Unverified Commit 54dd3aff authored by wojiushixiaobai's avatar wojiushixiaobai Committed by GitHub

Merge pull request #1976 from wojiushixiaobai/docs

[Update]分布式部署文档更新
parents bdbe78df 48b60895
......@@ -82,9 +82,10 @@
open_log_file_cache off;
upstream cocossh {
server 192.168.100.12:2222 max_fails=1 fail_timeout=5s;
# server ip:port max_fails=1 fail_timeout=5s;
# 这里是 coco ssh 的后端ip ,max_fails=1 fail_timeout=5s 是 HA 参数
server 192.168.100.12:2222 weight=1;
server 192.168.100.12:2223 weight=1; # 多节点
# 这里是 coco ssh 的后端ip
least_conn;
}
server {
listen 2222;
......@@ -123,42 +124,29 @@
$ vim /etc/nginx/conf.d/jumpserver.conf
upstream jumpserver {
server 192.168.100.11:80 max_fails=1 fail_timeout=10s;
# server ip:port max_fails=1 fail_timeout=10s;
# 这里是 jumpserver 的后端ip ,max_fails=1 fail_timeout=10s 是 HA 参数
server 192.168.100.11:80;
# 这里是 jumpserver 的后端ip
}
upstream cocows {
server 192.168.100.12:5000 max_fails=1 fail_timeout=10s;
# server ip:port max_fails=1 fail_timeout=10s;
# 这里是 coco ws 的后端ip ,max_fails=1 fail_timeout=10s 是 HA 参数
server 192.168.100.12:5000 weight=1;
server 192.168.100.12:5001 weight=1; # 多节点
# 这里是 coco ws 的后端ip
ip_hash;
}
upstream guacamole {
server 192.168.100.13:8081 max_fails=1 fail_timeout=10s;
# server ip:port max_fails=1 fail_timeout=10s;
# 这里是 guacamole 的后端ip ,max_fails=1 fail_timeout=10s 是 HA 参数
server 192.168.100.13:8081 weight=1;
server 192.168.100.13:8082 weight=1; # 多节点
# 这里是 guacamole 的后端ip
ip_hash;
}
server {
listen 80;
server_name www.jumpserver.org; # 自行修改成你的域名
return https://www.jumpserver.org$request_uri;
}
server {
# 推荐使用 https 访问,如果不使用 https 请自行注释下面的选项
listen 443;
server_name www.jumpserver.org; # 自行修改成你的域名
ssl on;
ssl_certificate /etc/nginx/sslkey/1_jumpserver.org_bundle.crt; # 自行设置证书
ssl_certificate_key /etc/nginx/sslkey/2_jumpserver.org.key; # 自行设置证书
ssl_session_timeout 5m;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
client_max_body_size 100m; # 录像上传大小限制
location / {
......@@ -185,7 +173,6 @@
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
access_log off;
# proxy_next_upstream http_500 http_502 http_503 http_504 http_404;
}
location /coco/ {
......@@ -206,7 +193,6 @@
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
access_log off;
# proxy_next_upstream http_500 http_502 http_503 http_504 http_404;
}
}
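Review bot: The `ip_hash` and `least_conn` upstreams added here are fronted by the `listen 443` server block in the same hunk, whose `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` line still offers two protocol versions that are deprecated, and `ssl on;` is the pre-1.15 form of enabling TLS; readers copy this block verbatim as the production reverse proxy. Since the commit already touches this file, tighten the lines to `listen 443 ssl;` (dropping `ssl on;`) and `ssl_protocols TLSv1.2;`, adding TLSv1.3 only if the target nginx/OpenSSL supports it. The `ssl_ciphers` list mixes the named ECDHE-GCM suite with broad aliases such as `AES` and `HIGH`, so it is worth confirming the effective set with `openssl ciphers -v` before publishing. The `location /` block that ends the first hunk and the `server { listen 2222;` block of the earlier hunk continue outside the visible diff.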
......
......@@ -28,138 +28,36 @@
$ firewall-cmd --zone=public --add-port=5000/tcp --permanent
$ firewall-cmd --reload
# 安装 Python3.6.1
$ wget https://www.python.org/ftp/python/3.6.1/Python-3.6.1.tar.xz
$ tar xvf Python-3.6.1.tar.xz && cd Python-3.6.1
$ ./configure && make && make install
# 安装 docker
$ sudo yum install -y yum-utils device-mapper-persistent-data lvm2
$ yum-config-manager --add-repo http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
$ yum makecache fast
$ yum -y install docker-ce
$ systemctl start docker
# 通过 docker 部署
$ docker run --name jms_coco -d \
-p 2222:2222 \
-p 5000:5000 \
-e CORE_HOST=http://192.168.100.11 \
wojiushixiaobai/coco:1.4.3
# 配置 py3 虚拟环境
$ python3 -m venv /opt/py3
$ source /opt/py3/bin/activate
# 配置 autoenv
$ git clone https://github.com/kennethreitz/autoenv.git
$ echo 'source /opt/autoenv/activate.sh' >> ~/.bashrc
$ source ~/.bashrc
# 下载 coco
$ git clone https://github.com/jumpserver/coco.git
$ echo "source /opt/py3/bin/activate" > /opt/coco/.env
$ cd /opt/coco && git checkout master && git pull
# 首次进入 coco 文件夹会有提示,按 y 即可
# Are you sure you want to allow this? (y/N) y
# 安装依赖 RPM 包
$ yum -y install $(cat /opt/coco/requirements/rpm_requirements.txt)
# 安装 Python 库依赖
$ pip install --upgrade pip && pip install -r /opt/coco/requirements/requirements.txt
# # 修改 Coco 配置文件
$ cd /opt/coco
$ cp conf_example.py conf.py
$ vi conf.py
# 访问 http://192.168.100.100/terminal/terminal/ 接受 coco 注册
# 注意对齐,不要直接复制本文档的内容
**注意: 配置文件是 Python 格式,不要用 TAB,而要用空格**
多节点部署
~~~~~~~~~~~~~~~~~~
::
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
#
import os
BASE_DIR = os.path.dirname(__file__)
class Config:
"""
Coco config file, coco also load config from server update setting below
"""
# 项目名称, 会用来向Jumpserver注册, 识别而已, 不能重复
# NAME = "localhost"
NAME = "coco"
# Jumpserver项目的url, api请求注册会使用, 如果Jumpserver没有运行在127.0.0.1:8080,请修改此处
# CORE_HOST = os.environ.get("CORE_HOST") or 'http://127.0.0.1:8080'
CORE_HOST = 'http://192.168.100.100'
# 启动时绑定的ip, 默认 0.0.0.0
# BIND_HOST = '0.0.0.0'
# 监听的SSH端口号, 默认2222
# SSHD_PORT = 2222
# 监听的HTTP/WS端口号,默认5000
# HTTPD_PORT = 5000
# 项目使用的ACCESS KEY, 默认会注册,并保存到 ACCESS_KEY_STORE中,
# 如果有需求, 可以写到配置文件中, 格式 access_key_id:access_key_secret
# ACCESS_KEY = None
# ACCESS KEY 保存的地址, 默认注册后会保存到该文件中
# ACCESS_KEY_STORE = os.path.join(BASE_DIR, 'keys', '.access_key')
# 加密密钥
# SECRET_KEY = None
# 设置日志级别 ['DEBUG', 'INFO', 'WARN', 'ERROR', 'FATAL', 'CRITICAL']
# LOG_LEVEL = 'INFO'
LOG_LEVEL = 'WARN'
# 日志存放的目录
# LOG_DIR = os.path.join(BASE_DIR, 'logs')
# Session录像存放目录
# SESSION_DIR = os.path.join(BASE_DIR, 'sessions')
# 资产显示排序方式, ['ip', 'hostname']
# ASSET_LIST_SORT_BY = 'ip'
# 登录是否支持密码认证
# PASSWORD_AUTH = True
# 登录是否支持秘钥认证
# PUBLIC_KEY_AUTH = True
# SSH白名单
# ALLOW_SSH_USER = 'all' # ['test', 'test2']
# SSH黑名单, 如果用户同时在白名单和黑名单,黑名单优先生效
# BLOCK_SSH_USER = []
# 和Jumpserver 保持心跳时间间隔
# HEARTBEAT_INTERVAL = 5
# Admin的名字,出问题会提示给用户
# ADMINS = ''
COMMAND_STORAGE = {
"TYPE": "server"
}
REPLAY_STORAGE = {
"TYPE": "server"
}
# SSH连接超时时间 (default 15 seconds)
# SSH_TIMEOUT = 15
# 语言 = en
LANGUAGE_CODE = 'zh'
config = Config()
::
$ firewall-cmd --zone=public --add-port=2223/tcp --permanent
$ firewall-cmd --zone=public --add-port=5001/tcp --permanent
$ firewall-cmd --reload
# 运行 coco
$ cd /opt/coco
$ mkdir keys logs
$ ./cocod start # 后台运行使用 -d 参数./cocod start -d
# 新版本更新了运行脚本,使用方式./cocod start|stop|status 后台运行请添加 -d 参数
$ docker run --name jms_coco1 -d \
-p 2223:2222 \
-p 5001:5000 \
-e CORE_HOST=http://192.168.100.11 \
wojiushixiaobai/coco:1.4.3
# 访问 http://192.168.100.100/terminal/terminal/ 接受 coco 注册
# 多节点部署请参考此文档,部署方式一样,不需要做任何修改
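Review bot: The new docker install steps fetch the Docker CE repo definition over plain HTTP (`yum-config-manager --add-repo http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo`), so the repo file that decides where packages and GPG keys come from is itself unauthenticated in transit; the same line is repeated in the guacamole section of this commit. Change it to `yum-config-manager --add-repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo` in both places. The `docker run` commands also pull `wojiushixiaobai/coco:1.4.3`, a personal Docker Hub image selected by a mutable tag; for a deployment guide it would help to state where the image is built from and, ideally, pin it by digest (`wojiushixiaobai/coco:1.4.3@sha256:<image digest>`, digest to be filled in by the author). The `CORE_HOST=http://192.168.100.11` value here differs from the `http://192.168.100.100` address used in the registration comment at the end of this section; presumably only one is intended, so confirm before merging.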
......@@ -29,51 +29,34 @@
$ firewall-cmd --zone=public --add-port=8081/tcp --permanent
$ firewall-cmd --reload
$ yum -y localinstall --nogpgcheck https://download1.rpmfusion.org/free/el/rpmfusion-free-release-7.noarch.rpm https://download1.rpmfusion.org/nonfree/el/rpmfusion-nonfree-release-7.noarch.rpm
$ rpm --import http://li.nux.ro/download/nux/RPM-GPG-KEY-nux.ro
$ rpm -Uvh http://li.nux.ro/download/nux/dextop/el7/x86_64/nux-dextop-release-0-5.el7.nux.noarch.rpm
$ yum install -y git gcc java-1.8.0-openjdk libtool
$ yum install -y cairo-devel libjpeg-turbo-devel libpng-devel uuid-devel
$ yum install -y ffmpeg-devel freerdp-devel pango-devel libssh2-devel libtelnet-devel libvncserver-devel pulseaudio-libs-devel openssl-devel libvorbis-devel libwebp-devel
$ cd /opt
$ git clone https://github.com/jumpserver/docker-guacamole.git
$ cd /opt/docker-guacamole/
$ tar -xf guacamole-server-0.9.14.tar.gz
$ cd guacamole-server-0.9.14
$ autoreconf -fi
$ ./configure --with-init-dir=/etc/init.d
$ make && make install
$ cd ..
$ rm -rf guacamole-server-0.9.14.tar.gz guacamole-server-0.9.14
$ ldconfig
$ mkdir -p /config/guacamole /config/guacamole/lib /config/guacamole/extensions # 创建 guacamole 目录
$ cp /opt/docker-guacamole/guacamole-auth-jumpserver-0.9.14.jar /config/guacamole/extensions/guacamole-auth-jumpserver-0.9.14.jar
$ cp /opt/docker-guacamole/root/app/guacamole/guacamole.properties /config/guacamole/ # guacamole 配置文件
$ cd /config
$ wget http://mirror.bit.edu.cn/apache/tomcat/tomcat-8/v8.5.34/bin/apache-tomcat-8.5.34.tar.gz
$ tar xf apache-tomcat-8.5.34.tar.gz
$ rm -rf apache-tomcat-8.5.34.tar.gz
$ mv apache-tomcat-8.5.34 tomcat8
$ rm -rf /config/tomcat8/webapps/*
$ cp /opt/docker-guacamole/guacamole-0.9.14.war /config/tomcat8/webapps/ROOT.war # guacamole client
$ sed -i 's/Connector port="8080"/Connector port="8081"/g' `grep 'Connector port="8080"' -rl /config/tomcat8/conf/server.xml` # 修改默认端口为 8081
$ sed -i 's/FINE/WARNING/g' `grep 'FINE' -rl /config/tomcat8/conf/logging.properties` # 修改 log 等级为 WARNING
$ export JUMPSERVER_SERVER=http://192.168.100.100 # 192.168.100.100 指 jumpserver 访问地址
$ echo "export JUMPSERVER_SERVER=192.168.100.100" >> ~/.bashrc
$ export JUMPSERVER_KEY_DIR=/config/guacamole/keys
$ echo "export JUMPSERVER_KEY_DIR=/config/guacamole/keys" >> ~/.bashrc
$ export GUACAMOLE_HOME=/config/guacamole
$ echo "export GUACAMOLE_HOME=/config/guacamole" >> ~/.bashrc
$ /etc/init.d/guacd start
$ sh /config/tomcat8/bin/startup.sh
# 安装 docker
$ sudo yum install -y yum-utils device-mapper-persistent-data lvm2
$ yum-config-manager --add-repo http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
$ yum makecache fast
$ yum -y install docker-ce
$ systemctl start docker
# 通过 docker 部署
$ docker run --name jms_guacamole -d \
-p 8081:8080
-e JUMPSERVER_KEY_DIR=/config/guacamole/key \
-e JUMPSERVER_SERVER=http://192.168.100.11 \
wojiushixiaobai/guacamole:1.4.3
# 访问 http://192.168.100.100/terminal/terminal/ 接受 guacamole 注册
# 多节点部署请参考此文档,部署方式一样,不需要做任何修改
多节点部署
~~~~~~~~~~~~~~~~~~
::
$ firewall-cmd --zone=public --add-port=8082/tcp --permanent
$ firewall-cmd --reload
$ docker run --name jms_guacamole1 -d \
-p 8082:8080
-e JUMPSERVER_KEY_DIR=/config/guacamole/key \
-e JUMPSERVER_SERVER=http://192.168.100.11 \
wojiushixiaobai/guacamole:1.4.3
# 访问 http://192.168.100.100/terminal/terminal/ 接受 guacamole 注册
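Review bot: Both new `docker run` commands in this section break on the port line: `-p 8081:8080` (and `-p 8082:8080` in the multi-node block) has no trailing backslash, so the shell ends the command there and the following `-e` lines and the image name run as separate commands, leaving `docker run` with no image. Change the lines to `-p 8081:8080 \` and `-p 8082:8080 \`. The commands also set `JUMPSERVER_KEY_DIR=/config/guacamole/key`, while the manual steps this commit removes used `/config/guacamole/keys`; I cannot tell from the diff which path the image expects, so it is worth confirming against the image's entrypoint. The HTTP repo-fetch point raised on the coco section applies to the `yum-config-manager --add-repo` line here as well.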
......@@ -8,6 +8,7 @@ FAQ
TELNET 使用说明 <faq_telnet.rst>
Docker 使用说明 <faq_docker.rst>
安装过程 常见问题 <faq_install.rst>
Firewalld 使用说明 <faq_firewalld.rst>
RDP 协议资产连接说明 <faq_rdp.rst>
SSH 协议资产连接说明 <faq_ssh.rst>
添加组织 及 组织管理员说明 <faq_org.rst>
......
Firewalld 使用说明
------------------------------
1. 打开 firewalld
::
$ systemctl start firewalld
2. 端口允许被某固定 IP 访问
::
$ firewall-cmd --permanent --add-rich-rule="rule family="ipv4" source address="允许访问的IP" port protocol="tcp" port="端口" accept"
$ firewall-cmd --reload # 重载规则, 才能生效
$ firewall-cmd --list-all # 查看使用中的规则
# 举例
# 允许 192.168.100.166 访问 6379 端口
$ firewall-cmd --permanent --add-rich-rule="rule family="ipv4" source address="192.168.100.166" port protocol="tcp" port="6379" accept"
# 允许 172.16.10.166 访问 3306 端口
$ firewall-cmd --permanent --add-rich-rule="rule family="ipv4" source address="172.16.10.166" port protocol="tcp" port="3306" accept"
# 允许 10.10.10.166 访问 8080 端口
$ firewall-cmd --permanent --add-rich-rule="rule family="ipv4" source address="10.10.10.166" port protocol="tcp" port="8080" accept"
$ firewall-cmd --reload # 重载规则, 才能生效
# 删除规则( add 改成 remove )
$ firewall-cmd --permanent --remove-rich-rule="rule family="ipv4" source address="192.168.100.166" port protocol="tcp" port="6379" accept"
$ firewall-cmd --permanent --remove-rich-rule="rule family="ipv4" source address="172.16.10.166" port protocol="tcp" port="3306" accept"
$ firewall-cmd --permanent --remove-rich-rule="rule family="ipv4" source address="10.10.10.166" port protocol="tcp" port="8080" accept"
$ firewall-cmd --reload # 重载规则, 才能生效
3. 端口允许所有 IP 访问
::
$ firewall-cmd --zone=public --add-port=端口/tcp --permanent
$ firewall-cmd --reload # 重载规则, 才能生效
$ firewall-cmd --list-all # 查看使用中的规则
# 举例
# 允许访问 2222 端口
$ firewall-cmd --zone=public --add-port=2222/tcp --permanent
# 允许访问 8080 端口
$ firewall-cmd --zone=public --add-port=8080/tcp --permanent
# 删除规则( add 改成 remove )
$ firewall-cmd --zone=public --remove-port=2222/tcp --permanent
$ firewall-cmd --zone=public --remove-port=8080/tcp --permanent
$ firewall-cmd --reload # 重载规则, 才能生效
......@@ -493,6 +493,33 @@ Guacamole 需要 Tomcat 来运行
$ yum -y install nginx
$ vim /etc/nginx/nginx.conf
... 原内容
include /etc/nginx/conf.d/*.conf;
# 注释掉整个server {}
# server {
# listen 80 default_server;
# listen [::]:80 default_server;
# server_name _;
# root /usr/share/nginx/html;
# Load configuration files for the default server block.
# include /etc/nginx/default.d/*.conf;
# location / {
# }
# error_page 404 /404.html;
# location = /40x.html {
# }
# error_page 500 502 503 504 /50x.html;
# location = /50x.html {
# }
# }
... 原内容
**6.2 准备配置文件 修改 /etc/nginx/conf.d/jumpserver.conf**
......