Gravitational Teleport docker-compose组件独立部署运行

Gravitational Teleport 可以作为堡垒机进行使用，上次写过一个all in one 的，这次参考官方
的配置运行一个proxy node auth 分离的应用
备注： 基于docker-compose 运行

环境准备

• docker-compose 文件

 

version: '2'

services:

  two-auth:

    mem_limit: 300m

    image: quay.io/gravitational/teleport:3.1.1

    container_name: two-auth

    volumes:

      - ./data/two/auth:/var/lib/teleport

      - ./two-auth.yaml:/etc/teleport/teleport.yaml

    networks:

      teleport:

        ipv4_address: 172.10.1.2

  two-proxy:

    mem_limit: 300m

    image: quay.io/gravitational/teleport:3.1.1

    container_name: two-proxy

    ports:

      - "5080:5080"

      - "5023:5023"

    volumes:

      - ./data/two/proxy:/var/lib/teleport

      - ./two-proxy.yaml:/etc/teleport/teleport.yaml

    networks:

      teleport:

        ipv4_address: 172.10.1.3

  two-node:

    mem_limit: 300m

    image: quay.io/gravitational/teleport:3.1.1

    container_name: two-node

    volumes:

      - ./data/two/node:/var/lib/teleport

      - ./two-node.yaml:/etc/teleport/teleport.yaml

    networks:

      teleport:

        ipv4_address: 172.10.1.4

networks:

  teleport:

    ipam:

      driver: default

      config:

      - subnet: 172.10.1.0/16

        ip_range: 172.10.1.0/24

        gateway: 172.10.1.254

volumes:

  certs:

 

• auth 配置文件
  two-auth.yaml: 同时运行在node 角色

 

# Auth server for cluster "two". Also runs "node" role

teleport:

  nodename: two-auth

  log:

    output: /var/lib/teleport/teleport.log

    severity: INFO

​

  data_dir: /var/lib/teleport

  storage:

      path: /var/lib/teleport/backend

      type: dir

​

auth_service:

  enabled: yes

​

  authentication:

    type: local

    second_factor: off

​

  cluster_name: two

  tokens: 

       - "node,auth,proxy:foo"

​

  listen_addr: 172.10.1.2:3025

​

ssh_service:

  enabled: yes

  labels:

      cluster: two

      role: auth+node

  commands:

      - name: kernel

        command: [/bin/uname, -r]

        period: 5m

​

proxy_service:

  enabled: no

​

• proxy 配置文件
  two-proxy.yaml 文件：同时运行node 角色，注意指定了auth 服务同时使用静态token 进行
  加入

 

# Proxy server for cluster "two". Also runs "node" role

teleport:

  nodename: two-proxy

  auth_servers: ["two-auth"]

  auth_token: foo

  log:

    output: /var/lib/teleport/teleport.log

    severity: INFO

  data_dir: /var/lib/teleport

  storage:

      path: /var/lib/teleport/backend

      type: dir

auth_service:

  enabled: no

ssh_service:

  enabled: yes

  labels:

      cluster: two

      role: proxy+node

  commands:

      - name: kernel

        command: [/bin/uname, -r]

        period: 5m

proxy_service:

   enabled: yes

   listen_addr: 0.0.0.0:5023

   web_listen_addr: 0.0.0.0:5080

 

 

• node 配置
  two-node.yaml，同时使用静态token 进行加入

 

# Dumb SSH node for cluster "two"

teleport:

  nodename: node-on-second-cluster

  auth_servers: ["two-auth"]

  auth_token: foo

  advertise_ip: 172.10.1.4

  log:

    output: /var/lib/teleport/teleport.log

    severity: INFO

  data_dir: /var/lib/teleport

  storage:

      path: /var/lib/teleport/backend

      type: dir

​

ssh_service:

  enabled: yes

  labels:

      cluster: two

      role: dumb_node

​

proxy_service:

   enabled: no

​

auth_service:

  enabled: no

​

 

 

运行&&测试

• 运行

docker-compose up -d

• 添加用户
  auth server inside 容器

 

tctl -c /etc/teleport/teleport.yaml users add root

Signup token has been created and is valid for 1 hours. Share this URL with the user:

https://localhost:3080/web/newuser/54ac1593143d9a44a497c1346f9e0fc9

​

NOTE: Make sure two-proxy:3080 points at a Teleport proxy which users can access.

 

 

• 访问连接

• 历史回放功能

参考资料

https://gravitational.com/teleport/docs/quickstart/