goteleport 10.0 本地安装使用
环境说明
master:192.168.8.132
node1:192.168.8.131
node2:192.168.8.133
master本地生成域名证书
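# Self-signed certificate for the lab hostname teleports.com (mapped in /etc/hosts below).
# The subjectAltName extension is added because Go-based TLS clients — including a
# Teleport node joining through teleports.com:3080 — reject certificates that carry the
# hostname only in the legacy Common Name field (the exact error is shown in the
# troubleshooting section of these notes). `-addext` needs OpenSSL 1.1.1 or newer;
# `-subj` keeps the command non-interactive. This pair is not referenced by later steps.
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
  -subj "/CN=teleports.com" \
  -addext "subjectAltName=DNS:teleports.com" \
  -keyout /etc/pki/tls/private/teleport2.key -out /etc/pki/tls/certs/teleport2.crt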
三台服务器修改/etc/hosts
# On all three hosts (master, node1, node2): map the lab hostname to the master so the
# public_addr values in teleport.yaml resolve without public DNS.
vi /etc/hosts
# line to add to /etc/hosts:
192.168.8.132 teleports.com
master安装teleport
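# Master: install Teleport from the official RPM repository.
# All three steps need root; the original notes ran only the last two under sudo.
sudo yum -y install yum-utils   # provides yum-config-manager
sudo yum-config-manager --add-repo https://rpm.releases.teleport.dev/teleport.repo
sudo yum install teleport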
自签证书1
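# Self-signed certificate #1 for the proxy hostname teleports.com.
# privkey.pem is the private key, fullchain.pem the certificate — the names that
# `teleport configure --cert-file/--key-file` and `https_keypairs` expect.
openssl genrsa -out privkey.pem 2048
# Restrict the key before it is moved: nothing but the Teleport service needs to read it.
chmod 600 privkey.pem
# The CSR is not consumed by the next command (which self-signs the key directly);
# kept as in the original notes.
openssl req -new -key privkey.pem -out fullchain.csr
# subjectAltName is required: a certificate with the name only in the Common Name is
# what produces the "x509: certificate relies on legacy Common Name field, use SANs
# instead" error hit later when a node joins. `-addext` needs OpenSSL 1.1.1+.
openssl req -new -x509 -key privkey.pem -out fullchain.pem -days 1095 \
  -subj "/CN=teleports.com" \
  -addext "subjectAltName=DNS:teleports.com"
mkdir -p /var/lib/teleport/
mv privkey.pem /var/lib/teleport/privkey.pem
mv fullchain.pem /var/lib/teleport/fullchain.pem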
配置teleport
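# Generate /etc/teleport.yaml. The cert/key paths point at the files produced by the
# previous step (moved into /var/lib/teleport/); the original notes referenced
# /home/lucas/fullchain.pem and /home/lucas/cert.pem, which nothing above creates.
# Note the cluster name and public address given here differ from the hand-edited
# config that follows (teleport-quickstart / teleports.com:3080); the edited file wins.
sudo teleport configure -o file \
  --cluster-name=tele.guanxiapp.cn \
  --public-addr=tele.guanxiapp.cn:443 \
  --cert-file=/var/lib/teleport/fullchain.pem \
  --key-file=/var/lib/teleport/privkey.pem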
vi /etc/teleport.yaml
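# Hand-edited /etc/teleport.yaml for the master (quick-start layout).
# Indentation restored: the notes had lost it, which makes the file unparseable.
teleport:
  data_dir: /var/lib/teleport
auth_service:
  enabled: true
  cluster_name: "teleport-quickstart"
  listen_addr: 0.0.0.0:3025
  # Static join token: any host presenting this value may join as proxy, node or app.
  # It does not expire and sits in a file on disk, so handle it like a password and
  # prefer the short-lived tokens from `tctl tokens add` (used later in these notes);
  # this entry can be dropped once no host still depends on it.
  tokens:
    - 'proxy,node,app:f7adb7ccdf04037bcd2b52ec6010fd6f0caec94ba190b765'
  public_addr: teleports.com:3025  # or <domain>:<port>
ssh_service:
  enabled: true
  labels:
    env: staging
app_service:
  enabled: true
  # Enables Teleport's built-in diagnostic ("dumper") app for trying out app access;
  # not needed outside a lab.
  debug_app: true
proxy_service:
  enabled: true
  listen_addr: 0.0.0.0:3023
  web_listen_addr: 0.0.0.0:3080
  tunnel_listen_addr: 0.0.0.0:3024
  # This is the address nodes use as --auth-server when joining.
  public_addr: teleports.com:3080  # or <domain>:<port>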
启动teleport
# Start the service now (`sudo systemctl enable --now teleport` would also start it at boot).
sudo systemctl start teleport
访问teleport web ui
https://teleports.com:3080
创建teleport用户
# Create the first Teleport user. `--logins` lists the Linux accounts this user may
# SSH into on cluster nodes; each must already exist on the node OS. Including
# `root` hands the user a root shell on every node it can reach, so keep the list
# to the accounts actually needed.
sudo tctl users add teleport-admin --roles=editor,access --logins=root,lucas
# the login users must exist on Linux
# open the generated web link directly to finish user setup
User "teleport-admin" has been created but requires a password. Share this URL with the user to complete user setup, link is valid for 1h:
https://teleports.com:3080/web/invite/123abc456def789ghi123abc456def78
NOTE: Make sure teleport.example.com:443 points at a Teleport proxy which users can access.
安装tsh
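# Install the tsh client from the release tarball. Compare the archive's SHA-256 with
# the checksum Teleport publishes next to it before extracting, so a tampered or
# truncated download is caught rather than installed.
curl -O https://get.gravitational.com/teleport-v10.0.0-linux-amd64-bin.tar.gz
curl -O https://get.gravitational.com/teleport-v10.0.0-linux-amd64-bin.tar.gz.sha256
sha256sum teleport-v10.0.0-linux-amd64-bin.tar.gz
cat teleport-v10.0.0-linux-amd64-bin.tar.gz.sha256   # the two hashes must match
tar -xzf teleport-v10.0.0-linux-amd64-bin.tar.gz
cd teleport
sudo ./install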
# Client-side checks. These need a prior
# `tsh login --proxy=teleports.com:3080 --user=teleport-admin`; with the self-signed
# proxy certificate the client machine must trust that certificate first.
tsh status
tsh ls
tsh ssh root@mynode   # "mynode" stands for a node name listed by `tsh ls`
添加节点到集群
node节点安装teleport
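# Node: same repository setup as on the master. yum-config-manager is provided by
# yum-utils, which the master steps installed first and these lines had skipped.
yum -y install yum-utils
yum-config-manager --add-repo https://rpm.releases.teleport.dev/teleport.repo
yum install teleport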
在master创建链接令牌
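# On the master: mint a node join token and keep it in a file only root can read —
# it is a credential that lets any host holding it join the cluster. The subshell
# umask applies to token.file only; tctl's default TTL applies (`--ttl` shortens it).
(umask 077; tctl tokens add --type=node | grep -oP '(?<=token:\s).*' > token.file)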
令牌文件scp到node节点
# Copy the join token to each node host (destination path as in the notes).
for node_ip in 192.168.8.133 192.168.8.131; do
  scp token.file "root@${node_ip}:/path/to"
done
在node节点执行命令加入节点
# On each node: join the cluster with the copied token. --auth-server is the proxy's
# web address; the node validates that endpoint's TLS certificate, which is consistent
# with the "legacy Common Name" error seen below when the proxy certificate has no SAN.
# Optionally add `--ca-pin=sha256:<PIN-FROM-tctl-status>` so the first connection is
# bound to this cluster's CA; delete token.file once the node has joined.
mkdir -p /path/to
teleport start \
--roles=node \
--token=/path/to/token.file \
--auth-server=teleports.com:3080
报错及处理方法
ERRO [PROC:1] Failed to resolve tunnel address Get "https://teleports.com:3080/webapi/find": x509: certificate relies on legacy Common Name field, use SANs instead pid:9510.1 reversetunnel/transport.go:90
ERRO [PROC:1] Node failed to establish connection to cluster: <nil>. pid:9510.1 service/connect.go:113
ERRO [PROC:1] Instance failed to establish connection to cluster: <nil>. pid:9510.1 service/connect.go:113
# Workaround used here: wipe the node's local Teleport state so it re-joins from scratch.
# This clears only the node side; it does not by itself change the proxy certificate
# that triggered the "use SANs instead" error, so a SAN-bearing certificate on the
# master is the actual fix.
删除/var/lib/teleport/*
rm -rf /var/lib/teleport/*
重启teleport服务
# Restart the node service (if it runs under systemd) so it starts from the cleared data_dir.
systemctl restart teleport
再运行加入集群命令：
teleport start \
--roles=node \
--token=/path/to/token.file \
--auth-server=teleports.com:3080
user:teleport-admin
passwd:djhskeushdnsjshyd
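# Full /etc/teleport.yaml reference for the master. Indentation restored (the notes had
# lost it); nodename / cluster_name / public_addr are the docs' placeholders and must be
# replaced with the real hostname (teleports.com in this lab).
teleport:
  nodename: teleport.example.org
  data_dir: /var/lib/teleport
  log:
    output: /var/lib/teleport/teleport.log
    severity: INFO
    format:
      output: text
  # CA pins a joining host checks; empty here, so joins are not bound to a specific CA.
  ca_pin: []
  # Diagnostics listener; the empty string leaves it disabled.
  diag_addr: ""
auth_service:
  enabled: true
  # PROXY protocol v1 support. Keep it "on" only when a trusted load balancer in front
  # of this listener sets the header: when clients reach the port directly they can
  # supply a PROXY header themselves and thereby choose the source address that is
  # recorded in audit events. This lab has nothing in front of the service.
  proxy_protocol: "on"
  listen_addr: 0.0.0.0:3025
  cluster_name: teleport.example.org
  # Session recording mode:
  #   "node"  - recorded on the node (the default)
  #   "proxy" - recorded on the proxy, see "Recording Proxy Mode"
  #             (https://goteleport.com/docs/architecture/proxy/#recording-proxy-mode)
  #   "off"   - recording disabled
  # EXPERIMENTAL *-sync modes stream recordings to S3 or other storage without writing
  # them to local disk first and require every node to be upgraded to 4.4:
  #   "node-sync"  - node -> auth -> storage service
  #   "proxy-sync" - proxy -> auth -> storage service
  session_recording: node
  # Forcefully end SSH sessions after this much client inactivity ("30m", "1h",
  # "1h30m"); "never" disables the idle timeout.
  client_idle_timeout: never
  # Message sent to a client disconnected for inactivity; "" sends nothing
  # (SSH connections only).
  client_idle_timeout_message: ""
  # Whether an active SSH session is cut when the client certificate expires
  # mid-session (the docs' default 'no', written as a canonical YAML boolean).
  disconnect_expired_cert: false

# ----- applies to end-nodes only -----
ssh_service:
  enabled: true
  labels:
    env: teleport_server
  # Dynamic labels: the command's output is refreshed every `period`.
  commands:
    - name: hostname
      command: [hostname]
      period: 1m0s
proxy_service:
  enabled: true
  listen_addr: 0.0.0.0:3023
  web_listen_addr: 0.0.0.0:443
  public_addr: teleport.example.org:443
  # To serve the self-signed pair created earlier, uncomment this and point it at
  # /var/lib/teleport/privkey.pem and /var/lib/teleport/fullchain.pem:
  # https_keypairs:
  #   - key_file: /var/lib/teleport/sh_wild.key
  #     cert_file: /var/lib/teleport/sh_wild.crt
  # ACME (Let's Encrypt) only works when public_addr resolves on the public Internet
  # and TCP/443 is reachable from it — not the case for a name that exists only in
  # /etc/hosts, as in this lab.
  acme:
    enabled: true
    email: user@example.org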