Deploying a Jumpserver environment

    Environment recommended by the official documentation

    OS: CentOS 7
    CPU: 64-bit dual-core processor
    RAM: 4 GB DDR3
    Database: MySQL 5.6 or later, or MariaDB 5.5.6 or later

    1. Preparing the environment

    Disable the firewall and SELinux:

    hostname jumpserver
    bash
    systemctl stop firewalld
    iptables -F
    setenforce 0

    Change the locale; otherwise you may get "input/output error", because the logs print Chinese text:

    localedef -c -f UTF-8 -i zh_CN zh_CN.UTF-8
    export LC_ALL=zh_CN.UTF-8
    echo 'LANG="zh_CN.UTF-8"' > /etc/locale.conf

    2. Preparing Python 3 and a Python virtual environment

    Install the dependencies (these lines assume the EPEL release RPM is already in the current directory, and the mv restores a CentOS-Base.repo that had been moved into a backup directory on this machine):

    yum -y install wget gcc git
    rpm -ivh epel-release-latest-7.noarch.rpm
    cd /etc/yum.repos.d/
    mv backup/CentOS-Base.repo ./
    cd

    Install Python 3.6:

    yum -y install python36 python36-devel python-pip

    Create the Python virtual environment

    CentOS 7 ships Python 2, and tools such as yum depend on it. To avoid disturbing the system Python we use a virtual environment:

    cd /opt
    python3.6 -m venv py3
    source /opt/py3/bin/activate

    The prompt below means it worked. Run the source command above before every Jumpserver run; all commands that follow are run inside this virtual environment:

    (py3) [root@jumpserver opt]#

    3. Installing Jumpserver

    Download or clone the project:

    cd /opt/
    git clone --depth=1 https://github.com/jumpserver/jumpserver.git

    Install the RPM dependencies:

    cd /opt/jumpserver/requirements
    yum -y install $(cat rpm_requirements.txt)

    Install the Python dependencies:

    pip install --upgrade pip setuptools -i https://mirrors.aliyun.com/pypi/simple/
    pip install -r requirements.txt -i https://mirrors.aliyun.com/pypi/simple/

    Install Redis; Jumpserver uses it as its cache and as the Celery broker:

    yum -y install redis
    systemctl enable redis
    systemctl start redis

    4. Installing MySQL

    On CentOS 7 this means MariaDB:

    yum -y install mariadb mariadb-devel mariadb-server
    systemctl enable mariadb
    systemctl start mariadb

    Create the jumpserver database and grant access to it, using a randomly generated database password (the grant is limited to connections from 127.0.0.1):

    DB_PASSWORD=$(tr -dc A-Za-z0-9 < /dev/urandom | head -c 24)
    echo -e "\033[31m 你的数据库密码是 $DB_PASSWORD \033[0m"
    mysql -uroot -e "create database jumpserver default charset 'utf8'; grant all on jumpserver.* to 'jumpserver'@'127.0.0.1' identified by '$DB_PASSWORD'; flush privileges;"

    5. Editing the Jumpserver configuration file

    cd /opt/jumpserver
    cp config_example.yml config.yml

    Generate a random SECRET_KEY:

    SECRET_KEY=$(tr -dc A-Za-z0-9 < /dev/urandom | head -c 50)
    echo "SECRET_KEY=$SECRET_KEY" >> ~/.bashrc

    Generate a random BOOTSTRAP_TOKEN:

    BOOTSTRAP_TOKEN=$(tr -dc A-Za-z0-9 < /dev/urandom | head -c 16)
    echo "BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN" >> ~/.bashrc

    Write the values into the configuration file:

    sed -i "s/SECRET_KEY:/SECRET_KEY: $SECRET_KEY/g" /opt/jumpserver/config.yml
    sed -i "s/BOOTSTRAP_TOKEN:/BOOTSTRAP_TOKEN: $BOOTSTRAP_TOKEN/g" /opt/jumpserver/config.yml
    sed -i "s/# DEBUG: true/DEBUG: false/g" /opt/jumpserver/config.yml
    sed -i "s/# LOG_LEVEL: DEBUG/LOG_LEVEL: ERROR/g" /opt/jumpserver/config.yml
    sed -i "s/# SESSION_EXPIRE_AT_BROWSER_CLOSE: false/SESSION_EXPIRE_AT_BROWSER_CLOSE: true/g" /opt/jumpserver/config.yml
    sed -i "s/DB_PASSWORD: /DB_PASSWORD: $DB_PASSWORD/g" /opt/jumpserver/config.yml
    echo -e "\033[31m 你的SECRET_KEY是 $SECRET_KEY \033[0m"
    echo -e "\033[31m 你的BOOTSTRAP_TOKEN是 $BOOTSTRAP_TOKEN \033[0m"

    Check the file for mistakes (the listing below shows the keys without the generated values; after the sed commands SECRET_KEY, BOOTSTRAP_TOKEN and DB_PASSWORD should carry them):

    cat config.yml
    # SECURITY WARNING: keep the secret key used in production secret!
    # Encryption key. Change it to a random string in production and never leak it
    SECRET_KEY:

    # SECURITY WARNING: keep the bootstrap token used in production secret!
    # Pre-shared token used by coco and guacamole to register their service accounts; the old register-and-accept mechanism is no longer used
    BOOTSTRAP_TOKEN:

    # Development env open this, when error occur display the full process track, Production disable it
    # DEBUG mode: with DEBUG on you get more detail in the logs when an error occurs
    DEBUG: false

    # DEBUG, INFO, WARNING, ERROR, CRITICAL can set. See https://docs.djangoproject.com/en/1.10/topics/logging/
    # Log level
    LOG_LEVEL: ERROR
    # LOG_DIR:

    # Session expiration setting, Default 24 hour, Also set expired on on browser close
    # Browser session lifetime, 24 hours by default; can also be set to expire when the browser closes
    # SESSION_COOKIE_AGE: 86400
    SESSION_EXPIRE_AT_BROWSER_CLOSE: true

    # Database setting, Support sqlite3, mysql, postgres ....
    # Database settings
    # See https://docs.djangoproject.com/en/1.10/ref/settings/#databases

    # SQLite setting:
    # Use a single-file sqlite database
    # DB_ENGINE: sqlite3
    # DB_NAME:

    # MySQL or postgres setting like:
    # Use MySQL as the database
    DB_ENGINE: mysql
    DB_HOST: 127.0.0.1
    DB_PORT: 3306
    DB_USER: jumpserver
    DB_PASSWORD:
    DB_NAME: jumpserver

    # When Django start it will bind this host and port
    # ./manage.py runserver 127.0.0.1:8080
    # Host and port bound at runtime
    HTTP_BIND_HOST: 0.0.0.0
    HTTP_LISTEN_PORT: 8080

    # Use Redis as broker for celery and web socket
    # Redis settings
    REDIS_HOST: 127.0.0.1
    REDIS_PORT: 6379
    # REDIS_PASSWORD:
    # REDIS_DB_CELERY: 3
    # REDIS_DB_CACHE: 4

    # Use OpenID authorization
    # OpenID authentication settings
    # BASE_SITE_URL: http://localhost:8080
    # AUTH_OPENID: false  # True or False
    # AUTH_OPENID_SERVER_URL: https://openid-auth-server.com/
    # AUTH_OPENID_REALM_NAME: realm-name
    # AUTH_OPENID_CLIENT_ID: client-id
    # AUTH_OPENID_CLIENT_SECRET: client-secret

    # OTP settings
    # OTP/MFA settings
    # OTP_VALID_WINDOW: 0
    # OTP_ISSUER_NAME: Jumpserver
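    The secret generation, the sed edits and the final "check config.yml" step above can be turned into one repeatable function that fails loudly if a secret is missing. The script below is an added example, not code from the post or from the Jumpserver project: it uses the key names of config_example.yml shown above, while the helper names (gen_secret, set_yaml_key, get_yaml_key, check_jms_config, configure_jumpserver) are this example's own. Unlike the commands above it writes the secrets only into config.yml and does not append them to ~/.bashrc or print them.

```sh
#!/bin/sh
# Added example (not from the post or the Jumpserver project): generate the secrets,
# write them into config.yml and verify the result. Assumes the key names of
# config_example.yml shown above; the helper names below are this example's own.

# gen_secret N: N random characters from [A-Za-z0-9], read from /dev/urandom
gen_secret() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "$1"
}

# set_yaml_key FILE KEY VALUE: set "KEY: VALUE" on the active top-level line that
# starts with "KEY:", whether it is empty ("SECRET_KEY:") or already has a value.
# A key that exists only commented out ("# REDIS_PASSWORD:") is left alone and the
# function returns 1, so nothing gets enabled by accident. VALUE must not contain
# sed's special characters (#, &, \); the alphanumeric secrets from gen_secret are safe.
set_yaml_key() {
    file=$1; key=$2; value=$3
    grep -q "^${key}:" "$file" || return 1
    sed -i "s#^${key}:.*#${key}: ${value}#" "$file"
}

# get_yaml_key FILE KEY: print the value of an active top-level key ("" if empty)
get_yaml_key() {
    sed -n "s/^$2:[[:space:]]*//p" "$1" | head -n 1
}

# check_jms_config FILE: return 0 only if every secret has a value and DEBUG is false
check_jms_config() {
    file=$1; rc=0
    for key in SECRET_KEY BOOTSTRAP_TOKEN DB_PASSWORD; do
        if [ -z "$(get_yaml_key "$file" "$key")" ]; then
            echo "config check: $key has no value" >&2
            rc=1
        fi
    done
    if [ "$(get_yaml_key "$file" DEBUG)" != "false" ]; then
        echo "config check: DEBUG must be false outside development" >&2
        rc=1
    fi
    return "$rc"
}

# configure_jumpserver FILE: the step above as one function. DB_PASSWORD is taken
# from the environment (it was generated in step 4); the other two are generated here.
# Returns non-zero if the resulting file fails check_jms_config.
configure_jumpserver() {
    file=$1
    set_yaml_key "$file" SECRET_KEY "$(gen_secret 50)"
    set_yaml_key "$file" BOOTSTRAP_TOKEN "$(gen_secret 16)"
    set_yaml_key "$file" DB_PASSWORD "$DB_PASSWORD"
    # DEBUG ships commented out ("# DEBUG: true"); activate it as false, as the post does
    sed -i 's/^# DEBUG: true/DEBUG: false/' "$file"
    check_jms_config "$file"
}

# Usage on the real file, after cp config_example.yml config.yml in /opt/jumpserver:
#   DB_PASSWORD=... configure_jumpserver /opt/jumpserver/config.yml && ./jms start all -d
```

    Because configure_jumpserver only edits lines that are already active, a typo in a key name or a template whose keys were renamed shows up as a failed check rather than as a half-configured file.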

    6. Running Jumpserver

    Newer versions ship a new run script, used as ./jms start|stop|status all; add -d to run in the background:

    cd /opt/jumpserver
    ./jms start all -d

    7. Installing the SSH server and WebSocket server: Coco

    Download or clone the project:

    cd /opt
    source /opt/py3/bin/activate
    git clone --depth=1 https://github.com/jumpserver/coco.git

    Install the dependencies:

    cd /opt/coco/requirements
    yum -y install $(cat rpm_requirements.txt)
    pip install -r requirements.txt -i https://mirrors.aliyun.com/pypi/simple/

    Edit the configuration file and run it. The placeholder <PleasgeChangeSameWithJumpserver>, typo included, is what config_example.yml actually contains, so the sed pattern has to match it as written:

    cd /opt/coco
    cp config_example.yml config.yml
    sed -i "s/BOOTSTRAP_TOKEN: <PleasgeChangeSameWithJumpserver>/BOOTSTRAP_TOKEN: $BOOTSTRAP_TOKEN/g" /opt/coco/config.yml
    sed -i "s/# LOG_LEVEL: INFO/LOG_LEVEL: ERROR/g" /opt/coco/config.yml

    View the configuration file (shown here before the token is substituted; after the sed above BOOTSTRAP_TOKEN holds the same value as in the Jumpserver config):

    cat config.yml
    # Project name, used to register with Jumpserver; only an identifier, but it must be unique
    # NAME: {{ Hostname }}

    # URL of the Jumpserver project, used by the API registration request
    CORE_HOST: http://127.0.0.1:8080

    # Bootstrap Token, a pre-shared secret used to register coco's service account and terminal
    # Keep it identical to the one in the jumpserver config file; it can be removed once registration is done
    BOOTSTRAP_TOKEN: <PleasgeChangeSameWithJumpserver>

    # IP to bind at startup, default 0.0.0.0
    # BIND_HOST: 0.0.0.0

    # SSH port to listen on, default 2222
    # SSHD_PORT: 2222

    # HTTP/WS port to listen on, default 5000
    # HTTPD_PORT: 5000

    # ACCESS KEY used by the project; registered automatically by default and saved to ACCESS_KEY_STORE.
    # It can be written into the config file if needed, in the form access_key_id:access_key_secret
    # ACCESS_KEY: null

    # Where the ACCESS KEY is saved; by default it is written to this file after registration
    # ACCESS_KEY_STORE: data/keys/.access_key

    # Encryption key
    # SECRET_KEY: null

    # Log level [DEBUG, INFO, WARN, ERROR, FATAL, CRITICAL]
    LOG_LEVEL: ERROR

    # Log directory
    # LOG_DIR: logs

    # SSH whitelist
    # ALLOW_SSH_USER: all

    # SSH blacklist; if a user is in both lists, the blacklist wins
    # BLOCK_SSH_USER:
    #   -

    # Heartbeat interval to Jumpserver
    # HEARTBEAT_INTERVAL: 5

    # Admin name, shown to users when something goes wrong
    # ADMINS: ''

    # SSH connection timeout (default 15 seconds)
    # SSH_TIMEOUT: 15

    # Language [en, zh]
    # LANGUAGE_CODE: zh

    # SFTP root directory: /tmp, Home or another custom directory
    # SFTP_ROOT: /tmp

    # Whether SFTP shows hidden files
    # SFTP_SHOW_HIDDEN_FILE: false

    Newer versions ship a new run script, used as ./cocod start|stop|status; add -d to run in the background:

    ./cocod start -d

    7. Installing the web terminal front end: Luna

    Luna is now a pure front-end application and needs Nginx to serve it.

    Download the release package for the matching version from https://github.com/jumpserver/luna/releases and unpack it; no build step is needed:

    cd /opt
    wget https://demo.jumpserver.org/download/luna/1.4.9/luna.tar.gz
    tar xf luna.tar.gz
    chown -R root:root luna

    8. Installing the Windows support components

    Install the dependencies (note that --nogpgcheck skips signature verification of the rpmfusion release packages):

    rpm --import http://li.nux.ro/download/nux/RPM-GPG-KEY-nux.ro
    rpm -Uvh http://li.nux.ro/download/nux/dextop/el7/x86_64/nux-dextop-release-0-5.el7.nux.noarch.rpm
    yum -y localinstall --nogpgcheck https://download1.rpmfusion.org/free/el/rpmfusion-free-release-7.noarch.rpm https://download1.rpmfusion.org/nonfree/el/rpmfusion-nonfree-release-7.noarch.rpm

    yum install -y java-1.8.0-openjdk libtool
    yum install -y cairo-devel libjpeg-turbo-devel libpng-devel uuid-devel
    yum install -y ffmpeg-devel freerdp-devel freerdp-plugins pango-devel libssh2-devel libtelnet-devel libvncserver-devel pulseaudio-libs-devel openssl-devel libvorbis-devel libwebp-devel ghostscript uuid-devel
    ln -s /usr/local/lib/freerdp/*.so /usr/lib64/freerdp

    Build and install the guacamole server (this package is hard to download):

    cd /opt
    git clone --depth=1 https://github.com/jumpserver/docker-guacamole.git
    cd /opt/docker-guacamole/
    tar -xf guacamole-server-1.0.0.tar.gz
    cd guacamole-server-1.0.0
    autoreconf -fi
    ./configure --with-init-dir=/etc/init.d
    make && make install
    cd ..
    rm -rf guacamole-server-1.0.0
    ldconfig

    Configure Tomcat

    Create the guacamole directories:

    mkdir -p /config/guacamole /config/guacamole/lib /config/guacamole/extensions
    ln -sf /opt/docker-guacamole/guacamole-auth-jumpserver-0.9.14.jar /config/guacamole/extensions/guacamole-auth-jumpserver-0.9.14.jar

    guacamole configuration file:

    ln -sf /opt/docker-guacamole/root/app/guacamole/guacamole.properties /config/guacamole/guacamole.properties

    Fetch and deploy Tomcat. The version in the directory part of the wget URL (v8.5.40) and in the file name (8.5.16) must refer to the same release, and the mirror only keeps current releases, so check what is actually available before running this:

    cd /config
    wget http://mirrors.tuna.tsinghua.edu.cn/apache/tomcat/tomcat-8/v8.5.40/bin/apache-tomcat-8.5.16.tar.gz
    tar xf apache-tomcat-8.5.16.tar.gz
    rm -rf apache-tomcat-8.5.16.tar.gz
    mv apache-tomcat-8.5.16 /config/tomcat8
    rm -rf /config/tomcat8/webapps/*

    guacamole client:

    ln -sf /opt/docker-guacamole/guacamole-0.9.14.war /config/tomcat8/webapps/ROOT.war

    Change the default port to 8081:

    sed -i 's/Connector port="8080"/Connector port="8081"/g' /config/tomcat8/conf/server.xml

    Set the log level to WARNING:

    sed -i 's/FINE/WARNING/g' /config/tomcat8/conf/logging.properties

    cd /config
    wget https://demo.jumpserver.org/download/ssh-forward/v0.0.5/linux-amd64.tar.gz
    tar xf linux-amd64.tar.gz -C /bin/
    chmod +x /bin/ssh-forward

    Configure the environment variables

    Do not run the following block more than once, since every run appends to ~/.bashrc. http://127.0.0.1:8080 is the Jumpserver address:

    export JUMPSERVER_SERVER=http://127.0.0.1:8080
    echo "export JUMPSERVER_SERVER=http://127.0.0.1:8080" >> ~/.bashrc

    BOOTSTRAP_TOKEN is the BOOTSTRAP_TOKEN from jumpserver/config.yml:

    export BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN
    echo "export BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN" >> ~/.bashrc
    export JUMPSERVER_KEY_DIR=/config/guacamole/keys
    echo "export JUMPSERVER_KEY_DIR=/config/guacamole/keys" >> ~/.bashrc
    export GUACAMOLE_HOME=/config/guacamole
    echo "export GUACAMOLE_HOME=/config/guacamole" >> ~/.bashrc

    Start Guacamole:

    /etc/init.d/guacd start
    sh /config/tomcat8/bin/startup.sh
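    The warning above exists because each echo appends blindly to ~/.bashrc, so a second run leaves duplicate lines and a rotated BOOTSTRAP_TOKEN leaves the old one behind it. The following added example (mine, not part of the post or the Jumpserver project) makes the same step idempotent: set_export removes any earlier export line for the variable and appends the current one once. The variable names and values are the ones the post sets; the helper names are this example's own.

```sh
#!/bin/sh
# Added example (not from the post): write the Guacamole environment variables to a
# shell rc file idempotently. Variable names and values are the ones the post uses;
# the helper names are this example's own.

# append_once FILE LINE: append LINE unless an identical line is already present
append_once() {
    file=$1; line=$2
    [ -f "$file" ] || : > "$file"
    grep -qxF -- "$line" "$file" || printf '%s\n' "$line" >> "$file"
}

# set_export FILE NAME VALUE: drop any previous "export NAME=..." line, then add the
# current one once, so a re-run or a rotated token leaves exactly one live line
set_export() {
    file=$1; name=$2; value=$3
    [ -f "$file" ] && sed -i "/^export ${name}=/d" "$file"
    append_once "$file" "export ${name}=${value}"
}

# count_exports FILE NAME: number of "export NAME=" lines in FILE (should be 0 or 1)
count_exports() {
    grep -c "^export $2=" "$1" 2>/dev/null || true
}

# install_guacamole_env RCFILE TOKEN: the four variables from the post, written once
install_guacamole_env() {
    rcfile=$1; token=$2
    set_export "$rcfile" JUMPSERVER_SERVER http://127.0.0.1:8080
    set_export "$rcfile" BOOTSTRAP_TOKEN "$token"
    set_export "$rcfile" JUMPSERVER_KEY_DIR /config/guacamole/keys
    set_export "$rcfile" GUACAMOLE_HOME /config/guacamole
}

# Usage (safe to repeat): install_guacamole_env ~/.bashrc "$BOOTSTRAP_TOKEN" && . ~/.bashrc
```

    count_exports is the check to run afterwards: anything other than 1 for BOOTSTRAP_TOKEN means the rc file still carries stale or duplicate lines from the manual echo commands.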

    9. Configuring Nginx to tie the components together

    Install Nginx:

    yum -y install yum-utils
    rpm -ivh http://nginx.org/packages/centos/7/noarch/RPMS/nginx-release-centos-7-0.el7.ngx.noarch.rpm
    yum makecache fast
    yum install -y nginx
    rm -rf /etc/nginx/conf.d/default.conf
    systemctl enable nginx

    Prepare the configuration file /etc/nginx/conf.d/jumpserver.conf:

    vim /etc/nginx/conf.d/jumpserver.conf

    server {
        # Proxy port; from now on access goes through this port, no longer through 8080
        listen 80;
        # Change to your domain name, or comment it out
        # server_name demo.jumpserver.org;
        # Size limit for recordings and file uploads
        client_max_body_size 100m;

        location /luna/ {
            try_files $uri / /index.html;
            # luna path; change this if the install directory changes
            alias /opt/luna/;
        }

        location /media/ {
            add_header Content-Encoding gzip;
            # Recording location; change this if the install directory changes
            root /opt/jumpserver/data/;
        }

        location /static/ {
            # Static assets; change this if the install directory changes
            root /opt/jumpserver/data/;
        }

        location /socket.io/ {
            # If coco is installed on another server, put its IP here
            proxy_pass       http://localhost:5000/socket.io/;
            proxy_buffering off;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            access_log off;
        }

        location /coco/ {
            # If coco is installed on another server, put its IP here
            proxy_pass       http://localhost:5000/coco/;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            access_log off;
        }

        location /guacamole/ {
            # If guacamole is installed on another server, put its IP here
            proxy_pass       http://localhost:8081/;
            proxy_buffering off;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $http_connection;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            access_log off;
        }

        location / {
            # If jumpserver is installed on another server, put its IP here
            proxy_pass http://localhost:8080;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }

    Run Nginx:

    nginx -t
    systemctl start nginx
    systemctl enable nginx
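    nginx -t only validates the syntax; it does not tell you whether Jumpserver (8080), Coco (5000) and Tomcat/Guacamole (8081) are actually listening, and a 502 on /luna, /coco or /guacamole after this step is almost always a component that was not started. The added example below (not from the post or the Jumpserver project) pulls the proxy_pass targets out of a conf file and probes each one; function names are this example's own, and it assumes the http://host:port[/path] form of the proxy_pass lines shown above and bash for the /dev/tcp probe.

```bash
#!/bin/bash
# Added example: list the proxy_pass backends in an nginx conf and check that each one
# accepts a TCP connection. Assumes the http://host:port[/path] form used in
# jumpserver.conf above; helper names are this example's own.

# list_upstreams CONF: print each distinct host:port that appears in a proxy_pass directive
list_upstreams() {
    sed -n 's#^[[:space:]]*proxy_pass[[:space:]]*http://\([^/;[:space:]]*\).*#\1#p' "$1" | sort -u
}

# port_open HOST PORT: succeed if a TCP connection can be opened (bash /dev/tcp, no nc needed).
# A refused connection on localhost fails immediately; a filtered remote host waits for the
# kernel's connect timeout.
port_open() {
    ( exec 3<>"/dev/tcp/$1/$2" ) 2>/dev/null
}

# check_upstreams CONF: print up/DOWN per backend; return 1 if any backend is not reachable
check_upstreams() {
    rc=0
    for hp in $(list_upstreams "$1"); do
        host=${hp%:*}
        port=${hp##*:}
        if port_open "$host" "$port"; then
            echo "up    $hp"
        else
            echo "DOWN  $hp"
            rc=1
        fi
    done
    return $rc
}

# Usage on the real file: check_upstreams /etc/nginx/conf.d/jumpserver.conf && nginx -t
```

    Run it before systemctl start nginx and again whenever a location starts returning 502: the DOWN line names the component to restart (./jms, ./cocod or Tomcat).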

    10. Using Jumpserver

    Open http://192.168.200.111 in a browser. Default account: admin, password: admin.

    In Jumpserver, go to Sessions > Terminals (会话管理-终端管理) and check that Coco, Guacamole and the other applications have registered.

    11. Testing the connection

    1. If the client is macOS or Linux, log in with:

    ssh -p2222 admin@IP
    sftp -P2222 admin@IP
    Password: admin

    2. If the client is Windows, the Xshell terminal syntax is:

    $ ssh admin@IP 2222
    $ sftp admin@IP 2222
    Password: admin

    [root@localhost ~]# ssh -p2222 admin@192.168.200.111
    The authenticity of host '[192.168.200.111]:2222 ([192.168.200.111]:2222)' can't be established.
    RSA key fingerprint is SHA256:nFzD9nQeSYjrS2n20ZvglhauaiWuRUPU7tWyVDeRNE4.
    RSA key fingerprint is MD5:2f:72:d6:94:c6:d0:f1:90:9e:df:68:99:67:48:26:13.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added '[192.168.200.111]:2222' (RSA) to the list of known hosts.
    admin@192.168.200.111's password:

                        Administrator, 欢迎使用Jumpserver开源跳板机系统

             1) 输入 ID 直接登录 输入部分 IP,主机名,备注 进行搜索登录(如果唯一).
             2) 输入 / + IP, 主机名 or 备注 搜索. 如: /ip
             3) 输入 p 显示您有权限的主机.
             4) 输入 g 显示您有权限的节点.
             5) 输入 g + 节点ID 显示节点下主机. 如: g1
             6) 输入 s 中/英文切换.
             7) 输入 h 帮助.
             8) 输入 r 刷新最新的机器和节点信息.
             0) 输入 q 退出.

    Opt>

    If you can log in, the deployment succeeded.

    # By default, sftp uploads land in the asset's /tmp directory
    # Files dragged and dropped in a Windows session land on the G drive of the asset's Guacamole RDP session

    Original source: https://www.cnblogs.com/2567xl/p/11767659.html