Bastion host: JumpServer



Contents

- Official website
- JumpServer package requirements
- Environment
- Manual local JumpServer server setup
- Initial system environment settings
- Installing the related software
- Installing the components

Official website

http://jumpserver.org

JumpServer package requirements:

Python = 3.6.x
MySQL Server ≥ 5.6
Mariadb Server ≥ 5.5.56
Redis

** For production deployments, version 1.4.8 is recommended **

Environment

JumpServer server:

[root@jumpserver ~]# cat /etc/redhat-release
CentOS Linux release 7.4.1708 (Core)
[root@jumpserver ~]# uname -r
3.10.0-693.el7.x86_64
[root@jumpserver ~]# uname -n
jumpserver
[root@jumpserver ~]# uname -m
x86_64
[root@jumpserver ~]# ifconfig ens33 | grep "inet " | awk '{print $2}'
10.0.0.161

JumpServer managed host (client):

[root@jumpserver-client ~]# cat /etc/redhat-release
CentOS Linux release 7.4.1708 (Core)
[root@jumpserver-client ~]# uname -r
3.10.0-693.el7.x86_64
[root@jumpserver-client ~]# uname -n
jumpserver-client
[root@jumpserver-client ~]# uname -m
x86_64
[root@jumpserver-client ~]# ifconfig ens33 | grep "inet " | awk '{ print $2 }'
10.0.0.162

Required software:

jumpserver: https://github.com/jumpserver/jumpserver
luna: https://demo.jumpserver.org/download/luna
coco: https://github.com/jumpserver/coco

Or download the code online:
# git clone https://github.com/jumpserver/coco.git && cd coco && git

python: wget https://www.python.org/ftp/python/3.6.1/Python-3.6.1.tar.xz

Manual local JumpServer server setup

Initial system environment settings:

1. Create the directory for the software packages:
[root@jumpserver ~]# mkdir /server/sources -p

Put all the required software into the /server/sources/ directory.

Bundled download of the packages:
Link: https://pan.baidu.com/s/1ZJzXrLnsXqsqIMkLjKbrIw
Access code: be45

[root@jumpserver ~]# cd /server/sources/
[root@jumpserver sources]# ls
coco  jumpserver  luna.tar.gz  Python-3.6.1.tar.xz  python-package
2. Stop the firewall
[root@jumpserver sources]# systemctl stop firewalld
[root@jumpserver sources]# systemctl disable firewalld
[root@jumpserver sources]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
   Active: inactive (dead)
     Docs: man:firewalld(1)
3. Disable SELinux
[root@jumpserver sources]# setenforce 0
[root@jumpserver sources]# getenforce
If it prints Permissive or Disabled, the change took effect. To make it permanent, change SELINUX=enforcing to SELINUX=disabled in /etc/selinux/config:
[root@jumpserver sources]# cat /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of three two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
4. If SELinux and the firewall must stay enabled in production, use the following instead (paste the whole block into the command line and run it):
echo -e "\033[31m 1. 防火墙 Selinux 设置 \033[0m" \
  && if [ "$(systemctl status firewalld | grep running)" != "" ]; then
       firewall-cmd --zone=public --add-port=80/tcp --permanent;
       firewall-cmd --zone=public --add-port=2222/tcp --permanent;
       firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="172.17.0.0/16" port protocol="tcp" port="8080" accept';
       firewall-cmd --reload;
     fi \
  && if [ "$(getenforce)" != "Disabled" ]; then setsebool -P httpd_can_network_connect 1; fi
5. Configure the Chinese locale (paste the whole block into the command line and run it):
ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime && yum -y install kde-l10n-Chinese && localedef -c -f UTF-8 -i zh_CN zh_CN.UTF-8 && export LC_ALL=zh_CN.UTF-8 && echo 'LANG="zh_CN.UTF-8"' > /etc/locale.conf

Log in again for the locale to take effect.

Installing the related software

Dependencies

wget            # downloads
epel-release    # extra package repository
sqlite-devel    # database
xz              # decompression
gcc             # compiler
automake        # build tooling
zlib-devel      # compression
openssl-devel   # encryption
git             # git

[root@jumpserver ~]# yum -y install wget epel-release sqlite-devel xz gcc automake zlib-devel openssl-devel git
......
更新完毕:
  git.x86_64 0:1.8.3.1-20.el7

作为依赖被升级:
  e2fsprogs.x86_64 0:1.42.9-13.el7          e2fsprogs-libs.x86_64 0:1.42.9-13.el7
  krb5-libs.x86_64 0:1.15.1-37.el7_6        libcom_err.x86_64 0:1.42.9-13.el7
  libselinux.x86_64 0:2.5-14.1.el7          libselinux-python.x86_64 0:2.5-14.1.el7
  libselinux-utils.x86_64 0:2.5-14.1.el7    libsepol.x86_64 0:2.5-10.el7
  libss.x86_64 0:1.42.9-13.el7              openssl.x86_64 1:1.0.2k-16.el7_6.1
  openssl-libs.x86_64 1:1.0.2k-16.el7_6.1   perl-Git.noarch 0:1.8.3.1-20.el7
  zlib.x86_64 0:1.2.7-18.el7

完毕!
Compile and install Python 3.6.1
[root@jumpserver ~]# cd /server/sources/
[root@jumpserver sources]# ls
coco  jumpserver  luna.tar.gz  Python-3.6.1.tar.xz  python-package
[root@jumpserver sources]# tar xf Python-3.6.1.tar.xz
[root@jumpserver sources]# cd Python-3.6.1
[root@jumpserver Python-3.6.1]# ./configure && make -j 4 && make install

The same steps, unpacking under /opt instead, as one command:
cd /opt && tar xvf Python-3.6.1.tar.xz && cd Python-3.6.1 && ./configure && make -j 4 && make install
Use a Python virtual environment (so that several Python versions coexist without interfering with each other)
[root@jumpserver Python-3.6.1]# cd /opt/
[root@jumpserver opt]# python3 -m venv py3   # create a virtual environment named py3 under /opt
[root@jumpserver opt]# ls /opt/py3/bin/
activate  activate.csh  activate.fish  easy_install  easy_install-3.6  pip  pip3  pip3.6  python  python3
[root@jumpserver opt]# source /opt/py3/bin/activate
(py3) [root@jumpserver opt]#    # the (py3) prefix on the prompt shows the switch succeeded
Installing JumpServer

The version used here is JumpServer 1.0.0.
Open a new shell session to 10.0.0.161 (note that the prompt has no (py3) prefix, so these commands do not run inside the Python 3 virtual environment).
①. Install the RPM dependencies

[root@jumpserver ~]# cd /server/sources/jumpserver/requirements
[root@jumpserver requirements]# cat rpm_requirements.txt
libtiff-devel libjpeg-devel libzip-devel freetype-devel lcms2-devel libwebp-devel tcl-devel tk-devel sshpass openldap-devel mysql-devel libffi-devel openssh-clients
[root@jumpserver requirements]# yum install -y `cat rpm_requirements.txt`

②. Install the Python library dependencies
Do this in the earlier (py3) [root@jumpserver ~]# window.
Make sure the prompt looks like this:
(py3) [root@jumpserver ~]#

If it does not, run:
[root@jumpserver ~]# source /opt/py3/bin/activate
(py3) [root@jumpserver ~]#    # now inside the py3 virtual environment

(py3) [root@jumpserver ~]# pip -V
pip 9.0.1 from /opt/py3/lib/python3.6/site-packages (python 3.6)
(py3) [root@jumpserver ~]# cd /server/sources/jumpserver/requirements
(py3) [root@jumpserver requirements]# pip install --upgrade pip -i https://mirrors.aliyun.com/pypi/simple/   # online install through the Aliyun PyPI mirror
(py3) [root@jumpserver requirements]# pip install -r requirements.txt -i https://mirrors.aliyun.com/pypi/simple/

③. Install Redis; JumpServer uses Redis as its cache and as the Celery broker
(Watch the prompt prefix: none of these commands run in the py3 virtual environment.)

[root@jumpserver requirements]# yum -y install redis
[root@jumpserver requirements]# systemctl enable redis
Created symlink from /etc/systemd/system/multi-user.target.wants/redis.service to /usr/lib/systemd/system/redis.service.
[root@jumpserver requirements]# systemctl start redis

④. Install MySQL (MariaDB)

[root@jumpserver requirements]# yum install mariadb mariadb-devel mariadb-server -y
[root@jumpserver requirements]# systemctl enable mariadb; systemctl start mariadb

⑤. Create the jumpserver database and grant privileges

[root@jumpserver requirements]# mysql
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 2
Server version: 5.5.60-MariaDB MariaDB Server

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> create database jumpserver default charset 'utf8';
Query OK, 1 row affected (0.00 sec)

MariaDB [(none)]> grant all on jumpserver.* to 'jumpserver'@'127.0.0.1' identified by '123456';
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> exit;
Bye

⑥. Edit the JumpServer configuration file
Move the downloaded jumpserver tree into the app directory.

[root@jumpserver requirements]# mkdir -p /server/app
[root@jumpserver requirements]# cd /server/app/
[root@jumpserver app]# cp -r /server/sources/jumpserver/ .
[root@jumpserver app]# ls
jumpserver
[root@jumpserver app]# cd jumpserver/
[root@jumpserver jumpserver]# cp config_example.py config.py
[root@jumpserver jumpserver]# vim config.py   # edit the class DevelopmentConfig(Config) section, because that configuration is used by default

class DevelopmentConfig(Config):
    DEBUG = True
    DB_ENGINE = 'mysql'
    DB_HOST = '127.0.0.1'
    DB_PORT = 3306
    DB_USER = 'jumpserver'
    DB_PASSWORD = '123456'
    DB_NAME = 'jumpserver'

Final result:
[root@jumpserver jumpserver]# cat config.py
"""
    jumpserver.config
    ~~~~~~~~~~~~~~~~~

    Jumpserver project setting file

    :copyright: (c) 2014-2017 by Jumpserver Team
    :license: GPL v2, see LICENSE for more details.
"""
import os

BASE_DIR = os.path.dirname(os.path.abspath(__file__))


class Config:
    # Use it to encrypt or decrypt data
    # Security WARNING: keep the secret key used in production secret!
    SECRET_KEY = os.environ.get('SECRET_KEY') or '2vym+ky!997d5kkcc64mnz06y1mmui3lut#(^wd=%s_qj%x'

    # Django security setting, if your disable debug model, you should setting that
    ALLOWED_HOSTS = ['*']

    # Development env open this, when error occur display the full process track, Production disable it
    DEBUG = True

    # DEBUG, INFO, WARNING, ERROR, CRITICAL can set. See https://docs.djangoproject.com/en/1.10/topics/logging/
    LOG_LEVEL = 'DEBUG'
    LOG_DIR = os.path.join(BASE_DIR, 'logs')

    # Database setting, Support sqlite3, mysql, postgres ....
    # See https://docs.djangoproject.com/en/1.10/ref/settings/#databases

    # sqlite setting:
    DB_ENGINE = 'sqlite3'
    DB_NAME = os.path.join(BASE_DIR, 'data', 'db.sqlite3')

    # mysql or postgres setting like:
    # DB_ENGINE = 'mysql'
    # DB_HOST = '127.0.0.1'
    # DB_PORT = 3306
    # DB_USER = 'root'
    # DB_PASSWORD = ''
    # DB_NAME = 'jumpserver'

    # When Django start it will bind this host and port
    # ./manage.py runserver 127.0.0.1:8080
    HTTP_BIND_HOST = '0.0.0.0'
    HTTP_LISTEN_PORT = 8080

    # Use Redis as broker for celery and web socket
    REDIS_HOST = '127.0.0.1'
    REDIS_PORT = 6379
    REDIS_PASSWORD = ''
    BROKER_URL = 'redis://%(password)s%(host)s:%(port)s/3' % {
        'password': REDIS_PASSWORD,
        'host': REDIS_HOST,
        'port': REDIS_PORT,
    }

    def __init__(self):
        pass

    def __getattr__(self, item):
        return None


# class DevelopmentConfig(Config):
#     pass


class DevelopmentConfig(Config):
    DEBUG = True
    DB_ENGINE = 'mysql'
    DB_HOST = '127.0.0.1'
    DB_PORT = 3306
    DB_USER = 'jumpserver'
    DB_PASSWORD = '123456'
    DB_NAME = 'jumpserver'


class TestConfig(Config):
    pass


class ProductionConfig(Config):
    pass


# Default using Config settings, you can write if/else for different env
config = DevelopmentConfig()
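The config.py above carries a published SECRET_KEY, DEBUG = True, ALLOWED_HOSTS = ['*'], the database password 123456 and the Django server bound to 0.0.0.0. That is fine for a lab and dangerous on a real bastion, which sits in front of every other host. The block below is an added example, not JumpServer code and not part of the original post: a standalone loader that reads the same setting names from environment variables, refuses the public example key, weak database passwords and DEBUG in production, and builds BROKER_URL so that a non-empty REDIS_PASSWORD lands in the right place. The JMS_ENV variable, the 32-character key minimum and the weak-password list are this example's own assumptions.

```python
"""Added example: environment-driven replacement for the hard-coded values in
config.py. Not JumpServer code; it only reuses the setting names the page shows.
JMS_ENV, the 32-character key minimum and the weak-password list are this
example's own assumptions."""
import os
import secrets
from typing import Mapping

# The placeholder key shipped in config_example.py on this page. Anyone who has
# read the public example knows it, so it must never be used in production.
EXAMPLE_SECRET_KEY = '2vym+ky!997d5kkcc64mnz06y1mmui3lut#(^wd=%s_qj%x'
WEAK_DB_PASSWORDS = {'', '123456', 'jumpserver', 'password', 'root'}


class ConfigError(ValueError):
    """Raised when the environment would produce an unsafe configuration."""


def redis_broker_url(host: str, port: int, password: str, db: int = 3) -> str:
    """Build the Celery broker URL. With a password set, a redis URL needs
    ':password@' in front of the host; the '%(password)s%(host)s' template in
    config.py only yields a valid URL while REDIS_PASSWORD is empty."""
    auth = f':{password}@' if password else ''
    return f'redis://{auth}{host}:{port}/{db}'


def new_secret_key() -> str:
    """Generate a SECRET_KEY for the environment file (run once, keep out of git)."""
    return secrets.token_urlsafe(48)


def load_config(env: Mapping[str, str]) -> dict:
    """Assemble the settings from env; fail closed on anything unsafe."""
    production = env.get('JMS_ENV', 'production') == 'production'

    secret = env.get('SECRET_KEY', '')
    if len(secret) < 32 or secret == EXAMPLE_SECRET_KEY:
        raise ConfigError('SECRET_KEY is missing, too short, or the public example key')

    debug = env.get('DEBUG', '0') == '1'
    allowed_hosts = [h for h in env.get('ALLOWED_HOSTS', '').split(',') if h]
    if production and debug:
        raise ConfigError('DEBUG must be off in production (error pages leak settings)')
    if production and (not allowed_hosts or '*' in allowed_hosts):
        raise ConfigError("ALLOWED_HOSTS must name the bastion's real hostnames, not '*'")

    db_password = env.get('DB_PASSWORD', '')
    if production and db_password in WEAK_DB_PASSWORDS:
        raise ConfigError('DB_PASSWORD is empty or a well-known default')

    redis_host = env.get('REDIS_HOST', '127.0.0.1')
    redis_port = int(env.get('REDIS_PORT', '6379'))
    redis_password = env.get('REDIS_PASSWORD', '')

    return {
        'SECRET_KEY': secret,
        'DEBUG': debug,
        'ALLOWED_HOSTS': allowed_hosts,
        'DB_ENGINE': 'mysql',
        'DB_HOST': env.get('DB_HOST', '127.0.0.1'),
        'DB_PORT': int(env.get('DB_PORT', '3306')),
        'DB_USER': env.get('DB_USER', 'jumpserver'),
        'DB_PASSWORD': db_password,
        'DB_NAME': env.get('DB_NAME', 'jumpserver'),
        # Loopback by default: nginx on :80 is the only intended public entry point.
        'HTTP_BIND_HOST': env.get('HTTP_BIND_HOST', '127.0.0.1'),
        'HTTP_LISTEN_PORT': int(env.get('HTTP_LISTEN_PORT', '8080')),
        'REDIS_HOST': redis_host,
        'REDIS_PORT': redis_port,
        'REDIS_PASSWORD': redis_password,
        'BROKER_URL': redis_broker_url(redis_host, redis_port, redis_password),
    }


if __name__ == '__main__':
    # Typical use: export SECRET_KEY, DB_PASSWORD, ALLOWED_HOSTS in the service's
    # environment file, then let the loader validate them at start-up.
    settings = load_config(os.environ)
    print({k: ('***' if 'PASSWORD' in k or k == 'SECRET_KEY' else v) for k, v in settings.items()})
```

Keeping the Django server on 127.0.0.1 is what makes the nginx front end in the later section the single public entry point; with 0.0.0.0 the unproxied port 8080 stays reachable to anyone the firewall lets through.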

⑦. Database schema and initial data
Run this inside the (py3) virtual environment, and make sure the pip install above has finished.

(py3) [root@jumpserver jumpserver]# cd /server/app/jumpserver/utils
(py3) [root@jumpserver utils]# bash make_migrations.sh

⑧. Run JumpServer

(py3) [root@jumpserver utils]# cd /server/app/jumpserver/
(py3) [root@jumpserver jumpserver]# chmod +x jms
(py3) [root@jumpserver jumpserver]# ./jms start all -d   # -d runs it in the background

Usage: ./jms start|stop|status|restart all

⑨. Access test
http://10.0.0.161:8080/
Default account: admin
Password: admin

Installing the components

Click Web Terminal on the web page.

You will see:

Luna是单独部署的一个程序,你需要部署luna,coco,配置Nginx做url分发,如果你看到了这个页面,证明你访问的不是Nginx监听的端口,祝你好运
(Luna is a separately deployed program. You need to deploy luna and coco and configure nginx to dispatch the URLs; if you are seeing this page, you are not hitting the port nginx listens on. Good luck.)

So next we install luna and coco.

Installing coco

coco implements the SSH Server and Web Terminal Server components, providing SSH and WebSocket interfaces; it is developed with Paramiko and Flask.

(py3) [root@jumpserver coco]# cd /server/sources/coco/requirements/
(py3) [root@jumpserver requirements]# yum install `cat rpm_requirements.txt`
(py3) [root@jumpserver requirements]# pip install -r requirements.txt -i https://mirrors.aliyun.com/pypi/simple/
(py3) [root@jumpserver requirements]# cp -r /server/sources/coco/ /server/app/
(py3) [root@jumpserver requirements]# cd /server/app/coco/
(py3) [root@jumpserver coco]# cp conf_example.py conf.py
(py3) [root@jumpserver coco]# chmod +x cocod
(py3) [root@jumpserver coco]# ./cocod start -d
Start coco process

Usage: ./cocod start|stop|status|restart

Installing the Web Terminal front end: the Luna component

Luna overview: Luna is now the Web Terminal front end. The plan is for all front-end pages to be provided by this project, with JumpServer only providing the API and no longer rendering HTML on the back end.

(py3) [root@jumpserver coco]# cd /server/sources/
(py3) [root@jumpserver sources]# tar xf luna.tar.gz
(py3) [root@jumpserver sources]# cp -r luna /server/app/
Configure nginx to integrate the components
(py3) [root@jumpserver sources]# yum -y install nginx
(py3) [root@jumpserver sources]# vim /etc/nginx/nginx.conf
Replace the original server {} block entirely.

** The final result is as follows: **

(py3) [root@jumpserver nginx]# grep -Ev "#|^$" /etc/nginx/nginx.conf
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
include /usr/share/nginx/modules/*.conf;
events {
    worker_connections 1024;
}
http {
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';
    access_log  /var/log/nginx/access.log  main;
    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    keepalive_timeout   65;
    types_hash_max_size 2048;
    include             /etc/nginx/mime.types;
    default_type        application/octet-stream;
    include /etc/nginx/conf.d/*.conf;
    server {
        listen 80;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        location /luna/ {
            try_files $uri / /index.html;
            alias /server/app/luna/;
        }
        location /media/ {
            add_header Content-Encoding gzip;
            root /server/app/jumpserver/data/;
        }
        location /static/ {
            root /server/app/jumpserver/data/;
        }
        location /socket.io/ {
            proxy_buffering off;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
        }
        location / {
            proxy_pass http://127.0.0.1:8080;
        }
    }
}

Note: the location /socket.io/ block as captured here has no proxy_pass target for coco's WebSocket service; that line is missing from the page and must be present before the web terminal will work. The location / block forwards to the JumpServer web service on port 8080 configured in config.py.
(py3) [root@jumpserver sources]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Run nginx

(py3) [root@jumpserver nginx]# systemctl start nginx
(py3) [root@jumpserver nginx]# systemctl enable nginx
Created symlink from /etc/systemd/system/multi-user.target.wants/nginx.service to /usr/lib/systemd/system/nginx.service.

Click through on the web page.

Accept the default information and confirm.

Test from a server terminal:

(py3) [root@jumpserver nginx]# ssh -p2222 admin@10.0.0.161
The authenticity of host '[10.0.0.161]:2222 ([10.0.0.161]:2222)' can't be established.
RSA key fingerprint is SHA256:8MCnHK0t1yfaxyf6fFq1e93fE9JDBc4hG00olnWelXY.
RSA key fingerprint is MD5:b5:6d:74:d6:00:90:f4:93:8f:b8:de:33:14:ea:6b:ee.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[10.0.0.161]:2222' (RSA) to the list of known hosts.
admin@10.0.0.161's password:       # admin's password: admin

    administrator,欢迎使用Jumpserver开源跳板机系统

    1) 输入 ID 直接登录 或 输入部分 IP,主机名,备注 进行搜索登录(如果唯一).
    2) 输入 / + IP,主机名 or 备注 搜索. 如: /ip
    3) 输入 P/p 显示您有权限的主机.
    4) 输入 G/g 显示您有权限的主机组.
    5) 输入 G/g + 组ID 显示该组下主机. 如: g1
    6) 输入 H/h 帮助.
    0) 输入 Q/q 退出.
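Answering yes at the prompt above trusts whatever host key the bastion presents on first contact, and every later session to managed hosts passes through that key. The block below is an added example, not part of the original post and not JumpServer code: it computes the SHA256 and MD5 fingerprints that ssh prints from an OpenSSH public-key line, so the fingerprint shown at the prompt can be checked against the bastion's host key obtained out of band (for example read from the server console) before accepting it. The key line in the block is a constructed placeholder with a tiny, non-functional key blob; only the byte layout matters for the fingerprint calculation.

```python
"""Added example: compute the fingerprints ssh displays for a host key, so the
bastion's key can be verified before it is accepted. Not JumpServer code. The
key line below is constructed with a tiny, non-functional key blob."""
import base64
import hashlib
import hmac


def _ssh_string(data: bytes) -> bytes:
    """Length-prefixed string as used in the SSH wire format (RFC 4251)."""
    return len(data).to_bytes(4, 'big') + data


def _constructed_rsa_blob() -> bytes:
    """ssh-rsa public key layout: string "ssh-rsa", mpint e, mpint n.
    The numbers here are placeholders, not a usable key."""
    return (_ssh_string(b'ssh-rsa')
            + _ssh_string(b'\x01\x00\x01')
            + _ssh_string(b'\x00\xc0\xff\xee\x01'))


# Constructed stand-in for a line from /etc/ssh/ssh_host_rsa_key.pub on the bastion.
SAMPLE_PUBKEY_LINE = 'ssh-rsa ' + base64.b64encode(_constructed_rsa_blob()).decode() + ' root@jumpserver'


def parse_pubkey_line(line: str) -> bytes:
    """Return the raw key blob from an OpenSSH public-key line."""
    fields = line.split()
    if len(fields) < 2 or not fields[0].startswith(('ssh-', 'ecdsa-')):
        raise ValueError('not an OpenSSH public key line')
    return base64.b64decode(fields[1], validate=True)


def fingerprint_sha256(blob: bytes) -> str:
    """OpenSSH default format: SHA256:<base64 of the digest, padding stripped>."""
    digest = hashlib.sha256(blob).digest()
    return 'SHA256:' + base64.b64encode(digest).decode().rstrip('=')


def fingerprint_md5(blob: bytes) -> str:
    """Legacy format: MD5:<colon-separated hex>, as in the second line of the prompt."""
    hexdigest = hashlib.md5(blob).hexdigest()
    return 'MD5:' + ':'.join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def matches(pubkey_line: str, expected: str) -> bool:
    """Compare a key line against a fingerprint obtained out of band, in either format."""
    blob = parse_pubkey_line(pubkey_line)
    actual = fingerprint_sha256(blob) if expected.startswith('SHA256:') else fingerprint_md5(blob)
    return hmac.compare_digest(actual, expected)


if __name__ == '__main__':
    # On the bastion: python3 this_file.py and compare with what ssh printed on the client.
    blob = parse_pubkey_line(SAMPLE_PUBKEY_LINE)
    print(fingerprint_sha256(blob))
    print(fingerprint_md5(blob))
```

Running the same calculation over the bastion's real ssh_host_rsa_key.pub gives the value that should appear at the "RSA key fingerprint is" prompt; anything else means the connection is not terminating at the bastion you expect.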

Now http://10.0.0.161 can be accessed directly, without appending :8080.
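Once nginx sits in front, the JumpServer web service on port 8080 no longer needs to be reachable from outside, yet config.py binds it to 0.0.0.0, and the firewall rule in step 4 only admits 8080 from 172.17.0.0/16. The block below is an added example, not part of the original post and not JumpServer code: it audits the bastion's exposure from the output of `ss -lnt` against the policy this page implies (80 and 2222 public; 8080, 3306 and 6379 loopback only) and reports every listener that breaks it. The `ss` output in the block is constructed for the demo; on the real host, feed it the live command's output.

```python
"""Added example: audit which ports the bastion exposes, from `ss -lnt` output.
Not JumpServer code. The policy below is taken from this page: nginx :80 and
coco :2222 are meant to be public; the JumpServer web service :8080 (now behind
nginx), MariaDB :3306 and Redis :6379 should be reachable only locally."""
from typing import Dict, List, Tuple

PUBLIC_PORTS = {80, 2222}
LOCAL_ONLY_PORTS: Dict[int, str] = {
    8080: 'jumpserver web (behind nginx)',
    3306: 'mariadb',
    6379: 'redis',
}
# Local addresses that mean "every interface" in ss output.
WILDCARD_ADDRS = {'*', '0.0.0.0', '::', '[::]', ':::'}

# Constructed sample of `ss -lnt` on the bastion, not a real capture.
SAMPLE_SS_OUTPUT = """\
State      Recv-Q Send-Q Local Address:Port               Peer Address:Port
LISTEN     0      128    *:80                            *:*
LISTEN     0      128    *:2222                          *:*
LISTEN     0      128    *:8080                          *:*
LISTEN     0      50     127.0.0.1:3306                  *:*
LISTEN     0      128    127.0.0.1:6379                  *:*
LISTEN     0      128    *:22                            *:*
"""


def parse_ss(output: str) -> List[Tuple[str, int]]:
    """Return (local address, port) pairs for every LISTEN line."""
    listeners = []
    for line in output.splitlines()[1:]:           # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[0] != 'LISTEN':
            continue
        addr, _, port = fields[3].rpartition(':')   # rpartition keeps IPv6 addresses intact
        if not port.isdigit():
            continue
        listeners.append((addr, int(port)))
    return listeners


def audit(listeners: List[Tuple[str, int]]) -> List[str]:
    """Describe every listener that violates the exposure policy."""
    findings = []
    for addr, port in listeners:
        if addr not in WILDCARD_ADDRS:
            continue                                # bound to one address: fine
        if port in LOCAL_ONLY_PORTS:
            findings.append(
                f'{LOCAL_ONLY_PORTS[port]} on :{port} listens on all interfaces; '
                f'bind it to 127.0.0.1 or block it in firewalld')
        elif port not in PUBLIC_PORTS:
            # sshd on :22 is the admins' own access path; the page's firewall rule
            # does not list it, so it is reported for confirmation rather than ignored.
            findings.append(f'unexpected public listener on :{port}; confirm it is intended')
    return findings


if __name__ == '__main__':
    # On the real host: audit(parse_ss(subprocess.check_output(['ss', '-lnt'], text=True)))
    for finding in audit(parse_ss(SAMPLE_SS_OUTPUT)):
        print(finding)
```

With the constructed sample the audit reports the wildcard-bound 8080 listener and the sshd port, while MariaDB and Redis pass because they are bound to loopback.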

The installation is complete.

Original source: http://outofmemory.cn/langs/1197917.html