Article Directory
-
- Architecture diagram
- Component introduction
- Component deployment
-
- 1. Environmental requirements
- 2. System environment update
- 3. Environment dependent packages
- 4. Install Python, Mysql, Redis, Nginx components
- 5. Redis settings
- 6. Mysql settings
- 7. Python virtual environment configuration
- 8. JumpServer deployment
- 9. Docker deploys KOKO components
- 10. Docker deploy Guacamole components
- 11. Lina component deployment
- 12. Luna component deployment
- 13. Nginx integrates the configuration of each component
- 14. Jumpserver login verification
- Safety advice
- Other supplements
Architecture diagram
Component introduction
- JumpServer => now refers to the Jumpserver management backend, which is the core component (Core), developed in the style of Django Class Based View, and supports Restful API.
- koko => implements the components of SSH Server and Web Terminal Server, provides SSH and WebSocket interfaces, and is developed using Paramiko and Flask.
- Luna => Now it is the front end of Web Terminal. It is planned that all front-end pages will be provided by this project. Jumpserver only provides API and is no longer responsible for rendering html in the background.
- Guacamole => Apache springboard project, Jumpserver uses its components to implement RDP functions. Jumpserver does not modify its code but adds additional plug-ins to support Jumpserver calls.
Component deployment
1. Environmental requirements
Hardware configuration: 2 CPU cores, 4G memory, 50G hard disk (minimum)
Operating system: Linux distribution x86_64
Other configuration: Turn off SELinux and firewall (the production environment needs to be turned on carefully)
setenforce 0
sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config
systemctl status firewalld.service
systemctl start firewalld.service
systemctl stop firewalld.service
systemctl disable firewalld.service
2. System environment update
yum -y update
3. Environment dependent packages
yum -y install wget gcc epel-release git gcc krb5-devel libtiff-devel libjpeg-devel libzip-devel freetype-devel libwebp-devel tcl-devel tk-devel sshpass openldap-devel mariadb-devel libffi-devel openssh-clients telnet openldap-clients docker
4. Install Python, Mysql, Redis, Nginx components
yum -y install python3.6 python36-devel mariadb mariadb-server.x86_64 redis nginx
5. Redis settings
systemctl enable redis
systemctl start redis
6. Mysql settings
systemctl enable mariadb
systemctl start mariadb
DB_PASSWORD=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 24`
echo -e "\033[31m 你的数据库密码是 $DB_PASSWORD \033[0m"
mysql -uroot -e "create database jumpserver default charset 'utf8' collate 'utf8_bin'; grant all on jumpserver.* to 'jumpserver'@'127.0.0.1' identified by '$DB_PASSWORD'; flush privileges;"
The default root password is empty. Here is how to modify the password:
mysqladmin -u root -p password ericzhong
7. Python virtual environment configuration
cd /opt
python3.6 -m venv py3
source /opt/py3/bin/activate
Every time you operate jumpserver, you need to load the py3 virtual environment first
8. JumpServer deployment
- Download program and deployment
cd /opt && \
wget -O jumpserver.tar.gz https://github.com/jumpserver/jumpserver/archive/2.0.1.tar.gz
tar xf jumpserver.tar.gz
ln -s /opt/jumpserver-2.0.1 /opt/jumpserver
- Install compilation environment dependencies
yum install -y $(cat rpm_requirements.txt)
pip install wheel -i https://mirrors.aliyun.com/pypi/simple/
pip install --upgrade pip setuptools -i https://mirrors.aliyun.com/pypi/simple/
pip install -r requirements.txt -i https://mirrors.aliyun.com/pypi/simple/
- Configuration modification
cd /opt/jumpserver/
cp config_example.yml config.yml
SECRET_KEY=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 50`
echo "SECRET_KEY=$SECRET_KEY" >> ~/.bashrc
BOOTSTRAP_TOKEN=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 16`
echo "BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN" >> ~/.bashrc
sed -i "s/SECRET_KEY:/SECRET_KEY: $SECRET_KEY/g" /opt/jumpserver/config.yml
sed -i "s/BOOTSTRAP_TOKEN:/BOOTSTRAP_TOKEN: $BOOTSTRAP_TOKEN/g" /opt/jumpserver/config.yml
sed -i "s/# DEBUG: true/DEBUG: false/g" /opt/jumpserver/config.yml
sed -i "s/# LOG_LEVEL: DEBUG/LOG_LEVEL: ERROR/g" /opt/jumpserver/config.yml
sed -i "s/# SESSION_EXPIRE_AT_BROWSER_CLOSE: false/SESSION_EXPIRE_AT_BROWSER_CLOSE: true/g" /opt/jumpserver/config.yml
sed -i "s/DB_PASSWORD: /DB_PASSWORD: $DB_PASSWORD/g" /opt/jumpserver/config.yml
echo -e "\033[31m 你的SECRET_KEY是 $SECRET_KEY \033[0m"
echo -e "\033[31m 你的BOOTSTRAP_TOKEN是 $BOOTSTRAP_TOKEN \033[0m"
- starting program
cd /opt/jumpserver/
./jms start -d
Log output:
(py3) [root@jumpserver01 jumpserver]# ./jms start -d
2020-06-23 14:13:41 Tue Jun 23 14:13:41 2020
2020-06-23 14:13:41 Jumpserver version 2.0.0, more see https://www.jumpserver.org
- Start Gunicorn WSGI HTTP Server
2020-06-23 14:13:41 Check database connection ...
users
[ ] 0001_initial
[ ] 0002_auto_20171225_1157_squashed_0019_auto_20190304_1459 (18 squashed migrations)
[ ] 0020_auto_20190612_1825
[ ] 0021_auto_20190625_1104
[ ] 0022_auto_20190625_1105
[ ] 0023_auto_20190724_1525
[ ] 0024_auto_20191118_1612
[ ] 0025_auto_20200206_1216
[ ] 0026_auto_20200508_2105
[ ] 0027_auto_20200616_1503
2020-06-23 14:13:48 Database connect success
2020-06-23 14:13:48 Check database structure change ...
2020-06-23 14:13:48 Migrate model change to database ...
Operations to perform:
Apply all migrations: admin, applications, assets, audits, auth, authentication, captcha, common, contenttypes, django_cas_ng, django_celery_beat, jms_oidc_rp, ops, orgs, perms, sessions, settings, terminal, tickets, users
Running migrations:
Applying contenttypes.0001_initial... OK
Applying contenttypes.0002_remove_content_type_name... OK
Applying auth.0001_initial... OK
Applying auth.0002_alter_permission_name_max_length... OK
Applying auth.0003_alter_user_email_max_length... OK
Applying auth.0004_alter_user_username_opts... OK
Applying auth.0005_alter_user_last_login_null... OK
Applying auth.0006_require_contenttypes_0002... OK
Applying auth.0007_alter_validators_add_error_messages... OK
Applying auth.0008_alter_user_username_max_length... OK
Applying users.0001_initial... OK
Applying admin.0001_initial... OK
Applying admin.0002_logentry_remove_auto_add... OK
Applying admin.0003_logentry_add_action_flag_choices... OK
Applying users.0002_auto_20171225_1157_squashed_0019_auto_20190304_1459... OK
Applying assets.0001_initial... OK
Applying perms.0001_initial... OK
Applying assets.0002_auto_20180105_1807_squashed_0009_auto_20180307_1212... OK
Applying assets.0010_auto_20180307_1749_squashed_0019_auto_20180816_1320... OK
Applying perms.0002_auto_20171228_0025_squashed_0009_auto_20180903_1132... OK
Applying perms.0003_action... OK
Applying perms.0004_assetpermission_actions... OK
Applying assets.0020_auto_20180816_1652... OK
Applying assets.0021_auto_20180903_1132... OK
Applying assets.0022_auto_20181012_1717... OK
Applying assets.0023_auto_20181016_1650... OK
Applying assets.0024_auto_20181219_1614... OK
Applying assets.0025_auto_20190221_1902... OK
Applying assets.0026_auto_20190325_2035... OK
Applying applications.0001_initial... OK
Applying perms.0005_auto_20190521_1619... OK
Applying perms.0006_auto_20190628_1921... OK
Applying perms.0007_remove_assetpermission_actions... OK
Applying perms.0008_auto_20190911_1907... OK
Applying assets.0027_auto_20190521_1703... OK
Applying assets.0028_protocol... OK
Applying assets.0029_auto_20190522_1114... OK
Applying assets.0030_auto_20190619_1135... OK
Applying assets.0031_auto_20190621_1332... OK
Applying assets.0032_auto_20190624_2108... OK
Applying assets.0033_auto_20190624_2108... OK
Applying assets.0034_auto_20190705_1348... OK
Applying assets.0035_auto_20190711_2018... OK
Applying assets.0036_auto_20190716_1535... OK
Applying assets.0037_auto_20190724_2002... OK
Applying assets.0038_auto_20190911_1634... OK
Applying perms.0009_remoteapppermission_system_users... OK
Applying applications.0002_remove_remoteapp_system_user... OK
Applying applications.0003_auto_20191210_1659... OK
Applying applications.0004_auto_20191218_1705... OK
Applying assets.0039_authbook_is_active... OK
Applying assets.0040_auto_20190917_2056... OK
Applying assets.0041_gathereduser... OK
Applying assets.0042_favoriteasset... OK
Applying assets.0043_auto_20191114_1111... OK
Applying assets.0044_platform... OK
Applying assets.0045_auto_20191206_1607... OK
Applying assets.0046_auto_20191218_1705... OK
Applying assets.0047_assetuser... OK
Applying assets.0048_auto_20191230_1512... OK
Applying assets.0049_systemuser_sftp_root... OK
Applying audits.0001_initial... OK
Applying audits.0002_ftplog_org_id... OK
Applying audits.0003_auto_20180816_1652... OK
Applying audits.0004_operatelog_passwordchangelog_userloginlog... OK
Applying audits.0005_auto_20190228_1715... OK
Applying audits.0006_auto_20190726_1753... OK
Applying audits.0007_auto_20191202_1010... OK
Applying audits.0008_auto_20200508_2105... OK
Applying auth.0009_alter_user_last_name_max_length... OK
Applying auth.0010_alter_group_name_max_length... OK
Applying auth.0011_update_proxy_permissions... OK
Applying authentication.0001_initial... OK
Applying authentication.0002_auto_20190729_1423... OK
Applying authentication.0003_loginconfirmsetting... OK
Applying captcha.0001_initial... OK
Applying common.0001_initial... OK
Applying common.0002_auto_20180111_1407... OK
Applying common.0003_setting_category... OK
Applying common.0004_setting_encrypted... OK
Applying common.0005_auto_20190221_1902... OK
Applying common.0006_auto_20190304_1515... OK
Applying django_cas_ng.0001_initial... OK
Applying django_celery_beat.0001_initial... OK
Applying django_celery_beat.0002_auto_20161118_0346... OK
Applying django_celery_beat.0003_auto_20161209_0049... OK
Applying django_celery_beat.0004_auto_20170221_0000... OK
Applying django_celery_beat.0005_add_solarschedule_events_choices_squashed_0009_merge_20181012_1416... OK
Applying django_celery_beat.0006_periodictask_priority... OK
Applying jms_oidc_rp.0001_initial... OK
Applying ops.0001_initial... OK
Applying ops.0002_celerytask... OK
Applying ops.0003_auto_20181207_1744... OK
Applying ops.0004_adhoc_run_as... OK
Applying ops.0005_auto_20181219_1807... OK
Applying ops.0006_auto_20190318_1023... OK
Applying ops.0007_auto_20190724_2002... OK
Applying ops.0008_auto_20190919_2100... OK
Applying ops.0009_auto_20191217_1713... OK
Applying ops.0010_auto_20191217_1758... OK
Applying ops.0011_auto_20200106_1534... OK
Applying ops.0012_auto_20200108_1659... OK
Applying ops.0013_auto_20200108_1706... OK
Applying ops.0014_auto_20200108_1749... OK
Applying ops.0015_auto_20200108_1809... OK
Applying ops.0016_commandexecution_org_id... OK
Applying ops.0017_auto_20200306_1747... OK
Applying ops.0018_auto_20200509_1434... OK
Applying orgs.0001_initial... OK
Applying orgs.0002_auto_20180903_1132... OK
Applying orgs.0003_auto_20190916_1057... OK
Applying users.0020_auto_20190612_1825... OK
Applying users.0021_auto_20190625_1104... OK
Applying users.0022_auto_20190625_1105... OK
Applying users.0023_auto_20190724_1525... OK
Applying users.0024_auto_20191118_1612... OK
Applying perms.0010_auto_20191218_1705... OK
Applying sessions.0001_initial... OK
Applying settings.0001_initial... OK
Applying terminal.0001_initial... OK
Applying terminal.0002_auto_20171228_0025_squashed_0009_auto_20180326_0957... OK
Applying terminal.0010_auto_20180423_1140... OK
Applying terminal.0011_auto_20180807_1116... OK
Applying terminal.0012_auto_20180816_1652... OK
Applying terminal.0013_auto_20181123_1113... OK
Applying terminal.0014_auto_20181226_1441... OK
Applying terminal.0015_auto_20190923_1529... OK
Applying terminal.0016_commandstorage_replaystorage... OK
Applying terminal.0017_auto_20191125_0931... OK
Applying terminal.0018_auto_20191202_1010... OK
Applying terminal.0019_auto_20191206_1000... OK
Applying terminal.0020_auto_20191218_1721... OK
Applying terminal.0021_auto_20200213_1316... OK
Applying terminal.0022_session_is_success... OK
Applying terminal.0023_command_risk_level... OK
Applying tickets.0001_initial... OK
Applying users.0025_auto_20200206_1216... OK
Applying users.0026_auto_20200508_2105... OK
Applying users.0027_auto_20200616_1503... OK
2020-06-23 14:14:12 Collect static files
2020-06-23 14:14:18 Collect static files done
- Start Celery as Distributed Task Queue: Ansible
- Start Celery as Distributed Task Queue: Celery
- Start Beat as Periodic Task Scheduler
- Start Flower as Task Monitor
- Start Daphne ASGI WS Server
gunicorn is running: 3881
celery_ansible is running: 3892
celery_default is running: 3896
beat is running: 3900
flower is running: 3904
daphne is running: 3908
- Jumpserver automatic startup settings
echo 'source /opt/py3/bin/activate && /opt/jumpserver/jms start -d' >> /etc/rc.local \
&& chmod +x /etc/rc.d/rc.local
9. Docker deploys KOKO components
systemctl enable docker
systemctl daemon-reload
systemctl restart docker.service
cd /opt
Server_IP=`ip addr | grep 'state UP' -A2 | grep inet \
| egrep -v '(127.0.0.1|inet6|docker)' | awk '{print $2}' | tr -d "addr:" \
| head -n 1 | cut -d / -f1` \
&& echo -e "\033[31m 你的服务器IP是 $Server_IP \033[0m" \
&& echo -e "\033[31m 你的BOOTSTRAP_TOKEN是 $BOOTSTRAP_TOKEN \033[0m"
docker run --name jms_koko -d \
-p 2222:2222 -p 127.0.0.1:5000:5000 \
-e CORE_HOST=http://$Server_IP:8080 \
-e BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN \
-e LOG_LEVEL=ERROR \
--restart=always \
jumpserver/jms_koko:2.0.1
10. Docker deploy Guacamole components
cd /opt
docker run --name jms_guacamole -d \
-p 127.0.0.1:8081:8080 \
-e JUMPSERVER_SERVER=http://$Server_IP \
-e BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN \
-e GUACAMOLE_LOG_LEVEL=ERROR \
jumpserver/jms_guacamole:2.0.1
- Check Docker status
docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
36a58481a02e jumpserver/jms_guacamole:2.0.1 "./entrypoint.sh" About a minute ago Up About a minute 127.0.0.1:8081->8080/tcp jms_guacamole
7a77d4c2aea4 jumpserver/jms_koko:2.0.1 "./entrypoint.sh" 9 minutes ago Up 9 minutes 0.0.0.0:2222->2222/tcp, 127.0.0.1:5000->5000/tcp jms_koko
docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
docker.io/jumpserver/jms_koko 2.0.1 141f4ce1e18c 4 hours ago 356 MB
docker.io/jumpserver/jms_guacamole 2.0.1 b1eecc36e7a2 4 hours ago 659 MB
11. Lina component deployment
cd /opt
wget http://demo.jumpserver.org/download/lina/2.0.1/lina.tar.gz
tar -xf lina.tar.gz
chown -R nginx:nginx lina
12. Luna component deployment
cd /opt
wget http://demo.jumpserver.org/download/luna/2.0.1/luna.tar.gz
tar -xf luna.tar.gz
chown -R nginx:nginx luna
13. Nginx integrates the configuration of each component
# nginx默认配置
cat > /usr/local/nginx/nginx.conf << EOF
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
include /usr/share/nginx/modules/*.conf;
events {
worker_connections 1024;
}
http {
log_format main '\$remote_addr - \$remote_user [\$time_local] "\$request" '
'\$status \$body_bytes_sent "\$http_referer" '
'"\$http_user_agent" "\$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
include /usr/local/nginx/mime.types;
default_type application/octet-stream;
include /usr/local/nginx/conf.d/*.conf;
}
EOF
# 清空默认虚拟主机配置
echo > /etc/nginx/conf.d/default.conf
# jumpserver虚拟主机配置
vi /etc/nginx/conf.d/jumpserver.conf
server {
listen 80;
client_max_body_size 500m; # 录像及文件上传大小限制
location /ui/ {
try_files $uri / /index.html;
alias /opt/lina/;
}
location /luna/ {
try_files $uri / /index.html;
alias /opt/luna/; # luna 路径, 如果修改安装目录, 此处需要修改
}
location /media/ {
add_header Content-Encoding gzip;
root /opt/jumpserver/data/; # 录像位置, 如果修改安装目录, 此处需要修改
}
location /static/ {
root /opt/jumpserver/data/; # 静态资源, 如果修改安装目录, 此处需要修改
}
location /koko/ {
proxy_pass http://localhost:5000;
proxy_buffering off;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
access_log off;
}
location /guacamole/ {
proxy_pass http://localhost:8081/;
proxy_buffering off;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $http_connection;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
access_log off;
}
location /ws/ {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://localhost:8070;
proxy_http_version 1.1;
proxy_buffering off;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
location /api/ {
proxy_pass http://localhost:8080;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
location /core/ {
proxy_pass http://localhost:8080;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
location / {
rewrite ^/(.*)$ /ui/$1 last;
}
}
- Service start
systemctl enable nginx
systemctl start nginx
systemctl status nginx
nginx -t
nginx -s reload
14. Jumpserver login verification
Default account and password: admin
Safety advice
- A firewall is placed on the front of JumpServer to prohibit unnecessary port access. External access only needs to open ports 80 and 2222. If SSL is configured, port 443 needs to be opened.
- The operating system of the server where JumpServer resides should be upgraded to the latest.
- The software that JumpServer relies on prohibits weak passwords and default passwords, and regularly updates the software to the latest version.
- It is recommended to enable the MFA function to avoid security problems caused by password leakage
Other supplements
- Docker solves "net/http: TLS handshake timeout"
This problem is caused by some indescribable network problems, and can be solved by the following methods.
vi /etc/docker/daemon.json
{
"registry-mirrors": ["https://registry.docker-cn.com","https://pee6w651.mirror.aliyuncs.com"] }
service docker restart
- IPv6 feature service disabled
# 内核参数禁用
echo "net.ipv4.ip_forward=1" >> /etc/sysconfig/network
echo "net.ipv6.conf.all.disable_ipv6=1" >> /etc/sysconfig/network
echo "NETWORKING_IPV6=no" >> /etc/sysconfig/network
sysctl -p
# 启动参数禁用
vi /etc/default/grub
GRUB_CMDLINE_LINUX="ipv6.disable=1 ..."
grub2-mkconfig -o /boot/grub2/grub.cfg
reboot
- Koko component is abnormal and cannot be used normally
- Koko component log query:
docker logs -f jms_koko
- Koko component reconstruction method Since the
koko component is deployed in Docker, there is no problem that cannot be solved by reconstruction. If so, then the Nginx configuration is incorrect, please check the Nginx configuration.
cd /opt
docker stop jms_koko
docker rm jms_koko
Server_IP=`ip addr | grep 'state UP' -A2 | grep inet \
| egrep -v '(127.0.0.1|inet6|docker)' | awk '{print $2}' | tr -d "addr:" \
| head -n 1 | cut -d / -f1` \
&& echo -e "\033[31m 你的服务器IP是 $Server_IP \033[0m" \
&& echo -e "\033[31m 你的BOOTSTRAP_TOKEN是 $BOOTSTRAP_TOKEN \033[0m"
docker run --name jms_koko -d \
-p 2222:2222 -p 127.0.0.1:5000:5000 \
-e CORE_HOST=http://$Server_IP:8080 \
-e BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN \
-e LOG_LEVEL=ERROR \
--restart=always \
jumpserver/jms_koko:2.0.1