Installing the open-source bastion host Jumpserver on CentOS 7

Useful links:

Jumpserver project:

https://github.com/jumpserver

Jumpserver official documentation:

http://docs.jumpserver.org/zh/docs/

 

1. Test environment:

Operating system: CentOS 7.6

IP address: 192.168.9.224

Install directory: /opt

Database: mariadb

Proxy: nginx

 

# Disable SELinux

[root@imzcy ~]# setenforce 0

[root@imzcy ~]# sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config

 

 

# Disable the firewall

[root@imzcy ~]# systemctl stop firewalld

[root@imzcy ~]# systemctl disable firewalld

 

# Change the locale (the logs contain Chinese text, so if the system locale is not UTF-8 you will get input/output errors)

[root@imzcy ~]# localedef -c -f UTF-8 -i zh_CN zh_CN.UTF-8

[root@imzcy ~]# export LC_ALL=zh_CN.UTF-8

[root@imzcy ~]# echo 'LANG="zh_CN.UTF-8"' > /etc/locale.conf

 

# Add the Aliyun yum repository

[root@imzcy ~]# yum-config-manager --add-repo http://mirrors.aliyun.com/repo/Centos-7.repo

 

2. Prepare Python 3 and a Python virtual environment

2.1 Install the build dependencies

[root@imzcy ~]# yum -y install wget sqlite-devel xz gcc automake zlib-devel openssl-devel epel-release git

 

2.2 Build and install

[root@imzcy ~]# wget https://www.python.org/ftp/python/3.6.1/Python-3.6.1.tar.xz

[root@imzcy ~]# tar xf Python-3.6.1.tar.xz

[root@imzcy ~]# cd Python-3.6.1

[root@imzcy Python-3.6.1]# ./configure

[root@imzcy Python-3.6.1]# make

[root@imzcy Python-3.6.1]# make install

 

2.3 Create the Python virtual environment

 

CentOS 6/7 ships with Python 2, and tools such as yum depend on that original Python, so to avoid disturbing the system environment we use a Python virtual environment.

 

[root@imzcy ~]# cd /opt/

[root@imzcy opt]# python3 -m venv py3

[root@imzcy opt]# source /opt/py3/bin/activate

(py3) [root@imzcy opt]#

(py3) [root@imzcy opt]#

# The (py3) prefix in the prompt above means it worked. From now on, run the source command above before running Jumpserver; all of the following commands run inside this virtual environment.

 

Use the deactivate command to leave the Python virtual environment

(py3) [root@imzcy opt]# deactivate

[root@imzcy opt]#

 

3. Install Jumpserver

3.1 Download or clone the project

[root@imzcy ~]# cd /opt/

[root@imzcy opt]# git clone https://github.com/jumpserver/jumpserver.git

[root@imzcy opt]# cd jumpserver/

[root@imzcy jumpserver]# git checkout master

 

3.2 Install the RPM dependencies

[root@imzcy ~]# cd /opt/jumpserver/requirements/

[root@imzcy requirements]# yum -y install $(cat rpm_requirements.txt)

 

3.3 Install the Python dependencies (if installation errors out, reboot the system)

[root@imzcy requirements]# source /opt/py3/bin/activate

(py3) [root@imzcy requirements]# pip install -r requirements.txt

 

# If you see the following at the end, everything installed successfully

Successfully installed Django-2.1 ForgeryPy-0.1 Jinja2-2.10 MarkupSafe-1.0 Pillow-4.3.0 PyNaCl-1.2.1 PyYAML-3.12 Werkzeug-0.14.1 amqp-2.1.4 ansible-2.4.2.0 asn1crypto-0.24.0 bcrypt-3.1.4 billiard-3.5.0.3 boto3-1.6.5 botocore-1.9.5 celery-4.1.0 certifi-2018.1.18 cffi-1.11.2 chardet-3.0.4 configparser-3.5.0 coreapi-2.3.3 coreschema-0.0.4 crcmod-1.7 cryptography-2.3.1 decorator-4.1.2 django-auth-ldap-1.3.0 django-bootstrap3-9.1.0 django-celery-beat-1.1.1 django-filter-2.0.0 django-formtools-2.1 django-ranged-response-0.2.0 django-redis-cache-1.7.1 django-rest-swagger-2.1.2 django-simple-captcha-0.5.6 djangorestframework-3.8.2 djangorestframework-bulk-0.2.1 dnspython-1.15.0 docutils-0.14 drf-nested-routers-0.90.2 drf-yasg-1.9.1 ecdsa-0.13 elasticsearch-6.1.1 enum-compat-0.0.2 ephem-3.7.6.0 eventlet-0.24.1 future-0.16.0 greenlet-0.4.14 gunicorn-19.9.0 idna-2.6 inflection-0.3.1 itsdangerous-0.24 itypes-1.1.0 jmespath-0.9.3 jms-storage-0.0.18 kombu-4.0.2 ldap3-2.4 monotonic-1.5 mysqlclient-1.3.12 olefile-0.44 openapi-codec-1.3.2 oss2-2.4.0 paramiko-2.4.1 passlib-1.7.1 pyasn1-0.4.2 pycparser-2.18 pycrypto-2.6.1 pyldap-2.4.45 pyotp-2.2.6 python-dateutil-2.6.1 python-gssapi-0.6.4 pytz-2018.3 redis-2.10.6 requests-2.18.4 ruamel.yaml-0.15.72 s3transfer-0.1.13 simplejson-3.13.2 six-1.11.0 sshpubkeys-2.2.0 uritemplate-3.0.0 urllib3-1.22 vine-1.1.4

You are using pip version 9.0.1, however version 18.1 is available.

You should consider upgrading via the 'pip install --upgrade pip' command.

(py3) [root@imzcy requirements]#

(py3) [root@imzcy requirements]# deactivate

[root@imzcy requirements]#

 

3.4 Install Redis (Jumpserver uses Redis as its cache and as the Celery broker)

[root@imzcy ~]# yum -y install redis

[root@imzcy ~]# systemctl enable redis

[root@imzcy ~]# systemctl start redis

 

3.5 Install MySQL

[root@imzcy ~]# yum -y install mariadb mariadb-devel mariadb-server

[root@imzcy ~]# systemctl enable mariadb

[root@imzcy ~]# systemctl start mariadb

 

3.6 Create the jumpserver database and grant privileges

[root@imzcy ~]# mysql

Welcome to the MariaDB monitor. Commands end with ; or \g.

Your MariaDB connection id is 2

Server version: 5.5.60-MariaDB MariaDB Server

 

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

 

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

 

MariaDB [(none)]> create database jumpserver default charset 'utf8';

Query OK, 1 row affected (0.00 sec)

 

MariaDB [(none)]> grant all on jumpserver.* to 'jumpserver'@'127.0.0.1' identified by 'weakPassword';

Query OK, 0 rows affected (0.00 sec)

 

MariaDB [(none)]> flush privileges;

Query OK, 0 rows affected (0.00 sec)

 

MariaDB [(none)]> exit

Bye

[root@imzcy ~]#

 

3.7 Edit the Jumpserver configuration file

$ cd /opt/jumpserver
$ cp config_example.yml config.yml
$ SECRET_KEY=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 50`  # generate a random SECRET_KEY
$ echo "SECRET_KEY=$SECRET_KEY" >> ~/.bashrc
$ BOOTSTRAP_TOKEN=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 16`  # generate a random BOOTSTRAP_TOKEN
$ echo "BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN" >> ~/.bashrc
$ sed -i "s/SECRET_KEY:/SECRET_KEY: $SECRET_KEY/g" /opt/jumpserver/config.yml
$ sed -i "s/BOOTSTRAP_TOKEN:/BOOTSTRAP_TOKEN: $BOOTSTRAP_TOKEN/g" /opt/jumpserver/config.yml
$ sed -i "s/# DEBUG: true/DEBUG: false/g" /opt/jumpserver/config.yml
$ sed -i "s/# LOG_LEVEL: DEBUG/LOG_LEVEL: ERROR/g" /opt/jumpserver/config.yml
$ sed -i "s/# SESSION_EXPIRE_AT_BROWSER_CLOSE: false/SESSION_EXPIRE_AT_BROWSER_CLOSE: true/g" /opt/jumpserver/config.yml
$ DB_PASSWORD=weakPassword  # the password granted to 'jumpserver'@'127.0.0.1' in step 3.6; without this the next sed writes an empty DB_PASSWORD
$ sed -i "s/DB_PASSWORD: /DB_PASSWORD: $DB_PASSWORD/g" /opt/jumpserver/config.yml
$ echo -e "\033[31m 你的SECRET_KEY是 $SECRET_KEY \033[0m"
$ echo -e "\033[31m 你的BOOTSTRAP_TOKEN是 $BOOTSTRAP_TOKEN \033[0m"
$ vi config.yml  # check the contents for mistakes

# SECURITY WARNING: keep the secret key used in production secret!
# Encryption key. Use a random string in production and never leak it. NB: digits only is not allowed
SECRET_KEY:

# SECURITY WARNING: keep the bootstrap token used in production secret!
# Pre-shared token used by koko and guacamole to register their service accounts; the old register-then-accept mechanism is no longer used
BOOTSTRAP_TOKEN:

# Development env open this, when error occur display the full process track, Production disable it
# DEBUG mode: with DEBUG on you get more log detail when errors occur
DEBUG: false

# DEBUG, INFO, WARNING, ERROR, CRITICAL can set. See https://docs.djangoproject.com/en/1.10/topics/logging/
# Log level
LOG_LEVEL: ERROR
# LOG_DIR:

# Session expiration setting, Default 24 hour, Also set expired on on browser close
# Browser session lifetime, default 24 hours; can also be set to expire when the browser closes
# SESSION_COOKIE_AGE: 86400
SESSION_EXPIRE_AT_BROWSER_CLOSE: true

# Database setting, Support sqlite3, mysql, postgres ....
# Database settings
# See https://docs.djangoproject.com/en/1.10/ref/settings/#databases

# SQLite setting:
# Single-file sqlite database
# DB_ENGINE: sqlite3
# DB_NAME:

# MySQL or postgres setting like:
# Use MySQL as the database
DB_ENGINE: mysql
DB_HOST: 127.0.0.1
DB_PORT: 3306
DB_USER: jumpserver
DB_PASSWORD:
DB_NAME: jumpserver

# When Django start it will bind this host and port
# ./manage.py runserver 127.0.0.1:8080
# Host and port bound at runtime
HTTP_BIND_HOST: 0.0.0.0
HTTP_LISTEN_PORT: 8080

# Use Redis as broker for celery and web socket
# Redis settings
REDIS_HOST: 127.0.0.1
REDIS_PORT: 6379
# REDIS_PASSWORD:
# REDIS_DB_CELERY: 3
# REDIS_DB_CACHE: 4

# Use OpenID authorization
# OpenID authentication settings
# BASE_SITE_URL: http://localhost:8080
# AUTH_OPENID: false  # True or False
# AUTH_OPENID_SERVER_URL: https://openid-auth-server.com/
# AUTH_OPENID_REALM_NAME: realm-name
# AUTH_OPENID_CLIENT_ID: client-id
# AUTH_OPENID_CLIENT_SECRET: client-secret

# OTP settings
# OTP/MFA settings
# OTP_VALID_WINDOW: 0
# OTP_ISSUER_NAME: Jumpserver
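A small shell helper, added here as an example and not part of the Jumpserver project, that generates the two secrets the same way the commands in this step do and then checks config.yml for the mistakes this step invites: an empty or digits-only SECRET_KEY (the file's own comment says digits only is not allowed), an empty BOOTSTRAP_TOKEN, DEBUG not set to false, and an empty DB_PASSWORD. The 50-character minimum mirrors the length generated above and is an assumption of this example, not a documented Jumpserver requirement.

```shell
#!/bin/sh
# Added example: generate the Jumpserver secrets and sanity-check config.yml
# before ./jms start. Not part of the Jumpserver project.

# Random alphanumeric secret of length $1, same recipe as the page's
# tr -dc A-Za-z0-9 | head -c N pipeline.
gen_secret() {
    tr -dc 'A-Za-z0-9' </dev/urandom | head -c "$1"
}

# Print the value of an uncommented top-level "KEY: value" line in file $2;
# prints nothing when the key is missing, commented out, or has no value.
cfg_get() {
    sed -n "s/^$1:[[:space:]]*//p" "$2" | head -n 1
}

# Check the settings this step changes. Returns 0 when all pass; otherwise
# prints one line per failing check and returns 1.
check_config() {
    file=$1
    rc=0
    v=$(cfg_get SECRET_KEY "$file")
    if [ -z "$v" ]; then
        echo "SECRET_KEY is empty"; rc=1
    elif [ "${#v}" -lt 50 ]; then   # 50 = length generated above (assumed minimum)
        echo "SECRET_KEY is shorter than 50 characters"; rc=1
    else
        case "$v" in
            *[!0-9]*) ;;                # contains a non-digit: acceptable
            *) echo "SECRET_KEY must not be digits only"; rc=1 ;;
        esac
    fi
    v=$(cfg_get BOOTSTRAP_TOKEN "$file")
    [ -n "$v" ] || { echo "BOOTSTRAP_TOKEN is empty"; rc=1; }
    v=$(cfg_get DEBUG "$file")
    [ "$v" = "false" ] || { echo "DEBUG is not false (got '$v')"; rc=1; }
    v=$(cfg_get DB_PASSWORD "$file")
    [ -n "$v" ] || { echo "DB_PASSWORD is empty; set it to the password granted in step 3.6"; rc=1; }
    return "$rc"
}

# Typical use on the host built in this post:
#   SECRET_KEY=$(gen_secret 50); BOOTSTRAP_TOKEN=$(gen_secret 16)
#   check_config /opt/jumpserver/config.yml || exit 1
```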

 

3.8 Generate the database schema and initial data

[root@imzcy ~]# source /opt/py3/bin/activate

(py3) [root@imzcy ~]# cd /opt/jumpserver/utils

(py3) [root@imzcy utils]# bash make_migrations.sh

 

3.9 Start Jumpserver

(py3) [root@imzcy utils]# cd /opt/jumpserver/

(py3) [root@imzcy jumpserver]# ./jms start -d

If startup reports no errors and ss -tnl shows port 8080 listening, you can open http://192.168.0.80:8080/ in a browser. Default account: admin, password: admin. If the page renders badly, ignore it for now and carry on; it will display properly once the nginx proxy is set up below, because django cannot serve static assets outside debug mode.

 

 

4. Install the SSH server and WebSocket server: Coco

4.1 Download or clone the project

[root@imzcy ~]# cd /opt/

[root@imzcy opt]# git clone https://github.com/jumpserver/coco.git

[root@imzcy opt]# cd coco

[root@imzcy coco]# git checkout master

 

4.2 Install the dependencies

[root@imzcy coco]# cd requirements/

[root@imzcy requirements]# source /opt/py3/bin/activate

(py3) [root@imzcy requirements]# yum -y install $(cat rpm_requirements.txt)

(py3) [root@imzcy requirements]# pip install -r requirements.txt

(py3) [root@imzcy requirements]# cd ..

(py3) [root@imzcy coco]#

 

4.3 Edit the configuration file and run

If coco is deployed on a different host from jumpserver, edit conf.py by hand. Here we make no changes and start cocod with the simplest default configuration file.


(py3) [root@imzcy coco]# mkdir keys

(py3) [root@imzcy coco]# vi conf.py

#!/usr/bin/env python3
# -*- coding: utf-8 -*-
#

import os

BASE_DIR = os.path.dirname(__file__)


class Config:
    """
    Coco config file, coco also load config from server update setting below
    """
    NAME = "coco"
    CORE_HOST = 'http://127.0.0.1:8080'
    COMMAND_STORAGE = {
        "TYPE": "server"
    }
    REPLAY_STORAGE = {
        "TYPE": "server"
    }

    LANGUAGE_CODE = 'zh'


config = Config()

(py3) [root@imzcy coco]#

(py3) [root@imzcy coco]# ./cocod start

After it starts, go to Jumpserver > Session management > Terminal management (http://192.168.244.144:8080/terminal/terminal/) and accept coco's registration (if something goes wrong, reboot the system).

 

5. Install the web terminal front end: Luna

> Luna is now a pure front end and needs Nginx to serve it.

> Download the release package for the matching version from https://github.com/jumpserver/luna/releases and simply extract it; no build step is needed.

 

 

 

5.1 Download and extract Luna

 

 

[root@imzcy ~]# cd /opt/

[root@imzcy opt]# wget https://github.com/jumpserver/luna/releases/download/1.5.2/luna.tar.gz

[root@imzcy opt]# tar xf luna.tar.gz

[root@imzcy opt]# chown -R root:root luna

 

 

6. Install the Windows support component (skip this step if you do not need to manage Windows assets)

Installing the guacamole component by hand is fairly involved, so a prebuilt docker image is used here to start guacamole.

 

6.1 Install Docker (CentOS 7 only; installing Docker on CentOS 6 is considerably more involved)


[root@imzcy ~]# yum remove docker-latest-logrotate docker-logrotate docker-selinux docker-engine

[root@imzcy ~]# yum install -y yum-utils device-mapper-persistent-data lvm2

Add the official Docker repository


[root@imzcy ~]# yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo

[root@imzcy ~]# yum makecache fast

[root@imzcy ~]# yum -y install docker-ce

 

[root@imzcy ~]# systemctl enable docker

[root@imzcy ~]# systemctl start docker

 

6.2 Start Guacamole

> Note that guacamole is exposed on port 8081; if that collides with another port on the host, change it.

> Note: replace http://<jumpserver URL> with your own address, e.g. http://192.168.244.144, otherwise it will fail (the image download is slow, so allow some time).

> 127.0.0.1 cannot be used. The image can be swapped for registry.jumpserver.org/public/guacamole:latest.


[root@imzcy ~]# docker run --name jms_guacamole -d \
    -p 8081:8080 -v /opt/guacamole/key:/config/guacamole/key \
    -e JUMPSERVER_KEY_DIR=/config/guacamole/key \
    -e JUMPSERVER_SERVER=http://192.168.0.80 \
    jumpserver/guacamole:latest


[root@imzcy ~]# docker ps

CONTAINER ID        IMAGE                         COMMAND             CREATED             STATUS              PORTS                    NAMES

1e3fdc93e81b        jumpserver/guacamole:latest   "/init"             29 seconds ago      Up 26 seconds       0.0.0.0:8081->8080/tcp   jms_guacamole

[root@imzcy ~]#

After it starts, go to Jumpserver > Session management > Terminal management (http://192.168.244.144:8080/terminal/terminal/) and accept the registration whose name starts with [Gua].

 

7. Configure Nginx to tie the components together

7.1 Install Nginx (choose whichever installation method and version you prefer)

[root@imzcy ~]# yum -y install nginx

 

7.2 Prepare the configuration files

[root@imzcy ~]# cd /etc/nginx/

[root@imzcy nginx]# mv nginx.conf nginx.conf.bak

[root@imzcy nginx]# vi nginx.conf

 

user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

# Load dynamic modules. See /usr/share/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;

events {
    worker_connections 1024;
}

http {
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    keepalive_timeout   65;
    types_hash_max_size 2048;

    include             /etc/nginx/mime.types;
    default_type        application/octet-stream;

    include /etc/nginx/conf.d/*.conf;
}

[root@imzcy nginx]#

 

Add the virtual host configuration file jumpserver.conf

 

[root@imzcy nginx]# cd conf.d/

[root@imzcy conf.d]# vim jumpserver.conf

 

server {
    listen 80;
    client_max_body_size 100m;  # size limit for recordings and file uploads

    location /luna/ {
        try_files $uri / /index.html;
        alias /opt/luna/;  # luna path; change this if you change the install directory
    }

    location /media/ {
        add_header Content-Encoding gzip;
        root /opt/jumpserver/data/;  # recording location; change this if you change the install directory
    }

    location /static/ {
        root /opt/jumpserver/data/;  # static assets; change this if you change the install directory
    }

    location /socket.io/ {
        proxy_pass http://localhost:5000/socket.io/;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    location /coco/ {
        proxy_pass http://localhost:5000/coco/;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    location /guacamole/ {
        proxy_pass http://localhost:8081/;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    location / {
        proxy_pass http://localhost:8080;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

7.3 Run Nginx

$ nginx -t  # make sure the configuration is valid; fix any problems first
$ systemctl start nginx && systemctl enable nginx

 

7.4 Start using Jumpserver

Check that the applications are running properly

7.4.1 Confirm jumpserver is running; if it is not, restart jumpserver

[root@imzcy ~]# source /opt/py3/bin/activate

(py3) [root@imzcy ~]# cd /opt/jumpserver/

(py3) [root@imzcy jumpserver]# ./jms status

gunicorn is running: 44393

celery is running: 44394

beat is running: 44395

(py3) [root@imzcy jumpserver]#

 

7.4.2 Confirm coco is running; if it is not, restart coco

(py3) [root@imzcy ~]# cd /opt/coco/

(py3) [root@imzcy coco]# ./cocod status

Failed register terminal imzcy exist already

(py3) [root@imzcy coco]#

 

7.4.3 Check that the container is running; if it is not, restart Guacamole

[root@imzcy ~]# docker ps

 

Once all services are up, visit http://192.168.0.88, i.e. the port proxied by nginx; do not go through port 8080 any more.

 

Default account: admin, password: admin

 

If you did not accept the application registrations during deployment, go to Jumpserver > Session management > Terminal management and accept the registrations from Coco, Guacamole and the other components.

 
