jumpserver安装与配置
参考jumpserver官网http://docs.jumpserver.org/zh/docs/step_by_step.html
一、准备python3和python虚拟环境
1.1安装依赖包
yum -y install wget sqlite-devel xz gcc automake zlib-devel openssl-devel epel-release git
1.2编译安装
wget https://www.python.org/ftp/python/3.6.1/Python-3.6.1.tar.xz
tar xvf Python-3.6.1.tar.xz && cd Python-3.6.1
./configure && make && make install
1.3建立python虚拟环境
cd /opt
python3 -m venv py3
source /opt/py3/bin/activate
1.4自动载入python虚拟环境
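# Fetch autoenv over HTTPS instead of the unauthenticated git:// transport:
# activate.sh is sourced by every new shell below, so the clone should come
# over a channel that verifies the server (GitHub no longer serves git:// anyway).
git clone https://github.com/kennethreitz/autoenv.git
echo 'source /opt/autoenv/activate.sh' >> ~/.bashrc
source ~/.bashrc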
二、安装Jumpserver
2.1下载或Clone项目
git clone https://github.com/jumpserver/jumpserver.git && cd jumpserver && git checkout master
echo "source /opt/py3/bin/activate" > /opt/jumpserver/.env
2.2安装依赖RPM包
cd /opt/jumpserver/requirements
yum -y install $(cat rpm_requirements.txt)
2.3安装python库依赖
pip install -r requirements.txt
2.4安装Redis
yum -y install gcc
tar zxvf redis-3.2.12.tar.gz
cd redis-3.2.12
make PREFIX=/data/redis MALLOC=libc install
mkdir -p /data/redis/etc
cd /data/redis/
mkdir logs
mkdir redisdbcache
mkdir var
配置文件 vi /data/redis/etc/redis.conf
# Redis configuration for the JumpServer broker/cache. Paths under /data/redis
# match the PREFIX used in the build step and the init script in this guide.
daemonize yes
pidfile "/data/redis/var/redis.pid"
# NOTE(review): a non-loopback bind with no requirepass means every host that can
# reach 192.168.1.161:6379 talks to Redis unauthenticated (config.py sets
# REDIS_PASSWORD to '' to match). Restrict reachability with a host firewall, or
# set requirepass here and mirror it in REDIS_PASSWORD.
bind 192.168.1.161
port 6379
tcp-backlog 2044
timeout 300
tcp-keepalive 0
loglevel notice
logfile "/data/redis/logs/redis.log"
databases 16
# Persistence is RDB snapshots only (appendonly is off below): the three rules
# snapshot after 1 change in 900s, 10 changes in 300s or 40000 changes in 60s.
save 900 1
save 300 10
save 60 40000
stop-writes-on-bgsave-error yes
rdbcompression yes
rdbchecksum yes
dbfilename dump.rdb
#dir /dev/shm/
dir /data/redis/redisdbcache
slave-serve-stale-data yes
# NOTE(review): this instance is not configured as a replica, so the directive is
# inert here; on a replica it would allow clients to write to the replica.
slave-read-only no
repl-disable-tcp-nodelay no
slave-priority 100
maxclients 1000
# This is the setting that needs to be adjusted for the host
maxmemory 2GB
maxmemory-policy volatile-lru
maxmemory-samples 3
appendonly no
appendfilename "appendonly.aof"
appendfsync everysec
no-appendfsync-on-rewrite no
auto-aof-rewrite-percentage 100
auto-aof-rewrite-min-size 64mb
aof-load-truncated yes
lua-time-limit 5000
slowlog-log-slower-than 10000
slowlog-max-len 128
latency-monitor-threshold 0
notify-keyspace-events ""
hash-max-ziplist-entries 512
hash-max-ziplist-value 64
list-max-ziplist-entries 512
list-max-ziplist-value 64
set-max-intset-entries 512
zset-max-ziplist-entries 128
zset-max-ziplist-value 64
hll-sparse-max-bytes 3000
activerehashing yes
client-output-buffer-limit normal 0 0 0
client-output-buffer-limit slave 256mb 64mb 60
client-output-buffer-limit pubsub 32mb 8mb 60
hz 20
aof-rewrite-incremental-fsync yes
启动文件 vi /etc/init.d/redis
#!/bin/sh
#
# redis - this script starts and stops the redis-server daemon
# chkconfig: - 85 15
# description: Redis is a persistent key-value database
# processname: redis-server
# config: /usr/local/redis/etc/redis.conf
# pidfile: /usr/local/redis/var/redis.pid
# Source function library.
# Pull in the RHEL init helpers (daemon, killproc, status) used further down.
. /etc/rc.d/init.d/functions
# Load the system networking settings, which provide $NETWORKING.
. /etc/sysconfig/network
# Nothing to do when networking is disabled.
if [ "$NETWORKING" = "no" ]; then
  exit 0
fi
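# Server binary and config, both under the PREFIX used when building Redis.
redis="/data/redis/bin/redis-server"
# Name shown in the status messages; the path is quoted so it is passed as one word.
prog=$(basename -- "$redis")
REDIS_CONF_FILE="/data/redis/etc/redis.conf"
# Subsystem lock file touched on a successful start (see start()).
lockfile=/var/lock/subsys/redis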
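#######################################
# Start redis-server through the init-library daemon() helper.
# Globals:  redis, REDIS_CONF_FILE, prog, lockfile (read); retval (written)
# Returns:  daemon()'s status; exits 5 if the binary is missing, 6 if the
#           config file is missing
#######################################
start() {
  # All expansions are quoted so a path with spaces cannot split into extra words.
  [ -x "$redis" ] || exit 5
  [ -f "$REDIS_CONF_FILE" ] || exit 6
  echo -n $"Starting $prog: "
  # daemon comes from /etc/rc.d/init.d/functions; redis.conf has daemonize yes.
  daemon "$redis" "$REDIS_CONF_FILE"
  retval=$?
  echo
  [ "$retval" -eq 0 ] && touch "$lockfile"
  return "$retval"
}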
stop() {
echo -n $"Stopping $prog: "
killproc $prog -QUIT
[ $retval -eq 0 ] && rm -f $lockfile
restart() {
stop
start
reload() {
echo -n $"Reloading $prog: "
killproc $redis -HUP
RETVAL=$?
force_reload() {
restart
rh_status() {
status $prog
rh_status_q() {
rh_status >/dev/null 2>&1
case "$1" in
start)
rh_status_q && exit 0
$1
;;
stop)
rh_status_q || exit 0
restart|configtest)
reload)
rh_status_q || exit 7
force-reload)
force_reload
status)
rh_status
condrestart|try-restart)
;;
*)
echo $"Usage: $0 {start|stop|status|restart|condrestart|try-restart|reload|force-reload}"
exit 2
esac
增加执行权限
chmod +x /etc/init.d/redis
开机启动
chkconfig redis on
启动redis
/etc/init.d/redis start
2.5安装MYSQL
2.6创建数据库Jumpserver 并授权
#注意我的MYSQL是在另外一台机器上的
mysql -uroot -p
create database jumpserver default charset 'utf8';
grant all on jumpserver.* to 'jumpserver'@'%' identified by 'yb20180815';
flush privileges;
2.7修改Jumpserver配置文件
cd /opt/jumpserver
cp config_example.py config.py
vi config.py 修改以下配置红色是修改的内容
注意: 配置文件是 Python 格式,不要用 TAB,而要用空格
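"""
jumpserver.config
~~~~~~~~~~~~~~~~~
Jumpserver project setting file
:copyright: (c) 2014-2017 by Jumpserver Team
:license: GPL v2, see LICENSE for more details.
"""
import os

# Absolute directory of this file; LOG_DIR and the sqlite path are built from it.
BASE_DIR = os.path.dirname(os.path.abspath(__file__))


class Config:
    """Base settings.

    Each value can be overridden through the environment variable named in its
    ``os.environ.get(...)`` call; the literal after ``or`` is the fallback.
    Settings that were never defined read as ``None`` (see ``__getattr__``).
    """
    # Use it to encrypt or decrypt data
    # SECURITY WARNING: keep the secret key used in production secret!
    # NOTE(review): the fallback literal is reproduced in this guide, so it is not
    # secret any more; export SECRET_KEY so the fallback is never used.
    SECRET_KEY = os.environ.get('SECRET_KEY') or '2vym+ky!997d5kkcc64mnz06y1mmui3lut#(^wd=%s_qj$1%x'
    # Django security setting, if your disable debug model, you should setting that
    # NOTE(review): '*' accepts any Host header; list the real hostname(s) once DEBUG is off.
    ALLOWED_HOSTS = ['*']
    # Development env open this, when error occur display the full process track, Production disable it
    # NOTE(review): `os.environ.get("DEBUG") or True` can never be False: an unset
    # variable falls back to True and any non-empty string (even "0" or "false")
    # is truthy, so DEBUG is always on with this line as written.
    DEBUG = os.environ.get("DEBUG") or True
    # DEBUG, INFO, WARNING, ERROR, CRITICAL can set. See https://docs.djangoproject.com/en/1.10/topics/logging/
    LOG_LEVEL = os.environ.get("LOG_LEVEL") or 'DEBUG'
    LOG_DIR = os.path.join(BASE_DIR, 'logs')

    # Database setting, Support sqlite3, mysql, postgres ....
    # See https://docs.djangoproject.com/en/1.10/ref/settings/#databases
    # SQLite setting:
    # (both names are reassigned by the MySQL block right below, so these two
    # lines have no effect)
    DB_ENGINE = 'sqlite3'
    DB_NAME = os.path.join(BASE_DIR, 'data', 'db.sqlite3')

    # MySQL or postgres setting like:
    DB_ENGINE = os.environ.get("DB_ENGINE") or 'mysql'
    DB_HOST = os.environ.get("DB_HOST") or '192.168.1.162'
    # NOTE(review): a value from the environment is a str while the fallback is an
    # int; confirm the consumer accepts both.
    DB_PORT = os.environ.get("DB_PORT") or 3306
    DB_USER = os.environ.get("DB_USER") or 'jumpserver'
    # NOTE(review): the database password is stored in clear text here; prefer
    # the DB_PASSWORD environment variable and keep config.py unreadable to other users.
    DB_PASSWORD = os.environ.get("DB_PASSWORD") or 'yb20180815'
    DB_NAME = os.environ.get("DB_NAME") or 'jumpserver'

    # When Django start it will bind this host and port
    # ./manage.py runserver 127.0.0.1:8080
    HTTP_BIND_HOST = '0.0.0.0'
    HTTP_LISTEN_PORT = 8088

    # Use Redis as broker for celery and web socket
    REDIS_HOST = os.environ.get("REDIS_HOST") or '192.168.1.161'
    REDIS_PORT = os.environ.get("REDIS_PORT") or 6379
    # Empty password matches the redis.conf in this guide, which sets no requirepass.
    REDIS_PASSWORD = os.environ.get("REDIS_PASSWORD") or ''
    # NOTE(review): both settings read the same REDIS_DB variable, so setting it
    # makes celery and the cache share one database; only the fallbacks (3 and 4)
    # keep them apart.
    REDIS_DB_CELERY = os.environ.get('REDIS_DB') or 3
    REDIS_DB_CACHE = os.environ.get('REDIS_DB') or 4

    def __init__(self):
        pass

    def __getattr__(self, item):
        # Only reached for attributes not found normally: unknown settings read as None.
        return None


class DevelopmentConfig(Config):
    pass


class TestConfig(Config):
    pass


class ProductionConfig(Config):
    pass


# Default using Config settings, you can write if/else for different env
config = DevelopmentConfig()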
2.8生成数据表结构和初始数据
cd /opt/jumpserver/utils
bash make_migrations.sh
2.9运行Jumpserver
./jms start all -d
三、安装SSH server和webSocket Server:Coco
3.1下载或clone项目
git clone https://github.com/jumpserver/coco.git && cd coco && git checkout master
echo "source /opt/py3/bin/activate" > /opt/coco/.env
3.2安装依赖
cd /opt/coco/requirements
yum -y install $(cat rpm_requirements.txt)
3.3修改配置文件并运行
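cd /opt/coco
cp conf_example.py conf.py
# The file just copied is conf.py (not config.py), so that is the one to edit.
vi conf.py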
修改以下配置红色是修改的内容
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# NOTE(review): this listing uses os but shows no "import os"; the real file needs
# one above this line. `config = Config()` at the end also implies these settings
# sit in a `class Config:` body whose header and indentation were lost here;
# confirm against conf_example.py.
# Unlike config.py this does not abspath() first, so BASE_DIR is '' when coco is
# started from its own directory (relative __file__); the joins below still work.
BASE_DIR = os.path.dirname(__file__)
Coco config file, coco also load config from server update setting below
# Project name; used to register with Jumpserver, only as an identifier, must be unique
NAME = "localhost"
# URL of the Jumpserver project; used by the API registration request
CORE_HOST = os.environ.get("CORE_HOST") or 'http://127.0.0.1:8088'
# IP bound at startup, default 0.0.0.0
BIND_HOST = '0.0.0.0'
# SSH port to listen on, default 2222
SSHD_PORT = 2222
# HTTP/WS port to listen on, default 5000
HTTPD_PORT = 5000
# ACCESS KEY used by this project; by default it is registered and saved to ACCESS_KEY_STORE,
# if needed it can be written into the config file in the form access_key_id:access_key_secret
ACCESS_KEY = None
# Path where the ACCESS KEY is stored; after default registration it is saved to this file
# NOTE(review): per the comment above this file holds the registered secret; keep
# the keys/ directory unreadable to other users.
ACCESS_KEY_STORE = os.path.join(BASE_DIR, 'keys', '.access_key')
# Encryption key
SECRET_KEY = None
# Log level, one of ['DEBUG', 'INFO', 'WARN', 'ERROR', 'FATAL', 'CRITICAL']
LOG_LEVEL = 'INFO'
# Directory for log files
LOG_DIR = os.path.join(BASE_DIR, 'logs')
# Directory for session recordings
SESSION_DIR = os.path.join(BASE_DIR, 'sessions')
# Sort order for the asset list, one of ['ip', 'hostname']
ASSET_LIST_SORT_BY = 'hostname'
# Whether login accepts password authentication
PASSWORD_AUTH = True
# Whether login accepts public-key authentication
PUBLIC_KEY_AUTH = True
# Heartbeat interval to Jumpserver
# HEARTBEAT_INTERVAL = 5
# Admin name shown to users when something goes wrong
# ADMINS = ''
COMMAND_STORAGE = {
"TYPE": "server"
REPLAY_STORAGE = {
config = Config()
启动
./cocod start -d
四、安装Web Terminal 前端:Luna
Luna已改为纯前端,需要Nginx来运行访问
4.1解压Luna
wget https://github.com/jumpserver/luna/releases/download/1.4.0/luna.tar.gz
tar zxvf luna.tar.gz
chown -R root:root luna
五、配置nginx
5.1 安装nginx
# Build prerequisites for the nginx source build.
yum -y install gd gd2 gd-devel gd2-devel pcre pcre-devel
# Unpack the OpenSSL tree (compiled into nginx via --with-openssl) and nginx itself.
tar -zxvf openssl-1.0.2d.tar.gz
tar -zxvf nginx-1.12.2.tar.gz
cd nginx-1.12.2
# NOTE(review): OpenSSL 1.0.2d is linked statically into the nginx binary, so
# later OpenSSL fixes installed by yum do not reach it; nginx has to be rebuilt
# whenever the bundled OpenSSL is updated.
./configure \
  --prefix=/usr/share/nginx \
  --sbin-path=/usr/sbin/nginx \
  --conf-path=/etc/nginx/nginx.conf \
  --error-log-path=/var/log/nginx/error.log \
  --http-log-path=/var/log/nginx/access.log \
  --with-http_stub_status_module \
  --with-http_ssl_module \
  --with-openssl=/opt/openssl-1.0.2d \
  --with-http_realip_module \
  --with-pcre \
  --with-http_gzip_static_module
make && make install
5.2配置nginx
vi /etc/nginx/nginx.conf
# Main nginx configuration; the server blocks come from /etc/nginx/conf.d/*.conf
# (included at the end). NOTE(review): the closing "}" of the events and http
# blocks are missing from this listing; restore them when copying.
user nobody nobody;
worker_processes 8;
error_log /var/log/nginx/error.log;
pid /var/run/nginx.pid;
worker_rlimit_nofile 102400;
events {
worker_connections 65535;
use epoll;
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] [$request_time $upstream_response_time] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
log_format new '$remote_addr^A$http_x_forwarded_for^A$host^A$time_local^A$status^A'
'$request_time^A$request_length^A$bytes_sent^A$http_referer^A$request^A$http_user_agent';
# NOTE(review): this turns request logging off globally, so neither log_format
# above is ever used. For the front door of a bastion host the access log is the
# usual audit and detection source; consider enabling it at least in jumpserver.conf.
access_log off;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
# Hide the nginx version in responses and error pages.
server_tokens off;
server_names_hash_bucket_size 128;
client_header_buffer_size 512k;
client_body_buffer_size 512k;
client_max_body_size 50m;
large_client_header_buffers 4 512k;
send_timeout 10000;
client_header_timeout 500;
client_body_timeout 500;
fastcgi_buffers 8 512k;
connection_pool_size 256;
request_pool_size 4k;
output_buffers 4 32k;
postpone_output 1460;
gzip on;
gzip_vary on;
gzip_static on;
gzip_min_length 1k;
gzip_buffers 4 16k;
gzip_http_version 1.0;
gzip_comp_level 6;
gzip_types text/plain application/x-javascript application/javascript text/css application/xml text/javascript ;
gzip_disable "MSIE [1-6]\.";
fastcgi_intercept_errors on;
keepalive_timeout 150;
proxy_buffering on;
proxy_buffer_size 512k;
proxy_buffers 32 256k;
proxy_busy_buffers_size 512k;
proxy_ignore_client_abort off;
proxy_intercept_errors on;
proxy_redirect off;
# Replaces any client-supplied X-Forwarded-For with the connecting address
# (locations in jumpserver.conf may set their own value).
proxy_set_header X-Forwarded-For $remote_addr;
proxy_connect_timeout 5000;
proxy_send_timeout 5000;
proxy_read_timeout 5000;
include /etc/nginx/conf.d/*.conf;
配置 jumpserver.conf
mkdir /etc/nginx/conf.d/
cd /etc/nginx/conf.d/
vi jumpserver.conf
# Virtual host that fronts luna, the jumpserver web app, coco's websocket and
# guacamole. NOTE(review): the closing "}" of every location and of the server
# block are missing from this listing; restore them when copying.
server {
# NOTE(review): plain HTTP listener with no ssl. Every login and every bastion
# session through /luna/ and /socket.io/ crosses the network unencrypted; the
# nginx build above includes http_ssl_module, so an ssl listener can be added,
# or TLS terminated in front of this host.
listen 8000; # proxy port; access goes through this port from now on instead of 8088
client_max_body_size 100m; # upload size limit for session recordings
location /luna/ {
try_files $uri / /index.html;
alias /opt/luna/; # luna path; change this if the install directory changes
location /media/ {
add_header Content-Encoding gzip;
root /opt/jumpserver/data/; # recording location; change this if the install directory changes
location /static/ {
root /opt/jumpserver/data/; # static assets; change this if the install directory changes
location /socket.io/ {
proxy_pass http://localhost:5000/socket.io/; # if coco runs on another server, put its IP here
proxy_buffering off;
# Websocket upgrade headers for coco.
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
location /guacamole/ {
proxy_pass http://localhost:8081/; # if guacamole runs on another server, put its IP here
proxy_set_header Connection $http_connection;
location / {
proxy_pass http://localhost:8088; # if jumpserver runs on another server, put its IP here
启动nginx
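# The binary is named nginx; "nignx" is a typo and would not be found.
nginx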
平滑重启nginx
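# Graceful reload of the running nginx master (command name corrected from "nignx").
nginx -s reload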
登录http://192.168.1.161:8000 用户名 admin 密码 admin