  • 部署跳板机-JumpServer-Koko版

    jumpserver环境要求

    硬件配置: 2个CPU核心, 4G 内存, 50G 硬盘(最低)
    操作系统: Linux 发行版 x86_64
    
    Python = 3.6.x
    Mysql Server ≥ 5.6
    Mariadb Server ≥ 5.5.56
    Redis
    

    搭建jumpserver

    查看系统

    # Baseline the host: the steps below were recorded on CentOS 7.5 with the stock 3.10 kernel.
    [root@host ~]# cat /etc/redhat-release 
    CentOS Linux release 7.5.1804 (Core) 
    [root@host ~]# uname -a
    Linux host 3.10.0-862.el7.x86_64 #1 SMP Fri Apr 20 16:44:24 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
    

    关闭防火墙

    # SELinux is already Disabled on this host; the guide does not change it.
    [root@host ~]# getenforce 
    Disabled
    [root@host ~]# systemctl status firewalld
    # NOTE(review): stopping firewalld exposes every port the services below listen on
    # (8080, 8070, 2222, 5000 and, unless they are bound to localhost, 3306/6379) directly to the network.
    # A least-privilege alternative is to keep firewalld and open only what clients need, e.g.
    # `firewall-cmd --permanent --add-port=80/tcp --add-port=2222/tcp && firewall-cmd --reload`.
    # Also, `stop` is not persistent: the firewall comes back after a reboot (only `disable` would keep it off),
    # so the host behaves differently after its first reboot.
    [root@host ~]# systemctl stop firewalld
    

    修改字符集

    # The logs print Chinese text; without this locale an input/output error may be raised.
    [root@host ~]# localedef -c -f UTF-8 -i zh_CN zh_CN.UTF-8
    # `cat /etc/profile` only displays the file: the export line shown below is the line that has to be
    # added to /etc/profile (with an editor); the cat itself does not add it.
    [root@host ~]# cat /etc/profile
    	export LC_ALL=zh_CN.UTF-8
    # `>` overwrites /etc/locale.conf, so any previously configured LANG is replaced rather than appended to.
    [root@host ~]# echo 'LANG="zh_CN.UTF-8"' > /etc/locale.conf
    

    系统默认源更新

    # Replace the CentOS 7 default repository definition with the Aliyun mirror.
    # NOTE(review): both repo files are fetched over plain http://, so the file that decides where packages
    # (and the gpgkey) come from is not integrity-protected in transit; the mirror also serves https://.
    # Prefer `curl -fsSL -o ...` as well, so an HTTP error page is never written into the repo file.
    curl -o /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo
    
    # Add the EPEL repository.
    curl -o /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo
    

    准备python3和python虚拟环境

    安装依赖包

    # Toolchain, headers (*-devel) and helper tools needed to build the Python dependencies installed below.
    [root@host ~]# yum -y install wget vim lrzsz xz gcc git epel-release python-pip python-devel mysql-devel automake autoconf sqlite-devel zlib-devel openssl-devel sshpass readline-devel
    

    安装python

    # python36 is provided by EPEL (enabled via epel.repo / epel-release above).
    [root@host ~]# yum -y install python36 python36-devel
    

    创建虚拟环境

    # Create the virtualenv at /opt/py3 and activate it; every later step assumes it is active.
    [root@host ~]# cd /opt
    [root@host /opt]# python3.6 -m venv py3
    [root@host /opt]# source /opt/py3/bin/activate
    # The (py3) prefix on the prompt shows the activation succeeded; run the source command above before running Jumpserver from now on.
    (py3) [root@host opt]# 
    
    # Leave the virtualenv with deactivate.
    (py3) [root@host opt]# deactivate
    [root@host opt]# 
    

    安装jumpserver

    # NOTE(review): --depth=1 clones the tip of the default branch with no release pinned, so a re-run may
    # pull a different (untested) version; koko and luna below are pinned to 1.5.8, so check out the matching
    # jumpserver tag instead (`git clone --depth=1 -b <release-tag> ...`, tag name to be filled in).
    (py3) [root@host opt]# git clone --depth=1 https://github.com/jumpserver/jumpserver.git
    

    安装依赖包

    # Install the RPM dependencies listed by the project; $(cat ...) is deliberately unquoted so each
    # package name in rpm_requirements.txt becomes its own argument.
    (py3) [root@host opt]# cd /opt/jumpserver/requirements
    (py3) [root@host requirements]# yum -y install $(cat rpm_requirements.txt)
    

    安装python库依赖

    # NOTE(review): this line ends with a bare `-i` and no index URL, so pip exits with a missing-argument
    # error; presumably `-i https://mirrors.aliyun.com/pypi/simple/` was intended, as on the next line.
    (py3) [root@localhost  opt]# pip install --upgrade pip setuptools==45.2.0 -i 
    # requirements.txt is resolved relative to the cwd; it lives in /opt/jumpserver/requirements (entered above),
    # even though the prompt here reads "opt".
    (py3) [root@localhost  opt]# pip install -r requirements.txt -i https://mirrors.aliyun.com/pypi/simple/
    

    安装数据库redis,mariadb

    # Install and start the two backing services.
    (py3) [root@host  opt]# yum -y install redis mariadb mariadb-devel mariadb-server 
    (py3) [root@host  opt]# systemctl start mariadb redis
    # NOTE(review): no hardening follows. MariaDB's root account has no password (the `mysql -uroot` below connects
    # without one) — run `mysql_secure_installation` before exposing the host. Redis is left without `requirepass`,
    # yet config.yml below carries a REDIS_PASSWORD: either set the same value as `requirepass` in /etc/redis.conf
    # and restart redis, or leave REDIS_PASSWORD empty, otherwise the AUTH sent by JumpServer is likely to be rejected.
    (py3) [root@host  opt]# systemctl enable mariadb redis
    

    创建mariadb数据库

    # Generate a 24-character alphanumeric database password ($(...) is the modern form of the backticks).
    (py3) [root@host  opt]# DB_PASSWORD=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 24` 
    # The grant is scoped to 'jumpserver'@'127.0.0.1', which matches DB_HOST: 127.0.0.1 in config.yml below.
    # NOTE(review): the password is passed on the command line, so it is visible in `ps` while mysql runs and is
    # kept in root's shell history; DB_PASSWORD is only a shell variable (it is not saved to ~/.bashrc like
    # SECRET_KEY), so config.yml must be edited from this same shell session.
    (py3) [root@host  opt]# mysql -uroot -e "create database jumpserver default charset 'utf8'; grant all on jumpserver.* to 'jumpserver'@'127.0.0.1' identified by '$DB_PASSWORD'; flush privileges;"
    

    修改jumpserver配置文件

    # Create config.yml from the shipped example, then fill in the secrets with sed.
    (py3) [root@host opt]# cd /opt/jumpserver
    (py3) [root@host jumpserver]# cp config_example.yml config.yml
    
    # 49-character alphanumeric secret; because tr keeps only A-Za-z0-9, the value can never contain
    # `/` or `&` and so cannot break the sed expressions below.
    (py3) [root@host jumpserver]# SECRET_KEY=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 49`
    # NOTE(review): this stores the secret in clear text in root's ~/.bashrc (presumably so it survives a new
    # shell); config.yml is the copy the service reads, so the ~/.bashrc line can be removed afterwards.
    (py3) [root@host jumpserver]# echo "SECRET_KEY=$SECRET_KEY" >> ~/.bashrc
    
    # Same for the bootstrap token; koko's config.yml must receive exactly this value (the listing below shows
    # a shorter example token — only the fact that both sides carry the identical string matters).
    (py3) [root@host jumpserver]# BOOTSTRAP_TOKEN=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 49`
    (py3) [root@host jumpserver]# echo "BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN" >> ~/.bashrc
    
    (py3) [root@host jumpserver]# sed -i "s/SECRET_KEY:/SECRET_KEY: $SECRET_KEY/g" /opt/jumpserver/config.yml
    (py3) [root@host jumpserver]# sed -i "s/BOOTSTRAP_TOKEN:/BOOTSTRAP_TOKEN: $BOOTSTRAP_TOKEN/g" /opt/jumpserver/config.yml
    (py3) [root@host jumpserver]# sed -i "s/# DEBUG: true/DEBUG: false/g" /opt/jumpserver/config.yml
    (py3) [root@host jumpserver]# sed -i "s/# LOG_LEVEL: DEBUG/LOG_LEVEL: ERROR/g" /opt/jumpserver/config.yml
    (py3) [root@host jumpserver]# sed -i "s/# SESSION_EXPIRE_AT_BROWSER_CLOSE: false/SESSION_EXPIRE_AT_BROWSER_CLOSE: true/g" /opt/jumpserver/config.yml
    (py3) [root@host jumpserver]# 
    # DB_PASSWORD must still be set from the database step above (same shell).
    (py3) [root@host jumpserver]# sed -i "s/DB_PASSWORD: /DB_PASSWORD: $DB_PASSWORD/g" /opt/jumpserver/config.yml
    # config.yml now holds SECRET_KEY, BOOTSTRAP_TOKEN and DB_PASSWORD in clear text: restrict it, e.g.
    # `chmod 600 /opt/jumpserver/config.yml`.
    # NOTE(review): the range [a-Z] is locale-dependent and is rejected as an invalid range in the C locale;
    # `grep '^[A-Za-z]'` is the portable spelling. The listing also prints the secrets to the terminal.
    (py3) [root@host jumpserver]# grep '^[a-Z]' /opt/jumpserver/config.yml
    

    运行jumpserver

    # Start all components in the background (-d).
    (py3) [root@host jumpserver]# ./jms start all -d
    # The run script changed in newer versions: ./jms start|stop|status|restart all, with -d for background mode.
    # Browsing to ip:port now shows the login page; leave the service running and continue below.
    # NOTE(review): config.yml keeps HTTP_BIND_HOST: 0.0.0.0 (see the listing below) and firewalld is stopped,
    # so port 8080 is reachable from the network directly, bypassing nginx; nginx proxies to localhost:8080,
    # so HTTP_BIND_HOST: 127.0.0.1 is sufficient and keeps the application port off the network.
    

    配置文件说明

    # SECURITY WARNING: keep the secret key used in production secret!
    # 加密密钥, 生产环境中请修改为随机字符串, 请勿外泄, 可使用以下命令生成
    # cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 49;echo
    SECRET_KEY: W5Ic3fMXNZ0p5RIy5DhJYJllppTfcfkW8Yuf94VBMfpcssbfu
    
    # SECURITY WARNING: keep the bootstrap token used in production secret!
    # 预共享Token, coco和guacamole用来注册服务账号, 不再使用原来的注册接收机制
    BOOTSTRAP_TOKEN: zxffNymGjP79j6BN
    
    # Enable this in a development environment to display the full traceback when an error occurs; disable it in production
    # DEBUG 模式 开启DEBUG后遇到错误时可以看到更多日志
    DEBUG: false
    
    # DEBUG, INFO, WARNING, ERROR, CRITICAL can be set. See https://docs.djangoproject.com/en/1.10/topics/logging/
    # 日志级别
    LOG_LEVEL: ERROR
    # LOG_DIR:
    
    # Session expiration setting, default 24 hours; can also be set to expire on browser close
    # 浏览器Session过期时间,默认24小时, 也可以设置浏览器关闭则过期
    # SESSION_COOKIE_AGE: 86400
    SESSION_EXPIRE_AT_BROWSER_CLOSE: true
    
    # Database setting, Support sqlite3, mysql, postgres ....
    # 数据库设置
    # See https://docs.djangoproject.com/en/1.10/ref/settings/#databases
    
    # SQLite setting:
    # 使用单文件sqlite数据库
    # DB_ENGINE: sqlite3
    # DB_NAME:
    
    # MySQL or postgres setting like:
    # 使用Mysql作为数据库
    DB_ENGINE: mysql
    DB_HOST: 127.0.0.1
    DB_PORT: 3306
    DB_USER: jumpserver
    DB_PASSWORD: rBi41SrDqlX4zsx9e1L0cqTP
    DB_NAME: jumpserver
    
    # When Django start it will bind this host and port
    # ./manage.py runserver 127.0.0.1:8080
    # 运行时绑定端口
    HTTP_BIND_HOST: 0.0.0.0
    HTTP_LISTEN_PORT: 8080
    WS_LISTEN_PORT: 8070
    
    # Use Redis as broker for celery and web socket
    # Redis配置
    REDIS_HOST: 127.0.0.1
    REDIS_PORT: 6379
    REDIS_PASSWORD: ZhYnLrodpmPncovxJTnRyiBs
    # REDIS_DB_CELERY: 3
    # REDIS_DB_CACHE: 4
    
    # Use OpenID authorization
    # 使用OpenID 来进行认证设置
    # BASE_SITE_URL: http://localhost:8080
    # AUTH_OPENID: false  # True or False
    # AUTH_OPENID_SERVER_URL: https://openid-auth-server.com/
    # AUTH_OPENID_REALM_NAME: realm-name
    # AUTH_OPENID_CLIENT_ID: client-id
    # AUTH_OPENID_CLIENT_SECRET: client-secret
    # AUTH_OPENID_IGNORE_SSL_VERIFICATION: True
    # AUTH_OPENID_SHARE_SESSION: True
    
    # Use Radius authorization
    # 使用Radius来认证
    # AUTH_RADIUS: false
    # RADIUS_SERVER: localhost
    # RADIUS_PORT: 1812
    # RADIUS_SECRET:
    
    # CAS 配置
    # AUTH_CAS: False
    # CAS_SERVER_URL: "http://host/cas/"
    # CAS_ROOT_PROXIED_AS: 'http://jumpserver-host:port'
    # CAS_LOGOUT_COMPLETELY: True
    # CAS_VERSION: 3
    
    # LDAP/AD settings
    # LDAP 搜索分页数量
    # AUTH_LDAP_SEARCH_PAGED_SIZE: 1000
    #
    # 定时同步用户
    # 启用 / 禁用
    # AUTH_LDAP_SYNC_IS_PERIODIC: True
    # 同步间隔 (单位: 时) (优先)
    # AUTH_LDAP_SYNC_INTERVAL: 12
    # Crontab 表达式
    # AUTH_LDAP_SYNC_CRONTAB: * 6 * * *
    #
    # LDAP 用户登录时仅允许在用户列表中的用户执行 LDAP Server 认证
    # AUTH_LDAP_USER_LOGIN_ONLY_IN_USERS: False
    #
    # LDAP 认证时如果日志中出现以下信息将参数设置为 0 (详情参见:https://www.python-ldap.org/en/latest/faq.html)
    # In order to perform this operation a successful bind must be completed on the connection
    # AUTH_LDAP_OPTIONS_OPT_REFERRALS: -1
    
    # OTP settings
    # OTP/MFA 配置
    # OTP_VALID_WINDOW: 0
    # OTP_ISSUER_NAME: Jumpserver
    
    # Perm show single asset to ungrouped node
    # 是否把未授权节点资产放入到 未分组 节点中
    # PERM_SINGLE_ASSET_TO_UNGROUP_NODE: false
    #
    # 启用定时任务
    # PERIOD_TASK_ENABLE: True
    #
    # 启用二次复合认证配置
    # LOGIN_CONFIRM_ENABLE: False
    #
    # Windows 登录跳过手动输入密码
    WINDOWS_SKIP_ALL_MANUAL_PASSWORD: True
    

    安装koko(coco的改进版,使用go语言写的)

    下载koko组件

    # Fetch the koko 1.5.8 release archive (served over HTTPS, but not checksum- or signature-verified here;
    # compare against a published checksum, if the release provides one, before extracting).
    (py3)[root@host opt]# cd /opt 
    (py3)[root@host opt]# wget https://github.com/jumpserver/koko/releases/download/1.5.8/koko-master-linux-amd64.tar.gz
    (py3)[root@host opt]# tar -xf koko-master-linux-amd64.tar.gz 
    # The archive unpacks as kokodir; rename it so the /opt/koko path used below exists.
    (py3)[root@host opt]# mv kokodir koko
    (py3)[root@host opt]# chown -R root:root koko
    

    修改配置文件

    (py3)[root@host opt]# cd koko
    (py3)[root@host koko]# cp config_example.yml config.yml 
    # NOTE(review): the sed expression is in single quotes, so $BOOTSTRAP_TOKEN is NOT expanded and config.yml
    # ends up with the literal text `$BOOTSTRAP_TOKEN`; koko then cannot register with Jumpserver. Use double
    # quotes: `sed -i "s/BOOTSTRAP_TOKEN: <PleasgeChangeSameWithJumpserver>/BOOTSTRAP_TOKEN: $BOOTSTRAP_TOKEN/g" config.yml`
    # (and make sure BOOTSTRAP_TOKEN is set in this shell — it was saved to ~/.bashrc earlier).
    (py3) [root@host koko]# sed -i 's/BOOTSTRAP_TOKEN: <PleasgeChangeSameWithJumpserver>/BOOTSTRAP_TOKEN: $BOOTSTRAP_TOKEN/g' config.yml
    
    # NOTE(review): /opt/coco/config.yml is a leftover path from the older coco component; the file being
    # configured is /opt/koko/config.yml (the cwd). sed -i fails with "can't read" on the missing file and
    # LOG_LEVEL stays unchanged — point it at config.yml here. Like jumpserver's config.yml, this file now
    # contains the bootstrap token, so restrict it (`chmod 600 config.yml`).
    (py3) [root@host koko]#  sed -i "s/# LOG_LEVEL: INFO/LOG_LEVEL: ERROR/g" /opt/coco/config.yml
    # Start koko in the background (-d). It runs as root here; a dedicated unprivileged service user would
    # limit the impact of a compromise of the SSH/web gateway process.
    (py3) [root@host koko]# ./koko  -d
    

    koko配置文件说明

    # 项目名称, 会用来向Jumpserver注册, 识别而已, 不能重复
    # NAME: {{ Hostname }}
    
    # Jumpserver项目的url, api请求注册会使用
    CORE_HOST: http://127.0.0.1:8080
    
    # Bootstrap Token, 预共享密钥, 用来注册coco使用的service account和terminal
    # 请和jumpserver 配置文件中保持一致,注册完成后可以删除
    BOOTSTRAP_TOKEN: zxffNymGjP79j6BN
    
    # 启动时绑定的ip, 默认 0.0.0.0
    # BIND_HOST: 0.0.0.0
    
    # 监听的SSH端口号, 默认2222
    # SSHD_PORT: 2222
    
    # 监听的HTTP/WS端口号,默认5000
    # HTTPD_PORT: 5000
    
    # 项目使用的ACCESS KEY, 默认会注册,并保存到 ACCESS_KEY_STORE中,
    # 如果有需求, 可以写到配置文件中, 格式 access_key_id:access_key_secret
    # ACCESS_KEY: null
    
    # ACCESS KEY 保存的地址, 默认注册后会保存到该文件中
    # ACCESS_KEY_FILE: data/keys/.access_key
    
    # 设置日志级别 [DEBUG, INFO, WARN, ERROR, FATAL, CRITICAL]
    LOG_LEVEL: ERROR
    
    # SSH连接超时时间 (default 15 seconds)
    # SSH_TIMEOUT: 15
    
    # 语言 [en,zh]
    # LANG: zh
    
    # SFTP的根目录, 可选 /tmp, Home其他自定义目录
    # SFTP_ROOT: /tmp
    
    # SFTP是否显示隐藏文件
    # SFTP_SHOW_HIDDEN_FILE: false
    
    # 是否复用和用户后端资产已建立的连接(用户不会复用其他用户的连接)
    # REUSE_CONNECTION: true
    
    # 资产加载策略, 可根据资产规模自行调整. 默认异步加载资产, 异步搜索分页; 如果为all, 则资产全部加载, 本地搜索分页.
    # ASSET_LOAD_POLICY:
    
    # zip压缩的最大额度 (单位: M)
    # ZIP_MAX_SIZE: 1024M
    
    # zip压缩存放的临时目录 /tmp
    # ZIP_TMP_PATH: /tmp
    
    # 向 SSH Client 连接发送心跳的时间间隔 (单位: 秒),默认为30, 0则表示不发送
    # CLIENT_ALIVE_INTERVAL: 30
    
    # 向资产发送心跳包的重试次数,默认为3
    # RETRY_ALIVE_COUNT_MAX: 3
    
    # 会话共享使用的类型 [local, redis], 默认local
    SHARE_ROOM_TYPE: redis
    
    # Redis配置
    REDIS_HOST: 127.0.0.1
    REDIS_PORT: 6379
    REDIS_PASSWORD: ZhYnLrodpmPncovxJTnRyiBs
    # REDIS_CLUSTERS:
    REDIS_DB_ROOM: 6
    

    下载luna组件

    # Fetch the luna 1.5.8 front-end archive (HTTPS, but as with koko not checksum-verified here).
    (py3)[root@host opt]# cd /opt 
    (py3)[root@host opt]# wget https://github.com/jumpserver/luna/releases/download/1.5.8/luna.tar.gz
    
    (py3)[root@host opt]# tar -xf luna.tar.gz
    (py3)[root@host opt]# chown -R root:root luna
    

    配置nginx

    安装nginx

    (py3)[root@host opt]# yum install yum-utils -y
    # NOTE(review): the here-doc delimiter is unquoted, so the shell expands $releasever and $basearch while
    # writing the file; they are yum variables, not shell variables, and unless they happen to be set in this
    # shell they expand to nothing, leaving `baseurl=http://nginx.org/packages/centos///` and a repository yum
    # cannot resolve. Quote the delimiter (`cat > /etc/yum.repos.d/nginx.repo << 'EOF'`) so both placeholders
    # reach yum intact. gpgcheck=1 with the HTTPS-fetched key is what authenticates the packages, since the
    # baseurl itself is plain http.
    (py3)[root@host opt]# cat > /etc/yum.repos.d/nginx.repo << EOF
    [nginx-stable]
    name=nginx stable repo
    baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
    gpgcheck=1
    enabled=1
    gpgkey=https://nginx.org/keys/nginx_signing.key
    EOF
    
    (py3)[root@host opt]# yum makecache fast
    (py3)[root@host opt]# yum install -y nginx
    # Keep a backup of the stock server block, then remove the live copy so only jumpserver.conf is served
    # (rm -f is enough for a single file; -r is not needed).
    (py3)[root@host opt]# cp /etc/nginx/conf.d/default.conf{,.bak}
    (py3)[root@host opt]# rm -rf /etc/nginx/conf.d/default.conf
    (py3)[root@host opt]# systemctl enable nginx
    

    修改配置文件

    (py3)[root@host opt]# vim /etc/nginx/conf.d/jumpserver.conf  
    # Reverse proxy in front of jumpserver (8080/8070), koko (5000) and the luna static front-end.
    server {
        listen 80;
        # NOTE(review): plain HTTP only. Login credentials (admin/admin by default, see the test section) and
        # session cookies cross the network unencrypted; terminate TLS here (`listen 443 ssl;` plus
        # ssl_certificate / ssl_certificate_key) and redirect port 80 to it.
    
        client_max_body_size 100m;  # size limit for recording and file uploads
    
        location /luna/ {
            try_files $uri / /index.html;
            alias /opt/luna/;  # luna path; change this if the install directory differs
        }
    
        location /media/ {
            add_header Content-Encoding gzip;
            root /opt/jumpserver/data/;  # recording location; change this if the install directory differs
        }
    
        location /static/ {
            root /opt/jumpserver/data/;  # static assets; change this if the install directory differs
        }
    
        # 5000 is koko's default HTTPD_PORT (see the koko listing above).
        # NOTE(review): access_log off drops the only proxy-side record of web-terminal connections;
        # keep it on if nginx logs are part of the audit trail.
        location /koko/ {
            proxy_pass       http://localhost:5000;
            proxy_buffering off;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            access_log off;
        }
    
        # NOTE(review): nothing in this guide installs a guacamole component on 8081, so requests here fail
        # with a bad-gateway error until one exists; drop the block or install guacamole.
        location /guacamole/ {
            proxy_pass       http://localhost:8081/;
            proxy_buffering off;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $http_connection;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            access_log off;
        }
    
        # 8070 matches WS_LISTEN_PORT in jumpserver's config.yml.
        location /ws/ {
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_pass http://localhost:8070;
            proxy_http_version 1.1;
            proxy_buffering off;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
        }
    
        # 8080 matches HTTP_LISTEN_PORT; if HTTP_BIND_HOST is set to 127.0.0.1 instead of 0.0.0.0, this proxy
        # becomes the only network path to the application.
        location / {
            proxy_pass http://localhost:8080;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }
    

    运行nginx

    # nginx -t only validates the configuration; the restart then applies it (the unit was enabled earlier but not started).
    (py3)[root@host opt]# nginx -t
    (py3)[root@host opt]# systemctl restart nginx
    

    测试jumpserver功能

    1、检查web页面是否已经正常运行
    服务全部启动后, 访问 http://192.168.0.1(ip地址是你配置的那台机器的ip), 访问nginx代理的端口, 不要再通过8080端口访问
    默认账号: admin 密码: admin
    到Jumpserver 会话管理-终端管理 检查 Coco Guacamole 等应用的注册。
    
    2、测试连接
    如果登录客户端是 macOS 或 Linux, 登录语法如下
    $ ssh -p2222 admin@192.168.0.1
    $ sftp -P2222 admin@192.168.0.1
    密码: admin
    如果登录客户端是 Windows, Xshell Terminal 登录语法如下
    $ ssh admin@192.168.0.1 2222
    $ sftp admin@192.168.0.1 2222
    密码: admin
    如果能登录代表部署成功; 部署成功后请立即修改 admin 账号的默认密码
    # sftp默认上传的位置在资产的 /tmp 目录下
    # windows拖拽上传的位置在资产的 Guacamole RDP上的 G 目录下
    
  • 原文地址:https://www.cnblogs.com/wshlym/p/13159420.html