centos7 설치 배치 jumpserver 1.5

하나.Jumpserver 환경 요구 사항:
하드웨어 구성: CPU 코어 2개, 4G 메모리, 50G 하드 드라이브(최소). 운영 체제: Linux 배포판 x86_64. Python = 3.6.x, MySQL Server ≥ 5.6 또는 MariaDB Server ≥ 5.5.56, Redis
구성 요소 설명
  • 점프 서버는 관리 백엔드로서 관리자는 웹 페이지를 통해 자산 관리, 사용자 관리, 자산 권한 수여 등 조작을 할 수 있고 사용자는 웹 페이지를 통해 자산 로그인, 파일 관리 등 조작을 할 수 있다
  • koko는 SSH 서버 및 웹 터미널 서버입니다. 사용자는 자신의 계정을 사용하여 SSH 또는 웹 Terminal을 통해 SSH 프로토콜과 Telnet 프로토콜 자산에 접근할 수 있다
  • Luna는 웹 Terminal Server 전단 페이지로 사용자가 웹 Terminal 방식으로 로그인하는 데 필요한 구성 요소
  • Guacamole는 RDP 프로토콜과 VNC 프로토콜 자산 구성 요소로 사용자는 웹 터미널을 통해 RDP 프로토콜과 VNC 프로토콜 자산을 연결할 수 있다
  • 포트 설명
  • Jumpserver 기본 포트는 8080/tcp, 설정 파일은 jumpserver/config.yml 이다
  • koko 기본 SSH 포트는 2222/tcp, 기본 웹 터미널 포트는 5000/tcp, 설정 파일은 koko/config.yml 이다
  • Guacamole 기본 포트는 8081/tcp, 설정 파일은 /config/tomcat9/conf/server.xml 이다
  • Nginx 기본 포트 80/tcp
  • Redis 기본 포트는 6379/tcp
  • Mysql 기본 포트는 3306/tcp
  • 외부에 열어야 하는 포트는 80/tcp(웹)와 2222/tcp(koko SSH)뿐이다. 8080·5000·8081·6379·3306은 이 호스트 안에서만 접근하도록 두고(아래 방화벽 설정 참고) 인터넷에 노출하지 않는다
  • 둘. 설치
    $ yum update -y
    
    SELinux와 방화벽: 아래 절차는 원문대로 SELinux를 끄지만, 이 호스트는 모든 자산의 접속 정보를 보관하는 bastion 이므로 가능하면 enforcing(최소한 permissive)으로 유지하고, 방화벽은 켜 둔 채 필요한 포트만 여는 것을 권장한다
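    $ systemctl enable --now firewalld   # 'enable' so the rules below still apply after a reboot; 'start' alone does not survive one
    $ firewall-cmd --zone=public --add-port=80/tcp --permanent    # nginx (web UI)
    $ firewall-cmd --zone=public --add-port=2222/tcp --permanent  # koko SSH gateway for users
    # --permanent writes the rule to disk but does not touch the running firewall until --reload below.
    # Keep 8080/5000/8081/6379/3306 closed to the outside: they are reached only from this host via nginx
    # (8080 is additionally opened to the docker bridge network in a later step).
    
    $ firewall-cmd --reload  # apply the permanent rules to the running firewall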
    
    # Disabling SELinux removes a hardening layer on a host that holds credentials for every managed asset.
    # Prefer SELINUX=permissive while debugging (denials are logged, not blocked), or keep enforcing and fix
    # denials from audit.log; the two commands below follow the original guide and disable it outright.
    # setenforce 0 acts on the running kernel; the sed edit makes it permanent from the next boot.
    $ setenforce 0
    $ sed -i "s/SELINUX=enforcing/SELINUX=disabled/g" /etc/selinux/config
    
          
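    $ yum -y install wget gcc epel-release git
    
    # Redis: JumpServer uses it as cache and as the celery broker (REDIS_* in config.yml).
    $ yum -y install redis
    $ systemctl enable redis
    $ systemctl start redis
    # Redis is installed without authentication. Confirm it listens on loopback only and is never opened in the firewall;
    # if you set 'requirepass' in /etc/redis.conf, put the same value in REDIS_PASSWORD in config.yml.
    $ grep -E '^(bind|requirepass)' /etc/redis.conf
    
    # MySQL/MariaDB: JumpServer also supports sqlite3 and postgres (DB_ENGINE in config.yml); skip this if you use another backend.
    # CentOS 7 ships MariaDB in place of MySQL.
    $ yum -y install mariadb mariadb-devel mariadb-server MariaDB-shared
    $ systemctl enable mariadb
    $ systemctl start mariadb
    # A fresh MariaDB has a passwordless root account, anonymous users and a test database.
    # Run 'mysql_secure_installation' once the jumpserver database/user below has been created
    # (that step relies on the still-passwordless root login).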
    
    JumpServer 용 데이터베이스와 전용 계정 생성
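    $ DB_PASSWORD=$(tr -dc 'A-Za-z0-9' </dev/urandom | head -c 24)   # random 24-char password for the jumpserver DB user
    $ echo -e "\033[31m DB_PASSWORD: $DB_PASSWORD \033[0m"            # shown once; it is written into config.yml in the next section
    # Pass the SQL on stdin instead of 'mysql -e "..."' so the password is not visible in 'ps' output
    # (the shell history stores the unexpanded $DB_PASSWORD, not the value).
    # The grant is deliberately limited to the jumpserver database and to connections from 127.0.0.1.
    $ mysql -uroot <<EOF
    CREATE DATABASE jumpserver DEFAULT CHARSET 'utf8';
    GRANT ALL ON jumpserver.* TO 'jumpserver'@'127.0.0.1' IDENTIFIED BY '$DB_PASSWORD';
    FLUSH PRIVILEGES;
    EOF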
    
    Nginx 설치: JumpServer 웹 서비스(8080)와 koko/guacamole 앞단의 리버스 프록시로 사용한다. 저장소를 추가할 때는 https 와 gpgcheck=1 을 사용해 패키지 서명을 검증하도록 한다
    $ vi /etc/yum.repos.d/nginx.repo
    
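    # Fetch over HTTPS and verify package signatures. The original guide used a plain-http baseurl with
    # gpgcheck=0, which installs whatever an on-path attacker chooses to serve as "nginx".
    [nginx]
    name=nginx repo
    baseurl=https://nginx.org/packages/centos/7/$basearch/
    gpgcheck=1
    gpgkey=https://nginx.org/keys/nginx_signing.key
    enabled=1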
    
    $ yum -y install nginx
    $ systemctl enable nginx
    
    Python 3.6 설치 (EPEL 저장소에서 제공)
    $ yum -y install python36 python36-devel
    
    Python 3 가상환경 생성
    $ cd /opt
    $ python3.6 -m venv py3  # py3        ,     
    $ source /opt/py3/bin/activate  #            deactivate   
    
    이후의 명령은 모두 이 가상환경(py3) 안에서 실행한다. 새 터미널을 열었다면 위의 source 명령을 다시 실행해야 하며, 프롬프트 앞에 (py3) 가 붙으면 활성화된 상태다:
    (py3) [root@localhost py3]
    
    JumpServer 소스 받기
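    $ cd /opt/
    # Pin the checkout to the release that matches the koko/guacamole images used later in this guide (1.5.7);
    # a bare --depth=1 clone follows the default branch and can drift away from the component versions.
    # Confirm the tag exists on the releases page before relying on it.
    $ git clone --depth=1 -b 1.5.7 https://github.com/jumpserver/jumpserver.git
    
    # System packages the Python dependencies build against.
    $ yum -y install $(cat /opt/jumpserver/requirements/rpm_requirements.txt)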
    
    Python 의존 패키지 설치
    $ pip install wheel
    $ pip install --upgrade pip setuptools
    $ pip install -r /opt/jumpserver/requirements/requirements.txt
    (설치가 느리면 PyPI 미러를 지정할 수 있다: -i https://pypi.tuna.tsinghua.edu.cn/simple/ — 단, 미러를 쓰면 그 미러를 신뢰하는 것이므로 운영 환경에서는 공식 PyPI 나 직접 관리하는 미러를 권장한다)
    
    참고: MarkupSafe==1.0 (1.1 로 변경) 과 python-gssapi==0.6.4 는 설치 중 문제가 생길 수 있으니, 실패하면 해당 패키지를 개별적으로 설치한 뒤 requirements 설치를 다시 실행한다
    

    ·
    JumpServer 설정 파일 작성
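    $ cd /opt/jumpserver
    $ cp config_example.yml config.yml
    $ chmod 600 /opt/jumpserver/config.yml   # it will hold SECRET_KEY, BOOTSTRAP_TOKEN and DB_PASSWORD; jms runs as root here
    
    # SECRET_KEY is the Django signing key; BOOTSTRAP_TOKEN is what koko/guacamole present to register with the core.
    # They are written into config.yml only. The original guide also appended them to ~/.bashrc, which leaves a second
    # copy of each secret in a dotfile; when a later step needs the token in a fresh shell, read it back instead:
    #   BOOTSTRAP_TOKEN=$(awk '/^BOOTSTRAP_TOKEN:/ {print $2}' /opt/jumpserver/config.yml)
    $ SECRET_KEY=$(tr -dc 'A-Za-z0-9' </dev/urandom | head -c 50)
    $ BOOTSTRAP_TOKEN=$(tr -dc 'A-Za-z0-9' </dev/urandom | head -c 16)
    
    # Anchor on the start of the line so only the real key lines are rewritten; the values are [A-Za-z0-9], safe inside sed.
    $ sed -i "s/^SECRET_KEY:.*/SECRET_KEY: $SECRET_KEY/" /opt/jumpserver/config.yml
    $ sed -i "s/^BOOTSTRAP_TOKEN:.*/BOOTSTRAP_TOKEN: $BOOTSTRAP_TOKEN/" /opt/jumpserver/config.yml
    $ sed -i "s/# DEBUG: true/DEBUG: false/g" /opt/jumpserver/config.yml   # never run with DEBUG on: error pages leak settings and stack traces
    $ sed -i "s/# LOG_LEVEL: DEBUG/LOG_LEVEL: ERROR/g" /opt/jumpserver/config.yml
    $ sed -i "s/# SESSION_EXPIRE_AT_BROWSER_CLOSE: false/SESSION_EXPIRE_AT_BROWSER_CLOSE: true/g" /opt/jumpserver/config.yml
    $ sed -i "s/^DB_PASSWORD:.*/DB_PASSWORD: $DB_PASSWORD/" /opt/jumpserver/config.yml   # DB_PASSWORD was generated in the database step
    
    # Shown once for the record; both are also in config.yml. Do not paste them into tickets or chat.
    $ echo -e "\033[31m SECRET_KEY: $SECRET_KEY \033[0m"
    $ echo -e "\033[31m BOOTSTRAP_TOKEN: $BOOTSTRAP_TOKEN \033[0m"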
    

    ·
    $ vi config.yml  #          
    
    # SECURITY WARNING: keep the secret key used in production secret!
    # Django signing key (sessions, tokens). Filled in by the sed step above; keep it unique per install and out of backups/tickets.
    SECRET_KEY:
    
    # SECURITY WARNING: keep the bootstrap token used in production secret!
    # Shared secret koko and guacamole present when they register with the core; whoever holds it can register a terminal component.
    BOOTSTRAP_TOKEN:
    
    # Development env open this, when error occur display the full process track, Production disable it
    # DEBUG error pages expose settings and stack traces; keep it false on a bastion host.
    DEBUG: false
    
    # DEBUG, INFO, WARNING, ERROR, CRITICAL can set. See https://docs.djangoproject.com/en/1.10/topics/logging/
    # Log level of the core. ERROR is quiet; consider WARNING or INFO if the logs are shipped to a SIEM.
    LOG_LEVEL: ERROR
    # LOG_DIR:
    
    # Session expiration setting, Default 24 hour, Also set expired on on browser close
    # Web session lifetime: 24h cookie age by default, and the session ends when the browser is closed.
    # SESSION_COOKIE_AGE: 86400
    SESSION_EXPIRE_AT_BROWSER_CLOSE: true
    
    # Database setting, Support sqlite3, mysql, postgres ....
    # Database backend selection.
    # See https://docs.djangoproject.com/en/1.10/ref/settings/#databases
    
    # SQLite setting:
    # Single-file backend; acceptable for a trial, not for production.
    # DB_ENGINE: sqlite3
    # DB_NAME:
    
    # MySQL or postgres setting like:
    # MariaDB created earlier: dedicated user, reachable from 127.0.0.1 only. DB_PASSWORD is filled in by the sed step above.
    DB_ENGINE: mysql
    DB_HOST: 127.0.0.1
    DB_PORT: 3306
    DB_USER: jumpserver
    DB_PASSWORD:
    DB_NAME: jumpserver
    
    # When Django start it will bind this host and port
    # ./manage.py runserver 127.0.0.1:8080
    # 0.0.0.0 because koko and guacamole run in docker and reach the core through the host IP on 8080.
    # 8080 must stay closed to everything except the docker bridge (firewall rich rule later); users go through nginx.
    HTTP_BIND_HOST: 0.0.0.0
    HTTP_LISTEN_PORT: 8080
    
    # Use Redis as broker for celery and web socket
    # Redis on loopback. If 'requirepass' is set in redis.conf, uncomment REDIS_PASSWORD with the same value.
    REDIS_HOST: 127.0.0.1
    REDIS_PORT: 6379
    # REDIS_PASSWORD:
    # REDIS_DB_CELERY: 3
    # REDIS_DB_CACHE: 4
    
    # Use OpenID authorization
    # Optional OpenID login; leave disabled unless an identity provider is configured. BASE_SITE_URL must be the URL users see.
    # BASE_SITE_URL: http://localhost:8080
    # AUTH_OPENID: false  # True or False
    # AUTH_OPENID_SERVER_URL: https://openid-auth-server.com/
    # AUTH_OPENID_REALM_NAME: realm-name
    # AUTH_OPENID_CLIENT_ID: client-id
    # AUTH_OPENID_CLIENT_SECRET: client-secret
    
    # OTP settings
    # OTP/MFA (TOTP) settings. OTP_VALID_WINDOW presumably widens the accepted clock drift (0 = strictest);
    # OTP_ISSUER_NAME is the label shown in the authenticator app.
    # OTP_VALID_WINDOW: 0
    # OTP_ISSUER_NAME: Jumpserver
    

    ·
    JumpServer 실행
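    $ cd /opt/jumpserver
    # Manual start to check that the core comes up; './jms start' without -d runs in the foreground and shows errors,
    # '-d' daemonizes. './jms start|stop|status all' also works. Stop this manual instance before handing over to
    # systemd below, otherwise systemd starts a second copy.
    $ ./jms start -d
    
    # The unit file is downloaded from the project's demo host over HTTPS. It is executed by root at boot: read it
    # before enabling it. Unit files are data, not executables, so 644 is the right mode (the original used 755).
    $ wget -O /usr/lib/systemd/system/jms.service https://demo.jumpserver.org/download/shell/centos/jms.service
    $ cat /usr/lib/systemd/system/jms.service
    $ chmod 644 /usr/lib/systemd/system/jms.service
    $ ./jms stop
    $ systemctl daemon-reload
    $ systemctl enable --now jms   # start under systemd now and at every boot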
    

    ·
    docker 로 koko 와 guacamole 배포
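    $ yum install -y yum-utils device-mapper-persistent-data lvm2
    # Fetch the repo definition and the signing key over HTTPS. A .repo file fetched over plain http can be altered
    # in transit (including its gpgkey= line), which defeats the package signature check.
    $ yum-config-manager --add-repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
    $ rpm --import https://mirrors.aliyun.com/docker-ce/linux/centos/gpg
    $ yum makecache fast
    $ yum -y install docker-ce
    $ systemctl enable docker
    $ mkdir -p /etc/docker
    # daemon.json configures the docker daemon (root); it presumably sets registry mirrors for faster pulls.
    # Fetch it over HTTPS and read it before restarting docker: remove any 'insecure-registries' entry or a
    # mirror you do not control, since images pulled through them are not verified against Docker Hub.
    $ wget -O /etc/docker/daemon.json https://demo.jumpserver.org/download/docker/daemon.json
    $ cat /etc/docker/daemon.json
    $ systemctl restart docker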
    
    컨테이너(koko, guacamole) 가 호스트의 8080(core) 에 접근할 수 있도록 docker 브리지 대역에서만 8080 을 허용한다 (외부에는 열지 않는다)
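    # Allow only the docker bridge network to reach the core on 8080 (it binds 0.0.0.0); nothing else may reach 8080 directly.
    # Single quotes keep the inner double quotes intact for firewalld's rich-rule parser (the original nested double quotes).
    $ firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="172.17.0.0/16" port protocol="tcp" port="8080" accept'
    $ firewall-cmd --reload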
    172.17.0.0/16 은 docker 기본 브리지 대역이다. docker 네트워크 대역이 다르면 (docker network inspect bridge 로 확인) 그 대역으로 바꾼다
    
    호스트 IP 확인 (컨테이너에서 core 에 접속할 때 사용)
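    # First global IPv4 address of a non-docker interface; koko/guacamole use it to reach the core on 8080.
    # 'ip -o' prints one interface per line ($2 = interface, $4 = address/prefix), so no multi-line grep juggling is needed.
    # Check the printed value before using it: on multi-homed hosts the first address may not be the one the containers can reach.
    $ Server_IP=$(ip -4 -o addr show scope global | awk '$2 !~ /docker/ {sub(/\/.*/, "", $4); print $4; exit}')
    $ echo -e "\033[31m Server_IP: $Server_IP \033[0m"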
    
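    # CORE_HOST / JUMPSERVER_SERVER: the core URL as seen from inside the containers, e.g. http://192.168.244.144:8080.
    # Read BOOTSTRAP_TOKEN back from config.yml so this works in a fresh shell and always matches what the core expects.
    $ BOOTSTRAP_TOKEN=$(awk '/^BOOTSTRAP_TOKEN:/ {print $2}' /opt/jumpserver/config.yml)
    # These images come from a personal Docker Hub namespace (wojiushixiaobai), not the jumpserver organisation:
    # decide whether you trust it, and pin by digest (image@sha256:...) once verified.
    # Values passed with -e are visible to anyone who can run 'docker inspect' (i.e. root / the docker group).
    # koko: 2222 is the user-facing SSH gateway (opened in the firewall); 5000 is the web-terminal backend, loopback only for nginx.
    $ docker run --name jms_koko -d -p 2222:2222 -p 127.0.0.1:5000:5000 -e CORE_HOST=http://$Server_IP:8080 -e BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN --restart=always wojiushixiaobai/jms_koko:1.5.7
    # guacamole: loopback only; nginx proxies /guacamole/ to 8081.
    $ docker run --name jms_guacamole -d -p 127.0.0.1:8081:8080 -e JUMPSERVER_SERVER=http://$Server_IP:8080 -e BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN --restart=always wojiushixiaobai/jms_guacamole:1.5.7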
    

    ·
    Web Terminal 전단 Luna 배치: Luna 는 Nginx 가 정적 파일로 서비스한다. release 페이지(https://github.com/jumpserver/luna/releases) 에서 core 버전에 맞는 release 를 받아 압축을 푼다
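    $ cd /opt
    # Luna is the web-terminal front end, served as static files by nginx (location /luna/ below). Use the release
    # matching the core/koko version you installed; the original guide pairs luna 1.5.6 with koko 1.5.7 — check the
    # releases page for the right pairing.
    $ wget https://github.com/jumpserver/luna/releases/download/1.5.6/luna.tar.gz
    # Alternative download if GitHub is unreachable (same file, served from the project's demo host); only one is needed:
    #   wget https://demo.jumpserver.org/download/luna/1.5.6/luna.tar.gz
    
    $ tar xf luna.tar.gz
    $ chown -R root:root luna   # static assets: owned by root, readable by nginx, writable by nobody else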
    

    ·
    Nginx 설정: 기본 vhost 를 제거하고 JumpServer 용 설정을 추가한다
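    $ rm -f /etc/nginx/conf.d/default.conf   # drop the stock vhost so only jumpserver.conf answers on :80 (a single file: no -r needed)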
    

    ·
    $ vi /etc/nginx/conf.d/jumpserver.conf
    
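    server {
    listen 80;
    # server_name _;
    # Plain HTTP: the web UI carries admin credentials, MFA codes and interactive sessions.
    # Before exposing this beyond a lab, terminate TLS here (listen 443 ssl with a certificate, redirect :80 -> :443).
    server_tokens off;  # do not advertise the nginx version in headers and error pages
    
    client_max_body_size 100m;  # upload size limit (file transfer through the web terminal)
    
    location /luna/ {
        try_files $uri / /index.html;
        alias /opt/luna/;  # luna static files; change if luna was extracted elsewhere
    }
    
    location /media/ {
        add_header Content-Encoding gzip;  # kept from the original guide: files under media are served as gzip
        root /opt/jumpserver/data/;  # core data dir; change if jumpserver lives elsewhere
    }
    
    location /static/ {
        root /opt/jumpserver/data/;  # core static files; same path rule as above
    }
    
    # koko web-terminal backend (container, loopback 5000). The Upgrade/Connection headers are required for WebSocket.
    location /koko/ {
        proxy_pass       http://localhost:5000;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;  # long-lived WebSocket connections; logging here is noise only
    }
    
    # guacamole (container, loopback 8081); the trailing slash on proxy_pass strips the /guacamole/ prefix.
    location /guacamole/ {
        proxy_pass       http://localhost:8081/;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }
    
    # WebSocket endpoint on 8070 (presumably the core's ws service started by jms).
    location /ws/ {
        proxy_pass http://localhost:8070;
        proxy_http_version 1.1;
        proxy_buffering off;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }
    
    # Everything else goes to the core on 8080. Access logging stays ON here: login attempts and API calls on this
    # path are the audit trail for the bastion itself (the original guide switched it off).
    location / {
        proxy_pass http://localhost:8080;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
    }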
    

    ·
    Nginx 실행 및 접속 확인
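    $ nginx -t   # validate the configuration; fix any reported error before starting
    $ systemctl start nginx
    
    # Open http://192.168.244.144 in a browser (through nginx on :80; do not use :8080, that is the bare core).
    # Default account: admin / admin. Change this password at first login and enable MFA (OTP settings in config.yml)
    # before adding any asset; then check the terminal management page to confirm koko and Guacamole are online.
    # Connection test (the scraped page had these addresses obfuscated as "[email protected]"; the host IP from above is restored):
    $ ssh -p2222 admin@192.168.244.144
    $ sftp -P2222 admin@192.168.244.144
    # password: admin (until changed)
    # The original note here was garbled; it appears to say that a client such as Xshell must be pointed at port 2222,
    # and that 22 can be remapped to 2222 (and 80 kept for the web UI) at the network edge if users expect port 22 — confirm for your setup.
    
    # On Windows, Xshell's terminal accepts the same login with the port as a trailing argument:
    $ ssh admin@192.168.244.144 2222
    $ sftp admin@192.168.244.144 2222
    # password: admin (until changed)
    
    # sftp uploads land in /tmp on the target host by default (per the original guide).
    # Windows assets are reached via Guacamole RDP; uploaded files appear on a G: drive there (per the original guide).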
    

    부록:
    재부팅 후 수동 시작 명령 (위에서 모두 enable 했으므로 보통은 자동으로 시작된다. 수동으로 올릴 때의 순서: DB/Redis → jms → 컨테이너 → nginx)
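    systemctl start mariadb   # database first
    systemctl start redis     # cache / celery broker
    systemctl start jms       # core; needs the two services above
    systemctl start docker    # koko and guacamole are containers started with --restart=always; the original listed 'coco', which is not installed in this setup
    systemctl start nginx     # front door last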
    
