Jumpserver源码手动部署
1. 环境说明
1.1 架构图
<img src="clip_1.png" alt="clip_1.png" title="clip_1.png" width="627" />
1.2 环境要求
<img src="clip.png" alt="clip.png" title="clip.png" />
2. 前置环境部署
2.1 内核升级
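# 2.1 Kernel upgrade (CentOS 7, ELRepo mainline kernel).
yum -y update
# Import the ELRepo signing key first so rpm can verify the release package;
# fetch the package over HTTPS rather than plain HTTP.
rpm --import https://www.elrepo.org/RPM-GPG-KEY-elrepo.org
rpm -Uvh https://www.elrepo.org/elrepo-release-7.0-3.el7.elrepo.noarch.rpm
yum --enablerepo=elrepo-kernel install kernel-ml
# List the GRUB menu entries with their index. The new kernel-ml entry is normally
# index 0, but confirm it from this output before setting the default.
# (The original line had lost its $1/$2 fields and printed nothing useful.)
awk -F\' '$1=="menuentry " {print i++ " : " $2}' /etc/grub2.cfg
grub2-set-default 0
reboot
# After the reboot, confirm the running kernel is the new one.
uname -r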
2.2 mysql安装
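# 2.2 MySQL 5.7 (community repo).
wget https://dev.mysql.com/get/mysql57-community-release-el7-8.noarch.rpm
rpm -ivh mysql57-community-release-el7-8.noarch.rpm
# Import the current MySQL signing key so yum can verify the packages.
rpm --import https://repo.mysql.com/RPM-GPG-KEY-mysql-2022
yum -y install mysql-server
systemctl start mysqld
systemctl enable mysqld
# mysqld generates a one-time root password on first start; read it from the log ...
grep 'temporary password' /var/log/mysqld.log
# ... and type it at the prompt. Do not pass it as -p'...' on the command line:
# it would be written to shell history and be visible to other users via `ps`.
mysql -uroot -p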
set password for 'root'@'localhost'=password('<新的 root 密码，勿沿用本文示例>');
-- 注意：原文 "grant ... to 'root'" 未指定主机，在 MySQL 5.7 中等价于创建 'root'@'%'，会开放远程 root 登录。root 只保留 @'localhost'（其默认已拥有全部权限，本句可省略）。
grant all privileges on *.* to 'root'@'localhost' identified by '<同上 root 密码>' with grant option;
2.3 python3.9安装
yum install openssl openssl-devel -y #后续启动虚拟环境所需要的依赖
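# 2.3 Python 3.9 from source (Core's venv is built on it in 3.1).
# Build dependencies; openssl-devel is also what gives pip/venv TLS support later.
yum install -y zlib-devel bzip2-devel openssl-devel ncurses-devel sqlite-devel readline-devel tk-devel gcc make
cd /home/service
# Fetch the release over HTTPS (python.org, or an HTTPS mirror) and compare the
# tarball with the SHA-256 published on the release page before building it.
wget https://www.python.org/ftp/python/3.9.18/Python-3.9.18.tar.xz
sha256sum Python-3.9.18.tar.xz   # compare with the published checksum
tar -xf Python-3.9.18.tar.xz     # tar handles .xz itself; no separate xz -d step
cd Python-3.9.18
# --prefix is the documented configure option (a bare prefix=... relies on configure
# treating it as a variable assignment).
./configure --prefix=/usr/local/python3
make -j"$(nproc)" && make install
# Point /usr/bin/python at 3.9 and keep the backup. yum and urlgrabber still need
# python2; they are re-pointed at /usr/bin/python2 in the next step, so do that
# before running yum again.
mv /usr/bin/python /usr/bin/python.bak
ln -s /usr/local/python3/bin/python3.9 /usr/bin/python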
#更改yum配置,因为其要用到python2才能执行,否则会导致yum不能正常使用（把 /usr/bin/yum 与 /usr/libexec/urlgrabber-ext-down 第一行的 #! /usr/bin/python 改为 #! /usr/bin/python2，可直接用下面的 sed 完成）
sed -i '1s@^#! */usr/bin/python$@#!/usr/bin/python2@' /usr/bin/yum /usr/libexec/urlgrabber-ext-down
head -1 /usr/bin/yum /usr/libexec/urlgrabber-ext-down   #确认两个文件的首行已指向 python2
flush privileges;
#创建 jumpserver数据库并配置用户
create database jumpserver default charset 'utf8' collate 'utf8_bin';
-- Core 的 DB_HOST 为 127.0.0.1，账号限制为本机即可（若服务端把本机连接解析为 localhost，再补建 'jumpserver'@'localhost'）；Core 不在本机时才放宽主机。密码请自行生成，勿沿用本文示例。
create user 'jumpserver'@'127.0.0.1' IDENTIFIED BY '<jumpserver 数据库密码>';
-- 原文缺少授权语句，Core 执行 migrate 时会因无权限失败；只授予 jumpserver 库的权限即可。
grant all privileges on jumpserver.* to 'jumpserver'@'127.0.0.1';
flush privileges;
2.4 部署redis
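# 2.4 Redis 6.2 from source.
yum install -y gcc
cd /home/service
# Fetch over HTTPS and compare the tarball with the hash redis.io publishes for
# 6.2.5 before building it.
wget https://download.redis.io/releases/redis-6.2.5.tar.gz
sha256sum redis-6.2.5.tar.gz   # compare with the published checksum
tar -zxf redis-6.2.5.tar.gz
cd redis-6.2.5                 # make must run inside the unpacked source tree
make
make install PREFIX=/usr/local/redis
cp redis.conf /usr/local/redis/bin/
cd /usr/local/redis/bin/
# Run detached (daemonize yes) ...
sed -i 's/^daemonize no/daemonize yes/' redis.conf
# ... and require a password. Core and KoKo read it as REDIS_PASSWORD, so set a
# strong value here and reuse it in their config.yml. Leave the default
# `bind 127.0.0.1` alone: every component in this guide reaches Redis on localhost.
sed -i 's/^# requirepass .*/requirepass <strong-redis-password>/' redis.conf
# Do not start redis-server by hand here: the systemd unit in the next step starts
# it, and an instance started manually would already be holding port 6379.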
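#开机自启 — systemd unit for Redis
# Run Redis as a dedicated unprivileged account rather than root: it only needs to
# read its config and write its data directory.
useradd -r -s /sbin/nologin redis 2>/dev/null || true   # "already exists" is fine
chown -R redis:redis /usr/local/redis
chmod 640 /usr/local/redis/bin/redis.conf               # it holds requirepass
cat > /etc/systemd/system/redis.service <<'EOF'
[Unit]
Description=redis-server
After=network.target

[Service]
Type=forking
User=redis
Group=redis
ExecStart=/usr/local/redis/bin/redis-server /usr/local/redis/bin/redis.conf
Restart=on-failure
PrivateTmp=true

[Install]
WantedBy=multi-user.target
EOF
# Load the unit, start it now and enable it at boot.
systemctl daemon-reload
systemctl start redis.service
systemctl enable redis.service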
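#1开放外部访问 — optional, and NOT needed for this layout
# Every component in this guide uses REDIS_HOST 127.0.0.1, so keep the default
# `bind 127.0.0.1`. Redis has no access control beyond requirepass; binding it to
# 0.0.0.0 and opening 6379 in the firewall exposes it to password guessing from the
# whole network. Only open it if a component runs on another host, and then only
# to that host's address.
# Note: the live config is the copy under /usr/local/redis/bin/, not /etc/redis.conf.
redis_conf=/usr/local/redis/bin/redis.conf
#   sed -i 's/^bind .*/bind 127.0.0.1 <this-host-lan-ip>/' "$redis_conf"   # a specific address, never 0.0.0.0
#   firewall-cmd --zone=public --permanent --add-rich-rule='rule family="ipv4" source address="<component-host-ip>/32" port port="6379" protocol="tcp" accept'
#   firewall-cmd --reload
#   systemctl restart redis.service
#查看密码 — verify requirepass without putting the password on the command line
# (an inline AUTH "..." or redis-cli -a ends up in shell history and in `ps`).
read -r -s -p 'Redis password: ' REDISCLI_AUTH; echo
export REDISCLI_AUTH
redis-cli -h 127.0.0.1 config get requirepass
unset REDISCLI_AUTH
#目录:
#   /usr/local/redis/bin/   (binaries and redis.conf live together)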
2.5golang部署
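# 2.5 Go toolchain (needed to build KoKo in 3.4).
cd /home/services
wget https://golang.google.cn/dl/go1.18.7.linux-amd64.tar.gz
# go.dev/dl lists the SHA-256 of every archive; compare before unpacking.
sha256sum go1.18.7.linux-amd64.tar.gz
tar -xf go1.18.7.linux-amd64.tar.gz -C /usr/local/
chown -R root:root /usr/local/go
export PATH=/usr/local/go/bin:$PATH
echo 'export PATH=/usr/local/go/bin:$PATH' >> ~/.bashrc
go version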
3. 部署环境
3.1 Core部署
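# 3.1 Core: pip mirror, virtualenv, secrets.
#更改pip3源 — pip index mirror (HTTPS)
mkdir -p /root/.pip
cat > /root/.pip/pip.conf <<'EOF'
[global]
index-url = https://mirrors.aliyun.com/pypi/simple/
EOF
#Python3.9虚拟环境配置 — the stdlib venv of the 3.9 interpreter is enough; the
# virtualenv package is not needed. The path must match what the startup script
# activates (/opt/py3; the original created /opt/2py3 and then activated /opt/py3).
/usr/local/python3/bin/python3.9 -m venv /opt/py3
source /opt/py3/bin/activate
# The following runs inside the unpacked Core source tree (jumpserver-3.6.4, unpacked
# later in 3.1); config_example.yml lives there.
cp config_example.yml config.yml
# Generate the two secrets and print them once for pasting into config.yml
# (BOOTSTRAP_TOKEN is also needed by KoKo, Lion and Magnus). They are deliberately
# NOT appended to ~/.bashrc as in the original: that leaves long-lived credentials
# in a plaintext file and exports them into every future shell. The original
# one-liners were also syntax errors ("fi#comment" is not the fi keyword).
SECRET_KEY=$(tr -dc 'A-Za-z0-9' </dev/urandom | head -c 50)
BOOTSTRAP_TOKEN=$(tr -dc 'A-Za-z0-9' </dev/urandom | head -c 16)
printf 'SECRET_KEY=%s\nBOOTSTRAP_TOKEN=%s\n' "$SECRET_KEY" "$BOOTSTRAP_TOKEN"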
vim config.yml
修改端口,密钥,填写redis以及mysql信息（SECRET_KEY / BOOTSTRAP_TOKEN 填入上一步生成的值；本文不给出示例值，切勿沿用网上或他人文档中的密钥，BOOTSTRAP_TOKEN 需与 koko/lion/magnus 的配置保持一致）
SECRET_KEY: <上一步生成的 50 位随机串>
BOOTSTRAP_TOKEN: <上一步生成的 16 位随机串>
LOG_LEVEL: ERROR
SESSION_EXPIRE_AT_BROWSER_CLOSE: true
DB_ENGINE: mysql
DB_HOST: 127.0.0.1
DB_PORT: 3306
DB_USER: jumpserver
DB_PASSWORD: <jumpserver 数据库密码，与 2.2 节 create user 时设置的一致>
DB_NAME: jumpserver
HTTP_BIND_HOST: 127.0.0.1
HTTP_LISTEN_PORT: 8080
WS_LISTEN_PORT: 8070
REDIS_HOST: 127.0.0.1
REDIS_PORT: 6379
REDIS_PASSWORD: <与 redis.conf 中 requirepass 一致>
3.2 Lina部署
#获取lina
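#获取lina (3.2)
cd /home/services
wget -O /home/services/lina-v3.6.4.tar.gz https://github.com/jumpserver/lina/archive/refs/tags/v3.6.4.tar.gz
mkdir -p /home/services/lina-v3.6.4   # tar -C requires the target directory to exist
tar -xf lina-v3.6.4.tar.gz -C /home/services/lina-v3.6.4 --strip-components 1
#安装node — the original extracted a tarball it never downloaded and then moved a
# directory name that does not match the archive. Fetch it over HTTPS and compare
# it with SHASUMS256.txt from the same release directory.
wget https://nodejs.org/dist/v18.17.1/node-v18.17.1-linux-x64.tar.xz
sha256sum node-v18.17.1-linux-x64.tar.xz   # compare with nodejs.org/dist/v18.17.1/SHASUMS256.txt
tar -xf node-v18.17.1-linux-x64.tar.xz
mv node-v18.17.1-linux-x64 /usr/local/node
chown -R root:root /usr/local/node
export PATH=/usr/local/node/bin:$PATH
echo 'export PATH=/usr/local/node/bin:$PATH' >> ~/.bashrc
node -v
#安装依赖
cd /home/services/lina-v3.6.4
npm install -g yarn
yarn install
# Stamp the version shown in the page footer.
sed -i "s@Version <strong>.*</strong>@Version <strong>v3.6.4</strong>@g" src/layout/components/Footer/index.vue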
mv .env.development.example .env.development
vim .env.development
（说明：原文此处粘贴的是 Core 的 config.yml 内容。.env.development 并不使用这些键，也不应含有数据库/Redis 密码或 SECRET_KEY；其实际内容见本节末尾 cat 出的结果，只需确认指向 Core 的两项即可：）
VUE_APP_CORE_HOST = 'http://localhost:8080'
VUE_APP_CORE_WS = 'ws://localhost:8070'
3.3 Luna部署
cd /home/services
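# 3.3 Luna: fetch the source (same layout as Lina).
cd /home/services
# -O: without it wget saves the file as v3.6.4.tar.gz, which the tar below would not find.
wget -O luna-v3.6.4.tar.gz https://github.com/jumpserver/luna/archive/refs/tags/v3.6.4.tar.gz
mkdir -p /home/services/luna-v3.6.4   # tar -C requires the target directory to exist
tar -xf luna-v3.6.4.tar.gz -C /home/services/luna-v3.6.4 --strip-components 1
cd /home/services/luna-v3.6.4
# Stamp the version. Dots are escaped so only a version literal matches; the
# original [0-9].[0-9].[0-9] let '.' match any character.
sed -i "s@[0-9]\.[0-9]\.[0-9]@v3.6.4@g" src/environments/environment.prod.ts
# proxy.conf.json is only read by the `ng serve` dev server. The snippet below uses
# '#' annotations for readability; strict JSON has no comments, so drop them if you
# actually write the file.
vi proxy.conf.json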
{
"/koko": {
"target": "http://localhost:5000", # KoKo 地址
"secure": false,
"ws": true
},
"/media/": {
"target": "http://localhost:8080", # Core 地址
"secure": false,
"changeOrigin": true
},
"/api/": {
"target": "http://localhost:8080", # Core 地址
"secure": false, # https ssl 需要开启
"changeOrigin": true
},
"/core": {
"target": "http://localhost:8080", # Core 地址
"secure": false,
"changeOrigin": true
},
"/static": {
"target": "http://localhost:8080", # Core 地址
"secure": false,
"changeOrigin": true
},
"/lion": {
"target": "http://localhost:9529", # Lion 地址
"secure": false,
"pathRewrite": {
"^/lion/monitor": "/monitor"
},
"ws": true,
"changeOrigin": true
},
"/omnidb": {
"target": "http://localhost:8082",
"secure": false,
"ws": true,
"changeOrigin": true
}
}
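#构建 — production build only. `ng serve` is the Angular dev server: it blocks the
# terminal and is not meant to serve users; nginx serves the built bundle (section 4).
yarn install   # the original built without ever installing Luna's dependencies
yarn build
cp -R src/assets/i18n luna/
cp -rf luna luna-v3.6.4
tar -czf luna-v3.6.4.tar.gz luna-v3.6.4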
[root@Jumpserver ~]# cat /home/services/lina-v3.6.4/.env.development | grep -v "#" | grep -v "^$"
ENV = 'development'
VUE_APP_BASE_API = ''
VUE_APP_PUBLIC_PATH = '/ui/'
VUE_CLI_BABEL_TRANSPILE_MODULES = true
VUE_APP_LOGIN_PATH = '/core/auth/login/'
VUE_APP_LOGOUT_PATH = '/core/auth/logout/'
VUE_APP_CORE_HOST = 'http://localhost:8080'
VUE_APP_CORE_WS = 'ws://localhost:8070'
VUE_APP_ENV = 'development'
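#构建 — `yarn serve` is the Vue dev server (blocking, unminified, hot reload) and
# is not for production; build the static bundle and let nginx serve it (section 4).
# The startup script sets this for Node 18; the build needs it for the same reason.
# Drop it if the build runs without it.
export NODE_OPTIONS=--openssl-legacy-provider
yarn build
cp -rf lina lina-v3.6.4
tar -czf lina-v3.6.4.tar.gz lina-v3.6.4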
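#依赖安装 — run with the /opt/py3 venv active
# The original line pasted the yum command twice; the second "yum -y install ..."
# would have been read as package names.
yum -y install zlib-devel bzip2-devel openssl-devel ncurses-devel sqlite-devel readline-devel tk-devel gdbm-devel db4-devel libpcap-devel xz-devel gcc libffi-devel
pip install --upgrade pip setuptools wheel
# nes-py (an NES emulator binding) is not a Jumpserver dependency and was dropped;
# unrelated third-party packages in the Core venv only widen the attack surface.
pip install cryptography==38.0.4 channels_redis drf_writable_nested djangorestframework-bulk phonenumbers httpsig unicodecsv pyzipper
pip install openpyxl==3.0.10 pyexcel
# Unpack Core first: the requirements file ships inside the source tree.
cd /home/services
unzip jumpserver-3.6.4.zip
cd jumpserver-3.6.4/
# Path as shipped in the v3 source tree; if the unpacked tree has pyproject.toml/poetry.lock
# instead, install with poetry.
pip install -r requirements/requirements.txt
# Optional: drop the bundled GeoIP databases to save disk (IP geolocation then has no data).
rm -f apps/common/utils/ip/geoip/GeoLite2-City.mmdb apps/common/utils/ip/ipip/ipipfree.ipdb
#数据库迁移 — apply the migrations shipped with the release. makemigrations is a
# development step that can generate stray migration files against a release tree
# and is not needed here.
python apps/manage.py migrate
#启动core服务 (web access works once the nginx reverse proxy in 3.7/4 is in place)
./jms start -d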
3.4 Koko部署
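#获取koko安装包 (3.4)
cd /home/services
# -O: without it wget saves the file as v3.6.4.tar.gz, which the tar below would not find.
wget -O koko-v3.6.4.tar.gz https://github.com/jumpserver/koko/archive/refs/tags/v3.6.4.tar.gz
mkdir -p /home/services/koko-v3.6.4
# Without -C the original dumped the source tree straight into /home/services and the
# later cd into koko-v3.6.4 failed.
tar -xf koko-v3.6.4.tar.gz -C /home/services/koko-v3.6.4 --strip-components 1
#安装client依赖 — fetched over HTTPS; nothing here is signed, so at least record the
# checksum of what was installed.
wget https://download.jumpserver.org/public/kubectl_aliases.tar.gz -O kubectl_aliases.tar.gz
sha256sum kubectl_aliases.tar.gz
mkdir -p /home/services/kubectl-aliases   # tar -C requires the target directory to exist
tar -xf kubectl_aliases.tar.gz -C /home/services/kubectl-aliases
cd /home/services/koko-v3.6.4
make
cp build/koko-v3.6.4-linux-amd64.tar.gz /home/services
cp config_example.yml config.yml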
vi config.yml
CORE_HOST: http://127.0.0.1:8080
BOOTSTRAP_TOKEN: <与 Core config.yml 中的 BOOTSTRAP_TOKEN 一致，勿沿用本文示例值>
REDIS_HOST: 127.0.0.1
REDIS_PORT: 6379
REDIS_PASSWORD: <与 redis.conf 中 requirepass 一致>
REDIS_CLUSTERS:
REDIS_DB_ROOM:
#start koko（前台运行用于验证配置；生产环境由第 5 节的启动脚本后台拉起）
./koko
3.5 lion部署
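#1、guacd服务部署 (3.5)
mkdir -p /home/services/guacamole-v3.6.4
cd /home/services/guacamole-v3.6.4
# guacamole-server is redistributed from download.jumpserver.org. Fetch it over HTTPS
# and compare it with the checksum Apache publishes for guacamole-server-1.4.0
# before building.
wget https://download.jumpserver.org/public/guacamole-server-1.4.0.tar.gz
sha256sum guacamole-server-1.4.0.tar.gz
tar -xzf guacamole-server-1.4.0.tar.gz
cd guacamole-server-1.4.0/
#2、构建guacd服务
./configure --with-init-dir=/etc/init.d
make
make install
ldconfig
#3、获取lion — a prebuilt release binary; compare it with the checksum on the GitHub
# release page if one is published.
cd /home/services/
wget https://github.com/jumpserver/lion-release/releases/download/v3.6.4/lion-v3.6.4-linux-amd64.tar.gz
tar -xf lion-v3.6.4-linux-amd64.tar.gz
cd lion-v3.6.4-linux-amd64
#4、修改配置文件
cp config_example.yml config.yml
vim config.yml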
CORE_HOST: http://127.0.0.1:8080
BOOTSTRAP_TOKEN: <与 Core config.yml 中的 BOOTSTRAP_TOKEN 一致，勿沿用本文示例值>
BIND_HOST: 127.0.0.1   # 第 4 节 nginx 以 127.0.0.1:8081 反代 lion，无需监听 0.0.0.0；lion 与 nginx 不在同一主机时再改为对应网卡地址
HTTPD_PORT: 8081
LOG_LEVEL: INFO
GUA_HOST: 127.0.0.1
GUA_PORT: 4822
#5、启动Guacd — the RDP/VNC bridge lion reaches on 127.0.0.1:4822 (GUA_HOST/GUA_PORT above)
/etc/init.d/guacd start
#6、start lion — foreground run to verify the config; the startup script in section 5 backgrounds it
./lion
3.6 Magnus部署
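# 3.6 Magnus (database proxy) and wisp (the sidecar that registers it with Core).
cd /home/services/
wget https://github.com/jumpserver/magnus-release/releases/download/v3.6.4/magnus-v3.6.4-linux-amd64.tar.gz
# The original mixed v3.7.0 and v3.6.4 names; everything below uses the v3.6.4
# archive that was actually downloaded.
tar -xf magnus-v3.6.4-linux-amd64.tar.gz
cd magnus-v3.6.4-linux-amd64
wget https://github.com/jumpserver/wisp/releases/download/v0.1.15/wisp-v0.1.15-linux-amd64.tar.gz
tar -xf wisp-v0.1.15-linux-amd64.tar.gz
mv wisp-v0.1.15-linux-amd64/wisp /usr/local/bin/
chown root:root /usr/local/bin/wisp /home/services/magnus-v3.6.4-linux-amd64/magnus
chmod 755 /usr/local/bin/wisp /home/services/magnus-v3.6.4-linux-amd64/magnus
cp config_example.yml config.yml
vi config.yml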
BIND_HOST: "0.0.0.0"   # magnus 需要被数据库客户端直接连接，故监听全部地址；防火墙只放行下面三个代理端口，不要放行 Core/Redis/MySQL 端口
BOOTSTRAP_TOKEN: <与 Core config.yml 中的 BOOTSTRAP_TOKEN 一致，勿沿用本文示例值>
MYSQL_PORT: 33060
MARIA_DB_PORT: 33061
POSTGRESQL_PORT: 54320
LOG_LEVEL: "info"
WISP_HOST: "localhost"
WISP_PORT: 9090
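#start wisp — wisp takes its settings from the environment
export CORE_HOST="http://127.0.0.1:8080"   # Core address
# Same value as BOOTSTRAP_TOKEN in Core's config.yml. Read it at a prompt rather
# than typing it into an export line, which would land in shell history.
read -r -s -p 'BOOTSTRAP_TOKEN: ' BOOTSTRAP_TOKEN; echo
export BOOTSTRAP_TOKEN
# Paths match where magnus was unpacked above (not /opt, not v3.7.0).
export WORK_DIR="/home/services/magnus-v3.6.4-linux-amd64"
export COMPONENT_NAME="magnus"
export EXECUTE_PROGRAM="/home/services/magnus-v3.6.4-linux-amd64/magnus"
wisp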
3.7 Nginx部署
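# 3.7 Nginx from source. (`yum install -y nginx` also works; its config then lives
# under /etc/nginx/.)
# The original package list was cut off at "pc"; pcre-devel is what nginx needs.
yum -y install gcc gcc-c++ make libtool zlib zlib-devel openssl openssl-devel pcre pcre-devel
wget https://nginx.org/download/nginx-1.20.1.tar.gz
tar -zxvf nginx-1.20.1.tar.gz
mv nginx-1.20.1/ nginx
cd nginx                              # configure must run inside the source tree
./configure --with-http_ssl_module    # ssl module: needed to terminate TLS in section 4
make && make install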
4. 环境整合
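server {
    # NOTE(review): this listener is plain HTTP. Jumpserver carries logins, session
    # cookies and session recordings; terminate TLS here (listen 443 ssl with a
    # certificate, redirect 80 -> 443) before exposing it beyond localhost. The ssl
    # module was built in for exactly this (3.7).
    listen 80;
    client_max_body_size 5000m;  # upload size limit

    # Luna: the bundle built in 3.3 is served as static files.
    location /luna/ {
        try_files $uri / /index.html;
        alias /home/services/luna-3.6.4/luna/;
    }

    # Core data: session replays and static assets
    location /media/replay/ {
        add_header Content-Encoding gzip;
        root /home/services/jumpserver-3.6.4/data/;
    }
    location /static/ {
        root /home/services/jumpserver-3.6.4/data/;
    }

    # KoKo (terminal sessions, websocket). Replace 127.0.0.1 with the component's
    # address if it runs on another host.
    location /koko/ {
        proxy_pass http://127.0.0.1:5000;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_http_version 1.1;
        proxy_buffering off;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

    # Lion (RDP/VNC via guacd)
    location /lion/ {
        proxy_pass http://127.0.0.1:8081;
        proxy_buffering off;
        proxy_request_buffering off;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        proxy_ignore_client_abort on;
        proxy_connect_timeout 600;
        proxy_send_timeout 600;
        proxy_read_timeout 600;
        send_timeout 6000;
    }

    # Core websocket
    location /ws/ {
        proxy_pass http://127.0.0.1:8080;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    # Core HTTP API and media
    location ~ ^/(core|api|media)/ {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    # Lina: serve the bundle built in 3.2 as static files, like Luna above.
    # The original proxied /ui/ to the `yarn serve` dev server on :9528, a
    # development tool (unminified, hot reload) that should not front production traffic.
    location /ui/ {
        try_files $uri / /index.html;
        alias /home/services/lina-v3.6.4/lina/;
    }

    location / {
        rewrite ^/(.*)$ /ui/ last;
    }
}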
5. 启动脚本
cd /home/tank/script
vim jumpserver.sh
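#!/usr/bin/env bash
# Start every Jumpserver component on this host.
# Runs as root (as in the original). BOOTSTRAP_TOKEN must be present in the
# environment, e.g. sourced from a root-only file beforehand:
#   set -a; . /root/jumpserver.env; set +a
# Logs go to $log_dir rather than /tmp: /tmp is world-writable, so fixed file names
# there can be pre-created or symlinked by any local user, and the logs (which can
# carry session details) would be world-readable.
log_dir=/var/log/jumpserver
base=/home/services
mkdir -p "$log_dir" && chmod 0750 "$log_dir"

# wisp (magnus) is configured only through the environment; the original script
# started it without these, so magnus could never register with Core. Fail early.
: "${BOOTSTRAP_TOKEN:?BOOTSTRAP_TOKEN must be set (same value as Core config.yml)}"

#start jumpserver core
source /opt/py3/bin/activate
cd "$base/jumpserver-3.6.4" || exit 1
nohup python -u jms start >"$log_dir/jms.log" 2>&1 &

#start koko — directory where the archive built in 3.4 was unpacked (the original
# path "koko---linux-amd64" was garbled; adjust if you unpacked it elsewhere)
cd "$base/koko-3.6.4/koko-v3.6.4-linux-amd64" || exit 1
nohup ./koko >"$log_dir/koko.log" 2>&1 &

#start magnus (via wisp)
export CORE_HOST="http://127.0.0.1:8080"
export WORK_DIR="$base/magnus-v3.6.4-linux-amd64"
export COMPONENT_NAME="magnus"
export EXECUTE_PROGRAM="$WORK_DIR/magnus"
export BOOTSTRAP_TOKEN
cd "$WORK_DIR" || exit 1
nohup wisp >"$log_dir/magnus.log" 2>&1 &

#start guacd and lion
/etc/init.d/guacd start
cd "$base/lion-v3.6.4-linux-amd64" || exit 1
nohup ./lion >"$log_dir/lion.log" 2>&1 &

#start lina / luna dev servers
# These are the Vue/Angular development servers (unminified, hot reload). They are
# only needed while nginx proxies /ui/ to :9528 (section 4); once nginx serves the
# bundles built in 3.2/3.3, delete these two blocks.
export NODE_OPTIONS=--openssl-legacy-provider
yarn config set ignore-engines true
cd "$base/lina-v3.6.4" || exit 1
nohup yarn serve >"$log_dir/lina.log" 2>&1 &
cd "$base/luna-3.6.4" || exit 1
# The original started ng serve without nohup or a log file.
nohup ./node_modules/.bin/ng serve >"$log_dir/luna.log" 2>&1 &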
# Make the startup script executable and run it (as root; see the header comment in the script).
chmod +x jumpserver.sh
./jumpserver.sh
6. 目录说明
/home/services/
├── data
├── guacamole-v3.6.4 (guacd服务安装目录 用于web 代理连接 )
├── jumpserver-3.6.4 (jumpserver核心组件,其他组件依赖此组件工作)
├── koko-3.6.4 (ssh,等shell终端连接组件)
├── lina-v3.6.4 (jumperserver的前端项目之一,主要使用vue,elementUI完成)
├── lion-v3.6.4-linux-amd64 (服务于windows的组件,用于web端访问windows资产)
├── luna-3.6.4 (jumpserver主要的前端项目,使用angular CLI完成。)
├── magnus-v3.6.4-linux-amd64 (数据库代理组件,用于客户端代理访问数据库)
├── node-v18.17.1 (依赖)
├── Python-3.9.18 (依赖,当前版本必须大于3.6)
└── redis-6.2.5 (由core等组件调用)
另:mysql使用5.7.43版本。详情可查看systemctl status mysqld
系统架构图
<img src="clip_2.png" alt="clip_2.png" title="clip_2.png" width="815" />
日志目录位于各组件的data/logs中
当前 Core 配置中的 log 等级为 ERROR（lion、magnus 的 config.yml 中分别为 INFO / info），可视情况更改，但本地磁盘不多，不建议全部使用 info 等级。关于日志后期建议统一搭载日志平台。