Wednesday, January 29, 2020

Installing docker

The official docs recommend removing any old version of docker before installing, otherwise conflicts may occur.

1. Remove old docker
yum remove docker docker-client docker-client-latest docker-common docker-latest docker-latest-logrotate docker-logrotate docker-engine

2. Install required packages
yum install -y yum-utils device-mapper-persistent-data lvm2

3. Set up the yum repo for the docker stable release
yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo

4. Install docker
yum install -y docker-ce docker-ce-cli containerd.io

Note: if you are asked about a GPG key partway through, confirm that it is 060A 61C5 1B55 8A7F 742B 77AA C52F EB6B 621E 9F35; if it is, accept it.

5. Start docker
systemctl enable docker
systemctl start docker

6. Test docker
docker run hello-world

# The following commands list some information about the docker installation
docker info
docker version

Reference: https://docs.docker.com/install/linux/docker-ce/centos/

Tuesday, January 21, 2020

Installing harbor

Prerequisites
1. Remove the old docker and install the new docker-ce
yum remove docker docker-client docker-client-latest docker-common docker-latest docker-latest-logrotate docker-logrotate docker-engine
yum install -y yum-utils device-mapper-persistent-data lvm2
yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
yum install -y docker-ce
systemctl start docker
systemctl enable docker

2. Install docker-compose
curl -L "https://github.com/docker/compose/releases/download/v2.11.1/docker-compose-linux-x86_64" -o /usr/local/bin/docker-compose
chmod +x /usr/local/bin/docker-compose
ln -s /usr/local/bin/docker-compose /usr/bin/docker-compose
docker-compose --version
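The download above drops a binary straight into /usr/local/bin and marks it executable without checking what was fetched. The function below is an added example (not from the original post) that checks a downloaded artifact against a sha256sum-format list such as the checksum file published next to the binary on the release page (whether and under which name your chosen version publishes one is for you to confirm); run it against the file before renaming it to docker-compose, since the entry is matched by the original file name. The sample artifact and checksum list used in the test are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): verify a downloaded release
# artifact against the SHA-256 list the project publishes alongside it,
# before it is marked executable and placed on PATH.

# verify_download FILE CHECKSUMS
#   FILE      : the downloaded artifact (its basename must match the entry)
#   CHECKSUMS : sha256sum-format list, "<64 hex>  <name>" or "<64 hex> *<name>"
# Prints "<name>: OK" and returns 0 only when an entry exists and matches;
# a missing entry is a failure, not a silent pass.
verify_download() {
    file=$1
    sums=$2
    name=$(basename "$file")

    # Select the entry by exact name with awk so dots and other regex
    # metacharacters in the file name are matched literally.
    expected=$(awk -v n="$name" '$2 == n || $2 == "*" n { print $1; exit }' "$sums" \
        | tr 'A-F' 'a-f')
    if [ -z "$expected" ]; then
        echo "no checksum entry for $name" >&2
        return 1
    fi
    # Reject a malformed entry instead of comparing against garbage.
    if [ "${#expected}" -ne 64 ]; then
        echo "malformed checksum entry for $name" >&2
        return 1
    fi

    actual=$(sha256sum "$file" | cut -c1-64)
    if [ "$expected" = "$actual" ]; then
        echo "$name: OK"
        return 0
    fi
    echo "$name: FAILED (expected $expected, got $actual)" >&2
    return 1
}
```

Usage on the download above: fetch the checksum list into the same directory as docker-compose-linux-x86_64, run `verify_download ./docker-compose-linux-x86_64 ./checksums.txt`, and only then move the file into place and `chmod +x` it.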



1. Create a CA certificate
openssl genrsa -out ca.key 4096
openssl req -x509 -new -nodes -sha512 -days 3650 \
 -subj "/C=TW/ST=Taiwan/L=Taipei/O=abow Inc./OU=IT/CN=abowspy.tw" \
 -key ca.key -out ca.crt

2. Create the server key and CSR, then sign the server certificate with the CA
openssl genrsa -out harbor.abowspy.tw.key 4096
openssl req -sha512 -new \
 -subj "/C=TW/ST=Taiwan/L=Taipei/O=abow Inc./OU=IT/CN=harbor.abowspy.tw" \
 -key harbor.abowspy.tw.key -out harbor.abowspy.tw.csr

cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1=harbor.abowspy.tw
DNS.2=192.168.1.205
EOF

openssl x509 -req -sha512 -days 3650 -extfile v3.ext \
 -CA ca.crt -CAkey ca.key -CAcreateserial \
 -in harbor.abowspy.tw.csr -out harbor.abowspy.tw.crt

3. Copy to a directory
mkdir -p /data/cert/
cp harbor.abowspy.tw.crt /data/cert/
cp harbor.abowspy.tw.key /data/cert/

4. Convert .crt to .cert, because the docker service by default treats .crt as a CA certificate and .cert as the certificate used for the server
openssl x509 -inform PEM -in harbor.abowspy.tw.crt -out harbor.abowspy.tw.cert
mkdir -p /etc/docker/certs.d/harbor.abowspy.tw/
cp harbor.abowspy.tw.cert /etc/docker/certs.d/harbor.abowspy.tw/
cp harbor.abowspy.tw.key /etc/docker/certs.d/harbor.abowspy.tw/
cp ca.crt /etc/docker/certs.d/harbor.abowspy.tw/

## If you have a Let's Encrypt certificate, you can also do it like this
# cp cert1.pem harbor.abow.online.crt
# cp chain1.pem ca.crt
# cp privkey1.pem harbor.abow.online.key
# openssl x509 -inform PEM -in harbor.abow.online.crt -out harbor.abow.online.cert
# cp harbor.abow.online.cert /etc/docker/certs.d/harbor.abow.online/
# cp harbor.abow.online.key /etc/docker/certs.d/harbor.abow.online/
# cp ca.crt /etc/docker/certs.d/harbor.abow.online/



5. Download the installer package and extract it
wget https://github.com/goharbor/harbor/releases/download/v2.6.0/harbor-offline-installer-v2.6.0.tgz
tar xvf harbor-offline-installer-v2.6.0.tgz


6. Edit the harbor install config
cd harbor
vi harbor.yml
hostname: harbor.abowspy.tw
https:
  port: 443
  certificate: /data/cert/harbor.abowspy.tw.crt
  private_key: /data/cert/harbor.abowspy.tw.key

## The config can also be created with cp harbor.yml.tmpl harbor.yml
and then edited.

7. Start the installation
./prepare
./install.sh

Note: ./prepare --with-trivy --with-chartmuseum

8. Use the following commands to confirm the installation completed
docker ps
ss -ntlp

Default login:
admin
Harbor12345

Sunday, January 19, 2020

Generating a self-signed certificate with openssl and enabling https

#------------------------------------------------------------------------------------------------------
#1. Create the config file: vim ssl.conf
[req]
prompt = no
default_md = sha256
default_bits = 2048
distinguished_name = dn
x509_extensions = v3_req

[dn]
C = TW
ST = Taiwan
L = Taipei
O = Abow Inc.
OU = IT Department
emailAddress = abowspy@gmail.com
CN = www.abowspy.tw

[v3_req]
subjectAltName = @alt_names

[alt_names]
DNS.1 = www.abowspy.tw
DNS.2 = 192.168.1.201

#The [alt_names] section of the config sets the domain names for the SSL certificate. This part is very important: without it, many browsers treat the certificate as invalid.
#You can list as many names here as you like, there is essentially no limit. Since a self-signed certificate is mainly for development and testing, it is recommended to add any local hostnames (localhost) or LAN IP addresses you may need, so that remote connection tests work later.


#------------------------------------------------------------------------------------------------------
#2. Generate the self-signed certificate and matching private key with the OpenSSL command, using the domain name as the file name
openssl req -x509 -new -nodes -sha256 -utf8 -days 3650 -newkey rsa:2048 -keyout www.abowspy.tw.key -out www.abowspy.tw.crt -config ssl.conf
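The harbor post above and this one both hand-run the same sequence: a config or ext file with a SAN section, a key, a CSR or self-signed cert, and a copy into the web server's or docker's directory. The script below is an added example (not from the original posts) that does the CA-signed variant from a config in the style of ssl.conf, then verifies the chain and reads the SAN back before anything is copied into /etc/nginx/ssl, /etc/pki/tls or /etc/docker/certs.d. It also goes slightly beyond the posts: the IP address is placed in an IP.1 entry rather than a DNS.2 entry, because TLS clients (docker's included) match an IP literal only against IP SANs. The host names, organisation and the 192.0.2.x address are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original posts): issue a server certificate from
# a private CA using a SAN config, then verify the result before deploying it.

# make_cert_chain DIR HOSTNAME IPADDR
# Writes DIR/ca.crt, DIR/HOSTNAME.key, DIR/HOSTNAME.crt and DIR/HOSTNAME.cert;
# the last line of output is the result of 'openssl verify' on the server cert.
make_cert_chain() {
    dir=$1; host=$2; ip=$3
    mkdir -p "$dir"
    # IP literals go in IP.n, not DNS.n: clients match an address only
    # against IP SANs, so a DNS.2=192.168.x.y entry never satisfies them.
    cat > "$dir/san.conf" <<EOF
[req]
prompt = no
default_md = sha256
distinguished_name = dn
req_extensions = v3_req

[dn]
C = TW
O = Example Inc.
CN = $host

[v3_req]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = $host
IP.1 = $ip
EOF
    # Private CA. In real use the CA key stays offline; it is generated here
    # only so the example is self-contained.
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -x509 -new -nodes -sha256 -days 3650 \
        -subj "/C=TW/O=Example Inc./CN=Example Root CA" \
        -key "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    # Server key and CSR driven by the config, then CA-signed with the same
    # v3_req section so the SAN and EKU land in the issued certificate.
    openssl genrsa -out "$dir/$host.key" 2048 2>/dev/null
    chmod 0600 "$dir/ca.key" "$dir/$host.key"
    openssl req -new -key "$dir/$host.key" -config "$dir/san.conf" \
        -out "$dir/$host.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 825 -in "$dir/$host.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/san.conf" -extensions v3_req \
        -out "$dir/$host.crt" 2>/dev/null
    # The .cert copy docker expects under /etc/docker/certs.d/ is the same
    # PEM re-emitted under another name; the certificate itself is unchanged.
    openssl x509 -inform PEM -in "$dir/$host.crt" -out "$dir/$host.cert"
    openssl verify -CAfile "$dir/ca.crt" "$dir/$host.crt"
}

# cert_san CERT: print the subjectAltName values of CERT, e.g.
# "DNS:harbor.example.test, IP Address:192.0.2.10"
cert_san() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n1 | sed 's/^ *//'
}

# cert_fingerprint CERT: SHA-256 fingerprint, used to confirm that the .crt
# and the .cert copy are the same certificate.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}
```

Typical use: `make_cert_chain /data/cert harbor.abowspy.tw 192.168.1.205`, then `cert_san /data/cert/harbor.abowspy.tw.crt` to confirm the names a client will be allowed to connect with before the files are copied to nginx, Apache or /etc/docker/certs.d/.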

***   Nginx setup   ***
#------------------------------------------------------------------------------------------------------
#3. Create the directory for the certificates, copy them there, and give the key 0600 permissions
mkdir -p /etc/nginx/ssl
cp *.key *.crt /etc/nginx/ssl/
chmod 0600 /etc/nginx/ssl/*.key

#------------------------------------------------------------------------------------------------------
#4. Edit the nginx config file: vim /etc/nginx/conf.d/default.conf
Add these lines below the existing listen       80;
    listen       443 ssl;
    ssl_certificate /etc/nginx/ssl/www.abowspy.tw.crt;
    ssl_certificate_key /etc/nginx/ssl/www.abowspy.tw.key;

#------------------------------------------------------------------------------------------------------
#5. Restart nginx
systemctl restart nginx





***   Apache setup   ***
#------------------------------------------------------------------------------------------------------
#1. First make sure mod_ssl is installed
yum -y install mod_ssl

#------------------------------------------------------------------------------------------------------
#2. Copy the certificate and key into the TLS directories, and give the key 0600 permissions
cp *.crt /etc/pki/tls/certs/
cp *.key /etc/pki/tls/private/
chmod 0600 /etc/pki/tls/private/*.key

#------------------------------------------------------------------------------------------------------
#3. Edit vim /etc/httpd/conf.d/vhosts.conf

<VirtualHost *:80>
  ServerName www.abowspy.tw
  DocumentRoot /var/www/html/
</VirtualHost>
<VirtualHost *:443>
  ServerName www.abowspy.tw
  SSLEngine on
  SSLProtocol all -SSLv2 -SSLv3
  # 3DES is a legacy cipher kept here for old clients; remove it from the list once none remain
  SSLCipherSuite HIGH:3DES:!aNULL:!MD5:!SEED:!IDEA
  SSLCertificateFile /etc/pki/tls/certs/www.abowspy.tw.crt
  SSLCertificateKeyFile /etc/pki/tls/private/www.abowspy.tw.key
  DocumentRoot /var/www/html/
</VirtualHost>

#------------------------------------------------------------------------------------------------------
#4. Restart apache
systemctl restart httpd





Optional: if the certificate was issued through an intermediate CA, also add the chain file inside <VirtualHost *:443>:
  SSLCertificateChainFile /etc/pki/tls/certs/example-ca.crt

Monday, January 6, 2020

How to log in over SSH with key authentication

Scenario
client -> ssh login -> server

First create an ssh key pair (private key + public key) on the client,
then put the generated ssh public key on the server.



#---------------------------------------------------------------------------------------------------------
Before creating the key on the client, check whether the hidden .ssh directory exists under the home directory (its permissions are usually 0600),
and check whether ~/.ssh contains the id_rsa and id_rsa.pub files.

If not, create the .ssh directory with the following commands
mkdir -p ~/.ssh
chmod 700 ~/.ssh

If they exist, a key pair was created earlier; you can skip the ssh-keygen step and upload id_rsa.pub directly to the server you want to log in to.

#---------------------------------------------------------------------------------------------------------
Generate the key pair with the ssh-keygen command:
ssh-keygen

ssh-keygen asks a few questions along the way; for an ordinary user, accepting all the defaults (just pressing Enter) is fine.

First it asks where to store the key; accept the default by pressing Enter.
Generating public/private rsa key pair.
Enter file in which to save the key (/home/seal/.ssh/id_rsa):

Then it asks for a passphrase to protect the key; if you set one, you will have to enter it every time you use the key. Just press Enter.
Enter passphrase (empty for no passphrase):

Enter the passphrase again, press Enter, and the key pair is generated.
Enter same passphrase again:

After it finishes you will see the key pair under ~/.ssh
id_rsa.pub: the public key, which may be shared; later it is placed on the remote Linux server for authentication.
id_rsa: the private key, which must be protected; it is equivalent to your Linux password and stays on your own computer.

#---------------------------------------------------------------------------------------------------------
Next, use one of the following three methods to copy id_rsa.pub (the public key) into ~/.ssh/authorized_keys on the remote server.
Likewise, first confirm that the home directory on the remote server also has the hidden .ssh directory, with the authorized_keys file inside it.

Method 2 is recommended

Method 1:
ssh USER@HOST 'mkdir -p ~/.ssh;cat >> ~/.ssh/authorized_keys' < ~/.ssh/id_rsa.pub

Method 2:
ssh-copy-id USER@HOST
The -i option selects the key to copy
ssh-copy-id -i ~/.ssh/id_rsa.pub USER@HOST

Method 3:
Copy the contents of id_rsa.pub, log in to the remote server, and paste it at the end of ~/.ssh/authorized_keys
[root@localhost .ssh]# cat id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCrEw9Zxvie+Uevw8rGArAYNuPF4GwwiHZ1m66XAAzp+jS09ATU/mlTUg91zJc8cSX8JwfJcBLCiY+hSuN/8rxQejLgXB9DFVJatz1/mOQs5QWGfgLUq4ml3hxhiBJxyE7k6r9yjrvf1cd9HS64CnpzENdcoR18gnlJdr+5xTm5nQyxlh7zv6Iel1ckU5I5vi/JuTYawKwVCTygSbXmnM7RR9VMHcca/n1HMS63c5xleylDl1XhjUQXahB3Xnd9YORlbTjYHPi6Dl9ZUpbuMefCPyoTI9aRVcFykxPUjLHsVFdUGo9fYLiLMWvjubMw9fjwDHomWNP2WJ6av9sy/Vjp root@localhost.localdomain

#---------------------------------------------------------------------------------------------------------
After that, ssh user@host logs in without asking for a password
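Method 1 above appends blindly, so a second run duplicates the key, and it does not set permissions, which matters because sshd (with StrictModes, the default) ignores an authorized_keys file that is group- or world-writable or sits in a loosely permissioned ~/.ssh, and then keeps asking for a password with no visible error. The function below is an added example (not from the original post) of the server-side step done carefully: idempotent append, 700 on ~/.ssh, 600 on the file. The sample key used in the test is constructed and is not real key material.

```shell
#!/bin/sh
# Added example (not from the original post): install one OpenSSH public key
# into HOME_DIR/.ssh/authorized_keys without duplicates and with the
# permissions sshd's StrictModes requires.

# install_authorized_key PUBKEY_FILE [HOME_DIR]
#   Appends the key in PUBKEY_FILE to HOME_DIR/.ssh/authorized_keys
#   (HOME_DIR defaults to $HOME). Prints "added" or "already present".
install_authorized_key() {
    pubkey_file=$1
    home_dir=${2:-$HOME}
    ssh_dir=$home_dir/.ssh
    auth=$ssh_dir/authorized_keys

    # An OpenSSH public key line is "<type> <base64> [comment]". Compare on
    # type + base64 only, so a different comment does not create a duplicate.
    key=$(awk 'NF >= 2 && $1 ~ /^(ssh-|ecdsa-|sk-)/ { print $1 " " $2; exit }' "$pubkey_file")
    if [ -z "$key" ]; then
        echo "no OpenSSH public key found in $pubkey_file" >&2
        return 1
    fi

    # sshd rejects ~/.ssh or authorized_keys that others can write to.
    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    touch "$auth"
    chmod 600 "$auth"

    if awk -v k="$key" '($1 " " $2) == k { found = 1 } END { exit !found }' "$auth"; then
        echo "already present"
        return 0
    fi
    # Append the full original line (including its comment) on its own line.
    grep -F "$key" "$pubkey_file" | head -n1 >> "$auth"
    echo "added"
}

# count_authorized_keys [HOME_DIR]: number of non-comment key lines installed.
count_authorized_keys() {
    home_dir=${1:-$HOME}
    awk 'NF >= 2 && $1 !~ /^#/ { n++ } END { print n + 0 }' \
        "$home_dir/.ssh/authorized_keys" 2>/dev/null || echo 0
}
```

On the server, `install_authorized_key /tmp/id_rsa.pub` for the logged-in account does what method 3 describes by hand; ssh-copy-id (method 2) performs the same mkdir and chmod steps for you, which is part of why the post recommends it.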







Installing librenms



Reference article
https://docs.librenms.org/Installation/Installation-CentOS-7-Nginx/

1. Install the required packages
yum install -y epel-release yum-utils
yum localinstall -y http://rpms.remirepo.net/enterprise/remi-release-7.rpm
yum-config-manager --enable remi-php73
yum install -y cronie fping git ImageMagick jwhois mariadb mariadb-server mtr MySQL-python net-snmp net-snmp-utils nginx nmap php-fpm php-cli php-common php-curl php-gd php-mbstring php-process php-snmp php-xml php-zip php-memcached php-mysqlnd python-memcached rrdtool

2. Add the librenms user and add nginx to the librenms group
useradd librenms -d /opt/librenms -M -r
usermod -a -G librenms nginx

3. Download librenms
cd /opt
git clone https://github.com/librenms/librenms.git

4. Set permissions
chown -R librenms:librenms /opt/librenms
chmod 770 /opt/librenms
setfacl -d -m g::rwx /opt/librenms/rrd /opt/librenms/logs /opt/librenms/bootstrap/cache/ /opt/librenms/storage/
setfacl -R -m g::rwx /opt/librenms/rrd /opt/librenms/logs /opt/librenms/bootstrap/cache/ /opt/librenms/storage/
chgrp apache /var/lib/php/session/

5. Install the PHP dependencies
su - librenms
./scripts/composer_wrapper.php install --no-dev
exit

6. Install the database & create the librenms database and user
systemctl start mariadb
mysql -u root
CREATE DATABASE librenms CHARACTER SET utf8 COLLATE utf8_unicode_ci;
CREATE USER 'librenms'@'localhost' IDENTIFIED BY 'password';
GRANT ALL PRIVILEGES ON librenms.* TO 'librenms'@'localhost';
FLUSH PRIVILEGES;
exit

vi /etc/my.cnf
Add the following under [mysqld]
innodb_file_per_table=1
lower_case_table_names=0


systemctl enable mariadb
systemctl restart mariadb

7. Configure the web server
vi /etc/php.ini
date.timezone = Asia/Taipei


vi /etc/php-fpm.d/www.conf
;user = apache
user = nginx
group = apache   ; keep group as apache
;listen = 127.0.0.1:9000
listen = /run/php-fpm/php-fpm.sock
listen.owner = nginx
listen.group = nginx
listen.mode = 0660


systemctl enable php-fpm
systemctl restart php-fpm


8. Configure nginx
vi /etc/nginx/conf.d/librenms.conf
server {
 listen      80;
 server_name librenms.example.com;
 root        /opt/librenms/html;
 index       index.php;

 charset utf-8;
 gzip on;
 gzip_types text/css application/javascript text/javascript application/x-javascript image/svg+xml text/plain text/xsd text/xsl text/xml image/x-icon;
 location / {
  try_files $uri $uri/ /index.php?$query_string;
 }
 location /api/v0 {
  try_files $uri $uri/ /api_v0.php?$query_string;
 }
 location ~ \.php {
  include fastcgi.conf;
  fastcgi_split_path_info ^(.+\.php)(/.+)$;
  fastcgi_pass unix:/run/php-fpm/php-fpm.sock;
 }
 location ~ /\.ht {
  deny all;
 }
}

systemctl enable nginx
systemctl restart nginx


9. Configure selinux
yum install -y policycoreutils-python
semanage fcontext -a -t httpd_sys_content_t '/opt/librenms/logs(/.*)?'
semanage fcontext -a -t httpd_sys_rw_content_t '/opt/librenms/logs(/.*)?'
restorecon -RFvv /opt/librenms/logs/
semanage fcontext -a -t httpd_sys_content_t '/opt/librenms/rrd(/.*)?'
semanage fcontext -a -t httpd_sys_rw_content_t '/opt/librenms/rrd(/.*)?'
restorecon -RFvv /opt/librenms/rrd/
semanage fcontext -a -t httpd_sys_content_t '/opt/librenms/storage(/.*)?'
semanage fcontext -a -t httpd_sys_rw_content_t '/opt/librenms/storage(/.*)?'
restorecon -RFvv /opt/librenms/storage/
semanage fcontext -a -t httpd_sys_content_t '/opt/librenms/bootstrap/cache(/.*)?'
semanage fcontext -a -t httpd_sys_rw_content_t '/opt/librenms/bootstrap/cache(/.*)?'
restorecon -RFvv /opt/librenms/bootstrap/cache/
setsebool -P httpd_can_sendmail=1
setsebool -P httpd_execmem 1

10. Configure fping
cd /tmp
vim http_fping.tt
Contents as follows
---------------------------------------------------------------------------------
module http_fping 1.0;

require {
type httpd_t;
class capability net_raw;
class rawip_socket { getopt create setopt write read };
}

#============= httpd_t ==============
allow httpd_t self:capability net_raw;
allow httpd_t self:rawip_socket { getopt create setopt write read };
-------------------------------------------------------------------------------
checkmodule -M -m -o http_fping.mod http_fping.tt
semodule_package -o http_fping.pp -m http_fping.mod
semodule -i http_fping.pp


11. Open the firewall for http and https
firewall-cmd --zone public --add-service http
firewall-cmd --permanent --zone public --add-service http
firewall-cmd --zone public --add-service https
firewall-cmd --permanent --zone public --add-service https

12. Configure snmpd
cp /opt/librenms/snmpd.conf.example /etc/snmp/snmpd.conf
vi /etc/snmp/snmpd.conf
com2sec readonly  default         public

curl -o /usr/bin/distro https://raw.githubusercontent.com/librenms/librenms-agent/master/snmp/distro
chmod +x /usr/bin/distro
systemctl enable snmpd
systemctl restart snmpd


13. Set up the cron schedule
cp /opt/librenms/librenms.nonroot.cron /etc/cron.d/librenms


14. Configure logrotate
cp /opt/librenms/misc/librenms.logrotate /etc/logrotate.d/librenms

15. Start the web setup
http://librenms.example.com/install.php
chown librenms:librenms /opt/librenms/config.php


16. The following page can be used to validate the installation
10.2.9.225/validate/



Sunday, January 5, 2020

Using freeradius with google-authenticator for authentication

#Prerequisites
#---------------------------------------------------------------------------------------------------------
#Disable the firewall
systemctl disable firewalld
systemctl stop firewalld

#Disable SELinux
setenforce 0
getenforce
Edit the SELinux config so that SELinux does not start at boot
vim /etc/selinux/config

2. Install freeradius and google-authenticator
yum -y install freeradius freeradius-utils
yum install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
yum install -y google-authenticator

3. Edit radiusd.conf
vim /etc/raddb/radiusd.conf
Change to
user = root
group = root

4. Edit /etc/raddb/sites-enabled/default
vim /etc/raddb/sites-enabled/default
Find
# pam
and uncomment it, as follows
        pam

5. Enable the pam module in freeradius
ln -s /etc/raddb/mods-available/pam /etc/raddb/mods-enabled/pam

6. Edit /etc/raddb/users so that users authenticate with PAM by default
vim /etc/raddb/users
DEFAULT        Auth-Type := PAM

7. Edit /etc/raddb/clients.conf to define the client hosts that may authenticate
vim /etc/raddb/clients.conf
client myserver {
        ipaddr = 192.168.1.0/24
        secret = test123
        require_message_authenticator = no
}

8. Edit the PAM config
vim /etc/pam.d/radiusd
Comment out auth       include password-auth
#auth       include password-auth
and add this line below it
auth requisite pam_google_authenticator.so

9. Restart freeradius
systemctl enable radiusd
systemctl start radiusd


10. Create a user for testing and set up google authentication for it
useradd radtest
su - radtest
google-authenticator
Answer y to all the prompts (the defaults)

Note: to combine this with the local Linux account password
#%PAM-1.0
#auth include password-auth
auth requisite pam_google_authenticator.so forward_pass
auth required pam_unix.so use_first_pass
account required pam_nologin.so
account include password-auth
#password include password-auth
session include password-auth
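The code pam_google_authenticator checks in step 10 (and, with forward_pass above, the six digits the user types after the password) is RFC 6238 TOTP: HOTP over the 30-second counter derived from the current time. The function below is an added example (not part of the original post or of the google-authenticator project) that computes it with nothing but openssl, so a test account's code can be derived from a known secret when checking the RADIUS setup, and so that the clock dependency is visible: a skewed clock gives a different counter and therefore a different code. The secret is taken as hex rather than the base32 string google-authenticator prints, to keep the decoding out of the example; the hex key in the test is the RFC 4226/6238 test secret, not a real one.

```shell
#!/bin/sh
# Added example (not from the original post): RFC 6238 TOTP / RFC 4226 HOTP
# using only openssl for the HMAC-SHA1.

# totp_code HEXKEY UNIXTIME [DIGITS] [STEP]
#   HEXKEY  : shared secret as hex (google-authenticator prints it as base32)
#   UNIXTIME: the time to compute the code for (seconds since the epoch)
#   DIGITS  : code length, default 6; STEP: time step in seconds, default 30
totp_code() {
    hexkey=$1
    now=$2
    digits=${3:-6}
    step=${4:-30}
    counter=$((now / step))

    # Message = the counter as 8 big-endian bytes, built with octal escapes
    # so no xxd or perl is needed.
    i=0
    msg=""
    while [ "$i" -lt 8 ]; do
        byte=$(( (counter >> ((7 - i) * 8)) & 255 ))
        msg="$msg$(printf '\\%03o' "$byte")"
        i=$((i + 1))
    done

    # HMAC-SHA1(key, counter); keep only the 40 hex digits of the tag.
    mac=$(printf "$msg" | openssl dgst -sha1 -mac HMAC -macopt "hexkey:$hexkey")
    mac=${mac##* }

    # Dynamic truncation (RFC 4226 5.3): the low nibble of the last byte
    # selects a 4-byte window; clear its top bit, then keep DIGITS digits.
    last=$(printf '%s' "$mac" | tail -c 1)
    offset=$((0x$last))
    window=$(printf '%s' "$mac" | cut -c "$((offset * 2 + 1))-$((offset * 2 + 8))")
    bin=$((0x$window & 0x7fffffff))

    mod=1
    j=0
    while [ "$j" -lt "$digits" ]; do
        mod=$((mod * 10))
        j=$((j + 1))
    done
    printf "%0${digits}d\n" $((bin % mod))
}

# totp_now HEXKEY: the code valid at this moment, i.e. what the user types.
totp_now() {
    totp_code "$1" "$(date +%s)"
}
```

Because the counter is floor(time / 30), the RADIUS server and the user's phone must agree on the time to within the window the PAM module tolerates; keeping the server under NTP is part of making this setup work, not an optional extra.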

Saturday, January 4, 2020

Installing PostgreSQL

Reference
https://www.postgresql.org/download/linux/redhat/

1. Install the postgresql repo
yum install -y https://download.postgresql.org/pub/repos/yum/reporpms/EL-7-x86_64/pgdg-redhat-repo-latest.noarch.rpm


2. Install postgresql
yum install -y postgresql12 postgresql12-server


3. Initialize postgresql
/usr/pgsql-12/bin/postgresql-12-setup initdb

4. Start postgresql
systemctl enable postgresql-12
systemctl start postgresql-12

Wednesday, January 1, 2020

Installing jenkins



#---------------------------------------------------------------------------------------------------------
#Prerequisites
yum install -y wget
systemctl stop firewalld
systemctl disable firewalld

#---------------------------------------------------------------------------------------------------------
#Install openjdk
yum install -y java-11-openjdk

#---------------------------------------------------------------------------------------------------------
#Set up the jenkins yum repo
wget -O /etc/yum.repos.d/jenkins.repo https://pkg.jenkins.io/redhat-stable/jenkins.repo
rpm --import https://pkg.jenkins.io/redhat-stable/jenkins.io.key


#---------------------------------------------------------------------------------------------------------
#Install jenkins
yum install -y jenkins


#---------------------------------------------------------------------------------------------------------
#Configure jenkins (the following steps are optional and can be skipped)
Jenkins listens on port 8080 by default; the port can be changed in the following config file
vi /etc/sysconfig/jenkins

Adding the following setting helps prevent Out of memory situations
# PermSize/MaxPermSize are ignored by Java 8 and later (this install uses java-11-openjdk); the heap settings still apply
JENKINS_JAVA_OPTIONS="-Djava.awt.headless=true -Xms1024m -Xmx1024m -XX:PermSize=128M -XX:MaxPermSize=256M"

#---------------------------------------------------------------------------------------------------------
#Start jenkins
systemctl start jenkins
systemctl enable jenkins

#---------------------------------------------------------------------------------------------------------
#Finally, open http://IP:8080/ in a browser. Jenkins has to be unlocked first; the password is stored in
cat /var/lib/jenkins/secrets/initialAdminPassword

#---------------------------------------------------------------------------------------------------------
Note:
Remember to sync the clock, otherwise Jenkins scheduled jobs may misbehave.

On Ubuntu/Debian the equivalent steps are:

sudo apt-get update
sudo apt install openjdk-11-jdk -y

sudo wget -O /usr/share/keyrings/jenkins-keyring.asc https://pkg.jenkins.io/debian-stable/jenkins.io-2023.key
echo deb [signed-by=/usr/share/keyrings/jenkins-keyring.asc] https://pkg.jenkins.io/debian-stable binary/ | sudo tee /etc/apt/sources.list.d/jenkins.list > /dev/null

sudo apt-get update
sudo apt-get install -y jenkins

systemctl start jenkins
systemctl enable jenkins

sudo timedatectl set-timezone Asia/Taipei
sudo timedatectl set-ntp yes
sudo systemctl enable systemd-timesyncd
sudo systemctl restart systemd-timesyncd
sudo systemctl status systemd-timesyncd
sudo timedatectl