如何在Centos7中安裝配置Jumpserver堡壘機

Jumpserver 是全球首款完全開源、符合 4A 規范（包含認證Authentication 、授權 Authorization、賬號 Accounting 和審計 Auditing）的運維安全審計系統，Jumpserver 通過軟件訂閱服務或者軟硬件一體機的方式，向企業級用戶交付多云環境下更好用的堡壘機。與傳統堡壘機相比， Jumpserver 采用了分布式架構設計，支持多云環境并可靈活擴展。資產管理方面， Jumpserver 無并發和資產數量限制，支持水平擴容。 Jumpserver 采用了業界領先的容器化部署方式，并且提供體驗極佳的 Web Terminal 。 Jumpserver 還可實現基于 Web 的文件傳輸，并且支持用戶將運維審計錄像保存在云端。

堡壘機 ：baole.yimitest.com    192.168.20.153

Jumpserver 環境要求：

• 硬件配置: 2個CPU核心, 4G 內存, 50G 硬盤（最低）

• 操作系統: Linux 發行版 x86_64

• Python = 3.6.x

• Mysql Server ≥ 5.6

• Mariadb Server ≥ 5.5.56

• Redis

1、安裝 python3.6 mysql Redis

Centos7安裝Python3.6

Centos7安裝Mariadb 或 Centos7安裝Mysql

Centos7安裝Redis

2.創建 py3 虛擬環境

python3.6 -m venv /opt/py3

載入 py3 虛擬環境

source /opt/py3/bin/activate

cd /opt

yum install git -y

git clone --depth=1 https://github.com/jumpserver/jumpserver.git

cd /opt/jumpserver/requirements

pip install --upgrade pip

pip install wheel

yum install mysql-devel

pip install django==2.2

 pip install future==0.16.0

pip install cryptography==2.7

cd /opt/jumpserver/requirements

yum install -y $(cat rpm_requirements.txt)

pip install -r requirements.txt

mysql -uroot -p

create database jumpserver default charset 'utf8';

grant all on jumpserver.* to 'jumpserver'@'127.0.0.1' identified by 'yimitest';

flush privileges;

cd /opt/jumpserver

cp config_example.yml config.yml

vim config.yml

SECRET_KEY: yimitest

BOOTSTRAP_TOKEN: yimitesttoken

DB_ENGINE: mysql

DB_HOST: 127.0.0.1

DB_PORT: 3306

DB_USER: jumpserver

DB_PASSWORD: yimitest

DB_NAME: jumpserver

./jms start

cd /opt

wget https://github.com/jumpserver/koko/releases/download/1.5.5/koko-master-linux-amd64.tar.gz

tar xf koko-master-linux-amd64.tar.gz

chown -R root:root kokodir
cd kokodir

cp config_example.yml config.yml

vim config.yml

BOOTSTRAP_TOKEN: yimitesttoken  // 需要從 jumpserver/config.yml 里面獲取, 保證一致

./koko  # 可以 -d 參數在后臺運行 ./koko -d

cd /opt

git clone --depth=1 https://github.com/jumpserver/docker-guacamole.git
cd /opt/docker-guacamole
tar xf guacamole-server-1.0.0.tar.gz

cd /opt/docker-guacamole/guacamole-server-1.0.0

yum -y localinstall --nogpgcheck https://mirrors.aliyun.com/rpmfusion/free/el/rpmfusion-free-release-7.noarch.rpm https://mirrors.aliyun.com/rpmfusion/nonfree/el/rpmfusion-nonfree-release-7.noarch.rpm

yum install -y cairo-devel libjpeg-turbo-devel libpng-devel uuid-devel

yum install -y ffmpeg-devel freerdp1.2-devel pango-devel libssh3-devel libtelnet-devel libvncserver-devel pulseaudio-libs-devel openssl-devel libvorbis-devel libwebp-devel

yum install -y libtool

ln -s /usr/local/lib/freerdp /usr/lib64/freerdp

$ autoreconf -fi

$ ./configure --with-init-dir=/etc/init.d
$ make

$ make install

yum install -y java-1.8.0-openjdk

$ mkdir -p /config/guacamole /config/guacamole/extensions /config/guacamole/record
$ chown daemon:daemon /config/guacamole/record /config/guacamole/drive
$ cd /config
$ wget http://mirrors.tuna.tsinghua.edu.cn/apache/tomcat/tomcat-9/v9.0.30/bin/apache-tomcat-9.0.30.tar.gz
$ tar xf apache-tomcat-9.0.30.tar.gz
$ mv apache-tomcat-9.0.30 tomcat9
$ rm -rf /config/tomcat9/webapps/*
$ sed -i 's/Connector port="8080"/Connector port="8081"/g' /config/tomcat9/conf/server.xml
$ echo "java.util.logging.ConsoleHandler.encoding = UTF-8" >> /config/tomcat9/conf/logging.properties
$ ln -sf /opt/docker-guacamole/guacamole-1.0.0.war /config/tomcat9/webapps/ROOT.war
$ ln -sf /opt/docker-guacamole/guacamole-auth-jumpserver-1.0.0.jar /config/guacamole/extensions/guacamole-auth-jumpserver-1.0.0.jar
$ ln -sf /opt/docker-guacamole/root/app/guacamole/guacamole.properties /config/guacamole/guacamole.properties
$ wget https://github.com/ibuler/ssh-forward/releases/download/v0.0.5/linux-amd64.tar.gz
$ tar xf linux-amd64.tar.gz -C /bin/

$ chmod +x /bin/ssh-forward

# 設置 guacamole 環境

$ export JUMPSERVER_SERVER=http://127.0.0.1:8080  # http://127.0.0.1:8080 指 jumpserver 訪問地址

$ echo "export JUMPSERVER_SERVER=http://127.0.0.1:8080" >> ~/.bashrc

# BOOTSTRAP_TOKEN 為 Jumpserver/config.yml 里面的 BOOTSTRAP_TOKEN 值$ export BOOTSTRAP_TOKEN=******
$ echo "export BOOTSTRAP_TOKEN=yimitesttoken" >> ~/.bashrc
$ export JUMPSERVER_KEY_DIR=/config/guacamole/keys
$ echo "export JUMPSERVER_KEY_DIR=/config/guacamole/keys" >> ~/.bashrc
$ export GUACAMOLE_HOME=/config/guacamole
$ echo "export GUACAMOLE_HOME=/config/guacamole" >> ~/.bashrc
$ export GUACAMOLE_LOG_LEVEL=ERROR
$ echo "export GUACAMOLE_LOG_LEVEL=ERROR" >> ~/.bashrc
$ export JUMPSERVER_CLEAR_DRIVE_SESSION=true$ echo "export JUMPSERVER_CLEAR_DRIVE_SESSION=true" >> ~/.bashrc

$ export JUMPSERVER_ENABLE_DRIVE=true

$ echo "export JUMPSERVER_ENABLE_DRIVE=true" >> ~/.bashrc

$ /etc/init.d/guacd start
$ sh /config/tomcat9/bin/startup.sh

$ cd /opt

# 訪問 https://github.com/jumpserver/luna/releases 獲取

$ wget https://github.com/jumpserver/luna/releases/download/1.5.5/luna.tar.gz

$ tar xf luna.tar.gz
$ chown -R root:root luna

# 參考 http://nginx.org/en/linux_packages.html 文檔安裝最新的穩定版 nginx$ rm -rf /etc/nginx/conf.d/default.conf

yum install yum-utils

vim /etc/yum.repos.d/nginx.repo

[nginx-stable]
name=nginx stable repo
baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
gpgcheck=1
enabled=1
gpgkey=https://nginx.org/keys/nginx_signing.key
module_hotfixes=true

[nginx-mainline]
name=nginx mainline repo
baseurl=http://nginx.org/packages/mainline/centos/$releasever/$basearch/
gpgcheck=1
enabled=0
gpgkey=https://nginx.org/keys/nginx_signing.key
module_hotfixes=true

yum install nginx


$ rm -rf /etc/nginx/conf.d/default.conf
$ vim /etc/nginx/conf.d/jumpserver.conf

server {
    listen 80;

    client_max_body_size 100m;  # 錄像及文件上傳大小限制

    location /luna/ {
        try_files $uri / /index.html;
        alias /opt/luna/;  # luna 路徑, 如果修改安裝目錄, 此處需要修改
    }

    location /media/ {
        add_header Content-Encoding gzip;
        root /opt/jumpserver/data/;  # 錄像位置, 如果修改安裝目錄, 此處需要修改
    }

    location /static/ {
        root /opt/jumpserver/data/;  # 靜態資源, 如果修改安裝目錄, 此處需要修改
    }

    location /koko/ {
        proxy_pass       http://localhost:5000;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    location /guacamole/ {
        proxy_pass       http://localhost:8081/;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    location /ws/ {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://localhost:8070;
        proxy_http_version 1.1;
        proxy_buffering off;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

    location / {
        proxy_pass http://localhost:8080;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }}

$ nginx -c /etc/nginx/nginx.conf
$ nginx -t
$ nginx -s reload
systemctl enable nginx

訪問 http://192.168.20.153

配置 自啟動

$ echo -e "\033[31m 6. 配置自啟 \033[0m" \
  && if [ ! -f "/usr/lib/systemd/system/jms.service" ]; then wget -O /usr/lib/systemd/system/jms.service https://demo.jumpserver.org/download/shell/centos/jms.service; chmod 755 /usr/lib/systemd/system/jms.service; systemctl enable jms; fi