
Install Jumpserver

franket
Published 2021-08-10 17:35:11
Column: 技术杂记

Preface

Jumpserver is a widely used open-source bastion host (jump server).

Jumpserver is fully open source under the GNU GPL v2.0 licence and is an operations audit system built on the 4A model (authentication, authorization, account management, auditing).

Jumpserver is developed in Python / Django, follows Web 2.0 conventions, and ships with a Web Terminal.

Jumpserver uses a distributed architecture and supports deployment across multiple data centres and regions: a central node exposes the API and each data centre runs its own login nodes, so it scales horizontally with no limit on concurrent access.

This post is a simple walk-through of installing Jumpserver.

Reference: the official step-by-step installation guide (CentOS).

Tip: at the time of writing the latest version was Jumpserver 1.3.3.


Procedure

System environment

[root@h165 ~]# hostnamectl 
   Static hostname: h165
         Icon name: computer-vm
           Chassis: vm
        Machine ID: 0b945835fbb54426b6f67a179adc93cf
           Boot ID: 3605e751c5cb495ea414ef44dec6526f
    Virtualization: kvm
  Operating System: CentOS Linux 7 (Core)
       CPE OS Name: cpe:/o:centos:centos:7
            Kernel: Linux 3.10.0-862.2.3.el7.x86_64
      Architecture: x86-64
[root@h165 ~]# ip a 
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 52:54:00:c9:c7:04 brd ff:ff:ff:ff:ff:ff
    inet 10.0.2.15/24 brd 10.0.2.255 scope global noprefixroute dynamic eth0
       valid_lft 82235sec preferred_lft 82235sec
    inet6 fe80::5054:ff:fec9:c704/64 scope link 
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 08:00:27:55:8b:d3 brd ff:ff:ff:ff:ff:ff
    inet 192.168.56.165/24 brd 192.168.56.255 scope global noprefixroute eth1
       valid_lft forever preferred_lft forever
    inet6 fe80::a00:27ff:fe55:8bd3/64 scope link 
       valid_lft forever preferred_lft forever
[root@h165 ~]# 

Disable SELinux

[root@h165 ~]# getenforce 
Enforcing
[root@h165 ~]# setenforce 0
[root@h165 ~]# getenforce 
Permissive
[root@h165 ~]# 

Note: if SELinux is left enforcing, the web interface cannot be reached. Two caveats: setenforce 0 only lasts until the next reboot (the persistent setting is the SELINUX= line in /etc/selinux/config), and on a bastion host that brokers privileged access it is better to keep SELinux enforcing and fix the actual denial. For this layout the denial is nginx connecting to the backend ports (8080, 5000, 8081), which the httpd_can_network_connect boolean allows; the audit log shows the exact denial.

Disable the firewall

Caveat: with firewalld stopped, every port the components below listen on (8080, 2222, 5000, 8081, and MariaDB's 3306) is reachable from the network. Only 80 (or 443 once TLS is configured) and 2222 need to be open; the rest should stay on loopback or behind firewall rules.

[root@h165 ~]# systemctl stop firewalld.service
[root@h165 ~]# systemctl status firewalld.service
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
   Active: inactive (dead)
     Docs: man:firewalld(1)
[root@h165 ~]# 

Set the locale

[root@h165 ~]# localedef -c -f UTF-8 -i zh_CN zh_CN.UTF-8
[root@h165 ~]# export LC_ALL=zh_CN.UTF-8
-bash: warning: setlocale: LC_ALL: cannot change locale (zh_CN.UTF-8): No such file or directory
-bash: warning: setlocale: LC_ALL: cannot change locale (zh_CN.UTF-8)
[root@h165 ~]# echo 'LANG="zh_CN.UTF-8"' > /etc/locale.conf
[root@h165 ~]# env | grep LC
LC_ALL=zh_CN.UTF-8
[root@h165 ~]# 

Install dependency packages

[root@h165 tmp]# yum -y install wget sqlite-devel xz gcc automake zlib-devel openssl-devel epel-release git
Loaded plugins: fastestmirror

Dependency Updated:
  e2fsprogs.x86_64 0:1.42.9-12.el7_5   e2fsprogs-libs.x86_64 0:1.42.9-12.el7_5 
  libcom_err.x86_64 0:1.42.9-12.el7_5  libgcc.x86_64 0:4.8.5-28.el7_5.1        
  libgomp.x86_64 0:4.8.5-28.el7_5.1    libss.x86_64 0:1.42.9-12.el7_5          

Complete!
[root@h165 tmp]# echo $?
0
[root@h165 tmp]# 

Download the Python source

The archive is fetched over HTTPS, but nothing below checks its integrity; python.org publishes a GPG signature for every release tarball, and verifying it before building the interpreter that will run the bastion is worth the extra step.

[root@h165 tmp]# wget https://www.python.org/ftp/python/3.6.1/Python-3.6.1.tar.xz
--2018-07-22 12:46:12--  https://www.python.org/ftp/python/3.6.1/Python-3.6.1.tar.xz
Resolving www.python.org (www.python.org)... 151.101.24.223, 2a04:4e42:6::223
Connecting to www.python.org (www.python.org)|151.101.24.223|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 16872064 (16M) [application/octet-stream]
Saving to: 'Python-3.6.1.tar.xz'

100%[===============================================>] 16,872,064  3.26MB/s   in 8.4s   

2018-07-22 12:46:22 (1.92 MB/s) - 'Python-3.6.1.tar.xz' saved [16872064/16872064]

[root@h165 tmp]# 

Unpack the source archive

[root@h165 tmp]# tar xvf Python-3.6.1.tar.xz  && cd Python-3.6.1
Python-3.6.1/
Python-3.6.1/Doc/
Python-3.6.1/Doc/c-api/
Python-3.6.1/Doc/c-api/sys.rst
Python-3.6.1/Doc/c-api/conversion.rst
Python-3.6.1/Doc/c-api/marshal.rst
Python-3.6.1/Doc/c-api/coro.rst
Python-3.6.1/Doc/c-api/method.rst
Python-3.6.1/Doc/c-api/index.rst
Python-3.6.1/Doc/c-api/bytearray.rst
Python-3.6.1/Doc/library/html.entities.rst
...
...
Python-3.6.1/Objects/methodobject.c
Python-3.6.1/Objects/tupleobject.c
Python-3.6.1/Objects/obmalloc.c
Python-3.6.1/Objects/object.c
Python-3.6.1/Objects/abstract.c
Python-3.6.1/Objects/listobject.c
Python-3.6.1/Objects/bytes_methods.c
Python-3.6.1/Objects/dictnotes.txt
Python-3.6.1/Objects/typeslots.inc
[root@h165 Python-3.6.1]# 

Configure, compile and install

[root@h165 Python-3.6.1]# ./configure && make && make install
checking build system type... x86_64-unknown-linux-gnu
checking host system type... x86_64-unknown-linux-gnu
checking for python3.6... no
checking for python3... no
checking for python... python
checking for --enable-universalsdk... no
checking for --with-universal-archs... no
checking MACHDEP... linux
checking for --without-gcc... no
checking for --with-icc... no
checking for gcc... gcc
...
...
rm -f /usr/local/bin/python3-config
(cd /usr/local/bin; ln -s python3.6-config python3-config)
rm -f /usr/local/lib/pkgconfig/python3.pc
(cd /usr/local/lib/pkgconfig; ln -s python-3.6.pc python3.pc)
rm -f /usr/local/bin/idle3
(cd /usr/local/bin; ln -s idle3.6 idle3)
rm -f /usr/local/bin/pydoc3
(cd /usr/local/bin; ln -s pydoc3.6 pydoc3)
rm -f /usr/local/bin/2to3
(cd /usr/local/bin; ln -s 2to3-3.6 2to3)
rm -f /usr/local/bin/pyvenv
(cd /usr/local/bin; ln -s pyvenv-3.6 pyvenv)
if test "x" != "x" ; then \
	rm -f /usr/local/bin/python3-32; \
	(cd /usr/local/bin; ln -s python3.6-32 python3-32) \
fi
rm -f /usr/local/share/man/man1/python3.1
(cd /usr/local/share/man/man1; ln -s python3.6.1 python3.1)
if test "xupgrade" != "xno"  ; then \
	case upgrade in \
		upgrade) ensurepip="--upgrade" ;; \
		install|*) ensurepip="" ;; \
	esac; \
	 ./python -E -m ensurepip \
		$ensurepip --root=/ ; \
fi
Collecting setuptools
Collecting pip
Installing collected packages: setuptools, pip
Successfully installed pip-9.0.1 setuptools-28.8.0
[root@h165 Python-3.6.1]# echo $?
0
[root@h165 Python-3.6.1]# 

Create a Python virtual environment

To avoid disturbing the system Python, we use a virtual environment.

[root@h165 Python-3.6.1]# cd /opt/
[root@h165 opt]# 
[root@h165 opt]# python3 -m venv py3
[root@h165 opt]# source /opt/py3/bin/activate
(py3) [root@h165 opt]# 
(py3) [root@h165 opt]# 
(py3) [root@h165 opt]#

Seeing the (py3) prompt above means the environment is active. From now on, run the source command first whenever you run Jumpserver; all of the following commands run inside this virtual environment.

To avoid forgetting that step, autoenv can be installed so that the activation is sourced automatically from a .env file whenever you cd into the project directory (this part of the transcript was done as the vagrant user with sudo):

[vagrant@h165 ~]$ cd /opt/
[vagrant@h165 opt]$ git clone git://github.com/kennethreitz/autoenv.git
fatal: could not create work tree dir 'autoenv'.: Permission denied
[vagrant@h165 opt]$ sudo git clone git://github.com/kennethreitz/autoenv.git
Cloning into 'autoenv'...
remote: Counting objects: 671, done.
remote: Total 671 (delta 0), reused 0 (delta 0), pack-reused 671
Receiving objects: 100% (671/671), 103.92 KiB | 0 bytes/s, done.
Resolving deltas: 100% (356/356), done.
[vagrant@h165 opt]$ echo 'source /opt/autoenv/activate.sh' >> ~/.bashrc
[vagrant@h165 opt]$ source ~/.bashrc
[vagrant@h165 opt]$

After that, entering the directory shows a prompt like the one below. autoenv will execute whatever is in the .env file of any directory you enter, so only answer y for files you wrote yourself. Note also that the git:// protocol used above is unauthenticated and unencrypted (GitHub no longer serves it); clone over https:// instead.

[vagrant@h165 ~]$ cd /opt/jumpserver/
autoenv:
autoenv: WARNING:
autoenv: This is the first time you are about to source /opt/jumpserver/.env:
autoenv:
autoenv:   --- (begin contents) ---------------------------------------
autoenv:     source /opt/py3/bin/activate$
autoenv:
autoenv:   --- (end contents) -----------------------------------------
autoenv:
autoenv: Are you sure you want to allow this? (y/N) y
(py3) [vagrant@h165 jumpserver]$ 
(py3) [vagrant@h165 jumpserver]$ 
(py3) [vagrant@h165 jumpserver]$ 
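
autoenv runs the contents of a .env file as shell code every time you cd into its directory, so on a host administered as root the set of .env files on disk is effectively a list of scripts that run with your privileges. The following script is an added example for this page (not autoenv or Jumpserver code): it walks a tree, lists every .env that autoenv would source, and flags the ones someone other than you could have written, meaning not owned by you, writable by group/others, or sitting in a directory others can write to. The demo() function builds a constructed sample tree in a temporary directory so the script runs stand-alone; on the real host point autoenv_risks() at /opt or /.

```python
"""List .env files that autoenv would source on cd and flag the risky ones.
Added example for this page, not autoenv or Jumpserver code.  Assumes a
POSIX filesystem with ownership and mode bits."""
import os
import stat
import tempfile

# autoenv sources this file name on `cd` (its default AUTOENV_ENV_FILENAME).
ENV_NAME = '.env'


def autoenv_risks(root, env_name=ENV_NAME):
    """Walk `root` and return one dict per env file: its path, contents and a
    list of reasons it is risky (an empty list means only you control it)."""
    me = os.geteuid()
    other_writable = stat.S_IWGRP | stat.S_IWOTH
    results = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if env_name not in filenames:
            continue
        path = os.path.join(dirpath, env_name)
        fst = os.stat(path)
        dst = os.stat(dirpath)
        reasons = []
        if fst.st_uid != me:
            reasons.append('file owned by uid %d, not you' % fst.st_uid)
        if fst.st_mode & other_writable:
            reasons.append('file writable by group/others')
        # A group/other-writable directory lets others replace the file,
        # unless the sticky bit restricts deletion/rename to the owner.
        if dst.st_mode & other_writable and not dst.st_mode & stat.S_ISVTX:
            reasons.append('directory writable by group/others')
        with open(path, 'r', errors='replace') as fh:
            content = fh.read()
        results.append({'path': path, 'content': content, 'reasons': reasons})
    return results


def demo():
    """Build a constructed sample tree (one safe and one risky .env, modelled
    on the /opt/jumpserver/.env shown above) and return {name: reasons}."""
    root = tempfile.mkdtemp(prefix='autoenv-demo-')
    samples = {
        # name: (directory mode, file mode, contents)
        'safe':  (0o755, 0o644, 'source /opt/py3/bin/activate\n'),
        'risky': (0o777, 0o666, 'source /opt/py3/bin/activate\necho planted command\n'),
    }
    for name, (dmode, fmode, content) in samples.items():
        d = os.path.join(root, name)
        os.mkdir(d)
        p = os.path.join(d, ENV_NAME)
        with open(p, 'w') as fh:
            fh.write(content)
        os.chmod(p, fmode)
        os.chmod(d, dmode)
    found = autoenv_risks(root)
    return {os.path.basename(os.path.dirname(r['path'])): r['reasons'] for r in found}


if __name__ == '__main__':
    for name, reasons in demo().items():
        print(name, '->', reasons or 'ok')
```

autoenv remembers files it has already asked about, so the prompt shown above only appears the first time; this scan is the check to run periodically, and before accepting a prompt for a directory you did not create.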

Download the Jumpserver project

[root@h165 ~]# cd /opt/
[root@h165 opt]# git clone https://github.com/jumpserver/jumpserver.git && cd jumpserver && git checkout master
Cloning into 'jumpserver'...
remote: Counting objects: 30587, done.
remote: Compressing objects: 100% (121/121), done.
remote: Total 30587 (delta 77), reused 95 (delta 42), pack-reused 30420
Receiving objects: 100% (30587/30587), 40.98 MiB | 2.30 MiB/s, done.
Resolving deltas: 100% (21128/21128), done.
Already on 'master'
[root@h165 jumpserver]# 

Install the system packages it depends on

[root@h165 ~]# cd /opt/jumpserver/requirements
[root@h165 requirements]# cat rpm_requirements.txt 
libtiff-devel libjpeg-devel libzip-devel freetype-devel lcms2-devel libwebp-devel tcl-devel tk-devel sshpass openldap-devel mysql-devel libffi-devel openssh-clients
[root@h165 requirements]# yum -y install $(cat rpm_requirements.txt) 
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
epel/x86_64/metalink                                              | 6.4 kB  00:00:00     
 * base: mirror.pregi.net
                                                

Complete!
[root@h165 requirements]#

Install the Python library dependencies

(py3) [root@h165 requirements]# pwd
/opt/jumpserver/requirements
(py3) [root@h165 requirements]# ls
deb_requirements.txt  mac_requirements.txt  rpm_requirements.txt
issues.txt            requirements.txt
Collecting pip
  Downloading https://files.pythonhosted.org/packages/5f/25/e52d3f31441505a5f3af41213346e5b6c221c9e086a166f3703d2ddaf940/pip-18.0-py2.py3-none-any.whl (1.3MB)
    100% |████████████████████████████████| 1.3MB 543kB/s 
Installing collected packages: pip
  Found existing installation: pip 9.0.1
    Uninstalling pip-9.0.1:
      Successfully uninstalled pip-9.0.1
Successfully installed pip-18.0
(py3) [root@h165 requirements]# 

Note: do not pass -i to point pip at a mirror index, because the mirror may not have the latest packages yet.

Install Redis

Jumpserver uses Redis as its cache and as the Celery broker.

(py3) [root@h165 requirements]# yum -y install redis

Jul 22 13:57:35 h165 systemd[1]: Started Redis persistent key-value database.
Jul 22 13:57:35 h165 systemd[1]: Starting Redis persistent key-value database...
(py3) [root@h165 requirements]# 

Install MySQL

MariaDB is used as the database.

(py3) [root@h165 ~]# yum -y install mariadb mariadb-devel mariadb-server
(py3) [root@h165 ~]# 

Create the jumpserver database and grant privileges

The transcript logs into MariaDB as root with no password, which is the state of a fresh install; run mysql_secure_installation (or at least set a root password and drop the test database visible below) before the host goes into service. The grant is scoped to 'jumpserver'@'127.0.0.1', which is the right scope since Jumpserver connects over loopback.

(py3) [root@h165 ~]# mysql
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 2
Server version: 5.5.56-MariaDB MariaDB Server

Copyright (c) 2000, 2017, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> create database jumpserver default charset 'utf8';
Query OK, 1 row affected (0.00 sec)

MariaDB [(none)]> grant all on jumpserver.* to 'jumpserver'@'127.0.0.1' identified by 'somepassword';
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> flush privileges;
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> 
MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| jumpserver         |
| mysql              |
| performance_schema |
| test               |
+--------------------+
5 rows in set (0.00 sec)

MariaDB [(none)]> show create database jumpserver;
+------------|---------------------------------------------------------------------+
| Database   | Create Database                                                     |
+------------|---------------------------------------------------------------------+
| jumpserver | CREATE DATABASE `jumpserver` /*!40100 DEFAULT CHARACTER SET utf8 */ |
+------------|---------------------------------------------------------------------+
1 row in set (0.00 sec)

MariaDB [(none)]> exit
Bye
(py3) [root@h165 ~]#

Edit the Jumpserver configuration file

(py3) [root@h165 ~]# cd /opt/jumpserver/
(py3) [root@h165 jumpserver]# cp config_example.py  config.py
(py3) [root@h165 jumpserver]#
(py3) [root@h165 jumpserver]# vi config.py 
(py3) [root@h165 jumpserver]#
(py3) [root@h165 jumpserver]# cat config.py 
"""
    jumpserver.config

    Jumpserver project setting file

    :copyright: (c) 2014-2017 by Jumpserver Team
    :license: GPL v2, see LICENSE for more details.
"""
import os

BASE_DIR = os.path.dirname(os.path.abspath(__file__))


class Config:
    # Use it to encrypt or decrypt data
    # SECURITY WARNING: keep the secret key used in production secret!
    #SECRET_KEY = os.environ.get('SECRET_KEY') or '2vym+ky!997d5kkcc64mnz06y1mmui3lut#(^wd=%s_qj$1%x'
    SECRET_KEY = '2vym+ky!997d5kkcc64mnz06y1mmui3lut#(^wd=%s_qj$1%x'

    # Django security setting, if your disable debug model, you should setting that
    ALLOWED_HOSTS = ['*']

    # Development env open this, when error occur display the full process track, Production disable it
    DEBUG = os.environ.get("DEBUG") or False

    # DEBUG, INFO, WARNING, ERROR, CRITICAL can set. See https://docs.djangoproject.com/en/1.10/topics/logging/
    LOG_LEVEL = os.environ.get("LOG_LEVEL") or 'DEBUG'
    LOG_DIR = os.path.join(BASE_DIR, 'logs')

    # Database setting, Support sqlite3, mysql, postgres ....
    # See https://docs.djangoproject.com/en/1.10/ref/settings/#databases

    # SQLite setting:
    #DB_ENGINE = 'sqlite3'
    #DB_NAME = os.path.join(BASE_DIR, 'data', 'db.sqlite3')

    # MySQL or postgres setting like:
    DB_ENGINE = os.environ.get("DB_ENGINE") or 'mysql'
    DB_HOST = os.environ.get("DB_HOST") or '127.0.0.1'
    DB_PORT = os.environ.get("DB_PORT") or 3306
    DB_USER = os.environ.get("DB_USER") or 'jumpserver'
    DB_PASSWORD = os.environ.get("DB_PASSWORD") or 'weakPassword'
    DB_NAME = os.environ.get("DB_NAME") or 'jumpserver'

    # When Django start it will bind this host and port
    # ./manage.py runserver 127.0.0.1:8080
    HTTP_BIND_HOST = '0.0.0.0'
    HTTP_LISTEN_PORT = 8080

    # Use Redis as broker for celery and web socket
    REDIS_HOST = os.environ.get("REDIS_HOST") or '127.0.0.1'
    REDIS_PORT = os.environ.get("REDIS_PORT") or 6379
    REDIS_PASSWORD = os.environ.get("REDIS_PASSWORD") or ''
    REDIS_DB_CELERY = os.environ.get('REDIS_DB') or 3
    REDIS_DB_CACHE = os.environ.get('REDIS_DB') or 4

    def __init__(self):
        pass

    def __getattr__(self, item):
        return None


class DevelopmentConfig(Config):
    pass


class TestConfig(Config):
    pass


class ProductionConfig(Config):
    pass


# Default using Config settings, you can write if/else for different env
config = DevelopmentConfig()

(py3) [root@h165 jumpserver]# 
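
The config.py above keeps two things from config_example.py that should never reach a deployment: SECRET_KEY is the published example value (the file's own comment says it is used to encrypt and decrypt data, so anyone who has read config_example.py can decrypt whatever this instance stores), and ALLOWED_HOSTS is '*'. It also binds 8080 on 0.0.0.0 although nginx will front it, leaves LOG_LEVEL at DEBUG, and sets DB_PASSWORD to 'weakPassword' while the GRANT earlier used 'somepassword' (whichever was really used, the two must match). The script below is an added example, not Jumpserver code: it generates a fresh key and audits a Config-like object for these settings. PageConfig reproduces the values shown above as sample input; HardenedConfig, its host names and its generated passwords are assumptions for the example.

```python
"""Audit a Jumpserver 1.3-style config.py for the weak settings shown above
and generate a replacement SECRET_KEY.  Added example for this page, not
Jumpserver project code."""
import secrets
import string

# The key shipped in config_example.py, exactly as reproduced on this page.
# It is public, so its presence in a deployment is a finding by itself.
EXAMPLE_SECRET_KEY = '2vym+ky!997d5kkcc64mnz06y1mmui3lut#(^wd=%s_qj$1%x'

# Placeholders seen on this page (config.py and the GRANT statement).
PLACEHOLDER_PASSWORDS = {'', 'weakPassword', 'somepassword'}


def generate_secret_key(length=50):
    """Return a random key from Django's usual key alphabet, drawn from the
    CSPRNG behind the `secrets` module.  Generate it once, before the first
    migration: data encrypted under one key is unreadable under another."""
    alphabet = string.ascii_lowercase + string.digits + '!@#$%^&*(-_=+)'
    return ''.join(secrets.choice(alphabet) for _ in range(length))


def audit_config(cfg):
    """Return a list of (setting, problem) pairs for a Config-like object.

    getattr() with a default keeps this working on the page's Config class,
    whose __getattr__ returns None for anything unset."""
    findings = []
    secret = getattr(cfg, 'SECRET_KEY', None) or ''
    if secret == EXAMPLE_SECRET_KEY:
        findings.append(('SECRET_KEY', 'published example key from config_example.py'))
    elif len(secret) < 50:
        findings.append(('SECRET_KEY', 'missing or shorter than 50 characters'))
    if '*' in (getattr(cfg, 'ALLOWED_HOSTS', None) or []):
        findings.append(('ALLOWED_HOSTS', "'*' disables Django's Host header validation"))
    if getattr(cfg, 'DEBUG', False):
        findings.append(('DEBUG', 'enabled; tracebacks and settings are shown to clients'))
    if getattr(cfg, 'LOG_LEVEL', None) == 'DEBUG':
        findings.append(('LOG_LEVEL', 'DEBUG logging can record request contents'))
    if getattr(cfg, 'HTTP_BIND_HOST', None) == '0.0.0.0':
        findings.append(('HTTP_BIND_HOST', 'port 8080 reachable directly, bypassing nginx'))
    if getattr(cfg, 'DB_PASSWORD', None) in PLACEHOLDER_PASSWORDS:
        findings.append(('DB_PASSWORD', 'placeholder or empty database password'))
    if not getattr(cfg, 'REDIS_PASSWORD', None):
        findings.append(('REDIS_PASSWORD', 'Redis broker/cache has no authentication'))
    return findings


class PageConfig:
    """Values exactly as they appear in the config.py shown above
    (constructed here as sample input)."""
    SECRET_KEY = EXAMPLE_SECRET_KEY
    ALLOWED_HOSTS = ['*']
    DEBUG = False
    LOG_LEVEL = 'DEBUG'
    HTTP_BIND_HOST = '0.0.0.0'
    DB_PASSWORD = 'weakPassword'
    REDIS_PASSWORD = ''


class HardenedConfig:
    """The same settings corrected.  Host names and the generated passwords
    are assumptions for this example; in a real config.py read them from the
    environment (the commented-out SECRET_KEY line above shows the pattern)
    rather than writing them into the file."""
    SECRET_KEY = generate_secret_key()
    ALLOWED_HOSTS = ['jumpserver.example.internal', '192.168.56.165']
    DEBUG = False
    LOG_LEVEL = 'INFO'
    HTTP_BIND_HOST = '127.0.0.1'
    DB_PASSWORD = secrets.token_urlsafe(24)
    REDIS_PASSWORD = secrets.token_urlsafe(24)


if __name__ == '__main__':
    for name, cfg in (('page config.py', PageConfig), ('hardened', HardenedConfig)):
        print(name)
        for setting, problem in audit_config(cfg) or [('-', 'no findings')]:
            print('  %-15s %s' % (setting, problem))
    print('new SECRET_KEY:', generate_secret_key())
```

Because Jumpserver's config.py is plain Python, the audit can be run against the real file by importing it and passing its config object; the six findings it reports for PageConfig are the ones to clear before running make_migrations.sh in the next step.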

Generate the database schema and initial data

(py3) [root@h165 ~]# cd /opt/jumpserver/utils
(py3) [root@h165 utils]# bash make_migrations.sh
0
(py3) [root@h165 utils]# 

Run Jumpserver

(py3) [root@h165 utils]# cd /opt/jumpserver
(py3) [root@h165 jumpserver]# ./jms start all
Sun Jul 22 17:52:27 2018
Jumpserver version 1.3.3, more see https://www.jumpserver.org

...
...
...

Access the web interface

[screenshots omitted: jumpserver web login]

Install the SSH Server and WebSocket Server (coco)

[root@h165 ~]# cd /opt
[root@h165 opt]# source /opt/py3/bin/activate
(py3) [root@h165 opt]# git clone https://github.com/jumpserver/coco.git && cd coco && git checkout master

Successfully installed Flask-1.0.2 Flask-SocketIO-2.9.2 Werkzeug-0.14.1 cachetools-2.0.1 click-6.7 dotmap-1.2.20 jumpserver-python-sdk-0.0.44 psutil-5.4.1 pyte-0.8.0 python-engineio-2.1.0 python-socketio-1.8.3 tornado-4.5.2 wcwidth-0.1.7
(py3) [root@h165 requirements]# echo $?
0
(py3) [root@h165 requirements]#

Edit the coco configuration file

(py3) [root@h165 requirements]# cd /opt/coco
(py3) [root@h165 coco]# cp conf_example.py conf.py
(py3) [root@h165 coco]# vi conf.py 
(py3) [root@h165 coco]# cat conf.py 
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
#

import os

BASE_DIR = os.path.dirname(__file__)


class Config:
    """
    Coco config file, coco also load config from server update setting below
    """
    # Project name; used to register with Jumpserver, for identification only; must be unique
    # NAME = "localhost"
    NAME = "coco"

    # URL of the Jumpserver project; used for the API registration request
    # CORE_HOST = os.environ.get("CORE_HOST") or 'http://127.0.0.1:8080'
    CORE_HOST = os.environ.get("CORE_HOST") or 'http://127.0.0.1:8080'

    # IP to bind on start-up, default 0.0.0.0
    # BIND_HOST = '0.0.0.0'

    # SSH port to listen on, default 2222
    # SSHD_PORT = 2222

    # HTTP/WS port to listen on, default 5000
    # HTTPD_PORT = 5000

    # ACCESS KEY used by this project; by default it is registered and saved to ACCESS_KEY_STORE.
    # It can also be written into the config file, format access_key_id:access_key_secret
    # ACCESS_KEY = None

    # Where the ACCESS KEY is saved; by default it is written here after registration
    # ACCESS_KEY_STORE = os.path.join(BASE_DIR, 'keys', '.access_key')

    # Encryption key
    # SECRET_KEY = None

    # Log level ['DEBUG', 'INFO', 'WARN', 'ERROR', 'FATAL', 'CRITICAL']
    # LOG_LEVEL = 'INFO'

    # Directory for log files
    # LOG_DIR = os.path.join(BASE_DIR, 'logs')

    # Directory for session recordings
    # SESSION_DIR = os.path.join(BASE_DIR, 'sessions')

    # Sort order of the asset list, ['ip', 'hostname']
    # ASSET_LIST_SORT_BY = 'ip'

    # Whether password authentication is allowed at login
    # PASSWORD_AUTH = True

    # Whether public-key authentication is allowed at login
    # PUBLIC_KEY_AUTH = True

    # Heartbeat interval to Jumpserver
    # HEARTBEAT_INTERVAL = 5

    # Admin name, shown to users when something goes wrong
    # ADMINS = ''
    COMMAND_STORAGE = {
        "TYPE": "server"
    }
    REPLAY_STORAGE = {
        "TYPE": "server"
    }


config = Config()
(py3) [root@h165 coco]# 

Run coco

(py3) [root@h165 coco]# ./cocod start
Start coco process
2018-07-22 18:12:23 [service DEBUG] Initial app service
2018-07-22 18:12:23 [service DEBUG] Load access key
2018-07-22 18:12:23 [service INFO] No access key found, register it
2018-07-22 18:12:23 [service INFO] "Terminal was not accepted yet"
2018-07-22 18:12:26 [service INFO] "Terminal was not accepted yet"
...
...
...
[screenshots omitted: jumpserver]

Install the Web Terminal front end (Luna)

[root@h165 ~]# cd /opt
[root@h165 opt]# wget https://github.com/jumpserver/luna/releases/download/1.3.3/luna.tar.gz
--2018-07-22 18:16:49--  https://github.com/jumpserver/luna/releases/download/1.3.3/luna.tar.gz
Resolving github.com (github.com)... 52.74.223.119, 13.229.188.59, 13.250.177.223
Connecting to github.com (github.com)|52.74.223.119|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://github-production-release-asset-2e65be.s3.amazonaws.com/83748317/c44beea0-8b4f-11e8-8056-75da7b314d1f?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20180722%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20180722T181649Z&X-Amz-Expires=300&X-Amz-Signature=630ec697ea90ec5185482908192bef07ffe33d4e3430868db47b17c7ccf9f61b&X-Amz-SignedHeaders=host&actor_id=0&response-content-disposition=attachment%3B%20filename%3Dluna.tar.gz&response-content-type=application%2Foctet-stream [following]
--2018-07-22 18:16:50--  https://github-production-release-asset-2e65be.s3.amazonaws.com/83748317/c44beea0-8b4f-11e8-8056-75da7b314d1f?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20180722%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20180722T181649Z&X-Amz-Expires=300&X-Amz-Signature=630ec697ea90ec5185482908192bef07ffe33d4e3430868db47b17c7ccf9f61b&X-Amz-SignedHeaders=host&actor_id=0&response-content-disposition=attachment%3B%20filename%3Dluna.tar.gz&response-content-type=application%2Foctet-stream
Resolving github-production-release-asset-2e65be.s3.amazonaws.com (github-production-release-asset-2e65be.s3.amazonaws.com)... 54.231.97.232
Connecting to github-production-release-asset-2e65be.s3.amazonaws.com (github-production-release-asset-2e65be.s3.amazonaws.com)|54.231.97.232|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 5335554 (5.1M) [application/octet-stream]
Saving to: 'luna.tar.gz'

luna/theme/default/
luna/theme/default/layer.css
[root@h165 opt]# chown -R root:root luna
[root@h165 opt]# 

Configure Nginx to tie the components together

[root@h165 opt]# yum -y install nginx
                                     

Complete!
[root@h165 opt]# 

Configure nginx

The server block below listens on plain HTTP. Every interactive session and credential passes through this host, so a production deployment should serve the site on 443 with a real certificate and redirect 80; the commented TLS block at the end of the file is the distribution's template, not a working configuration.

[root@h165 ~]# vi /etc/nginx/nginx.conf
[root@h165 ~]# nginx -t -c /etc/nginx/nginx.conf
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[root@h165 ~]# cat /etc/nginx/nginx.conf
# For more information on configuration, see:
#   * Official English Documentation: http://nginx.org/en/docs/
#   * Official Russian Documentation: http://nginx.org/ru/docs/

user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

# Load dynamic modules. See /usr/share/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;

events {
    worker_connections 1024;
}

http {
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    keepalive_timeout   65;
    types_hash_max_size 2048;

    include             /etc/nginx/mime.types;
    default_type        application/octet-stream;

    # Load modular configuration files from the /etc/nginx/conf.d directory.
    # See http://nginx.org/en/docs/ngx_core_module.html#include
    # for more information.
    include /etc/nginx/conf.d/*.conf;

    server {

    listen 80;  # proxy port; from now on access goes through this port, not 8080

    location /luna/ {
        try_files $uri / /index.html;
        alias /opt/luna/;  # luna path; change this if the install directory changes
    }

    location /media/ {
        add_header Content-Encoding gzip;
        root /opt/jumpserver/data/;  # session recordings; change this if the install directory changes
    }

    location /static/ {
        root /opt/jumpserver/data/;  # static assets; change this if the install directory changes
    }

    location /socket.io/ {
        proxy_pass       http://localhost:5000/socket.io/;  # if coco runs on another server, put its ip here
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    location /guacamole/ {
        proxy_pass       http://localhost:8081/;  # if guacamole runs on another server, put its ip here
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
        client_max_body_size 100m;  # upload size limit for Windows file transfer
    }

    location / {
        proxy_pass http://localhost:8080;  # if jumpserver runs on another server, put its ip here
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    }

# Settings for a TLS enabled server.
#
#    server {
#        listen       443 ssl http2 default_server;
#        listen       [::]:443 ssl http2 default_server;
#        server_name  _;
#        root         /usr/share/nginx/html;
#
#        ssl_certificate "/etc/pki/nginx/server.crt";
#        ssl_certificate_key "/etc/pki/nginx/private/server.key";
#        ssl_session_cache shared:SSL:1m;
#        ssl_session_timeout  10m;
#        ssl_ciphers HIGH:!aNULL:!MD5;
#        ssl_prefer_server_ciphers on;
#
#        # Load configuration files for the default server block.
#        include /etc/nginx/default.d/*.conf;
#
#        location / {
#        }
#
#        error_page 404 /404.html;
#            location = /40x.html {
#        }
#
#        error_page 500 502 503 504 /50x.html;
#            location = /50x.html {
#        }
#    }

}

[root@h165 ~]# 

Run Nginx

[root@h165 ~]# systemctl start nginx
[root@h165 ~]# systemctl enable nginx
Created symlink from /etc/systemd/system/multi-user.target.wants/nginx.service to /usr/lib/systemd/system/nginx.service.
[root@h165 ~]# systemctl status nginx
● nginx.service - The nginx HTTP and reverse proxy server
   Loaded: loaded (/usr/lib/systemd/system/nginx.service; enabled; vendor preset: disabled)
   Active: active (running) since Sun 2018-07-22 18:27:24 UTC; 9s ago
 Main PID: 23715 (nginx)
   CGroup: /system.slice/nginx.service
           ├─23715 nginx: master process /usr/sbin/nginx
           ├─23716 nginx: worker process
           ├─23717 nginx: worker process
           ├─23718 nginx: worker process
           └─23719 nginx: worker process

Jul 22 18:27:24 h165 systemd[1]: Starting The nginx HTTP and reverse proxy.....
Jul 22 18:27:24 h165 nginx[23710]: nginx: the configuration file /etc/ngin...ok
Jul 22 18:27:24 h165 nginx[23710]: nginx: configuration file /etc/nginx/ng...ul
Jul 22 18:27:24 h165 systemd[1]: Started The nginx HTTP and reverse proxy ...r.
Hint: Some lines were ellipsized, use -l to show in full.
[root@h165 ~]#

Log in again

[screenshots omitted: jumpserver]

Accept the terminal registration

[screenshots omitted: accepting the coco terminal in the Jumpserver web interface]

...
...
...
2018-07-22 18:36:09 [service INFO] "Terminal was not accepted yet"
2018-07-22 18:36:12 [service INFO] "Terminal was not accepted yet"
2018-07-22 18:36:15 [service INFO] "Terminal was not accepted yet"
2018-07-22 18:36:18 [service DEBUG] Set app service auth: cd39df5d-a40b-4d8c-bd4c-f5617bbaa5e2
2018-07-22 18:36:18 [service DEBUG] Service http auth: <jms.auth.AccessKeyAuth object at 0x7fdf3c677cf8>
2018-07-22 18:36:18 [app DEBUG] Loading config from server: {"COMMAND_STORAGE": {"TYPE": "server"}, "REPLAY_STORAGE": {"TYPE": "server"}}
Sun Jul 22 18:36:18 2018
Coco version 1.3.3, more see https://www.jumpserver.org
Quit the server with CONTROL-C.
Starting ssh server at 0.0.0.0:2222
Starting websocket server at 0.0.0.0:5000
...
...
...

Managing via the CLI

[vagrant@h105 ~]$ ssh -p2222 admin@192.168.56.165
admin@192.168.56.165's password: 
...
...
...

The default credentials are admin/admin; change them at the first login, since this account administers every asset behind the bastion.

    Administrator, welcome to the Jumpserver open-source jump server system

    1) Enter an ID to log in directly, or enter part of an IP, hostname or comment to search and log in (if unique).
    2) Enter / + IP, hostname or comment to search, e.g. /ip
    3) Enter p to list the hosts you are authorized for.
    4) Enter g to list the nodes you are authorized for.
    5) Enter g + node ID to list the hosts under that node, e.g. g1
    6) Enter h for help.
    0) Enter q to quit.

Opt> 

Once the password is accepted, the menu above is shown.

Install the Windows support component (Guacamole)

First install Docker

[root@h165 ~]# yum remove docker-latest-logrotate  docker-logrotate  docker-selinux dockdocker-engine
Loaded plugins: fastestmirror
No Match for argument: docker-latest-logrotate
No Match for argument: docker-logrotate
No Match for argument: docker-selinux
No Match for argument: dockdocker-engine
No Packages marked for removal
[root@h165 ~]# yum install -y yum-utils   device-mapper-persistent-data   lvm2
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirror.pregi.net
 * epel: mirror.pregi.net
 * extras: mirror.pregi.net
 * updates: mirror.pregi.net
Package yum-utils-1.1.31-45.el7.noarch already installed and latest version
Package device-mapper-persistent-data-0.7.3-3.el7.x86_64 already installed and latest version
Package 7:lvm2-2.02.177-4.el7.x86_64 already installed and latest version
Nothing to do
[root@h165 ~]# yum-config-manager     --add-repo     https://download.docker.com/linux/centos/docker-ce.repo
Loaded plugins: fastestmirror
adding repo from: https://download.docker.com/linux/centos/docker-ce.repo
grabbing file https://download.docker.com/linux/centos/docker-ce.repo to /etc/yum.repos.d/docker-ce.repo
repo saved to /etc/yum.repos.d/docker-ce.repo
[root@h165 ~]# yum makecache fast
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
epel/x86_64/metalink                                     | 6.1 kB     00:00     
 * base: mirror.pregi.net
 * epel: mirror.pregi.net
 * extras: mirror.pregi.net
 * updates: mirror.pregi.net
base                                                     | 3.6 kB     00:00     
docker-ce-stable                                         | 2.9 kB     00:00     
extras                                                   | 3.4 kB     00:00     
updates                                                  | 3.4 kB     00:00     
docker-ce-stable/x86_64/primary_db                         |  14 kB   00:00     
Metadata Cache Created
[root@h165 ~]# yum install docker-ce
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirror.pregi.net

Complete!
[root@h165 ~]# echo $?
0
[root@h165 ~]# 

Then start Docker

[root@h165 ~]# systemctl start docker
[root@h165 ~]# systemctl status docker
● docker.service - Docker Application Container Engine
   Loaded: loaded (/usr/lib/systemd/system/docker.service; disabled; vendor preset: disabled)
   Active: active (running) since Sun 2018-07-22 18:58:56 UTC; 4s ago
     Docs: https://docs.docker.com
 Main PID: 24622 (dockerd)
    Tasks: 26
   Memory: 46.6M
   CGroup: /system.slice/docker.service
           ├─24622 /usr/bin/dockerd
           └─24630 docker-containerd --config /var/run/docker/containerd/cont...

Jul 22 18:58:56 h165 dockerd[24622]: time="2018-07-22T18:58:56.421854451Z"...pc
Jul 22 18:58:56 h165 dockerd[24622]: time="2018-07-22T18:58:56.421897175Z"...pc
Jul 22 18:58:56 h165 dockerd[24622]: time="2018-07-22T18:58:56.423786369Z"...pc
Jul 22 18:58:56 h165 dockerd[24622]: time="2018-07-22T18:58:56.423851725Z"...."
Jul 22 18:58:56 h165 dockerd[24622]: time="2018-07-22T18:58:56.574771896Z"...s"
Jul 22 18:58:56 h165 dockerd[24622]: time="2018-07-22T18:58:56.623893983Z"...."
Jul 22 18:58:56 h165 dockerd[24622]: time="2018-07-22T18:58:56.643650687Z"...ce
Jul 22 18:58:56 h165 dockerd[24622]: time="2018-07-22T18:58:56.644194232Z"...n"
Jul 22 18:58:56 h165 dockerd[24622]: time="2018-07-22T18:58:56.663163741Z"...k"
7月 22 18:58:56 h165 systemd[1]: Started Docker Application Container Engine.
Hint: Some lines were ellipsized, use -l to show in full.
[root@h165 ~]# 

Create the Guacamole container

[root@h165 ~]# docker run --name jms_guacamole -d -p 8081:8080 -v /opt/guacamole/key:/config/guacamole/key -e JUMPSERVER_KEY_DIR=/config/guacamole/key -e JUMPSERVER_SERVER=http://127.0.0.1:8080 registry.jumpserver.org/public/guacamole:latest
Unable to find image 'registry.jumpserver.org/public/guacamole:latest' locally
latest: Pulling from public/guacamole
723254a2c089: Downloading  458.2kB/45.12MB
abe15a44e12f: Downloading  458.2kB/11.11MB
409a28e3cc3d: Downloading  392.7kB/4.335MB
a9511c68044a: Waiting 
9d1b16e30bc8: Waiting 
0fc5a09c9242: Waiting 
d34976006493: Waiting 
3b70003f0c10: Waiting 
bc7887582e2e: Waiting 
d2ab4f165865: Waiting 
3882b23577d6: Waiting 
9f8b758ebfa6: Waiting 
ef5d2d838878: Waiting 
310fa32446d6: Waiting 
a23204f32cd2: Waiting 
f3cba08c8ef8: Waiting 
59073672f2e3: Waiting 
86d50039bf5c: Waiting 
7041bb4312f0: Waiting 
4a7a284e984f: Waiting 
2da6caf16c59: Waiting 
c41fb67653ac: Waiting 
1a457b98f2f8: Waiting 
...
...
...

This pull takes a while.

When it finishes, accept the registration in Jumpserver the same way as for coco. One caveat with the command above: on Docker's default bridge network, 127.0.0.1 inside the container is the container's own loopback, not the host, so JUMPSERVER_SERVER=http://127.0.0.1:8080 cannot reach Jumpserver. Use the host's address instead (192.168.56.165 in this environment) or run the container with --network host.


Summary

Overall, Jumpserver involves quite a few components.

These components are pieced together and cooperate to carry out the management tasks.

So to judge whether the whole thing is running properly, the following services have to be considered:

  • nginx
  • mysql
  • jumpserver
  • coco
  • guacamole

A brief description of what each component does:

  • Jumpserver: the management back end; administrators use the web pages for asset management, user management, asset authorization and so on
  • Coco: the SSH Server and Web Terminal Server; users log in with their own account over SSH or the Web Terminal and reach the assets they are authorized for directly, without knowing the servers' account passwords
  • Luna: the front-end pages of the Web Terminal Server, needed by users who log in via the Web Terminal
  • Guacamole: the Windows component; users connect to Windows assets through the Web Terminal, which for now is the only way to access them
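
The list above is a checklist for a human; the following added example (not Jumpserver code) turns it into a check that can be run on the host. It probes each component's port from this machine and, for the components that should only be reachable through nginx or locally, also tries the host's LAN address, so that a backend accidentally exposed by the stopped firewall and the 0.0.0.0 bind settings shows up as exposed. Port numbers are the ones used on this page and 192.168.56.165 is this host's eth1 address from the ip a output at the top. demo() runs the check against a constructed stand-in listener instead of the real services so it executes anywhere.

```python
"""Probe the Jumpserver components listed above and report which ones
answer, and which backends are reachable from the LAN when they should
only be reachable through nginx or locally.  Added example for this page,
not Jumpserver code; plain TCP connects only, no authentication attempted."""
import socket

# Component -> TCP port, as configured on this page.
COMPONENT_PORTS = {
    'nginx': 80,
    'jumpserver': 8080,
    'coco-ssh': 2222,
    'coco-ws': 5000,
    'guacamole': 8081,
    'mariadb': 3306,
    'redis': 6379,
}

# Everything except nginx (80) and the coco SSH entry point (2222) should
# be reachable only on loopback; firewalld was stopped above, so nothing
# else stands between these ports and the network.
LOOPBACK_ONLY = {'jumpserver', 'coco-ws', 'guacamole', 'mariadb', 'redis'}


def port_open(host, port, timeout=1.0):
    """True if a TCP connection to host:port completes within timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0


def check_components(external_ip, ports=COMPONENT_PORTS, timeout=1.0):
    """Return {component: {'listening': bool, 'exposed': bool}}.

    listening: the port answers on 127.0.0.1.
    exposed: a loopback-only component also answers on external_ip
    (the host's eth1 address, 192.168.56.165 on this page)."""
    report = {}
    for name, port in ports.items():
        listening = port_open('127.0.0.1', port, timeout)
        exposed = name in LOOPBACK_ONLY and port_open(external_ip, port, timeout)
        report[name] = {'listening': listening, 'exposed': exposed}
    return report


def demo():
    """Run the check against a constructed stand-in: one listener on an
    ephemeral loopback port plays 'jumpserver'; a socket that is bound but
    not listening plays a stopped 'redis' (connections to it are refused
    and the port cannot be handed out to anyone else meanwhile).  Using
    127.0.0.1 as the 'external' address makes the listener show as exposed,
    which is what the real check reports when a backend answers on the LAN."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv, \
            socket.socket(socket.AF_INET, socket.SOCK_STREAM) as tmp:
        srv.bind(('127.0.0.1', 0))
        srv.listen(5)
        tmp.bind(('127.0.0.1', 0))
        up_port = srv.getsockname()[1]
        down_port = tmp.getsockname()[1]
        return check_components('127.0.0.1', {'jumpserver': up_port, 'redis': down_port})


if __name__ == '__main__':
    for name, state in check_components('192.168.56.165').items():
        flag = ' EXPOSED' if state['exposed'] else ''
        print('%-11s %s%s' % (name, 'up' if state['listening'] else 'down', flag))
```

Run it on the bastion itself after ./jms start all, ./cocod start, the Guacamole container and nginx are up; a backend reported as exposed means either its bind address (HTTP_BIND_HOST, BIND_HOST, the MariaDB and Redis bind settings) or the firewall rules need to be tightened.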

Port reference

  • 80: nginx, the only port users need to reach for the web interface
  • 2222: coco SSH server, reached directly by SSH clients
  • 8080: Jumpserver (Django), proxied by nginx at /
  • 5000: coco WebSocket server, proxied by nginx at /socket.io/
  • 8081: Guacamole container (port 8080 inside the container), proxied by nginx at /guacamole/
  • 3306: MariaDB, used by Jumpserver over 127.0.0.1
  • 6379: Redis, cache and Celery broker on 127.0.0.1

This article is a repost; see the original.

If it infringes your rights, contact cloudcommunity@tencent.com for removal.
