Mainly based on the official documentation: https://jumpserver.readthedocs.io/zh/master/step_by_step.html
**I. Production environment deployment**
Jumpserver is an open-source bastion host (jump server) system written in Python and Django. It provides authentication, authorization, auditing and automated operations for internet companies, and can collect data in real time, monitor the network environment and centralize alerting.
Jumpserver environment requirements:
Hardware: 2 CPU cores, 4 GB RAM, 50 GB disk (minimum)
Operating system: a Linux distribution, x86_64
Python = 3.6.x
MySQL Server ≥ 5.6
MariaDB Server ≥ 5.5.56
Redis
Docker
- Install MySQL
]# tar -xf /root/mysql-5.7.17.tar
]# yum -y install mysql-community-*
]# systemctl start mysqld
]# systemctl enable mysqld
- Install Redis
]# yum -y install gcc
]# tar -zxf redis-4.0.8.tar.gz
]# cd redis-4.0.8/
]# make && make install
]# cd utils/
utils]# ./install_server.sh
]# ss -antupl | grep :6379    # check that the service port is listening
- Install nginx
]# yum -y install gcc pcre-devel openssl-devel    # some of these dependencies were installed above and need not be reinstalled
]# tar -xf nginx-1.12.2.tar.gz
]# cd nginx-1.12.2/
]# ./configure
]# make && make install
]# /usr/local/nginx/sbin/nginx
- Install Docker
(configure the Docker package repository first)
]# yum -y install docker
]# systemctl start docker
]# systemctl enable docker
- Install Python 3
]# yum -y install wget sqlite-devel xz gcc automake zlib-devel openssl-devel epel-release git    # install the build dependencies
]# wget https://www.python.org/ftp/python/3.6.1/Python-3.6.1.tar.xz
]# tar -xf Python-3.6.1.tar.xz
]# cd Python-3.6.1/
Python-3.6.1]# ./configure && make && make install
]# python3.6 -m venv /opt/mypython    # create a Python 3 virtual environment (CentOS 7 ships Python 2; Jumpserver must run inside a Python 3 virtualenv)
]# source /opt/mypython/bin/activate    # load the virtual environment
**II. Install Jumpserver**
- Create the Jumpserver database and grant privileges
]# mysql -uroot -p
mysql> create database jumpserver default charset 'utf8';
mysql> grant all on jumpserver.* to 'jumpserver'@'127.0.0.1' identified by '123qqq...A';
mysql> flush privileges;
- Fetch the Jumpserver code
]# cd /opt
]# git clone --depth=1 https://github.com/jumpserver/jumpserver.git
- Install dependencies
(mypython) bin]# cd /opt/jumpserver/requirements
(mypython) requirements]# yum install -y $(cat rpm_requirements.txt)
(mypython) requirements]# pip install -r requirements.txt
Collecting amqp==2.1.4 (from -r requirements.txt (line 1))
Using cached https://files.pythonhosted.org/packages/7e/4b/ac7afb11b57f237e3c1c64b5408c5d229bf5d4b42af6cb6e683c7690ca4f/amqp-2.1.4-py2.py3-none-any.whl
Collecting ansible==2.8.0 (from -r requirements.txt (line 2))
Downloading https://files.pythonhosted.org/packages/17/c9/d379b76ecaa42f4ee08b01c365e9ed1be0b302ff8a26eef120d481b144fa/ansible-2.8.0.tar.gz (14.3MB)
|████████████████████████████████| 14.3MB 22kB/s
Requirement already satisfied: asn1crypto==0.24.0 in /root/mypython/lib/python3.6/site-packages (from -r requirements.txt (line 3)) (0.24.0)
......
Running setup.py install for ipip-ipdb ... done
Running setup.py install for django-redis-sessions ... done
Running setup.py install for unicodecsv ... done
Successfully installed Django-2.1.7 ForgeryPy-0.1 Jinja2-2.10.1 MarkupSafe-1.0 Pillow-4.3.0 PyNaCl-1.2.1 PyYAML-5.1 We
......
(mypython) requirements]# cd /opt/jumpserver/
(mypython) requirements]# ls
apps data entrypoint.sh logs requirements utils
build.sh Dockerfile jms README_EN.md run_server.py Vagrantfile
config_example.yml docs LICENSE README.md tmp
(mypython) jumpserver]# cp config_example.yml config.yml
]# cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 49    # for security, generate random strings for the config file below; generate two of them
Ow0FuFPTs0SU948jdsfbybc7fY5MxPlGwV7572V8d0PTDeKfe and ftWB0FNJCJVPMPyAsmPli4HONhsXMqA2zu0AVbfzAbdSw1tn0
(mypython) jumpserver]# vim config.yml
# SECURITY WARNING: keep the secret key used in production secret!
# Encryption key. In production change it to a random string and never leak it; it can be generated with the command
# $ cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 49;echo
SECRET_KEY: Ow0FuFPTs0SU948jdsfbybc7fY5MxPlGwV7572V8d0PTDeKfe
# SECURITY WARNING: keep the bootstrap token used in production secret!
# Pre-shared token used by coco and guacamole to register their service accounts; the old registration-approval mechanism is no longer used
BOOTSTRAP_TOKEN: ftWB0FNJCJVPMPyAsmPli4HONhsXMqA2zu0AVbfzAbdSw1tn0
# Development env open this, when error occur display the full process track, Production disable it
# DEBUG mode: with DEBUG enabled you get more logs when an error occurs
# DEBUG: true
# DEBUG, INFO, WARNING, ERROR, CRITICAL can set. See https://docs.djangoproject.com/en/1.10/topics/logging/
# Log level
# LOG_LEVEL: DEBUG
# LOG_DIR:
# Session expiration setting, Default 24 hour, Also set expired on on browser close
# Browser session expiry, default 24 hours; can also be set to expire when the browser closes
# SESSION_COOKIE_AGE: 86400
# SESSION_EXPIRE_AT_BROWSER_CLOSE: false
# Database setting, Support sqlite3, mysql, postgres ....
# Database settings
# See https://docs.djangoproject.com/en/1.10/ref/settings/#databases
# SQLite setting:
# Use a single-file SQLite database
# DB_ENGINE: sqlite3
# DB_NAME:
# MySQL or postgres setting like:
# Use MySQL as the database
DB_ENGINE: mysql
DB_HOST: 127.0.0.1
DB_PORT: 3306
DB_USER: jumpserver
DB_PASSWORD: '123qqq...A'
DB_NAME: jumpserver
# When Django start it will bind this host and port
# ./manage.py runserver 127.0.0.1:8080
# Host and port bound at runtime
HTTP_BIND_HOST: 0.0.0.0
HTTP_LISTEN_PORT: 8080
# Use Redis as broker for celery and web socket
# Redis settings
REDIS_HOST: 127.0.0.1
REDIS_PORT: 6379
# REDIS_PASSWORD:
# REDIS_DB_CELERY: 3
# REDIS_DB_CACHE: 4
......
- Start Jumpserver
(mypython) jumpserver]# ./jms start    # add the -d flag to run in the background: ./jms start -d
Mon Sep 23 14:12:31 2019
Jumpserver version 1.5.2, more see https://www.jumpserver.org
- Start Gunicorn WSGI HTTP Server
Check database connection ...
2019-09-23 14:12:33 [signals_handler DEBUG] Monkey patch settings
users
[ ] 0001_initial
[ ] 0002_auto_20171225_1157_squashed_0019_auto_20190304_1459 (18 squashed migrations)
[ ] 0020_auto_20190612_1825
[ ] 0021_auto_20190625_1104
[ ] 0022_auto_20190625_1105
.....
Applying terminal.0013_auto_20181123_1113... OK
Applying terminal.0014_auto_20181226_1441... OK
Applying users.0020_auto_20190612_1825... OK
Applying users.0021_auto_20190625_1104... OK
......
[2019-09-23 14:15:37 +0800] [18720] [INFO] Booting worker with pid: 18720
celery beat v4.1.0 (latentcall) is starting.
**III. Access Jumpserver from a browser**
127.0.0.1:8080, log in as admin, password: admin
**IV. Components needed for the web terminal**
The koko component, the guacamole component, the luna component, and nginx to integrate them.
Installing them with Docker is simpler.
- Deploy the koko component
]# docker run --name jms_koko -d -p 2222:2222 -p 127.0.0.1:5000:5000 -e CORE_HOST=http://127.0.0.1:8080 -e BOOTSTRAP_TOKEN=ftWB0FNJCJVPMPyAsmPli4HONhsXMqA2zu0AVbfzAbdSw1tn0 --restart=always jumpserver/jms_koko:1.5.2
- Deploy the guacamole component
]# docker run --name jms_guacamole -d -p 127.0.0.1:8081:8081 -e JUMPSERVER_SERVER=http://127.0.0.1:8080 -e BOOTSTRAP_TOKEN=ftWB0FNJCJVPMPyAsmPli4HONhsXMqA2zu0AVbfzAbdSw1tn0 jumpserver/jms_guacamole:1.5.2
- Download the luna component
]# wget https://github.com/jumpserver/luna/releases/download/1.5.2/luna.tar.gz
]# tar xf luna.tar.gz
]# chown -R root:root luna
- Configure nginx to integrate the components
]# vim /usr/local/nginx/conf/nginx.conf
......
    server {
        listen 80;
        client_max_body_size 100m;  # size limit for recordings and file uploads

        location /luna/ {
            try_files $uri / /index.html;
            alias /opt/luna/;  # luna path; change this if the install directory is different
        }

        location /media/ {
            add_header Content-Encoding gzip;
            root /opt/jumpserver/data/;  # recording location; change this if the install directory is different
        }

        location /static/ {
            root /opt/jumpserver/data/;  # static assets; change this if the install directory is different
        }

        location /socket.io/ {
            proxy_pass       http://localhost:5000/socket.io/;
            proxy_buffering off;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            access_log off;
        }

        location /coco/ {
            proxy_pass       http://localhost:5000/coco/;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            access_log off;
        }

        location /guacamole/ {
            proxy_pass       http://localhost:8081/;
            proxy_buffering off;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $http_connection;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            access_log off;
        }

        location / {
            proxy_pass http://localhost:8080;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }
......
]# /usr/local/nginx/sbin/nginx -t    # check the syntax
]# /usr/local/nginx/sbin/nginx -s reload
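The config.yml step and the docker component commands above both need the same two secrets, and the commands paste the BOOTSTRAP_TOKEN onto the command line, where it ends up in the shell history and in `docker inspect`. The following script is an added example, not code from the page or from the Jumpserver project: it generates the two 49-character secrets with the page's own recipe, writes them into config.yml, and derives an env-file for the koko and guacamole containers from config.yml so the token is typed exactly once. The file paths and the env-file name are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not part of Jumpserver. Paths below are assumptions.
set -eu

# gen_secret: 49-character alphanumeric secret, the recipe used on the page
gen_secret() {
  tr -dc 'A-Za-z0-9' </dev/urandom | head -c 49
}

# set_yaml_key FILE KEY VALUE: set a top-level "KEY: VALUE" line in the flat
# config.yml, replacing the line if it exists and appending it otherwise
set_yaml_key() {
  local file=$1 key=$2 value=$3
  if grep -q "^${key}:" "$file"; then
    sed -i "s|^${key}:.*|${key}: ${value}|" "$file"
  else
    printf '%s: %s\n' "$key" "$value" >>"$file"
  fi
}

# get_yaml_key FILE KEY: print the value of a top-level key, quotes stripped
get_yaml_key() {
  sed -n "s/^$2:[[:space:]]*//p" "$1" | head -n1 | tr -d "'\""
}

# write_component_env CONFIG OUT: build the --env-file for jms_koko and
# jms_guacamole from config.yml; created owner-only because it holds the token
write_component_env() {
  local config=$1 out=$2 token
  token=$(get_yaml_key "$config" BOOTSTRAP_TOKEN)
  [ -n "$token" ] || { echo "BOOTSTRAP_TOKEN not set in $config" >&2; return 1; }
  (
    umask 077
    {
      echo "CORE_HOST=http://127.0.0.1:8080"          # read by koko
      echo "JUMPSERVER_SERVER=http://127.0.0.1:8080"  # read by guacamole
      echo "BOOTSTRAP_TOKEN=$token"
    } >"$out"
  )
}

# Usage on the Jumpserver host (paths from the page, env-file name assumed):
#   set_yaml_key /opt/jumpserver/config.yml SECRET_KEY "$(gen_secret)"
#   set_yaml_key /opt/jumpserver/config.yml BOOTSTRAP_TOKEN "$(gen_secret)"
#   write_component_env /opt/jumpserver/config.yml /opt/jms_components.env
#   docker run --name jms_koko -d -p 2222:2222 -p 127.0.0.1:5000:5000 \
#     --env-file /opt/jms_components.env --restart=always jumpserver/jms_koko:1.5.2
```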
**V. Log in to Jumpserver**
(Once all services are running, access port 80, which nginx proxies, on the Jumpserver server; do not go through port 8080)
http://127.0.0.1:80
Log in as admin, password: admin
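The closing advice (go through nginx on port 80, not port 8080) can be checked rather than remembered. The script below is an added example, not code from the page or from Jumpserver: it audits the host's listening sockets for the layout described above, where only nginx (80) and koko's SSH port (2222) should face the network while the core (8080), koko web (5000), guacamole (8081), MySQL (3306) and Redis (6379) stay on 127.0.0.1 behind the proxy. The `ss -lnt` sample is constructed; because config.yml above sets HTTP_BIND_HOST: 0.0.0.0, the core on 8080 is the listener it flags.

```bash
#!/usr/bin/env bash
# Added example, not part of Jumpserver: audit listeners of the deployment above.
set -eu

# Assumption: the only ports meant to be reachable from the network are nginx
# (80) and koko's SSH endpoint (2222); everything else belongs on loopback.
PUBLIC_PORTS="80 2222"

# audit_listeners: reads `ss -lnt` output on stdin and prints one "EXPOSED"
# line per LISTEN socket bound to a non-loopback address on a port that is
# not in PUBLIC_PORTS. Returns 0 when nothing is exposed, 1 otherwise.
audit_listeners() {
  local found=0 state recvq sendq local_addr rest addr port
  while read -r state recvq sendq local_addr rest; do
    [ "$state" = "LISTEN" ] || continue
    port=${local_addr##*:}   # text after the last ':' (works for [::]:2222 too)
    addr=${local_addr%:*}
    case " $PUBLIC_PORTS " in *" $port "*) continue ;; esac
    case "$addr" in 127.0.0.1|'[::1]') continue ;; esac
    echo "EXPOSED ${addr}:${port}"
    found=1
  done
  return "$found"
}

# Constructed sample in `ss -lnt` format for the layout on this page: nginx on
# 80, koko on 2222 and 127.0.0.1:5000, guacamole on 127.0.0.1:8081, MySQL and
# Redis on loopback, and the core bound to 0.0.0.0:8080 (HTTP_BIND_HOST above).
SAMPLE_SS_OUTPUT='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:80         0.0.0.0:*
LISTEN 0      128    0.0.0.0:2222       0.0.0.0:*
LISTEN 0      128    127.0.0.1:5000     0.0.0.0:*
LISTEN 0      128    127.0.0.1:8081     0.0.0.0:*
LISTEN 0      128    0.0.0.0:8080       0.0.0.0:*
LISTEN 0      80     127.0.0.1:3306     0.0.0.0:*
LISTEN 0      128    127.0.0.1:6379     0.0.0.0:*'

# On the real host run:  ss -lnt | audit_listeners
# On the sample this prints "EXPOSED 0.0.0.0:8080": bind the core to 127.0.0.1
# (nginx proxies to localhost:8080) if the components can still reach it, or
# restrict port 8080 with a host firewall.
printf '%s\n' "$SAMPLE_SS_OUTPUT" | audit_listeners || true
```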