  • 安装JumpServer到CentOS(YUM)

    运行环境

    系统版本:CentOS Linux release 7.6.1810 (Core)
    软件版本:JumpServer-1.4.8
    硬件要求:最低2核4GB
    官方文档:https://docs.jumpserver.org/zh/docs/setup_by_centos7.html

    安装过程

    1、系统配置

    注意:以下命令直接关闭防火墙和SELinux,只适合隔离的测试环境;生产环境建议保留两者,仅放行实际需要对外的端口(本文中为Nginx的80和koko的2222)。

    [root@localhost ~]# systemctl stop firewalld
    [root@localhost ~]# systemctl disable firewalld
    [root@localhost ~]# setenforce 0
    [root@localhost ~]# sed -i "s/SELINUX=enforcing/SELINUX=disabled/g" /etc/sysconfig/selinux
    

    2、安装依赖

    [root@localhost ~]# yum -y install wget gcc epel-release git
    

    3、安装Redis

    [root@localhost ~]# yum -y install redis
    [root@localhost ~]# systemctl enable redis
    [root@localhost ~]# systemctl start redis
    [root@localhost ~]# systemctl status redis
    [root@localhost ~]# netstat -lnupt |grep redis
    tcp        0      0 127.0.0.1:6379          0.0.0.0:*               LISTEN      19387/redis-server
    

    4、安装Mariadb(MYSQL)

    [root@localhost ~]# yum -y install mariadb mariadb-devel mariadb-server MariaDB-shared
    [root@localhost ~]# systemctl enable mariadb
    [root@localhost ~]# systemctl start mariadb
    [root@localhost ~]# netstat -lnupt |grep mysqld
    tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      19721/mysqld
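    #上面的输出显示mysqld监听在0.0.0.0:3306;本文中JumpServer通过127.0.0.1连接数据库,可在MariaDB配置中设置bind-address=127.0.0.1,避免数据库端口对外暴露
    #设置Mariadb数据库管理员密码('ABCabc-123'仅为示例,请替换为自己的强密码)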
    [root@localhost ~]# mysqladmin -uroot -p password 'ABCabc-123'
    #创建JumpServer所使用的数据库用户,并授权(示例中该账号与root使用了同一密码;实际部署时应为其单独设置密码,并与config.yml中的DB_PASSWORD保持一致。另外,直接写在命令行里的密码会留在shell历史记录中)
    [root@localhost ~]# mysql -uroot -p'ABCabc-123'
    MariaDB [(none)]> create database jumpserver default charset 'utf8';
    MariaDB [(none)]> grant all on jumpserver.* to 'jumpserver'@'127.0.0.1' identified by 'ABCabc-123';
    MariaDB [(none)]> flush privileges;
    MariaDB [(none)]> exit
    

    5、安装Nginx

    [root@localhost ~]# yum -y install nginx
    [root@localhost ~]# systemctl enable nginx
    

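    6、安装Docker

    说明:下面的docker-ce.repo是通过http获取的,set_mirror.sh则是下载后经管道直接交给sh以root身份执行;建议在镜像站支持的情况下改用https地址,并先把脚本下载到本地、检查内容后再执行。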

    [root@localhost ~]# yum -y install epel-release.noarch yum-utils
    [root@localhost ~]# yum-config-manager --add-repo http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
    [root@localhost ~]# yum -y install device-mapper-persistent-data  lvm2
    [root@localhost ~]# yum -y install docker-ce
    [root@localhost ~]# systemctl start docker
    [root@localhost ~]# systemctl enable docker
    [root@localhost ~]# curl -sSL https://get.daocloud.io/daotools/set_mirror.sh | sh -s http://f1361db2.m.daocloud.io
    [root@localhost ~]# systemctl restart docker
    [root@localhost ~]# systemctl status docker
    

    7、安装Python3.6

    JumpServer基于Python3.6开发,所以需要Python3.6运行环境。

    [root@localhost ~]# yum -y install python36 python36-devel
    #开启Python3.6虚拟运行环境,"py3"是这个虚拟环境名,可以自定义
    [root@localhost ~]# cd /opt
    [root@localhost opt]# python3.6 -m venv py3
    #退出虚拟环境可以使用"deactivate"命令
    [root@localhost opt]# source /opt/py3/bin/activate
    #看到下面的提示符代表成功, 以后运行JumpServer都要先运行以上"source"命令, 载入环境后默认以下所有命令均在该虚拟环境中运行
    (py3) [root@localhost opt]# 
    

    8、安装JumpServer

    JumpServer系统的核心后端应用服务。

    #下载JumpServer(这里克隆的是默认分支的最新代码,没有固定版本;如需可复现的部署,可用 -b <版本标签> 指定与koko、guacamole、luna一致的版本)
    (py3) [root@localhost opt]# git clone --depth=1 https://github.com/jumpserver/jumpserver.git
    #安装软件包依赖
    (py3) [root@localhost opt]# yum -y install $(cat /opt/jumpserver/requirements/rpm_requirements.txt)
    #安装Python依赖
    (py3) [root@localhost opt]# pip install --upgrade pip setuptools
    (py3) [root@localhost opt]# pip install -r /opt/jumpserver/requirements/requirements.txt
    #生成加密密钥(下面的输出只是示例,请使用自己生成的值,不要照抄本文中已公开的密钥)
    [root@localhost jumpserver]# cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 49
    mTUbunBOhz6FqY06MWidwklGzROg3Od9k68FDJQda044CLRRH
    #生成引导令牌(同样请使用自己生成的值;koko和guacamole注册到JumpServer时会用到它,需妥善保管)
    [root@localhost jumpserver]# cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 16
    4dNPSDcgKguMLx0b
    #配置JumpServer
    (py3) [root@localhost opt]# cd jumpserver/
    (py3) [root@localhost jumpserver]# cp config_example.yml config.yml
    (py3) [root@localhost jumpserver]# vim config.yml
    SECRET_KEY: mTUbunBOhz6FqY06MWidwklGzROg3Od9k68FDJQda044CLRRH    #设置加密密钥
    BOOTSTRAP_TOKEN: 4dNPSDcgKguMLx0b                                #设置引导令牌
    DEBUG: false                                                     #设置禁用调试模式
    LOG_LEVEL: ERROR                                                 #设置日志级别为ERROR级别
    SESSION_EXPIRE_AT_BROWSER_CLOSE: true                            #设置当浏览器关闭时Session过期
    DB_ENGINE: mysql                                                 #设置使用的数据库为MYSQL(Mariadb)
    DB_HOST: 127.0.0.1                                               #设置MYSQL数据库连接地址
    DB_PORT: 3306                                                    #设置MYSQL数据库连接端口
    DB_USER: jumpserver                                              #设置MYSQL数据库连接账号
    DB_PASSWORD: ABCabc-123                                          #设置MYSQL数据库连接密码
    DB_NAME: jumpserver                                              #设置MYSQL数据库名
    HTTP_BIND_HOST: 0.0.0.0                                          #设置JumpServer WEB服务监听地址
    HTTP_LISTEN_PORT: 8080                                           #设置JumpServer WEB服务监听端口
    REDIS_HOST: 127.0.0.1                                            #设置Redis连接地址
    REDIS_PORT: 6379                                                 #设置Redis连接端口
    #将JumpServer服务交给系统管理(systemd),并运行服务(unit文件无需可执行权限,权限设为644即可)
    (py3) [root@localhost jumpserver]# wget -O /usr/lib/systemd/system/jms.service https://demo.jumpserver.org/download/shell/centos/jms.service
    (py3) [root@localhost jumpserver]# chmod 755 /usr/lib/systemd/system/jms.service
    (py3) [root@localhost jumpserver]# vim /usr/lib/systemd/system/jms.service
    [Unit]
    Description=jms
    After=network.target mariadb.service redis.service docker.service
    Wants=mariadb.service redis.service docker.service
    
    [Service]
    Type=forking
    Environment="PATH=/opt/py3/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin"
    ExecStart=/opt/jumpserver/jms start -d
    ExecReload=
    ExecStop=/opt/jumpserver/jms stop
    
    [Install]
    WantedBy=multi-user.target
    (py3) [root@localhost jumpserver]# systemctl daemon-reload
    (py3) [root@localhost jumpserver]# systemctl start jms
    (py3) [root@localhost jumpserver]# systemctl enable jms
    (py3) [root@localhost jumpserver]# systemctl status jms
    (py3) [root@localhost jumpserver]# netstat -lnupt |grep 8080
    tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      36499/python3.6
    

    9、安装koko和guacamole

    在Docker中运行koko和guacamole应用服务。
    koko :基于SSH协议,为用户提供JumpServer的操作终端。
    guacamole :基于HTML5的VNC查看器,允许用户在WEB-UI管理控制台中进行VNC远程操作。

    (py3) [root@localhost jumpserver]# Server_IP=`ip addr | grep inet | egrep -v '(127.0.0.1|inet6|docker)' | awk '{print $2}' | tr -d "addr:" | head -n 1 | cut -d / -f1`
    (py3) [root@localhost jumpserver]# BOOTSTRAP_TOKEN='4dNPSDcgKguMLx0b'
    (py3) [root@localhost jumpserver]# docker run --name jms_koko -d -p 2222:2222 -p 127.0.0.1:5000:5000 -e CORE_HOST=http://$Server_IP:8080 -e BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN --restart=always jumpserver/jms_koko:1.5.2
    (py3) [root@localhost jumpserver]# docker run --name jms_guacamole -d -p 127.0.0.1:8081:8081 -e JUMPSERVER_SERVER=http://$Server_IP:8080 -e BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN --restart=always jumpserver/jms_guacamole:1.5.2
    (py3) [root@localhost jumpserver]# docker ps
    [root@localhost ~]# netstat -lnupt |grep 5000
    tcp        0      0 127.0.0.1:5000          0.0.0.0:*               LISTEN      37806/docker-proxy  
    [root@localhost ~]# netstat -lnupt |grep 8081
    tcp        0      0 127.0.0.1:8081          0.0.0.0:*               LISTEN      38042/docker-proxy  
    

    10、下载管理控制台-luna(前端页面)

    luna为JumpServer提供一个WEB-UI的管理控制台。

    (py3) [root@localhost jumpserver]# cd /opt
    (py3) [root@localhost opt]# wget https://demo.jumpserver.org/download/luna/1.5.2/luna.tar.gz
    (py3) [root@localhost opt]# tar xf luna.tar.gz
    (py3) [root@localhost opt]# chown -R root:root luna
    

    11、配置Nginx

    配置Nginx发布前端页面和反代后端应用服务(jumpserver、koko、guacamole)。
    注意:下面的配置只监听80端口(明文HTTP),登录口令和会话信息都会以明文传输;对外提供服务时建议配置TLS证书并改用443端口。

    (py3) [root@localhost opt]# rm -rf /etc/nginx/conf.d/default.conf
    (py3) [root@localhost opt]# vim /etc/nginx/nginx.conf
    user nginx;
    worker_processes auto;
    error_log /var/log/nginx/error.log;
    pid /run/nginx.pid;
    include /usr/share/nginx/modules/*.conf;
    events {
        worker_connections 1024;
    }
    http {
        log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                          '$status $body_bytes_sent "$http_referer" '
                          '"$http_user_agent" "$http_x_forwarded_for"';
    
        access_log  /var/log/nginx/access.log  main;
    
        sendfile            on;
        tcp_nopush          on;
        tcp_nodelay         on;
        keepalive_timeout   65;
        types_hash_max_size 2048;
    
        include             /etc/nginx/mime.types;
        default_type        application/octet-stream;
    
        include /etc/nginx/conf.d/*.conf;
    }
    (py3) [root@localhost opt]# vim /etc/nginx/conf.d/jumpserver.conf
    server {
        listen 80;
        client_max_body_size 100m;
        #限制文件上传大小。
    
        location /luna/ {
            try_files $uri / /index.html;
            alias /opt/luna/;            
        }
        #前端页面-luna目录路径
    
        location /media/ {
            add_header Content-Encoding gzip;
            root /opt/jumpserver/data/;  
        }
        #录像数据。
    
        location /static/ {
            root /opt/jumpserver/data/;  
        }
        #静态数据。
    
        location /socket.io/ {
            proxy_pass       http://localhost:5000/socket.io/;
            proxy_buffering off;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            access_log off;
        }
    
        location /coco/ {
            proxy_pass       http://localhost:5000/coco/;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            access_log off;
        }
    
        location /guacamole/ {
            proxy_pass       http://localhost:8081/;
            proxy_buffering off;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $http_connection;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            access_log off;
        }
    
        location / {
            proxy_pass http://localhost:8080;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }
    (py3) [root@localhost opt]# nginx -t
    nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
    nginx: configuration file /etc/nginx/nginx.conf test is successful
    (py3) [root@localhost opt]# systemctl start nginx
    (py3) [root@localhost opt]# systemctl enable nginx
    (py3) [root@localhost opt]# systemctl status nginx
    

    12、访问JumpServer管理控制台(luna)

    在浏览器中直接输入"http://服务器地址/luna"即可。
    默认管理员账号:admin
    默认管理员密码:admin(首次登录后请立即修改;该账号同样可用于下文的SSH登录)

    13、访问JumpServer操作终端(koko)

    使用SSH的方式访问到JumpServer操作终端。

    [root@localhost ~]# ssh -p 2222 admin@172.16.254.128
    admin@172.16.254.128's password: 
    		Administrator,  欢迎使用Jumpserver开源堡垒机系统
    
    	1) 输入 ID 进行直接登陆.
    	2) 输入 部分IP、主机名、备注 进行进行搜索登录(如果唯一).
    	3) 输入 / + IP, 主机名 or 备注 进行搜索, 如: /192.168.
    	4) 输入 p 进行显示您有权限的主机.
    	5) 输入 g 进行显示您有权限的节点.
    	6) 输入 r 进行刷新最新的机器和节点信息.
    	7) 输入 h 进行显示帮助.
    	8) 输入 q 进行退出.
    Opt> q
    
    乐在分享!~~
  • 原文地址:https://www.cnblogs.com/network-ren/p/12377386.html