JumpServer Server-Side Manual Deployment and Configuration Guide
Environment preparation and system tuning
Before deploying, make sure the host's security policy does not block the services. This guide runs with SELinux disabled (getenforce must report Disabled) and firewalld stopped. Note that stopping firewalld only lasts until the next reboot; on a real bastion host prefer to keep it running and open just the ports used below (80 for Nginx, 2222 for Koko SSH), leaving 5000, 8070, 8080 and 8081 reachable only from the host itself and from the Docker bridge network that the Koko and Guacamole containers use:
[root@sdp-dev ~]# getenforce
Disabled
[root@sdp-dev ~]# systemctl stop firewalld.service
Set a UTF-8 locale so that Chinese text in log output does not trigger encoding errors:
[root@sdp-dev ~]# localedef -c -f UTF-8 -i zh_CN zh_CN.UTF-8
[root@sdp-dev ~]# export LC_ALL=zh_CN.UTF-8
[root@sdp-dev ~]# echo 'LANG="zh_CN.UTF-8"' > /etc/locale.conf
Install the build toolchain and development packages:
[root@sdp-dev ~]# yum -y install wget sqlite-devel xz gcc automake zlib-devel openssl-devel epel-release git
Python environment
Build and install Python 3.6.1 from source so that the project's dependencies resolve (the JumpServer release used in this guide targets Python 3.6). Be aware that the 3.6 line is end of life and no longer receives security fixes, which is one more reason to keep this host reachable only through the bastion ports:
[root@sdp-dev ~]# wget https://www.python.org/ftp/python/3.6.1/Python-3.6.1.tar.xz
[root@sdp-dev ~]# tar xf Python-3.6.1.tar.xz && cd Python-3.6.1
[root@sdp-dev Python-3.6.1]# ./configure && make && make install
Create a dedicated virtualenv under /opt and install autoenv, which activates it automatically when you cd into the project directory. GitHub no longer serves the unauthenticated git:// protocol, so autoenv is cloned over https. Keep in mind that autoenv sources a .env file from any directory you enter, so on a shared host treat .env files as executable code and keep them owned by root:
[root@sdp-dev Python-3.6.1]# cd /opt
[root@sdp-dev opt]# python3 -m venv py3
[root@sdp-dev opt]# source /opt/py3/bin/activate
(py3) [root@sdp-dev opt]# git clone https://github.com/kennethreitz/autoenv.git
(py3) [root@sdp-dev opt]# echo 'source /opt/autoenv/activate.sh' >> ~/.bashrc
(py3) [root@sdp-dev opt]# source ~/.bashrc
Fetching the JumpServer source
Clone the official repository. Checking out master pulls the development branch; on a production host check out the release tag that matches the Koko, Guacamole and Luna versions used later in this guide (1.5.5), otherwise the components may fail to register because of a version mismatch:
(py3) [root@sdp-dev opt]# git clone https://github.com/jumpserver/jumpserver.git && cd jumpserver && git checkout master
Installing Python dependencies
Write the autoenv hook for the project directory, then install the system packages and Python modules the project lists. The -i option points pip at a PyPI mirror (useful from mainland China); omit it to install from the default index:
(py3) [root@sdp-dev jumpserver]# echo "source /opt/py3/bin/activate" > /opt/jumpserver/.env
(py3) [root@sdp-dev jumpserver]# cd requirements/
(py3) [root@sdp-dev requirements]# yum -y install $(cat rpm_requirements.txt)
(py3) [root@sdp-dev requirements]# pip install --upgrade pip
(py3) [root@sdp-dev requirements]# pip install -r requirements.txt -i https://pypi.tuna.tsinghua.edu.cn/simple
Database and cache services
Install and start Redis. The packaged default listens without a password; check that the bind line in /etc/redis.conf is 127.0.0.1, set requirepass, and put the same value into REDIS_PASSWORD in config.yml later, so that a process on the host cannot read or poison the session cache:
(py3) [root@sdp-dev requirements]# yum -y install redis
(py3) [root@sdp-dev requirements]# systemctl enable redis
(py3) [root@sdp-dev requirements]# systemctl start redis
Install MariaDB, then create the database and a dedicated account. Run mysql_secure_installation first to set a root password and drop the anonymous and remote-root accounts, and replace the placeholder password jumpserverpwd with a generated one. The grant is scoped to 127.0.0.1, so the core must connect over TCP with DB_HOST set to 127.0.0.1 (not localhost, which MariaDB treats as a separate host entry):
(py3) [root@sdp-dev requirements]# yum -y install mariadb mariadb-devel mariadb-server
(py3) [root@sdp-dev requirements]# systemctl enable mariadb
(py3) [root@sdp-dev requirements]# systemctl start mariadb
(py3) [root@sdp-dev requirements]# mysql
MariaDB [(none)]> CREATE DATABASE jumpserver DEFAULT CHARSET 'utf8';
MariaDB [(none)]> GRANT ALL ON jumpserver.* TO 'jumpserveradmin'@'127.0.0.1' IDENTIFIED BY 'jumpserverpwd';
MariaDB [(none)]> FLUSH PRIVILEGES;
MariaDB [(none)]> \q
JumpServer core configuration
Create config.yml from the shipped config_example.yml (a fresh clone contains only the example), generate the secrets and write them in. The secrets are drawn as plain alphanumerics rather than base64: base64 output can contain '/', which is the sed delimiter used below and would make the substitution fail, and alphanumerics need no YAML quoting. Appending them to ~/.bashrc, as done here, leaves the secrets in root's shell rc file; the only reason is to reuse BOOTSTRAP_TOKEN for the containers later, and it can equally be read back from config.yml. After the edits, restrict config.yml to its owner (chmod 600) and also set the DB_* and REDIS_* keys to the database and Redis created above; the sed lines below leave them commented out, in which case the core falls back to its default SQLite database and the MariaDB database is never used:
(py3) [root@sdp-dev jumpserver]# SECRET_KEY=$(cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 50)
(py3) [root@sdp-dev jumpserver]# BOOTSTRAP_TOKEN=$(cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 16)
(py3) [root@sdp-dev jumpserver]# echo "SECRET_KEY=$SECRET_KEY" >> ~/.bashrc
(py3) [root@sdp-dev jumpserver]# echo "BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN" >> ~/.bashrc
(py3) [root@sdp-dev jumpserver]# sed -i "s/SECRET_KEY:/SECRET_KEY: $SECRET_KEY/g" /opt/jumpserver/config.yml
(py3) [root@sdp-dev jumpserver]# sed -i "s/BOOTSTRAP_TOKEN:/BOOTSTRAP_TOKEN: $BOOTSTRAP_TOKEN/g" /opt/jumpserver/config.yml
(py3) [root@sdp-dev jumpserver]# sed -i "s/# DEBUG: true/DEBUG: false/g" /opt/jumpserver/config.yml
(py3) [root@sdp-dev jumpserver]# sed -i "s/# LOG_LEVEL: DEBUG/LOG_LEVEL: ERROR/g" /opt/jumpserver/config.yml
(py3) [root@sdp-dev jumpserver]# sed -i "s/# SESSION_EXPIRE_AT_BROWSER_CLOSE: false/SESSION_EXPIRE_AT_BROWSER_CLOSE: true/g" /opt/jumpserver/config.yml
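The configuration step above, and the database and Redis settings from the previous section, as one added example that is not part of the JumpServer project: a shell script that copies config_example.yml to config.yml, generates sed-safe alphanumeric secrets, escapes the values so a password containing '/', '&' or '|' cannot corrupt the sed expression, fills in the MariaDB and Redis keys that the sed lines on this page leave commented out, and restricts the file to its owner. The key names are taken from the 1.5.x config_example.yml as used on this page and are an assumption about your checkout; the 24-character token length and the sample file written by write_sample_example (constructed for the demo, so the script runs without a clone) are likewise assumptions.

```shell
#!/usr/bin/env bash
# Added example (not JumpServer's own tooling): render config.yml from
# config_example.yml with generated secrets and explicit DB/Redis settings.
# Assumed keys (from the 1.5.x example file): SECRET_KEY:, BOOTSTRAP_TOKEN:,
# "# DEBUG: true", "# LOG_LEVEL: DEBUG", "# DB_*", "# REDIS_*",
# "# SESSION_EXPIRE_AT_BROWSER_CLOSE: false".
set -eu

# Alphanumeric secret of length $1: contains no '/', '+' or '=' so it is
# safe inside a sed expression and needs no YAML quoting.
gen_secret() {
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c "$1"
}

# set_key FILE KEY VALUE: set KEY to VALUE whether the line is commented
# out ("# KEY: x") or live ("KEY: x"). '|' is the sed delimiter, and
# '&', '\' and '|' in VALUE are escaped so they cannot alter the expression.
set_key() {
    local file=$1 key=$2 value=$3
    value=$(printf '%s' "$value" | sed 's/[&\\|]/\\&/g')
    sed -i -E "s|^#? *${key}:.*|${key}: ${value}|" "$file"
}

# get_key FILE KEY: print the value of "KEY: value" (used later to hand the
# bootstrap token to the Koko and Guacamole containers).
get_key() {
    awk -v k="$2" '$1 == (k ":") {print $2; exit}' "$1"
}

# render_config EXAMPLE OUT DB_PASSWORD REDIS_PASSWORD
# Passwords should be alphanumeric too; a leading YAML-special character
# such as '&' or '*' would need quoting, which this helper does not add.
render_config() {
    local example=$1 out=$2 db_pass=$3 redis_pass=$4
    cp "$example" "$out"
    chmod 600 "$out"                      # secrets: owner-readable only
    set_key "$out" SECRET_KEY "$(gen_secret 50)"
    set_key "$out" BOOTSTRAP_TOKEN "$(gen_secret 24)"
    set_key "$out" DEBUG false
    set_key "$out" LOG_LEVEL ERROR
    set_key "$out" SESSION_EXPIRE_AT_BROWSER_CLOSE true
    # The GRANT above was for 'jumpserveradmin'@'127.0.0.1', so the core
    # must connect over TCP to exactly that address.
    set_key "$out" DB_ENGINE mysql
    set_key "$out" DB_HOST 127.0.0.1
    set_key "$out" DB_PORT 3306
    set_key "$out" DB_USER jumpserveradmin
    set_key "$out" DB_PASSWORD "$db_pass"
    set_key "$out" DB_NAME jumpserver
    set_key "$out" REDIS_HOST 127.0.0.1
    set_key "$out" REDIS_PASSWORD "$redis_pass"
}

# Constructed stand-in for config_example.yml so the demo runs without a clone.
write_sample_example() {
    cat >"$1" <<'EOF'
# JumpServer sample (constructed for this example)
SECRET_KEY:
BOOTSTRAP_TOKEN:
# DEBUG: true
# LOG_LEVEL: DEBUG
# DB_ENGINE: mysql
# DB_HOST: 127.0.0.1
# DB_PORT: 3306
# DB_USER: jumpserver
# DB_PASSWORD:
# DB_NAME: jumpserver
# REDIS_HOST: 127.0.0.1
# REDIS_PASSWORD:
# SESSION_EXPIRE_AT_BROWSER_CLOSE: false
EOF
}

if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    write_sample_example "$tmp/config_example.yml"
    render_config "$tmp/config_example.yml" "$tmp/config.yml" "$(gen_secret 32)" "$(gen_secret 32)"
    cat "$tmp/config.yml"
fi
```

On the real host the call is render_config /opt/jumpserver/config_example.yml /opt/jumpserver/config.yml "$DB_PASS" "$REDIS_PASS", with the two passwords being the ones you set in the GRANT statement and in requirepass; get_key /opt/jumpserver/config.yml BOOTSTRAP_TOKEN then yields the token for the container steps without retyping it.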
Starting the service
Start the core in the foreground first, so that configuration and database-connection errors are visible on the terminal, then stop it:
(py3) [root@sdp-dev jumpserver]# ./jms start
(py3) [root@sdp-dev jumpserver]# ./jms stop
Then start it as a daemon:
(py3) [root@sdp-dev jumpserver]# ./jms start -d
Terminal proxy component (Koko)
Deploy Koko with Docker; it accepts SSH on port 2222 and serves the web terminal backend on port 5000. CORE_HOST must be the host's address as seen from inside the container (127.0.0.1 there is the container itself), and BOOTSTRAP_TOKEN must be exactly the value written to config.yml, so it is read back from that file rather than retyped. Only Nginx on this host talks to port 5000, so it can be published as -p 127.0.0.1:5000:5000 instead of on every interface:
[root@sdp-dev ~]# Server_IP=$(hostname -I | awk '{print $1}')
[root@sdp-dev ~]# BOOTSTRAP_TOKEN=$(awk '$1 == "BOOTSTRAP_TOKEN:" {print $2}' /opt/jumpserver/config.yml)
[root@sdp-dev ~]# docker run --name jms_koko -d -p 2222:2222 -p 5000:5000 \
-e CORE_HOST=http://$Server_IP:8080 \
-e BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN \
--restart=always jumpserver/jms_koko:1.5.5
Remote desktop gateway (Guacamole)
Deploy Guacamole in a container for HTML5 RDP and VNC access. $Server_IP and $BOOTSTRAP_TOKEN are the variables set in the Koko step, so run this from the same shell; port 8081 is likewise consumed only by Nginx on localhost and can be bound to 127.0.0.1 the same way:
[root@sdp-dev ~]# docker run --name jms_guacamole -d -p 8081:8081 \
-e JUMPSERVER_SERVER=http://$Server_IP:8080 \
-e BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN \
--restart=always jumpserver/jms_guacamole:1.5.5
Web terminal front end (Luna)
Download and unpack the Luna front-end bundle; its version must match the core and Koko:
[root@sdp-dev opt]# wget https://github.com/jumpserver/luna/releases/download/1.5.5/luna.tar.gz
[root@sdp-dev opt]# tar xf luna.tar.gz
[root@sdp-dev opt]# chown -R root:root luna
Nginx reverse proxy
Configure Nginx as the single entry point for the web UI, Luna, Koko and Guacamole. The server block below listens on plain HTTP only; every credential and session of the bastion passes through this vhost, so terminate TLS here (listen 443 ssl with a certificate, and redirect port 80) before exposing it. access_log off on the / location also discards the access log of the login and admin endpoints, which is the first thing you will want during an incident; consider leaving it enabled there:
server {
    listen 80;
    server_name bastion.qf.com;
    client_max_body_size 100m;

    location /luna/ {
        alias /opt/luna/;
        try_files $uri / /index.html;
    }

    location /media/ {
        add_header Content-Encoding gzip;
        root /opt/jumpserver/data/;
    }

    location /static/ {
        root /opt/jumpserver/data/;
    }

    location /koko/ {
        proxy_pass http://localhost:5000;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    location /guacamole/ {
        proxy_pass http://localhost:8081/;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    location /ws/ {
        proxy_pass http://localhost:8070;
        proxy_http_version 1.1;
        proxy_buffering off;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    location / {
        proxy_pass http://localhost:8080;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }
}
Login and functional test
Once all services are up, open http://bastion.qf.com in a browser (the name must resolve to this host, via DNS or /etc/hosts). The default account is admin with password admin; change it at the first login, before the portal is reachable by anyone else, and confirm that Koko and Guacamole are listed as online in the admin console.
Troubleshooting
Koko shows as offline: usually a version mismatch between Koko and the core, or the container cannot reach the core. Check that the image tag matches the core version, that http://$Server_IP:8080 is reachable from inside the container, and read docker logs jms_koko for the registration attempts.
Guacamole fails to register: check that JUMPSERVER_SERVER points at the core (again the host's address, not loopback) and that BOOTSTRAP_TOKEN equals the value in config.yml. The token is only used for the first registration; a component that has already registered keeps its own access key and keeps working even after the token in config.yml is rotated.
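For the Koko and Guacamole deployment steps and the two troubleshooting cases above, an added example that is not part of JumpServer or its container images: a preflight check that compares the BOOTSTRAP_TOKEN a container was actually started with against config.yml and flags a core URL that points at loopback, plus a helper that prints the docker run command with the token read from config.yml instead of retyped. The container environment is passed in as text, as printed by docker inspect -f '{{range .Config.Env}}{{println .}}{{end}}' jms_koko, so the logic runs without Docker; the sample environments in the demo are constructed, and publishing port 5000 on 127.0.0.1 in the printed command assumes Nginx runs on the same host.

```shell
#!/usr/bin/env bash
# Added example (not JumpServer tooling): preflight checks for the "Koko
# offline" and "Guacamole registration failed" cases.
set -eu

# config_value FILE KEY: value of "KEY: value" in a JumpServer config.yml.
config_value() {
    awk -v k="$2" '$1 == (k ":") {print $2; exit}' "$1"
}

# env_value ENV_TEXT VAR: value of VAR from "VAR=value" lines, i.e. the
# output of: docker inspect -f '{{range .Config.Env}}{{println .}}{{end}}' NAME
env_value() {
    printf '%s\n' "$1" | awk -F= -v k="$2" '$1 == k {sub(/^[^=]*=/, ""); print; exit}'
}

# check_component NAME ENV_TEXT CONFIG_YML HOST_VAR
#   HOST_VAR is CORE_HOST for Koko and JUMPSERVER_SERVER for Guacamole.
# Returns 0 when the token matches config.yml and the core URL is usable
# from inside a container, 1 otherwise (with the reasons on stdout).
check_component() {
    local name=$1 env_text=$2 cfg=$3 host_var=$4 ok=0
    local want got url
    want=$(config_value "$cfg" BOOTSTRAP_TOKEN)
    got=$(env_value "$env_text" BOOTSTRAP_TOKEN)
    if [ -z "$want" ]; then
        echo "$name: BOOTSTRAP_TOKEN is empty in $cfg"; ok=1
    elif [ "$got" != "$want" ]; then
        echo "$name: BOOTSTRAP_TOKEN in the container differs from $cfg; recreate it with the config value"; ok=1
    fi
    url=$(env_value "$env_text" "$host_var")
    case "$url" in
        http://*:[0-9]*|https://*:[0-9]*) ;;   # scheme and port present
        *) echo "$name: $host_var='$url' is not of the form http://HOST:PORT"; ok=1 ;;
    esac
    case "$url" in
        *127.0.0.1*|*localhost*)
            # Inside the container, loopback is the container itself, not the core.
            echo "$name: $host_var points at loopback; use the host address (hostname -I)"; ok=1 ;;
    esac
    return $ok
}

# run_cmd CONFIG_YML SERVER_IP NAME HOST_VAR IMAGE PORT_ARGS...
# Print (do not execute) the docker run line with the token taken from
# config.yml so it cannot drift from what the core expects.
run_cmd() {
    local cfg=$1 ip=$2 name=$3 host_var=$4 image=$5
    shift 5
    local token
    token=$(config_value "$cfg" BOOTSTRAP_TOKEN)
    printf 'docker run --name %s -d %s -e %s=http://%s:8080 -e BOOTSTRAP_TOKEN=%s --restart=always %s\n' \
        "$name" "$*" "$host_var" "$ip" "$token" "$image"
}

if [ "${1:-}" = "--demo" ]; then
    cfg=$(mktemp)
    printf 'SECRET_KEY: demo\nBOOTSTRAP_TOKEN: demoToken123\n' >"$cfg"
    # Web port 5000 published on loopback only: Nginx proxies it from localhost.
    run_cmd "$cfg" 10.0.0.5 jms_koko CORE_HOST jumpserver/jms_koko:1.5.5 \
        -p 2222:2222 -p 127.0.0.1:5000:5000
    run_cmd "$cfg" 10.0.0.5 jms_guacamole JUMPSERVER_SERVER jumpserver/jms_guacamole:1.5.5 \
        -p 127.0.0.1:8081:8081
    # Constructed env of a misconfigured container: stale token, loopback core URL.
    check_component jms_koko "$(printf 'CORE_HOST=http://127.0.0.1:8080\nBOOTSTRAP_TOKEN=stale\n')" \
        "$cfg" CORE_HOST || true
    rm -f "$cfg"
fi
```

In practice feed check_component the live environment: check_component jms_koko "$(docker inspect -f '{{range .Config.Env}}{{println .}}{{end}}' jms_koko)" /opt/jumpserver/config.yml CORE_HOST, and the same with JUMPSERVER_SERVER for jms_guacamole. A non-zero exit with the "differs from config" message means the container was started with a retyped or rotated token and must be recreated; the loopback message is the classic cause of a component that logs connection failures even though the core answers on the host.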