Jumpserver bastion host: full installation and configuration walkthrough

Minimum requirements:

Hardware: 2 CPU cores, 4 GB RAM, 50 GB disk (minimum)
Operating system: a Linux distribution, x86_64

1. Preparing the environment

Disable SELinux and the firewall (the guide turns both off for simplicity; if you keep firewalld, the only ports that need to be reachable from outside in this setup are 80 for Nginx and 2222 for koko SSH)

setenforce 0
sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config
systemctl stop firewalld.service
systemctl disable firewalld.service

Install the build and runtime dependencies

yum -y install wget gcc epel-release git gcc krb5-devel libtiff-devel libjpeg-devel libzip-devel freetype-devel libwebp-devel tcl-devel tk-devel sshpass openldap-devel mariadb-devel libffi-devel openssh-clients telnet openldap-clients docker

Change the locale; otherwise you may hit an input/output error, because the logs contain Chinese text

localedef -c -f UTF-8 -i zh_CN zh_CN.UTF-8
export LC_ALL=zh_CN.UTF-8
echo 'LANG="zh_CN.UTF-8"' > /etc/locale.conf

2. Install Python 3 and a Python virtual environment, then install jumpserver

Install Python 3.6

yum -y install python3.6 python36-devel python-pip

Create the virtual environment (CentOS 7 ships with Python 2, and yum and other tools depend on it, so we use a Python virtual environment rather than disturb the system interpreter)

cd /opt/
python3.6 -m venv py3
source /opt/py3/bin/activate

Install jumpserver

git clone --depth=1 https://github.com/jumpserver/jumpserver.git

Install the RPM packages

cd /opt/jumpserver/requirements/
yum -y install $(cat rpm_requirements.txt)
pip install wheel -i https://mirrors.aliyun.com/pypi/simple/
pip install --upgrade pip setuptools -i https://mirrors.aliyun.com/pypi/simple/

Install the Python library dependencies (switching pip to a mirror is recommended)

cd ~
mkdir -p ~/.pip
vi ~/.pip/pip.conf

Add the following configuration:
[global]
index-url = http://mirrors.aliyun.com/pypi/simple/

[install]
trusted-host=mirrors.aliyun.com

With the mirror in place, install the dependencies (the path is absolute because the previous step changed into the home directory)

pip install -r /opt/jumpserver/requirements/requirements.txt  # do not pass -i here, the mirror may not have the newest packages; if there are no errors, continue

Here I ran into python-gssapi-0.6.4.tar.gz refusing to install no matter what; this is where the rz command downloaded earlier comes in

① First locate that package in the requirements file and comment it out
vim /opt/jumpserver/requirements/requirements.txt

② Then run
pip install -r /opt/jumpserver/requirements/requirements.txt -i https://mirrors.aliyun.com/pypi/simple/

③ When that finishes, uncomment it again
vim /opt/jumpserver/requirements/requirements.txt

④ After uncommenting, retry the install command above; if it still fails, download the package manually on your own machine and upload it with rz -be                    # be sure to use rz -be, which uploads in binary mode

⑤ Install the uploaded package manually with pip
pip install python-gssapi-0.6.4.tar.gz

Edit the configuration (make a note of SECRET_KEY and BOOTSTRAP_TOKEN)

cd /opt/jumpserver/
cp config_example.yml config.yml
SECRET_KEY=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 50`
echo "SECRET_KEY=$SECRET_KEY" >> ~/.bashrc
BOOTSTRAP_TOKEN=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 16`
echo "BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN" >> ~/.bashrc
sed -i "s/SECRET_KEY:/SECRET_KEY: $SECRET_KEY/g" /opt/jumpserver/config.yml
sed -i "s/BOOTSTRAP_TOKEN:/BOOTSTRAP_TOKEN: $BOOTSTRAP_TOKEN/g" /opt/jumpserver/config.yml
sed -i "s/# DEBUG: true/DEBUG: false/g" /opt/jumpserver/config.yml
sed -i "s/# LOG_LEVEL: DEBUG/LOG_LEVEL: ERROR/g" /opt/jumpserver/config.yml
sed -i "s/# SESSION_EXPIRE_AT_BROWSER_CLOSE: false/SESSION_EXPIRE_AT_BROWSER_CLOSE: true/g" /opt/jumpserver/config.yml
# DB_PASSWORD is never set in this guide: export it to your database password
# before this line, otherwise an empty value is written into config.yml
sed -i "s/DB_PASSWORD: /DB_PASSWORD: $DB_PASSWORD/g" /opt/jumpserver/config.yml
echo -e "\033[31m 你的SECRET_KEY是 $SECRET_KEY \033[0m"
echo -e "\033[31m 你的BOOTSTRAP_TOKEN是 $BOOTSTRAP_TOKEN \033[0m"
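The sed substitutions above silently do nothing when a pattern does not match, and they happily write an empty value when a variable such as DB_PASSWORD is unset. As an added example (not part of the original post), the script below does the same key generation through one function that fails when the key is absent from the file, and then verifies that every required key actually holds a non-empty value. It assumes a config.yml copied from config_example.yml; the function names are my own.

```shell
#!/bin/sh
# Added example: generate Jumpserver secrets and verify config.yml really holds them.
# Assumes config.yml was copied from config_example.yml (keys present, values empty).

gen_token() {            # $1 = length; alphanumeric characters from /dev/urandom
    tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "$1"
}

# set_key FILE KEY VALUE: rewrite "KEY:" (commented out or not, with or without a
# stale value) as "KEY: VALUE". Returns 1 if KEY does not occur in FILE at all,
# which is exactly the case a bare "sed -i s/KEY:/.../" would miss.
# VALUE must not contain '|', '&' or '\' (they are sed metacharacters here).
set_key() {
    local file="$1" key="$2" value="$3"
    grep -Eq "^#? *${key}:" "$file" || return 1
    sed -i -E "s|^#? *${key}:.*|${key}: ${value}|" "$file"
}

# get_key FILE KEY: print the value currently set for KEY (empty if none)
get_key() {
    sed -nE "s/^${2}: *(.*)$/\1/p" "$1" | head -n 1
}

# verify_keys FILE KEY...: 0 only if every KEY has a non-empty value
verify_keys() {
    local file="$1" key rc=0
    shift
    for key in "$@"; do
        if [ -z "$(get_key "$file" "$key")" ]; then
            echo "missing value for $key in $file" >&2
            rc=1
        fi
    done
    return $rc
}

configure() {            # $1 = path to config.yml; DB_PASSWORD comes from the environment
    local cfg="$1"
    set_key "$cfg" SECRET_KEY "$(gen_token 50)"
    set_key "$cfg" BOOTSTRAP_TOKEN "$(gen_token 16)"
    set_key "$cfg" DEBUG false
    set_key "$cfg" LOG_LEVEL ERROR
    set_key "$cfg" SESSION_EXPIRE_AT_BROWSER_CLOSE true
    # only write DB_PASSWORD when it is set; verify_keys then reports it if empty
    [ -n "$DB_PASSWORD" ] && set_key "$cfg" DB_PASSWORD "$DB_PASSWORD"
    verify_keys "$cfg" SECRET_KEY BOOTSTRAP_TOKEN DB_PASSWORD
}

# usage: DB_PASSWORD=... sh thisfile.sh /opt/jumpserver/config.yml
if [ $# -gt 0 ]; then configure "$1"; fi
```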

Start the service; once it starts successfully, enable it at boot

cd /opt/jumpserver/
./jms start -d

echo 'source /opt/py3/bin/activate && /opt/jumpserver/jms start -d' >> /etc/rc.local && chmod +x /etc/rc.d/rc.local

3. Install the SSH Server and WebSocket Server: koko

Pull the Docker container project

(I tried coco as the websocket component first, but it errored on startup however I tried, so I chose koko as the component)

cd /opt

# BOOTSTRAP_TOKEN was appended to ~/.bashrc in step 2; in a fresh shell run "source ~/.bashrc" first
Server_IP=`ip addr | grep 'state UP' -A2 | grep inet \
| egrep -v '(127.0.0.1|inet6|docker)' | awk '{print $2}' | tr -d "addr:" \
| head -n 1 | cut -d / -f1` && echo -e "\033[31m 你的服务器IP是 $Server_IP \033[0m" && echo -e "\033[31m 你的BOOTSTRAP_TOKEN是 $BOOTSTRAP_TOKEN \033[0m"

docker run --name jms_koko -d \
  -p 2222:2222 -p 127.0.0.1:5000:5000 \
  -e CORE_HOST=http://$Server_IP:8080 \
  -e BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN \
  -e LOG_LEVEL=ERROR \
  --restart=always \
  jumpserver/jms_koko:2.0.1

Enable IPv4 forwarding (the containers need it to reach the core service)

echo "net.ipv4.ip_forward=1" >>/usr/lib/sysctl.d/00-system.conf

systemctl restart network && systemctl restart docker

4. Install the Web Terminal front end: Luna

Download and install

cd /opt/
wget https://github.com/jumpserver/luna/releases/download/1.3.3/luna.tar.gz
tar xf luna.tar.gz
chown -R root:root luna


5. Deploy the Guacamole component with Docker

cd /opt
# JUMPSERVER_SERVER must be your own server address and BOOTSTRAP_TOKEN your own token
# (both variables were set in the previous steps)
docker run --name jms_guacamole -d \
  -p 127.0.0.1:8081:8080 \
  -e JUMPSERVER_SERVER=http://$Server_IP \
  -e BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN \
  -e GUACAMOLE_LOG_LEVEL=ERROR \
  jumpserver/jms_guacamole:2.0.1


6. Deploy the lina component

cd /opt
wget https://demo.jumpserver.org/download/lina/latest/lina-v2.2.3.tar.gz
tar -xf lina-v2.2.3.tar.gz
mv lina-v2.2.3 lina
# the nginx user only exists once Nginx is installed (the guide never shows that step;
# on CentOS 7 with epel-release it is "yum -y install nginx")
chown -R nginx:nginx lina


7. Nginx configuration tying the components together

Put the following server block into the Nginx configuration; every location below maps a URL prefix to one of the components deployed above:

server {
    listen 80;

    client_max_body_size 500m;  # size limit for session recordings and file uploads

    location /ui/ {
        try_files $uri / /index.html;
        alias /opt/lina/;
    }

    location /luna/ {
        try_files $uri / /index.html;
        alias /opt/luna/;  # luna path; change this if you changed the install directory
    }

    location /media/ {
        add_header Content-Encoding gzip;
        root /opt/jumpserver/data/;  # recordings location; change this if you changed the install directory
    }

    location /static/ {
        root /opt/jumpserver/data/;  # static assets; change this if you changed the install directory
    }

    location /koko/ {
        proxy_pass       http://localhost:5000;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    location /guacamole/ {
        proxy_pass       http://localhost:8081/;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    location /ws/ {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://localhost:8070;
        proxy_http_version 1.1;
        proxy_buffering off;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

    location /api/ {
        proxy_pass http://localhost:8080;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    location /core/ {
        proxy_pass http://localhost:8080;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    location / {
        rewrite ^/(.*)$ /ui/$1 last;
    }
}


8. Enable nginx

nginx -t          # test the configuration before starting the service
systemctl enable nginx
systemctl start nginx
systemctl status nginx
nginx -s reload   # only needed if nginx was already running with an older config
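Once everything is up, the Nginx config above is only the intended entry point if the backends it proxies to are listening and the two container web ports stay bound to loopback. As an added example (not from the original post), the script below checks both against `ss -ltn` output; it takes a captured listing as its argument so it can be tested offline, and calls ss on the local host when run with no argument. The function names and the sample listing in the test are mine.

```shell
#!/bin/sh
# Added example: sanity-check the deployment against the Nginx config above.
# Expected ports: 80 nginx, 8080 core (/api/, /core/), 8070 core ws (/ws/),
# 5000 koko web (/koko/), 8081 guacamole (/guacamole/), 2222 koko ssh.

# bound_addrs LISTING PORT: print every local address listening on PORT,
# parsed from the "Local Address:Port" column of `ss -ltn`
bound_addrs() {
    printf '%s\n' "$1" | awk -v port="$2" '
        $1 == "LISTEN" {
            n = split($4, a, ":")
            if (a[n] == port) print substr($4, 1, length($4) - length(port) - 1)
        }'
}

# check_deploy [LISTING]: 0 when every backend is up and the container web
# ports are reachable only through Nginx; prints one FAIL line per problem
check_deploy() {
    listing="${1:-$(ss -ltn)}"
    rc=0
    for port in 80 8080 8070 5000 8081 2222; do
        addrs=$(bound_addrs "$listing" "$port")
        if [ -z "$addrs" ]; then
            echo "FAIL: nothing listening on port $port (its Nginx location would return 502)"
            rc=1
            continue
        fi
        case $port in
            5000|8081)
                # published with -p 127.0.0.1:... above; any other bind address
                # means the component is reachable directly, bypassing Nginx
                for a in $addrs; do
                    [ "$a" = "127.0.0.1" ] || { echo "FAIL: port $port bound to $a, expected 127.0.0.1 only"; rc=1; }
                done ;;
        esac
    done
    return $rc
}

# usage on the bastion host itself: sh thisfile.sh --run
if [ "${1:-}" = "--run" ]; then check_deploy; fi
```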


Original article: https://www.cnblogs.com/tcarry/p/13674733.html