Configure the software development and production environment for the newly installed Linux system, so that your development efficiency will skyrocket!

In the previous article, we covered server configuration, system installation and security hardening: "Dell server configuration and installation of the Ubuntu Server 20.04 operating system, super detailed!". Today's article shows how to build a production environment on a blank server in a stable and orderly manner, so that you avoid the troubles caused by a messy development environment. It mainly covers software engineering tooling, including Java, Node, Docker, MySQL, Redis, GitLab, RabbitMQ and more. The configuration of GPU servers for AI work (CUDA, cuDNN, LXD virtualization, etc.) will be covered in a separate article later, because the two uses are very different and generally do not share one machine.

Pre-planning

Software development favors a top-down design approach, and configuring a server is no exception. We need to install the underlying software first, so that packages depending on the underlying SDKs can run without trouble. For example, you must have a Java environment before running Nacos. So I have listed a basic installation and configuration order here, which can be followed from bottom to top.
Since my machine runs Ubuntu Server 20.04, I won't say much about the basic environment that already exists. The rest of this article uses this server for the installation and configuration process.

1. The underlying foundation

1.1 Java

In the last article I explained why I like installing with apt, so whenever a package is available through apt I will basically install it that way.
Just one command, no wget, no environment variables to configure; it is that worry-free.

sudo apt install openjdk-11-jdk
java -version
java version "11.0.12" 2021-07-20 LTS
Java(TM) SE Runtime Environment 18.9 (build 11.0.12+8-LTS-237)
Java HotSpot(TM) 64-Bit Server VM 18.9 (build 11.0.12+8-LTS-237, mixed mode)

1.2 Maven

sudo apt install maven
mvn -version
Maven home: /usr/share/maven
Java version: 11.0.12, vendor: Oracle Corporation, runtime: /data/src/jdk-11.0.12
Default locale: en_US, platform encoding: UTF-8
OS name: "linux", version: "5.4.0-81-generic", arch: "amd64", family: "unix"

Here we configure the Alibaba Cloud Maven mirror. Open the /etc/maven/settings.xml file and add the following inside the <mirrors> element:

<mirror>
      <id>aliyun</id>
      <mirrorOf>central</mirrorOf>
      <name>aliyun-nexus</name>
      <!-- Use HTTPS so that artifacts cannot be altered in transit -->
      <url>https://maven.aliyun.com/nexus/content/groups/public/</url>
</mirror>

1.3 Node

sudo apt install nodejs npm
nodejs --version
npm --version


1.4 Docker

Here it is recommended to follow the official website's guide for installing Docker on Ubuntu step by step. I will also walk through each step again here.
First, uninstall any old versions with the official command; it is harmless to run even if none is installed:

sudo apt-get remove docker docker-engine docker.io containerd runc

Install the packages apt needs to use a repository over HTTPS:

sudo apt-get update
sudo apt-get install \
    apt-transport-https \
    ca-certificates \
    curl \
    gnupg \
    lsb-release

Add Docker's official GPG key:

curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg

Set up a stable repository:

echo \
  "deb [arch=amd64 signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu \
  $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null

Install the latest version of Docker Engine-Community and Containerd:

# Refresh the package index so apt sees the newly added Docker repository
sudo apt-get update
sudo apt-get install docker-ce docker-ce-cli containerd.io

After the installation is complete, we can run this command to test it:

sudo docker run hello-world

If the output shows the hello-world greeting ("Hello from Docker!"), the installation succeeded.
Finally, let's configure Docker's remote access by enabling the Remote API on port 2375, so that the API can be used to control Docker. Port 2375 carries the API unencrypted and without authentication, and anyone who can reach it controls Docker with root privileges on the host, so keep it closed in UFW to everything except trusted management hosts.

# vim /usr/lib/systemd/system/docker.service
[Service]
ExecStart=
ExecStart=/usr/bin/dockerd -H tcp://0.0.0.0:2375 -H unix:///var/run/docker.sock

The key change is in the [Service] section: add -H tcp://0.0.0.0:2375 -H unix:///var/run/docker.sock to the dockerd command line, and then restart:

systemctl daemon-reload
systemctl restart docker
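
A quick check for this setting, as an added example that is not part of the original article: the function below scans a dockerd command line and reports TCP listeners that are not protected by --tlsverify. The two sample lines are constructed, and the certificate paths in the hardened one are placeholders.

```shell
#!/bin/sh
# Added example (not from the original article): audit a dockerd ExecStart
# line for TCP listeners that accept unauthenticated API calls.

# Prints one "EXPOSED <addr>" line per unprotected listener.
# Returns 0 if none were found, 1 otherwise.
audit_dockerd_cmdline() {
    cmdline=$1
    tls=no
    found=0
    case " $cmdline " in
        *" --tlsverify "*|*" --tlsverify=true "*) tls=yes ;;
    esac
    set -f                 # no globbing while splitting the command line
    set -- $cmdline
    set +f
    while [ $# -gt 0 ]; do
        addr=""
        case $1 in
            -H|--host)      addr=${2:-} ;;      # "-H value" form
            -H=*|--host=*)  addr=${1#*=} ;;     # "-H=value" form
        esac
        case $addr in
            tcp://127.0.0.1:*|tcp://localhost:*) ;;   # loopback only
            tcp://*)
                if [ "$tls" != yes ]; then
                    echo "EXPOSED $addr"
                    found=1
                fi ;;
        esac
        shift
    done
    return $found
}

# Constructed sample lines: the setting from this article and a variant that
# requires client certificates (certificate paths are placeholders).
WEAK='ExecStart=/usr/bin/dockerd -H tcp://0.0.0.0:2375 -H unix:///var/run/docker.sock'
HARDENED='ExecStart=/usr/bin/dockerd --tlsverify --tlscacert=/etc/docker/ca.pem --tlscert=/etc/docker/server-cert.pem --tlskey=/etc/docker/server-key.pem -H tcp://0.0.0.0:2376 -H unix:///var/run/docker.sock'

for line in "$WEAK" "$HARDENED"; do
    if audit_dockerd_cmdline "$line"; then
        echo "OK: no unauthenticated TCP listener"
    else
        echo "FAIL: Docker API reachable without client certificates"
    fi
done
```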

1.5 Docker-Compose

Docker is hard to use to its full potential without Compose, so let's install it next! You can also refer to the official documentation.
First use curl to download the Compose binary to the /usr/local/bin directory:

sudo curl -L "https://github.com/docker/compose/releases/download/1.29.2/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose

After the download is complete, apply executable permissions to the file:

sudo chmod +x /usr/local/bin/docker-compose

The installation is now complete; verify it:

docker-compose --version


2. System support

2.1 Nginx

sudo apt install nginx
sudo systemctl status nginx

After installation, don't rush to visit the site. We enabled the UFW firewall in the previous article, so allow Nginx through it first. You can do this directly with the application profile name:

sudo ufw allow 'Nginx Full'

Nginx common commands:

# Stop the service
systemctl stop nginx
# Start the service
systemctl start nginx
# Restart the service
systemctl restart nginx
# Reload the configuration file
nginx -s reload -c /etc/nginx/nginx.conf

After modifying the Nginx configuration file, you can perform a reload without restarting the service.

2.2 MySQL

sudo apt install mysql-server

Once the installation is complete, the MySQL service will start automatically. To verify that the MySQL server is running, enter:

sudo systemctl status mysql

The output should show that the service is enabled and running:

● mysql.service - MySQL Community Server
     Loaded: loaded (/lib/systemd/system/mysql.service; enabled; vendor preset: enabled)
     Active: active (running) since Fri 2021-08-27 11:15:38 UTC; 2 days ago
   Main PID: 1796 (mysqld)
     Status: "Server is operational"
      Tasks: 58 (limit: 76922)
     Memory: 513.4M
     CGroup: /system.slice/mysql.service
             └─1796 /usr/sbin/mysqld

After installation, you can use the security script that comes with MySQL to configure security:

sudo mysql_secure_installation

Then choose the password strength level, set the root password, and answer the remaining prompts as required.

Securing the MySQL server deployment.

Connecting to MySQL using a blank password.

VALIDATE PASSWORD COMPONENT can be used to test passwords
and improve security. It checks the strength of password
and allows the users to set only those passwords which are
secure enough. Would you like to setup VALIDATE PASSWORD component?

Press y|Y for Yes, any other key for No: y
There are three levels of password validation policy:

LOW    Length >= 8
MEDIUM Length >= 8, numeric, mixed case, and special characters
STRONG Length >= 8, numeric, mixed case, special characters and dictionary file

Please enter 0 = LOW, 1 = MEDIUM and 2 = STRONG: 2
Please set the password for root here.
New password: 
Re-enter new password:

After the configuration is complete, you can run sudo mysql directly to enter MySQL without being asked for the password you just set. This is because the default authentication method of MySQL 8 is auth_socket rather than username and password. You can change the root authentication method in the user table:

ALTER USER 'root'@'localhost' IDENTIFIED WITH mysql_native_password BY 'very_strong_password';
FLUSH PRIVILEGES;

Of course, it is recommended that you create a new administrator account instead, which is safer:

# Create the account:
create user 'username'@'host' identified by 'password';

# Grant privileges:
grant privilege_list on database to 'username'@'host' WITH GRANT OPTION;

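Finally, if you want remote access, don't forget to edit the MySQL configuration file:

vim /etc/mysql/mysql.conf.d/mysqld.cnf
# Comment out the following line
# bind-address = 127.0.0.1
service mysql restart

After restarting, MySQL listens on all network interfaces and can be accessed remotely, so allow port 3306 through UFW only from the hosts that need it.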

2.3 Redis

sudo apt install redis-server

Check if it runs successfully:

sudo systemctl status redis-server

In order to ensure security, we configure a password here:

vim /etc/redis/redis.conf
# Uncomment the following line
requirepass YOUR_PASSWORD

Restart the Redis service:

systemctl restart redis-server

A free and open source Redis client is recommended here: AnotherRedisDesktopManager, which is in no way worse than the paid RDM.

2.4 Harbor

Harbor is VMware's open source enterprise-level registry project, whose goal is to help users quickly build an enterprise-level Docker registry service. It can be installed and deployed through docker-compose.
Download the release package from the official GitHub repository, goharbor/harbor. You can download it directly with wget, or download it on your computer and upload it to the server.

# Extract the archive
tar xvf harbor-offline-installer-v2.3.2.tgz
# Edit the configuration file
vim harbor/harbor.cfg
# hostname: the access address; an IP, domain name or host name is supported, 127.0.0.1 is not allowed
hostname = reg.mydomain.com
# Access protocol, http or https
ui_url_protocol = http

# Email notification settings
email_identity =
email_server = smtp.mydomain.com
email_server_port = 25
email_username = [email protected]
email_password = abc
email_from = admin <[email protected]>
email_ssl = false
email_insecure = false

# Password used to log in to the Harbor web UI
# (Harbor12345 is the shipped default; change it before running the installer)
harbor_admin_password = Harbor12345

# Authentication mode. Several modes are supported; the default is db_auth, i.e. credentials stored in the MySQL database.
# ldap and local file storage are also supported.
auth_mode = db_auth
# LDAP server address
ldap_url = ldaps://ldap.mydomain.com
ldap_basedn = uid=%s,ou=people,dc=mydomain,dc=com

Once the configuration is complete, run the install script:

sudo ./install.sh

This script generates a docker-compose.yml file and starts it automatically; afterwards you can operate on this compose file directly. To change Harbor's configuration, first stop the existing Harbor instance and update harbor.cfg. Then run the prepare script to populate the configuration, and finally recreate and start the Harbor instance:

docker-compose down -v
# Note: the command above stops all containers defined in docker-compose.yml
vim harbor.cfg
./prepare
docker-compose up -d

Docker service needs to log in first to use Harbor:

# Push an image
docker login https://***.com:8001
# Check with: cat ~/.docker/config.json
# Images must be tagged according to the registry's naming rule before pushing
docker pull nginx
docker tag nginx ***.com:8001/library/nginx:latest
docker push ***.com:8001/library/nginx
docker rmi -f ***.com:8001/library/nginx:latest

Note: If https is not configured, Docker will fail to log in by default. Here you need to configure it according to this blog post.
To pull an image, you can copy the pull command directly from the Harbor page.

2.5 Nexus

Here we can directly create a docker-compose.yml file, the configuration is as follows:

version: '3.1'
services:
  nexus:
    restart: always
    image: sonatype/nexus3
    container_name: nexus
    ports:
      - 6005:8081
    volumes:
      - /data/Docker/nexus/data:/nexus-data

Replace the host path in the last line (the volume mount) with the path you want, and then run docker-compose up -d.

3. Basic application

3.1 GitLab

There are two situations here. If you already have a GitLab instance and want to move it to a new server, you need to keep the GitLab version identical so that the backup file can be restored. If it is a new installation, you can use the latest version directly, following the official documentation.

# Create the local GitLab directory
export GITLAB_HOME=/home/docker/gitlab
# --hostname: container domain name, used when creating repository URLs
# -p 8443:443 / 8080:80 / 2222:22: map the container's https, http and ssh ports to the host
# --name: container name; --restart always: restart automatically after the container exits
# -v: mount local directories onto the container's config, log and data directories
# gitlab/gitlab-ce:latest: the image:version to use
docker run -d \
--hostname gitlab.example.com \
-p 8443:443 \
-p 8080:80 \
-p 2222:22 \
--name gitlab \
--restart always \
-v "$GITLAB_HOME/config:/etc/gitlab" \
-v "$GITLAB_HOME/logs:/var/log/gitlab" \
-v "$GITLAB_HOME/data:/var/opt/gitlab" \
gitlab/gitlab-ce:latest

Modify the configuration file:

sudo vi /home/docker/gitlab/config/gitlab.rb
# After editing, you can simply restart the container
docker restart gitlab

GitLab has too many configurable options to cover here, so I will mainly talk about backup. Enter the container and run the gitlab-rake gitlab:backup:create command, which writes all the content to the gitlab/backups/ directory. After copying the backup to the new machine, you need to set its permissions: chmod 777 1561597102_2021_07_21_22.0.1_gitlab_backup.tar.

gitlab-ctl stop unicorn
gitlab-ctl stop sidekiq
# Example: if the backup file is named 1561597102_2021_07_21_22.0.1_gitlab_backup.tar, its ID is 1561597102_2021_07_21_22.0.1.
gitlab-rake gitlab:backup:restore BACKUP=backup_file_id

After the restore is complete, restart the container directly.

3.2 GitLab Runner

Here we use GitLab Runner directly to build CI/CD; you can also choose Jenkins.

# Add the official GitLab repository:
curl -L https://packages.gitlab.com/install/repositories/runner/gitlab-runner/script.deb.sh | sudo bash
# Install with apt
sudo apt-get install gitlab-ci-multi-runner

The installation is now complete. For a detailed GitLab Runner tutorial, please refer to my article: Quickly implement the automatic deployment of Spring project Gitlab based on Docker.

3.3 MinIO

Here we also install from a downloaded package; see the official documentation.

# Download the Linux build for this Ubuntu server
wget http://dl.minio.org.cn/server/minio/release/linux-amd64/minio
chmod +x minio

To run it, I suggest writing a shell script:

vim ./start.sh
# Copy the following into the sh file
export MINIO_ACCESS_KEY=username
export MINIO_SECRET_KEY=password
nohup sudo /usr/local/minio/minio server --address=0.0.0.0:9000 --config-dir /etc/minio /data/minioData > /usr/local/minio/minio.log 2>&1&

Give the script execute permission with chmod u+x *.sh, then run it. You can then open port 9000 directly to view it.
MinIO client:

wget https://dl.min.io/client/mc/release/linux-amd64/mc
chmod +x mc
./mc --help
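
The docker-compose, minio and mc binaries in this article are downloaded and made executable without any integrity check. The added example below (not from the original article) installs a downloaded file only when its SHA-256 matches a one-line checksum file; it assumes the publisher offers such a file next to the binary, and the demo uses constructed stand-in files.

```shell
#!/bin/sh
# Added example (not from the original article): verify before installing.

# sidecar_digest SIDECAR -> prints the digest from a one-entry checksum file
# ("<64 hex chars>  <filename>"). Fails on anything else, for example an HTML
# error page that was saved in place of the checksum file.
sidecar_digest() {
    [ "$(grep -c . "$1" 2>/dev/null)" -eq 1 ] 2>/dev/null || return 1
    d=$(awk 'NF { print tolower($1) }' "$1")
    case $d in
        *[!0-9a-f]*) return 1 ;;
    esac
    [ "${#d}" -eq 64 ] || return 1
    printf '%s\n' "$d"
}

# verified_install FILE SIDECAR DEST
# Copies FILE to DEST with mode 0755 only when its SHA-256 equals the
# published digest. Returns 1 and leaves DEST untouched otherwise.
verified_install() {
    want=$(sidecar_digest "$2") || {
        echo "unusable checksum file: $2" >&2
        return 1
    }
    got=$(sha256sum "$1" | awk '{ print $1 }')
    if [ "$got" != "$want" ]; then
        echo "SHA-256 mismatch for $1 (got $got)" >&2
        return 1
    fi
    install -m 0755 "$1" "$3"
}

# Constructed demo: a stand-in "binary", its checksum file and a tampered copy.
demo() {
    dir=$(mktemp -d)
    printf 'stand-in for docker-compose\n' > "$dir/docker-compose"
    ( cd "$dir" && sha256sum docker-compose > docker-compose.sha256 )
    cp "$dir/docker-compose" "$dir/tampered"
    printf 'extra bytes\n' >> "$dir/tampered"
    verified_install "$dir/docker-compose" "$dir/docker-compose.sha256" \
        "$dir/installed" && echo "genuine file installed"
    verified_install "$dir/tampered" "$dir/docker-compose.sha256" \
        "$dir/installed2" || echo "tampered file rejected"
    rm -rf "$dir"
}
demo
```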

You can log in to MinIO directly with the following command.

mc config host add minio http://xxx:7002 minioadmin minioadmin --api s3v4

After logging in successfully, you can configure MinIO.

# List existing buckets
./mc ls minio
# Set the access permission of each bucket ("public" lets anyone read and write the bucket without credentials)
mc policy set public minio/video

Java code example for accessing MinIO:

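import io.minio.MinioClient;
import io.minio.PutObjectArgs;

// filename, suffix and file (the uploaded file) are assumed to come from the surrounding upload handler
// Build a client for the MinIO endpoint with its access key and secret key
MinioClient minioClient = MinioClient.builder()
                .endpoint("http://xxx:6002")
                .credentials("minioadmin", "minioadmin")
                .build();
// Upload the stream; object size -1 means unknown, sent in 10 MiB parts
minioClient.putObject(
                    PutObjectArgs.builder().bucket("bucket").object(filename).stream(
                            file.getResource().getInputStream(), -1, 10485760)
                            .contentType("image/" + suffix)
                            .build());
// URL of the uploaded object
String imageUrl = "https://xxx:6002/bucket/" + filename;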

3.4 Nacos

Since Nacos is not yet compatible with JDK 11, we run it directly in Docker. See the official installation documentation.

git clone --depth 1 https://github.com/nacos-group/nacos-docker.git
cd nacos-docker
docker-compose -f example/standalone-derby.yaml up

3.5 RabbitMQ

Deploy directly with Docker. The following docker run commands start the RocketMQ name server, broker and console:

docker run -d \
--restart=always \
--name rmqnamesrv \
-p 7008:9876 \
-v /usr/local/docker/rocketmq/namesrv/logs:/root/logs \
-v /usr/local/docker/rocketmq/namesrv/store:/root/store \
-e "MAX_POSSIBLE_HEAP=100000000" \
rocketmqinc/rocketmq \
sh mqnamesrv

docker run -d  \
--restart=always \
--name rmqbroker \
--link rmqnamesrv:namesrv \
-p 7009:7009 \
-p 10909:10909 \
-v /usr/local/docker/rocketmq/broker/logs:/root/logs \
-v /usr/local/docker/rocketmq/broker/store:/root/store \
-v /usr/local/docker/rocketmq/broker/conf/broker.conf:/opt/rocketmq-4.4.0/conf/broker.conf \
-e "NAMESRV_ADDR=namesrv:9876" \
-e "MAX_POSSIBLE_HEAP=200000000" \
rocketmqinc/rocketmq \
sh mqbroker -c /opt/rocketmq-4.4.0/conf/broker.conf

docker run -d \
--restart=always \
--name rmqadmin \
-e "JAVA_OPTS=-Drocketmq.namesrv.addr=xxx:7008 \
-Dcom.rocketmq.sendMessageWithVIPChannel=false" \
-p 6001:8080 \
pangliang/rocketmq-console-ng

Broker configuration file:

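# Name of the cluster this broker belongs to; with many nodes you can configure several
brokerClusterName = DefaultCluster
# Broker name; master and slave use the same name to indicate their master-slave relationship
brokerName = broker-a
# 0 means master, a value greater than 0 means a different slave
brokerId = 0
# Hour at which messages are deleted; the default is 4 a.m.
deleteWhen = 04
# How long messages are kept on disk, in hours
fileReservedTime = 48
# Three values: SYNC_MASTER, ASYNC_MASTER, SLAVE; sync and async refer to how data is replicated between master and slave
brokerRole = ASYNC_MASTER
# Flush policy: ASYNC_FLUSH or SYNC_FLUSH, i.e. asynchronous or synchronous flushing to disk; SYNC_FLUSH returns success only after the message is written to disk, ASYNC_FLUSH does not wait
flushDiskType = ASYNC_FLUSH
# IP address of the server hosting the broker node
brokerIP1 = xxx
listenPort=7009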

4. Upper application

At this point, you can install whatever you want. What I install here is all software closely tied to our development work: for example, applications deployed through GitLab Runner, YAPI for front-end and back-end developers to view interface documentation, and ELK for log analysis...

end

This is a record article of a server I just installed over the weekend. If it is helpful to you, please give me a thumbs up. If you have any questions, you can leave a message to communicate~

Origin blog.csdn.net/u012558210/article/details/119989794