
JumpServer 2.2 deployment guide

Author: alexhuiwang
Published 2021-04-09 16:35:04
Column: 运维博客 (Ops Blog)

JumpServer installation notes

JumpServer installation guide

Overview

  • Official site: jumpserver.org
  • Environment:
    • CentOS 7.7 or later
    • Python 3.6
    • Minimum sizing: 2 vCPU, 4 GB RAM, 50 GB disk
    • Installation path conventions:

Path                 Description
/data                On a cloud VM, mount a separate 50 GB data disk here (xfs or ext4, either is fine)
/data/application    Installed applications
/data/app_data       Application data (for example MySQL and Redis)
/data/app_log        Application logs
/data/pkg            Downloaded packages

  • Software preparation
  • Initial system configuration
  • Base software installation
  • Installing JumpServer (core)
  • Installing koko
  • Configuring the Guacamole component
  • Deploying the Luna component
  • Configuring Nginx to tie the components together
  • Start using JumpServer

Initial configuration

1. Firewall
$ systemctl stop firewalld && systemctl disable firewalld
Turning the host firewall off is the original procedure's shortcut. A bastion host is by definition reachable from users' workstations, so the better practice is to leave firewalld running and open only what must be reachable from outside: 80/tcp for Nginx plus the SSH port koko serves on. Every other component in this guide listens on 127.0.0.1 and needs no inbound rule.

2. SELinux
$ sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
$ setenforce 0 && getenforce
Disabling SELinux is likewise a convenience for a from-source install under /data. If you keep it enforcing, the services installed below need file contexts assigned for their non-standard paths before they will start.

3. Hostname
$ echo "jumpserver" > /etc/hostname
$ hostname jumpserver

4. Resource limits
$ vim /etc/security/limits.conf
    *           soft   nofile       102400
    *           hard   nofile       102400
    *           soft   nproc        102400
    *           hard   nproc        102400

5. Yum repositories
$ curl -o /etc/yum.repos.d/CentOS-Base.repo https://mirrors.aliyun.com/repo/Centos-7.repo
$ curl -o /etc/yum.repos.d/epel.repo https://mirrors.aliyun.com/repo/epel-7.repo
$ sed -i 's#http://#https://#g' /etc/yum.repos.d/CentOS-Base.repo
$ sed -i 's#http://#https://#g' /etc/yum.repos.d/epel.repo
Anchoring the substitution on "http://" matters: a bare s/http/https/ also rewrites URLs that are already https into "httpss://", which yum then cannot resolve.

6. Base packages
$ yum -y install wget git net-tools lrzsz vim gcc gcc-c++ make ntpdate

7. Time sync
$ ntpdate time.windows.com

8. Data disk
$ mkfs.xfs /dev/vdb && mkdir /data && mount /dev/vdb /data
$ echo "UUID=$(blkid -s UUID -o value /dev/vdb) /data xfs defaults 0 0" >> /etc/fstab
The device is /dev/vdb with no trailing slash (mount fails on /dev/vdb/). An fstab entry keyed on the filesystem UUID survives the disk being renumbered and is mounted before the services that depend on /data start; /etc/rc.local, by contrast, is only executed on CentOS 7 if it has been made executable, and runs too late for systemd units.

9. Directory layout
$ cd /data && mkdir application pkg app_data app_log

10. Reboot
$ reboot

Software preparation

Place the packages below under /data/pkg.

Name               Version                  Download                                                                                     Notes
redis              4.0.6 (stable)           http://download.redis.io/releases/redis-4.0.6.tar.gz                                         cache
mysql              5.7.31 (binary tarball)  https://dev.mysql.com/downloads/mysql/                                                       database
java               1.8.0_261                https://www.oracle.com/java/technologies/javase/javase-jdk8-downloads.html                   JDK for Tomcat / guacamole-client
jumpserver         2.2.2 (stable)           https://github.com/jumpserver/jumpserver/releases/download/v2.2.2/jumpserver-v2.2.2.tar.gz   core (bastion) service
koko               2.2.2 (stable)           https://github.com/jumpserver/koko/releases/download/v2.2.2/koko-v2.2.2-linux-amd64.tar.gz   SSH proxy
kubectl            -                        https://download.jumpserver.org/public/kubectl.tar.gz                                        Kubernetes client
guacamole-client   2.2.2                    http://download.jumpserver.org/release/v2.2.2/guacamole-client-v2.2.2.tar.gz                 Guacamole web client
guacamole-server   1.2.0                    http://download.jumpserver.org/public/guacamole-server-1.2.0.tar.gz                          guacd
apache-tomcat      9.0.37                   http://archive.apache.org/dist/tomcat/tomcat-9/v9.0.37/bin/apache-tomcat-9.0.37.tar.gz       servlet container for guacamole-client
luna               2.2.2                    https://github.com/jumpserver/luna/releases/download/v2.2.2/luna-v2.2.2.tar.gz               web terminal front end
nginx              1.18.0                   http://nginx.org/download/nginx-1.18.0.tar.gz                                                reverse proxy

  • The packages above are also mirrored on Baidu Netdisk:
Link: https://pan.baidu.com/s/16cPe0Bytip53qsdxTopUVw   password: fqld

Several of these downloads are served over plain http, and a third-party mirror is not an integrity guarantee: compare each archive against the checksum or signature published by its upstream project before unpacking it. Two items are needed but not listed: the lina web UI (downloaded in the front-end section below) and the Java install itself, which this guide does not show although Tomcat will not start without it.

Base software installation

Python 3.6 environment
  • Install
$ yum -y install python36 python36-devel
  • pip mirror
$ tee /etc/pip.conf <<EOF
[global]
index-url = http://pypi.douban.com/simple
trusted-host = pypi.douban.com
[list]
format=columns
EOF
trusted-host makes pip accept this index without TLS verification, which is needed only because the index-url is plain http; every wheel JumpServer pulls in is then fetched with no integrity check in transit. Prefer an https index (and drop trusted-host) where the mirror offers one, or simply use the default PyPI.
  • Create and activate the virtualenv
$ python3.6 -m venv /data/application/py3
$ echo 'source /data/application/py3/bin/activate' >> ~/.bashrc
$ source /data/application/py3/bin/activate
$ pip install wheel && pip install --upgrade pip setuptools
Redis installation and configuration
  • Install
$ cd /data/pkg
$ tar xf redis-4.0.6.tar.gz
$ cd redis-4.0.6/
$ make PREFIX=/data/application/redis install
$ mkdir /data/application/redis/config
$ cp redis.conf /data/application/redis/config/
$ sed -i 's/daemonize no/daemonize yes/g' /data/application/redis/config/redis.conf
  • Configuration
$ mkdir -p /data/app_log/pids/redis
$ mkdir -p /data/app_data/redis
$ cd /data/application/redis/config/ && vim redis.conf
pidfile /data/app_log/pids/redis/redis_6379.pid
dir /data/app_data/redis
Keep the shipped defaults bind 127.0.0.1 and protected-mode yes so Redis is never reachable from the network, and set requirepass to a generated password (the same value goes into REDIS_PASSWORD in JumpServer's config.yml). An unauthenticated Redis that others can reach is a classic foothold, and this one holds JumpServer's sessions and task queue. Once requirepass is set, the redis-cli shutdown in the unit below also needs -a with that password.
  • Start
$ tee /usr/lib/systemd/system/redis.service <<EOF
[Unit]
Description=Redis
After=network.target

[Service]
ExecStart=/data/application/redis/bin/redis-server /data/application/redis/config/redis.conf --daemonize no
ExecStop=/data/application/redis/bin/redis-cli -h 127.0.0.1 -p 6379 shutdown

[Install]
WantedBy=multi-user.target
EOF

The --daemonize no on the command line overrides the daemonize yes written into redis.conf above; systemd needs the process to stay in the foreground to track it.
$ systemctl start redis && systemctl enable redis
$ echo 'export PATH=/data/application/redis/bin:$PATH' >> /etc/profile
$ source /etc/profile
  • Test
$ redis-cli
127.0.0.1:6379>
MySQL installation and configuration
  • Install
$ cd /data/pkg
$ tar xf mysql-5.7.31-linux-glibc2.12-x86_64.tar.gz
$ mv mysql-5.7.31-linux-glibc2.12-x86_64 /data/application/mysql-5.7
$ useradd -s /usr/sbin/nologin -M mysql
$ chown -R mysql:mysql /data/application/mysql-5.7
$ mkdir -p /data/app_data/mysql/
$ chown -R mysql:mysql /data/app_data/mysql/
$ echo 'export PATH=/data/application/mysql-5.7/bin:$PATH' >> /etc/profile && source /etc/profile
  • Configuration
$ tee /etc/my.cnf << EOF
[mysqld]
user=mysql
basedir=/data/application/mysql-5.7
datadir=/data/app_data/mysql
character_set_server=utf8mb4
max_allowed_packet=256M
innodb_log_file_size=256M
transaction-isolation=READ-COMMITTED
binlog_format=row
server_id=6
port=3306
socket=/tmp/mysql.sock
[mysql]
socket=/tmp/mysql.sock
EOF
MySQL 5.7 listens on all interfaces by default. The only client in this deployment is the local JumpServer process connecting via 127.0.0.1, so adding bind-address=127.0.0.1 under [mysqld] takes the database off the network entirely at no cost; the grant below already restricts the application account to 127.0.0.1.
  • Initialize and start
$ cd /data/application/mysql-5.7/support-files && mv mysql.server /etc/init.d/mysqld
$ tee /etc/systemd/system/mysqld.service << EOF
[Unit]
Description=MySQL Server
Documentation=man:mysqld(8)
Documentation=http://dev.mysql.com/doc/refman/en/using-systemd.html
After=network.target
After=syslog.target

[Service]
User=mysql
Group=mysql
ExecStart=/data/application/mysql-5.7/bin/mysqld --defaults-file=/etc/my.cnf
LimitNOFILE = 5000

[Install]
WantedBy=multi-user.target
EOF

$ mysqld --initialize-insecure --user=mysql --basedir=/data/application/mysql-5.7 --datadir=/data/app_data/mysql/
$ systemctl start mysqld && systemctl enable mysqld
--user=mysql is required when initializing as root; without it the data files are created owned by root and the service, which runs as the mysql user, fails to start.
  • Test and create the database
$ mysql
create database jumpserver default charset 'utf8' collate 'utf8_bin';
grant all on jumpserver.* to 'jumpserver'@'127.0.0.1' identified by 'jumpserver';
exit
--initialize-insecure deliberately leaves root@localhost with an empty password; set one now (ALTER USER ... IDENTIFIED BY ...) before anything else is installed. Likewise, replace the literal password 'jumpserver' in the grant with a generated one and put the same value in DB_PASSWORD in config.yml later.

Pitfall 1

Create this library symlink, otherwise project initialization later fails with mysqlclient unable to find libmysqlclient.so.20. The Python mysqlclient package links against the client library shipped inside the MySQL tarball, which sits outside the dynamic linker's default search path:

$ ln -s /data/application/mysql-5.7/lib/libmysqlclient.so.20 /usr/lib64/libmysqlclient.so.20

Installing JumpServer (core)

  • Unpack and install dependencies
$ cd /data/pkg
$ tar xf jumpserver-v2.2.2.tar.gz && mv jumpserver-v2.2.2 /data/application/jumpserver
$ source /data/application/py3/bin/activate
$ cd /data/application/jumpserver/requirements/
$ yum -y install $(cat rpm_requirements.txt)
$ pip install -r requirements.txt
  • Configuration
$ cd /data/application/jumpserver && mv config_example.yml config.yml
$ cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 49;echo    # paste the output into SECRET_KEY in config.yml
$ cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 18;echo    # paste the output into BOOTSTRAP_TOKEN in config.yml
$ vim config.yml
SECRET_KEY: NZIfGVB8nd3mZJTwCa3kKenWJdUVUvpK08NVq8PF5POml5sGm
BOOTSTRAP_TOKEN: wHdUajO3gaXMY1PD4d
DB_PASSWORD: jumpserver
The two values shown are the author's sample output, not values to reuse. SECRET_KEY protects sessions and the secrets JumpServer stores, and BOOTSTRAP_TOKEN is the pre-shared secret with which koko and Guacamole register themselves with the core, so anyone who has read this page can impersonate a component on a deployment that keeps them. DB_PASSWORD must match the password granted in MySQL; use a generated one there too. config.yml should be readable by its owner only (mode 600).
  • Start the service and check its status
$ tee /usr/lib/systemd/system/jms.service <<EOF
[Unit]
Description=jms
After=network.target mysqld.service redis.service
Wants=mysqld.service redis.service

[Service]
Type=forking
Environment="PATH=/data/application/py3/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin"
ExecStart=/data/application/jumpserver/jms start all -d
ExecReload=
ExecStop=/data/application/jumpserver/jms stop

[Install]
WantedBy=multi-user.target
EOF

$ systemctl start jms && systemctl enable jms
$ systemctl status jms
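Before enabling the core it is worth checking that config.yml does not still carry the documented sample secrets. The following shell script is an added example, not part of the original article or of the JumpServer project. It assumes config.yml has top-level "KEY: value" lines as in config_example.yml; gen_secret reproduces the article's /dev/urandom recipe, and the two sample values embedded in it are the article's own, used here only as constructed test input.

```shell
#!/bin/sh
# Added example (not from the article or the JumpServer project): audit a
# JumpServer config.yml for secrets copied from documentation, secrets that
# are too short, a default DB password, or a file readable by other users.
# The SAMPLE_* values are the article's examples (constructed test input).

SAMPLE_SECRET_KEY='NZIfGVB8nd3mZJTwCa3kKenWJdUVUvpK08NVq8PF5POml5sGm'
SAMPLE_BOOTSTRAP_TOKEN='wHdUajO3gaXMY1PD4d'

# gen_secret LEN: LEN random alphanumeric characters from /dev/urandom
gen_secret() {
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c "$1"
}

# cfg_get FILE KEY: value of the first top-level "KEY: value" line, unquoted
cfg_get() {
    sed -n "s/^$2:[[:space:]]*//p" "$1" | head -n 1 | tr -d '"'"'"
}

# audit_config FILE: print one finding per line; return 0 when clean, 1 otherwise
audit_config() {
    f=$1
    rc=0
    sk=$(cfg_get "$f" SECRET_KEY)
    bt=$(cfg_get "$f" BOOTSTRAP_TOKEN)
    dp=$(cfg_get "$f" DB_PASSWORD)

    if [ -z "$sk" ] || [ "$sk" = "$SAMPLE_SECRET_KEY" ]; then
        echo "SECRET_KEY: unset or copied from the article"; rc=1
    elif [ "${#sk}" -lt 49 ]; then
        echo "SECRET_KEY: shorter than 49 characters"; rc=1
    fi
    if [ -z "$bt" ] || [ "$bt" = "$SAMPLE_BOOTSTRAP_TOKEN" ]; then
        echo "BOOTSTRAP_TOKEN: unset or copied from the article"; rc=1
    elif [ "${#bt}" -lt 18 ]; then
        echo "BOOTSTRAP_TOKEN: shorter than 18 characters"; rc=1
    fi
    case $dp in
        ''|jumpserver|password|123456)
            echo "DB_PASSWORD: unset or a well-known default"; rc=1 ;;
    esac
    # the file holds all three secrets, so it must not be group/world readable
    mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")
    case $mode in
        600|400) ;;
        *) echo "config.yml mode is $mode; expected 600"; rc=1 ;;
    esac
    return $rc
}

# Stand-alone demo on a constructed copy of the article's values
demo=$(mktemp)
printf 'SECRET_KEY: %s\nBOOTSTRAP_TOKEN: %s\nDB_PASSWORD: jumpserver\n' \
    "$SAMPLE_SECRET_KEY" "$SAMPLE_BOOTSTRAP_TOKEN" >"$demo"
chmod 644 "$demo"
audit_config "$demo" || echo "demo config would be rejected (expected)"
rm -f "$demo"
# On the real host:  audit_config /data/application/jumpserver/config.yml
```

Run it against /data/application/jumpserver/config.yml before systemctl start jms; the length thresholds mirror the 49 and 18 characters the article generates.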

Installing koko

  • Install
$ cd /data/pkg
$ tar xf koko-v2.2.2-linux-amd64.tar.gz
$ mv koko-v2.2.2-linux-amd64 /data/application/koko
$ chown -R root:root /data/application/koko
$ cd /data/application/koko
$ mv kubectl /usr/local/bin/
$ wget https://download.jumpserver.org/public/kubectl.tar.gz
$ tar -xf kubectl.tar.gz && chmod 755 kubectl
$ mv kubectl /usr/local/bin/rawkubectl
$ rm -fr kubectl.tar.gz
The kubectl shipped in the koko archive is a wrapper that koko invokes for Kubernetes assets; the real client downloaded afterwards is installed beside it under the name rawkubectl, which is what the wrapper calls.
  • Configuration
$ cd /data/application/koko
$ cp config_example.yml config.yml
$ vim config.yml
BOOTSTRAP_TOKEN: wHdUajO3gaXMY1PD4d
This must be the same BOOTSTRAP_TOKEN as in the core's config.yml (the value shown is the author's sample). koko presents it once to register and obtain its own service account, then stores the access key it receives locally.
  • Start the service and check its status
$ tee /usr/lib/systemd/system/koko.service << EOF
[Unit]
Description=koko
After=network.target jms.service

[Service]
Type=forking
PIDFile=/data/application/koko/koko.pid
Environment="PATH=/data/application/py3/bin/"
ExecStart=/data/application/koko/koko -f /data/application/koko/config.yml start -d
ExecReload=
ExecStop=/data/application/koko/koko stop

[Install]
WantedBy=multi-user.target
EOF

$ systemctl start koko && systemctl enable koko
$ ps -ef | grep koko

Deploying the Guacamole component

  • Install
$ mkdir /data/application/docker-guacamole
$ cd /data/pkg
$ wget -O docker-guacamole-v2.2.2.tar.gz https://github.com/jumpserver/docker-guacamole/archive/master.tar.gz
$ tar -xf docker-guacamole-v2.2.2.tar.gz -C /data/application/docker-guacamole --strip-components 1
$ cd /data/application/docker-guacamole && mv /data/pkg/guacamole-server-1.2.0.tar.gz ./
$ tar -xf guacamole-server-1.2.0.tar.gz && rm -fr guacamole-server-1.2.0.tar.gz
$ wget http://download.jumpserver.org/public/ssh-forward.tar.gz
$ tar -xf ssh-forward.tar.gz -C /bin/ && rm -fr ssh-forward.tar.gz
$ chmod +x /bin/ssh-forward
$ cd guacamole-server-1.2.0/
$ yum -y install cairo-devel uuid uuid-devel
$ ./configure --with-init-dir=/etc/init.d && make && make install
The archive fetched from the master branch is whatever that branch contained at download time, not necessarily what matches v2.2.2; pin a tag if the repository has one for your version. configure ends with a summary of which protocol plugins will be built: if RDP or VNC is reported as "no", install the corresponding -devel packages (freerdp, libvncserver, and so on) and re-run configure, otherwise guacd is built without them and those asset types will not connect.
$ mkdir /data/application/config/guacamole/{extensions,record,drive} -pv
$ chown daemon:daemon /data/application/config/guacamole/record/ /data/application/config/guacamole/drive
$ cd /data/application/config
$ mv /data/pkg/apache-tomcat-9.0.37.tar.gz ./
$ tar xf apache-tomcat-9.0.37.tar.gz && mv apache-tomcat-9.0.37 tomcat9 && rm -fr apache-tomcat-9.0.37.tar.gz
$ rm -fr tomcat9/webapps/*
$ sed -i 's/Connector port="8080"/Connector port="8081"/g' tomcat9/conf/server.xml
$ echo "java.util.logging.ConsoleHandler.encoding = UTF-8" >> tomcat9/conf/logging.properties
$ mv /data/pkg/guacamole-client-v2.2.2.tar.gz ./
$ tar -xf guacamole-client-v2.2.2.tar.gz && rm -rf guacamole-client-v2.2.2.tar.gz
$ cp guacamole-client-v2.2.2/guacamole-*.war tomcat9/webapps/ROOT.war
$ cp guacamole-client-v2.2.2/guacamole-*.jar guacamole/extensions/
$ mv /data/application/docker-guacamole/guacamole.properties guacamole/
$ rm -rf /data/application/docker-guacamole/
Removing tomcat9/webapps/* also drops the stock manager, host-manager and examples applications, which should never be exposed on a bastion. The Connector as edited still listens on every interface; add address="127.0.0.1" to it so that only the Nginx reverse proxy on this host can reach port 8081.
  • Configuration
These variables are read by guacamole-client and guacd at startup, so they must be present in the environment of the shell that runs startup.sh (rc.local does not source ~/.bashrc).
export JUMPSERVER_SERVER=http://127.0.0.1:8080
echo "export JUMPSERVER_SERVER=http://127.0.0.1:8080" >> ~/.bashrc
export BOOTSTRAP_TOKEN=wHdUajO3gaXMY1PD4d
echo "export BOOTSTRAP_TOKEN=wHdUajO3gaXMY1PD4d" >> ~/.bashrc
export JUMPSERVER_KEY_DIR=/data/application/config/guacamole/keys
echo "export JUMPSERVER_KEY_DIR=/data/application/config/guacamole/keys" >> ~/.bashrc
export GUACAMOLE_HOME=/data/application/config/guacamole
echo "export GUACAMOLE_HOME=/data/application/config/guacamole" >> ~/.bashrc
export GUACAMOLE_LOG_LEVEL=ERROR
echo "export GUACAMOLE_LOG_LEVEL=ERROR" >> ~/.bashrc
export JUMPSERVER_ENABLE_DRIVE=true
echo "export JUMPSERVER_ENABLE_DRIVE=true" >> ~/.bashrc
BOOTSTRAP_TOKEN is the same value as in the core's config.yml (the one shown is the author's sample; use yours). Keeping it in root's ~/.bashrc exposes it to every interactive root shell and anything that reads that file; a systemd unit with Environment= or EnvironmentFile=, as the other components here use systemd units, keeps it out of login shells.
  • Start and test
$ /etc/init.d/guacd start
$ echo "/etc/init.d/guacd start" >> /etc/rc.local
$ sh /data/application/config/tomcat9/bin/startup.sh
Tomcat needs the JDK listed in the software table (java on PATH or JAVA_HOME set), which this guide does not show being installed. Both guacd and Tomcat are started here as root, and the Tomcat start is not made persistent across reboots; a systemd unit running each under a dedicated user, as done for Redis, MySQL, jms and koko, is the more robust setup.

Front-end components

$ cd /data/pkg
$ wget https://github.com/jumpserver/lina/releases/download/v2.2.2/lina-v2.2.2.tar.gz
$ tar xf lina-v2.2.2.tar.gz
$ tar xf luna-v2.2.2.tar.gz
$ mv lina-v2.2.2 /data/application/lina
$ rm -fr /data/application/luna/
$ mv luna-v2.2.2 /data/application/luna
$ useradd -s /usr/sbin/nologin -M nginx
$ chown -R nginx:nginx /data/application/luna/ /data/application/lina/
lina is the management web UI and luna the web terminal front end. Both are static bundles served directly by Nginx, so the nginx user only needs read access; giving it ownership (and therefore write access) is more than the server requires.

Nginx installation and configuration

  • Install
$ yum -y install gcc make pcre-devel pcre zlib openssl openssl-devel zlib-devel tree
$ cd /data/pkg
$ tar xf nginx-1.18.0.tar.gz
$ cd nginx-1.18.0
$ ./configure --prefix=/data/application/nginx --user=nginx --with-http_ssl_module --with-http_stub_status_module --with-stream
$ make && make install
  • Configuration
$ echo 'export PATH=$PATH:/data/application/nginx/sbin' >> /etc/profile
$ cd /data/application/nginx/conf
$ mkdir conf.d && rm -f nginx.conf
$ tee nginx.conf <<'EOF'
user  nginx;
worker_processes  auto;
error_log  logs/error.log warn;
events {
    worker_connections  60000;
}
http {
    include       mime.types;
    default_type  application/octet-stream;
    log_format  main  '$remote_addr - $remote_user [$time_iso8601] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    log_format json   '{"@timestamp":"$time_iso8601",'
                      '"remote_ip":"$remote_addr",'
                      '"status":$status,'
                      '"bytes":$body_bytes_sent,'
                      '"referer":"$http_referer",'
                      '"agent":"$http_user_agent",'
                      '"request_time":$request_time,'
                      '"request":"$uri"}';
    access_log  logs/access.log  json;
    sendfile        on;
    keepalive_timeout  0;
    gzip  on;
    include conf.d/*.conf;     # one file per site
}
EOF

$ cd conf.d && vim jumpserver.conf
server {
    listen 80;

    client_max_body_size 100m;  # size limit for session recordings and file uploads

    location /ui/ {
        try_files $uri / /index.html;
        alias /data/application/lina/;
    }

    location /luna/ {
        try_files $uri / /index.html;
        alias /data/application/luna/;  # luna path; change if the install directory changes
    }

    location /media/ {
        add_header Content-Encoding gzip;
        root /data/application/jumpserver/data/;  # session recordings; change if the install directory changes
    }

    location /static/ {
        root /data/application/jumpserver/data/;  # static assets; change if the install directory changes
    }

    location /koko/ {
        proxy_pass       http://localhost:5000;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    location /guacamole/ {
        proxy_pass       http://localhost:8081/;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    location /ws/ {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://localhost:8070;
        proxy_http_version 1.1;
        proxy_buffering off;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

    location /api/ {
        proxy_pass http://localhost:8080;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    location /core/ {
        proxy_pass http://localhost:8080;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    location / {
        rewrite ^/(.*)$ /ui/$1 last;
    }
}
With the prefix set to /data/application/nginx, the binary reads conf/nginx.conf, so the main config has to be written into the conf directory; relative include paths such as conf.d/*.conf are resolved against that directory too. The heredoc delimiter must be quoted ('EOF'), otherwise the shell expands $remote_addr, $status and the other log variables to empty strings before tee ever sees them.
  • Start
$ /data/application/nginx/sbin/nginx -t && /data/application/nginx/sbin/nginx
This server block listens on plain HTTP, so logins, session cookies and every keystroke relayed through /koko/ and /guacamole/ cross the network unencrypted. For anything beyond a lab, terminate TLS here (listen 443 ssl with ssl_certificate and ssl_certificate_key, redirecting port 80 to it) and set SITE_URL in the core's config.yml to the https address.
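Once every component is up, the practitioner's check is which ports are listening and on which address: Nginx (and the koko SSH listener) are the only services that should face the network; Redis, MySQL, the core on 8080/8070, koko's web port 5000, guacd and Tomcat must be loopback-only. The shell script below is an added example, not part of the original article or of the JumpServer project. It parses the output of ss -ltnH; the sample output embedded in it is constructed, and it assumes three ports the article never states: 22 for sshd, 2222 for koko's SSH listener (its default) and 4822 for guacd (its default). On a host built exactly as the article describes, MySQL and Tomcat will be flagged, because neither bind-address=127.0.0.1 nor address="127.0.0.1" on the Tomcat Connector is in the original configuration.

```shell
#!/bin/sh
# Added example (not from the article or the JumpServer project): audit the
# listening sockets of a JumpServer host from `ss -ltnH` output and flag any
# internal component that is reachable from the network.
# Assumed defaults not stated in the article: 22 sshd, 2222 koko SSH, 4822 guacd.

# port:scope. "local" must be bound to 127.0.0.1 or [::1] only;
# "public" may be bound to a wildcard or interface address.
EXPECTED='6379:local
3306:local
8080:local
8070:local
5000:local
4822:local
8081:local
80:public
2222:public
22:public'

# audit_listeners: read ss -ltnH lines on stdin, print one finding per line,
# return 1 if anything was printed, else 0
audit_listeners() {
    awk -v expected="$EXPECTED" '
    BEGIN {
        n = split(expected, rows, "\n")
        for (i = 1; i <= n; i++) {
            split(rows[i], kv, ":")
            scope[kv[1]] = kv[2]
        }
        bad = 0
    }
    $1 == "LISTEN" {
        addr = $4                          # 127.0.0.1:6379, [::]:8081, *:80 ...
        port = addr; sub(/.*:/, "", port)  # text after the last colon
        host = substr(addr, 1, length(addr) - length(port) - 1)
        seen[port] = 1
        if (!(port in scope)) {
            print "unexpected listener " addr; bad = 1
        } else if (scope[port] == "local" && host != "127.0.0.1" && host != "[::1]") {
            print "port " port " should be loopback-only but listens on " host; bad = 1
        }
    }
    END {
        for (p in scope) if (!(p in seen)) { print "port " p " is not listening"; bad = 1 }
        exit bad
    }'
}

# Constructed sample of `ss -ltnH` on a host built as in the article:
# MySQL and Tomcat are bound to all interfaces (two findings expected).
SAMPLE_SS='LISTEN 0 128 127.0.0.1:6379 0.0.0.0:*
LISTEN 0 80 0.0.0.0:3306 0.0.0.0:*
LISTEN 0 128 127.0.0.1:8080 0.0.0.0:*
LISTEN 0 128 127.0.0.1:8070 0.0.0.0:*
LISTEN 0 128 127.0.0.1:5000 0.0.0.0:*
LISTEN 0 128 0.0.0.0:2222 0.0.0.0:*
LISTEN 0 128 127.0.0.1:4822 0.0.0.0:*
LISTEN 0 100 [::]:8081 [::]:*
LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'

printf '%s\n' "$SAMPLE_SS" | audit_listeners || echo "sample host fails the audit (expected)"
# On the real host:  ss -ltnH | audit_listeners
```

Run ss -ltnH | audit_listeners after every service has been started; a clean run prints nothing and exits 0. Anything it reports as "should be loopback-only" is reachable by every user who can reach the bastion, which is the whole population the bastion exists to mediate.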
Shared from the author's personal site/blog via the Tencent Cloud self-media program. Originally published 2020-09-05.