1,修改主机名称
~]# hostnamectl set-hostname hdss7-11.host.com
~]# hostnamectl set-hostname hdss7-12.host.com
~]# hostnamectl set-hostname hdss7-21.host.com
~]# hostnamectl set-hostname hdss7-22.host.com
~]# hostnamectl set-hostname hdss7-200.host.com
2, 永久关闭NetworkManager 服务
# Stop NetworkManager and keep it from starting at boot (disable --now does
# both); the status call is only for inspection.
systemctl disable --now NetworkManager
systemctl status NetworkManager
3,关闭selinux、防火墙
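# Make SELinux stay disabled after reboot. Match whatever mode is currently
# configured (enforcing or permissive) instead of only the literal
# "enforcing", otherwise a permissive host is left unchanged. The anchored
# pattern does not touch the SELINUXTYPE= line or the comment block.
sed -i 's#^SELINUX=.*#SELINUX=disabled#' /etc/selinux/config
setenforce 0      # permissive for the running kernel; the file edit covers the next boot
getenforce
# Stop firewalld and keep it from starting at boot.
systemctl stop firewalld
systemctl disable firewalld
systemctl status firewalld
# Both steps remove host-level enforcement; keep this to an isolated lab network.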
4, 安装epel源
# EPEL repository; presumably the source of some later packages (nginx, docker-compose)
yum install -y epel-release
5,安装必要工具
# Baseline tooling: bind-utils provides dig (used to test DNS later),
# dos2unix fixes files edited on Windows.
tools=(wget net-tools telnet tree nmap sysstat lrzsz dos2unix bind-utils)
yum install -y "${tools[@]}"
6,DNS服务安装部署
--------创建主机域host.com
--------创建业务域od.com
--------主辅同步(10.4.7.11主、10.4.7.12辅)
--------客户端配置指向自建DNS
~]# yum -y install bind
Installed: bind.x86_64 32:9.11.4-26.P2.el7_9.5
------A, 配置主配置文件
~]# cat /etc/named.conf ----修改主配置文件
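options {
    listen-on port 53 { 10.4.7.11; };
    allow-query { any; };
    # the statement terminator was missing here; named-checkconf rejects the file without it
    forwarders { 10.4.7.254; };
    recursion yes;                              # enable recursive queries
    # only this host and the lab subnet may use the server as a recursive resolver;
    # authoritative answers for host.com/od.com remain open via allow-query
    allow-recursion { localhost; 10.4.7.0/24; };
    dnssec-enable no;                           # DNSSEC off
    dnssec-validation no;                       # DNSSEC off
};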
~]# named-checkconf ------检查配置文件
------B,配置区域文件
~]# cat /etc/named.rfc1912.zones #--只添加内容,文档中的原有配置不动
zone "host.com" IN {
type master;
file "host.com.zone";
allow-update { 10.4.7.11; };
};
zone "od.com" IN {
type master;
file "od.com.zone";
allow-update { 10.4.7.11; };
};
-----C,添加A记录(主机域数据文件)
cat /var/named/host.com.zone
$ORIGIN host.com.
$TTL 600 ; 10 minutes
@ IN SOA dns.host.com. dnsadmin.host.com. (
  2021032612 ; serial
  10800 ; refresh (3 hours)
  900 ; retry (15 minutes)
  604800 ; expire (1 week)
  86400 ; minimum (1 day)
)
; leading whitespace matters: the owner of this NS record is inherited from the SOA line (@)
  NS dns.host.com.
$TTL 60 ; 1 minute
dns A 10.4.7.11
; DNS name matching is case-insensitive, so these records answer for the
; lowercase hostnames set with hostnamectl in step 1
HDSS7-11 A 10.4.7.11
HDSS7-12 A 10.4.7.12
HDSS7-21 A 10.4.7.21
HDSS7-22 A 10.4.7.22
HDSS7-200 A 10.4.7.200
~]# cat /var/named/od.com.zone
$ORIGIN od.com.
$TTL 600 ; 10 minutes
@ IN SOA dns.od.com. dnsadmin.od.com. (
  2021032614 ; serial -- bump it on every later edit (e.g. the harbor A record added in step 9)
  10800 ; refresh (3 hours)
  900 ; retry (15 minutes)
  604800 ; expire (1 week)
  86400 ; minimum (1 day)
)
; leading whitespace matters: the owner of this NS record is inherited from the SOA line (@)
  NS dns.od.com.
$TTL 60 ; 1 minute
dns A 10.4.7.11
检查并启动服务
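# -z also loads every zone listed in named.conf, so zone-file errors surface
# here instead of when the unit's ExecStartPre check fails at start time
# (plain named-checkconf only validates named.conf itself).
named-checkconf -z
systemctl start named
systemctl enable named
systemctl status named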
------D,在主机上添加
~]# cat /etc/resolv.conf
search host.com
nameserver 10.4.7.11
有个报错:
[root@hdss7-11 ~]# systemctl restart named
Job for named.service failed because the control process exited with error code. See "systemctl status named.service" and "journalctl -xe" for details.
[root@hdss7-11 ~]# systemctl status named -l
● named.service - Berkeley Internet Name Domain (DNS)
Loaded: loaded (/usr/lib/systemd/system/named.service; enabled; vendor preset: disabled)
Active: failed (Result: exit-code) since Wed 2021-09-15 06:20:38 EDT; 24s ago
Process: 17323 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi (code=exited, status=1/FAILURE)
Sep 15 06:20:38 hdss7-11.host.com bash[17323]: zone host.com/IN: loaded serial 2021032613
Sep 15 06:20:38 hdss7-11.host.com bash[17323]: dns_master_load: od.com.zone:11: unexpected end of line
Sep 15 06:20:38 hdss7-11.host.com bash[17323]: dns_master_load: od.com.zone:11: unexpected end of input
Sep 15 06:20:38 hdss7-11.host.com bash[17323]: zone od.com/IN: loading from master file od.com.zone failed: unexpected end of input
Sep 15 06:20:38 hdss7-11.host.com bash[17323]: zone od.com/IN: not loaded due to errors.
Sep 15 06:20:38 hdss7-11.host.com bash[17323]: _default/od.com/IN: unexpected end of input
Sep 15 06:20:38 hdss7-11.host.com systemd[1]: named.service: control process exited, code=exited status=1
Sep 15 06:20:38 hdss7-11.host.com systemd[1]: Failed to start Berkeley Internet Name Domain (DNS).
Sep 15 06:20:38 hdss7-11.host.com systemd[1]: Unit named.service entered failed state.
Sep 15 06:20:38 hdss7-11.host.com systemd[1]: named.service failed.
显然是od.com 这个域的配置文件有问题
在windows上
7,准备自签名证书 -----在200运维主机上操作
-----A,下载安装 cfssl、cfssl-json、cfssl-certinfo
下载cfssl https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
下载cfssl-json https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
下载cfssl-certinfo https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
由于网络的问题wget无法正常下载,先在浏览器中下载,然后上传到linux系统中
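# Fetch the cfssl R1.2 tool set straight into PATH.
wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 -O /usr/bin/cfssl
wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 -O /usr/bin/cfssl-json
wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64 -O /usr/bin/cfssl-certinfo
# These binaries mint the CA in step 7, so compare each one with the checksum
# published for the release before making it executable. The expected values
# are not recorded in these notes -- replace the placeholders below.
sha256sum -c - <<'EOF'
<EXPECTED_SHA256_cfssl>  /usr/bin/cfssl
<EXPECTED_SHA256_cfssljson>  /usr/bin/cfssl-json
<EXPECTED_SHA256_cfssl-certinfo>  /usr/bin/cfssl-certinfo
EOF
chmod +x /usr/bin/cfssl*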
------B,创建生成CA证书签名请求(csr)的JSON配置文件
# Working directory for the CA material; the CSR config follows.
certs_dir=/opt/certs
mkdir "$certs_dir"
cd "$certs_dir"
cat "$certs_dir/ca-csr.json"
{
"CN": "OldboyEdu",
"hosts": [
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "beijing",
"L": "beijing",
"O": "od",
"OU": "ops"
}
],
"ca": {
"expiry": "175200h"
}
}
CN:Common Name,浏览器使用该字段验证网站是否合法,一般写的是域名。非常重要。
C:Country。国家
ST:State,州,省
L:Locality,城区,城市
O:Organization Name,组织名称,公司名称
OU:Organization Unit Name。组织单位名称,公司部门
-----C, 生成CA证书和私钥
[root@hdss7-200 certs]# cd /opt/certs
[root@hdss7-200 certs]# cfssl gencert --initca ca-csr.json | cfssl-json -bare ca
[root@hdss7-200 certs]# ls -l
total 16
-rw-r--r--. 1 root root 993 Jul 25 18:15 ca.csr
-rw-r--r--. 1 root root 328 Jul 25 18:12 ca-csr.json
-rw-------. 1 root root 1675 Jul 25 18:15 ca-key.pem
-rw-r--r--. 1 root root 1346 Jul 25 18:15 ca.pem
可以看到新生成了三个文件:ca.csr、ca-key.pem(CA 私钥,权限 600,仅 root 可读)和 ca.pem。
8,安装docker(在21、22、200主机上)
------A,安装docker
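yum install yum-utils -y
# The .repo file decides how later packages are verified, so fetch it over
# TLS rather than the plain-http URL in the original notes.
yum-config-manager --add-repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
yum list docker-ce --show-duplicates   # list the available docker-ce versions
yum install docker-ce -y
# the package may already have created /etc/docker; -p keeps this step idempotent
mkdir -p /etc/docker
cd /etc/docker
vi daemon.json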
{
"graph": "/data/docker",
"storage-driver": "overlay2",
"insecure-registries": ["registry.access.redhat.com","quay.io","harbor.od.com"],
"registry-mirrors": ["https://tpmrvmq9.mirror.aliyuncs.com"],
"bip": "172.7.21.1/24",
"exec-opts": ["native.cgroupdriver=systemd"],
"live-restore": true
}
# Show the current state, then start the daemon and enable it at boot.
systemctl status docker
systemctl enable --now docker
9,部署docker镜像私有仓库harbor
-----A,下载上传harbor 文件:
官方链接: https://goharbor.io/
https://github.com/goharbor/harbor/releases
# Staging directory for the downloaded harbor installer.
harbor_src=/opt/src/harbor
mkdir -p "$harbor_src"
cd "$harbor_src"
]# ls
harbor-offline-installer-v1.7.1.tgz
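# The archive listed above is harbor-offline-installer-v1.7.1.tgz while these
# commands named v1.8.3 -- set harbor_ver to the release actually downloaded.
# The notes edit both harbor.yml and harbor.cfg; check which one your release ships.
harbor_ver=1.8.3
tar xvf "harbor-offline-installer-v${harbor_ver}.tgz" -C /opt
mv /opt/harbor "/opt/harbor-v${harbor_ver}"
ln -s "/opt/harbor-v${harbor_ver}" /opt/harbor   # version-independent path used below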
-----B,配置
cat /opt/harbor/harbor.yml
hostname: harbor.od.com
http:
  port: 180                          # nginx on port 80 proxies to this port (harbor.od.com.conf)
harbor_admin_password: Harbor12345   # initial admin password; rotate it after the first login
data_volume: /data/harbor
log:
  level: info
  rotate_count: 50
  rotate_size: 200M
  location: /data/harbor/logs        # created with mkdir -p before install.sh runs
# Log directory named by log.location in harbor.yml, plus docker-compose,
# which manages the harbor containers (docker-compose ps/start/stop below).
mkdir -p /data/harbor/logs
yum install -y docker-compose
]# rpm -qa docker-compose
docker-compose-1.18.0-4.el7.noarch
vi /opt/harbor/harbor.cfg
hostname = harbor.od.com
vi /opt/harbor/docker-compose.yml
ports:
- 180:80
- 1443:443
- 4443:4443
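# install.sh expects to run from the harbor directory; do not fall through to
# whatever directory the shell is in if the cd fails.
cd /opt/harbor && ./install.sh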
------C,检查harbor 启动的情况
# run these from /opt/harbor, where docker-compose.yml lives
docker-compose ps
docker-compose start
docker-compose --help
docker-compose stop
D,配置harbor的dns内网解析:
vi /var/named/od.com.zone
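; harbor runs on the 200 host: the dig check below returns 10.4.7.200 and
; 10.4.7.11 is the DNS server itself. Bump the SOA serial (2021032614 -> 2021032615)
; in the same edit so a secondary picks up the change.
harbor A 10.4.7.200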
重启named
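# -z loads every zone, so the edit is validated before named is restarted
# (the earlier restart failure came from a broken od.com.zone).
named-checkconf -z && systemctl restart named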
测试:
# Query via the nameserver in /etc/resolv.conf (10.4.7.11); print only the answer.
dig +short harbor.od.com A
10.4.7.200
------D,安装并配置nginx
用nginx代理180端口:
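# -y was given twice in the original; once is enough
yum install -y nginx
rpm -qa nginx
vi /etc/nginx/conf.d/harbor.od.com.conf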
server {
    listen 80;
    server_name harbor.od.com;
    # raise the upload limit so image layers can be pushed through the proxy
    client_max_body_size 1000m;
    location / {
        # harbor's http.port is 180 (harbor.yml), published as 180:80 in docker-compose.yml
        proxy_pass http://127.0.0.1:180;
    }
}
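# Start and enable nginx only when the new vhost passes the syntax check.
nginx -t && systemctl enable --now nginx
systemctl status nginx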
-----E, 浏览器打开http://harbor.od.com
pull 一个镜像:
# Pull a test image from the public mirror configured in daemon.json.
docker image pull nginx:1.7.9
给pull下的镜像打个标签
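# Tag by the name just pulled instead of copying an image ID by hand, then
# push to the private registry (library project) through the nginx proxy.
docker tag nginx:1.7.9 harbor.od.com/library/nginx:1.7.9
docker push harbor.od.com/library/nginx:1.7.9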