作者:Teo

Nacos 搭建




Nacos 搭建


Mysql 8.0安装   yum安装

    # wget https://dev.mysql.com/get/mysql80-community-release-el7-3.noarch.rpm
    # rpm -ivh mysql80-community-release-el7-3.noarch.rpm
    # yum install mysql-server
    # systemctl restart mysqld
    # systemctl enable mysqld
    # grep "password" /var/log/mysqld.log             \\ 最后的是初始密码
    # mysql -uroot -p
        set global validate_password.policy=0;
        set global validate_password.length=1;
        alter user user() identified by "123456";
        CREATE USER 'root'@'%' IDENTIFIED BY '123456';                  \\ 给所有用户权限
        GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' WITH GRANT OPTION;     \\ 给所有用户权限


Java 1.8  jdk 安装

    # tar zxvf jdk-8u271-linux-x64.tar.gz -C /usr/local
    # ln -s /usr/local/jdk1.8.0_271 /usr/local/java
    # vim /etc/profile
        export JAVA_HOME=/usr/local/java
        export CLASSPATH=$JAVA_HOME/lib/tools.jar:$JAVA_HOME/lib/dt.jar:$JAVA_HOME/lib
        export PATH=$JAVA_HOME/bin:/usr/local/nginx/sbin:/usr/local/mysql/bin:$PATH
    # source /etc/profile
    # java -version                                                   \\ java version "1.8.0_271"


Nacos 1.2.1 单机安装

    # wget https://github.com/alibaba/nacos/releases/download/1.2.1/nacos-server-1.2.1.tar.gz
    # tar zxvf nacos-server-1.2.1.tar.gz -C /usr/local/
    # cd /usr/local/nacos/conf/
    # mysql -uroot -p
        CREATE DATABASE IF NOT EXISTS nacos default charset utf8 COLLATE utf8_bin;
        use nacos;
        source nacos-mysql.sql;
        exit
    # vim /usr/local/nacos/conf/application.properties             \\ 主 配置文件
        server.port=8848
        spring.datasource.platform=mysql
        db.url.0=jdbc:mysql://127.0.0.1:3306/nacos?serverTimezone=GMT%2B8&characterEncoding=utf8&connectTimeout=1000&socketTimeout=3000&autoReconnect=true
        db.user=root
        db.password=123456
    # mkdir -p /usr/local/nacos/plugins/mysql/
    # wget https://cdn.mysql.com//Downloads/Connector-J/mysql-connector-java-8.0.22.tar.gz
    # tar zxf mysql-connector-java-8.0.22.tar.gz         \\ 注意包 与mysql的版本一致  与mysql8连接需要 mysql5.7不需要
    # cd mysql-connector-java-8.0.22/
    # cp mysql-connector-java-8.0.22.jar /usr/local/nacos/plugins/mysql/
    # sh /usr/local/nacos/bin/startup.sh -m standalone   \\ 单台 启动
    # /usr/local/nacos/bin/shutdown.sh                    \\ 停止
    # vim /etc/rc.local
        /usr/local/nacos/bin/startup.sh -m standalone       \\ 开机启动
    # tail -f /usr/local/nacos/logs/start.out                \\ 启动日志
    # tail /usr/local/nacos/logs/nacos.log                    \\ 日志
    # ss -tnl                                                  \\ 8848被监听

    http://192.168.10.13:8848/nacos/index.html#/login            \\ 浏览器访问
        用户名: nacos
        密  码: nacos


注:  
    1. jdk下载地址    不能使用其他版本的jdk(不能使用openjdk)    k051535@kok.work    Teo@1234
        https://www.oracle.com/java/technologies/javase/javase-jdk8-downloads.html#license-lightbox
    2. 官网地址 https://nacos.io/zh-cn/docs/quick-start.html
    3. nacos下载地址 https://github.com/alibaba/nacos
    4. https://dev.mysql.com/downloads/connector/j/
        Platform independent --> mysql-connector-java-8.0.22.tar.gz --> No thanks, just start my download
    5.  查看日志文件 报错 是由于nacos与mysql8 之间缺少 mysql-connector-java-8.0.22.jar 
        at com.alibaba.nacos.config.server.service.LocalDataSourceServiceImpl.reload
        at com.alibaba.nacos.config.server.service.LocalDataSourceServiceImpl.init
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.springframework.beans.factory.annotation... ...
        at org.springframework.beans.factory.annotation... ...
        at org.springframework.beans.factory.annotation... ...






Jumpsever 部署




Jumpsever 部署
    

    # yum install git wget
    # yum install epel-release.noarch
    # yum update
    # yum makecache fast
    # yum install python36 python36-devel
    # yum install redis
    # yum install mariadb-devel mariadb-server mariadb
    # systemctl enable redis
    # systemctl enable mariadb
    # systemctl start redis mariadb                      \\ 3306    6379 被监听
    # mysql_secure_installation
    # mysql -uroot -p123456
        create database jumpserver default charset 'utf8' collate 'utf8_bin';
        grant all privileges on jumpserver.* to 'jumpserver'@'%' identified by 'teo1234';

    # python3.6 -m venv /opt/py3              \\ 创建 Python 虚拟环境
    # source /opt/py3/bin/activate             \\ 每次操作 JumpServer 都需要先载入 py3 虚拟环境
    # cd /opt                                   \\ 下载jumpeserver 安装包
    # wget https://github.com/jumpserver/jumpserver/releases/download/v2.3.1/jumpserver-v2.3.1.tar.gz
    # tar xf jumpserver-v2.3.1.tar.gz
    # mv jumpserver-v2.3.1 jumpserver
    # cd /opt/jumpserver/requirements
    # yum install -y $(cat rpm_requirements.txt)
    # pip install wheel && \
      pip install --upgrade pip setuptools && \
      pip install -r requirements.txt
    # cd /opt/jumpserver
    # cp config_example.yml config.yml
    # vi config.yml
        SECRET_KEY: ZlQfo1LmgvZEhxofwnnDpKtwKOM8WuQeJeNXG2DVkaTnYuoQBw             \\ 50 位 key
        BOOTSTRAP_TOKEN: N1s8L7d6UCiSRWd7PbcyA9HN                                   \\ 24 位 token
        DEBUG: false
        LOG_LEVEL: ERROR
        SESSION_EXPIRE_AT_BROWSER_CLOSE: true
        DB_PASSWORD: teo1234
        WINDOWS_SKIP_ALL_MANUAL_PASSWORD: true
    # cd /opt/jumpserver
    # ./jms start
    # ./jms start -d                                \\ 后台运行

    # cd /opt                                         \\ 安装koko组件  正常安装
    # wget https://github.com/jumpserver/koko/releases/download/v2.3.1/koko-v2.3.1-linux-amd64.tar.gz
    # tar -xf koko-v2.3.1-linux-amd64.tar.gz && \
        mv koko-v2.3.1-linux-amd64 koko && \
        chown -R root:root koko && \
        cd koko \
        mv kubectl /usr/local/bin/ && \
        wget https://download.jumpserver.org/public/kubectl.tar.gz && \
        tar -xf kubectl.tar.gz && \
        chmod 755 kubectl && \
        mv kubectl /usr/local/bin/rawkubectl && \
        rm -rf kubectl.tar.gz
    # cp config_example.yml config.yml
    # vi config.yml
        BOOTSTRAP_TOKEN: N1s8L7d6UCiSRWd7PbcyA9HN          \\ 24 位 token
        LOG_LEVEL: ERROR
    # ./koko                                                 \\ 启动
    # ./koko -s stop                                          \\ 停止
    # ./koko -d                                                \\ 后台运行

    # cd /opt                                                    \\ 安装guacamole组件  正常安装
    # wget -O docker-guacamole-v2.3.1.tar.gz https://github.com/jumpserver/docker-guacamole/archive/master.tar.gz
    # mkdir /opt/docker-guacamole && \
        tar -xf docker-guacamole-v2.3.1.tar.gz -C /opt/docker-guacamole --strip-components 1 && \
        rm -rf /opt/docker-guacamole-v2.3.1.tar.gz && \
        cd /opt/docker-guacamole && \
        wget http://download.jumpserver.org/public/guacamole-server-1.2.0.tar.gz && \
        tar -xf guacamole-server-1.2.0.tar.gz && \
        wget http://download.jumpserver.org/public/ssh-forward.tar.gz && \
        tar -xf ssh-forward.tar.gz -C /bin/ && \
        chmod +x /bin/ssh-forward
    # cd /opt/docker-guacamole/guacamole-server-1.2.0
    # yum install cairo-devel libjpeg-devel libpng-devel uuid-devel ffmpeg-devel  freerdp-devel pango-devel 
    # yum install libssh2-devel libtelnet-devel libvncserver-devel pulseaudio-libs-devel openssl-devel libvorbis-devel 
    # yum install libwebp-devel install freerdp-plugins
    # ./configure --with-init-dir=/etc/init.d && \                             \\ 编译安装 guacamole
        make && \
        make install

    # yum install java-1.8.0-openjdk
    # mkdir -p /config/guacamole /config/guacamole/extensions /config/guacamole/record /config/guacamole/drive && \
        chown daemon:daemon /config/guacamole/record /config/guacamole/drive && \
        cd /config
    # wget http://mirrors.tuna.tsinghua.edu.cn/apache/tomcat/tomcat-9/v9.0.38/bin/apache-tomcat-9.0.38.tar.gz
    # tar -xf apache-tomcat-9.0.38.tar.gz && \
        mv apache-tomcat-9.0.38 tomcat9 && \
        rm -rf /config/tomcat9/webapps/* && \
        sed -i 's/Connector port="8080"/Connector port="8081"/g' /config/tomcat9/conf/server.xml && \
        echo "java.util.logging.ConsoleHandler.encoding = UTF-8" >> /config/tomcat9/conf/logging.properties && \
        wget http://download.jumpserver.org/release/v2.3.1/guacamole-client-v2.3.1.tar.gz && \
        tar -xf guacamole-client-v2.3.1.tar.gz && \
        rm -rf guacamole-client-v2.3.1.tar.gz && \
        cp guacamole-client-v2.3.1/guacamole-*.war /config/tomcat9/webapps/ROOT.war && \
        cp guacamole-client-v2.3.1/guacamole-*.jar /config/guacamole/extensions/ && \
        mv /opt/docker-guacamole/guacamole.properties /config/guacamole/ && \
        rm -rf /opt/docker-guacamole
    # export JUMPSERVER_SERVER=http://127.0.0.1:8080
    # echo "export JUMPSERVER_SERVER=http://127.0.0.1:8080" >> ~/.bashrc
    # export BOOTSTRAP_TOKEN=N1s8L7d6UCiSRWd7PbcyA9HN                                   \\ 密码与上面设置的相对应
    # echo "export export BOOTSTRAP_TOKEN=N1s8L7d6UCiSRWd7PbcyA9HN" >> ~/.bashrc         \\ 密码与上面设置的相对应
    # export JUMPSERVER_KEY_DIR=/config/guacamole/data/keys
    # echo "export JUMPSERVER_KEY_DIR=/config/guacamole/data/keys" >> ~/.bashrc
    # export GUACAMOLE_HOME=/config/guacamole
    # echo "export GUACAMOLE_HOME=/config/guacamole" >> ~/.bashrc
    # export GUACAMOLE_LOG_LEVEL=ERROR
    # echo "export GUACAMOLE_LOG_LEVEL=ERROR" >> ~/.bashrc
    # export JUMPSERVER_ENABLE_DRIVE=true
    # echo "export JUMPSERVER_ENABLE_DRIVE=true" >> ~/.bashrc
    # /etc/init.d/guacd start
    # sh /config/tomcat9/bin/startup.sh
    # vim /etc/profile.d/jumpserver.sh                                                          \\ 开机启动脚本
        #!/bin/bash
        source /opt/py3/bin/activate
        /opt/jumpserver/jms start -d
        /opt/koko/koko -d
        /etc/init.d/guacd start

    # vim /etc/yum.repos.d/nginx.repo
        [nginx-stable]
        name=nginx stable repo
        baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
        gpgcheck=1
        enabled=1
        gpgkey=https://nginx.org/keys/nginx_signing.key
        module_hotfixes=true
    # yum install nginx
    # cd /opt
    # wget https://github.com/jumpserver/lina/releases/download/v2.3.1/lina-v2.3.1.tar.gz
    # tar -xf lina-v2.3.1.tar.gz
    # mv lina-v2.3.1 lina
    # chown -R nginx:nginx lina
    # cd /opt
    # wget https://github.com/jumpserver/luna/releases/download/v2.3.1/luna-v2.3.1.tar.gz
    # tar -xf luna-v2.3.1.tar.gz
    # mv luna-v2.3.1 luna
    # chown -R nginx:nginx luna
    # echo > /etc/nginx/conf.d/default.conf
    # vi /etc/nginx/conf.d/jumpserver.conf
        server {
            listen 80;

            client_max_body_size 100m;  # 录像及文件上传大小限制

            location /ui/ {
                try_files $uri / /index.html;
                alias /opt/lina/;
            }

            location /luna/ {
                try_files $uri / /index.html;
                alias /opt/luna/;  # luna 路径, 如果修改安装目录, 此处需要修改
            }

            location /media/ {
                add_header Content-Encoding gzip;
                root /opt/jumpserver/data/;  # 录像位置, 如果修改安装目录, 此处需要修改
            }

            location /static/ {
                root /opt/jumpserver/data/;  # 静态资源, 如果修改安装目录, 此处需要修改
            }

            location /koko/ {
                proxy_pass       http://localhost:5000;
                proxy_buffering off;
                proxy_http_version 1.1;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection "upgrade";
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header Host $host;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                access_log off;
            }

            location /guacamole/ {
                proxy_pass       http://localhost:8081/;
                proxy_buffering off;
                proxy_http_version 1.1;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection $http_connection;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header Host $host;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                access_log off;
            }

            location /ws/ {
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header Host $host;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_pass http://localhost:8070;
                proxy_http_version 1.1;
                proxy_buffering off;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection "upgrade";
            }

            location /api/ {
                proxy_pass http://localhost:8080;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header Host $host;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            }

            location /core/ {
                proxy_pass http://localhost:8080;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header Host $host;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            }

            location / {
                rewrite ^/(.*)$ /ui/$1 last;
            }
        }
    # nginx -t
    # systemctl start nginx
    # systemctl enable nginx
    http://192.168.10.10                                \\ 登陆jumpserver 用户名 admin 密码 admin


    使用秘钥
        # cd ~/.ssh
        # ssh-keygen -t rsa                                       \\ 会生成 公钥id_rsa.pub    私钥id_rsa(重要)  
        # touch authorized_keys                                    \\ 可以把  公钥 拷贝到 需要登录的服务器上 执行
        # chmod 600 /root/.ssh/authorized_keys                      \\ 必须为600权限           
        # cat /root/.ssh/id_rsa.pub >> /root/.ssh/authorized_keys   

        # ssh -i /root/.ssh/id_rsa root@192.168.10.11                 \\ 可以远程到有公钥的服务器上 


    使用jumpserver

        1 用户管理 --> 用 户 组 --> 创建               \\ 用于用户权限分类
        2 用户管理 --> 用户列表 --> 创建                \\ 用于 登陆jumpserver 可以开启多因子认证MFA
        3 资产管理 --> 管理用户 --> 创建                 \\ 仅仅用于 测试服务器是否 可用 输入服务器账号密码或者秘钥
        4 资产管理 --> 资产列表 --> default --> 创建节点  \\ 用于 资产分类
        5 资产管理 --> 资产列表 --> 创建资产               \\ 主机
        6 资产管理 --> 系统用户 --> 创建                    \\ 用于登陆 主机 输入服务器账号密码或者秘钥
        7 授权管理 --> 资产授权 --> 创建                     \\ 把 系统用户 授权给 主机 及 哪些 用户或组可以访问
        8 会话中心 --> web终端                               \\ 可以连接


        MFA: 多因子认证 在 创建用户 或者 更新用户 时可以指定 启用多因子认证
            如果是管理员忘记了 MFA, 可以通过控制台重置
                # source /opt/py3/bin/activate
                # cd /opt/jumpserver/apps
                # python manage.py shell

                    from users.models import User
                    u = User.objects.get(username='admin')
                    u.mfa_level='0'
                    u.otp_secret_key=''
                    u.save()

    注:
        官方文档 https://jumpserver.readthedocs.io/zh/master/install/step_by_step/
        安装视频 https://www.bilibili.com/video/BV1VV411C797

        防火墙放行
            # firewall-cmd --zone=public --add-port=80/tcp --permanent
            # setsebool -P httpd_can_network_connect 1
            # firewall-cmd --reload
        
        部署系统为 CentOS 7.8