Deploying NeuVector with Docker is suitable for simple testing or functional validation. This post records how to deploy and upgrade NeuVector in a Docker environment, together with the certificate-related caveats that apply when upgrading from a version earlier than v5.4.2.

Single-node deployment

For a single-node deployment, run the All-in-One container on one node and add Enforcer and Scanner containers as needed.
Deploying the All-in-One container

```bash
docker run -d --name allinone \
  --pid=host \
  --privileged \
  -e CLUSTER_JOIN_ADDR=172.16.16.142 \
  -e NV_PLATFORM_INFO=platform=Docker \
  -e CTRL_PERSIST_CONFIG=1 \
  -p 18300:18300 \
  -p 18301:18301 \
  -p 18400:18400 \
  -p 18401:18401 \
  -p 10443:10443 \
  -p 18301:18301/udp \
  -p 8443:8443 \
  -v /lib/modules:/lib/modules:ro \
  -v /var/neuvector:/var/neuvector \
  -v /var/run/docker.sock:/var/run/docker.sock:ro \
  -v /sys/fs/cgroup:/host/cgroup:ro \
  -v /proc:/host/proc:ro \
  neuvector/allinone:5.4.1
```

Deploying the Enforcer container

```bash
docker run -d --name enforcer \
  --pid=host \
  --privileged \
  -e CLUSTER_JOIN_ADDR=172.16.16.142 \
  -e NV_PLATFORM_INFO=platform=Docker \
  -p 18301:18301 \
  -p 18401:18401 \
  -p 18301:18301/udp \
  -v /lib/modules:/lib/modules:ro \
  -v /var/run/docker.sock:/var/run/docker.sock:ro \
  -v /sys/fs/cgroup:/host/cgroup:ro \
  -v /proc:/host/proc:ro \
  neuvector/enforcer:5.4.1
```

Deploying the Scanner container

```bash
docker run -td --name scanner \
  -e CLUSTER_JOIN_ADDR=172.16.16.142 \
  -e NV_PLATFORM_INFO=platform=Docker \
  -p 18402:18402 \
  -v /var/run/docker.sock:/var/run/docker.sock:ro \
  harbor.warnerchen.com/rancher/neuvector-scanner:6
```
High-availability deployment

For a high-availability deployment, run an All-in-One container on each of several nodes and list the addresses of all controller nodes in CLUSTER_JOIN_ADDR.

Deploying the All-in-One container

```bash
docker run -d --name allinone \
  --pid=host \
  --privileged \
  -e CLUSTER_JOIN_ADDR=172.16.16.141,172.16.16.142,172.16.16.143 \
  -e NV_PLATFORM_INFO=platform=Docker \
  -e CTRL_PERSIST_CONFIG=1 \
  -p 18300:18300 \
  -p 18301:18301 \
  -p 18400:18400 \
  -p 18401:18401 \
  -p 10443:10443 \
  -p 18301:18301/udp \
  -p 8443:8443 \
  -v /lib/modules:/lib/modules:ro \
  -v /var/neuvector:/var/neuvector \
  -v /var/run/docker.sock:/var/run/docker.sock:ro \
  -v /sys/fs/cgroup:/host/cgroup:ro \
  -v /proc:/host/proc:ro \
  neuvector/allinone:5.4.1
```

Deploying the Enforcer container

```bash
docker run -d --name enforcer \
  --pid=host \
  --privileged \
  -e CLUSTER_JOIN_ADDR=172.16.16.141,172.16.16.142,172.16.16.143 \
  -e NV_PLATFORM_INFO=platform=Docker \
  -p 18301:18301 \
  -p 18401:18401 \
  -p 18301:18301/udp \
  -v /lib/modules:/lib/modules:ro \
  -v /var/run/docker.sock:/var/run/docker.sock:ro \
  -v /sys/fs/cgroup:/host/cgroup:ro \
  -v /proc:/host/proc:ro \
  neuvector/enforcer:5.4.1
```

Deploying the Scanner container

```bash
docker run -td --name scanner \
  -e CLUSTER_JOIN_ADDR=172.16.16.141,172.16.16.142,172.16.16.143 \
  -e NV_PLATFORM_INFO=platform=Docker \
  -p 18402:18402 \
  -v /var/run/docker.sock:/var/run/docker.sock:ro \
  harbor.warnerchen.com/rancher/neuvector-scanner:6
```
Upgrading NeuVector

Before upgrading, stop and rename the old containers, then recreate them from the new image.

Upgrading the All-in-One container

```bash
# Keep the old container under a versioned name so it can be rolled back to
docker stop allinone
docker rename allinone allinone-5.2.1

docker run -d --name allinone \
  --pid=host \
  --privileged \
  -e CLUSTER_JOIN_ADDR=172.16.16.141,172.16.16.142,172.16.16.143 \
  -e NV_PLATFORM_INFO=platform=Docker \
  -e CTRL_PERSIST_CONFIG=1 \
  -p 18300:18300 \
  -p 18301:18301 \
  -p 18400:18400 \
  -p 18401:18401 \
  -p 10443:10443 \
  -p 18301:18301/udp \
  -p 8443:8443 \
  -v /lib/modules:/lib/modules:ro \
  -v /var/neuvector:/var/neuvector \
  -v /var/run/docker.sock:/var/run/docker.sock:ro \
  -v /sys/fs/cgroup:/host/cgroup:ro \
  -v /proc:/host/proc:ro \
  neuvector/allinone:5.4.1
```

Upgrading the Enforcer container

```bash
docker stop enforcer
docker rename enforcer enforcer-5.2.1

docker run -d --name enforcer \
  --pid=host \
  --privileged \
  -e CLUSTER_JOIN_ADDR=172.16.16.141,172.16.16.142,172.16.16.143 \
  -e NV_PLATFORM_INFO=platform=Docker \
  -p 18301:18301 \
  -p 18401:18401 \
  -p 18301:18301/udp \
  -v /lib/modules:/lib/modules:ro \
  -v /var/run/docker.sock:/var/run/docker.sock:ro \
  -v /sys/fs/cgroup:/host/cgroup:ro \
  -v /proc:/host/proc:ro \
  neuvector/enforcer:5.4.1
```
Notes when using v5.4.2 or later

NeuVector ships with certificates that encrypt traffic for the Manager (console/UI access), the Controller (REST API and internal communication), the Enforcer (internal communication) and the Scanner (internal communication).

Starting with v5.4.2, these certificates are no longer generated automatically by default: they must be prepared manually and mounted before deploying or upgrading.

Reference:
https://open-docs.neuvector.com/5.4/deploying/production/internal
Preparing the certificates

Create the ca.cfg file:

```bash
cat <<EOF > ca.cfg
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no

[req_distinguished_name]
C = US
ST = California
L = San Jose
O = NeuVector Inc.
OU = Neuvector
CN = Neuvector

[v3_req]
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = Neuvector
EOF
```
Generate the certificates and private keys:

```bash
# CA key and self-signed CA certificate (answer the interactive prompts)
openssl genrsa -out ca.key 2048
openssl req -x509 -sha256 -new -nodes -key ca.key -days 3650 -out ca.crt
...
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Guangdong
Locality Name (eg, city) []:Shenzhen
Organization Name (eg, company) [Internet Widgits Pty Ltd]:NeuVector Inc.
Organizational Unit Name (eg, section) []:NeuVector
Common Name (e.g. server FQDN or YOUR name) []:NeuVector
Email Address []:

# Server key and CSR built from ca.cfg; inspect the CSR before signing
openssl genrsa -out tls.key 2048
openssl req -new -key tls.key -sha256 -out cert.csr -config ca.cfg
openssl req -in cert.csr -noout -text

# Sign the CSR with the CA, copying the v3_req extensions into the certificate
openssl x509 -req -sha256 -in cert.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out tls.crt -days 3650 -extensions 'v3_req' -extfile ca.cfg
openssl x509 -in tls.crt -text
```
Resulting files:

```
ls -lh
-rw-r--r-- 1 root root  369 May 16 14:05 ca.cfg
-rw-r--r-- 1 root root 1.4K May 16 14:05 ca.crt
-rw------- 1 root root 1.7K May 16 14:05 ca.key
-rw-r--r-- 1 root root 1.1K May 16 14:05 cert.csr
-rw-r--r-- 1 root root 1.5K May 16 14:05 tls.crt
-rw------- 1 root root 1.7K May 16 14:05 tls.key
```
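The following pre-flight check is an added example and is not part of the original post or of NeuVector itself. It verifies, before anything is mounted, that tls.crt chains to ca.crt, that tls.key belongs to tls.crt, that the v3_req extensions from ca.cfg actually made it into the signed certificate, that the certificate is not about to expire, and that the key file keeps the 0600 mode shown in the listing above. It assumes openssl is on the PATH and the file names used in this post.

```bash
#!/bin/sh
# Added example, not part of the original post: pre-flight checks on the
# files produced above before they are mounted into the NeuVector containers.
# Assumes openssl is in PATH and the file names from the post (ca.crt, tls.crt, tls.key).

# check_nv_certs CA_CERT LEAF_CERT LEAF_KEY -> 0 if all checks pass, 1 otherwise
check_nv_certs() {
    ca="$1"; crt="$2"; key="$3"; rc=0
    for f in "$ca" "$crt" "$key"; do
        [ -r "$f" ] || { echo "FAIL: cannot read $f"; return 1; }
    done

    # 1. The leaf must chain to the CA that every container mounts as ca.cert.
    openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 \
        || { echo "FAIL: $crt is not signed by $ca"; rc=1; }

    # 2. The private key must belong to the certificate (compare public keys).
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null | openssl sha256)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
    [ "$crt_pub" = "$key_pub" ] || { echo "FAIL: $key does not match $crt"; rc=1; }

    # 3. The v3_req extensions from ca.cfg must have been copied into the signed cert
    #    (a CSR signed without -extensions/-extfile silently drops them).
    text=$(openssl x509 -in "$crt" -noout -text 2>/dev/null)
    for want in "TLS Web Server Authentication" "TLS Web Client Authentication" "DNS:Neuvector"; do
        printf '%s\n' "$text" | grep -q "$want" \
            || { echo "FAIL: $crt lacks extension value '$want'"; rc=1; }
    done

    # 4. Do not mount a certificate that expires within 30 days (2592000 s).
    openssl x509 -in "$crt" -noout -checkend 2592000 >/dev/null 2>&1 \
        || { echo "FAIL: $crt expires within 30 days"; rc=1; }

    # 5. The key must stay private (the listing above shows 0600); GNU stat first, BSD stat fallback.
    perm=$(stat -c %a "$key" 2>/dev/null || stat -f %Lp "$key" 2>/dev/null)
    case "$perm" in
        600|400) ;;
        *) echo "FAIL: $key has mode '$perm', expected 600"; rc=1 ;;
    esac
    return $rc
}

# Usage: check_nv_certs ca.crt tls.crt tls.key && echo "certificates OK"
```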
Mounting the internal-communication certificates

The deployment and upgrade steps are the same as above, but every NeuVector container (All-in-One, Enforcer and Scanner) additionally needs the internal-communication certificates mounted:

```bash
-v /<your_path>/ca.crt:/etc/neuvector/certs/internal/ca.cert
-v /<your_path>/tls.crt:/etc/neuvector/certs/internal/cert.pem
-v /<your_path>/tls.key:/etc/neuvector/certs/internal/cert.key
```

For example:

```bash
docker run -d --name allinone \
  ... \
  -v /<your_path>/ca.crt:/etc/neuvector/certs/internal/ca.cert \
  -v /<your_path>/tls.crt:/etc/neuvector/certs/internal/cert.pem \
  -v /<your_path>/tls.key:/etc/neuvector/certs/internal/cert.key \
  neuvector/allinone:5.4.9
```