手动部署JumpServer
一、
[root@sdp-dev ~]# getenforce Disabled [root@sdp-dev ~]# systemctl stop firewalld.service # 修改字符集,否则可能报 input/output error的问题,因为日志里打印了中文 [root@sdp-dev ~]# localedef -c -f UTF-8 -i zh_CN zh_CN.UTF-8 [root@sdp-dev ~]# export LC_ALL=zh_CN.UTF-8 [root@sdp-dev ~]# echo 'LANG="zh_CN.UTF-8"' > /etc/locale.conf [root@sdp-dev ~]# yum -y install wget sqlite-devel xz gcc automake zlib-devel openssl-devel epel-release git
# 编译安装,否则后面安装python依赖库时可能会有麻烦 [root@sdp-dev ~]# wget https://www.python.org/ftp/python/3.6.1/Python-3.6.1.tar.xz #尽量使用最新版本,否则部分依赖包无法下载 [root@sdp-dev ~]# tar xf Python-3.6.1.tar.xz && cd Python-3.6.1 [root@sdp-dev Python-3.6.1]# ./configure && make && make install # 安装python虚拟环境 [root@sdp-dev Python-3.6.1]# cd /opt [root@sdp-dev opt]# python3 -m venv py3 [root@sdp-dev opt]# source /opt/py3/bin/activate (py3) [root@sdp-dev opt]#
# 使用懒人 autoenv 配置虚拟环境 (py3) [root@sdp-dev opt]# git clone git://github.com/kennethreitz/autoenv.git 正克隆到 'autoenv'... remote: Enumerating objects: 671, done. remote: Total 671 (delta 0), reused 0 (delta 0), pack-reused 671 接收对象中: 100% (671/671), 103.92 KiB | 115.00 KiB/s, done. 处理 delta 中: 100% (356/356), done. (py3) [root@sdp-dev opt]# (py3) [root@sdp-dev opt]# echo 'source /opt/autoenv/activate.sh' >> ~/.bashrc (py3) [root@sdp-dev opt]# source ~/.bashrc
(py3) [root@sdp-dev opt]# git clone https://github.com/jumpserver/jumpserver.git && cd jumpserver && git checkout master 正克隆到 'jumpserver'... remote: Enumerating objects: 79, done. remote: Counting objects: 100% (79/79), done. remote: Compressing objects: 100% (68/68), done. remote: Total 41282 (delta 19), reused 20 (delta 5), pack-reused 41203 接收对象中: 100% (41282/41282), 52.05 MiB | 79.00 KiB/s, done. 处理 delta 中: 100% (28176/28176), done. 已经位于 'master' (py3) [root@sdp-dev jumpserver]#
三、
(py3) [root@sdp-dev jumpserver]# echo "source /opt/py3/bin/activate" > /opt/jumpserver/.env (py3) [root@sdp-dev jumpserver]# cd requirements/ autoenv: autoenv: WARNING: autoenv: This is the first time you are about to source /opt/jumpserver/.env: autoenv: autoenv: --- (begin contents) --------------------------------------- autoenv: source /opt/py3/bin/activate$ autoenv: autoenv: --- (end contents) ----------------------------------------- autoenv: autoenv: Are you sure you want to allow this? (y/N) y (py3) [root@sdp-dev requirements]# (py3) [root@sdp-dev requirements]# yum -y install $(cat rpm_requirements.txt) (py3) [root@sdp-dev requirements]# pip install --upgrade pip (py3) [root@sdp-dev requirements]# pip install -r requirements.txt -i https://pypi.tuna.tsinghua.edu.cn/simple
(py3) [root@sdp-dev requirements]# yum -y install redis (py3) [root@sdp-dev requirements]# systemctl enable redis Created symlink from /etc/systemd/system/multi-user.target.wants/redis.service to /usr/lib/systemd/system/redis.service. (py3) [root@sdp-dev requirements]# systemctl start redis
(py3) [root@sdp-dev requirements]# yum -y install mariadb mariadb-devel mariadb-server (py3) [root@sdp-dev requirements]# systemctl enable mariadb Created symlink from /etc/systemd/system/multi-user.target.wants/mariadb.service to /usr/lib/systemd/system/mariadb.service. (py3) [root@sdp-dev requirements]# systemctl start mariadb (py3) [root@sdp-dev requirements]# (py3) [root@sdp-dev requirements]# mysql Welcome to the MariaDB monitor. Commands end with ; or \g. Your MariaDB connection id is 2 Server version: 5.5.60-MariaDB MariaDB Server Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others. Type 'help;' or '\h' for help. Type '\c' to clear the current input statement. MariaDB [(none)]> create database jumpserver default charset 'utf8'; Query OK, 1 row affected (0.00 sec) MariaDB [(none)]> grant all on jumpserver.* to 'jumpserveradmin'@'127.0.0.1' identified by 'jumpserverpwd'; Query OK, 0 rows affected (0.00 sec) MariaDB [(none)]> flush privileges; Query OK, 0 rows affected (0.00 sec) MariaDB [(none)]> \q Bye (py3) [root@sdp-dev requirements]#
六、
(py3) [root@sdp-dev requirements]# pwd /opt/jumpserver/requirements (py3) [root@sdp-dev requirements]# cd .. (py3) [root@sdp-dev jumpserver]# ls apps config_example.yml Dockerfile entrypoint.sh LICENSE README_EN.md requirements tmp build.sh data docs jms logs README.md run_server.py utils (py3) [root@sdp-dev jumpserver]# cp config_example.yml config.yml (py3) [root@sdp-dev jumpserver]# (py3) [root@sdp-dev jumpserver]# SECRET_KEY=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 50` (py3) [root@sdp-dev jumpserver]# echo $SECRET_KEY vFjo4WEMRWNinXMconEXodf3VeEaRStkDzo6SpIfNxphYEEMUZ (py3) [root@sdp-dev jumpserver]# echo "SECRET_KEY=$SECRET_KEY" >> ~/.bashrc (py3) [root@sdp-dev jumpserver]# BOOTSTRAP_TOKEN=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 16` (py3) [root@sdp-dev jumpserver]# echo "BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN" >> ~/.bashrc (py3) [root@sdp-dev jumpserver]# echo $BOOTSTRAP_TOKEN yBCVQ9WHA9phTZ21 (py3) [root@sdp-dev jumpserver]# sed -i "s/SECRET_KEY:/SECRET_KEY: $SECRET_KEY/g" /opt/jumpserver/config.yml (py3) [root@sdp-dev jumpserver]# sed -i "s/BOOTSTRAP_TOKEN:/BOOTSTRAP_TOKEN: $BOOTSTRAP_TOKEN/g" /opt/jumpserver/config.yml (py3) [root@sdp-dev jumpserver]# sed -i "s/# DEBUG: true/DEBUG: false/g" /opt/jumpserver/config.yml (py3) [root@sdp-dev jumpserver]# sed -i "s/# LOG_LEVEL: DEBUG/LOG_LEVEL: ERROR/g" /opt/jumpserver/config.yml (py3) [root@sdp-dev jumpserver]# sed -i "s/# SESSION_EXPIRE_AT_BROWSER_CLOSE: false/SESSION_EXPIRE_AT_BROWSER_CLOSE: true/g" /opt/jumpserver/config.yml (py3) [root@sdp-dev jumpserver]# echo -e "\033[31m 你的SECRET_KEY是 $SECRET_KEY \033[0m" 你的SECRET_KEY是 vFjo4WEMRWNinXMconEXodf3VeEaRStkDzo6SpIfNxphYEEMUZ (py3) [root@sdp-dev jumpserver]# echo -e "\033[31m 你的BOOTSTRAP_TOKEN是 $BOOTSTRAP_TOKEN \033[0m" 你的BOOTSTRAP_TOKEN是 yBCVQ9WHA9phTZ21 (py3) [root@sdp-dev jumpserver]# vi config.yml (py3) [root@sdp-dev jumpserver]# sed -n '/^DB_/p' /opt/jumpserver/config.yml DB_ENGINE: mysql DB_HOST: 127.0.0.1 DB_PORT: 3306 DB_USER: jumpserveradmin 
DB_PASSWORD: jumpserverpwd DB_NAME: jumpserver (py3) [root@sdp-dev jumpserver]#
七、
(py3) [root@sdp-dev jumpserver]# ./jms start ...... (py3) [root@sdp-dev jumpserver]# ./jms stop Stop service: gunicorn Stop service: celery Stop service: beat (py3) [root@sdp-dev jumpserver]#
后台启动
(py3) [root@sdp-dev jumpserver]# ./jms start -d
八、
[root@sdp-dev ~]# systemctl start docker [root@sdp-dev ~]# [root@sdp-dev ~]# Server_IP=192.168.20.32 [root@sdp-dev ~]# BOOTSTRAP_TOKEN=yBCVQ9WHA9phTZ21 [root@sdp-dev ~]# docker run --name jms_koko -d -p 2222:2222 -p 5000:5000 -e CORE_HOST=http://$Server_IP:8080 -e BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN jumpserver/jms_koko:1.5.5 Unable to find image 'jumpserver/jms_koko:1.5.5' locally 1.5.2: Pulling from jumpserver/jms_koko 050382585609: Pull complete f6e2d22aa00f: Pull complete 8c86c00c5332: Pull complete 6b9c6941a89d: Pull complete a10054b94acf: Pull complete 4005724a64ff: Pull complete 446406ca2953: Pull complete 716a981c63ee: Pull complete 41a65efed49e: Pull complete Digest: sha256:ac6258fe46165860289410970e124031aa74a380cb3e1ad97348feb2c9265cbc Status: Downloaded newer image for jumpserver/jms_koko:1.5.5 31fc5862ea104946590c232f16dab366d55823e559e256c5208a3720be9406ba [root@sdp-dev ~]#
cd /opt wget https://github.com/jumpserver/koko/releases/download/1.5.2/koko-master-37daa82-linux-amd64.tar.gz tar xf koko-master-37daa82-linux-amd64.tar.gz chown -R root:root kokodir cd kokodir chown -R root:root /opt/kokodir cd /opt/kokodir cp config_example.yml config.yml vim config.yml # BOOTSTRAP_TOKEN 需要从 jumpserver/config.yml 里面获取, 保证一致 ./koko
九、
[root@sdp-dev ~]# docker run --name jms_guacamole -d -p 8081:8081 -e JUMPSERVER_SERVER=http://$Server_IP:8080 -e BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN jumpserver/jms_guacamole:1.5.5 Unable to find image 'jumpserver/jms_guacamole:1.5.5' locally 1.5.5: Pulling from jumpserver/jms_guacamole 8ba884070f61: Pull complete 74b389e6937e: Pull complete 41f5461bfc2f: Pull complete f693f2484212: Pull complete 246835158fe4: Pull complete Digest: sha256:de0b74e33c9991181eb507d768df73fb05932f3b4722dc36ecdca4e358fdce8d Status: Downloaded newer image for jumpserver/jms_guacamole:1.5.5 f4d0c314c5fb840e42ea7e284f5349c571039bb1e3af2f3f8377b7a2c5f53f82 [root@sdp-dev ~]#
手工部署guacamole
$ cd /opt $ git clone --depth=1 https://github.com/jumpserver/docker-guacamole.git $ cd /opt/docker-guacamole $ tar xf guacamole-server-1.0.0.tar.gz $ cd /opt/docker-guacamole/guacamole-server-1.0.0 # 根据 http://guacamole.apache.org/doc/gug/installing-guacamole.html 文档安装对应的依赖包 $ autoreconf -fi $ ./configure --with-init-dir=/etc/init.d $ make $ make install # 访问 https://tomcat.apache.org/download-90.cgi 下载最新的 tomcat9 $ mkdir -p /config/guacamole /config/guacamole/lib /config/guacamole/extensions /config/guacamole/data/log/ $ cd /config $ wget http://mirrors.tuna.tsinghua.edu.cn/apache/tomcat/tomcat-9/v9.0.22/bin/apache-tomcat-9.0.22.tar.gz $ tar xf apache-tomcat-9.0.22.tar.gz $ mv apache-tomcat-9.0.22 tomcat9 $ rm -rf /config/tomcat9/webapps/* $ sed -i 's/Connector port="8080"/Connector port="8081"/g' /config/tomcat9/conf/server.xml $ echo "java.util.logging.ConsoleHandler.encoding = UTF-8" >> /config/tomcat9/conf/logging.properties $ ln -sf /opt/docker-guacamole/guacamole-1.0.0.war /config/tomcat9/webapps/ROOT.war $ ln -sf /opt/docker-guacamole/guacamole-auth-jumpserver-1.0.0.jar /config/guacamole/extensions/guacamole-auth-jumpserver-1.0.0.jar $ ln -sf /opt/docker-guacamole/root/app/guacamole/guacamole.properties /config/guacamole/guacamole.properties $ wget https://github.com/ibuler/ssh-forward/releases/download/v0.0.5/linux-amd64.tar.gz $ tar xf linux-amd64.tar.gz -C /bin/ $ chmod +x /bin/ssh-forward # 设置 guacamole 环境 $ export JUMPSERVER_SERVER=http://127.0.0.1:8080 # http://127.0.0.1:8080 指 jumpserver 访问地址 $ echo "export JUMPSERVER_SERVER=http://127.0.0.1:8080" >> ~/.bashrc # BOOTSTRAP_TOKEN 为 Jumpserver/config.yml 里面的 BOOTSTRAP_TOKEN 值 $ export BOOTSTRAP_TOKEN=****** $ echo "export BOOTSTRAP_TOKEN=******" >> ~/.bashrc $ export JUMPSERVER_KEY_DIR=/config/guacamole/keys $ echo "export JUMPSERVER_KEY_DIR=/config/guacamole/keys" >> ~/.bashrc $ export GUACAMOLE_HOME=/config/guacamole $ echo "export GUACAMOLE_HOME=/config/guacamole" >> ~/.bashrc $ /etc/init.d/guacd 
start $ sh /config/tomcat9/bin/startup.sh
十、
与nginx结合支持Web Terminal前端
[root@sdp-dev ~]# cd /opt/ [root@sdp-dev opt]# wget https://github.com/jumpserver/luna/releases/download/1.5.5/luna.tar.gz [root@sdp-dev opt]# tar xf luna.tar.gz [root@sdp-dev opt]# chown -R root:root luna
十一、
[root@sdp-dev opt]# cd /usr/local/nginx/conf/ [root@sdp-dev conf]# ls fastcgi.conf koi-utf nginx.conf uwsgi_params fastcgi.conf.default koi-win nginx.conf.default uwsgi_params.default fastcgi_params mime.types scgi_params win-utf fastcgi_params.default mime.types.default scgi_params.default [root@sdp-dev conf]# mkdir conf.d [root@sdp-dev conf]# cd conf.d/ [root@sdp-dev conf.d]# vim jumpserver.conf [root@sdp-dev conf.d]# ls jumpserver.conf [root@sdp-dev conf.d]# cat jumpserver.conf server { listen 80; # server_name _; server_name bastion.qf.com; client_max_body_size 100m; # 录像及文件上传大小限制 location /luna/ { try_files $uri / /index.html; alias /opt/luna/; # luna 路径, 如果修改安装目录, 此处需要修改 } location /media/ { add_header Content-Encoding gzip; root /opt/jumpserver/data/; # 录像位置, 如果修改安装目录, 此处需要修改 } location /static/ { root /opt/jumpserver/data/; # 静态资源, 如果修改安装目录, 此处需要修改 } location /koko/ { proxy_pass http://localhost:5000; proxy_buffering off; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; proxy_set_header X-Real-IP $remote_addr; proxy_set_header Host $host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; access_log off; } location /guacamole/ { proxy_pass http://localhost:8081/; proxy_buffering off; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $http_connection; proxy_set_header X-Real-IP $remote_addr; proxy_set_header Host $host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; access_log off; } location /ws/ { proxy_pass http://localhost:8070; proxy_http_version 1.1; proxy_buffering off; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; proxy_set_header X-Real-IP $remote_addr; proxy_set_header Host $host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; access_log off; } location / { proxy_pass http://localhost:8080; proxy_set_header X-Real-IP $remote_addr; proxy_set_header Host $host; proxy_set_header 
X-Forwarded-For $proxy_add_x_forwarded_for; access_log off; } } [root@sdp-dev conf.d]# [root@sdp-dev conf.d]# cd .. [root@sdp-dev conf]# vim nginx.conf [root@sdp-dev conf]# grep -Pv "^($| *#)" nginx.conf worker_processes 1; events { worker_connections 1024; } http { include mime.types; default_type application/octet-stream; sendfile on; keepalive_timeout 65; include /usr/local/nginx/conf/conf.d/*.conf; } [root@sdp-dev conf]# cd .. [root@sdp-dev nginx]# sbin/nginx -t nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful [root@sdp-dev nginx]#
- # 检查应用是否已经正常运行
- # 服务全部启动后, 访问 jumpserver 服务器 nginx 代理的 80 端口, 不要通过8080端口访问
- # 默认账号: admin 密码: admin (首次登录后请立即修改默认密码)
十三、
系统设置
设置用户访问的URL
设置邮件地址及验证
设置邮件内容
配置LDAP
导入LDAP用户
终端设置
安全设置
用户管理
用户组设置
用户设置
资产管理
资产管理--管理用户
资产管理--系统用户
资产管理--网域列表
资产管理--资产列表
权限管理
会话管理
会话管理--Web终端
windows终端
会话管理--命令记录
会话管理--历史记录
会话管理--文件管理
会话管理--终端管理
作业中心
作业中心--批量命令
作业中心--任务列表
日志审计
日志审计--登录日志
日志审计--操作日志
日志审计--批量命令
仪表盘
十四、排错
(1)koko 不在线
原因:版本不匹配
解决过程如下:
(py3) [root@qa95-devel jumpserver]# Server_IP=`ip addr | grep 'state UP' -A2 | grep inet | egrep -v '(127.0.0.1|inet6|docker)' | awk '{print $2}' | tr -d "addr:" | head -n 1 | cut -d / -f1` (py3) [root@qa95-devel jumpserver]# docker run --name jms_koko -d -p 2222:2222 -p 127.0.0.1:5000:5000 -e CORE_HOST=http://$Server_IP:8080 -e BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN --restart=always jumpserver/jms_koko:1.5.5 Unable to find image 'jumpserver/jms_koko:1.5.5' locally 1.5.5: Pulling from jumpserver/jms_koko e7c96db7181b: Pull complete 579b06fc1e6a: Pull complete 1a195461e3ce: Pull complete cb544743625b: Pull complete ec65f2bdce0b: Pull complete Digest: sha256:e6c35bd8a9f7be72055be21380344c81c4a6330efa254aabf60b8a4796d508c5 Status: Downloaded newer image for jumpserver/jms_koko:1.5.5 a42306dc4572b58dff389a0d0bf7c62dda0251800039345c17a84cda87734739 (py3) [root@qa95-devel jumpserver]#
然后koko注册成功,并处于在线状态:
(2)Guacamole 注册失败
原因:版本不匹配
解决过程如下:
(py3) [root@qa95-devel jumpserver]# docker stop jms_guacamole jms_guacamole (py3) [root@qa95-devel jumpserver]# docker rm jms_guacamole jms_guacamole (py3) [root@qa95-devel jumpserver]# docker run --name jms_guacamole -d -p 127.0.0.1:8081:8080 -e JUMPSERVER_SERVER=http://$Server_IP:8080 -e BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN --restart=always jumpserver/jms_guacamole:1.5.5 Unable to find image 'jumpserver/jms_guacamole:1.5.5' locally 1.5.5: Pulling from jumpserver/jms_guacamole ab5ef0e58194: Pull complete edf7bc06322e: Pull complete 2034ec367e45: Pull complete e75756b89a95: Pull complete f04c5d071413: Pull complete 2599c3a6a821: Pull complete 52a073ddf64c: Pull complete 805616d72c12: Pull complete 3c40529b36f6: Pull complete 3044f8f99b07: Pull complete d97561b081f3: Pull complete Digest: sha256:667651fd4fe9836d6c4121c66cde25095dce966e9610035da512af25cbe00b79 Status: Downloaded newer image for jumpserver/jms_guacamole:1.5.5 71f7e22b7b0e1687b55f79063b3fe9c699286157c1efd361e4a68ee4ad141a95 (py3) [root@qa95-devel jumpserver]# docker ps CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES 71f7e22b7b0e jumpserver/jms_guacamole:1.5.5 "./entrypoint.sh" 4 minutes ago Up 4 minutes 127.0.0.1:8081->8080/tcp jms_guacamole a42306dc4572 jumpserver/jms_koko:1.5.5 "./entrypoint.sh" 29 minutes ago Up 29 minutes 0.0.0.0:2222->2222/tcp, 127.0.0.1:5000->5000/tcp jms_koko (py3) [root@qa95-devel jumpserver]#
排错参考:https://docs.jumpserver.org/zh/docs/faq.html
"一劳永逸" 的话,有是有的,而 "一劳永逸" 的事却极少