Learning Jumpserver installation and deployment (1): CentOS 7 environment

Jumpserver deployment (CentOS 7 environment)

1. Jumpserver overview

Jumpserver is the world's first fully open-source bastion host. It is released under the GNU GPL v2.0 licence and is a professional operations audit system that meets the 4A requirements.
Jumpserver is developed in Python / Django, follows Web 2.0 conventions, and ships with an industry-leading Web Terminal solution with an attractive interface and a good user experience.
Jumpserver uses a distributed architecture: it supports multi-datacenter, cross-region deployment, the central node provides the API, each datacenter runs its own login nodes, and it scales horizontally with no limit on concurrent access.

Components:
Jumpserver
Now refers to the Jumpserver management backend, the core component (Core). It is written in the Django Class Based View style and exposes a RESTful API.

Coco
The component that implements the SSH server and the Web Terminal server, providing SSH and WebSocket interfaces; developed with Paramiko and Flask.

Luna
Now the Web Terminal front end. The plan is for all front-end pages to come from this project, with Jumpserver only providing the API and no longer rendering pages on the backend.

2. Environment preparation

Environment:

Role                 IP
jumpserver           192.168.2.5
web server (asset)   192.168.2.6

Steps:

① Disable the firewall and SELinux
[root@localhost ~]# sed -i '/SELINUX/s/enforcing/disabled/g' /etc/sysconfig/selinux
[root@localhost ~]# systemctl disable firewalld && reboot

② Change the character set, otherwise you may hit an "input/output error" because the logs print Chinese
[root@localhost ~]# localedef -c -f UTF-8 -i zh_CN zh_CN.UTF-8
[root@localhost ~]# export LC_ALL=zh_CN.UTF-8
[root@localhost ~]# echo 'LANG="zh_CN.UTF-8"' > /etc/locale.conf

③ Prepare Python 3 and a Python virtual environment
[root@localhost ~]# yum -y install wget sqlite-devel xz gcc automake zlib-devel openssl-devel epel-release git
[root@localhost ~]# wget https://www.python.org/ftp/python/3.6.1/Python-3.6.1.tar.xz
[root@localhost ~]# mv Python-3.6.1.tar.xz /usr/src && cd /usr/src/ && tar xvf Python-3.6.1.tar.xz && cd Python-3.6.1
[root@localhost Python-3.6.1]# ./configure && make && make install

④ Create the virtual environment
[root@localhost Python-3.6.1]# cd /opt/
[root@localhost opt]# python3 -m venv py3
[root@localhost opt]# . /opt/py3/bin/activate
(py3) [root@localhost opt]#
Seeing the prompt below means it succeeded. From now on, run the source command above before running Jumpserver; all of the following commands are run inside this virtual environment
(py3) [root@localhost py3]#

⑤ Load the virtual environment automatically
(py3) [root@localhost opt]# git clone git://github.com/kennethreitz/autoenv.git ~/.autoenv
(py3) [root@localhost opt]# echo 'source ~/.autoenv/activate.sh' >> ~/.bashrc
(py3) [root@localhost opt]# source ~/.bashrc

3. Install Jumpserver

Steps:

① Download (clone) the project
(py3) [root@localhost ~]# cd /opt/
(py3) [root@localhost opt]# git clone --depth=1 https://github.com/jumpserver/jumpserver.git && cd jumpserver && git checkout master
(py3) [root@localhost jumpserver]# echo "source /opt/py3/bin/activate" > /opt/jumpserver/.env

② Install dependencies
(py3) [root@localhost jumpserver]# cd requirements/
The first time you enter the jumpserver directory a prompt may appear; just answer y
(py3) [root@localhost requirements]# yum -y install $(cat rpm_requirements.txt)
(py3) [root@localhost requirements]# pip install -r requirements.txt

③ Install Redis. Jumpserver uses Redis as the cache and as the Celery broker (Celery is a Python distributed scheduling module)
(py3) [root@localhost ~]# yum -y install redis
(py3) [root@localhost ~]# systemctl start redis

④ Install MySQL (MariaDB)
(py3) [root@localhost ~]# yum -y install mariadb*
(py3) [root@localhost ~]# systemctl start mariadb
(py3) [root@localhost ~]# systemctl enable mariadb

⑤ Grant database privileges for jumpserver
(py3) [root@localhost ~]# mysql
MariaDB [(none)]> create database jumpserver default charset 'utf8';
MariaDB [(none)]> grant all on jumpserver.* to jumpserver@'127.0.0.1' identified by '123.com';
MariaDB [(none)]> flush privileges;

⑥ Edit the jumpserver config file
(py3) [root@localhost ~]# cd /opt/jumpserver/
(py3) [root@localhost jumpserver]# cp config_example.py config.py
(py3) [root@localhost jumpserver]# vi config.py

......    # remove the pass line under these settings and add the following
class DevelopmentConfig(Config):
    DEBUG = True
    DB_ENGINE = 'mysql'
    DB_HOST = '127.0.0.1'
    DB_PORT = 3306
    DB_USER = 'jumpserver'
    DB_PASSWORD = '123.com'
    DB_NAME = 'jumpserver'
......

⑦ Generate the database tables and the initial data
(py3) [root@localhost jumpserver]# cd /opt/jumpserver/utils/
(py3) [root@localhost utils]# bash make_migrations.sh

⑧ Run jumpserver
(py3) [root@localhost utils]# cd /opt/jumpserver/
(py3) [root@localhost jumpserver]# ./jms start all

./jms start|stop|status|restart all

To run it in the background, add the -d option
If it reports an error, stop it and run it again

If there is no error, visit http://192.168.2.5:8080 in a browser. The default account is admin, password admin

4. Install the SSH server and WebSocket server: Coco

Steps:

① Download (clone) the project (open a new terminal, and don't forget to load the virtual environment)
[root@localhost ~]# cd /opt/
[root@localhost opt]# . py3/bin/activate
(py3) [root@localhost opt]# git clone https://github.com/jumpserver/coco.git && cd coco && git checkout master

(py3) [root@localhost coco]# echo "source /opt/py3/bin/activate" > /opt/coco/.env

② Install dependencies
(py3) [root@localhost coco]# cd /opt/coco/requirements/
Answer y when prompted on first entry
(py3) [root@localhost requirements]# yum -y install $(cat rpm_requirements.txt)
(py3) [root@localhost requirements]# pip install -r requirements.txt -i https://pypi.org/simple

③ Check the config file and run coco
(py3) [root@localhost requirements]# cd /opt/coco/
(py3) [root@localhost coco]# cp conf_example.py conf.py
(py3) [root@localhost coco]# ./cocod start

./cocod start|stop|status|restart

Start coco process
2018-05-28 16:14:25 [service DEBUG] Initial app service
2018-05-28 16:14:25 [service DEBUG] Load access key
2018-05-28 16:14:25 [service INFO] No access key found, register it
2018-05-28 16:14:25 [service INFO] "Terminal was not accepted yet"
2018-05-28 16:14:28 [service INFO] "Terminal was not accepted yet"

The message says the terminal has not been accepted yet; go to http://192.168.2.5:8080/terminal/terminal to accept it

5. Install the Web Terminal front end: Luna

(Open a new terminal.) Luna is now a pure front end and needs an Nginx proxy to be accessed
[root@localhost ~]# cd /opt/
[root@localhost opt]# wget https://github.com/jumpserver/luna/releases/download/1.3.0/dist.tar.gz
[root@localhost opt]# tar zxf dist.tar.gz
[root@localhost opt]# mv dist luna
[root@localhost opt]# ls /opt/luna/

.....

6. Configure Nginx to integrate the components

Steps:

① Download the source and install
[root@localhost opt]# useradd -s /sbin/nologin www
[root@localhost opt]# wget http://nginx.org/download/nginx-1.14.0.tar.gz
[root@localhost opt]# tar zxf nginx-1.14.0.tar.gz && cd nginx-1.14.0
[root@localhost nginx-1.14.0]# ./configure --prefix=/usr/local/nginx --user=www --group=www --with-http_stub_status_module --with-http_realip_module --with-http_ssl_module --with-http_gzip_static_module --with-pcre --with-http_flv_module
[root@localhost nginx-1.14.0]# make && make install
[root@localhost nginx-1.14.0]# ln -s /usr/local/nginx/sbin/nginx /usr/local/sbin/
[root@localhost nginx-1.14.0]# cd /usr/local/nginx/conf/ && vim nginx.conf

② Edit the config file

http {
.....     # the rest of the http context is omitted; change the server block to this
server {
    listen 80;

    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    location /luna/ {
        try_files $uri / /index.html;
        alias /opt/luna/;
    }

    location /media/ {
        add_header Content-Encoding gzip;
        root /opt/jumpserver/data/;
    }

    location /static/ {
        root /opt/jumpserver/data/;
    }

    location /socket.io/ {
        proxy_pass       http://localhost:5000/socket.io/;  # if coco is installed on another server, use its IP here
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
    location / {
        proxy_pass http://localhost:8080;  # if jumpserver is installed on another server, use its IP here
    }
}
}

[root@localhost conf]# nginx -t    # start once the check passes
[root@localhost conf]# nginx

③ Make sure the services are running, then start using jumpserver
[root@localhost conf]# cd /opt/jumpserver/
(py3) [root@localhost jumpserver]# ./jms status

gunicorn is running: 33734
celery is running: 33627
beat is running: 33629

(py3) [root@localhost jumpserver]# cd ../coco/
(py3) [root@localhost coco]# ./cocod status

Coco is running: 57935

Visit http://192.168.2.5
Default account admin, password admin
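Step ③ checks each component by eye. The script below is an added example (not part of the post or of Jumpserver) that does the same check in one go: it verifies that every component named in the ./jms status and ./cocod status output is running, extracts every backend the nginx server block proxies to, and confirms each one is accepting TCP connections, so a wrong proxy_pass host or port shows up here instead of as a blank page. The function names, the 3-second timeout and the constructed config fragment are assumptions for the example.

```shell
#!/usr/bin/env bash
# Added example (not from the post or Jumpserver): post-deployment check for
# the jms/coco status output and the backends nginx proxies to.

# Return 0 if the status text on stdin contains an "X is running: <pid>" line
# for every component named in the arguments, 1 otherwise (missing ones are
# listed on stderr). The names match the post's output: gunicorn, celery and
# beat for ./jms status, Coco for ./cocod status.
all_running() {
    local status missing="" name
    status="$(cat)"
    for name in "$@"; do
        printf '%s\n' "$status" | grep -Eq "^${name} is running: [0-9]+$" || missing="$missing $name"
    done
    [ -z "$missing" ] && return 0
    echo "not running:$missing" >&2
    return 1
}

# Print "host port" for every proxy_pass http://host:port[/path] directive in
# an nginx config, ignoring comments. The port defaults to 80 when omitted.
proxy_backends() {
    sed 's/#.*//' "$1" | awk '
        $1 == "proxy_pass" {
            url = $2; sub(/;$/, "", url); sub(/^https?:\/\//, "", url)
            split(url, parts, "/"); hp = parts[1]
            n = split(hp, hpa, ":")
            print hpa[1], (n > 1 ? hpa[2] : 80)
        }'
}

# Return 0 if something accepts TCP connections on host:port within 3 seconds.
# Uses bash's /dev/tcp so it needs no extra tools on a fresh CentOS 7 host.
port_open() {
    timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# Probe every backend found in the config; return 1 if any is unreachable.
check_backends() {
    local rc=0 host port tmp
    tmp="$(mktemp)"
    proxy_backends "$1" > "$tmp"
    while read -r host port; do
        if port_open "$host" "$port"; then
            echo "ok   $host:$port"
        else
            echo "DOWN $host:$port"; rc=1
        fi
    done < "$tmp"
    rm -f "$tmp"
    return "$rc"
}

# Stand-alone demonstration against a constructed fragment of the server
# block from the post. On the real host the checks are run as:
#   (cd /opt/jumpserver && ./jms status) | all_running gunicorn celery beat
#   (cd /opt/coco && ./cocod status)      | all_running Coco
#   check_backends /usr/local/nginx/conf/nginx.conf
demo_conf="$(mktemp)"
cat > "$demo_conf" <<'EOF'
location /socket.io/ {
    proxy_pass       http://localhost:5000/socket.io/;  # coco
}
location / {
    proxy_pass http://localhost:8080;  # jumpserver
}
EOF
echo "backends found in the constructed config:"
proxy_backends "$demo_conf"
```

Because check_backends connects from the Nginx host itself, a backend that answers here but not through the proxy points at the Nginx configuration rather than at jms or coco.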

7. Test the connection

From the server asset machine, or from a macOS or Linux client, the login syntax is as follows
$ ssh -p2222 admin@192.168.2.5
$ sftp -P2222 admin@192.168.2.5
Password: admin

If the client is Windows, the Xshell Terminal login syntax is as follows
$ ssh admin@192.168.2.5 2222
$ sftp admin@192.168.2.5 2222
Password: admin
If you can log in, the deployment succeeded

By default, sftp uploads land in the /tmp directory on the asset

Special thanks to the Jumpserver open-source project; this article is adapted from the official documentation
http://docs.jumpserver.org/zh...

Detailed usage will be covered in the next article
