
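      jumpserver CentOS 7 Installation Guide (Official)

      CentOS 7 Installation Guide

      Notes

      • Lines starting with # are comments
      • Lines starting with > must be run in mysql
      • Lines starting with $ are commands to run

      For quick deployment on a cloud server, see Quick Install

      If you run into problems during installation, see Common Installation Problems

      Environment

      • System: CentOS 7
      • IP: 192.168.244.144
      • Directory: /opt
      • Database: mariadb
      • Proxy: nginx

      Start Installation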

      $ yum update -y
      
      # Firewall and SELinux settings; skip this step if you have already disabled the firewall and SELinux
      $ systemctl start firewalld
      $ firewall-cmd --zone=public --add-port=80/tcp --permanent  # nginx port
      $ firewall-cmd --zone=public --add-port=2222/tcp --permanent  # user SSH login port (coco)
      # --permanent makes the rule persistent; without it the rule is lost after a restart

      $ firewall-cmd --reload  # reload the rules
      
      $ setenforce 0
      $ sed -i "s/SELINUX=enforcing/SELINUX=disabled/g" /etc/selinux/config
      
      # Install dependency packages
      $ yum -y install wget gcc epel-release git
      
      # Install Redis; Jumpserver uses Redis as its cache and celery broker
      $ yum -y install redis
      $ systemctl enable redis
      $ systemctl start redis
      
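      # Install MySQL; if you are not using MySQL you can skip the MySQL installation and configuration steps (sqlite3, mysql, postgres and others are supported)
      $ yum -y install mariadb mariadb-devel mariadb-server MariaDB-shared # called mariadb on CentOS 7; usage is the same as mysql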
      $ systemctl enable mariadb
      $ systemctl start mariadb
      # Create the Jumpserver database and grant privileges
      $ DB_PASSWORD=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 24`  # generate a random database password
      $ echo -e "\033[31m 你的數據庫密碼是 $DB_PASSWORD \033[0m"  # print the generated database password
      $ mysql -uroot -e "create database jumpserver default charset 'utf8'; grant all on jumpserver.* to 'jumpserver'@'127.0.0.1' identified by '$DB_PASSWORD'; flush privileges;"
      
      # Install Nginx, used as a proxy server to tie Jumpserver and its components together
      $ vi /etc/yum.repos.d/nginx.repo
      
      [nginx]
      name=nginx repo
      baseurl=http://nginx.org/packages/centos/7/$basearch/
      gpgcheck=0
      enabled=1
      
      $ yum -y install nginx
      $ systemctl enable nginx
      
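      # Install Python 3.6
      $ yum -y install python36 python36-devel

      # Configure and load the Python3 virtual environment
      $ cd /opt
      $ python3.6 -m venv py3  # py3 is the virtual environment name; it can be changed
      $ source /opt/py3/bin/activate  # use the deactivate command to leave the virtual environment

      # The prompt below indicates success. From now on, always run the source command above before running Jumpserver; once the environment is loaded, all commands below are assumed to run inside this virtual environment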
      (py3) [root@localhost py3]
      
      # Download Jumpserver
      $ cd /opt/
      $ git clone https://github.com/jumpserver/jumpserver.git
      $ cd /opt/jumpserver
      $ git checkout 1.4.8
      
      # Install the RPM dependencies
      $ yum -y install $(cat /opt/jumpserver/requirements/rpm_requirements.txt)
      
      # Install the Python library dependencies
      $ pip install wheel
      $ pip install --upgrade pip setuptools
      $ pip install -r /opt/jumpserver/requirements/requirements.txt
      
      # Edit the Jumpserver configuration file
      $ cd /opt/jumpserver
      $ cp config_example.yml config.yml
      
      $ SECRET_KEY=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 50`  # generate a random SECRET_KEY
      $ echo "SECRET_KEY=$SECRET_KEY" >> ~/.bashrc
      $ BOOTSTRAP_TOKEN=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 16`  # generate a random BOOTSTRAP_TOKEN
      $ echo "BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN" >> ~/.bashrc
      
      $ sed -i "s/SECRET_KEY:/SECRET_KEY: $SECRET_KEY/g" /opt/jumpserver/config.yml
      $ sed -i "s/BOOTSTRAP_TOKEN:/BOOTSTRAP_TOKEN: $BOOTSTRAP_TOKEN/g" /opt/jumpserver/config.yml
      $ sed -i "s/# DEBUG: true/DEBUG: false/g" /opt/jumpserver/config.yml
      $ sed -i "s/# LOG_LEVEL: DEBUG/LOG_LEVEL: ERROR/g" /opt/jumpserver/config.yml
      $ sed -i "s/# SESSION_EXPIRE_AT_BROWSER_CLOSE: false/SESSION_EXPIRE_AT_BROWSER_CLOSE: true/g" /opt/jumpserver/config.yml
      $ sed -i "s/DB_PASSWORD: /DB_PASSWORD: $DB_PASSWORD/g" /opt/jumpserver/config.yml
      
      $ echo -e "\033[31m 你的SECRET_KEY是 $SECRET_KEY \033[0m"
      $ echo -e "\033[31m 你的BOOTSTRAP_TOKEN是 $BOOTSTRAP_TOKEN \033[0m"
      
      $ vi config.yml  # check the contents for errors
      
      # SECURITY WARNING: keep the secret key used in production secret!
      # Encryption key: in production change it to a random string and do not leak it. PS: a digits-only value is not allowed
      SECRET_KEY:
      
      # SECURITY WARNING: keep the bootstrap token used in production secret!
      # Pre-shared token that coco and guacamole use to register their service accounts; the old register-and-accept mechanism is no longer used
      BOOTSTRAP_TOKEN:
      
      # Development env open this, when error occur display the full process track, Production disable it
      # DEBUG mode: with DEBUG enabled, more log detail is shown when an error occurs
      DEBUG: false
      
      # DEBUG, INFO, WARNING, ERROR, CRITICAL can set. See https://docs.djangoproject.com/en/1.10/topics/logging/
      # Log level
      LOG_LEVEL: ERROR
      # LOG_DIR:
      
      # Session expiration setting, default 24 hours; can also be set to expire on browser close
      # Browser session lifetime: 24 hours by default, or expire when the browser is closed
      # SESSION_COOKIE_AGE: 86400
      SESSION_EXPIRE_AT_BROWSER_CLOSE: true
      
      # Database setting, Support sqlite3, mysql, postgres ....
      # Database settings
      # See https://docs.djangoproject.com/en/1.10/ref/settings/#databases

      # SQLite setting:
      # Use a single-file sqlite database
      # DB_ENGINE: sqlite3
      # DB_NAME:

      # MySQL or postgres setting like:
      # Use MySQL as the database
      DB_ENGINE: mysql
      DB_HOST: 127.0.0.1
      DB_PORT: 3306
      DB_USER: jumpserver
      DB_PASSWORD:
      DB_NAME: jumpserver
      
      # When Django start it will bind this host and port
      # ./manage.py runserver 127.0.0.1:8080
      # Host and port to bind at runtime
      HTTP_BIND_HOST: 0.0.0.0
      HTTP_LISTEN_PORT: 8080
      
      # Use Redis as broker for celery and web socket
      # Redis configuration
      REDIS_HOST: 127.0.0.1
      REDIS_PORT: 6379
      # REDIS_PASSWORD:
      # REDIS_DB_CELERY: 3
      # REDIS_DB_CACHE: 4
      
      # Use OpenID authorization
      # Settings for authenticating with OpenID
      # BASE_SITE_URL: http://localhost:8080
      # AUTH_OPENID: false  # True or False
      # AUTH_OPENID_SERVER_URL: https://openid-auth-server.com/
      # AUTH_OPENID_REALM_NAME: realm-name
      # AUTH_OPENID_CLIENT_ID: client-id
      # AUTH_OPENID_CLIENT_SECRET: client-secret
      
      # OTP settings
      # OTP/MFA configuration
      # OTP_VALID_WINDOW: 0
      # OTP_ISSUER_NAME: Jumpserver
      
      # Run Jumpserver
      $ cd /opt/jumpserver
      $ ./jms start -d  # use the -d option to run in the background: ./jms start -d
      # The newer version changed the run script; usage: ./jms start|stop|status all  (add the -d option to run in the background)

      # Install docker to deploy coco and guacamole
      $ yum install -y yum-utils device-mapper-persistent-data lvm2
      $ yum-config-manager --add-repo http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
      $ yum makecache fast
      $ rpm --import https://mirrors.aliyun.com/docker-ce/linux/centos/gpg
      $ yum -y install docker-ce wget
      $ systemctl enable docker
      $ mkdir /etc/docker
      $ wget -O /etc/docker/daemon.json http://demo.jumpserver.org/download/docker/daemon.json
      $ systemctl restart docker
      
      # Allow container IPs to reach port 8080 on the host (a container's IP can be checked from inside the container)
      $ firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="172.17.0.0/16" port protocol="tcp" port="8080" accept'
      $ firewall-cmd --reload
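      # 172.17.0.x is docker's default container IP pool; for convenience the whole range is authorized here, but you can authorize individual IPs instead as your situation requires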
      
      # Get the current server IP
      $ Server_IP=`ip addr | grep inet | egrep -v '(127.0.0.1|inet6|docker)' | awk '{print $2}' | tr -d "addr:" | head -n 1 | cut -d / -f1`
      $ echo -e "\033[31m 你的服務器IP是 $Server_IP \033[0m"
      
      # http://<Jumpserver_url> points to the jumpserver service port, e.g. http://192.168.244.144:8080
      # BOOTSTRAP_TOKEN is the BOOTSTRAP_TOKEN from Jumpserver/config.yml
      $ docker run --name jms_coco -d -p 2222:2222 -p 5000:5000 -e CORE_HOST=http://$Server_IP:8080 -e BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN jumpserver/jms_coco:1.4.8
      $ docker run --name jms_guacamole -d -p 8081:8081 -e JUMPSERVER_SERVER=http://$Server_IP:8080 -e BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN jumpserver/jms_guacamole:1.4.8
      
      # Install the Web Terminal front end, Luna. It needs Nginx to be served. Download the release package for your version from https://github.com/jumpserver/luna/releases and simply extract it; no build is required
      $ cd /opt
      $ wget https://github.com/jumpserver/luna/releases/download/1.4.8/luna.tar.gz
      
      # If network problems prevent the download from completing, use the address below
      $ wget https://demo.jumpserver.org/download/luna/1.4.8/luna.tar.gz
      
      $ tar xf luna.tar.gz
      $ chown -R root:root luna
      
      # Configure Nginx to tie the components together
      $ rm -rf /etc/nginx/conf.d/default.conf
      
      $ vi /etc/nginx/conf.d/jumpserver.conf
      
      server {
          listen 80;
      
          client_max_body_size 100m;  # size limit for recordings and file uploads
      
          location /luna/ {
              try_files $uri / /index.html;
              alias /opt/luna/;  # luna path; change this if you changed the install directory
          }
      
          location /media/ {
              add_header Content-Encoding gzip;
              root /opt/jumpserver/data/;  # recording location; change this if you changed the install directory
          }
      
          location /static/ {
              root /opt/jumpserver/data/;  # static resources; change this if you changed the install directory
          }
      
          location /socket.io/ {
              proxy_pass       http://localhost:5000/socket.io/;
              proxy_buffering off;
              proxy_http_version 1.1;
              proxy_set_header Upgrade $http_upgrade;
              proxy_set_header Connection "upgrade";
              proxy_set_header X-Real-IP $remote_addr;
              proxy_set_header Host $host;
              proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
              access_log off;
          }
      
          location /coco/ {
              proxy_pass       http://localhost:5000/coco/;
              proxy_set_header X-Real-IP $remote_addr;
              proxy_set_header Host $host;
              proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
              access_log off;
          }
      
          location /guacamole/ {
              proxy_pass       http://localhost:8081/;
              proxy_buffering off;
              proxy_http_version 1.1;
              proxy_set_header Upgrade $http_upgrade;
              proxy_set_header Connection $http_connection;
              proxy_set_header X-Real-IP $remote_addr;
              proxy_set_header Host $host;
              proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
              access_log off;
          }
      
          location / {
              proxy_pass http://localhost:8080;
              proxy_set_header X-Real-IP $remote_addr;
              proxy_set_header Host $host;
              proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          }
      }
      
      # Run Nginx
      $ nginx -t   # make sure the configuration has no problems; fix any problems first
      $ systemctl start nginx
      
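      # Visit http://192.168.244.144 (note: no :8080; access goes through the nginx proxy port)
      # Default account: admin, password: admin. Go to Session Management > Terminal Management to accept the registration of coco, Guacamole and other applications
      # Test the connection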
      $ ssh -p2222 admin@192.168.244.144
      $ sftp -P2222 admin@192.168.244.144
        Password: admin
      
      # On Windows, the login syntax in the Xshell terminal is as follows
      $ ssh admin@192.168.244.144 2222
      $ sftp admin@192.168.244.144 2222
        Password: admin
        If you can log in, the deployment succeeded
      
      # By default, sftp uploads go to the /tmp directory of the asset
      # On Windows, drag-and-drop uploads go to the G directory in the asset's Guacamole RDP session
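
      A check for the config.yml step above, as an added example that is not part of the original guide or of the Jumpserver project: a POSIX shell audit confirming that the sed substitutions actually filled in SECRET_KEY, BOOTSTRAP_TOKEN and DB_PASSWORD, that DEBUG is false, and that the file is not accessible to group or other. The key names come from the config.yml listing above; the function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the Jumpserver project): audit config.yml after the
# sed edits in this guide. Key names are those in the listing above; the
# function names and sample values are constructed for illustration.

# Print the value of a top-level "KEY: value" line (empty if unset or commented out).
cfg_get() {
    sed -n "s/^$1:[[:space:]]*//p" "$2" | sed 's/[[:space:]]*#.*$//; s/[[:space:]]*$//' | head -n 1
}

# Print one line per finding; the return status is the number of findings.
audit_jms_config() {
    cfg=$1
    findings=0
    fail() { echo "FAIL: $1"; findings=$((findings + 1)); }

    secret=$(cfg_get SECRET_KEY "$cfg")
    [ -n "$secret" ] || fail "SECRET_KEY is empty (sed substitution did not apply)"
    case $secret in
        '' | *[!0-9]*) ;;   # empty (already reported) or contains a non-digit
        *) fail "SECRET_KEY is digits only, which the config comments forbid" ;;
    esac
    [ -n "$(cfg_get BOOTSTRAP_TOKEN "$cfg")" ] || fail "BOOTSTRAP_TOKEN is empty"
    [ -n "$(cfg_get DB_PASSWORD "$cfg")" ] || fail "DB_PASSWORD is empty"
    [ "$(cfg_get DEBUG "$cfg")" = "false" ] || fail "DEBUG is not set to false"

    # The file holds three secrets: all group/other permission bits should be off.
    perms=$(ls -ld "$cfg" | cut -c5-10)
    [ "$perms" = "------" ] || fail "group/other can access the file ($perms)"

    return "$findings"
}

# Constructed sample: a config.yml where the substitutions silently failed.
demo_sample() {
    sample=$(mktemp)
    printf '%s\n' 'SECRET_KEY: 123456' 'BOOTSTRAP_TOKEN:' '# DEBUG: true' \
        'DB_PASSWORD: ' > "$sample"
    chmod 644 "$sample"
    audit_jms_config "$sample" && n=0 || n=$?
    rm -f "$sample"
    return "$n"
}

# With a path argument audit that file; otherwise run the constructed sample.
if [ $# -gt 0 ]; then audit_jms_config "$1"; else demo_sample || true; fi
```

      Saved under a name of your choice and given /opt/jumpserver/config.yml as its argument, the script exits with the number of findings, so a zero exit status means every check passed.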
      

      Multi-Component Load Balancing Notes

      # The coco service runs on a single core by default; under heavy load user access becomes slow, and running several docker containers relieves this
      $ docker run --name jms_coco01 -d -p 2223:2222 -p 5001:5000 -e CORE_HOST=http://<Jumpserver_url> -e BOOTSTRAP_TOKEN=****** jumpserver/jms_coco:1.4.8
      $ docker run --name jms_coco02 -d -p 2224:2222 -p 5002:5000 -e CORE_HOST=http://<Jumpserver_url> -e BOOTSTRAP_TOKEN=****** jumpserver/jms_coco:1.4.8
      ...
      
      # The same applies to guacamole
      $ docker run --name jms_guacamole01 -d -p 8082:8081 -e JUMPSERVER_SERVER=http://<Jumpserver_url> -e BOOTSTRAP_TOKEN=****** jumpserver/jms_guacamole:1.4.8
      $ docker run --name jms_guacamole02 -d -p 8083:8081 -e JUMPSERVER_SERVER=http://<Jumpserver_url> -e BOOTSTRAP_TOKEN=****** jumpserver/jms_guacamole:1.4.8
      ...
      
      # nginx proxy settings
      $ vi /etc/nginx/nginx.conf
      user  nginx;
      worker_processes  auto;
      
      error_log  /var/log/nginx/error.log warn;
      pid        /var/run/nginx.pid;
      
      
      events {
          worker_connections  1024;
      }
      
      # Add the tcp proxy
      stream {
          log_format  proxy  '$remote_addr [$time_local] '
                             '$protocol $status $bytes_sent $bytes_received '
                             '$session_time "$upstream_addr" '
                             '"$upstream_bytes_sent" "$upstream_bytes_received" "$upstream_connect_time"';
      
          access_log /var/log/nginx/tcp-access.log  proxy;
          open_log_file_cache off;
      
          upstream cocossh {
              server localhost:2222 weight=1;
              server localhost:2223 weight=1;  # additional node
              server localhost:2224 weight=1;  # additional node
              # these are the coco ssh backend IPs
              hash $remote_addr;
          }
          server {
              listen 2220;  # the port users ssh to; do not use a port that is already in use, change as needed
              proxy_pass cocossh;
              proxy_connect_timeout 10s;
          }
      }
      # End of the tcp proxy section
      
      http {
          include       /etc/nginx/mime.types;
          default_type  application/octet-stream;
      
          log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                            '$status $body_bytes_sent "$http_referer" '
                            '"$http_user_agent" "$http_x_forwarded_for"';
      
          access_log  /var/log/nginx/access.log  main;
      
          sendfile        on;
          # tcp_nopush     on;
      
          keepalive_timeout  65;
      
          # hide the version number
          server_tokens off;
      
          include /etc/nginx/conf.d/*.conf;
      }
      
      $ firewall-cmd --zone=public --add-port=2220/tcp --permanent
      $ firewall-cmd --reload
      
      $ vi /etc/nginx/conf.d/jumpserver.conf
      upstream jumpserver {
          server localhost:8080;
          # this is the jumpserver backend IP
      }
      
      upstream cocows {
          server localhost:5000 weight=1;
          server localhost:5001 weight=1;  # additional node
          server localhost:5002 weight=1;  # additional node
          # these are the coco ws backend IPs
          ip_hash;
      }
      
      upstream guacamole {
          server localhost:8081 weight=1;
          server localhost:8082 weight=1;  # additional node
          server localhost:8083 weight=1;  # additional node
          # these are the guacamole backend IPs
          ip_hash;
      }
      
      server {
          listen 80;
          server_name demo.jumpserver.org;  # change this to your own domain name
      
          client_max_body_size 100m;  # recording upload size limit
      
          location / {
              proxy_pass http://jumpserver;
              proxy_set_header X-Real-IP $remote_addr;
              proxy_set_header Host $host;
              proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
              access_log off;
          }
      
          location /luna/ {
              try_files $uri / /index.html;
              alias /opt/luna/;
          }
      
          location /media/ {
              add_header Content-Encoding gzip;
              root /opt/jumpserver/data/;  # recording location; change this if you changed the install directory
          }
      
          location /static/ {
              root /opt/jumpserver/data/;  # static resources; change this if you changed the install directory
          }
      
          location /socket.io/ {
              proxy_pass       http://cocows/socket.io/;  # coco
              proxy_buffering off;
              proxy_http_version 1.1;
              proxy_set_header Upgrade $http_upgrade;
              proxy_set_header Connection "upgrade";
              proxy_set_header X-Real-IP $remote_addr;
              proxy_set_header Host $host;
              proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
              access_log off;
          }
      
          location /coco/ {
              proxy_pass       http://cocows/coco/;
              proxy_set_header X-Real-IP $remote_addr;
              proxy_set_header Host $host;
              proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
              access_log off;
          }
      
          location /guacamole/ {
              proxy_pass       http://guacamole/;  #  guacamole
              proxy_buffering off;
              proxy_http_version 1.1;
              proxy_set_header Upgrade $http_upgrade;
              proxy_set_header Connection $http_connection;
              proxy_set_header X-Real-IP $remote_addr;
              proxy_set_header Host $host;
              proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
              access_log off;
          }
      }
      
      $ nginx -t
      $ nginx -s reload
      posted @ 2020-09-25 16:16  insi2020