
Graduation thesis of Cloud Computing: jumpserver installation document

2025-02-24 Update From: SLTechnology News&Howtos shulou

Every year from March to April, colleges and universities enter the preparation stage for the annual graduation defense, and graduation theses and graduation projects now follow Internet industry trends more closely. Many schools have started assigning the hottest topics: implementing a cloud computing OpenStack architecture and building a cloud computing environment. Leaving aside whether that is the right entry point for a graduation project, how do you start once you have chosen this topic? The following shares material prepared by lecturer Qianfeng for students working on a cloud computing graduation thesis: the jumpserver installation document.

Step by step installation (CentOS)

The purpose of this document is to help users understand how the components relate to each other. For deployment in a production environment, the advanced installation is recommended.

File

For rapid deployment on a cloud server, refer to the express installation.

If you encounter problems during installation, refer to the list of problems frequently encountered during installation.

Recommended test environment

CPU: 64-bit dual-core processor

Memory: 4G DDR3

Database: mysql version equals 5.6 mariadb version equals 5.5.6

Environment

System: CentOS 7

IP: 192.168.244.144

Set up SELinux and the firewall

$ firewall-cmd --zone=public --add-port=80/tcp --permanent # nginx port

$ firewall-cmd --zone=public --add-port=2222/tcp --permanent # user SSH login port (coco)

$ firewall-cmd --reload # reload rules

$ setenforce 0

$ sed -i "s/SELINUX=enforcing/SELINUX=disabled/g" /etc/selinux/config

One. Prepare Python3 and the Python virtual environment

1.1 Install dependency packages

$ yum -y install wget gcc epel-release git

1.2 Install Python 3.6

$ yum -y install python36 python36-devel

# if the download speed is slow, you can switch to domestic sources

$ wget -O /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo

$ yum -y install python36 python36-devel

1.3 Build the Python virtual environment

CentOS 7 ships with Python 2, and yum and other tools depend on that original Python. To avoid disturbing the original environment, we use a Python virtual environment.

$ cd /opt

$ python3.6 -m venv py3

$ source /opt/py3/bin/activate

# Seeing the prompt below means success. From now on, run the source command above before running Jumpserver.

All of the following commands are run in this virtual environment

(py3) [root@localhost py3]

Two. Install Jumpserver

2.1 Download or clone the project

The project has many commits, so a git clone is large. You can instead download the zip package directly from the GitHub project page.

$ cd /opt/

$ git clone --depth=1 https://github.com/jumpserver/jumpserver.git

2.2 Install dependent RPM packages

$ cd /opt/jumpserver/requirements

$ yum -y install $(cat rpm_requirements.txt) # if there are no errors, continue

2.3 Install Python library dependencies

$ pip install --upgrade pip setuptools

$ pip install -r requirements.txt

# if the download speed is slow, you can switch to domestic sources

$ pip install --upgrade pip setuptools -i https://mirrors.aliyun.com/pypi/simple/

$ pip install -r requirements.txt -i https://mirrors.aliyun.com/pypi/simple/

2.4 Install Redis; Jumpserver uses Redis as the cache and as the celery broker

$ yum -y install redis

$ systemctl enable redis

$ systemctl start redis

2.5 Install MySQL

This tutorial uses MySQL as the database. If you do not use MySQL, you can skip the MySQL installation and configuration.

$ yum -y install mariadb mariadb-devel mariadb-server mariadb-shared # MariaDB is what gets installed on CentOS 7

$ systemctl enable mariadb

$ systemctl start mariadb

2.6 Create the database Jumpserver and grant privileges

$ DB_PASSWORD=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 24` # generate a random database password

$ echo -e "\033[31m your database password is $DB_PASSWORD \033[0m"

$ mysql -uroot -e "create database jumpserver default charset 'utf8'; grant all on jumpserver.* to 'jumpserver'@'127.0.0.1' identified by '$DB_PASSWORD'; flush privileges;"

2.7 Modify the Jumpserver configuration file

$ cd /opt/jumpserver

$ cp config_example.yml config.yml

$ SECRET_KEY=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 50` # generate a random SECRET_KEY

$ echo "SECRET_KEY=$SECRET_KEY" >> ~/.bashrc

$ BOOTSTRAP_TOKEN=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 16` # generate a random BOOTSTRAP_TOKEN

$ echo "BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN" >> ~/.bashrc

$ sed -i "s/SECRET_KEY:/SECRET_KEY: $SECRET_KEY/g" /opt/jumpserver/config.yml

$ sed -i "s/BOOTSTRAP_TOKEN:/BOOTSTRAP_TOKEN: $BOOTSTRAP_TOKEN/g" /opt/jumpserver/config.yml

$ sed -i "s/# DEBUG: true/DEBUG: false/g" /opt/jumpserver/config.yml

$ sed -i "s/# LOG_LEVEL: DEBUG/LOG_LEVEL: ERROR/g" /opt/jumpserver/config.yml

$ sed -i "s/# SESSION_EXPIRE_AT_BROWSER_CLOSE: false/SESSION_EXPIRE_AT_BROWSER_CLOSE: true/g" /opt/jumpserver/config.yml

$ sed -i "s/DB_PASSWORD: /DB_PASSWORD: $DB_PASSWORD/g" /opt/jumpserver/config.yml

$ echo -e "\033[31m your SECRET_KEY is $SECRET_KEY \033[0m"

$ echo -e "\033[31m your BOOTSTRAP_TOKEN is $BOOTSTRAP_TOKEN \033[0m"

$ vi config.yml # confirm that the content is correct

# SECURITY WARNING: keep the secret key used in production secret!

# change the encryption key to a random string in the production environment. Do not leak.

SECRET_KEY:

# SECURITY WARNING: keep the bootstrap token used in production secret!

# Pre-shared token that coco and guacamole use to register their service accounts, replacing the original register-and-accept mechanism

BOOTSTRAP_TOKEN:

# Development env open this, when error occur display the full process track, Production disable it

# DEBUG mode: with DEBUG enabled you can see more logs when an error occurs

DEBUG: false

# DEBUG, INFO, WARNING, ERROR, CRITICAL can set. See https://docs.djangoproject.com/en/1.10/topics/logging/

# Log level

LOG_LEVEL: ERROR

# LOG_DIR:

# Session expiration setting, Default 24 hour, Also set expired on on browser close

# Browser session expiration time. Default is 24 hours. You can also set the session to expire when the browser is closed.

# SESSION_COOKIE_AGE: 86400

SESSION_EXPIRE_AT_BROWSER_CLOSE: true

# Database setting, Support sqlite3, mysql, postgres....

# Database Settings

# See https://docs.djangoproject.com/en/1.10/ref/settings/#databases

# SQLite setting:

# Use a single-file sqlite database

# DB_ENGINE: sqlite3

# DB_NAME:

# MySQL or postgres setting like:

# use Mysql as the database

DB_ENGINE: mysql

DB_HOST: 127.0.0.1

DB_PORT: 3306

DB_USER: jumpserver

DB_PASSWORD:

DB_NAME: jumpserver

# When Django start it will bind this host and port

# ./manage.py runserver 127.0.0.1:8080

# Address and port to bind when the server runs

HTTP_BIND_HOST: 0.0.0.0

HTTP_LISTEN_PORT: 8080

# Use Redis as broker for celery and web socket

# Redis configuration

REDIS_HOST: 127.0.0.1

REDIS_PORT: 6379

# REDIS_PASSWORD:

# REDIS_DB_CELERY: 3

# REDIS_DB_CACHE: 4

# Use OpenID authorization

# Settings for authenticating with OpenID

# BASE_SITE_URL: http://localhost:8080

# AUTH_OPENID: false # True or False

# AUTH_OPENID_SERVER_URL: https://openid-auth-server.com/

# AUTH_OPENID_REALM_NAME: realm-name

# AUTH_OPENID_CLIENT_ID: client-id

# AUTH_OPENID_CLIENT_SECRET: client-secret

# OTP settings

# OTP/MFA configuration

# OTP_VALID_WINDOW: 0

# OTP_ISSUER_NAME: Jumpserver

2.8 Run Jumpserver

$ cd /opt/jumpserver

$ ./jms start all -d # to run in the background, use the -d parameter: ./jms start all -d

# The new version updates the run script: use ./jms start|stop|status all, and add the -d parameter to run in the background.

If it runs without reporting an error, continue with the next steps.

Three. Install the SSH Server and WebSocket Server: Coco

3.1 Download or clone the project

$ cd /opt

$ source /opt/py3/bin/activate

$ git clone --depth=1 https://github.com/jumpserver/coco.git

3.2 Install dependencies

$ cd /opt/coco/requirements

$ yum -y install $(cat rpm_requirements.txt)

$ pip install -r requirements.txt

# if the download speed is slow, you can switch to domestic sources

$ pip install -r requirements.txt -i https://mirrors.aliyun.com/pypi/simple/

3.3 Modify the configuration file and run

$ cd /opt/coco

$ cp config_example.yml config.yml

$ sed -i "s/BOOTSTRAP_TOKEN: /BOOTSTRAP_TOKEN: $BOOTSTRAP_TOKEN/g" /opt/coco/config.yml

$ sed -i "s/# LOG_LEVEL: INFO/LOG_LEVEL: ERROR/g" /opt/coco/config.yml

$ vi config.yml

# Project name; it is used to register with Jumpserver and must not be repeated.

# NAME: {{Hostname}}

# URL of the Jumpserver project; API registration requests use it

CORE_HOST: http://127.0.0.1:8080

# Bootstrap Token, a pre-shared key used to register the service account and terminal that coco uses

# Keep it the same as in the jumpserver configuration file; it can be deleted after registration

BOOTSTRAP_TOKEN:

# IP bound at startup. Default is 0.0.0.0

# BIND_HOST: 0.0.0.0

# SSH port to listen on. Default is 2222.

# SSHD_PORT: 2222

# HTTP/WS port to listen on. Default is 5000.

# HTTPD_PORT: 5000

# ACCESS KEY used by the project; by default it is registered and saved to ACCESS_KEY_STORE

# If needed, you can write it into the configuration file in the format access_key_id:access_key_secret

# ACCESS_KEY: null

# Location where the ACCESS KEY is saved; by default it is saved to this file after registration

# ACCESS_KEY_STORE: data/keys/.access_key

# Encryption key

# SECRET_KEY: null

# Set the log level [DEBUG, INFO, WARN, ERROR, FATAL, CRITICAL]

LOG_LEVEL: ERROR

# Directory where logs are stored

# LOG_DIR: logs

# SSH allow list

# ALLOW_SSH_USER: all

# SSH block list. If a user is on both the allow list and the block list, the block list takes precedence.

# BLOCK_SSH_USER:

#   -

# Heartbeat interval with Jumpserver

# HEARTBEAT_INTERVAL: 5

# Name of the admin; it is shown to users when there is a problem.

# ADMINS: ''

# SSH connection timeout (default 15 seconds)

# SSH_TIMEOUT: 15

# Language [en, zh]

# LANGUAGE_CODE: zh

# SFTP root directory; options are /tmp, Home, or another custom directory

# SFTP_ROOT: /tmp

# Whether SFTP shows hidden files

# SFTP_SHOW_HIDDEN_FILE: false

# Whether to reuse connections already established to the user's back-end assets (a user does not reuse other users' connections)

# REUSE_CONNECTION: true

$ ./cocod start -d # to run in the background, use the -d parameter: ./cocod start -d

# The new version updates the run script: use ./cocod start|stop|status, and add the -d parameter to run in the background.
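An added check, not part of the original document or of Jumpserver: the script below audits the two config.yml files after the sed edits in steps 2.7 and 3.3, catching a substitution that did not apply, one that ran twice, and a coco BOOTSTRAP_TOKEN that differs from the Jumpserver one. The function names and the file-mode check are assumptions of this example, and the sample values are constructed.

```shell
#!/bin/sh
# Added example, not Jumpserver code; all function names are hypothetical.

# Print the value of an uncommented "KEY: value" line (empty if unset).
cfg_value() {
    sed -n "s/^$1:[[:space:]]*\(.*\)$/\1/p" "$2" | head -n 1
}

# audit_jms_config JMS_CFG COCO_CFG
# Prints one line per finding; the return status is the number of findings.
audit_jms_config() {
    jms=$1 coco=$2 findings=0
    fail() { echo "FAIL: $1"; findings=$((findings + 1)); }

    # The guide generates 50, 16 and 24 character values from A-Za-z0-9.
    for spec in SECRET_KEY:50 BOOTSTRAP_TOKEN:16 DB_PASSWORD:24; do
        key=${spec%%:*} want=${spec##*:}
        val=$(cfg_value "$key" "$jms")
        case $val in
            "") fail "$key is empty, the sed substitution did not apply" ;;
            *[!A-Za-z0-9]*) fail "$key has stray characters, sed may have run twice" ;;
            *) [ "${#val}" -ge "$want" ] || fail "$key is shorter than $want characters" ;;
        esac
    done
    for spec in DEBUG:false SESSION_EXPIRE_AT_BROWSER_CLOSE:true; do
        key=${spec%%:*} want=${spec##*:}
        [ "$(cfg_value "$key" "$jms")" = "$want" ] || fail "$key is not $want"
    done

    # coco registers with the pre-shared token, so both files must agree.
    [ "$(cfg_value BOOTSTRAP_TOKEN "$coco")" = "$(cfg_value BOOTSTRAP_TOKEN "$jms")" ] ||
        fail "BOOTSTRAP_TOKEN differs between $jms and $coco"

    # Assumption, not from the guide: files holding these secrets should
    # not be readable by group or other (stat -c is the GNU/Linux form).
    for f in "$jms" "$coco"; do
        mode=$(stat -c '%a' "$f")
        case $mode in
            *00) ;;
            *) fail "$f has mode $mode, use chmod 600" ;;
        esac
    done
    return "$findings"
}

# Constructed sample input: DEBUG never switched, coco token left empty.
write_samples() {
    cat > "$1" <<'EOF'
SECRET_KEY: Zq3vT8mK1xW7bN5cR9pL2yH6dF4gJ0sAaUeIoPqWsEdRfTgYhU
BOOTSTRAP_TOKEN: k4Jd82LmQz07XbTe
# DEBUG: true
SESSION_EXPIRE_AT_BROWSER_CLOSE: true
DB_PASSWORD: a1B2c3D4e5F6g7H8i9J0k1L2
EOF
    printf 'CORE_HOST: http://127.0.0.1:8080\nBOOTSTRAP_TOKEN: \n' > "$2"
    chmod 600 "$1" "$2"
}

if [ $# -eq 2 ]; then audit_jms_config "$1" "$2"; fi
```

Called with /opt/jumpserver/config.yml and /opt/coco/config.yml as its two arguments, the script prints its findings and exits with their count.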

Four. Install the Web Terminal front end: Luna

Luna is now a pure front end and needs Nginx to serve it. Go to the release page (https://github.com/jumpserver/luna/releases), download the release package for the corresponding version, and decompress it directly; no compilation is required.

4.1 Decompress Luna

$ cd /opt

$ wget https://github.com/jumpserver/luna/releases/download/1.5.0/luna.tar.gz

# if the download cannot complete because of network problems, you can use the following address

$ wget https://demo.jumpserver.org/download/luna/1.5.0/luna.tar.gz

$ tar xf luna.tar.gz

$ chown -R root:root luna

Five. Install the Windows support components (if you do not need to manage Windows assets, you can skip this step)

5.1 Install dependencies

$ rpm --import http://li.nux.ro/download/nux/RPM-GPG-KEY-nux.ro

$ rpm -Uvh http://li.nux.ro/download/nux/dextop/el7/x86_64/nux-dextop-release-0-5.el7.nux.noarch.rpm

$ yum -y localinstall --nogpgcheck https://download1.rpmfusion.org/free/el/rpmfusion-free-release-7.noarch.rpm https://download1.rpmfusion.org/nonfree/el/rpmfusion-nonfree-release-7.noarch.rpm

$ yum install -y java-1.8.0-openjdk libtool

$ yum install -y cairo-devel libjpeg-turbo-devel libpng-devel uuid-devel

$ yum install -y ffmpeg-devel freerdp-devel freerdp-plugins pango-devel libssh3-devel libtelnet-devel libvncserver-devel pulseaudio-libs-devel openssl-devel libvorbis-devel libwebp-devel ghostscript

5.2 Compile and install the guacamole service

$ cd /opt

$ git clone --depth=1 https://github.com/jumpserver/docker-guacamole.git

$ cd /opt/docker-guacamole/

$ tar -xf guacamole-server-0.9.14.tar.gz

$ cd guacamole-server-0.9.14

$ autoreconf -fi

$ ./configure --with-init-dir=/etc/init.d

$ make && make install

$ ln -s /usr/local/lib/freerdp/*.so /usr/lib64/freerdp/

$ cd ..

$ rm -rf guacamole-server-0.9.14

$ ldconfig

5.3 Configure Tomcat

$ mkdir -p /config/guacamole /config/guacamole/lib /config/guacamole/extensions # create the guacamole directories

$ ln -sf /opt/docker-guacamole/guacamole-auth-jumpserver-0.9.14.jar /config/guacamole/extensions/guacamole-auth-jumpserver-0.9.14.jar

$ ln -sf /opt/docker-guacamole/root/app/guacamole/guacamole.properties /config/guacamole/guacamole.properties # guacamole configuration file

$ cd /config

$ wget http://mirrors.tuna.tsinghua.edu.cn/apache/tomcat/tomcat-8/v8.5.40/bin/apache-tomcat-8.5.40.tar.gz

$ tar xf apache-tomcat-8.5.40.tar.gz

$ rm -rf apache-tomcat-8.5.40.tar.gz

$ mv apache-tomcat-8.5.40 tomcat8

$ rm -rf /config/tomcat8/webapps/*

$ ln -sf /opt/docker-guacamole/guacamole-0.9.14.war /config/tomcat8/webapps/ROOT.war # guacamole client

$ sed -i 's/Connector port="8080"/Connector port="8081"/g' /config/tomcat8/conf/server.xml # change the default port to 8081

$ sed -i 's/FINE/WARNING/g' /config/tomcat8/conf/logging.properties # change the log level to WARNING

$ cd /config

$ wget https://github.com/ibuler/ssh-forward/releases/download/v0.0.5/linux-amd64.tar.gz

# if the download cannot complete because of network problems, you can use the following address

$ wget https://demo.jumpserver.org/download/ssh-forward/v0.0.5/linux-amd64.tar.gz

$ tar xf linux-amd64.tar.gz -C /bin/

$ chmod +x /bin/ssh-forward

5.4 Configure environment variables

# do not run the following environment settings more than once

$ export JUMPSERVER_SERVER=http://127.0.0.1:8080 # http://127.0.0.1:8080 refers to the jumpserver access address

$ echo "export JUMPSERVER_SERVER=http://127.0.0.1:8080" >> ~/.bashrc

# BOOTSTRAP_TOKEN is the value of BOOTSTRAP_TOKEN in Jumpserver/config.yml

$ export BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN

$ echo "export BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN" >> ~/.bashrc

$ export JUMPSERVER_KEY_DIR=/config/guacamole/keys

$ echo "export JUMPSERVER_KEY_DIR=/config/guacamole/keys" >> ~/.bashrc

$ export GUACAMOLE_HOME=/config/guacamole

$ echo "export GUACAMOLE_HOME=/config/guacamole" >> ~/.bashrc

5.5 Start Guacamole

$ /etc/init.d/guacd start

$ sh /config/tomcat8/bin/startup.sh

Six. Configure Nginx to integrate the components

6.1 Install Nginx

$ yum install yum-utils

$ vi /etc/yum.repos.d/nginx.repo

[nginx-stable]

name=nginx stable repo

baseurl=http://nginx.org/packages/centos/$releasever/$basearch/

gpgcheck=1

enabled=1

gpgkey=https://nginx.org/keys/nginx_signing.key

$ yum makecache fast

$ yum install -y nginx

$ rm -rf /etc/nginx/conf.d/default.conf

$ systemctl enable nginx

6.2 Prepare the configuration file: edit /etc/nginx/conf.d/jumpserver.conf

$ vi /etc/nginx/conf.d/jumpserver.conf

server {
    listen 80; # proxy port; from now on access goes through this port, not through port 8080
    # server_name demo.jumpserver.org; # change to your domain name, or leave it commented out

    client_max_body_size 100m; # size limit for recordings and file uploads

    location /luna/ {
        try_files $uri / /index.html;
        alias /opt/luna/; # luna path. If you changed the installation directory, change it here.
    }

    location /media/ {
        add_header Content-Encoding gzip;
        root /opt/jumpserver/data/; # recordings location. If you changed the installation directory, change it here.
    }

    location /static/ {
        root /opt/jumpserver/data/; # static resources. If you changed the installation directory, change it here.
    }

    location /socket.io/ {
        proxy_pass http://localhost:5000/socket.io/; # if coco is installed on another server, fill in its ip
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    location /coco/ {
        proxy_pass http://localhost:5000/coco/; # if coco is installed on another server, fill in its ip
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    location /guacamole/ {
        proxy_pass http://localhost:8081/; # if guacamole is installed on another server, fill in its ip
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    location / {
        proxy_pass http://localhost:8080; # if jumpserver is installed on another server, fill in its ip
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

6.3 Run Nginx

$ nginx -t # make sure the configuration has no problems. If there are any, resolve them first.

# CentOS 7

$ systemctl start nginx

$ systemctl enable nginx

6.4 Start using Jumpserver

Check that the applications are running normally.

After all the services are started, visit http://192.168.244.144. Access it through the nginx proxy port, and do not use port 8080.

Default account: admin password: admin

In Jumpserver, go to Session Management - Terminal Management and check that Coco, Guacamole and the other applications have registered.

Test connection

If the login client is macOS or Linux, the login syntax is as follows

$ ssh -p2222 admin@192.168.244.144

$ sftp -P2222 admin@192.168.244.144

Password: admin

If the login client is Windows, the Xshell Terminal login syntax is as follows

$ ssh admin@192.168.244.144 2222

$ sftp admin@192.168.244.144 2222

Password: admin

If you can log in, the deployment is successful.

# by default, sftp uploads go to the /tmp directory of the asset

# Windows drag-and-drop uploads go to the G directory on the Guacamole RDP of the asset

If you encounter any problems, please refer to the FAQ.
