Jumpserver在Centos7部署

本次部署基于官方文档总结，点击查看官方文档

组件说明

Jumpserver 为管理后台, 管理员可以通过 Web 页面进行资产管理、用户管理、资产授权等操作, 用户可以通过 Web 页面进行资产登录, 文件管理等操作
koko 为 SSH Server 和 Web Terminal Server 。用户可以使用自己的账户通过 SSH 或者 Web Terminal 访问 SSH 协议和 Telnet 协议资产
Luna 为 Web Terminal Server 前端页面, 用户使用 Web Terminal 方式登录所需要的组件
Guacamole 为 RDP 协议和 VNC 协议资产组件, 用户可以通过 Web Terminal 来连接 RDP 协议和 VNC 协议资产 (暂时只能通过 Web Terminal 来访问)

端口配置

Jumpserver 默认 Web 端口为 8080/tcp, 默认 WS 端口为 8070/tcp, 配置文件 jumpserver/config.yml
koko 默认 SSH 端口为 2222/tcp, 默认 Web Terminal 端口为 5000/tcp 配置文件在 koko/config.yml
Guacamole 默认端口为 8081/tcp, 配置文件 /config/tomcat9/conf/server.xml
Nginx 默认端口为 80/tcp,443/tcp
Redis 默认端口为 6379/tcp

Protocol	Server name	IP	Port
TCP	Jumpserver	172.100.0.1(容器网络对应IP)	8070(ws), 8080(http)
TCP	koko	172.100.0.2（容器网络对应IP）	2222, 5000
TCP	Guacamole	172.100.0.3（容器网络对应IP）	8081
TCP	sqlite3	db路径：/data/jumpserver/jumpserver/jumpserver.db
TCP	Redis	127.0.0.1	6379
TCP	Nginx	0.0.0.0	80,443

组件安装配置

Redis配置

yum -y install redis
# 修改 redis 配置文件
vim /etc/redis.conf
...
bind 127.0.0.1  # 注释这行, 新增如下内容
requirepass weakPassword  # redis 连接密码
maxmemory-policy allkeys-lru  # 清理策略, 优先移除最近未使用的key
...
systemctl enable redis
systemctl start redis
systemctl status redis

sqlite3配置

# SQLite 需要 3.8.3 或者最新版本，Centos7 默认版本 3.7.17 需要升级
cd /usr/local/src
wget https://www.sqlite.org/2019/sqlite-autoconf-3300100.tar.gz
tar  zxvf sqlite-autoconf-3300100.tar.gz
/usr/local/bin/sqlite3 -V
ln -s /usr/local/bin/sqlite3 /usr/bin/sqlite3
sqlite3 --version
ln -s /usr/local/lib/libsqlite3.so /usr/lib/libsqlite3.so
vim ~/.bashrc
export LD_LIBRARY_PATH="/usr/local/lib"
source ~/.bashrc
#生成jumpserver需要的sqlite文件
cd /data/jumpserver/jumpserver
sqlite3 jumpserver.db

Jumpserver 配置

#安装 Python3.6
$ yum -y install python36 python36-devel
#配置并载入 Python3 虚拟环境
$ cd /data/jumpserver/
$ python3.6 -m venv py3_venv# py3 为虚拟环境名称, 可自定义
$ source py3_venv/bin/activate  # 激活python虚拟环境，退出虚拟环境可以使用 deactivate 命令
# 看到下面的提示符代表成功, 以后运行 Jumpserver 都要先运行以上 source 命令, 载入环境后默认以下所有命令均在该虚拟环境中运行
(py3) [root@localhost py3]
# 下载 Jumpserver
$ cd /data/jumpserver/
$ git clone --depth=1 https://github.com/jumpserver/jumpserver.git
# 安装依赖 RPM 包
$ yum -y install $(cat /data/jumpserver/jumpserver/requirements/rpm_requirements.txt)
# 安装 Python 库依赖
$ pip install wheel
$ pip install --upgrade pip setuptools
#如果有报错，大多是三方依赖库版本问题，手动安装即可
$ pip install -r /data/jumpserver/jumpserver/requirements/requirements.txt
#注意有error的话，手动修正下版本号，再安装
# jumpserver配置文件修改
$ cd /opt/jumpserver
$ cp config_example.yml config.yml
$ SECRET_KEY=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 50`  # 生成随机SECRET_KEY
$ BOOTSTRAP_TOKEN=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 16`  # 生成随机BOOTSTRAP_TOKEN
$ sed -i "s/SECRET_KEY:/SECRET_KEY: $SECRET_KEY/g" /data/jumpserver/jumpserver/config.yml
$ sed -i "s/BOOTSTRAP_TOKEN:/BOOTSTRAP_TOKEN: $BOOTSTRAP_TOKEN/g" /data/jumpserver/jumpserver/config.yml
$ sed -i "s/# DEBUG: true/DEBUG: false/g" /data/jumpserver/jumpserver/config.yml
$ sed -i "s/# LOG_LEVEL: DEBUG/LOG_LEVEL: ERROR/g" /data/jumpserver/jumpserver/config.yml
$ sed -i "s/# SESSION_EXPIRE_AT_BROWSER_CLOSE: false/SESSION_EXPIRE_AT_BROWSER_CLOSE: true/g" /data/jumpserver/jumpserver/config.yml
$ sed -i "s/DB_PASSWORD: /DB_PASSWORD: $DB_PASSWORD/g" /data/jumpserver/jumpserver/config.yml/
$ echo -e "\033[31m 你的SECRET_KEY是 $SECRET_KEY \033[0m"
$ echo -e "\033[31m 你的BOOTSTRAP_TOKEN是 $BOOTSTRAP_TOKEN \033[0m"
#配置存储为sqlite3，注释mysql配置
DB_ENGINE: sqlite3
DB_NAME: /data/jumpserver/jumpserver/jumpserver.db
#HTTP_BIND_HOST修改为127.0.0.1
HTTP_BIND_HOST: 127.0.0.1
$ vi config.yml  # 确认内容有没有错误

koko 和 Guacamole 配置

直接采用docker部署

#拉取镜像
docker pull docker.io/jumpserver/jms_koko:1.5.6
docker pull docker.io/jumpserver/jms_guacamole:1.5.6

docker-compose file

vim /data/jumpserver/docker-jumpserver-compose.yml
#写入如下内容

docker-jumpserver-compose.yml 内容如下：

version: "3"
services:
  guacamole:
    image: 'docker.io/jumpserver/jms_guacamole:1.5.6'
    restart: on-failure:3
    environment:
        JUMPSERVER_SERVER: 'http://172.100.0.1:8080'
        BOOTSTRAP_TOKEN: '上面生成的BOOTSTRAP_TOKEN'
    ports:
      - '127.0.0.1:8081:8080'
    networks:
      jumpserver:
        ipv4_address: 172.100.0.2
    #volumes:
    #  - '/etc/localtime:/etc/localtime:ro'
    #  - '/etc/timezone:/etc/timezone'
  koko:
    image: 'docker.io/jumpserver/jms_koko:1.5.6'
    restart: on-failure:3
    environment:
        CORE_HOST: 'http://172.100.0.1:8080'
        BOOTSTRAP_TOKEN: '上面生成的BOOTSTRAP_TOKEN'
    ports:
      - '127.0.0.1:5100:5000'
      - '2222:2222'
    networks:
      jumpserver:
        ipv4_address: 172.100.0.3
networks:
  jumpserver:
    driver: bridge
    ipam:
      driver: default
      config:
      -
        subnet: 172.100.0.1/24
##项目启动命令##
# docker-compose -f docker-jumpserver-compose.yml  -p jumpserver up  -d
  
##项目停止命令##
# docker-compose -f docker-jumpserver-compose.yml  -p jumpserver down

# 启动容器
cd /data/jumpserver/
docker-compose -f docker-jumpserver-compose.yml  -p jumpserver up  -d

nginx配置

vim /usr/local/nginx/conf/vhost/jms.test.com.conf
#nginx配置内容
...
server
{
	listen 80;
	server_name  jms.test.com;
	return       301 https://jms.test.com$request_uri;
	access_log off;
}
server
{
        listen 443;
        server_name jms.test.com;
        ssl on;
        ssl_certificate /usr/local/nginx/conf/cert/214235695130621.pem;
        ssl_certificate_key /usr/local/nginx/conf/cert/214235695130621.key;
        ssl_session_timeout 5m;
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
		
	set $node_port 8100;
	client_max_body_size 100m;  # 录像及文件上传大小限制	
	
	location /luna/ {
        	try_files $uri / /index.html;
	        alias /data/jumpserver/luna/;  # luna 路径, 如果修改安装目录, 此处需要修改
    	}
    	location /media/ {
       		add_header Content-Encoding gzip;
	        root /data/jumpserver/jumpserver/data/;  # 录像位置, 如果修改安装目录, 此处需要修改
    	}
	location /static/ {
        	root /data/jumpserver/jumpserver/data/;  # 静态资源, 如果修改安装目录, 此处需要修改
	}
    	location /koko/ {
        	proxy_pass       http://127.0.0.1:5000;
        	proxy_buffering off;
        	proxy_http_version 1.1;
        	proxy_set_header Upgrade $http_upgrade;
        	proxy_set_header Connection "upgrade";
        	proxy_set_header X-Real-IP $remote_addr;
        	proxy_set_header Host $host;
        	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        	access_log off;
    	}
    	location /guacamole/ {
        	proxy_pass       http://127.0.0.1:8081/;
        	proxy_buffering off;
        	proxy_http_version 1.1;
        	proxy_set_header Upgrade $http_upgrade;
        	proxy_set_header Connection $http_connection;
        	proxy_set_header X-Real-IP $remote_addr;
        	proxy_set_header Host $host;
        	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        	access_log off;
    	}
    	location /ws/ {
        	proxy_set_header X-Real-IP $remote_addr;
        	proxy_set_header Host $host;
        	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        	proxy_pass http://172.100.0.1:8070;
        	proxy_http_version 1.1;
        	proxy_buffering off;
        	proxy_set_header Upgrade $http_upgrade;
        	proxy_set_header Connection "upgrade";
        }
    	location / {
        	proxy_pass http://172.100.0.1:8080;
	        proxy_set_header X-Real-IP $remote_addr;
        	proxy_set_header Host $host;
	        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    	}
	access_log logs/jms_access.log;
        error_log  logs/jms_error.log;
}
...