Deploying the JumpServer open-source bastion host (version 1.4.8) on CentOS

I. JumpServer deployment guide (version 1.4.8)

1. Configure the yum and Docker repositories before deployment (this step is omitted here)

2. Install the dependency packages and the database-related packages

yum -y install wget gcc epel-release git redis mariadb mariadb-devel mariadb-server MariaDB-shared

3. Start the databases and enable them at boot

systemctl enable redis && systemctl start redis
systemctl enable mariadb && systemctl start mariadb

4. Create the jumpserver database and grant privileges (DB_PASSWORD is the database password; choose it yourself)

mysql -uroot -e "create database jumpserver default charset 'utf8'; grant all on jumpserver.* to 'jumpserver'@'127.0.0.1' identified by '$DB_PASSWORD'; flush privileges;"

5. Install Nginx and enable it at boot; it is the reverse proxy that ties JumpServer and its components together. Only install and start it here; the components are deployed later

yum -y install nginx && systemctl start nginx && systemctl enable nginx

6. Install Python 3.6

1) yum -y install python36 python36-devel
2) Enter the Python environment

cd /opt/
python3.6 -m venv py3  # name of the virtual environment; any name will do
source /opt/py3/bin/activate  # enter the virtual environment

All of the following steps are performed inside this Python virtual environment

7. Download JumpServer (I had downloaded it in advance; you can download it yourself)

cd /opt/ && git clone https://github.com/jumpserver/jumpserver.git  # the download directory can be changed
cd /opt/jumpserver && git checkout 1.4.8   # we are deploying 1.4.8, so switch to that branch

8. Install the required system packages

yum -y install $(cat /opt/jumpserver/requirements/rpm_requirements.txt)

9. Install the Python library dependencies

pip install --upgrade pip setuptools
pip install -r /opt/jumpserver/requirements/requirements.txt

If this fails, it is probably network latency: re-run the command, or install the missing dependencies by hand with pip install

10. Edit the JumpServer configuration file

1) Generate the SECRET_KEY and BOOTSTRAP_TOKEN secrets

SECRET_KEY=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 50`  # generate a random SECRET_KEY
BOOTSTRAP_TOKEN=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 16`  # generate a random BOOTSTRAP_TOKEN
echo "SECRET_KEY=$SECRET_KEY" >> ~/.bashrc
echo "BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN" >> ~/.bashrc

2) Edit the configuration file

vim /opt/jumpserver/config.yaml

SECRET_KEY: <the SECRET_KEY generated above>
BOOTSTRAP_TOKEN: <the BOOTSTRAP_TOKEN generated above>
DEBUG: false
LOG_LEVEL: ERROR
SESSION_EXPIRE_AT_BROWSER_CLOSE: true
DB_ENGINE: mysql
DB_HOST: 127.0.0.1
DB_PORT: 3306
DB_USER: jumpserver
DB_PASSWORD: $DB_PASSWORD
DB_NAME: jumpserver
REDIS_HOST: 127.0.0.1
REDIS_PORT: 6379

11. Start the JumpServer service

cd /opt/jumpserver
./jms start -d

12. Install Docker; deploy the coco and guacamole components

1) Install the dependency packages

yum install -y yum-utils device-mapper-persistent-data lvm2 docker-ce
systemctl enable docker && systemctl start docker  # enable at boot and start

2) Download the coco and guacamole components: pull them yourself with docker pull. Configure the Docker registry mirror in advance; that is not described in detail here

3) Extract the server's IP address

Server_IP=`ip addr | grep inet | egrep -v '(127.0.0.1|inet6|docker)' | awk '{print $2}' | tr -d "addr:" | head -n 1 | cut -d / -f1`
echo Server_IP=$Server_IP >> ~/.bashrc  # save the variable

4) Run the coco and guacamole components with Docker

Run the coco component (BOOTSTRAP_TOKEN must be identical to the BOOTSTRAP_TOKEN in JumpServer's config.yaml)

docker run --name jms_coco -d -p 2222:2222 -p 5000:5000 -e CORE_HOST=http://$Server_IP:8080 -e BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN jumpserver/jms_coco:1.4.8

Run guacamole the same way

docker run --name jms_guacamole -d -p 8081:8081 -e JUMPSERVER_SERVER=http://$Server_IP:8080 -e BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN jumpserver/jms_guacamole:1.4.8
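Steps 10 and 12 both depend on the same BOOTSTRAP_TOKEN, and the post has you copy it from ~/.bashrc into config.yaml by hand, which is where mismatches (and an unregistered coco/guacamole) come from. The helper below is an added example, not part of the original post or of JumpServer: it generates the secrets the same way as step 10, writes them straight into config.yaml, restricts the file's permissions (it also holds DB_PASSWORD), and reads the token back out of the file so the docker run commands use exactly the value JumpServer was configured with. The config path and the key names are assumed to be the ones shown in step 10.

```shell
#!/usr/bin/env bash
# Added example (not from the original post). Assumes a JumpServer-style
# config file with top-level "KEY: value" lines, as in step 10.
set -eu

# Same generator as the post: random alphanumerics read from /dev/urandom.
gen_secret() {  # $1 = length in characters
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c "$1"
}

# Replace a top-level "KEY: value" line in place, or append it if missing,
# so re-running never leaves two conflicting definitions of the same key.
set_config_value() {  # $1 = config file, $2 = key, $3 = value
    local file="$1" key="$2" value="$3"
    if grep -q "^${key}:" "$file"; then
        sed -i "s|^${key}:.*|${key}: ${value}|" "$file"
    else
        printf '%s: %s\n' "$key" "$value" >>"$file"
    fi
}

# Read a top-level value back, stripping any surrounding quotes.
get_config_value() {  # $1 = config file, $2 = key
    sed -n "s/^$2:[[:space:]]*//p" "$1" | head -n 1 | tr -d '"'"'"
}

# Step 10: write fresh SECRET_KEY (50 chars) and BOOTSTRAP_TOKEN (16 chars)
# into the config and make the file owner-only readable, since it also
# contains the database password.
configure_secrets() {  # $1 = config file
    local file="$1"
    set_config_value "$file" SECRET_KEY "$(gen_secret 50)"
    set_config_value "$file" BOOTSTRAP_TOKEN "$(gen_secret 16)"
    chmod 600 "$file"
}

# Step 12: the token passed to the containers via -e BOOTSTRAP_TOKEN must
# equal the one in config.yaml, otherwise the component cannot register.
# Returns 0 on match, 1 on mismatch or empty token.
check_bootstrap_token() {  # $1 = config file, $2 = token to be passed to docker
    [ -n "$2" ] && [ "$(get_config_value "$1" BOOTSTRAP_TOKEN)" = "$2" ]
}

# Typical use on the bastion host (paths from the post):
#   configure_secrets /opt/jumpserver/config.yaml
#   token=$(get_config_value /opt/jumpserver/config.yaml BOOTSTRAP_TOKEN)
#   check_bootstrap_token /opt/jumpserver/config.yaml "$token" \
#     && docker run --name jms_coco -d -p 2222:2222 -p 5000:5000 \
#          -e CORE_HOST=http://$Server_IP:8080 -e BOOTSTRAP_TOKEN="$token" \
#          jumpserver/jms_coco:1.4.8
```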

13. Install the Web Terminal front end, Luna. Just extract it; no build is needed

cd /opt/ && wget https://github.com/jumpserver/luna/releases/download/1.4.8/luna.tar.gz
tar xf luna.tar.gz
chown -R root.root luna

14. Edit the Nginx configuration file

vim /etc/nginx/nginx.conf
    ...
    ...
    server {

        listen 80;

        client_max_body_size 100m;  # size limit for session recordings and file uploads

        location /luna/ {
            try_files $uri / /index.html;
            alias /opt/luna/;  # Luna path; change this if you changed the install directory
        }

        location /media/ {
            add_header Content-Encoding gzip;
            root /opt/jumpserver/data/;  # recording location; change this if you changed the install directory
        }

        location /static/ {
            root /opt/jumpserver/data/;  # static assets; change this if you changed the install directory
        }

        location /socket.io/ {
            proxy_pass       http://localhost:5000/socket.io/;
            proxy_buffering off;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            access_log off;
        }

        location /coco/ {
            proxy_pass       http://localhost:5000/coco/;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            access_log off;
        }

        location /guacamole/ {
            proxy_pass       http://localhost:8081/;
            proxy_buffering off;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $http_connection;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            access_log off;
        }

        location / {
            proxy_pass http://localhost:8080;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }

15. Restart the Nginx service

nginx -t   # test the configuration
systemctl restart nginx

16. Disable SELinux and the firewall (or open the required ports); not covered in detail here

Open the web service in a browser to verify the deployment

How to handle the related errors and how to migrate data will be covered in later updates; all of this comes from my own experience with actual deployments.
