mirror of
https://github.com/openimsdk/open-im-server.git
synced 2025-06-19 17:59:41 +08:00
1baf9a8e0f
* feat: Implement etcd and kafka auth. * Update etcd command contents. * update contents. * feat: update auth logic to compatible old version. * update comment. * update contents.
318 lines
12 KiB
YAML
318 lines
12 KiB
YAML
networks:
|
|
openim:
|
|
driver: bridge
|
|
|
|
services:
|
|
mongodb:
|
|
image: "${MONGO_IMAGE}"
|
|
ports:
|
|
- "37017:27017"
|
|
container_name: mongo
|
|
command: >
|
|
bash -c '
|
|
docker-entrypoint.sh mongod --wiredTigerCacheSizeGB $$wiredTigerCacheSizeGB --auth &
|
|
until mongosh -u $$MONGO_INITDB_ROOT_USERNAME -p $$MONGO_INITDB_ROOT_PASSWORD --authenticationDatabase admin --eval "db.runCommand({ ping: 1 })" &>/dev/null; do
|
|
echo "Waiting for MongoDB to start..."
|
|
sleep 1
|
|
done &&
|
|
mongosh -u $$MONGO_INITDB_ROOT_USERNAME -p $$MONGO_INITDB_ROOT_PASSWORD --authenticationDatabase admin --eval "
|
|
db = db.getSiblingDB(\"$$MONGO_INITDB_DATABASE\");
|
|
if (!db.getUser(\"$$MONGO_OPENIM_USERNAME\")) {
|
|
db.createUser({
|
|
user: \"$$MONGO_OPENIM_USERNAME\",
|
|
pwd: \"$$MONGO_OPENIM_PASSWORD\",
|
|
roles: [{role: \"readWrite\", db: \"$$MONGO_INITDB_DATABASE\"}]
|
|
});
|
|
print(\"User created successfully: \");
|
|
print(\"Username: $$MONGO_OPENIM_USERNAME\");
|
|
print(\"Password: $$MONGO_OPENIM_PASSWORD\");
|
|
print(\"Database: $$MONGO_INITDB_DATABASE\");
|
|
} else {
|
|
print(\"User already exists in database: $$MONGO_INITDB_DATABASE, Username: $$MONGO_OPENIM_USERNAME\");
|
|
}
|
|
" &&
|
|
tail -f /dev/null
|
|
'
|
|
volumes:
|
|
- "${DATA_DIR}/components/mongodb/data/db:/data/db"
|
|
- "${DATA_DIR}/components/mongodb/data/logs:/data/logs"
|
|
- "${DATA_DIR}/components/mongodb/data/conf:/etc/mongo"
|
|
- "${MONGO_BACKUP_DIR}:/data/backup"
|
|
environment:
|
|
- TZ=Asia/Shanghai
|
|
- wiredTigerCacheSizeGB=1
|
|
- MONGO_INITDB_ROOT_USERNAME=root
|
|
- MONGO_INITDB_ROOT_PASSWORD=openIM123
|
|
- MONGO_INITDB_DATABASE=openim_v3
|
|
- MONGO_OPENIM_USERNAME=openIM
|
|
- MONGO_OPENIM_PASSWORD=openIM123
|
|
restart: always
|
|
networks:
|
|
- openim
|
|
|
|
redis:
|
|
image: "${REDIS_IMAGE}"
|
|
container_name: redis
|
|
ports:
|
|
- "16379:6379"
|
|
volumes:
|
|
- "${DATA_DIR}/components/redis/data:/data"
|
|
- "${DATA_DIR}/components/redis/config/redis.conf:/usr/local/redis/config/redis.conf"
|
|
environment:
|
|
TZ: Asia/Shanghai
|
|
restart: always
|
|
sysctls:
|
|
net.core.somaxconn: 1024
|
|
command: redis-server /usr/local/redis/config/redis.conf --requirepass openIM123 --appendonly yes
|
|
networks:
|
|
- openim
|
|
|
|
etcd:
|
|
image: "${ETCD_IMAGE}"
|
|
container_name: etcd
|
|
ports:
|
|
- "12379:2379"
|
|
- "12380:2380"
|
|
environment:
|
|
- ETCD_NAME=s1
|
|
- ETCD_DATA_DIR=/etcd-data
|
|
- ETCD_LISTEN_CLIENT_URLS=http://0.0.0.0:2379
|
|
- ETCD_ADVERTISE_CLIENT_URLS=http://0.0.0.0:2379
|
|
- ETCD_LISTEN_PEER_URLS=http://0.0.0.0:2380
|
|
- ETCD_INITIAL_ADVERTISE_PEER_URLS=http://0.0.0.0:2380
|
|
- ETCD_INITIAL_CLUSTER=s1=http://0.0.0.0:2380
|
|
- ETCD_INITIAL_CLUSTER_TOKEN=tkn
|
|
- ETCD_INITIAL_CLUSTER_STATE=new
|
|
- ALLOW_NONE_AUTHENTICATION=no
|
|
|
|
## Optional: Enable etcd authentication by setting the following credentials
|
|
# - ETCD_ROOT_USER=root
|
|
# - ETCD_ROOT_PASSWORD=openIM123
|
|
# - ETCD_USERNAME=openIM
|
|
# - ETCD_PASSWORD=openIM123
|
|
volumes:
|
|
- "${DATA_DIR}/components/etcd:/etcd-data"
|
|
command: >
|
|
/bin/sh -c '
|
|
etcd &
|
|
export ETCDCTL_API=3
|
|
echo "Waiting for etcd to become healthy..."
|
|
until etcdctl --endpoints=http://127.0.0.1:2379 endpoint health &>/dev/null; do
|
|
echo "Waiting for ETCD to start..."
|
|
sleep 1
|
|
done
|
|
|
|
echo "etcd is healthy."
|
|
|
|
if [ -n "$${ETCD_ROOT_USER}" ] && [ -n "$${ETCD_ROOT_PASSWORD}" ] && [ -n "$${ETCD_USERNAME}" ] && [ -n "$${ETCD_PASSWORD}" ]; then
|
|
echo "Authentication credentials provided. Setting up authentication..."
|
|
|
|
echo "Checking authentication status..."
|
|
if ! etcdctl --endpoints=http://127.0.0.1:2379 auth status | grep -q "Authentication Status: true"; then
|
|
echo "Authentication is disabled. Creating users and enabling..."
|
|
|
|
# Create users and setup permissions
|
|
etcdctl --endpoints=http://127.0.0.1:2379 user add $${ETCD_ROOT_USER} --new-user-password=$${ETCD_ROOT_PASSWORD} || true
|
|
etcdctl --endpoints=http://127.0.0.1:2379 user add $${ETCD_USERNAME} --new-user-password=$${ETCD_PASSWORD} || true
|
|
|
|
etcdctl --endpoints=http://127.0.0.1:2379 role add openim-role || true
|
|
etcdctl --endpoints=http://127.0.0.1:2379 role grant-permission openim-role --prefix=true readwrite / || true
|
|
etcdctl --endpoints=http://127.0.0.1:2379 role grant-permission openim-role --prefix=true readwrite "" || true
|
|
etcdctl --endpoints=http://127.0.0.1:2379 user grant-role $${ETCD_USERNAME} openim-role || true
|
|
|
|
etcdctl --endpoints=http://127.0.0.1:2379 user grant-role $${ETCD_ROOT_USER} $${ETCD_USERNAME} root || true
|
|
|
|
echo "Enabling authentication..."
|
|
etcdctl --endpoints=http://127.0.0.1:2379 auth enable
|
|
echo "Authentication enabled successfully"
|
|
else
|
|
echo "Authentication is already enabled. Checking OpenIM user..."
|
|
|
|
# Check if openIM user exists and can perform operations
|
|
if ! etcdctl --endpoints=http://127.0.0.1:2379 --user=$${ETCD_USERNAME}:$${ETCD_PASSWORD} put /test/auth "auth-check" &>/dev/null; then
|
|
echo "OpenIM user test failed. Recreating user with root credentials..."
|
|
|
|
# Try to create/update the openIM user using root credentials
|
|
etcdctl --endpoints=http://127.0.0.1:2379 --user=$${ETCD_ROOT_USER}:$${ETCD_ROOT_PASSWORD} user add $${ETCD_USERNAME} --new-user-password=$${ETCD_PASSWORD} --no-password-file || true
|
|
etcdctl --endpoints=http://127.0.0.1:2379 --user=$${ETCD_ROOT_USER}:$${ETCD_ROOT_PASSWORD} role add openim-role || true
|
|
etcdctl --endpoints=http://127.0.0.1:2379 --user=$${ETCD_ROOT_USER}:$${ETCD_ROOT_PASSWORD} role grant-permission openim-role --prefix=true readwrite / || true
|
|
etcdctl --endpoints=http://127.0.0.1:2379 --user=$${ETCD_ROOT_USER}:$${ETCD_ROOT_PASSWORD} role grant-permission openim-role --prefix=true readwrite "" || true
|
|
etcdctl --endpoints=http://127.0.0.1:2379 --user=$${ETCD_ROOT_USER}:$${ETCD_ROOT_PASSWORD} user grant-role $${ETCD_USERNAME} openim-role || true
|
|
etcdctl --endpoints=http://127.0.0.1:2379 user grant-role $${ETCD_ROOT_USER} $${ETCD_USERNAME} root || true
|
|
|
|
echo "OpenIM user recreated with required permissions"
|
|
else
|
|
echo "OpenIM user exists and has correct permissions"
|
|
etcdctl --endpoints=http://127.0.0.1:2379 --user=$${ETCD_USERNAME}:$${ETCD_PASSWORD} del /test/auth &>/dev/null
|
|
fi
|
|
fi
|
|
echo "Testing authentication with OpenIM user..."
|
|
if etcdctl --endpoints=http://127.0.0.1:2379 --user=$${ETCD_USERNAME}:$${ETCD_PASSWORD} put /test/auth "auth-works"; then
|
|
echo "Authentication working properly"
|
|
etcdctl --endpoints=http://127.0.0.1:2379 --user=$${ETCD_USERNAME}:$${ETCD_PASSWORD} del /test/auth
|
|
else
|
|
echo "WARNING: Authentication test failed"
|
|
fi
|
|
else
|
|
echo "No authentication credentials provided. Running in no-auth mode."
|
|
echo "To enable authentication, set ETCD_ROOT_USER, ETCD_ROOT_PASSWORD, ETCD_USERNAME, and ETCD_PASSWORD environment variables."
|
|
fi
|
|
|
|
tail -f /dev/null
|
|
'
|
|
restart: always
|
|
networks:
|
|
- openim
|
|
|
|
kafka:
|
|
image: "${KAFKA_IMAGE}"
|
|
container_name: kafka
|
|
user: root
|
|
restart: always
|
|
ports:
|
|
- "19094:9094"
|
|
volumes:
|
|
- "${DATA_DIR}/components/kafka:/bitnami/kafka"
|
|
environment:
|
|
#KAFKA_HEAP_OPTS: "-Xms128m -Xmx256m"
|
|
TZ: Asia/Shanghai
|
|
KAFKA_CFG_NODE_ID: 0
|
|
KAFKA_CFG_PROCESS_ROLES: controller,broker
|
|
KAFKA_CFG_CONTROLLER_QUORUM_VOTERS: 0@kafka:9093
|
|
KAFKA_CFG_CONTROLLER_LISTENER_NAMES: CONTROLLER
|
|
KAFKA_NUM_PARTITIONS: 8
|
|
KAFKA_CFG_AUTO_CREATE_TOPICS_ENABLE: "true"
|
|
|
|
KAFKA_CFG_LISTENERS: "PLAINTEXT://:9092,CONTROLLER://:9093,EXTERNAL://:9094"
|
|
KAFKA_CFG_ADVERTISED_LISTENERS: "PLAINTEXT://kafka:9092,EXTERNAL://localhost:19094"
|
|
KAFKA_CFG_LISTENER_SECURITY_PROTOCOL_MAP: "CONTROLLER:PLAINTEXT,EXTERNAL:PLAINTEXT,PLAINTEXT:PLAINTEXT"
|
|
KAFKA_CFG_INTER_BROKER_LISTENER_NAME: "PLAINTEXT"
|
|
|
|
# Authentication configuration variables - comment out to disable auth
|
|
# KAFKA_USERNAME: "openIM"
|
|
# KAFKA_PASSWORD: "openIM123"
|
|
command: >
|
|
/bin/sh -c '
|
|
if [ -n "$${KAFKA_USERNAME}" ] && [ -n "$${KAFKA_PASSWORD}" ]; then
|
|
echo "=== Kafka SASL Authentication ENABLED ==="
|
|
echo "Username: $${KAFKA_USERNAME}"
|
|
|
|
# Set environment variables for SASL authentication
|
|
export KAFKA_CFG_LISTENERS="SASL_PLAINTEXT://:9092,CONTROLLER://:9093,EXTERNAL://:9094"
|
|
export KAFKA_CFG_ADVERTISED_LISTENERS="SASL_PLAINTEXT://kafka:9092,EXTERNAL://localhost:19094"
|
|
export KAFKA_CFG_LISTENER_SECURITY_PROTOCOL_MAP="CONTROLLER:PLAINTEXT,EXTERNAL:SASL_PLAINTEXT,SASL_PLAINTEXT:SASL_PLAINTEXT"
|
|
export KAFKA_CFG_SASL_ENABLED_MECHANISMS="PLAIN"
|
|
export KAFKA_CFG_SASL_MECHANISM_INTER_BROKER_PROTOCOL="PLAIN"
|
|
export KAFKA_CFG_INTER_BROKER_LISTENER_NAME="SASL_PLAINTEXT"
|
|
export KAFKA_CLIENT_USERS="$${KAFKA_USERNAME}"
|
|
export KAFKA_CLIENT_PASSWORDS="$${KAFKA_PASSWORD}"
|
|
fi
|
|
|
|
# Start Kafka with the configured environment
|
|
exec /opt/bitnami/scripts/kafka/entrypoint.sh /opt/bitnami/scripts/kafka/run.sh
|
|
'
|
|
networks:
|
|
- openim
|
|
|
|
minio:
|
|
image: "${MINIO_IMAGE}"
|
|
ports:
|
|
- "10005:9000"
|
|
- "19090:9090"
|
|
container_name: minio
|
|
volumes:
|
|
- "${DATA_DIR}/components/mnt/data:/data"
|
|
- "${DATA_DIR}/components/mnt/config:/root/.minio"
|
|
environment:
|
|
TZ: Asia/Shanghai
|
|
MINIO_ROOT_USER: root
|
|
MINIO_ROOT_PASSWORD: openIM123
|
|
restart: always
|
|
command: minio server /data --console-address ':9090'
|
|
networks:
|
|
- openim
|
|
|
|
openim-web-front:
|
|
image: ${OPENIM_WEB_FRONT_IMAGE}
|
|
container_name: openim-web-front
|
|
restart: always
|
|
ports:
|
|
- "11001:80"
|
|
networks:
|
|
- openim
|
|
|
|
openim-admin-front:
|
|
image: ${OPENIM_ADMIN_FRONT_IMAGE}
|
|
container_name: openim-admin-front
|
|
restart: always
|
|
ports:
|
|
- "11002:80"
|
|
networks:
|
|
- openim
|
|
|
|
prometheus:
|
|
image: ${PROMETHEUS_IMAGE}
|
|
container_name: prometheus
|
|
restart: always
|
|
user: root
|
|
profiles:
|
|
- m
|
|
volumes:
|
|
- ./config/prometheus.yml:/etc/prometheus/prometheus.yml
|
|
- ./config/instance-down-rules.yml:/etc/prometheus/instance-down-rules.yml
|
|
- ${DATA_DIR}/components/prometheus/data:/prometheus
|
|
command:
|
|
- "--config.file=/etc/prometheus/prometheus.yml"
|
|
- "--storage.tsdb.path=/prometheus"
|
|
- "--web.listen-address=:${PROMETHEUS_PORT}"
|
|
network_mode: host
|
|
|
|
alertmanager:
|
|
image: ${ALERTMANAGER_IMAGE}
|
|
container_name: alertmanager
|
|
restart: always
|
|
profiles:
|
|
- m
|
|
volumes:
|
|
- ./config/alertmanager.yml:/etc/alertmanager/alertmanager.yml
|
|
- ./config/email.tmpl:/etc/alertmanager/email.tmpl
|
|
command:
|
|
- "--config.file=/etc/alertmanager/alertmanager.yml"
|
|
- "--web.listen-address=:${ALERTMANAGER_PORT}"
|
|
network_mode: host
|
|
|
|
grafana:
|
|
image: ${GRAFANA_IMAGE}
|
|
container_name: grafana
|
|
user: root
|
|
restart: always
|
|
profiles:
|
|
- m
|
|
environment:
|
|
- GF_SECURITY_ALLOW_EMBEDDING=true
|
|
- GF_SESSION_COOKIE_SAMESITE=none
|
|
- GF_SESSION_COOKIE_SECURE=true
|
|
- GF_AUTH_ANONYMOUS_ENABLED=true
|
|
- GF_AUTH_ANONYMOUS_ORG_ROLE=Admin
|
|
- GF_SERVER_HTTP_PORT=${GRAFANA_PORT}
|
|
volumes:
|
|
- ${DATA_DIR:-./}/components/grafana:/var/lib/grafana
|
|
network_mode: host
|
|
|
|
node-exporter:
|
|
image: ${NODE_EXPORTER_IMAGE}
|
|
container_name: node-exporter
|
|
restart: always
|
|
profiles:
|
|
- m
|
|
volumes:
|
|
- /proc:/host/proc:ro
|
|
- /sys:/host/sys:ro
|
|
- /:/rootfs:ro
|
|
command:
|
|
- "--path.procfs=/host/proc"
|
|
- "--path.sysfs=/host/sys"
|
|
- "--path.rootfs=/rootfs"
|
|
- "--web.listen-address=:19100"
|
|
network_mode: host
|