    jumpserver_install

    Open-source bastion host: jumpserver

    Test environment: CentOS 7.2

    • CPU: 1C 5U
    • Memory: 4G DDR3
    • Database: MySQL 5.6 or later, or MariaDB 5.5.6 or later

    1 Prepare Python 3 and a Python virtual environment
    1.1 Install dependencies, configure SELinux and the firewall

    # nginx port
    firewall-cmd --zone=public --add-port=80/tcp --permanent
    # SSH login port for users (coco)
    firewall-cmd --zone=public --add-port=2222/tcp --permanent
    
    # Reload the rules
    firewall-cmd --reload
    
    # Switch SELinux to permissive now and disable it permanently. Note that this
    # removes a host-hardening control on the bastion itself.
    setenforce 0
    sed -i "s/SELINUX=enforcing/SELINUX=disabled/g" /etc/selinux/config
    
    # Set the locale, otherwise the logs (which contain Chinese text) can trigger
    # an input/output error
    localedef -c -f UTF-8 -i zh_CN zh_CN.UTF-8
    export LC_ALL=zh_CN.UTF-8
    echo 'LANG="zh_CN.UTF-8"' > /etc/locale.conf
    ### Install dependency packages
    [root@localhost ~]# yum -y install wget gcc epel-release git
    

      

    1.2 Install Python 3.6 and create the Python virtual environment

    ### Install Python 3.6
    [root@localhost ~]# yum -y install python36 python36-devel
    
    
    ### Create the Python virtual environment
    [root@localhost ~]# cd /opt/
    [root@localhost opt]# python3.6 -m venv py3
    [root@localhost opt]# source /opt/py3/bin/activate
    # The prompt below means it worked. From now on, run the source command above
    # before running Jumpserver; every command that follows runs inside this venv
    (py3) [root@localhost opt]#
    

      

    2 Install Jumpserver
    2.1 Install the RPM dependencies and the Python libraries

    ### Download or clone the project
    (py3) [root@localhost opt]# git clone https://github.com/jumpserver/jumpserver.git
    
    ### Install the RPM dependencies
    (py3) [root@localhost opt]# cd /opt/jumpserver/requirements
    # If there are no errors, continue
    (py3) [root@localhost requirements]# yum -y install $(cat rpm_requirements.txt)
    
    ### Install the Python libraries
    (py3) [root@localhost requirements]# pip install --upgrade pip setuptools
    
    # This takes a while; be patient
    (py3) [root@localhost requirements]# pip install -r requirements.txt

    Error reported by pip's dependency check (pip versions before 20.3 print this as a warning after the install has completed):

    django-radius 1.3.3 has requirement future==0.16.0, but you'll have future 0.17.1 which is incompatible.

    2.2 Install Redis

    Jumpserver uses Redis as its cache and as the Celery broker
    
    ### Install Redis
    (py3) [root@localhost requirements]# yum -y install redis
    
    (py3) [root@localhost requirements]# systemctl enable redis
    # enable only registers the unit for boot; start the service now as well
    (py3) [root@localhost requirements]# systemctl start redis
    

      

    2.3 MySQL

    ### Install MySQL
    # On CentOS 7 this installs MariaDB
    (py3) [root@localhost requirements]# yum -y install mariadb mariadb-devel mariadb-server
    
    (py3) [root@localhost requirements]# systemctl enable mariadb
     
    (py3) [root@localhost requirements]# systemctl start mariadb
    
    
    ### Create the database and grant access
    # Generate a random database password
    # DB_PASSWORD=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 24`
    # echo -e "\033[31m Your database password is $DB_PASSWORD \033[0m"
    # The grant is limited to 'jumpserver'@'127.0.0.1', so the account cannot be used from other hosts
    # mysql -uroot -e "create database jumpserver default charset 'utf8'; grant all on jumpserver.* to 'jumpserver'@'127.0.0.1' identified by '$DB_PASSWORD'; flush privileges;"
    
    
    ### Edit the jumpserver config file
    (py3) [root@localhost requirements]# cd /opt/jumpserver
    (py3) [root@localhost jumpserver]# cp config_example.yml config.yml
    
    # Generate a random SECRET_KEY
    # SECRET_KEY=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 50`
    # echo "SECRET_KEY=$SECRET_KEY" >> ~/.bashrc
    
    # Generate a random BOOTSTRAP_TOKEN
    # BOOTSTRAP_TOKEN=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 16`
    # echo "BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN" >> ~/.bashrc
    # Note: this leaves both secrets in plain text in root's ~/.bashrc (the coco and
    # guacamole steps later read $BOOTSTRAP_TOKEN from the shell)
    
    # sed -i "s/SECRET_KEY:/SECRET_KEY: $SECRET_KEY/g" /opt/jumpserver/config.yml
    # sed -i "s/BOOTSTRAP_TOKEN:/BOOTSTRAP_TOKEN: $BOOTSTRAP_TOKEN/g" /opt/jumpserver/config.yml
    # sed -i "s/# DEBUG: true/DEBUG: false/g" /opt/jumpserver/config.yml
    # sed -i "s/# LOG_LEVEL: DEBUG/LOG_LEVEL: ERROR/g" /opt/jumpserver/config.yml
    # sed -i "s/# SESSION_EXPIRE_AT_BROWSER_CLOSE: false/SESSION_EXPIRE_AT_BROWSER_CLOSE: true/g" /opt/jumpserver/config.yml
    # sed -i "s/DB_PASSWORD: /DB_PASSWORD: $DB_PASSWORD/g" /opt/jumpserver/config.yml
    # echo -e "\033[31m Your SECRET_KEY is $SECRET_KEY \033[0m"
    # echo -e "\033[31m Your BOOTSTRAP_TOKEN is $BOOTSTRAP_TOKEN \033[0m"
    

      

    2.4 Run jumpserver

    ### Start; there should be no errors
    (py3) [root@localhost jumpserver]# ./jms start all -d
    

    3 Install the SSH Server and WebSocket Server: Coco

    ### Download / clone the project
    (py3) [root@localhost opt]# cd /opt
    (py3) [root@localhost opt]# source /opt/py3/bin/activate
    # git clone https://github.com/jumpserver/coco.git
    
    ### Install dependencies
    (py3) [root@localhost opt]# cd /opt/coco/requirements
    (py3) [root@localhost requirements]# yum -y install $(cat rpm_requirements.txt)
    (py3) [root@localhost requirements]# pip install -r requirements.txt
    
    ### Edit the config file and run
    (py3) [root@localhost requirements]# cd /opt/coco
    (py3) [root@localhost coco]# cp config_example.yml config.yml
    # BOOTSTRAP_TOKEN must be the same value as in jumpserver's config.yml; the sed
    # pattern has to match the placeholder line exactly as it appears in config_example.yml
    # sed -i "s/BOOTSTRAP_TOKEN: <PleasgeChangeSameWithJumpserver>/BOOTSTRAP_TOKEN: $BOOTSTRAP_TOKEN/g" /opt/coco/config.yml
    
    # sed -i "s/# LOG_LEVEL: INFO/LOG_LEVEL: ERROR/g" /opt/coco/config.yml
    
    
    ### Start
    # To run in the background add the -d option: ./cocod start -d
    (py3) [root@localhost coco]# ./cocod start -d
    Use eventlet dispatch
    Start coco process
    # Newer versions changed the run script; usage is ./cocod start|stop|status, add -d to run in the background
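The secret-generation and sed steps from 2.3 and the matching BOOTSTRAP_TOKEN step for coco above, done as one checked script. This is an added example, not the post's commands and not code from either project: the two sample config writers create constructed stand-ins holding only the keys the post's sed commands touch (they are not the real config_example.yml files), and the checks use the lengths the post generates (50, 16 and 24 characters) plus the requirement that both tokens agree.

```shell
#!/usr/bin/env bash
# Added example (not from the post, not project code): generate the secrets,
# write them into jumpserver and coco configs, then verify the result.
# The sample config writers produce CONSTRUCTED stand-ins, not the projects'
# real config_example.yml files.
set -eu

# N random alphanumeric characters (same alphabet the post uses). A fixed
# chunk of urandom is read first so the pipeline is clean under pipefail.
rand_alnum() {
    head -c 8192 /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9' | head -c "$1"
}

# Constructed stand-in for /opt/jumpserver/config_example.yml
write_sample_jumpserver_config() {
    cat > "$1" <<'EOF'
SECRET_KEY:
BOOTSTRAP_TOKEN:
# DEBUG: true
# LOG_LEVEL: DEBUG
# SESSION_EXPIRE_AT_BROWSER_CLOSE: false
DB_PASSWORD:
EOF
}

# Constructed stand-in for /opt/coco/config_example.yml
write_sample_coco_config() {
    cat > "$1" <<'EOF'
CORE_HOST: http://127.0.0.1:8080
BOOTSTRAP_TOKEN: <PleasgeChangeSameWithJumpserver>
# LOG_LEVEL: INFO
EOF
}

# $1 config file, $2 SECRET_KEY, $3 BOOTSTRAP_TOKEN, $4 DB_PASSWORD.
# Anchored patterns replace the whole line, so a key that already has a
# value is overwritten instead of having the new value glued onto it.
apply_jumpserver_secrets() {
    sed -i \
        -e "s|^SECRET_KEY:.*|SECRET_KEY: $2|" \
        -e "s|^BOOTSTRAP_TOKEN:.*|BOOTSTRAP_TOKEN: $3|" \
        -e "s|^DB_PASSWORD:.*|DB_PASSWORD: $4|" \
        -e "s|^# DEBUG: true|DEBUG: false|" \
        -e "s|^# LOG_LEVEL: DEBUG|LOG_LEVEL: ERROR|" \
        -e "s|^# SESSION_EXPIRE_AT_BROWSER_CLOSE: false|SESSION_EXPIRE_AT_BROWSER_CLOSE: true|" \
        "$1"
}

# $1 coco config file, $2 the SAME BOOTSTRAP_TOKEN jumpserver was given.
apply_coco_secrets() {
    sed -i \
        -e "s|^BOOTSTRAP_TOKEN:.*|BOOTSTRAP_TOKEN: $2|" \
        -e "s|^# LOG_LEVEL: INFO|LOG_LEVEL: ERROR|" \
        "$1"
}

# Print the value of a top-level "KEY: value" line ($1 file, $2 key).
yaml_value() {
    sed -n "s|^$2: *||p" "$1"
}

# Pre-start checks: every secret present with the expected length, coco's
# placeholder gone, tokens identical, DEBUG off. Returns 1 on first failure.
verify_configs() {
    local jms="$1" coco="$2" key tok pw
    key=$(yaml_value "$jms" SECRET_KEY)
    tok=$(yaml_value "$jms" BOOTSTRAP_TOKEN)
    pw=$(yaml_value "$jms" DB_PASSWORD)
    [ "${#key}" -ge 50 ] || { echo "SECRET_KEY shorter than 50" >&2; return 1; }
    [ "${#tok}" -ge 16 ] || { echo "BOOTSTRAP_TOKEN shorter than 16" >&2; return 1; }
    [ "${#pw}"  -ge 24 ] || { echo "DB_PASSWORD shorter than 24" >&2; return 1; }
    [ "$(yaml_value "$coco" BOOTSTRAP_TOKEN)" = "$tok" ] \
        || { echo "coco and jumpserver BOOTSTRAP_TOKEN differ" >&2; return 1; }
    ! grep -q 'PleasgeChangeSameWithJumpserver' "$coco" \
        || { echo "placeholder token still present in coco" >&2; return 1; }
    grep -q '^DEBUG: false$' "$jms" || { echo "DEBUG not disabled" >&2; return 1; }
}

# $1 = working directory. Writes both sample configs, fills them in and prints
# the BOOTSTRAP_TOKEN once. Unlike the post, nothing is appended to ~/.bashrc;
# the secrets live only in the config files, readable by the owner alone.
setup_demo() {
    local dir="$1" secret token dbpw
    write_sample_jumpserver_config "$dir/jumpserver.yml"
    write_sample_coco_config "$dir/coco.yml"
    secret=$(rand_alnum 50); token=$(rand_alnum 16); dbpw=$(rand_alnum 24)
    apply_jumpserver_secrets "$dir/jumpserver.yml" "$secret" "$token" "$dbpw"
    apply_coco_secrets "$dir/coco.yml" "$token"
    chmod 600 "$dir/jumpserver.yml" "$dir/coco.yml"
    echo "$token"
}

demo_dir=$(mktemp -d)
setup_demo "$demo_dir" >/dev/null
verify_configs "$demo_dir/jumpserver.yml" "$demo_dir/coco.yml" && echo "configs verified in $demo_dir"
```

To use it against the real files, point the two apply functions at /opt/jumpserver/config.yml and /opt/coco/config.yml instead of the constructed samples, and run verify_configs before ./jms start and ./cocod start; it exits non-zero and names the first check that failed.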
    

      

    4 Install the Web Terminal frontend: Luna

    ## Luna is now a pure frontend and needs Nginx to serve it
    Download the release package for the matching version from https://github.com/jumpserver/luna/releases and unpack it; no build step is needed
    ### Download and unpack
    (py3) [root@localhost coco]# cd /opt
    # wget https://github.com/jumpserver/luna/releases/download/1.4.9/luna.tar.gz
    (py3) [root@localhost opt]# tar xf luna.tar.gz
    (py3) [root@localhost opt]# chown -R root:root luna
    

      

    5 Install the Windows support components

    ### Install dependencies
    [root@localhost opt]# mkdir /usr/local/lib/freerdp/
    [root@localhost opt]# ln -s /usr/local/lib/freerdp /usr/lib64/freerdp
    # The nux-dextop signing key is fetched over plain HTTP; check its fingerprint before trusting it
    [root@localhost opt]# rpm --import http://li.nux.ro/download/nux/RPM-GPG-KEY-nux.ro
    
    [root@localhost opt]# rpm -Uvh http://li.nux.ro/download/nux/dextop/el7/x86_64/nux-dextop-release-0-5.el7.nux.noarch.rpm
    
    
    # --nogpgcheck skips signature verification of the rpmfusion release packages
    [root@localhost opt]# yum -y localinstall --nogpgcheck https://download1.rpmfusion.org/free/el/rpmfusion-free-release-7.noarch.rpm https://download1.rpmfusion.org/nonfree/el/rpmfusion-nonfree-release-7.noarch.rpm
    
    [root@localhost opt]# yum install -y java-1.8.0-openjdk libtool
    [root@localhost opt]# yum install -y cairo-devel libjpeg-turbo-devel libpng-devel uuid-devel
    
    [root@localhost opt]# yum install -y ffmpeg-devel freerdp-devel freerdp-plugins pango-devel libssh2-devel libtelnet-devel libvncserver-devel pulseaudio-libs-devel openssl-devel libvorbis-devel libwebp-devel ghostscript
    
    
    ### Build and install the guacamole server
    [root@localhost opt]# cd /opt
    [root@localhost opt]# git clone https://github.com/jumpserver/docker-guacamole.git
    
    [root@localhost opt]# cd /opt/docker-guacamole/
    [root@localhost docker-guacamole]# tar -xf guacamole-server-0.9.14.tar.gz
    [root@localhost docker-guacamole]# cd guacamole-server-0.9.14
    [root@localhost guacamole-server-0.9.14]# autoreconf -fi
    
    # ./configure --with-init-dir=/etc/init.d
    # make && make install
    # cd .. && rm -rf guacamole-server-0.9.14
    # ldconfig
    
    ### Configure Tomcat
    # Create the guacamole directories
    # mkdir -p /config/guacamole /config/guacamole/lib /config/guacamole/extensions
    # ln -sf /opt/docker-guacamole/guacamole-auth-jumpserver-0.9.14.jar /config/guacamole/extensions/guacamole-auth-jumpserver-0.9.14.jar
    
    # guacamole config file
    # ln -sf /opt/docker-guacamole/root/app/guacamole/guacamole.properties /config/guacamole/guacamole.properties
    
    # The Tomcat tarball comes from a mirror over plain HTTP; verify it against the checksum/signature Apache publishes
    # cd /config && wget http://mirror.bit.edu.cn/apache/tomcat/tomcat-8/v8.5.39/bin/apache-tomcat-8.5.39.tar.gz
    # tar xf apache-tomcat-8.5.39.tar.gz && rm -rf apache-tomcat-8.5.39.tar.gz
    # mv apache-tomcat-8.5.39 tomcat8
    # rm -rf /config/tomcat8/webapps/*
    
    # guacamole client
    # ln -sf /opt/docker-guacamole/guacamole-0.9.14.war /config/tomcat8/webapps/ROOT.war
    # Change the default port to 8081
    # sed -i 's/Connector port="8080"/Connector port="8081"/g' /config/tomcat8/conf/server.xml
    # Set the log level to WARNING
    # sed -i 's/FINE/WARNING/g' /config/tomcat8/conf/logging.properties
    # ssh-forward is a prebuilt third-party binary installed into /bin; pin the release and verify what you fetch
    # cd /config && wget https://github.com/ibuler/ssh-forward/releases/download/v0.0.5/linux-amd64.tar.gz
    
    # tar xf linux-amd64.tar.gz -C /bin/
    # chmod +x /bin/ssh-forward
    
    ### Set the environment variables
    # http://127.0.0.1:8080 is the jumpserver address
    # export JUMPSERVER_SERVER=http://127.0.0.1:8080
    # echo "export JUMPSERVER_SERVER=http://127.0.0.1:8080" >> ~/.bashrc
    
    # BOOTSTRAP_TOKEN is the BOOTSTRAP_TOKEN from jumpserver's config.yml
    # export BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN
    # echo "export BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN" >> ~/.bashrc
    # export JUMPSERVER_KEY_DIR=/config/guacamole/keys
    # echo "export JUMPSERVER_KEY_DIR=/config/guacamole/keys" >> ~/.bashrc
    # export GUACAMOLE_HOME=/config/guacamole
    # echo "export GUACAMOLE_HOME=/config/guacamole" >> ~/.bashrc
    
    ### Start Guacamole
    # /etc/init.d/guacd start
     
    # sh /config/tomcat8/bin/startup.sh
    

      

    6 Configure Nginx to tie the components together

    ### Install nginx
    # yum install yum-utils
    # vi /etc/yum.repos.d/nginx.repo
    
    # yum install -y nginx
    # rm -rf /etc/nginx/conf.d/default.conf
    # systemctl enable nginx
    
    ### Prepare the config file: edit /etc/nginx/conf.d/jumpserver.conf
    # vi /etc/nginx/conf.d/jumpserver.conf
    
    
    ### Run nginx
    # Make sure the config is valid; fix any problems first
    # nginx -t
    
    # CentOS 7
    # systemctl start nginx
    # systemctl enable nginx
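The jumpserver.conf that the step above leaves to the reader, written out as an added example (not the post's file and not an upstream file), together with two checks worth running on any bastion front end: every proxy_pass stays on loopback, and each WebSocket location forwards the Upgrade header. Ports and paths the post states are used as-is (nginx on 80, jumpserver at 127.0.0.1:8080, Tomcat/guacamole on 8081, luna in /opt/luna). Coco's WebSocket port 5000 with the /socket.io/ and /coco/ paths, and the /opt/jumpserver/data static/media directory, are assumptions and must be checked against the installed config.yml files.

```shell
#!/usr/bin/env bash
# Added example (not the post's config, not an upstream file): write an nginx
# server block fronting the components installed above, then check it.
# From the post: nginx :80, jumpserver 127.0.0.1:8080, Tomcat :8081, /opt/luna.
# ASSUMED (verify against config.yml): coco WebSocket on 127.0.0.1:5000 under
# /socket.io/ and /coco/; jumpserver static/media under /opt/jumpserver/data.
set -eu

# $1 = output file (e.g. /etc/nginx/conf.d/jumpserver.conf)
write_jumpserver_nginx_conf() {
    cat > "$1" <<'EOF'
server {
    listen 80;
    # Production: terminate TLS here (listen 443 ssl + ssl_certificate) and
    # redirect 80 -> 443; a bastion must not take credentials over plaintext.
    client_max_body_size 100m;

    location /luna/ {
        try_files $uri / /index.html;
        alias /opt/luna/;
    }

    location /media/ {
        add_header Content-Encoding gzip;
        root /opt/jumpserver/data/;
    }

    location /static/ {
        root /opt/jumpserver/data/;
    }

    # WebSocket locations must forward the Upgrade handshake over HTTP/1.1,
    # otherwise the terminal page loads but every session hangs.
    location /socket.io/ {
        proxy_pass http://127.0.0.1:5000/socket.io/;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }

    location /coco/ {
        proxy_pass http://127.0.0.1:5000/coco/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }

    location /guacamole/ {
        proxy_pass http://127.0.0.1:8081/;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        proxy_set_header X-Real-IP $remote_addr;
    }

    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
EOF
}

# Every proxy_pass must target loopback: the backends bind locally and nginx
# is the only web listener the firewall step opened. Returns 1 otherwise.
check_backends_local() {
    local bad
    bad=$(sed -n 's|.*proxy_pass *http://\([^/;:]*\).*|\1|p' "$1" \
        | grep -vE '^(localhost|127\.0\.0\.1)$' || true)
    [ -z "$bad" ]
}

# $1 conf, $2... WebSocket locations; each must exist and forward Upgrade.
check_websocket_upgrade() {
    local conf="$1" loc; shift
    for loc in "$@"; do
        awk -v loc="$loc" '
            $1 == "location" && $2 == loc { inblk = 1 }
            inblk && /proxy_set_header Upgrade/ { found = 1 }
            inblk && /^ *}/ { exit }
            END { exit (found ? 0 : 1) }' "$conf" || return 1
    done
}

out=$(mktemp)
write_jumpserver_nginx_conf "$out"
check_backends_local "$out" && check_websocket_upgrade "$out" /socket.io/ /guacamole/ \
    && echo "generated $out; copy to /etc/nginx/conf.d/jumpserver.conf and run nginx -t"
```

The checks work on the file, not on a running server, so they can be rerun after any later edit; nginx -t as in the step above is still the final syntax check before systemctl start nginx.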
    
    ### Start using jumpserver
    

      

    Original source: https://www.cnblogs.com/Alexr/p/13236481.html