  • jumpserver堡垒机(2.4)部署

    jumpserver 2.4.0 部署

    Jumpserver介绍
    JumpServer 是全球首款完全开源的堡垒机, 使用 GNU GPL v2.0 开源协议, 是符合 4A 的专业运维审计系统,使用 Python / Django 进行开发, 遵循 Web 2.0 规范, 配备了业界领先的 Web Terminal 解决方案, 交互界面美观、用户体验好,支持管理 SSH、 Telnet、 RDP、 VNC 协议资产
    
    Jumpserver 的优势
    • 开源: 零门槛,线上快速获取和安装
    • 分布式: 轻松支持大规模并发访问
    • 无插件: 仅需浏览器,极致的 Web Terminal 使用体验
    • 多云支持: 一套系统,同时管理不同云上面的资产
    • 云端存储: 审计录像云端存储,永不丢失
    • 多租户: 一套系统,多个子公司和部门同时使用; 多应用支持: 数据库,Windows远程应用,Kubernetes
    系统硬件需求
    • Centos7.6 系统
    • 硬件配置 : 2个CPU核心, 4G 内存, 50G 硬盘(最低)
    • 操作系统: Linux 发行版 x86_64
    基础环境部署
    • yum 源配置
    # Point YUM at the Aliyun mirrors (CentOS base + EPEL). The repo files are
    # fetched over plain http; they decide which packages get installed later.
    repo_dir=/etc/yum.repos.d
    mirror=http://mirrors.aliyun.com/repo
    # Keep a copy of the stock CentOS-Base repo before overwriting it.
    cp -- "$repo_dir/CentOS-Base.repo" "$repo_dir/CentOS-Base.repo.bak"
    wget -O "$repo_dir/CentOS-Base.repo" "$mirror/Centos-7.repo"
    wget -O "$repo_dir/epel.repo" "$mirror/epel-7.repo"
    # Drop the old metadata cache and rebuild it against the new mirrors.
    yum clean all
    yum makecache
    # Bring the base system up to date.
    yum -y update
    
    • 系统设置
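    # Stop the host firewall now and keep it off across reboots. Every listener
    # set up in this guide (nginx 80, core 8080/8070, tomcat 8081, koko 5000,
    # redis 6379, mariadb 3306) then becomes reachable from the network; if only
    # nginx needs to be exposed, opening port 80 in firewalld is the tighter option.
    systemctl stop firewalld.service
    systemctl disable firewalld.service
    # SELinux: permissive for this session, disabled after the next reboot.
    setenforce 0
    # Anchor on the key so any current value (enforcing or permissive) is
    # rewritten, not only the literal "enforcing".
    sed -i 's/^SELINUX=.*/SELINUX=disabled/' /etc/selinux/config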
    
    安装 python3.6 mysql redis nginx组件
    # Runtime components: Python 3.6 (plus headers for building wheels),
    # MariaDB client and server, Redis and nginx.
    pkgs=(python3.6 python36-devel mariadb mariadb-server.x86_64 redis nginx)
    yum -y install "${pkgs[@]}"
    
    启动redis并配置
    systemctl enable redis
    systemctl start redis
    # Redis settings, edited in /etc/redis.conf (vim /etc/redis.conf):
    # bind 127.0.0.1   <- the guide comments this out so that other hosts can reach Redis.
    #                     Every consumer in this guide (core and koko) uses REDIS_HOST 127.0.0.1,
    #                     so on a single-host install the bind line can stay active and Redis
    #                     is never exposed on the network.
    protected-mode no  # protected mode off; with the bind line removed only requirepass stands between Redis and the network
    port 6379  # Redis default port
    requirepass redis123  # Redis password (sample value; pick your own and keep it in sync with REDIS_PASSWORD in the core and koko configs)
    aof-rewrite-incremental-fsync yes
    # Restart so the edited configuration is loaded.
    systemctl restart redis
    # Open a client session.
    redis-cli -h 127.0.0.1 -p 6379
    # Typing "info" now reports that authentication is required; authenticate first:
    auth redis123
    # Then "info" works again.
    # "keys *" lists every key.
    
    启动mysql并授权
    systemctl enable mariadb
    systemctl start mariadb
    # Set the MySQL root password. "-p" first asks for the current password;
    # on a fresh install it is empty, so just press Enter.
    mysqladmin -uroot -p password admin123  # press Enter at the prompt (sample password, choose your own)
    # Log in as root. Passing the password on the command line exposes it to
    # shell history and "ps"; "mysql -uroot -p" prompts for it instead.
    mysql -uroot -padmin123
    # Create the JumpServer database.
    create database jumpserver default charset 'utf8' collate 'utf8_bin';
    # Grant the jumpserver user access from 127.0.0.1 only (matches DB_HOST in
    # config.yml); the password must equal DB_PASSWORD there.
    grant all on jumpserver.* to 'jumpserver'@'127.0.0.1' identified by 'jumpserver123';
    flush privileges;
    
    Python 虚拟环境配置
    # Create an isolated Python 3.6 environment for JumpServer and activate it
    # in the current shell; the pip commands that follow depend on this.
    cd /opt
    venv=/opt/py3
    python3.6 -m venv "$venv"
    . "$venv/bin/activate"
    

    以下操作均在 Python 虚拟环境中进行

    jumpserver 代码包下载并安装依赖
    # Fetch the JumpServer 2.4.0 release tarball into /opt and unpack it.
    cd /opt
    release=v2.4.0
    wget "https://github.com/jumpserver/jumpserver/releases/download/$release/jumpserver-$release.tar.gz"
    tar xf "jumpserver-$release.tar.gz"
    mv "jumpserver-$release" jumpserver
    # Build-time system packages are listed in rpm_requirements.txt; the
    # unquoted expansion is intentional so each name becomes a yum argument.
    cd /opt/jumpserver/requirements
    yum install -y $(< rpm_requirements.txt)
    # Python dependencies, pulled from the Aliyun PyPI mirror.
    index=https://mirrors.aliyun.com/pypi/simple/
    pip install wheel --index-url "$index"
    pip install --upgrade pip setuptools --index-url "$index"
    pip install -r requirements.txt --index-url "$index"
    # If pip reports that no matching version of a package exists, reinstall
    # that package explicitly with the command below (shown here for six).
    pip install six --upgrade --ignore-installed six
    
    • 修改配置文件
    cd /opt/jumpserver && cp config_example.yml config.yml && vi config.yml
    # Generate a key: tr -dc A-Za-z0-9 </dev/urandom | head -c 50
    # The value below is the author's sample; every install must generate its own.
    SECRET_KEY: W5Ic3fMXNZ0p5RIy5DhJYJllppTfcfkW8Yuf94VBMfpcssbfu
    # Generate a token: tr -dc A-Za-z0-9 </dev/urandom | head -c 16
    # Also a sample value. koko and Guacamole register with this same token, so
    # a fresh one has to be set in all three places.
    BOOTSTRAP_TOKEN: zxffNymGjP79j6BN
    # DEBUG mode: when enabled, errors produce more log output.
    DEBUG: false
    # Log level
    LOG_LEVEL: ERROR
    # Browser session lifetime is 24 hours by default; this ends it when the browser closes.
    SESSION_EXPIRE_AT_BROWSER_CLOSE: true
    # Use MySQL as the database; user, password and database must match what was created above.
    DB_ENGINE: mysql
    DB_HOST: 127.0.0.1
    DB_PORT: 3306
    DB_USER: jumpserver
    DB_PASSWORD: jumpserver123
    DB_NAME: jumpserver
    # Bind address and ports. 0.0.0.0 listens on every interface; nginx, koko and
    # Guacamole in this guide all reach core through 127.0.0.1, so 127.0.0.1 here
    # would keep 8080/8070 off the network — NOTE(review): confirm nothing else needs them.
    HTTP_BIND_HOST: 0.0.0.0
    HTTP_LISTEN_PORT: 8080
    WS_LISTEN_PORT: 8070
    # Redis connection; must match /etc/redis.conf
    REDIS_HOST: 127.0.0.1
    REDIS_PORT: 6379
    REDIS_PASSWORD: redis123
    # Skip manual password entry for Windows logins
    WINDOWS_SKIP_ALL_MANUAL_PASSWORD: True
    
    • 启动jumpserver
    # Must be run inside the py3 virtualenv: source /opt/py3/bin/activate
    jms_home=/opt/jumpserver
    cd "$jms_home"
    # Start core as a daemon.
    ./jms start -d
    
    部署koko组件
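    # Download and unpack the koko 2.4.0 release into /opt/koko.
    koko_ver=v2.4.0
    cd /opt && wget "https://github.com/jumpserver/koko/releases/download/$koko_ver/koko-$koko_ver-linux-amd64.tar.gz"
    tar -xf "koko-$koko_ver-linux-amd64.tar.gz"
    mv "koko-$koko_ver-linux-amd64" koko
    # Make root the owner of the whole tree.
    chown -R root:root koko
    # kubectl: the one bundled with koko becomes /usr/local/bin/kubectl, the one
    # downloaded below becomes /usr/local/bin/rawkubectl. The download carries
    # no checksum or signature on this page, yet it is installed as an executable.
    cd koko && mv kubectl /usr/local/bin/
    wget https://download.jumpserver.org/public/kubectl.tar.gz
    tar -xf kubectl.tar.gz
    chmod 755 kubectl
    mv kubectl /usr/local/bin/rawkubectl
    # The archive is a regular file; -r is not needed to remove it.
    rm -f kubectl.tar.gz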
    
    • 修改配置文件
    cd /opt/koko && cp config_example.yml config.yml && vi config.yml
    # URL of the JumpServer core; koko registers itself through this API.
    CORE_HOST: http://127.0.0.1:8080
    # Must equal BOOTSTRAP_TOKEN in /opt/jumpserver/config.yml; it is only needed
    # for registration and can be removed once that has completed.
    BOOTSTRAP_TOKEN: zxffNymGjP79j6BN
    # Log level [DEBUG, INFO, WARN, ERROR, FATAL, CRITICAL]
    LOG_LEVEL: ERROR
    # Session-sharing backend [local, redis]; default is local
    SHARE_ROOM_TYPE: redis
    # Redis connection; same instance and password as in /etc/redis.conf
    REDIS_HOST: 127.0.0.1
    REDIS_PORT: 6379
    REDIS_PASSWORD: redis123
    REDIS_DB_ROOM: 6
    
    • 启动 koko
    # Start koko as a daemon from its install directory.
    koko_home=/opt/koko
    cd "$koko_home" && ./koko -d
    
    部署Guacamole 组件
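    # Download the docker-guacamole build files. NOTE: the URL fetches the
    # "master" branch, not a 2.4.0 tag, so despite the file name the contents
    # are not pinned to the release and may change between runs.
    cd /opt && wget -O docker-guacamole-v2.4.0.tar.gz https://github.com/jumpserver/docker-guacamole/archive/master.tar.gz
    # Create the target directory and unpack into it, dropping the top-level folder.
    mkdir /opt/docker-guacamole
    tar -xf docker-guacamole-v2.4.0.tar.gz -C /opt/docker-guacamole --strip-components 1
    # The tarball is a regular file; -r is not needed to remove it.
    rm -f /opt/docker-guacamole-v2.4.0.tar.gz && cd /opt/docker-guacamole
    # guacamole-server sources and the ssh-forward helper. Both arrive over plain
    # http and this page gives no checksum or signature; ssh-forward is placed
    # directly into /bin as an executable, so verify the download before use.
    wget http://download.jumpserver.org/public/guacamole-server-1.2.0.tar.gz
    tar -xf guacamole-server-1.2.0.tar.gz
    wget http://download.jumpserver.org/public/ssh-forward.tar.gz
    tar -xf ssh-forward.tar.gz -C /bin/ &&  chmod +x /bin/ssh-forward
    # Build dependencies for guacamole-server.
    yum -y install cairo-devel libjpeg-turbo-devel libpng-devel libtool uuid-devel ffmpeg-devel freerdp-devel pango-devel libssh2-devel libtelnet-devel libvncserver-devel libwebsockets-devel pulseaudio-libs-devel openssl-devel libvorbis-devel libwebp-devel
    # Configure, build and install guacamole-server; --with-init-dir installs
    # the guacd init script used to start it later.
    cd /opt/docker-guacamole/guacamole-server-1.2.0
    ./configure --with-init-dir=/etc/init.d
    make  && make install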
    
    • 配置java环境
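    # Java runtime for Tomcat.
    yum install -y java-1.8.0-openjdk
    # Guacamole home layout; record/ and drive/ are handed to the daemon user.
    mkdir -p /config/guacamole /config/guacamole/extensions /config/guacamole/record /config/guacamole/drive && chown daemon:daemon /config/guacamole/record /config/guacamole/drive && cd /config
    # Tomcat 9: download, unpack and rename. The version lives in one variable
    # so the archive that is downloaded is the one that gets extracted.
    tomcat_ver=9.0.38
    wget "http://mirrors.tuna.tsinghua.edu.cn/apache/tomcat/tomcat-9/v$tomcat_ver/bin/apache-tomcat-$tomcat_ver.tar.gz"
    tar -xf "apache-tomcat-$tomcat_ver.tar.gz"
    mv "apache-tomcat-$tomcat_ver" tomcat9
    # Ship no default webapps; ROOT.war is installed below.
    rm -rf /config/tomcat9/webapps/*
    # Move Tomcat from 8080 (taken by JumpServer core) to 8081, which the nginx
    # /guacamole/ location proxies to, and log in UTF-8.
    sed -i 's/Connector port="8080"/Connector port="8081"/g' /config/tomcat9/conf/server.xml &&
    echo "java.util.logging.ConsoleHandler.encoding = UTF-8" >> /config/tomcat9/conf/logging.properties
    # Guacamole client: the .war becomes Tomcat's ROOT app, the extension .jar
    # and guacamole.properties go under GUACAMOLE_HOME (/config/guacamole).
    wget http://download.jumpserver.org/release/v2.4.0/guacamole-client-v2.4.0.tar.gz &&
    tar -xf guacamole-client-v2.4.0.tar.gz &&
    rm -f guacamole-client-v2.4.0.tar.gz &&
    cp guacamole-client-v2.4.0/guacamole-*.war /config/tomcat9/webapps/ROOT.war &&
    cp guacamole-client-v2.4.0/guacamole-*.jar /config/guacamole/extensions/ &&
    mv /opt/docker-guacamole/guacamole.properties /config/guacamole/ &&
    rm -rf /opt/docker-guacamole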
    
    • 设置Guacamole 环境
    # Export the Guacamole/JumpServer settings for this shell and persist them in
    # ~/.bashrc so the Tomcat start below, and later logins, see them. Note that
    # BOOTSTRAP_TOKEN is a shared secret and ~/.bashrc is a plain text file.
    guac_env=(
      JUMPSERVER_SERVER=http://127.0.0.1:8080
      BOOTSTRAP_TOKEN=zxffNymGjP79j6BN
      JUMPSERVER_KEY_DIR=/config/guacamole/data/keys
      GUACAMOLE_HOME=/config/guacamole
      GUACAMOLE_LOG_LEVEL=ERROR
      JUMPSERVER_ENABLE_DRIVE=true
    )
    for kv in "${guac_env[@]}"; do
      export "$kv"
      printf 'export %s\n' "$kv" >> ~/.bashrc
    done
    # 环境变量说明
    JUMPSERVER_SERVER 指 core 访问地址
    BOOTSTRAP_TOKEN 为 Jumpserver/config.yml 里面的 BOOTSTRAP_TOKEN 值
    JUMPSERVER_KEY_DIR 认证成功后 key 存放目录
    GUACAMOLE_HOME 为 guacamole.properties 配置文件所在目录
    GUACAMOLE_LOG_LEVEL 为生成日志的等级
    JUMPSERVER_ENABLE_DRIVE 为 rdp 协议挂载共享盘
    
    # Start guacd (init script installed by "make install" above), then Tomcat,
    # which picks up the exported variables from this shell.
    tomcat_home=/config/tomcat9
    /etc/init.d/guacd start
    sh "$tomcat_home/bin/startup.sh"
    
    下载lina组件
    # Fetch the lina 2.4.0 release and hand it to nginx, which serves it from
    # /opt/lina under the /ui/ location.
    cd /opt
    lina_ver=v2.4.0
    wget "https://github.com/jumpserver/lina/releases/download/$lina_ver/lina-$lina_ver.tar.gz"
    tar -xf "lina-$lina_ver.tar.gz"
    mv "lina-$lina_ver" lina
    chown -R nginx:nginx lina
    
    下载luna组件
    # Fetch the luna 2.4.0 release and hand it to nginx, which serves it from
    # /opt/luna under the /luna/ location.
    cd /opt
    luna_ver=v2.4.0
    wget "https://github.com/jumpserver/luna/releases/download/$luna_ver/luna-$luna_ver.tar.gz"
    tar -xf "luna-$luna_ver.tar.gz"
    mv "luna-$luna_ver" luna
    chown -R nginx:nginx luna
    
    配置nginx整合各组件
    • vim /etc/nginx/nginx.conf
    # /etc/nginx/nginx.conf: main configuration; the JumpServer site itself is
    # defined in /etc/nginx/conf.d/jumpserver.conf (pulled in by the include below).
    user nginx;
    worker_processes auto;
    error_log /var/log/nginx/error.log;
    pid /run/nginx.pid;

    include /usr/share/nginx/modules/*.conf;

    events {
        # Per-worker connection cap.
        worker_connections 65535;
    }

    http {
        log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                          '$status $body_bytes_sent "$http_referer" '
                          '"$http_user_agent" "$http_x_forwarded_for"';

        access_log  /var/log/nginx/access.log  main;

        sendfile            on;
        tcp_nopush          on;
        tcp_nodelay         on;
        keepalive_timeout   120;
        types_hash_max_size 2048;

        include             /etc/nginx/mime.types;
        default_type        application/octet-stream;

        include /etc/nginx/conf.d/*.conf;
    }
    
    • vim /etc/nginx/conf.d/jumpserver.conf
    # /etc/nginx/conf.d/jumpserver.conf: single entry point that serves the two
    # web front ends and proxies to core, koko and Guacamole on localhost.
    server {
        # Plain HTTP on 80. The guide's first login (admin/admin) therefore
        # travels in clear text; terminating TLS here is the usual next step.
        listen 80;

        client_max_body_size 100m;  # size limit for recordings and file uploads

        # lina web UI, served as static files.
        location /ui/ {
            try_files $uri / /index.html;
            alias /opt/lina/;
        }

        # luna terminal front end.
        location /luna/ {
            try_files $uri / /index.html;
            alias /opt/luna/;  # luna path; change this if the install directory changes
        }

        # Session recordings; presumably stored gzip-compressed, hence the header.
        location /media/ {
            add_header Content-Encoding gzip;
            root /opt/jumpserver/data/;  # recording location; change this if the install directory changes
        }

        location /static/ {
            root /opt/jumpserver/data/;  # static assets; change this if the install directory changes
        }

        # koko (SSH/Telnet web terminal) over WebSocket.
        location /koko/ {
            proxy_pass       http://localhost:5000;
            proxy_buffering off;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            access_log off;
        }

        # Guacamole client running in Tomcat on 8081 (moved there from 8080 above).
        location /guacamole/ {
            proxy_pass       http://localhost:8081/;
            proxy_buffering off;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $http_connection;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            access_log off;
        }

        # core WebSocket endpoint (WS_LISTEN_PORT in config.yml).
        location /ws/ {
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_pass http://localhost:8070;
            proxy_http_version 1.1;
            proxy_buffering off;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
        }

        # core HTTP API (HTTP_LISTEN_PORT in config.yml).
        location /api/ {
            proxy_pass http://localhost:8080;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }

        location /core/ {
            proxy_pass http://localhost:8080;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }

        # Everything else lands in the lina UI.
        location / {
            rewrite ^/(.*)$ /ui/$1 last;
        }
    }
    
    启动nginx
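    # Enable nginx at boot as well as starting it now, matching how redis and
    # mariadb were set up above (enable + start).
    systemctl enable nginx
    systemctl start nginx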
    
    浏览器访问: http://<服务器IP>
    服务全部启动后, 访问 JumpServer 服务器 nginx 代理的 80 端口, 不要通过8080端口访问 
    默认账号: admin 密码: admin 
    


    浏览器登录报错:Server error occur, contact administrator
    解决办法: 清理redis;重启redis,重启jms,重新登录即可
    