JumpServer v2.0.1 Installation Notes [!!DEPRECATED!!]

Overview

Software versions

  • Operating system: CentOS-7.8.2003
  • JumpServer: 2.0.1
  • MySQL: 5.7.30
  • Redis (CentOS 7 stock package): 3.2.12
  • Nginx (CentOS 7 stock package): 1.16.1

Deployment approach

  • Single-host deployment
  • jumpserver, KoKo and Guacamole run as containers
  • MySQL installed with yum
  • Redis installed with yum
  • Nginx installed with yum; it serves the JumpServer front-end static assets (lina) and reaches luna over websocket

Security hardening

  • Force HTTP to redirect to HTTPS
  • Obtain an HTTPS certificate with acme.sh for the Nginx HTTPS configuration
  • The host is exposed to the public internet, so ICMP echo is disabled to reduce the chance of being picked up by scans

Operating system preparation

Update the operating system

yum update -y

Install the base package group

yum groups install base -y

Install common tools

yum install -y nc \
git \
vim \
tree \
dstat \
iotop \
htop \
socat \
ipset \
conntrack \
bash-completion-extras \
tcpdump \
wireshark \
bcc-tools \
perf \
trace-cmd \
systemtap \
nethogs

Disable ICMP echo (ping)

# Files in /etc/sysctl.d are applied at boot; run sysctl --system to apply the setting immediately
cat > /etc/sysctl.d/99-disable-icmp.conf <<EOF
net.ipv4.icmp_echo_ignore_all=1
net.ipv4.icmp_echo_ignore_broadcasts=1
EOF
sysctl --system

Install Docker CE

Remove old versions

yum remove -y docker \
docker-client \
docker-client-latest \
docker-common \
docker-latest \
docker-latest-logrotate \
docker-logrotate \
docker-selinux \
docker-engine-selinux \
docker-engine

Install dependencies

yum install -y yum-utils device-mapper-persistent-data lvm2

Add the YUM repository

yum-config-manager --add-repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo

Switch the repository to the Aliyun mirror

sed -e 's,https://download.docker.com,https://mirrors.aliyun.com/docker-ce,g' -i /etc/yum.repos.d/docker-ce.repo

Install Docker CE

yum install -y docker-ce

Add the daemon configuration file

mkdir -p /etc/docker
cat > /etc/docker/daemon.json <<EOF
{
  "exec-opts": ["native.cgroupdriver=systemd"],
  "registry-mirrors": ["https://pqbap4ya.mirror.aliyuncs.com"],
  "insecure-registries": [],
  "log-driver": "json-file",
  "log-opts": {
    "max-size": "100m",
    "max-file": "3"
  },
  "storage-driver": "overlay2",
  "storage-opts": [
    "overlay2.override_kernel_check=true"
  ],
  "data-root": "/var/lib/docker",
  "max-concurrent-downloads": 10
}
EOF
# The daemon has to be running (and start on boot) before the docker pull / docker run steps below
systemctl enable --now docker

Install MySQL

Add the YUM repository

yum install https://dev.mysql.com/get/mysql80-community-release-el7-3.noarch.rpm

Disable the MySQL 8.0 repository

yum-config-manager --disable mysql80-community

Enable the MySQL 5.7 repository

yum-config-manager --enable mysql57-community

Install MySQL 5.7

yum install -y mysql-community-server-5.7.30-1.el7.x86_64 \
mysql-community-libs-5.7.30-1.el7.x86_64 \
mysql-community-libs-compat-5.7.30-1.el7.x86_64 \
mysql-community-client-5.7.30-1.el7.x86_64 \
mysql-community-common-5.7.30-1.el7.x86_64 \
mysql-community-devel-5.7.30-1.el7

Configure MySQL

  • Edit /etc/my.cnf
[client]
port = 3306

[mysql]
prompt="\u@JumpServerDB \R:\m:\s [\d]> "
no-auto-rehash

[mysqld]
# jms_core connects over 127.0.0.1 (host networking); without this MySQL listens on every interface of a host that is exposed to the internet
bind-address = 127.0.0.1
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
symbolic-links=0
log-error=/var/log/mysqld.log
slow_query_log = 1
slow_query_log_file = slow.log
pid-file=/var/run/mysqld/mysqld.pid
character-set-server = utf8mb4
skip_name_resolve = 1
back_log = 1024
max_connections = 512
max_connect_errors = 1000000
table_open_cache = 1024
table_definition_cache = 1024
table_open_cache_instances = 64
thread_stack = 512K
external-locking = FALSE
max_allowed_packet = 32M
sort_buffer_size = 16M
join_buffer_size = 16M
thread_cache_size = 768
interactive_timeout = 600
wait_timeout = 600
tmp_table_size = 96M
max_heap_table_size = 96M
long_query_time = 0.1
log_queries_not_using_indexes =1
log_throttle_queries_not_using_indexes = 60
min_examined_row_limit = 100
log_slow_admin_statements = 1
log_slow_slave_statements = 1
server-id = 3306
log-bin = binlog
sync_binlog = 1
binlog_cache_size = 4M
max_binlog_cache_size = 1G
max_binlog_size = 1G
expire_logs_days = 3
master_info_repository = TABLE
relay_log_info_repository = TABLE
gtid_mode = on
enforce_gtid_consistency = 1
binlog_format = row
binlog_checksum = 1
relay_log_recovery = 1
relay-log-purge = 1
key_buffer_size = 32M
read_buffer_size = 8M
read_rnd_buffer_size = 16M
bulk_insert_buffer_size = 64M
lock_wait_timeout = 3600
explicit_defaults_for_timestamp = 1
transaction_isolation = REPEATABLE-READ
#innodb_additional_mem_pool_size = 16M

[mysqld_safe]

[mysqld_multi]

[mysqldump]
quick
max_allowed_packet = 32M

Start MySQL

systemctl start mysqld.service

Enable start on boot

systemctl enable mysqld.service

Obtain the initial database root password

grep 'temporary password' /var/log/mysqld.log

Secure the installation

  • Use the root password obtained above
mysql_secure_installation

Create the database and user

  • Created as required by JumpServer
CREATE DATABASE jumpserver DEFAULT CHARSET 'utf8' COLLATE 'utf8_bin';
-- jms_core connects from 127.0.0.1 (host networking), so the host part can be narrowed from '%' to '127.0.0.1'
GRANT ALL PRIVILEGES ON jumpserver.* to 'jumpserver'@'%' IDENTIFIED BY '这里填密码';
FLUSH PRIVILEGES;

Install Redis

Install via YUM

yum install -y redis

Configure Redis

  • Add one line to /etc/redis.conf, then start the service with systemctl enable --now redis
# The stock CentOS 7 redis.conf already binds 127.0.0.1 only; keep that so the password is not the only barrier
requirepass "Redis连接密码"

Create the jumpserver directories

mkdir -p /opt/jumpserver /opt/jumpserver/data
mkdir -p /opt/koko /opt/koko/data
mkdir -p /opt/guacamol /opt/guacamol/keys /opt/guacamol/data
# the certificate and nginx.conf steps below use /opt/jms_nginx, so create that path rather than /opt/nginx
mkdir -p /opt/jms_nginx /opt/jms_nginx/tls.d

Deploy the certificate

Install acme.sh

curl -sSL https://get.acme.sh | sh

Issue the certificate

  • DNS validation through Aliyun, using an AccessKey and AccessKeySecret
export Ali_Key="阿里云Accesskey"
export Ali_Secret="阿里云Secret"

# --dns dns_ali and --standalone select different validation modes; only the DNS mode is wanted here
~/.acme.sh/acme.sh --issue \
-d "jumpserver.example.com" \
--dns dns_ali \
-k ec-256

Install the certificate

# --reloadcmd runs now and after every renewal, so the nginx container picks up the renewed certificate
# (it reports a reload error until jms_nginx exists; the installed files are unaffected)
~/.acme.sh/acme.sh --installcert \
-d "jumpserver.example.com" \
--fullchainpath /opt/jms_nginx/tls.d/jumpserver.crt \
--keypath /opt/jms_nginx/tls.d/jumpserver.key --ecc \
--reloadcmd "docker restart jms_nginx"

Configure acme.sh auto-upgrade

Because the ACME protocol and the Let's Encrypt CA are both updated frequently, acme.sh is also updated often to stay in sync.

~/.acme.sh/acme.sh --upgrade --auto-upgrade

Containerised deployment

JumpServer

Pull the image

docker pull jumpserver/jms_core:2.0.1

Create the configuration file

  • /opt/jumpserver/config.yml
# SECURITY WARNING: keep the secret key used in production secret!
# Encryption key: in production replace it with a random string and never disclose it; it can be generated with
# $ cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 49;echo
SECRET_KEY: 这里替换成上一步生成的随机字符串
# SECURITY WARNING: keep the bootstrap token used in production secret!
# Pre-shared token used by coco and guacamole to register their service accounts; the old registration-approval mechanism is no longer used
BOOTSTRAP_TOKEN: 这里替换成上一步生成的随机字符串
# Development env open this, when error occur display the full process track, Production disable it
# DEBUG mode: with DEBUG enabled, errors produce much more verbose logging
DEBUG: false
# DEBUG, INFO, WARNING, ERROR, CRITICAL can set. See https://docs.djangoproject.com/en/1.10/topics/logging/
# Log level
LOG_LEVEL: INFO
# LOG_DIR:
# Session expiration setting, Default 24 hour, Also set expired on browser close
# Browser session lifetime, default 24 hours; can also be set to expire when the browser closes
# SESSION_COOKIE_AGE: 86400
# SESSION_EXPIRE_AT_BROWSER_CLOSE: false
# Database setting, Support sqlite3, mysql, postgres ....
# Database settings
# See https://docs.djangoproject.com/en/1.10/ref/settings/#databases
# SQLite setting:
# Single-file sqlite database
# DB_ENGINE: sqlite3
# DB_NAME:
# MySQL or postgres setting like:
# Use MySQL as the database
DB_ENGINE: mysql
DB_HOST: 127.0.0.1
DB_PORT: 3306
DB_USER: jumpserver
DB_PASSWORD: "数据库密码"
DB_NAME: jumpserver
# When Django start it will bind this host and port
# ./manage.py runserver 127.0.0.1:8080
# Host and ports bound at run time; core stays on loopback and is reached only through the reverse proxy
HTTP_BIND_HOST: 127.0.0.1
HTTP_LISTEN_PORT: 8079
WS_LISTEN_PORT: 8070
# Use Redis as broker for celery and web socket
# Redis settings
REDIS_HOST: 127.0.0.1
REDIS_PORT: 6379
REDIS_PASSWORD: "Redis密码"
# REDIS_DB_CELERY: 3
# REDIS_DB_CACHE: 4
# Use OpenID Authorization
# OpenID authentication settings
# BASE_SITE_URL: http://localhost:8080
# AUTH_OPENID: false # True or False
# AUTH_OPENID_SERVER_URL: https://openid-auth-server.com/
# AUTH_OPENID_REALM_NAME: realm-name
# AUTH_OPENID_CLIENT_ID: client-id
# AUTH_OPENID_CLIENT_SECRET: client-secret
# AUTH_OPENID_IGNORE_SSL_VERIFICATION: True
# AUTH_OPENID_SHARE_SESSION: True
# Perm show single asset to ungrouped node
# Whether assets of unauthorised nodes are placed under the "ungrouped" node
# PERM_SINGLE_ASSET_TO_UNGROUP_NODE: false
# Enable periodic tasks
# PERIOD_TASK_ENABLE: True
# Enable secondary (login confirmation) authentication
# LOGIN_CONFIRM_ENABLE: False
# Skip manual password entry for Windows logins
WINDOWS_SKIP_ALL_MANUAL_PASSWORD: True
LOGIN_LOG_KEEP_DAYS: 180
TASK_LOG_KEEP_DAYS: 15
DISPLAY_PER_PAGE: 50

Run the container

docker run -itd \
--name jms_core \
--restart=always \
--net=host \
-v /etc/localtime:/etc/localtime:ro \
-v /opt/jumpserver/config.yml:/opt/jumpserver/config.yml:ro \
-v /opt/jumpserver/data:/opt/jumpserver/data \
-v /opt/jumpserver/logs:/opt/jumpserver/logs \
-w /opt/jumpserver \
jumpserver/jms_core:2.0.1 \
/bin/bash -c "source /opt/py3/bin/activate && ./jms start"

KoKo

Pull the image

docker pull jumpserver/jms_koko:2.0.1

Create the configuration file

vim /opt/koko/config.yml
  • Configure as follows
# NAME: {{ Hostname }}
# URL of the Jumpserver project; used by the API registration request
CORE_HOST: http://127.0.0.1:8079
# Bootstrap Token: pre-shared secret used to register the service account and terminal that coco uses
# Keep it identical to the one in the jumpserver configuration file; it can be removed once registration is complete
BOOTSTRAP_TOKEN: "这里跟JumpServer的配置一样"
# IP bound at start-up, default 0.0.0.0
BIND_HOST: 127.0.0.1
# SSH port to listen on, default 2222
SSHD_PORT: 2222
# HTTP/WS port to listen on, default 5000
HTTPD_PORT: 5000
# ACCESS KEY used by the project; registered automatically by default and saved to ACCESS_KEY_STORE,
# can be written into the configuration file if needed, format access_key_id:access_key_secret
# ACCESS_KEY: null
# Path where the ACCESS KEY is stored; by default it is saved to this file after registration
# ACCESS_KEY_FILE: data/keys/.access_key
# Log level [DEBUG, INFO, WARN, ERROR, FATAL, CRITICAL]
LOG_LEVEL: INFO
# SSH connection timeout (default 15 seconds)
SSH_TIMEOUT: 15
# Language [en,zh]
LANG: zh
# SFTP root directory; /tmp, Home or any other custom directory
# (kept under /opt/koko/data, the volume mounted into the container below)
SFTP_ROOT: /opt/koko/data/tmp
# Whether SFTP shows hidden files
# SFTP_SHOW_HIDDEN_FILE: false
# Whether to reuse connections a user already has to back-end assets (users never reuse other users' connections)
# REUSE_CONNECTION: true
# Asset loading policy, adjustable to the asset count. Default: load assets asynchronously with asynchronous, paginated search; with all, load every asset and search/paginate locally.
# ASSET_LOAD_POLICY:
# Maximum size of zip archives (unit: M)
ZIP_MAX_SIZE: 1024M
# Temporary directory for zip archives /tmp
# ZIP_TMP_PATH: /tmp
# Interval (seconds) between keepalives sent to the SSH client, default 30; 0 disables them
CLIENT_ALIVE_INTERVAL: 30
# Number of keepalive retries towards the asset, default 3
RETRY_ALIVE_COUNT_MAX: 3
# Backend used for session sharing [local, redis], default local
SHARE_ROOM_TYPE: redis
# Redis settings
REDIS_HOST: 127.0.0.1
REDIS_PORT: 6379
REDIS_PASSWORD: "Redis连接密码"
# REDIS_CLUSTERS:
REDIS_DB_ROOM: 6

Run the container

docker run -itd \
--name=jms_koko \
--restart=always \
--net=host \
-v /etc/localtime:/etc/localtime:ro \
-v /opt/koko/config.yml:/opt/koko/config.yml:ro \
-v /opt/koko/data:/opt/koko/data \
-w /opt/koko \
jumpserver/jms_koko:2.0.1 \
/opt/koko/koko -s start

Guacamole

Pull the image

# the image name is jms_guacamole, the same name the run command and the compose file below use
docker pull jumpserver/jms_guacamole:2.0.1

Run the container

  • guacd must be started, listening on 127.0.0.1:4822
  • change the default tomcat9 port from 8080 to 8081
  • start tomcat in the foreground
# The double quotes inside the sed expression are escaped: unescaped, they end the outer "..." string
# on the host shell, the pattern loses its quotes and never matches server.xml
docker run -itd \
--name=jms_guacamol \
--restart=always \
--net=host \
-e JUMPSERVER_SERVER="http://127.0.0.1:8079" \
-e BOOTSTRAP_TOKEN="这里跟JumpServer的BOOTSTRAP_TOKEN一样" \
-e GUACAMOLE_LOG_LEVEL="INFO" \
-e JUMPSERVER_KEY_DIR="/config/guacamole/keys" \
-e GUACAMOLE_HOME="/config/guacamole" \
-e JUMPSERVER_ENABLE_DRIVE=true \
-e JUMPSERVER_CLEAR_DRIVE_SESSION=true \
-v /etc/localtime:/etc/localtime:ro \
-v /opt/guacamol/keys:/config/guacamole/keys \
-v /opt/guacamol/data:/config/guacamole/data \
-v /opt/guacamol/drive:/config/guacamole/drive \
-v /opt/guacamol/record:/config/guacamole/record \
-w /config/tomcat9/bin \
jumpserver/jms_guacamole:2.0.1 \
/bin/bash \
-c \
"sed -i 's/Connector port=\"8080\"/Connector port=\"8081\"/g' /config/tomcat9/conf/server.xml && /usr/local/sbin/guacd -l 4822 -b 127.0.0.1 -L debug && /config/tomcat9/bin/catalina.sh run"

Nginx

Contains the code of both the Luna and Lina projects

Pull the image

docker pull jumpserver/jms_nginx:2.0.1

Create the configuration file

vim /opt/jms_nginx/nginx.conf
  • Add the following content
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

include /usr/share/nginx/modules/*.conf;

events {
worker_connections 1024;
}

http {
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for" "$upstream_addr"';

access_log /var/log/nginx/access.log main;

sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;

include /etc/nginx/mime.types;
default_type application/octet-stream;
# include /etc/nginx/conf.d/*.conf;
server {
listen 80;
server_name jumpserver.example.com;
return 301 https://$server_name$request_uri;
}
server {
listen 443 ssl http2;
server_name jumpserver.example.com;
ssl_certificate tls.d/jumpserver.crt;
ssl_certificate_key tls.d/jumpserver.key;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off;
ssl_ecdh_curve prime256v1:secp384r1;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
add_header Strict-Transport-Security "max-age=63072000" always;
ssl_stapling on;
ssl_stapling_verify on;
client_max_body_size 100m; # size limit for session recordings and file uploads

location /ui/ {
try_files $uri / /index.html;
alias /opt/lina/;
}
location /luna/ {
try_files $uri / /index.html;
alias /opt/luna/;
}
location /media/ {
add_header Content-Encoding gzip;
root /opt/jumpserver/data/;
}
location /static/ {
root /opt/jumpserver/data/;
}
# All containers run with --net=host, so the Docker service names jms_koko, jms_core and
# jms_guacamole do not resolve here; proxy to the loopback ports the services bind instead:
# koko 5000, guacamole tomcat 8081, core WebSocket 8070, core HTTP 8079
location /koko/ {
proxy_pass http://127.0.0.1:5000;
proxy_buffering off;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
access_log off;
}
location /guacamole/ {
proxy_pass http://127.0.0.1:8081/;
proxy_buffering off;
proxy_http_version 1.1;
proxy_request_buffering off;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $http_connection;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
access_log off;
}
location /ws/ {
proxy_pass http://127.0.0.1:8070;
proxy_buffering off;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
access_log off;
}
location /api/ {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://127.0.0.1:8079;
}
location /core/ {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://127.0.0.1:8079;
}
location / {
rewrite ^/(.*)$ /ui/$1 last;
}
}
}

Run the container

docker run -itd \
--name=jms_nginx \
--restart=always \
--net=host \
-e TZ=Asia/Shanghai \
-v /etc/localtime:/etc/localtime:ro \
-v /opt/jumpserver/data:/opt/jumpserver/data \
-v /opt/jms_nginx/nginx.conf:/etc/nginx/nginx.conf \
-v /opt/jms_nginx/tls.d:/etc/nginx/tls.d \
jumpserver/jms_nginx:2.0.1
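With --net=host there is no network isolation between the containers and the host, so the hardening goals above hold only if core, koko, guacd, tomcat, MySQL and Redis really stay on 127.0.0.1 and only nginx (80/443) and sshd are reachable from outside. The audit script below is an added example, not part of the original post: it reads `ss -Hltn` output and reports every listener bound to a non-loopback address whose port is not in an allow-list; the allow-list (22, 80, 443) is an assumption and the embedded sample output is constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Reports listening TCP sockets that are bound
# to a non-loopback address on ports other than the ones expected to be public.
# Assumption: only SSH (22) and the nginx ports (80, 443) should be reachable from outside;
# core (8079/8070), koko (2222/5000), guacd (4822), tomcat (8081), MySQL (3306) and
# Redis (6379) must be bound to 127.0.0.1 because --net=host offers no other isolation.

ALLOWED_PUBLIC_PORTS="22 80 443"

# Reads `ss -Hltn` lines on stdin (State Recv-Q Send-Q Local Peer ...), prints one
# "exposed: <addr:port>" line per unexpected public listener and returns 1 if any were found.
check_listeners() {
    found=0
    while read -r state recvq sendq laddr peer rest; do
        [ -z "$laddr" ] && continue
        port=${laddr##*:}
        addr=${laddr%:*}
        case "$addr" in
            127.*|'[::1]'|'::1') continue ;;     # loopback listeners are fine
        esac
        allowed=0
        for p in $ALLOWED_PUBLIC_PORTS; do
            [ "$p" = "$port" ] && allowed=1
        done
        if [ "$allowed" -eq 0 ]; then
            echo "exposed: $laddr"
            found=1
        fi
    done
    return "$found"
}

# Constructed sample of `ss -Hltn` output for this deployment: tomcat (8081) and MySQL (3306)
# listen on all interfaces, everything else is correctly on loopback.
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 0.0.0.0:80 0.0.0.0:*
LISTEN 0 128 0.0.0.0:443 0.0.0.0:*
LISTEN 0 128 127.0.0.1:8079 0.0.0.0:*
LISTEN 0 128 127.0.0.1:8070 0.0.0.0:*
LISTEN 0 128 127.0.0.1:2222 0.0.0.0:*
LISTEN 0 128 127.0.0.1:5000 0.0.0.0:*
LISTEN 0 128 127.0.0.1:4822 0.0.0.0:*
LISTEN 0 100 *:8081 *:*
LISTEN 0 80 *:3306 *:*
LISTEN 0 128 127.0.0.1:6379 0.0.0.0:*'

if [ "${1:-}" = "--live" ]; then
    # Audit the real host (run as root so ss can see every socket)
    ss -Hltn | check_listeners && echo "ok: no unexpected public listeners"
else
    printf '%s\n' "$SAMPLE_SS" | check_listeners || echo "sample: exposed listeners found (expected 8081 and 3306)"
fi
```

Run it with `--live` after the containers are up; a non-zero exit means a service is bound wider than the configuration above intends.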

Unified management with Docker Compose

The project officially provides a Docker Compose way of starting everything; here it is adapted to work with the configuration files written above.

.env file

# The version can be adjusted to the project release being deployed; the tag must exist on the registry (the docker pull commands above use 2.0.1)
Version=v2.0.1
BOOTSTRAP_TOKEN=随机字符串
LOG_LEVEL=DEBUG

docker-compose file

version: "3"
# networks:
#   jumpserver:
services:
  jms_core:
    command:
      - /bin/bash
      - "-c"
      - "source /opt/py3/bin/activate && ./jms start"
    container_name: jms_core
    environment:
      TZ: Asia/Shanghai
    image: "jumpserver/jms_core:${Version}"
    network_mode: host
    # networks:
    #   - jumpserver
    restart: always
    tty: true
    volumes:
      - "/etc/localtime:/etc/localtime:ro"
      - "/opt/jumpserver/config.yml:/opt/jumpserver/config.yml"
      - "/opt/jumpserver/data:/opt/jumpserver/data"
      - "/opt/jumpserver/logs:/opt/jumpserver/logs"
    working_dir: /opt/jumpserver

  jms_guacamole:
    command:
      - /bin/bash
      - "-c"
      # same start-up as the docker run command above: move tomcat to 8081 before starting guacd and tomcat
      - "sed -i 's/Connector port=\"8080\"/Connector port=\"8081\"/g' /config/tomcat9/conf/server.xml && /usr/local/sbin/guacd -l 4822 -b 127.0.0.1 -L debug && /config/tomcat9/bin/catalina.sh run"
    container_name: jms_guacamole
    depends_on:
      - jms_core
    environment:
      BOOTSTRAP_TOKEN: "$BOOTSTRAP_TOKEN"
      GUACAMOLE_HOME: "/config/guacamole"
      GUACAMOLE_LOG_LEVEL: "$LOG_LEVEL"
      JUMPSERVER_CLEAR_DRIVE_SESSION: "true"
      JUMPSERVER_ENABLE_DRIVE: "true"
      JUMPSERVER_KEY_DIR: "/config/guacamole/keys"
      # with network_mode: host the service name jms_core does not resolve; use the loopback port core listens on
      JUMPSERVER_SERVER: "http://127.0.0.1:8079"
      TZ: Asia/Shanghai
    image: "jumpserver/jms_guacamole:${Version}"
    network_mode: host
    # networks:
    #   - jumpserver
    restart: always
    tty: true
    volumes:
      - "/etc/localtime:/etc/localtime:ro"
      - "/opt/guacamol/keys:/config/guacamole/keys"
      - "/opt/guacamol/data:/config/guacamole/data"
      - "/opt/guacamol/drive:/config/guacamole/drive"
      - "/opt/guacamol/record:/config/guacamole/record"
    working_dir: /config/tomcat9/bin

  jms_koko:
    command:
      - /opt/koko/koko
      - "-s"
      - start
    container_name: jms_koko
    depends_on:
      - jms_core
    environment:
      TZ: Asia/Shanghai
    image: "jumpserver/jms_koko:${Version}"
    network_mode: host
    # networks:
    #   - jumpserver
    # ports:
    #   - "2222:2222"
    # not required: the docker run command above starts koko without --privileged, so it is left off here
    # privileged: true
    restart: always
    tty: true
    volumes:
      - "/etc/localtime:/etc/localtime:ro"
      - "/opt/koko/config.yml:/opt/koko/config.yml"
      - "/opt/koko/data:/opt/koko/data"
    working_dir: /opt/koko

  jms_nginx:
    container_name: jms_nginx
    depends_on:
      - jms_core
      - jms_koko
    environment:
      TZ: Asia/Shanghai
    image: "jumpserver/jms_nginx:${Version}"
    network_mode: host
    # networks:
    #   - jumpserver
    # ports:
    #   - "80:80"
    #   - "443:443"
    restart: always
    tty: true
    volumes:
      - "/etc/localtime:/etc/localtime:ro"
      - "/opt/jumpserver/data:/opt/jumpserver/data"
      # same mounts as the docker run command above; without them the custom nginx.conf and the certificate are not used
      - "/opt/jms_nginx/nginx.conf:/etc/nginx/nginx.conf"
      - "/opt/jms_nginx/tls.d:/etc/nginx/tls.d"

Configure GitLab OAuth2 login

Add an Application in GitLab

  • Callback URL
https://jumpserver.example.com/core/auth/openid/callback/
  • Scopes
    • api
    • openid
    • profile
    • email

Modify jumpserver

  • /opt/jumpserver/config.yml
SITE_URL: https://jumpserver.example.com
BASE_SITE_URL: https://jumpserver.example.com
AUTH_OPENID: true
AUTH_OPENID_CLIENT_ID: GITLAB_CLIENT_ID
AUTH_OPENID_CLIENT_SECRET: GITLAB_CLIENT_SECRET
AUTH_OPENID_PROVIDER_ENDPOINT: https://gitlab.example.com
AUTH_OPENID_PROVIDER_AUTHORIZATION_ENDPOINT: /oauth/authorize
AUTH_OPENID_PROVIDER_TOKEN_ENDPOINT: /oauth/token
AUTH_OPENID_PROVIDER_JWKS_ENDPOINT: /oauth/discovery/keys
AUTH_OPENID_PROVIDER_USERINFO_ENDPOINT: /oauth/userinfo
AUTH_OPENID_PROVIDER_END_SESSION_ENDPOINT: None
AUTH_OPENID_PROVIDER_SIGNATURE_ALG: HS256
AUTH_OPENID_PROVIDER_SIGNATURE_KEY: None
AUTH_OPENID_SCOPES: openid profile email
AUTH_OPENID_ID_TOKEN_MAX_AGE: 60
AUTH_OPENID_ID_TOKEN_INCLUDE_CLAIM: True
AUTH_OPENID_USE_STATE: True
AUTH_OPENID_USE_NONCE: True
AUTH_OPENID_SHARE_SESSION: True
# Disables TLS certificate verification towards the GitLab endpoints; set to False once gitlab.example.com presents a trusted certificate
AUTH_OPENID_IGNORE_SSL_VERIFICATION: True
AUTH_OPENID_ALWAYS_UPDATE_USER: True

Restart jumpserver

docker restart jms_core

OpenID Connect test results

  • The documentation is thin; the callback address could only be found by reading the source
  • The user information obtained via OpenID is incorrect