Gravitational Teleport 可以作为堡垒机进行使用,为了测试方便使用docker-compose
运行一个all in one 的demo
备注: 官方提供的docker-compose 文件版太旧,而且复杂
环境准备
- docker-compose 文件
version: '2'
services:
one:
image: quay.io/gravitational/teleport:2.7.3
container_name: one
mem_limit: 300m
memswap_limit: 0
ports:
- "3080:3080"
- "3023:3023"
- "3025:3025"
- "3024:3024"
volumes:
- ./one.yaml:/etc/teleport/teleport.yaml
- ./data/one:/var/lib/teleport
- certs:/mnt/shared/certs
networks:
teleport:
ipv4_address: 172.10.1.1
aliases:
- one-lb
networks:
teleport:
driver: bridge
ipam:
driver: default
config:
- subnet: 172.10.1.0/16
ip_range: 172.10.1.0/24
gateway: 172.10.1.254
volumes:
certs:
- Teleport 配置文件
为了方便,关闭了2f,同时包好的node proxy auth 的role
teleport:
nodename: one
advertise_ip: 172.10.1.1
log:
output: /var/lib/teleport/teleport.log
severity: INFO
data_dir: /var/lib/teleport
storage:
path: /var/lib/teleport/backend
type: dir
auth_service:
enabled: yes
authentication:
type: local
second_factor: off
cluster_name: one
tokens:
- "node,auth,proxy:foo"
- "trustedcluster:bar"
ssh_service:
enabled: yes
labels:
cluster: one
commands:
- name: kernel
command: [/bin/uname, -r]
period: 5m
proxy_service:
enabled: yes
运行&&测试
- 启动
docker-compose up -d
- 添加用户
因为使用的local ,inside 容器
tctl users add root
Signup token has been created and is valid for 1 hours. Share this URL with the user:
https://one:3080/web/newuser/f14e192e8adc32a01d1f7ca945225ace
NOTE: Make sure one:3080 points at a Teleport proxy which users can access.
- 打开web 界面配置用户
open https://localhost:3080/web/newuser/f14e192e8adc32a01d1f7ca945225ace
- 效果
- 管理(web ssh)
说明
这个只是一个简单的all in one 的demo,实际上也可以管理k8s
参考资料
https://github.com/rongfengliang/teleport-docker-compose
https://gravitational.com/teleport/docs/quickstart/
https://gravitational.com/teleport/docs/admin-guide/#configuration
https://quay.io/repository/gravitational/teleport?tab=tags