registry
需要 443
1194:1194/udp
更换 来此加密(Let's Encrypt)SSL 证书
# `\cp` bypasses any `cp` alias (root commonly has `alias cp='cp -i'`), so the
# existing domain.key/domain.crt are overwritten without prompting; `-a` keeps
# mode, owner and timestamps of the source files. private.pem is presumably the
# TLS private key the registry serves with — confirm domain.key is not
# world-readable after the copy, since `-a` copies whatever mode the source had.
\cp -a /free_cicdfs0/k8s_data/registry_ssl/certs/private.pem /free_cicdfs0/k8s_data/registry_ssl/certs/domain.key
\cp -a /free_cicdfs0/k8s_data/registry_ssl/certs/fullchain.crt /free_cicdfs0/k8s_data/registry_ssl/certs/domain.crt
使配置生效
# Re-apply the registry manifest so the new certificate files are picked up.
# `replace --force` deletes the objects and re-creates them, so expect a short
# outage of the registry while its pod comes back; `apply` alone would not
# restart a running pod just because files on the host changed.
kubectl apply -f /free_cicdfs0/k8s_ymls/app-yml/registry_ssl/registry_ssl.yml
kubectl replace --force -f /free_cicdfs0/k8s_ymls/app-yml/registry_ssl/registry_ssl.yml
修改配置文件
新版本的配置文件大致结构发生了一些改变
cat /free_cicdfs0/k8s_data/bind9/etc/bind/named.conf
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
从 114(114.114.114.114)缓存查询数据
# Write named.conf.options into the bind9 container's bind-mounted /etc/bind.
# NOTE(review): the `controls` block refers to key "rndckey", but the line that
# would include /etc/rndc.key is commented out (`#` is a comment in named.conf),
# so no key of that name is defined. The "couldn't add command channel
# 127.0.0.1#953" error logged below looks consistent with that — either include
# the key file or drop the controls block entirely; confirm which is intended.
# NOTE(review): `allow-query {any;}` plus `forwarders` and no `allow-recursion`
# makes this a recursive resolver for every client that can reach port 53.
# Inside the LAN that is the intent; should the service ever be reachable from
# outside, restrict both to the LAN prefixes (e.g. 192.168.0.0/16, the range
# used throughout this page) to avoid acting as an open resolver.
# dnssec-validation is disabled to avoid the "broken trust chain" failure
# described below; the trade-off is that answers from the 114.114.114.114
# forwarder are accepted unverified.
cat > /free_cicdfs0/k8s_data/bind9/etc/bind/named.conf.options <<"EOF"
# include "/etc/rndc.key";
controls {
inet 127.0.0.1 port 953
allow {127.0.0.1;} keys {"rndckey";};
};
options {
// set no
dnssec-enable no;
dnssec-validation no;
listen-on port 53 {any;};
allow-query {any;};
forwarders {114.114.114.114;};
};
EOF
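# Ownership and permissions for the bind9 bind-mount. The files must be
# readable by the named process inside the container, but they must not be
# world-writable: with 777 any local user, or any other container that shares
# this mount, could rewrite named.conf, the zone files or an rndc key and
# redirect every name this resolver answers for.
# u=rwX,go=rX yields 755 on directories and 644 on files (capital X adds
# execute only where the entry is a directory or already executable), which
# keeps everything readable no matter which uid named runs as in the container.
# The zones in this page are static `type master` zones with no allow-update,
# so named does not need write access here; if dynamic zones are added later,
# grant group write on that subtree only. Any secret placed here (rndc.key)
# should be tightened further to 640 root:named once the container's gid
# mapping is confirmed.
chmod -R u=rwX,go=rX /free_cicdfs0/k8s_data/bind9/
# The original intermediate `chown root:root` was immediately overridden by
# this one, so only the final ownership is kept. Requires a `named` group on
# the host.
chown -R root:named /free_cicdfs0/k8s_data/bind9/
docker-compose up -d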
# log error
couldn't add command channel 127.0.0.1#953: file not found
docker cp -a bind9:/etc/bind /free_cicdfs0/k8s_data/bind9/etc/
docker cp -a bind9:/var/lib/bind /free_cicdfs0/k8s_data/bind9/var/lib/
可以 dig,但无法 ping
broken trust chain resolving 'baidu.com/AAAA/IN': 114.114.114.114#53
解决:
因为是局域网内的合法 DNS,所以将 DNS 安全校验(DNSSEC)关闭.
[root@192-168-174-42 ~]# vim /etc/named.conf
将下面的两项设置为 no
dnssec-enable no;
dnssec-validation no;
查看已有的区域解析,并增加新的解析项
cat /free_cicdfs0/k8s_data/bind9/etc/bind/named.conf.default-zones
// prime the server with knowledge of the root servers
zone "." {
type hint;
file "/usr/share/dns/root.hints";
};
// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912
zone "localhost" {
type master;
file "/etc/bind/db.local";
};
zone "127.in-addr.arpa" {
type master;
file "/etc/bind/db.127";
};
zone "0.in-addr.arpa" {
type master;
file "/etc/bind/db.0";
};
zone "255.in-addr.arpa" {
type master;
file "/etc/bind/db.255";
};
https://nginx164190.zk.wh.com/
192.168.164.190 nginx164190.zk.wh.com
在 Linux 安装 局域网 证书
# 增加 解析 条目
vi /etc/hosts
192.168.164.190 nginx164190.zk.wh.com
[root@node01 ~]# curl https://nginx164190.zk.wh.com/
curl: (60) Peer's Certificate issuer is not recognized.
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
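# Fetch the LAN CA installer. Plain HTTP is unavoidable at this point (the
# private CA is exactly what this host does not trust yet), so the download has
# no transport integrity. Two mitigations: `-f` makes curl fail on an HTTP
# error instead of saving an error page under the .zip name, and the archive is
# compared against a digest obtained through a trusted channel (console of
# 192.168.164.190, chat, etc.) before anything from it is executed.
# Replace the placeholder with the real digest; stop if sha256sum reports FAILED.
curl -fo install_cert_linux.zip http://192.168.164.190:40080/install_cert_linux.zip
echo "<EXPECTED_SHA256_FROM_TRUSTED_CHANNEL>  install_cert_linux.zip" | sha256sum -c -
unzip install_cert_linux.zip
cd install_cert_linux || exit 1
# Read the script before running it: judging by its name it installs a root CA
# into the system trust store, after which every TLS client on this host trusts
# any certificate that CA signs.
# NOTE(review): the directory listing of the same web server (shown below)
# serves rootCA-key.pem next to rootCA.pem. The CA *private* key must not be
# published — anyone on the LAN who downloads it can mint certificates that
# every host that ran this installer will accept. Move it off the web root and
# consider re-keying the CA.
./install_cert.sh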
# 测试 效果
curl https://nginx164190.zk.wh.com/
<html>
<head><title>Index of /</title></head>
<body>
<h1>Index of /</h1><hr><pre><a href="../">../</a>
<a href="_wildcard.zk.wh.com.crt">_wildcard.zk.wh.com.crt</a> 18-Aug-2021 08:53 1464
<a href="_wildcard.zk.wh.com.pem">_wildcard.zk.wh.com.pem</a> 18-Aug-2021 08:53 1464
<a href="install_cert_linux.zip">install_cert_linux.zip</a> 19-Aug-2021 07:30 2M
<a href="rootCA-key.pem">rootCA-key.pem</a> 18-Aug-2021 08:53 2488
<a href="rootCA.pem">rootCA.pem</a> 18-Aug-2021 08:53 1635
<a href="test">test</a> 18-Aug-2021 08:47 7
</pre><hr></body>
</html>
rndc
1、953 端口是 rndc 的端口
2、rndc 用于查看 bind 的统计数据,同时更新某个 zone 时不需要重启 bind
查看 默认的 解析条目
cat /etc/bind/named.conf.default-zones
// prime the server with knowledge of the root servers
zone "." {
type hint;
file "/usr/share/dns/root.hints";
};
// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912
zone "localhost" {
type master;
file "/etc/bind/db.local";
};
zone "127.in-addr.arpa" {
type master;
file "/etc/bind/db.127";
};
zone "0.in-addr.arpa" {
type master;
file "/etc/bind/db.0";
};
zone "255.in-addr.arpa" {
type master;
file "/etc/bind/db.255";
};
增加 自己的 解析条目
多台 dns 之间 进行 协同
SOA
NS
# A 代表 解析到 ipv4
@ IN A 127.0.0.1
# AAAA 代表 解析到 ipv6
@ IN AAAA ::1
# ptr 代表 逆向解析
1.0.0 IN PTR localhost.
cat /etc/bind/named.conf
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
// add you zones
include "/etc/bind/named.conf.my-zones";
# 模拟 /etc/bind/named.conf.default-zones 书写 新的 解析记录
cat > /etc/bind/named.conf.my-zones <<"EOF"
zone "zk.wh.com" {
type master;
file "/etc/bind/db.zk.wh.com";
};
zone "192.in-addr.arpa" {
type master;
file "/etc/bind/db.192";
};
EOF
# 模拟 db 文件
cat /etc/bind/db.local
;
; BIND data file for local loopback interface
;
$TTL 604800
@ IN SOA localhost. root.localhost. (
2 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS localhost.
@ IN A 127.0.0.1
@ IN AAAA ::1
cat > /etc/bind/db.zk.wh.com <<"EOF"
$TTL 86400
@ IN SOA localhost. root.localhost. (
1 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
86400 ) ; Negative Cache TTL
;
@ IN NS localhost.
nginx164190 IN A 192.168.164.190
zcloud164190 IN A 192.168.164.190
EOF
# 模仿 反向解析 文件
cat /etc/bind/db.127
;
; BIND reverse data file for local loopback interface
;
$TTL 604800
@ IN SOA localhost. root.localhost. (
1 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS localhost.
1.0.0 IN PTR localhost.
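# Reverse zone for 192.in-addr.arpa. This covers all of 192/8, far wider than
# the 192.168.x LAN, which is harmless on a private resolver but worth knowing.
# Owner names are the remaining octets in reverse order relative to the zone
# apex: 190.164.168 -> 192.168.164.190.
# Fix: a PTR target must be the fully-qualified host name with a trailing dot.
# The original `nginx164190.` is absolute and names a non-existent top-level
# domain, so a reverse lookup would hand back a name that does not resolve
# forward; the forward zone above defines nginx164190 under zk.wh.com.
# The serial is bumped because the zone content changed (needed for any
# secondary to pick up the change).
# NOTE(review): `localhost.` as SOA MNAME/NS is accepted by named for a private
# zone but is not a real name-server name; if other resolvers ever need to
# reach this zone, use the server's own FQDN.
cat > /etc/bind/db.192 <<"EOF"
$TTL 86400
@ IN SOA localhost. root.localhost. (
2 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
86400 ) ; Negative Cache TTL
;
@ IN NS localhost.
190.164.168 IN PTR nginx164190.zk.wh.com.
EOF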
更新 解析记录
# 局域网 X.509 证书 无法 信任 多级子域名
# Reminder: X.509 wildcards only go one level deep, so this won't match a.b.zk.wh.com ℹ️
cat > /free_cicdfs0/k8s_data/bind9/etc/bind/db.zk.wh.com <<"EOF"
$TTL 86400
@ IN SOA localhost. root.localhost. (
1 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
86400 ) ; Negative Cache TTL
;
@ IN NS localhost.
nginx164190 IN A 192.168.164.190
zcloud164190 IN A 192.168.164.190
hub-docker IN A 192.168.99.100
EOF
# 重启 容器 服务 即可生效
ssh root@192.168.99.2
cd /free_cicdfs0/composes/bind9
docker-compose restart
# test
ping hub-docker.zk.wh.com
PING hub-docker.zk.wh.com (192.168.99.100) 56(84) bytes of data.
64 bytes from 192.168.99.100: icmp_seq=1 ttl=64 time=0.172 ms
64 bytes from 192.168.99.100: icmp_seq=2 ttl=64 time=0.152 ms
危险
dns 后缀过短 会导致 公网上的 .xyz 后缀域名 都无法 解析,
应该修改为 one-k.xyz 作为 后缀
增加 新的 解析记录
one-k.xyz 192.168.99.100
vi /free_cicdfs0/k8s_data/bind9/etc/bind/named.conf.my-zones
# NOTE(review): the preceding `vi` line edits the host bind-mount path
# (/free_cicdfs0/k8s_data/bind9/etc/bind/...) while this heredoc writes to
# /etc/bind/ — the path as seen inside the container. Unless this is run inside
# the container, the one-k.xyz zone is likely never loaded; point it at the
# same path the db.one-k.xyz heredoc below uses, or run it in the container.
# NOTE(review): declaring a master zone for "one-k.xyz" makes this resolver
# authoritative for that name and everything under it, so public records under
# one-k.xyz (if any exist) become unreachable from the LAN. This is the
# narrower replacement for the too-short suffix discussed above.
cat > /etc/bind/named.conf.my-zones <<"EOF"
zone "one-k.xyz" {
type master;
file "/etc/bind/db.one-k.xyz";
};
zone "zk.wh.com" {
type master;
file "/etc/bind/db.zk.wh.com";
};
zone "192.in-addr.arpa" {
type master;
file "/etc/bind/db.192";
};
EOF
# @ 的 含义 是 域名 本身
cat > /free_cicdfs0/k8s_data/bind9/etc/bind/db.one-k.xyz <<"EOF"
$TTL 86400
@ IN SOA localhost. root.localhost. (
1 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
86400 ) ; Negative Cache TTL
;
@ IN NS localhost.
@ IN A 192.168.99.100
k8s IN A 192.168.91.110
ingress IN A 192.168.99.200
test-nginx IN A 192.168.99.200
home-wuhan IN A 192.168.99.200
minio IN A 192.168.99.123
minio-one-node IN A 192.168.99.241
EOF
# Force replace, delete and then re-create the resource
kubectl replace --force -f /free_cicdfs0/k8s_ymls/app-yml/bind9.yml
deployment.apps "bind9-214-deployment" deleted
service "bind9-214-udp-deployment" deleted
deployment.apps/bind9-214-deployment replaced
service/bind9-214-udp-deployment replaced
测试
ssh node02
cd /free_cicdfs0/composes/bind9/
docker-compose restart
docker pull one-k.xyz/nginx
Using default tag: latest
latest: Pulling from nginx
Digest: sha256:61191087790c31e43eb37caa10de1135b002f10c09fdda7fa8a5989db74033aa
Status: Downloaded newer image for one-k.xyz/nginx:latest
one-k.xyz/nginx:latest