centos7 jumpserver-1.4.8 開源跳板機搭建以及升級

一、背景

此處安裝是1.4.8生產環境版本。

二、步驟

1.環境準備
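yum -y install epel-release

# Firewall: 80 (nginx), 443 (opened here, although the nginx server block in
# step 4 only listens on 80) and 2222 (the coco container, step 8). 3306 is
# limited to the 192.168.137.0/24 Jumpserver segment; change the CIDR to
# match your own network.
firewall-cmd --zone=public --add-port=80/tcp --permanent
firewall-cmd --zone=public --add-port=443/tcp --permanent
firewall-cmd --zone=public --add-port=2222/tcp --permanent
# Single quotes on the outside so the inner double quotes reach firewall-cmd
# intact; the original nested double quotes only held together because the
# shell happened to join the fragments into one word.
firewall-cmd --permanent \
  --add-rich-rule='rule family="ipv4" source address="192.168.137.0/24" port protocol="tcp" port="3306" accept'
firewall-cmd --reload

# Test environments only (author's note): stop firewalld outright instead of
# using the rules above. Use one of the two approaches, not both.
systemctl stop firewalld
systemctl status firewalld
systemctl disable firewalld

# Disable SELinux. setenforce 0 switches the running kernel to permissive;
# the sed makes it persistent across reboots (it assumes the current value
# in /etc/selinux/config is "enforcing").
setenforce 0
sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config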
2.安裝 nginx
# Install nginx, start it now and have it start at boot.
yum -y install nginx
systemctl start nginx
systemctl enable nginx
3.下載 luna
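cd /opt
# Fetch luna 1.4.8. The second URL is the author's fallback for when the
# GitHub download cannot complete; it is only tried if the first one fails
# (the original ran both unconditionally, leaving a second luna.tar.gz.1).
wget -O luna.tar.gz https://github.com/jumpserver/luna/releases/download/1.4.8/luna.tar.gz \
  || wget -O luna.tar.gz https://demo.jumpserver.org/download/luna/1.4.8/luna.tar.gz
tar xf luna.tar.gz
chown -R root:root luna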
4.配置 Nginx
# Open the main nginx configuration and add the server { } block shown below
# (it belongs inside the http { } context).
vim /etc/nginx/nginx.conf

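server {
    server_name jumpserver.xxx.com;   # replace with the real host name
    listen 80;
    # NOTE(review): only plain HTTP is served here although 443 was opened in
    # the firewall step; jump-host logins and session traffic should sit
    # behind a `listen 443 ssl;` server with ssl_certificate/ssl_certificate_key.
    client_max_body_size 100m;  # upload limit for recordings and files
    # These log paths must exist; the CentOS nginx package logs to
    # /var/log/nginx by default.
    access_log /etc/nginx/logs/jumpserver_access.log;
    error_log /etc/nginx/logs/jumpserver_error.log;

    location /luna/ {
        try_files $uri / /index.html;
        alias /opt/luna/;  # luna path; change it if the install dir changes
    }
    location /media/ {
        add_header Content-Encoding gzip;
        root /opt/jumpserver/data/;  # session recordings; change with the install dir
    }

    location /static/ {
        root /opt/jumpserver/data/;  # static assets; change with the install dir
    }

    # WebSocket endpoint proxied to the coco container (port 5000, step 8).
    # Upgrade/Connection were set twice in the original; once is enough.
    location /socket.io/ {
        proxy_pass       http://localhost:5000/socket.io/;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    location /coco/ {
        proxy_pass       http://localhost:5000/coco/;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    # guacamole container (port 8081, step 9).
    location /guacamole/ {
        proxy_pass       http://localhost:8081/;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    location /ws/ {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://localhost:8070;
        proxy_http_version 1.1;
        proxy_buffering off;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

    # Jumpserver core (./jms, port 8080).
    location / {
        proxy_pass http://localhost:8080;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}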

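# Reload only if the configuration test passes; the original reloaded
# unconditionally, so a broken config just produced an error after the test.
nginx -t && nginx -s reload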
5.數據庫部署
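# MySQL 5.7 from the MySQL community repository.
wget http://dev.mysql.com/get/mysql57-community-release-el7-8.noarch.rpm
yum localinstall mysql57-community-release-el7-8.noarch.rpm -y
yum install mysql-community-server -y

systemctl start mysqld
systemctl status mysqld
systemctl enable mysqld
systemctl daemon-reload

# The installer generates a temporary root password and logs it, e.g.:
# 2019-10-25T05:41:20.101126Z 1 [Note] A temporary password is generated for root@localhost: lHzzD1C(CdRs
grep 'temporary password' /var/log/mysqld.log

# Log in with the temporary password. Use -p without a value so the client
# prompts for it: a password passed as -p<password> ends up in shell history
# and in `ps` output, and unquoted characters such as '(' are shell syntax
# (the original `mysql -uroot -plHzzD1C(CdRs` is a bash syntax error).
mysql -uroot -p

# The generated password is long and random, so the author relaxes the
# policy. Edit /etc/my.cnf and add under [mysqld]:
#   validate_password_policy=0   (LOW: letters or digits are enough)
# This weakens the password check for every MySQL account, not just root.
vim /etc/my.cnf

systemctl restart mysqld
systemctl status mysqld

# Log in again (temporary password at the prompt) and set the new root
# password at the mysql> prompt; the author's example value is
# c4xRVCY2uECX1XAqcJyQy:
#   ALTER USER 'root'@'localhost' IDENTIFIED BY 'c4xRVCY2uECX1XAqcJyQy';
mysql -uroot -p

# Password for the jumpserver database user (the author reuses the root
# password; a separate one is preferable). Read silently so it stays out of
# shell history; the same variable fills DB_PASSWORD in config.yml later.
# Avoid ' / & in it: it is spliced into SQL and sed expressions verbatim.
read -rs -p 'jumpserver DB password: ' DB_PASSWORD; echo
# SQL goes in via stdin rather than -e so the password never appears on the
# command line; the root password is asked for at the -p prompt.
mysql -uroot -p <<SQL
create database jumpserver default charset 'utf8';
grant all on jumpserver.* to 'jumpserver'@'127.0.0.1' identified by '$DB_PASSWORD';
flush privileges;
SQL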

#到此數據庫部署完畢
6.部署 redis
# Install Redis and have it start at boot, then start it now.
yum -y install redis
systemctl enable redis
systemctl start redis
7.安裝python3,此處給大家準備了腳本,複製直接執行就好
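#!/bin/bash
# Build Python 3.6.2 from source into /usr/local/python3 and expose
# python3/pip3 under /usr/bin. Run as root on CentOS 7.
set -euo pipefail

readonly python3_dir="/usr/local/python3"
readonly python_version="3.6.2"
download_dir=$(pwd)

# Build dependencies.
yum -y groupinstall "Development tools"
yum -y install zlib-devel bzip2-devel openssl-devel ncurses-devel sqlite-devel readline-devel tk-devel gdbm-devel db4-devel libpcap-devel xz-devel wget

# -d, not -f: the target is a directory. The original -f test is never true
# for a directory, so mkdir ran (and failed) on every rerun.
if [ ! -d "$python3_dir" ]; then
  echo "$(date): creating python3 directory: $python3_dir"
  mkdir -p "$python3_dir"
fi

# Fetch and build. With set -e each step must succeed before the next runs;
# the original let make/make install run even when configure (or the cd
# before it) had failed.
cd "$download_dir"
wget "https://www.python.org/ftp/python/${python_version}/Python-${python_version}.tar.xz"
# NOTE(review): the tarball is not verified; check it against the checksum
# or signature published on python.org before building on a production host.
tar -xvJf "Python-${python_version}.tar.xz"
cd "Python-${python_version}"
./configure --prefix="$python3_dir"
make
make install

# Symlinks; -f lets the script be rerun without "File exists" errors.
ln -sf "${python3_dir}/bin/python3" /usr/bin/python3
ln -sf "${python3_dir}/bin/pip3" /usr/bin/pip3

# Smoke test.
python3 -V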
7.部署jumpserver
yum -y install gcc epel-release git

# 配置 py3 虛擬環境
python3 -m venv /opt/py3
source /opt/py3/bin/activate

cd /opt
git clone --depth=1 https://github.com/jumpserver/jumpserver.git
git checkout -b 1.4.8

#安裝依賴
yum -y install $(cat /opt/jumpserver/requirements/rpm_requirements.txt)
pip3 install --upgrade pip setuptools
pip3 install -r /opt/jumpserver/requirements/requirements.txt

# 修改 jumpserver 配置文件
cd /opt/jumpserver
cp config_example.yml config.yml
SECRET_KEY=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 50` 
BOOTSTRAP_TOKEN=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 16`
sed -i "s/SECRET_KEY:/SECRET_KEY: $SECRET_KEY/g" /opt/jumpserver/config.yml
sed -i "s/BOOTSTRAP_TOKEN:/BOOTSTRAP_TOKEN: $BOOTSTRAP_TOKEN/g" /opt/jumpserver/config.yml
sed -i "s/# DEBUG: true/DEBUG: false/g" /opt/jumpserver/config.yml
sed -i "s/# SESSION_EXPIRE_AT_BROWSER_CLOSE: false/SESSION_EXPIRE_AT_BROWSER_CLOSE: true/g" /opt/jumpserver/config.yml
sed -i "s/DB_PASSWORD: /DB_PASSWORD: $DB_PASSWORD/g" /opt/jumpserver/config.yml

#檢查配置文件

## 運行 Jumpserver
cd /opt/jumpserver
./jms start -d  # 後臺運行使用 -d 
8.coco部署
# 安裝 docker
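# Docker CE from the Aliyun mirror of the docker-ce repository.
yum install -y yum-utils device-mapper-persistent-data lvm2
yum-config-manager --add-repo http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
yum makecache fast
yum -y install docker-ce
# Registry-mirror helper. The original piped the remote script straight into
# sh; download it first so it can be read before anything runs as root.
curl -sSL -o set_mirror.sh https://get.daocloud.io/daotools/set_mirror.sh
# (inspect set_mirror.sh here)
sh set_mirror.sh http://f1361db2.m.daocloud.io
systemctl enable docker
systemctl start docker

# coco: replace "ip" with an address of the Jumpserver core that is reachable
# from inside the container (127.0.0.1 there is the container itself).
# BOOTSTRAP_TOKEN must be the value written to config.yml; stop if unset.
# Anything passed with -e is readable via `docker inspect` by anyone who can
# reach the docker socket.
: "${BOOTSTRAP_TOKEN:?set BOOTSTRAP_TOKEN to the value in /opt/jumpserver/config.yml}"
docker run --name jms_coco -d \
  -p 2222:2222 \
  -p 5000:5000 \
  -e CORE_HOST=http://ip:8080 \
  -e BOOTSTRAP_TOKEN="$BOOTSTRAP_TOKEN" \
  jumpserver/jms_coco:1.4.8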
9.guacamole 部署
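# guacamole: same conventions as coco — "ip" is the core address reachable
# from the container, BOOTSTRAP_TOKEN must match config.yml. The original
# had no space before the trailing backslash on the BOOTSTRAP_TOKEN line;
# it only parsed because the following line was indented.
: "${BOOTSTRAP_TOKEN:?set BOOTSTRAP_TOKEN to the value in /opt/jumpserver/config.yml}"
docker run --name jms_guacamole -d \
  -p 8081:8081 \
  -e JUMPSERVER_KEY_DIR=/config/guacamole/key \
  -e JUMPSERVER_SERVER=http://ip:8080 \
  -e BOOTSTRAP_TOKEN="$BOOTSTRAP_TOKEN" \
  jumpserver/jms_guacamole:1.4.8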
10.以上,1.4.8版本jumpserver已部署完畢。接下來升級到1.5.2。
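# Stop the running 1.4.8 core before switching code.
cd /opt/jumpserver
source /opt/py3/bin/activate
./jms stop
# Check out the 1.5.2 release tag. The original `git checkout -b 1.5.2` only
# created a local branch with that name on the current commit; the tag has
# to be fetched (the clone was shallow) and then checked out.
git fetch --depth=1 origin tag 1.5.2
git checkout 1.5.2
pip3 install -r requirements/requirements.txt

# Luna 1.5.2. The second URL is the author's fallback mirror and is only
# tried if the GitHub download fails.
cd /opt
rm -rf luna luna.tar.gz
wget -O luna.tar.gz https://github.com/jumpserver/luna/releases/download/1.5.2/luna.tar.gz \
  || wget -O luna.tar.gz https://demo.jumpserver.org/download/luna/1.5.2/luna.tar.gz
tar xf luna.tar.gz
chown -R root:root luna
# Clear the browser cache afterwards, or the old luna assets keep showing.

# koko replaces the coco container from step 8; the tarball unpacks to kokodir.
cd /opt
wget -O koko-v52-1e1f1a8-linux-amd64.tar.gz https://github.com/jumpserver/koko/releases/download/1.5.2/koko-v52-1e1f1a8-linux-amd64.tar.gz \
  || wget -O koko-v52-1e1f1a8-linux-amd64.tar.gz https://demo.jumpserver.org/download/koko/1.5.2/koko-v52-1e1f1a8-linux-amd64.tar.gz
tar xf koko-v52-1e1f1a8-linux-amd64.tar.gz
chown -R root:root kokodir
cd kokodir
cp config_example.yml config.yml
# BOOTSTRAP_TOKEN must be the value in /opt/jumpserver/config.yml; in a fresh
# shell it is no longer set, so stop here instead of writing an empty token.
: "${BOOTSTRAP_TOKEN:?set BOOTSTRAP_TOKEN to the value in /opt/jumpserver/config.yml}"
sed -i "s/BOOTSTRAP_TOKEN: <PleasgeChangeSameWithJumpserver>/BOOTSTRAP_TOKEN: $BOOTSTRAP_TOKEN/g" /opt/kokodir/config.yml
sed -i "s/# LOG_LEVEL: INFO/LOG_LEVEL: ERROR/g" /opt/kokodir/config.yml

# Review config.yml, then start koko. NOTE(review): the jms_coco container
# from step 8 still holds ports 2222/5000; if koko binds the same ports it
# must be stopped first (`docker stop jms_coco`) — the page does not cover
# this, verify in your setup.
./koko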
2019-10-25 15:16:54 [ERRO] POST http://127.0.0.1:8080/api/terminal/v2/terminal-registrations/ failed, get code: 400, {"name":["名稱重複"]}
2019-10-25 15:16:54 [ERRO] register access key failed

#啓動報以上錯誤,到jumpserver後臺 終端管理刪除服務器即可。


11.具體可查看https://docs.jumpserver.org

三、問題總結
