部署Jumpsrver開源堡壘機

原創 烧脑的运维小赵 2020-07-04 08:47 
  <li><a href="index.html">Docs</a> »</li>
    
      <li><a href="step_by_step.html">安裝文檔</a> »</li>
    
      <li><a href="setup_by_prod.html">一站式、分佈式安裝文檔</a> »</li>
    
  <li>CentOS 7 安裝文檔</li>


  <li class="wy-breadcrumbs-aside">
    
        
        
          <a href="https://github.com/jumpserver/docs/blob/master/setup_by_centos7.rst" class="fa fa-github"> Edit on GitHub</a>
        
      
    
  </li>

CentOS 7 安裝文檔

說明

  • # 開頭的行表示註釋
  • > 開頭的行表示需要在 mysql 中執行
  • $ 開頭的行表示需要執行的命令

雲服務器快速部署參考 極速安裝

安裝過程中遇到問題可參考 FAQ 文檔

環境

  • 系統: CentOS 7
  • IP: 192.168.244.144
  • 目錄: /opt
  • 數據庫: mariadb
  • 代理: nginx

開始安裝

$ yum update -y

# 防火牆 與 selinux 設置說明, 如果已經關閉了 防火牆 和 Selinux 的用戶請跳過設置
$ systemctl start firewalld
$ firewall-cmd --zone=public --add-port=80/tcp --permanent # nginx 端口
$ firewall-cmd --zone=public --add-port=2222/tcp --permanent # 用戶SSH登錄端口 koko
–permanent 永久生效, 沒有此參數重啓後失效

$ firewall-cmd --reload # 重新載入規則

$ setenforce 0
$ sed -i “s/SELINUX=enforcing/SELINUX=disabled/g” /etc/selinux/config

# 安裝依賴包
$ yum -y install wget gcc epel-release git

# 安裝 Redis, JumpServer 使用 Redis 做 cache 和 celery broke
$ yum -y install redis
$ systemctl enable redis
$ systemctl start redis

# 安裝 MySQL, 如果不使用 Mysql 可以跳過相關 Mysql 安裝和配置, 支持sqlite3, mysql, postgres等
$ yum -y install mariadb mariadb-devel mariadb-server MariaDB-shared # centos7下叫mariadb, 用法與mysql一致
$ systemctl enable mariadb
$ systemctl start mariadb
# 創建數據庫 JumpServer 並授權
$ DB_PASSWORD=</span>cat /dev/urandom <span class="p">|</span> tr -dc A-Za-z0-9 <span class="p">|</span> head -c <span class="m">24</span><span class="sb"> # 生成隨機數據庫密碼
$ echo -e “\033[31m 你的數據庫密碼是 $DB_PASSWORD \033[0m”
$ mysql -uroot -e “create database jumpserver default charset ‘utf8’; grant all on jumpserver.* to ‘jumpserver’@‘127.0.0.1’ identified by ‘$DB_PASSWORD’; flush privileges;”

# 安裝 Nginx, 用作代理服務器整合 JumpServer 與各個組件
$ vi /etc/yum.repos.d/nginx.repo

[nginx]
name=nginx repo
baseurl=http://nginx.org/packages/centos/7/$basearch/
gpgcheck=0
enabled=1

$ yum -y install nginx
$ systemctl enable nginx

# 安裝 Python3.6
$ yum -y install python36 python36-devel

# 配置並載入 Python3 虛擬環境
$ cd /opt
$ python3.6 -m venv py3 # py3 爲虛擬環境名稱, 可自定義
$ source /opt/py3/bin/activate # 退出虛擬環境可以使用 deactivate 命令

# 看到下面的提示符代表成功, 以後運行 JumpServer 都要先運行以上 source 命令, 載入環境後默認以下所有命令均在該虛擬環境中運行
(py3) [root@localhost py3]

# 下載 JumpServer
$ cd /opt/
$ git clone --depth=1 https://github.com/jumpserver/jumpserver.git

# 安裝依賴 RPM 包
$ yum -y install $(cat /opt/jumpserver/requirements/rpm_requirements.txt)

# 安裝 Python 庫依賴
$ pip install wheel
$ pip install --upgrade pip setuptools
$ pip install -r /opt/jumpserver/requirements/requirements.txt

# 修改 JumpServer 配置文件
$ cd /opt/jumpserver
$ cp config_example.yml config.yml

$ SECRET_KEY=</span>cat /dev/urandom <span class="p">|</span> tr -dc A-Za-z0-9 <span class="p">|</span> head -c <span class="m">50</span><span class="sb"> # 生成隨機SECRET_KEY
$ echo “SECRET_KEY=$SECRET_KEY >> ~/.bashrc
$ BOOTSTRAP_TOKEN=</span>cat /dev/urandom <span class="p">|</span> tr -dc A-Za-z0-9 <span class="p">|</span> head -c <span class="m">16</span><span class="sb"> # 生成隨機BOOTSTRAP_TOKEN
$ echo “BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN >> ~/.bashrc

$ sed -i “s/SECRET_KEY:/SECRET_KEY: $SECRET_KEY/g” /opt/jumpserver/config.yml
$ sed -i “s/BOOTSTRAP_TOKEN:/BOOTSTRAP_TOKEN: $BOOTSTRAP_TOKEN/g” /opt/jumpserver/config.yml
$ sed -i “s/# DEBUG: true/DEBUG: false/g” /opt/jumpserver/config.yml
$ sed -i “s/# LOG_LEVEL: DEBUG/LOG_LEVEL: ERROR/g” /opt/jumpserver/config.yml
$ sed -i “s/# SESSION_EXPIRE_AT_BROWSER_CLOSE: false/SESSION_EXPIRE_AT_BROWSER_CLOSE: true/g” /opt/jumpserver/config.yml
$ sed -i “s/DB_PASSWORD: /DB_PASSWORD: $DB_PASSWORD/g” /opt/jumpserver/config.yml

$ echo -e “\033[31m 你的SECRET_KEY是 $SECRET_KEY \033[0m”
$ echo -e “\033[31m 你的BOOTSTRAP_TOKEN是 $BOOTSTRAP_TOKEN \033[0m”

$ vi config.yml # 確認內容有沒有錯誤

# SECURITY WARNING: keep the secret key used in production secret!
# 加密祕鑰 生產環境中請修改爲隨機字符串, 請勿外泄, PS: 純數字不可以
SECRET_KEY:

# SECURITY WARNING: keep the bootstrap token used in production secret!
# 預共享Token koko和guacamole用來註冊服務賬號, 不在使用原來的註冊接受機制
BOOTSTRAP_TOKEN:

# Development env open this, when error occur display the full process track, Production disable it
# DEBUG 模式 開啓DEBUG後遇到錯誤時可以看到更多日誌
DEBUG: false

# DEBUG, INFO, WARNING, ERROR, CRITICAL can set. See https://docs.djangoproject.com/en/1.10/topics/logging/
# 日誌級別
LOG_LEVEL: ERROR
# LOG_DIR:

# Session expiration setting, Default 24 hour, Also set expired on on browser close
# 瀏覽器Session過期時間, 默認24小時, 也可以設置瀏覽器關閉則過期
# SESSION_COOKIE_AGE: 86400
SESSION_EXPIRE_AT_BROWSER_CLOSE: true

# Database setting, Support sqlite3, mysql, postgres …
# 數據庫設置
# See https://docs.djangoproject.com/en/1.10/ref/settings/#databases

# SQLite setting:
# 使用單文件sqlite數據庫
# DB_ENGINE: sqlite3
# DB_NAME:

# MySQL or postgres setting like:
# 使用Mysql作爲數據庫
DB_ENGINE: mysql
DB_HOST: 127.0.0.1
DB_PORT: 3306
DB_USER: jumpserver
DB_PASSWORD:
DB_NAME: jumpserver

# When Django start it will bind this host and port
# ./manage.py runserver 127.0.0.1:8080
# 運行時綁定端口
HTTP_BIND_HOST: 0.0.0.0
HTTP_LISTEN_PORT: 8080

# Use Redis as broker for celery and web socket
# Redis配置
REDIS_HOST: 127.0.0.1
REDIS_PORT: 6379
# REDIS_PASSWORD:
# REDIS_DB_CELERY: 3
# REDIS_DB_CACHE: 4

# Use OpenID authorization
# 使用OpenID 來進行認證設置
# BASE_SITE_URL: http://localhost:8080
# AUTH_OPENID: false # True or False
# AUTH_OPENID_SERVER_URL: https://openid-auth-server.com/
# AUTH_OPENID_REALM_NAME: realm-name
# AUTH_OPENID_CLIENT_ID: client-id
# AUTH_OPENID_CLIENT_SECRET: client-secret

# OTP settings
# OTP/MFA 配置
# OTP_VALID_WINDOW: 0
# OTP_ISSUER_NAME: Jumpserver

# 運行 JumpServer
$ cd /opt/jumpserver
$ ./jms start -d  # 後臺運行使用 -d 參數./jms start -d
# 新版本更新了運行腳本, 使用方式./jms start|stop|status all  後臺運行請添加 -d 參數

$ wget -O /usr/lib/systemd/system/jms.service https://demo.jumpserver.org/download/shell/centos/jms.service
$ chmod 755 /usr/lib/systemd/system/jms.service
$ systemctl enable jms # 配置自啓

# 安裝 docker 部署 koko 與 guacamole
$ yum install -y yum-utils device-mapper-persistent-data lvm2
$ yum-config-manager --add-repo http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
$ yum makecache fast
$ rpm --import https://mirrors.aliyun.com/docker-ce/linux/centos/gpg
$ yum -y install docker-ce
$ systemctl enable docker wget
$ mkdir /etc/docker
$ wget -O /etc/docker/daemon.json http://demo.jumpserver.org/download/docker/daemon.json
$ systemctl restart docker

# 允許 容器ip 訪問宿主 8080 端口, (容器的 ip 可以進入容器查看)
$ firewall-cmd --permanent --add-rich-rule=“rule family=“ipv4” source address=“172.17.0.0/16” port protocol=“tcp” port=“8080” accept”
$ firewall-cmd --reload
# 172.17.0.x 是docker容器默認的IP池, 這裏偷懶直接授權ip段了, 可以根據實際情況單獨授權IP

# 獲取當前服務器 IP
$ Server_IP=</span>ip addr <span class="p">|</span> grep <span class="s1">'state UP'</span> -A2 <span class="p">|</span> grep inet <span class="p">|</span> egrep -v <span class="s1">'(127.0.0.1|inet6|docker)'</span> <span class="p">|</span> awk <span class="s1">'{print $2}'</span> <span class="p">|</span> tr -d <span class="s2">"addr:"</span> <span class="p">|</span> head -n <span class="m">1</span> <span class="p">|</span> cut -d / -f1<span class="sb">
$ echo -e “\033[31m 你的服務器IP是 $Server_IP \033[0m”

# http://<Jumpserver_url> 指向 jumpserver 的服務端口, 如 http://192.168.244.144:8080
# BOOTSTRAP_TOKEN 爲 Jumpserver/config.yml 裏面的 BOOTSTRAP_TOKEN
$ docker run --name jms_koko -d -p 2222:2222 -p 127.0.0.1:5000:5000 -e CORE_HOST=http://ServerIP</span>:8080e<spanclass="nv">BOOTSTRAPTOKEN</span><spanclass="o">=</span><spanclass="nv">Server_IP</span>:8080 -e <span class="nv">BOOTSTRAP_TOKEN</span><span class="o">=</span><span class="nv">BOOTSTRAP_TOKEN --restart=always wojiushixiaobai/jms_koko:1.5.6
$ docker run --name jms_guacamole -d -p 127.0.0.1:8081:8080 -e JUMPSERVER_SERVER=http://ServerIP</span>:8080e<spanclass="nv">BOOTSTRAPTOKEN</span><spanclass="o">=</span><spanclass="nv">Server_IP</span>:8080 -e <span class="nv">BOOTSTRAP_TOKEN</span><span class="o">=</span><span class="nv">BOOTSTRAP_TOKEN --restart=always wojiushixiaobai/jms_guacamole:1.5.6

# 安裝 Web Terminal 前端: Luna  需要 Nginx 來運行訪問 訪問(https://github.com/jumpserver/luna/releases)下載對應版本的 release 包, 直接解壓, 不需要編譯
$ cd /opt
$ wget https://github.com/jumpserver/luna/releases/download/1.5.6/luna.tar.gz

# 如果網絡有問題導致下載無法完成可以使用下面地址
$ wget https://demo.jumpserver.org/download/luna/1.5.6/luna.tar.gz

$ tar xf luna.tar.gz
$ chown -R root:root luna

# 配置 Nginx 整合各組件
$ rm -rf /etc/nginx/conf.d/default.conf

$ vi /etc/nginx/conf.d/jumpserver.conf

server {
listen 80;
# server_name _;

client_max_body_size 100m<span class="p">;</span>  <span class="c1"># 錄像及文件上傳大小限制</span>

location /luna/ <span class="o">{</span>
    try_files <span class="nv">$uri</span> / /index.html<span class="p">;</span>
    <span class="nb">alias</span> /opt/luna/<span class="p">;</span>  <span class="c1"># luna 路徑, 如果修改安裝目錄, 此處需要修改</span>
<span class="o">}</span>

location /media/ <span class="o">{</span>
    add_header Content-Encoding gzip<span class="p">;</span>
    root /opt/jumpserver/data/<span class="p">;</span>  <span class="c1"># 錄像位置, 如果修改安裝目錄, 此處需要修改</span>
<span class="o">}</span>

location /static/ <span class="o">{</span>
    root /opt/jumpserver/data/<span class="p">;</span>  <span class="c1"># 靜態資源, 如果修改安裝目錄, 此處需要修改</span>
<span class="o">}</span>

location /koko/ <span class="o">{</span>
    proxy_pass       http://localhost:5000<span class="p">;</span>
    proxy_buffering off<span class="p">;</span>
    proxy_http_version <span class="m">1</span>.1<span class="p">;</span>
    proxy_set_header Upgrade <span class="nv">$http_upgrade</span><span class="p">;</span>
    proxy_set_header Connection <span class="s2">"upgrade"</span><span class="p">;</span>
    proxy_set_header X-Real-IP <span class="nv">$remote_addr</span><span class="p">;</span>
    proxy_set_header Host <span class="nv">$host</span><span class="p">;</span>
    proxy_set_header X-Forwarded-For <span class="nv">$proxy_add_x_forwarded_for</span><span class="p">;</span>
    access_log off<span class="p">;</span>
<span class="o">}</span>

location /guacamole/ <span class="o">{</span>
    proxy_pass       http://localhost:8081/<span class="p">;</span>
    proxy_buffering off<span class="p">;</span>
    proxy_http_version <span class="m">1</span>.1<span class="p">;</span>
    proxy_set_header Upgrade <span class="nv">$http_upgrade</span><span class="p">;</span>
    proxy_set_header Connection <span class="nv">$http_connection</span><span class="p">;</span>
    proxy_set_header X-Real-IP <span class="nv">$remote_addr</span><span class="p">;</span>
    proxy_set_header Host <span class="nv">$host</span><span class="p">;</span>
    proxy_set_header X-Forwarded-For <span class="nv">$proxy_add_x_forwarded_for</span><span class="p">;</span>
    access_log off<span class="p">;</span>
<span class="o">}</span>

location /ws/ <span class="o">{</span>
    proxy_pass http://localhost:8070<span class="p">;</span>
    proxy_http_version <span class="m">1</span>.1<span class="p">;</span>
    proxy_buffering off<span class="p">;</span>
    proxy_set_header Upgrade <span class="nv">$http_upgrade</span><span class="p">;</span>
    proxy_set_header Connection <span class="s2">"upgrade"</span><span class="p">;</span>
    proxy_set_header X-Real-IP <span class="nv">$remote_addr</span><span class="p">;</span>
    proxy_set_header Host <span class="nv">$host</span><span class="p">;</span>
    proxy_set_header X-Forwarded-For <span class="nv">$proxy_add_x_forwarded_for</span><span class="p">;</span>
    access_log off<span class="p">;</span>
<span class="o">}</span>

location / <span class="o">{</span>
    proxy_pass http://localhost:8080<span class="p">;</span>
    proxy_set_header X-Real-IP <span class="nv">$remote_addr</span><span class="p">;</span>
    proxy_set_header Host <span class="nv">$host</span><span class="p">;</span>
    proxy_set_header X-Forwarded-For <span class="nv">$proxy_add_x_forwarded_for</span><span class="p">;</span>
    access_log off<span class="p">;</span>
<span class="o">}</span>

}

# 運行 Nginx
$ nginx -t   # 確保配置沒有問題, 有問題請先解決
$ systemctl start nginx

# 訪問 http://192.168.244.144 (注意 沒有 :8080 通過 nginx 代理端口進行訪問)
# 默認賬號: admin 密碼: admin 到會話管理-終端管理 接受 koko Guacamole 等應用的註冊
# 測試連接
$ ssh -p2222 [email protected]
$ sftp -P2222 [email protected]
密碼: admin

# 如果是用在 Windows 下, Xshell Terminal 登錄語法如下
$ ssh [email protected] 2222
$ sftp [email protected] 2222
密碼: admin
如果能登陸代表部署成功

# sftp默認上傳的位置在資產的 /tmp 目錄下
# windows拖拽上傳的位置在資產的 Guacamole RDP上的 G 目錄下

後續的使用請參考 快速入門 如遇到問題可參考 FAQ

       </div>
       
      </div>
      <footer>

<div class="rst-footer-buttons" role="navigation" aria-label="footer navigation">
  
    <a href="setup_by_centos8.html" class="btn btn-neutral float-right" title="CentOS 8 安裝文檔" accesskey="n" rel="next">Next <span class="fa fa-arrow-circle-right"></span></a>
  
  
    <a href="setup_by_prod.html" class="btn btn-neutral float-left" title="一站式、分佈式安裝文檔" accesskey="p" rel="prev"><span class="fa fa-arrow-circle-left"></span> Previous</a>
  
</div>

© Copyright 北京堆棧科技有限公司 © 2014-2018 

    <span class="commit">
      Revision <code>045fb80f</code>.
    </span>
  

</p>

Built with Sphinx using a theme provided by Read the Docs. 
    </div>
發表評論
所有評論
還沒有人評論,想成為第一個評論的人麼? 請在上方評論欄輸入並且點擊發布.
相關文章

CentOS-7開源堡壘機Jumpserver V1.5.5環境部署

ChironW 2020-02-23 11:39:50