分布式部署文档 - jumpserver 部署

说明

  • # 开头的行表示注释
  • $ 开头的行表示需要执行的命令

环境

  • 系统: CentOS 7
  • IP: 192.168.100.30
Protocol ServerName IP Port Used By
TCP Jumpserver 192.168.100.30 80, 8080 Nginx, Coco, Guacamole

开始安装

  1. # 升级系统
  2. $ yum upgrade -y
  4. # 安装依赖包
  5. $ yum -y install gcc epel-release git
  7. # 设置防火墙, 开放 80 端口给 nginx 访问, 开放 8080 端口给 coco 和 guacamole 访问
  8. $ firewall-cmd --permanent --add-rich-rule="rule family="ipv4" source address="192.168.100.100" port protocol="tcp" port="80" accept"
  9. $ firewall-cmd --permanent --add-rich-rule="rule family="ipv4" source address="192.168.100.40" port protocol="tcp" port="8080" accept"
  10. $ firewall-cmd --permanent --add-rich-rule="rule family="ipv4" source address="192.168.100.50" port protocol="tcp" port="8080" accept"
  11. $ firewall-cmd --reload
  13. # 安装 nginx
  14. $ yum -y install nginx
  15. $ systemctl enable nginx
  17. # 安装 Python3.6
  18. $ yum -y install python36 python36-devel
  20. # 配置 py3 虚拟环境
  21. $ python3.6 -m venv /opt/py3
  22. $ source /opt/py3/bin/activate
  24. # 下载 Jumpserver
  25. $ git clone https://github.com/jumpserver/jumpserver.git
  26. $ cd /opt/jumpserver
  27. $ git checkout 1.4.8
  29. # 安装依赖 RPM 包
  30. $ yum -y install $(cat /opt/jumpserver/requirements/rpm_requirements.txt)
  32. # 安装 Python 库依赖
  33. $ pip install --upgrade pip setuptools
  34. $ pip install -r /opt/jumpserver/requirements/requirements.txt
  36. # 修改 jumpserver 配置文件
  37. $ cd /opt/jumpserver
  38. $ cp config_example.yml config.yml
  40. $ SECRET_KEY=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 50`  # 生成随机SECRET_KEY
  41. $ echo "SECRET_KEY=$SECRET_KEY" >> ~/.bashrc
  42. $ BOOTSTRAP_TOKEN=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 16`  # 生成随机BOOTSTRAP_TOKEN
  43. $ echo "BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN" >> ~/.bashrc
  45. $ sed -i "s/SECRET_KEY:/SECRET_KEY: $SECRET_KEY/g" /opt/jumpserver/config.yml
  46. $ sed -i "s/BOOTSTRAP_TOKEN:/BOOTSTRAP_TOKEN: $BOOTSTRAP_TOKEN/g" /opt/jumpserver/config.yml
  47. $ sed -i "s/# DEBUG: true/DEBUG: false/g" /opt/jumpserver/config.yml
  48. $ sed -i "s/# LOG_LEVEL: DEBUG/LOG_LEVEL: ERROR/g" /opt/jumpserver/config.yml
  49. $ sed -i "s/# SESSION_EXPIRE_AT_BROWSER_CLOSE: false/SESSION_EXPIRE_AT_BROWSER_CLOSE: true/g" /opt/jumpserver/config.yml
  51. $ echo -e "\033[31m 你的SECRET_KEY是 $SECRET_KEY \033[0m"
  52. $ echo -e "\033[31m 你的BOOTSTRAP_TOKEN是 $BOOTSTRAP_TOKEN \033[0m"
  54. $ vi config.yml
  1. # SECURITY WARNING: keep the secret key used in production secret!
  2. # 加密秘钥 生产环境中请修改为随机字符串, 请勿外泄, 升级或者迁移请保持不变
  3. SECRET_KEY:
  5. # SECURITY WARNING: keep the bootstrap token used in production secret!
  6. # 预共享Token coco和guacamole用来注册服务账号, 不在使用原来的注册接受机制
  7. BOOTSTRAP_TOKEN:
  9. # Development env open this, when error occur display the full process track, Production disable it
  10. # DEBUG 模式 开启DEBUG后遇到错误时可以看到更多日志
  11. DEBUG: false
  13. # DEBUG, INFO, WARNING, ERROR, CRITICAL can set. See https://docs.djangoproject.com/en/1.10/topics/logging/
  14. # 日志级别
  15. LOG_LEVEL: ERROR
  16. # LOG_DIR:
  18. # Session expiration setting, Default 24 hour, Also set expired on on browser close
  19. # 浏览器Session过期时间, 默认24小时, 也可以设置浏览器关闭则过期
  20. # SESSION_COOKIE_AGE: 86400
  21. SESSION_EXPIRE_AT_BROWSER_CLOSE: true
  23. # Database setting, Support sqlite3, mysql, postgres ....
  24. # 数据库设置
  25. # See https://docs.djangoproject.com/en/1.10/ref/settings/#databases
  27. # SQLite setting:
  28. # 使用单文件sqlite数据库
  29. # DB_ENGINE: sqlite3
  30. # DB_NAME:
  32. # MySQL or postgres setting like:
  33. # 使用Mysql作为数据库
  34. DB_ENGINE: mysql
  35. DB_HOST: 192.168.100.100
  36. DB_PORT: 3306
  37. DB_USER: jumpserver
  38. DB_PASSWORD: 你的数据库密码
  39. DB_NAME: jumpserver
  41. # When Django start it will bind this host and port
  42. # ./manage.py runserver 127.0.0.1:8080
  43. # 运行时绑定端口
  44. HTTP_BIND_HOST: 0.0.0.0
  45. HTTP_LISTEN_PORT: 8080
  47. # Use Redis as broker for celery and web socket
  48. # Redis配置
  49. REDIS_HOST: 127.0.0.1
  50. REDIS_PORT: 6379
  51. # REDIS_PASSWORD:
  52. # REDIS_DB_CELERY: 3
  53. # REDIS_DB_CACHE: 4
  55. # Use OpenID authorization
  56. # 使用OpenID 来进行认证设置
  57. # BASE_SITE_URL: http://localhost:8080
  58. # AUTH_OPENID: false  # True or False
  59. # AUTH_OPENID_SERVER_URL: https://openid-auth-server.com/
  60. # AUTH_OPENID_REALM_NAME: realm-name
  61. # AUTH_OPENID_CLIENT_ID: client-id
  62. # AUTH_OPENID_CLIENT_SECRET: client-secret
  64. # OTP settings
  65. # OTP/MFA 配置
  66. # OTP_VALID_WINDOW: 0
  67. # OTP_ISSUER_NAME: Jumpserver
  1. # 修改 nginx 配置文件(如果无法正常访问, 请注释掉 nginx.conf 的 server 所有字段)
  2. $ vi /etc/nginx/conf.d/jumpserver.conf
  4. server {
  5.     listen 80;
  7.     client_max_body_size 100m;  # 录像上传大小限制
  9.     location /media/ {
  10.         add_header Content-Encoding gzip;
  11.         root /opt/jumpserver/data/;  # 录像位置, 如果修改安装目录, 此处需要修改
  12.     }
  14.     location /static/ {
  15.         root /opt/jumpserver/data/;  # 静态资源, 如果修改安装目录, 此处需要修改
  16.     }
  18.     location / {
  19.         proxy_pass http://localhost:8080;
  20.         proxy_set_header X-Real-IP $remote_addr;
  21.         proxy_set_header Host $host;
  22.         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  23.     }
  24. }
  1. # nginx 测试并启动, 如果报错请按报错提示自行解决
  2. $ nginx -t
  3. $ systemctl start nginx
  5. # 运行 Jumpserver
  6. $ cd /opt/jumpserver
  7. $ ./jms start  # 后台运行使用 -d 参数./jms start -d
  8. # 新版本更新了运行脚本, 使用方式./jms start|stop|status all  后台运行请添加 -d 参数
  10. # 访问 http://192.168.100.30 默认账号: admin 密码: admin
  12. # 多节点部署, 请参考此文档, 设置数据库时请选择从库, 其他的一样