该博客介绍了如何使用Docker来搭建ocserv服务。首先,通过安装Docker和创建Dockerfile来构建镜像,然后详细阐述了镜像的创建、查看、保存和上传到仓库的过程。接着,说明了如何配置ocserv、开启防火墙端口以及设置系统自启。最后,列举了一些常用的Docker命令。
docker 教程:http://www.runoob.com/docker/docker-hello-world.html
1.安装docker
yum install docker
2.使用Dockerfile 来创建镜像
FROM centos:6.7 MAINTAINER liuyuanzhen "1057110618@qq.com" RUN /bin/echo 'root:123456' |chpasswd RUN useradd liuyuanzhen RUN /bin/echo 'liuyuanzhen:123456' |chpasswd RUN /bin/echo -e "LANG=\"en_US.UTF-8\"" >/etc/default/local EXPOSE 22 EXPOSE 80 EXPOSE 443 CMD /usr/sbin/sshd -D
3.启动docker
systemctl start docker
4.构建镜像 -t :指定要创建的目标镜像名 . :Dockerfile 文件所在目录,可以指定Dockerfile 的绝对路径
docker build -t centos:6.7 .
5.查看镜像
docker images
6.用新生成的镜像创建容器
docker run -t -i centos:6.7 /bin/bash
7.配置ocserv:http://www.cnblogs.com/yuanzhenliu/p/8763138.html
8.保存镜像,设置镜像标签(docker tag 9e6a62c09d6c centos:dev)
exit
docker commit ac3113ceda97 docker.io/liuyuanzhen/ocserv-docker:v0
9.把镜像上传到仓库(需要docker.io/liuyuanzhen/ocserv-docker 存在)
docker push liuyuanzhen/ocesrv-docker:v0
10.删除本地镜像,从仓库下载并运行
docker rmi docker.io/liuyuanzhen/ocserv-docker:v0
docker pull docker.io/liuyuanzhen/ocserv-docker:v0
启动容器:
docker run -d --privileged -p 443:443 docker.io/liuyuanzhen/ocserv-docker:v0 /bin/bash /root/firewell.sh
如果还不能访问可能是本地防火墙没有开443端口:
运行下列代码:sh firewell.sh
#!/bin/bash echo """# sysctl settings are defined through files in # /usr/lib/sysctl.d/, /run/sysctl.d/, and /etc/sysctl.d/. # # Vendors settings live in /usr/lib/sysctl.d/. # To override a whole file, create a new file with the same in # /etc/sysctl.d/ and put new settings there. To override # only specific settings, add a file with a lexically later # name in /etc/sysctl.d/ and put new settings there. # # For more information, see sysctl.conf(5) and sysctl.d(5). # Accept IPv6 advertisements when forwarding is enabled # Protect from IP Spoofing net.ipv4.conf.all.rp_filter = 1 net.ipv4.conf.default.rp_filter = 1 # Ignore ICMP broadcast requests net.ipv4.icmp_echo_ignore_broadcasts = 1 # Protect from bad icmp error messages net.ipv4.icmp_ignore_bogus_error_responses = 1 # Disable source packet routing net.ipv4.conf.all.accept_source_route = 0 net.ipv6.conf.all.accept_source_route = 0 net.ipv4.conf.default.accept_source_route = 0 net.ipv6.conf.default.accept_source_route = 0 # Turn on exec shield kernel.exec-shield = 1 kernel.randomize_va_space = 1 # Block SYN attacks net.ipv4.tcp_syncookies = 1 net.ipv4.tcp_max_syn_backlog = 2048 net.ipv4.tcp_synack_retries = 2 net.ipv4.tcp_syn_retries = 5 # Log Martians net.ipv4.conf.all.log_martians = 1 net.ipv4.icmp_ignore_bogus_error_responses = 1 # Ignore send redirects net.ipv4.conf.all.send_redirects = 0 net.ipv4.conf.default.send_redirects = 0 # Ignore ICMP redirects net.ipv4.conf.all.accept_redirects = 0 net.ipv6.conf.all.accept_redirects = 0 net.ipv4.conf.default.accept_redirects = 0 net.ipv6.conf.default.accept_redirects = 0 net.ipv4.conf.all.secure_redirects = 0 net.ipv4.conf.default.secure_redirects = 0 net.ipv6.conf.all.accept_ra = 2 net.ipv6.conf.eth0.accept_ra = 2 net.ipv4.ip_forward = 1""" > /etc/sysctl.conf sysctl -p service iptables start echo """# sample configuration for iptables service # you can edit this manually or use system-config-firewall # please do not ask us to add additional ports/services to this default configuration #*filter #:INPUT ACCEPT [0:0] #:FORWARD ACCEPT [0:0] #:OUTPUT ACCEPT [0:0] #-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT #-A INPUT -p icmp -j ACCEPT #-A INPUT -i lo -j ACCEPT #-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT #-A INPUT -j REJECT --reject-with icmp-host-prohibited #-A FORWARD -j REJECT --reject-with icmp-host-prohibited #COMMIT # *nat :INPUT ACCEPT [0:0] :PREROUTING ACCEPT [0:0] :OUTPUT ACCEPT [0:0] :POSTROUTING ACCEPT [0:0] # Generic NAT for LAN Network 192.168.5.0/24 -A POSTROUTING -s 192.168.5.0/24 -o eth0 -j MASQUERADE COMMIT *mangle :PREROUTING ACCEPT [0:0] :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] :POSTROUTING ACCEPT [0:0] COMMIT *filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] # START INPUT RULES # Stateful Rule - INPUT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT # ACCEPT traffic from Loopback interface -A INPUT -i lo -j ACCEPT # ACCEPT SSH from LAN -A INPUT -p tcp -m tcp -i eth0 --dport 22 -j ACCEPT # ACCEPT DHCP from LAN -A INPUT -p udp -m udp -i eth1 --dport 67:68 -j ACCEPT # ACCEPT Webmin from LAN (Optional, only for Webmin users) -A INPUT -p tcp -m tcp -i eth1 --dport 10000 -j ACCEPT # ACCEPT DNS UDP From LAN -A INPUT -p udp -m udp -i eth1 --dport 53 -j ACCEPT # ACCEPT DNS TCP From LAN -A INPUT -p tcp -m tcp -i eth1 --dport 53 -j ACCEPT # ACCEPT ping from LAN -A INPUT -p icmp --icmp-type echo-request -i eth1 -j ACCEPT # ACCEPT OpenConnect TCP From WAN -A INPUT -p tcp -m tcp -i eth0 --dport 443 -j ACCEPT # ACCEPT OpenConnect UPD From WAN -A INPUT -p udp -m udp -i eth0 --dport 443 -j ACCEPT # DROP wan traffic -A INPUT -i eth0 -j DROP # LOG LAN -A INPUT -i eth1 -j LOG --log-prefix "IPTABLES-LOG-INPUT-LAN:" --log-level 4 # ACCEPT LAN traffic - Learning rule - Should be changed to DROP once custom rules are created. -A INPUT -i eth1 -j ACCEPT # LAST RULE - DROP all traffic -A INPUT -j DROP # END INPUT RULES # START FORWARD RULES # Stateful Rule - FORWARD -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT # ACCEPT LAN to WAN -A FORWARD -s 192.168.5.0/24 -j ACCEPT # LOG Forwarded traffic -A FORWARD -j LOG --log-prefix "IPTABLES-LOG-FORWARD:" --log-level 4 # LAST RULE - ACCEPT all traffic - Should be changed to DROP once custom rules are created. -A FORWARD -j ACCEPT # END FORWARD RULES # START OUTPUT RULES # Stateful Rule - OUTPUT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT # LOG Outgoing traffic -A OUTPUT -j LOG --log-prefix "IPTABLES-LOG-OUTPUT:" --log-level 4 # LAST RULE - ACCEPT all traffic -
最低0.47元/天 解锁文章
431
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
