常用链接:
Jumpserver 项目地址:
Jumpserver 官方文档:
一、试验环境:
操作系统: CentOS 7.6
IP地址: 192.168.9.224
安装目录: /opt
数据库: mariadb
代理: nginx
# 关闭SELinux
[root@imzcy ~]# setenforce 0
[root@imzcy ~]# sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config
# 关闭防火墙
[root@imzcy ~]# systemctl stop firewalld
[root@imzcy ~]# systemctl disable firewalld
# 修改字符集(因为日志里打印了中文,所以如果系统字符集不是UTF-8的话会报 input/output error的问题)
[root@imzcy ~]# localedef -c -f UTF-8 -i zh_CN zh_CN.UTF-8
[root@imzcy ~]# export LC_ALL=zh_CN.UTF-8
[root@imzcy ~]# echo 'LANG="zh_CN.UTF-8"' > /etc/locale.conf
# 添加阿里云yum源
[root@imzcy ~]# yum-config-manager --add-repo
二、准备Python3和Python虚拟环境
2.1、安装依赖包
[root@imzcy ~]# yum -y install wget sqlite-devel xz gcc automake zlib-devel openssl-devel epel-release git
2.2、编译安装
[root@imzcy ~]# wget
[root@imzcy ~]# tar xf Python-3.6.1.tar.xz
[root@imzcy ~]# cd Python-3.6.1
[root@imzcy Python-3.6.1]# ./configure
[root@imzcy Python-3.6.1]# make
[root@imzcy Python-3.6.1]# make install
2.3、建立 Python 虚拟环境
因为 CentOS 6/7 自带的是 Python2,而 Yum 等工具依赖原来的 Python,为了不扰乱原来的环境我们来使用 Python 虚拟环境
[root@imzcy ~]# cd /opt/
[root@imzcy opt]# python3 -m venv py3
[root@imzcy opt]# source /opt/py3/bin/activate
(py3) [root@imzcy opt]#
(py3) [root@imzcy opt]#
#看到上面的(py3)提示符代表成功,以后运行 Jumpserver 都要先运行以上 source 命令,以下所有命令均在该虚拟环境中运行
使用 deactivate 命令退出python虚拟环境
(py3) [root@imzcy opt]# deactivate
[root@imzcy opt]#
三、安装Jumpserver
3.1、下载或Clone项目
[root@imzcy ~]# cd /opt/
[root@imzcy opt]# git clone /jumpserver.git
[root@imzcy opt]# cd jumpserver/
[root@imzcy jumpserver]# git checkout master
3.2、安装依赖 RPM 包
[root@imzcy ~]# cd /opt/jumpserver/requirements/
[root@imzcy requirements]# yum -y install $(cat rpm_requirements.txt)
3.3、安装python库依赖(安装过程中如果报错,重启系统)
[root@imzcy requirements]# source /opt/py3/bin/activate
(py3) [root@imzcy requirements]# pip install -r requirements.txt
# 安装最后看到下面提示则说明都安装成功了
Successfully installed Django-2.1 ForgeryPy-0.1 Jinja2-2.10 MarkupSafe-1.0 Pillow-4.3.0 PyNaCl-1.2.1 PyYAML-3.12 Werkzeug-0.14.1 amqp-2.1.4 ansible-2.4.2.0 asn1crypto-0.24.0 bcrypt-3.1.4 billiard-3.5.0.3 boto3-1.6.5 botocore-1.9.5 celery-4.1.0 certifi-2018.1.18 cffi-1.11.2 chardet-3.0.4 configparser-3.5.0 coreapi-2.3.3 coreschema-0.0.4 crcmod-1.7 cryptography-2.3.1 decorator-4.1.2 django-auth-ldap-1.3.0 django-bootstrap3-9.1.0 django-celery-beat-1.1.1 django-filter-2.0.0 django-formtools-2.1 django-ranged-response-0.2.0 django-redis-cache-1.7.1 django-rest-swagger-2.1.2 django-simple-captcha-0.5.6 djangorestframework-3.8.2 djangorestframework-bulk-0.2.1 dnspython-1.15.0 docutils-0.14 drf-nested-routers-0.90.2 drf-yasg-1.9.1 ecdsa-0.13 elasticsearch-6.1.1 enum-compat-0.0.2 ephem-3.7.6.0 eventlet-0.24.1 future-0.16.0 greenlet-0.4.14 gunicorn-19.9.0 idna-2.6 inflection-0.3.1 itsdangerous-0.24 itypes-1.1.0 jmespath-0.9.3 jms-storage-0.0.18 kombu-4.0.2 ldap3-2.4 monotonic-1.5 mysqlclient-1.3.12 olefile-0.44 openapi-codec-1.3.2 oss2-2.4.0 paramiko-2.4.1 passlib-1.7.1 pyasn1-0.4.2 pycparser-2.18 pycrypto-2.6.1 pyldap-2.4.45 pyotp-2.2.6 python-dateutil-2.6.1 python-gssapi-0.6.4 pytz-2018.3 redis-2.10.6 requests-2.18.4 ruamel.yaml-0.15.72 s3transfer-0.1.13 simplejson-3.13.2 six-1.11.0 sshpubkeys-2.2.0 uritemplate-3.0.0 urllib3-1.22 vine-1.1.4
You are using pip version 9.0.1, however version 18.1 is available.
You should consider upgrading via the 'pip install --upgrade pip' command.
(py3) [root@imzcy requirements]#
(py3) [root@imzcy requirements]# deactivate
[root@imzcy requirements]#
3.4、安装redis(Jumpserver 使用 Redis 做 cache 和 celery broke)
[root@imzcy ~]# yum -y install redis
[root@imzcy ~]# systemctl enable redis
[root@imzcy ~]# systemctl start redis
3.5、安装mysql
[root@imzcy ~]# yum -y install mariadb mariadb-devel mariadb-server
[root@imzcy ~]# systemctl enable mariadb
[root@imzcy ~]# systemctl start mariadb
3.6、创建数据库Jumpserver并授权
[root@imzcy ~]# mysql
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 2
Server version: 5.5.60-MariaDB MariaDB Server
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> create database jumpserver default charset 'utf8';
Query OK, 1 row affected (0.00 sec)
MariaDB [(none)]> grant all on jumpserver.* to 'jumpserver'@'127.0.0.1' identified by 'weakPassword';
Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]> flush privileges;
Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]> exit
Bye
[root@imzcy ~]#
3.7、修改 Jumpserver 配置文件
$ cd /opt/jumpserver
$ cp config_example.yml config.yml
$ SECRET_KEY=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 50` # 生成随机SECRET_KEY
$ echo "SECRET_KEY=$SECRET_KEY" >> ~/.bashrc
$ BOOTSTRAP_TOKEN=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 16` # 生成随机BOOTSTRAP_TOKEN
$ echo "BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN" >> ~/.bashrc
$ sed -i "s/SECRET_KEY:/SECRET_KEY: $SECRET_KEY/g" /opt/jumpserver/config.yml
$ sed -i "s/BOOTSTRAP_TOKEN:/BOOTSTRAP_TOKEN: $BOOTSTRAP_TOKEN/g" /opt/jumpserver/config.yml
$ sed -i "s/# DEBUG: true/DEBUG: false/g" /opt/jumpserver/config.yml
$ sed -i "s/# LOG_LEVEL: DEBUG/LOG_LEVEL: ERROR/g" /opt/jumpserver/config.yml
$ sed -i "s/# SESSION_EXPIRE_AT_BROWSER_CLOSE: false/SESSION_EXPIRE_AT_BROWSER_CLOSE: true/g" /opt/jumpserver/config.yml
$ sed -i "s/DB_PASSWORD: /DB_PASSWORD: $DB_PASSWORD/g" /opt/jumpserver/config.yml
$ echo -e "\033[31m 你的SECRET_KEY是 $SECRET_KEY \033[0m"
$ echo -e "\033[31m 你的BOOTSTRAP_TOKEN是 $BOOTSTRAP_TOKEN \033[0m"
$ vi config.yml # 确认内容有没有错误
# SECURITY WARNING: keep the secret key used in production secret!
# 加密秘钥 生产环境中请修改为随机字符串, 请勿外泄, PS: 纯数字不可以
SECRET_KEY:
# SECURITY WARNING: keep the bootstrap token used in production secret!
# 预共享Token koko和guacamole用来注册服务账号, 不在使用原来的注册接受机制
BOOTSTRAP_TOKEN:
# Development env open this, when error occur display the full process track, Production disable it
# DEBUG 模式 开启DEBUG后遇到错误时可以看到更多日志
DEBUG: false
# DEBUG, INFO, WARNING, ERROR, CRITICAL can set. See
# 日志级别
LOG_LEVEL: ERROR
# LOG_DIR:
# Session expiration setting, Default 24 hour, Also set expired on on browser close
# 浏览器Session过期时间, 默认24小时, 也可以设置浏览器关闭则过期
# SESSION_COOKIE_AGE: 86400
SESSION_EXPIRE_AT_BROWSER_CLOSE: true
# Database setting, Support sqlite3, mysql, postgres ....
# 数据库设置
# See
# SQLite setting:
# 使用单文件sqlite数据库
# DB_ENGINE: sqlite3
# DB_NAME:
# MySQL or postgres setting like:
# 使用Mysql作为数据库
DB_ENGINE: mysql
DB_HOST: 127.0.0.1
DB_PORT: 3306
DB_USER: jumpserver
DB_PASSWORD:
DB_NAME: jumpserver
# When Django start it will bind this host and port
# ./manage.py runserver 127.0.0.1:8080
# 运行时绑定端口
HTTP_BIND_HOST: 0.0.0.0
HTTP_LISTEN_PORT: 8080
# Use Redis as broker for celery and web socket
# Redis配置
REDIS_HOST: 127.0.0.1
REDIS_PORT: 6379
# REDIS_PASSWORD:
# REDIS_DB_CELERY: 3
# REDIS_DB_CACHE: 4
# Use OpenID authorization
# 使用OpenID 来进行认证设置
# BASE_SITE_URL:
# AUTH_OPENID: false # True or False
# AUTH_OPENID_SERVER_URL:
# AUTH_OPENID_REALM_NAME: realm-name
# AUTH_OPENID_CLIENT_ID: client-id
# AUTH_OPENID_CLIENT_SECRET: client-secret
# OTP settings
# OTP/MFA 配置
# OTP_VALID_WINDOW: 0
# OTP_ISSUER_NAME: Jumpserver
3.8、生成数据库表结构和初始化数据
[root@imzcy ~]# source /opt/py3/bin/activate
(py3) [root@imzcy ~]# cd /opt/jumpserver/utils
(py3) [root@imzcy utils]# bash make_migrations.sh
3.9、启动Jumpserver
(py3) [root@imzcy utils]# cd /opt/jumpserver/
(py3) [root@imzcy jumpserver]# ./jms start -d
启动过程如果没有报错,并且使用 ss -tnl 查看8080端口也监听了。即可使用浏览器访问 默认账号: admin 密码: admin 页面显示不正常先不用处理,继续往下操作,后面搭建 nginx 代理后即可正常访问,原因是因为 django 无法在非 debug 模式下加载静态资源。
四、安装 SSH Server 和 WebSocket Server: Coco
4.1、下载或 Clone 项目
[root@imzcy ~]# cd /opt/
[root@imzcy opt]# git clone /coco.git
[root@imzcy opt]# cd coco
[root@imzcy coco]# git checkout master
4.2、 安装依赖
[root@imzcy coco]# cd requirements/
[root@imzcy requirements]# source /opt/py3/bin/activate
(py3) [root@imzcy requirements]# yum -y install $(cat rpm_requirements.txt)
(py3) [root@imzcy requirements]# pip install -r requirements.txt
(py3) [root@imzcy requirements]# cd ..
(py3) [root@imzcy coco]#
4.3、 修改配置文件并运行
如果 coco 与 jumpserver 分开部署,请手动修改 conf.py 。我们这里先不做修改,使用最简单默认配置文件启动cocod
123456789101112131415161718192021222324252627282930 (py3) [root@imzcy coco]# mkdir keys(py3) [root@imzcy coco]# vi conf.py#!/usr/bin/env python3# -*- coding: utf-8 -*-# import os BASE_DIR = os.path.dirname(__file__) class Config: """ Coco config file, coco also load config from server update setting below """ NAME = "coco" CORE_HOST = '' COMMAND_STORAGE = { "TYPE": "server" } REPLAY_STORAGE = { "TYPE": "server" } LANGUAGE_CODE = 'zh' config = Config()(py3) [root@imzcy coco]# (py3) [root@imzcy coco]# ./cocod start
启动成功后去Jumpserver 会话管理-终端管理()接受coco的注册(如果出现异常,可以重启系统)。
五、安装 Web Terminal 前端: Luna
> Luna 已改为纯前端,需要 Nginx 来运行访问。
> 访问(/luna/releases)下载对应版本的 release 包,直接解压,不需要编译
5.1、下载并解压Luna
[root@imzcy ~]# cd /opt/
[root@imzcy opt]# wget /luna/releases/download/1.5.2/luna.tar.gz
[root@imzcy opt]# tar xf luna.tar.gz
[root@imzcy opt]# chown -R root:root luna
六、安装 Windows 支持组件(如果不需要管理 windows 资产,可以直接跳过这一步)
因为手动安装 guacamole 组件比较复杂,这里提供打包好的 docker 使用, 启动 guacamole
6.1、 Docker安装 (仅针对CentOS7,CentOS6安装Docker相对比较复杂)
12 [root@imzcy ~]# yum remove docker-latest-logrotate docker-logrotate docker-selinux dockdocker-engine[root@imzcy ~]# yum install -y yum-utils device-mapper-persistent-data lvm2
添加docker官方源
123456 [root@imzcy ~]# yum-config-manager --add-repo [root@imzcy ~]# yum makecache fast[root@imzcy ~]# yum -y install docker-ce [root@imzcy ~]# systemctl enable docker[root@imzcy ~]# systemctl start docker
6.2、启动 Guacamole
> 这里所需要注意的是 guacamole 暴露出来的端口是 8081,若与主机上其他端口冲突请自定义。
> 注意:这里需要修改下 填写jumpserver的url地址> 例: 否则会出错(这里下载有点慢,需要等待一会儿)。
> 不能使用 127.0.0.1 ,可以更换 registry.jumpserver.org/public/guacamole:latest
12345 [root@imzcy ~]# docker run --name jms_guacamole -d \-p 8081:8080 -v /opt/guacamole/key:/config/guacamole/key \-e JUMPSERVER_KEY_DIR=/config/guacamole/key \-e JUMPSERVER_SERVER= \jumpserver/guacamole:latest
1234 [root@imzcy ~]# docker psCONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES1e3fdc93e81b jumpserver/guacamole:latest "/init" 29 seconds ago Up 26 seconds 0.0.0.0:8081->8080/tcp jms_guacamole[root@imzcy ~]#
启动成功后去Jumpserver 会话管理-终端管理()接受[Gua]开头的一个注册
七、配置 Nginx 整合各组件
7.1、安装 Nginx 根据喜好选择安装方式和版本
[root@imzcy ~]# yum -y install nginx
7.2、准备配置文件
[root@imzcy ~]# cd /etc/nginx/
[root@imzcy nginx]# mv nginx.conf nginx.conf.bak
[root@imzcy nginx]# vi nginx.conf
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
# Load dynamic modules. See /usr/share/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;
events {
worker_connections 1024;
}
http {
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
include /etc/nginx/mime.types;
default_type application/octet-stream;
include /etc/nginx/conf.d/*.conf;
}
[root@imzcy nginx]#
新增虚拟主机配置文件jumpserver.conf
[root@imzcy nginx]# cd conf.d/
[root@imzcy conf.d]# vim jumpserver.conf
server {
listen 80;
client_max_body_size 100m; # 录像及文件上传大小限制
location /luna/ {
try_files $uri / /index.html;
alias /opt/luna/; # luna 路径, 如果修改安装目录, 此处需要修改
}
location /media/ {
add_header Content-Encoding gzip;
root /opt/jumpserver/data/; # 录像位置, 如果修改安装目录, 此处需要修改
}
location /static/ {
root /opt/jumpserver/data/; # 静态资源, 如果修改安装目录, 此处需要修改
}
location /socket.io/ {
proxy_pass
proxy_buffering off;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
access_log off;
}
location /coco/ {
proxy_pass
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
access_log off;
}
location /guacamole/ {
proxy_pass
proxy_buffering off;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $http_connection;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
access_log off;
}
location / {
proxy_pass ;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
7.3 运行 Nginx
$ nginx -t # 确保配置没有问题, 有问题请先解决
$ systemctl start nginx && systemctl enable nginx
7.4 开始使用 Jumpserver
检查应用是否已经正常运行
7.4.1、确定jumpserver已经运行,如果没有运行请重新启动jumpserver
[root@imzcy ~]# source /opt/py3/bin/activate
(py3) [root@imzcy ~]# cd /opt/jumpserver/
(py3) [root@imzcy jumpserver]# ./jms status
gunicorn is running: 44393
celery is running: 44394
beat is running: 44395
(py3) [root@imzcy jumpserver]#
7.4.2、确定jumpserver已经运行,如果没有运行请重新启动coco
(py3) [root@imzcy ~]# cd /opt/coco/
(py3) [root@imzcy coco]# ./cocod status
Failed register terminal imzcy exist already
(py3) [root@imzcy coco]#
7.4.3、检查容器是否已经正常运行,如果没有运行请重新启动Guacamole
[root@imzcy ~]# docker ps
服务全部启动后,访问 ,访问nginx代理的端口,不要再通过8080端口访问
默认账号: admin 密码: admin
如果部署过程中没有接受应用的注册,需要到Jumpserver 会话管理-终端管理 接受 Coco Guacamole 等应用的注册。
阅读(1298) | 评论(0) | 转发(0) |