This article was published in Cylon's Collection; please credit the original link when reposting.


What is Uranus?

Uranus is a central controller for Linux firewalld. In Greek mythology, Uranus is the king of the gods; the firewall gateway is the Uranus for iptables.

Prerequisites

Hardware requirements

We recommend these hardware requirements for production systems or for development systems that are designed to demonstrate production use cases:

| Item | Description | Minimum requirements | Recommended |
|------|-------------|----------------------|-------------|
| Per instance | You can install on one node but many features require at least one node. | 1 instance | > 1 instances |
| RAM per instance | Defining your RAM size must be part of the capacity planning for your Uranus usage. | 512 MB | >= 1 GB |
| Persistent Storage | The amount of storage space for each node. | 1 GB | >= 10 GB |

Software requirements

| Item | Description | Recommended |
|------|-------------|-------------|
| OS / Platform | Linux, Kubernetes | Debian 11, CentOS 7 |
| Firewalld | 0.6.3, 0.9.2 | CentOS 7 default version, Debian 11 default version |

Build and run Uranus

Set up Uranus in binary mode

Build and run the Uranus backend

git clone https://github.com/cylonchau/firewalld-gateway.git

Compile

cd firewalld-gateway && make build

The first time, you need to migrate the database

# currently sql-driver supports sqlite or mysql
./_output/firewalld-gateway --migration --sql-driver=sqlite  --config firewalld-gateway.toml -v 10

Initialize the API docs

swag init -g cmd/main.go --output ./docs/  --packageName docs

Run Uranus

./_output/firewalld-gateway --sql-driver=sqlite  --config firewalld-gateway.toml -v 5

Set up the Uranus frontend

Install Nginx

yum install nginx -y
# or
apt install nginx -y

Configure nginx

cd /etc/nginx/ && \
mv nginx.conf nginx.conf.default
grep -Ev '^$|#' nginx.conf.default > nginx.conf && \
sed -i '/include/i \    include /etc/nginx/conf.d/*.conf;' nginx.conf && \
cd conf.d

Create fw.conf in the conf.d directory

cat <<EOF > fw.conf
server {
     listen 80;
     root /var/run/dist;

     location / {
       try_files \$uri \$uri/ @router;
       index index.html;
     }
     location ~ /fw/(?<section>.*) {
        proxy_pass http://10.0.0.1:2952/fw/\$section\$is_args\$args;
        proxy_set_header X-Forwarded-Host \$server_name;
        proxy_set_header X-Forwarded-Port \$server_port;
        proxy_set_header X-Forwarded-Server \$host;
        proxy_set_header X-Forwarded-Scheme \$scheme;
        proxy_set_header X-Forwarded-URI \$request_uri;
        proxy_set_header X-Real-IP       \$remote_addr;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
    }
    location ~ /security/(?<section>.*) {
        proxy_pass http://10.0.0.1:2952/security/\$section\$is_args\$args;
        proxy_set_header X-Forwarded-Host \$server_name;
        proxy_set_header X-Forwarded-Port \$server_port;
        proxy_set_header X-Forwarded-Server \$host;
        proxy_set_header X-Forwarded-Scheme \$scheme;
        proxy_set_header X-Forwarded-URI \$request_uri;
        proxy_set_header X-Real-IP       \$remote_addr;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
    }
    
    location ~ /sso/(?<section>.*) {
        proxy_pass http://10.0.0.1:2952/sso/\$section\$is_args\$args;
        proxy_set_header X-Forwarded-Host \$server_name;
        proxy_set_header X-Forwarded-Port \$server_port;
        proxy_set_header X-Forwarded-Server \$host;
        proxy_set_header X-Forwarded-Scheme \$scheme;
        proxy_set_header X-Forwarded-URI \$request_uri;
        proxy_set_header X-Real-IP       \$remote_addr;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
    }
    
    location /ping {
       proxy_pass http://10.0.0.1:2952/ping;
       proxy_set_header X-Forwarded-Port \$server_port;
       proxy_set_header X-Forwarded-Server \$host;
       proxy_set_header X-Forwarded-Scheme \$scheme;
       proxy_set_header X-Forwarded-URI \$request_uri;
       proxy_set_header X-Real-IP       \$remote_addr;
       proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
    }
}
EOF

Copy dist directory to /var/run/

mv dist /var/run/

Start nginx

systemctl start nginx

Set up Uranus with Docker

Clone the repository

git clone https://github.com/cylonchau/firewalld-gateway.git

Build image

docker build -t cylonchau/uranus:v0.0.5 .

Run

docker run -d --rm --name uranus -p 2953:2953 cylonchau/uranus:v0.0.5

Note: this mode uses sqlite by default, so if you want to use an external database, change the config file and then build the image.


Set up firewalld

Download

By default, we provide two firewalld variant versions:

  • CentOS 7 or CentOS 6
  • Debian 11

You can download and install these firewalld versions on your Linux host:

https://github.com/cylonchau/firewalld/releases


Install

CentOS 7

rpm -e python-firewall-0.6.3-11 --nodeps &&
rpm -ivh  python-firewall-0.6.3-4.el7.noarch.rpm

Debian 11

dpkg -r python3-firewall && \
dpkg -i python3-firewall_0.9.3-2_amd64.deb

Configure

Enable D-Bus remote mode

CentOS

Edit /etc/dbus-1/system.conf

<!--
This configuration file is no longer required and may be removed.

In older versions of dbus, this file defined the behaviour of the well-known
system bus. That behaviour is now determined by
/usr/share/dbus-1/system.conf, which should not be edited.

For local configuration changes, create a file
system-local.conf or files matching system.d/*.conf in the same directory
as this one, with a <busconfig> element containing configuration directives.
These directives can override D-Bus or OS defaults.

For upstream or distribution-wide defaults that can be overridden
by a local sysadmin, create files matching
/usr/share/dbus-1/system.d/*.conf instead.
-->
<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-Bus Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
<listen>tcp:host=10.0.0.3,bind=*,port=55556,family=ipv4</listen>
<listen>unix:tmpdir=/tmp</listen>

<!-- Add this part -->
<policy context="default">
    <allow user="root" />
    <allow own="com.github.cylonchau.Uranus" /> <!-- allow Uranus to register its name with dbus-daemon -->
    <!-- if the requester is com.github.cylonchau.Uranus and the request path is /org/fedoraproject/FirewallD1, then allow -->
    <allow receive_sender="com.github.cylonchau.Uranus" receive_path="/org/fedoraproject/FirewallD1" />
</policy>
  <auth>ANONYMOUS</auth>
  <allow_anonymous/>
</busconfig>

Enable the D-Bus TCP port

Edit /usr/lib/systemd/system/dbus.socket

[Unit]
Description=D-Bus System Message Bus Socket

[Socket]
ListenStream=/var/run/dbus/system_bus_socket
# Add this line (systemd unit files do not accept a comment after a value)
ListenStream=55556

Reload service

systemctl reload firewalld

Debian

Edit /etc/dbus-1/system.conf

<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-Bus Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
<listen>tcp:host=10.0.0.3,bind=*,port=55556,family=ipv4</listen>
<listen>unix:tmpdir=/tmp</listen>

<!-- Add this part -->
<policy context="default">
    <allow user="root" />
    <allow own="com.github.cylonchau.Uranus" /> <!-- allow Uranus to register its name with dbus-daemon -->
    <!-- if the requester is com.github.cylonchau.Uranus and the request path is /org/fedoraproject/FirewallD1, then allow -->
    <allow receive_sender="com.github.cylonchau.Uranus" receive_path="/org/fedoraproject/FirewallD1" />
</policy>

  <auth>ANONYMOUS</auth>
  <allow_anonymous/>
</busconfig>

Edit /usr/lib/systemd/system/dbus.socket

[Unit]
Description=D-Bus System Message Bus Socket

# Add this part
[Socket]
ListenStream=/var/run/dbus/system_bus_socket
ListenStream=55556
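
To verify that a host's D-Bus configuration matches the edits above, and to see what the ANONYMOUS auth plus the TCP listener bound to every interface exposes, here is an added audit script in Python; it is not part of this article or the firewalld-gateway project. The sample configurations are constructed inline from the system.conf snippet shown above; the hardened variant assumes you pin the listener to the management address instead of bind=* and drop anonymous auth.

```python
import xml.etree.ElementTree as ET

URANUS_BUS_NAME = "com.github.cylonchau.Uranus"
FIREWALLD_PATH = "/org/fedoraproject/FirewallD1"

# Constructed sample mirroring the /etc/dbus-1/system.conf edits shown above.
SAMPLE_CONF = """<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-Bus Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
<listen>tcp:host=10.0.0.3,bind=*,port=55556,family=ipv4</listen>
<listen>unix:tmpdir=/tmp</listen>
<policy context="default">
    <allow user="root" />
    <allow own="com.github.cylonchau.Uranus" />
    <allow receive_sender="com.github.cylonchau.Uranus" receive_path="/org/fedoraproject/FirewallD1" />
</policy>
  <auth>ANONYMOUS</auth>
  <allow_anonymous/>
</busconfig>
"""
# Same file with the listener pinned to one address and anonymous auth removed (assumed hardening).
HARDENED_CONF = (SAMPLE_CONF.replace("bind=*", "bind=10.0.0.3")
                 .replace("<auth>ANONYMOUS</auth>", "").replace("<allow_anonymous/>", ""))


def parse_listen(address):
    """Split a D-Bus listen address 'transport:k=v,k=v' into (transport, params)."""
    transport, _, rest = address.partition(":")
    params = dict(kv.split("=", 1) for kv in rest.split(",") if kv)
    return transport, params


def audit_busconfig(xml_text):
    """Report TCP listeners, anonymous auth and the Uranus policy, plus risk findings."""
    root = ET.fromstring(xml_text)  # expat ignores the external DTD reference
    findings, tcp_listeners = [], []
    for el in root.iter("listen"):
        transport, params = parse_listen(el.text.strip())
        if transport == "tcp":
            tcp_listeners.append(params)
            if params.get("bind") in ("*", "0.0.0.0"):
                findings.append(f"tcp listener on port {params.get('port')} binds every interface")
    anonymous = (any(a.text.strip() == "ANONYMOUS" for a in root.iter("auth"))
                 or root.find("allow_anonymous") is not None)
    if tcp_listeners and anonymous:
        findings.append("anonymous auth on a TCP listener: any peer reaching the port can use the bus")
    uranus_policy = any(a.get("receive_sender") == URANUS_BUS_NAME
                        and a.get("receive_path") == FIREWALLD_PATH for a in root.iter("allow"))
    return {"tcp_listeners": tcp_listeners, "anonymous": anonymous,
            "uranus_policy": uranus_policy, "findings": findings}
```

Run it against a real host with audit_busconfig(open("/etc/dbus-1/system.conf").read()); an empty findings list with uranus_policy set to True is the state you want after hardening.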

Add a managed firewalld Linux host to Uranus

Add host


Link: https://www.oomkill.com/2024/08/uranus-installation/

Copyright: This work is licensed under the Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International license.