如何在Centos7中安装配置Jumpserver堡垒机

Jumpserver 是全球首款完全开源、符合 4A 规范（包含认证Authentication 、授权 Authorization、账号 Accounting 和审计 Auditing）的运维安全审计系统，Jumpserver 通过软件订阅服务或者软硬件一体机的方式，向企业级用户交付多云环境下更好用的堡垒机。与传统堡垒机相比， Jumpserver 采用了分布式架构设计，支持多云环境并可灵活扩展。资产管理方面， Jumpserver 无并发和资产数量限制，支持水平扩容。 Jumpserver 采用了业界领先的容器化部署方式，并且提供体验极佳的 Web Terminal 。 Jumpserver 还可实现基于 Web 的文件传输，并且支持用户将运维审计录像保存在云端。

堡垒机 ：baole.yimitest.com 192.168.20.153

Jumpserver 环境要求：

• 硬件配置: 2个CPU核心, 4G 内存, 50G 硬盘（最低）

• 操作系统: Linux 发行版 x86_64

• Python = 3.6.x

• Mysql Server ≥ 5.6

• Mariadb Server ≥ 5.5.56

• Redis

1、安装 python3.6 mysql Redis

Centos7安装Python3.6

Centos7安装Mariadb 或 Centos7安装Mysql

Centos7安装Redis

2.创建 py3 虚拟环境

python3.6 -m venv /opt/py3

载入 py3 虚拟环境

source /opt/py3/bin/activate

cd /opt

yum install git -y

git clone --depth=1 https://github.com/jumpserver/jumpserver.git

cd /opt/jumpserver/requirements

pip install --upgrade pip

pip install wheel

yum install mysql-devel

pip install django==2.2

pip install future==0.16.0

pip install cryptography==2.7

cd /opt/jumpserver/requirements

yum install -y $(cat rpm_requirements.txt)

pip install -r requirements.txt

mysql -uroot -p

create database jumpserver default charset 'utf8';

grant all on jumpserver.* to 'jumpserver'@'127.0.0.1' identified by 'yimitest';

flush privileges;

cd /opt/jumpserver

cp config_example.yml config.yml

vim config.yml

SECRET_KEY: yimitest

BOOTSTRAP_TOKEN: yimitesttoken

DB_ENGINE: mysql

DB_HOST: 127.0.0.1

DB_PORT: 3306

DB_USER: jumpserver

DB_PASSWORD: yimitest

DB_NAME: jumpserver

./jms start

cd /opt

wget https://github.com/jumpserver/koko/releases/download/1.5.5/koko-master-linux-amd64.tar.gz

tar xf koko-master-linux-amd64.tar.gz

chown -R root:root kokodir
cd kokodir

cp config_example.yml config.yml

vim config.yml

BOOTSTRAP_TOKEN: yimitesttoken // 需要从 jumpserver/config.yml 里面获取, 保证一致

./koko # 可以 -d 参数在后台运行 ./koko -d

cd /opt

git clone --depth=1 https://github.com/jumpserver/docker-guacamole.git
cd /opt/docker-guacamole
tar xf guacamole-server-1.0.0.tar.gz

cd /opt/docker-guacamole/guacamole-server-1.0.0

yum -y localinstall --nogpgcheck https://mirrors.aliyun.com/rpmfusion/free/el/rpmfusion-free-release-7.noarch.rpm https://mirrors.aliyun.com/rpmfusion/nonfree/el/rpmfusion-nonfree-release-7.noarch.rpm

yum install -y cairo-devel libjpeg-turbo-devel libpng-devel uuid-devel

yum install -y ffmpeg-devel freerdp1.2-devel pango-devel libssh3-devel libtelnet-devel libvncserver-devel pulseaudio-libs-devel openssl-devel libvorbis-devel libwebp-devel

yum install -y libtool

ln -s /usr/local/lib/freerdp /usr/lib64/freerdp

$ autoreconf -fi

$ ./configure --with-init-dir=/etc/init.d
$ make

$ make install

yum install -y java-1.8.0-openjdk

$ mkdir -p /config/guacamole /config/guacamole/extensions /config/guacamole/record
$ chown daemon:daemon /config/guacamole/record /config/guacamole/drive
$ cd /config
$ wget http://mirrors.tuna.tsinghua.edu.cn/apache/tomcat/tomcat-9/v9.0.30/bin/apache-tomcat-9.0.30.tar.gz
$ tar xf apache-tomcat-9.0.30.tar.gz
$ mv apache-tomcat-9.0.30 tomcat9
$ rm -rf /config/tomcat9/webapps/*
$ sed -i 's/Connector port="8080"/Connector port="8081"/g' /config/tomcat9/conf/server.xml
$ echo "java.util.logging.ConsoleHandler.encoding = UTF-8" >> /config/tomcat9/conf/logging.properties
$ ln -sf /opt/docker-guacamole/guacamole-1.0.0.war /config/tomcat9/webapps/ROOT.war
$ ln -sf /opt/docker-guacamole/guacamole-auth-jumpserver-1.0.0.jar /config/guacamole/extensions/guacamole-auth-jumpserver-1.0.0.jar
$ ln -sf /opt/docker-guacamole/root/app/guacamole/guacamole.properties /config/guacamole/guacamole.properties
$ wget https://github.com/ibuler/ssh-forward/releases/download/v0.0.5/linux-amd64.tar.gz
$ tar xf linux-amd64.tar.gz -C /bin/

$ chmod +x /bin/ssh-forward

# 设置 guacamole 环境

$ export JUMPSERVER_SERVER=http://127.0.0.1:8080 # http://127.0.0.1:8080 指 jumpserver 访问地址

$ echo "export JUMPSERVER_SERVER=http://127.0.0.1:8080" >> ~/.bashrc

# BOOTSTRAP_TOKEN 为 Jumpserver/config.yml 里面的 BOOTSTRAP_TOKEN 值$ export BOOTSTRAP_TOKEN=******
$ echo "export BOOTSTRAP_TOKEN=yimitesttoken" >> ~/.bashrc
$ export JUMPSERVER_KEY_DIR=/config/guacamole/keys
$ echo "export JUMPSERVER_KEY_DIR=/config/guacamole/keys" >> ~/.bashrc
$ export GUACAMOLE_HOME=/config/guacamole
$ echo "export GUACAMOLE_HOME=/config/guacamole" >> ~/.bashrc
$ export GUACAMOLE_LOG_LEVEL=ERROR
$ echo "export GUACAMOLE_LOG_LEVEL=ERROR" >> ~/.bashrc
$ export JUMPSERVER_CLEAR_DRIVE_SESSION=true$ echo "export JUMPSERVER_CLEAR_DRIVE_SESSION=true" >> ~/.bashrc

$ export JUMPSERVER_ENABLE_DRIVE=true

$ echo "export JUMPSERVER_ENABLE_DRIVE=true" >> ~/.bashrc

$ /etc/init.d/guacd start
$ sh /config/tomcat9/bin/startup.sh

$ cd /opt

# 访问 https://github.com/jumpserver/luna/releases 获取

$ wget https://github.com/jumpserver/luna/releases/download/1.5.5/luna.tar.gz

$ tar xf luna.tar.gz
$ chown -R root:root luna

# 参考 http://nginx.org/en/linux_packages.html 文档安装最新的稳定版 nginx$ rm -rf /etc/nginx/conf.d/default.confyum install yum-utilsvim /etc/yum.repos.d/nginx.repo[nginx-stable]name=nginx stable repobaseurl=http://nginx.org/packages/centos/$releasever/$basearch/gpgcheck=1enabled=1gpgkey=https://nginx.org/keys/nginx_signing.keymodule_hotfixes=true[nginx-mainline]name=nginx mainline repobaseurl=http://nginx.org/packages/mainline/centos/$releasever/$basearch/gpgcheck=1enabled=0gpgkey=https://nginx.org/keys/nginx_signing.keymodule_hotfixes=trueyum install nginx$ rm -rf /etc/nginx/conf.d/default.conf$ vim /etc/nginx/conf.d/jumpserver.confserver {    listen 80;    client_max_body_size 100m;  # 录像及文件上传大小限制    location /luna/ {        try_files $uri / /index.html;        alias /opt/luna/;  # luna 路径, 如果修改安装目录, 此处需要修改    }    location /media/ {        add_header Content-Encoding gzip;        root /opt/jumpserver/data/;  # 录像位置, 如果修改安装目录, 此处需要修改    }    location /static/ {        root /opt/jumpserver/data/;  # 静态资源, 如果修改安装目录, 此处需要修改    }    location /koko/ {        proxy_pass       http://localhost:5000;        proxy_buffering off;        proxy_http_version 1.1;        proxy_set_header Upgrade $http_upgrade;        proxy_set_header Connection "upgrade";        proxy_set_header X-Real-IP $remote_addr;        proxy_set_header Host $host;        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;        access_log off;    }    location /guacamole/ {        proxy_pass       http://localhost:8081/;        proxy_buffering off;        proxy_http_version 1.1;        proxy_set_header Upgrade $http_upgrade;        proxy_set_header Connection $http_connection;        proxy_set_header X-Real-IP $remote_addr;        proxy_set_header Host $host;        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;        access_log off;    }    location /ws/ {        proxy_set_header X-Real-IP $remote_addr;        proxy_set_header Host $host;        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;        proxy_pass http://localhost:8070;        proxy_http_version 1.1;        proxy_buffering off;        proxy_set_header Upgrade $http_upgrade;        proxy_set_header Connection "upgrade";    }    location / {        proxy_pass http://localhost:8080;        proxy_set_header X-Real-IP $remote_addr;        proxy_set_header Host $host;        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;    }}

$ nginx -c /etc/nginx/nginx.conf$ nginx -t$ nginx -s reloadsystemctl enable nginx

访问 http://192.168.20.153

配置 自启动

$ echo -e "\033[31m 6. 配置自启 \033[0m" \  && if [ ! -f "/usr/lib/systemd/system/jms.service" ]; then wget -O /usr/lib/systemd/system/jms.service https://demo.jumpserver.org/download/shell/centos/jms.service; chmod 755 /usr/lib/systemd/system/jms.service; systemctl enable jms; fi