preface
In terms of environment deployment we went through three stages: traditional installation, image restore, and automatic discovery/registration plus command delivery. Today, once the image has been restored and the virtual machine started, the machine registers itself automatically as soon as it can ping our company's address (even if it has no other access to the external network and no inbound port is opened). From then on we have management access to the machine and can deliver commands to many machines in batches. (The second and third stages were designed by me.)
background
We are a product plus customization company, and once a project is finished it is deployed directly onto the customer's servers. Customers rarely choose cloud servers: they have their own server room and provide us with 1-2 virtual machines before deployment, after which the whole environment deployment problem is left to us.
The evolution
Stage 1: Traditional installation
Period: ? ~ 2016
- Party A (the customer) has to provide a way to connect remotely to the Windows or Linux server. Every customer provides something different: a bastion host, a VPN, a directly opened port, VPN plus bastion host, and so on. It is very complicated and can only be handled case by case.
- Connect to the server remotely.
- Upload the database, JDK and Tomcat installation packages (often slow because of bandwidth limits).
- Install the database.
- Install the JDK, Tomcat and nginx (Linux).
- Manually deploy the WAR packages, etc.
It is the old way, and I will not say more about it. As far as I know there are still some small companies deploying like this, and I would encourage them to make the transition as soon as possible.
Stage 2: Image restore
Period: 2016 ~ 2017
- Party A has to provide a way to connect remotely to the Windows or Linux server (as above: bastion host, VPN, directly opened port, VPN plus bastion host, etc.; case by case).
- Restore the VM from our VM image (Docker included) and set the IP address.
- Deploy the WAR package with the Deploy module.
At this stage our reliance on operations staff dropped sharply, and the workload fell to 2-6 hours. (By then our company had no operations people at all and had entered the DevOps era. In fact, at the beginning of this stage our operations staff left, which forced me to speed up the design.)
Stage 3: Automatic discovery registration + instruction issuing
Period: 2017 ~ 2018
- Party A restores the VM from our VM image and sets its IP address, making sure the machine can ping our company's address.
- Automatic discovery registration + command delivery.
- Deploy the WAR package with the Deploy module.
At this stage a deployment takes 5-10 minutes and we no longer need Party A to provide remote access. We can also manage all the machines in batches, which not only met our needs at the time but also laid the groundwork for later expansion.
The specific technologies
This part covers mainly stages two and three.
The traditional way had many shortcomings, so when I presented the plan to my manager he was very interested and soon assigned me to build it. Several tools and frameworks were evaluated for each part of the scheme; to keep this short, this post only describes the final selection.
frp
frp is an intranet penetration (reverse proxy) tool that can expose a machine without a public IP to the Internet. In this post, however, it is used to expose a port of a machine on one intranet to another intranet.
Install the FRP server
Pick an intranet server, for example 172.0.0.2, and make sure its site has a fixed public IP line. Note that --no-check-certificate disables TLS certificate verification for this download, so review the script before running it.

```shell
wget --no-check-certificate https://raw.githubusercontent.com/clangcn/onekey-install-shell/master/frps/install-frps.sh -O ./install-frps.sh
chmod 700 ./install-frps.sh
./install-frps.sh install
```
All parameters have default values; press Enter to accept the default:
- Please input frps bind_port [1-65535] (Default Server Port: 5443): the port frp uses for communication between server and client. The default is fine.
- Please input frps vhost_http_port [1-65535] (Default vhost_http_port: 80): the HTTP port frp uses for HTTP penetration.
- Please input frps vhost_https_port [1-65535] (Default vhost_https_port: 443): the HTTPS port frp uses for HTTPS penetration.
- Please input frps dashboard_port [1-65535] (Default dashboard_port: 6443): the frp console port, used to view frp's working status. The default is fine.
- Please input dashboard_user (Default: admin): user name for logging in to the console.
- Please input dashboard_pwd (Default: kpkpM7VZ): password for logging in to the console. If you cannot remember the default password, change it.
- Please input privilege_token (Default: 9m2UAOWa6hx5Eise): the token (password) shared between the frp server and its clients. The default is random.
- Please input frps max_pool_count [1-200] (Default max_pool_count: 50): the maximum number of pooled connections each proxy may create. The default is 50.
The script then asks for the log level, the log retention and whether to write a log file:

```text
##### Please select log_level #####
1: info
2: warn
3: error
4: debug
#####################################
Enter your choice (1, 2, 3, 4 or exit. default [1]):
Please input frps log_max_days [1-30](default log_max_days: 3 day):
##### Please select log_file #####
1: enable
2: disable
#####################################
Enter your choice (1, 2 or exit. default [1]):
```
At this point the frp server is set up.
The client
Linux is used as the example here.
Open http://diannaobos.iok.la:81/frp/frp-v0.14.0/
Download frp_0.14.0_linux_amd64.tar.gz and keep only the files whose names start with frpc (the frp client).
Extract them into the Linux home directory as a folder named frp.
Write the reg.sh script
reg.sh also lives in the Linux home directory:
```bash
#!/bin/bash
# Ask the registration center for this machine's config, keyed by its hardware UUID
UUID=$(cat /sys/class/dmi/id/product_uuid)
wget -O frpc.ini "http://114.114.114.114/frp.php?file=$UUID"
# du -s reports 0 blocks for an empty reply, i.e. no change is pending
a=$(du -s frpc.ini | awk '{print $1}')
if [ "$a" -lt 1 ]; then
  echo "none"
else
  echo "action"
  # Replace the running config and restart the client
  pkill frpc
  sleep 2s
  rm -rf ~/frp/frpc.ini
  cp frpc.ini ~/frp/frpc.ini
  ~/frp/frp.sh
fi
```
The UUID is the unique identifier of the server; even when the VM image is identical, the UUID differs.
114.114.114.114 stands for the company's external registration center.
Write a crontab

```shell
crontab -e
*/5 * * * * ~/reg.sh
```
Every 5 minutes the machine registers itself or pulls a pending change request; if the server-side configuration has not changed, the service is not restarted.
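The functions below are an added example (not the author's reg.sh) of what a more careful reg.sh can check before swapping in a fetched config: the download only counts as a change when the file is non-empty, looks like a usable frpc.ini (a [common] section with server_addr, server_port and privilege_token, and a type for every proxy section) and actually differs from the config frpc is already running with. The two file paths it takes are assumptions.

```shell
#!/bin/bash
# Added example: decide whether a freshly downloaded frpc.ini should replace
# the live one. Assumed arguments: $1 = downloaded file, $2 = live ~/frp/frpc.ini.

# 0 if the file has [common] with the three keys frpc needs, and every other
# section ([name]) declares a type; 1 otherwise.
ini_is_valid() {
    local f="$1" key sections typed
    grep -q '^\[common\]' "$f" || return 1
    for key in server_addr server_port privilege_token; do
        grep -Eq "^[[:space:]]*${key}[[:space:]]*=[[:space:]]*[^[:space:]]+" "$f" || return 1
    done
    sections=$(grep -c '^\[' "$f" || true)                  # [common] + proxies
    typed=$(grep -Ec '^[[:space:]]*type[[:space:]]*=' "$f" || true)
    [ "$sections" -eq $((typed + 1)) ]
}

# 0 if the downloaded file differs from the live config (or there is none yet).
config_changed() {
    local fetched="$1" live="$2"
    [ -f "$live" ] || return 0
    ! cmp -s "$fetched" "$live"
}

# Prints the action reg.sh should take: none | invalid | unchanged | action
decide() {
    local fetched="$1" live="$2"
    [ -s "$fetched" ] || { echo none; return 0; }           # empty reply: nothing pending
    ini_is_valid "$fetched" || { echo invalid; return 0; }
    config_changed "$fetched" "$live" || { echo unchanged; return 0; }
    echo action
}

# Stand-alone demo on a constructed config (values taken from the post's .ini example)
demo() {
    local d; d=$(mktemp -d)
    printf '[common]\nserver_addr = 114.114.114.114\nserver_port = 5443\n' > "$d/new.ini"
    printf 'privilege_token = Key\n[webServer]\ntype = tcp\nlocal_port = 22\nremote_port = 7001\n' >> "$d/new.ini"
    echo "first poll:  $(decide "$d/new.ini" "$d/live.ini")"   # action
    cp "$d/new.ini" "$d/live.ini"
    echo "second poll: $(decide "$d/new.ini" "$d/live.ini")"   # unchanged
    rm -rf "$d"
}
demo
```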
Start frp automatically at boot
Linux:

```shell
chmod +x ~/frp/frp.sh
vi /etc/rc.d/rc.local
# Append to the bottom of the file
bash ~/frp/frp.sh
chmod +x /etc/rc.d/rc.local
# Then reboot
```
The simple version of frp.php is as follows:

```php
<?php
$file = $_GET['file'];
// Only a hardware UUID is a valid key; rejecting anything else keeps the
// parameter from naming other files under frp/
if (!preg_match('/^[0-9A-Fa-f-]{36}$/', $file)) { http_response_code(400); exit; }
$filename = 'frp/' . $file . '.ini';
if (!file_exists($filename)) {
    // first contact from this UUID: create an empty config and record the caller
    file_put_contents($filename, "");
    file_put_contents($filename . '.update', $_SERVER['REMOTE_ADDR']);
} elseif (!file_exists($filename . '.update')) {
    // a new config is waiting: deliver it once and mark it as delivered
    echo file_get_contents($filename);
    file_put_contents($filename . '.update', $_SERVER['REMOTE_ADDR']);
}
?>
```
To push a new configuration to a machine, write its <UUID>.ini under frp/ and delete the matching .update marker; the next poll delivers it.
Example .ini:

```ini
[common]
server_addr = 114.114.114.114
server_port = 5443
privilege_token = Key
[webServer]
type = tcp
local_ip = 127.0.0.1
local_port = 22
use_encryption = false
use_compression = false
remote_port = 7001
[a-web]
type = http
local_ip = 127.0.0.1
local_port = 80
use_encryption = false
use_compression = true
custom_domains = a.a.com
```
[common] is the shared part.
[webServer] tunnels local port 22 (SSH) to the company's 172.0.0.2 machine: to reach this intranet machine remotely we only need to connect to port 7001 on 172.0.0.2.
[a-web] exposes local port 80 so that it can be reached from our intranet as a.a.com.
At this point we can log in to the machine remotely and reach its port 80; in principle any port of the machine can be reached this way, and to tunnel a new port we only need to add a section to the .ini. This is the simple version of the introduction.
Ansible can then be used for batch remote control.
ansible
Ansible is an automated operations tool. For details on how to use it, refer to my other blog post, Ansible In Practice.
External network mapping
For example, if the external address is 114.114.114.114, map port 5443 of 114.114.114.114 to port 5443 of 172.0.0.2 and nothing else; no other port needs to be mapped.
docker
How can I refactor an entire R&D project to enable automated DevOps?
Portainer
Refer to my other blog post, Docker's Web Management Platform Comparison (DockerUI, Shipyard, Portainer, Daocloud).
deploy
Deploy is developed by ourselves. For the underlying principles, see Java Web Project WAR Package Automatic Upgrade Deployment Scheme.
conclusion
This post has focused on using frp intranet penetration and tunnelling to deploy to and operate machines that have no external network access and no open port; Ansible for batch control; Docker for rapid deployment; and our own Deploy module for version upgrades.
This approach has cut our operations costs significantly and allowed a small company like ours to enter the DevOps era with no dedicated operations staff.
If you have a similar scenario, I hope this helps.