未分类

How To Setup DNS Slave Auto Configuration Using Virtualmin/Webmin

实现步骤由于bind主从集群安装完成后，用webmin管理的话，在新创建主区域后，无法自动同步到从节点，现在找到解决办法了用Virtualmin去做主dns，去管理slave dns 在Post-Installation Wizard界面配置主从节点信息在server index里将从节点加入，用户名密码可以用webmin的主帐号 admin 在bind dns管理里在cluster slave servers里加入dns slave cluster改变的文件还是蛮多的：改变文件： /etc/webmin/virtual-server/config /etc/webmin/bind8/config /etc/webmin/servers/1592326172.serv /etc/named.rfc1912.zones /etc/named.conf 所以最好调cgi接口去做改动完了以后，就可以主从自动同步了其中修改完的virtual-server/config文件是这样的：

avail_mail=1
quotas=1
defnodbname=0
bccs=0
mail_system=0
clamscan_cmd=clamscan
sent_folder=Sent
bw_ftplog_rotated=1
avail_change-user=1
rs_endpoint=https://identity.api.rackspacecloud.com/v1.0
edit_quota=1
nopostfix_extra_user=0
show_mailuser=1
webmin=1
avail_webminlog=0
maillog_period=30
vpopmail_group=vchkpw
defmquota=51200
homes_dir=homes
postgres=0
dependent_mail=0
php_vars=+memory_limit=32M
nolink_certs=0
maillog_hide=0
reseller_template=none
rs_snet=0
dbfnorename=0
pbzip2=0
check_apache=0
backup_feature_logrotate=1
leave_acl=0
avail_phpini=1
spam_white=0
backup_feature_webalizer=1
secmx_nodns=0
newuser_to_mailbox=1
dir=3
remote_alias=1
virtual_skel=/etc/skel
groupsame=0
max_backups=3
mysql_chgrp=1
other_doms=0
show_sysinfo=2
auto_letsencrypt=0
defmongrelslimit=4
show_validation=0
gacl_root=${HOME}
edit_ftp=1
avail_mailboxes=1
delete_logs=0
show_uquotas=0
defforceunder=0
alias_types=1,2,5,6,7,8,9,10,11,12,13
spam_lock=0
postfix_ssl=1
spam_trap_black=0
avail_passwd=1
from_reseller=0
preload_mode=0
aliascopy=1
gzip_mysql=1
avail_filemin=1
show_nf=master,reseller,domain
vpopmail_user=vpopmail
vpopmail_owner=0
gacl_groups=${GROUP}
proxy_pass=0
other_users=0
show_lastlogin=0
display_max=
backup_feature_mysql=1
avail_file=1
vpopmail_maildir=mail
avail_bind8=1
collect_restart=0
default_procmail=0
tlsa_records=0
local_template=none
can_letsencrypt=0
dovecot_ssl=1
avail_webalizer=1
bw_backup=1
check_ports=1
defuquota=1048576
bind_sub=yes
mysql_mkdb=1
delete_indom=0
show_tabs=0
spamclear=none
newdom_aliases=postmaster=${EMAILTO}	webmaster=${EMAILTO}	abuse=${EMAILTO}	hostmaster=${EMAILTO}
clam_delivery=/dev/null
ftp_shell=/bin/false
avail_dns=1
usermin_switch=1
status=0
alias_mode=1
drafts_folder=Drafts
user_template=none
avail_mysql=1
shell=/dev/null
auto_redirect=0
show_ugroup=0
jailkit_root=/home/chroot
stats_noedit=1
domains_sort=sub
subdomain_template=none
unix=3
hard_quotas=1
ssl=0
logrotate=1
lookup_domain_serial=0
upload_tries=3
backup_feature_virtualmin=1
defujail=0
webalizer_nocron=0
update_template=default
generics=0
collect_noall=0
mysql=1
mysql_db=${PREFIX}
all_namevirtual=0
name_max=20
avail_postgres=1
hashpass=0
avail_custom=0
backup_onebyone=1
backup_feature_dir=1
show_features=0
disable_mail=0
web_admin=1
avail_updown=0
php_suexec=0
allow_upper=0
defquota=1048576
show_mailsize=0
home_backup=virtualmin-backup
avail_at=1
warnbw_template=default
key_size=2048
webmin_ssl=1
ldap=0
hashtypes=*
mysql_nouser=0
bw_maillog=auto
avail_cron=1
force_email=0
passwd_mode=0
bw_notify=24
usermin_ssl=1
apache_star=0
web_webmail=1
append_style=0
show_quotas=0
initsub_template=1
avail_shell=0
avail_proc=2
template_auto=1
name_mode=0
unix_shell=/bin/bash /bin/sh
edit_homes=0
backup_rotated=0
compression=0
web=0
bw_owner=1
logrotate_shared=yes
avail_telnet=1
iface=eth0
avail_web=1
collect_notemp=0
disable=unix,mail,web,dns,mysql,postgres,ftp
backup_feature_web=1
ip6enabled=0
ruby_suexec=-1
backuplog_days=7
output_command=0
dns_check=1
show_pass=1
stats_pass=1
mysql_nopass=0
apache_config=ServerName ${DOM}	ServerAlias www.${DOM}	ServerAlias mail.${DOM}	DocumentRoot ${HOME}/public_html	ErrorLog /var/log/virtualmin/${DOM}_error_log	CustomLog /var/log/virtualmin/${DOM}_access_log combined	ScriptAlias /cgi-bin/ ${HOME}/cgi-bin/	DirectoryIndex index.html index.htm index.php index.php4 index.php5	<Directory ${HOME}/public_html>	Options -Indexes +IncludesNOEXEC +SymLinksIfOwnerMatch 	allow from all	AllowOverride All	</Directory>	<Directory ${HOME}/cgi-bin>	allow from all	AllowOverride All	</Directory>
avail_htaccess-htpasswd=1
quota_commands=0
show_preview=2
dns=1
limitnoalias=0
bw_period=30
init_template=0
dns_prins=1
longname=0
proftpd_config=ServerName ${DOM}	<Anonymous ${HOME}/ftp>	User ftp	Group ftp	UserAlias anonymous ftp	<Limit WRITE>	DenyAll	</Limit>	RequireValidShell off	ExtendedLog ${HOME}/logs/ftp.log	</Anonymous>
mem_low=256
backup_feature_unix=1
capabilities=none
gacl_umode=1
jail_age=24
hide_alias=0
edit_afiles=1
trash_folder=Trash
plan_auto=1
backup_feature_dns=1
ldap_mail=0
post_check=1
domain_template=none
ldap_mailstore=$HOME/Maildir/
collect_interval=5
mx_validate=1
spam_client=spamassassin
nodeniedssh=1
cert_type=sha2
gacl_ugroups=${GROUP}
aws_cmd=aws
batch_create=1
vpopmail_dir=/home/vpopmail
index_cols=dom,user,owner,users,aliases
newupdate_to_mailbox=1
append=1
backup_feature_mail=1
backup_feature_ssl=1
webmin_theme=*
avail_spam=1
ldap_unix=1
ftp=0
spam=0
max_manual=0
ham_trap_white=0
reseller_unix=0
vpopmail_auto=/usr/local/bin/autorespond
ipfollow=0
mail=0
bw_template=default
backup_fmt=2
virus=0
pigz=0
statussslcert=1
avail_syslog=1
backup_feature_postgres=1
bw_nomailout=0
webalizer=0
max_all=1
delete_virts=0
dns_ip=*
virt6=1
virt=1
first_version=6.09
old_defip=172.20.47.59
old_defip6=fe80::487:3eff:fe00:aed
backup_feature_all=1
allow_subdoms=0
scriptlatest_enabled=1
allow_symlinks=0
allow_modphp=0
mysql_user_size=80
mysql_size=huge
stats_hdir=
domalias=
php_noedit=0
bind_dmarcruf=
disabled_web=
dnssec_alg=
othergroups=
logrotate_config=
statusemail=
html_dir=
defipfollow=
deftmpl_nousers=
php_ini_5.4=
dnssec=
php_ini_5.8=
web_sslport=443
php_ini_7.4=
mysql_conns=none
php_ini_7.9=
statustimeout=
tmpl_outlook_autoconfig=none
gacl_users=
php_ini_5.2=
namedconf=
bind_spfhosts=
ip_ranges6=
newuser_aliases=
phpver=
dns_view=
php_fpm=
php_ini_5.7=
web_urlport=
php_ini_5.9=
web_user=
web_urlsslport=
newdom_cc=
defsafeunder=
logrotate_files=
defaliasdomslimit=*
web_sslprotos=
web_admindom=
php_ini_7.1=
html_perms=750
statustmpl=
php_ini_7.3=
statusonly=0
defdomslimit=
phpchildren=
defmailboxlimit=
defcapabilities=none
bind_spfall=
tmpl_autoconfig=none
php_ini_7.8=
dns_ns=ns2.yyuap.com
apache_ssl_config=
default_exclude=
defresources=none
defaliaslimit=
domains_group=
dbgroup=
virtual_skel_subs=0
bccto=none
postgres_encoding=none
mysql_hosts=
mysql_wild=
namedconf_no_also_notify=
bind_dmarc=
php_ini_5=
def_webalizer=
web_ssi_suffix=
webmin_group=
bind_config=
spamtrap=none
php_ini_7.2=
defbwlimit=
bind_master=ns1.yyuap.com
mysql_charset=
php_ini_5.3=
extra_prefix=
php_ini_7.7=
defdbslimit=
web_ssi=2
bind_dmarcpct=100
namedconf_no_allow_transfer=
ftp_dir=
defushell=none
mysql_uconns=none
php_ini_7.6=
php_ini_5.6=
mailgroup=
web_writelogs=
web_webmaildom=
domalias_type=0
stats_dir=
web_port=80
ip_ranges=
bind_replace=
disabled_url=
defnorename=
featurelimits=none
mysql_collate=
bind_dmarcp=none
php_ini_7.0=
bind_dmarcextra=
php_ini_7.5=
mysql_suffix=
ftpgroup=
bind_spfincludes=
newdom_bcc=
virtual_skel_nosubs=
bind_indom=
defrealdomslimit=*
newdom_alias_bounce=0
bind_dmarcrua=
last_check=1592358795
php_ini_5.5=
bind_spf=
newdom_subject=虚拟服务器已创建
dns_ttl=
dns_records=
bind_mx=
dnssec_single=
defugroup=none
wizard_run=1
plugins_inactive=
plugins=
group_quotas=
mail_quotas=
home_quotas=

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

217

218

219

220

221

222

223

224

225

226

227

228

229

230

231

232

233

234

235

236

237

238

239

240

241

242

243

244

245

246

247

248

249

250

251

252

253

254

255

256

257

258

259

260

261

262

263

264

265

266

267

268

269

270

271

272

273

274

275

276

277

278

279

280

281

282

283

284

285

286

287

288

289

290

291

292

293

294

295

296

297

298

299

300

301

302

303

304

305

306

307

308

309

310

311

312

313

314

315

316

317

318

319

320

321

322

323

324

325

326

327

328

329

330

331

332

333

334

335

336

337

338

339

340

341

342

343

344

345

346

347

348

349

350

351

352

353

354

355

356

357

358

359

360

361

362

363

364

365

366

367

368

369

370

371

372

373

374

375

376

377

378

379

380

381

382

383

avail_mail=1

quotas=1

defnodbname=0

bccs=0

mail_system=0

clamscan_cmd=clamscan

sent_folder=Sent

bw_ftplog_rotated=1

avail_change-user=1

rs_endpoint=https://identity.api.rackspacecloud.com/v1.0

edit_quota=1

nopostfix_extra_user=0

show_mailuser=1

webmin=1

avail_webminlog=0

maillog_period=30

vpopmail_group=vchkpw

defmquota=51200

homes_dir=homes

postgres=0

dependent_mail=0

php_vars=+memory_limit=32M

nolink_certs=0

maillog_hide=0

reseller_template=none

rs_snet=0

dbfnorename=0

pbzip2=0

check_apache=0

backup_feature_logrotate=1

leave_acl=0

avail_phpini=1

spam_white=0

backup_feature_webalizer=1

secmx_nodns=0

newuser_to_mailbox=1

dir=3

remote_alias=1

virtual_skel=/etc/skel

groupsame=0

max_backups=3

mysql_chgrp=1

other_doms=0

show_sysinfo=2

auto_letsencrypt=0

defmongrelslimit=4

show_validation=0

gacl_root=${HOME}

edit_ftp=1

avail_mailboxes=1

delete_logs=0

show_uquotas=0

defforceunder=0

alias_types=1,2,5,6,7,8,9,10,11,12,13

spam_lock=0

postfix_ssl=1

spam_trap_black=0

avail_passwd=1

from_reseller=0

preload_mode=0

aliascopy=1

gzip_mysql=1

avail_filemin=1

show_nf=master,reseller,domain

vpopmail_user=vpopmail

vpopmail_owner=0

gacl_groups=${GROUP}

proxy_pass=0

other_users=0

show_lastlogin=0

display_max=

backup_feature_mysql=1

avail_file=1

vpopmail_maildir=mail

avail_bind8=1

collect_restart=0

default_procmail=0

tlsa_records=0

local_template=none

can_letsencrypt=0

dovecot_ssl=1

avail_webalizer=1

bw_backup=1

check_ports=1

defuquota=1048576

bind_sub=yes

mysql_mkdb=1

delete_indom=0

show_tabs=0

spamclear=none

newdom_aliases=postmaster=${EMAILTO} webmaster=${EMAILTO} abuse=${EMAILTO} hostmaster=${EMAILTO}

clam_delivery=/dev/null

ftp_shell=/bin/false

avail_dns=1

usermin_switch=1

status=0

alias_mode=1

drafts_folder=Drafts

user_template=none

avail_mysql=1

shell=/dev/null

auto_redirect=0

show_ugroup=0

jailkit_root=/home/chroot

stats_noedit=1

domains_sort=sub

subdomain_template=none

unix=3

hard_quotas=1

ssl=0

logrotate=1

lookup_domain_serial=0

upload_tries=3

backup_feature_virtualmin=1

defujail=0

webalizer_nocron=0

update_template=default

generics=0

collect_noall=0

mysql=1

mysql_db=${PREFIX}

all_namevirtual=0

name_max=20

avail_postgres=1

hashpass=0

avail_custom=0

backup_onebyone=1

backup_feature_dir=1

show_features=0

disable_mail=0

web_admin=1

avail_updown=0

php_suexec=0

allow_upper=0

defquota=1048576

show_mailsize=0

home_backup=virtualmin-backup

avail_at=1

warnbw_template=default

key_size=2048

webmin_ssl=1

ldap=0

hashtypes=*

mysql_nouser=0

bw_maillog=auto

avail_cron=1

force_email=0

passwd_mode=0

bw_notify=24

usermin_ssl=1

apache_star=0

web_webmail=1

append_style=0

show_quotas=0

initsub_template=1

avail_shell=0

avail_proc=2

template_auto=1

name_mode=0

unix_shell=/bin/bash /bin/sh

edit_homes=0

backup_rotated=0

compression=0

web=0

bw_owner=1

logrotate_shared=yes

avail_telnet=1

iface=eth0

avail_web=1

collect_notemp=0

disable=unix,mail,web,dns,mysql,postgres,ftp

backup_feature_web=1

ip6enabled=0

ruby_suexec=-1

backuplog_days=7

output_command=0

dns_check=1

show_pass=1

stats_pass=1

mysql_nopass=0

apache_config=ServerName ${DOM} ServerAlias www.${DOM} ServerAlias mail.${DOM} DocumentRoot ${HOME}/public_html ErrorLog /var/log/virtualmin/${DOM}_error_log CustomLog /var/log/virtualmin/${DOM}_access_log combined ScriptAlias /cgi-bin/ ${HOME}/cgi-bin/ DirectoryIndex index.html index.htm index.php index.php4 index.php5 <Directory ${HOME}/public_html> Options -Indexes +IncludesNOEXEC +SymLinksIfOwnerMatch allow from all AllowOverride All </Directory> <Directory ${HOME}/cgi-bin> allow from all AllowOverride All </Directory>

avail_htaccess-htpasswd=1

quota_commands=0

show_preview=2

dns=1

limitnoalias=0

bw_period=30

init_template=0

dns_prins=1

longname=0

proftpd_config=ServerName ${DOM} <Anonymous ${HOME}/ftp> User ftp Group ftp UserAlias anonymous ftp <Limit WRITE> DenyAll </Limit> RequireValidShell off ExtendedLog ${HOME}/logs/ftp.log </Anonymous>

mem_low=256

backup_feature_unix=1

capabilities=none

gacl_umode=1

jail_age=24

hide_alias=0

edit_afiles=1

trash_folder=Trash

plan_auto=1

backup_feature_dns=1

ldap_mail=0

post_check=1

domain_template=none

ldap_mailstore=$HOME/Maildir/

collect_interval=5

mx_validate=1

spam_client=spamassassin

nodeniedssh=1

cert_type=sha2

gacl_ugroups=${GROUP}

aws_cmd=aws

batch_create=1

vpopmail_dir=/home/vpopmail

index_cols=dom,user,owner,users,aliases

newupdate_to_mailbox=1

append=1

backup_feature_mail=1

backup_feature_ssl=1

webmin_theme=*

avail_spam=1

ldap_unix=1

ftp=0

spam=0

max_manual=0

ham_trap_white=0

reseller_unix=0

vpopmail_auto=/usr/local/bin/autorespond

ipfollow=0

mail=0

bw_template=default

backup_fmt=2

virus=0

pigz=0

statussslcert=1

avail_syslog=1

backup_feature_postgres=1

bw_nomailout=0

webalizer=0

max_all=1

delete_virts=0

dns_ip=*

virt6=1

virt=1

first_version=6.09

old_defip=172.20.47.59

old_defip6=fe80::487:3eff:fe00:aed

backup_feature_all=1

allow_subdoms=0

scriptlatest_enabled=1

allow_symlinks=0

allow_modphp=0

mysql_user_size=80

mysql_size=huge

stats_hdir=

domalias=

php_noedit=0

bind_dmarcruf=

disabled_web=

dnssec_alg=

othergroups=

logrotate_config=

statusemail=

html_dir=

defipfollow=

deftmpl_nousers=

php_ini_5.4=

dnssec=

php_ini_5.8=

web_sslport=443

php_ini_7.4=

mysql_conns=none

php_ini_7.9=

statustimeout=

tmpl_outlook_autoconfig=none

gacl_users=

php_ini_5.2=

namedconf=

bind_spfhosts=

ip_ranges6=

newuser_aliases=

phpver=

dns_view=

php_fpm=

php_ini_5.7=

web_urlport=

php_ini_5.9=

web_user=

web_urlsslport=

newdom_cc=

defsafeunder=

logrotate_files=

defaliasdomslimit=*

web_sslprotos=

web_admindom=

php_ini_7.1=

html_perms=750

statustmpl=

php_ini_7.3=

statusonly=0

defdomslimit=

phpchildren=

defmailboxlimit=

defcapabilities=none

bind_spfall=

tmpl_autoconfig=none

php_ini_7.8=

dns_ns=ns2.yyuap.com

apache_ssl_config=

default_exclude=

defresources=none

defaliaslimit=

domains_group=

dbgroup=

virtual_skel_subs=0

bccto=none

postgres_encoding=none

mysql_hosts=

mysql_wild=

namedconf_no_also_notify=

bind_dmarc=

php_ini_5=

def_webalizer=

web_ssi_suffix=

webmin_group=

bind_config=

spamtrap=none

php_ini_7.2=

defbwlimit=

bind_master=ns1.yyuap.com

mysql_charset=

php_ini_5.3=

extra_prefix=

php_ini_7.7=

defdbslimit=

web_ssi=2

bind_dmarcpct=100

namedconf_no_allow_transfer=

ftp_dir=

defushell=none

mysql_uconns=none

php_ini_7.6=

php_ini_5.6=

mailgroup=

web_writelogs=

web_webmaildom=

domalias_type=0

stats_dir=

web_port=80

ip_ranges=

bind_replace=

disabled_url=

defnorename=

featurelimits=none

mysql_collate=

bind_dmarcp=none

php_ini_7.0=

bind_dmarcextra=

php_ini_7.5=

mysql_suffix=

ftpgroup=

bind_spfincludes=

newdom_bcc=

virtual_skel_nosubs=

bind_indom=

defrealdomslimit=*

newdom_alias_bounce=0

bind_dmarcrua=

last_check=1592358795

php_ini_5.5=

bind_spf=

newdom_subject=虚拟服务器已创建

dns_ttl=

dns_records=

bind_mx=

dnssec_single=

defugroup=none

wizard_run=1

plugins_inactive=

plugins=

group_quotas=

mail_quotas=

home_quotas=

ansible-playbook实现 ansible-playbook是这样写的： bind.yml: 其中配置virtual server时，一开始本来想调用uri，但是发现步骤太多麻烦而不生效，后来就直接用模板来做了

---

- name: "create server id"
  shell: perl -e 'print (time()+int(rand(20)))'
  register: server_id
  with_items: 
    - "{{ groups['bind-dns'] }}"
  when: inventory_hostname in groups['bind-dns']

- set_fact:
    server_id: "{{ server_id['results'][0]['stdout']}}"
  when: inventory_hostname in groups['bind-dns']

- name: define paramiters for dns servers
  set_fact:
    server_id: "{{ server_id }}"
    prins: "ns1.{{ ns_domain }}"
    secns: "{{ secns|default([]) + ['ns' + (ansible_loop.index+1)|string + '.' + ns_domain] }}"
    old_defip: "{{ inventory_hostname }}"
  with_items: 
    - "{{ groups['bind-dns'] }}"
  loop_control:
    extended: yes
  when: inventory_hostname in groups['bind-dns']

- name: "add hosts into /etc/hosts for bind servers"
  lineinfile:
    dest: /etc/hosts
    regexp: '.*{{ item }}.*$'
    line: "{{ hostvars[item].inventory_hostname }} {{ hostvars[item].ansible_fqdn }} ns{{ ansible_loop.index }}.{{ ns_domain }}"
    state: present
  with_items: 
    - "{{ groups['bind-dns'] }}"
  loop_control:
    extended: yes
  when: inventory_hostname in groups['bind-dns']

- name: "login webmin to create a cookie"
  uri:
    url: http://127.0.0.1:20000/session_login.cgi
    method: POST
    body_format: form-urlencoded
    status_code: [301,302]
    body:
      user: admin
      pass: admin123
      enter: Sign in
    return_content: yes
    headers:
      Cookie: "testing=1"
  register: login
  run_once: true
  delegate_to: "{{ groups['bind-dns'][0] }}"


- name: config virtual-server
  template:
    src: virtual-server-config.j2
    dest: /etc/webmin/virtual-server/config
    mode: '0711'
  run_once: true
  delegate_to: "{{ groups['bind-dns'][0] }}"

- name: check and reload Virtualmin
  uri:
    url: http://127.0.0.1:20000/virtual-server/check.cgi?
    validate_certs: no
    method: GET
    #return_content: yes
    headers:
      Cookie: "{{ login.set_cookie }}"
    status_code: [200]
  run_once: true
  delegate_to: "{{ groups['bind-dns'][0] }}"

# - name: "config virtual-server step by step"
#   shell:
#     cmd: |
#       url='http://127.0.0.1:20000/virtual-server/wizard.cgi'
#       curl -H "Cookie: {{ login.set_cookie }}" $url?step=1&preload=0&parse=Next
#       curl -H "Cookie: {{ login.set_cookie }}" $url?step=2&mysql=0&postgres=0&parse=Next
#       curl -H "Cookie: {{ login.set_cookie }}" $url?step=3&prins={{ prins }}.&secns={{ secns }}.&prins_skip=1&parse=Next
#       curl -H "Cookie: {{ login.set_cookie }}" $url?step=4&hashpass=0&parse=Next
#       curl -H "Cookie: {{ login.set_cookie }}" $url?step=5&parse=Next
#   run_once: true
#   delegate_to: "{{ groups['bind-dns'][0] }}"
#   register: curl

# - name: config wizard
#   uri:
#     url: http://127.0.0.1:20000/virtual-server/wizard.cgi
#     validate_certs: no
#     method: POST
#     #return_content: yes
#     headers:
#       Cookie: "{{ login.set_cookie }}"
#     status_code: [200,301,302]
#     body_format: form-urlencoded
#     body:
#       mysql: 0
#       postgres: 0
#       preload: 0
#       lookup: 0
#       prins: "{{ prins }}"
#       prins_skip: 1
#       secns: "{{ secns }}"
#       hashpass: 0
#   run_once: true
#   delegate_to: "{{ groups['bind-dns'][0] }}"

# - name: modify virtual server plugin
#   uri:
#     url: http://127.0.0.1:20000/virtual-server/save_newfeatures.cgi
#     validate_certs: no
#     method: POST
#     #return_content: yes
#     headers:
#       Cookie: "{{ login.set_cookie }}"
#     status_code: [200,301,302]
#     body_format: form-urlencoded
#     body:
#       fmods: dns
#       factive: dns
#       save: '%E4%BF%9D%E5%AD%98'
#   run_once: true
#   delegate_to: "{{ groups['bind-dns'][0] }}"


# create server index
- name: "add servers to webmin cluster"
  shell:
    cmd: |
      cat > /etc/webmin/servers/{{ hostvars[item].server_id }}.serv << EOF
      pass=admin123
      ssl=0
      checkssl=
      port=20000
      host={{ item }}
      group=
      desc=
      user=admin
      id={{ hostvars[item].server_id }}
      type=centos
      fast=1
      EOF
  run_once: true
  delegate_to: "{{ groups['bind-dns'][0] }}"
  with_items: 
    - "{{ groups['bind-dns'][1:] }}"

- name: add dns slave servers to dns master server
  uri:
    url: http://127.0.0.1:20000/bind8/slave_add.cgi
    validate_certs: no
    method: POST
    #return_content: yes
    headers:
      Cookie: "{{ login.set_cookie }}"
    status_code: [200,301,302]
    body_format: form-urlencoded
    body:
      server: '{{ hostvars[item].server_id }}'
      view_def: 1
      view: ''
      sec: 1
      sync: 1
      name_def: 0
      name: "{{ secns[ansible_loop.index0] }}"
  run_once: true
  delegate_to: "{{ groups['bind-dns'][0] }}"
  with_items: 
    - "{{ groups['bind-dns'][1:] }}"
  loop_control:
    extended: yes

- name: "Setting the Master IP Address"
  lineinfile:
    dest: /etc/webmin/bind8/config
    regexp: '^this_ip.*$'
    line: "this_ip={{ groups['bind-dns'][0] }}"
    state: present
  run_once: true
  delegate_to: "{{ groups['bind-dns'][0] }}"

- name: Basic Setup of DNS server
  uri:
    url: http://127.0.0.1:20000/bind8/save_zonedef.cgi
    validate_certs: no
    method: POST
    #return_content: yes
    headers:
      Cookie: "{{ login.set_cookie }}"
    status_code: [200,301,302]
    body_format: form-urlencoded
    body:
      refresh: 10800
      refunit: ''
      retry: 3600
      retunit: ''
      expiry: 604800
      expunit:
      minimum: 38400
      minunit:
      name_0:
      type_0: A
      value_0_def: 1
      name_1:
      type_1: A
      value_1_def: 1
      include_def: 1
      email: 'iuap_admin@yonyou.com'
      prins_def: 0
      prins: '{{ prins }}'
      dnssec: 0
      alg: RSASHA1
      size_def: 1
      size: 
      single: 0
      allow-transfer_def: 0
      allow-transfer: acl1
      allow-query_def: 0
      allow-query: any
      also-notify_def: 1
      also-notify:
      master: ignore
      slave:
      response:
      notify:
  run_once: true
  delegate_to: "{{ groups['bind-dns'][0] }}"

- name: "add new user bind for manage dns"
  lineinfile:
    dest: /etc/webmin/miniserv.users
    line: "bind:$1$73641827$.K742ybaJY33hg1vQQlQL/::::::::0::::"
  run_once: true
  delegate_to: "{{item}}"
  loop: "{{ groups['bind-dns'] }}"

- name: "add user bind acl for manage dns"
  lineinfile:
    dest: /etc/webmin/webmin.acl
    line: "bind: bind8"
  run_once: true
  delegate_to: "{{item}}"
  loop: "{{ groups['bind-dns'] }}"

- name: "create bind.acl file"
  file:
    path: "/etc/webmin/bind.acl"
    state: touch
    mode: '0611'
  run_once: true
  delegate_to: "{{item}}"
  loop: "{{ groups['bind-dns'] }}"

- name: "add bind acl for user"
  shell:
    cmd: |
      cat > /etc/webmin/bind.acl << 'EOF'
      rpc=2
      nodot=0
      webminsearch=1
      uedit_mode=0
      gedit_mode=0
      feedback=2
      otherdirs=
      readonly=0
      fileunix=root
      uedit=
      negative=0
      root=/
      uedit2=
      gedit=
      gedit2=
      EOF
  run_once: true
  delegate_to: "{{item}}"
  loop: "{{ groups['bind-dns'] }}"

- name: "set language to zh_CN for user bind"
  lineinfile:
    dest: /etc/webmin/config
    line: 'lang_bind=zh_CN.UTF-8'
  run_once: true
  delegate_to: "{{item}}"
  loop: "{{ groups['bind-dns'] }}"

# add cron job for backup configure file
- name: define parameter for backup.pl
  set_fact:
    script_dir: "backup-config"
    script: "backup.pl"

- name: create backup script
  template:
    src: run_perl.j2
    dest: /etc/webmin/{{ script_dir }}/{{ script }}
    mode: '0755'
  run_once: true
  delegate_to: "{{item}}"
  loop: "{{ groups['bind-dns'] }}"

- name: "create cron jobs"
  shell:
    cmd: |
      cron_job_id=$(perl -e 'print time().$$')
      job_dir=/etc/webmin/{{ script_dir }}/backups
      backup_dir=/data/backup/bind
      mkdir -p $job_dir $backup_dir
      cat > $job_dir/${cron_job_id}.backup << EOF
      configfile=
      dest=/data/backup/bind/bind_config
      others=
      post=conf="$backup_dir/bind_config"; conf_time=\${conf}_\$(date +%F-%H-%M); [[ -f "\$conf" ]] && echo "move \$conf to \$conf_time" && mv \$conf \$conf_time
      pre=
      email=
      mins=0
      mods=bind8
      sched=1
      id=$cron_job_id
      hours=0
      days=*
      nofiles=
      emode=0
      weekdays=*
      months=*
      EOF
      grep -q "${cron_job_id}" /var/spool/cron/root || echo "0 0 * * * /etc/webmin/backup-config/backup.pl ${cron_job_id}" >> /var/spool/cron/root
  run_once: true
  delegate_to: "{{item}}"
  loop: "{{ groups['bind-dns'] }}"

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

217

218

219

220

221

222

223

224

225

226

227

228

229

230

231

232

233

234

235

236

237

238

239

240

241

242

243

244

245

246

247

248

249

250

251

252

253

254

255

256

257

258

259

260

261

262

263

264

265

266

267

268

269

270

271

272

273

274

275

276

277

278

279

280

281

282

283

284

285

286

287

288

289

290

291

292

293

294

295

296

297

298

299

300

301

302

303

304

305

306

307

308

309

310

311

312

313

314

315

316

317

318

319

320

321

322

323

324

325

326

327

328

329

330

331

332

---

- name: "create server id"

shell: perl -e 'print (time()+int(rand(20)))'

with_items:

- "{{ groups['bind-dns'] }}"

when: inventory_hostname in groups['bind-dns']

- set_fact:

server_id: "{{ server_id['results'][0]['stdout']}}"

when: inventory_hostname in groups['bind-dns']

- name: define paramiters for dns servers

set_fact:

server_id: "{{ server_id }}"

prins: "ns1.{{ ns_domain }}"

secns: "{{ secns|default([]) + ['ns' + (ansible_loop.index+1)|string + '.' + ns_domain] }}"

old_defip: "{{ inventory_hostname }}"

with_items:

- "{{ groups['bind-dns'] }}"

loop_control:

extended: yes

when: inventory_hostname in groups['bind-dns']

- name: "add hosts into /etc/hosts for bind servers"

lineinfile:

dest: /etc/hosts

regexp: '.*{{ item }}.*$'

line: "{{ hostvars[item].inventory_hostname }} {{ hostvars[item].ansible_fqdn }} ns{{ ansible_loop.index }}.{{ ns_domain }}"

state: present

with_items:

- "{{ groups['bind-dns'] }}"

loop_control:

extended: yes

when: inventory_hostname in groups['bind-dns']

- name: "login webmin to create a cookie"

uri:

url: http://127.0.0.1:20000/session_login.cgi

method: POST

body_format: form-urlencoded

status_code: [301,302]

body:

user: admin

pass: admin123

enter: Sign in

return_content: yes

headers:

Cookie: "testing=1"

run_once: true

delegate_to: "{{ groups['bind-dns'][0] }}"

- name: config virtual-server

template:

src: virtual-server-config.j2

dest: /etc/webmin/virtual-server/config

mode: '0711'

run_once: true

delegate_to: "{{ groups['bind-dns'][0] }}"

- name: check and reload Virtualmin

uri:

url: http://127.0.0.1:20000/virtual-server/check.cgi?

validate_certs: no

method: GET

#return_content: yes

headers:

Cookie: "{{ login.set_cookie }}"

status_code: [200]

run_once: true

delegate_to: "{{ groups['bind-dns'][0] }}"

# - name: "config virtual-server step by step"

# shell:

# cmd: |

# url='http://127.0.0.1:20000/virtual-server/wizard.cgi'

# curl -H "Cookie: {{ login.set_cookie }}" $url?step=1&preload=0&parse=Next

# curl -H "Cookie: {{ login.set_cookie }}" $url?step=2&mysql=0&postgres=0&parse=Next

# curl -H "Cookie: {{ login.set_cookie }}" $url?step=3&prins={{ prins }}.&secns={{ secns }}.&prins_skip=1&parse=Next

# curl -H "Cookie: {{ login.set_cookie }}" $url?step=4&hashpass=0&parse=Next

# curl -H "Cookie: {{ login.set_cookie }}" $url?step=5&parse=Next

# run_once: true

# delegate_to: "{{ groups['bind-dns'][0] }}"

# register: curl

# - name: config wizard

# uri:

# url: http://127.0.0.1:20000/virtual-server/wizard.cgi

# validate_certs: no

# method: POST

# #return_content: yes

# headers:

# Cookie: "{{ login.set_cookie }}"

# status_code: [200,301,302]

# body_format: form-urlencoded

# body:

# mysql: 0

# postgres: 0

# preload: 0

# lookup: 0

# prins: "{{ prins }}"

# prins_skip: 1

# secns: "{{ secns }}"

# hashpass: 0

# run_once: true

# delegate_to: "{{ groups['bind-dns'][0] }}"

# - name: modify virtual server plugin

# uri:

# url: http://127.0.0.1:20000/virtual-server/save_newfeatures.cgi

# validate_certs: no

# method: POST

# #return_content: yes

# headers:

# Cookie: "{{ login.set_cookie }}"

# status_code: [200,301,302]

# body_format: form-urlencoded

# body:

# fmods: dns

# factive: dns

# save: '%E4%BF%9D%E5%AD%98'

# run_once: true

# delegate_to: "{{ groups['bind-dns'][0] }}"

# create server index

- name: "add servers to webmin cluster"

shell:

cmd: |

cat > /etc/webmin/servers/{{ hostvars[item].server_id }}.serv << EOF

pass=admin123

ssl=0

checkssl=

port=20000

host={{ item }}

group=

desc=

user=admin

id={{ hostvars[item].server_id }}

type=centos

fast=1

EOF

run_once: true

delegate_to: "{{ groups['bind-dns'][0] }}"

with_items:

- "{{ groups['bind-dns'][1:] }}"

- name: add dns slave servers to dns master server

uri:

url: http://127.0.0.1:20000/bind8/slave_add.cgi

validate_certs: no

method: POST

#return_content: yes

headers:

Cookie: "{{ login.set_cookie }}"

status_code: [200,301,302]

body_format: form-urlencoded

body:

server: '{{ hostvars[item].server_id }}'

view_def: 1

view: ''

sec: 1

sync: 1

name_def: 0

run_once: true

delegate_to: "{{ groups['bind-dns'][0] }}"

with_items:

- "{{ groups['bind-dns'][1:] }}"

loop_control:

extended: yes

- name: "Setting the Master IP Address"

lineinfile:

dest: /etc/webmin/bind8/config

regexp: '^this_ip.*$'

line: "this_ip={{ groups['bind-dns'][0] }}"

state: present

run_once: true

delegate_to: "{{ groups['bind-dns'][0] }}"

- name: Basic Setup of DNS server

uri:

url: http://127.0.0.1:20000/bind8/save_zonedef.cgi

validate_certs: no

method: POST

#return_content: yes

headers:

Cookie: "{{ login.set_cookie }}"

status_code: [200,301,302]

body_format: form-urlencoded

body:

refresh: 10800

refunit: ''

retry: 3600

retunit: ''

expiry: 604800

expunit:

minimum: 38400

minunit:

name_0:

type_0: A

value_0_def: 1

name_1:

type_1: A

value_1_def: 1

include_def: 1

email: 'iuap_admin@yonyou.com'

prins_def: 0

prins: '{{ prins }}'

dnssec: 0

alg: RSASHA1

size_def: 1

size:

single: 0

allow-transfer_def: 0

allow-transfer: acl1

allow-query_def: 0

allow-query: any

also-notify_def: 1

also-notify:

master: ignore

slave:

response:

notify:

run_once: true

delegate_to: "{{ groups['bind-dns'][0] }}"

- name: "add new user bind for manage dns"

lineinfile:

dest: /etc/webmin/miniserv.users

line: "bind:$1$73641827$.K742ybaJY33hg1vQQlQL/::::::::0::::"

run_once: true

delegate_to: "{{item}}"

loop: "{{ groups['bind-dns'] }}"

- name: "add user bind acl for manage dns"

lineinfile:

dest: /etc/webmin/webmin.acl

line: "bind: bind8"

run_once: true

delegate_to: "{{item}}"

loop: "{{ groups['bind-dns'] }}"

- name: "create bind.acl file"

file:

path: "/etc/webmin/bind.acl"

state: touch

mode: '0611'

run_once: true

delegate_to: "{{item}}"

loop: "{{ groups['bind-dns'] }}"

- name: "add bind acl for user"

shell:

cmd: |

cat > /etc/webmin/bind.acl << 'EOF'

rpc=2

nodot=0

webminsearch=1

uedit_mode=0

gedit_mode=0

feedback=2

otherdirs=

readonly=0

fileunix=root

uedit=

negative=0

root=/

uedit2=

gedit=

gedit2=

EOF

run_once: true

delegate_to: "{{item}}"

loop: "{{ groups['bind-dns'] }}"

- name: "set language to zh_CN for user bind"

lineinfile:

dest: /etc/webmin/config

line: 'lang_bind=zh_CN.UTF-8'

run_once: true

delegate_to: "{{item}}"

loop: "{{ groups['bind-dns'] }}"

# add cron job for backup configure file

- name: define parameter for backup.pl

set_fact:

script_dir: "backup-config"

script: "backup.pl"

- name: create backup script

template:

src: run_perl.j2

dest: /etc/webmin/{{ script_dir }}/{{ script }}

mode: '0755'

run_once: true

delegate_to: "{{item}}"

loop: "{{ groups['bind-dns'] }}"

- name: "create cron jobs"

shell:

cmd: |

cron_job_id=$(perl -e 'print time().$$')

job_dir=/etc/webmin/{{ script_dir }}/backups

backup_dir=/data/backup/bind

mkdir -p $job_dir $backup_dir

cat > $job_dir/${cron_job_id}.backup << EOF

configfile=

dest=/data/backup/bind/bind_config

others=

post=conf="$backup_dir/bind_config"; conf_time=\${conf}_\$(date +%F-%H-%M); [[ -f "\$conf" ]] && echo "move \$conf to \$conf_time" && mv \$conf \$conf_time

pre=

email=

mins=0

mods=bind8

sched=1

id=$cron_job_id

hours=0

days=*

nofiles=

emode=0

weekdays=*

months=*

EOF

grep -q "${cron_job_id}" /var/spool/cron/root || echo "0 0 * * * /etc/webmin/backup-config/backup.pl ${cron_job_id}" >> /var/spool/cron/root

run_once: true

delegate_to: "{{item}}"

loop: "{{ groups['bind-dns'] }}"

templates/virtual-server-config.j2模板:

avail_mail=1
quotas=1
defnodbname=0
bccs=0
mail_system=0
clamscan_cmd=clamscan
sent_folder=Sent
bw_ftplog_rotated=1
avail_change-user=1
rs_endpoint=https://identity.api.rackspacecloud.com/v1.0
edit_quota=1
nopostfix_extra_user=0
show_mailuser=1
webmin=1
avail_webminlog=0
maillog_period=30
vpopmail_group=vchkpw
defmquota=51200
homes_dir=homes
postgres=0
dependent_mail=0
php_vars=+memory_limit=32M
nolink_certs=0
maillog_hide=0
reseller_template=none
rs_snet=0
dbfnorename=0
pbzip2=0
check_apache=0
backup_feature_logrotate=1
leave_acl=0
avail_phpini=1
spam_white=0
backup_feature_webalizer=1
secmx_nodns=0
newuser_to_mailbox=1
dir=3
remote_alias=1
virtual_skel=/etc/skel
groupsame=0
max_backups=3
mysql_chgrp=1
other_doms=0
show_sysinfo=2
auto_letsencrypt=0
defmongrelslimit=4
show_validation=0
gacl_root=${HOME}
edit_ftp=1
avail_mailboxes=1
delete_logs=0
show_uquotas=0
defforceunder=0
alias_types=1,2,5,6,7,8,9,10,11,12,13
spam_lock=0
postfix_ssl=1
spam_trap_black=0
avail_passwd=1
from_reseller=0
preload_mode=0
aliascopy=1
gzip_mysql=1
avail_filemin=1
show_nf=master,reseller,domain
vpopmail_user=vpopmail
vpopmail_owner=0
gacl_groups=${GROUP}
proxy_pass=0
other_users=0
show_lastlogin=0
display_max=
backup_feature_mysql=1
avail_file=1
vpopmail_maildir=mail
avail_bind8=1
collect_restart=0
default_procmail=0
tlsa_records=0
local_template=none
can_letsencrypt=0
dovecot_ssl=1
avail_webalizer=1
bw_backup=1
check_ports=1
defuquota=1048576
bind_sub=yes
mysql_mkdb=1
delete_indom=0
show_tabs=0
spamclear=none
newdom_aliases=postmaster=${EMAILTO}	webmaster=${EMAILTO}	abuse=${EMAILTO}	hostmaster=${EMAILTO}
clam_delivery=/dev/null
ftp_shell=/bin/false
avail_dns=1
usermin_switch=1
status=0
alias_mode=1
drafts_folder=Drafts
user_template=none
avail_mysql=1
shell=/dev/null
auto_redirect=0
show_ugroup=0
jailkit_root=/home/chroot
stats_noedit=1
domains_sort=sub
subdomain_template=none
unix=3
hard_quotas=1
ssl=0
logrotate=1
lookup_domain_serial=0
upload_tries=3
backup_feature_virtualmin=1
defujail=0
webalizer_nocron=0
update_template=default
generics=0
collect_noall=0
mysql=1
mysql_db=${PREFIX}
all_namevirtual=0
name_max=20
avail_postgres=1
hashpass=0
avail_custom=0
backup_onebyone=1
backup_feature_dir=1
show_features=0
disable_mail=0
web_admin=1
avail_updown=0
php_suexec=0
allow_upper=0
defquota=1048576
show_mailsize=0
home_backup=virtualmin-backup
avail_at=1
warnbw_template=default
key_size=2048
webmin_ssl=1
ldap=0
hashtypes=*
mysql_nouser=0
bw_maillog=auto
avail_cron=1
force_email=0
passwd_mode=0
bw_notify=24
usermin_ssl=1
apache_star=0
web_webmail=1
append_style=0
show_quotas=0
initsub_template=1
avail_shell=0
avail_proc=2
template_auto=1
name_mode=0
unix_shell=/bin/bash /bin/sh
edit_homes=0
backup_rotated=0
compression=0
web=0
bw_owner=1
logrotate_shared=yes
avail_telnet=1
iface=eth0
avail_web=1
collect_notemp=0
disable=unix,mail,web,dns,mysql,postgres,ftp
backup_feature_web=1
ip6enabled=0
ruby_suexec=-1
backuplog_days=7
output_command=0
dns_check=1
show_pass=1
stats_pass=1
mysql_nopass=0
apache_config=ServerName ${DOM}	ServerAlias www.${DOM}	ServerAlias mail.${DOM}	DocumentRoot ${HOME}/public_html	ErrorLog /var/log/virtualmin/${DOM}_error_log	CustomLog /var/log/virtualmin/${DOM}_access_log combined	ScriptAlias /cgi-bin/ ${HOME}/cgi-bin/	DirectoryIndex index.html index.htm index.php index.php4 index.php5	<Directory ${HOME}/public_html>	Options -Indexes +IncludesNOEXEC +SymLinksIfOwnerMatch 	allow from all	AllowOverride All	</Directory>	<Directory ${HOME}/cgi-bin>	allow from all	AllowOverride All	</Directory>
avail_htaccess-htpasswd=1
quota_commands=0
show_preview=2
dns=1
limitnoalias=0
bw_period=30
init_template=0
dns_prins=1
longname=0
proftpd_config=ServerName ${DOM}	<Anonymous ${HOME}/ftp>	User ftp	Group ftp	UserAlias anonymous ftp	<Limit WRITE>	DenyAll	</Limit>	RequireValidShell off	ExtendedLog ${HOME}/logs/ftp.log	</Anonymous>
mem_low=256
backup_feature_unix=1
capabilities=none
gacl_umode=1
jail_age=24
hide_alias=0
edit_afiles=1
trash_folder=Trash
plan_auto=1
backup_feature_dns=1
ldap_mail=0
post_check=1
domain_template=none
ldap_mailstore=$HOME/Maildir/
collect_interval=5
mx_validate=1
spam_client=spamassassin
nodeniedssh=1
cert_type=sha2
gacl_ugroups=${GROUP}
aws_cmd=aws
batch_create=1
vpopmail_dir=/home/vpopmail
index_cols=dom,user,owner,users,aliases
newupdate_to_mailbox=1
append=1
backup_feature_mail=1
backup_feature_ssl=1
webmin_theme=*
avail_spam=1
ldap_unix=1
ftp=0
spam=0
max_manual=0
ham_trap_white=0
reseller_unix=0
vpopmail_auto=/usr/local/bin/autorespond
ipfollow=0
mail=0
bw_template=default
backup_fmt=2
virus=0
pigz=0
statussslcert=1
avail_syslog=1
backup_feature_postgres=1
bw_nomailout=0
webalizer=0
max_all=1
delete_virts=0
dns_ip=*
virt6=1
virt=1
first_version=6.09
old_defip={{ old_defip }}
old_defip6=
backup_feature_all=1
allow_subdoms=0
scriptlatest_enabled=1
allow_symlinks=0
allow_modphp=0
mysql_user_size=80
mysql_size=huge
stats_hdir=
domalias=
php_noedit=0
bind_dmarcruf=
disabled_web=
dnssec_alg=
othergroups=
logrotate_config=
statusemail=
html_dir=
defipfollow=
deftmpl_nousers=
php_ini_5.4=
dnssec=
php_ini_5.8=
web_sslport=443
php_ini_7.4=
mysql_conns=none
php_ini_7.9=
statustimeout=
tmpl_outlook_autoconfig=none
gacl_users=
php_ini_5.2=
namedconf=
bind_spfhosts=
ip_ranges6=
newuser_aliases=
phpver=
dns_view=
php_fpm=
php_ini_5.7=
web_urlport=
php_ini_5.9=
web_user=
web_urlsslport=
newdom_cc=
defsafeunder=
logrotate_files=
defaliasdomslimit=*
web_sslprotos=
web_admindom=
php_ini_7.1=
html_perms=750
statustmpl=
php_ini_7.3=
statusonly=0
defdomslimit=
phpchildren=
defmailboxlimit=
defcapabilities=none
bind_spfall=
tmpl_autoconfig=none
php_ini_7.8=
dns_ns={% for s in secns %}{{ s }}. 
{% endfor %}
apache_ssl_config=
default_exclude=
defresources=none
defaliaslimit=
domains_group=
dbgroup=
virtual_skel_subs=0
bccto=none
postgres_encoding=none
mysql_hosts=
mysql_wild=
namedconf_no_also_notify=
bind_dmarc=
php_ini_5=
def_webalizer=
web_ssi_suffix=
webmin_group=
bind_config=
spamtrap=none
php_ini_7.2=
defbwlimit=
bind_master={{ prins }}
mysql_charset=
php_ini_5.3=
extra_prefix=
php_ini_7.7=
defdbslimit=
web_ssi=2
bind_dmarcpct=100
namedconf_no_allow_transfer=
ftp_dir=
defushell=none
mysql_uconns=none
php_ini_7.6=
php_ini_5.6=
mailgroup=
web_writelogs=
web_webmaildom=
domalias_type=0
stats_dir=
web_port=80
ip_ranges=
bind_replace=
disabled_url=
defnorename=
featurelimits=none
mysql_collate=
bind_dmarcp=none
php_ini_7.0=
bind_dmarcextra=
php_ini_7.5=
mysql_suffix=
ftpgroup=
bind_spfincludes=
newdom_bcc=
virtual_skel_nosubs=
bind_indom=
defrealdomslimit=*
newdom_alias_bounce=0
bind_dmarcrua=
last_check=1592358795
php_ini_5.5=
bind_spf=
newdom_subject=虚拟服务器已创建
dns_ttl=
dns_records=
bind_mx=
dnssec_single=
defugroup=none
wizard_run=1
plugins_inactive=
plugins=
group_quotas=
mail_quotas=
home_quotas=

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

217

218

219

220

221

222

223

224

225

226

227

228

229

230

231

232

233

234

235

236

237

238

239

240

241

242

243

244

245

246

247

248

249

250

251

252

253

254

255

256

257

258

259

260

261

262

263

264

265

266

267

268

269

270

271

272

273

274

275

276

277

278

279

280

281

282

283

284

285

286

287

288

289

290

291

292

293

294

295

296

297

298

299

300

301

302

303

304

305

306

307

308

309

310

311

312

313

314

315

316

317

318

319

320

321

322

323

324

325

326

327

328

329

330

331

332

333

334

335

336

337

338

339

340

341

342

343

344

345

346

347

348

349

350

351

352

353

354

355

356

357

358

359

360

361

362

363

364

365

366

367

368

369

370

371

372

373

374

375

376

377

378

379

380

381

382

383

384

avail_mail=1

quotas=1

defnodbname=0

bccs=0

mail_system=0

clamscan_cmd=clamscan

sent_folder=Sent

bw_ftplog_rotated=1

avail_change-user=1

rs_endpoint=https://identity.api.rackspacecloud.com/v1.0

edit_quota=1

nopostfix_extra_user=0

show_mailuser=1

webmin=1

avail_webminlog=0

maillog_period=30

vpopmail_group=vchkpw

defmquota=51200

homes_dir=homes

postgres=0

dependent_mail=0

php_vars=+memory_limit=32M

nolink_certs=0

maillog_hide=0

reseller_template=none

rs_snet=0

dbfnorename=0

pbzip2=0

check_apache=0

backup_feature_logrotate=1

leave_acl=0

avail_phpini=1

spam_white=0

backup_feature_webalizer=1

secmx_nodns=0

newuser_to_mailbox=1

dir=3

remote_alias=1

virtual_skel=/etc/skel

groupsame=0

max_backups=3

mysql_chgrp=1

other_doms=0

show_sysinfo=2

auto_letsencrypt=0

defmongrelslimit=4

show_validation=0

gacl_root=${HOME}

edit_ftp=1

avail_mailboxes=1

delete_logs=0

show_uquotas=0

defforceunder=0

alias_types=1,2,5,6,7,8,9,10,11,12,13

spam_lock=0

postfix_ssl=1

spam_trap_black=0

avail_passwd=1

from_reseller=0

preload_mode=0

aliascopy=1

gzip_mysql=1

avail_filemin=1

show_nf=master,reseller,domain

vpopmail_user=vpopmail

vpopmail_owner=0

gacl_groups=${GROUP}

proxy_pass=0

other_users=0

show_lastlogin=0

display_max=

backup_feature_mysql=1

avail_file=1

vpopmail_maildir=mail

avail_bind8=1

collect_restart=0

default_procmail=0

tlsa_records=0

local_template=none

can_letsencrypt=0

dovecot_ssl=1

avail_webalizer=1

bw_backup=1

check_ports=1

defuquota=1048576

bind_sub=yes

mysql_mkdb=1

delete_indom=0

show_tabs=0

spamclear=none

newdom_aliases=postmaster=${EMAILTO} webmaster=${EMAILTO} abuse=${EMAILTO} hostmaster=${EMAILTO}

clam_delivery=/dev/null

ftp_shell=/bin/false

avail_dns=1

usermin_switch=1

status=0

alias_mode=1

drafts_folder=Drafts

user_template=none

avail_mysql=1

shell=/dev/null

auto_redirect=0

show_ugroup=0

jailkit_root=/home/chroot

stats_noedit=1

domains_sort=sub

subdomain_template=none

unix=3

hard_quotas=1

ssl=0

logrotate=1

lookup_domain_serial=0

upload_tries=3

backup_feature_virtualmin=1

defujail=0

webalizer_nocron=0

update_template=default

generics=0

collect_noall=0

mysql=1

mysql_db=${PREFIX}

all_namevirtual=0

name_max=20

avail_postgres=1

hashpass=0

avail_custom=0

backup_onebyone=1

backup_feature_dir=1

show_features=0

disable_mail=0

web_admin=1

avail_updown=0

php_suexec=0

allow_upper=0

defquota=1048576

show_mailsize=0

home_backup=virtualmin-backup

avail_at=1

warnbw_template=default

key_size=2048

webmin_ssl=1

ldap=0

hashtypes=*

mysql_nouser=0

bw_maillog=auto

avail_cron=1

force_email=0

passwd_mode=0

bw_notify=24

usermin_ssl=1

apache_star=0

web_webmail=1

append_style=0

show_quotas=0

initsub_template=1

avail_shell=0

avail_proc=2

template_auto=1

name_mode=0

unix_shell=/bin/bash /bin/sh

edit_homes=0

backup_rotated=0

compression=0

web=0

bw_owner=1

logrotate_shared=yes

avail_telnet=1

iface=eth0

avail_web=1

collect_notemp=0

disable=unix,mail,web,dns,mysql,postgres,ftp

backup_feature_web=1

ip6enabled=0

ruby_suexec=-1

backuplog_days=7

output_command=0

dns_check=1

show_pass=1

stats_pass=1

mysql_nopass=0

avail_htaccess-htpasswd=1

quota_commands=0

show_preview=2

dns=1

limitnoalias=0

bw_period=30

init_template=0

dns_prins=1

longname=0

proftpd_config=ServerName ${DOM} <Anonymous ${HOME}/ftp> User ftp Group ftp UserAlias anonymous ftp <Limit WRITE> DenyAll </Limit> RequireValidShell off ExtendedLog ${HOME}/logs/ftp.log </Anonymous>

mem_low=256

backup_feature_unix=1

capabilities=none

gacl_umode=1

jail_age=24

hide_alias=0

edit_afiles=1

trash_folder=Trash

plan_auto=1

backup_feature_dns=1

ldap_mail=0

post_check=1

domain_template=none

ldap_mailstore=$HOME/Maildir/

collect_interval=5

mx_validate=1

spam_client=spamassassin

nodeniedssh=1

cert_type=sha2

gacl_ugroups=${GROUP}

aws_cmd=aws

batch_create=1

vpopmail_dir=/home/vpopmail

index_cols=dom,user,owner,users,aliases

newupdate_to_mailbox=1

append=1

backup_feature_mail=1

backup_feature_ssl=1

webmin_theme=*

avail_spam=1

ldap_unix=1

ftp=0

spam=0

max_manual=0

ham_trap_white=0

reseller_unix=0

vpopmail_auto=/usr/local/bin/autorespond

ipfollow=0

mail=0

bw_template=default

backup_fmt=2

virus=0

pigz=0

statussslcert=1

avail_syslog=1

backup_feature_postgres=1

bw_nomailout=0

webalizer=0

max_all=1

delete_virts=0

dns_ip=*

virt6=1

virt=1

first_version=6.09

old_defip={{ old_defip }}

old_defip6=

backup_feature_all=1

allow_subdoms=0

scriptlatest_enabled=1

allow_symlinks=0

allow_modphp=0

mysql_user_size=80

mysql_size=huge

stats_hdir=

domalias=

php_noedit=0

bind_dmarcruf=

disabled_web=

dnssec_alg=

othergroups=

logrotate_config=

statusemail=

html_dir=

defipfollow=

deftmpl_nousers=

php_ini_5.4=

dnssec=

php_ini_5.8=

web_sslport=443

php_ini_7.4=

mysql_conns=none

php_ini_7.9=

statustimeout=

tmpl_outlook_autoconfig=none

gacl_users=

php_ini_5.2=

namedconf=

bind_spfhosts=

ip_ranges6=

newuser_aliases=

phpver=

dns_view=

php_fpm=

php_ini_5.7=

web_urlport=

php_ini_5.9=

web_user=

web_urlsslport=

newdom_cc=

defsafeunder=

logrotate_files=

defaliasdomslimit=*

web_sslprotos=

web_admindom=

php_ini_7.1=

html_perms=750

statustmpl=

php_ini_7.3=

statusonly=0

defdomslimit=

phpchildren=

defmailboxlimit=

defcapabilities=none

bind_spfall=

tmpl_autoconfig=none

php_ini_7.8=

dns_ns={% for s in secns %}{{ s }}.

{% endfor %}

apache_ssl_config=

default_exclude=

defresources=none

defaliaslimit=

domains_group=

dbgroup=

virtual_skel_subs=0

bccto=none

postgres_encoding=none

mysql_hosts=

mysql_wild=

namedconf_no_also_notify=

bind_dmarc=

php_ini_5=

def_webalizer=

web_ssi_suffix=

webmin_group=

bind_config=

spamtrap=none

php_ini_7.2=

defbwlimit=

bind_master={{ prins }}

mysql_charset=

php_ini_5.3=

extra_prefix=

php_ini_7.7=

defdbslimit=

web_ssi=2

bind_dmarcpct=100

namedconf_no_allow_transfer=

ftp_dir=

defushell=none

mysql_uconns=none

php_ini_7.6=

php_ini_5.6=

mailgroup=

web_writelogs=

web_webmaildom=

domalias_type=0

stats_dir=

web_port=80

ip_ranges=

bind_replace=

disabled_url=

defnorename=

featurelimits=none

mysql_collate=

bind_dmarcp=none

php_ini_7.0=

bind_dmarcextra=

php_ini_7.5=

mysql_suffix=

ftpgroup=

bind_spfincludes=

newdom_bcc=

virtual_skel_nosubs=

bind_indom=

defrealdomslimit=*

newdom_alias_bounce=0

bind_dmarcrua=

last_check=1592358795

php_ini_5.5=

bind_spf=

newdom_subject=虚拟服务器已创建

dns_ttl=

dns_records=

bind_mx=

dnssec_single=

defugroup=none

wizard_run=1

plugins_inactive=

plugins=

group_quotas=

mail_quotas=

home_quotas=

defaults/main.yml

---
# defaults file for webmin
webmin_version: 1.941
virtualmin_version: 6.09.gpl
webmin_dir: /etc/webmin
uninstall_webmin: false
upgrade_webmin: false
webmin_packages:
  - perl
  - perl-libwww-perl
  - perl-DBI
  - perl-DBD-MySQL
  - perl-GD
  - perl-HTML-Parser
  - perl-devel
  - openssl
  - perl-Encode-Detect
  - perl-Net-SSLeay
  - perl-Socket6
  - perl-IO-Socket-INET6

mysql_database: 
ns_domain: yyuap.com

---

# defaults file for webmin

webmin_version: 1.941

virtualmin_version: 6.09.gpl

webmin_dir: /etc/webmin

uninstall_webmin: false

upgrade_webmin: false

webmin_packages:

- perl

- perl-libwww-perl

- perl-DBI

- perl-DBD-MySQL

- perl-GD

- perl-HTML-Parser

- perl-devel

- openssl

- perl-Encode-Detect

- perl-Net-SSLeay

- perl-Socket6

- perl-IO-Socket-INET6

mysql_database:

ns_domain: yyuap.com

参考以下文章： Introduction This tutorial will Read more…

By sean, 5 years06/17/2020 ago

未分类

创建虚拟环境: Ansible, Python3, and Virtualenvs on CentOS and RHEL and MacOS

要为ansible运行创建一个最新的虚拟环境, 以下是步骤: 下载最新的python3.8.3安装包:

wget https://www.python.org/ftp/python/3.9.0/Python-3.9.0.tgz

1	wget https://www.python.org/ftp/python/3.9.0/Python-3.9.0.tgz

解压:

xz -d Python-3.9.0.tar.xz && tar xvf Python-3.9.0.tar

1	xz -d Python-3.9.0.tar.xz && tar xvf Python-3.9.0.tar

创建虚拟环境目录: mkdir /root/.python_env 编译安装python

cd Python-3.9.0/
./configure --prefix=/root/.python_env && make && make install

1 2	cd Python-3.9.0/ ./configure --prefix=/root/.python_env && make && make install

配置一下pip国内源, 以增加安装速度

cat > $HOME/.config/pip/pip.conf << EOF
[global]
index-url = http://mirrors.aliyun.com/pypi/simple/
trusted-host = mirrors.aliyun.com
#proxy=http://xxx.xxx.xxx.xxx:8080 # 替换出自己的代理地址，格式为[user:passwd@]proxy.server:port

[install]
trusted-host=mirrors.aliyun.com
EOF

cat > $HOME/.config/pip/pip.conf << EOF

[global]

index-url = http://mirrors.aliyun.com/pypi/simple/

trusted-host = mirrors.aliyun.com

#proxy=http://xxx.xxx.xxx.xxx:8080 # 替换出自己的代理地址，格式为[user:passwd@]proxy.server:port

[install]

trusted-host=mirrors.aliyun.com

EOF

安装virtualenvwrapper

cd .python_env/bin/
ln -s python3 python
ln -s pip3 pip
./pip install virtualenvwrapper

cd .python_env/bin/

ln -s python3 python

ln -s pip3 pip

./pip install virtualenvwrapper

安装过程中报错: ImportError: No module named ‘_ctypes’, 解决方法是(参考https://stackoverflow.com/questions/27022373/python3-importerror-no-module-named-ctypes-when-using-value-from-module-mul):

sudo yum -y install gcc gcc-c++ 
sudo yum -y install zlib zlib-devel
sudo yum -y install libffi-devel

sudo yum -y install gcc gcc-c++

sudo yum -y install zlib zlib-devel

sudo yum -y install libffi-devel

然后重新编译安装python3 定义环境变量

cat >> /root/.bashrc << EOF
# virtualenv
#export PIP_REQUIRE_VIRTUALENV=true #pip安装东西的时候不安装到本地环境
#export PIP_RESPECT_VIRTUALENV=true #在执行pip的时候让系统自动开启虚拟环境
# virtualenv
export WORKON_HOME=/root/.python_env/.virtualenvs
export VIRTUALENVWRAPPER_PYTHON=/root/.python_env/bin/python
export PIP_VIRTUALENV_BASE=$WORKON_HOME
export VIRTUALENV_USE_DISTRIBUTE=1
export PATH="$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin:/root/.python_env/bin"
export VIRTUALENVWRAPPER_VIRTUALENV=/root/.python_env/bin/virtualenv
#export VIRTUALENVWRAPPER_VIRTUALENV=$(which virtualenv)
source $(which virtualenvwrapper.sh)
EOF

cat >> /root/.bashrc << EOF

# virtualenv

#export PIP_REQUIRE_VIRTUALENV=true #pip安装东西的时候不安装到本地环境

#export PIP_RESPECT_VIRTUALENV=true #在执行pip的时候让系统自动开启虚拟环境

# virtualenv

export WORKON_HOME=/root/.python_env/.virtualenvs

export VIRTUALENVWRAPPER_PYTHON=/root/.python_env/bin/python

export PIP_VIRTUALENV_BASE=$WORKON_HOME

export VIRTUALENV_USE_DISTRIBUTE=1

export PATH="$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin:/root/.python_env/bin"

export VIRTUALENVWRAPPER_VIRTUALENV=/root/.python_env/bin/virtualenv

#export VIRTUALENVWRAPPER_VIRTUALENV=$(which virtualenv)

source $(which virtualenvwrapper.sh)

EOF

创建ansible虚拟环境：

mkvirtualenv ansible

1	mkvirtualenv ansible

The prompt change tells us we’ve successfully made, and activated, our first python 3 virtualenv. Validate it is configured as Read more…

By sean, 5 years06/15/2020 ago

未分类

ansible sysctl模块使用

修改系统内核参数,可以使用ansible sysctl模块来做批量修改:

- hosts: test
  gather_facts: false
  vars:
    pana_sys_ctl:
      net.bridge.bridge-nf-call-ip6tables: 1
      net.bridge.bridge-nf-call-iptables: 1
      net.ipv4.ip_forward: 1
      net.ipv4.conf.all.forwarding: 1
      net.ipv4.neigh.default.gc_thresh1: 4096
      net.ipv4.neigh.default.gc_thresh2: 6144
      net.ipv4.neigh.default.gc_thresh3: 8192
      net.ipv4.neigh.default.gc_interval: 60
      net.ipv4.neigh.default.gc_stale_time: 120

      # 参考 https://github.com/prometheus/node_exporter#disabled-by-default
      kernel.perf_event_paranoid: -1

      #sysctls for k8s node config
      net.ipv4.tcp_slow_start_after_idle: 0
      net.core.rmem_max: 16777216
      fs.inotify.max_user_watches: 524288
      kernel.softlockup_all_cpu_backtrace: 1

      kernel.softlockup_panic: 0

      kernel.watchdog_thresh: 30
      fs.file-max: 2097152
      fs.inotify.max_user_instances: 8192
      fs.inotify.max_queued_events: 16384
      vm.max_map_count: 262144
      fs.may_detach_mounts: 1
      net.core.netdev_max_backlog: 16384
      net.ipv4.tcp_wmem: 4096 12582912 16777216
      net.core.wmem_max: 16777216
      net.core.somaxconn: 32768
      net.ipv4.ip_forward: 1
      net.ipv4.tcp_max_syn_backlog: 8096
      net.ipv4.tcp_rmem: 4096 12582912 16777216

      net.ipv6.conf.all.disable_ipv6: 1
      net.ipv6.conf.default.disable_ipv6: 1
      net.ipv6.conf.lo.disable_ipv6: 1

      kernel.yama.ptrace_scope: 0
      vm.swappiness: 0

      # 可以控制core文件的文件名中是否添加pid作为扩展。
      kernel.core_uses_pid: 1

      # Do not accept source routing
      net.ipv4.conf.default.accept_source_route: 0
      net.ipv4.conf.all.accept_source_route: 0

      # Promote secondary addresses when the primary address is removed
      net.ipv4.conf.default.promote_secondaries: 1
      net.ipv4.conf.all.promote_secondaries: 1

      # Enable hard and soft link protection
      fs.protected_hardlinks: 1
      fs.protected_symlinks: 1

      # 源路由验证
      # see details in https://help.aliyun.com/knowledge_detail/39428.html
      net.ipv4.conf.all.rp_filter: 0
      net.ipv4.conf.default.rp_filter: 0
      net.ipv4.conf.default.arp_announce :  2
      net.ipv4.conf.lo.arp_announce: 2
      net.ipv4.conf.all.arp_announce: 2

      # see details in https://help.aliyun.com/knowledge_detail/41334.html
      net.ipv4.tcp_max_tw_buckets: 5000
      net.ipv4.tcp_syncookies: 1
      net.ipv4.tcp_fin_timeout: 30
      net.ipv4.tcp_synack_retries: 2
      kernel.sysrq: 1

  tasks:
    - sysctl:
        name: "{{ item[0] }}"
        value: "{{ item[1] }}"
        state: present
        sysctl_set: yes
        reload: yes
      with_items:
        - "{{ pana_sys_ctl|dictsort }}"

- hosts: test

gather_facts: false

vars:

pana_sys_ctl:

net.bridge.bridge-nf-call-ip6tables: 1

net.bridge.bridge-nf-call-iptables: 1

net.ipv4.ip_forward: 1

net.ipv4.conf.all.forwarding: 1

net.ipv4.neigh.default.gc_thresh1: 4096

net.ipv4.neigh.default.gc_thresh2: 6144

net.ipv4.neigh.default.gc_thresh3: 8192

net.ipv4.neigh.default.gc_interval: 60

net.ipv4.neigh.default.gc_stale_time: 120

# 参考 https://github.com/prometheus/node_exporter#disabled-by-default

kernel.perf_event_paranoid: -1

#sysctls for k8s node config

net.ipv4.tcp_slow_start_after_idle: 0

net.core.rmem_max: 16777216

fs.inotify.max_user_watches: 524288

kernel.softlockup_all_cpu_backtrace: 1

kernel.softlockup_panic: 0

kernel.watchdog_thresh: 30

fs.file-max: 2097152

fs.inotify.max_user_instances: 8192

fs.inotify.max_queued_events: 16384

vm.max_map_count: 262144

fs.may_detach_mounts: 1

net.core.netdev_max_backlog: 16384

net.ipv4.tcp_wmem: 4096 12582912 16777216

net.core.wmem_max: 16777216

net.core.somaxconn: 32768

net.ipv4.ip_forward: 1

net.ipv4.tcp_max_syn_backlog: 8096

net.ipv4.tcp_rmem: 4096 12582912 16777216

net.ipv6.conf.all.disable_ipv6: 1

net.ipv6.conf.default.disable_ipv6: 1

net.ipv6.conf.lo.disable_ipv6: 1

kernel.yama.ptrace_scope: 0

vm.swappiness: 0

# 可以控制core文件的文件名中是否添加pid作为扩展。

kernel.core_uses_pid: 1

# Do not accept source routing

net.ipv4.conf.default.accept_source_route: 0

net.ipv4.conf.all.accept_source_route: 0

# Promote secondary addresses when the primary address is removed

net.ipv4.conf.default.promote_secondaries: 1

net.ipv4.conf.all.promote_secondaries: 1

# Enable hard and soft link protection

fs.protected_hardlinks: 1

fs.protected_symlinks: 1

# 源路由验证

# see details in https://help.aliyun.com/knowledge_detail/39428.html

net.ipv4.conf.all.rp_filter: 0

net.ipv4.conf.default.rp_filter: 0

net.ipv4.conf.default.arp_announce : 2

net.ipv4.conf.lo.arp_announce: 2

net.ipv4.conf.all.arp_announce: 2

# see details in https://help.aliyun.com/knowledge_detail/41334.html

net.ipv4.tcp_max_tw_buckets: 5000

net.ipv4.tcp_syncookies: 1

net.ipv4.tcp_fin_timeout: 30

net.ipv4.tcp_synack_retries: 2

kernel.sysrq: 1

tasks:

- sysctl:

value: "{{ item[1] }}"

state: present

sysctl_set: yes

reload: yes

with_items:

- "{{ pana_sys_ctl|dictsort }}"

测试发现, 运行很慢, 基本一条一秒, 要是这样, 还不如直接拷贝过去算了, 此模块适合修改条目比较少的选项

By sean, 5 years06/14/2020 ago

未分类

批量插入/替换整段代码到指定位置

需求是用ansible来修改nginx配置文件，添加代理gotty打开终端的逻辑，如下：

---

- name: modify nginx configure
  gather_facts: F
  hosts: nginx
  pre_tasks:
    - name: define variables
      set_fact:
        nginx_conf: /data/middleware/nginx/conf.d/upstream-tomcat.conf

  tasks:
    - name: "modify nginx configure - part 1"
      shell:
        cmd: |
          time=$(date +%F)
          sed -i "1i\# modified at $time" upstream-tomcat.conf
          Bstr='\# modified at'
          Estr='upstream dashboard'
          sed -n "
            /$Bstr/ {
              n
              :start
              /$Estr/! {
                N
                b start
              }
              p
            }
          " map.txt | sed "
            /$Bstr/ {
              n
              :start
              /$Estr/! {
                N
                b start
              }
              r /dev/stdin
              d
            }
          " {{ nginx_conf }} > {{ nginx_conf }}.new
          mv -f {{ nginx_conf }}.new {{ nginx_conf }}

    - name: "modify nginx configure - part 2"
      shell:
        cmd: |
          Bstr='# --- END FOR KUBOARD ---'
          Estr='location.*.\/redis\/'
          sed -n "
            /$Bstr/ {
              n
              :start
              /$Estr/! {
                N
                b start
              }
              p
            }
          " location.txt | sed "
            /$Bstr/ {
              n
              :start
              /$Estr/! {
                N
                b start
              }
              r /dev/stdin
              d
            }
          " {{ nginx_conf }} > {{ nginx_conf }}.new
          mv -f {{ nginx_conf }}.new {{ nginx_conf }}

---

- name: modify nginx configure

gather_facts: F

hosts: nginx

pre_tasks:

- name: define variables

set_fact:

nginx_conf: /data/middleware/nginx/conf.d/upstream-tomcat.conf

tasks:

- name: "modify nginx configure - part 1"

shell:

cmd: |

time=$(date +%F)

sed -i "1i\# modified at $time" upstream-tomcat.conf

Bstr='\# modified at'

Estr='upstream dashboard'

sed -n "

/$Bstr/ {

:start

/$Estr/! {

b start

}

" map.txt | sed "

/$Bstr/ {

:start

/$Estr/! {

b start

}

r /dev/stdin

}

" {{ nginx_conf }} > {{ nginx_conf }}.new

mv -f {{ nginx_conf }}.new {{ nginx_conf }}

- name: "modify nginx configure - part 2"

shell:

cmd: |

Bstr='# --- END FOR KUBOARD ---'

Estr='location.*.\/redis\/'

sed -n "

/$Bstr/ {

:start

/$Estr/! {

b start

}

" location.txt | sed "

/$Bstr/ {

:start

/$Estr/! {

b start

}

r /dev/stdin

}

" {{ nginx_conf }} > {{ nginx_conf }}.new

mv -f {{ nginx_conf }}.new {{ nginx_conf }}

map.txt:

map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}
map $http_cookie $c_cookie {
    default "";
     ~*host=([^\;]*) $1;
}

map $args $r_host {
     default $c_cookie;
     ~*host=(.*) $1;
}

upstream dashboard {

map $http_upgrade $connection_upgrade {

default upgrade;

'' close;

}

map $http_cookie $c_cookie {

default "";

~*host=([^\;]*) $1;

}

map $args $r_host {

default $c_cookie;

~*host=(.*) $1;

}

upstream dashboard {

location.txt:

    # --- END FOR KUBOARD ---

    # --- START FOR gotty ---
   location ~ /webterminal/ {
        if ($uri = /webterminal/ ){
            set $hostip "$r_host";
            set_decode_base64 $hostip;
            proxy_pass http://$hostip:50000;
            rewrite /webterminal/(.*)$ /$1 break;
            add_header Set-Cookie "host=$hostip";
        }
        if ($uri ~ .js){
            proxy_pass http://$c_cookie:50000;
            rewrite /webterminal/(.*)$ /$1 break;
        }
        if ($uri ~ webterminal/ws){
            rewrite /(.*)$ /webterminalws last;
        }
    }

    location ~ /webterminalws {
        proxy_pass http://$c_cookie:50000/ws;

        proxy_http_version  1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;

        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
    }
    # --- END FOR gotty ---

    location ^~ /redis/ {

# --- END FOR KUBOARD ---

# --- START FOR gotty ---

location ~ /webterminal/ {

if ($uri = /webterminal/ ){

set $hostip "$r_host";

set_decode_base64 $hostip;

proxy_pass http://$hostip:50000;

rewrite /webterminal/(.*)$ /$1 break;

add_header Set-Cookie "host=$hostip";

}

if ($uri ~ .js){

proxy_pass http://$c_cookie:50000;

rewrite /webterminal/(.*)$ /$1 break;

}

if ($uri ~ webterminal/ws){

rewrite /(.*)$ /webterminalws last;

}

location ~ /webterminalws {

proxy_pass http://$c_cookie:50000/ws;

proxy_http_version 1.1;

proxy_set_header Upgrade $http_upgrade;

proxy_set_header Connection $connection_upgrade;

proxy_set_header Host $http_host;

proxy_set_header X-Real-IP $remote_addr;

}

# --- END FOR gotty ---

location ^~ /redis/ {

注意：需要插入/替换的新内容：map.txt和location.txt 开始和结束的匹配字段也要写上去（Bstr和Estr）

By sean, 5 years06/11/2020 ago

未分类

ansible – Appending To Lists And Dictionaries

今天在整理ansible安装k3s时，遇到了个问题，想法是在安装过程中对node能打多个label, 如：定义hosts.ini

[k3s_nodes]
172.20.47.254 k3s_control_node=true nodeRole=ingress,node ansible_ssh_user=root ansible_ssh_port=22
172.20.47.201 nodeRole=node  ansible_ssh_user=root ansible_ssh_port=22

[k3s_nodes]

172.20.47.254 k3s_control_node=true nodeRole=ingress,node ansible_ssh_user=root ansible_ssh_port=22

172.20.47.201 nodeRole=node ansible_ssh_user=root ansible_ssh_port=22

其中k3s.service.j2模块中的定义如下：

{% if k3s_node_labels is defined and k3s_node_labels is iterable %}
    {% for label in k3s_node_labels %}
        {% for key, value in label.items() %}
            --node-label {{ key }}={{ value }}
        {% endfor %}
    {% endfor %}
{% endif %}

{% if k3s_node_labels is defined and k3s_node_labels is iterable %}

{% for label in k3s_node_labels %}

{% for key, value in label.items() %}

--node-label {{ key }}={{ value }}

{% endfor %}

{% endif %}

而生成的k3s.service应是这个结果：

ExecStart=/usr/local/bin/k3s server \
          --disable-network-policy --flannel-backend none --cluster-cidr 10.42.0.0/16 --service-cidr 10.43.0.0/16 \
          --no-deploy traefik --docker --node-name 172.20.47.254 \
          --node-label node.kubernetes.io/ingress= \
          --node-label node.kubernetes.io/node=

ExecStart=/usr/local/bin/k3s server \

--disable-network-policy --flannel-backend none --cluster-cidr 10.42.0.0/16 --service-cidr 10.43.0.0/16 \

--no-deploy traefik --docker --node-name 172.20.47.254 \

--node-label node.kubernetes.io/ingress= \

--node-label node.kubernetes.io/node=

可以看到，应该给node打两个label, 经反复尝试，终于生成了，下面是我的k3s.yml:

- hosts: k3s_nodes
  vars:
    #k3s_control_node_address: 172.20.47.250
    # k3s_datastore_endpoint: "mysql://root:mypass@tcp(172.20.47.38:3306)/k3sdb"
    k3s_cluster_cidr: 10.42.0.0/16
    k3s_service_cidr: 10.43.0.0/16
    k3s_use_docker: true
    k3s_no_flannel: true
    k3s_no_traefik: true
    # k3s_control_node_address: "k8s.apiserver.io"
    ingress_http_port: 8000
    ingress_https_port: 4443

    # if set k3s_disable_network_policy=false,  
    # it will show error: User "system:k3s-controller" cannot get resource "nodes" in API group "" at the cluster scope
    # refer to: https://github.com/rancher/k3s/issues/1792
    k3s_disable_network_policy: true
    k3s_server_manifests_templates:
      - "manifests/calico.yaml.j2"
      - "manifests/coredns.yaml.j2"
      - "manifests/local-storage.yaml.j2"
      - "manifests/metrics-server-deployment.yaml.j2"
      - "manifests/nginx-ingress.yaml.j2"
      - "manifests/kuboard.yaml.j2"
      - "manifests/cert-manager-no-webhook.yaml.j2"

  pre_tasks:
    - name: Set k3s_node_name
      set_fact:
        k3s_node_name: "{{ inventory_hostname }}"

    - name: Set node labels
      set_fact:
        # k3s_node_labels: "{{ k3s_node_labels|default([]) | combine({'node.kubernetes.io/'+item: ''}) }}"
        k3s_node_labels: "{{ k3s_node_labels|default([]) + [{'node.kubernetes.io/'+item: ''}] }}"
      with_items: 
        - "{{ nodeRole.split(',') }}"
      when: nodeRole is defined

  # tasks:
  #   - debug: msg="{{ k3s_node_labels  }}"
  roles:
    - { role: k3s, k3s_release_version: v1.18.2+k3s1 }

- hosts: k3s_nodes

vars:

#k3s_control_node_address: 172.20.47.250

# k3s_datastore_endpoint: "mysql://root:mypass@tcp(172.20.47.38:3306)/k3sdb"

k3s_cluster_cidr: 10.42.0.0/16

k3s_service_cidr: 10.43.0.0/16

k3s_use_docker: true

k3s_no_flannel: true

k3s_no_traefik: true

# k3s_control_node_address: "k8s.apiserver.io"

ingress_http_port: 8000

ingress_https_port: 4443

# if set k3s_disable_network_policy=false,

# it will show error: User "system:k3s-controller" cannot get resource "nodes" in API group "" at the cluster scope

# refer to: https://github.com/rancher/k3s/issues/1792

k3s_disable_network_policy: true

k3s_server_manifests_templates:

- "manifests/calico.yaml.j2"

- "manifests/coredns.yaml.j2"

- "manifests/local-storage.yaml.j2"

- "manifests/metrics-server-deployment.yaml.j2"

- "manifests/nginx-ingress.yaml.j2"

- "manifests/kuboard.yaml.j2"

- "manifests/cert-manager-no-webhook.yaml.j2"

pre_tasks:

- name: Set k3s_node_name

set_fact:

k3s_node_name: "{{ inventory_hostname }}"

- name: Set node labels

set_fact:

# k3s_node_labels: "{{ k3s_node_labels|default([]) | combine({'node.kubernetes.io/'+item: ''}) }}"

k3s_node_labels: "{{ k3s_node_labels|default([]) + [{'node.kubernetes.io/'+item: ''}] }}"

with_items:

- "{{ nodeRole.split(',') }}"

when: nodeRole is defined

# tasks:

# - debug: msg="{{ k3s_node_labels }}"

roles:

- { role: k3s, k3s_release_version: v1.18.2+k3s1 }

定义了： k3s_node_labels: “{{ k3s_node_labels|default([]) + [{‘node.kubernetes.io/’+item: ”}] }}” 意思是定义一个列表k3s_node_labels，将with_items中的变量append到列表中，结果是这样：

[
        {
            "node.kubernetes.io/ingress": ""
        }, 
        {
            "node.kubernetes.io/node": ""
        }
]

[

{

"node.kubernetes.io/ingress": ""

{

"node.kubernetes.io/node": ""

}

]

除了用+号，也可以用union([item]) 而如果这样定义的话： k3s_node_labels: “{{ k3s_node_labels|default([]) | combine({‘node.kubernetes.io/’+item: ”}) }}” 或 k3s_node_labels: “{{ k3s_node_labels|default({}) | combine({‘node.kubernetes.io/’+item: ”}) }}” 都将会这种结果：

{
        "node.kubernetes.io/ingress": "", 
        "node.kubernetes.io/node": ""
}

{

"node.kubernetes.io/ingress": "",

"node.kubernetes.io/node": ""

}

未分类

WD Mycloud + Frp 内网穿透

Frp内网穿透这个真的是折腾了很久很久，WD MYycloud板块的各种帖子、Frp的Github中文文档、Issue页问答、各种技术博主的笔记、域名的配置等等，看的我晕头转向，期间还不断的被误导。总之折腾了很久总算把Frp内网穿透搞明白了，也稍微窥见了Linux的好玩之处。刚开始本来成功在路由器上配置了Frpc，看到说明页上写着必须使用虚拟内存，而陪伴我多年的U盘很争气的在格式化后光荣退伍。于是想到把Frpc运行到WD Mycloud上，看了那是云网站WD Mycloud板块非常含糊的教程后照猫画虎始终无法成功。最后看Frp的Github issue问答的时候才发现我从论坛附件下载的客户端文件版本太旧了。下载新版Frpc后成功穿透，然后开心的各种域名配置…… 服务端环境：CentOS7 + lnmp 1.4 客户端环境：WD Mycloud 顶级域名：需要有一个一、Frps 服务端的安装 1、用Putty登陆到VPS，依次输入以下代码

wget --no-check-certificate http://ftp.al/install-frps.sh -O ./install-frps.sh
chmod 700 ./install-frps.sh
./install-frps.sh install

wget --no-check-certificate http://ftp.al/install-frps.sh -O ./install-frps.sh

chmod 700 ./install-frps.sh

./install-frps.sh install

2、安装过程中需要手动输入一些参数 Please input frps bind_port [1-65535](Default Server Port: 7000): #输入frp提供服务的端口，用于服务器端和客户端通信 Please input frps dashboard_port [1-65535](Default dashboard_port: 7500): #输入frp的控制台服务端口，用于查看frp工作状态 Please input frps vhost_http_port [1-65535](Default vhost_http_port: 80): #输入frp进行http穿透的http服务端口 Please input frps vhost_https_port [1-65535](Default vhost_https_port: 443): Read more…

By sean, 5 years ago

未分类

nginx通过传参做动态代理

nginx通过传参做动态代理：可以访问http://172.20.47.38/console/?host=172.20.47.11, 来直接代理到gotty的172.20.47.11:50000 的websocket

map $http_cookie $c_cookie {
    default "";
     ~*host=([^\;]*) $1;
}


map $args $r_host {
     default $c_cookie;
     ~*host=(.*) $1;
}


#-------------
server { 
   listen 80;
   location ~ /console/ {
         if ($uri !~ console/ws){
            proxy_pass http://$r_host:50000;
            rewrite /console/(.*)$ /$1 break;
            add_header Set-Cookie "host=$r_host";
           }
            
           if ($uri ~ console/ws){
              #proxy_pass http://$c_cookie:50000/ws; 
              rewrite /(.*)$ /consolews last;
           }
        #proxy_http_version  1.1;
        #proxy_set_header Upgrade $http_upgrade;
        #proxy_set_header Connection $connection_upgrade;

        #proxy_set_header Host $http_host;
        #proxy_set_header X-Real-IP $remote_addr;
        
        }

    location ~ /consolews {
        proxy_pass http://$c_cookie:50000/ws;

        proxy_http_version  1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;

        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
    }
｝
#------------

map $http_cookie $c_cookie {

default "";

~*host=([^\;]*) $1;

}

map $args $r_host {

default $c_cookie;

~*host=(.*) $1;

}

#-------------

server {

listen 80;

location ~ /console/ {

if ($uri !~ console/ws){

proxy_pass http://$r_host:50000;

rewrite /console/(.*)$ /$1 break;

add_header Set-Cookie "host=$r_host";

}

if ($uri ~ console/ws){

#proxy_pass http://$c_cookie:50000/ws;

rewrite /(.*)$ /consolews last;

}

#proxy_http_version 1.1;

#proxy_set_header Upgrade $http_upgrade;

#proxy_set_header Connection $connection_upgrade;

#proxy_set_header Host $http_host;

#proxy_set_header X-Real-IP $remote_addr;

}

location ~ /consolews {

proxy_pass http://$c_cookie:50000/ws;

proxy_http_version 1.1;

proxy_set_header Upgrade $http_upgrade;

proxy_set_header Connection $connection_upgrade;

proxy_set_header Host $http_host;

proxy_set_header X-Real-IP $remote_addr;

}

｝

#------------

可以将参数进行base64加密, 如:

[root@dciuap2 nginx]# printf 172.20.47.38|base64|tr -d \\n
MTcyLjIwLjQ3LjM4
#注意base64加密会自动在字符后面添加空格, 要把空格删除

[root@dciuap2 nginx]# printf 172.20.47.38|base64|tr -d \\n

MTcyLjIwLjQ3LjM4

#注意base64加密会自动在字符后面添加空格, 要把空格删除

然后通过访问http://172.20.47.38/console/?host=MTcyLjIwLjQ3LjM4 来访问gotty: 参考: http://man.hubwiz.com/docset/OpenResty.docset/Contents/Resources/Documents/set-misc-nginx-module.html#set_unescape_uri nginx要添加set-misc-nginx-module模块, 具体安装方式如下:

 wget 'http://nginx.org/download/nginx-1.11.2.tar.gz'
 tar -xzvf nginx-1.11.2.tar.gz
 cd nginx-1.11.2/

 # Here we assume you would install you nginx under /opt/nginx/.
 ./configure --prefix=/opt/nginx \
     --with-http_ssl_module \
     --add-module=/path/to/ngx_devel_kit \
     --add-module=/path/to/set-misc-nginx-module

 make -j2
 make install

wget 'http://nginx.org/download/nginx-1.11.2.tar.gz'

tar -xzvf nginx-1.11.2.tar.gz

cd nginx-1.11.2/

# Here we assume you would install you nginx under /opt/nginx/.

./configure --prefix=/opt/nginx \

--with-http_ssl_module \

--add-module=/path/to/ngx_devel_kit \

--add-module=/path/to/set-misc-nginx-module

make -j2

make install

配置文件如下, 逻辑为: 第一次访问时, $uri是/console/ 则进行set_decode_base64解码,设置cookie 然后再访问几个js文件, 匹配.js, js再调用ws

map $http_cookie $c_cookie {
    default "";
     ~*host=([^\;]*) $1;
}


map $args $r_host {
     default $c_cookie;
     ~*host=(.*) $1;
}


server {
   listen 80;
   server_name 172.20.47.38;
   location ~ /console/ {
         if ($uri = /console/ ){
            set $hostip "$r_host";
            set_decode_base64 $hostip;
            proxy_pass http://$hostip:50000;
            rewrite /console/(.*)$ /$1 break;
            add_header Set-Cookie "host=$hostip";
         }
         if ($uri ~ .js){
            proxy_pass http://$c_cookie:50000;
            rewrite /console/(.*)$ /$1 break;
           }

           if ($uri ~ console/ws){
              #proxy_pass http://$c_cookie:50000/ws;
              rewrite /(.*)$ /consolews last;
           }

        }

    location ~ /consolews {
        proxy_pass http://$c_cookie:50000/ws;

        proxy_http_version  1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;

        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
    }
}

map $http_cookie $c_cookie {

default "";

~*host=([^\;]*) $1;

}

map $args $r_host {

default $c_cookie;

~*host=(.*) $1;

}

server {

listen 80;

server_name 172.20.47.38;

location ~ /console/ {

if ($uri = /console/ ){

set $hostip "$r_host";

set_decode_base64 $hostip;

proxy_pass http://$hostip:50000;

rewrite /console/(.*)$ /$1 break;

add_header Set-Cookie "host=$hostip";

}

if ($uri ~ .js){

proxy_pass http://$c_cookie:50000;

rewrite /console/(.*)$ /$1 break;

}

if ($uri ~ console/ws){

#proxy_pass http://$c_cookie:50000/ws;

rewrite /(.*)$ /consolews last;

}

location ~ /consolews {

proxy_pass http://$c_cookie:50000/ws;

proxy_http_version 1.1;

proxy_set_header Upgrade $http_upgrade;

proxy_set_header Connection $connection_upgrade;

proxy_set_header Host $http_host;

proxy_set_header X-Real-IP $remote_addr;

}

—- 旧的请求根目录版：

map $http_upgrade $connection_upgrade {
  default upgrade;
  '' close;
}

map $args $r_host {
     default localhost;
     ~*host=(.*) $1;
}

map $http_cookie $c_cookie {
    default "";
     ~*host=(.*) $1;
  }
  
server {
    listen       8000;

	location / {

		proxy_pass http://$r_host:50000/;

		add_header Set-Cookie "host=$r_host";
	}

	location /ws {

		proxy_pass http://$c_cookie:50000;

		proxy_http_version  1.1;
		proxy_set_header Upgrade $http_upgrade;
		proxy_set_header Connection $connection_upgrade;

		proxy_set_header Host $http_host;
		proxy_set_header X-Real-IP $remote_addr;
	}

	location ~ \.(gif|jpg|png|js|css)$ {
		proxy_pass http://$c_cookie:50000;
	}

}

map $http_upgrade $connection_upgrade {

default upgrade;

'' close;

}

map $args $r_host {

default localhost;

~*host=(.*) $1;

}

map $http_cookie $c_cookie {

default "";

~*host=(.*) $1;

}

server {

listen 8000;

location / {

proxy_pass http://$r_host:50000/;

add_header Set-Cookie "host=$r_host";

}

location /ws {

proxy_pass http://$c_cookie:50000;

proxy_http_version 1.1;

proxy_set_header Upgrade $http_upgrade;

proxy_set_header Connection $connection_upgrade;

proxy_set_header Host $http_host;

proxy_set_header X-Real-IP $remote_addr;

}

location ~ \.(gif|jpg|png|js|css)$ {

proxy_pass http://$c_cookie:50000;

}

By sean, 5 years05/14/2020 ago

未分类

容器集成sftp服务

有个需求，需要用户在调试时能方便地将文件拷贝到容器里，需要做个带ftp功能的容器，参考了： https://github.com/rlesouef/alpine-sftp 整个工程目录结构：

.
├── build.py
├── config
│   ├── config_arm64v8.yml
│   ├── config_redis_commander.yml
│   ├── config_x86_gpaas_lite.yml
│   ├── config_x86_gpaas_pro.yml
│   ├── config_x86_online.yml
│   └── config.yml
├── dockerfile
├── download
│   ├── font
│   │   └── ncc
│   │       ├── song
│   │       │   └── song.zip
│   │       └── yahei
│   │           └── yahei.zip
│   ├── get-pip.py
│   ├── go
│   │   ├── go1.10.1.linux-amd64.tar.gz
│   │   └── go1.10.1.linux-arm64.tar.gz
│   ├── java
│   │   ├── apache-tomcat-6.0.48.tar.gz
│   │   ├── apache-tomcat-7.0.85.tar.gz
│   │   ├── apache-tomcat-8.5.28.tar.gz
│   │   ├── apache-tomcat-9.0.5.tar.gz
│   │   ├── appupload
│   │   │   ├── catalina.properties.appupload
│   │   │   └── jfxrt.jar
│   │   ├── arthas-boot.jar
│   │   ├── etc
│   │   │   ├── authfile.properties
│   │   │   ├── inputrc
│   │   │   └── yhtauthfile.properties
│   │   ├── fonts.tar.gz
│   │   ├── java_options.sh
│   │   ├── jdk-6u45-linux-x64.bin
│   │   ├── jdk-7-linux-x64.tar.gz
│   │   ├── jdk-8-linux-x64.tar.gz
│   │   ├── jdk-8u202-linux-x64.tar.gz
│   │   ├── jdk-8u231-linux-arm64-vfp-hflt.tar.gz
│   │   ├── maven.tar.gz
│   │   ├── mount_app_file_log.sh
│   │   ├── phantomjs-2.1.1-linux-x86_64.tar.gz
│   │   ├── pinpoint-agent.tar.gz
│   │   ├── UnlimitedJCEPolicyJDK7
│   │   │   ├── 121
│   │   │   │   ├── local_policy.jar
│   │   │   │   └── US_export_policy.jar
│   │   │   ├── local_policy.jar
│   │   │   └── US_export_policy.jar
│   │   ├── UnlimitedJCEPolicyJDK8
│   │   │   ├── 121
│   │   │   │   ├── local_policy.jar
│   │   │   │   └── US_export_policy.jar
│   │   │   ├── local_policy.jar
│   │   │   └── US_export_policy.jar
│   │   └── yyy-probes.tar.gz
│   ├── nohup.out
│   ├── pip.conf
│   ├── public_packages
│   │   ├── color.awk
│   │   ├── confdownload
│   │   │   ├── confcenterdownload
│   │   │   ├── confcenterdownload_aarch64
│   │   │   └── confcenterdownload-online
│   │   ├── dumb-init_1.2.1_amd64
│   │   ├── dumb-init_1.2.2_aarch64
│   │   ├── entrypoint_ncc.sh
│   │   ├── entrypoint.sh
│   │   ├── fish_greeting.fish
│   │   ├── glibc
│   │   │   ├── aarch64
│   │   │   │   ├── glibc-2.26-r1.apk
│   │   │   │   ├── glibc-bin-2.26-r1.apk
│   │   │   │   └── glibc-i18n-2.26-r1.apk
│   │   │   └── x86_64
│   │   │       ├── APKINDEX.tar.gz
│   │   │       ├── glibc-2.28-r0.apk
│   │   │       ├── glibc-bin-2.28-r0.apk
│   │   │       ├── glibc-i18n-2.28-r0.apk
│   │   │       └── sgerrand.rsa.pub
│   │   ├── go1.10.1.linux-arm64.tar.gz
│   │   ├── offline_ncc.sh
│   │   ├── offline.sh
│   │   └── README.md
│   ├── python
│   │   ├── get-pip.py
│   │   └── pip.conf
│   ├── sftp
│   │   ├── bindmount.sh
│   │   ├── sftp-entrypoint.sh
│   │   └── sshd_config
│   ├── SimpleHTTPServerWithUpload.py
│   ├── supervisor
│   │   └── supervisord.conf
├── log
└── templates
    ├── alpine.j2
    ├── base_alpine.j2
    ├── header.j2
    ├── java.j2
    ├── nginx.j2
    ├── nginx-node.j2
    ├── node.j2
    ├── openresty.j2
    ├── php.j2
    ├── python_alpine.j2
    ├── python_debian.j2
    ├── redis-commander.j2
    ├── tomcat8-jdk8-alpine-appupload.j2
    ├── tomcat8-jdk8-centos.j2
    └── tomcat.j2

100

101

102

103

104

105

106

107

108

109

110

111

112

113

├── build.py

├── config

│ ├── config_arm64v8.yml

│ ├── config_redis_commander.yml

│ ├── config_x86_gpaas_lite.yml

│ ├── config_x86_gpaas_pro.yml

│ ├── config_x86_online.yml

│ └── config.yml

├── dockerfile

├── download

│ ├── font

│ │ └── ncc

│ │ ├── song

│ │ │ └── song.zip

│ │ └── yahei

│ │ └── yahei.zip

│ ├── get-pip.py

│ ├── go

│ │ ├── go1.10.1.linux-amd64.tar.gz

│ │ └── go1.10.1.linux-arm64.tar.gz

│ ├── java

│ │ ├── apache-tomcat-6.0.48.tar.gz

│ │ ├── apache-tomcat-7.0.85.tar.gz

│ │ ├── apache-tomcat-8.5.28.tar.gz

│ │ ├── apache-tomcat-9.0.5.tar.gz

│ │ ├── appupload

│ │ │ ├── catalina.properties.appupload

│ │ │ └── jfxrt.jar

│ │ ├── arthas-boot.jar

│ │ ├── etc

│ │ │ ├── authfile.properties

│ │ │ ├── inputrc

│ │ │ └── yhtauthfile.properties

│ │ ├── fonts.tar.gz

│ │ ├── java_options.sh

│ │ ├── jdk-6u45-linux-x64.bin

│ │ ├── jdk-7-linux-x64.tar.gz

│ │ ├── jdk-8-linux-x64.tar.gz

│ │ ├── jdk-8u202-linux-x64.tar.gz

│ │ ├── jdk-8u231-linux-arm64-vfp-hflt.tar.gz

│ │ ├── maven.tar.gz

│ │ ├── mount_app_file_log.sh

│ │ ├── phantomjs-2.1.1-linux-x86_64.tar.gz

│ │ ├── pinpoint-agent.tar.gz

│ │ ├── UnlimitedJCEPolicyJDK7

│ │ │ ├── 121

│ │ │ │ ├── local_policy.jar

│ │ │ │ └── US_export_policy.jar

│ │ │ ├── local_policy.jar

│ │ │ └── US_export_policy.jar

│ │ ├── UnlimitedJCEPolicyJDK8

│ │ │ ├── 121

│ │ │ │ ├── local_policy.jar

│ │ │ │ └── US_export_policy.jar

│ │ │ ├── local_policy.jar

│ │ │ └── US_export_policy.jar

│ │ └── yyy-probes.tar.gz

│ ├── nohup.out

│ ├── pip.conf

│ ├── public_packages

│ │ ├── color.awk

│ │ ├── confdownload

│ │ │ ├── confcenterdownload

│ │ │ ├── confcenterdownload_aarch64

│ │ │ └── confcenterdownload-online

│ │ ├── dumb-init_1.2.1_amd64

│ │ ├── dumb-init_1.2.2_aarch64

│ │ ├── entrypoint_ncc.sh

│ │ ├── entrypoint.sh

│ │ ├── fish_greeting.fish

│ │ ├── glibc

│ │ │ ├── aarch64

│ │ │ │ ├── glibc-2.26-r1.apk

│ │ │ │ ├── glibc-bin-2.26-r1.apk

│ │ │ │ └── glibc-i18n-2.26-r1.apk

│ │ │ └── x86_64

│ │ │ ├── APKINDEX.tar.gz

│ │ │ ├── glibc-2.28-r0.apk

│ │ │ ├── glibc-bin-2.28-r0.apk

│ │ │ ├── glibc-i18n-2.28-r0.apk

│ │ │ └── sgerrand.rsa.pub

│ │ ├── go1.10.1.linux-arm64.tar.gz

│ │ ├── offline_ncc.sh

│ │ ├── offline.sh

│ │ └── README.md

│ ├── python

│ │ ├── get-pip.py

│ │ └── pip.conf

│ ├── sftp

│ │ ├── bindmount.sh

│ │ ├── sftp-entrypoint.sh

│ │ └── sshd_config

│ ├── SimpleHTTPServerWithUpload.py

│ ├── supervisor

│ │ └── supervisord.conf

├── log

└── templates

├── alpine.j2

├── base_alpine.j2

├── header.j2

├── java.j2

├── nginx.j2

├── nginx-node.j2

├── node.j2

├── openresty.j2

├── php.j2

├── python_alpine.j2

├── python_debian.j2

├── redis-commander.j2

├── tomcat8-jdk8-alpine-appupload.j2

├── tomcat8-jdk8-centos.j2

└── tomcat.j2

其中download为各文件下载目录拿tomcat来作例：配置文件config_x86_online.yml：

registry:
- host: ycr.example.com
  repository: test
  username: admin
  password: xxxxxx

- image: "tomcat:8-jdk8-alpine-sftp"
  from_image: ycr.example.com/official/alpine/alpine:latest
  arch: x86_64
  template: tomcat-sftp.j2
  alpine_repo: mirrors.aliyun.com
  confcenterdownload: confcenterdownload-online
  dumb_init: dumb-init_1.2.1_amd64
  alpine_glibc_package_version: 2.28-r0
  version:
    tomcat: "8.5.28"
    jdk: "8u202"

- image: "nginx:1.15-alpine"
  template: nginx.j2
  from_image: ycr.example.com/official/nginx/nginx:1.15.8-alpine-perl
  arch: x86_64
  alpine_repo: mirrors.aliyun.com
  alpine_glibc_package_version: 2.28-r0
  dumb_init: dumb-init_1.2.1_amd64
  confcenterdownload: confcenterdownload-online

- image: "node:14-alpine"
  template: node.j2
  from_image: ycr.example.com/official/node/node:14.2.0-alpine3.11
  arch: x86_64
  alpine_repo: mirrors.aliyun.com
  alpine_glibc_package_version: 2.28-r0
  dumb_init: dumb-init_1.2.1_amd64
  confcenterdownload: confcenterdownload-online
  version:
    node: 14.2.0

registry:

- host: ycr.example.com

repository: test

username: admin

password: xxxxxx

- image: "tomcat:8-jdk8-alpine-sftp"

from_image: ycr.example.com/official/alpine/alpine:latest

arch: x86_64

alpine_repo: mirrors.aliyun.com

confcenterdownload: confcenterdownload-online

dumb_init: dumb-init_1.2.1_amd64

alpine_glibc_package_version: 2.28-r0

version:

tomcat: "8.5.28"

jdk: "8u202"

- image: "nginx:1.15-alpine"

from_image: ycr.example.com/official/nginx/nginx:1.15.8-alpine-perl

arch: x86_64

alpine_repo: mirrors.aliyun.com

alpine_glibc_package_version: 2.28-r0

dumb_init: dumb-init_1.2.1_amd64

confcenterdownload: confcenterdownload-online

- image: "node:14-alpine"

from_image: ycr.example.com/official/node/node:14.2.0-alpine3.11

arch: x86_64

alpine_repo: mirrors.aliyun.com

alpine_glibc_package_version: 2.28-r0

dumb_init: dumb-init_1.2.1_amd64

confcenterdownload: confcenterdownload-online

version:

node: 14.2.0

也可以定义arm64架构的config来构建：

registry:
- host: 172.20.11.11:88
  repository: base
  username: admin
  password: xxx

images:
- image: "nginx-node:financial-cloud"
  template: nginx-node.j2
  from_image: arm64v8/nginx:1.15-alpine
  arch: aarch64
  alpine_repo: mirrors.aliyun.com
  alpine_glibc_package_version: 2.28-r0
  dumb_init: dumb-init_1.2.2_aarch64
  confcenterdownload: confcenterdownload_aarch64

- image: "tomcat:8-jdk7-alpine-arm64v8"
  from_image: ycr.xxx.com/official/arm64v8/alpine:latest
  arch: aarch64
  template: tomcat.j2
  alpine_repo: mirrors.aliyun.com
  confcenterdownload: confcenterdownload_aarch64
  dumb_init: dumb-init_1.2.2_aarch64
  alpine_glibc_package_version: 2.26-r1
  version:
    tomcat: "8.5.28"
    jdk: 8u231

registry:

- host: 172.20.11.11:88

repository: base

username: admin

password: xxx

images:

- image: "nginx-node:financial-cloud"

from_image: arm64v8/nginx:1.15-alpine

arch: aarch64

alpine_repo: mirrors.aliyun.com

alpine_glibc_package_version: 2.28-r0

dumb_init: dumb-init_1.2.2_aarch64

confcenterdownload: confcenterdownload_aarch64

- image: "tomcat:8-jdk7-alpine-arm64v8"

from_image: ycr.xxx.com/official/arm64v8/alpine:latest

arch: aarch64

alpine_repo: mirrors.aliyun.com

confcenterdownload: confcenterdownload_aarch64

dumb_init: dumb-init_1.2.2_aarch64

alpine_glibc_package_version: 2.26-r1

version:

tomcat: "8.5.28"

jdk: 8u231

首先Dockerfile, 下面是Dockerfile模板： base_alpine.j2

FROM {{ from_image }}

ENV LANG=en_US.UTF-8 \
    LANGUAGE=en_US.UTF-8 \
    LC_CTYPE=en_US.UTF-8 \
    LC_ALL=en_US.UTF-8 \
    TZ="Asia/Shanghai" \
    BASE_IMAGE={{ image }}

ARG ALPINE_GLIBC_PACKAGE_VERSION="{{ alpine_glibc_package_version }}"
ARG DUMB_INIT={{ dumb_init }}
ARG CONFCENTERDOWNLOAD={{ confcenterdownload }}
ARG BASE_URL={{ base_url }}

{# 自定义环境变量 #}
{% block custom_env %}
{% endblock custom_env %}

WORKDIR ${WORKDIR:-/root}

RUN set -x \
    && sed -i 's/dl-cdn.alpinelinux.org/{{ alpine_repo }}/' /etc/apk/repositories \
    && echo 'http://{{ alpine_repo }}/alpine/edge/testing' >> /etc/apk/repositories \
    && apk update \
    && apk add --no-cache --allow-untrusted --update-cache \
        wget curl vim git \
        perl make less \
        bash bash-doc bash-completion \
        tmux fish mdocml-apropos \
        busybox-extras \
        coreutils \
        ca-certificates \
        tzdata \
        libtool \
        gcc \
        apk-tools \
        netcat-openbsd \
        bind-tools \
        supervisor \
        inotify-tools \
        shadow \
        openssh \
        openssh-sftp-server \
    {% block custom_pkg %}
    {% endblock custom_pkg %}
    \
    && ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime \
    && echo "Asia/Shanghai" > /etc/timezone \
    \
    && sed -i -e 's/\/bin\/ash/\/bin\/bash/' /etc/passwd \
    \
    \
    && echo '\
            PS1='\''\[\e[01;33m\][\h \u:\[\e[01;34m\]\w\[\e[01;33m\]]\[\e[00m\]\$ '\'' ; \
            eval `dircolors -b` ; \
            alias ls="ls --color=auto" ; \
            alias l="ls -lah" ; \
            alias ll="ls -lh" ; \
            alias l.="ls -d .* --color=auto" ; \
            alias mv="mv -i" ; \
            alias rm="rm -i" ; \
    ' >> /etc/profile \
    && echo '. ~/.bashrc' > /root/.bash_profile \
    && echo '. /etc/profile' > /root/.bashrc \
    && echo 'set-option -g default-shell /usr/bin/fish' > /root/.tmux.conf \
    && mkdir -p /root/.config/fish/functions \
    && echo '\
           function fish_prompt ;\
               if not set -q __fish_prompt_hostname ;\
                   set -g __fish_prompt_hostname (hostname) ;\
               end ;\
               set_color -o yellow ;\
               echo -n -s "$USER" @ "$__fish_prompt_hostname" " " ;\
               set_color -o blue ;\
               echo -n (prompt_pwd) ;\
               echo -n " # " ;\
               set_color normal ;\
           end ;\
           \
           alias l="ls -la" ;\
    ' > /root/.config/fish/functions/fish_prompt.fish \
    && ln -sf /bin/bash /bin/sh \
    \
    && echo 'hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4' >> /etc/nsswitch.conf \
    \
    \
    # --- start for glibc ---
    && ALPINE_GLIBC_BASE_DIR="$BASE_URL/public_packages/glibc/{{ arch }}" \
    && ALPINE_GLIBC_BASE_PACKAGE_FILENAME="$ALPINE_GLIBC_BASE_DIR/glibc-$ALPINE_GLIBC_PACKAGE_VERSION.apk" \
    && ALPINE_GLIBC_BIN_PACKAGE_FILENAME="$ALPINE_GLIBC_BASE_DIR/glibc-bin-$ALPINE_GLIBC_PACKAGE_VERSION.apk" \
    && ALPINE_GLIBC_I18N_PACKAGE_FILENAME="$ALPINE_GLIBC_BASE_DIR/glibc-i18n-$ALPINE_GLIBC_PACKAGE_VERSION.apk" \
    && wget $ALPINE_GLIBC_BASE_PACKAGE_FILENAME \
    && wget $ALPINE_GLIBC_BIN_PACKAGE_FILENAME \
    && wget $ALPINE_GLIBC_I18N_PACKAGE_FILENAME \
    && apk add --no-cache --allow-untrusted --force-overwrite \
        "glibc-$ALPINE_GLIBC_PACKAGE_VERSION.apk" \
        "glibc-bin-$ALPINE_GLIBC_PACKAGE_VERSION.apk" \
        "glibc-i18n-$ALPINE_GLIBC_PACKAGE_VERSION.apk" \
    \
    && rm -rf *.apk \
    && /usr/glibc-compat/bin/localedef --force --inputfile POSIX --charmap UTF-8 "$LANG" || true \
    && echo "export LANG=$LANG" > /etc/profile.d/locale.sh \
    && apk del glibc-i18n || true \
    \
    && mkdir -p $WORKDIR /usr/local/src/confdownload \
    && curl -SL $BASE_URL/public_packages/fish_greeting.fish -o /root/.config/fish/functions/fish_greeting.fish \
    && curl -SL $BASE_URL/public_packages/entrypoint.sh -o /usr/local/bin/entrypoint.sh \
    && curl -SL $BASE_URL/public_packages/confdownload/$CONFCENTERDOWNLOAD -o /usr/local/src/confdownload/confcenterdownload \
    && curl -SL $BASE_URL/public_packages/offline.sh -o /usr/local/bin/offline.sh \
    \
    && ln -sf /usr/local/src/confdownload/confcenterdownload /usr/local/bin/confcenterdownload \
    && ln -sf /usr/local/bin/offline.sh /bin/offline.sh \
    \
    # for supervisor
    && curl -SL $BASE_URL/supervisor/supervisord.conf -o /etc/supervisord.conf \
    && mkdir -p /etc/supervisor.d /etc/supervisor.user \         
    \
    # for sftp
    && curl -SL $BASE_URL/sftp/sshd_config -o /etc/ssh/sshd_config \
    && curl -SL $BASE_URL/sftp/sftp-entrypoint.sh -o /usr/local/bin/sftp-entrypoint.sh \
    && mkdir -p /etc/sftp.d \
    && curl -SL $BASE_URL/sftp/bindmount.sh -o /etc/sftp.d/bindmount.sh \
    && chmod +x /etc/sftp.d/bindmount.sh \
    && sed -i 's/GROUP=1000/GROUP=100/' /etc/default/useradd \
    && mkdir -p /var/run/sshd \
    && rm -f /etc/ssh/ssh_host_*key* \
    && printf '\
sftp-entrypoint.sh "$(env|grep SFTP|cut -d= -f2)" \n\
cat > /etc/supervisor.d/sftp.ini <<EOF\n\
[program:sftp] \n\
command=/usr/sbin/sshd -D -e \n\
priority=888 \n\
redirect_stderr=true \n\
EOF\n\
' > /etc/supervisor.user/sftp.ini.sh \
    \
    && printf '\
monitdirs=/etc/supervisor.user/monitdirs \n\
SFTP=$(env|grep SFTP|cut -d= -f2) \n\
SFTP_USER=$(echo $SFTP|cut -d: -f1) \n\
SFTP_DIRS=$(echo $SFTP|cut -d: -f5) \n\
IFS=";" read -a dirs <<< "$SFTP_DIRS" \n\
for dir in ${dirs[@]}; do echo $dir|cut -d, -f1 >> $monitdirs; done \n\
cat > /etc/supervisor.d/chmod.ini <<EOF\n\
[program:chmod] \n\
command=bash -c "while inotifywait -q -r -e create,delete,modify,move,attrib --fromfile $monitdirs; do chown -R $SFTP_USER:users /home/$SFTP_USER/*; done" \n\
priority=999 \n\
redirect_stderr=true \n\
EOF\n\
' > /etc/supervisor.user/chmod.ini.sh \
    && chmod +x /etc/supervisor.user/*.sh \
    {% block custom_run %}
    {% endblock custom_run %}
    \
    && chmod +x /usr/local/bin/* \
    && /bin/rm -rf /tmp/* /var/cache/apk/*

EXPOSE 22

ENTRYPOINT ["entrypoint.sh"]

{% block custom_cmd %}
{% endblock custom_cmd %}

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

FROM {{ from_image }}

ENV LANG=en_US.UTF-8 \

LANGUAGE=en_US.UTF-8 \

LC_CTYPE=en_US.UTF-8 \

LC_ALL=en_US.UTF-8 \

TZ="Asia/Shanghai" \

BASE_IMAGE={{ image }}

ARG ALPINE_GLIBC_PACKAGE_VERSION="{{ alpine_glibc_package_version }}"

ARG DUMB_INIT={{ dumb_init }}

ARG CONFCENTERDOWNLOAD={{ confcenterdownload }}

ARG BASE_URL={{ base_url }}

{# 自定义环境变量 #}

{% block custom_env %}

{% endblock custom_env %}

WORKDIR ${WORKDIR:-/root}

RUN set -x \

&& sed -i 's/dl-cdn.alpinelinux.org/{{ alpine_repo }}/' /etc/apk/repositories \

&& echo 'http://{{ alpine_repo }}/alpine/edge/testing' >> /etc/apk/repositories \

&& apk update \

&& apk add --no-cache --allow-untrusted --update-cache \

wget curl vim git \

perl make less \

bash bash-doc bash-completion \

tmux fish mdocml-apropos \

busybox-extras \

coreutils \

ca-certificates \

tzdata \

libtool \

gcc \

apk-tools \

netcat-openbsd \

bind-tools \

supervisor \

inotify-tools \

shadow \

openssh \

openssh-sftp-server \

{% block custom_pkg %}

{% endblock custom_pkg %}

&& ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime \

&& echo "Asia/Shanghai" > /etc/timezone \

&& sed -i -e 's/\/bin\/ash/\/bin\/bash/' /etc/passwd \

&& echo '\

PS1='\''\[\e[01;33m\][\h \u:\[\e[01;34m\]\w\[\e[01;33m\]]\[\e[00m\]\$ '\'' ; \

eval `dircolors -b` ; \

alias ls="ls --color=auto" ; \

alias l="ls -lah" ; \

alias ll="ls -lh" ; \

alias l.="ls -d .* --color=auto" ; \

alias mv="mv -i" ; \

alias rm="rm -i" ; \

' >> /etc/profile \

&& echo '. ~/.bashrc' > /root/.bash_profile \

&& echo '. /etc/profile' > /root/.bashrc \

&& echo 'set-option -g default-shell /usr/bin/fish' > /root/.tmux.conf \

&& mkdir -p /root/.config/fish/functions \

&& echo '\

function fish_prompt ;\

if not set -q __fish_prompt_hostname ;\

set -g __fish_prompt_hostname (hostname) ;\

end ;\

set_color -o yellow ;\

echo -n -s "$USER" @ "$__fish_prompt_hostname" " " ;\

set_color -o blue ;\

echo -n (prompt_pwd) ;\

echo -n " # " ;\

set_color normal ;\

end ;\

alias l="ls -la" ;\

' > /root/.config/fish/functions/fish_prompt.fish \

&& ln -sf /bin/bash /bin/sh \

&& echo 'hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4' >> /etc/nsswitch.conf \

# --- start for glibc ---

&& ALPINE_GLIBC_BASE_DIR="$BASE_URL/public_packages/glibc/{{ arch }}" \

&& ALPINE_GLIBC_BASE_PACKAGE_FILENAME="$ALPINE_GLIBC_BASE_DIR/glibc-$ALPINE_GLIBC_PACKAGE_VERSION.apk" \

&& ALPINE_GLIBC_BIN_PACKAGE_FILENAME="$ALPINE_GLIBC_BASE_DIR/glibc-bin-$ALPINE_GLIBC_PACKAGE_VERSION.apk" \

&& ALPINE_GLIBC_I18N_PACKAGE_FILENAME="$ALPINE_GLIBC_BASE_DIR/glibc-i18n-$ALPINE_GLIBC_PACKAGE_VERSION.apk" \

&& wget $ALPINE_GLIBC_BASE_PACKAGE_FILENAME \

&& wget $ALPINE_GLIBC_BIN_PACKAGE_FILENAME \

&& wget $ALPINE_GLIBC_I18N_PACKAGE_FILENAME \

&& apk add --no-cache --allow-untrusted --force-overwrite \

"glibc-$ALPINE_GLIBC_PACKAGE_VERSION.apk" \

"glibc-bin-$ALPINE_GLIBC_PACKAGE_VERSION.apk" \

"glibc-i18n-$ALPINE_GLIBC_PACKAGE_VERSION.apk" \

&& rm -rf *.apk \

&& /usr/glibc-compat/bin/localedef --force --inputfile POSIX --charmap UTF-8 "$LANG" || true \

&& echo "export LANG=$LANG" > /etc/profile.d/locale.sh \

&& apk del glibc-i18n || true \

&& mkdir -p $WORKDIR /usr/local/src/confdownload \

&& curl -SL $BASE_URL/public_packages/fish_greeting.fish -o /root/.config/fish/functions/fish_greeting.fish \

&& curl -SL $BASE_URL/public_packages/entrypoint.sh -o /usr/local/bin/entrypoint.sh \

&& curl -SL $BASE_URL/public_packages/confdownload/$CONFCENTERDOWNLOAD -o /usr/local/src/confdownload/confcenterdownload \

&& curl -SL $BASE_URL/public_packages/offline.sh -o /usr/local/bin/offline.sh \

&& ln -sf /usr/local/src/confdownload/confcenterdownload /usr/local/bin/confcenterdownload \

&& ln -sf /usr/local/bin/offline.sh /bin/offline.sh \

# for supervisor

&& curl -SL $BASE_URL/supervisor/supervisord.conf -o /etc/supervisord.conf \

&& mkdir -p /etc/supervisor.d /etc/supervisor.user \

# for sftp

&& curl -SL $BASE_URL/sftp/sshd_config -o /etc/ssh/sshd_config \

&& curl -SL $BASE_URL/sftp/sftp-entrypoint.sh -o /usr/local/bin/sftp-entrypoint.sh \

&& mkdir -p /etc/sftp.d \

&& curl -SL $BASE_URL/sftp/bindmount.sh -o /etc/sftp.d/bindmount.sh \

&& chmod +x /etc/sftp.d/bindmount.sh \

&& sed -i 's/GROUP=1000/GROUP=100/' /etc/default/useradd \

&& mkdir -p /var/run/sshd \

&& rm -f /etc/ssh/ssh_host_*key* \

&& printf '\

sftp-entrypoint.sh "$(env|grep SFTP|cut -d= -f2)" \n\

cat > /etc/supervisor.d/sftp.ini <<EOF\n\

[program:sftp] \n\

command=/usr/sbin/sshd -D -e \n\

priority=888 \n\

redirect_stderr=true \n\

EOF\n\

' > /etc/supervisor.user/sftp.ini.sh \

&& printf '\

monitdirs=/etc/supervisor.user/monitdirs \n\

SFTP=$(env|grep SFTP|cut -d= -f2) \n\

SFTP_USER=$(echo $SFTP|cut -d: -f1) \n\

SFTP_DIRS=$(echo $SFTP|cut -d: -f5) \n\

IFS=";" read -a dirs <<< "$SFTP_DIRS" \n\

for dir in ${dirs[@]}; do echo $dir|cut -d, -f1 >> $monitdirs; done \n\

cat > /etc/supervisor.d/chmod.ini <<EOF\n\

[program:chmod] \n\

command=bash -c "while inotifywait -q -r -e create,delete,modify,move,attrib --fromfile $monitdirs; do chown -R $SFTP_USER:users /home/$SFTP_USER/*; done" \n\

priority=999 \n\

redirect_stderr=true \n\

EOF\n\

' > /etc/supervisor.user/chmod.ini.sh \

&& chmod +x /etc/supervisor.user/*.sh \

{% block custom_run %}

{% endblock custom_run %}

&& chmod +x /usr/local/bin/* \

&& /bin/rm -rf /tmp/* /var/cache/apk/*

EXPOSE 22

ENTRYPOINT ["entrypoint.sh"]

{% block custom_cmd %}

{% endblock custom_cmd %}

tomcat.j2

{% extends "base_alpine.j2" %}

{# ENV 自定义环境变量 #}
{% block custom_env %}
{% if version and version.jdk %}
ENV JAVA_HOME="/usr/local/java" \
    CATALINA_HOME="/usr/local/tomcat" \
    TOMCAT_VERSION={{ version.tomcat }} \
    JAVA_VERSION={{ version.jdk }} \
    JAVA_MAJOR={{ version.jdk|string|list|first }}

ENV JRE_HOME="${JAVA_HOME}/jre" \
    CLASSPATH="${JAVA_HOME}/lib/dt.jar:${JAVA_HOME}/lib/tools.jar" \
    PATH="${PATH}:${JAVA_HOME}/bin:${CATALINA_HOME}/lib:${CATALINA_HOME}/bin"

{# ENV for appupload #}
{% if image.endswith('appupload') %}
ENV MAVEN_HOME=/usr/local/maven \
    MAVEN_OPTS="-Dfile.encoding=UTF-8 -Xmx512m" \
    GOPATH=/usr/local/go \
    PATH="$PATH:$MAVEN_HOME/bin:$GOPATH/bin"
{% endif %}

{% else %}
ENV JAVA_MAJOR={{ version.jre }}
{% endif %}

ENV WORKDIR="/usr/local/tomcat"

{% endblock custom_env %}
{% block custom_pkg %}
        ttf-dejavu \
        fontconfig \
        wqy-zenhei@edge wqy-zenhei \
    {# PKG for appupload #}
    {% if image.endswith('appupload') %}
        subversion \
        zip unzip \
        python \
        lftp \
        pigz \
        nodejs nodejs-npm \
        axel \
        yarn \
    {% endif %}
{% endblock custom_pkg %}

{# RUN #}
{% block custom_run %}
    {% if tag and tag == 'youyunyin' %}
    {% set apm = 'yyy-probes' %}
    {% else %}
    {% set apm = 'pinpoint-agent' %}
    {% endif %}
    && mkdir -p /etc/config/download/ /usr/local/{{ apm }} \
    && curl -SL $BASE_URL/java/java_options.sh -o /usr/local/bin/java_options.sh \
    && curl -SL $BASE_URL/java/arthas-boot.jar -o /usr/local/bin/arthas-boot.jar \
    && curl -SL $BASE_URL/java/mount_app_file_log.sh -o /usr/bin/mount_app_file_log.sh \
    && wget $BASE_URL/java/{{ apm }}.tar.gz \
    && tar -zxvf {{ apm }}.tar.gz --strip-components=1 -C /usr/local/{{ apm }} \
    && rm -rf {{ apm }}.tar.gz \
    && curl -SL $BASE_URL/java/etc/authfile.properties -o /etc/config/download/authfile.properties \
    && curl -SL $BASE_URL/java/etc/yhtauthfile.properties -o /etc/config/download/yhtauthfile.properties \
    \
    \
    && mkdir -p  /usr/share/fonts/song \
    && cd /usr/share/fonts/song \
    && wget $BASE_URL/font/ncc/song/song.zip \
    && unzip song.zip && rm -f song.zip  \
    && mkfontscale && mkfontdir && fc-cache && cd  - \
    && mkdir -p /usr/share/fonts/MicrosoftYahei && cd /usr/share/fonts/MicrosoftYahei \
    && wget $BASE_URL/font/ncc/yahei/yahei.zip \
    && unzip yahei.zip && rm -f yahei.zip \
    && mkfontscale && mkfontdir && fc-cache && cd - \
    \
    {% if version and version.jdk %}
    && mkdir -p $JAVA_HOME \
    && curl -SL $BASE_URL/java/jdk-${JAVA_VERSION}-linux-{{ 'x64' if arch == "x86_64" else 'arm64-vfp-hflt' }}.tar.gz -o java.tar.gz \
    && tar -zxvf java.tar.gz --strip-components=1 -C $JAVA_HOME/ \
    \
    && rm -rf $JAVA_HOME/*src.zip \
       $JAVA_HOME/lib/missioncontrol \
       $JAVA_HOME/lib/visualvm \
       $JAVA_HOME/lib/*javafx* \
       $JAVA_HOME/jre/lib/ext/jfxrt.jar \
       $JAVA_HOME/jre/bin/javaws \
       $JAVA_HOME/jre/lib/javaws.jar \
       $JAVA_HOME/jre/lib/desktop \
       $JAVA_HOME/jre/plugin \
       $JAVA_HOME/jre/lib/deploy* \
       $JAVA_HOME/jre/lib/*javafx* \
       $JAVA_HOME/jre/lib/*jfx* \
    \
    && rm -rf java.tar.gz* \
    && curl -SL $BASE_URL/java/UnlimitedJCEPolicyJDK${JAVA_MAJOR}/local_policy.jar -o $JAVA_HOME/jre/lib/security/local_policy.jar \
    && curl -SL $BASE_URL/java/UnlimitedJCEPolicyJDK${JAVA_MAJOR}/US_export_policy.jar -o $JAVA_HOME/jre/lib/security/US_export_policy.jar \
    && sed -i  's/#crypto.policy=unlimited/crypto.policy=unlimited/g' /usr/local/java/jre/lib/security/java.security \
    \
    \
    && curl -SL $BASE_URL/java/apache-tomcat-$TOMCAT_VERSION.tar.gz -o tomcat.tar.gz \
    && tar -zxvf tomcat.tar.gz --strip-components=1 -C $CATALINA_HOME/ \
    && rm -rf tomcat.tar.gz* bin/*.bat $CATALINA_HOME/webapps/* \
    && echo 'export PATH="$PATH:$JAVA_HOME/bin:$CATALINA_HOME/lib:$CATALINA_HOME/bin"' >> /etc/profile \
    {% else %}
    && curl -SL $BASE_URL/java/UnlimitedJCEPolicyJDK${JAVA_MAJOR}/local_policy.jar -o $JAVA_HOME/lib/security/local_policy.jar \
    && curl -SL $BASE_URL/java/UnlimitedJCEPolicyJDK${JAVA_MAJOR}/US_export_policy.jar -o $JAVA_HOME/lib/security/US_export_policy.jar \
    {% endif %}
    \
    && sed -i '/tomcat.util.scan.StandardJarScanFilter.jarsToSkip=/a bootstrap.jar,commons-daemon.jar,tomcat-juli.jar,bcprov-*.jar,\\' \
              $CATALINA_HOME/conf/catalina.properties \
    && sed -i -e 's/<Connector port="8080"/& URIEncoding="UTF-8" maxPostSize="-1"/g' \
              -e '/protocol="AJP\/1.3"/s/^/<!--/' -e '/protocol="AJP\/1.3"/s/$/-->/' \
              -e '/pattern="%/s/.*/\t\tpattern="%{x-forwarded-for}i %h %l %u %t \&quot;%r\&quot; %s %b %{X-traceId}i %D" \/>/' \
              -e '/<\/Host>/i \\t<Valve className="org.apache.catalina.valves.RemoteIpValve"\n\t\tremoteIpHeader="x-forwarded-for"\n\t\tproxiesHeader="x-forwarded-by"\n\t\tprotocolHeader="x-forwarded-proto"/>' \
              -e '/<\/Host>/i \\t<Resources cachingAllowed="false" cacheMaxSize="0"/>' \
                 $CATALINA_HOME/conf/server.xml \
    \
    {% if apm == 'yyy-probes' %}
    && sed -i '/main()/i set_apm(){\n\tif [[ "${yyy_enable}" != "" && "$(echo $yyy_enable | tr [a-z] [A-Z])" == "TRUE" ]]; \
            then\n\t\texport JAVA_OPTS="$JAVA_OPTS -Xbootclasspath/a:/usr/local/yyy-probes/boot/boot.jar -javaagent:/usr/local/yyy-probes/yonyou-yyy.jar"\n\tfi\n}' \
            /usr/local/bin/entrypoint.sh \
    {% endif %}
    # && curl -SL $BASE_URL/supervisord/tomcat.ini -o /etc/supervisor.d/tomcat.ini \
    && ln -sf /usr/local/bin/entrypoint.sh $CATALINA_HOME/bin/entrypoint.sh \
    && rm -rf $CATALINA_HOME/bin/*.bat $CATALINA_HOME/webapps/* \
    \
    && app_name=$(echo $BASE_IMAGE|cut -d':' -f1) \
    && user_ini="/etc/supervisor.user/${app_name}.ini.sh" \
    && printf '\
cat > /etc/supervisor.d/tomcat.ini <<EOF\n\
[program:tomcat] \n\
command=/bin/bash -c "$@" \n\
environment=JAVA_OPTS="$JAVA_OPTS",JAVA_HOME="$JAVA_HOME" \n\
directory = $WORKDIR \n\
priority=1 \n\
redirect_stderr=true \n\
EOF\n\
' > $user_ini \
    && chmod +x /etc/supervisor.user/*.sh \
    \
    \
    # for appupload
    {% if image.endswith('appupload') %}
    {% if arch == "x86_64" %}
    && curl -SL $BASE_URL/go/go1.10.1.linux-amd64.tar.gz -o $WORKDIR/go.tar.gz \
    {% elif arch == "aarch64" %}
    && curl -SL $BASE_URL/go/go1.10.1.linux-arm64.tar.gz -o $WORKDIR/go.tar.gz \
    {% endif %}
    && mkdir -p $MAVEN_HOME $GOPATH \
    && curl -SL $BASE_URL/java/maven.tar.gz -o $WORKDIR/maven.tar.gz \
    && npm config set registry https://registry.npm.taobao.org \
    && yarn global add pm2 verdaccio \
    && apk add --no-cache --virtual .fetch-deps libressl \
    && wget -O /etc/pip.conf $BASE_URL/python/pip.conf \
	&& wget -O get-pip.py $BASE_URL/python/get-pip.py \
	&& apk del .fetch-deps \
    && python get-pip.py \
		--disable-pip-version-check \
		--no-cache-dir \
		"pip==9.0.1" \
    && pip install --no-cache-dir chardet \
    && mkdir -p $MAVEN_HOME/local/repo \
    && chmod 755 -R $MAVEN_HOME \
	&& echo -e "StrictHostKeyChecking no\nUserKnownHostsFile /dev/null" >> /etc/ssh/ssh_config \
    && curl -SL $BASE_URL/java/appupload/jfxrt.jar -o $JRE_HOME/lib/ext/jfxrt.jar \
    && tar -zxvf maven.tar.gz --strip-components=1 -C $MAVEN_HOME/ \
    && tar -zxvf go.tar.gz --strip-components=1 -C $GOPATH/ \
    && rm -rf maven.tar.gz* go.tar.gz* \
    && curl -SL $BASE_URL/java/appupload/catalina.properties.appupload -o $CATALINA_HOME/conf/catalina.properties \
    && sed -i '/set_dns/a pm2 start verdaccio' /usr/local/bin/entrypoint.sh \
    {% endif %}
{% endblock custom_run %}

{# CMD #}
{% block custom_cmd %}
EXPOSE 8080

CMD ["catalina.sh", "run"]
{% endblock custom_cmd %}

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

{% extends "base_alpine.j2" %}

{# ENV 自定义环境变量 #}

{% block custom_env %}

{% if version and version.jdk %}

ENV JAVA_HOME="/usr/local/java" \

CATALINA_HOME="/usr/local/tomcat" \

TOMCAT_VERSION={{ version.tomcat }} \

JAVA_VERSION={{ version.jdk }} \

JAVA_MAJOR={{ version.jdk|string|list|first }}

ENV JRE_HOME="${JAVA_HOME}/jre" \

CLASSPATH="${JAVA_HOME}/lib/dt.jar:${JAVA_HOME}/lib/tools.jar" \

PATH="${PATH}:${JAVA_HOME}/bin:${CATALINA_HOME}/lib:${CATALINA_HOME}/bin"

{# ENV for appupload #}

{% if image.endswith('appupload') %}

ENV MAVEN_HOME=/usr/local/maven \

MAVEN_OPTS="-Dfile.encoding=UTF-8 -Xmx512m" \

GOPATH=/usr/local/go \

PATH="$PATH:$MAVEN_HOME/bin:$GOPATH/bin"

{% endif %}

{% else %}

ENV JAVA_MAJOR={{ version.jre }}

{% endif %}

ENV WORKDIR="/usr/local/tomcat"

{% endblock custom_env %}

{% block custom_pkg %}

ttf-dejavu \

fontconfig \

wqy-zenhei@edge wqy-zenhei \

{# PKG for appupload #}

{% if image.endswith('appupload') %}

subversion \

zip unzip \

python \

lftp \

pigz \

nodejs nodejs-npm \

axel \

yarn \

{% endif %}

{% endblock custom_pkg %}

{# RUN #}

{% block custom_run %}

{% if tag and tag == 'youyunyin' %}

{% set apm = 'yyy-probes' %}

{% else %}

{% set apm = 'pinpoint-agent' %}

{% endif %}

&& mkdir -p /etc/config/download/ /usr/local/{{ apm }} \

&& curl -SL $BASE_URL/java/java_options.sh -o /usr/local/bin/java_options.sh \

&& curl -SL $BASE_URL/java/arthas-boot.jar -o /usr/local/bin/arthas-boot.jar \

&& curl -SL $BASE_URL/java/mount_app_file_log.sh -o /usr/bin/mount_app_file_log.sh \

&& wget $BASE_URL/java/{{ apm }}.tar.gz \

&& tar -zxvf {{ apm }}.tar.gz --strip-components=1 -C /usr/local/{{ apm }} \

&& rm -rf {{ apm }}.tar.gz \

&& curl -SL $BASE_URL/java/etc/authfile.properties -o /etc/config/download/authfile.properties \

&& curl -SL $BASE_URL/java/etc/yhtauthfile.properties -o /etc/config/download/yhtauthfile.properties \

&& mkdir -p /usr/share/fonts/song \

&& cd /usr/share/fonts/song \

&& wget $BASE_URL/font/ncc/song/song.zip \

&& unzip song.zip && rm -f song.zip \

&& mkfontscale && mkfontdir && fc-cache && cd - \

&& mkdir -p /usr/share/fonts/MicrosoftYahei && cd /usr/share/fonts/MicrosoftYahei \

&& wget $BASE_URL/font/ncc/yahei/yahei.zip \

&& unzip yahei.zip && rm -f yahei.zip \

&& mkfontscale && mkfontdir && fc-cache && cd - \

{% if version and version.jdk %}

&& mkdir -p $JAVA_HOME \

&& curl -SL $BASE_URL/java/jdk-${JAVA_VERSION}-linux-{{ 'x64' if arch == "x86_64" else 'arm64-vfp-hflt' }}.tar.gz -o java.tar.gz \

&& tar -zxvf java.tar.gz --strip-components=1 -C $JAVA_HOME/ \

&& rm -rf $JAVA_HOME/*src.zip \

$JAVA_HOME/lib/missioncontrol \

$JAVA_HOME/lib/visualvm \

$JAVA_HOME/lib/*javafx* \

$JAVA_HOME/jre/lib/ext/jfxrt.jar \

$JAVA_HOME/jre/bin/javaws \

$JAVA_HOME/jre/lib/javaws.jar \

$JAVA_HOME/jre/lib/desktop \

$JAVA_HOME/jre/plugin \

$JAVA_HOME/jre/lib/deploy* \

$JAVA_HOME/jre/lib/*javafx* \

$JAVA_HOME/jre/lib/*jfx* \

&& rm -rf java.tar.gz* \

&& curl -SL $BASE_URL/java/UnlimitedJCEPolicyJDK${JAVA_MAJOR}/local_policy.jar -o $JAVA_HOME/jre/lib/security/local_policy.jar \

&& curl -SL $BASE_URL/java/UnlimitedJCEPolicyJDK${JAVA_MAJOR}/US_export_policy.jar -o $JAVA_HOME/jre/lib/security/US_export_policy.jar \

&& sed -i 's/#crypto.policy=unlimited/crypto.policy=unlimited/g' /usr/local/java/jre/lib/security/java.security \

&& curl -SL $BASE_URL/java/apache-tomcat-$TOMCAT_VERSION.tar.gz -o tomcat.tar.gz \

&& tar -zxvf tomcat.tar.gz --strip-components=1 -C $CATALINA_HOME/ \

&& rm -rf tomcat.tar.gz* bin/*.bat $CATALINA_HOME/webapps/* \

&& echo 'export PATH="$PATH:$JAVA_HOME/bin:$CATALINA_HOME/lib:$CATALINA_HOME/bin"' >> /etc/profile \

{% else %}

&& curl -SL $BASE_URL/java/UnlimitedJCEPolicyJDK${JAVA_MAJOR}/local_policy.jar -o $JAVA_HOME/lib/security/local_policy.jar \

&& curl -SL $BASE_URL/java/UnlimitedJCEPolicyJDK${JAVA_MAJOR}/US_export_policy.jar -o $JAVA_HOME/lib/security/US_export_policy.jar \

{% endif %}

&& sed -i '/tomcat.util.scan.StandardJarScanFilter.jarsToSkip=/a bootstrap.jar,commons-daemon.jar,tomcat-juli.jar,bcprov-*.jar,\\' \

$CATALINA_HOME/conf/catalina.properties \

&& sed -i -e 's/<Connector port="8080"/& URIEncoding="UTF-8" maxPostSize="-1"/g' \

-e '/protocol="AJP\/1.3"/s/^//' \

-e '/pattern="%/s/.*/\t\tpattern="%{x-forwarded-for}i %h %l %u %t \"%r\" %s %b %{X-traceId}i %D" \/>/' \

-e '/<\/Host>/i \\t<Valve className="org.apache.catalina.valves.RemoteIpValve"\n\t\tremoteIpHeader="x-forwarded-for"\n\t\tproxiesHeader="x-forwarded-by"\n\t\tprotocolHeader="x-forwarded-proto"/>' \

-e '/<\/Host>/i \\t<Resources cachingAllowed="false" cacheMaxSize="0"/>' \

$CATALINA_HOME/conf/server.xml \

{% if apm == 'yyy-probes' %}

&& sed -i '/main()/i set_apm(){\n\tif [[ "${yyy_enable}" != "" && "$(echo $yyy_enable | tr [a-z] [A-Z])" == "TRUE" ]]; \

then\n\t\texport JAVA_OPTS="$JAVA_OPTS -Xbootclasspath/a:/usr/local/yyy-probes/boot/boot.jar -javaagent:/usr/local/yyy-probes/yonyou-yyy.jar"\n\tfi\n}' \

/usr/local/bin/entrypoint.sh \

{% endif %}

# && curl -SL $BASE_URL/supervisord/tomcat.ini -o /etc/supervisor.d/tomcat.ini \

&& ln -sf /usr/local/bin/entrypoint.sh $CATALINA_HOME/bin/entrypoint.sh \

&& rm -rf $CATALINA_HOME/bin/*.bat $CATALINA_HOME/webapps/* \

&& app_name=$(echo $BASE_IMAGE|cut -d':' -f1) \

&& user_ini="/etc/supervisor.user/${app_name}.ini.sh" \

&& printf '\

cat > /etc/supervisor.d/tomcat.ini <<EOF\n\

[program:tomcat] \n\

command=/bin/bash -c "$@" \n\

environment=JAVA_OPTS="$JAVA_OPTS",JAVA_HOME="$JAVA_HOME" \n\

directory = $WORKDIR \n\

priority=1 \n\

redirect_stderr=true \n\

EOF\n\

' > $user_ini \

&& chmod +x /etc/supervisor.user/*.sh \

# for appupload

{% if image.endswith('appupload') %}

{% if arch == "x86_64" %}

&& curl -SL $BASE_URL/go/go1.10.1.linux-amd64.tar.gz -o $WORKDIR/go.tar.gz \

{% elif arch == "aarch64" %}

&& curl -SL $BASE_URL/go/go1.10.1.linux-arm64.tar.gz -o $WORKDIR/go.tar.gz \

{% endif %}

&& mkdir -p $MAVEN_HOME $GOPATH \

&& curl -SL $BASE_URL/java/maven.tar.gz -o $WORKDIR/maven.tar.gz \

&& npm config set registry https://registry.npm.taobao.org \

&& yarn global add pm2 verdaccio \

&& apk add --no-cache --virtual .fetch-deps libressl \

&& wget -O /etc/pip.conf $BASE_URL/python/pip.conf \

&& wget -O get-pip.py $BASE_URL/python/get-pip.py \

&& apk del .fetch-deps \

&& python get-pip.py \

--disable-pip-version-check \

--no-cache-dir \

"pip==9.0.1" \

&& pip install --no-cache-dir chardet \

&& mkdir -p $MAVEN_HOME/local/repo \

&& chmod 755 -R $MAVEN_HOME \

&& echo -e "StrictHostKeyChecking no\nUserKnownHostsFile /dev/null" >> /etc/ssh/ssh_config \

&& curl -SL $BASE_URL/java/appupload/jfxrt.jar -o $JRE_HOME/lib/ext/jfxrt.jar \

&& tar -zxvf maven.tar.gz --strip-components=1 -C $MAVEN_HOME/ \

&& tar -zxvf go.tar.gz --strip-components=1 -C $GOPATH/ \

&& rm -rf maven.tar.gz* go.tar.gz* \

&& curl -SL $BASE_URL/java/appupload/catalina.properties.appupload -o $CATALINA_HOME/conf/catalina.properties \

&& sed -i '/set_dns/a pm2 start verdaccio' /usr/local/bin/entrypoint.sh \

{% endif %}

{% endblock custom_run %}

{# CMD #}

{% block custom_cmd %}

EXPOSE 8080

CMD ["catalina.sh", "run"]

{% endblock custom_cmd %}

sftp-entrypoint.sh改了一下，把后面启动sshd的删除了，放到了supervisor管理，另外增加了传环境变量来支持进行多目录挂载，比如传： -e “SFTP=sftp:sftp:1001:100:/usr/local/tomcat,tomcat;/etc/supervisor.d,supervisor.d” 可以将/usr/local/tomcat挂载到/home/sftp/tomcat 也可将/etc/supervisor.d挂载到/home/sftp/supervisor.d

#!/bin/bash
set -e

# Paths
userConfPath="/etc/sftp/users.conf"
userConfPathLegacy="/etc/sftp-users.conf"
userConfFinalPath="/var/run/sftp/users.conf"

# Extended regular expression (ERE) for arguments
reUser='[A-Za-z0-9._][A-Za-z0-9._-]{0,31}' # POSIX.1-2008
rePass='[^:]{0,255}'
reUid='[[:digit:]]*'
reGid='[[:digit:]]*'
reDir='[^:]*'
reArgs="^($reUser)(:$rePass)(:e)?(:$reUid)?(:$reGid)?(:$reDir)?$"
reArgsMaybe="^[^:[:space:]]+:.*$" # Smallest indication of attempt to use argument
reArgSkip='^([[:blank:]]*#.*|[[:blank:]]*)$' # comment or empty line

function log() {
    echo "[entrypoint] $@"
}

function validateArg() {
    name="$1"
    val="$2"
    re="$3"

    if [[ "$val" =~ ^$re$ ]]; then
        return 0
    else
        log "ERROR: Invalid $name \"$val\", do not match required regex pattern: $re"
        return 1
    fi
}

function createUser() {
    log "Parsing user data: \"$@\""

    IFS=':' read -a args <<< $@
    index=0

    user="${args[0]}"; validateArg "username" "$user" "$reUser" || return 1
    pass="${args[1]}"; validateArg "password" "$pass" "$rePass" || return 1

    if [ "${args[2]}" == "e" ]; then
        chpasswdOptions="-e"
        index=1
    fi

    uid="${args[$[$index+2]]}"; validateArg "UID" "$uid" "$reUid" || return 1
    gid="${args[$[$index+3]]}"; validateArg "GID" "$gid" "$reGid" || return 1
    dir="${args[$[$index+4]]}"; validateArg "dirs" "$dir" "$reDir" || return 1

    if getent passwd $user > /dev/null; then
        log "WARNING: User \"$user\" already exists. Skipping."
        return 0
    fi

    useraddOptions="--no-user-group"

    if [ -n "$uid" ]; then
        useraddOptions="$useraddOptions --non-unique --uid $uid"
    fi

    if [ -n "$gid" ]; then
        if ! getent group $gid > /dev/null; then
            groupadd --gid $gid "group_$gid"
        fi

        useraddOptions="$useraddOptions --gid $gid"
    fi

    useradd $useraddOptions $user
    mkdir -p /home/$user
    chown root:root /home/$user
    chmod 755 /home/$user

    # Retrieving user id to use it in chown commands instead of the user name
    # to avoid problems on alpine when the user name contains a '.'
    uid="$(id -u $user)"

    if [ -n "$pass" ]; then
        echo "$user:$pass" | chpasswd $chpasswdOptions
    else
        usermod -p "*" $user # disabled password
    fi

    # Add SSH keys to authorized_keys with valid permissions
    if [ -d /home/$user/.ssh/keys ]; then
        cat /home/$user/.ssh/keys/* >> /home/$user/.ssh/authorized_keys
        chown $uid /home/$user/.ssh/authorized_keys
        chmod 600 /home/$user/.ssh/authorized_keys
    fi

    # Make sure dirs exists
    # format example: $CATALINA_HOME,tomcat;/etc,etc
    if [ -n "$dir" ]; then
        IFS=';' read -a dirArgs <<< $dir
        for dirPath in ${dirArgs[@]}; do
            resPath=$(echo $dirPath|cut -d',' -f1)
            desPath=$(echo $dirPath|cut -d',' -f2)
            if [ -z "$desPath" ]; then
                desPath=$resPath
            fi
            dirPath="/home/$user/$desPath"
            if [ ! -d "$dirPath" ]; then
                log "Creating directory: $dirPath"
                mkdir -p $dirPath
                chown -R $uid:users $dirPath
            else
                log "Directory already exists: $dirPath"
            fi
        done
    fi
}

# Allow running other programs, e.g. bash
if [[ -z "$1" || "$1" =~ $reArgsMaybe ]]; then
    startSshd=true
else
    startSshd=false
fi

# Backward compatibility with legacy config path
if [ ! -f "$userConfPath" -a -f "$userConfPathLegacy" ]; then
    mkdir -p "$(dirname $userConfPath)"
    ln -s "$userConfPathLegacy" "$userConfPath"
fi

# Create users only on first run
if [ ! -f "$userConfFinalPath" ]; then
    mkdir -p "$(dirname $userConfFinalPath)"

    # Append mounted config to final config
    if [ -f "$userConfPath" ]; then
        cat "$userConfPath" | grep -v -E "$reArgSkip" > "$userConfFinalPath"
    fi

    # Append users from STDIN to final config
    # DEPRECATED on 2017-10-08, DO NOT USE
    # TODO: Remove code after 6-12 months
    if [ ! -t 0 ]; then
        while IFS= read -r user || [[ -n "$user" ]]; do
            echo "$user" >> "$userConfFinalPath"
        done
    fi

    if $startSshd; then
        # Append users from arguments to final config
        for user in "$@"; do
            echo "$user" >> "$userConfFinalPath"
        done
    fi

    # Check that we have users in config
    if [[ -f "$userConfFinalPath" && "$(cat "$userConfFinalPath" | wc -l)" > 0 ]]; then
        # Import users from final conf file
        while IFS= read -r user || [[ -n "$user" ]]; do
            createUser "$user"
        done < "$userConfFinalPath"
    elif $startSshd; then
        log "FATAL: No users provided!"
        exit 3
    fi

    # Generate unique ssh keys for this container, if needed
    if [ ! -f /etc/ssh/ssh_host_ed25519_key ]; then
        ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N ''
    fi
    if [ ! -f /etc/ssh/ssh_host_rsa_key ]; then
        ssh-keygen -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -N ''
    fi
fi

# Source custom scripts, if any
if [ -d /etc/sftp.d ]; then
    for f in /etc/sftp.d/*; do
        if [ -x "$f" ]; then
            log "Running $f ..."
            $f
        fi
    done
    unset f
fi

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

#!/bin/bash

set -e

# Paths

userConfPath="/etc/sftp/users.conf"

userConfPathLegacy="/etc/sftp-users.conf"

userConfFinalPath="/var/run/sftp/users.conf"

# Extended regular expression (ERE) for arguments

reUser='[A-Za-z0-9._][A-Za-z0-9._-]{0,31}' # POSIX.1-2008

rePass='[^:]{0,255}'

reUid='[[:digit:]]*'

reGid='[[:digit:]]*'

reDir='[^:]*'

reArgs="^($reUser)(:$rePass)(:e)?(:$reUid)?(:$reGid)?(:$reDir)?$"

reArgsMaybe="^[^:[:space:]]+:.*$" # Smallest indication of attempt to use argument

reArgSkip='^([[:blank:]]*#.*|[[:blank:]]*)$' # comment or empty line

function log() {

echo "[entrypoint] $@"

}

function validateArg() {

name="$1"

val="$2"

re="$3"

if [[ "$val" =~ ^$re$ ]]; then

return 0

else

log "ERROR: Invalid $name \"$val\", do not match required regex pattern: $re"

return 1

}

function createUser() {

log "Parsing user data: \"$@\""

IFS=':' read -a args <<< $@

index=0

user="${args[0]}"; validateArg "username" "$user" "$reUser" || return 1

pass="${args[1]}"; validateArg "password" "$pass" "$rePass" || return 1

if [ "${args[2]}" == "e" ]; then

chpasswdOptions="-e"

index=1

uid="${args[$[$index+2]]}"; validateArg "UID" "$uid" "$reUid" || return 1

gid="${args[$[$index+3]]}"; validateArg "GID" "$gid" "$reGid" || return 1

dir="${args[$[$index+4]]}"; validateArg "dirs" "$dir" "$reDir" || return 1

if getent passwd $user > /dev/null; then

log "WARNING: User \"$user\" already exists. Skipping."

return 0

useraddOptions="--no-user-group"

if [ -n "$uid" ]; then

useraddOptions="$useraddOptions --non-unique --uid $uid"

if [ -n "$gid" ]; then

if ! getent group $gid > /dev/null; then

groupadd --gid $gid "group_$gid"

useraddOptions="$useraddOptions --gid $gid"

useradd $useraddOptions $user

mkdir -p /home/$user

chown root:root /home/$user

chmod 755 /home/$user

# Retrieving user id to use it in chown commands instead of the user name

# to avoid problems on alpine when the user name contains a '.'

uid="$(id -u $user)"

if [ -n "$pass" ]; then

echo "$user:$pass" | chpasswd $chpasswdOptions

else

usermod -p "*" $user # disabled password

# Add SSH keys to authorized_keys with valid permissions

if [ -d /home/$user/.ssh/keys ]; then

cat /home/$user/.ssh/keys/* >> /home/$user/.ssh/authorized_keys

chown $uid /home/$user/.ssh/authorized_keys

chmod 600 /home/$user/.ssh/authorized_keys

# Make sure dirs exists

# format example: $CATALINA_HOME,tomcat;/etc,etc

if [ -n "$dir" ]; then

IFS=';' read -a dirArgs <<< $dir

for dirPath in ${dirArgs[@]}; do

resPath=$(echo $dirPath|cut -d',' -f1)

desPath=$(echo $dirPath|cut -d',' -f2)

if [ -z "$desPath" ]; then

desPath=$resPath

dirPath="/home/$user/$desPath"

if [ ! -d "$dirPath" ]; then

log "Creating directory: $dirPath"

mkdir -p $dirPath

chown -R $uid:users $dirPath

else

log "Directory already exists: $dirPath"

done

}

# Allow running other programs, e.g. bash

if [[ -z "$1" || "$1" =~ $reArgsMaybe ]]; then

startSshd=true

else

startSshd=false

# Backward compatibility with legacy config path

if [ ! -f "$userConfPath" -a -f "$userConfPathLegacy" ]; then

mkdir -p "$(dirname $userConfPath)"

ln -s "$userConfPathLegacy" "$userConfPath"

# Create users only on first run

if [ ! -f "$userConfFinalPath" ]; then

mkdir -p "$(dirname $userConfFinalPath)"

# Append mounted config to final config

if [ -f "$userConfPath" ]; then

cat "$userConfPath" | grep -v -E "$reArgSkip" > "$userConfFinalPath"

# Append users from STDIN to final config

# DEPRECATED on 2017-10-08, DO NOT USE

# TODO: Remove code after 6-12 months

if [ ! -t 0 ]; then

while IFS= read -r user || [[ -n "$user" ]]; do

echo "$user" >> "$userConfFinalPath"

done

if $startSshd; then

# Append users from arguments to final config

for user in "$@"; do

echo "$user" >> "$userConfFinalPath"

done

# Check that we have users in config

if [[ -f "$userConfFinalPath" && "$(cat "$userConfFinalPath" | wc -l)" > 0 ]]; then

# Import users from final conf file

while IFS= read -r user || [[ -n "$user" ]]; do

createUser "$user"

done < "$userConfFinalPath"

elif $startSshd; then

log "FATAL: No users provided!"

exit 3

# Generate unique ssh keys for this container, if needed

if [ ! -f /etc/ssh/ssh_host_ed25519_key ]; then

ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N ''

if [ ! -f /etc/ssh/ssh_host_rsa_key ]; then

ssh-keygen -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -N ''

# Source custom scripts, if any

if [ -d /etc/sftp.d ]; then

for f in /etc/sftp.d/*; do

if [ -x "$f" ]; then

log "Running $f ..."

done

unset f

运行用户自定义的脚本bindmount.sh

#!/bin/bash
# File mounted as: /etc/sftp.d/bindmount.sh
# Just an example (make your own)

function bindmount() {
    user=$1
    resdir=$2
    desdir=$3
    # dest=/home/$user/$desdir
    if [ ! -d "$desdir" ]; then
        mkdir -p "$desdir"
    fi

    mount --bind $4 "$resdir" "$desdir"
    chown -R $user:users $resdir $desdir
}

# Remember permissions, you may have to fix them:

# bindmount /data/common /home/dave/common
# bindmount /data/common /home/peter/common
# bindmount /data/docs /home/peter/docs --read-only

# user=$(echo $SFTP | awk -F: '{print $1}')
# mountdir=$(echo $SFTP | awk -F: '{print $5}')
# #resdir=$CATALINA_HOME
# resdir=${dir:-/}
# desdir=${mountdir:-data}

# mount path which were given
# format example: SFTP="sftp:sftp:1001:100:$CATALINA_HOME,tomcat;/etc,etc"
user=$(echo $SFTP | awk -F: '{print $1}')
mountdir=$(echo $SFTP | awk -F: '{print $5}')

if [ -n "$mountdir" ]; then
    IFS=';' read -a dirArgs <<< $mountdir
    for dirPath in ${dirArgs[@]}; do
        resPath=$(echo $dirPath|cut -d',' -f1)
        desPath=$(echo $dirPath|cut -d',' -f2)
        if [ -z "$desPath" ]; then
            desPath=$resPath
        fi
        desPath="/home/$user/$desPath"
        if [ ! -d "$desPath" ]; then
            echo "Creating directory: $desPath"
            mkdir -p $desPath
            chown -R $uid:users $desPath
        else
            echo "Directory already exists: $dirPath"
        fi
        bindmount $user $resPath $desPath
    done
fi

#!/bin/bash

# File mounted as: /etc/sftp.d/bindmount.sh

# Just an example (make your own)

function bindmount() {

user=$1

resdir=$2

desdir=$3

# dest=/home/$user/$desdir

if [ ! -d "$desdir" ]; then

mkdir -p "$desdir"

mount --bind $4 "$resdir" "$desdir"

chown -R $user:users $resdir $desdir

}

# Remember permissions, you may have to fix them:

# bindmount /data/common /home/dave/common

# bindmount /data/common /home/peter/common

# bindmount /data/docs /home/peter/docs --read-only

# user=$(echo $SFTP | awk -F: '{print $1}')

# mountdir=$(echo $SFTP | awk -F: '{print $5}')

# #resdir=$CATALINA_HOME

# resdir=${dir:-/}

# desdir=${mountdir:-data}

# mount path which were given

# format example: SFTP="sftp:sftp:1001:100:$CATALINA_HOME,tomcat;/etc,etc"

user=$(echo $SFTP | awk -F: '{print $1}')

mountdir=$(echo $SFTP | awk -F: '{print $5}')

if [ -n "$mountdir" ]; then

IFS=';' read -a dirArgs <<< $mountdir

for dirPath in ${dirArgs[@]}; do

resPath=$(echo $dirPath|cut -d',' -f1)

desPath=$(echo $dirPath|cut -d',' -f2)

if [ -z "$desPath" ]; then

desPath=$resPath

desPath="/home/$user/$desPath"

if [ ! -d "$desPath" ]; then

echo "Creating directory: $desPath"

mkdir -p $desPath

chown -R $uid:users $desPath

else

echo "Directory already exists: $dirPath"

bindmount $user $resPath $desPath

done

总的entrypoint.sh：

#!/bin/sh

if [[ ! -z $MESOS_TASK_ID ]]; then
    AGENT_ID=$(echo "$MESOS_TASK_ID"|cut -d'.' -f 2|cut -d'-' -f 1,2,3) #mesos container
else
    AGENT_ID=$(echo "$LOG_INSTANCE_ID") #k8s container
fi
### 1. confcenter
confcenter(){
    /usr/local/src/confdownload/confcenterdownload
    if [[ $? -ne 0 ]];then
        echo -e "Download configuration file error!\n"
        exit 11
    fi
}

### 2. set log path
set_applog(){
    if [[ "X${xxxcloud_replace_path}" != "X" && "X${xxxucloud_replace_value}" != "X" ]]; then
        paths=(${xxxcloud_replace_path//;/ })
        values=(${xxxcloud_replace_value//;/ })
        for path in ${paths[@]}
        do
            if [[ -f "${path}" ]];then
                for value in ${values[@]}
                do
                   env_value=`eval echo '$'"${value}"`
                   if [[ ! -z "${env_value}" ]];then
                       replace_value="%$value%"
                       sed -i "s@${replace_value}@${env_value}@" $path
                   fi
                done
            fi
        done
    fi
    # 收集用户应用日志
    if [[ "X${developer_app_logs}" != "X" && "X${AGENT_ID}" != "X" ]]; then
       	arr=(${developer_app_logs//;/ })
        busiPath=${arr[2]}
        savePath="/developerMountData/log/datalog"
        logpath=${savePath}/${arr[0]}/${arr[1]}/$AGENT_ID
        # path统一为最后面没有/
        busiPath=${busiPath%/}
        mkdir -p $busiPath
        # 移除原来的日志文件夹
        mv "${busiPath}" "${busiPath}_$(date +'%Y%m%d%H%M%S.%N').bak"
        if [[ $? -eq 0 ]];then
            mkdir -p $logpath
            ln -sf $logpath $busiPath
        fi
    fi
}

#### 3. APM for java/tomcat
set_apm(){
    JAVA_OPTS="$JAVA_OPTS -Djava.security.egd=file:/dev/./urandom -Duser.timezone=GMT+08 -Ddefault.client.encoding=UTF-8 -Dfile.encoding=UTF-8 -Dsun.jnu.encoding=UTF8 -Duser.language=Zh"
    # ==enable pinpoint or not==
    if [[ "X${developer_apm_appId}" != "X" && "X${AGENT_ID}" != "X" ]]; then
        # strip spaces or tabs before or behind the string and cut to left 24 strings
        APPLICATION_NAME=$(echo "$developer_apm_appId" | awk 'gsub(/^ *| *$/,"")'  | cut -b -24)
        PINPOINT_COLLECTOR_IP=${PINPOINT_COLLECTOR_IP:-10.3.15.29}
        AGENT_ID_SHORT=$(echo "$AGENT_ID" | cut -b -24)
        APM_JAR="/usr/local/pinpoint-agent/pinpoint-bootstrap-1.7.4.jar"
        JAVA_OPTS="$JAVA_OPTS -javaagent:${APM_JAR} -Dpinpoint.agentId=${AGENT_ID_SHORT} -Dpinpoint.applicationName=${APPLICATION_NAME}"

        # configure pinpoint.config
        PINPOINT_CONFIG_FILE="/usr/local/pinpoint-agent/pinpoint.config"
        sed -i "s/profiler.collector.ip=127.0.0.1/profiler.collector.ip=${PINPOINT_COLLECTOR_IP}/g" ${PINPOINT_CONFIG_FILE}

        # Adjust pointpoint port.
        COLLECTOR_TCP_PORT=${PINPOINT_COLLECTOR_TCP_PORT:-9994}
        let COLLECTOR_STAT_PORT=${COLLECTOR_TCP_PORT}+1
        let COLLECTOR_SPAN_PORT=${COLLECTOR_TCP_PORT}+2
        sed -i "s/profiler.collector.tcp.port=.*/profiler.collector.tcp.port=${COLLECTOR_TCP_PORT}/g" ${PINPOINT_CONFIG_FILE}
        sed -i "s/profiler.collector.stat.port=.*/profiler.collector.stat.port=${COLLECTOR_STAT_PORT}/g" ${PINPOINT_CONFIG_FILE}
        sed -i "s/profiler.collector.span.port=.*/profiler.collector.span.port=${COLLECTOR_SPAN_PORT}/g" ${PINPOINT_CONFIG_FILE}

        # Configure log level for log4j
        PINPOINT_LOG_CONFIG_FILE="/usr/local/pinpoint-agent/lib/log4j.xml"
        PINPOINT_LOG_LEVEL=${PINPOINT_LOG_LEVEL:-ERROR}
        sed -i "s/ERROR/${PINPOINT_LOG_LEVEL}/g" ${PINPOINT_LOG_CONFIG_FILE}

        # profiler.sampling.rate：采样率（1/n，配置为2就是50%）
        [[ $SAMPLING_RATE =~ ^-?[0-9]+$ ]] && SAMPLING_RATE=${SAMPLING_RATE} || SAMPLING_RATE=20
        sed -i "s/profiler.sampling.rate=.*/profiler.sampling.rate=${SAMPLING_RATE}/g" ${PINPOINT_CONFIG_FILE}
        SAMPLING_RATE_PERCENT=`awk 'BEGIN{printf "%.2f%%\n",(1/'${SAMPLING_RATE}')*100}'`

        # RPC log sampling rate
        if [[ "X$SPAN_TRACE_RATIO" != "X" && $SPAN_TRACE_RATIO =~ ^-?[0-9]+$ ]]; then
            JAVA_OPTS="$JAVA_OPTS -Dspan.trace.ratio=$SPAN_TRACE_RATIO"
        else
            SPAN_TRACE_RATIO="100%"
        fi

        # Set Call Stack max depth（if -1 is unlimited and min is 2）
        [[ $CALLSTACK_MAX_DEPTH =~ ^-?[0-9]+$ ]] && CALLSTACK_MAX_DEPTH=${CALLSTACK_MAX_DEPTH} || CALLSTACK_MAX_DEPTH=64
        sed -i "s/profiler.callstack.max.depth=.*/profiler.callstack.max.depth=${CALLSTACK_MAX_DEPTH}/g" ${PINPOINT_CONFIG_FILE}

        # io.buffering.buffersize
        [[ $IO_BUFFERSIZE =~ ^-?[0-9]+$ ]] && IO_BUFFERSIZE=${IO_BUFFERSIZE} || IO_BUFFERSIZE=5
        sed -i "s/profiler.io.buffering.buffersize=.*/profiler.io.buffering.buffersize=${IO_BUFFERSIZE}/g" ${PINPOINT_CONFIG_FILE}


        # HTTPCLIENT4_SAMPLING_RATE
        [[ $HTTPCLIENT4_SAMPLING_RATE =~ ^-?[0-9]+$ ]] && HTTPCLIENT4_SAMPLING_RATE=${HTTPCLIENT4_SAMPLING_RATE} || HTTPCLIENT4_SAMPLING_RATE=1
        sed -i "s/profiler.apache.httpclient4.entity.sampling.rate=.*/profiler.apache.httpclient4.entity.sampling.rate=${HTTPCLIENT4_SAMPLING_RATE}/g" ${PINPOINT_CONFIG_FILE}
        HTTPCLIENT4_SAMPLING_RATE_PERCENT=`awk 'BEGIN{printf "%.2f%%\n",(1/'${HTTPCLIENT4_SAMPLING_RATE}')*100}'`

        echo "--------------------Pinpoint Enabled--------------------"
        echo "Pinpoint Application Name: $APPLICATION_NAME"
        echo "Pinpoint Agent Id:         $AGENT_ID"
        echo "Pinpoint Collector Ip:     $PINPOINT_COLLECTOR_IP  (can be overided by given ENV \$PINPOINT_COLLECTOR_IP)"
        echo "Pinpoint Log Level:        $PINPOINT_LOG_LEVEL     (can be overided by given ENV \$PINPOINT_LOG_LEVEL)"
        echo "Pinpoint Sampling.Rate:    $SAMPLING_RATE_PERCENT  (can be overided by given ENV \$SAMPLING_RATE, E.G.: set SAMPLING_RATE to 20, 1/n, then rate will be 5%)"
        echo "RPC log sampling rate:     $SPAN_TRACE_RATIO       (can be overided by given ENV \$SPAN_TRACE_RATIO, E.G.: set SAMPLING_RATE to 5, then rate will be 5%)"
        echo "Call Stack max depth:      $CALLSTACK_MAX_DEPTH    (can be overided by given ENV \$CALLSTACK_MAX_DEPTH, if -1 is unlimited and min is 2, default is 64)"
        echo "io.buffering.buffersize:   $IO_BUFFERSIZE          (can be overided by given ENV \$IO_BUFFERSIZE)"
        echo "httpclient4.entity.sampling.rate:$HTTPCLIENT4_SAMPLING_RATE_PERCENT (can be overided by given ENV \$HTTPCLIENT4_SAMPLING_RATE, 1 out of n entities will be sampled where n is the rate. (10: 10%))"
        echo "---------------------------------------------------------"
    fi
    export JAVA_OPTS="$JAVA_OPTS"
}

#### 4. set DNS servers
#### 传环境变量DNS_SERVER, 如果DNS_SERVER=default, 则用系统默认DNS; 如果DNS_SERVER为正确的IP,则设置为此IP; 如果不设,则用平台默认DNS
set_dns(){
    if [[ "X${DNS_SERVER}" != "X" ]]; then
        dns_lists=`echo $DNS_SERVER | sed "s/[\'\"]//g" | awk 'BEGIN{FS="[ ,;|]+"; OFS=" " } {for(i=1;i<=NF;i++){printf"%s ", $i}}'`
        #DNS_SERVER=DEFAULT, 则设置k8s默认cluster DNS
        if [[ "$(echo $dns_lists | awk 'gsub(/^ *| *$/,"")' | tr [a-z] [A-Z])" == "DEFAULT" ]]; then
            echo "using system default DNS server."
        #设置用户自定义DNS
        else
            for dns_ip in `echo $dns_lists`; do
                VALID_CHECK=$(echo $dns_ip|awk -F. '$1<=255&&$2<=255&&$3<=255&&$4<=255{print "yes"}')
                if echo $dns_ip|grep -E "^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$" >/dev/null; then
                    if [ $VALID_CHECK == "yes" ]; then
                        echo "Adding DNS server: $dns_lists"
                        echo "options timeout:1 attempts:1 rotate" > /etc/resolv.conf
                        echo "nameserver $dns_ip" >> /etc/resolv.conf
                    else
                        echo "$dns_ip wrong, please correct the DNS server IP: $dns_ip, using system default DNS now."
                        echo "using system default DNS server."
                        break
                    fi
                else
                    echo "$dns_ip wrong, please correct the DNS server IP: $dns_ip, using system default DNS now."
                    echo "using system default DNS server."
                    break
                fi
            done
        fi
    #设置平台默认DNS
    else
        echo "using system default DNS server."
    fi
}

#### 5. add hosts to /etc/hosts if needed
#### 传环境变量ADD_HOST, 格式:host:ip, 多个解析之间用逗号,分号,或竖线分隔
add_host(){
    if [[ "X${ADD_HOST}" != "X" ]]; then
        hosts_list=`echo $ADD_HOST | sed "s/[\'\"]//g" | awk 'BEGIN{FS="[ ,;|]+"; OFS=" " } {for(i=1;i<=NF;i++){printf"%s ", $i}}'`
        for one_host in `echo $hosts_list`; do
            echo "$(echo $one_host|awk -F: '{print $2,$1}')" >> /etc/hosts
        done
    fi
}

#### 6. run sftp if needed for debug
set_sftp(){
    # sftp function can be opened by given an env, for example: 
    # SFTP="sftp:sftp:1001:100:$CATALINA_HOME,tomcat;/etc/nginx,nginx"
    # which has the following means:
    # user: sftp, pass: sftp, pid: 1001, gid: 100
    # mounted dir1: $CATALINA_HOME, mount to: /home/$user/tomcat
    # mounted dir2: /etc/nginx, mount to: /home/$user/nginx
    if [[ "X${SFTP}" != "X" ]]; then
        sh /etc/supervisor.user/sftp.ini.sh
        sh /etc/supervisor.user/chmod.ini.sh
    fi
}

#### 7. final run
run_supervisor(){
    if [[ "X$@" != "X" ]]; then
        app_name=$(echo $BASE_IMAGE|cut -d':' -f1)
        user_ini="/etc/supervisor.user/${app_name}.ini.sh"
        if [[ "$@" == "bash" || "$@" == "sh" || "$@" == "fish" ]]; then
            exec "$@"
        elif [[ -f "$user_ini" ]]; then
            sh $user_ini "$@"
            supervisord --nodaemon --configuration /etc/supervisord.conf
        fi
    elif [[ -f "/etc/supervisor.d/sftp.ini" ]]; then
        supervisord --nodaemon --configuration /etc/supervisord.conf
    else
        echo "please give command to run the contaniner."
    fi
}

set_dns
confcenter
set_applog
if java -version >/dev/null 2>&1; then source /usr/local/bin/java_options.sh; set_apm; fi
add_host
set_sftp

run_supervisor "$@"

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

#!/bin/sh

if [[ ! -z $MESOS_TASK_ID ]]; then

AGENT_ID=$(echo "$MESOS_TASK_ID"|cut -d'.' -f 2|cut -d'-' -f 1,2,3) #mesos container

else

AGENT_ID=$(echo "$LOG_INSTANCE_ID") #k8s container

### 1. confcenter

confcenter(){

/usr/local/src/confdownload/confcenterdownload

if [[ $? -ne 0 ]];then

echo -e "Download configuration file error!\n"

exit 11

}

### 2. set log path

set_applog(){

if [[ "X${xxxcloud_replace_path}" != "X" && "X${xxxucloud_replace_value}" != "X" ]]; then

paths=(${xxxcloud_replace_path//;/ })

values=(${xxxcloud_replace_value//;/ })

for path in ${paths[@]}

if [[ -f "${path}" ]];then

for value in ${values[@]}

env_value=`eval echo '$'"${value}"`

if [[ ! -z "${env_value}" ]];then

replace_value="%$value%"

sed -i "s@${replace_value}@${env_value}@" $path

done

# 收集用户应用日志

if [[ "X${developer_app_logs}" != "X" && "X${AGENT_ID}" != "X" ]]; then

arr=(${developer_app_logs//;/ })

busiPath=${arr[2]}

savePath="/developerMountData/log/datalog"

logpath=${savePath}/${arr[0]}/${arr[1]}/$AGENT_ID

# path统一为最后面没有/

busiPath=${busiPath%/}

mkdir -p $busiPath

# 移除原来的日志文件夹

mv "${busiPath}" "${busiPath}_$(date +'%Y%m%d%H%M%S.%N').bak"

if [[ $? -eq 0 ]];then

mkdir -p $logpath

ln -sf $logpath $busiPath

}

#### 3. APM for java/tomcat

set_apm(){

JAVA_OPTS="$JAVA_OPTS -Djava.security.egd=file:/dev/./urandom -Duser.timezone=GMT+08 -Ddefault.client.encoding=UTF-8 -Dfile.encoding=UTF-8 -Dsun.jnu.encoding=UTF8 -Duser.language=Zh"

# ==enable pinpoint or not==

if [[ "X${developer_apm_appId}" != "X" && "X${AGENT_ID}" != "X" ]]; then

# strip spaces or tabs before or behind the string and cut to left 24 strings

APPLICATION_NAME=$(echo "$developer_apm_appId" | awk 'gsub(/^ *| *$/,"")' | cut -b -24)

PINPOINT_COLLECTOR_IP=${PINPOINT_COLLECTOR_IP:-10.3.15.29}

AGENT_ID_SHORT=$(echo "$AGENT_ID" | cut -b -24)

APM_JAR="/usr/local/pinpoint-agent/pinpoint-bootstrap-1.7.4.jar"

JAVA_OPTS="$JAVA_OPTS -javaagent:${APM_JAR} -Dpinpoint.agentId=${AGENT_ID_SHORT} -Dpinpoint.applicationName=${APPLICATION_NAME}"

# configure pinpoint.config

PINPOINT_CONFIG_FILE="/usr/local/pinpoint-agent/pinpoint.config"

sed -i "s/profiler.collector.ip=127.0.0.1/profiler.collector.ip=${PINPOINT_COLLECTOR_IP}/g" ${PINPOINT_CONFIG_FILE}

# Adjust pointpoint port.

COLLECTOR_TCP_PORT=${PINPOINT_COLLECTOR_TCP_PORT:-9994}

let COLLECTOR_STAT_PORT=${COLLECTOR_TCP_PORT}+1

let COLLECTOR_SPAN_PORT=${COLLECTOR_TCP_PORT}+2

sed -i "s/profiler.collector.tcp.port=.*/profiler.collector.tcp.port=${COLLECTOR_TCP_PORT}/g" ${PINPOINT_CONFIG_FILE}

sed -i "s/profiler.collector.stat.port=.*/profiler.collector.stat.port=${COLLECTOR_STAT_PORT}/g" ${PINPOINT_CONFIG_FILE}

sed -i "s/profiler.collector.span.port=.*/profiler.collector.span.port=${COLLECTOR_SPAN_PORT}/g" ${PINPOINT_CONFIG_FILE}

# Configure log level for log4j

PINPOINT_LOG_CONFIG_FILE="/usr/local/pinpoint-agent/lib/log4j.xml"

PINPOINT_LOG_LEVEL=${PINPOINT_LOG_LEVEL:-ERROR}

sed -i "s/ERROR/${PINPOINT_LOG_LEVEL}/g" ${PINPOINT_LOG_CONFIG_FILE}

# profiler.sampling.rate：采样率（1/n，配置为2就是50%）

[[ $SAMPLING_RATE =~ ^-?[0-9]+$ ]] && SAMPLING_RATE=${SAMPLING_RATE} || SAMPLING_RATE=20

sed -i "s/profiler.sampling.rate=.*/profiler.sampling.rate=${SAMPLING_RATE}/g" ${PINPOINT_CONFIG_FILE}

SAMPLING_RATE_PERCENT=`awk 'BEGIN{printf "%.2f%%\n",(1/'${SAMPLING_RATE}')*100}'`

# RPC log sampling rate

if [[ "X$SPAN_TRACE_RATIO" != "X" && $SPAN_TRACE_RATIO =~ ^-?[0-9]+$ ]]; then

JAVA_OPTS="$JAVA_OPTS -Dspan.trace.ratio=$SPAN_TRACE_RATIO"

else

SPAN_TRACE_RATIO="100%"

# Set Call Stack max depth（if -1 is unlimited and min is 2）

[[ $CALLSTACK_MAX_DEPTH =~ ^-?[0-9]+$ ]] && CALLSTACK_MAX_DEPTH=${CALLSTACK_MAX_DEPTH} || CALLSTACK_MAX_DEPTH=64

sed -i "s/profiler.callstack.max.depth=.*/profiler.callstack.max.depth=${CALLSTACK_MAX_DEPTH}/g" ${PINPOINT_CONFIG_FILE}

# io.buffering.buffersize

[[ $IO_BUFFERSIZE =~ ^-?[0-9]+$ ]] && IO_BUFFERSIZE=${IO_BUFFERSIZE} || IO_BUFFERSIZE=5

sed -i "s/profiler.io.buffering.buffersize=.*/profiler.io.buffering.buffersize=${IO_BUFFERSIZE}/g" ${PINPOINT_CONFIG_FILE}

# HTTPCLIENT4_SAMPLING_RATE

[[ $HTTPCLIENT4_SAMPLING_RATE =~ ^-?[0-9]+$ ]] && HTTPCLIENT4_SAMPLING_RATE=${HTTPCLIENT4_SAMPLING_RATE} || HTTPCLIENT4_SAMPLING_RATE=1

sed -i "s/profiler.apache.httpclient4.entity.sampling.rate=.*/profiler.apache.httpclient4.entity.sampling.rate=${HTTPCLIENT4_SAMPLING_RATE}/g" ${PINPOINT_CONFIG_FILE}

HTTPCLIENT4_SAMPLING_RATE_PERCENT=`awk 'BEGIN{printf "%.2f%%\n",(1/'${HTTPCLIENT4_SAMPLING_RATE}')*100}'`

echo "--------------------Pinpoint Enabled--------------------"

echo "Pinpoint Application Name: $APPLICATION_NAME"

echo "Pinpoint Agent Id: $AGENT_ID"

echo "Pinpoint Collector Ip: $PINPOINT_COLLECTOR_IP (can be overided by given ENV \$PINPOINT_COLLECTOR_IP)"

echo "Pinpoint Log Level: $PINPOINT_LOG_LEVEL (can be overided by given ENV \$PINPOINT_LOG_LEVEL)"

echo "Pinpoint Sampling.Rate: $SAMPLING_RATE_PERCENT (can be overided by given ENV \$SAMPLING_RATE, E.G.: set SAMPLING_RATE to 20, 1/n, then rate will be 5%)"

echo "RPC log sampling rate: $SPAN_TRACE_RATIO (can be overided by given ENV \$SPAN_TRACE_RATIO, E.G.: set SAMPLING_RATE to 5, then rate will be 5%)"

echo "Call Stack max depth: $CALLSTACK_MAX_DEPTH (can be overided by given ENV \$CALLSTACK_MAX_DEPTH, if -1 is unlimited and min is 2, default is 64)"

echo "io.buffering.buffersize: $IO_BUFFERSIZE (can be overided by given ENV \$IO_BUFFERSIZE)"

echo "httpclient4.entity.sampling.rate:$HTTPCLIENT4_SAMPLING_RATE_PERCENT (can be overided by given ENV \$HTTPCLIENT4_SAMPLING_RATE, 1 out of n entities will be sampled where n is the rate. (10: 10%))"

echo "---------------------------------------------------------"

export JAVA_OPTS="$JAVA_OPTS"

}

#### 4. set DNS servers

#### 传环境变量DNS_SERVER, 如果DNS_SERVER=default, 则用系统默认DNS; 如果DNS_SERVER为正确的IP,则设置为此IP; 如果不设,则用平台默认DNS

set_dns(){

if [[ "X${DNS_SERVER}" != "X" ]]; then

dns_lists=`echo $DNS_SERVER | sed "s/[\'\"]//g" | awk 'BEGIN{FS="[ ,;|]+"; OFS=" " } {for(i=1;i<=NF;i++){printf"%s ", $i}}'`

#DNS_SERVER=DEFAULT, 则设置k8s默认cluster DNS

if [[ "$(echo $dns_lists | awk 'gsub(/^ *| *$/,"")' | tr [a-z] [A-Z])" == "DEFAULT" ]]; then

echo "using system default DNS server."

#设置用户自定义DNS

else

for dns_ip in `echo $dns_lists`; do

VALID_CHECK=$(echo $dns_ip|awk -F. '$1<=255&&$2<=255&&$3<=255&&$4<=255{print "yes"}')

if echo $dns_ip|grep -E "^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$" >/dev/null; then

if [ $VALID_CHECK == "yes" ]; then

echo "Adding DNS server: $dns_lists"

echo "options timeout:1 attempts:1 rotate" > /etc/resolv.conf

echo "nameserver $dns_ip" >> /etc/resolv.conf

else

echo "$dns_ip wrong, please correct the DNS server IP: $dns_ip, using system default DNS now."

echo "using system default DNS server."

break

else

echo "$dns_ip wrong, please correct the DNS server IP: $dns_ip, using system default DNS now."

echo "using system default DNS server."

break

done

#设置平台默认DNS

else

echo "using system default DNS server."

}

#### 5. add hosts to /etc/hosts if needed

#### 传环境变量ADD_HOST, 格式:host:ip, 多个解析之间用逗号,分号,或竖线分隔

add_host(){

if [[ "X${ADD_HOST}" != "X" ]]; then

hosts_list=`echo $ADD_HOST | sed "s/[\'\"]//g" | awk 'BEGIN{FS="[ ,;|]+"; OFS=" " } {for(i=1;i<=NF;i++){printf"%s ", $i}}'`

for one_host in `echo $hosts_list`; do

echo "$(echo $one_host|awk -F: '{print $2,$1}')" >> /etc/hosts

done

}

#### 6. run sftp if needed for debug

set_sftp(){

# sftp function can be opened by given an env, for example:

# SFTP="sftp:sftp:1001:100:$CATALINA_HOME,tomcat;/etc/nginx,nginx"

# which has the following means:

# user: sftp, pass: sftp, pid: 1001, gid: 100

# mounted dir1: $CATALINA_HOME, mount to: /home/$user/tomcat

# mounted dir2: /etc/nginx, mount to: /home/$user/nginx

if [[ "X${SFTP}" != "X" ]]; then

sh /etc/supervisor.user/sftp.ini.sh

sh /etc/supervisor.user/chmod.ini.sh

}

#### 7. final run

run_supervisor(){

if [[ "X$@" != "X" ]]; then

app_name=$(echo $BASE_IMAGE|cut -d':' -f1)

user_ini="/etc/supervisor.user/${app_name}.ini.sh"

if [[ "$@" == "bash" || "$@" == "sh" || "$@" == "fish" ]]; then

exec "$@"

elif [[ -f "$user_ini" ]]; then

sh $user_ini "$@"

supervisord --nodaemon --configuration /etc/supervisord.conf

elif [[ -f "/etc/supervisor.d/sftp.ini" ]]; then

supervisord --nodaemon --configuration /etc/supervisord.conf

else

echo "please give command to run the contaniner."

}

set_dns

confcenter

set_applog

if java -version >/dev/null 2>&1; then source /usr/local/bin/java_options.sh; set_apm; fi

add_host

set_sftp

run_supervisor "$@"

总构建脚本build.py:

#!/usr/bin/python
# -*- coding: utf-8 -*-
#import commands

import jinja2
import yaml
import sys
import os
import re
#import traceback
import socket
import subprocess
import time
import json
import argparse

import logging

mdhms=time.strftime('%m-%d-%H-%M',time.localtime(time.time()))
logdir='./log'
if not os.path.exists(logdir):
    os.makedirs(logdir)
logfile=os.path.join(logdir, 'build_'+mdhms+'.log')
logfile_latest=os.path.join(logdir, 'latest.log')

logger = logging.getLogger(__name__)
logger.setLevel(logging.DEBUG)
BASIC_FORMAT = "%(asctime)s - %(levelname)s - %(message)s"
DATE_FORMAT = '%m/%d/%Y %H:%M:%S'
formatter = logging.Formatter(BASIC_FORMAT, DATE_FORMAT)
# StreamHandler
stream_handler = logging.StreamHandler()
stream_handler.setFormatter(formatter)
# stream_handler.setLevel(logging.INFO)
# FileHandler
file_handler = logging.FileHandler(logfile) 
file_handler.setFormatter(formatter)
file_handler.setLevel(logging.INFO)

logger.addHandler(stream_handler)
logger.addHandler(file_handler)

if os.path.exists('/root/.python_env/lib/python2.7/site-packages/'):
    sys.path.insert(0, "/root/.python_env/lib/python2.7/site-packages/")
try:
    import docker
except:
    print ("installing docker-py module, please wait a second...")
    sys.stdout.flush()
    os.system("pip install docker")
    import docker
    
# reload(sys)
# sys.setdefaultencoding('utf8')
current_dir = os.getcwd()
download_dir = os.path.join(current_dir,'download')
download_http_port = "8899"
dockerfile_dir = os.path.join(current_dir, 'dockerfile')
if not os.path.exists(dockerfile_dir):
    os.makedirs(dockerfile_dir)

#docker_client = docker.APIClient(base_url='unix://var/run/docker.sock',version='auto',timeout=5)
#docker_client = docker.from_env()

def get_host_ip():
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        s.connect(('8.8.8.8', 80))
        ip = s.getsockname()[0]
    finally:
        s.close()

    return ip

def start_download_http_server():
    check_http_process="ps -efa|grep SimpleHTTPServerWithUpload.py|grep -v grep"
    check_http_port="netstat -antp | grep %s | grep LISTEN >/dev/null 2>&1" % (download_http_port)
    start_server="nohup python SimpleHTTPServerWithUpload.py %s > /dev/null 2>&1 &" % (download_http_port)
    http_process = subprocess.call(check_http_process, shell=True)
    http_port = subprocess.call(check_http_port, shell=True)

    if http_process != 0 and http_port != 0:
        os.chdir(download_dir)
        subprocess.call(start_server, shell=True)
        os.chdir(current_dir)


def stop_download_http_server():
    kill_http_server = "kill -9 `ps -efa|grep SimpleHTTPServerWithUpload.py|grep -v grep|awk '{print $2}'`"
    subprocess.call(kill_http_server, shell=True)


def render_dockerfile(item):
    dockerfile = os.path.join(dockerfile_dir, 'Dockerfile.' + item['arch'] + '-' + item['image'].replace(':', '-'))
    profile = template_env.get_template(item['template'])
    content = profile.render(item)
    with open(dockerfile, 'w') as fp:
        fp.write(content)
    return dockerfile

class Docker_Client():
    def __init__(self):
        # self.client = docker.DockerClient(version='auto', base_url='unix://var/run/docker.sock')
        self.client = docker.APIClient(version='auto', **docker.utils.kwargs_from_env())
        #self.username = username
        #self.password = password

    def build_image(self, path, dockerfile, image, nocache=True, network_mode="host", memory_limit="3MB", buildargs=""):
        limits = {
            # Always disable memory swap for building, since mostly
            # nothing good can come of that.
            'memswap': -1
        }
        if memory_limit:
            limits['memory'] = memory_limit
        #client = docker.APIClient(version='auto', **docker.utils.kwargs_from_env())
        logger.info("--> Building %s" % image)
        try:
            build = self.client.build(
                    path=path,
                    dockerfile=dockerfile,
                    tag=image,
                    buildargs=buildargs,
                    decode=True,
                    forcerm=True,
                    container_limits=limits,
                    nocache=nocache,
                    network_mode=network_mode,
                    encoding="utf-8"
            )
            for line in build:
                logger.debug([line['stream'] if 'stream' in line else line][0])
        except Exception as e:
            logger.error("build %s failed: %s" % (image, e), exc_info=True)
            sys.exit(1)

    def push_image(self, image, full_image, registry, username="admin", password="Harbor12345"):
        # tag image
        logger.info("--> tag %s to %s" % (image, full_image))
        self.client.tag(image, full_image, force=True)

        try:
            # login registry
            self.client.login(username=username, password=password, email=None, registry=registry)

            # Build a progress setup for each layer, and only emit per-layer
            # info every 1.5s
            # layers = {}
            last_emit_time = time.time()
            for line in self.client.push(full_image, stream=True, decode=True):
                # progress = json.loads(line.decode('utf-8'))
                # # print '-'*5, progress
                # if 'error' in progress:
                #     logger.error(progress['error'], extra=dict(phase='failed'))
                #     sys.exit(1)
                # if 'id' not in progress:
                #     continue
                # if 'progressDetail' in progress and progress['progressDetail']:
                #     layers[progress['id']] = progress['progressDetail']
                # else:
                #     layers[progress['id']] = progress['status']
                # logger.debug('pushing %s' % layers)
                # if time.time() - last_emit_time > 1.5:
                #     print 'pushing %s' % layers
                #     last_emit_time = time.time()
                if time.time() - last_emit_time > 1.5:
                    logger.debug(line)
                    last_emit_time = time.time()
            logger.info('--> Pushed %s ' % full_image)
        except Exception as e:
            logger.error("push_image %s failed: %s" % (full_image, e), exc_info=True)
            sys.exit(1)


if __name__ == '__main__':
    try:
        parser = argparse.ArgumentParser(description = 'build')
        parser.add_argument ('--config', default = "./config/config.yml", type=str, help = 'please input config file.')
        parser.add_argument ('--enable-http-server', default = "true", type=str, help = 'auto start a http server for image build resources. default true')
        global args
        args = parser.parse_args()

        if args.enable_http_server == "true":
            start_download_http_server()
        template_loader = jinja2.FileSystemLoader(searchpath="./templates")
        template_env = jinja2.Environment(loader=template_loader)
        template_env.trim_blocks = True

        config_file = open(args.config)
        data_config = {}
        data_config.update(yaml.safe_load(config_file))

        download_http_ip = get_host_ip()
        base_url = 'http://' + download_http_ip + ':' + download_http_port

        data = {}
        data.update(data_config)
        docker_client = Docker_Client()
        for item in data['images']:
            item['base_url'] = base_url
            image = item['image']
            # image_tag = image.split(':')[1]
            dockerfile = render_dockerfile(item)
            logger.info('-'*20 + image + '-'*20)
            docker_client.build_image(dockerfile_dir, dockerfile, image)
            for registry in data['registry']:
                host = registry['host']
                username = registry['username']
                password = registry['password']
                repository = registry['repository']
                full_image = os.path.join(host, repository, image)
                docker_client.push_image(image, full_image, host, username, password)
            logger.info('-'*60 + '\n\n')
            #print("build image: " + full_image)
            #sys.stdout.flush()
            # if os.system("docker build --network=host -f %s %s -t %s" % (dockerfile, dockerfile_dir, target_image)) != 0:
            #     print("image %s build failed." % (full_image))
            #     sys.stdout.flush()
            #     sys.exit(1)
            # os.system("docker tag %s %s" % (target_image, full_image))
            # os.system("docker login %s --username %s --password %s" % (data['registry']['host'], data['registry']['username'], data['registry']['password']))
            # if os.system("docker push %s" % (full_image)) != 0:
            #     print("image %s push failed." % (full_image))
            #     sys.stdout.flush()
            #     sys.exit(1)
        os.system("ln -sf %s %s" % (os.path.abspath(logfile), os.path.abspath(logfile_latest)))
        if args.enable_http_server == "true":
            stop_download_http_server()
    except Exception as e:
        logger.error('Faild Info: %s' % e, exc_info=True)
        if args.enable_http_server == "true":
            stop_download_http_server()
        sys.exit(1)

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

217

218

219

220

221

222

223

224

225

226

227

228

229

230

231

232

233

#!/usr/bin/python

# -*- coding: utf-8 -*-

#import commands

import jinja2

import yaml

import sys

import os

import re

#import traceback

import socket

import subprocess

import time

import json

import argparse

import logging

mdhms=time.strftime('%m-%d-%H-%M',time.localtime(time.time()))

logdir='./log'

if not os.path.exists(logdir):

os.makedirs(logdir)

logfile=os.path.join(logdir, 'build_'+mdhms+'.log')

logfile_latest=os.path.join(logdir, 'latest.log')

logger = logging.getLogger(__name__)

logger.setLevel(logging.DEBUG)

BASIC_FORMAT = "%(asctime)s - %(levelname)s - %(message)s"

DATE_FORMAT = '%m/%d/%Y %H:%M:%S'

formatter = logging.Formatter(BASIC_FORMAT, DATE_FORMAT)

# StreamHandler

stream_handler = logging.StreamHandler()

stream_handler.setFormatter(formatter)

# stream_handler.setLevel(logging.INFO)

# FileHandler

file_handler = logging.FileHandler(logfile)

file_handler.setFormatter(formatter)

file_handler.setLevel(logging.INFO)

logger.addHandler(stream_handler)

logger.addHandler(file_handler)

if os.path.exists('/root/.python_env/lib/python2.7/site-packages/'):

sys.path.insert(0, "/root/.python_env/lib/python2.7/site-packages/")

try:

import docker

except:

print ("installing docker-py module, please wait a second...")

sys.stdout.flush()

os.system("pip install docker")

import docker

# reload(sys)

# sys.setdefaultencoding('utf8')

current_dir = os.getcwd()

download_dir = os.path.join(current_dir,'download')

download_http_port = "8899"

dockerfile_dir = os.path.join(current_dir, 'dockerfile')

if not os.path.exists(dockerfile_dir):

os.makedirs(dockerfile_dir)

#docker_client = docker.APIClient(base_url='unix://var/run/docker.sock',version='auto',timeout=5)

#docker_client = docker.from_env()

def get_host_ip():

try:

s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)

s.connect(('8.8.8.8', 80))

ip = s.getsockname()[0]

finally:

s.close()

return ip

def start_download_http_server():

check_http_process="ps -efa|grep SimpleHTTPServerWithUpload.py|grep -v grep"

check_http_port="netstat -antp | grep %s | grep LISTEN >/dev/null 2>&1" % (download_http_port)

start_server="nohup python SimpleHTTPServerWithUpload.py %s > /dev/null 2>&1 &" % (download_http_port)

http_process = subprocess.call(check_http_process, shell=True)

http_port = subprocess.call(check_http_port, shell=True)

if http_process != 0 and http_port != 0:

os.chdir(download_dir)

subprocess.call(start_server, shell=True)

os.chdir(current_dir)

def stop_download_http_server():

kill_http_server = "kill -9 `ps -efa|grep SimpleHTTPServerWithUpload.py|grep -v grep|awk '{print $2}'`"

subprocess.call(kill_http_server, shell=True)

def render_dockerfile(item):

dockerfile = os.path.join(dockerfile_dir, 'Dockerfile.' + item['arch'] + '-' + item['image'].replace(':', '-'))

profile = template_env.get_template(item['template'])

content = profile.render(item)

with open(dockerfile, 'w') as fp:

fp.write(content)

return dockerfile

class Docker_Client():

def __init__(self):

# self.client = docker.DockerClient(version='auto', base_url='unix://var/run/docker.sock')

self.client = docker.APIClient(version='auto', **docker.utils.kwargs_from_env())

#self.username = username

#self.password = password

def build_image(self, path, dockerfile, image, nocache=True, network_mode="host", memory_limit="3MB", buildargs=""):

limits = {

# Always disable memory swap for building, since mostly

# nothing good can come of that.

'memswap': -1

}

if memory_limit:

limits['memory'] = memory_limit

#client = docker.APIClient(version='auto', **docker.utils.kwargs_from_env())

logger.info("--> Building %s" % image)

try:

build = self.client.build(

path=path,

dockerfile=dockerfile,

tag=image,

buildargs=buildargs,

decode=True,

forcerm=True,

container_limits=limits,

nocache=nocache,

network_mode=network_mode,

encoding="utf-8"

)

for line in build:

logger.debug([line['stream'] if 'stream' in line else line][0])

except Exception as e:

logger.error("build %s failed: %s" % (image, e), exc_info=True)

sys.exit(1)

def push_image(self, image, full_image, registry, username="admin", password="Harbor12345"):

# tag image

logger.info("--> tag %s to %s" % (image, full_image))

self.client.tag(image, full_image, force=True)

try:

# login registry

self.client.login(username=username, password=password, email=None, registry=registry)

# Build a progress setup for each layer, and only emit per-layer

# info every 1.5s

# layers = {}

last_emit_time = time.time()

for line in self.client.push(full_image, stream=True, decode=True):

# progress = json.loads(line.decode('utf-8'))

# # print '-'*5, progress

# if 'error' in progress:

# logger.error(progress['error'], extra=dict(phase='failed'))

# sys.exit(1)

# if 'id' not in progress:

# continue

# if 'progressDetail' in progress and progress['progressDetail']:

# layers[progress['id']] = progress['progressDetail']

# else:

# layers[progress['id']] = progress['status']

# logger.debug('pushing %s' % layers)

# if time.time() - last_emit_time > 1.5:

# print 'pushing %s' % layers

# last_emit_time = time.time()

if time.time() - last_emit_time > 1.5:

logger.debug(line)

last_emit_time = time.time()

logger.info('--> Pushed %s ' % full_image)

except Exception as e:

logger.error("push_image %s failed: %s" % (full_image, e), exc_info=True)

sys.exit(1)

if __name__ == '__main__':

try:

parser = argparse.ArgumentParser(description = 'build')

parser.add_argument ('--config', default = "./config/config.yml", type=str, help = 'please input config file.')

parser.add_argument ('--enable-http-server', default = "true", type=str, help = 'auto start a http server for image build resources. default true')

global args

args = parser.parse_args()

if args.enable_http_server == "true":

start_download_http_server()

template_loader = jinja2.FileSystemLoader(searchpath="./templates")

template_env = jinja2.Environment(loader=template_loader)

template_env.trim_blocks = True

config_file = open(args.config)

data_config = {}

data_config.update(yaml.safe_load(config_file))

download_http_ip = get_host_ip()

base_url = 'http://' + download_http_ip + ':' + download_http_port

data = {}

data.update(data_config)

docker_client = Docker_Client()

for item in data['images']:

item['base_url'] = base_url

image = item['image']

# image_tag = image.split(':')[1]

dockerfile = render_dockerfile(item)

logger.info('-'*20 + image + '-'*20)

docker_client.build_image(dockerfile_dir, dockerfile, image)

for registry in data['registry']:

host = registry['host']

username = registry['username']

password = registry['password']

repository = registry['repository']

full_image = os.path.join(host, repository, image)

docker_client.push_image(image, full_image, host, username, password)

logger.info('-'*60 + '\n\n')

#print("build image: " + full_image)

#sys.stdout.flush()

# if os.system("docker build --network=host -f %s %s -t %s" % (dockerfile, dockerfile_dir, target_image)) != 0:

# print("image %s build failed." % (full_image))

# sys.stdout.flush()

# sys.exit(1)

# os.system("docker tag %s %s" % (target_image, full_image))

# os.system("docker login %s --username %s --password %s" % (data['registry']['host'], data['registry']['username'], data['registry']['password']))

# if os.system("docker push %s" % (full_image)) != 0:

# print("image %s push failed." % (full_image))

# sys.stdout.flush()

# sys.exit(1)

os.system("ln -sf %s %s" % (os.path.abspath(logfile), os.path.abspath(logfile_latest)))

if args.enable_http_server == "true":

stop_download_http_server()

except Exception as e:

logger.error('Faild Info: %s' % e, exc_info=True)

if args.enable_http_server == "true":

stop_download_http_server()

sys.exit(1)

后期可以基于base-alpine.j2来灵活定制，如nginx.j2模板

{% extends "base_alpine.j2" %}

{% block custom_pkg %}
{% if image.startswith('nginx-node') %}
    nodejs \
    nodejs-npm  \
    python \
    python-dev \
    python3 \
    python3-dev \
    gcc g++ \
    yarn \
{% endif %}
{% endblock custom_pkg %}

{% block custom_run %}
    {% if image.startswith('nginx-node') %}
    && npm config set registry https://registry.npm.taobao.org   \
    && yarn config set ignore-engines true \
    && yarn global add ynpm-tool@3.1.3 cnpm nrm \
    {% endif %}
    && rm -f /var/log/nginx/* \
    && app_name=$(echo $BASE_IMAGE|cut -d':' -f1) \
    && user_ini="/etc/supervisor.user/${app_name}.ini.sh" \
    && printf '\
cat > /etc/supervisor.d/nginx.ini <<EOF\n\
[program:nginx] \n\
command=/bin/bash -c "$@" \n\
EOF\n\
' > $user_ini \
  && chmod +x /etc/supervisor.user/*.sh \
{% endblock custom_run %}

{% block custom_cmd %}
EXPOSE 80

CMD ["nginx", "-g", "'daemon off;'"]
{% endblock custom_cmd %}

{% extends "base_alpine.j2" %}

{% block custom_pkg %}

{% if image.startswith('nginx-node') %}

nodejs \

nodejs-npm \

python \

python-dev \

python3 \

python3-dev \

gcc g++ \

yarn \

{% endif %}

{% endblock custom_pkg %}

{% block custom_run %}

{% if image.startswith('nginx-node') %}

&& npm config set registry https://registry.npm.taobao.org \

&& yarn config set ignore-engines true \

&& yarn global add ynpm-tool@3.1.3 cnpm nrm \

{% endif %}

&& rm -f /var/log/nginx/* \

&& app_name=$(echo $BASE_IMAGE|cut -d':' -f1) \

&& user_ini="/etc/supervisor.user/${app_name}.ini.sh" \

&& printf '\

cat > /etc/supervisor.d/nginx.ini <<EOF\n\

[program:nginx] \n\

command=/bin/bash -c "$@" \n\

EOF\n\

' > $user_ini \

&& chmod +x /etc/supervisor.user/*.sh \

{% endblock custom_run %}

{% block custom_cmd %}

EXPOSE 80

CMD ["nginx", "-g", "'daemon off;'"]

{% endblock custom_cmd %}

node.j2:

{% extends "base_alpine.j2" %}

{# 自定义环境变量 #}
{% block custom_env %}
{% if sftp %}
ENV SFTP="{{ sftp }}"
{% endif %}
{% endblock custom_env %}

{% block custom_pkg %}
        yarn \
{% endblock custom_pkg %}

{% block custom_run %}
    {% if arch == "x86_64" %}
    && [[ !-d "/lib64" ]] && mkdir /lib64 || true \
    && ln -sf /lib/libc.musl-x86_64.so.1 /lib64/ld-linux-x86-64.so.2 \
    {% endif %}
    && npm config set unsafe-perm true \
    && npm config set registry https://registry.npm.taobao.org \
    && yarn config set ignore-engines true \
    && yarn global add ynpm-tool@3.1.3 cnpm nrm pm2 \
    \
    && app_name=$(echo $BASE_IMAGE|cut -d':' -f1) \
    && user_ini="/etc/supervisor.user/${app_name}.ini.sh" \
    && printf '\
cat > /etc/supervisor.d/node.ini <<EOF\n\
[program:node] \n\
command=/bin/bash -c "$@" \n\
EOF\n\
' > $user_ini \
  && chmod +x /etc/supervisor.user/*.sh \
{% endblock custom_run %}

{% block custom_cmd %}

CMD [ "node" ]
{% endblock custom_cmd %}

{% extends "base_alpine.j2" %}

{# 自定义环境变量 #}

{% block custom_env %}

{% if sftp %}

ENV SFTP="{{ sftp }}"

{% endif %}

{% endblock custom_env %}

{% block custom_pkg %}

yarn \

{% endblock custom_pkg %}

{% block custom_run %}

{% if arch == "x86_64" %}

&& [[ !-d "/lib64" ]] && mkdir /lib64 || true \

&& ln -sf /lib/libc.musl-x86_64.so.1 /lib64/ld-linux-x86-64.so.2 \

{% endif %}

&& npm config set unsafe-perm true \

&& npm config set registry https://registry.npm.taobao.org \

&& yarn config set ignore-engines true \

&& yarn global add ynpm-tool@3.1.3 cnpm nrm pm2 \

&& app_name=$(echo $BASE_IMAGE|cut -d':' -f1) \

&& user_ini="/etc/supervisor.user/${app_name}.ini.sh" \

&& printf '\

cat > /etc/supervisor.d/node.ini <<EOF\n\

[program:node] \n\

command=/bin/bash -c "$@" \n\

EOF\n\

' > $user_ini \

&& chmod +x /etc/supervisor.user/*.sh \

{% endblock custom_run %}

{% block custom_cmd %}

CMD [ "node" ]

{% endblock custom_cmd %}

最后执行命令构建：python Read more…

By sean, 5 years05/14/2020 ago

未分类

在arm64机器上快速搭建openvpn

由于测试需要直接通过内网上华为云测试，需要搭建vpn进行访问，在arm64机器上搭建方法如下：下载openvpn aarch64架构的rpm包：

wget https://cbs.centos.org/kojifiles/packages/openvpn/2.4.1/2.el7/aarch64/openvpn-2.4.1-2.el7.aarch64.rpm

1	wget https://cbs.centos.org/kojifiles/packages/openvpn/2.4.1/2.el7/aarch64/openvpn-2.4.1-2.el7.aarch64.rpm

yum安装时会报pkcs11找不着，所以下载此包：

wget https://download-ib01.fedoraproject.org/pub/epel/7/aarch64/Packages/p/pkcs11-helper-1.11-3.el7.aarch64.rpm

1	wget https://download-ib01.fedoraproject.org/pub/epel/7/aarch64/Packages/p/pkcs11-helper-1.11-3.el7.aarch64.rpm

安装：

yum install pkcs11-helper-1.11-3.el7.aarch64.rpm openvpn-2.4.1-2.el7.aarch64.rpm

1	yum install pkcs11-helper-1.11-3.el7.aarch64.rpm openvpn-2.4.1-2.el7.aarch64.rpm

下载一键配置脚本：

curl -O https://raw.githubusercontent.com/angristan/openvpn-install/master/openvpn-install.sh

1	curl -O https://raw.githubusercontent.com/angristan/openvpn-install/master/openvpn-install.sh

在运行脚本之前，需要先创建目录：

mkdir /etc/openvpn/
sh openvpn-install.sh

1 2	mkdir /etc/openvpn/ sh openvpn-install.sh

server.conf配置：

duplicate-cn # 如过是多个用户共用一个认证来登录的话， 需要配置
max-clients 100 # 最多能连接的客户端

#配置路由

push "route 10.166.0.0 255.255.0.0"
push "route 10.3.0.0 255.255.0.0"
push "route 10.10.0.0 255.255.0.0"
push "route 172.0.0.0 255.0.0.0"
push "route 192.168.0.0 255.255.0.0"


push "dhcp-option DNS 10.10.6.11"
push "dhcp-option DNS 100.125.1.250"

status /var/log/openvpn/status.log
log-append /var/log/openvpn/openvpn.log

duplicate-cn # 如过是多个用户共用一个认证来登录的话，需要配置

max-clients 100 # 最多能连接的客户端

#配置路由

push "route 10.166.0.0 255.255.0.0"

push "route 10.3.0.0 255.255.0.0"

push "route 10.10.0.0 255.255.0.0"

push "route 172.0.0.0 255.0.0.0"

push "route 192.168.0.0 255.255.0.0"

push "dhcp-option DNS 10.10.6.11"

push "dhcp-option DNS 100.125.1.250"

status /var/log/openvpn/status.log

log-append /var/log/openvpn/openvpn.log

配置防火墙：

*nat
:PREROUTING ACCEPT [27:11935]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [598:57368]
:POSTROUTING ACCEPT [591:57092]
:DOCKER - [0:0]

#OpenVPN
-A POSTROUTING -o eth0 -s 10.8.0.0/24 -j MASQUERADE

COMMIT

*nat

:PREROUTING ACCEPT [27:11935]

:INPUT ACCEPT [0:0]

:OUTPUT ACCEPT [598:57368]

:POSTROUTING ACCEPT [591:57092]

:DOCKER - [0:0]

#OpenVPN

-A POSTROUTING -o eth0 -s 10.8.0.0/24 -j MASQUERADE

COMMIT

打开内核转发： net.ipv4.ip_forward = 1 也可以配置udp和tcp都监听, 方法如下：

把/etc/openvpn/server.conf复制一份，比如/etc/openvpn/tcp.conf，然后修改tcp.conf：

协议修改为TCP：proto tcp
IP地址修改略作修改，比如所有原来是10.8.0.x的地方，都改为10.8.1.x
2. 修改防火墙
然后修改iptables，增加一条nat规则-A POSTROUTING -s 10.8.1.0/24 -o eth0 -j MASQUERADE。
iptables -t nat -A POSTROUTING -s 10.8.1.0/24 -o eth0 -j MASQUERADE

3. 启动进程
 /usr/sbin/openvpn --cd /etc/openvpn/ --config tcp.conf
4. 添加开机启动
/etc/systemd/system/openvpntcp@.service

[Unit]
Description=OpenVPN Robust And Highly Flexible Tunneling Application On %I
After=network.target

[Service]
Type=notify
PrivateTmp=true
ExecStart=/usr/sbin/openvpn --cd /etc/openvpn/ --config tcp.conf

[Install]
WantedBy=multi-user.target
重载服务，添加为开启启动

systemctl daemon-reload
systemctl restart openvpntcp@server
systemctl enable openvpntcp@server
systemctl  list-unit-files |grep openvpntcp
客户端ovpn配置
生成的客户端配置，只需要修改udp为tcp.
其中如果remote有2个的话，代表负载均衡，如果其中一个连接不上，会自动连接另外一个

client
proto tcp
remote x.x.x.x 11111
remote x.x.x.x 12222 
......

把/etc/openvpn/server.conf复制一份，比如/etc/openvpn/tcp.conf，然后修改tcp.conf：

协议修改为TCP：proto tcp

IP地址修改略作修改，比如所有原来是10.8.0.x的地方，都改为10.8.1.x

2. 修改防火墙

然后修改iptables，增加一条nat规则-A POSTROUTING -s 10.8.1.0/24 -o eth0 -j MASQUERADE。

iptables -t nat -A POSTROUTING -s 10.8.1.0/24 -o eth0 -j MASQUERADE

3. 启动进程

/usr/sbin/openvpn --cd /etc/openvpn/ --config tcp.conf

4. 添加开机启动

/etc/systemd/system/openvpntcp@.service

[Unit]

Description=OpenVPN Robust And Highly Flexible Tunneling Application On %I

After=network.target

[Service]

Type=notify

PrivateTmp=true

ExecStart=/usr/sbin/openvpn --cd /etc/openvpn/ --config tcp.conf

[Install]

WantedBy=multi-user.target

重载服务，添加为开启启动

systemctl daemon-reload

systemctl restart openvpntcp@server

systemctl enable openvpntcp@server

systemctl list-unit-files |grep openvpntcp

客户端ovpn配置

生成的客户端配置，只需要修改udp为tcp.

其中如果remote有2个的话，代表负载均衡，如果其中一个连接不上，会自动连接另外一个

client

proto tcp

remote x.x.x.x 11111

remote x.x.x.x 12222

......

By sean, 5 years04/21/2020 ago

未分类

KataContainer 实践

Kata container 简介 Kata Container 是两个现有的开源项目合并：Intel Clear Containers和Hyper runV。 Intel Clear Container项目的目标是通过英特尔®虚拟化技术（VT）解决容器内部的安全问题，并且能够将容器作为轻量级虚拟机（VM）启动，提供了一个可选的运行时间，专注于性能（<100ms启动时间），可与Kubernetes 和Docker 等常用容器环境互操作。英特尔®Clear Container表明，安全性和性能不必是一个折衷，将硬件隔离的安全性与容器的性能可以兼得。 hyper runV优先于技术无关支持许多不同的CPU架构和管理程序。容器安全使用Docker轻量级的容器时，最大的问题就是会碰到安全性的问题，其中几个不同的容器可以互相的进行攻击，如果把这个内核给攻掉了，其他所有容器都会崩溃。如果使用KVM等虚拟化技术，会完美解决安全性的问题，但响应的性能会受到一定的影响。单单就Docker来说，安全性可以概括为两点：不会对主机造成影响不会对其他容器造成影响所以安全性问题90%以上可以归结为隔离性问题。而Docker的安全问题本质上就是容器技术的安全性问题，这包括共用内核问题以及Namespace还不够完善的限制： /proc、/sys等未完全隔离 Top, free, iostat等命令展示的信息未隔离 Root用户未隔离 /dev设备未隔离内核模块未隔离 SELinux、time、syslog等所有现有Namespace之外的信息都未隔离当然，镜像本身不安全也会导致安全性问题。 kata 隔离技术我们都知道 Docker 等一类的容器使用 Cgroup 进行资源限制，使用 linux 的 namespace 机制对容器进行隔离，但在实际运行中，仍是由宿主机向容器直接提供网络、存储、计算等资源，虽然性能损失很小，但存在一定的安全问题。 Kata Containers是一个开放源代码社区，致力于通过轻量级虚拟机来构建安全的容器运行时，这些虚拟机的感觉和性能类似于容器，但是使用硬件虚拟化技术作为第二防御层，可以提供更强的工作负载隔离。 kata 底层实现了Intel Clear Containers的最佳部分与Hyper.sh RunV合并，并进行了扩展，以包括对主要架构的支持，包括x86_64之外的AMD64，ARM，IBM Read more…

By sean, 5 years04/03/2020 ago