环境 | 版本 |
---|---|
Centos | 7.6 |
python | 3.6.1(虚拟环境) |
redis | 3.2.12 |
MariaDB | 5.5.65 |
jumpserver | v2.2.2 |
koko+kubectl | v2.2.2+kubectl |
guacamole | jms_guacamole:v2.2.2 |
lina+luna | v2.2.2 |
nginx | 1.19.2 |
点击软件下载安装包
一、关闭selinux和firewalld
禁用selinux
二、安装依赖和更改中文字符集
1.修改中文字符集
[root@vm ~]# localedef -c -f UTF-8 -i zh_CN zh_CN.UTF-8
[root@vm ~]# export LC_ALL=zh_CN.UTF-8
[root@vm ~]# echo 'LANG="zh_CN.UTF-8"' > /etc/locale.conf
2.安装依赖包
[root@vm ~]# yum -y install epel-release
[root@vm ~]# yum clean all && yum makecache
[root@vm ~]# yum -y update
[root@vm ~]# yum -y install wget sqlite-devel xz gcc automake zlib-devel openssl-devel epel-release git
三、安装python
[root@vm ~]# wget https://mirrors.huaweicloud.com/python/3.6.1/Python-3.6.1.tar.xz
[root@vm ~]# tar xf Python-3.6.1.tar.xz && cd Python-3.6.1
[root@vm Python-3.6.1]# ./configure && make && make install
这里必须执行编译安装,否则在安装 Python 库依赖时会有麻烦...
##yum安装
#yum -y install python36 python36-devel
[root@vm Python-3.6.1]# cd /opt
创建虚拟环境
[root@vm opt]# python3 -m venv py3
进入虚拟环境
[root@vm opt]# source /opt/py3/bin/activate
(py3) [root@vm opt]#
注意:每次操作 JumpServer 都需要先载入 py3 虚拟环境
2、下载Jumpserver
四、进入虚拟环境配置jumpserver
(py3) [root@vm ~]# cd /opt/
(py3) [root@vm opt]# wget https://github.com/jumpserver/jumpserver/releases/download/v2.2.2/jumpserver-v2.2.2.tar.gz
(py3) [root@vm opt]# tar xf jumpserver-v2.2.2.tar.gz
(py3) [root@vm opt]# mv jumpserver-v2.2.2 jumpserver
(py3) [root@vm opt]# cd /opt/jumpserver/requirements
(py3) [root@vm requirements]# yum install -y $(cat rpm_requirements.txt)
#-i 使用国内源快速安装
(py3) [root@jumpserver requirements]# pip install --upgrade pip  # 升级pip
(py3) [root@vm requirements]# pip install wheel -i https://mirrors.aliyun.com/pypi/simple/
(py3) [root@vm requirements]# pip install --upgrade pip setuptools -i https://mirrors.aliyun.com/pypi/simple/
(py3) [root@vm requirements]# pip install -r requirements.txt -i https://mirrors.aliyun.com/pypi/simple/
五、安装配置redis和mysql
1.安装redis
(py3) [root@vm requirements]# yum -y install redis
(py3) [root@vm requirements]# systemctl enable redis
Created symlink from /etc/systemd/system/multi-user.target.wants/redis.service to /usr/lib/systemd/system/redis.service.
(py3) [root@vm requirements]# systemctl start redis
2.安装mysql
(py3) [root@vm requirements]# yum -y install mariadb mariadb-devel mariadb-server
(py3) [root@vm requirements]# systemctl enable mariadb
Created symlink from /etc/systemd/system/multi-user.target.wants/mariadb.service to /usr/lib/systemd/system/mariadb.service.
(py3) [root@vm requirements]# systemctl start mariadb
3.创建jumpserver数据库并授权
线上建议使用较新版本的 MySQL,低版本容易被扫描出已知漏洞。
MySQL5 授权方式:
MariaDB [(none)]> create database jumpserver default charset 'utf8';
设置用户 jumpserver@127.0.0.1 对 jumpserver 数据库所有表都有权限,并设置密码为123456(下面命令中的 'xxxxx' 为占位符,请替换为实际密码)
MariaDB [(none)]> grant all on jumpserver.* to 'jumpserver'@'127.0.0.1' identified by 'xxxxx';
MariaDB [(none)]> flush privileges;
##给mysql设置密码
SET PASSWORD = PASSWORD('xxxxxxxx');
MySQL8.0 授权方式:
mysql> create database jumpserver default charset 'utf8';
#创建jumpserver用户,并设置密码123456,线上请设置复杂密码
mysql> CREATE USER 'jumpserver'@'%' IDENTIFIED BY '123456';
mysql> GRANT ALL PRIVILEGES ON jumpserver.* TO jumpserver@'%';
#注意:MySQL 8.0 必须还要给第三方登录的授权,否则jumpserver无法连接mysql
mysql> alter user jumpserver identified with mysql_native_password by '123456';
mysql> flush privileges;
六、配置启动jumpserver
1.配置jumpserver
# 主要修改SECRET_KEY,BOOTSTRAP_TOKEN,MySQL配置,Redis配置
(py3) [root@vm jumpserver]# cd /opt/jumpserver
(py3) [root@vm jumpserver]# cp config_example.yml config.yml
(py3) [root@vm jumpserver]# vi config.yml
# 加密秘钥 生产环境中请修改为随机字符串,请勿外泄, 可使用命令生成 SECRET_KEY
# cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 49;echo
SECRET_KEY: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
# SECURITY WARNING: keep the bootstrap token used in production secret!
# 预共享Token coco和guacamole用来注册服务账号,不在使用原来的注册接受机制
# 可使用命令生成 BOOTSTRAP_TOKEN
# cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 12;echo
BOOTSTRAP_TOKEN: xxxxxxxxxxxxxxxxxx
# 使用Mysql作为数据库
DB_ENGINE: mysql
DB_HOST: 127.0.0.1
DB_PORT: 3306
DB_USER: jumpserver
#MySQL密码必须要用单引号括起来,否则启动jumpserver报错
DB_PASSWORD: 'xxxxxxx'
DB_NAME: jumpserver
# Redis配置
REDIS_HOST: 127.0.0.1
REDIS_PORT: 6379
#如果redis设置了密码需要打开这个注释,redis密码可以不需要单引号
REDIS_PASSWORD: xxxxxx
注意:mysql配置密码要加上单引号!否则启动不起来。
2.启停jumpserver
#前台启动
(py3) [root@vm jumpserver]# ./jms start
......
#后台启动
(py3) [root@vm jumpserver]# ./jms start -d
(py3) [root@vm jumpserver]# ./jms stop  # 这个停止只是演示,安装完jumpserver就可以直接启动了。
Stop service: gunicorn
Stop service: celery
Stop service: beat
七、部署koko组件 (coco 目前已经被 koko 取代)
1.手工部署koko
(py3) [root@vm jumpserver]# cd /opt
(py3) [root@vm opt]# wget https://github.com/jumpserver/koko/releases/download/v2.2.2/koko-v2.2.2-linux-amd64.tar.gz
(py3) [root@vm opt]# tar -xf koko-v2.2.2-linux-amd64.tar.gz
(py3) [root@vm opt]# mv koko-v2.2.2-linux-amd64 koko
(py3) [root@vm opt]# chown -R root:root koko
(py3) [root@vm opt]# cd koko
(py3) [root@vm opt]# mv kubectl /usr/local/bin/
(py3) [root@vm opt]# wget https://download.jumpserver.org/public/kubectl.tar.gz
(py3) [root@vm opt]# tar -xf kubectl.tar.gz &&
(py3) [root@vm opt]# chmod 755 kubectl &&
(py3) [root@vm opt]# mv kubectl /usr/local/bin/rawkubectl &&
(py3) [root@vm opt]# rm -rf kubectl.tar.gz
(py3) [root@vm opt]# cp config_example.yml config.yml &&
(py3) [root@vm opt]# vim config.yml
#主要修改和redis配置
#BOOTSTRAP_TOKEN 和jumpserver配置一样
BOOTSTRAP_TOKEN: xxxxxxxx
# Redis配置
REDIS_HOST: 127.0.0.1
REDIS_PORT: 6379
REDIS_PASSWORD: xxxxxx
koko 启停:启动 koko 前要先把 jumpserver 服务启动起来,否则会报错:
2020-09-22 16:18:38 [ERRO] Post http://127.0.0.1:8080/api/v2/terminal/terminal-registrations/: dial tcp 127.0.0.1:8080: connect: connection refused
2020-09-22 16:18:38 [ERRO] register access key failed
前台启动:
./koko
后台启动:
./koko -d
2. docker部署
如果前面已经正常部署了 KoKo, 可以跳过此步骤
例子:
docker run --name jms_koko -d \
-p 2222:2222 -p 127.0.0.1:5000:5000 \
-e CORE_HOST=http://<Jumpserver_url> \
-e BOOTSTRAP_TOKEN=<Jumpserver_BOOTSTRAP_TOKEN> \
-e LOG_LEVEL=ERROR \
--restart=always \
--privileged=true \
jumpserver/jms_koko:<Tag>
<Jumpserver_url> 为 jumpserver 的 url 地址, <Jumpserver_BOOTSTRAP_TOKEN> 需要从 jumpserver/config.yml 里面获取, 保证一致, <Tag> 是版本
实例:
docker run --name jms_koko -d \
-p 2222:2222 \
-p 127.0.0.1:5000:5000 \
-e CORE_HOST=http://192.168.244.144:8080 \
-e BOOTSTRAP_TOKEN=zxffNymGjP79j6BN \
-e LOG_LEVEL=ERROR \
--privileged=true \
--restart=always \
jumpserver/jms_koko:v2.2.2
查看启动成功:
(py3) [root@vm opt]# docker ps -a
停止docker的koko
docker stop <上面查出的容器ID>
启动docker
docker start <容器ID>
八、部署guacamole
1.docker方式部署
Guacamole 是基于 HTML5 和 JavaScript 的 VNC 查看器。建议使用 Docker 部署 Guacamole 组件,部分环境可能无法正常编译安装
安装docker最新版
yum install -y yum-utils device-mapper-persistent-data lvm2
yum-config-manager --add-repo http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo ##(阿里仓库)
yum install docker -y
systemctl enable docker
systemctl start docker.service
示例:
docker run --name jms_guacamole -d \
-p 127.0.0.1:8081:8080 \
-e JUMPSERVER_SERVER=http://<Jumpserver_url> \
-e BOOTSTRAP_TOKEN=<Jumpserver_BOOTSTRAP_TOKEN> \
-e GUACAMOLE_LOG_LEVEL=ERROR \
jumpserver/jms_guacamole:<Tag>
<Jumpserver_url> 为 JumpServer 的 url 地址, <Jumpserver_BOOTSTRAP_TOKEN> 需要从 jumpserver/config.yml 里面获取, 保证一致, <Tag> 是版本
实例:
安装:
docker run --name jms_guacamole -d \
-p 127.0.0.1:8081:8080 \
-e JUMPSERVER_SERVER=http://192.168.38.51:8080 \
-e BOOTSTRAP_TOKEN=5O4kuI4cFjk7 \
-e GUACAMOLE_LOG_LEVEL=ERROR \
jumpserver/jms_guacamole:v2.2.2
2.手工部署guacamole(如果docker弄好了就忽略这步)
建议使用 Docker 部署 Guacamole 组件 , 部分环境可能无法正常编译安装
cd /opt &&
wget -O docker-guacamole-v2.2.2.tar.gz https://github.com/jumpserver/docker-guacamole/archive/master.tar.gz
mkdir /opt/docker-guacamole &&
tar -xf docker-guacamole-v2.2.2.tar.gz -C /opt/docker-guacamole --strip-components 1 &&
rm -rf /opt/docker-guacamole-v2.2.2.tar.gz &&
cd /opt/docker-guacamole &&
wget http://download.jumpserver.org/public/guacamole-server-1.2.0.tar.gz &&
tar -xf guacamole-server-1.2.0.tar.gz &&
wget http://download.jumpserver.org/public/ssh-forward.tar.gz &&
tar -xf ssh-forward.tar.gz -C /bin/ &&
chmod +x /bin/ssh-forward
cd /opt/docker-guacamole/guacamole-server-1.2.0
根据 Guacamole官方文档 文档安装对应的依赖包
./configure --with-init-dir=/etc/init.d &&
make &&
make install
需要先在当前环境配置好 Java
yum install -y java-1.8.0-openjdk
mkdir -p /config/guacamole /config/guacamole/extensions /config/guacamole/record /config/guacamole/drive &&
chown daemon:daemon /config/guacamole/record /config/guacamole/drive &&
cd /config
访问 https://mirror.bit.edu.cn/apache/tomcat/tomcat-9 下载最新的 Tomcat9
tar -xf apache-tomcat-9.0.36.tar.gz &&
mv apache-tomcat-9.0.36 tomcat9 &&
rm -rf /config/tomcat9/webapps/* &&
sed -i 's/Connector port="8080"/Connector port="8081"/g' /config/tomcat9/conf/server.xml &&
echo "java.util.logging.ConsoleHandler.encoding = UTF-8" >> /config/tomcat9/conf/logging.properties &&
wget http://download.jumpserver.org/release/v2.2.2/guacamole-client-v2.2.2.tar.gz &&
tar -xf guacamole-client-v2.2.2.tar.gz &&
rm -rf guacamole-client-v2.2.2.tar.gz &&
cp guacamole-client-v2.2.2/guacamole-*.war /config/tomcat9/webapps/ROOT.war &&
cp guacamole-client-v2.2.2/guacamole-*.jar /config/guacamole/extensions/ &&
mv /opt/docker-guacamole/guacamole.properties /config/guacamole/ &&
rm -rf /opt/docker-guacamole
设置 Guacamole 环境
export JUMPSERVER_SERVER=http://127.0.0.1:8080
echo "export JUMPSERVER_SERVER=http://127.0.0.1:8080" >> ~/.bashrc
export BOOTSTRAP_TOKEN=zxffNymGjP79j6BN
echo "export BOOTSTRAP_TOKEN=zxffNymGjP79j6BN" >> ~/.bashrc
export JUMPSERVER_KEY_DIR=/config/guacamole/keys
echo "export JUMPSERVER_KEY_DIR=/config/guacamole/keys" >> ~/.bashrc
export GUACAMOLE_HOME=/config/guacamole
echo "export GUACAMOLE_HOME=/config/guacamole" >> ~/.bashrc
export GUACAMOLE_LOG_LEVEL=ERROR
echo "export GUACAMOLE_LOG_LEVEL=ERROR" >> ~/.bashrc
export JUMPSERVER_ENABLE_DRIVE=true
echo "export JUMPSERVER_ENABLE_DRIVE=true" >> ~/.bashrc
启动 Guacamole
/etc/init.d/guacd start
sh /config/tomcat9/bin/startup.sh
环境变量说明
JUMPSERVER_SERVER 指 core 访问地址
BOOTSTRAP_TOKEN 必须与 jumpserver/config.yml 里面的 BOOTSTRAP_TOKEN 值保持一致(它是组件向 core 注册用的共享凭据)
JUMPSERVER_KEY_DIR 认证成功后 key 存放目录
GUACAMOLE_HOME 为 guacamole.properties 配置文件所在目录
GUACAMOLE_LOG_LEVEL 为生成日志的等级
JUMPSERVER_ENABLE_DRIVE 为 rdp 协议挂载共享盘
九、部署lina和luna组件
lina 部署:我的 nginx 是用 root 启动的,所以将目录属主赋给 root
cd /opt
wget https://github.com/jumpserver/lina/releases/download/v2.2.2/lina-v2.2.2.tar.gz
tar -xf lina-v2.2.2.tar.gz
mv lina-v2.2.2 lina
chown -R root:root lina
luna 组件:与 nginx 结合支持 Web Terminal 前端。我的 nginx 是用 root 启动的,所以将目录属主赋给 root
cd /opt
wget https://github.com/jumpserver/luna/releases/download/v2.2.2/luna-v2.2.2.tar.gz
tar -xf luna-v2.2.2.tar.gz
mv luna-v2.2.2 luna
chown -R root:root luna
十、安装部署nginx
1.配置nginx源
yum install yum-utils
vim /etc/yum.repos.d/nginx.repo
[nginx-stable]
name=nginx stable repo
baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
gpgcheck=1
enabled=1
gpgkey=https://nginx.org/keys/nginx_signing.key
module_hotfixes=true
[nginx-mainline]
name=nginx mainline repo
baseurl=http://nginx.org/packages/mainline/centos/$releasever/$basearch/
gpgcheck=1
enabled=1
gpgkey=https://nginx.org/keys/nginx_signing.key
module_hotfixes=true
yum安装nginx
yum-config-manager --enable nginx-mainline
yum install nginx -y
jumpserver.conf配置文件
echo > /etc/nginx/conf.d/default.conf ##清空default文件
vim /etc/nginx/conf.d/jumpserver.conf
# JumpServer front-end vhost: serves the lina/luna static bundles and
# proxies koko (5000), guacamole (8081), the websocket endpoint (8070)
# and the core API (8080), all on localhost.
# NOTE(review): this listens on plain HTTP only; no TLS listener is
# defined here, so confirm TLS is terminated in front of nginx or add
# a 443 server block before exposing the login page.
server {
listen 80;
client_max_body_size 100m; # upload size limit for recordings and files
location /ui/ {
try_files $uri / /index.html;
alias /opt/lina/;
}
location /luna/ {
try_files $uri / /index.html;
alias /opt/luna/; # luna path; change this if the install directory changes
}
location /media/ {
add_header Content-Encoding gzip;
root /opt/jumpserver/data/; # recordings location; change this if the install directory changes
}
location /static/ {
root /opt/jumpserver/data/; # static assets; change this if the install directory changes
}
# koko web terminal: websocket upgrade headers are required
location /koko/ {
proxy_pass http://localhost:5000;
proxy_buffering off;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
access_log off;
}
# guacamole (tomcat on 8081); trailing slash strips the /guacamole/ prefix
location /guacamole/ {
proxy_pass http://localhost:8081/;
proxy_buffering off;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $http_connection;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
access_log off;
}
location /ws/ {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://localhost:8070;
proxy_http_version 1.1;
proxy_buffering off;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
# core API; X-Forwarded-For is what core sees as the client address, so
# only trust it if nothing upstream of nginx can spoof it
location /api/ {
proxy_pass http://localhost:8080;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
location /core/ {
proxy_pass http://localhost:8080;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
# everything else is rewritten into the lina UI
location / {
rewrite ^/(.*)$ /ui/$1 last;
}
}
检查语法
# /usr/sbin/nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
启动nginx
(py3) [root@localhost nginx]# systemctl enable nginx
Created symlink from /etc/systemd/system/multi-user.target.wants/nginx.service to /usr/lib/systemd/system/nginx.service.
(py3) [root@localhost nginx]# systemctl start nginx
(py3) [root@localhost nginx]# systemctl status nginx
检查端口
十一、web登录检测
登录方式:直接通过浏览器访问服务器 IP