• CentOS7安装Puppet+GitLab+Bind

    添加Puppet官方源

    rpm -Uvh https://yum.puppetlabs.com/puppetlabs-release-el-7.noarch.rpm

    安装Puppet

    yum -y install puppet puppet-server facter

    安装配置GitLab依赖软件

    yum -y install curl policycoreutils openssh-server openssh-clients
systemctl enable sshd
systemctl start sshd
yum install postfix
systemctl enable postfix
systemctl start postfix
firewall-cmd --permanent --add-service=http
systemctl reload firewalld

    添加GitLab清华源

    #vi /etc/yum.repos.d/gitlab-ce.repo

    [gitlab-ce]
name=gitlab-ce
baseurl=http://mirrors.tuna.tsinghua.edu.cn/gitlab-ce/yum/el7
repo_gpgcheck=0
gpgcheck=0
enabled=1
gpgkey=https://packages.gitlab.com/gpg.key

    安装GitLab

    yum -y install gitlab-ce

    修改/etc/gitlab/gitlab.rb文件

    external_url "https://gitlab.example.com:2443"

    生成ssl证书

    openssl genrsa -des3 -out gitlab.example.com.key 1024
SUBJECT="/C=CN/ST=China/L=Shanghai/O=example.com/OU=example.com/CN=gitlab.example.com"
openssl req -new -subj $SUBJECT -key gitlab.example.com.key -out gitlab.example.com.csr
openssl rsa -in gitlab.example.com.key -out gitlab.example.com.key
openssl x509 -req -days 3650 -in gitlab.example.com.csr -signkey gitlab.example.com.key -out gitlab.example.com.crt

    将证书移动到/etc/gitlab/ssl目录下

    mkdir -p /etc/gitlab/ssl
mv gitlab.example.com.key gitlab.example.com.crt /etc/gitlab/ssl/

    如果8080端口被别的程序占用,还需要将unicorn端口修改成别的为占用端口

    unicorn['port'] = 8081

    配置启动GitLab

    gitlab-ctl reconfigure

    效果图:

    第一次登陆需要修改管理员密码,管理员帐号名为root

    安装Bind Chroot DNS服务器

    yum -y install bind-chroot bind

    拷贝bind相关文件,准备bind chroot 环境

    cp -R /usr/share/doc/bind-*/sample/var/named/* /var/named/chroot/var/named

    在bind chroot的目录中创建相关文件

    touch /var/named/chroot/var/named/data/cache_dump.db
touch /var/named/chroot/var/named/data/named_stats.txt
touch /var/named/chroot/var/named/data/named_mem_stats.txt
touch /var/named/chroot/var/named/data/named.run
mkdir /var/named/chroot/var/named/dynamic
touch /var/named/chroot/var/named/dynamic/managed-keys.bind

    将Bind锁定文件设置为可写,并将selinux标签改成named_cache_t

    chmod -R 777 /var/named/chroot/var/named/data
chmod -R 777 /var/named/chroot/var/named/dynamic
chcon -R -t named_cache_t /var/named/chroot/var/named/data
chcon -R -t named_cache_t /var/named/chroot/var/named/dynamic

    将/etc/named.conf拷贝到bind chroot目录

    cp -p /etc/named.conf /var/named/chroot/etc/named.conf

    在/etc/named.conf中对bind进行配置

    vi /var/named/chroot/etc/named.conf

    完全配置如下:

    //
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

options {
	listen-on port 53 { any; };
	listen-on-v6 port 53 { ::1; };
	directory 	"/var/named";
	dump-file 	"/var/named/data/cache_dump.db";
	statistics-file "/var/named/data/named_stats.txt";
	memstatistics-file "/var/named/data/named_mem_stats.txt";
	allow-query     { any; };

	/*
	 - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
	 - If you are building a RECURSIVE (caching) DNS server, you need to enable
	   recursion.
	 - If your recursive DNS server has a public IP address, you MUST enable access
	   control to limit queries to your legitimate users. Failing to do so will
	   cause your server to become part of large scale DNS amplification
	   attacks. Implementing BCP38 within your network would greatly
	   reduce such attack surface
	*/
	recursion yes;

	dnssec-enable yes;
	dnssec-validation yes;
        dnssec-lookaside auto;

	/* Path to ISC DLV key */
	bindkeys-file "/etc/named.iscdlv.key";

	managed-keys-directory "/var/named/dynamic";

	pid-file "/run/named/named.pid";
	session-keyfile "/run/named/session.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
	type hint;
	file "named.ca";
};

zone "example.com" {
    type master;
    file "example.com.zone";
};

zone "10.10.10.in-addr.arpa" IN {
    type master;
    file "10.10.10.zone";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

    为 example.com域名创建转发域与反向域文件

    a)创建转发域

    # vi /var/named/chroot/var/named/example.com.zone

    ;
;       Addresses and other host information.
;
$TTL 86400
@       IN      SOA     example.com. hostmaster.example.com. (
                               2014101901      ; Serial
                               43200      ; Refresh
                               3600       ; Retry
                               3600000    ; Expire
                               2592000 )  ; Minimum

;       Define the nameservers and the mail servers

               IN      NS      ns1.example.com.
               IN      A       10.10.10.20
               IN      MX      10 mx.example.com.

centos7          IN      A       10.10.10.20
mx               IN      A       10.10.10.20
ns1              IN      A       10.10.10.20
gitlab           IN      A       10.10.10.20

    b)创建反向域

    # vi /var/named/chroot/var/named/10.10.10.zone

    ;
;       Addresses and other host information.
;
$TTL 86400
@       IN      SOA     example.com. hostmaster.example.com. (
                               2014101901      ; Serial
                               43200      ; Refresh
                               3600       ; Retry
                               3600000    ; Expire
                               2592000 )  ; Minimum
 
10.10.10.in-addr.arpa. IN      NS      centos7.example.com.
 
20.10.10.10.in-addr.arpa. IN PTR mx.example.com.
20.10.10.10.in-addr.arpa. IN PTR ns1.example.com.
20.10.10.10.in-addr.arpa. IN PTR gitlab.example.com.

    停止并禁用named服务,启动bind-chroot服务并设置为自启动

    /usr/libexec/setup-named-chroot.sh /var/named/chroot on
systemctl stop named
systemctl disable named
systemctl start named-chroot
systemctl enable named-chroot
  • 相关阅读:
    Java获取输入
    [转载]Eclipse快捷键 10个最有用的快捷键
    运算符优先级
    Error:Cannot build artifact 'seckill:war' because it is included into a circular dependency (artifact 'seckill:war', artifact 'seckill:war exploded')
    spring boot 扫描不到controller情形一
    注解控制事物方法
    <转载>标签接口
    生成二维码(QRcode(for java version)生成二维码)
    Linux 常见命令
    【C#】File.WriteAllText 类的使用(实现自定义日志记录)
  • 原文地址:https://www.cnblogs.com/edward2013/p/5318019.html
Copyright © 2020-2023  润新知