sursenbaota
SafeWarehouse (安全仓) containerized deployment: installation guide
Directory layout. If the layout changes, the corresponding paths inside the configuration files must be updated as well.
SafeWarehouse/
├── docker-compose.yml        # main Docker Compose file that starts the containers
├── mysql/                    # initialization SQL files
│   ├── sursen_admin.sql      # initialization script for the sursen_admin database
│   ├── ystar_db.sql          # initialization script for the ystar_db database
│   ├── kms_db.sql            # initialization script for the kms_db database
│   ├── init.sh               # initialization script (creates the databases and imports the SQL)
│   └── my.cnf                # MySQL configuration file; optional, create it here only if special settings are needed
├── filebeat/
│   └── filebeat.yml          # Filebeat configuration file; the service does not work without it
├── kibana/
│   └── kibana.yml            # Kibana configuration file; without it the service does not work and reports "Kibana server is not ready yet."
├── nginx/
│   ├── conf/                 # main Nginx configuration file nginx.conf, which defines global settings such as the number of worker processes and the event model
│   ├── conf.d/               # virtual host and site configuration; Nginx automatically loads every .conf file in this directory as a configuration fragment
│   ├── html/                 # default site root for static pages, CSS and JavaScript
│   ├── logs/                 # Nginx access and error logs, for troubleshooting and performance monitoring
│   └── ssh/                  # SSL/TLS certificate files (public key, private key and intermediate certificates) used for HTTPS
└── sursen-admin/             # SafeWarehouse service
    ├── config.docker.yaml    # SafeWarehouse service configuration file; the service does not work without it
    ├── log/                  # log directory
    ├── uploads/              # configuration files, policy files, etc.
    └── resource/             # license files, SSH certificates, etc.
1. Prepare the scripts, the SQL files and the configuration files each service needs.
2. Make the initialization script executable:
chmod +x mysql/init.sh
3.
Common problems
- ✘ Network safe_net Error
- failed to create network safe_net: Error response from daemon: Failed to Setup IP tables: Unable to enable SKIP DNAT rule: (iptables failed: iptables --wait -t nat -I DOCKER -i br-c3d769b24698 -j RETURN: iptables: No chain/target/match by that name. (exit status 1))
systemctl restart docker
- If that does not help, clean up and reset the Docker networks.
Error response from daemon: failed to create task for container: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: error during container init: error mounting "/root/SafeWarehouse/mysql/my.cnf" to rootfs at "/etc/my.cnf": mount /root/SafeWarehouse/mysql/my.cnf:/etc/my.cnf (via /proc/self/fd/6), flags: 0x5000: not a directory: unknown: Are you trying to mount a directory onto a file (or vice-versa)? Check if the specified host path exists and is the expected type
- Fix: create the MySQL configuration file in the expected directory, or comment out the volume mapping for the configuration file in docker-compose.yml. The error means the host path does not exist (or is a directory), so Docker cannot bind-mount it onto the file /etc/my.cnf.
Exception in thread "main" java.lang.RuntimeException: starting java failed with [1] output: [0.000s][error][logging] Error opening log file 'logs/gc.log': Permission denied [0.001s][error][logging] Initialization of output 'file=logs/gc.log' using options 'filecount=32,filesize=64m' failed. error: Invalid -Xlog option '-Xlog:gc*,gc+age=trace,safepoint:file=logs/gc.log:utctime,pid,tags:filecount=32,filesize=64m', see error log for details. Error: Could not create the Java Virtual Machine. Error: A fatal exception has occurred. Program will exit.
- Fix: this is usually a directory permission problem; run chmod -R 777 elasticsearch and restart. A narrower alternative is to make the directory owned by uid 1000, the user the official Elasticsearch image runs as, so it does not have to be world-writable.
Opening Kibana shows: Kibana server is not ready yet.
- Fix: once network connectivity has been ruled out, this is usually a user permission problem (Kibana cannot authenticate to Elasticsearch). Set the built-in user passwords inside the Elasticsearch container:
docker exec -it elasticsearch sh
./bin/elasticsearch-setup-passwords auto
Changed password for user apm_system
PASSWORD apm_system = 7ndg1kN7etoINwmQOWHH
Changed password for user kibana_system
PASSWORD kibana_system = S4RxpICZUPEnLOKFt8rX
Changed password for user kibana
PASSWORD kibana = S4RxpICZUPEnLOKFt8rX
Changed password for user logstash_system
PASSWORD logstash_system = rVVJAetOM6y9T9ylIll2
Changed password for user beats_system
PASSWORD beats_system = AazfDCH34e4nsp48IKd5
Changed password for user remote_monitoring_user
PASSWORD remote_monitoring_user = clVb4aJsb1GY2FXietpY
Changed password for user elastic
PASSWORD elastic = izy9mTmw5ukDDU3z2Xto
- Log in to the Kibana web UI with the elastic user and its password.
- From Kibana 8.x on, Kibana must connect to Elasticsearch as the kibana_system user.
- Replace the username and password in kibana.yml with the kibana_system credentials obtained above and restart Kibana:
server.name: kibana
server.host: "0.0.0.0"
# http://ip:9200 TODO change to your own IP
elasticsearch.hosts: [ "http://elasticsearch:9200" ]
xpack.monitoring.ui.container.elasticsearch.enabled: true
elasticsearch.username: "kibana_system" # ES user
elasticsearch.password: "xxxxxx" # ES password
i18n.locale: zh-CN # Chinese UI
validating /root/SafeWarehouse/sursen-admin/docker-compose.yml: (root) Additional property server is not allowed
- Fix: check that the YAML structure and syntax of the file are correct. Errors of this kind are caused by a malformed configuration file; here the message says a key named server sits at the top level of the Compose file, which the schema does not allow, most likely a mis-indented or misspelled services entry.
Before installing the 张旭 network transport gateway service, prepare the following on the server:
- Make sure the TUN module is loaded on the host.
# Check whether the TUN module is loaded
lsmod | grep tun
# If it is not loaded, load it manually (requires root)
modprobe tun
# Confirm the device node exists
ls -l /dev/net/tun
# Expected output: crw-rw-rw- 1 root root 10, 200 ... /dev/net/tun
- Temporarily change the kernel parameter on the host. Note that a drop-in under /etc/sysctl.d persists across reboots; a change that is really temporary is made with sysctl -w net.ipv4.conf.all.rp_filter=0 instead.
# Edit the drop-in file (create it if it does not exist)
vi /etc/sysctl.d/99-surguard.conf
# Add the following line
net.ipv4.conf.all.rp_filter=0
# Load the file so the setting takes effect
sysctl -p /etc/sysctl.d/99-surguard.conf
Setting rp_filter=0 turns off reverse-path (anti-spoofing) source validation on every interface. Loose mode (rp_filter=2) still drops packets whose source address is not routable at all and is the narrower setting to try first.
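The following pre-flight check, added here and not part of the project, encodes the requirements from the layout and step 2 above and the TUN and rp_filter prerequisites for the gateway; the file list and drop-in path come from this guide, and the function arguments are an assumption so the checks can also be run against a copy of the tree.

```shell
#!/bin/sh
# Added pre-flight check for the SafeWarehouse layout and host prerequisites in this guide.
# Not project code; paths are taken from the tree above, the function arguments are assumptions.

# Files the guide marks as "service unusable if missing", plus the compose file and init script.
REQUIRED_FILES="docker-compose.yml mysql/init.sh filebeat/filebeat.yml kibana/kibana.yml sursen-admin/config.docker.yaml"

# check_layout DIR: print one line per problem found under DIR; return the problem count (0 = OK).
check_layout() {
    dir=$1
    problems=0
    for f in $REQUIRED_FILES; do
        if [ ! -f "$dir/$f" ]; then
            echo "missing: $f"
            problems=$((problems + 1))
        fi
    done
    # Step 2 of the guide: the init script must be executable.
    if [ -f "$dir/mysql/init.sh" ] && [ ! -x "$dir/mysql/init.sh" ]; then
        echo "not executable: mysql/init.sh (run: chmod +x mysql/init.sh)"
        problems=$((problems + 1))
    fi
    # my.cnf is optional, but a directory of that name makes the bind mount onto
    # /etc/my.cnf fail with "not a directory" (see the FAQ above).
    if [ -e "$dir/mysql/my.cnf" ] && [ ! -f "$dir/mysql/my.cnf" ]; then
        echo "mysql/my.cnf exists but is not a regular file"
        problems=$((problems + 1))
    fi
    return $problems
}

# check_tun [DEVICE]: the gateway needs the TUN character device; default /dev/net/tun.
check_tun() {
    dev=${1:-/dev/net/tun}
    [ -c "$dev" ] && return 0
    echo "TUN device $dev not found (run: modprobe tun)"
    return 1
}

# check_rp_filter [FILE]: the sysctl drop-in must set net.ipv4.conf.all.rp_filter=0.
check_rp_filter() {
    f=${1:-/etc/sysctl.d/99-surguard.conf}
    [ -f "$f" ] && grep -q '^net\.ipv4\.conf\.all\.rp_filter *= *0 *$' "$f"
}

# Usage against a live checkout (each check reports its problems and returns non-zero):
# check_layout /root/SafeWarehouse; check_tun; check_rp_filter
```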