Starting Sentry with docker-compose + LDAP login authentication


1. Install Docker

sudo yum install -y yum-utils
sudo yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
yum-config-manager --enable docker-ce-edge
yum -y install docker-ce
systemctl start docker.service
docker --version

Configure a registry mirror (accelerator)

sudo mkdir -p /etc/docker
sudo tee /etc/docker/daemon.json <<-'EOF'
{
  "registry-mirrors": ["https://hkoa9dfz.mirror.aliyuncs.com"]
}
EOF
sudo systemctl daemon-reload
sudo systemctl restart docker.service

2. Install docker-compose

Download:

wget https://github.com/docker/compose/releases/download/1.24.0/docker-compose-Linux-x86_64
chmod +x docker-compose-Linux-x86_64 && mv docker-compose-Linux-x86_64 /usr/local/bin/docker-compose

Check the version

docker-compose -v

git clone https://github.com/getsentry/onpremise.git

cd onpremise

./install.sh

Start all services

docker-compose up -d

Verify that the containers are running

docker ps

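3. Configure LDAP unified authentication login

The LDAP plugin that ships with Sentry does not support OpenLDAP, so a third-party plugin is used instead. Installing a third-party plugin into the official Docker setup is not that convenient.

Because docker-compose is used, containers are destroyed and recreated on restart, so dependencies installed by hand inside a running container are lost after a restart.

The fix is to rebuild the image.

The Dockerfile is as follows: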


FROM getsentry/sentry:nightly
# Build dependencies needed to compile python-ldap for sentry-ldap-auth
RUN apt-get update && \
    apt-get install -y --no-install-recommends gcc libsasl2-dev python-dev libldap2-dev libssl-dev && \
    rm -r /var/lib/apt/lists/*
ENTRYPOINT ["/entrypoint.sh"]

# Rebuild the image

docker build -t getsentry/sentry:new .
[root@suc01:/root/onpremise]# docker images
REPOSITORY                               TAG                 IMAGE ID            CREATED             SIZE
sentry-cleanup-self-hosted-local         latest              a174b274a692        About an hour ago   1.12GB
getsentry/sentry                         new                 708cb68c8127        3 hours ago         1.12GB
snuba-cleanup-self-hosted-local          latest              acc60791fd00        4 hours ago         935MB
symbolicator-cleanup-self-hosted-local   latest              79dc15c75d19        4 hours ago         189MB
<none>                                   <none>              ba0a68c1140a        4 hours ago         452MB
nginx                                    1.21.6-alpine       51696c87e77e        10 days ago         23.4MB
getsentry/sentry                         nightly             50aafae28c26        3 months ago        934MB
getsentry/symbolicator                   nightly             22fb79d6a206        3 months ago        188MB
getsentry/snuba                          nightly             60c296733972        3 months ago        450MB
postgres                                 9.6                 c5e8774084fa        3 months ago        200MB
busybox                                  latest              beae173ccac6        3 months ago        1.24MB

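After rebuilding there are two options:

1. Give the original image a new tag and tag the newly built image with the original image's tag, so the .env configuration does not need to change.

2. If the rebuilt image gets a new tag, .env must be modified: change SENTRY_IMAGE=getsentry/sentry:nightly to SENTRY_IMAGE=getsentry/sentry:new.

Add the following configuration

From the onpremise/ directory:

echo "sentry-ldap-auth" >> sentry/requirements.txt

I chose the latter: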

# cat /onpremise/.env
COMPOSE_PROJECT_NAME=sentry-self-hosted
SENTRY_EVENT_RETENTION_DAYS=90
# You can either use a port number or an IP:PORT combo for SENTRY_BIND
# See https://docs.docker.com/compose/compose-file/#ports for more
SENTRY_BIND=9000
# Set SENTRY_MAIL_HOST to a valid FQDN (host/domain name) to be able to send emails!
# SENTRY_MAIL_HOST=example.com
# Change the image version here
SENTRY_IMAGE=getsentry/sentry:new
SNUBA_IMAGE=getsentry/snuba:nightly
RELAY_IMAGE=getsentry/relay:nightly
SYMBOLICATOR_IMAGE=getsentry/symbolicator:nightly
WAL2JSON_VERSION=latest
HEALTHCHECK_INTERVAL=30s
HEALTHCHECK_TIMEOUT=60s
HEALTHCHECK_RETRIES=5

Modify onpremise/sentry/sentry.conf.py and add the LDAP configuration

#############
# LDAP auth #
#############

import ldap
from django_auth_ldap.config import LDAPSearch, GroupOfUniqueNamesType

# LDAP server, change as needed
AUTH_LDAP_SERVER_URI = 'ldap://192.168.3.100:389'
# Bind user DN, change as needed
AUTH_LDAP_BIND_DN = 'cn=admin,dc=nedy,dc=com'
# Bind password, change as needed
AUTH_LDAP_BIND_PASSWORD = 'ER#Bad$2Fish'

# User search base, change as needed
AUTH_LDAP_USER_SEARCH = LDAPSearch(
    'ou=people,dc=eyolo,dc=net',
    ldap.SCOPE_SUBTREE,
    '(uid=%(user)s)',
)

# Group search base, change as needed
AUTH_LDAP_GROUP_SEARCH = LDAPSearch(
    'ou=sentry,ou=group,dc=nedy,dc=com',
    ldap.SCOPE_SUBTREE,
    '(objectClass=groupOfUniqueNames)'
)

AUTH_LDAP_GROUP_TYPE = GroupOfUniqueNamesType()
AUTH_LDAP_REQUIRE_GROUP = None
AUTH_LDAP_DENY_GROUP = None

AUTH_LDAP_USER_ATTR_MAP = {
    'name': 'description',
    'email': 'mail'
}

AUTH_LDAP_FIND_GROUP_PERMS = False
AUTH_LDAP_CACHE_GROUPS = True
AUTH_LDAP_GROUP_CACHE_TIMEOUT = 3600

AUTH_LDAP_DEFAULT_SENTRY_ORGANIZATION = u'Sentry'
AUTH_LDAP_SENTRY_ORGANIZATION_ROLE_TYPE = 'member'
AUTH_LDAP_SENTRY_ORGANIZATION_GLOBAL_ACCESS = True
AUTH_LDAP_SENTRY_SUBSCRIBE_BY_DEFAULT = True

AUTH_LDAP_SENTRY_USERNAME_FIELD = 'cn'
SENTRY_MANAGED_USER_FIELDS = ('email', 'first_name', 'last_name', 'password', )

AUTHENTICATION_BACKENDS = AUTHENTICATION_BACKENDS + (
    'sentry_ldap_auth.backend.SentryLdapBackend',
)

# optional, for debugging
import logging
logger = logging.getLogger('django_auth_ldap')
logger.addHandler(logging.StreamHandler())
logger.addHandler(logging.FileHandler('/tmp/ldap2.log'))
logger.setLevel('DEBUG')

LOGGING['overridable'] = ['sentry', 'django_auth_ldap']
LOGGING['loggers']['django_auth_ldap'] = {
    'handlers': ['console'],
    'level': 'DEBUG'
}
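
A static check for the settings above, as an added example (not part of the original post or of sentry-ldap-auth): it parses the text of a sentry.conf.py with Python's ast module, without executing it, and flags a cleartext ldap:// URI without AUTH_LDAP_START_TLS, a literal bind password, AUTH_LDAP_REQUIRE_GROUP = None (any account matched by the user search can log in), and a debug log file under /tmp. The finding codes, the sample hostnames and DNs, and the LDAP_BIND_PASSWORD variable name are assumptions made for the example.

```python
import ast

# Constructed sample: setting names from the page, placeholder values.
SAMPLE_CONF = """
AUTH_LDAP_SERVER_URI = 'ldap://ldap.example.internal:389'
AUTH_LDAP_BIND_DN = 'cn=admin,dc=example,dc=com'
AUTH_LDAP_BIND_PASSWORD = 'constructed-placeholder'
AUTH_LDAP_REQUIRE_GROUP = None
logger.addHandler(logging.FileHandler('/tmp/ldap2.log'))
"""

# Constructed hardened counterpart: LDAPS, secret from env, group required.
HARDENED_CONF = """
import os
AUTH_LDAP_SERVER_URI = 'ldaps://ldap.example.internal:636'
AUTH_LDAP_BIND_DN = 'cn=sentry-ro,dc=example,dc=com'
AUTH_LDAP_BIND_PASSWORD = os.environ['LDAP_BIND_PASSWORD']  # hypothetical name
AUTH_LDAP_REQUIRE_GROUP = 'cn=sentry-users,ou=group,dc=example,dc=com'
"""

_UNSET = object()

def _literal(node):
    """Value of a literal AST node, or _UNSET for anything computed."""
    return node.value if isinstance(node, ast.Constant) else _UNSET

def audit_ldap_conf(source):
    """Return sorted finding codes for the text of a sentry.conf.py."""
    settings, findings = {}, set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Assign) and isinstance(node.targets[0], ast.Name):
            settings[node.targets[0].id] = _literal(node.value)
        elif (isinstance(node, ast.Call) and node.args
              and getattr(node.func, "attr", "") == "FileHandler"
              and str(_literal(node.args[0])).startswith("/tmp/")):
            findings.add("LOG_FILE_IN_TMP")
    uri = settings.get("AUTH_LDAP_SERVER_URI", "")
    if (isinstance(uri, str) and uri.startswith("ldap://")
            and settings.get("AUTH_LDAP_START_TLS") is not True):
        findings.add("CLEARTEXT_LDAP")
    if isinstance(settings.get("AUTH_LDAP_BIND_PASSWORD"), str):
        findings.add("HARDCODED_BIND_PASSWORD")
    if settings.get("AUTH_LDAP_REQUIRE_GROUP") is None:
        findings.add("NO_REQUIRED_GROUP")
    return sorted(findings)

if __name__ == "__main__":
    print(audit_ldap_conf(SAMPLE_CONF))
    print(audit_ldap_conf(HARDENED_CONF))
```
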

Restart

From the onpremise/ directory:

docker-compose down

docker-compose build

docker-compose up -d



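Copyright notice: This is an original article by tongzidane, licensed under CC 4.0 BY-SA. When reposting, include a link to the original source and this notice.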