
Core Deployment

1 Core component description

1.1 Environment Requirement

Name      Core      Python
Version   v3.10.5   3.9

1.2 Download Source Code

  • You can obtain the latest release of the code from the GitHub website. The source downloaded from the project website is a .tar.gz archive, which you can fetch and extract from the command line:
cd /opt
mkdir /opt/jumpserver-v3.10.5
wget -O /opt/jumpserver-v3.10.5.tar.gz https://github.com/jumpserver/jumpserver/archive/refs/tags/v3.10.5.tar.gz
tar -xf jumpserver-v3.10.5.tar.gz -C /opt/jumpserver-v3.10.5 --strip-components 1
cd jumpserver-v3.10.5
rm -f apps/common/utils/ip/geoip/GeoLite2-City.mmdb apps/common/utils/ip/ipip/ipipfree.ipdb
wget https://download.jumpserver.org/files/ip/GeoLite2-City.mmdb -O apps/common/utils/ip/geoip/GeoLite2-City.mmdb
wget https://download.jumpserver.org/files/ip/ipipfree.ipdb -O apps/common/utils/ip/ipip/ipipfree.ipdb

ls -l requirements/
requirements/           # Dependencies required for the corresponding operating system
├── apk_pkg.sh          # Alpine
├── deb_pkg.sh          # The released version based on Debian (e.g: Ubuntu)
├── issues.txt          # Some issues and solutions related to macOS
├── mac_pkg.sh          # macOS
├── requirements.txt    # python
└── rpm_pkg.sh          # The released version based on RedHat(e.g: CentOS)

apt-get install -y pkg-config libxmlsec1-dev libpq-dev libffi-dev libxml2 libxslt-dev libldap2-dev libsasl2-dev sshpass mariadb-client bash-completion g++ make

If MySQL is already installed, replace the MariaDB development package with the MySQL one, or do not deploy the database and Core together.

apt-get install -y libmariadb-dev

1.3 Install Python3

  • You can follow the deployment instructions for Python 3 on the Python website. Install the version listed under Environment Requirement, then check that it is installed from the command line:

apt-get install -y python3.9 python3.9-dev python3.9-venv
python3.9
Python 3.9.5 (default, Nov 23 2021, 15:27:38)
[GCC 9.3.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>>

1.4 Install Python Dependency

  • Create an independent virtual environment for JumpServer.
python3.9 -m venv /opt/py3
source /opt/py3/bin/activate
  • Each time you run the project, you need to execute this command first: source /opt/py3/bin/activate
poetry install
  • Update the configuration file

cp config_example.yml config.yml
vi config.yml
# SECURITY WARNING: keep the secret key used in production secret!
# In a production environment, please change the encryption key to a random string and do not disclose it. You can generate one using a command.
# $ cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 48;echo
SECRET_KEY: ****************  # Mandatory field, recommended length is over 50 characters.

# SECURITY WARNING: keep the bootstrap token used in production secret!
# The pre-shared token that koko and lion use to register their service accounts. The original registration acceptance mechanism is no longer in use.
# $ cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 24;echo
BOOTSTRAP_TOKEN: ***********  # Mandatory field, recommended length is over 20 characters.

# Enable this in development to display the full traceback when an error occurs; disable it in production.
# DEBUG mode: enabling DEBUG lets you view more detailed logs when errors occur.
DEBUG: true                   # It's recommended to enable DEBUG in development and disable it in the production environment.

# Can be set to DEBUG, INFO, WARNING, ERROR or CRITICAL. See https://docs.djangoproject.com/en/1.10/topics/logging/
# Log Level
LOG_LEVEL: DEBUG              # It's recommended to enable DEBUG in development and disable it in the production environment.
# LOG_DIR:

# Session expiration setting, default 24 hours; can also be set to expire on browser close
# The default session expiration time in the browser is 24 hours, but you can also set it to expire when the browser is closed.
# SESSION_COOKIE_AGE: 86400
SESSION_EXPIRE_AT_BROWSER_CLOSE: true  # The session will be expired as soon as browser closed

# Database setting, Support sqlite3, mysql, postgres ....
# Database configuration
# See https://docs.djangoproject.com/en/1.10/ref/settings/#databases

# SQLite setting:
# Using a single-file SQLite database.
# DB_ENGINE: sqlite3
# DB_NAME:
# MySQL or postgres setting like:
# Using a Mysql database
DB_ENGINE: mysql
DB_HOST: 127.0.0.1       # Modify it according to your local configuration
DB_PORT: 3306
DB_USER: jumpserver
DB_PASSWORD: ********
DB_NAME: jumpserver

# When Django starts it will bind this host and port
# ./manage.py runserver 127.0.0.1:8080
# Bound address and ports; the service will listen on 0.0.0.0:8080 and 0.0.0.0:8070
HTTP_BIND_HOST: 0.0.0.0
HTTP_LISTEN_PORT: 8080
WS_LISTEN_PORT: 8070

# Use Redis as broker for celery and web socket
# Redis configuration
REDIS_HOST: 127.0.0.1    # Modify it according to your local Redis configuration
REDIS_PORT: 6379
REDIS_PASSWORD: ********
# REDIS_DB_CELERY: 3
# REDIS_DB_CACHE: 4

# Use OpenID Authorization
# Authentication with OpenID 
# AUTH_OPENID: False # True or False
# BASE_SITE_URL: None
# AUTH_OPENID_CLIENT_ID: client-id
# AUTH_OPENID_CLIENT_SECRET: client-secret
# AUTH_OPENID_PROVIDER_ENDPOINT: https://op-example.com/
# AUTH_OPENID_PROVIDER_AUTHORIZATION_ENDPOINT: https://op-example.com/authorize
# AUTH_OPENID_PROVIDER_TOKEN_ENDPOINT: https://op-example.com/token
# AUTH_OPENID_PROVIDER_JWKS_ENDPOINT: https://op-example.com/jwks
# AUTH_OPENID_PROVIDER_USERINFO_ENDPOINT: https://op-example.com/userinfo
# AUTH_OPENID_PROVIDER_END_SESSION_ENDPOINT: https://op-example.com/logout
# AUTH_OPENID_PROVIDER_SIGNATURE_ALG: HS256
# AUTH_OPENID_PROVIDER_SIGNATURE_KEY: None
# AUTH_OPENID_SCOPES: "openid profile email"
# AUTH_OPENID_ID_TOKEN_MAX_AGE: 60
# AUTH_OPENID_ID_TOKEN_INCLUDE_CLAIMS: True
# AUTH_OPENID_USE_STATE: True
# AUTH_OPENID_USE_NONCE: True
# AUTH_OPENID_SHARE_SESSION: True
# AUTH_OPENID_IGNORE_SSL_VERIFICATION: True
# AUTH_OPENID_ALWAYS_UPDATE_USER: True

# Use Radius authorization
# Authentication with Radius
# AUTH_RADIUS: false
# RADIUS_SERVER: localhost
# RADIUS_PORT: 1812
# RADIUS_SECRET:

# CAS Configuration
# AUTH_CAS: False
# CAS_SERVER_URL: "http://host/cas/"
# CAS_ROOT_PROXIED_AS: 'http://jumpserver-host:port'
# CAS_LOGOUT_COMPLETELY: True
# CAS_VERSION: 3

# LDAP/AD settings
# The number of search results per page of LDAP
# AUTH_LDAP_SEARCH_PAGED_SIZE: 1000
#
# Scheduled user synchronization
# Enable / Disable
# AUTH_LDAP_SYNC_IS_PERIODIC: True
# Sync interval (unit: hour) (Priority)
# AUTH_LDAP_SYNC_INTERVAL: 12 
# Crontab Expression
# AUTH_LDAP_SYNC_CRONTAB: * 6 * * *
#
# LDAP user login is restricted to users listed in the user list for LDAP Server authentication
# AUTH_LDAP_USER_LOGIN_ONLY_IN_USERS: False
#
# If the following message appears in the LDAP authentication logs, set the parameter to 0 (for details see https://www.python-ldap.org/en/latest/faq.html)
# In order to perform this operation a successful bind must be completed on the connection
# AUTH_LDAP_OPTIONS_OPT_REFERRALS: -1

# OTP settings
# OTP/MFA Configuration
# OTP_VALID_WINDOW: 0
# OTP_ISSUER_NAME: Jumpserver

# Perm show single asset to ungrouped node
# Should unauthorized node assets be placed into the "Unassigned" node?
# PERM_SINGLE_ASSET_TO_UNGROUP_NODE: False
#
# Allow only one device to be logged in per account
# USER_LOGIN_SINGLE_MACHINE_ENABLED: False
#
# Enable scheduled tasks
# PERIOD_TASK_ENABLE: True
#
# Enable two-factor authentication configuration
# LOGIN_CONFIRM_ENABLE: False
#
# Enable automatic login skipping manual password input for Windows
# WINDOWS_SKIP_ALL_MANUAL_PASSWORD: False

  • Internationalization settings
rm -f apps/locale/zh/LC_MESSAGES/django.mo apps/locale/zh/LC_MESSAGES/djangojs.mo
python apps/manage.py compilemessages
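
A pre-start check for the config.yml edited above, added here as an example (it is not part of the JumpServer project). The function names parse_flat_yaml and audit are hypothetical, the sample values are constructed, and the minimum lengths are an assumption taken from the lengths the generation commands in the config comments produce.

```python
import re

# Constructed sample using keys from the config.yml above; every value is made up.
SAMPLE = """\
SECRET_KEY: changeme
BOOTSTRAP_TOKEN: Zk3pQ9xT7mLw2RbV8nYc4HdS   # 24 characters
DEBUG: true
LOG_LEVEL: DEBUG
HTTP_BIND_HOST: 0.0.0.0
DB_PASSWORD: ********
REDIS_PASSWORD: "constructed-redis-pass"
# AUTH_OPENID_IGNORE_SSL_VERIFICATION: True
"""

# Assumed minimums: what the "head -c 48" / "head -c 24" commands in the comments generate.
MIN_LEN = {"SECRET_KEY": 48, "BOOTSTRAP_TOKEN": 24, "DB_PASSWORD": 1, "REDIS_PASSWORD": 1}
RISKY = {  # key -> (value that should not reach production, why)
    "DEBUG": ("true", "full error traces are displayed"),
    "LOG_LEVEL": ("debug", "verbose logging in production"),
    "HTTP_BIND_HOST": ("0.0.0.0", "listens on all interfaces; restrict access to 8080/8070"),
    "AUTH_OPENID_IGNORE_SSL_VERIFICATION": ("true", "TLS verification to the OpenID provider is off"),
}

def parse_flat_yaml(text):
    """Read the flat 'KEY: value' lines config.yml uses; commented-out lines are ignored."""
    cfg = {}
    for line in text.splitlines():
        m = re.match(r"([A-Z][A-Z0-9_]*):\s*(.*)$", line)
        if m:  # drop a trailing inline comment, then surrounding quotes
            cfg[m.group(1)] = re.sub(r"\s+#.*$", "", m.group(2)).strip().strip("'\"")
    return cfg

def audit(cfg):
    """Return (key, problem) pairs that should be fixed before a production start."""
    findings = []
    for key, min_len in MIN_LEN.items():
        value = cfg.get(key, "")
        if re.fullmatch(r"\**", value):
            findings.append((key, "empty or still the masked placeholder"))
        elif len(value) < min_len:
            findings.append((key, f"shorter than {min_len} characters"))
    for key, (bad, why) in RISKY.items():
        if cfg.get(key, "").lower() == bad:
            findings.append((key, why))
    return findings

if __name__ == "__main__":
    for key, problem in audit(parse_flat_yaml(SAMPLE)):
        print(f"[!] {key}: {problem}")
```

To check the real file, pass its contents to parse_flat_yaml and run audit on the result before ./jms start.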

1.5 Start Core

  • Add '-d' to run it in the background: ./jms start -d
./jms start