首页 > 其他 > 详细

centos 7.x 安装开源堡垒机Jumpserver

时间:2019-01-23 16:23:56      阅读:191      评论:0      收藏:0      [点我收藏+]

环境  

  虚拟机  系统:centos 7

  IP:192.168.168.8
  目录:/opt
  代理:nginx
  数据库:mysql 版本大于等于 5.6    mariadb 版本大于等于 5.5.6

更新yum
  yum update -y

关闭防火墙与selinux
  firewall-cmd --state
  systemctl stop firewalld
  systemctl disable firewalld

  vi /etc/sysconfig/selinux
  SELINUX=enforcing 改为 SELINUX=disabled


  reboot

修改字符集,否则可能报 input/output error的问题,因为日志里打印了中文
  localedef -c -f UTF-8 -i zh_CN zh_CN.UTF-8
  export LC_ALL=zh_CN.UTF-8
  echo ‘LANG="zh_CN.UTF-8"‘ > /etc/locale.conf


安装依赖包
  yum -y install wget sqlite-devel xz gcc automake zlib-devel openssl-devel epel-release git

安装redis,Jumpserver 使用 Redis 做 cache 和 celery broke
  yum -y install redis
  systemctl enable redis
  systemctl start redis

 安装Mysql 作为数据库,如果不使用 Mysql 可以跳过相关 Mysql 安装和配置
  yum -y install mariadb mariadb-devel mariadb-server # centos7下安装的是mariadb
  systemctl enable mariadb
  systemctl start mariadb

创建数据库 Jumpserver 并授权
  mysql -uroot
  > create database jumpserver default charset ‘utf8‘;
  > grant all on jumpserver.* to ‘jumpserver‘@‘127.0.0.1‘ identified by ‘weakPassword‘;
  > flush privileges;
  > quit

安装 Nginx,用代理服务器整合Jumpserver与各个组件
  yum -y install nginx
  systemctl enable nginx

下载编译Python3.6.1
  cd /opt
  wget https://www.python.org/ftp/python/3.6.1/Python-3.6.1.tar.xz
  tar xf Python-3.6.1.tar.xz && cd Python-3.6.1
  ./configure && make && make install

配置并载入Python3虚拟环境
  cd /opt
  python3 -m venv py3
  source /opt/py3/bin/activate
  # 看到下面的提示符代表成功,以后运行 Jumpserver 都要先运行以上 source 命令,以下所有命令均在该虚拟环境中运行
  (py3) [root@localhost opt]#

自动载入Python虚拟环境
  cd /opt
  git clone git://github.com/kennethreitz/autoenv.git
  echo ‘source /opt/autoenv/activate.sh‘ >> ~/.bashrc
  source ~/.bashrc

下载Jumpserver 与 Coco
  cd /opt
  git clone https://github.com/jumpserver/jumpserver.git ----&& cd jumpserver && git checkout master
  echo "source /opt/py3/bin/activate" > /opt/jumpserver/.env

  cd /opt
  git clone https://github.com/jumpserver/coco.git ----&& cd coco && git checkout master && git pull
  echo "source /opt/py3/bin/activate" > /opt/coco/.env


安装依赖 RPM 包
  yum -y install $(cat /opt/jumpserver/requirements/rpm_requirements.txt)
  yum -y install $(cat /opt/coco/requirements/rpm_requirements.txt)

安装python库依赖
  pip install --upgrade pip
  pip install -r /opt/jumpserver/requirements/requirements.txt -i https://mirrors.aliyun.com/pypi/simple/
  pip install -r /opt/coco/requirements/requirements.txt

 修改 Jumpserver 配置文件
  cd /opt/jumpserver
  cp config_example.py config.py

       vi config.py

注意: 配置文件是 Python 格式,不要用 TAB,而要用空格

#!/usr/bin/env python3
# -*- coding: utf-8 -*-
"""
    jumpserver.config
    ~~~~~~~~~~~~~~~~~

    Jumpserver project setting file

    :copyright: (c) 2014-2017 by Jumpserver Team
    :license: GPL v2, see LICENSE for more details.
"""
import os

BASE_DIR = os.path.dirname(os.path.abspath(__file__))


class Config:
    """
    Jumpserver Config File
    Jumpserver 配置文件

    Jumpserver use this config for drive django framework running,
    You can set is value or set the same envirment value,
    Jumpserver look for config order: file => env => default

    Jumpserver使用配置来驱动Django框架的运行,
    你可以在该文件中设置,或者设置同样名称的环境变量,
    Jumpserver使用配置的顺序: 文件 => 环境变量 => 默认值
    """
    # SECURITY WARNING: keep the secret key used in production secret!
    # 加密秘钥 生产环境中请修改为随机字符串,请勿外泄
    SECRET_KEY = 2vym+ky!997d5kkcc64mnz06y1mmui3lut#(^wd=%s_qj$1%x

    # SECURITY WARNING: keep the bootstrap token used in production secret!
    # 预共享Token coco和guacamole用来注册服务账号,不在使用原来的注册接受机制
    # BOOTSTRAP_TOKEN = ‘PleaseChangeMe‘

    ALLOWED_HOSTS = [*]

    # Development env open this, when error occur display the full process track, Production disable it
    # DEBUG 模式 开启DEBUG后遇到错误时可以看到更多日志
    DEBUG = False

    # DEBUG, INFO, WARNING, ERROR, CRITICAL can set. See https://docs.djangoproject.com/en/1.10/topics/logging/
    # 日志级别
    LOG_LEVEL = ERROR
    LOG_DIR = os.path.join(BASE_DIR, logs)

    # Session expiration setting, Default 24 hour, Also set expired on on browser close
    # 浏览器Session过期时间,默认24小时, 也可以设置浏览器关闭则过期
    # SESSION_COOKIE_AGE = 3600 * 24
    # SESSION_EXPIRE_AT_BROWSER_CLOSE = False
    SESSION_EXPIRE_AT_BROWSER_CLOSE = True 


    # Database setting, Support sqlite3, mysql, postgres ....
    # 数据库设置
    # See https://docs.djangoproject.com/en/1.10/ref/settings/#databases

    # SQLite setting:
    # 使用单文件sqlite数据库
    # DB_ENGINE = ‘sqlite3‘
    # DB_NAME = os.path.join(BASE_DIR, ‘data‘, ‘db.sqlite3‘)

    # MySQL or postgres setting like:
    # 使用Mysql作为数据库
    DB_ENGINE = mysql
    DB_HOST = 127.0.0.1
    DB_PORT = 3306
    DB_USER = jumpserver
    DB_PASSWORD = weakPassword
    DB_NAME = jumpserver

    # When Django start it will bind this host and port
    # ./manage.py runserver 127.0.0.1:8080
    # 运行时绑定端口
    HTTP_BIND_HOST = 0.0.0.0
    HTTP_LISTEN_PORT = 8080

    # Use Redis as broker for celery and web socket
    # Redis配置
    REDIS_HOST = 127.0.0.1
    REDIS_PORT = 6379
    REDIS_PASSWORD = ‘‘:
    REDIS_DB_CELERY = 3
    REDIS_DB_CACHE = 4
    
    # Use OpenID authorization
    # 使用OpenID 来进行认证设置
    # BASE_SITE_URL = ‘http://localhost:8080‘
    # AUTH_OPENID = False  # True or False
    # AUTH_OPENID_SERVER_URL = ‘https://openid-auth-server.com/‘
    # AUTH_OPENID_REALM_NAME = ‘realm-name‘
    # AUTH_OPENID_CLIENT_ID = ‘client-id‘
    # AUTH_OPENID_CLIENT_SECRET = ‘client-secret‘

    #
    # OTP_VALID_WINDOW = 0

    def __init__(self):
        pass

    def __getattr__(self, item):
        return None


class DevelopmentConfig(Config):
    pass


class TestConfig(Config):
    pass


class ProductionConfig(Config):
    pass


# Default using Config settings, you can write if/else for different env
config = DevelopmentConfig()

 

修改Coco配置文件
  cd /opt/coco
  cp conf_example.py conf.py # 如果 coco 与 jumpserver 分开部署,请手动修改 conf.py
  vi conf.py
# 注意对齐,不要直接复制本文档的内容

#!/usr/bin/env python3
# -*- coding: utf-8 -*-
#

import os

BASE_DIR = os.path.dirname(__file__)


class Config:
    """
    Coco config file, coco also load config from server update setting below
    """
    # 项目名称, 会用来向Jumpserver注册, 识别而已, 不能重复
    NAME = "coco"

    # Jumpserver项目的url, api请求注册会使用
    CORE_HOST = os.environ.get("CORE_HOST") or http://127.0.0.1:8080

    # Bootstrap Token, 预共享秘钥, 用来注册coco使用的service account和terminal
    # 请和jumpserver 配置文件中保持一致,注册完成后可以删除
    # BOOTSTRAP_TOKEN = "PleaseChangeMe"

    # 启动时绑定的ip, 默认 0.0.0.0
    # BIND_HOST = ‘0.0.0.0‘

    # 监听的SSH端口号, 默认2222
    # SSHD_PORT = 2222

    # 监听的HTTP/WS端口号,默认5000
    # HTTPD_PORT = 5000

    # 项目使用的ACCESS KEY, 默认会注册,并保存到 ACCESS_KEY_STORE中,
    # 如果有需求, 可以写到配置文件中, 格式 access_key_id:access_key_secret
    # ACCESS_KEY = None

    # ACCESS KEY 保存的地址, 默认注册后会保存到该文件中
    # ACCESS_KEY_STORE = os.path.join(BASE_DIR, ‘keys‘, ‘.access_key‘)

    # 加密密钥
    # SECRET_KEY = None

    # 设置日志级别 [‘DEBUG‘, ‘INFO‘, ‘WARN‘, ‘ERROR‘, ‘FATAL‘, ‘CRITICAL‘]
    LOG_LEVEL = ERROR

    # 日志存放的目录
    # LOG_DIR = os.path.join(BASE_DIR, ‘logs‘)

    # Session录像存放目录
    # SESSION_DIR = os.path.join(BASE_DIR, ‘sessions‘)

    # 资产显示排序方式, [‘ip‘, ‘hostname‘]
    # ASSET_LIST_SORT_BY = ‘ip‘

    # 登录是否支持密码认证
    # PASSWORD_AUTH = True

    # 登录是否支持秘钥认证
    # PUBLIC_KEY_AUTH = True
    
    # SSH白名单
    # ALLOW_SSH_USER = ‘all‘  # [‘test‘, ‘test2‘]

    # SSH黑名单, 如果用户同时在白名单和黑名单,黑名单优先生效
    # BLOCK_SSH_USER = []

    # 和Jumpserver 保持心跳时间间隔
    # HEARTBEAT_INTERVAL = 5

    # Admin的名字,出问题会提示给用户
    # ADMINS = ‘‘
    COMMAND_STORAGE = {
        "TYPE": "server"
    }
    REPLAY_STORAGE = {
        "TYPE": "server"
    }

    # SSH连接超时时间 (default 15 seconds)
    # SSH_TIMEOUT = 15

    # 语言 = en
    LANGUAGE_CODE = zh


config = Config()

 

安装 Web Terminal 前端: Luna
  cd /opt
  wget https://github.com/jumpserver/luna/releases/download/1.4.1/luna.tar.gz
  tar xf luna.tar.gz
  chown -R root:root luna

安装windows支持组件
  yum remove docker-latest-logrotate docker-logrotate docker-selinux dockdocker-engine
  yum install -y yum-utils device-mapper-persistent-data lvm2
  yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
  yum makecache fast
  yum -y install docker-ce
  systemctl start docker -d
  docker pull jumpserver/guacamole:latest

重新打开一个终端
配置Nginx整合组件
  source /opt/py3/bin/activate
  cd /opt/
  vi /etc/nginx/conf.d/jumpserver.conf

server {
    listen 80;  # 代理端口,以后将通过此端口进行访问,不再通过8080端口
    # server_name demo.jumpserver.org;  # 修改成你的域名或者注释掉

    client_max_body_size 100m;  # 录像及文件上传大小限制

    location /luna/ {
        try_files $uri / /index.html;
        alias /opt/luna/;  # luna 路径,如果修改安装目录,此处需要修改
    }

    location /media/ {
        add_header Content-Encoding gzip;
        root /opt/jumpserver/data/;  # 录像位置,如果修改安装目录,此处需要修改
    }

    location /static/ {
        root /opt/jumpserver/data/;  # 静态资源,如果修改安装目录,此处需要修改
    }

    location /socket.io/ {
        proxy_pass       http://localhost:5000/socket.io/;  # 如果coco安装在别的服务器,请填写它的ip
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    location /coco/ {
        proxy_pass       http://localhost:5000/coco/;  # 如果coco安装在别的服务器,请填写它的ip
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    location /guacamole/ {
        proxy_pass       http://localhost:8081/;  # 如果guacamole安装在别的服务器,请填写它的ip
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    location / {
        proxy_pass http://localhost:8080;  # 如果jumpserver安装在别的服务器,请填写它的ip
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

  cd /opt/
  cp /etc/nginx/nginx.conf /etc/nginx/nginx.conf.bak
  vim /etc/nginx/nginx.conf

# For more information on configuration, see:
    #   * Official English Documentation: http://nginx.org/en/docs/
    #   * Official Russian Documentation: http://nginx.org/ru/docs/

    user nginx;
    worker_processes auto;
    error_log /var/log/nginx/error.log;
    pid /run/nginx.pid;

    # Load dynamic modules. See /usr/share/nginx/README.dynamic.
    include /usr/share/nginx/modules/*.conf;

    events {
        worker_connections 1024;
    }

    http {
        log_format  main  $remote_addr - $remote_user [$time_local] "$request" 
                          $status $body_bytes_sent "$http_referer" 
                          "$http_user_agent" "$http_x_forwarded_for";

        access_log  /var/log/nginx/access.log  main;

        sendfile            on;
        tcp_nopush          on;
        tcp_nodelay         on;
        keepalive_timeout   65;
        types_hash_max_size 2048;

        include             /etc/nginx/mime.types;
        default_type        application/octet-stream;

        # Load modular configuration files from the /etc/nginx/conf.d directory.
        # See http://nginx.org/en/docs/ngx_core_module.html#include
        # for more information.
        include /etc/nginx/conf.d/*.conf;

        #server {
            #listen       80 default_server;
            #listen       [::]:80 default_server;
            #server_name  _;
            #root         /usr/share/nginx/html;

            # Load configuration files for the default server block.
            #include /etc/nginx/default.d/*.conf;

            #location / {
           # }

            #error_page 404 /404.html;
                #location = /40x.html {
            #}

            #error_page 500 502 503 504 /50x.html;
                #location = /50x.html {
            #}
        #}

    # Settings for a TLS enabled server.
    #
    #    server {
    #        listen       443 ssl http2 default_server;
    #        listen       [::]:443 ssl http2 default_server;
    #        server_name  _;
    #        root         /usr/share/nginx/html;
    #
    #        ssl_certificate "/etc/pki/nginx/server.crt";
    #        ssl_certificate_key "/etc/pki/nginx/private/server.key";
    #        ssl_session_cache shared:SSL:1m;
    #        ssl_session_timeout  10m;
    #        ssl_ciphers HIGH:!aNULL:!MD5;
    #        ssl_prefer_server_ciphers on;
    #
    #        # Load configuration files for the default server block.
    include /etc/nginx/default.d/*.conf;
    #
    #        location / {
    #        }
    #
    #        error_page 404 /404.html;
    #            location = /40x.html {
    #        }
    #
    #        error_page 500 502 503 504 /50x.html;
    #            location = /50x.html {
    #        }
    #    }

    }

  nginx -t


生成数据库表结构和初始化数据
  cd /opt/jumpserver/utils
  bash make_migrations.sh

运行 Jumpserver
  cd ..
  ./jms start all -d
# 新版本更新了运行脚本,使用方式./jms start|stop|status|restart all 后台运行请添加 -d 参数

  运行Coco
  cd /opt/coco
  ./cocod start -d


#在第一个终端里
启动 Guacamole
# 注意:这里需要修改下 http://<填写jumpserver的url地址> 例: http://192.168.168.8, 否则会出错
# 不能使用 127.0.0.1 ,可以更换 registry.jumpserver.org/public/guacamole:latest

  docker run --name jms_guacamole -d \
  -p 8081:8080 -v /opt/guacamole/key:/config/guacamole/key \
  -e JUMPSERVER_KEY_DIR=/config/guacamole/key \
  -e JUMPSERVER_SERVER=http://192.168.168.8:8080 \
  jumpserver/guacamole:latest

  systemctl start nginx

  登录Web管理界面:192.168.168.8

参考链接1:http://docs.jumpserver.org/zh/docs/step_by_step.html

参考链接2:http://docs.jumpserver.org/zh/docs/setup_by_centos7.html

参考链接3:https://www.cnblogs.com/bigdevilking/p/9427941.html

参考链接4:http://docs.jumpserver.org/zh/docs/faq_install.html

 

 

centos 7.x 安装开源堡垒机Jumpserver

原文:https://www.cnblogs.com/muyaobin/p/10309504.html

(0)
(0)
   
举报
评论 一句话评论(0
关于我们 - 联系我们 - 留言反馈 - 联系我们:wmxa8@hotmail.com
© 2014 bubuko.com 版权所有
打开技术之扣,分享程序人生!