Deploying RocketMQ 4.9.7 with Docker, with ACL enabled and a username/password on the dashboard

An MQ deployed on the public internet without ACL is easily found by scanners. Strongly recommended: enable ACL and restrict source IPs with security groups!!

Preparation

docker pull apache/rocketmq:4.9.7
docker pull apacherocketmq/rocketmq-dashboard:latest
docker network create rocketmq
For example, keep the mounted configuration under /home/rocketmq-4.9.7 and create the corresponding directories; check that the folder permissions are 777.

Install namesrv

docker run -d --restart=always --name rocketmq-namesrv --network rocketmq -p 9876:9876 -v /home/rocketmq-4.9.7/namesrv/logs:/home/rocketmq/logs -v /home/rocketmq-4.9.7/namesrv/store:/home/rocketmq/store -e "MAX_POSSIBLE_HEAP=100000000" apache/rocketmq:4.9.7 sh mqnamesrv

Configure broker.conf

First copy the configuration files out of the container to broker/broker-a

docker cp c727ffbe482d:/home/rocketmq/rocketmq-4.9.7/conf /opt/model/rocketmq-4.9.7/broker/broker-a/

Enter the conf directory and edit broker.conf

# Name of the cluster this broker belongs to; with many nodes you can configure several
brokerClusterName = DefaultCluster
# Broker name; master and slave use the same name, which expresses their master/slave relationship
brokerName = broker-a
# 0 means Master, values greater than 0 identify the different slaves
brokerId = 0
# Hour at which messages are deleted; the default is 04:00
deleteWhen = 04
# How long messages are retained on disk, in hours
fileReservedTime = 48
# Three possible values: SYNC_MASTER, ASYNC_MASTER, SLAVE; sync/async describes how data is replicated between Master and Slave
brokerRole = ASYNC_MASTER
# Flush policy, ASYNC_FLUSH or SYNC_FLUSH (asynchronous or synchronous flush); SYNC_FLUSH returns success only after the message is written to disk, ASYNC_FLUSH does not wait
flushDiskType = ASYNC_FLUSH
# IP address of the server hosting this broker node (**very important: in master/slave mode the slave syncs data via the master's brokerIP2; if it is not configured, master/slave replication does not work. Set brokerIP1 to the IP reachable from outside; on servers with two NICs, e.g. Alibaba Cloud, it must be configured: the master needs ip1 and ip2, the slave only needs ip1)
brokerIP1 = XX.XX.XX.XX
# nameServer addresses, separated by semicolons
namesrvAddr=XX.XX.XX.XX:9876
# Port on which the Broker listens for client connections
#listenPort = 10911
# Whether the Broker may auto-create topics; false in production, may be enabled for testing
autoCreateTopicEnable = false
# Whether the Broker may auto-create subscription groups; false in production, may be enabled for testing
autoCreateSubscriptionGroup = false
# Enable ACL authentication/authorization
aclEnable=true

Edit the ACL permission configuration file plain_acl.yml

globalWhiteRemoteAddresses:
  #- 10.10.103.*
  #- 192.168.0.*

accounts:
  - accessKey: thirdpart
    secretKey: XXXXXX
    whiteRemoteAddress:
    admin: false
    defaultTopicPerm: DENY
    defaultGroupPerm: SUB
    topicPerms:
      - sysx_categoryorg=SUB
    groupPerms:
      # the group should convert to retry topic
      - thirdPartGroup=SUB

  - accessKey: mqadmin1
    secretKey: XXXXXX
    whiteRemoteAddress:
    # if it is admin, it could access all resources
    admin: true

For the configuration options, refer to the official ACL documentation

Start the broker

docker run -d --restart=always --name rocketmq-broker-a --network rocketmq -p 10909:10909 -p 10911:10911 -v /home/rocketmq-4.9.7/broker/broker-a/logs:/home/rocketmq/logs -v  /home/rocketmq-4.9.7/broker/broker-a/store:/home/rocketmq/store -v /home/rocketmq-4.9.7/broker/broker-a/conf:/home/rocketmq/rocketmq-4.9.7/conf -e "MAX_POSSIBLE_HEAP=200000000" apache/rocketmq:4.9.7 sh mqbroker -c /home/rocketmq/rocketmq-4.9.7/conf/broker.conf

Remember to set 777 permissions on the mounted logs and store directories

Deploy the dashboard

Create the configuration directory

/home/rocketmq-4.9.7/console/data

Create a users.properties file and write the username and password into it (format: user=password,role)

admin=123456,1

Deploy

docker run -d --restart=always --name rocketmq-console --network rocketmq -v /opt/model/rocketmq-4.9.7/console/data:/tmp/rocketmq-console/data -e "JAVA_OPTS=-Drocketmq.namesrv.addr=XX.XX.XX.XX:9876 -Dcom.rocketmq.sendMessageWithVIPChannel=false -Drocketmq.config.loginRequired=true -Drocketmq.config.accessKey=mqadmin1 -Drocketmq.config.secretKey=XXXXXX" -p 8082:8080 apacherocketmq/rocketmq-dashboard:latest
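Before opening the ports to the internet, it is worth checking that the three files created above actually enforce what this post intends. The script below is an added example, not part of the original post or of RocketMQ: it audits broker.conf, plain_acl.yml and users.properties for ACL switched off, a bare "*" in globalWhiteRemoteAddresses (which lets every client skip the accessKey/secretKey check), placeholder or short secretKeys, and default dashboard passwords. The 12-character secret threshold and the sample files are assumptions constructed for the demonstration.

```shell
# Added example (not from the original post): audit the files this post creates.
# The 12-character secretKey threshold is an assumption, tighten it to taste.
# audit_rocketmq_acl BROKER_CONF PLAIN_ACL_YML USERS_PROPERTIES
# Prints one finding per line; the return value is the number of findings.
audit_rocketmq_acl() {
    conf=$1; acl=$2; users=$3; n=0
    # ACL protects nothing unless broker.conf really says aclEnable=true.
    if ! grep -Eq '^[[:space:]]*aclEnable[[:space:]]*=[[:space:]]*true' "$conf"; then
        echo "broker.conf: aclEnable is not true, ACL is off"; n=$((n + 1))
    fi
    # Auto-creation of topics and subscription groups should stay off in production.
    for k in autoCreateTopicEnable autoCreateSubscriptionGroup; do
        if grep -Eq "^[[:space:]]*$k[[:space:]]*=[[:space:]]*true" "$conf"; then
            echo "broker.conf: $k=true, should be false in production"; n=$((n + 1))
        fi
    done
    # An uncommented "- *" under globalWhiteRemoteAddresses lets every client
    # skip the accessKey/secretKey check; only that section's own items count.
    if awk '/^globalWhiteRemoteAddresses:/ {s=1; next} /^[^[:space:]#]/ {s=0}
            s && /^[[:space:]]*-[[:space:]]*\*[[:space:]]*$/ {f=1} END {exit !f}' "$acl"; then
        echo "plain_acl.yml: globalWhiteRemoteAddresses contains '*'"; n=$((n + 1))
    fi
    # secretKey left empty, left as the XXXXXX placeholder, or shorter than 12 characters.
    weak=$(awk '/^[[:space:]]*secretKey:/ { v=$0; sub(/^[[:space:]]*secretKey:[[:space:]]*/, "", v)
        sub(/[[:space:]]+$/, "", v); if (v == "" || v ~ /^X+$/ || length(v) < 12)
        print "plain_acl.yml: weak or placeholder secretKey \"" v "\"" }' "$acl")
    if [ -n "$weak" ]; then echo "$weak"; n=$((n + $(printf '%s\n' "$weak" | wc -l))); fi
    # users.properties lines are user=password,role; flag well-known default passwords.
    dflt=$(awk -F'[=,]' '$2 ~ /^(123456|admin|password|rocketmq)$/ {
        print "users.properties: default password for dashboard user " $1 }' "$users")
    if [ -n "$dflt" ]; then echo "$dflt"; n=$((n + $(printf '%s\n' "$dflt" | wc -l))); fi
    return $n
}

# Constructed sample reproducing this post's values (secretKey XXXXXX, admin=123456,1);
# writes the three files into a temporary directory and prints its path.
write_post_sample() {
    d=$(mktemp -d)
    printf '%s\n' 'brokerClusterName = DefaultCluster' 'autoCreateTopicEnable = false' \
        'autoCreateSubscriptionGroup = false' 'aclEnable=true' > "$d/broker.conf"
    printf '%s\n' 'globalWhiteRemoteAddresses:' '  #- 10.10.103.*' 'accounts:' \
        '  - accessKey: thirdpart' '    secretKey: XXXXXX' '    admin: false' \
        '  - accessKey: mqadmin1' '    secretKey: XXXXXX' '    admin: true' > "$d/plain_acl.yml"
    printf '%s\n' 'admin=123456,1' > "$d/users.properties"
    echo "$d"
}

dir=$(write_post_sample)
audit_rocketmq_acl "$dir/broker.conf" "$dir/plain_acl.yml" "$dir/users.properties"
echo "findings: $?"   # 3 for this post's values: two placeholder secretKeys, one default password
```

Run it against the real mounted directories once the placeholders are replaced; a return value of 0 means none of the checks fired.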

