部署Jumpserver環境
官網推薦安裝環境html
操做系統: Centos7前端
CPU: 64位雙核處理器java
內存: 4G DDR3python
數據庫:mysql 版本大於等於 5.6 mariadb 版本大於等於 5.5.6mysql
一、搭建環境前期準備
關閉防火牆和selinuxlinux
hostname jumpservernginx
bashgit
systemctl stop firewalldgithub
iptables -Fweb
setenforce 0
修改字符集,不然可能報 input/output error的問題, 由於日誌裏打印了中文
localedef -c -f UTF-8 -i zh_CN zh_CN.UTF-8
export LC_ALL=zh_CN.UTF-8
echo 'LANG="zh_CN.UTF-8"' > /etc/locale.conf
二、準備Python3和Python虛擬環境
安裝依賴包
yum -y install wget gcc git
rpm -ivh epel-release-latest-7.noarch.rpm
cd /etc/yum.repos.d/
mv backup/CentOS-Base.repo ./
cd
安裝 Python3.6
yum -y install python36 python36-devel python-pip
創建 Python 虛擬環境
由於 CentOS 7 自帶的是 Python2,而 Yum 等工具依賴原來的 Python, 爲了避免擾亂原來的環境咱們來使用 Python虛擬環境
cd /opt
python3.6 -m venv py3
source /opt/py3/bin/activate
看到下面的提示符表明成功, 之後運行 Jumpserver 都要先運行以上 source 命令, 如下全部命令均在該虛擬環境中運行
(py3) [root@jumpserver opt]#
三、安裝Jumpserver
下載或 Clone 項目
cd /opt/
git clone --depth=1 https://github.com/jumpserver/jumpserver.git
安裝依賴 RPM 包
cd /opt/jumpserver/requirements
yum -y install $(cat rpm_requirements.txt)
安裝 Python 庫依賴
pip install --upgrade pip setuptools -i https://mirrors.aliyun.com/pypi/simple/
pip install -r requirements.txt -i https://mirrors.aliyun.com/pypi/simple/
安裝 Redis, Jumpserver 使用 Redis 作 cache 和 celery broke
yum -y install redis
systemctl enable redis
systemctl start redis
四、安裝 MySQL
centos7下安裝的是mariadb
yum -y install mariadb mariadb-devel mariadb-server
systemctl enable mariadb
systemctl start mariadb
建立數據庫 Jumpserver 並受權,生成隨機數據庫密碼
DB_PASSWORD=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 24`
echo -e "\033[31m 你的數據庫密碼是 $DB_PASSWORD \033[0m"
mysql -uroot -e "create database jumpserver default charset 'utf8'; grant all on jumpserver.* to 'jumpserver'@'127.0.0.1' identified by '$DB_PASSWORD'; flush privileges;"
五、修改 Jumpserver 配置文件
cd /opt/jumpserver
cp config_example.yml config.yml
生成隨機SECRET_KEY
SECRET_KEY=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 50`
echo "SECRET_KEY=$SECRET_KEY" >> ~/.bashrc
生成隨機BOOTSTRAP_TOKEN
BOOTSTRAP_TOKEN=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 16`
echo "BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN" >> ~/.bashrc
修改配置文件內容
sed -i "s/SECRET_KEY:/SECRET_KEY: $SECRET_KEY/g" /opt/jumpserver/config.yml
sed -i "s/BOOTSTRAP_TOKEN:/BOOTSTRAP_TOKEN: $BOOTSTRAP_TOKEN/g" /opt/jumpserver/config.yml
sed -i "s/# DEBUG: true/DEBUG: false/g" /opt/jumpserver/config.yml
sed -i "s/# LOG_LEVEL: DEBUG/LOG_LEVEL: ERROR/g" /opt/jumpserver/config.yml
sed -i "s/# SESSION_EXPIRE_AT_BROWSER_CLOSE: false/SESSION_EXPIRE_AT_BROWSER_CLOSE: true/g" /opt/jumpserver/config.yml
sed -i "s/DB_PASSWORD: /DB_PASSWORD: $DB_PASSWORD/g" /opt/jumpserver/config.yml
echo -e "\033[31m 你的SECRET_KEY是 $SECRET_KEY \033[0m"
echo -e "\033[31m 你的BOOTSTRAP_TOKEN是 $BOOTSTRAP_TOKEN \033[0m"
確認內容有沒有錯誤
cat config.yml
# SECURITY WARNING: keep the secret key used in production secret!
# 加密祕鑰 生產環境中請修改成隨機字符串, 請勿外泄
SECRET_KEY:
# SECURITY WARNING: keep the bootstrap token used in production secret!
# 預共享Token coco和guacamole用來註冊服務帳號, 不在使用原來的註冊接受機制
BOOTSTRAP_TOKEN:
# Development env open this, when error occur display the full process track, Production disable it
# DEBUG 模式 開啓DEBUG後遇到錯誤時能夠看到更多日誌
DEBUG: false
# DEBUG, INFO, WARNING, ERROR, CRITICAL can set. See https://docs.djangoproject.com/en/1.10/topics/logging/
# 日誌級別
LOG_LEVEL: ERROR
# LOG_DIR:
# Session expiration setting, Default 24 hour, Also set expired on on browser close
# 瀏覽器Session過時時間, 默認24小時, 也能夠設置瀏覽器關閉則過時
# SESSION_COOKIE_AGE: 86400
SESSION_EXPIRE_AT_BROWSER_CLOSE: true
# Database setting, Support sqlite3, mysql, postgres ....
# 數據庫設置
# See https://docs.djangoproject.com/en/1.10/ref/settings/#databases
# SQLite setting:
# 使用單文件sqlite數據庫
# DB_ENGINE: sqlite3
# DB_NAME:
# MySQL or postgres setting like:
# 使用Mysql做爲數據庫
DB_ENGINE: mysql
DB_HOST: 127.0.0.1
DB_PORT: 3306
DB_USER: jumpserver
DB_PASSWORD:
DB_NAME: jumpserver
# When Django start it will bind this host and port
# ./manage.py runserver 127.0.0.1:8080
# 運行時綁定端口
HTTP_BIND_HOST: 0.0.0.0
HTTP_LISTEN_PORT: 8080
# Use Redis as broker for celery and web socket
# Redis配置
REDIS_HOST: 127.0.0.1
REDIS_PORT: 6379
# REDIS_PASSWORD:
# REDIS_DB_CELERY: 3
# REDIS_DB_CACHE: 4
# Use OpenID authorization
# 使用OpenID 來進行認證設置
# BASE_SITE_URL: http://localhost:8080
# AUTH_OPENID: false # True or False
# AUTH_OPENID_SERVER_URL: https://openid-auth-server.com/
# AUTH_OPENID_REALM_NAME: realm-name
# AUTH_OPENID_CLIENT_ID: client-id
# AUTH_OPENID_CLIENT_SECRET: client-secret
# OTP settings
# OTP/MFA 配置
# OTP_VALID_WINDOW: 0
# OTP_ISSUER_NAME: Jumpserver
六、運行 Jumpserver
新版本更新了運行腳本,使用方式./jms start|stop|status all 後臺運行添加 -d 參數
cd /opt/jumpserver
./jms start all -d
七、安裝 SSH Server 和 WebSocket Server: Coco
下載或 Clone 項目
cd /opt
source /opt/py3/bin/activate
git clone --depth=1 https://github.com/jumpserver/coco.git
安裝依賴
cd /opt/coco/requirements
yum -y install $(cat rpm_requirements.txt)
pip install -r requirements.txt -i https://mirrors.aliyun.com/pypi/simple/
修改配置文件並運行
cd /opt/coco
cp config_example.yml config.yml
sed -i "s/BOOTSTRAP_TOKEN: <PleasgeChangeSameWithJumpserver>/BOOTSTRAP_TOKEN: $BOOTSTRAP_TOKEN/g" /opt/coco/config.yml
sed -i "s/# LOG_LEVEL: INFO/LOG_LEVEL: ERROR/g" /opt/coco/config.yml
查看配置文件
cat config.yml
# 項目名稱, 會用來向Jumpserver註冊, 識別而已, 不能重複
# NAME: {{ Hostname }}
# Jumpserver項目的url, api請求註冊會使用
CORE_HOST: http://127.0.0.1:8080
# Bootstrap Token, 預共享祕鑰, 用來註冊coco使用的service account和terminal
# 請和jumpserver 配置文件中保持一致, 註冊完成後能夠刪除
BOOTSTRAP_TOKEN: <PleasgeChangeSameWithJumpserver>
# 啓動時綁定的ip, 默認 0.0.0.0
# BIND_HOST: 0.0.0.0
# 監聽的SSH端口號, 默認2222
# SSHD_PORT: 2222
# 監聽的HTTP/WS端口號, 默認5000
# HTTPD_PORT: 5000
# 項目使用的ACCESS KEY, 默認會註冊, 並保存到 ACCESS_KEY_STORE中,
# 若是有需求, 能夠寫到配置文件中, 格式 access_key_id:access_key_secret
# ACCESS_KEY: null
# ACCESS KEY 保存的地址, 默認註冊後會保存到該文件中
# ACCESS_KEY_STORE: data/keys/.access_key
# 加密密鑰
# SECRET_KEY: null
# 設置日誌級別 [DEBUG, INFO, WARN, ERROR, FATAL, CRITICAL]
LOG_LEVEL: ERROR
# 日誌存放的目錄
# LOG_DIR: logs
# SSH白名單
# ALLOW_SSH_USER: all
# SSH黑名單, 若是用戶同時在白名單和黑名單, 黑名單優先生效
# BLOCK_SSH_USER:
# -
# 和Jumpserver 保持心跳時間間隔
# HEARTBEAT_INTERVAL: 5
# Admin的名字, 出問題會提示給用戶
# ADMINS: ''
# SSH鏈接超時時間 (default 15 seconds)
# SSH_TIMEOUT: 15
# 語言 [en, zh]
# LANGUAGE_CODE: zh
# SFTP的根目錄, 可選 /tmp, Home其餘自定義目錄
# SFTP_ROOT: /tmp
# SFTP是否顯示隱藏文件
# SFTP_SHOW_HIDDEN_FILE: false
新版本更新了運行腳本, 使用方式./cocod start|stop|status 後臺運行請添加 -d 參數
./cocod start -d
七、安裝 Web Terminal 前端: Luna
Luna 已改成純前端, 須要 Nginx 來運行訪問
訪問(https://github.com/jumpserver/luna/releases)下載對應版本的 release 包, 直接解壓不須要編譯
cd /opt
wget https://demo.jumpserver.org/download/luna/1.4.9/luna.tar.gz
tar xf luna.tar.gz
chown -R root:root luna
八、安裝 Windows 支持組件
安裝依賴
rpm --import http://li.nux.ro/download/nux/RPM-GPG-KEY-nux.ro
rpm -Uvh http://li.nux.ro/download/nux/dextop/el7/x86_64/nux-dextop-release-0-5.el7.nux.noarch.rpm
yum -y localinstall --nogpgcheck https://download1.rpmfusion.org/free/el/rpmfusion-free-release-7.noarch.rpm https://download1.rpmfusion.org/nonfree/el/rpmfusion-nonfree-release-7.noarch.rpm
yum install -y java-1.8.0-openjdk libtool
yum install -y cairo-devel libjpeg-turbo-devel libpng-devel uuid-devel
yum install -y ffmpeg-devel freerdp-devel freerdp-plugins pango-devel libssh2-devel libtelnet-devel libvncserver-devel pulseaudio-libs-devel openssl-devel libvorbis-devel libwebp-devel ghostscript uuid-devel
ln -s /usr/local/lib/freerdp/*.so /usr/lib64/freerdp
編譯安裝 guacamole 服務(這個包比較難下載)
cd /opt
git clone --depth=1 https://github.com/jumpserver/docker-guacamole.git
cd /opt/docker-guacamole/
tar -xf guacamole-server-1.0.0.tar.gz
cd guacamole-server-1.0.0
autoreconf -fi
./configure --with-init-dir=/etc/init.d
make && make install
cd ..
rm -rf guacamole-server-1.0.0
ldconfig
配置 Tomcat
建立 guacamole 目錄
mkdir -p /config/guacamole /config/guacamole/lib /config/guacamole/extensions
ln -sf /opt/docker-guacamole/guacamole-auth-jumpserver-0.9.14.jar /config/guacamole/extensions/guacamole-auth-jumpserver-0.9.14.jar
guacamole 配置文件
ln -sf /opt/docker-guacamole/root/app/guacamole/guacamole.properties /config/guacamole/guacamole.properties
上傳tomcat並部署
cd /config
wget http://mirrors.tuna.tsinghua.edu.cn/apache/tomcat/tomcat-8/v8.5.40/bin/apache-tomcat-8.5.16.tar.gz
tar xf apache-tomcat-8.5.16.tar.gz
rm -rf apache-tomcat-8.5.16.tar.gz
mv apache-tomcat-8.5.16 /config/tomcat8
rm -rf /config/tomcat8/webapps/*
guacamole client
ln -sf /opt/docker-guacamole/guacamole-0.9.14.war /config/tomcat8/webapps/ROOT.war
修改默認端口爲 8081
sed -i 's/Connector port="8080"/Connector port="8081"/g' /config/tomcat8/conf/server.xml
修改 log 等級爲 WARNING
sed -i 's/FINE/WARNING/g' /config/tomcat8/conf/logging.properties
cd /config
wget https://demo.jumpserver.org/download/ssh-forward/v0.0.5/linux-amd64.tar.gz
tar xf linux-amd64.tar.gz -C /bin/
chmod +x /bin/ssh-forward
配置環境變量
勿屢次執行如下環境設置,http://127.0.0.1:8080 指 jumpserver 訪問地址
export JUMPSERVER_SERVER=http://127.0.0.1:8080
echo "export JUMPSERVER_SERVER=http://127.0.0.1:8080" >> ~/.bashrc
BOOTSTRAP_TOKEN 爲 Jumpserver/config.yml 裏面的 BOOTSTRAP_TOKEN
export BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN
echo "export BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN" >> ~/.bashrc
export JUMPSERVER_KEY_DIR=/config/guacamole/keys
echo "export JUMPSERVER_KEY_DIR=/config/guacamole/keys" >> ~/.bashrc
export GUACAMOLE_HOME=/config/guacamole
echo "export GUACAMOLE_HOME=/config/guacamole" >> ~/.bashrc
啓動 Guacamole
/etc/init.d/guacd start
sh /config/tomcat8/bin/startup.sh
九、配置 Nginx 整合各組件
安裝 Nginx
yum -y install yum-utils
rpm -ivh http://nginx.org/packages/centos/7/noarch/RPMS/nginx-release-centos-7-0.el7.ngx.noarch.rpm
yum makecache fast
yum install -y nginx
rm -rf /etc/nginx/conf.d/default.conf
systemctl enable nginx
準備配置文件 修改 /etc/nginx/conf.d/jumpserver.conf
vim /etc/nginx/conf.d/jumpserver.conf
server {
# 代理端口, 之後將經過此端口進行訪問, 再也不經過8080端口
listen 80;
# 修改爲你的域名或者註釋掉
# server_name demo.jumpserver.org;
# 錄像及文件上傳大小限制
client_max_body_size 100m;
location /luna/ {
try_files $uri / /index.html;
# luna 路徑, 若是修改安裝目錄, 此處須要修改
alias /opt/luna/;
}
location /media/ {
add_header Content-Encoding gzip;
# 錄像位置, 若是修改安裝目錄, 此處須要修改
root /opt/jumpserver/data/;
}
location /static/ {
# 靜態資源, 若是修改安裝目錄, 此處須要修改
root /opt/jumpserver/data/;
}
location /socket.io/ {
# 若是coco安裝在別的服務器, 請填寫它的ip
proxy_pass http://localhost:5000/socket.io/;
proxy_buffering off;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
access_log off;
}
location /coco/ {
# 若是coco安裝在別的服務器, 請填寫它的ip
proxy_pass http://localhost:5000/coco/;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
access_log off;
}
location /guacamole/ {
# 若是guacamole安裝在別的服務器, 請填寫它的ip
proxy_pass http://localhost:8081/;
proxy_buffering off;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $http_connection;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
access_log off;
}
location / {
# 若是jumpserver安裝在別的服務器, 請填寫它的ip
proxy_pass http://localhost:8080;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
運行 Nginx
nginx -t
systemctl start nginx
systemctl enable nginx
十、開始使用 Jumpserver
瀏覽器訪問http://192.168.200.111,默認帳號: admin 密碼: admin
到Jumpserver 會話管理-終端管理 檢查 Coco Guacamole 等應用的註冊
十一、測試鏈接
一、若是登陸客戶端是 macOS 或 Linux, 登陸語法以下
ssh -p2222 admin@IP
sftp -P2222 admin@IP
密碼: admin
二、若是登陸客戶端是 Windows, Xshell Terminal 登陸語法以下
$ ssh admin@IP 2222
$ sftp admin@IP 2222
密碼: admin
[root@localhost ~]# ssh -p2222 admin@192.168.200.111
The authenticity of host '[192.168.200.111]:2222 ([192.168.200.111]:2222)' can't be established.
RSA key fingerprint is SHA256:nFzD9nQeSYjrS2n20ZvglhauaiWuRUPU7tWyVDeRNE4.
RSA key fingerprint is MD5:2f:72:d6:94:c6:d0:f1:90:9e:df:68:99:67:48:26:13.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[192.168.200.111]:2222' (RSA) to the list of known hosts.
admin@192.168.200.111's password:
Administrator, 歡迎使用Jumpserver開源跳板機系統
1) 輸入 ID 直接登陸 或 輸入部分 IP,主機名,備註 進行搜索登陸(若是惟一).
2) 輸入 / + IP, 主機名 or 備註 搜索. 如: /ip
3) 輸入 p 顯示您有權限的主機.
4) 輸入 g 顯示您有權限的節點.
5) 輸入 g + 節點ID 顯示節點下主機. 如: g1
6) 輸入 s 中/英文切換.
7) 輸入 h 幫助.
8) 輸入 r 刷新最新的機器和節點信息.
0) 輸入 q 退出.
Opt>
若是能登錄表明部署成功
# sftp默認上傳的位置在資產的 /tmp 目錄下
# windows拖拽上傳的位置在資產的 Guacamole RDP上的 G 目錄下
- 1. jumpserver的部署
- 2. 部署jumpserver
- 3. Jumpserver安裝部署
- 4. Jumpserver部署實戰
- 5. JumpServer部署使用
- 6. Jumpserver雙機高可用環境部署筆記
- 7. Jenkins環境部署部署
- 8. 環境部署
- 9. 分佈式部署文檔 - jumpserver 部署
- 10. 基於docker-compose部署jumpserver
- 更多相關文章...
- • Maven 自動化部署 - Maven教程
- • C# 環境 - C#教程
- • 使用阿里雲OSS+CDN部署前端頁面與加速靜態資源
- • Docker容器實戰(一) - 封神Server端技術
-
每一个你不满意的现在,都有一个你没有努力的曾经。
- 1. jumpserver的部署
- 2. 部署jumpserver
- 3. Jumpserver安裝部署
- 4. Jumpserver部署實戰
- 5. JumpServer部署使用
- 6. Jumpserver雙機高可用環境部署筆記
- 7. Jenkins環境部署部署
- 8. 環境部署
- 9. 分佈式部署文檔 - jumpserver 部署
- 10. 基於docker-compose部署jumpserver