非常重要:若是基础环境没有正确安装,后边编译安装软件会报错~
**这是我的实验硬件配置,记得初始化好系统,永久关掉防火墙跟selinux那些,不要装docker,会冲突,然后重启一下再进行部署操作~(关闭防火墙和SELinux只适合实验环境;堡垒机用于生产时应保持两者开启,只放行实际需要对外提供的端口,例如本文nginx监听的80。)
hostnamectl set-hostname Jumpserver #change the hostname
机器提前装好wget工具,便于进行下载
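# Replace the stock CentOS 7 and EPEL repo definitions with the Aliyun mirrors.
# The repo files are fetched over HTTPS so they cannot be altered in transit;
# also check the baseurl/gpgcheck lines inside the downloaded files.
wget -O /etc/yum.repos.d/CentOS-Base.repo https://mirrors.aliyun.com/repo/Centos-7.repo
wget -O /etc/yum.repos.d/epel.repo https://mirrors.aliyun.com/repo/epel-7.repo
# Base tooling. Package names corrected to net-tools, sl and psmisc, matching
# the same list that is used again before the pip install step on this page.
yum install -y bash-completion vim lrzsz wget expect net-tools nc nmap tree dos2unix htop iftop iotop unzip telnet sl psmisc nethogs glances bc ntpdate openldap-devel
# Build dependencies. "pythondevel" corrected to the package name python-devel.
yum -y install git python-pip gcc automake autoconf python-devel vim sshpass lrzsz readline-devel zlib zlib-devel openssl openssl-devel
# Generate the zh_CN.UTF-8 locale and select it for this shell.
localedef -c -f UTF-8 -i zh_CN zh_CN.UTF-8
export LC_ALL=zh_CN.UTF-8
echo 'LANG="zh_CN.UTF-8"' > /etc/locale.conf #written to the config file so the setting persists
locale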
# Download the MySQL 5.6.49 RPM bundle, unpack it and install every RPM in it.
# NOTE(review): the tarball is installed without any checksum or signature
# check; compare it with the digest published by the vendor before installing.
# NOTE(review): MySQL 5.6 no longer receives security updates; a supported
# release is preferable outside a lab.
wget https://cdn.mysql.com//Downloads/MySQL-5.6/MySQL-5.6.49-1.el7.x86_64.rpm-bundle.tar
mkdir mysql_rpm
tar -xf MySQL-5.6.49-1.el7.x86_64.rpm-bundle.tar -C ./mysql_rpm/
cd mysql_rpm/
yum localinstall -y ./*
vim /etc/my.cnf #make the following changes
log-error=/var/log/mysql/mysql.log
pid-file=/var/run/mysql/mysql.pid
MySQL 5.6版本默认会生成随机密码,密码文件在
/root/.mysql_secret
*注意-p参数后没有空格,该方式是不安全的,密码会暴露在shell历史记录和进程列表中
# Replace the current root password (the value after -p, presumably the random
# one from /root/.mysql_secret) with a new one. Both values on the next line
# are the author's samples; substitute your own.
mysqladmin -uroot -pybZ1U3SFa7RQJCRj password xuyuhan #change these to your own passwords before copying
mysql -uroot -p #press Enter, then type the password to log in
# Set the root password directly in the grant table.
update mysql.user set password=password('xuyuhan') where user='root';
flush privileges; #the new password only takes effect after this reload
# Create the database and the account that JumpServer uses.
create database jumpserver default charset 'utf8'collate 'utf8_bin';
# NOTE(review): host '%' lets this account log in from any address, while the
# config.yml on this page connects through 127.0.0.1. Restricting the host part
# to the address JumpServer actually connects from would narrow the exposure;
# confirm how the server resolves local connections before changing it.
# 'chaoge888' is the author's sample password; use a strong, unique one.
create user 'jumpserver'@'%' IDENTIFIED BY 'chaoge888'; #the password here is set to chaoge888
grant all privileges on jumpserver.* to'jumpserver'@'%' identified by 'chaoge888';
flush privileges;
1.下载
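# Build Python 3.6.10 from source into /opt/python3-6-10.
# NOTE(review): the tarball is unpacked and built as root without being
# verified; python.org publishes signatures for its releases.
cd /opt && wget https://www.python.org/ftp/python/3.6.10/Python-3.6.10.tgz
tar -zxf Python-3.6.10.tgz
cd Python-3.6.10/
ls
# Configure with a dedicated install prefix (about one minute).
./configure --prefix=/opt/python3-6-10/
ls
# Compile and install (about three minutes).
make && make install
# Add the new interpreter to PATH for login shells. The single quotes keep
# $PATH literal, so it is expanded at login instead of freezing the PATH of
# the current root shell into /etc/profile.
echo 'export PATH="/opt/python3-6-10/bin:$PATH"' >> /etc/profile
tail -1 /etc/profile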
重新登录会话,可重启下主机
python #press Tab at this point
# Create the virtual environment used for the rest of the installation.
python3.6 -m venv /opt/py3
#Activate the virtual environment; PATH changes at that point and only the python commands are affected
# NOTE(review): no activation command is shown at this step;
# `source /opt/py3/bin/activate` appears further down the page.
mkdir ~/.pip
vim ~/.pip/pip.conf
#添加以下内容,把pypi默认的下载源换成国内源,一劳永逸解决pypi下载慢的问题
[global]
index-url = https://mirrors.aliyun.com/pypi/simple/
#Install
# NOTE(review): Redis is used without a password on this page (REDIS_PASSWORD is
# left empty in the koko config) and the prerequisites disable the firewall, so
# confirm that redis.conf binds only to 127.0.0.1.
yum install redis -y
#Start
systemctl start redis
#Enable at boot
systemctl enable redis
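#Download into /opt as before
cd /opt && wget https://github.com/jumpserver/jumpserver/releases/download/v2.1.0/jumpserver-v2.1.0.tar.gz
#Unpack
tar -zxvf jumpserver-v2.1.0.tar.gz
#Create the symlink /opt/jumpserver -> /opt/jumpserver-v2.1.0/
#(target and link name are two arguments; they had been run together)
ln -s /opt/jumpserver-v2.1.0/ /opt/jumpserver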
#This step may need to be retried; it did not fail for me
#Activate the python3 virtual environment first, then install
source /opt/py3/bin/activate
yum install -y bash-completion vim lrzsz wget expect net-tools nc nmap tree dos2unix htop iftop iotop unzip telnet sl psmisc nethogs glances bc ntpdate openldap-devel
cd /opt/jumpserver-v2.1.0/requirements/
pip install wheel
pip install --upgrade pip setuptools
# Packages are resolved from the index set in ~/.pip/pip.conf (the Aliyun
# mirror on this page) and installed without hash checking.
pip install -r requirements.txt
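# Generate SECRET_KEY (50 characters) and BOOTSTRAP_TOKEN (16 characters) from
# /dev/urandom if they are not already set, append them to ~/.bashrc and print
# them. Values that are already set are reused and only printed.
# The second statement had been split across two lines, which turned the
# "BOOTSTRAP_TOKEN=..." string into a command of its own; it is whole again.
# Both values are secrets: ~/.bashrc keeps them in clear text and the echo
# puts them on the terminal, so protect the file and the session log.
if [ -z "$SECRET_KEY" ]; then
  SECRET_KEY=$(LC_ALL=C tr -dc A-Za-z0-9 < /dev/urandom | head -c 50)
  echo "SECRET_KEY=$SECRET_KEY" >> ~/.bashrc
fi
echo "$SECRET_KEY"
if [ -z "$BOOTSTRAP_TOKEN" ]; then
  BOOTSTRAP_TOKEN=$(LC_ALL=C tr -dc A-Za-z0-9 < /dev/urandom | head -c 16)
  echo "BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN" >> ~/.bashrc
fi
echo "$BOOTSTRAP_TOKEN"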
备份配置文件
cd /opt/jumpserver-v2.1.0 && cp config_example.yml config.yml #the copy must be named config.yml, otherwise the database migration fails; this took a long time to track down
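#Edit the config file; the settings in effect (comment and blank lines filtered out) are listed below
# A space was missing between the pattern and the file name, which made
# "config.yml" part of the regex and left grep reading standard input.
grep -Ev '^#|^$' config.yml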
# NOTE(review): YAML does not expand shell variables. These two entries must
# hold the values generated earlier; a literal "$SECRET_KEY" left in the file
# would itself become the key, and that string is publicly known.
SECRET_KEY: "$SECRET_KEY"
BOOTSTRAP_TOKEN: "$BOOTSTRAP_TOKEN"
# NOTE(review): debug mode and DEBUG-level logging suit a lab only; they can
# expose internal details in error pages and logs. Turn both down before real use.
DEBUG: true
LOG_LEVEL: DEBUG
SESSION_EXPIRE_AT_BROWSER_CLOSE: false
DB_ENGINE: mysql
DB_HOST: 127.0.0.1
DB_PORT: 3306
DB_USER: jumpserver
# The database password is stored here in clear text; keep config.yml readable
# only by the account that runs JumpServer.
DB_PASSWORD: chaoge888
DB_NAME: jumpserver
# NOTE(review): 0.0.0.0 exposes port 8080 on every interface, although nginx,
# koko and guacamole on this page all reach it through localhost/127.0.0.1.
# Binding to 127.0.0.1 would presumably suffice on a single host; confirm.
HTTP_BIND_HOST: 0.0.0.0
HTTP_LISTEN_PORT: 8080
WS_LISTEN_PORT: 8070
REDIS_HOST: 127.0.0.1
REDIS_PORT: 6379
# Generate and apply the database migrations using the settings in config.yml
# (run inside the py3 virtual environment).
python3 /opt/jumpserver-v2.1.0/apps/manage.py makemigrations
python3 /opt/jumpserver-v2.1.0/apps/manage.py migrate
#确保都是在python虚拟环境下进行
(py3) [root@jumpserver jumpserver-v2.1.0]# cd /opt/jumpserver-v2.1.0
(py3) [root@jumpserver jumpserver-v2.1.0]# ./jms start -d
#The koko version must match the JumpServer version, otherwise remote connections from the web UI will not work
# NOTE(review): this URL fetches koko v2.21.0 while the core installed above is
# jumpserver v2.1.0; confirm which version is intended.
cd /opt && wget https://github.com/jumpserver/koko/releases/download/v2.21.0/koko-v2.21.0-linux-amd64.tar.gz
[root@jumpserver opt]# tar -xf koko-v2.21.0-linux-amd64.tar.gz
[root@jumpserver opt]# mv koo koko
[root@jumpserver opt]# cd koko
[root@jumpserver koko]# ls
[root@jumpserver koko]# cp config_example.yml config.yml
[root@jumpserver koko]# vim config.yml
#修改后如下
(py3) [root@jumpserver koko 09:45:20]$ grep -Ev '^#|^$' /opt/koko/config.yml
CORE_HOST: http://127.0.0.1:8080
# NOTE(review): YAML does not expand "$BOOTSTRAP_TOKEN"; put the real token
# here, presumably the same value as in JumpServer's config.yml.
BOOTSTRAP_TOKEN: "$BOOTSTRAP_TOKEN"
LOG_LEVEL: INFO
REDIS_HOST: 127.0.0.1
REDIS_PORT: 6379
# Left empty: Redis is used without authentication in this setup.
REDIS_PASSWORD:
REDIS_CLUSTERS:
REDIS_DB_ROOM:
(py3) [root@jumpserver koko]# /opt/koko/koko -d #让koko后台运行
(py3) [root@jumpserver koko]#
后边要能在web端打开这个文件管理才可以,非正常安装会出现502报错
该软件包在github上已经找不到了,可以通过docker下载,这里直接提供网盘链接。注意网盘文件不是官方发布渠道,其中的ssh-forward会被解压到/bin并赋予可执行权限,使用前应尽量与可信来源(例如从docker镜像中取出的同名文件)比对校验和。
链接: https://pan.baidu.com/s/1nVuD2NEYfEXkb80DPA0rtQ?pwd=2hwd 提取码: 2hwd
(py3) [root@jumpserver opt]# tar -xf guacamole-v2.1.0.tar.gz
(py3) [root@jumpserver opt]# mv docker-guacamole-2.1.0 guacamole
(py3) [root@jumpserver opt]# cd /opt/guacamole && tar -xf guacamole-server-1.2.0.tar.gz && tar -xf ssh-forward.tar.gz -C /bin/
(py3) [root@jumpserver guacamole]# chmod +x /bin/ssh-forward
(py3) [root@jumpserver guacamole]# cd /opt/guacamole/guacamole-server-1.2.0/
根据官方文档的要求来
http://guacamole.apache.org/doc/gug/installing-guacamole.html
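#Very important: these packages must be installed
yum install cairo-devel libjpeg-turbo-devel libpng-devel libtool uuid-devel -y
yum install freerdp-devel pango-devel libssh2-devel libtelnet-devel libvncserver-devel libwebsockets-devel pulseaudio-libs-devel openssl-devel libvorbis-devel libwebp-devel -y
sudo yum install epel-release -y
# NOTE(review): the Nux signing key and the release RPM are both fetched over
# plain HTTP, so the key gives no assurance if the transfer is tampered with.
# Verify the key fingerprint through a separate trusted channel before
# installing packages from this repository.
sudo rpm -v --import http://li.nux.ro/download/nux/RPM-GPG-KEY-nux.ro
sudo rpm -Uvh http://li.nux.ro/download/nux/dextop/el7/x86_64/nux-dextop-release-0-5.el7.nux.noarch.rpm
# "ffmpeg-devell" was a typo for ffmpeg-devel.
yum install ffmpeg ffmpeg-devel -y
ffmpeg -version
# Build guacamole-server 1.2.0 and install its init script into /etc/init.d.
cd /opt/guacamole/guacamole-server-1.2.0
./configure --with-init-dir=/etc/init.d
make && make install
yum install -y java-1.8.0-openjdk
# Directories for the Guacamole config, extensions, recordings and shared drive;
# the last two are handed to the daemon account.
mkdir -p /config/guacamole /config/guacamole/extensions /config/guacamole/record /config/guacamole/drive
chown daemon:daemon /config/guacamole/record /config/guacamole/drive
cd /config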
(py3) [root@jumpserver opt]# cd /opt/ && wget https://mirrors.tuna.tsinghua.edu.cn/apache/tomcat/tomcat-9/v9.0.62/bin/apache-tomcat-9.0.62.tar.gz
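# Unpack Tomcat 9 and deploy Guacamole as its only web application.
cd /opt
tar -xf apache-tomcat-9.0.62.tar.gz
mv apache-tomcat-9.0.62 tomcat9
# Remove the web applications bundled with Tomcat.
rm -rf /opt/tomcat9/webapps/*
# Move the Tomcat connector to 8081; 8080 is JumpServer's HTTP_LISTEN_PORT.
sed -i 's/Connector port="8080"/Connector port="8081"/g' /opt/tomcat9/conf/server.xml
echo "java.util.logging.ConsoleHandler.encoding = UTF-8" >> /opt/tomcat9/conf/logging.properties
ln -sf /opt/guacamole/guacamole-1.0.0.war /opt/tomcat9/webapps/ROOT.war
ln -sf /opt/guacamole/guacamole-auth-jumpserver-1.0.0.jar /config/guacamole/extensions/guacamole-auth-jumpserver-1.0.0.jar
ln -sf /opt/guacamole/root/app/guacamole/guacamole.properties /config/guacamole/guacamole.properties
# Environment for Guacamole, set for this shell and persisted in ~/.bashrc.
export JUMPSERVER_SERVER=http://127.0.0.1:8080
echo "export JUMPSERVER_SERVER=http://127.0.0.1:8080" >> ~/.bashrc
# The token below is the author's own value and is public on this page; use
# the BOOTSTRAP_TOKEN generated on your host (the one in config.yml) instead.
# The second line originally redirected the output of `export`, which prints
# nothing, so the token never reached ~/.bashrc; it now uses echo like the rest.
export BOOTSTRAP_TOKEN=FBEVLP0OKHmNqRMl
echo "export BOOTSTRAP_TOKEN=FBEVLP0OKHmNqRMl" >> ~/.bashrc
export JUMPSERVER_KEY_DIR=/config/guacamole/keys
echo "export JUMPSERVER_KEY_DIR=/config/guacamole/keys" >>~/.bashrc
export GUACAMOLE_HOME=/config/guacamole
echo "export GUACAMOLE_HOME=/config/guacamole" >> ~/.bashrc
export GUACAMOLE_LOG_LEVEL=ERROR
echo "export GUACAMOLE_LOG_LEVEL=ERROR" >> ~/.bashrc
export JUMPSERVER_ENABLE_DRIVE=true
echo "export JUMPSERVER_ENABLE_DRIVE=true" >> ~/.bashrc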
(py3) [root@jumpserver opt]# tail -8 ~/.bashrc
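# Start guacd and Tomcat. Both are started from the root shell used throughout
# this page; a dedicated unprivileged account is preferable outside a lab.
/etc/init.d/guacd start
sh /opt/tomcat9/bin/startup.sh
# Fetch and unpack the lina front end.
# NOTE(review): this is v2.21.0 while the core installed above is v2.1.0;
# confirm which version is intended.
cd /opt &&wget https://github.com/jumpserver/lina/releases/download/v2.21.0/lina-v2.21.0.tar.gz
tar -xf lina-v2.21.0.tar.gz
# Rename the unpacked directory. The original command moved the .tar.gz archive
# itself, which leaves /opt/lina as a file instead of the directory nginx serves.
# Assumes the archive unpacks to lina-v2.21.0, as the luna archive does below.
mv lina-v2.21.0 lina
#Install nginx
yum install nginx -y
systemctl start nginx
systemctl enable nginx
chown -R nginx:nginx lina # nginx must already be installed so that the nginx user exists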
下载地址:https://github.com/jumpserver/luna/releases
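# Fetch and unpack the luna front end into /opt/luna, owned by root.
cd /opt && wget https://github.com/jumpserver/luna/releases/download/v2.21.0/luna-v2.21.0.tar.gz
tar -zxf luna-v2.21.0.tar.gz
mv /opt/luna-v2.21.0 /opt/luna
chown -R root:root /opt/luna/
#Edit nginx.conf and remove the stock virtual host
# nginx.conf is a file, so change into its directory rather than into the file.
cd /etc/nginx
# Lines 38-58 are where the default server block sits in the author's copy;
# check them with `sed -n '38,58p' /etc/nginx/nginx.conf` first. The .bak
# suffix keeps the unmodified file as nginx.conf.bak.
sed -i.bak '38,58d' /etc/nginx/nginx.conf
vim /etc/nginx/conf.d/jumpserver.conf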
# Front-end virtual host for JumpServer: serves the lina and luna static
# bundles and proxies the koko, guacamole, websocket, API and core paths to the
# local back ends.
# NOTE(review): this server listens on plain HTTP (port 80) only, so logins and
# proxied terminal/desktop sessions travel unencrypted between browser and
# bastion; add a TLS listener for anything beyond a lab.
server {
listen 80;
client_max_body_size 100m; #size limit for recordings and file uploads
# lina web UI, served from /opt/lina/
location /ui/ {
try_files $uri / /index.html;
alias /opt/lina/;
}
# luna web terminal, served from /opt/luna/
location /luna/ {
try_files $uri / /index.html;
alias /opt/luna/; #luna path; change this if the install directory differs
}
location /media/ {
add_header Content-Encoding gzip;
root /opt/jumpserver-v2.1.0/data/; #recording location; change this if the install directory differs
}
location /static/ {
root /opt/jumpserver-v2.1.0/data/; #static assets; change this if the install directory differs
}
# koko, proxied to localhost:5000 with the WebSocket upgrade headers.
# NOTE(review): access logging is switched off for this location and for
# /guacamole/; consider keeping it on, since these paths carry the remote sessions.
location /koko/ {
proxy_pass http://localhost:5000;
proxy_buffering off;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For
$proxy_add_x_forwarded_for;
access_log off;
}
# Guacamole on Tomcat, proxied to localhost:8081 (the connector port set with sed above).
location /guacamole/ {
proxy_pass http://localhost:8081/;
proxy_buffering off;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $http_connection;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For
$proxy_add_x_forwarded_for;
access_log off;
}
# JumpServer websocket endpoint, proxied to localhost:8070 (WS_LISTEN_PORT).
location /ws/ {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For
$proxy_add_x_forwarded_for;
proxy_pass http://localhost:8070;
proxy_http_version 1.1;
proxy_buffering off;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
# JumpServer core API and pages, proxied to localhost:8080 (HTTP_LISTEN_PORT).
location /api/ {
proxy_pass http://localhost:8080;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For
$proxy_add_x_forwarded_for;
}
location /core/ {
proxy_pass http://localhost:8080;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For
$proxy_add_x_forwarded_for;
}
# Everything else is rewritten to the lina UI under /ui/.
location / {
rewrite ^/(.*)$ /ui/$1 last;
}
}
# Validate the configuration, then reload nginx.
nginx -t
nginx -s reload
##If nginx -t reports an error, check the format of jumpserver.conf, for example a missing brace
192.168.230.206:80 #我的主机地址
***记录下这个错误解决方法,部署过程有重启过主机或者nginx服务的,记得要重新进入python3虚拟环境环境重新启动下jms
[root@jumpserver jumpserver-v2.1.0]# source /opt/py3/bin/activate
(py3) [root@jumpserver jumpserver-v2.1.0]# ./jms start -d
至此koko组件其实没法正常运行,导致无法使用权限管理的文件管理以及web端远程连接功能,需要做以下操作解决~ 懒得写了,截图哈哈哈
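#Delete the existing keys before running these commands to regenerate them
# The guards below reuse any value that is already set, so regeneration only
# happens once the old SECRET_KEY/BOOTSTRAP_TOKEN entries are removed from
# ~/.bashrc and unset in the current shell.
# Both values are secrets: ~/.bashrc keeps them in clear text and the echo
# puts them on the terminal, so protect the file and the session log.
if [ -z "$SECRET_KEY" ]; then
  SECRET_KEY=$(LC_ALL=C tr -dc A-Za-z0-9 < /dev/urandom | head -c 50)
  echo "SECRET_KEY=$SECRET_KEY" >> ~/.bashrc
fi
echo "$SECRET_KEY"
if [ -z "$BOOTSTRAP_TOKEN" ]; then
  BOOTSTRAP_TOKEN=$(LC_ALL=C tr -dc A-Za-z0-9 < /dev/urandom | head -c 16)
  echo "BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN" >> ~/.bashrc
fi
echo "$BOOTSTRAP_TOKEN"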
systemctl start mysql #start
systemctl enable mysql #enable at boot
#确保都是在python虚拟环境下进行
[root@jumpserver jumpserver-v2.1.0]# source /opt/py3/bin/activate
(py3) [root@jumpserver jumpserver-v2.1.0]# /opt/jumpserver-v2.1.0/jms start -d
#Start
systemctl start redis
#Enable at boot
systemctl enable redis
source /opt/py3/bin/activate #enter the python3 virtual environment first
(py3) [root@jumpserver jumpserver-v2.1.0]# /opt/koko/koko -d #没报错
# Start guacd and Tomcat, then bring up nginx and check it.
/etc/init.d/guacd start
sh /opt/tomcat9/bin/startup.sh
systemctl start nginx #start
systemctl status nginx #show status
systemctl restart nginx #restart
nginx -t #check that the config file is valid
nginx -s reload #reload