Jumpserver one-stop deployment and installation

Preface

We are all familiar with bastion hosts (jump hosts): to keep servers secure, a bastion host is put in front of them and every SSH connection goes through it, so the bastion host itself needs identity authentication, authorization, access control and auditing.

Jumpserver is the world's first fully open-source bastion host and a professional operations auditing system that meets the 4A requirements.

Jumpserver is developed in Python / Django and uses a distributed architecture. It supports deployment across multiple data centres and regions: the central node provides the API, each data centre deploys its own login nodes, and the system scales horizontally with no limit on concurrent access.

Jumpserver currently supports managing assets over the SSH, Telnet, RDP and VNC protocols.

Component description

Jumpserver consists of four components, with the following roles:

  • Jumpserver is the management back end. Administrators use its web pages for asset management, user management and asset authorization; users use the web pages to log in to assets, manage files and so on
  • Coco is the SSH Server and Web Terminal Server. Users log in with their own account over SSH or the Web Terminal to reach SSH-protocol and Telnet-protocol assets
  • Luna is the Web Terminal Server front end, the component users need when logging in through the Web Terminal
  • Guacamole is the component for RDP-protocol and VNC-protocol assets. Users connect to RDP and VNC assets through the Web Terminal (for now this is the only way to reach them)

Port description

The listening ports of each component are as follows:

  • Jumpserver default port is 8080/tcp, configuration file jumpserver/config.yml
  • Coco default SSH port is 2222/tcp and default Web Terminal port is 5000/tcp, configuration file coco/config.yml
  • Guacamole default port is 8081/tcp, configuration file /config/tomcat8/conf/server.xml
  • Nginx default port is 80/tcp
  • Redis default port is 6379/tcp
  • Mysql default port is 3306/tcp


This post deploys Jumpserver in a one-stop fashion; it is actually more advisable to follow the official documentation when deploying Jumpserver.


1. Environment preparation

  • System: CentOS 7
  • IP: 192.168.20.6
  • Database: mariadb
  • Reverse proxy: nginx

2. Install Redis and mariadb

#Install dependency packages
[root@jumpserver ~]# yum -y install wget gcc epel-release git
#Download the network yum repositories
[root@jumpserver ~]# wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo
[root@jumpserver ~]# wget -O /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo
[root@jumpserver ~]# yum makecache
#Install Redis; Jumpserver uses Redis as its cache and as the celery broker
[root@jumpserver ~]# yum -y install redis
[root@jumpserver ~]# systemctl enable redis
[root@jumpserver ~]# systemctl start redis
# Install MySQL; if you do not use MySQL you can skip the MySQL installation and configuration, since sqlite3, mysql, postgres and others are supported
[root@jumpserver ~]# yum -y install mariadb*
[root@jumpserver ~]# systemctl enable mariadb
[root@jumpserver ~]# systemctl start mariadb
#After starting the database, create a database and add an authorized user with the password 123.com (a placeholder; pick a strong password for a real deployment)
[root@jumpserver ~]# mysql -uroot -e "create database jumpserver default charset 'utf8'; grant all on jumpserver.* to 'jumpserver'@'127.0.0.1' identified by '123.com'; flush privileges;"

3. Install the Nginx reverse proxy and set up the Python3 virtual environment

#Install Nginx, used as the proxy server that ties Jumpserver and the other components together
[root@jumpserver conf.d]# vim /etc/yum.repos.d/nginx.repo
[nginx]
name=nginx repo
baseurl=http://nginx.org/packages/centos/7/$basearch/
gpgcheck=0
enabled=1
[root@jumpserver ~]# yum -y install nginx
[root@jumpserver ~]# systemctl enable nginx
#Install Python3.6
[root@jumpserver ~]# yum -y install python36 python36-devel
# Create and load the Python3 virtual environment
[root@jumpserver ~]# cd /opt
[root@jumpserver opt]# python3 -m venv py3   # py3 is the virtual environment name and can be customized
#Enter the Python3.6 virtual environment
[root@jumpserver opt]# source /opt/py3/bin/activate    # use the deactivate command to leave the virtual environment
# Seeing the prompt below means the virtual environment is set up
(py3) [root@jumpserver opt]#

4. Deploy the Jumpserver service

# Download Jumpserver
(py3) [root@jumpserver opt]# cd /opt
(py3) [root@jumpserver opt]# wget https://github.com/jumpserver/jumpserver/archive/1.4.7.tar.gz
(py3) [root@jumpserver opt]# tar zxf 1.4.7.tar.gz 
(py3) [root@jumpserver opt]# mv jumpserver-1.4.7 jumpserver
# Install the dependency RPM packages
(py3) [root@jumpserver opt]# yum -y install $(cat /opt/jumpserver/requirements/rpm_requirements.txt)
# Install the Python library dependencies
(py3) [root@jumpserver opt]# pip install --upgrade pip setuptools
(py3) [root@jumpserver opt]# pip install -r /opt/jumpserver/requirements/requirements.txt
# Edit the Jumpserver configuration file
(py3) [root@jumpserver opt]# cd /opt/jumpserver
(py3) [root@jumpserver jumpserver]# cp config_example.yml config.yml
#Generate the secret key and the bootstrap token
(py3) [root@jumpserver jumpserver]# SECRET_KEY=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 50`
(py3) [root@jumpserver jumpserver]# echo "SECRET_KEY=$SECRET_KEY" >> ~/.bashrc
(py3) [root@jumpserver jumpserver]# BOOTSTRAP_TOKEN=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 16`
(py3) [root@jumpserver jumpserver]# echo "BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN" >> ~/.bashrc
(py3) [root@jumpserver jumpserver]# sed -i "s/SECRET_KEY:/SECRET_KEY: $SECRET_KEY/g" /opt/jumpserver/config.yml
(py3) [root@jumpserver jumpserver]# sed -i "s/BOOTSTRAP_TOKEN:/BOOTSTRAP_TOKEN: $BOOTSTRAP_TOKEN/g" /opt/jumpserver/config.yml
(py3) [root@jumpserver jumpserver]# sed -i "s/# DEBUG: true/DEBUG: false/g" /opt/jumpserver/config.yml
(py3) [root@jumpserver jumpserver]# sed -i "s/# LOG_LEVEL: DEBUG/LOG_LEVEL: ERROR/g" /opt/jumpserver/config.yml
(py3) [root@jumpserver jumpserver]# sed -i "s/# SESSION_EXPIRE_AT_BROWSER_CLOSE: False/SESSION_EXPIRE_AT_BROWSER_CLOSE: true/g" /opt/jumpserver/config.yml 
(py3) [root@jumpserver jumpserver]# sed -i "s/DB_PASSWORD: /DB_PASSWORD: 123.com/g" /opt/jumpserver/config.yml
(py3) [root@jumpserver jumpserver]# echo -e "\033[31m 你的SECRET_KEY是 $SECRET_KEY \033[0m"
 你的SECRET_KEY是 Z6bUvXTZRpc73pnRp4qNwn1eMWNYrgzbEWkVJqIVXc6cXfpKDU 
(py3) [root@jumpserver jumpserver]# echo -e "\033[31m 你的BOOTSTRAP_TOKEN是 $BOOTSTRAP_TOKEN \033[0m"
 你的BOOTSTRAP_TOKEN是 aGXZtXKnhP3StNA3 
(py3) [root@jumpserver jumpserver]# cat config.yml           # confirm the contents are correct
# SECURITY WARNING: keep the secret key used in production secret!
# Encryption secret: in production change it to a random string and never leak it. PS: pure digits are not allowed
# $ cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 49;echo
SECRET_KEY: Z6bUvXTZRpc73pnRp4qNwn1eMWNYrgzbEWkVJqIVXc6cXfpKDU

# SECURITY WARNING: keep the bootstrap token used in production secret!
# Pre-shared token that coco and guacamole use to register their service accounts; the original registration-acceptance mechanism is no longer used
BOOTSTRAP_TOKEN: aGXZtXKnhP3StNA3

# Development env open this, when error occur display the full process track, Production disable it
# DEBUG mode: with DEBUG enabled, more log detail is shown when an error occurs
DEBUG: false

# DEBUG, INFO, WARNING, ERROR, CRITICAL can set. See https://docs.djangoproject.com/en/1.10/topics/logging/
# Log level
LOG_LEVEL: ERROR
# LOG_DIR: 

# Session expiration setting, Default 24 hour, Also set expired on on browser close
# Browser session expiry, default 24 hours; can also be set to expire when the browser closes
# SESSION_COOKIE_AGE: 3600 * 24
SESSION_EXPIRE_AT_BROWSER_CLOSE: true

# Database setting, Support sqlite3, mysql, postgres ....
# Database settings
# See https://docs.djangoproject.com/en/1.10/ref/settings/#databases

# SQLite setting:
# Use a single-file sqlite database
# DB_ENGINE: sqlite3
# DB_NAME: 

# MySQL or postgres setting like:
# Use Mysql as the database
DB_ENGINE: mysql
DB_HOST: 127.0.0.1
DB_PORT: 3306
DB_USER: jumpserver
DB_PASSWORD: 123.com
DB_NAME: jumpserver

# When Django start it will bind this host and port
# ./manage.py runserver 127.0.0.1:8080
# Host and port bound at runtime
HTTP_BIND_HOST: 0.0.0.0
HTTP_LISTEN_PORT: 8080

# Use Redis as broker for celery and web socket
# Redis settings
REDIS_HOST: 127.0.0.1
REDIS_PORT: 6379
# REDIS_PASSWORD: 
# REDIS_DB_CELERY: 3
# REDIS_DB_CACHE: 4

# Use OpenID authorization
# Settings for authenticating with OpenID
# BASE_SITE_URL: http://localhost:8080
# AUTH_OPENID: false  # True or False
# AUTH_OPENID_SERVER_URL: https://openid-auth-server.com/
# AUTH_OPENID_REALM_NAME: realm-name
# AUTH_OPENID_CLIENT_ID: client-id
# AUTH_OPENID_CLIENT_SECRET: client-secret

# OTP settings
# OTP/MFA settings
# OTP_VALID_WINDOW: 0
# OTP_ISSUER_NAME: Jumpserver
# Run Jumpserver
(py3) [root@jumpserver jumpserver]# cd /opt/jumpserver
(py3) [root@jumpserver jumpserver]# ./jms start all -d  
#runs in the background; start can be replaced with status or stop
#Make jumpserver start at boot
(py3) [root@jumpserver jumpserver]# wget -O /usr/lib/systemd/system/jms.service https://demo.jumpserver.org/download/shell/centos/jms.service
(py3) [root@jumpserver jumpserver]# chmod 755 /usr/lib/systemd/system/jms.service
(py3) [root@jumpserver jumpserver]# systemctl enable jms
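Before starting ./jms it is worth confirming that the sed commands above really rewrote config.yml. The script below is an added check, not part of the original post or of the Jumpserver project: it verifies that SECRET_KEY is present, 50 characters long and not purely numeric (the config comment forbids pure digits), that BOOTSTRAP_TOKEN and DB_PASSWORD are set, and that DEBUG is false. The sample config it writes is constructed; the path /opt/jumpserver/config.yml in the usage comment is the one used in this post.

```shell
# Added example (not from the original post or the Jumpserver project): sanity-check
# the config.yml that the sed commands above produce, before starting ./jms.

# Value of an uncommented top-level "KEY: value" line; empty if the key is unset.
cfg_get() {
    sed -n "s/^$2:[[:space:]]*//p" "$1" | head -n 1 | sed 's/[[:space:]]*$//'
}

# Check one config file. Prints each problem found; returns 0 only if all checks pass.
check_jms_config() {
    f="$1"; rc=0
    secret=$(cfg_get "$f" SECRET_KEY)
    token=$(cfg_get "$f" BOOTSTRAP_TOKEN)
    debug=$(cfg_get "$f" DEBUG)
    dbpass=$(cfg_get "$f" DB_PASSWORD)
    # SECRET_KEY: set, 50 characters (the generator above uses head -c 50) and not
    # purely numeric (the config comment says pure digits are not accepted).
    if [ -z "$secret" ]; then
        echo "SECRET_KEY is empty"; rc=1
    elif [ "${#secret}" -lt 50 ]; then
        echo "SECRET_KEY is shorter than 50 characters"; rc=1
    elif printf '%s' "$secret" | grep -Eq '^[0-9]+$'; then
        echo "SECRET_KEY is purely numeric"; rc=1
    fi
    # coco/koko and guacamole register with BOOTSTRAP_TOKEN, so it must be present.
    [ -n "$token" ] || { echo "BOOTSTRAP_TOKEN is empty"; rc=1; }
    # DEBUG must be off in production; the sed above rewrites "# DEBUG: true".
    [ "$debug" = "false" ] || { echo "DEBUG is not false (got '$debug')"; rc=1; }
    # An empty DB_PASSWORD means the "DB_PASSWORD: " sed did not match anything.
    [ -n "$dbpass" ] || { echo "DB_PASSWORD is empty"; rc=1; }
    return $rc
}

# Constructed sample containing only the keys this check reads (values are made up).
write_sample_config() {
    cat > "$1" <<'EOF'
# SECURITY WARNING: keep the secret key used in production secret!
SECRET_KEY: abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWX
BOOTSTRAP_TOKEN: sampleToken12345
# DEBUG: true
DEBUG: false
DB_ENGINE: mysql
DB_PASSWORD: sample-db-password
EOF
}

# Usage on the real host: check_jms_config /opt/jumpserver/config.yml
```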

5. Install docker and deploy coco and guacamole

(py3) [root@jumpserver jumpserver]# yum install -y yum-utils device-mapper-persistent-data lvm2
(py3) [root@jumpserver jumpserver]# yum-config-manager --add-repo http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
(py3) [root@jumpserver jumpserver]# yum makecache fast
(py3) [root@jumpserver jumpserver]# rpm --import https://mirrors.aliyun.com/docker-ce/linux/centos/gpg
(py3) [root@jumpserver jumpserver]# yum -y install docker-ce    #install the docker community edition
(py3) [root@jumpserver jumpserver]# systemctl enable docker
#Use the daocloud registry mirror to speed up pulls
(py3) [root@jumpserver jumpserver]# curl -sSL https://get.daocloud.io/daotools/set_mirror.sh | sh -s http://f1361db2.m.daocloud.io
(py3) [root@jumpserver jumpserver]# systemctl restart docker

#Start the koko (SSH / Web Terminal, the successor of coco) and guacamole containers. "-e CORE_HOST" is the address and port of the Jumpserver service,
#and "BOOTSTRAP_TOKEN" is the BOOTSTRAP_TOKEN value from Jumpserver/config.yml
#Note: CORE_HOST must be the host address as seen from inside the containers (127.0.0.1 there would mean the container itself); the environment section lists this host as 192.168.20.6, so adjust the address to your own host
(py3) [root@jumpserver jumpserver]# docker run --name jms_koko -d -p 2222:2222 -p 127.0.0.1:5000:5000 -e CORE_HOST=http://192.168.20.2:8080 -e BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN --restart=always jumpserver/jms_koko:1.5.4

(py3) [root@jumpserver jumpserver]# docker run --name jms_guacamole -d -p 127.0.0.1:8081:8080 -e JUMPSERVER_SERVER=http://192.168.20.2:8080 -e BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN --restart=always jumpserver/jms_guacamole:1.5.4

6. Download the web Terminal front end

Luna needs Nginx to run. Visit https://github.com/jumpserver/luna/releases and download the release package for the matching version; just extract it, no compilation is needed.

(py3) [root@jumpserver jumpserver]# cd /opt
(py3) [root@jumpserver opt]# wget https://demo.jumpserver.org/download/luna/1.4.7/luna.tar.gz
(py3) [root@jumpserver opt]# tar zxf luna.tar.gz 
(py3) [root@jumpserver opt]# chown -R root:root luna

7. Configure Nginx to integrate the components

(py3) [root@jumpserver opt]# deactivate      #leave the Python3 virtual environment
#Because the nginx installed via yum above may have some problems, I chose to reinstall it from source
#Note: the yum nginx unit was enabled in step 3; stop and disable it (systemctl disable --now nginx) before starting the source build so the two do not contend for port 80. The nginx-1.14.0.tar.gz source archive is assumed to be already present in the working directory
[root@jumpserver ~]# tar zxf nginx-1.14.0.tar.gz -C /usr/src
[root@jumpserver ~]# cd /usr/src/nginx-1.14.0/
[root@jumpserver nginx-1.14.0]# ./configure --prefix=/usr/local/nginx && make && make install
[root@jumpserver nginx-1.14.0]# cd /usr/local/nginx/conf/
[root@jumpserver conf]# vim nginx.conf    #the modified nginx configuration is as follows and can be copied as-is
worker_processes  1;
events {
    worker_connections  1024;
}

http {
    include       mime.types;
    default_type  application/octet-stream;
    sendfile        on;
    keepalive_timeout  65;
    server {
        listen       80;
        server_name  localhost;
        client_max_body_size 100m;  # size limit for session recordings and file uploads

        location /luna/ {
            try_files $uri / /index.html;
            alias /opt/luna/;  # luna path; change this if the install directory is changed
        }

        location /media/ {
            add_header Content-Encoding gzip;
            root /opt/jumpserver/data/;  # recording location; change this if the install directory is changed
        }

        location /static/ {
            root /opt/jumpserver/data/;  # static resources; change this if the install directory is changed
        }

        location /koko/ {
            proxy_pass       http://localhost:5000;
            proxy_buffering off;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            access_log off;
        }

        location /guacamole/ {
            proxy_pass       http://localhost:8081/;
            proxy_buffering off;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $http_connection;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            access_log off;
        }

        location /ws/ {
            proxy_pass http://localhost:8070;
            proxy_buffering off;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            access_log off;
        }

        location / {
            proxy_pass http://localhost:8080;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }

        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }
    }
}

[root@jumpserver /]# ln -sf /usr/local/nginx/sbin/nginx /usr/local/sbin/
[root@jumpserver ~]# nginx -t       #check the configuration file for errors
[root@jumpserver ~]# nginx       #start the nginx service
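Once nginx, the core and the containers are up, the host's listening sockets should match the layout of this post: only nginx (80) and the koko SSH entry point (2222) reachable from other hosts, everything else fronted by the proxy or by a loopback-only docker mapping. The audit script below is an added example, not part of the original post; it assumes the port roles from the Port description section and the `ss -lnt` output format, and the sample output it embeds is constructed.

```shell
# Added example (not from the original post): audit the finished host's listening
# sockets. Reads `ss -lnt` output on stdin and reports every component port that is
# reachable from other hosts although nginx or a loopback-only docker mapping is
# meant to front it. Port roles follow the "Port description" section above.

PUBLIC_PORTS="80 2222"                          # nginx, koko SSH entry point
INTERNAL_PORTS="8080 5000 8081 8070 6379 3306"  # core, koko web, guacamole, ws, redis, mariadb

# Prints "exposed PORT ADDR" (and returns 1) for internal ports bound on a wildcard
# address, and "unexpected PORT ADDR" (informational) for other wildcard listeners.
check_listen_exposure() {
    awk -v pub="$PUBLIC_PORTS" -v intl="$INTERNAL_PORTS" '
    BEGIN {
        n = split(intl, a, " "); for (i = 1; i <= n; i++) internal[a[i]] = 1
        n = split(pub, b, " ");  for (i = 1; i <= n; i++) public[b[i]] = 1
        bad = 0
    }
    $1 == "LISTEN" {
        addr = $4; port = addr
        sub(/.*:/, "", port)          # text after the last colon is the port
        sub(/:[^:]*$/, "", addr)      # everything before it is the bind address
        wildcard = (addr == "0.0.0.0" || addr == "*" || addr == "[::]")
        if (!wildcard) next
        if (internal[port])     { print "exposed " port " " addr; bad = 1 }
        else if (!public[port]) { print "unexpected " port " " addr }
    }
    END { exit bad }'
}

# Constructed ss -lnt output for a host built exactly as in this post: config.yml
# binds the core on 0.0.0.0:8080 and mariadb keeps its default 0.0.0.0:3306.
sample_ss_output() {
    cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:80         0.0.0.0:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    0.0.0.0:2222       0.0.0.0:*
LISTEN 0      128    127.0.0.1:5000     0.0.0.0:*
LISTEN 0      128    127.0.0.1:8081     0.0.0.0:*
LISTEN 0      128    127.0.0.1:6379     0.0.0.0:*
LISTEN 0      80     0.0.0.0:3306       0.0.0.0:*
LISTEN 0      128    0.0.0.0:8080       0.0.0.0:*
EOF
}

# Usage on the real host: ss -lnt | check_listen_exposure
```

On a host configured as above the script flags 8080 and 3306: since nginx proxies to localhost:8080, HTTP_BIND_HOST: 127.0.0.1 in config.yml is enough, and mariadb only needs to accept the 'jumpserver'@'127.0.0.1' user created earlier.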

8. Client access through nginx

1) Clients simply access port 80 of Jumpserver, as shown below (the default username and password are both "admin"):


2) After logging in, the following screen appears:


3) Create the user test, as follows:


After submitting, the result is displayed as follows:

4) Create an admin user

Admin user name: system, user: ljz; proceed as follows:


5) Create a system user

System user name: jumpserver; user: root
Note: the username should preferably be root, and choose manual login. This is the user that connects to the backend assets.


6) Create assets


Before performing the steps below, a CentOS server is needed for testing; here I brought up a test server with the IP 192.168.20.3.


7) Create authorization rules


After creation, the result is displayed as follows:


8) Connect to a backend asset to test

