## Notes

- Lines beginning with `#` are comments.
- Lines beginning with `>` are executed inside mysql.
- Lines beginning with `$` are commands to run on the host.

## Environment

- System: CentOS 7.6.181
- IP: 192.168.99.5
- jms install directory: /opt/jumpserver
- jms config file: /opt/jumpserver/config.yml
- Database install directory: /usr/local/mysql, version: mysql 5.7 (tarball install)
- Database connection details:
  - Connection host: 192.168.99.5 -> 127.0.0.1
  - Database name: jumpserver
  - Database user: jumpserver
  - Database password: cndsdis
- Front-end proxy: Nginx (installed via yum), config file path: /etc/nginx/conf.d/jumpserver.conf
### System information

| IP | Spec | Operating system | Firewalld open ports |
|---|---|---|---|
| 192.168.99.5 | 2 cores, 4 GB RAM | CentOS 7.5.1804 | 8080, 22, 3306, 2222 |

### Installed services

| Service | Version | Install directory | Port |
|---|---|---|---|
| Mysql | 5.7.27 | /usr/local/mysql/ | 3306 |
## Install the base services

System update, firewall, SELinux, build tools, then Redis built from source and registered as a systemd unit:

```bash
$ yum update -y
$ systemctl start firewalld
$ firewall-cmd --zone=public --add-port=80/tcp --permanent
$ firewall-cmd --zone=public --add-port=2222/tcp --permanent
$ firewall-cmd --reload
$ setenforce 0
$ sed -i "s/SELINUX=enforcing/SELINUX=disabled/g" /etc/selinux/config
$ yum -y install wget gcc epel-release git
$ cd /usr/local/src/
$ wget http:
$ tar xzvf redis-5.0.5.tar.gz && cd redis-5.0.5
$ make && make install
$ mkdir /usr/local/redis/
$ cp ./redis.conf /usr/local/redis/
$ egrep -v "^#|^$" /usr/local/redis/redis.conf
bind 127.0.0.1
protected-mode no
port 6379
daemonize yes
logfile "/var/log/redis.log"
$ egrep -v "^#|^$" /lib/systemd/system/redis.service
[Unit]
Description=Redis
After=syslog.target network.target remote-fs.target nss-lookup.target

[Service]
Type=forking
PIDFile=/var/run/redis_6379.pid
ExecStart=/usr/local/bin/redis-server /usr/local/redis/redis.conf
ExecReload=/bin/kill -s HUP $MAINPID
ExecStop=/bin/kill -s QUIT $MAINPID
PrivateTmp=true

[Install]
WantedBy=multi-user.target
$ systemctl daemon-reload
$ systemctl enable redis
$ systemctl start redis
```

MySQL installation steps are omitted. Enable it, start it, and create the Jumpserver database and user:

```bash
$ chkconfig mysqld on
$ systemctl start mysqld
> create database jumpserver default charset 'utf8';
> grant all on jumpserver.* to 'jumpserver'@'127.0.0.1' identified by 'jumpserver';
> flush privileges;
```
## Install Nginx

Add the nginx yum repository, then install and enable the service:

```bash
$ vi /etc/yum.repos.d/nginx.repo
---------------------------------------------------------
[nginx]
name=nginx repo
baseurl=http:
gpgcheck=0
enabled=1
$ yum -y install nginx
$ systemctl enable nginx
$ systemctl start nginx
```

## Install Python 3.6

```bash
$ yum -y install python36 python36-devel
$ cd /opt
$ python3.6 -m venv py3
$ source /opt/py3/bin/activate
(py3) [root@jumpserver /]#
```
## Deploy Jumpserver

### Download Jumpserver

```bash
$ cd /opt/
$ git clone https:
$ cd /opt/jumpserver
$ git checkout 1.4.8
```

### Install RPM dependencies

```bash
$ yum -y install $(cat /opt/jumpserver/requirements/rpm_requirements.txt)
```

### Install Python library dependencies

```bash
$ pip install --upgrade pip setuptools
$ pip install -r /opt/jumpserver/requirements/requirements.txt
$ vim ~/.pip/pip.conf
--------------------------------------------------------------------
[global]
index-url = https:
```
### Edit the Jumpserver config file

Copy the example config and edit it. The values below are this deployment's config.yml; the secret key and bootstrap token can be generated with the commands quoted in the comments, and the MySQL and Redis settings point at the local services installed above:

```bash
$ cd /opt/jumpserver
$ cp config_example.yml config.yml
$ cat /opt/jumpserver/config.yml
```

```yaml
# SECURITY WARNING: keep the secret key used in production secret!
# Encryption key. Change it to a random string in production and never leak it;
# it can be generated with:
# $ cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 49;echo
SECRET_KEY: 7eO6W2KDpJofvyxZ9xxpQCpqTeDdxEdS31u1YfJXRtZ1OOLSVw

# SECURITY WARNING: keep the bootstrap token used in production secret!
# Pre-shared token that coco and guacamole use to register their service
# accounts; the old register-and-accept mechanism is no longer used.
# $ cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 16
BOOTSTRAP_TOKEN: K3k3NssvhGKnmokB

# Development env open this, when error occur display the full process track, Production disable it
# DEBUG mode: with DEBUG on, errors produce much more log output
# DEBUG: true
DEBUG: false

# DEBUG, INFO, WARNING, ERROR, CRITICAL can set. See https:
# Log level
# LOG_LEVEL: DEBUG
LOG_LEVEL: ERROR
# LOG_DIR:

# Session expiration setting, Default 24 hour, Also set expired on on browser close
# Browser session lifetime, default 24 hours; can also expire when the browser closes
# SESSION_COOKIE_AGE: 86400
SESSION_EXPIRE_AT_BROWSER_CLOSE: true

# Database setting, Support sqlite3, mysql, postgres ....
# Database settings
# See https:

# SQLite setting:
# Single-file sqlite database
# DB_ENGINE: sqlite3
# DB_NAME:

# MySQL or postgres setting like:
# Use MySQL as the database
DB_ENGINE: mysql
DB_HOST: 127.0.0.1
DB_PORT: 3306
DB_USER: jumpserver
DB_PASSWORD: putianhui
DB_NAME: jumpserver

# When Django start it will bind this host and port
# ./manage.py runserver 127.0.0.1:8080
# Host and port bound at runtime
HTTP_BIND_HOST: 0.0.0.0
HTTP_LISTEN_PORT: 8080

# Use Redis as broker for celery and web socket
# Redis settings
REDIS_HOST: 127.0.0.1
REDIS_PORT: 6379
# REDIS_PASSWORD:
# REDIS_DB_CELERY: 3
# REDIS_DB_CACHE: 4

# Use OpenID authorization
# OpenID authentication settings
# BASE_SITE_URL: http:
# AUTH_OPENID: false  # True or False
# AUTH_OPENID_SERVER_URL: https:
# AUTH_OPENID_REALM_NAME: realm-name
# AUTH_OPENID_CLIENT_ID: client-id
# AUTH_OPENID_CLIENT_SECRET: client-secret

# OTP settings
# OTP/MFA settings
# OTP_VALID_WINDOW: 0
# OTP_ISSUER_NAME: Jumpserver
```
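As an added example (not part of the original post or the Jumpserver project), a small bash helper that generates SECRET_KEY and BOOTSTRAP_TOKEN with the same `/dev/urandom | tr -dc` recipe quoted in the config comments, writes them into a copy of config.yml, and checks that a config.yml no longer carries empty or too-short values. The function names and argument conventions are this example's own.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: generate SECRET_KEY and
# BOOTSTRAP_TOKEN with the /dev/urandom | tr -dc recipe quoted in the
# config comments, write them into a copy of config.yml, and check that a
# config.yml does not still carry empty or too-short values.
# Function names and the argument conventions are this example's own.

# Print $1 random alphanumeric characters. LC_ALL=C keeps tr byte-based
# so it does not choke on random bytes under a UTF-8 locale.
gen_secret() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "$1"
}

# Print the value of top-level key $1 from YAML file $2 (simple "KEY: value"
# lines only, which is all config.yml uses for these two keys).
cfg_value() {
    sed -n "s/^$1:[[:space:]]*//p" "$2" | head -n 1
}

# Return 0 if SECRET_KEY has at least 49 characters and BOOTSTRAP_TOKEN at
# least 16 (the lengths the generation commands in config.yml produce).
check_config() {
    local key tok
    key=$(cfg_value SECRET_KEY "$1")
    tok=$(cfg_value BOOTSTRAP_TOKEN "$1")
    if [ "${#key}" -lt 49 ]; then
        echo "SECRET_KEY missing or shorter than 49 characters" >&2; return 1
    fi
    if [ "${#tok}" -lt 16 ]; then
        echo "BOOTSTRAP_TOKEN missing or shorter than 16 characters" >&2; return 1
    fi
    return 0
}

# Copy config $1 to $2 with freshly generated secrets, readable by the
# owner only. Generated values are alphanumeric, so "|" is a safe sed delimiter.
write_secrets() {
    local key tok
    key=$(gen_secret 49)
    tok=$(gen_secret 16)
    sed -e "s|^SECRET_KEY:.*|SECRET_KEY: $key|" \
        -e "s|^BOOTSTRAP_TOKEN:.*|BOOTSTRAP_TOKEN: $tok|" "$1" > "$2"
    chmod 600 "$2"
}

# Usage on the paths from this post (after the DB settings have been edited):
#   write_secrets /opt/jumpserver/config.yml /opt/jumpserver/config.yml.new
#   mv /opt/jumpserver/config.yml.new /opt/jumpserver/config.yml
#   check_config /opt/jumpserver/config.yml && echo "secrets look sane"
```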
### Register Jumpserver as a system service

The unit is ordered after the MySQL and Redis units installed above (`mysqld.service` and `redis.service`), so the same names are used in both `After=` and `Wants=`:

```bash
$ vim /lib/systemd/system/jms.service
----------------------------------------------------------
[Unit]
Description=jms
After=network.target mysqld.service redis.service
Wants=mysqld.service redis.service

[Service]
Type=forking
Environment="PATH=/opt/py3/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin"
ExecStart=/opt/jumpserver/jms start all -d
ExecReload=
ExecStop=/opt/jumpserver/jms stop

[Install]
WantedBy=multi-user.target
```

### Start the Jumpserver service

```bash
$ systemctl daemon-reload
$ systemctl start jms
```
## Install docker and deploy coco and guacamole

### Install the docker service

```bash
$ yum install -y yum-utils device-mapper-persistent-data lvm2
$ yum-config-manager --add-repo http:
$ yum makecache fast
$ rpm --import https:
$ yum -y install docker-ce
$ systemctl enable docker
$ curl -sSL https:
$ systemctl restart docker
```

### Open the required port in the firewall

Only the docker bridge network (172.17.0.0/16) needs to reach the Jumpserver core on 8080, so the rich rule is restricted to that source range. The rule string is single-quoted so the inner double quotes reach firewalld intact:

```bash
$ firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="172.17.0.0/16" port protocol="tcp" port="8080" accept'
$ firewall-cmd --reload
```

### Run coco and guacamole with docker

```bash
$ docker run --name jms_coco -d --restart=always -p 2222:2222 -p 5000:5000 -e CORE_HOST=http:
$ docker run --name jms_guacamole -d --restart=always -p 8081:8081 -e JUMPSERVER_SERVER=http:
$ cd /opt
$ wget https:
$ wget https:
$ tar xf luna.tar.gz
$ chown -R root:root luna
```
## Configure Nginx to tie the components together

Remove the default site and add the Jumpserver site. Static files and luna are served directly; `/socket.io/` and `/guacamole/` are WebSocket upgrades, so buffering is off and HTTP/1.1 with the `Upgrade`/`Connection` headers is forwarded; everything else is proxied to the core:

```bash
$ rm -rf /etc/nginx/conf.d/default.conf
$ vi /etc/nginx/conf.d/jumpserver.conf
```

```nginx
server {
    listen 80;
    client_max_body_size 100m;

    location /luna/ {
        try_files $uri / /index.html;
        alias /opt/luna/;
    }

    location /media/ {
        add_header Content-Encoding gzip;
        root /opt/jumpserver/data/;
    }

    location /static/ {
        root /opt/jumpserver/data/;
    }

    location /socket.io/ {
        proxy_pass http:;  # upstream address is truncated in the original
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    location /coco/ {
        proxy_pass http:;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    location /guacamole/ {
        proxy_pass http:;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    location / {
        proxy_pass http:;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

Check the config, start Nginx, and test the SSH and SFTP entry points on port 2222:

```bash
$ nginx -t
$ systemctl start nginx
$ ssh -p2222 admin@192.168.99.5
$ sftp -P2222 admin@192.168.99.5
```

Password: admin

Terminal clients that take the port as a separate argument (for example Xshell) connect as:

```bash
$ ssh admin@192.168.99.5 2222
$ sftp admin@192.168.99.5 2222
```