Learning to install and deploy Jumpserver (Part 1): CentOS 7 environment

Jumpserver deployment (CentOS 7 environment)

1. Jumpserver overview

Jumpserver is the world's first fully open-source bastion host (jump server). It is released under the GNU GPL v2.0 license and is a professional operations audit system that meets the 4A requirements.

Jumpserver is developed in Python / Django, follows Web 2.0 conventions, and ships with an industry-leading Web Terminal solution that has a clean interface and a good user experience.

Jumpserver adopts a distributed architecture and supports deployment across multiple data centers and regions: the central node provides the API, each data center deploys its own login nodes, and the system scales horizontally with no limit on concurrent access.

Components:
Jumpserver
Now refers to the Jumpserver management backend, the core component (Core). It is developed in the Django Class Based View style and provides a RESTful API.

Coco
The component that implements the SSH Server and the Web Terminal Server; it provides SSH and WebSocket interfaces and is developed with Paramiko and Flask.

Luna
Now the Web Terminal frontend. The plan is for all frontend pages to be provided by this project, with Jumpserver providing only the API and no longer rendering HTML on the backend.

2. Environment preparation

Environment:

Role                 IP
jumpserver           192.168.2.5
web server (asset)   192.168.2.6

Steps:

① Disable the firewall and SELinux
[root@localhost ~]# sed -i '/SELINUX/s/enforcing/disabled/g' /etc/sysconfig/selinux
[root@localhost ~]# systemctl disable firewalld && reboot

② Change the locale; otherwise you may hit an input/output error, because the logs print Chinese characters
[root@localhost ~]# localedef -c -f UTF-8 -i zh_CN zh_CN.UTF-8
[root@localhost ~]# export LC_ALL=zh_CN.UTF-8
[root@localhost ~]# echo 'LANG="zh_CN.UTF-8"' > /etc/locale.conf

③ Prepare Python 3 and a Python virtual environment
[root@localhost ~]# yum -y install wget sqlite-devel xz gcc automake zlib-devel openssl-devel epel-release git
[root@localhost ~]# wget https://www.python.org/ftp/python/3.6.1/Python-3.6.1.tar.xz
[root@localhost ~]# mv Python-3.6.1.tar.xz /usr/src && cd /usr/src/ && tar xvf Python-3.6.1.tar.xz && cd Python-3.6.1
[root@localhost Python-3.6.1]# ./configure && make && make install

④ Create the virtual environment
[root@localhost Python-3.6.1]# cd /opt/
[root@localhost opt]# python3 -m venv py3
[root@localhost opt]# . /opt/py3/bin/activate
(py3) [root@localhost opt]#
Seeing the prompt below means the environment is active. From now on, run the source command above before running Jumpserver; all commands below are run inside this virtual environment.
(py3) [root@localhost py3]

⑤ Load the virtual environment automatically
(py3) [root@localhost opt]# git clone git://github.com/kennethreitz/autoenv.git ~/.autoenv
(py3) [root@localhost opt]# echo 'source ~/.autoenv/activate.sh' >> ~/.bashrc
(py3) [root@localhost opt]# source ~/.bashrc

3. Install Jumpserver

Steps:

① Clone the project
(py3) [root@localhost ~]# cd /opt/
(py3) [root@localhost opt]# git clone --depth=1 https://github.com/jumpserver/jumpserver.git && cd jumpserver && git checkout master
(py3) [root@localhost jumpserver]# echo "source /opt/py3/bin/activate" > /opt/jumpserver/.env

② Install dependencies
(py3) [root@localhost jumpserver]# cd requirements/
The first time you enter the jumpserver directory, autoenv may prompt you; just answer y.
(py3) [root@localhost requirements]# yum -y install $(cat rpm_requirements.txt)
(py3) [root@localhost requirements]# pip install -r requirements.txt

③ Install Redis; Jumpserver uses Redis as its cache and as the Celery broker (Celery is a Python distributed task queue)
(py3) [root@localhost ~]# yum -y install redis
(py3) [root@localhost ~]# systemctl start redis

④ Install MySQL (MariaDB)
(py3) [root@localhost ~]# yum -y install mariadb*
(py3) [root@localhost ~]# systemctl start mariadb
(py3) [root@localhost ~]# systemctl enable mariadb

⑤ Grant database privileges to jumpserver
(py3) [root@localhost ~]# mysql
MariaDB [(none)]> create database jumpserver default charset 'utf8';
MariaDB [(none)]> grant all on jumpserver.* to jumpserver@'127.0.0.1' identified by '123.com';
MariaDB [(none)]> flush privileges;

⑥ Edit the jumpserver configuration file
(py3) [root@localhost ~]# cd /opt/jumpserver/
(py3) [root@localhost jumpserver]# cp config_example.py config.py
(py3) [root@localhost jumpserver]# vi config.py

......    # remove the `pass` under this class and add the following
class DevelopmentConfig(Config):
    DEBUG = True
    DB_ENGINE = 'mysql'
    DB_HOST = '127.0.0.1'
    DB_PORT = 3306
    DB_USER = 'jumpserver'
    DB_PASSWORD = '123.com'
    DB_NAME = 'jumpserver'
......
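As an added pre-flight check (not part of the original post or of Jumpserver's own code), the script below audits the settings shown above before `./jms start` is run: DEBUG left on means Django serves detailed error pages to anyone who reaches port 8080, and the tutorial's database password is a placeholder. The sample class is constructed to mirror the tutorial values, and the placeholder-password list is an assumption.

```python
import re

# Constructed sample class mirroring the DevelopmentConfig values shown in the tutorial.
class DevelopmentConfig:
    DEBUG = True
    DB_ENGINE = 'mysql'
    DB_HOST = '127.0.0.1'
    DB_PORT = 3306
    DB_USER = 'jumpserver'
    DB_PASSWORD = '123.com'
    DB_NAME = 'jumpserver'

# Passwords that tutorials and example files commonly leave behind (assumed list; extend as needed).
PLACEHOLDER_PASSWORDS = {'', '123.com', 'password', 'jumpserver', 'admin', 'root'}
LOOPBACK_HOSTS = {'127.0.0.1', 'localhost', '::1'}

def audit_config(cfg):
    """Return (severity, message) findings for a Jumpserver-style config class."""
    findings = []
    if getattr(cfg, 'DEBUG', False):
        findings.append(('high', 'DEBUG is True: Django serves detailed error pages '
                                 'with stack traces to any client reaching port 8080'))
    pw = getattr(cfg, 'DB_PASSWORD', '')
    if pw in PLACEHOLDER_PASSWORDS:
        findings.append(('high', 'DB_PASSWORD is a placeholder value from a tutorial'))
    elif len(pw) < 12 or not (re.search(r'[A-Za-z]', pw) and re.search(r'\d', pw)):
        findings.append(('medium', 'DB_PASSWORD is shorter than 12 characters or lacks a letter/digit mix'))
    if getattr(cfg, 'DB_HOST', '') not in LOOPBACK_HOSTS:
        findings.append(('medium', "DB_HOST is not loopback: the grant in step 5 only allows "
                                   "jumpserver@'127.0.0.1', so this needs its own host-restricted grant"))
    return findings

def is_production_ready(cfg):
    """True when the audit raises no high-severity finding."""
    return not any(sev == 'high' for sev, _ in audit_config(cfg))

def with_overrides(cfg, **overrides):
    """Build a subclass of cfg with some attributes replaced (handy for checking a fix)."""
    return type(cfg.__name__ + 'Override', (cfg,), overrides)

if __name__ == '__main__':
    for sev, msg in audit_config(DevelopmentConfig):
        print(f'[{sev}] {msg}')
```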

⑦ Generate the database schema and the initialization data
(py3) [root@localhost jumpserver]# cd /opt/jumpserver/utils/
(py3) [root@localhost utils]# bash make_migrations.sh

⑧ Run jumpserver
(py3) [root@localhost utils]# cd /opt/jumpserver/
(py3) [root@localhost jumpserver]# ./jms start all

./jms start|stop|status|restart all

To run it in the background, add the -d option.
If it reports an error, stop it and run it again.

If there are no errors, open http://192.168.2.5:8080 in a browser. The default account is admin, password admin.
4. Install the SSH server and WebSocket server: Coco

Steps:

① Clone the project (open a new terminal and don't forget to activate the virtual environment)
[root@localhost ~]# cd /opt/
[root@localhost opt]# . py3/bin/activate
(py3) [root@localhost opt]# git clone https://github.com/jumpserver/coco.git && cd coco && git checkout master

(py3) [root@localhost coco]# echo "source /opt/py3/bin/activate" > /opt/coco/.env

② Install dependencies
(py3) [root@localhost coco]# cd /opt/coco/requirements/
On first entry, answer y to the autoenv prompt.
(py3) [root@localhost requirements]# yum -y install $(cat rpm_requirements.txt)
(py3) [root@localhost requirements]# pip install -r requirements.txt -i https://pypi.org/simple

③ Check the configuration file and run coco
(py3) [root@localhost requirements]# cd /opt/coco/
(py3) [root@localhost coco]# cp conf_example.py conf.py
(py3) [root@localhost coco]# ./cocod start

./cocod start|stop|status|restart

Start coco process
2018-05-28 16:14:25 [service DEBUG] Initial app service
2018-05-28 16:14:25 [service DEBUG] Load access key
2018-05-28 16:14:25 [service INFO] No access key found, register it
2018-05-28 16:14:25 [service INFO] "Terminal was not accepted yet"
2018-05-28 16:14:28 [service INFO] "Terminal was not accepted yet"

The message says the terminal has not been accepted yet; go to http://192.168.2.5:8080/terminal/terminal to accept it.

5. Install the web terminal frontend: Luna

(Open a new terminal.) Luna is now a pure frontend and needs an Nginx proxy in front of it to be accessed.
[root@localhost ~]# cd /opt/
[root@localhost opt]# wget https://github.com/jumpserver/luna/releases/download/1.3.0/dist.tar.gz
[root@localhost opt]# tar zxf dist.tar.gz
[root@localhost opt]# mv dist luna
[root@localhost opt]# ls /opt/luna/

.....

6. Configure Nginx to integrate the components

Steps:

① Download the source and install
[root@localhost opt]# useradd -s /sbin/nologin www
[root@localhost opt]# wget http://nginx.org/download/nginx-1.14.0.tar.gz
[root@localhost opt]# tar zxf nginx-1.14.0.tar.gz && cd nginx-1.14.0
[root@localhost nginx-1.14.0]# ./configure --prefix=/usr/local/nginx --user=www --group=www --with-http_stub_status_module --with-http_realip_module --with-http_ssl_module --with-http_gzip_static_module --with-pcre --with-http_flv_module
[root@localhost nginx-1.14.0]# make && make install
[root@localhost nginx-1.14.0]# ln -s /usr/local/nginx/sbin/nginx /usr/local/sbin/
[root@localhost nginx-1.14.0]# cd /usr/local/nginx/conf/ && vim nginx.conf

② Edit the configuration file

http {
.....     # the rest of the http context is omitted; change the server block to the following
server {
    listen 80;

    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    location /luna/ {
        try_files $uri / /index.html;
        alias /opt/luna/;
    }

    location /media/ {
        add_header Content-Encoding gzip;
        root /opt/jumpserver/data/;
    }

    location /static/ {
        root /opt/jumpserver/data/;
    }

    location /socket.io/ {
        proxy_pass       http://localhost:5000/socket.io/;  # if coco is installed on another server, use its IP
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
    location / {
        proxy_pass http://localhost:8080;  # if jumpserver is installed on another server, use its IP
    }
}
}

[root@localhost conf]# nginx -t #start only after the config test passes
[root@localhost conf]# nginx

③ Confirm the services are running, then start using jumpserver
[root@localhost conf]# cd /opt/jumpserver/
(py3) [root@localhost jumpserver]# ./jms status

gunicorn is running: 33734
celery is running: 33627
beat is running: 33629

(py3) [root@localhost jumpserver]# cd ../coco/
(py3) [root@localhost coco]# ./cocod status

Coco is running: 57935

Visit http://192.168.2.5
Default account admin, password admin

7. Test the connection

From the asset server, or from a macOS or Linux client, the login syntax is:
$ ssh -p2222 admin@192.168.2.5
$ sftp -P2222 admin@192.168.2.5
Password: admin

If the client is Windows, the Xshell Terminal login syntax is:
$ ssh admin@192.168.2.5 2222
$ sftp admin@192.168.2.5 2222
Password: admin
If you can log in, the deployment succeeded.

By default, sftp uploads land in the asset's /tmp directory.

Special thanks to Jumpserver for being open source; this article is translated from the official documentation:
http://docs.jumpserver.org/zh…

Detailed usage will be covered in the next document.

    Original author: 汀云社
    Original URL: https://segmentfault.com/a/1190000015086911
    This article is reposted from the web and shared only to spread knowledge; if it infringes your rights, please contact the blog owner to have it removed.