종합실습
<head cent7을 구성>
미니멀로 설치.
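# Install the KVM/libvirt tool set on the minimal CentOS 7 host.
# 'libguestfs*' is a yum package glob (every package whose name starts with
# libguestfs); it is quoted so the shell cannot expand it against files in the cwd.
yum -y install bridge-utils net-tools virt-install virt-viewer virt-manager \
  'libguestfs*' libvirt qemu-kvm wget unzip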
[root@srv1 network-scripts]# cat ifcfg-br0
DEVICE=br0
TYPE=Bridge
BOOTPROTO=none
DEFROUTE=yes
NAME=br0
ONBOOT=yes
DNS1=8.8.8.8
IPADDR=211.183.3.100
PREFIX=24
GATEWAY=211.183.3.2
[root@srv1 network-scripts]# cat ifcfg-eth0
TYPE=Ethernet
DEVICE=eth0
ONBOOT=yes
BRIDGE=br0
# Write the libvirt network definitions for the two internal lab segments:
#   kvmnet1 -> bridge virbr1, gateway 192.168.10.1/24
#   kvmnet2 -> bridge virbr2, gateway 192.168.20.1/24
# Neither definition carries a <forward> element, so libvirt creates them as
# isolated (non-NAT) networks; routing between them and the outside is done by
# the VyOS VM, not by libvirt.
# NOTE(review): the files land in the current directory, while the later
# `virsh net-define` step reads /etc/libvirt/qemu/networks/<name>.xml — run
# this there or move the files before defining the networks.
(
  for n in 1 2; do
    {
      printf '<network>\n'
      printf '<name>kvmnet%s</name>\n' "$n"
      printf "<bridge name='virbr%s' stp='on' delay='0'/>\n" "$n"
      printf "<domain name='kvmnet%s'/>\n" "$n"
      printf "<ip address='192.168.%s0.1' netmask='255.255.255.0'>\n" "$n"
      printf '</ip>\n'
      printf '</network>\n'
    } > "kvmnet${n}.xml"
  done
)
[root@srv3 network-scripts]# systemctl restart network
[root@srv3 ~]# systemctl restart libvirtd
[root@srv3 ~]# systemctl enable libvirtd
[root@srv3 ~]# vi /etc/libvirt/qemu.conf
[root@srv3 ~]# virsh net-define /etc/libvirt/qemu/networks/kvmnet1.xml
[root@srv3 ~]# virsh net-define /etc/libvirt/qemu/networks/kvmnet2.xml
[root@srv3 ~]# virsh net-start kvmnet1
[root@srv3 ~]# virsh net-start kvmnet2
[root@srv3 ~]# virsh net-autostart kvmnet2
[root@srv3 ~]# virsh net-autostart kvmnet1
[root@srv3 ~]# virt-install --name vyos --vcpus 2 --ram 512 --cdrom=/remote/images/vyos.iso --disk path=/remote/vm/vyos.img,size=2 --noautoconsole --graphic vnc --network bridge=br0 --network network=kvmnet1 --network network=kvmnet2 --os-variant=debian8
# head vyos 설치.
[root@srv3 ~]# virsh console vyos
vyos@vyos# set int eth eth0 add 211.183.3.80/24
# 외부에서 접속할 주소가 80이라고 했기때문에
vyos@vyos# set int eth eth1 add 192.168.10.250/24
vyos@vyos# set int eth eth2 add 192.168.20.250/24
vyos@vyos# set ser ssh port 22
vyos@vyos# set system gateway-address 211.183.3.2
<VYOS-BRANCH>
set int eth eth0 add 211.183.3.90/24
set int eth eth1 add 192.168.30.250/24
set system gate 211.183.3.2
set ser ssh port 22
#기본 설정
set vpn ipsec esp-group branch-esp compression disable
set vpn ipsec esp-group branch-esp lifetime 1800
set vpn ipsec esp-group branch-esp mode tunnel
set vpn ipsec esp-group branch-esp pfs enable
set vpn ipsec esp-group branch-esp proposal 1 encryption aes256
set vpn ipsec esp-group branch-esp proposal 1 hash sha256
set vpn ipsec ike-group branch-ike ikev2-reauth no
set vpn ipsec ike-group branch-ike key-exchange ikev1
set vpn ipsec ike-group branch-ike lifetime 3600
set vpn ipsec ike-group branch-ike proposal 1 encryption aes256
set vpn ipsec ike-group branch-ike proposal 1 hash sha256
set vpn ipsec ipsec-interfaces interface eth0
set vpn ipsec site-to-site peer 211.183.3.80 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 211.183.3.80 authentication pre-shared-secret rapa
set vpn ipsec site-to-site peer 211.183.3.80 ike-group branch-ike
set vpn ipsec site-to-site peer 211.183.3.80 local-address 211.183.3.90
set vpn ipsec site-to-site peer 211.183.3.80 tunnel 0 allow-nat-networks disable
set vpn ipsec site-to-site peer 211.183.3.80 tunnel 0 allow-public-networks disable
set vpn ipsec site-to-site peer 211.183.3.80 tunnel 0 esp-group branch-esp
set vpn ipsec site-to-site peer 211.183.3.80 tunnel 0 local prefix 192.168.30.0/24
set vpn ipsec site-to-site peer 211.183.3.80 tunnel 0 remote prefix 192.168.20.0/24
#vpn (pre-shared-secret 'rapa' 는 설정 파일에 평문으로 남는 실습용 값. 실습 외 환경에서는 길고 무작위한 키를 쓰고 key-exchange 는 ikev2 를 권장. head 쪽(211.183.3.80) 설정도 동일.)
set nat source rule 9 destination address 192.168.20.0/24
set nat source rule 9 exclude
set nat source rule 9 outbound-interface eth0
set nat source rule 9 source address 192.168.30.0/24
set nat source rule 10 outbound-interface eth0
set nat source rule 10 source address 192.168.30.0/24
set nat source rule 10 translation address masquerade
#nat
[root@varwp ~]# yum -y install mariadb-server
mysql
create database tomdb;
grant all privileges on tomdb.* to tomuser@'%' identified by '1234';
# tomuser@'%' 는 모든 호스트에서의 접속을 허용하고 '1234' 는 실습용 암호. 실습 외 환경에서는 호스트를 WAS 주소(192.168.20.88)로 제한하고 충분히 긴 무작위 암호를 사용할 것.
<tomcat>
[root@head-cent tomcat]# yum -y install java-11-openjdk
[root@head-cent tomcat]# wget http://dlcdn.apache.org/tomcat/tomcat-10/v10.1.23/bin/apache-tomcat-10.1.23.zip
# http 대신 https 로 받고, 같은 사이트에 있는 .sha512 값과 대조해 아카이브가 변조되지 않았는지 확인한 뒤 풀 것.
# (unzip apache-tomcat-10.1.23.zip 으로 풀어 둔 디렉터리를 옮김)
[root@head-cent ~]# mv apache-tomcat-10.1.23 tomcat
[root@head-cent ~]# chmod 777 -R tomcat/
# 777 은 모든 사용자에게 쓰기 권한까지 주므로 conf/, webapps/ 를 누구나 수정할 수 있게 됨. 실행 권한이 필요한 것은 bin/*.sh 뿐이므로 chmod +x tomcat/bin/*.sh 정도면 충분.
[root@head-cent tomcat]# cd /root/tomcat/lib/
[root@head-cent lib]# wget https://repo1.maven.org/maven2/mysql/mysql-connector-java/8.0.23/mysql-connector-java-8.0.23.jar
톰캣이 동작하는지 확인.
ss : socket statistics 소켓의 상태 확인.
[root@head-cent lib]# ss -tnlp
t : tcp
l : listen
p : 소켓을 사용하는 프로세스(PID/이름) 표시.
n : 주소를 숫자로 표현.
[root@head-cent tomcat]# ./bin/startup.sh
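# Remove any previously installed JDK before installing the one Tomcat will use.
# The yum glob is quoted so the shell does not expand it against the cwd.
# Note that 'java-1*' also matches java-11-openjdk itself, which is why the
# install is repeated right after the removal.
yum -y remove 'java-1*'
# Install the JDK used by Tomcat 10.1.
yum -y install java-11-openjdk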
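# Write a smoke-test JSP that opens a JDBC connection to the lab database.
# The heredoc delimiter is quoted so nothing inside is shell-expanded.
# Replace the <...> placeholders with the DB host, schema, user and password
# (e.g. the tomdb/tomuser pair created on the DB VM).
cat <<'EOF' > dbtest.jsp
<%@ page language="java" contentType="text/html; charset=UTF-8" pageEncoding="UTF-8"%>
<%@ page import="java.sql.*"%>
<h1>DB</h1>
<%
Connection conn=null;
try{
String Url="jdbc:mysql://<DB주소>/<DB이름>";
String Id="<DB유저>";
String Pass="<유저암호>";
// Connector/J 8.x driver class; the legacy com.mysql.jdbc.Driver name still loads but is deprecated.
Class.forName("com.mysql.cj.jdbc.Driver");
conn=DriverManager.getConnection(Url,Id,Pass);
out.println("was-db Connection Success!");
}catch(Exception e) {
// Details go to the server log (stderr), not into the HTTP response.
e.printStackTrace();
}finally{
// Always release the connection so a test page cannot leak pool/socket resources.
if(conn!=null){
try{ conn.close(); }catch(SQLException ignore){}
}
}
%>
EOF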
<VPN 구성>
<head>
set vpn ipsec esp-group head-esp compression disable
set vpn ipsec esp-group head-esp lifetime 1800
set vpn ipsec esp-group head-esp mode tunnel
set vpn ipsec esp-group head-esp pfs enable
set vpn ipsec esp-group head-esp proposal 1 encryption aes256
set vpn ipsec esp-group head-esp proposal 1 hash sha256
set vpn ipsec ike-group head-ike ikev2-reauth no
set vpn ipsec ike-group head-ike key-exchange ikev1
set vpn ipsec ike-group head-ike lifetime 3600
set vpn ipsec ike-group head-ike proposal 1 encryption aes256
set vpn ipsec ike-group head-ike proposal 1 hash sha256
set vpn ipsec ipsec-interfaces interface eth0
set vpn ipsec site-to-site peer 211.183.3.90 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 211.183.3.90 authentication pre-shared-secret rapa
set vpn ipsec site-to-site peer 211.183.3.90 ike-group head-ike
set vpn ipsec site-to-site peer 211.183.3.90 local-address 211.183.3.80
set vpn ipsec site-to-site peer 211.183.3.90 tunnel 0 allow-nat-networks disable
set vpn ipsec site-to-site peer 211.183.3.90 tunnel 0 allow-public-networks disable
set vpn ipsec site-to-site peer 211.183.3.90 tunnel 0 esp-group head-esp
set vpn ipsec site-to-site peer 211.183.3.90 tunnel 0 local prefix 192.168.20.0/24
set vpn ipsec site-to-site peer 211.183.3.90 tunnel 0 remote prefix 192.168.30.0/24
set nat source rule 9 destination address 192.168.30.0/24
set nat source rule 9 exclude
set nat source rule 9 outbound-interface eth0
set nat source rule 9 source address 192.168.20.0/24
set nat source rule 10 outbound-interface eth0
set nat source rule 10 source address 192.168.20.0/24
set nat source rule 10 translation address masquerade
톰캣 커스터마이징 이미지 생성시 해야할것.
1.tomcat이라는 폴더를 내부로 옮겨줌(부팅전)
--copy-in /root/tomcat:/root
2.openjdk설치(부팅전)
--run-command 'yum -y install java-11-openjdk'
3.ifcfg 파일 넣어줘야함.(부팅전)
[root@head-cent ~]# vi /root/tomcat/ifcfg-eth0
TYPE=Ethernet
BOOTPROTO=none
DEFROUTE=yes
NAME=ens3
DEVICE=ens3
ONBOOT=yes
IPADDR=192.168.20.88
PREFIX=24
GATEWAY=192.168.20.250
DNS1=8.8.8.8
NM_CONTROLLED=no
--upload /root/tomcat/ifcfg-eth0:/etc/sysconfig/network-scripts/ifcfg-eth0
--run-command 'systemctl restart network'
# 필요한 옵션.
4.방화벽(첫부팅시), 셀리눅스 off(부팅전)
--run-command 'sed -i s/SELINUX=enforcing/SELINUX=disabled/g /etc/selinux/config' --firstboot-command 'systemctl disable --now firewalld'
5.tomcat동작(첫부팅시)
--firstboot-command '/root/tomcat/bin/startup.sh'
# Build the Tomcat image offline. virt-customize applies these operations in
# command-line order: --run-command runs while the image is being customised
# (before first boot), --firstboot-command runs inside the guest on first boot.
# Resulting guest posture: SELinux is set to disabled and firewalld is turned
# off on first boot, so no host-level filtering is left in front of Tomcat
# (lab setting; re-enable both before exposing the guest beyond kvmnet2).
# NOTE(review): `systemctl restart network` under --run-command executes
# against the offline image (no running systemd), so it is presumably a no-op
# — confirm; the uploaded ifcfg-eth0 takes effect at boot anyway.
virt-customize -a /remote/images/centtom.img \
  --copy-in /root/tomcat:/root \
  --upload /root/tomcat/ifcfg-eth0:/etc/sysconfig/network-scripts/ifcfg-eth0 \
  --run-command 'systemctl restart network' \
  --run-command 'sed -i s/SELINUX=enforcing/SELINUX=disabled/g /etc/selinux/config' \
  --firstboot-command 'systemctl disable --now firewalld' \
  --selinux-relabel \
  --run-command 'yum -y install java-11-openjdk' \
  --firstboot-command '/root/tomcat/bin/startup.sh'
# Import the customised disk as the 'centtom' VM on kvmnet2 (192.168.20.0/24).
virt-install --name=centtom --ram=2048 --network network=kvmnet2 \
  --disk=/remote/images/centtom.img --import --noautoconsole --graphic=vnc
# Attach to the console of the new guest.
virsh console centtom
선후관계를 생각했을때
run : 이미지를 생성할때 실행할 명령어 (부팅이전)
firstboot : 첫부팅시에 실행될 명령어 (부팅이후)
이므로, selinux같은것들은 미리 비활성화를 시켜야하므로 --run-command로 하고, 톰캣을 동작시키는 스크립트의 경우 --firstboot-command로.
# conf파일 수정.
LoadModule proxy_connect_module modules/mod_proxy_connect.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
# 80번 포트로 들어오는 모든 IP에 대한 설정 (httpd.conf 는 지시어 줄 끝의 주석을 허용하지 않으므로 주석은 별도 줄에 둔다)
<VirtualHost *:80>
ProxyRequests Off
ProxyPreserveHost On
# Order/Allow 는 httpd 2.2 문법. CentOS 7 의 httpd 2.4 에서는 mod_access_compat 가 있어야 동작하며, 2.4 문법은 Require all granted.
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
ProxyPass /was http://192.168.20.88:8080/ disablereuse=on
ProxyPassReverse /was http://192.168.20.88:8080/
</VirtualHost>
[root@head-cent ~]# cp /etc/httpd/conf/httpd.conf /root/httpd.conf
# 위의 내용을 추가후, httpd.conf파일을 /root에 복사해둔다.
방화벽,셀리눅스 off,
웹서버 설치, httpd.conf 수정, 동작.
vi /root/ifcfg-eth0
TYPE=Ethernet
BOOTPROTO=none
DEFROUTE=yes
NAME=ens3
DEVICE=ens3
ONBOOT=yes
IPADDR=192.168.10.80
PREFIX=24
GATEWAY=192.168.10.250
NM_CONTROLLED=no
# root에 ifcfg-eth0를 만들어준다.
# Build the web-tier image offline (same ordering rules as the Tomcat image:
# --run-command during customisation, --firstboot-command on first boot).
# SELinux ends up disabled and firewalld off on first boot (lab setting).
# NOTE(review): the `systemctl restart ...` calls under --run-command target the
# offline image, so the restarts presumably do nothing; `systemctl enable httpd`
# is the part that matters, and in this && chain it only runs if both restarts
# return 0 — confirm.
# NOTE(review): the last --firstboot-command starts /root/tomcat/bin/startup.sh,
# but nothing copies a Tomcat tree into this image; it looks like a leftover
# from the centtom command and can probably be dropped — confirm.
virt-customize -a /remote/images/centweb.img \
  --run-command 'yum -y install httpd' \
  --upload /root/httpd.conf:/etc/httpd/conf/httpd.conf \
  --upload /root/ifcfg-eth0:/etc/sysconfig/network-scripts/ifcfg-eth0 \
  --run-command 'systemctl restart network && systemctl restart httpd && systemctl enable httpd' \
  --run-command 'sed -i s/SELINUX=enforcing/SELINUX=disabled/g /etc/selinux/config' \
  --firstboot-command 'systemctl disable --now firewalld' \
  --selinux-relabel \
  --firstboot-command '/root/tomcat/bin/startup.sh'
# Import the customised disk as the 'centweb' VM on kvmnet1 (192.168.10.0/24).
virt-install --name=centweb --ram=2048 --network network=kvmnet1 \
  --disk=/remote/images/centweb.img --import --noautoconsole --graphic=vnc
# web-tomcat-db 연동 확인
vyos@vyos# set nat destination rule 100 inbound-interface eth0
vyos@vyos# set nat destination rule 100 destination port 80
vyos@vyos# set nat destination rule 100 translation address 192.168.10.80
# 웹서버 접속을 위한 DNAT 설정. destination port 를 지정한 규칙은 set nat destination rule 100 protocol tcp 도 함께 설정해야 commit 이 통과한다.