1. OneTerm Overview
OneTerm is an open-source, enterprise-grade bastion host (jump server) developed by the Chinese operations team VeOps (维易). It is designed around the 4A model (authentication, authorization, accounting, audit) and aims to give an organization a single, controlled and auditable entry point for operations access to its infrastructure.
2. Core Features
OneTerm's design emphasizes being "simple, lightweight and flexible". Its main capabilities are:
Broad multi-protocol support: assets are accessed through the browser, covering the large majority of day-to-day operations scenarios.
Core operations protocols: SSH, RDP, VNC, Telnet.
Database protocols: MySQL, PostgreSQL, Redis, MongoDB.
Web protocols: HTTP/HTTPS.
Security auditing: this is the core value of a bastion host. Every operation that passes through OneTerm is logged, and session recordings and command history can be replayed, so the full course of a session can be reconstructed afterwards. Note that only traffic that actually goes through the bastion is captured; direct access to a target that bypasses OneTerm leaves no record here, so network controls should make the bastion the only route in.
Fine-grained authorization: a standalone ACL module controls access along three dimensions (node, asset, account) and combines them with policies such as time templates, command templates and IP allowlists, so that individual operations ("connect, share, upload, download, copy, paste") can be granted or denied per user.
Usability: a modern web workbench with over a hundred terminal themes, batch command execution, visual file transfer and quick asset sharing, all intended to improve operations efficiency.
3. Pull the OneTerm Images
```bash
docker pull registry.cn-hangzhou.aliyuncs.com/veops/oneterm-api:24.3
docker pull registry.cn-hangzhou.aliyuncs.com/veops/oneterm-ssh:24.3.1
docker pull registry.cn-hangzhou.aliyuncs.com/veops/oneterm-guacd:24.3
docker pull registry.cn-hangzhou.aliyuncs.com/qiluo-images/mysql:8.4.5
docker pull registry.cn-hangzhou.aliyuncs.com/qiluo-images/redis:latest
docker pull registry.cn-hangzhou.aliyuncs.com/veops/oneterm-ui:24.3
docker pull registry.cn-hangzhou.aliyuncs.com/veops/acl-api:1.1
```
Note that the tags pulled here (24.3, 24.3.1, 1.1) do not match the tags referenced in the docker-compose.yaml shown in the next step (v25.2.1 and latest). docker-compose always resolves the tags written in the compose file, so these manual pulls do not determine what actually runs; pin one consistent set of tags in the compose file and avoid floating tags such as latest, which silently change the deployed code between pulls.
4. Deploy the OneTerm Service
```bash
cd /data
git clone https://github.com/veops/oneterm.git
cd oneterm/deploy
cat docker-compose.yaml
```
```yaml
version: "3.0"
services:
  oneterm-api:
    image: registry.cn-hangzhou.aliyuncs.com/veops/oneterm-api:v25.2.1
    container_name: oneterm-api
    volumes:
      - ./volume/replay:/replay
      - ./config.yaml:/oneterm/config.yaml
    depends_on:
      - mysql
      - redis
      - oneterm-guacd
    restart: always
    networks:
      new:
        aliases:
          - oneterm-api
    tty: true
    ports:
      - "2222:2222"
  oneterm-guacd:
    image: registry.cn-hangzhou.aliyuncs.com/veops/oneterm-guacd:latest
    container_name: oneterm-guacd
    user: root
    restart: always
    volumes:
      - ./volume/replay:/replay
    networks:
      new:
        aliases:
          - oneterm-guacd
  mysql:
    image: registry.cn-hangzhou.aliyuncs.com/qiluo-images/mysql:8.4.5
    container_name: oneterm-mysql
    environment:
      TZ: Asia/Shanghai
      MYSQL_ROOT_PASSWORD: '123456'
      MYSQL_DATABASE: 'oneterm'
    volumes:
      - ./volume/mysql:/var/lib/mysql
      - ./mysqld.cnf:/etc/mysql/conf.d/mysqld.cnf
      - ./acl.sql:/docker-entrypoint-initdb.d/2-acl.sql
      - ./create-users.sql:/docker-entrypoint-initdb.d/1-create-users.sql
    command: --character-set-server=utf8mb4 --collation-server=utf8mb4_unicode_ci
    restart: always
    networks:
      new:
        aliases:
          - mysql
  redis:
    image: registry.cn-hangzhou.aliyuncs.com/qiluo-images/redis:latest
    container_name: oneterm-redis
    restart: always
    environment:
      TZ: Asia/Shanghai
    networks:
      new:
        aliases:
          - redis
  oneterm-ui:
    image: registry.cn-hangzhou.aliyuncs.com/veops/oneterm-ui:v25.2.1
    container_name: oneterm-ui
    depends_on:
      - oneterm-api
    environment:
      TZ: Asia/Shanghai
      ONETERM_API_HOST: oneterm-api:8888
      ACL_API_HOST: acl-api:5000
      NGINX_PORT: 80
    volumes:
      - ./nginx.oneterm.conf.example:/etc/nginx/conf.d/nginx.oneterm.conf.example
    restart: always
    command:
      - /bin/sh
      - -c
      - |
        envsubst '$$ONETERM_API_HOST $$ACL_API_HOST $$NGINX_PORT' < /etc/nginx/conf.d/nginx.oneterm.conf.example > /etc/nginx/conf.d/oneterm.conf
        nginx -g 'daemon off;'
        nginx -s reload
    networks:
      - new
    ports:
      - "8666:80"
  acl-api:
    image: registry.cn-hangzhou.aliyuncs.com/veops/acl-api:latest
    container_name: oneterm-acl-api
    environment:
      TZ: Asia/Shanghai
      WAIT_HOSTS: mysql:3306, redis:6379
    volumes:
      - ./.env:/data/apps/acl/.env
    restart: always
    command:
      - /bin/sh
      - -c
      - |
        sleep 2
        flask db-setup
        flask common-check-new-columns
        flask init-acl
        flask init-department
        gunicorn --workers=3 autoapp:app -b 0.0.0.0:5000 -D --access-logfile logs/access.log --error-logfile logs/error.log
        celery -A celery_worker.celery worker -E -Q acl_async --logfile=one_acl_async.log --autoscale=2,1
    depends_on:
      - mysql
      - redis
    networks:
      new:
        aliases:
          - acl-api
networks:
  new:
    driver: bridge
    name: oneterm_network
    ipam:
      config:
        - subnet: 172.30.0.0/24
```
Before starting, review the weak defaults in this file: the MySQL root password is the literal '123456', oneterm-guacd runs as root, two images use the floating latest tag, and both the SSH entry port (2222) and the web UI (8666, plain HTTP) are published on all host interfaces. Move the database password into the .env file the acl-api container already mounts, pin every image tag, and put the UI behind TLS (or bind 8666 to localhost and front it with a reverse proxy) before the host is reachable from anything other than an admin network.
5. Start the OneTerm Containers
```bash
docker-compose up -d
docker-compose ps
docker logs -f oneterm-ui
```
6. Access the OneTerm Service
Open http://192.168.152.115:8666 in a browser (192.168.152.115 is the address of the deployment host in this walkthrough; substitute your own).
Default credentials: admin/123456. Change this password at first login; a bastion host holds the credentials to every asset behind it, so a default admin password left in place defeats the purpose of deploying one.
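The following pre-flight check is an added example written for this post; it is not part of the OneTerm project. It scans a docker-compose.yaml for the weak settings called out above (a literal MySQL root password, floating or missing image tags, services running as root, and ports published on every host interface) and is meant to be run in the deploy directory before `docker-compose up -d`. When given no argument it demonstrates on two constructed sample files that mirror the compose file from this post and a hardened variant; the v25.2.1 tag used for guacd in the hardened sample is an assumption, not a tag confirmed to exist.

```shell
#!/bin/sh
# Pre-flight check for weak settings in a docker-compose.yaml (added example).
# Usage: sh check_compose.sh [docker-compose.yaml]

# check_compose FILE: print one "FINDING:" line per weak setting. Always returns 0.
check_compose() {
  f="$1"
  # 1. A literal MYSQL_ROOT_PASSWORD in the compose file (anything not read from $ENV).
  pw=$(sed -n "s/^[[:space:]]*MYSQL_ROOT_PASSWORD:[[:space:]]*//p" "$f" | tr -d "'\"")
  case "$pw" in
    "") : ;;                    # not set here
    \$*) : ;;                   # supplied via environment or .env
    *) echo "FINDING: literal MYSQL_ROOT_PASSWORD '$pw' in $f" ;;
  esac
  # 2. Images with a floating :latest tag or no tag at all (defaults to :latest).
  grep -E '^[[:space:]]*image:' "$f" | awk '{print $2}' | while IFS= read -r img; do
    last="${img##*/}"           # last path component, so a registry:port is ignored
    case "$last" in
      *:latest) echo "FINDING: floating tag on $img" ;;
      *:*) : ;;                 # pinned tag
      *) echo "FINDING: untagged image $img (resolves to :latest)" ;;
    esac
  done
  # 3. Containers explicitly running as root.
  if grep -Eq '^[[:space:]]*user:[[:space:]]*root' "$f"; then
    echo "FINDING: a service sets user: root in $f"
  fi
  # 4. Ports published without a host bind address (reachable on all interfaces).
  grep -E '^[[:space:]]*-[[:space:]]*"?[0-9]+:[0-9]+"?' "$f" | while IFS= read -r line; do
    echo "FINDING: port published on all interfaces:$line"
  done
  return 0
}

# count_findings FILE: number of findings, printed on stdout.
count_findings() {
  check_compose "$1" | grep -c '^FINDING' || true
}

# write_samples DIR: constructed sample compose files (not the project's own files).
write_samples() {
  cat > "$1/weak.yaml" <<'EOF'
services:
  oneterm-api:
    image: registry.cn-hangzhou.aliyuncs.com/veops/oneterm-api:v25.2.1
    ports:
      - "2222:2222"
  oneterm-guacd:
    image: registry.cn-hangzhou.aliyuncs.com/veops/oneterm-guacd:latest
    user: root
  mysql:
    image: registry.cn-hangzhou.aliyuncs.com/qiluo-images/mysql:8.4.5
    environment:
      MYSQL_ROOT_PASSWORD: '123456'
  oneterm-ui:
    image: registry.cn-hangzhou.aliyuncs.com/veops/oneterm-ui:v25.2.1
    ports:
      - "8666:80"
EOF
  cat > "$1/hardened.yaml" <<'EOF'
services:
  oneterm-api:
    image: registry.cn-hangzhou.aliyuncs.com/veops/oneterm-api:v25.2.1
    ports:
      - "10.0.0.5:2222:2222"
  oneterm-guacd:
    image: registry.cn-hangzhou.aliyuncs.com/veops/oneterm-guacd:v25.2.1
  mysql:
    image: registry.cn-hangzhou.aliyuncs.com/qiluo-images/mysql:8.4.5
    environment:
      MYSQL_ROOT_PASSWORD: ${MYSQL_ROOT_PASSWORD:?set it in .env}
  oneterm-ui:
    image: registry.cn-hangzhou.aliyuncs.com/veops/oneterm-ui:v25.2.1
    ports:
      - "127.0.0.1:8666:80"
EOF
}

if [ -n "${1:-}" ]; then
  check_compose "$1"
else
  d=$(mktemp -d)
  write_samples "$d"
  echo "== weak.yaml ==";     check_compose "$d/weak.yaml"
  echo "== hardened.yaml =="; check_compose "$d/hardened.yaml"
  rm -rf "$d"
fi
```

The SSH entry port 2222 is expected to be reachable from the admin network, so that finding is informational; the point of the check is that every exposure is a decision rather than a default. The hardened sample reads the database password from .env with the `${VAR:?message}` form, which makes docker-compose refuse to start instead of falling back to an empty password when the variable is missing.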

