Posts tagged ‘运维管理’

Zabbix5.0+Grafana可视化试用(三):通过SNMP添加华为S5700交换机实现数据采集及监控

zabbix5.0的设备添加并实现采集数据与监控的操作与4.x基本一样,首先交换机启用SNMP:

[Lan-center-s5700]snmp-agent
[Lan-center-s5700]snmp-agent community read cipher lsywsnmp123
[Lan-center-s5700]snmp-agent sys-info version all

启动SNMP后,在zabbix5.0中开始添加交换机,操作如下:

进入【配置】-【主机】配置界面,点击右上角的【创建主机】按扭,如下图所示

zabbix5.0_18

主机名称中输入全英文的名称,可见的名称中输入页面最终显示的中文名称,如下图所示,群组中选择网络群组,并移除agent代理程序的接口,SNMP接口点【添加】,并输入交换机的管理地址192.168.10.253,端口使用161默认不变。

zabbix5.0_19

再切换至模板选项栏,在Link new templates中选择【Template Net Huawei VRP SNMPv3】,如下图所示

zabbix5.0_20

切换至宏选项栏,在宏一栏中输入{$SNMP_COMMUNITY},在值一栏中输入刚才交换机设置的SNMP密码lsywsnmp123,如下图所示,完成后,点击【更新】按扭完成添加。

zabbix5.0_21

至此,交换机添加完成,过一段时间,列表中就有华为S5700核心交换机清单,监控项、触发器、图形等都有内容,如下图。

zabbix5.0_22

Zabbix5.0+Grafana可视化试用(二):将图形界面中的乱码修复为中文显示

默认zabbix在图形显示中中文显示为乱码,需要修复才能正常显示,如下图红框所示:

zabbix5.0_12

操作如下:

首先将WINDOWS FONTS文件夹中的黑体字复制至本机硬盘

zabbix5.0_13

将本地电脑上的黑体字体文件simhei.ttf复制到/usr/share/zabbix/assets/fonts/目录下,如下图

zabbix5.0_15

再通过vi修改/usr/share/zabbix/include目录下的defines.inc.php文件,将红框位置中原graphfont修改为simhei,如下图,完成后保存退出。

zabbix5.0_16

刷新图形界面,已能显示中文,如下。

zabbix5.0_17

Zabbix5.0+Grafana可视化试用(一):在CentOS8(1911)上采用二进制包安装Zabbix5.0.1

1、完成CentOS8(1911)安装

[root@localhost ~]# cat /etc/redhat-release
CentOS Linux release 8.1.1911 (Core)
[root@localhost ~]# hostnamectl
   Static hostname: localhost.localdomain
          Icon name: computer-vm
           Chassis: vm
        Machine ID: f8712212dcd94fe0915ce5c9250b8d39
           Boot ID: fa1e9af220c349e4a760f3053ef4bee0
    Virtualization: vmware
  Operating System: CentOS Linux 8 (Core)
       CPE OS Name: cpe:/o:centos:centos:8
            Kernel: Linux 4.18.0-147.el8.x86_64
      Architecture: x86-64
[root@localhost ~]#

2、关闭防火墙及SElinux

[root@localhost ~]# systemctl stop firewalld.service
[root@localhost ~]# systemctl disable firewalld.service

接着将SELinux关闭,运行如下命令编辑SELINUX配置文件:

[root@localhost ~]# vi /etc/selinux/config

并将SELINUX=enforcing改成SELINUX=disable,如下:

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing – SELinux security policy is enforced.
#     permissive – SELinux prints warnings instead of enforcing.
#     disabled – No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these three values:
#     targeted – Targeted processes are protected,
#     minimum – Modification of targeted policy. Only selected processes are protected.
#     mls – Multi Level Security protection.
SELINUXTYPE=targeted

修改完成后,重启机器,重启后运行getenforce命令查看已经关闭SELinux。

3、修改主机名hostname

[root@localhost ~]# hostnamectl –static set-hostname zabbixserver
[root@localhost ~]#
[root@localhost ~]# hostnamectl
    Static hostname: zabbixserver
         Icon name: computer-vm
           Chassis: vm
        Machine ID: f8712212dcd94fe0915ce5c9250b8d39
           Boot ID: fa1e9af220c349e4a760f3053ef4bee0
    Virtualization: vmware
  Operating System: CentOS Linux 8 (Core)
       CPE OS Name: cpe:/o:centos:centos:8
            Kernel: Linux 4.18.0-147.el8.x86_64
      Architecture: x86-64
[root@localhost ~]#
[root@localhost ~]# more /etc/hostname
zabbixserver
[root@localhost ~]#
[root@localhost ~]# reboot

完成以上操作后重启系统。

4、安装依赖包

[root@zabbixserver ~]# yum install -y httpd mariadb-server mariadb php php-gd libjpeg* php-ldap php-odbc php-pear php-xml php-xmlrpc php-mhash

[root@zabbixserver ~]# rpm -qa httpd php mariadb
mariadb-10.3.17-1.module_el8.1.0+257+48736ea6.x86_64
httpd-2.4.37-16.module_el8.1.0+256+ae790463.x86_64
php-7.2.11-2.module_el8.1.0+209+03b9a8ff.x86_64
[root@zabbixserver ~]#

5、相关配置

[root@zabbixserver ~]# vi /etc/httpd/conf/httpd.conf

将servername设置为192.168.10.218:80,在DirectoryIndex中添加index.php,如下:

# ServerName gives the name and port that the server uses to identify itself.
# This can often be determined automatically, but we recommend you specify
# it explicitly to prevent problems during startup.
#
# If your host doesn’t have a registered DNS name, enter its IP address here.
#
ServerName 192.168.10.218:80

# DirectoryIndex: sets the file that Apache will serve if a directory
# is requested.
#
< IfModule dir_module>
    DirectoryIndex index.html index.php
< /IfModule>

接着配置php.ini,如下:

[root@zabbixserver ~]# vi /etc/php.ini

将date.timezone设置为PRC:

[Date]
; Defines the default timezone used by the date functions
; http://php.net/date.timezone
date.timezone = PRC

开始启动http和mysql数据库:

[root@zabbixserver ~]# systemctl start httpd
[root@zabbixserver ~]# systemctl start mariadb
[root@zabbixserver ~]#
[root@zabbixserver ~]# ss -naplt | grep httpd
LISTEN   0         128                       *:80                     *:*        users:(("httpd",pid=31049,fd=4),("httpd",pid=31048,fd=4),("httpd",pid=31047,fd=4),("httpd",pid=31045,fd=4))
[root@zabbixserver ~]# ss -naplt | grep mysqld
LISTEN   0         80                        *:3306                   *:*        users:(("mysqld",pid=31397,fd=22))
[root@zabbixserver ~]#

设置开机自启动模式:

[root@zabbixserver ~]# systemctl enable httpd
[root@zabbixserver ~]#
[root@zabbixserver ~]# systemctl enable mariadb
Created symlink /etc/systemd/system/mysql.service 鈫/usr/lib/systemd/system/mariadb.service.
Created symlink /etc/systemd/system/mysqld.service 鈫/usr/lib/systemd/system/mariadb.service.
Created symlink /etc/systemd/system/multi-user.target.wants/mariadb.service 鈫/usr/lib/systemd/system/mariadb.service.
[root@zabbixserver ~]#

开始测试PHP功能:

[root@zabbixserver ~]# vi /var/www/html/index.php

输入以下内容:

<?php
phpinfo();
?>

打开http://192.168.10.218,显示如下界面说明PHP运行正常。

zabbix5.0_01

最后在centos8上安装中文语言包:

[root@zabbixserver ~]# yum install langpacks-zh_CN.noarch

6、配置并初始化数据库

设置mysql数据库root密码为zabbixroot,如下:

[root@zabbixserver ~]# mysqladmin -u root password zabbixroot
[root@zabbixserver ~]#
[root@zabbixserver ~]# mysql -u root -p
Enter password:
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 9
Server version: 10.3.17-MariaDB MariaDB Server

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type ‘help;’ or ‘\h’ for help. Type ‘\c’ to clear the current input statement.

MariaDB [(none)]> CREATE DATABASE zabbix character set utf8 collate utf8_bin;
Query OK, 1 row affected (0.001 sec)

MariaDB [(none)]>
MariaDB [(none)]>
MariaDB [(none)]> GRANT all ON zabbix.* TO ‘zabbix’@’zabbixserver’ IDENTIFIED BY ‘zabbix123’;
Query OK, 0 rows affected (0.001 sec)

MariaDB [(none)]>
MariaDB [(none)]> flush privileges;
Query OK, 0 rows affected (0.001 sec)

MariaDB [(none)]>
MariaDB [(none)]> quit
Bye
[root@zabbixserver ~]#
[root@zabbixserver ~]#

7、安装依赖包

[root@zabbixserver ~]# yum -y install net-snmp net-snmp-devel curl curl-devel libxml2 libxml2-devel libevent-devel.x86_64

8、安装并配置zabbix5.0

[root@zabbixserver ~]# rpm -ivh https://repo.zabbix.com/zabbix/5.0/rhel/8/x86_64/zabbix-release-5.0-1.el8.noarch.rpm
Retrieving https://repo.zabbix.com/zabbix/5.0/rhel/8/x86_64/zabbix-release-5.0-1.el8.noarch.rpm
warning: /var/tmp/rpm-tmp.3RlAnb: Header V4 RSA/SHA512 Signature, key ID a14fe591: NOKEY
Verifying…                          ################################# [100%]
Preparing…                          ################################# [100%]
Updating / installing…
   1:zabbix-release-5.0-1.el8         ################################# [100%]

[root@zabbixserver ~]# yum clean all
20 files removed
[root@zabbixserver ~]#

开始安装以下组件:

[root@zabbixserver ~]# yum install -y zabbix-server-mysql zabbix-web-mysql zabbix-apache-conf zabbix-agent

导入初始架构和数据:

[root@zabbixserver ~]# cat /usr/share/doc/zabbix-server-mysql*/create.sql.gz | mysql -uzabbix -p -h 192.168.10.218 zabbix
Enter password:

输入zabbix用户的密码zabbix123,开始导入。

完成后开始配置zabbix server的配置文件,使配置文件中引用刚才创建的数据库,编辑/etc/zabbix/zabbix_server.conf文件:

[root@zabbixserver ~]# vi /etc/zabbix/zabbix_server.conf

完成如下DBHost、DBName、DBUser、DBPassword配置:

### Option: DBHost
#       Database host name.
#       If set to localhost, socket is used for MySQL.
#       If set to empty string, socket is used for PostgreSQL.
#
# Mandatory: no
# Default:
DBHost=zabbixserver

### Option: DBName
#       Database name.
#
# Mandatory: yes
# Default:
# DBName=

DBName=zabbix

### Option: DBSchema
#       Schema name. Used for PostgreSQL.
#
# Mandatory: no
# Default:
# DBSchema=

### Option: DBUser
#       Database user.
#
# Mandatory: no
# Default:
# DBUser=

DBUser=zabbix

### Option: DBPassword
#       Database password.
#       Comment this line if no password is used.
#
# Mandatory: no
# Default:
DBPassword=zabbix123

接着配置zabbix配置文件zabbix.conf:

[root@zabbixserver ~]# vi /etc/php-fpm.d/zabbix.conf

将date.timezone设置成Asia/Shanghai,如下:

php_value[date.timezone] = Asia/Shanghai

启动zabbix程序:

[root@zabbixserver ~]# systemctl restart zabbix-server zabbix-agent httpd php-fpm
[root@zabbixserver ~]#
[root@zabbixserver ~]#
[root@zabbixserver ~]# systemctl enable zabbix-server zabbix-agent httpd php-fpm
Created symlink /etc/systemd/system/multi-user.target.wants/zabbix-server.service 鈫/usr/lib/systemd/system/zabbix-server.service.
Created symlink /etc/systemd/system/multi-user.target.wants/zabbix-agent.service 鈫/usr/lib/systemd/system/zabbix-agent.service.
Created symlink /etc/systemd/system/multi-user.target.wants/httpd.service 鈫/usr/lib/systemd/system/httpd.service.
Created symlink /etc/systemd/system/multi-user.target.wants/php-fpm.service 鈫/usr/lib/systemd/system/php-fpm.service.
[root@zabbixserver ~]#

查看日志文件zabbix_server.log,没有相关错误,说明运行正常

[root@zabbixserver ~]# more /var/log/zabbix/zabbix_server.log
  7323:20200531:164159.807 Starting Zabbix Server. Zabbix 5.0.1 (revision c2a0b03480).
  7323:20200531:164159.807 ****** Enabled features ******
  7323:20200531:164159.807 SNMP monitoring:           YES
  7323:20200531:164159.807 IPMI monitoring:           YES
  7323:20200531:164159.807 Web monitoring:            YES
  7323:20200531:164159.807 VMware monitoring:         YES
  7323:20200531:164159.807 SMTP authentication:       YES
  7323:20200531:164159.807 ODBC:                      YES
  7323:20200531:164159.807 SSH support:               YES
  7323:20200531:164159.807 IPv6 support:              YES
  7323:20200531:164159.807 TLS support:               YES
  7323:20200531:164159.807 ******************************
  7323:20200531:164159.807 using configuration file: /etc/zabbix/zabbix_server.conf
  7323:20200531:164159.867 current database version (mandatory/optional): 05000000/05000000
  7323:20200531:164159.867 required mandatory version: 05000000
  7323:20200531:164159.961 server #0 started [main process]
  7346:20200531:164159.962 server #1 started [configuration syncer #1]
  7349:20200531:164200.074 server #3 started [timer #1]
  7350:20200531:164200.075 server #4 started [http poller #1]
  7348:20200531:164200.076 server #2 started [housekeeper #1]
  7351:20200531:164200.077 server #5 started [discoverer #1]
  7353:20200531:164200.079 server #7 started [history syncer #2]
  7354:20200531:164200.080 server #8 started [history syncer #3]
  7352:20200531:164200.080 server #6 started [history syncer #1]
  7355:20200531:164200.081 server #9 started [history syncer #4]
  7357:20200531:164200.083 server #11 started [proxy poller #1]
  7356:20200531:164200.084 server #10 started [escalator #1]
  7362:20200531:164200.087 server #14 started [poller #1]
  7360:20200531:164200.091 server #12 started [self-monitoring #1]
  7367:20200531:164200.091 server #17 started [poller #4]
  7363:20200531:164200.099 server #15 started [poller #2]
  7361:20200531:164200.106 server #13 started [task manager #1]
  7372:20200531:164200.108 server #20 started [trapper #1]
  7364:20200531:164200.109 server #16 started [poller #3]
  7374:20200531:164200.119 server #22 started [trapper #3]
  7370:20200531:164200.124 server #18 started [poller #5]
  7373:20200531:164200.132 server #21 started [trapper #2]
  7378:20200531:164200.136 server #25 started [icmp pinger #1]
  7380:20200531:164200.137 server #26 started [alert manager #1]
  7383:20200531:164200.139 server #29 started [alerter #3]
  7371:20200531:164200.140 server #19 started [unreachable poller #1]
  7375:20200531:164200.142 server #23 started [trapper #4]
  7382:20200531:164200.150 server #28 started [alerter #2]
  7389:20200531:164200.162 server #35 started [lld worker #1]
  7390:20200531:164200.163 server #36 started [lld worker #2]
  7391:20200531:164200.164 server #37 started [alert syncer #1]
  7384:20200531:164200.164 server #30 started [preprocessing manager #1]
  7385:20200531:164200.165 server #31 started [preprocessing worker #1]
  7386:20200531:164200.166 server #32 started [preprocessing worker #2]
  7376:20200531:164200.167 server #24 started [trapper #5]
  7387:20200531:164200.184 server #33 started [preprocessing worker #3]
  7388:20200531:164200.188 server #34 started [lld manager #1]
  7381:20200531:164200.189 server #27 started [alerter #1]
  7362:20200531:164201.305 enabling Zabbix agent checks on host "Zabbix server": host became available
  7355:20200531:164242.192 item "Zabbix server:zabbix[process,ipmi poller,avg,busy]" became not supported:
No "ipmi poller" processes started.
  7354:20200531:164243.199 item "Zabbix server:zabbix[process,java poller,avg,busy]" became not supported:
No "java poller" processes started.
  7354:20200531:164247.346 item "Zabbix server:zabbix[process,snmp trapper,avg,busy]" became not supported:
  No "snmp trapper" processes started.
  7354:20200531:164247.346 item "Zabbix server:zabbix[process,ipmi manager,avg,busy]" became not supported:
  No "ipmi manager" processes started.
  7354:20200531:164248.448 item "Zabbix server:zabbix[process,vmware collector,avg,busy]" became not suppor
ted: No "vmware collector" processes started.
  7354:20200531:164255.770 item "Zabbix server:zabbix[vmware,buffer,pused]" became not supported: No "vmwar
e collector" processes started.
  7355:20200531:164320.376 item "Zabbix server:vfs.dev.read.await[sda]" became not supported: Cannot evalua
te expression: "Cannot evaluate function "last()": not enough data.".
  7355:20200531:164321.527 item "Zabbix server:vfs.dev.write.await[sda]" became not supported: Cannot evalu
ate expression: "Cannot evaluate function "last()": not enough data.".
  7353:20200531:164620.339 item "Zabbix server:vfs.dev.read.await[sda]" became supported
  7353:20200531:164621.449 item "Zabbix server:vfs.dev.write.await[sda]" became supported
  7348:20200531:171200.339 executing housekeeper
  7348:20200531:171200.360 housekeeper [deleted 0 hist/trends, 0 items/triggers, 0 events, 0 problems, 0 se
ssions, 0 alarms, 0 audit, 0 records in 0.013464 sec, idle for 1 hour(s)]

接着开始配置zabbix,输入http://192.168.10.218/zabbix,如下:

zabbix5.0_02

zabbix5.0_03

zabbix5.0_04

zabbix5.0_05

zabbix5.0_06

zabbix5.0_07

zabbix5.0_08

zabbix5.0_09

设置为中文界面,如下图。

zabbix5.0_10

zabbix5.0_11

Zabbix 4.4试用(五):通过SNMP监控CentOS7服务器

通过SNMP来监控LINUX服务器,首先在CENTOS服务器上安装SNMP,如下:

[root@localhost ~]# yum -y install net-snmp net-snmp-utils
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
  * base: mirrors.cn99.com
  * extras: mirrors.nju.edu.cn
  * updates: mirrors.nju.edu.cn
base

[root@localhost ~]# rpm -qa | grep snmp
net-snmp-libs-5.7.2-43.el7_7.3.x86_64
net-snmp-5.7.2-43.el7_7.3.x86_64
net-snmp-utils-5.7.2-43.el7_7.3.x86_64
net-snmp-agent-libs-5.7.2-43.el7_7.3.x86_64

zabbix4.4config_20

zabbix4.4config_21

通过snmpd -v查看SNMP版本:

[root@localhost ~]# snmpd -v

NET-SNMP version:  5.7.2
Web:               http://www.net-snmp.org/
Email:             net-snmp-coders@lists.sourceforge.net

[root@localhost ~]#

zabbix4.4config_22

开始更改团体名,更改为lsywsnmp123:

[root@localhost ~]# vi /etc/snmp/snmpd.conf

com2sec notConfigUser  default       public

更改为

com2sec notConfigUser  default       lsywsnmp123

重启SNMP服务,并设置为开机启动,如下:

[root@localhost ~]# systemctl start snmpd.service
[root@localhost ~]#
[root@localhost ~]# systemctl enable snmpd.service
Created symlink from /etc/systemd/system/multi-user.target.wants/snmpd.service to /usr/lib/systemd/system/snmpd.service.
[root@localhost ~]#
[root@localhost ~]#

zabbix4.4config_23

接着开始ZABBIX端的设置,添加这台CENTOS服务器:

zabbix4.4config_24

模块设置:

zabbix4.4config_27

设置宏中的团体名

zabbix4.4config_26

完成后,清单中已有服务器,SNMP监控也显示绿色,正常。

zabbix4.4config_28

Zabbix 4.4试用(四):通过SNMP监控Windows 2008R2

ZABBIX支持通过zabbix agent或SNMP来添加和监控WINDOWS服务器,本次将以WINDOWS 2008R2为例 ,通过SNMP来实现WINDOWS服务器的监控,操作如下:

首先在WINDOWS服务器上启用SNMP,打开服务器管理器,在【功能】选项栏上,选择【添加功能】,如下图

zabbix4.4config_12

选择SNMP服务,如下图

zabbix4.4config_13

完成后,进入【服务】界面,在SNMP Service右键,选择【属性】,如下图

zabbix4.4config_14

在安全选项中,设置相关参数,在社区名称中设置lsywsnmp123,在接受主机一栏中选择ZABBIX SERVER的IP 192.168.10.217,如下图所示,完成后点击确定。

zabbix4.4config_15

接着进入ZABBIX配置界面开始添加这台服务器,方法和添加华交换机一样,选择添加主机按扭,如下图,输入主机名称、可见的名称、群组和SNMP接口信息等

zabbix4.4config_16

在链接的模板中选择Template OS Windows SNMPv2,如下图

zabbix4.4config_17

在宏选项栏中,宏中输入{$SNMP_COMMUNITY},值中输入lsywsnmp123,如下图

zabbix4.4config_18

完成后,清单中就能看到添加的备份服务器,且SNMP监控为绿色,监控正常。

zabbix4.4config_19

Zabbix 4.4试用(三):通过SNMP监控华为交换机S5700

zabbix支持通过SNMP或ZABBIX AGENT采集设备信息,交换机自带SNMP,且不能安装ZABBIX AGENT组件,故交换机一般通过SNMP来管理,首先配置交换机,启用SNMP,操作如下:

[Lan-center-s5700]snmp-agent
[Lan-center-s5700]snmp-agent community read cipher lsywsnmp123
[Lan-center-s5700]snmp-agent sys-info version all

zabbix4.4config_06

启用SNMP后,在zabbix中添加此交换机,开始监控,操作如下:

进入【配置】-【主机】配置界面,点击右上角的【创建主机】按扭,如下图所示

zabbix4.4config_07

主机名称中输入全英文的名称,可见的名称中输入页面最终显示的中文名称,如下图所示,群组中选择网络群组,并移除agent代理程序的接口,SNMP接口点【添加】,并输入交换机的管理地址192.168.10.253,端口使用161默认不变。

zabbix4.4config_08

再切换至模板选项栏,在Link new templates中选择【Template Net Huawei VRP SNMPv3】,如下图所示

zabbix4.4config_09

切换至宏选项栏,在宏一栏中输入{$SNMP_COMMUNITY},在值一栏中输入刚才交换机设置的SNMP密码lsywsnmp123,如下图所示,完成后,点击【更新】按扭完成添加。

zabbix4.4config_10

过一估时间,列表中就有华为S5700核心交换机清单,监控项、触发器、图形等都有内容,如下图。

zabbix4.4config_11

至此,交换机添加完成。

Zabbix 4.4试用(二):将图形界面中的乱码修复为中文显示

默认zabbix在图形显示中中文显示为乱码,需要修复才能正常显示,如下图红框所示:

zabbix4.4config_01

操作如下:

首先将WINDOWS FONTS文件夹中的黑体字复制至本机硬盘

zabbix4.4config_02

然后在服务器上操作zabbix-web-nginx-mysql容器,通过docker ps查看zabbix-web-nginx-mysql容器的ID,如下图,这里为48a2c96acc9c

zabbix4.4config_03

通过docker exec进入进入zabbix-web-nginx-mysql容器进行操作,首先查询需要修改的DejaVuSans.ttf和defines.inc.php两个文件的位置,操作如下:

[root@localhost zabbix]# docker exec -it 48a2c96acc9c bash
bash-5.0# find / -name DejaVuSans.ttf
/usr/share/zabbix/assets/fonts/DejaVuSans.ttf
bash-5.0#
bash-5.0# find / -name defines.inc.php
/usr/share/zabbix/include/defines.inc.php
bash-5.0#

然后将刚才本地电脑上的黑体字体文件simhei.ttf复制到/usr/share/zabbix/assets/fonts/目录下,然后通过vi修改defines.inc.php文件,将红框位置中原DejaVuSans修改为simhei,如下图,完成后保存退出。

zabbix4.4config_04

再次刷新图形,已能显示中文,如下图所示。至此修改完成。

zabbix4.4config_05

Centos8上试用开源堡垒机Jumpserver 1.5.6(八):创建用户时使用密码链接并发邮件给用户功能

===================================================================

开源堡垒机Jumpserver安装/配置系列:

1、Centos8上试用开源堡垒机Jumpserver 1.5.6(一):堡垒机概述
2、Centos8上试用开源堡垒机Jumpserver 1.5.6(二):安装Centos8(CentOS-8.1.1911-x86_64-dvd1.iso)
3、Centos8上试用开源堡垒机Jumpserver 1.5.6(三):在Centos8上安装Jumpserver
4、Centos8上试用开源堡垒机Jumpserver 1.5.6(四):添加被管资源与运维帐户权限分配
5、Centos8上试用开源堡垒机Jumpserver 1.5.6(五):通过堡垒机进行运维管理
6、Centos8上试用开源堡垒机Jumpserver 1.5.6(六):试用批量命令和命令过滤功能
7、Centos8上试用开源堡垒机Jumpserver 1.5.6(七):服务器重启后的恢复操作(手工启动jumpserver等程序)
8、Centos8上试用开源堡垒机Jumpserver 1.5.6(八):创建用户时使用密码链接并发邮件给用户功能

===================================================================

Jumpserver在创建用户时密码策略支持“生成重置密码链接,通过邮件发送给用户”功能,如下图所示,用户收到邮件后,直接修改成自己的密码即可

jumpserver0221_51

需要启用此功能,需要进行相关设置,具体操作如下:

进入“系统设置”->“基本设置”,在当前站点URL中输入访问地址http://192.168.10.216,Email主题前缀设置为“你好,”,如下图所示

jumpserver0221_52

设置“邮件设置”,如下图,需要配置SMTP主机、端口、账号等

jumpserver0221_53

本案例使用126邮箱,登陆126邮箱,进入设置->POP3/SMTP/IMAP,开启SMTP服务,SMTP地址为smtp.126.com,如下图所示

jumpserver0221_54

服务器地址:
POP3服务器: pop.126.com
SMTP服务器: smtp.126.com
IMAP服务器: imap.126.com

jumpserver0221_56

126邮箱对第三方邮件客户端提供POP3\SMTP\IMAP有授权码要求,开启授权码,如下图

jumpserver0221_55

126邮箱设置好后,开始进行邮件设置

SMTP主机:smtp.126.com
SMTP端口:465
SMTP账号:funpower@126.com
SMTP密码:********
发送账号:funpower@126.com
测试收件人:funpower@qq.com
使用SSL:启用SSL,端口465

如下图,输入内容后点击“测试链接”,显示已发送邮件后,点击“提交”保存。

jumpserver0221_57

点击测试连接,右上角出现已发送消息,如下图

jumpserver0221_58

邮件中收到了TEST测试邮件,说明邮件设置正确。

jumpserver0221_59

接着完成“邮件内容设置”,如下图

jumpserver0221_60

最后,重启服务器,确保设置生效。

进入创建用户界面,输入用户相关信息,在密码策略中选择“生成重置密码链接,通过邮件发送给用户”,点“提交”按扭,如下图所示

jumpserver0221_61

点提交后,正常会收到一封用户创建成功的信,点击信中的密码链接进行密码重置,如下图

jumpserver0221_62

重置,设置新密码

jumpserver0221_63

使用新设置的密码进入管理系统

jumpserver0221_64

至此,创建用户完成。

Centos8上试用开源堡垒机Jumpserver 1.5.6(七):服务器重启后的恢复操作(手工启动jumpserver等程序)

===================================================================

开源堡垒机Jumpserver安装/配置系列:

1、Centos8上试用开源堡垒机Jumpserver 1.5.6(一):堡垒机概述
2、Centos8上试用开源堡垒机Jumpserver 1.5.6(二):安装Centos8(CentOS-8.1.1911-x86_64-dvd1.iso)
3、Centos8上试用开源堡垒机Jumpserver 1.5.6(三):在Centos8上安装Jumpserver
4、Centos8上试用开源堡垒机Jumpserver 1.5.6(四):添加被管资源与运维帐户权限分配
5、Centos8上试用开源堡垒机Jumpserver 1.5.6(五):通过堡垒机进行运维管理
6、Centos8上试用开源堡垒机Jumpserver 1.5.6(六):试用批量命令和命令过滤功能
7、Centos8上试用开源堡垒机Jumpserver 1.5.6(七):服务器重启后的恢复操作(手工启动jumpserver等程序)
8、Centos8上试用开源堡垒机Jumpserver 1.5.6(八):创建用户时使用密码链接并发邮件给用户功能

===================================================================

服务器出现硬件故障或维护等原因需要关闭或重启jumpserver服务器,而重启后,由于一些程序不是开机自动启动,需要手工,具体重启后恢复操作如下:

1、检查防火墙及SELinux状态

正常在安装时这两个功能为关闭状态,检查是否为关闭状态:

[root@localhost ~]# getenforce
Disabled
[root@localhost ~]#
[root@localhost ~]# firewall-cmd –state
not running
[root@localhost ~]#
[root@localhost ~]#

jumpserver0221_38

如上所示,检查都为关闭状态。

2、检查redis、mariadb、nginx启动状态

由于redis、mariadb、nginx这三个程序在安装时是启用开机自启动模式,故正常应该都为运行状态,检查如下:

[root@localhost ~]# systemctl status redis
鈼[0m redis.service – Redis persistent key-value database
   Loaded: loaded (/usr/lib/systemd/system/redis.service; enabled; vendor preset: disabled)
  Drop-In: /etc/systemd/system/redis.service.d
           鈹斺攢limit.conf
    Active: active (running) since Sat 2020-02-22 06:58:41 CST; 18min ago
  Main PID: 1300 (redis-server)
    Tasks: 4 (limit: 26213)
   Memory: 10.4M
   CGroup: /system.slice/redis.service
            鈹斺攢1300 /usr/bin/redis-server 127.0.0.1:6379

Feb 22 06:58:41 localhost.localdomain systemd[1]: Starting Redis persistent key-value database…
Feb 22 06:58:41 localhost.localdomain systemd[1]: Started Redis persistent key-value database.
[root@localhost ~]#
[root@localhost ~]# systemctl status mariadb
鈼[0m mariadb.service – MariaDB 10.3 database server
   Loaded: loaded (/usr/lib/systemd/system/mariadb.service; enabled; vendor preset: disabled)
   Active: active (running) since Sat 2020-02-22 06:58:44 CST; 18min ago
     Docs: man:mysqld(8)
           https://mariadb.com/kb/en/library/systemd/
  Process: 1714 ExecStartPost=/usr/libexec/mysql-check-upgrade (code=exited, status=0/SUCCESS)
  Process: 1344 ExecStartPre=/usr/libexec/mysql-prepare-db-dir mariadb.service (code=exited, status=0/SUCCESS)
  Process: 1299 ExecStartPre=/usr/libexec/mysql-check-socket (code=exited, status=0/SUCCESS)
  Main PID: 1414 (mysqld)
   Status: "Taking your SQL requests now…"
    Tasks: 30 (limit: 26213)
   Memory: 122.4M
   CGroup: /system.slice/mariadb.service
           鈹斺攢1414 /usr/libexec/mysqld –basedir=/usr

Feb 22 06:58:41 localhost.localdomain systemd[1]: Starting MariaDB 10.3 database server…
Feb 22 06:58:42 localhost.localdomain mysql-prepare-db-dir[1344]: Database MariaDB is probably initialized in /var/lib/mysql already, nothing is done.
Feb 22 06:58:42 localhost.localdomain mysql-prepare-db-dir[1344]: If this is not the case, make sure the /var/lib/mysql is empty before running mysql-prepare-db-dir.
Feb 22 06:58:43 localhost.localdomain mysqld[1414]: 2020-02-22  6:58:43 0 [Note] /usr/libexec/mysqld (mysqld 10.3.17-MariaDB) starting as process 1414 …
Feb 22 06:58:43 localhost.localdomain mysqld[1414]: 2020-02-22  6:58:43 0 [Warning] Could not increase number of max_open_files to more than 1024 (request: 4186)
Feb 22 06:58:43 localhost.localdomain mysqld[1414]: 2020-02-22  6:58:43 0 [Warning] Changed limits: max_open_files: 1024  max_connections: 151 (was 151)  table_cache: 421 (was 2000)
Feb 22 06:58:44 localhost.localdomain systemd[1]: Started MariaDB 10.3 database server.
[root@localhost ~]#
[root@localhost ~]# systemctl status nginx
鈼[0m nginx.service – nginx – high performance web server
   Loaded: loaded (/usr/lib/systemd/system/nginx.service; enabled; vendor preset: disabled)
   Active: active (running) since Sat 2020-02-22 06:58:43 CST; 19min ago
     Docs: http://nginx.org/en/docs/
  Process: 1565 ExecStart=/usr/sbin/nginx -c /etc/nginx/nginx.conf (code=exited, status=0/SUCCESS)
  Main PID: 1641 (nginx)
    Tasks: 2 (limit: 26213)
   Memory: 3.7M
   CGroup: /system.slice/nginx.service
           鈹溾攢1641 nginx: master process /usr/sbin/nginx -c /etc/nginx/nginx.conf
           鈹斺攢1642 nginx: worker process

Feb 22 06:58:43 localhost.localdomain systemd[1]: Starting nginx – high performance web server…
Feb 22 06:58:43 localhost.localdomain systemd[1]: Started nginx – high performance web server.
[root@localhost ~]#
[root@localhost ~]#

jumpserver0221_39

如上所示,redis、mariadb、nginx都为运行中,状态正常。

3、检查jumpserver程序

jms没有设置为自启动,需要手工启动,首先进入python环境:

[root@localhost ~]# source /opt/py3/bin/activate
(py3) [root@localhost ~]#
(py3) [root@localhost ~]#

然后进入jumpserver程序目录/opt/jumpserver,使用./jms status –d检查程序是否启动,操作如下:

(py3) [root@localhost ~]# cd /opt/jumpserver
(py3) [root@localhost jumpserver]#
(py3) [root@localhost jumpserver]# ls
Dockerfile  LICENSE  README.md  README_EN.md  Vagrantfile  apps  build.sh  config.yml  config_example.yml  data  docs  entrypoint.sh  jms  logs  requirements  run_server.py  tmp  utils
(py3) [root@localhost jumpserver]#
(py3) [root@localhost jumpserver]# ./jms status -d
gunicorn is stopped
celery_ansible is stopped
celery_default is stopped
beat is stopped
flower is stopped
daphne is stopped
(py3) [root@localhost jumpserver]#

jumpserver0221_40

如上,显示都为stopped,未启动,故页面也无法打开,如下:

jumpserver0221_42

使用./jms start –d启动jumpserver程序,如下:

(py3) [root@localhost jumpserver]# ./jms start -d
2020-02-22 07:29:47 Sat Feb 22 07:29:47 2020
2020-02-22 07:29:47 Jumpserver version 1.5.6, more see https://www.jumpserver.org

– Start Gunicorn WSGI HTTP Server
2020-02-22 07:29:47 Check database connection …
users
  [X] 0001_initial
  [X] 0002_auto_20171225_1157_squashed_0019_auto_20190304_1459 (18 squashed migrations)
  [X] 0020_auto_20190612_1825
  [X] 0021_auto_20190625_1104
  [X] 0022_auto_20190625_1105
  [X] 0023_auto_20190724_1525
  [X] 0024_auto_20191118_1612
2020-02-22 07:30:04 Database connect success
2020-02-22 07:30:04 Check database structure change …
2020-02-22 07:30:04 Migrate model change to database …
Operations to perform:
  Apply all migrations: admin, applications, assets, audits, auth, authentication, captcha, common, contenttypes, django_celery_beat, ops, orgs, perms, sessions, settings, terminal, tickets, users
Running migrations:
  No migrations to apply.
2020-02-22 07:30:11 Collect static files
2020-02-22 07:30:17 Collect static files done

– Start Celery as Distributed Task Queue: Ansible

– Start Celery as Distributed Task Queue: Celery

– Start Beat as Periodic Task Scheduler

– Start Flower as Task Monitor

– Start Daphne ASGI WS Server
gunicorn is running: 2498
celery_ansible is running: 2509
celery_default is running: 2517
beat is running: 2528
flower is running: 2532
daphne is running: 2539
(py3) [root@localhost jumpserver]#

jumpserver0221_41

完成启动,再次打开主界面http://192.168.10.216,显示正常,如下:

jumpserver0221_43

jumpserver正常后,使用admin用户登陆管理主界面,进入“会话管理”->”终端管理”,如下图,在线状态栏中显示红色小圆点,即为未在线,说明koko和guacamole没有启动

jumpserver0221_45

检查koko和guacamole镜像,如下,说明镜像存在:

(py3) [root@localhost ~]# docker images
REPOSITORY                                         TAG     IMAGE ID       CREATED       SIZE
dockerhub.azk8s.cn/wojiushixiaobai/jms_guacamole   1.5.6   af71674d07a4   2 weeks ago   678 MB
dockerhub.azk8s.cn/wojiushixiaobai/jms_koko        1.5.6   2561f1397767   2 weeks ago   367 MB
(py3) [root@localhost ~]#
(py3) [root@localhost ~]#

使用docker ps查看运行中的容器,发现没有运行中的容器,如下:

(py3) [root@localhost ~]# docker ps
CONTAINER ID  IMAGE  COMMAND  CREATED  STATUS  PORTS  NAMES
(py3) [root@localhost ~]#
(py3) [root@localhost ~]#

使用docker ps -a查看所有创建的容器(包括未运行的容器),如下:

(py3) [root@localhost ~]# docker ps -a
CONTAINER ID  IMAGE                                                   COMMAND          CREATED      STATUS                          PORTS                                             NAMES
9107b7603bf2  dockerhub.azk8s.cn/wojiushixiaobai/jms_guacamole:1.5.6  ./entrypoint.sh  12 days ago  Exited (143) About an hour ago  127.0.0.1:8081->8080/tcp                          jms_guacamole
769148c0cec1  dockerhub.azk8s.cn/wojiushixiaobai/jms_koko:1.5.6       ./entrypoint.sh  12 days ago  Exited (0) About an hour ago    0.0.0.0:2222->2222/tcp, 127.0.0.1:5000->5000/tcp  jms_koko
(py3) [root@localhost ~]#
(py3) [root@localhost ~]#

如上所示,发现STATUS中状态为Exited,正常应该为up,应该是容器没有启动,手工启动koko和guacamole,操作如下:

(py3) [root@localhost ~]# docker start 9107b7603bf2
9107b7603bf25c48bb939907882591cee524e22bd5c399781694863152fae72f
(py3) [root@localhost ~]#
(py3) [root@localhost ~]#
(py3) [root@localhost ~]# docker start 769148c0cec1
769148c0cec1cc8a6b227e9946f48613e3670c33b347862ae07e53d6b2e1ac99
(py3) [root@localhost ~]#
(py3) [root@localhost ~]#

start后面为容器的id,通过docker ps -a的第一列可以查看到。

完成后再次运行docker ps,可以看到STATUS状态为UP About……,如下所示,即为启动运行中。

(py3) [root@localhost ~]# docker ps
CONTAINER ID  IMAGE                                                   COMMAND          CREATED      STATUS                 PORTS                                             NAMES
9107b7603bf2  dockerhub.azk8s.cn/wojiushixiaobai/jms_guacamole:1.5.6  ./entrypoint.sh  12 days ago  Up About a minute ago  127.0.0.1:8081->8080/tcp                          jms_guacamole
769148c0cec1  dockerhub.azk8s.cn/wojiushixiaobai/jms_koko:1.5.6       ./entrypoint.sh  12 days ago  Up About a minute ago  0.0.0.0:2222->2222/tcp, 127.0.0.1:5000->5000/tcp  jms_koko
(py3) [root@localhost ~]#

jumpserver0221_46

再次查看管理主界面的终端列表,“在线”一列中已为在线状态,说明koko和guacamole终端注册成功,运行正常。

jumpserver0221_47

最后,测试用户端运维管理是否正常,使用user01用户登陆,管理jumpserver和网管两台服务器,都可以连接和管理,如下:

jumpserver0221_48

jumpserver0221_49

历史会话记录也正常,能够回放

jumpserver0221_50

至此,整个jumpserver服务器重启后的操作全部完成,功能恢复正常。

Centos8上试用开源堡垒机Jumpserver 1.5.6(三):在Centos8上安装Jumpserver

===================================================================

开源堡垒机Jumpserver安装/配置系列:

1、Centos8上试用开源堡垒机Jumpserver 1.5.6(一):堡垒机概述
2、Centos8上试用开源堡垒机Jumpserver 1.5.6(二):安装Centos8(CentOS-8.1.1911-x86_64-dvd1.iso)
3、Centos8上试用开源堡垒机Jumpserver 1.5.6(三):在Centos8上安装Jumpserver
4、Centos8上试用开源堡垒机Jumpserver 1.5.6(四):添加被管资源与运维帐户权限分配
5、Centos8上试用开源堡垒机Jumpserver 1.5.6(五):通过堡垒机进行运维管理
6、Centos8上试用开源堡垒机Jumpserver 1.5.6(六):试用批量命令和命令过滤功能
7、Centos8上试用开源堡垒机Jumpserver 1.5.6(七):服务器重启后的恢复操作(手工启动jumpserver等程序)
8、Centos8上试用开源堡垒机Jumpserver 1.5.6(八):创建用户时使用密码链接并发邮件给用户功能

===================================================================

目前Jumpserver开源堡垒机的最新版本为1.5.6,本次将按照官方“CentOS 8 安装文档”来进行配置,具体配置如下(root用户登陆):

1、更新软件库

通过以下命令完成更新:

[root@localhost ~]# yum update –y

jumpserver27

2、关闭防火墙和关闭SELinux

Jumpserver需要开放80(nginx)和2222(SSH登陆端口koko)两个端口,后期远程管理也需要开放相应端口,这里直接将防火墙关闭:

[root@localhost ~]# firewall-cmd –state
running
[root@localhost ~]#

关闭firewall,并禁止防火墙开机启动,命令如下:

[root@localhost ~]# systemctl stop firewalld.service
[root@localhost ~]# systemctl disable firewalld.service

接着将SELinux关闭,运行如下命令编辑SELINUX配置文件:

[root@localhost ~]# vi /etc/selinux/config

并将SELINUX=enforcing改成SELINUX=disable,如下:

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing – SELinux security policy is enforced.
#     permissive – SELinux prints warnings instead of enforcing.
#     disabled – No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these three values:
#     targeted – Targeted processes are protected,
#     minimum – Modification of targeted policy. Only selected processes are protected.
#     mls – Multi Level Security protection.
SELINUXTYPE=targeted

jumpserver29

修改完成后,重启机器,重启后运行getenforce命令查看已经关闭SELinux。

3、安装依赖包

安装wget、gcc等依赖包:

[root@localhost ~]# yum -y install wget gcc epel-release git

jumpserver30

4、安装Redis

Jumpserver使用Redis做cache和celery broke,,安装redis,设置为开机启动模式,并启动程序,操作如下:

[root@localhost ~]# yum -y install redis
[root@localhost ~]# systemctl enable redis
Created symlink /etc/systemd/system/multi-user.target.wants/redis.service 鈫/usr/lib/systemd/system/redis.service.
[root@localhost ~]# systemctl start redis
[root@localhost ~]#

jumpserver31

5、安装并配置MySQL数据库

开始安装mysql,开源也叫mariadb,操作如下:

[root@localhost ~]# systemctl enable mariadb
[root@localhost ~]# systemctl enable mariadb
Created symlink /etc/systemd/system/mysql.service 鈫/usr/lib/systemd/system/mariadb.service.
Created symlink /etc/systemd/system/mysqld.service 鈫/usr/lib/systemd/system/mariadb.service.
Created symlink /etc/systemd/system/multi-user.target.wants/mariadb.service 鈫/usr/lib/systemd/system/mariadb.service.
[root@localhost ~]#
[root@localhost ~]# systemctl start mariadb
[root@localhost ~]#

接着开始创建数据库,并将数据库授权,操作如下:

生成随机数据库密码:

[root@localhost ~]# DB_PASSWORD=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 24`
[root@localhost ~]#
[root@localhost ~]# echo -e “\033[31m 你的数据库密码是 $DB_PASSWORD \033[0m”
  你的数据库密码是 vqMlQ8FhEkhXVCZHGgRatXIp
[root@localhost ~]#
[root@localhost ~]#

jumpserver32

创建jumpserver数据库,如下:

[root@localhost ~]# mysql -uroot -e “create database jumpserver default charset ‘utf8’; grant all on jumpserver.* to ‘jumpserver’@’127.0.0.1’ identified by ‘$DB_PASSWORD’; flush privileges;”
[root@localhost ~]#

到此,数据库创建完成。

6、安装Nginx

由于jumpserver整个软件安装了多个组件,除了jumpserver主站点外,还有koko、guacamole等,通过Nginx来整合各个组件,操作如下:

创建repo文件:

[root@localhost ~]# vi /etc/yum.repos.d/nginx.repo

输入如下内容:

[nginx-stable]
name=nginx stable repo
baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
gpgcheck=1
enabled=1
gpgkey=https://nginx.org/keys/nginx_signing.key
module_hotfixes=true

开始安装nginx,并设置为开机自启动:

[root@localhost ~]# yum -y install nginx
[root@localhost ~]# systemctl enable nginx
Created symlink /etc/systemd/system/multi-user.target.wants/nginx.service 鈫/usr/lib/systemd/system/nginx.service.
[root@localhost ~]#

7、安装Python3.6

开始安装:

[root@localhost ~]# yum -y install python36 python36-devel

jumpserver33

配置并进入Python3虚拟环境,首先定义一个虚拟环境名称,本例为py3,如下:

[root@localhost opt]# cd /opt
[root@localhost opt]# python3.6 -m venv py3
[root@localhost opt]#

jumpserver34

接着进入py3虚拟环境,看到py3开头的提示符号代表成功进入,以后运行jumpserver都要先进入py3环境。

[root@localhost opt]# source /opt/py3/bin/activate
(py3) [root@localhost opt]#
(py3) [root@localhost opt]#

jumpserver35

注意:以下开始的步骤都需要在py3环境中执行。

8、安装Jumpserver

下载jumpserver,完成后/opt目录下会产生一个jumpserver的文件夹:

(py3) [root@localhost opt]# git clone –depth=1 https://github.com/jumpserver/jumpserver.git

jumpserver40

安装依据包:

[root@localhost opt]# yum -y install gcc krb5-devel libtiff-devel libjpeg-devel libzip-devel freetype-devel libwebp-devel tcl-devel tk-devel sshpass openldap-devel mariadb-devel libffi-devel openssh-clients telnet openldap-clients

接着安装Python库依赖包:

(py3) [root@localhost opt]#
(py3) [root@localhost opt]# pip install wheel

(py3) [root@localhost opt]# pip install –upgrade pip

编辑依赖包清单requirements.txt文件,暂时去掉python-gssapi==0.6.4:

(py3) [root@localhost opt]# vi /opt/jumpserver/requirements/requirements.txt

jumpserver42

安装依赖包清单里的软件:

(py3) [root@localhost opt]# pip install -r /opt/jumpserver/requirements/requirements.txt -i https://mirrors.aliyun.com/pypi/simple/

jumpserver43

完成后,将requirements.txt中将python-gssapi-0.6.4的注释去掉,再执行一次安装命令,完成安装。

(py3) [root@localhost opt]# pip install -r /opt/jumpserver/requirements/requirements.txt -i https://mirrors.aliyun.com/pypi/simple/

jumpserver44

9、配置和启动jumpserver

修改jumpserver配置文件,复制一份示例文件:

(py3) [root@localhost opt]# cd jumpserver
(py3) [root@localhost jumpserver]# cp config_example.yml config.yml
(py3) [root@localhost jumpserver]#

jumpserver45

然后对配置文件作如下修改:

(py3) [root@localhost jumpserver]#
(py3) [root@localhost jumpserver]# SECRET_KEY=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 50`
(py3) [root@localhost jumpserver]# echo “SECRET_KEY=$SECRET_KEY” >> ~/.bashrc
(py3) [root@localhost jumpserver]# BOOTSTRAP_TOKEN=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 16`
(py3) [root@localhost jumpserver]# echo “BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN” >> ~/.bashrc
(py3) [root@localhost jumpserver]#
(py3) [root@localhost jumpserver]# sed -i “s/SECRET_KEY:/SECRET_KEY: $SECRET_KEY/g” /opt/jumpserver/config.yml
(py3) [root@localhost jumpserver]# sed -i “s/BOOTSTRAP_TOKEN:/BOOTSTRAP_TOKEN: $BOOTSTRAP_TOKEN/g” /opt/jumpserver/config.yml
(py3) [root@localhost jumpserver]# sed -i “s/# DEBUG: true/DEBUG: false/g” /opt/jumpserver/config.yml
(py3) [root@localhost jumpserver]# sed -i “s/# LOG_LEVEL: DEBUG/LOG_LEVEL: ERROR/g” /opt/jumpserver/config.yml
(py3) [root@localhost jumpserver]# sed -i “s/# SESSION_EXPIRE_AT_BROWSER_CLOSE: false/SESSION_EXPIRE_AT_BROWSER_CLOSE: true/g” /opt/jumpserver/config.yml
(py3) [root@localhost jumpserver]# sed -i “s/DB_PASSWORD: /DB_PASSWORD: $DB_PASSWORD/g” /opt/jumpserver/config.yml
(py3) [root@localhost jumpserver]# echo -e “\033[31m 你的SECRET_KEY是 $SECRET_KEY \033[0m”
  你的SECRET_KEY是 fKk8ZyJlq6UCQZqowD3tOHXoJ86BfEaY6fMVsMfDzY4kTLQLja
(py3) [root@localhost jumpserver]# echo -e “\033[31m 你的BOOTSTRAP_TOKEN是 $BOOTSTRAP_TOKEN \033[0m”
  你的BOOTSTRAP_TOKEN是 H4x1afiqgY3MXCiD
(py3) [root@localhost jumpserver]#

修改完成后,检查下配置,特别是以下行中DB_PASSWORD中是否有密码,正常是有刚才随机的密码:

DB_HOST: 127.0.0.1
DB_PORT: 3306
DB_USER: jumpserver
DB_PASSWORD: vqMlQ8FhEkhXVCZHGgRatXIp
DB_NAME: jumpserver

最后启动jumpserver,通过./jms start –d命令,如下:

(py3) [root@localhost /]# cd /opt/jumpserver/
(py3) [root@localhost jumpserver]#
(py3) [root@localhost jumpserver]# ./jms start -d
2020-02-09 09:32:35 Sun Feb  9 09:32:35 2020
2020-02-09 09:32:35 Jumpserver version 1.5.6, more see https://www.jumpserver.org

– Start Gunicorn WSGI HTTP Server
2020-02-09 09:32:35 Check database connection …
users
  [ ] 0001_initial
  [ ] 0002_auto_20171225_1157_squashed_0019_auto_20190304_1459 (18 squashed migrations)
  [ ] 0020_auto_20190612_1825
  [ ] 0021_auto_20190625_1104
  [ ] 0022_auto_20190625_1105
  [ ] 0023_auto_20190724_1525
  [ ] 0024_auto_20191118_1612
2020-02-09 09:32:41 Database connect success
2020-02-09 09:32:41 Check database structure change …
2020-02-09 09:32:41 Migrate model change to database …
Operations to perform:
   Apply all migrations: admin, applications, assets, audits, auth, authentication, captcha, common, contenttypes, django_celery_beat, ops, orgs, perms, sessions, settings, terminal, tickets, users
Running migrations:
   Applying contenttypes.0001_initial… OK
   Applying contenttypes.0002_remove_content_type_name… OK
   Applying auth.0001_initial… OK
   Applying auth.0002_alter_permission_name_max_length… OK
   Applying auth.0003_alter_user_email_max_length… OK
   Applying auth.0004_alter_user_username_opts… OK
   Applying auth.0005_alter_user_last_login_null… OK
   Applying auth.0006_require_contenttypes_0002… OK
   Applying auth.0007_alter_validators_add_error_messages… OK
   Applying auth.0008_alter_user_username_max_length… OK
   Applying users.0001_initial… OK
   Applying admin.0001_initial… OK
   Applying admin.0002_logentry_remove_auto_add… OK
   Applying admin.0003_logentry_add_action_flag_choices… OK
   Applying users.0002_auto_20171225_1157_squashed_0019_auto_20190304_1459… OK
   Applying assets.0001_initial… OK
   Applying perms.0001_initial… OK
   Applying assets.0002_auto_20180105_1807_squashed_0009_auto_20180307_1212… OK
   Applying assets.0010_auto_20180307_1749_squashed_0019_auto_20180816_1320… OK
   Applying perms.0002_auto_20171228_0025_squashed_0009_auto_20180903_1132… OK
   Applying perms.0003_action… OK
   Applying perms.0004_assetpermission_actions… OK
   Applying assets.0020_auto_20180816_1652… OK
   Applying assets.0021_auto_20180903_1132… OK
   Applying assets.0022_auto_20181012_1717… OK
   Applying assets.0023_auto_20181016_1650… OK
   Applying assets.0024_auto_20181219_1614… OK
   Applying assets.0025_auto_20190221_1902… OK
   Applying assets.0026_auto_20190325_2035… OK
   Applying applications.0001_initial… OK
   Applying perms.0005_auto_20190521_1619… OK
   Applying perms.0006_auto_20190628_1921… OK
   Applying perms.0007_remove_assetpermission_actions… OK
   Applying perms.0008_auto_20190911_1907… OK
   Applying assets.0027_auto_20190521_1703… OK
   Applying assets.0028_protocol… OK
   Applying assets.0029_auto_20190522_1114… OK
   Applying assets.0030_auto_20190619_1135… OK
   Applying assets.0031_auto_20190621_1332… OK
   Applying assets.0032_auto_20190624_2108… OK
   Applying assets.0033_auto_20190624_2108… OK
   Applying assets.0034_auto_20190705_1348… OK
   Applying assets.0035_auto_20190711_2018… OK
   Applying assets.0036_auto_20190716_1535… OK
   Applying assets.0037_auto_20190724_2002… OK
   Applying assets.0038_auto_20190911_1634… OK
   Applying perms.0009_remoteapppermission_system_users… OK
   Applying applications.0002_remove_remoteapp_system_user… OK
   Applying applications.0003_auto_20191210_1659… OK
   Applying applications.0004_auto_20191218_1705… OK
   Applying assets.0039_authbook_is_active… OK
   Applying assets.0040_auto_20190917_2056… OK
   Applying assets.0041_gathereduser… OK
   Applying assets.0042_favoriteasset… OK
   Applying assets.0043_auto_20191114_1111… OK
   Applying assets.0044_platform… OK
   Applying assets.0045_auto_20191206_1607… OK
   Applying assets.0046_auto_20191218_1705… OK
   Applying audits.0001_initial… OK
   Applying audits.0002_ftplog_org_id… OK
   Applying audits.0003_auto_20180816_1652… OK
   Applying audits.0004_operatelog_passwordchangelog_userloginlog… OK
   Applying audits.0005_auto_20190228_1715… OK
   Applying audits.0006_auto_20190726_1753… OK
   Applying audits.0007_auto_20191202_1010… OK
   Applying auth.0009_alter_user_last_name_max_length… OK
   Applying authentication.0001_initial… OK
   Applying authentication.0002_auto_20190729_1423… OK
   Applying authentication.0003_loginconfirmsetting… OK
   Applying captcha.0001_initial… OK
   Applying common.0001_initial… OK
   Applying common.0002_auto_20180111_1407… OK
   Applying common.0003_setting_category… OK
   Applying common.0004_setting_encrypted… OK
   Applying common.0005_auto_20190221_1902… OK
   Applying common.0006_auto_20190304_1515… OK
   Applying django_celery_beat.0001_initial… OK
   Applying django_celery_beat.0002_auto_20161118_0346… OK
   Applying django_celery_beat.0003_auto_20161209_0049… OK
   Applying django_celery_beat.0004_auto_20170221_0000… OK
   Applying django_celery_beat.0005_add_solarschedule_events_choices_squashed_0009_merge_20181012_1416… OK
   Applying django_celery_beat.0006_periodictask_priority… OK
   Applying ops.0001_initial… OK
   Applying ops.0002_celerytask… OK
   Applying ops.0003_auto_20181207_1744… OK
   Applying ops.0004_adhoc_run_as… OK
   Applying ops.0005_auto_20181219_1807… OK
   Applying ops.0006_auto_20190318_1023… OK
   Applying ops.0007_auto_20190724_2002… OK
   Applying ops.0008_auto_20190919_2100… OK
   Applying ops.0009_auto_20191217_1713… OK
   Applying ops.0010_auto_20191217_1758… OK
   Applying orgs.0001_initial… OK
   Applying orgs.0002_auto_20180903_1132… OK
   Applying orgs.0003_auto_20190916_1057… OK
   Applying users.0020_auto_20190612_1825… OK
   Applying users.0021_auto_20190625_1104… OK
   Applying users.0022_auto_20190625_1105… OK
   Applying users.0023_auto_20190724_1525… OK
   Applying users.0024_auto_20191118_1612… OK
   Applying perms.0010_auto_20191218_1705… OK
   Applying sessions.0001_initial… OK
   Applying settings.0001_initial… OK
   Applying terminal.0001_initial… OK
   Applying terminal.0002_auto_20171228_0025_squashed_0009_auto_20180326_0957… OK
   Applying terminal.0010_auto_20180423_1140… OK
   Applying terminal.0011_auto_20180807_1116… OK
   Applying terminal.0012_auto_20180816_1652… OK
   Applying terminal.0013_auto_20181123_1113… OK
   Applying terminal.0014_auto_20181226_1441… OK
   Applying terminal.0015_auto_20190923_1529… OK
   Applying terminal.0016_commandstorage_replaystorage… OK
   Applying terminal.0017_auto_20191125_0931… OK
   Applying terminal.0018_auto_20191202_1010… OK
   Applying terminal.0019_auto_20191206_1000… OK
   Applying terminal.0020_auto_20191218_1721… OK
   Applying tickets.0001_initial… OK
2020-02-09 09:34:58 Collect static files
2020-02-09 09:35:03 Collect static files done

– Start Celery as Distributed Task Queue: Ansible

– Start Celery as Distributed Task Queue: Celery

– Start Beat as Periodic Task Scheduler

– Start Flower as Task Monitor

– Start Daphne ASGI WS Server
gunicorn is running: 1353
celery_ansible is running: 1364
celery_default is running: 1372
beat is running: 1383
flower is running: 1388
daphne is running: 1402
(py3) [root@localhost jumpserver]#

jumpserver46


如上,完成了jumpserver的启动。

10、部署koko和guacamole

koko和guacamole用于远程管理LINUX或WINDOWS主机时使用的连接组件,有本地安装和docker两种方式,本次和官网文档相同,使用docker,不过不使用docker软件,使用podman,原理基本相同。

首先安装podman:

(py3) [root@localhost jumpserver]# yum install -y podman-docker

jumpserver47

修改别名,这样可以使用docker开头的命令,符合使用习惯:

(py3) [root@localhost jumpserver]# alias docker=podman
(py3) [root@localhost jumpserver]# echo “alias docker=podman” >> ~/.bashrc

配置podman镜像源,编辑/etc/containers/registries.conf文件,将

registries = [‘registry.access.redhat.com’, ‘registry.fedoraproject.org’, ‘registry.centos.org’, ‘docker.io’]

修改为

registries = [‘dockerhub.azk8s.cn’, ‘docker.mirrors.ustc.edu.cn’, ‘docker.io’]

获取服务器IP地址并输入koko和guacamole镜像:

(py3) [root@localhost jumpserver]# Server_IP=`ip addr | grep ‘state UP’ -A2 | grep inet | egrep -v ‘(127.0.0.1|inet6|docker)’ | awk ‘{print $2}’ | tr -d “addr:” | head -n 1 | cut -d / -f1`
(py3) [root@localhost jumpserver]# echo -e “\033[31m 你的服务器IP是 $Server_IP \033[0m”
  你的服务器IP是 192.168.10.216
(py3) [root@localhost jumpserver]#
(py3) [root@localhost jumpserver]#
(py3) [root@localhost jumpserver]# docker run –name jms_koko -d -p 2222:2222 -p 127.0.0.1:5000:5000 -e CORE_HOST=http://$Server_IP:8080 -e BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN wojiushixiaobai/jms_koko:1.5.6
Trying to pull dockerhub.azk8s.cn/wojiushixiaobai/jms_koko:1.5.6…
Getting image source signatures
Copying blob c6b215e57460 done
Copying blob 2f770ee5b9cf done
Copying blob ab5ef0e58194 done
Copying blob 5192265494e0 done
Copying config 2561f13977 done
Writing manifest to image destination
Storing signatures
769148c0cec1cc8a6b227e9946f48613e3670c33b347862ae07e53d6b2e1ac99
(py3) [root@localhost jumpserver]#
(py3) [root@localhost jumpserver]#
(py3) [root@localhost jumpserver]#
(py3) [root@localhost jumpserver]# docker run –name jms_guacamole -d -p 127.0.0.1:8081:8080 -e JUMPSERVER_SERVER=http://$Server_IP:8080 -e BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN wojiushixiaobai/jms_guacamole:1.5.6
Trying to pull dockerhub.azk8s.cn/wojiushixiaobai/jms_guacamole:1.5.6…
Getting image source signatures
Copying blob ab5ef0e58194 skipped: already exists
Copying blob 7e663ccfc7bd done
Copying blob 923a0bfa2671 done
Copying blob 9391bafc9b01 done
Copying config af71674d07 done
Writing manifest to image destination
Storing signatures
9107b7603bf25c48bb939907882591cee524e22bd5c399781694863152fae72f
(py3) [root@localhost jumpserver]#
(py3) [root@localhost jumpserver]#
(py3) [root@localhost jumpserver]# docker ps
CONTAINER ID  IMAGE                                                   COMMAND          CREATED         STATUS             PORTS                                             NAMES
9107b7603bf2  dockerhub.azk8s.cn/wojiushixiaobai/jms_guacamole:1.5.6  ./entrypoint.sh  21 minutes ago  Up 21 minutes ago  127.0.0.1:8081->8080/tcp                          jms_guacamole
769148c0cec1  dockerhub.azk8s.cn/wojiushixiaobai/jms_koko:1.5.6       ./entrypoint.sh  25 minutes ago  Up 25 minutes ago  0.0.0.0:2222->2222/tcp, 127.0.0.1:5000->5000/tcp  jms_koko
(py3) [root@localhost jumpserver]#
(py3) [root@localhost jumpserver]#
(py3) [root@localhost jumpserver]# docker images
REPOSITORY                                         TAG     IMAGE ID       CREATED      SIZE
dockerhub.azk8s.cn/wojiushixiaobai/jms_guacamole   1.5.6   af71674d07a4   7 days ago   678 MB
dockerhub.azk8s.cn/wojiushixiaobai/jms_koko        1.5.6   2561f1397767   7 days ago   367 MB
(py3) [root@localhost jumpserver]#

jumpserver48

11、安装WEB Terminal

(py3) [root@localhost jumpserver]# cd /opt
(py3) [root@localhost opt]# wget https://github.com/jumpserver/luna/releases/download/1.5.6/luna.tar.gz
(py3) [root@localhost opt]#
(py3) [root@localhost opt]# tar xf luna.tar.gz
(py3) [root@localhost opt]#
(py3) [root@localhost opt]# ls
jumpserver  luna  luna.tar.gz  py3
(py3) [root@localhost opt]#
(py3) [root@localhost opt]# chown -R root:root luna
(py3) [root@localhost opt]#

jumpserver49

12、配置并运行Nginx

通过NGINX来整合之前安装的各种组件,确保统一访问路径,操作如下:

(py3) [root@localhost opt]# rm -rf /etc/nginx/conf.d/default.conf
(py3) [root@localhost opt]#
(py3) [root@localhost opt]# vi /etc/nginx/conf.d/jumpserver.conf

添加如下内容:

server {
     listen 80;
     # server_name _;

    client_max_body_size 100m;  # 录像及文件上传大小限制

    location /luna/ {
         try_files $uri / /index.html;
         alias /opt/luna/;  # luna 路径, 如果修改安装目录, 此处需要修改
     }

    location /media/ {
         add_header Content-Encoding gzip;
         root /opt/jumpserver/data/;  # 录像位置, 如果修改安装目录, 此处需要修改
     }

    location /static/ {
         root /opt/jumpserver/data/;  # 静态资源, 如果修改安装目录, 此处需要修改
     }

    location /koko/ {
         proxy_pass       http://localhost:5000;
         proxy_buffering off;
         proxy_http_version 1.1;
         proxy_set_header Upgrade $http_upgrade;
         proxy_set_header Connection “upgrade”;
         proxy_set_header X-Real-IP $remote_addr;
         proxy_set_header Host $host;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
         access_log off;
     }

    location /guacamole/ {
         proxy_pass       http://localhost:8081/;
         proxy_buffering off;
         proxy_http_version 1.1;
         proxy_set_header Upgrade $http_upgrade;
         proxy_set_header Connection $http_connection;
         proxy_set_header X-Real-IP $remote_addr;
         proxy_set_header Host $host;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
         access_log off;
     }

    location /ws/ {
         proxy_pass http://localhost:8070;
         proxy_http_version 1.1;
         proxy_buffering off;
         proxy_set_header Upgrade $http_upgrade;
         proxy_set_header Connection “upgrade”;
         proxy_set_header X-Real-IP $remote_addr;
         proxy_set_header Host $host;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
         access_log off;
     }

    location / {
         proxy_pass http://localhost:8080;
         proxy_set_header X-Real-IP $remote_addr;
         proxy_set_header Host $host;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
         access_log off;
     }
}

完成后开始运行Nginx,先运行nginx -t查看,确保配置没有问题:

(py3) [root@localhost opt]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
(py3) [root@localhost opt]#
(py3) [root@localhost opt]#

jumpserver50

没问题后运行nginx:

(py3) [root@localhost opt]# systemctl start nginx
(py3) [root@localhost opt]#
(py3) [root@localhost opt]# systemctl status nginx
鈼[0m nginx.service – nginx – high performance web server
    Loaded: loaded (/usr/lib/systemd/system/nginx.service; enabled; vendor preset: disable>
    Active: active (running) since Sun 2020-02-09 10:36:28 CST; 6s ago
      Docs: http://nginx.org/en/docs/
   Process: 3559 ExecStart=/usr/sbin/nginx -c /etc/nginx/nginx.conf (code=exited, status=0>
  Main PID: 3560 (nginx)
     Tasks: 2 (limit: 26213)
    Memory: 2.3M
    CGroup: /system.slice/nginx.service
            鈹溾攢3560 nginx: master process /usr/sbin/nginx -c /etc/nginx/nginx.conf
            鈹斺攢3561 nginx: worker process

Feb 09 10:36:28 localhost.localdomain systemd[1]: Starting nginx – high performance web s>
Feb 09 10:36:28 localhost.localdomain systemd[1]: Started nginx – high performance web se>

(py3) [root@localhost opt]#

jumpserver51

完成后,打开浏览器,输入http://192.168.10.216,出现登陆界面,用户名密码默认都为admin,如下图,

jumpserver53

jumpserver54

进入后,打开“会话管理”->“终端管理”,由于装了KOKO和guacamole,故正常情况下会有两个终端设备,如下,若没有出现,则koko和guacamole可能安装没成功,如下图所示。

jumpserver55

至此,jumpserver在centos8上的部署已完成 ,下步就需要添加用户和设备资源,使jumpserver可以远程管理相应设备或系统。

参考文章:
1、CentOS 8 安装文档
https://jumpserver.readthedocs.io/zh/master/setup_by_centos8.html

2、Docker 使用说明
https://jumpserver.readthedocs.io/zh/master/faq_docker.html

3、pip install -r /opt/jumpserver/requirements/requirements.txt 安装python-gssapi-0.6.4报错
https://blog.csdn.net/a13568hki/article/details/103259532

4、Jumpserver单机快速部署前的准备工作及部署流程