jumpserver_install_step_by_step
0. Preparation
0.1. Official documentation
- This guide is a condensed version of the official JumpServer installation documentation.
0.2. Supported systems
- CentOS 7
- Ubuntu 18
0.3. Requirements
Python = 3.6.x
MySQL Server ≥ 5.7 (the CentOS 7 steps in 1.3 install the MariaDB 5.5 server from the base repo instead)
Redis
1. Install dependencies and set up the base environment
1.1. Firewall and SELinux
- CentOS 7 only. Skip if firewalld and SELinux are already configured. Note that these commands do not turn the firewall off: firewalld stays running and only the two ports clients need are opened, 80 for nginx and 2222 for koko's SSH service. Every other port the components bind later (8080, 8070, 5000, 8081, 3306, 6379) stays unreachable from the network, so keep firewalld enabled.
systemctl start firewalld
firewall-cmd --zone=public --add-port=80/tcp --permanent # nginx port
firewall-cmd --zone=public --add-port=2222/tcp --permanent # SSH port users log in to (koko)
# --permanent makes the rule survive a reboot; without it the rule is lost on restart
# reload the rules
firewall-cmd --reload
# Set SELinux to permissive now and to disabled from the next boot. This removes a protection layer from the bastion host itself; the guide follows the upstream procedure here. If you keep SELinux enforcing instead, expect to allow nginx to connect to the backends (the httpd_can_network_connect boolean) and to label /opt/lina and /opt/luna so nginx may serve them.
setenforce 0
sed -i "s/SELINUX=enforcing/SELINUX=disabled/g" /etc/selinux/config
- Set the character set. Early versions needed this, otherwise you may hit input/output errors because the logs contain Chinese text
# CentOS 7
localedef -c -f UTF-8 -i zh_CN zh_CN.UTF-8
export LC_ALL=zh_CN.UTF-8
echo 'LANG="zh_CN.UTF-8"' > /etc/locale.conf
# CentOS 6
localedef -c -f UTF-8 -i zh_CN zh_CN.UTF-8
export LC_ALL=zh_CN.UTF-8
echo 'LANG=zh_CN.UTF-8' > /etc/sysconfig/i18n
1.2. Install Redis
- JumpServer uses Redis as its cache and as the Celery broker
- CentOS 7 (the package comes from EPEL, and both package and service are called redis, not redis-server)
yum -y install epel-release
yum -y install redis
systemctl enable redis
systemctl start redis
- Ubuntu 18
apt-get -y install redis-server
systemctl enable redis-server
systemctl start redis-server
- Both distributions ship a redis.conf that binds 127.0.0.1 only; leave it that way, nothing outside this host needs Redis. If you set requirepass in redis.conf, put the same value in REDIS_PASSWORD in config.yml (section 2.4).
1.3. Install MySQL and create the database account
- Supported backends: sqlite3, mysql, postgres, etc.
- CentOS 7
# Installs mariadb-5.5.64-1.el7.x86_64 from the base repo by default
yum install wget gcc epel-release git -y
yum install mariadb-server mariadb -y
systemctl enable mariadb
systemctl start mariadb
systemctl status mariadb
- Ubuntu 18
apt-get -y install mysql-server libmysqlclient-dev
- Create the jumpserver database and grant access
DB_PASSWORD=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 24` # generate a random database password
echo -e "\033[31m Your database password is $DB_PASSWORD \033[0m"
mysql -uroot -p -e "create database jumpserver default charset 'utf8'; grant all on jumpserver.* to 'jumpserver'@'127.0.0.1' identified by '$DB_PASSWORD'; flush privileges;"
# Or run the statements interactively instead
mysql
create database jumpserver default charset 'utf8';
grant all on jumpserver.* to 'jumpserver'@'%' identified by 'jump123456';
grant all on jumpserver.* to 'jumpserver'@'127.0.0.1' identified by 'jump123456';
flush privileges;
- Prefer the first form. The interactive variant uses a fixed, guessable password and a 'jumpserver'@'%' grant that lets the account log in from any host, while JumpServer only ever connects from 127.0.0.1 (DB_HOST in config.yml), so the '%' grant is pure exposure. If you do use it, change the password and drop the '%' user afterwards. Keep $DB_PASSWORD set in this shell: section 2.4 writes it into config.yml.
1.4. Install nginx
- nginx is the reverse proxy that ties JumpServer and its components together
- CentOS 7
vim /etc/yum.repos.d/nginx.repo
----------------------------
[nginx]
name=nginx repo
baseurl=http://nginx.org/packages/centos/7/$basearch/
gpgcheck=1
gpgkey=https://nginx.org/keys/nginx_signing.key
enabled=1
----------------------------
# Do not set gpgcheck=0 here: that installs whatever the mirror serves without verifying the package signature. With gpgcheck=1 and nginx's published signing key, yum checks every package.
yum -y install nginx
systemctl start nginx
systemctl enable nginx
systemctl status nginx
- Troubleshooting
# The nginx from the nginx.org repo conflicts with some module packages from the default repo and then fails to start. Remove the conflicting module packages and reinstall them
yum remove nginx-mod*
yum install nginx-module-*
- Ubuntu 18
apt-get -y install curl gnupg2 ca-certificates lsb-release
add-apt-repository "deb http://nginx.org/packages/ubuntu/ $(lsb_release -cs) nginx"
curl -fsSL https://nginx.org/keys/nginx_signing.key | sudo apt-key add -   # fetch the signing key over https; it is the trust root for every nginx package
apt-get update
apt-get -y install nginx
1.5. Install Python and set up a virtual environment
- Install Python 3.6 and create a Python 3 virtual environment
- CentOS 7
yum -y install wget gcc epel-release git
yum -y install python36 python36-devel
- Ubuntu 18
apt-get update && apt-get -y upgrade
apt-get -y install wget gcc libffi-dev git
apt-get -y install python3.6-dev python3-venv
- Create the Python virtual environment
cd /opt
python3.6 -m venv py3 # py3 is the name of the virtual environment; choose your own if you like
source /opt/py3/bin/activate
# To leave the virtual environment
deactivate
# A prompt like the one below means the environment is active. From now on, run the source command before running or managing jumpserver
(py3) [root@localhost py3]
- Optional: activate it automatically in new shells
echo "source /opt/py3/bin/activate" >> ~/.bashrc
source ~/.bashrc
1.6. Install Docker
- Ubuntu 18
apt-get -y install apt-transport-https ca-certificates curl software-properties-common
curl -fsSL https://mirrors.aliyun.com/docker-ce/linux/ubuntu/gpg | sudo apt-key add -   # https: this key is the trust root for every docker-ce package
add-apt-repository "deb [arch=amd64] http://mirrors.aliyun.com/docker-ce/linux/ubuntu $(lsb_release -cs) stable"
apt-get -y update
apt-get -y install docker-ce wget
mkdir -p /etc/docker
wget -O /etc/docker/daemon.json https://demo.jumpserver.org/download/docker/daemon.json
systemctl restart docker.service
- CentOS 7
yum install -y yum-utils device-mapper-persistent-data lvm2
yum-config-manager --add-repo http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
yum makecache fast
rpm --import https://mirrors.aliyun.com/docker-ce/linux/centos/gpg
yum -y install docker-ce
systemctl enable docker
mkdir -p /etc/docker
wget -O /etc/docker/daemon.json https://demo.jumpserver.org/download/docker/daemon.json
systemctl restart docker
- daemon.json configures the Docker daemon itself. Read it (cat /etc/docker/daemon.json) before restarting Docker: it comes from a third-party site, and anything in it, registry mirrors included, becomes part of the supply chain for the koko and guacamole images pulled in section 3.
2. Install JumpServer
2.1. Download the project files
- Clone the repository
cd /opt/
git clone --depth=1 https://github.com/jumpserver/jumpserver.git   # clones the current master branch; add -b v2.5.2 to get the same version as the component images used below
- Or download the offline release tarball (check which version is current; v2.5.2 is used throughout this guide and every component below must match the core version)
cd /opt
wget https://github.com/jumpserver/jumpserver/releases/download/v2.5.2/jumpserver-v2.5.2.tar.gz
tar xf jumpserver-v2.5.2.tar.gz
mv jumpserver-v2.5.2 jumpserver
2.2. Install system package dependencies
- CentOS 7
cd /opt/jumpserver/requirements
yum install -y $(cat rpm_requirements.txt)
- Ubuntu 18
cd /opt/jumpserver/requirements
apt-get install -y $(cat deb_requirements.txt)
2.3. Install the Python dependencies
- Run this inside the py3 virtual environment (the prompt shows (py3)) from /opt/jumpserver/requirements
source /opt/py3/bin/activate
cd /opt/jumpserver/requirements
pip install wheel && pip install --upgrade pip setuptools && pip install -r requirements.txt
- If the installation fails or is slow, use a domestic mirror. Note that -i replaces PyPI as the source of every package, so pick a mirror you trust: unless requirements.txt pins hashes, pip installs whatever the mirror serves for each version
pip install wheel -i https://mirrors.aliyun.com/pypi/simple/
pip install --upgrade pip setuptools -i https://mirrors.aliyun.com/pypi/simple/
pip install -r requirements.txt -i https://mirrors.aliyun.com/pypi/simple/
2.4. Edit the configuration file
- First generate a random secret key and bootstrap token
----------------------------------
# Generate a random SECRET_KEY
SECRET_KEY=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 50`
echo "SECRET_KEY=$SECRET_KEY" >> ~/.bashrc
# Generate a random BOOTSTRAP_TOKEN
BOOTSTRAP_TOKEN=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 16`
echo "BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN" >> ~/.bashrc
echo -e "\033[31m Your SECRET_KEY is $SECRET_KEY \033[0m"
echo -e "\033[31m Your BOOTSTRAP_TOKEN is $BOOTSTRAP_TOKEN \033[0m"
# Appending to ~/.bashrc only exists so the values are still available in the shell used in section 3; it leaves both secrets in clear text in root's profile. Delete those two lines once koko and Guacamole have registered.
- Create the configuration file and fill in the values
cd /opt/jumpserver
cp config_example.yml config.yml
sed -i "s/SECRET_KEY:/SECRET_KEY: $SECRET_KEY/g" /opt/jumpserver/config.yml
sed -i "s/BOOTSTRAP_TOKEN:/BOOTSTRAP_TOKEN: $BOOTSTRAP_TOKEN/g" /opt/jumpserver/config.yml
sed -i "s/# DEBUG: true/DEBUG: false/g" /opt/jumpserver/config.yml
sed -i "s/# LOG_LEVEL: DEBUG/LOG_LEVEL: ERROR/g" /opt/jumpserver/config.yml
sed -i "s/# SESSION_EXPIRE_AT_BROWSER_CLOSE: false/SESSION_EXPIRE_AT_BROWSER_CLOSE: true/g" /opt/jumpserver/config.yml
sed -i "s/DB_PASSWORD: /DB_PASSWORD: $DB_PASSWORD/g" /opt/jumpserver/config.yml
# These substitutions only do the right thing if $SECRET_KEY, $BOOTSTRAP_TOKEN and $DB_PASSWORD are set in this shell; an unset variable silently leaves the key empty, so check the result in the next step.
- Review the configuration file and make sure nothing is wrong. It now holds three secrets, so it should be readable by root only (mode 600).
vim config.yml
----------------------------------
# SECURITY WARNING: keep the secret key used in production secret!
# Encryption key. In production set it to a random string and never disclose it; it can be generated with
# cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 49;echo
SECRET_KEY:
# SECURITY WARNING: keep the bootstrap token used in production secret!
# Pre-shared token that coco (koko) and guacamole use to register their service accounts; the old registration-approval mechanism is no longer used
BOOTSTRAP_TOKEN:
# Development env open this, when error occur display the full process track, Production disable it
# DEBUG mode: with DEBUG on you get much more detail when an error occurs
DEBUG: false
# DEBUG, INFO, WARNING, ERROR, CRITICAL can set. See https://docs.djangoproject.com/en/1.10/topics/logging/
# Log level
LOG_LEVEL: ERROR
# LOG_DIR:
# Session expiration setting, Default 24 hour, Also set expired on on browser close
# Browser session lifetime, default 24 hours; the session can also be expired when the browser closes
# SESSION_COOKIE_AGE: 86400
SESSION_EXPIRE_AT_BROWSER_CLOSE: true
# Database setting, Support sqlite3, mysql, postgres ....
# Database settings
# See https://docs.djangoproject.com/en/1.10/ref/settings/#databases
# SQLite setting:
# Single-file sqlite database
# DB_ENGINE: sqlite3
# DB_NAME:
# MySQL or postgres setting like:
# Use MySQL as the database
DB_ENGINE: mysql
DB_HOST: 127.0.0.1
DB_PORT: 3306
DB_USER: jumpserver
DB_PASSWORD:
DB_NAME: jumpserver
# When Django start it will bind this host and port
# ./manage.py runserver 127.0.0.1:8080
# Host and port to bind at run time
# 0.0.0.0 is needed so the koko and guacamole containers can reach the core on the host IP (section 3); the firewall rules in 1.1 are what keep 8080 and 8070 off the network
HTTP_BIND_HOST: 0.0.0.0
HTTP_LISTEN_PORT: 8080
WS_LISTEN_PORT: 8070
# Use Redis as broker for celery and web socket
# Redis settings
REDIS_HOST: 127.0.0.1
REDIS_PORT: 6379
REDIS_PASSWORD:
# REDIS_DB_CELERY: 3
# REDIS_DB_CACHE: 4
# Use OpenID authorization
# OpenID authentication settings
# BASE_SITE_URL: http://localhost:8080
# AUTH_OPENID: false # True or False
# AUTH_OPENID_SERVER_URL: https://openid-auth-server.com/
# AUTH_OPENID_REALM_NAME: realm-name
# AUTH_OPENID_CLIENT_ID: client-id
# AUTH_OPENID_CLIENT_SECRET: client-secret
# AUTH_OPENID_IGNORE_SSL_VERIFICATION: True   # disables certificate validation towards the identity provider; keep it False in production
# AUTH_OPENID_SHARE_SESSION: True
# Use Radius authorization
# RADIUS authentication
# AUTH_RADIUS: false
# RADIUS_SERVER: localhost
# RADIUS_PORT: 1812
# RADIUS_SECRET:
# CAS settings
# AUTH_CAS: false
# CAS_SERVER_URL: "http://host/cas/"
# CAS_ROOT_PROXIED_AS: 'http://jumpserver-host:port'
# CAS_LOGOUT_COMPLETELY: true
# CAS_VERSION: 3
# LDAP/AD settings
# LDAP search page size
# AUTH_LDAP_SEARCH_PAGED_SIZE: 1000
#
# Periodic user sync
# enable / disable
# AUTH_LDAP_SYNC_IS_PERIODIC: True
# Sync interval (unit: hours) (takes precedence over the crontab)
# AUTH_LDAP_SYNC_INTERVAL: 12
# Crontab expression
# AUTH_LDAP_SYNC_CRONTAB: * 6 * * *
#
# Only allow LDAP users that already exist in the user list to authenticate against the LDAP server
# AUTH_LDAP_USER_LOGIN_ONLY_IN_USERS: False
#
# If the following message shows up in the logs during LDAP authentication, set this parameter to 0 (see https://www.python-ldap.org/en/latest/faq.html)
# In order to perform this operation a successful bind must be completed on the connection
# AUTH_LDAP_OPTIONS_OPT_REFERRALS: -1
# OTP settings
# OTP/MFA settings
# OTP_VALID_WINDOW: 0
# OTP_ISSUER_NAME: Jumpserver
# Perm show single asset to ungrouped node
# Whether to put assets of unauthorized nodes into the Ungrouped node
# PERM_SINGLE_ASSET_TO_UNGROUP_NODE: false
#
# Enable periodic tasks
# PERIOD_TASK_ENABLE: True
#
# Enable login confirmation (second approval step)
# LOGIN_CONFIRM_ENABLE: False
#
# Skip manual password entry for Windows logins
WINDOWS_SKIP_ALL_MANUAL_PASSWORD: True
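The steps in 2.4 generate the secrets and patch config.yml with six sed commands. The script below is an added example, not part of the JumpServer project or the official docs, that does the same work as reusable shell functions: random secrets of the lengths the guide uses, a key setter anchored at column 0 so DB_PASSWORD can never touch REDIS_PASSWORD, a copy created with mode 600, and a lint that refuses an empty or short SECRET_KEY, an empty BOOTSTRAP_TOKEN or DB_PASSWORD, DEBUG left on, or loose file permissions. The key names are those of config_example.yml above; the template excerpt embedded in example_template is constructed for an offline dry run and is not the real file. It assumes GNU sed and coreutils (install, stat), i.e. a Linux host.

```bash
#!/bin/bash
# Added example (not JumpServer project code): render config.yml from
# config_example.yml with random secrets, keep it root-only, and lint it
# before starting ./jms. Nothing is written to ~/.bashrc.
set -eu

# Random string of N alphanumeric characters (same alphabet the guide uses).
rand_alnum() {
  LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "$1"
}

# set_key FILE KEY VALUE: turn a top-level "KEY:" line (commented out or not)
# into "KEY: VALUE". Anchored at column 0, so e.g. DB_PASSWORD never matches
# REDIS_PASSWORD. "|" is the sed delimiter; rand_alnum never produces it.
set_key() {
  local file=$1 key=$2 value=$3
  sed -i -E "s|^#? *${key}:.*|${key}: ${value}|" "$file"
}

# render_config SRC DST SECRET_KEY BOOTSTRAP_TOKEN DB_PASSWORD
# Copies SRC to DST as mode 600 (three secrets live in it) and applies the
# same six changes section 2.4 makes with sed.
render_config() {
  local src=$1 dst=$2 secret_key=$3 bootstrap_token=$4 db_password=$5
  install -m 600 "$src" "$dst"
  set_key "$dst" SECRET_KEY "$secret_key"
  set_key "$dst" BOOTSTRAP_TOKEN "$bootstrap_token"
  set_key "$dst" DB_PASSWORD "$db_password"
  set_key "$dst" DEBUG false
  set_key "$dst" LOG_LEVEL ERROR
  set_key "$dst" SESSION_EXPIRE_AT_BROWSER_CLOSE true
}

# value_of FILE KEY: print the value of an active (uncommented) top-level key.
value_of() {
  sed -n -E "s/^$2: *//p" "$1"
}

# lint_config FILE: return 1 (and say why on stderr) if the file is unsafe to run with.
lint_config() {
  local file=$1 rc=0 key v
  for key in SECRET_KEY BOOTSTRAP_TOKEN DB_PASSWORD; do
    v=$(value_of "$file" "$key")
    if [ -z "$v" ]; then echo "lint: $key is empty" >&2; rc=1; fi
  done
  v=$(value_of "$file" SECRET_KEY)
  if [ "${#v}" -lt 50 ]; then echo "lint: SECRET_KEY shorter than 50 chars" >&2; rc=1; fi
  if [ "$(value_of "$file" DEBUG)" = true ]; then echo "lint: DEBUG is on" >&2; rc=1; fi
  if [ "$(stat -c %a "$file")" != 600 ]; then echo "lint: $file is not mode 600" >&2; rc=1; fi
  return $rc
}

# Constructed excerpt of config_example.yml with only the keys this script
# touches, for an offline dry run. The real file in /opt/jumpserver has many more keys.
example_template() {
  cat <<'EOF'
# SECURITY WARNING: keep the secret key used in production secret!
SECRET_KEY:
BOOTSTRAP_TOKEN:
# DEBUG: true
# LOG_LEVEL: DEBUG
# SESSION_EXPIRE_AT_BROWSER_CLOSE: false
DB_ENGINE: mysql
DB_HOST: 127.0.0.1
DB_PASSWORD:
REDIS_PASSWORD:
EOF
}

# Real run on the host, using the $DB_PASSWORD generated in step 1.3 (it must
# still be set in this shell). Prints the BOOTSTRAP_TOKEN once: section 3 needs it.
render_jumpserver_config() {
  local token; token=$(rand_alnum 16)
  render_config /opt/jumpserver/config_example.yml /opt/jumpserver/config.yml \
    "$(rand_alnum 50)" "$token" "${DB_PASSWORD:?set DB_PASSWORD as in step 1.3}"
  lint_config /opt/jumpserver/config.yml
  echo "BOOTSTRAP_TOKEN=$token"
}
```

Source the file and call render_jumpserver_config on the bastion host; for a dry run, write example_template to a temporary file and pass it to render_config followed by lint_config. The lint is also worth running on its own against an existing config.yml before every ./jms start, since an unset shell variable during the sed step in 2.4 leaves a key empty without any error.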
2.5. Start JumpServer
- Start in the foreground the first time so you can watch the initialisation, including the creation of the database tables (89 tables in MySQL in total)
source /opt/py3/bin/activate
cd /opt/jumpserver
./jms start
- For day-to-day operation run it in the background with -d
./jms start -d
- Other command forms
./jms start|stop|status all
- Install a systemd unit so the service is managed at system level
wget -O /lib/systemd/system/jms.service https://demo.jumpserver.org/download/shell/ubuntu/jms.service
chmod 644 /lib/systemd/system/jms.service   # unit files are plain config; systemd warns about units marked executable (755)
systemctl enable jms
- Read the downloaded unit before enabling it: it is fetched from a third-party site, it must point at /opt/py3 and /opt/jumpserver, and whatever it executes runs as root.
3. Install the other components: koko and Guacamole
- BOOTSTRAP_TOKEN is the BOOTSTRAP_TOKEN from jumpserver/config.yml; koko and Guacamole present it to the core to register their service accounts
Server_IP=`ip addr | grep 'state UP' -A2 | grep inet | grep -Ev '(127.0.0.1|inet6|docker)' | awk '{print $2}' | head -n 1 | cut -d / -f1`   # first IPv4 address of an interface that is up; the containers reach the core on this address
echo -e "\033[31m Your server IP is $Server_IP \033[0m"
echo -e "\033[31m Your SECRET_KEY is $SECRET_KEY \033[0m"
echo -e "\033[31m Your BOOTSTRAP_TOKEN is $BOOTSTRAP_TOKEN \033[0m"
3.1. Deploy koko
- SSH server and WebSocket server: koko
docker run --name jms_koko -d -p 2222:2222 -p 127.0.0.1:5000:5000 -e CORE_HOST=http://$Server_IP:8080 -e BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN -e LOG_LEVEL=ERROR --privileged=true --restart=always jumpserver/jms_koko:v2.5.2
- Port 2222 is published on all interfaces because it is the port users SSH to; 5000 is bound to 127.0.0.1 so only the local nginx can reach it. --privileged=true gives the container nearly every capability of the host; it is part of the upstream command, but check whether your deployment actually needs it before keeping it. CORE_HOST points at the host IP, which is why the core must listen on 0.0.0.0:8080 (HTTP_BIND_HOST) and why the firewall rules in 1.1 matter.
3.2. Deploy Guacamole
- RDP server and VNC server: Guacamole
docker run --name jms_guacamole -d -p 127.0.0.1:8081:8080 -e JUMPSERVER_SERVER=http://$Server_IP:8080 -e BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN -e GUACAMOLE_LOG_LEVEL=ERROR --restart=always jumpserver/jms_guacamole:v2.5.2
4. Deploy the web components
4.1. Deploy Lina
- Web management UI front end: Lina
cd /opt
wget https://github.com/jumpserver/lina/releases/download/v2.5.2/lina-v2.5.2.tar.gz
rm -rf lina
tar -xf lina-v2.5.2.tar.gz
mv lina-v2.5.2 lina
chown -R root:root lina
4.2. Deploy Luna
- Web terminal front end: Luna
cd /opt/
wget https://github.com/jumpserver/luna/releases/download/v2.5.2/luna-v2.5.2.tar.gz
rm -rf luna
tar -xf luna-v2.5.2.tar.gz
mv luna-v2.5.2 luna
chown -R root:root luna
- Alternatively, pick the release matching your core version from https://github.com/jumpserver/luna/releases and extract it; no build step is needed. Older releases used a different file name, for example the 1.5.9 package below, which must not be mixed with a v2.5.2 core:
wget https://github.com/jumpserver/luna/releases/download/1.5.9/luna.tar.gz
5. Configure nginx to tie the components together
5.1. Edit the configuration file
rm -rf /etc/nginx/conf.d/default.conf
vim /etc/nginx/conf.d/jumpserver.conf
-------------------------------------
server {
    listen 80;
    client_max_body_size 100m; # size limit for session recordings and file uploads
    location /ui/ {
        try_files $uri / /index.html;
        alias /opt/lina/;
    }
    location /luna/ {
        try_files $uri / /index.html;
        alias /opt/luna/; # luna path; change this if you installed it elsewhere
    }
    location /media/ {
        add_header Content-Encoding gzip;
        root /opt/jumpserver/data/; # session recordings; change this if you installed elsewhere
    }
    location /static/ {
        root /opt/jumpserver/data/; # static assets; change this if you installed elsewhere
    }
    location /koko/ {
        proxy_pass http://localhost:5000;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }
    location /guacamole/ {
        proxy_pass http://localhost:8081/;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }
    location /ws/ {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://localhost:8070;
        proxy_http_version 1.1;
        proxy_buffering off;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
    location /api/ {
        proxy_pass http://localhost:8080;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
    location /core/ {
        proxy_pass http://localhost:8080;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
    location / {
        rewrite ^/(.*)$ /ui/$1 last;
    }
}
----------------------------------------
- This server block listens on plain HTTP. Everything passing through it, the admin login, session cookies and the terminal WebSocket traffic included, is unencrypted on the wire. For anything beyond a lab, terminate TLS in this server block (listen 443 ssl with your certificate) and redirect port 80 to it. The backends nginx proxies to (8080, 8070, 5000, 8081) are meant to be reached only through nginx.
5.2. Restart nginx
nginx -t
systemctl restart nginx
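Once nginx is restarted every component is listening, and the guide's security model comes down to which of those listeners are reachable from the network. The script below is an added example, not from the JumpServer project or its docs: it reads ss -lntH output and reports every socket bound to a wildcard address, classified by what this guide intends for each port (80 and 2222 are the public entry points; 8080 and 8070 must bind 0.0.0.0 so the containers can reach the core and rely on the firewall from 1.1; 5000, 8081, 3306 and 6379 should only be on 127.0.0.1). A second function checks the mysql.user rows for the 'jumpserver'@'%' grant that the interactive variant in 1.3 creates. The port roles come from the docker -p flags and config.yml above; the ss lines and grant rows in the sample functions are constructed, not captured from a real host.

```bash
#!/bin/bash
# Added example (not JumpServer project code): audit the listening sockets and
# database grants of a host set up by this guide. Input for audit_listeners is
# `ss -lntH` output: State Recv-Q Send-Q Local:Port Peer:Port, one socket per line.
set -eu

# role_of PORT -> "role|scope". scope is public (meant for clients), firewalled
# (must bind 0.0.0.0 for the containers; firewalld keeps it off the network)
# or loopback (only nginx or the core on this host should reach it).
role_of() {
  case $1 in
    80)   echo 'nginx|public' ;;
    2222) echo 'koko SSH|public' ;;
    8080) echo 'core HTTP API|firewalled' ;;
    8070) echo 'core WebSocket|firewalled' ;;
    5000) echo 'koko web|loopback' ;;
    8081) echo 'guacamole|loopback' ;;
    3306) echo 'MySQL/MariaDB|loopback' ;;
    6379) echo 'Redis|loopback' ;;
    *)    echo 'not a JumpServer port|other' ;;
  esac
}

# audit_listeners < ss-output
# Prints one line per socket bound to a wildcard address; returns 1 if any
# loopback-only service is exposed that way.
audit_listeners() {
  local rc=0 state recvq sendq laddr peer rest addr port spec role scope
  while read -r state recvq sendq laddr peer rest; do
    [ "$state" = LISTEN ] || continue
    addr=${laddr%:*}          # "[::]:22" -> "[::]", "0.0.0.0:80" -> "0.0.0.0"
    port=${laddr##*:}
    case $addr in
      0.0.0.0|'*'|'[::]') ;;  # wildcard: reachable on every interface
      *) continue ;;
    esac
    spec=$(role_of "$port"); role=${spec%|*}; scope=${spec#*|}
    case $scope in
      public)     echo "OK    $port ($role) on $addr: intended entry point" ;;
      firewalled) echo "WARN  $port ($role) on $addr: only firewalld keeps this off the network" ;;
      loopback)   echo "FAIL  $port ($role) on $addr: should bind 127.0.0.1 only"; rc=1 ;;
      *)          echo "INFO  $port ($role) on $addr" ;;
    esac
  done
  return $rc
}

# audit_grants < output of: mysql -N -e "SELECT user,host FROM mysql.user WHERE user='jumpserver'"
# JumpServer connects from 127.0.0.1 (DB_HOST), so any wider grant is unneeded exposure.
audit_grants() {
  local rc=0 user host
  while read -r user host; do
    [ -n "$user" ] || continue
    case $host in
      127.0.0.1|localhost) echo "OK    '$user'@'$host'" ;;
      %) echo "FAIL  '$user'@'%': usable from any host; DROP USER it and keep the 127.0.0.1 grant"; rc=1 ;;
      *) echo "WARN  '$user'@'$host': remote grant, confirm it is intended" ;;
    esac
  done
  return $rc
}

# Constructed sample (not captured from a real host): a CentOS 7 install where
# MariaDB was left on its default bind address and sshd listens on IPv6.
sample_ss_output() {
  cat <<'EOF'
LISTEN 0 128 0.0.0.0:80 0.0.0.0:*
LISTEN 0 128 0.0.0.0:2222 0.0.0.0:*
LISTEN 0 2048 0.0.0.0:8080 0.0.0.0:*
LISTEN 0 128 0.0.0.0:8070 0.0.0.0:*
LISTEN 0 128 127.0.0.1:5000 0.0.0.0:*
LISTEN 0 128 127.0.0.1:8081 0.0.0.0:*
LISTEN 0 80 0.0.0.0:3306 0.0.0.0:*
LISTEN 0 128 127.0.0.1:6379 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
EOF
}

# Constructed sample of the mysql.user rows left by the interactive grants in 1.3.
sample_grants() {
  printf 'jumpserver\t%%\njumpserver\t127.0.0.1\n'
}

# Live run on the bastion host.
audit_live() {
  ss -lntH | audit_listeners
  mysql -N -e "SELECT user,host FROM mysql.user WHERE user='jumpserver'" | audit_grants
}
```

On the constructed sample the listener audit reports 80 and 2222 as OK, 8080 and 8070 as WARN, 22 as INFO and 3306 as FAIL, and returns 1; the grant audit fails on 'jumpserver'@'%'. A WARN on 8080/8070 is expected with this guide's layout, and is the reason firewalld must stay enabled with only 80 and 2222 opened.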
6. Start using JumpServer
- Once all services are up, browse to http://JumpserverIP:80
- Default account: admin, password: admin. Change it at the first login: this account guards every credential the bastion stores.
- In the JumpServer UI, go to Session management - Terminal management and check that koko and Guacamole have registered
- Test a connection
# From a macOS or Linux client
ssh -p2222 admin@192.168.244.144
sftp -P2222 admin@192.168.244.144
# From a Windows client with Xshell, the syntax is
ssh admin@192.168.244.144 2222
sftp admin@192.168.244.144 2222
- By default SFTP uploads land in /tmp on the target asset
- Files dragged into a Windows RDP session land on the G: drive that Guacamole maps into the session