Jumpserver 是一款使用广泛的开源堡垒机软件
Jumpserver 是完全开源的堡垒机,使用 GNU GPL v2.0 开源协议,符合 4A 的运维审计系统
Jumpserver 基于 Python / Django 进行开发,遵循 Web 2.0 规范,配备了 Web Terminal 解决方案
Jumpserver 采纳分布式架构,支持多机房跨区域部署,中心节点提供 API,各机房部署登录节点,可横向扩展、无并发访问限制
这里就 Jumpserver 的安装作一个简单的演示
Tip: 当前的最新版本为 jumpserver 1.3.3
[root@h165 ~]# hostnamectl
Static hostname: h165
Icon name: computer-vm
Chassis: vm
Machine ID: 0b945835fbb54426b6f67a179adc93cf
Boot ID: 3605e751c5cb495ea414ef44dec6526f
Virtualization: kvm
Operating System: CentOS Linux 7 (Core)
CPE OS Name: cpe:/o:centos:centos:7
Kernel: Linux 3.10.0-862.2.3.el7.x86_64
Architecture: x86-64
[root@h165 ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 52:54:00:c9:c7:04 brd ff:ff:ff:ff:ff:ff
inet 10.0.2.15/24 brd 10.0.2.255 scope global noprefixroute dynamic eth0
valid_lft 82235sec preferred_lft 82235sec
inet6 fe80::5054:ff:fec9:c704/64 scope link
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 08:00:27:55:8b:d3 brd ff:ff:ff:ff:ff:ff
inet 192.168.56.165/24 brd 192.168.56.255 scope global noprefixroute eth1
valid_lft forever preferred_lft forever
inet6 fe80::a00:27ff:fe55:8bd3/64 scope link
valid_lft forever preferred_lft forever
[root@h165 ~]#
[root@h165 ~]# getenforce
Enforcing
[root@h165 ~]# setenforce 0
[root@h165 ~]# getenforce
Permissive
[root@h165 ~]#
Note: 如果 SELINUX 不关闭会无法访问 web 界面
[root@h165 ~]# systemctl stop firewalld.service
[root@h165 ~]# systemctl status firewalld.service
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
Active: inactive (dead)
Docs: man:firewalld(1)
[root@h165 ~]#
[root@h165 ~]# localedef -c -f UTF-8 -i zh_CN zh_CN.UTF-8
[root@h165 ~]# export LC_ALL=zh_CN.UTF-8
-bash: warning: setlocale: LC_ALL: cannot change locale (zh_CN.UTF-8): No such file or directory
-bash: warning: setlocale: LC_ALL: cannot change locale (zh_CN.UTF-8)
[root@h165 ~]# echo 'LANG="zh_CN.UTF-8"' > /etc/locale.conf
[root@h165 ~]# env | grep LC
LC_ALL=zh_CN.UTF-8
[root@h165 ~]#
[root@h165 tmp]# yum -y install wget sqlite-devel xz gcc automake zlib-devel openssl-devel epel-release git
Loaded plugins: fastestmirror
Dependency Updated:
e2fsprogs.x86_64 0:1.42.9-12.el7_5 e2fsprogs-libs.x86_64 0:1.42.9-12.el7_5
libcom_err.x86_64 0:1.42.9-12.el7_5 libgcc.x86_64 0:4.8.5-28.el7_5.1
libgomp.x86_64 0:4.8.5-28.el7_5.1 libss.x86_64 0:1.42.9-12.el7_5
Complete!
[root@h165 tmp]# echo $?
0
[root@h165 tmp]#
[root@h165 tmp]# wget https://www.python.org/ftp/python/3.6.1/Python-3.6.1.tar.xz
--2018-07-22 12:46:12-- https://www.python.org/ftp/python/3.6.1/Python-3.6.1.tar.xz
正在解析主机 www.python.org (www.python.org)... 151.101.24.223, 2a04:4e42:6::223
正在连接 www.python.org (www.python.org)|151.101.24.223|:443... 已连接。
已发出 HTTP 请求,正在等待回应... 200 OK
长度:16872064 (16M) [application/octet-stream]
正在保存至: “Python-3.6.1.tar.xz”
100%[===============================================>] 16,872,064 3.26MB/s 用时 8.4s
2018-07-22 12:46:22 (1.92 MB/s) - 已保存 “Python-3.6.1.tar.xz” [16872064/16872064])
[root@h165 tmp]#
[root@h165 tmp]# tar xvf Python-3.6.1.tar.xz && cd Python-3.6.1
Python-3.6.1/
Python-3.6.1/Doc/
Python-3.6.1/Doc/c-api/
Python-3.6.1/Doc/c-api/sys.rst
Python-3.6.1/Doc/c-api/conversion.rst
Python-3.6.1/Doc/c-api/marshal.rst
Python-3.6.1/Doc/c-api/coro.rst
Python-3.6.1/Doc/c-api/method.rst
Python-3.6.1/Doc/c-api/index.rst
Python-3.6.1/Doc/c-api/bytearray.rst
Python-3.6.1/Doc/library/html.entities.rst
...
...
Python-3.6.1/Objects/methodobject.c
Python-3.6.1/Objects/tupleobject.c
Python-3.6.1/Objects/obmalloc.c
Python-3.6.1/Objects/object.c
Python-3.6.1/Objects/abstract.c
Python-3.6.1/Objects/listobject.c
Python-3.6.1/Objects/bytes_methods.c
Python-3.6.1/Objects/dictnotes.txt
Python-3.6.1/Objects/typeslots.inc
[root@h165 Python-3.6.1]#
[root@h165 Python-3.6.1]# ./configure && make && make install
checking build system type... x86_64-unknown-linux-gnu
checking host system type... x86_64-unknown-linux-gnu
checking for python3.6... no
checking for python3... no
checking for python... python
checking for --enable-universalsdk... no
checking for --with-universal-archs... no
checking MACHDEP... linux
checking for --without-gcc... no
checking for --with-icc... no
checking for gcc... gcc
...
...
rm -f /usr/local/bin/python3-config
(cd /usr/local/bin; ln -s python3.6-config python3-config)
rm -f /usr/local/lib/pkgconfig/python3.pc
(cd /usr/local/lib/pkgconfig; ln -s python-3.6.pc python3.pc)
rm -f /usr/local/bin/idle3
(cd /usr/local/bin; ln -s idle3.6 idle3)
rm -f /usr/local/bin/pydoc3
(cd /usr/local/bin; ln -s pydoc3.6 pydoc3)
rm -f /usr/local/bin/2to3
(cd /usr/local/bin; ln -s 2to3-3.6 2to3)
rm -f /usr/local/bin/pyvenv
(cd /usr/local/bin; ln -s pyvenv-3.6 pyvenv)
if test "x" != "x" ; then \
rm -f /usr/local/bin/python3-32; \
(cd /usr/local/bin; ln -s python3.6-32 python3-32) \
fi
rm -f /usr/local/share/man/man1/python3.1
(cd /usr/local/share/man/man1; ln -s python3.6.1 python3.1)
if test "xupgrade" != "xno" ; then \
case upgrade in \
upgrade) ensurepip="--upgrade" ;; \
install|*) ensurepip="" ;; \
esac; \
./python -E -m ensurepip \
$ensurepip --root=/ ; \
fi
Collecting setuptools
Collecting pip
Installing collected packages: setuptools, pip
Successfully installed pip-9.0.1 setuptools-28.8.0
[root@h165 Python-3.6.1]# echo $?
0
[root@h165 Python-3.6.1]#
为了不扰乱原来的环境我们来使用 Python 虚拟环境
[root@h165 Python-3.6.1]# cd /opt/
[root@h165 opt]#
[root@h165 opt]# python3 -m venv py3
[root@h165 opt]# source /opt/py3/bin/activate
(py3) [root@h165 opt]#
(py3) [root@h165 opt]#
(py3) [root@h165 opt]#
看到上面的提示符代表成功,以后运行 Jumpserver 都要先运行以上 source 命令,以下所有命令均在该虚拟环境中运行
[vagrant@h165 ~]$ cd /opt/
[vagrant@h165 opt]$ git clone git://github.com/kennethreitz/autoenv.git
fatal: could not create work tree dir 'autoenv'.: Permission denied
[vagrant@h165 opt]$ sudo git clone git://github.com/kennethreitz/autoenv.git
Cloning into 'autoenv'...
remote: Counting objects: 671, done.
remote: Total 671 (delta 0), reused 0 (delta 0), pack-reused 671
Receiving objects: 100% (671/671), 103.92 KiB | 0 bytes/s, done.
Resolving deltas: 100% (356/356), done.
[vagrant@h165 opt]$ echo 'source /opt/autoenv/activate.sh' >> ~/.bashrc
[vagrant@h165 opt]$ source ~/.bashrc
[vagrant@h165 opt]$
之后进入此目录,会有提醒
[vagrant@h165 ~]$ cd /opt/jumpserver/
autoenv:
autoenv: WARNING:
autoenv: This is the first time you are about to source /opt/jumpserver/.env:
autoenv:
autoenv: --- (begin contents) ---------------------------------------
autoenv: source /opt/py3/bin/activate$
autoenv:
autoenv: --- (end contents) -----------------------------------------
autoenv:
autoenv: Are you sure you want to allow this? (y/N) y
(py3) [vagrant@h165 jumpserver]$
(py3) [vagrant@h165 jumpserver]$
(py3) [vagrant@h165 jumpserver]$
[root@h165 ~]# cd /opt/
[root@h165 opt]# git clone https://github.com/jumpserver/jumpserver.git && cd jumpserver && git checkout master
正克隆到 'jumpserver'...
remote: Counting objects: 30587, done.
remote: Compressing objects: 100% (121/121), done.
remote: Total 30587 (delta 77), reused 95 (delta 42), pack-reused 30420
接收对象中: 100% (30587/30587), 40.98 MiB | 2.30 MiB/s, done.
处理 delta 中: 100% (21128/21128), done.
已经位于 'master'
[root@h165 jumpserver]#
[root@h165 ~]# cd /opt/jumpserver/requirements
[root@h165 requirements]# cat rpm_requirements.txt
libtiff-devel libjpeg-devel libzip-devel freetype-devel lcms2-devel libwebp-devel tcl-devel tk-devel sshpass openldap-devel mysql-devel libffi-devel openssh-clients
[root@h165 requirements]# yum -y install $(cat rpm_requirements.txt)
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
epel/x86_64/metalink | 6.4 kB 00:00:00
* base: mirror.pregi.net
Complete!
[root@h165 requirements]#
(py3) [root@h165 requirements]# pwd
/opt/jumpserver/requirements
(py3) [root@h165 requirements]# ls
deb_requirements.txt mac_requirements.txt rpm_requirements.txt
issues.txt requirements.txt
Collecting pip
Downloading https://files.pythonhosted.org/packages/5f/25/e52d3f31441505a5f3af41213346e5b6c221c9e086a166f3703d2ddaf940/pip-18.0-py2.py3-none-any.whl (1.3MB)
100% |████████████████████████████████| 1.3MB 543kB/s
Installing collected packages: pip
Found existing installation: pip 9.0.1
Uninstalling pip-9.0.1:
Successfully uninstalled pip-9.0.1
Successfully installed pip-18.0
(py3) [root@h165 requirements]#
Note: 不要指定-i参数,因为镜像上可能没有最新的包
Jumpserver 使用 Redis 做 cache 和 celery broke
(py3) [root@h165 requirements]# yum -y install redis
7月 22 13:57:35 h165 systemd[1]: Started Redis persistent key-value database.
7月 22 13:57:35 h165 systemd[1]: Starting Redis persistent key-value database...
(py3) [root@h165 requirements]#
使用 Mysql 作为数据库
(py3) [root@h165 ~]# yum -y install mariadb mariadb-devel mariadb-server
(py3) [root@h165 ~]#
(py3) [root@h165 ~]# mysql
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 2
Server version: 5.5.56-MariaDB MariaDB Server
Copyright (c) 2000, 2017, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> create database jumpserver default charset 'utf8';
Query OK, 1 row affected (0.00 sec)
MariaDB [(none)]> grant all on jumpserver.* to 'jumpserver'@'127.0.0.1' identified by 'somepassword';
Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]> flush privileges;
Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]>
MariaDB [(none)]> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| jumpserver |
| mysql |
| performance_schema |
| test |
+--------------------+
5 rows in set (0.00 sec)
MariaDB [(none)]> show create database jumpserver;
+------------|---------------------------------------------------------------------+
| Database | Create Database |
+------------|---------------------------------------------------------------------+
| jumpserver | CREATE DATABASE `jumpserver` /*!40100 DEFAULT CHARACTER SET utf8 */ |
+------------|---------------------------------------------------------------------+
1 row in set (0.00 sec)
MariaDB [(none)]> exit
Bye
(py3) [root@h165 ~]#
(py3) [root@h165 ~]# cd /opt/jumpserver/
(py3) [root@h165 jumpserver]# cp config_example.py config.py
(py3) [root@h165 jumpserver]#
(py3) [root@h165 jumpserver]# vi config.py
(py3) [root@h165 jumpserver]#
(py3) [root@h165 jumpserver]# cat config.py
xxx
jumpserver.config
Jumpserver project setting file
:copyright: (c) 2014-2017 by Jumpserver Team
:license: GPL v2, see LICENSE for more details.
xxx
import os
BASE_DIR = os.path.dirname(os.path.abspath(__file__))
class Config:
# Use it to encrypt or decrypt data
# SECURITY WARNING: keep the secret key used in production secret!
#SECRET_KEY = os.environ.get('SECRET_KEY') or '2vym+ky!997d5kkcc64mnz06y1mmui3lut#(^wd=%s_qj$1%x'
SECRET_KEY = '2vym+ky!997d5kkcc64mnz06y1mmui3lut#(^wd=%s_qj$1%x'
# Django security setting, if your disable debug model, you should setting that
ALLOWED_HOSTS = ['*']
# Development env open this, when error occur display the full process track, Production disable it
DEBUG = os.environ.get("DEBUG") or False
# DEBUG, INFO, WARNING, ERROR, CRITICAL can set. See https://docs.djangoproject.com/en/1.10/topics/logging/
LOG_LEVEL = os.environ.get("LOG_LEVEL") or 'DEBUG'
LOG_DIR = os.path.join(BASE_DIR, 'logs')
# Database setting, Support sqlite3, mysql, postgres ....
# See https://docs.djangoproject.com/en/1.10/ref/settings/#databases
# SQLite setting:
#DB_ENGINE = 'sqlite3'
#DB_NAME = os.path.join(BASE_DIR, 'data', 'db.sqlite3')
# MySQL or postgres setting like:
DB_ENGINE = os.environ.get("DB_ENGINE") or 'mysql'
DB_HOST = os.environ.get("DB_HOST") or '127.0.0.1'
DB_PORT = os.environ.get("DB_PORT") or 3306
DB_USER = os.environ.get("DB_USER") or 'jumpserver'
DB_PASSWORD = os.environ.get("DB_PASSWORD") or 'weakPassword'
DB_NAME = os.environ.get("DB_NAME") or 'jumpserver'
# When Django start it will bind this host and port
# ./manage.py runserver 127.0.0.1:8080
HTTP_BIND_HOST = '0.0.0.0'
HTTP_LISTEN_PORT = 8080
# Use Redis as broker for celery and web socket
REDIS_HOST = os.environ.get("REDIS_HOST") or '127.0.0.1'
REDIS_PORT = os.environ.get("REDIS_PORT") or 6379
REDIS_PASSWORD = os.environ.get("REDIS_PASSWORD") or ''
REDIS_DB_CELERY = os.environ.get('REDIS_DB') or 3
REDIS_DB_CACHE = os.environ.get('REDIS_DB') or 4
def __init__(self):
pass
def __getattr__(self, item):
return None
class DevelopmentConfig(Config):
pass
class TestConfig(Config):
pass
class ProductionConfig(Config):
pass
# Default using Config settings, you can write if/else for different env
config = DevelopmentConfig()
(py3) [root@h165 jumpserver]#
(py3) [root@h165 ~]# cd /opt/jumpserver/utils
(py3) [root@h165 utils]# bash make_migrations.sh
0
(py3) [root@h165 utils]#
(py3) [root@h165 utils]# cd /opt/jumpserver
(py3) [root@h165 jumpserver]# ./jms start all
Sun Jul 22 17:52:27 2018
Jumpserver version 1.3.3, more see https://www.jumpserver.org
...
...
...
[root@h165 ~]# cd /opt
[root@h165 opt]# source /opt/py3/bin/activate
(py3) [root@h165 opt]# git clone https://github.com/jumpserver/coco.git && cd coco && git checkout master
Successfully installed Flask-1.0.2 Flask-SocketIO-2.9.2 Werkzeug-0.14.1 cachetools-2.0.1 click-6.7 dotmap-1.2.20 jumpserver-python-sdk-0.0.44 psutil-5.4.1 pyte-0.8.0 python-engineio-2.1.0 python-socketio-1.8.3 tornado-4.5.2 wcwidth-0.1.7
(py3) [root@h165 requirements]# echo $?
0
(py3) [root@h165 requirements]#
(py3) [root@h165 requirements]# cd /opt/coco
(py3) [root@h165 coco]# cp conf_example.py conf.py
(py3) [root@h165 coco]# vi conf.py
(py3) [root@h165 coco]# cat conf.py
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
#
import os
BASE_DIR = os.path.dirname(__file__)
class Config:
"""
Coco config file, coco also load config from server update setting below
"""
# 项目名称, 会用来向Jumpserver注册, 识别而已, 不能重复
# NAME = "localhost"
NAME = "coco"
# Jumpserver项目的url, api请求注册会使用
# CORE_HOST = os.environ.get("CORE_HOST") or 'http://127.0.0.1:8080'
CORE_HOST = os.environ.get("CORE_HOST") or 'http://127.0.0.1:8080'
# 启动时绑定的ip, 默认 0.0.0.0
# BIND_HOST = '0.0.0.0'
# 监听的SSH端口号, 默认2222
# SSHD_PORT = 2222
# 监听的HTTP/WS端口号,默认5000
# HTTPD_PORT = 5000
# 项目使用的ACCESS KEY, 默认会注册,并保存到 ACCESS_KEY_STORE中,
# 如果有需求, 可以写到配置文件中, 格式 access_key_id:access_key_secret
# ACCESS_KEY = None
# ACCESS KEY 保存的地址, 默认注册后会保存到该文件中
# ACCESS_KEY_STORE = os.path.join(BASE_DIR, 'keys', '.access_key')
# 加密密钥
# SECRET_KEY = None
# 设置日志级别 ['DEBUG', 'INFO', 'WARN', 'ERROR', 'FATAL', 'CRITICAL']
# LOG_LEVEL = 'INFO'
# 日志存放的目录
# LOG_DIR = os.path.join(BASE_DIR, 'logs')
# Session录像存放目录
# SESSION_DIR = os.path.join(BASE_DIR, 'sessions')
# 资产显示排序方式, ['ip', 'hostname']
# ASSET_LIST_SORT_BY = 'ip'
# 登录是否支持密码认证
# PASSWORD_AUTH = True
# 登录是否支持秘钥认证
# PUBLIC_KEY_AUTH = True
# 和Jumpserver 保持心跳时间间隔
# HEARTBEAT_INTERVAL = 5
# Admin的名字,出问题会提示给用户
# ADMINS = ''
COMMAND_STORAGE = {
"TYPE": "server"
}
REPLAY_STORAGE = {
"TYPE": "server"
}
config = Config()
(py3) [root@h165 coco]#
(py3) [root@h165 coco]# ./cocod start
Start coco process
2018-07-22 18:12:23 [service DEBUG] Initial app service
2018-07-22 18:12:23 [service DEBUG] Load access key
2018-07-22 18:12:23 [service INFO] No access key found, register it
2018-07-22 18:12:23 [service INFO] "Terminal was not accepted yet"
2018-07-22 18:12:26 [service INFO] "Terminal was not accepted yet"
...
...
...
[root@h165 ~]# cd /opt
[root@h165 opt]# wget https://github.com/jumpserver/luna/releases/download/1.3.3/luna.tar.gz
--2018-07-22 18:16:49-- https://github.com/jumpserver/luna/releases/download/1.3.3/luna.tar.gz
正在解析主机 github.com (github.com)... 52.74.223.119, 13.229.188.59, 13.250.177.223
正在连接 github.com (github.com)|52.74.223.119|:443... 已连接。
已发出 HTTP 请求,正在等待回应... 302 Found
位置:https://github-production-release-asset-2e65be.s3.amazonaws.com/83748317/c44beea0-8b4f-11e8-8056-75da7b314d1f?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20180722%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20180722T181649Z&X-Amz-Expires=300&X-Amz-Signature=630ec697ea90ec5185482908192bef07ffe33d4e3430868db47b17c7ccf9f61b&X-Amz-SignedHeaders=host&actor_id=0&response-content-disposition=attachment%3B%20filename%3Dluna.tar.gz&response-content-type=application%2Foctet-stream [跟随至新的 URL]
--2018-07-22 18:16:50-- https://github-production-release-asset-2e65be.s3.amazonaws.com/83748317/c44beea0-8b4f-11e8-8056-75da7b314d1f?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20180722%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20180722T181649Z&X-Amz-Expires=300&X-Amz-Signature=630ec697ea90ec5185482908192bef07ffe33d4e3430868db47b17c7ccf9f61b&X-Amz-SignedHeaders=host&actor_id=0&response-content-disposition=attachment%3B%20filename%3Dluna.tar.gz&response-content-type=application%2Foctet-stream
正在解析主机 github-production-release-asset-2e65be.s3.amazonaws.com (github-production-release-asset-2e65be.s3.amazonaws.com)... 54.231.97.232
正在连接 github-production-release-asset-2e65be.s3.amazonaws.com (github-production-release-asset-2e65be.s3.amazonaws.com)|54.231.97.232|:443... 已连接。
已发出 HTTP 请求,正在等待回应... 200 OK
长度:5335554 (5.1M) [application/octet-stream]
正在保存至: “luna.tar.gz”
luna/theme/default/
luna/theme/default/layer.css
[root@h165 opt]# chown -R root:root luna
[root@h165 opt]#
[root@h165 opt]# yum -y install nginx
Complete!
[root@h165 opt]#
[root@h165 ~]# vi /etc/nginx/nginx.conf
[root@h165 ~]# nginx -t -c /etc/nginx/nginx.conf
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[root@h165 ~]# cat /etc/nginx/nginx.conf
# For more information on configuration, see:
# * Official English Documentation: http://nginx.org/en/docs/
# * Official Russian Documentation: http://nginx.org/ru/docs/
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
# Load dynamic modules. See /usr/share/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;
events {
worker_connections 1024;
}
http {
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
include /etc/nginx/mime.types;
default_type application/octet-stream;
# Load modular configuration files from the /etc/nginx/conf.d directory.
# See http://nginx.org/en/docs/ngx_core_module.html#include
# for more information.
include /etc/nginx/conf.d/*.conf;
server {
listen 80; # 代理端口,以后将通过此端口进行访问,不再通过8080端口
location /luna/ {
try_files $uri / /index.html;
alias /opt/luna/; # luna 路径,如果修改安装目录,此处需要修改
}
location /media/ {
add_header Content-Encoding gzip;
root /opt/jumpserver/data/; # 录像位置,如果修改安装目录,此处需要修改
}
location /static/ {
root /opt/jumpserver/data/; # 静态资源,如果修改安装目录,此处需要修改
}
location /socket.io/ {
proxy_pass http://localhost:5000/socket.io/; # 如果coco安装在别的服务器,请填写它的ip
proxy_buffering off;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
access_log off;
}
location /guacamole/ {
proxy_pass http://localhost:8081/; # 如果guacamole安装在别的服务器,请填写它的ip
proxy_buffering off;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $http_connection;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
access_log off;
client_max_body_size 100m; # Windows 文件上传大小限制
}
location / {
proxy_pass http://localhost:8080; # 如果jumpserver安装在别的服务器,请填写它的ip
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
# Settings for a TLS enabled server.
#
# server {
# listen 443 ssl http2 default_server;
# listen [::]:443 ssl http2 default_server;
# server_name _;
# root /usr/share/nginx/html;
#
# ssl_certificate "/etc/pki/nginx/server.crt";
# ssl_certificate_key "/etc/pki/nginx/private/server.key";
# ssl_session_cache shared:SSL:1m;
# ssl_session_timeout 10m;
# ssl_ciphers HIGH:!aNULL:!MD5;
# ssl_prefer_server_ciphers on;
#
# # Load configuration files for the default server block.
# include /etc/nginx/default.d/*.conf;
#
# location / {
# }
#
# error_page 404 /404.html;
# location = /40x.html {
# }
#
# error_page 500 502 503 504 /50x.html;
# location = /50x.html {
# }
# }
}
[root@h165 ~]#
[root@h165 ~]# systemctl start nginx
[root@h165 ~]# systemctl enable nginx
Created symlink from /etc/systemd/system/multi-user.target.wants/nginx.service to /usr/lib/systemd/system/nginx.service.
[root@h165 ~]# systemctl status nginx
● nginx.service - The nginx HTTP and reverse proxy server
Loaded: loaded (/usr/lib/systemd/system/nginx.service; enabled; vendor preset: disabled)
Active: active (running) since 日 2018-07-22 18:27:24 UTC; 9s ago
Main PID: 23715 (nginx)
CGroup: /system.slice/nginx.service
├─23715 nginx: master process /usr/sbin/nginx
├─23716 nginx: worker process
├─23717 nginx: worker process
├─23718 nginx: worker process
└─23719 nginx: worker process
7月 22 18:27:24 h165 systemd[1]: Starting The nginx HTTP and reverse proxy.....
7月 22 18:27:24 h165 nginx[23710]: nginx: the configuration file /etc/ngin...ok
7月 22 18:27:24 h165 nginx[23710]: nginx: configuration file /etc/nginx/ng...ul
7月 22 18:27:24 h165 systemd[1]: Started The nginx HTTP and reverse proxy ...r.
Hint: Some lines were ellipsized, use -l to show in full.
[root@h165 ~]#
...
...
...
2018-07-22 18:36:09 [service INFO] "Terminal was not accepted yet"
2018-07-22 18:36:12 [service INFO] "Terminal was not accepted yet"
2018-07-22 18:36:15 [service INFO] "Terminal was not accepted yet"
2018-07-22 18:36:18 [service DEBUG] Set app service auth: cd39df5d-a40b-4d8c-bd4c-f5617bbaa5e2
2018-07-22 18:36:18 [service DEBUG] Service http auth: <jms.auth.AccessKeyAuth object at 0x7fdf3c677cf8>
2018-07-22 18:36:18 [app DEBUG] Loading config from server: {"COMMAND_STORAGE": {"TYPE": "server"}, "REPLAY_STORAGE": {"TYPE": "server"}}
Sun Jul 22 18:36:18 2018
Coco version 1.3.3, more see https://www.jumpserver.org
Quit the server with CONTROL-C.
Starting ssh server at 0.0.0.0:2222
Starting websocket server at 0.0.0.0:5000
...
...
...
[vagrant@h105 ~]$ ssh -p2222 admin@192.168.56.165
admin@192.168.56.165's password:
...
...
...
默认密码为 admin/admin
Administrator, 欢迎使用Jumpserver开源跳板机系统
1) 输入 ID 直接登录 或 输入部分 IP,主机名,备注 进行搜索登录(如果唯一).
2) 输入 / + IP, 主机名 or 备注 搜索. 如: /ip
3) 输入 p 显示您有权限的主机.
4) 输入 g 显示您有权限的节点
5) 输入 g + 组ID 显示节点下主机. 如: g1
6) 输入 h 帮助.
0) 输入 q 退出.
Opt>
密码输入正确后,就有相应的登录界面了
[root@h165 ~]# yum remove docker-latest-logrotate docker-logrotate docker-selinux dockdocker-engine
Loaded plugins: fastestmirror
No Match for argument: docker-latest-logrotate
No Match for argument: docker-logrotate
No Match for argument: docker-selinux
No Match for argument: dockdocker-engine
No Packages marked for removal
[root@h165 ~]# yum install -y yum-utils device-mapper-persistent-data lvm2
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: mirror.pregi.net
* epel: mirror.pregi.net
* extras: mirror.pregi.net
* updates: mirror.pregi.net
Package yum-utils-1.1.31-45.el7.noarch already installed and latest version
Package device-mapper-persistent-data-0.7.3-3.el7.x86_64 already installed and latest version
Package 7:lvm2-2.02.177-4.el7.x86_64 already installed and latest version
Nothing to do
[root@h165 ~]# yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
Loaded plugins: fastestmirror
adding repo from: https://download.docker.com/linux/centos/docker-ce.repo
grabbing file https://download.docker.com/linux/centos/docker-ce.repo to /etc/yum.repos.d/docker-ce.repo
repo saved to /etc/yum.repos.d/docker-ce.repo
[root@h165 ~]# yum makecache fast
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
epel/x86_64/metalink | 6.1 kB 00:00
* base: mirror.pregi.net
* epel: mirror.pregi.net
* extras: mirror.pregi.net
* updates: mirror.pregi.net
base | 3.6 kB 00:00
docker-ce-stable | 2.9 kB 00:00
extras | 3.4 kB 00:00
updates | 3.4 kB 00:00
docker-ce-stable/x86_64/primary_db | 14 kB 00:00
Metadata Cache Created
[root@h165 ~]# yum install docker-ce
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: mirror.pregi.net
Complete!
[root@h165 ~]# echo $?
0
[root@h165 ~]#
[root@h165 ~]# systemctl start docker
[root@h165 ~]# systemctl status docker
● docker.service - Docker Application Container Engine
Loaded: loaded (/usr/lib/systemd/system/docker.service; disabled; vendor preset: disabled)
Active: active (running) since 日 2018-07-22 18:58:56 UTC; 4s ago
Docs: https://docs.docker.com
Main PID: 24622 (dockerd)
Tasks: 26
Memory: 46.6M
CGroup: /system.slice/docker.service
├─24622 /usr/bin/dockerd
└─24630 docker-containerd --config /var/run/docker/containerd/cont...
7月 22 18:58:56 h165 dockerd[24622]: time="2018-07-22T18:58:56.421854451Z"...pc
7月 22 18:58:56 h165 dockerd[24622]: time="2018-07-22T18:58:56.421897175Z"...pc
7月 22 18:58:56 h165 dockerd[24622]: time="2018-07-22T18:58:56.423786369Z"...pc
7月 22 18:58:56 h165 dockerd[24622]: time="2018-07-22T18:58:56.423851725Z"...."
7月 22 18:58:56 h165 dockerd[24622]: time="2018-07-22T18:58:56.574771896Z"...s"
7月 22 18:58:56 h165 dockerd[24622]: time="2018-07-22T18:58:56.623893983Z"...."
7月 22 18:58:56 h165 dockerd[24622]: time="2018-07-22T18:58:56.643650687Z"...ce
7月 22 18:58:56 h165 dockerd[24622]: time="2018-07-22T18:58:56.644194232Z"...n"
7月 22 18:58:56 h165 dockerd[24622]: time="2018-07-22T18:58:56.663163741Z"...k"
7月 22 18:58:56 h165 systemd[1]: Started Docker Application Container Engine.
Hint: Some lines were ellipsized, use -l to show in full.
[root@h165 ~]#
[root@h165 ~]# docker run --name jms_guacamole -d -p 8081:8080 -v /opt/guacamole/key:/config/guacamole/key -e JUMPSERVER_KEY_DIR=/config/guacamole/key -e JUMPSERVER_SERVER=http://127.0.0.1:8080 registry.jumpserver.org/public/guacamole:latest
Unable to find image 'registry.jumpserver.org/public/guacamole:latest' locally
latest: Pulling from public/guacamole
723254a2c089: Downloading 458.2kB/45.12MB
abe15a44e12f: Downloading 458.2kB/11.11MB
409a28e3cc3d: Downloading 392.7kB/4.335MB
a9511c68044a: Waiting
9d1b16e30bc8: Waiting
0fc5a09c9242: Waiting
d34976006493: Waiting
3b70003f0c10: Waiting
bc7887582e2e: Waiting
d2ab4f165865: Waiting
3882b23577d6: Waiting
9f8b758ebfa6: Waiting
ef5d2d838878: Waiting
310fa32446d6: Waiting
a23204f32cd2: Waiting
f3cba08c8ef8: Waiting
59073672f2e3: Waiting
86d50039bf5c: Waiting
7041bb4312f0: Waiting
4a7a284e984f: Waiting
2da6caf16c59: Waiting
c41fb67653ac: Waiting
1a457b98f2f8: Waiting
...
...
...
这个过程有些慢长
完成后,遵循 coco 一样的方法,在 jumpserver 中接受注册
总体来将 jumpserver 涉及的组件有点多
这些组件拼凑起来一起协同完成管理任务
所以要整体是否运行正常要考虑以下几个服务
这几个组件的用途这里作一个简要的说明
端口说明
本文系转载,前往查看
如有侵权,请联系 cloudcommunity@tencent.com 删除。
本文系转载,前往查看
如有侵权,请联系 cloudcommunity@tencent.com 删除。