Jumpserver 1.4.10 single-node deployment
Use the latest Jumpserver release wherever possible. This document only records the installation procedure for an old version; running such an outdated version in production is not recommended.
System environment
Components
Component | Version | Notes |
---|---|---|
OS | CentOS 7.9 x86_64 | Minimal install |
Jumpserver | 1.4.10 | - |
Nginx | 1.20.1 | Installed via YUM |
MariaDB | 5.5.68 | Installed via YUM |
Redis | 3.2.12 | Installed via YUM |
Recommended VM size: 8 vCPU / 16 GB RAM.
Disks / partitions
LVM is recommended so that volumes can be grown later.
Mount point | Size | Notes |
---|---|---|
/boot | 1024 M | - |
swap | 8 G | - |
/ | 100 G | - |
/data | 100 G + | Recommended on a separate disk with its own volume group; stores SSH session media (recordings) |
System initialization
Disable SELinux and tighten the SSH daemon configuration (no DNS lookups, no agent/TCP/X11 forwarding through the bastion host), then stop postfix, which is not needed here.
```bash
setenforce 0
sed -i "s/SELINUX=enforcing/SELINUX=disabled/g" /etc/selinux/config
# Harden sshd: the sed patterns match the commented defaults shipped in CentOS 7
sed -i 's%#UseDNS yes%UseDNS no%' /etc/ssh/sshd_config
sed -i 's%#AllowAgentForwarding yes%AllowAgentForwarding no%' /etc/ssh/sshd_config
sed -i 's%#AllowTcpForwarding yes%AllowTcpForwarding no%' /etc/ssh/sshd_config
sed -i 's%X11Forwarding yes%X11Forwarding no%' /etc/ssh/sshd_config
systemctl stop postfix
systemctl disable postfix
```
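The sed substitutions above only take effect when the directive still carries the exact commented default, so it is worth reading the effective values back before restarting sshd. The following audit script is an added example and is not part of the original post; it assumes nothing beyond a standard sshd_config and follows sshd's own rule that the first occurrence of a directive wins.

```bash
#!/bin/sh
# Added example, not from the original post: audit an sshd_config for the four
# directives the sed commands above set. sshd uses the first occurrence of a
# directive, so a later duplicate does not override an earlier one; the parser
# here follows that rule and ignores commented-out lines.

# sshd_effective FILE DIRECTIVE
# Print the effective value of DIRECTIVE (first non-comment match), or "unset".
sshd_effective() {
    value=$(awk -v d="$2" '
        /^[[:space:]]*#/ { next }                     # comment line
        tolower($1) == tolower(d) { print $2; exit }  # first match wins
    ' "$1")
    printf '%s\n' "${value:-unset}"
}

# audit_sshd FILE
# Compare each directive with the hardened value; return 0 only if all match.
audit_sshd() {
    file="$1"; rc=0
    for spec in "UseDNS no" "AllowAgentForwarding no" \
                "AllowTcpForwarding no" "X11Forwarding no"; do
        set -- $spec                      # $1 = directive, $2 = expected value
        actual=$(sshd_effective "$file" "$1")
        if [ "$actual" = "$2" ]; then
            echo "ok    $1 = $actual"
        else
            echo "FAIL  $1 = $actual (expected $2)"
            rc=1
        fi
    done
    return $rc
}

# Usage on the host after the sed commands have run:
#   sh audit_sshd.sh /etc/ssh/sshd_config
if [ $# -gt 0 ]; then
    audit_sshd "$1"
fi
```

Run it against `/etc/ssh/sshd_config` and restart sshd only when every line reports `ok`; a `FAIL ... = unset` means the sed pattern did not match the file you have.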
Configure the firewall
Open 80/443 (web portal) and 2222 (SSH through the bastion) to everyone, and allow port 8080 (the Jumpserver core API) only from the two Docker bridge ranges, since the coco and guacamole containers reach the core through the bridge gateway. The rich rules use single outer quotes so the inner double quotes reach firewalld intact.
```bash
firewall-cmd --zone=public --add-port=80/tcp --permanent
firewall-cmd --zone=public --add-port=443/tcp --permanent
firewall-cmd --zone=public --add-port=2222/tcp --permanent
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="172.17.0.0/16" port protocol="tcp" port="8080" accept'
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="172.18.0.0/16" port protocol="tcp" port="8080" accept'
firewall-cmd --reload
systemctl start firewalld
```
Install the required packages
```bash
yum -y install epel-release
yum -y install yum-utils curl wget vim lsof net-tools openssl openssh chrony gcc python36 python36-devel
```
Configure time synchronization
```bash
cat > /etc/chrony.conf << EOF
server ntp.aliyun.com iburst
server ntp.ntsc.ac.cn iburst
driftfile /var/lib/chrony/drift
makestep 1.0 3
rtcsync
logdir /var/log/chrony
EOF
timedatectl set-timezone Asia/Shanghai
timedatectl set-local-rtc 0
systemctl restart chronyd
systemctl enable chronyd
```
Raise the file-descriptor and process limits
```bash
cat >> /etc/security/limits.conf << EOF
* soft nproc 65535
* hard nproc 65535
* soft nofile 65535
* hard nofile 65535
EOF
```
Tune kernel parameters
The `net.bridge.*` keys require the `br_netfilter` module and `net.netfilter.nf_conntrack_max` requires `nf_conntrack`; until those modules are loaded, `sysctl --system` reports these keys as unknown. Docker loads them when it starts, and the file is applied again at the reboot below. Note that `rp_filter = 0` switches off reverse-path source validation on every interface; it is common in container-host templates but removes an anti-spoofing check, so keep it only if your setup actually needs it.
```bash
cat > /etc/sysctl.d/jumpserver.conf <<EOF
net.ipv4.tcp_keepalive_time = 600
net.ipv4.tcp_keepalive_intvl = 30
net.ipv4.tcp_keepalive_probes = 10
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
net.ipv4.neigh.default.gc_stale_time = 120
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.default.arp_announce = 2
net.ipv4.conf.lo.arp_announce = 2
net.ipv4.conf.all.arp_announce = 2
net.ipv4.ip_forward = 1
net.ipv4.tcp_max_tw_buckets = 5000
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 1024
net.ipv4.tcp_synack_retries = 2
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-arptables = 1
net.netfilter.nf_conntrack_max = 2310720
fs.inotify.max_user_watches = 89100
fs.file-max = 52706963
fs.nr_open = 52706963
vm.swappiness = 0
vm.overcommit_memory = 1
kernel.panic = 10
EOF
```
Install Docker
The Docker CE repository is fetched through a Tencent Cloud mirror; the sed line rewrites the package URLs to the same mirror.
```bash
yum-config-manager --add-repo https://mirrors.cloud.tencent.com/docker-ce/linux/centos/docker-ce.repo
sed -i 's+download.docker.com+mirrors.cloud.tencent.com/docker-ce+' /etc/yum.repos.d/docker-ce.repo
yum -y install device-mapper-persistent-data lvm2 docker-ce docker-ce-cli docker-compose
systemctl enable docker.service
```
Configure the Docker daemon
The `insecure-registries` entries are the author's internal registries; Docker skips TLS verification for any host listed there, so remove them unless you run such registries yourself. The original used the deprecated `graph` key for the data directory; `data-root` is the current name for the same setting.
```bash
mkdir -p /etc/docker
cat > /etc/docker/daemon.json <<EOF
{
  "exec-opts": [
    "native.cgroupdriver=systemd"
  ],
  "registry-mirrors": [
    "http://docker.mirrors.ustc.edu.cn"
  ],
  "insecure-registries": [
    "registry.corpintra.plus",
    "harbor.corpintra.plus"
  ],
  "data-root": "/var/lib/docker",
  "max-concurrent-downloads": 20,
  "max-concurrent-uploads": 10,
  "default-ulimits": {
    "nofile": {
      "Name": "nofile",
      "Hard": 655360,
      "Soft": 655360
    }
  },
  "log-driver": "json-file",
  "log-opts": {
    "max-size": "20m",
    "max-file": "5"
  },
  "storage-driver": "overlay2",
  "ipv6": false
}
EOF
```
Reboot the node
```bash
sync && reboot
```
Install MariaDB, Redis and Nginx
The `nginx*` glob also pulls in the nginx module packages from EPEL, including the stream module that the TCP forwarding configuration below depends on.
```bash
yum -y install redis mariadb mariadb-devel mariadb-server nginx*
systemctl enable --now redis.service mariadb.service
```
Install Jumpserver Core
Install Jumpserver
Create a Python 3.6 virtual environment, download Luna (the web terminal front end) and the Jumpserver 1.4.10 source, install the RPM and pip dependencies, and move the session media directory to the /data volume.
```bash
cd /opt
python3.6 -m venv py3
source /opt/py3/bin/activate
curl -L https://github.com/jumpserver/luna/releases/download/1.4.10/luna.tar.gz -o luna.tar.gz
tar -zxf luna.tar.gz
chown -Rf root:root luna
curl -L https://github.com/jumpserver/jumpserver/archive/refs/tags/1.4.10.tar.gz -o jumpserver-1.4.10.tar.gz
tar -zxf jumpserver-1.4.10.tar.gz
mv jumpserver-1.4.10 jumpserver
chown -Rf root:root jumpserver
yum -y install $(cat /opt/jumpserver/requirements/rpm_requirements.txt)
pip install -i https://pypi.tuna.tsinghua.edu.cn/simple wheel
pip install -i https://pypi.tuna.tsinghua.edu.cn/simple --upgrade pip setuptools==45.2.0
pip install -i https://pypi.tuna.tsinghua.edu.cn/simple -r /opt/jumpserver/requirements/requirements.txt
# Keep session recordings on the /data volume and link them back into the tree
mv /opt/jumpserver/data/media /data/
ln -s /data/media /opt/jumpserver/data/media
deactivate
```
Configure Jumpserver
The secrets are generated from /dev/urandom and printed in red so they can be recorded. The `mysql -uroot` call relies on the fresh MariaDB install having no root password yet; set one once the deployment is complete. The `sed` lines only replace keys that still carry their placeholder in config.yml and silently do nothing otherwise, so check the file afterwards.
```bash
cd /opt/jumpserver
cp config_example.yml config.yml
DB_PASSWORD=$(tr -dc A-Za-z0-9 < /dev/urandom | head -c 24)
echo -e "\033[31m 你的DB_PASSWORD是 $DB_PASSWORD \033[0m"
mysql -uroot -e "create database jumpserver default charset 'utf8'; grant all on jumpserver.* to 'jumpserver'@'127.0.0.1' identified by '$DB_PASSWORD'; flush privileges;"
SECRET_KEY=$(tr -dc A-Za-z0-9 < /dev/urandom | head -c 50)
echo -e "\033[31m 你的SECRET_KEY是 $SECRET_KEY \033[0m"
BOOTSTRAP_TOKEN=$(tr -dc A-Za-z0-9 < /dev/urandom | head -c 16)
echo -e "\033[31m 你的BOOTSTRAP_TOKEN是 $BOOTSTRAP_TOKEN \033[0m"
sed -i "s/SECRET_KEY:/SECRET_KEY: $SECRET_KEY/g" /opt/jumpserver/config.yml
sed -i "s/BOOTSTRAP_TOKEN:/BOOTSTRAP_TOKEN: $BOOTSTRAP_TOKEN/g" /opt/jumpserver/config.yml
sed -i "s/# DEBUG: true/DEBUG: false/g" /opt/jumpserver/config.yml
sed -i "s/# LOG_LEVEL: DEBUG/LOG_LEVEL: ERROR/g" /opt/jumpserver/config.yml
sed -i "s/# SESSION_EXPIRE_AT_BROWSER_CLOSE: false/SESSION_EXPIRE_AT_BROWSER_CLOSE: true/g" /opt/jumpserver/config.yml
sed -i "s/DB_PASSWORD: /DB_PASSWORD: $DB_PASSWORD/g" /opt/jumpserver/config.yml
```
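Because an unmatched `sed` leaves `SECRET_KEY` or `DB_PASSWORD` empty without any error, a safer version of the same step reads each key back after writing it. The script below is an added example, not code from the original post or from the Jumpserver project; it assumes GNU sed (as on CentOS) and the `KEY: value` layout of config_example.yml, and it sets the same shell variables (`SECRET_KEY`, `BOOTSTRAP_TOKEN`, `DB_PASSWORD`) that the later heredocs expand.

```bash
#!/bin/sh
# Added example, not from the original post: generate the three secrets and
# write them into config.yml, verifying every substitution. The sed one-liners
# above only match a key that still has its placeholder and silently do
# nothing otherwise, so a typo or a pre-filled key leaves the value unset.
# Assumes GNU sed (CentOS) and the "KEY: value" layout of config_example.yml.

# gen_secret LENGTH: LENGTH random alphanumeric characters from /dev/urandom
gen_secret() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "$1"
}

# get_yaml_key FILE KEY: print the value of the first uncommented top-level KEY
get_yaml_key() {
    awk -v k="$2" '
        /^[[:space:]]*#/ { next }
        $1 == k ":" { sub(/^[^:]*:[[:space:]]*/, ""); print; exit }
    ' "$1"
}

# set_yaml_key FILE KEY VALUE
# Replace a "KEY:" line whether it is commented out or not, append the key if
# absent, then read it back to confirm the file really holds VALUE.
set_yaml_key() {
    file="$1"; key="$2"; value="$3"
    case "$value" in                     # these would break the sed expression
        *'|'*|*'&'*|*'\'*) echo "unsupported character in value for $key" >&2; return 1 ;;
    esac
    if grep -Eq "^#?[[:space:]]*${key}:" "$file"; then
        sed -i -E "s|^#?[[:space:]]*${key}:.*|${key}: ${value}|" "$file"
    else
        printf '%s: %s\n' "$key" "$value" >> "$file"
    fi
    if [ "$(get_yaml_key "$file" "$key")" != "$value" ]; then
        echo "failed to set $key in $file" >&2
        return 1
    fi
}

# configure_jumpserver FILE: the equivalent of the sed block above, with checks
configure_jumpserver() {
    SECRET_KEY=$(gen_secret 50)
    BOOTSTRAP_TOKEN=$(gen_secret 16)
    DB_PASSWORD=$(gen_secret 24)
    set_yaml_key "$1" SECRET_KEY "$SECRET_KEY" &&
    set_yaml_key "$1" BOOTSTRAP_TOKEN "$BOOTSTRAP_TOKEN" &&
    set_yaml_key "$1" DB_PASSWORD "$DB_PASSWORD" &&
    set_yaml_key "$1" DEBUG false &&
    set_yaml_key "$1" LOG_LEVEL ERROR &&
    set_yaml_key "$1" SESSION_EXPIRE_AT_BROWSER_CLOSE true &&
    chmod 600 "$1"                       # the file now holds secrets; root only
}

# Usage: source this file, then
#   configure_jumpserver /opt/jumpserver/config.yml
```

Source the file rather than executing it so that the three variables remain in the shell for the `mysql` grant and the docker-compose heredocs that follow.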
Configure start on boot
```bash
cat > /usr/lib/systemd/system/jms.service <<EOF
[Unit]
Description=Jumpserver jms
After=network.target mariadb.service redis.service docker.service
Wants=mariadb.service redis.service docker.service

[Service]
Type=forking
Environment="PATH=/opt/py3/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin"
ExecStart=/opt/jumpserver/jms start all -d
ExecStop=/opt/jumpserver/jms stop
LimitNOFILE=65535
StandardOutput=null
StandardError=null

[Install]
WantedBy=multi-user.target
EOF
```
Start the service
The first start initializes the database and takes a while; be patient and do not press Ctrl-C.
```bash
systemctl enable --now jms.service
```
Install coco and guacamole
The official documentation starts these with `docker run`; I recommend docker-compose instead, combined later with systemd so they start on boot.
Create the Docker network
```bash
docker network create -d bridge --subnet 172.18.0.0/16 --gateway 172.18.0.1 --opt "com.docker.network.bridge.name"="jms-network" jms-network
```
Configure the coco docker-compose.yaml
The heredoc is unquoted on purpose so that `$BOOTSTRAP_TOKEN` from the configuration step is expanded into the file. The token then sits in plaintext under /opt/jumpserver, so restrict the file to root.
```bash
cat > /opt/jumpserver/docker-compose-jmscoco.yaml <<EOF
version: '3.4'
networks:
  default:
    external:
      name: jms-network
services:
  jms_coco_01:
    container_name: jms_coco_01
    image: jumpserver/jms_coco:1.4.10
    environment:
      CORE_HOST: http://172.18.0.1:8080
      BOOTSTRAP_TOKEN: $BOOTSTRAP_TOKEN
      TZ: Asia/Shanghai
    restart: always
    ports:
      - 2223:2222
      - 5001:5000
    tty: false
  jms_coco_02:
    container_name: jms_coco_02
    image: jumpserver/jms_coco:1.4.10
    environment:
      CORE_HOST: http://172.18.0.1:8080
      BOOTSTRAP_TOKEN: $BOOTSTRAP_TOKEN
      TZ: Asia/Shanghai
    restart: always
    ports:
      - 2224:2222
      - 5002:5000
    tty: false
EOF
```
Configure the coco systemd unit
```bash
cat > /usr/lib/systemd/system/jmscoco.service <<EOF
[Unit]
Description=Jumpserver coco
After=rsyslog.service network.target network.service docker.service jms.service
Wants=network-online.target network.service docker.service jms.service
Requires=docker.socket

[Service]
Type=oneshot
RemainAfterExit=yes
WorkingDirectory=/opt/jumpserver
ExecStart=/usr/bin/docker-compose -f docker-compose-jmscoco.yaml -p jmscoco up -d --remove-orphans
ExecStop=/usr/bin/docker-compose -f docker-compose-jmscoco.yaml -p jmscoco down
User=root
Group=root

[Install]
WantedBy=multi-user.target
EOF
```
Configure the guacamole docker-compose.yaml
As with coco, the heredoc expands `$BOOTSTRAP_TOKEN` into the file; restrict the file to root.
```bash
cat > /opt/jumpserver/docker-compose-jmsguacamole.yaml <<EOF
version: '3.4'
networks:
  default:
    external:
      name: jms-network
services:
  jms_guacamole_01:
    container_name: jms_guacamole_01
    image: jumpserver/jms_guacamole:1.4.10
    environment:
      JUMPSERVER_SERVER: http://172.18.0.1:8080
      BOOTSTRAP_TOKEN: $BOOTSTRAP_TOKEN
      TZ: Asia/Shanghai
    restart: always
    ports:
      - 8082:8081
    tty: false
  jms_guacamole_02:
    container_name: jms_guacamole_02
    image: jumpserver/jms_guacamole:1.4.10
    environment:
      JUMPSERVER_SERVER: http://172.18.0.1:8080
      BOOTSTRAP_TOKEN: $BOOTSTRAP_TOKEN
      TZ: Asia/Shanghai
    restart: always
    ports:
      - 8083:8081
    tty: false
EOF
```
Configure the guacamole systemd unit
Note that the `ExecStartPre` line runs `docker volume prune`, which removes every unused volume on the host, not only guacamole's, and prompts for confirmation unless `-f` is given; drop the line if other containers keep data in volumes on this host.
```bash
cat > /usr/lib/systemd/system/jmsguacamole.service <<EOF
[Unit]
Description=Jumpserver guacamole
After=rsyslog.service network.target network.service docker.service jms.service jmscoco.service
Wants=network-online.target network.service docker.service jms.service jmscoco.service
Requires=docker.socket

[Service]
Type=oneshot
RemainAfterExit=yes
WorkingDirectory=/opt/jumpserver
ExecStartPre=/usr/bin/docker volume prune
ExecStart=/usr/bin/docker-compose -f docker-compose-jmsguacamole.yaml -p jmsguacamole up -d --remove-orphans
ExecStop=/usr/bin/docker-compose -f docker-compose-jmsguacamole.yaml -p jmsguacamole down
User=root
Group=root

[Install]
WantedBy=multi-user.target
EOF
```
Start coco and guacamole
```bash
systemctl enable --now jmscoco.service jmsguacamole.service
```
Use `docker ps -a` to check that the coco and guacamole containers are running.
Configure NGINX (the packages were installed above together with MariaDB and Redis)
Configure stream (TCP) forwarding
Add a `stream` block to nginx.conf, at the top level outside the `http` block, to forward SSH connections on port 2222 to the two coco containers. This requires the nginx stream module, which the `nginx*` install pulled in. `hash $remote_addr` keeps each client on the same coco instance.
```nginx
stream {
    log_format proxy '$remote_addr [$time_local] '
                     '$protocol $status $bytes_sent $bytes_received '
                     '$session_time "$upstream_addr" '
                     '"$upstream_bytes_sent" "$upstream_bytes_received" "$upstream_connect_time"';
    access_log /var/log/nginx/tcp-access.log proxy;
    open_log_file_cache off;

    upstream cocossh {
        server 127.0.0.1:2223 weight=1;
        server 127.0.0.1:2224 weight=1;
        hash $remote_addr;
    }

    server {
        listen 2222;
        proxy_pass cocossh;
        proxy_connect_timeout 10s;
        access_log /var/log/nginx/jms_cocossh_access.log proxy;
    }
}
```
Configure the Jumpserver web portal
Open `/etc/nginx/conf.d/jumpserver.conf` with vim and write the following. The server block listens on plain HTTP port 80 only, even though 443 was opened in the firewall; add a TLS listener before exposing the portal beyond a trusted network.
```nginx
upstream jumpserver {
    server 127.0.0.1:8080;
}

upstream cocows {
    server 127.0.0.1:5001 weight=1;
    server 127.0.0.1:5002 weight=1;
    ip_hash;
}

upstream guacamole {
    server 127.0.0.1:8082 weight=1;
    server 127.0.0.1:8083 weight=1;
    ip_hash;
}

server {
    listen 80;
    server_name localhost;
    client_max_body_size 100m;

    location / {
        proxy_pass http://jumpserver;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    location /luna/ {
        try_files $uri / /index.html;
        alias /opt/luna/;
    }

    location /media/ {
        add_header Content-Encoding gzip;
        root /opt/jumpserver/data/;
    }

    location /static/ {
        root /opt/jumpserver/data/;
    }

    location /socket.io/ {
        proxy_pass http://cocows/socket.io/;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    location /coco/ {
        proxy_pass http://cocows/coco/;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    location /guacamole/ {
        proxy_pass http://guacamole/;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }
}
```
Start NGINX
```bash
systemctl enable --now nginx.service
```
Things to note
Network
- The 172.17.0.0/16 and 172.18.0.0/16 ranges used in this document were chosen only for writing it; they must not conflict with your actual network. 172.17.0.0/16 is the default Docker bridge range (see the Docker documentation on setting `bip` to change it), and 172.18.0.0/16 is the range given when creating the jms-network bridge; decide for your environment whether to change it.
- If you do change these ranges, also replace the gateway addresses 172.17.0.1 and 172.18.0.1 wherever they appear above and adjust the firewalld rules accordingly.
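A quick way to catch the overlap this note warns about, before creating the bridge, is to compare the candidate subnet against every prefix the host already routes. The script below is an added example, not part of the original post; it takes the text of `ip -4 route` as an argument so it can be checked offline against a constructed routing table, and uses only POSIX shell arithmetic.

```bash
#!/bin/sh
# Added example, not from the original post: check that a subnet chosen for
# the Docker bridge or jms-network does not overlap anything already routed on
# the host. It reads the text of `ip -4 route` (passed in so it can be tested
# offline) and compares each routed prefix with the candidate CIDR.

# ip2int A.B.C.D -> 32-bit integer
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# cidr_overlap CIDR1 CIDR2 -> 0 when the two prefixes share any address
cidr_overlap() {
    a1=$(ip2int "${1%/*}"); p1=${1#*/}
    a2=$(ip2int "${2%/*}"); p2=${2#*/}
    # the shorter prefix decides how many leading bits must match
    m=$p1; [ "$p2" -lt "$m" ] && m=$p2
    [ "$m" -eq 0 ] && return 0          # a /0 covers everything
    [ $(( a1 >> (32 - m) )) -eq $(( a2 >> (32 - m) )) ]
}

# subnet_conflicts CIDR ROUTES
# ROUTES is the output of `ip -4 route`. Prints every routed prefix that
# overlaps CIDR and returns 0 if there is at least one conflict, 1 otherwise.
subnet_conflicts() {
    cidr="$1"
    out=$(printf '%s\n' "$2" | while read -r dst rest; do
        case "$dst" in
            '') continue ;;             # blank line
            default) continue ;;        # default route has no prefix
            */*) ;;                     # already written as a prefix
            *) dst="$dst/32" ;;         # a single-host route
        esac
        if cidr_overlap "$cidr" "$dst"; then
            echo "$cidr overlaps routed prefix $dst ($rest)"
        fi
    done)
    [ -n "$out" ] && printf '%s\n' "$out"
}

# Usage on the host, before `docker network create`:
#   subnet_conflicts 172.18.0.0/16 "$(ip -4 route)" && echo "pick another subnet"
```

The same check applies to the `bip` range if you move the default Docker bridge away from 172.17.0.0/16.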
Load balancing
- This document starts two container instances each of coco and guacamole; reduce or increase the number of instances as needed.
- This document uses the nginx stream module for layer-4 TCP forwarding of SSH; HAProxy or similar software can take its place, and on a public cloud a layer-4 load balancer can be used instead.
Database
- This document uses a local MariaDB and Redis; choose an external or public-cloud database as needed.
This article is from cnblogs (博客园), author: 银河系派件员. When reposting, please credit the original link: https://www.cnblogs.com/zhaojli/p/16949639.html