centos7.4 installation and deployment jumpserver (external database) to configure the whole process - no problem

First, jumpserver overview
JumpServer is the world's first fully open-source bastion host, developed with Python / Django and released under the GNU GPL v2.0 open source license. It is a professional operations auditing system that conforms to the 4A standard, follows the Web 2.0 specification, and has an industry-leading Web Terminal with an attractive, interactive interface. It supports a distributed architecture and can be deployed across regions and multiple machine rooms. JumpServer is like a Swiss Army knife for operations: it can raise operations management to a professional level, and if you are still managing machines in batches with CRT or Xshell, JumpServer is timely help.

1, jumpserver architecture description
Component Description:
(1), Jumpserver: the management back end and core component (Core), developed in Django Class Based View style with RESTful API support. It is the core management side of the jumpserver system.

(2), Coco: implements the SSH Server and Web Terminal Server component, providing SSH and WebSocket interfaces. It is developed with Paramiko and Flask and is the key component for SSH from a web page. In the most recent version koko has replaced coco, but its role is the same.

(3), Guacamole: Jumpserver uses this component to implement RDP functionality. Jumpserver did not modify its code but added extra plug-ins so that Jumpserver can call it. Its role here is to collect Windows asset information; if you do not manage Windows assets it can be ignored (installation recommended).

(4), Luna: the front end of the Web Terminal. The front-end pages are now planned to be handled by this project; Jumpserver only provides the API and is no longer responsible for rendering HTML in the back end. Luna's pages are simple and attractive.

(5), NGINX: web server software. Following the idea of separating static and dynamic content, NGINX handles the static resources (Luna), which it is good at, and acts as the reverse proxy for the websocket interfaces. It is powerful web server software.

(6), DB: MySQL installed with yum. Its build process is not covered here because this article is about building jumpserver, which in fact only uses the DB connection information.


Second, the installation environment:
System: CentOS 7.4
IP: 172.16.29.80 (purchased Ali cloud ECS)
Firewall and SELinux settings

1, turn off the firewall
$ systemctl stop firewalld
Set the firewall not to start at boot
$ systemctl disable firewalld

2, turn off SELinux
$ setenforce 0
$ sed -i "s/SELINUX=enforcing/SELINUX=disabled/g" /etc/selinux/config


3, Modify the character set; otherwise input/output errors may be reported.
$ localedef -c -f UTF-8 -i zh_CN zh_CN.UTF-8
$ export LC_ALL=zh_CN.UTF-8
$ echo 'LANG="zh_CN.UTF-8"' > /etc/locale.conf

4, Prepare the Python environment
$ yum -y install wget sqlite-devel xz gcc automake zlib-devel openssl-devel epel-release git
$ wget https://www.python.org/ftp/python/3.6.1/Python-3.6.1.tar.xz
$ mv Python-3.6.1.tar.xz /usr/src && cd /usr/src/ && tar xvf Python-3.6.1.tar.xz && cd Python-3.6.1
$ ./configure && make && make install
The steps above install Python 3.6 from source. The Python 3.6 environment can also be installed with yum, as follows:
$ yum -y install python36 python36-devel

If the download is very slow, you can switch to a domestic mirror
$ wget -O /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo
$ yum -y install python36 python36-devel
Prepare the Python virtual environment
$ cd /opt
$ python3.6 -m venv py3
$ source /opt/py3/bin/activate
The following prompt means it succeeded. The source command above must be run before every later run of Jumpserver, and all commands below are run inside the virtual environment
(py3) [root@localhost py3]


Third, the installation jumpserver

There are many guides online for installing and configuring jumpserver; this article follows the official website. However, the official deployment method accesses GitHub, which is very slow, so the GitHub problem should be solved first. There are several solutions; relaying through a mirror is the more reliable one, and Gitee (Code Cloud) is recommended as the relay.
Official installation documentation: https://jumpserver.readthedocs.io/zh/master/setup_by_localcloud.html. The jumpserver git address used in this article is https://github.com/jumpserver/jumpserver.git; it is taken as the example for solving slow git clone.
1, Use Gitee as a relay to solve slow git clone
Register a Gitee account: https://gitee.com/
Copy the https address of jumpserver on GitHub
In the Gitee workbench, click New repository
Import an existing repository, that is, the GitHub address of jumpserver
Later, when installing jumpserver, the GitHub address is replaced with the domestic mirror address. My public relay of jumpserver on Gitee: https://gitee.com/yunwen_1_hlzhang/jumpserver.git

2, Install jumpserver
The process follows the official jumpserver installation document and is not repeated step by step here

(1) The following commands can be executed directly

yum update -y \
&& ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime \
&& yum -y install kde-l10n-Chinese \
&& localedef -c -f UTF-8 -i zh_CN zh_CN.UTF-8 \
&& export LC_ALL=zh_CN.UTF-8 \
&& echo 'LANG="zh_CN.UTF-8"' > /etc/locale.conf \
&& yum -y install wget gcc epel-release git \
&& yum install -y yum-utils device-mapper-persistent-data lvm2 \
&& yum-config-manager --add-repo http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo \
&& yum makecache fast \
&& rpm --import https://mirrors.aliyun.com/docker-ce/linux/centos/gpg \
&& echo -e "[nginx-stable]\nname=nginx stable repo\nbaseurl=http://nginx.org/packages/centos/\$releasever/\$basearch/\ngpgcheck=1\nenabled=1\ngpgkey=https://nginx.org/keys/nginx_signing.key" > /etc/yum.repos.d/nginx.repo \
&& rpm --import https://nginx.org/keys/nginx_signing.key \
&& yum -y install redis mariadb mariadb-devel mariadb-server mariadb-shared nginx docker-ce \
&& systemctl enable redis mariadb nginx docker \
&& systemctl start redis mariadb \
&& yum -y install python36 python36-devel \
&& python3.6 -m venv /opt/py3

(2), Replace the GitHub address and install jumpserver and the koko and guacamole components; koko and guacamole are installed using docker

  cd /opt \
  && if [ ! -d "/opt/jumpserver" ]; then git clone --depth=1 https://gitee.com/yunwen_1_hlzhang/jumpserver.git; fi \
  && if [ ! -f "/opt/luna.tar.gz" ]; then wget https://demo.jumpserver.org/download/luna/1.5.6/luna.tar.gz; tar xf luna.tar.gz; chown -R root:root luna; fi \
  && yum -y install $(cat /opt/jumpserver/requirements/rpm_requirements.txt) \
  && echo -e "[easy_install]\nindex_url = https://mirrors.aliyun.com/pypi/simple/" > ~/.pydistutils.cfg \
  && source /opt/py3/bin/activate \
  && pip install wheel -i https://mirrors.aliyun.com/pypi/simple/ \
  && pip install --upgrade pip setuptools==45.2.0 -i https://mirrors.aliyun.com/pypi/simple/ \
  && pip install -r /opt/jumpserver/requirements/requirements.txt -i https://mirrors.aliyun.com/pypi/simple/ \
  && mkdir -p /etc/docker \
  && wget -O /etc/docker/daemon.json http://demo.jumpserver.org/download/docker/daemon.json \
  && systemctl restart docker \
  && docker pull wojiushixiaobai/jms_koko:1.5.6 \
  && docker pull wojiushixiaobai/jms_guacamole:1.5.6 \
  && rm -rf /etc/nginx/conf.d/default.conf \
  && wget -O /etc/nginx/conf.d/jumpserver.conf https://demo.jumpserver.org/download/nginx/conf.d/jumpserver.conf

When pip installs MarkupSafe, an error is reported.
Because setuptools for Python 3 has been upgraded past version 46, the command pip install --upgrade pip setuptools must be changed to pip install --upgrade pip setuptools==45.2.0. This article has been adjusted accordingly; this is a bug in the installation process on the official website.
The script above has the same kind of version problem with related plug-ins.
You can install the affected package on its own with pip install pyasn1-modules==<version number>
(3), Post-installation configuration. The official jumpserver configuration below can be executed directly, but its details are not very clear when run that way, so this part was configured manually. The official jumpserver script follows; for manual configuration refer to: http://www.51niux.com/?id=234 or https://segmentfault.com/a/1190000015086911 . Both are blog posts the author referred to often and singled out after several real deployments.

  source ~/.bashrc \
  && if [ "$DB_PASSWORD" = "" ]; then DB_PASSWORD=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 24`; fi \
  && if [ "$SECRET_KEY" = "" ]; then SECRET_KEY=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 50`; echo "SECRET_KEY=$SECRET_KEY" >> ~/.bashrc; fi \
  && if [ "$BOOTSTRAP_TOKEN" = "" ]; then BOOTSTRAP_TOKEN=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 16`; echo "BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN" >> ~/.bashrc; fi \
  && if [ "$Server_IP" = "" ]; then Server_IP=`ip addr | grep 'state UP' -A2 | grep inet | egrep -v '(127.0.0.1|inet6|docker)' | awk '{print $2}' | tr -d "addr:" | head -n 1 | cut -d / -f1`; fi \
  && if [ ! -d "/var/lib/mysql/jumpserver" ]; then mysql -uroot -e "create database jumpserver default charset 'utf8';grant all on jumpserver.* to 'jumpserver'@'127.0.0.1' identified by '$DB_PASSWORD';flush privileges;"; fi \
  && if [ ! -f "/opt/jumpserver/config.yml" ]; then cp /opt/jumpserver/config_example.yml /opt/jumpserver/config.yml; sed -i "s/SECRET_KEY:/SECRET_KEY: $SECRET_KEY/g" /opt/jumpserver/config.yml; sed -i "s/BOOTSTRAP_TOKEN:/BOOTSTRAP_TOKEN: $BOOTSTRAP_TOKEN/g" /opt/jumpserver/config.yml; sed -i "s/# DEBUG: true/DEBUG: false/g" /opt/jumpserver/config.yml; sed -i "s/# LOG_LEVEL: DEBUG/LOG_LEVEL: ERROR/g" /opt/jumpserver/config.yml; sed -i "s/# SESSION_EXPIRE_AT_BROWSER_CLOSE: false/SESSION_EXPIRE_AT_BROWSER_CLOSE: true/g" /opt/jumpserver/config.yml; sed -i "s/DB_PASSWORD: /DB_PASSWORD: $DB_PASSWORD/g" /opt/jumpserver/config.yml; fi
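
The audit below is an added example, not part of the original post or of the JumpServer project: it checks the config.yml written by the sed commands above for values that ended up empty, a DEBUG line the sed did not match, and world-readable permissions. The function names and the sample file in demo() are constructed for illustration.

```bash
# Added example, not JumpServer project code. Key names are the ones the
# page's sed commands write; the sample file in demo() is constructed.

cfg_get() {            # cfg_get FILE KEY -> value of an uncommented "KEY: value" line
  awk -v k="$2" '$0 ~ ("^" k ":") { sub("^" k ":[ \t]*", ""); print; exit }' "$1"
}

audit_jms_config() {   # prints one finding per line; returns 0 when clean
  local f="$1" key rc=0
  for key in SECRET_KEY BOOTSTRAP_TOKEN DB_PASSWORD; do
    # An empty value means the shell variable was unset when sed ran.
    [ -n "$(cfg_get "$f" "$key")" ] || { echo "EMPTY $key"; rc=1; }
  done
  # "# DEBUG: true" still commented means the DEBUG sed never matched.
  [ "$(cfg_get "$f" DEBUG)" = "false" ] || { echo "DEBUG_NOT_FALSE"; rc=1; }
  # The file holds three secrets; flag it when "other" has read access.
  [ -z "$(find "$f" -perm -004)" ] || { echo "WORLD_READABLE"; rc=1; }
  return $rc
}

demo() {               # constructed config: DB_PASSWORD empty, DEBUG untouched
  local tmp rc=0
  tmp=$(mktemp)
  printf '%s\n' 'SECRET_KEY: c0nstructedSampleKey' \
    'BOOTSTRAP_TOKEN: c0nstructedTok' '# DEBUG: true' 'DB_PASSWORD: ' > "$tmp"
  chmod 644 "$tmp"
  audit_jms_config "$tmp" || rc=$?
  rm -f "$tmp"
  return $rc
}

demo || echo "findings above: fix config.yml before starting jms"
```

On the real host the call is audit_jms_config /opt/jumpserver/config.yml, run before starting the services.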

(4), Set up the related boot entry

 if [ ! -f "/usr/lib/systemd/system/jms.service" ]; then wget -O /usr/lib/systemd/system/jms.service https://demo.jumpserver.org/download/shell/centos/jms.service; chmod 755 /usr/lib/systemd/system/jms.service; systemctl enable jms; fi

(5), Start the related services

A. Start nginx: nginx
B. Start jumpserver:

  # ./jms start all
  # ./jms start all -d    # the -d parameter runs jumpserver in the background

3, Log in to jumpserver
After the above steps, enter the IP address in a browser to reach the jumpserver web login page. The default account and password are admin / admin
After logging in you can see the management back end.
The jumpserver back-end services are now basically OK, but you will encounter a few problems:
(1), The web terminal is empty: even though hosts have been added and configured correctly, the web terminal does not display them. Note: the web terminal displays only the assets that have been authorized under permission management. That is why the web terminal can still be empty even when the assets themselves are configured without any problem.
(2), File management returns 502
The koko service may not be running; make sure it is running normally.
Start docker: systemctl start docker
Enable docker at boot: systemctl enable docker
Start koko and have it start together with docker at boot by adding the parameter: --restart=always
-p parameter: port mapping
CORE_HOST: the IP and port that jumpserver is started on
BOOTSTRAP_TOKEN: see /opt/jumpserver/config.yml

docker run --name jms_koko -d -p 2222:2222 -p 5000:5000 -e CORE_HOST=http://172.16.29.80:8080  -e BOOTSTRAP_TOKEN=BLkJcpJooqdwXixq  --restart=always  wojiushixiaobai/jms_koko:1.5.6

(3), Windows support plug-in: guacamole
Start the guacamole container service and set it to start at boot:

docker run --name jms_guacamole -d -p 127.0.0.1:8081:8080 -e JUMPSERVER_SERVER=http://172.16.29.80:8080 -e BOOTSTRAP_TOKEN=BLkJcpJooqdwXixq --restart=always wojiushixiaobai/jms_guacamole:1.5.6

You can check with docker ps -a that both services have started.
That concludes the deployment of jumpserver; configuring and using jumpserver will be described in the next, hands-on section.


Origin blog.51cto.com/1864156/2478808