官网:http://docs.jumpserver.org/zh/docs/introduce.html
参考:https://www.cnblogs.com/mushou/p/9484317.html
作者:邓聪聪
环境
- 系统: CentOS 7.6
- IP: 172.16.16.2
- 关闭 selinux 和防火墙
- jumpserver和coco、luna的版本必须保持一致
[root@bogon ~]# setenforce 0 [root@bogon ~]# sed -i "s/enforcing/disabled/g" /etc/selinux/config
[root@bogon ~]# iptables -F
1.准备 Python3 和 Python 虚拟环境
- 安装依赖包
[root@bogon ~]# yum -y install wget gcc epel-release git
- 安装 Python3.6
[root@bogon ~]# yum -y install python36 python36-devel
- 建立 Python 虚拟环境
[root@bogon ~]# cd /opt [root@bogon opt]# python3.6 -m venv py3 [root@bogon opt]# source /opt/py3/bin/activate # 看到下面的提示符代表成功,以后运行 Jumpserver 都要先运行以上 source 命令,以下所有命令均在该虚拟环境中运行 (py3)[root@bogon opt]#
2.安装 Jumpserver
- Clone 项目也可以选择去 Github 项目页面直接下载zip包
(py3)[root@bogon opt]# git clone https://github.com/jumpserver/jumpserver.git
- 安装依赖 RPM 包
(py3)[root@bogon opt]#cd /opt/jumpserver/requirements (py3)[root@bogon requirements]#yum -y install $(cat rpm_requirements.txt)
- 安装 Python 库依赖
(py3)[root@bogon requirements]#pip install --upgrade pip setuptools (py3)[root@bogon requirements]#pip install -r requirements.txt
- 安装 Redis, Jumpserver 使用 Redis 做 cache 和 celery broke
(py3)[root@bogon requirements]#yum -y install redis (py3)[root@bogon requirements]#systemctl start redis
- 安装 MySQL
(py3) [root@bogon requirements]# yum -y install mariadb mariadb-devel mariadb-server # centos7下安装的是mariadb
(py3) [root@bogon requirements]# systemctl start mariadb - 创建数据库 Jumpserver 并授权
(py3) [root@bogon requirements]#mysql -uroot mysql> create database jumpserver default charset 'utf8'; mysql> grant all on jumpserver.* to 'jumpserver'@'127.0.0.1' identified by 'weakPassword'; mysql> flush privileges; mysql> quit
- 修改 Jumpserver 配置文件 注意: 配置文件是 Python 格式,不要用 TAB,而要用空
(py3) [root@bogon requirements]#cd .. (py3) [root@bogon jumpserver]# cp config_example.py config.py (py3) [root@bogon jumpserver]# vi config.py
View Code#!/usr/bin/env python3 # -*- coding: utf-8 -*- """ jumpserver.config ~~~~~~~~~~~~~~~~~ Jumpserver project setting file :copyright: (c) 2014-2017 by Jumpserver Team :license: GPL v2, see LICENSE for more details. """ import os BASE_DIR = os.path.dirname(os.path.abspath(__file__)) class Config: """ Jumpserver Config File Jumpserver 配置文件 Jumpserver use this config for drive django framework running, You can set is value or set the same envirment value, Jumpserver look for config order: file => env => default Jumpserver使用配置来驱动Django框架的运行, 你可以在该文件中设置,或者设置同样名称的环境变量, Jumpserver使用配置的顺序: 文件 => 环境变量 => 默认值 """ # SECURITY WARNING: keep the secret key used in production secret! # 加密秘钥 生产环境中请修改为随机字符串,请勿外泄 SECRET_KEY = '2vym+ky!997d5kkcc64mnz06y1mmui3lut#(^wd=%s_qj$1%x' ALLOWED_HOSTS = ['*'] # SECURITY WARNING: keep the bootstrap token used in production secret! # 预共享Token coco和guacamole用来注册服务账号,不在使用原来的注册接受机制 BOOTSTRAP_TOKEN = 'nwv4RdXpM82LtSvmV' # Development env open this, when error occur display the full process track, Production disable it # DEBUG 模式 开启DEBUG后遇到错误时可以看到更多日志 # DEBUG = True DEBUG = False # DEBUG, INFO, WARNING, ERROR, CRITICAL can set. See https://docs.djangoproject.com/en/1.10/topics/logging/ # 日志级别 # LOG_LEVEL = 'DEBUG' # LOG_DIR = os.path.join(BASE_DIR, 'logs') LOG_LEVEL = 'ERROR' LOG_DIR = os.path.join(BASE_DIR, 'logs') # Session expiration setting, Default 24 hour, Also set expired on on browser close # 浏览器Session过期时间,默认24小时, 也可以设置浏览器关闭则过期 # SESSION_COOKIE_AGE = 3600 * 24 # SESSION_EXPIRE_AT_BROWSER_CLOSE = False SESSION_EXPIRE_AT_BROWSER_CLOSE = True # Database setting, Support sqlite3, mysql, postgres .... # 数据库设置 # See https://docs.djangoproject.com/en/1.10/ref/settings/#databases # SQLite setting: # 使用单文件sqlite数据库 # DB_ENGINE = 'sqlite3' # DB_NAME = os.path.join(BASE_DIR, 'data', 'db.sqlite3') # MySQL or postgres setting like: # 使用Mysql作为数据库 DB_ENGINE = 'mysql' DB_HOST = '127.0.0.1' DB_PORT = 3306 DB_USER = 'jumpserver' DB_PASSWORD = '123456' DB_NAME = 'jumpserver' # When Django start it will bind this host and port # ./manage.py runserver 127.0.0.1:8080 # 运行时绑定端口 HTTP_BIND_HOST = '0.0.0.0' HTTP_LISTEN_PORT = 8080 # Use Redis as broker for celery and web socket # Redis配置 REDIS_HOST = '127.0.0.1' REDIS_PORT = 6379 # REDIS_PASSWORD = '' # REDIS_DB_CELERY = 3 # REDIS_DB_CACHE = 4 # Use OpenID authorization # 使用OpenID 来进行认证设置 # BASE_SITE_URL = 'http://localhost:8080' # AUTH_OPENID = False # True or False # AUTH_OPENID_SERVER_URL = 'https://openid-auth-server.com/' # AUTH_OPENID_REALM_NAME = 'realm-name' # AUTH_OPENID_CLIENT_ID = 'client-id' # AUTH_OPENID_CLIENT_SECRET = 'client-secret' # # OTP_VALID_WINDOW = 0 def __init__(self): pass def __getattr__(self, item): return None class DevelopmentConfig(Config): pass class TestConfig(Config): pass class ProductionConfig(Config): pass # Default using Config settings, you can write if/else for different env config = DevelopmentConfig()
- 运行 Jumpserver
(py3) [root@bogon jumpserver]#./jms start all #后台运行使用 -d 参数./jms start all -d (py3) [root@bogon jumpserver]#./jms start|stop|status|restart all #其他参数
3.安装 SSH Server 和 WebSocket Server: Coco
- Clone 项目
(py3) [root@bogon jumpserver]# cd .. (py3) [root@bogon opt]# git clone https://github.com/jumpserver/coco.git (py3) [root@bogon opt]#cd /opt/coco/requirements (py3) [root@bogon requirements]#yum -y install $(cat rpm_requirements.txt) (py3) [root@bogon requirements]#pip install -r requirements.txt
- 修改配置文件并运行
(py3) [root@bogon requirements]#cd /opt/coco
[root@bogon coco]# mkdir keys logs
[root@bogon coco]# cp conf_example.py conf.py
[root@bogon coco]# vi conf.py
View Code#!/usr/bin/env python3 # -*- coding: utf-8 -*- # import os BASE_DIR = os.path.dirname(__file__) class Config: """ Coco config file, coco also load config from server update setting below """ # 项目名称, 会用来向Jumpserver注册, 识别而已, 不能重复 # NAME = "localhost" # Jumpserver项目的url, api请求注册会使用 # CORE_HOST = os.environ.get("CORE_HOST") or 'http://127.0.0.1:8080' CORE_HOST = 'http://127.0.0.1:8080' # Bootstrap Token, 预共享秘钥, 用来注册coco使用的service account和terminal # 请和jumpserver 配置文件中保持一致,注册完成后可以删除 # BOOTSTRAP_TOKEN = "PleaseChangeMe" BOOTSTRAP_TOKEN = "nwv4RdXpM82LtSvmV" # 启动时绑定的ip, 默认 0.0.0.0 # BIND_HOST = '0.0.0.0' # 监听的SSH端口号, 默认2222 # SSHD_PORT = 2222 # 监听的HTTP/WS端口号,默认5000 # HTTPD_PORT = 5000 # 项目使用的ACCESS KEY, 默认会注册,并保存到 ACCESS_KEY_STORE中, # 如果有需求, 可以写到配置文件中, 格式 access_key_id:access_key_secret # ACCESS_KEY = None # ACCESS KEY 保存的地址, 默认注册后会保存到该文件中 # ACCESS_KEY_STORE = os.path.join(BASE_DIR, 'keys', '.access_key') # 加密密钥 # SECRET_KEY = None # 设置日志级别 ['DEBUG', 'INFO', 'WARN', 'ERROR', 'FATAL', 'CRITICAL'] # LOG_LEVEL = 'INFO' LOG_LEVEL = 'ERROR' # 日志存放的目录 # LOG_DIR = os.path.join(BASE_DIR, 'logs') # Session录像存放目录 # SESSION_DIR = os.path.join(BASE_DIR, 'sessions') # 资产显示排序方式, ['ip', 'hostname'] # ASSET_LIST_SORT_BY = 'ip' # 登录是否支持密码认证 # PASSWORD_AUTH = True # 登录是否支持秘钥认证 # PUBLIC_KEY_AUTH = True # SSH白名单 # ALLOW_SSH_USER = 'all' # ['test', 'test2'] # SSH黑名单, 如果用户同时在白名单和黑名单,黑名单优先生效 # BLOCK_SSH_USER = [] # 和Jumpserver 保持心跳时间间隔 # HEARTBEAT_INTERVAL = 5 # Admin的名字,出问题会提示给用户 # ADMINS = '' COMMAND_STORAGE = { "TYPE": "server" } REPLAY_STORAGE = { "TYPE": "server" } # SSH连接超时时间 (default 15 seconds) # SSH_TIMEOUT = 15 # 语言 = en LANGUAGE_CODE = 'zh' config = Config()
(py3) [root@bogon coco]#./cocod start #后台运行使用 -d 参数./cocod start -d (py3) [root@bogon coco]#./cocod start|stop|status|restart #脚本使用方式
4.安装 Web Terminal 前端: Luna
-
(py3) [root@bogon opt]# cd /opt # 访问(https://github.com/jumpserver/luna/releases)下载对应版本的 release 包,直接解压,不需要编译 (py3) [root@bogon opt]# wget https://github.com/jumpserver/luna/releases/download/1.4.6/luna.tar.gz (py3) [root@bogon opt]# tar -xf luna.tar.gz (py3) [root@bogon opt]# chown -R root:root luna
5.配置 Nginx 整合各组件
- 安装 Nginx
View Code
vi /etc/yum.repos.d/nginx.repo [nginx] name=nginx repo baseurl=http://nginx.org/packages/centos/7/$basearch/ gpgcheck=0 enabled=1
(py3) [root@bogon opt]# yum install -y nginx
(py3) [root@bogon opt]# rm -rf /etc/nginx/conf.d/default.conf
(py3) [root@bogon opt]# vi /etc/nginx/conf.d/jumpserver.conf
View Codeserver { listen 80; # 代理端口,以后将通过此端口进行访问,不再通过8080端口 server_name demo.jumpserver.org; # 修改成你的域名 client_max_body_size 100m; # 录像及文件上传大小限制 location /luna/ { try_files $uri / /index.html; alias /opt/luna/; # luna 路径,如果修改安装目录,此处需要修改 } location /media/ { add_header Content-Encoding gzip; root /opt/jumpserver/data/; # 录像位置,如果修改安装目录,此处需要修改 } location /static/ { root /opt/jumpserver/data/; # 静态资源,如果修改安装目录,此处需要修改 } location /socket.io/ { proxy_pass http://localhost:5000/socket.io/; # 如果coco安装在别的服务器,请填写它的ip proxy_buffering off; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; proxy_set_header X-Real-IP $remote_addr; proxy_set_header Host $host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; access_log off; } location /coco/ { proxy_pass http://localhost:5000/coco/; # 如果coco安装在别的服务器,请填写它的ip proxy_set_header X-Real-IP $remote_addr; proxy_set_header Host $host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; access_log off; } location /guacamole/ { proxy_pass http://localhost:8081/; # 如果guacamole安装在别的服务器,请填写它的ip proxy_buffering off; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $http_connection; proxy_set_header X-Real-IP $remote_addr; proxy_set_header Host $host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; access_log off; } location / { proxy_pass http://localhost:8080; # 如果jumpserver安装在别的服务器,请填写它的ip proxy_set_header X-Real-IP $remote_addr; proxy_set_header Host $host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; } }
- 运行nginx
(py3) [root@bogon opt]#nginx -t # 确保配置没有问题, 有问题请先解决 (py3) [root@bogon opt]#systemctl start nginx - 使用 Jumpserver,服务全部启动后,访问 http://IP
- jumpsever的服务启动流程
[root@bogon ~]# cd /opt [root@bogon opt]# source /opt/py3/bin/activate #进入python环境 (py3)[root@bogon opt]#systemctl start redis #启动redis (py3)[root@bogon opt]#systemctl start mariadb #启动数据库服务 (py3)[root@bogon opt]#cd /opt/jumpserver (py3)[root@bogon jumpserver]# ./jms start -d #启动jumpserver服务,后台运行 (py3)[root@bogon coco]#./coco start -d #后台运行coco服务 (py3)[root@bogon coco]#systemctl start nginx #启动nginx服务
(py3)[root@bogon coco]#systemctl enable nginx #开机自启动
(py3)[root@bogon coco]#systemctl enable mariadb
(py3)[root@bogon coco]#systemctl enable redis
使用jumpserver时,打开会话管理-web终端无显示可能由于浏览器造成的,更换其他第三方浏览下即可
6.Jumpserver的使用
- 登陆后创建用户组,方便以后的授权操作
- 添加系统用户
为了更方便快捷的使用jumpserver,默认管理员无法直接生成密码给用户,有大拿提供了一下修改配置文件的办法,直接创建密码给用户,感觉挺好用就分享给大家
配置文件路径:/opt/jumpserver/apps/users/templates/users
(py3) [root@bogon users]# more _user.html {% extends '_base_create_update.html' %} {% load i18n %} {% load static %} {% load bootstrap3 %} {% block form %} {% if form.non_field_errors %} <div class="alert alert-danger"> {{ form.non_field_errors }} </div> {% endif %} <form method="post" class="form-horizontal" action="" enctype="multipart/form-data"> {% csrf_token %} <h3>{% trans 'Account' %}</h3> {% bootstrap_field form.name layout="horizontal" %} {% bootstrap_field form.username layout="horizontal" %} {% bootstrap_field form.email layout="horizontal" %} {% bootstrap_field form.groups layout="horizontal" %} <div class="hr-line-dashed"></div> <h3>{% trans 'Auth' %}</h3> {#{% block password %}{% endblock %}#} #注释该行 {% bootstrap_field form.password layout="horizontal" %} #追加的行内容 {% bootstrap_field form.otp_level layout="horizontal" %} <div class="hr-line-dashed"></div> <h3>{% trans 'Security and Role' %}</h3> {% bootstrap_field form.role layout="horizontal" %} <div class="form-group {% if form.date_expired.errors %} has-error {% endif %}" id="date_5"> <label for="{{ form.date_expired.id_for_label }}" class="col-sm-2 control-label">{{ form.date_expired.label }}</label> <div class="col-sm-9"> <div class="input-group date"> <span class="input-group-addon"><i class="fa fa-calendar"></i></span> {% if form.errors %} <input id="{{ form.date_expired.id_for_label }}" name="{{ form.date_expired.html_name }}" type="text" class="form-control" value="{{ form.date_exp ired.value }}"> {% else %} <input id="{{ form.date_expired.id_for_label }}" name="{{ form.date_expired.html_name }}" type="text" class="form-control" value="{{ form.date_exp ired.value|date:'Y-m-d H:i' }}"> {% endif %} </div> <span class="help-block ">{{ form.date_expired.errors }}</span> </div> </div> <div class="hr-line-dashed"></div> <h3>{% trans 'Profile' %}</h3> {% bootstrap_field form.phone layout="horizontal" %} {% bootstrap_field form.wechat layout="horizontal" %} {% bootstrap_field form.comment layout="horizontal" %} <div class="hr-line-dashed"></div> <div class="form-group"> <div class="col-sm-4 col-sm-offset-2"> <button class="btn btn-white" type="reset">{% trans 'Reset' %}</button> <button id="submit_button" class="btn btn-primary" type="submit">{% trans 'Submit' %}</button> </div> </div> </form> {% endblock %} {% block custom_foot_js %} <script src="{% static 'js/plugins/datepicker/bootstrap-datepicker.js' %}"></script> <script type="text/javascript" src='{% static "js/plugins/daterangepicker/moment.min.js" %}'></script> <script type="text/javascript" src='{% static "js/plugins/daterangepicker/daterangepicker.min.js" %}'></script> <link rel="stylesheet" type="text/css" href={% static "css/plugins/daterangepicker/daterangepicker.css" %} /> <script> var dateOptions = { singleDatePicker: true, showDropdowns: true, timePicker: true, timePicker24Hour: true, autoApply: true, locale: { format: 'YYYY-MM-DD HH:mm' } }; $(document).ready(function () { $('.select2').select2(); $('#id_date_expired').daterangepicker(dateOptions); }) </script> {% endblock %}
***升级篇***
升级 Jumpserver
cd /opt/jumpserver source /opt/py3/bin/activate ./jms stop git fetch git pull pip install -r requirements/requirements.txt 启动 jumpserver cd ../ ./jms start all -d
升级coco
cd /opt/coco git pull source /opt/py3/bin/activate ./cocod stop pip install -r requirements/requirements.txt ./cocod start -d
升级luna
cd /opt rm -rf luna wget https://github.com/jumpserver/luna/releases/download/1.4.8/luna.tar.gz # 如果网络有问题导致下载无法完成可以使用下面地址 $ wget https://demo.jumpserver.org/download/luna/1.4.8/luna.tar.gz tar xf luna.tar.gz chown -R root:root luna