Environment
- System
```shell
# cat /etc/redhat-release
CentOS Linux release 7.4.1708 (Core)
# uname -r
3.10.0-693.21.1.el7.x86_64
```
- Turn off SELinux and the firewall
```shell
# systemctl stop firewalld.service
# sed -i '/^SELINUX/s/enforcing/disabled/g' /etc/selinux/config
# grep -i ^selinux /etc/selinux/config
SELINUX=disabled
SELINUXTYPE=targeted
```
- Modify the character set (Chinese is written to the log; without this it fails with "input/output error")
```shell
# localedef -c -f UTF-8 -i zh_CN zh_CN.UTF-8
# export LC_ALL=zh_CN.UTF-8
# echo 'LANG="zh_CN.UTF-8"' > /etc/locale.conf
```
Prepare Python3 and Python virtual environment
- Install dependent packages
```shell
# yum -y install wget sqlite-devel xz gcc automake zlib-devel openssl-devel epel-release git
```
- Compile and install
```shell
# wget https://www.python.org/ftp/python/3.6.1/Python-3.6.1.tar.xz
# tar xvf Python-3.6.1.tar.xz && cd Python-3.6.1
# ./configure && make && make install
```
- Establish Python virtual environment
```shell
# cd /opt
# python3 -m venv py3
# source /opt/py3/bin/activate
```
Seeing the following prompt means the virtual environment is active. Every time you run Jumpserver you must first run the source command above; all the following commands are run inside this virtual environment.
```
(py3) [[email protected] py3]
```
- Automatically load the Python virtual environment
This prevents Jumpserver from failing to start because the Python virtual environment was not loaded before running it.
```shell
# cd /opt
# git clone git://github.com/kennethreitz/autoenv.git
# echo 'source /opt/autoenv/activate.sh' >> ~/.bashrc
# source ~/.bashrc
```
Install Jumpserver
- Download or clone the project
You can either download the zip package or clone the repository directly to the local machine.
```shell
# cd /opt/
# git clone https://github.com/jumpserver/jumpserver.git && cd jumpserver && git checkout master
# echo "source /opt/py3/bin/activate" > /opt/jumpserver/.env  # The Python virtual environment is loaded automatically when entering the jumpserver directory
```
- Install the dependent RPM package
```shell
# cd /opt/jumpserver/requirements
# yum -y install $(cat rpm_requirements.txt)  # If there is no error, please continue
```
- Install Python library dependencies
By default the Python package index is a foreign site, so downloads may be slow for network reasons. Here we switch to a domestic mirror.
```shell
# pip install -r requirements.txt -i http://pypi.douban.com/simple --trusted-host pypi.douban.com
```
The above only applies to this one command. If you want to configure the mirror as the default source, create (or modify) the pip configuration file; on Linux it is ~/.pip/pip.conf, with the following content:
```ini
[global]
index-url = http://pypi.douban.com/simple
[install]
trusted-host = pypi.douban.com
```
- Install Redis; Jumpserver uses Redis as its cache and as the celery broker
```shell
# yum -y install redis
# systemctl enable redis
# systemctl start redis
```
- Install MySQL
```shell
# yum -y install mariadb mariadb-devel mariadb-server
# systemctl enable mariadb
# systemctl start mariadb
```
- Initialize MySQL, create the jumpserver database and grant access to it
```shell
# mysql_secure_installation  # Set the root login password, then press Enter all the way through
# mysql -uroot -p123456
> create database jumpserver default charset 'utf8';
> grant all on jumpserver.* to 'jumpserver'@'127.0.0.1' identified by '123456';
> flush privileges;
```
- Modify the Jumpserver configuration file
```shell
# cd /opt/jumpserver
# cp config_example.py config.py
# vim config.py
```
Note: the configuration file is Python source. Do not indent with TABs; use spaces.
""" jumpserver.config ~~~~~~~~~~~~~~~~ Jumpserver project setting file :copyright: ( c) 2014-2017 by Jumpserver Team :license: GPL v2, see LICENSE for more details. """ import os BASE_DIR = os.path.dirname(os.path.abspath(__file__ )) class Config: # Use it to encrypt or decrypt data # Jumpserver uses SECRET_KEY for encryption, please be sure to modify the following settings# SECRET_KEY = os.environ.get('SECRET_KEY') or ' 2vym+ky!997d5kkcc64mnz06y1mmui3lut#(^wd=%s_qj$1%x' SECR ET_KEY = '2vym+ky!997d5kkcc64mnz06y1mmui3lut#(^wd=%s_qj$1%x' 'Please enter a random string at will (recommended characters are greater than Equal to 50 bits)' # Django security setting, if your disable debug model, you should setting that ALLOWED_HOSTS = ['*'] # DEBUG mode True is turned on, False is turned off, it is turned on by default, and it is recommended to turn off in production environment.# Note: If DEBUG = False is set, the port 8080 page will display Abnormal, you need to build an nginx proxy to access normally DEBUG = False # Log level, default is DEBUG, can be adjusted to INFO, WARNING, ERROR , CRITICAL, default INFO LOG_LEVEL = 'WARNING' LOG_DIR = os.path.join(BASE_DIR, 'logs') # The database configuration used, supports sqlite3, mysql, postgres, etc., sqlite3 is used by default # See https://docs.djangoproject.com/en/1.10/ref/settings /#databases # SQLite3 is used by default. If you use other databases, please comment the following two lines# DB_ENGINE ='sqlite3' # DB_NAME = os.path.join(BASE_DIR,'data','db.sqlite3') # If you need to use mysql or postgres, please cancel the comment below and enter it correctly This example uses mysql for demonstration (mariadb is also mysql) DB_ENGINE = 'mysql' DB_HOST = '127.0.0.1' DB_PORT = 3306 DB_USER = 'jumpserver' DB_PASSWORD = '123456' DB_NAME = 'jumpserver' # The ip and port that Django listens to. 
It is recommended to modify 0.0.0.0 to 127.0.0.1 in the production environment, which means that xxxx is allowed to access, and 127.0.0.1 means that only oneself is allowed Visit # ./manage.py runserver 127.0.0.1:8080 HTTP_BIND_HOST = '127.0.0.1' HTTP_LISTEN_PORT = 8080 # Redis related settings REDIS_HOST = '127.0.0.1' REDIS_PORT = 6379 REDIS_PASSWORD = < span class="hljs-string">" REDIS_DB_CELERY = 3 REDIS_DB_CACHE = 4 def __init__(self): pass def __getattr__(self, item): return None class DevelopmentConfig(Config): pass class TestConfig(Config): pass < span class="hljs-keyword">class ProductionConfig(Config): pass # Default using Config settings, you can write if/else for different env config = DevelopmentConfig() span> span>
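The comments in config.py above say the shipped SECRET_KEY must be replaced and that DEBUG and the bind address should be tightened for production. The following added example (not part of the page or the Jumpserver project) audits a config.py for those settings and generates a replacement key; the sample config it checks is constructed from the values this tutorial uses.

```python
import ast
import secrets
import string

# Value shipped in config_example.py (quoted from the page above); must not be kept.
EXAMPLE_SECRET_KEY = '2vym+ky!997d5kkcc64mnz06y1mmui3lut#(^wd=%s_qj$1%x'

def config_values(source):
    """Return {name: literal value} for simple assignments inside class Config."""
    values = {}
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.ClassDef) and node.name == 'Config':
            for stmt in node.body:
                if isinstance(stmt, ast.Assign):
                    try:
                        values[stmt.targets[0].id] = ast.literal_eval(stmt.value)
                    except (ValueError, AttributeError):
                        pass  # os.path.join(...) etc. are not literals; skip them
    return values

def audit_config(source):
    """List the settings the config comments say must not reach production."""
    v, findings = config_values(source), []
    key = v.get('SECRET_KEY') or ''
    if key == EXAMPLE_SECRET_KEY or len(key) < 50:
        findings.append('SECRET_KEY is the example default or shorter than 50 chars')
    if '*' in (v.get('ALLOWED_HOSTS') or []):
        findings.append("ALLOWED_HOSTS accepts any Host header ('*')")
    if v.get('DEBUG') is True:
        findings.append('DEBUG is enabled')
    if not v.get('REDIS_PASSWORD'):
        findings.append('REDIS_PASSWORD is empty')
    if v.get('DB_PASSWORD') in (None, '', '123456'):
        findings.append('DB_PASSWORD is missing or the tutorial default')
    return findings

def new_secret_key(length=60):
    """Random SECRET_KEY of at least 50 characters, as the config comment recommends."""
    alphabet = string.ascii_letters + string.digits + '!@#$%^&*(-_=+)'
    return ''.join(secrets.choice(alphabet) for _ in range(length))

# Constructed sample mirroring the values this tutorial puts in config.py.
SAMPLE_CONFIG = f"""class Config:
    SECRET_KEY = '{EXAMPLE_SECRET_KEY}'
    ALLOWED_HOSTS = ['*']
    DEBUG = False
    DB_PASSWORD = '123456'
    REDIS_PASSWORD = ''
"""
```

Run `audit_config(open('/opt/jumpserver/config.py').read())` against the real file; an empty list means none of the checked settings are still at their tutorial values.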
- Generate the database table structure and initial data
```shell
# cd /opt/jumpserver/utils
# bash make_migrations.sh
```
- Run Jumpserver
```shell
# cd /opt/jumpserver
# ./jms start all  # Use the -d parameter to run in the background: ./jms start all -d
```
If no error is reported, visit http://IP address:8080 in the browser. Default account: admin, password: admin.
Install SSH Server and WebSocket Server: Coco
- Download or clone the project
Open a new terminal and do not forget to run source /opt/py3/bin/activate first.
```shell
# cd /opt
# source /opt/py3/bin/activate
# git clone https://github.com/jumpserver/coco.git && cd coco && git checkout master
# echo "source /opt/py3/bin/activate" > /opt/coco/.env  # The Python virtual environment is loaded automatically when entering the coco directory
```
- Install dependencies
```shell
# cd /opt/coco/requirements
# yum -y install $(cat rpm_requirements.txt)
# pip install -r requirements.txt
```
- Modify the configuration file and run it
```shell
# cd /opt/coco
# cp conf_example.py conf.py  # If coco and jumpserver are deployed on separate hosts, adjust conf.py by hand
# vim conf.py
```
```python
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
#
import os

BASE_DIR = os.path.dirname(__file__)


class Config:
    """
    Coco config file, coco also load config from server update setting below
    """
    # The name of the project, used to register with Jumpserver for identification; it must be unique
    # NAME = "localhost"
    NAME = "coco"

    # Jumpserver project url, used by the api registration request; if Jumpserver is not running at 127.0.0.1:8080, modify it here
    # CORE_HOST = os.environ.get("CORE_HOST") or 'http://127.0.0.1:8080'
    CORE_HOST = 'http://127.0.0.1:8080'

    # The ip bound at startup, default 0.0.0.0
    # BIND_HOST = '0.0.0.0'

    # SSH port to listen on, default 2222
    # SSHD_PORT = 2222

    # HTTP/WS port to listen on, default 5000
    # HTTPD_PORT = 5000

    # The ACCESS KEY used by the project; by default it is obtained at registration and saved in ACCESS_KEY_STORE.
    # If needed it can be written in the configuration file, format access_key_id:access_key_secret
    # ACCESS_KEY = None

    # Where the ACCESS KEY is saved; by default it is written to this file after registration
    # ACCESS_KEY_STORE = os.path.join(BASE_DIR, 'keys', '.access_key')

    # Encryption key
    # SECRET_KEY = None

    # Set the log level ['DEBUG', 'INFO', 'WARN', 'ERROR', 'FATAL', 'CRITICAL']
    # LOG_LEVEL = 'INFO'
    LOG_LEVEL = 'WARN'

    # Directory where logs are stored
    # LOG_DIR = os.path.join(BASE_DIR, 'logs')

    # Session recording storage directory
    # SESSION_DIR = os.path.join(BASE_DIR, 'sessions')

    # Asset list sort key, ['ip', 'hostname']
    # ASSET_LIST_SORT_BY = 'ip'

    # Whether login supports password authentication
    # PASSWORD_AUTH = True

    # Whether login supports public key authentication
    # PUBLIC_KEY_AUTH = True

    # Heartbeat interval with Jumpserver
    # HEARTBEAT_INTERVAL = 5

    # Admin's name, shown to the user if something goes wrong
    # ADMINS = ''

    COMMAND_STORAGE = {"TYPE": "server"}
    REPLAY_STORAGE = {"TYPE": "server"}


config = Config()
```
```shell
# ./cocod start  # Use the -d parameter to run in the background: ./cocod start -d
```
After coco starts successfully, go to Session Management - Terminal Management in Jumpserver (http://IP address:8080/terminal/terminal/) and accept coco's registration.
Install the Web Terminal front-end: Luna
Luna is now a pure front-end and needs Nginx to be served and accessed
- Download and unpack Luna
```shell
# cd /opt
# wget https://github.com/jumpserver/luna/releases/download/1.3.3/luna.tar.gz
# tar xvf luna.tar.gz
# chown -R root:root luna
```
Install the Windows support component (skip this if you do not need it)
Because installing the guacamole component by hand is complicated, a packaged docker image is used here to start guacamole.
- Install Docker
```shell
# yum remove docker-latest-logrotate docker-logrotate docker-selinux docker-engine
# yum install -y yum-utils device-mapper-persistent-data lvm2
# yum-config-manager --add-repo http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
# rpm --import http://mirrors.aliyun.com/docker-ce/linux/centos/gpg
# yum makecache fast
# yum -y install docker-ce
```
- Start Guacamole
The port exposed by guacamole is 8081. If it conflicts with another port on the host, change it.
After it starts successfully, go to Session Management - Terminal Management in Jumpserver (http://IP address:8080/terminal/terminal/) and accept the registration whose name starts with [Gua].
```shell
# docker run --name jms_guacamole -d -p 8081:8080 -v /opt/guacamole/key:/config/guacamole/key -e JUMPSERVER_KEY_DIR=/config/guacamole/key -e JUMPSERVER_SERVER=http://IP address jumpserver/guacamole:latest
```
Configure Nginx to integrate components
- Install Nginx
```shell
# yum -y install nginx
```
- Configure Nginx
```shell
# vim /etc/nginx/nginx.conf
```
```nginx
... omitted

# Change the default server block to the following; leave the rest of the original content intact
server {
    listen 80;  # Proxy port; this is what will be accessed from now on instead of port 8080

    location /luna/ {
        try_files $uri / /index.html;
        alias /opt/luna/;  # luna path; if you change the installation directory, change it here too
    }

    location /media/ {
        add_header Content-Encoding gzip;
        root /opt/jumpserver/data/;  # Recording location; if you change the installation directory, change it here too
    }

    location /static/ {
        root /opt/jumpserver/data/;  # Static resources; if you change the installation directory, change it here too
    }

    location /socket.io/ {
        proxy_pass http://localhost:5000/socket.io/;  # If coco is installed on another server, fill in its ip
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    location /guacamole/ {
        proxy_pass http://localhost:8081/;  # If guacamole is installed on another server, fill in its ip
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
        client_max_body_size 100m;  # Windows file upload size limit
    }

    location / {
        proxy_pass http://localhost:8080;  # If jumpserver is installed on another server, fill in its ip
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

... omitted
```
- Run Nginx
```shell
# nginx -t  # Make sure the configuration has no problems; if it does, fix them first
# systemctl start nginx
# systemctl enable nginx
```
- Start using Jumpserver
Check that the applications are running properly
```shell
# cd /opt/jumpserver
# ./jms status  # Make sure jumpserver is running; if it is not, restart jumpserver
# cd /opt/coco
# ./cocod status  # Make sure coco is running; if it is not, restart coco
# If Guacamole is installed
# docker ps  # Check that the container is running normally; if it is not, restart Guacamole
```
Once all services are up, access Jumpserver through the Nginx proxy at http://ip; do not go through port 8080 anymore.
If an application's registration was not accepted during deployment, go to Session Management - Terminal Management in Jumpserver and accept the registrations of applications such as Coco and Guacamole.
Test connection
If the login client is macOS or Linux, the login syntax is as follows:
```shell
$ ssh -p2222 admin@<IP address>
$ sftp -P2222 admin@<IP address>
Password: admin
```
If the login client is Windows, the Xshell terminal login syntax is as follows:
```shell
$ ssh admin@<IP address> 2222
$ sftp admin@<IP address> 2222
Password: admin
```
If you can log in, the deployment is successful.
- The default sftp upload location is the asset's /tmp directory.
- For Windows assets, files dragged and dropped into the Guacamole RDP session land on the asset's G drive.