Docker compose
Docker
Source: https://docs.docker.com/engine/install/ubuntu/
Remove old conflicting packages
for pkg in docker.io docker-doc docker-compose docker-compose-v2 podman-docker containerd runc; do sudo apt-get remove $pkg; done
Update the repositories
# Add Docker's official GPG key:
sudo apt-get update
sudo apt-get install ca-certificates curl
sudo install -m 0755 -d /etc/apt/keyrings
sudo curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc
sudo chmod a+r /etc/apt/keyrings/docker.asc
# Add the repository to Apt sources:
echo \
"deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu \
$(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \
sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
sudo apt-get update
Install Docker
sudo apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
User without sudo
sudo vi /etc/group
docker:x:988:soffid01
sudo systemctl restart docker
sudo usermod -aG docker soffid01
exit (then log in again)
docker ps
Docker compose
Soffid documentation: https://bookstack.soffid.com/books/installation/page/installing-soffid
Docker Compose documentation: https://docs.docker.com/reference/cli/docker/compose/
sudo vi docker-compose.yaml
services:
  mariadb:
    image: mariadb:11.1.2
    environment:
      MYSQL_ROOT_PASSWORD: dkF45.r4f
      MYSQL_DATABASE: soffid
      MYSQL_USER: soffid
      MYSQL_PASSWORD: 98nds.D3
    ports:
      - 3306:3306
    healthcheck:
      test: "/usr/bin/mariadb --user=root --password=dkF45.r4f --execute \"SHOW DATABASES;\""
      interval: 2s
      timeout: 20s
      retries: 10
    command:
      - --max_allowed_packet=128M
      - --innodb_log_file_size=256M
      - --character-set-server=utf8mb4
      - --collation-server=utf8mb4_general_ci
      - --server-id=1
      - --log-bin
      - --binlog-format=row
      - --expire-logs-days=15
      - --max-binlog-size=1000M
      - --replicate-ignore-table=soffid.SC_SEQUENCE
      - --slave-skip-errors=1032,1053,1062
    networks:
      - network
    volumes:
      - mariadb_data:/var/lib/mysql
  console:
    image: soffid/iam-console:3.6.17
    environment:
      DB_URL: jdbc:mariadb://mariadb/soffid
      DB_USER: soffid
      DB_PASSWORD: 98nds.D3
    ports:
      - 8080:8080
    networks:
      - network
    healthcheck:
      test: bash -c "(echo 'GET /soffid/anonymous/logo.svg HTTP/1.1' >&0; echo >&0; cat >&2;) <> /dev/tcp/localhost/8080"
      interval: 10s
      timeout: 20s
      retries: 10
      start_period: 40s
    volumes:
      - console_trust:/opt/soffid/iam-console-3/trustedcerts
      - console_conf:/opt/soffid/iam-console-3/conf
      - console_logs:/opt/soffid/iam-console-3/logs
      - console_index:/opt/soffid/iam-console-3/index
    depends_on:
      mariadb:
        condition: service_healthy
  sync-server:
    image: soffid/iam-sync:3.6.14
    hostname: sync-server
    environment:
      SOFFID_PORT: 1760
      SOFFID_HOSTNAME: sync-server.netcompose
      SOFFID_MAIN: yes
      DB_URL: jdbc:mysql://mariadb/soffid
      DB_USER: soffid
      DB_PASSWORD: 98nds.D3
    ports:
      - 1760:1760
    networks:
      - network
    volumes:
      - sync_conf:/opt/soffid/iam-sync/conf
    depends_on:
      mariadb:
        condition: service_healthy
      console:
        condition: service_healthy
networks:
  network:
    name: netcompose
    driver: bridge
volumes:
  mariadb_data:
    name: compose_mariadbdata
  console_trust:
    name: compose_console_trustedcerts
  console_conf:
    name: compose_console_conf
  console_logs:
    name: compose_console_logs
  console_index:
    name: compose_console_index
  sync_conf:
    name: compose_sync_conf
On machine 2 one field differs (see the database replication section).
- --server-id=2
Start the containers.
docker compose up -d
Useful commands.
docker compose ps
docker compose logs -f console
docker compose logs -f sync-server
docker compose exec -it console bash
docker compose exec -it sync-server bash
Enable port forwarding
First confirm or update the port forwarding configuration of the server.
sudo vi /etc/ssh/sshd_config
AllowTcpForwarding yes
sudo systemctl restart ssh
Open the port by port forwarding over an SSH connection.
ssh -L 8080:localhost:8080 soffid01@172.16.9.20
Now access it through the browser.
http://localhost:8080
Users admin and svives created, with their passwords in the vault.
Database replication
Soffid documentation: https://bookstack.soffid.com/books/installation/page/creating-a-multimaster-mariadb-replica-2b4
EMASA documentation: https://bookstack.soffid.com/books/emasa/page/sincronizar-bases-de-datos
Step 1: update the YAML configuration to include the MariaDB configuration parameters
Add these parameters on server 1.
- --server-id=1
- --log-bin
- --binlog-format=row
- --expire-logs-days=15
- --max-binlog-size=1000M
- --replicate-ignore-table=soffid.SC_SEQUENCE
- --slave-skip-errors=1032,1053,1062
On server 2.
- --server-id=2
- --log-bin
- --binlog-format=row
- --expire-logs-days=15
- --max-binlog-size=1000M
- --replicate-ignore-table=soffid.SC_SEQUENCE
- --slave-skip-errors=1032,1053,1062
Step 2: clone database 1 into database 2
Make a backup of the database on server 1.
docker compose exec -it mariadb bash -c 'mariadb-dump -u root --password="dkF45.r4f" soffid' > mariadb-backup.sql
Copy the file to server 2.
scp mariadb-backup.sql soffid02@172.16.9.35:/home/soffid02/
Load the backup on server 2.
docker compose cp mariadb-backup.sql mariadb:/tmp
docker compose exec -it mariadb bash
mariadb -u soffid -p soffid < /tmp/mariadb-backup.sql
Step 3: create the database users that will run the replicas
On server 1, create the user that server 2 will use to replicate the data.
NOTE: it is important that the passwords are the same, because the replicas will overwrite the user.
docker compose exec -it mariadb bash
mariadb -u root --password="$MYSQL_ROOT_PASSWORD"
create user replication_user@172.16.9.35 identified by 'SDfh.343';
grant replication slave on *.* to replication_user@172.16.9.35;
set password for replication_user@172.16.9.35 = password('SDfh.343');
And on server 1.
docker compose exec -it mariadb bash
mariadb -u root --password="$MYSQL_ROOT_PASSWORD"
create user replication_user@172.16.9.20 identified by 'SDfh.343';
grant replication slave on *.* to replication_user@172.16.9.20;
set password for replication_user@172.16.9.20 = password('SDfh.343');
Step 4: create the slave processes
Query database 1.
MariaDB [soffid]> show master status;
+-------------------+----------+--------------+------------------+
| File              | Position | Binlog_Do_DB | Binlog_Ignore_DB |
+-------------------+----------+--------------+------------------+
| mysqld-bin.000001 |  1335314 |              |                  |
+-------------------+----------+--------------+------------------+
Configure the replica on database 2.
CHANGE MASTER TO
MASTER_HOST='172.16.9.20',
MASTER_USER='replication_user',
MASTER_PASSWORD='Adfv45.d',
MASTER_PORT=3306,
MASTER_LOG_FILE='mysqld-bin.000001',
MASTER_LOG_POS=1335314,
MASTER_CONNECT_RETRY=10;
Check whether it is active (show slave status\G).
*************************** 1. row ***************************
Slave_IO_State: Waiting for master to send event
Master_Host: 172.16.9.35
Master_User: replication_user
Master_Port: 3306
Connect_Retry: 10
Master_Log_File: mysqld-bin.000002
Read_Master_Log_Pos: 1408
Relay_Log_File: mysqld-relay-bin.000002
Relay_Log_Pos: 1485
Relay_Master_Log_File: mysqld-bin.000002
Slave_IO_Running: Yes
Slave_SQL_Running: Yes
Replicate_Rewrite_DB:
Replicate_Do_DB:
Replicate_Ignore_DB:
Replicate_Do_Table:
Replicate_Ignore_Table: soffid.SC_SEQUENCE
Replicate_Wild_Do_Table:
Replicate_Wild_Ignore_Table:
Last_Errno: 0
Last_Error:
Skip_Counter: 0
Exec_Master_Log_Pos: 1408
Relay_Log_Space: 1795
Until_Condition: None
Until_Log_File:
Until_Log_Pos: 0
Master_SSL_Allowed: No
Master_SSL_CA_File:
Master_SSL_CA_Path:
Master_SSL_Cert:
Master_SSL_Cipher:
Master_SSL_Key:
Seconds_Behind_Master: 0
Master_SSL_Verify_Server_Cert: No
Last_IO_Errno: 0
Last_IO_Error:
Last_SQL_Errno: 0
Last_SQL_Error:
Replicate_Ignore_Server_Ids:
Master_Server_Id: 2
Master_SSL_Crl:
Master_SSL_Crlpath:
Using_Gtid: No
Gtid_IO_Pos:
Replicate_Do_Domain_Ids:
Replicate_Ignore_Domain_Ids:
Parallel_Mode: optimistic
SQL_Delay: 0
SQL_Remaining_Delay: NULL
Slave_SQL_Running_State: Slave has read all relay log; waiting for more updates
Slave_DDL_Groups: 3
Slave_Non_Transactional_Groups: 0
Slave_Transactional_Groups: 2
1 row in set (0.001 sec)
If it does not work, we can start it again (or stop it).
start slave;
stop slave;
When it works, this will appear.
Slave_IO_Running: Yes
Slave_SQL_Running: Yes
Seconds_Behind_Master: 0
Now do the same on machine 1.
Query the status of machine 2.
MariaDB [(none)]> show master status;
+-------------------+----------+--------------+------------------+
| File              | Position | Binlog_Do_DB | Binlog_Ignore_DB |
+-------------------+----------+--------------+------------------+
| mysqld-bin.000002 |      343 |              |                  |
+-------------------+----------+--------------+------------------+
Start the replica on server 1.
CHANGE MASTER TO
MASTER_HOST='172.16.9.35',
MASTER_USER='replication_user',
MASTER_PASSWORD='SDfh.343',
MASTER_PORT=3306,
MASTER_LOG_FILE='mysqld-bin.000002',
MASTER_LOG_POS=343,
MASTER_CONNECT_RETRY=10;
Check whether it is active (show slave status\G).
*************************** 1. row ***************************
Slave_IO_State: Waiting for master to send event
Master_Host: 172.16.9.20
Master_User: replication_user
Master_Port: 3306
Connect_Retry: 10
Master_Log_File: mysqld-bin.000002
Read_Master_Log_Pos: 1181913
Relay_Log_File: mysqld-relay-bin.000004
Relay_Log_Pos: 682878
Relay_Master_Log_File: mysqld-bin.000002
Slave_IO_Running: Yes
Slave_SQL_Running: Yes
Replicate_Rewrite_DB:
Replicate_Do_DB:
Replicate_Ignore_DB:
Replicate_Do_Table:
Replicate_Ignore_Table: soffid.SC_SEQUENCE
Replicate_Wild_Do_Table:
Replicate_Wild_Ignore_Table:
Last_Errno: 0
Last_Error:
Skip_Counter: 0
Exec_Master_Log_Pos: 1181913
Relay_Log_Space: 6085768
Until_Condition: None
Until_Log_File:
Until_Log_Pos: 0
Master_SSL_Allowed: No
Master_SSL_CA_File:
Master_SSL_CA_Path:
Master_SSL_Cert:
Master_SSL_Cipher:
Master_SSL_Key:
Seconds_Behind_Master: 0
Master_SSL_Verify_Server_Cert: No
Last_IO_Errno: 0
Last_IO_Error:
Last_SQL_Errno: 0
Last_SQL_Error:
Replicate_Ignore_Server_Ids:
Master_Server_Id: 1
Master_SSL_Crl:
Master_SSL_Crlpath:
Using_Gtid: No
Gtid_IO_Pos:
Replicate_Do_Domain_Ids:
Replicate_Ignore_Domain_Ids:
Parallel_Mode: optimistic
SQL_Delay: 0
SQL_Remaining_Delay: NULL
Slave_SQL_Running_State: Slave has read all relay log; waiting for more updates
Slave_DDL_Groups: 0
Slave_Non_Transactional_Groups: 0
Slave_Transactional_Groups: 15288
1 row in set (0.001 sec)
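An added check over this kind of status dump (example code, not part of these notes): it parses the text that show slave status\G prints and reports the conditions the notes say to look for (both threads Yes, Seconds_Behind_Master 0), plus the error counters and the replicate-ignore-table entry for SC_SEQUENCE. The sample dump is constructed from the output above.

```python
import re

# Constructed sample: a trimmed copy of the healthy status dump shown on this page.
SAMPLE_HEALTHY = """\
*************************** 1. row ***************************
             Slave_IO_Running: Yes
            Slave_SQL_Running: Yes
       Replicate_Ignore_Table: soffid.SC_SEQUENCE
        Seconds_Behind_Master: 0
                Last_IO_Errno: 0
                Last_IO_Error:
               Last_SQL_Errno: 0
               Last_SQL_Error:
1 row in set (0.001 sec)
"""
# Constructed sample: the same replica after its SQL thread stopped on a duplicate key.
SAMPLE_BROKEN = (SAMPLE_HEALTHY
                 .replace("Slave_SQL_Running: Yes", "Slave_SQL_Running: No")
                 .replace("Last_SQL_Errno: 0", "Last_SQL_Errno: 1062")
                 .replace("Seconds_Behind_Master: 0", "Seconds_Behind_Master: NULL"))


def parse_slave_status(text):
    """Turn the 'Key: value' lines of a \\G dump into a dict; empty values become ''."""
    status = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z_]+):(.*)$", line)
        if m:
            status[m.group(1)] = m.group(2).strip()
    return status


def replication_problems(status, max_lag=30):
    """Return what is wrong with this replica; an empty list means healthy."""
    problems = []
    for thread in ("Slave_IO_Running", "Slave_SQL_Running"):
        if status.get(thread) != "Yes":
            problems.append(f"{thread} is {status.get(thread, 'missing')}")
    for errno_key, error_key in (("Last_IO_Errno", "Last_IO_Error"),
                                 ("Last_SQL_Errno", "Last_SQL_Error")):
        if status.get(errno_key, "0") != "0":
            problems.append(f"{errno_key}={status[errno_key]} {status.get(error_key, '')}".strip())
    lag = status.get("Seconds_Behind_Master", "NULL")  # NULL when the SQL thread is down
    if not lag.isdigit() or int(lag) > max_lag:
        problems.append(f"Seconds_Behind_Master is {lag}")
    # the per-server sequence table must stay excluded from replication
    if status.get("Replicate_Ignore_Table") != "soffid.SC_SEQUENCE":
        problems.append("soffid.SC_SEQUENCE is not excluded from replication")
    return problems
```

On a live system feed it the output of docker compose exec -T mariadb mariadb -u root --password="$MYSQL_ROOT_PASSWORD" -e 'SHOW SLAVE STATUS\G' from each server.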
Step 5: update the sequence table
If the Console has not been started, the SC_SEQUENCE table must be created; in this case it already existed because the Console had been started, so each database gets a row with a value higher than the previous one (including the cache added on top), one odd and the other even, and both incrementing by two.
DELETE FROM SC_SEQUENCE WHERE SEQ_NEXT=31801;
DELETE FROM SC_SEQUENCE WHERE SEQ_NEXT=16201;
INSERT INTO SC_SEQUENCE VALUES (32000, 100, 2);
INSERT INTO SC_SEQUENCE VALUES (32001, 100, 2);
(better to do it with a single UPDATE statement)
Step 6: sequential access to the databases
The connection string of the Consoles and Sync servers must be changed to point first to database 1 and, if that fails, go to database 2.
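An added simulation of the two-server sequence scheme from step 5 (example code, not part of these notes). The meaning of the three SC_SEQUENCE columns as next value, cache size and increment is assumed from the INSERT above, as is the hi/lo batch behaviour; it shows why the odd/even rows never collide and checks a pair of rows before inserting them.

```python
# Constructed rows: (SEQ_NEXT, cache size, increment); the column meaning is assumed from
# the INSERT on this page. One row lives on each server and the table is not replicated.
SERVER1_ROW = (32000, 100, 2)
SERVER2_ROW = (32001, 100, 2)
OLD_NEXT_VALUES = {31801, 16201}  # the SEQ_NEXT values deleted above


def reserve_batch(row):
    """Hand out one cache-sized batch of ids and return (ids, advanced_row).

    Assumed hi/lo behaviour: the server takes `cache` values starting at SEQ_NEXT,
    stepping by `increment`, and stores the value after the batch as the new SEQ_NEXT.
    """
    seq_next, cache, increment = row
    ids = [seq_next + i * increment for i in range(cache)]
    return ids, (seq_next + cache * increment, cache, increment)


def allocate(row, batches):
    """Reserve `batches` consecutive batches from one server's row."""
    ids = []
    for _ in range(batches):
        batch, row = reserve_batch(row)
        ids.extend(batch)
    return ids, row


def check_sequence_rows(row1, row2, old_next_values):
    """Validate the pair of rows the notes describe: increment 2 on both, opposite
    parity, and both above every old SEQ_NEXT plus a cache so no id is reused."""
    (n1, c1, i1), (n2, c2, i2) = row1, row2
    if i1 != 2 or i2 != 2:
        return "increment must be 2 on both servers"
    if n1 % 2 == n2 % 2:
        return "both servers would generate the same parity and collide"
    # a server may already have handed out ids up to old SEQ_NEXT + cache (assumed)
    floor = max(old_next_values) + max(c1, c2)
    if n1 < floor or n2 < floor:
        return f"SEQ_NEXT must be at least {floor}"
    return None


def disjoint_after(batches):
    """True when the two servers never produce the same id over `batches` batches each."""
    ids1, _ = allocate(SERVER1_ROW, batches)
    ids2, _ = allocate(SERVER2_ROW, batches)
    return not (set(ids1) & set(ids2))
```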
jdbc:mariadb:sequential://172.16.9.20,172.16.9.35/soffid
Certificates
The certificates are on machine 1 in the "/ssl-2024/" folder.
Tests to validate that we can open the certificate.
docker compose cp /ssl-2024/unal.pfx console:/opt/soffid/iam-console-3/trustedcerts/
docker compose exec -it console /bin/bash
cd /opt/soffid/iam-console-3/trustedcerts/
keytool -v -list -keystore unal.pfx
Load balancer
Pending confirmation of whether there is a load balancer in the infrastructure.
Soffid LDAP
Documentation: https://bookstack.soffid.com/books/soffid-ldap/page/how-to-install-soffid-ldap
Created first as a separate file; it will later be merged with the previous one (docker-compose.yaml.backup).
    healthcheck:
      test: bash -c "(echo 'GET https://sync-server.netcompose:1760/status HTTP/1.1' >&0; echo >&0; cat >&2;) <> /dev/tcp/localhost/8080"
      interval: 10s
      timeout: 20s
      retries: 10
      start_period: 40s
  soffid-ldap:
    image: soffid/soffidldap:15
    environment:
      SOFFID_SERVER=https://sync-server.netcompose:1760
      SOFFID_AGENT=soffidldap
      USER=admin
      PASSWORD=4T.g345f
      DN=o=unal.edu.co
    ports:
      - 1389:389
    networks:
      - network
    volumes:
      - ldapconf:/etc/ldap/slapd.d
      - ldapdata:ldapdata
    depends_on:
      sync-server:
        condition: service_healthy
  ldapconf:
    name: compose_ldapconf
  ldapdata:
    name: compose_ldapdata
------------------------------------------------------------
services:
  soffid-ldap:
    image: soffid/soffidldap:15
    environment:
      SOFFID_SERVER: https://sync-server.netcompose:1760
      SOFFID_AGENT: soffidldap
      USER: cn=admin
      PASSWORD: RTZlv6EkNACdN7xsd4jVRt3D
      DN: o=unal.edu.co
    ports:
      - 389:389
    networks:
      - network
    volumes:
      - ldapconf:/etc/ldap/slapd.d
      - ldapdata:/var/lib/ldap
networks:
  network:
    name: netcompose
    driver: bridge
volumes:
  ldapconf:
    name: compose_ldapconf
  ldapdata:
    name: compose_ldapdata
Access.
ssh -L 1389:localhost:389 soffid01@172.16.9.20
Create the root DN.
Load the UNAL LDAP configuration.
ownCloud/soffid/proyectos/UNAL
ldapmcloud02-unal-2023-06-05-0318.ldif
scp /home/svives/ownCloud/Soffid/Proyectos/UNAL/schema.sh soffid01@172.16.9.20:/home/soffid01/
scp /home/svives/ownCloud/Soffid/Proyectos/UNAL/import.sh soffid01@172.16.9.20:/home/soffid01/
scp /home/svives/ownCloud/Soffid/Proyectos/UNAL/ldapmcloud02-unal-2023-06-05-0318.ldif soffid01@172.16.9.20:/home/soffid01/
chmod 777 schema.sh
chmod 777 import.sh
sudo vim import.sh ---> -H ldap://localhost/
docker compose cp schema.sh soffid-ldap:/tmp
docker compose cp import.sh soffid-ldap:/tmp
docker compose cp ldapmcloud02-unal-2023-06-05-0318.ldif soffid-ldap:/tmp
docker compose exec -it soffid-ldap bash
cd /tmp
./schema.sh
./import.sh
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1) ---> check the connection string in import.sh
root@026789f55d0c:/# cat import.sh
cat: import.sh: No such file or directory
root@026789f55d0c:/# cd /tmp
root@026789f55d0c:/tmp# ./import.sh
adding new entry "o=unal.edu.co"
ldap_add: Already exists (68)
soffid01@soffid01:~$ docker compose exec -it soffid-ldap bash
root@026789f55d0c:/# cd /tmp
root@026789f55d0c:/tmp# ./schema.sh
modifying entry "cn={0}core,cn=schema,cn=config"
ldap_modify: Insufficient access (50)
adding new entry "cn=Administracion Usuarios,o=unal.edu.co"
ldap_add: Object class violation (65)
additional info: no structural object class provided