http://jumpserver.org
Python = 3.6.x
Mysql Server ≥ 5.6
Mariadb Server ≥ 5.5.56
Redis
**For production deployments, version 1.4.8 is recommended**
Jumpserver server:
```
[root@jumpserver ~]# cat /etc/redhat-release
CentOS Linux release 7.4.1708 (Core)
[root@jumpserver ~]# uname -r
3.10.0-693.el7.x86_64
[root@jumpserver ~]# uname -n
jumpserver
[root@jumpserver ~]# uname -m
x86_64
[root@jumpserver ~]# ifconfig ens33 | grep "inet " | awk '{print $2}'
10.0.0.161
```
Jumpserver managed host (client):
```
[root@jumpserver-client ~]# cat /etc/redhat-release
CentOS Linux release 7.4.1708 (Core)
[root@jumpserver-client ~]# uname -r
3.10.0-693.el7.x86_64
[root@jumpserver-client ~]# uname -n
jumpserver-client
[root@jumpserver-client ~]# uname -m
x86_64
[root@jumpserver-client ~]# ifconfig ens33 | grep "inet " | awk '{ print $2}'
10.0.0.162
```
Prepare the required software:
jumpserver: https://github.com/jumpserver/jumpserver
luna: https://demo.jumpserver.org/download/luna
coco: https://github.com/jumpserver/coco
**To download the code online:** git clone https://github.com/jumpserver/coco.git && cd coco && git
python: wget https://www.python.org/ftp/python/3.6.1/Python-3.6.1.tar.xz
```
[root@jumpserver ~]# mkdir /server/sources -p
```
Put all of the required software in the /server/sources/ directory.
Bundled software package download:
Link: https://pan.baidu.com/s/1ZJzXrLnsXqsqIMkLjKbrIw
Extraction code: be45
```
[root@jumpserver ~]# cd /server/sources/
[root@jumpserver sources]# ls
coco  luna.tar.gz  Python-3.6.1.tar.xz  jumpserver  python-package
```
```
[root@jumpserver sources]# systemctl stop firewalld
[root@jumpserver sources]# systemctl disable firewalld
[root@jumpserver sources]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
   Active: inactive (dead)
     Docs: man:firewalld(1)
```
```
[root@jumpserver sources]# setenforce 0
[root@jumpserver sources]# getenforce
```
The change has succeeded if getenforce shows Permissive or Disabled. To make it permanent, change SELINUX=enforcing to SELINUX=disabled in the /etc/selinux/config configuration file.
```
echo -e "\033[31m 1. 防火牆 Selinux 設置 \033[0m" \
  && if [ "$(systemctl status firewalld | grep running)" != "" ]; then
       firewall-cmd --zone=public --add-port=80/tcp --permanent
       firewall-cmd --zone=public --add-port=2222/tcp --permanent
       firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="172.17.0.0/16" port protocol="tcp" port="8080" accept'
       firewall-cmd --reload
     fi \
  && if [ "$(getenforce)" != "Disabled" ]; then setsebool -P httpd_can_network_connect 1; fi
```
```
ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime \
  && yum -y install kde-l10n-Chinese \
  && localedef -c -f UTF-8 -i zh_CN zh_CN.UTF-8 \
  && export LC_ALL=zh_CN.UTF-8 \
  && echo 'LANG="zh_CN.UTF-8"' > /etc/locale.conf
```
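Log in to the command-line terminal again for the change to take effect.
Required dependency packages:
wget # download tool; epel-release # extra package repository; sqlite-devel # database; xz # decompression; gcc # compiler; automake # build tooling; zlib-devel # compression; openssl-devel # encryption; git # version control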
```
[root@jumpserver ~]# yum -y install wget epel-release sqlite-devel xz gcc automake zlib-devel openssl-devel epel-release git
```
```
[root@jumpserver ~]# cd /server/sources/
[root@jumpserver sources]# ls
coco  luna.tar.gz  python-package  jumpserver  Python-3.6.1.tar.xz
[root@jumpserver sources]# tar xf Python-3.6.1.tar.xz
[root@jumpserver sources]# cd Python-3.6.1
[root@jumpserver Python-3.6.1]# ./configure && make -j 4 && make install
```
```
[root@jumpserver Python-3.6.1]# cd /opt/
[root@jumpserver opt]# python3 -m venv py3        # create a virtual environment named py3 under /opt
[root@jumpserver opt]# source /opt/py3/bin/activate
(py3) [root@jumpserver opt]#                      # the switch succeeded: the prompt now carries a (py3) prefix
```
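The version used here is Jumpserver 1.0.0.
Open a new shell connection to 10.0.0.161 (note that the prompt has no (py3) prefix, so this is not running inside the Python 3 virtual environment).
①. Install the RPM dependencies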
```
[root@jumpserver ~]# cd /server/sources/jumpserver/requirements
[root@jumpserver requirements]# cat rpm_requirements.txt
libtiff-devel libjpeg-devel libzip-devel freetype-devel lcms2-devel libwebp-devel tcl-devel tk-devel sshpass openldap-devel mysql-devel libffi-devel openssh-clients
[root@jumpserver requirements]# yum install -y `cat rpm_requirements.txt`
```
②. Install the Python library dependencies
Do this in the earlier (py3) [root@jumpserver ~]# window.
Make sure the prompt looks like this:
(py3) [root@jumpserver ~]#
If it does not, run:
```
[root@jumpserver ~]# source /opt/py3/bin/activate
(py3) [root@jumpserver ~]#        # now inside the py3 virtual environment
```
```
(py3) [root@jumpserver ~]# pip -V
pip 9.0.1 from /opt/py3/lib/python3.6/site-packages (python 3.6)
(py3) [root@jumpserver ~]# cd /server/sources/jumpserver/requirements
# install online with pip
(py3) [root@jumpserver requirements]# pip install --upgrade pip -i https://mirrors.aliyun.com/pypi/simple/
(py3) [root@jumpserver requirements]# pip install -r /server/sources/jumpserver/requirements/requirements.txt -i https://mirrors.aliyun.com/pypi/simple/
```
③. Install Redis; Jumpserver uses Redis as its cache and Celery broker
(Note the command-line prompt prefix; none of these commands run in the py3 virtual environment.)
```
[root@jumpserver requirements]# yum -y install redis
[root@jumpserver requirements]# systemctl enable redis
Created symlink from /etc/systemd/system/multi-user.target.wants/redis.service to /usr/lib/systemd/system/redis.service.
[root@jumpserver requirements]# systemctl start redis
```
④. Install MySQL
```
[root@jumpserver requirements]# yum install mariadb mariadb-devel mariadb-server -y
[root@jumpserver requirements]# systemctl enable mariadb; systemctl start mariadb
```
⑤. Create the Jumpserver database and grant privileges
```
[root@jumpserver requirements]# mysql
MariaDB [(none)]> create database jumpserver default charset 'utf8';
MariaDB [(none)]> grant all on jumpserver.* to 'jumpserver'@'127.0.0.1' identified by '123456';
MariaDB [(none)]> exit;
```
⑥. Edit the Jumpserver configuration file
Move the downloaded jumpserver into the app directory.
```
[root@jumpserver requirements]# mkdir -p /server/app
[root@jumpserver requirements]# cd /server/app/
[root@jumpserver app]# cp -r /server/sources/jumpserver/ .
[root@jumpserver app]# ls
jumpserver
[root@jumpserver app]# cd jumpserver
[root@jumpserver jumpserver]# cp config_example.py config.py
[root@jumpserver jumpserver]# vim config.py
# edit the class DevelopmentConfig(Config): section, since that configuration is used by default
class DevelopmentConfig(Config):
    DEBUG = True
    DB_ENGINE = 'mysql'
    DB_HOST = '127.0.0.1'
    DB_PORT = 3306
    DB_USER = 'jumpserver'
    DB_PASSWORD = '123456'
    DB_NAME = 'jumpserver'
```
Final result:
```
[root@jumpserver jumpserver]# cat config.py
"""
    jumpserver.config
    ~~~~~~~~~~~~~~~~~

    Jumpserver project setting file

    :copyright: (c) 2014-2017 by Jumpserver Team
    :license: GPL v2, see LICENSE for more details.
"""
import os

BASE_DIR = os.path.dirname(os.path.abspath(__file__))


class Config:
    # Use it to encrypt or decrypt data
    # SECURITY WARNING: keep the secret key used in production secret!
    SECRET_KEY = os.environ.get('SECRET_KEY') or '2vym+ky!997d5kkcc64mnz06y1mmui3lut#(^wd=%s_qj$1%x'

    # Django security setting, if your disable debug model, you should setting that
    ALLOWED_HOSTS = ['*']

    # Development env open this, when error occur display the full process track, Production disable it
    DEBUG = True

    # DEBUG, INFO, WARNING, ERROR, CRITICAL can set. See https://docs.djangoproject.com/en/1.10/topics/logging/
    LOG_LEVEL = 'DEBUG'
    LOG_DIR = os.path.join(BASE_DIR, 'logs')

    # Database setting, Support sqlite3, mysql, postgres ....
    # See https://docs.djangoproject.com/en/1.10/ref/settings/#databases

    # SQLite setting:
    DB_ENGINE = 'sqlite3'
    DB_NAME = os.path.join(BASE_DIR, 'data', 'db.sqlite3')

    # MySQL or postgres setting like:
    # DB_ENGINE = 'mysql'
    # DB_HOST = '127.0.0.1'
    # DB_PORT = 3306
    # DB_USER = 'root'
    # DB_PASSWORD = ''
    # DB_NAME = 'jumpserver'

    # When Django start it will bind this host and port
    # ./manage.py runserver 127.0.0.1:8080
    HTTP_BIND_HOST = '0.0.0.0'
    HTTP_LISTEN_PORT = 8080

    # Use Redis as broker for celery and web socket
    REDIS_HOST = '127.0.0.1'
    REDIS_PORT = 6379
    REDIS_PASSWORD = ''
    BROKER_URL = 'redis://%(password)s%(host)s:%(port)s/3' % {
        'password': REDIS_PASSWORD,
        'host': REDIS_HOST,
        'port': REDIS_PORT,
    }

    def __init__(self):
        pass

    def __getattr__(self, item):
        return None


#class DevelopmentConfig(Config):
#    pass
class DevelopmentConfig(Config):
    DEBUG = True
    DB_ENGINE = 'mysql'
    DB_HOST = '127.0.0.1'
    DB_PORT = 3306
    DB_USER = 'jumpserver'
    DB_PASSWORD = '123456'
    DB_NAME = 'jumpserver'


class TestConfig(Config):
    pass


class ProductionConfig(Config):
    pass


# Default using Config settings, you can write if/else for different env
config = DevelopmentConfig()
```
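The following check is an added example, not code from the original post or from the Jumpserver project. It parses a config.py like the one above with `ast`, resolves the settings of the class instantiated as `config` (including those inherited from `Config`), and returns the names of settings that are weak for a bastion host: debug mode, wildcard hosts, a literal secret key, a short database password, an empty Redis password and an all-interface bind. The sample text, the function names and the 12-character threshold are assumptions.

```python
import ast

# Constructed sample: a trimmed copy of the settings shown in config.py above.
SAMPLE = '''
class Config:
    SECRET_KEY = os.environ.get('SECRET_KEY') or 'constructed-fallback-key'
    ALLOWED_HOSTS = ['*']
    DEBUG = True
    HTTP_BIND_HOST = '0.0.0.0'
    REDIS_PASSWORD = ''
class DevelopmentConfig(Config):
    DB_PASSWORD = '123456'
config = DevelopmentConfig()
'''

def effective_settings(source):
    """Value nodes of the class instantiated as `config`, bases applied first."""
    tree = ast.parse(source)
    classes = {n.name: n for n in tree.body if isinstance(n, ast.ClassDef)}
    active = next(n.value.func.id for n in tree.body if isinstance(n, ast.Assign)
                  and getattr(n.targets[0], 'id', None) == 'config')
    def collect(name):
        out = {}
        for base in classes[name].bases:   # inherited settings first
            if getattr(base, 'id', None) in classes:
                out.update(collect(base.id))
        for stmt in classes[name].body:    # then this class's own overrides
            if isinstance(stmt, ast.Assign) and isinstance(stmt.targets[0], ast.Name):
                out[stmt.targets[0].id] = stmt.value
        return out
    return collect(active)

def audit(source, min_pw_len=12):  # min_pw_len is an assumed policy value
    nodes = effective_settings(source)
    def lit(name):  # literal value of a setting, or None if absent or computed
        try:
            return ast.literal_eval(nodes[name])
        except (KeyError, ValueError, TypeError, SyntaxError):
            return None
    key = nodes.get('SECRET_KEY')
    fallback = key.values[-1] if isinstance(key, ast.BoolOp) else key
    db_pw = lit('DB_PASSWORD')
    checks = [
        ('DEBUG', lit('DEBUG') is True),
        ('ALLOWED_HOSTS', '*' in (lit('ALLOWED_HOSTS') or [])),
        ('SECRET_KEY', isinstance(fallback, ast.Constant)),  # literal in the file
        ('DB_PASSWORD', isinstance(db_pw, str) and len(db_pw) < min_pw_len),
        ('REDIS_PASSWORD', lit('REDIS_PASSWORD') == ''),
        ('HTTP_BIND_HOST', lit('HTTP_BIND_HOST') == '0.0.0.0'),
    ]
    return [name for name, weak in checks if weak]
```

Run `audit(open('config.py').read())` against the deployed file; a setting read from the environment (for example `os.environ['DB_PASSWORD']`) is not a literal and is therefore not reported.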
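⑦. Create the database schema and initial data
Do this in the (py3) virtual environment, and make sure the earlier pip installation has finished.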
```
(py3) [root@jumpserver jumpserver]# cd /server/app/jumpserver/utils
(py3) [root@jumpserver utils]# bash make_migrations.sh
```
⑧. Run Jumpserver
```
(py3) [root@jumpserver utils]# cd /server/app/jumpserver/
(py3) [root@jumpserver jumpserver]# chmod +x jms
(py3) [root@jumpserver jumpserver]# ./jms start all -d    # -d runs in the background
```
Jumpserver usage: ./jms start|stop|status|restart all
⑨. Access test
http://10.0.0.161:8080/
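Default account: admin
Password: admin
Click Web Terminal on the web page.
You will see the following message, which says that Luna is a separately deployed program, that you need to deploy luna and coco and configure nginx to dispatch URLs, and that seeing this page means you are not accessing the port nginx listens on: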
Luna是單獨部署的一個程序,你須要部署luna,coco,配置nginx作url分發, 若是你看到了這個頁面,證實你訪問的不是nginx監聽的端口,祝你好運
So next we install luna and coco.
**coco implements the SSH Server and Web Terminal Server components, providing SSH and WebSocket interfaces; it is developed with Paramiko and Flask**
```
(py3) [root@jumpserver coco]# cd /server/sources/coco/requirements/
(py3) [root@jumpserver requirements]# yum install `cat rpm_requirements.txt`
(py3) [root@jumpserver requirements]# pip install -r requirements.txt -i https://mirrors.aliyun.com/pypi/simple/
(py3) [root@jumpserver requirements]# cp -r /server/sources/coco/ /server/app/
(py3) [root@jumpserver requirements]# cd /server/app/coco/
(py3) [root@jumpserver coco]# cp conf_example.py conf.py
(py3) [root@jumpserver coco]# chmod +x cocod
(py3) [root@jumpserver coco]# ./cocod start -d
Start coco process
```
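Usage: ./cocod start|stop|status|restart
Luna overview: Luna is now the Web Terminal front end. The plan is for all front-end pages to be provided by this project, with Jumpserver providing only the API and no longer responsible for server-side rendering of HTML and the like.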
```
(py3) [root@jumpserver coco]# cd /server/sources/
(py3) [root@jumpserver sources]# tar xf luna.tar.gz
(py3) [root@jumpserver sources]# cp -r luna /server/app/
```
```
(py3) [root@jumpserver sources]# yum -y install nginx
(py3) [root@jumpserver sources]# vim /etc/nginx/nginx.conf
```
Replace the entire original server{} section.
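**The final result is as follows** (the `grep -Ev "#|^$"` filter hides blank lines and every line that contains a `#`, so any directive followed by a trailing comment does not appear in this output):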
```
(py3) [root@jumpserver nginx]# grep -Ev "#|^$" /etc/nginx/nginx.conf
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
include /usr/share/nginx/modules/*.conf;
events {
    worker_connections 1024;
}
http {
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';
    access_log  /var/log/nginx/access.log  main;
    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    keepalive_timeout   65;
    types_hash_max_size 2048;
    include             /etc/nginx/mime.types;
    default_type        application/octet-stream;
    include /etc/nginx/conf.d/*.conf;
    server {
        listen 80;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        location /luna/ {
            try_files $uri / /index.html;
            alias /server/app/luna/;
        }
        location /media/ {
            add_header Content-Encoding gzip;
            root /server/app/jumpserver/data/;
        }
        location /static/ {
            root /server/app/jumpserver/data/;
        }
        location /socket.io/ {
            proxy_buffering off;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
        }
        location / {
        }
    }
}
```
Syntax check
```
(py3) [root@jumpserver sources]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
```
Start Nginx
```
(py3) [root@jumpserver nginx]# systemctl start nginx
(py3) [root@jumpserver nginx]# systemctl enable nginx
Created symlink from /etc/systemd/system/multi-user.target.wants/nginx.service to /usr/lib/systemd/system/nginx.service.
```
Click on the web page
The default information is fine; just confirm.
Test from the server command-line terminal:
```
(py3) [root@jumpserver nginx]# ssh -p2222 admin@10.0.0.161
The authenticity of host '[10.0.0.161]:2222 ([10.0.0.161]:2222)' can't be established.
RSA key fingerprint is SHA256:8MCnHK0t1yfaxyf6fFq1e93fE9JDBc4hG00OlnWelXY.
RSA key fingerprint is MD5:b5:6d:74:d6:00:90:f4:93:8f:b8:de:33:14:ea:6b:ee.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[10.0.0.161]:2222' (RSA) to the list of known hosts.
admin@10.0.0.161's password:        # enter the admin password: admin
Administrator, 歡迎使用Jumpserver開源跳板機系統
 1) 輸入 ID 直接登陸 或 輸入部分 IP,主機名,備註 進行搜索登陸(若是惟一).
 2) 輸入 / + IP, 主機名 or 備註 搜索. 如: /ip
 3) 輸入 P/p 顯示您有權限的主機.
 4) 輸入 G/g 顯示您有權限的主機組.
 5) 輸入 G/g + 組ID 顯示該組下主機. 如: g1
 6) 輸入 H/h 幫助.
 0) 輸入 Q/q 退出.
```
You can now access it directly at 10.0.0.161, without adding 8080.
The installation is now complete.