厂商文档--一步一步安装CentOS(https://jumpserver.readthedocs.io/zh/master/setup_by_centos.html)
厂商文档--简单优化(https://jumpserver.readthedocs.io/zh/master/setup_by_optimization.html)
厂商文档--自动启动(https://jumpserver.readthedocs.io/zh/master/start_automatically.html)
1、推荐系统配置
x86_64 双核/4G RAM/MySQL(MariaDB)/CentOS 7
如果你打开了防火墙,则:
# Only the nginx front door and the coco SSH port are exposed; the internal
# listeners used later on this page (8080, 5000, 8081, MariaDB, Redis) stay
# reachable from localhost only.
firewall-cmd --permanent --zone=public --add-port=80/tcp    # nginx (HTTP)
firewall-cmd --permanent --zone=public --add-port=2222/tcp  # coco SSH port for users
firewall-cmd --reload                                       # apply the permanent rules
关闭selinux:
# The vendor docs disable SELinux. On a bastion host that removes a real
# isolation layer, so treat it as a conscious trade-off: prefer permissive mode
# while labelling the ports/paths the components need, and re-enable it afterwards.
setenforce 0                                                        # takes effect now, until reboot
sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config  # persists across reboots
2、准备python3和Python虚拟环境
安装依赖包
# Build/fetch tooling: git and wget to obtain sources, gcc for C extensions,
# epel-release for the EPEL repository (its repo file is replaced by a mirror below).
yum install -y git wget gcc epel-release
安装python36
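# Replace the stock EPEL repo file with the Aliyun mirror. Fetch it over HTTPS:
# a repo file pulled over plain HTTP can be swapped by anyone on the path, and it
# is the file that decides baseurl and whether gpgcheck applies (the page already
# uses https://mirrors.aliyun.com for pip, so the host serves TLS).
wget -O /etc/yum.repos.d/epel.repo https://mirrors.aliyun.com/repo/epel-7.repo
# Python 3.6 from EPEL; -devel is required to build the C extensions in requirements.txt.
yum -y install python36 python36-devel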
运行虚拟环境
由于CentOS自带python2.7所以运行python3最好使用虚拟环境
# CentOS 7 ships Python 2.7 as the system interpreter, so JumpServer gets its own
# Python 3.6 virtualenv under /opt/py3.
cd /opt && python3.6 -m venv py3
source /opt/py3/bin/activate
# The prompt reads "(py3) [root@localhost py3]" once the venv is active. Every
# jumpserver / coco command on this page must run from this activated
# environment; `deactivate` leaves it, but there is no reason to leave during
# the installation.
3、安装Jumpserver
下载Jumpserver
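cd /opt/
# Option A (what the rest of this page assumes): a shallow git clone, which
# leaves the code in /opt/jumpserver as the dependency step expects.
git clone --depth=1 https://github.com/jumpserver/jumpserver.git
# Option B: download the zip instead of cloning. The original page listed both
# as if they were run together; the zip was downloaded but never unpacked. The
# archive extracts to jumpserver-master, so it has to be renamed (needs unzip):
#   wget https://github.com/jumpserver/jumpserver/archive/master.zip
#   unzip master.zip && mv jumpserver-master jumpserver
# Either way this is an unpinned snapshot of master with no signature or
# checksum verification; for a production bastion check out the release that
# matches the luna/coco versions you deploy instead of master.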
安装依赖包
cd /opt/jumpserver/requirements
# System packages are listed in rpm_requirements.txt; the unquoted expansion is
# intentional so each name becomes its own yum argument.
yum -y install $(< rpm_requirements.txt)
# Python dependencies from the Aliyun PyPI mirror (fast from inside China);
# pip/setuptools are upgraded first.
pip install -i https://mirrors.aliyun.com/pypi/simple/ --upgrade pip setuptools
pip install -i https://mirrors.aliyun.com/pypi/simple/ -r requirements.txt
4、安装Redis
# Redis backs JumpServer's cache and the Celery broker.
yum -y install redis
systemctl enable redis   # start at boot
systemctl start redis    # start now
# Redis is used unauthenticated here, so it must stay loopback-only: do not open
# its port in the firewall, and confirm the `bind` setting in /etc/redis.conf
# is 127.0.0.1 (presumably the CentOS 7 default — verify on your host).
5、安装Mysql(mariadb)
yum -y install mariadb mariadb-server mariadb-devel mariadb-shared
systemctl enable mariadb   # start at boot
systemctl start mariadb    # start now
# A fresh MariaDB has a passwordless root login via the local socket — the next
# step relies on that. Once the jumpserver database exists, run
# mysql_secure_installation to set a root password and remove the anonymous
# users and the test database.
创建数据库Jumpserver并授权
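# 24-character alphanumeric password for the jumpserver DB user, from /dev/urandom.
DB_PASSWORD=$(tr -dc 'A-Za-z0-9' </dev/urandom | head -c 24)
# The original echo had its ANSI escapes mangled ("33[31m" instead of "\033[31m");
# printf emits them correctly. The password is shown once because later steps
# need it — note it also lands in terminal scrollback, so clear that afterwards.
printf '\033[31m你的数据库密码是 %s\033[0m\n' "$DB_PASSWORD"
# Feed the SQL on stdin instead of `mysql -e "..."`: with -e the whole statement,
# password included, is visible to every local user in the process list while it
# runs. The generated value is alphanumeric, so it is safe inside the SQL literal.
# The grant is limited to 127.0.0.1 (presumably the DB_HOST JumpServer's config
# uses — confirm in config.yml).
mysql -uroot <<SQL
create database jumpserver default charset 'utf8';
grant all on jumpserver.* to 'jumpserver'@'127.0.0.1' identified by '$DB_PASSWORD';
flush privileges;
SQL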
修改Jumpserver配置文件
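cd /opt/jumpserver
cp config_example.yml config.yml
# config.yml will hold the DB password, SECRET_KEY and BOOTSTRAP_TOKEN. The
# services on this page run as root, so root-only permissions are sufficient.
chmod 600 /opt/jumpserver/config.yml
# SECRET_KEY (50 chars) and BOOTSTRAP_TOKEN (16 chars) are generated once and
# persisted because config.yml, coco and guacamole below all need the same values.
SECRET_KEY=$(tr -dc 'A-Za-z0-9' </dev/urandom | head -c 50)
BOOTSTRAP_TOKEN=$(tr -dc 'A-Za-z0-9' </dev/urandom | head -c 16)
# Later steps read both back from ~/.bashrc, so they are appended there as on
# the original page. ~/.bashrc is sourced by every root shell, so restrict it;
# the authoritative copy of the secrets is config.yml, not this file.
printf 'SECRET_KEY=%s\nBOOTSTRAP_TOKEN=%s\n' "$SECRET_KEY" "$BOOTSTRAP_TOKEN" >> ~/.bashrc
chmod 600 ~/.bashrc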
修改"/opt/jumpserver/config.yml"中的参数
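# The key substitutions replace the whole line, anchored at line start, so
# re-running this step does not append the value a second time (the original
# "s/SECRET_KEY:/SECRET_KEY: $SECRET_KEY/g" would) and a commented-out copy of
# the key cannot match. The generated values are alphanumeric, so interpolating
# them into the sed expression is safe; "|" is used as the delimiter regardless.
cfg=/opt/jumpserver/config.yml
sed -i "s|^SECRET_KEY:.*|SECRET_KEY: $SECRET_KEY|" "$cfg"
sed -i "s|^BOOTSTRAP_TOKEN:.*|BOOTSTRAP_TOKEN: $BOOTSTRAP_TOKEN|" "$cfg"
sed -i 's|# DEBUG: true|DEBUG: false|g' "$cfg"                       # never run a bastion with DEBUG on
sed -i 's|# LOG_LEVEL: DEBUG|LOG_LEVEL: ERROR|g' "$cfg"
sed -i 's|# SESSION_EXPIRE_AT_BROWSER_CLOSE: false|SESSION_EXPIRE_AT_BROWSER_CLOSE: true|g' "$cfg"
sed -i "s|^DB_PASSWORD:.*|DB_PASSWORD: $DB_PASSWORD|" "$cfg"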
逐一确认修改的参数
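# Verify the six values non-interactively first: a sed pattern that did not match
# leaves the key empty or still commented out, which vim alone makes easy to miss.
grep -nE '^(# )?(SECRET_KEY|BOOTSTRAP_TOKEN|DEBUG|LOG_LEVEL|SESSION_EXPIRE_AT_BROWSER_CLOSE|DB_PASSWORD):' /opt/jumpserver/config.yml
# Then open the file to correct anything that is still wrong.
vim /opt/jumpserver/config.yml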
运行Jumpserver,注意,要在python3虚拟环境下运行
# Start every JumpServer component detached. Must be run with /opt/py3 active.
# Usage: ./jms start|stop|status all; -d runs in the background.
cd /opt/jumpserver && ./jms start all -d
6、安装SSH Server和WebSocket Server:Coco
下载或克隆coco项目
cd /opt
source /opt/py3/bin/activate   # coco is installed into the same py3 venv
# Unpinned shallow clone of master, as for jumpserver above; pin a release for production.
git clone --depth=1 https://github.com/jumpserver/coco.git
安装coco依赖
cd /opt/coco/requirements
yum -y install $(< rpm_requirements.txt)   # unquoted on purpose: one yum argument per line
# Python dependencies from the Aliyun PyPI mirror (much faster from inside China).
pip install -i https://mirrors.aliyun.com/pypi/simple/ -r requirements.txt
修改配置文件并运行
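cd /opt/coco
cp config_example.yml config.yml
chmod 600 config.yml   # holds BOOTSTRAP_TOKEN; coco runs as root on this page
# Replace the whole BOOTSTRAP_TOKEN line rather than matching the placeholder
# text: the placeholder on the original page ("<PleasgeChange...>") looks
# mistyped, and a sed that matches nothing silently leaves the placeholder in
# place — coco would then presumably fail to register with JumpServer.
# $BOOTSTRAP_TOKEN is the value generated in step 5.
sed -i "s|^BOOTSTRAP_TOKEN:.*|BOOTSTRAP_TOKEN: $BOOTSTRAP_TOKEN|" /opt/coco/config.yml
sed -i 's/# LOG_LEVEL: INFO/LOG_LEVEL: ERROR/g' /opt/coco/config.yml
grep -nE '^(# )?(BOOTSTRAP_TOKEN|LOG_LEVEL):' config.yml   # both should now be set and uncommented
vim config.yml   # correct anything the check above shows as wrong
# Start the SSH/WebSocket server detached (py3 venv active).
# Usage: ./cocod start|stop|status; -d runs in the background.
./cocod start -d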
安装WebTerminal 前端 Luna,需要Nginx来访问,直接解压不需要编译
cd /opt
# Luna is a prebuilt static bundle served by nginx — no build step. It is
# fetched over HTTPS but not otherwise verified; compare it with a published
# checksum for the release if one is available.
wget https://demo.jumpserver.org/download/luna/1.5.0/luna.tar.gz
tar xvf luna.tar.gz
chown -R root:root luna
7、安装Windows组件
安装依赖
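# The nux-dextop signing key is only offered over plain HTTP here, so an on-path
# attacker could substitute both the key and the packages it then "verifies".
# Download it to a temp file and compare the fingerprint with the one the
# project publishes before trusting it in the rpm keyring.
nux_key=$(mktemp)
wget -O "$nux_key" http://li.nux.ro/download/nux/RPM-GPG-KEY-nux.ro
gpg --with-fingerprint "$nux_key"   # check this fingerprint against the publisher's before continuing
rpm --import "$nux_key"
rm -f -- "$nux_key"
rpm -Uvh http://li.nux.ro/download/nux/dextop/el7/x86_64/nux-dextop-release-0-5.el7.nux.noarch.rpm
# --nogpgcheck skips signature verification for these two release RPMs only
# (they carry the rpmfusion keys that later packages are checked against —
# confirm gpgcheck=1 in the repo files they install). They are at least fetched over HTTPS.
yum -y localinstall --nogpgcheck https://download1.rpmfusion.org/free/el/rpmfusion-free-release-7.noarch.rpm https://download1.rpmfusion.org/nonfree/el/rpmfusion-nonfree-release-7.noarch.rpm
yum install -y java-1.8.0-openjdk libtool
yum install -y cairo-devel libjpeg-turbo-devel libpng-devel uuid-devel
yum install -y ffmpeg-devel freerdp-devel freerdp-plugins pango-devel libssh2-devel libtelnet-devel libvncserver-devel pulseaudio-libs-devel openssl-devel libvorbis-devel libwebp-devel ghostscript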
8、编译安装guacamole服务
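cd /opt
git clone --depth=1 https://github.com/jumpserver/docker-guacamole.git
cd /opt/docker-guacamole
# guacamole-server 0.9.14 is bundled in the repo as a tarball. It is an old
# release, so check the upstream advisories before exposing guacd beyond localhost.
tar -xf guacamole-server-0.9.14.tar.gz
# The build steps are chained so that `make install` (as root) does not run after
# a failed cd/autoreconf/configure — the original page ran them unconditionally.
cd /opt/docker-guacamole/guacamole-server-0.9.14 \
  && autoreconf -fi \
  && ./configure --with-init-dir=/etc/init.d \
  && make && make install
# Expose the freshly built freerdp plugins where the distro freerdp looks for them.
ln -s /usr/local/lib/freerdp/*.so /usr/lib64/freerdp/
# Remove the build tree by absolute path so the rm never depends on the current directory.
rm -rf /opt/docker-guacamole/guacamole-server-0.9.14
ldconfig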
配置Tomcat,先准备好运行目录和环境
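mkdir -p /config/guacamole/lib /config/guacamole/extensions   # -p creates /config/guacamole as well
ln -sf /opt/docker-guacamole/guacamole-auth-jumpserver-0.9.14.jar /config/guacamole/extensions/guacamole-auth-jumpserver-0.9.14.jar
ln -sf /opt/docker-guacamole/root/app/guacamole/guacamole.properties /config/guacamole/guacamole.properties
cd /config
# Tomcat. Fetch over HTTPS, and verify the archive against the .sha512 Apache
# publishes for the release (under https://archive.apache.org/dist/tomcat/tomcat-8/v8.5.41/bin/,
# if still present) before unpacking. The filenames below match what wget saves:
# the original page tried to extract "tomcat-8.5.41.tar.gz" and move
# "appache-tomcat-8.5.41", neither of which exists.
wget https://mirrors.tuna.tsinghua.edu.cn/apache/tomcat/tomcat-8/v8.5.41/bin/apache-tomcat-8.5.41.tar.gz
tar xvf apache-tomcat-8.5.41.tar.gz
rm -f apache-tomcat-8.5.41.tar.gz
mv apache-tomcat-8.5.41 tomcat8   # short, stable name used by the unit file later
rm -rf /config/tomcat8/webapps/*  # drop the sample/manager apps; only guacamole is served
ln -sf /opt/docker-guacamole/guacamole-0.9.14.war /config/tomcat8/webapps/ROOT.war   # guacamole client as ROOT
# Move the HTTP connector to 8081 and bind it to loopback: only nginx (step 9)
# should reach Tomcat directly. Also review server.xml for the AJP connector
# (port 8009) and the shutdown port, and disable them if unused.
sed -i 's/Connector port="8080"/Connector address="127.0.0.1" port="8081"/g' /config/tomcat8/conf/server.xml
sed -i 's/FINE/WARNING/g' /config/tomcat8/conf/logging.properties   # log level FINE -> WARNING
# (The stray ssh-forward download that the original page had here is done once in the next step.)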
下载ssh-forward
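cd /config
# The original page spelled the archive "linux-and64" in the tar step, which fails.
# Extract into a temp dir rather than straight into /bin/: the tarball is not
# signature- or checksum-verified, and unpacking an unverified archive as root
# into a system directory lets every entry it contains land in /bin/.
wget https://demo.jumpserver.org/download/ssh-forward/v0.0.5/linux-amd64.tar.gz
sshfwd_tmp=$(mktemp -d)
tar xvf linux-amd64.tar.gz -C "$sshfwd_tmp"
# Install only the one binary (assumes the archive holds ssh-forward at its top
# level, as the original `chmod +x /bin/ssh-forward` implies — confirm with tar -tf).
install -m 0755 "$sshfwd_tmp/ssh-forward" /bin/ssh-forward
rm -rf -- "${sshfwd_tmp:?}"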
配置环境变量(只需配置一次,配置完后检查是否正确配置即可)
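# These are exported now (effective immediately) and appended to ~/.bashrc so
# they survive a new shell; the page sets them before starting Tomcat, so they
# are presumably read by the guacamole JumpServer extension. BOOTSTRAP_TOKEN is
# a secret: anything launched from a root shell inherits it, the appends are
# guarded so re-running does not duplicate lines, and ~/.bashrc is made root-only.
export JUMPSERVER_SERVER=http://127.0.0.1:8080
export BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN   # value generated in step 5
export JUMPSERVER_KEY_DIR=/config/guacamole/keys
export GUACAMOLE_HOME=/config/guacamole
for kv in "JUMPSERVER_SERVER=$JUMPSERVER_SERVER" "BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN" \
          "JUMPSERVER_KEY_DIR=$JUMPSERVER_KEY_DIR" "GUACAMOLE_HOME=$GUACAMOLE_HOME"; do
  grep -qxF "export $kv" ~/.bashrc || printf 'export %s\n' "$kv" >> ~/.bashrc
done
chmod 600 ~/.bashrc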
启动Guacamole
# guacd uses the SysV script installed by --with-init-dir in step 8; Tomcat picks
# up the exports above. Both run as root on this page — a dedicated user would
# be the least-privilege choice.
/etc/init.d/guacd start
sh /config/tomcat8/bin/startup.sh
9、配置Nginx整合各组件
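yum -y install yum-utils   # -y added: the other yum calls on this page are non-interactive
# nginx.org repo definition, written non-interactively (the page opened it in vi).
# baseurl over HTTPS: nginx.org already serves the signing key over HTTPS, and
# gpgcheck=1 verifies every package against that key.
cat > /etc/yum.repos.d/nginx.repo <<'EOF'
[nginx-stable]
name=nginx stable repo
baseurl=https://nginx.org/packages/centos/$releasever/$basearch/
gpgcheck=1
enabled=1
gpgkey=https://nginx.org/keys/nginx_signing.key
EOF
yum makecache fast
yum install -y nginx
rm -f /etc/nginx/conf.d/default.conf   # a single file; -r is not needed
systemctl enable nginx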
修改nginx的配置文件“/etc/nginx/conf.d/jumpserver.conf”
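# Written with a quoted heredoc so nginx variables ($uri, $host, ...) are not
# expanded by the shell. This vhost is plain HTTP on :80 — every login and
# every proxied session for the bastion crosses the network unencrypted unless
# a TLS terminator sits in front. For anything beyond a lab, add a
# `listen 443 ssl` server (or front nginx with one) and redirect :80 to it.
# If coco/guacamole/jumpserver run on other hosts, the proxy_pass traffic to
# them is also unencrypted HTTP.
cat > /etc/nginx/conf.d/jumpserver.conf <<'EOF'
server {
    listen 80;  # single entry point; clients no longer use 8080 directly
    # server_name demo.jumpserver.org;  # set your hostname, or leave commented
    client_max_body_size 100m;  # size limit for recordings and file uploads

    location /luna/ {
        try_files $uri / /index.html;
        alias /opt/luna/;  # luna path; change if installed elsewhere
    }
    location /media/ {
        add_header Content-Encoding gzip;
        root /opt/jumpserver/data/;  # session recordings; change if installed elsewhere
    }
    location /static/ {
        root /opt/jumpserver/data/;  # static assets; change if installed elsewhere
    }
    location /socket.io/ {
        proxy_pass http://localhost:5000/socket.io/;  # coco; use its IP if on another host
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }
    location /coco/ {
        proxy_pass http://localhost:5000/coco/;  # coco; use its IP if on another host
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }
    location /guacamole/ {
        proxy_pass http://localhost:8081/;  # tomcat/guacamole; use its IP if on another host
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }
    location / {
        proxy_pass http://localhost:8080;  # jumpserver web; use its IP if on another host
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
EOF
nginx -t   # syntax check before starting nginx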
运行Nginx
systemctl start nginx    # serve the config written above
systemctl enable nginx   # already enabled after install; repeating is harmless
10、性能优化
vim /opt/jumpserver/config.yml
DEBUG: false
LOG_LEVEL: ERROR
vim /opt/coco/config.yml
LOG_LEVEL: ERROR
重启jumpserver和coco服务
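# A restart is stop-then-start. The original page ran a bare `./jms start all -d`,
# which depends on the current directory and does not stop the instance that is
# already running. Run with the py3 venv active.
cd /opt/jumpserver && ./jms stop all; ./jms start all -d
cd /opt/coco && ./cocod stop; ./cocod start -d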
11、开机自启动
生成启动文件
#jms(Jumpserver)服务
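# Local units belong in /etc/systemd/system; /usr/lib/systemd/system (used by the
# original page) is for units shipped by packages and may be overwritten on upgrade.
cat > /etc/systemd/system/jms.service <<'EOF'
[Unit]
Description=jms
After=network.target mariadb.service redis.service
Wants=mariadb.service redis.service

[Service]
Type=forking
# PATH puts the py3 virtualenv first so ./jms runs under Python 3.6.
Environment="PATH=/opt/py3/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin"
# No User= on this page, so the service runs as root; a dedicated account would
# be least-privilege, but the rest of the guide assumes root-owned paths.
ExecStart=/opt/jumpserver/jms start all -d
ExecStop=/opt/jumpserver/jms stop

[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload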
#CoCo服务
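# Written to /etc/systemd/system (local units) instead of /usr/lib/systemd/system.
cat > /etc/systemd/system/coco.service <<'EOF'
[Unit]
Description=coco
After=network.target jms.service

[Service]
Type=forking
PIDFile=/opt/coco/coco.pid
# Only the venv is on PATH; presumably enough because cocod needs just its own
# python — extend PATH if coco has to call system tools (confirm on your host).
Environment="PATH=/opt/py3/bin"
# Runs as root (no User=); see the note on jms.service.
ExecStart=/opt/coco/cocod start -d
ExecStop=/opt/coco/cocod stop

[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload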
#Guacamole服务
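chkconfig guacd on   # guacd still uses the SysV script installed in step 8
# BOOTSTRAP_TOKEN must not live in the unit file itself: unit files are
# world-readable, so the original "BOOTSTRAP_TOKEN=******" placeholder would
# have exposed the token to every local user once filled in. Keep the four
# variables in a root-only EnvironmentFile instead. $BOOTSTRAP_TOKEN is the
# value generated in step 5 (also recorded in ~/.bashrc); the :? guard aborts
# rather than writing an empty token.
install -m 0600 /dev/null /etc/guacamole-jumpserver.env
cat > /etc/guacamole-jumpserver.env <<EOF
JUMPSERVER_SERVER=http://127.0.0.1:8080
JUMPSERVER_KEY_DIR=/config/guacamole/keys
GUACAMOLE_HOME=/config/guacamole
BOOTSTRAP_TOKEN=${BOOTSTRAP_TOKEN:?BOOTSTRAP_TOKEN is unset; set it (see ~/.bashrc) before writing the env file}
EOF
# Local unit in /etc/systemd/system rather than the package directory.
cat > /etc/systemd/system/guacamole.service <<'EOF'
[Unit]
Description=guacamole
After=network.target jms.service
Wants=jms.service

[Service]
Type=forking
# PIDFile=/config/tomcat8/tomcat.pid
EnvironmentFile=/etc/guacamole-jumpserver.env
# Runs as root (no User=); see the note on jms.service.
ExecStart=/config/tomcat8/bin/startup.sh
ExecStop=/config/tomcat8/bin/shutdown.sh

[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload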
开机自启
# Enable all three units at boot in one call (same effect as enabling each separately).
systemctl enable jms coco guacamole
启停服务(正常情况下依赖开机自启即可;systemd 启停与手动执行 ./jms、./cocod 启停不要混用,两者可能互相冲突而报错,只有在不能自启动、需要排查时才手动执行下面的命令)
systemctl start/stop jms
systemctl start/stop coco
systemctl start/stop guacamole