I. Installing and deploying bind9
First make sure the firewall is stopped on every host (a lab shortcut; in production leave firewalld on and open only 53/tcp and 53/udp on the DNS host), and check the SELinux mode:
systemctl status firewalld   ## stop and disable it if it is still running
getenforce                    ## the rest of this write-up assumes SELinux is not Enforcing
1. Install the epel-release repo and the tools every host needs
yum install epel-release
or use:
curl -o /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo
yum install wget net-tools telnet tree nmap sysstat lrzsz dos2unix bind-utils -y
The screenshot of the successful install is not reproduced here. Note that /etc/yum.repos.d must contain a base repo like the one below for the install to succeed (gpgcheck=1 stays on, so packages are signature-checked even when they come from a mirror):
[root@hdss7-22 yum.repos.d]# cat CentOS7-Base-163.repo
# CentOS-Base.repo
#
# The mirror system uses the connecting IP address of the client and the
# update status of each mirror to pick mirrors that are updated to and
# geographically close to the client. You should use this for CentOS updates
# unless you are manually picking other mirrors.
#
# If the mirrorlist= does not work for you, as a fall back you can try the
# remarked out baseurl= line instead.
#
#
[base]
name=CentOS-$releasever - Base - 163.com
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os
baseurl=http://mirrors.163.com/centos/$releasever/os/$basearch/
gpgcheck=1
gpgkey=http://mirrors.163.com/centos/RPM-GPG-KEY-CentOS-7
#released updates
[updates]
name=CentOS-$releasever - Updates - 163.com
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=updates
baseurl=http://mirrors.163.com/centos/$releasever/updates/$basearch/
gpgcheck=1
gpgkey=http://mirrors.163.com/centos/RPM-GPG-KEY-CentOS-7
#additional packages that may be useful
[extras]
name=CentOS-$releasever - Extras - 163.com
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=extras
baseurl=http://mirrors.163.com/centos/$releasever/extras/$basearch/
gpgcheck=1
gpgkey=http://mirrors.163.com/centos/RPM-GPG-KEY-CentOS-7
#additional packages that extend functionality of existing packages
[centosplus]
name=CentOS-$releasever - Plus - 163.com
baseurl=http://mirrors.163.com/centos/$releasever/centosplus/$basearch/
gpgcheck=1
enabled=0
gpgkey=http://mirrors.163.com/centos/RPM-GPG-KEY-CentOS-7
2. Install bind9 (the DNS server)
It is needed because ingress will later do layer-7 traffic routing by hostname, so every host and service must have a resolvable name.
Only hdss7-11 needs it.
[root@hdss7-11 ~]# yum -y install bind
[root@hdss7-11 ~]# rpm -qa bind
bind-9.11.4-26.P2.el7_9.5.x86_64
Then edit the configuration file:
[root@hdss7-11 ~]# vim /etc/named.conf
options {
        listen-on port 53 { 10.4.7.11; };    ## listen on this host's LAN address; delete the IPv6 listen-on-v6 line
        directory          "/var/named";
        dump-file          "/var/named/data/cache_dump.db";
        statistics-file    "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file     "/var/named/data/named.recursing";
        secroots-file      "/var/named/data/named.secroots";
        allow-query { any; };                ## every machine on the lab LAN may query; together with recursion yes this is an open resolver if 10.4.7.11 is ever reachable from outside, so restrict it to the LAN with an acl anywhere but a lab
        forwarders { 10.4.7.2; };            ## new line: forward what we are not authoritative for to the upstream DNS
        .........
        recursion yes;                       ## resolve recursively on behalf of clients
        dnssec-enable no;                    ## disabled to save resources in the lab
        dnssec-validation no;                ## disabled (answers from upstream are not validated)
Check the configuration:
[root@hdss7-11 ~]# named-checkconf
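The options block above works for the lab, but allow-query { any; } together with recursion yes turns 10.4.7.11 into an open resolver the moment it is reachable from anywhere else. The script below is an added example, not code from the original page: it renders a hardened version of the same options block (ACL-restricted queries and recursion, no zone transfers, version hidden) using the page's addresses, and checks the result, running named-checkconf only where BIND is installed. The output path is a parameter; the ACL name "internal" is an assumption.

```shell
#!/bin/sh
# Added example, not code from the original page: render a hardened "options"
# block for /etc/named.conf and check it. It keeps the page's lab values (named on
# 10.4.7.11, LAN 10.4.7.0/24, upstream resolver 10.4.7.2) but replaces
# allow-query { any; } with an ACL, so the server is not an open resolver if
# 10.4.7.11 is ever reachable from outside the LAN.

LISTEN_IP="${LISTEN_IP:-10.4.7.11}"
LAN_CIDR="${LAN_CIDR:-10.4.7.0/24}"
FORWARDER="${FORWARDER:-10.4.7.2}"

# render_named_options OUTFILE -> writes acl + options to OUTFILE, prints the path
render_named_options() {
    out="$1"
    cat > "$out" <<EOF
acl "internal" { 127.0.0.1; ${LAN_CIDR}; };

options {
        listen-on port 53 { 127.0.0.1; ${LISTEN_IP}; };
        directory          "/var/named";
        dump-file          "/var/named/data/cache_dump.db";
        statistics-file    "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file     "/var/named/data/named.recursing";
        secroots-file      "/var/named/data/named.secroots";

        allow-query { internal; };       /* page had { any; }: only the LAN and localhost may ask */
        allow-recursion { internal; };   /* only they may use us as a recursive resolver */
        allow-transfer { none; };        /* no zone transfers of host.com / od.com */
        recursion yes;
        forwarders { ${FORWARDER}; };
        forward only;                    /* never walk the root servers ourselves */
        version "not disclosed";         /* do not advertise the BIND version */

        dnssec-validation no;            /* as on the page; dnssec-enable is obsolete since BIND 9.16 and omitted */
};
EOF
    printf '%s\n' "$out"
}

# check_named_options FILE -> 0 when every hardening directive is present and the
# open-resolver setting is gone; also runs named-checkconf when BIND is installed
check_named_options() {
    f="$1"
    for needle in 'allow-query { internal; };' 'allow-recursion { internal; };' \
                  'allow-transfer { none; };' 'version "not disclosed";'; do
        if ! grep -qF "$needle" "$f"; then
            printf 'missing: %s\n' "$needle" >&2; return 1
        fi
    done
    if grep -qF 'allow-query { any; }' "$f"; then
        printf 'open resolver: allow-query { any; } still present\n' >&2; return 1
    fi
    if command -v named-checkconf >/dev/null 2>&1; then
        named-checkconf "$f" || return 1
    fi
    return 0
}

# Usage: sh harden-named.sh /tmp/named-options.conf
# then merge the result into /etc/named.conf and run named-checkconf && rndc reload
if [ -n "${1:-}" ]; then
    render_named_options "$1" >/dev/null && check_named_options "$1" && echo "ok: $1"
fi
```

Merge the rendered block into /etc/named.conf by hand rather than overwriting the file, since the zone declarations and the include of named.rfc1912.zones must stay.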
2. Add the zone declarations
~]# vim /etc/named.rfc1912.zones
Append the following at the end of the file:
zone "host.com" IN {
        type master;
        file "host.com.zone";
        allow-update { 10.4.7.11; };    ## a source-IP ACL only, and nothing in this write-up uses dynamic updates; { none; } is the safer value, or a TSIG key if nsupdate is ever needed
};
zone "od.com" IN {
        type master;
        file "od.com.zone";
        allow-update { 10.4.7.11; };    ## same remark as above
};
3. Create the host-domain zone file
~]# vim /var/named/host.com.zone
[root@hdss7-11 ~]# cat /var/named/host.com.zone
$ORIGIN host.com.
$TTL 600 ; 10 minutes
@       IN SOA dns.host.com. dnsadmin.host.com. (
                2021082401 ; serial
                10800      ; refresh (3 hours)
                900        ; retry (15 minutes)
                604800     ; expire (1 week)
                86400      ; minimum (1 day)
                )
        NS   dns.host.com.       ; indented on purpose: the owner name is inherited from @ above
$TTL 60 ; 1 minute
dns         A 10.4.7.11
HDSS7-11    A 10.4.7.11         ; DNS names are case-insensitive, hdss7-11.host.com resolves too
HDSS7-12    A 10.4.7.12
HDSS7-21    A 10.4.7.21
HDSS7-22    A 10.4.7.22
HDSS7-200   A 10.4.7.200
4. Create the business-domain zone file, then start and check named
[root@hdss7-11 ~]# vim /var/named/od.com.zone
[root@hdss7-11 ~]# cat /var/named/od.com.zone
$ORIGIN od.com.
$TTL 600 ; 10 minutes
@       IN SOA dns.od.com. dnsadmin.od.com. (
                2021052301 ; serial
                10800      ; refresh (3 hours)
                900        ; retry (15 minutes)
                604800     ; expire (1 week)
                86400      ; minimum (1 day)
                )
        NS   dns.od.com.         ; indented: owner inherited from @
$TTL 60 ; 1 minute
dns      A 10.4.7.11
5. Start DNS and test it
[root@hdss7-11 ~]# named-checkconf
[root@hdss7-11 ~]# systemctl start named
[root@hdss7-11 ~]# systemctl enable named
Created symlink from /etc/systemd/system/multi-user.target.wants/named.service to /usr/lib/systemd/system/named.service.
[root@hdss7-11 ~]# netstat -luntp |grep 53
tcp 0 0 10.4.7.11:53 0.0.0.0:* LISTEN 85876/named
tcp 0 0 192.168.122.1:53 0.0.0.0:* LISTEN 10295/dnsmasq
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 85876/named
tcp6 0 0 ::1:953 :::* LISTEN 85876/named
udp 0 0 0.0.0.0:5353 0.0.0.0:* 8695/avahi-daemon:
udp 0 0 10.4.7.11:53 0.0.0.0:* 85876/named
udp 0 0 192.168.122.1:53 0.0.0.0:* 10295/dnsmasq
[root@hdss7-11 ~]# dig -t A hdss7-21.host.com @10.4.7.11 +short
10.4.7.21
6. Point the other four servers at the new DNS
First add the search domain so that short hostnames (hdss7-21 instead of hdss7-21.host.com) resolve.
[root@hdss7-11 ~]# vim /etc/resolv.conf    ## on all four hosts; NetworkManager regenerates this file from the ifcfg settings below, so the lasting place for the search domain is DOMAIN=host.com in ifcfg-ens33
# Generated by NetworkManager
search host.com ## add the search domain; short names are normally used for the host domain and rarely for the business domain
nameserver 10.4.7.2
Then point DNS in the interface configuration at the DNS server you just built:
[root@hdss7-11 ~]# cat /etc/sysconfig/network-scripts/ifcfg-ens33
TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=static
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=ens33
UUID=34ebe056-30b4-4122-879e-a1646679d92f
DEVICE=ens33
ONBOOT=yes
IPADDR=10.4.7.11
NETMASK=255.255.255.0
GATEWAY=10.4.7.2
DNS1=10.4.7.11
After restarting network this host can ping baidu (the name now resolves through 10.4.7.11, which forwards to 10.4.7.2); hosts that have not been changed cannot, so change all of them.
[root@hdss7-11 ~]# systemctl restart network
[root@hdss7-11 ~]# ping www.baidu.com
PING www.a.shifen.com (36.152.44.96) 56(84) bytes of data.
64 bytes from 36.152.44.96 (36.152.44.96): icmp_seq=1 ttl=128 time=13.9 ms
Note: the other four hosts must be changed in the same way.
After the change every host's resolv.conf shows nameserver 10.4.7.11, e.g.:
[root@hdss7-11 ~]# cat /etc/resolv.conf
# Generated by NetworkManager
search host.com
nameserver 10.4.7.11
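Repeating the ifcfg edit by hand on every host is where mistakes creep in (a second DNS1 line, a forgotten host). The script below is an added example, not code from the original page: it sets DNS1 and DOMAIN in an ifcfg file idempotently, verifies the resolv.conf that NetworkManager generates from it, and checks that a short name resolves through the search domain. The file paths, server IP and domain are parameters; the values in the usage line are the page's.

```shell
#!/bin/sh
# Added example, not code from the original page: apply the page's resolver
# settings to an ifcfg file idempotently and verify the resolv.conf that
# NetworkManager generates from it, for the four hosts that must use the new
# DNS. DNS1/DOMAIN go into ifcfg-ens33 because NetworkManager rewrites
# /etc/resolv.conf from them on every network restart; a hand edit of
# resolv.conf alone does not survive.

# set_ifcfg_key FILE KEY VALUE -> replaces an existing KEY=... line or appends one
set_ifcfg_key() {
    f="$1"; key="$2"; val="$3"
    if grep -q "^${key}=" "$f"; then
        sed "s|^${key}=.*|${key}=${val}|" "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    else
        printf '%s=%s\n' "$key" "$val" >> "$f"
    fi
}

# point_host_at_dns IFCFG DNS_IP SEARCH_DOMAIN -> sets DNS1 and DOMAIN
point_host_at_dns() {
    set_ifcfg_key "$1" DNS1 "$2"
    set_ifcfg_key "$1" DOMAIN "$3"
}

# check_resolv RESOLV_CONF DNS_IP SEARCH_DOMAIN -> 0 when the generated file has
# exactly that nameserver and the domain in its search list
check_resolv() {
    grep -q "^nameserver ${2}\$" "$1" \
        && grep -Eq "^search( +[^ ]+)* +${3}( +[^ ]+)*\$" "$1"
}

# short_name_resolves NAME -> 0 when the short name resolves via the search
# domain (dig comes from bind-utils, installed on every host in Part I step 1)
short_name_resolves() {
    command -v dig >/dev/null 2>&1 || { echo "dig not installed" >&2; return 2; }
    [ -n "$(dig +short +search "$1")" ]
}

# Usage on each of hdss7-12, hdss7-21, hdss7-22, hdss7-200 (and hdss7-11 itself):
#   sh dns-client.sh /etc/sysconfig/network-scripts/ifcfg-ens33 10.4.7.11 host.com
#   systemctl restart network
#   check_resolv /etc/resolv.conf 10.4.7.11 host.com && short_name_resolves hdss7-21
if [ -n "${3:-}" ]; then
    point_host_at_dns "$1" "$2" "$3" && grep -E '^(DNS1|DOMAIN)=' "$1"
fi
```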
Then change the settings on the Windows workstation: add 10.4.7.11 as the preferred DNS server.
If domain names still do not resolve there, set the automatic metric of the adapter that sits on the lab network to 10 so it is preferred; if resolution already works, leave it alone.
II. Preparing the certificate-signing environment
host.com is the host domain and od.com the business domain (dns.od.com is the business-domain name server). The host domain is chosen mainly to be easy to remember, and it is kept completely unrelated to the business domain because hosts break and get replaced while business names must stay stable.
1. Run the following on the ops host hdss7-200
1.1 Install CFSSL
- Certificate-signing tool: CFSSL release R1.2
- Download URLs for cfssl, cfssljson and cfssl-certinfo (if pkg.cfssl.org is unreachable, the same tools are published as release assets at https://github.com/cloudflare/cfssl/releases):
wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 -O /usr/bin/cfssl
wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 -O /usr/bin/cfssl-json
wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64 -O /usr/bin/cfssl-certinfo
Run them on the host:
[root@hdss7-200 ~]# wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 -O /usr/bin/cfssl
[root@hdss7-200 ~]# wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 -O /usr/bin/cfssl-json
[root@hdss7-200 ~]# wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64 -O /usr/bin/cfssl-certinfo
After downloading, check that the files are really there.
Note: always check, because wget can leave you with an empty file or an HTML error page instead of a binary.
[root@hdss7-200 ~]# ls -l /usr/bin/cfssl*
The sizes (boxed in red in the screenshot, not reproduced here) must be non-zero; a 0-byte file means the download failed, so download again. wget also does not set the execute bit, so the three files need chmod +x before they can be run.
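A non-zero size is a weak check: a captive portal or a 404 page also has a size. The script below is an added example, not code from the original page: it verifies that each downloaded tool is a real ELF binary, optionally compares it against a SHA-256 digest you obtained from a source you trust (the page publishes none, so the digest is an operator-supplied parameter), and sets the execute bit that wget does not set. The directory defaults to /usr/bin as on the page.

```shell
#!/bin/sh
# Added example, not code from the original page: sanity-check the cfssl binaries
# after wget. A failed download leaves a 0-byte or HTML file in /usr/bin, and wget
# does not set the execute bit, so "ls -l" alone is not enough. Expected digests
# are NOT on the page: pass the one for the release you actually downloaded as the
# second argument, or leave it empty to skip the comparison.

# sha256_of FILE -> prints the hex digest
sha256_of() {
    sha256sum "$1" | awk '{ print $1 }'
}

# verify_binary FILE [EXPECTED_SHA256] -> 0 only if FILE is a non-empty ELF
# executable (and matches the expected digest when one is given); makes it 0755
verify_binary() {
    f="$1"; want="${2:-}"
    [ -s "$f" ] || { echo "FAIL $f: missing or empty (re-download)" >&2; return 1; }
    magic=$(od -An -tx1 -N4 "$f" | tr -d ' \n')          # first four bytes
    [ "$magic" = "7f454c46" ] || { echo "FAIL $f: not an ELF binary (got $magic; an HTML error page?)" >&2; return 1; }
    if [ -n "$want" ]; then
        have=$(sha256_of "$f")
        [ "$have" = "$want" ] || { echo "FAIL $f: sha256 $have != $want" >&2; return 1; }
    fi
    chmod 0755 "$f"
    echo "OK   $f sha256=$(sha256_of "$f")"
}

# verify_cfssl_tools [DIR] -> checks the three tools the page installs
verify_cfssl_tools() {
    dir="${1:-/usr/bin}"; rc=0
    for t in cfssl cfssl-json cfssl-certinfo; do
        verify_binary "$dir/$t" || rc=1
    done
    return $rc
}

# Usage: sh verify-cfssl.sh /usr/bin   (then "cfssl version" must print a version)
if [ -n "${1:-}" ]; then
    verify_cfssl_tools "$1" && "$1/cfssl" version
fi
```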
1.2 Create the JSON config that generates the CA certificate signing request (CSR)
[root@hdss7-200 ~]# mkdir -pv /opt/certs
mkdir: created directory ‘/opt/certs’
[root@hdss7-200 ~]# vim /opt/certs/ca-csr.json
[root@hdss7-200 ~]# cat /opt/certs/ca-csr.json
{
"CN": "OldboyEdu",
"hosts": [
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "beijing",
"L": "beijing",
"O": "od",
"OU": "ops"
}
],
"ca": {
"expiry": "175200h"
}
}
Notes on the fields
CN: Common Name. Browsers use this field to check whether a site is legitimate; for a server certificate it is normally the domain name, for this CA it is simply the CA's name. Very important.
C: Country
ST: State or province
L: Locality, i.e. the city
O: Organization Name (company)
OU: Organizational Unit Name (department)
hosts is left empty: a CA certificate needs no subject alternative names.
ca.expiry: 175200h is 20 years, the validity of the CA certificate itself.
1.3 Generate the CA certificate and private key
[root@hdss7-200 certs]# cfssl gencert -initca ca-csr.json | cfssl-json -bare ca    ## run this once only: every run creates a brand-new CA, and anything signed by the previous one stops being trusted. A ca-key.pem of 1675 or 1679 bytes is just the PEM encoding of different RSA integers; both are valid, so do not regenerate to "get 1679".
Then check. ca-key.pem is created with mode 0600; keep it that way and keep an offline copy, because whoever holds it can issue certificates the whole cluster trusts:
[root@hdss7-200 certs]# ll
total 16
-rw-r--r-- 1 root root 993 Aug 24 21:33 ca.csr
-rw-r--r-- 1 root root 328 Aug 24 21:30 ca-csr.json
-rw------- 1 root root 1679 Aug 24 21:33 ca-key.pem
-rw-r--r-- 1 root root 1346 Aug 24 21:33 ca.pem
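Before signing anything with the new CA it is worth confirming what was produced. The script below is an added example, not code from the original page: it checks that the key is not group/world readable, that ca.pem and ca-key.pem belong together, that the certificate is actually a CA, and prints its expiry. It uses openssl for the certificate checks (cfssl-certinfo -cert ca.pem shows the same information); the paths default to /opt/certs as on the page.

```shell
#!/bin/sh
# Added example, not code from the original page: audit what "cfssl gencert
# -initca" produced before anything is signed with it. Paths default to the
# page's /opt/certs/ca.pem and /opt/certs/ca-key.pem.

# key_mode_ok FILE -> 0 when group and other have no permission bits (0600/0400)
key_mode_ok() {
    bits=$(ls -ld "$1" | cut -c5-10)     # the "group" and "other" triads of ls -l
    [ "$bits" = "------" ]
}

# cert_matches_key CERT KEY -> 0 when the public key in CERT equals the one in KEY
cert_matches_key() {
    c=$(openssl x509 -noout -pubkey -in "$1") || return 1
    k=$(openssl pkey -pubout -in "$2") || return 1
    [ "$c" = "$k" ]
}

# cert_is_ca CERT -> 0 when basicConstraints says CA:TRUE
cert_is_ca() {
    openssl x509 -noout -text -in "$1" | grep -q 'CA:TRUE'
}

# cert_not_after CERT -> prints the notAfter date (20 years out for expiry 175200h)
cert_not_after() {
    openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//'
}

# audit_ca CERT KEY -> 0 only when all checks pass; one line per check
audit_ca() {
    cert="${1:-/opt/certs/ca.pem}"; key="${2:-/opt/certs/ca-key.pem}"; rc=0
    if key_mode_ok "$key"; then echo "OK   $key is not group/world readable"
    else echo "FAIL $key: chmod 0600 it"; rc=1; fi
    if cert_matches_key "$cert" "$key"; then echo "OK   $cert and $key match"
    else echo "FAIL $cert and $key do not belong together"; rc=1; fi
    if cert_is_ca "$cert"; then echo "OK   $cert is a CA certificate"
    else echo "FAIL $cert is not a CA certificate"; rc=1; fi
    echo "     expires: $(cert_not_after "$cert")"
    return $rc
}

# Usage: sh audit-ca.sh [/opt/certs/ca.pem] [/opt/certs/ca-key.pem]
if [ -e "${1:-/opt/certs/ca.pem}" ]; then
    audit_ca "${1:-/opt/certs/ca.pem}" "${2:-/opt/certs/ca-key.pem}"
fi
```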
III. Deploying Docker
Docker must be installed on hdss7-21, hdss7-22 and hdss7-200.
1. Installation
Note: if the first attempt fails, it is usually because of a local.repo file in /etc/yum.repos.d; delete it or move it elsewhere.
[root@hdss7-21 ~]# rm -f /etc/yum.repos.d/local.repo
[root@hdss7-21 yum.repos.d]# curl -fsSL https://get.docker.com | bash -s docker --mirror Aliyun    ## this pipes a remote script into a root shell; at minimum download it first and read it before running it
The output of a successful install is not reproduced here.
2. Configure Docker
First create the directories. The three hosts are configured almost identically (only bip differs per host); hdss7-200 is shown here.
[root@hdss7-200 yum.repos.d]# mkdir /etc/docker
[root@hdss7-200 yum.repos.d]# mkdir -pv /data/docker
mkdir: created directory ‘/data’
mkdir: created directory ‘/data/docker’
[root@hdss7-200 yum.repos.d]# cat /etc/docker/daemon.json
{
"graph": "/data/docker",
"storage-driver": "overlay2",
"insecure-registries": ["registry.access.redhat.com","quay.io","harbor.od.com"],
"registry-mirrors": ["https://7lkjwk2y.mirror.aliyuncs.com"],
"bip": "172.7.200.1/24",
"exec-opts": ["native.cgroupdriver=systemd"],
"live-restore": true
}
Notes: bip is 172.7.<last octet of the host IP>.1/24, i.e. 172.7.21.1/24 on hdss7-21 and 172.7.22.1/24 on hdss7-22, so every host gets its own container subnet. insecure-registries makes the daemon accept plain HTTP and unverified TLS for the hosts listed: harbor.od.com has to be there because Harbor is served over plain HTTP in Part IV, but registry.access.redhat.com and quay.io are public HTTPS registries and gain nothing from being listed, so drop them. The original file had the typo "hardor.od.com", which would make docker login harbor.od.com fail because the daemon then insists on HTTPS; it is corrected above. graph is the older name of the data-directory setting (data-root).
Then start Docker:
[root@hdss7-200 yum.repos.d]# systemctl start docker
[root@hdss7-200 yum.repos.d]# systemctl enable docker
Created symlink from /etc/systemd/system/multi-user.target.wants/docker.service to /usr/lib/systemd/system/docker.service.
Then check the version and the containers:
docker version
docker ps -a
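Since the same daemon.json is needed on three hosts and only bip changes, the file is better generated than copied and edited. The script below is an added example, not code from the original page: it derives bip from the host IP, writes the file with only the lab registry marked insecure (the page's "hardor.od.com" typo corrected and the public registries dropped), validates the JSON where python3 is available and refuses a file that marks public registries insecure. It uses data-root, the current name for the page's graph key; the mirror URL and data directory are the page's.

```shell
#!/bin/sh
# Added example, not code from the original page: render /etc/docker/daemon.json
# for hdss7-21, hdss7-22 and hdss7-200 from the host's IP, so the per-host bip
# (172.7.<last octet>.1/24) is derived instead of hand-edited, and check the
# result. Only harbor.od.com is marked insecure: an insecure entry lets the daemon
# fall back to plain HTTP and skip certificate checks for that host, which is
# needed for the HTTP-only Harbor of Part IV and for nothing else.

# bip_for HOST_IP -> 172.7.N.1/24 with N the host's last octet
bip_for() {
    printf '172.7.%s.1/24\n' "${1##*.}"
}

# render_daemon_json HOST_IP OUTFILE -> writes the file, prints its path
render_daemon_json() {
    ip="$1"; out="$2"
    cat > "$out" <<EOF
{
  "data-root": "/data/docker",
  "storage-driver": "overlay2",
  "insecure-registries": ["harbor.od.com"],
  "registry-mirrors": ["https://7lkjwk2y.mirror.aliyuncs.com"],
  "bip": "$(bip_for "$ip")",
  "exec-opts": ["native.cgroupdriver=systemd"],
  "live-restore": true
}
EOF
    printf '%s\n' "$out"
}

# insecure_registries FILE -> prints the hosts listed under insecure-registries
insecure_registries() {
    grep -o '"insecure-registries": *\[[^]]*\]' "$1" \
        | grep -o '"[^"]*"' | grep -v insecure-registries | tr -d '"' || true
}

# check_daemon_json FILE -> 0 when the JSON parses (if python3 is available) and
# nothing but the lab registry is marked insecure
check_daemon_json() {
    f="$1"
    if command -v python3 >/dev/null 2>&1; then
        python3 -c 'import json, sys; json.load(open(sys.argv[1]))' "$f" \
            || { echo "invalid JSON: $f" >&2; return 1; }
    fi
    bad=$(insecure_registries "$f" | grep -v '^harbor\.od\.com$' || true)
    if [ -n "$bad" ]; then
        echo "refusing: public registries marked insecure in $f: $bad" >&2; return 1
    fi
    return 0
}

# Usage (then: systemctl restart docker):
#   sh daemon-json.sh 10.4.7.21 /etc/docker/daemon.json
if [ -n "${2:-}" ]; then
    render_daemon_json "$1" "$2" >/dev/null && check_daemon_json "$2" && cat "$2"
fi
```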
IV. Building the private image registry (Harbor)
Everything in this part is done on hdss7-200.
1. Install the private registry on hdss7-200
Releases: https://github.com/goharbor/harbor/releases?after=v1.9.4-rc1
Download the offline installer and unpack it. v1.8.3 is the version this write-up used; for anything beyond a lab pick a current release, which carries the security fixes since then.
Reference walkthroughs: https://www.cnblogs.com/leoyang63/articles/14183156.html
or https://www.cnblogs.com/yaozhenfa/p/13638381.html
2. Download URL
https://storage.googleapis.com/harbor-releases/release-1.8.0/harbor-offline-installer-v1.8.3.tgz
3. Upload the Harbor tarball to /opt/src and unpack it (rz comes from lrzsz, installed in Part I)
[root@hdss7-200 src]# rz -E
rz waiting to receive.
[root@hdss7-200 src]# ll
total 566432
-rw-r--r-- 1 root root 580021898 May 24 23:37 harbor-offline-installer-v1.8.3.tgz
[root@hdss7-200 src]# tar zxf harbor-offline-installer-v1.8.3.tgz -C /opt/
4. Rename the directory and add a symlink, for easier operation and later upgrades
[root@hdss7-200 opt]# mv harbor/ harbor-v1.8.3
[root@hdss7-200 opt]# ln -s /opt/harbor-v1.8.3/ /opt/harbor
[root@hdss7-200 opt]# ll
total 20
drwxr-xr-x 2 root root 4096 Aug 24 21:33 certs
drwx--x--x 4 root root 4096 Aug 24 22:01 containerd
lrwxrwxrwx 1 root root 19 Aug 24 22:17 harbor -> /opt/harbor-v1.8.3/
drwxr-xr-x 2 root root 4096 Aug 24 22:14 harbor-v1.8.3
drwxr-xr-x. 2 root root 4096 Oct 31 2018 rh
drwxr-xr-x 2 root root 4096 Aug 24 22:12 src
5. Edit the configuration file
[root@hdss7-200 harbor]# vi harbor.yml
line 5:   hostname: harbor.od.com
line 10:  port: 180
line 27:  harbor_admin_password: Harbor12345    ## the documented default; change it here before running install.sh (it is only read on first start) or on first login
line 35:  data_volume: /data/harbor
line 82:  location: /data/harbor/logs
6. Create the log directory and install docker-compose
[root@hdss7-200 harbor]# mkdir -p /data/harbor/logs
[root@hdss7-200 harbor]# yum -y install docker-compose
[root@hdss7-200 harbor]# rpm -aq docker-compose
docker-compose-1.18.0-4.el7.noarch
[root@hdss7-200 harbor]# pwd
/opt/harbor
[root@hdss7-200 harbor]# ./install.sh
[root@hdss7-200 harbor]# docker-compose ps
Check; when it looks like this everything is up (the "health: starting" states turn healthy once the healthchecks pass):
[root@hdss7-200 harbor]# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
6d8b41c0ff44 goharbor/nginx-photon:v1.8.3 "nginx -g 'daemon of…" 23 seconds ago Up 22 seconds (health: starting) 0.0.0.0:180->80/tcp, :::180->80/tcp nginx
155ad13f4b34 goharbor/harbor-portal:v1.8.3 "nginx -g 'daemon of…" 24 seconds ago Up 22 seconds (health: starting) 80/tcp harbor-portal
9645aa8a9eb5 goharbor/harbor-jobservice:v1.8.3 "/harbor/start.sh" 24 seconds ago Up 22 seconds harbor-jobservice
33dd3db8f0d6 goharbor/harbor-core:v1.8.3 "/harbor/start.sh" 24 seconds ago Up 23 seconds (health: starting) harbor-core
e9ef6e5b41aa goharbor/redis-photon:v1.8.3 "docker-entrypoint.s…" 25 seconds ago Up 23 seconds 6379/tcp redis
4d877e1023c0 goharbor/harbor-db:v1.8.3 "/entrypoint.sh post…" 25 seconds ago Up 23 seconds (health: starting) 5432/tcp harbor-db
23f463f0a849 goharbor/registry-photon:v2.7.1-patch-2819-v1.8.3 "/entrypoint.sh /etc…" 25 seconds ago Up 23 seconds (health: starting) 5000/tcp registry
1b33aa1652ee goharbor/harbor-registryctl:v1.8.3 "/harbor/start.sh" 25 seconds ago Up 23 seconds (health: starting) registryctl
2c0af554361d goharbor/harbor-log:v1.8.3 "/bin/sh -c /usr/loc…" 25 seconds ago Up 24 seconds (health: starting) 127.0.0.1:1514->10514/tcp harbor-log
[root@hdss7-200 harbor]#
7. Install nginx and write its configuration
[root@hdss7-200 harbor]# yum -y install nginx
[root@hdss7-200 harbor]# vi /etc/nginx/conf.d/harbor.od.com.conf
server {
    listen       80;                  # plain HTTP: docker login sends the admin password in cleartext and every host must list harbor.od.com in insecure-registries; beyond a lab, issue harbor.od.com a certificate from the CA in Part II and serve it with listen 443 ssl
    server_name  harbor.od.com;
    client_max_body_size 1000m;       # image layers are large; nginx's default 1m would reject pushes
    location / {
        proxy_pass http://127.0.0.1:180;
    }
}
[root@hdss7-200 harbor]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[root@hdss7-200 harbor]# systemctl start nginx
[root@hdss7-200 harbor]# systemctl status nginx
[root@hdss7-200 harbor]# systemctl enable nginx
[root@hdss7-200 harbor]# curl harbor.od.com    ## test access; fails because the name is not in DNS yet
curl: (6) Could not resolve host: harbor.od.com; Name or service not known
8. Add the DNS record on hdss7-11
Edit the od.com zone on the DNS server (10.4.7.11):
[root@hdss7-11 ~]# vi /var/named/od.com.zone
change the serial 2021052301 to 2021052302 (bump it on every edit: secondaries and caches only pick up a zone whose serial has gone up)
and append at the bottom:
harbor A 10.4.7.200
[root@hdss7-11 ~]# systemctl restart named    ## rndc reload od.com does the same without dropping the resolver cache
[root@hdss7-11 ~]# dig -t A harbor.od.com +short    ## verify
10.4.7.200
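Editing the serial by hand is the step that gets forgotten, and a serial that does not increase means secondaries keep the old data. The script below is an added example, not code from the original page: it bumps a YYYYMMDDNN serial correctly (same day increments NN, a new day restarts at 01, a serial already ahead of today is never rolled back), appends an A record while refusing a duplicate owner, and carries a constructed copy of the page's od.com.zone as sample input. Paths, name and address are parameters.

```shell
#!/bin/sh
# Added example, not code from the original page: bump the SOA serial of a BIND
# zone file in the YYYYMMDDNN scheme the page uses and append an A record, so the
# manual "2021052301 -> 2021052302" edit cannot be forgotten. write_sample_zone
# reproduces the page's od.com.zone as constructed test input.

# next_serial CURRENT YYYYMMDD -> prints the serial to use next.
# Same day: increment NN. New day: <today>01. A serial already ahead of today
# (clock skew, a typo) is incremented, never rolled back: a serial that goes
# down is ignored by every secondary.
next_serial() {
    cur="$1"; today="$2"
    case "$cur" in
        "${today}"[0-9][0-9]) printf '%s\n' $((cur + 1)) ;;
        *) if [ "$cur" -ge "${today}01" ]; then printf '%s\n' $((cur + 1))
           else printf '%s01\n' "$today"; fi ;;
    esac
}

# bump_zone_serial ZONEFILE YYYYMMDD -> rewrites the serial in place, prints it.
# The serial is the number on the line tagged "; serial", as in the page's files.
bump_zone_serial() {
    zf="$1"; today="$2"
    cur=$(awk '/; serial/ { print $1; exit }' "$zf")
    [ -n "$cur" ] || { echo "no '; serial' line in $zf" >&2; return 1; }
    new=$(next_serial "$cur" "$today")
    awk -v o="$cur" -v n="$new" '/; serial/ && !done { sub(o, n); done = 1 } { print }' \
        "$zf" > "$zf.tmp" && mv "$zf.tmp" "$zf"
    printf '%s\n' "$new"
}

# add_a_record ZONEFILE NAME IP -> appends "NAME A IP"; refuses a duplicate owner
add_a_record() {
    zf="$1"; name="$2"; ip="$3"
    if awk -v n="$name" '$1 == n && $2 == "A" { f = 1 } END { exit !f }' "$zf"; then
        echo "$name already has an A record in $zf; edit it instead" >&2; return 1
    fi
    printf '%-8s A %s\n' "$name" "$ip" >> "$zf"
}

# write_sample_zone PATH -> constructed copy of the page's od.com.zone
write_sample_zone() {
    cat > "$1" <<'EOF'
$ORIGIN od.com.
$TTL 600 ; 10 minutes
@       IN SOA dns.od.com. dnsadmin.od.com. (
                2021052301 ; serial
                10800      ; refresh (3 hours)
                900        ; retry (15 minutes)
                604800     ; expire (1 week)
                86400      ; minimum (1 day)
                )
        NS   dns.od.com.
$TTL 60 ; 1 minute
dns      A 10.4.7.11
EOF
}

# Usage on hdss7-11 (the real file is /var/named/od.com.zone):
#   sh zone-add.sh /var/named/od.com.zone harbor 10.4.7.200
# then: named-checkzone od.com /var/named/od.com.zone && rndc reload od.com
if [ -n "${3:-}" ]; then
    add_a_record "$1" "$2" "$3" && bump_zone_serial "$1" "$(date +%Y%m%d)"
fi
```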
9. Test resolution from hdss7-200
[root@hdss7-200 harbor]# curl harbor.od.com
10. Open the UI in a browser and create a new project in the private registry
If harbor.od.com opens in the browser, the deployment is working.
Log in as user admin with the password Harbor12345 (the default from harbor.yml; change it on first login).
New project -> project name public, tick Public, create, then adjust the project settings as needed.
11. Pull an nginx image, tag it for the private registry and push it
[root@hdss7-200 harbor]# docker pull nginx:1.7.9
docker pull nginx:1.7.9 <==> docker pull docker.io/library/nginx:1.7.9
[root@hdss7-200 harbor]# docker images |grep 1.7.9
nginx 1.7.9 84581e99d807 6 years ago 91.7MB
[root@hdss7-200 harbor]# docker tag 84581e99d807 harbor.od.com/public/nginx:v1.7.9
Pushing directly at this point fails, because you must log in to the registry first:
[root@hdss7-200 harbor]# docker login harbor.od.com
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
Login often fails at this point; when it does, fix the daemon configuration as described in https://blog.csdn.net/Laiyunpeng666/article/details/118004347 (with the daemon.json above the registry is in insecure-registries, and any change to that file needs a docker restart to take effect). The warning above means the password is kept base64-encoded in /root/.docker/config.json; configure a credential helper, or at least keep that file mode 0600.
Check whether the push succeeded: