CentOS7.4.1708安装jumpserver

官网安装文档    参考文档

关闭防火墙
# Switch SELinux to permissive now and keep it disabled after reboot, then turn
# off the host firewall so the service ports listed later on this page are
# reachable. (A narrower alternative is to keep firewalld and open only the
# ports clients actually need to reach.)
setenforce 0
sed -i -e 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config
systemctl disable firewalld && systemctl stop firewalld


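# Enable EPEL so the packages below resolve.
yum -y install epel-release
# Build Python 3.6 from source (https://www.cnblogs.com/charles8866/p/8366695.html)
# Build dependencies (the -devel packages are also what the pip requirements
# installed later compile against):
yum -y install openssl-devel bzip2-devel expat-devel gdbm-devel readline-devel sqlite-devel wget gcc gcc-c++ git python-devel python3-devel mysql-devel libffi-devel openldap-devel
# Fetch and unpack the Python source. Nothing here verifies the download;
# python.org publishes a detached .asc signature next to each tarball if you
# want to check it before building.
wget https://www.python.org/ftp/python/3.6.0/Python-3.6.0.tgz
tar -xzvf Python-3.6.0.tgz -C /usr/local
# Chained with && so configure/make never run in the wrong directory if the cd
# fails. `make altinstall` installs a versioned python3.6 only and leaves the
# system `python` untouched.
cd /usr/local/Python-3.6.0 && ./configure --prefix=/usr/local && make && make altinstall

# Expose the new interpreter as python3. `ln -s` fails if /usr/bin/python3
# already exists (python3-devel above may have created one) — check with
# `ls -l /usr/bin/python3` first and use `ln -sf` only if replacing it is intended.
ln -s /usr/local/bin/python3.6 /usr/bin/python3
cd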

# Install MySQL 5.7 from Oracle's community repository.
wget https://repo.mysql.com//mysql57-community-release-el7-11.noarch.rpm
yum install -y mysql57-community-release-el7-11.noarch.rpm
yum install -y mysql-community-server
# Bring the server up now and at every boot.
systemctl start mysqld && systemctl enable mysqld && systemctl daemon-reload

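# Print the temporary root password mysqld generated on first start
# (grep reads the log directly; the original piped it through cat).
grep -F localhost /var/log/mysqld.log | awk -F 'localhost' '{print $2}' | awk -F ': ' '{print $2}'

# Log in with that temporary password (-p prompts, so the password stays out
# of argv and shell history).
mysql -u root -p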

# Replace the temporary root password (the value here is the author's example).
ALTER USER 'root'@'localhost' IDENTIFIED BY 'Flz_3qc.';

# Allow root to log in from any host (off by default). This grants full remote
# superuser access with GRANT OPTION; the application itself only uses the
# dedicated 'jumpserver'@'127.0.0.1' account created below, so this step can be
# limited to the admin hosts that actually need it.
GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' IDENTIFIED BY 'Flz_3qc.' WITH GRANT OPTION;

# Make UTF-8 the server default: add the two lines below to /etc/my.cnf
vim /etc/my.cnf
[mysqld]        # add the following 2 lines inside this section
character_set_server=utf8
init_connect='SET NAMES utf8'

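# Restart so the my.cnf charset change takes effect.
systemctl restart mysqld

# Create the jumpserver database and a dedicated account that can only connect
# from 127.0.0.1. The SQL is fed on stdin (heredoc) instead of -e so the account
# password is not visible in `ps` output while mysql runs; -p still prompts for
# the root password.
mysql -uroot -p <<'EOF'
create database jumpserver default charset 'utf8';
grant all on jumpserver.* to 'jumpserver'@'127.0.0.1' identified by 'Flz_3qc.';
flush privileges;
EOF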

安装redis
# Redis is used by JumpServer and koko as the shared session store.
yum install -y redis
给redis添加访问密码
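# Set a Redis auth password. The sed only matches the stock commented-out
# "# requirepass foobared" line and is silent when that line is absent, so
# confirm the directive is actually active before starting the service.
sed -i 's/# requirepass foobared/requirepass  A123456/' /etc/redis.conf
grep -q '^requirepass ' /etc/redis.conf || printf '%s\n' 'requirepass is not set in /etc/redis.conf' >&2
systemctl start redis && systemctl enable redis && systemctl status redis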

#安装jumpserver
先在本机生成密钥
# Generate an RSA key pair for this host (interactive prompts).
ssh-keygen -t rsa
# Show the public key so it can be added to GitHub. The rest of this page
# downloads release tarballs over HTTPS, so the key is only needed if you
# clone the repositories over SSH instead.
cat "$HOME/.ssh/id_rsa.pub"

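# Create the Python 3 virtualenv everything below runs in. The && keeps the
# venv from being created elsewhere if the cd fails.
cd /opt/ && python3 -m venv py3
source /opt/py3/bin/activate

# Fetch the JumpServer 2.0.1 release tarball and unpack it as /opt/jumpserver
# (run from /opt: the archive lands in the current directory).
wget -O jumpserver.tar.gz https://github.com/jumpserver/jumpserver/archive/2.0.1.tar.gz
tar -zxvf jumpserver.tar.gz && mv jumpserver-2.0.1 jumpserver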

# Install the Python dependencies; the pip commands below run from this directory.
cd /opt/jumpserver/requirements
确保已经载入 py3 虚拟环境, 国内可以使用镜像加速
# Make sure the py3 venv is active (pip must be /opt/py3/bin/pip). The Aliyun
# mirror only speeds up downloads inside China.
pypi_mirror=https://mirrors.aliyun.com/pypi/simple/
pip install -i "$pypi_mirror" wheel
pip install -i "$pypi_mirror" --upgrade pip setuptools
pip install -i "$pypi_mirror" -r requirements.txt

# Start from the shipped example config and edit it (the settings are listed below).
cd /opt/jumpserver \
  && cp config_example.yml config.yml \
  && vim config.yml
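# Generate your own value: tr -dc A-Za-z0-9 </dev/urandom | head -c 49; echo
# (the keys and tokens shown on this page are the author's examples, not values to reuse)
SECRET_KEY: CHMdppN1fErTbnBZbIJnPl1crTjZxOxstJUWsR8zDx0dp874c
# Generate your own value: tr -dc A-Za-z0-9 </dev/urandom | head -c 17; echo
# Must match BOOTSTRAP_TOKEN in the koko config further down. The space after
# the colon is required — "BOOTSTRAP_TOKEN:tMd5..." is not a key/value pair in YAML.
BOOTSTRAP_TOKEN: tMd5Z8OIM5JlWndeY
DEBUG: false
LOG_LEVEL: ERROR
SESSION_EXPIRE_AT_BROWSER_CLOSE: true
DB_ENGINE: mysql
DB_HOST: 127.0.0.1
DB_PORT: 3306
DB_USER: jumpserver
# Password of the jumpserver@127.0.0.1 MySQL account created above.
DB_PASSWORD: Flz_3qc.
DB_NAME: jumpserver
# 0.0.0.0 exposes port 8080 on every interface. The direct http://IP:8080 check
# on this page needs that; once nginx (below, proxying to localhost:8080) is in
# front of the app, 127.0.0.1 is enough here.
HTTP_BIND_HOST: 0.0.0.0
HTTP_LISTEN_PORT: 8080
WS_LISTEN_PORT: 8070
REDIS_HOST: 127.0.0.1
REDIS_PORT: 6379
# Must match requirepass in /etc/redis.conf.
REDIS_PASSWORD: A123456
WINDOWS_SKIP_ALL_MANUAL_PASSWORD: True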

生成数据库表结构和初始化数据
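# Create the database schema and seed data. The && prevents the script from
# running in the wrong directory if the cd fails; the final cd is absolute so
# the session ends in /opt/jumpserver either way.
cd /opt/jumpserver/utils && bash make_migrations.sh
cd /opt/jumpserver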


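# Start JumpServer. Run it in the foreground first; once it comes up without
# errors stop it (Ctrl+C) and start it again with -d to run in the background.
# (The original listed both launches as prose mixed with the commands.)
cd /opt/jumpserver
./jms start all          # foreground
./jms start all -d       # background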
#####################################################
遇到的问题:
1、ModuleNotFoundError: No module named 'psutil'
解决:pip install psutil -i https://mirrors.aliyun.com/pypi/simple/
2、ModuleNotFoundError: No module named 'daemon'
解决:pip install daemon -i https://mirrors.aliyun.com/pypi/simple/
3、ImportError: cannot import name 'pidfile'
解决:pip install pidfile -i https://mirrors.aliyun.com/pypi/simple/
4、ModuleNotFoundError: No module named 'django'
解决:pip install django -i http://pypi.douban.com/simple/ --trusted-host pypi.douban.com(该源走 http,--trusted-host 只是让 pip 接受非 https 源;优先使用上面的 https 镜像)
5、ModuleNotFoundError: No module named 'yaml'
解决:pip install pyyaml -i https://mirrors.aliyun.com/pypi/simple/
#####################################################

#浏览器访问:http://IP:8080

安装到这里还打不开网页,会提示错误,先不用处理,搭建 nginx 代理后即可正常访问!!!帐密:admin / admin

 Jumpserver 插件安装
Jumpserver本身的功能已经足够强大,但是加上以下几个组件更是让Jumpserver锦上添花。
组件如下:
Coco:Coco为 SSH Server 和 Web Terminal Server。用户可以通过使用自己的账户登录 SSH 或者 Web Terminal直接访问被授权的资产。不需要知道服务器的账户和密码,现在 Coco 已经被 koko 取代。
Luna:luna 为 Web Terminal Server 前端页面,用户使用 Web Terminal 方式登录时所需要的插件。
Guacamole:Guacamole 为 Windows 组件,用户可以通过 Web Terminal 来连接 Windows 资产(暂时只能通过 Web Terminal来访问)
各个组件所监听的端口如下:
Jumpserver:8080/tcp
Redis:6379/tcp
MySQL/Mariadb:3306/tcp
Nginx:80/tcp
Koko:SSH为2222/tcp,Web Terminal为5000/tcp
Guacamole:8081/tcp

如前台启动需强制将前台启动的jumpserver停止,ctrl + c

正常部署 koko 组件

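# Download the matching koko release from https://github.com/jumpserver/koko/releases
# and unpack it under /opt (the && keeps the download out of the wrong directory).
cd /opt && wget https://github.com/jumpserver/koko/releases/download/2.0.1/koko-master-linux-amd64.tar.gz
tar -zxvf koko-master-linux-amd64.tar.gz
# "kokodir" is presumably a placeholder for whatever directory the tarball
# extracts to — check with `ls /opt` and substitute the real name (the same
# name is used as /opt/kokodir/koko further down).
chown -R root:root kokodir
cd kokodir && cp config_example.yml config.yml && vim config.yml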
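NAME: "coco"       # name this koko registers with in Jumpserver; identification only, must be unique
CORE_HOST: http://127.0.0.1:8080     # Jumpserver URL used by the registration API calls
# Pre-shared secret used to register koko's service account and terminal; it
# must equal BOOTSTRAP_TOKEN in the Jumpserver config.yml above and may be
# removed from this file once registration has succeeded. (The original had
# this note as a bare line, which is not valid YAML.)
BOOTSTRAP_TOKEN: tMd5Z8OIM5JlWndeY
LOG_LEVEL: ERROR
SHARE_ROOM_TYPE: redis
REDIS_HOST: 127.0.0.1
REDIS_PORT: 6379
REDIS_PASSWORD: A123456       # same value as requirepass in /etc/redis.conf
REDIS_DB_ROOM: 6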

启动 Koko
# Restart Jumpserver first — do not skip this!
/opt/jumpserver/jms restart

# Start koko in the foreground first; if that runs cleanly, use -d to run it in
# the background. (kokodir is presumably the directory the koko tarball was
# unpacked to — see the install step above.)
/opt/kokodir/koko start        # foreground
/opt/kokodir/koko start -d  &    # background

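# Check that koko is running and listening. pgrep -f matches the full command
# line and, unlike ps|grep, does not list its own grep process.
pgrep -af koko
ss -anplt | grep -F -- koko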

测试连接(ssh -p2222 <用户>@<主机IP>,账密:admin/admin)

#启动成功后去Jumpserver 会话管理-终端管理(http://192.168.100.129:8080/terminal/terminal/)接受coco的注册,如果页面不正常可以等部署完成后再处理


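# Install the Luna web terminal front end. Luna is static files only and is
# served by nginx (configured below).
cd /opt/ && wget https://github.com/jumpserver/luna/releases/download/1.5.4/luna.tar.gz
# root:root rather than the deprecated root.root form (matches the koko step above).
tar -zxvf luna.tar.gz && chown -R root:root luna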


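# Install nginx from nginx.org's stable repo and use it to front all components.
yum -y install yum-utils
# Quoted heredoc: $releasever/$basearch are written literally for yum to expand,
# with no backslash escaping needed. `>` rather than `>>` so re-running this does
# not append a duplicate [nginx-stable] section. gpgcheck=1 plus nginx's
# published key makes yum verify package signatures (the original had gpgcheck=0).
cat > /etc/yum.repos.d/nginx.repo <<'EOF'
[nginx-stable]
name=nginx stable repo
baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
enabled=1
gpgcheck=1
gpgkey=https://nginx.org/keys/nginx_signing.key
EOF

yum makecache fast
yum -y install nginx
# Move the stock default vhost aside; jumpserver.conf below replaces it.
mv /etc/nginx/conf.d/default.conf{,.bak}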

# Prepare the config file: edit /etc/nginx/conf.d/jumpserver.conf
# One vhost that serves Luna's static files and proxies the Jumpserver,
# koko and Guacamole components on the ports listed earlier on this page.
server {
# Plain HTTP: the login (admin/admin by default) and session cookies cross the
# network unencrypted. Terminate TLS here (listen 443 ssl) before exposing this
# beyond a lab network.
listen 80;
# Size limit for session recordings and file uploads
client_max_body_size 100m;
error_log /var/log/jumpserver_error.log;

location /luna/ {
  try_files $uri / /index.html;
  # luna path; change this if the install directory is changed
  alias /opt/luna/;
}
location /media/ {
  add_header Content-Encoding gzip;
  # recording location; change this if the install directory is changed
  root /opt/jumpserver/data/;
}

location /static/ {
  # static assets; change this if the install directory is changed
  root /opt/jumpserver/data/;
}

# koko web terminal (5000/tcp): websocket upgrade headers are required here
location /socket.io/ {
  proxy_pass   http://localhost:5000/socket.io/;
  proxy_buffering off;
  proxy_http_version 1.1;
  proxy_set_header   Upgrade $http_upgrade;
  proxy_set_header   Connection "upgrade";
  proxy_set_header   X-Real-IP $remote_addr;
  proxy_set_header   Host $host;
  proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
  access_log off;
}

# koko HTTP API (same 5000/tcp backend)
location /coco/ {
  proxy_pass   http://localhost:5000/coco/;
  proxy_set_header   X-Real-IP $remote_addr;
  proxy_set_header   Host $host;
  proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
  access_log off;
}
# Guacamole (8081/tcp) for Windows assets
location /guacamole/ {
  proxy_pass   http://localhost:8081/;
  proxy_buffering off;
  proxy_http_version 1.1;
  proxy_set_header   Upgrade $http_upgrade;
  proxy_set_header   Connection $http_connection;
  proxy_set_header   X-Real-IP $remote_addr;
  proxy_set_header   Host $host;
  proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
  access_log off;
}

# Everything else goes to the Jumpserver web app (8080/tcp)
location / {
  proxy_pass http://localhost:8080;
  proxy_set_header X-Real-IP $remote_addr;
  proxy_set_header Host $host;
  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}


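# Validate the configuration first; nginx is started and enabled only if the
# test passes (the original ran all three unconditionally).
nginx -t && systemctl start nginx && systemctl enable nginx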

测试jumpser功能
1、检查web页面是否已经正常运行
服务全部启动后, 访问 http://192.168.1.101(ip地址是你安装Nginx的那台机器的ip), 访问nginx代理的端口(也就是80端口), 不要再通过8080端口访问
默认账号: admin 密码: admin
到Jumpserver 会话管理-终端管理 检查 Coco Guacamole 等应用的注册。


转载自www.cnblogs.com/smlile-you-me/p/13193063.html