
Deploying an SSL-enabled private Docker registry on an internal network

Posted: 2022-11-16 22:11:50  Views: 139
Tags: named file etc bind zones ssl private-registry conf docker


registry

Ports required: 443 and 1194:1194/udp

Swap in the Let's Encrypt SSL certificate

# copy the Let's Encrypt private key and full chain to the file names the registry deployment mounts
\cp -a /free_cicdfs0/k8s_data/registry_ssl/certs/private.pem  /free_cicdfs0/k8s_data/registry_ssl/certs/domain.key
\cp -a /free_cicdfs0/k8s_data/registry_ssl/certs/fullchain.crt  /free_cicdfs0/k8s_data/registry_ssl/certs/domain.crt

Apply the configuration

kubectl apply -f /free_cicdfs0/k8s_ymls/app-yml/registry_ssl/registry_ssl.yml

# if apply does not pick up the new certificate, force a delete-and-recreate of the resource
kubectl replace --force -f /free_cicdfs0/k8s_ymls/app-yml/registry_ssl/registry_ssl.yml


Edit the configuration file

In the newer BIND version the overall layout of the configuration file has changed somewhat.


cat /free_cicdfs0/k8s_data/bind9/etc/bind/named.conf
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";



Forward queries to 114 (114.114.114.114) and cache the answers


cat > /free_cicdfs0/k8s_data/bind9/etc/bind/named.conf.options <<"EOF"

# include "/etc/rndc.key";

# NOTE: the controls block references key "rndckey"; that key must be defined
# (normally by the include above) or named cannot open the rndc channel on port 953.
controls {
    inet 127.0.0.1 port 953
    allow { 127.0.0.1; } keys { "rndckey"; };
};

options {
    // DNSSEC off: the forwarder cannot be validated from inside the LAN
    // (see the "broken trust chain" error further down)
    dnssec-enable no;
    dnssec-validation no;

    listen-on port 53 { any; };

    // NOTE: this is a recursive resolver open to any client; keep port 53
    // unreachable from outside the LAN or restrict this to the LAN ranges.
    allow-query { any; };

    forwarders {
        114.114.114.114;
    };
};

EOF

# NOTE: 777 leaves every zone file writable by any local user; root:named with
# read access for the named group is all named needs for static zones
chmod 777 -R  /free_cicdfs0/k8s_data/bind9/
chown root:root -R  /free_cicdfs0/k8s_data/bind9/

chown root:named -R  /free_cicdfs0/k8s_data/bind9/

docker-compose up -d
# error in the container log
couldn't add command channel 127.0.0.1#953: file not found


# seed the bind mounts with the container's own /etc/bind and /var/lib/bind so named finds its default files
docker cp -a bind9:/etc/bind  /free_cicdfs0/k8s_data/bind9/etc/

docker cp -a bind9:/var/lib/bind  /free_cicdfs0/k8s_data/bind9/var/lib/

dig works but ping does not

broken trust chain resolving 'baidu.com/AAAA/IN': 114.114.114.114#53

Fix:
This is an unofficial DNS server inside the LAN, so DNS security (DNSSEC) is turned off.
[root@192-168-174-42 ~]# vim /etc/named.conf
Set the following two options to no:
        dnssec-enable no;
        dnssec-validation no;

Review the zones already configured and add new entries


cat /free_cicdfs0/k8s_data/bind9/etc/bind/named.conf.default-zones
// prime the server with knowledge of the root servers
zone "." {
        type hint;
        file "/usr/share/dns/root.hints";
};

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912

zone "localhost" {
        type master;
        file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
        type master;
        file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
        type master;
        file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
        type master;
        file "/etc/bind/db.255";
};

https://nginx164190.zk.wh.com/

192.168.164.190 nginx164190.zk.wh.com

Install the LAN certificate on Linux

# add a hosts entry
vi /etc/hosts
192.168.164.190  nginx164190.zk.wh.com
 
[root@node01 ~]# curl https://nginx164190.zk.wh.com/
curl: (60) Peer's Certificate issuer is not recognized.
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.


# download and run the CA installer served from the LAN web server
curl -o install_cert_linux.zip http://192.168.164.190:40080/install_cert_linux.zip
unzip install_cert_linux.zip

cd install_cert_linux
./install_cert.sh

# test the result
curl https://nginx164190.zk.wh.com/
<html>
<head><title>Index of /</title></head>
<body>
<h1>Index of /</h1><hr><pre><a href="../">../</a>
<a href="_wildcard.zk.wh.com.crt">_wildcard.zk.wh.com.crt</a>                            18-Aug-2021 08:53    1464
<a href="_wildcard.zk.wh.com.pem">_wildcard.zk.wh.com.pem</a>                            18-Aug-2021 08:53    1464
<a href="install_cert_linux.zip">install_cert_linux.zip</a>                             19-Aug-2021 07:30      2M
<a href="rootCA-key.pem">rootCA-key.pem</a>                                     18-Aug-2021 08:53    2488
<a href="rootCA.pem">rootCA.pem</a>                                         18-Aug-2021 08:53    1635
<a href="test">test</a>                                               18-Aug-2021 08:47       7
</pre><hr></body>
</html>
# NOTE: the index above also serves rootCA-key.pem, the CA private key. Anyone who can fetch it
# can issue certificates that every host which ran install_cert.sh will trust; publish only
# rootCA.pem and keep the key off the web server.


rndc

1. Port 953 is the rndc port.

2. rndc is used to read BIND's statistics and to reload a zone without restarting BIND.

Look at the default zone entries

cat /etc/bind/named.conf.default-zones
(identical to the named.conf.default-zones listing shown earlier: the root hint zone "." plus the localhost, 127, 0 and 255 in-addr.arpa master zones)

Add your own zone entries

Records needed for several DNS servers to cooperate:
SOA
NS

; A maps a name to an IPv4 address
@       IN      A       127.0.0.1

; AAAA maps a name to an IPv6 address
@       IN      AAAA    ::1

; PTR provides the reverse (address-to-name) mapping
1.0.0   IN      PTR     localhost.

cat /etc/bind/named.conf
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";

// add your zones
include "/etc/bind/named.conf.my-zones";


# write the new zone definitions modelled on /etc/bind/named.conf.default-zones
cat > /etc/bind/named.conf.my-zones <<"EOF"

zone "zk.wh.com" {
        type master;
        file "/etc/bind/db.zk.wh.com";
};

zone "192.in-addr.arpa" {
        type master;
        file "/etc/bind/db.192";
};

EOF

# model the zone data file on db.local
cat /etc/bind/db.local
;
; BIND data file for local loopback interface
;
$TTL    604800
@       IN      SOA     localhost. root.localhost. (
                              2         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
@       IN      NS      localhost.
@       IN      A       127.0.0.1
@       IN      AAAA    ::1


cat > /etc/bind/db.zk.wh.com <<"EOF"
$TTL 86400
@ IN SOA localhost. root.localhost. (
        1  ; Serial
    604800  ; Refresh
    86400  ; Retry
   2419200  ; Expire
    86400 ) ; Negative Cache TTL
;
@ IN NS localhost.
nginx164190       IN      A       192.168.164.190
zcloud164190       IN      A       192.168.164.190


EOF


# model the reverse zone file on db.127
cat /etc/bind/db.127
;
; BIND reverse data file for local loopback interface
;
$TTL    604800
@       IN      SOA     localhost. root.localhost. (
                              1         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
@       IN      NS      localhost.
1.0.0   IN      PTR     localhost.


cat > /etc/bind/db.192 <<"EOF"
$TTL 86400
@ IN SOA localhost. root.localhost. (
        1  ; Serial
    604800  ; Refresh
    86400  ; Retry
   2419200  ; Expire
    86400 ) ; Negative Cache TTL
;
@ IN NS localhost.
; the PTR target must be the fully qualified host name with a trailing dot;
; "nginx164190." on its own would point at a top-level name, not at nginx164190.zk.wh.com.
190.164.168   IN      PTR     nginx164190.zk.wh.com.

EOF

Update the records


# a LAN X.509 wildcard certificate is not trusted for names nested more than one level deep
# Reminder: X.509 wildcards only go one level deep, so this won't match a.b.zk.wh.com
cat > /free_cicdfs0/k8s_data/bind9/etc/bind/db.zk.wh.com <<"EOF"
$TTL 86400
@ IN SOA localhost. root.localhost. (
        1  ; Serial
    604800  ; Refresh
    86400  ; Retry
   2419200  ; Expire
    86400 ) ; Negative Cache TTL
;
@ IN NS localhost.
nginx164190       IN      A       192.168.164.190
zcloud164190      IN      A       192.168.164.190
hub-docker        IN      A       192.168.99.100
EOF
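The one-level wildcard rule from the reminder above, as an added example that is not part of the original post: a small shell check of whether a certificate name covers a host. The SAN list at the end is an assumption (the post only shows a _wildcard.zk.wh.com file) and the host names are constructed.

```shell
# Added example (not from the original post): check whether a certificate
# name covers a host under the one-level wildcard rule (RFC 6125 style).
# "*" is only accepted as the entire leftmost label and matches exactly one
# label, so *.zk.wh.com covers hub-docker.zk.wh.com but neither
# a.b.zk.wh.com nor the bare zk.wh.com. Names are compared case-insensitively.
cert_name_matches() {   # cert_name_matches CERT_NAME HOST -> exit 0 if covered
  pat=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  case $pat in
    '*.'*)                                # wildcard: leftmost label is exactly "*"
      suffix=${pat#"*."}
      first=${host%%.*}                   # host's leftmost label
      rest=${host#*.}                     # everything after it
      [ "$first" != "$host" ] && [ -n "$first" ] && [ "$rest" = "$suffix" ]
      ;;
    *'*'*) return 1 ;;                    # partial wildcards (h*b.zk.wh.com) are rejected
    *)     [ "$pat" = "$host" ] ;;        # plain name: exact match only
  esac
}

cert_covers() {   # cert_covers "SAN1 SAN2 ..." HOST -> exit 0 if any SAN covers HOST
  for n in $1; do
    cert_name_matches "$n" "$2" && return 0
  done
  return 1
}

# Assumed SAN list for the LAN wildcard certificate. A certificate issued for
# zk.wh.com names does not cover the one-k.xyz names introduced later in the
# post, so those need their own SAN (or their own certificate).
SANS='*.zk.wh.com zk.wh.com'
for h in hub-docker.zk.wh.com a.b.zk.wh.com zk.wh.com one-k.xyz; do
  if cert_covers "$SANS" "$h"; then echo "$h: covered"; else echo "$h: NOT covered"; fi
done
```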


# restart the container service and the change takes effect
ssh [email protected]
cd /free_cicdfs0/composes/bind9
docker-compose restart



# test
ping hub-docker.zk.wh.com
PING hub-docker.zk.wh.com (192.168.99.100) 56(84) bytes of data.
64 bytes from 192.168.99.100: icmp_seq=1 ttl=64 time=0.172 ms
64 bytes from 192.168.99.100: icmp_seq=2 ttl=64 time=0.152 ms



Risk

A zone suffix that is too short would make every public .xyz name unresolvable from the LAN;
use one-k.xyz as the suffix instead.
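Both the single-label PTR/NS target problem (a target such as "nginx164190." names a top-level domain, not a host in zk.wh.com) and the short-suffix risk above can be caught before named is restarted. The lint below is an added example, not code from the original post; it assumes the 4-column "name IN TYPE target" layout the post's zone files use, and the two sample zones it writes to temporary files are constructed.

```shell
# Added example (not from the original post): lint a zone file before
# "docker-compose restart" loads it. Flags an origin that is a bare TLD
# (it would shadow every public name under that TLD), NS/PTR/CNAME targets
# that are relative or single-label ("nginx164190." names a TLD, not a host
# in zk.wh.com), and echoes the SOA serial so it gets bumped on every edit.
# Assumes the 4-column "name IN TYPE target" layout used in the post.
zone_lint() {   # zone_lint ORIGIN FILE -> exit 0 when clean, 1 when problems were found
  awk -v origin="$1" '
    BEGIN { if (split(origin, o, ".") < 2) {
      print "origin " origin " is a bare TLD; every public ." origin " name would be shadowed"; bad++ } }
    /^[ \t]*;/ { next }                              # comment line
    /; *Serial/ { print "SOA serial is " $1 " (bump it or secondaries keep the old zone)" }
    $3 == "NS" || $3 == "PTR" || $3 == "CNAME" {
      t = $4
      if (t !~ /\.$/) {                              # relative name: origin gets appended
        print NR ": " $3 " target " t " is relative; named will append " origin
        if ($3 == "PTR") bad++                       # a PTR target lives in another zone
      } else if (t != "localhost." && split(t, p, ".") < 3) {   # localhost. is fine
        print NR ": " $3 " target " t " is a single label (a TLD); use the full host name"; bad++
      }
    }
    END { exit (bad ? 1 : 0) }' "$2"
}

# Constructed sample zones (temp files) to exercise the lint offline.
GOOD=$(mktemp); BAD=$(mktemp)
cat > "$GOOD" <<'EOF'
$TTL 86400
@ IN SOA ns1.zk.wh.com. root.zk.wh.com. (
    2 ; Serial
    604800 86400 2419200 86400 )
@            IN NS  ns1.zk.wh.com.
ns1          IN A   192.168.164.1
nginx164190  IN A   192.168.164.190
EOF
cat > "$BAD" <<'EOF'
$TTL 86400
@ IN SOA localhost. root.localhost. (
    1 ; Serial
    604800 86400 2419200 86400 )
@            IN NS  localhost.
190.164.168  IN PTR nginx164190.
EOF

zone_lint zk.wh.com "$GOOD"                          # clean, exit 0
zone_lint 192.in-addr.arpa "$BAD" || echo "db.192 needs fixing"
zone_lint xyz "$GOOD" || echo "origin too short"
```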

Add the new records

one-k.xyz 192.168.99.100


vi /free_cicdfs0/k8s_data/bind9/etc/bind/named.conf.my-zones

cat > /etc/bind/named.conf.my-zones <<"EOF"


zone "one-k.xyz" {
        type master;
        file "/etc/bind/db.one-k.xyz";
};


zone "zk.wh.com" {
        type master;
        file "/etc/bind/db.zk.wh.com";
};

zone "192.in-addr.arpa" {
        type master;
        file "/etc/bind/db.192";
};

EOF


# @ stands for the zone origin, i.e. the domain name itself
cat > /free_cicdfs0/k8s_data/bind9/etc/bind/db.one-k.xyz <<"EOF"
$TTL 86400
@ IN SOA localhost. root.localhost. (
        1  ; Serial
    604800  ; Refresh
    86400  ; Retry
   2419200  ; Expire
    86400 ) ; Negative Cache TTL
;
@ IN NS localhost.
@              IN      A       192.168.99.100
k8s            IN      A       192.168.91.110
ingress        IN      A       192.168.99.200
test-nginx     IN      A       192.168.99.200
home-wuhan     IN      A       192.168.99.200
minio          IN      A       192.168.99.123
minio-one-node   IN      A       192.168.99.241

EOF



# Force replace, delete and then re-create the resource
kubectl replace --force -f /free_cicdfs0/k8s_ymls/app-yml/bind9.yml
deployment.apps "bind9-214-deployment" deleted
service "bind9-214-udp-deployment" deleted
deployment.apps/bind9-214-deployment replaced
service/bind9-214-udp-deployment replaced

Test


ssh node02

cd /free_cicdfs0/composes/bind9/

docker-compose restart

docker pull one-k.xyz/nginx

Using default tag: latest
latest: Pulling from nginx
Digest: sha256:61191087790c31e43eb37caa10de1135b002f10c09fdda7fa8a5989db74033aa
Status: Downloaded newer image for one-k.xyz/nginx:latest
one-k.xyz/nginx:latest


From: https://www.cnblogs.com/ltgybyb/p/16897703.html
