背景:
想把账户对立治理起来,jenkins,gitlab,jumpserver甚至kibana,kubernetes等等。原本搭建过openldap。昨天小伙伴强烈推荐我用一下freeipa......又进入了盲区,没有听过的货色都比拟好奇,浅浅的体验一下!freeipa服务就不想部署在kubernetes中了 也筹备docker形式启动部署。毕竟这样不便降级还原。kubernetes中部署了还要额定映射端口啥的麻烦......偷懒一下!
Freeipa装置
注: 操作系统rockylinux9.0,以docker-compose形式启动freeipa!。主机内网ip 10.0.4.52.
装置docker docker-compose
docker装置
增加docker-ce国内源,这里应用了阿里云的源,装置docker-ce:
dnf config-manager --add-repo http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repodnf -y install docker-ce docker-ce-cli containerd.io装置docker-compose
拜访github仓库:https://github.com/docker/compose/releases/,抉择对应版本针对零碎的版本进行下载(会很慢,能够迷信上网,或者跟我一样,提前下载了放在对象存储下面!)
curl "https://github.com/docker/compose/releases/download/v2.16.0/docker-compose-linux-x86_64" -o /usr/local/bin/docker-composechmod +x /usr/local/bin/docker-composedocker-compose --version配置docker镜像减速,设置docker服务开机启动:
能够跟据本人的阿里亚账户的容器镜像服务-镜像攻打-镜像加速器,配置镜像减速:
sudo mkdir -p /etc/dockersudo tee /etc/docker/daemon.json <<-'EOF'{ "registry-mirrors": ["https://7zk8hbh7.mirror.aliyuncs.com"], "features": { "buildkit": true }, "experimental": true, "cgroup-parent": "docker.slice", "exec-opts": ["native.cgroupdriver=systemd"]}EOFsudo systemctl daemon-reloadsudo systemctl restart docker注:registry-mirrors上面的忘了那里复制来的了 就间接带着了!
docker infodocker -vdocker-compose 搭建freeipa服务:
创立数据目录,编写docker-compose.yaml文件
偷懒了docker-compose.yaml寄存在了/data/freeipa目录。freeipa数据目录/data/free-ipa/data /data/free-ipa/data/logs:
mkdir -p /data/free-ipa/data mkdir -p /data/free-ipa/logs
docker-compose.yaml如下(小伙伴的文件间接拿来用的):
version: "3.3"services: freeipa: image: freeipa/freeipa-server:almalinux-8-4.9.8 container_name: xxxx.xxxx.com domainname: xxxx.xxxx.com container_name: freeipa_idc ports: - "80:80/tcp" - "443:443/tcp" # DNS - "53:53/tcp" - "53:53/udp" # LDAP(S) - "389:389/tcp" - "636:636/tcp" # Kerberos - "88:88/tcp" - "88:88/udp" - "464:464/tcp" - "464:464/udp" # NTP - "123:123/udp" dns: - 127.0.0.1 - 183.60.82.98 - 183.60.83.19 - 114.114.114.114 tty: true stdin_open: true environment: IPA_SERVER_HOSTNAME: xxxx.xxxx.com IPA_SERVER_IP: 10.0.4.52 TZ: "Asia/Shanghai" command: - --domain=xxxx.com - --realm=xxx.com - --admin-password=xxxx #freeapi的admin管理员账号 - --http-pin=xxxx - --dirsrv-pin=xxxx - --ds-password=xxxx - --no-dnssec-validation - --no-host-dns - --setup-dns - --auto-forwarders - --allow-zone-overlap - --unattended # 主动无人工干预装置 cap_add: - SYS_TIME - NET_ADMIN restart: unless-stopped volumes: - /etc/localtime:/etc/localtime:ro - /sys/fs/cgroup:/sys/fs/cgroup:ro - /data/free-ipa/data:/data - /data/free-ipa/logs:/var/logs sysctls: - net.ipv6.conf.all.disable_ipv6=0 - net.ipv6.conf.lo.disable_ipv6=0 security_opt: - "seccomp:unconfined" labels: - idc-freeipa extra_hosts: - "xxxx.xxxx.com:10.0.4.52 "就默认批改了一下 域名 ip dns 明码 domain realm 等xxx局部!
cgroup v2带来的无奈启动
docker-compose up -d docker logs -f freeipa_idc
网上看了很多文章根本是cgroup的问题:https://serverfault.com/questions/1053187/systemd-fails-to-run-in-a-docker-container-when-using-cgroupv2-cgroupns-priva.https://github.com/freeipa/freeipa-container/issues/520
服务器查看了一眼的确零碎默认cgroup v2版本:
mount |grep cgroup
批改systemd.unified_cgroup_hierarchy=0 并重启服务器:
grubby --update-kernel=ALL --args="systemd.unified_cgroup_hierarchy=0"reboot查看cgroup能够反对V1了 持续启动服务
mount |grep cgroupdocker-compose down docker-compose up -d 期待服务启动........
拜访freeipa域名:
第一次拜访点两次勾销进入登陆页面
第一次拜访很坑爹:右上角会弹出一个登陆框让输出用户名明码,连着输出都是谬误的,都狐疑人生筹备重新部署了,看到一篇文章说要点两次勾销就能够呈现上面的页面登陆框:搭建freeIPA服务器实现用户治理
输出用户名admin ,明码是docker-compose.yaml中设置的admin-password变量
不出意外输出可能会显示明码谬误.....日志也不打出新的...怎么破?
docker-compose.yaml中admin-password 变量尽量别加特殊符号貌似(登陆了后盾能够控制台批改明码!)
登陆控制台根本是如下页面:
用户 用户组集体关注的就这两个关键词。持续强迫症批改https证书:
批改freeipa https证书筹备
参照:https://computingforgeeks.com/secure-freeipa-server-with-lets-encrypt-ssl-certificate/文中是宿主机装置的形式,当然了docker中也是实用!
进入freeipa容器
docker exec -it freeipa_idc bash进入容器后,通过管理员用户身份获取 Kerberos 票据来确认它正在运行:
sudo kinit adminsudo klist
装置epel repo与certbot:
sudo yum install epel-releasesudo yum install certbot python3-certbot-apachecertbot --version应用 Let's Encrypt SSL 证书爱护 FreeIPA 服务器
首先备份以后的 FreeIPA 服务器私钥和证书,装置 git、vim 或 nano 文件编辑器(可选次要是git vim )
sudo cp -r /var/lib/ipa/certs{,.bak}sudo cp -r /var/lib/ipa/private{,.bak}sudo yum -y install vim nano git
应用手动办法应用 Let's Encrypt 爱护 FreeIPA 服务器:
创立证书目录:
sudo su -mkdir freeipa-certscd freeipa-certs
下载 Let's Encrypt CA 证书:
CERTS=("isrgrootx1.pem" "isrg-root-x2.pem" "lets-encrypt-r3.pem" "lets-encrypt-e1.pem" "lets-encrypt-r4.pem" "lets-encrypt-e2.pem")for CERT in "${CERTS[@]}"do curl -o $CERT "https://letsencrypt.org/certs/$CERT"done
将 Let's Encrypt CA 证书装置到 FreeIPA 证书存储中:
CERTS=("isrgrootx1.pem" "isrg-root-x2.pem" "lets-encrypt-r3.pem" "lets-encrypt-e1.pem" "lets-encrypt-r4.pem" "lets-encrypt-e2.pem")for CERT in "${CERTS[@]}"do ipa-cacert-manage install $CERTdone预期会呈现一下输入:
应用来自服务器的证书更新本地 IPA 证书数据库:
sudo ipa-certupdate
获取 Let's Encrypt 证书
进行 httpd 服务以开释获取证书所需的端口 80:
sudo systemctl stop httpd而后运行 Certbot 获取 Let's Encrypt 证书:
EMAIL="820042728@qq.com"DOMAIN="xxx.xxxx.com"sudo certbot certonly --standalone --preferred-challenges http --agree-tos -n -d $DOMAIN -m $EMAIL
您的证书应存储在 /etc/letsencrypt/live/xxx.xxx.com 目录中
[root@86ca990dc234 freeipa-certs]# ls /etc/letsencrypt/live/xxx.xxxx.com/README cert.pem chain.pem fullchain.pem privkey.pem确认生成所需的证书后启动 httpd 服务器:
sudo systemctl restart httpd增加 Let's Encrypt SSL 证书以在 FreeIPA Web UI 中应用:
DOMAIN="xxx.xxx.com" # Set correct IdM hostnamesudo ipa-server-certinstall -w -d /etc/letsencrypt/live/$DOMAIN/privkey.pem /etc/letsencrypt/live/$DOMAIN/cert.pem --pin=''
重启 FreeIPA 服务:
[root@86ca990dc234 freeipa-certs]# sudo ipactl restartRestarting Directory ServiceRestarting krb5kdc ServiceRestarting kadmin ServiceRestarting named ServiceRestarting httpd ServiceRestarting ipa-custodia ServiceRestarting pki-tomcatd ServiceRestarting ipa-otpd ServiceRestarting ipa-dnskeysyncd Serviceipa: INFO: The ipactl command was successfu能够从终端或网络浏览器确认以后应用的 SSL 证书。 应用 OpenSSL:
openssl s_client -showcerts -verify 5 -connect $(hostname -f):443
浏览器拜访:
应用 bash 脚本应用 Let's Encrypt 爱护 FreeIPA 服务器:
github 克隆官网 FreeIPA Let's Encrypt 治理脚本代码:
git clone https://github.com/freeipa/freeipa-letsencrypt.git
切换到freeipa-letsencrypt目录,编辑 renew-le.sh 脚本并设置 EMAIL 变量::
cd freeipa-letsencrypt$ vim renew-le.shEMAIL="820042728@qq.com"在 setup-le.sh 脚本中,FreeIPA 服务器 FQDN 设置为服务器的主机名(确保hostname -f命令将主机名作为 FQDN 返回:):
FQDN=$(hostname -f)hostname -f
运行 setup-le.sh 脚本:
sudo bash setup-le.sh该脚本将执行以下操作:
- 将 Let's Encrypt CA 证书装置到 FreeIPA 证书存储中
- 为 FreeIPA Web 界面申请新证书
会呈现一下提醒让输出pass:
Enter pass phrase for /var/lib/ipa/private/httpd.key:尝试了好屡次没有找到这个pass,最初参照:https://github.com/freeipa/freeipa-letsencrypt/issues/18。找到此pass:
cat /var/lib/ipa/passwds/xxx.xxxx.com-443-RSA
重启httpd服务,确认 ipa-certupdate 命令执行胜利:
sudo systemctl restart httpdsudo ipa-certupdate批改 Apache Web 服务器配置文件以设置 SSL 证书和密钥:
如果只对在浏览器页面上应用 Let's Encrypt SSL 感兴趣,您能够手动批改 ssl.conf 文件并设置以下指令(然而文章中说不举荐?):
$ sudo vim /etc/httpd/conf.d/ssl.confSSLCertificateFile /etc/letsencrypt/live/xxxx.xxxx.com/fullchain.pemSSLCertificateKeyFile /etc/letsencrypt/live/xxxx.xxxx.com/privkey.pem
重启httpd服务:
systemctl restart httpd更新 FreeIPA Let's Encrypt 证书:
每当续订 SSL 证书时,运行以下命令以在 FreeIPA 端更新:
DOMAIN="xxxx.xxxx.com" # Set correct IdM hostnamesudo ipa-server-certinstall -w -d /etc/letsencrypt/live/$DOMAIN/privkey.pem /etc/letsencrypt/live/$DOMAIN/cert.pem --pin=''依据须要输出目录管理员明码:
而后在装置证书后持续重启 FreeIPA 服务:
sudo ipactl restart跑了一遍流程了晓得怎么偷懒换成本人的证书了试一下:
腾讯云下载了nginx证书:
批改/etc/httpd/conf.d/ssl.conf对应地位:
SSLCertificateFile 对应上图pem文件,SSLCertificateKeyFile对应下面key文件(能够间接批改后缀!)
重启apache服务:
systemctl restart httpd胜利批改成本人的泛域名证书:
留神
对于证书还是主动生成应用 Let's Encrypt SSL 不要本人上传本人的证书,会呈现无奈登陆的问题:
[remote xxx.xxx.xxx.xxxx:3045] ipa: INFO: 401 Unauthorized: HTTPSConnectionPool(host='xxx.xxx.com', port=443): Max retries exceeded with url: /ipa/session/cookie (Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:897)'),))我过后呈现了web ui登陆的谬误:记一次FreeIPA WEBUI 登陆谬误 Login failed due to an unkno,根本也是这样的样子,前面将证书从新应用 Let's Encrypt SSL 生成后解决问题!