System: CentOS 7
Begin installation
[root@ c7-41 ~]# systemctl start firewalld
[root@ c7-41 ~]# firewall-cmd --zone=public --add-port=80/tcp --permanent # nginx port
success
[root@ c7-41 ~]# firewall-cmd --zone=public --add-port=2222/tcp --permanent # user SSH login port (koko)
success
# --permanent makes the rule persistent; without this flag the rule is lost after a restart
[root@ c7-41 ~]# firewall-cmd --reload # reload the rules
success
[root@ c7-41 ~]# setenforce 0
[root@ c7-41 ~]# sed -i "s/SELINUX=enforcing/SELINUX=disabled/g" /etc/selinux/config
Install dependency packages
[root@ c7-41 ~]# yum -y install wget gcc epel-release git
Install Redis. JumpServer uses Redis as its cache and Celery broker
[root@ c7-41 ~]# yum -y install redis
[root@ c7-41 ~]# systemctl enable redis
[root@ c7-41 ~]# systemctl start redis
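Install MySQL. If you are not using MySQL you can skip the MySQL installation and configuration steps; sqlite3, mysql, postgres and others are supported
[root@ c7-41 ~]# yum -y install mariadb mariadb-devel mariadb-server MariaDB-shared # called mariadb on CentOS 7; used the same way as mysql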
[root@ c7-41 ~]# systemctl enable mariadb
[root@ c7-41 ~]# systemctl start mariadb
Create the jumpserver database and grant privileges
[root@ c7-41 ~]# DB_PASSWORD=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 24` # generate a random database password
[root@ c7-41 ~]# echo -e "\033[31m 你的数据库密码是 $DB_PASSWORD \033[0m"
你的数据库密码是 iqKtyYn5I8yigag0vLp3P0UQ
[root@ c7-41 ~]# mysql -uroot -e "create database jumpserver default charset 'utf8' collate 'utf8_bin'; grant all on jumpserver.* to 'jumpserver'@'127.0.0.1' identified by '$DB_PASSWORD'; flush privileges;"
Install Nginx, used as the proxy server that ties JumpServer together with its components
[root@ c7-41 ~]# yum -y install nginx
[root@ c7-41 ~]# systemctl enable nginx
Install Python 3.6
[root@ c7-41 ~]# yum -y install python36 python36-devel
Configure and activate the Python 3 virtual environment
[root@ c7-41 ~]# cd /opt
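[root@ c7-41 opt]# python3.6 -m venv py3 # py3 is the virtual environment name; it can be customized
[root@ c7-41 opt]# source /opt/py3/bin/activate # use the deactivate command to leave the virtual environment
# The prompt below means it worked. From now on, always run the source command above before running JumpServer; all following commands are assumed to run inside this virtual environment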
(py3) [root@ c7-41 opt]#
Download JumpServer
(py3) [root@ c7-41 opt]# cd /opt/
(py3) [root@ c7-41 opt]# git clone --depth=1 https://github.com/jumpserver/jumpserver.git
Install the RPM dependencies
(py3) [root@ c7-41 opt]# yum -y install $(cat /opt/jumpserver/requirements/rpm_requirements.txt)
Install the Python library dependencies
(py3) [root@ c7-41 opt]# pip install wheel
  Downloading https://files.pythonhosted.org/packages/8c/23/848298cccf8e40f5bbb59009b32848a4c38f4e7f3364297ab3c3e2e2cd14/wheel-0.34.2-py2.py3-none-any.whl
Installing collected packages: wheel
Successfully installed wheel-0.34.2
# success
(py3) [root@ c7-41 opt]# pip install --upgrade pip setuptools
  Downloading https://files.pythonhosted.org/packages/54/2e/df11ea7e23e7e761d484ed3740285a34e38548cf2bad2bed3dd5768ec8b9/pip-20.1-py2.py3-none-any.whl (1.5MB)
    100% |████████████████████████████████| 1.5MB 66kB/s
Collecting setuptools
  Downloading https://files.pythonhosted.org/packages/a0/df/635cdb901ee4a8a42ec68e480c49f85f4c59e8816effbf57d9e6ee8b3588/setuptools-46.1.3-py3-none-any.whl (582kB)
    100% |████████████████████████████████| 583kB 92kB/s
Installing collected packages: pip, setuptools
  Found existing installation: pip 9.0.3
    Uninstalling pip-9.0.3:
      Successfully uninstalled pip-9.0.3
  Found existing installation: setuptools 39.2.0
    Uninstalling setuptools-39.2.0:
      Successfully uninstalled setuptools-39.2.0
Successfully installed pip-20.1 setuptools-46.1.3
# success; if it errors, retry a few times
(py3) [root@ c7-41 opt]# pip install -r /opt/jumpserver/requirements/requirements.txt -i https://pypi.tuna.tsinghua.edu.cn/simple
# If the command above reports errors
(py3) [root@ localhost opt]# vim /opt/jumpserver/requirements/requirements.txt # open the file
(py3) [root@ localhost opt]# cat /opt/jumpserver/requirements/requirements.txt
amqp==2.1.4
ansible==2.8.2
asn1crypto==0.24.0
bcrypt==3.1.4
billiard==3.5.0.3
boto3==1.12.14
botocore==1.15.26
celery==4.1.1
certifi==2018.1.18
cffi==1.13.2
chardet==3.0.4
configparser==3.5.0
coreapi==2.3.3
coreschema==0.0.4
cryptography==2.8
decorator==4.1.2
Django==2.2.10
django-auth-ldap==1.7.0
django-bootstrap3==9.1.0
django-celery-beat==1.4.0
django-filter==2.0.0
django-formtools==2.1
django-ranged-response==0.2.0
django-redis-cache==1.7.1
django-rest-swagger==2.1.2
django-simple-captcha==0.5.6
django-timezone-field==3.1
djangorestframework==3.9.4
djangorestframework-bulk==0.2.1
docutils==0.14
ecdsa==0.13.3
enum-compat==0.0.2
ephem==3.7.6.0
eventlet==0.24.1
future==0.16.0
ForgeryPy==0.1
greenlet==0.4.14
gunicorn==19.9.0
idna==2.6
itsdangerous==0.24
itypes==1.1.0
Jinja2==2.10.1
jmespath==0.9.3
kombu==4.2.1
ldap3==2.4
MarkupSafe==1.1.1
mysqlclient==1.3.14
olefile==0.44
openapi-codec==1.3.2
paramiko==2.4.2
passlib==1.7.1
Pillow==6.2.0
pyasn1==0.4.8
pycparser==2.19
pycrypto==2.6.1
pyotp==2.2.6
PyNaCl==1.2.1
python-dateutil==2.6.1
#python-gssapi==0.6.4
pytz==2018.3
PyYAML==5.1
redis==2.10.6
requests==2.22.0
jms-storage==0.0.29
s3transfer==0.3.3
simplejson==3.13.2
six==1.11.0
sshpubkeys==3.1.0
uritemplate==3.0.0
urllib3==1.25.2
vine==1.1.4
drf-yasg==1.9.1
Werkzeug==0.15.3
drf-nested-routers==0.91
aliyun-python-sdk-core-v3==2.9.1
aliyun-python-sdk-ecs==4.10.1
python-keycloak==0.13.3
#python-keycloak-client==0.1.3
rest_condition==1.0.3
python-ldap==3.1.0
tencentcloud-sdk-python==3.0.40
django-radius==1.4.0
ipip-ipdb==1.2.1
django-redis-sessions==0.6.1
unicodecsv==0.14.1
python-daemon==2.2.3
httpsig==1.3.0
treelib==1.5.3
django-proxy==1.2.1
flower==0.9.3
channels-redis==2.4.0
channels==2.3.0
daphne==2.3.0
psutil==5.6.5
django-cas-ng==4.0.1
python-cas==1.5.0
ipython
#huaweicloud-sdk-python==1.0.21
django-redis==4.11.0
python-redis-lock==3.5.0
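When I did this myself, this step reported errors, so we comment out the packages that fail and then install them one step at a time. As you can see above, three are commented out.
Install them separately here. If an install fails, switch to another mirror or retry a few times.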
(py3) [root@ localhost opt]# pip install huaweicloud-sdk-python==1.0.21 -i https://pypi.douban.com/simple/
Looking in indexes: https://pypi.douban.com/simple/
Collecting huaweicloud-sdk-python==1.0.21
  Downloading https://pypi.doubanio.com/packages/65/3f/aa5517e04412be21b636f8058e0265b9f7085b9794c62dceb64fbed6e426/huaweicloud-sdk-python-1.0.21.tar.gz (662 kB)
     |████████████████████████████████| 662 kB 1.1 MB/s
Collecting pbr!=2.1.0,>=2.0.0
  Downloading https://pypi.doubanio.com/packages/96/ba/aa953a11ec014b23df057ecdbc922fdb40ca8463466b1193f3367d2711a6/pbr-5.4.5-py2.py3-none-any.whl (110 kB)
     |████████████████████████████████| 110 kB 1.3 MB/s
Requirement already satisfied: six>=1.9.0 in ./py3/lib/python3.6/site-packages (from huaweicloud-sdk-python==1.0.21) (1.11.0)
Collecting stevedore>=1.20.0
  Downloading https://pypi.doubanio.com/packages/e6/49/a35dd566626892d577e426dbe5ea424dd7fbe10645f2c1070dcba474eca9/stevedore-1.32.0-py2.py3-none-any.whl (43 kB)
     |████████████████████████████████| 43 kB 1.0 MB/s
Collecting keystoneauth1<=3.4.0,>=3.0.0
  Downloading https://pypi.doubanio.com/packages/bc/dd/bd88049a5df70d4e23f9a82be35f5470c2f6e4bbc60d1fead0cc92e0470e/keystoneauth1-3.4.0-py2.py3-none-any.whl (282 kB)
     |████████████████████████████████| 282 kB 503 kB/s
Collecting deprecation>=1.0
  Downloading https://pypi.doubanio.com/packages/02/c3/253a89ee03fc9b9682f1541728eb66db7db22148cd94f89ab22528cd1e1b/deprecation-2.1.0-py2.py3-none-any.whl (11 kB)
Collecting iso8601>=0.1.11
  Downloading https://pypi.doubanio.com/packages/ef/57/7162609dab394d38bbc7077b7ba0a6f10fb09d8b7701ea56fa1edc0c4345/iso8601-0.1.12-py2.py3-none-any.whl (12 kB)
Requirement already satisfied: requests>=2.14.2 in ./py3/lib/python3.6/site-packages (from keystoneauth1<=3.4.0,>=3.0.0->huaweicloud-sdk-python==1.0.21) (2.22.0)
Collecting packaging
  Downloading https://pypi.doubanio.com/packages/62/0a/34641d2bf5c917c96db0ded85ae4da25b6cd922d6b794648d4e7e07c88e5/packaging-20.3-py2.py3-none-any.whl (37 kB)
Requirement already satisfied: chardet<3.1.0,>=3.0.2 in ./py3/lib/python3.6/site-packages (from requests>=2.14.2->keystoneauth1<=3.4.0,>=3.0.0->huaweicloud-sdk-python==1.0.21) (3.0.4)
Requirement already satisfied: idna<2.9,>=2.5 in ./py3/lib/python3.6/site-packages (from requests>=2.14.2->keystoneauth1<=3.4.0,>=3.0.0->huaweicloud-sdk-python==1.0.21) (2.6)
Requirement already satisfied: urllib3!=1.25.0,!=1.25.1,<1.26,>=1.21.1 in ./py3/lib/python3.6/site-packages (from requests>=2.14.2->keystoneauth1<=3.4.0,>=3.0.0->huaweicloud-sdk-python==1.0.21) (1.25.2)
Requirement already satisfied: certifi>=2017.4.17 in ./py3/lib/python3.6/site-packages (from requests>=2.14.2->keystoneauth1<=3.4.0,>=3.0.0->huaweicloud-sdk-python==1.0.21) (2018.1.18)
Collecting pyparsing>=2.0.2
  Downloading https://pypi.doubanio.com/packages/8a/bb/488841f56197b13700afd5658fc279a2025a39e22449b7cf29864669b15d/pyparsing-2.4.7-py2.py3-none-any.whl (67 kB)
     |████████████████████████████████| 67 kB 316 kB/s
Building wheels for collected packages: huaweicloud-sdk-python
  Building wheel for huaweicloud-sdk-python (setup.py) ... done
  Created wheel for huaweicloud-sdk-python: filename=huaweicloud_sdk_python-1.0.21-py2.py3-none-any.whl size=1275565 sha256=a744bd4da805ffd057d09b221f64ae126f3c7594d7178bee73b884a7de05be60
  Stored in directory: /root/.cache/pip/wheels/f6/db/27/860bbbc795f2b8124ef258e4839085e01c802e96aa023ac830
Successfully built huaweicloud-sdk-python
Installing collected packages: pbr, stevedore, iso8601, keystoneauth1, pyparsing, packaging, deprecation, huaweicloud-sdk-python
Successfully installed deprecation-2.1.0 huaweicloud-sdk-python-1.0.21 iso8601-0.1.12 keystoneauth1-3.4.0 packaging-20.3 pbr-5.4.5 pyparsing-2.4.7 stevedore-1.32.0
Install the second commented-out package
(py3) [root@ localhost opt]# pip install python-keycloak-client==0.1.3 -i https://pypi.douban.com/simple/
Looking in indexes: https://pypi.douban.com/simple/
Collecting python-keycloak-client==0.1.3
  Downloading https://pypi.doubanio.com/packages/17/0c/931050f9daf0ed619434780375b53d77d5037873ec64c69d7582ea46438f/python-keycloak-client-0.1.3.tar.gz (8.9 kB)
Requirement already satisfied: requests in ./py3/lib/python3.6/site-packages (from python-keycloak-client==0.1.3) (2.22.0)
Requirement already satisfied: python-jose in ./py3/lib/python3.6/site-packages (from python-keycloak-client==0.1.3) (3.1.0)
Requirement already satisfied: idna<2.9,>=2.5 in ./py3/lib/python3.6/site-packages (from requests->python-keycloak-client==0.1.3) (2.6)
Requirement already satisfied: urllib3!=1.25.0,!=1.25.1,<1.26,>=1.21.1 in ./py3/lib/python3.6/site-packages (from requests->python-keycloak-client==0.1.3) (1.25.2)
Requirement already satisfied: certifi>=2017.4.17 in ./py3/lib/python3.6/site-packages (from requests->python-keycloak-client==0.1.3) (2018.1.18)
Requirement already satisfied: chardet<3.1.0,>=3.0.2 in ./py3/lib/python3.6/site-packages (from requests->python-keycloak-client==0.1.3) (3.0.4)
Requirement already satisfied: pyasn1 in ./py3/lib/python3.6/site-packages (from python-jose->python-keycloak-client==0.1.3) (0.4.8)
Requirement already satisfied: rsa in ./py3/lib/python3.6/site-packages (from python-jose->python-keycloak-client==0.1.3) (4.0)
Requirement already satisfied: ecdsa<1.0 in ./py3/lib/python3.6/site-packages (from python-jose->python-keycloak-client==0.1.3) (0.13.3)
Requirement already satisfied: six<2.0 in ./py3/lib/python3.6/site-packages (from python-jose->python-keycloak-client==0.1.3) (1.11.0)
Building wheels for collected packages: python-keycloak-client
  Building wheel for python-keycloak-client (setup.py) ... done
  Created wheel for python-keycloak-client: filename=python_keycloak_client-0.1.3-py3-none-any.whl size=12977 sha256=8e277766aea1d90d09919d4c81f4ae39b2ed6cae5b5a5108e15822b138be0558
  Stored in directory: /root/.cache/pip/wheels/6e/fb/76/8e821b80e9ec21d0f2d4a9a08c22f0e86e467f8f31dc3ddad0
Successfully built python-keycloak-client
Installing collected packages: python-keycloak-client
Successfully installed python-keycloak-client-0.1.3
Install the third commented-out package
(py3) [root@ localhost opt]# pip install python-gssapi==0.6.4 -i https://pypi.douban.com/simple/
Looking in indexes: https://pypi.douban.com/simple/
Collecting python-gssapi==0.6.4
  Downloading https://pypi.doubanio.com/packages/a4/9e/648b4e85235097edcee561c986f7075cb1606be24c514cfcdd2930e35c5e/python-gssapi-0.6.4.tar.gz (28 kB)
Requirement already satisfied: cffi>=0.8 in ./py3/lib/python3.6/site-packages (from python-gssapi==0.6.4) (1.13.2)
Requirement already satisfied: six>=1.5.0 in ./py3/lib/python3.6/site-packages (from python-gssapi==0.6.4) (1.11.0)
Requirement already satisfied: pyasn1>=0.1.2 in ./py3/lib/python3.6/site-packages (from python-gssapi==0.6.4) (0.4.8)
Requirement already satisfied: pycparser in ./py3/lib/python3.6/site-packages (from cffi>=0.8->python-gssapi==0.6.4) (2.19)
Building wheels for collected packages: python-gssapi
  Building wheel for python-gssapi (setup.py) ... done
  Created wheel for python-gssapi: filename=python_gssapi-0.6.4-cp36-cp36m-linux_x86_64.whl size=105096 sha256=e5f0e6ef183d6d6ce8736b8d4b5a365ade87a46def1d53189147107ba01f0c18
  Stored in directory: /root/.cache/pip/wheels/6e/93/93/2bfcdc3beef0bacd66f02124348a7224f81aea907cceb0a9c6
Successfully built python-gssapi
Installing collected packages: python-gssapi
Successfully installed python-gssapi-0.6.4
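Temporary method: choose a mirror per command
Alibaba Cloud: https://mirrors.aliyun.com/pypi/simple/
University of Science and Technology of China: https://pypi.mirrors.ustc.edu.cn/simple/
Douban: https://pypi.douban.com/simple/
Tsinghua University: https://pypi.tuna.tsinghua.edu.cn/simple/
University of Science and Technology of China: http://pypi.mirrors.ustc.edu.cn/simple/
Huazhong University of Science and Technology: http://pypi.hustunique.com/
Shandong University of Technology: http://pypi.sdutlinux.org/
To use one, pass -i followed by the URL, as in this install: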
pip install jupyter -i https://pypi.tuna.tsinghua.edu.cn/simple
Edit the JumpServer configuration file
(py3) [root@ localhost opt]# cd /opt/jumpserver/
(py3) [root@ localhost jumpserver]# \cp config_example.yml config.yml
Generate a random SECRET_KEY
(py3) [root@ localhost jumpserver]# SECRET_KEY=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 50`
(py3) [root@ localhost jumpserver]# echo "SECRET_KEY=$SECRET_KEY" >> ~/.bashrc
Generate a random BOOTSTRAP_TOKEN
(py3) [root@ localhost jumpserver]# BOOTSTRAP_TOKEN=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 16`
(py3) [root@ localhost jumpserver]# echo "BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN" >> ~/.bashrc
(py3) [root@ localhost jumpserver]# sed -i "s/SECRET_KEY:/SECRET_KEY: $SECRET_KEY/g" /opt/jumpserver/config.yml
(py3) [root@ localhost jumpserver]# sed -i "s/BOOTSTRAP_TOKEN:/BOOTSTRAP_TOKEN: $BOOTSTRAP_TOKEN/g" /opt/jumpserver/config.yml
(py3) [root@ localhost jumpserver]# sed -i "s/# DEBUG: true/DEBUG: false/g" /opt/jumpserver/config.yml
(py3) [root@ localhost jumpserver]# sed -i "s/# LOG_LEVEL: DEBUG/LOG_LEVEL: ERROR/g" /opt/jumpserver/config.yml
(py3) [root@ localhost jumpserver]# sed -i "s/# SESSION_EXPIRE_AT_BROWSER_CLOSE: false/SESSION_EXPIRE_AT_BROWSER_CLOSE: true/g" /opt/jumpserver/config.yml
(py3) [root@ localhost jumpserver]# sed -i "s/DB_PASSWORD: /DB_PASSWORD: $DB_PASSWORD/g" /opt/jumpserver/config.yml
(py3) [root@ localhost jumpserver]# echo -e "\033[31m 你的SECRET_KEY是 $SECRET_KEY \033[0m"
你的SECRET_KEY是 RCyH7r54Giok6fe5psiS1oKnqjKpRRBzG7TNbQLnfQaXWBTGqr
(py3) [root@ localhost jumpserver]# echo -e "\033[31m 你的BOOTSTRAP_TOKEN是 $BOOTSTRAP_TOKEN \033[0m"
你的BOOTSTRAP_TOKEN是 ReeWAmsSlz6CGb31
Make sure the configuration file is correct:
(py3) [root@ localhost jumpserver]# cat /opt/jumpserver/config.yml
# SECURITY WARNING: keep the secret key used in production secret!
# Encryption key. In production change it to a random string and do not leak it; it can be generated with the command
# $ cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 49;echo
SECRET_KEY: RCyH7r54Giok6fe5psiS1oKnqjKpRRBzG7TNbQLnfQaXWBTGqr RCyH7r54Giok6fe5psiS1oKnqjKpRRBzG7TNbQLnfQaXWBTGqr
# SECURITY WARNING: keep the bootstrap token used in production secret!
# Pre-shared token that coco and guacamole use to register their service accounts; the old register-and-accept mechanism is no longer used
BOOTSTRAP_TOKEN: ReeWAmsSlz6CGb31 ReeWAmsSlz6CGb31
# Development env open this, when error occur display the full process track, Production disable it
# DEBUG mode. With DEBUG on, more log output is shown when an error occurs
DEBUG: false
# DEBUG, INFO, WARNING, ERROR, CRITICAL can set. See https://docs.djangoproject.com/en/1.10/topics/logging/
# Log level
LOG_LEVEL: ERROR
# LOG_DIR:
# Session expiration setting, Default 24 hour, Also set expired on on browser close
# Browser session expiry time, 24 hours by default; can also be set to expire when the browser closes
# SESSION_COOKIE_AGE: 86400
SESSION_EXPIRE_AT_BROWSER_CLOSE: true
# Database setting, Support sqlite3, mysql, postgres ....
# Database settings
# See https://docs.djangoproject.com/en/1.10/ref/settings/#databases
# SQLite setting:
# Use a single-file sqlite database
# DB_ENGINE: sqlite3
# DB_NAME:
# MySQL or postgres setting like:
# Use MySQL as the database
DB_ENGINE: mysql
DB_HOST: 127.0.0.1
DB_PORT: 3306
DB_USER: jumpserver
DB_PASSWORD: AvMLJxreyg7nss1eL2dtUkWzAvMLJxreyg7nss1eL2dtUkWz
DB_NAME: jumpserver
# When Django start it will bind this host and port
# ./manage.py runserver 127.0.0.1:8080
# Port to bind at runtime
HTTP_BIND_HOST: 0.0.0.0
HTTP_LISTEN_PORT: 8080
WS_LISTEN_PORT: 8070
# Use Redis as broker for celery and web socket
# Redis settings
REDIS_HOST: 127.0.0.1
REDIS_PORT: 6379
# REDIS_PASSWORD:
# REDIS_DB_CELERY: 3
# REDIS_DB_CACHE: 4
# Use OpenID authorization
# Settings for authenticating with OpenID
# BASE_SITE_URL: http://localhost:8080
# AUTH_OPENID: false # True or False
# AUTH_OPENID_SERVER_URL: https://openid-auth-server.com/
# AUTH_OPENID_REALM_NAME: realm-name
# AUTH_OPENID_CLIENT_ID: client-id
# AUTH_OPENID_CLIENT_SECRET: client-secret
# AUTH_OPENID_IGNORE_SSL_VERIFICATION: True
# AUTH_OPENID_SHARE_SESSION: True
# Use Radius authorization
# Authenticate with Radius
# AUTH_RADIUS: false
# RADIUS_SERVER: localhost
# RADIUS_PORT: 1812
# RADIUS_SECRET:
# CAS settings
# AUTH_CAS': False,
# CAS_SERVER_URL': "http://host/cas/",
# CAS_ROOT_PROXIED_AS': 'http://jumpserver-host:port',
# CAS_LOGOUT_COMPLETELY': True,
# CAS_VERSION': 3,
# LDAP/AD settings
# LDAP search page size
# AUTH_LDAP_SEARCH_PAGED_SIZE: 1000
#
# Periodic user sync
# Enable / disable
# AUTH_LDAP_SYNC_IS_PERIODIC: True
# Sync interval (unit: hours) (takes precedence)
# AUTH_LDAP_SYNC_INTERVAL: 12
# Crontab expression
# AUTH_LDAP_SYNC_CRONTAB: * 6 * * *
#
# On LDAP login, only users in the user list may authenticate against the LDAP server
# AUTH_LDAP_USER_LOGIN_ONLY_IN_USERS: False
#
# If the following message appears in the log during LDAP authentication, set this parameter to 0 (see https://www.python-ldap.org/en/latest/faq.html)
# In order to perform this operation a successful bind must be completed on the connection
# AUTH_LDAP_OPTIONS_OPT_REFERRALS: -1
# OTP settings
# OTP/MFA settings
# OTP_VALID_WINDOW: 0
# OTP_ISSUER_NAME: Jumpserver
# Perm show single asset to ungrouped node
# Whether to place assets of unauthorized nodes into the "ungrouped" node
# PERM_SINGLE_ASSET_TO_UNGROUP_NODE: false
#
# Enable periodic tasks
# PERIOD_TASK_ENABLE: True
#
# Enable login confirmation (second-step authentication)
# LOGIN_CONFIRM_ENABLE: False
#
# Skip manual password entry for Windows logins
# WINDOWS_SKIP_ALL_MANUAL_PASSWORD: False
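In the config.yml shown above, SECRET_KEY and BOOTSTRAP_TOKEN each appear twice on their line and DB_PASSWORD is 48 characters instead of the 24 that were generated, which is what the sed substitutions produce when they are run a second time against an already-edited file. The following is an added example, not part of the original post or of JumpServer: it puts the page's substitution next to an idempotent replacement and a length check. The function names and the sample file are assumptions made for the illustration.

```shell
#!/usr/bin/env bash
# Added example (hypothetical helper names; sample config is constructed).

# The page's approach: substitute on the key prefix. A second run matches the
# already-filled line and inserts the value again.
naive_set() {  # naive_set FILE KEY VALUE
    sed "s/$2:/$2: $3/g" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Idempotent form: rewrite the whole "KEY: ..." line. An active line is
# preferred; if there is none, the commented-out default "# KEY: ..." is used.
set_config_key() {  # set_config_key FILE KEY VALUE
    local file=$1 key=$2 value=$3 tmp prefix=""
    grep -q "^${key}:" "$file" || prefix="# "
    # mktemp creates the file with mode 0600, which suits a file holding secrets
    tmp=$(mktemp "${file}.XXXXXX") || return 1
    K="$key" V="$value" P="$prefix" awk '
        !hit && index($0, ENVIRON["P"] ENVIRON["K"] ":") == 1 {
            print ENVIRON["K"] ": " ENVIRON["V"]; hit = 1; next
        }
        { print }
        END { exit (hit ? 0 : 1) }   # fail if the key is not in the file at all
    ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    mv "$tmp" "$file"
}

# Print the value of the active KEY line.
config_value() {  # config_value FILE KEY
    sed -n "s/^$2:[[:space:]]*//p" "$1" | head -n 1
}

# Succeed only if KEY's value is exactly N characters, the length the page
# generates with "head -c N" (24 for DB_PASSWORD, 50 for SECRET_KEY, 16 for
# BOOTSTRAP_TOKEN). A doubled value fails this check.
check_length() {  # check_length FILE KEY N
    local v
    v=$(config_value "$1" "$2")
    [ "${#v}" -eq "$3" ]
}

# Run each setter twice on a constructed sample and print
# "<naive result>|<idempotent result>".
demo_rerun() {
    local dir a b
    dir=$(mktemp -d) || return 1
    a="$dir/naive.yml"; b="$dir/fixed.yml"
    printf '%s\n' \
        '# SECURITY WARNING: keep the secret key used in production secret!' \
        'SECRET_KEY:' '# DEBUG: true' 'DB_PASSWORD: ' > "$a"
    cp "$a" "$b"
    naive_set "$a" SECRET_KEY EXAMPLEKEY;      naive_set "$a" SECRET_KEY EXAMPLEKEY
    set_config_key "$b" SECRET_KEY EXAMPLEKEY; set_config_key "$b" SECRET_KEY EXAMPLEKEY
    printf '%s|%s\n' "$(config_value "$a" SECRET_KEY)" "$(config_value "$b" SECRET_KEY)"
    rm -rf "$dir"
}

demo_rerun
```

Running check_length against the real /opt/jumpserver/config.yml before the first ./jms start catches a doubled value without printing the secret itself.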
Run JumpServer
# Use the -d flag to run in the background: ./jms start -d
# Newer versions updated the run script. Usage: ./jms start|stop|status all; add -d to run in the background
#cd /opt/jumpserver
#./jms start -d
# Normal installation
(py3) [root@ localhost jumpserver]# wget -O /usr/lib/systemd/system/jms.service https://demo.jumpserver.org/download/shell/centos/jms.service
--2020-04-30 22:09:52-- https://demo.jumpserver.org/download/shell/centos/jms.service
Resolving demo.jumpserver.org (demo.jumpserver.org)... 47.98.186.19
Connecting to demo.jumpserver.org (demo.jumpserver.org)|47.98.186.19|:443... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: http://134.175.107.119/download/shell/centos/jms.service [following]
--2020-04-30 22:09:54-- http://134.175.107.119/download/shell/centos/jms.service
Connecting to 134.175.107.119:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 491 [application/octet-stream]
Saving to: ‘/usr/lib/systemd/system/jms.service’
100%[===========================================>] 491 --.-K/s in 0s
2020-04-30 22:09:54 (86.7 MB/s) - ‘/usr/lib/systemd/system/jms.service’ saved [491/491]
(py3) [root@ localhost jumpserver]# chmod 755 /usr/lib/systemd/system/jms.service
(py3) [root@ localhost jumpserver]# systemctl daemon-reload
(py3) [root@ localhost jumpserver]# systemctl enable jms
Created symlink from /etc/systemd/system/multi-user.target.wants/jms.service to /usr/lib/systemd/system/jms.service.
# If you see the error below at startup, don't panic; read on
(py3) [root@ localhost jumpserver]# ./jms start -d
2020-04-30 22:32:38 Thu Apr 30 22:32:38 2020
2020-04-30 22:32:38 Jumpserver version 1.5.8, more see https://www.jumpserver.or
- Start Gunicorn WSGI HTTP Server
2020-04-30 22:32:38 Check database connection ...
Traceback (most recent call last):
  File "/opt/py3/lib64/python3.6/site-packages/django/db/backends/base/base.py", 217, in ensure_connection
    self.connect()
  File "/opt/py3/lib64/python3.6/site-packages/django/db/backends/base/base.py", 195, in connect
    self.connection = self.get_new_connection(conn_params)
  File "/opt/py3/lib64/python3.6/site-packages/django/db/backends/mysql/base.py"e 227, in get_new_connection
    return Database.connect(**conn_params)
  File "/opt/py3/lib64/python3.6/site-packages/MySQLdb/__init__.py", line 85, inect
    return Connection(*args, **kwargs)
  File "/opt/py3/lib64/python3.6/site-packages/MySQLdb/connections.py", line 208__init__
    super(Connection, self).__init__(*args, **kwargs2)
[root@ localhost ~]# cd /opt/jumpserver/
[root@ localhost jumpserver]# rm -f config.yml # delete the configuration file
[root@ localhost jumpserver]# mysql -e "drop database jumpserver;" # drop the database
# Create the jumpserver database and grant privileges
[root@ localhost jumpserver]# DB_PASSWORD=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 24`
[root@ localhost jumpserver]# echo -e "\033[31m 你的数据库密码是 $DB_PASSWORD \033[0m"
你的数据库密码是 cikcxnmJp8OLz80xvrfi4kvP
[root@ localhost jumpserver]# mysql -uroot -e "create database jumpserver default charset 'utf8' collate 'utf8_bin'; grant all on jumpserver.* to 'jumpserver'@'127.0.0.1' identified by '$DB_PASSWORD'; flush privileges;"
# Configure and activate the python3 virtual environment
[root@ localhost ~]# cd /opt/
# py3 is the virtual environment name; it can be customized
[root@ localhost opt]# python3.6 -m venv py3
[root@ localhost opt]# source /opt/py3/bin/activate
# Use the deactivate command to leave the virtual environment
# The prompt below means it worked. From now on, always run the source command above before running JumpServer; all following commands are assumed to run inside this virtual environment
(py3) [root@ localhost opt]#
# Delete the keys
(py3) [root@ localhost opt]# vim ~/.bashrc
# Edit the JumpServer configuration file
(py3) [root@ localhost opt]# cd /opt/jumpserver/
(py3) [root@ localhost jumpserver]# \cp config_example.yml config.yml
(py3) [root@ localhost jumpserver]# SECRET_KEY=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 50`
(py3) [root@ localhost jumpserver]# echo "SECRET_KEY=$SECRET_KEY" >> ~/.bashrc
(py3) [root@ localhost jumpserver]# BOOTSTRAP_TOKEN=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 16`
(py3) [root@ localhost jumpserver]# echo "BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN" >> ~/.bashrc
(py3) [root@ localhost jumpserver]# sed -i "s/SECRET_KEY:/SECRET_KEY: $SECRET_KEY/g" /opt/jumpserver/config.yml
(py3) [root@ localhost jumpserver]# sed -i "s/BOOTSTRAP_TOKEN:/BOOTSTRAP_TOKEN: $BOOTSTRAP_TOKEN/g" /opt/jumpserver/config.yml
(py3) [root@ localhost jumpserver]# sed -i "s/# DEBUG: true/DEBUG: false/g" /opt/jumpserver/config.yml
(py3) [root@ localhost jumpserver]# sed -i "s/# LOG_LEVEL: DEBUG/LOG_LEVEL: ERROR/g" /opt/jumpserver/config.yml
(py3) [root@ localhost jumpserver]# sed -i "s/# SESSION_EXPIRE_AT_BROWSER_CLOSE: false/SESSION_EXPIRE_AT_BROWSER_CLOSE: true/g" /opt/jumpserver/config.yml
(py3) [root@ localhost jumpserver]# sed -i "s/DB_PASSWORD: /DB_PASSWORD: $DB_PASSWORD/g" /opt/jumpserver/config.yml
(py3) [root@ localhost jumpserver]# echo -e "\033[31m 你的SECRET_KEY是 $SECRET_KEY \033[0m"
你的SECRET_KEY是 RCyH7r54Giok6fe5psiS1oKnqjKpRRBzG7TNbQLnfQaXWBTGqr
(py3) [root@ localhost jumpserver]# echo -e "\033[31m 你的BOOTSTRAP_TOKEN是 $BOOTSTRAP_TOKEN \033[0m"
你的BOOTSTRAP_TOKEN是 ReeWAmsSlz6CGb31
# Check for errors and whether it starts normally
./jms start -d
# Get the IP
(py3) [root@ localhost opt]# Server_IP=`ip addr | grep 'state UP' -A2 | grep inet | egrep -v '(127.0.0.1|inet6|docker)' | awk '{print $2}' | tr -d "addr:" | head -n 1 | cut -d / -f1`
(py3) [root@ localhost opt]# echo -e "\033[31m 你的服务器IP是 $Server_IP \033[0m"
你的服务器IP是 10.0.0.41
# Run the containers
(py3) [root@ localhost opt]# docker ps -a
CONTAINER ID   IMAGE                            COMMAND             CREATED       STATUS       PORTS                                              NAMES
db92c8a789b2   jumpserver/jms_guacamole:1.5.8   "./entrypoint.sh"   3 hours ago   Up 3 hours   127.0.0.1:8081->8080/tcp                           jms_guacamole
d894800cbbf6   jumpserver/jms_koko:1.5.8        "./entrypoint.sh"   3 hours ago   Up 3 hours   0.0.0.0:2222->2222/tcp, 127.0.0.1:5000->5000/tcp   jms_koko
(py3) [root@ localhost opt]# docker rm -f <container>
(py3) [root@ localhost jumpserver]# docker run --name jms_koko -d -p 2222:2222 -p 127.0.0.1:5000:5000 -e CORE_HOST=http://$Server_IP:8080 -e BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN -e LOG_LEVEL=ERROR --restart=always jumpserver/jms_koko:1.5.8
(py3) [root@ localhost jumpserver]# docker run --name jms_guacamole -d -p 127.0.0.1:8081:8080 -e JUMPSERVER_SERVER=http://$Server_IP:8080 -e BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN -e GUACAMOLE_LOG_LEVEL=ERROR --restart=always jumpserver/jms_guacamole:1.5.8
# After troubleshooting, continue and run:
(py3) [root@ localhost jumpserver]# ./jms start -d
2020-04-30 23:41:06 Thu Apr 30 23:41:06 2020
2020-04-30 23:41:06 Jumpserver version 1.5.8, more see https://www.jumpserver.org
- Start Gunicorn WSGI HTTP Server
2020-04-30 23:41:06 Check database connection ...
users
 [ ] 0001_initial
 [ ] 0002_auto_20171225_1157_squashed_0019_auto_20190304_1459 (18 squashed migrations)
 [ ] 0020_auto_20190612_1825
 [ ] 0021_auto_20190625_1104
 [ ] 0022_auto_20190625_1105
 [ ] 0023_auto_20190724_1525
 [ ] 0024_auto_20191118_1612
 [ ] 0025_auto_20200206_1216
2020-04-30 23:41:09 Database connect success
2020-04-30 23:41:09 Check database structure change ...
2020-04-30 23:41:09 Migrate model change to database ...
Operations to perform:
  Apply all migrations: admin, applications, assets, audits, auth, authentication, captcha, common, contenttypes, django_cas_ng, django_celery_beat, ops, orgs, perms, sessions, settings, terminal, tickets, users
Running migrations:
  Applying contenttypes.0001_initial... OK
  Applying contenttypes.0002_remove_content_type_name... OK
  Applying auth.0001_initial... OK
  Applying auth.0002_alter_permission_name_max_length... OK
  Applying auth.0003_alter_user_email_max_length... OK
  Applying auth.0004_alter_user_username_opts... OK
  Applying auth.0005_alter_user_last_login_null... OK
  Applying auth.0006_require_contenttypes_0002... OK
  Applying auth.0007_alter_validators_add_error_messages... OK
  Applying auth.0008_alter_user_username_max_length... OK
  Applying users.0001_initial... OK
  Applying admin.0001_initial... OK
  Applying admin.0002_logentry_remove_auto_add... OK
  Applying admin.0003_logentry_add_action_flag_choices... OK
  Applying users.0002_auto_20171225_1157_squashed_0019_auto_20190304_1459... OK
  Applying assets.0001_initial... OK
  Applying perms.0001_initial... OK
  Applying assets.0002_auto_20180105_1807_squashed_0009_auto_20180307_1212... OK
  Applying assets.0010_auto_20180307_1749_squashed_0019_auto_20180816_1320... OK
  Applying perms.0002_auto_20171228_0025_squashed_0009_auto_20180903_1132... OK
  Applying perms.0003_action... OK
  Applying perms.0004_assetpermission_actions... OK
  Applying assets.0020_auto_20180816_1652... OK
  Applying assets.0021_auto_20180903_1132... OK
  Applying assets.0022_auto_20181012_1717... OK
  Applying assets.0023_auto_20181016_1650... OK
  Applying assets.0024_auto_20181219_1614... OK
  Applying assets.0025_auto_20190221_1902... OK
  Applying assets.0026_auto_20190325_2035... OK
  Applying applications.0001_initial... OK
  Applying perms.0005_auto_20190521_1619... OK
  Applying perms.0006_auto_20190628_1921... OK
  Applying perms.0007_remove_assetpermission_actions... OK
  Applying perms.0008_auto_20190911_1907... OK
  Applying assets.0027_auto_20190521_1703... OK
  Applying assets.0028_protocol... OK
  Applying assets.0029_auto_20190522_1114... OK
  Applying assets.0030_auto_20190619_1135... OK
  Applying assets.0031_auto_20190621_1332... OK
  Applying assets.0032_auto_20190624_2108... OK
  Applying assets.0033_auto_20190624_2108... OK
  Applying assets.0034_auto_20190705_1348... OK
  Applying assets.0035_auto_20190711_2018... OK
  Applying assets.0036_auto_20190716_1535... OK
  Applying assets.0037_auto_20190724_2002... OK
  Applying assets.0038_auto_20190911_1634... OK
  Applying perms.0009_remoteapppermission_system_users... OK
  Applying applications.0002_remove_remoteapp_system_user... OK
  Applying applications.0003_auto_20191210_1659... OK
  Applying applications.0004_auto_20191218_1705... OK
  Applying assets.0039_authbook_is_active... OK
  Applying assets.0040_auto_20190917_2056... OK
  Applying assets.0041_gathereduser... OK
  Applying assets.0042_favoriteasset... OK
  Applying assets.0043_auto_20191114_1111... OK
  Applying assets.0044_platform... OK
  Applying assets.0045_auto_20191206_1607... OK
  Applying assets.0046_auto_20191218_1705... OK
  Applying assets.0047_assetuser... OK
  Applying assets.0048_auto_20191230_1512... OK
  Applying assets.0049_systemuser_sftp_root... OK
  Applying audits.0001_initial... OK
  Applying audits.0002_ftplog_org_id... OK
  Applying audits.0003_auto_20180816_1652... OK
  Applying audits.0004_operatelog_passwordchangelog_userloginlog... OK
  Applying audits.0005_auto_20190228_1715... OK
  Applying audits.0006_auto_20190726_1753... OK
  Applying audits.0007_auto_20191202_1010... OK
  Applying auth.0009_alter_user_last_name_max_length... OK
  Applying auth.0010_alter_group_name_max_length... OK
  Applying auth.0011_update_proxy_permissions... OK
  Applying authentication.0001_initial... OK
  Applying authentication.0002_auto_20190729_1423... OK
  Applying authentication.0003_loginconfirmsetting... OK
  Applying captcha.0001_initial... OK
  Applying common.0001_initial... OK
  Applying common.0002_auto_20180111_1407... OK
  Applying common.0003_setting_category... OK
  Applying common.0004_setting_encrypted... OK
  Applying common.0005_auto_20190221_1902... OK
  Applying common.0006_auto_20190304_1515... OK
  Applying django_cas_ng.0001_initial... OK
  Applying django_celery_beat.0001_initial... OK
  Applying django_celery_beat.0002_auto_20161118_0346... OK
  Applying django_celery_beat.0003_auto_20161209_0049... OK
  Applying django_celery_beat.0004_auto_20170221_0000... OK
  Applying django_celery_beat.0005_add_solarschedule_events_choices_squashed_0009_merge_20181012_1416... OK
  Applying django_celery_beat.0006_periodictask_priority... OK
  Applying ops.0001_initial... OK
  Applying ops.0002_celerytask... OK
  Applying ops.0003_auto_20181207_1744... OK
  Applying ops.0004_adhoc_run_as... OK
  Applying ops.0005_auto_20181219_1807... OK
  Applying ops.0006_auto_20190318_1023... OK
  Applying ops.0007_auto_20190724_2002... OK
  Applying ops.0008_auto_20190919_2100... OK
  Applying ops.0009_auto_20191217_1713... OK
  Applying ops.0010_auto_20191217_1758... OK
  Applying ops.0011_auto_20200106_1534... OK
  Applying ops.0012_auto_20200108_1659... OK
  Applying ops.0013_auto_20200108_1706... OK
  Applying ops.0014_auto_20200108_1749... OK
  Applying ops.0015_auto_20200108_1809... OK
  Applying ops.0016_commandexecution_org_id... OK
  Applying ops.0017_auto_20200306_1747... OK
  Applying orgs.0001_initial... OK
  Applying orgs.0002_auto_20180903_1132... OK
  Applying orgs.0003_auto_20190916_1057... OK
  Applying users.0020_auto_20190612_1825... OK
  Applying users.0021_auto_20190625_1104... OK
  Applying users.0022_auto_20190625_1105... OK
  Applying users.0023_auto_20190724_1525... OK
  Applying users.0024_auto_20191118_1612... OK
  Applying perms.0010_auto_20191218_1705... OK
  Applying sessions.0001_initial... OK
  Applying settings.0001_initial... OK
  Applying terminal.0001_initial... OK
  Applying terminal.0002_auto_20171228_0025_squashed_0009_auto_20180326_0957... OK
  Applying terminal.0010_auto_20180423_1140... OK
  Applying terminal.0011_auto_20180807_1116... OK
  Applying terminal.0012_auto_20180816_1652... OK
  Applying terminal.0013_auto_20181123_1113... OK
  Applying terminal.0014_auto_20181226_1441... OK
  Applying terminal.0015_auto_20190923_1529... OK
  Applying terminal.0016_commandstorage_replaystorage... OK
  Applying terminal.0017_auto_20191125_0931... OK
  Applying terminal.0018_auto_20191202_1010... OK
  Applying terminal.0019_auto_20191206_1000... OK
  Applying terminal.0020_auto_20191218_1721... OK
  Applying terminal.0021_auto_20200213_1316... OK
  Applying terminal.0022_session_is_success... OK
  Applying terminal.0023_command_risk_level... OK
  Applying tickets.0001_initial... OK
  Applying users.0025_auto_20200206_1216... OK
2020-04-30 23:41:25 Collect static files
2020-04-30 23:41:28 Collect static files done
- Start Celery as Distributed Task Queue: Ansible
- Start Celery as Distributed Task Queue: Celery
- Start Beat as Periodic Task Scheduler
- Start Flower as Task Monitor
- Start Daphne ASGI WS Server
gunicorn is running: 44132
celery_ansible is running: 44143
celery_default is running: 44147
beat is running: 44154
flower is running: 44167
daphne is running: 44171
# This output means it succeeded
Install Docker and deploy koko and guacamole
(py3) [root@ localhost opt]# yum install -y yum-utils device-mapper-persistent-data lvm2
(py3) [root@ localhost opt]# yum-config-manager --add-repo http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
(py3) [root@ localhost opt]# yum makecache fast
(py3) [root@ localhost opt]# rpm --import https://mirrors.aliyun.com/docker-ce/linux/centos/gpg
(py3) [root@ localhost opt]# yum -y install docker-ce
(py3) [root@ localhost opt]# systemctl enable docker
(py3) [root@ localhost opt]# mkdir /etc/docker
(py3) [root@ localhost opt]# wget -O /etc/docker/daemon.json http://demo.jumpserver.org/download/docker/daemon.json
(py3) [root@ localhost opt]# systemctl restart docker
Allow the container IP to reach port 8080 on the host (the container's IP can be checked from inside the container)
(py3) [root@ localhost opt]# firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="172.16.0.41/16" port protocol="tcp" port="8080" accept'
success
(py3) [root@ localhost opt]# firewall-cmd --reload
success
Get the current server IP
(py3) [root@ localhost jumpserver]# Server_IP=`ip addr | grep 'state UP' -A2 |grep inet | egrep -v '(127.0.0.1|inet6|docker)' | awk '{print $2}' | tr -d "addr:" | head -n 1 | cut -d / -f1`
(py3) [root@ localhost jumpserver]# echo -e "\033[31m 你的服务器IP是 $Server_IP \033[0m" # prints "Your server IP is <IP>" in red
你的服务器IP是 10.0.0.41
Run koko and guacamole
Because of network problems, the images can be imported manually.
# http://<Jumpserver_url> points to the JumpServer service port, e.g. http://192.168.244.144:8080
# BOOTSTRAP_TOKEN is the BOOTSTRAP_TOKEN from Jumpserver/config.yml
(py3) [root@ localhost jumpserver]# cd
(py3) [root@ localhost ~]# rz
(py3) [root@ localhost ~]# docker load -i jms_koko-1.5.8.tar # unpack the image
77b174a6a187: Loading layer 211.2MB/211.2MB
8bf5a5b56e52: Loading layer 156.8MB/156.8MB
737a43fa3133: Loading layer 3.584kB/3.584kB
1e3d2fc477db: Loading layer 3.584kB/3.584kB
Loaded image: jumpserver/jms_koko:1.5.8
(py3) [root@ localhost jumpserver]# docker run --name jms_koko -d -p 2222:2222 -p 127.0.0.1:5000:5000 -e CORE_HOST=http://$Server_IP:8080 -e BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN -e LOG_LEVEL=ERROR --restart=always jumpserver/jms_koko:1.5.8
(py3) [root@ localhost ~]# rz
(py3) [root@ localhost ~]# docker load -i jms_guacamole-1.5.8.tar
89189d52c082: Loading layer 466.8MB/466.8MB
7a8b77920b07: Loading layer 3.072kB/3.072kB
f881ff09eaa8: Loading layer 3.072kB/3.072kB
Loaded image: jumpserver/jms_guacamole:1.5.8
(py3) [root@ localhost jumpserver]# docker run --name jms_guacamole -d -p 127.0.0.1:8081:8080 -e JUMPSERVER_SERVER=http://$Server_IP:8080 -e BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN -e GUACAMOLE_LOG_LEVEL=ERROR --restart=always jumpserver/jms_guacamole:1.5.8
Install the Web Terminal front end: Luna
Luna needs Nginx in order to be served. Visit https://github.com/jumpserver/luna/releases and download the release package for the matching version; just extract it, no compilation is needed.
(py3) [root@ localhost jumpserver]# cd /opt
(py3) [root@ localhost opt]# rz
(py3) [root@ localhost opt]# rz -E
rz waiting to receive.
(py3) [root@ localhost opt]# ls
containerd jumpserver luna.tar.gz py3
(py3) [root@ localhost opt]# tar -xf luna.tar.gz
(py3) [root@ localhost opt]# chown -R root:root luna
If you do not have the package, try the commands below
cd /opt
wget https://github.com/jumpserver/luna/releases/download/1.5.8/luna.tar.gz
# If network problems keep the download from completing, use the address below
wget https://demo.jumpserver.org/download/luna/1.5.8/luna.tar.gz
tar xf luna.tar.gz
chown -R root:root luna
Configure Nginx to integrate the components
(py3) [root@ localhost opt]# rm -rf /etc/nginx/conf.d/default.conf
(py3) [root@ localhost opt]# cat >/etc/nginx/nginx.conf<<\EOF # trimmed-down main configuration file; \EOF keeps the $variables literal
> user nginx;
> worker_processes auto;
> error_log /var/log/nginx/error.log;
> pid /run/nginx.pid;
> include /usr/share/nginx/modules/*.conf;
> events {
>     worker_connections 65535;
> }
> http {
>     log_format main '$remote_addr - $remote_user [$time_local] "$request" '
>                     '$status $body_bytes_sent "$http_referer" '
>                     '"$http_user_agent" "$http_x_forwarded_for"';
>
>     access_log /var/log/nginx/access.log main;
>     sendfile on;
>     tcp_nopush on;
>     tcp_nodelay on;
>     keepalive_timeout 120;
>     types_hash_max_size 2048;
>     include /etc/nginx/mime.types;
>     default_type application/octet-stream;
>     include /etc/nginx/conf.d/*.conf;
> }
> EOF
(py3) [root@ localhost opt]# cat >/etc/nginx/conf.d/jumpserver.conf<<\EOF
> server {
>     listen 80;
>     server_name 10.0.0.41;
>     client_max_body_size 100m;
>     location /luna/ {
>         try_files $uri / /index.html;
>         alias /opt/luna/;
>     }
>     location /media/ {
>         add_header Content-Encoding gzip;
>         root /opt/jumpserver/data/;
>     }
>     location /static/ {
>         root /opt/jumpserver/data/;
>     }
>     location /koko/ {
>         proxy_pass http://localhost:5000;
>         proxy_buffering off;
>         proxy_http_version 1.1;
>         proxy_set_header Upgrade $http_upgrade;
>         proxy_set_header Connection "upgrade";
>         proxy_set_header X-Real-IP $remote_addr;
>         proxy_set_header Host $host;
>         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
>         access_log off;
>     }
>     location /guacamole/ {
>         proxy_pass http://localhost:8081/;
>         proxy_buffering off;
>         proxy_http_version 1.1;
>         proxy_set_header Upgrade $http_upgrade;
>         proxy_set_header Connection $http_connection;
>         proxy_set_header X-Real-IP $remote_addr;
>         proxy_set_header Host $host;
>         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
>         access_log off;
>     }
>     location /ws/ {
>         proxy_pass http://localhost:8070;
>         proxy_http_version 1.1;
>         proxy_buffering off;
>         proxy_set_header Upgrade $http_upgrade;
>         proxy_set_header Connection "upgrade";
>         proxy_set_header X-Real-IP $remote_addr;
>         proxy_set_header Host $host;
>         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
>         access_log off;
>     }
>     location / {
>         proxy_pass http://localhost:8080;
>         proxy_set_header X-Real-IP $remote_addr;
>         proxy_set_header Host $host;
>         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
>         access_log off;
>     }
> }
> EOF
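With a bare <<EOF delimiter the shell expands $remote_addr and the other Nginx variables to empty strings before the file is written, while <<\EOF writes them literally; nginx -t passes either way, so the damage only shows up as access-log lines with no client address. The following is an added example, not part of the original post, that generates the log_format both ways and checks which variables survive; the function names are hypothetical.

```shell
# Added example (not from the original post); function names are hypothetical.
# The log_format text is taken from the nginx.conf in this guide.

gen_unquoted() {  # bare delimiter: the shell substitutes $remote_addr, $status, ...
    (
        # These shell variables are normally unset; emptied here so the
        # result does not depend on the caller's environment.
        remote_addr=; remote_user=; time_local=; request=
        status=; body_bytes_sent=
        cat <<EOF
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                '$status $body_bytes_sent';
EOF
    )
}

gen_quoted() {    # quoted delimiter: the body is written byte for byte
    cat <<\EOF
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                '$status $body_bytes_sent';
EOF
}

# Read a config on stdin and print each required log variable that is missing.
missing_log_vars() {
    conf=$(cat)
    for v in remote_addr time_local request status; do
        case $conf in
            *"\$$v"*) ;;                  # the literal text $name is present
            *) printf '%s\n' "$v" ;;
        esac
    done
}

# On the host itself: missing_log_vars < /etc/nginx/nginx.conf
gen_unquoted | missing_log_vars
```

Run against the live /etc/nginx/nginx.conf, an empty result means every variable the access log depends on reached the file intact.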
Start Nginx
(py3) [root@ localhost opt]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
(py3) [root@ localhost opt]# sed -i 's/KillMode/#KillMode/g' /usr/lib/systemd/system/nginx.service
(py3) [root@ localhost opt]# systemctl daemon-reload
(py3) [root@ localhost opt]# systemctl start nginx
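A check of the port layout this guide sets up, as an added example that is not part of the original post: it reads ss -ltn output and reports listeners bound to non-loopback addresses on ports other than 80, 2222 and 8080. The function names and the sample socket list are constructed for illustration.

```shell
# Added example, not from the original post. Function names are hypothetical.
# Ports this guide means to expose to other hosts:
#   80 (Nginx), 2222 (koko SSH), 8080 (JumpServer core, reached by the containers)
EXPECTED_PUBLIC="80 2222 8080"

# Read `ss -ltn` output on stdin; print "port address" for every listener that
# is bound to a non-loopback address on a port outside EXPECTED_PUBLIC.
unexpected_listeners() {
    awk -v allowed="$EXPECTED_PUBLIC" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "LISTEN" {
            port = $4; sub(/.*:/, "", port)        # text after the last colon
            addr = $4; sub(/:[^:]*$/, "", addr)    # text before the last colon
            sub(/^\[/, "", addr); sub(/\]$/, "", addr)   # [::1] becomes ::1
            sub(/%.*/, "", addr)                   # drop a %interface suffix
            if (addr ~ /^127\./ || addr == "::1") next   # loopback only
            if (!(port in ok)) print port, addr
        }' | sort -n -u
}

# Constructed sample in CentOS 7 `ss -ltn` format. koko HTTP (5000) is shown
# published without the 127.0.0.1 prefix to illustrate a finding.
sample_ss() {
    cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    *:80                *:*
LISTEN 0      128    :::2222             :::*
LISTEN 0      128    127.0.0.1:8081      *:*
LISTEN 0      128    *:5000              *:*
LISTEN 0      128    *:8080              *:*
LISTEN 0      50     *:3306              *:*
LISTEN 0      128    127.0.0.1:6379      *:*
LISTEN 0      128    [::1]:25            [::]:*
EOF
}

# On the host itself: ss -ltn | unexpected_listeners
sample_ss | unexpected_listeners
```

Docker forwards published ports through its own iptables rules, so the 127.0.0.1 prefix in -p, not only firewalld, decides whether 5000 and 8081 are reachable from other hosts.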
Test the connection to JumpServer
# Visit http://10.0.0.41 (note: no :8080; access goes through the Nginx proxy port)
# Default account: admin, password: admin. Go to Session Management - Terminal Management and accept the registration of koko, Guacamole and the other applications
# Test the connection
(py3) [root@ localhost opt]# ssh -p2222 admin@10.0.0.41
The authenticity of host '[10.0.0.41]:2222 ([10.0.0.41]:2222)' can't be established.
RSA key fingerprint is SHA256:FKoWxEE+lf0nKALCiSDOyxaN1UFq8CuvxHTP3Sb7WF4.
RSA key fingerprint is MD5:6a:e4:b8:62:f6:99:77:50:cd:e3:60:4b:36:98:b0:85.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[10.0.0.41]:2222' (RSA) to the list of known hosts.
admin@10.0.0.41's password: # the password is admin; if you can log in, it works
Administrator, 欢迎使用Jumpserver开源堡垒机系统
1) 输入 部分IP、主机名、备注 进行搜索登录(如果唯一).
2) 输入 / + IP,主机名 or 备注 进行搜索,如:/192.168.
3) 输入 p 进行显示您有权限的主机.
4) 输入 g 进行显示您有权限的节点.
5) 输入 d 进行显示您有权限的数据库.
6) 输入 r 进行刷新最新的机器和节点信息.
7) 输入 h 进行显示帮助.
8) 输入 q 进行退出.
Opt>
  ID    | 主机名               | IP                        | 备注
+-------+----------------------+---------------------------+------------------+
  1     | c7-41                | 172.16.1.41               |
页码:1,每页行数:17,总页数:1,总数量:1
提示:输入资产ID直接登录,二级搜索使用 // + 字段,如://192
上一页:b 下一页:n
搜索: 所有
Opt>
# By default, sftp uploads land in the asset's /tmp directory
# On Windows, drag-and-drop uploads land in the G directory on the asset's Guacamole RDP session
Web page operations
Log in
The username and password are both admin
Visit: http://10.0.0.41