背景
nas開啟nfs存儲共享,默認情況下只能給IP/24做限制, 達不到安全效果
需要增加kerberos策略校驗,并且持久化kerberos數(shù)據(jù),避免容器重啟丟失數(shù)據(jù)
環(huán)境描述
宿主機系統(tǒng):CentOS Linux release 7.9.2009 (Core)
Docker版本:Docker version 20.10.6, build 370c289
一、容器部署kerberos
# 注意添加 /etc/hosts
192.168.10.10 kerberosclient.wo.com
192.168.10.10 kerberosserver.wo.com
1.kerberos配置文件
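# Create the build context directory and switch into it (the two commands were
# fused onto one line; `cd` must be its own command).
mkdir -p /data/kerberos/dockerfile
cd /data/kerberos/dockerfile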
@FQDN@ 后面使用sed更改為大寫域名 = WO.COM
@fqdn@ 后面使用sed更改為小寫域名 = wo.com
@kdc_server@ kdc服務(wù)器地址 = kerberosclient.wo.com
krb5.conf
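# Template for both /etc/krb5kdc/kdc.conf and /etc/krb5.conf (see the Dockerfile).
# The tokens @FQDN@ (realm, upper case), @fqdn@ (DNS domain, lower case) and
# @kdc_server@ (KDC/admin host) are replaced with sed by kerberos.sh when the
# container starts; the file is not usable until that has happened.
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 # NOTE(review): this CA bundle path is the CentOS one; it does not exist in the
 # Ubuntu-based image, which is harmless as long as PKINIT is not used.
 pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
 default_realm = @FQDN@
 default_ccache_name = FILE:/tmp/krb5cc_cli_%{uid}

[realms]
 @FQDN@ = {
  kdc = @kdc_server@
  admin_server = @kdc_server@
  # admin_keytab and database_name are KDC-side settings; they are ignored by
  # clients that receive this file as krb5.conf.
  admin_keytab = /var/lib/krb5kdc/admin.keytab
  database_name = /var/lib/krb5kdc/principal
 }

[domain_realm]
 .@fqdn@ = @FQDN@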
kadm5.acl
# Every principal with an /admin instance in the realm gets all kadmin
# privileges ("*"). @FQDN@ is replaced with the realm name by kerberos.sh at
# container start, so the effective line is "*/admin@WO.COM *".
*/admin@@FQDN@ *
kerberos.sh
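#!/bin/bash
# Container entrypoint for the KDC image.
#  1. fills the @FQDN@/@fqdn@/@kdc_server@ placeholders in the templates the
#     Dockerfile copied into /etc,
#  2. on the first start creates the KDC database, the root/admin principal and
#     the nfs/ service principal for the NFS client (state lives under
#     /var/lib/krb5kdc and /app/cert, both bind-mounted by start.sh),
#  3. hands control to supervisord, which runs krb5kdc and kadmind.
set -euo pipefail

fqdn="wo.com"                         # lower-case DNS domain  -> @fqdn@
FQDN="WO.COM"                         # realm name             -> @FQDN@
kdc_server="kerberosserver.wo.com"    # KDC / admin server     -> @kdc_server@
# Master-key and root/admin password. The literal default is baked into the
# image; KDC_MASTER_PASS (introduced here) lets a deployment override it from
# the environment (e.g. `docker run -e KDC_MASTER_PASS=...`) without rebuilding.
PASS="${KDC_MASTER_PASS:-Fa1Q@D@N}"
KRB5_KTNAME="/var/lib/krb5kdc/admin.keytab"
inited="/var/lib/krb5kdc/inited"      # marker file: database already created
client_keytab="/app/cert/krb5.keytab"

# Substitute the realm placeholders. /etc/krb5.conf is the same template as
# kdc.conf and is rewritten as well, so that kinit/klist run inside the
# container do not see a literal "@FQDN@" realm.
for conf in /etc/krb5kdc/kdc.conf /etc/krb5.conf; do
  sed -i \
    -e "s#@kdc_server@#${kdc_server}#g" \
    -e "s#@fqdn@#${fqdn}#g" \
    -e "s#@FQDN@#${FQDN}#g" \
    "${conf}"
done
sed -i "s#@FQDN@#${FQDN}#g" /etc/krb5kdc/kadm5.acl

#######################################
# First-run initialisation of the KDC; a no-op once ${inited} exists.
# Globals:  PASS, FQDN, fqdn, KRB5_KTNAME, inited, client_keytab (read)
# Outputs:  progress messages on stdout
# Returns:  0 on success; aborts the script (set -e) if a step fails
#######################################
init_user() {
  if [ -f "${inited}" ]; then
    # `kdb5_util create -s` writes the master-key stash to /etc/krb5kdc, which
    # is not a volume; restore the persisted copy so krb5kdc/kadmind can start.
    # NOTE(review): kdc.conf's per-realm `key_stash_file` relation could point
    # the stash at /var/lib/krb5kdc directly and make this copy unnecessary.
    cp "/var/lib/krb5kdc/.k5.${FQDN}" "/etc/krb5kdc/.k5.${FQDN}"
    echo "kerberos已存在, 跳過初始化"
    return
  fi

  echo "begin init user"
  # Create the KDC database; -s also stashes the master key. The password is
  # read twice from stdin, so it does not show up in the process list.
  printf '%s\n%s\n' "${PASS}" "${PASS}" | kdb5_util create -s
  # Administrative principal and its keytab.
  printf '%s\n%s\n' "${PASS}" "${PASS}" | kadmin.local -q "addprinc root/admin"
  kadmin.local -q "ktadd -k /var/lib/krb5kdc/admin.keytab root/admin"
  # Service principal for the NFS client; -randkey means no password is asked.
  kadmin.local -q "addprinc -randkey nfs/kerberosclient.${fqdn}"
  # Client keytab: -norandkey keeps the key unchanged so both exports match.
  kadmin.local -q "ktadd -norandkey -k ${KRB5_KTNAME} nfs/kerberosclient.${fqdn}"
  kadmin.local -q "xst -k ${client_keytab} -norandkey nfs/kerberosclient.${fqdn}"
  # The keytabs hold long-term keys and /app/cert is bind-mounted on the host:
  # keep them readable by the owner only.
  chmod 600 "${client_keytab}" "${KRB5_KTNAME}"
  # Configuration handed to the client together with the keytab.
  cp /etc/krb5kdc/kdc.conf /app/cert/krb5.conf
  # Persist the master-key stash next to the database.
  cp "/etc/krb5kdc/.k5.${FQDN}" "/var/lib/krb5kdc/.k5.${FQDN}"
  touch "${inited}"
  echo "user inite success"
}

#######################################
# Entry point: initialise the KDC, then run supervisord in the foreground.
#######################################
main() {
  init_user
  # exec makes supervisord the container's main process, so the SIGTERM from
  # `docker stop` reaches it (and its children) instead of this shell.
  exec /usr/local/bin/supervisord -n -c /etc/supervisord.conf
}

main "$@"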
supervisord.conf
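[supervisord]
logfile=/var/log/supervisord/supervisord.log ; supervisord log file
logfile_maxbytes=50MB ; maximum size of logfile before rotation
logfile_backups=10 ; number of backed up logfiles
loglevel=error ; info, debug, warn, trace
pidfile=/var/run/supervisord.pid ; pidfile location
nodaemon=false ; run supervisord as a daemon (kerberos.sh overrides this with -n)
minfds=1024 ; number of startup file descriptors
minprocs=200 ; number of process descriptors
user=root ; default user
childlogdir=/var/log/supervisord/ ; where child log files will live

; Run both daemons in the foreground. `service krb5-kdc start` returns as soon
; as the init script has forked the daemon, so supervisord sees the program
; exit immediately, retries it and eventually marks it FATAL while the real
; daemon runs unsupervised in the background.
[program:krb5-kdc]
command=/usr/sbin/krb5kdc -n
autostart=true
autorestart=true

[program:krb5-admin-server]
command=/usr/sbin/kadmind -nofork
autostart=true
autorestart=true

[supervisorctl]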
dockerfile
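# KDC image: MIT Kerberos KDC and admin server, run under supervisord.
# The realm placeholders in the copied templates are filled in at container
# start by /app/kerberos.sh.
# NOTE(review): ubuntu:xenial (16.04) is end-of-life and no longer receives
# security updates; a supported base should be chosen for anything long-lived.
FROM ubuntu:xenial
ENV DEBIAN_FRONTEND noninteractive

# apt-get rather than apt: apt's command-line interface is not stable for
# scripted use. Package lists are removed afterwards to keep the image small.
RUN sed -i s@/archive.ubuntu.com/@/mirrors.aliyun.com/@g /etc/apt/sources.list \
 && sed -i s@/security.ubuntu.com/@/mirrors.aliyun.com/@g /etc/apt/sources.list \
 && apt-get update \
 && apt-get install -y python-dev python-pip python-wheel python-setuptools python-pkg-resources krb5-admin-server krb5-kdc \
 && rm -rf /var/lib/apt/lists/* \
 && mkdir -p /var/log/supervisord /app/cert \
 && pip install supervisor==4.2.4

# The same template serves as kdc.conf and as the library's krb5.conf; the
# placeholder substitution in kerberos.sh has to cover both copies for tools
# inside the container (kinit/klist) to resolve the realm.
COPY krb5.conf /etc/krb5kdc/kdc.conf
COPY kadm5.acl /etc/krb5kdc/kadm5.acl
COPY krb5.conf /etc/krb5.conf
COPY kerberos.sh /app/kerberos.sh
COPY supervisord.conf /etc/supervisord.conf
WORKDIR /app
CMD ["/bin/bash", "/app/kerberos.sh"]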
2.構(gòu)建鏡像
docker build -t kerberos:1.0.0 .
3.運行鏡像
mkdir -p /data/kerberos/data
cd /data/kerberos
start.sh
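#!/bin/bash
# (Re)create the KDC container with its state bind-mounted from the host.
set -euo pipefail

# Remove a previous instance; not an error when none exists.
docker rm -f kerberos 2>/dev/null || true

# Persisted paths, so a container restart does not lose the KDC database:
#   /app/cert          keytab and krb5.conf handed to the NFS client
#   /var/lib/krb5kdc   KDC database files
#   /etc/krb5kdc/.k5.* master-key stash; kerberos.sh copies it into
#                      /var/lib/krb5kdc so it is persisted with the database
# Kerberos is served on port 88 over UDP as well as TCP, so both are mapped.
# Port 749 is kadmin; binding it to a trusted interface only
# (e.g. -p 127.0.0.1:749:749) limits who can reach the admin service.
docker run -itd \
  -p 88:88 \
  -p 88:88/udp \
  -p 749:749 \
  -v /data/kerberos/data/cert:/app/cert \
  -v /data/kerberos/data/db:/var/lib/krb5kdc \
  --name=kerberos \
  kerberos:1.0.0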
二、nas配置krb5.keytab
/data/kerberos/data/cert/krb5.keytab
將krb5.keytab上傳到nas
# 開啟krb5校驗
三、nfs客戶端機器
1.安裝krb5
yum -y install krb5-workstation nfs-utils
文件從kerberos服務(wù)端獲取,拷貝到客戶端(注意區(qū)分機器)
cp /data/kerberos/data/cert/krb5.conf /etc/krb5.conf
cp /data/kerberos/data/cert/krb5.keytab /etc/krb5.keytab
客戶端啟動rpc-gssd
systemctl restart rpc-gssd
2.驗證
kinit -kt /etc/krb5.keytab nfs/kerberosclient.wo.com@WO.COM
klist
掛載
mount -o vers=4,sec=krb5 kerberosclient.wo.com:/volume1/data /mnt
四、參考文檔
如何配置 NFS 共享文件夾以使用 Kerberos? - Synology 知識中心
Synology NAS NFS Kerberos 配置與使用 – 個人筆記分享
NFS | DSM - Synology 知識中心
使用Docker快速搭建Kerberos環(huán)境 - 知乎
基于Kerberos認證的NFS服務(wù)器_nfs kerberos_黑色蒲G英~的博客-CSDN博客
五、其他報錯信息
1.用戶和組顯示nobody
用戶和組顯示nobody
更改/etc/idmapd.conf 將Domain 改為fqdn 的域名
systemctl restart rpcidmapd
2.創(chuàng)建文件提示權(quán)限不足
在nas上,上傳kerberos密鑰對的配置,增加ID映射,對應(yīng)用那個user
3.access denied by server while mounting
# 查看kerberos應(yīng)用日志
tail -f /var/log/k*
4.mount.nfs an incorrect mount option was specified
# 沒有krb5.conf krb5.keytab 2個文件
# 然后啟動rpc-gssd
systemctl restart rpc-gssd
?5.掛載后文件都顯示777權(quán)限
改為無映射