CentOS 7.* JumpServer installation: log auditing and asset management
1.部署redis nginx mysql python3環境,安裝git
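# Step 1: base packages and services.
yum install -y redis nginx
yum install -y mariadb-server mariadb
yum install -y python3
yum install -y git

# Start the backing services and enable them so they come back after a
# reboot (the page only started them). CentOS 7's systemctl has no
# `enable --now`, hence two commands each.
systemctl start redis
systemctl enable redis
systemctl start mariadb
systemctl enable mariadb

# NOTE(review): a freshly installed MariaDB accepts root over the local
# socket with no password. Run `mysql_secure_installation` (or at least set
# a root password and drop anonymous users) before this host is reachable
# by anyone else; the application DB credentials are set up in step 4.

# Database used by JumpServer (charset/collation as given on the page).
mysql -e "create database jumpserver default charset 'utf8' collate 'utf8_bin';"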
2.建立 py3 虛擬環境 -- 載入 py3 虛擬環境
# Step 2: dedicated Python 3.6 virtualenv for JumpServer, then activate it
# for the commands that follow.
py3_env=/opt/py3
python3.6 -m venv "${py3_env}"
# shellcheck disable=SC1091 — created by the line above
source "${py3_env}/bin/activate"
3.獲取jumpserver程式碼 安裝依賴
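# Step 3: obtain the JumpServer source and install its dependencies inside
# the py3 virtualenv.
source /opt/py3/bin/activate
cd /opt

# Alternative to the tarball below: a shallow clone of the upstream repo.
# --depth=1 fetches only the latest commit.
# git clone --depth=1 https://github.com/jumpserver/jumpserver.git

# The page does not say where jumpserver_source.tar.gz comes from, so its
# integrity is unverified; fail loudly instead of silently doing nothing
# when it is missing from /opt.
[[ -f /opt/jumpserver_source.tar.gz ]] || {
  echo "/opt/jumpserver_source.tar.gz not found — obtain the JumpServer source first" >&2
  exit 1
}
tar xf /opt/jumpserver_source.tar.gz -C /opt

cd /opt/jumpserver/requirements
# Original had `yum install-y` (missing space) which yum rejects.
# 'gcc*' is quoted so the shell cannot expand it against files in the cwd.
yum install -y $(cat rpm_requirements.txt) python36-devel openssl-devel 'gcc*'

# Python deps from the Aliyun PyPI mirror (https). Dependency versions come
# from requirements.txt; nothing here pins hashes, so the mirror is trusted.
pip3 install wheel -i https://mirrors.aliyun.com/pypi/simple/
pip3 install --upgrade pip setuptools -i https://mirrors.aliyun.com/pypi/simple/
pip3 install -r requirements.txt -i https://mirrors.aliyun.com/pypi/simple/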
4.修改jumpserver配置檔案
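# Step 4: write /opt/jumpserver/config.yml.
#
# Secrets are generated into shell variables and never echoed. The page
# printed example values and then pasted those *same* example values into
# its sed commands, so anyone following it verbatim deploys a SECRET_KEY
# (the Django signing key) and BOOTSTRAP_TOKEN that are public. Both must be
# unique per installation and never copied from a published example.
source /opt/py3/bin/activate

# Alphabet is [A-Za-z0-9] only: the values are spliced into sed
# replacements and YAML below, so they must contain no '/', '&', quotes or
# other sed/regex metacharacters.
SECRET_KEY=$(tr -dc 'A-Za-z0-9' </dev/urandom | head -c 49)
BOOTSTRAP_TOKEN=$(tr -dc 'A-Za-z0-9' </dev/urandom | head -c 17)
DB_PASSWORD=$(tr -dc 'A-Za-z0-9' </dev/urandom | head -c 32)

# Dedicated, password-protected DB account limited to the jumpserver
# schema, instead of the page's `DB_USER: root` with no password. A leaked
# config.yml then does not hand over the whole database server. The
# statement is fed on stdin so the password never appears in `ps` output.
# (GRANT ... IDENTIFIED BY also creates the user on MariaDB 5.5, the CentOS 7
# default, which lacks CREATE USER IF NOT EXISTS.)
mysql <<SQL
GRANT ALL PRIVILEGES ON jumpserver.* TO 'jumpserver'@'localhost' IDENTIFIED BY '${DB_PASSWORD}';
GRANT ALL PRIVILEGES ON jumpserver.* TO 'jumpserver'@'127.0.0.1' IDENTIFIED BY '${DB_PASSWORD}';
FLUSH PRIVILEGES;
SQL

cd /opt/jumpserver
cp config_example.yml config.yml
chmod 600 config.yml   # holds the signing key, bootstrap token and DB password

# Anchored to the start of line so commented examples in config_example.yml
# are left alone; DB_USER stays at the example's `jumpserver`.
sed -i "s/^SECRET_KEY:.*/SECRET_KEY: '${SECRET_KEY}'/" config.yml
sed -i "s/^BOOTSTRAP_TOKEN:.*/BOOTSTRAP_TOKEN: '${BOOTSTRAP_TOKEN}'/" config.yml
sed -i "s/^DB_PASSWORD:.*/DB_PASSWORD: '${DB_PASSWORD}'/" config.yml

# A sed with no match is silent; verify each key actually landed rather
# than discovering it when jms fails to start. If this trips, the key names
# in config_example.yml differ from what this page assumes — check them.
for key in SECRET_KEY BOOTSTRAP_TOKEN DB_PASSWORD; do
  grep -q "^${key}: '" config.yml || {
    echo "${key} was not set in config.yml — check config_example.yml key names" >&2
    exit 1
  }
done
grep -q '^DB_USER: jumpserver$' config.yml || {
  echo "DB_USER in config.yml is not 'jumpserver'; the DB account above will not match" >&2
  exit 1
}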
5.啟動jumpserver
# Step 5: start the JumpServer core in the background (-d) from inside the
# py3 virtualenv; the chain stops at the first step that fails.
source /opt/py3/bin/activate \
  && cd /opt/jumpserver \
  && ./jms start -d
6.部署koko服務並啟動【xshell連線koko服務埠2222,可彈出jumpserver資產列表】
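# Step 6: koko — the SSH server / web terminal component (SSH on 2222 and a
# WebSocket interface). The page describes it as Paramiko/Flask based; the
# v2.3.0 release fetched here is a prebuilt linux-amd64 binary.
source /opt/py3/bin/activate
cd /opt

# Pinned release over HTTPS. No checksum or signature is given on this page,
# so the artifact is trusted on TLS alone; record the sha256 of the file you
# verified and compare against it on future installs.
wget https://github.com/jumpserver/koko/releases/download/v2.3.0/koko-v2.3.0-linux-amd64.tar.gz

# Extract the file just downloaded. The page ran `find / -name ...` and
# unpacked whatever matched first anywhere on the filesystem.
tar xf /opt/koko-v2.3.0-linux-amd64.tar.gz -C /opt
mv koko-v2.3.0-linux-amd64 kokodir
chown -R root:root kokodir
cd /opt/kokodir
cp config_example.yml config.yml
chmod 600 config.yml   # contains the bootstrap token

# koko's kubectl wrapper goes on PATH as `kubectl`; the real binary
# installed below as `rawkubectl` is presumably what the wrapper execs.
cp kubectl /usr/local/bin/

# Read BOOTSTRAP_TOKEN from the JumpServer config instead of re-typing the
# literal (the page hard-coded the same value in three places, so a token
# rotation on the core would silently leave koko with a stale one).
BOOTSTRAP_TOKEN=$(sed -n "s/^BOOTSTRAP_TOKEN: *'\([^']*\)'.*/\1/p" /opt/jumpserver/config.yml)
[[ -n "${BOOTSTRAP_TOKEN}" ]] || {
  echo "BOOTSTRAP_TOKEN not found in /opt/jumpserver/config.yml" >&2
  exit 1
}
# Anchored so the whole placeholder line is replaced whatever its text.
sed -i "s/^BOOTSTRAP_TOKEN:.*/BOOTSTRAP_TOKEN: '${BOOTSTRAP_TOKEN}'/" config.yml

# Real kubectl, installed under a different name so the wrapper above wins.
wget https://download.jumpserver.org/public/kubectl.tar.gz
tar -xf kubectl.tar.gz
chmod 755 kubectl
mv kubectl /usr/local/bin/rawkubectl

./koko -d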
7.安裝並啟動 guacamole 元件
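# Step 7a: build guacd (guacamole-server). Apache Guacamole is used
# unmodified for RDP; JumpServer only adds an auth extension on the client
# side (step 7b).
source /opt/py3/bin/activate
cd /opt

# git clone --depth=1 https://github.com/jumpserver/docker-guacamole.git
# NOTE(review): `master.tar.gz` is an unpinned, mutable branch snapshot that
# the page saves under a v2.3.0 name. Pin a tag or commit so the build is
# reproducible and what was reviewed is what gets built.
wget -O guacamole-v2.3.0.tar.gz https://github.com/jumpserver/docker-guacamole/archive/master.tar.gz
mkdir -p /opt/docker-guacamole
# Extract the file just downloaded rather than `find / -name` for it.
tar xf /opt/guacamole-v2.3.0.tar.gz -C /opt/docker-guacamole --strip-components 1
cd /opt/docker-guacamole

# https: the same host is already fetched over https elsewhere on this
# page. Over plain http an on-path attacker can replace a tarball that is
# compiled and installed as root a few lines further down. No checksum is
# published here, so TLS is the only integrity check.
wget https://download.jumpserver.org/public/guacamole-server-1.2.0.tar.gz
wget https://download.jumpserver.org/public/ssh-forward.tar.gz

# Unpack ssh-forward into a scratch dir and install the single binary, rather
# than extracting an unreviewed archive straight into /bin. The page's own
# follow-up (`chmod +x /bin/ssh-forward`) shows the expected top-level name;
# adjust the path if the archive nests it in a directory.
tmp=$(mktemp -d)
tar -xf ssh-forward.tar.gz -C "${tmp}"
install -m 0755 "${tmp}/ssh-forward" /bin/ssh-forward
rm -rf -- "${tmp:?}"

# The page had this extraction commented out, so the `cd` below failed.
tar xf guacamole-server-1.2.0.tar.gz
cd /opt/docker-guacamole/guacamole-server-1.2.0

yum install -y cairo-devel libjpeg-turbo-devel libpng-devel uuid-devel
yum install -y ffmpeg-devel freerdp1.2-devel pango-devel libssh2-devel libtelnet-devel libvncserver-devel pulseaudio-libs-devel openssl-devel libvorbis-devel libwebp-devel >/dev/null
yum install -y make

# Link FreeRDP plugins into the directory guacd looks in. Looping with an
# existence check avoids the page's unquoted-glob failure mode: with no
# matches `ln -s '/usr/local/lib/freerdp/*.so'` creates a dangling link
# literally named '*.so'.
mkdir -p /usr/lib64/freerdp
for so in /usr/local/lib/freerdp/*.so; do
  [[ -e "${so}" ]] && ln -sf "${so}" /usr/lib64/freerdp/
done

autoreconf -fi
./configure --with-init-dir=/etc/init.d
make && make install
# libguac is installed under /usr/local/lib; refresh the loader cache so
# guacd can find it when started by the init script.
ldconfig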
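# Step 7b: Tomcat 9 with the guacamole-client web app and the JumpServer auth
# extension. Needs a JDK/JRE 8 first.
yum install -y java-1.8.0-openjdk
mkdir -p /config/guacamole/{lib,extensions,record,drive,data/log/}
chown daemon:daemon /config/guacamole/{record,drive}
cd /config

# The Tomcat tarball is not downloaded anywhere on this page. Require it at
# an explicit path instead of `find / -name`, which would unpack whichever
# same-named file happens to exist anywhere on disk.
TOMCAT_TGZ=${TOMCAT_TGZ:-/opt/apache-tomcat-9.0.27.tar.gz}
[[ -f "${TOMCAT_TGZ}" ]] || {
  echo "apache-tomcat-9.0.27.tar.gz not found at ${TOMCAT_TGZ} (set TOMCAT_TGZ to its location)" >&2
  exit 1
}
tar xf "${TOMCAT_TGZ}" -C /config
mv apache-tomcat-9.0.27 tomcat9
rm -rf /config/tomcat9/webapps/*

# Move the HTTP connector to 8081 and bind it to loopback only: nginx
# (step 9) proxies /guacamole/ to localhost:8081, so there is no reason to
# expose Tomcat on every interface.
sed -i 's/Connector port="8080"/Connector port="8081" address="127.0.0.1"/g' /config/tomcat9/conf/server.xml
# NOTE(review): Tomcat 9.0.27 predates the 9.0.31 release that disabled the
# AJP connector (port 8009) by default. Nothing in this setup uses AJP; if
# server.xml still carries an enabled AJP connector, comment it out or
# upgrade Tomcat before exposing the host.
echo "java.util.logging.ConsoleHandler.encoding = UTF-8" >> /config/tomcat9/conf/logging.properties

# Client matching this JumpServer release, over https (the page used http
# for the same host it fetches over https elsewhere).
wget https://download.jumpserver.org/release/v2.3.0/guacamole-client-v2.3.0.tar.gz
tar -xf guacamole-client-v2.3.0.tar.gz
cp guacamole-client-v2.3.0/guacamole-*.war /config/tomcat9/webapps/ROOT.war
cp guacamole-client-v2.3.0/guacamole-*.jar /config/guacamole/extensions/

# The page went on to symlink guacamole-1.0.0.war and
# guacamole-auth-jumpserver-1.0.0.jar from the docker-guacamole checkout over
# the v2.3.0 artifacts just copied. Those links are dropped here: they would
# replace the client that matches this release with an older one, and dangle
# if the checkout does not ship them.

# guacamole.properties: the page referenced it at two different paths in the
# docker-guacamole checkout (one moved, one symlinked); use whichever exists.
for props in /opt/docker-guacamole/guacamole.properties \
             /opt/docker-guacamole/root/app/guacamole/guacamole.properties; do
  if [[ -f "${props}" ]]; then
    cp -- "${props}" /config/guacamole/guacamole.properties
    break
  fi
done
[[ -f /config/guacamole/guacamole.properties ]] || {
  echo "guacamole.properties not found in /opt/docker-guacamole" >&2
  exit 1
}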
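# Step 7c: environment for the JumpServer auth extension, then start guacd
# and Tomcat.
#
# The page appended these exports — BOOTSTRAP_TOKEN included — to ~/.bashrc,
# which hands the shared secret to every interactive root shell and every
# process those shells spawn. Tomcat sources bin/setenv.sh on startup, so
# the variables go there with mode 0600 instead; guacd does not need them.
# The py3 virtualenv is not involved in running Tomcat and is not activated.

# URL of the JumpServer core as seen from this host.
JUMPSERVER_SERVER=http://127.0.0.1:8080

# Same token as /opt/jumpserver/config.yml, read from there rather than
# re-typed so the two cannot drift apart.
BOOTSTRAP_TOKEN=$(sed -n "s/^BOOTSTRAP_TOKEN: *'\([^']*\)'.*/\1/p" /opt/jumpserver/config.yml)
[[ -n "${BOOTSTRAP_TOKEN}" ]] || {
  echo "BOOTSTRAP_TOKEN not found in /opt/jumpserver/config.yml" >&2
  exit 1
}

cat > /config/tomcat9/bin/setenv.sh <<EOF
export JUMPSERVER_SERVER=${JUMPSERVER_SERVER}
export BOOTSTRAP_TOKEN=${BOOTSTRAP_TOKEN}
export JUMPSERVER_KEY_DIR=/config/guacamole/keys
export GUACAMOLE_HOME=/config/guacamole
export GUACAMOLE_LOG_LEVEL=ERROR
EOF
chmod 600 /config/tomcat9/bin/setenv.sh

/etc/init.d/guacd start
sh /config/tomcat9/bin/startup.sh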
8.部署luna外掛
#luna功能: 現在是 Web Terminal 前端,計劃前端頁面都由該專案提供,Jumpserver 只提供 API,不再負責後臺渲染html等
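# Step 8: luna, the web terminal front end served statically by nginx
# (step 9). The tarball is not downloaded on this page, so require it at an
# explicit path instead of `find / -name luna.tar.gz`, which would unpack
# whichever matching file exists anywhere on disk.
source /opt/py3/bin/activate
cd /opt
LUNA_TGZ=${LUNA_TGZ:-/opt/luna.tar.gz}
[[ -f "${LUNA_TGZ}" ]] || {
  echo "luna.tar.gz not found at ${LUNA_TGZ} (set LUNA_TGZ to its location)" >&2
  exit 1
}
tar xf "${LUNA_TGZ}" -C /opt
chown -R root:root luna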
9.生成nginx代理jumpserver配置檔案
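# Step 9: nginx as the single front door for JumpServer, luna, koko and
# guacamole. The config is written through a quoted heredoc so the $vars
# are left for nginx, as in the page's single-quoted echo.
#
# Fix vs. the page: `server_name alpha.example.com` had no terminating ';',
# so nginx parsed "client_max_body_size" and "100m" as two extra server
# names and the upload/recording size limit was never applied.
source /opt/py3/bin/activate
cat >/etc/nginx/conf.d/jumpserver.conf <<'EOF'
server {
    listen 80;
    server_name alpha.example.com;
    # TODO(review): terminate TLS here (listen 443 ssl + certificate/key and
    # a redirect from 80). Until then every bastion login, session stream and
    # recording download below crosses this listener in cleartext. The
    # certificate paths are site-specific and are not given on this page.
    client_max_body_size 100m;  # recording and file-upload size limit

    location / {
        proxy_pass http://localhost:8080;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    location /luna/ {
        try_files $uri / /index.html;
        alias /opt/luna/;  # luna path; change if installed elsewhere
    }

    location /media/ {
        add_header Content-Encoding gzip;
        root /opt/jumpserver/data/;  # session recordings; change if installed elsewhere
    }

    location /static/ {
        root /opt/jumpserver/data/;  # static assets; change if installed elsewhere
    }

    location /koko/ {
        proxy_pass http://localhost:5000;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    location /guacamole/ {
        proxy_pass http://localhost:8081/;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    location /ws/ {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://localhost:8070;
        proxy_http_version 1.1;
        proxy_buffering off;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
EOF

# Validate first; only then (re)start through systemd so this works whether
# or not nginx is already running, and enable it like the other services.
nginx -t && systemctl enable nginx && systemctl restart nginx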