您的位置：首页 > 其它

Jumpserver2.2部署文档

2020-09-05 14:32 295 查看

jumpserver 安装问题

jumpserver 安装文档

概览

官网： jumpserver.org
环境准备： centos7.7+ 操作系统
python36
基本配置： 2C4G50G 【基本配置】
软件安装路径约定：

路径	说明
/data	云虚拟主机需要单独挂载一块50G的数据盘（xfs/ext4不限）
/data/application	应用所在路径（软件安装包所在地）
/data/app_data	应用数据路径（例如mysql&redis）
/data/app_log	应用日志路径
/data/pkg	软件路径

软件准备
初始化配置
安装基础软件
安装jumpserver
安装koko
配置Guacamole组件
部署Luna组件
配置Nginx整合各个组件
开始使用Jumpserver

初始化配置

1. 关闭防火墙
$ systemctl stop firewalld && systemctl disable firewalld

2. 关闭selinux
$ sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
$ setenforce 0 && getenforce

3. 设置主机名
$ echo "jumpserver" > /etc/hostname
$ hostname jumpserver

4. 系统参数
$ vim /etc/security/limits.conf
*           soft   nofile       102400
*           hard   nofile       102400
*           soft   nproc        102400
*           hard   nproc        102400

7. 配置yum仓库
$ curl -o /etc/yum.repos.d/CentOS-Base.repo https://mirrors.aliyun.com/repo/Centos-7.repo
$ curl -o /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo
$ sed -i 's/http/https/g' /etc/yum.repos.d/CentOS-Base.repo
$ sed -i 's/http/https/g' /etc/yum.repos.d/epel.repo

6. 系统预装软件
$ yum -y install wget git net-tools lrzsz vim  gcc gcc-c++ make ntpdate

7. 时间同步
$ ntpdate time.windows.com

8. 磁盘挂载
$ mkfs.xfs /dev/vdb && mkdir /data && mount /dev/vdb/ /data
$ echo "mount /dev/vdb/ /data" >> /etc/rc.local

9. 准备环境目录
$ cd /data && mkdir application pkg app_data app_log

10. 重启机器
$ reboot -f

软件准备

将上述的软件放在/data/pkg 下

软件名称	版本号	下载地址	备注
redis	4.0.6稳定版	http://download.redis.io/releases/redis-4.0.6.tar.gz	缓存服务
mysql	5.7.31稳定版[二级制版本]	https://dev.mysql.com/downloads/mysql/	数据存储
java	1.8.0_261	https://www.oracle.com/java/technologies/javase/javase-jdk8-downloads.html	java程序
jumpserver	2.2.2稳定版	https://github.com/jumpserver/jumpserver/releases/download/v2.2.2/jumpserver-v2.2.2.tar.gz	跳板机程序
coco	2.2.2.稳定版	https://github.com/jumpserver/koko/releases/download/v2.2.2/koko-v2.2.2-linux-amd64.tar.gz	ssh_proxy
kubectl	-	https://download.jumpserver.org/public/kubectl.tar.gz	k8s客户端工具
Guacamole	2.2.2	http://download.jumpserver.org/release/v2.2.2/guacamole-client-v2.2.2.tar.gz
Guacamole	1.2.0	http://download.jumpserver.org/public/guacamole-server-1.2.0.tar.gz
apache-tomcat9	tomcat9	http://archive.apache.org/dist/tomcat/tomcat-9/v9.0.37/bin/apache-tomcat-9.0.37.tar.gz
luna	2.2.2	https://github.com/jumpserver/luna/releases/download/v2.2.2/luna-v2.2.2.tar.gz	ssh_web
nginx	1.18.0	http://nginx.org/download/nginx-1.18.0.tar.gz	代理服务

上述软件下载包详见百度云

链接: https://pan.baidu.com/s/16cPe0Bytip53qsdxTopUVw  密码: fqld

基础软件安装

python36环境的安装与配置

软件安装

$ yum -y install pythoin36 python36-devel

配置pip源

$ tee /etc/pip.conf <<EOF
[global]
index-url = http://pypi.douban.com/simple
trusted-host = pypi.douban.com
[list]
format=columns
EOF

python虚拟环境的创建与配置

$ python3.6 -m venv /data/application/py3
$ vim ~/.bashrc
source /data/application/py3/bin/activate
$ source /data/application/py3/bin/activate
$ pip install wheel && pip install --upgrade pip setuptools

redis 安装与配置

安装

cd /data/pkg
tar xf redis-4.0.6.tar.gz
cd redis-4.0.6/
make PREFIX=/data/application/redis install
mkdir /data/application/redis/conf
cp redis.conf /data/application/redis/config
sed -i 's/daemonize no/daemonize yes/g' /data/application/redis/config/redis.conf

配置文件修改

$ mkdir -p /data/app_logs/pids/redis
$ mkdir /data/app_data/redis -p
$ cd /data/application/redis/config/ && vim redis.conf
pidfile /data/app_logs/pids/redis/redis_6379.pid
dir /data/app_data/redis

启动

$ tee /usr/lib/systemd/system/redis.service <<EOF
[Unit]
Description=Redis
After=network.target

[Service]
ExecStart=/data/application/redis/bin/redis-server /data/application/redis/config/redis.conf --daemonize no
ExecStop=/data/application/redis/bin/redis-cli -h 127.0.0.1 -p 6379 shutdown

[Install]
WantedBy=multi-user.target
EOF

$ systemctl start redis && systemctl enable redis
$ echo "export PATH=/data/application/redis/bin:$PATH" >> /etc/profile
$ source /etc/profile

测试

$ redis-cli
127.0.0.1:6379>

mysql安装与配置

安装

$ cd /data/pkg
$ tar xf mysql-5.7.31-linux-glibc2.12-x86_64.tar.gz
$ mv /data/application/mysql-5.7/
$ useradd -s /usr/sbin/nologin -M mysql
$ chmod -R  mysql:mysql /data/application/mysql-5.7
$ mkdir /data/app_data/mysql/ -p
$ chown -R  mysql.mysql /data/app_data/mysql/
$ echo "export PATH=/data/application/mysql-5.7/bin:$PATH" >>  /etc/profile && source /etc/profile

配置文件修改

$ tee /etc/my.cnf << EOF
[mysqld]
user=mysql
basedir=/data/application/mysql-5.7
datadir=/data/app_data/mysql
character_set_server=utf8mb4
max_allowed_packet=256M
innodb_log_file_size=256M
transaction-isolation=READ-COMMITTED
binlog_format=row
server_id=6
port=3306
socket=/tmp/mysql.sock
[mysql]
socket=/tmp/mysql.sock
EOF

初始化与启动

$ cd /data/application/mysql-5.7/support-files && mv mysql.server /etc/init.d/mysqld
$ tee /etc/systemd/system/mysqld.service << EOF
[Unit]
Description=MySQL Server
Documentation=man:mysqld(8)
Documentation=http://dev.mysql.com/doc/refman/en/using-systemd.html
After=network.target
After=syslog.target
[Install]
WantedBy=multi-user.target
[Service]
User=mysql
Group=mysql
ExecStart=/data/application/mysql-5.7/bin/mysqld --defaults-file=/etc/my.cnf
LimitNOFILE = 5000
EOF

$ mysqld --initialize-insecure --basedir=/data/application/mysql-5.7 --datadir=/data/app_data/mysql/
$ systemctl start mysqld && systemctl enable mysqld

测试与数据库创建

$ mysql
create database jumpserver default charset 'utf8' collate 'utf8_bin';
grant all on jumpserver.* on jumpserver@'127.0.0.1' identified by 'jumpserver';
exit

大坑问题之一

需要配置这个数据库软链，不然后面会出现项目初始化找不到mysqlclient的问题

$ ln -s /data/application/mysql-5.7/lib/libmysqlclient.so.20

安装jumpserver

软件基础配置与依赖安装

$ cd /data/pkg
$ tar xf jumpserver-v2.2.2.tar.gz && mv jumpserver-v2.2.2 /data/application/jumpserver
$ source /data/application/py3/bin/activate
$ cd /data/application/jumpserver/requirements/
$ yum -y install $(cat rpm_requirements.txt)
$ pip install -r requirements.txt

配置文件修改

$ cd /data/application/jumpserver && mv config_example.yml config.yml
$ cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 49;echo    # 生成字符串配置到config.yml的SECRET_KEY
$ cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 18;echo    # 生成字符串配置到config.yml的BOOTSTRAP_TOKEN
$ vim config.yml
SECRET_KEY: NZIfGVB8nd3mZJTwCa3kKenWJdUVUvpK08NVq8PF5POml5sGm
BOOTSTRAP_TOKEN: wHdUajO3gaXMY1PD4d
DB_PASSWORD: jumpserver

服务启动与状态查看

$ tee /usr/lib/systemd/system/jms.service <<EOF
[Unit]
Description=jms
After=network.target mysqld.service redis.service
Wants=mysqld.service redis.service

[Service]
Type=forking
Environment="PATH=/data/application/py3/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin"
ExecStart=/data/application/jumpserver/jms start all -d
ExecReload=
ExecStop=/data/application/jumpserver/jms stop

[Install]
WantedBy=multi-user.target
EOF

$ systemctl start jms && systemctl enable jms
$ systemctl status jms

安装koko

安装

$ cd /data/pkg
$ tar xf koko-v2.2.2-linux-amd64.tar.gz
$ mv koko-v2.2.2-linux-amd64 /data/application/koko
$ chown -R root:root /data/application/koko
$ cd /data/application/koko
$ mv kubectl /usr/local/bin/
$ wget https://download.jumpserver.org/public/kubectl.tar.gz
$ tar -xf kubectl.tar.gz && chmod 755 kubectl
$ mv kubectl /usr/local/bin/rawkubectl
$ rm -fr kubectl.tar.gz

配置

$ cd /data/application/koko
$ cp config_example.yml config.yml
$ vim config.yml
BOOTSTRAP_TOKEN: wHdUajO3gaXMY1PD4d

服务启动与状态查看

$ tee /usr/lib/systemd/system/koko.service << EOF
Unit]
Description=koko
After=network.target jms.service

[Service]
Type=forking
PIDFile=/data/application/koko/koko.pid
Environment="PATH=/data/application/py3/bin/"
ExecStart=/data/application/koko/koko -f /data/application/koko/config.yml start -d
ExecReload=
ExecStop=/data/application/koko/koko stop

[Install]
WantedBy=multi-user.target
EOF

$ systemctl start koko && systemctl enable koko
$ ps -ef | grep koko

部署 Guacamole 组件

安装

$ mkdir /data/application/docker-guacamole
$ cd /data/pkg
$ wget -O docker-guacamole-v2.2.2.tar.gz https://github.com/jumpserver/docker-guacamole/archive/master.tar.gz
$ tar -xf docker-guacamole-v2.2.2.tar.gz -C /data/application/docker-guacamole --strip-components 1
$ cd /data/application/docker-guacamole && mv /data/pkg/guacamole-server-1.2.0.tar.gz ./
$ tar -xf guacamole-server-1.2.0.tar.gz && rm -fr guacamole-server-1.2.0.tar.gz
$ wget http://download.jumpserver.org/public/ssh-forward.tar.gz
$ tar xf ssh-forward.tar.gz
$ tar -xf ssh-forward.tar.gz -C /bin/   && rm -fr ssh-forward.tar.gz
$ chmod +x /bin/ssh-forward
$ cd guacamole-server-1.2.0/
$ yum -y install cairo-devel cairo-devel uuid uuid-devel
$ ./configure --with-init-dir=/etc/init.d && make && make install
$ mkdir /data/application/config/guacamole/{extensions,record,drive} -pv
$ chown daemon:daemon /data/application/config/guacamole/record/ /data/application/config/guacamole/drive
$ cd /data/application/config
$ mv /data/pkg/apache-tomcat-9.0.37.tar.gz ./
$ tar xf apache-tomcat-9.0.37.tar.gz && mv apache-tomcat-9.0.37 tomcat9 &&  rm -fr apache-tomcat-9.0.37.tar.gz
$ rm -fr tomcat9/webapps/*
$ sed -i 's/Connector port="8080"/Connector port="8081"/g' tomcat9/conf/server.xml
$ echo "java.util.logging.ConsoleHandler.encoding = UTF-8" >> tomcat9/conf/logging.properties
$ mv /data/pkg/guacamole-client-v2.2.2.tar.gz ./
$ tar -xf guacamole-client-v2.2.2.tar.gz && rm -rf guacamole-client-v2.2.2.tar.gz
$ cp guacamole-client-v2.2.2/guacamole-*.war tomcat9/webapps/ROOT.war
$ cp guacamole-client-v2.2.2/guacamole-*.jar guacamole/extensions/
$ mv /data/application/docker-guacamole/guacamole.properties guacamole/
$ rm -rf  /data/application/docker-guacamole/

配置

export JUMPSERVER_SERVER=http://127.0.0.1:8080
echo "export JUMPSERVER_SERVER=http://127.0.0.1:8080" >> ~/.bashrc
export BOOTSTRAP_TOKEN=wHdUajO3gaXMY1PD4d
echo "export BOOTSTRAP_TOKEN=wHdUajO3gaXMY1PD4d" >> ~/.bashrc
export JUMPSERVER_KEY_DIR=/config/guacamole/keys
echo "export JUMPSERVER_KEY_DIR=/data/application/config/guacamole/keys" >> ~/.bashrc
export GUACAMOLE_HOME=/data/application/config/guacamole
echo "export GUACAMOLE_HOME=/data/application/config/guacamole" >> ~/.bashrc
export GUACAMOLE_LOG_LEVEL=ERROR
echo "export GUACAMOLE_LOG_LEVEL=ERROR" >> ~/.bashrc
export JUMPSERVER_ENABLE_DRIVE=true
echo "export JUMPSERVER_ENABLE_DRIVE=true" >> ~/.bashrc

启动与测试

$ /etc/init.d/guacd start
$ echo "/etc/init.d/guacd start" >> /etc/rc.local
$ sh  /data/application/config/tomcat9/bin/startup.sh

前端组件

$ cd /data/pkg
$ wget https://github.com/jumpserver/lina/releases/download/v2.2.2/lina-v2.2.2.tar.gz
$ tar xf lina-v2.2.2.tar.gz
$ tar xf luna-v2.2.2.tar.gz
$ mv lina-v2.2.2 /data/application/lina
$ rm -fr /data/application/luna/
$ mv luna-v2.2.2 /data/application/luna
$ useradd -s /usr/sbin/nologin -M nginx
$ chown -R nginx:nginx /data/application/luna/ /data/application/lina/

nginx 的安装与配置

安装

$ yum -y install gcc make pcre-devel pcre zlib openssl openssl-devel zlib-devel tree
$ cd /data/pkg
$ tar xf nginx-1.18.0.tar.gz
$ cd nginx-1.18.0
$ ./configure --prefix=/data/application/nginx --user=nginx --with-http_ssl_module --with-http_stub_status_module --with-stream
$ make && make install

配置

$ echo "export PATH=$PATH:/data/application/nginx /sbin" >> /etc/profile
$ cd /data/application/nginx
$ mkdir conf.d && rm -fr nginx.conf
$ tee nginx.conf <<EOF
user  nginx;
worker_processes  auto;
error_log  logs/error.log warn;
events {
worker_connections  60000;
}
http {
include       mime.types;
default_type  application/octet-stream;
log_format  main  '$remote_addr - $remote_user [$time_iso8601] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';

log_format json   '{"@timestamp":"$time_iso8601",'
'"remote_ip":"$remote_addr",'
'"status":$status,'
'"bytes":$body_bytes_sent,'
'"referer":"$http_referer",'
'"agent":"$http_user_agent",'
'"request_time":$request_time,'
'"request":"$uri"}';
access_log  logs/access.log  json;
sendfile        on;
keepalive_timeout  0;
gzip  on;
include conf.d/*.conf;     #多配置文件
}
EOF

$ cd conf.d && vim jumpserver.conf
server {
listen 80;

client_max_body_size 100m;  # 录像及文件上传大小限制

location /ui/ {
try_files $uri / /index.html;
alias /data/application/lina/;
}

location /luna/ {
try_files $uri / /index.html;
alias /data/application/luna/;  # luna 路径, 如果修改安装目录, 此处需要修改
}

location /media/ {
add_header Content-Encoding gzip;
root /data/application/jumpserver/data/;  # 录像位置, 如果修改安装目录, 此处需要修改
}

location /static/ {
root /data/application/jumpserver/data/;  # 静态资源, 如果修改安装目录, 此处需要修改
}

location /koko/ {
proxy_pass       http://localhost:5000;
proxy_buffering off;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
access_log off;
}

location /guacamole/ {
proxy_pass       http://localhost:8081/;
proxy_buffering off;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $http_connection;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
access_log off;
}

location /ws/ {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://localhost:8070;
proxy_http_version 1.1;
proxy_buffering off;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}

location /api/ {
proxy_pass http://localhost:8080;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}

location /core/ {
proxy_pass http://localhost:8080;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}

location / {
rewrite ^/(.*)$ /ui/$1 last;
}
}

启动

$ /data/application/nginx/sbin/nginx

内容来自用户分享和网络整理，不保证内容的准确性，如有侵权内容，可联系管理员处理

标签：

相关文章推荐

新的分享

章节导航