CentOS7安装Puppet+GitLab+Bind

添加Puppet官方源

rpm -Uvh https://yum.puppetlabs.com/puppetlabs-release-el-7.noarch.rpm

安装Puppet

yum -y install puppet puppet-server facter

安装配置GitLab依赖软件

yum -y install curl policycoreutils openssh-server openssh-clients
systemctl enable sshd
systemctl start sshd
yum install postfix
systemctl enable postfix
systemctl start postfix
firewall-cmd --permanent --add-service=http
systemctl reload firewalld

添加GitLab清华源

#vi /etc/yum.repos.d/gitlab-ce.repo

[gitlab-ce]
name=gitlab-ce
baseurl=http://mirrors.tuna.tsinghua.edu.cn/gitlab-ce/yum/el7
repo_gpgcheck=0
gpgcheck=0
enabled=1
gpgkey=https://packages.gitlab.com/gpg.key

安装GitLab

yum -y install gitlab-ce

修改/etc/gitlab/gitlab.rb文件

external_url "https://gitlab.example.com:2443"

生成ssl证书

openssl genrsa -des3 -out gitlab.example.com.key 1024
SUBJECT="/C=CN/ST=China/L=Shanghai/O=example.com/OU=example.com/CN=gitlab.example.com"
openssl req -new -subj $SUBJECT -key gitlab.example.com.key -out gitlab.example.com.csr
openssl rsa -in gitlab.example.com.key -out gitlab.example.com.key
openssl x509 -req -days 3650 -in gitlab.example.com.csr -signkey gitlab.example.com.key -out gitlab.example.com.crt

将证书移动到/etc/gitlab/ssl目录下

mkdir -p /etc/gitlab/ssl
mv gitlab.example.com.key gitlab.example.com.crt /etc/gitlab/ssl/

如果8080端口被别的程序占用，还需要将unicorn端口修改成别的为占用端口

unicorn['port'] = 8081

配置启动GitLab

gitlab-ctl reconfigure

效果图：

第一次登陆需要修改管理员密码，管理员帐号名为root

安装Bind Chroot DNS服务器

yum -y install bind-chroot bind

拷贝bind相关文件,准备bind chroot 环境

cp -R /usr/share/doc/bind-*/sample/var/named/* /var/named/chroot/var/named

在bind chroot的目录中创建相关文件

touch /var/named/chroot/var/named/data/cache_dump.db
touch /var/named/chroot/var/named/data/named_stats.txt
touch /var/named/chroot/var/named/data/named_mem_stats.txt
touch /var/named/chroot/var/named/data/named.run
mkdir /var/named/chroot/var/named/dynamic
touch /var/named/chroot/var/named/dynamic/managed-keys.bind

将Bind锁定文件设置为可写，并将selinux标签改成named_cache_t

chmod -R 777 /var/named/chroot/var/named/data
chmod -R 777 /var/named/chroot/var/named/dynamic
chcon -R -t named_cache_t /var/named/chroot/var/named/data
chcon -R -t named_cache_t /var/named/chroot/var/named/dynamic

将/etc/named.conf拷贝到bind chroot目录

cp -p /etc/named.conf /var/named/chroot/etc/named.conf

在/etc/named.conf中对bind进行配置

# vi /var/named/chroot/etc/named.conf

完全配置如下：

//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

options {
	listen-on port 53 { any; };
	listen-on-v6 port 53 { ::1; };
	directory 	"/var/named";
	dump-file 	"/var/named/data/cache_dump.db";
	statistics-file "/var/named/data/named_stats.txt";
	memstatistics-file "/var/named/data/named_mem_stats.txt";
	allow-query     { any; };

	/*
	 - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
	 - If you are building a RECURSIVE (caching) DNS server, you need to enable
	   recursion.
	 - If your recursive DNS server has a public IP address, you MUST enable access
	   control to limit queries to your legitimate users. Failing to do so will
	   cause your server to become part of large scale DNS amplification
	   attacks. Implementing BCP38 within your network would greatly
	   reduce such attack surface
	*/
	recursion yes;

	dnssec-enable yes;
	dnssec-validation yes;
        dnssec-lookaside auto;

	/* Path to ISC DLV key */
	bindkeys-file "/etc/named.iscdlv.key";

	managed-keys-directory "/var/named/dynamic";

	pid-file "/run/named/named.pid";
	session-keyfile "/run/named/session.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
	type hint;
	file "named.ca";
};

zone "example.com" {
    type master;
    file "example.com.zone";
};

zone "10.10.10.in-addr.arpa" IN {
    type master;
    file "10.10.10.zone";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

为 example.com域名创建转发域与反向域文件

a)创建转发域

# vi /var/named/chroot/var/named/example.com.zone

;
;       Addresses and other host information.
;
$TTL 86400
@       IN      SOA     example.com. hostmaster.example.com. (
                               2014101901      ; Serial
                               43200      ; Refresh
                               3600       ; Retry
                               3600000    ; Expire
                               2592000 )  ; Minimum

;       Define the nameservers and the mail servers

               IN      NS      ns1.example.com.
               IN      A       10.10.10.20
               IN      MX      10 mx.example.com.

centos7          IN      A       10.10.10.20
mx               IN      A       10.10.10.20
ns1              IN      A       10.10.10.20
gitlab           IN      A       10.10.10.20

b)创建反向域

# vi /var/named/chroot/var/named/10.10.10.zone

;
;       Addresses and other host information.
;
$TTL 86400
@       IN      SOA     example.com. hostmaster.example.com. (
                               2014101901      ; Serial
                               43200      ; Refresh
                               3600       ; Retry
                               3600000    ; Expire
                               2592000 )  ; Minimum
 
10.10.10.in-addr.arpa. IN      NS      centos7.example.com.
 
20.10.10.10.in-addr.arpa. IN PTR mx.example.com.
20.10.10.10.in-addr.arpa. IN PTR ns1.example.com.
20.10.10.10.in-addr.arpa. IN PTR gitlab.example.com.

停止并禁用named服务，启动bind-chroot服务并设置为自启动

/usr/libexec/setup-named-chroot.sh /var/named/chroot on
systemctl stop named
systemctl disable named
systemctl start named-chroot
systemctl enable named-chroot