
How to deploy JumpServer in CentOS 7.7?

2025-04-04 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/03 Report--

This article explains how to deploy JumpServer on CentOS 7.7. It has some reference value, so readers who need it can follow the editor's walkthrough below.

System: CentOS 7; IP: 172.16.75.1; Directory: /opt; Database: mariadb; Proxy: nginx

1. Start installation

Firewall and SELinux settings. If you have already turned off the firewall and SELinux, skip this step.

systemctl stop firewalld
setenforce 0
sed -i "s/SELINUX=enforcing/SELINUX=disabled/g" /etc/selinux/config
yum update -y
# install dependency packages
yum -y install wget gcc epel-release git

Install Redis. JumpServer uses Redis as its cache and as the celery broker.

yum -y install redis
systemctl enable redis
systemctl start redis

Install MySQL 5.7

wget -nc http://dev.mysql.com/get/mysql57-community-release-el7-8.noarch.rpm
rpm -ivh mysql57-community-release-el7-8.noarch.rpm
yum -y install mysql-community-server mysql-community-devel
systemctl enable mysqld

# adjust the MySQL configuration
[root@192 conf.d]# cat /etc/my.cnf
[mysqld]
character_set_server = utf8mb4
collation_server = utf8mb4_unicode_ci
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
user=mysql
max_connections=3000
# Disabling symbolic-links is recommended to prevent assorted security risks
symbolic-links=0
#log-bin=mysql-bin
skip-name-resolve
key_buffer_size = 32M
# default 2G, about 70% of memory
innodb_buffer_pool_size = 2048M
#innodb_log_file_size = 512M
# innodb_log_file_size can be adjusted according to memory size. It matters under high write loads, especially with large datasets: the higher the value, the higher the performance, but be aware that recovery time also grows. I often set it to 64-512MB depending on the size of the server.
# innodb_log_buffer_size: size of the buffer used for log data. When it is almost full, InnoDB has to flush the data to disk.
innodb_log_buffer_size = 8M
# innodb_flush_log_at_trx_commit: is InnoDB 1000 times slower than MyISAM with a much bigger footprint? Maybe you forgot to change this parameter. The default value 1 flushes every committed transaction (or every statement outside a transaction) to disk, which is quite resource-intensive, especially without a battery-backed cache. Many applications, especially those migrated from MyISAM, can set it to 2: logs are then flushed only to the operating system cache, and to disk once per second, so you usually lose at most 1-2 seconds of updates. 0 is faster still but less safe: transactions are lost whenever the MySQL server crashes. With 2, only the part still sitting in the operating system cache is lost.
innodb_flush_log_at_trx_commit = 2
# sort_buffer_size: buffer available to a query when sorting. Note: the memory for this parameter is allocated per connection! With 100 connections the total sort buffer actually allocated is 100 x 6 = 600MB, so 6-8M is recommended
sort_buffer_size = 6M
# size of the MySQL query cache
query_cache_size = 64M
# maximum size of internal (in-memory) temporary tables
tmp_table_size = 128M

[mysqld_safe]
log-error=/var/log/mysqld.log
pid-file=/var/run/mysqld/mysqld.pid

Start MySQL

systemctl start mysqld
# create the jumpserver database and grant privileges
# (a fresh MySQL 5.7 community install records a temporary root password in /var/log/mysqld.log; the mysql command below assumes root can already log in)
DB_PASSWORD=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 24`   # generate a random database password
echo -e "\033[31m your database password is $DB_PASSWORD\033[0m"
mysql -uroot -e "create database jumpserver default charset 'utf8'; grant all on jumpserver.* to 'jumpserver'@'127.0.0.1' identified by '$DB_PASSWORD'; flush privileges;"

# install Nginx from epel; it is used as the proxy server that integrates JumpServer's components
yum -y install nginx
systemctl enable nginx

# install Python 3.6
yum -y install python3 python3-devel

# configure and load the Python 3 virtual environment
cd /opt
python3.6 -m venv py3   # py3 is the virtual environment name and can be customized
source /opt/py3/bin/activate   # leave the virtual environment with the deactivate command
# the prompt below shows the environment loaded successfully. To run JumpServer you must run the source command above first; after loading the environment all of the following commands run inside the virtual environment by default
(py3) [root@localhost py3]#

# download JumpServer
cd /opt/
git clone --depth=1 https://github.com/jumpserver/jumpserver.git
# install the RPM package dependencies
yum -y install $(cat /opt/jumpserver/requirements/rpm_requirements.txt)
# install the Python library dependencies
pip install wheel
pip install --upgrade pip setuptools
sed -i s/MarkupSafe==1.0/MarkupSafe==1.1.0/g /opt/jumpserver/requirements/requirements.txt
pip install -r /opt/jumpserver/requirements/requirements.txt

Open a new Xshell session (a second shell)

# modify the JumpServer configuration file
cd /opt/jumpserver
cp config_example.yml config.yml
SECRET_KEY=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 50`   # generate a random SECRET_KEY
echo "SECRET_KEY=$SECRET_KEY" >> ~/.bashrc
BOOTSTRAP_TOKEN=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 16`   # generate a random BOOTSTRAP_TOKEN
echo "BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN" >> ~/.bashrc
sed -i "s/SECRET_KEY:/SECRET_KEY: $SECRET_KEY/g" /opt/jumpserver/config.yml
sed -i "s/BOOTSTRAP_TOKEN:/BOOTSTRAP_TOKEN: $BOOTSTRAP_TOKEN/g" /opt/jumpserver/config.yml
sed -i "s/# DEBUG: true/DEBUG: false/g" /opt/jumpserver/config.yml
sed -i "s/# LOG_LEVEL: DEBUG/LOG_LEVEL: ERROR/g" /opt/jumpserver/config.yml
sed -i "s/# SESSION_EXPIRE_AT_BROWSER_CLOSE: false/SESSION_EXPIRE_AT_BROWSER_CLOSE: true/g" /opt/jumpserver/config.yml
# DB_PASSWORD was generated in the first shell; it must be set in this shell too, otherwise the line below substitutes an empty value
sed -i "s/DB_PASSWORD: /DB_PASSWORD: $DB_PASSWORD/g" /opt/jumpserver/config.yml
echo -e "\033[31m your SECRET_KEY is $SECRET_KEY\033[0m"
echo -e "\033[31m your BOOTSTRAP_TOKEN is $BOOTSTRAP_TOKEN\033[0m"
vi config.yml   # confirm that the content is correct

Configuration file example

# SECURITY WARNING: keep the secret key used in production secretly
# Encryption key: change it to a random string in production and do not leak it. PS: it cannot be purely numeric
SECRET_KEY:

# SECURITY WARNING: keep the bootstrap token used in production secretly
# Pre-shared token used by koko and guacamole to register their service accounts; the original registration acceptance mechanism is no longer used
BOOTSTRAP_TOKEN:

# Development env open this, when error occur display the full process track, Production disable it
# DEBUG mode: with DEBUG enabled you can see more DEBUG information when you encounter errors
# DEBUG: false

# DEBUG, INFO, WARNING, ERROR, CRITICAL can set. See https://docs.djangoproject.com/en/1.10/topics/logging/
# log level
LOG_LEVEL: ERROR
# LOG_DIR:

# Session expiration setting, Default 24 hour, Also set expired on on browser close
# browser session expiration time (24 hours by default); you can also make the session expire when the browser is closed
# SESSION_COOKIE_AGE: 86400
SESSION_EXPIRE_AT_BROWSER_CLOSE: true

# Database setting, Support sqlite3, mysql, postgres ....
# database settings
# See https://docs.djangoproject.com/en/1.10/ref/settings/#databases

# SQLite setting:
# use a single-file sqlite database
# DB_ENGINE: sqlite3
# DB_NAME:

# MySQL or postgres setting like:
# use MySQL as the database
DB_ENGINE: mysql
DB_HOST: 127.0.0.1
DB_PORT: 3306
DB_USER: jumpserver
DB_PASSWORD:
DB_NAME: jumpserver

# When Django start it will bind this host and port
# ./manage.py runserver 127.0.0.1:8080
# run-time bind address and port
HTTP_BIND_HOST: 0.0.0.0
HTTP_LISTEN_PORT: 8080

# Use Redis as broker for celery and web socket
# Redis configuration
REDIS_HOST: 127.0.0.1
REDIS_PORT: 6379
# REDIS_PASSWORD:
# REDIS_DB_CELERY:

# Use OpenID authorization
# OpenID authentication settings
# BASE_SITE_URL: http://localhost:8080
# AUTH_OPENID: false  # True or False
# AUTH_OPENID_SERVER_URL: https://openid-auth-server.com/
# AUTH_OPENID_REALM_NAME: realm-name
# AUTH_OPENID_CLIENT_ID: client-id
# AUTH_OPENID_CLIENT_SECRET: client-secret

# OTP settings
# OTP/MFA configuration
# OTP_VALID_WINDOW:
# OTP_ISSUER_NAME: Jumpserver
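As an added example (not part of the original article), a small POSIX shell check to run on config.yml after the sed edits above and before starting jms: it confirms that SECRET_KEY, BOOTSTRAP_TOKEN and DB_PASSWORD were actually substituted (an unset $DB_PASSWORD in the second shell leaves that key blank), that SECRET_KEY is not purely numeric as the config comment requires, and that DEBUG is not left enabled. The key names are the ones in config.yml; the function names and the sample file are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the original article: sanity-check a JumpServer
# config.yml (flat "KEY: value" layout as in config_example.yml) before starting jms.
# yml_get and check_jms_config are this example's own names.

# Print the value of a top-level key; empty if the key is unset or commented out.
yml_get() {  # $1 = file, $2 = key
    sed -n "s/^$2:[[:space:]]*//p" "$1" | head -n 1
}

# Return 0 when every check passes, 1 otherwise; each failure is reported on stderr.
check_jms_config() {  # $1 = path to config.yml
    f=$1; rc=0
    secret=$(yml_get "$f" SECRET_KEY)
    token=$(yml_get "$f" BOOTSTRAP_TOKEN)
    dbpass=$(yml_get "$f" DB_PASSWORD)
    # SECRET_KEY must be present and, as the config comment says, not a pure number
    [ -n "$secret" ] || { echo "SECRET_KEY is empty" >&2; rc=1; }
    case $secret in
        ''|*[!0-9]*) ;;   # empty (already reported) or contains a non-digit: fine
        *) echo "SECRET_KEY must not be purely numeric" >&2; rc=1 ;;
    esac
    # BOOTSTRAP_TOKEN: koko and guacamole cannot register without it
    [ -n "$token" ] || { echo "BOOTSTRAP_TOKEN is empty" >&2; rc=1; }
    # DB_PASSWORD is left blank when $DB_PASSWORD was not set in the shell that ran sed
    [ -n "$dbpass" ] || { echo "DB_PASSWORD is empty" >&2; rc=1; }
    # DEBUG must stay disabled in production
    [ "$(yml_get "$f" DEBUG)" != "true" ] || { echo "DEBUG: true must be disabled" >&2; rc=1; }
    return $rc
}

# Demo on a constructed config (sample values, not a real deployment file)
demo=$(mktemp)
printf 'SECRET_KEY: Qx7mK2pL9vR4tY1nB6cD3fG8hJ5s\nBOOTSTRAP_TOKEN: aZ3kL9pQ2wE7rT5y\nDB_PASSWORD: constructedPass1\n# DEBUG: true\nLOG_LEVEL: ERROR\n' > "$demo"
check_jms_config "$demo" && echo "config.yml passes checks"
rm -f "$demo"
```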

Start the jms program and enable start on boot (run in the first shell)

(py3) [root@localhost py3]# cd /opt/jumpserver
./jms start -d   # run in the background
# the new version updates the run script: ./jms start -d runs in the background via the -d parameter
# Usage: ./jms start|stop|status all   (for background operation add the -d parameter)
wget -O /usr/lib/systemd/system/jms.service https://demo.jumpserver.org/download/shell/centos/jms.service
chmod 755 /usr/lib/systemd/system/jms.service
systemctl enable jms   # configure start on boot

Install Docker and deploy koko and guacamole

yum install -y yum-utils device-mapper-persistent-data lvm2
yum-config-manager --add-repo http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
yum makecache fast
rpm --import https://mirrors.aliyun.com/docker-ce/linux/centos/gpg
yum -y install docker-ce
systemctl enable docker
mkdir /etc/docker
wget -O /etc/docker/daemon.json http://demo.jumpserver.org/download/docker/daemon.json
systemctl restart docker

# allow the container IPs to reach host port 8080 (a container's IP can be viewed inside the container)
firewall-cmd --permanent --add-rich-rule="rule family="ipv4" source address="172.17.0.0/16" port protocol="tcp" port="8080" accept"
firewall-cmd --reload
# 172.17.0.x is the default IP pool of docker containers; out of laziness the whole segment is authorized here. You can authorize a single IP instead

# obtain the current server IP
Server_IP=`ip addr | grep 'state UP' -A2 | grep inet | egrep -v '(127.0.0.1|inet6|docker)' | awk '{print $2}' | tr -d "addr:" | head -n 1 | cut -d / -f1`
echo -e "\033[31m your server IP is $Server_IP\033[0m"
# http://$Server_IP:8080 is the service address of jumpserver, for example http://172.16.75.5:8080
# BOOTSTRAP_TOKEN is the BOOTSTRAP_TOKEN in jumpserver/config.yml
docker run --name jms_koko -d -p 2222:2222 -p 127.0.0.1:5000:5000 -e CORE_HOST=http://$Server_IP:8080 -e BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN --restart=always wojiushixiaobai/jms_koko:1.5.6
docker run --name jms_guacamole -d -p 127.0.0.1:8081:8080 -e JUMPSERVER_SERVER=http://$Server_IP:8080 -e BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN --restart=always wojiushixiaobai/jms_guacamole:1.5.6

Install Luna

# install the Web Terminal frontend: Luna. Luna needs Nginx to be reachable; download the matching release package from https://github.com/jumpserver/luna/releases and extract it directly, no compilation is needed
cd /opt
wget https://github.com/jumpserver/luna/releases/download/1.5.6/luna.tar.gz
# if the download cannot complete because of network problems, use the following address instead:
wget https://demo.jumpserver.org/download/luna/1.5.6/luna.tar.gz
tar xf luna.tar.gz
chown -R root:root luna

Configure Nginx

vi /etc/nginx/conf.d/jumpserver.conf

server {
    listen 80;
    # server_name _;
    client_max_body_size 100m;   # video and file upload size limit

    location /luna/ {
        try_files $uri / /index.html;
        alias /opt/luna/;   # luna path; if you changed the installation directory, change this too
    }

    location /media/ {
        add_header Content-Encoding gzip;
        root /opt/jumpserver/data/;   # video location; if you changed the installation directory, change this too
    }

    location /static/ {
        root /opt/jumpserver/data/;   # static resources; if you changed the installation directory, change this too
    }

    location /koko/ {
        proxy_pass http://localhost:5000;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    location /guacamole/ {
        proxy_pass http://localhost:8081/;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    location /ws/ {
        proxy_pass http://localhost:8070;
        proxy_http_version 1.1;
        proxy_buffering off;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    location / {
        proxy_pass http://localhost:8080;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }
}

Run Nginx

# run Nginx
nginx -t   # make sure there is no problem with the configuration; if there is, fix it first
systemctl start nginx
# open http://172.16.75.5 (note: port 8080 is reached through the nginx proxy)
# default account: admin   password: admin
# go to Session Management -> Terminal Management and accept the registration of applications such as koko and Guacamole

# test the connection
ssh -p2222 admin@172.16.75.5
sftp -P2222 admin@172.16.75.5
# password: admin
# under Windows, the Xshell terminal login syntax is:
ssh admin@172.16.75.5 2222
sftp admin@172.16.75.5 2222
# password: admin
# if the deployment succeeded, the default sftp upload location is the /tmp directory of the asset
# for Windows assets, files dragged onto the Guacamole RDP session land on the asset's G drive

Example

[C:\~] ssh admin@172.16.75.5 2222
Connecting to 172.16.75.5:2222...
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.
WARNING! The remote SSH server rejected X11 forwarding request.
Administrator, welcome to Jumpserver open source fortress system
    1) enter some IP, hostname, comments for search login (if unique).
    2) enter / + IP, hostname or comment to search, such as /192.168.
    3) enter p to display the hosts you have permission to.
    4) enter g to display the nodes you have permission to.
    5) enter d to display the databases you have permission to.
    6) enter r to refresh the latest machine and node information.
    7) enter h to display help.
    8) enter Q to exit.

After reading the above, have you mastered how to deploy JumpServer on CentOS 7.7? If you want to learn more skills or find out more, you are welcome to follow the industry information channel. Thank you for reading!
