Installing Puppet + GitLab + Bind on CentOS 7
Add the official Puppet repository
rpm -Uvh https://yum.puppetlabs.com/puppetlabs-release-el-7.noarch.rpm
Install Puppet
yum -y install puppet puppet-server facter
Install and configure the packages GitLab depends on (one command per line; the original ran them together)
yum -y install curl policycoreutils openssh-server openssh-clients
systemctl enable sshd
systemctl start sshd
yum install postfix
systemctl enable postfix
systemctl start postfix
firewall-cmd --permanent --add-service=http
systemctl reload firewalld
Add the Tsinghua (TUNA) GitLab mirror
# vi /etc/yum.repos.d/gitlab-ce.repo
[gitlab-ce]
name=gitlab-ce
baseurl=http://mirrors.tuna.tsinghua.edu.cn/gitlab-ce/yum/el7
repo_gpgcheck=0
gpgcheck=1
enabled=1
gpgkey=https://packages.gitlab.com/gpg.key
The original repo file had gpgcheck=0, so yum would install whatever the mirror served over plain http without checking GitLab's package signature. The mirror carries the same signed RPMs as packages.gitlab.com, so gpgcheck=1 together with the gpgkey line makes yum verify every package; repo_gpgcheck stays 0 because mirrors do not necessarily sync the signed repository metadata.
Install GitLab
yum -y install gitlab-ce
Edit the /etc/gitlab/gitlab.rb file and set the external URL. The firewall rule above only opened the http service (port 80), so 2443/tcp has to be allowed in firewalld as well, otherwise the HTTPS listener is unreachable from other hosts:
external_url "https://gitlab.example.com:2443"
Generate the TLS key and a self-signed certificate. The original used a 1024-bit key, which is below the 2048-bit minimum that current browsers and git clients accept, and encrypted it with -des3 only to strip the passphrase again two commands later; generating an unencrypted 2048-bit key directly gives the same result. Because the certificate is self-signed, git clients must be told to trust gitlab.example.com.crt (system trust store or git's http.sslCAInfo) rather than switching certificate verification off:
openssl genrsa -out gitlab.example.com.key 2048
SUBJECT="/C=CN/ST=China/L=Shanghai/O=example.com/OU=example.com/CN=gitlab.example.com"
openssl req -new -subj "$SUBJECT" -key gitlab.example.com.key -out gitlab.example.com.csr
openssl x509 -req -days 3650 -in gitlab.example.com.csr -signkey gitlab.example.com.key -out gitlab.example.com.crt
Move the certificate and key into /etc/gitlab/ssl (with an https external_url, GitLab Omnibus looks for <hostname>.key and <hostname>.crt in that directory). Keep the private key readable by root only (mode 0600); the web server runs as root during reconfigure and only needs the certificate to be world-readable.
mkdir -p /etc/gitlab/ssl
mv gitlab.example.com.key gitlab.example.com.crt /etc/gitlab/ssl/
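The certificate steps above, as an added example (editor's code, not from the original post): it issues the GitLab server certificate with a 2048-bit RSA key, a subjectAltName (current git, curl and browsers match the SAN, not the CN), no passphrase detour, and a private key that is created read-only for root, then verifies all of that before the files go anywhere near /etc/gitlab/ssl. The host name, the DN fields and the scratch directory are assumptions taken over from the tutorial's example.com setup.

```shell
#!/bin/sh
# Added example (editor's code, not from the original post): issue the GitLab
# server certificate with a 2048-bit RSA key, a subjectAltName, no passphrase
# detour, and a private key readable by root only. Host name and directories
# are assumptions carried over from the tutorial's example.com setup.

# make_selfsigned_cert FQDN OUTDIR [DAYS]
# Creates OUTDIR/FQDN.key (mode 0600) and OUTDIR/FQDN.crt. Non-zero on failure.
make_selfsigned_cert() {
    fqdn=$1; outdir=$2; days=${3:-825}
    mkdir -p "$outdir" || return 1
    cfg=$(mktemp) || return 1
    # Extensions come from a config file rather than -addext so the same
    # command also works with the OpenSSL 1.0.2 that CentOS 7 ships.
    cat > "$cfg" <<EOF
[req]
distinguished_name = dn
x509_extensions    = v3_server
prompt             = no
[dn]
C  = CN
ST = China
L  = Shanghai
O  = example.com
CN = $fqdn
[v3_server]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:$fqdn
EOF
    # umask 077 in a subshell: the key file is born 0600 instead of being
    # world-readable until a later chmod.
    ( umask 077 && openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
        -config "$cfg" -keyout "$outdir/$fqdn.key" -out "$outdir/$fqdn.crt" >/dev/null 2>&1 )
    rc=$?
    rm -f "$cfg"
    [ $rc -eq 0 ] && chmod 644 "$outdir/$fqdn.crt"
    return $rc
}

# cert_check FQDN OUTDIR
# Returns 0 only if the key has at least 2048 bits, is not group/world
# readable, the certificate carries DNS:FQDN in its SAN, and key and
# certificate share the same modulus.
cert_check() {
    fqdn=$1; key="$2/$fqdn.key"; crt="$2/$fqdn.crt"
    bits=$(openssl rsa -in "$key" -noout -text 2>/dev/null \
           | sed -n 's/.*Private-Key: (\([0-9]*\) bit.*/\1/p')
    [ "${bits:-0}" -ge 2048 ] || { echo "weak key: ${bits:-?} bits"; return 1; }
    [ -z "$(find "$key" \( -perm -004 -o -perm -040 \) -print)" ] \
        || { echo "private key readable by group/other"; return 1; }
    openssl x509 -in "$crt" -noout -text | grep -q "DNS:$fqdn" \
        || { echo "certificate has no SAN entry for $fqdn"; return 1; }
    [ "$(openssl x509 -in "$crt" -noout -modulus)" = "$(openssl rsa -in "$key" -noout -modulus 2>/dev/null)" ] \
        || { echo "key and certificate do not match"; return 1; }
    echo "$crt: ok (${bits}-bit RSA, SAN DNS:$fqdn)"
}

# Demo on a scratch directory; on the real host write to /etc/gitlab/ssl.
OUT=$(mktemp -d)
make_selfsigned_cert gitlab.example.com "$OUT" && cert_check gitlab.example.com "$OUT"
```

After the check passes, move the two files into /etc/gitlab/ssl, open 2443/tcp in firewalld (the rule from the dependency step only covers port 80) and run gitlab-ctl reconfigure. cert_check is also a useful gate to run on certificates produced elsewhere: it rejects exactly the 1024-bit, SAN-less certificate the original commands produced.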
If port 8080 is already taken by another program, also change the unicorn port in /etc/gitlab/gitlab.rb to an unused one:
unicorn['port'] = 8081
Apply the configuration and start GitLab
gitlab-ctl reconfigure
Result (screenshot):
On the first login you are asked to set the administrator password; the administrator account is named root.
Install the Bind chroot DNS server
yum -y install bind-chroot bind
Copy the bind sample files to prepare the bind chroot environment
cp -R /usr/share/doc/bind-*/sample/var/named/* /var/named/chroot/var/named
Create the runtime files inside the bind chroot directory
touch /var/named/chroot/var/named/data/cache_dump.db
touch /var/named/chroot/var/named/data/named_stats.txt
touch /var/named/chroot/var/named/data/named_mem_stats.txt
touch /var/named/chroot/var/named/data/named.run
mkdir /var/named/chroot/var/named/dynamic
touch /var/named/chroot/var/named/dynamic/managed-keys.bind
Make Bind's data directories writable by the named user and relabel them for SELinux as named_cache_t. The original used chmod -R 777, which lets every local account rewrite the cache dump and the managed DNSSEC trust anchors in dynamic/; owner root, group named and mode 770 is what the bind package itself uses for /var/named/data and /var/named/dynamic, and gives named everything it needs.
chown -R root:named /var/named/chroot/var/named/data /var/named/chroot/var/named/dynamic
chmod -R 770 /var/named/chroot/var/named/data /var/named/chroot/var/named/dynamic
chcon -R -t named_cache_t /var/named/chroot/var/named/data
chcon -R -t named_cache_t /var/named/chroot/var/named/dynamic
Copy /etc/named.conf into the bind chroot directory
cp -p /etc/named.conf /var/named/chroot/etc/named.conf
Configure bind in named.conf. Note that the file to edit is the copy inside the chroot, not /etc/named.conf:
# vi /var/named/chroot/etc/named.conf
The full configuration is below. The original allowed recursion from any address while listening on every interface, which is exactly the open-resolver setup the packaged comment warns about; recursion is therefore limited to the local network with an ACL, and zone transfers are refused since there is no secondary server.
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

// Hosts allowed to use this server as a recursive resolver: the machine
// itself and the 10.10.10.0/24 network the zones below describe.
acl "lan" { localhost; 10.10.10.0/24; };

options {
        listen-on port 53 { any; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { any; };   // authoritative answers for example.com may go to anyone
        allow-recursion { lan; };   // recursion only for our own clients, never an open resolver
        allow-transfer  { none; };  // no zone transfers until a secondary exists

        /*
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable
           recursion.
         - If your recursive DNS server has a public IP address, you MUST enable access
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface
        */
        recursion yes;

        dnssec-enable yes;
        dnssec-validation yes;
        // DLV (dnssec-lookaside) was retired by ISC in 2017; the BIND shipped with
        // CentOS 7 still accepts the line, newer releases ignore or reject it.
        dnssec-lookaside auto;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

zone "example.com" IN {
        type master;
        file "example.com.zone";
};

zone "10.10.10.in-addr.arpa" IN {
        type master;
        file "10.10.10.zone";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
Create the forward and reverse zone files for the example.com domain
a) Create the forward zone
# vi /var/named/chroot/var/named/example.com.zone
;
; Addresses and other host information.
;
$TTL 86400
@       IN      SOA     example.com. hostmaster.example.com. (
                        2014101901      ; Serial
                        43200           ; Refresh
                        3600            ; Retry
                        3600000         ; Expire
                        2592000 )       ; Minimum

; Define the nameservers and the mail servers
        IN      NS      ns1.example.com.
        IN      A       10.10.10.20
        IN      MX      10 mx.example.com.

centos7 IN      A       10.10.10.20
mx      IN      A       10.10.10.20
ns1     IN      A       10.10.10.20
gitlab  IN      A       10.10.10.20
b) Create the reverse zone. Two things to be aware of: the NS record here names centos7.example.com. while the forward zone names ns1.example.com. (both resolve to 10.10.10.20, so it works, but one name is easier to maintain), and 10.10.10.20 gets three PTR records, so a reverse lookup of that address returns three names in varying order; anything that relies on reverse DNS, such as mail receivers checking the mx host, is better served by a single PTR.
# vi /var/named/chroot/var/named/10.10.10.zone
;
; Addresses and other host information.
;
$TTL 86400
@       IN      SOA     example.com. hostmaster.example.com. (
                        2014101901      ; Serial
                        43200           ; Refresh
                        3600            ; Retry
                        3600000         ; Expire
                        2592000 )       ; Minimum

10.10.10.in-addr.arpa.          IN      NS      centos7.example.com.
20.10.10.10.in-addr.arpa.       IN      PTR     mx.example.com.
20.10.10.10.in-addr.arpa.       IN      PTR     ns1.example.com.
20.10.10.10.in-addr.arpa.       IN      PTR     gitlab.example.com.
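The forward and reverse zones above have to agree with each other, and named-checkzone only checks each file on its own. The script below is an added example (editor's code, not from the original post) that cross-checks the pair: every PTR must point at a name whose A record carries that same address (forward-confirmed reverse DNS, the test mail receivers apply to the mx host), and an address with several PTRs is flagged because reverse lookups become ambiguous. The zone text it runs on is constructed for the demo: the tutorial's own pair, plus a reverse zone with a PTR for an address no forward record owns; file names and the scratch directory are assumptions.

```shell
#!/bin/sh
# Added example (editor's code, not from the original post): cross-check a
# forward zone against its reverse zone. Zone text and file names below are
# constructed for the demo.

# forward_a_records ZONEFILE ORIGIN  ->  lines of "fqdn ip"
# ORIGIN carries its trailing dot (example.com.). A record line that starts
# with whitespace has the "@" owner, i.e. the origin itself.
forward_a_records() {
    awk -v origin="$2" '
        /^[ \t]*;/ || /^[ \t]*$/ { next }
        NF >= 3 && $(NF-1) == "A" {
            owner = ($0 ~ /^[ \t]/) ? "@" : $1
            if (owner == "@")       fqdn = origin
            else if (owner ~ /\.$/) fqdn = owner
            else                    fqdn = owner "." origin
            print fqdn, $NF
        }' "$1"
}

# reverse_ptr_records ZONEFILE ORIGIN  ->  lines of "ip fqdn"
# Accepts fully qualified owners (20.10.10.10.in-addr.arpa.) and relative
# ones (20); the in-addr.arpa labels are reversed back into an address.
reverse_ptr_records() {
    awk -v origin="$2" '
        /^[ \t]*;/ || /^[ \t]*$/ { next }
        NF >= 3 && $(NF-1) == "PTR" {
            owner = ($0 ~ /^[ \t]/) ? "@" : $1
            if (owner == "@")       name = origin
            else if (owner ~ /\.$/) name = owner
            else                    name = owner "." origin
            sub(/\.in-addr\.arpa\.$/, "", name)
            n = split(name, lab, ".")
            ip = lab[n]
            for (i = n - 1; i >= 1; i--) ip = ip "." lab[i]
            print ip, $NF
        }' "$1"
}

# check_zone_pair FWDZONE FWDORIGIN REVZONE REVORIGIN
# Exit 0 when every PTR is confirmed by a matching A record. Prints WARN
# lines for addresses with more than one PTR and for A records without PTR.
check_zone_pair() {
    {
        forward_a_records "$1" "$2" | sed 's/^/A /'
        reverse_ptr_records "$3" "$4" | sed 's/^/PTR /'
    } | awk '
        $1 == "A"   { a[$3 SUBSEP $2] = 1; next }                 # key: ip, name
        $1 == "PTR" { ptr[$2 SUBSEP $3] = 1; ptrs[$2]++; next }   # key: ip, name
        END {
            rc = 0
            for (k in ptr) {
                split(k, p, SUBSEP)
                if (!(k in a)) {
                    printf "ERROR: PTR %s -> %s is not confirmed by an A record\n", p[1], p[2]
                    rc = 1
                }
            }
            for (ip in ptrs)
                if (ptrs[ip] > 1)
                    printf "WARN: %s has %d PTR records; reverse lookups are ambiguous\n", ip, ptrs[ip]
            for (k in a) {
                split(k, p, SUBSEP)
                if (!(k in ptr)) printf "WARN: %s (%s) has no PTR\n", p[2], p[1]
            }
            exit rc
        }'
}

# Constructed sample zones: the tutorial's pair, plus a broken reverse zone.
WORK=$(mktemp -d)
cat > "$WORK/example.com.zone" <<'EOF'
$TTL 86400
@       IN SOA example.com. hostmaster.example.com. (
                2014101901 ; Serial
                43200      ; Refresh
                3600       ; Retry
                3600000    ; Expire
                2592000 )  ; Minimum
        IN NS  ns1.example.com.
        IN A   10.10.10.20
        IN MX  10 mx.example.com.
centos7 IN A   10.10.10.20
mx      IN A   10.10.10.20
ns1     IN A   10.10.10.20
gitlab  IN A   10.10.10.20
EOF
cat > "$WORK/10.10.10.zone" <<'EOF'
$TTL 86400
@   IN SOA example.com. hostmaster.example.com. ( 2014101901 43200 3600 3600000 2592000 )
10.10.10.in-addr.arpa.     IN NS  centos7.example.com.
20.10.10.10.in-addr.arpa.  IN PTR mx.example.com.
20.10.10.10.in-addr.arpa.  IN PTR ns1.example.com.
20.10.10.10.in-addr.arpa.  IN PTR gitlab.example.com.
EOF
cat > "$WORK/10.10.10.bad.zone" <<'EOF'
$TTL 86400
@   IN SOA example.com. hostmaster.example.com. ( 2014101901 43200 3600 3600000 2592000 )
    IN NS  ns1.example.com.
20  IN PTR mx.example.com.
21  IN PTR gitlab.example.com.
EOF

echo "== tutorial zone pair =="
check_zone_pair "$WORK/example.com.zone" example.com. "$WORK/10.10.10.zone" 10.10.10.in-addr.arpa. \
    && echo "OK: every PTR is confirmed"
echo "== broken reverse zone =="
check_zone_pair "$WORK/example.com.zone" example.com. "$WORK/10.10.10.bad.zone" 10.10.10.in-addr.arpa. \
    || echo "FAIL: fix the reverse zone before loading it"
```

Run against the real files it is simply check_zone_pair /var/named/chroot/var/named/example.com.zone example.com. /var/named/chroot/var/named/10.10.10.zone 10.10.10.in-addr.arpa. before restarting named-chroot. On the tutorial's pair it passes but warns about the three PTRs on 10.10.10.20 and about example.com. and centos7 having no PTR at all; on the broken pair the PTR for 10.10.10.21 is rejected because gitlab's A record says 10.10.10.20.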
Stop and disable the plain named service, then start the chrooted one and enable it at boot. Validating the chroot configuration first with named-checkconf (pointed at /var/named/chroot with -t) avoids a failed start.
/usr/libexec/setup-named-chroot.sh /var/named/chroot on
systemctl stop named
systemctl disable named
systemctl start named-chroot
systemctl enable named-chroot