Jumpserver 3.0 installation notes and pitfalls
Compiled from various sources and the official documentation (https://www.jishuchi.com/read/Jumpserver-148/2102), with the author's own pitfall fixes added.
1. Install the Python 3 environment
1> Update epel-release
$ yum install -y python36 python36-devel python36-pip
2> After installing Python, two more files have to be edited, because yum and its download helper are Python 2 programs and must keep pointing at the Python 2.7 interpreter:
a) /usr/bin/yum
Change the first line #!/usr/bin/python to #!/usr/bin/python2.7
b) /usr/libexec/urlgrabber-ext-down
Change the first line #!/usr/bin/python to #!/usr/bin/python2.7
Then continue the remaining installs with yum.
2. Install Redis
# 1. Check whether a redis package is available from the configured yum repos
yum install redis
# 2. Add the Fedora EPEL repository
yum install epel-release
# 3. Install the Redis database
yum install redis
# 4. After installation, start and stop the redis service with
service redis start
service redis stop
# Check the redis process
service redis status
ps -ef | grep redis
3. Install MySQL
It is recommended to use an already installed MySQL.
# Generate a random database password
DB_PASSWORD=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 24`
echo -e "\033[31m Your database password is $DB_PASSWORD \033[0m"
# Create the jumpserver database and user and grant privileges (replace user/pwd with your MySQL admin credentials; test the new account once created)
mysql -uuser -ppwd -e "create database jumpserver default charset 'utf8'; grant all on jumpserver.* to 'jumpserver'@'127.0.0.1' identified by '$DB_PASSWORD'; flush privileges;"
4. Install Jumpserver
1> git clone --depth=1 https://github.com/jumpserver/jumpserver.git
Or download the zip from GitHub manually and unpack it on the server.
2> Enter the unpacked jumpserver directory and install the dependencies and modules. This step uses pip, whose default index is overseas and slow, so configure a pip mirror first:
$ mkdir ~/.pip
$ cat > ~/.pip/pip.conf << EOF
> [global]
> trusted-host=mirrors.aliyun.com
> index-url=https://mirrors.aliyun.com/pypi/simple/
> EOF
3> Set up a Python 3 virtual environment (to avoid conflicts with the system Python). Important: every step from here on is run inside this virtualenv.
# Set up the py3 virtualenv
$ python3.6 -m venv /soft/py3
$ source /soft/py3/bin/activate
To leave the virtualenv:
$ deactivate
4> Install the required dependency packages
$ yum -y install $(cat /soft/jumpserver-master/requirements/rpm_requirements.txt)
$ pip install -r /soft/jumpserver-master/requirements/requirements.txt
Heads up!!!
Pitfall: when installing the packages in requirements.txt, the install failed every time at python-gssapi==0.6.4.
Fix: comment that line out first, run the install command, then uncomment it and run the install again; it then succeeds. The same workaround applies later when installing the coco dependencies.
Suspected reason: this package needs to be installed last.
5> Edit the Jumpserver configuration file
$ cd /soft/jumpserver-master
$ cp config_example.yml config.yml
$ SECRET_KEY=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 50`   # generate a random SECRET_KEY
$ echo "SECRET_KEY=$SECRET_KEY" >> ~/.bashrc
$ BOOTSTRAP_TOKEN=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 16`   # generate a random BOOTSTRAP_TOKEN
$ echo "BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN" >> ~/.bashrc
$ sed -i "s/SECRET_KEY:/SECRET_KEY: $SECRET_KEY/g" config.yml
$ sed -i "s/BOOTSTRAP_TOKEN:/BOOTSTRAP_TOKEN: $BOOTSTRAP_TOKEN/g" config.yml
$ sed -i "s/# DEBUG: true/DEBUG: false/g" config.yml
$ sed -i "s/# LOG_LEVEL: DEBUG/LOG_LEVEL: ERROR/g" config.yml
$ sed -i "s/# SESSION_EXPIRE_AT_BROWSER_CLOSE: false/SESSION_EXPIRE_AT_BROWSER_CLOSE: true/g" config.yml
$ sed -i "s/DB_PASSWORD: /DB_PASSWORD: $DB_PASSWORD/g" config.yml
$ echo -e "\033[31m Your SECRET_KEY is $SECRET_KEY \033[0m"
$ echo -e "\033[31m Your BOOTSTRAP_TOKEN is $BOOTSTRAP_TOKEN \033[0m"
When done, open config.yml and check it for mistakes:
# SECURITY WARNING: keep the secret key used in production secret!
# Encryption key. In production change it to a random string and never disclose it. Note: an all-digit value is not allowed.
SECRET_KEY:

# SECURITY WARNING: keep the bootstrap token used in production secret!
# Pre-shared token used by coco and guacamole to register their service accounts; the old register-and-approve mechanism is no longer used.
BOOTSTRAP_TOKEN:

# Development env open this, when error occur display the full process track, Production disable it
# DEBUG mode: with DEBUG on, more log output is shown when an error occurs
DEBUG: true

# DEBUG, INFO, WARNING, ERROR, CRITICAL can set. See https://docs.djangoproject.com/en/1.10/topics/logging/
# Log level
LOG_LEVEL: ERROR
LOG_DIR:

# Session expiration setting, Default 24 hour, Also set expired on browser close
# Browser session lifetime, default 24 hours; can also be set to expire when the browser closes
# SESSION_COOKIE_AGE: 86400
SESSION_EXPIRE_AT_BROWSER_CLOSE: true

# Database setting, Support sqlite3, mysql, postgres ....
# Database settings
# See https://docs.djangoproject.com/en/1.10/ref/settings/#databases

# SQLite setting:
# Use a single-file sqlite database
# DB_ENGINE: sqlite3
# DB_NAME:

# MySQL or postgres setting like:
# Use MySQL as the database
DB_ENGINE: mysql
DB_HOST: 127.0.0.1
DB_PORT: 3306
DB_USER: jumpserver
DB_PASSWORD:    # the randomly generated password from step 3 goes here
DB_NAME: jumpserver

# When Django start it will bind this host and port
# ./manage.py runserver 127.0.0.1:8000
# Host and port bound at runtime
HTTP_BIND_HOST: 127.0.0.1
HTTP_LISTEN_PORT: 8000

# Use Redis as broker for celery and web socket
# Redis settings
REDIS_HOST: 127.0.0.1
REDIS_PORT: 6379
REDIS_PASSWORD:
# REDIS_DB_CELERY: 3
# REDIS_DB_CACHE: 4

# Use OpenID authorization
# OpenID authentication settings
# BASE_SITE_URL: http://localhost:8080
# AUTH_OPENID: false  # True or False
# AUTH_OPENID_SERVER_URL: https://openid-auth-server.com/
# AUTH_OPENID_REALM_NAME: realm-name
# AUTH_OPENID_CLIENT_ID: client-id
# AUTH_OPENID_CLIENT_SECRET: client-secret

# OTP settings
# OTP/MFA settings
# OTP_VALID_WINDOW: 0
# OTP_ISSUER_NAME: Jumpserver
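The "open config.yml and check it by eye" step above is easy to get wrong, and the config comments name the rules that matter (SECRET_KEY must be set and must not be all digits, DEBUG should be off in production, DB_PASSWORD must be filled in). The bash script below is an added example, not code from the original post or from the Jumpserver project. It repeats the secret generation and sed edits described above on a constructed stand-in for config_example.yml (only the lines the post touches) and then checks the rendered file. The function names gen_secret, render_config, cfg_get and check_config are hypothetical; the sed patterns are anchored with ^ so they only hit the top-level keys.

```shell
#!/usr/bin/env bash
# Added example (not from the original post or the Jumpserver project):
# generate the two secrets, render them into a config file, then verify it.
set -eu

# Generate an alphanumeric secret of the requested length (same recipe as the post).
gen_secret() {
    local len="$1"
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "$len"
}

# Render secrets and production settings into the config file in place.
render_config() {
    local cfg="$1" secret="$2" token="$3" dbpass="$4"
    sed -i "s/^SECRET_KEY:.*/SECRET_KEY: $secret/" "$cfg"
    sed -i "s/^BOOTSTRAP_TOKEN:.*/BOOTSTRAP_TOKEN: $token/" "$cfg"
    sed -i "s/^# DEBUG: true/DEBUG: false/" "$cfg"
    sed -i "s/^# LOG_LEVEL: DEBUG/LOG_LEVEL: ERROR/" "$cfg"
    sed -i "s/^# SESSION_EXPIRE_AT_BROWSER_CLOSE: false/SESSION_EXPIRE_AT_BROWSER_CLOSE: true/" "$cfg"
    sed -i "s/^DB_PASSWORD:.*/DB_PASSWORD: $dbpass/" "$cfg"
}

# Read the value of a top-level "KEY: value" line (enough for this flat YAML).
cfg_get() {
    sed -n "s/^$2:[[:space:]]*//p" "$1" | head -n 1
}

# The checks the post asks the reader to do by eye. Returns 0 when all pass,
# otherwise prints the first failing check and returns 1.
check_config() {
    local cfg="$1" v
    v=$(cfg_get "$cfg" SECRET_KEY)
    [ -n "$v" ] || { echo "SECRET_KEY is empty"; return 1; }
    [ "${#v}" -ge 50 ] || { echo "SECRET_KEY shorter than 50 chars"; return 1; }
    case "$v" in
        *[!0-9]*) ;;                                   # contains a non-digit: fine
        *) echo "SECRET_KEY is all digits (not allowed)"; return 1 ;;
    esac
    v=$(cfg_get "$cfg" BOOTSTRAP_TOKEN)
    [ "${#v}" -ge 16 ] || { echo "BOOTSTRAP_TOKEN shorter than 16 chars"; return 1; }
    [ "$(cfg_get "$cfg" DEBUG)" = "false" ] || { echo "DEBUG is not false"; return 1; }
    [ -n "$(cfg_get "$cfg" DB_PASSWORD)" ] || { echo "DB_PASSWORD is empty"; return 1; }
    return 0
}

# Constructed stand-in for config_example.yml containing the lines the post edits.
make_sample_config() {
    cat > "$1" <<'EOF'
SECRET_KEY:
BOOTSTRAP_TOKEN:
# DEBUG: true
# LOG_LEVEL: DEBUG
# SESSION_EXPIRE_AT_BROWSER_CLOSE: false
DB_ENGINE: mysql
DB_PASSWORD:
DB_NAME: jumpserver
EOF
}

# Demo: render a fresh sample config and check it.
demo() {
    local cfg rc
    cfg=$(mktemp)
    make_sample_config "$cfg"
    render_config "$cfg" "$(gen_secret 50)" "$(gen_secret 16)" "$(gen_secret 24)"
    if check_config "$cfg"; then rc=0; else rc=1; fi
    rm -f "$cfg"
    return "$rc"
}

demo && echo "config.yml passes all checks"
```

On a real install, run check_config against /soft/jumpserver-master/config.yml after the sed commands; a non-zero exit names the first setting that is still wrong.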
5. Start Jumpserver (-d runs it in the background)
$ ./jms start -d
Pitfall: during startup it reported that the django module could not be found.
Fix: in the jms script, change the command that runs manage.py to use python3; otherwise it fails with the missing django module error.
Note: startup connects to Redis and MySQL, so make sure Redis is running and the MySQL user from the config can connect before starting.
6. Install Luna
Fetch it via git or by downloading the release archive manually; the only change needed is to make root the owner of the luna files.
https://github.com/jumpserver/luna/releases
$ tar -xzf /soft/luna.tar.gz -C /soft
$ chown -R root:root /soft/luna
7. Install coco
1> As before, git clone or download manually
git clone https://github.com/jumpserver/coco.git
$ cd /soft/jumpserver-master/coco/requirements
$ yum -y install $(cat rpm_requirements.txt)
$ pip install -r requirements.txt
$ cd ..
$ cp config_example.yml config.yml
coco secret:
$ sed -i "s/BOOTSTRAP_TOKEN: <PleasgeChangeSameWithJumpserver>/BOOTSTRAP_TOKEN: $BOOTSTRAP_TOKEN/g" config.yml
$ sed -i "s/# LOG_LEVEL: INFO/LOG_LEVEL: ERROR/g" config.yml
$ vim config.yml   (BOOTSTRAP_TOKEN must match the one in Jumpserver's config.yml)
Pitfall: same as the dependency-installation pitfall under Jumpserver above.
2> Once installed, start coco
./cocod start -d
8. Install and configure nginx
$ yum install nginx -y   ## install
$ vi /etc/nginx/conf.d/jumpserver.conf   ## write the Jumpserver-related config
This config only hides port 8080 behind nginx.
server {
    listen 80;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    location /luna/ {
        try_files $uri / /index.html;
        alias /soft/luna/;
    }

    location /media/ {
        add_header Content-Encoding gzip;
        root /soft/jumpserver-master/data/;
    }

    location /static/ {
        root /soft/jumpserver-master/data/;
    }

    location /socket.io/ {
        proxy_pass http://localhost:5000/socket.io/;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

    location /guacamole/ {
        proxy_pass http://localhost:8081/;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        access_log off;
    }

    location / {
        proxy_pass http://localhost:8080;
    }
}
Note: comment out the entire server block in /etc/nginx/nginx.conf.
$ systemctl start nginx   ## start
$ systemctl enable nginx   ## start on boot
9. Browse to the server IP (no :8080 port needed)
The moment of truth!!!
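Putting nginx in front only hides port 8080 from the URL; the backend ports (8080 for the Jumpserver web app, 5000 for the coco web socket, 8081 for guacamole) are truly unreachable from the network only if those services bind to 127.0.0.1, as HTTP_BIND_HOST does in the config above. The bash script below is an added example, not part of the original post or the Jumpserver project: it reads `ss -lnt` output and reports any of those backend ports whose listener is not on a loopback address. The two sample outputs are constructed, and the function names exposed_backends and check_listeners are hypothetical.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): verify that the backend ports
# behind nginx are bound to loopback only. Input is the format of `ss -lnt`.
set -eu

# Backend ports from the post's nginx config: Jumpserver (8080), coco (5000),
# guacamole (8081). Only nginx on port 80 should face the network.
BACKEND_PORTS="8080 5000 8081"

# Given `ss -lnt` output on stdin, print "port host" for every backend port
# whose listener is not bound to 127.0.0.1 or [::1].
exposed_backends() {
    awk -v ports="$BACKEND_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        NR > 1 {
            addr = $4                      # e.g. 0.0.0.0:8080, [::]:5000, 127.0.0.1:8080
            port = addr; sub(/.*:/, "", port)
            host = addr; sub(/:[0-9]+$/, "", host)
            if ((port in want) && host != "127.0.0.1" && host != "[::1]")
                print port, host
        }'
}

# Returns 0 when no backend port is exposed, 1 otherwise (listing the offenders).
check_listeners() {
    local bad
    bad=$(exposed_backends)
    if [ -n "$bad" ]; then
        echo "backend ports reachable from the network:"
        echo "$bad"
        return 1
    fi
    return 0
}

# Constructed sample: a correct deployment (backends on loopback, nginx on :80).
sample_good() {
    cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:80         0.0.0.0:*
LISTEN 0      128    127.0.0.1:8080     0.0.0.0:*
LISTEN 0      128    127.0.0.1:5000     0.0.0.0:*
LISTEN 0      128    127.0.0.1:6379     0.0.0.0:*
EOF
}

# Constructed sample: the web app left on 0.0.0.0 and coco on all IPv6
# addresses, so both bypass nginx entirely.
sample_bad() {
    cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:80         0.0.0.0:*
LISTEN 0      128    0.0.0.0:8080       0.0.0.0:*
LISTEN 0      128    [::]:5000          [::]:*
EOF
}

# On a real host:  ss -lnt | check_listeners
sample_good | check_listeners && echo "ok: backends bound to loopback only"
sample_bad | check_listeners || echo "fix HTTP_BIND_HOST / the coco bind address"
```

If the check fails, the fix is in the service configuration (HTTP_BIND_HOST in Jumpserver's config.yml, the bind address in coco's config.yml), not in nginx; a host firewall that only admits port 80 is a second, independent layer.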