Modifying the InfluxDB image to enable user authentication

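Most InfluxDB images allow login and access with an empty password by default, for example tutum/influxdb, the one I chose. For production use, user authentication needs to be enabled to keep the database secure.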

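By default, authentication is turned off in the configuration file. It is enabled by setting auth-enabled=true in the [http] section.
First, we use docker inspect $ImageID to examine the configuration in the image. An excerpt of the inspect output follows: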

        "Config": {
            "Hostname": "9cdafcc41d7c",
            "Domainname": "",
            "User": "",
            "AttachStdin": false,
            "AttachStdout": false,
            "AttachStderr": false,
            "ExposedPorts": {
                "8083/tcp": {},
                "8086/tcp": {}
            },
            "Tty": false,
            "OpenStdin": false,
            "StdinOnce": false,
            "Env": [
                "HOME=/",
                "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
                "INFLUXDB_VERSION=1.0.0",
                "PRE_CREATE_DB=**None**",
                "SSL_SUPPORT=**False**",
                "SSL_CERT=**None**"
            ],
            "Cmd": [
                "/run.sh"
            ],

We can see that the CMD the image runs is run.sh. Start a container with docker run to look at run.sh.

MyMacBook-Pro:yamls $ docker run -d -p 8083:8083 -p 8086:8086 tutum/influxdb:latest
3a74f3463adc190ad44ce7c9c167dbf0a1563041a7f51bee17c1779bcf314d56
MyMacBook-Pro:yamls $ docker exec -it 3a74f /bin/bash
root@3a74f3463adc:/# ps aux |grep influxd
root        11  0.2  0.6 300764 12832 ?        Sl   06:24   0:00 influxd -config=/config/config.toml
root        31  0.0  0.0   8868   828 pts/0    S+   06:25   0:00 grep influxd
root@3a74f3463adc:/# vi run.sh

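From the process list inside the container, we can see that the configuration file is /config/config.toml. Opening run.sh likewise confirms that the configuration file in use is config.toml. Set auth-enabled=true in this configuration file.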
Do not stop this container; commit a new image to save the change to the configuration file.

 docker commit 3a74f3463 tutum/influxdb:latest
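
The manual edit above can be scripted and checked before the commit. The following is an added example, not code from the original post or from the tutum image: the function names and the sample config are constructed, and it assumes only what the post states, that the key is auth-enabled under [http].

```shell
# Added example (not from the post or the tutum image). Function names and the
# sample config are constructed; the [http] / auth-enabled key is from the post.

# Print the config with auth-enabled forced to true inside [http] only.
# If [http] has no auth-enabled key, one is appended to that section.
enable_http_auth() {
    awk '
        function emit_missing() { if (in_http && !done) print "  auth-enabled = true" }
        /^[ \t]*\[/ {                         # any section header
            emit_missing()
            in_http = ($0 ~ /^[ \t]*\[http\][ \t]*(#.*)?$/)
            done = 0
        }
        in_http && /^[ \t]*auth-enabled[ \t]*=/ {
            if (!done) { print "  auth-enabled = true"; done = 1 }
            next                              # drop the old value and duplicates
        }
        { print }
        END { emit_missing() }
    ' "$1"
}

# Exit status 0 only when [http] carries an uncommented auth-enabled = true.
http_auth_enabled() {
    awk '
        /^[ \t]*\[/ { in_http = ($0 ~ /^[ \t]*\[http\][ \t]*(#.*)?$/) }
        in_http && /^[ \t]*auth-enabled[ \t]*=/ {
            val = $0
            sub(/^[^=]*=[ \t]*/, "", val)     # strip key and "="
            sub(/[ \t]*(#.*)?$/, "", val)     # strip trailing comment
            ok = (val == "true")
        }
        END { exit(ok ? 0 : 1) }
    ' "$1"
}

# Constructed sample: the second section is a decoy that must stay untouched.
sample_config() {
    printf '%s\n' '[meta]' '  dir = "/data/meta"' '' \
        '[http]' '  enabled = true' '  auth-enabled = false' '' \
        '[example-section]' '  auth-enabled = false'
}

# Demo on a temporary copy; in the container the target is /config/config.toml.
tmp=$(mktemp)
sample_config > "$tmp"
enable_http_auth "$tmp" > "$tmp.new" && mv "$tmp.new" "$tmp"
http_auth_enabled "$tmp" && echo "[http] auth-enabled is true"
rm -f "$tmp"
```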

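With user authentication turned on, if we need to pre-create a db, a username and password have to be set during the pre-creation. Looking at run.sh, note this piece of code: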

# Pre create database on the initiation of the container
if [ -n "${PRE_CREATE_DB}" ]; then
   echo "=> About to create the following database: ${PRE_CREATE_DB}"
   if [ -f "/data/.pre_db_created" ]; then
       echo "=> Database had been created before, skipping ..."
   else
       arr=$(echo ${PRE_CREATE_DB} | tr ";" "\n")

       #wait for the startup of influxdb
       RET=1
       while [[ RET -ne 0 ]]; do
           echo "=> Waiting for confirmation of InfluxDB service startup ..."
           sleep 3
           curl -k ${API_URL}/ping 2> /dev/null
           RET=$?
       done
       echo ""
       PASS=${INFLUXDB_INIT_PWD:-root}
       if [ -n "${ADMIN_USER}" ]; then
         echo "=> Creating admin user"
         influx -host=${INFLUX_HOST} -port=${INFLUX_API_PORT} -execute="CREATE USER ${ADMIN_USER} WITH PASSWORD '${PASS}' WITH ALL PRIVILEGES"
         for x in $arr
         do
             echo "=> Creating database: ${x}"
             influx -host=${INFLUX_HOST} -port=${INFLUX_API_PORT} -username=${ADMIN_USER} -password="${PASS}" -execute="create database ${x}"
             influx -host=${INFLUX_HOST} -port=${INFLUX_API_PORT} -username=${ADMIN_USER} -password="${PASS}" -execute="grant all PRIVILEGES on ${x} to ${ADMIN_USER}"
         done
         echo ""
       else
         for x in $arr
         do
             echo "=> Creating database: ${x}"
             influx -host=${INFLUX_HOST} -port=${INFLUX_API_PORT} -execute="create database \"${x}\""
         done
       fi

       touch "/data/.pre_db_created"
   fi
else
   echo "=> No database need to be pre-created"
fi

From this we can conclude that three environment variables need to be set when running the image: PRE_CREATE_DB, ADMIN_USER and INFLUXDB_INIT_PWD. Run the new image:

MyMacBook-Pro:yamls $ docker run -d -p 8086:8086 -p 8083:8083 --env INFLUXDB_INIT_PWD='passw0rd' --env ADMIN_USER='admin' -e PRE_CREATE_DB='statsdb' -v /var/influxdb/data:/data tutum/influxdb:latest

Use docker exec to enter the container and check the state of InfluxDB after startup:

MyMacBook-Pro:yamls $ docker exec -it 2f6d /bin/bash
root@2f6d0e33b757:/# influx -username=admin -password='passw0rd'
Visit https://enterprise.influxdata.com to register for updates, InfluxDB server management, and monitoring.
Connected to http://localhost:8086 version 1.0.0
InfluxDB shell version: 1.0.0
> show databases
name: databases
---------------
name
statsdb
_internal

We can see that the pre-created database was created successfully.
