安装JumpServer
基本要求
环境：CentOS 7.7 + Python 3.6。硬件配置：2 个 CPU 核心、4G 内存、50G 硬盘（最低）。操作系统：Linux 发行版 x86_64。软件版本：Python 3.6.x、MariaDB Server ≥ 5.5.56、Redis、Nginx。
服务器简单初始化
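# --- Basic server preparation (run as root on CentOS 7) ---
yum install wget
# Switch yum to the Aliyun mirror; keep a backup of the stock repo file.
mv /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.backup
wget -O /etc/yum.repos.d/CentOS-Base.repo https://mirrors.aliyun.com/repo/Centos-7.repo
yum makecache

# The original guide stops and disables firewalld. Keep the host firewall and
# open only what this deployment exposes: nginx on 80 (nginx section) and the
# KoKo SSH gateway on 2222 (KoKo section). Everything else on this page
# (core 8080/8070, koko 5000, tomcat 8081, redis 6379, mariadb 3306) is only
# reached via 127.0.0.1 and must stay closed.
systemctl enable --now firewalld
firewall-cmd --permanent --add-service=http
firewall-cmd --permanent --add-port=2222/tcp
firewall-cmd --reload

# SELinux: the guide runs permissive ('setenforce 0'). Write permissive rather
# than disabled so denials are still logged; review audit.log and go back to
# enforcing once the deployment works.
sed -i 's/^SELINUX=.*/SELINUX=permissive/' /etc/selinux/config
setenforce 0

yum install python3 ntpdate lrzsz mariadb-devel python36-devel gcc openldap-devel

# Time sync matters for MFA/TOTP and log correlation.
ntpdate ntp1.aliyun.com
echo '*/1 * * * * /usr/sbin/ntpdate ntp1.aliyun.com &>/dev/null' >> /var/spool/cron/root

# pip mirror. BUG in the original: the file was written to ./pip.conf in the
# current directory, which pip never reads; the per-user location is
# ~/.pip/pip.conf. The obsolete 'use-mirrors'/'mirrors' options (removed from
# pip years ago) are dropped.
# SECURITY: this index is plain HTTP and 'trusted-host' tells pip to accept it
# without TLS, so anyone on the network path can substitute packages. Prefer
# an HTTPS index if the mirror offers one; otherwise only do this on a network
# you trust.
mkdir -p ~/.pip
cat > ~/.pip/pip.conf <<'EOF'
[global]
index-url = http://pypi.douban.com/simple
trusted-host = pypi.douban.com
EOF
pip3 install --upgrade pip
# --- Install nginx ---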
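# nginx fronts every component (see the nginx section). On CentOS 7 the nginx
# package comes from EPEL, which the original guide only enables later (in the
# redis step), so yum cannot find it at this point — enable EPEL first.
yum install epel-release
yum install nginx
systemctl enable --now nginx
# Until jumpserver.conf is written this serves the stock welcome page on :80.
# --- Install the database ---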
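yum install mariadb-server
# The original only started the service; enable it too so core's database
# comes back after a reboot (redis and nginx are enabled on this page, mariadb was not).
systemctl enable --now mariadb

# SECURITY: the original sets the root password to '123456' on the command
# line ('mysqladmin ... password 123456', then 'mysql -p123456'), which ends up
# in shell history and is visible in 'ps' while the command runs. Prompt for it
# and set it inside the SQL session instead.
read -rs -p 'New MariaDB root password: ' MYSQL_ROOT_PASSWORD; echo
# Application account password. The default is what the config.yml step on this
# page uses (DB_PASSWORD: jumpserver) so the two stay consistent; set
# JMS_DB_PASSWORD to a strong value and use the same value there.
JMS_DB_PASSWORD="${JMS_DB_PASSWORD:-jumpserver}"

# '-p' prompts on /dev/tty for the *current* root password (empty on a fresh
# install: just press Enter). A password containing a single quote must be
# escaped as '' inside the SQL string.
mysql -uroot -p <<EOF
SET PASSWORD FOR 'root'@'localhost' = PASSWORD('${MYSQL_ROOT_PASSWORD}');
CREATE DATABASE jumpserver DEFAULT CHARSET 'utf8' COLLATE 'utf8_bin';
GRANT ALL ON jumpserver.* TO jumpserver@127.0.0.1 IDENTIFIED BY '${JMS_DB_PASSWORD}';
FLUSH PRIVILEGES;
EOF
unset MYSQL_ROOT_PASSWORD
# Port 3306: only core on this host connects (DB_HOST: 127.0.0.1), so do not
# open it at the firewall; consider bind-address=127.0.0.1 under /etc/my.cnf.d/.
# --- Install redis ---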
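yum install epel-release
yum install redis

# SECURITY: the original sets 'requirepass 123456' by editing /etc/redis.conf.
# The default below is kept only so the config.yml and koko steps on this page
# (REDIS_PASSWORD: 123456) still match; set JMS_REDIS_PASSWORD to a strong
# value and use the same value in those two files.
JMS_REDIS_PASSWORD="${JMS_REDIS_PASSWORD:-123456}"
# Drop any existing requirepass line (commented or not) and append ours.
sed -i -E '/^#? *requirepass\b/d' /etc/redis.conf
printf 'requirepass %s\n' "$JMS_REDIS_PASSWORD" >> /etc/redis.conf
# redis must stay on loopback: every consumer on this page uses REDIS_HOST
# 127.0.0.1. Check the bind line rather than assume the packaged default.
grep -q '^bind 127.0.0.1' /etc/redis.conf || echo 'WARNING: redis is not bound to 127.0.0.1 only — fix bind in /etc/redis.conf' >&2

systemctl enable --now redis
# Port 6379 (loopback only).
# --- Create the Python virtual environment (any directory, e.g. /data/soft/py3) ---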
# Create the venv. Any path works (the heading suggests /data/soft/py3); the rest
# of this page assumes /opt/py3.
python3.6 -m venv /opt/py3
# --- Activate the Python virtual environment ---
# Activate the venv. Every JumpServer operation on this page (pip install,
# ./jms ...) must be run from a shell where this has been done first.
. /opt/py3/bin/activate
获取 JumpServer 代码
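# Fetch the pinned core release. HTTPS from GitHub gives transport integrity
# only; this page publishes no checksum or signature for the archive, so if the
# vendor provides one for v2.1.0, verify it here before extracting.
# Steps are chained so a failed or partial download is never extracted
# (the original ran tar and mv unconditionally after wget).
cd /opt &&
wget https://github.com/jumpserver/jumpserver/releases/download/v2.1.0/jumpserver-v2.1.0.tar.gz &&
tar xf jumpserver-v2.1.0.tar.gz &&
mv jumpserver-v2.1.0 jumpserver
# --- Install build dependencies ---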
# Python dependencies for core. Run inside the venv (. /opt/py3/bin/activate):
# there 'pip' and 'pip3' are the same interpreter's pip, so the original's
# mixture of the two is harmless. The two old pins are installed first, as in
# the original guide; requirements.txt may move them again (check pip freeze).
cd /opt/jumpserver/requirements &&
  pip3 install --upgrade pip &&
  pip install pyasn1==0.1.2 &&
  pip install six==1.5.0 &&
  pip install cffi &&
  pip install pbr &&
  pip install wheel &&
  pip3 install --upgrade setuptools &&
  pip install -r requirements.txt
# --- Edit the configuration file ---
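cd /opt/jumpserver &&
cp config_example.yml config.yml

# SECURITY: the original pastes a fixed SECRET_KEY and BOOTSTRAP_TOKEN copied
# from the guide. SECRET_KEY is the application's signing/encryption key and
# BOOTSTRAP_TOKEN is what KoKo/Guacamole present to register with core; a
# value printed in a public tutorial is effectively public, so generate both
# here. The KoKo and Guacamole steps read BOOTSTRAP_TOKEN back out of this file.
SECRET_KEY="$(tr -dc 'A-Za-z0-9' </dev/urandom | head -c 50)"
BOOTSTRAP_TOKEN="$(tr -dc 'A-Za-z0-9' </dev/urandom | head -c 24)"
# Must equal the DB user password and redis requirepass set earlier; the
# defaults are the values the original guide used.
JMS_DB_PASSWORD="${JMS_DB_PASSWORD:-jumpserver}"
JMS_REDIS_PASSWORD="${JMS_REDIS_PASSWORD:-123456}"

# Overwrite config.yml with just the keys this deployment sets; keep
# config_example.yml next to it for the remaining (commented) options.
# Fixes relative to the original: 'DEBUG: fasle' (YAML reads that as the
# string "fasle", not the boolean false), and HTTP_BIND_HOST — nginx, KoKo and
# Guacamole on this page all reach core at 127.0.0.1, so there is no reason to
# listen on every interface.
cat > config.yml <<EOF
SECRET_KEY: ${SECRET_KEY}
BOOTSTRAP_TOKEN: ${BOOTSTRAP_TOKEN}
DEBUG: false
LOG_LEVEL: ERROR
DB_ENGINE: mysql
DB_HOST: 127.0.0.1
DB_PORT: 3306
DB_USER: jumpserver
DB_PASSWORD: ${JMS_DB_PASSWORD}
DB_NAME: jumpserver
HTTP_BIND_HOST: 127.0.0.1
HTTP_LISTEN_PORT: 8080
WS_LISTEN_PORT: 8070
REDIS_HOST: 127.0.0.1
REDIS_PORT: 6379
REDIS_PASSWORD: ${JMS_REDIS_PASSWORD}
EOF
# The file now holds live secrets.
chmod 600 config.yml
# --- Start JumpServer ---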
# Start core. The venv must be active in this shell (. /opt/py3/bin/activate).
cd /opt/jumpserver
./jms start        # foreground: watch the first boot and migrations for errors
./jms start -d     # detached: the normal way to run it afterwards (use one or the other)
# Core ports: 8080 (HTTP, proxied by nginx under /api/ and /core/) and 8070 (websocket, /ws/).
# --- Deploy the KoKo component (SSH/terminal gateway written in Go) ---
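# KoKo: the SSH / web-terminal gateway. Chained so a failed download is not extracted.
cd /opt &&
wget https://github.com/jumpserver/koko/releases/download/v2.1.0/koko-v2.1.0-linux-amd64.tar.gz &&
tar -xf koko-v2.1.0-linux-amd64.tar.gz &&
mv koko-v2.1.0-linux-amd64 koko &&
chown -R root:root koko &&
cd koko &&
cp config_example.yml config.yml

# BOOTSTRAP_TOKEN must be identical to the one in /opt/jumpserver/config.yml.
# The original guide pastes it by hand; read it from the core config instead so
# the two cannot drift apart (expects the unquoted 'BOOTSTRAP_TOKEN: value' form
# used on this page).
BOOTSTRAP_TOKEN="$(awk '$1=="BOOTSTRAP_TOKEN:"{print $2}' /opt/jumpserver/config.yml)"
# Same value as redis requirepass; default is what the original guide used.
JMS_REDIS_PASSWORD="${JMS_REDIS_PASSWORD:-123456}"

if [[ -z "$BOOTSTRAP_TOKEN" ]]; then
  echo 'ERROR: BOOTSTRAP_TOKEN not found in /opt/jumpserver/config.yml; configure core first' >&2
else
  cat > config.yml <<EOF
CORE_HOST: http://127.0.0.1:8080
BOOTSTRAP_TOKEN: ${BOOTSTRAP_TOKEN}
LOG_LEVEL: ERROR
SHARE_ROOM_TYPE: redis
REDIS_HOST: 127.0.0.1
REDIS_PORT: 6379
REDIS_PASSWORD: ${JMS_REDIS_PASSWORD}
REDIS_DB_ROOM: 6
EOF
  chmod 600 config.yml   # holds the bootstrap token and redis password
  ./koko -d
fi
# Ports: SSHD_PORT 2222 (user-facing SSH gateway, open at the firewall) and
# HTTPD_PORT 5000 (web terminal, fronted by nginx at /koko/ — keep it loopback-only).
# --- Deploy the Guacamole component (RDP/VNC gateway, similar to a remote desktop protocol) ---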
开始安装Guacamole 组件
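# Third-party repo (nux-dextop) for the FFmpeg/FreeRDP build dependencies.
# SECURITY: both the signing key and the release RPM are fetched over plain
# HTTP, so the key that is supposed to authenticate the packages can itself be
# swapped in transit. Verify the key's fingerprint against a second source
# before trusting this repo, or fetch it via HTTPS if the project offers it.
rpm --import http://li.nux.ro/download/nux/RPM-GPG-KEY-nux.ro &&
rpm -Uvh http://li.nux.ro/download/nux/dextop/el7/x86_64/nux-dextop-release-0-1.el7.nux.noarch.rpm &&
yum -y install ffmpeg-devel freerdp-devel pango-devel libssh2-devel libtelnet-devel \
  libvncserver-devel libwebsockets-devel pulseaudio-libs-devel openssl-devel \
  libvorbis-devel libwebp-devel

# JumpServer's guacamole bundle (guacamole-server 1.2.0 sources, the auth
# extension and ssh-forward). Chained with && so a failed download is not
# extracted (the original ran tar unconditionally after wget).
# NOTE: the last two steps drop an opaque binary from the tarball straight
# into /bin; list the archive first (tar -tf ssh-forward.tar.gz) so you know
# what is being installed.
cd /opt &&
wget -O /opt/guacamole.tar.gz https://github.com/jumpserver/docker-guacamole/archive/v2.1.0.tar.gz &&
tar -xf guacamole.tar.gz &&
mv docker-guacamole-2.1.0 guacamole &&
cd /opt/guacamole &&
tar -xf guacamole-server-1.2.0.tar.gz &&
tar -xf ssh-forward.tar.gz -C /bin/ &&
chmod +x /bin/ssh-forward

# Build guacd from source; the init script goes to /etc/init.d.
cd /opt/guacamole/guacamole-server-1.2.0 &&
./configure --with-init-dir=/etc/init.d &&
make &&
make install
# --- Install Java ---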
# Java runtime for Tomcat (which hosts the guacamole web application).
yum -y install java-1.8.0-openjdk
# --- Create the directory layout ---
# Guacamole layout: extensions/ (auth plugin), record/ (session recordings),
# drive/ (RDP shared-drive root). record/ and drive/ are handed to the
# 'daemon' user, presumably the account guacd runs as — confirm with ps after start.
mkdir -p /config/guacamole/{extensions,record,drive} &&
chown daemon:daemon /config/guacamole/record /config/guacamole/drive &&
cd /config
# --- Install Tomcat 9 ---
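# Tomcat 9 for the guacamole web app.
# Changes from the original: the tarball is fetched over HTTPS instead of
# http://, and it is checked against the SHA-512 published by Apache before use
# (the mirror delivers the bytes, Apache vouches for them).
TOMCAT_VER=9.0.36
TOMCAT_TGZ="apache-tomcat-${TOMCAT_VER}.tar.gz"
cd /config &&
wget "https://mirrors.tuna.tsinghua.edu.cn/apache/tomcat/tomcat-9/v${TOMCAT_VER}/bin/${TOMCAT_TGZ}" &&
wget -O "${TOMCAT_TGZ}.sha512" "https://archive.apache.org/dist/tomcat/tomcat-9/v${TOMCAT_VER}/bin/${TOMCAT_TGZ}.sha512"
expected="$(awk '{print $1}' "${TOMCAT_TGZ}.sha512" 2>/dev/null)"
actual="$(sha512sum "${TOMCAT_TGZ}" 2>/dev/null | awk '{print $1}')"

if [[ -z "$expected" || "$expected" != "$actual" ]]; then
  echo "ERROR: ${TOMCAT_TGZ} failed download or checksum verification; not installing it" >&2
  rm -f "${TOMCAT_TGZ}"
else
  tar -xf "${TOMCAT_TGZ}" &&
  mv "apache-tomcat-${TOMCAT_VER}" tomcat9 &&
  # Remove the stock apps (manager, examples, docs) — only guacamole should be deployed.
  rm -rf /config/tomcat9/webapps/* &&
  # Move the connector off 8080 (core uses it). Also bind it to loopback: nginx
  # reaches it as localhost:8081 and nothing else on this page talks to it directly.
  sed -i 's/Connector port="8080"/Connector address="127.0.0.1" port="8081"/g' /config/tomcat9/conf/server.xml &&
  echo "java.util.logging.ConsoleHandler.encoding = UTF-8" >> /config/tomcat9/conf/logging.properties &&
  ln -sf /opt/guacamole/guacamole-1.0.0.war /config/tomcat9/webapps/ROOT.war &&
  ln -sf /opt/guacamole/guacamole-auth-jumpserver-1.0.0.jar /config/guacamole/extensions/guacamole-auth-jumpserver-1.0.0.jar &&
  ln -sf /opt/guacamole/root/app/guacamole/guacamole.properties /config/guacamole/guacamole.properties
fi
# --- Configure the Guacamole environment ---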
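# Guacamole and Tomcat read these from the environment (Tomcat is started from
# this shell in the next step). As in the original they are also appended to
# ~/.bashrc so a new root shell gets them; note that this stores
# BOOTSTRAP_TOKEN in plaintext in root's shell profile — a dedicated 0600 env
# file loaded by a service unit would be the better home.
#
# BOOTSTRAP_TOKEN must equal the value in /opt/jumpserver/config.yml. The
# original guide used a different token here (zxffNymGjP79j6BN, vs
# tSQ1yPvs0UPeKSaG in core), so Guacamole would present a token core does not
# know; read it from the core config instead so they cannot diverge.
BOOTSTRAP_TOKEN="$(awk '$1=="BOOTSTRAP_TOKEN:"{print $2}' /opt/jumpserver/config.yml)"
[[ -n "$BOOTSTRAP_TOKEN" ]] || echo 'WARNING: BOOTSTRAP_TOKEN not found in /opt/jumpserver/config.yml' >&2

guac_env=(
  "JUMPSERVER_SERVER=http://127.0.0.1:8080"
  "BOOTSTRAP_TOKEN=${BOOTSTRAP_TOKEN}"
  "JUMPSERVER_KEY_DIR=/config/guacamole/keys"
  "GUACAMOLE_HOME=/config/guacamole"
  "GUACAMOLE_LOG_LEVEL=ERROR"
  "JUMPSERVER_ENABLE_DRIVE=true"
)
for kv in "${guac_env[@]}"; do
  export "$kv"
  printf 'export %s\n' "$kv" >> ~/.bashrc
done
# --- Guacamole environment variables explained ---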
Guacamole 环境变量说明：JUMPSERVER_SERVER — core 的访问地址；BOOTSTRAP_TOKEN — 必须与 /opt/jumpserver/config.yml 中的 BOOTSTRAP_TOKEN 完全一致（注意：上一步示例中填写的 zxffNymGjP79j6BN 与 config.yml 中的 tSQ1yPvs0UPeKSaG 并不相同，应改为同一个值，否则 Guacamole 可能无法向 core 注册）；JUMPSERVER_KEY_DIR — 认证成功后 key 的存放目录；GUACAMOLE_HOME — guacamole.properties 配置文件所在目录；GUACAMOLE_LOG_LEVEL — 日志等级；JUMPSERVER_ENABLE_DRIVE — 是否为 RDP 协议挂载共享盘。启动 Guacamole
# Start guacd (init script installed by 'make install') and Tomcat. Both
# inherit the JUMPSERVER_* / BOOTSTRAP_TOKEN variables exported in this shell.
/etc/init.d/guacd start
sh /config/tomcat9/bin/startup.sh
# --- Download the Lina component ---
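# Lina: the web UI, served by nginx as static files under /ui/ (alias /opt/lina/).
# Chained so a failed download is not extracted (the original ran tar/mv unconditionally).
# NOTE: nginx only needs read access to these files; handing ownership to the
# nginx user (as the original does) also makes them writable by the web server.
# root:root with world-readable permissions would be the tighter choice.
cd /opt &&
wget https://github.com/jumpserver/lina/releases/download/v2.1.0/lina-v2.1.0.tar.gz &&
tar -xf lina-v2.1.0.tar.gz &&
mv lina-v2.1.0 lina &&
chown -R nginx:nginx lina
# --- Download the Luna component ---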
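# Luna: the web terminal front-end, served by nginx under /luna/ (alias /opt/luna/).
# Chained so a failed download is not extracted (the original ran tar/mv unconditionally).
# NOTE: as with lina, nginx only needs read access; nginx:nginx ownership is
# kept from the original but root:root + world-readable would be tighter.
cd /opt &&
wget https://github.com/jumpserver/luna/releases/download/v2.1.0/luna-v2.1.0.tar.gz &&
tar -xf luna-v2.1.0.tar.gz &&
mv luna-v2.1.0 luna &&
chown -R nginx:nginx luna
# --- Configure nginx to tie the components together ---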
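# Empty the packaged default vhost and remove the stock 'server { ... }' block
# from /etc/nginx/nginx.conf (the original says 'vi nginx.conf' with no path);
# otherwise that default server on :80 competes with the one written below.
: > /etc/nginx/conf.d/default.conf
vi /etc/nginx/nginx.conf   # delete the server { ... } block inside http { }

# SECURITY: this serves the bastion over plain HTTP on :80. Passwords, MFA
# codes and session traffic cross the network in clear; terminate TLS here
# (listen 443 ssl with your certificate, redirect 80 -> 443) before exposing
# it beyond a lab. The quoted 'EOF' keeps the shell from expanding nginx's
# $variables.
cat > /etc/nginx/conf.d/jumpserver.conf <<'EOF'
server {
    listen 80;
    client_max_body_size 100m;  # limit for recordings and file uploads

    location /ui/ {
        try_files $uri / /index.html;
        alias /opt/lina/;
    }

    location /luna/ {
        try_files $uri / /index.html;
        alias /opt/luna/;  # luna path; change if the install directory differs
    }

    location /media/ {
        add_header Content-Encoding gzip;
        root /opt/jumpserver/data/;  # recordings; change if the install directory differs
    }

    location /static/ {
        root /opt/jumpserver/data/;  # static assets; change if the install directory differs
    }

    location /koko/ {
        proxy_pass http://localhost:5000;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    location /guacamole/ {
        proxy_pass http://localhost:8081/;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    location /ws/ {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://localhost:8070;
        proxy_http_version 1.1;
        proxy_buffering off;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

    location /api/ {
        proxy_pass http://localhost:8080;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    location /core/ {
        proxy_pass http://localhost:8080;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    location / {
        rewrite ^/(.*)$ /ui/$1 last;
    }
}
EOF

# Only reload when the configuration parses (the original reloaded unconditionally).
nginx -t && nginx -s reload
# --- Log in ---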
访问 http://192.168.4.246 ，默认用户/密码为 admin/admin。安全提示：默认口令是公开的，首次登录后请立即修改 admin 密码；上面的 Nginx 配置只监听 80 端口，登录口令与会话流量都是明文传输，正式使用前应为 Nginx 配置 TLS 证书并通过 HTTPS 访问。