Jumpserver Deployment (CentOS 7 environment)

1. Jumpserver overview

Jumpserver is the world's first fully open-source bastion host. It is released under the GNU GPLv2.0 license and is a professional operations-audit system that conforms to the 4A model.

Jumpserver is developed in Python/Django, follows Web 2.0 conventions, and ships with an industry-leading Web Terminal solution; the interface is clean and the user experience is good.

Jumpserver uses a distributed architecture and supports multi-datacenter, cross-region deployment: the central node provides the API, each datacenter deploys its own login nodes, the system scales horizontally, and there is no limit on concurrent access.

Component description:
Jumpserver now refers to the Jumpserver management backend, the core component (Core). It is written in the Django Class Based View style and exposes a RESTful API.
Coco is the component that implements the SSH Server and Web Terminal Server. It provides the SSH and WebSocket interfaces and is built on Paramiko and Flask.
Luna is now the frontend of the Web Terminal. The plan is for this project to provide all frontend pages; Jumpserver itself will only provide the API and will no longer render HTML on the backend.

① Disable the firewall and SELinux
[root@localhost ~]# sed -i '/SELINUX/s/enforcing/disabled/g' /etc/sysconfig/selinux
[root@localhost ~]# systemctl disable firewalld && reboot

② Change the character set; otherwise you may hit an input/output error, because the logs print Chinese
[root@localhost ~]# localedef -c -f UTF-8 -i zh_CN zh_CN.UTF-8
[root@localhost ~]# export LC_ALL=zh_CN.UTF-8
[root@localhost ~]# echo 'LANG="zh_CN.UTF-8"' > /etc/locale.conf

③ Prepare Python 3 and a Python virtual environment
[root@localhost ~]# yum -y install wget sqlite-devel xz gcc automake zlib-devel openssl-devel epel-release git
[root@localhost ~]# wget https://www.python.org/ftp/python/3.6.1/Python-3.6.1.tar.xz
[root@localhost ~]# mv Python-3.6.1.tar.xz /usr/src && cd /usr/src/ && tar xvf Python-3.6.1.tar.xz && cd Python-3.6.1
[root@localhost Python-3.6.1]# ./configure && make && make install

④ Set up the environment
[root@localhost Python-3.6.1]# cd /opt/
[root@localhost opt]# python3 -m venv py3
[root@localhost opt]# . /opt/py3/bin/activate
(py3) [root@localhost opt]#
Seeing the prompt below means it worked. In future you must run the source command above first; all commands that follow are run inside the (py3) virtual environment.
(py3) [root@localhost py3]

⑤ Auto-load the virtual environment
(py3) [root@localhost opt]# git clone git://github.com/kennethreitz/autoenv.git ~/.autoenv
(py3) [root@localhost opt]# echo 'source ~/.autoenv/activate.sh' >> ~/.bashrc
(py3) [root@localhost opt]# source ~/.bashrc

3. Steps to install Jumpserver:

① Clone the project
(py3) [root@localhost ~]# cd /opt/
(py3) [root@localhost opt]# git clone --depth=1 https://github.com/jumpserver/jumpserver.git && cd jumpserver && git checkout master
(py3) [root@localhost jumpserver]# echo "source /opt/py3/bin/activate" > /opt/jumpserver/.env

② Install dependencies
(py3) [root@localhost jumpserver]# cd requirements/
The first time you enter the jumpserver directory, autoenv may prompt you; answer y.
(py3) [root@localhost requirements]# yum -y install $(cat rpm_requirements.txt)
(py3) [root@localhost requirements]# pip install -r requirements.txt

③ Install Redis. Jumpserver uses Redis as its cache and as the Celery broker (Celery is a Python distributed task-scheduling module)
(py3) [root@localhost ~]# yum -y install redis
(py3) [root@localhost ~]# systemctl start redis

④ Install MySQL
(py3) [root@localhost ~]# yum -y install mariadb*
(py3) [root@localhost ~]# systemctl start mariadb
(py3) [root@localhost ~]# systemctl enable mariadb

⑤ Create the database and grant privileges to jumpserver
(py3) [root@localhost ~]# mysql
MariaDB [(none)]> create database jumpserver default charset 'utf8';
MariaDB [(none)]> grant all on jumpserver.* to jumpserver@'127.0.0.1' identified by '123.com';
MariaDB [(none)]> flush privileges;

⑥ Edit the Jumpserver configuration file
(py3) [root@localhost ~]# cd /opt/jumpserver/
(py3) [root@localhost jumpserver]# cp config_example.py config.py
(py3) [root@localhost jumpserver]# vi config.py
......
# remove the `pass` placeholder and add the following settings
class DevelopmentConfig(Config):
    DEBUG = True
    DB_ENGINE = 'mysql'
    DB_HOST = '127.0.0.1'
    DB_PORT = 3306
    DB_USER = 'jumpserver'
    DB_PASSWORD = '123.com'
    DB_NAME = 'jumpserver'
......

⑦ Generate the database schema and initialize the data
(py3) [root@localhost jumpserver]# cd /opt/jumpserver/utils/
(py3) [root@localhost utils]# bash make_migrations.sh

⑧ Run Jumpserver
(py3) [root@localhost utils]# cd /opt/jumpserver/
(py3) [root@localhost jumpserver]# ./jms start all
./jms start|stop|status|restart all
To run it in the background add the -d option: start it in the foreground first to check for errors, and if none are reported, stop it and start it again with -d. Then open http://192.168.2.5:8080 in a browser. The default account is admin, password admin.

4. Install the SSH server and WebSocket server: Coco

Steps:
① Clone the project (open a new terminal, and don't forget to activate the virtual environment)
[root@localhost ~]# cd /opt/
[root@localhost opt]# . py3/bin/activate
(py3) [root@localhost opt]# git clone https://github.com/jumpserver/coco.git && cd coco && git checkout master
(py3) [root@localhost coco]# echo "source /opt/py3/bin/activate" > /opt/coco/.env

② Install dependencies
(py3) [root@localhost coco]# cd /opt/coco/requirements/
Answer y at the prompt the first time you enter the directory.
(py3) [root@localhost requirements]# yum -y install $(cat rpm_requirements.txt)
(py3) [root@localhost requirements]# pip install -r requirements.txt -i https://pypi.org/simple

③ Check the configuration file and run Coco
(py3) [root@localhost requirements]# cd /opt/coco/
(py3) [root@localhost coco]# cp conf_example.py conf.py
(py3) [root@localhost coco]# ./cocod start
./cocod start|stop|status|restart
Start coco process
2018-05-28 16:14:25 [service DEBUG] Initial app service
2018-05-28 16:14:25 [service DEBUG] Load access key
2018-05-28 16:14:25 [service INFO] Access key not found, register it
2018-05-28 16:14:25 [service INFO] "Terminal was not accepted yet"
2018-05-28 16:14:28 [service INFO] "Terminal was not accepted yet"
This message means the terminal has no license yet (it has not been accepted); go to http://192.168.2.5:8080/terminal/terminal to accept it.

5. Install the Web Terminal frontend: Luna (open a new terminal)

Luna is now a pure frontend and must be served through an Nginx proxy.
[root@localhost ~]# cd /opt/
[root@localhost opt]# wget https://github.com/jumpserver/luna/releases/download/1.3.0/dist.tar.gz
[root@localhost opt]# tar zxf dist.tar.gz
[root@localhost opt]# mv dist luna
[root@localhost opt]# ls /opt/luna/
.....

6. Configure Nginx to integrate the components

Steps:
① Download the source and install
[root@localhost opt]# useradd -s /sbin/nologin www
[root@localhost opt]# wget http://nginx.org/download/nginx-1.14.0.tar.gz
[root@localhost opt]# tar zxf nginx-1.14.0.tar.gz && cd nginx-1.14.0
[root@localhost nginx-1.14.0]# ./configure --prefix=/usr/local/nginx --user=www --group=www --with-http_stub_status_module --with-http_realip_module --with-http_ssl_module --with-http_gzip_static_module --with-pcre --with-http_flv_module
[root@localhost nginx-1.14.0]# make && make install
[root@localhost nginx-1.14.0]# ln -s /usr/local/nginx/sbin/nginx /usr/local/sbin/
[root@localhost nginx-1.14.0]# cd /usr/local/nginx/conf/ && vim nginx.conf

② Edit the configuration file
http {
    .....  # the rest of the http context is omitted; replace the server block with this one
    server {
        listen 80;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        location /luna/ {
            try_files $uri / /index.html;
            alias /opt/luna/;
        }

        location /media/ {
            add_header Content-Encoding gzip;
            root /opt/jumpserver/data/;
        }

        location /static/ {
            root /opt/jumpserver/data/;
        }

        location /socket.io/ {
            proxy_pass http://localhost:5000/socket.io/;  # if coco runs on another server, use its IP
            proxy_buffering off;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
        }

        location / {
            proxy_pass http://localhost:8080;  # if jumpserver runs on another server, use its IP
        }
    }
}
[root@localhost conf]# nginx -t   # start only after the check passes
[root@localhost conf]# nginx

③ Confirm the services are running and start using Jumpserver
[root@localhost conf]# cd /opt/jumpserver/
(py3) [root@localhost jumpserver]# ./jms status
gunicorn is running: 33734
celery is running: 33627
beat is running: 33629
(py3) [root@localhost jumpserver]# cd ../coco/
(py3) [root@localhost coco]# ./cocod status
Coco is running: 57935
Open http://192.168.2.5; the default account is admin, password admin.

7. Test the connection

From a server asset or a macOS/Linux client, the login syntax is:
$ ssh -p2222 admin@192.168.2.5
$ sftp -P2222 admin@192.168.2.5
Password: admin

If the client is Windows, the Xshell terminal login syntax is:
$ ssh admin@192.168.2.5 2222
$ sftp admin@192.168.2.5 2222
Password: admin

If you can log in, the deployment succeeded. The default sftp upload location is the /tmp directory of the asset.

Special thanks to the Jumpserver project for open-sourcing it. This article is reposted from the official documentation at http://docs.jumpserver.org/zh... ; see that documentation for detailed usage.
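The config.py settings pasted in step ⑥ of section 3 leave DEBUG on and hard-code the database password. The following is an added example, not code from the original post or from the Jumpserver project: a minimal stand-in for the Config base class (the real one defines more settings; only the keys shown on this page are modelled), the posted DevelopmentConfig beside a hardened variant that reads the password from an environment variable (the variable name JMS_DB_PASSWORD is an assumption), and a pre-flight check that flags the weak settings before ./jms start is run.

```python
import os


class Config:
    # Assumed stand-in for Jumpserver's Config base class; only the keys
    # used in the posted config.py snippet are modelled here.
    DEBUG = False
    DB_ENGINE = 'sqlite3'
    DB_HOST = '127.0.0.1'
    DB_PORT = 3306
    DB_USER = ''
    DB_PASSWORD = ''
    DB_NAME = 'jumpserver'


class DevelopmentConfig(Config):
    # The settings exactly as pasted in the post: debug on, password in the file.
    DEBUG = True
    DB_ENGINE = 'mysql'
    DB_USER = 'jumpserver'
    DB_PASSWORD = '123.com'


class ProductionConfig(Config):
    # Hardened variant: debug off and the password taken from the environment,
    # so it never sits in the checkout under /opt/jumpserver.
    # JMS_DB_PASSWORD is an assumed variable name, not one the project defines.
    DEBUG = False
    DB_ENGINE = 'mysql'
    DB_USER = 'jumpserver'
    DB_PASSWORD = os.environ.get('JMS_DB_PASSWORD', '')


# Values that should never be accepted as a live database password.
WEAK_PASSWORDS = {'', '123.com', 'jumpserver', 'password', '123456'}


def check_config(cfg):
    """Return a list of findings for a Config subclass; an empty list means clean."""
    findings = []
    if cfg.DEBUG:
        findings.append('DEBUG is True: Django debug pages expose settings and stack traces')
    if cfg.DB_PASSWORD in WEAK_PASSWORDS:
        findings.append('DB_PASSWORD is empty or a well-known default')
    if cfg.DB_ENGINE == 'mysql' and cfg.DB_HOST not in ('127.0.0.1', 'localhost'):
        findings.append('DB_HOST is remote: database traffic leaves the host unencrypted unless TLS is configured')
    return findings


if __name__ == '__main__':
    for name, cfg in (('DevelopmentConfig', DevelopmentConfig), ('ProductionConfig', ProductionConfig)):
        print(name, check_config(cfg) or 'OK')
```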
