[docker]一些经常或不经常用到的镜像启动方法-一些常用的docker启动方式

mysql

docker run \
-itd \
-p 3306:3306 \
--restart always \
-e MYSQL_ROOT_PASSWORD=root \
-e TZ=Asia/Shanghai \
-v ${HOME}/mysql:/var/lib/mysql \
--name mysql57 \
mysql:5.7 \
--character-set-server=utf8mb4 \
--collation-server=utf8mb4_unicode_ci \
--character-set-client-handshake=FALSE


docker run -it --rm mysql:5.7 mysql -h172.17.0.2 -uroot -proot

一些经常或不经常用到的镜像启动方法

## mongo
docker run \
    -d \
    --restart=always \
    -v /data/mongo:/data/db -d mongo \
    -p 27017:27017 \
    mongo

## 单机版etcd-使用host网络, 监控四个0
export NODE1=0.0.0.0
docker run \
  -d \
  --net=host \
  --restart=always \
  --volume=${DATA_DIR}:/etcd-data \
  --name etcd quay.io/coreos/etcd:latest \
  /usr/local/bin/etcd \
  --data-dir=/etcd-data --name node1 \
  --initial-advertise-peer-urls http://${NODE1}:2380 --listen-peer-urls http://${NODE1}:2380 \
  --advertise-client-urls http://${NODE1}:2379 --listen-client-urls http://${NODE1}:2379 \
  --initial-cluster node1=http://${NODE1}:2380

etcdctl --endpoints=http://${NODE1}:2379 member list





## 设置容器的TZ另一种办法
参考: https://github.com/spujadas/elk-docker/blob/master/start.sh

override default time zone (Etc/UTC) if TZ variable is set

if [ ! -z "$TZ" ]; then
ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && echo $TZ > /etc/timezone
fi

## 带ssh的centos

docker run -d -p 0.0.0.0:2222:22 tutum/centos6
docker run -d -p 0.0.0.0:2222:22 tutum/centos

docker run -d -p 0.0.0.0:2222:22 -v /etc/localtime:/etc/localtime:ro -v /etc/timezone:/etc/timezone:ro tutum/centos6
docker run -d -p 0.0.0.0:2222:22 -v /etc/localtime:/etc/localtime:ro -v /etc/timezone:/etc/timezone:ro tutum/centos

支持两种验证方式:
docker run -d -p 0.0.0.0:2222:22 -v /etc/localtime:/etc/localtime:ro -v /etc/timezone:/etc/timezone:ro -e ROOT_PASS="mypass" tutum/centos
docker run -d -p 2222:22 -e AUTHORIZED_KEYS="cat ~/.ssh/id_rsa.pub" tutum/centos

docker logs <CONTAINER_ID>
ssh -p root@

参考: https://hub.docker.com/r/tutum/centos/

## 带ping/curl/nslookup的busybox

docker run -itd --name=test1 --net=test-network radial/busyboxplus /bin/sh

## nginx

mkdir -p /data/nginx-html
echo "maotai" > /data/nginx-html/index.html

docker run -d
--net=host
--restart=always
-v /etc/nginx/nginx.conf:/etc/nginx/nginx.conf:ro
-v /etc/localtime:/etc/localtime:ro
-v /data/nginx-html:/usr/share/nginx/html
--name nginx
nginx


## portainer多单节点管理界面的部署

cp /etc/docker/daemon.json /etc/docker/daemon.json.bak.$(date +%F)
cat >/etc/docker/daemon.json<<EOF
{
"registry-mirrors": ["https://registry.docker-cn.com"],
"hosts": [
"tcp://0.0.0.0:2375",
"unix:///var/run/docker.sock"
]
}
EOF
systemctl daemon-reload
systemctl restart docker && systemctl enable docker

docker run -d
-p 9000:9000
--restart=always
-v /etc/localtime:/etc/localtime:ro
-v /var/run/docker.sock:/var/run/docker.sock
portainer/portainer


#### nginx配置
```bash
mv /etc/nginx /etc/nginx_$(date +%F)
mkdir -p /etc/nginx/conf.d/

mkdir -p /data/nginx-html
echo "maotai" > /data/nginx-html/index.html

cat >> /etc/nginx/nginx.conf<<EOF
user  nginx;
worker_processes  1;

error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;


events {
    worker_connections  1024;
}


http {
    include                       mime.types;
    default_type                  application/octet-stream;
    server_name_in_redirect       off;
    client_max_body_size          20m;
    client_header_buffer_size     16k;
    large_client_header_buffers 4 16k;
    sendfile                      on;
    tcp_nopush                    on;
    keepalive_timeout             65;
    server_tokens                 off;
    gzip                          on;
    gzip_min_length               1k;
    gzip_buffers                  4 16k;
    gzip_proxied                  any;
    gzip_http_version             1.1;
    gzip_comp_level               3;
    gzip_types                    text/plain application/x-javascript text/css application/xml;
    gzip_vary                     on;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    log_format json '{"@timestamp": "$time_iso8601",'
    '"@version": "1",'
    '"client": "$remote_addr",'
    '"url": "$uri", '
    '"status": $status, '
    '"domain": "$host", '
    '"host": "$server_addr",'
    '"size":"$body_bytes_sent", '
    '"response_time": $request_time, '
    '"referer": "$http_referer", '
    '"http_x_forwarded_for": "$http_x_forwarded_for", '
    '"ua": "$http_user_agent" } ';
    access_log  /var/log/nginx/access.log  json;


    include /etc/nginx/conf.d/*.conf;
}
EOF
tree /etc/nginx/



cat >> /etc/nginx/conf.d/default.conf <<EOF
server {
    listen       80;
    server_name  localhost;

    #charset koi8-r;
    #access_log  /var/log/nginx/host.access.log  json;

    location / {
        root   /usr/share/nginx/html;
        index  index.html index.htm;
    }

    #error_page  404              /404.html;

    # redirect server error pages to the static page /50x.html
    #
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }

    # proxy the PHP scripts to Apache listening on 127.0.0.1:80
    #
    #location ~ \.php$ {
    #    proxy_pass   http://127.0.0.1;
    #}

    # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
    #
    #location ~ \.php$ {
    #    root           html;
    #    fastcgi_pass   127.0.0.1:9000;
    #    fastcgi_index  index.php;
    #    fastcgi_param  SCRIPT_FILENAME  /scripts$fastcgi_script_name;
    #    include        fastcgi_params;
    #}

    # deny access to .htaccess files, if Apache's document root
    # concurs with nginx's one
    #
    #location ~ /\.ht {
    #    deny  all;
    #}
}
EOF
tree /etc/nginx/

nginx-lb

docker run --name nginx-lb \
    -d \
    -v /etc/nginx/nginx.conf:/etc/nginx/nginx.conf:ro \
    --net=host \
    --restart=always \
    -v /etc/localtime:/etc/localtime \
nginx:1.13.3-alpine

lnmp(每个组件独立)

参考: https://github.com/micooz/docker-lnmp

docker-compose up

启动一个mysql

cat /root/dockerfile/mysql/start.sh

docker run  -p 3306:3306 -v /data/mysql:/var/lib/mysql -v /etc/localtime:/etc/localtime --name mysql5 --restart=always -d mysql:5.6.23 --character-set-server=utf8 --collation-server=utf8_general_ci
docker run  \
-p 3306:3306 \
-v /data/mysql:/var/lib/mysql \
-v /etc/localtime:/etc/localtime \
--name mysql5 \
--restart=always \
-e MYSQL_ROOT_PASSWORD=123456 \
-d mysql:5.6.23 --character-set-server=utf8 --collation-server=utf8_general_ci

show VARIABLES like '%max_allowed_packet%';

show variables like '%storage_engine%';
show variables like 'collation_%';
show variables like 'character_set_%';

mysql主从库

#+++++++++++++++++++++++++++
# mysql主从库
#+++++++++++++++++++++++++++
  docker run -d -e REPLICATION_MASTER=true -e REPLICATION_PASS=mypass -p 3306:3306 --name mysql tutum/mysql
  docker run -d -e REPLICATION_SLAVE=true -p 3307:3306 --link mysql:mysql tutum/mysql

gogs安装(不过建议用gitlab)

docker run -itd \
    -p 53000:3000 -p 50022:22 \
    -v /data/gogs:/data  \
    -v /etc/localtime:/etc/localtime \
    --restart=always \
    gogs/gogs

cowcloud

docker run -v /data/owncloud-data:/var/www/html -v /etc/localtime:/etc/localtime -v :/var/www/html/config --restart=always -itd -p 8000:80 owncloud

nextcloud(和owncloud一样,据说这个支持在线md记录笔记,总之感觉功能更强大)

参考: https://hub.docker.com/_/nextcloud/

docker run -d \
-p 8080:80
-v nextcloud:/var/www/html \
nextcloud

安装confluence

docker run \
    -v /data/confluence/conflu_data:/var/atlassian/application-data/confluence \
    -v /etc/localtime:/etc/localtime \
    -v /data/confluence/server.xml:/opt/atlassian/confluence/conf/server.xml \
    --restart=always \
    --link mysql5:db \
    --name="confluence" -d \
    -p 8090:8090 \
    -p 8091:8091 \
    cptactionhank/atlassian-confluence

参考:http://wuyijun.cn/shi-yong-dockerfang-shi-an-zhuang-he-yun-xing-confluence/

  • 配置confluence
    • 创建数据库
create database confluence default character set utf8 collate utf8_bin;
grant all on confluence.* to 'confluence'@"172.17.0.%" identified by "confluenceman";
grant all on confluence.* to 'confluence'@"192.168.6.%";
grant all on confluence.* to 'confluence'@"192.168.8.%";
  • 安装破解
1.导出后用破机器破解
docker cp confluence:/opt/atlassian/confluence/confluence/WEB-INF/lib/atlassian-extras-decoder-v2-3.2.jar ./
mv atlassian-extras-decoder-v2-3.2.jar atlassian-extras-2.4.jar

2. 将破解文件导入系统
mv atlassian-extras-2.4.jar atlassian-extras-decoder-v2-3.2.jar
docker cp ./atlassian-extras-decoder-v2-3.2.jar  confluence:/opt/atlassian/confluence/confluence/WEB-INF/lib/

3.重启confluence
docker stop confluence
docker start confluence
  • 1.贴上破机器的序列号
  • 2.选jdbc连mysql url写:
jdbc:mysql://db:3306/confluence?sessionVariables=storage_engine%3DInnoDB&amp;amp;useUnicode=true&amp;amp;characterEncoding=utf8
管理员帐号密码登陆 http://192.168.x.x:8090
admin
xxxxx
  • 5.配置邮箱
    这里我没用server.xml里配置(配了测试有问题),直接smtp用新浪邮箱配的
smtp.sina.com
mt@sina.com
123456

phabricator审计系统(客服给开发提bug)

docker run -d \
    -p 9080:80 -p 9443:443 -p 9022:22 \
    --env PHABRICATOR_HOST=sj.pp100.net \
    --env MYSQL_HOST=192.168.x.x \
    --env MYSQL_USER=root \
    --env MYSQL_PASS=elc123 \
    --env PHABRICATOR_REPOSITORY_PATH=/repos \
    --env PHABRICATOR_HOST_KEYS_PATH=/hostkeys/persisted \
    -v /data/phabricator/hostkeys:/hostkeys \
    -v /data/phabricator/repo:/repos \
   redpointgames/phabricator

hackmarkdown安装(内网markdown服务器,支持贴图权限,还有专门的客户端等)

https://github.com/hackmdio/docker-hackmd/blob/master/docker-compose.yml

docker-compose up -d

参考: 数据的备份等都有.
https://github.com/hackmdio/docker-hackmd
https://hub.docker.com/r/hackmdio/hackmd/

容器启动常用选项

  • 1, 时区
  • 2, 自动重启
  • 3, 日志
docker run \
-v /etc/localtime:/etc/localtime:ro
-v /etc/timezone:/etc/timezone:ro
--restart=always \

docker run \
-v /etc/localtime:/etc/localtime:ro
-v /etc/timezone:/etc/timezone:ro

-v /etc/localtime:/etc/localtime:ro -v /etc/timezone:/etc/timezone:ro

记录两份  一份是前台输出,另一份
docker run -it --rm -p 80:80 nginx
ll /var/lib/docker/containers/*/*.log

针对容器的日志切割(不然日志越滚越大)

容器日志目录: /var/lib/docker/containers//.log.*

docker run -d -v /var/lib/docker/containers:/var/lib/docker/containers:rw \
-v /etc/localtime:/etc/localtime:ro \
--restart=always \
tutum/logrotate
  • 原理(logrotated的一个copytruncate选项很好,不截断日志情况下滚动日志)
## 可以进到容器里看看日志滚动策略.
#https://hub.docker.com/r/tutum/logrotate/

/ # cat /etc/logrotate.conf
/var/lib/docker/containers/*/*.log {
  rotate 0
  copytruncate
  sharedscripts
  maxsize 10M
  postrotate
    rm -f /var/lib/docker/containers/*/*.log.*
  endscript

#logrotate说明copytruncate
#    http://www.lightxue.com/how-logrotate-works

#让我联想起了nginx日志切割
cat > /etc/logrotate.d/nginx
/usr/local/nginx/logs/*.log {
    daily
    missingok
    rotate 7
    dateext
    compress
    delaycompress
    notifempty
    sharedscripts
    postrotate
        if [ -f /usr/local/nginx/logs/nginx.pid ]; then
            kill -USR1 `cat /usr/local/nginx/logs/nginx.pid`
        fi
    endscript
}

清理长时间不用的镜像和volumes

docker run -d \
  --privileged \
  -v /var/run:/var/run:rw \
  -v /var/lib/docker:/var/lib/docker:rw \
  -e IMAGE_CLEAN_INTERVAL=1 \
  -e IMAGE_CLEAN_DELAYED=1800 \
  -e VOLUME_CLEAN_INTERVAL=1800 \
  -e IMAGE_LOCKED="ubuntu:trusty, tutum/curl:trusty" \
  tutum/cleanup

#    https://hub.docker.com/r/tutum/cleanup/
#    IMAGE_CLEAN_INTERVAL   (optional) How long to wait between cleanup runs (in seconds), 1 by default.
#    IMAGE_CLEAN_DELAYED    (optional) How long to wait to consider an image unused (in seconds), 1800 by default.
#    VOLUME_CLEAN_INTERVAL  (optional) How long to wait to consider a volume unused (in seconds), 1800 by default.
#    IMAGE_LOCKED   (optional) A list of images that will not be cleaned by this container, separated by ,
  • 原理:调用二进制程序
/ # cat run.sh
#!/bin/sh

if [ ! -e "/var/run/docker.sock" ]; then
    echo "=> Cannot find docker socket(/var/run/docker.sock), please check the command!"
    exit 1
fi

if [ "${IMAGE_LOCKED}" == "**None**" ]; then
    exec /cleanup \
        -imageCleanInterval ${IMAGE_CLEAN_INTERVAL} \
        -imageCleanDelayed ${IMAGE_CLEAN_DELAYED}
else
    exec /cleanup \
        -imageCleanInterval ${IMAGE_CLEAN_INTERVAL} \
        -imageCleanDelayed ${IMAGE_CLEAN_DELAYED} \
        -imageLocked "${IMAGE_LOCKED}"
fi

zk集群

参考: https://segmentfault.com/a/1190000006907443

version: '2'
services:
    zoo1:
        image: zookeeper
        restart: always
        container_name: zoo1
        volumes:
            - /etc/localtime:/etc/localtime
        ports:
            - "2181:2181"
        environment:
            ZOO_MY_ID: 1
            ZOO_SERVERS: server.1=zoo1:2888:3888 server.2=zoo2:2888:3888 server.3=zoo3:2888:3888

    zoo2:
        image: zookeeper
        restart: always
        container_name: zoo2
        volumes:
            - /etc/localtime:/etc/localtime
        ports:
            - "2182:2181"
        environment:
            ZOO_MY_ID: 2
            ZOO_SERVERS: server.1=zoo1:2888:3888 server.2=zoo2:2888:3888 server.3=zoo3:2888:3888

    zoo3:
        image: zookeeper
        restart: always
        volumes:
            - /etc/localtime:/etc/localtime
        container_name: zoo3
        ports:
            - "2183:2181"
        environment:
            ZOO_MY_ID: 3
            ZOO_SERVERS: server.1=zoo1:2888:3888 server.2=zoo2:2888:3888 server.3=zoo3:2888:3888

检查:

echo stat|nc127.0.0.1 2181

或者进入到容器去看
#docker exec zoo1 /zookeeper-3.4.10/bin/zkCli.sh  -server 127.0.0.1:2181
#/zookeeper-3.4.10/bin/zkCli.sh  -server 127.0.0.1:2181

zabbix(monitoringartist这小伙把组件搞在一个镜像了)

docker run \
    -d \
    --name dockbix-db \
    -v /backups:/backups \
    -v /etc/localtime:/etc/localtime:ro \
    --volumes-from dockbix-db-storage \
    --env="MARIADB_USER=zabbix" \
    --env="MARIADB_PASS=my_password" \
    monitoringartist/zabbix-db-mariadb

# Start Dockbix linked to the started DB
docker run \
    -d \
    --name dockbix \
    -p 80:80 \
    -p 10051:10051 \
    -v /etc/localtime:/etc/localtime:ro \
    --link dockbix-db:dockbix.db \
    --env="ZS_DBHost=dockbix.db" \
    --env="ZS_DBUser=zabbix" \
    --env="ZS_DBPassword=my_password" \
    --env="XXL_zapix=true" \
    --env="XXL_grapher=true" \
    monitoringartist/dockbix-xxl:latest

分开的zabbix,这个我没测

docker run --name zabbix-server-mysql -t \
      -v /etc/localtime:/etc/localtime:ro \
      -v /data/zabbix-alertscripts:/usr/lib/zabbix/alertscripts \
      -v /etc/zabbix/zabbix_server.conf:/etc/zabbix/zabbix_server.conf \
      -e DB_SERVER_HOST="192.168.14.132" \
      -e MYSQL_DATABASE="zabbix" \
      -e MYSQL_USER="zabbix" \
      -e MYSQL_PASSWORD="Tx66sup" \
      -e MYSQL_ROOT_PASSWORD="Tinsu" \
      -e ZBX_JAVAGATEWAY="127.0.0.1" \
      --network=host \
      -d registry.docker-cn.com/zabbix/zabbix-server-mysql:ubuntu-3.4.0
      
docker run --name mysql-server -t \
      -v /etc/localtime:/etc/localtime:ro \
      -v /etc/my.cnf:/etc/my.cnf        \
      -v /data/mysql-data:/var/lib/mysql \
      -e MYSQL_DATABASE="zabbix" \
      -e MYSQL_USER="zabbix" \
      -e MYSQL_PASSWORD="bix66sup" \
      -e MYSQL_ROOT_PASSWORD="adminsu" \
      -p 3306:3306 \
      -d registry.docker-cn.com/mysql/mysql-server:5.7

docker run --name zabbix-java-gateway -t \
       -v /etc/localtime:/etc/localtime:ro \
      --network=host \
      -d registry.docker-cn.com/zabbix/zabbix-java-gateway:latest

bdocker run --name zabbix-web-nginx-mysql -t \
      -v /etc/localtime:/etc/localtime:ro \
      -e DB_SERVER_HOST="192.168.14.132" \
      -e MYSQL_DATABASE="zabbix" \
      -e MYSQL_USER="zabbix" \
      -e MYSQL_PASSWORD="TCzp" \
      -e MYSQL_ROOT_PASSWORD="TC6u" \
      -e PHP_TZ="Asia/Shanghai" \
      --network=host \
      -d registry.docker-cn.com/zabbix/zabbix-web-nginx-mysql:ubuntu-3.4.0

docker监控advisor

docker run  \
    --volume=/:/rootfs:ro \
    --volume=/var/run:/var/run:rw \
    --volume=/sys:/sys:ro \
    --volume=/var/lib/docker/:/var/lib/docker:ro \
    --publish=8080:8080 \
    --detach=true \
    --name=cadvisor  \
google/cadvisor:latest

http://192.168.14.133:8080/

centos7跑cAdvisor-InfluxDB-Grafana

  • 参考
http://www.pangxie.space/docker/456
https://www.brianchristner.io/how-to-setup-docker-monitoring/
https://github.com/vegasbrianc/docker-monitoring/blob/master/docker-monitoring-0.9.json
  • 启动influxdb(使用最新的发现不好使)
docker run -d -p 8083:8083 -p 8086:8086 --expose 8090 --expose 8099 --name influxsrv tutum/influxdb:0.10
  • 创建db
docker exec -it influxsrv bash
use cadvisor
CREATE USER "root" WITH PASSWORD 'root' WITH ALL PRIVILEGES
CREATE DATABASE cadvisor
show users
  • 启动cadvisor
docker run --volume=/:/rootfs:ro --volume=/var/run:/var/run:rw --volume=/sys:/sys:ro --volume=/var/lib/docker/:/var/lib/docker:ro --publish=8080:8080 --detach=true --link influxsrv:influxsrv --name=cadvisor google/cadvisor:latest -storage_driver=influxdb -storage_driver_db=cadvisor -storage_driver_host=influxsrv:8086
  • 启动grafna, 加db源.导入dashboard
docker run -d -p 3000:3000 -e INFLUXDB_HOST=192.168.14.133 -e INFLUXDB_PORT=8086 -e INFLUXDB_NAME=cadvisor -e INFLUXDB_USER=root -e INFLUXDB_PASS=root --link influxsrv:influxsrv --name grafana grafana/grafana

Prometheus+Grafana(这个比cAdvisor-InfluxDB-Grafana展示效果更好一些)

A Prometheus & Grafana docker-compose stack

参考: https://github.com/vegasbrianc/prometheus

docker-compose up -d

elk

elk容器要占2g内存,vm分配至少给2g
参考:http://elk-docker.readthedocs.io/#installation
https://github.com/gregbkr/elk-dashboard-v5-docker

sysctl -w vm.max_map_count=262144

docker run -d -v /etc/localtime:/etc/localtime --restart=always -p 5601:5601 -p 9200:9200 -p 5044:5044 -it --name elk sebp/elk

docker run -d -v /etc/localtime:/etc/localtime --restart=always -p 9100:9100 mobz/elasticsearch-head:5



或
docker-compose up -d

纯手动安装elastic+kibana(elk)

useradd elk
cd /usr/local/src/
tar xf elasticsearch-5.6.4.tar.gz -C /usr/local/
tar xf kibana-5.6.4-linux-x86_64.tar.gz -C /usr/local/

ln -s /usr/local/elasticsearch-5.6.4 /usr/local/elasticsearch
ln -s /usr/local/kibana-5.6.4-linux-x86_64 /usr/local/kibana

chown -R elk. /usr/local/elasticsearch
chown -R elk. /usr/local/elasticsearch/
chown -R elk. /usr/local/kibana
chown -R elk. /usr/local/kibana/


mkdir /data/es/{data,logs} -p
chown -R elk. /data

修改es配置
0.0.0.0
http.cors.enabled: true
http.cors.allow-origin: "*"

修改内核:
vim /etc/security/limits.conf
*               soft    nproc           65536
*               hard    nproc           65536
*               soft    nofile          65536
*               hard    nofile          65536


sysctl -w vm.max_map_count=262144
sysctl -p

nohup /bin/su - elk -c "/usr/local/elasticsearch/bin/elasticsearch" > /data/es/es-start.log 2>&1 &
nohup /bin/su - elk -c "/usr/local/kibana/bin/kibana" > /data/es/kibana-start.log 2>&1 &

docker run -d -v /etc/localtime:/etc/localtime --restart=always -p 9100:9100 mobz/elasticsearch-head:5

安装elk的head插件

先修改es的配置文件: elasticsearch.yml追加
http.cors.enabled: true
http.cors.allow-origin: "*"


docker run -d -v /etc/localtime:/etc/localtime --restart=always -p 9100:9100 mobz/elasticsearch-head:5
物理机安装elk之前的优化操作
sudo sysctl -w vm.max_map_count=262144

make it persistent:
$ vim /etc/sysctl.conf
vm.max_map_count=262144

es常用操作参考: http://www.cnblogs.com/lishouguang/p/4560930.html

## 备份,扩容等脚本,有点老,但是思路可以参考,https://github.com/gregbkr/docker-elk-cadvisor-dashboards

http://192.168.14.133:9200/_cat/health?v   #查看集群状态
http://192.168.14.133:9200/_cat/nodes?v    #查看节点状态
http://192.168.14.133:9200/_cat/indices?v  #查看index列表

#创建index
curl -XPUT http://vm1:9200/customer?pretty

#添加一个document
[es@vm1 ~]$ curl -XPUT vm1:9200/customer/external/1?pretty -d '{"name":"lisg"}'

#检索一个document
[es@vm1 ~]$ curl -XGET vm1:9200/customer/external/1?pretty

#删除一个document
[es@vm1 ~]$ curl -XDELETE vm1:9200/customer/external/1?pretty

#删除一个type
[es@vm1 ~]$ curl -XDELETE vm1:9200/customer/external?pretty

#删除一个index
[es@vm1 ~]$ curl -XDELETE vm1:9200/customer?pretty

#POST方式可以添加一个document,不用指定ID
[es@vm1 ~]$ curl -XPOST vm1:9200/customer/external?pretty -d '{"name":"zhangsan"}'

#使用doc更新document
[es@vm1 ~]$ curl -XPUT vm1:9200/customer/external/1?pretty -d '{"name":"lisg4", "age":28}'

#使用script更新document(1.4.3版本动态脚本是被禁止的)
[es@vm1 ~]$ curl -XPOST vm1:9200/customer/external/1/_update?pretty -d '{"script":"ctx._source.age += 5"}'

启动jenkins

docker run -d -u root \
-p 8080:8080 \
-v /var/run/docker.sock:/var/run/docker.sock \
-v $(which docker):/bin/docker \
-v /var/jenkins_home:/var/jenkins_home \
jenkins

带ssh的tomcat

之前一直使用单个app的容器,如tomcat,我只需要catalina.sh run来启动前台容器.其中方法:我可以CMD ['run.sh'],其中run.sh有了我想执行的命令.
我也可以通过ENTRYPOINT ["docker-entrypoint.sh"],这样更加灵活了.可以通过CMD往这个脚本传参了.

后台tomcat容器需要ssh进去管理.这就意味着必须sshd也要同时前台启动,只能用supervisor来管理了.
参考:http://blog.csdn.net/iiiiher/article/details/70918045,其中包含了,
但是我感觉还是不太完善.

  • 1,熟悉dockerfile语法
  • 2,手动构建centos7
  • 3,使用官网centos7
  • 4,系统层--基于官网cenos7 添加 supervisor+ssh,启动后即启动ssh
  • 5,运行层—安装jdk
  • 6,app层安装tomcat,暴露8080.—supervisor接管.

新总结下supervisord.conf的配置(tomcat+ssh镜像)
参考: https://github.com/zabbix/zabbix-docker/blob/3.4/web-apache-mysql/alpine/conf/etc/supervisor/conf.d/supervisord_zabbix.conf

[supervisord]
nodaemon = true


[program:sshd]
command=/usr/sbin/sshd -D
process_name=%(program_name)s
auto_start = true
autorestart = true

[program:tomcat]
command=/data/tomcat/bin/catalina.sh run
process_name=%(program_name)s
auto_start = true
autorestart = true


stdout_logfile = /dev/stdout
stdout_logfile_maxbytes = 0
stderr_logfile = /dev/stderr
stderr_logfile_maxbytes = 0

这是tomcat的dockerfile[tomcat+ssh镜像],
其中要准备,下载解压这些目录到Dockerfile所在目录, jdk, tomcat,tomcat的server.xml(后期我k8s集群使用cm来覆盖)

Dockerfile

FROM centos:6.8

# Init centos
ENV TERM="linux"
ENV TERMINFO="/etc/terminfo"
ENV LANG="en_US.UTF-8"
ENV LANGUAGE="en_US.UTF-8"
ENV LC_ALL="en_US.UTF-8"
ENV TZ="PRC"
COPY localtime /etc/localtime

#ssh
RUN yum -y install openssh-server epel-release && \
    rm -f /etc/ssh/ssh_host_dsa_key /etc/ssh/ssh_host_rsa_key && \
    ssh-keygen -q -N "" -t dsa -f /etc/ssh/ssh_host_dsa_key && \
    ssh-keygen -q -N "" -t rsa -f /etc/ssh/ssh_host_rsa_key && \
    sed -i "s/#UsePrivilegeSeparation.*/UsePrivilegeSeparation no/g" /etc/ssh/sshd_config && \
    sed -i "s/UsePAM.*/UsePAM yes/g" /etc/ssh/sshd_config && \
    sed -i 's#\#UseDNS yes#UseDNS no#g' /etc/ssh/sshd_config && \
    sed -i 's#GSSAPIAuthentication yes#GSSAPIAuthentication no#g' /etc/ssh/sshd_config && \
    echo "root:123456" | chpasswd && \
    yum clean all

#supervisor
RUN yum -y install supervisor && \
    mkdir -p /etc/supervisor/
COPY supervisord.conf /etc/supervisor/


# Prepare jdk and tomcat environment
ENV JAVA_HOME /usr/local/jdk
ENV CLASSPATH .:$JAVA_HOME/lib:$JAVA_HOME/jre/lib:$JAVA_HOME/lib/tools.jar
ENV TOMCAT_HOME /data/tomcat
ENV PATH $JAVA_HOME/bin:$TOMCAT_HOME/bin:$PATH
ENV CATALINA_HOME=/data/tomcat
ENV ENVCATALINA_BASE=/data/tomcat
#RUN export JAVA_HOME CLASSPATH TOMCAT_HOME PATH CATALINA_HOME ENVCATALINA_BASE

# Install Oracle jdk-8u25
COPY jdk /usr/local/jdk

# Install apache-tomcat-7.0.62
RUN mkdir -p /data/tomcat && mkdir -p /data/web/elc/ && \
    ulimit -SHn 65535  && \
    echo '* - nofile 65536' >>/etc/security/limits.conf
COPY tomcat /data/tomcat
COPY server.xml /tmp/server.xml
RUN ln -s /tmp/server.xml /data/tomcat/conf/server.xml

WORKDIR /data/tomcat

EXPOSE 8080 22

CMD ["supervisord","-c","/etc/supervisor/supervisord.conf"]

其中centos的dockerfile参考: https://github.com/tutumcloud/tutum-centos/blob/master/centos6/Dockerfile
这里可以指定ssh的密码,你也可以使用pwdgen(yum install)工具随机生成密码,打印在console口通过docker logs -f来查看到密码,后期直接自己改密码.参考那个github吧.

docker容器volume从容器里挂文件到宿主机

参考: 这几篇Dockerfile最佳实践很有必要去读一读.
http://blog.csdn.net/shanyongxu/article/details/51456444
http://blog.csdn.net/shanyongxu/article/details/51456592
http://blog.csdn.net/shanyongxu/article/details/51460930
http://blog.csdn.net/shanyongxu/article/details/51476997

后来发现,-v选项 之前是把容器外的数据挂容器里用 刚想把容器里的某个文件挂到宿主机用,
只能挂出 run之后容器产生的数据,
如nginx: 可以获取到nginx的access日志和error日志,因为这些日志都是容器启动后生成的

 docker run -itd -v /tmp/nginx/:/var/log/nginx/ -p 80:80 nginx

在比如centos: 我只在宿主机/tmp下发现hostname hosts resolv.conf这三个文件,这些文件是容器run之后产生的文件.

docker run -itd -v /tmp/etc/:/tmp/etc/ centos

nginx基于centos的dockerfile

参考: https://github.com/nginxinc/docker-nginx/blob/3ba04e37d8f9ed7709fd30bf4dc6c36554e578ac/mainline/stretch/Dockerfile

FROM centos:6.8

ENV NGINX_VERSION 1.13.6

RUN CONFIG="\
        --user=nginx \
        --group=nginx \
        --prefix=/usr/local/nginx \
        --with-http_stub_status_module \
        --with-http_ssl_module \
        " \
        && useradd nginx -s /sbin/nologin \
        && yum install openssl openssl-devel pcre pcre-devel gcc c++ -y \
        && curl -fSL http://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz -o /usr/local/src/nginx-${NGINX_VERSION}.tar.gz  \
        && tar -xvf /usr/local/src/nginx-$NGINX_VERSION.tar.gz  -C /usr/local/src \
        && cd /usr/local/src/nginx-$NGINX_VERSION \
        && ./configure $CONFIG \
        && make \
        && make install \
        && rm -rf /usr/local/src/*
        
RUN ln -sf /dev/stdout /usr/local/nginx/log/access.log \
    && ln -sf /dev/stderr /usr/local/nginx/log/error.log
  
EXPOSE 80 443
CMD ["/usr/local/nginx/sbin/nginx", "-g", "daemon off;"]

linux一键初始化linux

#!/bin/bash

# 近400行shell脚本分享:一键优化系统,安全设置、安装、配置常见服务lnmp,redis,mongodb,vpn,帮助开发迅速搭建开发环境,也可用于单机版生产环境。
echo "This script is for centos7"
function check {
  if [ $? -ne 0 ];then
  echo -e "\033[31m\n the last command exec failed,please check it \033[0m \n"
  sleep 1
  exit -1
  fi
}
function initialize_system {
  echo -e "\033[32m 1.关闭selinux \033[0m"
  sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
  setenforce 0
  echo -e "\033[32m 2.开启时间同步 \033[0m"
  cat /var/spool/cron/root|grep -w "/usr/sbin/ntpdate pool.ntp.org > /dev/null 2>&1"
  [ $? -ne 0 ] && echo "0 0 * * * /usr/sbin/ntpdate pool.ntp.org > /dev/null 2>&1" >>/var/spool/cron/root
  echo -e "\033[32m crontab has been added successfully \033[0m"
  echo -e "\033[32m 3.修改最大连接数unlimt=102400 \033[0m"
  ulimit -n 102400
  cat /etc/security/limits.conf |grep -w "* soft nofile 102400"
  [ $? -ne 0 ] && echo "* soft nofile 102400" >>/etc/security/limits.conf
  cat /etc/security/limits.conf |grep -w "* hard nofile 102400"
  [ $? -ne 0 ] && echo "* hard nofile 102400" >>/etc/security/limits.conf
  echo -e "\033[32m file handel has been successfully changed \033[0m"
  echo -e "\033[32m 4.增加114.114.114.114的dns \033[0m"
  cat /etc/resolv.conf|grep -w "nameserver=114.114.114.114"
  [ $? -ne 0 ] && echo "nameserver=114.114.114.114" >>/etc/resolv.conf
  echo -e "\033[32m dns successful \033[0m"
  echo -e "\033[32m 5.设置ts=4 \033[0m"
  cat /etc/vimrc|grep -w "set ts=4"
  [ $? -ne 0 ] && echo "set ts=4" >>/etc/vimrc

  echo "install software dos2unix,telnet,lrzsz,wget,git,unzip,zip, crontabs openssl-devel gcc gcc-c++"
  yum install dos2unix vim telnet lrzsz wget git unzip zip openssl-devel gcc gcc-c++  -y
}
function install_nginx {
  echo "\033[36m\n 安装nginx \033[0 \n"
  rpm -qa|grep nginx-release-centos-7-0.el7.ngx.noarch
  if [ $? -ne 0 ];then
    rpm -Uvh http://nginx.org/packages/centos/7/noarch/RPMS/nginx-release-centos-7-0.el7.ngx.noarch.rpm
    check;
  fi
  yum install -y nginx
  check;
  sed -i 's/user  nginx nginx/user  www www/g' /etc/nginx/nginx.conf
  sed -i 's/worker_connections  1024/worker_connections  51024/g' /etc/nginx/nginx.conf
  sed -i 's/worker_processes  1/worker_processes  auto/g' /etc/nginx/nginx.conf
  cat /etc/nginx/nginx.conf |grep -w "fastcgi_buffers 8 128k"
  [ $? -ne 0 ] && sed -i '25ifastcgi_buffers 8 128k;' /etc/nginx/nginx.conf
  cat /etc/nginx/nginx.conf |grep -w "client_max_body_size 8M;"
  [ $? -ne 0 ] && sed -i '26iclient_max_body_size 8M;' /etc/nginx/nginx.conf
  mv /etc/nginx/conf.d/default.conf{,.bak}
  useradd www
  service nginx restart
  echo -e "\033[36m nginx install finished for the latest!配置文件位于/etc/nginx/ \033[0m "
  echo -e "\033[36m\n ---请自行配置nginx--- \033[0m \n"
}
function install_php71 {
  echo -e "\033[36m\n安装php7.1和php7.1的全部扩展\033[0m \n"
  rpm -qa|grep epel-release-7
  if [ $? -ne 0 ];then
    rpm -Uvh https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
    check;
  fi
  rpm -qa|grep webtatic-release
  if [ $? -ne 0 ];then
    rpm -Uvh https://mirror.webtatic.com/yum/el7/webtatic-release.rpm
    check;
  fi
  yum install -y php71w* --skip-broken
  check;
  echo -e "\033[36m\n 修改session权限 \033[0m \n"
  useradd www
  chown -R www.www /var/lib/php/
  sed -i 's/user = apache/user = www/g' /etc/php-fpm.d/www.conf
  sed -i 's/group = apache/group = www/g' /etc/php-fpm.d/www.conf
  sed -i 's/pm.max_children = 50/pm.max_children = 1500/g' /etc/php-fpm.d/www.conf
  sed -i 's/upload_max_filesize = 2M/upload_max_filesize = 10M/g' /etc/php.ini
  echo -e "\033[36m user=www,group=www  \033[0m"
  echo -e "\033[36m php7.1 install finished!配置文件位于/etc/php.ini,/etc/php-fpm.conf \033[0m "
  echo -e "\033[36m\n ---请自行配置php--- \033[0m \n"
  service php-fpm restart
}
function install_php72 {
  echo -e "\033[36m\n安装php7.2和php7.2的全部扩展\033[0m \n"
  rpm -qa|grep epel-release-7
  if [ $? -ne 0 ];then
  rpm -Uvh https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
  check;
  fi
  rpm -qa|grep webtatic-release
  if [ $? -ne 0 ];then
  rpm -Uvh https://mirror.webtatic.com/yum/el7/webtatic-release.rpm
  check;
  fi
  yum install -y php72w* --skip-broken
  check;
  echo -e "\033[36m\n 修改session权限 \033[0m \n"
  useradd www
  chown -R www.www /var/lib/php/
  sed -i 's/user = apache/user = www/g' /etc/php-fpm.d/www.conf
  sed -i 's/group = apache/group = www/g' /etc/php-fpm.d/www.conf
  sed -i 's/pm.max_children = 50/pm.max_children = 1500/g' /etc/php-fpm.d/www.conf
  sed -i 's/upload_max_filesize = 2M/upload_max_filesize = 10M/g' /etc/php.ini
  echo -e "\033[36m user=www,group=www  \033[0m"
  echo -e "\033[36m php7.1 install finished!配置文件位于/etc/php.ini,/etc/php-fpm.conf \033[0m "
  echo -e "\033[36m\n ---请自行配置php--- \033[0m \n"
  service php-fpm restart
}
function install_mysql57 {
  echo " 安装mysql5.7"
  rpm -qa|grep mysql-community-release-el7-5.noarch
  if [ $? -ne 0 ];then
    rpm -Uvh https://dev.mysql.com/get/mysql57-community-release-el7-11.noarch.rpm
    check;
  fi
  yum install -y mysql-community-server
  check;
  service mysqld start
  check;

  # 配置mysql
  mkdir -p /data/mysqllog
  mkdir -p /data/mysqldata
  chown -R mysql.mysql /data/mysqldata
  chown -R mysql.mysql /data/mysqllog
  echo "优化参数:最大连接数,设置编码utf8"
  cat /etc/my.cnf |grep -w "max_connections = 1000"
  [ $? -ne 0 ] &&  sed -i '/\[mysqld\]/a\max_connections = 1000' /etc/my.cnf
  cat /etc/my.cnf |grep -w "character_set_server=utf8"
  [ $? -ne 0 ] && sed -i '/\[mysqld\]/a\character_set_server=utf8' /etc/my.cnf
  echo -e "\033[36m mysql install finished!配置文件位于/etc/my.cnf,密码为空\033[0m"
  echo -e "\033[36m ---请自行配置mysql,如字符集utf8--- \033[0m"
}
function install_mysql56 {
  echo " 安装mysql5.6"
  rpm -qa|grep mysql-community-release-el7-5.noarch
  if [ $? -ne 0 ];then
  rpm -Uvh http://repo.mysql.com/mysql-community-release-el7-5.noarch.rpm
  check;
  fi
  yum install -y mysql-community-server
  check;
  # 创建mysql数据,日志目录
  mkdir -p /data/mysqllog
  mkdir -p /data/mysqldata
  chown -R mysql.mysql /data/mysqldata
  chown -R mysql.mysql /data/mysqllog

  echo "创建mysql初始用户root 密码b9LdPvwyZEW>=o"
  mysql -e "grant all privileges on *.* to root@'localhost' identified by 'b9LdPvwyZEW>=o'";

  service mysqld start
  check;
  echo "优化参数:最大连接数,设置编码utf8"
  cat /etc/my.cnf |grep -w "max_connections = 1000"
  [ $? -ne 0 ] &&  sed -i '/\[mysqld\]/a\max_connections = 1000' /etc/my.cnf
  cat /etc/my.cnf |grep -w "character_set_server=utf8"
  [ $? -ne 0 ] && sed -i '/\[mysqld\]/a\character_set_server=utf8' /etc/my.cnf
  echo -e "\033[36m mysql install finished!配置文件位于/etc/my.cnf,密码为空\033[0m"
  echo -e "\033[36m ---请自行配置mysql,如字符集utf8--- \033[0m"
}
function modify_ssh {
  echo " 修改ssh默认端口为8622"
  sed -i 's/#Port 22/Port 8622/g' /etc/ssh/sshd_config
  echo -e "\033[36m 关闭iptables/firewalld\033[0m"
  service firewalld stop
  checkconfig firewalld off
  service sshd restart
  service iptables restart
}
function add_ssh_key {
  echo "add user of www ssh-key"
  useradd www
  mkdir -p /home/www/.ssh
  echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCqtBbOblU3zGch5MxJWFEJWneX3n6nSzZ1ii4c1JilgsbtfqaAVTh4IL6rVYZlJaKSAtQBy2fQ6HRhhGjghbVvfIRbV1nj1NiOMz9u0aEdq4NaSyehNAzFT2w2BZ7t6jYNavOkOm4ieO3lKO+hH5PIZNAcBvdCWn1FdSAB2NhfhazXVIHQGUSpuYuKR17bwsJjxlwI8tLm+6E1bt7OzxMalCBPre13RbxN1aJt9MZqQOkFopuIBcbhOj0v2E+8B1rYFx4QYazl3U8HEq6tWJxpEOLCTqMeD0YkjOik8kKjGxR+B57nhepidsIz1rUlnsc/2lCXv1mSKKAfUtl8wtmbaL" >/home/www/.ssh/authorized_keys
  chown -R www.www /home/www/
  chmod 600 /home/www/.ssh/authorized_keys
  echo -e "\033[36m ---www用户的公钥添加到服务器成功,可以用证书登陆---\033[0m"
}
function install_mongodb4 {
  echo "
  [mongodb-org-4.0]
  name=MongoDB Repository
  baseurl=https://repo.mongodb.org/yum/redhat/\$releasever/mongodb-org/4.0/x86_64/
  gpgcheck=1
  enabled=1
  gpgkey=https://www.mongodb.org/static/pgp/server-4.0.asc">/etc/yum.repos.d/mongodb-org-4.0.repo
  yum install -y mongodb-org
  sed -i 's/^#security:/security:/g' /etc/mongod.conf

  cat /etc/mongod.conf |grep "authorization: enabled"
  [ $? -ne 0 ] && sed -i '/^security:/a\ authorization: enabled' /etc/mongod.conf
  systemctl start mongod
}
function install_redis50() {
  echo “获取服务器eth0网口IP”
  host=`/usr/sbin/ip addr |grep inet |grep -v inet6 |grep eth0|awk '{print $2}' |awk -F "/" '{print $1}'`

  echo "redis相关系统优化"
  cat /etc/sysctl.conf |grep "^net.core.somaxconn="
  [ $? -ne 0 ] && echo "net.core.somaxconn=5000" >> /etc/sysctl.conf

  cat /etc/sysctl.conf |grep "^vm.overcommit_memory="
  [ $? -ne 0 ] && echo "vm.overcommit_memory=1" >> /etc/sysctl.conf
  sysctl -p
  echo never > /sys/kernel/mm/transparent_hugepage/enabled
  cat /etc/rc.local |grep -w "echo never > /sys/kernel/mm/transparent_hugepage/enabled"
  [ $? -ne 0 ] && echo "echo never > /sys/kernel/mm/transparent_hugepage/enabled" >>/etc/rc.local

  echo ""1.安装redis依赖
  yum install -y gcc tcl

  echo "2.下载redis安装包"
  cd /usr/local/src/

  if [ ! -f ./redis-5.0.0.tar.gz ];then
  wget http://download.redis.io/releases/redis-5.0.0.tar.gz
  mkdir /usr/local/redis
  tar -zxvf redis-5.0.0.tar.gz -C /usr/local/
  mv /usr/local/redis-5.0.0 /usr/local/redis
  cd /usr/local/redis
  make
  make install

  echo "创建redis配置文件"
  mkdir /etc/redis/
  cp /usr/local/redis/redis.conf /etc/redis/

  echo "修改bind ip,"
  sed -i "s/^bind 127.0.0.1/bind $host/g" /etc/redis/redis.conf
  sed -i "s/^daemonize no/daemonize yes/g" /etc/redis/redis.conf
  sed -i "s/^protected-mode yes/protected-mode no/g" /etc/redis/redis.conf

  cat /etc/redis/redis.conf |grep -w "^requirepass weqFcx12fds"
  [ $? -ne 0 ] && echo "requirepass weqFcx12fds" >> /etc/redis/redis.conf
  echo "启动redis"
  /usr/local/redis/src/redis-server /etc/redis/redis.conf

  else
  echo "安装包已存在,只修改配置"
  echo "修改bind ip,"
  sed -i "s/^bind 127.0.0.1/bind $host/g" /etc/redis/redis.conf
  sed -i "s/^daemonize no/daemonize yes/g" /etc/redis/redis.conf
  sed -i "s/^protected-mode yes/protected-mode no/g" /etc/redis/redis.conf
  cat /etc/redis/redis.conf |grep -w "^requirepass dsf3#fs"
  [ $? -ne 0 ] && echo "requirepass dsf3#fs" >> /etc/redis/redis.conf
  fi
}
function install_openvpn(){
  echo "1.安装openvpn依赖"
  yum install openssl* gcc -y

  echo "2.安装lzo库"
  cd /usr/local/src
  if [ ! -f ./lzo-2.09.tar.gz ];then
  wget http://www.oberhumer.com/opensource/lzo/download/lzo-2.09.tar.gz
  tar xf lzo-2.09.tar.gz
  cd zo-2.09
  ./configure -prefix=/usr/local/lzo
  make && make install
  fi
  echo "3.下载openvpn"
  cd /usr/local/src
  if [ ! -f ./openvpn-2.2.2.tar.gz ];then
  wget http://oss.aliyuncs.com/aliyunecs/openvpn-2.2.2.tar.gz
  tar xf openvpn-2.2.2.tar.gz
  cd openvpn-2.2.2
  ./configure --prefix=/usr/local/openvpn --with-lzo-headers=/usr/local/lzo/include --with-lzo-lib=/usr/local/lzo/lib --with-ssl-headers=/usr/include/openssl --with-ssl-lib=/usr/lib64/openssl
  make  && make install

  echo "配置openvpn,初始化证书"
  mkdir /etc/openvpn
  cp /usr/local/openvpn/easy-rsa /etc/openvpn
  cd /etc/openvpn/easy-rsa/2.0

  echo "生成服务器证书,dh,ca证书"
  source ./vars
  ./clean-all
  ./build-dh
  echo -e "\033[32m 开始生成ca证书 \033[0m"
  ./build-ca
  echo -e "\033[32m 开始生成server证书 \033[0m"
  ./build-key-server server
  echo "拷贝证书文件到/etc/openvpn"
  cd keys
  cp ca.* server.* dh1024.pem /etc/openvpn
  echo "获取内网地址段"
  host=`/usr/sbin/ip addr |grep inet |grep -v inet6 |grep eth0|awk '{print $2}' |awk -F "/" '{print $1}'`
  intranet=`echo $host|awk -F [.] '{print $1 "." $2 ".0.0"}'`
  echo "生成服务端配置文件server.conf"
  echo -e "port 1194 \nproto udp \ndev tuni \nca /etc/openvpn/ca.crt \ncert /etc/openvpn/server.crt \nkey /etc/openvpn/server.key \ndh /etc/openvpn/dh1024.pem \nserver 10.10.0.0 255.255.255.0 \nifconfig-pool-persist ipp.txt \npush 'route $intranet 255.255.0.0' \npush 'dhcp-option DNS 8.8.8.8' \npush 'dhcp-option DNS 114.114.114.114' \npush 'dhcp-option DNS 74.207.242.5' \nclient-to-client \nduplicate-cn \nkeepalive 10 120 \ncomp-lzo \nuser nobody \ngroup nobody \npersist-key \npersist-tun \nstatus /var/log/openvpn-status.log \nlog /var/log/openvpn.log \nlog-append /var/log/openvpn.log \n#crl-verify /etc/openvpn/easy-rsa/2.0/keys/crl.pem \n" >/etc/openvpn/server.conf


  # 创建openvpn客户端证书
  create_openvpn_client_key
  echo "开启ip转发"
  cat /etc/sysctl.conf|grep -w "net.ipv4.ip_forward = 1"
  [ $? -ne 0 ] && echo "net.ipv4.ip_forward = 1" >>/etc/sysctl.conf
  sysctl -p

  echo "iptables开启vpn流量转发"
  echo "禁止firewall"
  systemctl stop firewalld.service
  systemctl disable firewalld.service
  yum install iptables-services -y
  sed -i 's/^-A INPUT -j REJECT --reject-with icmp-host-prohibited/#-A INPUT -j REJECT --reject-with icmp-host-prohibited/g' /etc/sysconfig/iptables
  sed -i 's/^-A FORWARD -j REJECT --reject-with icmp-host-prohibited/#-A FORWARD -j REJECT --reject-with icmp-host-prohibited/g' /etc/sysconfig/iptables
  cat /etc/sysconfig/iptables |grep -w "A POSTROUTING -s 10.10.0.0/24 -o eth0 -j MASQUERADE"
  if [ $? -ne 0 ];then
  iptables -t nat -A POSTROUTING -s 10.10.0.0/24 -o eth0 -j MASQUERADE
  service iptables save
           chkconfig iptables on
           service iptables restart
  fi

  echo -e "\033[32m 启动openvpn \033[0m"
  /usr/local/openvpn/sbin/openvpn --daemon --config /etc/openvpn/server.conf
  cat /etc/rc.local |grep -w "/usr/local/openvpn/sbin/openvpn --daemon --config /etc/openvpn/server.conf"
  [ $? -ne 0 ] && echo "/usr/local/openvpn/sbin/openvpn --daemon --config /etc/openvpn/server.conf" >>/etc/rc.local

  echo -e "\033[31m\n 防火墙开启udp:1194端口 \033[0m \n"
  else
    echo "安装文件已存在"

  fi

}
function create_openvpn_client_key(){
  #获取公网IP
  public_ip=`curl http://members.3322.org/dyndns/getip`

  echo -e "\033[32m 开始创建openvpn客户端证书 \033[0m"
  read -p "请输入你的key名: " keyname
  cd /etc/openvpn/easy-rsa/2.0
  source ./vars
  ./build-key $keyname

  echo "生成windows客户端client.ovpn文件"
  cd /etc/openvpn/easy-rsa/2.0/keys
  echo -e "client \ndev tun \nproto udp \nremote $public_ip 1194 \nresolv-retry infinite \nnobind \npersist-key \npersist-tun \nca ca.crt \ncert ${keyname}.crt \nkey ${keyname}.key \nremote-cert-tls server \ncomp-lzo \nverb 3" > client.ovpn
  echo -e "\033[32m 打包证书 \033[0m"
  tar -zcvf ${keyname}.tar.gz ca.* ${keyname}.crt ${keyname}.key client.ovpn

  echo -e "\033[32m 下载证书 \033[0m"
  sz ${keyname}.tar.gz
}
echo -e "\033[31m\n----选择你想安装的软件----\033[0m \n"
echo -e "\033[32m \"0. initialize_system(优化系统)\" input \"0\" \033[0m \n"
echo -e "\033[32m \"1. Nginx for latest\" input \"1\" \033[0m \n"
echo -e "\033[32m \"2. php7.1\" input \"2\" \033[0m \n"
echo -e "\033[32m \"3. mysql5.7\" input \"3\" \033[0m \n"
echo -e "\033[32m \"4. modify ssh port to 8622\" input \"4\" \033[0m \n"
echo -e "\033[32m \"5. add ssh-key\" input \"5\" \033[0m \n"
echo -e "\033[32m \"6. install mongodb4\" input \"6\" \033[0m \n"
echo -e "\033[32m \"7. install mysql5.6\" input \"7\" \033[0m \n"
echo -e "\033[32m \"8. install php7.2\" input \"8\" \033[0m \n"
echo -e "\033[32m \"9. install redis5.0\" input \"9\" \033[0m \n"
echo -e "\033[32m \"10. install openvpn2.2\" input \"10\" \033[0m \n"
echo -e "\033[32m \"11. create openvpn客户端证书\" input \"11\" \033[0m \n"
read -p "please choice which software do you want to install ?" input

case "$input" in
  0)  initialize_system;
           ;;
  1)  install_nginx;
          ;;
  2)  install_php71;
              ;;
  3)  install_mysql57;
  ;;
  4)  modify_ssh;
  ;;
  5)  add_ssh_key;
  ;;
  6)  install_mongodb4;
  ;;
  7)  install_mysql56;
  ;;
  8)  install_php72;
  ;;
  9)  install_redis50;
  ;;
  10)  install_openvpn;
  ;;
  11) create_openvpn_client_key;
  ;;
  *)  echo -e "\033[31m Input Error! \033[0m" && exit -1;;
esac
posted @ 2017-11-12 12:41  _毛台  阅读(525)  评论(0编辑  收藏