centos7 jumpserver-1.4.8 开源跳板机搭建以及升级

一、背景

此处安装是1.4.8生产环境版本。

二、步骤

1.环境准备
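yum -y install epel-release

# Firewall: open 80 (http), 443 (https) and 2222 (the coco/koko SSH endpoint).
firewall-cmd --zone=public --add-port=80/tcp --permanent
firewall-cmd --zone=public --add-port=443/tcp --permanent
firewall-cmd --zone=public --add-port=2222/tcp --permanent
# 192.168.137.0/24 is the whole Jumpserver network segment in this article;
# adjust it to your own environment. Single quotes around the rule keep the
# inner double quotes intact for firewalld; with the nested double quotes of
# the original, the shell strips them before firewalld ever sees the rule.
# NOTE(review): MySQL is installed on this same host in step 5 and the
# application user is granted only from 127.0.0.1, so 3306 does not need to be
# reachable from the segment at all; drop this rule unless another host uses the DB.
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.137.0/24" port protocol="tcp" port="3306" accept'
firewall-cmd --reload

# Test environments only (the article's own caveat): stop and disable the
# firewall entirely. The rules above are then irrelevant.
systemctl stop firewalld
systemctl status firewalld
systemctl disable firewalld

# SELinux: setenforce 0 takes effect immediately, the sed makes it persist
# across reboots. Permissive keeps the audit log of what would have been
# denied; disabled switches the subsystem off completely.
setenforce 0
sed -i "s/SELINUX=enforcing/SELINUX=disabled/g" /etc/selinux/config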
2.安装 nginx
# Install nginx from the base repositories, register it for boot, then start it.
yum -y install nginx
systemctl enable nginx
systemctl start nginx
3.下载 luna
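# Download the luna front-end release that matches the core version (1.4.8).
cd /opt
# Both URLs serve the same archive; the mirror is only a fallback when GitHub
# is unreachable. Running both unconditionally, as the article does, leaves a
# second copy named luna.tar.gz.1 that is never unpacked.
wget -O luna.tar.gz https://github.com/jumpserver/luna/releases/download/1.4.8/luna.tar.gz \
  || wget -O luna.tar.gz https://demo.jumpserver.org/download/luna/1.4.8/luna.tar.gz
# NOTE(review): no checksum is published on this page; if your process keeps
# one, verify the archive before unpacking it:
#   echo '<EXPECTED_SHA256>  luna.tar.gz' | sha256sum -c -
tar xf luna.tar.gz
chown -R root:root luna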
4.配置 Nginx
vim /etc/nginx/nginx.conf

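server {
    server_name jumpserver.xxx.com;
    # Plain HTTP only. Step 1 opens 443 in the firewall, but nothing listens
    # there until a `listen 443 ssl;` server with a certificate is added, so
    # logins, session cookies and terminal traffic cross the network in clear.
    listen 80;
    client_max_body_size 100m;  # size limit for recordings and file uploads
    access_log /etc/nginx/logs/jumpserver_access.log;
    error_log /etc/nginx/logs/jumpserver_error.log;

    location /luna/ {
        try_files $uri / /index.html;
        alias /opt/luna/;  # luna path; change it if the install directory changes
    }
    location /media/ {
        add_header Content-Encoding gzip;
        root /opt/jumpserver/data/;  # session recordings; follows the install directory
    }

    location /static/ {
        root /opt/jumpserver/data/;  # static assets; follows the install directory
    }

    # coco web terminal over websocket: HTTP/1.1 plus the Upgrade/Connection
    # headers are what make the upgrade work (the original set them twice).
    location /socket.io/ {
        proxy_pass       http://localhost:5000/socket.io/;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    location /coco/ {
        proxy_pass       http://localhost:5000/coco/;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    # guacamole (RDP/VNC); here Connection is passed through from the client
    # rather than forced to "upgrade", as in the original.
    location /guacamole/ {
        proxy_pass       http://localhost:8081/;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    # websocket endpoint on 8070, kept from the original; confirm which
    # component listens there in the version you deploy.
    location /ws/ {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://localhost:8070;
        proxy_http_version 1.1;
        proxy_buffering off;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

    # Everything else goes to the jumpserver core on 8080.
    location / {
        proxy_pass http://localhost:8080;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}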

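# Validate the configuration first and only reload the running nginx when it passes.
nginx -t && nginx -s reload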
5.数据库部署
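# MySQL 5.7 from the official community repository. Fetch the repo RPM over
# https so it cannot be altered in transit, and confirm gpgcheck is enabled in
# the repo file it installs before pulling the server package.
wget https://dev.mysql.com/get/mysql57-community-release-el7-8.noarch.rpm
yum -y localinstall mysql57-community-release-el7-8.noarch.rpm
yum -y install mysql-community-server

systemctl start mysqld
systemctl status mysqld
systemctl enable mysqld
systemctl daemon-reload

# The first start generates a temporary root password and writes it to the log.
grep 'temporary password' /var/log/mysqld.log
# e.g. 2019-10-25T05:41:20.101126Z 1 [Note] A temporary password is generated for root@localhost: lHzzD1C(CdRs

# Log in and let the client prompt for the password. The article passes it as
# -plHzzD1C(CdRs: that puts the password into shell history and `ps` output,
# and the unquoted '(' is a shell syntax error anyway.
mysql -uroot -p

# The generated password is long and random; the article relaxes the policy so
# a simpler one can be chosen. Add under [mysqld] in /etc/my.cnf:
#   validate_password_policy=0   # LOW: only the length is checked
# NOTE(review): this applies to every account on the server, not just root.
vim /etc/my.cnf

systemctl restart mysqld
systemctl status mysqld

# Set the new root password (the client prompts for the temporary one).
# 'c4xRVCY2uECX1XAqcJyQy' is the article's example value — use your own.
mysql -uroot -p <<'SQL'
ALTER USER 'root'@'localhost' IDENTIFIED BY 'c4xRVCY2uECX1XAqcJyQy';
SQL

# Application database and user. The article reused the root password for the
# jumpserver user; give it its own. Alphanumeric output keeps it safe inside
# the GRANT below and inside the sed in step 7 (which uses '/' as delimiter).
# Step 7 reads DB_PASSWORD from this shell, so keep the session or record the value.
DB_PASSWORD=$(tr -dc A-Za-z0-9 </dev/urandom | head -c 24)
# The root password is prompted for rather than passed in argv.
mysql -uroot -p -e "create database jumpserver default charset 'utf8'; grant all on jumpserver.* to 'jumpserver'@'127.0.0.1' identified by '$DB_PASSWORD'; flush privileges;"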

#到此数据库部署完毕
6.部署 redis
# Redis comes from EPEL (enabled in step 1): install, register for boot, start.
# NOTE(review): confirm the redis config binds 127.0.0.1 only — the core on this
# host is the sole client, and redis has no authentication unless requirepass is set.
yum -y install redis
systemctl enable redis
systemctl start redis
7.安装python3,此处给大家准备了脚本,复制直接执行就好
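#!/bin/bash
# Build Python 3.6.2 from source into a private prefix and link the binaries
# into /usr/bin. Runs yum/wget/make, so it needs root and network access.
set -euo pipefail

python3_dir="/usr/local/python3"
download_dir=$(pwd)

# Build dependencies
yum -y groupinstall "Development tools"
yum -y install zlib-devel bzip2-devel openssl-devel ncurses-devel sqlite-devel readline-devel tk-devel gdbm-devel db4-devel libpcap-devel xz-devel wget

# -d, not -f: the prefix is a directory. -f only matches regular files, so on a
# re-run the existing directory failed the test and mkdir errored out.
if [ ! -d "$python3_dir" ]; then
  echo "$(date): 新建python3目录: $python3_dir"
  mkdir -p "$python3_dir"
fi

# Fetch and build. python.org is reached over https; if you keep a known
# checksum for the tarball, verify it before extracting:
#   echo '<EXPECTED_SHA256>  Python-3.6.2.tar.xz' | sha256sum -c -
cd "$download_dir"
wget https://www.python.org/ftp/python/3.6.2/Python-3.6.2.tar.xz
tar -xvJf Python-3.6.2.tar.xz
cd Python-3.6.2
./configure --prefix="$python3_dir"
make && make install

# Symlinks into the default PATH; -f so a re-run does not fail on existing links.
ln -sf "$python3_dir/bin/python3" /usr/bin/python3
ln -sf "$python3_dir/bin/pip3" /usr/bin/pip3

# Smoke test
python3 -V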
7.部署jumpserver
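yum -y install gcc epel-release git

# Python 3 virtualenv for jumpserver
python3 -m venv /opt/py3
source /opt/py3/bin/activate

cd /opt
# Check out the release tag at clone time. The article's `git checkout -b 1.4.8`
# ran outside the repository (cwd is /opt) and, even inside it, -b only creates
# a *new* branch named 1.4.8 from whatever HEAD the shallow clone fetched — it
# does not select the 1.4.8 release.
git clone --depth=1 --branch 1.4.8 https://github.com/jumpserver/jumpserver.git

# Dependencies (the rpm list is deliberately word-split into separate packages)
yum -y install $(cat /opt/jumpserver/requirements/rpm_requirements.txt)
pip3 install --upgrade pip setuptools
pip3 install -r /opt/jumpserver/requirements/requirements.txt

# jumpserver configuration
cd /opt/jumpserver
cp config_example.yml config.yml
# Alphanumeric only, so the values are safe inside the sed patterns below
# (no '/' or '&'). BOOTSTRAP_TOKEN is reused by the coco and guacamole
# containers in steps 8/9 and by koko in step 10 — keep this shell session.
SECRET_KEY=$(tr -dc A-Za-z0-9 </dev/urandom | head -c 50)
BOOTSTRAP_TOKEN=$(tr -dc A-Za-z0-9 </dev/urandom | head -c 16)
sed -i "s/SECRET_KEY:/SECRET_KEY: $SECRET_KEY/g" /opt/jumpserver/config.yml
sed -i "s/BOOTSTRAP_TOKEN:/BOOTSTRAP_TOKEN: $BOOTSTRAP_TOKEN/g" /opt/jumpserver/config.yml
sed -i "s/# DEBUG: true/DEBUG: false/g" /opt/jumpserver/config.yml
sed -i "s/# SESSION_EXPIRE_AT_BROWSER_CLOSE: false/SESSION_EXPIRE_AT_BROWSER_CLOSE: true/g" /opt/jumpserver/config.yml
# DB_PASSWORD comes from step 5 and must be the jumpserver DB user's password;
# fail early instead of writing an empty value into the config.
: "${DB_PASSWORD:?set DB_PASSWORD to the jumpserver database password first}"
sed -i "s/DB_PASSWORD: /DB_PASSWORD: $DB_PASSWORD/g" /opt/jumpserver/config.yml

# Check the configuration file: it now holds the secret key, the bootstrap
# token and the DB password, so restrict who can read it.
chmod 600 /opt/jumpserver/config.yml

# Run jumpserver (-d: in the background)
cd /opt/jumpserver
./jms start -d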
8.coco部署
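# Install docker CE from the aliyun mirror repository (over https, so the repo
# definition cannot be altered in transit).
yum -y install yum-utils device-mapper-persistent-data lvm2
yum-config-manager --add-repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
yum makecache fast
yum -y install docker-ce
# Registry mirror helper from daocloud. The article pipes it straight into sh;
# download it first so it can be read before it runs with root privileges.
curl -fsSL -o set_mirror.sh https://get.daocloud.io/daotools/set_mirror.sh
# inspect set_mirror.sh before running it
sh set_mirror.sh http://f1361db2.m.daocloud.io
systemctl enable docker
systemctl start docker

# coco (SSH / web terminal). 2222 is the port users ssh to and stays public;
# 5000 is consumed only by the nginx proxy on this host, so bind it to
# loopback. Docker publishes ports through its own iptables rules, so the
# firewalld rules from step 1 typically do not restrict a 0.0.0.0 binding.
# Replace `ip` with the address at which the container reaches the core —
# the host's address, not localhost (inside the container that is the container).
docker run --name jms_coco -d \
    -p 2222:2222 \
    -p 127.0.0.1:5000:5000 \
    -e CORE_HOST=http://ip:8080 \
    -e BOOTSTRAP_TOKEN="$BOOTSTRAP_TOKEN" \
    jumpserver/jms_coco:1.4.8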
9.guacamole 部署
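# guacamole (RDP / VNC). 8081 is reached only through the nginx /guacamole/
# proxy on this host, so bind it to loopback. Note the space before the
# trailing backslash on the BOOTSTRAP_TOKEN line: the article's `...TOKEN\`
# only works by accident of line-continuation parsing.
docker run --name jms_guacamole -d \
    -p 127.0.0.1:8081:8081 \
    -e JUMPSERVER_KEY_DIR=/config/guacamole/key \
    -e JUMPSERVER_SERVER=http://ip:8080 \
    -e BOOTSTRAP_TOKEN="$BOOTSTRAP_TOKEN" \
    jumpserver/jms_guacamole:1.4.8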
10.以上,1.4.8版本jumpserver已部署完毕。接下来升级到1.5.2。
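# Upgrade the core to 1.5.2: stop it, fetch the release tag, update dependencies.
# Take a database dump and a copy of config.yml first so the step can be rolled back.
cd /opt/jumpserver
source /opt/py3/bin/activate
./jms stop
# `git checkout -b 1.5.2` only creates a new local branch named 1.5.2 at the
# current commit; fetch the release tag and check that out instead.
git fetch --depth=1 origin tag 1.5.2
git checkout 1.5.2
pip3 install -r requirements/requirements.txt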

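# Replace luna with the 1.5.2 release.
cd /opt
rm -rf luna luna.tar.gz
# The mirror is only a fallback; running both downloads unconditionally leaves
# a stray luna.tar.gz.1 behind.
wget -O luna.tar.gz https://github.com/jumpserver/luna/releases/download/1.5.2/luna.tar.gz \
  || wget -O luna.tar.gz https://demo.jumpserver.org/download/luna/1.5.2/luna.tar.gz
tar xf luna.tar.gz
chown -R root:root luna
# Clear the browser cache afterwards so the old luna assets are not served from it.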

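# koko replaces the coco container from step 8 in 1.5.2.
cd /opt
wget -O koko-v52-1e1f1a8-linux-amd64.tar.gz https://github.com/jumpserver/koko/releases/download/1.5.2/koko-v52-1e1f1a8-linux-amd64.tar.gz \
  || wget -O koko-v52-1e1f1a8-linux-amd64.tar.gz https://demo.jumpserver.org/download/koko/1.5.2/koko-v52-1e1f1a8-linux-amd64.tar.gz
tar xf koko-v52-1e1f1a8-linux-amd64.tar.gz
# The archive is assumed to unpack into kokodir, as in the article; confirm with `tar tf`.
chown -R root:root kokodir
cd kokodir
cp config_example.yml config.yml
# BOOTSTRAP_TOKEN must be the value written into /opt/jumpserver/config.yml in
# step 7; if this is a new shell, read it back from there before continuing.
: "${BOOTSTRAP_TOKEN:?BOOTSTRAP_TOKEN not set; reuse the value from /opt/jumpserver/config.yml}"
sed -i "s/BOOTSTRAP_TOKEN: <PleasgeChangeSameWithJumpserver>/BOOTSTRAP_TOKEN: $BOOTSTRAP_TOKEN/g" /opt/kokodir/config.yml
sed -i "s/# LOG_LEVEL: INFO/LOG_LEVEL: ERROR/g" /opt/kokodir/config.yml

# Check the configuration file: it now holds the bootstrap token, so restrict who can read it.
chmod 600 /opt/kokodir/config.yml

# Runs in the foreground; for a persistent service wrap it in a systemd unit.
./koko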
2019-10-25 15:16:54 [ERRO] POST http://127.0.0.1:8080/api/terminal/v2/terminal-registrations/ failed, get code: 400, {"name":["名称重复"]}
2019-10-25 15:16:54 [ERRO] register access key failed

#启动报以上错误,到jumpserver后台 终端管理删除服务器即可。


11.具体可查看https://docs.jumpserver.org

三、问题总结
