Installing and configuring JumpServer on CentOS 7

Environment

  • System
# cat /etc/redhat-release 
CentOS Linux release 7.4.1708 (Core) 
# uname -r
3.10.0-693.21.1.el7.x86_64
  • Disable SELinux and the firewall
# systemctl stop firewalld.service
# sed -i '/^SELINUX/s/enforcing/disabled/g' /etc/selinux/config
# grep -i ^selinux /etc/selinux/config
SELINUX=disabled
SELINUXTYPE=targeted
  • Set the locale (the logs print Chinese text; otherwise you may hit an "input/output error")
# localedef -c -f UTF-8 -i zh_CN zh_CN.UTF-8
# export LC_ALL=zh_CN.UTF-8
# echo 'LANG="zh_CN.UTF-8"' > /etc/locale.conf

Prepare Python 3 and a Python virtual environment

  • Install dependencies
# yum -y install wget sqlite-devel xz gcc automake zlib-devel openssl-devel epel-release git
  • Compile and install
# wget https://www.python.org/ftp/python/3.6.1/Python-3.6.1.tar.xz
# tar xvf Python-3.6.1.tar.xz && cd Python-3.6.1
# ./configure && make && make install
  • Create a Python virtual environment
# cd /opt
# python3 -m venv py3
# source /opt/py3/bin/activate

When you see the prompt below, the virtual environment is active. Any later command that runs Jumpserver must be executed after activating it; all of the commands that follow are run inside the virtual environment.
(py3) [root@localhost py3]

  • Load the Python virtual environment automatically
    If you forget to load the Python virtual environment, Jumpserver will not run.
# cd /opt
# git clone git://github.com/kennethreitz/autoenv.git
# echo 'source /opt/autoenv/activate.sh' >> ~/.bashrc
# source ~/.bashrc

Install Jumpserver

  • Download or clone the project
    You can either download the zip package or clone it directly to the local machine
# cd /opt/
# git clone https://github.com/jumpserver/jumpserver.git && cd jumpserver && git checkout master
# echo "source /opt/py3/bin/activate" > /opt/jumpserver/.env  # the python virtual environment is loaded automatically when entering the jumpserver directory
  • Install RPM package dependencies
# cd /opt/jumpserver/requirements
# yum -y install $(cat rpm_requirements.txt)  # continue if no errors are reported
  • Install Python library dependencies
    The default Python package index is a foreign site and, for network reasons, downloads may be slow. Here we switch to a domestic mirror.
# pip install -r requirements.txt -i http://pypi.douban.com/simple --trusted-host pypi.douban.com

The above uses the mirror for this one command only; to configure it as the default source, do the following:

Create or modify the configuration file (usually it has to be created):

On Linux: ~/.pip/pip.conf

with the following content:

[global]
index-url = http://pypi.douban.com/simple
[install]
trusted-host=pypi.douban.com
  • Install Redis; Jumpserver uses Redis as its cache and as the celery broker
# yum -y install redis
# systemctl enable redis
# systemctl start redis
  • Install MySQL
# yum -y install mariadb mariadb-devel mariadb-server
# systemctl enable mariadb
# systemctl start mariadb
  • Initialize MySQL, create the database and grant Jumpserver access
# mysql_secure_installation  # set the root password, then press Enter through the remaining prompts
# mysql -uroot -p123456
> create database jumpserver default charset 'utf8';
> grant all on jumpserver.* to 'jumpserver'@'127.0.0.1' identified by '123456';
> flush privileges;
  • Modify the Jumpserver configuration file
# cd /opt/jumpserver
# cp config_example.py config.py
# vim config.py

Note: the configuration file is in Python format; do not use tabs, use spaces.

"""
    jumpserver.config
    ~~~~~~~~~~~~~~~~~

    Jumpserver project setting file

    :copyright: (c) 2014-2017 by Jumpserver Team
    :license: GPL v2, see LICENSE for more details.
"""
import os

BASE_DIR = os.path.dirname(os.path.abspath(__file__))

class Config:
    # Use it to encrypt or decrypt data
    # Jumpserver uses SECRET_KEY for encryption; be sure to change the setting below
    # SECRET_KEY = os.environ.get('SECRET_KEY') or '2vym+ky!997d5kkcc64mnz06y1mmui3lut#(^wd=%s_qj$1%x'
    SECRET_KEY = '2vym+ky!997d5kkcc64mnz06y1mmui3lut#(^wd=%s_qj$1%x'  # enter any random string (50 or more characters recommended)

    # Django security setting; if you disable debug mode, you should set this
    ALLOWED_HOSTS = ['*']

    # DEBUG mode: True enables it, False disables it; enabled by default, disabling it is recommended in production
    # Note: with DEBUG = False the page on port 8080 will not render properly; an nginx proxy is needed for normal access
    DEBUG = False

    # Log level; default DEBUG, can be changed to INFO, WARNING, ERROR, CRITICAL (default INFO)
    LOG_LEVEL = 'WARNING'
    LOG_DIR = os.path.join(BASE_DIR, 'logs')

    # Database configuration; sqlite3, mysql, postgres etc. are supported, sqlite3 is the default
    # See https://docs.djangoproject.com/en/1.10/ref/settings/#databases
    # SQLite3 is used by default; comment out the next two lines if you use another database
    # DB_ENGINE = 'sqlite3'
    # DB_NAME = os.path.join(BASE_DIR, 'data', 'db.sqlite3')

    # To use mysql or postgres, uncomment the lines below and fill in the correct values; this example uses mysql (mariadb is mysql)
    DB_ENGINE = 'mysql'
    DB_HOST = '127.0.0.1'
    DB_PORT = 3306
    DB_USER = 'jumpserver'
    DB_PASSWORD = '123456'
    DB_NAME = 'jumpserver'

    # IP and port Django listens on; in production change 0.0.0.0 to 127.0.0.1. x.x.x.x means allow access from x.x.x.x, 127.0.0.1 means only local access
    # ./manage.py runserver 127.0.0.1:8080
    HTTP_BIND_HOST = '127.0.0.1'
    HTTP_LISTEN_PORT = 8080

    # Redis settings
    REDIS_HOST = '127.0.0.1'
    REDIS_PORT = 6379
    REDIS_PASSWORD = ''
    REDIS_DB_CELERY = 3
    REDIS_DB_CACHE = 4

    def __init__(self):
        pass

    def __getattr__(self, item):
        return None


class DevelopmentConfig(Config):
    pass


class TestConfig(Config):
    pass


class ProductionConfig(Config):
    pass


# Default using Config settings, you can write if/else for different env
config = DevelopmentConfig()
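As an added check that is not part of the original post or of the Jumpserver project, the script below parses a config.py with the shape shown above and flags the settings that should not reach production unchanged: the SECRET_KEY copied from config_example.py (the comment in the file asks for it to be replaced), DEBUG left on, a wildcard ALLOWED_HOSTS, the default database password, an empty Redis password and a 0.0.0.0 bind. The sample config at the bottom is constructed from the values in the guide; the loader works unchanged on coco's conf.py, which uses the same class Config layout.

```python
import ast

EXAMPLE_SECRET_KEY = "2vym+ky!997d5kkcc64mnz06y1mmui3lut#(^wd=%s_qj$1%x"  # config_example.py default, 49 chars


def load_settings(source):
    """Collect NAME = <literal> assignments from the body of class Config.
    Non-literal values such as os.path.join(...) are skipped, never evaluated."""
    settings = {}
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.ClassDef) and node.name == "Config"):
            continue
        for stmt in node.body:
            if isinstance(stmt, ast.Assign) and isinstance(stmt.targets[0], ast.Name):
                try:
                    settings[stmt.targets[0].id] = ast.literal_eval(stmt.value)
                except ValueError:
                    pass  # not a plain literal, ignore it
    return settings


def audit(settings):
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    key = settings.get("SECRET_KEY") or ""
    if key == EXAMPLE_SECRET_KEY or len(key) < 50:
        findings.append("SECRET_KEY is the config_example.py value or shorter than 50 chars")
    if settings.get("DEBUG") is True:
        findings.append("DEBUG is enabled; disable it in production")
    if "*" in (settings.get("ALLOWED_HOSTS") or []):
        findings.append("ALLOWED_HOSTS accepts any Host header; list the names Nginx forwards")
    if settings.get("DB_PASSWORD") in ("", "123456", "password", "admin"):  # constructed list
        findings.append("DB_PASSWORD is a default or trivial password")
    if not settings.get("REDIS_PASSWORD"):
        findings.append("REDIS_PASSWORD is empty; set requirepass in Redis and here")
    if settings.get("HTTP_BIND_HOST") == "0.0.0.0":
        findings.append("HTTP_BIND_HOST listens on all interfaces; use 127.0.0.1 behind Nginx")
    return findings


# Constructed sample mirroring the config.py values shown in the guide.
SAMPLE_CONFIG = """
class Config:
    SECRET_KEY = '2vym+ky!997d5kkcc64mnz06y1mmui3lut#(^wd=%s_qj$1%x'
    ALLOWED_HOSTS = ['*']
    DEBUG = False
    LOG_DIR = os.path.join('/opt/jumpserver', 'logs')
    DB_PASSWORD = '123456'
    HTTP_BIND_HOST = '127.0.0.1'
    REDIS_PASSWORD = ''
"""
```

Run it against the real file with `audit(load_settings(open('/opt/jumpserver/config.py').read()))`; on the sample above it reports four findings (SECRET_KEY, ALLOWED_HOSTS, DB_PASSWORD, REDIS_PASSWORD).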
  • Generate the database table structure and the initial data
# cd /opt/jumpserver/utils
# bash make_migrations.sh
  • Run Jumpserver
# cd /opt/jumpserver
# ./jms start all  # to run in the background use the -d parameter: ./jms start all -d

If no error is reported, visit http://<IP address>:8080 in the browser. Default account: admin, password: admin.

Install the SSH server and WebSocket server: Coco

  • Download or clone the project
    Open a new terminal, and do not forget to run

source /opt/py3/bin/activate

# cd /opt
# source /opt/py3/bin/activate
# git clone https://github.com/jumpserver/coco.git && cd coco && git checkout master
# echo "source /opt/py3/bin/activate" > /opt/coco/.env  # the python virtual environment is loaded automatically when entering the coco directory
  • Install dependencies
# cd /opt/coco/requirements
# yum -y install $(cat rpm_requirements.txt)
# pip install -r requirements.txt
  • Modify the configuration file and run
# cd /opt/coco
# cp conf_example.py conf.py  # if coco and jumpserver are deployed separately, edit conf.py by hand
# vim conf.py
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
#

import os

BASE_DIR = os.path.dirname(__file__)

class Config:
    """
    Coco config file, coco also load config from server update setting below
    """
    # Project name, used to register with Jumpserver; for identification only, must not be duplicated
    # NAME = "localhost"
    NAME = "coco"

    # URL of the Jumpserver project, used by the API registration request; change it if Jumpserver is not running on 127.0.0.1:8080
    # CORE_HOST = os.environ.get("CORE_HOST") or 'http://127.0.0.1:8080'
    CORE_HOST = 'http://127.0.0.1:8080'

    # IP bound at startup, default 0.0.0.0
    # BIND_HOST = '0.0.0.0'

    # SSH port to listen on, default 2222
    # SSHD_PORT = 2222

    # HTTP/WS port to listen on, default 5000
    # HTTPD_PORT = 5000

    # ACCESS KEY used by the project; it is registered by default and saved to ACCESS_KEY_STORE.
    # If needed it can be written into the configuration file, format access_key_id:access_key_secret
    # ACCESS_KEY = None

    # Path where the ACCESS KEY is saved; after registration it is stored in this file by default
    # ACCESS_KEY_STORE = os.path.join(BASE_DIR, 'keys', '.access_key')

    # Encryption key
    # SECRET_KEY = None

    # Log level ['DEBUG', 'INFO', 'WARN', 'ERROR', 'FATAL', 'CRITICAL']
    # LOG_LEVEL = 'INFO'
    LOG_LEVEL = 'WARN'

    # Log directory
    # LOG_DIR = os.path.join(BASE_DIR, 'logs')

    # Session recording directory
    # SESSION_DIR = os.path.join(BASE_DIR, 'sessions')

    # Asset list sort order, ['ip', 'hostname']
    # ASSET_LIST_SORT_BY = 'ip'

    # Whether login supports password authentication
    # PASSWORD_AUTH = True

    # Whether login supports key authentication
    # PUBLIC_KEY_AUTH = True

    # Heartbeat interval with Jumpserver
    # HEARTBEAT_INTERVAL = 5

    # Admin name, shown to users when something goes wrong
    # ADMINS = ''
    COMMAND_STORAGE = {
        "TYPE": "server"
    }
    REPLAY_STORAGE = {
        "TYPE": "server"
    }


config = Config()
# ./cocod start  # to run in the background use the -d parameter: ./cocod start -d

After a successful start, go to Jumpserver session management → terminal management (http://<IP address>:8080/terminal/terminal/) to accept coco's registration.

Install the front-end web terminal: Luna

Luna has been changed to a pure front-end, so it must be served through Nginx.

  • Download and unpack Luna
# cd /opt
# wget https://github.com/jumpserver/luna/releases/download/1.3.3/luna.tar.gz
# tar xvf luna.tar.gz
# chown -R root:root luna

Install the Windows support components (can be skipped if not required)

Because installing the guacamole components manually is complicated, a docker-packaged version is provided; start guacamole with it.

  • Install Docker
# yum remove docker-latest-logrotate docker-logrotate docker-selinux docker docker-engine
# yum install -y yum-utils   device-mapper-persistent-data   lvm2
# yum-config-manager --add-repo http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
# rpm --import http://mirrors.aliyun.com/docker-ce/linux/centos/gpg
# yum makecache fast
# yum -y install docker-ce
# systemctl start docker
# systemctl status docker
  • Start Guacamole

Note that guacamole is exposed on port 8081; if that conflicts with another port on your host, change the host-side port mapping.

After a successful start, go to Jumpserver session management → terminal management (http://<IP address>:8080/terminal/terminal/) to accept the registration whose name begins with [Gua].

# docker run --name jms_guacamole -d \
  -p 8081:8080 -v /opt/guacamole/key:/config/guacamole/key \
  -e JUMPSERVER_KEY_DIR=/config/guacamole/key \
  -e JUMPSERVER_SERVER=http://IP地址 \
  jumpserver/guacamole:latest

Configure Nginx to integrate the components

  • Install Nginx
# yum -y install nginx
  • Modify the configuration file
# vim /etc/nginx/nginx.conf
... (omitted)
# change the default server block to the following; leave the existing content untouched

server {
    listen 80;  # proxy port; from now on access goes through this port, no longer through 8080

    location /luna/ {
        try_files $uri / /index.html;
        alias /opt/luna/;  # luna path; change this if the installation directory is changed
    }

    location /media/ {
        add_header Content-Encoding gzip;
        root /opt/jumpserver/data/;  # recording location; change this if the installation directory is changed
    }

    location /static/ {
        root /opt/jumpserver/data/;  # static assets; change this if the installation directory is changed
    }

    location /socket.io/ {
        proxy_pass       http://localhost:5000/socket.io/;  # if coco is installed on another server, fill in its ip
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    location /guacamole/ {
        proxy_pass       http://localhost:8081/;  # if guacamole is installed on another server, fill in its ip
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
        client_max_body_size 100m;  # Windows file upload size limit
    }

    location / {
        proxy_pass http://localhost:8080;  # if jumpserver is installed on another server, fill in its ip
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
... (omitted)
  • Run Nginx
# nginx -t   # make sure the configuration has no problems; fix any before continuing
# systemctl start nginx
# systemctl enable nginx
  • Start Jumpserver
    Check that the applications are running properly
# cd /opt/jumpserver
# ./jms status  # confirm jumpserver is running; if not, restart jumpserver
# cd /opt/coco
# ./cocod status  # confirm coco is running; if not, restart coco
# if Guacamole is installed
# docker ps  # check that the container is running normally; if not, restart Guacamole

After all services have started, visit http://<ip>, i.e. the Nginx proxy port; do not access port 8080 directly.

If the registration requests were not accepted during deployment, go to Jumpserver session management → terminal management and accept the Coco and Guacamole registration requests.

Test the connection

If the login client is macOS or Linux, the login syntax is:
$ ssh -p2222 admin@IP
$ sftp -P2222 admin@IP
Password: admin

If the login client is Windows, the Xshell terminal login syntax is:
$ ssh admin@IP 2222
$ sftp admin@IP 2222
Password: admin
If you can log in, the deployment succeeded
# sftp uploads go by default into the asset's /tmp directory
# drag-and-drop uploads on Windows go into the G drive of the asset's Guacamole RDP session

Source: www.cnblogs.com/shawhe/p/11294402.html