centos 7.x 安装开源堡垒机Jumpserver
环境
虚拟机 系统:centos 7
IP:192.168.168.8
目录:/opt
代理:nginx
数据库:mysql 版本大于等于 5.6 mariadb 版本大于等于 5.5.6
更新yum
yum update -y
关闭防火墙与selinux
firewall-cmd --state
systemctl stop firewalld
systemctl disable firewalld
vi /etc/sysconfig/selinux
SELINUX=enforcing 改为 SELINUX=disabled
reboot
修改字符集,否则可能报 input/output error的问题,因为日志里打印了中文
localedef -c -f UTF-8 -i zh_CN zh_CN.UTF-8
export LC_ALL=zh_CN.UTF-8
echo 'LANG="zh_CN.UTF-8"' > /etc/locale.conf
安装依赖包
yum -y install wget sqlite-devel xz gcc automake zlib-devel openssl-devel epel-release git
安装redis,Jumpserver 使用 Redis 做 cache 和 celery broke
yum -y install redis
systemctl enable redis
systemctl start redis
安装Mysql 作为数据库,如果不使用 Mysql 可以跳过相关 Mysql 安装和配置
yum -y install mariadb mariadb-devel mariadb-server # centos7下安装的是mariadb
systemctl enable mariadb
systemctl start mariadb
创建数据库 Jumpserver 并授权
mysql -uroot
> create database jumpserver default charset 'utf8';
> grant all on jumpserver.* to 'jumpserver'@'127.0.0.1' identified by 'weakPassword';
> flush privileges;
> quit
安装 Nginx,用代理服务器整合Jumpserver与各个组件
yum -y install nginx
systemctl enable nginx
下载编译Python3.6.1
cd /opt
wget https://www.python.org/ftp/python/3.6.1/Python-3.6.1.tar.xz
tar xf Python-3.6.1.tar.xz && cd Python-3.6.1
./configure && make && make install
配置并载入Python3虚拟环境
cd /opt
python3 -m venv py3
source /opt/py3/bin/activate
# 看到下面的提示符代表成功,以后运行 Jumpserver 都要先运行以上 source 命令,以下所有命令均在该虚拟环境中运行
(py3) [root@localhost opt]#
自动载入Python虚拟环境
cd /opt
git clone git://github.com/kennethreitz/autoenv.git
echo 'source /opt/autoenv/activate.sh' >> ~/.bashrc
source ~/.bashrc
下载Jumpserver 与 Coco
cd /opt
git clone https://github.com/jumpserver/jumpserver.git
echo "source /opt/py3/bin/activate" > /opt/jumpserver/.env
cd /opt
git clone https://github.com/jumpserver/coco.git
echo "source /opt/py3/bin/activate" > /opt/coco/.env
安装依赖 RPM 包
yum -y install $(cat /opt/jumpserver/requirements/rpm_requirements.txt)
yum -y install $(cat /opt/coco/requirements/rpm_requirements.txt)
安装python库依赖
pip install --upgrade pip
pip install -r /opt/jumpserver/requirements/requirements.txt -i https://mirrors.aliyun.com/pypi/simple/
pip install -r /opt/coco/requirements/requirements.txt
修改 Jumpserver 配置文件
cd /opt/jumpserver
cp config_example.py config.py
vi config.py
注意: 配置文件是 Python 格式,不要用 TAB,而要用空格
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
"""
jumpserver.config
~~~~~~~~~~~~~~~~~ Jumpserver project setting file :copyright: (c) 2014-2017 by Jumpserver Team
:license: GPL v2, see LICENSE for more details.
"""
import os BASE_DIR = os.path.dirname(os.path.abspath(__file__)) class Config:
"""
Jumpserver Config File
Jumpserver 配置文件 Jumpserver use this config for drive django framework running,
You can set is value or set the same envirment value,
Jumpserver look for config order: file => env => default Jumpserver使用配置来驱动Django框架的运行,
你可以在该文件中设置,或者设置同样名称的环境变量,
Jumpserver使用配置的顺序: 文件 => 环境变量 => 默认值
"""
# SECURITY WARNING: keep the secret key used in production secret!
# 加密秘钥 生产环境中请修改为随机字符串,请勿外泄
SECRET_KEY = '2vym+ky!997d5kkcc64mnz06y1mmui3lut#(^wd=%s_qj$1%x' # SECURITY WARNING: keep the bootstrap token used in production secret!
# 预共享Token coco和guacamole用来注册服务账号,不在使用原来的注册接受机制
# BOOTSTRAP_TOKEN = 'PleaseChangeMe' ALLOWED_HOSTS = ['*'] # Development env open this, when error occur display the full process track, Production disable it
# DEBUG 模式 开启DEBUG后遇到错误时可以看到更多日志
DEBUG = False # DEBUG, INFO, WARNING, ERROR, CRITICAL can set. See https://docs.djangoproject.com/en/1.10/topics/logging/
# 日志级别
LOG_LEVEL = 'ERROR'
LOG_DIR = os.path.join(BASE_DIR, 'logs') # Session expiration setting, Default 24 hour, Also set expired on on browser close
# 浏览器Session过期时间,默认24小时, 也可以设置浏览器关闭则过期
# SESSION_COOKIE_AGE = 3600 * 24
# SESSION_EXPIRE_AT_BROWSER_CLOSE = False
SESSION_EXPIRE_AT_BROWSER_CLOSE = True # Database setting, Support sqlite3, mysql, postgres ....
# 数据库设置
# See https://docs.djangoproject.com/en/1.10/ref/settings/#databases # SQLite setting:
# 使用单文件sqlite数据库
# DB_ENGINE = 'sqlite3'
# DB_NAME = os.path.join(BASE_DIR, 'data', 'db.sqlite3') # MySQL or postgres setting like:
# 使用Mysql作为数据库
DB_ENGINE = 'mysql'
DB_HOST = '127.0.0.1'
DB_PORT = 3306
DB_USER = 'jumpserver'
DB_PASSWORD = 'weakPassword'
DB_NAME = 'jumpserver' # When Django start it will bind this host and port
# ./manage.py runserver 127.0.0.1:8080
# 运行时绑定端口
HTTP_BIND_HOST = '0.0.0.0'
HTTP_LISTEN_PORT = 8080 # Use Redis as broker for celery and web socket
# Redis配置
REDIS_HOST = '127.0.0.1'
REDIS_PORT = 6379
REDIS_PASSWORD = '':
REDIS_DB_CELERY = 3
REDIS_DB_CACHE = 4 # Use OpenID authorization
# 使用OpenID 来进行认证设置
# BASE_SITE_URL = 'http://localhost:8080'
# AUTH_OPENID = False # True or False
# AUTH_OPENID_SERVER_URL = 'https://openid-auth-server.com/'
# AUTH_OPENID_REALM_NAME = 'realm-name'
# AUTH_OPENID_CLIENT_ID = 'client-id'
# AUTH_OPENID_CLIENT_SECRET = 'client-secret' #
# OTP_VALID_WINDOW = 0 def __init__(self):
pass def __getattr__(self, item):
return None class DevelopmentConfig(Config):
pass class TestConfig(Config):
pass class ProductionConfig(Config):
pass # Default using Config settings, you can write if/else for different env
config = DevelopmentConfig()
修改Coco配置文件
cd /opt/coco
cp conf_example.py conf.py # 如果 coco 与 jumpserver 分开部署,请手动修改 conf.py
vi conf.py
# 注意对齐,不要直接复制本文档的内容
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# import os BASE_DIR = os.path.dirname(__file__) class Config:
"""
Coco config file, coco also load config from server update setting below
"""
# 项目名称, 会用来向Jumpserver注册, 识别而已, 不能重复
NAME = "coco" # Jumpserver项目的url, api请求注册会使用
CORE_HOST = os.environ.get("CORE_HOST") or 'http://127.0.0.1:8080' # Bootstrap Token, 预共享秘钥, 用来注册coco使用的service account和terminal
# 请和jumpserver 配置文件中保持一致,注册完成后可以删除
# BOOTSTRAP_TOKEN = "PleaseChangeMe" # 启动时绑定的ip, 默认 0.0.0.0
# BIND_HOST = '0.0.0.0' # 监听的SSH端口号, 默认2222
# SSHD_PORT = 2222 # 监听的HTTP/WS端口号,默认5000
# HTTPD_PORT = 5000 # 项目使用的ACCESS KEY, 默认会注册,并保存到 ACCESS_KEY_STORE中,
# 如果有需求, 可以写到配置文件中, 格式 access_key_id:access_key_secret
# ACCESS_KEY = None # ACCESS KEY 保存的地址, 默认注册后会保存到该文件中
# ACCESS_KEY_STORE = os.path.join(BASE_DIR, 'keys', '.access_key') # 加密密钥
# SECRET_KEY = None # 设置日志级别 ['DEBUG', 'INFO', 'WARN', 'ERROR', 'FATAL', 'CRITICAL']
LOG_LEVEL = 'ERROR' # 日志存放的目录
# LOG_DIR = os.path.join(BASE_DIR, 'logs') # Session录像存放目录
# SESSION_DIR = os.path.join(BASE_DIR, 'sessions') # 资产显示排序方式, ['ip', 'hostname']
# ASSET_LIST_SORT_BY = 'ip' # 登录是否支持密码认证
# PASSWORD_AUTH = True # 登录是否支持秘钥认证
# PUBLIC_KEY_AUTH = True # SSH白名单
# ALLOW_SSH_USER = 'all' # ['test', 'test2'] # SSH黑名单, 如果用户同时在白名单和黑名单,黑名单优先生效
# BLOCK_SSH_USER = [] # 和Jumpserver 保持心跳时间间隔
# HEARTBEAT_INTERVAL = 5 # Admin的名字,出问题会提示给用户
# ADMINS = ''
COMMAND_STORAGE = {
"TYPE": "server"
}
REPLAY_STORAGE = {
"TYPE": "server"
} # SSH连接超时时间 (default 15 seconds)
# SSH_TIMEOUT = 15 # 语言 = en
LANGUAGE_CODE = 'zh' config = Config()
安装 Web Terminal 前端: Luna
cd /opt
wget https://github.com/jumpserver/luna/releases/download/1.4.1/luna.tar.gz
tar xf luna.tar.gz
chown -R root:root luna
安装windows支持组件
yum remove docker-latest-logrotate docker-logrotate docker-selinux dockdocker-engine
yum install -y yum-utils device-mapper-persistent-data lvm2
yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
yum makecache fast
yum -y install docker-ce
systemctl start docker -d
docker pull jumpserver/guacamole:latest
重新打开一个终端
配置Nginx整合组件
source /opt/py3/bin/activate
cd /opt/
vi /etc/nginx/conf.d/jumpserver.conf
server {
listen 80; # 代理端口,以后将通过此端口进行访问,不再通过8080端口
# server_name demo.jumpserver.org; # 修改成你的域名或者注释掉 client_max_body_size 100m; # 录像及文件上传大小限制 location /luna/ {
try_files $uri / /index.html;
alias /opt/luna/; # luna 路径,如果修改安装目录,此处需要修改
} location /media/ {
add_header Content-Encoding gzip;
root /opt/jumpserver/data/; # 录像位置,如果修改安装目录,此处需要修改
} location /static/ {
root /opt/jumpserver/data/; # 静态资源,如果修改安装目录,此处需要修改
} location /socket.io/ {
proxy_pass http://localhost:5000/socket.io/; # 如果coco安装在别的服务器,请填写它的ip
proxy_buffering off;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
access_log off;
} location /coco/ {
proxy_pass http://localhost:5000/coco/; # 如果coco安装在别的服务器,请填写它的ip
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
access_log off;
} location /guacamole/ {
proxy_pass http://localhost:8081/; # 如果guacamole安装在别的服务器,请填写它的ip
proxy_buffering off;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $http_connection;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
access_log off;
} location / {
proxy_pass http://localhost:8080; # 如果jumpserver安装在别的服务器,请填写它的ip
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
cd /opt/
cp /etc/nginx/nginx.conf /etc/nginx/nginx.conf.bak
vim /etc/nginx/nginx.conf
# For more information on configuration, see:
# * Official English Documentation: http://nginx.org/en/docs/
# * Official Russian Documentation: http://nginx.org/ru/docs/ user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid; # Load dynamic modules. See /usr/share/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf; events {
worker_connections 1024;
} http {
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"'; access_log /var/log/nginx/access.log main; sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048; include /etc/nginx/mime.types;
default_type application/octet-stream; # Load modular configuration files from the /etc/nginx/conf.d directory.
# See http://nginx.org/en/docs/ngx_core_module.html#include
# for more information.
include /etc/nginx/conf.d/*.conf; #server {
#listen 80 default_server;
#listen [::]:80 default_server;
#server_name _;
#root /usr/share/nginx/html; # Load configuration files for the default server block.
#include /etc/nginx/default.d/*.conf; #location / {
# } #error_page 404 /404.html;
#location = /40x.html {
#} #error_page 500 502 503 504 /50x.html;
#location = /50x.html {
#}
#} # Settings for a TLS enabled server.
#
# server {
# listen 443 ssl http2 default_server;
# listen [::]:443 ssl http2 default_server;
# server_name _;
# root /usr/share/nginx/html;
#
# ssl_certificate "/etc/pki/nginx/server.crt";
# ssl_certificate_key "/etc/pki/nginx/private/server.key";
# ssl_session_cache shared:SSL:1m;
# ssl_session_timeout 10m;
# ssl_ciphers HIGH:!aNULL:!MD5;
# ssl_prefer_server_ciphers on;
#
# # Load configuration files for the default server block.
include /etc/nginx/default.d/*.conf;
#
# location / {
# }
#
# error_page 404 /404.html;
# location = /40x.html {
# }
#
# error_page 500 502 503 504 /50x.html;
# location = /50x.html {
# }
# } }
nginx -t
生成数据库表结构和初始化数据
cd /opt/jumpserver/utils
bash make_migrations.sh
运行 Jumpserver
cd ..
./jms start all -d
# 新版本更新了运行脚本,使用方式./jms start|stop|status|restart all 后台运行请添加 -d 参数
运行Coco
cd /opt/coco
./cocod start -d
#在第一个终端里
启动 Guacamole
# 注意:这里需要修改下 http://<填写jumpserver的url地址> 例: http://192.168.168.8, 否则会出错
# 不能使用 127.0.0.1 ,可以更换 registry.jumpserver.org/public/guacamole:latest
docker run --name jms_guacamole -d \
-p 8081:8080 -v /opt/guacamole/key:/config/guacamole/key \
-e JUMPSERVER_KEY_DIR=/config/guacamole/key \
-e JUMPSERVER_SERVER=http://192.168.168.8:8080 \
jumpserver/guacamole:latest
systemctl start nginx
登录Web管理界面:192.168.168.8
参考链接1:http://docs.jumpserver.org/zh/docs/step_by_step.html 参考链接2:http://docs.jumpserver.org/zh/docs/setup_by_centos7.html 参考链接3:https://www.cnblogs.com/bigdevilking/p/9427941.html 参考链接4:http://docs.jumpserver.org/zh/docs/faq_install.html
centos 7.x 安装开源堡垒机Jumpserver的更多相关文章
- 开源堡垒机jumpserver
开源堡垒机jumpserver 开源堡垒机jumpserver的安装 开源堡垒机jumpserver的配置和使用
- 开源堡垒机jumpserver的安装
开源跳板机jumpserver安装 简介 Jumpserver 是全球首款完全开源的堡垒机, 使用GNU GPL v2.0 开源协议, 是符合4A 的专业运维审计系统 Jumpserver 使用Pyt ...
- 分享一款开源堡垒机-jumpserver
本文主文章地址为:https://blog.csdn.net/KH_FC JumpServer是由FIT2CLOUD(飞致远)公司旗下一款开源的堡垒机,这款也是全球首款开源的堡垒机,使用 GNU GP ...
- 开源堡垒机jumpserver的配置和使用
开源跳板机jumpserver配置和使用 http://docs.jumpserver.org/zh/docs/quick_start.html#id9 系统设置 基本设置 # 修改url 的&quo ...
- centos 6.5 搭建开源堡垒机 Teleport 遇到的问题解决
几款开源的堡垒机 下面进行 teleport 的安装: https://docs.tp4a.com/install/#11 异常1:libc.so.6: version `GLIBC_2.14' no ...
- Centos下堡垒机Jumpserver V3.0环境部署完整记录(2)-配置篇
前面已经介绍了Jumpserver V3.0的安装,基于这篇安装文档,下面说下Jumpserver安装后的的功能使用: 一.jumpserver的启动 Jumpserver的启动和重启 [root@t ...
- CentOS7 开源跳板机(堡垒机) Jumpserver
开源跳板机(堡垒机)Jumpserver 环境 CentOS 7 x64 关闭 selinux firewalld jumpserver: 172.24.0.14 testserve ...
- jumpserver开源堡垒机部署安装
0x01.前言 Jumpserver 是全球首款完全开源的堡垒机,使用 GNU GPL v2.0 开源协议,是符合 4A 的专业运维审计系统. Jumpserver 使用 Python / Djang ...
- Centos下堡垒机Jumpserver V3.0环境部署完整记录(1)-安装篇
由于来源身份不明.越权操作.密码泄露.数据被窃.违规操作等因素都可能会使运营的业务系统面临严重威胁,一旦发生事故,如果不能快速定位事故原因,运维人员往往就会背黑锅.几种常见的运维人员背黑锅场景:1)由 ...
随机推荐
- LeetCode 21. Merge Two Sorted Lists (合并两个有序链表)
Merge two sorted linked lists and return it as a new list. The new list should be made by splicing t ...
- Android与IOS异同点对照(1)------ 显示
Android与IOS作为当前世界上最流行的两大移动端操作系统,都拥有无数的粉丝. 那么对于Android或者IOS的开发人员来说,这两个系统都拥有什么同样或者不同的地方那?如今让我们一起来了解一下A ...
- tiny4412 裸机程序 八、重定位到DRAM及LCD实验【转】
本文转载自:http://blog.csdn.net/eshing/article/details/37407423 版权声明:本文为博主原创文章,未经博主允许不得转载. 目录(?)[+] 一 ...
- 项目中如何使用NuGet添加类库
在项目上右键-->Manage NuGet Packages Browse 可以去搜索想要添加到项目的类库 Installed 已经添加到项目的类库 Updates 需要更新的类库
- [python基础] csv.wirterow()报错UnicodeEncodeError
python在安装时,默认的编码是ascii,当程序中出现非ascii编码时,python的处理常常会报这样的错,python没办法处理非ascii编码的,此时需要自己设置将python的默认编码,一 ...
- bzoj4668
并查集+最小生成树 首先我们发现这题可以lct维护最小生成树,但是发现如果生成树在之后是不会修改的,那么就想到了并查集,然后就不知道怎么做了... 其实当我们连接两个连通块的时候,两个连通块只能通过这 ...
- 使用 Jenkins + GitHub + Nginx + HTTPS 搭建静态网站
参考https://www.imooc.com/article/20079 http://www.haoduoyu.cc/
- cogs750栅格网络流(最小割)
750. 栅格网络流 ★★☆ 输入文件:flowa.in 输出文件:flowa.out 简单对比时间限制:1 s 内存限制:128 MB [问题描述] Bob 觉得一般图的最大流问题太 ...
- int(3)和int(11)区别
- $CF41D\ Pawn$
\(problem\) 与这题 灰常的相似 然后内存可能过大 开个滚动数组 因为数塔问题总是 只需要上面一行的两个状态(这题就是数塔问题) 下面的代码与原题不符.(原题要输出路径)想抄的可以走了 输出 ...