Test environment CentOS 7.7:
[root@magic ~]# cat /etc/redhat-release
CentOS Linux release 7.7.1908 (Core)
OS: CentOS 7.4
IP address: 192.168.0.80
Install directory: /opt
Database: mariadb
Proxy: nginx
# Disable SELinux
[root@imzcy ~]# setenforce 0
[root@imzcy ~]# sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config
# Stop the firewall (the tutorial disables it outright; on a production host open only the nginx port instead)
[root@imzcy ~]# systemctl stop firewalld
[root@imzcy ~]# systemctl disable firewalld
# Change the locale (the logs print Chinese, so if the system locale is not UTF-8 you will hit an input/output error)
[root@imzcy ~]# localedef -c -f UTF-8 -i zh_CN zh_CN.UTF-8
[root@imzcy ~]# export LC_ALL=zh_CN.UTF-8
[root@imzcy ~]# echo 'LANG="zh_CN.UTF-8"' > /etc/locale.conf
# Add the Aliyun yum repository
[root@imzcy ~]# yum-config-manager --add-repo http://mirrors.aliyun.com/repo/Centos-7.repo
2.1 Install dependency packages
[root@imzcy ~]# yum -y install wget sqlite-devel xz gcc automake zlib-devel openssl-devel epel-release git
2.2 Compile and install
[root@imzcy ~]# wget https://www.python.org/ftp/python/3.6.1/Python-3.6.1.tar.xz
[root@imzcy ~]# tar xf Python-3.6.1.tar.xz
[root@imzcy ~]# cd Python-3.6.1
[root@imzcy Python-3.6.1]# ./configure
[root@imzcy Python-3.6.1]# make
[root@imzcy Python-3.6.1]# make install
2.3 Create a Python virtual environment
CentOS 6/7 ships with Python 2, and tools such as yum depend on that interpreter; to avoid disturbing the system environment we use a Python virtual environment.
[root@imzcy ~]# cd /opt/
[root@imzcy opt]# python3 -m venv py3
[root@imzcy opt]# source /opt/py3/bin/activate
(py3) [root@imzcy opt]#
(py3) [root@imzcy opt]#
# The (py3) prompt above means the environment is active. From now on, run the source command above before running Jumpserver; all of the following commands run inside this virtual environment.
Use the deactivate command to leave the Python virtual environment
(py3) [root@imzcy opt]# deactivate
[root@imzcy opt]#
3.1 Download or clone the project
[root@imzcy ~]# cd /opt/
[root@imzcy opt]# git clone https://github.com/jumpserver/jumpserver.git
[root@imzcy opt]# cd jumpserver/
[root@imzcy jumpserver]# git checkout master
3.2 Install dependency RPM packages
[root@imzcy ~]# cd /opt/jumpserver/requirements/
[root@imzcy requirements]# yum -y install $(cat rpm_requirements.txt)
3.3 Install Python library dependencies
[root@imzcy requirements]# source /opt/py3/bin/activate
(py3) [root@imzcy requirements]# pip install -r requirements.txt
# When the installation ends with the following line, every package installed successfully
Successfully installed Django-2.1 ForgeryPy-0.1 Jinja2-2.10 MarkupSafe-1.0 Pillow-4.3.0 PyNaCl-1.2.1 PyYAML-3.12 Werkzeug-0.14.1 amqp-2.1.4 ansible-2.4.2.0 asn1crypto-0.24.0 bcrypt-3.1.4 billiard-3.5.0.3 boto3-1.6.5 botocore-1.9.5 celery-4.1.0 certifi-2018.1.18 cffi-1.11.2 chardet-3.0.4 configparser-3.5.0 coreapi-2.3.3 coreschema-0.0.4 crcmod-1.7 cryptography-2.3.1 decorator-4.1.2 django-auth-ldap-1.3.0 django-bootstrap3-9.1.0 django-celery-beat-1.1.1 django-filter-2.0.0 django-formtools-2.1 django-ranged-response-0.2.0 django-redis-cache-1.7.1 django-rest-swagger-2.1.2 django-simple-captcha-0.5.6 djangorestframework-3.8.2 djangorestframework-bulk-0.2.1 dnspython-1.15.0 docutils-0.14 drf-nested-routers-0.90.2 drf-yasg-1.9.1 ecdsa-0.13 elasticsearch-6.1.1 enum-compat-0.0.2 ephem-3.7.6.0 eventlet-0.24.1 future-0.16.0 greenlet-0.4.14 gunicorn-19.9.0 idna-2.6 inflection-0.3.1 itsdangerous-0.24 itypes-1.1.0 jmespath-0.9.3 jms-storage-0.0.18 kombu-4.0.2 ldap3-2.4 monotonic-1.5 mysqlclient-1.3.12 olefile-0.44 openapi-codec-1.3.2 oss2-2.4.0 paramiko-2.4.1 passlib-1.7.1 pyasn1-0.4.2 pycparser-2.18 pycrypto-2.6.1 pyldap-2.4.45 pyotp-2.2.6 python-dateutil-2.6.1 python-gssapi-0.6.4 pytz-2018.3 redis-2.10.6 requests-2.18.4 ruamel.yaml-0.15.72 s3transfer-0.1.13 simplejson-3.13.2 six-1.11.0 sshpubkeys-2.2.0 uritemplate-3.0.0 urllib3-1.22 vine-1.1.4
You are using pip version 9.0.1, however version 18.1 is available.
You should consider upgrading via the 'pip install --upgrade pip' command.
(py3) [root@imzcy requirements]#
(py3) [root@imzcy requirements]# deactivate
[root@imzcy requirements]#
3.4 Install Redis (Jumpserver uses Redis as its cache and celery broker)
[root@imzcy ~]# yum -y install redis
[root@imzcy ~]# systemctl enable redis
[root@imzcy ~]# systemctl start redis
3.5 Install MySQL
[root@imzcy ~]# yum -y install mariadb mariadb-devel mariadb-server
[root@imzcy ~]# systemctl enable mariadb
[root@imzcy ~]# systemctl start mariadb
3.6 Create the jumpserver database and grant privileges
[root@imzcy ~]# mysql
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 2
Server version: 5.5.60-MariaDB MariaDB Server
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> create database jumpserver default charset 'utf8';
Query OK, 1 row affected (0.00 sec)
MariaDB [(none)]> grant all on jumpserver.* to 'jumpserver'@'127.0.0.1' identified by 'weakPassword';
Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]> flush privileges;
Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]> exit
Bye
[root@imzcy ~]#
3.7 Modify the Jumpserver config file
[root@imzcy ~]# cd /opt/jumpserver/
[root@imzcy jumpserver]# cp config_example.py config.py
[root@imzcy jumpserver]# vi config.py
The config file contents are shown below and can be copied as-is (mind the terminal encoding of the client you use to connect to the Linux server).
"""
jumpserver.config
~~~~~~~~~~~~~~~~~
Jumpserver project setting file
:copyright: (c) 2014-2017 by Jumpserver Team
:license: GPL v2, see LICENSE for more details.
"""
import os

BASE_DIR = os.path.dirname(os.path.abspath(__file__))


class Config:
    # 1. BEGIN SECRET_KEY Setup
    SECRET_KEY = 'www.imzcy.cn2vym+ky!997d5kkcc64mnz06y1mmui3lut#(^wd=%s_qj$1%x'
    # END SECRET_KEY Setup

    # 2. BEGIN Django Secure Setup
    ALLOWED_HOSTS = ['*']
    # END Django Secure Setup

    # 3. BEGIN Debug Setup
    DEBUG = os.environ.get("DEBUG") or True
    # END Debug Setup

    # 4. BEGIN Log Setup
    LOG_LEVEL = os.environ.get("LOG_LEVEL") or 'WARNING'
    LOG_DIR = os.path.join(BASE_DIR, 'logs')
    # END Log Setup

    # 5. BEGIN Database Setup
    DB_ENGINE = os.environ.get("DB_ENGINE") or 'mysql'
    DB_HOST = os.environ.get("DB_HOST") or '127.0.0.1'
    DB_PORT = os.environ.get("DB_PORT") or 3306
    DB_USER = os.environ.get("DB_USER") or 'jumpserver'
    DB_PASSWORD = os.environ.get("DB_PASSWORD") or 'weakPassword'
    DB_NAME = os.environ.get("DB_NAME") or 'jumpserver'
    # END Database Setup

    # 6. BEGIN HTTP Setup
    HTTP_BIND_HOST = '0.0.0.0'
    HTTP_LISTEN_PORT = 8080
    # END HTTP Setup

    # 7. BEGIN Redis Setup
    REDIS_HOST = os.environ.get("REDIS_HOST") or '127.0.0.1'
    REDIS_PORT = os.environ.get("REDIS_PORT") or 6379
    REDIS_PASSWORD = os.environ.get("REDIS_PASSWORD") or ''
    REDIS_DB_CELERY = os.environ.get('REDIS_DB') or 3
    REDIS_DB_CACHE = os.environ.get('REDIS_DB') or 4
    # END Redis Setup

    def __init__(self):
        pass

    def __getattr__(self, item):
        return None


class DevelopmentConfig(Config):
    pass


class TestConfig(Config):
    pass


class ProductionConfig(Config):
    pass


# Default using Config settings, you can write if/else for different env
config = DevelopmentConfig()
1. BEGIN SECRET_KEY Setup
Jumpserver uses SECRET_KEY to encrypt and decrypt data. Set it to an arbitrary random string (50 or more characters recommended).
2. BEGIN Django Secure Setup
ALLOWED_HOSTS restricts which hosts may access the service. When DEBUG=False this value must be set, otherwise startup fails. It is a list of IP addresses or domain names, and wildcards are supported, e.g. ['example.com', '192.168.1.2', '*.example.com']; to allow everyone, set it to ['*'].
3. BEGIN Debug Setup
DEBUG mode: True enables it, False disables it; it is enabled by default. When an error occurs the full traceback is shown. Disable it in production.
Note: with DEBUG = False the page on port 8080 will not render correctly; an nginx proxy is required for normal access. (So we set it to True for now; once nginx is configured, come back, change it to False and restart jumpserver.)
4. BEGIN Log Setup
Log level, DEBUG by default; can be changed to INFO, WARNING, ERROR or CRITICAL.
For more on Django logging see:
https://docs.djangoproject.com/en/1.10/topics/logging/
5. BEGIN Database Setup
Database configuration; sqlite3, mysql, postgres and others are supported, sqlite3 by default. This example uses mysql, and the sqlite3 entries have been removed.
For more on Django database settings see:
https://docs.djangoproject.com/en/1.10/ref/settings/#databases
6. BEGIN HTTP Setup
The IP and port Django listens on. In production change 0.0.0.0 to 127.0.0.1: 0.0.0.0 means any x.x.x.x may connect, while 127.0.0.1 allows only connections from the host itself.
7. BEGIN Redis Setup
Redis-related settings.
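As an added example (not part of the original post or the Jumpserver project), this Python script mirrors the settings above and flags the ones that are acceptable for a first boot but not for production behind nginx; it also shows why the `os.environ.get("DEBUG") or True` idiom in the file cannot be switched off from the environment. The SECRET_KEY and password values in it are constructed placeholders, not the page's.

```python
import secrets
import string
from types import SimpleNamespace

# Tutorial defaults from config.py above; SECRET_KEY is a constructed placeholder.
TUTORIAL_DEFAULTS = dict(
    SECRET_KEY="change-me",
    DEBUG=True,
    ALLOWED_HOSTS=["*"],
    HTTP_BIND_HOST="0.0.0.0",
    DB_PASSWORD="weakPassword",
    REDIS_DB_CELERY=3,
    REDIS_DB_CACHE=4,
)


def make_config(**overrides):
    """Build a Config-like object: tutorial defaults with selected fields overridden."""
    return SimpleNamespace(**{**TUTORIAL_DEFAULTS, **overrides})


def naive_debug(environ):
    """Mirror of the page's `os.environ.get("DEBUG") or True`: DEBUG=False yields the truthy string "False"."""
    return environ.get("DEBUG") or True


def env_bool(environ, name, default):
    """Parse an on/off environment variable into a real bool, so DEBUG=False actually disables debug."""
    raw = environ.get(name)
    if raw is None:
        return default
    return raw.strip().lower() in ("1", "true", "yes", "on")


def generate_secret_key(length=64):
    """Random SECRET_KEY from the OS CSPRNG, above the 50-character minimum the page recommends."""
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*(-_=+)"
    return "".join(secrets.choice(alphabet) for _ in range(length))


def audit_config(cfg):
    """Return findings for settings that are fine for the first boot but not once nginx fronts the service."""
    findings = []
    if len(cfg.SECRET_KEY) < 50:
        findings.append("SECRET_KEY shorter than 50 characters")
    if cfg.DEBUG:
        findings.append("DEBUG enabled: error pages expose settings and stack traces")
    if "*" in cfg.ALLOWED_HOSTS:
        findings.append("ALLOWED_HOSTS accepts any Host header; list the nginx server_name instead")
    if cfg.HTTP_BIND_HOST != "127.0.0.1":
        findings.append("HTTP_BIND_HOST exposes port 8080 beyond the local nginx proxy")
    if cfg.DB_PASSWORD == "weakPassword":
        findings.append("DB_PASSWORD is still the tutorial placeholder")
    if cfg.REDIS_DB_CELERY == cfg.REDIS_DB_CACHE:
        findings.append("celery broker and cache share one Redis database")
    return findings


if __name__ == "__main__":
    for line in audit_config(make_config()):
        print("-", line)
```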
3.8 Generate the database schema and initialize data
[root@imzcy ~]# source /opt/py3/bin/activate
(py3) [root@imzcy ~]# cd /opt/jumpserver/utils
(py3) [root@imzcy utils]# bash make_migrations.sh
3.9 Start Jumpserver
(py3) [root@imzcy utils]# cd /opt/jumpserver/
(py3) [root@imzcy jumpserver]# ./jms start all
If startup reports no errors and ss -tnl shows port 8080 listening, open http://192.168.0.80:8080/ in a browser. Default account: admin, password: admin. If the page renders incorrectly, ignore it for now and continue: once the nginx proxy is set up it will display properly. The cause is that Django cannot load static assets when not in debug mode.
4.1 Download or clone the project
[root@imzcy ~]# cd /opt/
[root@imzcy opt]# git clone https://github.com/jumpserver/coco.git
[root@imzcy opt]# cd coco
[root@imzcy coco]# git checkout master
4.2 Install dependencies
[root@imzcy coco]# cd requirements/
[root@imzcy requirements]# source /opt/py3/bin/activate
(py3) [root@imzcy requirements]# yum -y install $(cat rpm_requirements.txt)
(py3) [root@imzcy requirements]# pip install -r requirements.txt
(py3) [root@imzcy requirements]# cd ..
(py3) [root@imzcy coco]#
4.3 Modify the config file and run
If coco and jumpserver are deployed on separate hosts, edit conf.py by hand. Here we make no changes and start cocod with the simplest default config.
(py3) [root@imzcy coco]# mkdir keys
(py3) [root@imzcy coco]# vi conf.py
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
#
import os

BASE_DIR = os.path.dirname(__file__)


class Config:
    """
    Coco config file, coco also load config from server update setting below
    """
    NAME = "coco"
    CORE_HOST = 'http://127.0.0.1:8080'
    COMMAND_STORAGE = {
        "TYPE": "server"
    }
    REPLAY_STORAGE = {
        "TYPE": "server"
    }
    LANGUAGE_CODE = 'zh'


config = Config()
(py3) [root@imzcy coco]#
(py3) [root@imzcy coco]# ./cocod start
Once it has started, go to Jumpserver Session Management - Terminal Management (http://192.168.244.144:8080/terminal/terminal/) and accept coco's registration.
> Luna is now a pure front-end and needs Nginx to serve it.
> Go to https://github.com/jumpserver/luna/releases, download the release package for the matching version and extract it; no build step is needed.
5.1 Download and extract Luna
[root@imzcy ~]# cd /opt/
[root@imzcy opt]# wget https://github.com/jumpserver/luna/releases/download/1.4.2/luna.tar.gz
[root@imzcy opt]# tar xf luna.tar.gz
[root@imzcy opt]# chown -R root:root luna
Because installing the guacamole component by hand is fairly complex, a pre-packaged docker image is provided here; start guacamole with it.
6.1 Install Docker (CentOS 7 only; installing Docker on CentOS 6 is considerably more involved)
[root@imzcy ~]# yum remove docker-latest-logrotate docker-logrotate docker-selinux docker docker-engine
[root@imzcy ~]# yum install -y yum-utils device-mapper-persistent-data lvm2
Add the official Docker repository
[root@imzcy ~]# yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
[root@imzcy ~]# yum makecache fast
[root@imzcy ~]# yum -y install docker-ce
[root@imzcy ~]# systemctl enable docker
[root@imzcy ~]# systemctl start docker
6.2 Start Guacamole
> Note that the port guacamole exposes is 8081; if it conflicts with another port on the host, change it.
> Note: you must replace http://<jumpserver URL> here, e.g. http://192.168.244.144, otherwise it will fail (the image download is slow, so wait a while).
> 127.0.0.1 cannot be used; the image registry.jumpserver.org/public/guacamole:latest can be used instead.
[root@imzcy ~]# docker run --name jms_guacamole -d \
-p 8081:8080 -v /opt/guacamole/key:/config/guacamole/key \
-e JUMPSERVER_KEY_DIR=/config/guacamole/key \
-e JUMPSERVER_SERVER=http://192.168.0.80 \
jumpserver/guacamole:latest
[root@imzcy ~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
1e3fdc93e81b jumpserver/guacamole:latest "/init" 29 seconds ago Up 26 seconds 0.0.0.0:8081->8080/tcp jms_guacamole
[root@imzcy ~]#
Once it has started, go to Jumpserver Session Management - Terminal Management (http://192.168.244.144:8080/terminal/terminal/) and accept the registration whose name starts with [Gua].
7.1 Install Nginx (choose the installation method and version you prefer)
[root@imzcy ~]# yum -y install nginx
7.2 Prepare the configuration files
[root@imzcy ~]# cd /etc/nginx/
[root@imzcy nginx]# mv nginx.conf nginx.conf.bak
[root@imzcy nginx]# vi nginx.conf
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

# Load dynamic modules. See /usr/share/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;

events {
    worker_connections 1024;
}

http {
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

    access_log /var/log/nginx/access.log main;

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    include /etc/nginx/conf.d/*.conf;
}
[root@imzcy nginx]#
Add a virtual host config file jumpserver.conf
[root@imzcy nginx]# cd conf.d/
[root@imzcy conf.d]# vim jumpserver.conf
server {
    listen 80;    # proxy port; from now on access goes through this port, not 8080
    server_name demo.jumpserver.org;    # change to your domain
    client_max_body_size 100m;    # size limit for recordings and file uploads

    location /luna/ {
        try_files $uri / /index.html;
        alias /opt/luna/;    # luna path; change this if the install directory changes
    }

    location /media/ {
        add_header Content-Encoding gzip;
        root /opt/jumpserver/data/;    # recording location; change this if the install directory changes
    }

    location /static/ {
        root /opt/jumpserver/data/;    # static assets; change this if the install directory changes
    }

    location /socket.io/ {
        proxy_pass http://localhost:5000/socket.io/;    # if coco runs on another server, use its IP
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    location /coco/ {
        proxy_pass http://localhost:5000/coco/;    # if coco runs on another server, use its IP
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    location /guacamole/ {
        proxy_pass http://localhost:8081/;    # if guacamole runs on another server, use its IP
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    location / {
        proxy_pass http://localhost:8080;    # if jumpserver runs on another server, use its IP
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
Check that the nginx configuration is valid
[root@imzcy conf.d]# cd
[root@imzcy ~]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[root@imzcy ~]#
7.3 Run Nginx
[root@imzcy ~]# systemctl enable nginx
[root@imzcy ~]# systemctl start nginx
7.4 Start using Jumpserver
Check that the applications are running normally.
7.4.1 Make sure jumpserver is running; if it is not, restart jumpserver
[root@imzcy ~]# source /opt/py3/bin/activate
(py3) [root@imzcy ~]# cd /opt/jumpserver/
(py3) [root@imzcy jumpserver]# ./jms status
gunicorn is running: 44393
celery is running: 44394
beat is running: 44395
(py3) [root@imzcy jumpserver]#
7.4.2 Make sure coco is running; if it is not, restart coco
(py3) [root@imzcy ~]# cd /opt/coco/
(py3) [root@imzcy coco]# ./cocod status
Failed register terminal imzcy exist already
(py3) [root@imzcy coco]#
7.4.3 Check that the container is running; if it is not, restart Guacamole
[root@imzcy ~]# docker ps
Once all services are up, visit http://192.168.0.88, i.e. the port nginx proxies; do not go through port 8080 any more.
Default account: admin, password: admin
If you did not accept the application registrations during deployment, go to Jumpserver Session Management - Terminal Management and accept the registrations of Coco, Guacamole and the other applications.