Offline deployment of CDH 6.3

The practice environment consists of five hosts, each with 4 cores and 4 GB of RAM (that is too little memory; 8 GB is a sensible minimum):

Hostname IP address
Elephant 192.168.174.184
Lion 192.168.174.185
Horse 192.168.174.186
Monkey 192.168.174.187
Tiger 192.168.174.188

Environment preparation

  1. Host network configuration

Set the values for each host accordingly; elephant is used as the example below:

[root@localhost ~]# nmcli c m ens33 ipv4.method manual ipv4.addresses 192.168.174.184/24 ipv4.gateway 192.168.174.2 ipv4.dns 192.168.174.2
[root@localhost ~]# nmcli c d ens33 && nmcli c u ens33
[root@localhost ~]# hostnamectl set-hostname elephant
  2. Copy the files
    Copy the offline CDH 6.3.1 deployment files to every host. They include:
sujx@legion7000:/mnt/d/$ ls Cloudera
CDH-6.3.2-1.cdh6.3.2.p0.1605554-el7.parcel
cloudera-manager-agent-6.3.1-1466458.el7.x86_64.rpm
cloudera-manager-daemons-6.3.1-1466458.el7.x86_64.rpm
cloudera-manager-server-6.3.1-1466458.el7.x86_64.rpm
cloudera-manager-server-db-2-6.3.1-1466458.el7.x86_64.rpm
enterprise-debuginfo-6.3.1-1466458.el7.x86_64.rpm
jdk-8u202-linux-x64.rpm
manifest.json
mysql-connector-java-5.1.39-bin.jar

sujx@legion7000:/mnt/d/$ tar zcvf cloudera.tar.gz Cloudera
sujx@legion7000:/mnt/d/$ scp cloudera.tar.gz root@lion:/root/
  3. Passwordless SSH login

Set up key-based login from the lion host to every host (one ssh-copy-id per host; a backslash-separated brace group is not valid brace expansion):

ssh-keygen -t rsa
for h in elephant lion horse monkey tiger; do ssh-copy-id root@$h; done

# Use ansible to distribute and manage files; creating the inventory file is omitted here
yum install -y ansible

ansible all -m copy -a 'src=/root/cloudera.tar.gz dest=/root/'

  4. Host configuration
    Put the following into a script and run it on every host.
#!/bin/bash

# Install required packages (ping is provided by iputils; there is no package called ping)
yum update -y
yum install -y mutt net-tools mlocate telnet curl wget iputils vim open-vm-tools

# Turn off the firewall and SELinux. The sed expression must start with s/ (a leading ":s/" makes
# sed fail); setenforce 0 applies the change now instead of waiting for a reboot
systemctl disable firewalld.service --now
setenforce 0
sed -i 's/^SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config
updatedb && sync && ldconfig

# Configure the time source (all CDH hosts must agree on the time)
cat >/etc/chrony.conf<<EOF
server ntp.aliyun.com iburst

driftfile /var/lib/chrony/drift
makestep 1.0 3
rtcsync
logdir /var/log/chrony

EOF

systemctl enable chronyd --now
timedatectl

# Tuning
# Lower swappiness, as Cloudera recommends
echo "vm.swappiness = 10" >> /etc/sysctl.conf
sysctl -p

# Disable transparent huge pages now and at boot (rc.local is not executable by default on CentOS 7)
echo never > /sys/kernel/mm/transparent_hugepage/defrag
echo never > /sys/kernel/mm/transparent_hugepage/enabled
echo 'echo never > /sys/kernel/mm/transparent_hugepage/defrag' >> /etc/rc.local
echo 'echo never > /sys/kernel/mm/transparent_hugepage/enabled' >> /etc/rc.local
chmod +x /etc/rc.d/rc.local

# Install Java
tar zxvf cloudera.tar.gz
yum localinstall -y Cloudera/jdk-8u202-linux-x64.rpm

java -version
echo $JAVA_HOME   # the RPM does not export JAVA_HOME; Cloudera Manager looks for the JDK under /usr/java

# Set up the package repository. These two downloads need internet access; on a truly offline
# network ship the GPG key and the .repo file inside the tarball instead. The key is imported so
# that yum can verify the Cloudera RPM signatures; the .repo file belongs in /etc/yum.repos.d/
wget https://archive.cloudera.com/cm6/6.3.1/redhat7/yum/RPM-GPG-KEY-cloudera
rpm --import RPM-GPG-KEY-cloudera
wget https://archive.cloudera.com/cm6/6.3.1/redhat7/yum/cloudera-manager.repo -O /etc/yum.repos.d/cloudera-manager.repo
yum update -y

mkdir -p /usr/share/java/
cp Cloudera/mysql-connector-java-5.1.39-bin.jar /usr/share/java/mysql-connector-java.jar

yum localinstall -y Cloudera/cloudera-manager-daemons*
yum localinstall -y Cloudera/cloudera-manager-agent*

# Point the cloudera-scm-agent at the Cloudera Manager server (lion)
sed -i 's/^server_host=localhost/server_host=lion/' /etc/cloudera-scm-agent/config.ini
systemctl enable cloudera-scm-agent
systemctl restart cloudera-scm-agent

# Agent configuration complete

Database installation

The database is deployed on the Lion host.
1. Install the database

yum install -y mariadb mariadb-server

# Add the MySQL configuration. The values follow Cloudera's sample my.cnf; an
# innodb_buffer_pool_size of 4G is more than a 4 GB practice host can spare, so scale it down there
cat >/etc/my.cnf.d/server.cnf<<EOF
[mysqld]
key_buffer = 16M
key_buffer_size = 32M
max_allowed_packet = 32M
thread_stack = 256K
thread_cache_size = 64
query_cache_limit = 8M
query_cache_size = 64M
query_cache_type = 1

max_connections = 550
server_id=1

binlog_format = mixed

read_buffer_size = 2M
read_rnd_buffer_size = 16M
sort_buffer_size = 8M
join_buffer_size = 8M

# InnoDB settings
innodb_file_per_table = 1
innodb_flush_log_at_trx_commit  = 2
innodb_log_buffer_size = 64M
innodb_buffer_pool_size = 4G
innodb_thread_concurrency = 8
innodb_flush_method = O_DIRECT
innodb_log_file_size = 512M
EOF

# Start the database service
systemctl enable mariadb --now
# A fresh MariaDB root account has no password; run mysql_secure_installation before continuing

2. Create the database setup script
The placeholder password passwd and the '%' host wildcard below are for the practice lab only; in a real deployment give each service its own strong password and restrict the grant to the hosts that actually run that service.
vim /root/cdh.sql
CREATE DATABASE scm DEFAULT CHARACTER SET utf8 DEFAULT COLLATE utf8_general_ci;
GRANT ALL ON scm.* TO 'scm'@'%' IDENTIFIED BY 'passwd';
CREATE DATABASE amon DEFAULT CHARACTER SET utf8 DEFAULT COLLATE utf8_general_ci;
GRANT ALL ON amon.* TO 'amon'@'%' IDENTIFIED BY 'passwd';
CREATE DATABASE rman DEFAULT CHARACTER SET utf8 DEFAULT COLLATE utf8_general_ci;
GRANT ALL ON rman.* TO 'rman'@'%' IDENTIFIED BY 'passwd';
CREATE DATABASE hue DEFAULT CHARACTER SET utf8 DEFAULT COLLATE utf8_general_ci;
GRANT ALL ON hue.* TO 'hue'@'%' IDENTIFIED BY 'passwd';
CREATE DATABASE metastore DEFAULT CHARACTER SET utf8 DEFAULT COLLATE utf8_general_ci;
GRANT ALL ON metastore.* TO 'hive'@'%' IDENTIFIED BY 'passwd';
CREATE DATABASE sentry DEFAULT CHARACTER SET utf8 DEFAULT COLLATE utf8_general_ci;
GRANT ALL ON sentry.* TO 'sentry'@'%' IDENTIFIED BY 'passwd';
CREATE DATABASE nav DEFAULT CHARACTER SET utf8 DEFAULT COLLATE utf8_general_ci;
GRANT ALL ON nav.* TO 'nav'@'%' IDENTIFIED BY 'passwd';
CREATE DATABASE navms DEFAULT CHARACTER SET utf8 DEFAULT COLLATE utf8_general_ci;
GRANT ALL ON navms.* TO 'navms'@'%' IDENTIFIED BY 'passwd';
CREATE DATABASE oozie DEFAULT CHARACTER SET utf8 DEFAULT COLLATE utf8_general_ci;
GRANT ALL ON oozie.* TO 'oozie'@'%' IDENTIFIED BY 'passwd';

mysql -uroot -p < /root/cdh.sql
# Run on lion; it prompts for the scm password. If the path does not exist yet, install the
# cloudera-manager-server package from the next section first
/opt/cloudera/cm/schema/scm_prepare_database.sh mysql scm scm

Management node installation

yum localinstall -y Cloudera/cloudera-manager-server-6*
cp Cloudera/CDH* /opt/cloudera/parcel-repo
cp Cloudera/manifest.json /opt/cloudera/parcel-repo
cd /opt/cloudera/parcel-repo
# wget https://archive.cloudera.com/cdh6/6.3.2/parcels/CDH-6.3.2-1.cdh6.3.2.p0.1605554-el7.parcel -P /opt/cloudera/parcel-repo
# wget https://archive.cloudera.com/cdh6/6.3.2/parcels/manifest.json -P /opt/cloudera/parcel-repo
# The .sha file is supposed to hold the SHA-1 that manifest.json publishes for the parcel.
# Computing it from the file on disk, as below, only tells Cloudera Manager to accept whatever
# was copied over; compare the value with the "hash" entry in manifest.json before trusting it
sha1sum CDH-6.3.2-1.cdh6.3.2.p0.1605554-el7.parcel | awk '{ print $1 }' > CDH-6.3.2-1.cdh6.3.2.p0.1605554-el7.parcel.sha
chown -R cloudera-scm:cloudera-scm /opt/cloudera/parcel-repo/*
systemctl enable cloudera-scm-server --now
cd
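The .sha file only means something when it carries the hash the vendor published. The script below is an added example, not Cloudera tooling: it reads the SHA-1 from manifest.json (assuming the layout of Cloudera parcel repositories, a top-level "parcels" list whose entries have "parcelName" and "hash"), streams the parcel through SHA-1, and writes the .sha file only when the two agree. The sample repository it builds is constructed data so it runs offline; on lion, call verify_parcel with /opt/cloudera/parcel-repo and the real parcel name instead.

```python
"""Verify a CDH parcel against the SHA-1 published in manifest.json.

Added example, not part of Cloudera Manager. Assumed manifest layout (as in
Cloudera parcel repositories): {"parcels": [{"parcelName": ..., "hash": ...}]}.
The sample repository built by build_sample_repo() is constructed data.
"""
import hashlib
import json
import os
import tempfile


def sha1_of_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-1; parcels are gigabytes, never read them whole."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def published_hash(manifest_path, parcel_name):
    """Return the hash manifest.json publishes for parcel_name, or None if absent."""
    with open(manifest_path, "r", encoding="utf-8") as f:
        manifest = json.load(f)
    for entry in manifest.get("parcels", []):
        if entry.get("parcelName") == parcel_name:
            return entry.get("hash")
    return None


def verify_parcel(repo_dir, parcel_name):
    """Compare the parcel on disk with the manifest; return (ok, actual, expected).

    The .sha file is written only on success: a hash taken from whatever file
    happens to be on disk says nothing about where that file came from.
    """
    expected = published_hash(os.path.join(repo_dir, "manifest.json"), parcel_name)
    actual = sha1_of_file(os.path.join(repo_dir, parcel_name))
    ok = expected is not None and actual == expected
    if ok:
        with open(os.path.join(repo_dir, parcel_name + ".sha"), "w") as f:
            f.write(actual + "\n")
    return ok, actual, expected


def build_sample_repo(tamper=False):
    """Construct a throwaway parcel-repo directory with fake parcel bytes (constructed data)."""
    repo = tempfile.mkdtemp(prefix="parcel-repo-")
    name = "CDH-6.3.2-1.cdh6.3.2.p0.1605554-el7.parcel"
    payload = b"not a real parcel, just sample bytes\n" * 1024
    with open(os.path.join(repo, name), "wb") as f:
        f.write(payload)
    manifest = {"parcels": [{"parcelName": name,
                             "hash": hashlib.sha1(payload).hexdigest()}]}
    with open(os.path.join(repo, "manifest.json"), "w", encoding="utf-8") as f:
        json.dump(manifest, f)
    if tamper:  # simulate a truncated or substituted download
        with open(os.path.join(repo, name), "ab") as f:
            f.write(b"X")
    return repo, name


if __name__ == "__main__":
    repo, name = build_sample_repo()
    print(verify_parcel(repo, name))
```

A mismatch means the parcel was corrupted in transit or is not the file the manifest describes; re-copy it from the tarball rather than regenerating the .sha.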

Cluster configuration

Open port 7180 on the Lion host and complete the setup in the web GUI (the wizard screenshots are not reproduced here).

Quick Docker practice

Set up a three-node environment for Docker practice; the master node also stores the private registry's images.

Node IP Purpose
master 192.168.174.181 management node and private registry
node1 192.168.174.180 node one
node2 192.168.174.180 node two
Management node installation

Installing docker

[root@master ~]# yum install -y docker
[root@master ~]# fdisk -l
Disk /dev/sda: 10.7 GB, 10737418240 bytes, 20971520 sectors
Disk /dev/sdb: 10.7 GB, 10737418240 bytes, 20971520 sectors

# The newly added /dev/sdb disk will be used as docker's storage

[root@master ~]# vim /etc/sysconfig/docker-storage-setup   # in vim, :r /usr/share/container-storage-setup/container-storage-setup pulls in the template
#STORAGE_DRIVER=overlay2   # comment out the overlay2 driver
STORAGE_DRIVER=devicemapper   # switch to the devicemapper driver
EXTRA_STORAGE_OPTIONS="--storage-opt dm.fs=xfs"   # format the thin volumes as xfs
DEVS=/dev/sdb   # use the /dev/sdb disk
CONTAINER_THINPOOL=container-thinpool   # thin-pool storage; this is also the LV name
VG=docker_VG   # name of the storage VG

[root@master ~]# container-storage-setup
INFO: Writing zeros to first 4MB of device /dev/sdb
4+0 records in
4+0 records out
4194304 bytes (4.2 MB) copied, 0.00600853 s, 698 MB/s
INFO: Device node /dev/sdb1 exists.
  Physical volume "/dev/sdb1" successfully created.
  Volume group "docker_VG" successfully created
  Rounding up size to full physical extent 12.00 MiB
  Thin pool volume with chunk size 512.00 KiB can address at most 126.50 TiB of data.
  Logical volume "container-thinpool" created.
  Logical volume docker_VG/container-thinpool changed.
[root@master ~]# vgs
  VG        #PV #LV #SN Attr   VSize   VFree
  centos      1   2   0 wz--n-  <9.00g    0 
  docker_VG   1   1   0 wz--n- <10.00g 6.00g
[root@master ~]# lvs
  LV                 VG        Attr       LSize  Pool Origin Data%  Meta%  Move Log Cpy%Sync Convert
  root               centos    -wi-ao---- <8.00g                                                    
  swap               centos    -wi-ao----  1.00g                                                    
  container-thinpool docker_VG twi-a-t---  3.97g             0.00   10.29   
# Created successfully; start the docker service
[root@master ~]# systemctl enable docker --now

System configuration

Configure several registry mirrors so that pulls are fast on different networks.

# Docker registry mirror configuration. insecure-registries lets the daemon talk to the private
# registry (reachable by the hostname "registry") over plain HTTP with no TLS verification, which
# is acceptable only on an isolated lab network
cat>/etc/docker/daemon.json<<EOF
{
  "registry-mirrors": ["https://dockerhub.azk8s.cn","http://f1361db2.m.daocloud.io","https://d1a0f2854f4b44c2a3b3af4f5425db1a.mirror.swr.myhuaweicloud.com","https://hub-mirror.c.163.com","https://registry.docker-cn.com"],
  "insecure-registries": ["registry:5000"]
}
EOF
[root@master ~]# systemctl daemon-reload && systemctl restart docker

# Turn off the firewall
[root@master ~]# systemctl disable firewalld.service --now

# Turn off SELinux (setenforce 0 lasts only until reboot; edit /etc/selinux/config to make it permanent)
setenforce 0

Docker environment preparation

Image preparation

# Pull the practice image
[root@master ~]# docker pull docker.io/centos
Using default tag: latest
Trying to pull repository docker.io/library/centos ... 
latest: Pulling from docker.io/library/centos
8a29a15cefae: Pull complete 
Digest: sha256:fe8d824220415eed5477b63addf40fb06c3b049404242b31982106ac204f6700
Status: Downloaded newer image for docker.io/centos:latest

# Image list
[root@master ~]# docker images
REPOSITORY           TAG                 IMAGE ID            CREATED             SIZE
docker.io/nginx      latest              2073e0bcb60e        2 days ago          127 MB
docker.io/httpd      latest              c562eeace183        3 days ago          165 MB
docker.io/php        latest              7dc31b4f3403        3 days ago          405 MB
docker.io/mysql      latest              791b6e40940c        3 days ago          465 MB
docker.io/debian     latest              a8797652cfd9        3 days ago          114 MB
docker.io/registry   latest              708bc6af7e5e        12 days ago         25.7 MB
docker.io/centos     latest              470671670cac        2 weeks ago         237 MB
docker.io/mysql      5.5                 d404d78aa797        9 months ago        205 MB
docker.io/centos     6.10                48650444e419        10 months ago       194 MB

# Remove an image
[root@master ~]# docker rmi docker.io/mysql
Untagged: docker.io/mysql:latest
Untagged: docker.io/mysql@sha256:6d0741319b6a2ae22c384a97f4bbee411b01e75f6284af0cce339fee83d7e314
Deleted: sha256:791b6e40940cd550af522eb4ffe995226798204504fe495743445b900e417a51
Deleted: sha256:a3c92ad464abbee6d08856efd404df8c43e9d991b9253bed8281e452d8021dfa
Deleted: sha256:3eb0379ecdc39f86da90c491765187e40dda381e57f319dd21afd0b1e2c40158
Deleted: sha256:fe814f19102e93fd9e2c12b4c864d110bbe4884ff4c5c34e2e1d96341ec17778
Deleted: sha256:f973fa93f201d11a3a6ccf900614fa6e25f4cf899da69f163510560263642d0e
Deleted: sha256:db53286cf6b77826bd35675098bfa76863ace9a04b4e28f4d8340d53c23821e8
Deleted: sha256:477e19600de637164faac8d2e39d4552fac8fbf3c4a9f29efe34072c0fd156e9
Deleted: sha256:2c109aa38ef35164d5adcabac202bde92420867a5839deb75f5ce034aacc00b4
Deleted: sha256:0de337169373e6779cb3ca09485e95fedd4ac98abee19b839cd46e294a64f363
Deleted: sha256:73f1cb0f35d3377b825488e38241d0e12c63e7d30946362402dd8ab2e9467d81
Deleted: sha256:5807022bbb80a63e78831d4dff1ac497a450287ce43fbb0381623b19f5d45c8a
Deleted: sha256:1aaef8d601e09d40fc66f3531268e837f4ae3eedf84f94359fa33177f0be4c6e
Deleted: sha256:e0db3ba0aaea8a01d5cb000aeb449c153be0a47a369cafc4e912b85fb18192cf

# Export an image
[root@master ~]# docker save docker.io/centos:6.10 > /tmp/sujxcentos.tar

# Import an image
[root@node2 ~]# docker load < /root/sujxcentos.tar
[root@node2 ~]# docker images
REPOSITORY                        TAG                 IMAGE ID            CREATED             SIZE
docker.io/centos                  6.10                48650444e419        10 months ago       194 MB

# Search for images
[root@master ~]# docker search oracle
INDEX       NAME                                            DESCRIPTION                                     STARS     OFFICIAL   AUTOMATED
docker.io   docker.io/oraclelinux                           Official Docker builds of Oracle Linux.         629       [OK]       
docker.io   docker.io/jaspeen/oracle-11g                    Docker image for Oracle 11g database            144                  [OK]
docker.io   docker.io/oracleinanutshell/oracle-xe-11g                                                       82                   
docker.io   docker.io/oracle/openjdk                        Docker images containing OpenJDK Oracle Linux   60                   [OK]
docker.io   docker.io/oracle/graalvm-ce                     GraalVM Community Edition Official Image        56                   [OK]
docker.io   docker.io/absolutapps/oracle-12c-ee             Oracle 12c EE image with web management co...   38                   
docker.io   docker.io/araczkowski/oracle-apex-ords          Oracle Express Edition 11g Release 2 on Ub...   27                   [OK]
docker.io   docker.io/bofm/oracle12c                        Docker image for Oracle Database                23                   [OK]
docker.io   docker.io/oracle/nosql                          Oracle NoSQL on a Docker Image with Oracle...   22                   [OK]
docker.io   docker.io/datagrip/oracle                       Oracle 11.2 & 12.1.0.2-se2 & 11.2.0.2-xe        14                   [OK]
docker.io   docker.io/oracle/weblogic-kubernetes-operator   Docker images containing the Oracle WebLog...   10                   
docker.io   docker.io/openweb/oracle-tomcat                 A fork off of Official tomcat image with O...   8                    [OK]
docker.io   docker.io/truevoly/oracle-12c                   Copy of sath89/oracle-12c image (https://g...   8                    
docker.io   docker.io/18fgsa/oracle-client                  Hosted version of the Oracle Container Ima...   2                    

Setting up a local private registry

The registry container below listens on plain HTTP with no authentication, which is why the clients list it under insecure-registries; anyone who can reach port 5000 can push or overwrite images, so keep it on the lab network or put TLS and authentication in front of it.

[root@master ~]# docker run -d -p 5000:5000 --name=registry --restart=always docker.io/registry
345e05f68235687b47d2917fd0a86620ac2d6b40fbe7647063b817e0d690cf6b

# Tag
[root@master ~]# docker tag docker.io/mysql:5.5 registry:5000/sujx_images/mysql:5.5

# Push
[root@master ~]# docker push registry:5000/sujx_images/mysql:5.5
The push refers to a repository [registry:5000/sujx_images/mysql]
c9f3545812c8: Pushed 
f49eaacc87a0: Pushed 
a9c5a24e943f: Pushed 
90b4ae8695b5: Pushed 
4054cc666efd: Pushed 
f83622e85376: Pushed 
af84b063c827: Pushed 
ddc265b679cf: Pushed 
647245c554e4: Pushed 
432b5f62e513: Pushed 
6270adb5794c: Pushed 
5.5: digest: sha256:c9c671d0c959183154313d6830d46f9a00d5937f97415c15ebd3c6844f6f1467 size: 2619

# Pull from another local client
[root@node2 ~]# docker pull registry:5000/sujx_images/mysql:5.5
Trying to pull repository registry:5000/sujx_images/mysql ... 
5.5: Pulling from registry:5000/sujx_images/mysql
743f2d6c1f65: Pull complete 
3f0c413ee255: Pull complete 
aef1ef8f1aac: Pull complete 
f9ee573e34cb: Pull complete 
3f237e01f153: Pull complete 
03da1e065b16: Pull complete 
04087a801070: Pull complete 
7efd5395ab31: Pull complete 
1b5cc03aaac8: Pull complete 
2b7adaec9998: Pull complete 
385b8f96a9ba: Pull complete 
Digest: sha256:c9c671d0c959183154313d6830d46f9a00d5937f97415c15ebd3c6844f6f1467
Status: Downloaded newer image for registry:5000/sujx_images/mysql:5.5

# Push an image from another local node
[root@node2 ~]# docker tag docker.io/centos:6.10 registry:5000/sujx_images/centos:6.10
[root@node2 ~]# docker push registry:5000/sujx_images/centos:6.10
The push refers to a repository [registry:5000/sujx_images/centos]
8088cb617267: Pushed 
6.10: digest: sha256:7e53308393264c34359fbdf6d15d5c8c4985b8c2a58ee0ad4f7d5cc2e3c1577a size: 529

One-shot bastion host deployment script

My department lead asked me to look into bastion hosts, so I spent two days on deploying and using an open-source one. Parts of the official documentation are already out of date, so I am recording the deployment as a script, using the official CentOS 8 installation guide as the template.
The main changes: nginx comes from the official repository, the versions of a few Python packages are changed, and systemd autostart units are added for the jms, koko and guacamole services.

#!/bin/bash

# 2020.01.15
# sujx@live.cn

# Install dependencies
yum update -y
yum -y install wget gcc epel-release git telnet openssh-clients dnf-utils vim
yum update -y

# Download Jumpserver
cd /opt/
git clone --depth=1 https://github.com/jumpserver/jumpserver.git

# Firewall and SELinux settings; skip this if the firewall and SELinux are already turned off
systemctl start firewalld
# nginx port
firewall-cmd --zone=public --add-service=http --permanent
# user SSH login port (koko)
firewall-cmd --zone=public --add-port=2222/tcp --permanent
# reload the rules
firewall-cmd --reload
# SELinux: allow nginx to open outbound connections to the backends
setsebool -P httpd_can_network_connect 1

# Install Redis; Jumpserver uses it as cache and celery broker
yum -y install redis
systemctl enable redis --now

# Install MySQL; skip the MySQL parts if you do not use it (sqlite3, mysql and postgres are all supported)
yum -y install mariadb mariadb-devel mariadb-server sshpass
systemctl enable mariadb --now

# Create the jumpserver database and grant access
DB_PASSWORD=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 24`  # random database password

# passwd.txt collects every secret this script generates in clear text; it is created with the
# default umask, so make it readable by root only (chmod 600) once the script has finished
cat >~/passwd.txt<<EOF
The database password is $DB_PASSWORD
EOF

mysql -uroot -e "create database jumpserver default charset 'utf8'; grant all on jumpserver.* to 'jumpserver'@'127.0.0.1' identified by '$DB_PASSWORD'; flush privileges;"

# Install Nginx, used as the reverse proxy that ties Jumpserver and its components together

yum -y install nginx
systemctl enable nginx --now

# Install Python 3.6
yum -y install python36 python36-devel
yum -y install krb5-devel libtiff-devel libjpeg-devel libzip-devel freetype-devel libwebp-devel tcl-devel tk-devel openldap-devel libffi-devel openldap-clients

# Install the Python library dependencies
# Use the Huawei PyPI mirror
mkdir ~/.pip
cat >~/.pip/pip.conf<<EOF
[global]
index-url = https://mirrors.huaweicloud.com/repository/pypi/simple
trusted-host = mirrors.huaweicloud.com
timeout = 120
EOF

# Create and activate the Python 3 virtual environment
cd /opt
# py3 is the virtual environment name; change it if you like
python3 -m venv py3
# use deactivate to leave the virtual environment
source /opt/py3/bin/activate

pip install wheel setuptools
pip install pip --upgrade
pip install python-gssapi

# Change the pinned dependency versions
sed -i "s/Django==2.1.11/Django==2.2/g" /opt/jumpserver/requirements/requirements.txt
sed -i "s/cryptography==2.3.1/cryptography==2.7/g" /opt/jumpserver/requirements/requirements.txt
sed -i "s/pyasn1==0.4.2/pyasn1==0.4.6/g" /opt/jumpserver/requirements/requirements.txt

pip install -r /opt/jumpserver/requirements/requirements.txt

# Edit the Jumpserver configuration file
cd /opt/jumpserver
cp config_example.yml config.yml

# Generate a random SECRET_KEY. jms reads it from config.yml, so exporting it through ~/.bashrc
# is unnecessary and leaves the secret in a shell startup file
SECRET_KEY=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 50`
echo "SECRET_KEY=$SECRET_KEY" >> ~/.bashrc

# Generate a random BOOTSTRAP_TOKEN (same remark as above)
BOOTSTRAP_TOKEN=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 16`
echo "BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN" >> ~/.bashrc

sed -i "s/SECRET_KEY:/SECRET_KEY: $SECRET_KEY/g" /opt/jumpserver/config.yml
sed -i "s/BOOTSTRAP_TOKEN:/BOOTSTRAP_TOKEN: $BOOTSTRAP_TOKEN/g" /opt/jumpserver/config.yml
sed -i "s/# DEBUG: true/DEBUG: false/g" /opt/jumpserver/config.yml
sed -i "s/# LOG_LEVEL: DEBUG/LOG_LEVEL: ERROR/g" /opt/jumpserver/config.yml
sed -i "s/# SESSION_EXPIRE_AT_BROWSER_CLOSE: false/SESSION_EXPIRE_AT_BROWSER_CLOSE: true/g" /opt/jumpserver/config.yml
sed -i "s/DB_PASSWORD: /DB_PASSWORD: $DB_PASSWORD/g" /opt/jumpserver/config.yml

echo -e "SECRET_KEY is $SECRET_KEY" >> ~/passwd.txt
echo -e "BOOTSTRAP_TOKEN is $BOOTSTRAP_TOKEN" >> ~/passwd.txt

# use deactivate to leave the virtual environment

# Run Jumpserver
#cd /opt/jumpserver
#./jms start -d  # add -d to run in the background
# Newer versions changed the run script: ./jms start|stop|status all, add -d to run in the background
cat >/usr/lib/systemd/system/jms.service<<EOF
[Unit]
Description=jms
After=network.target mariadb.service redis.service
Wants=mariadb.service redis.service

[Service]
Type=forking
Environment="PATH=/opt/py3/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin"
ExecStart=/opt/jumpserver/jms start -d
ExecStop=/opt/jumpserver/jms stop

[Install]
WantedBy=multi-user.target
EOF
systemctl enable jms.service --now

# Install podman to run koko and guacamole (podman-docker also installs a docker command that wraps podman)
yum install -y podman-docker
alias docker=podman
echo "alias docker=podman" >> ~/.bashrc

# Configure podman registry mirrors
sed -i "s/registry.redhat.io/dockerhub.azk8s.cn/g" /etc/containers/registries.conf
sed -i "s/registry.access.redhat.com/docker.mirrors.ustc.edu.cn/g" /etc/containers/registries.conf

# Allow container IPs to reach port 8080 on the host (the container IP can be checked inside the container).
# The rich rule is single-quoted so the inner double quotes reach firewalld intact
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="10.88.0.0/16" port protocol="tcp" port="8080" accept'
firewall-cmd --reload
# 10.88.0.x is podman's default container IP pool; the whole range is allowed here for brevity, a single IP can be allowed instead

# Get the server's IP
Server_IP=`ip addr | grep 'state UP' -A2 | grep inet | egrep -v '(127.0.0.1|inet6|docker)' | awk '{print $2}' | tr -d "addr:" | head -n 1 | cut -d / -f1`
echo -e "The server IP is $Server_IP" >> ~/passwd.txt

# http://<Jumpserver_url> points at the jumpserver service port, e.g. http://192.168.244.144:8080
# BOOTSTRAP_TOKEN is the BOOTSTRAP_TOKEN from Jumpserver/config.yml
docker run --name jms_koko -d -p 2222:2222 -p 127.0.0.1:5000:5000 -e CORE_HOST=http://$Server_IP:8080 -e BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN jumpserver/jms_koko:1.5.6
docker run --name jms_guacamole -d -p 127.0.0.1:8081:8080 -e JUMPSERVER_SERVER=http://$Server_IP:8080 -e BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN jumpserver/jms_guacamole:1.5.6

# Configure koko to start at boot
cat > /usr/lib/systemd/system/koko.service << EOF
[Unit]
Description=Podman JMS_koko Service
After=network.target
After=network-online.target

[Service]
Type=simple
ExecStart=/usr/bin/podman start -a jms_koko
ExecStop=/usr/bin/podman stop -t 10 jms_koko
Restart=always

[Install]
WantedBy=multi-user.target
EOF

systemctl enable koko.service

# Configure guacamole to start at boot
cat > /usr/lib/systemd/system/guacamole.service << EOF
[Unit]
Description=Podman JMS_guacamole Service
After=network.target
After=network-online.target

[Service]
Type=simple
ExecStart=/usr/bin/podman start -a jms_guacamole
ExecStop=/usr/bin/podman stop -t 10 jms_guacamole
Restart=always

[Install]
WantedBy=multi-user.target
EOF

systemctl enable guacamole.service

# Install the Luna web terminal front end; it is served by Nginx. Download the matching release
# from https://github.com/jumpserver/luna/releases and unpack it; no build step is needed
cd /opt
# wget https://github.com/jumpserver/luna/releases/download/1.5.6/luna.tar.gz

# If network problems prevent that download, use this address instead
wget https://demo.jumpserver.org/download/luna/1.5.6/luna.tar.gz

tar xvzf luna.tar.gz
chown -R root:root luna

# Configure Nginx to tie the components together
rm -rf /etc/nginx/conf.d/default.conf

# Remove the default server block from nginx.conf (lines 38-58 in the stock CentOS 8 file; check before relying on these line numbers)
cp /etc/nginx/nginx.conf /etc/nginx.conf.bak
sed -i "38,58d" /etc/nginx/nginx.conf
cat > /etc/nginx/conf.d/jumpserver.conf << "EOF"
server {
    listen 80;
    # server_name _;

    client_max_body_size 100m;  # size limit for recordings and file uploads

    location /luna/ {
        try_files $uri / /index.html;
        alias /opt/luna/;  # luna path; change it if the install directory changes
    }

    location /media/ {
        add_header Content-Encoding gzip;
        root /opt/jumpserver/data/;  # recordings location; change it if the install directory changes
    }

    location /static/ {
        root /opt/jumpserver/data/;  # static assets; change it if the install directory changes
    }

    location /koko/ {
        proxy_pass       http://localhost:5000;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    location /guacamole/ {
        proxy_pass       http://localhost:8081/;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    location /ws/ {
        proxy_pass http://localhost:8070;
        proxy_http_version 1.1;
        proxy_buffering off;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    location / {
        proxy_pass http://localhost:8080;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }
}
EOF

# Make sure the configuration is valid; fix any problems before restarting
nginx -t   
systemctl restart nginx
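Three details of the script above deserve a safer form: the secret pipeline raises SIGPIPE under set -o pipefail, the secrets end up in ~/.bashrc and a default-permission passwd.txt, and a bare sed against config.yml does nothing if the key is spelled differently. The functions below are an added example, not Jumpserver project code; the file paths are whatever the caller passes in, and the sample config.yml used in the usage notes is constructed.

```shell
#!/bin/sh
# Added example, not Jumpserver project code. Generates the random secrets the
# deployment script needs and stores them in a root-only file; every path is
# passed in by the caller, so nothing here touches /opt/jumpserver unless asked.
set -eu

# Alphanumeric secret of length $1 from the kernel CSPRNG. Reading a fixed
# 64-byte chunk per round avoids the SIGPIPE that "tr </dev/urandom | head -c"
# raises under set -o pipefail; LC_ALL=C keeps tr byte-oriented.
gen_secret() {
    n=$1; out=""
    while [ "${#out}" -lt "$n" ]; do
        out="$out$(head -c 64 /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9')"
    done
    printf '%s' "$out" | cut -c1-"$n"
}

# Create $1 with mode 0600 (umask 077 for the creation, chmod in case the file
# already existed) and write the remaining arguments to it, one per line.
write_secrets_file() {
    file=$1; shift
    ( umask 077; : >"$file" )
    chmod 600 "$file"
    printf '%s\n' "$@" >>"$file"
}

# Set KEY in a flat YAML file ($1). Matches "KEY:", "KEY: old" and the
# commented "# KEY: old" form used by config_example.yml, and fails when the
# key is absent so a renamed setting cannot silently stay empty. Values are
# restricted to characters that are inert inside the sed replacement.
set_yaml_key() {
    file=$1; key=$2; value=$3
    case $value in *[!A-Za-z0-9._:/@-]*) echo "unsafe value for $key" >&2; return 1;; esac
    grep -Eq "^#? ?${key}:" "$file" || { echo "key ${key} not found in ${file}" >&2; return 1; }
    sed -i -E "s|^#? ?${key}:.*|${key}: ${value}|" "$file"
}

# Read KEY ($2) back from the YAML file ($1); used to confirm the edit took.
get_yaml_key() {
    sed -n -E "s|^$2: *||p" "$1"
}
```

In the deployment script the calls would be SECRET_KEY=$(gen_secret 50), set_yaml_key /opt/jumpserver/config.yml SECRET_KEY "$SECRET_KEY" and write_secrets_file /root/passwd.txt "SECRET_KEY=$SECRET_KEY" "DB_PASSWORD=$DB_PASSWORD", with no export into ~/.bashrc at all, since jms reads config.yml.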

Then open the host address in a browser.
(Jumpserver login page screenshot)


The script can be downloaded here:
Jumpserver installation script

Quick iTop deployment on CentOS 8

iTop is an open-source ITSM system written in PHP and built around ITIL concepts. This post installs iTop on a CentOS 8 virtual machine.

  1. System preparation
    First prepare the LAMP stack, using the distribution's own Apache 2.4, PHP 7.2 and MariaDB 10.3 (the C++ compiler package is gcc-c++).
yum update -y
yum install -y cmake make autoconf gcc gcc-c++ unzip graphviz libzip-devel libzip-tools
yum install -y httpd php php-fpm php-ldap php-soap
yum install -y php-xmlrpc php-gd php-opcache php-mysqlnd php-json php-devel
yum install -y libmcrypt libmcrypt-devel php-pecl-apcu mhash
yum install -y php-odbc php-mbstring php-snmp
yum install -y mariadb mariadb-server
firewall-cmd --permanent --add-service=http
firewall-cmd --reload
systemctl enable httpd php-fpm mariadb --now
  2. Upload iTop and create the database
    The contents of the release archive's web/ directory go into /var/www/html, the default DocumentRoot, so httpd.conf needs no change; the directory is then handed to the apache user. The itop database password below is a lab placeholder.
unzip iTop-2.6.1-4463.zip
cp web/* /var/www/html/ -R
chown -R apache:apache /var/www/html/
mysql -uroot -p
MariaDB [(none)]> create database itop character set utf8 collate utf8_bin;
MariaDB [(none)]> grant all privileges on itop.* to itop@'localhost' identified by 'itop';
MariaDB [(none)]> flush privileges;
MariaDB [(none)]> exit;
  3. Build the PHP zip extension
    PHP installed from YUM/DNF does not ship the zip extension, so with the default configuration iTop shows a blank page and the log reports:
    PHP Fatal error: Class 'DBBackup' not found in /var/www/html/itop/web/setup/applicationinstaller.class.inc.php
    The zip extension therefore has to be compiled and installed from PECL.
wget http://pecl.php.net/get/zip
tar zxvf zip
cd zip-1.15.5
phpize
./configure
make
cp modules/zip.so /usr/lib64/php/modules/
echo 'extension=zip' > /etc/php.d/20-zip.ini
# In /etc/php.ini (around line 269) enable zlib output compression:
# zlib.output_compression = On
systemctl restart php-fpm

Then open the site and run the installer.

  4. iTop installation
    (fifteen installer screenshots, iTopDeploy1 to iTopDeploy15, not reproduced)

Building a local RPM package repository

As Linux use grows in China, mirrors from all the big vendors have sprung up and download speeds keep improving. In my company, however, security policy forbids the production environment from connecting to the internet directly, so a local repository server is needed.

Setting up the service

The mirror is served over HTTP/HTTPS.

# System update
yum update -y
# RPM build tooling
yum install -y zlib-devel openssl-devel gcc perl-devel pam-devel make autoconf
yum install -y rpm-build unzip rsync createrepo
# HTTP server
yum install -y httpd mod_security
# Apache configuration for the repository tree
cat>>/etc/httpd/conf.d/repos.conf<<EOF
Alias /repos /var/www/repos
<Directory /var/www/repos>
    Options +Indexes
    Require all granted
</Directory>
EOF
# Open the port
firewall-cmd --permanent --add-service=http
firewall-cmd --reload
systemctl enable httpd --now
# Directory layout
mkdir -p /var/www/repos/{centos,epel,docker-ce,remi,mongodb,zabbix}
chown -R apache:apache /var/www/repos

Syncing the official repositories

The sync script below uses the Tsinghua and USTC mirrors and covers CentOS, EPEL, Docker CE, Zabbix, MongoDB and Remi (PHP); the whole tree takes under 800 GB. rsync copies the packages exactly as the upstream mirror publishes them, signatures included, so clients should keep gpgcheck=1 and have the vendor keys installed; --delete also removes anything upstream has dropped, so run the job from cron and watch its exit status.

#!/bin/bash
# CentOS
rsync -avrt --delete --exclude=isos --exclude=aarch64 --exclude=ppc64 --exclude=drpms/ --exclude=debug/ rsync://mirrors.ustc.edu.cn/centos/ /var/www/repos/centos/

#EPEL
rsync -avrt --delete --exclude=isos --exclude=aarch64 --exclude=ppc64 --exclude=drpms/ --exclude=debug/ rsync://mirrors.ustc.edu.cn/epel/ /var/www/repos/epel/

#Docker_CE
rsync -avrt --delete --exclude=test --exclude=nightly --exclude=edge --exclude=aarch64 --exclude=drpms/ --exclude=debug/ --exclude=source/ --exclude=debug-*/ rsync://mirrors.ustc.edu.cn/repo/docker-ce/linux/centos/ /var/www/repos/docker-ce/linux/centos/

#Zabbix
rsync -avrt --delete rsync://mirror.tuna.tsinghua.edu.cn/zabbix/ /var/www/repos/zabbix/

#Mongodb
rsync -avrt --delete  rsync://mirror.tuna.tsinghua.edu.cn/mongodb/yum/ /var/www/repos/mongodb/yum/

#Remi
rsync -avrt --delete  rsync://mirror.tuna.tsinghua.edu.cn/remi/ /var/www/repos/remi/

Local repository for self-built packages

Because of vendor release policies and timing, some software has to be packaged and updated by us, so a separate local repository is needed for it.

cd /var/www/repos
mkdir -p /var/www/repos/local/{6,7,8}/x86_64
createrepo /var/www/repos/local/6/x86_64/
createrepo /var/www/repos/local/7/x86_64/
createrepo /var/www/repos/local/8/x86_64/
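A client trusts the repository through its metadata chain: repodata/repomd.xml names the primary metadata file and its sha256, and primary.xml.gz lists every package with its sha256 and path. Walking that chain after an rsync --delete run, or before publishing a tree built with createrepo, catches half-synced or altered packages that a directory listing would not reveal. The script below is an added example; it is not part of the page, createrepo or dnf, and it builds its sample repository from a few bytes of fake package data so it runs offline. Point verify_repo at /var/www/repos/local/7/x86_64 or any synced mirror directory to use it for real.

```python
"""Walk a mirrored yum/dnf repository's metadata chain and verify every package.

Added example; not part of the page, createrepo or dnf. repomd.xml points at
the primary metadata and carries its sha256; primary.xml.gz carries each
package's sha256 and location. The sample repository is constructed data.
"""
import gzip
import hashlib
import os
import tempfile
import xml.etree.ElementTree as ET

REPO_NS = "{http://linux.duke.edu/metadata/repo}"
COMMON_NS = "{http://linux.duke.edu/metadata/common}"


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so large RPMs are never read whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def primary_location(repo_dir):
    """Return (href, sha256) of the primary metadata named in repodata/repomd.xml."""
    root = ET.parse(os.path.join(repo_dir, "repodata", "repomd.xml")).getroot()
    for data in root.iter(REPO_NS + "data"):
        if data.get("type") == "primary":
            return (data.find(REPO_NS + "location").get("href"),
                    data.find(REPO_NS + "checksum").text.strip())
    raise ValueError("repomd.xml has no primary entry")


def verify_repo(repo_dir):
    """Return a list of (relative path, reason); an empty list means the tree is consistent."""
    href, expected = primary_location(repo_dir)
    primary_path = os.path.join(repo_dir, href)
    if sha256_of_file(primary_path) != expected:
        return [(href, "primary metadata checksum mismatch")]
    with gzip.open(primary_path, "rb") as f:
        root = ET.parse(f).getroot()
    problems = []
    for pkg in root.iter(COMMON_NS + "package"):
        loc = pkg.find(COMMON_NS + "location").get("href")
        want = pkg.find(COMMON_NS + "checksum").text.strip()
        path = os.path.join(repo_dir, loc)
        if not os.path.exists(path):
            problems.append((loc, "missing"))
        elif sha256_of_file(path) != want:
            problems.append((loc, "checksum mismatch"))
    return problems


def build_sample_repo(tamper=None):
    """Construct a two-package repository in a temp dir (fake data, not real RPMs).

    tamper="modify" appends bytes to one package; tamper="delete" removes the other.
    """
    repo = tempfile.mkdtemp(prefix="localrepo-")
    os.makedirs(os.path.join(repo, "Packages"))
    os.makedirs(os.path.join(repo, "repodata"))
    pkgs = {"Packages/a-1.0-1.x86_64.rpm": b"fake rpm payload A\n" * 100,
            "Packages/b-2.0-1.x86_64.rpm": b"fake rpm payload B\n" * 100}
    entries = []
    for rel, body in pkgs.items():
        with open(os.path.join(repo, rel), "wb") as f:
            f.write(body)
        entries.append('<package type="rpm"><name>%s</name>'
                       '<checksum type="sha256" pkgid="YES">%s</checksum>'
                       '<location href="%s"/></package>'
                       % (os.path.basename(rel).split("-")[0],
                          hashlib.sha256(body).hexdigest(), rel))
    primary_gz = gzip.compress(
        ('<?xml version="1.0" encoding="UTF-8"?><metadata '
         'xmlns="http://linux.duke.edu/metadata/common" packages="%d">%s</metadata>'
         % (len(entries), "".join(entries))).encode())
    primary_sha = hashlib.sha256(primary_gz).hexdigest()
    primary_href = "repodata/%s-primary.xml.gz" % primary_sha
    with open(os.path.join(repo, primary_href), "wb") as f:
        f.write(primary_gz)
    with open(os.path.join(repo, "repodata", "repomd.xml"), "w") as f:
        f.write('<?xml version="1.0" encoding="UTF-8"?>'
                '<repomd xmlns="http://linux.duke.edu/metadata/repo">'
                '<data type="primary"><checksum type="sha256">%s</checksum>'
                '<location href="%s"/></data></repomd>' % (primary_sha, primary_href))
    if tamper == "modify":
        with open(os.path.join(repo, "Packages/a-1.0-1.x86_64.rpm"), "ab") as f:
            f.write(b"trailing garbage")
    elif tamper == "delete":
        os.remove(os.path.join(repo, "Packages/b-2.0-1.x86_64.rpm"))
    return repo


if __name__ == "__main__":
    print(verify_repo(build_sample_repo()))
    print(verify_repo(build_sample_repo("modify")))
```

The chain is only as trustworthy as repomd.xml itself: for vendor repositories that also publish repomd.xml.asc, check that signature (or set repo_gpgcheck=1 on the clients) so a replaced metadata file cannot vouch for replaced packages; for the self-built local repositories there is no such signature, which is one more reason to sign the RPMs themselves before running createrepo.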