文章目錄
組件介紹
組件部署
1. 環境要求
硬件配置: 2個CPU核心, 4G 內存, 50G 硬盤(最低)
操作系統: Linux 發行版 x86_64
其他配置: 關閉SELinux 與 防火牆 (生產環境需要謹慎開啓)
setenforce 0
sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config
systemctl status firewalld.service
systemctl start firewalld.service
systemctl stop firewalld.service
systemctl disable firewalld.service
2. 系統環境更新
yum -y update
3. 環境依賴包
yum -y install wget gcc epel-release git gcc krb5-devel libtiff-devel libjpeg-devel libzip-devel freetype-devel libwebp-devel tcl-devel tk-devel sshpass openldap-devel mariadb-devel libffi-devel openssh-clients telnet openldap-clients docker
4. 安裝Python、Mysql、Redis、Nginx組件
yum -y install python3.6 python36-devel mariadb mariadb-server.x86_64 redis nginx
5. Redis設置
systemctl enable redis
systemctl start redis
6. Mysql設置
systemctl enable mariadb
systemctl start mariadb
DB_PASSWORD=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 24`
echo -e "\033[31m 你的數據庫密碼是 $DB_PASSWORD \033[0m"
mysql -uroot -e "create database jumpserver default charset 'utf8' collate 'utf8_bin'; grant all on jumpserver.* to 'jumpserver'@'127.0.0.1' identified by '$DB_PASSWORD'; flush privileges;"
默認root密碼是空,如下是密碼修改方法:
mysqladmin -u root -p password ericzhong
7. Python虛擬環境配置
cd /opt
python3.6 -m venv py3
source /opt/py3/bin/activate
每次操作 jumpserver 都需要先載入 py3 虛擬環境
8. JumpServer部署
- 下載程序與部署
cd /opt && \
wget -O jumpserver.tar.gz https://github.com/jumpserver/jumpserver/archive/2.0.0.tar.gz
tar xf jumpserver.tar.gz
mv jumpserver-2.0.0 jumpserver
- 安裝編譯環境依賴
yum install -y $(cat rpm_requirements.txt)
pip install wheel -i https://mirrors.aliyun.com/pypi/simple/
pip install --upgrade pip setuptools -i https://mirrors.aliyun.com/pypi/simple/
pip install -r requirements.txt -i https://mirrors.aliyun.com/pypi/simple/
- 配置修改
cd /opt/jumpserver/
cp config_example.yml config.yml
SECRET_KEY=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 50`
echo "SECRET_KEY=$SECRET_KEY" >> ~/.bashrc
BOOTSTRAP_TOKEN=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 16`
echo "BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN" >> ~/.bashrc
sed -i "s/SECRET_KEY:/SECRET_KEY: $SECRET_KEY/g" /opt/jumpserver/config.yml
sed -i "s/BOOTSTRAP_TOKEN:/BOOTSTRAP_TOKEN: $BOOTSTRAP_TOKEN/g" /opt/jumpserver/config.yml
sed -i "s/# DEBUG: true/DEBUG: false/g" /opt/jumpserver/config.yml
sed -i "s/# LOG_LEVEL: DEBUG/LOG_LEVEL: ERROR/g" /opt/jumpserver/config.yml
sed -i "s/# SESSION_EXPIRE_AT_BROWSER_CLOSE: false/SESSION_EXPIRE_AT_BROWSER_CLOSE: true/g" /opt/jumpserver/config.yml
sed -i "s/DB_PASSWORD: /DB_PASSWORD: $DB_PASSWORD/g" /opt/jumpserver/config.yml
echo -e "\033[31m 你的SECRET_KEY是 $SECRET_KEY \033[0m"
echo -e "\033[31m 你的BOOTSTRAP_TOKEN是 $BOOTSTRAP_TOKEN \033[0m"
- 啓動程序
cd /opt/jumpserver/
./jms start -d
日誌輸出:
(py3) [root@jumpserver01 jumpserver]# ./jms start -d
2020-06-23 14:13:41 Tue Jun 23 14:13:41 2020
2020-06-23 14:13:41 Jumpserver version 2.0.0, more see https://www.jumpserver.org
- Start Gunicorn WSGI HTTP Server
2020-06-23 14:13:41 Check database connection ...
users
[ ] 0001_initial
[ ] 0002_auto_20171225_1157_squashed_0019_auto_20190304_1459 (18 squashed migrations)
[ ] 0020_auto_20190612_1825
[ ] 0021_auto_20190625_1104
[ ] 0022_auto_20190625_1105
[ ] 0023_auto_20190724_1525
[ ] 0024_auto_20191118_1612
[ ] 0025_auto_20200206_1216
[ ] 0026_auto_20200508_2105
[ ] 0027_auto_20200616_1503
2020-06-23 14:13:48 Database connect success
2020-06-23 14:13:48 Check database structure change ...
2020-06-23 14:13:48 Migrate model change to database ...
Operations to perform:
Apply all migrations: admin, applications, assets, audits, auth, authentication, captcha, common, contenttypes, django_cas_ng, django_celery_beat, jms_oidc_rp, ops, orgs, perms, sessions, settings, terminal, tickets, users
Running migrations:
Applying contenttypes.0001_initial... OK
Applying contenttypes.0002_remove_content_type_name... OK
Applying auth.0001_initial... OK
Applying auth.0002_alter_permission_name_max_length... OK
Applying auth.0003_alter_user_email_max_length... OK
Applying auth.0004_alter_user_username_opts... OK
Applying auth.0005_alter_user_last_login_null... OK
Applying auth.0006_require_contenttypes_0002... OK
Applying auth.0007_alter_validators_add_error_messages... OK
Applying auth.0008_alter_user_username_max_length... OK
Applying users.0001_initial... OK
Applying admin.0001_initial... OK
Applying admin.0002_logentry_remove_auto_add... OK
Applying admin.0003_logentry_add_action_flag_choices... OK
Applying users.0002_auto_20171225_1157_squashed_0019_auto_20190304_1459... OK
Applying assets.0001_initial... OK
Applying perms.0001_initial... OK
Applying assets.0002_auto_20180105_1807_squashed_0009_auto_20180307_1212... OK
Applying assets.0010_auto_20180307_1749_squashed_0019_auto_20180816_1320... OK
Applying perms.0002_auto_20171228_0025_squashed_0009_auto_20180903_1132... OK
Applying perms.0003_action... OK
Applying perms.0004_assetpermission_actions... OK
Applying assets.0020_auto_20180816_1652... OK
Applying assets.0021_auto_20180903_1132... OK
Applying assets.0022_auto_20181012_1717... OK
Applying assets.0023_auto_20181016_1650... OK
Applying assets.0024_auto_20181219_1614... OK
Applying assets.0025_auto_20190221_1902... OK
Applying assets.0026_auto_20190325_2035... OK
Applying applications.0001_initial... OK
Applying perms.0005_auto_20190521_1619... OK
Applying perms.0006_auto_20190628_1921... OK
Applying perms.0007_remove_assetpermission_actions... OK
Applying perms.0008_auto_20190911_1907... OK
Applying assets.0027_auto_20190521_1703... OK
Applying assets.0028_protocol... OK
Applying assets.0029_auto_20190522_1114... OK
Applying assets.0030_auto_20190619_1135... OK
Applying assets.0031_auto_20190621_1332... OK
Applying assets.0032_auto_20190624_2108... OK
Applying assets.0033_auto_20190624_2108... OK
Applying assets.0034_auto_20190705_1348... OK
Applying assets.0035_auto_20190711_2018... OK
Applying assets.0036_auto_20190716_1535... OK
Applying assets.0037_auto_20190724_2002... OK
Applying assets.0038_auto_20190911_1634... OK
Applying perms.0009_remoteapppermission_system_users... OK
Applying applications.0002_remove_remoteapp_system_user... OK
Applying applications.0003_auto_20191210_1659... OK
Applying applications.0004_auto_20191218_1705... OK
Applying assets.0039_authbook_is_active... OK
Applying assets.0040_auto_20190917_2056... OK
Applying assets.0041_gathereduser... OK
Applying assets.0042_favoriteasset... OK
Applying assets.0043_auto_20191114_1111... OK
Applying assets.0044_platform... OK
Applying assets.0045_auto_20191206_1607... OK
Applying assets.0046_auto_20191218_1705... OK
Applying assets.0047_assetuser... OK
Applying assets.0048_auto_20191230_1512... OK
Applying assets.0049_systemuser_sftp_root... OK
Applying audits.0001_initial... OK
Applying audits.0002_ftplog_org_id... OK
Applying audits.0003_auto_20180816_1652... OK
Applying audits.0004_operatelog_passwordchangelog_userloginlog... OK
Applying audits.0005_auto_20190228_1715... OK
Applying audits.0006_auto_20190726_1753... OK
Applying audits.0007_auto_20191202_1010... OK
Applying audits.0008_auto_20200508_2105... OK
Applying auth.0009_alter_user_last_name_max_length... OK
Applying auth.0010_alter_group_name_max_length... OK
Applying auth.0011_update_proxy_permissions... OK
Applying authentication.0001_initial... OK
Applying authentication.0002_auto_20190729_1423... OK
Applying authentication.0003_loginconfirmsetting... OK
Applying captcha.0001_initial... OK
Applying common.0001_initial... OK
Applying common.0002_auto_20180111_1407... OK
Applying common.0003_setting_category... OK
Applying common.0004_setting_encrypted... OK
Applying common.0005_auto_20190221_1902... OK
Applying common.0006_auto_20190304_1515... OK
Applying django_cas_ng.0001_initial... OK
Applying django_celery_beat.0001_initial... OK
Applying django_celery_beat.0002_auto_20161118_0346... OK
Applying django_celery_beat.0003_auto_20161209_0049... OK
Applying django_celery_beat.0004_auto_20170221_0000... OK
Applying django_celery_beat.0005_add_solarschedule_events_choices_squashed_0009_merge_20181012_1416... OK
Applying django_celery_beat.0006_periodictask_priority... OK
Applying jms_oidc_rp.0001_initial... OK
Applying ops.0001_initial... OK
Applying ops.0002_celerytask... OK
Applying ops.0003_auto_20181207_1744... OK
Applying ops.0004_adhoc_run_as... OK
Applying ops.0005_auto_20181219_1807... OK
Applying ops.0006_auto_20190318_1023... OK
Applying ops.0007_auto_20190724_2002... OK
Applying ops.0008_auto_20190919_2100... OK
Applying ops.0009_auto_20191217_1713... OK
Applying ops.0010_auto_20191217_1758... OK
Applying ops.0011_auto_20200106_1534... OK
Applying ops.0012_auto_20200108_1659... OK
Applying ops.0013_auto_20200108_1706... OK
Applying ops.0014_auto_20200108_1749... OK
Applying ops.0015_auto_20200108_1809... OK
Applying ops.0016_commandexecution_org_id... OK
Applying ops.0017_auto_20200306_1747... OK
Applying ops.0018_auto_20200509_1434... OK
Applying orgs.0001_initial... OK
Applying orgs.0002_auto_20180903_1132... OK
Applying orgs.0003_auto_20190916_1057... OK
Applying users.0020_auto_20190612_1825... OK
Applying users.0021_auto_20190625_1104... OK
Applying users.0022_auto_20190625_1105... OK
Applying users.0023_auto_20190724_1525... OK
Applying users.0024_auto_20191118_1612... OK
Applying perms.0010_auto_20191218_1705... OK
Applying sessions.0001_initial... OK
Applying settings.0001_initial... OK
Applying terminal.0001_initial... OK
Applying terminal.0002_auto_20171228_0025_squashed_0009_auto_20180326_0957... OK
Applying terminal.0010_auto_20180423_1140... OK
Applying terminal.0011_auto_20180807_1116... OK
Applying terminal.0012_auto_20180816_1652... OK
Applying terminal.0013_auto_20181123_1113... OK
Applying terminal.0014_auto_20181226_1441... OK
Applying terminal.0015_auto_20190923_1529... OK
Applying terminal.0016_commandstorage_replaystorage... OK
Applying terminal.0017_auto_20191125_0931... OK
Applying terminal.0018_auto_20191202_1010... OK
Applying terminal.0019_auto_20191206_1000... OK
Applying terminal.0020_auto_20191218_1721... OK
Applying terminal.0021_auto_20200213_1316... OK
Applying terminal.0022_session_is_success... OK
Applying terminal.0023_command_risk_level... OK
Applying tickets.0001_initial... OK
Applying users.0025_auto_20200206_1216... OK
Applying users.0026_auto_20200508_2105... OK
Applying users.0027_auto_20200616_1503... OK
2020-06-23 14:14:12 Collect static files
2020-06-23 14:14:18 Collect static files done
- Start Celery as Distributed Task Queue: Ansible
- Start Celery as Distributed Task Queue: Celery
- Start Beat as Periodic Task Scheduler
- Start Flower as Task Monitor
- Start Daphne ASGI WS Server
gunicorn is running: 3881
celery_ansible is running: 3892
celery_default is running: 3896
beat is running: 3900
flower is running: 3904
daphne is running: 3908
9. Docker部署KOKO組件
systemctl enable docker
systemctl daemon-reload
systemctl restart docker.service
cd /opt
Server_IP=`ip addr | grep 'state UP' -A2 | grep inet | egrep -v '(127.0.0.1|inet6|docker)' | awk '{print $2}' | tr -d "addr:" | head -n 1 | cut -d / -f1`
echo -e "\033[31m 你的服務器IP是 $Server_IP \033[0m"
docker run --name jms_koko -d \
-p 2222:2222 -p 127.0.0.1:5000:5000 \
-e CORE_HOST=http://$Server_IP \
-e BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN \
-e LOG_LEVEL=ERROR \
--restart=always \
jumpserver/jms_koko:2.0.0
10. Docker部署Guacamole組件
cd /opt
docker run --name jms_guacamole -d \
-p 127.0.0.1:8081:8080 \
-e JUMPSERVER_SERVER=http://$Server_IP \
-e BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN \
-e GUACAMOLE_LOG_LEVEL=ERROR \
jumpserver/jms_guacamole:2.0.0
- 檢查Docker狀態
docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
36a58481a02e jumpserver/jms_guacamole:2.0.0 "./entrypoint.sh" About a minute ago Up About a minute 127.0.0.1:8081->8080/tcp jms_guacamole
7a77d4c2aea4 jumpserver/jms_koko:2.0.0 "./entrypoint.sh" 9 minutes ago Up 9 minutes 0.0.0.0:2222->2222/tcp, 127.0.0.1:5000->5000/tcp jms_koko
docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
docker.io/jumpserver/jms_koko 2.0.0 141f4ce1e18c 4 hours ago 356 MB
docker.io/jumpserver/jms_guacamole 2.0.0 b1eecc36e7a2 4 hours ago 659 MB
11. Lina組件部署
cd /opt
wget http://demo.jumpserver.org/download/lina/2.0.1/lina.tar.gz
tar -xf lina.tar.gz
chown -R nginx:nginx lina
12. Luna組件部署
cd /opt
wget http://demo.jumpserver.org/download/luna/2.0.0/luna.tar.gz
tar -xf luna.tar.gz
chown -R nginx:nginx luna
13. Nginx 整合各組件配置
echo > /etc/nginx/conf.d/default.conf
vi /etc/nginx/conf.d/jumpserver.conf
server {
listen 80;
client_max_body_size 500m; # 錄像及文件上傳大小限制
location /ui/ {
try_files $uri / /index.html;
alias /opt/lina/;
}
location /luna/ {
try_files $uri / /index.html;
alias /opt/luna/; # luna 路徑, 如果修改安裝目錄, 此處需要修改
}
location /media/ {
add_header Content-Encoding gzip;
root /opt/jumpserver/data/; # 錄像位置, 如果修改安裝目錄, 此處需要修改
}
location /static/ {
root /opt/jumpserver/data/; # 靜態資源, 如果修改安裝目錄, 此處需要修改
}
location /koko/ {
proxy_pass http://localhost:5000;
proxy_buffering off;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
access_log off;
}
location /guacamole/ {
proxy_pass http://localhost:8081/;
proxy_buffering off;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $http_connection;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
access_log off;
}
location /ws/ {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://localhost:8070;
proxy_http_version 1.1;
proxy_buffering off;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
location /api/ {
proxy_pass http://localhost:8080;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
location /core/ {
proxy_pass http://localhost:8080;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
location / {
rewrite ^/(.*)$ /ui/$1 last;
}
}
- 服務啓動
systemctl enable nginx
systemctl start nginx
systemctl status nginx
nginx -t
nginx -s reload
14. Jumpserver登錄驗證
默認賬號與密碼:admin
安全建議
- JumpServer前端放置防火牆禁止不必要的端口訪問,外部訪問只需要開放80和2222端口,如果配置SSL需要額外開放443端口。
- JumpServer 所在服務器操作系統應該升級到最新。
- JumpServer 依賴的軟件禁止弱密碼、默認密碼,定期更新軟件到最新版本。
- 推薦開啓 MFA 功能,避免因密碼泄露導致的安全問題