[docker]一些经常或不经常用到的镜像启动方法-一些常用的docker启动方式
mysql
docker run \
-itd \
-p 3306:3306 \
--restart always \
-e MYSQL_ROOT_PASSWORD=root \
-e TZ=Asia/Shanghai \
-v ${HOME}/mysql:/var/lib/mysql \
--name mysql57 \
mysql:5.7 \
--character-set-server=utf8mb4 \
--collation-server=utf8mb4_unicode_ci \
--character-set-client-handshake=FALSE
docker run -it --rm mysql:5.7 mysql -h172.17.0.2 -uroot -proot
一些经常或不经常用到的镜像启动方法
## mongo
docker run \
-d \
--restart=always \
-v /data/mongo:/data/db -d mongo \
-p 27017:27017 \
mongo
## 单机版etcd-使用host网络, 监控四个0
export NODE1=0.0.0.0
docker run \
-d \
--net=host \
--restart=always \
--volume=${DATA_DIR}:/etcd-data \
--name etcd quay.io/coreos/etcd:latest \
/usr/local/bin/etcd \
--data-dir=/etcd-data --name node1 \
--initial-advertise-peer-urls http://${NODE1}:2380 --listen-peer-urls http://${NODE1}:2380 \
--advertise-client-urls http://${NODE1}:2379 --listen-client-urls http://${NODE1}:2379 \
--initial-cluster node1=http://${NODE1}:2380
etcdctl --endpoints=http://${NODE1}:2379 member list
## 设置容器的TZ另一种办法
参考: https://github.com/spujadas/elk-docker/blob/master/start.sh
override default time zone (Etc/UTC) if TZ variable is set
if [ ! -z "$TZ" ]; then
ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && echo $TZ > /etc/timezone
fi
## 带ssh的centos
docker run -d -p 0.0.0.0:2222:22 tutum/centos6
docker run -d -p 0.0.0.0:2222:22 tutum/centos
docker run -d -p 0.0.0.0:2222:22 -v /etc/localtime:/etc/localtime:ro -v /etc/timezone:/etc/timezone:ro tutum/centos6
docker run -d -p 0.0.0.0:2222:22 -v /etc/localtime:/etc/localtime:ro -v /etc/timezone:/etc/timezone:ro tutum/centos
支持两种验证方式:
docker run -d -p 0.0.0.0:2222:22 -v /etc/localtime:/etc/localtime:ro -v /etc/timezone:/etc/timezone:ro -e ROOT_PASS="mypass" tutum/centos
docker run -d -p 2222:22 -e AUTHORIZED_KEYS="cat ~/.ssh/id_rsa.pub
" tutum/centos
docker logs <CONTAINER_ID>
ssh -p
参考: https://hub.docker.com/r/tutum/centos/
## 带ping/curl/nslookup的busybox
docker run -itd --name=test1 --net=test-network radial/busyboxplus /bin/sh
## nginx
mkdir -p /data/nginx-html
echo "maotai" > /data/nginx-html/index.html
docker run -d
--net=host
--restart=always
-v /etc/nginx/nginx.conf:/etc/nginx/nginx.conf:ro
-v /etc/localtime:/etc/localtime:ro
-v /data/nginx-html:/usr/share/nginx/html
--name nginx
nginx
## portainer多单节点管理界面的部署
cp /etc/docker/daemon.json /etc/docker/daemon.json.bak.$(date +%F)
cat >/etc/docker/daemon.json<<EOF
{
"registry-mirrors": ["https://registry.docker-cn.com"],
"hosts": [
"tcp://0.0.0.0:2375",
"unix:///var/run/docker.sock"
]
}
EOF
systemctl daemon-reload
systemctl restart docker && systemctl enable docker
docker run -d
-p 9000:9000
--restart=always
-v /etc/localtime:/etc/localtime:ro
-v /var/run/docker.sock:/var/run/docker.sock
portainer/portainer
#### nginx配置
```bash
mv /etc/nginx /etc/nginx_$(date +%F)
mkdir -p /etc/nginx/conf.d/
mkdir -p /data/nginx-html
echo "maotai" > /data/nginx-html/index.html
cat >> /etc/nginx/nginx.conf<<EOF
user nginx;
worker_processes 1;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
server_name_in_redirect off;
client_max_body_size 20m;
client_header_buffer_size 16k;
large_client_header_buffers 4 16k;
sendfile on;
tcp_nopush on;
keepalive_timeout 65;
server_tokens off;
gzip on;
gzip_min_length 1k;
gzip_buffers 4 16k;
gzip_proxied any;
gzip_http_version 1.1;
gzip_comp_level 3;
gzip_types text/plain application/x-javascript text/css application/xml;
gzip_vary on;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
log_format json '{"@timestamp": "$time_iso8601",'
'"@version": "1",'
'"client": "$remote_addr",'
'"url": "$uri", '
'"status": $status, '
'"domain": "$host", '
'"host": "$server_addr",'
'"size":"$body_bytes_sent", '
'"response_time": $request_time, '
'"referer": "$http_referer", '
'"http_x_forwarded_for": "$http_x_forwarded_for", '
'"ua": "$http_user_agent" } ';
access_log /var/log/nginx/access.log json;
include /etc/nginx/conf.d/*.conf;
}
EOF
tree /etc/nginx/
cat >> /etc/nginx/conf.d/default.conf <<EOF
server {
listen 80;
server_name localhost;
#charset koi8-r;
#access_log /var/log/nginx/host.access.log json;
location / {
root /usr/share/nginx/html;
index index.html index.htm;
}
#error_page 404 /404.html;
# redirect server error pages to the static page /50x.html
#
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
# proxy the PHP scripts to Apache listening on 127.0.0.1:80
#
#location ~ \.php$ {
# proxy_pass http://127.0.0.1;
#}
# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
#
#location ~ \.php$ {
# root html;
# fastcgi_pass 127.0.0.1:9000;
# fastcgi_index index.php;
# fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
# include fastcgi_params;
#}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
}
EOF
tree /etc/nginx/
nginx-lb
docker run --name nginx-lb \
-d \
-v /etc/nginx/nginx.conf:/etc/nginx/nginx.conf:ro \
--net=host \
--restart=always \
-v /etc/localtime:/etc/localtime \
nginx:1.13.3-alpine
lnmp(每个组件独立)
参考: https://github.com/micooz/docker-lnmp
docker-compose up
启动一个mysql
cat /root/dockerfile/mysql/start.sh
docker run -p 3306:3306 -v /data/mysql:/var/lib/mysql -v /etc/localtime:/etc/localtime --name mysql5 --restart=always -d mysql:5.6.23 --character-set-server=utf8 --collation-server=utf8_general_ci
docker run \
-p 3306:3306 \
-v /data/mysql:/var/lib/mysql \
-v /etc/localtime:/etc/localtime \
--name mysql5 \
--restart=always \
-e MYSQL_ROOT_PASSWORD=123456 \
-d mysql:5.6.23 --character-set-server=utf8 --collation-server=utf8_general_ci
show VARIABLES like '%max_allowed_packet%';
show variables like '%storage_engine%';
show variables like 'collation_%';
show variables like 'character_set_%';
mysql主从库
#+++++++++++++++++++++++++++
# mysql主从库
#+++++++++++++++++++++++++++
docker run -d -e REPLICATION_MASTER=true -e REPLICATION_PASS=mypass -p 3306:3306 --name mysql tutum/mysql
docker run -d -e REPLICATION_SLAVE=true -p 3307:3306 --link mysql:mysql tutum/mysql
gogs安装(不过建议用gitlab)
docker run -itd \
-p 53000:3000 -p 50022:22 \
-v /data/gogs:/data \
-v /etc/localtime:/etc/localtime \
--restart=always \
gogs/gogs
cowcloud
docker run -v /data/owncloud-data:/var/www/html -v /etc/localtime:/etc/localtime -v :/var/www/html/config --restart=always -itd -p 8000:80 owncloud
nextcloud(和owncloud一样,据说这个支持在线md记录笔记,总之感觉功能更强大)
参考: https://hub.docker.com/_/nextcloud/
docker run -d \
-p 8080:80
-v nextcloud:/var/www/html \
nextcloud
安装confluence
docker run \
-v /data/confluence/conflu_data:/var/atlassian/application-data/confluence \
-v /etc/localtime:/etc/localtime \
-v /data/confluence/server.xml:/opt/atlassian/confluence/conf/server.xml \
--restart=always \
--link mysql5:db \
--name="confluence" -d \
-p 8090:8090 \
-p 8091:8091 \
cptactionhank/atlassian-confluence
参考:http://wuyijun.cn/shi-yong-dockerfang-shi-an-zhuang-he-yun-xing-confluence/
- 配置confluence
- 创建数据库
create database confluence default character set utf8 collate utf8_bin;
grant all on confluence.* to 'confluence'@"172.17.0.%" identified by "confluenceman";
grant all on confluence.* to 'confluence'@"192.168.6.%";
grant all on confluence.* to 'confluence'@"192.168.8.%";
- 安装破解
1.导出后用破机器破解
docker cp confluence:/opt/atlassian/confluence/confluence/WEB-INF/lib/atlassian-extras-decoder-v2-3.2.jar ./
mv atlassian-extras-decoder-v2-3.2.jar atlassian-extras-2.4.jar
2. 将破解文件导入系统
mv atlassian-extras-2.4.jar atlassian-extras-decoder-v2-3.2.jar
docker cp ./atlassian-extras-decoder-v2-3.2.jar confluence:/opt/atlassian/confluence/confluence/WEB-INF/lib/
3.重启confluence
docker stop confluence
docker start confluence
- 1.贴上破机器的序列号
- 2.选jdbc连mysql url写:
jdbc:mysql://db:3306/confluence?sessionVariables=storage_engine%3DInnoDB&amp;useUnicode=true&amp;characterEncoding=utf8
-
3.导入既有的数据
参考:https://www.ilanni.com/?p=11989
如:xmlexport-20170902-100808-153.zip
这里包含了数据库数据. -
4.安装完毕
管理员帐号密码登陆 http://192.168.x.x:8090
admin
xxxxx
- 5.配置邮箱
这里我没用server.xml里配置(配了测试有问题),直接smtp用新浪邮箱配的
smtp.sina.com
mt@sina.com
123456
phabricator审计系统(客服给开发提bug)
docker run -d \
-p 9080:80 -p 9443:443 -p 9022:22 \
--env PHABRICATOR_HOST=sj.pp100.net \
--env MYSQL_HOST=192.168.x.x \
--env MYSQL_USER=root \
--env MYSQL_PASS=elc123 \
--env PHABRICATOR_REPOSITORY_PATH=/repos \
--env PHABRICATOR_HOST_KEYS_PATH=/hostkeys/persisted \
-v /data/phabricator/hostkeys:/hostkeys \
-v /data/phabricator/repo:/repos \
redpointgames/phabricator
hackmarkdown安装(内网markdown服务器,支持贴图权限,还有专门的客户端等)
https://github.com/hackmdio/docker-hackmd/blob/master/docker-compose.yml
docker-compose up -d
参考: 数据的备份等都有.
https://github.com/hackmdio/docker-hackmd
https://hub.docker.com/r/hackmdio/hackmd/
容器启动常用选项
- 1, 时区
- 2, 自动重启
- 3, 日志
docker run \
-v /etc/localtime:/etc/localtime:ro
-v /etc/timezone:/etc/timezone:ro
--restart=always \
docker run \
-v /etc/localtime:/etc/localtime:ro
-v /etc/timezone:/etc/timezone:ro
-v /etc/localtime:/etc/localtime:ro -v /etc/timezone:/etc/timezone:ro
记录两份 一份是前台输出,另一份
docker run -it --rm -p 80:80 nginx
ll /var/lib/docker/containers/*/*.log
针对容器的日志切割(不然日志越滚越大)
容器日志目录: /var/lib/docker/containers//.log.*
docker run -d -v /var/lib/docker/containers:/var/lib/docker/containers:rw \
-v /etc/localtime:/etc/localtime:ro \
--restart=always \
tutum/logrotate
- 原理(logrotated的一个copytruncate选项很好,不截断日志情况下滚动日志)
## 可以进到容器里看看日志滚动策略.
#https://hub.docker.com/r/tutum/logrotate/
/ # cat /etc/logrotate.conf
/var/lib/docker/containers/*/*.log {
rotate 0
copytruncate
sharedscripts
maxsize 10M
postrotate
rm -f /var/lib/docker/containers/*/*.log.*
endscript
#logrotate说明copytruncate
# http://www.lightxue.com/how-logrotate-works
#让我联想起了nginx日志切割
cat > /etc/logrotate.d/nginx
/usr/local/nginx/logs/*.log {
daily
missingok
rotate 7
dateext
compress
delaycompress
notifempty
sharedscripts
postrotate
if [ -f /usr/local/nginx/logs/nginx.pid ]; then
kill -USR1 `cat /usr/local/nginx/logs/nginx.pid`
fi
endscript
}
清理长时间不用的镜像和volumes
docker run -d \
--privileged \
-v /var/run:/var/run:rw \
-v /var/lib/docker:/var/lib/docker:rw \
-e IMAGE_CLEAN_INTERVAL=1 \
-e IMAGE_CLEAN_DELAYED=1800 \
-e VOLUME_CLEAN_INTERVAL=1800 \
-e IMAGE_LOCKED="ubuntu:trusty, tutum/curl:trusty" \
tutum/cleanup
# https://hub.docker.com/r/tutum/cleanup/
# IMAGE_CLEAN_INTERVAL (optional) How long to wait between cleanup runs (in seconds), 1 by default.
# IMAGE_CLEAN_DELAYED (optional) How long to wait to consider an image unused (in seconds), 1800 by default.
# VOLUME_CLEAN_INTERVAL (optional) How long to wait to consider a volume unused (in seconds), 1800 by default.
# IMAGE_LOCKED (optional) A list of images that will not be cleaned by this container, separated by ,
- 原理:调用二进制程序
/ # cat run.sh
#!/bin/sh
if [ ! -e "/var/run/docker.sock" ]; then
echo "=> Cannot find docker socket(/var/run/docker.sock), please check the command!"
exit 1
fi
if [ "${IMAGE_LOCKED}" == "**None**" ]; then
exec /cleanup \
-imageCleanInterval ${IMAGE_CLEAN_INTERVAL} \
-imageCleanDelayed ${IMAGE_CLEAN_DELAYED}
else
exec /cleanup \
-imageCleanInterval ${IMAGE_CLEAN_INTERVAL} \
-imageCleanDelayed ${IMAGE_CLEAN_DELAYED} \
-imageLocked "${IMAGE_LOCKED}"
fi
zk集群
参考: https://segmentfault.com/a/1190000006907443
version: '2'
services:
zoo1:
image: zookeeper
restart: always
container_name: zoo1
volumes:
- /etc/localtime:/etc/localtime
ports:
- "2181:2181"
environment:
ZOO_MY_ID: 1
ZOO_SERVERS: server.1=zoo1:2888:3888 server.2=zoo2:2888:3888 server.3=zoo3:2888:3888
zoo2:
image: zookeeper
restart: always
container_name: zoo2
volumes:
- /etc/localtime:/etc/localtime
ports:
- "2182:2181"
environment:
ZOO_MY_ID: 2
ZOO_SERVERS: server.1=zoo1:2888:3888 server.2=zoo2:2888:3888 server.3=zoo3:2888:3888
zoo3:
image: zookeeper
restart: always
volumes:
- /etc/localtime:/etc/localtime
container_name: zoo3
ports:
- "2183:2181"
environment:
ZOO_MY_ID: 3
ZOO_SERVERS: server.1=zoo1:2888:3888 server.2=zoo2:2888:3888 server.3=zoo3:2888:3888
检查:
echo stat|nc127.0.0.1 2181
或者进入到容器去看
#docker exec zoo1 /zookeeper-3.4.10/bin/zkCli.sh -server 127.0.0.1:2181
#/zookeeper-3.4.10/bin/zkCli.sh -server 127.0.0.1:2181
zabbix(monitoringartist这小伙把组件搞在一个镜像了)
docker run \
-d \
--name dockbix-db \
-v /backups:/backups \
-v /etc/localtime:/etc/localtime:ro \
--volumes-from dockbix-db-storage \
--env="MARIADB_USER=zabbix" \
--env="MARIADB_PASS=my_password" \
monitoringartist/zabbix-db-mariadb
# Start Dockbix linked to the started DB
docker run \
-d \
--name dockbix \
-p 80:80 \
-p 10051:10051 \
-v /etc/localtime:/etc/localtime:ro \
--link dockbix-db:dockbix.db \
--env="ZS_DBHost=dockbix.db" \
--env="ZS_DBUser=zabbix" \
--env="ZS_DBPassword=my_password" \
--env="XXL_zapix=true" \
--env="XXL_grapher=true" \
monitoringartist/dockbix-xxl:latest
分开的zabbix,这个我没测
docker run --name zabbix-server-mysql -t \
-v /etc/localtime:/etc/localtime:ro \
-v /data/zabbix-alertscripts:/usr/lib/zabbix/alertscripts \
-v /etc/zabbix/zabbix_server.conf:/etc/zabbix/zabbix_server.conf \
-e DB_SERVER_HOST="192.168.14.132" \
-e MYSQL_DATABASE="zabbix" \
-e MYSQL_USER="zabbix" \
-e MYSQL_PASSWORD="Tx66sup" \
-e MYSQL_ROOT_PASSWORD="Tinsu" \
-e ZBX_JAVAGATEWAY="127.0.0.1" \
--network=host \
-d registry.docker-cn.com/zabbix/zabbix-server-mysql:ubuntu-3.4.0
docker run --name mysql-server -t \
-v /etc/localtime:/etc/localtime:ro \
-v /etc/my.cnf:/etc/my.cnf \
-v /data/mysql-data:/var/lib/mysql \
-e MYSQL_DATABASE="zabbix" \
-e MYSQL_USER="zabbix" \
-e MYSQL_PASSWORD="bix66sup" \
-e MYSQL_ROOT_PASSWORD="adminsu" \
-p 3306:3306 \
-d registry.docker-cn.com/mysql/mysql-server:5.7
docker run --name zabbix-java-gateway -t \
-v /etc/localtime:/etc/localtime:ro \
--network=host \
-d registry.docker-cn.com/zabbix/zabbix-java-gateway:latest
bdocker run --name zabbix-web-nginx-mysql -t \
-v /etc/localtime:/etc/localtime:ro \
-e DB_SERVER_HOST="192.168.14.132" \
-e MYSQL_DATABASE="zabbix" \
-e MYSQL_USER="zabbix" \
-e MYSQL_PASSWORD="TCzp" \
-e MYSQL_ROOT_PASSWORD="TC6u" \
-e PHP_TZ="Asia/Shanghai" \
--network=host \
-d registry.docker-cn.com/zabbix/zabbix-web-nginx-mysql:ubuntu-3.4.0
docker监控advisor
docker run \
--volume=/:/rootfs:ro \
--volume=/var/run:/var/run:rw \
--volume=/sys:/sys:ro \
--volume=/var/lib/docker/:/var/lib/docker:ro \
--publish=8080:8080 \
--detach=true \
--name=cadvisor \
google/cadvisor:latest
http://192.168.14.133:8080/
centos7跑cAdvisor-InfluxDB-Grafana
- 参考
http://www.pangxie.space/docker/456
https://www.brianchristner.io/how-to-setup-docker-monitoring/
https://github.com/vegasbrianc/docker-monitoring/blob/master/docker-monitoring-0.9.json
- 启动influxdb(使用最新的发现不好使)
docker run -d -p 8083:8083 -p 8086:8086 --expose 8090 --expose 8099 --name influxsrv tutum/influxdb:0.10
- 创建db
docker exec -it influxsrv bash
use cadvisor
CREATE USER "root" WITH PASSWORD 'root' WITH ALL PRIVILEGES
CREATE DATABASE cadvisor
show users
- 启动cadvisor
docker run --volume=/:/rootfs:ro --volume=/var/run:/var/run:rw --volume=/sys:/sys:ro --volume=/var/lib/docker/:/var/lib/docker:ro --publish=8080:8080 --detach=true --link influxsrv:influxsrv --name=cadvisor google/cadvisor:latest -storage_driver=influxdb -storage_driver_db=cadvisor -storage_driver_host=influxsrv:8086
- 启动grafna, 加db源.导入dashboard
docker run -d -p 3000:3000 -e INFLUXDB_HOST=192.168.14.133 -e INFLUXDB_PORT=8086 -e INFLUXDB_NAME=cadvisor -e INFLUXDB_USER=root -e INFLUXDB_PASS=root --link influxsrv:influxsrv --name grafana grafana/grafana
Prometheus+Grafana(这个比cAdvisor-InfluxDB-Grafana展示效果更好一些)
A Prometheus & Grafana docker-compose stack
参考: https://github.com/vegasbrianc/prometheus
docker-compose up -d
elk
elk容器要占2g内存,vm分配至少给2g
参考:http://elk-docker.readthedocs.io/#installation
https://github.com/gregbkr/elk-dashboard-v5-docker
sysctl -w vm.max_map_count=262144
docker run -d -v /etc/localtime:/etc/localtime --restart=always -p 5601:5601 -p 9200:9200 -p 5044:5044 -it --name elk sebp/elk
docker run -d -v /etc/localtime:/etc/localtime --restart=always -p 9100:9100 mobz/elasticsearch-head:5
或
docker-compose up -d
纯手动安装elastic+kibana(elk)
useradd elk
cd /usr/local/src/
tar xf elasticsearch-5.6.4.tar.gz -C /usr/local/
tar xf kibana-5.6.4-linux-x86_64.tar.gz -C /usr/local/
ln -s /usr/local/elasticsearch-5.6.4 /usr/local/elasticsearch
ln -s /usr/local/kibana-5.6.4-linux-x86_64 /usr/local/kibana
chown -R elk. /usr/local/elasticsearch
chown -R elk. /usr/local/elasticsearch/
chown -R elk. /usr/local/kibana
chown -R elk. /usr/local/kibana/
mkdir /data/es/{data,logs} -p
chown -R elk. /data
修改es配置
0.0.0.0
http.cors.enabled: true
http.cors.allow-origin: "*"
修改内核:
vim /etc/security/limits.conf
* soft nproc 65536
* hard nproc 65536
* soft nofile 65536
* hard nofile 65536
sysctl -w vm.max_map_count=262144
sysctl -p
nohup /bin/su - elk -c "/usr/local/elasticsearch/bin/elasticsearch" > /data/es/es-start.log 2>&1 &
nohup /bin/su - elk -c "/usr/local/kibana/bin/kibana" > /data/es/kibana-start.log 2>&1 &
docker run -d -v /etc/localtime:/etc/localtime --restart=always -p 9100:9100 mobz/elasticsearch-head:5
安装elk的head插件
先修改es的配置文件: elasticsearch.yml追加
http.cors.enabled: true
http.cors.allow-origin: "*"
docker run -d -v /etc/localtime:/etc/localtime --restart=always -p 9100:9100 mobz/elasticsearch-head:5
物理机安装elk之前的优化操作
sudo sysctl -w vm.max_map_count=262144
make it persistent:
$ vim /etc/sysctl.conf
vm.max_map_count=262144
es常用操作参考: http://www.cnblogs.com/lishouguang/p/4560930.html
## 备份,扩容等脚本,有点老,但是思路可以参考,https://github.com/gregbkr/docker-elk-cadvisor-dashboards
http://192.168.14.133:9200/_cat/health?v #查看集群状态
http://192.168.14.133:9200/_cat/nodes?v #查看节点状态
http://192.168.14.133:9200/_cat/indices?v #查看index列表
#创建index
curl -XPUT http://vm1:9200/customer?pretty
#添加一个document
[es@vm1 ~]$ curl -XPUT vm1:9200/customer/external/1?pretty -d '{"name":"lisg"}'
#检索一个document
[es@vm1 ~]$ curl -XGET vm1:9200/customer/external/1?pretty
#删除一个document
[es@vm1 ~]$ curl -XDELETE vm1:9200/customer/external/1?pretty
#删除一个type
[es@vm1 ~]$ curl -XDELETE vm1:9200/customer/external?pretty
#删除一个index
[es@vm1 ~]$ curl -XDELETE vm1:9200/customer?pretty
#POST方式可以添加一个document,不用指定ID
[es@vm1 ~]$ curl -XPOST vm1:9200/customer/external?pretty -d '{"name":"zhangsan"}'
#使用doc更新document
[es@vm1 ~]$ curl -XPUT vm1:9200/customer/external/1?pretty -d '{"name":"lisg4", "age":28}'
#使用script更新document(1.4.3版本动态脚本是被禁止的)
[es@vm1 ~]$ curl -XPOST vm1:9200/customer/external/1/_update?pretty -d '{"script":"ctx._source.age += 5"}'
启动jenkins
docker run -d -u root \
-p 8080:8080 \
-v /var/run/docker.sock:/var/run/docker.sock \
-v $(which docker):/bin/docker \
-v /var/jenkins_home:/var/jenkins_home \
jenkins
带ssh的tomcat
之前一直使用单个app的容器,如tomcat,我只需要catalina.sh run来启动前台容器.其中方法:我可以CMD ['run.sh'],其中run.sh有了我想执行的命令.
我也可以通过ENTRYPOINT ["docker-entrypoint.sh"],这样更加灵活了.可以通过CMD往这个脚本传参了.
后台tomcat容器需要ssh进去管理.这就意味着必须sshd也要同时前台启动,只能用supervisor来管理了.
参考:http://blog.csdn.net/iiiiher/article/details/70918045,其中包含了,
但是我感觉还是不太完善.
- 1,熟悉dockerfile语法
- 2,手动构建centos7
- 3,使用官网centos7
- 4,系统层--基于官网cenos7 添加 supervisor+ssh,启动后即启动ssh
- 5,运行层—安装jdk
- 6,app层安装tomcat,暴露8080.—supervisor接管.
新总结下supervisord.conf的配置(tomcat+ssh镜像)
参考: https://github.com/zabbix/zabbix-docker/blob/3.4/web-apache-mysql/alpine/conf/etc/supervisor/conf.d/supervisord_zabbix.conf
[supervisord]
nodaemon = true
[program:sshd]
command=/usr/sbin/sshd -D
process_name=%(program_name)s
auto_start = true
autorestart = true
[program:tomcat]
command=/data/tomcat/bin/catalina.sh run
process_name=%(program_name)s
auto_start = true
autorestart = true
stdout_logfile = /dev/stdout
stdout_logfile_maxbytes = 0
stderr_logfile = /dev/stderr
stderr_logfile_maxbytes = 0
这是tomcat的dockerfile[tomcat+ssh镜像],
其中要准备,下载解压这些目录到Dockerfile所在目录, jdk, tomcat,tomcat的server.xml(后期我k8s集群使用cm来覆盖)
Dockerfile
FROM centos:6.8
# Init centos
ENV TERM="linux"
ENV TERMINFO="/etc/terminfo"
ENV LANG="en_US.UTF-8"
ENV LANGUAGE="en_US.UTF-8"
ENV LC_ALL="en_US.UTF-8"
ENV TZ="PRC"
COPY localtime /etc/localtime
#ssh
RUN yum -y install openssh-server epel-release && \
rm -f /etc/ssh/ssh_host_dsa_key /etc/ssh/ssh_host_rsa_key && \
ssh-keygen -q -N "" -t dsa -f /etc/ssh/ssh_host_dsa_key && \
ssh-keygen -q -N "" -t rsa -f /etc/ssh/ssh_host_rsa_key && \
sed -i "s/#UsePrivilegeSeparation.*/UsePrivilegeSeparation no/g" /etc/ssh/sshd_config && \
sed -i "s/UsePAM.*/UsePAM yes/g" /etc/ssh/sshd_config && \
sed -i 's#\#UseDNS yes#UseDNS no#g' /etc/ssh/sshd_config && \
sed -i 's#GSSAPIAuthentication yes#GSSAPIAuthentication no#g' /etc/ssh/sshd_config && \
echo "root:123456" | chpasswd && \
yum clean all
#supervisor
RUN yum -y install supervisor && \
mkdir -p /etc/supervisor/
COPY supervisord.conf /etc/supervisor/
# Prepare jdk and tomcat environment
ENV JAVA_HOME /usr/local/jdk
ENV CLASSPATH .:$JAVA_HOME/lib:$JAVA_HOME/jre/lib:$JAVA_HOME/lib/tools.jar
ENV TOMCAT_HOME /data/tomcat
ENV PATH $JAVA_HOME/bin:$TOMCAT_HOME/bin:$PATH
ENV CATALINA_HOME=/data/tomcat
ENV ENVCATALINA_BASE=/data/tomcat
#RUN export JAVA_HOME CLASSPATH TOMCAT_HOME PATH CATALINA_HOME ENVCATALINA_BASE
# Install Oracle jdk-8u25
COPY jdk /usr/local/jdk
# Install apache-tomcat-7.0.62
RUN mkdir -p /data/tomcat && mkdir -p /data/web/elc/ && \
ulimit -SHn 65535 && \
echo '* - nofile 65536' >>/etc/security/limits.conf
COPY tomcat /data/tomcat
COPY server.xml /tmp/server.xml
RUN ln -s /tmp/server.xml /data/tomcat/conf/server.xml
WORKDIR /data/tomcat
EXPOSE 8080 22
CMD ["supervisord","-c","/etc/supervisor/supervisord.conf"]
其中centos的dockerfile参考: https://github.com/tutumcloud/tutum-centos/blob/master/centos6/Dockerfile
这里可以指定ssh的密码,你也可以使用pwdgen(yum install)工具随机生成密码,打印在console口通过docker logs -f来查看到密码,后期直接自己改密码.参考那个github吧.
docker容器volume从容器里挂文件到宿主机
参考: 这几篇Dockerfile最佳实践很有必要去读一读.
http://blog.csdn.net/shanyongxu/article/details/51456444
http://blog.csdn.net/shanyongxu/article/details/51456592
http://blog.csdn.net/shanyongxu/article/details/51460930
http://blog.csdn.net/shanyongxu/article/details/51476997
后来发现,-v选项 之前是把容器外的数据挂容器里用 刚想把容器里的某个文件挂到宿主机用,
只能挂出 run之后容器产生的数据,
如nginx: 可以获取到nginx的access日志和error日志,因为这些日志都是容器启动后生成的
docker run -itd -v /tmp/nginx/:/var/log/nginx/ -p 80:80 nginx
在比如centos: 我只在宿主机/tmp下发现hostname hosts resolv.conf这三个文件,这些文件是容器run之后产生的文件.
docker run -itd -v /tmp/etc/:/tmp/etc/ centos
nginx基于centos的dockerfile
FROM centos:6.8
ENV NGINX_VERSION 1.13.6
RUN CONFIG="\
--user=nginx \
--group=nginx \
--prefix=/usr/local/nginx \
--with-http_stub_status_module \
--with-http_ssl_module \
" \
&& useradd nginx -s /sbin/nologin \
&& yum install openssl openssl-devel pcre pcre-devel gcc c++ -y \
&& curl -fSL http://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz -o /usr/local/src/nginx-${NGINX_VERSION}.tar.gz \
&& tar -xvf /usr/local/src/nginx-$NGINX_VERSION.tar.gz -C /usr/local/src \
&& cd /usr/local/src/nginx-$NGINX_VERSION \
&& ./configure $CONFIG \
&& make \
&& make install \
&& rm -rf /usr/local/src/*
RUN ln -sf /dev/stdout /usr/local/nginx/log/access.log \
&& ln -sf /dev/stderr /usr/local/nginx/log/error.log
EXPOSE 80 443
CMD ["/usr/local/nginx/sbin/nginx", "-g", "daemon off;"]
linux一键初始化linux
#!/bin/bash
# 近400行shell脚本分享:一键优化系统,安全设置、安装、配置常见服务lnmp,redis,mongodb,vpn,帮助开发迅速搭建开发环境,也可用于单机版生产环境。
echo "This script is for centos7"
function check {
if [ $? -ne 0 ];then
echo -e "\033[31m\n the last command exec failed,please check it \033[0m \n"
sleep 1
exit -1
fi
}
function initialize_system {
echo -e "\033[32m 1.关闭selinux \033[0m"
sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
setenforce 0
echo -e "\033[32m 2.开启时间同步 \033[0m"
cat /var/spool/cron/root|grep -w "/usr/sbin/ntpdate pool.ntp.org > /dev/null 2>&1"
[ $? -ne 0 ] && echo "0 0 * * * /usr/sbin/ntpdate pool.ntp.org > /dev/null 2>&1" >>/var/spool/cron/root
echo -e "\033[32m crontab has been added successfully \033[0m"
echo -e "\033[32m 3.修改最大连接数unlimt=102400 \033[0m"
ulimit -n 102400
cat /etc/security/limits.conf |grep -w "* soft nofile 102400"
[ $? -ne 0 ] && echo "* soft nofile 102400" >>/etc/security/limits.conf
cat /etc/security/limits.conf |grep -w "* hard nofile 102400"
[ $? -ne 0 ] && echo "* hard nofile 102400" >>/etc/security/limits.conf
echo -e "\033[32m file handel has been successfully changed \033[0m"
echo -e "\033[32m 4.增加114.114.114.114的dns \033[0m"
cat /etc/resolv.conf|grep -w "nameserver=114.114.114.114"
[ $? -ne 0 ] && echo "nameserver=114.114.114.114" >>/etc/resolv.conf
echo -e "\033[32m dns successful \033[0m"
echo -e "\033[32m 5.设置ts=4 \033[0m"
cat /etc/vimrc|grep -w "set ts=4"
[ $? -ne 0 ] && echo "set ts=4" >>/etc/vimrc
echo "install software dos2unix,telnet,lrzsz,wget,git,unzip,zip, crontabs openssl-devel gcc gcc-c++"
yum install dos2unix vim telnet lrzsz wget git unzip zip openssl-devel gcc gcc-c++ -y
}
function install_nginx {
echo "\033[36m\n 安装nginx \033[0 \n"
rpm -qa|grep nginx-release-centos-7-0.el7.ngx.noarch
if [ $? -ne 0 ];then
rpm -Uvh http://nginx.org/packages/centos/7/noarch/RPMS/nginx-release-centos-7-0.el7.ngx.noarch.rpm
check;
fi
yum install -y nginx
check;
sed -i 's/user nginx nginx/user www www/g' /etc/nginx/nginx.conf
sed -i 's/worker_connections 1024/worker_connections 51024/g' /etc/nginx/nginx.conf
sed -i 's/worker_processes 1/worker_processes auto/g' /etc/nginx/nginx.conf
cat /etc/nginx/nginx.conf |grep -w "fastcgi_buffers 8 128k"
[ $? -ne 0 ] && sed -i '25ifastcgi_buffers 8 128k;' /etc/nginx/nginx.conf
cat /etc/nginx/nginx.conf |grep -w "client_max_body_size 8M;"
[ $? -ne 0 ] && sed -i '26iclient_max_body_size 8M;' /etc/nginx/nginx.conf
mv /etc/nginx/conf.d/default.conf{,.bak}
useradd www
service nginx restart
echo -e "\033[36m nginx install finished for the latest!配置文件位于/etc/nginx/ \033[0m "
echo -e "\033[36m\n ---请自行配置nginx--- \033[0m \n"
}
function install_php71 {
echo -e "\033[36m\n安装php7.1和php7.1的全部扩展\033[0m \n"
rpm -qa|grep epel-release-7
if [ $? -ne 0 ];then
rpm -Uvh https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
check;
fi
rpm -qa|grep webtatic-release
if [ $? -ne 0 ];then
rpm -Uvh https://mirror.webtatic.com/yum/el7/webtatic-release.rpm
check;
fi
yum install -y php71w* --skip-broken
check;
echo -e "\033[36m\n 修改session权限 \033[0m \n"
useradd www
chown -R www.www /var/lib/php/
sed -i 's/user = apache/user = www/g' /etc/php-fpm.d/www.conf
sed -i 's/group = apache/group = www/g' /etc/php-fpm.d/www.conf
sed -i 's/pm.max_children = 50/pm.max_children = 1500/g' /etc/php-fpm.d/www.conf
sed -i 's/upload_max_filesize = 2M/upload_max_filesize = 10M/g' /etc/php.ini
echo -e "\033[36m user=www,group=www \033[0m"
echo -e "\033[36m php7.1 install finished!配置文件位于/etc/php.ini,/etc/php-fpm.conf \033[0m "
echo -e "\033[36m\n ---请自行配置php--- \033[0m \n"
service php-fpm restart
}
function install_php72 {
echo -e "\033[36m\n安装php7.2和php7.2的全部扩展\033[0m \n"
rpm -qa|grep epel-release-7
if [ $? -ne 0 ];then
rpm -Uvh https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
check;
fi
rpm -qa|grep webtatic-release
if [ $? -ne 0 ];then
rpm -Uvh https://mirror.webtatic.com/yum/el7/webtatic-release.rpm
check;
fi
yum install -y php72w* --skip-broken
check;
echo -e "\033[36m\n 修改session权限 \033[0m \n"
useradd www
chown -R www.www /var/lib/php/
sed -i 's/user = apache/user = www/g' /etc/php-fpm.d/www.conf
sed -i 's/group = apache/group = www/g' /etc/php-fpm.d/www.conf
sed -i 's/pm.max_children = 50/pm.max_children = 1500/g' /etc/php-fpm.d/www.conf
sed -i 's/upload_max_filesize = 2M/upload_max_filesize = 10M/g' /etc/php.ini
echo -e "\033[36m user=www,group=www \033[0m"
echo -e "\033[36m php7.1 install finished!配置文件位于/etc/php.ini,/etc/php-fpm.conf \033[0m "
echo -e "\033[36m\n ---请自行配置php--- \033[0m \n"
service php-fpm restart
}
function install_mysql57 {
echo " 安装mysql5.7"
rpm -qa|grep mysql-community-release-el7-5.noarch
if [ $? -ne 0 ];then
rpm -Uvh https://dev.mysql.com/get/mysql57-community-release-el7-11.noarch.rpm
check;
fi
yum install -y mysql-community-server
check;
service mysqld start
check;
# 配置mysql
mkdir -p /data/mysqllog
mkdir -p /data/mysqldata
chown -R mysql.mysql /data/mysqldata
chown -R mysql.mysql /data/mysqllog
echo "优化参数:最大连接数,设置编码utf8"
cat /etc/my.cnf |grep -w "max_connections = 1000"
[ $? -ne 0 ] && sed -i '/\[mysqld\]/a\max_connections = 1000' /etc/my.cnf
cat /etc/my.cnf |grep -w "character_set_server=utf8"
[ $? -ne 0 ] && sed -i '/\[mysqld\]/a\character_set_server=utf8' /etc/my.cnf
echo -e "\033[36m mysql install finished!配置文件位于/etc/my.cnf,密码为空\033[0m"
echo -e "\033[36m ---请自行配置mysql,如字符集utf8--- \033[0m"
}
function install_mysql56 {
echo " 安装mysql5.6"
rpm -qa|grep mysql-community-release-el7-5.noarch
if [ $? -ne 0 ];then
rpm -Uvh http://repo.mysql.com/mysql-community-release-el7-5.noarch.rpm
check;
fi
yum install -y mysql-community-server
check;
# 创建mysql数据,日志目录
mkdir -p /data/mysqllog
mkdir -p /data/mysqldata
chown -R mysql.mysql /data/mysqldata
chown -R mysql.mysql /data/mysqllog
echo "创建mysql初始用户root 密码b9LdPvwyZEW>=o"
mysql -e "grant all privileges on *.* to root@'localhost' identified by 'b9LdPvwyZEW>=o'";
service mysqld start
check;
echo "优化参数:最大连接数,设置编码utf8"
cat /etc/my.cnf |grep -w "max_connections = 1000"
[ $? -ne 0 ] && sed -i '/\[mysqld\]/a\max_connections = 1000' /etc/my.cnf
cat /etc/my.cnf |grep -w "character_set_server=utf8"
[ $? -ne 0 ] && sed -i '/\[mysqld\]/a\character_set_server=utf8' /etc/my.cnf
echo -e "\033[36m mysql install finished!配置文件位于/etc/my.cnf,密码为空\033[0m"
echo -e "\033[36m ---请自行配置mysql,如字符集utf8--- \033[0m"
}
function modify_ssh {
echo " 修改ssh默认端口为8622"
sed -i 's/#Port 22/Port 8622/g' /etc/ssh/sshd_config
echo -e "\033[36m 关闭iptables/firewalld\033[0m"
service firewalld stop
checkconfig firewalld off
service sshd restart
service iptables restart
}
function add_ssh_key {
echo "add user of www ssh-key"
useradd www
mkdir -p /home/www/.ssh
echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCqtBbOblU3zGch5MxJWFEJWneX3n6nSzZ1ii4c1JilgsbtfqaAVTh4IL6rVYZlJaKSAtQBy2fQ6HRhhGjghbVvfIRbV1nj1NiOMz9u0aEdq4NaSyehNAzFT2w2BZ7t6jYNavOkOm4ieO3lKO+hH5PIZNAcBvdCWn1FdSAB2NhfhazXVIHQGUSpuYuKR17bwsJjxlwI8tLm+6E1bt7OzxMalCBPre13RbxN1aJt9MZqQOkFopuIBcbhOj0v2E+8B1rYFx4QYazl3U8HEq6tWJxpEOLCTqMeD0YkjOik8kKjGxR+B57nhepidsIz1rUlnsc/2lCXv1mSKKAfUtl8wtmbaL" >/home/www/.ssh/authorized_keys
chown -R www.www /home/www/
chmod 600 /home/www/.ssh/authorized_keys
echo -e "\033[36m ---www用户的公钥添加到服务器成功,可以用证书登陆---\033[0m"
}
function install_mongodb4 {
echo "
[mongodb-org-4.0]
name=MongoDB Repository
baseurl=https://repo.mongodb.org/yum/redhat/\$releasever/mongodb-org/4.0/x86_64/
gpgcheck=1
enabled=1
gpgkey=https://www.mongodb.org/static/pgp/server-4.0.asc">/etc/yum.repos.d/mongodb-org-4.0.repo
yum install -y mongodb-org
sed -i 's/^#security:/security:/g' /etc/mongod.conf
cat /etc/mongod.conf |grep "authorization: enabled"
[ $? -ne 0 ] && sed -i '/^security:/a\ authorization: enabled' /etc/mongod.conf
systemctl start mongod
}
function install_redis50() {
echo “获取服务器eth0网口IP”
host=`/usr/sbin/ip addr |grep inet |grep -v inet6 |grep eth0|awk '{print $2}' |awk -F "/" '{print $1}'`
echo "redis相关系统优化"
cat /etc/sysctl.conf |grep "^net.core.somaxconn="
[ $? -ne 0 ] && echo "net.core.somaxconn=5000" >> /etc/sysctl.conf
cat /etc/sysctl.conf |grep "^vm.overcommit_memory="
[ $? -ne 0 ] && echo "vm.overcommit_memory=1" >> /etc/sysctl.conf
sysctl -p
echo never > /sys/kernel/mm/transparent_hugepage/enabled
cat /etc/rc.local |grep -w "echo never > /sys/kernel/mm/transparent_hugepage/enabled"
[ $? -ne 0 ] && echo "echo never > /sys/kernel/mm/transparent_hugepage/enabled" >>/etc/rc.local
echo ""1.安装redis依赖
yum install -y gcc tcl
echo "2.下载redis安装包"
cd /usr/local/src/
if [ ! -f ./redis-5.0.0.tar.gz ];then
wget http://download.redis.io/releases/redis-5.0.0.tar.gz
mkdir /usr/local/redis
tar -zxvf redis-5.0.0.tar.gz -C /usr/local/
mv /usr/local/redis-5.0.0 /usr/local/redis
cd /usr/local/redis
make
make install
echo "创建redis配置文件"
mkdir /etc/redis/
cp /usr/local/redis/redis.conf /etc/redis/
echo "修改bind ip,"
sed -i "s/^bind 127.0.0.1/bind $host/g" /etc/redis/redis.conf
sed -i "s/^daemonize no/daemonize yes/g" /etc/redis/redis.conf
sed -i "s/^protected-mode yes/protected-mode no/g" /etc/redis/redis.conf
cat /etc/redis/redis.conf |grep -w "^requirepass weqFcx12fds"
[ $? -ne 0 ] && echo "requirepass weqFcx12fds" >> /etc/redis/redis.conf
echo "启动redis"
/usr/local/redis/src/redis-server /etc/redis/redis.conf
else
echo "安装包已存在,只修改配置"
echo "修改bind ip,"
sed -i "s/^bind 127.0.0.1/bind $host/g" /etc/redis/redis.conf
sed -i "s/^daemonize no/daemonize yes/g" /etc/redis/redis.conf
sed -i "s/^protected-mode yes/protected-mode no/g" /etc/redis/redis.conf
cat /etc/redis/redis.conf |grep -w "^requirepass dsf3#fs"
[ $? -ne 0 ] && echo "requirepass dsf3#fs" >> /etc/redis/redis.conf
fi
}
function install_openvpn(){
echo "1.安装openvpn依赖"
yum install openssl* gcc -y
echo "2.安装lzo库"
cd /usr/local/src
if [ ! -f ./lzo-2.09.tar.gz ];then
wget http://www.oberhumer.com/opensource/lzo/download/lzo-2.09.tar.gz
tar xf lzo-2.09.tar.gz
cd zo-2.09
./configure -prefix=/usr/local/lzo
make && make install
fi
echo "3.下载openvpn"
cd /usr/local/src
if [ ! -f ./openvpn-2.2.2.tar.gz ];then
wget http://oss.aliyuncs.com/aliyunecs/openvpn-2.2.2.tar.gz
tar xf openvpn-2.2.2.tar.gz
cd openvpn-2.2.2
./configure --prefix=/usr/local/openvpn --with-lzo-headers=/usr/local/lzo/include --with-lzo-lib=/usr/local/lzo/lib --with-ssl-headers=/usr/include/openssl --with-ssl-lib=/usr/lib64/openssl
make && make install
echo "配置openvpn,初始化证书"
mkdir /etc/openvpn
cp /usr/local/openvpn/easy-rsa /etc/openvpn
cd /etc/openvpn/easy-rsa/2.0
echo "生成服务器证书,dh,ca证书"
source ./vars
./clean-all
./build-dh
echo -e "\033[32m 开始生成ca证书 \033[0m"
./build-ca
echo -e "\033[32m 开始生成server证书 \033[0m"
./build-key-server server
echo "拷贝证书文件到/etc/openvpn"
cd keys
cp ca.* server.* dh1024.pem /etc/openvpn
echo "获取内网地址段"
host=`/usr/sbin/ip addr |grep inet |grep -v inet6 |grep eth0|awk '{print $2}' |awk -F "/" '{print $1}'`
intranet=`echo $host|awk -F [.] '{print $1 "." $2 ".0.0"}'`
echo "生成服务端配置文件server.conf"
echo -e "port 1194 \nproto udp \ndev tuni \nca /etc/openvpn/ca.crt \ncert /etc/openvpn/server.crt \nkey /etc/openvpn/server.key \ndh /etc/openvpn/dh1024.pem \nserver 10.10.0.0 255.255.255.0 \nifconfig-pool-persist ipp.txt \npush 'route $intranet 255.255.0.0' \npush 'dhcp-option DNS 8.8.8.8' \npush 'dhcp-option DNS 114.114.114.114' \npush 'dhcp-option DNS 74.207.242.5' \nclient-to-client \nduplicate-cn \nkeepalive 10 120 \ncomp-lzo \nuser nobody \ngroup nobody \npersist-key \npersist-tun \nstatus /var/log/openvpn-status.log \nlog /var/log/openvpn.log \nlog-append /var/log/openvpn.log \n#crl-verify /etc/openvpn/easy-rsa/2.0/keys/crl.pem \n" >/etc/openvpn/server.conf
# 创建openvpn客户端证书
create_openvpn_client_key
echo "开启ip转发"
cat /etc/sysctl.conf|grep -w "net.ipv4.ip_forward = 1"
[ $? -ne 0 ] && echo "net.ipv4.ip_forward = 1" >>/etc/sysctl.conf
sysctl -p
echo "iptables开启vpn流量转发"
echo "禁止firewall"
systemctl stop firewalld.service
systemctl disable firewalld.service
yum install iptables-services -y
sed -i 's/^-A INPUT -j REJECT --reject-with icmp-host-prohibited/#-A INPUT -j REJECT --reject-with icmp-host-prohibited/g' /etc/sysconfig/iptables
sed -i 's/^-A FORWARD -j REJECT --reject-with icmp-host-prohibited/#-A FORWARD -j REJECT --reject-with icmp-host-prohibited/g' /etc/sysconfig/iptables
cat /etc/sysconfig/iptables |grep -w "A POSTROUTING -s 10.10.0.0/24 -o eth0 -j MASQUERADE"
if [ $? -ne 0 ];then
iptables -t nat -A POSTROUTING -s 10.10.0.0/24 -o eth0 -j MASQUERADE
service iptables save
chkconfig iptables on
service iptables restart
fi
echo -e "\033[32m 启动openvpn \033[0m"
/usr/local/openvpn/sbin/openvpn --daemon --config /etc/openvpn/server.conf
cat /etc/rc.local |grep -w "/usr/local/openvpn/sbin/openvpn --daemon --config /etc/openvpn/server.conf"
[ $? -ne 0 ] && echo "/usr/local/openvpn/sbin/openvpn --daemon --config /etc/openvpn/server.conf" >>/etc/rc.local
echo -e "\033[31m\n 防火墙开启udp:1194端口 \033[0m \n"
else
echo "安装文件已存在"
fi
}
function create_openvpn_client_key(){
#获取公网IP
public_ip=`curl http://members.3322.org/dyndns/getip`
echo -e "\033[32m 开始创建openvpn客户端证书 \033[0m"
read -p "请输入你的key名: " keyname
cd /etc/openvpn/easy-rsa/2.0
source ./vars
./build-key $keyname
echo "生成windows客户端client.ovpn文件"
cd /etc/openvpn/easy-rsa/2.0/keys
echo -e "client \ndev tun \nproto udp \nremote $public_ip 1194 \nresolv-retry infinite \nnobind \npersist-key \npersist-tun \nca ca.crt \ncert ${keyname}.crt \nkey ${keyname}.key \nremote-cert-tls server \ncomp-lzo \nverb 3" > client.ovpn
echo -e "\033[32m 打包证书 \033[0m"
tar -zcvf ${keyname}.tar.gz ca.* ${keyname}.crt ${keyname}.key client.ovpn
echo -e "\033[32m 下载证书 \033[0m"
sz ${keyname}.tar.gz
}
echo -e "\033[31m\n----选择你想安装的软件----\033[0m \n"
echo -e "\033[32m \"0. initialize_system(优化系统)\" input \"0\" \033[0m \n"
echo -e "\033[32m \"1. Nginx for latest\" input \"1\" \033[0m \n"
echo -e "\033[32m \"2. php7.1\" input \"2\" \033[0m \n"
echo -e "\033[32m \"3. mysql5.7\" input \"3\" \033[0m \n"
echo -e "\033[32m \"4. modify ssh port to 8622\" input \"4\" \033[0m \n"
echo -e "\033[32m \"5. add ssh-key\" input \"5\" \033[0m \n"
echo -e "\033[32m \"6. install mongodb4\" input \"6\" \033[0m \n"
echo -e "\033[32m \"7. install mysql5.6\" input \"7\" \033[0m \n"
echo -e "\033[32m \"8. install php7.2\" input \"8\" \033[0m \n"
echo -e "\033[32m \"9. install redis5.0\" input \"9\" \033[0m \n"
echo -e "\033[32m \"10. install openvpn2.2\" input \"10\" \033[0m \n"
echo -e "\033[32m \"11. create openvpn客户端证书\" input \"11\" \033[0m \n"
read -p "please choice which software do you want to install ?" input
case "$input" in
0) initialize_system;
;;
1) install_nginx;
;;
2) install_php71;
;;
3) install_mysql57;
;;
4) modify_ssh;
;;
5) add_ssh_key;
;;
6) install_mongodb4;
;;
7) install_mysql56;
;;
8) install_php72;
;;
9) install_redis50;
;;
10) install_openvpn;
;;
11) create_openvpn_client_key;
;;
*) echo -e "\033[31m Input Error! \033[0m" && exit -1;;
esac