备能够对字符串、图形、文件传输、数据库等安全操作进行行为审计;通过设备录像方式监控运维人员对操作系统、安全设备、网络设备、数据库等进行的各种操作,对违规行为进行事中控制;对终端指令信息能够进行精确搜索,进行录像精确定位;
多出现在同一工作组中,由于工作需要,同时系统管理员账号唯一,因此只能多用户共享同一账号;如果发生安全事故,不仅难以定位账号的实际使用者和责任人,而且无法对账号的使用范围进行有效控制,存在较大的安全风险和隐患;
目前一个维护人员使用多个账号时较为普遍的情况,用户需要记忆多套口令同时在多套主机系统、网络设备之间切换,降低工作效率,增加工作复杂度;
维护人员的权限大多是粗放管理,无基于最小权限分配原则的用户权限管理,难以实现更细粒度的命令权限控制,系统安全性无法充分保证;
各个网络设备、主机系统、数据库是分别单独审计记录访问行为,由于没有统一审计策略,而且各系统自身审计日志内容深浅不一,难以及时通过系统自身审计发现违规操作行为和追查取证;
[root@JumpServer ~]# cat /etc/redhat-release CentOS Linux release 7.9.2009 (Core) [root@JumpServer ~]# uname -r 3.10.0-1160.el7.x86_64 [root@JumpServer ~]# setenforce 0 [root@JumpServer ~]# systemctl stop friewalld [root@JumpServer ~]# hostname -I 172.16.70.181 [root@JumpServer ~]# yum update -y [root@JumpServer ~]# yum install wget curl tar gettext iptables vim net-tools lrzsz tree -y
[root@JumpServer ~]# cd /opt [root@JumpServer opt]# wget https://github.com/jumpserver/installer/releases/download/v2.28.6/jumpserver-installer-v2.28.6.tar.gz [root@JumpServer opt]# tar -xf jumpserver-installer-v2.28.6.tar.gz [root@JumpServer opt]# mv jumpserver-installer-v2.28.6 jumpserver [root@JumpServer opt]# ls jumpserver compose config-example.txt config_init jmsctl.sh LICENSE locale quick_start.sh README.md scripts static.env utils [root@JumpServer opt]# tree jumpserver jumpserver ├── compose │ ├── docker-compose-app.yml │ ├── docker-compose-db-tls.yml │ ├── docker-compose-es.yml │ ├── docker-compose-init-db.yml │ ├── docker-compose-init-tls.yml │ ├── docker-compose-init-xpack.yml │ ├── docker-compose-lb.yml │ ├── docker-compose-mariadb.yml │ ├── docker-compose-minio.yml │ ├── docker-compose-mysql.yml │ ├── docker-compose-network_ipv6.yml │ ├── docker-compose-network.yml │ ├── docker-compose-redis.yml │ ├── docker-compose-task.yml │ └── docker-compose-xpack.yml ├── config-example.txt ├── config_init │ ├── core │ │ └── config.yml │ ├── koko │ │ └── config.yml │ ├── mariadb │ │ └── mariadb.cnf │ ├── mysql │ │ └── my.cnf │ ├── nginx │ │ ├── cert │ │ │ ├── server.crt │ │ │ └── server.key │ │ └── lb_http_server.conf │ ├── README.md │ └── redis │ └── redis.conf ├── jmsctl.sh ├── LICENSE ├── locale │ ├── en │ │ └── LC_MESSAGES │ │ ├── jumpserver-installer.mo │ │ └── jumpserver-installer.po │ └── zh_CN │ └── LC_MESSAGES │ ├── jumpserver-installer.mo │ └── jumpserver-installer.po ├── quick_start.sh ├── README.md ├── scripts │ ├── 0_prepare.sh │ ├── 1_config_jumpserver.sh │ ├── 2_install_docker.sh │ ├── 3_load_images.sh │ ├── 4_install_jumpserver.sh │ ├── 5_db_backup.sh │ ├── 6_db_restore.sh │ ├── 7_upgrade.sh │ ├── 8_uninstall.sh │ ├── const.sh │ ├── docker.service │ └── utils.sh ├── static.env └── utils ├── build.sh └── messages.sh 16 directories, 48 files
[root@JumpServer opt]# ls jumpserver/config-example.txt jumpserver/config-example.txt
[root@JumpServer opt]# bash jumpserver/jmsctl.sh install ██╗██╗ ██╗███╗ ███╗██████╗ ███████╗███████╗██████╗ ██╗ ██╗███████╗██████╗ ██║██║ ██║████╗ ████║██╔══██╗██╔════╝██╔════╝██╔══██╗██║ ██║██╔════╝██╔══██╗ ██║██║ ██║██╔████╔██║██████╔╝███████╗█████╗ ██████╔╝██║ ██║█████╗ ██████╔╝ ██ ██║██║ ██║██║╚██╔╝██║██╔═══╝ ╚════██║██╔══╝ ██╔══██╗╚██╗ ██╔╝██╔══╝ ██╔══██╗ ╚█████╔╝╚██████╔╝██║ ╚═╝ ██║██║ ███████║███████╗██║ ██║ ╚████╔╝ ███████╗██║ ██║ ╚════╝ ╚═════╝ ╚═╝ ╚═╝╚═╝ ╚══════╝╚══════╝╚═╝ ╚═╝ ╚═══╝ ╚══════╝╚═╝ ╚═╝ Version: v2.28.6 1. Check Configuration File Path to Configuration file: /opt/jumpserver/config /opt/jumpserver/config/config.txt [ √ ] /opt/jumpserver/config/nginx/cert/server.crt [ √ ] /opt/jumpserver/config/nginx/cert/server.key [ √ ] complete >>> Install and Configure Docker 1. Install Docker Starting to download Docker engine ... Starting to download Docker Compose binary ... complete 2. Configure Docker Do you want to support IPv6? (y/n) (default n): complete 3. Start Docker Created symlink from /etc/systemd/system/multi-user.target.wants/docker.service to /etc/systemd/system/docker.service. complete >>> Loading Docker Image [jumpserver/redis:6.2] ...... [jumpserver/mariadb:10.6] ...... [jumpserver/core:v2.28.6] ...... [jumpserver/koko:v2.28.6] ...... [jumpserver/lion:v2.28.6] ...... [jumpserver/magnus:v2.28.6] ...... [jumpserver/web:v2.28.6] ...... complete >>> Install and Configure JumpServer 1. Configure Private Key SECRETE_KEY: NmUxMzRkNTYtNTk5MS1kM2I0LWJiZTUtZmIwMWE0YzNhYWM1 BOOTSTRAP_TOKEN: NmUxMzRkNTYtNTk5MS1kM2I0 complete 2. Configure Persistent Directory Do you need custom persistent store, will use the default directory /data/jumpserver? (y/n) (default n): complete 3. Configure MySQL Do you want to use external MySQL? (y/n) (default n): complete 4. Configure Redis Do you want to use external Redis? (y/n) (default n): complete 5. Configure External Port Do you need to customize the JumpServer external port? (y/n) (default n): complete 6. Init JumpServer Database ...... complete >>> The Installation is Complete 1. You can use the following command to start, and then visit cd /opt/jumpserver ./jmsctl.sh start 2. Other management commands ./jmsctl.sh stop ./jmsctl.sh restart ./jmsctl.sh backup ./jmsctl.sh upgrade For more commands, you can enter ./jmsctl.sh --help to understand 3. Web access http://172.16.70.181:80 Default username: admin Default password: admin 4. SSH/SFTP access ssh -p2222 admin@172.16.70.181 sftp -P2222 admin@172.16.70.181 5. More information Official Website: https://www.jumpserver.org/ Documentation: https://docs.jumpserver.org/
[root@JumpServer opt]# cat jumpserver/config/config.txt # JumpServer configuration file example. # # 如果不了解用途可以跳过修改此配置文件, 系统会自动填入 # 完整参数文档 https://docs.jumpserver.org/zh/master/admin-guide/env/ ################################## 镜像配置 ################################### # # 国内连接 docker.io 会超时或下载速度较慢, 开启此选项使用华为云镜像加速 # 取代旧版本 DOCKER_IMAGE_PREFIX # # DOCKER_IMAGE_MIRROR=1 ################################## 安装配置 ################################### # # JumpServer 数据库持久化目录, 默认情况下录像、任务日志都在此目录 # 请根据实际情况修改, 升级时备份的数据库文件(.sql)和配置文件也会保存到该目录 # VOLUME_DIR=/data/jumpserver # 加密密钥, 迁移请保证 SECRET_KEY 与旧环境一致, 请勿使用特殊字符串 # (*) Warning: Keep this value secret. # (*) 勿向任何人泄露 SECRET_KEY # SECRET_KEY=NmUxMzRkNTYtNTk5MS1kM2I0LWJiZTUtZmIwMWE0YzNhYWM1 # 组件向 core 注册使用的 token, 迁移请保持 BOOTSTRAP_TOKEN 与旧环境一致, # 请勿使用特殊字符串 # (*) Warning: Keep this value secret. # (*) 勿向任何人泄露 BOOTSTRAP_TOKEN # BOOTSTRAP_TOKEN=NmUxMzRkNTYtNTk5MS1kM2I0 # 日志等级 INFO, WARN, ERROR # LOG_LEVEL=ERROR # JumpServer 容器使用的网段, 请勿与现有的网络冲突, 根据实际情况自行修改 # DOCKER_SUBNET=192.168.250.0/24 # ipv6 nat, 正常情况下无需开启 # 如果宿主不支持 ipv6 开启此选项将会导致无法获取真实的客户端 ip 地址 # USE_IPV6=0 DOCKER_SUBNET_IPV6=fc00:1010:1111:200::/64 ################################# MySQL 配置 ################################## # 外置 MySQL 需要输入正确的 MySQL 信息, 内置 MySQL 系统会自动处理 # DB_HOST=mysql DB_PORT=3306 DB_USER=root DB_PASSWORD=NmUxMzRkNTYtNTk5MS1kM2I0LW DB_NAME=jumpserver # 如果外置 MySQL 需要开启 TLS/SSL 连接, 参考 https://docs.jumpserver.org/zh/master/install/install_security/#ssl # # DB_USE_SSL=True ################################# Redis 配置 ################################## # 外置 Redis 需要请输入正确的 Redis 信息, 内置 Redis 系统会自动处理 # REDIS_HOST=redis REDIS_PORT=6379 REDIS_PASSWORD=NmUxMzRkNTYtNTk5MS1kM2I0LW # 如果使用外置 Redis Sentinel, 请手动填写下面内容 # # REDIS_SENTINEL_HOSTS=mymaster/192.168.100.1:26379,192.168.100.1:26380,192.168.100.1:26381 # REDIS_SENTINEL_PASSWORD=your_sentinel_password # REDIS_PASSWORD=your_redis_password # REDIS_SENTINEL_SOCKET_TIMEOUT=5 # 如果外置 Redis 需要开启 TLS/SSL 连接, 参考 https://docs.jumpserver.org/zh/master/install/install_security/#redis-ssl # # REDIS_USE_SSL=True ################################## 访问配置 ################################### # 对外提供服务端口, 如果与现有服务冲突请自行修改 # 如果不想对外提供访问可以使用 127.0.0.1:<port>, eg: 127.0.0.1:33060 # HTTP_PORT=80 SSH_PORT=2222 MAGNUS_PORTS=30000-30100 ################################# HTTPS 配置 ################################# # 参考 https://docs.jumpserver.org/zh/master/admin-guide/proxy/ 配置 # # HTTPS_PORT=443 # SERVER_NAME=your_domain_name # SSL_CERTIFICATE=your_cert # SSL_CERTIFICATE_KEY=your_cert_key # # Nginx 文件上传下载大小限制 # CLIENT_MAX_BODY_SIZE=4096m ################################## 组件配置 ################################### # 组件注册使用, 默认情况下向 core 容器注册, 集群环境需要修改为集群 vip 地址 # CORE_HOST=http://core:8080 PERIOD_TASK_ENABLED=True # Core Session 定义, # SESSION_COOKIE_AGE 表示闲置多少秒后 session 过期, # SESSION_EXPIRE_AT_BROWSER_CLOSE=true 表示关闭浏览器即 session 过期 # # SESSION_COOKIE_AGE=86400 SESSION_EXPIRE_AT_BROWSER_CLOSE=True # Lion 开启字体平滑, 优化体验 # JUMPSERVER_ENABLE_FONT_SMOOTHING=True ################################# XPack 配置 ################################# # XPack 包, 开源版本设置无效 # RDP_PORT=3389 ################################## 其他配置 ################################## # 终端使用宿主 HOSTNAME 标识, 首次安装自动生成 # SERVER_HOSTNAME=JumpServer # 当前运行的 JumpServer 版本号, 安装和升级完成后自动生成 # CURRENT_VERSION=v2.28.6 ============================================================================== # 配置文件前后对比如下 [root@JumpServer opt]# diff jumpserver/config-example.txt jumpserver/config/config.txt 24c24 < SECRET_KEY= --- > SECRET_KEY=NmUxMzRkNTYtNTk5MS1kM2I0LWJiZTUtZmIwMWE0YzNhYWM1 31c31 < BOOTSTRAP_TOKEN= --- > BOOTSTRAP_TOKEN=NmUxMzRkNTYtNTk5MS1kM2I0 53c53 < DB_PASSWORD= --- > DB_PASSWORD=NmUxMzRkNTYtNTk5MS1kM2I0LW 65c65 < REDIS_PASSWORD= --- > REDIS_PASSWORD=NmUxMzRkNTYtNTk5MS1kM2I0LW 124c124 < SERVER_HOSTNAME=${HOSTNAME} --- > SERVER_HOSTNAME=JumpServer 128c128 < CURRENT_VERSION= --- > CURRENT_VERSION=v2.28.6 ============================================================================= [root@JumpServer opt]# tree jumpserver/config jumpserver/config ├── config.txt # 主配置文件 ├── core │ └── config.yml # core yml 格式配置文件,可以留空,使用 config.txt 设置 ├── koko │ └── config.yml # koko yml 格式配置文件,可以留空,使用 config.txt 设置 ├── mariadb │ └── mariadb.cnf # mariadb 配置文件 ├── mysql │ └── my.cnf # mysql 配置文件 ├── nginx # nginx 配置文件 │ ├── cert │ │ ├── server.crt │ │ └── server.key │ └── lb_http_server.conf └── redis └── redis.conf # redis 配置文件 7 directories, 9 files
[root@JumpServer opt]# bash jumpserver/jmsctl.sh --help 或 [root@JumpServer opt]# jmsctl --help JumpServer Deployment Management Script Usage: ./jmsctl.sh [COMMAND] [ARGS...] ./jmsctl.sh --help Installation Commands: install Install JumpServer upgrade [version] Upgrade JumpServer check_update Check for updates JumpServer reconfig Reconfiguration JumpServer Management Commands: start Start JumpServer stop Stop JumpServer close Close JumpServer restart Restart JumpServer status Check JumpServer down Offline JumpServer uninstall Uninstall JumpServer More Commands: load_image Loading docker image backup_db Backup database restore_db [file] Data recovery through database backup file raw Execute the original docker-compose command tail [service] View log
[root@JumpServer opt]# jmsctl status NAME IMAGE COMMAND SERVICE CREATED STATUS PORTS jms_mysql jumpserver/mariadb:10.6 "docker-entrypoint.s…" mysql 13 minutes ago Up 13 minutes (healthy) 3306/tcp jms_redis jumpserver/redis:6.2 "docker-entrypoint.s…" redis 13 minutes ago Up 13 minutes (healthy) 6379/tcp [root@JumpServer opt]# jmsctl start [+] Running 8/8 ⠿ Container jms_redis Healthy 0.6s ⠿ Container jms_mysql Healthy 0.6s ⠿ Container jms_core Healthy 11.9s ⠿ Container jms_magnus Started 14.1s ⠿ Container jms_celery Started 12.4s ⠿ Container jms_web Started 12.6s ⠿ Container jms_koko Started 12.4s ⠿ Container jms_lion Started 12.5s [root@JumpServer opt]# jmsctl status NAME IMAGE COMMAND SERVICE CREATED STATUS PORTS jms_celery jumpserver/core:v2.28.6 "./entrypoint.sh sta…" celery About a minute ago Up About a minute (healthy) 8070/tcp, 8080/tcp jms_core jumpserver/core:v2.28.6 "./entrypoint.sh sta…" core About a minute ago Up About a minute (healthy) 8070/tcp, 8080/tcp jms_koko jumpserver/koko:v2.28.6 "./entrypoint.sh" koko About a minute ago Up About a minute (healthy) 0.0.0.0:2222->2222/tcp, :::2222->2222/tcp, 5000/tcp jms_lion jumpserver/lion:v2.28.6 "./entrypoint.sh" lion About a minute ago Up About a minute (healthy) 4822/tcp, 8081/tcp jms_magnus jumpserver/magnus:v2.28.6 "./entrypoint.sh" magnus About a minute ago Up About a minute (healthy) 0.0.0.0:30000-30100->30000-30100/tcp, :::30000-30100->30000-30100/tcp jms_mysql jumpserver/mariadb:10.6 "docker-entrypoint.s…" mysql 15 minutes ago Up 15 minutes (healthy) 3306/tcp jms_redis jumpserver/redis:6.2 "docker-entrypoint.s…" redis 15 minutes ago Up 15 minutes (healthy) 6379/tcp jms_web jumpserver/web:v2.28.6 "/docker-entrypoint.…" web About a minute ago Up About a minute (healthy) 0.0.0.0:80->80/tcp, :::80->80/tcp