RocketMQ的Docker镜像部署（以及Dashboard的部署、ACL配置）

RocketMQ的Docker镜像部署（以及Dashboard、ACL）

准备

• 包含RocketMQ部署（NameServer、Broker）、Dashboard、ACL
• 拉取镜像
  • RocketMQ$ docker pull apache/rocketmq:5.1.4
  • Dashboard$ docker pull apacherocketmq/rocketmq-dashboard:latest
• 创建docker-network$ docker network create rocketmq-net （如果都部署在同一节点的话需要这样做）

部署 NameServer

• 创建目录和修改权限

# 创建目录
mkdir -p /opt/soft/rocketmq-5.1.4-docker/namesrv/logs

# 修改权限，便于docker容器写入文件
chmod 777 /opt/soft/rocketmq-5.1.4-docker/namesrv/logs

• 启动 NameServer

docker run -d --name rocketmq-namesrv \
--network rocketmq-net \
--restart=always \
-p 9876:9876 \
-v /opt/soft/rocketmq-5.1.4-docker/namesrv/logs:/home/rocketmq/logs \
-e "MAX_POSSIBLE_HEAP=100000000" \
apache/rocketmq:5.1.4 \
sh mqnamesrv

• 注意：
  • Docker容器需要有对服务器目录 /opt/soft/rocketmq-5.1.4-docker/namesrv/logs 的写入权限，例如可以提前创建该目录，并设置777 权限。后续的-v挂载同理。

部署 Broker

• 拷贝NameServer容器的中的配置文件到Broker

mkdir -p /opt/soft/rocketmq-5.1.4-docker/broker/broker-a-0
docker cp <NameServer的容器ID>:/home/rocketmq/rocketmq-5.1.4/conf /opt/soft/rocketmq-5.1.4-docker/broker/broker-a-0

• 修改Broker配置$ vim /opt/soft/rocketmq-5.1.4-docker/broker/broker-a/conf/broker.conf

# 所属集群名称
brokerClusterName = DefaultCluster
# Broker名称，Master和Slave使用相同的名称（主从关系）
brokerName = broker-a
# 0表示Master，大于0表示不同的Slave
brokerId = 0
# 删除消息的时机，默认是4点
deleteWhen = 04
# 消息持久化在磁盘上的时长（小时）
fileReservedTime = 48
# Master和Slave之间同步数据的机制：SYNC_MASTER、ASYNC_MASTER、SLAVE
brokerRole = ASYNC_MASTER
# 刷盘策略：SYNC_FLUSH 消息写入磁盘后才返回成功状态；ASYNC_FLUSH 不需要等返回成功。
flushDiskType = ASYNC_FLUSH
# 设置Broker节点所在服务器的IP地址（需要连该MQ的外网应当能访问该IP）
brokerIP1 = XXX.XXX.XXX.XXX
# NameServer地址，用分号分割，我们通过Docker的环境变量指定
# namesrvAddr = XXX.XXX.XXX.XXX:9876
# Broker 对外服务的监听端口，默认即可
# listenPort = 10911
# 是否允许 Broker 自动创建 Topic
# autoCreateTopicEnable = true
# 是否允许 Broker 自动创建 订阅组
# autoCreateSubscriptionGroup = true
# 开启鉴权
# aclEnable = true

• 创建目录和修改权限

# 创建目录
mkdir -p /opt/soft/rocketmq-5.1.4-docker/broker/broker-a-0/conf
mkdir -p /opt/soft/rocketmq-5.1.4-docker/broker/broker-a-0/logs
mkdir -p /opt/soft/rocketmq-5.1.4-docker/broker/broker-a-0/store

# 修改权限，便于docker容器写入文件
chmod 777 /opt/soft/rocketmq-5.1.4-docker/broker/broker-a-0/conf
chmod 777 /opt/soft/rocketmq-5.1.4-docker/broker/broker-a-0/logs
chmod 777 /opt/soft/rocketmq-5.1.4-docker/broker/broker-a-0/store

• 启动 Broker

docker run -d --name rocketmq-broker-a-0 \
--network rocketmq-net \
--restart=always \
--privileged=true \
-p 10911:10911 -p 10909:10909 \
-v /opt/soft/rocketmq-5.1.4-docker/broker/broker-a-0/conf:/home/rocketmq/rocketmq-5.1.4/conf \
-v /opt/soft/rocketmq-5.1.4-docker/broker/broker-a-0/logs:/home/rocketmq/logs \
-v /opt/soft/rocketmq-5.1.4-docker/broker/broker-a-0/store:/home/rocketmq/store \
-e "NAMESRV_ADDR=rocketmq-namesrv:9876" \
-e "MAX_POSSIBLE_HEAP=200000000" \
apache/rocketmq:5.1.4 \
sh mqbroker -c /home/rocketmq/rocketmq-5.1.4/conf/broker.conf

-e "BROKER_IP_1=10.113.75.113" \

部署 其他Broker

• 和上面的配置类似
• 调整 broker.conf 中的brokerName、brokerId即可
• 如果在不同的服务器的话
  • 不用使用 --network rocketmq-net
  • -e "NAMESRV_ADDR=rocketmq-namesrv:9876"中的 rocketmq-namesrv 需要修改为对应服务器的IP
  • 后面Dashboard中的配置同理

部署 Dashboard

• 创建目录和修改权限

mkdir -p /opt/soft/rocketmq-5.1.4-docker/console/data
chmod 777 /opt/soft/rocketmq-5.1.4-docker/console/data

• 配置用户名和密码 $ vim /opt/soft/rocketmq-5.1.4-docker/console/data/users.properties

# This file supports hot change, any change will be auto-reloaded without Console restarting.
# Format: a user per line, username=password[,N] #N is optional, 0 (Normal User); 1 (Admin)
# Define Admin
# === 规则「用户名=密码,权限」。权限为1表示管理员，为0表示普通用户 ===
admin=admin123,1
# Define Users
# === 屏蔽下边两个账户 ==
#user1=user1
#user2=user2

• 启动 Dashboard

docker run -d --name rocketmq-console \
--network rocketmq-net \
--restart=always \
-p 10100:8080 \
-v /opt/soft/rocketmq-5.1.4-docker/console/data:/tmp/rocketmq-console/data \
-e "JAVA_OPTS=-Drocketmq.namesrv.addr=rocketmq-namesrv:9876 -Dcom.rocketmq.sendMessageWithVIPChannel=false -Drocketmq.config.loginRequired=true" \
apacherocketmq/rocketmq-dashboard:latest

# 当-Drocketmq.config.loginRequired为false时，则Dashboard不需要登录用户和密码
# 这里的 rocketmq-namesrv 是NameServer的地址

• 直接访问http://<Dashboard的IP>:10100，输入前面配置的用户、密码
• 现在已经可以正常使用了

开启 ACL

修改所有Broker节点

• 编辑Broker配置文件，命令样例 vim /opt/soft/rocketmq-5.1.4-docker/broker/broker-a/conf/broker.conf

# 配置下面这段
# 开启鉴权
aclEnable = true

• 编辑ACL配置文件，命令样例 vim /opt/soft/rocketmq-5.1.4-docker/broker/broker-a/conf/plain_acl.yml

globalWhiteRemoteAddresses:
  # 注释掉全局白名单，所有IP皆可访问，根据自己需求进行控制
  #- 10.10.103.*
  #- 192.168.0.*

accounts:
  - accessKey: RocketMQ
    secretKey: 12345678
    whiteRemoteAddress:
    admin: false
    defaultTopicPerm: DENY
    defaultGroupPerm: SUB
    topicPerms:
      - topicA=DENY
      - topicB=PUB|SUB
      - topicC=SUB
    groupPerms:
      # the group should convert to retry topic
      - groupA=DENY
      - groupB=PUB|SUB
      - groupC=SUB

  - accessKey: rocketmq2
    secretKey: 12345678
    whiteRemoteAddress: 192.168.1.*
    # if it is admin, it could access all resources
    admin: true

  # 添加一个给Dashboard使用的用户
  - accessKey: console
    secretKey: 12345678
    whiteRemoteAddress:
    admin: true

• 重启Broker节点 $ docker restart <容器ID>

修改 Dashboard 启动命令

• 移除已部署的Dashboard，样例命令 $ docker rm -f <容器ID>
• 在启动命令中添加accessKey、secretKey

docker run -d --name rocketmq-console \
--network rocketmq-net \
--restart=always \
-p 10100:8080 \
-v /opt/soft/rocketmq-5.1.4-docker/console/data:/tmp/rocketmq-console/data \
-e "JAVA_OPTS=-Drocketmq.namesrv.addr=rocketmq-namesrv:9876 -Dcom.rocketmq.sendMessageWithVIPChannel=false -Drocketmq.config.loginRequired=true -Drocketmq.config.accessKey=console -Drocketmq.config.secretKey=12345678" \
apacherocketmq/rocketmq-dashboard:latest

参考

• https://github.com/apache/rocketmq-dashboard/blob/master/docs/1_0_0/UserGuide_CN.md
• https://blog.csdn.net/qq_28929579/article/details/132337504