Environment

  Virtual machine  OS: CentOS 7

  IP: 192.168.168.8
  Directory: /opt
  Proxy: nginx
  Database: MySQL version >= 5.6, or MariaDB version >= 5.5.6

Update yum
  yum update -y

Disable the firewall and SELinux
  firewall-cmd --state
  systemctl stop firewalld
  systemctl disable firewalld

  vi /etc/sysconfig/selinux
  change SELINUX=enforcing to SELINUX=disabled


  reboot

Change the locale, otherwise an input/output error may be reported because the logs contain Chinese characters
  localedef -c -f UTF-8 -i zh_CN zh_CN.UTF-8
  export LC_ALL=zh_CN.UTF-8
  echo 'LANG="zh_CN.UTF-8"' > /etc/locale.conf

Install dependency packages
  yum -y install wget sqlite-devel xz gcc automake zlib-devel openssl-devel epel-release git

Install Redis; Jumpserver uses Redis as its cache and celery broker
  yum -y install redis
  systemctl enable redis
  systemctl start redis

Install MySQL as the database; if you are not using MySQL you can skip the MySQL installation and configuration steps
  yum -y install mariadb mariadb-devel mariadb-server # on CentOS 7 this installs MariaDB
  systemctl enable mariadb
  systemctl start mariadb

Create the jumpserver database and grant privileges
  mysql -uroot
  > create database jumpserver default charset 'utf8';
  > grant all on jumpserver.* to 'jumpserver'@'127.0.0.1' identified by 'weakPassword';
  > flush privileges;
  > quit

Install Nginx, used as a reverse proxy to integrate Jumpserver with the other components
  yum -y install nginx
  systemctl enable nginx

Download and compile Python 3.6.1
  cd /opt
  wget https://www.python.org/ftp/python/3.6.1/Python-3.6.1.tar.xz
  tar xf Python-3.6.1.tar.xz && cd Python-3.6.1
  ./configure && make && make install

Create and activate the Python 3 virtual environment
  cd /opt
  python3 -m venv py3
  source /opt/py3/bin/activate
  # Seeing the prompt below means it worked; from now on run the source command above before running Jumpserver, and run all following commands inside this virtual environment
  (py3) [root@localhost opt]#

Load the Python virtual environment automatically
  cd /opt
  git clone git://github.com/kennethreitz/autoenv.git
  echo 'source /opt/autoenv/activate.sh' >> ~/.bashrc
  source ~/.bashrc

Download Jumpserver and Coco
  cd /opt
  git clone https://github.com/jumpserver/jumpserver.git 
  echo "source /opt/py3/bin/activate" > /opt/jumpserver/.env

  cd /opt
  git clone https://github.com/jumpserver/coco.git 
  echo "source /opt/py3/bin/activate" > /opt/coco/.env

Install dependency RPM packages
  yum -y install $(cat /opt/jumpserver/requirements/rpm_requirements.txt)
  yum -y install $(cat /opt/coco/requirements/rpm_requirements.txt)

Install Python library dependencies
  pip install --upgrade pip
  pip install -r /opt/jumpserver/requirements/requirements.txt -i https://mirrors.aliyun.com/pypi/simple/
  pip install -r /opt/coco/requirements/requirements.txt

Edit the Jumpserver configuration file
  cd /opt/jumpserver
  cp config_example.py config.py

  vi config.py

Note: the configuration file is Python; use spaces, not TABs

#!/usr/bin/env python3
# -*- coding: utf-8 -*-
"""
    jumpserver.config
    ~~~~~~~~~~~~~~~~~

    Jumpserver project setting file

    :copyright: (c) 2014-2017 by Jumpserver Team
    :license: GPL v2, see LICENSE for more details.
"""
import os

BASE_DIR = os.path.dirname(os.path.abspath(__file__))


class Config:
    """
    Jumpserver Config File
    Jumpserver configuration file

    Jumpserver use this config for drive django framework running,
    You can set is value or set the same envirment value,
    Jumpserver look for config order: file => env => default

    Jumpserver uses this configuration to drive the Django framework;
    you can set values in this file or set environment variables of the same name.
    Lookup order: file => environment variable => default value
    """
    # SECURITY WARNING: keep the secret key used in production secret!
    # Encryption key: change it to a random string in production and never disclose it
    SECRET_KEY = '2vym+ky!997d5kkcc64mnz06y1mmui3lut#(^wd=%s_qj$1%x'

    # SECURITY WARNING: keep the bootstrap token used in production secret!
    # Pre-shared token used by coco and guacamole to register service accounts;
    # the old register-and-accept mechanism is no longer used
    # BOOTSTRAP_TOKEN = 'PleaseChangeMe'

    ALLOWED_HOSTS = ['*']

    # Development env open this, when error occur display the full process track, Production disable it
    # DEBUG mode: with DEBUG on, more logs are shown when errors occur
    DEBUG = False

    # DEBUG, INFO, WARNING, ERROR, CRITICAL can set. See https://docs.djangoproject.com/en/1.10/topics/logging/
    # Log level
    LOG_LEVEL = 'ERROR'
    LOG_DIR = os.path.join(BASE_DIR, 'logs')

    # Session expiration setting, Default 24 hour, Also set expired on on browser close
    # Browser session expiry, default 24 hours; can also be set to expire when the browser closes
    # SESSION_COOKIE_AGE = 3600 * 24
    # SESSION_EXPIRE_AT_BROWSER_CLOSE = False
    SESSION_EXPIRE_AT_BROWSER_CLOSE = True

    # Database setting, Support sqlite3, mysql, postgres ....
    # Database settings
    # See https://docs.djangoproject.com/en/1.10/ref/settings/#databases

    # SQLite setting:
    # Use a single-file sqlite database
    # DB_ENGINE = 'sqlite3'
    # DB_NAME = os.path.join(BASE_DIR, 'data', 'db.sqlite3')

    # MySQL or postgres setting like:
    # Use MySQL as the database
    DB_ENGINE = 'mysql'
    DB_HOST = '127.0.0.1'
    DB_PORT = 3306
    DB_USER = 'jumpserver'
    DB_PASSWORD = 'weakPassword'
    DB_NAME = 'jumpserver'

    # When Django start it will bind this host and port
    # ./manage.py runserver 127.0.0.1:8080
    # Host and port bound at runtime
    HTTP_BIND_HOST = '0.0.0.0'
    HTTP_LISTEN_PORT = 8080

    # Use Redis as broker for celery and web socket
    # Redis settings
    REDIS_HOST = '127.0.0.1'
    REDIS_PORT = 6379
    REDIS_PASSWORD = ''
    REDIS_DB_CELERY = 3
    REDIS_DB_CACHE = 4

    # Use OpenID authorization
    # OpenID authentication settings
    # BASE_SITE_URL = 'http://localhost:8080'
    # AUTH_OPENID = False  # True or False
    # AUTH_OPENID_SERVER_URL = 'https://openid-auth-server.com/'
    # AUTH_OPENID_REALM_NAME = 'realm-name'
    # AUTH_OPENID_CLIENT_ID = 'client-id'
    # AUTH_OPENID_CLIENT_SECRET = 'client-secret'

    #
    # OTP_VALID_WINDOW = 0

    def __init__(self):
        pass

    def __getattr__(self, item):
        return None


class DevelopmentConfig(Config):
    pass


class TestConfig(Config):
    pass


class ProductionConfig(Config):
    pass


# Default using Config settings, you can write if/else for different env
config = DevelopmentConfig()
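The config.py above is written with the example defaults from config_example.py still in place (the shipped SECRET_KEY, DB_PASSWORD 'weakPassword', an empty REDIS_PASSWORD, ALLOWED_HOSTS = ['*']). As an added example that is not from the original post or the Jumpserver project, the POSIX shell functions below audit a config.py for those defaults and rewrite SECRET_KEY with a random value; the sample config they write is constructed for the demo and the function names are my own.

```shell
#!/bin/sh
# Added example (not part of the original post): audit a Jumpserver config.py
# for the insecure defaults the walkthrough leaves in place and replace the
# example SECRET_KEY. The sample file written below is constructed demo input.

# Constructed sample mirroring the config.py shown above (demo input only).
write_sample_config() {
    cat >"$1" <<'EOF'
SECRET_KEY = '2vym+ky!997d5kkcc64mnz06y1mmui3lut#(^wd=%s_qj$1%x'
ALLOWED_HOSTS = ['*']
DEBUG = False
DB_PASSWORD = 'weakPassword'
REDIS_PASSWORD = ''
EOF
}

# Print one line per insecure default found in the given config.py.
find_insecure_defaults() {
    cfg="$1"
    # The SECRET_KEY shipped in config_example.py must never reach production.
    grep -qF '2vym+ky!997d5kkcc64mnz06y1mmui3lut' "$cfg" \
        && echo "SECRET_KEY is the example default"
    grep -Eq "^[[:space:]]*DB_PASSWORD = 'weakPassword'" "$cfg" \
        && echo "DB_PASSWORD is the example default"
    grep -Eq "^[[:space:]]*REDIS_PASSWORD = ''" "$cfg" \
        && echo "REDIS_PASSWORD is empty"
    grep -Eq "^[[:space:]]*ALLOWED_HOSTS = \['\*'\]" "$cfg" \
        && echo "ALLOWED_HOSTS accepts any Host header"
    grep -Eq "^[[:space:]]*DEBUG = True" "$cfg" \
        && echo "DEBUG is enabled"
    return 0
}

# Number of findings; 0 means the file passed every check.
count_insecure_defaults() {
    find_insecure_defaults "$1" | grep -c . || true
}

# 50-character random key suitable for SECRET_KEY or BOOTSTRAP_TOKEN.
gen_secret() {
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 50
}

# Rewrite the SECRET_KEY line of a config.py with a freshly generated key.
set_secret_key() {
    key="$(gen_secret)"
    sed -i "s/^SECRET_KEY = .*/SECRET_KEY = '$key'/" "$1"
}
```

Run `count_insecure_defaults /opt/jumpserver/config.py` after editing; anything other than 0 means a default from this walkthrough is still live.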

Edit the Coco configuration file
  cd /opt/coco
  cp conf_example.py conf.py # if coco and jumpserver are deployed separately, edit conf.py by hand
  vi conf.py
# Mind the indentation; do not copy the contents of this post directly

#!/usr/bin/env python3
# -*- coding: utf-8 -*-
#

import os

BASE_DIR = os.path.dirname(__file__)


class Config:
    """
    Coco config file, coco also load config from server update setting below
    """
    # Project name, used to register with Jumpserver; for identification only, must be unique
    NAME = "coco"

    # URL of the Jumpserver project, used by API registration requests
    CORE_HOST = os.environ.get("CORE_HOST") or 'http://127.0.0.1:8080'

    # Bootstrap Token, the pre-shared secret used to register the service account and terminal coco uses
    # Keep it identical to the jumpserver config file; it can be removed once registration is complete
    # BOOTSTRAP_TOKEN = "PleaseChangeMe"

    # IP to bind at startup, default 0.0.0.0
    # BIND_HOST = '0.0.0.0'

    # SSH listening port, default 2222
    # SSHD_PORT = 2222

    # HTTP/WS listening port, default 5000
    # HTTPD_PORT = 5000

    # ACCESS KEY used by the project; by default it is obtained at registration and saved to ACCESS_KEY_STORE.
    # If needed it can be written into the config file, format access_key_id:access_key_secret
    # ACCESS_KEY = None

    # Where the ACCESS KEY is stored; by default it is saved to this file after registration
    # ACCESS_KEY_STORE = os.path.join(BASE_DIR, 'keys', '.access_key')

    # Encryption key
    # SECRET_KEY = None

    # Log level: one of ['DEBUG', 'INFO', 'WARN', 'ERROR', 'FATAL', 'CRITICAL']
    LOG_LEVEL = 'ERROR'

    # Directory for log files
    # LOG_DIR = os.path.join(BASE_DIR, 'logs')

    # Directory for session recordings
    # SESSION_DIR = os.path.join(BASE_DIR, 'sessions')

    # Asset list sort order, ['ip', 'hostname']
    # ASSET_LIST_SORT_BY = 'ip'

    # Whether password authentication is allowed at login
    # PASSWORD_AUTH = True

    # Whether public key authentication is allowed at login
    # PUBLIC_KEY_AUTH = True

    # SSH user allow list
    # ALLOW_SSH_USER = 'all'  # ['test', 'test2']

    # SSH user block list; if a user is on both lists, the block list wins
    # BLOCK_SSH_USER = []

    # Heartbeat interval to Jumpserver
    # HEARTBEAT_INTERVAL = 5

    # Admin name, shown to users when problems occur
    # ADMINS = ''
    COMMAND_STORAGE = {
        "TYPE": "server"
    }
    REPLAY_STORAGE = {
        "TYPE": "server"
    }

    # SSH connection timeout (default 15 seconds)
    # SSH_TIMEOUT = 15

    # Language, e.g. en
    LANGUAGE_CODE = 'zh'


config = Config()

Install the Web Terminal frontend: Luna
  cd /opt
  wget https://github.com/jumpserver/luna/releases/download/1.4.1/luna.tar.gz
  tar xf luna.tar.gz
  chown -R root:root luna

Install the Windows support component
  yum remove docker-latest-logrotate docker-logrotate docker-selinux docker-engine
  yum install -y yum-utils device-mapper-persistent-data lvm2
  yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
  yum makecache fast
  yum -y install docker-ce
  systemctl start docker
  docker pull jumpserver/guacamole:latest

Open a new terminal
Configure Nginx to integrate the components
  source /opt/py3/bin/activate
  cd /opt/
  vi /etc/nginx/conf.d/jumpserver.conf

server {
    listen 80;  # proxy port; from now on access goes through this port, no longer through 8080
    # server_name demo.jumpserver.org;  # change to your domain name or comment out

    client_max_body_size 100m;  # size limit for recordings and file uploads

    location /luna/ {
        try_files $uri / /index.html;
        alias /opt/luna/;  # luna path; change this if the install directory changes
    }

    location /media/ {
        add_header Content-Encoding gzip;
        root /opt/jumpserver/data/;  # recording location; change this if the install directory changes
    }

    location /static/ {
        root /opt/jumpserver/data/;  # static assets; change this if the install directory changes
    }

    location /socket.io/ {
        proxy_pass http://localhost:5000/socket.io/;  # if coco is installed on another server, use its IP
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    location /coco/ {
        proxy_pass http://localhost:5000/coco/;  # if coco is installed on another server, use its IP
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    location /guacamole/ {
        proxy_pass http://localhost:8081/;  # if guacamole is installed on another server, use its IP
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    location / {
        proxy_pass http://localhost:8080;  # if jumpserver is installed on another server, use its IP
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

  cd /opt/
  cp /etc/nginx/nginx.conf /etc/nginx/nginx.conf.bak
  vim /etc/nginx/nginx.conf

# For more information on configuration, see:
#   * Official English Documentation: http://nginx.org/en/docs/
#   * Official Russian Documentation: http://nginx.org/ru/docs/

user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

# Load dynamic modules. See /usr/share/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;

events {
    worker_connections 1024;
}

http {
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    keepalive_timeout   65;
    types_hash_max_size 2048;

    include             /etc/nginx/mime.types;
    default_type        application/octet-stream;

    # Load modular configuration files from the /etc/nginx/conf.d directory.
    # See http://nginx.org/en/docs/ngx_core_module.html#include
    # for more information.
    include /etc/nginx/conf.d/*.conf;

    # The stock default server on port 80 is disabled so that it does not
    # conflict with /etc/nginx/conf.d/jumpserver.conf above.
    #server {
    #    listen       80 default_server;
    #    listen       [::]:80 default_server;
    #    server_name  _;
    #    root         /usr/share/nginx/html;
    #
    #    # Load configuration files for the default server block.
    #    include /etc/nginx/default.d/*.conf;
    #
    #    location / {
    #    }
    #
    #    error_page 404 /404.html;
    #    location = /40x.html {
    #    }
    #
    #    error_page 500 502 503 504 /50x.html;
    #    location = /50x.html {
    #    }
    #}

# Settings for a TLS enabled server.
#
#    server {
#        listen       443 ssl http2 default_server;
#        listen       [::]:443 ssl http2 default_server;
#        server_name  _;
#        root         /usr/share/nginx/html;
#
#        ssl_certificate "/etc/pki/nginx/server.crt";
#        ssl_certificate_key "/etc/pki/nginx/private/server.key";
#        ssl_session_cache shared:SSL:1m;
#        ssl_session_timeout  10m;
#        ssl_ciphers HIGH:!aNULL:!MD5;
#        ssl_prefer_server_ciphers on;
#
#        # Load configuration files for the default server block.
#        include /etc/nginx/default.d/*.conf;
#
#        location / {
#        }
#
#        error_page 404 /404.html;
#            location = /40x.html {
#        }
#
#        error_page 500 502 503 504 /50x.html;
#            location = /50x.html {
#        }
#    }

}

  nginx -t


Generate the database tables and initial data
  cd /opt/jumpserver/utils
  bash make_migrations.sh

Run Jumpserver
  cd ..
  ./jms start all -d
# Newer versions updated the run script; usage is ./jms start|stop|status|restart all, and -d runs it in the background

Run Coco
  cd /opt/coco
  ./cocod start -d

# In the first terminal
Start Guacamole
# Note: http://<fill in the jumpserver URL> must be changed here, e.g. http://192.168.168.8, otherwise it will fail
# 127.0.0.1 cannot be used; the image can be swapped for registry.jumpserver.org/public/guacamole:latest

  docker run --name jms_guacamole -d \
  -p 8081:8080 -v /opt/guacamole/key:/config/guacamole/key \
  -e JUMPSERVER_KEY_DIR=/config/guacamole/key \
  -e JUMPSERVER_SERVER=http://192.168.168.8:8080 \
  jumpserver/guacamole:latest

  systemctl start nginx

  Log in to the web management interface: 192.168.168.8

Reference 1: http://docs.jumpserver.org/zh/docs/step_by_step.html

Reference 2: http://docs.jumpserver.org/zh/docs/setup_by_centos7.html

Reference 3: https://www.cnblogs.com/bigdevilking/p/9427941.html

Reference 4: http://docs.jumpserver.org/zh/docs/faq_install.html

 
