dienste:bytecluster0002:traefik

Differences

This page shows the differences between two revisions.

dienste:bytecluster0002:traefik [27.09.2020 19:29] – created hipposen
dienste:bytecluster0002:traefik [12.12.2020 21:55] (current) mape2k
Zeile 1: Zeile 1:
-create CT+====== Container 'traefik' ======
  
-Template Debian-10-bytecluster-with-users+===== Ressourcen =====
  
-Root Disk: 16G+  * 0.5 GB RAM 
 +  * 1 Cores 
 +  * 8 GB HDD (root-fs)
  
-Cpu: 1+===== System =====
  
-mem512mb+  * interne IPs 
 +    * 10.2.0.1, fd00:10:2:0::1
  
-Network+===== Dienste =====
  
-eth0 static with 10.2.0.1/24+  * Traefik (Loadbalancer, SSL-Terminierung)
  
-GW 10.2.0.254+===== Betrieb =====
  
-DNS use host+==== Routing für Domain anlegen ====
  
 +  - DNS-Eintrag anlegen
 +    * Name: **Subdomain** der entsprechenden Domain 
 +    * Typ: **CNAME**
 +    * Wert: **bytecluster0002.bytespeicher.org**
 +    * TTL: **3600**
 +  - Konfiguration anlegen
 +    - Beispiel für einfachen Webdienst auf einem anderen Port<file|/etc/traefik/conf/testwiki.conf>
 +[http.services]
 +  [http.services.testwiki.loadbalancer]
 +    [[http.services.testwiki.loadbalancer.servers]]
 +      # Internal Destination URL and port
 +      url = "http://10.2.0.10:8088"
  
-Login: +[http.routers]
  
 +  [http.routers.testwiki]
 +    entryPoints = [ "https"]
 +    # Domain used for service
 +    rule = "Host(`testwiki.technikkultur-erfurt.de`)"
 +    # Servicename used in http.services.SERVICENAME.loadbalancer above
 +    service = "testwiki"
 +    [http.routers.wiki.tls]
 +      # Use Let's Encrypt
 +      certResolver = "letsencrypt"
 +</file>
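Review bot: The TLS table in the example is declared as `[http.routers.wiki.tls]`, but the router above it is `[http.routers.testwiki]`, so `certResolver = "letsencrypt"` attaches to a separate router key `wiki` and the `testwiki` router on the `https` entry point is left without its TLS section. Rename the table to `[http.routers.testwiki.tls]` so the example works when copied, and consider a comment stating that the router name must be the same in both table headers.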
 +===== Installation =====
  
-wget https://github.com/traefik/traefik/releases/download/v2.3.0/traefik_v2.3.0_linux_amd64.tar.gz+  * Standard-Template mit Benutzern
  
-git clone https://github.com/Bytespeicher/traefik+==== Traefik ====
  
-cd traefik+  - Traefik herunterladen 
 +    * **wget https://github.com/traefik/traefik/releases/download/v2.3.1/traefik_v2.3.1_linux_amd64.tar.gz** 
 +  - Verzeichnisse erstellen 
 +    * **sudo mkdir /opt/traefik** 
 +    * **sudo mkdir -p /etc/traefik/{acme,conf}** 
 +    * **sudo mkdir /var/log/traefik** 
 +  - Traefik-Archiv auspacken und entfernen 
 +    * **<nowiki>sudo tar -xvzf traefik_v2.3.1_linux_amd64.tar.gz --directory=/opt/traefik</nowiki>** 
 +    * **rm traefik_v2.3.1_linux_amd64.tar.gz**  
 +  - Benutzer und Gruppe anlegen 
 +    * **<nowiki>sudo groupadd --gid 321 traefik</nowiki>** 
 +    * **<nowiki>sudo useradd --gid traefik --no-user-group --home-dir /opt/traefik --no-create-home --shell /usr/sbin/nologin --system --uid 321 traefik</nowiki>** 
 +  - Konfiguration anlegen 
 +    * **TODO**  
 +  - Service Unit anlegen<file|/etc/systemd/system/traefik.service> 
 +[Unit] 
 +Description=traefik proxy 
 +After=network-online.target 
 +Wants=network-online.target systemd-networkd-wait-online.service
  
-tar xfz traefik_v2.3.0_linux_amd64.tar.gz+[Service] 
 +Restart=on-abnormal
  
-rm traefik_v2.3.0_linux_amd64.tar.gz+; User and group the process will run as. 
 +User=traefik 
 +Group=traefik
  
-sudo cp /path/to/traefik /usr/local/bin+; Always set "-root" to something safe in case it gets forgotten in the traefikfile. 
 +ExecStart=/opt/traefik/traefik --configfile=/etc/traefik/traefik.toml
  
-sudo chown root:root /usr/local/bin/traefik+; Limit the number of file descriptors; see `man systemd.exec` for more limit settings. 
 +LimitNOFILE=1048576
  
-sudo chmod 755 /usr/local/bin/traefik+; Use private /tmp and /var/tmp, which are discarded after traefik stops. 
 +PrivateTmp=true 
 +; Use a minimal /dev (May bring additional security if switched to 'true', but it may not work on Raspberry Pi's or other devices, so it has been disabled in this dist.) 
 +PrivateDevices=false 
 +; Hide /home, /root, and /run/user. Nobody will steal your SSH-keys. 
 +ProtectHome=true 
 +; Make /usr/boot, /etc and possibly some more folders read-only. 
 +ProtectSystem=full 
 +; ... except /etc/traefik/acme, because we want Letsencrypt-certificates there. 
 +;   This merely retains r/w access rights, it does not add any new. Must still be writable on the host! 
 +ReadWriteDirectories=/etc/traefik/acme
  
-sudo setcap 'cap_net_bind_service=+ep' /usr/local/bin/traefik+; The following additional security directives only work with systemd v229 or later. 
 +; They further restrict privileges that can be gained by traefik. Uncomment if you like. 
 +; Note that you may have to add capabilities required by any plugins in use. 
 +CapabilityBoundingSet=CAP_NET_BIND_SERVICE 
 +AmbientCapabilities=CAP_NET_BIND_SERVICE 
 +NoNewPrivileges=true
  
-sudo groupadd -g 321 traefik+[Install] 
 +WantedBy=multi-user.target 
 +</file> 
 +  - Berechtigungen setzen 
 +    * **sudo chown -R traefik:traefik /{opt,etc,var/log}/traefik** 
 +    * **sudo chmod 750 /opt/traefik/traefik** 
 +    * **sudo chmod 644 /etc/systemd/system/traefik.service** 
 +    * **sudo chown root:root /etc/systemd/system/traefik.service** 
 +    * **sudo chmod 644 /etc/logrotate.d/traefik** 
 +    * **sudo chown root:root /etc/logrotate.d/traefik** 
 +  - Traefik dauerhaft aktivieren und gleichzeitig starten 
 +    * **sudo systemctl daemon-reload** 
 +    * **sudo systemctl enable --now traefik.service**
  
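Review bot: `sudo chown -R traefik:traefik /{opt,etc,var/log}/traefik` under "Berechtigungen setzen" hands the binary in /opt/traefik and the whole of /etc/traefik to the service account, where the previous revision kept the binary and /etc/traefik owned by root and gave traefik only /etc/traefik/acme and the log file. The unit's `ProtectSystem=full` makes /etc read-only for the service but does not cover /opt, so the running process can still replace /opt/traefik/traefik. Suggest keeping /opt/traefik and /etc/traefik root-owned (binary root:traefik with mode 750, configuration readable by the group) and chowning only /etc/traefik/acme and /var/log/traefik to traefik. Separately, the unit comment `; Always set "-root" to something safe ...` does not match the ExecStart line, which passes only --configfile, and the "Uncomment if you like" comment sits above directives that are already active; both comments should be updated or dropped.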
-sudo useradd   -g traefik --no-user-group --home-dir /var/www --no-create-home   --shell /usr/sbin/nologin   --system --uid 321 traefik+==== Backup mit Borgmatic ====
  
-sudo mkdir /etc/traefik /var/lib/traefik /var/log/traefik+  * siehe [[mariadb]]
  
-sudo mkdir /etc/traefik/acme 
- 
-sudo chown -R root:root /etc/traefik 
- 
-sudo chown -R traefik:traefik /etc/traefik/acme 
- 
-sudo touch /var/log/traefik/traefik.log 
- 
-sudo chown traefik:traefik /var/log/traefik/traefik.log 
- 
- 
-sudo mv *.toml /etc/traefik/ 
- 
-sudo chown root:root /etc/traefik/*.toml 
- 
-sudo chmod 644 /etc/traefik/*.toml 
- 
-sudo mv traefik.service /etc/systemd/system/ 
- 
-sudo chown root:root /etc/systemd/system/traefik.service 
- 
-sudo chmod 644 /etc/systemd/system/traefik.service 
- 
-sudo systemctl daemon-reload 
- 
-sudo systemctl start traefik.service 
- 
-sudo systemctl enable traefik.service 
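Review bot: The new revision drops `git clone https://github.com/Bytespeicher/traefik` and the `sudo mv *.toml /etc/traefik/` step without a replacement: "Konfiguration anlegen" is still **TODO** while ExecStart points at /etc/traefik/traefik.toml, and the permissions step runs chmod and chown on /etc/logrotate.d/traefik, a file that no visible step creates. Someone following the page top to bottom ends with a unit that references a missing configuration file and two commands that fail. Either document where traefik.toml and the logrotate file come from, or keep the clone step until the TODO is filled in. The download step would also benefit from verifying the archive's checksum before it is unpacked with sudo.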
  • dienste/bytecluster0002/traefik.1601227777.txt.gz
  • Last modified: 27.09.2020 19:29
  • by hipposen