JumpServer 2.4.0 deployment
About JumpServer
JumpServer is a fully open-source bastion host released under the GNU GPL v2.0. It is a 4A-style (authentication, authorization, accounting, auditing) operations audit system written in Python / Django. It ships a web terminal, so users need nothing but a browser, and it can broker and record sessions to SSH, Telnet, RDP and VNC assets.
Advantages of JumpServer
- Open source: no licensing barrier, fetch and install it online
- Distributed: scales out to large numbers of concurrent sessions
- No plugins: a browser is all the user needs for the web terminal
- Multi-cloud: one system manages assets across different cloud providers
- Cloud storage: session recordings can be kept in object storage so they do not disappear with the host
- Multi-tenant: one system serves several subsidiaries and departments; multiple application types: databases, Windows remote apps, Kubernetes
System requirements
- CentOS 7.6
- Hardware: 2 CPU cores, 4 GB RAM, 50 GB disk (minimum)
- Operating system: x86_64 Linux distribution
Base environment
# Switch to the Aliyun mirrors
cp /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.bak
wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo
wget -O /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo
# Drop the old cache and rebuild it
yum clean all
yum makecache
# Update the system
yum -y update
# Stop the firewall. A bastion host is exactly the machine that should keep one: if you leave firewalld
# running, allow only what users reach (nginx on 80/tcp and koko's SSH listener if you use it) and keep
# 8080, 8070, 5000, 8081, 3306 and 6379 closed to the network.
systemctl stop firewalld.service
systemctl disable firewalld.service
# Put SELinux into permissive mode now and disable it at the next boot
setenforce 0
sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config
Install Python 3.6, MariaDB, Redis and nginx (python36 comes from the EPEL repository added above)
yum -y install python3.6 python36-devel mariadb mariadb-server.x86_64 redis nginx
Start and configure Redis
systemctl enable redis
systemctl start redis
# Edit /etc/redis.conf. The notes after each directive below are explanations only: Redis has no inline
# comments, and a line such as "requirepass redis123 # note" makes redis-server refuse to start.
# bind 127.0.0.1      The original guide comments this line out so that other hosts can reach Redis. Every
#                     component in this walkthrough runs on this host and connects to 127.0.0.1, so keep the
#                     line; only remove it if koko or guacamole will run elsewhere, and then firewall 6379.
# protected-mode      Likewise leave it at "yes"; it only blocks unauthenticated clients from other hosts.
port 6379             (default Redis port)
requirepass redis123  (Redis password; "redis123" is a placeholder, use a long random value)
aof-rewrite-incremental-fsync yes
# Restart Redis
systemctl restart redis
# Connect
redis-cli -h 127.0.0.1 -p 6379
# "info" now answers with NOAUTH until you authenticate
auth redis123
# run "info" again; "keys *" lists every key (harmless here, avoid it on a busy production instance)
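Whether Redis ends up reachable from the network is decided by the three directives above. The script below is an added example, not part of the original walkthrough or of the JumpServer project: it audits a redis.conf for an active bind line limited to loopback, protected-mode left on, and a requirepass of reasonable length, which is what a single-host install needs. Both sample configs are constructed for the example; the first mirrors the edits the original guide suggested, the second is the loopback-only version.

```shell
#!/usr/bin/env bash
# Added example: audit /etc/redis.conf for network exposure on a single-host
# JumpServer install. Not JumpServer project code; the sample configs below
# are constructed for illustration.

# audit_redis_conf FILE
# Prints one "FINDING:" line per problem and returns the number of findings
# (0 means the file is acceptable for a host where every client uses 127.0.0.1).
audit_redis_conf() {
    local f="$1" findings=0 eff bind_lines nonloop pass

    # Redis treats only whole lines starting with '#' as comments, so that is
    # all we strip; an inline "# note" after a directive is a parse error to Redis.
    eff=$(sed -e '/^[[:space:]]*#/d' -e '/^[[:space:]]*$/d' "$f")

    # 1. No active bind directive: Redis listens on every interface.
    bind_lines=$(printf '%s\n' "$eff" | awk '$1=="bind"')
    if [ -z "$bind_lines" ]; then
        echo "FINDING: no active 'bind' line, Redis listens on all interfaces"
        findings=$((findings + 1))
    else
        # Any bind address other than loopback exposes the instance.
        nonloop=$(printf '%s\n' "$bind_lines" |
            awk '{for (i = 2; i <= NF; i++) if ($i != "127.0.0.1" && $i != "::1") printf "%s ", $i}')
        if [ -n "$nonloop" ]; then
            echo "FINDING: 'bind' includes non-loopback address(es): $nonloop"
            findings=$((findings + 1))
        fi
    fi

    # 2. protected-mode no: drops the last guard against unauthenticated remote clients.
    if printf '%s\n' "$eff" | grep -Eiq '^[[:space:]]*protected-mode[[:space:]]+no'; then
        echo "FINDING: protected-mode is off"
        findings=$((findings + 1))
    fi

    # 3. Missing or short requirepass.
    pass=$(printf '%s\n' "$eff" | awk '$1=="requirepass" {p=$2} END {print p}')
    if [ -z "$pass" ]; then
        echo "FINDING: no requirepass, anyone who can reach the port has full access"
        findings=$((findings + 1))
    elif [ "${#pass}" -lt 16 ]; then
        echo "FINDING: requirepass is only ${#pass} characters long"
        findings=$((findings + 1))
    fi

    return "$findings"
}

# --- constructed sample inputs ---------------------------------------------
WORK=$(mktemp -d)
INSECURE_CONF="$WORK/redis-as-edited.conf"   # the edits the original guide suggested
HARDENED_CONF="$WORK/redis-loopback.conf"    # what a single-host install needs
cat >"$INSECURE_CONF" <<'EOF'
# bind 127.0.0.1
protected-mode no
port 6379
requirepass redis123
aof-rewrite-incremental-fsync yes
EOF
cat >"$HARDENED_CONF" <<'EOF'
bind 127.0.0.1 ::1
protected-mode yes
port 6379
requirepass 6rX9pQ2vLk8sWn4tYb1cHd3f
aof-rewrite-incremental-fsync yes
EOF

echo "== $INSECURE_CONF"
audit_redis_conf "$INSECURE_CONF" || echo "-> $? finding(s); fix before starting core and koko"
echo "== $HARDENED_CONF"
audit_redis_conf "$HARDENED_CONF" && echo "-> ok"
```

Source the script and run `audit_redis_conf /etc/redis.conf` against the real file. A second check that needs no script: `redis-cli -h <server-ip> ping` from another machine should fail to connect; if it answers NOAUTH instead, Redis is still on the network and only the password stands between it and the session data.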
Start MariaDB and create the database
systemctl enable mariadb
systemctl start mariadb
# Set the MariaDB root password (a fresh install has none, so just press Enter at the prompt)
mysqladmin -uroot -p password admin123
# Log in (a password given with -p on the command line lands in shell history; typing it at the prompt is cleaner)
mysql -uroot -padmin123
# Create the jumpserver database
create database jumpserver default charset 'utf8' collate 'utf8_bin';
# Create the jumpserver user; the grant is limited to 127.0.0.1, which matches DB_HOST in config.yml below
grant all on jumpserver.* to 'jumpserver'@'127.0.0.1' identified by 'jumpserver123';
flush privileges;
Python virtual environment
cd /opt
python3.6 -m venv py3
source /opt/py3/bin/activate
Everything below runs inside this virtual environment
Download the JumpServer source and install its dependencies
# Go to /opt
cd /opt
# Fetch the release tarball
wget https://github.com/jumpserver/jumpserver/releases/download/v2.4.0/jumpserver-v2.4.0.tar.gz
# Unpack
tar xf jumpserver-v2.4.0.tar.gz
mv jumpserver-v2.4.0 jumpserver
# Install the build dependencies
cd /opt/jumpserver/requirements
yum install -y $(cat rpm_requirements.txt)
pip install wheel -i https://mirrors.aliyun.com/pypi/simple/
pip install --upgrade pip setuptools -i https://mirrors.aliyun.com/pypi/simple/
pip install -r requirements.txt -i https://mirrors.aliyun.com/pypi/simple/
# If pip reports that no matching version can be found, install the package it complains about on its own, e.g. for six:
pip install --upgrade --ignore-installed six
cd /opt/jumpserver && cp config_example.yml config.yml && vi config.yml
# SECRET_KEY: generate your own with: cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 50
# It signs sessions and encrypts the credentials JumpServer stores, so never reuse the value printed here,
# and keep it unchanged (and backed up) across upgrades, otherwise the stored secrets become unreadable.
SECRET_KEY: W5Ic3fMXNZ0p5RIy5DhJYJllppTfcfkW8Yuf94VBMfpcssbfu
# BOOTSTRAP_TOKEN: generate with: cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 16
# koko and guacamole present it to register with core; again, use your own value, not this one.
BOOTSTRAP_TOKEN: zxffNymGjP79j6BN
# DEBUG mode: more verbose logging when something fails; leave it off outside development
DEBUG: false
# Log level
LOG_LEVEL: ERROR
# Browser sessions last 24 hours by default; this makes them expire when the browser closes
SESSION_EXPIRE_AT_BROWSER_CLOSE: true
# Use MySQL/MariaDB as the database
DB_ENGINE: mysql
DB_HOST: 127.0.0.1
DB_PORT: 3306
DB_USER: jumpserver
DB_PASSWORD: jumpserver123
DB_NAME: jumpserver
# Listen address and ports. nginx proxies to these on the same host, so loopback is enough and keeps
# port 8080 (the API with no nginx in front) off the network. The original guide used 0.0.0.0;
# that is only needed if nginx runs on another machine.
HTTP_BIND_HOST: 127.0.0.1
HTTP_LISTEN_PORT: 8080
WS_LISTEN_PORT: 8070
# Redis
REDIS_HOST: 127.0.0.1
REDIS_PORT: 6379
REDIS_PASSWORD: redis123
# Skip manual password entry for Windows logins
WINDOWS_SKIP_ALL_MANUAL_PASSWORD: True
# The py3 virtualenv must be active: source /opt/py3/bin/activate
cd /opt/jumpserver
./jms start -d
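SECRET_KEY and BOOTSTRAP_TOKEN are the two values readers copy verbatim from guides like this one, and a copied SECRET_KEY lets anyone with the guide sign sessions and decrypt the credentials JumpServer stores. The script below is an added example, not part of the original walkthrough or of JumpServer: it generates fresh values with the same /dev/urandom recipe, writes them into a config.yml, sets HTTP_BIND_HOST to loopback, and refuses any config that still carries the published values before ./jms start is run. The file names, the six-line template and the length thresholds are assumptions made for the example.

```shell
#!/usr/bin/env bash
# Added example: fresh secrets for jumpserver/config.yml plus a pre-start check.
# Not JumpServer project code; paths and the mini template are constructed.

# Values printed in the walkthrough above. Anything that appears in a public
# document is compromised by definition, so the check rejects them outright.
KNOWN_EXAMPLE_SECRET='W5Ic3fMXNZ0p5RIy5DhJYJllppTfcfkW8Yuf94VBMfpcssbfu'
KNOWN_EXAMPLE_TOKEN='zxffNymGjP79j6BN'

# gen_secret LEN: LEN characters from [A-Za-z0-9], the same alphabet as the
# "tr -dc A-Za-z0-9" recipe above. Reads a fixed 4 KiB of /dev/urandom (about
# 1000 usable characters) so every process in the pipe reads to EOF.
gen_secret() {
    local len="$1" out
    out=$(head -c 4096 /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9' | cut -c "1-$len")
    [ "${#out}" -eq "$len" ] || return 1
    printf '%s' "$out"
}

# set_yaml_key FILE KEY VALUE: rewrite a top-level "KEY: value" line in place.
# Enough for the flat key: value lines config.yml uses; fails if KEY is absent.
set_yaml_key() {
    local f="$1" key="$2" val="$3"
    grep -Eq "^${key}:" "$f" || return 1
    sed -i "s|^${key}:.*|${key}: ${val}|" "$f"
}

# get_yaml_key FILE KEY: print the value of a top-level key (empty if absent).
get_yaml_key() {
    awk -v k="$2:" '$1 == k { print $2; exit }' "$1"
}

# check_core_config FILE: return 0 if it is safe to run ./jms start, otherwise
# print each reason and return 1.
check_core_config() {
    local f="$1" bad=0 v
    v=$(get_yaml_key "$f" SECRET_KEY)
    if [ "${#v}" -lt 50 ] || [ "$v" = "$KNOWN_EXAMPLE_SECRET" ]; then
        echo "reject: SECRET_KEY is too short or is the published example value"; bad=1
    fi
    v=$(get_yaml_key "$f" BOOTSTRAP_TOKEN)
    if [ "${#v}" -lt 16 ] || [ "$v" = "$KNOWN_EXAMPLE_TOKEN" ]; then
        echo "reject: BOOTSTRAP_TOKEN is too short or is the published example value"; bad=1
    fi
    v=$(get_yaml_key "$f" HTTP_BIND_HOST)
    if [ "$v" != "127.0.0.1" ]; then
        echo "reject: HTTP_BIND_HOST is '$v'; with nginx on this host it should be 127.0.0.1"; bad=1
    fi
    v=$(get_yaml_key "$f" DEBUG)
    if [ "$v" != "false" ]; then
        echo "reject: DEBUG must be false outside development"; bad=1
    fi
    return "$bad"
}

# --- constructed demo ------------------------------------------------------
WORK=$(mktemp -d)
COPIED_CONF="$WORK/config-copied.yml"   # the values exactly as a reader would paste them
cat >"$COPIED_CONF" <<EOF
SECRET_KEY: $KNOWN_EXAMPLE_SECRET
BOOTSTRAP_TOKEN: $KNOWN_EXAMPLE_TOKEN
DEBUG: false
LOG_LEVEL: ERROR
HTTP_BIND_HOST: 0.0.0.0
HTTP_LISTEN_PORT: 8080
EOF

FRESH_CONF="$WORK/config-fresh.yml"     # the same file after generating our own values
cp "$COPIED_CONF" "$FRESH_CONF"
set_yaml_key "$FRESH_CONF" SECRET_KEY "$(gen_secret 50)"
set_yaml_key "$FRESH_CONF" BOOTSTRAP_TOKEN "$(gen_secret 16)"
set_yaml_key "$FRESH_CONF" HTTP_BIND_HOST 127.0.0.1

check_core_config "$COPIED_CONF" || echo "-> copied config rejected"
check_core_config "$FRESH_CONF" && echo "-> fresh config accepted"
```

On the real host, `check_core_config /opt/jumpserver/config.yml` just before `./jms start -d` is the point of the script; the same BOOTSTRAP_TOKEN then goes into koko's config.yml and guacamole's environment below. Back up the SECRET_KEY line somewhere outside the server: it cannot be regenerated later without losing every credential stored under it.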
Deploy koko
# Download the tarball
cd /opt && wget https://github.com/jumpserver/koko/releases/download/v2.4.0/koko-v2.4.0-linux-amd64.tar.gz
# Unpack
tar -xf koko-v2.4.0-linux-amd64.tar.gz
mv koko-v2.4.0-linux-amd64 koko
# Fix ownership
chown -R root:root koko
# kubectl: the kubectl shipped with koko is a wrapper and goes to /usr/local/bin/kubectl; the real binary
# is installed as rawkubectl. The archive is an unsigned download over HTTPS, so verify it against the
# upstream kubectl checksum if your policy requires it.
cd koko && mv kubectl /usr/local/bin/
wget https://download.jumpserver.org/public/kubectl.tar.gz
tar -xf kubectl.tar.gz
chmod 755 kubectl
mv kubectl /usr/local/bin/rawkubectl
rm -rf kubectl.tar.gz
cd /opt/koko && cp config_example.yml config.yml && vi config.yml
# URL of the JumpServer core; used for the registration API call
CORE_HOST: http://127.0.0.1:8080
# Must match BOOTSTRAP_TOKEN in jumpserver's config.yml; remove it from this file once registration has completed
BOOTSTRAP_TOKEN: zxffNymGjP79j6BN
# Log level [DEBUG, INFO, WARN, ERROR, FATAL, CRITICAL]
LOG_LEVEL: ERROR
# Session sharing backend [local, redis], default local
SHARE_ROOM_TYPE: redis
# Redis
REDIS_HOST: 127.0.0.1
REDIS_PORT: 6379
REDIS_PASSWORD: redis123
REDIS_DB_ROOM: 6
cd /opt/koko && ./koko -d
Deploy the Guacamole component
# Download the tarball. This URL is the current master branch of docker-guacamole, not a tagged 2.4.0 release,
# so its contents can change between runs. The download.jumpserver.org archives below are fetched over plain
# HTTP with no checksum; download them from a trusted network or verify them out of band.
cd /opt && wget -O docker-guacamole-v2.4.0.tar.gz https://github.com/jumpserver/docker-guacamole/archive/master.tar.gz
# Create the directory and fetch the dependencies
mkdir /opt/docker-guacamole
tar -xf docker-guacamole-v2.4.0.tar.gz -C /opt/docker-guacamole --strip-components 1
rm -rf /opt/docker-guacamole-v2.4.0.tar.gz && cd /opt/docker-guacamole
wget http://download.jumpserver.org/public/guacamole-server-1.2.0.tar.gz
tar -xf guacamole-server-1.2.0.tar.gz
wget http://download.jumpserver.org/public/ssh-forward.tar.gz
tar -xf ssh-forward.tar.gz -C /bin/ && chmod +x /bin/ssh-forward
# Install build dependencies
yum -y install cairo-devel libjpeg-turbo-devel libpng-devel libtool uuid-devel ffmpeg-devel freerdp-devel pango-devel libssh2-devel libtelnet-devel libvncserver-devel libwebsockets-devel pulseaudio-libs-devel openssl-devel libvorbis-devel libwebp-devel
# Build guacamole-server
cd /opt/docker-guacamole/guacamole-server-1.2.0
# Configure
./configure --with-init-dir=/etc/init.d
# Compile and install
make && make install
yum install -y java-1.8.0-openjdk
# Create the directories
mkdir -p /config/guacamole /config/guacamole/extensions /config/guacamole/record /config/guacamole/drive && chown daemon:daemon /config/guacamole/record /config/guacamole/drive && cd /config
# Download Tomcat. The original mixed 9.0.38 in the URL with 9.0.36 in the tar and mv lines; all three must name the same version.
wget http://mirrors.tuna.tsinghua.edu.cn/apache/tomcat/tomcat-9/v9.0.38/bin/apache-tomcat-9.0.38.tar.gz
# Unpack
tar -xf apache-tomcat-9.0.38.tar.gz
mv apache-tomcat-9.0.38 tomcat9
rm -rf /config/tomcat9/webapps/*
# Edit the configuration: move Tomcat from 8080 (taken by core) to 8081, and log in UTF-8
sed -i 's/Connector port="8080"/Connector port="8081"/g' /config/tomcat9/conf/server.xml && \
echo "java.util.logging.ConsoleHandler.encoding = UTF-8" >> /config/tomcat9/conf/logging.properties
# Remaining setup
wget http://download.jumpserver.org/release/v2.4.0/guacamole-client-v2.4.0.tar.gz && \
tar -xf guacamole-client-v2.4.0.tar.gz && \
rm -rf guacamole-client-v2.4.0.tar.gz && \
cp guacamole-client-v2.4.0/guacamole-*.war /config/tomcat9/webapps/ROOT.war && \
cp guacamole-client-v2.4.0/guacamole-*.jar /config/guacamole/extensions/ && \
mv /opt/docker-guacamole/guacamole.properties /config/guacamole/ && \
rm -rf /opt/docker-guacamole
export JUMPSERVER_SERVER=http://127.0.0.1:8080
echo "export JUMPSERVER_SERVER=http://127.0.0.1:8080" >> ~/.bashrc
export BOOTSTRAP_TOKEN=zxffNymGjP79j6BN
echo "export BOOTSTRAP_TOKEN=zxffNymGjP79j6BN" >> ~/.bashrc
export JUMPSERVER_KEY_DIR=/config/guacamole/data/keys
echo "export JUMPSERVER_KEY_DIR=/config/guacamole/data/keys" >> ~/.bashrc
export GUACAMOLE_HOME=/config/guacamole
echo "export GUACAMOLE_HOME=/config/guacamole" >> ~/.bashrc
export GUACAMOLE_LOG_LEVEL=ERROR
echo "export GUACAMOLE_LOG_LEVEL=ERROR" >> ~/.bashrc
export JUMPSERVER_ENABLE_DRIVE=true
echo "export JUMPSERVER_ENABLE_DRIVE=true" >> ~/.bashrc
# What the variables mean
JUMPSERVER_SERVER: address of core
BOOTSTRAP_TOKEN: the BOOTSTRAP_TOKEN value from jumpserver/config.yml. Appending it to ~/.bashrc leaves the token in root's shell profile; as with koko, remove those lines once guacamole has registered.
JUMPSERVER_KEY_DIR: directory where the key is stored after successful registration
GUACAMOLE_HOME: directory containing guacamole.properties
GUACAMOLE_LOG_LEVEL: log level
JUMPSERVER_ENABLE_DRIVE: mount a shared drive in RDP sessions
# Start (from the shell where the variables above were exported; a systemd unit would not inherit ~/.bashrc)
/etc/init.d/guacd start
sh /config/tomcat9/bin/startup.sh
Download lina
cd /opt
# Download the tarball
wget https://github.com/jumpserver/lina/releases/download/v2.4.0/lina-v2.4.0.tar.gz
# Unpack
tar -xf lina-v2.4.0.tar.gz
mv lina-v2.4.0 lina
# Fix ownership
chown -R nginx:nginx lina
Download luna
cd /opt
# Download the tarball
wget https://github.com/jumpserver/luna/releases/download/v2.4.0/luna-v2.4.0.tar.gz
# Unpack
tar -xf luna-v2.4.0.tar.gz
mv luna-v2.4.0 luna
# Fix ownership
chown -R nginx:nginx luna
Configure nginx to front all the components
- vim /etc/nginx/nginx.conf
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
include /usr/share/nginx/modules/*.conf;
events {
worker_connections 65535;
}
http {
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 120;
types_hash_max_size 2048;
include /etc/nginx/mime.types;
default_type application/octet-stream;
include /etc/nginx/conf.d/*.conf;
}
- vim /etc/nginx/conf.d/jumpserver.conf
server {
listen 80;
client_max_body_size 100m; # upper bound for recording and file uploads
location /ui/ {
try_files $uri / /index.html;
alias /opt/lina/;
}
location /luna/ {
try_files $uri / /index.html;
alias /opt/luna/; # luna path; change it if you installed to a different directory
}
location /media/ {
add_header Content-Encoding gzip;
root /opt/jumpserver/data/; # recordings; change it if you installed to a different directory
}
location /static/ {
root /opt/jumpserver/data/; # static assets; change it if you installed to a different directory
}
location /koko/ {
proxy_pass http://localhost:5000;
proxy_buffering off;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
access_log off;
}
location /guacamole/ {
proxy_pass http://localhost:8081/;
proxy_buffering off;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $http_connection;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
access_log off;
}
location /ws/ {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://localhost:8070;
proxy_http_version 1.1;
proxy_buffering off;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
location /api/ {
proxy_pass http://localhost:8080;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
location /core/ {
proxy_pass http://localhost:8080;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
location / {
rewrite ^/(.*)$ /ui/$1 last;
}
}
Start nginx
systemctl start nginx
Once every service is running, reach JumpServer through the nginx proxy on port 80; do not use port 8080 directly.
Default account: admin, password: admin. Change it at the first login; default credentials on a bastion host are the first thing a scanner tries.
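The advice to use port 80 only helps if the other ports are not reachable. The script below is an added example, not part of the walkthrough or of JumpServer, that reads `ss -ltn` output and reports every listener this deployment creates, flagging any internal one (core 8080 and 8070, koko 5000, tomcat 8081, MariaDB 3306, Redis 6379) bound to something other than loopback. The port list is taken from the configs above; the SS_SAMPLE text is constructed to resemble a host where HTTP_BIND_HOST was set to 0.0.0.0, the Redis bind line was commented out and MariaDB kept its default bind address.

```shell
#!/usr/bin/env bash
# Added example: verify that only nginx listens on the network after the
# deployment. Not JumpServer project code; the sample ss output is constructed.

# Ports this walkthrough configures. Users should only ever reach nginx;
# everything else is reached through nginx or locally over loopback.
PUBLIC_PORTS="80"
INTERNAL_PORTS="8080 8070 5000 8081 3306 6379"

# is_loopback ADDR: 0 if ADDR is a loopback address in any form ss prints it.
is_loopback() {
    case "$1" in
        127.0.0.1|::1|'[::1]') return 0 ;;
        *) return 1 ;;
    esac
}

# check_exposure FILE: FILE holds "ss -ltn" output. Prints one line per
# listener of interest and returns the number of internal ports that are
# bound to a non-loopback address (0 = only nginx is reachable).
check_exposure() {
    local f="$1" exposed=0 state local_addr addr port p
    # Column 4 is "Local Address:Port"; split on the last ':' so that
    # "*:80", ":::80", "[::]:80" and "127.0.0.1:8081" all parse.
    while read -r state _ _ local_addr _; do
        [ "$state" = "LISTEN" ] || continue
        port="${local_addr##*:}"
        addr="${local_addr%:*}"
        for p in $INTERNAL_PORTS; do
            if [ "$port" = "$p" ]; then
                if is_loopback "$addr"; then
                    echo "ok       $addr:$port"
                else
                    echo "EXPOSED  $addr:$port  (reachable from the network; should be 127.0.0.1)"
                    exposed=$((exposed + 1))
                fi
            fi
        done
        for p in $PUBLIC_PORTS; do
            if [ "$port" = "$p" ]; then
                echo "public   $addr:$port  (nginx, expected)"
            fi
        done
    done <"$f"
    return "$exposed"
}

# --- constructed sample: ss -ltn on a host where HTTP_BIND_HOST was 0.0.0.0,
# the Redis bind line was commented out and MariaDB kept its default bind
# address. Capture the real thing with: ss -ltn >/tmp/ss.txt
WORK=$(mktemp -d)
SS_SAMPLE="$WORK/ss-ltn.txt"
cat >"$SS_SAMPLE" <<'EOF'
State      Recv-Q Send-Q Local Address:Port               Peer Address:Port
LISTEN     0      128          *:80                       *:*
LISTEN     0      128          *:8080                     *:*
LISTEN     0      128    127.0.0.1:8070                   *:*
LISTEN     0      128    127.0.0.1:5000                   *:*
LISTEN     0      128    127.0.0.1:8081                   *:*
LISTEN     0      50           *:3306                     *:*
LISTEN     0      128          *:6379                     *:*
LISTEN     0      128         :::80                      :::*
EOF

if check_exposure "$SS_SAMPLE"; then
    echo "-> only nginx is reachable from the network"
else
    echo "-> internal port(s) exposed: set HTTP_BIND_HOST: 127.0.0.1, keep 'bind 127.0.0.1' in redis.conf, and set bind-address=127.0.0.1 under [mysqld] for MariaDB"
fi
```

Run `ss -ltn >/tmp/ss.txt && check_exposure /tmp/ss.txt` after all services are up and again after any reboot; a non-zero return is the signal that someone can reach the API on 8080, Redis, or the database without going through nginx.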

Browser login fails with "Server error occur, contact administrator"
Fix: clear Redis, restart Redis, restart jms, then log in again.