
jumpserver跳闆機安裝與配置實戰

jumpserver安裝與配置

參考jumpserver官網http://docs.jumpserver.org/zh/docs/step_by_step.html

一、準備python3和python虛拟環境

1.1安裝依賴包

# Build and runtime prerequisites: toolchain and headers for compiling Python,
# plus git for the clones that follow (epel-release presumably for later packages).
yum install -y \
  wget sqlite-devel xz gcc automake zlib-devel openssl-devel epel-release git

1.2編譯安裝

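# Build CPython 3.6.1 from source. Chained with && so a failed download or
# extraction does not leave ./configure running in whatever directory we were in.
# NOTE(review): `make install` installs this build as the default python3; on a
# host that already ships python3, `make altinstall` avoids replacing it (the
# venv would then be created with python3.6 instead of python3).
wget https://www.python.org/ftp/python/3.6.1/Python-3.6.1.tar.xz \
  && tar xvf Python-3.6.1.tar.xz \
  && cd Python-3.6.1 \
  && ./configure \
  && make \
  && make install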

1.3建立python虛拟環境

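# Create the project virtualenv under /opt and activate it in this shell.
# Chained so the venv is not created somewhere else if the cd fails; `source`
# must run in the current shell (not a subshell) to take effect.
cd /opt \
  && python3 -m venv py3 \
  && source /opt/py3/bin/activate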

1.4自動載入python虛拟環境

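# Install autoenv so the venv is activated automatically on entering the project
# directories (they get a .env file in later steps). The .bashrc line expects the
# checkout at /opt/autoenv, so clone from /opt.
# Fixed: the original cloned over git://, which is unauthenticated and unencrypted;
# use https like the other clones in this guide.
# NOTE(review): autoenv sources the .env of any directory you cd into, so only
# enter directories whose .env you trust.
cd /opt \
  && git clone https://github.com/kennethreitz/autoenv.git \
  && echo 'source /opt/autoenv/activate.sh' >> ~/.bashrc \
  && source ~/.bashrc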

二、安裝Jumpserver

2.1下載下傳或Clone項目

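# Clone JumpServer into /opt (the .env path below assumes that location) and let
# autoenv activate the venv whenever the directory is entered.
cd /opt \
  && git clone https://github.com/jumpserver/jumpserver.git \
  && cd jumpserver \
  && git checkout master \
  && echo "source /opt/py3/bin/activate" > /opt/jumpserver/.env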

2.2安裝依賴RPM包

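# Install the RPM dependencies listed by the project. The command substitution is
# intentionally unquoted: rpm_requirements.txt is expected to be a whitespace-
# separated package list. Chained so yum never runs against a missing file.
cd /opt/jumpserver/requirements \
  && yum -y install $(cat rpm_requirements.txt)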

2.3安裝python庫依賴

# Python dependencies go into the currently active virtualenv (/opt/py3).
pip install --requirement requirements.txt

2.4安裝Redis

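# Build Redis 3.2.12 from source into /data/redis and create its runtime
# directories. Assumes redis-3.2.12.tar.gz was already downloaded into the
# current directory (the guide does not show the download). Chained so a failed
# extraction does not run `make` in the wrong place; ends in /data/redis like the original.
# NOTE(review): 3.2 is an old release line; check for a maintained version before deploying.
yum -y install gcc \
  && tar zxvf redis-3.2.12.tar.gz \
  && cd redis-3.2.12 \
  && make PREFIX=/data/redis MALLOC=libc install \
  && mkdir -p /data/redis/etc /data/redis/logs /data/redis/redisdbcache /data/redis/var \
  && cd /data/redis/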

配置檔案 vi /data/redis/etc/redis.conf

# /data/redis/etc/redis.conf — Redis used by JumpServer as celery broker and cache.
daemonize yes
pidfile "/data/redis/var/redis.pid"
# NOTE(review): bound to a LAN address while no `requirepass` appears anywhere in
# this file (and config.py on this page leaves REDIS_PASSWORD empty), so any host
# that can reach 192.168.1.161:6379 gets full unauthenticated access. Redis's
# protected-mode does not apply once bind is set explicitly. Restrict the port
# with a host firewall and/or set requirepass together with REDIS_PASSWORD.
bind 192.168.1.161
port 6379
tcp-backlog 2044
timeout 300
tcp-keepalive 0
loglevel notice
logfile "/data/redis/logs/redis.log"
databases 16
# RDB snapshot triggers: 900s/1 change, 300s/10 changes, 60s/40000 changes
save 900 1
save 300 10
save 60 40000
stop-writes-on-bgsave-error yes
rdbcompression yes
rdbchecksum yes
dbfilename dump.rdb
#dir /dev/shm/
dir /data/redis/redisdbcache
slave-serve-stale-data yes
slave-read-only no
repl-disable-tcp-nodelay no
slave-priority 100
maxclients 1000
# This value needs to be adjusted: size it to the memory available on the host.
maxmemory 2GB
maxmemory-policy volatile-lru
maxmemory-samples 3
appendonly no
appendfilename "appendonly.aof"
appendfsync everysec
no-appendfsync-on-rewrite no
auto-aof-rewrite-percentage 100
auto-aof-rewrite-min-size 64mb
aof-load-truncated yes
lua-time-limit 5000
slowlog-log-slower-than 10000
slowlog-max-len 128
latency-monitor-threshold 0
notify-keyspace-events ""
hash-max-ziplist-entries 512
hash-max-ziplist-value 64
list-max-ziplist-entries 512
list-max-ziplist-value 64
set-max-intset-entries 512
zset-max-ziplist-entries 128
zset-max-ziplist-value 64
hll-sparse-max-bytes 3000
activerehashing yes
client-output-buffer-limit normal 0 0 0
client-output-buffer-limit slave 256mb 64mb 60
client-output-buffer-limit pubsub 32mb 8mb 60
hz 20
aof-rewrite-incremental-fsync yes

啟動檔案 vi /etc/init.d/redis

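#!/bin/sh
#
# redis - this script starts and stops the redis-server daemon
#
# chkconfig:   - 85 15
# description:  Redis is a persistent key-value database
# processname: redis-server
# config:      /data/redis/etc/redis.conf
# pidfile:     /data/redis/var/redis.pid
#
# Restored from a garbled listing: the closing braces of stop/restart/reload/
# force_reload/rh_status/rh_status_q and the action lines and `;;` of several
# case arms were missing; they follow the intact start() and `start)` arm.
# Also fixed: stop() tested $retval without ever setting it, reload() stored its
# status in RETVAL and never returned it, and the header paths now match the
# /data/redis install used by this script.

# Source function library.
. /etc/rc.d/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

# Check that networking is up.
[ "$NETWORKING" = "no" ] && exit 0

redis="/data/redis/bin/redis-server"
prog=$(basename "$redis")
REDIS_CONF_FILE="/data/redis/etc/redis.conf"
lockfile=/var/lock/subsys/redis

# Start the daemon. Exits 5 (not installed) / 6 (not configured) when the
# binary or the config file is missing, as LSB init scripts do.
start() {
    [ -x "$redis" ] || exit 5
    [ -f "$REDIS_CONF_FILE" ] || exit 6
    echo -n $"Starting $prog: "
    daemon "$redis" "$REDIS_CONF_FILE"
    retval=$?
    echo
    [ $retval -eq 0 ] && touch "$lockfile"
    return $retval
}

# Stop the daemon and drop the subsys lock on success.
# NOTE(review): -QUIT is what the original sends; Redis's graceful shutdown
# (with an RDB save) is driven by SIGTERM — confirm before relying on this
# for clean stops.
stop() {
    echo -n $"Stopping $prog: "
    killproc "$prog" -QUIT
    retval=$?   # was missing: the original compared an unset $retval
    echo
    [ $retval -eq 0 ] && rm -f "$lockfile"
    return $retval
}

restart() {
    stop
    start
}

# NOTE(review): whether redis-server re-reads its config on SIGHUP is not
# established by this script; verify before relying on `reload`.
reload() {
    echo -n $"Reloading $prog: "
    killproc "$redis" -HUP
    retval=$?
    echo
    return $retval
}

force_reload() {
    restart
}

rh_status() {
    status "$prog"
}

rh_status_q() {
    rh_status >/dev/null 2>&1
}

case "$1" in
    start)
        rh_status_q && exit 0
        $1
        ;;
    stop)
        rh_status_q || exit 0
        $1
        ;;
    restart|configtest)
        # No configtest function exists in this script; both actions restart.
        restart
        ;;
    reload)
        rh_status_q || exit 7
        $1
        ;;
    force-reload)
        force_reload
        ;;
    status)
        rh_status
        ;;
    condrestart|try-restart)
        rh_status_q || exit 0
        restart
        ;;
    *)
        echo $"Usage: $0 {start|stop|status|restart|condrestart|try-restart|reload|force-reload}"
        exit 2
esac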

增加執行權限

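# Make the init script executable, register it for boot, and start it now.
# Chained so a failed chmod does not go on to try starting a non-executable script.
chmod +x /etc/init.d/redis \
  && chkconfig redis on \
  && /etc/init.d/redis start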

2.5安裝MYSQL

2.6建立資料庫Jumpserver 并授權

# Note: in this setup MySQL runs on a separate host; run the following there.
# `-p` without a value prompts for the root password instead of exposing it in argv.
mysql -u root -p

-- Create the JumpServer database and its application account.
-- NOTE(review): 'jumpserver'@'%' accepts this account from any host. The
-- JumpServer host on this page appears to be 192.168.1.161, so the host part
-- can be narrowed to that address. The password literal is repeated in
-- config.py; treat it as deployment-specific and rotate it after following the guide.
create database jumpserver default charset 'utf8';
grant all on jumpserver.* to 'jumpserver'@'%' identified by 'yb20180815';
flush privileges;

2.7修改Jumpserver配置檔案

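# Start from the shipped example config; chained so the copy cannot run in the
# wrong directory if the cd fails.
cd /opt/jumpserver \
  && cp config_example.py config.py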

vi config.py 修改以下配置（原文以紅色標示需修改的內容，純文字版本無法顯示顏色）

注意: 配置檔案是 Python 格式,不要用 TAB,而要用空格,且各行的縮排寬度必須一致

"""

   jumpserver.config

   ~~~~~~~~~~~~~~~~~

   Jumpserver project setting file

   :copyright: (c) 2014-2017 by Jumpserver Team

   :license: GPL v2, see LICENSE for more details.

import os

# Project root (the directory holding this config file); LOG_DIR and the SQLite
# path in Config are resolved relative to it.
BASE_DIR = os.path.dirname(os.path.abspath(__file__))

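class Config:
    """JumpServer settings (copied from config_example.py).

    Each value is read from the environment first and falls back to the literal
    below. Unknown attribute names resolve to None via __getattr__, so a typo in
    a setting name is silent rather than an error.

    Changes versus the listing this was restored from:
    - mixed 2/3-space indentation (HTTP_LISTEN_PORT, REDIS_HOST) normalised;
      Python rejects inconsistent indentation inside a class body
    - DEBUG now honours the environment: ``os.environ.get("DEBUG") or True``
      could never be False, since any non-empty string is truthy
    - the SQLite lines are commented out; they were unconditionally overridden
      by the MySQL settings that follow them
    """

    # Use it to encrypt or decrypt data
    # SECURITY WARNING: keep the secret key used in production secret!
    # NOTE(review): the fallback is the published example key; set SECRET_KEY in
    # the environment (or replace the literal) before exposing the service.
    SECRET_KEY = os.environ.get('SECRET_KEY') or '2vym+ky!997d5kkcc64mnz06y1mmui3lut#(^wd=%s_qj$1%x'

    # Django security setting, if your disable debug model, you should setting that
    # NOTE(review): '*' disables Django's Host header validation; list the real hostnames.
    ALLOWED_HOSTS = ['*']

    # Development env open this, when error occur display the full process track, Production disable it
    # Default stays True (as in the original); DEBUG=false / 0 / no / off disables it.
    DEBUG = os.environ.get("DEBUG", "true").strip().lower() not in ("0", "false", "no", "off")

    # DEBUG, INFO, WARNING, ERROR, CRITICAL can set. See https://docs.djangoproject.com/en/1.10/topics/logging/
    LOG_LEVEL = os.environ.get("LOG_LEVEL") or 'DEBUG'
    LOG_DIR = os.path.join(BASE_DIR, 'logs')

    # Database setting, Support sqlite3, mysql, postgres ....
    # See https://docs.djangoproject.com/en/1.10/ref/settings/#databases
    # SQLite setting (kept for reference; overridden by the MySQL block below):
    # DB_ENGINE = 'sqlite3'
    # DB_NAME = os.path.join(BASE_DIR, 'data', 'db.sqlite3')

    # MySQL or postgres setting like:
    DB_ENGINE = os.environ.get("DB_ENGINE") or 'mysql'
    DB_HOST = os.environ.get("DB_HOST") or '192.168.1.162'
    DB_PORT = os.environ.get("DB_PORT") or 3306
    DB_USER = os.environ.get("DB_USER") or 'jumpserver'
    # NOTE(review): plaintext credential; prefer DB_PASSWORD from the environment
    # and keep config.py readable only by the service account.
    DB_PASSWORD = os.environ.get("DB_PASSWORD") or 'yb20180815'
    DB_NAME = os.environ.get("DB_NAME") or 'jumpserver'

    # When Django start it will bind this host and port
    # ./manage.py runserver 127.0.0.1:8080
    # NOTE(review): 0.0.0.0 exposes 8088 on every interface; the nginx config
    # later in this guide proxies to localhost:8088, so 127.0.0.1 is enough when
    # nginx runs on the same host.
    HTTP_BIND_HOST = '0.0.0.0'
    HTTP_LISTEN_PORT = 8088

    # Use Redis as broker for celery and web socket
    REDIS_HOST = os.environ.get("REDIS_HOST") or '192.168.1.161'
    REDIS_PORT = os.environ.get("REDIS_PORT") or 6379
    # NOTE(review): empty password matches the redis.conf on this page (no requirepass).
    REDIS_PASSWORD = os.environ.get("REDIS_PASSWORD") or ''
    # Both read the same REDIS_DB variable, so setting it makes celery and the
    # cache share one database. Left as-is; confirm the intended names upstream.
    REDIS_DB_CELERY = os.environ.get('REDIS_DB') or 3
    REDIS_DB_CACHE = os.environ.get('REDIS_DB') or 4

    def __init__(self):
        pass

    def __getattr__(self, item):
        # Only reached for names not found by normal lookup: undefined settings read as None.
        return None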

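class DevelopmentConfig(Config):
    pass


# Restored: the listing had lost the bodies of the next two classes; an empty
# class body is a syntax error, and `pass` matches DevelopmentConfig above.
class TestConfig(Config):
    pass


class ProductionConfig(Config):
    pass


# Default using Config settings, you can write if/else for different env
config = DevelopmentConfig()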

2.8生成資料表結構和初始資料

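# Create the schema and seed data; chained so the script never runs from the
# wrong directory if the cd fails.
cd /opt/jumpserver/utils \
  && bash make_migrations.sh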

2.9運作Jumpserver

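# `jms` lives in the project root, but the previous step left the shell in
# /opt/jumpserver/utils where ./jms does not exist — change directory first.
cd /opt/jumpserver \
  && ./jms start all -d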

三、安裝SSH server和webSocket Server:Coco

3.1下載下傳或clone項目

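# Clone coco next to jumpserver under /opt (the .env path assumes /opt/coco).
cd /opt \
  && git clone https://github.com/jumpserver/coco.git \
  && cd coco \
  && git checkout master \
  && echo "source /opt/py3/bin/activate" > /opt/coco/.env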

3.2安裝依賴

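# RPM dependencies for coco (same pattern as for jumpserver above; the command
# substitution is intentionally unquoted).
# NOTE(review): unlike section 2.3, no `pip install -r requirements.txt` follows
# here; check whether coco's Python dependencies also need installing into the venv.
cd /opt/coco/requirements \
  && yum -y install $(cat rpm_requirements.txt)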

3.3修改配置檔案并運作

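# Fixed: the example is copied to conf.py, so conf.py is the file to edit
# (the original opened config.py, which this copy never creates).
cd /opt/coco \
  && cp conf_example.py conf.py \
  && vi conf.py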

修改以下配置（原文以紅色標示需修改的內容）

#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# NOTE(review): restored from a garbled listing — `import os` is missing, the
# module docstring below lost its quotes, and COMMAND_STORAGE / REPLAY_STORAGE
# are cut off; compare against conf_example.py in the coco checkout before use.
BASE_DIR = os.path.dirname(__file__)
Coco config file, coco also load config from server update setting below
# Project name, used to register with Jumpserver; an identifier only, must be unique
NAME = "localhost"
# URL of the Jumpserver project, used by the API registration request
CORE_HOST = os.environ.get("CORE_HOST") or 'http://127.0.0.1:8088'
# IP to bind at start-up, default 0.0.0.0
BIND_HOST = '0.0.0.0'
# SSH port to listen on, default 2222
SSHD_PORT = 2222
# HTTP/WS port to listen on, default 5000
HTTPD_PORT = 5000
# ACCESS KEY used by the project; registered by default and saved to ACCESS_KEY_STORE.
# It may also be written into this config file, in the form access_key_id:access_key_secret
ACCESS_KEY = None
# Where the ACCESS KEY is stored; after registration it is saved to this file by default
# NOTE(review): this file holds the id:secret coco uses to talk to Jumpserver;
# keep it readable only by the coco service user.
ACCESS_KEY_STORE = os.path.join(BASE_DIR, 'keys', '.access_key')
# Encryption key
SECRET_KEY = None
# Log level ['DEBUG', 'INFO', 'WARN', 'ERROR', 'FATAL', 'CRITICAL']
LOG_LEVEL = 'INFO'
# Directory for log files
LOG_DIR = os.path.join(BASE_DIR, 'logs')
# Directory for session recordings
SESSION_DIR = os.path.join(BASE_DIR, 'sessions')
# Asset list sort order, ['ip', 'hostname']
ASSET_LIST_SORT_BY = 'hostname'
# Whether login supports password authentication
# NOTE(review): password logins on a bastion reachable from untrusted networks
# invite credential guessing; if keys can be used everywhere, consider False.
PASSWORD_AUTH = True
# Whether login supports public-key authentication
PUBLIC_KEY_AUTH = True
# Heartbeat interval to Jumpserver
# HEARTBEAT_INTERVAL = 5
# Admin name, shown to users when something goes wrong
# ADMINS = ''
COMMAND_STORAGE = {
"TYPE": "server"
REPLAY_STORAGE = {
config = Config()

啟動

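# Start coco as a daemon from its own directory; ./cocod is relative to /opt/coco,
# so make the step independent of whatever directory the shell is in.
cd /opt/coco \
  && ./cocod start -d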

四、安裝Web Terminal 前端:Luna

Luna已改為純前端,需要Nginx來運作通路

4.1解壓Luna

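# Fetch the prebuilt Luna bundle. Run from /opt because the nginx config later
# in this guide serves /opt/luna/. Chained so a failed download is not "extracted".
cd /opt \
  && wget https://github.com/jumpserver/luna/releases/download/1.4.0/luna.tar.gz \
  && tar zxvf luna.tar.gz \
  && chown -R root:root luna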

五、配置nginx

5.1 安裝nginx

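# Build nginx 1.12.2 from source with a bundled OpenSSL. Assumes both tarballs
# were downloaded to /opt beforehand (--with-openssl expects the OpenSSL source
# at /opt/openssl-1.0.2d). Chained so configure/make never run in the wrong directory.
# NOTE(review): OpenSSL 1.0.2d dates from 2015 and that branch is no longer
# maintained; the system openssl-devel installed in step 1.1 is the safer
# choice (drop --with-openssl to link against it).
yum -y install gd gd2 gd-devel gd2-devel pcre pcre-devel \
  && tar zxvf openssl-1.0.2d.tar.gz \
  && tar zxvf nginx-1.12.2.tar.gz \
  && cd nginx-1.12.2 \
  && ./configure --prefix=/usr/share/nginx --sbin-path=/usr/sbin/nginx \
       --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log \
       --http-log-path=/var/log/nginx/access.log --with-http_stub_status_module \
       --with-http_ssl_module --with-openssl=/opt/openssl-1.0.2d \
       --with-http_realip_module --with-pcre --with-http_gzip_static_module \
  && make \
  && make install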

5.2配置nginx

vi /etc/nginx/nginx.conf

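# /etc/nginx/nginx.conf — main config. Restored: the listing had lost the
# closing braces of the `events` and `http` blocks.
user    nobody  nobody;
worker_processes  8;
error_log  /var/log/nginx/error.log;
pid        /var/run/nginx.pid;
worker_rlimit_nofile 102400;

events {
    worker_connections  65535;
    use epoll;
}

http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] [$request_time $upstream_response_time] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';
    log_format new      '$remote_addr^A$http_x_forwarded_for^A$host^A$time_local^A$status^A'
                        '$request_time^A$request_length^A$bytes_sent^A$http_referer^A$request^A$http_user_agent';

    # NOTE(review): with the access log off there is no record of who reached the
    # bastion's web front end, and both formats above go unused. Consider
    # `access_log /var/log/nginx/access.log main;` at least for the jumpserver server block.
    access_log off;

    sendfile        on;
    tcp_nopush      on;
    tcp_nodelay     on;
    server_tokens   off;
    server_names_hash_bucket_size 128;
    client_header_buffer_size 512k;
    client_body_buffer_size 512k;
    client_max_body_size 50m;
    large_client_header_buffers 4 512k;
    send_timeout 10000;
    client_header_timeout 500;
    client_body_timeout 500;
    fastcgi_buffers 8 512k;
    connection_pool_size 256;
    request_pool_size 4k;
    output_buffers 4 32k;
    postpone_output 1460;

    gzip on;
    gzip_vary on;
    gzip_static on;
    gzip_min_length 1k;
    gzip_buffers 4 16k;
    gzip_http_version 1.0;
    gzip_comp_level 6;
    gzip_types text/plain application/x-javascript application/javascript text/css application/xml text/javascript ;
    gzip_disable "MSIE [1-6]\.";

    fastcgi_intercept_errors on;
    keepalive_timeout  150;

    proxy_buffering on;
    proxy_buffer_size 512k;
    proxy_buffers   32 256k;
    proxy_busy_buffers_size 512k;
    proxy_ignore_client_abort off;
    proxy_intercept_errors    on;
    proxy_redirect            off;
    # Replaces any incoming X-Forwarded-For chain with the direct peer; the
    # jumpserver.conf on this page uses $proxy_add_x_forwarded_for, which appends.
    proxy_set_header          X-Forwarded-For $remote_addr;
    proxy_connect_timeout     5000;
    proxy_send_timeout        5000;
    proxy_read_timeout        5000;

    include /etc/nginx/conf.d/*.conf;
}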

配置 jumpserver.conf

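# Per-site config directory. -p makes this safe to re-run: a plain mkdir fails
# when the directory already exists, which would stop the chain before vi.
mkdir -p /etc/nginx/conf.d/ \
  && cd /etc/nginx/conf.d/ \
  && vi jumpserver.conf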

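# /etc/nginx/conf.d/jumpserver.conf — reverse proxy in front of jumpserver, coco
# and luna. Restored: the listing had lost every closing brace. Also added to
# `location /` the Host / X-Real-IP / X-Forwarded-For headers the /socket.io/
# block already sets, so the backend on 8088 sees the client's address instead
# of 127.0.0.1 (the proxy).
server {
    # Proxy port; from now on access goes through here, not through 8088.
    # NOTE(review): plain HTTP — the admin login in this guide travels over this
    # port in clear. The nginx build above includes --with-http_ssl_module, so
    # terminating TLS here is possible.
    listen 8000;
    client_max_body_size 100m;  # upload size limit for session recordings

    location /luna/ {
        try_files $uri / /index.html;
        alias /opt/luna/;  # luna path; change this if the install directory changes
    }

    location /media/ {
        add_header Content-Encoding gzip;
        root /opt/jumpserver/data/;  # recordings; change if the install directory changes
    }

    location /static/ {
        root /opt/jumpserver/data/;  # static assets; change if the install directory changes
    }

    location /socket.io/ {
        proxy_pass       http://localhost:5000/socket.io/;  # if coco runs on another server, use its IP
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    location /guacamole/ {
        proxy_pass       http://localhost:8081/;  # if guacamole runs on another server, use its IP
        proxy_set_header Connection $http_connection;
    }

    location / {
        proxy_pass http://localhost:8088;  # if jumpserver runs on another server, use its IP
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}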

啟動nginx

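# Fixed typo: the binary is `nginx` (installed to /usr/sbin/nginx by the build above).
nginx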

平滑重新開機nginx

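# Fixed typo: `nginx -s reload` re-reads the config without stopping the master process.
nginx -s reload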

登入 http://192.168.1.161:8000 使用者名 admin 密碼 admin（此為預設帳號,首次登入後請立即修改密碼）
