centos安装jumpserver

summerinsist 2020-04-14

一、准备

1.修改字符集
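# Switch the system locale to zh_CN.UTF-8 so non-ASCII output renders correctly.
localedef -c -f UTF-8 -i zh_CN zh_CN.UTF-8
export LC_ALL=zh_CN.UTF-8
# Persist the locale. The quotes around the echo argument must be plain ASCII ' :
# the curly ‘…‘ the page carried would have been written into the file literally,
# leaving /etc/locale.conf with an unparseable line.
echo 'LANG="zh_CN.UTF-8"' > /etc/locale.conf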

2.关闭selinux和防火墙
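# Show the current SELinux mode; the expected answer for this guide is "Disabled".
# (The page used "//" remarks after commands — that is not shell comment syntax and
# passes "//" and the text as extra arguments; use "#" instead.)
getenforce
# If it prints "Enforcing", switch it off for the running system first:
#   setenforce 0
# Make the change survive reboots (plain ASCII quotes; curly quotes would break sed).
sed -i '/SELINUX/s/enforcing/disabled/' /etc/selinux/config
# Stop the firewall. This is "stop", not "disable", so it comes back after a reboot.
# NOTE(review): with firewalld down, everything later bound to all interfaces
# (nginx :80, koko :2222) is reachable from any network; opening only those two
# ports would be the tighter choice.
systemctl stop firewalld.service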

二、安装
1.准备Python3和Python虚拟环境
# Build tools, headers and helpers needed to compile the core's Python dependencies.
yum -y install \
  wget vim lrzsz xz gcc git epel-release \
  python-pip python-devel mysql-devel \
  automake autoconf sqlite-devel zlib-devel openssl-devel \
  sshpass readline-devel
# Python 3.6 interpreter plus headers for C extensions.
yum -y install python36 python36-devel
# Dedicated virtualenv in /opt/py3; every pip install that follows lands in it.
cd /opt
python3.6 -m venv py3
source /opt/py3/bin/activate

2.安装 Jumpserver
# Fetch the core source (cloned into the current directory, /opt from the previous step).
# NOTE(review): a shallow clone of the default branch is a moving target while koko,
# guacamole and luna below are pinned to 1.5.7 — confirm the matching core tag and pass
# it with -b so the component versions agree.
git clone --depth=1 https://github.com/jumpserver/jumpserver.git
cd /opt/jumpserver/requirements
# System packages listed (whitespace separated) in rpm_requirements.txt.
yum -y install $(< rpm_requirements.txt)
# Python dependencies into the /opt/py3 venv, via the Aliyun PyPI mirror over HTTPS.
pip install wheel
pip install --upgrade pip setuptools -i https://mirrors.aliyun.com/pypi/simple/
pip install -r requirements.txt -i https://mirrors.aliyun.com/pypi/simple/

3.安装 Redis
# Redis is required by the core (its exact role is not described on this page).
# NOTE(review): nothing here sets a Redis password — confirm /etc/redis.conf binds to
# 127.0.0.1 only, since the firewall was stopped earlier.
yum -y install redis
for action in enable start; do
  systemctl "$action" redis
done

4.安装 MySQL
# MariaDB as the core database.
# NOTE(review): the next step logs in as root with no password (`mysql -uroot`); set a
# root password (e.g. mysql_secure_installation) once the jumpserver database exists.
yum -y install mariadb mariadb-devel mariadb-server
for action in enable start; do
  systemctl "$action" mariadb
done

5.创建数据库 Jumpserver 并授权
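# 24-character alphanumeric password for the jumpserver DB user. tr ends with SIGPIPE
# once head has its bytes; that is expected (do not wrap this in `set -o pipefail`).
DB_PASSWORD=$(tr -dc 'A-Za-z0-9' </dev/urandom | head -c 24)
# Create the database and a user restricted to 127.0.0.1. Quotes must be ASCII ' —
# the curly ‘…‘ the page showed is a MySQL syntax error. Root is used without a
# password here; the generated value is written into config.yml in step 6, and the
# same shell must still hold $DB_PASSWORD at that point.
# NOTE(review): the password is on the command line, so it lands in shell history and
# is briefly visible in `ps`; clear the history entry afterwards if that matters.
mysql -uroot -e "create database jumpserver default charset 'utf8'; grant all on jumpserver.* to 'jumpserver'@'127.0.0.1' identified by '$DB_PASSWORD'; flush privileges;"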

6.修改 Jumpserver 配置文件
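cd /opt/jumpserver/
cp config_example.yml config.yml
# Generate the two secrets.
# BUG FIX: the page wrote `SECRET_KEY=\`...\` // 生成...`. Bash parses "VAR=value cmd"
# as a temporary assignment scoped to the command "//" (a directory, which fails), so
# SECRET_KEY and BOOTSTRAP_TOKEN were never set and the sed lines below wrote empty
# values into config.yml. Comments must use "#".
SECRET_KEY=$(tr -dc 'A-Za-z0-9' </dev/urandom | head -c 50)        # random SECRET_KEY
BOOTSTRAP_TOKEN=$(tr -dc 'A-Za-z0-9' </dev/urandom | head -c 16)   # random BOOTSTRAP_TOKEN
# Keep copies in ~/.bashrc so the values outlive this shell (koko/guacamole need the
# same BOOTSTRAP_TOKEN later).
# NOTE(review): this is a second place the secrets live; config.yml is the authoritative
# copy, so these two lines can be dropped once it is written.
echo "SECRET_KEY=$SECRET_KEY" >> ~/.bashrc
echo "BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN" >> ~/.bashrc
# Fill in config.yml. The generated values are [A-Za-z0-9] only, so they cannot contain
# the "/" delimiter or sed metacharacters. $DB_PASSWORD comes from step 5 and must still
# be set in this shell.
sed -i "s/SECRET_KEY:/SECRET_KEY: $SECRET_KEY/g" /opt/jumpserver/config.yml
sed -i "s/BOOTSTRAP_TOKEN:/BOOTSTRAP_TOKEN: $BOOTSTRAP_TOKEN/g" /opt/jumpserver/config.yml
sed -i "s/# DEBUG: true/DEBUG: false/g" /opt/jumpserver/config.yml
sed -i "s/# LOG_LEVEL: DEBUG/LOG_LEVEL: ERROR/g" /opt/jumpserver/config.yml
sed -i "s/# SESSION_EXPIRE_AT_BROWSER_CLOSE: false/SESSION_EXPIRE_AT_BROWSER_CLOSE: true/g" /opt/jumpserver/config.yml
sed -i "s/DB_PASSWORD: /DB_PASSWORD: $DB_PASSWORD/g" /opt/jumpserver/config.yml
# config.yml now holds the DB password and both secrets. The services are started as
# root in step 7 (./jms and rc.local), so owner-only permissions are sufficient.
chmod 600 /opt/jumpserver/config.yml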

7.运行 Jumpserver
# Start every core service in the background.
cd /opt/jumpserver
./jms start all -d
# Re-launch at boot from rc.local, activating the venv first. rc.local runs as root, so
# the core runs as root too.
# NOTE(review): `source` inside rc.local requires it to be executed by bash — confirm
# the file's shebang.
printf '%s\n' 'source /opt/py3/bin/activate && /opt/jumpserver/jms start all -d' >> /etc/rc.local
chmod +x /etc/rc.local

8.安装koko
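# koko (SSH/SFTP gateway) as a container. Assumes docker is already installed and
# running — that is not covered by the steps above.
# BUG FIX: the page passed a literal sample token here; koko only registers when
# BOOTSTRAP_TOKEN equals the value written to config.yml in step 6. Read it from the
# file so this step works even from a fresh shell (assumes the key sits at column 0,
# as the sed in step 6 leaves it — TODO confirm).
BOOTSTRAP_TOKEN=$(awk '/^BOOTSTRAP_TOKEN:/{print $2}' /opt/jumpserver/config.yml)
# 2222 is published on all interfaces (it is the user-facing SSH port); 5000 stays on
# loopback and is only reached through nginx. CORE_HOST is this machine's address as
# seen from inside the container — replace 10.10.10.102 with your own.
docker run --name jms_koko -d -p 2222:2222 -p 127.0.0.1:5000:5000 \
  -e CORE_HOST=http://10.10.10.102:8080 \
  -e BOOTSTRAP_TOKEN="$BOOTSTRAP_TOKEN" \
  -e LOG_LEVEL=ERROR --restart=always jumpserver/jms_koko:1.5.7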

9.安装guacamole
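# guacamole (RDP/VNC gateway) as a container; same docker assumption as the koko step.
# BUG FIX: as with koko, the page passed a literal sample token; the value must equal
# the BOOTSTRAP_TOKEN in config.yml, so read it from there (assumes the key sits at
# column 0, as the sed in step 6 leaves it — TODO confirm).
BOOTSTRAP_TOKEN=$(awk '/^BOOTSTRAP_TOKEN:/{print $2}' /opt/jumpserver/config.yml)
# 8081 is bound to loopback only and reached through the nginx /guacamole/ location.
# JUMPSERVER_SERVER is this machine's address as seen from inside the container.
docker run --name jms_guacamole -d -p 127.0.0.1:8081:8080 \
  -e JUMPSERVER_SERVER=http://10.10.10.102:8080 \
  -e BOOTSTRAP_TOKEN="$BOOTSTRAP_TOKEN" \
  -e GUACAMOLE_LOG_LEVEL=ERROR --restart=always jumpserver/jms_guacamole:1.5.7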

10.下载 luna 组件
# luna: the web-terminal front-end, served as static files by nginx from /opt/luna
# (see the /luna/ location in step 11).
# NOTE(review): the tarball is fetched over HTTPS but its content is not verified
# against a published digest or signature; check one if the release provides it.
cd /opt
wget https://github.com/jumpserver/luna/releases/download/1.5.7/luna.tar.gz
tar -xf luna.tar.gz
chown -R root:root luna

11.安装配置 nginx 整合各组件
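# nginx from the upstream stable repository. The page typed the repo file into vi; a
# quoted heredoc writes the same content non-interactively. $releasever/$basearch are
# yum variables and must reach the file unexpanded — hence <<'EOF'.
yum install -y yum-utils
cat > /etc/yum.repos.d/nginx.repo <<'EOF'
[nginx-stable]
name=nginx stable repo
baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
gpgcheck=1
enabled=1
gpgkey=https://nginx.org/keys/nginx_signing.key
EOF
# baseurl is plain http, but gpgcheck=1 with the key fetched over https verifies the
# packages themselves.
yum makecache fast
yum install -y nginx
# Remove the stock default server so only jumpserver.conf answers on :80.
rm -f /etc/nginx/conf.d/default.conf
systemctl enable nginx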
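# Site that fronts every component. Written with a quoted heredoc instead of an
# interactive vim session; $uri, $host, $http_upgrade ... are nginx variables and must
# not be expanded by the shell.
cat > /etc/nginx/conf.d/jumpserver.conf <<'EOF'
server {
    # NOTE(review): plain HTTP only. Logins and terminal sessions cross the network in
    # clear text; add a `listen 443 ssl;` server with a certificate before exposing this
    # beyond a lab network.
    listen 80;

    client_max_body_size 100m;  # size limit for recordings and file uploads

    location /luna/ {
        try_files $uri / /index.html;
        alias /opt/luna/;  # luna path; change if the install directory changes
    }

    location /media/ {
        add_header Content-Encoding gzip;
        root /opt/jumpserver/data/;  # session recordings; change if the install directory changes
    }

    location /static/ {
        root /opt/jumpserver/data/;  # static assets; change if the install directory changes
    }

    # koko web terminal: websocket upgrade to the container on loopback:5000.
    location /koko/ {
        proxy_pass http://localhost:5000;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # NOTE(review): no nginx access log for terminal traffic — confirm the core's own
        # session audit is considered sufficient before keeping this.
        access_log off;
    }

    # guacamole: container on loopback:8081, path prefix stripped by the trailing /.
    location /guacamole/ {
        proxy_pass http://localhost:8081/;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;  # same consideration as /koko/
    }

    # core websocket endpoint on :8070.
    location /ws/ {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://localhost:8070;
        proxy_http_version 1.1;
        proxy_buffering off;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

    # Everything else goes to the core on :8080; clients should use this :80 entry,
    # not :8080 directly.
    location / {
        proxy_pass http://localhost:8080;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
EOF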
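# Validate the configuration and only then start; the page started nginx even when
# `nginx -t` had failed.
nginx -t && systemctl start nginx
systemctl enable nginx  # already enabled in step 11; harmless repeat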

三、测试
1.检查web页面是否已经正常运行
服务全部启动后, 访问 http://10.10.10.102(ip地址是你配置的那台机器的ip), 访问nginx代理的端口, 不要再通过8080端口访问
默认账号: admin 密码: admin
到Jumpserver 会话管理-终端管理 检查 Koko Guacamole 等应用的注册。

2.测试连接
如果登录客户端是 macOS 或 Linux, 登录语法如下
$ ssh -p2222 admin@10.10.10.102
$ sftp -P2222 admin@10.10.10.102
密码: admin
如果登录客户端是 Windows, Xshell Terminal 登录语法如下
$ ssh admin@10.10.10.102 2222
$ sftp admin@10.10.10.102 2222
密码: admin
如果能登录代表部署成功
# sftp默认上传的位置在资产的 /tmp 目录下
# windows拖拽上传的位置在资产的 Guacamole RDP上的 G 目录下
