一、环境初始化
1. 创建目录结构
bash
# Host directories that the compose file bind-mounts. Creating them up front
# makes them owned by the current user instead of being created as root by
# Docker on first start.
# NOTE(review): the compose file also mounts mysql/data, mysql/log,
# redis/data, nacos/{conf,data,logs} and rabbitmq/data, which are not in this
# list — Docker will create those as root unless they are added here.
mkdir -p /home/ops_app_user/middleware/{mysql/config,redis/config,nacos,minio/data,minio/config}
2. 生成安全密钥
bash
openssl rand -base64 32
3. 创建自定义网络
bash
docker network create middleware-network
4. 配置环境变量
bash
# Secrets consumed by docker-compose through ${VAR} substitution.
# The quoted values are placeholders ("强密码" = strong password, "xxx") and
# must be replaced. Exported variables are inherited by every child process
# and show up in `docker inspect`; a 0600 `.env` file next to the compose file
# is the usual alternative to exporting them in an interactive shell.
MYSQL_ROOT_PASSWORD="强密码"
REDIS_PASSWORD="强密码"
MYSQL_NACOS_PASSWORD="强密码"
MINIO_ROOT_USER="minioadmin"
MINIO_ROOT_PASSWORD="强密码"
# Format: <key-name>:<base64 key>, the key being the `openssl rand` output above.
MINIO_KMS_SECRET_KEY="my-key:上一步生成的密钥"
RABBITMQ_USER="xxx"
RABBITMQ_PASSWORD="xxxx"
export MYSQL_ROOT_PASSWORD REDIS_PASSWORD MYSQL_NACOS_PASSWORD \
  MINIO_ROOT_USER MINIO_ROOT_PASSWORD MINIO_KMS_SECRET_KEY \
  RABBITMQ_USER RABBITMQ_PASSWORD
二、配置文件初始化
1. MySQL 配置文件
bash
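# Extract the image's default my.cnf to the host so it can be edited and
# bind-mounted back by the compose file.
# Do NOT bind-mount the (still empty) host config dir over /etc/mysql here:
# the mount hides the image's own /etc/mysql, `cat` then fails and an empty
# my.cnf is written to the host.
docker run --rm mysql:8.0.39 cat /etc/mysql/my.cnf \
  > /home/ops_app_user/middleware/mysql/config/my.cnf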
2. Redis 配置文件
bash
# Write the redis.conf that the compose service mounts. The password is not
# stored here; it is supplied at runtime via `--requirepass` in the compose
# `command`. `bind 0.0.0.0` is needed for the published port to reach the
# container, and `protected-mode no` is only acceptable because
# --requirepass is always set — keep both facts in mind if the command changes.
printf '%s\n' \
  'bind 0.0.0.0' \
  'protected-mode no' \
  'daemonize no' \
  'appendonly yes' \
  'appendfilename "appendonly.aof"' \
  'appendfsync everysec' \
  'auto-aof-rewrite-percentage 100' \
  'auto-aof-rewrite-min-size 64mb' \
  > /home/ops_app_user/middleware/redis/config/redis.conf
三、docker-compose.yaml 部署文件(优化版)
yaml
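# docker-compose.yaml — middleware stack (MySQL, Redis, Nacos, MinIO, RabbitMQ).
# Every ${VAR} is substituted from the exported environment (or a .env file).
# Indentation restored; the only functional change is dropping `privileged: true`
# on minio (see comment there).
# NOTE: the `version` key is ignored by Compose v2; kept only for Compose v1.
version: '3.8'

services:
  # MySQL 8.0 — also hosts the `nacos` schema used by the Nacos service.
  mysql:
    image: mysql:8.0.39
    container_name: mysql
    restart: always
    # Published on all host interfaces (bypasses host firewall rules on Docker
    # hosts); use "127.0.0.1:3306:3306" if only local clients need it —
    # containers reach it through middleware-network anyway.
    ports:
      - "3306:3306"
    environment:
      MYSQL_ROOT_PASSWORD: ${MYSQL_ROOT_PASSWORD}
      TZ: Asia/Shanghai
    volumes:
      - /home/ops_app_user/middleware/mysql/config/conf.d:/etc/mysql/conf.d
      - /home/ops_app_user/middleware/mysql/data:/var/lib/mysql
      - /home/ops_app_user/middleware/mysql/config/my.cnf:/etc/mysql/my.cnf
      - /home/ops_app_user/middleware/mysql/log:/var/log/mysql
      - /etc/localtime:/etc/localtime:ro
      - /etc/timezone:/etc/timezone:ro
    # mysql_native_password is deprecated in 8.0 (still accepted by 8.0.39);
    # kept for clients that cannot use caching_sha2_password.
    command: --default-authentication-plugin=mysql_native_password --character-set-server=utf8mb4 --collation-server=utf8mb4_unicode_ci
    networks:
      - middleware-network

  # Redis — the password is injected via --requirepass rather than stored in
  # redis.conf; note it is therefore visible in `docker inspect` and in the
  # container's process list.
  redis:
    image: redis:6.2-alpine
    container_name: redis
    restart: always
    ports:
      - "6379:6379"
    volumes:
      - /home/ops_app_user/middleware/redis/data:/data
      - /home/ops_app_user/middleware/redis/config/redis.conf:/etc/redis/redis.conf
    command: redis-server /etc/redis/redis.conf --requirepass ${REDIS_PASSWORD}
    networks:
      - middleware-network

  # Nacos (standalone, MySQL-backed). 9848 is the gRPC port (8848 + 1000).
  nacos:
    image: nacos/nacos-server:v2.3.2
    container_name: nacos
    restart: always
    ports:
      - "8848:8848"
      - "9848:9848"
    environment:
      MODE: standalone
      SPRING_DATASOURCE_PLATFORM: mysql
      MYSQL_SERVICE_HOST: mysql
      MYSQL_SERVICE_PORT: 3306
      MYSQL_SERVICE_DB_NAME: nacos
      MYSQL_SERVICE_USER: nacos_user
      MYSQL_SERVICE_PASSWORD: ${MYSQL_NACOS_PASSWORD}
    volumes:
      # conf is populated from the image in section 五 below.
      - /home/ops_app_user/middleware/nacos/conf:/home/nacos/conf
      - /home/ops_app_user/middleware/nacos/data:/home/nacos/data
      - /home/ops_app_user/middleware/nacos/logs:/home/nacos/logs
    # depends_on only orders startup; Nacos may still retry until MySQL is ready.
    depends_on:
      - mysql
    networks:
      - middleware-network

  # MinIO — API on host 9100, console on host 9111.
  minio:
    restart: always
    container_name: minio
    # `latest` is not reproducible; pin to a validated release tag
    # (e.g. minio/minio:RELEASE.<date>) once one has been tested.
    image: minio/minio:latest
    # `privileged: true` removed: `minio server` needs no extra capabilities,
    # and privileged mode hands the container full access to the host.
    ports:
      - "9100:9000"
      - "9111:9111"
    volumes:
      - /home/ops_app_user/middleware/minio/data:/data
      - /home/ops_app_user/middleware/minio/config:/root/.minio
      - /etc/localtime:/etc/localtime:ro
    environment:
      TZ: Asia/Shanghai
      MINIO_ROOT_USER: ${MINIO_ROOT_USER}
      MINIO_ROOT_PASSWORD: ${MINIO_ROOT_PASSWORD}
      # Plain HTTP on a LAN address; credentials and data travel unencrypted
      # unless a TLS-terminating proxy is placed in front.
      MINIO_SERVER_URL: http://192.168.11.47:9100
      MINIO_BROWSER_REDIRECT_URL: http://192.168.11.47:9111
      # <key-name>:<base64 key>; losing this key makes SSE-S3 objects unreadable.
      MINIO_KMS_SECRET_KEY: ${MINIO_KMS_SECRET_KEY}
    command: server /data --console-address ":9111"
    healthcheck:
      # NOTE(review): relies on curl being present in the image; recent
      # minio/minio images do not ship it and the vendor suggests
      # `mc ready local` instead — verify against the pinned tag.
      test: ["CMD", "curl", "-f", "http://localhost:9000/minio/health/live"]
      interval: 5s
      timeout: 3s
      retries: 10
    networks:
      - middleware-network

  rabbitmq:
    image: rabbitmq:3.13-management
    container_name: rabbitmq
    restart: always
    ports:
      - "5672:5672"   # AMQP client port
      - "15672:15672" # web management console
    environment:
      TZ: Asia/Shanghai
      RABBITMQ_DEFAULT_USER: ${RABBITMQ_USER}     # admin account
      RABBITMQ_DEFAULT_PASS: ${RABBITMQ_PASSWORD} # admin password
    volumes:
      - /home/ops_app_user/middleware/rabbitmq/data:/var/lib/rabbitmq # data persistence
      - /etc/localtime:/etc/localtime:ro
    networks:
      - middleware-network

networks:
  middleware-network:
    # Created beforehand with `docker network create middleware-network`.
    external: true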
四、MySQL 初始化 Nacos 库(安全版)
1. 创建数据库与用户
sql
-- Dedicated schema and account for Nacos (matches MYSQL_SERVICE_* in compose).
-- '${MYSQL_NACOS_PASSWORD}' is NOT expanded by MySQL: substitute the real
-- value before running this (e.g. feed the script through a shell here-doc),
-- otherwise the literal text "${MYSQL_NACOS_PASSWORD}" becomes the password.
-- 'nacos_user'@'%' accepts logins from any host; narrow it to the Docker
-- network's subnet if that subnet is fixed.
CREATE DATABASE IF NOT EXISTS nacos
  CHARACTER SET utf8mb4
  COLLATE utf8mb4_unicode_ci;
CREATE USER 'nacos_user'@'%' IDENTIFIED BY '${MYSQL_NACOS_PASSWORD}';
-- Only the nacos schema, nothing global.
GRANT ALL ON nacos.* TO 'nacos_user'@'%';
FLUSH PRIVILEGES;
2. 执行 Nacos 官方表结构
(直接使用你提供的 SQL 即可)
五、Nacos 配置修复(必须执行)
1. 删除错误配置
bash
rm -rf /home/ops_app_user/middleware/nacos/conf
2. 从官方镜像复制标准配置
bash
docker run --rm --entrypoint /bin/sh nacos/nacos-server:v2.3.2 -c 'tar -cf - -C /home/nacos conf' | tar -xf - -C /home/ops_app_user/middleware/nacos/
3. 重启 Nacos
bash
# Stop the nacos service and bring it back with the restored conf directory.
# Run from the directory holding docker-compose.yaml. `up -d` (rather than
# `start`) also re-creates the container if its compose definition changed.
docker-compose stop nacos
docker-compose up -d nacos
六、Nacos 开启安全鉴权(加固)
修改 application.properties 添加:
properties
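# Enable authentication for the Nacos API and console.
nacos.core.auth.enabled=true
# Use the built-in auth plugin (optional; "nacos" is the default).
nacos.core.auth.system.type=nacos
# HMAC key used to sign JWT tokens: the base64 encoding of at least 32 random
# bytes (e.g. `openssl rand -base64 32`). The value originally here was the
# example key from the Nacos documentation and was reused for the server
# identity below — generate a unique value for each of the three settings.
nacos.core.auth.plugin.nacos.token.secret.key=<REPLACE-WITH-BASE64-32-BYTE-SECRET>
# Token lifetime in seconds (default 18000 = 5 hours).
nacos.core.auth.plugin.nacos.token.expire.seconds=18000
# Do not let requests bypass auth merely because they carry the Nacos server
# User-Agent; must be false in a hardened deployment (this is not a console
# login switch).
nacos.core.auth.enable.userAgentAuthWhite=false
# Server-to-server identity: the request header name and the value Nacos
# nodes present to each other. Treat the value as a secret distinct from the
# token key.
nacos.core.auth.server.identity.key=<REPLACE-WITH-IDENTITY-HEADER-NAME>
nacos.core.auth.server.identity.value=<REPLACE-WITH-IDENTITY-HEADER-VALUE>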
七、Minio自动加解密
bash
bash-5.1# echo $MINIO_BROWSER_REDIRECT_URL
http://xxxx:9111
bash-5.1# echo $MINIO_SERVER_URL
http://xxx:9100
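# Enable SSE-S3 (server-side encryption using the key from
# MINIO_KMS_SECRET_KEY) on every application bucket.
# Prerequisite: an `mc` alias named myminio pointing at this server, e.g.
# `mc alias set myminio http://<host>:<port>` (mc prompts for the credentials
# when they are omitted, which keeps them out of `ps` and shell history).
#
# NOTE(review): exporting these two variables in a shell does not reconfigure
# an already-running MinIO server; they take effect only through the compose
# `environment`. They are kept as written (placeholder hosts), but note the
# port 8001 here differs from the 9100/9111 published by the compose file.
export MINIO_SERVER_URL="http://xxx:8001"
export MINIO_BROWSER_REDIRECT_URL="http://xxxx:8001"

# Confirm the KMS root key is reachable before enabling encryption.
mc admin kms key status myminio

# Buckets to encrypt; a failure on one bucket is reported and the rest proceed.
buckets=(user-bucket default-bucket draft-bucket system-bucket task-bucket)
for b in "${buckets[@]}"; do
  mc encrypt set sse-s3 "myminio/${b}" \
    || printf 'failed to enable sse-s3 on %s\n' "$b" >&2
done

# Spot-check the resulting bucket encryption setting.
mc encrypt info myminio/user-bucket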