Gravitational Teleport docker-compose组件独立部署运行

Gravitational Teleport 可以作为堡垒机进行使用,上次写过一个all in one 的,这次参考官方
的配置运行一个proxy node auth 分离的应用
备注: 基于docker-compose 运行

环境准备

  • docker-compose 文件
 
version: '2'
services:
  two-auth:
    mem_limit: 300m
    image: quay.io/gravitational/teleport:3.1.1
    container_name: two-auth
    volumes:
      - ./data/two/auth:/var/lib/teleport
      - ./two-auth.yaml:/etc/teleport/teleport.yaml
    networks:
      teleport:
        ipv4_address: 172.10.1.2
  two-proxy:
    mem_limit: 300m
    image: quay.io/gravitational/teleport:3.1.1
    container_name: two-proxy
    ports:
      - "5080:5080"
      - "5023:5023"
    volumes:
      - ./data/two/proxy:/var/lib/teleport
      - ./two-proxy.yaml:/etc/teleport/teleport.yaml
    networks:
      teleport:
        ipv4_address: 172.10.1.3
  two-node:
    mem_limit: 300m
    image: quay.io/gravitational/teleport:3.1.1
    container_name: two-node
    volumes:
      - ./data/two/node:/var/lib/teleport
      - ./two-node.yaml:/etc/teleport/teleport.yaml
    networks:
      teleport:
        ipv4_address: 172.10.1.4
networks:
  teleport:
    ipam:
      driver: default
      config:
      - subnet: 172.10.1.0/16
        ip_range: 172.10.1.0/24
        gateway: 172.10.1.254
volumes:
  certs:
 
  • auth 配置文件
    two-auth.yaml: 同时运行在node 角色
 
# Auth server for cluster "two". Also runs "node" role
teleport:
  nodename: two-auth
  log:
    output: /var/lib/teleport/teleport.log
    severity: INFO
  data_dir: /var/lib/teleport
  storage:
      path: /var/lib/teleport/backend
      type: dir
auth_service:
  enabled: yes
  authentication:
    type: local
    second_factor: off
  cluster_name: two
  tokens: 
       - "node,auth,proxy:foo"
  listen_addr: 172.10.1.2:3025
ssh_service:
  enabled: yes
  labels:
      cluster: two
      role: auth+node
  commands:
      - name: kernel
        command: [/bin/uname, -r]
        period: 5m
proxy_service:
  enabled: no
  • proxy 配置文件
    two-proxy.yaml 文件:同时运行node 角色,注意指定了auth 服务同时使用静态token 进行
    加入
 
# Proxy server for cluster "two". Also runs "node" role
teleport:
  nodename: two-proxy
  auth_servers: ["two-auth"]
  auth_token: foo
  log:
    output: /var/lib/teleport/teleport.log
    severity: INFO
  data_dir: /var/lib/teleport
  storage:
      path: /var/lib/teleport/backend
      type: dir
auth_service:
  enabled: no
ssh_service:
  enabled: yes
  labels:
      cluster: two
      role: proxy+node
  commands:
      - name: kernel
        command: [/bin/uname, -r]
        period: 5m
proxy_service:
   enabled: yes
   listen_addr: 0.0.0.0:5023
   web_listen_addr: 0.0.0.0:5080
 
 
  • node 配置
    two-node.yaml,同时使用静态token 进行加入
 
# Dumb SSH node for cluster "two"
teleport:
  nodename: node-on-second-cluster
  auth_servers: ["two-auth"]
  auth_token: foo
  advertise_ip: 172.10.1.4
  log:
    output: /var/lib/teleport/teleport.log
    severity: INFO
  data_dir: /var/lib/teleport
  storage:
      path: /var/lib/teleport/backend
      type: dir
ssh_service:
  enabled: yes
  labels:
      cluster: two
      role: dumb_node
proxy_service:
   enabled: no
auth_service:
  enabled: no
 
 

运行&&测试

  • 运行
docker-compose up -d
  • 添加用户
    auth server inside 容器
 
tctl -c /etc/teleport/teleport.yaml users add root
Signup token has been created and is valid for 1 hours. Share this URL with the user:
https://localhost:3080/web/newuser/54ac1593143d9a44a497c1346f9e0fc9
NOTE: Make sure two-proxy:3080 points at a Teleport proxy which users can access.
 
 

Gravitational Teleport docker-compose组件独立部署运行_编程
Gravitational Teleport docker-compose组件独立部署运行_编程_02

  • 访问连接

Gravitational Teleport docker-compose组件独立部署运行_编程_03

  • 历史回放功能

Gravitational Teleport docker-compose组件独立部署运行_编程_04
Gravitational Teleport docker-compose组件独立部署运行_编程_05

参考资料

https://gravitational.com/teleport/docs/quickstart/