Enabling SSL on ZooKeeper
Keywords: docker zk kafka security SSL
ZooKeeper and Kafka are deployed with Docker.
Server list
- 192.168.1.202 DB-6
- 192.168.1.203 DB-7
- 192.168.1.204 DB-8
OS: CentOS 7
docker: 19.03.8
zk: 3.6.1
kafka: wurstmeister/kafka:2.13-2.6.0
Vulnerability description
ZooKeeper unauthorized access [principle-based scan]
...
Prerequisites:
1. Set environment variables
# Back up the file first
cp -p ~/.bashrc ~/.bashrc.old
# Edit ~/.bashrc and append the following:
# name of the first physical (non-virtual) interface, then the IPv4 address bound to it;
# on a host with several physical interfaces this yields several names, so set MYIP by hand there
ls_iface=`ls -l /sys/class/net/ |grep -v virtual |grep root|gawk '{print $9}'`
MYIP=`ip -h -4 -o address |grep $ls_iface|gawk '{print $4}'|sed 's/\// /'|gawk '{print $1}'`
export MYIP
# last octet of MYIP, used as the suffix of the container names (zk_202, kafka_202, ...)
export IMAGE_NAME=`echo $MYIP |gawk -F. '{print $4}'`
# Set the ZooKeeper id on each server.
# Note: the id must differ per server and must match the x in server.x of ZOO_SERVERS in the config
export myid=1
2. Apply the variables
source ~/.bashrc
3. Check that they took effect
echo $MYIP $IMAGE_NAME $myid
With SSL enabled on ZK, Kafka must connect to ZK over SSL.
Reference:
https://cwiki.apache.org/confluence/display/ZOOKEEPER/ZooKeeper+SSL+User+Guide
1. Create the keys in JKS format, valid for 10 years
# 1. Generate the keystore file zkkeystore.jks with the key pair under alias zkserver.
#    The SAN must list every hostname and IP that clients will use to reach ZooKeeper,
#    because the ZooKeeper client verifies the hostname against the certificate by default.
#    Passwords passed as -storepass/-keypass end up in shell history and in `ps` output;
#    keytool also accepts -storepass:env VAR and -storepass:file FILE.
keytool -genkeypair -alias zkserver -keyalg RSA -validity 3650 -keystore zkkeystore.jks \
-keysize 4096 -storepass zkserver -keypass zkserver -storetype jks -v \
-dname CN=zk-test \
-ext san=dns:DB-6,dns:DB-7,dns:DB-8,ip:192.168.1.202,ip:192.168.1.203,ip:192.168.1.204,ip:127.0.0.1
# 2. Export the public certificate; the exported file is zkserver-public.cer
keytool -exportcert -alias zkserver -keystore zkkeystore.jks -rfc -file zkserver-public.cer \
-storepass zkserver -v
# 3. Create the truststore and import the public certificate; the truststore password is zkclient.
#    The self-signed certificate is the only trusted one, so every holder of zkkeystore.jks
#    (all three ZK servers and, below, every Kafka broker) can authenticate as a client.
keytool -importcert -alias zkserver -file zkserver-public.cer -keystore zktruststore.jks \
-storepass zkclient -storetype jks -noprompt
# 4. Create the certificate directory and copy the keystore and truststore into it
mkdir -p /myhome/zk/cert
cp zkkeystore.jks zktruststore.jks /myhome/zk/cert/
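The steps above use one self-signed key as both the ZooKeeper server identity and the Kafka client identity, so anything holding zkkeystore.jks can authenticate to ZooKeeper. The script below is an added example, not code from the original post or from the ZooKeeper project: it issues the server certificate and a separate broker client certificate from a small private CA with keytool, takes the passwords from the environment instead of the command line, and builds the SAN from the post's server list. CERT_DIR, SERVERS, the variable names CA_PASS/ZK_PASS/KAFKA_PASS/TRUST_PASS, the aliases and the file names ca.jks, ca.pem and kafkaclient.jks are names chosen for the example; keytool from a JDK is assumed to be on PATH.

```shell
#!/bin/sh
# Added example, not code from the original post. Issues the ZooKeeper server
# certificate and a separate Kafka broker client certificate from a private CA
# with keytool (assumed on PATH). CERT_DIR, SERVERS and the password variable
# names CA_PASS/ZK_PASS/KAFKA_PASS/TRUST_PASS are names chosen here.
set -eu

CERT_DIR=${CERT_DIR:-/myhome/zk/cert}
DAYS=3650

# Server list from the post: "hostname ip", one per line. Every address a client
# may dial has to be in the SAN, because the client verifies hostnames by default.
SERVERS='DB-6 192.168.1.202
DB-7 192.168.1.203
DB-8 192.168.1.204'

# san_ext LIST: turn "hostname ip" lines into a keytool -ext SAN argument.
# Blank or malformed lines are skipped; 127.0.0.1 is always appended, as in the post.
san_ext() {
    printf '%s\n' "$1" | awk '
        NF == 2 { out = out sep "dns:" $1 ",ip:" $2; sep = "," }
        END     { if (out != "") out = out ","; print "san=" out "ip:127.0.0.1" }'
}

# Private CA: the only certificate the truststore will contain.
make_ca() {
    keytool -genkeypair -alias ca -keyalg RSA -keysize 4096 -validity "$DAYS" \
        -dname "CN=zk-test-ca" -ext bc:c=ca:true -ext ku:c=keyCertSign,cRLSign \
        -keystore "$CERT_DIR/ca.jks" -storetype jks \
        -storepass:env CA_PASS -keypass:env CA_PASS
    keytool -exportcert -alias ca -keystore "$CERT_DIR/ca.jks" \
        -storepass:env CA_PASS -rfc -file "$CERT_DIR/ca.pem"
}

# issue NAME KEYSTORE PASS_VAR DNAME [-ext ...]: create a key pair in KEYSTORE,
# have the CA sign it with the given extensions, and install the chain.
issue() {
    name=$1; ks=$2; pwvar=$3; dname=$4; shift 4
    keytool -genkeypair -alias "$name" -keyalg RSA -keysize 4096 -validity "$DAYS" \
        -dname "$dname" -keystore "$ks" -storetype jks \
        -storepass:env "$pwvar" -keypass:env "$pwvar"
    keytool -certreq -alias "$name" -keystore "$ks" -storepass:env "$pwvar" \
        -file "$ks.csr"
    # SAN and EKU come from the -ext arguments; keytool -gencert ignores the
    # extensions in the request unless -ext honored=... is given.
    keytool -gencert -alias ca -keystore "$CERT_DIR/ca.jks" -storepass:env CA_PASS \
        -validity "$DAYS" -rfc -infile "$ks.csr" -outfile "$ks.crt" "$@"
    # The CA certificate must be in the keystore before the reply can be chained.
    keytool -importcert -alias ca -file "$CERT_DIR/ca.pem" -keystore "$ks" \
        -storepass:env "$pwvar" -noprompt
    keytool -importcert -alias "$name" -file "$ks.crt" -keystore "$ks" \
        -storepass:env "$pwvar" -noprompt
    rm -f "$ks.csr" "$ks.crt"
}

# Truststore shared by ZooKeeper and the brokers: CA certificate only, so a
# rotated or newly issued leaf certificate needs no truststore change.
make_truststore() {
    keytool -importcert -alias ca -file "$CERT_DIR/ca.pem" \
        -keystore "$CERT_DIR/zktruststore.jks" -storetype jks \
        -storepass:env TRUST_PASS -noprompt
}

main() {
    # Passwords come from the environment and reach keytool via -storepass:env,
    # so they appear neither in shell history nor in `ps` output.
    : "${CA_PASS:?}" "${ZK_PASS:?}" "${KAFKA_PASS:?}" "${TRUST_PASS:?}"
    export CA_PASS ZK_PASS KAFKA_PASS TRUST_PASS
    mkdir -p "$CERT_DIR"
    make_ca
    # Server identity: SAN for every ZooKeeper address, serverAuth only.
    issue zkserver "$CERT_DIR/zkkeystore.jks" ZK_PASS "CN=zk-test" \
        -ext "$(san_ext "$SERVERS")" -ext eku=serverAuth
    # Broker identity: clientAuth only, so it cannot be used to impersonate ZooKeeper.
    issue kafka-broker "$CERT_DIR/kafkaclient.jks" KAFKA_PASS "CN=kafka-broker" \
        -ext eku=clientAuth
    make_truststore
    chmod 600 "$CERT_DIR"/*.jks
}

# Only run when asked explicitly, so the functions can be sourced or tested.
if [ "${1:-}" = generate ]; then main; fi
```

Run it as `CA_PASS=... ZK_PASS=... KAFKA_PASS=... TRUST_PASS=... sh gen-certs.sh generate`. The zoo.cfg lines in 3.1 stay as they are (the truststore now holds only the CA); in 4.1 the broker's zookeeper.ssl.keystore.location becomes /mnt/kafkaclient.jks with the KAFKA_PASS password. Anything the CA signs is accepted as a client, so keep ca.jks off the servers once the certificates are issued.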
2. Copy the zk and kafka configs
# Copy the existing configs out of the running containers; they are edited below
docker cp zk_${IMAGE_NAME}:/conf /myhome/zk
docker cp kafka_${IMAGE_NAME}:/opt/kafka/config /myhome/kafka
2.1 Stop and remove the zk and kafka containers
docker stop kafka_${IMAGE_NAME}
docker rm kafka_${IMAGE_NAME}
docker stop zk_${IMAGE_NAME}
docker rm zk_${IMAGE_NAME}
3. ZK
3.1 Edit the zk config file
# Append to the config file
tee -a /myhome/zk/conf/zoo.cfg <<'EOF'
# new port for SSL
secureClientPort=2182
# server-side certificates
serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
ssl.keyStore.location=/mnt/zkkeystore.jks
ssl.keyStore.password=zkserver
ssl.trustStore.location=/mnt/zktruststore.jks
ssl.trustStore.password=zkclient
EOF
A few things to check in the resulting file. If the copied zoo.cfg still contains the image's default clientPort=2181, delete that line: dropping -p 2181 from docker run only stops publishing the port, the unauthenticated listener would still be up inside the container network. ZooKeeper 3.6 requires a client certificate on the secure port by default (ssl.clientAuth=need), so every client needs a certificate the truststore accepts; state the setting explicitly so a later edit cannot drop it. The file now holds the keystore passwords in clear text, so keep it readable only by the user that runs Docker. This change covers the client port only; quorum traffic on 2888/3888 is configured separately (sslQuorum).
3.2 Change the zk start command
# --------192.168.1.202--------
# client port changed to secureClientPort 2182 (2181 is no longer published)
# the client port in the ZK cluster list is also changed to 2182
# add mounts for the conf and cert directories
# Note: because /conf is mounted with a zoo.cfg already in it, the official image's entrypoint
# does not regenerate zoo.cfg from ZOO_SERVERS/ZOO_MY_ID; the server list in /myhome/zk/conf/zoo.cfg
# is what takes effect, so keep the two in sync. The ";2182" suffix in ZOO_SERVERS is the
# quorum-config field for the plaintext clientPort, not secureClientPort.
# Note: -Dzookeeper.4lw.commands.whitelist=* enables every four-letter-word command, which is
# what an "unauthorized access" scan exercises; the default is srvr only, so list just what
# monitoring needs (for example ruok,srvr,mntr) instead of *.
docker run -d --name=zk_${IMAGE_NAME} \
--restart=always \
-p 2888:2888 \
-p 3888:3888 \
-p 2182:2182 \
-e ZOO_MY_ID=${myid} \
-e ZOO_SERVERS="server.1=0.0.0.0:2888:3888;2182 server.2=192.168.1.203:2888:3888;2182 server.3=192.168.1.204:2888:3888;2182" \
-e SERVER_JVMFLAGS="-Dzookeeper.4lw.commands.whitelist=*" \
-v /myhome/zk/data:/data \
-v /myhome/zk/datalog:/datalog \
-v /etc/localtime:/etc/localtime \
-v /myhome/zk/cert:/mnt \
-v /myhome/zk/conf:/conf \
zookeeper:3.6.1
# --------192.168.1.203--------
docker run -d --name=zk_${IMAGE_NAME} \
--restart=always \
-p 2888:2888 \
-p 3888:3888 \
-p 2182:2182 \
-e ZOO_MY_ID=${myid} \
-e ZOO_SERVERS="server.1=192.168.1.202:2888:3888;2182 server.2=0.0.0.0:2888:3888;2182 server.3=192.168.1.204:2888:3888;2182" \
-e SERVER_JVMFLAGS="-Dzookeeper.4lw.commands.whitelist=*" \
-v /myhome/zk/data:/data \
-v /myhome/zk/datalog:/datalog \
-v /etc/localtime:/etc/localtime \
-v /myhome/zk/cert:/mnt \
-v /myhome/zk/conf:/conf \
zookeeper:3.6.1
# --------192.168.1.204--------
docker run -d --name=zk_${IMAGE_NAME} \
--restart=always \
-p 2888:2888 \
-p 3888:3888 \
-p 2182:2182 \
-e ZOO_MY_ID=${myid} \
-e ZOO_SERVERS="server.1=192.168.1.202:2888:3888;2182 server.2=192.168.1.203:2888:3888;2182 server.3=0.0.0.0:2888:3888;2182" \
-e SERVER_JVMFLAGS="-Dzookeeper.4lw.commands.whitelist=*" \
-v /myhome/zk/data:/data \
-v /myhome/zk/datalog:/datalog \
-v /etc/localtime:/etc/localtime \
-v /myhome/zk/cert:/mnt \
-v /myhome/zk/conf:/conf \
zookeeper:3.6.1
3.3 Check the logs
docker logs -f zk_${IMAGE_NAME}
Look for errors binding 2182 or loading the keystore. From another host, also confirm that 2181 is no longer reachable and that a TLS handshake to 2182 without the client certificate is rejected (openssl s_client is enough for both checks).
4. Kafka
4.1 Edit the kafka config
# Append the following to the config file.
# The broker reuses the ZK server keystore as its client identity; this works because the
# truststore contains that same certificate, but it means every broker holds the ZooKeeper
# server key. The addresses in zookeeper.connect must match the SAN of the server certificate,
# since the client verifies hostnames by default (zookeeper.ssl.endpoint.identification.algorithm=HTTPS).
tee -a /myhome/kafka/config/server.properties <<'EOF'
zookeeper.ssl.client.enable=true
zookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty
zookeeper.ssl.keystore.location=/mnt/zkkeystore.jks
zookeeper.ssl.keystore.password=zkserver
zookeeper.ssl.truststore.location=/mnt/zktruststore.jks
zookeeper.ssl.truststore.password=zkclient
#zookeeper.set.acl=true
EOF
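The two property blocks (3.1 for zoo.cfg, 4.1 for server.properties) are exactly what a later edit, or a config rewritten by a container entrypoint, can silently undo. The script below is an added example, not code from the original post, ZooKeeper or Kafka: it reads both files, reports each setting that would reopen the unauthenticated path (plaintext clientPort left in place, missing Netty factory or stores, no explicit ssl.clientAuth, a '*' four-letter-word whitelist, a zookeeper.connect entry on the wrong port), and returns the number of findings. Function names, messages and the sample files in the test are chosen for the example; the key names are the ZooKeeper 3.6 / Kafka 2.6 ones used in this post.

```shell
#!/bin/sh
# Added example, not code from the original post. Audits a ZooKeeper zoo.cfg and a
# Kafka server.properties for the TLS settings this post adds. Assumes POSIX sh,
# sed and head; key names are the ZooKeeper 3.6 / Kafka 2.6 ones. Function and
# message names are chosen here.
set -eu

# cfg_value KEY FILE: value of KEY in a Java-properties style file
# (commented lines never match, first match wins, empty string if absent).
cfg_value() {
    key=$(printf '%s' "$1" | sed 's/\./\\./g')
    sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*//p" "$2" | head -n 1 \
        | sed 's/[[:space:]]*$//'
}

# finding MESSAGE: print one weakness and count it in the caller's $n.
finding() { echo "$1"; n=$((n + 1)); }

# audit_zoo_cfg FILE [SERVER_JVMFLAGS]: return value = number of findings.
audit_zoo_cfg() {
    f=$1; flags=${2:-}; n=0
    # Dropping -p 2181 only stops publishing the port; with clientPort still in
    # zoo.cfg the unauthenticated listener is up inside the container network.
    [ -z "$(cfg_value clientPort "$f")" ] \
        || finding "zoo.cfg: clientPort is set; remove it so only secureClientPort listens"
    [ -n "$(cfg_value secureClientPort "$f")" ] \
        || finding "zoo.cfg: secureClientPort is missing"
    [ "$(cfg_value serverCnxnFactory "$f")" = org.apache.zookeeper.server.NettyServerCnxnFactory ] \
        || finding "zoo.cfg: serverCnxnFactory must be NettyServerCnxnFactory for TLS"
    for k in ssl.keyStore.location ssl.trustStore.location; do
        [ -n "$(cfg_value "$k" "$f")" ] || finding "zoo.cfg: $k is missing"
    done
    # 3.6 defaults to need; say so explicitly so a later edit cannot drop client auth.
    [ "$(cfg_value ssl.clientAuth "$f")" = need ] \
        || finding "zoo.cfg: set ssl.clientAuth=need explicitly"
    # Four-letter-word commands are what an "unauthorized access" scan exercises.
    # The whitelist can come from zoo.cfg or from -Dzookeeper.4lw.commands.whitelist
    # in SERVER_JVMFLAGS; flag a '*' in either place (the default is srvr only).
    wl=$(cfg_value 4lw.commands.whitelist "$f")$(printf '%s' "$flags" \
        | sed -n 's/.*-Dzookeeper\.4lw\.commands\.whitelist=\([^ ]*\).*/\1/p')
    case "$wl" in
        *'*'*) finding "zoo.cfg/JVM flags: 4lw.commands.whitelist is '*'; list only what monitoring needs, e.g. ruok,srvr,mntr" ;;
    esac
    return "$n"
}

# audit_kafka_props FILE SECURE_PORT: checks the broker's ZooKeeper client settings.
audit_kafka_props() {
    f=$1; port=$2; n=0
    [ "$(cfg_value zookeeper.ssl.client.enable "$f")" = true ] \
        || finding "server.properties: zookeeper.ssl.client.enable must be true"
    [ "$(cfg_value zookeeper.clientCnxnSocket "$f")" = org.apache.zookeeper.ClientCnxnSocketNetty ] \
        || finding "server.properties: zookeeper.clientCnxnSocket must be ClientCnxnSocketNetty"
    for k in zookeeper.ssl.keystore.location zookeeper.ssl.truststore.location; do
        [ -n "$(cfg_value "$k" "$f")" ] || finding "server.properties: $k is missing"
    done
    connect=$(cfg_value zookeeper.connect "$f")
    [ -n "$connect" ] || finding "server.properties: zookeeper.connect is missing"
    # Every entry must use the secure port; the client also checks each host
    # against the server certificate's SAN by default.
    for hp in $(printf '%s' "$connect" | tr ',' ' '); do
        case "$hp" in
            *:"$port") ;;
            *:"$port"/*) ;;   # entry carrying the chroot suffix
            *) finding "server.properties: zookeeper.connect entry $hp does not use port $port" ;;
        esac
    done
    return "$n"
}

# Usage: sh audit-zk-ssl.sh /myhome/zk/conf/zoo.cfg /myhome/kafka/config/server.properties
if [ $# -eq 2 ]; then
    total=0
    audit_zoo_cfg "$1" "${SERVER_JVMFLAGS:-}" || total=$((total + $?))
    audit_kafka_props "$2" "$(cfg_value secureClientPort "$1")" || total=$((total + $?))
    echo "$total finding(s)"
    [ "$total" -eq 0 ]
fi
```

Run it on each server as `SERVER_JVMFLAGS='-Dzookeeper.4lw.commands.whitelist=*' sh audit-zk-ssl.sh /myhome/zk/conf/zoo.cfg /myhome/kafka/config/server.properties`; if the zoo.cfg copied from the container still carries clientPort=2181 and has no ssl.clientAuth line, the first run reports those together with the '*' whitelist, and a clean run exits 0.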
4.2 Change the kafka start command
# add mounts for the cert and config directories
# connect to zk on port 2182, using the addresses that are in the server certificate's SAN
docker run -d --name=kafka_${IMAGE_NAME} \
--restart=always \
-p 9092:9092 \
-v /etc/localtime:/etc/localtime \
-v /myhome/kafka/data:/kafka \
-v /myhome/kafka/logs:/opt/kafka/logs \
-v /myhome/zk/cert:/mnt \
-v /myhome/kafka/config:/opt/kafka/config \
-e KAFKA_ADVERTISED_HOST_NAME=${MYIP} \
-e HOST_IP=${MYIP} \
-e KAFKA_ADVERTISED_PORT=9092 \
-e KAFKA_ZOOKEEPER_CONNECT=192.168.1.202:2182,192.168.1.203:2182,192.168.1.204:2182 \
-e KAFKA_BROKER_ID=${myid} \
wurstmeister/kafka:2.13-2.6.0
4.3 Check the logs
docker logs -f kafka_${IMAGE_NAME}