diff --git a/docker/Dockerfile b/docker/Dockerfile index 9b4f48e..a91082c 100644 --- a/docker/Dockerfile +++ b/docker/Dockerfile @@ -62,7 +62,7 @@ RUN apt-get update && \ nginx openssh-server \ && ssh-keygen -A \ && adduser --disabled-password --gecos "" omcuser \ - && echo 'omcuser:password' | chpasswd \ + && echo 'omcuser:a9tU53r' | chpasswd \ && mkdir -p /home/omcuser/.ssh \ && chmod 700 /home/omcuser/.ssh \ && touch /home/omcuser/.ssh/authorized_keys \ @@ -85,7 +85,7 @@ COPY --from=build-golang /docker/logs /var/log/omc COPY --from=build-golang /docker/nginx/cert /etc/nginx/cert COPY --from=build-golang /docker/nginx/nginx.conf /etc/nginx/nginx.conf -EXPOSE 33030 33033 33040 33060 80 22 +EXPOSE 22 80 443 33030 33443 33033 33060 CMD ["/bin/sh", "-c", "service ssh start && service nginx start && /usr/local/bin/omc --env ${APPENV} -c /usr/local/etc/omc/omc.yaml"] diff --git a/docker/README.md b/docker/README.md index 595f1f7..b6435df 100644 --- a/docker/README.md +++ b/docker/README.md @@ -26,13 +26,25 @@ probject | /var/log | 网管相关日志输出 | | /tmp/omc | 存放从网元拉取到本地的文件 | +端口声明 + +| 端口 | 说明 | +| ----- | ----------------------------- | +| 22 | 网管 容器内部 SSH 服务 | +| 80 | 网管 Nginx HTTP 服务 | +| 443 | 网管 Nginx HTTP2 服务 | +| 33030 | 网管后台 API HTTP 服务 | +| 33443 | 网管后台 API HTTP2 服务 | +| 33033 | 网管信令跟踪 UDP 协议接收服务 | +| 33060 | 网管性能分析监控 metrics 服务 | + ## 编译 - `VERSION` 变量是后端程序打包版本号注入 ```sh -docker build --build-arg VERSION="241211" -t omc:2.2412.1 . +docker build --build-arg VERSION="241212" -t omc:2.2412.1 . ``` 
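Review bot: The new `echo 'omcuser:a9tU53r' | chpasswd` still bakes a fixed login password into the image layer, where it is readable from the image filesystem and from `docker history`, so swapping the string for `password` does not reduce exposure for anyone holding the image or this repository. The same RUN already prepares `/home/omcuser/.ssh/authorized_keys`, so the usual fix is to drop the `chpasswd` line, rely on key-based SSH with `PasswordAuthentication no` in sshd_config, or set the password at container start from a runtime secret rather than at build time. The RUN instruction starts before the hunk.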
@@ -47,12 +59,13 @@ docker run -d \ --restart=always \ -p 8822:22 \ -p 8880:80 \ +-p 8884:443 \ -p 8830:33030 \ -p 8833:33033 \ --p 8840:33040 \ -p 8860:33060 \ -v /home/manager/probject/omc_api/docker/omc:/usr/local/etc/omc \ -v /home/manager/probject/omc_api/docker/omc/logs:/var/log \ +-v /home/manager/probject/omc_api/docker/omc/tmp:/tmp/omc \ -v /home/manager/probject/omc_api/docker/omc/nginx/cert:/etc/nginx/cert \ -v /home/manager/probject/omc_api/docker/omc/nginx/nginx.conf:/etc/nginx/nginx.conf \ -e TZ="Asia/Shanghai" \ @@ -86,5 +99,9 @@ docker load -i redis_7.2.5.tar docker load -i mysql_8.0.39.tar docker load -i omc_2.2412.1.tar -sudo bash omc.sh install +sudo bash omc-docker.sh install + +mkdir omc-r2.2412.1-ub22-cloud +tar -czvf omc-r2.2412.1-ub22-cloud.tgz omc-r2.2412.1-ub22-cloud/ +tar -xzvf omc-r2.2412.1-ub22-cloud.tgz ``` diff --git a/docker/omc.sh b/docker/omc-docker.sh similarity index 76% rename from docker/omc.sh rename to docker/omc-docker.sh index 490ce9c..5ba1d37 100644 --- a/docker/omc.sh +++ b/docker/omc-docker.sh @@ -6,7 +6,7 @@ REDIS_CONTAINER_NAME="omc_redis" # usage usage() { - echo "Usage: bash omc.sh [install|uninstall|restart|start|stop]" + echo "Usage: bash omc-docker.sh [install|uninstall|restart|start|stop]" exit 1 } 
@@ -22,9 +22,17 @@ install(){ echo "Container time zone (Asia/Shanghai):" read OMC_TZ OMC_TZ=${OMC_TZ:-"Asia/Shanghai"} - echo "Container service port (80):" - read OMC_PORT - OMC_PORT=${OMC_PORT:-"80"} + echo "Container service http port (80):" + read OMC_HTTP_PORT + OMC_HTTP_PORT=${OMC_HTTP_PORT:-"80"} + echo "Container service https port (443):" + read OMC_HTTPS_PORT + OMC_HTTPS_PORT=${OMC_HTTPS_PORT:-"443"} + echo "Container name ($OMC_CONTAINER_NAME):" + read OMC_CONTAINER_NAME + OMC_CONTAINER_NAME=${OMC_CONTAINER_NAME:-"omc"} + echo "==> Checking Docker version $OMC_CONTAINER_NAME" + sed -i "s/^OMC_CONTAINER_NAME=.*/OMC_CONTAINER_NAME=\"$OMC_CONTAINER_NAME\"/" ./omc-docker.sh echo "===================== Install container omc service =====================" echo "==> Checking Docker version" @@ -34,7 +42,6 @@ install(){ echo "Docker is not available or sudo privileges are not granted." exit 1 fi - echo "" echo "==> Created service network" NETWORK="omcnet" @@ -53,13 +60,17 @@ install(){ mysql_container=$(docker ps --filter "name=$MYSQL_CONTAINER_NAME" --format "{{.Names}}") if [[ -z "$mysql_container" ]]; then echo "MySQL container is not running. Installing MySQL container..." + docker load --input $(pwd)/tar/mysql_8.0.39.tar MYSQL_IMAGE="mysql:8.0.39" MYSQL_ROOT_PASSWORD="1000omc@kp!" SQL_FILE_PATH="$(pwd)/sql/install/omc_db.sql" + MYSQL_DATA=/usr/local/etc/$MYSQL_CONTAINER_NAME/data + mkdir -p $MYSQL_DATA docker run --privileged=true --restart=always -e TZ="$OMC_TZ" \ -e MYSQL_ROOT_PASSWORD=$MYSQL_ROOT_PASSWORD \ -v $SQL_FILE_PATH:/docker-entrypoint-initdb.d/database.sql \ + -v $MYSQL_DATA:/var/lib/mysql \ --network $NETWORK \ --name $MYSQL_CONTAINER_NAME \ -d $MYSQL_IMAGE 
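Review bot: `read OMC_CONTAINER_NAME` overwrites the value the prompt shows as `($OMC_CONTAINER_NAME)` before the fallback runs, so pressing Enter yields the literal `"omc"` rather than the current name, and the following `sed -i` then writes that back into `./omc-docker.sh`; save the current value first, e.g. `OMC_DEFAULT_NAME=$OMC_CONTAINER_NAME` before the prompt and `OMC_CONTAINER_NAME=${OMC_CONTAINER_NAME:-"$OMC_DEFAULT_NAME"}` after it. The sed replacement interpolates the name unquoted, so an answer containing `/`, `&` or a newline corrupts the script's own source, and rewriting the file that is currently executing can be fragile; a small separate config file would be safer. The echo `"==> Checking Docker version $OMC_CONTAINER_NAME"` looks like a copy of the line below it and prints a misleading message. install() begins before the hunk.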
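Review bot: `docker load --input $(pwd)/tar/mysql_8.0.39.tar` and `mkdir -p $MYSQL_DATA` run unquoted and unchecked; with no `set -e` visible in the hunk, a missing tarball or a working directory containing spaces leaves the script continuing into `docker run` with an image that was never loaded. Quote the paths and stop on failure, e.g. `docker load --input "$(pwd)/tar/mysql_8.0.39.tar" || exit 1` and `mkdir -p "$MYSQL_DATA"`. With `/var/lib/mysql` now persisted on the host, the `docker-entrypoint-initdb.d` SQL runs only while `$MYSQL_DATA` is empty, so a re-install on the same host keeps the old data and skips `omc_db.sql`; a comment above `MYSQL_DATA=` saying so would save an operator a surprise. The Redis hunk that follows has the same unquoted, unchecked pattern. install() starts and ends outside the hunk.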
@@ -74,8 +85,11 @@ install(){ docker load --input $(pwd)/tar/redis_7.2.5.tar REDIS_IMAGE="redis:7.2.5" REDIS_PASSWORD="helloearth" + REDIS_DATA=/usr/local/etc/$REDIS_CONTAINER_NAME/data + mkdir -p $REDIS_DATA docker run --privileged=true --restart=always -e TZ="$OMC_TZ" \ -e REDIS_PASSWORD=$REDIS_PASSWORD \ + -v $REDIS_DATA:/data \ --network $NETWORK \ --name $REDIS_CONTAINER_NAME \ -d $REDIS_IMAGE @@ -98,21 +112,23 @@ install(){ docker run --privileged=true --restart=always -m 512M \ -v /usr/local/etc/omc:/usr/local/etc/omc \ -v /usr/local/etc/omc/logs:/var/log \ + -v /usr/local/etc/omc/tmp:/tmp/omc \ -v /usr/local/etc/omc/nginx/cert:/etc/nginx/cert \ -v /usr/local/etc/omc/nginx/nginx.conf:/etc/nginx/nginx.conf \ -e TZ=$OMC_TZ \ - -p $OMC_PORT:80 \ + -p $OMC_HTTP_PORT:80 \ + -p $OMC_HTTPS_PORT:443 \ --network $NETWORK \ --name $OMC_CONTAINER_NAME \ -d $OMC_IMAGE - echo "Running service $OMC_CONTAINER_NAME container port $OMC_PORT" + echo "Running service $OMC_CONTAINER_NAME container http port $OMC_PORT / https port $OMC_HTTPS_PORT" } # uninstall uninstall(){ docker stop $OMC_CONTAINER_NAME && docker rm $OMC_CONTAINER_NAME - docker stop $REDIS_CONTAINER_NAME && docker rm $REDIS_CONTAINER_NAME + docker stop $REDIS_CONTAINER_NAME && docker rm $REDIS_CONTAINER_NAME docker stop $MYSQL_CONTAINER_NAME && docker rm $MYSQL_CONTAINER_NAME } @@ -125,12 +141,15 @@ case "$1" in uninstall ;; "restart") + echo "restart container $OMC_CONTAINER_NAME" docker restart $OMC_CONTAINER_NAME ;; "start") + echo "start container $OMC_CONTAINER_NAME" docker start $OMC_CONTAINER_NAME ;; "stop") + echo "stop container $OMC_CONTAINER_NAME" docker stop $OMC_CONTAINER_NAME ;; *) diff --git a/docker/omc/nginx/cert/omc-server.crt b/docker/omc/nginx/cert/omc-server.crt new file mode 100644 index 0000000..eebe4b0 --- /dev/null +++ b/docker/omc/nginx/cert/omc-server.crt 
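Review bot: The summary line still expands `$OMC_PORT`, which this commit renamed, so `echo "Running service $OMC_CONTAINER_NAME container http port $OMC_PORT / https port $OMC_HTTPS_PORT"` prints an empty http port; change it to `echo "Running service $OMC_CONTAINER_NAME container http port $OMC_HTTP_PORT / https port $OMC_HTTPS_PORT"`. The new `-v /usr/local/etc/omc/tmp:/tmp/omc` bind has no `mkdir -p` like `$MYSQL_DATA` and `$REDIS_DATA` get, so when the host directory is absent Docker's `-v` creates it root-owned; a matching `mkdir -p /usr/local/etc/omc/tmp` before `docker run` keeps the three consistent. install() starts before the hunk.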
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC2jCCAcKgAwIBAgIBAzANBgkqhkiG9w0BAQsFADAUMRIwEAYDVQQKEwlHbyBP
+TUMgQ0EwHhcNMjQwMTA5MDcxMjU1WhcNMzQwMTA2MDcxMjU1WjAVMRMwEQYDVQQK
+EwpPTUMgU2VydmVyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApSTG
+HNOWScYVHHiGw9z8q2u3ZMUaOFBm6+F4p4PrpM1h3FtHmYv5IWr5kqoMgCU/FmPG
+HrSqDzrm+J4QMdguq40Jd4QOadiDg5oyLIM6Su32sjtG/y5an3abtY9hNCoWDdpy
+kNRb1i9NQ2uTSBHm1lTVWutZWgm7D9jES8JB2byDwAOONwGlqAw6buxUlIP2vCtn
+SpMF8Mqdypnw8K17DLXpP+D8Exw4mjOmJEVOGnw/pinjDCHm9SEiFtagdXIWliwl
+DgbyVeSE70JhaGV2bGlmldV2sN2qPvG/W99pCeObxNcCko9JdJqsDVQTiOTY6uaH
+o/GdDnzZh4TbbDutDQIDAQABozYwNDAOBgNVHQ8BAf8EBAMCBaAwEwYDVR0lBAww
+CgYIKwYBBQUHAwEwDQYDVR0OBAYEBAECAwQwDQYJKoZIhvcNAQELBQADggEBAJY6
+eI54wSn+kNteFEdoFS2jVM+GAMS0x4blX2wzNro6HqhlYC6oJ8TxRS6V22ugWLFX
+M/pcqV5FA1XCSibYdwscdaoUSUYc6inlkHxrbfSryiQqXAkEv8Ote3dqtOu7Z0BY
+PkykdMrCUXn5ksYgoTa7G1CdAiaKMeuTz801l1g8AIOpNV1+Xhi29TKA134VDW9S
+2aDcD6jEs63rqKx/knStli0F58N0kOKjmmt45stP90o5NsshAMumzP0xhfwC94Gg
+eBXg6ThM3nuOBQyzPEtUZioRKKV4XmgZF/F4ePCnS4ST9ft09kx7UcR9MVzGIHov
+whwVw6o5O7h1xQr6Pjw=
+-----END CERTIFICATE-----
diff --git a/docker/omc/nginx/cert/omc-server.key b/docker/omc/nginx/cert/omc-server.key
new file mode 100644
index 0000000..b1b3a94
--- /dev/null
+++ b/docker/omc/nginx/cert/omc-server.key
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEApSTGHNOWScYVHHiGw9z8q2u3ZMUaOFBm6+F4p4PrpM1h3FtH
+mYv5IWr5kqoMgCU/FmPGHrSqDzrm+J4QMdguq40Jd4QOadiDg5oyLIM6Su32sjtG
+/y5an3abtY9hNCoWDdpykNRb1i9NQ2uTSBHm1lTVWutZWgm7D9jES8JB2byDwAOO
+NwGlqAw6buxUlIP2vCtnSpMF8Mqdypnw8K17DLXpP+D8Exw4mjOmJEVOGnw/pinj
+DCHm9SEiFtagdXIWliwlDgbyVeSE70JhaGV2bGlmldV2sN2qPvG/W99pCeObxNcC
+ko9JdJqsDVQTiOTY6uaHo/GdDnzZh4TbbDutDQIDAQABAoIBAHxE49+lSJ5TNGes
+Op0AmhHUiLiHqWde+VPe4xALMTNeaZmMBqEAt4PyH8PBuo5jeMm8YsWQZbf4Nv42
+0zDu4I+vHcSV1tLHXo+VZNQiG6du0gjkmlRD6WW9twY00oySbu4Vx8g8RK80AQwO
+01GURwRZ6gL0vtQGJoGSOIRZtXvGLltVR52OfkgNMjNepwtJvMV7PW5xYwEcnx+i
+sZD/6hl49Qv5g4dCCGrnr8Garx9+cUkVP/ipkBnjyKACfzYQhoauo03Rv4iuNdy6
+QD9KB95ALHq66vYXF72YW75JQhQ3C1qGcghNn68RIlufSnA7D7J9VCG5VSXfVrk2
+a5Xw2HECgYEAzaXU75hl87fmf88X+8M6+OuaMnnLAwIadbcecakkO4bgzNF1SYwv
+dbZ608LvdUt+BYVU43CCX3//a/MI+Ncp5sk85TLsXUxXGWonO1zXpa3+BAEXJe1n
+xnWVdytWMeoyzhBZ/Vkx7/NAu5WSViXgQ3trB0Wr3OGw3Nksb4Son8cCgYEAzZQc
+SlglEiU+Z+BsCV07FEkU6xgsmxQQuptPuGcm713Ik8c8a5KAyjbhpp+oBvn8v69i
+hVGHcFmZYeazBL39dC4/6E/wDOVEwN2fY8oYBnrPvoz7FUTvObRjZakrgVj+XAjS
+lg9RuMm1tYPFR52V5BTngJ9Rkj/AewxWnGMDtIsCgYEAng1i/5ZQXSUs+XPwCeY9
+b8yb4Ulr9u7p6SkJM+/8UefS5HfjPdiJLV5HPnOm2K5ht9qGqJrzCHT2mT/b2Gx9
+3ssxizI9KWOf2X+VkXFEqCh2fxtbcCHrTUNX0ZQ0Ff7adzdoAmhIEhQR31oQczd/
+Cj5Tvu4ULZoj9UjQdxEtDEcCgYAYrW3T8s7IZdYe7A6r9RgRcFBlhCpel0MG03v3
+W9KNq0lXi/QRya1SGNJviPzHkZyoeeourMHAV9EUsnfM2u2g06hyP55GPgNJz5DB
+jtHhfT6Q1iWRwQuidqfz3SHOzhsCe0CkKMSblQMN/fphhWYn0eaURwuoraRyYOHI
+tg4MzwKBgGImdyBx/l6bkWa4GywZ9iw5RDe7KYN9UclnBcHDkIELXskp8bTbwpBy
+m/IyLC5eLOzdK7c2Odtd3LP/AG5fYPAzQ5S6YmSDPp1JEKODbg51wcMJpLSvG2Q/
+P5paV/ZAKbxgXpilBrjSejM/QLYqD8756z5lgo5biR7bGkBA+nkj
+-----END RSA PRIVATE KEY-----
diff --git a/docker/omc/nginx/cert/omc-server.conf b/docker/omc/nginx/nginx.conf
index 6061310..5b0903d 100644
--- a/docker/omc/nginx/nginx.conf
+++ b/docker/omc/nginx/nginx.conf
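Review bot: `docker/omc/nginx/cert/omc-server.key` is a plaintext RSA private key committed to the repository, so it is now part of git history for good; if the build stage's `/docker/nginx/cert` is populated from this directory, the Dockerfile's `COPY --from=build-golang /docker/nginx/cert /etc/nginx/cert` also bakes it into every image layer. Treat this key pair as compromised and generate it at install time instead, e.g. an `openssl req` step in `omc-docker.sh install` writing into the bind-mounted `/usr/local/etc/omc/nginx/cert`, keeping only a CA certificate (if any) under version control. Adding `*.key` to `.gitignore` and `.dockerignore` prevents the next copy from landing in the repo or the build context.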
@@ -4,8 +4,8 @@ pid /run/nginx.pid; include /etc/nginx/modules-enabled/*.conf; events { - worker_connections 1024; - # multi_accept on; + worker_connections 1024; + # multi_accept on; } http { @@ -64,23 +64,13 @@ http { listen 80; listen [::]:80; server_name localhost; - - # 修改允许最大请求体大小为100MB - client_max_body_size 100M; - # 持久连接的超时时间默认60s + #if ($scheme = "http") { + # return 301 https://$host$request_uri; + #} + + client_max_body_size 100M; keepalive_timeout 180s; - #access_log /var/log/nginx/host.access.log main; - - # ssl_certificate /etc/nginx/cert/www.x.cn_chain.crt; - # ssl_certificate_key /etc/nginx/cert/www.x.cn.key; - - # ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3; - # ssl_session_timeout 5m; - # ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5; - # ssl_prefer_server_ciphers on; - # ssl_dhparam /etc/nginx/cert/dhparams.pem; - # OMC location / { root /usr/local/bin/web; @@ -91,12 +81,6 @@ http { } location /omc-api/ { - proxy_pass http://127.0.0.1:33030/; - - proxy_connect_timeout 180s; # 默认60s - proxy_send_timeout 180s; # 默认60s - proxy_read_timeout 180s; # 默认60s - proxy_cache_bypass $http_upgrade; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; @@ -106,13 +90,15 @@ http { proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Host $host; proxy_set_header X-Forwarded-Port $server_port; + + proxy_connect_timeout 180s; + proxy_send_timeout 180s; + proxy_read_timeout 180s; + + proxy_pass http://127.0.0.1:33030/; } location /api/rest/ { - # 添加斜杠并重定向 - #rewrite ^([^.]*[^/])$ $1/ permanent; - proxy_pass http://127.0.0.1:33030/api/rest/; - proxy_cache_bypass $http_upgrade; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; 
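Review bot: The commented-out `if ($scheme = "http") { return 301 https://$host$request_uri; }` in the port-80 server is not the form to enable later: this server only listens on 80, so the condition is always true and nginx's `if` in server context is discouraged; the idiom is an unconditional `return 301 https://$host$request_uri;` in that server. Until it is enabled, port 80 keeps serving the application and proxying `/omc-api/` and `/api/rest/` in clear text alongside the new 443 server, which is worth stating in a comment next to the block so the redirect is not forgotten. The removed ssl comments carried `ssl_prefer_server_ciphers on;` and an explicit `ssl_protocols` line; neither reappears in the 443 server added later in this file.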
@@ -122,6 +108,8 @@ http { proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Host $host; proxy_set_header X-Forwarded-Port $server_port; + + proxy_pass http://127.0.0.1:33030/api/rest/; } #error_page 404 /404.html; 
@@ -130,7 +118,72 @@ http { # error_page 500 502 503 504 /50x.html; location = /50x.html { - root /usr/local/etc/omc/frontend; + return 301 http://$host$request_uri; + } + } + + server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + server_name localhost; + + client_max_body_size 100M; + keepalive_timeout 180s; + + ssl_certificate /etc/nginx/cert/omc-server.crt; + ssl_certificate_key /etc/nginx/cert/omc-server.key; + + ssl_session_timeout 5m; + ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5; + + # OMC + location / { + root /usr/local/bin/web; + #root /usr/local/etc/omc/frontend; + + try_files $uri $uri/ /index.html; + index index.html index.htm; + } + + location /omc-api/ { + proxy_cache_bypass $http_upgrade; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + + proxy_connect_timeout 180s; + proxy_send_timeout 180s; + proxy_read_timeout 180s; + + proxy_pass https://127.0.0.1:33443/; + } + + location /api/rest/ { + proxy_cache_bypass $http_upgrade; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + + proxy_pass https://127.0.0.1:33443/api/rest/; + } + + #error_page 404 /404.html; + + # redirect server error pages to the static page /50x.html + # + error_page 500 502 503 504 /50x.html; + location = /50x.html { + return 301 https://$host$request_uri; } } } 
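Review bot: Both new `location = /50x.html { return 301 …$host$request_uri; }` blocks redirect the client back to the URL that just failed: `error_page 500 502 503 504 /50x.html;` routes upstream errors to this location and `$request_uri` is the original request, so a backend outage (502) becomes a redirect loop instead of an error page. Serve a static file there (`root /usr/local/bin/web;`, as the removed `root` line did, provided a `50x.html` is shipped) or return a fixed status such as `return 503;`. The 443 server sets no `ssl_protocols`, so the nginx default applies (TLSv1/1.1 are still enabled on releases before 1.23.4), and its `ssl_ciphers` keeps `EECDH+3DES:RSA+3DES` plus non-forward-secret `RSA+AES*`; `ssl_protocols TLSv1.2 TLSv1.3;` with a modern cipher string and `ssl_prefer_server_ciphers on;` is the usual baseline. `listen 443 ssl http2;` is the pre-1.25.1 syntax; newer nginx expects `http2 on;` as a separate directive.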
diff --git a/docker/omc/omc.yaml b/docker/omc/omc.yaml index 27fbad3..7b6dc19 100644 --- a/docker/omc/omc.yaml +++ b/docker/omc/omc.yaml @@ -16,6 +16,15 @@ rest: - ipv4: 0.0.0.0 ipv6: port: 33030 + scheme: http + - ipv4: 0.0.0.0 + ipv6: + port: 33443 + scheme: https + clientAuthType: 0 + caFile: /etc/nginx/cert/omc-ca.crt + certFile: /etc/nginx/cert/omc-server.crt + keyFile: /etc/nginx/cert/omc-server.key webServer: enabled: false diff --git a/docker/omc/tmp/README.md b/docker/omc/tmp/README.md new file mode 100644 index 0000000..988618c --- /dev/null +++ b/docker/omc/tmp/README.md @@ -0,0 +1 @@ +# OMC tmp Dir
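Review bot: The new 33443 listener points `caFile` at `/etc/nginx/cert/omc-ca.crt`, but this commit adds only `omc-server.crt` and `omc-server.key` under `docker/omc/nginx/cert`; unless the CA file is produced elsewhere, the listener will fail to start or run without a CA, depending on how the loader treats a missing path (not visible here). With `clientAuthType: 0` (presumably "no client certificate", to be confirmed against the enum the loader uses) the CA file may be unused, so either drop `caFile` or ship/generate the CA certificate alongside the server pair. A one-line comment on the entry naming what each `clientAuthType` value means would help readers of this yaml.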