
compose_install_safeline

脚本

Docker Compose 部署雷池 SafeLine WAF 安全防护

compose_install_safeline

Docker Compose 部署雷池 SafeLine WAF 安全防护

一键脚本

bash <(curl -sL gitee.com/meimolihan/linux-command_sh/raw/master/compose_install_safeline.sh) 9443 /vol1/1000/compose/safeline
传参方式 命令示例 说明
不传参(交互式) 脚本.sh 正常进入交互式流程
先目录,后端口 脚本.sh /vol1/1000/compose/safeline 9443 同时传入目录和端口
先端口,后目录 脚本.sh 8080 /vol1/1000/compose/safeline 同时传入端口和目录
只传目录 脚本.sh /vol1/1000/compose/safeline 仅传入目录参数
只传端口 脚本.sh 9443 仅传入端口参数

项目简介

雷池 SafeLine WAF 是一款由长亭科技开发的社区版 Web 应用防火墙,基于反向代理架构,提供全方位 Web 安全防护。它能够有效防御 SQL 注入、XSS 跨站脚本、命令执行、文件包含、恶意爬虫等多种 Web 攻击,具备高性能、易部署、可视化等优势。

首次部署后,执行 docker exec safeline-mgt resetadmin 查看管理员密码

效果预览

执行脚本效果预览

WEB效果预览

补充说明

该脚本用于一键部署雷池 SafeLine WAF 社区版安全防护系统,基于 Docker Compose 实现,采用多容器微服务架构,适合为 Web 应用提供企业级安全防护。

功能特点

输出说明

脚本输出包含以下字段:

字段 说明
项目标题 显示部署的项目名称
Docker 环境检查 检查并自动安装 Docker/Docker Compose
部署目录 显示 Compose 文件存放路径(默认 /vol1/1000/compose/safeline)
管理端口 显示管理后台端口(默认 9443)
数据库密码 显示自动生成或用户输入的 PostgreSQL 密码
端口状态 检查并开放防火墙端口
容器清理 显示 7 个旧容器的清理结果
配置文件 显示 .env 和 docker-compose.yml 创建状态
镜像拉取 首次部署拉取约 2GB 镜像
容器启动 显示容器启动结果
容器状态 显示所有 safeline 容器的 ID、名称、状态等信息
访问地址 显示管理后台 HTTPS 访问 URL

系统架构

容器名称 服务角色 网络 IP 说明
safeline-pg PostgreSQL 数据库 172.23.0.2 持久化存储配置和日志数据
safeline-mgt 管理后台 172.23.0.4 Web 管理界面,端口 1443→9443
safeline-detector 检测引擎 172.23.0.5 流量检测和威胁分析
safeline-tengine 反向代理网关 host 模式 流量入口,处理所有 HTTP/HTTPS 请求
safeline-luigi 调度任务 172.23.0.7 定时任务和策略更新
safeline-fvm 威胁情报 172.23.0.8 文件威胁检测
safeline-chaos 数据处理 172.23.0.10 日志聚合和数据分析

注意事项

脚本源码

#!/bin/bash
# One-shot deployment of SafeLine WAF (community edition) with Docker Compose.
# Usage: compose_install_safeline.sh [PORT] [DIR]  (either order, both optional;
# whatever is missing is asked for interactively).
# -e is not enabled, so every step below has to check its own exit status.
set -uo pipefail

# ====================== [User-configurable defaults] edit every default parameter here ======================
# Title printed in the deployment banner.
DEFAULT_TITLE="雷池 SafeLine WAF 一键部署"

# Compose directory used when no directory argument is supplied.
DEFAULT_COMPOSE_DIR="/vol1/1000/compose/safeline"

# Management port used when no port argument is supplied.
DEFAULT_PORT="9443"

# Containers removed before (re)deploying: one per service in docker-compose.yml.
DEFAULT_CONTAINER_NAMES=(
    "safeline-pg"
    "safeline-mgt"
    "safeline-detector"
    "safeline-tengine"
    "safeline-luigi"
    "safeline-fvm"
    "safeline-chaos"
)
# ====================================================================================

#######################################
# Define the ANSI colour escape sequences used by all printing helpers and
# export them so child processes inherit the same palette.
# Globals:   gl_hui gl_hong gl_lv gl_huang gl_lan gl_bai gl_zi gl_bufan reset (written, exported)
#######################################
list_color_init() {
    local spec name
    # Each entry is name=<SGR parameters>; the value becomes ESC[<parameters>m.
    for spec in \
        "gl_hui=38;5;59"  "gl_hong=38;5;9"  "gl_lv=38;5;10"  "gl_huang=38;5;11" \
        "gl_lan=38;5;32"  "gl_bai=38;5;15"  "gl_zi=38;5;13"  "gl_bufan=38;5;14"; do
        name="${spec%%=*}"
        printf -v "$name" '\033[%sm' "${spec#*=}"
        export "$name"
    done
    export reset=$'\033[0m'
}
list_color_init

# Console log helpers: a coloured level tag followed by the joined arguments.
# '%b' keeps the backslash-escape handling of "echo -e" for the message text.
# log_error goes to stderr so it survives a redirected stdout.
log_info()  { printf '%b\n' "${gl_lan}[信息]${gl_bai} $*"; }
log_ok()    { printf '%b\n' "${gl_lv}[成功]${gl_bai} $*"; }
log_warn()  { printf '%b\n' "${gl_huang}[警告]${gl_bai} $*"; }
log_error() { printf '%b\n' "${gl_hong}[错误]${gl_bai} $*" >&2; }

#######################################
# Print a "done" line, wait for a single key press, then clear the screen.
# Globals:   gl_* colour codes (read)
#######################################
break_end() {
    printf '%s操作完成%s\n' "$gl_lv" "$gl_bai"
    # \c stops "echo -e" after the prompt so the cursor stays on this line.
    echo -e "${gl_bai}按任意键继续 ${gl_hong}.${gl_huang}.${gl_lv}.${gl_bai} \c"
    read -r -n 1 -s -p ""
    printf '\n'
    clear
}

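#######################################
# Sleep for a possibly fractional number of seconds. Falls back through
# perl / python3 / python when the local sleep(1) rejects decimals, and as a
# last resort rounds the value up to whole seconds.
# Arguments: $1 - non-negative duration in seconds, e.g. 0.5
# Returns:   0 after sleeping, 1 if the argument is not a plain number
#######################################
sleep_fractional() {
    local seconds="${1:-}"
    local number_re='^[0-9]*\.?[0-9]+$'
    # The value is handed to other interpreters below, so only digits and at
    # most one dot are accepted.
    if [[ ! "$seconds" =~ $number_re ]]; then
        return 1
    fi
    if sleep "$seconds" 2>/dev/null; then
        return 0
    fi
    # Pass the value as an argument rather than interpolating it into code.
    if command -v perl >/dev/null 2>&1; then
        perl -e 'select(undef, undef, undef, $ARGV[0])' "$seconds"
        return 0
    fi
    local py
    for py in python3 python; do
        if command -v "$py" >/dev/null 2>&1; then
            "$py" -c 'import sys, time; time.sleep(float(sys.argv[1]))' "$seconds"
            return 0
        fi
    done
    # sleep(1) here only takes integers: round up (declaration and command
    # substitution are split so a failing awk is not masked by "local").
    local int_seconds
    int_seconds=$(awk -v s="$seconds" 'BEGIN {print int(s + 0.999)}')
    sleep "$int_seconds"
}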

#######################################
# Show a short animated "exiting" prompt (about 1.1 s) and clear the screen.
# Globals:   gl_* colour codes (read)
#######################################
exit_animation() {
    local dots="${gl_hong}.${gl_huang}.${gl_lv}.${gl_bai}"
    echo -ne "${gl_lv}即将退出 ${dots}\c"
    sleep_fractional 0.5
    echo -ne "${dots}\c"
    sleep_fractional 0.6
    printf '\n'
    clear
}

#######################################
# Say goodbye with a short animation, clear the screen and exit 0.
# Never returns to the caller.
# Globals:   gl_* colour codes (read)
#######################################
exit_script() {
    local dots="${gl_hong}.${gl_huang}.${gl_lv}.${gl_bai}"
    printf '\n'
    echo -ne "${gl_hong}感谢使用,再见! ${dots}\c"
    sleep_fractional 0.5
    echo -ne "${dots}\c"
    sleep_fractional 0.6
    clear
    exit 0
}

#######################################
# Filter stdin through "column -t" (tab separated) when column(1) exists,
# otherwise pass it through unchanged.
#######################################
column_if_available() {
    local -a aligner=(cat)
    if command -v column >/dev/null 2>&1; then
        aligner=(column -t -s $'\t')
    fi
    "${aligner[@]}"
}

#######################################
# Clear the screen and verify the script runs as root; otherwise print a
# hint, wait for a key press and fail.
# Globals:   EUID, gl_* colour codes (read)
# Returns:   0 when running as root, 1 otherwise
#######################################
root_use() {
    clear
    [ "$EUID" -eq 0 ] && return 0
    local rule="${gl_bufan}————————————————————————————————————————————————${gl_bai}"
    echo -e "\n${gl_zi}>>> ROOT登录检查 ${gl_hong}.${gl_huang}.${gl_lv}.${gl_bai}"
    echo -e "$rule"
    echo -e "${gl_huang}提示: ${gl_bai}该功能需要root用户才能运行!"
    echo -e "$rule"
    break_end
    return 1
}

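#######################################
# Run one rule-persistence command in the background with a hard time limit
# so a hung save step can never block the deployment.
# Arguments: $@ - command and its arguments
# Returns:   0 if the command exited 0, 124 if it was stopped for taking too
#            long, otherwise the command's own non-zero status
#######################################
_run_save_with_timeout() {
    (
        timeout 5 "$@" >/dev/null 2>&1
    ) &
    local save_pid=$!
    local waited=0
    while kill -0 "$save_pid" 2>/dev/null && [ "$waited" -lt 6 ]; do
        sleep 1
        waited=$((waited + 1))
    done
    if kill -0 "$save_pid" 2>/dev/null; then
        # TERM first; escalate to KILL only if the process ignores it.
        kill -TERM "$save_pid" 2>/dev/null
        sleep 1
        kill -0 "$save_pid" 2>/dev/null && kill -KILL "$save_pid" 2>/dev/null
        wait "$save_pid" 2>/dev/null
        return 124
    fi
    wait "$save_pid" 2>/dev/null
}

#######################################
# Make the management port reachable through the host firewall: insert an
# INPUT ACCEPT rule for it when none exists, then try to persist the rule
# set (iptables-save file, netfilter-persistent, "service iptables save").
# Globals:   gl_* colour codes (read)
# Arguments: $1 - TCP port number (1-65535)
# Outputs:   progress via log_*; may write /etc/iptables/rules.v4 and rules.v6
# Returns:   0 when the port is open, 1 on a missing or invalid port
#######################################
check_and_open_port() {
    local PORT="${1:-}"
    if [[ -z "$PORT" ]]; then
        log_error "未指定端口"
        return 1
    fi
    # The value is spliced into iptables arguments: accept only a port number.
    if [[ ! "$PORT" =~ ^[0-9]+$ ]] || (( 10#$PORT < 1 || 10#$PORT > 65535 )); then
        log_error "端口无效: ${PORT}"
        return 1
    fi

    log_info "检查端口 ${gl_huang}${PORT}${gl_bai} 是否放行 ${gl_hong}.${gl_huang}.${gl_lv}.${gl_bai}"

    # -C tests for the exact ACCEPT rule this function inserts. Merely finding
    # "dpt:PORT" in the chain is not enough: that also matches a DROP/REJECT
    # rule for the same port.
    if iptables -C INPUT -p tcp --dport "${PORT}" -j ACCEPT 2>/dev/null; then
        log_ok "端口 ${PORT} 已放行,无需操作"
        return 0
    fi

    log_warn "端口 ${gl_hong}${PORT}${gl_bai} 未放行,正在开放 ${gl_hong}.${gl_huang}.${gl_lv}.${gl_bai}"

    # docker-compose.yml publishes the management UI as ${MGT_PORT}:1443 (TCP
    # only), so no UDP rule is added for this port.
    iptables -I INPUT -p tcp --dport "${PORT}" -j ACCEPT 2>/dev/null

    log_info "保存防火墙规则 ${gl_hong}.${gl_huang}.${gl_lv}.${gl_bai}"

    # Method 1: dump the rule set to a file (most reliable, never hangs).
    local SAVED=0
    if command -v iptables-save >/dev/null 2>&1; then
        mkdir -p /etc/iptables 2>/dev/null
        if iptables-save > /etc/iptables/rules.v4 2>/dev/null; then
            log_ok "IPv4 规则已保存到 /etc/iptables/rules.v4"
            SAVED=1
        fi
        if command -v ip6tables-save >/dev/null 2>&1; then
            ip6tables-save > /etc/iptables/rules.v6 2>/dev/null
        fi
    fi

    # Method 2: netfilter-persistent, bounded so it cannot hang the script.
    local rc
    if command -v netfilter-persistent >/dev/null 2>&1; then
        log_info "尝试 netfilter-persistent 保存..."
        rc=0
        _run_save_with_timeout netfilter-persistent save || rc=$?
        case "$rc" in
            0)   log_ok "netfilter-persistent 保存成功"; SAVED=1 ;;
            124) log_warn "netfilter-persistent 保存超时,已跳过" ;;
        esac
    fi

    # Method 3: legacy "service iptables save", bounded the same way.
    if [ "$SAVED" -eq 0 ] && command -v service >/dev/null 2>&1; then
        if service iptables status >/dev/null 2>&1; then
            log_info "尝试 service iptables save..."
            rc=0
            _run_save_with_timeout service iptables save || rc=$?
            case "$rc" in
                0)   log_ok "service iptables save 成功"; SAVED=1 ;;
                124) log_warn "service iptables save 超时" ;;
            esac
        fi
    fi

    # Method 4: no persistence service, but the rules.v4 dump exists; tell the
    # user how to restore it by hand.
    if [ "$SAVED" -eq 0 ] && command -v iptables-save >/dev/null 2>&1 && [ -f /etc/iptables/rules.v4 ]; then
        log_info "iptables 规则已通过文件备份: /etc/iptables/rules.v4"
        log_info "重启后如需恢复规则,可执行: iptables-restore < /etc/iptables/rules.v4"
        SAVED=1
    fi

    if [ "$SAVED" -eq 0 ]; then
        log_warn "无法自动持久化保存规则,但端口已临时开放"
        log_info "如需永久保存,请手动执行: iptables-save > /etc/iptables/rules.v4"
    fi

    log_ok "端口 ${gl_lv}${PORT}${gl_bai} 已开放"
}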


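#######################################
# Report whether a port is free on this host, using ss(8) and netstat(8)
# when they exist.
# Arguments: $1 - port number
# Returns:   0 if no listener is found (also when neither tool is installed),
#            1 if the port is in use or the argument is not a port number
#######################################
check_port_available() {
    local PORT="${1:-}"
    # A non-numeric value must not reach the grep pattern.
    [[ "$PORT" =~ ^[0-9]+$ ]] || return 1
    # ":PORT" must be followed by a blank or the end of the line, so that a
    # listener on 94430 does not count as 9443 even as the last column.
    local pattern=":${PORT}([[:space:]]|$)"
    if command -v ss >/dev/null 2>&1; then
        if ss -tuln 2>/dev/null | grep -qE -- "$pattern"; then
            return 1
        fi
    fi
    if command -v netstat >/dev/null 2>&1; then
        if netstat -tuln 2>/dev/null | grep -qE -- "$pattern"; then
            return 1
        fi
    fi
    return 0
}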

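#######################################
# Find the first free port in [start_port, start_port + 100].
# Arguments: $1 - port number to start scanning from
# Outputs:   the free port on stdout, or an empty line when none was found
# Returns:   0 when a port was found, 1 otherwise (including a non-numeric start)
#######################################
get_free_port() {
    local start_port="${1:-}"
    if [[ ! "$start_port" =~ ^[0-9]+$ ]]; then
        echo ""
        return 1
    fi
    local port=$start_port
    local limit=$((start_port + 100))
    while ! check_port_available "$port"; do
        port=$((port + 1))
        if [ "$port" -gt "$limit" ]; then
            echo ""
            return 1
        fi
    done
    echo "$port"
}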
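#######################################
# Print a "docker ps" table with Chinese headers and relative times, one
# colour per column, aligned with column(1) when it is available.
# Globals:   gl_* colour codes and reset (read)
# Arguments: $1 - optional name filter for "docker ps --filter name=..."
# Outputs:   the table on stdout
#######################################
docker-ps-cn() {
    {
        # "${1:-}" keeps a missing argument from tripping "set -u".
        local filter_name="${1:-}"
        # Keep the filter as an array so the value is passed as one argument
        # even if it contains spaces.
        local -a docker_filter=()
        if [ -n "$filter_name" ]; then
            docker_filter=(--filter "name=${filter_name}")
        fi

        printf "%s%s\t%s\t%s\t%s\t%s\t%s%s\n" "$gl_hui" "容器ID" "名称" "状态" "端口" "创建时间" "镜像" "$reset"
        printf "%s%s\t%s\t%s\t%s\t%s\t%s%s\n" "$gl_hui" "----------" "----------" "----------" "----------" "----------" "----------" "$reset"

        # The ${arr[@]+"${arr[@]}"} form expands to nothing for an empty array
        # without an "unbound variable" error on bash releases before 4.4.
        docker ps ${docker_filter[@]+"${docker_filter[@]}"} --format "{{.ID}}\t{{.Names}}\t{{.Status}}\t{{.Ports}}\t{{.RunningFor}}\t{{.Image}}" | \
        awk -v green="$gl_lv" -v yellow="$gl_huang" -v cyan="$gl_bufan" -v blue="$gl_lan" -v white="$gl_bai" -v reset="$reset" -v gl_bai="$gl_bai" '
        BEGIN {FS="\t"; OFS="\t"}
        {
            id = substr($1, 1, 12)
            name = $2
            status = $3
            ports = $4
            time = $5
            image = $6

            gsub(/ years ago/, "年前", time)
            gsub(/ year ago/, "年前", time)
            gsub(/ months ago/, "个月前", time)
            gsub(/ month ago/, "个月前", time)
            gsub(/ weeks ago/, "周前", time)
            gsub(/ week ago/, "周前", time)
            gsub(/ days ago/, "天前", time)
            gsub(/ day ago/, "天前", time)
            gsub(/ hours ago/, "小时前", time)
            gsub(/ hour ago/, "小时前", time)
            gsub(/ minutes ago/, "分钟前", time)
            gsub(/ minute ago/, "分钟前", time)
            gsub(/ seconds ago/, "秒前", time)
            gsub(/ second ago/, "秒前", time)
            gsub(/About /, "", time)

            print cyan id reset, green name reset, yellow status reset, blue ports reset, white time reset, gl_bai image reset
        }'
    } | column_if_available
}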

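#######################################
# Return 0 when either the standalone docker-compose binary or the
# "docker compose" plugin is usable; deploy_app falls back between the two.
#######################################
_compose_available() {
    command -v docker-compose &>/dev/null || docker compose version &>/dev/null
}

#######################################
# Ensure Docker and a Compose implementation are installed, running the
# project's installer scripts when they are missing. Exits 1 when an install
# does not produce a working command.
# Globals:   gl_* colour codes (read)
# Outputs:   progress via log_*
#######################################
docker_check_env() {
    # Explicit https:// so curl cannot default to plain HTTP for code that is
    # then executed as root; -f keeps an HTTP error page from being fed to
    # bash. The downloaded script is still run unverified, as before.
    local base_url="https://gitee.com/meimolihan/linux-command_sh/raw/master"
    local rule="${gl_bufan}————————————————————————————————————————————————${gl_bai}"

    if ! command -v docker &>/dev/null; then
        log_info "正在检查 Docker 运行环境 ${gl_hong}.${gl_huang}.${gl_lv}.${gl_bai}"
        log_warn "Docker 未安装,即将自动安装 Docker 环境 ${gl_hong}.${gl_huang}.${gl_lv}.${gl_bai}"
        echo -e "$rule"
        bash <(curl -fsSL "${base_url}/linux_install_docker.sh")

        if ! command -v docker &>/dev/null; then
            log_error "Docker 安装失败,请手动安装后重试!"
            sleep 1
            exit 1
        fi
        log_ok "Docker 安装成功!"
    fi

    # Hosts that ship only the compose plugin no longer trigger an install.
    if ! _compose_available; then
        echo -e ""
        log_info "正在检查 Docker Compose 环境 ${gl_hong}.${gl_huang}.${gl_lv}.${gl_bai}"
        log_warn "Docker Compose 未安装,即将自动安装 ${gl_hong}.${gl_huang}.${gl_lv}.${gl_bai}"
        echo -e "$rule"
        bash <(curl -fsSL "${base_url}/linux_install_compose.sh")

        if ! _compose_available; then
            log_error "Docker Compose 安装失败,请手动安装后重试!"
            sleep 1
            exit 1
        fi
        log_ok "Docker Compose 安装成功!"
    fi
}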

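#######################################
# Return 0 when a container with exactly the given name exists in any state.
# Arguments: $1 - container name
#######################################
_container_exists() {
    docker ps -a --filter "name=^/${1}$" --format "{{.Names}}" 2>/dev/null | grep -qx -- "$1"
}

#######################################
# Remove the named containers and every image whose repository name contains
# one of those names, then prune unused Docker resources.
# NOTE: the prune steps are host-wide, not SafeLine-specific: "docker system
# prune -a -f --volumes" deletes every stopped container, unused image,
# unused network and unused volume on the machine.
# Globals:   gl_* colour codes (read)
# Arguments: $@ - container names to remove
# Outputs:   progress via log_*
# Returns:   0 after cleanup, 1 when no names were given
#######################################
clean_old_container() {
    if [ $# -eq 0 ]; then
        log_warn "未传入任何容器名称参数,跳过清理"
        return 1
    fi

    local targets=("$@")
    local rule="${gl_bufan}————————————————————————————————————————————————${gl_bai}"

    echo -e ""
    echo -e "${gl_huang}>>> 清理容器与相关镜像(目标:${targets[*]}${gl_bai}"
    echo -e "$rule"

    local container_name
    for container_name in "${targets[@]}"; do
        if _container_exists "$container_name"; then
            log_info "检测到容器 ${gl_huang}${container_name}${gl_bai},正在停止并删除 ${gl_hong}.${gl_huang}.${gl_lv}.${gl_bai}"
            docker rm -f "${container_name}" >/dev/null 2>&1
            log_ok "容器 ${container_name} 清理完成"
        else
            log_ok "容器 ${container_name} 不存在,跳过"
        fi
    done

    log_info "开始模糊清理相关镜像(关键词:${targets[*]}${gl_hong}.${gl_huang}.${gl_lv}.${gl_bai}"
    # Match the keywords against repository names, not image IDs: the earlier
    # "grep -f" compared "-i <name>" lines with hex IDs and never matched.
    local image_ids
    image_ids=$(docker images --format '{{.Repository}}\t{{.ID}}' 2>/dev/null \
        | grep -F -f <(printf '%s\n' "${targets[@]}") \
        | awk -F'\t' '{print $2}' | sort -u)
    if [ -n "$image_ids" ]; then
        printf '%s\n' "$image_ids" | xargs docker rmi -f >/dev/null 2>&1
        log_ok "相关镜像已全部删除"
    else
        log_ok "未找到相关镜像"
    fi

    log_info "清理悬空镜像与未使用镜像 ${gl_hong}.${gl_huang}.${gl_lv}.${gl_bai}"
    docker image prune -a -f >/dev/null 2>&1
    log_ok "未使用镜像清理完成"

    # Host-wide: see the NOTE in the header. Unrelated stacks lose their
    # unused images/volumes here as well.
    log_info "清理Docker无用资源(容器/网络/卷/构建缓存) ${gl_hong}.${gl_huang}.${gl_lv}.${gl_bai}"
    docker system prune -a -f --volumes >/dev/null 2>&1
    docker builder prune -af >/dev/null 2>&1
    log_ok "Docker系统资源清理完成"

    log_info "验证清理结果 ${gl_hong}.${gl_huang}.${gl_lv}.${gl_bai}"
    local remain=0
    local name
    for name in "${targets[@]}"; do
        _container_exists "$name" && remain=$((remain + 1))
    done

    if [ "$remain" -eq 0 ]; then
        log_ok "所有指定容器、镜像、残留资源已彻底清理,无名称冲突"
    else
        log_warn "仍有 ${gl_huang}${remain}${gl_bai} 个相关容器未清理,请手动检查"
    fi
}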

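#######################################
# Print a 16-character alphanumeric password (no trailing newline).
# Outputs:   the password on stdout
# Returns:   0 on success; 1 only when every random source failed, in which
#            case a predictable time-based value is printed instead
#######################################
generate_password() {
    local pw
    # LC_ALL=C makes the tr ranges byte-wise regardless of locale.
    # Success is judged by the captured length, not by "$?": with
    # "set -o pipefail" tr typically exits 141 (SIGPIPE) once head has its
    # 16 bytes, so the original appended the fallback to a good password.
    pw=$(LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom 2>/dev/null | head -c 16)
    if [ "${#pw}" -eq 16 ]; then
        printf '%s' "$pw"
        return 0
    fi
    # Second source: the kernel UUID generator (hex digits, also unpredictable).
    if [ -r /proc/sys/kernel/random/uuid ]; then
        pw=$(tr -d '-' < /proc/sys/kernel/random/uuid 2>/dev/null | head -c 16)
        if [ "${#pw}" -eq 16 ]; then
            printf '%s' "$pw"
            return 0
        fi
    fi
    # Last resort, predictable: the caller prints the value so it can be replaced.
    printf 'SafeLine%s' "$(date +%s)"
    return 1
}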

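#######################################
# Write the Compose .env file in the current directory with owner-only
# permissions, since it carries the database password.
# Arguments: $1 - deployment directory, $2 - management port, $3 - PostgreSQL password
# Returns:   0 when .env exists afterwards, 1 otherwise
#######################################
_write_env_file() {
    local COMPOSE_DIR="$1" HOST_PORT="$2" POSTGRES_PASSWORD="$3"
    # umask in a subshell creates the file 0600 from the start; the chmod
    # covers a pre-existing .env, whose mode umask would not change.
    (
        umask 077
        cat > .env << EOF
SAFELINE_DIR=${COMPOSE_DIR}
IMAGE_TAG=latest
MGT_PORT=${HOST_PORT}
POSTGRES_PASSWORD=${POSTGRES_PASSWORD}
SUBNET_PREFIX=172.23.0
IMAGE_PREFIX=swr.cn-east-3.myhuaweicloud.com/chaitin-safeline
ARCH_SUFFIX=
RELEASE=
REGION=
MGT_PROXY=0
EOF
    ) && chmod 600 .env
    [ -f ".env" ]
}

#######################################
# Write docker-compose.yml in the current directory. The heredoc is quoted,
# so the ${...} references stay literal and are resolved by Compose from .env.
# Returns:   0 when docker-compose.yml exists afterwards, 1 otherwise
#######################################
_write_compose_file() {
    cat > docker-compose.yml << 'DOCKER_COMPOSE_EOF'
networks:
   safeline-ce:
      name: safeline-ce
      driver: bridge
      ipam:
         driver: default
         config:
            - gateway: ${SUBNET_PREFIX}.1
              subnet: ${SUBNET_PREFIX}.0/24
      driver_opts:
         com.docker.network.bridge.name: safeline-ce
services:
   postgres:
      container_name: safeline-pg
      restart: always
      image: ${IMAGE_PREFIX}/safeline-postgres${ARCH_SUFFIX}:15.2
      volumes:
         - ${SAFELINE_DIR}/resources/postgres/data:/var/lib/postgresql/data
         - /etc/localtime:/etc/localtime:ro
      environment:
         - POSTGRES_USER=safeline-ce
         - POSTGRES_PASSWORD=${POSTGRES_PASSWORD}
      networks:
         safeline-ce:
            ipv4_address: ${SUBNET_PREFIX}.2
      command:
         - postgres
         - -c
         - max_connections=600
      healthcheck:
         test: pg_isready -U safeline-ce -d safeline-ce
   mgt:
      container_name: safeline-mgt
      restart: always
      image: ${IMAGE_PREFIX}/safeline-mgt${REGION}${ARCH_SUFFIX}:${IMAGE_TAG}
      volumes:
         - /etc/localtime:/etc/localtime:ro
         - ${SAFELINE_DIR}/resources/mgt:/app/data
         - ${SAFELINE_DIR}/logs/nginx:/app/log/nginx:z
         - ${SAFELINE_DIR}/resources/sock:/app/sock
         - /var/run:/app/run
      ports:
         - ${MGT_PORT}:1443
      healthcheck:
         test: curl -k -f https://localhost:1443/api/open/health
      environment:
         - MGT_PG=postgres://safeline-ce:${POSTGRES_PASSWORD}@safeline-pg/safeline-ce?sslmode=disable
         - MGT_PROXY=${MGT_PROXY}
      depends_on:
         - postgres
         - fvm
      logging:
         driver: json-file
         options:
            max-size: 100m
            max-file: "5"
      networks:
         safeline-ce:
            ipv4_address: ${SUBNET_PREFIX}.4
   detect:
      container_name: safeline-detector
      restart: always
      image: ${IMAGE_PREFIX}/safeline-detector${REGION}${ARCH_SUFFIX}:${IMAGE_TAG}
      volumes:
         - ${SAFELINE_DIR}/resources/detector:/resources/detector
         - ${SAFELINE_DIR}/logs/detector:/logs/detector
         - /etc/localtime:/etc/localtime:ro
      environment:
         - LOG_DIR=/logs/detector
      networks:
         safeline-ce:
            ipv4_address: ${SUBNET_PREFIX}.5
   tengine:
      container_name: safeline-tengine
      restart: always
      image: ${IMAGE_PREFIX}/safeline-tengine${REGION}${ARCH_SUFFIX}:${IMAGE_TAG}
      volumes:
         - /etc/localtime:/etc/localtime:ro
         - /etc/resolv.conf:/etc/resolv.conf:ro
         - ${SAFELINE_DIR}/resources/nginx:/etc/nginx
         - ${SAFELINE_DIR}/resources/detector:/resources/detector
         - ${SAFELINE_DIR}/resources/chaos:/resources/chaos
         - ${SAFELINE_DIR}/logs/nginx:/var/log/nginx:z
         - ${SAFELINE_DIR}/resources/cache:/usr/local/nginx/cache
         - ${SAFELINE_DIR}/resources/sock:/app/sock
      environment:
         - TCD_MGT_API=https://${SUBNET_PREFIX}.4:1443/api/open/publish/server
         - TCD_SNSERVER=${SUBNET_PREFIX}.5:8000
         - SNSERVER_ADDR=${SUBNET_PREFIX}.5:8000
         - CHAOS_ADDR=${SUBNET_PREFIX}.10
      ulimits:
         nofile: 131072
      network_mode: host
   luigi:
      container_name: safeline-luigi
      restart: always
      image: ${IMAGE_PREFIX}/safeline-luigi${REGION}${ARCH_SUFFIX}:${IMAGE_TAG}
      environment:
         - MGT_IP=${SUBNET_PREFIX}.4
         - LUIGI_PG=postgres://safeline-ce:${POSTGRES_PASSWORD}@safeline-pg/safeline-ce?sslmode=disable
      volumes:
         - /etc/localtime:/etc/localtime:ro
         - ${SAFELINE_DIR}/resources/luigi:/app/data
      logging:
         driver: json-file
         options:
            max-size: 100m
            max-file: "5"
      depends_on:
         - detect
         - mgt
      networks:
         safeline-ce:
            ipv4_address: ${SUBNET_PREFIX}.7
   fvm:
      container_name: safeline-fvm
      restart: always
      image: ${IMAGE_PREFIX}/safeline-fvm${REGION}${ARCH_SUFFIX}:${IMAGE_TAG}
      volumes:
         - /etc/localtime:/etc/localtime:ro
      logging:
         driver: json-file
         options:
            max-size: 100m
            max-file: "5"
      networks:
         safeline-ce:
            ipv4_address: ${SUBNET_PREFIX}.8
   chaos:
      container_name: safeline-chaos
      restart: always
      image: ${IMAGE_PREFIX}/safeline-chaos${REGION}${ARCH_SUFFIX}:${IMAGE_TAG}
      logging:
         driver: json-file
         options:
            max-size: 100m
            max-file: "10"
      environment:
         - DB_ADDR=postgres://safeline-ce:${POSTGRES_PASSWORD}@safeline-pg/safeline-ce?sslmode=disable
      volumes:
         - ${SAFELINE_DIR}/resources/sock:/app/sock
         - ${SAFELINE_DIR}/resources/chaos:/app/chaos
      networks:
         safeline-ce:
            ipv4_address: ${SUBNET_PREFIX}.10
DOCKER_COMPOSE_EOF
    [ -f "docker-compose.yml" ]
}

#######################################
# Deploy SafeLine WAF with Docker Compose, driven by arguments or prompts.
# Globals:   DEFAULT_TITLE, DEFAULT_COMPOSE_DIR, DEFAULT_PORT,
#            DEFAULT_CONTAINER_NAMES, gl_* colour codes (read)
# Arguments: up to two values in any order: a numeric management port and a
#            deployment directory; whatever is missing is prompted for
# Outputs:   progress on stdout; writes .env and docker-compose.yml into the
#            deployment directory and starts the containers
# Returns:   0 on success, 1 on any failed step; exits 0 when the user enters 0
#######################################
deploy_app() {
    local COMPOSE_DIR=""
    local HOST_PORT=""
    local rule="${gl_bufan}————————————————————————————————————————————————${gl_bai}"

    root_use || return 1
    clear
    echo -e "${gl_zi}>>> ${DEFAULT_TITLE}${gl_bai}"
    echo -e "$rule"

    docker_check_env

    # Numeric arguments are the port, anything else is the directory.
    local arg
    for arg in "$@"; do
        if [[ "$arg" =~ ^[0-9]+$ ]]; then
            HOST_PORT="$arg"
        else
            COMPOSE_DIR="$arg"
        fi
    done

    if [ -z "${COMPOSE_DIR}" ]; then
        local input_dir
        read -r -e -p "${gl_bai}请输入 docker-compose 存放路径(回车默认:${gl_huang}${DEFAULT_COMPOSE_DIR}${gl_bai})(${gl_hong}0${gl_bai} 退出安装):" input_dir
        COMPOSE_DIR=${input_dir:-$DEFAULT_COMPOSE_DIR}
    else
        log_info "已通过传参指定部署目录:${gl_huang}${COMPOSE_DIR}${gl_bai}"
    fi

    if [ "$COMPOSE_DIR" = "0" ]; then
        exit_script
        return 1
    fi

    log_info "部署目录:${gl_huang}${COMPOSE_DIR}${gl_bai}"
    mkdir -p "${COMPOSE_DIR}" || { log_error "目录创建失败"; break_end; return 1; }
    cd "${COMPOSE_DIR}" || { log_error "进入目录失败"; break_end; return 1; }
    # Store the absolute path: it goes into .env and the bind mounts use it.
    COMPOSE_DIR=$PWD

    if [ -z "${HOST_PORT}" ]; then
        local input_port
        read -r -e -p "${gl_bai}请输入管理端口(回车默认:${gl_huang}${DEFAULT_PORT}${gl_bai})(${gl_hong}0${gl_bai} 退出安装):" input_port
        HOST_PORT=${input_port:-$DEFAULT_PORT}
    else
        log_info "已通过传参指定端口:${gl_lv}${HOST_PORT}${gl_bai}"
    fi

    # exit_script never returns (it exits 0). The "rm -rf COMPOSE_DIR" that
    # used to follow it was unreachable, and had it ever run it would have
    # deleted a pre-existing deployment directory, so it is gone.
    if [ "$HOST_PORT" = "0" ]; then
        exit_script
        return 1
    fi

    # Interactive input is not pre-filtered like argv: reject anything that is
    # not a port number before it reaches the port/firewall helpers.
    if [[ ! "$HOST_PORT" =~ ^[0-9]+$ ]] || (( 10#$HOST_PORT < 1 || 10#$HOST_PORT > 65535 )); then
        log_error "端口无效:${HOST_PORT}"
        break_end
        return 1
    fi

    log_info "使用管理端口:${gl_lv}${HOST_PORT}${gl_bai}"

    local POSTGRES_PASSWORD=""
    local input_pwd
    read -r -e -p "${gl_bai}请输入数据库密码(回车自动生成 16 位随机密码):" input_pwd
    if [ -z "$input_pwd" ]; then
        POSTGRES_PASSWORD=$(generate_password)
        log_info "已自动生成密码:${gl_huang}${POSTGRES_PASSWORD}${gl_bai}"
    else
        POSTGRES_PASSWORD="$input_pwd"
    fi

    if ! check_port_available "$HOST_PORT"; then
        log_warn "端口 ${gl_hong}${HOST_PORT}${gl_bai} 已被占用"
        local NEW_PORT
        NEW_PORT=$(get_free_port $((10#$HOST_PORT + 1)))
        if [ -n "$NEW_PORT" ]; then
            log_info "自动分配新端口:${gl_lv}${NEW_PORT}${gl_bai}"
            HOST_PORT=$NEW_PORT
        else
            log_error "无法找到可用端口,请手动指定"
            break_end
            return 1
        fi
    fi

    check_and_open_port "${HOST_PORT}"
    clean_old_container "${DEFAULT_CONTAINER_NAMES[@]}"

    echo -e ""
    echo -e "${gl_huang}>>> 生成 ${gl_lv}.env${gl_huang} 环境变量配置文件 ${gl_hong}.${gl_huang}.${gl_lv}.${gl_bai}"
    echo -e "$rule"
    if _write_env_file "$COMPOSE_DIR" "$HOST_PORT" "$POSTGRES_PASSWORD"; then
        log_ok ".env 环境变量文件创建成功"
    else
        log_error ".env 文件创建失败"
        break_end
        return 1
    fi

    echo -e ""
    echo -e "${gl_huang}>>> 生成 ${gl_lv}docker-compose.yml${gl_huang} 配置文件 ${gl_hong}.${gl_huang}.${gl_lv}.${gl_bai}"
    echo -e "$rule"
    if _write_compose_file; then
        log_ok "docker-compose.yml 配置文件创建成功"
    else
        log_error "docker-compose.yml 创建失败"
        break_end
        return 1
    fi

    echo -e ""
    echo -e "${gl_huang}>>> 拉取镜像(首次部署需下载约 2GB 镜像) ${gl_hong}.${gl_huang}.${gl_lv}.${gl_bai}"
    echo -e "$rule"
    log_info "开始拉取镜像,请耐心等待 ${gl_hong}.${gl_huang}.${gl_lv}.${gl_bai}"
    docker-compose pull 2>/dev/null || docker compose pull 2>/dev/null || log_warn "镜像拉取可能出现异常,继续尝试启动"

    echo -e ""
    echo -e "${gl_huang}>>> 尝试启动容器 ${gl_hong}.${gl_huang}.${gl_lv}.${gl_bai}"
    echo -e "$rule"
    if docker-compose up -d; then
        log_ok "容器启动成功"
    else
        log_warn "docker-compose 启动失败,尝试兼容版 docker compose ${gl_hong}.${gl_huang}.${gl_lv}.${gl_bai}"
        if docker compose up -d; then
            log_ok "容器启动成功"
        else
            log_error "容器启动失败"
            echo -e "$rule"
            break_end
            return 1
        fi
    fi

    echo -e ""
    echo -e "${gl_huang}>>> 容器运行状态${gl_bai}"
    echo -e "$rule"
    docker-ps-cn safeline
    echo -e "$rule"
    # hostname -I is Linux-only; fall back to localhost for the printed URL.
    local LOCAL_IP
    LOCAL_IP=$(hostname -I 2>/dev/null | awk '{print $1}')
    : "${LOCAL_IP:=localhost}"
    log_info "部署完成!"
    log_info "管理地址:${gl_lv}https://${LOCAL_IP}:${HOST_PORT}${gl_bai}"
    echo -e ""
    log_info "查看管理员密码(初始化后):"
    log_info "  ${gl_huang}docker exec safeline-mgt resetadmin${gl_bai}"
    log_info "部署目录:${gl_huang}${COMPOSE_DIR}${gl_bai}"
    echo -e ""
    log_warn "密码配置文件路径:${gl_huang}${COMPOSE_DIR}/.env${gl_bai}"
    log_warn "请妥善保管 ${gl_huang}POSTGRES_PASSWORD${gl_bai} 数据库密码!"
    echo -e "$rule"
    break_end
}

deploy_app "$@"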

一键完全卸载命令

# Stop and delete every SafeLine container, remove its network, then delete
# the deployment directory (adjust the path as needed).
docker rm -f \
    safeline-pg safeline-mgt safeline-detector safeline-tengine \
    safeline-luigi safeline-fvm safeline-chaos \
    && docker network rm safeline-ce \
    && rm -rf /vol1/1000/compose/safeline

创建本地脚本

# Write the script body into a local file, run it once, then delete it.
new_script="new_test.sh"

cat > "$new_script" << 'EOF'
#!/bin/bash

# 粘贴脚本源码

EOF

# To keep the local copy, drop the trailing rm -f "$new_script".
chmod +x "$new_script" \
    && ./"$new_script" \
    && rm -f "$new_script"

相关命令