
部署jumpserver-v2.16.3

发布时间:2022/1/17 12:49:35

部署jumpserver-v2.16.3版本

  • 系统环境
  • 系统版本:CentOS Linux release 7.6.1810 (Core)
  • Python: Python 3.6.8
  • Docker:Docker version 20.10.11, build dea9396
  • 数据库:10.4.22-MariaDB
  • nginx: nginx version: nginx/1.20.1
  • jumpserver-v2.16.3
  • redis: 5.0.14

说明:jumpserver包官方地址为:https://github.com/jumpserver/jumpserver

安装python3环境

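# Build dependencies for compiling CPython 3.6 from source.
# (The original list named zlib-devel twice; the duplicate is dropped.)
yum install -y wget zlib zlib-devel bzip2-devel openssl-devel ncurses-devel sqlite-devel readline-devel tk-devel gcc make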

配置国内pip镜像加速

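# Point pip at a domestic mirror. Written non-interactively (the original opened
# vim) and with mkdir -p so the step is repeatable when ~/.pip already exists.
mkdir -p ~/.pip
cat > ~/.pip/pip.conf <<'EOF'
[global]
index-url = https://mirrors.aliyun.com/pypi/simple/

[install]
trusted-host=mirrors.aliyun.com
EOF
# trusted-host makes pip accept this host even when its HTTPS certificate does not
# validate. The index above is already https, so the line only weakens TLS checking
# and can be removed if the mirror's certificate is trusted by the system.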

下载安装包

# Fetch the CPython source tarball into /opt.
# python.org publishes a detached GPG signature for each release tarball;
# checking it before building is the usual supply-chain precaution.
python_url='https://www.python.org/ftp/python/3.6.8/Python-3.6.8.tar.xz'
cd /opt/
wget "$python_url"

解压编译Python包,在opt目录下进行解压

# Unpack and build CPython; with no PREFIX given, make install places the
# interpreter under /usr/local, leaving the system python2 untouched.
tar -xf Python-3.6.8.tar.xz
cd Python-3.6.8
./configure \
  && make -j 4 \
  && make install

建立python3虚拟环境

因为 CentOS 6/7 自带的是 Python2,而 yum 等工具依赖原来的 Python,为了不扰乱原来的环境我们来使用 Python 虚拟环境

# Create the isolated interpreter (/opt/py3) used for every JumpServer step below.
cd /opt && python3 -m venv py3
[root@i-ic6pktm9 opt]# source /opt/py3/bin/activate          #以后使用python3时都需要执行source /opt/py3/bin/activate命令
(py3) [root@i-ic6pktm9 opt]# pip -V
pip 18.1 from /opt/py3/lib/python3.6/site-packages/pip (python 3.6)
(py3) [root@i-ic6pktm9 opt]# python -V
Python 3.6.8

升级pip版本

(py3) [root@i-ic6pktm9 opt]# python -V
Python 3.6.8
(py3) [root@i-ic6pktm9 opt]#  pip install --upgrade pip
Looking in indexes: https://mirrors.aliyun.com/pypi/simple/
Collecting pip
  Downloading https://mirrors.aliyun.com/pypi/packages/a4/6d/6463d49a933f547439d6b5b98b46af8742cc03ae83543e4d7688c2420f8b/pip-21.3.1-py3-none-any.whl (1.7MB)
    100% |████████████████████████████████| 1.7MB 3.9MB/s 
Installing collected packages: pip
  Found existing installation: pip 18.1
    Uninstalling pip-18.1:
      Successfully uninstalled pip-18.1
Successfully installed pip-21.3.1
(py3) [root@i-ic6pktm9 opt]# pip -V
pip 21.3.1 from /opt/py3/lib/python3.6/site-packages/pip (python 3.6)

拉取jumpserver安装包

(py3) [root@kvm ~]# cd /opt/
(py3) [root@kvm opt]# yum -y install git
(py3) [root@kvm opt]# git clone  -b v2.16.3 --depth 1 https://github.com/jumpserver/jumpserver.git
(py3) [root@kvm opt]# cd jumpserver
(py3) [root@kvm opt]# wget https://download.jumpserver.org/files/GeoLite2-City.mmdb -O apps/common/utils/geoip/GeoLite2-City.mmdb

安装依赖rpm包

(py3) [root@kvm opt]# cd jumpserver/requirements/
(py3) [root@kvm requirements]# yum -y install $(cat rpm_requirements.txt)

安装python库依赖

(py3) [root@kvm requirements]# pip install -r requirements.txt

安装redis

规划安装目录

/data/soft  下载目录
/opt/redis_6379/{conf,logs,pid} 安装目录,日志目录,pid目录,配置目录
/data/redis_6379/  数据目录

安装命令

make install 默认安装路径为/usr/local/bin/;如需指定安装路径可加PREFIX=安装路径,例如:make install PREFIX=/usr/local/redis/

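# Download and build Redis from source; make install drops the binaries into /usr/local/bin.
redis_tarball=redis-5.0.14.tar.gz
mkdir -p /data/soft
cd /data/soft/
# Fetched over TLS instead of plain http so the archive cannot be altered in transit.
# Compare it with the SHA-256 published for this release before extracting it.
wget "https://download.redis.io/releases/${redis_tarball}"
tar -xzf "$redis_tarball" -C /opt/
cd /opt/
mv redis-5.0.14 redis
cd redis
make
make install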

编写配置文件

# Directory layout: conf/logs/pid under /opt, data under /data (see the plan above).
mkdir -p /opt/redis_6379/{conf,logs,pid} /data/redis_6379/
# Minimal config: daemonised, loopback only. No requirepass is configured, so the
# 127.0.0.1 bind is the only thing keeping this instance private to the host.
cat > /opt/redis_6379/conf/redis_6379.conf <<'EOF'
daemonize yes
bind 127.0.0.1
port 6379
pidfile /opt/redis_6379/pid/redis_6379.pid
logfile /opt/redis_6379/logs/redis_6379.log
EOF

启动命令

# Manual start with the config written above (daemonize yes backgrounds the process).
redis_conf=/opt/redis_6379/conf/redis_6379.conf
redis-server "$redis_conf"

检查端口是否启动

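# Confirm the daemon is up and that it listens on the loopback address only.
# pgrep replaces ps|grep (which also matches the grep process itself) and ss
# replaces netstat, which is not installed by default on CentOS 7.
pgrep -a redis
ss -tlnp | grep ':6379'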

测试连接redis

[root@kvm ~]# redis-cli 
127.0.0.1:6379> set foo bar
OK
127.0.0.1:6379> get foo
"bar"

关闭命令

# Stop the manually started instance (defaults: 127.0.0.1, port 6379).
redis-cli -h 127.0.0.1 -p 6379 shutdown

systemd启动配置

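# Run Redis under systemd as an unprivileged service account rather than root.
# The manually started instance must already be shut down, otherwise port 6379 is still taken.
useradd -r -s /sbin/nologin redis
# Files created by the earlier root-run start (log, pid) must belong to the service user.
chown -R redis:redis /opt/redis*
chown -R redis:redis /data/redis*
cat > /usr/lib/systemd/system/redis.service <<'EOF'
[Unit]
Description=Redis persistent key-value database
After=network.target
After=network-online.target
Wants=network-online.target

[Service]
ExecStart=/usr/local/bin/redis-server  /opt/redis_6379/conf/redis_6379.conf  --supervised systemd
ExecStop=/usr/local/bin/redis-cli shutdown
Type=notify
User=redis
Group=redis
RuntimeDirectory=redis
RuntimeDirectoryMode=0755

[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload
# The original only started the unit; enable it too so Redis comes back after a reboot.
systemctl enable --now redis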

安装并配置mysql数据库

(py3) [root@kvm requirements]# cat >/etc/yum.repos.d/MariaDB.repo<<EOF
# MariaDB 10.4 CentOS repository list - created 2019-11-05 11:56 UTC
# http://downloads.mariadb.org/mariadb/repositories/
[mariadb]
name = MariaDB
baseurl = https://mirrors.cloud.tencent.com/mariadb/yum/10.4/centos7-amd64
gpgkey=https://mirrors.cloud.tencent.com/mariadb/yum/RPM-GPG-KEY-MariaDB
gpgcheck=1
EOF
(py3) [root@kvm requirements]# yum  install mariadb mariadb-devel mariadb-server -y
(py3) [root@kvm requirements]# systemctl enable mariadb;systemctl start mariadb
(py3) [root@kvm requirements]# mysql
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 8
Server version: 10.4.22-MariaDB MariaDB Server

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> create database jumpserver default charset 'utf8';
Query OK, 1 row affected (0.000 sec)

MariaDB [(none)]> grant all on jumpserver.* to 'jumpserver'@'127.0.0.1' identified by '123456';
Query OK, 0 rows affected (0.001 sec)

MariaDB [(none)]> \q
Bye

修改jumpserver配置文件

(py3) [root@kvm requirements]# cd /opt/jumpserver/
(py3) [root@kvm jumpserver]# cp config_example.yml config.yml
(py3) [root@kvm jumpserver]# SECRET_KEY=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 50`
(py3) [root@kvm jumpserver]# echo "SECRET_KEY=$SECRET_KEY" >> ~/.bashrc
(py3) [root@kvm jumpserver]# BOOTSTRAP_TOKEN=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 16`
(py3) [root@kvm jumpserver]# echo "BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN" >> ~/.bashrc
(py3) [root@kvm jumpserver]# sed -i "s/SECRET_KEY:/SECRET_KEY: $SECRET_KEY/g" /opt/jumpserver/config.yml
(py3) [root@kvm jumpserver]# sed -i "s/BOOTSTRAP_TOKEN:/BOOTSTRAP_TOKEN: $BOOTSTRAP_TOKEN/g" /opt/jumpserver/config.yml 
(py3) [root@kvm jumpserver]# sed -i "s/# DEBUG: true/DEBUG: false/g" /opt/jumpserver/config.yml 
(py3) [root@kvm jumpserver]# sed -i "s/# LOG_LEVEL: DEBUG/LOG_LEVEL: ERROR/g" /opt/jumpserver/config.yml 
(py3) [root@kvm jumpserver]# sed -i "s/# SESSION_EXPIRE_AT_BROWSER_CLOSE: false/SESSION_EXPIRE_AT_BROWSER_CLOSE: true/g" /opt/jumpserver/config.yml 
(py3) [root@kvm jumpserver]# sed -i "s/DB_PASSWORD: /DB_PASSWORD: \'123456\'/g" /opt/jumpserver/config.yml 

image-20211208133813321

处理国际化

(py3) [root@kvm jumpserver]# rm -f apps/locale/zh/LC_MESSAGES/django.mo
(py3) [root@kvm jumpserver]# python apps/manage.py compilemessages

运行jumpserver

(py3) [root@kvm jumpserver]# ./jms start all -d

image-20211208113945464

浏览器访问:http://192.168.201.139:8080

看到页面访问不正常,是由于Debug 配置了false,此处不用理会,后续使用nginx代理访问

image-20211208113954372

安装koko组件

(py3) [root@kvm jumpserver]# cd /opt/
(py3) [root@kvm opt]# wget https://github.com/jumpserver/koko/releases/download/v2.16.3/koko-v2.16.3-linux-amd64.tar.gz
(py3) [root@kvm opt]# tar -xf koko-v2.16.3-linux-amd64.tar.gz
(py3) [root@kvm opt]# mv koko-v2.16.3-linux-amd64 koko
(py3) [root@kvm opt]# chown -R root:root koko
(py3) [root@kvm opt]# cd koko
(py3) [root@kvm koko]# cp config_example.yml config.yml

修改配置文件

(py3) [root@kvm koko]# TOKEN=`awk '/BOOTSTRAP_TOKEN/ {print $2}' /opt/jumpserver/config.yml`
(py3) [root@kvm koko]# sed -i " s/BOOTSTRAP_TOKEN: .*/BOOTSTRAP_TOKEN: ${TOKEN}/" config.yml

启动koko

(py3) [root@kvm koko]# ./koko -d
(py3) [root@kvm koko]# netstat -tlunp |grep koko
tcp6       0      0 :::5000                 :::*                    LISTEN      10383/./koko        
tcp6       0      0 :::2222                 :::*                    LISTEN      10383/./koko        

部署guacamole

docker方式部署

Guacamole 是基于 HTML 5 和 JavaScript 的 VNC 查看器,建议使用 Docker 部署 Guacamole 组件,部分环境可能无法正常编译安装

安装docker

一,确保没有安装docker,使用以下命令移除docker

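# Remove any previously installed docker packages. The pattern is quoted so the
# shell passes it to yum verbatim instead of expanding it against files in the cwd.
yum remove -y 'docker*'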

二,安装docker需要使用的依赖

# yum-utils provides yum-config-manager, used below to add the docker repo.
yum -y install yum-utils

三,下载国内镜像加速docker,repo源

# Register the (domestic mirror of the) docker-ce repository.
docker_repo='https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo'
yum-config-manager --add-repo "$docker_repo"

四,安装docker

# Engine, CLI and container runtime from the repo added above.
yum -y install docker-ce docker-ce-cli containerd.io

五,启动docker并设为开机自启

[root@kvm ~]# systemctl start docker
[root@kvm ~]# systemctl enable docker

配置国内镜像加速

[root@kvm ~]# sudo tee /etc/docker/daemon.json <<-'EOF'
{
   "registry-mirrors": ["https://1me84w5g.mirror.aliyuncs.com"]
}
EOF
[root@kvm ~]# systemctl daemon-reload && systemctl restart docker

安装示例

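# Template (values in <> are placeholders). The line continuations were missing in
# the original paste, which would have turned the six lines into six separate commands.
docker run --name jms_guacamole -d \
  -p 127.0.0.1:8081:8080 \
  -e JUMPSERVER_SERVER=http://<Jumpserver_url> \
  -e BOOTSTRAP_TOKEN=<g8N451h8LANTeREJ> \
  -e GUACAMOLE_LOG_LEVEL=ERROR \
  jumpserver/jms_guacamole:<Tag>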
<Jumpserver_url> 为 JumpServer 的 url 地址, BOOTSTRAP_TOKEN 需要从 jumpserver/config.yml 里面获取, 保证一致, <Tag> 是版本

docker安装运行guacamole

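# Guacamole is only reached through the nginx proxy on this host (proxy_pass to
# localhost:8081), so the port is published on 127.0.0.1 as in the template rather
# than 0.0.0.0. Docker's published-port rules are inserted ahead of the host
# firewall rules, so an all-interfaces publish would expose the container directly.
# The token is read from config.yml (the same way koko's is) instead of being pasted,
# which keeps the two copies from drifting apart.
guac_token=$(awk '/BOOTSTRAP_TOKEN/ {print $2}' /opt/jumpserver/config.yml)
docker run --name jms_guacamole -d \
  -p 127.0.0.1:8081:8080 \
  -e JUMPSERVER_SERVER=http://192.168.201.139:8080 \
  -e "BOOTSTRAP_TOKEN=${guac_token}" \
  -e GUACAMOLE_LOG_LEVEL=ERROR \
  jumpserver/jms_guacamole:v2.16.3
# Tag pinned to the same release as core, koko, lina and luna instead of :latest.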

部署lina和luna组件

我nginx用root启动的,所以赋权root

部署luna

(py3) [root@kvm koko]# cd /opt/
(py3) [root@kvm opt]# wget https://github.com/jumpserver/luna/releases/download/v2.16.3/luna-v2.16.3.tar.gz
(py3) [root@kvm opt]# tar -xf luna-v2.16.3.tar.gz 
(py3) [root@kvm opt]# mv luna-v2.16.3 luna
(py3) [root@kvm opt]# chown -R root:root luna

lina部署

(py3) [root@kvm opt]# cd /opt/
(py3) [root@kvm opt]# wget https://github.com/jumpserver/lina/releases/download/v2.16.3/lina-v2.16.3.tar.gz
(py3) [root@kvm opt]# tar -xf lina-v2.16.3.tar.gz 
(py3) [root@kvm opt]# mv lina-v2.16.3 lina
(py3) [root@kvm opt]# chown -R root:root lina

配置nginx

(py3) [root@kvm opt]# yum -y install epel-release
(py3) [root@kvm opt]# yum -y install nginx
(py3) [root@kvm opt]# vim /etc/nginx/conf.d/jumpserver.conf
server {
    listen 80;  # plain HTTP only; add a TLS listener before exposing this beyond a lab network
    client_max_body_size 100m;  # upload limit for session recordings and file transfers
    location /ui/ {
        try_files $uri / /index.html;
        alias /opt/lina/;  # lina (web UI) install path
    }

    location /luna/ {
        try_files $uri / /index.html;
        alias /opt/luna/;  # luna path; change this if the install directory is moved
    }

    location /media/ {
        add_header Content-Encoding gzip;
        root /opt/jumpserver/data/;  # recordings; change this if the install directory is moved
    }
    location /static/ {
        root /opt/jumpserver/data/;  # static assets; change this if the install directory is moved
    }

    # koko (web terminal) on the loopback port it listens on (5000).
    location /koko/ {
        proxy_pass       http://localhost:5000;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    # guacamole container, published on host port 8081 by docker run.
    location /guacamole/ {
        proxy_pass       http://localhost:8081/;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    # Websocket upgrade to port 8070 -- presumably the core websocket listener; not shown elsewhere in this guide.
    location /ws/ {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://localhost:8070;
        proxy_http_version 1.1;
        proxy_buffering off;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
    
    # core API/app on the ./jms port (8080); browsers should reach it only via this proxy.
    location /api/ {
        proxy_pass http://localhost:8080;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    location /core/ {
        proxy_pass http://localhost:8080;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    # Everything else is served by the lina single-page app.
    location / {
        rewrite ^/(.*)$ /ui/$1 last;
    }
}
(py3) [root@kvm opt]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
(py3) [root@kvm opt]# systemctl start nginx && systemctl enable nginx

浏览器访问http://192.168.201.139 用户名:admin 密码:admin,不要使用8080访问;首次登录后应立即修改默认密码。

image-20211208124226810

image-20211208124327438

测试ssh连接

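# ssh takes the port via -p; a bare trailing "2222" would be sent to the
# server as a remote command instead of selecting koko's ssh port.
ssh -p 2222 admin@192.168.201.139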

image-20211208124443488
