  • Centos 7.* Jumpserver安装日志审计和资产管理

    ###

    1.部署redis nginx mysql python3环境,安装git

    # 安装应用
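    # Install the packages
    yum install -y redis nginx
    yum install -y mariadb-server mariadb
    yum install -y python3
    yum -y install git
    # Start the services (the original page had these two commands folded into the
    # comment line above them, so they were never run when pasted as-is)
    systemctl start redis
    systemctl start mariadb
    # Create the database jumpserver will use.
    # The command was split across two lines in the original ("mysql" ended up on the
    # comment line), which left a bare "-e ..." that no shell can run.
    # NOTE(review): this connects as the local DB root account with no password, and
    # step 4 later points the application at that same root account.
    mysql -e "create database jumpserver default charset 'utf8' collate 'utf8_bin';"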

    2.创建 py3 虚拟环境 -- 载入 py3 虚拟环境

    # Create the py3 virtualenv under /opt/py3 and activate it in the current shell.
    venv_dir=/opt/py3
    python3.6 -m venv "$venv_dir"
    . "$venv_dir/bin/activate"

    3.获取jumpserver代码 安装依赖

    # 进入py3虚拟环境,进行操作
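    # Enter the py3 virtualenv before running the following
    source /opt/py3/bin/activate
    cd /opt || exit 1
    # --depth sets the clone depth; 1 means only the latest commit is cloned.
    # git clone --depth=1 https://github.com/jumpserver/jumpserver.git
    # This guide does not download jumpserver_source.tar.gz; it must already be
    # staged in /opt (the git clone above is the alternative).
    tar xf jumpserver_source.tar.gz -C /opt
    cd /opt/jumpserver/requirements || exit 1
    # rpm_requirements.txt holds one package name per word, so the unquoted
    # substitution is intentional here.
    # shellcheck disable=SC2046
    yum install -y $(cat rpm_requirements.txt) python36-devel openssl-devel gcc*
    # Packages come from a third-party PyPI mirror and requirements.txt is installed
    # without --require-hashes, so the mirror is trusted as-is.
    pip3 install wheel -i https://mirrors.aliyun.com/pypi/simple/
    pip3 install --upgrade pip setuptools -i https://mirrors.aliyun.com/pypi/simple/
    pip3 install -r requirements.txt -i https://mirrors.aliyun.com/pypi/simple/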

    4.修改jumpserver配置文件

    # 进入py3虚拟环境,进行操作
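    # Enter the py3 virtualenv before running the following
    source /opt/py3/bin/activate

    # Generate SECRET_KEY (49 chars) and BOOTSTRAP_TOKEN (17 chars) from /dev/urandom.
    # The original printed sample values here and then pasted those same literals into
    # the sed commands below, so every install that followed the guide ended up with
    # identical secrets. Capture fresh values in variables instead; the values are
    # [A-Za-z0-9] only, so they are safe inside the sed replacement (no '/', '&', '\').
    SECRET_KEY=$(tr -dc A-Za-z0-9 </dev/urandom | head -c 49)
    BOOTSTRAP_TOKEN=$(tr -dc A-Za-z0-9 </dev/urandom | head -c 17)
    if (( ${#SECRET_KEY} != 49 || ${#BOOTSTRAP_TOKEN} != 17 )); then
      echo 'failed to generate SECRET_KEY / BOOTSTRAP_TOKEN' >&2
      exit 1
    fi

    # Edit the config file
    cd /opt/jumpserver || exit 1
    cp config_example.yml config.yml
    sed -i "s/SECRET_KEY:/SECRET_KEY: '$SECRET_KEY'/g" config.yml
    # NOTE(review): this switches the application to the DB root account; the
    # example's default DB_USER (jumpserver) with its own grant would be least-privilege.
    sed -i 's/DB_USER: jumpserver/DB_USER: root/g' config.yml
    # koko and guacamole must be configured with this same BOOTSTRAP_TOKEN; read it
    # back from config.yml rather than copying a literal from the guide.
    sed -i "s/BOOTSTRAP_TOKEN:/BOOTSTRAP_TOKEN: '$BOOTSTRAP_TOKEN'/g" config.yml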

    5.启动jumpserver

    # Start jumpserver as a daemon; only run it if the venv and the checkout are there.
    if source /opt/py3/bin/activate && cd /opt/jumpserver; then
      ./jms start -d
    fi

    6.部署koko服务并启动【xshell连接koko服务端口2222,可弹出jumpserver资产列表】

    #koko功能: 实现了 SSH Server 和 Web Terminal Server 的组件,提供 SSH 和 WebSocket 接口, 使用 Paramiko 和 Flask 开发
    # 进入沙盒环境,进行操作
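    # Enter the sandbox (virtualenv) before running the following
    source /opt/py3/bin/activate
    cd /opt || exit 1
    # NOTE(review): the downloads in this step are not checksum- or signature-verified.
    wget https://github.com/jumpserver/koko/releases/download/v2.3.0/koko-v2.3.0-linux-amd64.tar.gz
    # The archive was just fetched into /opt, so unpack it from here instead of
    # searching the whole filesystem for any file of that name.
    tar xf /opt/koko-v2.3.0-linux-amd64.tar.gz -C ./
    mv koko-v2.3.0-linux-amd64 kokodir
    chown -R root:root kokodir
    cd kokodir || exit 1
    cp config_example.yml config.yml
    # Install the kubectl shipped inside the koko archive first; the kubectl.tar.gz
    # extracted further down presumably writes a file of the same name into this dir.
    cp kubectl /usr/local/bin/
    # Reuse the BOOTSTRAP_TOKEN already written to jumpserver's config.yml rather than
    # a literal copied from the guide. Assumes the "BOOTSTRAP_TOKEN: '<value>'"
    # single-quoted form.
    BOOTSTRAP_TOKEN=$(awk -F"'" '/^BOOTSTRAP_TOKEN:/ {print $2}' /opt/jumpserver/config.yml)
    if [[ -z "$BOOTSTRAP_TOKEN" ]]; then
      echo 'BOOTSTRAP_TOKEN not found in /opt/jumpserver/config.yml' >&2
      exit 1
    fi
    # TODO(review): confirm the placeholder text below matches koko's config_example.yml;
    # if it does not, sed silently changes nothing, which the grep check catches.
    sed -i "s/BOOTSTRAP_TOKEN: <PleasgeChangeSameWithJumpserver>/BOOTSTRAP_TOKEN: '$BOOTSTRAP_TOKEN'/g" config.yml
    if ! grep -q -F -- "BOOTSTRAP_TOKEN: '$BOOTSTRAP_TOKEN'" config.yml; then
      echo 'BOOTSTRAP_TOKEN was not written to kokodir/config.yml' >&2
      exit 1
    fi
    cd /opt/kokodir || exit 1
    wget https://download.jumpserver.org/public/kubectl.tar.gz
    tar -xf kubectl.tar.gz
    chmod 755 kubectl
    mv kubectl /usr/local/bin/rawkubectl

    cd /opt/kokodir && ./koko -d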

    7.安装并启动 guacamole 组件

    #guacamole功能: Apache 跳板机项目,Jumpserver 使用其组件实现 RDP 功能,Jumpserver 并没有修改其代码而是添加了额外的插件,支持 Jumpserver 调用
    # 进入py3虚拟环境,进行操作

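    source /opt/py3/bin/activate
    cd /opt || exit 1
    #git clone --depth=1 https://github.com/jumpserver/docker-guacamole.git
    wget -O guacamole-v2.3.0.tar.gz https://github.com/jumpserver/docker-guacamole/archive/master.tar.gz
    mkdir -p /opt/docker-guacamole
    # The archive was just fetched into /opt; no filesystem-wide search needed.
    tar xf /opt/guacamole-v2.3.0.tar.gz -C /opt/docker-guacamole --strip-components 1
    cd /opt/docker-guacamole || exit 1
    # NOTE(review): these are plain-http downloads with no checksum or signature
    # check, and ssh-forward is unpacked straight into /bin.
    wget http://download.jumpserver.org/public/guacamole-server-1.2.0.tar.gz

    wget http://download.jumpserver.org/public/ssh-forward.tar.gz
    tar -xf ssh-forward.tar.gz -C /bin/
    chmod +x /bin/ssh-forward

    # Build dependencies for guacamole-server. The original piped the first yum run to
    # /dev/null and folded the following commands onto the same line; they are
    # separated here so each one actually runs and its output is visible.
    yum install -y cairo-devel libjpeg-turbo-devel libpng-devel uuid-devel
    yum install -y ffmpeg-devel freerdp1.2-devel pango-devel libssh2-devel libtelnet-devel libvncserver-devel pulseaudio-libs-devel openssl-devel libvorbis-devel libwebp-devel
    yum install -y make
    ln -s /usr/local/lib/freerdp/*.so /usr/lib64/freerdp/
    # The original page had the tar/cd below behind a '#', which leaves ./configure
    # running in /opt/docker-guacamole instead of the unpacked source tree; the
    # autoreconf/configure/make sequence needs the source directory as cwd.
    tar xf guacamole-server-1.2.0.tar.gz
    cd /opt/docker-guacamole/guacamole-server-1.2.0 || exit 1
    autoreconf -fi
    ./configure --with-init-dir=/etc/init.d
    make && make install

    # jdk8/jre8 must be set up in this environment first
    yum install -y java-1.8.0-openjdk
    mkdir -p /config/guacamole/{lib,extensions,record,drive,data/log/}
    chown daemon:daemon /config/guacamole/{record,drive}
    cd /config || exit 1
    # apache-tomcat-9.0.27.tar.gz is not downloaded by this guide; it must be staged
    # beforehand. Fail loudly if it is missing instead of passing an empty path to tar.
    # NOTE(review): a filesystem-wide search picks up the first file with that name,
    # wherever it lives; a fixed staging directory would be safer.
    tomcat_tgz=$(find / -name "apache-tomcat-9.0.27.tar.gz" -print -quit)
    if [[ -z "$tomcat_tgz" ]]; then
      echo 'apache-tomcat-9.0.27.tar.gz not found' >&2
      exit 1
    fi
    tar xf "$tomcat_tgz" -C ./
    mv apache-tomcat-9.0.27 tomcat9
    rm -rf /config/tomcat9/webapps/*
    sed -i 's/Connector port="8080"/Connector port="8081"/g' /config/tomcat9/conf/server.xml
    echo "java.util.logging.ConsoleHandler.encoding = UTF-8" >> /config/tomcat9/conf/logging.properties
    wget http://download.jumpserver.org/release/v2.3.0/guacamole-client-v2.3.0.tar.gz
    tar -xf guacamole-client-v2.3.0.tar.gz
    cp guacamole-client-v2.3.0/guacamole-*.war /config/tomcat9/webapps/ROOT.war
    cp guacamole-client-v2.3.0/guacamole-*.jar /config/guacamole/extensions/
    mv /opt/docker-guacamole/guacamole.properties /config/guacamole
    # TODO(review): the three symlinks below point at 1.0.0 artifacts under
    # /opt/docker-guacamole that nothing in this guide downloads, and they replace the
    # v2.3.0 files copied just above; confirm they are still wanted.
    ln -sf /opt/docker-guacamole/guacamole-1.0.0.war /config/tomcat9/webapps/ROOT.war
    ln -sf /opt/docker-guacamole/guacamole-auth-jumpserver-1.0.0.jar /config/guacamole/extensions/guacamole-auth-jumpserver-1.0.0.jar
    ln -sf /opt/docker-guacamole/root/app/guacamole/guacamole.properties /config/guacamole/guacamole.properties

    # Configure the guacamole environment; http://127.0.0.1:8080 is the jumpserver address
    source /opt/py3/bin/activate
    export JUMPSERVER_SERVER=http://127.0.0.1:8080
    echo "export JUMPSERVER_SERVER=http://127.0.0.1:8080" >> ~/.bashrc
    # BOOTSTRAP_TOKEN is the BOOTSTRAP_TOKEN value from Jumpserver/config.yml. Read it
    # from there instead of pasting a literal (assumes the single-quoted form).
    BOOTSTRAP_TOKEN=$(awk -F"'" '/^BOOTSTRAP_TOKEN:/ {print $2}' /opt/jumpserver/config.yml)
    if [[ -z "$BOOTSTRAP_TOKEN" ]]; then
      echo 'BOOTSTRAP_TOKEN not found in /opt/jumpserver/config.yml' >&2
      exit 1
    fi
    export BOOTSTRAP_TOKEN
    # NOTE(review): as in the original, this persists the token in plaintext in
    # root's ~/.bashrc.
    echo "export BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN" >> ~/.bashrc
    export JUMPSERVER_KEY_DIR=/config/guacamole/keys
    echo "export JUMPSERVER_KEY_DIR=/config/guacamole/keys" >> ~/.bashrc
    export GUACAMOLE_HOME=/config/guacamole
    echo "export GUACAMOLE_HOME=/config/guacamole" >> ~/.bashrc
    export GUACAMOLE_LOG_LEVEL=ERROR
    echo "export GUACAMOLE_LOG_LEVEL=ERROR" >> ~/.bashrc
    /etc/init.d/guacd start
    sh /config/tomcat9/bin/startup.sh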

    8.部署luna插件

    #luna功能: 现在是 Web Terminal 前端,计划前端页面都由该项目提供,Jumpserver 只提供 API,不再负责后台渲染html等
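    source /opt/py3/bin/activate
    cd /opt || exit 1
    # luna.tar.gz is not downloaded by this guide; it must be staged beforehand.
    # Resolve it once and fail loudly if missing, instead of passing an empty path
    # from a backticked find to tar.
    luna_tgz=$(find / -name "luna.tar.gz" -print -quit)
    if [[ -z "$luna_tgz" ]]; then
      echo 'luna.tar.gz not found' >&2
      exit 1
    fi
    tar xf "$luna_tgz" -C ./
    chown -R root:root luna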

    9.生成nginx代理jumpserver配置文件

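    source /opt/py3/bin/activate
    # Write the nginx site config. The literal is single-quoted on purpose so nginx
    # variables ($remote_addr, $host, ...) reach the file unexpanded.
    # Fix: the original had no ';' after server_name, so nginx parsed the next line
    # as more server names and client_max_body_size was never set (nginx -t still
    # passed). NOTE(review): this serves plain HTTP on port 80; nothing here
    # terminates TLS in front of the logins and sessions it proxies.
    printf '%s\n' 'server {
        listen 80;
        server_name alpha.example.com;
        client_max_body_size 100m;  # 录像及文件上传大小限制
        location / {
            proxy_pass http://localhost:8080;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
        location /luna/ {
            try_files $uri / /index.html;
            alias /opt/luna/;  # luna 路径, 如果修改安装目录, 此处需要修改
        }
        location /media/ {
            add_header Content-Encoding gzip;
            root /opt/jumpserver/data/;  # 录像位置, 如果修改安装目录, 此处需要修改
        }
        location /static/ {
            root /opt/jumpserver/data/;  # 静态资源, 如果修改安装目录, 此处需要修改
        }
        location /koko/ {
            proxy_pass       http://localhost:5000;
            proxy_buffering off;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            access_log off;
        }
        location /guacamole/ {
            proxy_pass       http://localhost:8081/;
            proxy_buffering off;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $http_connection;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            access_log off;
        }
        location /ws/ {
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_pass http://localhost:8070;
            proxy_http_version 1.1;
            proxy_buffering off;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
        }
    }' >/etc/nginx/conf.d/jumpserver.conf
    # Only start nginx if the config passes validation.
    nginx -t && nginx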

     10.关于日志存储

    在 Jumpserver 中,有登陆日志、FTP日志、操作日志、改密日志、批量命令,还有Windows操作录屏。这些日志都会占用磁盘空间,数据库记录。

    用户登录日志:jumpserver库下audits_userloginlog表
    改密日志:jumpserver库下audits_passwordchangelog表
    审计操作日志(管理员操作创用户分权限日志):jumpserver库下audits_operatelog表
    ftp文件上传下载日志:jumpserver库下audits_ftplog表
    执行终端命令日志:jumpserver库下terminal_command表
    终端会话连接:jumpserver库下terminal_session表

    ###
