一、简介
前面我们聊到了openvpn的部署和使用,它能够实现从互联网通过openvpn连接到公司内网服务器,从而进行远程管理;但openvpn有一个缺点:它不能记录哪些用户在内网服务器上操作了什么;并且任何人只要拿到客户端的证书和私钥、ca的证书以及客户端配置,就可以直接连接到公司内网,这从某些角度讲不是一个安全的解决方案;
今天我们来聊一款和openvpn有类似功能的软件jumpserver;jumpserver和openvpn都可以让用户从互联网连接公司内网服务器;但通常jumpserver都不会放在互联网;它主要用作运维、开发、以及测试相关人员来利用它连接公司内网服务器,从而实现集中管理公司内网服务器;同时jumpserver还具有权限管理,用户管理,以及监控回放等等功能;
二、jumpserver架构图
三、jumpserver服务器安装
环境说明
主机名称 | 角色 | ip地址 |
node01 | jumpserver web | 192.168.0.41 |
node02 | mysql/redis | 192.168.0.42 |
1、在node02上部署mariadb(版本最低5.5.6,如果是mysql版本最低5.6)
配置mariadb yum仓库(注意:下面的仓库配置使用了gpgcheck=0,即不校验软件包签名;生产环境建议开启gpgcheck并配置对应的gpgkey)
[root@node02 ~]# cat /etc/yum.repos.d/mariadb.repo [mariadb] name=mariadb repo baseurl=https://mirrors.tuna.tsinghua.edu.cn/mariadb//mariadb-10.1.46/yum/centos/7/x86_64/ gpgcheck=0 [root@node02 ~]#
安装MariaDB-server
[root@node02 ~]# yum install -y MariaDB-server
配置mariadb 忽略名称解析
启动mariadb
连接mariadb 创建数据库和用户(注意:下面授权给'jumpserver'@'%'表示允许从任意主机连接,生产环境建议只授权给jumpserver所在主机的地址,如192.168.0.41,并使用更复杂的密码)
[root@node02 ~]# mysql Welcome to the MariaDB monitor. Commands end with ; or \g. Your MariaDB connection id is 3 Server version: 10.1.46-MariaDB MariaDB Server Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others. Type 'help;' or '\h' for help. Type '\c' to clear the current input statement. MariaDB [(none)]> create database jumpserver default charset 'utf8' collate 'utf8_bin'; Query OK, 1 row affected (0.00 sec) MariaDB [(none)]> grant all on jumpserver.* to 'jumpserver'@'%' identified by 'admin123.com'; Query OK, 0 rows affected (0.00 sec) MariaDB [(none)]> flush privileges; Query OK, 0 rows affected (0.00 sec) MariaDB [(none)]>
验证:使用jumpserver用户登录数据库
[root@node02 ~]# mysql -ujumpserver -padmin123.com -h192.168.0.42 Welcome to the MariaDB monitor. Commands end with ; or \g. Your MariaDB connection id is 4 Server version: 10.1.46-MariaDB MariaDB Server Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others. Type 'help;' or '\h' for help. Type '\c' to clear the current input statement. MariaDB [(none)]> show databases; +--------------------+ | Database | +--------------------+ | information_schema | | jumpserver | | test | +--------------------+ 3 rows in set (0.01 sec) MariaDB [(none)]> exit Bye [root@node02 ~]#
ok,到此数据库服务就准备好了;
2、在node02上部署redis
安装redis
[root@node02 ~]# yum -y install redis
配置redis监听本机所有地址,并设置密码(注意:bind 0.0.0.0 会让redis在所有网卡上监听,生产环境建议只绑定内网地址,或通过防火墙限制只允许node01访问)
[root@node02 ~]# grep -Ei "^(bind|requirepass)" /etc/redis.conf bind 0.0.0.0 requirepass admin123.com [root@node02 ~]#
启动redis
验证:登录redis
[root@node02 ~]# redis-cli -h 192.168.0.42 192.168.0.42:6379> KEYS * (error) NOAUTH Authentication required. 192.168.0.42:6379> AUTH admin123.com OK 192.168.0.42:6379> KEYS * (empty list or set) 192.168.0.42:6379> exit [root@node02 ~]#
到此redis就准备好了
3、在node01上部署jumpserver web 容器
配置docker-ce的yum源
[root@node01 ~]# cat /etc/yum.repos.d/docker-ce.repo [docker-ce-stable] name=Docker CE Stable - $basearch baseurl=https://mirrors.aliyun.com/docker-ce/linux/centos/7/$basearch/stable enabled=1 gpgcheck=1 gpgkey=https://mirrors.aliyun.com/docker-ce/linux/centos/gpg [docker-ce-stable-debuginfo] name=Docker CE Stable - Debuginfo $basearch baseurl=https://mirrors.aliyun.com/docker-ce/linux/centos/7/debug-$basearch/stable enabled=0 gpgcheck=1 gpgkey=https://mirrors.aliyun.com/docker-ce/linux/centos/gpg [docker-ce-stable-source] name=Docker CE Stable - Sources baseurl=https://mirrors.aliyun.com/docker-ce/linux/centos/7/source/stable enabled=0 gpgcheck=1 gpgkey=https://mirrors.aliyun.com/docker-ce/linux/centos/gpg [docker-ce-edge] name=Docker CE Edge - $basearch baseurl=https://mirrors.aliyun.com/docker-ce/linux/centos/7/$basearch/edge enabled=0 gpgcheck=1 gpgkey=https://mirrors.aliyun.com/docker-ce/linux/centos/gpg [docker-ce-edge-debuginfo] name=Docker CE Edge - Debuginfo $basearch baseurl=https://mirrors.aliyun.com/docker-ce/linux/centos/7/debug-$basearch/edge enabled=0 gpgcheck=1 gpgkey=https://mirrors.aliyun.com/docker-ce/linux/centos/gpg [docker-ce-edge-source] name=Docker CE Edge - Sources baseurl=https://mirrors.aliyun.com/docker-ce/linux/centos/7/source/edge enabled=0 gpgcheck=1 gpgkey=https://mirrors.aliyun.com/docker-ce/linux/centos/gpg [docker-ce-test] name=Docker CE Test - $basearch baseurl=https://mirrors.aliyun.com/docker-ce/linux/centos/7/$basearch/test enabled=0 gpgcheck=1 gpgkey=https://mirrors.aliyun.com/docker-ce/linux/centos/gpg [docker-ce-test-debuginfo] name=Docker CE Test - Debuginfo $basearch baseurl=https://mirrors.aliyun.com/docker-ce/linux/centos/7/debug-$basearch/test enabled=0 gpgcheck=1 gpgkey=https://mirrors.aliyun.com/docker-ce/linux/centos/gpg [docker-ce-test-source] name=Docker CE Test - Sources baseurl=https://mirrors.aliyun.com/docker-ce/linux/centos/7/source/test enabled=0 gpgcheck=1 
gpgkey=https://mirrors.aliyun.com/docker-ce/linux/centos/gpg [docker-ce-nightly] name=Docker CE Nightly - $basearch baseurl=https://mirrors.aliyun.com/docker-ce/linux/centos/7/$basearch/nightly enabled=0 gpgcheck=1 gpgkey=https://mirrors.aliyun.com/docker-ce/linux/centos/gpg [docker-ce-nightly-debuginfo] name=Docker CE Nightly - Debuginfo $basearch baseurl=https://mirrors.aliyun.com/docker-ce/linux/centos/7/debug-$basearch/nightly enabled=0 gpgcheck=1 gpgkey=https://mirrors.aliyun.com/docker-ce/linux/centos/gpg [docker-ce-nightly-source] name=Docker CE Nightly - Sources baseurl=https://mirrors.aliyun.com/docker-ce/linux/centos/7/source/nightly enabled=0 gpgcheck=1 gpgkey=https://mirrors.aliyun.com/docker-ce/linux/centos/gpg [root@node01 ~]#
安装docker-ce
[root@node01 ~]# yum install -y docker-ce
启动docker
[root@node01 ~]# systemctl start docker [root@node01 ~]# docker info Client: Debug Mode: false Server: Containers: 0 Running: 0 Paused: 0 Stopped: 0 Images: 0 Server Version: 19.03.13 Storage Driver: overlay2 Backing Filesystem: xfs Supports d_type: true Native Overlay Diff: true Logging Driver: json-file Cgroup Driver: cgroupfs Plugins: Volume: local Network: bridge host ipvlan macvlan null overlay Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog Swarm: inactive Runtimes: runc Default Runtime: runc Init Binary: docker-init containerd version: 8fba4e9a7d01810a393d5d25a3621dc101981175 runc version: dc9208a3303feef5b3839f4323d9beb36df0a9dd init version: fec3683 Security Options: seccomp Profile: default Kernel Version: 3.10.0-693.el7.x86_64 Operating System: CentOS Linux 7 (Core) OSType: linux Architecture: x86_64 CPUs: 2 Total Memory: 1.781GiB Name: node01.test.org ID: JQY2:LCCM:EU6J:ARI7:UCEL:5HUV:FGE4:6RTY:PWR3:NKJI:EA3K:BKSA Docker Root Dir: /var/lib/docker Debug Mode: false Registry: https://index.docker.io/v1/ Labels: Experimental: false Insecure Registries: 127.0.0.0/8 Live Restore Enabled: false [root@node01 ~]#
配置docker加速器
[root@node01 ~]# cat /etc/docker/daemon.json { "registry-mirrors": ["https://registry.docker-cn.com","https://cyr1uljt.mirror.aliyuncs.com"] } [root@node01 ~]#
重启docker
[root@node01 ~]# systemctl restart docker
使用docker info 命令验证加速器地址是否应用