From 0263b909e2179e071d5eca09bd937a9db113011d Mon Sep 17 00:00:00 2001
From: GitHub
Date: Sun, 5 Nov 2023 20:48:30 +0000
Subject: [PATCH] Auto deploy from GitHub Actions build 361 [0eb1aee] iBug: pve: Add vmbr numbering scheme, move pve-[24] to discontinued
---
 infrastructure/discontinued/index.html | 11 +++
 infrastructure/proxmox/pve/index.html | 89 +++++++++++++++++++------
 search/search_index.json | 2 +-
 sitemap.xml.gz | Bin 611 -> 611 bytes
 4 files changed, 79 insertions(+), 23 deletions(-)

diff --git a/infrastructure/discontinued/index.html b/infrastructure/discontinued/index.html
index a33f87b1..0e79b52b 100644
--- a/infrastructure/discontinued/index.html
+++ b/infrastructure/discontinued/index.html
@@ -2382,6 +2382,13 @@ vSphere 集群 + + +
  • + + pve-2, pve-4 + +
  • @@ -2412,6 +2419,10 @@

    SaltStackvSphere 集群

    我们从 2015 年(或更早)开始使用 vSphere 平台(ESXi + vCenter)运行虚拟机。由于 VMware 专有平台的复杂性难以维护,我们已于 2022 年 1 月全面迁移至开源的、基于 Debian GNU/Linux 的虚拟化平台 Proxmox VE。

    +

    pve-2, pve-4

    +

    pve-2 和 pve-4 也位于东图,是两台未知品牌、未知型号的旧机器,配置为 2× Xeon E5420 (Very old 4C4T, 2.50 GHz), 16 GB 内存(DDR2 667 MHz)和一块 16 GB 的 SanDisk SSD。该型号机器没有 IPMI

    +

    由于配置低下,我们手动安装了 Proxmox VE,没有使用 LVM,分配了 1 GB 的 swap,剩下全部给 rootfs。

    +

    机器的网卡有两个 1 Gbps 的接口,与 pve-6 相同,都接在同一个交换机上。
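
Review bot: The pve-2/pve-4 paragraphs added here were moved over unchanged, so "也位于东图" and "与 pve-6 相同" lose their antecedent: on this page the section visible just above is vSphere 集群, not pve-6. Reword both to stand alone (state the location directly, and name the pve-6 switch with a pointer to the PVE page). The vSphere section gives its retirement date ("2022 年 1 月"); this new section should likewise say when and why the two machines were taken out of service.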

    diff --git a/infrastructure/proxmox/pve/index.html b/infrastructure/proxmox/pve/index.html index 266898b9..b5054d20 100644 --- a/infrastructure/proxmox/pve/index.html +++ b/infrastructure/proxmox/pve/index.html @@ -731,6 +731,13 @@ 网络配置 + + +
  • + + 虚拟机网桥 + +
  • @@ -839,13 +846,6 @@ pve-6 -
  • - -
  • - - pve-2, pve-4 - -
  • @@ -2567,6 +2567,13 @@ 网络配置 + + +
  • + + 虚拟机网桥 + +
  • @@ -2675,13 +2682,6 @@ pve-6 -
  • - -
  • - - pve-2, pve-4 - -
  • @@ -2719,10 +2719,11 @@

    Proxmox Virtual Environment (PVE)
  • -

    pve-2, pve-4, pve-6 是几台较老的服务器,在改装前都运行 ESXi 6.0,因此主机名曾经分别是 esxi-2, esxi-4, esxi-6。

    +

    pve-6 是一台较老的服务器,在改装前运行 ESXi 6.0,因此主机名曾经是 esxi-6。

    -

    pve-1 和 pve-3 去哪了?

    +

    pve-1 到 pve-4 去哪了?

    esxi-1 和 esxi-3 已经坏掉很多年了,同批次 5 台机器已经坏掉了 3 台(另外一个是 vm-nfs,esxi-6 不属于该批次)。

    +

    pve-2 和 pve-4 由 esxi-2 和 esxi-4 改装而来,由于过于古老(2007 年),即使没坏,我们也将它们下架处理掉了。
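
Review bot: In the added answer line, "(2007 年)" does not say what the year refers to, and the visible text gives no pointer to where the pve-2/pve-4 hardware notes now live. This same commit moves that section to infrastructure/discontinued, so reference it here and spell out the year, for example as the year the machines were built or bought, whichever is meant.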

  • @@ -2747,7 +2748,55 @@

    网络配置
    echo "20.205.243.166 github.com" >> /etc/hosts
     ip route replace 20.205.243.166 via (?) dev (?)
     
    -

    其中 via 选择 gateway-el 或 gateway-nic 的内网地址,dev 选择桥接内网的 vmbr。

    +

    其中 via 选择 gateway-el 或 gateway-nic 的内网地址,dev 选择桥接内网的 vmbr(见下)。

    +

    虚拟机网桥

    +

    Proxmox VE 要求为虚拟机接入的网桥必须命名为 vmbrN,其中 N 是 0-4094 之间的整数。方便起见,我们在两个机房分别统一 vmbr 的编号:

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    编号东图网络中心
    vmbr0校园网(教育网)校园网(教育网)
    vmbr1内网内网
    vmbr2电信+移动电信
    vmbr3-联通
    vmbr4-移动
    vmbr5-特殊用途
    vmbr10备用-

    防火墙

    我们不使用 Proxmox 自带的防火墙功能,但 pve-firewall 仍然会尝试部署或恢复防火墙设置,因此需要禁用相关设置及服务:

    /etc/pve/nodes/$(hostname -s)/host.fw
    [OPTIONS]
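
Review bot: In the added table, vmbr2 is "电信+移动" at 东图 but "电信" alone at 网络中心, where 移动 is vmbr4, so the same bridge name attaches a guest to different uplinks depending on the site. Add a sentence under the table saying so, so that a VM definition copied between the two sites has its bridges re-checked; the context below notes that the built-in Proxmox firewall is not used, which makes the bridge choice the deciding factor for which network a guest lands on. The rows vmbr5 "特殊用途" and vmbr10 "备用" should also say what they carry or who assigns them. The reworded line now ends with "(见下)" while the command above it still has two "(?)" placeholders; naming vmbr1 (内网) there would close the loop.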
    @@ -2821,7 +2870,7 @@ 

    SSL 证书

    pve-5

    pve-5 位于网络中心,配置为 2× Xeon E5-2603 v4 (Broadwell 6C6T, 1.70 GHz, no HT, no Turbo Boost) Xeon E5-2667 v4 (Broadwell 8C16T, 3.20 GHz, Max 3.60 GHz),256 GB 内存和一大堆 SSD(2× 三星 240 GB SATA + 10x Intel DC S4500 1.92 TB SATA)。我们将两块 240 GB 的盘组成一个 LVM VG,分配 16 GB 的 rootfs(LVM mirror)和 8 GB 的 swap,其余空间给一个 thinpool。十块 1.92 TB 的盘组成一个 RAIDZ2 的 zpool,用于存储虚拟机等数据。

    -

    其连接的单根 10 Gbps 的光纤,桥接出 vmbr0(Cernet), vmbr2(Telecom), vmbr3(Unicom), vmbr4(Mobile)四个不同 VLAN 的网桥,另有一个 vmbr1(Ustclug)的无头网桥用于从 gateway-nic 桥接 Tinc。

    +

    其连接的单根 10 Gbps 的光纤,桥接出 vmbr0vmbr4 等网桥(线路定义见上)。其中无头网桥用于从 gateway-nic 桥接 Tinc。

    硬盘控制器不要使用 VirtIO SCSI Single 或 LSI 开头的选项

    可能由于 ZFS 模块的 bug 或者内存条故障,使用这些模式在虚拟机重启时会导致整个 Proxmox VE 主机卡住而不得不重启。请使用 VirtIO SCSI(不带 Single)。同样原因创建虚拟机硬盘时也不要勾选 iothread。
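
Review bot: The replacement sentence "其中无头网桥用于从 gateway-nic 桥接 Tinc" no longer names the headless bridge, which the removed line identified as vmbr1(Ustclug); keep the name, for example "其中 vmbr1 为无头网桥", so readers do not have to infer it from the table. The range also reads "vmbr0vmbr4" here with no separator between the two names, so check how it renders. Finally, the new table lists vmbr5 for 网络中心 too; say whether pve-5 carries it or drop "等".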

    @@ -2904,10 +2953,6 @@

    pve-6&

    HP Smart Array

    HP 的自带 RAID 卡管理软件可以在 http://downloads.linux.hpe.com/SDR/repo/mcp/Debian/pool/non-free/ 下载,安装 ssacli 软件包。相关使用方法可以参考 https://sleeplessbeastie.eu/2017/03/06/how-to-use-hp-command-line-array-configuration-utility/

    -

    pve-2, pve-4

    -

    pve-2 和 pve-4 也位于东图,是两台未知品牌、未知型号的旧机器,配置为 2× Xeon E5420 (Very old 4C4T, 2.50 GHz), 16 GB 内存(DDR2 667 MHz)和一块 16 GB 的 SanDisk SSD。该型号机器没有 IPMI

    -

    由于配置低下,我们手动安装了 Proxmox VE,没有使用 LVM,分配了 1 GB 的 swap,剩下全部给 rootfs。

    -

    机器的网卡有两个 1 Gbps 的接口,与 pve-6 相同,都接在同一个交换机上。

    diff --git a/search/search_index.json b/search/search_index.json index 6d4db1f4..38175ab0 100644 --- a/search/search_index.json +++ b/search/search_index.json @@ -1 +1 @@ -{"config":{"lang":["en"],"separator":"[\\s\\-]+","pipeline":["stopWordFilter"]},"docs":[{"location":"","title":"LUG @ USTC Documentation","text":"

    Documentation for LUG @ USTC technical infrastructure.

    "},{"location":"#layout","title":"Layout","text":"

    Our documentation is divided into these sections, as laid out on the left navigation menu:

    "},{"location":"#links","title":"References","text":""},{"location":"faq/dns/","title":"DNS \u57df\u540d\u89e3\u6790\u95ee\u9898","text":""},{"location":"faq/dns/#wrong-dns-result","title":"\u9519\u8bef\u7684\u89e3\u6790\u7ed3\u679c","text":"

    \u6211\u4eec\u7684 DNS \u662f\u5206\u6821\u5185\u5916\u3001\u5206 ISP \u89e3\u6790\u7684\u3002\u6709\u65f6\u5019\u4f1a\u9047\u5230\u6821\u5185\u8bbf\u95ee\u89e3\u6790\u5230\u6821\u5916\uff0c\u53ef\u80fd\u7684\u539f\u56e0\u662f

    /etc/resolv.conf \u987a\u5e8f\u4e0d\u5bf9

    iBug \u5728 2020 \u5e74 5 \u6708 21 \u65e5\u4fee\u4e86 gw-el \u548c mirrors2\uff0c\u8fd9\u4e24\u4e2a\u673a\u5668\u4e0a\u539f\u5148\u6392\u5728\u6700\u524d\u9762\u7684 nameserver \u5c31\u662f 8.8.4.4 \u6216\u8005 1.1.1.1 \u4e4b\u7c7b\u7684

    \u6211\u4eec\u7684\u6743\u5a01\u670d\u52a1\u5668\u4e24\u4e2a\u5728\u6821\u5185\u4e00\u4e2a\u5728\u56fd\u5185\uff0c\u56e0\u6b64\u6821\u5185\u673a\u5668\u5e94\u8be5\u4f18\u5148\u4ece\u6821\u5185\u89e3\u6790\u3002\u628a 202.38.64.1 / 2001:da8:d800::1\uff08\u5b66\u6821\u7684 DNS\uff09\u653e\u6700\u524d\u9762\u80af\u5b9a\u6ca1\u9519

    \u5982\u679c IPv4 \u89e3\u6790\u6b63\u786e\u4f46\u662f IPv6 \u8fd8\u662f\u89e3\u6790\u5230\u6821\u5916\u7684\u8bdd\uff0c

    /etc/resolv.conf \u7f3a\u5c11 IPv6 \u6761\u76ee

    taoky \u5728 2020 \u5e74 5 \u6708 29 \u65e5\u53d1\u73b0\u7684\uff0cmirrors2 \u4e0a\u8bbf\u95ee servers.ustclug.org \u8fd4\u56de Cloudflare \u7684 522 \u9519\u8bef\u9875\u9762\uff08\u6b64\u65f6\u65e5\u672c\u53cd\u4ee3\u6302\u6389\u4e86\uff09\uff0c\u7ecf\u67e5\u5c3d\u7ba1 IPv4 \u6b63\u786e\u89e3\u6790\u5230\u4e86 gw-el \u4e0a\uff0c\u4f46\u662f IPv6 \u8fd8\u662f\u89e3\u6790\u5230\u4e86 Cloudflare \u4e0a\uff0c\u4e14 nslookup \u548c dig \u7b49\u5de5\u5177\u8f93\u51fa\u770b\u8d77\u6765\u90fd\u662f\u5bf9\u7684\u3002

    \u6392\u67e5\u53d1\u73b0 /etc/resolv.conf \u91cc\u6ca1\u6709 IPv6 \u7684\u670d\u52a1\u5668\u6761\u76ee\uff0c\u5728\u9760\u524d\u7684\u4f4d\u7f6e\u63d2\u5165 nameserver 2001:da8:d800::1 \u540e\u89e3\u51b3\u3002

    \u624b\u52a8\u6e05\u7a7a\u672c\u673a\u7684 DNS \u7f13\u5b58\uff1anscd -i hosts

    \u6709\u65f6\u5019\u53ef\u80fd\u4f1a\u5728 DNS \u66f4\u65b0\u540e\u968f\u673a\u89e3\u6790\u51fa\u65b0\u65e7\u7ed3\u679c\uff0c\u53ef\u80fd\u7684\u539f\u56e0\u662f

    ns-a \u6ca1\u66f4\u65b0

    ns-a \u673a\u5668\u6bd4\u8f83\u8001\u65e7\uff0c\u7f51\u7edc\u53ef\u80fd\u4e0d\u987a\u7545\uff0c\u624b\u52a8\u628a ns-a \u66f4\u65b0\u4e00\u4e0b\u5c31\u884c\u4e86\uff08

    "},{"location":"faq/docker/","title":"Docker \u76f8\u5173\u95ee\u9898","text":""},{"location":"faq/docker/#debian-11-aufs","title":"Debian 11 \u4e2d\u4e0d\u518d\u652f\u6301 aufs","text":"

    \u4ece Debian 10 \u5347\u7ea7\u5230 Debian 11 \u65f6\uff0caufs-dkms \u4e0d\u518d\u5305\u542b\u5728\u65b0\u5185\u6838\u4e2d\uff1a

    aufs-dkms \u8f6f\u4ef6\u5305\u5c06\u4e0d\u4f5c\u4e3a bullseye \u7684\u4e00\u90e8\u5206\u51fa\u73b0\u3002\u5927\u591a\u6570 aufs-dkms \u7528\u6237\u5e94\u5f53\u5207\u6362\u81f3 overlayfs\uff0c\u540e\u8005\u63d0\u4f9b\u4e86\u76f8\u4f3c\u7684\u529f\u80fd\u4e14\u5177\u6709\u5185\u6838\u7684\u652f\u6301\u3002\u7136\u800c\uff0c\u67d0\u4e9b Debian \u5b89\u88c5\u5b9e\u4f8b\u53ef\u80fd\u4f7f\u7528\u4e86\u4e0d\u517c\u5bb9 overlayfs \u7684\u6587\u4ef6\u7cfb\u7edf\uff0c\u5982\u4e0d\u5e26\u6709 d_type \u7684 xfs\u3002\u6211\u4eec\u5efa\u8bae\u9700\u8981\u4f7f\u7528 aufs-dkms \u7684\u7528\u6237\u5728\u5347\u7ea7\u81f3 bullseye \u4e4b\u524d\u5148\u8fdb\u884c\u8fc1\u79fb\u3002

    (https://www.debian.org/releases/bullseye/amd64/release-notes/ch-information.zh-cn.html)

    \u5bf9\u4e8e\u8001\u673a\u5668\u6765\u8bf4\u9700\u8981\u63d0\u524d\u786e\u8ba4 Docker \u7684 storage driver\uff1a

    $ sudo docker info\n// ...\nServer:\n // ...\n Storage Driver: overlay2\n  Backing Filesystem: extfs\n  Supports d_type: true\n  Native Overlay Diff: true\n  userxattr: false\n

    \u8fd9\u91cc\u5982\u679c\u662f overlay2 \u90a3\u4e48\u5c31\u6ca1\u95ee\u9898\uff0c\u5982\u679c\u662f aufs \u7684\u8bdd\u5c31\u9700\u8981\u63d0\u524d\u786e\u8ba4\uff0c\u56e0\u4e3a\u5207\u6362\u5230 overlay2 \u4e4b\u540e\u73b0\u6709\u7684\u5bb9\u5668\u548c\u5bb9\u5668\u955c\u50cf\u90fd\u4f1a\u4e22\u5931\uff0c\u9700\u8981\u91cd\u65b0\u521b\u5efa\u3002\u6240\u4ee5\u9700\u8981\u786e\u4fdd\u5bb9\u5668\uff08container\uff09\u548c\u955c\u50cf\uff08image\uff09\u662f\u53ef\u590d\u73b0\u7684\u3002

    \u5728\u5347\u7ea7\u7cfb\u7edf\u540e\uff0c\u7f16\u8f91 /etc/docker/daemon.json\uff0c\u52a0\u4e0a\uff1a

    \"storage-driver\": \"overlay2\"\n

    \u7136\u540e\u542f\u52a8 docker\uff0c\u91cd\u65b0\u521b\u5efa\u5bb9\u5668\u3002

    "},{"location":"faq/ldap/","title":"LDAP \u5957\u4ef6\u95ee\u9898","text":""},{"location":"faq/ldap/#gosa","title":"GOsa \u95ee\u9898","text":"

    User \u754c\u9762\u6253\u5f00\u65f6\u62a5\u9519

    \u5982\u679c\u5728 GOsa \u4e2d\u521b\u5efa\u4e86\u4e00\u4e2a\u65b0\u7528\u6237\uff0c\u5374\u6ca1\u6709\u5728\u6700\u540e\u4e3a\u4ed6\u8bbe\u7f6e\u5bc6\u7801\uff0c\u5c31\u4f1a\u51fa\u73b0\u6b64\u95ee\u9898\uff0c\u6253\u5f00 User \u754c\u9762\u540e\u4f1a\u6709\u62a5\u9519\uff1a

    Fatal error: Uncaught ArgumentCountError: Too few arguments to function userManagement::filterLockLabel(), 0 passed in /usr/share/gosa/include/class_listing.inc on line 856 and exactly 1 expected in /usr/share/gosa/plugins/admin/users/class_userManagement.inc:856\nStack trace:\n#0 /usr/share/gosa/include/class_listing.inc(856): userManagement::filterLockLabel()\n#1 /usr/share/gosa/include/class_listing.inc(980): listing->processElementFilter('%{filter:lockLa...', Array, 50)\n#2 /usr/share/gosa/include/class_listing.inc(853): listing->filterActions('cn=...,ou=...', 50, Array)\n#3 /usr/share/gosa/include/class_listing.inc(764): listing->processElementFilter('%{filter:action...', Array, 50)\n#4 /usr/share/gosa/include/class_listing.inc(407): listing->renderCell('%{filter:action...', Array, 50)\n#5 /usr/share/gosa/include/class_management.inc(233): listing->render()\n#6 /usr/share/gosa/include/class_management.inc(222): management->renderList()\n#7 /usr/share/gosa/plugins/admin/users/main.inc(44): management->execute()\n#8 /usr/sh in /usr/share/gosa/plugins/admin/users/class_userManagement.inc on line 856\n

    \u8fd9\u662f\u56e0\u4e3a GOsa \u65e0\u6cd5\u8bfb\u53d6\u5230\u7528\u6237\u5bc6\u7801\u7684 Hash\uff0c\u800c LDAP \u5374\u5141\u8bb8\u7528\u6237\u6ca1\u6709\u5bc6\u7801\u3002 \u53ea\u9700\u4e3a\u65b0\u7684\u7528\u6237\u8bbe\u7f6e\u5bc6\u7801\u6216\u5220\u9664\u65b0\u7684\u7528\u6237\u5373\u53ef\u3002

    "},{"location":"faq/ldap/#slapd","title":"Slapd","text":"

    Slapd \u662f openldap \u7684\u670d\u52a1\u7aef daemon\u3002\u6b63\u5e38\u60c5\u51b5\u4e0b\u4e0d\u9700\u8981\u78b0\uff0c\u4f46\u662f\u5982\u679c\u8981\u78b0\u7684\u65f6\u5019\uff0c\u4f60\u4f1a\u53d1\u73b0\u5b83\u7684\u914d\u7f6e\u6781\u5176\u590d\u6742\u9ebb\u70e6\u3002

    \u4fee\u6539\u524d\u4e00\u5b9a\u8981\u5148\u6253\u865a\u62df\u673a\u5feb\u7167\uff01\uff01\uff01

    \u5c0f\u5fc3\u5ef6\u6bd5

    "},{"location":"faq/ldap/#migrate-hdb-to-mdb","title":"Migrate hdb to mdb","text":"

    slapd-hdb \u5728 Debian 11 \u5373\u5c06\u88ab deprecate\uff0c\u6240\u4ee5\u5728 2021/08/15 \u7ec4\u7ec7\u4e86\u4e00\u6b21 migrate\u3002

    \u7f51\u4e0a\u8d44\u6599\u5f88\u5c11\uff0c\u53c2\u8003\u4e86\uff1a

    1. https://github.com/osixia/docker-openldap/issues/97
    2. https://gist.github.com/wenzhixin/4705697206cdbf61bc88

    \u6b65\u9aa4\uff1a

    1. \u865a\u62df\u673a\u5feb\u7167\u6253\u597d\u3002
    2. \u5907\u4efd\u6570\u636e\u5e93\uff1aslapcat -v -l dump.ldif
    3. \u5907\u4efd /etc/ldap \u4ee5\u53ca /var/lib/ldap
    4. \u628a /etc/ldap/slapd.d \u4ee5\u53ca /var/lib/ldap \u5220\u6389\uff08\u6216\u8005\u6539\u540d\uff09
    5. \u8fd0\u884c dpkg-reconfigure slapd
    6. \u521b\u5efa /tmp/ldapconvert \u76ee\u5f55\uff0c\u8fd0\u884c slaptest -f /etc/ldap/convert.conf -F /tmp/ldapconvert
    7. \u6e05\u7a7a /etc/ldap/slapd.d/cn=config/cn=schema/ \u4e0b\u7684\u6587\u4ef6\uff0c\u5c06 /tmp/ldapconvert/slapd.d/cn=config/cn=schema/ \u4e0b\u7684\u6587\u4ef6\u590d\u5236\u5230 /etc/ldap/slapd.d/cn=config/cn=schema/ \u5c06 slapd.d \u5907\u4efd\u4e2d cn=config/cn=schema/ \u7684\u6587\u4ef6\u590d\u5236\u5230\u65b0\u7684 slapd.d \u5bf9\u5e94\u7684\u76ee\u5f55\u4e0b\uff0c\u5e76\u4e14\u4fee\u6539 owner \u4e3a openldap:openldap
    8. \u91cd\u542f slapd\uff0c\u5982\u679c\u542f\u52a8\u5931\u8d25\uff0c\u770b systemctl status slapd \u7684\u65e5\u5fd7\u8f93\u51fa debug\u3002
    9. \u6062\u590d\u6570\u636e\u5e93\uff1aslapadd -l dump.ldif\u3002\u6ce8\u610f\uff0cmdb \u6ca1\u6709\u4e8b\u52a1\uff01\u5982\u679c\u4e2d\u95f4\u51fa\u9519\u4e86\uff0c\u6392\u67e5\u95ee\u9898\u540e\uff0c\u6e05\u7a7a /var/lib/ldap\uff0c\u91cd\u542f slapd \u91cd\u6765\u3002

    \u6062\u590d\u6210\u529f\u540e\uff0c\u6709\u4e9b\u914d\u7f6e\u9700\u8981\u624b\u52a8\u8bbe\u7f6e\uff1a

    1. TLS/SSL

      # ldapmodify -H ldapi:/// -Y EXTERNAL << EOF\n> dn: cn=config\n> changetype: modify\n> replace: olcTLSCertificateFile\n> olcTLSCertificateFile: /etc/ldap/ssl/slapd-server.crt\n> -\n> replace: olcTLSCACertificateFile\n> olcTLSCACertificateFile: /etc/ldap/ssl/slapd-ca-cert.pem\n> -\n> replace: olcTLSCertificateKeyFile\n> olcTLSCertificateKeyFile: /etc/ldap/ssl/slapd-server.key\n>\n> EOF\n
    2. \u52a0\u8f7d pw-sha2.la\uff08\u82e5\u4f7f\u7528 ssha512/256 \u5219\u9700\u8981\u52a0\u8f7d\uff09

      # ldapmodify -H ldapi:/// -Y EXTERNAL << EOF\n> dn: cn=module,cn=config\n> cn: module\n> objectClass: olcModuleList\n> olcModulePath: /usr/lib/ldap/\n> olcModuleLoad: pw-sha2.la\n>\n> EOF\n
    3. \u4e3a sudoUser \u8bbe\u7f6e index

      # ldapadd -Y EXTERNAL -H ldapi:/// << EOF\n> dn: olcDatabase={1}mdb,cn=config\n> changetype: modify\n> add: olcDbIndex\n> olcDbIndex: sudoUser eq,sub\n>\n> EOF\n
    4. \u66f4\u6539\u9ed8\u8ba4\u5bc6\u7801\u5b58\u50a8\u9009\u9879\uff08\u53ef\u9009\uff09

      \u66f4\u6539\u4e3a crypt/yescrypt

      # ldapmodify -Y EXTERNAL -H ldapi:/// << EOF\n> dn: olcDatabase={-1}frontend,cn=config\n> add: olcPasswordHash\n> olcPasswordHash: {CRYPT}\n> \n> dn: cn=config\n> add: olcPasswordCryptSaltFormat\n> olcPasswordCryptSaltFormat: $y$j9T$%s\n

      \u66f4\u6539\u4e3a ssha512\uff08\u9700\u8981 pw-sha2.la\uff0c\u4e5f\u53ef\u53c2\u7167\u4e0a\u8ff0 yescrypt \u7684\u914d\u7f6e\u66f4\u6539\u4e3a crypt/ssha512\uff09

      # ldapmodify -Y EXTERNAL -H ldapi:/// << EOF\n> dn: olcDatabase={-1}frontend,cn=config\n> add: olcPasswordHash\n> olcPasswordHash: {SSHA512}\n

      \u5982\u679c\u62a5\u9519\u5df2\u7ecf\u5b58\u5728\uff0c\u53ef\u4ee5\u7528 replace \u9009\u9879\uff0c\u4ee5 crypt/yescrypt \u4e3a\u4f8b\uff1a

      # ldapmodify -Y EXTERNAL -H ldapi:/// << EOF\n> dn: olcDatabase={-1}frontend,cn=config\n> changetype: modify\n> replace: olcPasswordHash\n> olcPasswordHash: {CRYPT}\n> \n> dn: cn=config\n> changetype: modify\n> replace: olcPasswordCryptSaltFormat\n> olcPasswordCryptSaltFormat: $y$j9T$%s\n

      \u6ce8\u610f\u5728\u4f7f\u7528\u4e0a\u8ff0 hash \u65b9\u5f0f\u7684\u65f6\u5019\u8fdb\u5165 gosa \u7528\u6237\u9875\u9762\u65f6\u53ef\u80fd\u4f1a\u62a5\u9519 Cannot find a suitable password method for the current hash

    "},{"location":"faq/nginx/","title":"Nginx \u76f8\u5173\u914d\u7f6e","text":""},{"location":"faq/nginx/#git-host-specific","title":"\u4f7f\u7528 Git \u540c\u6b65\u914d\u7f6e\uff0c\u4f46\u9700\u8981 host-specific \u7684\u914d\u7f6e","text":"
    1. Nginx \u81ea\u5e26\u4e00\u4e2a\u53d8\u91cf $hostname \u53ef\u4ee5\u5728\u5408\u9002\u7684\u5730\u65b9\u7528\u6765 if \u6216\u8005 map\uff0c\u4f46\u662f\u5728\u8fd9\u4e2a\u529e\u6cd5\u4e0d\u9876\u7528\u7684\u65f6\u5019\uff08\u4f8b\u5982\uff0cresolver \u4e0d\u652f\u6301\u53d8\u91cf\uff09\u5c31\u53ea\u80fd\u7528\u4e0b\u9762\u8fd9\u4e2a\u7b28\u529e\u6cd5\u4e86\u3002
    2. \u628a\u9700\u8981 host-specific \u7684\u90a3\u4e2a\u6587\u4ef6\u52a0\u5165 .gitignore\uff0c\u7136\u540e\u5728\u5408\u9002\u7684\u4f4d\u7f6e\u7559\u4e0b\u4e00\u4e2a README\u3002
    "},{"location":"faq/nginx/#_1","title":"\u6587\u4ef6\u6253\u5f00\u6570\u5927\u5c0f\u9650\u5236","text":"

    \u5728\u9ed8\u8ba4\u8bbe\u7f6e\u4e2d\uff0cnginx \u7684\u6700\u5927\u6587\u4ef6\u6253\u5f00\u6570\u4e0a\u9650\u5e76\u4e0d\u5927\u3002\u5f53\u6709\u5927\u91cf\u8bbf\u95ee\u65f6\uff0c\u6587\u4ef6\u6253\u5f00\u6570\u53ef\u80fd\u4f1a\u8d85\u8fc7\u9650\u989d\uff0c\u5bfc\u81f4\u7f51\u7ad9\u54cd\u5e94\u7f13\u6162\u3002\u5728\u65b0\u914d\u7f6e\u670d\u52a1\u5668\u65f6\uff0c\u8fd9\u4e00\u9879\u8bbe\u7f6e\u5f88\u5bb9\u6613\u88ab\u5ffd\u7565\u6389\u3002

    \u89e3\u51b3\u65b9\u6cd5\uff1a

    1. sudo systemctl edit nginx.service\uff08\u90e8\u5206\u673a\u5668\u4e0a\u7684\u670d\u52a1\u540d\u53ef\u80fd\u4e3a openresty.service\uff09
    2. \u5728\u6253\u5f00\u7684 override \u6587\u4ef6\u7684 [Service] \u4e0b\u65b9\u6dfb\u52a0 LimitNOFILE=524288\uff08\u89c6\u60c5\u51b5\u8fd9\u4e2a\u503c\u53ef\u4ee5\u76f8\u5e94\u8c03\u6574\uff09
    "},{"location":"faq/nginx/#gateway-tmpmem","title":"\u5173\u4e8e gateway \u914d\u7f6e\u4e2d\u7684 /tmp/mem \u8def\u5f84","text":"

    \u66f4\u65b0

    \u6211\u4eec\u5df2\u4e0d\u518d\u5728 nginx.conf \u91cc\u4f7f\u7528 /tmp/mem \u4e86\uff0c\u4ee5\u4e0b\u5185\u5bb9\u4ec5\u4f5c\u5b58\u6863\u3002

    \u9519\u8bef\u8868\u73b0\u662f systemctl start nginx.service \u5931\u8d25\uff0c\u4f7f\u7528 status \u6216 journalctl \u53ef\u4ee5\u770b\u5230\u4ee5\u4e0b\u4fe1\u606f\uff1a

    [emerg] mkdir() \"/tmp/mem/nginx_temp\" failed (2: No such file or directory)\n

    \u8fd9\u662f\u56e0\u4e3a\u6211\u4eec\u7684 nginx.conf \u4e2d\u94a6\u70b9\u4e86 proxy_temp /tmp/mem/nginx_temp\uff0c\u800c /tmp/mem \u662f\u6211\u4eec\u81ea\u5df1\u5efa\u7684\u4e00\u4e2a tmpfs \u6302\u8f7d\u70b9\uff0c\u5b83\u4e0d\u662f\u4efb\u4f55\u53d1\u884c\u7248\u7684\u9ed8\u8ba4\u914d\u7f6e\uff0c\u6240\u4ee5\u65b0\u88c5\u7684\u7cfb\u7edf\u5982\u679c\u76f4\u63a5 pull \u4e86\u8fd9\u4efd nginx config \u5c31\u4f1a\u62a5\u4ee5\u4e0a\u9519\u8bef\u3002

    \uff08\u4f7f\u7528 /tmp/mem \u7684\u539f\u56e0\u662f\uff0c\u7531\u4e8e nginx \u53cd\u4ee3\u9700\u8981\u9891\u7e41\u8bfb\u5199\u4e34\u65f6\u6587\u4ef6\uff0c\u4e3a\u4e86\u51cf\u5c11\u78c1\u76d8 IO \u5360\u7528\uff0c\u6545\u5c06\u5176\u4e34\u65f6\u6587\u4ef6\u653e\u5165\u5185\u5b58\u4e2d\uff09

    \u6b63\u786e\u7684\u89e3\u51b3\u65b9\u6cd5\u662f\u8865\u4e0a\u5bf9\u5e94\u7684 fstab \u884c\uff1a

    tmpfs   /tmp/mem    tmpfs   0   0\n

    \u5982\u679c\u521b\u5efa/\u6302\u8f7d\u4e86 /tmp/mem \u540e\uff0c\u542f\u52a8\u4ecd\u7136\u51fa\u9519\uff0c\u5219\u9700\u8981\u68c0\u67e5 openresty.service/nginx.service \u6587\u4ef6\u4e2d\u662f\u5426\u5305\u542b PrivateTmp=yes\u3002\u5982\u679c\u5305\u542b\uff0c\u5219\u9700\u8981 systemctl edit\uff0c\u5c06\u6b64\u9879\u8bbe\u7f6e\u4e3a false\u3002

    fstab \u4e0e systemd

    \u8c03\u6574 fstab \u4e4b\u540e\uff0c\u9700\u8981\u6267\u884c systemctl daemon-reload\uff0c\u5426\u5219 systemd \u53ef\u80fd\u4f1a\u5728\u7b2c\u4e8c\u65e5\u51cc\u6668\u6302\u8f7d\u5df2\u88ab\u6ce8\u91ca\u7684\u78c1\u76d8\u9879\u3002

    "},{"location":"faq/systemd-timer/","title":"Systemd-timer \u53c2\u8003\u6a21\u677f","text":"

    Systemd-timer \u4f5c\u4e3a crontab \u7684\u66ff\u4ee3\u54c1\uff0c\u6709\u4e00\u7cfb\u5217\u7684\u4f18\u70b9\uff1a

    \u5f53\u7136\u76f8\u6bd4\u4e8e crontab\uff0c\u7f3a\u70b9\u4e5f\u5f88\u660e\u663e\uff1a

    \u6240\u4ee5\u4ee5\u4e0b\u7ed9\u51fa\u4e00\u4e2a\u6a21\u677f\uff0c\u65b9\u4fbf\u5728\u521b\u5efa\u65b0\u5b9a\u65f6\u4efb\u52a1\u7684\u65f6\u5019\u4f7f\u7528\u3002\u8fd9\u91cc\u7684\u4f8b\u5b50\u662f mirrors2 \u4ece mirrors4 \u83b7\u53d6\u538b\u7f29\u540e\u7684\u65e5\u5fd7\u3002\u4ee5\u4e0b\u6587\u4ef6\u5747\u653e\u5728 /etc/systemd/system\u3002

    m4log.service
    [Unit]\nDescription=Mirrors4 log backup\nDocumentation=man:rsync(1)\nAfter=network.target\nStartLimitIntervalSec=0\n\n[Service]\nType=simple\nUser=mirror\nGroup=mirror\nExecStart=rsync -rltpv --include=*/ --include=*.xz --exclude=* m4log:/ /var/m4log/\nRestart=on-failure\nRestartSec=3\n
    m4log.timer
    [Unit]\nDescription=Mirrors4 log backup timer\nDocumentation=man:rsync(1)\nAfter=network.target\nStartLimitIntervalSec=0\n\n[Timer]\nOnCalendar=*-*-* 7:13:00\nRandomizedDelaySec=60s\nPersistent=true\nUnit=m4log.service\n\n[Install]\nWantedBy=timer.target\n

    \u5173\u4e8e OnCalendar \u7684\u89e6\u53d1\u65f6\u95f4\uff0c\u53ef\u4ee5\u53c2\u8003 systemd \u7684 Calendar Events \u8bf4\u660e\uff0c\u5e76\u7528 systemd-analyze calendar \u6765\u68c0\u9a8c\u6b63\u786e\u6027\uff0c\u4e5f\u53ef\u4ee5\u7528 systemctl list-timers \u89c2\u5bdf Timer \u4e0b\u6b21\u89e6\u53d1\u7684\u65f6\u95f4\u662f\u5426\u7b26\u5408\u9884\u671f\u3002

    \u4e0b\u9762\u662f\u4e00\u4e9b\u5e38\u7528\u547d\u4ee4\uff1a

    "},{"location":"faq/vm/","title":"\u865a\u62df\u5316\u76f8\u5173","text":""},{"location":"faq/vm/#_2","title":"\u6269\u76d8","text":"

    \u6269\u5927\u865a\u62df\u78c1\u76d8\u7684\u5927\u5c0f\u540e\uff0c\u53ef\u4ee5\u91c7\u7528\u4ee5\u4e0b\u76f8\u5bf9\u7b80\u5355\u7684\u65b9\u5f0f\u6269\u5c55\u5206\u533a\u5927\u5c0f\uff1a

    \u8bf7\u786e\u4fdd\u7406\u89e3\u547d\u4ee4\u540e\u518d\u6267\u884c

    $ # \u5b89\u88c5 growpart\n$ sudo apt install cloud-guest-utils\n$ # \u6269\u5c55 /dev/sdb1\n$ sudo growpart /dev/sdb 1\n$ # \u73b0\u5728\u5206\u533a\u8868\u4ee5\u53ca\u5206\u533a\u6269\u5c55\u4e86\uff0c\u4f46\u662f\u5206\u533a\u91cc\u9762\u7684\u6587\u4ef6\u7cfb\u7edf\u7684\u5927\u5c0f\u8fd8\u6ca1\u6709\u6269\u5c55\n$ # \u4ee5 ext4 \u4e3a\u4f8b\n$ sudo resize2fs /dev/sdb1\n
    "},{"location":"infrastructure/auth-dns/","title":"Authoritative DNS","text":"

    Services (Servers):

    "},{"location":"infrastructure/auth-dns/#deploy","title":"Deploy","text":"

    The bind configuration repository is only visible to admins because private key is included.

    # copy the ssh key https://github.com/ustclug/auth-dns/blob/master/git_pull_key\n# to ~/.ssh/id_ed25519\n\n# now get the conf\ngit clone git@github.com:ustclug/auth-dns.git /var/lib/bind\n\n# delete the ssh key\nrm ~/.ssh/id_ed25519\n
    docker run --restart=always -v /var/lib/bind/:/etc/bind \\\n       --net host -it -d --name=auth-dns zhusj/bind9\n
    "},{"location":"infrastructure/auth-dns/#update-dns-record","title":"Update DNS Record","text":"

    Just commit your changes to the configuration repository. More details can be found in the repository.

    "},{"location":"infrastructure/auth-dns/#webhook","title":"Webhook","text":"

    Please add a webhook in the configuration repository, so that the DNS record can be automatically updated when commits are pushed.

    The webhook endpoint is http://<server_ip>:9000/hooks/bind, see https://github.com/ustclug/auth-dns/settings/hooks for examples.

    "},{"location":"infrastructure/dockerhub/","title":"Docker Hub","text":""},{"location":"infrastructure/dockerhub/#dsos","title":"Docker-Sponsored Open-Source program (DSOS) application","text":"Item Reference response First Name Jiawei (Use your own name) Last Name Fu (Use your own name) Email Address redacted (Use your own email address) Role Tech Lead (or anything that makes sense) Company or Organization Name Linux User Group of University of Science and Technology of China Country (Select) China What is the name of your project? Various: USTC Open Source Software Mirror, USTC Network Boot Service, etc. Please link the public repository of your OSS organization (github, gitlab, etc.) https://github.com/ustclug Please provide a link to your project website. https://lug.ustc.edu.cn/ Enter your user Docker ID (aka username). ibugone (Use your own Docker ID) Do you have an existing Organization? (Select) Yes Enter the existing Docker ID for your organization on Docker Hub. ustclug What is the goal of this project? Ease the use of many Linux distros and open-source software, as well as advocate the spirit of Free Software What types of user(s) benefit from this project? Linux users and developers in mainland China What is the code distribution license for your OSS project? (Select) MIT License To what industry does your project or organization belong? (Select) Academic/research To what industry does your project or organization belong? 6 (Adjust as needed) Please list all sponsors for this project (patreon and other microdonations can be listed as one). USTC Network Information Center, USTC Library Does this project have a pathway to commercialization? ... (Select) No If approved, do you agree to the ...? (Tick the checkbox) Press Submit"},{"location":"infrastructure/dockerhub/#notes","title":"Notes","text":"

    The first application on October 25, 2023 was declined with the following reason (emphasis mine):

    During our review of your application for Various (USTC Open Source Soft[sic], we determined that while your project meets most of the program requirements, there is a lack of documentation in one or more of your repositories on Docker Hub.

    Before resubmitting the application, I deleted a few obsolete repositories and filled in the \"Repository overview\" for the rest, asking ChatGPT to produce it when needed. Afterwards, the second submission was approved in just 3 hours.

    "},{"location":"infrastructure/github/","title":"GitHub Organization","text":"

    ustclug @ GitHub

    "},{"location":"infrastructure/github/#github-actions","title":"GitHub Actions","text":"

    GitHub Actions \u5bf9\u516c\u5f00\u4ed3\u5e93\u514d\u8d39\uff0c\u5bf9\u79c1\u6709\u4ed3\u5e93\u6bcf\u6708\u6709 3000 \u5206\u949f\u7684\u9650\u989d\uff08\u6ce8\uff1a\u6211\u4eec\u662f\u5b66\u6821\u5e2e\u5fd9\u7533\u8bf7\u7684 GitHub Education\uff0c\u6240\u4ee5\u6211\u4eec\u5728\u529f\u80fd\u4e0a\u76f8\u5f53\u4e8e\u4ed8\u8d39\u7684 GitHub Team\uff09\u3002\u76ee\u524d\u6211\u4eec\u6709\u591a\u4e2a\u9879\u76ee\u4f7f\u7528 GitHub Actions \u90e8\u7f72\uff0c\u4f8b\u5982 Linux 101 \u7684\u8bb2\u4e49\u3002

    \u6211\u4eec\u66fe\u7ecf\u4f7f\u7528 Travis CI\uff08\u73b0\u5728\u4e5f\u5728\u90e8\u5206\u516c\u5f00\u4ed3\u5e93\u4e2d\u4f7f\u7528\uff09\uff0c\u56e0\u4e3a\uff08\u4e0d\u4f1a\u5b9a\u671f\u91cd\u7f6e\u7684\uff09\u6570\u91cf\u9650\u5236\u800c\u5c06\u79c1\u6709\u4ed3\u5e93\u5168\u90e8\u8fc1\u51fa\uff0c\u8ba8\u8bba\u89c1 Discussion #308.

    "},{"location":"infrastructure/github/#2fa","title":"\u4e24\u6b65\u8ba4\u8bc1\uff082FA\uff09","text":"

    \u6211\u4eec\u5f3a\u70c8\u5efa\u8bae\u52a0\u5165 ustclug \u7ec4\u7ec7\u7684\u7528\u6237\u4e3a\u81ea\u5df1\u7684 GitHub \u8d26\u53f7\u914d\u7f6e\u4e24\u6b65\u8ba4\u8bc1\uff1a

    "},{"location":"infrastructure/ldap/","title":"LDAP \u670d\u52a1\u4f7f\u7528\u53ca\u914d\u7f6e\u8bf4\u660e","text":"

    LDAP \u662f\u8f7b\u91cf\u76ee\u5f55\u8bbf\u95ee\u534f\u8bae\uff0c\u6211\u4eec\u7528\u7684\u8f6f\u4ef6\u662f OpenLDAP\u3002

    LDAP \u7684\u914d\u7f6e\u5f88\u9ebb\u70e6\uff0c\u6240\u4ee5\u88c5\u4e86\u4e00\u4e2a\u7f51\u9875\u524d\u7aef\u6765\u914d\u7f6e\u5b83\uff0c\u7f51\u9875\u524d\u7aef\u662f GOsa\u00b2\u3002

    "},{"location":"infrastructure/ldap/#_1","title":"\u5bc6\u7801\u4fee\u6539","text":"

    \u767b\u5f55\u4efb\u610f\u4e00\u53f0\u670d\u52a1\u5668\u4f7f\u7528 passwd \u5c31\u53ef\u4ee5\u4fee\u6539\u5bc6\u7801\uff0c\u4fee\u6539\u7684\u5bc6\u7801\u5728\u6240\u6709\u673a\u5668\u4e0a\u5b9e\u65f6\u751f\u6548\uff08\u56e0\u4e3a\u5b9e\u9645\u662f\u5b58\u5728 LDAP \u6570\u636e\u5e93\u91cc\u7684\uff09\u3002

    "},{"location":"infrastructure/ldap/#gosa","title":"GOsa \u4f7f\u7528","text":"

    \u7f51\u9875\u754c\u9762\u4f4d\u4e8e ldap.lug.ustc.edu.cn\u3002

    \u7528\u4f60\u7684\u8d26\u53f7\u767b\u5f55\u8fdb\u53bb\u4e4b\u540e\uff0c\u53ef\u4ee5\u5728\u53f3\u4e0a\u89d2\u9000\u51fa\uff0c\u53f3\u4e0a\u89d2\u8fd8\u6709\u4e24\u4e2a\u6309\u94ae\u5206\u522b\u662f\u4fee\u6539\u8d26\u53f7\u4fe1\u606f\u548c\u4fee\u6539\u5bc6\u7801\u3002\u8d26\u53f7\u4fe1\u606f\u7b2c\u4e00\u9875\u5927\u90e8\u5206\u662f\u6ca1\u7528\u7684\uff0c\u53ea\u6709\u4e00\u4e2a\u767b\u5f55\u540d\u662f\u6709\u7528\u7684\uff0c\u8fd9\u662f\u4f60\u767b\u5f55\u4efb\u4f55\u5730\u65b9\u7684\u7528\u6237\u540d\u3002

    "},{"location":"infrastructure/ldap/#ldap-users-and-groups","title":"Users \u548c Groups","text":"

    Users \u662f\u7528\u6765\u6dfb\u52a0\u548c\u914d\u7f6e\u7528\u6237\u4fe1\u606f\u7684\u5730\u65b9\u3002\u6700\u4e3b\u8981\u7684\u529f\u80fd\u4f4d\u4e8e\u6bcf\u4e2a User \u7684\u7b2c\u4e8c\u9875 POSIX\uff0c\u8fd9\u91cc\u53ef\u4ee5\u8bbe\u7f6e\u7528\u6237\u7684\u5bb6\u76ee\u5f55\uff0cUID\uff0cGID\uff0c\u4ee5\u53ca\u6240\u5c5e\u7684\u7528\u6237\u7ec4\u3002\u8fd9\u91cc\u9700\u8981\u6ce8\u610f\u7684\u5730\u65b9\u5982\u4e0b\uff1a

    Groups \u4e2d\u4ee5 ssh \u5f00\u5934\u7684\u7ec4\u63a7\u5236\u5bf9\u5e94\u673a\u5668\u7684 ssh \u6743\u9650\uff0csudo \u5f00\u5934\u540c\u7406\u3002super_maneger \u7ec4\u5305\u542b\u6240\u6709\u673a\u5668\u7684\u6743\u9650\uff0c\u4ee5\u53ca LDAP \u7684 admin \u8eab\u4efd\u3002\u52a0\u5165\u5bf9\u5e94\u7684\u7ec4\u5373\u6388\u4e88\u76f8\u5e94\u6743\u9650\u3002\u5df2\u77e5\u7684 GID

    "},{"location":"infrastructure/ldap/#access-control","title":"Access Control","text":"

    \u8fd9\u91cc\u53ef\u4ee5\u914d\u7f6e GOsa \u7684\u7f16\u8f91\u6743\u9650\uff0c\u73b0\u5728\u8fd9\u91cc\u9762\u53ea\u6709\u4e00\u4e2a\u7ec4\uff0c\u662f\u5b8c\u5168\u6743\u9650\u7684\u3002\u53e6\u5916\uff0c\u6bcf\u4e2a\u9879\u53ef\u4ee5\u8bbe\u7f6e\u4e13\u95e8\u9488\u5bf9\u8fd9\u4e2a\u9879\u7684 ACL\u3002

    "},{"location":"infrastructure/ldap/#sudo-rules","title":"Sudo rules","text":"

    \u8fd9\u91cc\u914d\u7f6e sudo \u6743\u9650\u3002\u8fd9\u91cc\u7684\u8bed\u6cd5\u548c sudoers \u4e00\u6837\uff08\u8bf7\u65e0\u89c6 System trust\uff09\u3002\u7279\u522b\u8981\u8bf4\u7684\u4e00\u70b9\u662f\u901a\u8fc7\u5728 System \u4e2d\u52a0\u5165\u4e3b\u673a\u540d\u53ef\u4ee5\u9488\u5bf9\u6bcf\u4e2a\u4e3b\u673a\u914d\u7f6e\u6743\u9650\uff0c\u8fd9\u91cc\u8981\u586b\u7684\u662f\u4e3b\u673a\u540d\u800c\u4e0d\u662f\u57df\u540d\uff0c\u5177\u4f53\u8303\u4f8b\u8bf7\u770b\u91cc\u9762\u7684 lugsu wikimanager \u7b49\u9879\u3002

    \u5176\u5b83\u6211\u6ca1\u63d0\u5230\u7684\u9879\u6211\u4e5f\u6ca1\u641e\u660e\u767d\u600e\u4e48\u7528\u3002\u3002\u3002

    gosa \u7684\u914d\u7f6e\u6587\u4ef6\u5728 /etc/gosa/gosa.conf\uff0c\u5b83\u662f\u5728\u7b2c\u4e00\u6b21\u8fd0\u884c gosa \u65f6\u5019\u81ea\u52a8\u751f\u6210\u7684\uff0c\u4f46\u5728\u4e4b\u540e\u5c31\u53ea\u80fd\u901a\u8fc7\u624b\u52a8\u7f16\u8f91\u6765\u4fee\u6539\u3002\u7531\u4e8e\u914d\u7f6e\u6587\u4ef6\u51e0\u4e4e\u6ca1\u6709\u6587\u6863\uff0c\u5b98\u65b9\u7684 FAQ \u6709\u597d\u591a\u662f\u9519\u7684\uff0c\u6240\u4ee5\u6211\u57fa\u672c\u6ca1\u52a8:-D\u3002

    "},{"location":"infrastructure/ldap/#_2","title":"\u7ef4\u62a4\u5907\u6ce8","text":"

    \u5982\u679c\u53d1\u73b0\u66f4\u65b0 GOsa \u4e4b\u540e\uff0c/gosa \u6ca1\u6709\u6b63\u5e38\u5de5\u4f5c\uff08\u6bd4\u5982\u8bf4\u76f4\u63a5\u663e\u793a\u4e86 PHP \u7684\u6e90\u4ee3\u7801\uff09\uff0c\u53ef\u4ee5\u5c1d\u8bd5\u5220\u9664 /var/spool/gosa/ \u4e2d\u7684\u6240\u6709\u6587\u4ef6\uff0c\u8be6\u89c1 Gosa broken in Debian stretch\u3002

    "},{"location":"infrastructure/ldap/#ldap_1","title":"LDAP \u5ba2\u6237\u7aef\u914d\u7f6e","text":""},{"location":"infrastructure/ldap/#debian","title":"Debian \u914d\u7f6e\u65b9\u6cd5","text":""},{"location":"infrastructure/ldap/#_3","title":"\u8f6f\u4ef6\u5305\u5b89\u88c5","text":"

    Debian 7 \u4ee5\u4e0a\u7cfb\u7edf\u5b89\u88c5 libnss-ldapd\u3001libpam-ldapd\u3001sudo-ldap

    Note

    \u66f4\u65b0\u8fd9\u4e9b\u8f6f\u4ef6\u5305\u65f6\uff0c\u6ce8\u610f\u4fdd\u7559\u4e00\u4e2a root \u7ec8\u7aef\uff0c\u66f4\u65b0\u540e\u53ef\u80fd\u9700\u8981\u91cd\u542f daemon \u8fdb\u7a0b

    \u5728\u5b89\u88c5\u8fc7\u7a0b\u4e2d\u4f1a\u88ab\u95ee\u4e00\u4e9b\u95ee\u9898\uff08\u4e0d\u540c\u7248\u672c\u7684 Debian \u7684\u95ee\u9898\u53ef\u80fd\u4e0d\u540c\uff09\uff1a

    "},{"location":"infrastructure/ldap/#etcldapldapconf","title":"/etc/ldap/ldap.conf","text":"

    \u7f16\u8f91\u5185\u5bb9\u5982\u4e0b\uff1a

    /etc/ldap/ldap.conf
    BASE dc=lug,dc=ustc,dc=edu,dc=cn\nURI ldaps://ldap.lug.ustc.edu.cn\nSSL yes\nTLS_CACERT /etc/ldap/slapd-ca-cert.pem\nTLS_REQCERT demand\nSUDOERS_BASE ou=sudoers,dc=lug,dc=ustc,dc=edu,dc=cn\n

    \u4e3a\u4e86\u5b89\u5168\u6027\u8003\u8651\uff0c\u8981\u4ee5 ldaps \u7684\u65b9\u5f0f\u8fde\u63a5 ldap \u670d\u52a1\u5668\uff0c\u540c\u65f6\u5e94\u914d\u7f6e\u597d\u8bc1\u4e66 (/etc/ldap/slapd-ca-cert.pem, \u4ece\u5176\u5b83\u670d\u52a1\u5668\u590d\u5236\u4e00\u4e2a)

    "},{"location":"infrastructure/ldap/#etcsudo-ldapconf","title":"/etc/sudo-ldap.conf","text":"

    \u8fd9\u4e2a\u6587\u4ef6\u5e94\u8be5\u76f4\u63a5\u8f6f\u94fe\u63a5\u5230 /etc/ldap/ldap.conf\uff0c\u901a\u5e38 dpkg \u5df2\u7ecf\u4e3a\u4f60\u521b\u5efa\u597d\u4e86\u3002

    "},{"location":"infrastructure/ldap/#etcnslcdconf","title":"/etc/nslcd.conf","text":"

    \u6ce8\u610f\u68c0\u67e5\u4e00\u4e0b\u6b64\u914d\u7f6e\u6587\u4ef6\u662f\u5426\u4e0e /etc/ldap/ldap.conf \u4e0b\u7684\u5185\u5bb9\u76f8\u4e00\u81f4\uff0c\u5982

    /etc/nslcd.conf
    uid nslcd\ngid nslcd\nuri ldaps://ldap.lug.ustc.edu.cn\nbase dc=lug,dc=ustc,dc=edu,dc=cn\nssl on\ntls_reqcert demand\ntls_cacertfile /etc/ldap/slapd-ca-cert.pem\n
    "},{"location":"infrastructure/ldap/#etcnsswitchconf","title":"/etc/nsswitch.conf","text":"

    \u5b89\u88c5\u8f6f\u4ef6\u5305\u65f6\uff0c\u5b89\u88c5\u811a\u672c\u5df2\u7ecf\u5904\u7406\u8fc7\u8be5\u6587\u4ef6\u3002\u68c0\u67e5\u4e00\u4e0b\u5185\u5bb9\uff0c\u5927\u81f4\u4e3a\uff1a

    passwd:         compat ldap\ngroup:          compat ldap\nshadow:         compat ldap\n......\nsudoers:        files ldap\n

    \u6ce8\u610f\u6bcf\u4e00\u9879\u540e\u9762\u7684 ldap\uff0c\u5982\u679c\u6ca1\u6709\u8981\u624b\u52a8\u52a0\u4e0a\u3002\u4e0d\u592a\u6e05\u695a\u5177\u4f53\u542b\u4e49\uff0c\u53cd\u6b63\u7ed9\u6bcf\u4e00\u9879\u90fd\u52a0\u4e0a ldap \u662f\u6ca1\u6709\u95ee\u9898\u7684\u3002

    Debian 10 \u8981\u6539\u4e00\u4e0b sudoers \u90a3\u4e00\u884c

    \u628a ldap \u653e\u524d\u9762\uff0c\u540c\u65f6\u52a0\u4e0a [SUCCESS=return] \u5e94\u8be5\u50cf\u4e0b\u9762\u8fd9\u6837\uff1a

    sudoers:        ldap [SUCCESS=return] files\n

    \u91cd\u542f\u4e00\u4e0b nscd \u548c nslcd \u670d\u52a1\uff0c\u6b64\u65f6\u8fd0\u884c getent passwd\uff0c\u5e94\u8be5\u53ef\u4ee5\u770b\u5230\u6bd4 /etc/passwd \u66f4\u591a\u7684\u5185\u5bb9\uff0c\u8fd9\u5c31\u8bf4\u660e\u914d\u7f6e\u6b63\u786e\u4e86\u3002

    "},{"location":"infrastructure/ldap/#pam","title":"PAM \u914d\u7f6e","text":"

    \u5982\u679c PAM \u914d\u7f6e\u9519\u8bef\uff0c\u53ef\u80fd\u5bfc\u81f4\u7528\u6237\u65e0\u6cd5\u4f7f\u7528 SSH \u767b\u5f55\uff0c\u751a\u81f3\u8fde sudo \u4e5f\u53ef\u80fd\u6302\u6389\u3002\u6240\u4ee5\u4fee\u6539 PAM \u914d\u7f6e\u65f6\uff1a

    1. \u8bf7\u505a\u597d\u6587\u4ef6\u5907\u4efd\uff1b
    2. \u8bf7\u53e6\u5f00\u4e00\u4e2a root \u7ec8\u7aef\u4ee5\u9632\u4e07\u4e00\u3002

    \u5bf9\u4e8e Debian 7+\uff0c\u53ea\u9700\u8bbe\u7f6e\u4e00\u5904\u3002\u4e3a\u4e86\u767b\u5f55\u65f6\u81ea\u52a8\u521b\u5efa\u5bb6\u76ee\u5f55\uff0c\u5728 /etc/pam.d/common-session \u4e2d\u6dfb\u52a0\u4e0b\u9762\u8fd9\u53e5\uff1a

    session required    pam_mkhomedir.so skel=/etc/skel umask=0022\n

    \u5bf9\u4e8e Debian 5\uff0c\u8bf7\u67e5\u9605\u672c\u6587\u6863\u7684 Git \u8bb0\u5f55\u3002

    "},{"location":"infrastructure/ldap/#centos","title":"CentOS \u914d\u7f6e\u65b9\u6cd5","text":"

    \u901a\u8fc7 yum \u5b89\u88c5 openldap openldap-clients nss_ldap nss-pam-ldap

    \u4ee5 root \u8eab\u4efd\u6267\u884c

    authconfig --enablecache \\\n       --enableldap \\\n       --enableldapauth \\\n       --ldapserver=\"ldaps://ldap.lug.ustc.edu.cn/\" \\\n       --ldapbasedn=\"dc=lug,dc=ustc,dc=edu,dc=cn\" \\\n       --enableshadow \\\n       --enablemkhomedir \\\n       --enablelocauthorize \\\n       --update\n

    \u6ce8\u610f\uff0c\u7531\u4e8e authconfig \u7684 bug\uff0c\u4e0a\u4e00\u6761\u547d\u4ee4\u7684\u6267\u884c\u73af\u5883\u5fc5\u987b\u662f LC_ALL=en_US.UTF-8

    Sudo \u7684\u914d\u7f6e\u662f\u901a\u8fc7 sssd \u5b9e\u73b0\u7684\uff0c\u53c2\u8003 https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/sssd-ldap-sudo.html

    \u5b89\u88c5 sssd libsss_sudo \u5c06 /usr/share/doc/sssd-common/sssd-example.conf \u590d\u5236\u5230 /etc/sssd/sssd.conf \u5e76\u4fee\u6539\u6743\u9650\u4e3a 600\u3002

    [taoky@gateway-nic ~]$ sudo diff /usr/share/doc/sssd-common/sssd-example.conf /etc/sssd/sssd.conf\n3c3\n< services = nss, pam\n---\n> services = nss, pam, sudo\n8c8\n< ; domains = LDAP\n---\n> domains = LDAP\n13a14,15\n> [sudo]\n>\n15,17c17,19\n< ; [domain/LDAP]\n< ; id_provider = ldap\n< ; auth_provider = ldap\n---\n> [domain/LDAP]\n> id_provider = ldap\n> auth_provider = ldap\n22,24c24,27\n< ; ldap_schema = rfc2307\n< ; ldap_uri = ldap://ldap.mydomain.org\n< ; ldap_search_base = dc=mydomain,dc=org\n---\n> ldap_schema = rfc2307\n> ldap_uri = ldaps://ldap.lug.ustc.edu.cn\n> ldap_search_base = dc=lug,dc=ustc,dc=edu,dc=cn\n> ldap_sudo_search_base = ou=sudoers,dc=lug,dc=ustc,dc=edu,dc=cn\n30c33\n< ; cache_credentials = true\n---\n> cache_credentials = true\n35c38\n< # you must install Microsoft Services For UNIX and map LDAP attributes onto\n---\n> # you must install Microsoft Services For Unix and map LDAP attributes onto\n

    \u5751

    \u9700\u8981\u52a0\u4e0a [sudo]\uff0c\u5426\u5219 sudo \u914d\u7f6e\u4f3c\u4e4e\u4e0d\u4f1a\u751f\u6548\uff0c\u8fd9\u4e2a\u914d\u7f6e\u95ee\u9898\u5bfc\u81f4\u4e86\u4fee\u6539\u524d\u5728 gateway-nic \u4e0a\u7528\u6237\u65e0\u6cd5\u4f7f\u7528 sudo\u3002

    \u53e6\u5916\u8bb0\u5f97\u50cf\u524d\u9762\u5728 Debian \u4e2d\u5b89\u88c5\u4ecb\u7ecd\u5230\u7684\u90a3\u6837\u4fee\u6539 /etc/nsswitch.conf \u4ee5\u53ca /etc/nslcd.conf.

    "},{"location":"infrastructure/ldap/#nscd","title":"NSCD \u4f7f\u7528\u8bf4\u660e","text":"

    NSCD \u662f\u7528\u4e8e LDAP \u7f13\u5b58\u7684\u670d\u52a1\uff0c\u76ee\u524d\u5728 mirrors \u4e0a\u7684\u914d\u7f6e\u662f\u4fdd\u6301 30 \u5929\u3002\u8fd9\u5bfc\u81f4\u7684\u95ee\u9898\u662f\u6bcf\u5f53 ldap \u670d\u52a1\u5668\u4e0a\u505a\u51fa\u4fee\u6539\u7684\u65f6\u5019\u9700\u8981\u5728 mirrors \u4e0a\u6267\u884c\uff0c\u6e05\u9664\u6307\u5b9a\u7c7b\u578b\u7684\u7f13\u5b58(\u76ee\u524d mirrors \u670d\u52a1\u5668\u6682\u672a\u914d\u7f6e LDAP \u8ba4\u8bc1\u3002)

    nscd -i passwd\nnscd -i group\n

    \u53c2\u8003\uff1ahttps://wiki.debian.org/LDAP/NSS

    "},{"location":"infrastructure/ldap/#ldap-cli","title":"LDAP CLI \u5de5\u5177\u4f7f\u7528\u8bf4\u660e","text":"

    \u8fd9\u91cc\u4ee5 ldappasswd \u4e3a\u4f8b\uff0c\u5176\u4f59 ldap \u7cfb\u5217\u6307\u4ee4\u4e0e\u5176\u5927\u81f4\u76f8\u540c\uff1a

    LDAP \u5229\u7528 dn \u6765\u5b9a\u4f4d\u4e00\u4e2a\u7528\u6237\uff0c\u4ee5\u4e0b\u6307\u4ee4\u53ef\u4ee5\u5217\u51fa\u6240\u6709\u7528\u6237\u53ca\u5176 dn\uff1a

    ldapsearch -x -LLL uid=* uid\n

    -x \u6307\u5b9a\u4f7f\u7528 Simple authentication\uff0c\u5373\u4f7f\u7528\u5bc6\u7801\u8ba4\u8bc1\u3002

    \u5982\u679c\u8981\u4fee\u6539\u4e00\u4e2a\u7528\u6237\u7684\u5bc6\u7801\uff0c\u4f7f\u7528\uff1a

    ldappasswd -x -D '<executor dn>' -W -S '<target user dn>'\n

    -D '<executor dn>' \u6307\u5b9a\u4e86\u6267\u884c\u8005\u7684\u8eab\u4efd\uff0c-W/-S \u6307\u5b9a\u4e86\u63a5\u4e0b\u6765\u8be2\u95ee\u6267\u884c\u8005/\u76ee\u6807\u7528\u6237\u7684\u5bc6\u7801/\u65e7\u5bc6\u7801\u3002

    \u9700\u8981\u989d\u5916\u6ce8\u610f\u7684\u662f\uff0c\u5728 CLI \u4e2d\u6dfb\u52a0/\u5220\u9664\u7528\u6237\u6216\u66f4\u6539\u7528\u6237\u5bc6\u7801\u65f6\u9700\u8981\u4ee5 LDAP admin \u6267\u884c\uff0c\u5426\u5219\u4f1a\u6709\u62a5\u9519\uff1a

    Insufficient access (50) additional info: no write access to parent\n

    \u6216\u662f\u5176\u4ed6\u7684\u6743\u9650\u4e0d\u8db3\u7684\u9519\u8bef\u3002

    "},{"location":"infrastructure/ldap/#_4","title":"\u90e8\u7f72\u60c5\u51b5","text":"

    \u76ee\u524d\u6240\u6709\u670d\u52a1\u5668\u5747\u5df2\u90e8\u7f72 LDAP

    "},{"location":"infrastructure/ldap/#ldap-known-gids","title":"\u5df2\u77e5\u7684 GID","text":"

    GID \u4fe1\u606f\u5df2\u8fc7\u65f6\uff0c\u4ee5 LDAP \u5b9e\u9645\u914d\u7f6e\u4e3a\u51c6\u3002

    GID \u540d\u79f0 \u8bf4\u660e 2001 ldap_users \u6240\u6709\u7528\u6237\u90fd\u5728\u8fd9\u4e2a\u7ec4\u91cc 1001 ssh_docker2 - 2013 ssh_bbs - 2014 ssh_linode - 2101 ssh_ldap - 2102 ssh_blog - 2103 ssh_dns - 2104 ssh_gitlab - 2105 ssh_lug - 2106 ssh_vpn - 2107 ssh_mirrors - 2108 ssh_pxe - 2109 ssh_freeshell - 2110 ssh_backup - 2112 ssh_vmnfs - 2113 ssh_homepage - 2201 sudo_ldap - 2202 sudo_blog - 2203 sudo_dns - 2204 sudo_gitlab - 2205 sudo_lug - 2206 sudo_vpn - 2207 sudo_mirrors - 2208 sudo_pxe - 2209 sudo_freeshell - 2210 sudo_backup - 2212 sudo_vmnfs - 2213 sudo_homepage - 2000 super_manager - 2999 nologin \u4e0d\u786e\u5b9a\u8fd9\u4e2a\u7ec4\u6709\u6ca1\u6709\u7528

    \u6ce8\u610f\u4e8b\u9879

    LDAP \u914d\u7f6e\u5b8c\u6210\u540e\uff0c\u52a1\u5fc5\u786e\u8ba4 sshd_config \u5df2\u7ecf\u9650\u5236\u4e86\u516c\u7f51\u767b\u5f55\u3002

    \u672c\u6587\u6863\u539f\u59cb\u7248\u672c\u590d\u5236\u81ea LUG wiki\uff0c\u7531\u5f20\u5149\u5b87\u3001\u5d14\u704f\u3001\u6731\u665f\u83c1\u3001\u5de6\u683c\u975e\u64b0\u5199\u3002

    "},{"location":"infrastructure/mail/","title":"Mail Agent","text":"

    \u53ef\u4ee5\u914d\u7f6e\u673a\u5668\u901a\u8fc7 mail.ustclug.org \u53d1\u4ef6\uff0c\u5b9e\u73b0\u8b66\u62a5\u7684\u90ae\u4ef6\u63d0\u9192\uff08\u6536\u4ef6\u4eba\u8bbe\u7f6e\u4e3a alert AT ustclug DOT org\uff09\u3002\u914d\u7f6e\u65f6\u9700\u8981\u5728 mail.s.ustclug.org \u4e0a\u8bbe\u7f6e postfix \u767d\u540d\u5355\u3002

    "},{"location":"infrastructure/mail/#_1","title":"\u5e38\u7528\u547d\u4ee4","text":"

    \u4ece\u961f\u5217\u4e2d\u5220\u9664\u90ae\u4ef6\uff1asudo postsuper -d <\u90ae\u4ef6 ID>\uff08\u90ae\u4ef6 ID \u53ef\u4ee5\u65e5\u5fd7\u4e2d\u770b\u5230\uff09

    \u66f4\u65b0 virtual \u8868\u6620\u5c04\uff1asudo postmap /etc/postfix/virtual \u540e\u91cd\u542f postfix \u670d\u52a1\u3002

    "},{"location":"infrastructure/mail/#mailustclugorg-dkim","title":"mail.ustclug.org \u7684 DKIM \u7b7e\u540d","text":"

    \u7f16\u8f91 /etc/opendkim/TrustedHosts\uff0c\u6dfb\u52a0\u5185\u90e8\u670d\u52a1\u5bf9\u5e94\u7684 IP\uff08\u6bb5\uff09\u5230\u5176\u4e2d\uff0c\u5e76 reload opendkim \u5373\u53ef\u3002

    "},{"location":"infrastructure/monitor/","title":"\u76d1\u63a7\u7cfb\u7edf\u4f7f\u7528\u53ca\u914d\u7f6e\u8bf4\u660e","text":"

    \u76d1\u63a7\u7cfb\u7edf\u7531\u4ee5\u4e0b\u51e0\u4e2a\u7ec4\u4ef6\u7ec4\u6210\uff1a

    "},{"location":"infrastructure/monitor/#configure-influxdb","title":"Configure InfluxDB","text":"

    \u7279\u522b\u6ce8\u610f \uff1aInfluxDB \u9ed8\u8ba4\u6ca1\u6709\u5f00\u542f\u8ba4\u8bc1\u3002

    \u9996\u6b21\u8fd0\u884c\u65f6\uff0c\u521b\u5efa\u597d\u7ba1\u7406\u8d26\u53f7\uff08admin\uff09\uff0c\u53ea\u8bfb\u8d26\u53f7\uff08grafana\uff09\u548c\u5199\u5165\u8d26\u53f7\uff08telegraf\uff09\u3002

    \u7136\u540e\u4fee\u6539\u4f4d\u4e8e /srv/docker/influxdb/conf/influxdb.conf \u7684\u914d\u7f6e\uff0c\u4fee\u6539\u4ee5\u542f\u7528\u8ba4\u8bc1\uff1a

    /srv/docker/influxdb/conf/influxdb.conf
    [http]\n# ...\n# Determines whether HTTP authentication is enabled.\nauth-enabled = true\n

    \u6b64\u5916\uff0c\u53c2\u8003 https://docs.influxdata.com/influxdb/v1.8/administration/authentication_and_authorization/#set-up-authentication\uff0c\u8003\u8651\u5173\u95ed\u90e8\u5206\u529f\u80fd\uff1a

    /srv/docker/influxdb/conf/influxdb.conf
    [http]\n# Determines whether the pprof endpoint is enabled.  This endpoint is used for\n# troubleshooting and monitoring.\npprof-enabled = false\n
    "},{"location":"infrastructure/monitor/#install-telegraf","title":"Install telegraf","text":"

    \u5b89\u88c5\u65b9\u6cd5\u89c1 https://docs.influxdata.com/telegraf/v1.21/introduction/installation/

    \u4e00\u4e2a\u5178\u578b\u7684\u5b89\u88c5\u547d\u4ee4\u662f\uff1a

    wget https://dl.influxdata.com/telegraf/releases/telegraf_1.21.2-1_amd64.deb\nsudo dpkg -i telegraf_1.21.2-1_amd64.deb\n

    \u66f4\u52a0\u63a8\u8350\u7684\u505a\u6cd5\u662f\u52a0\u5165\u8f6f\u4ef6\u6e90\u540e\u5b89\u88c5

    curl -sL https://repos.influxdata.com/influxdb.key | sudo gpg --dearmor -o /usr/share/keyrings/influxdb.gpg\necho \"deb [signed-by=/usr/share/keyrings/influxdb.gpg] https://mirrors.ustc.edu.cn/influxdata/debian buster stable\" | sudo tee /etc/apt/sources.list.d/influxdb.list\nsudo apt-get update && sudo apt-get install telegraf\n
    "},{"location":"infrastructure/monitor/#configure-telegraf","title":"Configure telegraf","text":"

    \u914d\u7f6e\u6587\u4ef6\u5728 /etc/telegraf/ \u76ee\u5f55\u4e0b\uff0c\u7528 root \u6743\u9650\u4fee\u6539\uff1a

    \u5728 /etc/telegraf/telegraf.d/ \u4e0b\u589e\u52a0 net.conf \u7528\u6765\u5f00\u542f\u7f51\u7edc\u76d1\u63a7\uff0c\u5185\u5bb9\u5982\u4e0b\uff1a

    /etc/telegraf/telegraf.d/net.conf
    [[inputs.net]]\n

    \u5728 /etc/telegraf/telegraf.conf \u4e2d\u7684[[outputs.influxdb]] \u4e2d\u589e\u52a0 influxdb \u7684\u5730\u5740\uff1a

    /etc/telegraf/telegraf.conf
    [[outputs.influxdb]]\n  urls = [\"http://influxdb.ustclug.org:8086\"]\n  username = \"${INFLUX_USERNAME}\"\n  password = \"${INFLUXDB_PASSWORD}\"\n

    \u5176\u4e2d INFLUX_USERNAME \u548c INFLUXDB_PASSWORD \u5e94\u4f7f\u7528\u5bf9 telegraf \u6570\u636e\u5e93\u5199\u6743\u9650\u7684\u8d26\u53f7\uff0c\u5426\u5219\u65e0\u6cd5\u5199\u5165\u6570\u636e\u3002

    \u914d\u7f6e\u5b8c\u6210\u4e4b\u540e\uff0c\u91cd\u542f telegraf \u670d\u52a1\uff0c\u5e76\u786e\u4fdd\u670d\u52a1\u8fd0\u884c\u6b63\u5e38\u3002

    sudo systemctl restart telegraf\nsudo systemctl status telegraf\n

    \u5efa\u8bae\u5728\u88ab\u76d1\u63a7\u673a\u5668\u4e0a\u914d\u7f6e NTP\uff08\u53ef\u4ee5\u4f7f\u7528 systemd-timesyncd\uff0c\u8bbe\u7f6e NTP \u670d\u52a1\u5668\u4e3a time.ustc.edu.cn\uff09\uff0c\u4ee5\u907f\u514d\u65f6\u95f4\u4e0d\u540c\u6b65\u53ef\u80fd\u5e26\u6765\u7684\u95ee\u9898\u3002

    "},{"location":"infrastructure/monitor/#web","title":"Web","text":"

    Web \u7aef\u76d1\u63a7\u4f4d\u4e8e https://monitor.ustclug.org\uff0c\u8d26\u53f7\u7cfb\u7edf\u4f7f\u7528 LDAP\uff0c\u53ef\u4ee5\u5728\u8fd9\u91cc\u8bbe\u7f6e\u9884\u8b66\u63d0\u793a\u7b49\u3002

    Warning

    \u914d\u7f6e InfluxDB \u6570\u636e\u6e90\u65f6\uff0c\u53ea\u80fd\u4f7f\u7528\u53ea\u8bfb\u8d26\u53f7\uff0c\u5426\u5219\u4f1a\u5e26\u6765\u4e25\u91cd\u7684\u5b89\u5168\u95ee\u9898\u3002

    "},{"location":"infrastructure/office/","title":"Office 365","text":""},{"location":"infrastructure/office/#application","title":"\u7533\u8bf7\u65b9\u5f0f","text":"

    \u7406\u8bba\u4e0a\u4efb\u4f55\u793e\u56e2\u8d1f\u8d23\u4eba\u6216\u8005\u5728\u793e\u56e2\u4e2d\u8d1f\u8d23\u91cd\u8981\u9879\u76ee\u7684\u4eba\u5458\u90fd\u53ef\u4ee5\u7533\u8bf7\uff0c\u539f\u5219\u662f\u6309\u9700\u5206\u914d\uff0c\u56e0\u4e3a\u90ae\u7bb1\u662f\u5de5\u4f5c\u5de5\u5177\uff0c\u800c\u4e0d\u662f\u798f\u5229\u8d44\u6e90\u3002

    \u540c\u7406\uff0c\u4e0d\u518d\u62c5\u4efb\u8d1f\u8d23\u4eba\u4e14\u4e0d\u518d\u5904\u7406\u4e8b\u52a1\u7684\u540c\u5b66\u4f7f\u7528\u7684\u90ae\u7bb1\u5e94\u8be5\u6536\u56de\uff08\u89c1\u4e0b\u65b9 \u9ed8\u8ba4\u5730\u5740 \u4e00\u8282\uff09\u3002

    "},{"location":"infrastructure/office/#email-etiquette","title":"\u90ae\u4ef6\u793c\u4eea","text":"

    CC\uff08\u6284\u9001\uff09\u548c\u8bbe\u7f6e\u56de\u590d\u5730\u5740\u7684\u76ee\u7684\u90fd\u662f\u4e3a\u4e86\u8ba9\u6240\u6709 LUG \u8d1f\u8d23\u7684\u540c\u5b66\u53ef\u4ee5\u770b\u5230\u4e8b\u4ef6\u6700\u65b0\u7684\u8fdb\u5c55

    \u6284\u9001\u4f1a\u628a\u4f60\u53d1\u7684\u90ae\u4ef6\u7ed9\u6240\u6709\u7684\u8d1f\u8d23\u4eba\uff1b\u56de\u590d\u5730\u5740\uff08Reply-To\uff09\u8bbe\u7f6e\u4e4b\u540e\uff0c\u5bf9\u65b9\u5c31\u77e5\u9053\u8fd9\u662f\u4f60\u4ee3\u8868 LUG \u5199\u7684\u90ae\u4ef6\uff0c\u5e76\u4e14\u9ed8\u8ba4\u56de\u590d\u90ae\u4ef6\u7684\u65f6\u5019\u5730\u5740\u5c31\u662f\u6240\u6709\u8d1f\u8d23\u4eba\u7684\u90ae\u4ef6\u5217\u8868\u3002\u6240\u4ee5\u4e0b\u6587\u4e2d\u8981\u6c42\u8bbe\u7f6e\u8fd9\u4e9b\u5185\u5bb9\u3002

    \u5982\u679c\u9047\u5230\u9700\u8981\u4ee5\u79c1\u4eba\u8eab\u4efd\uff0c\u6216\u8005\u4ee5\u5176\u4ed6\u975e LUG \u4ee3\u8868\u8d1f\u8d23\u4eba\u7684\u8eab\u4efd\u56de\u590d\u90ae\u4ef6\u7684\u573a\u5408\uff0c\u8bf7\u4fee\u6539\u56de\u590d\u5730\u5740\u4fe1\u606f\u3002\u56e0\u4e3a Outlook \u7f51\u9875\u7248\u4e0d\u4fbf\u4e8e\u4fee\u6539\u8fd9\u4e9b\u5185\u5bb9\uff0c\u5efa\u8bae\u4f7f\u7528\u90ae\u4ef6\u5ba2\u6237\u7aef\u5904\u7406\u3002\uff08\u4e2a\u4eba\u63a8\u8350 ThunderBird\uff09\u3002

    \u5bf9\u4e8e\u9700\u8981\u5411\u975e\u90ae\u4ef6\u5217\u8868\u7684\u4e0d\u7279\u5b9a\u7fa4\u4f53\u7fa4\u53d1\u7684\u90ae\u4ef6\uff08\u4f8b\u5982\u901a\u77e5\u7c7b\u6d88\u606f\uff09\uff0c\u8bf7\u6ce8\u610f\u4e0d\u8981\u5c06\u6240\u6709\u90ae\u7bb1\u90fd\u653e\u5728\u6536\u4ef6\u4eba\u91cc\uff0c\u5426\u5219\u6240\u6709\u6536\u5230\u90ae\u4ef6\u7684\u4eba\u90fd\u80fd\u770b\u5230\u5176\u4ed6\u6536\u4ef6\u4eba\u7684\u90ae\u7bb1\uff08\u9690\u79c1\u95ee\u9898\uff09\uff1b\u5e76\u4e14\u6536\u4ef6\u4eba\u5982\u679c\u56de\u590d\u90ae\u4ef6\u4e0d\u5f53\uff0c\u5176\u4ed6\u7684\u6536\u4ef6\u4eba\u4e5f\u4f1a\u6536\u5230\u5176\u56de\u590d\u3002\u4e00\u79cd\u65b9\u4fbf\u7684\u505a\u6cd5\u662f\uff1a\u5c06\u6240\u6709\u9700\u8981\u6536\u5230\u901a\u77e5\u7684\u6536\u4ef6\u4eba\u653e\u5728\u5bc6\u9001 (BCC)\u4e00\u680f\u4e2d\uff0c\u6536\u4ef6\u4eba\u586b\u5199\u539f\u6284\u9001\u5730\u5740\u3002

    \u6211\u4eec\u52a0\u5165\u4e86\u5f88\u591a\u90ae\u4ef6\u5217\u8868\uff0c\u5176\u4e2d\u7ecf\u5e38\u6709\u5404\u79cd\u5f80\u6765\u90ae\u4ef6\uff08\u7279\u522b\u662f CentOS mirror announcement \u8fd9\u4e2a\u5217\u8868\uff0c\u5df2\u9000\uff09\uff0c\u5b83\u4eec\u5927\u591a\u6570\u4e0d\u9700\u8981\u6211\u4eec\u7406\u4f1a\u3002

    \u603b\u4e4b\uff0c\u4e0d\u77e5\u9053\u600e\u4e48\u5904\u7406\u7684\u90ae\u4ef6\u4e0d\u8981\u8d38\u7136\u56de\u590d\u3002\u5982\u679c\u4f60\u8ba4\u4e3a\u67d0\u4e00\u5c01\u90ae\u4ef6\u9700\u8981\u6211\u4eec\u5904\u7406\u4f46\u4e0d\u77e5\u9053\u600e\u4e48\u5904\u7406\uff0c\u8bf7\u8f6c\u544a\u7ed9\u5176\u4ed6\u76f8\u5173\u540c\u5b66\u3002

    \u4ee5\u4e0b\u5185\u5bb9\u4ece Hypercude \u7f16\u5199\u7684\u5185\u5bb9\u4e2d\u622a\u53d6\uff1a

    \u56de\u590d\u4efb\u4f55\u90ae\u4ef6\u65f6\uff0c\u8bf7\u6284\u9001 / CC\uff08\u4e0d\u662f\u5bc6\u9001 / BCC\uff09\u7ed9\u539f\u90ae\u4ef6\u7684\u6536\u4ef6\u5730\u5740\uff01\uff08\u6bd4\u5982\u522b\u4eba\u53d1\u5230 lug A ustc.edu.cn \uff0c\u56de\u590d\u65f6\u4e5f\u8bf7 CC \u5230 lug A ustc.edu.cn\uff09

    \u8bf7\u4e0d\u8981\u201c\u53ea\u56de\u590d\u90ae\u4ef6\u201d\u3002\u5982\u679c\u5728\u56de\u590d\u4e2d\u8bf4\u201c\u6211\u4eec\u4f1a\u505a\u67d0\u67d0\u4e8b\u201d\uff0c\u8bf7\u6ce8\u610f\u9664\u975e\u4f60\u660e\u786e\u8f6c\u4ea4\u7ed9\u4e86\u522b\u4eba\uff0c\u8fd9\u4ef6\u4e8b\u5e94\u5f53\u7531\u4f60\u6765\u5b8c\u6210\u3002

    "},{"location":"infrastructure/office/#email-signature","title":"\u90ae\u4ef6\u7b7e\u540d","text":"

    Outlook \u65e0\u6cd5\u76f4\u63a5\u901a\u8fc7\u7f51\u9875\u7aef\u6dfb\u52a0\u53d1\u4ef6\u4eba\u540d\u79f0\u3001\u8bbe\u7f6e\u56de\u590d\u5730\u5740\uff0c\u56e0\u6b64\u53ea\u80fd\u901a\u8fc7\u90ae\u4ef6\u5ba2\u6237\u7aef\u8fdb\u884c\u4f7f\u7528\u3002\u5728\u4e0b\u4e00\u7ae0\u8282\u7684 Thunderbird \u4e2d\u8fdb\u884c\u8be6\u7ec6\u9610\u8ff0\u3002

    "},{"location":"infrastructure/office/#thunderbird","title":"Thunderbird \u914d\u7f6e","text":""},{"location":"infrastructure/office/#tb-login","title":"\u767b\u5f55","text":"

    \u5728\u767b\u5f55\u65f6\uff0c\u8f93\u5165\u4e86\u7528\u6237\u540d\u3001\u5bc6\u7801\u540e\uff0c\u4f1a\u663e\u793a\u65e0\u6cd5\u627e\u5230\u5bf9\u5e94\u7684\u90ae\u7bb1\u914d\u7f6e

    \u8fdb\u884c\u5982\u4e0b\u7684\u624b\u52a8\u914d\u7f6e\uff1a

    \u5982\u4e0b\u56fe\uff1a

    \u7136\u540e\u70b9\u5de6\u4e0b\u89d2\u7684 Re-test\uff0c\u91cd\u65b0\u641c\u7d22\u5230\u914d\u7f6e\u540e\uff0c\u5728\u4e24\u4e2a Authentication method \u4e2d\u5747\u9009\u62e9 OAuth2\u3002

    \u7136\u540e\u70b9 Done\u3002\u5728\u5f39\u51fa\u7684\u7a97\u53e3\u4e2d\u5b8c\u6210\u8ba4\u8bc1\u3002

    "},{"location":"infrastructure/office/#tb-signature","title":"\u7b7e\u540d\u4e0e\u53d1\u4ef6\u8eab\u4efd","text":"

    \u5728\u53f3\u4e0a\u89d2\u4e2d\u9009\u62e9\u8d26\u6237\u8bbe\u7f6e\uff0c\u5728\u9ed8\u8ba4\u8eab\u4efd\u4e2d

    \u7ed3\u679c\u5982\u56fe\uff1a

    "},{"location":"infrastructure/office/#tb-folders","title":"\u6587\u4ef6\u5939","text":"

    Thunderbird \u7ef4\u62a4\u4e86\u81ea\u5df1\u7684\u6587\u4ef6\u5939\uff0c\u5982\u679c\u9700\u8981\u4e0e\u4e91\u7aef\u7684\u6587\u4ef6\u5939\u540c\u6b65\uff0c\u53ef\u4ee5\u8fdb\u884c\u5982\u4e0b\u64cd\u4f5c

    \u5728\u8d26\u6237\u4e0a\u53f3\u952e\uff0c\u5728\u5f39\u51fa\u7684\u83dc\u5355\u4e2d\u70b9\u51fb Subscribe\u3002\u5f39\u51fa\u7684\u7a97\u53e3\u4e2d\u5305\u542b\u4e86\u4e91\u7aef\u7684\u6587\u4ef6\u5939\uff0c\u7531\u4e8e Thunderbird \u4f1a\u81ea\u884c\u7ef4\u62a4\u5783\u573e\u7bb1\u548c\u5df2\u53d1\u90ae\u4ef6\uff0c\u56e0\u6b64\u53ef\u80fd\u4f1a\u6709\u4e24\u4e2a\u5783\u573e\u7bb1\uff0cDeleted Items \u548c Trash\uff0c\u53ef\u4ee5\u5728\u7f51\u9875\u7aef\u5220\u9664\u4e0d\u9700\u8981\u7684\u6587\u4ef6\u5939\uff0c\u5e76\u5728 Thunderbird \u4e2d\u9009\u62e9\u9700\u8981\u7684\u3002

    \u7136\u540e\u6253\u5f00\u8d26\u6237\u8bbe\u7f6e\uff0c\u8fdb\u884c\u5982\u4e0b\u4fee\u6539

    1. \u5728 Server Settings \u4e0b\uff0c\u4fee\u6539 When I delete a message \u4e3a Move it to this folder: Deleted Items

    2. \u5728 Copies & Folders \u4e0b\uff0c\u4fee\u6539 Place a copy\u3001Keep message archives in\u3001Keep draft messages in \u4e3a\u5bf9\u5e94\u7684\u8fdc\u7aef\u670d\u52a1\u5668\u6587\u4ef6\u5939

    "},{"location":"infrastructure/office/#tb-junk","title":"\u5783\u573e\u90ae\u4ef6","text":"

    Outlook \u4e91\u7aef\u5df2\u7ecf\u5e26\u6709\u4e86\u5783\u573e\u90ae\u4ef6\u5206\u7c7b\u529f\u80fd\uff0c\u4e0d\u9700\u8981 Thunderbird \u81ea\u5df1\u7684\u5783\u573e\u90ae\u4ef6\u5206\u7c7b\u529f\u80fd\u3002

    \u5728\u8d26\u6237\u8bbe\u7f6e\u7684 Local Folders \u4e0b\u7684 Junk Settings \u4e2d\uff0c\u53d6\u6d88\u9009\u4e2d Enable adaptive junk mail controls for this account\u3002

    \u8bf7\u5728\u4e0a\u9762\u7684 Subscribe \u4e2d\u5c06\u5783\u573e\u90ae\u4ef6\u9009\u4e2d\u4ee5\u540c\u6b65\u3002\u6b64\u5916\uff0c\u7531\u4e8e Outlook \u76ee\u524d\u4f1a\u5c06\u51e0\u4e4e\u6240\u6709\u90ae\u4ef6\u90fd\u6254\u8fdb\u5783\u573e\u90ae\u4ef6\u7bb1\uff08\u539f\u56e0\u4f3c\u4e4e\u662f M365 \u7684\u673a\u5668\u5b66\u4e60\u6a21\u578b\u4f1a\u628a\u6240\u6709\u79d1\u5927\u7684\u90ae\u4ef6\u6254\u8fdb\u5783\u573e\u7bb1\uff09\uff0c\u56e0\u6b64\u8bbe\u7f6e\u62c9\u53d6\u90ae\u4ef6\u65f6\u603b\u662f\u68c0\u67e5\u5783\u573e\u90ae\u4ef6\u7bb1\u3002\u8bbe\u7f6e\u65b9\u6cd5\u4e3a\u5728\u5783\u573e\u90ae\u4ef6\u76ee\u5f55\u4e0a\u70b9\u51fb\u53f3\u952e \u2192 \u5c5e\u6027\uff0c\u7136\u540e\u9009\u62e9\u8fd9\u91cc\u7b2c\u4e8c\u4e2a\u52fe\uff1a

    \u6ce8\u610f

    \u4e0d\u8981\u67e5\u770b\u5783\u573e\u90ae\u4ef6\u7684\u8fdc\u7a0b\u5185\u5bb9\u3002\u4e0d\u8981\u56de\u590d\u5783\u573e\u90ae\u4ef6\u3002\u6b63\u5e38\u90ae\u4ef6\u9700\u8981\u624b\u52a8\u79fb\u52a8\u5230\u6536\u4ef6\u7bb1\u3002

    "},{"location":"infrastructure/office/#tb-profiles","title":"\u4f7f\u7528 Thunderbird \u914d\u7f6e\u4e0d\u540c\u7684\u8eab\u4efd","text":"

    (written by taoky)

    \u5728\u67d0\u4e9b\u60c5\u51b5\u4e0b\uff0c\u9700\u8981\u8bbe\u7f6e\u65b0\u7684\u53d1\u4ef6\u4eba\u540d\u79f0\u548c\u56de\u590d\u5730\u5740\uff08\u4f8b\u5982 hackergame staff \u9700\u8981\u4e00\u5957\u4e0d\u540c\u7684\u8bbe\u7f6e\uff09\u3002\u7531\u4e8e Gmail \u7f51\u9875\u7aef\u4fee\u6539\u914d\u7f6e\u5f88\u9ebb\u70e6\uff08\u800c\u4e14\u5f88\u5bb9\u6613\u5fd8\u8bb0\u6539\u56de\u6765\uff09\uff0c\u5f3a\u70c8\u5efa\u8bae\u4f7f\u7528\u90ae\u4ef6\u5ba2\u6237\u7aef\u3002\u4e2a\u4eba\u4f7f\u7528\u7684\u662f Thunderbird\uff0c\u4e0b\u9762\u4e5f\u4ee5\u5b83\u4e3a\u4f8b\u5b50\u3002

    \u5728\u8d26\u53f7\u52a0\u4e0a\u90ae\u7bb1\u4e4b\u540e\uff0c\u70b9\u51fb\u53f3\u952e \u2192 \u5c5e\u6027\uff0c\u9ed8\u8ba4\u914d\u7f6e\uff08LUG Staff\uff09\u5982\u56fe\uff1a

    \u9700\u8981\u6dfb\u52a0\u65b0\u8eab\u4efd\u65f6\uff0c\u70b9\u51fb\u53f3\u4e0b\u89d2\u300c\u7ba1\u7406\u6807\u8bc6\u300d\uff0c\u6dfb\u52a0\u5bf9\u5e94\u7684\u6807\u8bc6\u3002\u5bf9\u4e8e hackergame\uff0c\u53ef\u4ee5\u914d\u7f6e\u5982\u4e0b\uff1a

    \u914d\u7f6e\u5b8c\u6210\u540e\uff0c\u5728\u7f16\u5199\u90ae\u4ef6\u65f6\uff0c\u5c31\u53ef\u4ee5\u9009\u62e9\u65b0\u7684\u6807\u8bc6\u4e86\uff0c\u5e76\u4e14\u53d1\u4ef6\u4eba\u540d\u79f0\u3001\u56de\u590d\u5730\u5740\u548c\u7b7e\u540d\u90fd\u4f1a\u81ea\u52a8\u8bbe\u7f6e\u597d\uff08\u6284\u9001\u8fd8\u662f\u8981\u81ea\u5df1\u8bbe\u7f6e\uff0c\u522b\u5fd8\u4e86\uff01\uff09

    \u4f7f\u7528 Thunderbird \u914d\u7f6e\u5b66\u6821\u90ae\u7bb1\u9700\u8981\u7684\u989d\u5916\u8bbe\u7f6e

    james: \"thunderbird\u67d0\u6b21\u5347\u7ea7\u540e\u51fa\u4e86\u4e00\u4e2abug\uff0c\u8fde\u63a5\u65f6\u670d\u52a1\u5668\u8fd4\u56de\u652f\u6301utf8\uff0ctb\u53d1\u4e86\u4e00\u4e2a\u547d\u4ee4enable utf8\uff0c\u670d\u52a1\u5668\u6b63\u5e38\u8fd4\u56de\u540e\uff0ctb\u6709bug\u8ba4\u4e3a\u4e00\u76f4\u5728\u7b49\u670d\u52a1\u5668\u5e94\u7b54\u3002\"

    \u6240\u4ee5\u5982\u679c\u9700\u8981\u4f7f\u7528 Thunderbird \u4ece mail.ustc.edu.cn \u6536\u53d1\u90ae\u4ef6\uff0c\u9700\u8981\u505a\u4ee5\u4e0b\u7684\u914d\u7f6e\uff1aEdit -> Settings\uff0c\u5728 \"General\" \u4e2d\u62d6\u5230\u6700\u4e0b\u9762\u9009\u62e9 \"Config Editor...\"\u3002\u5728\u65b0\u5f39\u51fa\u7684\u9ad8\u7ea7\u914d\u7f6e\u7684\u6807\u7b7e\u4e2d\u8f93\u5165 utf8\uff0c\u5c06 mail.server.default.allow_utf8_accept \u7684\u503c\u4ece true \u6539\u6210 false\u3002\u8fd9\u4e2a\u8bbe\u7f6e\u4e0d\u4f1a\u5f71\u54cd\u5176\u4ed6\u90ae\u7bb1\u7684\u4f7f\u7528\u3002

    "},{"location":"infrastructure/office/#gmail","title":"Gmail","text":"

    Warning

    \u7531\u4e8e Google \u5c06 G Suite \u5168\u9762\u8f6c\u5411\u4ed8\u8d39\u670d\u52a1\uff0c\u6211\u4eec\u5df2\u5728 2022 \u5e74 3 \u6708 31 \u65e5\u540e\u505c\u6b62\u4f7f\u7528 G Suite \u76f8\u5173\u670d\u52a1\u3002\u8f6c\u5411 Office 365 \u63d0\u4f9b\u7684\u670d\u52a1\u3002\u4ee5\u4e0b\u5185\u5bb9\u4ec5\u4f5c\u4e3a\u5b58\u6863\u4e0e\u53c2\u8003

    \u4ee5\u4e0b\u539f\u6587\u7531 Hypercube \u7f16\u5199

    \u5927\u5bb6\u597d\uff0c

    \u8bf7\u5404\u4f4d\u9605\u8bfb\u4e0b\u65b9\u5185\u5bb9\uff0c\u5e76\u6309\u6307\u793a\u914d\u7f6e\u81ea\u5df1\u7684\u90ae\u7bb1\uff1a

    \u767b\u5f55\u7f51\u9875\u7248 Gmail\uff0c\u5728\u53f3\u4e0a\u89d2\u70b9\u5f00\u8bbe\u7f6e\uff0c\u4e8e\u201c\u5e38\u89c4\u201d\u6807\u7b7e\u9875\u4e2d\u8bbe\u7f6e\u201c\u7b7e\u540d\u201d\u4e3a\u7eaf\u6587\u672c\u5982\u4e0b\u5185\u5bb9\uff08\u5171 5 \u884c\uff0c\u5c06\u6700\u540e\u4e00\u884c\u6362\u6210\u81ea\u5df1\u7684\u4fe1\u606f\uff09\uff1a

    Linux User Group University of Science and Technology of China Homepage: https://lug.ustc.edu.cn/ E-Mail: lug@ustc.edu.cn Zibo Wang (\u738b\u5b50\u535a) <example@ustclug.org>

    \u4e8e\u201c\u8d26\u53f7\u201d\u6807\u7b7e\u9875\u4e2d\u201c\u7528\u8fd9\u4e2a\u5730\u5740\u53d1\u9001\u90ae\u4ef6\u201d\u5185\u70b9\u201c\u4fee\u6539\u4fe1\u606f\u201d\uff0c\u5728\u5f39\u51fa\u7a97\u53e3\u4e2d\u8f93\u5165\u540d\u79f0\u201cZibo Wang on behalf of USTC LUG\u201d\uff08\u8bf7\u6362\u6210\u81ea\u5df1\u7684\u540d\u5b57\uff09\uff0c\u8f93\u5165\u56de\u590d\u5730\u5740\u201clug@ustc.edu.cn\u201d\u3002

    \u8fd8\u53ef\u4ee5\u89c6\u81ea\u5df1\u9700\u8981\u5728\u201c\u8f6c\u53d1\u548c POP / IMAP\u201d\u6807\u7b7e\u9875\u4e2d\u914d\u7f6e\u81ea\u52a8\u8f6c\u53d1\uff0c\u4f46\u8bf7\u6ce8\u610f\uff0c\u5982\u679c\u4f60\u914d\u7f6e\u4e86\u8f6c\u53d1\u5230\u81ea\u5df1\u7684\u5e38\u7528\u90ae\u7bb1\uff0c\u8bf7\u4e0d\u8981\u76f4\u63a5\u4ece\u5e38\u7528\u90ae\u7bb1\u56de\u590d\u90ae\u4ef6\uff0c\u800c\u5e94\u8be5\u767b\u5f55 LUG \u90ae\u7bb1\u56de\u590d\u3002 \u56de\u590d\u4efb\u4f55\u90ae\u4ef6\u65f6\uff0c\u8bf7\u6284\u9001 / CC\uff08\u4e0d\u662f\u5bc6\u9001 / BCC\uff09\u7ed9\u539f\u90ae\u4ef6\u7684\u6536\u4ef6\u5730\u5740\uff01\uff08\u6bd4\u5982\u522b\u4eba\u53d1\u5230 lug A ustc.edu.cn \uff0c\u56de\u590d\u65f6\u4e5f\u8bf7 CC \u5230 lug A ustc.edu.cn\uff09

    \u8bf7\u4e0d\u8981\u201c\u53ea\u56de\u590d\u90ae\u4ef6\u201d\u3002\u5982\u679c\u5728\u56de\u590d\u4e2d\u8bf4\u201c\u6211\u4eec\u4f1a\u505a\u67d0\u67d0\u4e8b\u201d\uff0c\u8bf7\u6ce8\u610f\u9664\u975e\u4f60\u660e\u786e\u8f6c\u4ea4\u7ed9\u4e86\u522b\u4eba\uff0c\u8fd9\u4ef6\u4e8b\u5e94\u5f53\u7531\u4f60\u6765\u5b8c\u6210\u3002

    \u5728\u6dfb\u52a0\u4e86\u7b7e\u540d\u540e\uff0c\u5728\u4e0b\u9762\u7684\u201c\u9ed8\u8ba4\u7b7e\u540d\u8bbe\u7f6e\u201d\u4e2d\uff0c\u5c06\u201c\u7528\u4e8e\u65b0\u7535\u5b50\u90ae\u4ef6\u201d\u4ee5\u53ca\u201c\u7528\u4e8e\u56de\u590d/\u8f6c\u53d1\u201d\u5747\u9009\u62e9\u4e3a\u4e0a\u9762\u6dfb\u52a0\u7684\u7b7e\u540d\u3002

    \u8bb0\u5f97\u6eda\u52a8\u5230\u9875\u9762\u6700\u4e0b\u65b9\u70b9\u51fb\u201c\u4fdd\u5b58\u9875\u9762\u201d\uff01

    "},{"location":"infrastructure/office/#lug-ustc-mailing-list","title":"\u52a0\u5165 lug @ ustc \u5217\u8868","text":"

    \u82e5\u8981\u6536\u5230\u53d1\u5f80 lug A ustc.edu.cn \u7684\u90ae\u4ef6\uff0c\u9700\u8981\u5728 \u7fa4\u7ec4\u7ba1\u7406 \u8fd9\u91cc\u5c06\u7528\u6237\u52a0\u5165 USTC LUG Staff \u7ec4\u3002\u8fd9\u4e2a\u7fa4\u7ec4\u5c31\u662f lug \u548c mirrors \u5728\u5b66\u6821\u90ae\u7bb1\u8bbe\u7f6e\u7684\u8f6c\u53d1\u76ee\u6807\u3002

    "},{"location":"infrastructure/office/#default-route","title":"\u8bbe\u7f6e\u9ed8\u8ba4\u5730\u5740","text":"

    G Suite \u652f\u6301\u5c06\u5355\u4e2a\u5730\u5740\u8bbe\u4e3a\u201c\u9ed8\u8ba4\u5730\u5740\u201d\uff0c\u7528\u4e8e\u63a5\u53d7\u53d1\u5f80\u4e0d\u5b58\u5728\u7684\u5730\u5740\u7684\u90ae\u4ef6\u3002

    \u53c2\u8003\u8d44\u6599\uff1ahttps://support.google.com/a/answer/2368153

    \u5bf9\u4e8e\u4e2d\u6587\u754c\u9762\uff0c\u5e94\u8be5\u4ece Google Admin \u63a7\u5236\u53f0\u6309\u987a\u5e8f\u9009\u62e9 \u5e94\u7528 \u2192 G Suite \u2192 Gmail \u2192 \u9ad8\u7ea7\u8bbe\u7f6e\uff0c\u5176\u4e2d\u7684 \u65e0\u9650\u522b\u540d\u5730\u5740 \u5c31\u662f\u8fd9\u4e2a\u9009\u9879\uff0c\u4e00\u822c\u53d1\u7ed9\u4f1a\u957f\u6216 CTO\u3002

    "},{"location":"infrastructure/raid/","title":"RAID","text":""},{"location":"infrastructure/raid/#megaraid","title":"MegaRAID \u5e38\u7528\u547d\u4ee4","text":"

    MegaRAID \u6e90\u91cc\u6ca1\u6709\uff0c\u9700\u8981\u4ece\u5b98\u7f51\u4e0b\u8f7d RPM \u5305\u540e\u624b\u52a8\u89e3\u538b\u3002Debian 10 \u5b89\u88c5 libncurses5 \u540e\u53ef\u4f7f\u7528\u3002

    sudo /opt/MegaRAID/MegaCli/MegaCli64 -adpallinfo -aAll  # \u67e5\u770b\u6240\u6709\u4fe1\u606f\nsudo /opt/MegaRAID/MegaCli/MegaCli64 -pdlist -aall  # \u67e5\u770b\u7269\u7406\u76d8\u4fe1\u606f\n
    "},{"location":"infrastructure/raid/#_1","title":"\u76d1\u63a7","text":"

    \u73b0\u5728\u90e8\u7f72\u7684\u65b9\u6848\u662f\u7531 telegraf \u6267\u884c\u89e3\u6790\u811a\u672c\uff0c\u5c06\u6570\u636e\u53d1\u9001\u5230 influxdb\uff0c\u7531 grafana \u62a5\u8b66\u3002

    \u811a\u672c\uff1a

    "},{"location":"infrastructure/raid/#esxi","title":"ESXi","text":"

    https://docs.broadcom.com/docs-and-downloads/raid-controllers/raid-controllers-common-files/8-07-07_MegaCLI.zip

    ESXi 5 \u7684 binary \u548c ESXi 6.0 \u517c\u5bb9\u3002

    esxcli software vib install -v=/tmp/vmware-esx-MegaCli-8.07.07.vib --no-sig-check\n

    \u7136\u540e\u8fdb\u5165 /opt/lsi/MegaCLI \u76ee\u5f55\u6267\u884c MegaCli.

    "},{"location":"infrastructure/raid/#ssacli-hpe-smart-array","title":"ssacli (HPE Smart Array)","text":"

    pve-6 \u7684 RAID \u65b9\u6848\u662f HPE Smart Array\u3002\u5bf9\u5e94\u4f7f\u7528\u65b9\u6cd5\u53ef\u4ee5\u53c2\u8003 https://gist.github.com/mrpeardotnet/a9ce41da99936c0175600f484fa20d03\u3002

    \u5bf9\u5e94\u4e3b\u673a\u9700\u8981\u5b89\u88c5 https://downloads.linux.hpe.com/SDR/repo/mcp/Debian/pool/non-free/ssacli-5.30-6.0_amd64.deb\uff08HPE \u6e90\u5b9e\u5728\u592a\u6162\u4e86\uff09\u3002

    "},{"location":"infrastructure/sshca/","title":"SSH Certificate Authentication","text":"

    Discussion: SSH \u5347\u7ea7\u5230\u8bc1\u4e66\u767b\u9646\u65b9\u6848\u8ba8\u8bba

    Usage: SSH \u8bc1\u4e66\u8ba4\u8bc1\u7684\u4f7f\u7528\u65b9\u6cd5 (See also: iBug's blog)

    "},{"location":"infrastructure/sshca/#introduction","title":"Introduction","text":"

    An SSH Certificate Authority (CA) is a trusted key pair that issues certificates. It has the same format as a regular SSH private-public key pair (it is, in fact).

    Certificates can be used for authentication on both the server side and the client side. But certificates cannot issue new certificates (i.e. no chains), it is the very difference from X.509 certificate system.

    "},{"location":"infrastructure/sshca/#server-setup","title":"Server setup","text":""},{"location":"infrastructure/sshca/#trustedusercakeys","title":"Configure server to accept client certificates","text":"

    First drop our public key to /etc/ssh/ssh_user_ca:

    /etc/ssh/ssh_user_ca
    ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1Bxw9AXoZvc9HTe5o4f7/qOROcmzvlcO5oofoF3pewtRnhNpcd/DwmxSblqpj/cjLYkE32mSCzMYY8X0CRFyMJsgSIDC4i4LXDNU0e8PbB2NIQAAeyfJEU5m/Dn1tPw9WvPtPqHCRvgSwnRfzYngMVWROgV2Qe6pOqTTgetEYfb5gkDc2i1M7yfTp3H3ExfrDKwOKPc/9UYOADMFU6u1fJN+4epLETilHC1ubtBeVi23pn1K+LDy06Gwhq1MLljCM7gFBMrmv894HrOHU4WrzLUlfkiDt2cyXLb4qPWYqilBFLUjU92kjmiI/EwB/8pR1WmdU7FoYpdgBHNr3NT53 LUG-CA\n

    Then add the following line to sshd config (Debian 11+):

    /etc/ssh/sshd_config.d/ustclug.conf
    TrustedUserCAKeys /etc/ssh/ssh_user_ca\n

    Old version config (<= Debian 10)

    On Debian 10 (buster) or older, sshd_config does not support the Include directive. Thus any extra setting must be added in the main sshd_config file directly.

    "},{"location":"infrastructure/sshca/#issue-a-server-certificate","title":"Issue a server certificate","text":"

    Warning

    When signing certificates using OpenSSH <= 8.1, add -t rsa-sha2-512 to the ssh-keygen command. More details can be found here: https://ibug.io/p/35

    Note

    Some of our servers may still be running Debian Jessie, which has OpenSSH 6.7 that does not support SHA-2 certificate algorithms (OpenSSH 7.2 required). Sign with -t ssh-rsa instead if you want to log in to such servers.

    January 2022 update: We believe we have got rid of all Jessie systems, so this should no longer be the case.

    Copy the file /etc/ssh/ssh_host_rsa_key.pub from target server.

    Then, run ssh-keygen to issue a public key. For example:

    ssh-keygen -s /path/to/ssh_ca \\\n           -I blog \\\n           -h \\\n           -n blog.s.ustclug.org,blog.p.ustclug.org,10.254.0.15,202.141.176.98,202.141.160.98 \\\n           ssh_host_rsa_key.pub\n

    Then, copy the certificate file ssh_host_rsa_key-cert.pub back to target server.

    At last, add the following lines to sshd config:

    /etc/ssh/sshd_config.d/ustclug.conf
    HostKey /etc/ssh/ssh_host_rsa_key\nHostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub\n

    Warning

    See the same warning block above.

    Certificate will take effect after SSH daemon is reloaded (systemctl reload ssh).

    "},{"location":"infrastructure/sshca/#client-setup","title":"Client setup","text":"

    Add the following line to your known_hosts:

    ~/.ssh/known_hosts
    @cert-authority * ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1Bxw9AXoZvc9HTe5o4f7/qOROcmzvlcO5oofoF3pewtRnhNpcd/DwmxSblqpj/cjLYkE32mSCzMYY8X0CRFyMJsgSIDC4i4LXDNU0e8PbB2NIQAAeyfJEU5m/Dn1tPw9WvPtPqHCRvgSwnRfzYngMVWROgV2Qe6pOqTTgetEYfb5gkDc2i1M7yfTp3H3ExfrDKwOKPc/9UYOADMFU6u1fJN+4epLETilHC1ubtBeVi23pn1K+LDy06Gwhq1MLljCM7gFBMrmv894HrOHU4WrzLUlfkiDt2cyXLb4qPWYqilBFLUjU92kjmiI/EwB/8pR1WmdU7FoYpdgBHNr3NT53 LUG-CA\n

    And when you log in to a LUG server, it is automatically trusted. If you find a machine that does not support this setup, report it to CTO.

    "},{"location":"infrastructure/sshca/#issue-a-client-certificate","title":"Issue a client certificate","text":"
    ssh-keygen -s /path/to/ssh_ca \\\n           -I certificate_identity \\\n           -n principals \\\n          [-O options] \\\n          [-V validity_interval] \\\n           public_key_file\n

    For example:

    ssh-keygen -s /path/to/ssh_ca -I \"Yifan Gao\" -n yifan -V -5m:+365d yifan.pub\n

    In general, certificate_identity is the user's full name, and principals is the system username. The certificate identity is used to identify certificates and is logged in system logs. In addition, one certificate can carry multiply principals, like:

    ssh-keygen -s /path/to/ssh_ca -I \"Yifan Gao\" -n yifan,root,liims -V -5m:+365d yifan.pub\n

    It authorizes the certificate owner to login to any server as yifan, root or liims user.

    Note

    The liims principal is used to log into library inquiry machines.

    Tip

    The validity interval by default starts at the current system time. Using -5m:+365d creates a certificate valid from 5 minutes ago to make up for offset times on other systems. Otherwise it's not much useful to have a validity period starting from a long time ago.

    For security purposes, avoid creating certificates without a defined validity period. It's also recommended to keep validity periods as short as necessary.

    "},{"location":"infrastructure/ssl/","title":"SSL Certificates","text":"

    Discussion: #224

    Our SSL certificates are automatically renewed on GitHub ustclug/ssl-cert ( Private).

    We delegate the subdomain ssl-digitalocean.ustclug.org to DigitalOcean DNS hosting, and use acme.sh DNS alias mode to issue certificates. For this to work, we have the following CNAME records in place:

    _acme-challenge.lug.ustc.edu.cn    ->  lug.ssl-digitalocean.ustclug.org\n_acme-challenge.ustclug.org        ->  lug.ssl-digitalocean.ustclug.org\n_acme-challenge.proxy.ustclug.org  ->  lug.ssl-digitalocean.ustclug.org\n\n_acme-challenge.mirrors.ustc.edu.cn  ->  mirrors.ssl-digitalocean.ustclug.org\n

    Individual machines that use SSL certificates should pull from the said repository (branch cert). Certificates may be loaded via symbolic links (for processes running on the host system directly), or copied around from within the updater script (when there are path constraints, e.g. in a Docker container). The update task is managed by cron.

    Update script for reference:

    /etc/ssl/private/.git/update.sh
    #!/bin/sh\n\ncd \"/etc/ssl/private\"\n\ngit fetch -q\nif [ \"$(git rev-parse HEAD)\" = \"$(git rev-parse '@{u}')\" ]; then\n  exit 0\nfi\ngit reset --hard '@{u}'\n\n# Display certificate dates. This section is optional\nif command -v openssl >/dev/null 2>&1; then\n  echo \"Cert has been updated. New expiry:\"\n  for f in */cert.pem; do\n    echo \"$f:\"\n    openssl x509 -in \"$f\" -noout -dates\n  done\nelse\n  echo \"Cert has been updated.\"\nfi\n\nsystemctl reload openresty.service\n# Other `cp -a` or `docker restart` commands, etc.\n

    The DigitalOcean account we use is owned by iBug and has nothing else running.

    Plan B

    Hurricane Electric provides hosted DNS zones for free, which is also supported by acme.sh. This makes HE DNS a feasible alternative should our current dependency (DigitalOcean) fails.

    "},{"location":"infrastructure/tinc/","title":"Tinc VPN \u914d\u7f6e\u8bf4\u660e","text":"

    Tinc VPN \u662f LUG \u5185\u7f51\u7684\u4e3b\u8981\u6784\u6210\u8f6f\u4ef6\uff0cLDAP \u9700\u8981\u7528\u5230\u5b83\uff08\u56e0\u4e3a ldap \u670d\u52a1\u5668\u662f\u4e2a\u5185\u7f51\u670d\u52a1\u5668\uff09

    "},{"location":"infrastructure/tinc/#_1","title":"\u5b89\u88c5","text":"

    Debian 9+ \u53ef\u4ee5\u76f4\u63a5\u4ece apt \u6e90\u5b89\u88c5 tinc \u5305\u3002

    \u4e0d\u65e9\u8bf4\u8fd9\u73a9\u610f\u6709\u4e2a Git \u4ed3\u5e93\uff1f\uff1fhttps://git.lug.ustc.edu.cn/ustclug/tinc-configure

    \u65e2\u7136\u6709\u4ed3\u5e93\u6240\u4ee5\u8981\u505a\u7684\u4e8b\u60c5\u6bd4\u8f83\u7b80\u5355\uff0c\u8fdb\u5165 /etc/tinc \u76ee\u5f55\u51c6\u5907\u548c Git \u4ed3\u5e93\u540c\u6b65\u914d\u7f6e\uff1a

    git init\ngit remote add origin https://git.lug.ustc.edu.cn/ustclug/tinc-configure.git\ngit fetch origin master\ngit reset --hard FETCH_HEAD\n

    \u6ce8\u610f git reset \u4f1a\u8986\u76d6\u90e8\u5206\u6587\u4ef6\uff0c\u5efa\u8bae\u5728\u5168\u65b0\u5b89\u88c5 tinc \u4e4b\u540e\u8fdb\u884c\u540c\u6b65\u914d\u7f6e\u3002

    \u914d\u7f6e\u5b8c\u6210\u540e\u6267\u884c systemctl enable tinc@ustclug.service \u4f7f tinc \u80fd\u591f\u5f00\u673a\u542f\u52a8\u3002

    "},{"location":"infrastructure/tinc/#_2","title":"\u52a0\u5165\u4e3b\u673a","text":"

    \u9996\u5148\u9700\u8981\u5728\u65b0\u4e3b\u673a\u4e0a\u751f\u6210\u5bc6\u94a5\uff1a

    tincd -n ustclug -K\n

    \u7136\u540e\u5728 /etc/tinc/ustclug/hosts/$HOST \u6700\u540e\u8865\u4e0a\u4e00\u884c\uff1a

    Address = [\u8fd9\u53f0\u673a\u5668\u7684\u516c\u7f51IP]\n

    \u628a\u65b0\u589e\u7684\u8fd9\u4e2a\u6587\u4ef6\u63d0\u4ea4\u8fdb Git \u4ed3\u5e93\uff0c\u5e76\u5728 {ldap,board,gateway-el,gateway-nic}.s.ustclug.org \u7b49\u591a\u53f0\u673a\u5668\u4e0a\u901a\u8fc7 git pull \u66f4\u65b0\uff0c\u5e76 systemctl reload tinc@ustclug.service\u3002

    "},{"location":"infrastructure/tinc/#ip","title":"\u5185\u7f51 IP","text":"

    \u6d4b\u8bd5\u7684\u65f6\u5019\uff0c\u4f60\u53ef\u4ee5\u76f4\u63a5\u901a\u8fc7 ifconfig \u7b49\u65b9\u5f0f\u6307\u5b9a\u4e00\u4e2a\u4e34\u65f6\u7684 IP\uff0c\u6ce8\u610f\u4e0d\u8981\u4e0e\u5df2\u6709\u7684\u5185\u7f51 IP \u51b2\u7a81\uff1a

    ifconfig 10.254.0.xxx/21 ustclug\n

    \u8fd9\u65f6\u5019\u5e94\u8be5\u80fd\u4ece\u5176\u4ed6\u673a\u5668 ping \u901a\u8fd9\u4e2a IP\u3002

    \u6307\u5b9a\u9759\u6001\u5185\u7f51 IP \u7684\u6b63\u786e\u65b9\u6cd5\u662f\u5728 DNS \u4e2d\u6dfb\u52a0\u4e00\u6761\u8fd9\u6837\u7684\u8bb0\u5f55\uff1a

    $ORIGIN s.ustclug.org\n<HOST>  600     IN A    <Intranet IP>\n

    \u7136\u540e\u5728\u673a\u5668\u4e0a\u91cd\u542f systemctl restart tinc@ustclug.service \u5c31\u80fd\u81ea\u52a8\u83b7\u53d6\u4e86\u3002

    "},{"location":"infrastructure/tinc/#ssh","title":"\u914d\u7f6e SSH \u4fa6\u542c\u5185\u7f51\u5730\u5740","text":"

    Tip

    \u5bf9\u4e8e Debian 11+ \u7684\u7cfb\u7edf\uff0c\u5efa\u8bae\u4fdd\u6301 sshd_config \u4e0d\u52a8\uff0c\u5c06\u81ea\u5b9a\u4e49\u7684\u914d\u7f6e\u5199\u5165 sshd_config.d/ustclug.conf\uff0c\u4ee5\u51cf\u5c11\u66f4\u65b0 ssh \u8f6f\u4ef6\u5305\u65f6\u7684\u914d\u7f6e\u6587\u4ef6\u51b2\u7a81\u3002\u6ce8\u610f\u5982\u679c\u8fd9\u4e48\u505a\u7684\u8bdd\u9700\u8981\u628a\u914d\u7f6e\u6587\u4ef6\u91cc\u7684 Subsystem sftp \u5220\u6389\uff0c\u5426\u5219 sshd \u4f1a\u62a5\u9519\u201c\u91cd\u590d\u6307\u5b9a\u4e86 Subsystem sshd\u201d\u3002

    \u4ee5\u4e0b\u914d\u7f6e\u4f9b\u53c2\u8003\uff0c\u590d\u5236\u65f6\u6ce8\u610f\u4fee\u6539 Match LocalAddress \u540e\u9762\u7684\u5185\u5bb9\uff08\u5185\u7f51\u5730\u5740\u548c AllowGroups \u6700\u540e\u7684\u540d\u79f0\uff09\uff1a

    /etc/ssh/sshd_config
    AddressFamily inet\nUseDNS no\n\nHostKey /etc/ssh/ssh_host_rsa_key\nHostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub\nTrustedUserCAKeys /etc/ssh/ssh_user_ca\nRevokedKeys /etc/ssh/ssh_revoked_keys\n\nPasswordAuthentication no\nPubkeyAuthentication no\nChallengeResponseAuthentication no\nUsePAM yes # LDAP for Debian\n\nAcceptEnv LANG LC_*\nX11Forwarding yes\nPrintLastLog no\nPrintMotd no\nSubsystem sftp /usr/lib/openssh/sftp-server\n\nMatch LocalAddress 10.254.0.0\n    AllowGroups ssh_local super_manager ssh_groupname\n    PasswordAuthentication yes\n    PubkeyAuthentication yes\n\n# Public IP access = root-only\nMatch LocalAddress 202.38.95.110,202.141.160.110,202.141.176.110,218.104.71.170\n    AllowUsers root\n    PubkeyAuthentication yes\n    AuthorizedKeysFile none  # \u5c4f\u853d\u516c\u94a5\uff0c\u4ec5\u5141\u8bb8\u8bc1\u4e66\u767b\u5f55\n\n# For SSH Push trigger\nMatch User mirror\n    AllowUsers mirror\n    AuthenticationMethods publickey\n    PermitTTY no\n    PermitTunnel no\n    X11Forwarding no\n\nMatch All #(1)\n
    1. OpenSSH 6.5p1 \u4ee5\u4e0a\u53ef\u4ee5\u4f7f\u7528 Match All \u6765\u7ed3\u675f\u4e0a\u9762\u7684 Match \u5757\u3002\u7531\u4e8e Include \u6307\u4ee4\u51fa\u73b0\u5728 /etc/ssh/sshd_config \u7684\u6700\u4e0a\u9762\uff0c\u800c\u63a5\u4e0b\u6765\u7684\u5185\u5bb9\u90fd\u662f\u5168\u5c40\u8bbe\u7f6e\uff0c\u56e0\u6b64\u4f7f\u7528 Match All \u4fdd\u8bc1\u539f\u5148\u7684\u5185\u5bb9\u7ee7\u7eed\u4f5c\u7528\u4e8e\u5168\u5c40\uff0c\u800c\u4e0d\u662f\u50cf\u4e0a\u9762\u8fd9\u4e2a\u4f8b\u5b50\u4e00\u6837\u53d8\u6210 Match User mirror \u7684\u8bbe\u7f6e\u3002

    \u6ce8\u610f HostCertificate, TrustedUserCAKeys \u548c RevokedKeys \u8fd9\u4e09\u4e2a\u6587\u4ef6\u5fc5\u987b\u5b58\u5728\uff0c\u5426\u5219 SSH \u4f1a\u51fa\u4e00\u4e9b\u95ee\u9898\uff0c\u4f8b\u5982\u4e0d\u80fd\u5bc6\u94a5\u767b\u5f55\u53ea\u80fd\u5bc6\u7801\u767b\u5f55\u3002

    HostCertificate \u9700\u8981\u624b\u52a8\u7b7e\u53d1\u4e00\u4e2a\uff0c\u53e6\u5916\u4e24\u4e2a\u6587\u4ef6\u4ece\u522b\u7684\u673a\u5668\u4e0a\u590d\u5236\u5c31\u884c\u3002

    "},{"location":"infrastructure/discontinued/","title":"\u4e0d\u518d\u4f7f\u7528\u7684\u57fa\u7840\u8bbe\u65bd","text":"

    Warning

    Content under this section is not necessarily up-to-date.

    "},{"location":"infrastructure/discontinued/#saltstack","title":"SaltStack","text":"

    \u76ee\u524d\u4e0d\u77e5 SaltStack \u4f55\u65f6\u5f00\u59cb\u4f7f\u7528\uff0c\u4f46\u662f\u6211\u4eec\u6ca1\u6709\u4efb\u4f55\u4f9d\u8d56\u4e8e salt \u7684\u914d\u7f6e\u3002\u51fa\u4e8e\u8003\u8651\u5230 salt \u51fa\u73b0\u8fc7\u975e\u5e38\u4e25\u91cd\u7684 CVE\uff0csaltstack \u5df2\u4e0d\u518d\u8003\u8651\u4f7f\u7528\uff0c\u4e14\u5728\u5df2\u77e5\u7684\u673a\u5668\u4e0a\u90fd\u5df2\u5220\u9664\u3002\u5982\u679c\u4f60\u53d1\u73b0\u67d0\u53f0 lug \u7684\u673a\u5668\u4e0a\u5b89\u88c5\u4e86 salt\uff0c\u8bf7\u901a\u77e5 CTO \u4ee5\u5c06\u5176\u5220\u9664\u3002

    \u5728\u81ea\u52a8\u5316\u8fd0\u7ef4\u65b9\u9762\uff0c\u672a\u6765\u4f1a\u8c03\u7814 ansible\u3002

    "},{"location":"infrastructure/discontinued/#vsphere","title":"vSphere \u96c6\u7fa4","text":"

    \u6211\u4eec\u4ece 2015 \u5e74\uff08\u6216\u66f4\u65e9\uff09\u5f00\u59cb\u4f7f\u7528 vSphere \u5e73\u53f0\uff08ESXi + vCenter\uff09\u8fd0\u884c\u865a\u62df\u673a\u3002\u7531\u4e8e VMware \u4e13\u6709\u5e73\u53f0\u7684\u590d\u6742\u6027\u96be\u4ee5\u7ef4\u62a4\uff0c\u6211\u4eec\u5df2\u4e8e 2022 \u5e74 1 \u6708\u5168\u9762\u8fc1\u79fb\u81f3\u5f00\u6e90\u7684\u3001\u57fa\u4e8e Debian GNU/Linux \u7684\u865a\u62df\u5316\u5e73\u53f0 Proxmox VE\u3002

    "},{"location":"infrastructure/discontinued/vsphere/esxi/","title":"ESXi","text":"

    \u73b0\u5f79\u7684 ESXi \u6709 3 \u53f0\uff1aesxi-2 \u548c esxi-6 \u4f4d\u4e8e\u4e1c\u56fe\u673a\u623f\uff0cesxi-5 \u4f4d\u4e8e\u7f51\u7edc\u4fe1\u606f\u4e2d\u5fc3\u673a\u623f\u3002

    esxi-2 \u4e0a\u8fd0\u884c\u4e1c\u56fe\u7f51\u5173\u7b49\u670d\u52a1\uff0cesxi-6 \u4e0a\u8fd0\u884c ustclug gitlab\u3002esxi-5 \u4e0a\u8fd0\u884c\u8bf8\u5982 vcenter, \u90ae\u4ef6\u7f51\u5173, ldap, \u5907\u7528\u7f51\u5173, vSphereDataProtection \u5907\u4efd\u670d\u52a1\u7b49\u3002

    \u76ee\u524d\uff0c\u6709\u8ba1\u5212\u5c06\u865a\u62df\u5316\u65b9\u6848\u66f4\u6539\u4e3a Proxmox Virtual Environment\u3002

    "},{"location":"infrastructure/discontinued/vsphere/esxi/#about-snapshot","title":"\u5173\u4e8e\u5feb\u7167","text":"

    Best practices: https://kb.vmware.com/s/article/1025279\uff0c\u7ba1\u7406\u865a\u62df\u673a\u524d\u52a1\u5fc5\u9605\u8bfb\u3002

    "},{"location":"infrastructure/discontinued/vsphere/esxi/#_1","title":"\u673a\u5668\u914d\u7f6e\u7ec6\u8282","text":""},{"location":"infrastructure/discontinued/vsphere/esxi/#esxi-5","title":"esxi-5","text":"

    esxi-5 \u4e0a\u4e8e 2021/8 \u53d1\u73b0\u81ea\u5e26\u9635\u5217\u6709\u4e24\u5757\u574f\u76d8\uff0c\u5728\u66f4\u6362\u540e\u53d1\u73b0 storage \"root\"\uff08\u5b58\u653e vcenter \u865a\u62df\u673a\uff0c\u7ec4 RAID 1 \u540e\u5927\u5c0f 1.8TB\uff09\u65e0\u6cd5\u6b63\u5e38 rebuild\uff0c\u5e76\u4e14 vcenter \u865a\u62df\u673a\u7684 vmdk \u6587\u4ef6\u6709 4 \u4e2a\u51fa\u73b0 I/O error\u3002\u76ee\u524d vcenter \u865a\u62df\u673a\u5df2\u7ecf\u8fc1\u79fb\u5230 storage \"data\" (RAID10, 7.2 TB)\uff0c\u5de5\u4f5c\u6b63\u5e38\u3002

    "},{"location":"infrastructure/discontinued/vsphere/vcenter/","title":"vCenter","text":"

    vCenter \u4e3a\u7ef4\u62a4\u4eba\u5458\u63d0\u4f9b\u4e86\u65b9\u4fbf\u7684\u7ba1\u7406\u6240\u6709 ESXi \u670d\u52a1\u5668\u7684\u754c\u9762\u3002\u9700\u8981\u6ce8\u610f\uff1a

    "},{"location":"infrastructure/discontinued/vsphere/vcenter/#patch","title":"\u5b89\u88c5 patch","text":"

    \u5f53\u51fa\u73b0\u4e25\u91cd\u7684 CVE \u4e14\u65e0\u6cd5\u7b80\u5355 workaround \u65f6\uff0c\u5efa\u8bae\u5b89\u88c5 patch\uff0c\u5927\u81f4\u65b9\u6cd5\uff1a

    1. \u6253\u5feb\u7167\uff0c\u6700\u597d\u80fd\u624b\u52a8\u5907\u4efd\u4e00\u4e0b\u3002
    2. \u524d\u5f80 https://my.vmware.com/group/vmware/patch \u4e0b\u8f7d\u6700\u65b0\u7248 patch ISO \u6587\u4ef6\uff08\u5206\u7c7b\u4e3a VC\uff0c\u9700\u8981\u6ce8\u518c\u514d\u8d39\u8d26\u53f7\uff09\uff1b
    3. \u4e0a\u4f20 ISO \u6587\u4ef6\u5230 esxi-5 \u67d0\u4e2a datastore \u4e2d\uff0c\u5c06 ISO \u6302\u8f7d\u5230 VMware vCenter Server Appliance \u865a\u62df\u673a\u4e2d\uff1b
    4. \u767b\u5f55 esxi-5 \u7ba1\u7406\u754c\u9762\uff08\u4e0d\u662f vcenter \u754c\u9762\uff0c\u56e0\u4e3a\u66f4\u65b0\u7684\u65f6\u5019 vcenter \u4f1a\u4e0b\u7ebf\uff09\uff0c\u8fdb\u5165 vcenter console\u3002
    5. software-packages stage --iso \u52a0\u8f7d\u8865\u4e01\u6587\u4ef6\uff08\u5b9e\u8d28\u662f\u4e00\u5806 rpm\uff09\u3002
    6. software-packages install --iso \u5b89\u88c5\u8865\u4e01\u6587\u4ef6\u3002
    7. shell \u8fdb\u5165 bash\uff0creboot \u91cd\u542f\u3002
    8. \u91cd\u542f\u540e\u5982\u679c\u8fdb\u5165 5480 \u7aef\u53e3\u53d1\u73b0\u670d\u52a1\u72b6\u6001\u4e3a\u672a\u77e5\uff0c\u624b\u52a8\u91cd\u542f\u6240\u6709\u670d\u52a1\uff1aservice-control --start --all
    9. \u7b49\u5f85\u4e00\u6bb5\u65f6\u95f4\uff08\u6bd4\u8f83\u957f\uff09\uff0c\u671f\u95f4\u53ef\u80fd 503/\u663e\u793a\u670d\u52a1\u6b63\u5728\u52a0\u8f7d\u4e2d\uff0c\u7b49\u7b49\uff0c\u4e4b\u540e\u5c31\u5e94\u8be5\u6b63\u5e38\u4e86\u3002
    10. \u522b\u5fd8\u4e86\u624b\u52a8\u5907\u4efd\u3002

    \u5347\u7ea7\u65f6\u9047\u5230\u7684\u95ee\u9898\uff1a

    1. \u65e0\u6cd5\u8bc6\u522b ISO \u4e3a\u66f4\u65b0\u7684\u7248\u672c\uff1ahttps://kb.vmware.com/s/article/59659?lang=zh_CN
    2. \u300c\u73af\u5883\u5c1a\u672a\u51c6\u5907\u597d\u66f4\u65b0\u300d\uff1a\u4f7f\u7528 console \u7684 software-packages \u66f4\u65b0\uff0c\u67e5\u770b\u539f\u56e0\u3002\u5982\u679c\u662f root \u5bc6\u7801\u8fc7\u671f\uff0c\u8fdb\u5165 bash\uff0c\u4f7f\u7528 passwd \u5148\u91cd\u7f6e\u6210\u65b0\u7684\uff08\u7136\u540e\u518d\u6539\u56de\u6765\uff09\uff0c\u4f7f\u7528 chage -I -1 -m 0 -M 99999 -E -1 root \u8bbe\u7f6e\u6c38\u4e0d\u8fc7\u671f\u3002
    "},{"location":"infrastructure/discontinued/vsphere/vdp/","title":"VDP","text":"

    \u5f53\u6211\u4eec\u8bf4\u5230 VDP \u7684\u65f6\u5019\uff0c\u6211\u4eec\u5230\u5e95\u5728\u6307\u4ec0\u4e48\uff1f\u4e3a\u4e86\u907f\u514d\u6b67\u4e49\uff0c\u4ee5\u4e0b\u505a\u4e86\u4e00\u4e9b\u5b9a\u4e49\uff1a

    vdp2 \u6302\u63a5\u5728 esxi-5 \u4e0a\uff0cesxi-5 \u6e90\u4e8e\u8001 mirrors\uff08mirrors2 \u4e4b\u524d\u7684\u4e00\u4ee3\u673a\u5668\uff09\u3002vSphereDataProtection \u7248\u672c\u4e3a 6.1.5\u3002

    \u5f53 vdp \u5907\u4efd\u7a0b\u5e8f\u51fa\u73b0\u5947\u602a\u7684\u95ee\u9898\u7684\u65f6\u5019\uff0c\u91cd\u542f vdp \u5907\u4efd\u865a\u62df\u673a\u7edd\u5927\u591a\u6570\u65f6\u5019\u80fd\u591f\u89e3\u51b3\u95ee\u9898\u3002\u91cd\u542f\u8017\u65f6\u975e\u5e38\u957f\uff0c\u9700\u8981\u505a\u597d\u5fc3\u7406\u51c6\u5907\u3002

    \u5907\u4efd\u65f6\uff0cvdp \u5907\u4efd\u7a0b\u5e8f\u4f1a\u4e3a\u865a\u62df\u673a\u65b0\u5efa\u4e00\u4e2a snapshot\uff0c\u4e4b\u540e\u4ece snapshot \u4f20\u8f93\u5907\u4efd\u3002\u5076\u5c14 snapshot \u4e0d\u4f1a\u88ab\u6b63\u5e38\u5220\u9664\uff0c\u800c\u5927\u91cf\u6216\u957f\u65f6\u95f4\u5b58\u653e\u7684 snapshot \u4f1a\u7ed9\u6027\u80fd\u5e26\u6765\u8d1f\u9762\u5f71\u54cd\uff0c\u6240\u4ee5\u5982\u679c\u53d1\u73b0\u6b64\u7c7b\u60c5\u51b5\uff0c\u5728\u786e\u8ba4\u5907\u4efd\u4e0d\u518d\u8fdb\u884c\u540e\uff0c\u9700\u8981\u5220\u9664 snapshot\uff0c\u540c\u65f6\u4fdd\u6301\u673a\u5668\u5728\u7ebf\uff08\u5728\u5173\u673a\u60c5\u51b5\u4e0b\u6574\u5408\u78c1\u76d8\u65f6\u65e0\u6cd5\u5f00\u673a\uff01\uff09\u3002

    \u53c2\u8003\u8d44\u6599\uff1ahttps://docs.vmware.com/en/VMware-vSphere/6.5/rn/data-protection-615-release-notes.html

    VDP \u5907\u4efd\u865a\u62df\u673a\u5df2\u7ecf EOL\u3002\u8bbf\u95ee vcenter \u4e2d\u7684 VDP \u63d2\u4ef6\u9700\u8981\u4f7f\u7528 Adobe Flash\u3002

    "},{"location":"infrastructure/discontinued/vsphere/vdp/#_1","title":"\u5907\u4efd\u8ba1\u5212","text":"

    \u76ee\u524d\u7684\u5907\u4efd\u8ba1\u5212\u5982\u4e0b\uff1a

    "},{"location":"infrastructure/discontinued/vsphere/vdp/#_2","title":"\u9ad8\u7ea7\u547d\u4ee4","text":"

    \u67e5\u770b\u5f53\u524d\u4efb\u52a1\uff1a

    # mccli activity show | grep Running\n

    \u67e5\u770b\u670d\u52a1\u60c5\u51b5\uff1a

    # dpnctl status\n# status.dpn\n
    "},{"location":"infrastructure/discontinued/vsphere/vdp/#vspheredataprotection-on-virtio-scsi","title":"vSphereDataProtection on VirtIO SCSI","text":"

    vdp \u7684\u64cd\u4f5c\u7cfb\u7edf\u662f SLES 11 SP3\uff0c\u8fd9\u4e2a\u64cd\u4f5c\u9700\u8981\u7cfb\u7edf\u76d8\u7684\u524d\u4e24\u4e2a\u5206\u533a\uff08/boot \u548c /\uff09\u3002

    1. \u53c2\u8003 https://www.suse.com/support/kb/doc/?id=000016530\uff0c\u89e3\u538b initrd \u5230\u67d0\u4e2a\u76ee\u5f55\u3002
    2. \u4ece rootfs \u7684 /lib/modules/3.0.101-0.47.99-default/kernel/drivers/ \u91cc\u53d6\u51fa virtio \u7684\u5185\u6838\u6a21\u5757\uff08block \u91cc\u9762\u4e00\u4e2a\uff0cvirtio \u6574\u4e2a\u76ee\u5f55\uff0c\u4ee5\u53ca scsi \u91cc\u9762\u4e00\u4e2a\uff09\uff0c\u653e\u5728 initrd \u89e3\u538b\u540e\u7684\u5bf9\u5e94\u4f4d\u7f6e\u3002
    3. rootfs \u7684 /lib/modules/3.0.101-0.47.99-default/modules.dep* \u590d\u5236\u5230 initrd \u91cc\u3002
    4. \u4fee\u6539 initrd \u91cc\u7684 config/start.sh \u548c run_all.sh\uff0c\u5728 RESOLVED_INITRD_MODULES \u53d8\u91cf\u4e2d\u6dfb\u52a0 virtio_pci virtio virtio_scsi virtio_blk\uff08\u5373\u4fee\u6539\u4e3a RESOLVED_INITRD_MODULES='virtio_pci virtio virtio_scsi virtio_blk cifs ext2 ext3 ext4 fat nfs reiserfs ufs xfs'\uff09\u3002
    5. \u53c2\u8003 https://www.suse.com/support/kb/doc/?id=000016530 \u91cd\u65b0\u6253\u5305\uff0c\u653e\u5728\u7b2c\u4e00\u4e2a\u5206\u533a (/boot) \u91cc\u9762\uff0c\u5efa\u8bae\u4e0d\u8981\u8986\u76d6\u539f\u6765\u7684 initrd\u3002
    6. \u4fee\u6539\u7b2c\u4e00\u4e2a\u5206\u533a\u91cc grub/menu.lst\uff0c\u5c06 initrd \u4fee\u6539\u4e3a\u4f60\u6240\u6253\u5305\u7684\u6587\u4ef6\u540d\u3002
    "},{"location":"infrastructure/intranet/","title":"Servers Intranet","text":"

    Servers Intranet connects all the servers together, including physical servers and virtual machines.

    "},{"location":"infrastructure/intranet/#network-topology","title":"Network Topology","text":"

    \u4ee5\u4e0a\u67b6\u6784\u56fe\u7531 iBug \u5728 2023 \u5e74 11 \u6708\u66f4\u65b0\u3002

    \u6b64\u5904\u662f\u4e00\u4e9b\u8fc7\u65f6\u7684\u4fe1\u606f\uff0c\u4e5f\u8bb8\u8fd8\u6709\u70b9\u53c2\u8003\u4ef7\u503c

    The network contains three parts:

    tincVPN is a mesh VPN, which can be abstracted as a virtual Switch.

    vm-nfs.s.ustclug.org runs a layer 2 bridge, connecting tincVPN and SRW2024 (physical switch).

    It is obvious that vm-nfs is a single point of failure of communicating between tinc host and vSphere virtual machine. I had tried to add another bridge node, but resulted in a broadcast storm. Maybe we can fix it by MPLS (merged in mainline kernel 4.3). But it isn't a right timing at this time.

    "},{"location":"infrastructure/intranet/#network-information","title":"Network information","text":"

    The network contains one single subnet: 10.254.0.0/21

    Every server and service binds to one and only one IP address, used to communicate with each other.

    "},{"location":"infrastructure/intranet/#address-planning","title":"Address planning","text":""},{"location":"infrastructure/intranet/gateway/","title":"Intranet Gateway","text":"

    We run gateways in each colocation to provide internet access to intranet-only hosts (VMs and containers).

    When configuring VMs and containers, set their gateway according to their colocation:

    Gateway-JP is mainly used for HTTP reverse proxy, so that we can provide HTTP services in compliance with PRC regulations.

    For server configuration on each gateway, refer to their corresponding documentation:

    "},{"location":"infrastructure/intranet/gateway/#tinc-workaround-1","title":"Tinc \"received packet on ustclug with own address as source address\" workaround","text":"

    After migrating to PVE, we found that sometimes tinc works abnormally within gateway-el and gateway-nic, with following kernel log:

    bridge: received packet on ustclug with own address as source address (addr:12:34:56:78:90:ab, vlan:0)\nbridge: received packet on ustclug with own address as source address (addr:12:34:56:78:90:ab, vlan:0)\nbridge: received packet on ustclug with own address as source address (addr:12:34:56:78:90:ab, vlan:0)\nbridge: received packet on ustclug with own address as source address (addr:12:34:56:78:90:ab, vlan:0)\nbridge: received packet on ustclug with own address as source address (addr:12:34:56:78:90:ab, vlan:0)\nbridge: received packet on ustclug with own address as source address (addr:12:34:56:78:90:ab, vlan:0)\nbridge: received packet on ustclug with own address as source address (addr:12:34:56:78:90:ab, vlan:0)\nbridge: received packet on ustclug with own address as source address (addr:12:34:56:78:90:ab, vlan:0)\nbridge: received packet on ustclug with own address as source address (addr:12:34:56:78:90:ab, vlan:0)\nbridge: received packet on ustclug with own address as source address (addr:12:34:56:78:90:ab, vlan:0)\nnet_ratelimit: 2 callbacks suppressed\n

    We still don't know the source of this issue. To workaround that, following self-check timer is deployed now:

    /opt/tinc-check.sh
    #!/bin/bash\n\nrestart() {\n  systemctl stop tinc@ustclug.service\n  sleep 3  # avoid race condition\n  systemctl start tinc@ustclug.service\n  echo \"tinc restarted\"\n}\n\ndmesg | tail -n 2 | grep 'received packet on ustclug with own address as source address' && restart ||  echo \"tinc OK now\";\n
    /etc/systemd/system/tinc-check.service
    [Unit]\nDescription=Tinc Check and Auto-Restart\n\n[Service]\nType=oneshot\nExecStart=/opt/tinc-check.sh\n
    /etc/systemd/system/tinc-check.timer
    [Unit]\nDescription=Tinc Check and Auto-Restart Timer\n\n[Timer]\nOnCalendar=minutely\nPersistent=true\n\n[Install]\nWantedBy=timers.target\n
    "},{"location":"infrastructure/intranet/lugivpn/","title":"LUG Intranet VPN","text":"

    service: intranet.ustclug.org

    server: board.s.ustclug.org

    "},{"location":"infrastructure/intranet/lugivpn/#introduction","title":"Introduction","text":"

    Server intranet is a closed network, which cannot be accessed from Internet. LUGI VPN helps maintainer get access to intranet temporarily.

    LUGI VPN is running in Banana Pi Raspberry Pi 3B+, the only ARM architecture device we owned. Using OpenVPN protocal, authorizing via LDAP.

    The original Banana Pi was down in April 2021.

    "},{"location":"infrastructure/intranet/lugivpn/#configuration","title":"Configuration","text":"

    OpenVPN LDAP auth plugin config /etc/openvpn/auth-ldap.conf:

    <LDAP>\n    URL             ldaps://ldap.ustclug.org\n    Timeout         15\n    FollowReferrals yes\n    TLSCACertFile   /etc/ldap/ssl/slapd-ca-cert.pem\n</LDAP>\n\n<Authorization>\n    BaseDN          \"ou=people,dc=lug,dc=ustc,dc=edu,dc=cn\"\n    SearchFilter    \"(uid=%u)\"\n    RequireGroup    false\n</Authorization>\n

    In openvpn configuration:

    ...\nplugin /usr/lib/openvpn/openvpn-auth-ldap.so /etc/openvpn/auth-ldap.conf\n

    Servers intranet is a layer 2 network without default gateway. So NAT is needed:

    iptables -t nat -A POSTROUTING -s 10.254.248.0/22 -d 10.254.0.0/21 -j MASQUERADE\n
    "},{"location":"infrastructure/proxmox/nfs/","title":"NFS","text":"

    NFS \u670d\u52a1\u5668\uff08\"vdp\"\uff09\u662f\u4e1c\u56fe\u4e09\u4e2a PVE \u673a\u5668\u7684\u865a\u62df\u673a\u5b58\u50a8\uff0c\u578b\u53f7\u4e3a DELL PowerEdge R510\u3002\u78c1\u76d8\u9635\u5217\u7531\u4e8e\u5728 2021 \u5e74 3 \u6708\u521d\u635f\u574f\uff0c\u76ee\u524d\u5bb9\u91cf\u7f29\u51cf\u5230 8T\uff084 \u5757 4T \u84dd\u76d8 RAID10\uff09\u3002\u9664\u865a\u62df\u673a\u5916\uff0cNFS \u4e5f\u5b58\u50a8 LUG \u6210\u5458\u7684\u4e2a\u4eba\u6570\u636e\u53ca LUG FTP\u3002NFS \u670d\u52a1\u6062\u590d\u540e\uff0c\u4e3a\u4e86\u4fdd\u8bc1\u6570\u636e\u5197\u4f59\u6027\uff0c\u4f7f\u7528\u79d1\u5927 Office 365 A1 \u8d26\u53f7\u548c Rclone \u6bcf\u5929\u589e\u91cf\u5907\u4efd LUG FTP \u548c LUG \u6210\u5458\u7684\u516c\u5f00\u6570\u636e\u3002

    vdp \u7684\u5185\u7f51\u8fde\u63a5\u4f9d\u8d56\u4e8e gateway-el\u3002

    \u53ef\u80fd\u7684\u7f51\u7edc\u95ee\u9898

    \u5728 2021 \u5e74\u4e5d\u6708\u4efd\u4e1c\u56fe\u7684 ESXi \u4e0e NFS \u8fde\u63a5\u4f1a\u51fa\u73b0\u4e0d\u7a33\u5b9a\u7684\u95ee\u9898\uff0c\u539f\u56e0\u76ee\u524d\u4e0d\u660e\u3002\u5728\u8fde\u63a5\u65b9\u5f0f\u4ece NFS 4.1 \u66f4\u6362\u5230 NFS 3 \u4e4b\u540e\uff0c\u8fde\u63a5\u7684\u4e0d\u7a33\u5b9a\u4e0d\u4f1a\u5bfc\u81f4\u865a\u62df\u673a\u88ab\u5173\u95ed\u3002

    2021/09/29 \u66f4\u65b0\uff1a\u8fd9\u4e24\u5929\u518d\u6b21\u51fa\u73b0\u4e86\u4e25\u91cd\u7684\u8fde\u63a5\u95ee\u9898\u3002\u8c03\u8bd5\u540e\u53d1\u73b0 192.168.93.0/24 \u7684\u7f51\u5173 192.168.93.254 (Cisco \u8bbe\u5907) \u4e22\u5305\u4e25\u91cd\uff0c\u800c NFS \u7684\u51fa\u53e3 IP \u9519\u8bef\u88ab\u8bbe\u7f6e\u5230\u4e86\u4e0e\u56fe\u4e66\u9986\u4ea4\u6362\u673a\u76f8\u8fde\u63a5\u7684 eno1\uff0c\u5bfc\u81f4\u8bf7\u6c42\u9700\u8981\u7ed5\u8def\u3002\u5c06\u6b64 IP \u79fb\u52a8\u81f3 eno2\uff0c\u4fee\u6539 sysctl \u8bbe\u7f6e ARP \u8fc7\u6ee4\u5e76\u91cd\u542f\u540e\uff0c\u76ee\u524d\u6682\u65f6\u89e3\u51b3\u4e86\u95ee\u9898\u3002

    "},{"location":"infrastructure/proxmox/nfs/#pve","title":"PVE \u78c1\u76d8\u8def\u5f84\u4e0e\u6302\u8f7d\u53c2\u6570","text":"

    \u5728 storage.cfg \u8bbe\u7f6e\u4e2d\uff0cNFS \u6302\u8f7d\u5230 /mnt/nfs-el\uff0c\u8bbe\u7f6e\u7684\u53c2\u6570\u4e3a soft,noexec,nosuid,nodev\u3002\u8bbe\u7f6e\u4e3a hard \u4f1a\u5bfc\u81f4 NFS \u4e0b\u7ebf\u65f6\u91cd\u8bd5\u65e0\u9650\u6b21\uff0c\u5927\u6982\u7387\u5bfc\u81f4\u7cfb\u7edf\u5361\u6b7b\uff0c\u5176\u4ed6\u51e0\u4e2a\u53c2\u6570\u4e3b\u8981\u662f\u4e3a\u4e86\u5b89\u5168\u3002

    \u5176\u4e2d\uff0c\u6839\u636e PVE \u7684\u8981\u6c42\uff0c\u865a\u62df\u673a\u78c1\u76d8\u6587\u4ef6\u9700\u8981\u653e\u5728 images/<vmid> \u76ee\u5f55\u4e0b\u624d\u4f1a\u88ab\u81ea\u52a8\u68c0\u6d4b\u5230\u3002\u82e5\u4e00\u5f00\u59cb\u6ca1\u6709\u6309\u8981\u6c42\u653e\u7f6e\u6587\u4ef6\u6216\u6dfb\u52a0\u4e86\u65b0\u6587\u4ef6\uff0c\u53ef\u4ee5\u4f7f\u7528 qm rescan \u626b\u63cf\u65b0\u7684\u78c1\u76d8\u6587\u4ef6\u3002\u4e5f\u53ef\u4ee5\u76f4\u63a5\u4f7f\u7528 qm set \u547d\u4ee4\u6216\u624b\u52a8\u7f16\u8f91\u865a\u62df\u673a\u914d\u7f6e\u6587\u4ef6\u6307\u5b9a\u78c1\u76d8\u6587\u4ef6\u7684\u8def\u5f84\uff0c\u8fd9\u4e24\u79cd\u65b9\u6cd5\u6ca1\u6709\u6b64\u9650\u5236\u3002

    \u53e6\u5916\uff0c\u7531\u4e8e\u6574\u4e2a storage.cfg \u6587\u4ef6\u5728\u96c6\u7fa4\u4e2d\u5171\u4eab\uff0c\u9700\u8981\u624b\u52a8\u6307\u5b9a nodes \u4ee5\u514d NIC \u7684\u4e24\u53f0 PVE \u4e3b\u673a\u5c1d\u8bd5\u6302\u8f7d\u3002

    /etc/pve/storage.cfg
    nfs: nfs-el\n        export /media/vdp/pve\n        path /mnt/nfs-el\n        server nfs-el.vm.ustclug.org\n        options soft,noexec,nosuid,nodev\n        content iso,images\n        nodes pve-2,pve-4,pve-6\n        shared 1\n        prune-backups keep-all=1\n

    storage.cfg \u7684\u5168\u90e8\u914d\u7f6e\u5185\u5bb9\u53ef\u4ee5\u53c2\u8003 https://pve.proxmox.com/wiki/Storage\u3002

    "},{"location":"infrastructure/proxmox/pbs/","title":"Proxmox Backup Server (PBS)","text":"

    PBS \u73b0\u5728\u90e8\u7f72\u5728 esxi-5 \u4e0a\u9762\uff0c\u7528\u4f5c\u865a\u62df\u673a\u5907\u4efd\uff0cweb \u754c\u9762\u7684\u7aef\u53e3\u53f7\u4e3a 8007\uff08HTTPS only\uff09\u3002

    Info

    \u672c\u9875\u9762\u8bb0\u5f55 Proxmox Backup Server \u8f6f\u4ef6\u76f8\u5173\uff0c\u4ee5\u53ca Proxmox VE \u865a\u62df\u673a\u76f8\u5173\u7684\u8d44\u6599\u3002\u5173\u4e8e esxi-5 \u7684\u7cfb\u7edf\u914d\u7f6e\u4fe1\u606f\u8bb0\u5f55\u5728 Proxmox VE \u9875\u9762\u3002

    "},{"location":"infrastructure/proxmox/pbs/#pbs","title":"\u5b89\u88c5 PBS","text":"

    PBS \u53ef\u4ee5\u4f7f\u7528\u5b89\u88c5\u5149\u76d8 iso \u5b89\u88c5\u6216\u76f4\u63a5\u52a0\u88c5\u5728\u73b0\u6709\u7684\u5bf9\u5e94\u7248\u672c\u7684 Debian \u7cfb\u7edf\u4e0a\uff0c\u8fd9\u4e24\u79cd\u5b89\u88c5\u65b9\u5f0f\u90fd\u6709\u5b98\u65b9\u7684\u8bf4\u660e\u6587\u6863\u3002

    \u6211\u4eec\u7684 esxi-5 \u662f\u4f7f\u7528 PVE \u7684\u5b89\u88c5\u76d8\u5148\u88c5\u6210 PVE\uff0c\u518d\u5728\u4e0a\u9762\u989d\u5916\u52a0\u88c5 PBS \u7684\u3002\u7531\u4e8e PVE \u548c PBS \u5171\u4eab\u4e86\u5927\u91cf\u7ec4\u4ef6\uff0c\u56e0\u6b64\u5728 PVE \u4e0a\u52a0\u88c5 PBS \u5c31\u53ea\u5269\u4e0b\u5f88\u7b80\u5355\u7684\u4e00\u4e9b\u6b65\u9aa4\u4e86\uff1a

    echo \"deb http://mirrors.ustc.edu.cn/proxmox/debian/pbs bullseye pbs-no-subscription\" > /etc/apt/sources.list.d/pbs.list\napt update\napt install proxmox-backup\n

    \u8be5\u8fc7\u7a0b\u4ec5\u5b89\u88c5\u4e86\u603b\u91cf\u4e3a 150+ MB \u7684 8 \u4e2a\u5305\uff0c\u5c31\u6709 PBS \u53ef\u7528\u4e86\u3002

    "},{"location":"infrastructure/proxmox/pbs/#pbs-new-user","title":"\u521b\u5efa\u65b0\u7528\u6237","text":"

    PBS \u81ea\u5df1\u7684\u8d26\u53f7\u4f53\u7cfb (Realm pbs) \u4e0e PVE (Realm pve) \u4e92\u76f8\u4e0d\u901a\uff0c\u5982\u679c\u9700\u8981\u521b\u5efa\u65b0\u7684 PBS \u7528\u6237\uff0c\u53ef\u4ee5\u901a\u8fc7 SSH \u767b\u5f55\uff0c\u7136\u540e\u53c2\u8003\u4ee5\u4e0b\u6b65\u9aa4\uff1a

    1. proxmox-backup-manager user create \u7528\u6237\u540d@pbs --email \u90ae\u7bb1\u5730\u5740@ustclug.org
    2. proxmox-backup-manager user update \u7528\u6237\u540d@pbs --password '\u4e00\u4e2a\u4e34\u65f6\u7684\u5bc6\u7801'
    3. \u4f7f\u7528\u8be5\u7528\u6237\u767b\u5f55 PBS\uff08\u6b64\u65f6\u7528\u6237\u65e0\u6743\u9650\uff09\uff0c\u4fee\u6539\u5bc6\u7801\uff1b
    4. \u8d4b\u4e88\u6743\u9650\u3002\u8d85\u7ea7\u7ba1\u7406\u5458\u5bf9\u5e94\u7684\u547d\u4ee4\u662f proxmox-backup-manager acl update / Admin --auth-id \u7528\u6237\u540d@pbs
    5. \u4f7f\u7528 proxmox-backup-manager acl list \u786e\u8ba4\u6743\u9650\u5217\u8868\u3002

    \u53c2\u8003\uff1ahttps://pbs.proxmox.com/docs/user-management.html

    Tip

    \u5f53\u7136\uff0c\u4f60\u4e5f\u53ef\u4ee5 SSH \u767b\u5f55\u540e\u4fee\u6539 root \u5bc6\u7801\uff0c\u518d\u7528 root@pam \u7684\u8d26\u53f7\u767b\u5f55 web \u754c\u9762\u8fdb\u884c\u64cd\u4f5c\u3002\u8be5\u65b9\u6cd5\u540c\u65f6\u9002\u7528\u4e8e PVE \u548c PBS\u3002\u64cd\u4f5c\u5b8c\u6210\u540e\u8bf7\u6062\u590d root \u5bc6\u7801\uff08passwd -d root\uff09\u3002

    \u5982\u679c\u4f60\u9700\u8981\u7ecf\u5e38\u767b\u5f55 Web \u754c\u9762\u64cd\u4f5c\uff0c\u6700\u597d\u521b\u5efa\u4e00\u4e2a Realm pve/pbs \u800c\u4e0d\u662f\u4f9d\u8d56\u4e8e\u4f7f\u7528 root \u5bc6\u7801\u3002

    \u7279\u522b\u5730\uff0c\u7531\u4e8e PBS \u548c PVE \u540c\u65f6\u5b89\u88c5\u5728 esxi-5 \u4e0a\uff0c\u56e0\u6b64\u5b83\u4eec\u53ef\u4ee5\u5171\u4eab esxi-5 \u4e0a\u7684 Linux \u7528\u6237\uff08\u5373 Linux PAM standard authentication\uff09\u3002

    "},{"location":"infrastructure/proxmox/pbs/#pbs-add-datastore","title":"\u8bbe\u7f6e Datastore","text":"

    PBS \u4e0a\u7684\u865a\u62df\u673a\u5907\u4efd\u5355\u5143\u662f\u5c0f\u5757\u7684 chunk\uff0c\u4e5f\u4f9d\u8d56\u8fd9\u4e2a\u8bbe\u8ba1\u5b9e\u73b0\u589e\u91cf\u5907\u4efd\uff0c\u6240\u4ee5\u865a\u62df\u673a\u5907\u4efd\uff08Datastore\uff09\u7684\u540e\u7aef\u90fd\u662f\u76ee\u5f55\u3002\u6dfb\u52a0 Datastore \u53ea\u9700\u8981\u6307\u5b9a\u4e00\u4e2a\u76ee\u5f55\uff0c\u53d6\u4e00\u4e2a\uff08\u7b80\u77ed\u7684\uff09\u540d\u5b57\u5c31\u53ef\u4ee5\u4e86\u3002\u5efa\u8bae\u4e0d\u8981\u4f7f\u7528\u6587\u4ef6\u7cfb\u7edf\u7684\u6839\u76ee\u5f55\u4f5c\u4e3a Datastore\uff0c\u53ef\u4ee5\u521b\u5efa\u4e00\u4e2a pbs \u6587\u4ef6\u5939\u7528\u4f5c Datastore\uff0c\u53c2\u8003\u4e0b\u9762\u6240\u8ff0\u7684 esxi-5 \u4e0a\u7684\u914d\u7f6e\u3002

    \u76ee\u524d\u5728 esxi-5 \u4e0a\u914d\u7f6e\u4e86\u4ee5\u4e0b datastore\uff1a

    "},{"location":"infrastructure/proxmox/pve/","title":"Proxmox Virtual Environment (PVE)","text":"

    LUG \u76ee\u524d\u670d\u5f79\u7684 Proxmox VE \u4e3b\u673a\u6709\uff1a

    \u8fd9\u4e9b PVE \u4e3b\u673a\u914d\u7f6e\u4e3a\u4e00\u4e2a\u96c6\u7fa4\uff0c\u53ef\u4ee5\u5171\u4eab\u4e00\u4e9b\u914d\u7f6e\u4fe1\u606f\u5e76\u4e92\u76f8\u8fc1\u79fb\u865a\u62df\u673a\u3002\u7279\u522b\u5730\uff0cProxmox VE Authentication Server\uff08Realm \u4e3a pve\uff09\u7684\u8d26\u53f7\u5728 PVE \u4e3b\u673a\u4e4b\u95f4\u662f\u5171\u4eab\u7684\uff0c\u5e76\u4e14\u6dfb\u52a0\u7684 PBS \u5b58\u50a8\u540e\u7aef\u4e5f\u662f\u5171\u4eab\u7684\uff0c\u5373\u5927\u5bb6\u90fd\u53ef\u4ee5\u5f80\u76f8\u540c\u7684 PBS \u4e0a\u5907\u4efd\u865a\u62df\u673a\u3002

    \u4e0d\u540c\u4e3b\u673a\u4e4b\u95f4\u7684 Linux PAM \u7528\u6237\u662f\u4e0d\u76f8\u901a\u7684

    \u6240\u6709 Proxmox \u4e3b\u673a\u7684\u4e3b\u673a\u540d\uff08hostname\uff09\u90fd\u8bbe\u4e3a <hostname>.vm.ustclug.org\uff0c\u5bf9\u5e94\u7684 IP \u5730\u5740\u8bb0\u5f55\u5728 DNS \u4e2d\u3002

    "},{"location":"infrastructure/proxmox/pve/#common","title":"\u516c\u7528\u914d\u7f6e","text":""},{"location":"infrastructure/proxmox/pve/#root","title":"root \u8d26\u6237","text":"

    \u5df2\u5e9f\u5f03\u7684\u5185\u5bb9

    \u4e3a\u4e86\u4fbf\u4e8e\u901a\u8fc7 IPMI \u7b49\u65b9\u5f0f\u7ef4\u62a4\uff0c\u6211\u4eec\u7ea6\u5b9a\u6240\u6709 Proxmox \u4e3b\u673a\u7684 root \u8d26\u6237\u5bc6\u7801\u4fdd\u6301\u4e3a\u7a7a\u3002\u82e5\u6709\u64cd\u4f5c\u9700\u8981\u4f7f\u7528 root \u5bc6\u7801\uff08\u5982\u521b\u5efa\u548c\u52a0\u5165\u96c6\u7fa4\u65f6\uff09\uff0c\u8bf7\u901a\u8fc7 SSH \u6216 IPMI \u767b\u5f55\uff0c\u4e34\u65f6\u8bbe\u7f6e\u4e00\u4e2a root \u5bc6\u7801\uff0c\u5e76\u5728\u4fee\u6539\u5b8c PVE / PBS \u7684\u914d\u7f6e\u540e\u5c06\u5bc6\u7801\u5220\u9664\uff08passwd -d\uff09\u3002PVE / PBS \u6ca1\u6709\u4f9d\u8d56\u4e8e\u56fa\u5b9a\u4e0d\u53d8\u7684 root \u5bc6\u7801\u624d\u80fd\u6b63\u5e38\u8fd0\u884c\u7684\u7ec4\u4ef6\uff0c\u56e0\u6b64\u8fd9\u6837\u505a\u5bf9 PVE / PBS \u6765\u8bf4\u662f\u6ca1\u95ee\u9898\u7684\u3002

    "},{"location":"infrastructure/proxmox/pve/#networking","title":"\u7f51\u7edc\u914d\u7f6e","text":"

    \u5b89\u5168\u8d77\u89c1\uff0cPVE / PBS \u4e3b\u673a\u4f7f\u7528 RFC 1918 \u6bb5\u7684\u6821\u56ed\u7f51 IP\uff0c\u4e0d\u8fde\u63a5\u516c\u7f51\u3002

    Debian \u548c Proxmox \u7684\u8f6f\u4ef6\u66f4\u65b0\u4f7f\u7528 mirrors.ustc.edu.cn \u5373\u53ef\uff0c\u82e5\u6709\u9700\u8981\u8bbf\u95ee\u6821\u5916\uff08\u5982 GitHub \u7b49\uff09\uff0c\u8bf7\u5199 hosts \u5e76\u914d\u7f6e\u8def\u7531\uff0c\u4ee5 GitHub \u4e3a\u4f8b\uff1a

    echo \"20.205.243.166 github.com\" >> /etc/hosts\nip route replace 20.205.243.166 via (?) dev (?)\n

    \u5176\u4e2d via \u9009\u62e9 gateway-el \u6216 gateway-nic \u7684\u5185\u7f51\u5730\u5740\uff0cdev \u9009\u62e9\u6865\u63a5\u5185\u7f51\u7684 vmbr\u3002

    "},{"location":"infrastructure/proxmox/pve/#pve-firewall","title":"\u9632\u706b\u5899","text":"

    \u6211\u4eec\u4e0d\u4f7f\u7528 Proxmox \u81ea\u5e26\u7684\u9632\u706b\u5899\u529f\u80fd\uff0c\u4f46 pve-firewall \u4ecd\u7136\u4f1a\u5c1d\u8bd5\u90e8\u7f72\u6216\u6062\u590d\u9632\u706b\u5899\u8bbe\u7f6e\uff0c\u56e0\u6b64\u9700\u8981\u7981\u7528\u76f8\u5173\u8bbe\u7f6e\u53ca\u670d\u52a1\uff1a

    /etc/pve/nodes/$(hostname -s)/host.fw
    [OPTIONS]\nenable: 0\n
    systemctl stop pve-firewall.service\nsystemctl disable pve-firewall.service\nsystemctl mask pve-firewall.service\n

    \u53ef\u9009\u5185\u5bb9\uff1a\u540c\u65f6\u5b89\u88c5 iptables-persistent \u8f6f\u4ef6\u5305\uff0c\u5e76\u5229\u7528 iptables \u5c06 443 \u7aef\u53e3\u8f6c\u53d1\u5230 8006 \u7aef\u53e3\u65b9\u4fbf\u4f7f\u7528\u3002

    update-alternatives --set iptables /usr/sbin/iptables-nft\nupdate-alternatives --set ip6tables /usr/sbin/ip6tables-nft\n
    /etc/iptables/rules.v4
    *nat\nPREROUTING ACCEPT [0:0]\nINPUT ACCEPT [0:0]\nOUTPUT ACCEPT [0:0]\nPOSTROUTING ACCEPT [0:0]\n-A PREROUTING -p tcp --dport 443 -m addrtype --dst-type LOCAL -j REDIRECT --to-ports 8006\nCOMMIT\n

    \u5220\u6389 rules.v6 \u6587\u4ef6\uff0c\u7136\u540e\u8fd0\u884c systemctl restart netfilter-persistent.service \u8f7d\u5165 iptables \u89c4\u5219\u3002

    "},{"location":"infrastructure/proxmox/pve/#ntp","title":"NTP \u65f6\u95f4","text":"

    Proxmox \u9ed8\u8ba4\u4f7f\u7528 chrony \u8f6f\u4ef6\u548c Debian \u63d0\u4f9b\u7684 NTP pool\uff0c\u8fd9\u4e9b\u670d\u52a1\u5668\u90fd\u5728\u6821\u5916\uff0c\u4f7f\u7528\u6821\u56ed\u7f51 IP \u65e0\u6cd5\u8fde\u901a\uff0c\u9700\u8981\u6539\u6210\u6821\u56ed\u7f51\u7684 NTP \u670d\u52a1\u5668\uff1a

    /etc/chrony/chrony.conf
    # Use Debian vendor zone.\n#pool 2.debian.pool.ntp.org iburst\nserver time.ustc.edu.cn iburst\n

    \u7136\u540e\u8fd0\u884c systemctl restart chrony.service \u91cd\u542f\u670d\u52a1\u3002

    "},{"location":"infrastructure/proxmox/pve/#ssl","title":"SSL \u8bc1\u4e66","text":"

    \u53c2\u89c1 SSL \u8bc1\u4e66\uff0c\u6b63\u597d vdp \u4e0a\u9762\u8fd0\u884c\u4e86 LUG FTP \u800c\u56e0\u6b64\u914d\u7f6e\u4e86\u8bc1\u4e66\u7684\u81ea\u52a8\u66f4\u65b0\uff0c\u5229\u7528 vdp \u63d0\u4f9b\u7684 NFS \u670d\u52a1\uff0c\u6211\u4eec\u5728 vdp \u4e0a\u7684\u8bc1\u4e66\u66f4\u65b0\u811a\u672c\u4e2d\u6dfb\u52a0\u4e86\u5c06 vm \u8bc1\u4e66\u590d\u5236\u5230 NFS \u76ee\u5f55\u7684\u529f\u80fd\uff0c\u7136\u540e\u7531 pve-6 \u90e8\u7f72\u5230\u5404\u4e2a\u4e3b\u673a\u4e0a\u3002

    \u4e0b\u9762\u662f pve-6 \u4e0a\u7684\u811a\u672c\uff1a

    /etc/cron.daily/sync-cert
    #!/bin/bash -e\n\nSRC=\"/etc/pve/nodes/$(hostname -s)\"\nDSTROOT=\"/etc/pve/nodes\"\nCERTSRC=\"/mnt/nfs-el/cert\"\n\ncp -u \"$CERTSRC/privkey.pem\" \"$SRC/pveproxy-ssl.key\"\ncp -u \"$CERTSRC/fullchain.pem\" \"$SRC/pveproxy-ssl.pem\"\nsystemctl reload pveproxy.service\n\nfor DST in \"$DSTROOT\"/*; do\n  [ \"$DST\" = \"$SRC\" ] && continue\n  node=\"$(basename \"$DST\")\"\n  cp \"$SRC/pveproxy-ssl.key\" \"$SRC/pveproxy-ssl.pem\" \"$DST/\"\n  ssh \"$node\" 'systemctl reload pveproxy.service' &\ndone\nwait\n

    \u7531\u4e8e PVE \u548c PBS \u7684\u6570\u636e\u4e0d\u4e92\u901a\uff0c\u56e0\u6b64 esxi-5 \u4e0a\u7684\u76f8\u540c\u4f4d\u7f6e\u6709\u53e6\u4e00\u4e2a\u811a\u672c\u4e3a PBS \u90e8\u7f72\u8bc1\u4e66\uff1a

    /etc/cron.daily/sync-cert
    #!/bin/bash\n\nSRC=\"/etc/pve/nodes/$(hostname -s)\"\nDST=\"/etc/proxmox-backup\"\n\nif ! cmp -s \"$SRC/pveproxy-ssl.pem\" \"$DST/proxy.pem\"; then\n  cp \"$SRC/pveproxy-ssl.key\" \"$DST/proxy.key\"\n  cp \"$SRC/pveproxy-ssl.pem\" \"$DST/proxy.pem\"\n  systemctl reload proxmox-backup-proxy.service\nfi\nexit 0\n\n# Unreachable code, leaving here for reference\nif command -v openssl 2>/dev/null; then\n  FP=\"$(openssl x509 -noout -fingerprint -sha256 -inform pem -in \"$DST/proxy.pem\")\"\n  FP=\"${FP##*=}\"\n  pvesm set esxi-5-data --finerprint \"$FP\"\n  pvesm set esxi-5-vdp2 --finerprint \"$FP\"\nfi\n
    "},{"location":"infrastructure/proxmox/pve/#pve-5","title":"pve-5","text":"

    pve-5 \u4f4d\u4e8e\u7f51\u7edc\u4e2d\u5fc3\uff0c\u914d\u7f6e\u4e3a 2\u00d7 Xeon E5-2603 v4 (Broadwell 6C6T, 1.70 GHz, no HT, no Turbo Boost) Xeon E5-2667 v4 (Broadwell 8C16T, 3.20 GHz, Max 3.60 GHz)\uff0c256 GB \u5185\u5b58\u548c\u4e00\u5927\u5806 SSD\uff082\u00d7 \u4e09\u661f 240 GB SATA + 10x Intel DC S4500 1.92 TB SATA\uff09\u3002\u6211\u4eec\u5c06\u4e24\u5757 240 GB \u7684\u76d8\u7ec4\u6210\u4e00\u4e2a LVM VG\uff0c\u5206\u914d 16 GB \u7684 rootfs\uff08LVM mirror\uff09\u548c 8 GB \u7684 swap\uff0c\u5176\u4f59\u7a7a\u95f4\u7ed9\u4e00\u4e2a thinpool\u3002\u5341\u5757 1.92 TB \u7684\u76d8\u7ec4\u6210\u4e00\u4e2a RAIDZ2 \u7684 zpool\uff0c\u7528\u4e8e\u5b58\u50a8\u865a\u62df\u673a\u7b49\u6570\u636e\u3002

    \u5176\u8fde\u63a5\u7684\u5355\u6839 10 Gbps \u7684\u5149\u7ea4\uff0c\u6865\u63a5\u51fa vmbr0\uff08Cernet\uff09, vmbr2\uff08Telecom\uff09, vmbr3\uff08Unicom\uff09, vmbr4\uff08Mobile\uff09\u56db\u4e2a\u4e0d\u540c VLAN \u7684\u7f51\u6865\uff0c\u53e6\u6709\u4e00\u4e2a vmbr1\uff08Ustclug\uff09\u7684\u65e0\u5934\u7f51\u6865\u7528\u4e8e\u4ece gateway-nic \u6865\u63a5 Tinc\u3002

    \u786c\u76d8\u63a7\u5236\u5668\u4e0d\u8981\u4f7f\u7528 VirtIO SCSI Single \u6216 LSI \u5f00\u5934\u7684\u9009\u9879

    \u53ef\u80fd\u7531\u4e8e ZFS \u6a21\u5757\u7684 bug \u6216\u8005\u5185\u5b58\u6761\u6545\u969c\uff0c\u4f7f\u7528\u8fd9\u4e9b\u6a21\u5f0f\u5728\u865a\u62df\u673a\u91cd\u542f\u65f6\u4f1a\u5bfc\u81f4\u6574\u4e2a Proxmox VE \u4e3b\u673a\u5361\u4f4f\u800c\u4e0d\u5f97\u4e0d\u91cd\u542f\u3002\u8bf7\u4f7f\u7528 VirtIO SCSI\uff08\u4e0d\u5e26 Single\uff09\u3002\u540c\u6837\u539f\u56e0\u521b\u5efa\u865a\u62df\u673a\u786c\u76d8\u65f6\u4e5f\u4e0d\u8981\u52fe\u9009 iothread\u3002

    \u4e3b\u673a\u4f7f\u7528 ZFS\uff08Zvol\uff09\u4f5c\u4e3a\u865a\u62df\u673a\u7684\u865a\u62df\u786c\u76d8\uff0c\u5728\u865a\u62df\u673a\u4e2d\u542f\u7528 fstrim.timer\uff08systemd \u7684 fstrim \u5b9a\u65f6\u4efb\u52a1\uff0c\u7531 util-linux \u63d0\u4f9b\uff09\u53ef\u4ee5\u5b9a\u671f\u817e\u51fa\u4e0d\u7528\u7684\u7a7a\u95f4\uff0c\u5e2e\u52a9 ZFS \u66f4\u597d\u5730\u89c4\u5212\u7a7a\u95f4\u3002\u542f\u7528 fstrim \u7684\u865a\u62df\u786c\u76d8\u9700\u8981\u5728 PVE \u4e0a\u542f\u7528 discard \u9009\u9879\uff0c\u5426\u5219 fstrim \u4e0d\u8d77\u4f5c\u7528\u3002\u8be5\u7279\u6027\u662f\u7531\u4e8e ZFS \u662f CoW \u7684\uff0c\u4e0e ZFS \u5e95\u5c42\u4f7f\u7528 SSD \u6ca1\u6709\u592a\u5927\u5173\u8054\u3002

    "},{"location":"infrastructure/proxmox/pve/#esxi-5","title":"esxi-5","text":"

    esxi-5 \u4e5f\u4f4d\u4e8e\u7f51\u7edc\u4e2d\u5fc3\uff0c\u914d\u7f6e\u4e3a 2\u00d7 Xeon E5620\uff08Westmere-EP 4C8T, 2.40~2.66 GHz\uff09\uff0c48 GB \u5185\u5b58\uff0c\u4e24\u5757 240 GB SATA SSD \u548c\u4e00\u4e9b\u4e0d\u77e5\u9053\u574f\u4e86\u591a\u5c11\u7684 1 TB \u548c 2 TB HDD\uff08\u89c1\u4e0b\uff09\u3002\u7531\u4e8e\u673a\u8eab\u81ea\u5e26\u7684 RAID \u5361\u4e0d\u652f\u6301\u786c\u76d8\u76f4\u901a\uff08JBOD \u6a21\u5f0f\uff09\uff0c\u56e0\u6b64\u6211\u4eec\u5c06\u4e24\u5757 SSD \u5206\u522b\u505a\u6210\u5355\u76d8\u201c\u9635\u5217\u201d\u7136\u540e\u5728\u7cfb\u7edf\u91cc\u4f7f\u7528 LVM\uff08LVM \u89c4\u683c\u4e0e pve-5 \u76f8\u540c\uff09

    \u987e\u540d\u601d\u4e49\u672c\u673a\u5668\u66fe\u7ecf\u8fd0\u884c\u7684\u662f VMware ESXi\uff0c\u5728 2022 \u5e74 1 \u6708\u91cd\u88c5\u4e3a Proxmox VE 7.1\uff0c\u56e0\u4e3a\u54b1\u4eec\u90fd\u662f\u7ea0\u7ed3\u602a\u6240\u4ee5\u51b3\u5b9a\u4e0d\u6539\u540d\uff0c\u8fd8\u53eb esxi-5\u3002\u8003\u8651\u5230\u8be5\u673a\u5668\u914d\u7f6e\u4e86\u591a\u4e2a\u786c\u76d8\u9635\u5217\uff0c\u4e14\u9635\u5217\u7684\u53ef\u7528\u5bb9\u91cf\u6bd4 pve-5 \u7684\u786c\u76d8\u7684\u539f\u59cb\u5bb9\u91cf\u8fd8\u5927\uff0c\u6211\u4eec\u5728\u4e0a\u9762\u52a0\u88c5 Proxmox Backup Server \u8f6f\u4ef6\uff0c\u4e3b\u8981\u7528\u4f5c\u865a\u62df\u673a\u5907\u4efd\uff0c\u66ff\u4ee3\u539f\u5148\u8fd0\u884c\u5728 ESXi \u4e0a\u7684 vSphereDataProtection \u865a\u62df\u673a\u3002

    "},{"location":"infrastructure/proxmox/pve/#_1","title":"\u7f51\u7edc","text":"

    \u7f51\u7edc\u914d\u7f6e\u4e0e pve-5 \u76f8\u4f3c\uff0c\u5176\u4e0a\u6709\u4e24\u4e2a\u5343\u5146\u7f51\u5361 enp3s0 \u548c enp4s0\u3002enp3s0 \u8fde\u63a5\u7f51\u7edc\u4e2d\u5fc3\u7684\u4ea4\u6362\u673a\uff0c\u6865\u63a5\u4e0d\u540c\u7684 VLAN \u7f51\u7edc\u7ed9\u865a\u62df\u673a\uff0c\u5e76\u4e14\u5404 vmbrX \u7684\u6570\u5b57\u548c\u7aef\u53e3\u4e0e pve-5 \u4e00\u81f4\uff1b\u800c enp4s0 \u8fde\u63a5\u4e00\u4e2a\u5916\u90e8\u9635\u5217\uff08vdp2\uff09\uff0c\u4f7f\u7528 iSCSI \u8bbf\u95ee\u8be5\u9635\u5217\u3002

    \u7531\u4e8e\u6211\u4eec\u53ea\u6709\u4e00\u4e2a gateway-nic\uff0c\u800c pve-5 \u548c esxi-5 \u4e24\u4e2a\u4e3b\u673a\u90fd\u4f9d\u8d56 gw-nic \u6865\u63a5\u7684 tinc \u6765\u63a5\u5165\u5185\u7f51\uff0c\u56e0\u6b64\u6211\u4eec\u5728 pve-5 \u548c esxi-5 \u4e4b\u95f4\u62c9\u4e86\u4e00\u6761 GRETAP \u96a7\u9053\uff0c\u5e76\u5728\u4e24\u4e2a\u4e3b\u673a\u4e0a\u5206\u522b\u5c06 VTEP \u6865\u63a5\u5230 vmbr1\u3002

    \u53c2\u8003\u914d\u7f6e\uff1a

    pve-5:/etc/network/interfaces
    auto gretap0esxi-5\niface gretap0esxi-5 inet manual\n    pre-up ip link add name $IFACE mtu $IF_MTU type gretap local 10.38.95.115 remote 10.38.95.111\n    post-down ip link delete $IFACE\n    mtu 1500\n\nauto vmbr1\niface vmbr1 inet static\n    address 10.254.0.240/21\n    bridge-ports gretap0esxi-5\n    bridge-stp off\n    bridge-fd 0\n

    esxi-5 \u8fd9\u7aef\u7684\u914d\u7f6e\u5219\u5c06\u5bf9\u5e94\u7684 iface \u540d\u79f0\u548c IP \u5730\u5740\u7b49\u5168\u90e8\u5bf9\u6362\u5373\u53ef\u3002

    MTU \u95ee\u9898

    2022 \u5e74 2 \u6708\u5904\u7406\u5185\u7f51 tinc ARP \u95ee\u9898\u65f6\u53d1\u73b0 esxi-5 \u548c pve-5 \u7684 vmbr1 MTU \u90fd\u88ab\u8bbe\u7f6e\u6210\u4e86 1462\uff08GRETAP \u7684\u9ed8\u8ba4 MTU\uff09\u3002\u6211\u4eec\u4e0d\u786e\u5b9a MTU \u95ee\u9898\u4e0e tinc \u662f\u5426\u76f8\u5173\uff0c\u4f46\u4fdd\u9669\u8d77\u89c1\u6211\u4eec\u8fd8\u662f\u5c06\u8be5 GRETAP \u754c\u9762\u7684 MTU \u8bbe\u7f6e\u6210\u4e86 1500\uff08GRE \u5177\u6709\u5206\u7247\u529f\u80fd\uff09\u3002

    -pre-up ip link add name $IFACE type gretap local 10.38.95.115 remote 10.38.95.111\n+pre-up ip link add name $IFACE mtu $IF_MTU type gretap local 10.38.95.115 remote 10.38.95.111\n post-down ip link delete $IFACE\n+mtu 1500\n
    "},{"location":"infrastructure/proxmox/pve/#iscsi","title":"iSCSI","text":"

    \u8bbe\u7f6e iSCSI \u5f00\u673a\u81ea\u52a8\u767b\u5f55\uff1a

    iscsiadm -m node -T iqn.2002-10.com.infortrend:raid.sn8223150.001 -p 192.168.10.1:3260 -o update -n node.startup -v automatic\niscsiadm -m node -T iqn.2002-10.com.infortrend:raid.sn8223150.001 -p 192.168.10.1:3260 -o update -n node.conn[0].startup -v automatic\n

    \u53c2\u8003\u94fe\u63a5\uff1ahttps://library.netapp.com/ecmdocs/ECMP1654943/html/GUID-8EC685B4-8CB6-40D8-A8D5-031A3899BCDC.html

    \u8fc7\u65f6\u4fe1\u606f

    \u7531\u4e8e\u6211\u4eec\u6ca1\u6709\u7814\u7a76\u6e05\u695a open-iscsi \u7684\u5f00\u673a\u81ea\u52a8\u6302\u8f7d\u673a\u5236\uff0c\u56e0\u6b64\u6211\u4eec\u9009\u62e9\u76f4\u63a5 override \u5bf9\u5e94\u7684 service \u6765\u5b8c\u6210\u8fd9\u4e2a\u4efb\u52a1\uff1a

    $ systemctl edit open-iscsi.service
    [Service]\nExecStart=\nExecStart=/sbin/iscsiadm -d8 -m node -T iqn.2002-10.com.infortrend:raid.sn8223150.001 -p 192.168.10.1:3260 --login\nExecStart=/lib/open-iscsi/activate-storage.sh\n

    \u82e5 iSCSI \u8fde\u63a5\u6210\u529f\uff0c\u5e94\u8be5\u53ef\u4ee5\u5728\u7cfb\u7edf\u4e2d\u770b\u5230\u4e00\u4e2a\u65b0\u7684\u786c\u76d8\uff0c\u5bb9\u91cf\u4e3a 14.55 TiB\uff0c\u578b\u53f7\u663e\u793a\u4e3a RS-3116I-S42-6\u3002

    "},{"location":"infrastructure/proxmox/pve/#rootfs-backup","title":"rootfs \u5907\u4efd","text":"

    \u5c3d\u7ba1 esxi-5 \u7684 rootfs \u4e5f\u4f7f\u7528\u4e86 LVM mirror \u5728\u4e24\u5757 SSD \u4e0a\u955c\u50cf\uff0c\u4f46\u662f\u6211\u4eec\u4e0d\u592a\u4fe1\u4efb\u8fd9\u5757 RAID \u5361\uff0c\u56e0\u6b64\u6211\u4eec\u5c06 esxi-5 \u7684 rootfs \u6bcf\u5929\u5907\u4efd\u5230 vdp2 \u4e0a\u3002\u4e3a\u4e86\u907f\u514d\u5728 vdp2 \u6389\u7ebf\u7684\u65f6\u5019\u4e71\u201c\u5907\u4efd\u201d\uff0c\u6211\u4eec\u4f7f\u7528\u4e00\u4e2a systemd \u670d\u52a1\uff0c\u8bbe\u7f6e\u4e86 RequiresMountsFor \u4f9d\u8d56\uff1a

    /etc/systemd/system/rootfs-backup.service
    [Unit]\nDescription=Backup rootfs to vdp2\nRequiresMountsFor=/mnt/vdp2\n\n[Service]\nType=oneshot\nExecStart=/usr/bin/rsync -aHAXx --delete / /mnt/vdp2/rootfs/\n
    crontab
    21 4 * * * systemctl start rootfs-backup.service\n
    "},{"location":"infrastructure/proxmox/pve/#esxi-5-others","title":"\u5176\u4ed6\u8bb0\u5f55","text":"

    esxi-5 \u4e8e 2021/8 \u53d1\u73b0\u81ea\u5e26\u9635\u5217\u6709\u4e24\u5757\u574f\u76d8\uff0c\u5728\u66f4\u6362\u540e\u53d1\u73b0 storage \"root\"\uff08\u5b58\u653e vcenter \u865a\u62df\u673a\uff0c\u7ec4\u5efa RAID 1 \u540e\u5927\u5c0f 1.8 TB\uff09\u65e0\u6cd5\u6b63\u5e38 rebuild\uff0c\u5e76\u4e14 vcenter \u865a\u62df\u673a\u7684 vmdk \u6587\u4ef6\u6709 4 \u4e2a\u51fa\u73b0 I/O error\u3002\u6b64\u540e vcenter \u865a\u62df\u673a\u5df2\u7ecf\u8fc1\u79fb\u5230 storage \"data\" (RAID10, 7.2 TB) \u5e76\u6b63\u5e38\u5de5\u4f5c\u3002

    "},{"location":"infrastructure/proxmox/pve/#records","title":"\u5de5\u4f5c\u8bb0\u5f55","text":""},{"location":"infrastructure/proxmox/pve/#migrate-docker2","title":"2021-12-31 \u8fc1\u79fb docker2","text":"

    docker2 \u539f\u5148\u4f7f\u7528 QEMU \u76f4\u63a5\u8fd0\u884c\u5728 mirrors2 \u4e0a\uff0c\u4e0b\u5c42\u5b58\u50a8\u4e3a ZFS Zvol\uff08pool0/qemu/docker2\uff09\uff0c\u7531\u4e8e ZFS \u8c03\u53c2\u4e0d\u5f53\u4f7f\u5176\u5360\u7528\u4e86 3 \u500d\u7684\u786c\u76d8\u7a7a\u95f4\uff08\u89c1\u8fd9\u4e2a Reddit \u8d34\u5b50\uff09\uff0c\u52a0\u4e0a mirrors2 \u672c\u8eab\u5bf9\u5916\u63d0\u4f9b Rsync \u670d\u52a1\uff0c\u786c\u76d8\u8d1f\u8f7d\u6781\u9ad8\uff0c\u6240\u4ee5\u957f\u671f\u4ee5\u6765 docker2 \u7684 I/O \u6027\u80fd\u5341\u5206\u4f4e\u4e0b\u3002\u6b63\u597d\u501f\u8fd9\u6b21\u5168\u95ea\u7684\u65b0\u5bbf\u4e3b\u673a\u5c06\u5176\u8fc1\u79fb\u8fc7\u53bb\u3002

    \u8fc1\u79fb\u65f6\u9700\u8981\u4fdd\u8bc1\u5b8c\u6574\u6027\u7684\u4e3b\u8981\u5185\u5bb9\u5c31\u662f\u865a\u62df\u673a\u5185\u7684\u4e1a\u52a1\uff0c\u56e0\u6b64\u9700\u8981\u5728\u4e3b\u673a\u95f4\u4f20\u8f93\u7684\u5185\u5bb9\u5c31\u662f\u865a\u62df\u78c1\u76d8\uff0c\u5176\u4ed6\u914d\u7f6e\uff08CPU\u3001\u5185\u5b58\u3001\u7f51\u5361\u7b49\uff09\u90fd\u53ef\u4ee5\u76f4\u63a5\u5728\u65b0\u5e73\u53f0\u4e0a\u521b\u5efa\u65b0\u865a\u62df\u673a\u65f6\u4fee\u6539\u3002\u539f\u672c\u6211\u4eec\u6253\u7b97\u4f7f\u7528 rsync \u6216\u8005 dd \u7684\u65b9\u5f0f\u590d\u5236\u78c1\u76d8\uff0c\u4f46\u662f\u8003\u8651\u5230\u4e24\u8fb9\u90fd\u662f ZFS\uff0c\u4f7f\u7528 zfs send \u662f\u4e00\u4e2a\u66f4\u597d\u7684\u65b9\u6848\u3002

    \u6211\u4eec\u5728 pve-5 \u4e0a\u8fd0\u884c nc -l -p 9999 </dev/null | pv | zfs recv rpool/data/docker2\uff0c\u7136\u540e\u5728 mirrors2 \u4e0a\u5bf9 zvol \u5148\u6253\u4e2a\u5feb\u7167\uff0c\u8fd0\u884c zfs send pool0/qemu/docker2@20211230 > /dev/tcp/{pve-5}/9999 \u5c06\u5feb\u7167\u5185\u5bb9\u53d1\u9001\u5230 pve-5 \u4e0a\uff08300 GiB \u7684\u6570\u636e\u82b1\u8d39\u4e86 16 \u5c0f\u65f6\uff09\uff0c\u7136\u540e\u518d\u5c06 docker2 \u5173\u673a\u5e76\u589e\u91cf\u4f20\u8f93\uff0czfs send -i @20211230 pool0/qemu/docker2 > /dev/tcp/{pve-5}/9999\uff08\u589e\u91cf\u4f20\u8f93\u53ea\u53d1\u9001\u4e86 10 GB \u6570\u636e\uff09\u3002\u540c\u65f6\u6211\u4eec\u5728 Proxmox \u7684 web \u754c\u9762\u4e0a\u521b\u5efa\u4e00\u4e2a\u65b0\u865a\u62df\u673a\uff0c\u914d\u597d CPU \u5185\u5b58\u7f51\u5361\u7b49\uff0c\u5206\u914d 300 GiB \u7684\u786c\u76d8\u3002

    \u7531\u4e8e zfs send \u662f\u539f\u6837\u53d1\u9001\u7684\uff0c\u56e0\u6b64\u63a5\u6536\u5230\u7684 zvol \u786c\u76d8\u5360\u7528\u91cf\u4ecd\u7136\u6709 712 GB\u3002Proxmox \u65b0\u5efa\u7684 zvol \u53c2\u6570\u5c31\u6bd4\u8f83\u5408\u7406\uff08volblocksize=16k\uff09\uff0c\u6ca1\u6709\u4e25\u91cd\u653e\u5927\u7684\u95ee\u9898\uff0c\u56e0\u6b64\u6211\u4eec\u518d\u5c06\u63a5\u6536\u5230\u7684 zvol \u7ed9 dd \u8fdb\u65b0\u865a\u62df\u673a\u7684 zvol \u800c\u4e0d\u662f\u76f4\u63a5\u4f7f\u7528\u3002dd \u7ed3\u679c\u7ea6 345 GiB\uff08\u5341\u5206\u5408\u7406\uff09\uff0c\u5f00\u673a\u8fdb\u7cfb\u7edf\u8fd0\u884c fstrim \u4e4b\u540e\u5360\u7528\u91cf\u7ea6\u4e3a 240 GiB\uff08\u66f4\u52a0\u5408\u7406\u4e86\uff09\u3002

    \u8fc1\u79fb\u8fc7\u7a0b\u6ca1\u6709\u9047\u5230\u4efb\u4f55\u5751\uff0c\u4ec5\u6709\u7684\u6ce8\u610f\u4e8b\u9879\u5c31\u662f zvol \u8c03\u53c2\u9700\u8981\u91cd\u65b0 dd \u800c\u4e0d\u80fd\u76f4\u63a5\u6539\uff0c\u4ee5\u53ca\u521b\u5efa\u7f51\u5361\u7684\u987a\u5e8f\uff08\u4f1a\u5f71\u54cd\u865a\u62df\u673a\u5185\u90e8 eth0 \u548c eth1 \u7684\u987a\u5e8f\uff0c\u9664\u975e\u865a\u62df\u673a\u5185\u90e8\u4f7f\u7528 udev persistent net \u65b9\u5f0f\u6839\u636e MAC \u5730\u5740\u5c06\u7f51\u5361\u6539\u540d\uff09\u3002

    "},{"location":"infrastructure/proxmox/pve/#esxi-5-syslog-zfs-error-cannot-open-rpool-no-such-pool","title":"esxi-5 \u7684 syslog \u4e00\u76f4\u51fa\u73b0 zfs error: cannot open 'rpool': no such pool","text":"

    \u8fd9\u662f\u56e0\u4e3a esxi-5 \u4e0a\u9762\u6839\u672c\u5c31\u6ca1\u6709\u4f7f\u7528 ZFS\uff0c\u800c\u52a0\u5165 pve-5 \u7684\u96c6\u7fa4\u65f6\u865a\u62df\u673a\u7684\u5b58\u50a8\u4fe1\u606f\uff08/etc/pve/storage.cfg\uff09\u4e5f\u4ece pve-5 \u540c\u6b65\u8fc7\u6765\u5408\u5e76\u4e86\uff0c\u56e0\u6b64 esxi-5 \u5728\u6839\u636e pve-5 \u7684\u914d\u7f6e\u5c1d\u8bd5\u542f\u7528 zfs \u5b58\u50a8\u3002

    \u89e3\u51b3\u529e\u6cd5\uff1a\u7531\u4e8e /etc/pve \u4e0b\u5927\u591a\u6570\u5185\u5bb9\u5728\u96c6\u7fa4\u95f4\u662f\u540c\u6b65\u7684\uff0c\u6253\u5f00 storage.cfg\uff0c\u5728 zfspool: local-zfs \u4e0b\u9762\u52a0\u5165\u4e00\u884c\uff0c\u7f29\u8fdb\u4e00\u4e2a Tab \u5e76\u52a0\u4e0a nodes pve-5\uff0c\u8868\u793a\u8fd9\u4e2a storage \u53ea\u5728 pve-5 \u4e0a\u4f7f\u7528\u3002

    "},{"location":"infrastructure/proxmox/pve/#pve-6","title":"pve-6","text":"

    pve-6 \u4f4d\u4e8e\u4e1c\u56fe\uff0c\u662f\u4e00\u53f0 HP DL380G6\uff0c\u914d\u7f6e\u4e3a 2\u00d7 Xeon E5620 (Westmere 4C8T, 2.50 GHz), 72 GB \u5185\u5b58\u548cl\u4e24\u5757 300 GB \u7684 SAS \u786c\u76d8\u3002\u66fe\u7ecf\u53eb\u505a esxi-6\uff0c\u5728 2022 \u5e74 1 \u6708\u7edf\u4e00\u66f4\u6362\u4e3a Proxmox VE\u3002

    \u673a\u5668\u6709\u4e24\u4e2a\u7f51\u5361\uff0c\u5171\u6709 4 \u4e2a 1 Gbps \u7684\u63a5\u53e3\uff0c\u5176\u4e2d 3 \u4e2a\u90fd\u63a5\u5728 VLAN \u4ea4\u6362\u673a\u4e0a\uff08\u53e6\u4e00\u4e2a\u4e0d\u77e5\u9053\u63a5\u4e86\u5565\uff09\uff0c\u901a\u8fc7 VLAN \u540c\u65f6\u8fde\u63a5\u56fe\u4e66\u9986\u7684\u4e24\u4e2a\u7f51\u6bb5\u4ee5\u53ca\u7ecf\u7531 gateway-el \u6865\u63a5\u7684\u5185\u7f51\uff0c\u4ee5\u53ca\u8fde\u63a5 vdp \u6302\u8f7d NFS\u3002

    HP Smart Array

    HP \u7684\u81ea\u5e26 RAID \u5361\u7ba1\u7406\u8f6f\u4ef6\u53ef\u4ee5\u5728 http://downloads.linux.hpe.com/SDR/repo/mcp/Debian/pool/non-free/ \u4e0b\u8f7d\uff0c\u5b89\u88c5 ssacli \u8f6f\u4ef6\u5305\u3002\u76f8\u5173\u4f7f\u7528\u65b9\u6cd5\u53ef\u4ee5\u53c2\u8003 https://sleeplessbeastie.eu/2017/03/06/how-to-use-hp-command-line-array-configuration-utility/\u3002

    "},{"location":"infrastructure/proxmox/pve/#pve-2-pve-4","title":"pve-2, pve-4","text":"

    pve-2 \u548c pve-4 \u4e5f\u4f4d\u4e8e\u4e1c\u56fe\uff0c\u662f\u4e24\u53f0\u672a\u77e5\u54c1\u724c\u3001\u672a\u77e5\u578b\u53f7\u7684\u65e7\u673a\u5668\uff0c\u914d\u7f6e\u4e3a 2\u00d7 Xeon E5420 (Very old 4C4T, 2.50 GHz), 16 GB \u5185\u5b58\uff08DDR2 667 MHz\uff09\u548c\u4e00\u5757 16 GB \u7684 SanDisk SSD\u3002\u8be5\u578b\u53f7\u673a\u5668\u6ca1\u6709 IPMI\u3002

    \u7531\u4e8e\u914d\u7f6e\u4f4e\u4e0b\uff0c\u6211\u4eec\u624b\u52a8\u5b89\u88c5\u4e86 Proxmox VE\uff0c\u6ca1\u6709\u4f7f\u7528 LVM\uff0c\u5206\u914d\u4e86 1 GB \u7684 swap\uff0c\u5269\u4e0b\u5168\u90e8\u7ed9 rootfs\u3002

    \u673a\u5668\u7684\u7f51\u5361\u6709\u4e24\u4e2a 1 Gbps \u7684\u63a5\u53e3\uff0c\u4e0e pve-6 \u76f8\u540c\uff0c\u90fd\u63a5\u5728\u540c\u4e00\u4e2a\u4ea4\u6362\u673a\u4e0a\u3002

    "},{"location":"services/discontinued/","title":"Discontinued Services","text":"

    \u672c\u9875\u9762\u8bb0\u8f7d\u66fe\u7ecf\u63d0\u4f9b\u7684\u670d\u52a1\uff0c\u4f46\u662f\u7531\u4e8e\u67b6\u6784\u6539\u53d8\u6216\u670d\u52a1\u8fc1\u79fb\uff0c\u8fd9\u4e9b\u670d\u52a1\u4e0d\u518d\u4ee5\u539f\u6765\u7684\u5f62\u5f0f\u63d0\u4f9b\uff0c\u5e76\u53ef\u80fd\u5728\u539f\u5904\u6709\u6b8b\u7559\u7684\u914d\u7f6e\u6587\u4ef6\u3002

    \u901a\u5e38\u60c5\u51b5\u4e0b\u6b8b\u7559\u7684\u914d\u7f6e\u6587\u4ef6\u53ef\u4ee5\u76f4\u63a5\u5220\u9664\uff0c\u4f46\u662f\u4fdd\u9669\u8d77\u89c1\uff0c\u4ecd\u7136\u5efa\u8bae\u5728 Internals \u7fa4\u91cc\u5148\u8be2\u95ee\u4e00\u4e0b\u518d\u5904\u7406\u3002

    "},{"location":"services/discontinued/#docker-registry","title":"Docker Registry","text":"

    \u66fe\u7ecf\u8fd0\u884c\u5728 docker2 \u4e0a\uff0c\u73b0\u5728 LUG \u7684 Docker \u955c\u50cf\u5df2\u8f6c\u79fb\u81f3 Docker Hub\u3002

    "},{"location":"services/discontinued/#freeshell","title":"Freeshell","text":"

    \uff08\u672a\u5b8c\u5f85\u7eed\uff0c\u914d\u7f6e\u6587\u4ef6\u5148\u4fdd\u7559\uff09

    "},{"location":"services/discontinued/#ustc-blog","title":"USTC Blog","text":"

    Refer to Gitlab Wiki.

    "},{"location":"services/discontinued/#telegram-web","title":"Telegram Web","text":"

    Service\uff1atelegram.ustclug.org

    Repository\uff1agithub.com/ustclug/telegram-web

    DockerHub\uff1austclug/telegram-web

    Deployment\uff1atelegram-web.sh

    Servers\uff1a

    Blog\uff1aadd-telegram-web-service

    "},{"location":"services/discontinued/#ustc-life","title":"USTC Life","text":"

    USTC Life is a navigation page, which included useful sites in USTC.

    2020-04-09 \u66f4\u65b0\u4fe1\u606f

    \u76ee\u524d\uff0cUSTC Life \u670d\u52a1\u6258\u7ba1\u5728 GitHub Pages \u4e0a\u3002\u4ee5\u4e0b\u5185\u5bb9\u4ec5\u4e3a\u5386\u53f2\u8bb0\u5f55\u3002

    service: ustc.life

    Git Repository: github.com/ustclug/ustclife

    DockerHub: ustclug/ustclife

    server: docker2.s.ustclug.org

    deploy: /srv/webhook/ustclife.sh

    webhook from DockerHub: /srv/webhook/hooks.json

    "},{"location":"services/docker2/","title":"Docker services","text":"

    Server: docker2.s.ustclug.org

    Provides Docker container environment for other services. All non-system services should be run as Docker containers on this host.

    Methods to run individual containers are maintained in the ustclug/docker-run-script repository.

    "},{"location":"services/docker2/#special-configurations","title":"Special configurations","text":""},{"location":"services/docker2/#network-interfaces","title":"Network interfaces","text":"

    We use udev rules to assign consistent names to network interfaces, identified by their MAC addresses.

    /etc/udev/rules.d/70-persistent-net.rules
    SUBSYSTEM==\"net\", ACTION==\"add\", DRIVERS==\"?*\", ATTR{address}==\"00:50:56:9f:00:22\", NAME=\"Telecom\"\nSUBSYSTEM==\"net\", ACTION==\"add\", DRIVERS==\"?*\", ATTR{address}==\"00:50:56:9f:00:5b\", NAME=\"Mobile\"\nSUBSYSTEM==\"net\", ACTION==\"add\", DRIVERS==\"?*\", ATTR{address}==\"00:50:56:9f:00:5d\", NAME=\"ustclug\"\n

    We then refer to these interfaces using their new names in /etc/network/interfaces to ensure consistent network configuration.

    2022 \u5e74 2 \u6708 21 \u65e5\u66f4\u65b0

    \u4eca\u65e5\u53d1\u73b0 docker2 \u65e0\u6cd5\u8fde\u63a5\u5bb9\u5668\u7f51\u7edc\uff0810.254.1.0/21\uff09\uff0c\u8c03\u8bd5\u540e\u53d1\u73b0\u4e3a Linux macvlan \u7f51\u7edc\u7279\u6027\uff08Stack Overflow\uff09\u3002\u4e3a\u4e86\u4fee\u590d\u8fde\u63a5\u95ee\u9898\uff0c\u8fdb\u884c\u4e86\u4ee5\u4e0b\u4fee\u6539\uff1a

    1. \u5c06 /etc/udev/rules.d/70-persistent-net.rules \u4e2d Policy \u66f4\u540d\u4e3a ustclug\uff1b
    2. \u5728 /etc/network/interfaces \u4e2d\u8bbe\u7f6e Policy \u548c ustclug \u4e24\u4e2a interface \u7684\u76f8\u5173\u914d\u7f6e\u5982\u4e0b\uff1a

      auto Policy\niface Policy inet static\n    address 10.254.0.16/21\n    pre-up ip link add $IFACE link ustclug type macvlan mode bridge\n    post-down ip link del $IFACE\n\nauto ustclug\niface ustclug inet manual\n
    "},{"location":"services/docker2/#docker-daemon-service","title":"Docker daemon service","text":"

    docker2 \u4e0a\u9762\u7684 Docker \u4f7f\u7528 macvlan \u6765\u5c06\u865a\u62df\u673a\u63a5\u5165 lugi \u5185\u7f51\uff0c\u56e0\u6b64\u5c06 macvlan \u7684\u4e3b\u7aef\u53e3 Policy \u914d\u7f6e\u4e3a docker.service \u7684\u5f3a\u4f9d\u8d56\u3002

    systemctl edit docker.service
    [Unit]\nBindsTo=sys-subsystem-net-devices-Policy.device\nAfter=sys-subsystem-net-devices-Policy.device\n

    \u5b9e\u9645\u4e0a After=network-online.target \u5c31\u591f\u4e86\uff0c\u4f46\u662f\u51fa\u4e8e\u5386\u53f2\u539f\u56e0\u4f7f\u7528\u4e86 BindsTo \u5f3a\u4f9d\u8d56\u5185\u7f51\u7aef\u53e3\uff0c\u8fd9\u662f\u56e0\u4e3a docker2 \u66fe\u7ecf\u5355\u72ec\u8fd0\u884c tinc \u63a5\u5165\u5185\u7f51\uff0c\u800c tinc \u7684\u7aef\u53e3\u53ea\u5728 tinc \u542f\u52a8\u540e\u624d\u4f1a\u51fa\u73b0\uff08\u624d\u80fd\u5206\u51fa macvlan \u5b50\u7aef\u53e3\uff09\uff0c\u56e0\u6b64\u4f7f\u7528 BindsTo \u4fdd\u8bc1 docker \u968f\u8be5\u7aef\u53e3\u7684\u51fa\u73b0\u548c\u6d88\u5931\u800c\u542f\u52a8/\u505c\u6b62\u3002

    2022 \u5e74 1 \u6708 15 \u65e5\u4ee5\u540e docker2 \u4e0e\u5176\u4ed6\u865a\u62df\u673a\u4e00\u6837\u901a\u8fc7 gateway-nic \u6865\u63a5\u7684 tinc \u63a5\u5165\u5185\u7f51\uff0c\u4e0d\u518d\u5355\u72ec\u8fd0\u884c tinc\u3002

    "},{"location":"services/docker2/#opensuse-guide-qtguide","title":"opensuse-guide \u4e0e qtguide \u6bcf\u65e5\u66f4\u65b0","text":"

    \u7531\u4e8e\u6ca1\u6709\u8bbe\u7f6e webhook\uff0c\u76ee\u524d\u914d\u7f6e\u4e86 systemd timer\uff0c\u6267\u884c /srv/docker/guide \u4e2d\u7684\u811a\u672c\uff0c\u4ee5\u5206\u522b\u5728\u6bcf\u65e5\u665a\u4e0a 23:15 \u548c 23:30 \u66f4\u65b0 opensuse-guide \u548c qtguide \u4e24\u4e2a\u5bb9\u5668\u7684 image \u5e76\u91cd\u542f\u5bb9\u5668\u3002

    \u8be6\u7ec6\u7684\u914d\u7f6e\u6587\u4ef6\u53ef\u67e5\u770b docker-run-script \u4e2d\u7684 opensuse-guide \u548c qtguide \u4e24\u4e2a\u6587\u4ef6\u5939\u3002

    "},{"location":"services/docker2/#workflows-troubleshooting","title":"Workflows & Troubleshooting","text":""},{"location":"services/docker2/#docker-pingd","title":"Docker \"pingd\"","text":"

    \u66f4\u65b0

    \u95ee\u9898\u5df2\u7ecf\u67e5\u660e\u4e3a Debian \u7684 Linux \u5185\u6838 bug (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=952660)\uff0c\u5df2\u7ecf\u901a\u8fc7\u66f4\u65b0\u5185\u6838\u5e76\u91cd\u542f\u800c\u89e3\u51b3\u3002\u4ee5\u4e0b\u5185\u5bb9\u4ec5\u4f5c\u5b58\u6863\u3002

    \u51fa\u4e8e\u672a\u77e5\u539f\u56e0\u6709\u65f6\u5019\u5916\u90e8\u4e3b\u673a\u4f1a\u65e0\u6cd5\u4e3b\u52a8\u8fde\u901a Docker \u5bb9\u5668\uff08\u53ef\u80fd\u4e0e ARP \u6709\u5173\uff09\uff0c\u4f46\u662f\u5982\u679c\u67d0\u4e2a\u5bb9\u5668\u5148 ping \u4e86\u4e00\u4e0b\u5916\u90e8\u4e3b\u673a\uff0c\u5c31\u80fd\u53cc\u5411\u8fde\u901a\u4e86\u3002

    \u7531\u4e8e\u6211\u4eec\u6682\u672a\u627e\u5230\u6b63\u5e38\u7684\u89e3\u51b3\u65b9\u6848\uff0c\u56e0\u6b64\u4f7f\u7528 \u201cping daemon\u201d \u4f5c\u4e3a\u4e00\u4e2a workaround\uff0c\u5728\u5bb9\u5668\u4e2d\u8fd0\u884c ping \u4fdd\u6301\u5916\u90e8\u4e3b\u673a\u7684\u8fde\u901a\u6027\u3002

    docker-pingd@.service
    [Unit]\nDescription=Docker pingd service %I\nDocumentation=man:ping(8)\nAfter=network.target\nStartLimitIntervalSec=0\n\n[Service]\nType=simple\nUser=root\nGroup=root\nExecStart=/bin/sh -c 'IVAR=\"%i\"; exec /usr/bin/docker exec \"$${IVAR%:*}\" ping -q -s 32 \"$${IVAR#*:}\"'\nExecStop=/bin/kill -s INT $MAINPID\nRestart=on-failure\nRestartSec=3\n\n[Install]\nWantedBy=multi-user.target\nAlias=docker-ping@.service\n

    \u4f7f\u7528\u65b9\u5f0f\uff1asystemctl enable docker-pingd@container:host.service\uff0ccontainer \u6362\u6210\u5bb9\u5668\u540d\uff0chost \u6362\u6210 ping \u7684\u76ee\u6807\u3002

    Trick \u4ecb\u7ecd\uff1aSystemd service \u914d\u7f6e\u6682\u4e0d\u652f\u6301\u591a\u4e2a\u6a21\u677f\u53c2\u6570 %i\uff0c\u56e0\u6b64\u8c03\u7528 shell \u6765\u89e3\u6790\u53c2\u6570\u3002Ref: https://github.com/systemd/systemd/issues/14895#issuecomment-612270690

    "},{"location":"services/docker2/#wordpress","title":"WordPress \u5347\u7ea7","text":"

    taoky

    \u5f88\u9ebb\u70e6\uff0c\u5efa\u8bae lug \u4ee5\u540e\u518d\u4e5f\u522b\u7528\uff08\u522b\u5f00\u65b0\u7684\uff09wordpress \u4e86\u3002

    servers \u4e0e\u65e7 planet \u4f7f\u7528 WordPress\uff0c\u6258\u7ba1\u5728 docker2 \u4e0a\u3002\u56e0\u4e3a docker2 \u73b0\u5728\u78c1\u76d8 IO \u5f88\u6162\uff0c\u6240\u4ee5\u53ef\u80fd\u4f1a\u51fa\u73b0\u4e00\u4e9b\u989d\u5916\u7684\u95ee\u9898\u3002

    \u63a8\u8350\u4f7f\u7528 https://wp-cli.org/#installing\u3002\u547d\u4ee4\uff1a

    chmod +x wp-cli.phar\nmv wp-cli.phar /usr/local/bin/wp\ncd /var/www/public/\nsudo -u www-data -- wp core update --version=5.8.1 /tmp/wordpress-5.8.1.zip\n

    \u5bb9\u5668\u91cc sudo \u8981\u624b\u52a8\u88c5\u3002

    \u4ee5\u4e0b\u5185\u5bb9\u4ec5\u4f9b\u53c2\u8003\u3002

    \u5c1d\u8bd5\u5347\u7ea7\u65f6\u5982\u679c\u672a\u51fa\u73b0\u5347\u7ea7\u63d0\u793a\uff0c\u53ef\u4ee5\u4fee\u6539\uff1a

    \u5982\u679c\u51fa\u73b0\u300c\u53e6\u4e00\u66f4\u65b0\u6b63\u5728\u8fd0\u884c\u300d\uff0c\u4e14\u786e\u8ba4\u4e0d\u5728\u66f4\u65b0\uff0c\u53ef\u4ee5\u5728\u6570\u636e\u5e93\u7684 wordpress \u8868\u4e2d\u6267\u884c\uff1a

    DELETE FROM wp_options WHERE option_name = 'core_updater.lock';\n
    "},{"location":"services/docker2/#docker","title":"\u770b\u8d77\u6765\u6b63\u5728\u8fd0\u884c\u4f46\u662f\u6ca1\u6709\u8fdb\u7a0b\u7684 Docker \u5bb9\u5668","text":"

    2021/10/25 \u53d1\u73b0\u67d0\u5bb9\u5668\u663e\u793a\u6b63\u5728\u8fd0\u884c\uff0c\u4f46\u662f\u5b9e\u9645\u6ca1\u6709\u8fdb\u7a0b\u3002\u540e\u53d1\u73b0\u4e3a Docker \u7684 bug\uff0c\u5728\u5bb9\u5668\u8fdb\u7a0b\u88ab cgroups \u5e72\u6389\u4e4b\u540e\u53ef\u80fd\u4f1a\u51fa\u73b0\u6b64\u60c5\u51b5\u3002

    \u5bf9\u5e94 issue\uff1ahttps://github.com/moby/moby/issues/38501

    \u89e3\u51b3\u65b9\u6cd5\uff1a\u5c06\u5bb9\u5668 ID \u5bf9\u5e94\u7684 containerd-shim \u6740\u6b7b\u5373\u53ef\u8ba9 Docker \u66f4\u65b0\u5176\u72b6\u6001\u4e3a\u5df2\u505c\u6b62\uff0c\u7136\u540e\u91cd\u65b0\u5f00\u542f\u5373\u53ef\u3002

    "},{"location":"services/documentations/","title":"LUG \u6587\u6863","text":""},{"location":"services/ftp/","title":"LUG FTP","text":"

    Services: FTP/FTPS, SFTP, HTTP, HTTPS, AFP

    Git repository: ustclug/lugftp

    Docker Hub: ustclug/ftp

    Server: vdp.s.ustclug.org (management ssh port 2222)

    Theme: h5ai

    Deploy: ftp.sh

    "},{"location":"services/ftp/#notes","title":"Notes","text":"
    1. SSL cert is required when running LUG FTP.
    2. ssh-keygen -A is required to be manually run when initializing.
    3. About directory permission:
      1. It is strongly suggested to keep permission & owner metadata when backing up/restoring.
      2. Public folder root: set owner root:root and permission 0755.
      3. Subfolders: set owner to 1000:1000. _h5ai and wp-content needs to be set to a different owner (misconfigured?). And Incoming shall be set to 0775.
    4. Do not use Google DNS in host, as China Mobile network may drop UDP packets to 8.8.8.8. A misconfigured DNS may lead to LDAP in container broken.
    5. Port 22 is delegated to the LUG FTP container for SFTP, and SSH access to the host has been reassigned to port 2222.
    "},{"location":"services/gateway-el/","title":"Gateway: East Campus Library (gateway-el)","text":"

    Todo

    Currently systemctl restart networking is required after a reboot to set up tunnel. This bug should be fixed.

    "},{"location":"services/gateway-el/#configurations","title":"Configurations","text":""},{"location":"services/gateway-el/#ip-virtual-server","title":"IP Virtual Server","text":"

    gateway-el uses IPVS to send requests from one port to other machines directly. IPVS is a Linux kernel feature. Use ipvsadm -Ln to get its status.

    "},{"location":"services/gateway-el/#tunnelmonitor","title":"tunnelmonitor","text":"

    The tunnels used by gateway-el is mainly maintained by tunnelmonitor. Its config files are in /etc/tunnelmonitor, service is tunnelmonitor.service, and log is /var/log/tunnel_monitor.log.

    When starting, netfilter-persistent.service should be run before tunnelmonitor. tunnelmonitor generates new mangle chains when starting, and pings all tunnels periodically and selects all available tunnels, and generates statistc rules.

    You check check /var/log/tunnel_monitor.log to see if one tunnel has been down. Currently (2021/09), only one tunnel is available among all tunnel settings in /etc/tunnelmonitor/tunnel.ini.

    "},{"location":"services/gateway-el/#iptables-mangle-rt_tables-and-ip-rule","title":"iptables mangle, rt_tables and ip rule","text":"

    The following example is for demonstration purposes only.

    You can get current status by iptables -t mangle -S. It is expected to see something like this:

    -A DemonstrateManglePrerouting -m statistic --mode nth --every 1 --packet 0 -j MARK --set-xmark 0x12345/0xffffffff\n// ...\n-A PREOUT -m mark --mark 0x0 -j DemonstrateManglePrerouting\n

    In this case, all packages to DemonstrateManglePrerouting chain will get fwmark 0x12345 (= 74565).

    Check ip rule for that:

    // ...\n10: from all fwmark 0x12345 lookup ExtraDemoTunnel\n// ...\n

    You can get tunnel information in ip a:

    29: ExtraDemoTunnel: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000\n    link/none\n    inet 192.168.252.17 peer 192.168.253.17/32 brd 192.168.252.17 scope global ExtraDemoTunnel\n       valid_lft forever preferred_lft forever\n

    Here 192.168.252.17 is the local server of tunnel, and 192.168.253.17 is the remote server.

    Let's check /etc/network/interfaces.d:

    /etc/network/interfaces.d/03ExtraDemoTunnel
    auto ExtraDemoTunnel\niface ExtraDemoTunnel inet static\n    address 192.168.252.17\n    netmask 255.255.255.255\n    pre-up ip link add dev $IFACE type wireguard\n    post-down ip link del dev $IFACE\n    up wg set $IFACE listen-port 4601 private-key /etc/wireguard/privkey peer pkeypkeypkeypkeypkeypkeypkeypkeypkeypkeypkey endpoint 23.3.3.3:4600 allowed-ips 0.0.0.0/0\n    up ip route replace default dev $IFACE table $IFACE\n    up ip rule add from all fwmark 74565 table $IFACE prio 10\n    pointopoint 192.168.253.17\n

    Here we know that this is a wireguard tunnel, and the endpoint is 23.3.3.3:4600. The fwmark here is 74565 (in decimal).

    Why is 74565 set? Let's check /etc/iproute2/rt_tables!

    // ...\n74565   ExtraDemoTunnel\n// ...\n

    For wireguard, you can use wg to check status. If you find that the \"received\" is 0 in transferred, something is going wrong.

    "},{"location":"services/gateway-el/#issues","title":"Issues & resolution","text":""},{"location":"services/gateway-el/#ipvs-conntrack","title":"IPVS Conntrack","text":"

    In early March 2022 we noticed Light connectivity issues from outside USTCnet, which was narrowed down to connections bypassing Linux Conntrack mechanism.

    Thanks to TUNA group we learned about /proc/sys/net/ipv4/vs/conntrack, which at the time the problem was located, was zero. Settings this to 1 solved the problem.

    However after writing net.ipv4.vs.conntrack = 1 to /etc/sysctl.d/10-ipvs-conntrack.conf and rebooting, the problem returned. Checking systemctl status systemd-sysctl.service we noticed this:

    Mar 05 00:00:00 gateway-el systemd-sysctl[218]: Couldn't write '0' to 'net/ipv4/vs/conntrack', ignoring: No such file or directory\n

    Adding ip_vs to /etc/modules and rebooting again correctly fixed the problem.

    This is because the module was automatically loaded the first time ipvsadm is called (namely, /etc/init.d/ipvsadm), which happened at a very late stage. Adding to /etc/modules gets the module loaded earlier (and before systemd-sysctl.service) so it worked.

    "},{"location":"services/gateway-el/#tinc-issue","title":"Tinc issue","text":"

    See gateway

    "},{"location":"services/gateway-jp/","title":"Gateway: Japan (gateway-jp)","text":"

    This page is currently a stub.

    "},{"location":"services/gateway-nic/","title":"Gateway: Network Information Center (gateway-nic)","text":"

    Previously gateway-nic used CentOS 7 to 8 to Stream, to \"avoid putting all eggs in one basket\". This VM was replaced by a newly setup Debian Bullseye VM on January 2022 during migration from ESXi to Proxmox VE.

    The virtual disk of the old gateway-nic was copied onto pve-5, located at ZFS Zvol rpool/data/gateway-nic. The current VM uses rpool/data/vm-200-disk-0 instead (Proxmox naming convention).

    "},{"location":"services/gateway-nic/#config-file-management","title":"Config file management","text":"

    Git repositories exist for these directories:

    /etc/nginx\n/etc/systemd/network\n/etc/tinc\n
    "},{"location":"services/gateway-nic/#networking","title":"Networking","text":"

    We use systemd-networkd to configure network on gateway-nic. This replaces both ifupdown (config file /etc/network/interfaces)

    $ systemctl edit systemd-networkd.service
    [Service]\nExecStartPre=-/sbin/ip -4 rule flush\nExecStartPre=-/sbin/ip -6 rule flush\n\n[Install]\nAlias=networkd.service\n

    The ExecStartPre= commands flush (clear) existing rules so that systemd-networkd can fully manage all rules. This is because ManageForeignRoutingPolicyRules is a new setting in systemd 249, while Debian Bullseye uses systemd 247, so we have to do this manually.

    We then load the regular \"main\" and \"default\" rules on the loopback interface (routing rules aren't bound to interfaces, but are added/removed when the configured interface is brought up/turned down).

    /etc/systemd/network/00-lo.network
    [Match]\nName=lo\n\n# Route \"main\"\n[RoutingPolicyRule]\nFamily=both\nTable=254\nPriority=2\nSuppressPrefixLength=1\n\n# Route \"Special\"\n[RoutingPolicyRule]\nFamily=both\nTable=1000\nPriority=5\nSuppressPrefixLength=1\n\n# Route \"default\"\n[RoutingPolicyRule]\nFamily=both\nTable=253\nPriority=32767\n
    "},{"location":"services/gateway-nic/#interfaces","title":"Interfaces","text":"

    Systemd-networkd has built-in capability to rename interfaces, so there's no need to use udev rules.

    For example, to assign a name for the cernet interface, we use:

    /etc/systemd/network/12-Cernet.link
    [Match]\nPermanentMACAddress=00:50:56:a2:02:8c\n\n[Link]\nName=Cernet\n

    We then configure addresses and routing rules for this interface:

    /etc/systemd/network/12-Cernet.network
    [Match]\nName=Cernet\n\n[Network]\nAddress=202.38.95.102/25\nAddress=2001:da8:d800:95::102/64\nIPv6AcceptRA=no\n\n[Route]\nGateway=202.38.95.126\nTable=253\nMetric=2\n\n[Route]\nGateway=2001:da8:d800:95::1\nTable=253\nMetric=2\n\n[Route]\nGateway=202.38.95.126\nTable=1002\n\n[Route]\nGateway=2001:da8:d800:95::1\nTable=1002\n\n[RoutingPolicyRule]\nFrom=202.38.95.102\nTable=1002\nPriority=3\n\n[RoutingPolicyRule]\nFrom=2001:da8:d800:95::102\nTable=1002\nPriority=3\n\n[RoutingPolicyRule]\nFamily=both\nOutgoingInterface=Cernet\nTable=1002\nPriority=3\n\n[RoutingPolicyRule]\nFamily=both\nFirewallMark=0x2\nTable=1002\nPriority=4\n

    This config file assigns one IPv4 and one IPv6 address to the interface, as well as one IPv4 route and one IPv6 route for both the default routing table and an interface-specific routing table. It then adds three routing rules in both IPv4 and IPv6 for replying on the same interface, for sockets bound to this interfaces, and for firewall mark routing.

    Other interfaces are configured similarly, so just refer to their configuration files for details.

    "},{"location":"services/gateway-nic/#routes","title":"Routes","text":"

    Outgoing connections are routed through different ISPs. We use ISP IP data from gaoyifan/china-operator-ip. Relevant files are located under /usr/local/network_config.

    The said repository (branch ip-lists) is cloned and we symlink select files to iplist directory for consumption. A custom script converts these IP data into additional systemd-networkd config files (under /run/systemd).

    $ ls -l /usr/local/network_config/iplist/
    lrwxrwxrwx cernet.txt -> ../china-operator-ip/cernet.txt\nlrwxrwxrwx cernet6.txt -> ../china-operator-ip/cernet6.txt\nlrwxrwxrwx china.txt -> ../china-operator-ip/china.txt\nlrwxrwxrwx china6.txt -> ../china-operator-ip/china6.txt\nlrwxrwxrwx cstnet.txt -> ../china-operator-ip/cstnet.txt\nlrwxrwxrwx cstnet6.txt -> ../china-operator-ip/cstnet6.txt\nlrwxrwxrwx mobile.txt -> ../china-operator-ip/cmcc.txt\nlrwxrwxrwx telecom.txt -> ../china-operator-ip/chinanet.txt\nlrwxrwxrwx unicom.txt -> ../china-operator-ip/unicom.txt\n-rw-r--r-- ustcnet.txt\n-rw-r--r-- ustcnet6.txt\n
    /usr/local/network_config/route-all.sh
    #!/bin/bash\n\n[ -n \"$BASH_VERSION\" ] || exit 1\n\nWD=\"$(dirname \"$0\")\"\nROOT_IP_LIST=\"$WD/iplist\"\nROOT_CONF=/etc/systemd/network\nROOT_RT=/run/systemd/network\n\ngen_route() {\n  local DEVFILE=\"$1\"\n  local DEV=\"$(awk -F = '/^Name=/{print $2; exit}' \"$ROOT_CONF/$DEVFILE.network\")\"\n  local GW=\"$2\" FAMILY=ipv4 V6\n  if [[ \"$GW\" =~ : ]]; then\n    FAMILY=ipv6\n    V6=\"-v6\"\n  fi\n  # Convert table to number\n  local TABLENAME=\"$3\"\n  local TABLE=\"$(awk 'substr($0, 1, 1) != \"#\" && $2 == \"'\"$TABLENAME\"'\" { print $1 }' /etc/iproute2/rt_tables | head -1)\"\n  local PRIORITY=\"$4\"\n  shift 4\n\n  F=\"$ROOT_RT/$DEVFILE.network.d\"\n  mkdir -p \"$F\"\n  F=\"$F/route-${TABLENAME,,}${V6}.conf\"\n  echo -e \"[RoutingPolicyRule]\\nFamily=$FAMILY\\nTable=$TABLE\\nPriority=$PRIORITY\\n\" > \"$F\"\n\n  awk '{ print \"[Route]\\nDestination=\" $1 \"\\nGateway='\"$GW\"'\\nTable='\"$TABLE\"'\\n\" }' \"${@/#/$ROOT_IP_LIST/}\" >> \"$F\"\n}\n\ngen_route 12-Cernet 202.38.95.126 ustcnet 5 ustcnet.txt\ngen_route 12-Cernet 2001:da8:d800:95::1 ustcnet 5 ustcnet6.txt\ngen_route 12-Cernet 202.38.95.126 cernet 6 cernet.txt cstnet.txt\ngen_route 12-Cernet 2001:da8:d800:95::1 cernet 6 cernet6.txt cstnet6.txt\ngen_route 13-Telecom 202.141.160.126 telecom 6 telecom.txt unicom.txt\ngen_route 14-Mobile 202.141.176.126 mobile 6 mobile.txt\ngen_route 12-Cernet 202.38.95.126 china 7 china.txt\ngen_route 12-Cernet 2001:da8:d800:95::1 china 7 china6.txt\n

    We then use a systemd service to ensure additional files for systemd-networkd are generated before it starts.

    /etc/systemd/system/route-all.service
    [Unit]\nDescription=Generate routes for systemd-networkd\nBefore=systemd-networkd.service\n\n[Service]\nType=oneshot\nExecStart=/bin/bash /usr/local/network_config/route-all.sh\n#ExecStart=/usr/local/network_config/special.rb\nRemainAfterExit=true\n\n[Install]\nWantedBy=network.target systemd-networkd.service\n

    Updating routes from upstream is easy:

    /usr/local/network_config/update.sh
    #!/bin/sh\n\ncd \"$(dirname \"$0\")\"\n\ngit -C china-operator-ip pull\nsystemctl restart route-all.service\n

    The resulting routing policies look like this:

    $ ip rule
    0:      from all lookup local\n2:      from all lookup main suppress_prefixlength 1\n3:      from 172.16.0.2 lookup Warp\n3:      from all oif Warp lookup Warp\n3:      from 202.141.176.102 lookup Mobile\n3:      from all oif Mobile lookup Mobile\n3:      from 202.141.160.102 lookup Telecom\n3:      from all oif Telecom lookup Telecom\n3:      from 202.38.95.102 lookup Cernet\n3:      from all oif Cernet lookup Cernet\n4:      from all fwmark 0x5 lookup Warp\n4:      from all fwmark 0x4 lookup Mobile\n4:      from all fwmark 0x3 lookup Telecom\n4:      from all fwmark 0x2 lookup Cernet\n5:      from all lookup Special suppress_prefixlength 1\n5:      from all lookup Ustcnet\n6:      from all lookup mobile\n6:      from all lookup telecom\n6:      from all lookup cernet\n7:      from all lookup china\n32767:  from all lookup default\n
    "},{"location":"services/gateway-nic/#tinc-vpn","title":"Tinc VPN","text":"

    Gateway-NIC connects to intranet with Tinc. There's no special Tinc configuration other than those described at the Tinc VPN page.

    Because Tinc now uses systemd services instead of System V init.d scripts, we need to systemctl enable tinc@ustclug.service to make it start on boot. Everything is managed through this templated systemd service.

    "},{"location":"services/gateway-nic/#systemd-networkd-wait-onlineservice","title":"systemd-networkd-wait-online.service","text":"

    We also override systemd-networkd's online detection for goodness' sake, so it doesn't block booting. Note that it may interfere with services depending on network-online.target, though we have yet to discover any issues.

    $ systemctl edit systemd-networkd-wait-online.service
    [Service]\nExecStart=\nExecStart=/bin/sleep 1\n
    "},{"location":"services/gateway-nic/#iptables","title":"iptables","text":"

    All iptables firewall rules are managed manually. We use iptables-persistent to automatically load firewall rules on boot.

    To change the rules, manually edit /root/iptables/rules.v4 or rules.v6 and then run apply.sh to apply the changes.

    "},{"location":"services/gateway-nic/#fail2ban","title":"Fail2ban","text":"

    We use fail2ban to stop SSH scanning and brute-force attempts.

    Because fail2ban relies on changing iptables to work, to improve its performance as well as minimize its tampering of iptables rules, we use ipsets for fail2ban.

    After stock installation of fail2ban package, remove defaults-debian.conf and add this file to secure SSH daemon:

    /etc/fail2ban/jail.d/sshd.conf
    [sshd]\nenabled = true\nmode    = aggressive\nfilter  = sshd[mode=%(mode)s]\nlogpath = /var/log/auth.log\nbackend = pyinotify\naction  = iptables-ipset-proto6[chain=\"fail2ban\"]\n

    We provide a pre-created empty chain named fail2ban for fail2ban to manipulate (see iptables above).

    To make sure fail2ban rules can be re-applied after reloading iptables manually, we override the systemd service so that fail2ban is restarted whenever the iptables service is restarted.

    $ systemctl edit fail2ban.service
    [Unit]\nAfter=netfilter-persistent.service\nBindsTo=netfilter-persistent.service\n

    For some servers where we want to manually start fail2ban, we use Requires= + PartOf=. This will propagate \"restart\" event from iptables to fail2ban, but not \"start\".

    $ systemctl edit fail2ban.service
    [Unit]\nAfter=netfilter-persistent.service\nRequires=netfilter-persistent.service\nPartOf=netfilter-persistent.service\n
    "},{"location":"services/generate-204/","title":"Generate 204","text":"

    Service: 204.ustclug.org (HTTP / HTTPS)

    Server: (gateway)

    Blog: add-http-204-service

    "},{"location":"services/generate-204/#configration","title":"Configration","text":"/etc/nginx/sites-available/204.ustclug.org
    server {\n    listen      80;\n    listen      [::]:80;\n    listen      443 ssl http2;\n    listen      [::]:443 ssl http2;\n    server_name 204.ustclug.org;\n    access_log  /var/log/nginx/204_access.log;\n    error_log   /var/log/nginx/204_error.log;\n    return 204;\n}\n

    The authoritative copy is on LUG GitLab.

    "},{"location":"services/gitlab/","title":"GitLab","text":"

    Server: gitlab.s.ustclug.org (management ssh port 2222)

    Git Repository: gitlab-scripts

    "},{"location":"services/gitlab/#gitlab-security","title":"GitLab & Security","text":"

    GitLab \u7ef4\u62a4\u8005\u9700\u8981\u8ba2\u9605\uff1a

    1. GitLab Security Notices \u90ae\u4ef6\u5217\u8868 (https://about.gitlab.com/company/contact/ \u53f3\u4fa7 \"Sign up for security notices\")
    2. sameersbn/docker-gitlab Releases (Watch \u2192 Custom \u2192 Releases)

    \u5728 GitLab \u6709 Security Release \u4e14 docker-gitlab \u53d1\u5e03\u65b0\u7248\u672c\u4e4b\u540e\u9700\u8981\u5b89\u6392\u65f6\u95f4\u66f4\u65b0\u3002\u5c24\u5176 Critical Security Release \u9700\u8981\u5c3d\u5feb\u627e\u65f6\u95f4\u66f4\u65b0\u3002

    "},{"location":"services/gitlab/#_1","title":"\u66f4\u65b0","text":"

    \uff08\u5efa\u8bae\u9605\u8bfb https://docs.gitlab.com/ee/update/index.html\uff09

    \u7531\u4e8e\u5df2\u7ecf docker \u5316\uff0c\u56e0\u6b64\u6211\u4eec\u7684\u66f4\u65b0\u662f\u901a\u8fc7\u62c9\u53d6 sameersbn/docker-gitlab \u7684 docker image\uff0c\u8fdb\u884c\u6570\u636e\u5e93\u51c6\u5907\u4ee5\u53ca\u542f\u52a8\u955c\u50cf\u5b9e\u4f8b\u6765\u8fdb\u884c\u66f4\u65b0\uff0cZack Zeng \u5b66\u957f\u5df2\u7ecf\u5199\u597d\u4e86\u4e00\u5957\u811a\u672c\u7cfb\u7edf\uff1agitlab-scripts\uff0c\u56e0\u6b64\u66f4\u65b0\u65f6\u53ea\u8981\u8dd1\u811a\u672c\u5c31\u53ef\u4ee5\u4e86\u3002

    \u7531\u4e8e\u66f4\u65b0\u9700\u8981\u505c\u6b62\u670d\u52a1\uff0c\u56e0\u6b64\u8bf7\u4e8e\u66f4\u65b0\u524d\u81f3\u5c11\u51e0\u5c0f\u65f6\u53d1\u5e03\u66f4\u65b0\u516c\u544a\uff08\u5305\u62ec\u5177\u4f53\u65f6\u95f4\u7b49\uff09\uff0c\u5e76\u68c0\u67e5 Admin -> Monitoring -> Background Migrations \u4e2d\u6240\u6709 migration \u662f\u5426\u90fd\u5df2\u7ecf\u6210\u529f\u5b8c\u6210\u3002

    \u66f4\u65b0\u524d\u8bf7\u5148\u63d0\u524d\u4e8e Proxmox VE \u4e0a\u5bf9\u865a\u62df\u673a\u6253\u5feb\u7167\uff08\u6253\u5feb\u7167\u65f6\u670d\u52a1\u4f1a\u6682\u65f6\u505c\u6b62\uff09

    \u6253\u5b8c\u5feb\u7167\u4e4b\u540e\u4f7f\u7528\u811a\u672c\u8fdb\u884c\u66f4\u65b0\uff08\u76ee\u524d\u811a\u672c\u4f4d\u4e8e /home/sirius/gitlab-scripts\uff09\uff0c\u9996\u5148\u4f7f\u7528 ./gitlab.sh db \u8fdb\u884c\u6570\u636e\u5e93\u7684\u51c6\u5907\u5de5\u4f5c\u3002\u4e4b\u540e\u53ef\u4ee5\u901a\u8fc7 ./gitlab.sh run <\u7248\u672c\u53f7> \u6765\u8fdb\u884c docker container \u7684\u66ff\u6362\u3002\u66f4\u6362\u524d\u811a\u672c\u4f1a\u81ea\u52a8\u62c9\u53d6\u76f8\u5e94\u7248\u672c\u53f7\u7684 docker \u955c\u50cf\uff0c\u5982\u679c\u62c5\u5fc3\u62c9\u53d6\u65f6\u95f4\u8fc7\u957f\u53ef\u4ee5\u5728\u6253\u5feb\u7167\u524d\u63d0\u524d\u901a\u8fc7 docker pull sameersbn/gitlab:<\u7248\u672c\u53f7> \u6765\u62c9\u53d6\u76f8\u5e94\u7684\u955c\u50cf\u3002

    \u4e00\u822c\u60c5\u51b5\u4e0b\u7ecf\u4ee5\u4e0a\u64cd\u4f5c\u540e\u66f4\u65b0\u5c31\u6b63\u5e38\u7ed3\u675f\uff0c\u5982\u679c\u957f\u65f6\u95f4\u65e0\u6cd5\u542f\u52a8\uff0c\u53ef\u4ee5\u901a\u8fc7 docker logs gitlab \u67e5\u770b\u65e5\u5fd7\uff0c\u5982\u679c\u53d1\u73b0\u66f4\u65b0\u540e\u7684\u542f\u52a8\u51fa\u73b0\u95ee\u9898\uff0c\u53ef\u4ee5\u5230 sameersbn/docker-gitlab \u7684 issue \u533a\u7b49\u5730\u67e5\u770b\u76f8\u5173 issue\uff0c\u4ee5\u53ca\u901a\u8fc7\u5bf9\u51fa\u9519\u65e5\u5fd7\u8fdb\u884c Google \u53ef\u80fd\u4f1a\u53d1\u73b0\u662f gitlab \u4e0a\u6e38\u7b49\u51fa\u73b0\u7684\u95ee\u9898\u3002\u5982\u679c\u6709\u89e3\u51b3\u529e\u6cd5\uff0c\u53ef\u4ee5\u6309\u7167\u76f8\u5e94\u89e3\u51b3\u529e\u6cd5\u89e3\u51b3\uff0c\u5982\u679c\u6ca1\u6709\u3002\u53ef\u4ee5\u901a\u8fc7\u627e\u5230\u6709\u76f8\u5e94\u95ee\u9898\u524d\u7684\u6b63\u5e38\u7248\u672c\u53f7\uff0c\u56de\u6eda\u5feb\u7167\uff0c\u4e4b\u540e\u66f4\u5230\u8868\u73b0\u6b63\u5e38\u7684\u7248\u672c\u3002\uff08\u6700\u8fd1\u7684\u66f4\u65b0\u4f1a\u5728\u542f\u52a8\u4e4b\u540e\u77ed\u6682\u51fa\u73b0 502 \u7684\u60c5\u51b5\uff0c\u4f46\u5f88\u5feb\u5c31\u4f1a\u6062\u590d\uff0c\u9047\u5230\u8fd9\u79cd\u60c5\u51b5\u65f6\u4e0d\u8981\u60ca\u614c\uff09\u3002

    \u7531\u4e8e\u66f4\u65b0\u53ef\u80fd\u4f1a\u51fa\u73b0\u95ee\u9898\u5bfc\u81f4\u670d\u52a1\u4e0d\u53ef\u7528\uff0c\u56e0\u6b64\u4e0d\u5efa\u8bae\u901a\u8fc7 cron \u7b49\u65b9\u5f0f\u81ea\u52a8\u8fdb\u884c\u66f4\u65b0\u3002

    \u5efa\u8bae\u5728\u66f4\u65b0\u5b8c\u6210 72 \u5c0f\u65f6\u5185\u5220\u9664\u5feb\u7167\uff0c\u8be6\u89c1 \u5173\u4e8e\u5feb\u7167\u3002

    "},{"location":"services/gitlab/#postgresql-redis","title":"postgresql \u4e0e redis \u7684\u66f4\u65b0","text":"

    \u7531\u4e8e gitlab \u66f4\u65b0\u540e\u53ef\u80fd\u5bf9 postgresql \u4e0e redis \u7684\u7248\u672c\u6709\u8981\u6c42\uff0c\u56e0\u6b64\u6709\u53ef\u80fd\u9700\u8981\u5b9a\u671f\u66f4\u65b0 redis \u4e0e postgresql\u3002

    \u66f4\u65b0\u524d\u8bf7\u5148\u505c\u6b62 gitlab \u7684 container\u3002

    \u66f4\u65b0\u65f6\u53ef\u4ee5\u6309\u7167\u5b98\u7f51\u6559\u7a0b docker-postgresql \u8fdb\u884c\u66f4\u65b0\uff0c\u53ef\u4ee5\u901a\u8fc7\u62c9\u53d6 latest \u6807\u7b7e\u7684\u955c\u50cf\uff0c\u5220\u9664\u539f\u6765\u7684 container\uff0c\u518d\u901a\u8fc7\u811a\u672c ./gitlab.sh db \u81ea\u52a8\u542f\u52a8\uff0c\u6570\u636e\u5e93\u66f4\u65b0\u65f6\u53ef\u80fd\u4f1a\u9700\u8981\u4e00\u5b9a\u65f6\u95f4\u6765\u8fc1\u79fb\u6570\u636e\uff0c\u8bf7\u901a\u8fc7 docker logs -f gitlab-postgresql \u547d\u4ee4\u6765\u67e5\u770b\u8fc1\u79fb\u8fdb\u5ea6\uff0c\u5f85\u8fc1\u79fb\u5b8c\u6210\u540e\u518d\u8fd0\u884c GitLab \u7684 container\u3002

    "},{"location":"services/gitlab/#rails-console","title":"\u8bbf\u95ee Rails console","text":"

    Rails console \u53ef\u4ee5\u5b8c\u6210\u4e00\u4e9b\u9ad8\u7ea7\u7684\u7ef4\u62a4\u4efb\u52a1\u3002\u5728 gitlab \u5bb9\u5668\u4e2d\u6267\u884c bin/rails console \u542f\u52a8\u3002\u6ce8\u610f console \u7684\u542f\u52a8\u65f6\u95f4\u5f88\u957f\uff08 1 \u5206\u949f\u4ee5\u4e0a\uff09\uff0c\u9700\u8981\u6709\u8010\u5fc3\u3002

    \u53ef\u4ee5\u6267\u884c\u7684\u547d\u4ee4\u53ef\u53c2\u8003 https://docs.gitlab.com/ee/administration/troubleshooting/gitlab_rails_cheat_sheet.html\u3002

    "},{"location":"services/gitlab/#_2","title":"\u67e5\u8be2","text":""},{"location":"services/gitlab/#hashed-storage","title":"\u67e5\u8be2 Hashed storage \u4e0b\u4ed3\u5e93\u5bf9\u5e94\u7684\u9879\u76ee","text":"
    ProjectRepository.find_by(disk_path: '@hashed/23/33/2333333333333333333333333333333333333333333333333333333333333333').project\n

    \u5982\u679c\u5b58\u5728\uff0c\u4f1a\u8fd4\u56de\u7c7b\u4f3c\u4ee5\u4e0b\u7684\u5185\u5bb9\uff1a

    => #<Project id:23333 username/project>>\n
    "},{"location":"services/gitlab/#sql-like","title":"\u67e5\u8be2\u65e0\u9879\u76ee\u4e14\u90ae\u7bb1\u6ee1\u8db3\u6761\u4ef6\u7684\u7528\u6237 (SQL like)","text":"
    users = User.where('id NOT IN (select distinct(user_id) from project_authorizations)')\nusers = users.where('email like ?', '%.ru')\nusers.count\n\nusers.each do |user|\n    puts user.last_activity_on\nend\n
    "},{"location":"services/gitlab/#_3","title":"\u5237\u65b0\u67d0\u4e2a\u9879\u76ee\u7684\u7edf\u8ba1\u4fe1\u606f","text":"
    p = Project.find_by_full_path('<namespace>/<project>')\npp p.statistics\np.statistics.refresh!\npp p.statistics\n
    "},{"location":"services/gitlab/#lfs-id","title":"\u83b7\u53d6\u6240\u6709\u5305\u542b LFS \u7684\u9879\u76ee ID","text":"
    LfsObject.all.each do |lo|\n    puts LfsObjectsProject.find_by_lfs_object_id(lo.id).project_id\nend\n

    \u8f93\u51fa\u8f83\u591a\u3002\u53ef\u4ee5\u4f7f\u7528 rails r xxx.rb \u8fd0\u884c\uff0c\u91cd\u5b9a\u5411\u5230\u6587\u4ef6\uff0c\u53bb\u91cd\u540e\u67e5\u770b\u6240\u6709\u5305\u542b LFS \u7684\u9879\u76ee\u3002

    "},{"location":"services/gitlab/#rake-tasks","title":"\u4f7f\u7528 Rake tasks","text":"

    \u8be6\u89c1 https://github.com/sameersbn/docker-gitlab#rake-tasks\u3002\u548c Rails console \u4e00\u6837\uff0c\u521d\u59cb\u5316\u5f88\u6162\u3002

    \u5f53\u524d\u5b9e\u4f8b\u4fe1\u606f\uff1a

    docker exec --user git -it gitlab bundle exec rake gitlab:env:info RAILS_ENV=production\n
    "},{"location":"services/gitlab/#_4","title":"\u6e05\u7406","text":"

    \u53c2\u8003 https://github.com/gitlabhq/gitlabhq/blob/master/doc/raketasks/cleanup.md\u3002

    \u4e0d\u8fc7\u4f5c\u7528\u6709\u9650\u3002

    "},{"location":"services/gitlab/#_5","title":"\u6e05\u7406\u4e0a\u4f20\u76ee\u5f55","text":"

    \u67e5\u770b\u4f1a\u88ab\u6e05\u7406\u7684\u6587\u4ef6\uff1a

    docker exec --user git -it gitlab bundle exec rake gitlab:cleanup:project_uploads RAILS_ENV=production\n

    \u6e05\u7406\uff08\u79fb\u52a8\u5230 /-/project-lost-found/\uff09\uff1a

    docker exec --user git -it gitlab bundle exec rake gitlab:cleanup:project_uploads RAILS_ENV=production DRY_RUN=false\n
    "},{"location":"services/gitlab/#artifact","title":"\u6e05\u7406\u672a\u88ab\u5f15\u7528\u7684 artifact \u6587\u4ef6","text":"

    \u67e5\u770b\u4f1a\u88ab\u6e05\u7406\u7684 artifact \u6570\u91cf\uff1a

    docker exec --user git -it gitlab bundle exec rake gitlab:cleanup:orphan_job_artifact_files RAILS_ENV=production\n

    \u6e05\u7406\uff1a

    docker exec --user git -it gitlab bundle exec rake gitlab:cleanup:orphan_job_artifact_files RAILS_ENV=production DRY_RUN=false\n

    \u6ce8\u610f\uff0c\u65b0\u8bbe\u7f6e\u7684 expire \u671f\u9650\u4e0d\u4f1a\u5f71\u54cd\u4ee5\u524d\u7684 artifact\uff0c\u8fd9\u91cc\u7684\u547d\u4ee4\u4e5f\u65e0\u6cd5\u6e05\u7406\u3002

    "},{"location":"services/gitlab/#lfs-reference","title":"\u6e05\u7406\u65e0\u6548\u7684 LFS reference","text":"
    for i in `cat projectid_lfs`; do docker exec --user git -it gitlab bundle exec rake gitlab:cleanup:orphan_lfs_file_references PROJECT_ID=$i RAILS_ENV=production DRY_RUN=false; done\n

    projectid_lfs \u662f\u4e0a\u6587\u4e2d\u300c\u83b7\u53d6\u6240\u6709\u5305\u542b LFS \u7684\u9879\u76ee ID\u300d\u7684\u53bb\u91cd\u540e\u7684\u8f93\u51fa\u3002

    \u65e0 reference \u7684 LFS \u6587\u4ef6\u6bcf\u65e5 GitLab \u4f1a\u81ea\u52a8\u6e05\u9664\u3002\u5982\u679c\u9700\u8981\u7acb\u523b\u5220\u9664\uff0c\u53ef\u4ee5\u4f7f\u7528 gitlab:cleanup:orphan_lfs_files\u3002

    "},{"location":"services/gitlab/#_6","title":"\u7d27\u6025\u64cd\u4f5c","text":""},{"location":"services/gitlab/#_7","title":"\u8bbe\u7f6e\u4e3a\u53ea\u8bfb","text":"

    Ref: https://docs.gitlab.com/ee/administration/read_only_gitlab.html

    docker exec --user git -it gitlab bin/rails console\n

    \u4e4b\u540e\u6267\u884c

    Project.all.find_each { |project| puts project.name; project.update!(repository_read_only: true) }\n

    \u5c06\u6240\u6709\u4ed3\u5e93\u8bbe\u7f6e\u4e3a\u53ea\u8bfb\u3002\u5982\u679c\u4e2d\u95f4\u51fa\u73b0\u9519\u8bef\uff08\u7279\u6b8a\u7684\u9879\u76ee\u540d\u53ef\u80fd\u4f1a\u5bfc\u81f4\u8fd0\u884c\u4e2d\u65ad\uff09\uff0c\u91cd\u547d\u540d\u6700\u540e\u8f93\u51fa\u5bf9\u5e94\u7684\u9879\u76ee\u3002

    \u5728\u8bbe\u7f6e\u524d\uff0c\u9700\u8981\u6dfb\u52a0 Messages \u901a\u77e5\u7528\u6237\u3002

    \u6b64\u65f6\u6570\u636e\u5e93\u4ecd\u7136\u53ef\u5199\u5165\u3002\u5982\u679c\u9700\u8981\u6570\u636e\u5e93\u53ea\u8bfb\uff0c\u53c2\u8003\u4ee5\u4e0a\u94fe\u63a5\u914d\u7f6e\u3002

    "},{"location":"services/light/","title":"Light Accelerator","text":"

    Service: light.ustclug.org

    Git Repository:

    Docker Hub:

    Mailing list: \u8f7b\u91cf\u7ea7\u7f51\u7edc\u52a0\u901f\u670d\u52a1

    Servers:

    "},{"location":"services/light/#deploy","title":"Deploy","text":"

    Deploy script: docker-run-script/light

    Deploy order:

    1. mysql
    2. freeradius, light-web
    3. squid
    "},{"location":"services/light/#add-new-domain","title":"Add new domain","text":"
    git clone https://github.com/ustclug/light-list\ncd accelerate-list\n./tools/add-domain.sh accelerate.list www.example.com\ngit commit -v -a\ngit push origin master\n

    GitHub Actions will update PAC files in LUG FTP automatically.

    "},{"location":"services/light/#database-maintenance","title":"Database maintenance","text":"

    Example:

    select count(*) from radacct where acctstoptime < '2021-01-01 00:00:00';\ninsert into radacct_backup select * from radacct where acctstoptime < '2021-01-01 00:00:00';\ndelete from radacct where acctstoptime < '2021-01-01 00:00:00';\ndelete from radacct_backup where acctstoptime < '2020-06-01 00:00:00';\noptimize table radacct;\noptimize table radacct_backup;\n
    "},{"location":"services/light/#shutdown","title":"Shutdown","text":"
    1. Stop two containers: light-server & light-socks
    2. Set restart policy to no (See Docker Documentation)
    "},{"location":"services/light/#logs","title":"Logs","text":"

    Proxy related log is under /srv/docker/light/log. Container log (stdout & stderr) is under /srv/docker/docker/containers/<container id>/*.log* (use docker logs <container> to view).

    Logrotate is configured to save logs for 180 days. Please manually backup logs when removing the container.

    "},{"location":"services/neat-dns/","title":"Neat DNS","text":"

    Services: neatdns.ustclug.org (UDP, TCP, HTTPS, DNSCrypt)

    Server: docker2

    Deploy: docker-run-script/neatdns

    "},{"location":"services/neat-dns/#notes","title":"Notes","text":"

    Previously all containers on docker2 had gateway-el as their gateway, which generated heavy load on the Tinc network. Docker2 has since been updated to use gateway-nic as gateway for containers, bypassing Tinc for most of the traffic. This, however, broke NAT-based service like Neat DNS, which required that reply traffic goes back through gateway-el (but now gateway-nic).

    What's worse, Docker doesn't support setting gateways for individual containers, nor can network config be changed from within the container (default setup). So we chose to selectively route traffic back to gateway-el on gateway-nic. This is accomplished with two parts:

    "},{"location":"services/vpn/","title":"LUG VPN","text":""},{"location":"services/vpn/#iptables","title":"iptables \u9632\u706b\u5899\u7ba1\u7406","text":"

    \u672c\u8282\u5185\u5bb9\u9002\u7528\u4e8e\u5305\u62ec VPN \u5728\u5185\u7684\u591a\u4e2a\u670d\u52a1\u5668

    "},{"location":"services/mirrors/","title":"\u5f00\u6e90\u955c\u50cf\u7ad9","text":""},{"location":"services/mirrors/#_2","title":"\u5386\u53f2","text":""},{"location":"services/mirrors/#debianustceducn","title":"debian.ustc.edu.cn","text":"

    2000 \u5e74\u5de6\u53f3\uff0c\u79d1\u5927\u6821\u5185\u7684 Debian \u7231\u597d\u8005\u4f7f\u7528\u81ea\u5df1\u5b9e\u9a8c\u5ba4\u7684\u673a\u5668\u4e3a\u5927\u5bb6\u63d0\u4f9b Debian \u955c\u50cf\u670d\u52a1\u3002\u968f\u7740\u4e00\u5c4a\u5c4a\u5e08\u5144\u7684\u6bd5\u4e1a\uff0c\u670d\u52a1\u5668\u5728\u5404\u5b9e\u9a8c\u5ba4\u95f4\u63a5\u529b\u3002

    2002 \u5e74 5 \u6708\uff0cDebian \u955c\u50cf\u7ad9\u6709\u4e86\u81ea\u5df1\u7684\u57df\u540d debian.ustc.edu.cn\uff0c\u4f46\u670d\u52a1\u5668\u4ecd\u5728\u5b9e\u9a8c\u5ba4\u95f4\u8f97\u8f6c\u3002

    2002 \u5e74 6 \u6708 23 \u65e5\uff0c\u79d1\u5927Debian\u955c\u50cf\u7ad9\u5f00\u59cb\u63d0\u4f9b\u975e\u5b98\u65b9(UO)\u8f6f\u4ef6\u4ed3\u5e93\u30022004\u5e744\u670823\u65e5\uff0c\u63d0\u4f9b\u65b0\u7684UO\u4ed3\u5e93\u3002

    2005 \u5e74 6 \u6708 20 \u65e5\uff0c\u79d1\u5927 LUG \u53d1\u8d77\u4e3a\u79d1\u5927 Debian \u955c\u50cf\u7ad9\u6350\u6b3e\u7684\u5021\u8bae\uff0c\u622a\u81f3 10 \u6708 1 \u65e5\u52df\u6350\u6d3b\u52a8\u505c\u6b62\uff0cLUG \u5171\u6536\u5230 2922.05 \u5143\u6350\u6b3e\u300210 \u6708 6 \u65e5\u65b0\u673a\u5668\u5b89\u88c5\u914d\u7f6e\u5230\u4f4d\u3002\u5728\u5927\u5bb6\u7684\u9f50\u5fc3\u52aa\u529b\u4e4b\u4e0b\uff0c\u79d1\u5927 Debian \u955c\u50cf\u7ad9\u6709\u4e86\u4e00\u4e2a\u76f8\u5bf9\u56fa\u5b9a\u7684\u201c\u5bb6\u201d\u3002

    2009 \u5e74\u5e95\uff0cdebian.ustc \u843d\u6237\u56fe\u4e66\u9986\u6280\u672f\u90e8\u3002

    "},{"location":"services/mirrors/#ossustceducn","title":"oss.ustc.edu.cn","text":"

    2008 \u5e74 12 \u6708 25 \u65e5\uff0c\u79d1\u5927\u5f00\u6e90\u8f6f\u4ef6 (OSS) \u955c\u50cf\u7ad9\u6b63\u5f0f\u542f\u7528\u3002\u5176\u670d\u52a1\u5668\u7531\u5434\u5cf0\u5149\u5e08\u5144\u63d0\u4f9b\u3002Novell \u516c\u53f8\u4e3a\u6211\u4eec\u63d0\u4f9b\u4e86\u4e00\u57571.5T \u7684\u786c\u76d8\u3002

    2009 \u5e74 12 \u6708\uff0c\u5f20\u6210\u5e08\u5144\u4e3a OSS \u955c\u50cf\u7ad9\u63d0\u4f9b\u6350\u8d60 1T \u786c\u76d8\u3002

    2010 \u5e74 6 \u6708\uff0c\u79d1\u5927 LUG \u4f7f\u7528\u51fa\u552e\u7248\u886b\u4f59\u4e0b\u7684\u94b1\u4e3a OSS \u955c\u50cf\u7ad9\u6dfb\u7f6e\u4e86\u4e00\u5757 2T \u786c\u76d8\u3002

    "},{"location":"services/mirrors/#mirrorsustceducn","title":"mirrors.ustc.edu.cn","text":"

    2011 \u5e74 4 \u6708 8 \u65e5\uff0c\u79d1\u5927 LUG \u4ece\u7f51\u7edc\u4e2d\u5fc3\u5904\u83b7\u5f97\u4e86\u65b0\u7684\u670d\u52a1\u5668\uff0c\u5e76\u7533\u8bf7\u5230\u4e86 mirrors.ustc \u7684\u57df\u540d\u3002debian.ustc \u4e0e oss.ustc \u5f00\u59cb\u5411 mirrors.ustc \u8fc1\u79fb\u3002

    \u540c\u5e74 4 \u6708 15 \u65e5\uff0c\u51e0\u5927\u70ed\u95e8\u53d1\u884c\u7248\u955c\u50cf\u540c\u6b65\u5b8c\u6bd5\uff0cmirrors \u5f00\u59cb\u6b63\u5f0f\u5bf9\u5916\u63d0\u4f9b\u670d\u52a1\uff0c\u540c\u65f6 debian.ustc \u4e0e oss.ustc \u9000\u51fa\u4e86\u5386\u53f2\u821e\u53f0\u3002

    2013 \u5e74 1 \u6708 6 \u65e5\uff0c\u79d1\u5927 LUG \u4ece\u7f51\u7edc\u4e2d\u5fc3\u5904\u83b7\u5f97\u4e86\u65b0\u7684\u78c1\u76d8\u9635\u5217\uff0c\u5927\u5927\u7f13\u89e3\u4e86 mirrors \u56e0\u78c1\u76d8\u7a7a\u95f4\u4e0d\u8db3\u800c\u5e26\u6765\u7684\u538b\u529b\u3002

    2016 \u5e74 12 \u6708 29 \u65e5\uff0c\u79d1\u5927 LUG \u4ece\u7f51\u7edc\u4e2d\u5fc3\u5904\u83b7\u5f97\u4e86\u65b0\u7684\u670d\u52a1\u5668\u3002\u89e3\u51b3\u4e86\u8fd1\u4e00\u5e74\u6765\u7531\u4e8e\u670d\u52a1\u5668\u548c\u9635\u5217\u8001\u5316\u5e26\u6765\u7684\u7a33\u5b9a\u6027\u95ee\u9898\u3002

    2019 \u5e74 6 \u6708\uff0c\u79d1\u5927 LUG \u4ece\u56fe\u4e66\u9986\u6280\u672f\u90e8\u83b7\u5f97\u4e86\u4e00\u53f0\u65e7\u670d\u52a1\u5668\uff0c\u7f13\u89e3\u4e86 mirrors \u5bb9\u91cf\u7d27\u5f20\u7684\u95ee\u9898\u3002

    2020 \u5e74 3 \u6708 24 \u65e5\uff0c\u79d1\u5927 LUG \u518d\u6b21\u4ece\u7f51\u7edc\u4e2d\u5fc3\u5904\u83b7\u5f97\u4e86\u65b0\u7684\u670d\u52a1\u5668\uff0c\u89e3\u51b3\u4e86\u591a\u5e74\u6765\u7531\u4e8e\u670d\u52a1\u5668\u5bb9\u91cf\u4e0d\u8db3\u548c\u8d1f\u8f7d\u8fc7\u5927\u5e26\u6765\u7684\u538b\u529b\u3002

    "},{"location":"services/mirrors/#hardware","title":"\u786c\u4ef6\u914d\u7f6e","text":""},{"location":"services/mirrors/docker/","title":"Docker","text":""},{"location":"services/mirrors/docker/#networking","title":"Networking","text":"

    Docker \u9ed8\u8ba4\u521b\u5efa\u4e00\u4e2a\u540d\u4e3a bridge \u7684\u7f51\u7edc\uff0c\u4e3b\u673a\u754c\u9762\u4e3a docker0\uff0cIP \u5730\u5740\u6bb5\u4e3a 172.17.0.0/16\u3002

    \u6211\u4eec\u5c06 Docker Registry \u7684\u53cd\u4ee3\u6302\u5728\u53e6\u5916\u4e00\u4e2a\u5b50\u7f51\u4e0b\uff0c\u9700\u8981\u5148\u884c\u521b\u5efa\u3002

    docker network create \\\n  --opt com.docker.network.bridge.name=docker1 \\\n  --subnet=172.18.0.0/16 \\\n  --gateway=172.18.0.1 \\\n  docker-registry\n
    "},{"location":"services/mirrors/docker/#routing","title":"Routing","text":"

    \u4e00\u4e9b\u540c\u6b65\u7a0b\u5e8f\u4e0d\u652f\u6301 bindIP \u7684\u914d\u7f6e\uff0c\u5bf9\u4e8e\u8fd9\u4e9b\u540c\u6b65\u7a0b\u5e8f\uff0c\u6211\u4eec\u901a\u8fc7\u521b\u5efa\u591a\u4e2a Docker network\uff0c\u7136\u540e\u5728\u4e3b\u673a\u4e0a\u6839\u636e Docker network \u8fdb\u884c\u7b56\u7565\u8def\u7531\uff0c\u8fbe\u5230\u9009\u62e9\u51fa\u53e3\u7684\u6548\u679c\u3002

    \u521b\u5efa Docker network \u7684\u547d\u4ee4\u5982\u4e0b\uff1a

    docker network create --driver=bridge --subnet=172.17.4.1/24 -o \"com.docker.network.bridge.name=dockerC\" cernet\ndocker network create --driver=bridge --subnet=172.17.5.1/24 -o \"com.docker.network.bridge.name=dockerT\" telecom\ndocker network create --driver=bridge --subnet=172.17.6.1/24 -o \"com.docker.network.bridge.name=dockerM\" mobile\ndocker network create --driver=bridge --subnet=172.17.7.1/24 -o \"com.docker.network.bridge.name=dockerU\" unicom\n

    \u5bf9\u5e94\u5730\uff0c\u4e3b\u673a\u4e0a\u4e5f\u914d\u7f6e\u597d\u4e86\u7b56\u7565\u8def\u7531\uff0c\u4f8b\u5982\uff1a

    /etc/systemd/network/cernet.network
    # Docker Cernet\n[RoutingPolicyRule]\nFrom=172.17.4.0/24\nTable=1011\nPriority=5\n[RoutingPolicyRule]\nFrom=172.17.8.0/24\nTable=1011\nPriority=5\n
    /etc/systemd/network/telecom.network
    # Docker Telecom\n[RoutingPolicyRule]\nFrom=172.17.5.0/24\nTable=1012\nPriority=5\n

    mobile.network \u548c unicom.network \u4e5f\u7c7b\u4f3c\u3002

    \u9700\u8981\u4f7f\u7528\u8fd9\u79cd\u65b9\u5f0f\u8fdb\u884c\u8def\u7531\u7684\u540c\u6b65\u955c\u50cf\uff0c\u53ef\u4ee5\u5728 YAML \u4e2d\u6307\u5b9a network\uff0c\u4f8b\u5982\uff1a

    adoptium.yum.yaml
    network: telecom\n
    "},{"location":"services/mirrors/genindex/","title":"\u9996\u9875\u751f\u6210","text":"

    \u955c\u50cf\u7ad9\u4e3b\u9875\u662f\u9759\u6001\u7684\uff0c\u7531 https://git.lug.ustc.edu.cn/mirrors/mirrors-index \u811a\u672c\u751f\u6210\u3002

    crontab \u4f1a\u5b9a\u65f6\u8fd0\u884c\u8be5\u811a\u672c\uff0c\u751f\u6210\u9996\u9875\u548c mirrorz \u9879\u76ee\u9700\u8981\u7684\u6570\u636e\u3002

    \u5728\u9996\u9875\u5c55\u793a\u7684\u300c\u83b7\u53d6\u5b89\u88c5\u955c\u50cf\u300d\u3001\u300c\u83b7\u53d6\u5f00\u6e90\u8f6f\u4ef6\u300d\u3001\u300c\u53cd\u5411\u4ee3\u7406\u5217\u8868\u300d\u5206\u522b\u7531 config \u5185\u914d\u7f6e\u6307\u5b9a\uff0c\u300c\u6587\u4ef6\u5217\u8868\u300d\u5185\u5bb9\u5219\u4f1a\u4ece\u540c\u6b65\u7a0b\u5e8f yuki \u7684 api \u4e2d\u83b7\u53d6\u3002

    "},{"location":"services/mirrors/ipmi/","title":"IPMI","text":""},{"location":"services/mirrors/ipmi/#mirrors4","title":"Mirrors4","text":"

    \u8fd9\u53f0\u673a\u5668\u7684 IPMI \u6709 HTML5 KVM\uff0c\u53ef\u4ee5\u76f4\u63a5\u7f51\u9875\u4f7f\u7528\uff0c\u6bd4\u8f83\u65b9\u4fbf\u3002

    "},{"location":"services/mirrors/ipmi/#mirrors23","title":"Mirrors2/3","text":"

    \u767b\u5f55 IPMI \u540e\uff0c\u4e3a\u4e86\u4f7f\u7528\u8fdc\u7a0b Shell\uff0c\u9700\u8981\u8fd0\u884c\u4e00\u4e2a jnlp \u6587\u4ef6\u3002 \u6b64\u6587\u4ef6\u4e0b\u8f7d\u65f6\u4f1a\u88ab Chrome \u62e6\u622a\uff0c\u9700\u8981\u989d\u5916\u5141\u8bb8\u4e00\u4e0b\u3002

    \u6b64 jnlp \u6587\u4ef6\u9700\u8981 Oracle JDK 7 \u8fd0\u884c\uff0cOpenJDK 7 \u65e0\u6cd5\u8fd0\u884c\u3002 \u6307\u4ee4\u7528 javaws a.jnlp \u5373\u53ef\u3002

    Java 8 \u53ca\u4e4b\u524d Java \u7684\u5404\u4e2a\u5de5\u5177\u662f\u6253\u5305\u5728 JDK \u4e2d\u7684\uff0c\u5305\u62ec Java Web Starter\uff0c\u5373\u6211\u4eec\u7528\u7684 javaws\u3002 \u6240\u4ee5\u53ea\u9700\u8981\u5b89\u88c5 Oracle JDK 7 \u5373\u53ef\uff0c\u65e0\u9700\u5b89\u88c5\u5176\u4ed6\u7684\u3001\u9488\u5bf9 Java 9 \u53ca\u4e4b\u540e\u7248\u672c\u7684\u5176\u4ed6\u5de5\u5177\u3002

    "},{"location":"services/mirrors/limiter/","title":"\u9650\u5236\u7b56\u7565","text":"

    \u7531\u4e8e mirrors \u5c5e\u4e8e I/O\u3001\u7f51\u7edc\u5bc6\u96c6\u578b\u670d\u52a1\uff0c\u5728\u90e8\u5206\u7684\u8d1f\u8f7d\u573a\u666f\u4e0b\u6781\u6613\u51fa\u73b0 I/O \u6216\u7f51\u7edc\u8fc7\u8f7d\u3002\u9650\u5236\u7b56\u7565\u4e3b\u8981\u662f\u4e3a\u4e86\u51cf\u5f31\u4ee5\u4e0b\u51e0\u7c7b\u8bf7\u6c42\u5bf9 mirrors \u6574\u4f53\u670d\u52a1\u8d28\u91cf\u7684\u5f71\u54cd\uff1a

    1. \u7a81\u53d1\u6027\u7684\u9ad8\u5e76\u53d1\u8bf7\u6c42
    2. \u722c\u866b\u7c7b\u6d41\u91cf
    3. \u4e0d\u5408\u7406\u7684\u8bf7\u6c42\uff08\u5982\uff1a\u6781\u5c11\u6570\u7528\u6237\u7684\u5927\u91cf\u8bf7\u6c42\uff09
    "},{"location":"services/mirrors/limiter/#whitelists","title":"\u767d\u540d\u5355","text":"

    \u4e00\u822c\u800c\u8a00\uff0c\u79d1\u5927\u6821\u5185\u7684\u5730\u5740\u4f4d\u4e8e\u9650\u5236\u89c4\u5219\u7684\u767d\u540d\u5355\u4e2d\uff0c\u4e0d\u53d7\u5230\u9650\u5236\u7b56\u7565\u7684\u5f71\u54cd\u3002\u5982\u679c\u6ca1\u6709\u7279\u6b8a\u8bf4\u660e\uff0c\u79d1\u5927\u5730\u5740\u9ed8\u8ba4\u4e0d\u53d7\u9650\u5236\u3002

    \u767d\u540d\u5355\u4f4d\u4e8e\uff1a

    "},{"location":"services/mirrors/limiter/#firewall","title":"\u9632\u706b\u5899\u7ea7\u522b\u9650\u5236","text":"

    \u9632\u706b\u5899 (iptables) \u76ee\u524d\u53ea\u8d1f\u8d23\u9650\u5236\u5355 IP \u7684\u5e76\u53d1\u94fe\u63a5\u6570\u3002\u8fd9\u662f\u4e3a\u4e86\u9632\u6b62\u540c\u65f6\u6d8c\u5165\u5927\u91cf\u5e76\u53d1\u8fde\u63a5\uff0c\u5bfc\u81f4\u540e\u7aef\u5e94\u7528\u8017\u8d39\u5927\u91cf CPU \u548c I/O \u8d44\u6e90\u5904\u7406\u8fd9\u4e9b\u4e0d\u5408\u5e38\u7406\u7684\u8bf7\u6c42\u3002

    \u5e8f\u53f7 \u7aef\u53e3 \u670d\u52a1 \u6700\u5927\u8fde\u63a5\u6570 IPv4 CIDR IPv6 CIDR 1 80,443 HTTP/HTTPS 12 29 64 2 20,21,50100:50200 FTP 4* 32 64 3 873 Rsync 5* 32 64 4 9418 Git 10 32 64

    \u6ce8\u610f\u4e8b\u9879

    \u8fde\u63a5\u6570\u9650\u5236\u4ec5\u9650\u5236\u77ac\u65f6\u5e76\u53d1\uff08connlimit\uff09\u3002

    \u8bf7\u6ce8\u610f\uff0c\u540c\u7ec4\u5185\u7684\u8fde\u63a5\u5171\u4eab\u8fde\u63a5\u6570\u914d\u989d\u3002\u5982\uff1a

    \u8d85\u8fc7\u914d\u989d\u7684\u8fde\u63a5\u4f1a\u8fd4\u56de TCP Reset\u3002

    * FTP \u670d\u52a1\u5df2\u505c\u6b62\u63d0\u4f9b\uff0cRsync \u4ec5\u4ece mirrors2 \u63d0\u4f9b\uff0cmirrors4 \u4e0a\u7684 Rsync \u7aef\u53e3\u9650\u5236\u53ea\u80fd\u4ece mirrors2 \u4e0a\u8bbf\u95ee\u3002

    "},{"location":"services/mirrors/limiter/#application","title":"\u5e94\u7528\u7ea7\u522b\u9650\u5236","text":"

    \u6b64\u7c7b\u9650\u5236\u89c4\u5219\u4f4d\u4e8e\u5e94\u7528\u7a0b\u5e8f\u5185\u3002\u7531\u4e8e\u5728\u7528\u6237\u6001\u7a0b\u5e8f\u4e2d\u5b9e\u73b0\uff0c\u56e0\u6b64\u66f4\u52a0\u7075\u6d3b\u3002

    "},{"location":"services/mirrors/limiter/#nginx-mod-lua","title":"Nginx LUA \u7ec4\u4ef6","text":"

    \u4ee3\u7801\u4f4d\u4e8e /etc/nginx/lua/access.lua

    \u76ee\u524d\u4f7f\u7528\u4e86 Nginx \u7684 lua \u8bed\u8a00\u6269\u5c55\u5b9e\u73b0\u5bf9\u8bf7\u6c42\u7684\u9650\u5236\u3002\u4e3b\u8981\u6709\u4ee5\u4e0b\u4e09\u7c7b\u9650\u5236\u65b9\u5f0f\uff1a

    1. \u6309\u8fde\u63a5\u6570\u9650\u5236\uff08\u5373\uff1a\u5e76\u53d1\u8bf7\u6c42\u6570\uff09
    2. \u6309\u8bf7\u6c42\u901f\u7387\u9650\u5236
    3. \u6309\u7d2f\u8ba1\u8bf7\u6c42\u6570\u9650\u5236\uff08\u5468\u671f\u6027\u91cd\u7f6e\u8ba1\u6570\u5668\uff09

    \u76ee\u524d\uff0c\u955c\u50cf\u7ad9\u914d\u7f6e\u4e86\u4ee5\u4e0b\u51e0\u79cd\u529f\u80fd\u7684\u9650\u5236\u5668\uff1a

    1. \u5168\u5c40\u8bf7\u6c42\u901f\u7387\u9650\u5236\u5668\uff1a\u5bf9\u6240\u6709\u8bf7\u6c42\uff0c\u9650\u5236\u5355 IP \u7684\u8bf7\u6c42\u901f\u7387\u3002
    2. \u5168\u5c40\u8bf7\u6c42\u6570\u9650\u5236\u5668\uff1a\u5bf9\u4e8e\u6240\u6709\u8bf7\u6c42\uff0c\u68c0\u6d4b\u5355 IP \u5728\u4e00\u5929\u5185\u7684\u7d2f\u8ba1\u8bf7\u6c42\u6570\u3002\u8d85\u8fc7\u9608\u503c\u540e\uff0c\u964d\u4f4e\u8be5 IP \u7684\u5168\u5c40\u8bf7\u6c42\u901f\u7387\u9650\u5236\u5668\u7684\u9608\u503c\u3002
    3. HEAD \u8bf7\u6c42\u6570\u9650\u5236\u5668\uff1a\u5bf9\u4e8e HTTP Method == HEAD \u7c7b\u578b\u7684\u8bf7\u6c42\uff0c\u68c0\u6d4b\u5355 IP \u5728\u4e00\u5929\u5185\u7684\u7d2f\u8ba1\u8bf7\u6c42\u6570\u3002\u8d85\u8fc7\u9608\u503c\u540e\uff0c\u5f00\u542f HEAD \u8bf7\u6c42\u901f\u7387\u9650\u5236\u5668\u3002
    4. HEAD \u8bf7\u6c42\u901f\u7387\u9650\u5236\u5668\uff1a\u5bf9\u4e8e HTTP Method == HEAD \u7c7b\u578b\u7684\u8bf7\u6c42\uff0c\u9650\u5236\u5355 IP \u7684\u8bf7\u6c42\u901f\u7387\u3002\u8be5\u9650\u5236\u5668\u9ed8\u8ba4\u5173\u95ed\u3002
    5. \u65ad\u70b9\u7eed\u4f20\u8bf7\u6c42\u901f\u7387\u9650\u5236\u5668\uff1a\u5bf9\u4e8e\u65ad\u70b9\u7eed\u4f20\u7c7b\u578b\u7684\u8bf7\u6c42\uff0c\u9650\u5236\u5355 IP \u7684\u8bf7\u6c42\u901f\u7387\u3002
    6. \u65ad\u70b9\u7eed\u4f20\u8fde\u63a5\u6570\u9650\u5236\u5668\uff1a\u5bf9\u4e8e\u65ad\u70b9\u7eed\u4f20\u7c7b\u578b\u7684\u8bf7\u6c42\uff0c\u9650\u5236\u5355 IP \u5355 URI \u7684\u8fde\u63a5\u6570\u3002
    7. \u76ee\u5f55\u8bf7\u6c42\u901f\u7387\u9650\u5236\u5668\uff1a\u5bf9\u4e8e\u5217\u76ee\u5f55\u7c7b\u578b\u7684\u8bf7\u6c42\uff0c\u9650\u5236\u5355 IP \u8bf7\u6c42\u901f\u7387\u3002
    8. \u6587\u4ef6\u8bf7\u6c42\u901f\u7387\u9650\u5236\u5668\uff1a\u5bf9\u4e8e\u975e\u76ee\u5f55\u7c7b\u578b\u7684\u8bf7\u6c42\uff0c\u9650\u5236\u5355\u6587\u4ef6\u8bf7\u6c42\u901f\u7387\u3002\u5373\uff1a\u6240\u6709\u7528\u6237\u4e4b\u95f4\u5171\u4eab\u540c\u4e00\u4e2a\u914d\u989d\u3002

    \u5907\u6ce8\uff1a

    \u5177\u4f53\u53c2\u6570\u53c2\u8003\u4e0b\u8868\uff1a

    \u9650\u5236\u5668\u540d\u79f0 \u9608\u503c\u5355\u4f4d \u9608\u503c \u7a81\u53d1\u91cf \u8ba1\u6570\u5668\u91cd\u7f6e\u5468\u671f \u52a8\u4f5c \u5168\u5c40\u8bf7\u6c42\u901f\u7387\u9650\u5236\u5668 \u6b21/\u79d2 40 100 / \u8fd4\u56de 429 \u9519\u8bef \u5168\u5c40\u8bf7\u6c42\u6570\u9650\u5236\u5668 \u6b21 15000 / 1 \u5929 \u8bbe\u7f6e\u5168\u5c40\u8bf7\u6c42\u901f\u7387\u9650\u5236\u5668\u9608\u503c\u4e3a 0.2 HEAD \u8bf7\u6c42\u6570\u9650\u5236\u5668 \u6b21 300 / 1 \u5929 \u5f00\u542f HEAD \u8bf7\u6c42\u901f\u7387\u9650\u5236\u5668 HEAD \u8bf7\u6c42\u901f\u7387\u9650\u5236\u5668 \u6b21/\u79d2 0.05 5 / \u8fd4\u56de 429 \u9519\u8bef \u65ad\u70b9\u7eed\u4f20\u8bf7\u6c42\u901f\u7387\u9650\u5236\u5668 \u6b21/\u79d2 1 10 / \u8fd4\u56de 429 \u9519\u8bef \u65ad\u70b9\u7eed\u4f20\u8fde\u63a5\u6570\u9650\u5236\u5668 \u6761 1 0 / \u8fd4\u56de 429 \u9519\u8bef \u76ee\u5f55\u8bf7\u6c42\u901f\u7387\u9650\u5236\u5668 \u6b21/\u79d2 0.5 10 / \u8fd4\u56de 429 \u9519\u8bef \u6587\u4ef6\u8bf7\u6c42\u901f\u7387\u9650\u5236\u5668 \u6b21/\u79d2 5 25 / \u8fd4\u56de 429 \u9519\u8bef

    \u5230\u8fbe\u9608\u503c\u540e\u4f1a\u53d1\u751f\u4ec0\u4e48\uff1f

    \u9650\u5236\u5668\u4e4b\u95f4\u76f8\u4e92\u72ec\u7acb\uff0c\u5f53\u88ab\u89e6\u53d1\u7684\u6240\u6709\u9650\u5236\u5668\u4ea7\u751f\u4e0d\u4e00\u81f4\u7684\u7b49\u5f85\u65f6\u95f4\u65f6\uff0c\u5e94\u7528\u6700\u957f\u7684\u7b49\u5f85\u65f6\u95f4\u3002

    "},{"location":"services/mirrors/limiter/#large-files","title":"\u5927\u6587\u4ef6\u4e0b\u8f7d\u901f\u5ea6\u9650\u5236","text":"

    \u4ee3\u7801\u4f4d\u4e8e /etc/nginx/lua/header_filter.lua

    \u9488\u5bf9\u5927\u6587\u4ef6\u4e0b\u8f7d\uff0c\u9650\u5236\u6bcf\u4e2a \u4ed3\u5e93 \u6587\u4ef6\u7684\u603b\u5e26\u5bbd\u4e3a 1Gbps\uff0c\u4ee5\u907f\u514d\u5927\u6587\u4ef6\u6d41\u91cf\u5360\u6ee1\u603b\u5e26\u5bbd\u3002

    \u6ce8\u610f\u4e8b\u9879

    \u5982\u679c\u6709\u591a\u4e2a \u4ed3\u5e93 \u6587\u4ef6\u9762\u4e34\u9ad8\u538b\u529b\u8bbf\u95ee\uff0c\u603b\u5e26\u5bbd\u4f9d\u7136\u53ef\u80fd\u88ab\u5360\u6ee1

    \u5177\u4f53\u505a\u6cd5\u4e3a\uff0c\u8bbe\u7f6e\u4e0b\u8f7d\u901f\u5ea6\u9608\u503c = 1Gbps / (\u8be5 \u4ed3\u5e93 \u5927\u6587\u4ef6\u7684\u540c\u65f6\u8fde\u63a5\u6570 +1)

    \u5f53\u4e0b\u8f7d\u7684\u6587\u4ef6\u65e0\u7a77\u5927\u65f6\uff0c\u5c06\u51fa\u73b0\u6700\u5dee\u60c5\u5f62\uff0c\u5373\u7528\u6237\u88ab\u5206\u914d\u5230\u7684\u4e0b\u8f7d\u901f\u7387\u670d\u4ece\u7c7b\u8c03\u548c\u7ea7\u6570\uff0c\u51fd\u6570\u53d1\u6563\u3002\u5b9e\u9645\u60c5\u51b5\u4e0b\uff0c\u65e9\u671f\u7528\u6237\u4e0b\u8f7d\u5b8c\u6210\u540e\u8fde\u63a5\u91ca\u653e\uff0c\u6700\u7ec8\u5e26\u5bbd\u5c06\u6536\u655b\u5230 1Gbps\u3002

    \u6ce8\uff1a\u5927\u6587\u4ef6\u5b9a\u4e49\u53c2\u7167\u76ee\u524d\u7684 lua \u811a\u672c\u914d\u7f6e\u3002

    "},{"location":"services/mirrors/limiter/#nginx-js-challenge","title":"Nginx JavaScript \u6311\u6218","text":"

    \u4ee3\u7801\u4f4d\u4e8e /etc/nginx/sites-available/iso.mirrors.ustc.edu.cn

    \u4e3a\u4e86\u62b5\u6297\u201c\u8fc5\u96f7\u653b\u51fb\u201d\u3002\u5bf9\u4e8e\u7279\u5b9a\u7c7b\u578b\u7684\u6587\u4ef6\uff0c\u5f00\u542f\u4e86 JS \u6311\u6218\u3002\u5982\u679c\u5ba2\u6237\u7aef User-Agent \u4e3a Mozilla\uff08\u5373\u6d4f\u89c8\u5668\uff09\uff0c\u5219\u53d1\u9001\u4e00\u6bb5\u5305\u542b JS \u811a\u672c\u7684\u9875\u9762\uff0c\u68c0\u9a8c\u8fd0\u884c\u7684\u7ed3\u679c\u3002\u5982\u679c\u6311\u6218\u5931\u8d25\uff0c\u5219\u8fd4\u56de\u9519\u8bef\u3002

    \u88ab\u4fdd\u62a4\u7684\u6587\u4ef6\u7c7b\u578b\u6709\uff1a

    "},{"location":"services/mirrors/limiter/#robots","title":"\u722c\u866b\u9650\u5236","text":"

    \u4ee3\u7801\u4f4d\u4e8e /etc/nginx/snippets/robots

    \u5982\u679c\u5ba2\u6237\u7aef User-Agent \u5305\u542b Spider\u3001Robot \u5173\u952e\u5b57\uff0c\u5219\u7981\u6b62\u5176\u8bbf\u95ee\u4ed3\u5e93\u5185\u5bb9\u3002\u907f\u514d\u7531\u4e8e\u9891\u7e41\u5217\u76ee\u5f55\u5e26\u6765\u5927\u91cf IO \u8d1f\u8f7d\u3002

    "},{"location":"services/mirrors/limiter/#rsync-connections","title":"Rsync \u603b\u8fde\u63a5\u6570\u9650\u5236","text":"

    Rsync \u670d\u52a1\u8bbe\u7f6e\u4e86\u603b\u8fde\u63a5\u6570\u9650\u5236\u3002\u5373\uff1a\u5f53\u5efa\u7acb\u7684\u8fde\u63a5\u6570\u5230\u8fbe\u67d0\u4e2a\u9608\u503c\u540e\uff0c\u62d2\u7edd\u4e4b\u540e\u6536\u5230\u7684\u8fde\u63a5\u3002

    \u5386\u53f2\u8bb0\u5f55

    \u4ee5\u524d HTTP \u548c Rsync \u670d\u52a1\u7531\u540c\u4e00\u53f0\u670d\u52a1\u5668\u63d0\u4f9b\uff0c\u7531\u4e8e\u767d\u5929 HTTP \u8bbf\u95ee\u538b\u529b\u8f83\u5927\uff0c\u591c\u665a HTTP \u8bbf\u95ee\u91cf\u8f83\u5c0f\uff0c\u4e3a\u4e86\u5b9e\u73b0\u9519\u5cf0\u540c\u6b65\uff0c\u4fdd\u8bc1\u767d\u5929 HTTP \u7684\u670d\u52a1\u8d28\u91cf\uff0c\u56e0\u6b64\u9488\u5bf9\u4e0d\u540c\u65f6\u6bb5\u8bbe\u7f6e\u4e86\u4e0d\u540c\u7684\u9608\u503c\uff0c\u5177\u4f53\u5982\u4e0b\uff1a

    \u5728 2020 \u5e74 8 \u6708 25 \u65e5\u540e\uff0c\u7531\u4e8e\u66f4\u6362\u4e86\u65b0\u670d\u52a1\u5668\uff0cRsync \u7531\u5355\u72ec\u673a\u5668\u63d0\u4f9b\u670d\u52a1\uff0c\u603b\u8fde\u63a5\u6570\u63d0\u5347\u5230\u4e86\u5168\u5929 60 \u4e2a\u8fde\u63a5\u3002

    \u7279\u522b\u7684\uff0c\u79d1\u5927\u6821\u5185 IP \u5730\u5740\u53d7\u5230 rsync \u8fde\u63a5\u6570\u9650\u5236\u3002

    "},{"location":"services/mirrors/limiter/#interface-limit","title":"\u7f51\u7edc\u63a5\u53e3\u7ea7\u522b\u9650\u5236","text":"

    mirrors \u5e38\u6001\u4e0b\u6ca1\u6709\u7f51\u7edc\u63a5\u53e3\u9650\u5236\uff0c\u4f46\u5728\u9700\u8981\u4e34\u65f6\u5bf9\u67d0\u4e00\u63a5\u53e3\u8fdb\u884c\u9650\u5236\u65f6\uff0c\u53ef\u4ee5\u4f7f\u7528 tc \u6765\u5b8c\u6210\u3002

    \u4f8b\u5982\u53ef\u4ee5\u53c2\u8003\u8fd9\u4efd\u56de\u7b54\uff1aiptables - Limiting interface bandwidth with tc under Linux - Server Fault\uff0c\u4f7f\u7528\u5982\u4e0b\u6307\u4ee4\u9650\u5236\u67d0\u4e00\u63a5\u53e3\u7684\u7f51\u7edc\u901f\u7387\u4e3a 1.5Gbps\uff1a

    tc qdisc add dev <interface> root handle 1: tbf rate 1500Mbit burst 750K latency 14ms\n

    \u8fd9\u91cc\u4f7f\u7528\u4e86 TBF\uff08\u4ee4\u724c\u6876\uff09\u7b97\u6cd5\uff0c\u540e\u9762\u7684 burst \u548c latency \u53c2\u6570\u610f\u4e49\u53ef\u4ee5\u53c2\u89c1 man tc-tbf\u3002 \u5177\u4f53\u800c\u8a00\uff0clatency \u6ca1\u6709\u63a8\u8350\u503c\uff0c\u4f46 burst \u8981\u6c42\u81f3\u5c11\u4e3a rate / HZ\uff0cHZ = 100 \u65f6 10Mbps \u81f3\u5c11\u7ea6 10MB\u3002 HZ \u7684\u503c\u9700\u8981\u4ece\u5185\u6838\u7684\u7f16\u8bd1\u53c2\u6570\u4e2d\u67e5\u770b\uff1aegrep '^CONFIG_HZ_[0-9]+' /boot/config-`uname -r`\u3002\u73b0\u4ee3\u53d1\u884c\u7248\u63d0\u4f9b\u7684\u5185\u6838\u4e2d\u8fd9\u4e2a\u503c\u4e00\u822c\u4e3a 250\u3002

    \u53c2\u8003\u8d44\u6599\uff1aBucket size in tbf

    \u76ee\u524d\u90e8\u7f72\u7684\u9650\u5236\u6709\uff1a

    \u5728 mirrors4 \u4e0a\u8be5\u914d\u7f6e\u7684\u5f00\u673a\u81ea\u542f\u5206\u522b\u4f4d\u4e8e tc-unicom.service \u548c tc-telecom.service \u4e24\u4e2a\u670d\u52a1\u4e2d\uff0c\u5176\u4e2d tc-unicom.service \u914d\u7f6e\u5982\u4e0b\uff1a

    [Unit]\nDescription=Rate Limiting for Unicom Interface\n\n[Service]\nType=oneshot\nRemainAfterExit=true\nExecStart=/usr/sbin/tc qdisc replace dev unicom root handle 1: tbf rate 1500Mbit burst 750K latency 14ms\nExecStop=/usr/sbin/tc qdisc delete dev unicom root handle 1\n\n[Install]\nWantedBy=sys-subsystem-net-devices-unicom.device\n

    Install \u90e8\u5206\u7684 WantedBy \u4f7f\u7528\u8fd9\u79cd\u5199\u6cd5\u53ef\u4ee5\u4f7f\u8be5\u670d\u52a1\u4f9d\u8d56\u4e8e\u540d\u4e3a unicom \u7684\u7f51\u53e3\uff0c\u8be6\u7ec6\u56de\u7b54\u53ef\u4ee5\u770b What is the systemd-networkd equivalent of post-up?\u3002

    "},{"location":"services/mirrors/limiter/#blacklists","title":"IP \u9ed1\u540d\u5355\u9650\u5236","text":"

    \u5bf9\u4e8e\u6ee5\u7528\u7684 IP \u6bb5\uff0c\u53ef\u4ee5\u4f7f\u7528 ipset \u548c iptables \u5b9e\u73b0\u9ed1\u540d\u5355\u9650\u5236\u3002 ipset \u5c06\u67d0\u4e2a IP \u5339\u914d\u5230\u4e00\u4e2a\u96c6\u5408\u4e2d\uff0ciptables \u518d\u9488\u5bf9\u67d0\u4e00\u96c6\u5408\u8fdb\u884c\u9650\u5236\u3002

    ipset \u548c iptables \u7684\u4f7f\u7528\u53ef\u4ee5\u53c2\u8003\uff1aIpset - Arch Wiki \u3002

    \u6211\u4eec\u5df2\u5728 mirrors4 \u4e0a\u914d\u7f6e\u4e86 blacklist \u548c blacklist6 \u96c6\u5408\uff0c\u82e5\u8981\u5c01\u7981\u67d0\u4e2a IP \u6216\u7f51\u6bb5\uff0c\u53ef\u4ee5\u76f4\u63a5\u5c06\u8be5\u7f51\u6bb5\u52a0\u5165\u96c6\u5408\uff0c\u4f8b\u5982\uff1a

    ipset add blacklist 192.0.2.0/24\nipset add blacklist6 2001:db8:114:514::/64\n

    \u4e0e iptables \u7c7b\u4f3c\uff0cipset \u4e5f\u9700\u8981\u6301\u4e45\u5316\u3002\u5c01\u7981\u540d\u5355\u7684\u6587\u4ef6\u4f4d\u4e8e\uff08mirrors4\uff09/usr/local/network_config/iptables/blacklist.list\uff0c\u4fee\u6539\u6b64\u6587\u4ef6\u589e\u51cf\u6761\u76ee\u540e\u8fd0\u884c\u8be5\u76ee\u5f55\u4e0b\u7684 apply.sh \u5373\u53ef\u3002

    \u7531\u4e8e\u5c01\u7981\u4ec5\u5bf9\u65b0\u5efa\u7acb\u7684\u8fde\u63a5\u6709\u6548\uff0c\u8bf7\u5728\u4fee\u6539\u5c01\u7981\u540d\u5355\u540e\uff0c\u4f7f\u7528 ss -K dst \u5bf9\u5e94\u7684\u7f51\u6bb5 \u5173\u95ed\u5df2\u7ecf\u5efa\u7acb\u7684\u8fde\u63a5\uff08\u4f8b\u5982\u5bf9\u4e8e\u4ee5\u4e0a\u4e24\u884c\u89c4\u5219\uff0c\u547d\u4ee4\u5206\u522b\u4e3a ss -K dst 192.0.2.0/24 \u4e0e ss -K dst 2001:db8:114:514::/64\uff09\u3002

    "},{"location":"services/mirrors/limiter/#ipset-persistent","title":"ipset \u6301\u4e45\u5316","text":"

    \u6211\u4eec\u4f7f\u7528\u8f6f\u4ef6\u6e90\u91cc\u7684 ipset-persistent \u5305\u6765\u5e2e\u52a9 ipset \u5728\u5f00\u673a\u65f6\u81ea\u52a8\u6062\u590d\uff0c\u8be5\u8f6f\u4ef6\u5305\u4f1a\u5728\u5f00\u673a\u52a0\u8f7d iptables \u524d\u5148\u4ece /etc/iptables/ipsets \u4e2d\u6062\u590d ipset \u4ee5\u786e\u4fdd iptables \u4e2d\u7684\u5f15\u7528\u80fd\u6b63\u786e\u5904\u7406\u3002

    \u56e0\u4e3a ipset-persistent \u5728\u5f00\u673a\u65f6\u81ea\u52a8\u52a0\u8f7d\uff0c\u6211\u4eec\u9009\u62e9\u4ec5\u52a0\u8f7d\u4e00\u4e2a\u8f83\u5c0f\u7684\u5b50\u96c6\uff0c\u5305\u542b\u5fc5\u8981\u914d\u7f6e\uff08create set\uff09\u548c\u8f83\u5c11\u53d1\u751f\u53d8\u5316\u7684\u5185\u5bb9\uff08\u5982 ustcnet \u7684\u7f51\u6bb5\uff09\u3002\u76ee\u524d /etc/iptables/ipsets \u5305\u542b\u4ee5\u4e0b\u5185\u5bb9\uff1a

    create ustcnet hash:net family inet hashsize 1024 maxelem 65536\ncreate f2b-sshd hash:ip family inet hashsize 1024 maxelem 65536 timeout 3600\ncreate blacklist hash:net family inet hashsize 1024 maxelem 65536\ncreate blacklist6 hash:net family inet6 hashsize 1024 maxelem 65536\n\nadd ustcnet 202.38.64.0/19\n# more ustcnet entries...\n
    "},{"location":"services/mirrors/mail-list/","title":"Mail List","text":"

    Plugin Email Subscribers & Newsletters on servers.ustclug.org sends a mail to Google Group when a new article posted on mirrors catalogue.

    The mails are sent from servers@ustclug.org, which is a member of Google Group with write permission.

    Google Group: ustc-mirrors@googlegroups.com

    "},{"location":"services/mirrors/zfs/","title":"ZFS","text":""},{"location":"services/mirrors/zfs/#configuration","title":"Configuration","text":"

    /etc/modprobe.d/zfs.conf

    options zfs zfs_arc_max=137438953472\noptions zfs l2arc_write_max=52428800\noptions zfs zfs_arc_meta_min=17179869184\noptions zfs l2arc_noprefetch=0\n

    refer to man zfs-module-parameters.

    "},{"location":"services/mirrors/zfs/#common-operations","title":"Common Operations","text":""},{"location":"services/mirrors/zfs/#get-zpool-status","title":"Get zpool status","text":"
    zpool status\n
    "},{"location":"services/mirrors/zfs/#get-io-status","title":"Get IO status","text":"
    zpool iostat -v 1\n
    "},{"location":"services/mirrors/zfs/#replace-disk","title":"Replace Disk","text":"
    zpool replace pool0 old-disk new-disk\n
    "},{"location":"services/mirrors/zfs/#new-zfs-file-system","title":"New ZFS file system","text":"
    zfs create [-o mountpoint=$mountpoint] $filesystem\n

    Example:

    zfs create -o mountpoint=/srv/repo/debian pool0/repo/debian\n

    If mountpoint is not specified, then it's inherited from the parent with a subpath appended, e.g. when pool0/example is mounted on /mnt/haha then pool0/example/test will by default mount on /mnt/haha/test.

    "},{"location":"services/mirrors/zfs/#destory-zfs-file-system","title":"Destory ZFS file system","text":"
    zfs destroy $filesystem\n

    Example:

    zfs destroy pool0/repo/debian\n
    "},{"location":"services/mirrors/zfs/#traps","title":"Traps","text":"

    Do NOT install zfs-dkms and related packages from Debian backports repositories. They'll easily break when upgrading.

    As of Debian Buster the ZFS packages from the mainstream repository is stable and new enough for our use.

    \u4ecd\u7136\u5efa\u8bae\u5b89\u88c5 Backports \u7248\u672c\u7684 ZFS\u3002\u300cStable \u8d8a\u5f80\u540e\uff08\u5bf9 ZFS \u76f8\u5173\u8f6f\u4ef6\u5305\u7684\uff09\u7ef4\u62a4\u8d8a\u5f31\u300d\uff0c\u4ece\u800c\u5bfc\u81f4 stable \u7684 ZFS \u53cd\u800c\u8d28\u91cf\u4e0d\u5982 backports \u7248\u672c\u7684\u3002

    "},{"location":"services/mirrors/1/","title":"mirrors1","text":"

    mirrors1 \u662f 2011 \u5e74\u7f51\u7edc\u4fe1\u606f\u4e2d\u5fc3\u63d0\u4f9b\u7ed9 LUG \u7528\u4f5c\u521d\u4ee3 mirrors.ustc.edu.cn \u670d\u52a1\u7684\u673a\u5668\uff0c\u662f\u4e00\u53f0\u66d9\u5149 i620r-G

    \u53c2\u6570 \u914d\u7f6e CPU Intel(R) Xeon(R) CPU E5620 @ 2.40GHz x 2 \u5185\u5b58 48 GB \u5b58\u50a8 LSI Logic MegaRAID SAS 8708EM2 x 2 DFT RS-3016I-S/D30 \u78c1\u76d8\u9635\u5217 \u7f51\u7edc Ethernet Intel 82574L Gigabit x 2

    \u7528\u6237\u624b\u518c

    \u7531\u4e8e\u672c\u6587\u7f16\u5199\u65f6\uff082020 \u5e74\uff09\u8be5\u670d\u52a1\u5668\u65e9\u5df2\u4e0d\u518d\u7528\u4f5c mirrors\uff08\u73b0\u5728\u662f esxi-5\uff09\uff0c\u56e0\u6b64\u66f4\u591a\u7684\u4fe1\u606f\u6682\u65e0\u4ece\u8003\u5bdf\u3002

    "},{"location":"services/mirrors/2/","title":"mirrors2","text":"

    2016 \u5e74\u5e95\u4ece\u7f51\u7edc\u4fe1\u606f\u4e2d\u5fc3\u83b7\u5f97\u7684\u65b0\u673a\u5668\uff0c\u8fd0\u884c\u81f3\u4eca\uff0c\u627f\u62c5\u4e86\u76ee\u524d mirrors \u7684 rsync \u6d41\u91cf\u3002

    \u53c2\u6570 \u914d\u7f6e CPU \u53cc\u8def E5-2620 v4 \u5185\u5b58 256GB DDR4 \u5b58\u50a8 6T*12(HDD), 250G*2(SSD) \u7f51\u7edc 1 Gbps * 2

    \u66d9\u5149 I620-G20 \u5bfc\u822a\u5149\u76d8

    "},{"location":"services/mirrors/2/networking/","title":"Networking on mirrors2","text":"

    mirrors2 \u4e0a\u7684\u7f51\u7edc\u4f7f\u7528\u9ed8\u8ba4\u7684 ifupdown \u914d\u7f6e\u3002

    \u5728 /etc/network/interfaces.d \u4e2d\u5b58\u653e\u7740\u63a5\u53e3\u914d\u7f6e\uff0c\u4f7f\u7528 ifup/ifdown \u6765\u542f\u7528/\u505c\u7528\u67d0\u4e00\u63a5\u53e3\u3002

    \u91cd\u542f\u6240\u6709\u7f51\u7edc\u63a5\u53e3

    \u5728\u67d0\u6b21 mirrors2 \u79bb\u7ebf\u6545\u969c\u4e2d\uff0c\u8bef\u64cd\u4f5c\u7684 systemctl restart networking \u8fd4\u56de\u4e86\u5931\u8d25\u7684\u7ed3\u679c\uff0c\u4ece\u800c\u5bfc\u81f4\u4e86 mirrors2 \u4ece\u67d0\u4e00\u7f51\u7edc\u63a5\u53e3\u65ad\u5f00\uff08\u731c\u6d4b\uff09\uff08\u5b9e\u9645\u539f\u56e0\u89c1\u4e0b\uff09\uff0c\u91cd\u542f\u6240\u6709\u63a5\u53e3\u4fee\u590d\u4e86\u95ee\u9898\uff1aifdown -a && ifup -a

    \u5b9e\u9645\u539f\u56e0\u662f bridge interface \u8fde\u63a5\u7684\u90a3\u4e2a interface \u5728 ifupdown \u7684 config \u91cc\u7684\u914d\u7f6e\u65b9\u5f0f\u662f static \u7684\uff0c\u5728\u542f\u7528 bridge interface \u65f6\u4f1a\u81ea\u52a8\u66f4\u6539\u914d\u7f6e\u5bfc\u81f4 offline\u3002\u6539\u6210 manual \u7981\u6b62\u5b83\u7684\u81ea\u52a8\u884c\u4e3a\u4e4b\u540e\u5c31\u6ca1\u4e8b\u4e86\u3002

    "},{"location":"services/mirrors/3/","title":"mirrors3","text":"

    2020 \u5e74\u521d\u4ece\u56fe\u4e66\u9986\u6280\u672f\u90e8\u83b7\u5f97\u7684\u4e00\u53f0\u65e7\u670d\u52a1\u5668\uff0c\u4e3a\u6234\u5c14 PowerEdge R510\uff0c\u8d1f\u8f7d\u6bd4\u8f83\u6742\u4e71\u3002

    \u53c2\u6570 \u914d\u7f6e CPU \u53cc\u8def\u81f3\u5f3a E5620 \u5185\u5b58 32 GB DDR3 \u5b58\u50a8 1 TB*2 (HDD), 2 TB*5 (HDD), 3 TB*1 (HDD) 1 TB (SAS HDD), 1.8 TB* 3 (SATA HDD), 1 TB (SATA HDD) \u540c\u53cb iSCSI \u9635\u5217\uff0c4 TB*16 (HDD) \u7f51\u7edc 1 Gbps * 2

    \u5b58\u50a8\u7ed3\u6784\uff1a

    \u6ce8\u610f\u4e8b\u9879

    \u7531\u4e8e PERC 6/i \u9635\u5217\u5361\u7684\u9650\u5236\uff0c\u7269\u7406\u78c1\u76d8\u5927\u5c0f\u6700\u5927\u652f\u6301 2TB\uff08SAS 4TB \u76d8\u65e0\u6cd5\u8bc6\u522b\u5927\u5c0f\uff09\u3002\u5728\u5c06 SAS \u574f\u76d8\u79fb\u9664\u540e\uff0c\u76ee\u524d\uff082022/5/10\uff09rootfs VD \u5904\u4e8e degraded \u72b6\u6001\u3002

    PERC H700 \u9635\u5217\u5361\u7531\u4e8e\u7f3a\u5c11\u4e24\u6839 SAS \u8f6c\u63a5\u7ebf\uff0c\u5e76\u4e14 mirrors3 \u673a\u67b6\u524d\u53f3\u4fa7\u8f68\u9053\u5904\u65e0\u6cd5\u89e3\u9664\u9501\u5b9a\uff0c\u4e14\u66f4\u6362\u9635\u5217\u5361\u9700\u8981\u5c06\u5176\u4ed6\u6269\u5c55\u5361\u5168\u90e8\u79fb\u9664\uff08\u53c2\u89c1 PowerEdge R510 \u786c\u4ef6\u7528\u6237\u624b\u518c\uff09\uff0c\u7ed9\u65b0\u9635\u5217\u5361\u5b89\u88c5\u5e26\u6765\u4e86\u5f88\u5927\u7684\u96be\u5ea6\u3002

    1 TB * 2

    \u4f4d\u4e8e\u673a\u8eab\uff0c\u7ec4\u6210 RAID1 \u5b89\u88c5\u64cd\u4f5c\u7cfb\u7edf\uff0c\u6302\u8f7d\u4e3a rootfs

    2 TB * 5 + 3 TB * 1

    \u540c\u6837\u4f4d\u4e8e\u673a\u8eab\uff0c\u7ec4\u6210 RAID6 \u5b58\u653e\u8d44\u6599\uff08\u6240\u4ee5\u552f\u4e00\u4e00\u5757 3 TB \u7684\u786c\u76d8\u5b9e\u9645\u4e0a\u5f53\u505a 2 TB \u7684\u6765\u7528\uff09

    \u5916\u90e8\u9635\u5217\uff0c4 TB * 16

    \u901a\u8fc7 SFP+ \u5149\u7ea4\u6302\u8f7d\u4e3a iSCSI \u8bbe\u5907\uff0c\u5206\u4e3a\u4e24\u7ec4 RAID60\uff08\u53ef\u7528\u5bb9\u91cf\u4e3a 12 \u5757\u76d8\uff09\u5b58\u50a8\u8d44\u6599

    "},{"location":"services/mirrors/4/","title":"mirrors4","text":"

    mirrors4 \u662f 2020 \u5e74 3 \u6708 24 \u65e5\u7f51\u7edc\u4fe1\u606f\u4e2d\u5fc3\u63d0\u4f9b\u7ed9 LUG \u7684\u65b0\u673a\u5668\uff0c\u662f\u4e00\u53f0\u6d6a\u6f6e NF5280M5\u3002

    "},{"location":"services/mirrors/4/#_1","title":"\u786c\u4ef6\u914d\u7f6e","text":"CPU

    \u53cc\u8def Intel Xeon Gold 6230

    \u5185\u5b58

    256 GB DDR4 2933 (8 * 32 GB SKHynix)

    \u786c\u76d8

    \u4e00\u5757\u4e09\u661f PM883 2TB

    12 \u5757 HGST HUH721010AL (10 TB)

    \u4e24\u4e2a\u786c\u76d8\u63a7\u5236\u5668 MegaRAID SAS-3 3108

    \u786c\u76d8\u63a7\u5236\u5668

    \u7531\u4e8e\u4e0d\u80fd\u8de8\u63a7\u5236\u5668\u7ec4 RAID \u6216 LUN\uff0c\u4e14\u6bcf\u4e2a\u63a7\u5236\u5668\u53ea\u6709 8 \u4e2a\u63d2\u69fd\uff0c\u56e0\u6b64\u5c06 12 \u5757 HDD \u5206\u4e3a 6 \u5757\u4e00\u7ec4\u63d2\u5728\u4e24\u4e2a\u63a7\u5236\u5668\u4e0a\u7ec4\u6210 RAID6\uff0c\u4ee5\u4e24\u4e2a\u903b\u8f91\u5377\u5448\u73b0\u7ed9\u64cd\u4f5c\u7cfb\u7edf\uff0c\u4e0a\u5c42\u7528 LVM \u5904\u7406\u3002SSD \u5355\u72ec\u521b\u5efa\u4e00\u4e2a\u903b\u8f91\u5377\u7ed9\u64cd\u4f5c\u7cfb\u7edf\u3002

    \u7f51\u5361

    \u677f\u8f7d Intel X722 GbE (4 \u4e2a\u5343\u5146\u7f51\u53e3)

    PCI-e \u6269\u5c55\u5361\uff1aIntel X520 (82599ES) SFP+ (2 \u4e2a\u4e07\u5146\u5149\u53e3)

    "},{"location":"services/mirrors/4/repos/","title":"Repositories","text":"

    mirrors4 \u4e0a\u7684\u4ed3\u5e93\u548c mirrors2/3 \u4e00\u6837\uff0c\u4f4d\u4e8e /srv/repo\u3002\u4ed3\u5e93\u5bb9\u91cf\u4f7f\u7528 XFS \u7684 quota \u529f\u80fd\u76d1\u89c6\u3002

    Todo

    \u9700\u8981\u8865\u5145\uff1a\u5220\u9664\u4ed3\u5e93\u4e0e\u91cd\u547d\u540d\u4ed3\u5e93 (mv \u548c rm \u53ef\u80fd\u592a\u6162\u4e86)

    "},{"location":"services/mirrors/4/repos/#_1","title":"\u6dfb\u52a0\u4e00\u4e2a\u65b0\u4ed3\u5e93","text":""},{"location":"services/mirrors/4/repos/#xfs-project","title":"\u521b\u5efa XFS project","text":"

    \u4e3a\u65b0\u4ed3\u5e93\u521b\u5efa XFS quota \u4ee5\u4fbf\u4e8e\u76d1\u89c6\u5bb9\u91cf\u3002\u9996\u5148\u68c0\u67e5 /etc/projects \u548c /etc/projid\uff0c\u627e\u5230\u5927\u4e8e 1000 \u7684 ID \u5e8f\u5217\uff0c\u627e\u51fa\u4e0b\u4e00\u4e2a ID\uff08\u4f8b\u5982 1111\uff0c\u4e0b\u9762\u4f7f\u7528\u8fd9\u4e2a\u4f5c\u4e3a\u4f8b\u5b50\uff09\u3002

    mkdir /srv/repo/example\n

    \u7f16\u8f91 /etc/projects\uff0c\u52a0\u5165\u5982\u4e0b\u4e00\u884c

    1111:/srv/repo/example\n

    \u7136\u540e\u6267\u884c\uff1a

    xfs_quota -x -c 'project -s 1111'\n

    \u7f16\u8f91 /etc/projid\uff0c\u52a0\u5165\u5982\u4e0b\u4e00\u884c

    example:1111\n

    \u4fe1\u606f

    \u6211\u4eec\u7684\u955c\u50cf\u7ba1\u7406\u5668 Yuki \u6839\u636e\u955c\u50cf\u76ee\u5f55\u7684\u6700\u540e\u4e00\u6bb5\u540d\u79f0\uff08\u5373 basename\uff09\u6765\u4ece XFS \u4e2d\u83b7\u53d6\u5bb9\u91cf\u4fe1\u606f\uff0c\u56e0\u6b64 /etc/projid \u6587\u4ef6\u5185\u5bb9\u6b63\u786e\u624d\u80fd\u4f7f Yuki \u5f97\u5230\u6b63\u786e\u7684\u5bb9\u91cf\u3002

    "},{"location":"services/mirrors/4/repos/#_2","title":"\u4fbf\u6377\u914d\u7f6e\u811a\u672c","text":"
    #!/bin/bash\n\n# Determine largest project ID\nnext_id() {\n  local PROJID=$(cut -d':' -f1 /etc/projects | sort -n | tail -1)\n  echo $((++PROJID))\n}\n\nBASE=\"/srv/repo\"\nreadonly BASE\n\nif [ \"$1\" = \"-m\" ]; then\n  MKDIR=yes\n  shift\nfi\n\nwhile [ $# -ne 0 ]; do\n  N=\"${1//\\//}\"\n  shift\n  if grep -q \"$BASE/$N\\$\" /etc/projects; then\n    echo \"Repo $N exists, skipped.\" >&2\n    continue\n  fi\n\n  if [ ! -e \"$BASE/$N\" ]; then\n    if [ -n \"$MKDIR\" ]; then\n      echo \"Path $BASE/$N does not exist, creating directory.\" >&2\n      mkdir -p \"$BASE/$N\"\n    else\n      echo \"Path $BASE/$N does not exist, ignored.\" >&2\n      continue\n    fi\n  elif [ ! -d \"$BASE/$N\" ]; then\n    echo \"Path $BASE/$N is not a directory, ignored.\" >&2\n    continue\n  fi\n\n  ID=\"$(next_id)\"\n  echo \"$ID:$BASE/$N\" >> /etc/projects\n  echo \"$N:$ID\" >> /etc/projid\n  xfs_quota -x -c \"project -s $ID\" &>/dev/null\n  echo \"Added $N (ID $ID)\"\ndone\n
    "},{"location":"services/mirrors/4/repos/#_3","title":"\u6dfb\u52a0\u540c\u6b65\u914d\u7f6e","text":"

    \u7167\u7740 /home/mirror/repos \u4e0b\u7684\u73b0\u6709\u6587\u4ef6\u81ea\u5df1\u7814\u7a76\u4e00\u4e0b\u5427\uff0c\u8fd9\u4e2a\u4e0d\u96be\u3002\u9700\u8981\u6ce8\u610f\u7684\u5c31\u4e00\u70b9\uff0c\u6587\u4ef6\u540d\u7ed3\u5c3e\u5fc5\u987b\u662f .yaml\uff08\u800c\u4e0d\u80fd\u662f .yml\uff09\uff0c\u8fd9\u662f Yuki \u4ee3\u7801\u91cc\u5199\u7684\u3002

    \u5199\u597d\u65b0\u4ed3\u5e93\u7684\u914d\u7f6e\u6587\u4ef6\u4e4b\u540e\u8fd0\u884c yuki reload\uff0c\u7136\u540e yuki sync <repo> \u5c31\u53ef\u4ee5\u5f00\u59cb\u521d\u6b21\u540c\u6b65\u4e86\u3002

    "},{"location":"services/mirrors/4/repos/#git-srvgit","title":"\u4e3a Git \u7c7b\u578b\u4ed3\u5e93\u6dfb\u52a0\u8f6f\u94fe\u63a5\u81f3 /srv/git","text":"

    git-daemon.service \u6839\u636e /srv/git \u4e0b\u7684\u5185\u5bb9\u5bf9\u5916\u63d0\u4f9b Git \u670d\u52a1\u3002\u6240\u4ee5\u5982\u679c\u662f git \u7c7b\u578b\u7684\u4ed3\u5e93\uff0c\u9700\u8981\u6dfb\u52a0\u8f6f\u94fe\u63a5\uff0c\u5426\u5219\u65e0\u6cd5\u4f7f\u7528 git:// \u7684\u534f\u8bae\u8bbf\u95ee\u3002\uff08http(s):// \u534f\u8bae\u6ca1\u6709\u95ee\u9898\uff09

    Git \u4ed3\u5e93\u670d\u52a1\u7684\u5176\u4ed6\u76f8\u5173\u914d\u7f6e

    \u90e8\u5206\u514b\u9686\u914d\u7f6e (See https://github.com/ustclug/discussions/issues/432)\uff1a

    /etc/gitconfig
    [uploadpack]\n    allowfilter = true\n
    "},{"location":"services/mirrors/4/repos/#quota","title":"\u67e5\u770b quota \u60c5\u51b5","text":"

    \u8fd0\u884c\u4ee5\u4e0b\u547d\u4ee4\uff1a

    xfs_quota -c 'df -h'\n
    "},{"location":"services/mirrors/4/volumes/","title":"Volumes on mirrors4","text":"

    \u4ecb\u7ecd\u9875\u8bb2\u8fc7\u4e86\uff0c\u63a7\u5236\u5668\u7684\u5751\u5bfc\u81f4\u4e0d\u80fd\u76f4\u63a5\u628a 12 \u5757\u786c\u76d8\u7ec4\u6210\u4e00\u4e2a\u903b\u8f91\u78c1\u76d8\uff0c\u56e0\u6b64\u6211\u4eec\u5728\u4e0a\u5c42\u4f7f\u7528 LVM \u6765\u89e3\u51b3\u8fd9\u4e2a\u95ee\u9898\u3002

    "},{"location":"services/mirrors/4/volumes/#_1","title":"\u78c1\u76d8\u5206\u533a","text":"

    \u6ce8\u610f

    \u8fd9\u91cc\u7ed9\u51fa\u7684\u547d\u4ee4\u4ec5\u7528\u4e8e\u5c55\u793a\u5206\u533a\uff08\u5377\uff09\u7684\u521b\u5efa\u65b9\u5f0f\uff0c\u9664\u975e\u5b8c\u5168\u91cd\u88c5\uff0c\u5426\u5219\u4e0d\u5e94\u8be5\u6267\u884c\u5176\u4e2d\u4efb\u4f55\u4e00\u6761\u6709\u526f\u4f5c\u7528\u7684\u547d\u4ee4\u3002

    \u64cd\u4f5c\u7cfb\u7edf\u770b\u5230\u4e09\u4e2a\u786c\u76d8\uff1a\u4e24\u4e2a RAID6 \u5927\u76d8\uff0840 TB / 36.4 TiB\uff09\u548c\u4e00\u4e2a SSD\uff082 TB / 1.86 TiB\uff09\u3002\u8bbe\u4e24\u4e2a\u5927\u76d8\u4e3a /dev/sda \u548c /dev/sdb\uff0cSSD \u4e3a /dev/sdc\u3002

    \u7531\u4e8e\u542f\u52a8\u5206\u533a\u4e0d\u80fd\u653e\u5728 LVM \u4e0a\uff0c\u56e0\u6b64\u4ee5\u5982\u4e0b\u65b9\u5f0f\u521b\u5efa\u5206\u533a\uff1a

    root@mirrors4:~# fdisk -l /dev/sda\nDisk /dev/sda: 36.4 TiB, 40001177911296 bytes, 78127300608 sectors\nDisk model: MR9361-8i\nUnits: sectors of 1 * 512 = 512 bytes\nSector size (logical/physical): 512 bytes / 4096 bytes\nI/O size (minimum/optimal): 262144 bytes / 262144 bytes\nDisklabel type: gpt\nDisk identifier: AAAAAAAA-AAAA-AAAA-AAAA-AAAAAAAAAAAA\n\nDevice       Start         End     Sectors  Size Type\n/dev/sda1     2048        4095        2048    1M BIOS boot\n/dev/sda2     4096     1052671     1048576  512M EFI System\n/dev/sda3  1052672 78127300574 78126247903 36.4T Linux LVM\n

    sdb \u7684\u53c2\u6570\u5b8c\u5168\u4e00\u6837\u3002

    \u5b9e\u9645\u7684\u542f\u52a8\u5206\u533a\u4e3a /dev/sda2\uff0c\u5c06\u5176 dd \u5230 /dev/sdb2 \u505a\u5907\u4efd\u3002

    \u7136\u540e\u662f SSD \u7684\u5206\u533a\uff1a

    Disk /dev/sdc: 1.8 TiB, 1919816826880 bytes, 3749642240 sectors\nDisk model: MR9361-8i\nUnits: sectors of 1 * 512 = 512 bytes\nSector size (logical/physical): 512 bytes / 4096 bytes\nI/O size (minimum/optimal): 65536 bytes / 65536 bytes\nDisklabel type: gpt\nDisk identifier: AAAAAAAA-AAAA-AAAA-AAAA-AAAAAAAAAAAA\n\nDevice     Start        End    Sectors  Size Type\n/dev/sdc1   2048 3749642206 3749640159  1.8T Linux LVM\n
    "},{"location":"services/mirrors/4/volumes/#lvm","title":"LVM","text":"

    \u628a sda3 \u548c sdb3 \u90fd\u653e\u8fdb LVM\uff1a

    # fdisk \u5206\u533a\u5b8c\u6bd5\uff0cw \u5199\u5165\u9000\u51fa\npvcreate /dev/sda3 /dev/sdb3\nvgcreate lug /dev/sda3 /dev/sdb3\n

    \u521b\u5efa rootfs\uff0c\u8fd9\u91cc\u4ee5 RAID1 \u7684\u65b9\u5f0f\uff08--type mirror \u6216 --type raid1\uff09\u521b\u5efa\u8fd9\u4e2a\u5206\u533a\uff0c\u8fd9\u6837\u5373\u4f7f sda / sdb \u574f\u6389\u4e00\u6574\u7ec4\u4e4b\u540e\u8fd8\u6709 rootfs \u53ef\u4ee5\u7528\u3002

    lvcreate -n root -L 32G --type mirror -m 2 lug\nmkfs.ext4 /dev/lug/root\n

    \u521b\u5efa home\uff0c\u8fd9\u91cc\u53cd\u6b63\u4e0d\u6015\u574f\uff0c\u7528 RAID0\uff08--type striped \u6216 --type raid0\uff09\u3002

    lvcreate -n root -L 64G --type striped -i 2 lug\nmkfs.ext4 /dev/lug/home\n

    \u521b\u5efa\u653e\u955c\u50cf\u7684\u5206\u533a\uff0c\u8fd9\u6b21\u8981\u7528 xfs

    XFS \u4e0d\u652f\u6301\u7f29\u5c0f

    \u56e0\u6b64\u6211\u4eec\u5728\u521d\u88c5\u65f6\u9009\u62e9\u4e3a\u5176\u5206\u914d 48 TiB \u7684\u7a7a\u95f4\uff0c\u800c\u4e0d\u662f VG lug \u7684\u5269\u4f59\u5168\u90e8\u2014\u2014\u8fd9\u6837\u65b9\u4fbf\u4ee5\u540e\u7ef4\u62a4

    lvcreate -n repo -L 48T --type striped -i 2 lug\nmkfs.xfs /dev/lug/repo\n

    \u5176\u5b9e\u672c\u6765\u8981\u8c03\u4e00\u4e0b\u53c2\u7684\uff0c\u4e0d\u8fc7\u6839\u636e Arch Wiki\uff0cmkfs.xfs \u7684\u9ed8\u8ba4\u53c2\u6570\u5c31\u662f\u6700\u4f18\u7684\uff0c\u6240\u4ee5\u6211\u4eec\u51b3\u5b9a\u4e0d\u52a8\u4e86\u3002

    "},{"location":"services/mirrors/4/volumes/#ssd","title":"SSD","text":"

    SSD \u7684\u7528\u9014\u4e3a\u5b58\u653e Docker \u6570\u636e /var/lib/docker\uff088 GiB \u5c31\u591f\u4e86\uff0c\u4f46\u662f overlay2 \u7684\u540e\u7aef\u7528 ext4 \u66f4\u597d\uff09\uff0c\u5269\u4e0b\u7528\u4f5c lvmcache(7)\u3002

    iBug \u5907\u6ce8

    \u867d\u7136\u4f3c\u4e4e\u6ca1\u6709\u8fd9\u6837\u505a\uff08\u5148\u521b\u5efa\u5355\u72ec\u7684 VG \u518d\u5408\u5e76\uff09\u7684\u5fc5\u8981\uff0c\u4f46\u662f\u8fd9\u4e48\u505a\u4e00\u5b9a\u4e0d\u4f1a\u51fa\u9519\uff0c\u5c31\u8fd9\u6837\u5427\u3002

    \u5728 SSD \u4e0a\u65b0\u5efa\u4e00\u4e2a VG\uff1a

    # fdisk \u521b\u5efa\u552f\u4e00\u4e00\u4e2a\u5206\u533a sdc1\uff0c\u4fdd\u5b58\u9000\u51fa\npvcreate /dev/sdc1\nvgcreate ssd /dev/sdc1\n

    \u521b\u5efa Docker \u6570\u636e\u76d8\uff1a

    lvcreate -L 8G -n docker ssd\nmkfs.ext4 /dev/ssd/docker\n

    \u91cd\u8981\uff1a\u521b\u5efa\u7f13\u5b58\u76d8\u548c\u7f13\u5b58\u5143\u6570\u636e\u76d8\u3002\u6839\u636e Red Hat Documentation \u7684\u4ecb\u7ecd\uff0c\u5148\u624b\u52a8\u521b\u5efa\u6570\u636e\u76d8\u548c\u5143\u6570\u636e\u76d8\uff0c\u7136\u540e\u5c06\u4ed6\u4eec\u5408\u5e76\u4e3a\u4e00\u4e2a cache pool\u3002\u5927\u5c0f\u65b9\u9762\uff0c\u6587\u7ae0\u7684\u53c2\u8003\u662f 2G data \u2194 12M meta\uff0c\u8fd9\u91cc\u6211\u4eec\u6709\u63a5\u8fd1 2 TB \u7684 data\uff0c\u5c31\u5206\u914d 16 GB \u4f5c\u4e3a meta \u5427\u3002

    lvcreate -L 16G -n mcache_meta ssd\nlvcreate -l 100%FREE -n mcache ssd\nlvreduce -l -2048 ssd/mcache\nlvconvert --type cache-pool --poolmetadata ssd/mcache_meta --cachemode writethrough -c 1M --config allocation/cache_pool_max_chunks=2000000 ssd/mcache\n

    \u8fd9\u91cc\u7684\u7f13\u5b58\u6a21\u5f0f\u91c7\u7528 passthrough\uff0c\u5373\u5199\u5165\u52a8\u4f5c\u7ed5\u8fc7\u7f13\u5b58\u76f4\u63a5\u5199\u56de\u539f\u8bbe\u5907\uff08\u5f53\u7136\u5566\uff0c\u5199\u5165\u90fd\u662f\u7531\u4ece\u4e0a\u6e38\u540c\u6b65\u4ea7\u751f\u7684\uff09\uff0c\u53e6\u5916\u4e24\u79cd writeback \u548c writethrough \u90fd\u4f1a\u5199\u5165\u7f13\u5b58\uff0c\u4e0d\u662f\u6211\u4eec\u60f3\u8981\u7684\u3002 passthrough \u6a21\u5f0f\u4e2d\uff0c\u8bfb\u5199\u90fd\u4f1a\u7ed5\u8fc7 cache\uff0c\u552f\u4e00\u7684\u4f5c\u7528\u662f write hit \u4f1a\u4f7f\u5f97 cache \u5bf9\u5e94\u7684\u5757\u5931\u6548\u3002

    \u8fd9\u91cc\u4f7f\u7528 writeback \u6a21\u5f0f\uff0c\u56e0\u4e3a\u4ed3\u5e93\u6570\u636e\u6ca1\u4e86\u8fd8\u80fd\u518d\u540c\u6b65\uff0c\u4f7f\u7528 writeback \u63d0\u5347\u6027\u80fd\u66f4\u5408\u9002\u3002

    \u51fa\u4e8e\u7a33\u5b9a\u8003\u8651\uff0c\u4f7f\u7528 writethrough \u6a21\u5f0f\u3002\uff08\u6211\u4eec\u7684 Cache \u592a\u5927\u4e86\uff0cwriteback \u53ef\u80fd\u4f1a\u5f04\u574f\u4e0d\u5c11\u4e1c\u897f\uff0c\u5982\u679c metadata \u574f\u4e86\u5c31\u66f4\u9ebb\u70e6\u4e86\uff09

    \u5751

    \u76f4\u63a5\u4f7f\u7528 lvconvert(8) \u5c1d\u8bd5\u5408\u5e76\u4f1a\u5bfc\u81f4\u5410\u69fd\uff0c\u8fd9\u662f\u4e0a\u9762 lvreduce(8) \u7684\u539f\u56e0\u3002

    Volume group \"ssd\" has insufficient free space (0 extents): 2048 required.\n

    iBug \u5907\u6ce8

    LVM \u63a8\u8350\u7684\u662f\u4e00\u4e2a\u7f13\u5b58\u6c60\u91cc\u4e0d\u8d85\u8fc7 100 \u4e07\u4e2a chunk\uff08\u8fd9\u4e5f\u662f allocation/cache_pool_max_chunks \u7684\u9ed8\u8ba4\u503c\uff09\uff0c\u4f46\u662f\u8fd9\u6837\u6bcf\u4e2a chunk \u7684\u6700\u5c0f\u5927\u5c0f\u4e3a 1.84 MiB \u592a\u5927\u4e86\uff0c\u8003\u8651\u5230\u6211\u4eec\u6709\u8db3\u591f\u7684 CPU \u548c\u5185\u5b58\uff0c\u8fd9\u91cc\u5c31\u94e4\u800c\u8d70\u9669\u5c1d\u8bd5\u4e00\u4e0b\u8f83\u5927\u7684 chunk count\u3002

    \u5751 2

    \u7f13\u5b58\u76d8\uff08cache pool\uff09\u548c\u88ab\u7f13\u5b58\u7684\u5377\u5fc5\u987b\u5728\u540c\u4e00\u4e2a VG \u4e2d\u3002

    \u5751 3 (taoky \u5907\u6ce8)

    LVM Cache \u7684\u5e95\u5c42\u662f\u5728\u5185\u6838\u5b9e\u73b0\u7684 dm-cache\u3002\u76ee\u524d\u5df2\u77e5\u7684\u5751\u5982\u4e0b\uff1a

    1. \u5f53\u51fa\u73b0 dirty blocks\uff08\u4e14 cache policy \u4e3a cleaner \u65f6\uff09\uff0c\u65e0\u6cd5\u6b63\u5e38 flush\u3002\u7f51\u7edc\u4e0a\u53ef\u4ee5\u627e\u5230\u7684\u8fd9\u4e2a bug \u7684\u89e3\u51b3\u65b9\u6cd5\u662f\u589e\u5927 migration_threshold \u7684\u503c\uff08\u5728\u65b0\u7248\u672c LVM \u4e2d\uff0cmigration_threshold \u9ed8\u8ba4\u81f3\u5c11\u4f1a\u662f chunk size \u7684 8 \u500d\uff0c\u5728\u6211\u4eec\u7684\u914d\u7f6e\u4e0b\u5c31\u662f 16384 = 2048 * 8\u3002\u8fd9\u4e2a\u7248\u672c\u7684 LVM \u6682\u65f6\u4e0d\u5728 Buster \u4e2d\uff09\uff0c\u4f46\u662f\u7ecf\u8fc7\u6d4b\u8bd5\uff0c\u5355\u7eaf\u589e\u5927 migration_threshold \u6ca1\u6709\u4efb\u4f55\u6548\u679c\u3002Jiahao \u7ffb\u4e86\u4e00\u4e0b dm-cache \u7684\u6e90\u4ee3\u7801\uff0c\u53d1\u73b0 flush \u7684\u6761\u4ef6\u5728 https://elixir.bootlin.com/linux/latest/source/drivers/md/dm-cache-target.c#L1649\uff0c\u53ea\u5728\u72b6\u6001\u4e3a IDLE \u65f6\u624d\u4f1a flush\u3002IDLE \u7684\u7b2c\u4e00\u4e2a\u6761\u4ef6\u9700\u8981 inflight io = 0\uff0c\u6bd4\u8f83\u82db\u523b\uff0c\u53ef\u80fd\u662f\u65e0\u6cd5\u6b63\u5e38 flush \u7684\u539f\u56e0\u3002

      \u4e00\u4e2a\u626d\u66f2\u7684\u89e3\u51b3\u65b9\u6cd5\u662f\uff1a\u5148\u628a migration_threshold \u8bbe\u7f6e\u5f97\u5f88\u5927\uff08\u8bbe\u5927\u5c0f\u4e3a x\uff09\uff0c\u7136\u540e\u9a6c\u4e0a\u7f29\u5c0f\uff0c\u8fd9\u6837\u5c31\u80fd\u628a x \u90a3\u4e48\u591a\u5927\u5c0f\u7684\u810f\u5757\u5f04\u6389\uff08\u539f\u7406\u6682\u65f6\u4e0d\u660e\uff0c\u9700\u8981\u8865\u5145\uff09\u3002\u57fa\u4e8e\u8fd9\u4e2a\u65b9\u6cd5\uff0c\u53ef\u4ee5\u5199\u4e00\u4e2a\u811a\u672c\u6765\u505a flush \u7684\u5de5\u4f5c\uff1a

      # dirty hack\nsudo lvchange --cachepolicy cleaner lug/repo\nfor i in `seq 1 1500`; do sudo lvchange --cachesettings migration_threshold=2113536 lug/repo && sudo lvchange --cachesettings migration_threshold=16384 lug/repo && echo $i && sleep 15; done;\n# \u9700\u8981\u786e\u8ba4\u6ca1\u6709\u810f\u5757\u3002\u5982\u679c\u8fd8\u6709\u7684\u8bdd\u7ee7\u7eed\u6267\u884c\uff08\u6b21\u6570\u8c03\u5c0f\u4e00\u4e9b\uff09\n# \u5982\u679c\u662f\u4ece writeback \u5207\u6362\uff0c\u9700\u8981\u5148\u628a\u6a21\u5f0f\u5207\u5230 writethrough\n# \u7136\u540e\u518d\u4fee\u6539 cachepolicy \u5230 smq\nsudo lvchange --cachepolicy smq lug/repo\n

      \u5728\u6267\u884c\u65f6\uff0c\u53ef\u4ee5\u67e5\u770b\uff1a

      sudo dmsetup status lug-repo\n# \u5728 \"metadata2\" \u524d\u9762\u7684\u524d\u9762\u7684\u6570\u5b57\u5c31\u662f dirty block \u7684\u6570\u91cf\n# \u5982\u679c\u4e0d\u5728\u6267\u884c lvchange\uff08\u6ca1\u6709\u8fdb\u7a0b\u62a2\u5360\u4e86 LVM \u7684\u9501\uff09\uff0c\u53ef\u4ee5\u6267\u884c\u4ee5\u4e0b\u547d\u4ee4\u786e\u8ba4\u810f\u5757\u6570\u91cf\u4ee5\u53ca\u5176\u4ed6\u4e00\u4e9b\u53c2\u6570\u3002\nsudo lvs -o name,cache_policy,cache_settings,chunk_size,cache_used_blocks,cache_dirty_blocks /dev/mapper/lug-repo\n
    2. \u6bcf\u6b21 unclean shutdown \u4e4b\u540e\uff0ccache \u4e2d\u6240\u6709\u5757\u90fd\u4f1a\u88ab\u6807\u8bb0\u4e3a dirty\u3002\u5c3d\u7ba1\u4e0d\u592a\u53ef\u80fd\u963b\u585e\u7cfb\u7edf\u542f\u52a8\uff0c\u8fd9\u53ef\u80fd\u4f1a\u7ed9 HDD \u4e00\u5b9a\u7684\u538b\u529b\u3002

    3. \u6269\u5927 lug/repo \u7684\u5927\u5c0f\u524d\u9700\u8981 uncache\uff0c\u4e14 uncache \u7684\u524d\u63d0\u6761\u4ef6\u662f\u6ca1\u6709\u810f\u5757\u3002

    \u5751 4

    \u4fee\u6539 migration_threshold \u7b49\u8bbe\u7f6e\u4f1a\u5bfc\u81f4\u76ee\u524d\u7248\u672c\u7684 GRUB \u65e0\u6cd5\u6b63\u786e\u8bc6\u522b LVM \u5143\u6570\u636e\u3002

    \u4e34\u65f6\u4fee\u590d\u7248\u672c\uff1ahttps://github.com/taoky/grub/releases/tag/2.02%2Bdfsg1-20%2Bdeb10u4taoky3_amd64\u3002\u76ee\u524d\u5df2\u90e8\u7f72\uff0c\u4e14\u8bbe\u7f6e\u4e86 apt hold\u3002

    \u6240\u4ee5\u63a5\u4e0b\u6765\u8981\u5408\u5e76 VG\uff0c\u7136\u540e\u624d\u80fd\u4e3a\u4ed3\u5e93\u5377\u52a0\u4e0a\u7f13\u5b58\u3002

    lvchange -a n ssd/docker\nvgmerge lug ssd\nlvconvert --type cache --cachepool lug/mcache lug/repo\n

    \u63a5\u4e0b\u6765\u6302\u4e0a Docker \u5377\uff08\u6ce8\u610f VG \u540d\u5df2\u7ecf\u4ece ssd \u53d8\u6210\u4e86 lug\uff09\uff1a

    lvchange -a y lug/docker\nmount /dev/lug/docker /var/lib/docker\n
    "},{"location":"services/mirrors/4/volumes/#repo","title":"repo \u6269\u5bb9","text":"

    \u67e5\u770b\u5f53\u524d\u903b\u8f91\u5377\u4fe1\u606f\uff1a

    # lvs -a -o +devices\n  LV              VG  Attr       LSize   Pool     Origin       Data%  Meta%  Move Log         Cpy%Sync Convert Devices\n  backup          lug -wi-ao----   8.00g                                                                       /dev/sda3(6307840)\n  docker          lug -wi-ao----  64.00g                                                                       /dev/sdc1(0)\n  docker2         lug -wi-a----- 300.00g                                                                       /dev/sda3(7925248)\n  home            lug -wi-ao----  64.00g                                                                       /dev/sda3(8192),/dev/sdb3(8193)\n  log             lug -wi-ao---- 300.00g                                                                       /dev/sda3(6309888),/dev/sdb3(6307841)\n  log             lug -wi-ao---- 300.00g                                                                       /dev/sda3(7888896),/dev/sdb3(7882753)\n  [lvol0_pmspare] lug ewi-------  16.00g                                                                       /dev/sda3(7884800)\n  [mcache]        lug Cwi---C---   1.50t                       99.99  0.12                    0.00             mcache_cdata(0)\n  [mcache_cdata]  lug Cwi-ao----   1.50t                                                                       /dev/sdc1(20480)\n  [mcache_cmeta]  lug ewi-ao----  16.00g                                                                       /dev/sdc1(16384)\n  repo            lug Cwi-aoC---  60.00t [mcache] [repo_corig] 99.99  0.12                    0.00             repo_corig(0)\n  [repo_corig]    lug owi-aoC---  60.00t                                                                       /dev/sda3(16384),/dev/sdb3(16385)\n  [repo_corig]    lug owi-aoC---  60.00t                                                                       /dev/sda3(6311936),/dev/sdb3(6309889)\n  root            lug mwi-aom---  32.00g                                          
[root_mlog] 100.00           root_mimage_0(0),root_mimage_1(0)\n  [root_mimage_0] lug iwi-aom---  32.00g                                                                       /dev/sda3(0)\n  [root_mimage_1] lug iwi-aom---  32.00g                                                                       /dev/sdb3(0)\n  [root_mlog]     lug lwi-aom---   4.00m                                                                       /dev/sdb3(8192)\n

    \u68c0\u67e5 cache \u662f\u5426\u6709 dirty block\uff1a

    $ sudo lvs -o name,cache_policy,cache_settings,chunk_size,cache_used_blocks,cache_dirty_blocks /dev/mapper/lug-repo\n  LV   CachePolicy CacheSettings Chunk CacheUsedBlocks  CacheDirtyBlocks\n  repo smq                       1.00m          1048551                0\n

    \uff08\u6b63\u5e38\u91cd\u542f\u4e4b\u540e\u53ef\u80fd\u4f1a\u51fa\u73b0 dirty block\uff0c\u539f\u56e0\u4e0d\u660e\u3002\u5982\u679c\u770b\u5230\u6709\u7684\u8bdd\uff0c\u90a3\u53ea\u80fd \u518d\u6b21\u8fdb\u5165\u75db\u82e6\u7684\u8f6e\u56de \u7528\u4e0a\u8ff0\u7684\u65b9\u6cd5\u6e05\u9664\uff0c\u5e76\u4e14\u6e05\u9664\u7684\u65f6\u5019\u5bf9\u7cfb\u7edf\u8d1f\u8f7d\u5f71\u54cd\u5f88\u5927\uff0c\u56e0\u4e3a\u843d\u76d8\u7684\u65f6\u5019\u5176\u4ed6\u8fdb\u7a0b\u5bf9\u5e94\u7684 IO \u4f1a\u88ab\u6682\u505c\uff0c\u5728\u76f8\u5bf9\u5e73\u8861\u65f6\u95f4\u548c\u8d1f\u8f7d\u7684\u547d\u4ee4\u4e0b\uff0c\u4f30\u8ba1\u9700\u8981 10 \u5c0f\u65f6\u7684\u65f6\u95f4\u3002\uff09

    \u7136\u540e uncache\u3001\u6269\u5bb9\uff1a

    # lvconvert --uncache lug/repo\n# lvextend -L +5T lug/repo\n# xfs_growfs /srv\n

    \u7136\u540e\u6062\u590d cache\uff08\u53c2\u8003\u4e0a\u9762 mcache_meta \u548c mcache \u903b\u8f91\u5377\u7684\u914d\u7f6e\uff0c\u8bf7\u6ce8\u610f\u5728\u7406\u89e3\u547d\u4ee4\u540e\u518d\u6267\u884c\uff01\uff09\uff1a

    # lvcreate -L 16G -n mcache_meta lug /dev/sdc1  # SSD \u8bbe\u5907\u8def\u5f84\u91cd\u542f\u540e\u53ef\u80fd\u4f1a\u53d8\u5316\n# lvcreate -l 100%FREE -n mcache lug /dev/sdc1\n# lvreduce -l -2048 lug/mcache\n# lvconvert --type cache-pool --poolmetadata lug/mcache_meta --cachemode writethrough -c 1M --config allocation/cache_pool_max_chunks=2000000 lug/mcache\n# lvconvert --type cache --cachepool lug/mcache lug/repo\n

    \u5751 5

    \u65b0\u5efa\u65f6\u5728\u5012\u6570\u7b2c\u4e8c\u6b65\u7684 lvconvert \u53ef\u80fd\u4f1a\u5361\u6b7b\u8d85\u8fc7\u534a\u5c0f\u65f6\uff08\u4f46\u662f\u6700\u540e\u8fd8\u662f\u80fd\u5b8c\u6210\u7684\uff09\uff0c\u6808\u7684\u4fe1\u606f\u663e\u793a\u6808\u9876\u51fd\u6570\u662f submit_bio_wait()\uff0c\u5728\u6e05\u96f6\u5bf9\u5e94\u7684 block range\uff0c\u56e0\u4e3a RAID \u5361\u4e0d\u652f\u6301\u4e0b\u4f20 discarding \u6240\u4ee5\u4f1a\u5f88\u6162\uff0c\u9700\u8981\u7b49\u4e00\u6bb5\u65f6\u95f4\u3002

    "},{"location":"services/mirrors/4/volumes/#fstab","title":"fstab","text":"

    \u5206\u533a\u5b8c\u6bd5\u540e\u7ed9 /etc/fstab \u8865\u4e0a\u76f8\u5173\u7684\u5185\u5bb9\u5e76\u6302\u8f7d\uff1a

    /dev/mapper/lug-home   /home           ext4 defaults             0 2\n/dev/mapper/lug-docker /var/lib/docker ext4 defaults             0 2\n/dev/mapper/lug-repo   /srv            xfs  defaults,pqnoenforce 0 2\n/dev/mapper/lug-log    /var/log        ext4 defaults             0 2\n

    \uff08\u8fd9\u4e2a log \u5206\u533a\u524d\u9762\u6ca1\u63d0\uff0c\u53cd\u6b63\u50cf\u6a21\u50cf\u6837\u77e5\u9053\u5c31\u884c\u4e86\uff09

    "},{"location":"services/mirrors/4/networking/","title":"Networking on mirrors4","text":"

    \u51fa\u4e8e\u597d\u7528\u7684\u8003\u8651\uff0cmirrors4 \u4e0a\u7684\u7f51\u7edc\u4f7f\u7528 systemd-networkd \u914d\u7f6e\u3002\u4f5c\u4e3a\u5165\u95e8\uff0c\u4e0b\u9762\u662f\u4e24\u4e2a\u53c2\u8003\u94fe\u63a5\uff1a

    Debian \u9ed8\u8ba4\u7528\u7684\u662f ifupdown\uff0c\u628a\u5b83\u76f4\u63a5\u5378\u6389\u5c31\u884c\u4e86\u3002\u5168\u90e8\u914d\u7f6e\u5b8c\u6bd5\u4e4b\u540e\u9700\u8981 systemctl enable systemd-networkd.service \u5e76\u4e14 start \u4e00\u4e0b\uff08\u6216\u8005\u76f4\u63a5\u91cd\u542f\uff09\u3002

    /etc/systemd/network \u76ee\u5f55\u4e0b\u6709\u4e2a Git \u4ed3\u5e93\uff0c\u65b9\u4fbf\u4fdd\u5b58\u4e0e\u6062\u590d

    "},{"location":"services/mirrors/4/networking/#bond","title":"Bond","text":"

    Bond \u7528\u4e8e\u5c06\u591a\u4e2a\u7f51\u5361\u805a\u5408\u5f53\u4f5c\u4e00\u4e2a\u4f7f\u7528\u3002

    "},{"location":"services/mirrors/4/networking/#_1","title":"\u5b50\u7f51\u5361","text":"

    \u5411 /etc/systemd/network/ens41f0.network \u5199\u5165\u5982\u4e0b\u5185\u5bb9\uff1a

    [Match]\nName=ens41f0\n\n[Network]\nBond=bond1\n\n[Link]\nRequiredForOnline=no\n

    \u5373\u53ef\u5c06\u5176\u8bbe\u7f6e\u4e3a bond1 \u7684\u4e00\u4e2a\u5b50\u7f51\u5361\u3002\u7528\u540c\u6837\u65b9\u5f0f\u628a ens41f1 \u4e5f\u8bbe\u4e3a\u5b50\u7f51\u5361\u3002

    \u4e00\u4e2a\u5c0f\u5751

    systemd-networkd \u6709\u4e00\u4e2a\u9ed8\u8ba4\u7684 bond0 \u805a\u5408\u7f51\u5361\uff0c\u6a21\u5f0f\u6c38\u8fdc\u662f round-robin\uff0c\u800c\u4e14\u5c1d\u8bd5\u8bbe\u7f6e\u8fd9\u4e2a\u7f51\u5361\u5f88\u5bb9\u6613\u51fa\u95ee\u9898\uff0c\u6240\u4ee5\u6211\u4eec\u907f\u5f00\u8fd9\u4e2a\u540d\u5b57\uff0c\u7528 bond1\u3002

    "},{"location":"services/mirrors/4/networking/#bond1","title":"bond1 \u805a\u5408\u7f51\u5361","text":"

    \u5199\u5165 /etc/systemd/network/bond1.netdev\uff1a

    [NetDev]\nName=bond1\nKind=bond\n\n[Bond]\nMode=balance-tlb\nMIIMonitorSec=1\n

    \u5173\u4e8e bond \u6a21\u5f0f\uff08balance-tlb vs balance-alb\uff09\uff0c\u53c2\u8003\u8fd9\u4e2a Server Fault \u4e0a\u7684\u56de\u7b54\u3002

    \u7136\u540e\u521b\u5efa VLAN\uff0c\u5199\u5165 /etc/systemd/network/bond1.network\uff1a

    [Match]\nName=bond1\n\n[Network]\nDHCP=no\nVLAN=cernet\nVLAN=telecom\nVLAN=mobile\nVLAN=unicom\n
    "},{"location":"services/mirrors/4/networking/#vlan","title":"VLAN","text":"

    NIC \u673a\u623f\u6709 4 \u4e2a VLAN\uff0c\u5206\u522b\u662f

    \u6ce8\u610f\u8fd9\u51e0\u4e2a\u7f51\u6bb5\u90fd\u6ca1\u6709 DHCP\uff0c\u53ea\u6709\u6559\u80b2\u7f51 VLAN \u6709 IPv6 RA\u3002

    \u4e0b\u9762\u4ee5\u6559\u80b2\u7f51 VLAN \u4e3a\u4f8b\u3002

    \u56e0\u4e3a VLAN \u5728\u7269\u7406\u4e0a\u5c5e\u4e8e\u4e00\u4e2a\u7f51\u5361\uff0c\u56e0\u6b64\u5411\u5bf9\u5e94\u7f51\u5361\u7684 .network \u6587\u4ef6\u7684 [Network] \u6bb5\u8ffd\u52a0\u4e00\u884c\uff08\u89c1\u4e0a\u9762\u4e00\u8282 bond1.network \u6587\u4ef6\uff09\uff1a

    VLAN=cernet\n

    \u521b\u5efa VLAN \u754c\u9762\uff0c\u521b\u5efa cernet.netdev \u5e76\u5199\u5165

    [NetDev]\nName=cernet\nKind=vlan\n\n[VLAN]\nId=95\n

    \u7136\u540e\u5c31\u53ef\u4ee5\u6307\u5b9a IP \u5730\u5740\u7b49\u5177\u4f53\u4fe1\u606f\u4e86\uff0c\u521b\u5efa\u4e00\u4e2a\u540d\u5b57\u76f8\u540c\uff0c\u540e\u7f00\u6362\u6210 .network \u7684\u6587\u4ef6\u5e76\u5199\u5165

    [Match]\nName=cernet\n\n[Network]\nDHCP=no\nAddress=202.38.95.110/25\n#Gateway=202.38.95.126\nAddress=2001:da8:d800:95::110/64\n#Gateway=2001:da8:d800:95::1\nIPv6AcceptRA=false\n

    \u4fdd\u5b58\u540e\u91cd\u542f systemd-networkd.service \u5c31\u53ef\u4ee5\u770b\u5230\u6548\u679c\u4e86\u3002

    \u4e3a\u4ec0\u4e48 Gateway \u88ab\u6ce8\u91ca\u6389\u4e86

    \u6839\u636e systemd \u5b98\u65b9\u6587\u6863\uff0c\u5728 [Network] \u4e00\u8282\u51fa\u73b0\u7684 Gateway= \u7b49\u4ef7\u4e8e\u4e00\u4e2a\u5355\u72ec\u7684\u3001\u4ec5\u5305\u542b\u4e00\u884c Gateway= \u7684 [Route] \u8282\u3002\u7531\u4e8e\u6211\u4eec\u9700\u8981\u6df1\u5ea6\u81ea\u5b9a\u4e49\u8def\u7531\uff0c\u8fd9\u91cc\u4e0d\u65b9\u4fbf\u91c7\u7528\u8fd9\u4e2a\u8fc7\u4e8e\u7b80\u6d01\u7684\u8bbe\u5b9a\uff08\u4f8b\u5982\u5404\u79cd\u9ed8\u8ba4\u503c Table=main \u7b49\uff09\u3002

    "},{"location":"services/mirrors/4/networking/#docker-network","title":"Docker network","text":"

    \u9488\u5bf9\u4e2a\u522b\u4e0d\u652f\u6301 bind address \u7684\u540c\u6b65\u5de5\u5177\uff0c\u6211\u4eec\u901a\u8fc7\u5c06\u5176\u653e\u5165\u7279\u5b9a\u7684 docker network \u6765\u5b9e\u73b0\u9009\u62e9\u7ebf\u8def\u7684\u529f\u80fd\u3002

    \u521b\u5efa\u547d\u4ee4
    docker network create --driver=bridge --subnet=172.17.4.1/24 -o \"com.docker.network.bridge.name=dockerC\" cernet\ndocker network create --driver=bridge --subnet=172.17.5.1/24 -o \"com.docker.network.bridge.name=dockerT\" telecom\ndocker network create --driver=bridge --subnet=172.17.6.1/24 -o \"com.docker.network.bridge.name=dockerM\" mobile\ndocker network create --driver=bridge --subnet=172.17.7.1/24 -o \"com.docker.network.bridge.name=dockerU\" unicom\ndocker network create --driver=bridge --ipv6 --subnet=172.17.8.1/24 --subnet=fd00:6::/64 -o \"com.docker.network.bridge.name=dockerC6\" cernet6\ndocker network create --driver=bridge --subnet=172.17.9.1/24 -o \"com.docker.network.bridge.name=dockerV\" lugvpn\n

    \u7136\u540e\u4f7f\u7528 systemd-networkd \u5bf9\u521b\u5efa\u597d\u7684 docker network \u7f51\u6bb5\u914d\u7f6e\u89c4\u5219\u8def\u7531\u3002

    /etc/systemd/network/cernet.network
    # Docker Cernet\n[RoutingPolicyRule]\nFrom=172.17.4.0/24\nTable=1011\nPriority=5\n\n[RoutingPolicyRule]\nFrom=172.17.8.0/24\nTable=1011\nPriority=5\n

    \u5176\u4ed6\u51e0\u4e2a\u6587\u4ef6\u7c7b\u4f3c\uff0c\u53ea\u9700\u8981\u4fee\u6539\u7f51\u6bb5\u548c Table \u5373\u53ef\u3002

    "},{"location":"services/mirrors/4/networking/#docker-network-cernet6","title":"Docker network: cernet6","text":"

    \u7531\u4e8e\u4e00\u4e9b\u7a0b\u5e8f\u6216\u7cfb\u7edf\u73af\u5883\u5728\u53cc\u6808\u7f51\u7edc\u4e2d\u4ecd\u7136\u4f1a\u4f18\u5148\u5c1d\u8bd5 IPv4\uff0c\u6211\u4eec\u5c06 cernet6 \u7f51\u7edc\u7684 v4 \u516c\u7f51\u8bbf\u95ee\u5c4f\u853d\u6389\u3002

    rules.v4
    *filter\n:FORWARD DROP [0:0]\n# ...\n-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n-A FORWARD -i dockerC6 -j REJECT\n-A FORWARD -i docker+ -j ACCEPT\n
    "},{"location":"services/mirrors/4/networking/misc/","title":"mirrors \u7f51\u7edc\u914d\u7f6e\u6742\u9879","text":""},{"location":"services/mirrors/4/networking/misc/#sniproxy","title":"sniproxy","text":"

    Sniproxy \u7528\u4e8e\u4e3a Docker \u5bb9\u5668\u63d0\u4f9b\u65b9\u4fbf\u7684 HTTP(S) \u7f51\u7edc\u5206\u6d41\u3002\u76ee\u524d\u5728 mirrors \u4e0a\u7528\u4e8e\u4e3a dockerhub \u5bb9\u5668\u63d0\u4f9b\uff08\u5230 Cloudflare \u7684\uff09IPv6 \u63a5\u5165\uff08Docker \u505a IPv6 NAT \u975e\u5e38\u4e0d\u65b9\u4fbf\uff0c\u6240\u4ee5\u4ee5\u6b64\u4e3a\u6743\u5b9c\u4e4b\u4e3e\uff09\uff0c\u4ee5\u63d0\u9ad8\u6821\u5185\u8bbf\u95ee\u65f6\u7684\u901f\u5ea6\u3002

    "},{"location":"services/mirrors/4/networking/misc/#_1","title":"\u914d\u7f6e","text":"

    \u5b89\u88c5 sniproxy\uff0c\u5e76\u4e14 mask \u539f\u670d\u52a1\u914d\u7f6e\uff08\u6211\u4eec\u81ea\u5df1\u5199\u4e00\u4e2a\uff09\uff1a

    sudo apt install sniproxy\nsudo mkdir -p /etc/sniproxy\nsudo systemctl mask sniproxy.service\n

    \u521b\u5efa /etc/systemd/system/sniproxy@.service\uff1a

    [Unit]\nDescription=SNIProxy (%i.conf)\nAfter=network.target network-online.target\nStartLimitIntervalSec=1\n\n[Service]\nType=simple\nExecStart=/usr/sbin/sniproxy -f -c /etc/sniproxy/%i.conf\nRestart=on-failure\nRestartSec=3\n\n[Install]\nWantedBy=multi-user.target\n

    \u5728 /etc/sniproxy \u4e2d\u521b\u5efa\u914d\u7f6e\u3002\u4ee5\u4e0b\u4e3a IPv6 + TLS (443) only \u7684\u914d\u7f6e\u4f8b\u5b50\uff1a

    resolver {\n    nameserver 2001:da8:d800::1\n    mode ipv6_only\n}\n\naccess_log {\n    filename /dev/null\n}\n\nlisten <Bind \u5230\u7684 IP \u5730\u5740>:443 {\n    proto tls\n    reuseport yes\n    table all\n    source <IPv6 \u51fa\u53e3\u5730\u5740>\n}\n\ntable all {\n    .* *\n}\n

    \u6700\u540e\u542f\u52a8\u670d\u52a1\uff1a

    sudo systemctl enable sniproxy@\u914d\u7f6e\u6587\u4ef6\u540d.service\nsudo systemctl start sniproxy@\u914d\u7f6e\u6587\u4ef6\u540d.service\n
    "},{"location":"services/mirrors/4/networking/route/","title":"Routing on mirrors4","text":"

    \u7531\u4e8e mirrors4 \u6ca1\u6709\u4f7f\u7528 ifupdown \u4f5c\u4e3a\u7f51\u7edc\u7ba1\u7406\u7cfb\u7edf\uff0c\u800c\u662f\u91c7\u7528 systemd-networkd\uff0c\u56e0\u6b64\u6211\u4eec\u6ca1\u6709 pre-up, up, down, post-down \u7b49\u8fd0\u884c\u547d\u4ee4\u7684\u65b9\u5f0f\uff0c\u6240\u4ee5 mirrors2 \u4e0a\u4f7f\u7528\u7684\u90a3\u5957\u811a\u672c\uff08ip-route.sh \u7b49\uff09\u65e0\u6cd5\u76f4\u63a5\u5728 mirrors4 \u4e0a\u7ee7\u7eed\u4f7f\u7528\u3002

    \u597d\u5728\u6211\u4eec\u4f7f\u7528 up \u7b49\u8fd0\u884c\u547d\u4ee4\u53ea\u662f\u4e3a\u4e86\u914d\u7f6e\u8def\u7531\uff0c\u56e0\u6b64\u6362\u4e86\u4e2a\u529e\u6cd5\uff0c\u6574\u4e86\u4e2a\u65b0\u811a\u672c\u628a IP \u5730\u5740\u5217\u8868\uff08\u6765\u81ea gaoyifan/china-operator-ip\uff09\u8f6c\u6362\u6210 networkd \u6240\u4f7f\u7528\u7684\u914d\u7f6e\u6587\u4ef6\u683c\u5f0f\u3002\u4ee3\u7801\u4e0d\u957f\uff1a

    #!/bin/bash\n\nROOT_IP_LIST=/usr/local/network_config/iplist\nROOT_RT=/run/systemd/network\n\ngen_route() {\n  IPLIST=\"$ROOT_IP_LIST/$1\"\n  GW=\"$2\"\n  DEV=\"$3\"\n  # Convert table to number\n  TABLENAME=\"$4\"\n  TABLE=\"$(awk 'substr($0, 1, 1) != \"#\" && $2 == \"'\"$TABLENAME\"'\" { print $1 }' /etc/iproute2/rt_tables | head -1)\"\n  PRIORITY=\"$5\"\n\n  F=\"$ROOT_RT/$DEV.network.d\"\n  mkdir -p \"$F\"\n  F=\"$F/route-${TABLENAME,,}.conf\"\n\n  echo -e \"[RoutingPolicyRule]\\nTable=$TABLE\\nPriority=$PRIORITY\\n\" > \"$F\"\n  awk '{ print \"[Route]\\nDestination=\" $1 \"\\nGateway='\"$GW\"'\\nTable='\"$TABLE\"'\\n\" }' \"$IPLIST\" >> \"$F\"\n}\n\ngen_route ustcnet.txt 202.38.95.126 cernet Ustcnet 5\ngen_route cernet.txt 202.38.95.126 cernet Cernet 6\ngen_route telecom.txt 202.141.160.126 telecom Telecom 6\ngen_route mobile.txt 202.141.176.126 mobile Mobile 6\ngen_route unicom.txt 218.104.71.161 unicom Unicom 6\ngen_route china.txt 218.104.71.161 unicom China 7\n

    \u8fd9\u4e2a\u4ed3\u5e93\u91cc\u6709\u5f88\u591a\u4e2a txt \u6587\u4ef6\uff0c\u6bcf\u4e2a\u6587\u4ef6\u5bf9\u5e94\u4e00\u4e2a ISP \u7684\u5730\u5740\u5217\u8868\uff0c\u6bcf\u884c\u4e00\u4e2a CIDR\u3002\u811a\u672c\u4e2d\u7684 gen_route \u51fd\u6570\u6839\u636e\u53c2\u6570\u8bfb\u53d6\u6587\u4ef6\uff0c\u5e76\u8f6c\u6362\u6210\u4e0b\u9762\u8fd9\u6837\u7684\u683c\u5f0f\uff1a

    [Route]\nDestination=1.0.0.0/24\nGateway=202.38.95.126\nTable=1011\n

    \u8fd9\u6837\u4e00\u4e2a [Route] \u8282\u5bf9\u5e94\u4e00\u6761\u8def\u7531\u89c4\u5219\uff0c\u6574\u4e2a txt \u7684\u8f6c\u6362\u7ed3\u679c\u8f93\u51fa\u5230 /run/systemd/network/cernet.network.d/route-example.conf\u3002\u5176\u4e2d cernet.network.d/*.conf \u7528\u4e8e\u5411\u73b0\u6709\u7684\u914d\u7f6e\u4e2d\u6dfb\u52a0\u5185\u5bb9\uff08\u4e0e systemd service \u7c7b\u4f3c\uff09\uff0c\u800c /run \u76ee\u5f55\uff08\u6309\u7406\u6765\u8bf4\uff09\u91cd\u542f\u4f1a\u6e05\u7a7a\uff0c\u9002\u5408\u653e\u7f6e\u8fd9\u4e9b\u7528\u4e8e\u52a8\u6001\u751f\u6210\u7684\u5185\u5bb9\u3002\u53e6\u5916\u7531\u4e8e\u8def\u7531\u89c4\u5219\uff08ip rule\uff09\u4e5f\u7531 networkd \u7ba1\u7406\u548c\u751f\u6210\u4e86\uff0c\u56e0\u6b64\u6bcf\u4e2a route-xxx.conf \u5f00\u5934\u4f1a\u5305\u542b\u4e00\u4e2a [RoutingPolicyRule] \u8282\u7528\u4e8e\u751f\u6210\u8def\u7531\u8868\u5bf9\u5e94\u7684\u8def\u7531\u89c4\u5219\u3002

    \u6ce8\u610f\u8def\u7531\u8868\u662f\u7528\u540d\u79f0\u6307\u5b9a\u7684\uff0c\u4ece /etc/iproute2/rt_tables \u4e2d\u67e5\u51fa\u5bf9\u5e94\u7684\u6570\u5b57 ID\u3002\u8fd9\u4e2a\u6587\u4ef6\u672c\u6765\u4e5f\u662f ip \u547d\u4ee4\u6240\u4f7f\u7528\u7684\uff08\u6ce8\u610f\u5b83\u7684\u76ee\u5f55\u540d\u53eb iproute2\uff09\u3002

    \u6700\u540e\u7ed9\u8fd9\u4e2a\u811a\u672c\u914d\u4e2a service\uff0c\u8ba9\u5b83\u5728 networkd \u4e4b\u524d\u8fd0\u884c\uff1a

    # WARNING: This is NOT the final configuration file!\n[Unit]\nDescription=Generate routes for systemd-networkd\nBefore=systemd-networkd.service\n\n[Service]\nType=oneshot\nExecStart=/bin/bash /usr/local/network_config/route-all.sh\nRemainAfterExit=true\n\n[Install]\nWantedBy=network.target systemd-networkd.service\nWants=systemd-networkd.service\n

    \u8fd9\u4e2a\u6587\u4ef6\u5b58\u5230 /etc/systemd/system/route-all.service\uff0creload \u518d enable \u5c31\u53ef\u4ee5\u4e86\u3002

    \u6539 systemd-networkd.service \u9700\u8981\u989d\u5916\u6ce8\u610f

    \u8fd9\u4e2a\u81ea\u5e26\u7684\u670d\u52a1\u6709\u4e00\u4e2a User=systemd-networkd\uff0c\u4f60\u65e2\u4e0d\u80fd ip rule \u4e5f\u4e0d\u80fd\u5199\u5165 /run/systemd \u7b49\uff0c\u4f1a\u5bfc\u81f4\u670d\u52a1\u70b8\u6389\uff0c\u7136\u540e\u7f51\u4e5f\u70b8\u4e86\u3002\u3002\u3002

    \u5982\u679c\u8981\u6539 networkd \u670d\u52a1\u64cd\u4f5c ip rule \u7684\u8bdd\uff0c\u9700\u8981\u5728\u547d\u4ee4\u884c\u524d\u9762\u52a0\u4e00\u4e2a + \u8868\u793a\u8be5\u547d\u4ee4\u4e0d\u53d7 User= \u7b49\u6743\u9650\u8bbe\u7f6e\u5f71\u54cd\uff0c\u8be6\u7ec6\u89e3\u91ca\u89c1 systemd.service \u6587\u6863\u3002

    "},{"location":"services/mirrors/4/networking/route/#special-routing","title":"Special routing","text":"

    \u90e8\u5206 IP \u9700\u8981\u914d\u7f6e\u7279\u6b8a\u8def\u7531\u89c4\u5219\u65f6\uff08\u800c\u4e0d\u662f\u4f7f\u7528\u9ed8\u8ba4\uff09\uff0c\u7f16\u8f91 /usr/local/network_config/special.yml\uff0c\u5176\u683c\u5f0f\u5982\u4e0b\uff1a

    routes: # Root key\uff0c\u4fdd\u7559\n  lugvpn: # /etc/systemd/network \u4e2d\u5bf9\u5e94\u7684 .network \u6587\u4ef6\u540d\n    # \u4e0b\u9762\u662f\u4e00\u4e2a\u8def\u7531\u6587\u4ef6\u7684\u914d\u7f6e\uff0c\u4e00\u4e2a\u6587\u4ef6\u5171\u4eab\u4e00\u4e2a table \u548c gateway \u8bbe\u7f6e\n    - name: route-special # \u5c06\u8981\u521b\u5efa\u7684 .conf \u6587\u4ef6\u540d\uff0c\u53ef\u4ee5\u968f\u610f\n      table: Special # \u8def\u7531\u8868\uff0c\u5373 ip route add table \u540e\u9762\u7684\u53c2\u6570\uff0c\u6570\u5b57\u6216\u8868\u540d\n      gateway: false # \u662f\u5426\u5305\u542b\u7f51\u5173\uff0c\u6216\u8005 ip route \u7684 via \u53c2\u6570\n      routes: # \u6240\u6709\u7684\u8def\u7531\u6761\u76ee\n        - 1.2.3.4\n        - 5.6.7.8/28\n        - 2001:db8::2333/64\n\n  cernet: # \u66f4\u591a\u7684\u914d\u7f6e\n    - ...\n

    \u4fee\u6539 special.yml \u4e4b\u540e\u91cd\u542f route-all.service\u3002\u8be5\u670d\u52a1\u4f1a\u81ea\u52a8\u5bfc\u81f4 systemd-networkd.service \u91cd\u542f\u5e76\u8f7d\u5165\u65b0\u7684\u8def\u7531\u914d\u7f6e\u4fe1\u606f\u3002

    special.rb \u5904\u7406\u811a\u672c\uff08\u653e\u5728\u8fd9\u5907\u4efd\uff09
    #!/usr/bin/ruby\n\nrequire 'fileutils'\nrequire 'yaml'\n\nBASEDIR = '/run/systemd/network'\nRT_TABLES = '/etc/iproute2/rt_tables'\n\nrt_tables = Hash.new\nFile.readlines(RT_TABLES).each do |l|\n  next if l =~ /^\\s*#/\n  id, name = l.split\n  rt_tables[name] = id\nend\n\ndata = YAML.load_file File.join(__dir__, 'special.yml')\ndata['routes'].each do |fn, setups|\n  confdir = File.join(BASEDIR, \"#{fn}.network.d\")\n  FileUtils.mkdir_p confdir\n\n  setups.each do |config|\n    table = config['table']\n    gateway = config['gateway']\n    File.open File.join(confdir, \"#{config['name']}.conf\"), 'w' do |f|\n      config['routes'].each do |dst|\n        t = \"[Route]\\nDestination=#{dst}\\n\"\n        t += \"Table=#{rt_tables.fetch table, table}\\n\" if table\n        t += \"Gateway=#{gateway}\\n\" if gateway\n        f.write t + \"\\n\"\n      end\n    end\n  end\nend\n

    route-all.service \u6709\u5f88\u591a\u6ce8\u610f\u4e8b\u9879

    \u4e3a\u4e86\u6e05\u7406\u5f00\u673a\u81ea\u52a8\u4ea7\u751f\u7684 32766 \u548c 32767 \u4e24\u6761\u8def\u7531\u89c4\u5219\uff0c\u6211\u4eec\u540c\u65f6\u4e3a systemd-networkd.service \u6dfb\u52a0\u4e86\u4e24\u4e2a ExecStartPre \u5982\u4e0b\uff1a

    [Service]\nExecStartPre=-+/sbin/ip rule delete from all table main pref 32766\nExecStartPre=-+/sbin/ip rule delete from all table default pref 32767\n

    \u53e6\u9644\u5b8c\u6574\u7684 route-all.service \u6587\u4ef6\uff1a

    [Unit]\nDescription=Generate routes for systemd-networkd\nBefore=systemd-networkd.service\n\n[Service]\nType=oneshot\nExecStart=/bin/bash /usr/local/network_config/route-all.sh\nExecStart=/usr/local/network_config/special.rb\nRemainAfterExit=true\n\n[Install]\nWantedBy=network.target systemd-networkd.service\nWants=systemd-networkd.service\n
    "},{"location":"services/pxe/","title":"PXE","text":"

    \u5bf9\u6821\u56ed\u7f51\u7528\u6237\u4e0e\u6821\u5916\u7528\u6237\u516c\u5f00\u7684 PXE \u670d\u52a1\u3002LIIMS \u4e0e\u76ee\u524d\u7684 PXE \u867d\u7136\u8fd0\u884c\u5728\u540c\u4e00\u53f0\u670d\u52a1\u5668\u4e0a\uff0c\u4f46\u662f\u914d\u7f6e\u6709\u6240\u4e0d\u540c\u3002

    \u672c\u6587\u6863\u9700\u8981\u5927\u5e45\u6269\u5145

    "},{"location":"services/pxe/#intro","title":"Intro","text":"

    https://lug.ustc.edu.cn/wiki/server/pxe/

    https://lug.ustc.edu.cn/planet/2018/10/PXE-intro/

    \u5173\u4e8e FAQ

    https://lug.ustc.edu.cn/wiki/server/pxe/faq/ \u592a\u8001\u4e86\uff0c\u5982\u679c\u6709\u65f6\u95f4\u7684\u8bdd\u5efa\u8bae\u5199\u4e2a\u65b0\u7684\u3002

    \u4e00\u822c\u7684\u542f\u52a8\u6d41\u7a0b\u662f\uff1a

    1. iPXE \u52a0\u8f7d GRUB \u76f8\u5173\u6587\u4ef6\u3002
    2. GRUB \u52a0\u8f7d Linux \u5185\u6838\u4e0e initramfs\u3002
    3. Initramfs \u4ece\u542f\u52a8\u53c2\u6570\u6302\u8f7d NFS \u4e3a rootfs\uff0c\u8fdb\u884c\u4e0b\u4e00\u6b65\u7684\u542f\u52a8\u3002
    "},{"location":"services/pxe/#_1","title":"\u4f7f\u7528/\u8c03\u8bd5","text":"

    PXE \u5728\u6821\u56ed\u7f51\u4e2d\u76f4\u63a5\u53ef\u7528\uff0c\u56e0\u4e3a\u5b66\u6821\u7684 DHCP \u670d\u52a1\u5668\u7ecf\u8fc7\u4e86\u914d\u7f6e\u3002

    \u5982\u679c\u9700\u8981\u5728\u865a\u62df\u673a\u4e2d\u8c03\u8bd5\uff0c\u4e0b\u8f7d IPXE \u7684 ISO\uff08http://boot.ipxe.org/ipxe.iso\uff09\uff0c\u6302\u8f7d\u5728\u865a\u62df\u673a\u4e2d\u6d4b\u8bd5\u3002

    \u63a8\u8350\u4f7f\u7528\u7684\u865a\u62df\u673a\u65b9\u6848

    PXE \u80fd\u591f\u6210\u529f\u8fd0\u884c\u4e0e\u5426\u548c\u865a\u62df\u673a\u73af\u5883\uff08\u7279\u522b\u662f\u865a\u62df\u7f51\u5361\u578b\u53f7\uff09\u9ad8\u5ea6\u76f8\u5173\u3002\u9700\u8981\u627e\u5230\u4e00\u4e2a\u7a33\u5b9a\u7684\u914d\u7f6e\u65b9\u6848\uff08\u6bd4\u5982\u7528 qemu\uff1f\uff09

    \u5176\u4e2d\u4e3b\u8981\u4f7f\u7528\u7684\u662f\u65b0 PXE \u65b9\u6848\uff08pxelinux.0\uff0csimple-pxe\uff09\u3002

    \u8001 PXE \u65b9\u6848\uff08lpxelinux.0\uff09\u76ee\u524d\u4ec5\u7528\u4e8e\u56fe\u4e66\u9986\u67e5\u8be2\u673a\u3002

    "},{"location":"services/pxe/#_2","title":"\u67b6\u6784","text":"

    \u65b0 PXE \u65b9\u6848\u7684 HTTP \u670d\u52a1\u5668\u4e3a Apache\uff08Nginx \u53ef\u80fd\u662f\u4ee5\u524d\u5f03\u7528\u7684\u914d\u7f6e\uff09\u3002URL \u4e2d\u7684 boot2 \u5bf9\u5e94 /nfsroot/pxe

    \u5982\u679c\u51fa\u73b0\u95ee\u9898\u9700\u8981\u8c03\u8bd5\uff0c\u5efa\u8bae\u6293\u5305\uff08\u53ef\u4ee5\u4f7f\u7528 Wireshark\uff09\u770b\u662f\u5426\u6b63\u5e38\u3002

    \u6bcf\u5929\u51cc\u6668\uff0cpxe \u7528\u6237\u7684 crontab \u4efb\u52a1\u4f1a\u6267\u884c https://github.com/ustclug/simple-pxe/blob/master/simple-pxe-in-docker\uff08\u6587\u4ef6\u4f4d\u4e8e pxe \u7528\u6237\u7684 home \u4e2d\uff09\uff0c\u5b9e\u73b0 PXE \u76f8\u5173\u6587\u4ef6\u7684\u66f4\u65b0\u3002

    "},{"location":"services/pxe/#faults","title":"\u6545\u969c","text":"

    pxe \u670d\u52a1\u5668\u5728\u5347\u7ea7\u5230 Debian Bullseye (11) \u540e\u65e0\u6cd5\u6b63\u5e38\u5f00\u673a\uff0c\u7ecf\u8fc7 GRUB \u8fdb\u5165\u5185\u6838\u540e\u6bcf 5 \u79d2\u5237\u51fa\u4ee5\u4e0b\u4fe1\u606f\uff1a

    DMAR: DRHD: handling fault status reg 2\nDMAR: [DMA Read] Request device [03:00.0] PASID ffffffff fault addr cb2f0000 [fault reason 06] PTE Read access is not set\nDMAR: DRHD: handling fault status reg 102\n

    \u7531\u4e8e\u6b64\u65f6\u521a\u5347\u7ea7\u81f3 Debian Bullseye\uff0c\u6240\u4ee5\u7cfb\u7edf\u4ecd\u7136\u4fdd\u7559\u4e86 Debian Buster \u7684 4.19 \u7248\u5185\u6838\u3002\u91cd\u542f\u8fdb\u8be5\u5185\u6838\u53ef\u6b63\u5e38\u542f\u52a8\u5e76\u8fd0\u884c\u670d\u52a1\uff0c\u4f46\u53ea\u8981\u8fdb 5.10 \u7684\u5185\u6838\u5c31\u4f1a\u51fa\u73b0\u4ee5\u4e0a\u9519\u8bef\u3002\u6d4b\u8bd5 Proxmox VE \u63d0\u4f9b\u7684 pve-kernel-5.15 \u4e5f\u662f\u540c\u6837\u95ee\u9898\u3002

    \u641c\u7d22\u53d1\u73b0\u4e3b\u673a\u4f7f\u7528\u7684 RAID \u5361 PERC H310 \u4e0d\u652f\u6301\u76f4\u901a\uff08IOMMU \u865a\u62df\u5316\uff09\uff0c\u914d\u7f6e GRUB \u52a0\u5165 intel_iommu=off \u540e\u53ef\u4ee5\u6b63\u5e38\u8fdb\u5165 5.10 \u7684\u5185\u6838\uff0c\u4f5c\u4e3a\u89e3\u51b3\u65b9\u6848\u3002

    \u8c03\u67e5\u7ed3\u679c

    \u6309\u8bf4 IOMMU\uff08VT-d\uff09\u4e0d\u5e94\u8be5\u9ed8\u8ba4\u542f\u7528\uff0c\u56e0\u6b64\u731c\u6d4b 5.10+ \u7684\u5185\u6838\u4f1a\u4e3b\u52a8\u5c1d\u8bd5\u5f00\u542f IOMMU\uff0c\u5bfc\u81f4 RAID \u5361\u51fa\u9519\u3002

    \u6bd4\u8f83 /boot/config-4.19.0-18-amd64 \u548c /boot/config-5.10.0-11-amd64 \u540e\u53d1\u73b0 5.10 \u7248\u7684 config \u591a\u4e86\u4e00\u884c CONFIG_INTEL_IOMMU_DEFAULT_ON_INTGPU_OFF=y\uff0c\u641c\u7d22\u53d1\u73b0 Debian bug #932086\uff0c\u5373 Debian \u9ed8\u8ba4\u5bf9\u9664\u4e86 Intel GPU \u4ee5\u5916\u7684\u8bbe\u5907\u542f\u7528 IOMMU\uff08linux 5.2.9-2\uff09\u3002

    \u53c2\u8003\u94fe\u63a5\uff1a

    "},{"location":"services/pxe/liims/","title":"LIIMS","text":"

    Short for Libray Independent Inquery Machine System.

    Server: pxe.s.ustclug.org

    Git Repository:

    It is strongly advised to clone liimstrap and read through it when reading this document.

    "},{"location":"services/pxe/liims/#add-machine","title":"\u542f\u52a8\u914d\u7f6e","text":"

    \u914d\u7f6e\u6587\u4ef6\u5728 /home/pxe/tftp/grub/grub.cfg.d\uff0c\u82e5\u8981\u5141\u8bb8\u65b0\u673a\u5668\u542f\u52a8 liims \u955c\u50cf\uff0c\u521b\u5efa\u4e00\u4e2a\u7b26\u53f7\u94fe\u63a5\u5230\u5bf9\u5e94\u7684\u914d\u7f6e\u6587\u4ef6\u3002\u4f8b\u5982\uff1a

    ln -s common_el 02:23:45:67:89:ab\n

    \u76ee\u524d\u6211\u4eec\u901a\u8fc7\u51e0\u4e2a\u7b26\u53f7\u94fe\u63a5\u5c06\u914d\u7f6e\u6587\u4ef6\u201c\u5206\u7ec4\u201d\uff0cMAC \u5730\u5740\u5bf9\u5e94\u7684\u7b26\u53f7\u94fe\u63a5\u5e94\u8be5\u94fe\u63a5\u5230\u8fd9\u4e9b\u5206\u7ec4\u4e0a\u3002\u5df2\u6709\u7684\u5206\u7ec4\u5982\u4e0b\uff1a

    \u9664\u6b64\u4e4b\u5916\uff0c\u8fd8\u9700\u8981\u5728\u67e5\u8be2\u673a\u76d1\u63a7\u7a0b\u5e8f\u4e2d\u6dfb\u52a0\u8be5 MAC \u5730\u5740\uff0c\u89c1\u4e0b\u65b9\u67e5\u8be2\u673a\u76d1\u63a7\u3002

    "},{"location":"services/pxe/liims/#lib-api","title":"\u4e3a\u56fe\u4e66\u9986\u8001\u5e08\u5f00\u653e\u7684\u63a5\u53e3","text":"

    \u56fe\u4e66\u9986\u8001\u5e08\u53ef\u4ee5\u901a\u8fc7 SSH \u767b\u5f55\u673a\u5668\u76f4\u63a5\u521b\u5efa\u6240\u9700\u7684\u7b26\u53f7\u94fe\u63a5\uff08\u4f46\u662f\u8fd8\u9700\u8981\u6211\u4eec\u6765\u6539\u76d1\u63a7\u7a0b\u5e8f\u7684 json\uff09\u3002\u76f8\u5173\u914d\u7f6e\u5982\u4e0b\uff1a

    /etc/sudoers.d/sonnie
    sonnie ALL=(pxe) NOPASSWD: /home/pxe/tftp/grub/grub.cfg.d/add_host.py *\n
    /etc/ssh/sshd_config
    Match User sonnie\n    AllowUsers sonnie\n    PubkeyAuthentication yes\n    AuthorizedKeysFile .ssh/authorized_keys\n

    /etc/nsswitch.conf

    \u628a sudoers \u4e00\u884c\u4e2d\u7684 ldap \u79fb\u5230 files \u524d\u9762\u3002

    \u9ed8\u8ba4\u60c5\u51b5\u4e0b ldap \u5728 files \u540e\u9762\uff0c\u90a3\u4e48\u6765\u81ea LDAP \u7684 sudo rules \u4f1a\u6392\u5728 sudoers \u6587\u4ef6\u4e2d\u7684 rules \u7684\u540e\u9762\uff0c\u800c sudo \u662f\u540e\u9762\u7684\u89c4\u5219\u4f18\u5148\u7ea7\u66f4\u9ad8\uff0c\u4f1a\u5bfc\u81f4\u65e0\u6cd5 NOPASSWD \u8fd0\u884c\u811a\u672c\u3002

    "},{"location":"services/pxe/liims/#_1","title":"\u542f\u52a8\u955c\u50cf","text":"

    \u4f4d\u4e8e /home/pxe/nfsroot/<category>/<name>\uff0c\u5176\u4e2d <name> \u5c31\u662f\u955c\u50cf\u540d\u79f0\uff08\u4f8b\u5982 liims160909\uff09\u3002\u76ee\u524d\u6709\u4e24\u79cd\u90e8\u7f72\u65b9\u5f0f\uff1a\u4e00\u79cd\u662f NFS as rootfs\uff0c\u6587\u4ef6\u5939\u4e2d\u5c31\u662f\u6574\u4e2a rootfs\uff0c\u76f4\u63a5\u4fee\u6539\u8fd9\u91cc\u7684\u6587\u4ef6\uff0c\u673a\u5668\u91cd\u542f\u540e\u5c31\u4f1a\u8f7d\u5165\u3002\uff08\u6ce8\u610f\uff1a\u8986\u76d6\u6587\u4ef6\u53ef\u80fd\u5bfc\u81f4\u5df2\u6709\u7684\u673a\u5668\u8fd0\u884c\u9519\u8bef\uff09

    \u53e6\u4e00\u79cd\u662f\u6253\u5305\u538b\u7f29\u4e3a squashfs\uff0c\u6b64\u65f6\u6587\u4ef6\u5939\u4e0b\u4e09\u4e2a\u6587\u4ef6\u5206\u522b\u4e3a vmlinuz\uff08kernel\uff09, initrd.img \u548c root.sfs\uff08squashfs \u955c\u50cf\uff09\u3002\u5982\u679c\u9700\u8981\u4fee\u6539\uff0c\u53ef\u4ee5\u4f7f\u7528 unsquashfs \u89e3\u538b\u7f29\uff0c\u4fee\u6539\u5b8c\u6210\u540e\u53c2\u8003\u4ed3\u5e93\u4e2d deploy \u6587\u4ef6\u518d\u538b\u7f29\u4e3a squashfs\u3002

    IP \u767d\u540d\u5355\u91c7\u7528 iptables \u5b9e\u73b0\uff0c\u4fee\u6539 rootfs \u4e0b\u7684 etc/iptables/rules.v4 \u548c rules.v6 \u53ef\u4fee\u6539\u7b56\u7565\u3002\u6ce8\u610f\uff1a\u9632\u706b\u5899\u7b56\u7565\u4ec5\u5728\u673a\u5668\u542f\u52a8\u65f6\u4f1a\u8f7d\u5165\u4e00\u6b21\u3002

    "},{"location":"services/pxe/liims/#_2","title":"\u955c\u50cf\u6784\u5efa","text":"

    \u5907\u6ce8

    \u6b64\u8282\u7684\u5185\u5bb9\u4ec5\u9002\u7528\u4e8e 2022 \u4e4b\u524d\u7684\u8001\u7248\u672c\uff0c\u65b0\u7248\u672c\u6709\u5173\u6784\u5efa\u3001\u8c03\u8bd5\u7b49\u5185\u5bb9\u8bf7\u76f4\u63a5\u9605\u8bfb liimstrap \u4ed3\u5e93 README\u3002

    \u4f7f\u7528 liimstrap \u5728 ArchLinux \u4e0b\u8fdb\u884c\u6784\u5efa\uff0cliimstrap \u4f7f\u7528\u65b9\u6cd5\u53c2\u8003\u4ed3\u5e93\u4e2d\u7684\u8bf4\u660e\u3002

    \u6784\u5efa\u540e\u9700\u8981\u63a8\u9001\u5230\u670d\u52a1\u5668\u4e0a\u7684 /nfsroot/liims \u4e0b\uff0c\u5e76\u8bbe\u7f6e /usr \u7684\u6240\u6709\u8005\u4e3a liims\u3002\u673a\u5668\u7684\u9ed8\u8ba4 pxe \u542f\u52a8\u914d\u7f6e\u5728 /home/pxe/tftp/pxelinux.cfg/ \u4e0b

    "},{"location":"services/pxe/liims/#qemu","title":"\u793a\u4f8b qemu \u8c03\u8bd5\u65b9\u6cd5","text":"

    \u521b\u5efa\u5e76\u6302\u8f7d\u4e34\u65f6\u955c\u50cf:

    dd if=/dev/zero of=liims.img bs=4k count=1200000\nmkfs.ext4 liims.img\nmount -o loop liims.img /mnt\n

    \u5047\u8bbe\u5f53\u524d\u8def\u5f84\u4e3a liimstrap\uff0c\u4fee\u6539 initcpio/mkinitcpio.conf\uff0c\u53bb\u6389 HOOKS \u4e2d\u7684 liims_root\uff0c\u589e\u52a0 block\uff08\u4ec5\u8c03\u8bd5\u65f6\u9700\u8981\uff09\u3002 \u4f7f\u7528 liimstrap \u5236\u4f5c\u955c\u50cf ./liimstrap /mnt\u3002\u5b8c\u6210\u540e\u4f7f\u7528 qemu \u6253\u5f00\u8c03\u8bd5:

    qemu -kernel /mnt/boot/vmlinuz-lts\\\n     -initrd /mnt/boot/initramfs-linux-lts.img\\\n     -hda liims.img\\\n     -netdev user,id=mynet0,net=114.214.188.0/24,dhcpstart=114.214.188.9\\\n     -device i82557a,netdev=mynet0\\\n     -append \"root=/dev/sda rootflags=rw\"\n

    \u6ce8\uff1a\u5176\u4e2d netdev \u4e2d\u7684 ip \u6bb5\u53ef\u4ee5\u81ea\u7531\u9009\u53d6\uff0cdevice \u4e2d\u7684\u8bbe\u5907\u540d\u901a\u8fc7 qemu -device \\? \u67e5\u770b\u540e\u9009\u62e9\u4efb\u4e00\u7f51\u7edc\u8bbe\u5907\u5373\u53ef

    "},{"location":"services/pxe/liims/#monitor","title":"\u67e5\u8be2\u673a\u76d1\u63a7","text":"

    http://pxe.ustc.edu.cn:3000/

    2022 \u5e74\u524d\uff0c\u63d0\u4f9b\u670d\u52a1\u7684\u662f\u4e00\u4e2a Docker \u5bb9\u5668\u3002\u5728 iBug \u7528 Go \u91cd\u5199\u4e4b\u540e\uff0c\u76ee\u524d\u76f4\u63a5\u8dd1\u5728 host \u4e0a\u3002

    \u6dfb\u52a0\u65b0\u673a\u5668

    \u4fee\u6539 https://github.com/ustclug/liimstrap/blob/master/monitor/clients.json \u540e\uff0c\u5728 pxe \u4e0a clone \u5e76\u5728\u5f53\u524d\u76ee\u5f55 build\u3002\u4f7f\u7528 docker-run-script \u4e2d\u5bf9\u5e94\u811a\u672c\u6267\u884c\u5bb9\u5668\u5373\u53ef\u3002

    \u4fee\u6539 /etc/liims-monitor/clients.json \u4e4b\u540e systemctl reload liims-monitor.service \u5373\u53ef\u3002

    /etc/liims-monitor/clients.json
    {\n    \"name\": \"\u4e1c\u533a\u4e09\u697c\u4e1c01\",\n    \"mac\": \"0223456789ab\"\n}\n
    "},{"location":"workflow/new-server/","title":"New Server Setup Checklist","text":""},{"location":"workflow/new-server/#ntp-date","title":"NTP Date","text":"

    Install either chrony or systemd-timesyncd. Usually chrony comes pre-installed so it's easily forgot.

    Replace the default NTP pool with USTC's NTP server time.ustc.edu.cn, like this:

    /etc/chrony/chrony.conf
    # Use Debian vendor zone.\n#pool 2.debian.pool.ntp.org iburst\nserver time.ustc.edu.cn iburst\n
    "},{"location":"workflow/new-server/#time-zone","title":"Time zone","text":"

    Run dpkg-reconfigure tzdata and select Asia/Shanghai as the timezone. Reboot the server.

    "},{"location":"workflow/new-server/#use-nft-backend-for-iptables","title":"Use nft-backend for iptables","text":"
    update-alternatives --set iptables /usr/sbin/iptables-nft\nupdate-alternatives --set ip6tables /usr/sbin/ip6tables-nft\n
    "},{"location":"workflow/new-server/#update-resolvconf","title":"Update resolv.conf","text":""},{"location":"workflow/new-server/#install-console-setup","title":"Install console-setup","text":"

    This may have already come with the base system. It's more likely missed if the system is installed from scratch (bootstrapped).

    "},{"location":"workflow/new-vm/","title":"Create new server in LUGi","text":"

    We no longer have a vSphere cluster, so anything mentioning vSphere is left only for references.

    "},{"location":"workflow/new-vm/#create-vm-in-vcenter","title":"Create VM in vCenter","text":"

    vCenter \u5730\u5740\uff1avcenter2.vm.ustclug.org

    \u6309\u7167\u63d0\u793a\u521b\u5efa\u865a\u62df\u673a

    "},{"location":"workflow/new-vm/#install-os-vsphere","title":"Install OS (vSphere)","text":"

    Note

    \u5c06\u7f51\u7edc\u6539\u4e3a cernet\uff0c\u4ee5\u4fbf\u7528 DHCP \u83b7\u5f97 IP \u5730\u5740\uff0c\u7528 PXE \u5b89\u88c5\u7cfb\u7edf\u3002

    \u51e0\u4e2a\u5173\u952e\u914d\u7f6e\uff1a

    "},{"location":"workflow/new-vm/#create-vm-on-proxmox-ve","title":"Create VM on Proxmox VE","text":"

    \u6211\u4eec\u76ee\u524d\u4e0d\u4f7f\u7528 PVE \u8fd0\u884c LXC \u5bb9\u5668\uff0c\u56e0\u6b64\u672c\u6587\u6863\u53ea\u4ecb\u7ecd\u521b\u5efa KVM \u865a\u62df\u673a\u7684\u6b65\u9aa4\u3002\u63a8\u8350\u4f7f\u7528 web \u754c\u9762\u64cd\u4f5c\uff0c\u9664\u975e\u4f60\u9700\u8981\u6279\u91cf\u521b\u5efa\u865a\u62df\u673a\uff08\u6b64\u65f6\u901a\u8fc7 SSH \u767b\u5f55\u540e\u53ef\u4ee5\u4f7f\u7528 qm \u547d\u4ee4\u6279\u5904\u7406\uff09\u3002

    \u767b\u5f55 web \u754c\u9762\uff0c\u70b9\u51fb\u53f3\u4e0a\u89d2\u7684 Create VM\uff0c\u5f39\u51fa\u521b\u5efa\u865a\u62df\u673a\u7684\u5bf9\u8bdd\u6846\u3002

    General

    \u6b63\u786e\u9009\u62e9\u865a\u62df\u673a\u6240\u5728\u7684 Node\uff08\u5373 Host\uff09\uff0c\u5e76\u6307\u5b9a\u4e00\u4e2a VMID\u3002\u76ee\u524d VMID \u7684\u5206\u914d\u65b9\u6848\u662f\u4e1c\u56fe 300-399\uff0cNIC 200-299\uff0c\u5728\u6b64\u57fa\u7840\u4e0a\u9012\u589e\u5373\u53ef\u3002\u7ed9 VM \u8d77\u4e2a\u6613\u4e8e\u8fa8\u8bc6\u7684\u540d\u79f0\uff0c\u4e0d\u8981\u4e0e\u5df2\u6709 VM \u91cd\u590d\u3002Resource Pool \u7559\u7a7a\u5373\u53ef\u3002

    OS

    \u9664\u975e\u4f60\u8981\u4f7f\u7528 iso \u955c\u50cf\u624b\u52a8\u5b89\u88c5\u7cfb\u7edf\uff0c\u5426\u5219\u8bf7\u9009\u62e9\u300cDo not use any media\u300d\u3002\u6b63\u786e\u9009\u62e9 Guest OS \u7684\u7c7b\u578b\u548c\u7248\u672c\u3002

    System

    \u5c06 SCSI Controller \u8bbe\u4e3a VirtIO SCSI\uff08\u6ce8\u610f\u4e0d\u8981\u9009 VirtIO SCSI Single\uff09\uff0c\u52fe\u4e0a Qemu Agent \u9009\u9879\uff0c\u5176\u4ed6\u9009\u9879\u90fd\u9009 Default \u5373\u53ef\u3002

    Disks, CPU, Memory

    \u6309\u9700\u5206\u914d\uff0c\u78c1\u76d8\u5bb9\u91cf\u5efa\u8bae\u63a7\u5236\u5728 10 GB \u4ee5\u5185\uff08\u4ec5\u7cfb\u7edf\u76d8\uff0c\u53ef\u53e6\u52a0\u6570\u636e\u76d8\uff09\uff0c\u5176\u4e2d Disk \u52fe\u9009\u4e0a Discard\uff0cCPU Type \u63a8\u8350\u9009\u62e9 Host\u3002

    Network

    \u6309\u9700\u9009\u62e9\uff0cModel \u9009 VirtIO\uff0c\u7136\u540e\u53d6\u6d88\u52fe\u9009 Firewall\u3002

    \u8bb0\u5f97\u5728\u865a\u62df\u673a\u7684 Options \u91cc\u5c06 Start at boot \u8bbe\u4e3a Yes

    \u5728 Proxmox VE \u4e0a\uff0c\u901a\u8fc7 web \u754c\u9762\u521b\u5efa\u65b0\u865a\u62df\u673a\u540e\uff0c\u53ef\u4ee5\u4f7f\u7528\u666e\u901a\u65b9\u5f0f\u5b89\u88c5\u7cfb\u7edf\uff0c\u4e5f\u53ef\u4ee5\u76f4\u63a5\u5bfc\u5165\u53d1\u884c\u7248\u63d0\u4f9b\u7684\u865a\u62df\u673a\u955c\u50cf\uff08\u9700\u8981\u901a\u8fc7 SSH \u767b\u5f55 Proxmox VE \u6216 NFS \u670d\u52a1\u5668\uff09\u3002

    \u4e0b\u9762\u4ee5 Debian \u4e3a\u4f8b\uff0c\u521b\u5efa\u4e00\u4e2a\u65b0\u865a\u62df\u673a\uff0c\u7136\u540e\u6253\u5f00 https://mirrors.ustc.edu.cn/debian-cdimage/cloud/bullseye/\uff0c\u70b9\u51fb\u6700\u65b0\u7684\u76ee\u5f55\uff08\u51fa\u4e8e\u672a\u77e5\u539f\u56e0 latest \u94fe\u63a5\u662f\u574f\u7684\uff09\uff0c\u590d\u5236 debian-11-genericcloud-amd64-<date>-<rev> \u7684\u94fe\u63a5\uff08\u63a8\u8350\u4f7f\u7528 genericcloud \u800c\u4e0d\u662f generic\uff0c\u5176\u9884\u88c5 linux-image-cloud-amd64\uff0c\u76f8\u6bd4\u4e8e\u201c\u5b8c\u6574\u7248\u201d\u5185\u6838\u7cbe\u7b80\u6389\u4e86\u5927\u90e8\u5206\u7269\u7406\u8bbe\u5907\u7684\u9a71\u52a8\u7a0b\u5e8f\uff0c\u9002\u7528\u4e8e\u865a\u62df\u673a\u73af\u5883\uff09\uff0c\u7136\u540e\u767b\u5f55 Proxmox VE \u6216 vdp\uff08NFS \u670d\u52a1\u5668\uff09\uff0c\u4f7f\u7528\u4ee5\u4e0b\u547d\u4ee4\u76f4\u63a5\u4e0b\u8f7d\u955c\u50cf\u81f3\u865a\u62df\u673a\u78c1\u76d8\uff1a

    # Proxmox VE (ZFS / LVM), use RAW\nwget -O /dev/zvol/rpool/data/vm-<id>-disk-0 https://mirrors.ustc.edu.cn/<...>.raw\nwget -O /dev/<vg>/<lv> https://mirrors.ustc.edu.cn/<...>.raw\n\n# vdp over NFS, use QCOW2\nwget -O /media/vdp/pve/images/<path>.qcow2 https://mirrors.ustc.edu.cn/<...>.qcow2\n

    \u7136\u540e\u5728 web \u754c\u9762\u6307\u5b9a\u865a\u62df\u673a\u7684\u78c1\u76d8\uff08\u5982\u6709\u9700\u8981\uff09\u3002

    "},{"location":"workflow/new-vm/#reset-password","title":"Reset password","text":"

    \u7531\u4e8e Debian \u63d0\u4f9b\u7684 cloud image \u9ed8\u8ba4\u7981\u7528\u4e86 root \u7528\u6237\uff0c\u9700\u8981\u624b\u52a8\u6302\u8f7d\u78c1\u76d8\uff0c\u7f16\u8f91\u78c1\u76d8\u4e2d\u7684 /etc/shadow \u6587\u4ef6\uff0c\u5c06\u7b2c\u4e00\u884c\u7684 root:*:... \u6539\u4e3a root::...\uff08\u5373\u5220\u6389\u661f\u53f7\uff09\u3002\u6ce8\u610f\u4e0d\u8981\u8bef\u6539\u4e3b\u673a\u7684 shadow \u6587\u4ef6\u3002

    Tip

    \u6b64\u6b65\u9aa4\u4e5f\u53ef\u4ee5\u66ff\u6362\u4e3a chroot \u8fdb\u53bb\u540e\u4f7f\u7528 passwd \u4fee\u6539\u6216\u6e05\u7a7a\u5bc6\u7801\u3002\u5982\u679c\u4f60\u4e0d\u591f\u719f\u6089 shadow \u6587\u4ef6\u7684\u683c\u5f0f\uff0c\u8fd9\u6837\u505a\u66f4\u5b89\u5168\u3002

    \u5bf9\u4e8e ZFS \u548c LVM \u5b58\u50a8\u7684\u78c1\u76d8\uff0c\u53ef\u4ee5\u76f4\u63a5\u6302\u8f7d /dev/zvol/<...> \u6216 /dev/<vg>/<lv>\uff08\u4f60\u53ef\u80fd\u9700\u8981\u4f7f\u7528 kpartx \u5de5\u5177\u52a0\u8f7d\u5206\u533a\uff09\u3002\u5bf9\u4e8e Qcow2 \u6587\u4ef6\u7684\u78c1\u76d8\uff0c\u53ef\u4ee5\u53c2\u8003\u8fd9\u4e2a Gist \u4f7f\u7528 qemu-nbd \u5de5\u5177\u6765\u6302\u8f7d\u3002\u5176\u4e2d nbd \u662f Linux \u539f\u751f\u7684\u5185\u6838\u6a21\u5757\uff0c\u53ef\u4ee5\u653e\u5fc3 modprobe\u3002

    \u4f60\u4e5f\u53ef\u4ee5\u5728\u8fd9\u4e00\u6b65\u540c\u65f6\u4fee\u6539\u522b\u7684\u914d\u7f6e\u6587\u4ef6\uff0c\u4f8b\u5982\u628a /etc/apt/sources.list \u6362\u6389\u7b49\u3002\u4fee\u6539\u5b8c\u6210\u540e\u4e0d\u8981\u5fd8\u8bb0 umount\u3002

    "},{"location":"workflow/new-vm/#extra-configurations-for-cloud-images","title":"Extra configurations for cloud images","text":"

    The first two or three boots may hang or end up in kernel panic - this is completely normal. The cloud image will grow the root partition and filesystem to the virtual disk size. After it's all set, purge everything related to cloud-init.

    For better console experiences, install and configure console-setup, and add vga=792 to GRUB_CMDLINE_LINUX in /etc/default/grub. Then run update-grub and reboot.

    "},{"location":"workflow/new-vm/#configure-network","title":"Configure network","text":""},{"location":"workflow/new-vm/#install-software","title":"Install software","text":""},{"location":"workflow/new-vm/#configure-ldap-and-ssh-ca","title":"Configure LDAP and SSH CA","text":"

    \u89c1 LDAP \u670d\u52a1\u4f7f\u7528\u53ca\u914d\u7f6e\u8bf4\u660e \u548c \u4e3a\u670d\u52a1\u5668\u8bbe\u7f6e SSH CA

    "},{"location":"workflow/ldap/add-new-user/","title":"\u5728 LDAP \u4e2d\u6dfb\u52a0\u65b0\u7528\u6237","text":""},{"location":"workflow/ldap/add-new-user/#ldap_1","title":"\u65b0\u5efa LDAP \u7528\u6237","text":"
    1. \u767b\u9646\u7f51\u9875\u754c\u9762
    2. Users > Actions > Create > User
    3. Generic: \u8f93\u5165 Last name\uff0cFirst name\uff0cLogin\uff08\u767b\u5f55\u540d\uff09
    4. POSIX > Generic\uff1a\u8f93\u5165 Home directory\u3002\u4f7f\u7528 Force UID/GID \uff0c\u5177\u4f53\u8bf4\u660e\u8be6\u89c1 LDAP Users \u548c Groups
    "},{"location":"workflow/ldap/add-new-user/#ldap_2","title":"\u6dfb\u52a0 LDAP \u7528\u6237\u6743\u9650","text":"

    POSIX > Group membership > Add\uff1a\u6839\u636e\u9700\u8981\u6dfb\u52a0\u7684\u6743\u9650\u9009\u62e9\u5bf9\u5e94\u7684\u7ec4\uff0c\u5177\u4f53\u8bf4\u660e\u8be6\u89c1 LDAP Users \u548c Groups

    LDAP \u7f13\u5b58

    \u82e5\u53d1\u73b0\u7528\u6237\u65e0\u6cd5\u767b\u9646\u7b49\u60c5\u51b5\uff0c\u53ef\u80fd\u662f\u7f13\u5b58\u670d\u52a1 NSCD \u5bfc\u81f4\u7684\uff0c\u5177\u4f53\u53c2\u8003 LDAP Users \u548c Groups\uff1a

    "},{"location":"workflow/mirrors/maintenance/","title":"\u5f00\u6e90\u8f6f\u4ef6\u955c\u50cf\u7ad9\u7ef4\u62a4\u65b9\u5f0f","text":"

    \u79d1\u5927\u5f00\u6e90\u8f6f\u4ef6\u955c\u50cf\u7ad9\u662f LUG \u6700\u91cd\u8981\u7684\u670d\u52a1\u4e4b\u4e00\uff0c\u56e0\u6b64\u7ef4\u62a4\u64cd\u4f5c\u5fc5\u987b\u8c28\u614e\u3002

    "},{"location":"workflow/mirrors/maintenance/#_2","title":"\u91cd\u542f\u7cfb\u7edf","text":"

    \u7531\u4e8e mirrors \u670d\u52a1\u91cf\u5927\uff0c\u91cd\u542f\u5e94\u63d0\u524d\u5728 LUG \u670d\u52a1\u5668\u65b0\u95fb\u7ad9 \u53d1\u5e03\u516c\u544a\u3002

    "},{"location":"workflow/mirrors/maintenance/#_3","title":"\u5b89\u88c5\u66f4\u65b0","text":""},{"location":"workflow/mirrors/maintenance/#_4","title":"\u666e\u901a\u66f4\u65b0","text":"

    \u591a\u6570\u66f4\u65b0\u53ef\u4ee5\u76f4\u63a5\u4ece apt \u6e90\u5b89\u88c5\uff0c\u4f46\u662f\u90e8\u5206\u8f6f\u4ef6\u5e76\u975e\u6765\u81ea Debian \u5b98\u65b9\u4ed3\u5e93\uff08\u4f8b\u5982 OpenResty\uff09\uff0c\u56e0\u6b64\u66f4\u65b0\u7b56\u7565\u53ef\u80fd\u4e0d\u50cf Debian \u90a3\u4e48\u7a33\u5b9a\u3002\u5982\u679c\u9047\u5230\u63d0\u793a\u914d\u7f6e\u6587\u4ef6\u51b2\u7a81\uff0c\u8bf7\u5c3d\u91cf\u9009\u62e9 3-way merge\uff0c\u5982\u679c\u5931\u8d25\u7684\u8bdd\u53ef\u4ee5\u5148 keep local version\uff0c\u7136\u540e\u624b\u52a8\u89e3\u51b3\u5408\u5e76\u51b2\u7a81\u3002

    "},{"location":"workflow/mirrors/maintenance/#_5","title":"\u5185\u6838\u66f4\u65b0","text":"

    mirrors \u4f7f\u7528\u4e86\u5185\u6838\u6a21\u5757\u63d0\u4f9b\u4e00\u4e9b\u529f\u80fd\u652f\u6301\uff0c\u5982 ZFS\u3002\u56e0\u6b64\u53ea\u8981\u66f4\u65b0\u4e86\u5185\u6838\uff0c\u5c31\u4e00\u5b9a\u8981\u6ce8\u610f\u5185\u6838\u6a21\u5757\u662f\u5426\u5b89\u88c5\u6210\u529f\uff0c\u5982\u679c apt \u5b89\u88c5\u5931\u8d25\u53ef\u4ee5\u624b\u52a8\u8fd0\u884c dkms autoinstall\uff0c\u4ee5\u786e\u4fdd\u65b0\u5185\u6838\u91cd\u542f\u65f6\u80fd\u6b63\u786e\u52a0\u8f7d\u5fc5\u987b\u7684\u5185\u6838\u6a21\u5757\u3002

    "},{"location":"workflow/mirrors/maintenance/#ipmi","title":"IPMI","text":"

    \u5730\u5740\u6682\u65e0\uff0c\u4e00\u822c\u7528\u6d4f\u89c8\u5668\u76f4\u63a5\u8bbf\u95ee\u5c31\u884c\u4e86\u3002\u5982\u679c\u9700\u8981\u63a5\u5165\u7ec8\u7aef\uff0cDashboard \u5de6\u8fb9\u7684 Remote Control \u6709 Launch \u6309\u94ae\u3002\u5982\u679c\u6d4f\u89c8\u5668\u4e0d\u652f\u6301 Java \u5c31\u4f1a\u4e0b\u8f7d\u4e00\u4e2a jviewer.jnlp\uff0c\u81ea\u884c\u89e3\u51b3 Java \u7684\u5b89\u5168\u8b66\u544a\u5373\u53ef\u4f7f\u7528\u3002

    \u5f53\u7136\u5982\u679c\u4f1a\u7528 ipmitool \u66f4\u597d\uff0c\u90a3\u8fd9\u4e00\u6bb5\u7684\u8bf4\u660e\u5c31\u4ea4\u7ed9\u4f60\u6765\u8865\u5145\u4e86 :)

    "},{"location":"workflow/mirrors/maintenance/#ipmitool","title":"ipmitool \u7b80\u4ecb","text":"

    \u5c3d\u7ba1\u51e0\u4e4e\u6211\u4eec\u673a\u5668\u7684 IPMI \u90fd\u6709 Web \u754c\u9762\uff0c\u4f46\u662f Web \u754c\u9762\u4e0d\u4e00\u5b9a\u9760\u8c31\uff0c\u53ef\u80fd\u4f1a\u51fa\u73b0\u6545\u969c\u3002\u6b64\u65f6\uff0c\u6211\u4eec\u53ef\u4ee5\u4f7f\u7528 ipmitool \u91cd\u7f6e IPMI \u7684\u72b6\u6001\uff08\u7cfb\u7edf\u914d\u7f6e\u4e0d\u4f1a\u6539\u53d8\uff09

    \u53c2\u8003\u547d\u4ee4\uff1a

    # \u4e00\u90e8\u5206 IPMI \u7684 interface \u662f lanplus \u800c\u4e0d\u662f lan\uff0c\u6bd4\u5982\u8bf4 mirrors3\nipmitool -I lan -H IPMI\u7684IP -U \u7528\u6237\u540d -a mc reset cold\n

    \u5177\u4f53\u8be6\u60c5\u53ef\u4ee5\u770b ipmitool \u7684 manpage\u3002

    \u53e6\u5916:

    "}]} \ No newline at end of file +{"config":{"lang":["en"],"separator":"[\\s\\-]+","pipeline":["stopWordFilter"]},"docs":[{"location":"","title":"LUG @ USTC Documentation","text":"

    Documentation for LUG @ USTC technical infrastructure.

    "},{"location":"#layout","title":"Layout","text":"

    Our documentation is divided into these sections, as laid out on the left navigation menu:

    "},{"location":"#links","title":"References","text":""},{"location":"faq/dns/","title":"DNS \u57df\u540d\u89e3\u6790\u95ee\u9898","text":""},{"location":"faq/dns/#wrong-dns-result","title":"\u9519\u8bef\u7684\u89e3\u6790\u7ed3\u679c","text":"

    \u6211\u4eec\u7684 DNS \u662f\u5206\u6821\u5185\u5916\u3001\u5206 ISP \u89e3\u6790\u7684\u3002\u6709\u65f6\u5019\u4f1a\u9047\u5230\u6821\u5185\u8bbf\u95ee\u89e3\u6790\u5230\u6821\u5916\uff0c\u53ef\u80fd\u7684\u539f\u56e0\u662f

    /etc/resolv.conf \u987a\u5e8f\u4e0d\u5bf9

    iBug \u5728 2020 \u5e74 5 \u6708 21 \u65e5\u4fee\u4e86 gw-el \u548c mirrors2\uff0c\u8fd9\u4e24\u4e2a\u673a\u5668\u4e0a\u539f\u5148\u6392\u5728\u6700\u524d\u9762\u7684 nameserver \u5c31\u662f 8.8.4.4 \u6216\u8005 1.1.1.1 \u4e4b\u7c7b\u7684

    \u6211\u4eec\u7684\u6743\u5a01\u670d\u52a1\u5668\u4e24\u4e2a\u5728\u6821\u5185\u4e00\u4e2a\u5728\u56fd\u5185\uff0c\u56e0\u6b64\u6821\u5185\u673a\u5668\u5e94\u8be5\u4f18\u5148\u4ece\u6821\u5185\u89e3\u6790\u3002\u628a 202.38.64.1 / 2001:da8:d800::1\uff08\u5b66\u6821\u7684 DNS\uff09\u653e\u6700\u524d\u9762\u80af\u5b9a\u6ca1\u9519

    \u5982\u679c IPv4 \u89e3\u6790\u6b63\u786e\u4f46\u662f IPv6 \u8fd8\u662f\u89e3\u6790\u5230\u6821\u5916\u7684\u8bdd\uff0c

    /etc/resolv.conf \u7f3a\u5c11 IPv6 \u6761\u76ee

    taoky \u5728 2020 \u5e74 5 \u6708 29 \u65e5\u53d1\u73b0\u7684\uff0cmirrors2 \u4e0a\u8bbf\u95ee servers.ustclug.org \u8fd4\u56de Cloudflare \u7684 522 \u9519\u8bef\u9875\u9762\uff08\u6b64\u65f6\u65e5\u672c\u53cd\u4ee3\u6302\u6389\u4e86\uff09\uff0c\u7ecf\u67e5\u5c3d\u7ba1 IPv4 \u6b63\u786e\u89e3\u6790\u5230\u4e86 gw-el \u4e0a\uff0c\u4f46\u662f IPv6 \u8fd8\u662f\u89e3\u6790\u5230\u4e86 Cloudflare \u4e0a\uff0c\u4e14 nslookup \u548c dig \u7b49\u5de5\u5177\u8f93\u51fa\u770b\u8d77\u6765\u90fd\u662f\u5bf9\u7684\u3002

    \u6392\u67e5\u53d1\u73b0 /etc/resolv.conf \u91cc\u6ca1\u6709 IPv6 \u7684\u670d\u52a1\u5668\u6761\u76ee\uff0c\u5728\u9760\u524d\u7684\u4f4d\u7f6e\u63d2\u5165 nameserver 2001:da8:d800::1 \u540e\u89e3\u51b3\u3002

    \u624b\u52a8\u6e05\u7a7a\u672c\u673a\u7684 DNS \u7f13\u5b58\uff1anscd -i hosts

    \u6709\u65f6\u5019\u53ef\u80fd\u4f1a\u5728 DNS \u66f4\u65b0\u540e\u968f\u673a\u89e3\u6790\u51fa\u65b0\u65e7\u7ed3\u679c\uff0c\u53ef\u80fd\u7684\u539f\u56e0\u662f

    ns-a \u6ca1\u66f4\u65b0

    ns-a \u673a\u5668\u6bd4\u8f83\u8001\u65e7\uff0c\u7f51\u7edc\u53ef\u80fd\u4e0d\u987a\u7545\uff0c\u624b\u52a8\u628a ns-a \u66f4\u65b0\u4e00\u4e0b\u5c31\u884c\u4e86\uff08

    "},{"location":"faq/docker/","title":"Docker \u76f8\u5173\u95ee\u9898","text":""},{"location":"faq/docker/#debian-11-aufs","title":"Debian 11 \u4e2d\u4e0d\u518d\u652f\u6301 aufs","text":"

    \u4ece Debian 10 \u5347\u7ea7\u5230 Debian 11 \u65f6\uff0caufs-dkms \u4e0d\u518d\u5305\u542b\u5728\u65b0\u5185\u6838\u4e2d\uff1a

    aufs-dkms \u8f6f\u4ef6\u5305\u5c06\u4e0d\u4f5c\u4e3a bullseye \u7684\u4e00\u90e8\u5206\u51fa\u73b0\u3002\u5927\u591a\u6570 aufs-dkms \u7528\u6237\u5e94\u5f53\u5207\u6362\u81f3 overlayfs\uff0c\u540e\u8005\u63d0\u4f9b\u4e86\u76f8\u4f3c\u7684\u529f\u80fd\u4e14\u5177\u6709\u5185\u6838\u7684\u652f\u6301\u3002\u7136\u800c\uff0c\u67d0\u4e9b Debian \u5b89\u88c5\u5b9e\u4f8b\u53ef\u80fd\u4f7f\u7528\u4e86\u4e0d\u517c\u5bb9 overlayfs \u7684\u6587\u4ef6\u7cfb\u7edf\uff0c\u5982\u4e0d\u5e26\u6709 d_type \u7684 xfs\u3002\u6211\u4eec\u5efa\u8bae\u9700\u8981\u4f7f\u7528 aufs-dkms \u7684\u7528\u6237\u5728\u5347\u7ea7\u81f3 bullseye \u4e4b\u524d\u5148\u8fdb\u884c\u8fc1\u79fb\u3002

    (https://www.debian.org/releases/bullseye/amd64/release-notes/ch-information.zh-cn.html)

    \u5bf9\u4e8e\u8001\u673a\u5668\u6765\u8bf4\u9700\u8981\u63d0\u524d\u786e\u8ba4 Docker \u7684 storage driver\uff1a

    $ sudo docker info\n// ...\nServer:\n // ...\n Storage Driver: overlay2\n  Backing Filesystem: extfs\n  Supports d_type: true\n  Native Overlay Diff: true\n  userxattr: false\n

    \u8fd9\u91cc\u5982\u679c\u662f overlay2 \u90a3\u4e48\u5c31\u6ca1\u95ee\u9898\uff0c\u5982\u679c\u662f aufs \u7684\u8bdd\u5c31\u9700\u8981\u63d0\u524d\u786e\u8ba4\uff0c\u56e0\u4e3a\u5207\u6362\u5230 overlay2 \u4e4b\u540e\u73b0\u6709\u7684\u5bb9\u5668\u548c\u5bb9\u5668\u955c\u50cf\u90fd\u4f1a\u4e22\u5931\uff0c\u9700\u8981\u91cd\u65b0\u521b\u5efa\u3002\u6240\u4ee5\u9700\u8981\u786e\u4fdd\u5bb9\u5668\uff08container\uff09\u548c\u955c\u50cf\uff08image\uff09\u662f\u53ef\u590d\u73b0\u7684\u3002

    \u5728\u5347\u7ea7\u7cfb\u7edf\u540e\uff0c\u7f16\u8f91 /etc/docker/daemon.json\uff0c\u52a0\u4e0a\uff1a

    \"storage-driver\": \"overlay2\"\n

    \u7136\u540e\u542f\u52a8 docker\uff0c\u91cd\u65b0\u521b\u5efa\u5bb9\u5668\u3002

    "},{"location":"faq/ldap/","title":"LDAP \u5957\u4ef6\u95ee\u9898","text":""},{"location":"faq/ldap/#gosa","title":"GOsa \u95ee\u9898","text":"

    User \u754c\u9762\u6253\u5f00\u65f6\u62a5\u9519

    \u5982\u679c\u5728 GOsa \u4e2d\u521b\u5efa\u4e86\u4e00\u4e2a\u65b0\u7528\u6237\uff0c\u5374\u6ca1\u6709\u5728\u6700\u540e\u4e3a\u4ed6\u8bbe\u7f6e\u5bc6\u7801\uff0c\u5c31\u4f1a\u51fa\u73b0\u6b64\u95ee\u9898\uff0c\u6253\u5f00 User \u754c\u9762\u540e\u4f1a\u6709\u62a5\u9519\uff1a

    Fatal error: Uncaught ArgumentCountError: Too few arguments to function userManagement::filterLockLabel(), 0 passed in /usr/share/gosa/include/class_listing.inc on line 856 and exactly 1 expected in /usr/share/gosa/plugins/admin/users/class_userManagement.inc:856\nStack trace:\n#0 /usr/share/gosa/include/class_listing.inc(856): userManagement::filterLockLabel()\n#1 /usr/share/gosa/include/class_listing.inc(980): listing->processElementFilter('%{filter:lockLa...', Array, 50)\n#2 /usr/share/gosa/include/class_listing.inc(853): listing->filterActions('cn=...,ou=...', 50, Array)\n#3 /usr/share/gosa/include/class_listing.inc(764): listing->processElementFilter('%{filter:action...', Array, 50)\n#4 /usr/share/gosa/include/class_listing.inc(407): listing->renderCell('%{filter:action...', Array, 50)\n#5 /usr/share/gosa/include/class_management.inc(233): listing->render()\n#6 /usr/share/gosa/include/class_management.inc(222): management->renderList()\n#7 /usr/share/gosa/plugins/admin/users/main.inc(44): management->execute()\n#8 /usr/sh in /usr/share/gosa/plugins/admin/users/class_userManagement.inc on line 856\n

    \u8fd9\u662f\u56e0\u4e3a GOsa \u65e0\u6cd5\u8bfb\u53d6\u5230\u7528\u6237\u5bc6\u7801\u7684 Hash\uff0c\u800c LDAP \u5374\u5141\u8bb8\u7528\u6237\u6ca1\u6709\u5bc6\u7801\u3002 \u53ea\u9700\u4e3a\u65b0\u7684\u7528\u6237\u8bbe\u7f6e\u5bc6\u7801\u6216\u5220\u9664\u65b0\u7684\u7528\u6237\u5373\u53ef\u3002

    "},{"location":"faq/ldap/#slapd","title":"Slapd","text":"

    Slapd \u662f openldap \u7684\u670d\u52a1\u7aef daemon\u3002\u6b63\u5e38\u60c5\u51b5\u4e0b\u4e0d\u9700\u8981\u78b0\uff0c\u4f46\u662f\u5982\u679c\u8981\u78b0\u7684\u65f6\u5019\uff0c\u4f60\u4f1a\u53d1\u73b0\u5b83\u7684\u914d\u7f6e\u6781\u5176\u590d\u6742\u9ebb\u70e6\u3002

    \u4fee\u6539\u524d\u4e00\u5b9a\u8981\u5148\u6253\u865a\u62df\u673a\u5feb\u7167\uff01\uff01\uff01

    \u5c0f\u5fc3\u5ef6\u6bd5

    "},{"location":"faq/ldap/#migrate-hdb-to-mdb","title":"Migrate hdb to mdb","text":"

    slapd-hdb \u5728 Debian 11 \u5373\u5c06\u88ab deprecate\uff0c\u6240\u4ee5\u5728 2021/08/15 \u7ec4\u7ec7\u4e86\u4e00\u6b21 migrate\u3002

    \u7f51\u4e0a\u8d44\u6599\u5f88\u5c11\uff0c\u53c2\u8003\u4e86\uff1a

    1. https://github.com/osixia/docker-openldap/issues/97
    2. https://gist.github.com/wenzhixin/4705697206cdbf61bc88

    \u6b65\u9aa4\uff1a

    1. \u865a\u62df\u673a\u5feb\u7167\u6253\u597d\u3002
    2. \u5907\u4efd\u6570\u636e\u5e93\uff1aslapcat -v -l dump.ldif
    3. \u5907\u4efd /etc/ldap \u4ee5\u53ca /var/lib/ldap
    4. \u628a /etc/ldap/slapd.d \u4ee5\u53ca /var/lib/ldap \u5220\u6389\uff08\u6216\u8005\u6539\u540d\uff09
    5. \u8fd0\u884c dpkg-reconfigure slapd
    6. \u521b\u5efa /tmp/ldapconvert \u76ee\u5f55\uff0c\u8fd0\u884c slaptest -f /etc/ldap/convert.conf -F /tmp/ldapconvert
    7. \u6e05\u7a7a /etc/ldap/slapd.d/cn=config/cn=schema/ \u4e0b\u7684\u6587\u4ef6\uff0c\u5c06 /tmp/ldapconvert/slapd.d/cn=config/cn=schema/ \u4e0b\u7684\u6587\u4ef6\u590d\u5236\u5230 /etc/ldap/slapd.d/cn=config/cn=schema/ \u5c06 slapd.d \u5907\u4efd\u4e2d cn=config/cn=schema/ \u7684\u6587\u4ef6\u590d\u5236\u5230\u65b0\u7684 slapd.d \u5bf9\u5e94\u7684\u76ee\u5f55\u4e0b\uff0c\u5e76\u4e14\u4fee\u6539 owner \u4e3a openldap:openldap
    8. \u91cd\u542f slapd\uff0c\u5982\u679c\u542f\u52a8\u5931\u8d25\uff0c\u770b systemctl status slapd \u7684\u65e5\u5fd7\u8f93\u51fa debug\u3002
    9. \u6062\u590d\u6570\u636e\u5e93\uff1aslapadd -l dump.ldif\u3002\u6ce8\u610f\uff0cmdb \u6ca1\u6709\u4e8b\u52a1\uff01\u5982\u679c\u4e2d\u95f4\u51fa\u9519\u4e86\uff0c\u6392\u67e5\u95ee\u9898\u540e\uff0c\u6e05\u7a7a /var/lib/ldap\uff0c\u91cd\u542f slapd \u91cd\u6765\u3002

    \u6062\u590d\u6210\u529f\u540e\uff0c\u6709\u4e9b\u914d\u7f6e\u9700\u8981\u624b\u52a8\u8bbe\u7f6e\uff1a

    1. TLS/SSL

      # ldapmodify -H ldapi:/// -Y EXTERNAL << EOF\n> dn: cn=config\n> changetype: modify\n> replace: olcTLSCertificateFile\n> olcTLSCertificateFile: /etc/ldap/ssl/slapd-server.crt\n> -\n> replace: olcTLSCACertificateFile\n> olcTLSCACertificateFile: /etc/ldap/ssl/slapd-ca-cert.pem\n> -\n> replace: olcTLSCertificateKeyFile\n> olcTLSCertificateKeyFile: /etc/ldap/ssl/slapd-server.key\n>\n> EOF\n
    2. \u52a0\u8f7d pw-sha2.la\uff08\u82e5\u4f7f\u7528 ssha512/256 \u5219\u9700\u8981\u52a0\u8f7d\uff09

      # ldapmodify -H ldapi:/// -Y EXTERNAL << EOF\n> dn: cn=module,cn=config\n> cn: module\n> objectClass: olcModuleList\n> olcModulePath: /usr/lib/ldap/\n> olcModuleLoad: pw-sha2.la\n>\n> EOF\n
    3. \u4e3a sudoUser \u8bbe\u7f6e index

      # ldapadd -Y EXTERNAL -H ldapi:/// << EOF\n> dn: olcDatabase={1}mdb,cn=config\n> changetype: modify\n> add: olcDbIndex\n> olcDbIndex: sudoUser eq,sub\n>\n> EOF\n
    4. \u66f4\u6539\u9ed8\u8ba4\u5bc6\u7801\u5b58\u50a8\u9009\u9879\uff08\u53ef\u9009\uff09

      \u66f4\u6539\u4e3a crypt/yescrypt

      # ldapmodify -Y EXTERNAL -H ldapi:/// << EOF\n> dn: olcDatabase={-1}frontend,cn=config\n> add: olcPasswordHash\n> olcPasswordHash: {CRYPT}\n> \n> dn: cn=config\n> add: olcPasswordCryptSaltFormat\n> olcPasswordCryptSaltFormat: $y$j9T$%s\n

      \u66f4\u6539\u4e3a ssha512\uff08\u9700\u8981 pw-sha2.la\uff0c\u4e5f\u53ef\u53c2\u7167\u4e0a\u8ff0 yescrypt \u7684\u914d\u7f6e\u66f4\u6539\u4e3a crypt/ssha512\uff09

      # ldapmodify -Y EXTERNAL -H ldapi:/// << EOF\n> dn: olcDatabase={-1}frontend,cn=config\n> add: olcPasswordHash\n> olcPasswordHash: {SSHA512}\n

      \u5982\u679c\u62a5\u9519\u5df2\u7ecf\u5b58\u5728\uff0c\u53ef\u4ee5\u7528 replace \u9009\u9879\uff0c\u4ee5 crypt/yescrypt \u4e3a\u4f8b\uff1a

      # ldapmodify -Y EXTERNAL -H ldapi:/// << EOF\n> dn: olcDatabase={-1}frontend,cn=config\n> changetype: modify\n> replace: olcPasswordHash\n> olcPasswordHash: {CRYPT}\n> \n> dn: cn=config\n> changetype: modify\n> replace: olcPasswordCryptSaltFormat\n> olcPasswordCryptSaltFormat: $y$j9T$%s\n

      \u6ce8\u610f\u5728\u4f7f\u7528\u4e0a\u8ff0 hash \u65b9\u5f0f\u7684\u65f6\u5019\u8fdb\u5165 gosa \u7528\u6237\u9875\u9762\u65f6\u53ef\u80fd\u4f1a\u62a5\u9519 Cannot find a suitable password method for the current hash

    "},{"location":"faq/nginx/","title":"Nginx \u76f8\u5173\u914d\u7f6e","text":""},{"location":"faq/nginx/#git-host-specific","title":"\u4f7f\u7528 Git \u540c\u6b65\u914d\u7f6e\uff0c\u4f46\u9700\u8981 host-specific \u7684\u914d\u7f6e","text":"
    1. Nginx \u81ea\u5e26\u4e00\u4e2a\u53d8\u91cf $hostname \u53ef\u4ee5\u5728\u5408\u9002\u7684\u5730\u65b9\u7528\u6765 if \u6216\u8005 map\uff0c\u4f46\u662f\u5728\u8fd9\u4e2a\u529e\u6cd5\u4e0d\u9876\u7528\u7684\u65f6\u5019\uff08\u4f8b\u5982\uff0cresolver \u4e0d\u652f\u6301\u53d8\u91cf\uff09\u5c31\u53ea\u80fd\u7528\u4e0b\u9762\u8fd9\u4e2a\u7b28\u529e\u6cd5\u4e86\u3002
    2. \u628a\u9700\u8981 host-specific \u7684\u90a3\u4e2a\u6587\u4ef6\u52a0\u5165 .gitignore\uff0c\u7136\u540e\u5728\u5408\u9002\u7684\u4f4d\u7f6e\u7559\u4e0b\u4e00\u4e2a README\u3002
    "},{"location":"faq/nginx/#_1","title":"\u6587\u4ef6\u6253\u5f00\u6570\u5927\u5c0f\u9650\u5236","text":"

    \u5728\u9ed8\u8ba4\u8bbe\u7f6e\u4e2d\uff0cnginx \u7684\u6700\u5927\u6587\u4ef6\u6253\u5f00\u6570\u4e0a\u9650\u5e76\u4e0d\u5927\u3002\u5f53\u6709\u5927\u91cf\u8bbf\u95ee\u65f6\uff0c\u6587\u4ef6\u6253\u5f00\u6570\u53ef\u80fd\u4f1a\u8d85\u8fc7\u9650\u989d\uff0c\u5bfc\u81f4\u7f51\u7ad9\u54cd\u5e94\u7f13\u6162\u3002\u5728\u65b0\u914d\u7f6e\u670d\u52a1\u5668\u65f6\uff0c\u8fd9\u4e00\u9879\u8bbe\u7f6e\u5f88\u5bb9\u6613\u88ab\u5ffd\u7565\u6389\u3002

    \u89e3\u51b3\u65b9\u6cd5\uff1a

    1. sudo systemctl edit nginx.service\uff08\u90e8\u5206\u673a\u5668\u4e0a\u7684\u670d\u52a1\u540d\u53ef\u80fd\u4e3a openresty.service\uff09
    2. \u5728\u6253\u5f00\u7684 override \u6587\u4ef6\u7684 [Service] \u4e0b\u65b9\u6dfb\u52a0 LimitNOFILE=524288\uff08\u89c6\u60c5\u51b5\u8fd9\u4e2a\u503c\u53ef\u4ee5\u76f8\u5e94\u8c03\u6574\uff09
    "},{"location":"faq/nginx/#gateway-tmpmem","title":"\u5173\u4e8e gateway \u914d\u7f6e\u4e2d\u7684 /tmp/mem \u8def\u5f84","text":"

    \u66f4\u65b0

    \u6211\u4eec\u5df2\u4e0d\u518d\u5728 nginx.conf \u91cc\u4f7f\u7528 /tmp/mem \u4e86\uff0c\u4ee5\u4e0b\u5185\u5bb9\u4ec5\u4f5c\u5b58\u6863\u3002

    \u9519\u8bef\u8868\u73b0\u662f systemctl start nginx.service \u5931\u8d25\uff0c\u4f7f\u7528 status \u6216 journalctl \u53ef\u4ee5\u770b\u5230\u4ee5\u4e0b\u4fe1\u606f\uff1a

    [emerg] mkdir() \"/tmp/mem/nginx_temp\" failed (2: No such file or directory)\n

    \u8fd9\u662f\u56e0\u4e3a\u6211\u4eec\u7684 nginx.conf \u4e2d\u94a6\u70b9\u4e86 proxy_temp /tmp/mem/nginx_temp\uff0c\u800c /tmp/mem \u662f\u6211\u4eec\u81ea\u5df1\u5efa\u7684\u4e00\u4e2a tmpfs \u6302\u8f7d\u70b9\uff0c\u5b83\u4e0d\u662f\u4efb\u4f55\u53d1\u884c\u7248\u7684\u9ed8\u8ba4\u914d\u7f6e\uff0c\u6240\u4ee5\u65b0\u88c5\u7684\u7cfb\u7edf\u5982\u679c\u76f4\u63a5 pull \u4e86\u8fd9\u4efd nginx config \u5c31\u4f1a\u62a5\u4ee5\u4e0a\u9519\u8bef\u3002

    \uff08\u4f7f\u7528 /tmp/mem \u7684\u539f\u56e0\u662f\uff0c\u7531\u4e8e nginx \u53cd\u4ee3\u9700\u8981\u9891\u7e41\u8bfb\u5199\u4e34\u65f6\u6587\u4ef6\uff0c\u4e3a\u4e86\u51cf\u5c11\u78c1\u76d8 IO \u5360\u7528\uff0c\u6545\u5c06\u5176\u4e34\u65f6\u6587\u4ef6\u653e\u5165\u5185\u5b58\u4e2d\uff09

    \u6b63\u786e\u7684\u89e3\u51b3\u65b9\u6cd5\u662f\u8865\u4e0a\u5bf9\u5e94\u7684 fstab \u884c\uff1a

    tmpfs   /tmp/mem    tmpfs   0   0\n

    \u5982\u679c\u521b\u5efa/\u6302\u8f7d\u4e86 /tmp/mem \u540e\uff0c\u542f\u52a8\u4ecd\u7136\u51fa\u9519\uff0c\u5219\u9700\u8981\u68c0\u67e5 openresty.service/nginx.service \u6587\u4ef6\u4e2d\u662f\u5426\u5305\u542b PrivateTmp=yes\u3002\u5982\u679c\u5305\u542b\uff0c\u5219\u9700\u8981 systemctl edit\uff0c\u5c06\u6b64\u9879\u8bbe\u7f6e\u4e3a false\u3002

    fstab \u4e0e systemd

    \u8c03\u6574 fstab \u4e4b\u540e\uff0c\u9700\u8981\u6267\u884c systemctl daemon-reload\uff0c\u5426\u5219 systemd \u53ef\u80fd\u4f1a\u5728\u7b2c\u4e8c\u65e5\u51cc\u6668\u6302\u8f7d\u5df2\u88ab\u6ce8\u91ca\u7684\u78c1\u76d8\u9879\u3002

    "},{"location":"faq/systemd-timer/","title":"Systemd-timer \u53c2\u8003\u6a21\u677f","text":"

    Systemd-timer \u4f5c\u4e3a crontab \u7684\u66ff\u4ee3\u54c1\uff0c\u6709\u4e00\u7cfb\u5217\u7684\u4f18\u70b9\uff1a

    \u5f53\u7136\u76f8\u6bd4\u4e8e crontab\uff0c\u7f3a\u70b9\u4e5f\u5f88\u660e\u663e\uff1a

    \u6240\u4ee5\u4ee5\u4e0b\u7ed9\u51fa\u4e00\u4e2a\u6a21\u677f\uff0c\u65b9\u4fbf\u5728\u521b\u5efa\u65b0\u5b9a\u65f6\u4efb\u52a1\u7684\u65f6\u5019\u4f7f\u7528\u3002\u8fd9\u91cc\u7684\u4f8b\u5b50\u662f mirrors2 \u4ece mirrors4 \u83b7\u53d6\u538b\u7f29\u540e\u7684\u65e5\u5fd7\u3002\u4ee5\u4e0b\u6587\u4ef6\u5747\u653e\u5728 /etc/systemd/system\u3002

    m4log.service
    [Unit]\nDescription=Mirrors4 log backup\nDocumentation=man:rsync(1)\nAfter=network.target\nStartLimitIntervalSec=0\n\n[Service]\nType=simple\nUser=mirror\nGroup=mirror\nExecStart=rsync -rltpv --include=*/ --include=*.xz --exclude=* m4log:/ /var/m4log/\nRestart=on-failure\nRestartSec=3\n
    m4log.timer
    [Unit]\nDescription=Mirrors4 log backup timer\nDocumentation=man:rsync(1)\nAfter=network.target\nStartLimitIntervalSec=0\n\n[Timer]\nOnCalendar=*-*-* 7:13:00\nRandomizedDelaySec=60s\nPersistent=true\nUnit=m4log.service\n\n[Install]\nWantedBy=timer.target\n

    \u5173\u4e8e OnCalendar \u7684\u89e6\u53d1\u65f6\u95f4\uff0c\u53ef\u4ee5\u53c2\u8003 systemd \u7684 Calendar Events \u8bf4\u660e\uff0c\u5e76\u7528 systemd-analyze calendar \u6765\u68c0\u9a8c\u6b63\u786e\u6027\uff0c\u4e5f\u53ef\u4ee5\u7528 systemctl list-timers \u89c2\u5bdf Timer \u4e0b\u6b21\u89e6\u53d1\u7684\u65f6\u95f4\u662f\u5426\u7b26\u5408\u9884\u671f\u3002

    \u4e0b\u9762\u662f\u4e00\u4e9b\u5e38\u7528\u547d\u4ee4\uff1a

    "},{"location":"faq/vm/","title":"\u865a\u62df\u5316\u76f8\u5173","text":""},{"location":"faq/vm/#_2","title":"\u6269\u76d8","text":"

    \u6269\u5927\u865a\u62df\u78c1\u76d8\u7684\u5927\u5c0f\u540e\uff0c\u53ef\u4ee5\u91c7\u7528\u4ee5\u4e0b\u76f8\u5bf9\u7b80\u5355\u7684\u65b9\u5f0f\u6269\u5c55\u5206\u533a\u5927\u5c0f\uff1a

    \u8bf7\u786e\u4fdd\u7406\u89e3\u547d\u4ee4\u540e\u518d\u6267\u884c

    $ # \u5b89\u88c5 growpart\n$ sudo apt install cloud-guest-utils\n$ # \u6269\u5c55 /dev/sdb1\n$ sudo growpart /dev/sdb 1\n$ # \u73b0\u5728\u5206\u533a\u8868\u4ee5\u53ca\u5206\u533a\u6269\u5c55\u4e86\uff0c\u4f46\u662f\u5206\u533a\u91cc\u9762\u7684\u6587\u4ef6\u7cfb\u7edf\u7684\u5927\u5c0f\u8fd8\u6ca1\u6709\u6269\u5c55\n$ # \u4ee5 ext4 \u4e3a\u4f8b\n$ sudo resize2fs /dev/sdb1\n
    "},{"location":"infrastructure/auth-dns/","title":"Authoritative DNS","text":"

    Services (Servers):

    "},{"location":"infrastructure/auth-dns/#deploy","title":"Deploy","text":"

    The bind configuration repository is only visible to admins because private key is included.

    # copy the ssh key https://github.com/ustclug/auth-dns/blob/master/git_pull_key\n# to ~/.ssh/id_ed25519\n\n# now get the conf\ngit clone git@github.com:ustclug/auth-dns.git /var/lib/bind\n\n# delete the ssh key\nrm ~/.ssh/id_ed25519\n
    docker run --restart=always -v /var/lib/bind/:/etc/bind \\\n       --net host -it -d --name=auth-dns zhusj/bind9\n
    "},{"location":"infrastructure/auth-dns/#update-dns-record","title":"Update DNS Record","text":"

    Just commit your changes to the configuration repository. More details can be found in the repository.

    "},{"location":"infrastructure/auth-dns/#webhook","title":"Webhook","text":"

    Please add a webhook in the configuration repository, so that the DNS record can be automatically updated when commits are pushed.

    The webhook endpoint is http://<server_ip>:9000/hooks/bind, see https://github.com/ustclug/auth-dns/settings/hooks for examples.

    "},{"location":"infrastructure/dockerhub/","title":"Docker Hub","text":""},{"location":"infrastructure/dockerhub/#dsos","title":"Docker-Sponsored Open-Source program (DSOS) application","text":"Item Reference response First Name Jiawei (Use your own name) Last Name Fu (Use your own name) Email Address redacted (Use your own email address) Role Tech Lead (or anything that makes sense) Company or Organization Name Linux User Group of University of Science and Technology of China Country (Select) China What is the name of your project? Various: USTC Open Source Software Mirror, USTC Network Boot Service, etc. Please link the public repository of your OSS organization (github, gitlab, etc.) https://github.com/ustclug Please provide a link to your project website. https://lug.ustc.edu.cn/ Enter your user Docker ID (aka username). ibugone (Use your own Docker ID) Do you have an existing Organization? (Select) Yes Enter the existing Docker ID for your organization on Docker Hub. ustclug What is the goal of this project? Ease the use of many Linux distros and open-source software, as well as advocate the spirit of Free Software What types of user(s) benefit from this project? Linux users and developers in mainland China What is the code distribution license for your OSS project? (Select) MIT License To what industry does your project or organization belong? (Select) Academic/research To what industry does your project or organization belong? 6 (Adjust as needed) Please list all sponsors for this project (patreon and other microdonations can be listed as one). USTC Network Information Center, USTC Library Does this project have a pathway to commercialization? ... (Select) No If approved, do you agree to the ...? (Tick the checkbox) Press Submit"},{"location":"infrastructure/dockerhub/#notes","title":"Notes","text":"

    The first application on October 25, 2023 was declined with the following reason (emphasis mine):

    During our review of your application for Various (USTC Open Source Soft[sic], we determined that while your project meets most of the program requirements, there is a lack of documentation in one or more of your repositories on Docker Hub.

    Before resubmitting the application, I deleted a few obsolete repositories and filled in the \"Repository overview\" for the rest, asking ChatGPT to produce it when needed. Afterwards, the second submission was approved in just 3 hours.

    "},{"location":"infrastructure/github/","title":"GitHub Organization","text":"

    ustclug @ GitHub

    "},{"location":"infrastructure/github/#github-actions","title":"GitHub Actions","text":"

    GitHub Actions \u5bf9\u516c\u5f00\u4ed3\u5e93\u514d\u8d39\uff0c\u5bf9\u79c1\u6709\u4ed3\u5e93\u6bcf\u6708\u6709 3000 \u5206\u949f\u7684\u9650\u989d\uff08\u6ce8\uff1a\u6211\u4eec\u662f\u5b66\u6821\u5e2e\u5fd9\u7533\u8bf7\u7684 GitHub Education\uff0c\u6240\u4ee5\u6211\u4eec\u5728\u529f\u80fd\u4e0a\u76f8\u5f53\u4e8e\u4ed8\u8d39\u7684 GitHub Team\uff09\u3002\u76ee\u524d\u6211\u4eec\u6709\u591a\u4e2a\u9879\u76ee\u4f7f\u7528 GitHub Actions \u90e8\u7f72\uff0c\u4f8b\u5982 Linux 101 \u7684\u8bb2\u4e49\u3002

    \u6211\u4eec\u66fe\u7ecf\u4f7f\u7528 Travis CI\uff08\u73b0\u5728\u4e5f\u5728\u90e8\u5206\u516c\u5f00\u4ed3\u5e93\u4e2d\u4f7f\u7528\uff09\uff0c\u56e0\u4e3a\uff08\u4e0d\u4f1a\u5b9a\u671f\u91cd\u7f6e\u7684\uff09\u6570\u91cf\u9650\u5236\u800c\u5c06\u79c1\u6709\u4ed3\u5e93\u5168\u90e8\u8fc1\u51fa\uff0c\u8ba8\u8bba\u89c1 Discussion #308.

    "},{"location":"infrastructure/github/#2fa","title":"\u4e24\u6b65\u8ba4\u8bc1\uff082FA\uff09","text":"

    \u6211\u4eec\u5f3a\u70c8\u5efa\u8bae\u52a0\u5165 ustclug \u7ec4\u7ec7\u7684\u7528\u6237\u4e3a\u81ea\u5df1\u7684 GitHub \u8d26\u53f7\u914d\u7f6e\u4e24\u6b65\u8ba4\u8bc1\uff1a

    "},{"location":"infrastructure/ldap/","title":"LDAP \u670d\u52a1\u4f7f\u7528\u53ca\u914d\u7f6e\u8bf4\u660e","text":"

    LDAP \u662f\u8f7b\u91cf\u76ee\u5f55\u8bbf\u95ee\u534f\u8bae\uff0c\u6211\u4eec\u7528\u7684\u8f6f\u4ef6\u662f OpenLDAP\u3002

    LDAP \u7684\u914d\u7f6e\u5f88\u9ebb\u70e6\uff0c\u6240\u4ee5\u88c5\u4e86\u4e00\u4e2a\u7f51\u9875\u524d\u7aef\u6765\u914d\u7f6e\u5b83\uff0c\u7f51\u9875\u524d\u7aef\u662f GOsa\u00b2\u3002

    "},{"location":"infrastructure/ldap/#_1","title":"\u5bc6\u7801\u4fee\u6539","text":"

    \u767b\u5f55\u4efb\u610f\u4e00\u53f0\u670d\u52a1\u5668\u4f7f\u7528 passwd \u5c31\u53ef\u4ee5\u4fee\u6539\u5bc6\u7801\uff0c\u4fee\u6539\u7684\u5bc6\u7801\u5728\u6240\u6709\u673a\u5668\u4e0a\u5b9e\u65f6\u751f\u6548\uff08\u56e0\u4e3a\u5b9e\u9645\u662f\u5b58\u5728 LDAP \u6570\u636e\u5e93\u91cc\u7684\uff09\u3002

    "},{"location":"infrastructure/ldap/#gosa","title":"GOsa \u4f7f\u7528","text":"

    \u7f51\u9875\u754c\u9762\u4f4d\u4e8e ldap.lug.ustc.edu.cn\u3002

    \u7528\u4f60\u7684\u8d26\u53f7\u767b\u5f55\u8fdb\u53bb\u4e4b\u540e\uff0c\u53ef\u4ee5\u5728\u53f3\u4e0a\u89d2\u9000\u51fa\uff0c\u53f3\u4e0a\u89d2\u8fd8\u6709\u4e24\u4e2a\u6309\u94ae\u5206\u522b\u662f\u4fee\u6539\u8d26\u53f7\u4fe1\u606f\u548c\u4fee\u6539\u5bc6\u7801\u3002\u8d26\u53f7\u4fe1\u606f\u7b2c\u4e00\u9875\u5927\u90e8\u5206\u662f\u6ca1\u7528\u7684\uff0c\u53ea\u6709\u4e00\u4e2a\u767b\u5f55\u540d\u662f\u6709\u7528\u7684\uff0c\u8fd9\u662f\u4f60\u767b\u5f55\u4efb\u4f55\u5730\u65b9\u7684\u7528\u6237\u540d\u3002

    "},{"location":"infrastructure/ldap/#ldap-users-and-groups","title":"Users \u548c Groups","text":"

    Users \u662f\u7528\u6765\u6dfb\u52a0\u548c\u914d\u7f6e\u7528\u6237\u4fe1\u606f\u7684\u5730\u65b9\u3002\u6700\u4e3b\u8981\u7684\u529f\u80fd\u4f4d\u4e8e\u6bcf\u4e2a User \u7684\u7b2c\u4e8c\u9875 POSIX\uff0c\u8fd9\u91cc\u53ef\u4ee5\u8bbe\u7f6e\u7528\u6237\u7684\u5bb6\u76ee\u5f55\uff0cUID\uff0cGID\uff0c\u4ee5\u53ca\u6240\u5c5e\u7684\u7528\u6237\u7ec4\u3002\u8fd9\u91cc\u9700\u8981\u6ce8\u610f\u7684\u5730\u65b9\u5982\u4e0b\uff1a

    Groups \u4e2d\u4ee5 ssh \u5f00\u5934\u7684\u7ec4\u63a7\u5236\u5bf9\u5e94\u673a\u5668\u7684 ssh \u6743\u9650\uff0csudo \u5f00\u5934\u540c\u7406\u3002super_maneger \u7ec4\u5305\u542b\u6240\u6709\u673a\u5668\u7684\u6743\u9650\uff0c\u4ee5\u53ca LDAP \u7684 admin \u8eab\u4efd\u3002\u52a0\u5165\u5bf9\u5e94\u7684\u7ec4\u5373\u6388\u4e88\u76f8\u5e94\u6743\u9650\u3002\u5df2\u77e5\u7684 GID

    "},{"location":"infrastructure/ldap/#access-control","title":"Access Control","text":"

    \u8fd9\u91cc\u53ef\u4ee5\u914d\u7f6e GOsa \u7684\u7f16\u8f91\u6743\u9650\uff0c\u73b0\u5728\u8fd9\u91cc\u9762\u53ea\u6709\u4e00\u4e2a\u7ec4\uff0c\u662f\u5b8c\u5168\u6743\u9650\u7684\u3002\u53e6\u5916\uff0c\u6bcf\u4e2a\u9879\u53ef\u4ee5\u8bbe\u7f6e\u4e13\u95e8\u9488\u5bf9\u8fd9\u4e2a\u9879\u7684 ACL\u3002

    "},{"location":"infrastructure/ldap/#sudo-rules","title":"Sudo rules","text":"

    \u8fd9\u91cc\u914d\u7f6e sudo \u6743\u9650\u3002\u8fd9\u91cc\u7684\u8bed\u6cd5\u548c sudoers \u4e00\u6837\uff08\u8bf7\u65e0\u89c6 System trust\uff09\u3002\u7279\u522b\u8981\u8bf4\u7684\u4e00\u70b9\u662f\u901a\u8fc7\u5728 System \u4e2d\u52a0\u5165\u4e3b\u673a\u540d\u53ef\u4ee5\u9488\u5bf9\u6bcf\u4e2a\u4e3b\u673a\u914d\u7f6e\u6743\u9650\uff0c\u8fd9\u91cc\u8981\u586b\u7684\u662f\u4e3b\u673a\u540d\u800c\u4e0d\u662f\u57df\u540d\uff0c\u5177\u4f53\u8303\u4f8b\u8bf7\u770b\u91cc\u9762\u7684 lugsu wikimanager \u7b49\u9879\u3002

    \u5176\u5b83\u6211\u6ca1\u63d0\u5230\u7684\u9879\u6211\u4e5f\u6ca1\u641e\u660e\u767d\u600e\u4e48\u7528\u3002\u3002\u3002

    gosa \u7684\u914d\u7f6e\u6587\u4ef6\u5728 /etc/gosa/gosa.conf\uff0c\u5b83\u662f\u5728\u7b2c\u4e00\u6b21\u8fd0\u884c gosa \u65f6\u5019\u81ea\u52a8\u751f\u6210\u7684\uff0c\u4f46\u5728\u4e4b\u540e\u5c31\u53ea\u80fd\u901a\u8fc7\u624b\u52a8\u7f16\u8f91\u6765\u4fee\u6539\u3002\u7531\u4e8e\u914d\u7f6e\u6587\u4ef6\u51e0\u4e4e\u6ca1\u6709\u6587\u6863\uff0c\u5b98\u65b9\u7684 FAQ \u6709\u597d\u591a\u662f\u9519\u7684\uff0c\u6240\u4ee5\u6211\u57fa\u672c\u6ca1\u52a8:-D\u3002

    "},{"location":"infrastructure/ldap/#_2","title":"\u7ef4\u62a4\u5907\u6ce8","text":"

    \u5982\u679c\u53d1\u73b0\u66f4\u65b0 GOsa \u4e4b\u540e\uff0c/gosa \u6ca1\u6709\u6b63\u5e38\u5de5\u4f5c\uff08\u6bd4\u5982\u8bf4\u76f4\u63a5\u663e\u793a\u4e86 PHP \u7684\u6e90\u4ee3\u7801\uff09\uff0c\u53ef\u4ee5\u5c1d\u8bd5\u5220\u9664 /var/spool/gosa/ \u4e2d\u7684\u6240\u6709\u6587\u4ef6\uff0c\u8be6\u89c1 Gosa broken in Debian stretch\u3002

    "},{"location":"infrastructure/ldap/#ldap_1","title":"LDAP \u5ba2\u6237\u7aef\u914d\u7f6e","text":""},{"location":"infrastructure/ldap/#debian","title":"Debian \u914d\u7f6e\u65b9\u6cd5","text":""},{"location":"infrastructure/ldap/#_3","title":"\u8f6f\u4ef6\u5305\u5b89\u88c5","text":"

    Debian 7 \u4ee5\u4e0a\u7cfb\u7edf\u5b89\u88c5 libnss-ldapd\u3001libpam-ldapd\u3001sudo-ldap

    Note

    \u66f4\u65b0\u8fd9\u4e9b\u8f6f\u4ef6\u5305\u65f6\uff0c\u6ce8\u610f\u4fdd\u7559\u4e00\u4e2a root \u7ec8\u7aef\uff0c\u66f4\u65b0\u540e\u53ef\u80fd\u9700\u8981\u91cd\u542f daemon \u8fdb\u7a0b

    \u5728\u5b89\u88c5\u8fc7\u7a0b\u4e2d\u4f1a\u88ab\u95ee\u4e00\u4e9b\u95ee\u9898\uff08\u4e0d\u540c\u7248\u672c\u7684 Debian \u7684\u95ee\u9898\u53ef\u80fd\u4e0d\u540c\uff09\uff1a

    "},{"location":"infrastructure/ldap/#etcldapldapconf","title":"/etc/ldap/ldap.conf","text":"

    \u7f16\u8f91\u5185\u5bb9\u5982\u4e0b\uff1a

    /etc/ldap/ldap.conf
    BASE dc=lug,dc=ustc,dc=edu,dc=cn\nURI ldaps://ldap.lug.ustc.edu.cn\nSSL yes\nTLS_CACERT /etc/ldap/slapd-ca-cert.pem\nTLS_REQCERT demand\nSUDOERS_BASE ou=sudoers,dc=lug,dc=ustc,dc=edu,dc=cn\n

    \u4e3a\u4e86\u5b89\u5168\u6027\u8003\u8651\uff0c\u8981\u4ee5 ldaps \u7684\u65b9\u5f0f\u8fde\u63a5 ldap \u670d\u52a1\u5668\uff0c\u540c\u65f6\u5e94\u914d\u7f6e\u597d\u8bc1\u4e66 (/etc/ldap/slapd-ca-cert.pem, \u4ece\u5176\u5b83\u670d\u52a1\u5668\u590d\u5236\u4e00\u4e2a)

    "},{"location":"infrastructure/ldap/#etcsudo-ldapconf","title":"/etc/sudo-ldap.conf","text":"

    \u8fd9\u4e2a\u6587\u4ef6\u5e94\u8be5\u76f4\u63a5\u8f6f\u94fe\u63a5\u5230 /etc/ldap/ldap.conf\uff0c\u901a\u5e38 dpkg \u5df2\u7ecf\u4e3a\u4f60\u521b\u5efa\u597d\u4e86\u3002

    "},{"location":"infrastructure/ldap/#etcnslcdconf","title":"/etc/nslcd.conf","text":"

    \u6ce8\u610f\u68c0\u67e5\u4e00\u4e0b\u6b64\u914d\u7f6e\u6587\u4ef6\u662f\u5426\u4e0e /etc/ldap/ldap.conf \u4e0b\u7684\u5185\u5bb9\u76f8\u4e00\u81f4\uff0c\u5982

    /etc/nslcd.conf
    uid nslcd\ngid nslcd\nuri ldaps://ldap.lug.ustc.edu.cn\nbase dc=lug,dc=ustc,dc=edu,dc=cn\nssl on\ntls_reqcert demand\ntls_cacertfile /etc/ldap/slapd-ca-cert.pem\n
    "},{"location":"infrastructure/ldap/#etcnsswitchconf","title":"/etc/nsswitch.conf","text":"

    \u5b89\u88c5\u8f6f\u4ef6\u5305\u65f6\uff0c\u5b89\u88c5\u811a\u672c\u5df2\u7ecf\u5904\u7406\u8fc7\u8be5\u6587\u4ef6\u3002\u68c0\u67e5\u4e00\u4e0b\u5185\u5bb9\uff0c\u5927\u81f4\u4e3a\uff1a

    passwd:         compat ldap\ngroup:          compat ldap\nshadow:         compat ldap\n......\nsudoers:        files ldap\n

    \u6ce8\u610f\u6bcf\u4e00\u9879\u540e\u9762\u7684 ldap\uff0c\u5982\u679c\u6ca1\u6709\u8981\u624b\u52a8\u52a0\u4e0a\u3002\u4e0d\u592a\u6e05\u695a\u5177\u4f53\u542b\u4e49\uff0c\u53cd\u6b63\u7ed9\u6bcf\u4e00\u9879\u90fd\u52a0\u4e0a ldap \u662f\u6ca1\u6709\u95ee\u9898\u7684\u3002

    Debian 10 \u8981\u6539\u4e00\u4e0b sudoers \u90a3\u4e00\u884c

    \u628a ldap \u653e\u524d\u9762\uff0c\u540c\u65f6\u52a0\u4e0a [SUCCESS=return] \u5e94\u8be5\u50cf\u4e0b\u9762\u8fd9\u6837\uff1a

    sudoers:        ldap [SUCCESS=return] files\n

    \u91cd\u542f\u4e00\u4e0b nscd \u548c nslcd \u670d\u52a1\uff0c\u6b64\u65f6\u8fd0\u884c getent passwd\uff0c\u5e94\u8be5\u53ef\u4ee5\u770b\u5230\u6bd4 /etc/passwd \u66f4\u591a\u7684\u5185\u5bb9\uff0c\u8fd9\u5c31\u8bf4\u660e\u914d\u7f6e\u6b63\u786e\u4e86\u3002

    "},{"location":"infrastructure/ldap/#pam","title":"PAM \u914d\u7f6e","text":"

    \u5982\u679c PAM \u914d\u7f6e\u9519\u8bef\uff0c\u53ef\u80fd\u5bfc\u81f4\u7528\u6237\u65e0\u6cd5\u4f7f\u7528 SSH \u767b\u5f55\uff0c\u751a\u81f3\u8fde sudo \u4e5f\u53ef\u80fd\u6302\u6389\u3002\u6240\u4ee5\u4fee\u6539 PAM \u914d\u7f6e\u65f6\uff1a

    1. \u8bf7\u505a\u597d\u6587\u4ef6\u5907\u4efd\uff1b
    2. \u8bf7\u53e6\u5f00\u4e00\u4e2a root \u7ec8\u7aef\u4ee5\u9632\u4e07\u4e00\u3002

    \u5bf9\u4e8e Debian 7+\uff0c\u53ea\u9700\u8bbe\u7f6e\u4e00\u5904\u3002\u4e3a\u4e86\u767b\u5f55\u65f6\u81ea\u52a8\u521b\u5efa\u5bb6\u76ee\u5f55\uff0c\u5728 /etc/pam.d/common-session \u4e2d\u6dfb\u52a0\u4e0b\u9762\u8fd9\u53e5\uff1a

    session required    pam_mkhomedir.so skel=/etc/skel umask=0022\n

    \u5bf9\u4e8e Debian 5\uff0c\u8bf7\u67e5\u9605\u672c\u6587\u6863\u7684 Git \u8bb0\u5f55\u3002

    "},{"location":"infrastructure/ldap/#centos","title":"CentOS \u914d\u7f6e\u65b9\u6cd5","text":"

    \u901a\u8fc7 yum \u5b89\u88c5 openldap openldap-clients nss_ldap nss-pam-ldap

    \u4ee5 root \u8eab\u4efd\u6267\u884c

    authconfig --enablecache \\\n       --enableldap \\\n       --enableldapauth \\\n       --ldapserver=\"ldaps://ldap.lug.ustc.edu.cn/\" \\\n       --ldapbasedn=\"dc=lug,dc=ustc,dc=edu,dc=cn\" \\\n       --enableshadow \\\n       --enablemkhomedir \\\n       --enablelocauthorize \\\n       --update\n

    \u6ce8\u610f\uff0c\u7531\u4e8e authconfig \u7684 bug\uff0c\u4e0a\u4e00\u6761\u547d\u4ee4\u7684\u6267\u884c\u73af\u5883\u5fc5\u987b\u662f LC_ALL=en_US.UTF-8

    Sudo \u7684\u914d\u7f6e\u662f\u901a\u8fc7 sssd \u5b9e\u73b0\u7684\uff0c\u53c2\u8003 https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/sssd-ldap-sudo.html

    \u5b89\u88c5 sssd libsss_sudo \u5c06 /usr/share/doc/sssd-common/sssd-example.conf \u590d\u5236\u5230 /etc/sssd/sssd.conf \u5e76\u4fee\u6539\u6743\u9650\u4e3a 600\u3002

    [taoky@gateway-nic ~]$ sudo diff /usr/share/doc/sssd-common/sssd-example.conf /etc/sssd/sssd.conf\n3c3\n< services = nss, pam\n---\n> services = nss, pam, sudo\n8c8\n< ; domains = LDAP\n---\n> domains = LDAP\n13a14,15\n> [sudo]\n>\n15,17c17,19\n< ; [domain/LDAP]\n< ; id_provider = ldap\n< ; auth_provider = ldap\n---\n> [domain/LDAP]\n> id_provider = ldap\n> auth_provider = ldap\n22,24c24,27\n< ; ldap_schema = rfc2307\n< ; ldap_uri = ldap://ldap.mydomain.org\n< ; ldap_search_base = dc=mydomain,dc=org\n---\n> ldap_schema = rfc2307\n> ldap_uri = ldaps://ldap.lug.ustc.edu.cn\n> ldap_search_base = dc=lug,dc=ustc,dc=edu,dc=cn\n> ldap_sudo_search_base = ou=sudoers,dc=lug,dc=ustc,dc=edu,dc=cn\n30c33\n< ; cache_credentials = true\n---\n> cache_credentials = true\n35c38\n< # you must install Microsoft Services For UNIX and map LDAP attributes onto\n---\n> # you must install Microsoft Services For Unix and map LDAP attributes onto\n

    \u5751

    \u9700\u8981\u52a0\u4e0a [sudo]\uff0c\u5426\u5219 sudo \u914d\u7f6e\u4f3c\u4e4e\u4e0d\u4f1a\u751f\u6548\uff0c\u8fd9\u4e2a\u914d\u7f6e\u95ee\u9898\u5bfc\u81f4\u4e86\u4fee\u6539\u524d\u5728 gateway-nic \u4e0a\u7528\u6237\u65e0\u6cd5\u4f7f\u7528 sudo\u3002

    \u53e6\u5916\u8bb0\u5f97\u50cf\u524d\u9762\u5728 Debian \u4e2d\u5b89\u88c5\u4ecb\u7ecd\u5230\u7684\u90a3\u6837\u4fee\u6539 /etc/nsswitch.conf \u4ee5\u53ca /etc/nslcd.conf.

    "},{"location":"infrastructure/ldap/#nscd","title":"NSCD \u4f7f\u7528\u8bf4\u660e","text":"

    NSCD \u662f\u7528\u4e8e LDAP \u7f13\u5b58\u7684\u670d\u52a1\uff0c\u76ee\u524d\u5728 mirrors \u4e0a\u7684\u914d\u7f6e\u662f\u4fdd\u6301 30 \u5929\u3002\u8fd9\u5bfc\u81f4\u7684\u95ee\u9898\u662f\u6bcf\u5f53 ldap \u670d\u52a1\u5668\u4e0a\u505a\u51fa\u4fee\u6539\u7684\u65f6\u5019\u9700\u8981\u5728 mirrors \u4e0a\u6267\u884c\uff0c\u6e05\u9664\u6307\u5b9a\u7c7b\u578b\u7684\u7f13\u5b58(\u76ee\u524d mirrors \u670d\u52a1\u5668\u6682\u672a\u914d\u7f6e LDAP \u8ba4\u8bc1\u3002)

    nscd -i passwd\nnscd -i group\n

    \u53c2\u8003\uff1ahttps://wiki.debian.org/LDAP/NSS

    "},{"location":"infrastructure/ldap/#ldap-cli","title":"LDAP CLI \u5de5\u5177\u4f7f\u7528\u8bf4\u660e","text":"

    \u8fd9\u91cc\u4ee5 ldappasswd \u4e3a\u4f8b\uff0c\u5176\u4f59 ldap \u7cfb\u5217\u6307\u4ee4\u4e0e\u5176\u5927\u81f4\u76f8\u540c\uff1a

    LDAP \u5229\u7528 dn \u6765\u5b9a\u4f4d\u4e00\u4e2a\u7528\u6237\uff0c\u4ee5\u4e0b\u6307\u4ee4\u53ef\u4ee5\u5217\u51fa\u6240\u6709\u7528\u6237\u53ca\u5176 dn\uff1a

    ldapsearch -x -LLL uid=* uid\n

    -x \u6307\u5b9a\u4f7f\u7528 Simple authentication\uff0c\u5373\u4f7f\u7528\u5bc6\u7801\u8ba4\u8bc1\u3002

    \u5982\u679c\u8981\u4fee\u6539\u4e00\u4e2a\u7528\u6237\u7684\u5bc6\u7801\uff0c\u4f7f\u7528\uff1a

    ldappasswd -x -D '<executor dn>' -W -S '<target user dn>'\n

    -D '<executor dn>' \u6307\u5b9a\u4e86\u6267\u884c\u8005\u7684\u8eab\u4efd\uff0c-W/-S \u6307\u5b9a\u4e86\u63a5\u4e0b\u6765\u8be2\u95ee\u6267\u884c\u8005/\u76ee\u6807\u7528\u6237\u7684\u5bc6\u7801/\u65e7\u5bc6\u7801\u3002

    \u9700\u8981\u989d\u5916\u6ce8\u610f\u7684\u662f\uff0c\u5728 CLI \u4e2d\u6dfb\u52a0/\u5220\u9664\u7528\u6237\u6216\u66f4\u6539\u7528\u6237\u5bc6\u7801\u65f6\u9700\u8981\u4ee5 LDAP admin \u6267\u884c\uff0c\u5426\u5219\u4f1a\u6709\u62a5\u9519\uff1a

    Insufficient access (50) additional info: no write access to parent\n

    \u6216\u662f\u5176\u4ed6\u7684\u6743\u9650\u4e0d\u8db3\u7684\u9519\u8bef\u3002

    "},{"location":"infrastructure/ldap/#_4","title":"\u90e8\u7f72\u60c5\u51b5","text":"

    \u76ee\u524d\u6240\u6709\u670d\u52a1\u5668\u5747\u5df2\u90e8\u7f72 LDAP

    "},{"location":"infrastructure/ldap/#ldap-known-gids","title":"\u5df2\u77e5\u7684 GID","text":"

    GID \u4fe1\u606f\u5df2\u8fc7\u65f6\uff0c\u4ee5 LDAP \u5b9e\u9645\u914d\u7f6e\u4e3a\u51c6\u3002

    GID \u540d\u79f0 \u8bf4\u660e 2001 ldap_users \u6240\u6709\u7528\u6237\u90fd\u5728\u8fd9\u4e2a\u7ec4\u91cc 1001 ssh_docker2 - 2013 ssh_bbs - 2014 ssh_linode - 2101 ssh_ldap - 2102 ssh_blog - 2103 ssh_dns - 2104 ssh_gitlab - 2105 ssh_lug - 2106 ssh_vpn - 2107 ssh_mirrors - 2108 ssh_pxe - 2109 ssh_freeshell - 2110 ssh_backup - 2112 ssh_vmnfs - 2113 ssh_homepage - 2201 sudo_ldap - 2202 sudo_blog - 2203 sudo_dns - 2204 sudo_gitlab - 2205 sudo_lug - 2206 sudo_vpn - 2207 sudo_mirrors - 2208 sudo_pxe - 2209 sudo_freeshell - 2210 sudo_backup - 2212 sudo_vmnfs - 2213 sudo_homepage - 2000 super_manager - 2999 nologin \u4e0d\u786e\u5b9a\u8fd9\u4e2a\u7ec4\u6709\u6ca1\u6709\u7528

    \u6ce8\u610f\u4e8b\u9879

    LDAP \u914d\u7f6e\u5b8c\u6210\u540e\uff0c\u52a1\u5fc5\u786e\u8ba4 sshd_config \u5df2\u7ecf\u9650\u5236\u4e86\u516c\u7f51\u767b\u5f55\u3002

    \u672c\u6587\u6863\u539f\u59cb\u7248\u672c\u590d\u5236\u81ea LUG wiki\uff0c\u7531\u5f20\u5149\u5b87\u3001\u5d14\u704f\u3001\u6731\u665f\u83c1\u3001\u5de6\u683c\u975e\u64b0\u5199\u3002

    "},{"location":"infrastructure/mail/","title":"Mail Agent","text":"

    \u53ef\u4ee5\u914d\u7f6e\u673a\u5668\u901a\u8fc7 mail.ustclug.org \u53d1\u4ef6\uff0c\u5b9e\u73b0\u8b66\u62a5\u7684\u90ae\u4ef6\u63d0\u9192\uff08\u6536\u4ef6\u4eba\u8bbe\u7f6e\u4e3a alert AT ustclug DOT org\uff09\u3002\u914d\u7f6e\u65f6\u9700\u8981\u5728 mail.s.ustclug.org \u4e0a\u8bbe\u7f6e postfix \u767d\u540d\u5355\u3002

    "},{"location":"infrastructure/mail/#_1","title":"\u5e38\u7528\u547d\u4ee4","text":"

    \u4ece\u961f\u5217\u4e2d\u5220\u9664\u90ae\u4ef6\uff1asudo postsuper -d <\u90ae\u4ef6 ID>\uff08\u90ae\u4ef6 ID \u53ef\u4ee5\u65e5\u5fd7\u4e2d\u770b\u5230\uff09

    \u66f4\u65b0 virtual \u8868\u6620\u5c04\uff1asudo postmap /etc/postfix/virtual \u540e\u91cd\u542f postfix \u670d\u52a1\u3002

    "},{"location":"infrastructure/mail/#mailustclugorg-dkim","title":"mail.ustclug.org \u7684 DKIM \u7b7e\u540d","text":"

    \u7f16\u8f91 /etc/opendkim/TrustedHosts\uff0c\u6dfb\u52a0\u5185\u90e8\u670d\u52a1\u5bf9\u5e94\u7684 IP\uff08\u6bb5\uff09\u5230\u5176\u4e2d\uff0c\u5e76 reload opendkim \u5373\u53ef\u3002

    "},{"location":"infrastructure/monitor/","title":"\u76d1\u63a7\u7cfb\u7edf\u4f7f\u7528\u53ca\u914d\u7f6e\u8bf4\u660e","text":"

    \u76d1\u63a7\u7cfb\u7edf\u7531\u4ee5\u4e0b\u51e0\u4e2a\u7ec4\u4ef6\u7ec4\u6210\uff1a

    "},{"location":"infrastructure/monitor/#configure-influxdb","title":"Configure InfluxDB","text":"

    \u7279\u522b\u6ce8\u610f \uff1aInfluxDB \u9ed8\u8ba4\u6ca1\u6709\u5f00\u542f\u8ba4\u8bc1\u3002

    \u9996\u6b21\u8fd0\u884c\u65f6\uff0c\u521b\u5efa\u597d\u7ba1\u7406\u8d26\u53f7\uff08admin\uff09\uff0c\u53ea\u8bfb\u8d26\u53f7\uff08grafana\uff09\u548c\u5199\u5165\u8d26\u53f7\uff08telegraf\uff09\u3002

    \u7136\u540e\u4fee\u6539\u4f4d\u4e8e /srv/docker/influxdb/conf/influxdb.conf \u7684\u914d\u7f6e\uff0c\u4fee\u6539\u4ee5\u542f\u7528\u8ba4\u8bc1\uff1a

    /srv/docker/influxdb/conf/influxdb.conf
    [http]\n# ...\n# Determines whether HTTP authentication is enabled.\nauth-enabled = true\n

    \u6b64\u5916\uff0c\u53c2\u8003 https://docs.influxdata.com/influxdb/v1.8/administration/authentication_and_authorization/#set-up-authentication\uff0c\u8003\u8651\u5173\u95ed\u90e8\u5206\u529f\u80fd\uff1a

    /srv/docker/influxdb/conf/influxdb.conf
    [http]\n# Determines whether the pprof endpoint is enabled.  This endpoint is used for\n# troubleshooting and monitoring.\npprof-enabled = false\n
    "},{"location":"infrastructure/monitor/#install-telegraf","title":"Install telegraf","text":"

    \u5b89\u88c5\u65b9\u6cd5\u89c1 https://docs.influxdata.com/telegraf/v1.21/introduction/installation/

    \u4e00\u4e2a\u5178\u578b\u7684\u5b89\u88c5\u547d\u4ee4\u662f\uff1a

    wget https://dl.influxdata.com/telegraf/releases/telegraf_1.21.2-1_amd64.deb\nsudo dpkg -i telegraf_1.21.2-1_amd64.deb\n

    \u66f4\u52a0\u63a8\u8350\u7684\u505a\u6cd5\u662f\u52a0\u5165\u8f6f\u4ef6\u6e90\u540e\u5b89\u88c5

    curl -sL https://repos.influxdata.com/influxdb.key | sudo gpg --dearmor -o /usr/share/keyrings/influxdb.gpg\necho \"deb [signed-by=/usr/share/keyrings/influxdb.gpg] https://mirrors.ustc.edu.cn/influxdata/debian buster stable\" | sudo tee /etc/apt/sources.list.d/influxdb.list\nsudo apt-get update && sudo apt-get install telegraf\n
    "},{"location":"infrastructure/monitor/#configure-telegraf","title":"Configure telegraf","text":"

    \u914d\u7f6e\u6587\u4ef6\u5728 /etc/telegraf/ \u76ee\u5f55\u4e0b\uff0c\u7528 root \u6743\u9650\u4fee\u6539\uff1a

    \u5728 /etc/telegraf/telegraf.d/ \u4e0b\u589e\u52a0 net.conf \u7528\u6765\u5f00\u542f\u7f51\u7edc\u76d1\u63a7\uff0c\u5185\u5bb9\u5982\u4e0b\uff1a

    /etc/telegraf/telegraf.d/net.conf
    [[inputs.net]]\n

    \u5728 /etc/telegraf/telegraf.conf \u4e2d\u7684[[outputs.influxdb]] \u4e2d\u589e\u52a0 influxdb \u7684\u5730\u5740\uff1a

    /etc/telegraf/telegraf.conf
    [[outputs.influxdb]]\n  urls = [\"http://influxdb.ustclug.org:8086\"]\n  username = \"${INFLUX_USERNAME}\"\n  password = \"${INFLUXDB_PASSWORD}\"\n

    \u5176\u4e2d INFLUX_USERNAME \u548c INFLUXDB_PASSWORD \u5e94\u4f7f\u7528\u5bf9 telegraf \u6570\u636e\u5e93\u5199\u6743\u9650\u7684\u8d26\u53f7\uff0c\u5426\u5219\u65e0\u6cd5\u5199\u5165\u6570\u636e\u3002

    \u914d\u7f6e\u5b8c\u6210\u4e4b\u540e\uff0c\u91cd\u542f telegraf \u670d\u52a1\uff0c\u5e76\u786e\u4fdd\u670d\u52a1\u8fd0\u884c\u6b63\u5e38\u3002

    sudo systemctl restart telegraf\nsudo systemctl status telegraf\n

    \u5efa\u8bae\u5728\u88ab\u76d1\u63a7\u673a\u5668\u4e0a\u914d\u7f6e NTP\uff08\u53ef\u4ee5\u4f7f\u7528 systemd-timesyncd\uff0c\u8bbe\u7f6e NTP \u670d\u52a1\u5668\u4e3a time.ustc.edu.cn\uff09\uff0c\u4ee5\u907f\u514d\u65f6\u95f4\u4e0d\u540c\u6b65\u53ef\u80fd\u5e26\u6765\u7684\u95ee\u9898\u3002

    "},{"location":"infrastructure/monitor/#web","title":"Web","text":"

    Web \u7aef\u76d1\u63a7\u4f4d\u4e8e https://monitor.ustclug.org\uff0c\u8d26\u53f7\u7cfb\u7edf\u4f7f\u7528 LDAP\uff0c\u53ef\u4ee5\u5728\u8fd9\u91cc\u8bbe\u7f6e\u9884\u8b66\u63d0\u793a\u7b49\u3002

    Warning

    \u914d\u7f6e InfluxDB \u6570\u636e\u6e90\u65f6\uff0c\u53ea\u80fd\u4f7f\u7528\u53ea\u8bfb\u8d26\u53f7\uff0c\u5426\u5219\u4f1a\u5e26\u6765\u4e25\u91cd\u7684\u5b89\u5168\u95ee\u9898\u3002

    "},{"location":"infrastructure/office/","title":"Office 365","text":""},{"location":"infrastructure/office/#application","title":"\u7533\u8bf7\u65b9\u5f0f","text":"

    \u7406\u8bba\u4e0a\u4efb\u4f55\u793e\u56e2\u8d1f\u8d23\u4eba\u6216\u8005\u5728\u793e\u56e2\u4e2d\u8d1f\u8d23\u91cd\u8981\u9879\u76ee\u7684\u4eba\u5458\u90fd\u53ef\u4ee5\u7533\u8bf7\uff0c\u539f\u5219\u662f\u6309\u9700\u5206\u914d\uff0c\u56e0\u4e3a\u90ae\u7bb1\u662f\u5de5\u4f5c\u5de5\u5177\uff0c\u800c\u4e0d\u662f\u798f\u5229\u8d44\u6e90\u3002

    \u540c\u7406\uff0c\u4e0d\u518d\u62c5\u4efb\u8d1f\u8d23\u4eba\u4e14\u4e0d\u518d\u5904\u7406\u4e8b\u52a1\u7684\u540c\u5b66\u4f7f\u7528\u7684\u90ae\u7bb1\u5e94\u8be5\u6536\u56de\uff08\u89c1\u4e0b\u65b9 \u9ed8\u8ba4\u5730\u5740 \u4e00\u8282\uff09\u3002

    "},{"location":"infrastructure/office/#email-etiquette","title":"\u90ae\u4ef6\u793c\u4eea","text":"

    CC\uff08\u6284\u9001\uff09\u548c\u8bbe\u7f6e\u56de\u590d\u5730\u5740\u7684\u76ee\u7684\u90fd\u662f\u4e3a\u4e86\u8ba9\u6240\u6709 LUG \u8d1f\u8d23\u7684\u540c\u5b66\u53ef\u4ee5\u770b\u5230\u4e8b\u4ef6\u6700\u65b0\u7684\u8fdb\u5c55

    \u6284\u9001\u4f1a\u628a\u4f60\u53d1\u7684\u90ae\u4ef6\u7ed9\u6240\u6709\u7684\u8d1f\u8d23\u4eba\uff1b\u56de\u590d\u5730\u5740\uff08Reply-To\uff09\u8bbe\u7f6e\u4e4b\u540e\uff0c\u5bf9\u65b9\u5c31\u77e5\u9053\u8fd9\u662f\u4f60\u4ee3\u8868 LUG \u5199\u7684\u90ae\u4ef6\uff0c\u5e76\u4e14\u9ed8\u8ba4\u56de\u590d\u90ae\u4ef6\u7684\u65f6\u5019\u5730\u5740\u5c31\u662f\u6240\u6709\u8d1f\u8d23\u4eba\u7684\u90ae\u4ef6\u5217\u8868\u3002\u6240\u4ee5\u4e0b\u6587\u4e2d\u8981\u6c42\u8bbe\u7f6e\u8fd9\u4e9b\u5185\u5bb9\u3002

    \u5982\u679c\u9047\u5230\u9700\u8981\u4ee5\u79c1\u4eba\u8eab\u4efd\uff0c\u6216\u8005\u4ee5\u5176\u4ed6\u975e LUG \u4ee3\u8868\u8d1f\u8d23\u4eba\u7684\u8eab\u4efd\u56de\u590d\u90ae\u4ef6\u7684\u573a\u5408\uff0c\u8bf7\u4fee\u6539\u56de\u590d\u5730\u5740\u4fe1\u606f\u3002\u56e0\u4e3a Outlook \u7f51\u9875\u7248\u4e0d\u4fbf\u4e8e\u4fee\u6539\u8fd9\u4e9b\u5185\u5bb9\uff0c\u5efa\u8bae\u4f7f\u7528\u90ae\u4ef6\u5ba2\u6237\u7aef\u5904\u7406\u3002\uff08\u4e2a\u4eba\u63a8\u8350 ThunderBird\uff09\u3002

    \u5bf9\u4e8e\u9700\u8981\u5411\u975e\u90ae\u4ef6\u5217\u8868\u7684\u4e0d\u7279\u5b9a\u7fa4\u4f53\u7fa4\u53d1\u7684\u90ae\u4ef6\uff08\u4f8b\u5982\u901a\u77e5\u7c7b\u6d88\u606f\uff09\uff0c\u8bf7\u6ce8\u610f\u4e0d\u8981\u5c06\u6240\u6709\u90ae\u7bb1\u90fd\u653e\u5728\u6536\u4ef6\u4eba\u91cc\uff0c\u5426\u5219\u6240\u6709\u6536\u5230\u90ae\u4ef6\u7684\u4eba\u90fd\u80fd\u770b\u5230\u5176\u4ed6\u6536\u4ef6\u4eba\u7684\u90ae\u7bb1\uff08\u9690\u79c1\u95ee\u9898\uff09\uff1b\u5e76\u4e14\u6536\u4ef6\u4eba\u5982\u679c\u56de\u590d\u90ae\u4ef6\u4e0d\u5f53\uff0c\u5176\u4ed6\u7684\u6536\u4ef6\u4eba\u4e5f\u4f1a\u6536\u5230\u5176\u56de\u590d\u3002\u4e00\u79cd\u65b9\u4fbf\u7684\u505a\u6cd5\u662f\uff1a\u5c06\u6240\u6709\u9700\u8981\u6536\u5230\u901a\u77e5\u7684\u6536\u4ef6\u4eba\u653e\u5728\u5bc6\u9001 (BCC)\u4e00\u680f\u4e2d\uff0c\u6536\u4ef6\u4eba\u586b\u5199\u539f\u6284\u9001\u5730\u5740\u3002

    \u6211\u4eec\u52a0\u5165\u4e86\u5f88\u591a\u90ae\u4ef6\u5217\u8868\uff0c\u5176\u4e2d\u7ecf\u5e38\u6709\u5404\u79cd\u5f80\u6765\u90ae\u4ef6\uff08\u7279\u522b\u662f CentOS mirror announcement \u8fd9\u4e2a\u5217\u8868\uff0c\u5df2\u9000\uff09\uff0c\u5b83\u4eec\u5927\u591a\u6570\u4e0d\u9700\u8981\u6211\u4eec\u7406\u4f1a\u3002

    \u603b\u4e4b\uff0c\u4e0d\u77e5\u9053\u600e\u4e48\u5904\u7406\u7684\u90ae\u4ef6\u4e0d\u8981\u8d38\u7136\u56de\u590d\u3002\u5982\u679c\u4f60\u8ba4\u4e3a\u67d0\u4e00\u5c01\u90ae\u4ef6\u9700\u8981\u6211\u4eec\u5904\u7406\u4f46\u4e0d\u77e5\u9053\u600e\u4e48\u5904\u7406\uff0c\u8bf7\u8f6c\u544a\u7ed9\u5176\u4ed6\u76f8\u5173\u540c\u5b66\u3002

    \u4ee5\u4e0b\u5185\u5bb9\u4ece Hypercude \u7f16\u5199\u7684\u5185\u5bb9\u4e2d\u622a\u53d6\uff1a

    \u56de\u590d\u4efb\u4f55\u90ae\u4ef6\u65f6\uff0c\u8bf7\u6284\u9001 / CC\uff08\u4e0d\u662f\u5bc6\u9001 / BCC\uff09\u7ed9\u539f\u90ae\u4ef6\u7684\u6536\u4ef6\u5730\u5740\uff01\uff08\u6bd4\u5982\u522b\u4eba\u53d1\u5230 lug A ustc.edu.cn \uff0c\u56de\u590d\u65f6\u4e5f\u8bf7 CC \u5230 lug A ustc.edu.cn\uff09

    \u8bf7\u4e0d\u8981\u201c\u53ea\u56de\u590d\u90ae\u4ef6\u201d\u3002\u5982\u679c\u5728\u56de\u590d\u4e2d\u8bf4\u201c\u6211\u4eec\u4f1a\u505a\u67d0\u67d0\u4e8b\u201d\uff0c\u8bf7\u6ce8\u610f\u9664\u975e\u4f60\u660e\u786e\u8f6c\u4ea4\u7ed9\u4e86\u522b\u4eba\uff0c\u8fd9\u4ef6\u4e8b\u5e94\u5f53\u7531\u4f60\u6765\u5b8c\u6210\u3002

    "},{"location":"infrastructure/office/#email-signature","title":"\u90ae\u4ef6\u7b7e\u540d","text":"

    Outlook \u65e0\u6cd5\u76f4\u63a5\u901a\u8fc7\u7f51\u9875\u7aef\u6dfb\u52a0\u53d1\u4ef6\u4eba\u540d\u79f0\u3001\u8bbe\u7f6e\u56de\u590d\u5730\u5740\uff0c\u56e0\u6b64\u53ea\u80fd\u901a\u8fc7\u90ae\u4ef6\u5ba2\u6237\u7aef\u8fdb\u884c\u4f7f\u7528\u3002\u5728\u4e0b\u4e00\u7ae0\u8282\u7684 Thunderbird \u4e2d\u8fdb\u884c\u8be6\u7ec6\u9610\u8ff0\u3002

    "},{"location":"infrastructure/office/#thunderbird","title":"Thunderbird \u914d\u7f6e","text":""},{"location":"infrastructure/office/#tb-login","title":"\u767b\u5f55","text":"

    \u5728\u767b\u5f55\u65f6\uff0c\u8f93\u5165\u4e86\u7528\u6237\u540d\u3001\u5bc6\u7801\u540e\uff0c\u4f1a\u663e\u793a\u65e0\u6cd5\u627e\u5230\u5bf9\u5e94\u7684\u90ae\u7bb1\u914d\u7f6e

    \u8fdb\u884c\u5982\u4e0b\u7684\u624b\u52a8\u914d\u7f6e\uff1a

    \u5982\u4e0b\u56fe\uff1a

    \u7136\u540e\u70b9\u5de6\u4e0b\u89d2\u7684 Re-test\uff0c\u91cd\u65b0\u641c\u7d22\u5230\u914d\u7f6e\u540e\uff0c\u5728\u4e24\u4e2a Authentication method \u4e2d\u5747\u9009\u62e9 OAuth2\u3002

    \u7136\u540e\u70b9 Done\u3002\u5728\u5f39\u51fa\u7684\u7a97\u53e3\u4e2d\u5b8c\u6210\u8ba4\u8bc1\u3002

    "},{"location":"infrastructure/office/#tb-signature","title":"\u7b7e\u540d\u4e0e\u53d1\u4ef6\u8eab\u4efd","text":"

    \u5728\u53f3\u4e0a\u89d2\u4e2d\u9009\u62e9\u8d26\u6237\u8bbe\u7f6e\uff0c\u5728\u9ed8\u8ba4\u8eab\u4efd\u4e2d

    \u7ed3\u679c\u5982\u56fe\uff1a

    "},{"location":"infrastructure/office/#tb-folders","title":"\u6587\u4ef6\u5939","text":"

    Thunderbird \u7ef4\u62a4\u4e86\u81ea\u5df1\u7684\u6587\u4ef6\u5939\uff0c\u5982\u679c\u9700\u8981\u4e0e\u4e91\u7aef\u7684\u6587\u4ef6\u5939\u540c\u6b65\uff0c\u53ef\u4ee5\u8fdb\u884c\u5982\u4e0b\u64cd\u4f5c

    \u5728\u8d26\u6237\u4e0a\u53f3\u952e\uff0c\u5728\u5f39\u51fa\u7684\u83dc\u5355\u4e2d\u70b9\u51fb Subscribe\u3002\u5f39\u51fa\u7684\u7a97\u53e3\u4e2d\u5305\u542b\u4e86\u4e91\u7aef\u7684\u6587\u4ef6\u5939\uff0c\u7531\u4e8e Thunderbird \u4f1a\u81ea\u884c\u7ef4\u62a4\u5783\u573e\u7bb1\u548c\u5df2\u53d1\u90ae\u4ef6\uff0c\u56e0\u6b64\u53ef\u80fd\u4f1a\u6709\u4e24\u4e2a\u5783\u573e\u7bb1\uff0cDeleted Items \u548c Trash\uff0c\u53ef\u4ee5\u5728\u7f51\u9875\u7aef\u5220\u9664\u4e0d\u9700\u8981\u7684\u6587\u4ef6\u5939\uff0c\u5e76\u5728 Thunderbird \u4e2d\u9009\u62e9\u9700\u8981\u7684\u3002

    \u7136\u540e\u6253\u5f00\u8d26\u6237\u8bbe\u7f6e\uff0c\u8fdb\u884c\u5982\u4e0b\u4fee\u6539

    1. \u5728 Server Settings \u4e0b\uff0c\u4fee\u6539 When I delete a message \u4e3a Move it to this folder: Deleted Items

    2. \u5728 Copies & Folders \u4e0b\uff0c\u4fee\u6539 Place a copy\u3001Keep message archives in\u3001Keep draft messages in \u4e3a\u5bf9\u5e94\u7684\u8fdc\u7aef\u670d\u52a1\u5668\u6587\u4ef6\u5939

    "},{"location":"infrastructure/office/#tb-junk","title":"\u5783\u573e\u90ae\u4ef6","text":"

    Outlook \u4e91\u7aef\u5df2\u7ecf\u5e26\u6709\u4e86\u5783\u573e\u90ae\u4ef6\u5206\u7c7b\u529f\u80fd\uff0c\u4e0d\u9700\u8981 Thunderbird \u81ea\u5df1\u7684\u5783\u573e\u90ae\u4ef6\u5206\u7c7b\u529f\u80fd\u3002

    \u5728\u8d26\u6237\u8bbe\u7f6e\u7684 Local Folders \u4e0b\u7684 Junk Settings \u4e2d\uff0c\u53d6\u6d88\u9009\u4e2d Enable adaptive junk mail controls for this account\u3002

    \u8bf7\u5728\u4e0a\u9762\u7684 Subscribe \u4e2d\u5c06\u5783\u573e\u90ae\u4ef6\u9009\u4e2d\u4ee5\u540c\u6b65\u3002\u6b64\u5916\uff0c\u7531\u4e8e Outlook \u76ee\u524d\u4f1a\u5c06\u51e0\u4e4e\u6240\u6709\u90ae\u4ef6\u90fd\u6254\u8fdb\u5783\u573e\u90ae\u4ef6\u7bb1\uff08\u539f\u56e0\u4f3c\u4e4e\u662f M365 \u7684\u673a\u5668\u5b66\u4e60\u6a21\u578b\u4f1a\u628a\u6240\u6709\u79d1\u5927\u7684\u90ae\u4ef6\u6254\u8fdb\u5783\u573e\u7bb1\uff09\uff0c\u56e0\u6b64\u8bbe\u7f6e\u62c9\u53d6\u90ae\u4ef6\u65f6\u603b\u662f\u68c0\u67e5\u5783\u573e\u90ae\u4ef6\u7bb1\u3002\u8bbe\u7f6e\u65b9\u6cd5\u4e3a\u5728\u5783\u573e\u90ae\u4ef6\u76ee\u5f55\u4e0a\u70b9\u51fb\u53f3\u952e \u2192 \u5c5e\u6027\uff0c\u7136\u540e\u9009\u62e9\u8fd9\u91cc\u7b2c\u4e8c\u4e2a\u52fe\uff1a

    \u6ce8\u610f

    \u4e0d\u8981\u67e5\u770b\u5783\u573e\u90ae\u4ef6\u7684\u8fdc\u7a0b\u5185\u5bb9\u3002\u4e0d\u8981\u56de\u590d\u5783\u573e\u90ae\u4ef6\u3002\u6b63\u5e38\u90ae\u4ef6\u9700\u8981\u624b\u52a8\u79fb\u52a8\u5230\u6536\u4ef6\u7bb1\u3002

    "},{"location":"infrastructure/office/#tb-profiles","title":"\u4f7f\u7528 Thunderbird \u914d\u7f6e\u4e0d\u540c\u7684\u8eab\u4efd","text":"

    (written by taoky)

    \u5728\u67d0\u4e9b\u60c5\u51b5\u4e0b\uff0c\u9700\u8981\u8bbe\u7f6e\u65b0\u7684\u53d1\u4ef6\u4eba\u540d\u79f0\u548c\u56de\u590d\u5730\u5740\uff08\u4f8b\u5982 hackergame staff \u9700\u8981\u4e00\u5957\u4e0d\u540c\u7684\u8bbe\u7f6e\uff09\u3002\u7531\u4e8e Gmail \u7f51\u9875\u7aef\u4fee\u6539\u914d\u7f6e\u5f88\u9ebb\u70e6\uff08\u800c\u4e14\u5f88\u5bb9\u6613\u5fd8\u8bb0\u6539\u56de\u6765\uff09\uff0c\u5f3a\u70c8\u5efa\u8bae\u4f7f\u7528\u90ae\u4ef6\u5ba2\u6237\u7aef\u3002\u4e2a\u4eba\u4f7f\u7528\u7684\u662f Thunderbird\uff0c\u4e0b\u9762\u4e5f\u4ee5\u5b83\u4e3a\u4f8b\u5b50\u3002

    \u5728\u8d26\u53f7\u52a0\u4e0a\u90ae\u7bb1\u4e4b\u540e\uff0c\u70b9\u51fb\u53f3\u952e \u2192 \u5c5e\u6027\uff0c\u9ed8\u8ba4\u914d\u7f6e\uff08LUG Staff\uff09\u5982\u56fe\uff1a

    \u9700\u8981\u6dfb\u52a0\u65b0\u8eab\u4efd\u65f6\uff0c\u70b9\u51fb\u53f3\u4e0b\u89d2\u300c\u7ba1\u7406\u6807\u8bc6\u300d\uff0c\u6dfb\u52a0\u5bf9\u5e94\u7684\u6807\u8bc6\u3002\u5bf9\u4e8e hackergame\uff0c\u53ef\u4ee5\u914d\u7f6e\u5982\u4e0b\uff1a

    \u914d\u7f6e\u5b8c\u6210\u540e\uff0c\u5728\u7f16\u5199\u90ae\u4ef6\u65f6\uff0c\u5c31\u53ef\u4ee5\u9009\u62e9\u65b0\u7684\u6807\u8bc6\u4e86\uff0c\u5e76\u4e14\u53d1\u4ef6\u4eba\u540d\u79f0\u3001\u56de\u590d\u5730\u5740\u548c\u7b7e\u540d\u90fd\u4f1a\u81ea\u52a8\u8bbe\u7f6e\u597d\uff08\u6284\u9001\u8fd8\u662f\u8981\u81ea\u5df1\u8bbe\u7f6e\uff0c\u522b\u5fd8\u4e86\uff01\uff09

    \u4f7f\u7528 Thunderbird \u914d\u7f6e\u5b66\u6821\u90ae\u7bb1\u9700\u8981\u7684\u989d\u5916\u8bbe\u7f6e

    james: \"thunderbird\u67d0\u6b21\u5347\u7ea7\u540e\u51fa\u4e86\u4e00\u4e2abug\uff0c\u8fde\u63a5\u65f6\u670d\u52a1\u5668\u8fd4\u56de\u652f\u6301utf8\uff0ctb\u53d1\u4e86\u4e00\u4e2a\u547d\u4ee4enable utf8\uff0c\u670d\u52a1\u5668\u6b63\u5e38\u8fd4\u56de\u540e\uff0ctb\u6709bug\u8ba4\u4e3a\u4e00\u76f4\u5728\u7b49\u670d\u52a1\u5668\u5e94\u7b54\u3002\"

    \u6240\u4ee5\u5982\u679c\u9700\u8981\u4f7f\u7528 Thunderbird \u4ece mail.ustc.edu.cn \u6536\u53d1\u90ae\u4ef6\uff0c\u9700\u8981\u505a\u4ee5\u4e0b\u7684\u914d\u7f6e\uff1aEdit -> Settings\uff0c\u5728 \"General\" \u4e2d\u62d6\u5230\u6700\u4e0b\u9762\u9009\u62e9 \"Config Editor...\"\u3002\u5728\u65b0\u5f39\u51fa\u7684\u9ad8\u7ea7\u914d\u7f6e\u7684\u6807\u7b7e\u4e2d\u8f93\u5165 utf8\uff0c\u5c06 mail.server.default.allow_utf8_accept \u7684\u503c\u4ece true \u6539\u6210 false\u3002\u8fd9\u4e2a\u8bbe\u7f6e\u4e0d\u4f1a\u5f71\u54cd\u5176\u4ed6\u90ae\u7bb1\u7684\u4f7f\u7528\u3002

    "},{"location":"infrastructure/office/#gmail","title":"Gmail","text":"

    Warning

    \u7531\u4e8e Google \u5c06 G Suite \u5168\u9762\u8f6c\u5411\u4ed8\u8d39\u670d\u52a1\uff0c\u6211\u4eec\u5df2\u5728 2022 \u5e74 3 \u6708 31 \u65e5\u540e\u505c\u6b62\u4f7f\u7528 G Suite \u76f8\u5173\u670d\u52a1\u3002\u8f6c\u5411 Office 365 \u63d0\u4f9b\u7684\u670d\u52a1\u3002\u4ee5\u4e0b\u5185\u5bb9\u4ec5\u4f5c\u4e3a\u5b58\u6863\u4e0e\u53c2\u8003

    \u4ee5\u4e0b\u539f\u6587\u7531 Hypercube \u7f16\u5199

    \u5927\u5bb6\u597d\uff0c

    \u8bf7\u5404\u4f4d\u9605\u8bfb\u4e0b\u65b9\u5185\u5bb9\uff0c\u5e76\u6309\u6307\u793a\u914d\u7f6e\u81ea\u5df1\u7684\u90ae\u7bb1\uff1a

    \u767b\u5f55\u7f51\u9875\u7248 Gmail\uff0c\u5728\u53f3\u4e0a\u89d2\u70b9\u5f00\u8bbe\u7f6e\uff0c\u4e8e\u201c\u5e38\u89c4\u201d\u6807\u7b7e\u9875\u4e2d\u8bbe\u7f6e\u201c\u7b7e\u540d\u201d\u4e3a\u7eaf\u6587\u672c\u5982\u4e0b\u5185\u5bb9\uff08\u5171 5 \u884c\uff0c\u5c06\u6700\u540e\u4e00\u884c\u6362\u6210\u81ea\u5df1\u7684\u4fe1\u606f\uff09\uff1a

    Linux User Group University of Science and Technology of China Homepage: https://lug.ustc.edu.cn/ E-Mail: lug@ustc.edu.cn Zibo Wang (\u738b\u5b50\u535a) <example@ustclug.org>

    \u4e8e\u201c\u8d26\u53f7\u201d\u6807\u7b7e\u9875\u4e2d\u201c\u7528\u8fd9\u4e2a\u5730\u5740\u53d1\u9001\u90ae\u4ef6\u201d\u5185\u70b9\u201c\u4fee\u6539\u4fe1\u606f\u201d\uff0c\u5728\u5f39\u51fa\u7a97\u53e3\u4e2d\u8f93\u5165\u540d\u79f0\u201cZibo Wang on behalf of USTC LUG\u201d\uff08\u8bf7\u6362\u6210\u81ea\u5df1\u7684\u540d\u5b57\uff09\uff0c\u8f93\u5165\u56de\u590d\u5730\u5740\u201clug@ustc.edu.cn\u201d\u3002

    \u8fd8\u53ef\u4ee5\u89c6\u81ea\u5df1\u9700\u8981\u5728\u201c\u8f6c\u53d1\u548c POP / IMAP\u201d\u6807\u7b7e\u9875\u4e2d\u914d\u7f6e\u81ea\u52a8\u8f6c\u53d1\uff0c\u4f46\u8bf7\u6ce8\u610f\uff0c\u5982\u679c\u4f60\u914d\u7f6e\u4e86\u8f6c\u53d1\u5230\u81ea\u5df1\u7684\u5e38\u7528\u90ae\u7bb1\uff0c\u8bf7\u4e0d\u8981\u76f4\u63a5\u4ece\u5e38\u7528\u90ae\u7bb1\u56de\u590d\u90ae\u4ef6\uff0c\u800c\u5e94\u8be5\u767b\u5f55 LUG \u90ae\u7bb1\u56de\u590d\u3002 \u56de\u590d\u4efb\u4f55\u90ae\u4ef6\u65f6\uff0c\u8bf7\u6284\u9001 / CC\uff08\u4e0d\u662f\u5bc6\u9001 / BCC\uff09\u7ed9\u539f\u90ae\u4ef6\u7684\u6536\u4ef6\u5730\u5740\uff01\uff08\u6bd4\u5982\u522b\u4eba\u53d1\u5230 lug A ustc.edu.cn \uff0c\u56de\u590d\u65f6\u4e5f\u8bf7 CC \u5230 lug A ustc.edu.cn\uff09

    \u8bf7\u4e0d\u8981\u201c\u53ea\u56de\u590d\u90ae\u4ef6\u201d\u3002\u5982\u679c\u5728\u56de\u590d\u4e2d\u8bf4\u201c\u6211\u4eec\u4f1a\u505a\u67d0\u67d0\u4e8b\u201d\uff0c\u8bf7\u6ce8\u610f\u9664\u975e\u4f60\u660e\u786e\u8f6c\u4ea4\u7ed9\u4e86\u522b\u4eba\uff0c\u8fd9\u4ef6\u4e8b\u5e94\u5f53\u7531\u4f60\u6765\u5b8c\u6210\u3002

    \u5728\u6dfb\u52a0\u4e86\u7b7e\u540d\u540e\uff0c\u5728\u4e0b\u9762\u7684\u201c\u9ed8\u8ba4\u7b7e\u540d\u8bbe\u7f6e\u201d\u4e2d\uff0c\u5c06\u201c\u7528\u4e8e\u65b0\u7535\u5b50\u90ae\u4ef6\u201d\u4ee5\u53ca\u201c\u7528\u4e8e\u56de\u590d/\u8f6c\u53d1\u201d\u5747\u9009\u62e9\u4e3a\u4e0a\u9762\u6dfb\u52a0\u7684\u7b7e\u540d\u3002

    \u8bb0\u5f97\u6eda\u52a8\u5230\u9875\u9762\u6700\u4e0b\u65b9\u70b9\u51fb\u201c\u4fdd\u5b58\u9875\u9762\u201d\uff01

    "},{"location":"infrastructure/office/#lug-ustc-mailing-list","title":"\u52a0\u5165 lug @ ustc \u5217\u8868","text":"

    \u82e5\u8981\u6536\u5230\u53d1\u5f80 lug A ustc.edu.cn \u7684\u90ae\u4ef6\uff0c\u9700\u8981\u5728 \u7fa4\u7ec4\u7ba1\u7406 \u8fd9\u91cc\u5c06\u7528\u6237\u52a0\u5165 USTC LUG Staff \u7ec4\u3002\u8fd9\u4e2a\u7fa4\u7ec4\u5c31\u662f lug \u548c mirrors \u5728\u5b66\u6821\u90ae\u7bb1\u8bbe\u7f6e\u7684\u8f6c\u53d1\u76ee\u6807\u3002

    "},{"location":"infrastructure/office/#default-route","title":"\u8bbe\u7f6e\u9ed8\u8ba4\u5730\u5740","text":"

    G Suite \u652f\u6301\u5c06\u5355\u4e2a\u5730\u5740\u8bbe\u4e3a\u201c\u9ed8\u8ba4\u5730\u5740\u201d\uff0c\u7528\u4e8e\u63a5\u53d7\u53d1\u5f80\u4e0d\u5b58\u5728\u7684\u5730\u5740\u7684\u90ae\u4ef6\u3002

    \u53c2\u8003\u8d44\u6599\uff1ahttps://support.google.com/a/answer/2368153

    \u5bf9\u4e8e\u4e2d\u6587\u754c\u9762\uff0c\u5e94\u8be5\u4ece Google Admin \u63a7\u5236\u53f0\u6309\u987a\u5e8f\u9009\u62e9 \u5e94\u7528 \u2192 G Suite \u2192 Gmail \u2192 \u9ad8\u7ea7\u8bbe\u7f6e\uff0c\u5176\u4e2d\u7684 \u65e0\u9650\u522b\u540d\u5730\u5740 \u5c31\u662f\u8fd9\u4e2a\u9009\u9879\uff0c\u4e00\u822c\u53d1\u7ed9\u4f1a\u957f\u6216 CTO\u3002

    "},{"location":"infrastructure/raid/","title":"RAID","text":""},{"location":"infrastructure/raid/#megaraid","title":"MegaRAID \u5e38\u7528\u547d\u4ee4","text":"

    MegaRAID \u6e90\u91cc\u6ca1\u6709\uff0c\u9700\u8981\u4ece\u5b98\u7f51\u4e0b\u8f7d RPM \u5305\u540e\u624b\u52a8\u89e3\u538b\u3002Debian 10 \u5b89\u88c5 libncurses5 \u540e\u53ef\u4f7f\u7528\u3002

    sudo /opt/MegaRAID/MegaCli/MegaCli64 -adpallinfo -aAll  # \u67e5\u770b\u6240\u6709\u4fe1\u606f\nsudo /opt/MegaRAID/MegaCli/MegaCli64 -pdlist -aall  # \u67e5\u770b\u7269\u7406\u76d8\u4fe1\u606f\n
    "},{"location":"infrastructure/raid/#_1","title":"\u76d1\u63a7","text":"

    \u73b0\u5728\u90e8\u7f72\u7684\u65b9\u6848\u662f\u7531 telegraf \u6267\u884c\u89e3\u6790\u811a\u672c\uff0c\u5c06\u6570\u636e\u53d1\u9001\u5230 influxdb\uff0c\u7531 grafana \u62a5\u8b66\u3002

    \u811a\u672c\uff1a

    "},{"location":"infrastructure/raid/#esxi","title":"ESXi","text":"

    https://docs.broadcom.com/docs-and-downloads/raid-controllers/raid-controllers-common-files/8-07-07_MegaCLI.zip

    ESXi 5 \u7684 binary \u548c ESXi 6.0 \u517c\u5bb9\u3002

    esxcli software vib install -v=/tmp/vmware-esx-MegaCli-8.07.07.vib --no-sig-check\n

    \u7136\u540e\u8fdb\u5165 /opt/lsi/MegaCLI \u76ee\u5f55\u6267\u884c MegaCli.

    "},{"location":"infrastructure/raid/#ssacli-hpe-smart-array","title":"ssacli (HPE Smart Array)","text":"

    pve-6 \u7684 RAID \u65b9\u6848\u662f HPE Smart Array\u3002\u5bf9\u5e94\u4f7f\u7528\u65b9\u6cd5\u53ef\u4ee5\u53c2\u8003 https://gist.github.com/mrpeardotnet/a9ce41da99936c0175600f484fa20d03\u3002

    \u5bf9\u5e94\u4e3b\u673a\u9700\u8981\u5b89\u88c5 https://downloads.linux.hpe.com/SDR/repo/mcp/Debian/pool/non-free/ssacli-5.30-6.0_amd64.deb\uff08HPE \u6e90\u5b9e\u5728\u592a\u6162\u4e86\uff09\u3002

    "},{"location":"infrastructure/sshca/","title":"SSH Certificate Authentication","text":"

    Discussion: SSH \u5347\u7ea7\u5230\u8bc1\u4e66\u767b\u9646\u65b9\u6848\u8ba8\u8bba

    Usage: SSH \u8bc1\u4e66\u8ba4\u8bc1\u7684\u4f7f\u7528\u65b9\u6cd5 (See also: iBug's blog)

    "},{"location":"infrastructure/sshca/#introduction","title":"Introduction","text":"

    An SSH Certificate Authority (CA) is a trusted key pair that issues certificates. It has the same format as a regular SSH private-public key pair (it is, in fact).

    Certificates can be used for authentication on both the server side and the client side. But certificates cannot issue new certificates (i.e. no chains), it is the very difference from X.509 certificate system.

    "},{"location":"infrastructure/sshca/#server-setup","title":"Server setup","text":""},{"location":"infrastructure/sshca/#trustedusercakeys","title":"Configure server to accept client certificates","text":"

    First drop our public key to /etc/ssh/ssh_user_ca:

    /etc/ssh/ssh_user_ca
    ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1Bxw9AXoZvc9HTe5o4f7/qOROcmzvlcO5oofoF3pewtRnhNpcd/DwmxSblqpj/cjLYkE32mSCzMYY8X0CRFyMJsgSIDC4i4LXDNU0e8PbB2NIQAAeyfJEU5m/Dn1tPw9WvPtPqHCRvgSwnRfzYngMVWROgV2Qe6pOqTTgetEYfb5gkDc2i1M7yfTp3H3ExfrDKwOKPc/9UYOADMFU6u1fJN+4epLETilHC1ubtBeVi23pn1K+LDy06Gwhq1MLljCM7gFBMrmv894HrOHU4WrzLUlfkiDt2cyXLb4qPWYqilBFLUjU92kjmiI/EwB/8pR1WmdU7FoYpdgBHNr3NT53 LUG-CA\n

    Then add the following line to sshd config (Debian 11+):

    /etc/ssh/sshd_config.d/ustclug.conf
    TrustedUserCAKeys /etc/ssh/ssh_user_ca\n

    Old version config (<= Debian 10)

    On Debian 10 (buster) or older, sshd_config does not support the Include directive. Thus any extra setting must be added in the main sshd_config file directly.

    "},{"location":"infrastructure/sshca/#issue-a-server-certificate","title":"Issue a server certificate","text":"

    Warning

    When signing certificates using OpenSSH <= 8.1, add -t rsa-sha2-512 to the ssh-keygen command. More details can be found here: https://ibug.io/p/35

    Note

    Some of our servers may still be running Debian Jessie, which has OpenSSH 6.7 that does not support SHA-2 certificate algorithms (OpenSSH 7.2 required). Sign with -t ssh-rsa instead if you want to log in to such servers.

    January 2022 update: We believe we have got rid of all Jessie systems, so this should no longer be the case.

    Copy the file /etc/ssh/ssh_host_rsa_key.pub from target server.

    Then, run ssh-keygen to issue a public key. For example:

    ssh-keygen -s /path/to/ssh_ca \\\n           -I blog \\\n           -h \\\n           -n blog.s.ustclug.org,blog.p.ustclug.org,10.254.0.15,202.141.176.98,202.141.160.98 \\\n           ssh_host_rsa_key.pub\n

    Then, copy the certificate file ssh_host_rsa_key-cert.pub back to target server.

    At last, add the following lines to sshd config:

    /etc/ssh/sshd_config.d/ustclug.conf
    HostKey /etc/ssh/ssh_host_rsa_key\nHostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub\n

    Warning

    See the same warning block above.

    Certificate will take effect after SSH daemon is reloaded (systemctl reload ssh).

    "},{"location":"infrastructure/sshca/#client-setup","title":"Client setup","text":"

    Add the following line to your known_hosts:

    ~/.ssh/known_hosts
    @cert-authority * ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1Bxw9AXoZvc9HTe5o4f7/qOROcmzvlcO5oofoF3pewtRnhNpcd/DwmxSblqpj/cjLYkE32mSCzMYY8X0CRFyMJsgSIDC4i4LXDNU0e8PbB2NIQAAeyfJEU5m/Dn1tPw9WvPtPqHCRvgSwnRfzYngMVWROgV2Qe6pOqTTgetEYfb5gkDc2i1M7yfTp3H3ExfrDKwOKPc/9UYOADMFU6u1fJN+4epLETilHC1ubtBeVi23pn1K+LDy06Gwhq1MLljCM7gFBMrmv894HrOHU4WrzLUlfkiDt2cyXLb4qPWYqilBFLUjU92kjmiI/EwB/8pR1WmdU7FoYpdgBHNr3NT53 LUG-CA\n

    And when you log in to a LUG server, it is automatically trusted. If you find a machine that does not support this setup, report it to CTO.

    "},{"location":"infrastructure/sshca/#issue-a-client-certificate","title":"Issue a client certificate","text":"
    ssh-keygen -s /path/to/ssh_ca \\\n           -I certificate_identity \\\n           -n principals \\\n          [-O options] \\\n          [-V validity_interval] \\\n           public_key_file\n

    For example:

    ssh-keygen -s /path/to/ssh_ca -I \"Yifan Gao\" -n yifan -V -5m:+365d yifan.pub\n

    In general, certificate_identity is the user's full name, and principals is the system username. The certificate identity is used to identify certificates and is logged in system logs. In addition, one certificate can carry multiply principals, like:

    ssh-keygen -s /path/to/ssh_ca -I \"Yifan Gao\" -n yifan,root,liims -V -5m:+365d yifan.pub\n

    It authorizes the certificate owner to login to any server as yifan, root or liims user.

    Note

    The liims principal is used to log into library inquiry machines.

    Tip

    The validity interval by default starts at the current system time. Using -5m:+365d creates a certificate valid from 5 minutes ago to make up for offset times on other systems. Otherwise it's not much useful to have a validity period starting from a long time ago.

    For security purposes, avoid creating certificates without a defined validity period. It's also recommended to keep validity periods as short as necessary.

    "},{"location":"infrastructure/ssl/","title":"SSL Certificates","text":"

    Discussion: #224

    Our SSL certificates are automatically renewed on GitHub ustclug/ssl-cert ( Private).

    We delegate the subdomain ssl-digitalocean.ustclug.org to DigitalOcean DNS hosting, and use acme.sh DNS alias mode to issue certificates. For this to work, we have the following CNAME records in place:

    _acme-challenge.lug.ustc.edu.cn    ->  lug.ssl-digitalocean.ustclug.org\n_acme-challenge.ustclug.org        ->  lug.ssl-digitalocean.ustclug.org\n_acme-challenge.proxy.ustclug.org  ->  lug.ssl-digitalocean.ustclug.org\n\n_acme-challenge.mirrors.ustc.edu.cn  ->  mirrors.ssl-digitalocean.ustclug.org\n

    Individual machines that use SSL certificates should pull from the said repository (branch cert). Certificates may be loaded via symbolic links (for processes running on the host system directly), or copied around from within the updater script (when there are path constraints, e.g. in a Docker container). The update task is managed by cron.

    Update script for reference:

    /etc/ssl/private/.git/update.sh
    #!/bin/sh\n\ncd \"/etc/ssl/private\"\n\ngit fetch -q\nif [ \"$(git rev-parse HEAD)\" = \"$(git rev-parse '@{u}')\" ]; then\n  exit 0\nfi\ngit reset --hard '@{u}'\n\n# Display certificate dates. This section is optional\nif command -v openssl >/dev/null 2>&1; then\n  echo \"Cert has been updated. New expiry:\"\n  for f in */cert.pem; do\n    echo \"$f:\"\n    openssl x509 -in \"$f\" -noout -dates\n  done\nelse\n  echo \"Cert has been updated.\"\nfi\n\nsystemctl reload openresty.service\n# Other `cp -a` or `docker restart` commands, etc.\n

    The DigitalOcean account we use is owned by iBug and has nothing else running.

    Plan B

    Hurricane Electric provides hosted DNS zones for free, which is also supported by acme.sh. This makes HE DNS a feasible alternative should our current dependency (DigitalOcean) fails.

    "},{"location":"infrastructure/tinc/","title":"Tinc VPN \u914d\u7f6e\u8bf4\u660e","text":"

    Tinc VPN \u662f LUG \u5185\u7f51\u7684\u4e3b\u8981\u6784\u6210\u8f6f\u4ef6\uff0cLDAP \u9700\u8981\u7528\u5230\u5b83\uff08\u56e0\u4e3a ldap \u670d\u52a1\u5668\u662f\u4e2a\u5185\u7f51\u670d\u52a1\u5668\uff09

    "},{"location":"infrastructure/tinc/#_1","title":"\u5b89\u88c5","text":"

    Debian 9+ \u53ef\u4ee5\u76f4\u63a5\u4ece apt \u6e90\u5b89\u88c5 tinc \u5305\u3002

    \u4e0d\u65e9\u8bf4\u8fd9\u73a9\u610f\u6709\u4e2a Git \u4ed3\u5e93\uff1f\uff1fhttps://git.lug.ustc.edu.cn/ustclug/tinc-configure

    \u65e2\u7136\u6709\u4ed3\u5e93\u6240\u4ee5\u8981\u505a\u7684\u4e8b\u60c5\u6bd4\u8f83\u7b80\u5355\uff0c\u8fdb\u5165 /etc/tinc \u76ee\u5f55\u51c6\u5907\u548c Git \u4ed3\u5e93\u540c\u6b65\u914d\u7f6e\uff1a

    git init\ngit remote add origin https://git.lug.ustc.edu.cn/ustclug/tinc-configure.git\ngit fetch origin master\ngit reset --hard FETCH_HEAD\n

    \u6ce8\u610f git reset \u4f1a\u8986\u76d6\u90e8\u5206\u6587\u4ef6\uff0c\u5efa\u8bae\u5728\u5168\u65b0\u5b89\u88c5 tinc \u4e4b\u540e\u8fdb\u884c\u540c\u6b65\u914d\u7f6e\u3002

    \u914d\u7f6e\u5b8c\u6210\u540e\u6267\u884c systemctl enable tinc@ustclug.service \u4f7f tinc \u80fd\u591f\u5f00\u673a\u542f\u52a8\u3002

    "},{"location":"infrastructure/tinc/#_2","title":"\u52a0\u5165\u4e3b\u673a","text":"

    \u9996\u5148\u9700\u8981\u5728\u65b0\u4e3b\u673a\u4e0a\u751f\u6210\u5bc6\u94a5\uff1a

    tincd -n ustclug -K\n

    \u7136\u540e\u5728 /etc/tinc/ustclug/hosts/$HOST \u6700\u540e\u8865\u4e0a\u4e00\u884c\uff1a

    Address = [\u8fd9\u53f0\u673a\u5668\u7684\u516c\u7f51IP]\n

    \u628a\u65b0\u589e\u7684\u8fd9\u4e2a\u6587\u4ef6\u63d0\u4ea4\u8fdb Git \u4ed3\u5e93\uff0c\u5e76\u5728 {ldap,board,gateway-el,gateway-nic}.s.ustclug.org \u7b49\u591a\u53f0\u673a\u5668\u4e0a\u901a\u8fc7 git pull \u66f4\u65b0\uff0c\u5e76 systemctl reload tinc@ustclug.service\u3002

    "},{"location":"infrastructure/tinc/#ip","title":"\u5185\u7f51 IP","text":"

    \u6d4b\u8bd5\u7684\u65f6\u5019\uff0c\u4f60\u53ef\u4ee5\u76f4\u63a5\u901a\u8fc7 ifconfig \u7b49\u65b9\u5f0f\u6307\u5b9a\u4e00\u4e2a\u4e34\u65f6\u7684 IP\uff0c\u6ce8\u610f\u4e0d\u8981\u4e0e\u5df2\u6709\u7684\u5185\u7f51 IP \u51b2\u7a81\uff1a

    ifconfig 10.254.0.xxx/21 ustclug\n

    \u8fd9\u65f6\u5019\u5e94\u8be5\u80fd\u4ece\u5176\u4ed6\u673a\u5668 ping \u901a\u8fd9\u4e2a IP\u3002

    \u6307\u5b9a\u9759\u6001\u5185\u7f51 IP \u7684\u6b63\u786e\u65b9\u6cd5\u662f\u5728 DNS \u4e2d\u6dfb\u52a0\u4e00\u6761\u8fd9\u6837\u7684\u8bb0\u5f55\uff1a

    $ORIGIN s.ustclug.org\n<HOST>  600     IN A    <Intranet IP>\n

    \u7136\u540e\u5728\u673a\u5668\u4e0a\u91cd\u542f systemctl restart tinc@ustclug.service \u5c31\u80fd\u81ea\u52a8\u83b7\u53d6\u4e86\u3002

    "},{"location":"infrastructure/tinc/#ssh","title":"\u914d\u7f6e SSH \u4fa6\u542c\u5185\u7f51\u5730\u5740","text":"

    Tip

    \u5bf9\u4e8e Debian 11+ \u7684\u7cfb\u7edf\uff0c\u5efa\u8bae\u4fdd\u6301 sshd_config \u4e0d\u52a8\uff0c\u5c06\u81ea\u5b9a\u4e49\u7684\u914d\u7f6e\u5199\u5165 sshd_config.d/ustclug.conf\uff0c\u4ee5\u51cf\u5c11\u66f4\u65b0 ssh \u8f6f\u4ef6\u5305\u65f6\u7684\u914d\u7f6e\u6587\u4ef6\u51b2\u7a81\u3002\u6ce8\u610f\u5982\u679c\u8fd9\u4e48\u505a\u7684\u8bdd\u9700\u8981\u628a\u914d\u7f6e\u6587\u4ef6\u91cc\u7684 Subsystem sftp \u5220\u6389\uff0c\u5426\u5219 sshd \u4f1a\u62a5\u9519\u201c\u91cd\u590d\u6307\u5b9a\u4e86 Subsystem sshd\u201d\u3002

    \u4ee5\u4e0b\u914d\u7f6e\u4f9b\u53c2\u8003\uff0c\u590d\u5236\u65f6\u6ce8\u610f\u4fee\u6539 Match LocalAddress \u540e\u9762\u7684\u5185\u5bb9\uff08\u5185\u7f51\u5730\u5740\u548c AllowGroups \u6700\u540e\u7684\u540d\u79f0\uff09\uff1a

    /etc/ssh/sshd_config
    AddressFamily inet\nUseDNS no\n\nHostKey /etc/ssh/ssh_host_rsa_key\nHostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub\nTrustedUserCAKeys /etc/ssh/ssh_user_ca\nRevokedKeys /etc/ssh/ssh_revoked_keys\n\nPasswordAuthentication no\nPubkeyAuthentication no\nChallengeResponseAuthentication no\nUsePAM yes # LDAP for Debian\n\nAcceptEnv LANG LC_*\nX11Forwarding yes\nPrintLastLog no\nPrintMotd no\nSubsystem sftp /usr/lib/openssh/sftp-server\n\nMatch LocalAddress 10.254.0.0\n    AllowGroups ssh_local super_manager ssh_groupname\n    PasswordAuthentication yes\n    PubkeyAuthentication yes\n\n# Public IP access = root-only\nMatch LocalAddress 202.38.95.110,202.141.160.110,202.141.176.110,218.104.71.170\n    AllowUsers root\n    PubkeyAuthentication yes\n    AuthorizedKeysFile none  # \u5c4f\u853d\u516c\u94a5\uff0c\u4ec5\u5141\u8bb8\u8bc1\u4e66\u767b\u5f55\n\n# For SSH Push trigger\nMatch User mirror\n    AllowUsers mirror\n    AuthenticationMethods publickey\n    PermitTTY no\n    PermitTunnel no\n    X11Forwarding no\n\nMatch All #(1)\n
    1. OpenSSH 6.5p1 \u4ee5\u4e0a\u53ef\u4ee5\u4f7f\u7528 Match All \u6765\u7ed3\u675f\u4e0a\u9762\u7684 Match \u5757\u3002\u7531\u4e8e Include \u6307\u4ee4\u51fa\u73b0\u5728 /etc/ssh/sshd_config \u7684\u6700\u4e0a\u9762\uff0c\u800c\u63a5\u4e0b\u6765\u7684\u5185\u5bb9\u90fd\u662f\u5168\u5c40\u8bbe\u7f6e\uff0c\u56e0\u6b64\u4f7f\u7528 Match All \u4fdd\u8bc1\u539f\u5148\u7684\u5185\u5bb9\u7ee7\u7eed\u4f5c\u7528\u4e8e\u5168\u5c40\uff0c\u800c\u4e0d\u662f\u50cf\u4e0a\u9762\u8fd9\u4e2a\u4f8b\u5b50\u4e00\u6837\u53d8\u6210 Match User mirror \u7684\u8bbe\u7f6e\u3002

    \u6ce8\u610f HostCertificate, TrustedUserCAKeys \u548c RevokedKeys \u8fd9\u4e09\u4e2a\u6587\u4ef6\u5fc5\u987b\u5b58\u5728\uff0c\u5426\u5219 SSH \u4f1a\u51fa\u4e00\u4e9b\u95ee\u9898\uff0c\u4f8b\u5982\u4e0d\u80fd\u5bc6\u94a5\u767b\u5f55\u53ea\u80fd\u5bc6\u7801\u767b\u5f55\u3002

    HostCertificate \u9700\u8981\u624b\u52a8\u7b7e\u53d1\u4e00\u4e2a\uff0c\u53e6\u5916\u4e24\u4e2a\u6587\u4ef6\u4ece\u522b\u7684\u673a\u5668\u4e0a\u590d\u5236\u5c31\u884c\u3002

    "},{"location":"infrastructure/discontinued/","title":"\u4e0d\u518d\u4f7f\u7528\u7684\u57fa\u7840\u8bbe\u65bd","text":"

    Warning

    Content under this section is not necessarily up-to-date.

    "},{"location":"infrastructure/discontinued/#saltstack","title":"SaltStack","text":"

    \u76ee\u524d\u4e0d\u77e5 SaltStack \u4f55\u65f6\u5f00\u59cb\u4f7f\u7528\uff0c\u4f46\u662f\u6211\u4eec\u6ca1\u6709\u4efb\u4f55\u4f9d\u8d56\u4e8e salt \u7684\u914d\u7f6e\u3002\u51fa\u4e8e\u8003\u8651\u5230 salt \u51fa\u73b0\u8fc7\u975e\u5e38\u4e25\u91cd\u7684 CVE\uff0csaltstack \u5df2\u4e0d\u518d\u8003\u8651\u4f7f\u7528\uff0c\u4e14\u5728\u5df2\u77e5\u7684\u673a\u5668\u4e0a\u90fd\u5df2\u5220\u9664\u3002\u5982\u679c\u4f60\u53d1\u73b0\u67d0\u53f0 lug \u7684\u673a\u5668\u4e0a\u5b89\u88c5\u4e86 salt\uff0c\u8bf7\u901a\u77e5 CTO \u4ee5\u5c06\u5176\u5220\u9664\u3002

    \u5728\u81ea\u52a8\u5316\u8fd0\u7ef4\u65b9\u9762\uff0c\u672a\u6765\u4f1a\u8c03\u7814 ansible\u3002

    "},{"location":"infrastructure/discontinued/#vsphere","title":"vSphere \u96c6\u7fa4","text":"

    \u6211\u4eec\u4ece 2015 \u5e74\uff08\u6216\u66f4\u65e9\uff09\u5f00\u59cb\u4f7f\u7528 vSphere \u5e73\u53f0\uff08ESXi + vCenter\uff09\u8fd0\u884c\u865a\u62df\u673a\u3002\u7531\u4e8e VMware \u4e13\u6709\u5e73\u53f0\u7684\u590d\u6742\u6027\u96be\u4ee5\u7ef4\u62a4\uff0c\u6211\u4eec\u5df2\u4e8e 2022 \u5e74 1 \u6708\u5168\u9762\u8fc1\u79fb\u81f3\u5f00\u6e90\u7684\u3001\u57fa\u4e8e Debian GNU/Linux \u7684\u865a\u62df\u5316\u5e73\u53f0 Proxmox VE\u3002

    "},{"location":"infrastructure/discontinued/#pve-2-pve-4","title":"pve-2, pve-4","text":"

    pve-2 \u548c pve-4 \u4e5f\u4f4d\u4e8e\u4e1c\u56fe\uff0c\u662f\u4e24\u53f0\u672a\u77e5\u54c1\u724c\u3001\u672a\u77e5\u578b\u53f7\u7684\u65e7\u673a\u5668\uff0c\u914d\u7f6e\u4e3a 2\u00d7 Xeon E5420 (Very old 4C4T, 2.50 GHz), 16 GB \u5185\u5b58\uff08DDR2 667 MHz\uff09\u548c\u4e00\u5757 16 GB \u7684 SanDisk SSD\u3002\u8be5\u578b\u53f7\u673a\u5668\u6ca1\u6709 IPMI\u3002

    \u7531\u4e8e\u914d\u7f6e\u4f4e\u4e0b\uff0c\u6211\u4eec\u624b\u52a8\u5b89\u88c5\u4e86 Proxmox VE\uff0c\u6ca1\u6709\u4f7f\u7528 LVM\uff0c\u5206\u914d\u4e86 1 GB \u7684 swap\uff0c\u5269\u4e0b\u5168\u90e8\u7ed9 rootfs\u3002

    \u673a\u5668\u7684\u7f51\u5361\u6709\u4e24\u4e2a 1 Gbps \u7684\u63a5\u53e3\uff0c\u4e0e pve-6 \u76f8\u540c\uff0c\u90fd\u63a5\u5728\u540c\u4e00\u4e2a\u4ea4\u6362\u673a\u4e0a\u3002

    "},{"location":"infrastructure/discontinued/vsphere/esxi/","title":"ESXi","text":"

    \u73b0\u5f79\u7684 ESXi \u6709 3 \u53f0\uff1aesxi-2 \u548c esxi-6 \u4f4d\u4e8e\u4e1c\u56fe\u673a\u623f\uff0cesxi-5 \u4f4d\u4e8e\u7f51\u7edc\u4fe1\u606f\u4e2d\u5fc3\u673a\u623f\u3002

    esxi-2 \u4e0a\u8fd0\u884c\u4e1c\u56fe\u7f51\u5173\u7b49\u670d\u52a1\uff0cesxi-6 \u4e0a\u8fd0\u884c ustclug gitlab\u3002esxi-5 \u4e0a\u8fd0\u884c\u8bf8\u5982 vcenter, \u90ae\u4ef6\u7f51\u5173, ldap, \u5907\u7528\u7f51\u5173, vSphereDataProtection \u5907\u4efd\u670d\u52a1\u7b49\u3002

    \u76ee\u524d\uff0c\u6709\u8ba1\u5212\u5c06\u865a\u62df\u5316\u65b9\u6848\u66f4\u6539\u4e3a Proxmox Virtual Environment\u3002

    "},{"location":"infrastructure/discontinued/vsphere/esxi/#about-snapshot","title":"\u5173\u4e8e\u5feb\u7167","text":"

    Best practices: https://kb.vmware.com/s/article/1025279\uff0c\u7ba1\u7406\u865a\u62df\u673a\u524d\u52a1\u5fc5\u9605\u8bfb\u3002

    "},{"location":"infrastructure/discontinued/vsphere/esxi/#_1","title":"\u673a\u5668\u914d\u7f6e\u7ec6\u8282","text":""},{"location":"infrastructure/discontinued/vsphere/esxi/#esxi-5","title":"esxi-5","text":"

    esxi-5 \u4e0a\u4e8e 2021/8 \u53d1\u73b0\u81ea\u5e26\u9635\u5217\u6709\u4e24\u5757\u574f\u76d8\uff0c\u5728\u66f4\u6362\u540e\u53d1\u73b0 storage \"root\"\uff08\u5b58\u653e vcenter \u865a\u62df\u673a\uff0c\u7ec4 RAID 1 \u540e\u5927\u5c0f 1.8TB\uff09\u65e0\u6cd5\u6b63\u5e38 rebuild\uff0c\u5e76\u4e14 vcenter \u865a\u62df\u673a\u7684 vmdk \u6587\u4ef6\u6709 4 \u4e2a\u51fa\u73b0 I/O error\u3002\u76ee\u524d vcenter \u865a\u62df\u673a\u5df2\u7ecf\u8fc1\u79fb\u5230 storage \"data\" (RAID10, 7.2 TB)\uff0c\u5de5\u4f5c\u6b63\u5e38\u3002

    "},{"location":"infrastructure/discontinued/vsphere/vcenter/","title":"vCenter","text":"

    vCenter \u4e3a\u7ef4\u62a4\u4eba\u5458\u63d0\u4f9b\u4e86\u65b9\u4fbf\u7684\u7ba1\u7406\u6240\u6709 ESXi \u670d\u52a1\u5668\u7684\u754c\u9762\u3002\u9700\u8981\u6ce8\u610f\uff1a

    "},{"location":"infrastructure/discontinued/vsphere/vcenter/#patch","title":"\u5b89\u88c5 patch","text":"

    \u5f53\u51fa\u73b0\u4e25\u91cd\u7684 CVE \u4e14\u65e0\u6cd5\u7b80\u5355 workaround \u65f6\uff0c\u5efa\u8bae\u5b89\u88c5 patch\uff0c\u5927\u81f4\u65b9\u6cd5\uff1a

    1. \u6253\u5feb\u7167\uff0c\u6700\u597d\u80fd\u624b\u52a8\u5907\u4efd\u4e00\u4e0b\u3002
    2. \u524d\u5f80 https://my.vmware.com/group/vmware/patch \u4e0b\u8f7d\u6700\u65b0\u7248 patch ISO \u6587\u4ef6\uff08\u5206\u7c7b\u4e3a VC\uff0c\u9700\u8981\u6ce8\u518c\u514d\u8d39\u8d26\u53f7\uff09\uff1b
    3. \u4e0a\u4f20 ISO \u6587\u4ef6\u5230 esxi-5 \u67d0\u4e2a datastore \u4e2d\uff0c\u5c06 ISO \u6302\u8f7d\u5230 VMware vCenter Server Appliance \u865a\u62df\u673a\u4e2d\uff1b
    4. \u767b\u5f55 esxi-5 \u7ba1\u7406\u754c\u9762\uff08\u4e0d\u662f vcenter \u754c\u9762\uff0c\u56e0\u4e3a\u66f4\u65b0\u7684\u65f6\u5019 vcenter \u4f1a\u4e0b\u7ebf\uff09\uff0c\u8fdb\u5165 vcenter console\u3002
    5. software-packages stage --iso \u52a0\u8f7d\u8865\u4e01\u6587\u4ef6\uff08\u5b9e\u8d28\u662f\u4e00\u5806 rpm\uff09\u3002
    6. software-packages install --iso \u5b89\u88c5\u8865\u4e01\u6587\u4ef6\u3002
    7. shell \u8fdb\u5165 bash\uff0creboot \u91cd\u542f\u3002
    8. \u91cd\u542f\u540e\u5982\u679c\u8fdb\u5165 5480 \u7aef\u53e3\u53d1\u73b0\u670d\u52a1\u72b6\u6001\u4e3a\u672a\u77e5\uff0c\u624b\u52a8\u91cd\u542f\u6240\u6709\u670d\u52a1\uff1aservice-control --start --all
    9. \u7b49\u5f85\u4e00\u6bb5\u65f6\u95f4\uff08\u6bd4\u8f83\u957f\uff09\uff0c\u671f\u95f4\u53ef\u80fd 503/\u663e\u793a\u670d\u52a1\u6b63\u5728\u52a0\u8f7d\u4e2d\uff0c\u7b49\u7b49\uff0c\u4e4b\u540e\u5c31\u5e94\u8be5\u6b63\u5e38\u4e86\u3002
    10. \u522b\u5fd8\u4e86\u624b\u52a8\u5907\u4efd\u3002

    \u5347\u7ea7\u65f6\u9047\u5230\u7684\u95ee\u9898\uff1a

    1. \u65e0\u6cd5\u8bc6\u522b ISO \u4e3a\u66f4\u65b0\u7684\u7248\u672c\uff1ahttps://kb.vmware.com/s/article/59659?lang=zh_CN
    2. \u300c\u73af\u5883\u5c1a\u672a\u51c6\u5907\u597d\u66f4\u65b0\u300d\uff1a\u4f7f\u7528 console \u7684 software-packages \u66f4\u65b0\uff0c\u67e5\u770b\u539f\u56e0\u3002\u5982\u679c\u662f root \u5bc6\u7801\u8fc7\u671f\uff0c\u8fdb\u5165 bash\uff0c\u4f7f\u7528 passwd \u5148\u91cd\u7f6e\u6210\u65b0\u7684\uff08\u7136\u540e\u518d\u6539\u56de\u6765\uff09\uff0c\u4f7f\u7528 chage -I -1 -m 0 -M 99999 -E -1 root \u8bbe\u7f6e\u6c38\u4e0d\u8fc7\u671f\u3002
    "},{"location":"infrastructure/discontinued/vsphere/vdp/","title":"VDP","text":"

    \u5f53\u6211\u4eec\u8bf4\u5230 VDP \u7684\u65f6\u5019\uff0c\u6211\u4eec\u5230\u5e95\u5728\u6307\u4ec0\u4e48\uff1f\u4e3a\u4e86\u907f\u514d\u6b67\u4e49\uff0c\u4ee5\u4e0b\u505a\u4e86\u4e00\u4e9b\u5b9a\u4e49\uff1a

    vdp2 \u6302\u63a5\u5728 esxi-5 \u4e0a\uff0cesxi-5 \u6e90\u4e8e\u8001 mirrors\uff08mirrors2 \u4e4b\u524d\u7684\u4e00\u4ee3\u673a\u5668\uff09\u3002vSphereDataProtection \u7248\u672c\u4e3a 6.1.5\u3002

    \u5f53 vdp \u5907\u4efd\u7a0b\u5e8f\u51fa\u73b0\u5947\u602a\u7684\u95ee\u9898\u7684\u65f6\u5019\uff0c\u91cd\u542f vdp \u5907\u4efd\u865a\u62df\u673a\u7edd\u5927\u591a\u6570\u65f6\u5019\u80fd\u591f\u89e3\u51b3\u95ee\u9898\u3002\u91cd\u542f\u8017\u65f6\u975e\u5e38\u957f\uff0c\u9700\u8981\u505a\u597d\u5fc3\u7406\u51c6\u5907\u3002

    \u5907\u4efd\u65f6\uff0cvdp \u5907\u4efd\u7a0b\u5e8f\u4f1a\u4e3a\u865a\u62df\u673a\u65b0\u5efa\u4e00\u4e2a snapshot\uff0c\u4e4b\u540e\u4ece snapshot \u4f20\u8f93\u5907\u4efd\u3002\u5076\u5c14 snapshot \u4e0d\u4f1a\u88ab\u6b63\u5e38\u5220\u9664\uff0c\u800c\u5927\u91cf\u6216\u957f\u65f6\u95f4\u5b58\u653e\u7684 snapshot \u4f1a\u7ed9\u6027\u80fd\u5e26\u6765\u8d1f\u9762\u5f71\u54cd\uff0c\u6240\u4ee5\u5982\u679c\u53d1\u73b0\u6b64\u7c7b\u60c5\u51b5\uff0c\u5728\u786e\u8ba4\u5907\u4efd\u4e0d\u518d\u8fdb\u884c\u540e\uff0c\u9700\u8981\u5220\u9664 snapshot\uff0c\u540c\u65f6\u4fdd\u6301\u673a\u5668\u5728\u7ebf\uff08\u5728\u5173\u673a\u60c5\u51b5\u4e0b\u6574\u5408\u78c1\u76d8\u65f6\u65e0\u6cd5\u5f00\u673a\uff01\uff09\u3002

    \u53c2\u8003\u8d44\u6599\uff1ahttps://docs.vmware.com/en/VMware-vSphere/6.5/rn/data-protection-615-release-notes.html

    VDP \u5907\u4efd\u865a\u62df\u673a\u5df2\u7ecf EOL\u3002\u8bbf\u95ee vcenter \u4e2d\u7684 VDP \u63d2\u4ef6\u9700\u8981\u4f7f\u7528 Adobe Flash\u3002

    "},{"location":"infrastructure/discontinued/vsphere/vdp/#_1","title":"\u5907\u4efd\u8ba1\u5212","text":"

    \u76ee\u524d\u7684\u5907\u4efd\u8ba1\u5212\u5982\u4e0b\uff1a

    "},{"location":"infrastructure/discontinued/vsphere/vdp/#_2","title":"\u9ad8\u7ea7\u547d\u4ee4","text":"

    \u67e5\u770b\u5f53\u524d\u4efb\u52a1\uff1a

    # mccli activity show | grep Running\n

    \u67e5\u770b\u670d\u52a1\u60c5\u51b5\uff1a

    # dpnctl status\n# status.dpn\n
    "},{"location":"infrastructure/discontinued/vsphere/vdp/#vspheredataprotection-on-virtio-scsi","title":"vSphereDataProtection on VirtIO SCSI","text":"

    vdp \u7684\u64cd\u4f5c\u7cfb\u7edf\u662f SLES 11 SP3\uff0c\u8fd9\u4e2a\u64cd\u4f5c\u9700\u8981\u7cfb\u7edf\u76d8\u7684\u524d\u4e24\u4e2a\u5206\u533a\uff08/boot \u548c /\uff09\u3002

    1. \u53c2\u8003 https://www.suse.com/support/kb/doc/?id=000016530\uff0c\u89e3\u538b initrd \u5230\u67d0\u4e2a\u76ee\u5f55\u3002
    2. \u4ece rootfs \u7684 /lib/modules/3.0.101-0.47.99-default/kernel/drivers/ \u91cc\u53d6\u51fa virtio \u7684\u5185\u6838\u6a21\u5757\uff08block \u91cc\u9762\u4e00\u4e2a\uff0cvirtio \u6574\u4e2a\u76ee\u5f55\uff0c\u4ee5\u53ca scsi \u91cc\u9762\u4e00\u4e2a\uff09\uff0c\u653e\u5728 initrd \u89e3\u538b\u540e\u7684\u5bf9\u5e94\u4f4d\u7f6e\u3002
    3. rootfs \u7684 /lib/modules/3.0.101-0.47.99-default/modules.dep* \u590d\u5236\u5230 initrd \u91cc\u3002
    4. \u4fee\u6539 initrd \u91cc\u7684 config/start.sh \u548c run_all.sh\uff0c\u5728 RESOLVED_INITRD_MODULES \u53d8\u91cf\u4e2d\u6dfb\u52a0 virtio_pci virtio virtio_scsi virtio_blk\uff08\u5373\u4fee\u6539\u4e3a RESOLVED_INITRD_MODULES='virtio_pci virtio virtio_scsi virtio_blk cifs ext2 ext3 ext4 fat nfs reiserfs ufs xfs'\uff09\u3002
    5. \u53c2\u8003 https://www.suse.com/support/kb/doc/?id=000016530 \u91cd\u65b0\u6253\u5305\uff0c\u653e\u5728\u7b2c\u4e00\u4e2a\u5206\u533a (/boot) \u91cc\u9762\uff0c\u5efa\u8bae\u4e0d\u8981\u8986\u76d6\u539f\u6765\u7684 initrd\u3002
    6. \u4fee\u6539\u7b2c\u4e00\u4e2a\u5206\u533a\u91cc grub/menu.lst\uff0c\u5c06 initrd \u4fee\u6539\u4e3a\u4f60\u6240\u6253\u5305\u7684\u6587\u4ef6\u540d\u3002
    "},{"location":"infrastructure/intranet/","title":"Servers Intranet","text":"

    Servers Intranet connects all the servers together, including physical servers and virtual machines.

    "},{"location":"infrastructure/intranet/#network-topology","title":"Network Topology","text":"

    \u4ee5\u4e0a\u67b6\u6784\u56fe\u7531 iBug \u5728 2023 \u5e74 11 \u6708\u66f4\u65b0\u3002

    \u6b64\u5904\u662f\u4e00\u4e9b\u8fc7\u65f6\u7684\u4fe1\u606f\uff0c\u4e5f\u8bb8\u8fd8\u6709\u70b9\u53c2\u8003\u4ef7\u503c

    The network contains three parts:

    tincVPN is a mesh VPN, which can be abstracted as a virtual Switch.

    vm-nfs.s.ustclug.org runs a layer 2 bridge, connecting tincVPN and SRW2024 (physical switch).

    It is obvious that vm-nfs is a single point of failure of communicating between tinc host and vSphere virtual machine. I had tried to add another bridge node, but resulted in a broadcast storm. Maybe we can fix it by MPLS (merged in mainline kernel 4.3). But it isn't a right timing at this time.

    "},{"location":"infrastructure/intranet/#network-information","title":"Network information","text":"

    The network contains one single subnet: 10.254.0.0/21

    Every server and service binds to one and only one IP address, used to communicate with each other.

    "},{"location":"infrastructure/intranet/#address-planning","title":"Address planning","text":""},{"location":"infrastructure/intranet/gateway/","title":"Intranet Gateway","text":"

    We run gateways in each colocation to provide internet access to intranet-only hosts (VMs and containers).

    When configuring VMs and containers, set their gateway according to their colocation:

    Gateway-JP is mainly used for HTTP reverse proxy, so that we can provide HTTP services in compliance with PRC regulations.

    For server configuration on each gateway, refer to their corresponding documentation:

    "},{"location":"infrastructure/intranet/gateway/#tinc-workaround-1","title":"Tinc \"received packet on ustclug with own address as source address\" workaround","text":"

    After migrating to PVE, we found that sometimes tinc works abnormally within gateway-el and gateway-nic, with following kernel log:

    bridge: received packet on ustclug with own address as source address (addr:12:34:56:78:90:ab, vlan:0)\nbridge: received packet on ustclug with own address as source address (addr:12:34:56:78:90:ab, vlan:0)\nbridge: received packet on ustclug with own address as source address (addr:12:34:56:78:90:ab, vlan:0)\nbridge: received packet on ustclug with own address as source address (addr:12:34:56:78:90:ab, vlan:0)\nbridge: received packet on ustclug with own address as source address (addr:12:34:56:78:90:ab, vlan:0)\nbridge: received packet on ustclug with own address as source address (addr:12:34:56:78:90:ab, vlan:0)\nbridge: received packet on ustclug with own address as source address (addr:12:34:56:78:90:ab, vlan:0)\nbridge: received packet on ustclug with own address as source address (addr:12:34:56:78:90:ab, vlan:0)\nbridge: received packet on ustclug with own address as source address (addr:12:34:56:78:90:ab, vlan:0)\nbridge: received packet on ustclug with own address as source address (addr:12:34:56:78:90:ab, vlan:0)\nnet_ratelimit: 2 callbacks suppressed\n

    We still don't know the source of this issue. To workaround that, following self-check timer is deployed now:

    /opt/tinc-check.sh
    #!/bin/bash\n\nrestart() {\n  systemctl stop tinc@ustclug.service\n  sleep 3  # avoid race condition\n  systemctl start tinc@ustclug.service\n  echo \"tinc restarted\"\n}\n\ndmesg | tail -n 2 | grep 'received packet on ustclug with own address as source address' && restart ||  echo \"tinc OK now\";\n
    /etc/systemd/system/tinc-check.service
    [Unit]\nDescription=Tinc Check and Auto-Restart\n\n[Service]\nType=oneshot\nExecStart=/opt/tinc-check.sh\n
    /etc/systemd/system/tinc-check.timer
    [Unit]\nDescription=Tinc Check and Auto-Restart Timer\n\n[Timer]\nOnCalendar=minutely\nPersistent=true\n\n[Install]\nWantedBy=timers.target\n
    "},{"location":"infrastructure/intranet/lugivpn/","title":"LUG Intranet VPN","text":"

    service: intranet.ustclug.org

    server: board.s.ustclug.org

    "},{"location":"infrastructure/intranet/lugivpn/#introduction","title":"Introduction","text":"

    Server intranet is a closed network, which cannot be accessed from Internet. LUGI VPN helps maintainer get access to intranet temporarily.

    LUGI VPN is running in Banana Pi Raspberry Pi 3B+, the only ARM architecture device we owned. Using OpenVPN protocal, authorizing via LDAP.

    The original Banana Pi was down in April 2021.

    "},{"location":"infrastructure/intranet/lugivpn/#configuration","title":"Configuration","text":"

    OpenVPN LDAP auth plugin config /etc/openvpn/auth-ldap.conf:

    <LDAP>\n    URL             ldaps://ldap.ustclug.org\n    Timeout         15\n    FollowReferrals yes\n    TLSCACertFile   /etc/ldap/ssl/slapd-ca-cert.pem\n</LDAP>\n\n<Authorization>\n    BaseDN          \"ou=people,dc=lug,dc=ustc,dc=edu,dc=cn\"\n    SearchFilter    \"(uid=%u)\"\n    RequireGroup    false\n</Authorization>\n

    In openvpn configuration:

    ...\nplugin /usr/lib/openvpn/openvpn-auth-ldap.so /etc/openvpn/auth-ldap.conf\n

    Servers intranet is a layer 2 network without default gateway. So NAT is needed:

    iptables -t nat -A POSTROUTING -s 10.254.248.0/22 -d 10.254.0.0/21 -j MASQUERADE\n
    "},{"location":"infrastructure/proxmox/nfs/","title":"NFS","text":"

    NFS \u670d\u52a1\u5668\uff08\"vdp\"\uff09\u662f\u4e1c\u56fe\u4e09\u4e2a PVE \u673a\u5668\u7684\u865a\u62df\u673a\u5b58\u50a8\uff0c\u578b\u53f7\u4e3a DELL PowerEdge R510\u3002\u78c1\u76d8\u9635\u5217\u7531\u4e8e\u5728 2021 \u5e74 3 \u6708\u521d\u635f\u574f\uff0c\u76ee\u524d\u5bb9\u91cf\u7f29\u51cf\u5230 8T\uff084 \u5757 4T \u84dd\u76d8 RAID10\uff09\u3002\u9664\u865a\u62df\u673a\u5916\uff0cNFS \u4e5f\u5b58\u50a8 LUG \u6210\u5458\u7684\u4e2a\u4eba\u6570\u636e\u53ca LUG FTP\u3002NFS \u670d\u52a1\u6062\u590d\u540e\uff0c\u4e3a\u4e86\u4fdd\u8bc1\u6570\u636e\u5197\u4f59\u6027\uff0c\u4f7f\u7528\u79d1\u5927 Office 365 A1 \u8d26\u53f7\u548c Rclone \u6bcf\u5929\u589e\u91cf\u5907\u4efd LUG FTP \u548c LUG \u6210\u5458\u7684\u516c\u5f00\u6570\u636e\u3002

    vdp \u7684\u5185\u7f51\u8fde\u63a5\u4f9d\u8d56\u4e8e gateway-el\u3002

    \u53ef\u80fd\u7684\u7f51\u7edc\u95ee\u9898

    \u5728 2021 \u5e74\u4e5d\u6708\u4efd\u4e1c\u56fe\u7684 ESXi \u4e0e NFS \u8fde\u63a5\u4f1a\u51fa\u73b0\u4e0d\u7a33\u5b9a\u7684\u95ee\u9898\uff0c\u539f\u56e0\u76ee\u524d\u4e0d\u660e\u3002\u5728\u8fde\u63a5\u65b9\u5f0f\u4ece NFS 4.1 \u66f4\u6362\u5230 NFS 3 \u4e4b\u540e\uff0c\u8fde\u63a5\u7684\u4e0d\u7a33\u5b9a\u4e0d\u4f1a\u5bfc\u81f4\u865a\u62df\u673a\u88ab\u5173\u95ed\u3002

    2021/09/29 \u66f4\u65b0\uff1a\u8fd9\u4e24\u5929\u518d\u6b21\u51fa\u73b0\u4e86\u4e25\u91cd\u7684\u8fde\u63a5\u95ee\u9898\u3002\u8c03\u8bd5\u540e\u53d1\u73b0 192.168.93.0/24 \u7684\u7f51\u5173 192.168.93.254 (Cisco \u8bbe\u5907) \u4e22\u5305\u4e25\u91cd\uff0c\u800c NFS \u7684\u51fa\u53e3 IP \u9519\u8bef\u88ab\u8bbe\u7f6e\u5230\u4e86\u4e0e\u56fe\u4e66\u9986\u4ea4\u6362\u673a\u76f8\u8fde\u63a5\u7684 eno1\uff0c\u5bfc\u81f4\u8bf7\u6c42\u9700\u8981\u7ed5\u8def\u3002\u5c06\u6b64 IP \u79fb\u52a8\u81f3 eno2\uff0c\u4fee\u6539 sysctl \u8bbe\u7f6e ARP \u8fc7\u6ee4\u5e76\u91cd\u542f\u540e\uff0c\u76ee\u524d\u6682\u65f6\u89e3\u51b3\u4e86\u95ee\u9898\u3002

    "},{"location":"infrastructure/proxmox/nfs/#pve","title":"PVE \u78c1\u76d8\u8def\u5f84\u4e0e\u6302\u8f7d\u53c2\u6570","text":"

    \u5728 storage.cfg \u8bbe\u7f6e\u4e2d\uff0cNFS \u6302\u8f7d\u5230 /mnt/nfs-el\uff0c\u8bbe\u7f6e\u7684\u53c2\u6570\u4e3a soft,noexec,nosuid,nodev\u3002\u8bbe\u7f6e\u4e3a hard \u4f1a\u5bfc\u81f4 NFS \u4e0b\u7ebf\u65f6\u91cd\u8bd5\u65e0\u9650\u6b21\uff0c\u5927\u6982\u7387\u5bfc\u81f4\u7cfb\u7edf\u5361\u6b7b\uff0c\u5176\u4ed6\u51e0\u4e2a\u53c2\u6570\u4e3b\u8981\u662f\u4e3a\u4e86\u5b89\u5168\u3002

    \u5176\u4e2d\uff0c\u6839\u636e PVE \u7684\u8981\u6c42\uff0c\u865a\u62df\u673a\u78c1\u76d8\u6587\u4ef6\u9700\u8981\u653e\u5728 images/<vmid> \u76ee\u5f55\u4e0b\u624d\u4f1a\u88ab\u81ea\u52a8\u68c0\u6d4b\u5230\u3002\u82e5\u4e00\u5f00\u59cb\u6ca1\u6709\u6309\u8981\u6c42\u653e\u7f6e\u6587\u4ef6\u6216\u6dfb\u52a0\u4e86\u65b0\u6587\u4ef6\uff0c\u53ef\u4ee5\u4f7f\u7528 qm rescan \u626b\u63cf\u65b0\u7684\u78c1\u76d8\u6587\u4ef6\u3002\u4e5f\u53ef\u4ee5\u76f4\u63a5\u4f7f\u7528 qm set \u547d\u4ee4\u6216\u624b\u52a8\u7f16\u8f91\u865a\u62df\u673a\u914d\u7f6e\u6587\u4ef6\u6307\u5b9a\u78c1\u76d8\u6587\u4ef6\u7684\u8def\u5f84\uff0c\u8fd9\u4e24\u79cd\u65b9\u6cd5\u6ca1\u6709\u6b64\u9650\u5236\u3002

    \u53e6\u5916\uff0c\u7531\u4e8e\u6574\u4e2a storage.cfg \u6587\u4ef6\u5728\u96c6\u7fa4\u4e2d\u5171\u4eab\uff0c\u9700\u8981\u624b\u52a8\u6307\u5b9a nodes \u4ee5\u514d NIC \u7684\u4e24\u53f0 PVE \u4e3b\u673a\u5c1d\u8bd5\u6302\u8f7d\u3002

    /etc/pve/storage.cfg
    nfs: nfs-el\n        export /media/vdp/pve\n        path /mnt/nfs-el\n        server nfs-el.vm.ustclug.org\n        options soft,noexec,nosuid,nodev\n        content iso,images\n        nodes pve-2,pve-4,pve-6\n        shared 1\n        prune-backups keep-all=1\n

    storage.cfg \u7684\u5168\u90e8\u914d\u7f6e\u5185\u5bb9\u53ef\u4ee5\u53c2\u8003 https://pve.proxmox.com/wiki/Storage\u3002

    "},{"location":"infrastructure/proxmox/pbs/","title":"Proxmox Backup Server (PBS)","text":"

    PBS \u73b0\u5728\u90e8\u7f72\u5728 esxi-5 \u4e0a\u9762\uff0c\u7528\u4f5c\u865a\u62df\u673a\u5907\u4efd\uff0cweb \u754c\u9762\u7684\u7aef\u53e3\u53f7\u4e3a 8007\uff08HTTPS only\uff09\u3002

    Info

    \u672c\u9875\u9762\u8bb0\u5f55 Proxmox Backup Server \u8f6f\u4ef6\u76f8\u5173\uff0c\u4ee5\u53ca Proxmox VE \u865a\u62df\u673a\u76f8\u5173\u7684\u8d44\u6599\u3002\u5173\u4e8e esxi-5 \u7684\u7cfb\u7edf\u914d\u7f6e\u4fe1\u606f\u8bb0\u5f55\u5728 Proxmox VE \u9875\u9762\u3002

    "},{"location":"infrastructure/proxmox/pbs/#pbs","title":"\u5b89\u88c5 PBS","text":"

    PBS \u53ef\u4ee5\u4f7f\u7528\u5b89\u88c5\u5149\u76d8 iso \u5b89\u88c5\u6216\u76f4\u63a5\u52a0\u88c5\u5728\u73b0\u6709\u7684\u5bf9\u5e94\u7248\u672c\u7684 Debian \u7cfb\u7edf\u4e0a\uff0c\u8fd9\u4e24\u79cd\u5b89\u88c5\u65b9\u5f0f\u90fd\u6709\u5b98\u65b9\u7684\u8bf4\u660e\u6587\u6863\u3002

    \u6211\u4eec\u7684 esxi-5 \u662f\u4f7f\u7528 PVE \u7684\u5b89\u88c5\u76d8\u5148\u88c5\u6210 PVE\uff0c\u518d\u5728\u4e0a\u9762\u989d\u5916\u52a0\u88c5 PBS \u7684\u3002\u7531\u4e8e PVE \u548c PBS \u5171\u4eab\u4e86\u5927\u91cf\u7ec4\u4ef6\uff0c\u56e0\u6b64\u5728 PVE \u4e0a\u52a0\u88c5 PBS \u5c31\u53ea\u5269\u4e0b\u5f88\u7b80\u5355\u7684\u4e00\u4e9b\u6b65\u9aa4\u4e86\uff1a

    echo \"deb http://mirrors.ustc.edu.cn/proxmox/debian/pbs bullseye pbs-no-subscription\" > /etc/apt/sources.list.d/pbs.list\napt update\napt install proxmox-backup\n

    \u8be5\u8fc7\u7a0b\u4ec5\u5b89\u88c5\u4e86\u603b\u91cf\u4e3a 150+ MB \u7684 8 \u4e2a\u5305\uff0c\u5c31\u6709 PBS \u53ef\u7528\u4e86\u3002

    "},{"location":"infrastructure/proxmox/pbs/#pbs-new-user","title":"\u521b\u5efa\u65b0\u7528\u6237","text":"

    PBS \u81ea\u5df1\u7684\u8d26\u53f7\u4f53\u7cfb (Realm pbs) \u4e0e PVE (Realm pve) \u4e92\u76f8\u4e0d\u901a\uff0c\u5982\u679c\u9700\u8981\u521b\u5efa\u65b0\u7684 PBS \u7528\u6237\uff0c\u53ef\u4ee5\u901a\u8fc7 SSH \u767b\u5f55\uff0c\u7136\u540e\u53c2\u8003\u4ee5\u4e0b\u6b65\u9aa4\uff1a

    1. proxmox-backup-manager user create \u7528\u6237\u540d@pbs --email \u90ae\u7bb1\u5730\u5740@ustclug.org
    2. proxmox-backup-manager user update \u7528\u6237\u540d@pbs --password '\u4e00\u4e2a\u4e34\u65f6\u7684\u5bc6\u7801'
    3. \u4f7f\u7528\u8be5\u7528\u6237\u767b\u5f55 PBS\uff08\u6b64\u65f6\u7528\u6237\u65e0\u6743\u9650\uff09\uff0c\u4fee\u6539\u5bc6\u7801\uff1b
    4. \u8d4b\u4e88\u6743\u9650\u3002\u8d85\u7ea7\u7ba1\u7406\u5458\u5bf9\u5e94\u7684\u547d\u4ee4\u662f proxmox-backup-manager acl update / Admin --auth-id \u7528\u6237\u540d@pbs
    5. \u4f7f\u7528 proxmox-backup-manager acl list \u786e\u8ba4\u6743\u9650\u5217\u8868\u3002

    \u53c2\u8003\uff1ahttps://pbs.proxmox.com/docs/user-management.html

    Tip

    \u5f53\u7136\uff0c\u4f60\u4e5f\u53ef\u4ee5 SSH \u767b\u5f55\u540e\u4fee\u6539 root \u5bc6\u7801\uff0c\u518d\u7528 root@pam \u7684\u8d26\u53f7\u767b\u5f55 web \u754c\u9762\u8fdb\u884c\u64cd\u4f5c\u3002\u8be5\u65b9\u6cd5\u540c\u65f6\u9002\u7528\u4e8e PVE \u548c PBS\u3002\u64cd\u4f5c\u5b8c\u6210\u540e\u8bf7\u6062\u590d root \u5bc6\u7801\uff08passwd -d root\uff09\u3002

    \u5982\u679c\u4f60\u9700\u8981\u7ecf\u5e38\u767b\u5f55 Web \u754c\u9762\u64cd\u4f5c\uff0c\u6700\u597d\u521b\u5efa\u4e00\u4e2a Realm pve/pbs \u800c\u4e0d\u662f\u4f9d\u8d56\u4e8e\u4f7f\u7528 root \u5bc6\u7801\u3002

    \u7279\u522b\u5730\uff0c\u7531\u4e8e PBS \u548c PVE \u540c\u65f6\u5b89\u88c5\u5728 esxi-5 \u4e0a\uff0c\u56e0\u6b64\u5b83\u4eec\u53ef\u4ee5\u5171\u4eab esxi-5 \u4e0a\u7684 Linux \u7528\u6237\uff08\u5373 Linux PAM standard authentication\uff09\u3002

    "},{"location":"infrastructure/proxmox/pbs/#pbs-add-datastore","title":"\u8bbe\u7f6e Datastore","text":"

    PBS \u4e0a\u7684\u865a\u62df\u673a\u5907\u4efd\u5355\u5143\u662f\u5c0f\u5757\u7684 chunk\uff0c\u4e5f\u4f9d\u8d56\u8fd9\u4e2a\u8bbe\u8ba1\u5b9e\u73b0\u589e\u91cf\u5907\u4efd\uff0c\u6240\u4ee5\u865a\u62df\u673a\u5907\u4efd\uff08Datastore\uff09\u7684\u540e\u7aef\u90fd\u662f\u76ee\u5f55\u3002\u6dfb\u52a0 Datastore \u53ea\u9700\u8981\u6307\u5b9a\u4e00\u4e2a\u76ee\u5f55\uff0c\u53d6\u4e00\u4e2a\uff08\u7b80\u77ed\u7684\uff09\u540d\u5b57\u5c31\u53ef\u4ee5\u4e86\u3002\u5efa\u8bae\u4e0d\u8981\u4f7f\u7528\u6587\u4ef6\u7cfb\u7edf\u7684\u6839\u76ee\u5f55\u4f5c\u4e3a Datastore\uff0c\u53ef\u4ee5\u521b\u5efa\u4e00\u4e2a pbs \u6587\u4ef6\u5939\u7528\u4f5c Datastore\uff0c\u53c2\u8003\u4e0b\u9762\u6240\u8ff0\u7684 esxi-5 \u4e0a\u7684\u914d\u7f6e\u3002

    \u76ee\u524d\u5728 esxi-5 \u4e0a\u914d\u7f6e\u4e86\u4ee5\u4e0b datastore\uff1a

    "},{"location":"infrastructure/proxmox/pve/","title":"Proxmox Virtual Environment (PVE)","text":"

    LUG \u76ee\u524d\u670d\u5f79\u7684 Proxmox VE \u4e3b\u673a\u6709\uff1a

    \u8fd9\u4e9b PVE \u4e3b\u673a\u914d\u7f6e\u4e3a\u4e00\u4e2a\u96c6\u7fa4\uff0c\u53ef\u4ee5\u5171\u4eab\u4e00\u4e9b\u914d\u7f6e\u4fe1\u606f\u5e76\u4e92\u76f8\u8fc1\u79fb\u865a\u62df\u673a\u3002\u7279\u522b\u5730\uff0cProxmox VE Authentication Server\uff08Realm \u4e3a pve\uff09\u7684\u8d26\u53f7\u5728 PVE \u4e3b\u673a\u4e4b\u95f4\u662f\u5171\u4eab\u7684\uff0c\u5e76\u4e14\u6dfb\u52a0\u7684 PBS \u5b58\u50a8\u540e\u7aef\u4e5f\u662f\u5171\u4eab\u7684\uff0c\u5373\u5927\u5bb6\u90fd\u53ef\u4ee5\u5f80\u76f8\u540c\u7684 PBS \u4e0a\u5907\u4efd\u865a\u62df\u673a\u3002

    \u4e0d\u540c\u4e3b\u673a\u4e4b\u95f4\u7684 Linux PAM \u7528\u6237\u662f\u4e0d\u76f8\u901a\u7684

    \u6240\u6709 Proxmox \u4e3b\u673a\u7684\u4e3b\u673a\u540d\uff08hostname\uff09\u90fd\u8bbe\u4e3a <hostname>.vm.ustclug.org\uff0c\u5bf9\u5e94\u7684 IP \u5730\u5740\u8bb0\u5f55\u5728 DNS \u4e2d\u3002

    "},{"location":"infrastructure/proxmox/pve/#common","title":"\u516c\u7528\u914d\u7f6e","text":""},{"location":"infrastructure/proxmox/pve/#root","title":"root \u8d26\u6237","text":"

    \u5df2\u5e9f\u5f03\u7684\u5185\u5bb9

    \u4e3a\u4e86\u4fbf\u4e8e\u901a\u8fc7 IPMI \u7b49\u65b9\u5f0f\u7ef4\u62a4\uff0c\u6211\u4eec\u7ea6\u5b9a\u6240\u6709 Proxmox \u4e3b\u673a\u7684 root \u8d26\u6237\u5bc6\u7801\u4fdd\u6301\u4e3a\u7a7a\u3002\u82e5\u6709\u64cd\u4f5c\u9700\u8981\u4f7f\u7528 root \u5bc6\u7801\uff08\u5982\u521b\u5efa\u548c\u52a0\u5165\u96c6\u7fa4\u65f6\uff09\uff0c\u8bf7\u901a\u8fc7 SSH \u6216 IPMI \u767b\u5f55\uff0c\u4e34\u65f6\u8bbe\u7f6e\u4e00\u4e2a root \u5bc6\u7801\uff0c\u5e76\u5728\u4fee\u6539\u5b8c PVE / PBS \u7684\u914d\u7f6e\u540e\u5c06\u5bc6\u7801\u5220\u9664\uff08passwd -d\uff09\u3002PVE / PBS \u6ca1\u6709\u4f9d\u8d56\u4e8e\u56fa\u5b9a\u4e0d\u53d8\u7684 root \u5bc6\u7801\u624d\u80fd\u6b63\u5e38\u8fd0\u884c\u7684\u7ec4\u4ef6\uff0c\u56e0\u6b64\u8fd9\u6837\u505a\u5bf9 PVE / PBS \u6765\u8bf4\u662f\u6ca1\u95ee\u9898\u7684\u3002

    "},{"location":"infrastructure/proxmox/pve/#networking","title":"\u7f51\u7edc\u914d\u7f6e","text":"

    \u5b89\u5168\u8d77\u89c1\uff0cPVE / PBS \u4e3b\u673a\u4f7f\u7528 RFC 1918 \u6bb5\u7684\u6821\u56ed\u7f51 IP\uff0c\u4e0d\u8fde\u63a5\u516c\u7f51\u3002

    Debian \u548c Proxmox \u7684\u8f6f\u4ef6\u66f4\u65b0\u4f7f\u7528 mirrors.ustc.edu.cn \u5373\u53ef\uff0c\u82e5\u6709\u9700\u8981\u8bbf\u95ee\u6821\u5916\uff08\u5982 GitHub \u7b49\uff09\uff0c\u8bf7\u5199 hosts \u5e76\u914d\u7f6e\u8def\u7531\uff0c\u4ee5 GitHub \u4e3a\u4f8b\uff1a

    echo \"20.205.243.166 github.com\" >> /etc/hosts\nip route replace 20.205.243.166 via (?) dev (?)\n

    \u5176\u4e2d via \u9009\u62e9 gateway-el \u6216 gateway-nic \u7684\u5185\u7f51\u5730\u5740\uff0cdev \u9009\u62e9\u6865\u63a5\u5185\u7f51\u7684 vmbr\uff08\u89c1\u4e0b\uff09\u3002

    "},{"location":"infrastructure/proxmox/pve/#vmbr","title":"\u865a\u62df\u673a\u7f51\u6865","text":"

    Proxmox VE \u8981\u6c42\u4e3a\u865a\u62df\u673a\u63a5\u5165\u7684\u7f51\u6865\u5fc5\u987b\u547d\u540d\u4e3a vmbrN\uff0c\u5176\u4e2d N \u662f 0-4094 \u4e4b\u95f4\u7684\u6574\u6570\u3002\u65b9\u4fbf\u8d77\u89c1\uff0c\u6211\u4eec\u5728\u4e24\u4e2a\u673a\u623f\u5206\u522b\u7edf\u4e00 vmbr \u7684\u7f16\u53f7\uff1a

    \u7f16\u53f7 \u4e1c\u56fe \u7f51\u7edc\u4e2d\u5fc3 vmbr0 \u6821\u56ed\u7f51\uff08\u6559\u80b2\u7f51\uff09 \u6821\u56ed\u7f51\uff08\u6559\u80b2\u7f51\uff09 vmbr1 \u5185\u7f51 \u5185\u7f51 vmbr2 \u7535\u4fe1+\u79fb\u52a8 \u7535\u4fe1 vmbr3 - \u8054\u901a vmbr4 - \u79fb\u52a8 vmbr5 - \u7279\u6b8a\u7528\u9014 vmbr10 \u5907\u7528 -"},{"location":"infrastructure/proxmox/pve/#pve-firewall","title":"\u9632\u706b\u5899","text":"

    \u6211\u4eec\u4e0d\u4f7f\u7528 Proxmox \u81ea\u5e26\u7684\u9632\u706b\u5899\u529f\u80fd\uff0c\u4f46 pve-firewall \u4ecd\u7136\u4f1a\u5c1d\u8bd5\u90e8\u7f72\u6216\u6062\u590d\u9632\u706b\u5899\u8bbe\u7f6e\uff0c\u56e0\u6b64\u9700\u8981\u7981\u7528\u76f8\u5173\u8bbe\u7f6e\u53ca\u670d\u52a1\uff1a

    /etc/pve/nodes/$(hostname -s)/host.fw
    [OPTIONS]\nenable: 0\n
    systemctl stop pve-firewall.service\nsystemctl disable pve-firewall.service\nsystemctl mask pve-firewall.service\n

    \u53ef\u9009\u5185\u5bb9\uff1a\u540c\u65f6\u5b89\u88c5 iptables-persistent \u8f6f\u4ef6\u5305\uff0c\u5e76\u5229\u7528 iptables \u5c06 443 \u7aef\u53e3\u8f6c\u53d1\u5230 8006 \u7aef\u53e3\u65b9\u4fbf\u4f7f\u7528\u3002

    update-alternatives --set iptables /usr/sbin/iptables-nft\nupdate-alternatives --set ip6tables /usr/sbin/ip6tables-nft\n
    /etc/iptables/rules.v4
    *nat\nPREROUTING ACCEPT [0:0]\nINPUT ACCEPT [0:0]\nOUTPUT ACCEPT [0:0]\nPOSTROUTING ACCEPT [0:0]\n-A PREROUTING -p tcp --dport 443 -m addrtype --dst-type LOCAL -j REDIRECT --to-ports 8006\nCOMMIT\n

    \u5220\u6389 rules.v6 \u6587\u4ef6\uff0c\u7136\u540e\u8fd0\u884c systemctl restart netfilter-persistent.service \u8f7d\u5165 iptables \u89c4\u5219\u3002

    "},{"location":"infrastructure/proxmox/pve/#ntp","title":"NTP \u65f6\u95f4","text":"

    Proxmox \u9ed8\u8ba4\u4f7f\u7528 chrony \u8f6f\u4ef6\u548c Debian \u63d0\u4f9b\u7684 NTP pool\uff0c\u8fd9\u4e9b\u670d\u52a1\u5668\u90fd\u5728\u6821\u5916\uff0c\u4f7f\u7528\u6821\u56ed\u7f51 IP \u65e0\u6cd5\u8fde\u901a\uff0c\u9700\u8981\u6539\u6210\u6821\u56ed\u7f51\u7684 NTP \u670d\u52a1\u5668\uff1a

    /etc/chrony/chrony.conf
    # Use Debian vendor zone.\n#pool 2.debian.pool.ntp.org iburst\nserver time.ustc.edu.cn iburst\n

    \u7136\u540e\u8fd0\u884c systemctl restart chrony.service \u91cd\u542f\u670d\u52a1\u3002

    "},{"location":"infrastructure/proxmox/pve/#ssl","title":"SSL \u8bc1\u4e66","text":"

    \u53c2\u89c1 SSL \u8bc1\u4e66\uff0c\u6b63\u597d vdp \u4e0a\u9762\u8fd0\u884c\u4e86 LUG FTP \u800c\u56e0\u6b64\u914d\u7f6e\u4e86\u8bc1\u4e66\u7684\u81ea\u52a8\u66f4\u65b0\uff0c\u5229\u7528 vdp \u63d0\u4f9b\u7684 NFS \u670d\u52a1\uff0c\u6211\u4eec\u5728 vdp \u4e0a\u7684\u8bc1\u4e66\u66f4\u65b0\u811a\u672c\u4e2d\u6dfb\u52a0\u4e86\u5c06 vm \u8bc1\u4e66\u590d\u5236\u5230 NFS \u76ee\u5f55\u7684\u529f\u80fd\uff0c\u7136\u540e\u7531 pve-6 \u90e8\u7f72\u5230\u5404\u4e2a\u4e3b\u673a\u4e0a\u3002

    \u4e0b\u9762\u662f pve-6 \u4e0a\u7684\u811a\u672c\uff1a

    /etc/cron.daily/sync-cert
    #!/bin/bash -e\n\nSRC=\"/etc/pve/nodes/$(hostname -s)\"\nDSTROOT=\"/etc/pve/nodes\"\nCERTSRC=\"/mnt/nfs-el/cert\"\n\ncp -u \"$CERTSRC/privkey.pem\" \"$SRC/pveproxy-ssl.key\"\ncp -u \"$CERTSRC/fullchain.pem\" \"$SRC/pveproxy-ssl.pem\"\nsystemctl reload pveproxy.service\n\nfor DST in \"$DSTROOT\"/*; do\n  [ \"$DST\" = \"$SRC\" ] && continue\n  node=\"$(basename \"$DST\")\"\n  cp \"$SRC/pveproxy-ssl.key\" \"$SRC/pveproxy-ssl.pem\" \"$DST/\"\n  ssh \"$node\" 'systemctl reload pveproxy.service' &\ndone\nwait\n

    \u7531\u4e8e PVE \u548c PBS \u7684\u6570\u636e\u4e0d\u4e92\u901a\uff0c\u56e0\u6b64 esxi-5 \u4e0a\u7684\u76f8\u540c\u4f4d\u7f6e\u6709\u53e6\u4e00\u4e2a\u811a\u672c\u4e3a PBS \u90e8\u7f72\u8bc1\u4e66\uff1a

    /etc/cron.daily/sync-cert
    #!/bin/bash\n\nSRC=\"/etc/pve/nodes/$(hostname -s)\"\nDST=\"/etc/proxmox-backup\"\n\nif ! cmp -s \"$SRC/pveproxy-ssl.pem\" \"$DST/proxy.pem\"; then\n  cp \"$SRC/pveproxy-ssl.key\" \"$DST/proxy.key\"\n  cp \"$SRC/pveproxy-ssl.pem\" \"$DST/proxy.pem\"\n  systemctl reload proxmox-backup-proxy.service\nfi\nexit 0\n\n# Unreachable code, leaving here for reference\nif command -v openssl 2>/dev/null; then\n  FP=\"$(openssl x509 -noout -fingerprint -sha256 -inform pem -in \"$DST/proxy.pem\")\"\n  FP=\"${FP##*=}\"\n  pvesm set esxi-5-data --finerprint \"$FP\"\n  pvesm set esxi-5-vdp2 --finerprint \"$FP\"\nfi\n
    "},{"location":"infrastructure/proxmox/pve/#pve-5","title":"pve-5","text":"

    pve-5 \u4f4d\u4e8e\u7f51\u7edc\u4e2d\u5fc3\uff0c\u914d\u7f6e\u4e3a 2\u00d7 Xeon E5-2603 v4 (Broadwell 6C6T, 1.70 GHz, no HT, no Turbo Boost) Xeon E5-2667 v4 (Broadwell 8C16T, 3.20 GHz, Max 3.60 GHz)\uff0c256 GB \u5185\u5b58\u548c\u4e00\u5927\u5806 SSD\uff082\u00d7 \u4e09\u661f 240 GB SATA + 10x Intel DC S4500 1.92 TB SATA\uff09\u3002\u6211\u4eec\u5c06\u4e24\u5757 240 GB \u7684\u76d8\u7ec4\u6210\u4e00\u4e2a LVM VG\uff0c\u5206\u914d 16 GB \u7684 rootfs\uff08LVM mirror\uff09\u548c 8 GB \u7684 swap\uff0c\u5176\u4f59\u7a7a\u95f4\u7ed9\u4e00\u4e2a thinpool\u3002\u5341\u5757 1.92 TB \u7684\u76d8\u7ec4\u6210\u4e00\u4e2a RAIDZ2 \u7684 zpool\uff0c\u7528\u4e8e\u5b58\u50a8\u865a\u62df\u673a\u7b49\u6570\u636e\u3002

    \u5176\u8fde\u63a5\u7684\u5355\u6839 10 Gbps \u7684\u5149\u7ea4\uff0c\u6865\u63a5\u51fa vmbr0 \u81f3 vmbr4 \u7b49\u7f51\u6865\uff08\u7ebf\u8def\u5b9a\u4e49\u89c1\u4e0a\uff09\u3002\u5176\u4e2d\u65e0\u5934\u7f51\u6865\u7528\u4e8e\u4ece gateway-nic \u6865\u63a5 Tinc\u3002

    \u786c\u76d8\u63a7\u5236\u5668\u4e0d\u8981\u4f7f\u7528 VirtIO SCSI Single \u6216 LSI \u5f00\u5934\u7684\u9009\u9879

    \u53ef\u80fd\u7531\u4e8e ZFS \u6a21\u5757\u7684 bug \u6216\u8005\u5185\u5b58\u6761\u6545\u969c\uff0c\u4f7f\u7528\u8fd9\u4e9b\u6a21\u5f0f\u5728\u865a\u62df\u673a\u91cd\u542f\u65f6\u4f1a\u5bfc\u81f4\u6574\u4e2a Proxmox VE \u4e3b\u673a\u5361\u4f4f\u800c\u4e0d\u5f97\u4e0d\u91cd\u542f\u3002\u8bf7\u4f7f\u7528 VirtIO SCSI\uff08\u4e0d\u5e26 Single\uff09\u3002\u540c\u6837\u539f\u56e0\u521b\u5efa\u865a\u62df\u673a\u786c\u76d8\u65f6\u4e5f\u4e0d\u8981\u52fe\u9009 iothread\u3002

    \u4e3b\u673a\u4f7f\u7528 ZFS\uff08Zvol\uff09\u4f5c\u4e3a\u865a\u62df\u673a\u7684\u865a\u62df\u786c\u76d8\uff0c\u5728\u865a\u62df\u673a\u4e2d\u542f\u7528 fstrim.timer\uff08systemd \u7684 fstrim \u5b9a\u65f6\u4efb\u52a1\uff0c\u7531 util-linux \u63d0\u4f9b\uff09\u53ef\u4ee5\u5b9a\u671f\u817e\u51fa\u4e0d\u7528\u7684\u7a7a\u95f4\uff0c\u5e2e\u52a9 ZFS \u66f4\u597d\u5730\u89c4\u5212\u7a7a\u95f4\u3002\u542f\u7528 fstrim \u7684\u865a\u62df\u786c\u76d8\u9700\u8981\u5728 PVE \u4e0a\u542f\u7528 discard \u9009\u9879\uff0c\u5426\u5219 fstrim \u4e0d\u8d77\u4f5c\u7528\u3002\u8be5\u7279\u6027\u662f\u7531\u4e8e ZFS \u662f CoW \u7684\uff0c\u4e0e ZFS \u5e95\u5c42\u4f7f\u7528 SSD \u6ca1\u6709\u592a\u5927\u5173\u8054\u3002

    "},{"location":"infrastructure/proxmox/pve/#esxi-5","title":"esxi-5","text":"

    esxi-5 \u4e5f\u4f4d\u4e8e\u7f51\u7edc\u4e2d\u5fc3\uff0c\u914d\u7f6e\u4e3a 2\u00d7 Xeon E5620\uff08Westmere-EP 4C8T, 2.40~2.66 GHz\uff09\uff0c48 GB \u5185\u5b58\uff0c\u4e24\u5757 240 GB SATA SSD \u548c\u4e00\u4e9b\u4e0d\u77e5\u9053\u574f\u4e86\u591a\u5c11\u7684 1 TB \u548c 2 TB HDD\uff08\u89c1\u4e0b\uff09\u3002\u7531\u4e8e\u673a\u8eab\u81ea\u5e26\u7684 RAID \u5361\u4e0d\u652f\u6301\u786c\u76d8\u76f4\u901a\uff08JBOD \u6a21\u5f0f\uff09\uff0c\u56e0\u6b64\u6211\u4eec\u5c06\u4e24\u5757 SSD \u5206\u522b\u505a\u6210\u5355\u76d8\u201c\u9635\u5217\u201d\u7136\u540e\u5728\u7cfb\u7edf\u91cc\u4f7f\u7528 LVM\uff08LVM \u89c4\u683c\u4e0e pve-5 \u76f8\u540c\uff09

    \u987e\u540d\u601d\u4e49\u672c\u673a\u5668\u66fe\u7ecf\u8fd0\u884c\u7684\u662f VMware ESXi\uff0c\u5728 2022 \u5e74 1 \u6708\u91cd\u88c5\u4e3a Proxmox VE 7.1\uff0c\u56e0\u4e3a\u54b1\u4eec\u90fd\u662f\u7ea0\u7ed3\u602a\u6240\u4ee5\u51b3\u5b9a\u4e0d\u6539\u540d\uff0c\u8fd8\u53eb esxi-5\u3002\u8003\u8651\u5230\u8be5\u673a\u5668\u914d\u7f6e\u4e86\u591a\u4e2a\u786c\u76d8\u9635\u5217\uff0c\u4e14\u9635\u5217\u7684\u53ef\u7528\u5bb9\u91cf\u6bd4 pve-5 \u7684\u786c\u76d8\u7684\u539f\u59cb\u5bb9\u91cf\u8fd8\u5927\uff0c\u6211\u4eec\u5728\u4e0a\u9762\u52a0\u88c5 Proxmox Backup Server \u8f6f\u4ef6\uff0c\u4e3b\u8981\u7528\u4f5c\u865a\u62df\u673a\u5907\u4efd\uff0c\u66ff\u4ee3\u539f\u5148\u8fd0\u884c\u5728 ESXi \u4e0a\u7684 vSphereDataProtection \u865a\u62df\u673a\u3002

    "},{"location":"infrastructure/proxmox/pve/#_1","title":"\u7f51\u7edc","text":"

    \u7f51\u7edc\u914d\u7f6e\u4e0e pve-5 \u76f8\u4f3c\uff0c\u5176\u4e0a\u6709\u4e24\u4e2a\u5343\u5146\u7f51\u5361 enp3s0 \u548c enp4s0\u3002enp3s0 \u8fde\u63a5\u7f51\u7edc\u4e2d\u5fc3\u7684\u4ea4\u6362\u673a\uff0c\u6865\u63a5\u4e0d\u540c\u7684 VLAN \u7f51\u7edc\u7ed9\u865a\u62df\u673a\uff0c\u5e76\u4e14\u5404 vmbrX \u7684\u6570\u5b57\u548c\u7aef\u53e3\u4e0e pve-5 \u4e00\u81f4\uff1b\u800c enp4s0 \u8fde\u63a5\u4e00\u4e2a\u5916\u90e8\u9635\u5217\uff08vdp2\uff09\uff0c\u4f7f\u7528 iSCSI \u8bbf\u95ee\u8be5\u9635\u5217\u3002

    \u7531\u4e8e\u6211\u4eec\u53ea\u6709\u4e00\u4e2a gateway-nic\uff0c\u800c pve-5 \u548c esxi-5 \u4e24\u4e2a\u4e3b\u673a\u90fd\u4f9d\u8d56 gw-nic \u6865\u63a5\u7684 tinc \u6765\u63a5\u5165\u5185\u7f51\uff0c\u56e0\u6b64\u6211\u4eec\u5728 pve-5 \u548c esxi-5 \u4e4b\u95f4\u62c9\u4e86\u4e00\u6761 GRETAP \u96a7\u9053\uff0c\u5e76\u5728\u4e24\u4e2a\u4e3b\u673a\u4e0a\u5206\u522b\u5c06 VTEP \u6865\u63a5\u5230 vmbr1\u3002

    \u53c2\u8003\u914d\u7f6e\uff1a

    pve-5:/etc/network/interfaces
    auto gretap0esxi-5\niface gretap0esxi-5 inet manual\n    pre-up ip link add name $IFACE mtu $IF_MTU type gretap local 10.38.95.115 remote 10.38.95.111\n    post-down ip link delete $IFACE\n    mtu 1500\n\nauto vmbr1\niface vmbr1 inet static\n    address 10.254.0.240/21\n    bridge-ports gretap0esxi-5\n    bridge-stp off\n    bridge-fd 0\n

    esxi-5 \u8fd9\u7aef\u7684\u914d\u7f6e\u5219\u5c06\u5bf9\u5e94\u7684 iface \u540d\u79f0\u548c IP \u5730\u5740\u7b49\u5168\u90e8\u5bf9\u6362\u5373\u53ef\u3002

    MTU \u95ee\u9898

    2022 \u5e74 2 \u6708\u5904\u7406\u5185\u7f51 tinc ARP \u95ee\u9898\u65f6\u53d1\u73b0 esxi-5 \u548c pve-5 \u7684 vmbr1 MTU \u90fd\u88ab\u8bbe\u7f6e\u6210\u4e86 1462\uff08GRETAP \u7684\u9ed8\u8ba4 MTU\uff09\u3002\u6211\u4eec\u4e0d\u786e\u5b9a MTU \u95ee\u9898\u4e0e tinc \u662f\u5426\u76f8\u5173\uff0c\u4f46\u4fdd\u9669\u8d77\u89c1\u6211\u4eec\u8fd8\u662f\u5c06\u8be5 GRETAP \u754c\u9762\u7684 MTU \u8bbe\u7f6e\u6210\u4e86 1500\uff08GRE \u5177\u6709\u5206\u7247\u529f\u80fd\uff09\u3002

    -pre-up ip link add name $IFACE type gretap local 10.38.95.115 remote 10.38.95.111\n+pre-up ip link add name $IFACE mtu $IF_MTU type gretap local 10.38.95.115 remote 10.38.95.111\n post-down ip link delete $IFACE\n+mtu 1500\n
    "},{"location":"infrastructure/proxmox/pve/#iscsi","title":"iSCSI","text":"

    \u8bbe\u7f6e iSCSI \u5f00\u673a\u81ea\u52a8\u767b\u5f55\uff1a

    iscsiadm -m node -T iqn.2002-10.com.infortrend:raid.sn8223150.001 -p 192.168.10.1:3260 -o update -n node.startup -v automatic\niscsiadm -m node -T iqn.2002-10.com.infortrend:raid.sn8223150.001 -p 192.168.10.1:3260 -o update -n node.conn[0].startup -v automatic\n

    \u53c2\u8003\u94fe\u63a5\uff1ahttps://library.netapp.com/ecmdocs/ECMP1654943/html/GUID-8EC685B4-8CB6-40D8-A8D5-031A3899BCDC.html

    \u8fc7\u65f6\u4fe1\u606f

    \u7531\u4e8e\u6211\u4eec\u6ca1\u6709\u7814\u7a76\u6e05\u695a open-iscsi \u7684\u5f00\u673a\u81ea\u52a8\u6302\u8f7d\u673a\u5236\uff0c\u56e0\u6b64\u6211\u4eec\u9009\u62e9\u76f4\u63a5 override \u5bf9\u5e94\u7684 service \u6765\u5b8c\u6210\u8fd9\u4e2a\u4efb\u52a1\uff1a

    $ systemctl edit open-iscsi.service
    [Service]\nExecStart=\nExecStart=/sbin/iscsiadm -d8 -m node -T iqn.2002-10.com.infortrend:raid.sn8223150.001 -p 192.168.10.1:3260 --login\nExecStart=/lib/open-iscsi/activate-storage.sh\n

    \u82e5 iSCSI \u8fde\u63a5\u6210\u529f\uff0c\u5e94\u8be5\u53ef\u4ee5\u5728\u7cfb\u7edf\u4e2d\u770b\u5230\u4e00\u4e2a\u65b0\u7684\u786c\u76d8\uff0c\u5bb9\u91cf\u4e3a 14.55 TiB\uff0c\u578b\u53f7\u663e\u793a\u4e3a RS-3116I-S42-6\u3002

    "},{"location":"infrastructure/proxmox/pve/#rootfs-backup","title":"rootfs \u5907\u4efd","text":"

    \u5c3d\u7ba1 esxi-5 \u7684 rootfs \u4e5f\u4f7f\u7528\u4e86 LVM mirror \u5728\u4e24\u5757 SSD \u4e0a\u955c\u50cf\uff0c\u4f46\u662f\u6211\u4eec\u4e0d\u592a\u4fe1\u4efb\u8fd9\u5757 RAID \u5361\uff0c\u56e0\u6b64\u6211\u4eec\u5c06 esxi-5 \u7684 rootfs \u6bcf\u5929\u5907\u4efd\u5230 vdp2 \u4e0a\u3002\u4e3a\u4e86\u907f\u514d\u5728 vdp2 \u6389\u7ebf\u7684\u65f6\u5019\u4e71\u201c\u5907\u4efd\u201d\uff0c\u6211\u4eec\u4f7f\u7528\u4e00\u4e2a systemd \u670d\u52a1\uff0c\u8bbe\u7f6e\u4e86 RequiresMountsFor \u4f9d\u8d56\uff1a

    /etc/systemd/system/rootfs-backup.service
    [Unit]\nDescription=Backup rootfs to vdp2\nRequiresMountsFor=/mnt/vdp2\n\n[Service]\nType=oneshot\nExecStart=/usr/bin/rsync -aHAXx --delete / /mnt/vdp2/rootfs/\n
    crontab
    21 4 * * * systemctl start rootfs-backup.service\n
    "},{"location":"infrastructure/proxmox/pve/#esxi-5-others","title":"\u5176\u4ed6\u8bb0\u5f55","text":"

    esxi-5 \u4e8e 2021/8 \u53d1\u73b0\u81ea\u5e26\u9635\u5217\u6709\u4e24\u5757\u574f\u76d8\uff0c\u5728\u66f4\u6362\u540e\u53d1\u73b0 storage \"root\"\uff08\u5b58\u653e vcenter \u865a\u62df\u673a\uff0c\u7ec4\u5efa RAID 1 \u540e\u5927\u5c0f 1.8 TB\uff09\u65e0\u6cd5\u6b63\u5e38 rebuild\uff0c\u5e76\u4e14 vcenter \u865a\u62df\u673a\u7684 vmdk \u6587\u4ef6\u6709 4 \u4e2a\u51fa\u73b0 I/O error\u3002\u6b64\u540e vcenter \u865a\u62df\u673a\u5df2\u7ecf\u8fc1\u79fb\u5230 storage \"data\" (RAID10, 7.2 TB) \u5e76\u6b63\u5e38\u5de5\u4f5c\u3002

    "},{"location":"infrastructure/proxmox/pve/#records","title":"\u5de5\u4f5c\u8bb0\u5f55","text":""},{"location":"infrastructure/proxmox/pve/#migrate-docker2","title":"2021-12-31 \u8fc1\u79fb docker2","text":"

    docker2 \u539f\u5148\u4f7f\u7528 QEMU \u76f4\u63a5\u8fd0\u884c\u5728 mirrors2 \u4e0a\uff0c\u4e0b\u5c42\u5b58\u50a8\u4e3a ZFS Zvol\uff08pool0/qemu/docker2\uff09\uff0c\u7531\u4e8e ZFS \u8c03\u53c2\u4e0d\u5f53\u4f7f\u5176\u5360\u7528\u4e86 3 \u500d\u7684\u786c\u76d8\u7a7a\u95f4\uff08\u89c1\u8fd9\u4e2a Reddit \u8d34\u5b50\uff09\uff0c\u52a0\u4e0a mirrors2 \u672c\u8eab\u5bf9\u5916\u63d0\u4f9b Rsync \u670d\u52a1\uff0c\u786c\u76d8\u8d1f\u8f7d\u6781\u9ad8\uff0c\u6240\u4ee5\u957f\u671f\u4ee5\u6765 docker2 \u7684 I/O \u6027\u80fd\u5341\u5206\u4f4e\u4e0b\u3002\u6b63\u597d\u501f\u8fd9\u6b21\u5168\u95ea\u7684\u65b0\u5bbf\u4e3b\u673a\u5c06\u5176\u8fc1\u79fb\u8fc7\u53bb\u3002

    \u8fc1\u79fb\u65f6\u9700\u8981\u4fdd\u8bc1\u5b8c\u6574\u6027\u7684\u4e3b\u8981\u5185\u5bb9\u5c31\u662f\u865a\u62df\u673a\u5185\u7684\u4e1a\u52a1\uff0c\u56e0\u6b64\u9700\u8981\u5728\u4e3b\u673a\u95f4\u4f20\u8f93\u7684\u5185\u5bb9\u5c31\u662f\u865a\u62df\u78c1\u76d8\uff0c\u5176\u4ed6\u914d\u7f6e\uff08CPU\u3001\u5185\u5b58\u3001\u7f51\u5361\u7b49\uff09\u90fd\u53ef\u4ee5\u76f4\u63a5\u5728\u65b0\u5e73\u53f0\u4e0a\u521b\u5efa\u65b0\u865a\u62df\u673a\u65f6\u4fee\u6539\u3002\u539f\u672c\u6211\u4eec\u6253\u7b97\u4f7f\u7528 rsync \u6216\u8005 dd \u7684\u65b9\u5f0f\u590d\u5236\u78c1\u76d8\uff0c\u4f46\u662f\u8003\u8651\u5230\u4e24\u8fb9\u90fd\u662f ZFS\uff0c\u4f7f\u7528 zfs send \u662f\u4e00\u4e2a\u66f4\u597d\u7684\u65b9\u6848\u3002

    \u6211\u4eec\u5728 pve-5 \u4e0a\u8fd0\u884c nc -l -p 9999 </dev/null | pv | zfs recv rpool/data/docker2\uff0c\u7136\u540e\u5728 mirrors2 \u4e0a\u5bf9 zvol \u5148\u6253\u4e2a\u5feb\u7167\uff0c\u8fd0\u884c zfs send pool0/qemu/docker2@20211230 > /dev/tcp/{pve-5}/9999 \u5c06\u5feb\u7167\u5185\u5bb9\u53d1\u9001\u5230 pve-5 \u4e0a\uff08300 GiB \u7684\u6570\u636e\u82b1\u8d39\u4e86 16 \u5c0f\u65f6\uff09\uff0c\u7136\u540e\u518d\u5c06 docker2 \u5173\u673a\u5e76\u589e\u91cf\u4f20\u8f93\uff0czfs send -i @20211230 pool0/qemu/docker2 > /dev/tcp/{pve-5}/9999\uff08\u589e\u91cf\u4f20\u8f93\u53ea\u53d1\u9001\u4e86 10 GB \u6570\u636e\uff09\u3002\u540c\u65f6\u6211\u4eec\u5728 Proxmox \u7684 web \u754c\u9762\u4e0a\u521b\u5efa\u4e00\u4e2a\u65b0\u865a\u62df\u673a\uff0c\u914d\u597d CPU \u5185\u5b58\u7f51\u5361\u7b49\uff0c\u5206\u914d 300 GiB \u7684\u786c\u76d8\u3002

    \u7531\u4e8e zfs send \u662f\u539f\u6837\u53d1\u9001\u7684\uff0c\u56e0\u6b64\u63a5\u6536\u5230\u7684 zvol \u786c\u76d8\u5360\u7528\u91cf\u4ecd\u7136\u6709 712 GB\u3002Proxmox \u65b0\u5efa\u7684 zvol \u53c2\u6570\u5c31\u6bd4\u8f83\u5408\u7406\uff08volblocksize=16k\uff09\uff0c\u6ca1\u6709\u4e25\u91cd\u653e\u5927\u7684\u95ee\u9898\uff0c\u56e0\u6b64\u6211\u4eec\u518d\u5c06\u63a5\u6536\u5230\u7684 zvol \u7ed9 dd \u8fdb\u65b0\u865a\u62df\u673a\u7684 zvol \u800c\u4e0d\u662f\u76f4\u63a5\u4f7f\u7528\u3002dd \u7ed3\u679c\u7ea6 345 GiB\uff08\u5341\u5206\u5408\u7406\uff09\uff0c\u5f00\u673a\u8fdb\u7cfb\u7edf\u8fd0\u884c fstrim \u4e4b\u540e\u5360\u7528\u91cf\u7ea6\u4e3a 240 GiB\uff08\u66f4\u52a0\u5408\u7406\u4e86\uff09\u3002

    \u8fc1\u79fb\u8fc7\u7a0b\u6ca1\u6709\u9047\u5230\u4efb\u4f55\u5751\uff0c\u4ec5\u6709\u7684\u6ce8\u610f\u4e8b\u9879\u5c31\u662f zvol \u8c03\u53c2\u9700\u8981\u91cd\u65b0 dd \u800c\u4e0d\u80fd\u76f4\u63a5\u6539\uff0c\u4ee5\u53ca\u521b\u5efa\u7f51\u5361\u7684\u987a\u5e8f\uff08\u4f1a\u5f71\u54cd\u865a\u62df\u673a\u5185\u90e8 eth0 \u548c eth1 \u7684\u987a\u5e8f\uff0c\u9664\u975e\u865a\u62df\u673a\u5185\u90e8\u4f7f\u7528 udev persistent net \u65b9\u5f0f\u6839\u636e MAC \u5730\u5740\u5c06\u7f51\u5361\u6539\u540d\uff09\u3002

    "},{"location":"infrastructure/proxmox/pve/#esxi-5-syslog-zfs-error-cannot-open-rpool-no-such-pool","title":"esxi-5 \u7684 syslog \u4e00\u76f4\u51fa\u73b0 zfs error: cannot open 'rpool': no such pool","text":"

    \u8fd9\u662f\u56e0\u4e3a esxi-5 \u4e0a\u9762\u6839\u672c\u5c31\u6ca1\u6709\u4f7f\u7528 ZFS\uff0c\u800c\u52a0\u5165 pve-5 \u7684\u96c6\u7fa4\u65f6\u865a\u62df\u673a\u7684\u5b58\u50a8\u4fe1\u606f\uff08/etc/pve/storage.cfg\uff09\u4e5f\u4ece pve-5 \u540c\u6b65\u8fc7\u6765\u5408\u5e76\u4e86\uff0c\u56e0\u6b64 esxi-5 \u5728\u6839\u636e pve-5 \u7684\u914d\u7f6e\u5c1d\u8bd5\u542f\u7528 zfs \u5b58\u50a8\u3002

    \u89e3\u51b3\u529e\u6cd5\uff1a\u7531\u4e8e /etc/pve \u4e0b\u5927\u591a\u6570\u5185\u5bb9\u5728\u96c6\u7fa4\u95f4\u662f\u540c\u6b65\u7684\uff0c\u6253\u5f00 storage.cfg\uff0c\u5728 zfspool: local-zfs \u4e0b\u9762\u52a0\u5165\u4e00\u884c\uff0c\u7f29\u8fdb\u4e00\u4e2a Tab \u5e76\u52a0\u4e0a nodes pve-5\uff0c\u8868\u793a\u8fd9\u4e2a storage \u53ea\u5728 pve-5 \u4e0a\u4f7f\u7528\u3002

    "},{"location":"infrastructure/proxmox/pve/#pve-6","title":"pve-6","text":"

    pve-6 \u4f4d\u4e8e\u4e1c\u56fe\uff0c\u662f\u4e00\u53f0 HP DL380G6\uff0c\u914d\u7f6e\u4e3a 2\u00d7 Xeon E5620 (Westmere 4C8T, 2.50 GHz), 72 GB \u5185\u5b58\u548cl\u4e24\u5757 300 GB \u7684 SAS \u786c\u76d8\u3002\u66fe\u7ecf\u53eb\u505a esxi-6\uff0c\u5728 2022 \u5e74 1 \u6708\u7edf\u4e00\u66f4\u6362\u4e3a Proxmox VE\u3002

    \u673a\u5668\u6709\u4e24\u4e2a\u7f51\u5361\uff0c\u5171\u6709 4 \u4e2a 1 Gbps \u7684\u63a5\u53e3\uff0c\u5176\u4e2d 3 \u4e2a\u90fd\u63a5\u5728 VLAN \u4ea4\u6362\u673a\u4e0a\uff08\u53e6\u4e00\u4e2a\u4e0d\u77e5\u9053\u63a5\u4e86\u5565\uff09\uff0c\u901a\u8fc7 VLAN \u540c\u65f6\u8fde\u63a5\u56fe\u4e66\u9986\u7684\u4e24\u4e2a\u7f51\u6bb5\u4ee5\u53ca\u7ecf\u7531 gateway-el \u6865\u63a5\u7684\u5185\u7f51\uff0c\u4ee5\u53ca\u8fde\u63a5 vdp \u6302\u8f7d NFS\u3002

    HP Smart Array

    HP \u7684\u81ea\u5e26 RAID \u5361\u7ba1\u7406\u8f6f\u4ef6\u53ef\u4ee5\u5728 http://downloads.linux.hpe.com/SDR/repo/mcp/Debian/pool/non-free/ \u4e0b\u8f7d\uff0c\u5b89\u88c5 ssacli \u8f6f\u4ef6\u5305\u3002\u76f8\u5173\u4f7f\u7528\u65b9\u6cd5\u53ef\u4ee5\u53c2\u8003 https://sleeplessbeastie.eu/2017/03/06/how-to-use-hp-command-line-array-configuration-utility/\u3002

    "},{"location":"services/discontinued/","title":"Discontinued Services","text":"

    \u672c\u9875\u9762\u8bb0\u8f7d\u66fe\u7ecf\u63d0\u4f9b\u7684\u670d\u52a1\uff0c\u4f46\u662f\u7531\u4e8e\u67b6\u6784\u6539\u53d8\u6216\u670d\u52a1\u8fc1\u79fb\uff0c\u8fd9\u4e9b\u670d\u52a1\u4e0d\u518d\u4ee5\u539f\u6765\u7684\u5f62\u5f0f\u63d0\u4f9b\uff0c\u5e76\u53ef\u80fd\u5728\u539f\u5904\u6709\u6b8b\u7559\u7684\u914d\u7f6e\u6587\u4ef6\u3002

    \u901a\u5e38\u60c5\u51b5\u4e0b\u6b8b\u7559\u7684\u914d\u7f6e\u6587\u4ef6\u53ef\u4ee5\u76f4\u63a5\u5220\u9664\uff0c\u4f46\u662f\u4fdd\u9669\u8d77\u89c1\uff0c\u4ecd\u7136\u5efa\u8bae\u5728 Internals \u7fa4\u91cc\u5148\u8be2\u95ee\u4e00\u4e0b\u518d\u5904\u7406\u3002

    "},{"location":"services/discontinued/#docker-registry","title":"Docker Registry","text":"

    \u66fe\u7ecf\u8fd0\u884c\u5728 docker2 \u4e0a\uff0c\u73b0\u5728 LUG \u7684 Docker \u955c\u50cf\u5df2\u8f6c\u79fb\u81f3 Docker Hub\u3002

    "},{"location":"services/discontinued/#freeshell","title":"Freeshell","text":"

    \uff08\u672a\u5b8c\u5f85\u7eed\uff0c\u914d\u7f6e\u6587\u4ef6\u5148\u4fdd\u7559\uff09

    "},{"location":"services/discontinued/#ustc-blog","title":"USTC Blog","text":"

    Refer to Gitlab Wiki.

    "},{"location":"services/discontinued/#telegram-web","title":"Telegram Web","text":"

    Service\uff1atelegram.ustclug.org

    Repository\uff1agithub.com/ustclug/telegram-web

    DockerHub\uff1austclug/telegram-web

    Deployment\uff1atelegram-web.sh

    Servers\uff1a

    Blog\uff1aadd-telegram-web-service

    "},{"location":"services/discontinued/#ustc-life","title":"USTC Life","text":"

    USTC Life is a navigation page, which included useful sites in USTC.

    2020-04-09 \u66f4\u65b0\u4fe1\u606f

    \u76ee\u524d\uff0cUSTC Life \u670d\u52a1\u6258\u7ba1\u5728 GitHub Pages \u4e0a\u3002\u4ee5\u4e0b\u5185\u5bb9\u4ec5\u4e3a\u5386\u53f2\u8bb0\u5f55\u3002

    service: ustc.life

    Git Repository: github.com/ustclug/ustclife

    DockerHub: ustclug/ustclife

    server: docker2.s.ustclug.org

    deploy: /srv/webhook/ustclife.sh

    webhook from DockerHub: /srv/webhook/hooks.json

    "},{"location":"services/docker2/","title":"Docker services","text":"

    Server: docker2.s.ustclug.org

    Provides Docker container environment for other services. All non-system services should be run as Docker containers on this host.

    Methods to run individual containers are maintained in the ustclug/docker-run-script repository.

    "},{"location":"services/docker2/#special-configurations","title":"Special configurations","text":""},{"location":"services/docker2/#network-interfaces","title":"Network interfaces","text":"

    We use udev rules to assign consistent names to network interfaces, identified by their MAC addresses.

    /etc/udev/rules.d/70-persistent-net.rules
    SUBSYSTEM==\"net\", ACTION==\"add\", DRIVERS==\"?*\", ATTR{address}==\"00:50:56:9f:00:22\", NAME=\"Telecom\"\nSUBSYSTEM==\"net\", ACTION==\"add\", DRIVERS==\"?*\", ATTR{address}==\"00:50:56:9f:00:5b\", NAME=\"Mobile\"\nSUBSYSTEM==\"net\", ACTION==\"add\", DRIVERS==\"?*\", ATTR{address}==\"00:50:56:9f:00:5d\", NAME=\"ustclug\"\n

    We then refer to these interfaces using their new names in /etc/network/interfaces to ensure consistent network configuration.

    2022 \u5e74 2 \u6708 21 \u65e5\u66f4\u65b0

    \u4eca\u65e5\u53d1\u73b0 docker2 \u65e0\u6cd5\u8fde\u63a5\u5bb9\u5668\u7f51\u7edc\uff0810.254.1.0/21\uff09\uff0c\u8c03\u8bd5\u540e\u53d1\u73b0\u4e3a Linux macvlan \u7f51\u7edc\u7279\u6027\uff08Stack Overflow\uff09\u3002\u4e3a\u4e86\u4fee\u590d\u8fde\u63a5\u95ee\u9898\uff0c\u8fdb\u884c\u4e86\u4ee5\u4e0b\u4fee\u6539\uff1a

    1. \u5c06 /etc/udev/rules.d/70-persistent-net.rules \u4e2d Policy \u66f4\u540d\u4e3a ustclug\uff1b
    2. \u5728 /etc/network/interfaces \u4e2d\u8bbe\u7f6e Policy \u548c ustclug \u4e24\u4e2a interface \u7684\u76f8\u5173\u914d\u7f6e\u5982\u4e0b\uff1a

      auto Policy\niface Policy inet static\n    address 10.254.0.16/21\n    pre-up ip link add $IFACE link ustclug type macvlan mode bridge\n    post-down ip link del $IFACE\n\nauto ustclug\niface ustclug inet manual\n
    "},{"location":"services/docker2/#docker-daemon-service","title":"Docker daemon service","text":"

    docker2 \u4e0a\u9762\u7684 Docker \u4f7f\u7528 macvlan \u6765\u5c06\u865a\u62df\u673a\u63a5\u5165 lugi \u5185\u7f51\uff0c\u56e0\u6b64\u5c06 macvlan \u7684\u4e3b\u7aef\u53e3 Policy \u914d\u7f6e\u4e3a docker.service \u7684\u5f3a\u4f9d\u8d56\u3002

    systemctl edit docker.service
    [Unit]\nBindsTo=sys-subsystem-net-devices-Policy.device\nAfter=sys-subsystem-net-devices-Policy.device\n

    \u5b9e\u9645\u4e0a After=network-online.target \u5c31\u591f\u4e86\uff0c\u4f46\u662f\u51fa\u4e8e\u5386\u53f2\u539f\u56e0\u4f7f\u7528\u4e86 BindsTo \u5f3a\u4f9d\u8d56\u5185\u7f51\u7aef\u53e3\uff0c\u8fd9\u662f\u56e0\u4e3a docker2 \u66fe\u7ecf\u5355\u72ec\u8fd0\u884c tinc \u63a5\u5165\u5185\u7f51\uff0c\u800c tinc \u7684\u7aef\u53e3\u53ea\u5728 tinc \u542f\u52a8\u540e\u624d\u4f1a\u51fa\u73b0\uff08\u624d\u80fd\u5206\u51fa macvlan \u5b50\u7aef\u53e3\uff09\uff0c\u56e0\u6b64\u4f7f\u7528 BindsTo \u4fdd\u8bc1 docker \u968f\u8be5\u7aef\u53e3\u7684\u51fa\u73b0\u548c\u6d88\u5931\u800c\u542f\u52a8/\u505c\u6b62\u3002

    2022 \u5e74 1 \u6708 15 \u65e5\u4ee5\u540e docker2 \u4e0e\u5176\u4ed6\u865a\u62df\u673a\u4e00\u6837\u901a\u8fc7 gateway-nic \u6865\u63a5\u7684 tinc \u63a5\u5165\u5185\u7f51\uff0c\u4e0d\u518d\u5355\u72ec\u8fd0\u884c tinc\u3002

    "},{"location":"services/docker2/#opensuse-guide-qtguide","title":"opensuse-guide \u4e0e qtguide \u6bcf\u65e5\u66f4\u65b0","text":"

    \u7531\u4e8e\u6ca1\u6709\u8bbe\u7f6e webhook\uff0c\u76ee\u524d\u914d\u7f6e\u4e86 systemd timer\uff0c\u6267\u884c /srv/docker/guide \u4e2d\u7684\u811a\u672c\uff0c\u4ee5\u5206\u522b\u5728\u6bcf\u65e5\u665a\u4e0a 23:15 \u548c 23:30 \u66f4\u65b0 opensuse-guide \u548c qtguide \u4e24\u4e2a\u5bb9\u5668\u7684 image \u5e76\u91cd\u542f\u5bb9\u5668\u3002

    \u8be6\u7ec6\u7684\u914d\u7f6e\u6587\u4ef6\u53ef\u67e5\u770b docker-run-script \u4e2d\u7684 opensuse-guide \u548c qtguide \u4e24\u4e2a\u6587\u4ef6\u5939\u3002

    "},{"location":"services/docker2/#workflows-troubleshooting","title":"Workflows & Troubleshooting","text":""},{"location":"services/docker2/#docker-pingd","title":"Docker \"pingd\"","text":"

    \u66f4\u65b0

    \u95ee\u9898\u5df2\u7ecf\u67e5\u660e\u4e3a Debian \u7684 Linux \u5185\u6838 bug (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=952660)\uff0c\u5df2\u7ecf\u901a\u8fc7\u66f4\u65b0\u5185\u6838\u5e76\u91cd\u542f\u800c\u89e3\u51b3\u3002\u4ee5\u4e0b\u5185\u5bb9\u4ec5\u4f5c\u5b58\u6863\u3002

    \u51fa\u4e8e\u672a\u77e5\u539f\u56e0\u6709\u65f6\u5019\u5916\u90e8\u4e3b\u673a\u4f1a\u65e0\u6cd5\u4e3b\u52a8\u8fde\u901a Docker \u5bb9\u5668\uff08\u53ef\u80fd\u4e0e ARP \u6709\u5173\uff09\uff0c\u4f46\u662f\u5982\u679c\u67d0\u4e2a\u5bb9\u5668\u5148 ping \u4e86\u4e00\u4e0b\u5916\u90e8\u4e3b\u673a\uff0c\u5c31\u80fd\u53cc\u5411\u8fde\u901a\u4e86\u3002

    \u7531\u4e8e\u6211\u4eec\u6682\u672a\u627e\u5230\u6b63\u5e38\u7684\u89e3\u51b3\u65b9\u6848\uff0c\u56e0\u6b64\u4f7f\u7528 \u201cping daemon\u201d \u4f5c\u4e3a\u4e00\u4e2a workaround\uff0c\u5728\u5bb9\u5668\u4e2d\u8fd0\u884c ping \u4fdd\u6301\u5916\u90e8\u4e3b\u673a\u7684\u8fde\u901a\u6027\u3002

    docker-pingd@.service
    [Unit]\nDescription=Docker pingd service %I\nDocumentation=man:ping(8)\nAfter=network.target\nStartLimitIntervalSec=0\n\n[Service]\nType=simple\nUser=root\nGroup=root\nExecStart=/bin/sh -c 'IVAR=\"%i\"; exec /usr/bin/docker exec \"$${IVAR%:*}\" ping -q -s 32 \"$${IVAR#*:}\"'\nExecStop=/bin/kill -s INT $MAINPID\nRestart=on-failure\nRestartSec=3\n\n[Install]\nWantedBy=multi-user.target\nAlias=docker-ping@.service\n

    \u4f7f\u7528\u65b9\u5f0f\uff1asystemctl enable docker-pingd@container:host.service\uff0ccontainer \u6362\u6210\u5bb9\u5668\u540d\uff0chost \u6362\u6210 ping \u7684\u76ee\u6807\u3002

    Trick \u4ecb\u7ecd\uff1aSystemd service \u914d\u7f6e\u6682\u4e0d\u652f\u6301\u591a\u4e2a\u6a21\u677f\u53c2\u6570 %i\uff0c\u56e0\u6b64\u8c03\u7528 shell \u6765\u89e3\u6790\u53c2\u6570\u3002Ref: https://github.com/systemd/systemd/issues/14895#issuecomment-612270690

    "},{"location":"services/docker2/#wordpress","title":"WordPress \u5347\u7ea7","text":"

    taoky

    \u5f88\u9ebb\u70e6\uff0c\u5efa\u8bae lug \u4ee5\u540e\u518d\u4e5f\u522b\u7528\uff08\u522b\u5f00\u65b0\u7684\uff09wordpress \u4e86\u3002

    servers \u4e0e\u65e7 planet \u4f7f\u7528 WordPress\uff0c\u6258\u7ba1\u5728 docker2 \u4e0a\u3002\u56e0\u4e3a docker2 \u73b0\u5728\u78c1\u76d8 IO \u5f88\u6162\uff0c\u6240\u4ee5\u53ef\u80fd\u4f1a\u51fa\u73b0\u4e00\u4e9b\u989d\u5916\u7684\u95ee\u9898\u3002

    \u63a8\u8350\u4f7f\u7528 https://wp-cli.org/#installing\u3002\u547d\u4ee4\uff1a

    chmod +x wp-cli.phar\nmv wp-cli.phar /usr/local/bin/wp\ncd /var/www/public/\nsudo -u www-data -- wp core update --version=5.8.1 /tmp/wordpress-5.8.1.zip\n

    \u5bb9\u5668\u91cc sudo \u8981\u624b\u52a8\u88c5\u3002

    \u4ee5\u4e0b\u5185\u5bb9\u4ec5\u4f9b\u53c2\u8003\u3002

    \u5c1d\u8bd5\u5347\u7ea7\u65f6\u5982\u679c\u672a\u51fa\u73b0\u5347\u7ea7\u63d0\u793a\uff0c\u53ef\u4ee5\u4fee\u6539\uff1a

    \u5982\u679c\u51fa\u73b0\u300c\u53e6\u4e00\u66f4\u65b0\u6b63\u5728\u8fd0\u884c\u300d\uff0c\u4e14\u786e\u8ba4\u4e0d\u5728\u66f4\u65b0\uff0c\u53ef\u4ee5\u5728\u6570\u636e\u5e93\u7684 wordpress \u8868\u4e2d\u6267\u884c\uff1a

    DELETE FROM wp_options WHERE option_name = 'core_updater.lock';\n
    "},{"location":"services/docker2/#docker","title":"\u770b\u8d77\u6765\u6b63\u5728\u8fd0\u884c\u4f46\u662f\u6ca1\u6709\u8fdb\u7a0b\u7684 Docker \u5bb9\u5668","text":"

    2021/10/25 \u53d1\u73b0\u67d0\u5bb9\u5668\u663e\u793a\u6b63\u5728\u8fd0\u884c\uff0c\u4f46\u662f\u5b9e\u9645\u6ca1\u6709\u8fdb\u7a0b\u3002\u540e\u53d1\u73b0\u4e3a Docker \u7684 bug\uff0c\u5728\u5bb9\u5668\u8fdb\u7a0b\u88ab cgroups \u5e72\u6389\u4e4b\u540e\u53ef\u80fd\u4f1a\u51fa\u73b0\u6b64\u60c5\u51b5\u3002

    \u5bf9\u5e94 issue\uff1ahttps://github.com/moby/moby/issues/38501

    \u89e3\u51b3\u65b9\u6cd5\uff1a\u5c06\u5bb9\u5668 ID \u5bf9\u5e94\u7684 containerd-shim \u6740\u6b7b\u5373\u53ef\u8ba9 Docker \u66f4\u65b0\u5176\u72b6\u6001\u4e3a\u5df2\u505c\u6b62\uff0c\u7136\u540e\u91cd\u65b0\u5f00\u542f\u5373\u53ef\u3002

    "},{"location":"services/documentations/","title":"LUG \u6587\u6863","text":""},{"location":"services/ftp/","title":"LUG FTP","text":"

    Services: FTP/FTPS, SFTP, HTTP, HTTPS, AFP

    Git repository: ustclug/lugftp

    Docker Hub: ustclug/ftp

    Server: vdp.s.ustclug.org (management ssh port 2222)

    Theme: h5ai

    Deploy: ftp.sh

    "},{"location":"services/ftp/#notes","title":"Notes","text":"
    1. SSL cert is required when running LUG FTP.
    2. ssh-keygen -A is required to be manually run when initializing.
    3. About directory permission:
      1. It is strongly suggested to keep permission & owner metadata when backing up/restoring.
      2. Public folder root: set owner root:root and permission 0755.
      3. Subfolders: set owner to 1000:1000. _h5ai and wp-content needs to be set to a different owner (misconfigured?). And Incoming shall be set to 0775.
    4. Do not use Google DNS in host, as China Mobile network may drop UDP packets to 8.8.8.8. A misconfigured DNS may lead to LDAP in container broken.
    5. Port 22 is delegated to the LUG FTP container for SFTP, and SSH access to the host has been reassigned to port 2222.
    "},{"location":"services/gateway-el/","title":"Gateway: East Campus Library (gateway-el)","text":"

    Todo

    Currently systemctl restart networking is required after a reboot to set up tunnel. This bug should be fixed.

    "},{"location":"services/gateway-el/#configurations","title":"Configurations","text":""},{"location":"services/gateway-el/#ip-virtual-server","title":"IP Virtual Server","text":"

    gateway-el uses IPVS to send requests from one port to other machines directly. IPVS is a Linux kernel feature. Use ipvsadm -Ln to get its status.

    "},{"location":"services/gateway-el/#tunnelmonitor","title":"tunnelmonitor","text":"

    The tunnels used by gateway-el is mainly maintained by tunnelmonitor. Its config files are in /etc/tunnelmonitor, service is tunnelmonitor.service, and log is /var/log/tunnel_monitor.log.

    When starting, netfilter-persistent.service should be run before tunnelmonitor. tunnelmonitor generates new mangle chains when starting, and pings all tunnels periodically and selects all available tunnels, and generates statistc rules.

    You check check /var/log/tunnel_monitor.log to see if one tunnel has been down. Currently (2021/09), only one tunnel is available among all tunnel settings in /etc/tunnelmonitor/tunnel.ini.

    "},{"location":"services/gateway-el/#iptables-mangle-rt_tables-and-ip-rule","title":"iptables mangle, rt_tables and ip rule","text":"

    The following example is for demonstration purposes only.

    You can get current status by iptables -t mangle -S. It is expected to see something like this:

    -A DemonstrateManglePrerouting -m statistic --mode nth --every 1 --packet 0 -j MARK --set-xmark 0x12345/0xffffffff\n// ...\n-A PREOUT -m mark --mark 0x0 -j DemonstrateManglePrerouting\n

    In this case, all packages to DemonstrateManglePrerouting chain will get fwmark 0x12345 (= 74565).

    Check ip rule for that:

    // ...\n10: from all fwmark 0x12345 lookup ExtraDemoTunnel\n// ...\n

    You can get tunnel information in ip a:

    29: ExtraDemoTunnel: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000\n    link/none\n    inet 192.168.252.17 peer 192.168.253.17/32 brd 192.168.252.17 scope global ExtraDemoTunnel\n       valid_lft forever preferred_lft forever\n

    Here 192.168.252.17 is the local server of tunnel, and 192.168.253.17 is the remote server.

    Let's check /etc/network/interfaces.d:

    /etc/network/interfaces.d/03ExtraDemoTunnel
    auto ExtraDemoTunnel\niface ExtraDemoTunnel inet static\n    address 192.168.252.17\n    netmask 255.255.255.255\n    pre-up ip link add dev $IFACE type wireguard\n    post-down ip link del dev $IFACE\n    up wg set $IFACE listen-port 4601 private-key /etc/wireguard/privkey peer pkeypkeypkeypkeypkeypkeypkeypkeypkeypkeypkey endpoint 23.3.3.3:4600 allowed-ips 0.0.0.0/0\n    up ip route replace default dev $IFACE table $IFACE\n    up ip rule add from all fwmark 74565 table $IFACE prio 10\n    pointopoint 192.168.253.17\n

    Here we know that this is a wireguard tunnel, and the endpoint is 23.3.3.3:4600. The fwmark here is 74565 (in decimal).

    Why is 74565 set? Let's check /etc/iproute2/rt_tables!

    // ...\n74565   ExtraDemoTunnel\n// ...\n

    For wireguard, you can use wg to check status. If you find that the \"received\" is 0 in transferred, something is going wrong.

    "},{"location":"services/gateway-el/#issues","title":"Issues & resolution","text":""},{"location":"services/gateway-el/#ipvs-conntrack","title":"IPVS Conntrack","text":"

    In early March 2022 we noticed Light connectivity issues from outside USTCnet, which was narrowed down to connections bypassing Linux Conntrack mechanism.

    Thanks to TUNA group we learned about /proc/sys/net/ipv4/vs/conntrack, which at the time the problem was located, was zero. Settings this to 1 solved the problem.

    However after writing net.ipv4.vs.conntrack = 1 to /etc/sysctl.d/10-ipvs-conntrack.conf and rebooting, the problem returned. Checking systemctl status systemd-sysctl.service we noticed this:

    Mar 05 00:00:00 gateway-el systemd-sysctl[218]: Couldn't write '0' to 'net/ipv4/vs/conntrack', ignoring: No such file or directory\n

    Adding ip_vs to /etc/modules and rebooting again correctly fixed the problem.

    This is because the module was automatically loaded the first time ipvsadm is called (namely, /etc/init.d/ipvsadm), which happened at a very late stage. Adding to /etc/modules gets the module loaded earlier (and before systemd-sysctl.service) so it worked.

    "},{"location":"services/gateway-el/#tinc-issue","title":"Tinc issue","text":"

    See gateway

    "},{"location":"services/gateway-jp/","title":"Gateway: Japan (gateway-jp)","text":"

    This page is currently a stub.

    "},{"location":"services/gateway-nic/","title":"Gateway: Network Information Center (gateway-nic)","text":"

    Previously gateway-nic used CentOS 7 to 8 to Stream, to \"avoid putting all eggs in one basket\". This VM was replaced by a newly setup Debian Bullseye VM on January 2022 during migration from ESXi to Proxmox VE.

    The virtual disk of the old gateway-nic was copied onto pve-5, located at ZFS Zvol rpool/data/gateway-nic. The current VM uses rpool/data/vm-200-disk-0 instead (Proxmox naming convention).

    "},{"location":"services/gateway-nic/#config-file-management","title":"Config file management","text":"

    Git repositories exist for these directories:

    /etc/nginx\n/etc/systemd/network\n/etc/tinc\n
    "},{"location":"services/gateway-nic/#networking","title":"Networking","text":"

    We use systemd-networkd to configure network on gateway-nic. This replaces both ifupdown (config file /etc/network/interfaces)

    $ systemctl edit systemd-networkd.service
    [Service]\nExecStartPre=-/sbin/ip -4 rule flush\nExecStartPre=-/sbin/ip -6 rule flush\n\n[Install]\nAlias=networkd.service\n

    The ExecStartPre= commands flush (clear) existing rules so that systemd-networkd can fully manage all rules. This is because ManageForeignRoutingPolicyRules is a new setting in systemd 249, while Debian Bullseye uses systemd 247, so we have to do this manually.

    We then load the regular \"main\" and \"default\" rules on the loopback interface (routing rules aren't bound to interfaces, but are added/removed when the configured interface is brought up/turned down).

    /etc/systemd/network/00-lo.network
    [Match]\nName=lo\n\n# Route \"main\"\n[RoutingPolicyRule]\nFamily=both\nTable=254\nPriority=2\nSuppressPrefixLength=1\n\n# Route \"Special\"\n[RoutingPolicyRule]\nFamily=both\nTable=1000\nPriority=5\nSuppressPrefixLength=1\n\n# Route \"default\"\n[RoutingPolicyRule]\nFamily=both\nTable=253\nPriority=32767\n
    "},{"location":"services/gateway-nic/#interfaces","title":"Interfaces","text":"

    Systemd-networkd has built-in capability to rename interfaces, so there's no need to use udev rules.

    For example, to assign a name for the cernet interface, we use:

    /etc/systemd/network/12-Cernet.link
    [Match]\nPermanentMACAddress=00:50:56:a2:02:8c\n\n[Link]\nName=Cernet\n

    We then configure addresses and routing rules for this interface:

    /etc/systemd/network/12-Cernet.network
    [Match]\nName=Cernet\n\n[Network]\nAddress=202.38.95.102/25\nAddress=2001:da8:d800:95::102/64\nIPv6AcceptRA=no\n\n[Route]\nGateway=202.38.95.126\nTable=253\nMetric=2\n\n[Route]\nGateway=2001:da8:d800:95::1\nTable=253\nMetric=2\n\n[Route]\nGateway=202.38.95.126\nTable=1002\n\n[Route]\nGateway=2001:da8:d800:95::1\nTable=1002\n\n[RoutingPolicyRule]\nFrom=202.38.95.102\nTable=1002\nPriority=3\n\n[RoutingPolicyRule]\nFrom=2001:da8:d800:95::102\nTable=1002\nPriority=3\n\n[RoutingPolicyRule]\nFamily=both\nOutgoingInterface=Cernet\nTable=1002\nPriority=3\n\n[RoutingPolicyRule]\nFamily=both\nFirewallMark=0x2\nTable=1002\nPriority=4\n

    This config file assigns one IPv4 and one IPv6 address to the interface, as well as one IPv4 route and one IPv6 route for both the default routing table and an interface-specific routing table. It then adds three routing rules in both IPv4 and IPv6 for replying on the same interface, for sockets bound to this interfaces, and for firewall mark routing.

    Other interfaces are configured similarly, so just refer to their configuration files for details.

    "},{"location":"services/gateway-nic/#routes","title":"Routes","text":"

    Outgoing connections are routed through different ISPs. We use ISP IP data from gaoyifan/china-operator-ip. Relevant files are located under /usr/local/network_config.

    The said repository (branch ip-lists) is cloned and we symlink select files to iplist directory for consumption. A custom script converts these IP data into additional systemd-networkd config files (under /run/systemd).

    $ ls -l /usr/local/network_config/iplist/
    lrwxrwxrwx cernet.txt -> ../china-operator-ip/cernet.txt\nlrwxrwxrwx cernet6.txt -> ../china-operator-ip/cernet6.txt\nlrwxrwxrwx china.txt -> ../china-operator-ip/china.txt\nlrwxrwxrwx china6.txt -> ../china-operator-ip/china6.txt\nlrwxrwxrwx cstnet.txt -> ../china-operator-ip/cstnet.txt\nlrwxrwxrwx cstnet6.txt -> ../china-operator-ip/cstnet6.txt\nlrwxrwxrwx mobile.txt -> ../china-operator-ip/cmcc.txt\nlrwxrwxrwx telecom.txt -> ../china-operator-ip/chinanet.txt\nlrwxrwxrwx unicom.txt -> ../china-operator-ip/unicom.txt\n-rw-r--r-- ustcnet.txt\n-rw-r--r-- ustcnet6.txt\n
    /usr/local/network_config/route-all.sh
    #!/bin/bash\n\n[ -n \"$BASH_VERSION\" ] || exit 1\n\nWD=\"$(dirname \"$0\")\"\nROOT_IP_LIST=\"$WD/iplist\"\nROOT_CONF=/etc/systemd/network\nROOT_RT=/run/systemd/network\n\ngen_route() {\n  local DEVFILE=\"$1\"\n  local DEV=\"$(awk -F = '/^Name=/{print $2; exit}' \"$ROOT_CONF/$DEVFILE.network\")\"\n  local GW=\"$2\" FAMILY=ipv4 V6\n  if [[ \"$GW\" =~ : ]]; then\n    FAMILY=ipv6\n    V6=\"-v6\"\n  fi\n  # Convert table to number\n  local TABLENAME=\"$3\"\n  local TABLE=\"$(awk 'substr($0, 1, 1) != \"#\" && $2 == \"'\"$TABLENAME\"'\" { print $1 }' /etc/iproute2/rt_tables | head -1)\"\n  local PRIORITY=\"$4\"\n  shift 4\n\n  F=\"$ROOT_RT/$DEVFILE.network.d\"\n  mkdir -p \"$F\"\n  F=\"$F/route-${TABLENAME,,}${V6}.conf\"\n  echo -e \"[RoutingPolicyRule]\\nFamily=$FAMILY\\nTable=$TABLE\\nPriority=$PRIORITY\\n\" > \"$F\"\n\n  awk '{ print \"[Route]\\nDestination=\" $1 \"\\nGateway='\"$GW\"'\\nTable='\"$TABLE\"'\\n\" }' \"${@/#/$ROOT_IP_LIST/}\" >> \"$F\"\n}\n\ngen_route 12-Cernet 202.38.95.126 ustcnet 5 ustcnet.txt\ngen_route 12-Cernet 2001:da8:d800:95::1 ustcnet 5 ustcnet6.txt\ngen_route 12-Cernet 202.38.95.126 cernet 6 cernet.txt cstnet.txt\ngen_route 12-Cernet 2001:da8:d800:95::1 cernet 6 cernet6.txt cstnet6.txt\ngen_route 13-Telecom 202.141.160.126 telecom 6 telecom.txt unicom.txt\ngen_route 14-Mobile 202.141.176.126 mobile 6 mobile.txt\ngen_route 12-Cernet 202.38.95.126 china 7 china.txt\ngen_route 12-Cernet 2001:da8:d800:95::1 china 7 china6.txt\n

    We then use a systemd service to ensure additional files for systemd-networkd are generated before it starts.

    /etc/systemd/system/route-all.service
    [Unit]\nDescription=Generate routes for systemd-networkd\nBefore=systemd-networkd.service\n\n[Service]\nType=oneshot\nExecStart=/bin/bash /usr/local/network_config/route-all.sh\n#ExecStart=/usr/local/network_config/special.rb\nRemainAfterExit=true\n\n[Install]\nWantedBy=network.target systemd-networkd.service\n

    Updating routes from upstream is easy:

    /usr/local/network_config/update.sh
    #!/bin/sh\n\ncd \"$(dirname \"$0\")\"\n\ngit -C china-operator-ip pull\nsystemctl restart route-all.service\n

    The resulting routing policies look like this:

    $ ip rule
    0:      from all lookup local\n2:      from all lookup main suppress_prefixlength 1\n3:      from 172.16.0.2 lookup Warp\n3:      from all oif Warp lookup Warp\n3:      from 202.141.176.102 lookup Mobile\n3:      from all oif Mobile lookup Mobile\n3:      from 202.141.160.102 lookup Telecom\n3:      from all oif Telecom lookup Telecom\n3:      from 202.38.95.102 lookup Cernet\n3:      from all oif Cernet lookup Cernet\n4:      from all fwmark 0x5 lookup Warp\n4:      from all fwmark 0x4 lookup Mobile\n4:      from all fwmark 0x3 lookup Telecom\n4:      from all fwmark 0x2 lookup Cernet\n5:      from all lookup Special suppress_prefixlength 1\n5:      from all lookup Ustcnet\n6:      from all lookup mobile\n6:      from all lookup telecom\n6:      from all lookup cernet\n7:      from all lookup china\n32767:  from all lookup default\n
    "},{"location":"services/gateway-nic/#tinc-vpn","title":"Tinc VPN","text":"

    Gateway-NIC connects to intranet with Tinc. There's no special Tinc configuration other than those described at the Tinc VPN page.

    Because Tinc now uses systemd services instead of System V init.d scripts, we need to systemctl enable tinc@ustclug.service to make it start on boot. Everything is managed through this templated systemd service.

    "},{"location":"services/gateway-nic/#systemd-networkd-wait-onlineservice","title":"systemd-networkd-wait-online.service","text":"

    We also override systemd-networkd's online detection for goodness' sake, so it doesn't block booting. Note that it may interfere with services depending on network-online.target, though we have yet to discover any issues.

    $ systemctl edit systemd-networkd-wait-online.service
    [Service]\nExecStart=\nExecStart=/bin/sleep 1\n
    "},{"location":"services/gateway-nic/#iptables","title":"iptables","text":"

    All iptables firewall rules are managed manually. We use iptables-persistent to automatically load firewall rules on boot.

    To change the rules, manually edit /root/iptables/rules.v4 or rules.v6 and then run apply.sh to apply the changes.

    "},{"location":"services/gateway-nic/#fail2ban","title":"Fail2ban","text":"

    We use fail2ban to stop SSH scanning and brute-force attempts.

    Because fail2ban relies on changing iptables to work, to improve its performance as well as minimize its tampering of iptables rules, we use ipsets for fail2ban.

    After stock installation of fail2ban package, remove defaults-debian.conf and add this file to secure SSH daemon:

    /etc/fail2ban/jail.d/sshd.conf
    [sshd]\nenabled = true\nmode    = aggressive\nfilter  = sshd[mode=%(mode)s]\nlogpath = /var/log/auth.log\nbackend = pyinotify\naction  = iptables-ipset-proto6[chain=\"fail2ban\"]\n

    We provide a pre-created empty chain named fail2ban for fail2ban to manipulate (see iptables above).

    To make sure fail2ban rules can be re-applied after reloading iptables manually, we override the systemd service so that fail2ban is restarted whenever the iptables service is restarted.

    $ systemctl edit fail2ban.service
    [Unit]\nAfter=netfilter-persistent.service\nBindsTo=netfilter-persistent.service\n

    For some servers where we want to manually start fail2ban, we use Requires= + PartOf=. This will propagate \"restart\" event from iptables to fail2ban, but not \"start\".

    $ systemctl edit fail2ban.service
    [Unit]\nAfter=netfilter-persistent.service\nRequires=netfilter-persistent.service\nPartOf=netfilter-persistent.service\n
    "},{"location":"services/generate-204/","title":"Generate 204","text":"

    Service: 204.ustclug.org (HTTP / HTTPS)

    Server: (gateway)

    Blog: add-http-204-service

    "},{"location":"services/generate-204/#configration","title":"Configration","text":"/etc/nginx/sites-available/204.ustclug.org
    server {\n    listen      80;\n    listen      [::]:80;\n    listen      443 ssl http2;\n    listen      [::]:443 ssl http2;\n    server_name 204.ustclug.org;\n    access_log  /var/log/nginx/204_access.log;\n    error_log   /var/log/nginx/204_error.log;\n    return 204;\n}\n

    The authoritative copy is on LUG GitLab.

    "},{"location":"services/gitlab/","title":"GitLab","text":"

    Server: gitlab.s.ustclug.org (management ssh port 2222)

    Git Repository: gitlab-scripts

    "},{"location":"services/gitlab/#gitlab-security","title":"GitLab & Security","text":"

    GitLab \u7ef4\u62a4\u8005\u9700\u8981\u8ba2\u9605\uff1a

    1. GitLab Security Notices \u90ae\u4ef6\u5217\u8868 (https://about.gitlab.com/company/contact/ \u53f3\u4fa7 \"Sign up for security notices\")
    2. sameersbn/docker-gitlab Releases (Watch \u2192 Custom \u2192 Releases)

    \u5728 GitLab \u6709 Security Release \u4e14 docker-gitlab \u53d1\u5e03\u65b0\u7248\u672c\u4e4b\u540e\u9700\u8981\u5b89\u6392\u65f6\u95f4\u66f4\u65b0\u3002\u5c24\u5176 Critical Security Release \u9700\u8981\u5c3d\u5feb\u627e\u65f6\u95f4\u66f4\u65b0\u3002

    "},{"location":"services/gitlab/#_1","title":"\u66f4\u65b0","text":"

    \uff08\u5efa\u8bae\u9605\u8bfb https://docs.gitlab.com/ee/update/index.html\uff09

    \u7531\u4e8e\u5df2\u7ecf docker \u5316\uff0c\u56e0\u6b64\u6211\u4eec\u7684\u66f4\u65b0\u662f\u901a\u8fc7\u62c9\u53d6 sameersbn/docker-gitlab \u7684 docker image\uff0c\u8fdb\u884c\u6570\u636e\u5e93\u51c6\u5907\u4ee5\u53ca\u542f\u52a8\u955c\u50cf\u5b9e\u4f8b\u6765\u8fdb\u884c\u66f4\u65b0\uff0cZack Zeng \u5b66\u957f\u5df2\u7ecf\u5199\u597d\u4e86\u4e00\u5957\u811a\u672c\u7cfb\u7edf\uff1agitlab-scripts\uff0c\u56e0\u6b64\u66f4\u65b0\u65f6\u53ea\u8981\u8dd1\u811a\u672c\u5c31\u53ef\u4ee5\u4e86\u3002

    \u7531\u4e8e\u66f4\u65b0\u9700\u8981\u505c\u6b62\u670d\u52a1\uff0c\u56e0\u6b64\u8bf7\u4e8e\u66f4\u65b0\u524d\u81f3\u5c11\u51e0\u5c0f\u65f6\u53d1\u5e03\u66f4\u65b0\u516c\u544a\uff08\u5305\u62ec\u5177\u4f53\u65f6\u95f4\u7b49\uff09\uff0c\u5e76\u68c0\u67e5 Admin -> Monitoring -> Background Migrations \u4e2d\u6240\u6709 migration \u662f\u5426\u90fd\u5df2\u7ecf\u6210\u529f\u5b8c\u6210\u3002

    \u66f4\u65b0\u524d\u8bf7\u5148\u63d0\u524d\u4e8e Proxmox VE \u4e0a\u5bf9\u865a\u62df\u673a\u6253\u5feb\u7167\uff08\u6253\u5feb\u7167\u65f6\u670d\u52a1\u4f1a\u6682\u65f6\u505c\u6b62\uff09

    \u6253\u5b8c\u5feb\u7167\u4e4b\u540e\u4f7f\u7528\u811a\u672c\u8fdb\u884c\u66f4\u65b0\uff08\u76ee\u524d\u811a\u672c\u4f4d\u4e8e /home/sirius/gitlab-scripts\uff09\uff0c\u9996\u5148\u4f7f\u7528 ./gitlab.sh db \u8fdb\u884c\u6570\u636e\u5e93\u7684\u51c6\u5907\u5de5\u4f5c\u3002\u4e4b\u540e\u53ef\u4ee5\u901a\u8fc7 ./gitlab.sh run <\u7248\u672c\u53f7> \u6765\u8fdb\u884c docker container \u7684\u66ff\u6362\u3002\u66f4\u6362\u524d\u811a\u672c\u4f1a\u81ea\u52a8\u62c9\u53d6\u76f8\u5e94\u7248\u672c\u53f7\u7684 docker \u955c\u50cf\uff0c\u5982\u679c\u62c5\u5fc3\u62c9\u53d6\u65f6\u95f4\u8fc7\u957f\u53ef\u4ee5\u5728\u6253\u5feb\u7167\u524d\u63d0\u524d\u901a\u8fc7 docker pull sameersbn/gitlab:<\u7248\u672c\u53f7> \u6765\u62c9\u53d6\u76f8\u5e94\u7684\u955c\u50cf\u3002

    \u4e00\u822c\u60c5\u51b5\u4e0b\u7ecf\u4ee5\u4e0a\u64cd\u4f5c\u540e\u66f4\u65b0\u5c31\u6b63\u5e38\u7ed3\u675f\uff0c\u5982\u679c\u957f\u65f6\u95f4\u65e0\u6cd5\u542f\u52a8\uff0c\u53ef\u4ee5\u901a\u8fc7 docker logs gitlab \u67e5\u770b\u65e5\u5fd7\uff0c\u5982\u679c\u53d1\u73b0\u66f4\u65b0\u540e\u7684\u542f\u52a8\u51fa\u73b0\u95ee\u9898\uff0c\u53ef\u4ee5\u5230 sameersbn/docker-gitlab \u7684 issue \u533a\u7b49\u5730\u67e5\u770b\u76f8\u5173 issue\uff0c\u4ee5\u53ca\u901a\u8fc7\u5bf9\u51fa\u9519\u65e5\u5fd7\u8fdb\u884c Google \u53ef\u80fd\u4f1a\u53d1\u73b0\u662f gitlab \u4e0a\u6e38\u7b49\u51fa\u73b0\u7684\u95ee\u9898\u3002\u5982\u679c\u6709\u89e3\u51b3\u529e\u6cd5\uff0c\u53ef\u4ee5\u6309\u7167\u76f8\u5e94\u89e3\u51b3\u529e\u6cd5\u89e3\u51b3\uff0c\u5982\u679c\u6ca1\u6709\u3002\u53ef\u4ee5\u901a\u8fc7\u627e\u5230\u6709\u76f8\u5e94\u95ee\u9898\u524d\u7684\u6b63\u5e38\u7248\u672c\u53f7\uff0c\u56de\u6eda\u5feb\u7167\uff0c\u4e4b\u540e\u66f4\u5230\u8868\u73b0\u6b63\u5e38\u7684\u7248\u672c\u3002\uff08\u6700\u8fd1\u7684\u66f4\u65b0\u4f1a\u5728\u542f\u52a8\u4e4b\u540e\u77ed\u6682\u51fa\u73b0 502 \u7684\u60c5\u51b5\uff0c\u4f46\u5f88\u5feb\u5c31\u4f1a\u6062\u590d\uff0c\u9047\u5230\u8fd9\u79cd\u60c5\u51b5\u65f6\u4e0d\u8981\u60ca\u614c\uff09\u3002

    \u7531\u4e8e\u66f4\u65b0\u53ef\u80fd\u4f1a\u51fa\u73b0\u95ee\u9898\u5bfc\u81f4\u670d\u52a1\u4e0d\u53ef\u7528\uff0c\u56e0\u6b64\u4e0d\u5efa\u8bae\u901a\u8fc7 cron \u7b49\u65b9\u5f0f\u81ea\u52a8\u8fdb\u884c\u66f4\u65b0\u3002

    \u5efa\u8bae\u5728\u66f4\u65b0\u5b8c\u6210 72 \u5c0f\u65f6\u5185\u5220\u9664\u5feb\u7167\uff0c\u8be6\u89c1 \u5173\u4e8e\u5feb\u7167\u3002

    "},{"location":"services/gitlab/#postgresql-redis","title":"postgresql \u4e0e redis \u7684\u66f4\u65b0","text":"

    \u7531\u4e8e gitlab \u66f4\u65b0\u540e\u53ef\u80fd\u5bf9 postgresql \u4e0e redis \u7684\u7248\u672c\u6709\u8981\u6c42\uff0c\u56e0\u6b64\u6709\u53ef\u80fd\u9700\u8981\u5b9a\u671f\u66f4\u65b0 redis \u4e0e postgresql\u3002

    \u66f4\u65b0\u524d\u8bf7\u5148\u505c\u6b62 gitlab \u7684 container\u3002

    \u66f4\u65b0\u65f6\u53ef\u4ee5\u6309\u7167\u5b98\u7f51\u6559\u7a0b docker-postgresql \u8fdb\u884c\u66f4\u65b0\uff0c\u53ef\u4ee5\u901a\u8fc7\u62c9\u53d6 latest \u6807\u7b7e\u7684\u955c\u50cf\uff0c\u5220\u9664\u539f\u6765\u7684 container\uff0c\u518d\u901a\u8fc7\u811a\u672c ./gitlab.sh db \u81ea\u52a8\u542f\u52a8\uff0c\u6570\u636e\u5e93\u66f4\u65b0\u65f6\u53ef\u80fd\u4f1a\u9700\u8981\u4e00\u5b9a\u65f6\u95f4\u6765\u8fc1\u79fb\u6570\u636e\uff0c\u8bf7\u901a\u8fc7 docker logs -f gitlab-postgresql \u547d\u4ee4\u6765\u67e5\u770b\u8fc1\u79fb\u8fdb\u5ea6\uff0c\u5f85\u8fc1\u79fb\u5b8c\u6210\u540e\u518d\u8fd0\u884c GitLab \u7684 container\u3002

    "},{"location":"services/gitlab/#rails-console","title":"\u8bbf\u95ee Rails console","text":"

    Rails console \u53ef\u4ee5\u5b8c\u6210\u4e00\u4e9b\u9ad8\u7ea7\u7684\u7ef4\u62a4\u4efb\u52a1\u3002\u5728 gitlab \u5bb9\u5668\u4e2d\u6267\u884c bin/rails console \u542f\u52a8\u3002\u6ce8\u610f console \u7684\u542f\u52a8\u65f6\u95f4\u5f88\u957f\uff08 1 \u5206\u949f\u4ee5\u4e0a\uff09\uff0c\u9700\u8981\u6709\u8010\u5fc3\u3002

    \u53ef\u4ee5\u6267\u884c\u7684\u547d\u4ee4\u53ef\u53c2\u8003 https://docs.gitlab.com/ee/administration/troubleshooting/gitlab_rails_cheat_sheet.html\u3002

    "},{"location":"services/gitlab/#_2","title":"\u67e5\u8be2","text":""},{"location":"services/gitlab/#hashed-storage","title":"\u67e5\u8be2 Hashed storage \u4e0b\u4ed3\u5e93\u5bf9\u5e94\u7684\u9879\u76ee","text":"
    ProjectRepository.find_by(disk_path: '@hashed/23/33/2333333333333333333333333333333333333333333333333333333333333333').project\n

    \u5982\u679c\u5b58\u5728\uff0c\u4f1a\u8fd4\u56de\u7c7b\u4f3c\u4ee5\u4e0b\u7684\u5185\u5bb9\uff1a

    => #<Project id:23333 username/project>>\n
    "},{"location":"services/gitlab/#sql-like","title":"\u67e5\u8be2\u65e0\u9879\u76ee\u4e14\u90ae\u7bb1\u6ee1\u8db3\u6761\u4ef6\u7684\u7528\u6237 (SQL like)","text":"
    users = User.where('id NOT IN (select distinct(user_id) from project_authorizations)')\nusers = users.where('email like ?', '%.ru')\nusers.count\n\nusers.each do |user|\n    puts user.last_activity_on\nend\n
    "},{"location":"services/gitlab/#_3","title":"\u5237\u65b0\u67d0\u4e2a\u9879\u76ee\u7684\u7edf\u8ba1\u4fe1\u606f","text":"
    p = Project.find_by_full_path('<namespace>/<project>')\npp p.statistics\np.statistics.refresh!\npp p.statistics\n
    "},{"location":"services/gitlab/#lfs-id","title":"\u83b7\u53d6\u6240\u6709\u5305\u542b LFS \u7684\u9879\u76ee ID","text":"
    LfsObject.all.each do |lo|\n    puts LfsObjectsProject.find_by_lfs_object_id(lo.id).project_id\nend\n

    \u8f93\u51fa\u8f83\u591a\u3002\u53ef\u4ee5\u4f7f\u7528 rails r xxx.rb \u8fd0\u884c\uff0c\u91cd\u5b9a\u5411\u5230\u6587\u4ef6\uff0c\u53bb\u91cd\u540e\u67e5\u770b\u6240\u6709\u5305\u542b LFS \u7684\u9879\u76ee\u3002

    "},{"location":"services/gitlab/#rake-tasks","title":"\u4f7f\u7528 Rake tasks","text":"

    \u8be6\u89c1 https://github.com/sameersbn/docker-gitlab#rake-tasks\u3002\u548c Rails console \u4e00\u6837\uff0c\u521d\u59cb\u5316\u5f88\u6162\u3002

    \u5f53\u524d\u5b9e\u4f8b\u4fe1\u606f\uff1a

    docker exec --user git -it gitlab bundle exec rake gitlab:env:info RAILS_ENV=production\n
    "},{"location":"services/gitlab/#_4","title":"\u6e05\u7406","text":"

    \u53c2\u8003 https://github.com/gitlabhq/gitlabhq/blob/master/doc/raketasks/cleanup.md\u3002

    \u4e0d\u8fc7\u4f5c\u7528\u6709\u9650\u3002

    "},{"location":"services/gitlab/#_5","title":"\u6e05\u7406\u4e0a\u4f20\u76ee\u5f55","text":"

    \u67e5\u770b\u4f1a\u88ab\u6e05\u7406\u7684\u6587\u4ef6\uff1a

    docker exec --user git -it gitlab bundle exec rake gitlab:cleanup:project_uploads RAILS_ENV=production\n

    \u6e05\u7406\uff08\u79fb\u52a8\u5230 /-/project-lost-found/\uff09\uff1a

    docker exec --user git -it gitlab bundle exec rake gitlab:cleanup:project_uploads RAILS_ENV=production DRY_RUN=false\n
    "},{"location":"services/gitlab/#artifact","title":"\u6e05\u7406\u672a\u88ab\u5f15\u7528\u7684 artifact \u6587\u4ef6","text":"

    \u67e5\u770b\u4f1a\u88ab\u6e05\u7406\u7684 artifact \u6570\u91cf\uff1a

    docker exec --user git -it gitlab bundle exec rake gitlab:cleanup:orphan_job_artifact_files RAILS_ENV=production\n

    \u6e05\u7406\uff1a

    docker exec --user git -it gitlab bundle exec rake gitlab:cleanup:orphan_job_artifact_files RAILS_ENV=production DRY_RUN=false\n

    \u6ce8\u610f\uff0c\u65b0\u8bbe\u7f6e\u7684 expire \u671f\u9650\u4e0d\u4f1a\u5f71\u54cd\u4ee5\u524d\u7684 artifact\uff0c\u8fd9\u91cc\u7684\u547d\u4ee4\u4e5f\u65e0\u6cd5\u6e05\u7406\u3002

    "},{"location":"services/gitlab/#lfs-reference","title":"\u6e05\u7406\u65e0\u6548\u7684 LFS reference","text":"
    for i in `cat projectid_lfs`; do docker exec --user git -it gitlab bundle exec rake gitlab:cleanup:orphan_lfs_file_references PROJECT_ID=$i RAILS_ENV=production DRY_RUN=false; done\n

    projectid_lfs \u662f\u4e0a\u6587\u4e2d\u300c\u83b7\u53d6\u6240\u6709\u5305\u542b LFS \u7684\u9879\u76ee ID\u300d\u7684\u53bb\u91cd\u540e\u7684\u8f93\u51fa\u3002

    \u65e0 reference \u7684 LFS \u6587\u4ef6\u6bcf\u65e5 GitLab \u4f1a\u81ea\u52a8\u6e05\u9664\u3002\u5982\u679c\u9700\u8981\u7acb\u523b\u5220\u9664\uff0c\u53ef\u4ee5\u4f7f\u7528 gitlab:cleanup:orphan_lfs_files\u3002

    "},{"location":"services/gitlab/#_6","title":"\u7d27\u6025\u64cd\u4f5c","text":""},{"location":"services/gitlab/#_7","title":"\u8bbe\u7f6e\u4e3a\u53ea\u8bfb","text":"

    Ref: https://docs.gitlab.com/ee/administration/read_only_gitlab.html

    docker exec --user git -it gitlab bin/rails console\n

    \u4e4b\u540e\u6267\u884c

    Project.all.find_each { |project| puts project.name; project.update!(repository_read_only: true) }\n

    \u5c06\u6240\u6709\u4ed3\u5e93\u8bbe\u7f6e\u4e3a\u53ea\u8bfb\u3002\u5982\u679c\u4e2d\u95f4\u51fa\u73b0\u9519\u8bef\uff08\u7279\u6b8a\u7684\u9879\u76ee\u540d\u53ef\u80fd\u4f1a\u5bfc\u81f4\u8fd0\u884c\u4e2d\u65ad\uff09\uff0c\u91cd\u547d\u540d\u6700\u540e\u8f93\u51fa\u5bf9\u5e94\u7684\u9879\u76ee\u3002

    \u5728\u8bbe\u7f6e\u524d\uff0c\u9700\u8981\u6dfb\u52a0 Messages \u901a\u77e5\u7528\u6237\u3002

    \u6b64\u65f6\u6570\u636e\u5e93\u4ecd\u7136\u53ef\u5199\u5165\u3002\u5982\u679c\u9700\u8981\u6570\u636e\u5e93\u53ea\u8bfb\uff0c\u53c2\u8003\u4ee5\u4e0a\u94fe\u63a5\u914d\u7f6e\u3002

    "},{"location":"services/light/","title":"Light Accelerator","text":"

    Service: light.ustclug.org

    Git Repository:

    Docker Hub:

    Mailing list: \u8f7b\u91cf\u7ea7\u7f51\u7edc\u52a0\u901f\u670d\u52a1

    Servers:

    "},{"location":"services/light/#deploy","title":"Deploy","text":"

    Deploy script: docker-run-script/light

    Deploy order:

    1. mysql
    2. freeradius, light-web
    3. squid
    "},{"location":"services/light/#add-new-domain","title":"Add new domain","text":"
    git clone https://github.com/ustclug/light-list\ncd accelerate-list\n./tools/add-domain.sh accelerate.list www.example.com\ngit commit -v -a\ngit push origin master\n

    GitHub Actions will update PAC files in LUG FTP automatically.

    "},{"location":"services/light/#database-maintenance","title":"Database maintenance","text":"

    Example:

    select count(*) from radacct where acctstoptime < '2021-01-01 00:00:00';\ninsert into radacct_backup select * from radacct where acctstoptime < '2021-01-01 00:00:00';\ndelete from radacct where acctstoptime < '2021-01-01 00:00:00';\ndelete from radacct_backup where acctstoptime < '2020-06-01 00:00:00';\noptimize table radacct;\noptimize table radacct_backup;\n
    "},{"location":"services/light/#shutdown","title":"Shutdown","text":"
    1. Stop two containers: light-server & light-socks
    2. Set restart policy to no (See Docker Documentation)
    "},{"location":"services/light/#logs","title":"Logs","text":"

    Proxy related log is under /srv/docker/light/log. Container log (stdout & stderr) is under /srv/docker/docker/containers/<container id>/*.log* (use docker logs <container> to view).

    Logrotate is configured to save logs for 180 days. Please manually backup logs when removing the container.

    "},{"location":"services/neat-dns/","title":"Neat DNS","text":"

    Services: neatdns.ustclug.org (UDP, TCP, HTTPS, DNSCrypt)

    Server: docker2

    Deploy: docker-run-script/neatdns

    "},{"location":"services/neat-dns/#notes","title":"Notes","text":"

    Previously all containers on docker2 had gateway-el as their gateway, which generated heavy load on the Tinc network. Docker2 has since been updated to use gateway-nic as gateway for containers, bypassing Tinc for most of the traffic. This, however, broke NAT-based service like Neat DNS, which required that reply traffic goes back through gateway-el (but now gateway-nic).

    What's worse, Docker doesn't support setting gateways for individual containers, nor can network config be changed from within the container (default setup). So we chose to selectively route traffic back to gateway-el on gateway-nic. This is accomplished with two parts:

    "},{"location":"services/vpn/","title":"LUG VPN","text":""},{"location":"services/vpn/#iptables","title":"iptables \u9632\u706b\u5899\u7ba1\u7406","text":"

    \u672c\u8282\u5185\u5bb9\u9002\u7528\u4e8e\u5305\u62ec VPN \u5728\u5185\u7684\u591a\u4e2a\u670d\u52a1\u5668

    "},{"location":"services/mirrors/","title":"\u5f00\u6e90\u955c\u50cf\u7ad9","text":""},{"location":"services/mirrors/#_2","title":"\u5386\u53f2","text":""},{"location":"services/mirrors/#debianustceducn","title":"debian.ustc.edu.cn","text":"

    2000 \u5e74\u5de6\u53f3\uff0c\u79d1\u5927\u6821\u5185\u7684 Debian \u7231\u597d\u8005\u4f7f\u7528\u81ea\u5df1\u5b9e\u9a8c\u5ba4\u7684\u673a\u5668\u4e3a\u5927\u5bb6\u63d0\u4f9b Debian \u955c\u50cf\u670d\u52a1\u3002\u968f\u7740\u4e00\u5c4a\u5c4a\u5e08\u5144\u7684\u6bd5\u4e1a\uff0c\u670d\u52a1\u5668\u5728\u5404\u5b9e\u9a8c\u5ba4\u95f4\u63a5\u529b\u3002

    2002 \u5e74 5 \u6708\uff0cDebian \u955c\u50cf\u7ad9\u6709\u4e86\u81ea\u5df1\u7684\u57df\u540d debian.ustc.edu.cn\uff0c\u4f46\u670d\u52a1\u5668\u4ecd\u5728\u5b9e\u9a8c\u5ba4\u95f4\u8f97\u8f6c\u3002

    2002 \u5e74 6 \u6708 23 \u65e5\uff0c\u79d1\u5927Debian\u955c\u50cf\u7ad9\u5f00\u59cb\u63d0\u4f9b\u975e\u5b98\u65b9(UO)\u8f6f\u4ef6\u4ed3\u5e93\u30022004\u5e744\u670823\u65e5\uff0c\u63d0\u4f9b\u65b0\u7684UO\u4ed3\u5e93\u3002

    2005 \u5e74 6 \u6708 20 \u65e5\uff0c\u79d1\u5927 LUG \u53d1\u8d77\u4e3a\u79d1\u5927 Debian \u955c\u50cf\u7ad9\u6350\u6b3e\u7684\u5021\u8bae\uff0c\u622a\u81f3 10 \u6708 1 \u65e5\u52df\u6350\u6d3b\u52a8\u505c\u6b62\uff0cLUG \u5171\u6536\u5230 2922.05 \u5143\u6350\u6b3e\u300210 \u6708 6 \u65e5\u65b0\u673a\u5668\u5b89\u88c5\u914d\u7f6e\u5230\u4f4d\u3002\u5728\u5927\u5bb6\u7684\u9f50\u5fc3\u52aa\u529b\u4e4b\u4e0b\uff0c\u79d1\u5927 Debian \u955c\u50cf\u7ad9\u6709\u4e86\u4e00\u4e2a\u76f8\u5bf9\u56fa\u5b9a\u7684\u201c\u5bb6\u201d\u3002

    2009 \u5e74\u5e95\uff0cdebian.ustc \u843d\u6237\u56fe\u4e66\u9986\u6280\u672f\u90e8\u3002

    "},{"location":"services/mirrors/#ossustceducn","title":"oss.ustc.edu.cn","text":"

    2008 \u5e74 12 \u6708 25 \u65e5\uff0c\u79d1\u5927\u5f00\u6e90\u8f6f\u4ef6 (OSS) \u955c\u50cf\u7ad9\u6b63\u5f0f\u542f\u7528\u3002\u5176\u670d\u52a1\u5668\u7531\u5434\u5cf0\u5149\u5e08\u5144\u63d0\u4f9b\u3002Novell \u516c\u53f8\u4e3a\u6211\u4eec\u63d0\u4f9b\u4e86\u4e00\u57571.5T \u7684\u786c\u76d8\u3002

    2009 \u5e74 12 \u6708\uff0c\u5f20\u6210\u5e08\u5144\u4e3a OSS \u955c\u50cf\u7ad9\u63d0\u4f9b\u6350\u8d60 1T \u786c\u76d8\u3002

    2010 \u5e74 6 \u6708\uff0c\u79d1\u5927 LUG \u4f7f\u7528\u51fa\u552e\u7248\u886b\u4f59\u4e0b\u7684\u94b1\u4e3a OSS \u955c\u50cf\u7ad9\u6dfb\u7f6e\u4e86\u4e00\u5757 2T \u786c\u76d8\u3002

    "},{"location":"services/mirrors/#mirrorsustceducn","title":"mirrors.ustc.edu.cn","text":"

    2011 \u5e74 4 \u6708 8 \u65e5\uff0c\u79d1\u5927 LUG \u4ece\u7f51\u7edc\u4e2d\u5fc3\u5904\u83b7\u5f97\u4e86\u65b0\u7684\u670d\u52a1\u5668\uff0c\u5e76\u7533\u8bf7\u5230\u4e86 mirrors.ustc \u7684\u57df\u540d\u3002debian.ustc \u4e0e oss.ustc \u5f00\u59cb\u5411 mirrors.ustc \u8fc1\u79fb\u3002

    \u540c\u5e74 4 \u6708 15 \u65e5\uff0c\u51e0\u5927\u70ed\u95e8\u53d1\u884c\u7248\u955c\u50cf\u540c\u6b65\u5b8c\u6bd5\uff0cmirrors \u5f00\u59cb\u6b63\u5f0f\u5bf9\u5916\u63d0\u4f9b\u670d\u52a1\uff0c\u540c\u65f6 debian.ustc \u4e0e oss.ustc \u9000\u51fa\u4e86\u5386\u53f2\u821e\u53f0\u3002

    2013 \u5e74 1 \u6708 6 \u65e5\uff0c\u79d1\u5927 LUG \u4ece\u7f51\u7edc\u4e2d\u5fc3\u5904\u83b7\u5f97\u4e86\u65b0\u7684\u78c1\u76d8\u9635\u5217\uff0c\u5927\u5927\u7f13\u89e3\u4e86 mirrors \u56e0\u78c1\u76d8\u7a7a\u95f4\u4e0d\u8db3\u800c\u5e26\u6765\u7684\u538b\u529b\u3002

    2016 \u5e74 12 \u6708 29 \u65e5\uff0c\u79d1\u5927 LUG \u4ece\u7f51\u7edc\u4e2d\u5fc3\u5904\u83b7\u5f97\u4e86\u65b0\u7684\u670d\u52a1\u5668\u3002\u89e3\u51b3\u4e86\u8fd1\u4e00\u5e74\u6765\u7531\u4e8e\u670d\u52a1\u5668\u548c\u9635\u5217\u8001\u5316\u5e26\u6765\u7684\u7a33\u5b9a\u6027\u95ee\u9898\u3002

    2019 \u5e74 6 \u6708\uff0c\u79d1\u5927 LUG \u4ece\u56fe\u4e66\u9986\u6280\u672f\u90e8\u83b7\u5f97\u4e86\u4e00\u53f0\u65e7\u670d\u52a1\u5668\uff0c\u7f13\u89e3\u4e86 mirrors \u5bb9\u91cf\u7d27\u5f20\u7684\u95ee\u9898\u3002

    2020 \u5e74 3 \u6708 24 \u65e5\uff0c\u79d1\u5927 LUG \u518d\u6b21\u4ece\u7f51\u7edc\u4e2d\u5fc3\u5904\u83b7\u5f97\u4e86\u65b0\u7684\u670d\u52a1\u5668\uff0c\u89e3\u51b3\u4e86\u591a\u5e74\u6765\u7531\u4e8e\u670d\u52a1\u5668\u5bb9\u91cf\u4e0d\u8db3\u548c\u8d1f\u8f7d\u8fc7\u5927\u5e26\u6765\u7684\u538b\u529b\u3002

    "},{"location":"services/mirrors/#hardware","title":"\u786c\u4ef6\u914d\u7f6e","text":""},{"location":"services/mirrors/docker/","title":"Docker","text":""},{"location":"services/mirrors/docker/#networking","title":"Networking","text":"

    Docker \u9ed8\u8ba4\u521b\u5efa\u4e00\u4e2a\u540d\u4e3a bridge \u7684\u7f51\u7edc\uff0c\u4e3b\u673a\u754c\u9762\u4e3a docker0\uff0cIP \u5730\u5740\u6bb5\u4e3a 172.17.0.0/16\u3002

    \u6211\u4eec\u5c06 Docker Registry \u7684\u53cd\u4ee3\u6302\u5728\u53e6\u5916\u4e00\u4e2a\u5b50\u7f51\u4e0b\uff0c\u9700\u8981\u5148\u884c\u521b\u5efa\u3002

    docker network create \\\n  --opt com.docker.network.bridge.name=docker1 \\\n  --subnet=172.18.0.0/16 \\\n  --gateway=172.18.0.1 \\\n  docker-registry\n
    "},{"location":"services/mirrors/docker/#routing","title":"Routing","text":"

    \u4e00\u4e9b\u540c\u6b65\u7a0b\u5e8f\u4e0d\u652f\u6301 bindIP \u7684\u914d\u7f6e\uff0c\u5bf9\u4e8e\u8fd9\u4e9b\u540c\u6b65\u7a0b\u5e8f\uff0c\u6211\u4eec\u901a\u8fc7\u521b\u5efa\u591a\u4e2a Docker network\uff0c\u7136\u540e\u5728\u4e3b\u673a\u4e0a\u6839\u636e Docker network \u8fdb\u884c\u7b56\u7565\u8def\u7531\uff0c\u8fbe\u5230\u9009\u62e9\u51fa\u53e3\u7684\u6548\u679c\u3002

    \u521b\u5efa Docker network \u7684\u547d\u4ee4\u5982\u4e0b\uff1a

    docker network create --driver=bridge --subnet=172.17.4.1/24 -o \"com.docker.network.bridge.name=dockerC\" cernet\ndocker network create --driver=bridge --subnet=172.17.5.1/24 -o \"com.docker.network.bridge.name=dockerT\" telecom\ndocker network create --driver=bridge --subnet=172.17.6.1/24 -o \"com.docker.network.bridge.name=dockerM\" mobile\ndocker network create --driver=bridge --subnet=172.17.7.1/24 -o \"com.docker.network.bridge.name=dockerU\" unicom\n

    \u5bf9\u5e94\u5730\uff0c\u4e3b\u673a\u4e0a\u4e5f\u914d\u7f6e\u597d\u4e86\u7b56\u7565\u8def\u7531\uff0c\u4f8b\u5982\uff1a

    /etc/systemd/network/cernet.network
    # Docker Cernet\n[RoutingPolicyRule]\nFrom=172.17.4.0/24\nTable=1011\nPriority=5\n[RoutingPolicyRule]\nFrom=172.17.8.0/24\nTable=1011\nPriority=5\n
    /etc/systemd/network/telecom.network
    # Docker Telecom\n[RoutingPolicyRule]\nFrom=172.17.5.0/24\nTable=1012\nPriority=5\n

    mobile.network \u548c unicom.network \u4e5f\u7c7b\u4f3c\u3002

    \u9700\u8981\u4f7f\u7528\u8fd9\u79cd\u65b9\u5f0f\u8fdb\u884c\u8def\u7531\u7684\u540c\u6b65\u955c\u50cf\uff0c\u53ef\u4ee5\u5728 YAML \u4e2d\u6307\u5b9a network\uff0c\u4f8b\u5982\uff1a

    adoptium.yum.yaml
    network: telecom\n
    "},{"location":"services/mirrors/genindex/","title":"\u9996\u9875\u751f\u6210","text":"

    \u955c\u50cf\u7ad9\u4e3b\u9875\u662f\u9759\u6001\u7684\uff0c\u7531 https://git.lug.ustc.edu.cn/mirrors/mirrors-index \u811a\u672c\u751f\u6210\u3002

    crontab \u4f1a\u5b9a\u65f6\u8fd0\u884c\u8be5\u811a\u672c\uff0c\u751f\u6210\u9996\u9875\u548c mirrorz \u9879\u76ee\u9700\u8981\u7684\u6570\u636e\u3002

    \u5728\u9996\u9875\u5c55\u793a\u7684\u300c\u83b7\u53d6\u5b89\u88c5\u955c\u50cf\u300d\u3001\u300c\u83b7\u53d6\u5f00\u6e90\u8f6f\u4ef6\u300d\u3001\u300c\u53cd\u5411\u4ee3\u7406\u5217\u8868\u300d\u5206\u522b\u7531 config \u5185\u914d\u7f6e\u6307\u5b9a\uff0c\u300c\u6587\u4ef6\u5217\u8868\u300d\u5185\u5bb9\u5219\u4f1a\u4ece\u540c\u6b65\u7a0b\u5e8f yuki \u7684 api \u4e2d\u83b7\u53d6\u3002

    "},{"location":"services/mirrors/ipmi/","title":"IPMI","text":""},{"location":"services/mirrors/ipmi/#mirrors4","title":"Mirrors4","text":"

    \u8fd9\u53f0\u673a\u5668\u7684 IPMI \u6709 HTML5 KVM\uff0c\u53ef\u4ee5\u76f4\u63a5\u7f51\u9875\u4f7f\u7528\uff0c\u6bd4\u8f83\u65b9\u4fbf\u3002

    "},{"location":"services/mirrors/ipmi/#mirrors23","title":"Mirrors2/3","text":"

    \u767b\u5f55 IPMI \u540e\uff0c\u4e3a\u4e86\u4f7f\u7528\u8fdc\u7a0b Shell\uff0c\u9700\u8981\u8fd0\u884c\u4e00\u4e2a jnlp \u6587\u4ef6\u3002 \u6b64\u6587\u4ef6\u4e0b\u8f7d\u65f6\u4f1a\u88ab Chrome \u62e6\u622a\uff0c\u9700\u8981\u989d\u5916\u5141\u8bb8\u4e00\u4e0b\u3002

    \u6b64 jnlp \u6587\u4ef6\u9700\u8981 Oracle JDK 7 \u8fd0\u884c\uff0cOpenJDK 7 \u65e0\u6cd5\u8fd0\u884c\u3002 \u6307\u4ee4\u7528 javaws a.jnlp \u5373\u53ef\u3002

    Java 8 \u53ca\u4e4b\u524d Java \u7684\u5404\u4e2a\u5de5\u5177\u662f\u6253\u5305\u5728 JDK \u4e2d\u7684\uff0c\u5305\u62ec Java Web Starter\uff0c\u5373\u6211\u4eec\u7528\u7684 javaws\u3002 \u6240\u4ee5\u53ea\u9700\u8981\u5b89\u88c5 Oracle JDK 7 \u5373\u53ef\uff0c\u65e0\u9700\u5b89\u88c5\u5176\u4ed6\u7684\u3001\u9488\u5bf9 Java 9 \u53ca\u4e4b\u540e\u7248\u672c\u7684\u5176\u4ed6\u5de5\u5177\u3002

    "},{"location":"services/mirrors/limiter/","title":"\u9650\u5236\u7b56\u7565","text":"

    \u7531\u4e8e mirrors \u5c5e\u4e8e I/O\u3001\u7f51\u7edc\u5bc6\u96c6\u578b\u670d\u52a1\uff0c\u5728\u90e8\u5206\u7684\u8d1f\u8f7d\u573a\u666f\u4e0b\u6781\u6613\u51fa\u73b0 I/O \u6216\u7f51\u7edc\u8fc7\u8f7d\u3002\u9650\u5236\u7b56\u7565\u4e3b\u8981\u662f\u4e3a\u4e86\u51cf\u5f31\u4ee5\u4e0b\u51e0\u7c7b\u8bf7\u6c42\u5bf9 mirrors \u6574\u4f53\u670d\u52a1\u8d28\u91cf\u7684\u5f71\u54cd\uff1a

    1. \u7a81\u53d1\u6027\u7684\u9ad8\u5e76\u53d1\u8bf7\u6c42
    2. \u722c\u866b\u7c7b\u6d41\u91cf
    3. \u4e0d\u5408\u7406\u7684\u8bf7\u6c42\uff08\u5982\uff1a\u6781\u5c11\u6570\u7528\u6237\u7684\u5927\u91cf\u8bf7\u6c42\uff09
    "},{"location":"services/mirrors/limiter/#whitelists","title":"\u767d\u540d\u5355","text":"

    \u4e00\u822c\u800c\u8a00\uff0c\u79d1\u5927\u6821\u5185\u7684\u5730\u5740\u4f4d\u4e8e\u9650\u5236\u89c4\u5219\u7684\u767d\u540d\u5355\u4e2d\uff0c\u4e0d\u53d7\u5230\u9650\u5236\u7b56\u7565\u7684\u5f71\u54cd\u3002\u5982\u679c\u6ca1\u6709\u7279\u6b8a\u8bf4\u660e\uff0c\u79d1\u5927\u5730\u5740\u9ed8\u8ba4\u4e0d\u53d7\u9650\u5236\u3002

    \u767d\u540d\u5355\u4f4d\u4e8e\uff1a

    "},{"location":"services/mirrors/limiter/#firewall","title":"\u9632\u706b\u5899\u7ea7\u522b\u9650\u5236","text":"

    \u9632\u706b\u5899 (iptables) \u76ee\u524d\u53ea\u8d1f\u8d23\u9650\u5236\u5355 IP \u7684\u5e76\u53d1\u94fe\u63a5\u6570\u3002\u8fd9\u662f\u4e3a\u4e86\u9632\u6b62\u540c\u65f6\u6d8c\u5165\u5927\u91cf\u5e76\u53d1\u8fde\u63a5\uff0c\u5bfc\u81f4\u540e\u7aef\u5e94\u7528\u8017\u8d39\u5927\u91cf CPU \u548c I/O \u8d44\u6e90\u5904\u7406\u8fd9\u4e9b\u4e0d\u5408\u5e38\u7406\u7684\u8bf7\u6c42\u3002

    \u5e8f\u53f7 \u7aef\u53e3 \u670d\u52a1 \u6700\u5927\u8fde\u63a5\u6570 IPv4 CIDR IPv6 CIDR 1 80,443 HTTP/HTTPS 12 29 64 2 20,21,50100:50200 FTP 4* 32 64 3 873 Rsync 5* 32 64 4 9418 Git 10 32 64

    \u6ce8\u610f\u4e8b\u9879

    \u8fde\u63a5\u6570\u9650\u5236\u4ec5\u9650\u5236\u77ac\u65f6\u5e76\u53d1\uff08connlimit\uff09\u3002

    \u8bf7\u6ce8\u610f\uff0c\u540c\u7ec4\u5185\u7684\u8fde\u63a5\u5171\u4eab\u8fde\u63a5\u6570\u914d\u989d\u3002\u5982\uff1a

    \u8d85\u8fc7\u914d\u989d\u7684\u8fde\u63a5\u4f1a\u8fd4\u56de TCP Reset\u3002

    * FTP \u670d\u52a1\u5df2\u505c\u6b62\u63d0\u4f9b\uff0cRsync \u4ec5\u4ece mirrors2 \u63d0\u4f9b\uff0cmirrors4 \u4e0a\u7684 Rsync \u7aef\u53e3\u9650\u5236\u53ea\u80fd\u4ece mirrors2 \u4e0a\u8bbf\u95ee\u3002

    "},{"location":"services/mirrors/limiter/#application","title":"\u5e94\u7528\u7ea7\u522b\u9650\u5236","text":"

    \u6b64\u7c7b\u9650\u5236\u89c4\u5219\u4f4d\u4e8e\u5e94\u7528\u7a0b\u5e8f\u5185\u3002\u7531\u4e8e\u5728\u7528\u6237\u6001\u7a0b\u5e8f\u4e2d\u5b9e\u73b0\uff0c\u56e0\u6b64\u66f4\u52a0\u7075\u6d3b\u3002

    "},{"location":"services/mirrors/limiter/#nginx-mod-lua","title":"Nginx LUA \u7ec4\u4ef6","text":"

    \u4ee3\u7801\u4f4d\u4e8e /etc/nginx/lua/access.lua

    \u76ee\u524d\u4f7f\u7528\u4e86 Nginx \u7684 lua \u8bed\u8a00\u6269\u5c55\u5b9e\u73b0\u5bf9\u8bf7\u6c42\u7684\u9650\u5236\u3002\u4e3b\u8981\u6709\u4ee5\u4e0b\u4e09\u7c7b\u9650\u5236\u65b9\u5f0f\uff1a

    1. \u6309\u8fde\u63a5\u6570\u9650\u5236\uff08\u5373\uff1a\u5e76\u53d1\u8bf7\u6c42\u6570\uff09
    2. \u6309\u8bf7\u6c42\u901f\u7387\u9650\u5236
    3. \u6309\u7d2f\u8ba1\u8bf7\u6c42\u6570\u9650\u5236\uff08\u5468\u671f\u6027\u91cd\u7f6e\u8ba1\u6570\u5668\uff09

    \u76ee\u524d\uff0c\u955c\u50cf\u7ad9\u914d\u7f6e\u4e86\u4ee5\u4e0b\u51e0\u79cd\u529f\u80fd\u7684\u9650\u5236\u5668\uff1a

    1. \u5168\u5c40\u8bf7\u6c42\u901f\u7387\u9650\u5236\u5668\uff1a\u5bf9\u6240\u6709\u8bf7\u6c42\uff0c\u9650\u5236\u5355 IP \u7684\u8bf7\u6c42\u901f\u7387\u3002
    2. \u5168\u5c40\u8bf7\u6c42\u6570\u9650\u5236\u5668\uff1a\u5bf9\u4e8e\u6240\u6709\u8bf7\u6c42\uff0c\u68c0\u6d4b\u5355 IP \u5728\u4e00\u5929\u5185\u7684\u7d2f\u8ba1\u8bf7\u6c42\u6570\u3002\u8d85\u8fc7\u9608\u503c\u540e\uff0c\u964d\u4f4e\u8be5 IP \u7684\u5168\u5c40\u8bf7\u6c42\u901f\u7387\u9650\u5236\u5668\u7684\u9608\u503c\u3002
    3. HEAD \u8bf7\u6c42\u6570\u9650\u5236\u5668\uff1a\u5bf9\u4e8e HTTP Method == HEAD \u7c7b\u578b\u7684\u8bf7\u6c42\uff0c\u68c0\u6d4b\u5355 IP \u5728\u4e00\u5929\u5185\u7684\u7d2f\u8ba1\u8bf7\u6c42\u6570\u3002\u8d85\u8fc7\u9608\u503c\u540e\uff0c\u5f00\u542f HEAD \u8bf7\u6c42\u901f\u7387\u9650\u5236\u5668\u3002
    4. HEAD \u8bf7\u6c42\u901f\u7387\u9650\u5236\u5668\uff1a\u5bf9\u4e8e HTTP Method == HEAD \u7c7b\u578b\u7684\u8bf7\u6c42\uff0c\u9650\u5236\u5355 IP \u7684\u8bf7\u6c42\u901f\u7387\u3002\u8be5\u9650\u5236\u5668\u9ed8\u8ba4\u5173\u95ed\u3002
    5. \u65ad\u70b9\u7eed\u4f20\u8bf7\u6c42\u901f\u7387\u9650\u5236\u5668\uff1a\u5bf9\u4e8e\u65ad\u70b9\u7eed\u4f20\u7c7b\u578b\u7684\u8bf7\u6c42\uff0c\u9650\u5236\u5355 IP \u7684\u8bf7\u6c42\u901f\u7387\u3002
    6. \u65ad\u70b9\u7eed\u4f20\u8fde\u63a5\u6570\u9650\u5236\u5668\uff1a\u5bf9\u4e8e\u65ad\u70b9\u7eed\u4f20\u7c7b\u578b\u7684\u8bf7\u6c42\uff0c\u9650\u5236\u5355 IP \u5355 URI \u7684\u8fde\u63a5\u6570\u3002
    7. \u76ee\u5f55\u8bf7\u6c42\u901f\u7387\u9650\u5236\u5668\uff1a\u5bf9\u4e8e\u5217\u76ee\u5f55\u7c7b\u578b\u7684\u8bf7\u6c42\uff0c\u9650\u5236\u5355 IP \u8bf7\u6c42\u901f\u7387\u3002
    8. \u6587\u4ef6\u8bf7\u6c42\u901f\u7387\u9650\u5236\u5668\uff1a\u5bf9\u4e8e\u975e\u76ee\u5f55\u7c7b\u578b\u7684\u8bf7\u6c42\uff0c\u9650\u5236\u5355\u6587\u4ef6\u8bf7\u6c42\u901f\u7387\u3002\u5373\uff1a\u6240\u6709\u7528\u6237\u4e4b\u95f4\u5171\u4eab\u540c\u4e00\u4e2a\u914d\u989d\u3002

    \u5907\u6ce8\uff1a

    \u5177\u4f53\u53c2\u6570\u53c2\u8003\u4e0b\u8868\uff1a

    \u9650\u5236\u5668\u540d\u79f0 \u9608\u503c\u5355\u4f4d \u9608\u503c \u7a81\u53d1\u91cf \u8ba1\u6570\u5668\u91cd\u7f6e\u5468\u671f \u52a8\u4f5c \u5168\u5c40\u8bf7\u6c42\u901f\u7387\u9650\u5236\u5668 \u6b21/\u79d2 40 100 / \u8fd4\u56de 429 \u9519\u8bef \u5168\u5c40\u8bf7\u6c42\u6570\u9650\u5236\u5668 \u6b21 15000 / 1 \u5929 \u8bbe\u7f6e\u5168\u5c40\u8bf7\u6c42\u901f\u7387\u9650\u5236\u5668\u9608\u503c\u4e3a 0.2 HEAD \u8bf7\u6c42\u6570\u9650\u5236\u5668 \u6b21 300 / 1 \u5929 \u5f00\u542f HEAD \u8bf7\u6c42\u901f\u7387\u9650\u5236\u5668 HEAD \u8bf7\u6c42\u901f\u7387\u9650\u5236\u5668 \u6b21/\u79d2 0.05 5 / \u8fd4\u56de 429 \u9519\u8bef \u65ad\u70b9\u7eed\u4f20\u8bf7\u6c42\u901f\u7387\u9650\u5236\u5668 \u6b21/\u79d2 1 10 / \u8fd4\u56de 429 \u9519\u8bef \u65ad\u70b9\u7eed\u4f20\u8fde\u63a5\u6570\u9650\u5236\u5668 \u6761 1 0 / \u8fd4\u56de 429 \u9519\u8bef \u76ee\u5f55\u8bf7\u6c42\u901f\u7387\u9650\u5236\u5668 \u6b21/\u79d2 0.5 10 / \u8fd4\u56de 429 \u9519\u8bef \u6587\u4ef6\u8bf7\u6c42\u901f\u7387\u9650\u5236\u5668 \u6b21/\u79d2 5 25 / \u8fd4\u56de 429 \u9519\u8bef

    \u5230\u8fbe\u9608\u503c\u540e\u4f1a\u53d1\u751f\u4ec0\u4e48\uff1f

    \u9650\u5236\u5668\u4e4b\u95f4\u76f8\u4e92\u72ec\u7acb\uff0c\u5f53\u88ab\u89e6\u53d1\u7684\u6240\u6709\u9650\u5236\u5668\u4ea7\u751f\u4e0d\u4e00\u81f4\u7684\u7b49\u5f85\u65f6\u95f4\u65f6\uff0c\u5e94\u7528\u6700\u957f\u7684\u7b49\u5f85\u65f6\u95f4\u3002

    "},{"location":"services/mirrors/limiter/#large-files","title":"\u5927\u6587\u4ef6\u4e0b\u8f7d\u901f\u5ea6\u9650\u5236","text":"

    \u4ee3\u7801\u4f4d\u4e8e /etc/nginx/lua/header_filter.lua

    \u9488\u5bf9\u5927\u6587\u4ef6\u4e0b\u8f7d\uff0c\u9650\u5236\u6bcf\u4e2a \u4ed3\u5e93 \u6587\u4ef6\u7684\u603b\u5e26\u5bbd\u4e3a 1Gbps\uff0c\u4ee5\u907f\u514d\u5927\u6587\u4ef6\u6d41\u91cf\u5360\u6ee1\u603b\u5e26\u5bbd\u3002

    \u6ce8\u610f\u4e8b\u9879

    \u5982\u679c\u6709\u591a\u4e2a \u4ed3\u5e93 \u6587\u4ef6\u9762\u4e34\u9ad8\u538b\u529b\u8bbf\u95ee\uff0c\u603b\u5e26\u5bbd\u4f9d\u7136\u53ef\u80fd\u88ab\u5360\u6ee1

    \u5177\u4f53\u505a\u6cd5\u4e3a\uff0c\u8bbe\u7f6e\u4e0b\u8f7d\u901f\u5ea6\u9608\u503c = 1Gbps / (\u8be5 \u4ed3\u5e93 \u5927\u6587\u4ef6\u7684\u540c\u65f6\u8fde\u63a5\u6570 +1)

    \u5f53\u4e0b\u8f7d\u7684\u6587\u4ef6\u65e0\u7a77\u5927\u65f6\uff0c\u5c06\u51fa\u73b0\u6700\u5dee\u60c5\u5f62\uff0c\u5373\u7528\u6237\u88ab\u5206\u914d\u5230\u7684\u4e0b\u8f7d\u901f\u7387\u670d\u4ece\u7c7b\u8c03\u548c\u7ea7\u6570\uff0c\u51fd\u6570\u53d1\u6563\u3002\u5b9e\u9645\u60c5\u51b5\u4e0b\uff0c\u65e9\u671f\u7528\u6237\u4e0b\u8f7d\u5b8c\u6210\u540e\u8fde\u63a5\u91ca\u653e\uff0c\u6700\u7ec8\u5e26\u5bbd\u5c06\u6536\u655b\u5230 1Gbps\u3002

    \u6ce8\uff1a\u5927\u6587\u4ef6\u5b9a\u4e49\u53c2\u7167\u76ee\u524d\u7684 lua \u811a\u672c\u914d\u7f6e\u3002

    "},{"location":"services/mirrors/limiter/#nginx-js-challenge","title":"Nginx JavaScript \u6311\u6218","text":"

    \u4ee3\u7801\u4f4d\u4e8e /etc/nginx/sites-available/iso.mirrors.ustc.edu.cn

    \u4e3a\u4e86\u62b5\u6297\u201c\u8fc5\u96f7\u653b\u51fb\u201d\u3002\u5bf9\u4e8e\u7279\u5b9a\u7c7b\u578b\u7684\u6587\u4ef6\uff0c\u5f00\u542f\u4e86 JS \u6311\u6218\u3002\u5982\u679c\u5ba2\u6237\u7aef User-Agent \u4e3a Mozilla\uff08\u5373\u6d4f\u89c8\u5668\uff09\uff0c\u5219\u53d1\u9001\u4e00\u6bb5\u5305\u542b JS \u811a\u672c\u7684\u9875\u9762\uff0c\u68c0\u9a8c\u8fd0\u884c\u7684\u7ed3\u679c\u3002\u5982\u679c\u6311\u6218\u5931\u8d25\uff0c\u5219\u8fd4\u56de\u9519\u8bef\u3002

    \u88ab\u4fdd\u62a4\u7684\u6587\u4ef6\u7c7b\u578b\u6709\uff1a

    "},{"location":"services/mirrors/limiter/#robots","title":"\u722c\u866b\u9650\u5236","text":"

    \u4ee3\u7801\u4f4d\u4e8e /etc/nginx/snippets/robots

    \u5982\u679c\u5ba2\u6237\u7aef User-Agent \u5305\u542b Spider\u3001Robot \u5173\u952e\u5b57\uff0c\u5219\u7981\u6b62\u5176\u8bbf\u95ee\u4ed3\u5e93\u5185\u5bb9\u3002\u907f\u514d\u7531\u4e8e\u9891\u7e41\u5217\u76ee\u5f55\u5e26\u6765\u5927\u91cf IO \u8d1f\u8f7d\u3002

    "},{"location":"services/mirrors/limiter/#rsync-connections","title":"Rsync \u603b\u8fde\u63a5\u6570\u9650\u5236","text":"

    Rsync \u670d\u52a1\u8bbe\u7f6e\u4e86\u603b\u8fde\u63a5\u6570\u9650\u5236\u3002\u5373\uff1a\u5f53\u5efa\u7acb\u7684\u8fde\u63a5\u6570\u5230\u8fbe\u67d0\u4e2a\u9608\u503c\u540e\uff0c\u62d2\u7edd\u4e4b\u540e\u6536\u5230\u7684\u8fde\u63a5\u3002

    \u5386\u53f2\u8bb0\u5f55

    \u4ee5\u524d HTTP \u548c Rsync \u670d\u52a1\u7531\u540c\u4e00\u53f0\u670d\u52a1\u5668\u63d0\u4f9b\uff0c\u7531\u4e8e\u767d\u5929 HTTP \u8bbf\u95ee\u538b\u529b\u8f83\u5927\uff0c\u591c\u665a HTTP \u8bbf\u95ee\u91cf\u8f83\u5c0f\uff0c\u4e3a\u4e86\u5b9e\u73b0\u9519\u5cf0\u540c\u6b65\uff0c\u4fdd\u8bc1\u767d\u5929 HTTP \u7684\u670d\u52a1\u8d28\u91cf\uff0c\u56e0\u6b64\u9488\u5bf9\u4e0d\u540c\u65f6\u6bb5\u8bbe\u7f6e\u4e86\u4e0d\u540c\u7684\u9608\u503c\uff0c\u5177\u4f53\u5982\u4e0b\uff1a

    \u5728 2020 \u5e74 8 \u6708 25 \u65e5\u540e\uff0c\u7531\u4e8e\u66f4\u6362\u4e86\u65b0\u670d\u52a1\u5668\uff0cRsync \u7531\u5355\u72ec\u673a\u5668\u63d0\u4f9b\u670d\u52a1\uff0c\u603b\u8fde\u63a5\u6570\u63d0\u5347\u5230\u4e86\u5168\u5929 60 \u4e2a\u8fde\u63a5\u3002

    \u7279\u522b\u7684\uff0c\u79d1\u5927\u6821\u5185 IP \u5730\u5740\u53d7\u5230 rsync \u8fde\u63a5\u6570\u9650\u5236\u3002

    "},{"location":"services/mirrors/limiter/#interface-limit","title":"\u7f51\u7edc\u63a5\u53e3\u7ea7\u522b\u9650\u5236","text":"

    mirrors \u5e38\u6001\u4e0b\u6ca1\u6709\u7f51\u7edc\u63a5\u53e3\u9650\u5236\uff0c\u4f46\u5728\u9700\u8981\u4e34\u65f6\u5bf9\u67d0\u4e00\u63a5\u53e3\u8fdb\u884c\u9650\u5236\u65f6\uff0c\u53ef\u4ee5\u4f7f\u7528 tc \u6765\u5b8c\u6210\u3002

    \u4f8b\u5982\u53ef\u4ee5\u53c2\u8003\u8fd9\u4efd\u56de\u7b54\uff1aiptables - Limiting interface bandwidth with tc under Linux - Server Fault\uff0c\u4f7f\u7528\u5982\u4e0b\u6307\u4ee4\u9650\u5236\u67d0\u4e00\u63a5\u53e3\u7684\u7f51\u7edc\u901f\u7387\u4e3a 1.5Gbps\uff1a

    tc qdisc add dev <interface> root handle 1: tbf rate 1500Mbit burst 750K latency 14ms\n

    \u8fd9\u91cc\u4f7f\u7528\u4e86 TBF\uff08\u4ee4\u724c\u6876\uff09\u7b97\u6cd5\uff0c\u540e\u9762\u7684 burst \u548c latency \u53c2\u6570\u610f\u4e49\u53ef\u4ee5\u53c2\u89c1 man tc-tbf\u3002 \u5177\u4f53\u800c\u8a00\uff0clatency \u6ca1\u6709\u63a8\u8350\u503c\uff0c\u4f46 burst \u8981\u6c42\u81f3\u5c11\u4e3a rate / HZ\uff0cHZ = 100 \u65f6 10Mbps \u81f3\u5c11\u7ea6 10MB\u3002 HZ \u7684\u503c\u9700\u8981\u4ece\u5185\u6838\u7684\u7f16\u8bd1\u53c2\u6570\u4e2d\u67e5\u770b\uff1aegrep '^CONFIG_HZ_[0-9]+' /boot/config-`uname -r`\u3002\u73b0\u4ee3\u53d1\u884c\u7248\u63d0\u4f9b\u7684\u5185\u6838\u4e2d\u8fd9\u4e2a\u503c\u4e00\u822c\u4e3a 250\u3002

    \u53c2\u8003\u8d44\u6599\uff1aBucket size in tbf

    \u76ee\u524d\u90e8\u7f72\u7684\u9650\u5236\u6709\uff1a

    \u5728 mirrors4 \u4e0a\u8be5\u914d\u7f6e\u7684\u5f00\u673a\u81ea\u542f\u5206\u522b\u4f4d\u4e8e tc-unicom.service \u548c tc-telecom.service \u4e24\u4e2a\u670d\u52a1\u4e2d\uff0c\u5176\u4e2d tc-unicom.service \u914d\u7f6e\u5982\u4e0b\uff1a

    [Unit]\nDescription=Rate Limiting for Unicom Interface\n\n[Service]\nType=oneshot\nRemainAfterExit=true\nExecStart=/usr/sbin/tc qdisc replace dev unicom root handle 1: tbf rate 1500Mbit burst 750K latency 14ms\nExecStop=/usr/sbin/tc qdisc delete dev unicom root handle 1\n\n[Install]\nWantedBy=sys-subsystem-net-devices-unicom.device\n

    Install \u90e8\u5206\u7684 WantedBy \u4f7f\u7528\u8fd9\u79cd\u5199\u6cd5\u53ef\u4ee5\u4f7f\u8be5\u670d\u52a1\u4f9d\u8d56\u4e8e\u540d\u4e3a unicom \u7684\u7f51\u53e3\uff0c\u8be6\u7ec6\u56de\u7b54\u53ef\u4ee5\u770b What is the systemd-networkd equivalent of post-up?\u3002

    "},{"location":"services/mirrors/limiter/#blacklists","title":"IP \u9ed1\u540d\u5355\u9650\u5236","text":"

    \u5bf9\u4e8e\u6ee5\u7528\u7684 IP \u6bb5\uff0c\u53ef\u4ee5\u4f7f\u7528 ipset \u548c iptables \u5b9e\u73b0\u9ed1\u540d\u5355\u9650\u5236\u3002 ipset \u5c06\u67d0\u4e2a IP \u5339\u914d\u5230\u4e00\u4e2a\u96c6\u5408\u4e2d\uff0ciptables \u518d\u9488\u5bf9\u67d0\u4e00\u96c6\u5408\u8fdb\u884c\u9650\u5236\u3002

    ipset \u548c iptables \u7684\u4f7f\u7528\u53ef\u4ee5\u53c2\u8003\uff1aIpset - Arch Wiki \u3002

    \u6211\u4eec\u5df2\u5728 mirrors4 \u4e0a\u914d\u7f6e\u4e86 blacklist \u548c blacklist6 \u96c6\u5408\uff0c\u82e5\u8981\u5c01\u7981\u67d0\u4e2a IP \u6216\u7f51\u6bb5\uff0c\u53ef\u4ee5\u76f4\u63a5\u5c06\u8be5\u7f51\u6bb5\u52a0\u5165\u96c6\u5408\uff0c\u4f8b\u5982\uff1a

    ipset add blacklist 192.0.2.0/24\nipset add blacklist6 2001:db8:114:514::/64\n

    \u4e0e iptables \u7c7b\u4f3c\uff0cipset \u4e5f\u9700\u8981\u6301\u4e45\u5316\u3002\u5c01\u7981\u540d\u5355\u7684\u6587\u4ef6\u4f4d\u4e8e\uff08mirrors4\uff09/usr/local/network_config/iptables/blacklist.list\uff0c\u4fee\u6539\u6b64\u6587\u4ef6\u589e\u51cf\u6761\u76ee\u540e\u8fd0\u884c\u8be5\u76ee\u5f55\u4e0b\u7684 apply.sh \u5373\u53ef\u3002

    \u7531\u4e8e\u5c01\u7981\u4ec5\u5bf9\u65b0\u5efa\u7acb\u7684\u8fde\u63a5\u6709\u6548\uff0c\u8bf7\u5728\u4fee\u6539\u5c01\u7981\u540d\u5355\u540e\uff0c\u4f7f\u7528 ss -K dst \u5bf9\u5e94\u7684\u7f51\u6bb5 \u5173\u95ed\u5df2\u7ecf\u5efa\u7acb\u7684\u8fde\u63a5\uff08\u4f8b\u5982\u5bf9\u4e8e\u4ee5\u4e0a\u4e24\u884c\u89c4\u5219\uff0c\u547d\u4ee4\u5206\u522b\u4e3a ss -K dst 192.0.2.0/24 \u4e0e ss -K dst 2001:db8:114:514::/64\uff09\u3002

    "},{"location":"services/mirrors/limiter/#ipset-persistent","title":"ipset \u6301\u4e45\u5316","text":"

    \u6211\u4eec\u4f7f\u7528\u8f6f\u4ef6\u6e90\u91cc\u7684 ipset-persistent \u5305\u6765\u5e2e\u52a9 ipset \u5728\u5f00\u673a\u65f6\u81ea\u52a8\u6062\u590d\uff0c\u8be5\u8f6f\u4ef6\u5305\u4f1a\u5728\u5f00\u673a\u52a0\u8f7d iptables \u524d\u5148\u4ece /etc/iptables/ipsets \u4e2d\u6062\u590d ipset \u4ee5\u786e\u4fdd iptables \u4e2d\u7684\u5f15\u7528\u80fd\u6b63\u786e\u5904\u7406\u3002

    \u56e0\u4e3a ipset-persistent \u5728\u5f00\u673a\u65f6\u81ea\u52a8\u52a0\u8f7d\uff0c\u6211\u4eec\u9009\u62e9\u4ec5\u52a0\u8f7d\u4e00\u4e2a\u8f83\u5c0f\u7684\u5b50\u96c6\uff0c\u5305\u542b\u5fc5\u8981\u914d\u7f6e\uff08create set\uff09\u548c\u8f83\u5c11\u53d1\u751f\u53d8\u5316\u7684\u5185\u5bb9\uff08\u5982 ustcnet \u7684\u7f51\u6bb5\uff09\u3002\u76ee\u524d /etc/iptables/ipsets \u5305\u542b\u4ee5\u4e0b\u5185\u5bb9\uff1a

    create ustcnet hash:net family inet hashsize 1024 maxelem 65536\ncreate f2b-sshd hash:ip family inet hashsize 1024 maxelem 65536 timeout 3600\ncreate blacklist hash:net family inet hashsize 1024 maxelem 65536\ncreate blacklist6 hash:net family inet6 hashsize 1024 maxelem 65536\n\nadd ustcnet 202.38.64.0/19\n# more ustcnet entries...\n
    "},{"location":"services/mirrors/mail-list/","title":"Mail List","text":"

    Plugin Email Subscribers & Newsletters on servers.ustclug.org sends a mail to Google Group when a new article posted on mirrors catalogue.

    The mails are sent from servers@ustclug.org, which is a member of Google Group with write permission.

    Google Group: ustc-mirrors@googlegroups.com

    "},{"location":"services/mirrors/zfs/","title":"ZFS","text":""},{"location":"services/mirrors/zfs/#configuration","title":"Configuration","text":"

    /etc/modprobe.d/zfs.conf

    options zfs zfs_arc_max=137438953472\noptions zfs l2arc_write_max=52428800\noptions zfs zfs_arc_meta_min=17179869184\noptions zfs l2arc_noprefetch=0\n

    refer to man zfs-module-parameters.

    "},{"location":"services/mirrors/zfs/#common-operations","title":"Common Operations","text":""},{"location":"services/mirrors/zfs/#get-zpool-status","title":"Get zpool status","text":"
    zpool status\n
    "},{"location":"services/mirrors/zfs/#get-io-status","title":"Get IO status","text":"
    zpool iostat -v 1\n
    "},{"location":"services/mirrors/zfs/#replace-disk","title":"Replace Disk","text":"
    zpool replace pool0 old-disk new-disk\n
    "},{"location":"services/mirrors/zfs/#new-zfs-file-system","title":"New ZFS file system","text":"
    zfs create [-o mountpoint=$mountpoint] $filesystem\n

    Example:

    zfs create -o mountpoint=/srv/repo/debian pool0/repo/debian\n

    If mountpoint is not specified, then it's inherited from the parent with a subpath appended, e.g. when pool0/example is mounted on /mnt/haha then pool0/example/test will by default mount on /mnt/haha/test.

    "},{"location":"services/mirrors/zfs/#destory-zfs-file-system","title":"Destory ZFS file system","text":"
    zfs destroy $filesystem\n

    Example:

    zfs destroy pool0/repo/debian\n
    "},{"location":"services/mirrors/zfs/#traps","title":"Traps","text":"

    Do NOT install zfs-dkms and related packages from Debian backports repositories. They'll easily break when upgrading.

    As of Debian Buster the ZFS packages from the mainstream repository is stable and new enough for our use.

    \u4ecd\u7136\u5efa\u8bae\u5b89\u88c5 Backports \u7248\u672c\u7684 ZFS\u3002\u300cStable \u8d8a\u5f80\u540e\uff08\u5bf9 ZFS \u76f8\u5173\u8f6f\u4ef6\u5305\u7684\uff09\u7ef4\u62a4\u8d8a\u5f31\u300d\uff0c\u4ece\u800c\u5bfc\u81f4 stable \u7684 ZFS \u53cd\u800c\u8d28\u91cf\u4e0d\u5982 backports \u7248\u672c\u7684\u3002
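
Review bot: the Traps entry of the ZFS record is indexed as three consecutive statements that contradict each other. The first says not to install zfs-dkms from Debian backports, the second says the Buster mainline packages are stable and new enough, and the final sentence recommends the backports build after all. If the first two are superseded, the page source should say so in words or drop them, since no styling that might set them apart is visible in the indexed text. The same record carries the heading typo "Destory ZFS file system" together with the anchor #destory-zfs-file-system; correcting the heading changes the anchor, so existing links to it need to keep working.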

    "},{"location":"services/mirrors/1/","title":"mirrors1","text":"

    mirrors1 \u662f 2011 \u5e74\u7f51\u7edc\u4fe1\u606f\u4e2d\u5fc3\u63d0\u4f9b\u7ed9 LUG \u7528\u4f5c\u521d\u4ee3 mirrors.ustc.edu.cn \u670d\u52a1\u7684\u673a\u5668\uff0c\u662f\u4e00\u53f0\u66d9\u5149 i620r-G

    \u53c2\u6570 \u914d\u7f6e CPU Intel(R) Xeon(R) CPU E5620 @ 2.40GHz x 2 \u5185\u5b58 48 GB \u5b58\u50a8 LSI Logic MegaRAID SAS 8708EM2 x 2 DFT RS-3016I-S/D30 \u78c1\u76d8\u9635\u5217 \u7f51\u7edc Ethernet Intel 82574L Gigabit x 2

    \u7528\u6237\u624b\u518c

    \u7531\u4e8e\u672c\u6587\u7f16\u5199\u65f6\uff082020 \u5e74\uff09\u8be5\u670d\u52a1\u5668\u65e9\u5df2\u4e0d\u518d\u7528\u4f5c mirrors\uff08\u73b0\u5728\u662f esxi-5\uff09\uff0c\u56e0\u6b64\u66f4\u591a\u7684\u4fe1\u606f\u6682\u65e0\u4ece\u8003\u5bdf\u3002

    "},{"location":"services/mirrors/2/","title":"mirrors2","text":"

    2016 \u5e74\u5e95\u4ece\u7f51\u7edc\u4fe1\u606f\u4e2d\u5fc3\u83b7\u5f97\u7684\u65b0\u673a\u5668\uff0c\u8fd0\u884c\u81f3\u4eca\uff0c\u627f\u62c5\u4e86\u76ee\u524d mirrors \u7684 rsync \u6d41\u91cf\u3002

    \u53c2\u6570 \u914d\u7f6e CPU \u53cc\u8def E5-2620 v4 \u5185\u5b58 256GB DDR4 \u5b58\u50a8 6T*12(HDD), 250G*2(SSD) \u7f51\u7edc 1 Gbps * 2

    \u66d9\u5149 I620-G20 \u5bfc\u822a\u5149\u76d8

    "},{"location":"services/mirrors/2/networking/","title":"Networking on mirrors2","text":"

    mirrors2 \u4e0a\u7684\u7f51\u7edc\u4f7f\u7528\u9ed8\u8ba4\u7684 ifupdown \u914d\u7f6e\u3002

    \u5728 /etc/network/interfaces.d \u4e2d\u5b58\u653e\u7740\u63a5\u53e3\u914d\u7f6e\uff0c\u4f7f\u7528 ifup/ifdown \u6765\u542f\u7528/\u505c\u7528\u67d0\u4e00\u63a5\u53e3\u3002

    \u91cd\u542f\u6240\u6709\u7f51\u7edc\u63a5\u53e3

    \u5728\u67d0\u6b21 mirrors2 \u79bb\u7ebf\u6545\u969c\u4e2d\uff0c\u8bef\u64cd\u4f5c\u7684 systemctl restart networking \u8fd4\u56de\u4e86\u5931\u8d25\u7684\u7ed3\u679c\uff0c\u4ece\u800c\u5bfc\u81f4\u4e86 mirrors2 \u4ece\u67d0\u4e00\u7f51\u7edc\u63a5\u53e3\u65ad\u5f00\uff08\u731c\u6d4b\uff09\uff08\u5b9e\u9645\u539f\u56e0\u89c1\u4e0b\uff09\uff0c\u91cd\u542f\u6240\u6709\u63a5\u53e3\u4fee\u590d\u4e86\u95ee\u9898\uff1aifdown -a && ifup -a

    \u5b9e\u9645\u539f\u56e0\u662f bridge interface \u8fde\u63a5\u7684\u90a3\u4e2a interface \u5728 ifupdown \u7684 config \u91cc\u7684\u914d\u7f6e\u65b9\u5f0f\u662f static \u7684\uff0c\u5728\u542f\u7528 bridge interface \u65f6\u4f1a\u81ea\u52a8\u66f4\u6539\u914d\u7f6e\u5bfc\u81f4 offline\u3002\u6539\u6210 manual \u7981\u6b62\u5b83\u7684\u81ea\u52a8\u884c\u4e3a\u4e4b\u540e\u5c31\u6ca1\u4e8b\u4e86\u3002

    "},{"location":"services/mirrors/3/","title":"mirrors3","text":"

    2020 \u5e74\u521d\u4ece\u56fe\u4e66\u9986\u6280\u672f\u90e8\u83b7\u5f97\u7684\u4e00\u53f0\u65e7\u670d\u52a1\u5668\uff0c\u4e3a\u6234\u5c14 PowerEdge R510\uff0c\u8d1f\u8f7d\u6bd4\u8f83\u6742\u4e71\u3002

    \u53c2\u6570 \u914d\u7f6e CPU \u53cc\u8def\u81f3\u5f3a E5620 \u5185\u5b58 32 GB DDR3 \u5b58\u50a8 1 TB*2 (HDD), 2 TB*5 (HDD), 3 TB*1 (HDD) 1 TB (SAS HDD), 1.8 TB* 3 (SATA HDD), 1 TB (SATA HDD) \u540c\u53cb iSCSI \u9635\u5217\uff0c4 TB*16 (HDD) \u7f51\u7edc 1 Gbps * 2

    \u5b58\u50a8\u7ed3\u6784\uff1a

    \u6ce8\u610f\u4e8b\u9879

    \u7531\u4e8e PERC 6/i \u9635\u5217\u5361\u7684\u9650\u5236\uff0c\u7269\u7406\u78c1\u76d8\u5927\u5c0f\u6700\u5927\u652f\u6301 2TB\uff08SAS 4TB \u76d8\u65e0\u6cd5\u8bc6\u522b\u5927\u5c0f\uff09\u3002\u5728\u5c06 SAS \u574f\u76d8\u79fb\u9664\u540e\uff0c\u76ee\u524d\uff082022/5/10\uff09rootfs VD \u5904\u4e8e degraded \u72b6\u6001\u3002

    PERC H700 \u9635\u5217\u5361\u7531\u4e8e\u7f3a\u5c11\u4e24\u6839 SAS \u8f6c\u63a5\u7ebf\uff0c\u5e76\u4e14 mirrors3 \u673a\u67b6\u524d\u53f3\u4fa7\u8f68\u9053\u5904\u65e0\u6cd5\u89e3\u9664\u9501\u5b9a\uff0c\u4e14\u66f4\u6362\u9635\u5217\u5361\u9700\u8981\u5c06\u5176\u4ed6\u6269\u5c55\u5361\u5168\u90e8\u79fb\u9664\uff08\u53c2\u89c1 PowerEdge R510 \u786c\u4ef6\u7528\u6237\u624b\u518c\uff09\uff0c\u7ed9\u65b0\u9635\u5217\u5361\u5b89\u88c5\u5e26\u6765\u4e86\u5f88\u5927\u7684\u96be\u5ea6\u3002

    1 TB * 2

    \u4f4d\u4e8e\u673a\u8eab\uff0c\u7ec4\u6210 RAID1 \u5b89\u88c5\u64cd\u4f5c\u7cfb\u7edf\uff0c\u6302\u8f7d\u4e3a rootfs

    2 TB * 5 + 3 TB * 1

    \u540c\u6837\u4f4d\u4e8e\u673a\u8eab\uff0c\u7ec4\u6210 RAID6 \u5b58\u653e\u8d44\u6599\uff08\u6240\u4ee5\u552f\u4e00\u4e00\u5757 3 TB \u7684\u786c\u76d8\u5b9e\u9645\u4e0a\u5f53\u505a 2 TB \u7684\u6765\u7528\uff09

    \u5916\u90e8\u9635\u5217\uff0c4 TB * 16

    \u901a\u8fc7 SFP+ \u5149\u7ea4\u6302\u8f7d\u4e3a iSCSI \u8bbe\u5907\uff0c\u5206\u4e3a\u4e24\u7ec4 RAID60\uff08\u53ef\u7528\u5bb9\u91cf\u4e3a 12 \u5757\u76d8\uff09\u5b58\u50a8\u8d44\u6599

    "},{"location":"services/mirrors/4/","title":"mirrors4","text":"

    mirrors4 \u662f 2020 \u5e74 3 \u6708 24 \u65e5\u7f51\u7edc\u4fe1\u606f\u4e2d\u5fc3\u63d0\u4f9b\u7ed9 LUG \u7684\u65b0\u673a\u5668\uff0c\u662f\u4e00\u53f0\u6d6a\u6f6e NF5280M5\u3002

    "},{"location":"services/mirrors/4/#_1","title":"\u786c\u4ef6\u914d\u7f6e","text":"CPU

    \u53cc\u8def Intel Xeon Gold 6230

    \u5185\u5b58

    256 GB DDR4 2933 (8 * 32 GB SKHynix)

    \u786c\u76d8

    \u4e00\u5757\u4e09\u661f PM883 2TB

    12 \u5757 HGST HUH721010AL (10 TB)

    \u4e24\u4e2a\u786c\u76d8\u63a7\u5236\u5668 MegaRAID SAS-3 3108

    \u786c\u76d8\u63a7\u5236\u5668

    \u7531\u4e8e\u4e0d\u80fd\u8de8\u63a7\u5236\u5668\u7ec4 RAID \u6216 LUN\uff0c\u4e14\u6bcf\u4e2a\u63a7\u5236\u5668\u53ea\u6709 8 \u4e2a\u63d2\u69fd\uff0c\u56e0\u6b64\u5c06 12 \u5757 HDD \u5206\u4e3a 6 \u5757\u4e00\u7ec4\u63d2\u5728\u4e24\u4e2a\u63a7\u5236\u5668\u4e0a\u7ec4\u6210 RAID6\uff0c\u4ee5\u4e24\u4e2a\u903b\u8f91\u5377\u5448\u73b0\u7ed9\u64cd\u4f5c\u7cfb\u7edf\uff0c\u4e0a\u5c42\u7528 LVM \u5904\u7406\u3002SSD \u5355\u72ec\u521b\u5efa\u4e00\u4e2a\u903b\u8f91\u5377\u7ed9\u64cd\u4f5c\u7cfb\u7edf\u3002

    \u7f51\u5361

    \u677f\u8f7d Intel X722 GbE (4 \u4e2a\u5343\u5146\u7f51\u53e3)

    PCI-e \u6269\u5c55\u5361\uff1aIntel X520 (82599ES) SFP+ (2 \u4e2a\u4e07\u5146\u5149\u53e3)

    "},{"location":"services/mirrors/4/repos/","title":"Repositories","text":"

    mirrors4 \u4e0a\u7684\u4ed3\u5e93\u548c mirrors2/3 \u4e00\u6837\uff0c\u4f4d\u4e8e /srv/repo\u3002\u4ed3\u5e93\u5bb9\u91cf\u4f7f\u7528 XFS \u7684 quota \u529f\u80fd\u76d1\u89c6\u3002

    Todo

    \u9700\u8981\u8865\u5145\uff1a\u5220\u9664\u4ed3\u5e93\u4e0e\u91cd\u547d\u540d\u4ed3\u5e93 (mv \u548c rm \u53ef\u80fd\u592a\u6162\u4e86)

    "},{"location":"services/mirrors/4/repos/#_1","title":"\u6dfb\u52a0\u4e00\u4e2a\u65b0\u4ed3\u5e93","text":""},{"location":"services/mirrors/4/repos/#xfs-project","title":"\u521b\u5efa XFS project","text":"

    \u4e3a\u65b0\u4ed3\u5e93\u521b\u5efa XFS quota \u4ee5\u4fbf\u4e8e\u76d1\u89c6\u5bb9\u91cf\u3002\u9996\u5148\u68c0\u67e5 /etc/projects \u548c /etc/projid\uff0c\u627e\u5230\u5927\u4e8e 1000 \u7684 ID \u5e8f\u5217\uff0c\u627e\u51fa\u4e0b\u4e00\u4e2a ID\uff08\u4f8b\u5982 1111\uff0c\u4e0b\u9762\u4f7f\u7528\u8fd9\u4e2a\u4f5c\u4e3a\u4f8b\u5b50\uff09\u3002

    mkdir /srv/repo/example\n

    \u7f16\u8f91 /etc/projects\uff0c\u52a0\u5165\u5982\u4e0b\u4e00\u884c

    1111:/srv/repo/example\n

    \u7136\u540e\u6267\u884c\uff1a

    xfs_quota -x -c 'project -s 1111'\n

    \u7f16\u8f91 /etc/projid\uff0c\u52a0\u5165\u5982\u4e0b\u4e00\u884c

    example:1111\n

    \u4fe1\u606f

    \u6211\u4eec\u7684\u955c\u50cf\u7ba1\u7406\u5668 Yuki \u6839\u636e\u955c\u50cf\u76ee\u5f55\u7684\u6700\u540e\u4e00\u6bb5\u540d\u79f0\uff08\u5373 basename\uff09\u6765\u4ece XFS \u4e2d\u83b7\u53d6\u5bb9\u91cf\u4fe1\u606f\uff0c\u56e0\u6b64 /etc/projid \u6587\u4ef6\u5185\u5bb9\u6b63\u786e\u624d\u80fd\u4f7f Yuki \u5f97\u5230\u6b63\u786e\u7684\u5bb9\u91cf\u3002

    "},{"location":"services/mirrors/4/repos/#_2","title":"\u4fbf\u6377\u914d\u7f6e\u811a\u672c","text":"
    #!/bin/bash\n\n# Determine largest project ID\nnext_id() {\n  local PROJID=$(cut -d':' -f1 /etc/projects | sort -n | tail -1)\n  echo $((++PROJID))\n}\n\nBASE=\"/srv/repo\"\nreadonly BASE\n\nif [ \"$1\" = \"-m\" ]; then\n  MKDIR=yes\n  shift\nfi\n\nwhile [ $# -ne 0 ]; do\n  N=\"${1//\\//}\"\n  shift\n  if grep -q \"$BASE/$N\\$\" /etc/projects; then\n    echo \"Repo $N exists, skipped.\" >&2\n    continue\n  fi\n\n  if [ ! -e \"$BASE/$N\" ]; then\n    if [ -n \"$MKDIR\" ]; then\n      echo \"Path $BASE/$N does not exist, creating directory.\" >&2\n      mkdir -p \"$BASE/$N\"\n    else\n      echo \"Path $BASE/$N does not exist, ignored.\" >&2\n      continue\n    fi\n  elif [ ! -d \"$BASE/$N\" ]; then\n    echo \"Path $BASE/$N is not a directory, ignored.\" >&2\n    continue\n  fi\n\n  ID=\"$(next_id)\"\n  echo \"$ID:$BASE/$N\" >> /etc/projects\n  echo \"$N:$ID\" >> /etc/projid\n  xfs_quota -x -c \"project -s $ID\" &>/dev/null\n  echo \"Added $N (ID $ID)\"\ndone\n
    "},{"location":"services/mirrors/4/repos/#_3","title":"\u6dfb\u52a0\u540c\u6b65\u914d\u7f6e","text":"

    \u7167\u7740 /home/mirror/repos \u4e0b\u7684\u73b0\u6709\u6587\u4ef6\u81ea\u5df1\u7814\u7a76\u4e00\u4e0b\u5427\uff0c\u8fd9\u4e2a\u4e0d\u96be\u3002\u9700\u8981\u6ce8\u610f\u7684\u5c31\u4e00\u70b9\uff0c\u6587\u4ef6\u540d\u7ed3\u5c3e\u5fc5\u987b\u662f .yaml\uff08\u800c\u4e0d\u80fd\u662f .yml\uff09\uff0c\u8fd9\u662f Yuki \u4ee3\u7801\u91cc\u5199\u7684\u3002

    \u5199\u597d\u65b0\u4ed3\u5e93\u7684\u914d\u7f6e\u6587\u4ef6\u4e4b\u540e\u8fd0\u884c yuki reload\uff0c\u7136\u540e yuki sync <repo> \u5c31\u53ef\u4ee5\u5f00\u59cb\u521d\u6b21\u540c\u6b65\u4e86\u3002

    "},{"location":"services/mirrors/4/repos/#git-srvgit","title":"\u4e3a Git \u7c7b\u578b\u4ed3\u5e93\u6dfb\u52a0\u8f6f\u94fe\u63a5\u81f3 /srv/git","text":"

    git-daemon.service \u6839\u636e /srv/git \u4e0b\u7684\u5185\u5bb9\u5bf9\u5916\u63d0\u4f9b Git \u670d\u52a1\u3002\u6240\u4ee5\u5982\u679c\u662f git \u7c7b\u578b\u7684\u4ed3\u5e93\uff0c\u9700\u8981\u6dfb\u52a0\u8f6f\u94fe\u63a5\uff0c\u5426\u5219\u65e0\u6cd5\u4f7f\u7528 git:// \u7684\u534f\u8bae\u8bbf\u95ee\u3002\uff08http(s):// \u534f\u8bae\u6ca1\u6709\u95ee\u9898\uff09

    Git \u4ed3\u5e93\u670d\u52a1\u7684\u5176\u4ed6\u76f8\u5173\u914d\u7f6e

    \u90e8\u5206\u514b\u9686\u914d\u7f6e (See https://github.com/ustclug/discussions/issues/432)\uff1a

    /etc/gitconfig
    [uploadpack]\n    allowfilter = true\n
    "},{"location":"services/mirrors/4/repos/#quota","title":"\u67e5\u770b quota \u60c5\u51b5","text":"

    \u8fd0\u884c\u4ee5\u4e0b\u547d\u4ee4\uff1a

    xfs_quota -c 'df -h'\n
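
Review bot: in the helper script of the repos record, xfs_quota -x -c "project -s $ID" &>/dev/null throws away all output and its result is never checked, yet the script has already appended to /etc/projects and /etc/projid and goes on to print "Added $N (ID $ID)". A failed project setup therefore leaves entries that look valid while the directory carries no project ID, and the capacity reporting that the record says depends on /etc/projid would be wrong without any warning. Keep stderr visible and confirm the new project with the xfs_quota -c 'df -h' check listed at the end of the record before reporting success. Two smaller points: next_id takes the largest ID in /etc/projects without the "greater than 1000" floor that the manual steps describe, and grep -q "$BASE/$N\$" treats the repository name as a regular expression, so a name containing "." can match a different existing path; comparing the path field literally would be stricter.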
    "},{"location":"services/mirrors/4/volumes/","title":"Volumes on mirrors4","text":"

    \u4ecb\u7ecd\u9875\u8bb2\u8fc7\u4e86\uff0c\u63a7\u5236\u5668\u7684\u5751\u5bfc\u81f4\u4e0d\u80fd\u76f4\u63a5\u628a 12 \u5757\u786c\u76d8\u7ec4\u6210\u4e00\u4e2a\u903b\u8f91\u78c1\u76d8\uff0c\u56e0\u6b64\u6211\u4eec\u5728\u4e0a\u5c42\u4f7f\u7528 LVM \u6765\u89e3\u51b3\u8fd9\u4e2a\u95ee\u9898\u3002

    "},{"location":"services/mirrors/4/volumes/#_1","title":"\u78c1\u76d8\u5206\u533a","text":"

    \u6ce8\u610f

    \u8fd9\u91cc\u7ed9\u51fa\u7684\u547d\u4ee4\u4ec5\u7528\u4e8e\u5c55\u793a\u5206\u533a\uff08\u5377\uff09\u7684\u521b\u5efa\u65b9\u5f0f\uff0c\u9664\u975e\u5b8c\u5168\u91cd\u88c5\uff0c\u5426\u5219\u4e0d\u5e94\u8be5\u6267\u884c\u5176\u4e2d\u4efb\u4f55\u4e00\u6761\u6709\u526f\u4f5c\u7528\u7684\u547d\u4ee4\u3002

    \u64cd\u4f5c\u7cfb\u7edf\u770b\u5230\u4e09\u4e2a\u786c\u76d8\uff1a\u4e24\u4e2a RAID6 \u5927\u76d8\uff0840 TB / 36.4 TiB\uff09\u548c\u4e00\u4e2a SSD\uff082 TB / 1.86 TiB\uff09\u3002\u8bbe\u4e24\u4e2a\u5927\u76d8\u4e3a /dev/sda \u548c /dev/sdb\uff0cSSD \u4e3a /dev/sdc\u3002

    \u7531\u4e8e\u542f\u52a8\u5206\u533a\u4e0d\u80fd\u653e\u5728 LVM \u4e0a\uff0c\u56e0\u6b64\u4ee5\u5982\u4e0b\u65b9\u5f0f\u521b\u5efa\u5206\u533a\uff1a

    root@mirrors4:~# fdisk -l /dev/sda\nDisk /dev/sda: 36.4 TiB, 40001177911296 bytes, 78127300608 sectors\nDisk model: MR9361-8i\nUnits: sectors of 1 * 512 = 512 bytes\nSector size (logical/physical): 512 bytes / 4096 bytes\nI/O size (minimum/optimal): 262144 bytes / 262144 bytes\nDisklabel type: gpt\nDisk identifier: AAAAAAAA-AAAA-AAAA-AAAA-AAAAAAAAAAAA\n\nDevice       Start         End     Sectors  Size Type\n/dev/sda1     2048        4095        2048    1M BIOS boot\n/dev/sda2     4096     1052671     1048576  512M EFI System\n/dev/sda3  1052672 78127300574 78126247903 36.4T Linux LVM\n

    sdb \u7684\u53c2\u6570\u5b8c\u5168\u4e00\u6837\u3002

    \u5b9e\u9645\u7684\u542f\u52a8\u5206\u533a\u4e3a /dev/sda2\uff0c\u5c06\u5176 dd \u5230 /dev/sdb2 \u505a\u5907\u4efd\u3002

    \u7136\u540e\u662f SSD \u7684\u5206\u533a\uff1a

    Disk /dev/sdc: 1.8 TiB, 1919816826880 bytes, 3749642240 sectors\nDisk model: MR9361-8i\nUnits: sectors of 1 * 512 = 512 bytes\nSector size (logical/physical): 512 bytes / 4096 bytes\nI/O size (minimum/optimal): 65536 bytes / 65536 bytes\nDisklabel type: gpt\nDisk identifier: AAAAAAAA-AAAA-AAAA-AAAA-AAAAAAAAAAAA\n\nDevice     Start        End    Sectors  Size Type\n/dev/sdc1   2048 3749642206 3749640159  1.8T Linux LVM\n
    "},{"location":"services/mirrors/4/volumes/#lvm","title":"LVM","text":"

    \u628a sda3 \u548c sdb3 \u90fd\u653e\u8fdb LVM\uff1a

    # fdisk \u5206\u533a\u5b8c\u6bd5\uff0cw \u5199\u5165\u9000\u51fa\npvcreate /dev/sda3 /dev/sdb3\nvgcreate lug /dev/sda3 /dev/sdb3\n

    \u521b\u5efa rootfs\uff0c\u8fd9\u91cc\u4ee5 RAID1 \u7684\u65b9\u5f0f\uff08--type mirror \u6216 --type raid1\uff09\u521b\u5efa\u8fd9\u4e2a\u5206\u533a\uff0c\u8fd9\u6837\u5373\u4f7f sda / sdb \u574f\u6389\u4e00\u6574\u7ec4\u4e4b\u540e\u8fd8\u6709 rootfs \u53ef\u4ee5\u7528\u3002

    lvcreate -n root -L 32G --type mirror -m 2 lug\nmkfs.ext4 /dev/lug/root\n

    \u521b\u5efa home\uff0c\u8fd9\u91cc\u53cd\u6b63\u4e0d\u6015\u574f\uff0c\u7528 RAID0\uff08--type striped \u6216 --type raid0\uff09\u3002

    lvcreate -n root -L 64G --type striped -i 2 lug\nmkfs.ext4 /dev/lug/home\n

    \u521b\u5efa\u653e\u955c\u50cf\u7684\u5206\u533a\uff0c\u8fd9\u6b21\u8981\u7528 xfs

    XFS \u4e0d\u652f\u6301\u7f29\u5c0f

    \u56e0\u6b64\u6211\u4eec\u5728\u521d\u88c5\u65f6\u9009\u62e9\u4e3a\u5176\u5206\u914d 48 TiB \u7684\u7a7a\u95f4\uff0c\u800c\u4e0d\u662f VG lug \u7684\u5269\u4f59\u5168\u90e8\u2014\u2014\u8fd9\u6837\u65b9\u4fbf\u4ee5\u540e\u7ef4\u62a4

    lvcreate -n repo -L 48T --type striped -i 2 lug\nmkfs.xfs /dev/lug/repo\n

    \u5176\u5b9e\u672c\u6765\u8981\u8c03\u4e00\u4e0b\u53c2\u7684\uff0c\u4e0d\u8fc7\u6839\u636e Arch Wiki\uff0cmkfs.xfs \u7684\u9ed8\u8ba4\u53c2\u6570\u5c31\u662f\u6700\u4f18\u7684\uff0c\u6240\u4ee5\u6211\u4eec\u51b3\u5b9a\u4e0d\u52a8\u4e86\u3002

    "},{"location":"services/mirrors/4/volumes/#ssd","title":"SSD","text":"

    SSD \u7684\u7528\u9014\u4e3a\u5b58\u653e Docker \u6570\u636e /var/lib/docker\uff088 GiB \u5c31\u591f\u4e86\uff0c\u4f46\u662f overlay2 \u7684\u540e\u7aef\u7528 ext4 \u66f4\u597d\uff09\uff0c\u5269\u4e0b\u7528\u4f5c lvmcache(7)\u3002

    iBug \u5907\u6ce8

    \u867d\u7136\u4f3c\u4e4e\u6ca1\u6709\u8fd9\u6837\u505a\uff08\u5148\u521b\u5efa\u5355\u72ec\u7684 VG \u518d\u5408\u5e76\uff09\u7684\u5fc5\u8981\uff0c\u4f46\u662f\u8fd9\u4e48\u505a\u4e00\u5b9a\u4e0d\u4f1a\u51fa\u9519\uff0c\u5c31\u8fd9\u6837\u5427\u3002

    \u5728 SSD \u4e0a\u65b0\u5efa\u4e00\u4e2a VG\uff1a

    # fdisk \u521b\u5efa\u552f\u4e00\u4e00\u4e2a\u5206\u533a sdc1\uff0c\u4fdd\u5b58\u9000\u51fa\npvcreate /dev/sdc1\nvgcreate ssd /dev/sdc1\n

    \u521b\u5efa Docker \u6570\u636e\u76d8\uff1a

    lvcreate -L 8G -n docker ssd\nmkfs.ext4 /dev/ssd/docker\n

    \u91cd\u8981\uff1a\u521b\u5efa\u7f13\u5b58\u76d8\u548c\u7f13\u5b58\u5143\u6570\u636e\u76d8\u3002\u6839\u636e Red Hat Documentation \u7684\u4ecb\u7ecd\uff0c\u5148\u624b\u52a8\u521b\u5efa\u6570\u636e\u76d8\u548c\u5143\u6570\u636e\u76d8\uff0c\u7136\u540e\u5c06\u4ed6\u4eec\u5408\u5e76\u4e3a\u4e00\u4e2a cache pool\u3002\u5927\u5c0f\u65b9\u9762\uff0c\u6587\u7ae0\u7684\u53c2\u8003\u662f 2G data \u2194 12M meta\uff0c\u8fd9\u91cc\u6211\u4eec\u6709\u63a5\u8fd1 2 TB \u7684 data\uff0c\u5c31\u5206\u914d 16 GB \u4f5c\u4e3a meta \u5427\u3002

    lvcreate -L 16G -n mcache_meta ssd\nlvcreate -l 100%FREE -n mcache ssd\nlvreduce -l -2048 ssd/mcache\nlvconvert --type cache-pool --poolmetadata ssd/mcache_meta --cachemode writethrough -c 1M --config allocation/cache_pool_max_chunks=2000000 ssd/mcache\n

    \u8fd9\u91cc\u7684\u7f13\u5b58\u6a21\u5f0f\u91c7\u7528 passthrough\uff0c\u5373\u5199\u5165\u52a8\u4f5c\u7ed5\u8fc7\u7f13\u5b58\u76f4\u63a5\u5199\u56de\u539f\u8bbe\u5907\uff08\u5f53\u7136\u5566\uff0c\u5199\u5165\u90fd\u662f\u7531\u4ece\u4e0a\u6e38\u540c\u6b65\u4ea7\u751f\u7684\uff09\uff0c\u53e6\u5916\u4e24\u79cd writeback \u548c writethrough \u90fd\u4f1a\u5199\u5165\u7f13\u5b58\uff0c\u4e0d\u662f\u6211\u4eec\u60f3\u8981\u7684\u3002 passthrough \u6a21\u5f0f\u4e2d\uff0c\u8bfb\u5199\u90fd\u4f1a\u7ed5\u8fc7 cache\uff0c\u552f\u4e00\u7684\u4f5c\u7528\u662f write hit \u4f1a\u4f7f\u5f97 cache \u5bf9\u5e94\u7684\u5757\u5931\u6548\u3002

    \u8fd9\u91cc\u4f7f\u7528 writeback \u6a21\u5f0f\uff0c\u56e0\u4e3a\u4ed3\u5e93\u6570\u636e\u6ca1\u4e86\u8fd8\u80fd\u518d\u540c\u6b65\uff0c\u4f7f\u7528 writeback \u63d0\u5347\u6027\u80fd\u66f4\u5408\u9002\u3002

    \u51fa\u4e8e\u7a33\u5b9a\u8003\u8651\uff0c\u4f7f\u7528 writethrough \u6a21\u5f0f\u3002\uff08\u6211\u4eec\u7684 Cache \u592a\u5927\u4e86\uff0cwriteback \u53ef\u80fd\u4f1a\u5f04\u574f\u4e0d\u5c11\u4e1c\u897f\uff0c\u5982\u679c metadata \u574f\u4e86\u5c31\u66f4\u9ebb\u70e6\u4e86\uff09

    \u5751

    \u76f4\u63a5\u4f7f\u7528 lvconvert(8) \u5c1d\u8bd5\u5408\u5e76\u4f1a\u5bfc\u81f4\u5410\u69fd\uff0c\u8fd9\u662f\u4e0a\u9762 lvreduce(8) \u7684\u539f\u56e0\u3002

    Volume group \"ssd\" has insufficient free space (0 extents): 2048 required.\n

    iBug \u5907\u6ce8

    LVM \u63a8\u8350\u7684\u662f\u4e00\u4e2a\u7f13\u5b58\u6c60\u91cc\u4e0d\u8d85\u8fc7 100 \u4e07\u4e2a chunk\uff08\u8fd9\u4e5f\u662f allocation/cache_pool_max_chunks \u7684\u9ed8\u8ba4\u503c\uff09\uff0c\u4f46\u662f\u8fd9\u6837\u6bcf\u4e2a chunk \u7684\u6700\u5c0f\u5927\u5c0f\u4e3a 1.84 MiB \u592a\u5927\u4e86\uff0c\u8003\u8651\u5230\u6211\u4eec\u6709\u8db3\u591f\u7684 CPU \u548c\u5185\u5b58\uff0c\u8fd9\u91cc\u5c31\u94e4\u800c\u8d70\u9669\u5c1d\u8bd5\u4e00\u4e0b\u8f83\u5927\u7684 chunk count\u3002

    \u5751 2

    \u7f13\u5b58\u76d8\uff08cache pool\uff09\u548c\u88ab\u7f13\u5b58\u7684\u5377\u5fc5\u987b\u5728\u540c\u4e00\u4e2a VG \u4e2d\u3002

    \u5751 3 (taoky \u5907\u6ce8)

    LVM Cache \u7684\u5e95\u5c42\u662f\u5728\u5185\u6838\u5b9e\u73b0\u7684 dm-cache\u3002\u76ee\u524d\u5df2\u77e5\u7684\u5751\u5982\u4e0b\uff1a

    1. \u5f53\u51fa\u73b0 dirty blocks\uff08\u4e14 cache policy \u4e3a cleaner \u65f6\uff09\uff0c\u65e0\u6cd5\u6b63\u5e38 flush\u3002\u7f51\u7edc\u4e0a\u53ef\u4ee5\u627e\u5230\u7684\u8fd9\u4e2a bug \u7684\u89e3\u51b3\u65b9\u6cd5\u662f\u589e\u5927 migration_threshold \u7684\u503c\uff08\u5728\u65b0\u7248\u672c LVM \u4e2d\uff0cmigration_threshold \u9ed8\u8ba4\u81f3\u5c11\u4f1a\u662f chunk size \u7684 8 \u500d\uff0c\u5728\u6211\u4eec\u7684\u914d\u7f6e\u4e0b\u5c31\u662f 16384 = 2048 * 8\u3002\u8fd9\u4e2a\u7248\u672c\u7684 LVM \u6682\u65f6\u4e0d\u5728 Buster \u4e2d\uff09\uff0c\u4f46\u662f\u7ecf\u8fc7\u6d4b\u8bd5\uff0c\u5355\u7eaf\u589e\u5927 migration_threshold \u6ca1\u6709\u4efb\u4f55\u6548\u679c\u3002Jiahao \u7ffb\u4e86\u4e00\u4e0b dm-cache \u7684\u6e90\u4ee3\u7801\uff0c\u53d1\u73b0 flush \u7684\u6761\u4ef6\u5728 https://elixir.bootlin.com/linux/latest/source/drivers/md/dm-cache-target.c#L1649\uff0c\u53ea\u5728\u72b6\u6001\u4e3a IDLE \u65f6\u624d\u4f1a flush\u3002IDLE \u7684\u7b2c\u4e00\u4e2a\u6761\u4ef6\u9700\u8981 inflight io = 0\uff0c\u6bd4\u8f83\u82db\u523b\uff0c\u53ef\u80fd\u662f\u65e0\u6cd5\u6b63\u5e38 flush \u7684\u539f\u56e0\u3002

      \u4e00\u4e2a\u626d\u66f2\u7684\u89e3\u51b3\u65b9\u6cd5\u662f\uff1a\u5148\u628a migration_threshold \u8bbe\u7f6e\u5f97\u5f88\u5927\uff08\u8bbe\u5927\u5c0f\u4e3a x\uff09\uff0c\u7136\u540e\u9a6c\u4e0a\u7f29\u5c0f\uff0c\u8fd9\u6837\u5c31\u80fd\u628a x \u90a3\u4e48\u591a\u5927\u5c0f\u7684\u810f\u5757\u5f04\u6389\uff08\u539f\u7406\u6682\u65f6\u4e0d\u660e\uff0c\u9700\u8981\u8865\u5145\uff09\u3002\u57fa\u4e8e\u8fd9\u4e2a\u65b9\u6cd5\uff0c\u53ef\u4ee5\u5199\u4e00\u4e2a\u811a\u672c\u6765\u505a flush \u7684\u5de5\u4f5c\uff1a

      # dirty hack\nsudo lvchange --cachepolicy cleaner lug/repo\nfor i in `seq 1 1500`; do sudo lvchange --cachesettings migration_threshold=2113536 lug/repo && sudo lvchange --cachesettings migration_threshold=16384 lug/repo && echo $i && sleep 15; done;\n# \u9700\u8981\u786e\u8ba4\u6ca1\u6709\u810f\u5757\u3002\u5982\u679c\u8fd8\u6709\u7684\u8bdd\u7ee7\u7eed\u6267\u884c\uff08\u6b21\u6570\u8c03\u5c0f\u4e00\u4e9b\uff09\n# \u5982\u679c\u662f\u4ece writeback \u5207\u6362\uff0c\u9700\u8981\u5148\u628a\u6a21\u5f0f\u5207\u5230 writethrough\n# \u7136\u540e\u518d\u4fee\u6539 cachepolicy \u5230 smq\nsudo lvchange --cachepolicy smq lug/repo\n

      \u5728\u6267\u884c\u65f6\uff0c\u53ef\u4ee5\u67e5\u770b\uff1a

      sudo dmsetup status lug-repo\n# \u5728 \"metadata2\" \u524d\u9762\u7684\u524d\u9762\u7684\u6570\u5b57\u5c31\u662f dirty block \u7684\u6570\u91cf\n# \u5982\u679c\u4e0d\u5728\u6267\u884c lvchange\uff08\u6ca1\u6709\u8fdb\u7a0b\u62a2\u5360\u4e86 LVM \u7684\u9501\uff09\uff0c\u53ef\u4ee5\u6267\u884c\u4ee5\u4e0b\u547d\u4ee4\u786e\u8ba4\u810f\u5757\u6570\u91cf\u4ee5\u53ca\u5176\u4ed6\u4e00\u4e9b\u53c2\u6570\u3002\nsudo lvs -o name,cache_policy,cache_settings,chunk_size,cache_used_blocks,cache_dirty_blocks /dev/mapper/lug-repo\n
    2. \u6bcf\u6b21 unclean shutdown \u4e4b\u540e\uff0ccache \u4e2d\u6240\u6709\u5757\u90fd\u4f1a\u88ab\u6807\u8bb0\u4e3a dirty\u3002\u5c3d\u7ba1\u4e0d\u592a\u53ef\u80fd\u963b\u585e\u7cfb\u7edf\u542f\u52a8\uff0c\u8fd9\u53ef\u80fd\u4f1a\u7ed9 HDD \u4e00\u5b9a\u7684\u538b\u529b\u3002

    3. \u6269\u5927 lug/repo \u7684\u5927\u5c0f\u524d\u9700\u8981 uncache\uff0c\u4e14 uncache \u7684\u524d\u63d0\u6761\u4ef6\u662f\u6ca1\u6709\u810f\u5757\u3002

    \u5751 4

    \u4fee\u6539 migration_threshold \u7b49\u8bbe\u7f6e\u4f1a\u5bfc\u81f4\u76ee\u524d\u7248\u672c\u7684 GRUB \u65e0\u6cd5\u6b63\u786e\u8bc6\u522b LVM \u5143\u6570\u636e\u3002

    \u4e34\u65f6\u4fee\u590d\u7248\u672c\uff1ahttps://github.com/taoky/grub/releases/tag/2.02%2Bdfsg1-20%2Bdeb10u4taoky3_amd64\u3002\u76ee\u524d\u5df2\u90e8\u7f72\uff0c\u4e14\u8bbe\u7f6e\u4e86 apt hold\u3002

    \u6240\u4ee5\u63a5\u4e0b\u6765\u8981\u5408\u5e76 VG\uff0c\u7136\u540e\u624d\u80fd\u4e3a\u4ed3\u5e93\u5377\u52a0\u4e0a\u7f13\u5b58\u3002

    lvchange -a n ssd/docker\nvgmerge lug ssd\nlvconvert --type cache --cachepool lug/mcache lug/repo\n

    \u63a5\u4e0b\u6765\u6302\u4e0a Docker \u5377\uff08\u6ce8\u610f VG \u540d\u5df2\u7ecf\u4ece ssd \u53d8\u6210\u4e86 lug\uff09\uff1a

    lvchange -a y lug/docker\nmount /dev/lug/docker /var/lib/docker\n
    "},{"location":"services/mirrors/4/volumes/#repo","title":"repo \u6269\u5bb9","text":"

    \u67e5\u770b\u5f53\u524d\u903b\u8f91\u5377\u4fe1\u606f\uff1a

    # lvs -a -o +devices\n  LV              VG  Attr       LSize   Pool     Origin       Data%  Meta%  Move Log         Cpy%Sync Convert Devices\n  backup          lug -wi-ao----   8.00g                                                                       /dev/sda3(6307840)\n  docker          lug -wi-ao----  64.00g                                                                       /dev/sdc1(0)\n  docker2         lug -wi-a----- 300.00g                                                                       /dev/sda3(7925248)\n  home            lug -wi-ao----  64.00g                                                                       /dev/sda3(8192),/dev/sdb3(8193)\n  log             lug -wi-ao---- 300.00g                                                                       /dev/sda3(6309888),/dev/sdb3(6307841)\n  log             lug -wi-ao---- 300.00g                                                                       /dev/sda3(7888896),/dev/sdb3(7882753)\n  [lvol0_pmspare] lug ewi-------  16.00g                                                                       /dev/sda3(7884800)\n  [mcache]        lug Cwi---C---   1.50t                       99.99  0.12                    0.00             mcache_cdata(0)\n  [mcache_cdata]  lug Cwi-ao----   1.50t                                                                       /dev/sdc1(20480)\n  [mcache_cmeta]  lug ewi-ao----  16.00g                                                                       /dev/sdc1(16384)\n  repo            lug Cwi-aoC---  60.00t [mcache] [repo_corig] 99.99  0.12                    0.00             repo_corig(0)\n  [repo_corig]    lug owi-aoC---  60.00t                                                                       /dev/sda3(16384),/dev/sdb3(16385)\n  [repo_corig]    lug owi-aoC---  60.00t                                                                       /dev/sda3(6311936),/dev/sdb3(6309889)\n  root            lug mwi-aom---  32.00g                                          
[root_mlog] 100.00           root_mimage_0(0),root_mimage_1(0)\n  [root_mimage_0] lug iwi-aom---  32.00g                                                                       /dev/sda3(0)\n  [root_mimage_1] lug iwi-aom---  32.00g                                                                       /dev/sdb3(0)\n  [root_mlog]     lug lwi-aom---   4.00m                                                                       /dev/sdb3(8192)\n

    \u68c0\u67e5 cache \u662f\u5426\u6709 dirty block\uff1a

    $ sudo lvs -o name,cache_policy,cache_settings,chunk_size,cache_used_blocks,cache_dirty_blocks /dev/mapper/lug-repo\n  LV   CachePolicy CacheSettings Chunk CacheUsedBlocks  CacheDirtyBlocks\n  repo smq                       1.00m          1048551                0\n

    \uff08\u6b63\u5e38\u91cd\u542f\u4e4b\u540e\u53ef\u80fd\u4f1a\u51fa\u73b0 dirty block\uff0c\u539f\u56e0\u4e0d\u660e\u3002\u5982\u679c\u770b\u5230\u6709\u7684\u8bdd\uff0c\u90a3\u53ea\u80fd \u518d\u6b21\u8fdb\u5165\u75db\u82e6\u7684\u8f6e\u56de \u7528\u4e0a\u8ff0\u7684\u65b9\u6cd5\u6e05\u9664\uff0c\u5e76\u4e14\u6e05\u9664\u7684\u65f6\u5019\u5bf9\u7cfb\u7edf\u8d1f\u8f7d\u5f71\u54cd\u5f88\u5927\uff0c\u56e0\u4e3a\u843d\u76d8\u7684\u65f6\u5019\u5176\u4ed6\u8fdb\u7a0b\u5bf9\u5e94\u7684 IO \u4f1a\u88ab\u6682\u505c\uff0c\u5728\u76f8\u5bf9\u5e73\u8861\u65f6\u95f4\u548c\u8d1f\u8f7d\u7684\u547d\u4ee4\u4e0b\uff0c\u4f30\u8ba1\u9700\u8981 10 \u5c0f\u65f6\u7684\u65f6\u95f4\u3002\uff09

    \u7136\u540e uncache\u3001\u6269\u5bb9\uff1a

    # lvconvert --uncache lug/repo\n# lvextend -L +5T lug/repo\n# xfs_growfs /srv\n

    \u7136\u540e\u6062\u590d cache\uff08\u53c2\u8003\u4e0a\u9762 mcache_meta \u548c mcache \u903b\u8f91\u5377\u7684\u914d\u7f6e\uff0c\u8bf7\u6ce8\u610f\u5728\u7406\u89e3\u547d\u4ee4\u540e\u518d\u6267\u884c\uff01\uff09\uff1a

    # lvcreate -L 16G -n mcache_meta lug /dev/sdc1  # SSD \u8bbe\u5907\u8def\u5f84\u91cd\u542f\u540e\u53ef\u80fd\u4f1a\u53d8\u5316\n# lvcreate -l 100%FREE -n mcache lug /dev/sdc1\n# lvreduce -l -2048 lug/mcache\n# lvconvert --type cache-pool --poolmetadata lug/mcache_meta --cachemode writethrough -c 1M --config allocation/cache_pool_max_chunks=2000000 lug/mcache\n# lvconvert --type cache --cachepool lug/mcache lug/repo\n

    \u5751 5

    \u65b0\u5efa\u65f6\u5728\u5012\u6570\u7b2c\u4e8c\u6b65\u7684 lvconvert \u53ef\u80fd\u4f1a\u5361\u6b7b\u8d85\u8fc7\u534a\u5c0f\u65f6\uff08\u4f46\u662f\u6700\u540e\u8fd8\u662f\u80fd\u5b8c\u6210\u7684\uff09\uff0c\u6808\u7684\u4fe1\u606f\u663e\u793a\u6808\u9876\u51fd\u6570\u662f submit_bio_wait()\uff0c\u5728\u6e05\u96f6\u5bf9\u5e94\u7684 block range\uff0c\u56e0\u4e3a RAID \u5361\u4e0d\u652f\u6301\u4e0b\u4f20 discarding \u6240\u4ee5\u4f1a\u5f88\u6162\uff0c\u9700\u8981\u7b49\u4e00\u6bb5\u65f6\u95f4\u3002

    "},{"location":"services/mirrors/4/volumes/#fstab","title":"fstab","text":"

    \u5206\u533a\u5b8c\u6bd5\u540e\u7ed9 /etc/fstab \u8865\u4e0a\u76f8\u5173\u7684\u5185\u5bb9\u5e76\u6302\u8f7d\uff1a

    /dev/mapper/lug-home   /home           ext4 defaults             0 2\n/dev/mapper/lug-docker /var/lib/docker ext4 defaults             0 2\n/dev/mapper/lug-repo   /srv            xfs  defaults,pqnoenforce 0 2\n/dev/mapper/lug-log    /var/log        ext4 defaults             0 2\n

    \uff08\u8fd9\u4e2a log \u5206\u533a\u524d\u9762\u6ca1\u63d0\uff0c\u53cd\u6b63\u50cf\u6a21\u50cf\u6837\u77e5\u9053\u5c31\u884c\u4e86\uff09
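
Review bot: two lvcreate lines in the LVM part of the volumes record do not match the text around them. lvcreate -n root -L 64G --type striped -i 2 lug is introduced as the home volume and is followed by mkfs.ext4 /dev/lug/home, so the name should be -n home; as written it collides with the root LV created just before it. lvcreate -n root -L 32G --type mirror -m 2 lug requests two mirror images in addition to the original, which is three copies, while the VG holds only sda3 and sdb3 at that point and the lvs listing later in the record shows just root_mimage_0 and root_mimage_1; -m 1 is what matches. Separately, the three paragraphs after the cache-pool lvconvert name passthrough, writeback and writethrough in turn as the mode in use, while the command itself passes --cachemode writethrough; the text should state the current mode once and mark the other two as earlier decisions.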

    "},{"location":"services/mirrors/4/networking/","title":"Networking on mirrors4","text":"

    \u51fa\u4e8e\u597d\u7528\u7684\u8003\u8651\uff0cmirrors4 \u4e0a\u7684\u7f51\u7edc\u4f7f\u7528 systemd-networkd \u914d\u7f6e\u3002\u4f5c\u4e3a\u5165\u95e8\uff0c\u4e0b\u9762\u662f\u4e24\u4e2a\u53c2\u8003\u94fe\u63a5\uff1a

    Debian \u9ed8\u8ba4\u7528\u7684\u662f ifupdown\uff0c\u628a\u5b83\u76f4\u63a5\u5378\u6389\u5c31\u884c\u4e86\u3002\u5168\u90e8\u914d\u7f6e\u5b8c\u6bd5\u4e4b\u540e\u9700\u8981 systemctl enable systemd-networkd.service \u5e76\u4e14 start \u4e00\u4e0b\uff08\u6216\u8005\u76f4\u63a5\u91cd\u542f\uff09\u3002

    /etc/systemd/network \u76ee\u5f55\u4e0b\u6709\u4e2a Git \u4ed3\u5e93\uff0c\u65b9\u4fbf\u4fdd\u5b58\u4e0e\u6062\u590d

    "},{"location":"services/mirrors/4/networking/#bond","title":"Bond","text":"

    Bond \u7528\u4e8e\u5c06\u591a\u4e2a\u7f51\u5361\u805a\u5408\u5f53\u4f5c\u4e00\u4e2a\u4f7f\u7528\u3002

    "},{"location":"services/mirrors/4/networking/#_1","title":"\u5b50\u7f51\u5361","text":"

    \u5411 /etc/systemd/network/ens41f0.network \u5199\u5165\u5982\u4e0b\u5185\u5bb9\uff1a

    [Match]\nName=ens41f0\n\n[Network]\nBond=bond1\n\n[Link]\nRequiredForOnline=no\n

    \u5373\u53ef\u5c06\u5176\u8bbe\u7f6e\u4e3a bond1 \u7684\u4e00\u4e2a\u5b50\u7f51\u5361\u3002\u7528\u540c\u6837\u65b9\u5f0f\u628a ens41f1 \u4e5f\u8bbe\u4e3a\u5b50\u7f51\u5361\u3002

    \u4e00\u4e2a\u5c0f\u5751

    systemd-networkd \u6709\u4e00\u4e2a\u9ed8\u8ba4\u7684 bond0 \u805a\u5408\u7f51\u5361\uff0c\u6a21\u5f0f\u6c38\u8fdc\u662f round-robin\uff0c\u800c\u4e14\u5c1d\u8bd5\u8bbe\u7f6e\u8fd9\u4e2a\u7f51\u5361\u5f88\u5bb9\u6613\u51fa\u95ee\u9898\uff0c\u6240\u4ee5\u6211\u4eec\u907f\u5f00\u8fd9\u4e2a\u540d\u5b57\uff0c\u7528 bond1\u3002

    "},{"location":"services/mirrors/4/networking/#bond1","title":"bond1 \u805a\u5408\u7f51\u5361","text":"

    \u5199\u5165 /etc/systemd/network/bond1.netdev\uff1a

    [NetDev]\nName=bond1\nKind=bond\n\n[Bond]\nMode=balance-tlb\nMIIMonitorSec=1\n

    \u5173\u4e8e bond \u6a21\u5f0f\uff08balance-tlb vs balance-alb\uff09\uff0c\u53c2\u8003\u8fd9\u4e2a Server Fault \u4e0a\u7684\u56de\u7b54\u3002

    \u7136\u540e\u521b\u5efa VLAN\uff0c\u5199\u5165 /etc/systemd/network/bond1.network\uff1a

    [Match]\nName=bond1\n\n[Network]\nDHCP=no\nVLAN=cernet\nVLAN=telecom\nVLAN=mobile\nVLAN=unicom\n
    "},{"location":"services/mirrors/4/networking/#vlan","title":"VLAN","text":"

    NIC \u673a\u623f\u6709 4 \u4e2a VLAN\uff0c\u5206\u522b\u662f

    \u6ce8\u610f\u8fd9\u51e0\u4e2a\u7f51\u6bb5\u90fd\u6ca1\u6709 DHCP\uff0c\u53ea\u6709\u6559\u80b2\u7f51 VLAN \u6709 IPv6 RA\u3002

    \u4e0b\u9762\u4ee5\u6559\u80b2\u7f51 VLAN \u4e3a\u4f8b\u3002

    \u56e0\u4e3a VLAN \u5728\u7269\u7406\u4e0a\u5c5e\u4e8e\u4e00\u4e2a\u7f51\u5361\uff0c\u56e0\u6b64\u5411\u5bf9\u5e94\u7f51\u5361\u7684 .network \u6587\u4ef6\u7684 [Network] \u6bb5\u8ffd\u52a0\u4e00\u884c\uff08\u89c1\u4e0a\u9762\u4e00\u8282 bond1.network \u6587\u4ef6\uff09\uff1a

    VLAN=cernet\n

    \u521b\u5efa VLAN \u754c\u9762\uff0c\u521b\u5efa cernet.netdev \u5e76\u5199\u5165

    [NetDev]\nName=cernet\nKind=vlan\n\n[VLAN]\nId=95\n

    \u7136\u540e\u5c31\u53ef\u4ee5\u6307\u5b9a IP \u5730\u5740\u7b49\u5177\u4f53\u4fe1\u606f\u4e86\uff0c\u521b\u5efa\u4e00\u4e2a\u540d\u5b57\u76f8\u540c\uff0c\u540e\u7f00\u6362\u6210 .network \u7684\u6587\u4ef6\u5e76\u5199\u5165

    [Match]\nName=cernet\n\n[Network]\nDHCP=no\nAddress=202.38.95.110/25\n#Gateway=202.38.95.126\nAddress=2001:da8:d800:95::110/64\n#Gateway=2001:da8:d800:95::1\nIPv6AcceptRA=false\n

    \u4fdd\u5b58\u540e\u91cd\u542f systemd-networkd.service \u5c31\u53ef\u4ee5\u770b\u5230\u6548\u679c\u4e86\u3002

    \u4e3a\u4ec0\u4e48 Gateway \u88ab\u6ce8\u91ca\u6389\u4e86

    \u6839\u636e systemd \u5b98\u65b9\u6587\u6863\uff0c\u5728 [Network] \u4e00\u8282\u51fa\u73b0\u7684 Gateway= \u7b49\u4ef7\u4e8e\u4e00\u4e2a\u5355\u72ec\u7684\u3001\u4ec5\u5305\u542b\u4e00\u884c Gateway= \u7684 [Route] \u8282\u3002\u7531\u4e8e\u6211\u4eec\u9700\u8981\u6df1\u5ea6\u81ea\u5b9a\u4e49\u8def\u7531\uff0c\u8fd9\u91cc\u4e0d\u65b9\u4fbf\u91c7\u7528\u8fd9\u4e2a\u8fc7\u4e8e\u7b80\u6d01\u7684\u8bbe\u5b9a\uff08\u4f8b\u5982\u5404\u79cd\u9ed8\u8ba4\u503c Table=main \u7b49\uff09\u3002

    "},{"location":"services/mirrors/4/networking/#docker-network","title":"Docker network","text":"

    \u9488\u5bf9\u4e2a\u522b\u4e0d\u652f\u6301 bind address \u7684\u540c\u6b65\u5de5\u5177\uff0c\u6211\u4eec\u901a\u8fc7\u5c06\u5176\u653e\u5165\u7279\u5b9a\u7684 docker network \u6765\u5b9e\u73b0\u9009\u62e9\u7ebf\u8def\u7684\u529f\u80fd\u3002

    \u521b\u5efa\u547d\u4ee4
    docker network create --driver=bridge --subnet=172.17.4.1/24 -o \"com.docker.network.bridge.name=dockerC\" cernet\ndocker network create --driver=bridge --subnet=172.17.5.1/24 -o \"com.docker.network.bridge.name=dockerT\" telecom\ndocker network create --driver=bridge --subnet=172.17.6.1/24 -o \"com.docker.network.bridge.name=dockerM\" mobile\ndocker network create --driver=bridge --subnet=172.17.7.1/24 -o \"com.docker.network.bridge.name=dockerU\" unicom\ndocker network create --driver=bridge --ipv6 --subnet=172.17.8.1/24 --subnet=fd00:6::/64 -o \"com.docker.network.bridge.name=dockerC6\" cernet6\ndocker network create --driver=bridge --subnet=172.17.9.1/24 -o \"com.docker.network.bridge.name=dockerV\" lugvpn\n

    \u7136\u540e\u4f7f\u7528 systemd-networkd \u5bf9\u521b\u5efa\u597d\u7684 docker network \u7f51\u6bb5\u914d\u7f6e\u89c4\u5219\u8def\u7531\u3002

    /etc/systemd/network/cernet.network
    # Docker Cernet\n[RoutingPolicyRule]\nFrom=172.17.4.0/24\nTable=1011\nPriority=5\n\n[RoutingPolicyRule]\nFrom=172.17.8.0/24\nTable=1011\nPriority=5\n

    \u5176\u4ed6\u51e0\u4e2a\u6587\u4ef6\u7c7b\u4f3c\uff0c\u53ea\u9700\u8981\u4fee\u6539\u7f51\u6bb5\u548c Table \u5373\u53ef\u3002

    "},{"location":"services/mirrors/4/networking/#docker-network-cernet6","title":"Docker network: cernet6","text":"

    \u7531\u4e8e\u4e00\u4e9b\u7a0b\u5e8f\u6216\u7cfb\u7edf\u73af\u5883\u5728\u53cc\u6808\u7f51\u7edc\u4e2d\u4ecd\u7136\u4f1a\u4f18\u5148\u5c1d\u8bd5 IPv4\uff0c\u6211\u4eec\u5c06 cernet6 \u7f51\u7edc\u7684 v4 \u516c\u7f51\u8bbf\u95ee\u5c4f\u853d\u6389\u3002

    rules.v4
    *filter\n:FORWARD DROP [0:0]\n# ...\n-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n-A FORWARD -i dockerC6 -j REJECT\n-A FORWARD -i docker+ -j ACCEPT\n
    "},{"location":"services/mirrors/4/networking/misc/","title":"mirrors \u7f51\u7edc\u914d\u7f6e\u6742\u9879","text":""},{"location":"services/mirrors/4/networking/misc/#sniproxy","title":"sniproxy","text":"

    Sniproxy \u7528\u4e8e\u4e3a Docker \u5bb9\u5668\u63d0\u4f9b\u65b9\u4fbf\u7684 HTTP(S) \u7f51\u7edc\u5206\u6d41\u3002\u76ee\u524d\u5728 mirrors \u4e0a\u7528\u4e8e\u4e3a dockerhub \u5bb9\u5668\u63d0\u4f9b\uff08\u5230 Cloudflare \u7684\uff09IPv6 \u63a5\u5165\uff08Docker \u505a IPv6 NAT \u975e\u5e38\u4e0d\u65b9\u4fbf\uff0c\u6240\u4ee5\u4ee5\u6b64\u4e3a\u6743\u5b9c\u4e4b\u4e3e\uff09\uff0c\u4ee5\u63d0\u9ad8\u6821\u5185\u8bbf\u95ee\u65f6\u7684\u901f\u5ea6\u3002

    "},{"location":"services/mirrors/4/networking/misc/#_1","title":"\u914d\u7f6e","text":"

    \u5b89\u88c5 sniproxy\uff0c\u5e76\u4e14 mask \u539f\u670d\u52a1\u914d\u7f6e\uff08\u6211\u4eec\u81ea\u5df1\u5199\u4e00\u4e2a\uff09\uff1a

    sudo apt install sniproxy\nsudo mkdir -p /etc/sniproxy\nsudo systemctl mask sniproxy.service\n

    \u521b\u5efa /etc/systemd/system/sniproxy@.service\uff1a

    [Unit]\nDescription=SNIProxy (%i.conf)\nAfter=network.target network-online.target\nStartLimitIntervalSec=1\n\n[Service]\nType=simple\nExecStart=/usr/sbin/sniproxy -f -c /etc/sniproxy/%i.conf\nRestart=on-failure\nRestartSec=3\n\n[Install]\nWantedBy=multi-user.target\n

    \u5728 /etc/sniproxy \u4e2d\u521b\u5efa\u914d\u7f6e\u3002\u4ee5\u4e0b\u4e3a IPv6 + TLS (443) only \u7684\u914d\u7f6e\u4f8b\u5b50\uff1a

    resolver {\n    nameserver 2001:da8:d800::1\n    mode ipv6_only\n}\n\naccess_log {\n    filename /dev/null\n}\n\nlisten <Bind \u5230\u7684 IP \u5730\u5740>:443 {\n    proto tls\n    reuseport yes\n    table all\n    source <IPv6 \u51fa\u53e3\u5730\u5740>\n}\n\ntable all {\n    .* *\n}\n

    \u6700\u540e\u542f\u52a8\u670d\u52a1\uff1a

    sudo systemctl enable sniproxy@\u914d\u7f6e\u6587\u4ef6\u540d.service\nsudo systemctl start sniproxy@\u914d\u7f6e\u6587\u4ef6\u540d.service\n
    "},{"location":"services/mirrors/4/networking/route/","title":"Routing on mirrors4","text":"

    \u7531\u4e8e mirrors4 \u6ca1\u6709\u4f7f\u7528 ifupdown \u4f5c\u4e3a\u7f51\u7edc\u7ba1\u7406\u7cfb\u7edf\uff0c\u800c\u662f\u91c7\u7528 systemd-networkd\uff0c\u56e0\u6b64\u6211\u4eec\u6ca1\u6709 pre-up, up, down, post-down \u7b49\u8fd0\u884c\u547d\u4ee4\u7684\u65b9\u5f0f\uff0c\u6240\u4ee5 mirrors2 \u4e0a\u4f7f\u7528\u7684\u90a3\u5957\u811a\u672c\uff08ip-route.sh \u7b49\uff09\u65e0\u6cd5\u76f4\u63a5\u5728 mirrors4 \u4e0a\u7ee7\u7eed\u4f7f\u7528\u3002

    \u597d\u5728\u6211\u4eec\u4f7f\u7528 up \u7b49\u8fd0\u884c\u547d\u4ee4\u53ea\u662f\u4e3a\u4e86\u914d\u7f6e\u8def\u7531\uff0c\u56e0\u6b64\u6362\u4e86\u4e2a\u529e\u6cd5\uff0c\u6574\u4e86\u4e2a\u65b0\u811a\u672c\u628a IP \u5730\u5740\u5217\u8868\uff08\u6765\u81ea gaoyifan/china-operator-ip\uff09\u8f6c\u6362\u6210 networkd \u6240\u4f7f\u7528\u7684\u914d\u7f6e\u6587\u4ef6\u683c\u5f0f\u3002\u4ee3\u7801\u4e0d\u957f\uff1a

    #!/bin/bash\n\nROOT_IP_LIST=/usr/local/network_config/iplist\nROOT_RT=/run/systemd/network\n\ngen_route() {\n  IPLIST=\"$ROOT_IP_LIST/$1\"\n  GW=\"$2\"\n  DEV=\"$3\"\n  # Convert table to number\n  TABLENAME=\"$4\"\n  TABLE=\"$(awk 'substr($0, 1, 1) != \"#\" && $2 == \"'\"$TABLENAME\"'\" { print $1 }' /etc/iproute2/rt_tables | head -1)\"\n  PRIORITY=\"$5\"\n\n  F=\"$ROOT_RT/$DEV.network.d\"\n  mkdir -p \"$F\"\n  F=\"$F/route-${TABLENAME,,}.conf\"\n\n  echo -e \"[RoutingPolicyRule]\\nTable=$TABLE\\nPriority=$PRIORITY\\n\" > \"$F\"\n  awk '{ print \"[Route]\\nDestination=\" $1 \"\\nGateway='\"$GW\"'\\nTable='\"$TABLE\"'\\n\" }' \"$IPLIST\" >> \"$F\"\n}\n\ngen_route ustcnet.txt 202.38.95.126 cernet Ustcnet 5\ngen_route cernet.txt 202.38.95.126 cernet Cernet 6\ngen_route telecom.txt 202.141.160.126 telecom Telecom 6\ngen_route mobile.txt 202.141.176.126 mobile Mobile 6\ngen_route unicom.txt 218.104.71.161 unicom Unicom 6\ngen_route china.txt 218.104.71.161 unicom China 7\n

    \u8fd9\u4e2a\u4ed3\u5e93\u91cc\u6709\u5f88\u591a\u4e2a txt \u6587\u4ef6\uff0c\u6bcf\u4e2a\u6587\u4ef6\u5bf9\u5e94\u4e00\u4e2a ISP \u7684\u5730\u5740\u5217\u8868\uff0c\u6bcf\u884c\u4e00\u4e2a CIDR\u3002\u811a\u672c\u4e2d\u7684 gen_route \u51fd\u6570\u6839\u636e\u53c2\u6570\u8bfb\u53d6\u6587\u4ef6\uff0c\u5e76\u8f6c\u6362\u6210\u4e0b\u9762\u8fd9\u6837\u7684\u683c\u5f0f\uff1a

    [Route]\nDestination=1.0.0.0/24\nGateway=202.38.95.126\nTable=1011\n

    \u8fd9\u6837\u4e00\u4e2a [Route] \u8282\u5bf9\u5e94\u4e00\u6761\u8def\u7531\u89c4\u5219\uff0c\u6574\u4e2a txt \u7684\u8f6c\u6362\u7ed3\u679c\u8f93\u51fa\u5230 /run/systemd/network/cernet.network.d/route-example.conf\u3002\u5176\u4e2d cernet.network.d/*.conf \u7528\u4e8e\u5411\u73b0\u6709\u7684\u914d\u7f6e\u4e2d\u6dfb\u52a0\u5185\u5bb9\uff08\u4e0e systemd service \u7c7b\u4f3c\uff09\uff0c\u800c /run \u76ee\u5f55\uff08\u6309\u7406\u6765\u8bf4\uff09\u91cd\u542f\u4f1a\u6e05\u7a7a\uff0c\u9002\u5408\u653e\u7f6e\u8fd9\u4e9b\u7528\u4e8e\u52a8\u6001\u751f\u6210\u7684\u5185\u5bb9\u3002\u53e6\u5916\u7531\u4e8e\u8def\u7531\u89c4\u5219\uff08ip rule\uff09\u4e5f\u7531 networkd \u7ba1\u7406\u548c\u751f\u6210\u4e86\uff0c\u56e0\u6b64\u6bcf\u4e2a route-xxx.conf \u5f00\u5934\u4f1a\u5305\u542b\u4e00\u4e2a [RoutingPolicyRule] \u8282\u7528\u4e8e\u751f\u6210\u8def\u7531\u8868\u5bf9\u5e94\u7684\u8def\u7531\u89c4\u5219\u3002

    \u6ce8\u610f\u8def\u7531\u8868\u662f\u7528\u540d\u79f0\u6307\u5b9a\u7684\uff0c\u4ece /etc/iproute2/rt_tables \u4e2d\u67e5\u51fa\u5bf9\u5e94\u7684\u6570\u5b57 ID\u3002\u8fd9\u4e2a\u6587\u4ef6\u672c\u6765\u4e5f\u662f ip \u547d\u4ee4\u6240\u4f7f\u7528\u7684\uff08\u6ce8\u610f\u5b83\u7684\u76ee\u5f55\u540d\u53eb iproute2\uff09\u3002

    \u6700\u540e\u7ed9\u8fd9\u4e2a\u811a\u672c\u914d\u4e2a service\uff0c\u8ba9\u5b83\u5728 networkd \u4e4b\u524d\u8fd0\u884c\uff1a

    # WARNING: This is NOT the final configuration file!\n[Unit]\nDescription=Generate routes for systemd-networkd\nBefore=systemd-networkd.service\n\n[Service]\nType=oneshot\nExecStart=/bin/bash /usr/local/network_config/route-all.sh\nRemainAfterExit=true\n\n[Install]\nWantedBy=network.target systemd-networkd.service\nWants=systemd-networkd.service\n

    \u8fd9\u4e2a\u6587\u4ef6\u5b58\u5230 /etc/systemd/system/route-all.service\uff0creload \u518d enable \u5c31\u53ef\u4ee5\u4e86\u3002

    \u6539 systemd-networkd.service \u9700\u8981\u989d\u5916\u6ce8\u610f

    \u8fd9\u4e2a\u81ea\u5e26\u7684\u670d\u52a1\u6709\u4e00\u4e2a User=systemd-networkd\uff0c\u4f60\u65e2\u4e0d\u80fd ip rule \u4e5f\u4e0d\u80fd\u5199\u5165 /run/systemd \u7b49\uff0c\u4f1a\u5bfc\u81f4\u670d\u52a1\u70b8\u6389\uff0c\u7136\u540e\u7f51\u4e5f\u70b8\u4e86\u3002\u3002\u3002

    \u5982\u679c\u8981\u6539 networkd \u670d\u52a1\u64cd\u4f5c ip rule \u7684\u8bdd\uff0c\u9700\u8981\u5728\u547d\u4ee4\u884c\u524d\u9762\u52a0\u4e00\u4e2a + \u8868\u793a\u8be5\u547d\u4ee4\u4e0d\u53d7 User= \u7b49\u6743\u9650\u8bbe\u7f6e\u5f71\u54cd\uff0c\u8be6\u7ec6\u89e3\u91ca\u89c1 systemd.service \u6587\u6863\u3002

    "},{"location":"services/mirrors/4/networking/route/#special-routing","title":"Special routing","text":"

    \u90e8\u5206 IP \u9700\u8981\u914d\u7f6e\u7279\u6b8a\u8def\u7531\u89c4\u5219\u65f6\uff08\u800c\u4e0d\u662f\u4f7f\u7528\u9ed8\u8ba4\uff09\uff0c\u7f16\u8f91 /usr/local/network_config/special.yml\uff0c\u5176\u683c\u5f0f\u5982\u4e0b\uff1a

    routes: # Root key\uff0c\u4fdd\u7559\n  lugvpn: # /etc/systemd/network \u4e2d\u5bf9\u5e94\u7684 .network \u6587\u4ef6\u540d\n    # \u4e0b\u9762\u662f\u4e00\u4e2a\u8def\u7531\u6587\u4ef6\u7684\u914d\u7f6e\uff0c\u4e00\u4e2a\u6587\u4ef6\u5171\u4eab\u4e00\u4e2a table \u548c gateway \u8bbe\u7f6e\n    - name: route-special # \u5c06\u8981\u521b\u5efa\u7684 .conf \u6587\u4ef6\u540d\uff0c\u53ef\u4ee5\u968f\u610f\n      table: Special # \u8def\u7531\u8868\uff0c\u5373 ip route add table \u540e\u9762\u7684\u53c2\u6570\uff0c\u6570\u5b57\u6216\u8868\u540d\n      gateway: false # \u662f\u5426\u5305\u542b\u7f51\u5173\uff0c\u6216\u8005 ip route \u7684 via \u53c2\u6570\n      routes: # \u6240\u6709\u7684\u8def\u7531\u6761\u76ee\n        - 1.2.3.4\n        - 5.6.7.8/28\n        - 2001:db8::2333/64\n\n  cernet: # \u66f4\u591a\u7684\u914d\u7f6e\n    - ...\n

    \u4fee\u6539 special.yml \u4e4b\u540e\u91cd\u542f route-all.service\u3002\u8be5\u670d\u52a1\u4f1a\u81ea\u52a8\u5bfc\u81f4 systemd-networkd.service \u91cd\u542f\u5e76\u8f7d\u5165\u65b0\u7684\u8def\u7531\u914d\u7f6e\u4fe1\u606f\u3002

    special.rb \u5904\u7406\u811a\u672c\uff08\u653e\u5728\u8fd9\u5907\u4efd\uff09
    #!/usr/bin/ruby\n\nrequire 'fileutils'\nrequire 'yaml'\n\nBASEDIR = '/run/systemd/network'\nRT_TABLES = '/etc/iproute2/rt_tables'\n\nrt_tables = Hash.new\nFile.readlines(RT_TABLES).each do |l|\n  next if l =~ /^\\s*#/\n  id, name = l.split\n  rt_tables[name] = id\nend\n\ndata = YAML.load_file File.join(__dir__, 'special.yml')\ndata['routes'].each do |fn, setups|\n  confdir = File.join(BASEDIR, \"#{fn}.network.d\")\n  FileUtils.mkdir_p confdir\n\n  setups.each do |config|\n    table = config['table']\n    gateway = config['gateway']\n    File.open File.join(confdir, \"#{config['name']}.conf\"), 'w' do |f|\n      config['routes'].each do |dst|\n        t = \"[Route]\\nDestination=#{dst}\\n\"\n        t += \"Table=#{rt_tables.fetch table, table}\\n\" if table\n        t += \"Gateway=#{gateway}\\n\" if gateway\n        f.write t + \"\\n\"\n      end\n    end\n  end\nend\n

    route-all.service \u6709\u5f88\u591a\u6ce8\u610f\u4e8b\u9879

    \u4e3a\u4e86\u6e05\u7406\u5f00\u673a\u81ea\u52a8\u4ea7\u751f\u7684 32766 \u548c 32767 \u4e24\u6761\u8def\u7531\u89c4\u5219\uff0c\u6211\u4eec\u540c\u65f6\u4e3a systemd-networkd.service \u6dfb\u52a0\u4e86\u4e24\u4e2a ExecStartPre \u5982\u4e0b\uff1a

    [Service]\nExecStartPre=-+/sbin/ip rule delete from all table main pref 32766\nExecStartPre=-+/sbin/ip rule delete from all table default pref 32767\n

    \u53e6\u9644\u5b8c\u6574\u7684 route-all.service \u6587\u4ef6\uff1a

    [Unit]\nDescription=Generate routes for systemd-networkd\nBefore=systemd-networkd.service\n\n[Service]\nType=oneshot\nExecStart=/bin/bash /usr/local/network_config/route-all.sh\nExecStart=/usr/local/network_config/special.rb\nRemainAfterExit=true\n\n[Install]\nWantedBy=network.target systemd-networkd.service\nWants=systemd-networkd.service\n
    "},{"location":"services/pxe/","title":"PXE","text":"

    \u5bf9\u6821\u56ed\u7f51\u7528\u6237\u4e0e\u6821\u5916\u7528\u6237\u516c\u5f00\u7684 PXE \u670d\u52a1\u3002LIIMS \u4e0e\u76ee\u524d\u7684 PXE \u867d\u7136\u8fd0\u884c\u5728\u540c\u4e00\u53f0\u670d\u52a1\u5668\u4e0a\uff0c\u4f46\u662f\u914d\u7f6e\u6709\u6240\u4e0d\u540c\u3002

    \u672c\u6587\u6863\u9700\u8981\u5927\u5e45\u6269\u5145

    "},{"location":"services/pxe/#intro","title":"Intro","text":"

    https://lug.ustc.edu.cn/wiki/server/pxe/

    https://lug.ustc.edu.cn/planet/2018/10/PXE-intro/

    \u5173\u4e8e FAQ

    https://lug.ustc.edu.cn/wiki/server/pxe/faq/ \u592a\u8001\u4e86\uff0c\u5982\u679c\u6709\u65f6\u95f4\u7684\u8bdd\u5efa\u8bae\u5199\u4e2a\u65b0\u7684\u3002

    \u4e00\u822c\u7684\u542f\u52a8\u6d41\u7a0b\u662f\uff1a

    1. iPXE \u52a0\u8f7d GRUB \u76f8\u5173\u6587\u4ef6\u3002
    2. GRUB \u52a0\u8f7d Linux \u5185\u6838\u4e0e initramfs\u3002
    3. Initramfs \u4ece\u542f\u52a8\u53c2\u6570\u6302\u8f7d NFS \u4e3a rootfs\uff0c\u8fdb\u884c\u4e0b\u4e00\u6b65\u7684\u542f\u52a8\u3002
    "},{"location":"services/pxe/#_1","title":"\u4f7f\u7528/\u8c03\u8bd5","text":"

    PXE \u5728\u6821\u56ed\u7f51\u4e2d\u76f4\u63a5\u53ef\u7528\uff0c\u56e0\u4e3a\u5b66\u6821\u7684 DHCP \u670d\u52a1\u5668\u7ecf\u8fc7\u4e86\u914d\u7f6e\u3002

    \u5982\u679c\u9700\u8981\u5728\u865a\u62df\u673a\u4e2d\u8c03\u8bd5\uff0c\u4e0b\u8f7d IPXE \u7684 ISO\uff08http://boot.ipxe.org/ipxe.iso\uff09\uff0c\u6302\u8f7d\u5728\u865a\u62df\u673a\u4e2d\u6d4b\u8bd5\u3002

    \u63a8\u8350\u4f7f\u7528\u7684\u865a\u62df\u673a\u65b9\u6848

    PXE \u80fd\u591f\u6210\u529f\u8fd0\u884c\u4e0e\u5426\u548c\u865a\u62df\u673a\u73af\u5883\uff08\u7279\u522b\u662f\u865a\u62df\u7f51\u5361\u578b\u53f7\uff09\u9ad8\u5ea6\u76f8\u5173\u3002\u9700\u8981\u627e\u5230\u4e00\u4e2a\u7a33\u5b9a\u7684\u914d\u7f6e\u65b9\u6848\uff08\u6bd4\u5982\u7528 qemu\uff1f\uff09

    \u5176\u4e2d\u4e3b\u8981\u4f7f\u7528\u7684\u662f\u65b0 PXE \u65b9\u6848\uff08pxelinux.0\uff0csimple-pxe\uff09\u3002

    \u8001 PXE \u65b9\u6848\uff08lpxelinux.0\uff09\u76ee\u524d\u4ec5\u7528\u4e8e\u56fe\u4e66\u9986\u67e5\u8be2\u673a\u3002

    "},{"location":"services/pxe/#_2","title":"\u67b6\u6784","text":"

    \u65b0 PXE \u65b9\u6848\u7684 HTTP \u670d\u52a1\u5668\u4e3a Apache\uff08Nginx \u53ef\u80fd\u662f\u4ee5\u524d\u5f03\u7528\u7684\u914d\u7f6e\uff09\u3002URL \u4e2d\u7684 boot2 \u5bf9\u5e94 /nfsroot/pxe

    \u5982\u679c\u51fa\u73b0\u95ee\u9898\u9700\u8981\u8c03\u8bd5\uff0c\u5efa\u8bae\u6293\u5305\uff08\u53ef\u4ee5\u4f7f\u7528 Wireshark\uff09\u770b\u662f\u5426\u6b63\u5e38\u3002

    \u6bcf\u5929\u51cc\u6668\uff0cpxe \u7528\u6237\u7684 crontab \u4efb\u52a1\u4f1a\u6267\u884c https://github.com/ustclug/simple-pxe/blob/master/simple-pxe-in-docker\uff08\u6587\u4ef6\u4f4d\u4e8e pxe \u7528\u6237\u7684 home \u4e2d\uff09\uff0c\u5b9e\u73b0 PXE \u76f8\u5173\u6587\u4ef6\u7684\u66f4\u65b0\u3002

    "},{"location":"services/pxe/#faults","title":"\u6545\u969c","text":"

    pxe \u670d\u52a1\u5668\u5728\u5347\u7ea7\u5230 Debian Bullseye (11) \u540e\u65e0\u6cd5\u6b63\u5e38\u5f00\u673a\uff0c\u7ecf\u8fc7 GRUB \u8fdb\u5165\u5185\u6838\u540e\u6bcf 5 \u79d2\u5237\u51fa\u4ee5\u4e0b\u4fe1\u606f\uff1a

    DMAR: DRHD: handling fault status reg 2\nDMAR: [DMA Read] Request device [03:00.0] PASID ffffffff fault addr cb2f0000 [fault reason 06] PTE Read access is not set\nDMAR: DRHD: handling fault status reg 102\n

    \u7531\u4e8e\u6b64\u65f6\u521a\u5347\u7ea7\u81f3 Debian Bullseye\uff0c\u6240\u4ee5\u7cfb\u7edf\u4ecd\u7136\u4fdd\u7559\u4e86 Debian Buster \u7684 4.19 \u7248\u5185\u6838\u3002\u91cd\u542f\u8fdb\u8be5\u5185\u6838\u53ef\u6b63\u5e38\u542f\u52a8\u5e76\u8fd0\u884c\u670d\u52a1\uff0c\u4f46\u53ea\u8981\u8fdb 5.10 \u7684\u5185\u6838\u5c31\u4f1a\u51fa\u73b0\u4ee5\u4e0a\u9519\u8bef\u3002\u6d4b\u8bd5 Proxmox VE \u63d0\u4f9b\u7684 pve-kernel-5.15 \u4e5f\u662f\u540c\u6837\u95ee\u9898\u3002

    \u641c\u7d22\u53d1\u73b0\u4e3b\u673a\u4f7f\u7528\u7684 RAID \u5361 PERC H310 \u4e0d\u652f\u6301\u76f4\u901a\uff08IOMMU \u865a\u62df\u5316\uff09\uff0c\u914d\u7f6e GRUB \u52a0\u5165 intel_iommu=off \u540e\u53ef\u4ee5\u6b63\u5e38\u8fdb\u5165 5.10 \u7684\u5185\u6838\uff0c\u4f5c\u4e3a\u89e3\u51b3\u65b9\u6848\u3002

    \u8c03\u67e5\u7ed3\u679c

    \u6309\u8bf4 IOMMU\uff08VT-d\uff09\u4e0d\u5e94\u8be5\u9ed8\u8ba4\u542f\u7528\uff0c\u56e0\u6b64\u731c\u6d4b 5.10+ \u7684\u5185\u6838\u4f1a\u4e3b\u52a8\u5c1d\u8bd5\u5f00\u542f IOMMU\uff0c\u5bfc\u81f4 RAID \u5361\u51fa\u9519\u3002

    \u6bd4\u8f83 /boot/config-4.19.0-18-amd64 \u548c /boot/config-5.10.0-11-amd64 \u540e\u53d1\u73b0 5.10 \u7248\u7684 config \u591a\u4e86\u4e00\u884c CONFIG_INTEL_IOMMU_DEFAULT_ON_INTGPU_OFF=y\uff0c\u641c\u7d22\u53d1\u73b0 Debian bug #932086\uff0c\u5373 Debian \u9ed8\u8ba4\u5bf9\u9664\u4e86 Intel GPU \u4ee5\u5916\u7684\u8bbe\u5907\u542f\u7528 IOMMU\uff08linux 5.2.9-2\uff09\u3002

    \u53c2\u8003\u94fe\u63a5\uff1a

    "},{"location":"services/pxe/liims/","title":"LIIMS","text":"

    Short for Libray Independent Inquery Machine System.

    Server: pxe.s.ustclug.org

    Git Repository:

    It is strongly advised to clone liimstrap and read through it when reading this document.

    "},{"location":"services/pxe/liims/#add-machine","title":"\u542f\u52a8\u914d\u7f6e","text":"

    \u914d\u7f6e\u6587\u4ef6\u5728 /home/pxe/tftp/grub/grub.cfg.d\uff0c\u82e5\u8981\u5141\u8bb8\u65b0\u673a\u5668\u542f\u52a8 liims \u955c\u50cf\uff0c\u521b\u5efa\u4e00\u4e2a\u7b26\u53f7\u94fe\u63a5\u5230\u5bf9\u5e94\u7684\u914d\u7f6e\u6587\u4ef6\u3002\u4f8b\u5982\uff1a

    ln -s common_el 02:23:45:67:89:ab\n

    \u76ee\u524d\u6211\u4eec\u901a\u8fc7\u51e0\u4e2a\u7b26\u53f7\u94fe\u63a5\u5c06\u914d\u7f6e\u6587\u4ef6\u201c\u5206\u7ec4\u201d\uff0cMAC \u5730\u5740\u5bf9\u5e94\u7684\u7b26\u53f7\u94fe\u63a5\u5e94\u8be5\u94fe\u63a5\u5230\u8fd9\u4e9b\u5206\u7ec4\u4e0a\u3002\u5df2\u6709\u7684\u5206\u7ec4\u5982\u4e0b\uff1a

    \u9664\u6b64\u4e4b\u5916\uff0c\u8fd8\u9700\u8981\u5728\u67e5\u8be2\u673a\u76d1\u63a7\u7a0b\u5e8f\u4e2d\u6dfb\u52a0\u8be5 MAC \u5730\u5740\uff0c\u89c1\u4e0b\u65b9\u67e5\u8be2\u673a\u76d1\u63a7\u3002

    "},{"location":"services/pxe/liims/#lib-api","title":"\u4e3a\u56fe\u4e66\u9986\u8001\u5e08\u5f00\u653e\u7684\u63a5\u53e3","text":"

    \u56fe\u4e66\u9986\u8001\u5e08\u53ef\u4ee5\u901a\u8fc7 SSH \u767b\u5f55\u673a\u5668\u76f4\u63a5\u521b\u5efa\u6240\u9700\u7684\u7b26\u53f7\u94fe\u63a5\uff08\u4f46\u662f\u8fd8\u9700\u8981\u6211\u4eec\u6765\u6539\u76d1\u63a7\u7a0b\u5e8f\u7684 json\uff09\u3002\u76f8\u5173\u914d\u7f6e\u5982\u4e0b\uff1a

    /etc/sudoers.d/sonnie
    sonnie ALL=(pxe) NOPASSWD: /home/pxe/tftp/grub/grub.cfg.d/add_host.py *\n
    /etc/ssh/sshd_config
    Match User sonnie\n    AllowUsers sonnie\n    PubkeyAuthentication yes\n    AuthorizedKeysFile .ssh/authorized_keys\n

    /etc/nsswitch.conf

    \u628a sudoers \u4e00\u884c\u4e2d\u7684 ldap \u79fb\u5230 files \u524d\u9762\u3002

    \u9ed8\u8ba4\u60c5\u51b5\u4e0b ldap \u5728 files \u540e\u9762\uff0c\u90a3\u4e48\u6765\u81ea LDAP \u7684 sudo rules \u4f1a\u6392\u5728 sudoers \u6587\u4ef6\u4e2d\u7684 rules \u7684\u540e\u9762\uff0c\u800c sudo \u662f\u540e\u9762\u7684\u89c4\u5219\u4f18\u5148\u7ea7\u66f4\u9ad8\uff0c\u4f1a\u5bfc\u81f4\u65e0\u6cd5 NOPASSWD \u8fd0\u884c\u811a\u672c\u3002

    "},{"location":"services/pxe/liims/#_1","title":"\u542f\u52a8\u955c\u50cf","text":"

    \u4f4d\u4e8e /home/pxe/nfsroot/<category>/<name>\uff0c\u5176\u4e2d <name> \u5c31\u662f\u955c\u50cf\u540d\u79f0\uff08\u4f8b\u5982 liims160909\uff09\u3002\u76ee\u524d\u6709\u4e24\u79cd\u90e8\u7f72\u65b9\u5f0f\uff1a\u4e00\u79cd\u662f NFS as rootfs\uff0c\u6587\u4ef6\u5939\u4e2d\u5c31\u662f\u6574\u4e2a rootfs\uff0c\u76f4\u63a5\u4fee\u6539\u8fd9\u91cc\u7684\u6587\u4ef6\uff0c\u673a\u5668\u91cd\u542f\u540e\u5c31\u4f1a\u8f7d\u5165\u3002\uff08\u6ce8\u610f\uff1a\u8986\u76d6\u6587\u4ef6\u53ef\u80fd\u5bfc\u81f4\u5df2\u6709\u7684\u673a\u5668\u8fd0\u884c\u9519\u8bef\uff09

    \u53e6\u4e00\u79cd\u662f\u6253\u5305\u538b\u7f29\u4e3a squashfs\uff0c\u6b64\u65f6\u6587\u4ef6\u5939\u4e0b\u4e09\u4e2a\u6587\u4ef6\u5206\u522b\u4e3a vmlinuz\uff08kernel\uff09, initrd.img \u548c root.sfs\uff08squashfs \u955c\u50cf\uff09\u3002\u5982\u679c\u9700\u8981\u4fee\u6539\uff0c\u53ef\u4ee5\u4f7f\u7528 unsquashfs \u89e3\u538b\u7f29\uff0c\u4fee\u6539\u5b8c\u6210\u540e\u53c2\u8003\u4ed3\u5e93\u4e2d deploy \u6587\u4ef6\u518d\u538b\u7f29\u4e3a squashfs\u3002

    IP \u767d\u540d\u5355\u91c7\u7528 iptables \u5b9e\u73b0\uff0c\u4fee\u6539 rootfs \u4e0b\u7684 etc/iptables/rules.v4 \u548c rules.v6 \u53ef\u4fee\u6539\u7b56\u7565\u3002\u6ce8\u610f\uff1a\u9632\u706b\u5899\u7b56\u7565\u4ec5\u5728\u673a\u5668\u542f\u52a8\u65f6\u4f1a\u8f7d\u5165\u4e00\u6b21\u3002

    "},{"location":"services/pxe/liims/#_2","title":"\u955c\u50cf\u6784\u5efa","text":"

    \u5907\u6ce8

    \u6b64\u8282\u7684\u5185\u5bb9\u4ec5\u9002\u7528\u4e8e 2022 \u4e4b\u524d\u7684\u8001\u7248\u672c\uff0c\u65b0\u7248\u672c\u6709\u5173\u6784\u5efa\u3001\u8c03\u8bd5\u7b49\u5185\u5bb9\u8bf7\u76f4\u63a5\u9605\u8bfb liimstrap \u4ed3\u5e93 README\u3002

    \u4f7f\u7528 liimstrap \u5728 ArchLinux \u4e0b\u8fdb\u884c\u6784\u5efa\uff0cliimstrap \u4f7f\u7528\u65b9\u6cd5\u53c2\u8003\u4ed3\u5e93\u4e2d\u7684\u8bf4\u660e\u3002

    \u6784\u5efa\u540e\u9700\u8981\u63a8\u9001\u5230\u670d\u52a1\u5668\u4e0a\u7684 /nfsroot/liims \u4e0b\uff0c\u5e76\u8bbe\u7f6e /usr \u7684\u6240\u6709\u8005\u4e3a liims\u3002\u673a\u5668\u7684\u9ed8\u8ba4 pxe \u542f\u52a8\u914d\u7f6e\u5728 /home/pxe/tftp/pxelinux.cfg/ \u4e0b

    "},{"location":"services/pxe/liims/#qemu","title":"\u793a\u4f8b qemu \u8c03\u8bd5\u65b9\u6cd5","text":"

    \u521b\u5efa\u5e76\u6302\u8f7d\u4e34\u65f6\u955c\u50cf:

    dd if=/dev/zero of=liims.img bs=4k count=1200000\nmkfs.ext4 liims.img\nmount -o loop liims.img /mnt\n

    \u5047\u8bbe\u5f53\u524d\u8def\u5f84\u4e3a liimstrap\uff0c\u4fee\u6539 initcpio/mkinitcpio.conf\uff0c\u53bb\u6389 HOOKS \u4e2d\u7684 liims_root\uff0c\u589e\u52a0 block\uff08\u4ec5\u8c03\u8bd5\u65f6\u9700\u8981\uff09\u3002 \u4f7f\u7528 liimstrap \u5236\u4f5c\u955c\u50cf ./liimstrap /mnt\u3002\u5b8c\u6210\u540e\u4f7f\u7528 qemu \u6253\u5f00\u8c03\u8bd5:

    qemu -kernel /mnt/boot/vmlinuz-lts\\\n     -initrd /mnt/boot/initramfs-linux-lts.img\\\n     -hda liims.img\\\n     -netdev user,id=mynet0,net=114.214.188.0/24,dhcpstart=114.214.188.9\\\n     -device i82557a,netdev=mynet0\\\n     -append \"root=/dev/sda rootflags=rw\"\n

    \u6ce8\uff1a\u5176\u4e2d netdev \u4e2d\u7684 ip \u6bb5\u53ef\u4ee5\u81ea\u7531\u9009\u53d6\uff0cdevice \u4e2d\u7684\u8bbe\u5907\u540d\u901a\u8fc7 qemu -device \\? \u67e5\u770b\u540e\u9009\u62e9\u4efb\u4e00\u7f51\u7edc\u8bbe\u5907\u5373\u53ef

    "},{"location":"services/pxe/liims/#monitor","title":"\u67e5\u8be2\u673a\u76d1\u63a7","text":"

    http://pxe.ustc.edu.cn:3000/

    2022 \u5e74\u524d\uff0c\u63d0\u4f9b\u670d\u52a1\u7684\u662f\u4e00\u4e2a Docker \u5bb9\u5668\u3002\u5728 iBug \u7528 Go \u91cd\u5199\u4e4b\u540e\uff0c\u76ee\u524d\u76f4\u63a5\u8dd1\u5728 host \u4e0a\u3002

    \u6dfb\u52a0\u65b0\u673a\u5668

    \u4fee\u6539 https://github.com/ustclug/liimstrap/blob/master/monitor/clients.json \u540e\uff0c\u5728 pxe \u4e0a clone \u5e76\u5728\u5f53\u524d\u76ee\u5f55 build\u3002\u4f7f\u7528 docker-run-script \u4e2d\u5bf9\u5e94\u811a\u672c\u6267\u884c\u5bb9\u5668\u5373\u53ef\u3002

    \u4fee\u6539 /etc/liims-monitor/clients.json \u4e4b\u540e systemctl reload liims-monitor.service \u5373\u53ef\u3002

    /etc/liims-monitor/clients.json
    {\n    \"name\": \"\u4e1c\u533a\u4e09\u697c\u4e1c01\",\n    \"mac\": \"0223456789ab\"\n}\n
    "},{"location":"workflow/new-server/","title":"New Server Setup Checklist","text":""},{"location":"workflow/new-server/#ntp-date","title":"NTP Date","text":"

    Install either chrony or systemd-timesyncd. Usually chrony comes pre-installed so it's easily forgot.

    Replace the default NTP pool with USTC's NTP server time.ustc.edu.cn, like this:

    /etc/chrony/chrony.conf
    # Use Debian vendor zone.\n#pool 2.debian.pool.ntp.org iburst\nserver time.ustc.edu.cn iburst\n
    "},{"location":"workflow/new-server/#time-zone","title":"Time zone","text":"

    Run dpkg-reconfigure tzdata and select Asia/Shanghai as the timezone. Reboot the server.

    "},{"location":"workflow/new-server/#use-nft-backend-for-iptables","title":"Use nft-backend for iptables","text":"
    update-alternatives --set iptables /usr/sbin/iptables-nft\nupdate-alternatives --set ip6tables /usr/sbin/ip6tables-nft\n
    "},{"location":"workflow/new-server/#update-resolvconf","title":"Update resolv.conf","text":""},{"location":"workflow/new-server/#install-console-setup","title":"Install console-setup","text":"

    This may have already come with the base system. It's more likely missed if the system is installed from scratch (bootstrapped).

    "},{"location":"workflow/new-vm/","title":"Create new server in LUGi","text":"

    We no longer have a vSphere cluster, so anything mentioning vSphere is left only for references.

    "},{"location":"workflow/new-vm/#create-vm-in-vcenter","title":"Create VM in vCenter","text":"

    vCenter \u5730\u5740\uff1avcenter2.vm.ustclug.org

    \u6309\u7167\u63d0\u793a\u521b\u5efa\u865a\u62df\u673a

    "},{"location":"workflow/new-vm/#install-os-vsphere","title":"Install OS (vSphere)","text":"

    Note

    \u5c06\u7f51\u7edc\u6539\u4e3a cernet\uff0c\u4ee5\u4fbf\u7528 DHCP \u83b7\u5f97 IP \u5730\u5740\uff0c\u7528 PXE \u5b89\u88c5\u7cfb\u7edf\u3002

    \u51e0\u4e2a\u5173\u952e\u914d\u7f6e\uff1a

    "},{"location":"workflow/new-vm/#create-vm-on-proxmox-ve","title":"Create VM on Proxmox VE","text":"

    \u6211\u4eec\u76ee\u524d\u4e0d\u4f7f\u7528 PVE \u8fd0\u884c LXC \u5bb9\u5668\uff0c\u56e0\u6b64\u672c\u6587\u6863\u53ea\u4ecb\u7ecd\u521b\u5efa KVM \u865a\u62df\u673a\u7684\u6b65\u9aa4\u3002\u63a8\u8350\u4f7f\u7528 web \u754c\u9762\u64cd\u4f5c\uff0c\u9664\u975e\u4f60\u9700\u8981\u6279\u91cf\u521b\u5efa\u865a\u62df\u673a\uff08\u6b64\u65f6\u901a\u8fc7 SSH \u767b\u5f55\u540e\u53ef\u4ee5\u4f7f\u7528 qm \u547d\u4ee4\u6279\u5904\u7406\uff09\u3002

    \u767b\u5f55 web \u754c\u9762\uff0c\u70b9\u51fb\u53f3\u4e0a\u89d2\u7684 Create VM\uff0c\u5f39\u51fa\u521b\u5efa\u865a\u62df\u673a\u7684\u5bf9\u8bdd\u6846\u3002

    General

    \u6b63\u786e\u9009\u62e9\u865a\u62df\u673a\u6240\u5728\u7684 Node\uff08\u5373 Host\uff09\uff0c\u5e76\u6307\u5b9a\u4e00\u4e2a VMID\u3002\u76ee\u524d VMID \u7684\u5206\u914d\u65b9\u6848\u662f\u4e1c\u56fe 300-399\uff0cNIC 200-299\uff0c\u5728\u6b64\u57fa\u7840\u4e0a\u9012\u589e\u5373\u53ef\u3002\u7ed9 VM \u8d77\u4e2a\u6613\u4e8e\u8fa8\u8bc6\u7684\u540d\u79f0\uff0c\u4e0d\u8981\u4e0e\u5df2\u6709 VM \u91cd\u590d\u3002Resource Pool \u7559\u7a7a\u5373\u53ef\u3002

    OS

    \u9664\u975e\u4f60\u8981\u4f7f\u7528 iso \u955c\u50cf\u624b\u52a8\u5b89\u88c5\u7cfb\u7edf\uff0c\u5426\u5219\u8bf7\u9009\u62e9\u300cDo not use any media\u300d\u3002\u6b63\u786e\u9009\u62e9 Guest OS \u7684\u7c7b\u578b\u548c\u7248\u672c\u3002

    System

    \u5c06 SCSI Controller \u8bbe\u4e3a VirtIO SCSI\uff08\u6ce8\u610f\u4e0d\u8981\u9009 VirtIO SCSI Single\uff09\uff0c\u52fe\u4e0a Qemu Agent \u9009\u9879\uff0c\u5176\u4ed6\u9009\u9879\u90fd\u9009 Default \u5373\u53ef\u3002

    Disks, CPU, Memory

    \u6309\u9700\u5206\u914d\uff0c\u78c1\u76d8\u5bb9\u91cf\u5efa\u8bae\u63a7\u5236\u5728 10 GB \u4ee5\u5185\uff08\u4ec5\u7cfb\u7edf\u76d8\uff0c\u53ef\u53e6\u52a0\u6570\u636e\u76d8\uff09\uff0c\u5176\u4e2d Disk \u52fe\u9009\u4e0a Discard\uff0cCPU Type \u63a8\u8350\u9009\u62e9 Host\u3002

    Network

    \u6309\u9700\u9009\u62e9\uff0cModel \u9009 VirtIO\uff0c\u7136\u540e\u53d6\u6d88\u52fe\u9009 Firewall\u3002

    \u8bb0\u5f97\u5728\u865a\u62df\u673a\u7684 Options \u91cc\u5c06 Start at boot \u8bbe\u4e3a Yes

    \u5728 Proxmox VE \u4e0a\uff0c\u901a\u8fc7 web \u754c\u9762\u521b\u5efa\u65b0\u865a\u62df\u673a\u540e\uff0c\u53ef\u4ee5\u4f7f\u7528\u666e\u901a\u65b9\u5f0f\u5b89\u88c5\u7cfb\u7edf\uff0c\u4e5f\u53ef\u4ee5\u76f4\u63a5\u5bfc\u5165\u53d1\u884c\u7248\u63d0\u4f9b\u7684\u865a\u62df\u673a\u955c\u50cf\uff08\u9700\u8981\u901a\u8fc7 SSH \u767b\u5f55 Proxmox VE \u6216 NFS \u670d\u52a1\u5668\uff09\u3002

    \u4e0b\u9762\u4ee5 Debian \u4e3a\u4f8b\uff0c\u521b\u5efa\u4e00\u4e2a\u65b0\u865a\u62df\u673a\uff0c\u7136\u540e\u6253\u5f00 https://mirrors.ustc.edu.cn/debian-cdimage/cloud/bullseye/\uff0c\u70b9\u51fb\u6700\u65b0\u7684\u76ee\u5f55\uff08\u51fa\u4e8e\u672a\u77e5\u539f\u56e0 latest \u94fe\u63a5\u662f\u574f\u7684\uff09\uff0c\u590d\u5236 debian-11-genericcloud-amd64-<date>-<rev> \u7684\u94fe\u63a5\uff08\u63a8\u8350\u4f7f\u7528 genericcloud \u800c\u4e0d\u662f generic\uff0c\u5176\u9884\u88c5 linux-image-cloud-amd64\uff0c\u76f8\u6bd4\u4e8e\u201c\u5b8c\u6574\u7248\u201d\u5185\u6838\u7cbe\u7b80\u6389\u4e86\u5927\u90e8\u5206\u7269\u7406\u8bbe\u5907\u7684\u9a71\u52a8\u7a0b\u5e8f\uff0c\u9002\u7528\u4e8e\u865a\u62df\u673a\u73af\u5883\uff09\uff0c\u7136\u540e\u767b\u5f55 Proxmox VE \u6216 vdp\uff08NFS \u670d\u52a1\u5668\uff09\uff0c\u4f7f\u7528\u4ee5\u4e0b\u547d\u4ee4\u76f4\u63a5\u4e0b\u8f7d\u955c\u50cf\u81f3\u865a\u62df\u673a\u78c1\u76d8\uff1a

    # Proxmox VE (ZFS / LVM), use RAW\nwget -O /dev/zvol/rpool/data/vm-<id>-disk-0 https://mirrors.ustc.edu.cn/<...>.raw\nwget -O /dev/<vg>/<lv> https://mirrors.ustc.edu.cn/<...>.raw\n\n# vdp over NFS, use QCOW2\nwget -O /media/vdp/pve/images/<path>.qcow2 https://mirrors.ustc.edu.cn/<...>.qcow2\n

    \u7136\u540e\u5728 web \u754c\u9762\u6307\u5b9a\u865a\u62df\u673a\u7684\u78c1\u76d8\uff08\u5982\u6709\u9700\u8981\uff09\u3002

    "},{"location":"workflow/new-vm/#reset-password","title":"Reset password","text":"

    \u7531\u4e8e Debian \u63d0\u4f9b\u7684 cloud image \u9ed8\u8ba4\u7981\u7528\u4e86 root \u7528\u6237\uff0c\u9700\u8981\u624b\u52a8\u6302\u8f7d\u78c1\u76d8\uff0c\u7f16\u8f91\u78c1\u76d8\u4e2d\u7684 /etc/shadow \u6587\u4ef6\uff0c\u5c06\u7b2c\u4e00\u884c\u7684 root:*:... \u6539\u4e3a root::...\uff08\u5373\u5220\u6389\u661f\u53f7\uff09\u3002\u6ce8\u610f\u4e0d\u8981\u8bef\u6539\u4e3b\u673a\u7684 shadow \u6587\u4ef6\u3002

    Tip

    \u6b64\u6b65\u9aa4\u4e5f\u53ef\u4ee5\u66ff\u6362\u4e3a chroot \u8fdb\u53bb\u540e\u4f7f\u7528 passwd \u4fee\u6539\u6216\u6e05\u7a7a\u5bc6\u7801\u3002\u5982\u679c\u4f60\u4e0d\u591f\u719f\u6089 shadow \u6587\u4ef6\u7684\u683c\u5f0f\uff0c\u8fd9\u6837\u505a\u66f4\u5b89\u5168\u3002

    \u5bf9\u4e8e ZFS \u548c LVM \u5b58\u50a8\u7684\u78c1\u76d8\uff0c\u53ef\u4ee5\u76f4\u63a5\u6302\u8f7d /dev/zvol/<...> \u6216 /dev/<vg>/<lv>\uff08\u4f60\u53ef\u80fd\u9700\u8981\u4f7f\u7528 kpartx \u5de5\u5177\u52a0\u8f7d\u5206\u533a\uff09\u3002\u5bf9\u4e8e Qcow2 \u6587\u4ef6\u7684\u78c1\u76d8\uff0c\u53ef\u4ee5\u53c2\u8003\u8fd9\u4e2a Gist \u4f7f\u7528 qemu-nbd \u5de5\u5177\u6765\u6302\u8f7d\u3002\u5176\u4e2d nbd \u662f Linux \u539f\u751f\u7684\u5185\u6838\u6a21\u5757\uff0c\u53ef\u4ee5\u653e\u5fc3 modprobe\u3002

    \u4f60\u4e5f\u53ef\u4ee5\u5728\u8fd9\u4e00\u6b65\u540c\u65f6\u4fee\u6539\u522b\u7684\u914d\u7f6e\u6587\u4ef6\uff0c\u4f8b\u5982\u628a /etc/apt/sources.list \u6362\u6389\u7b49\u3002\u4fee\u6539\u5b8c\u6210\u540e\u4e0d\u8981\u5fd8\u8bb0 umount\u3002

    "},{"location":"workflow/new-vm/#extra-configurations-for-cloud-images","title":"Extra configurations for cloud images","text":"

    The first two or three boots may hang or end up in kernel panic - this is completely normal. The cloud image will grow the root partition and filesystem to the virtual disk size. After it's all set, purge everything related to cloud-init.

    For better console experiences, install and configure console-setup, and add vga=792 to GRUB_CMDLINE_LINUX in /etc/default/grub. Then run update-grub and reboot.

    "},{"location":"workflow/new-vm/#configure-network","title":"Configure network","text":""},{"location":"workflow/new-vm/#install-software","title":"Install software","text":""},{"location":"workflow/new-vm/#configure-ldap-and-ssh-ca","title":"Configure LDAP and SSH CA","text":"

    \u89c1 LDAP \u670d\u52a1\u4f7f\u7528\u53ca\u914d\u7f6e\u8bf4\u660e \u548c \u4e3a\u670d\u52a1\u5668\u8bbe\u7f6e SSH CA

    "},{"location":"workflow/ldap/add-new-user/","title":"\u5728 LDAP \u4e2d\u6dfb\u52a0\u65b0\u7528\u6237","text":""},{"location":"workflow/ldap/add-new-user/#ldap_1","title":"\u65b0\u5efa LDAP \u7528\u6237","text":"
    1. \u767b\u9646\u7f51\u9875\u754c\u9762
    2. Users > Actions > Create > User
    3. Generic: \u8f93\u5165 Last name\uff0cFirst name\uff0cLogin\uff08\u767b\u5f55\u540d\uff09
    4. POSIX > Generic\uff1a\u8f93\u5165 Home directory\u3002\u4f7f\u7528 Force UID/GID \uff0c\u5177\u4f53\u8bf4\u660e\u8be6\u89c1 LDAP Users \u548c Groups
    "},{"location":"workflow/ldap/add-new-user/#ldap_2","title":"\u6dfb\u52a0 LDAP \u7528\u6237\u6743\u9650","text":"

    POSIX > Group membership > Add\uff1a\u6839\u636e\u9700\u8981\u6dfb\u52a0\u7684\u6743\u9650\u9009\u62e9\u5bf9\u5e94\u7684\u7ec4\uff0c\u5177\u4f53\u8bf4\u660e\u8be6\u89c1 LDAP Users \u548c Groups

    LDAP \u7f13\u5b58

    \u82e5\u53d1\u73b0\u7528\u6237\u65e0\u6cd5\u767b\u9646\u7b49\u60c5\u51b5\uff0c\u53ef\u80fd\u662f\u7f13\u5b58\u670d\u52a1 NSCD \u5bfc\u81f4\u7684\uff0c\u5177\u4f53\u53c2\u8003 LDAP Users \u548c Groups\uff1a

    "},{"location":"workflow/mirrors/maintenance/","title":"\u5f00\u6e90\u8f6f\u4ef6\u955c\u50cf\u7ad9\u7ef4\u62a4\u65b9\u5f0f","text":"

    \u79d1\u5927\u5f00\u6e90\u8f6f\u4ef6\u955c\u50cf\u7ad9\u662f LUG \u6700\u91cd\u8981\u7684\u670d\u52a1\u4e4b\u4e00\uff0c\u56e0\u6b64\u7ef4\u62a4\u64cd\u4f5c\u5fc5\u987b\u8c28\u614e\u3002

    "},{"location":"workflow/mirrors/maintenance/#_2","title":"\u91cd\u542f\u7cfb\u7edf","text":"

    \u7531\u4e8e mirrors \u670d\u52a1\u91cf\u5927\uff0c\u91cd\u542f\u5e94\u63d0\u524d\u5728 LUG \u670d\u52a1\u5668\u65b0\u95fb\u7ad9 \u53d1\u5e03\u516c\u544a\u3002

    "},{"location":"workflow/mirrors/maintenance/#_3","title":"\u5b89\u88c5\u66f4\u65b0","text":""},{"location":"workflow/mirrors/maintenance/#_4","title":"\u666e\u901a\u66f4\u65b0","text":"

    \u591a\u6570\u66f4\u65b0\u53ef\u4ee5\u76f4\u63a5\u4ece apt \u6e90\u5b89\u88c5\uff0c\u4f46\u662f\u90e8\u5206\u8f6f\u4ef6\u5e76\u975e\u6765\u81ea Debian \u5b98\u65b9\u4ed3\u5e93\uff08\u4f8b\u5982 OpenResty\uff09\uff0c\u56e0\u6b64\u66f4\u65b0\u7b56\u7565\u53ef\u80fd\u4e0d\u50cf Debian \u90a3\u4e48\u7a33\u5b9a\u3002\u5982\u679c\u9047\u5230\u63d0\u793a\u914d\u7f6e\u6587\u4ef6\u51b2\u7a81\uff0c\u8bf7\u5c3d\u91cf\u9009\u62e9 3-way merge\uff0c\u5982\u679c\u5931\u8d25\u7684\u8bdd\u53ef\u4ee5\u5148 keep local version\uff0c\u7136\u540e\u624b\u52a8\u89e3\u51b3\u5408\u5e76\u51b2\u7a81\u3002

    "},{"location":"workflow/mirrors/maintenance/#_5","title":"\u5185\u6838\u66f4\u65b0","text":"

    mirrors \u4f7f\u7528\u4e86\u5185\u6838\u6a21\u5757\u63d0\u4f9b\u4e00\u4e9b\u529f\u80fd\u652f\u6301\uff0c\u5982 ZFS\u3002\u56e0\u6b64\u53ea\u8981\u66f4\u65b0\u4e86\u5185\u6838\uff0c\u5c31\u4e00\u5b9a\u8981\u6ce8\u610f\u5185\u6838\u6a21\u5757\u662f\u5426\u5b89\u88c5\u6210\u529f\uff0c\u5982\u679c apt \u5b89\u88c5\u5931\u8d25\u53ef\u4ee5\u624b\u52a8\u8fd0\u884c dkms autoinstall\uff0c\u4ee5\u786e\u4fdd\u65b0\u5185\u6838\u91cd\u542f\u65f6\u80fd\u6b63\u786e\u52a0\u8f7d\u5fc5\u987b\u7684\u5185\u6838\u6a21\u5757\u3002

    "},{"location":"workflow/mirrors/maintenance/#ipmi","title":"IPMI","text":"

    \u5730\u5740\u6682\u65e0\uff0c\u4e00\u822c\u7528\u6d4f\u89c8\u5668\u76f4\u63a5\u8bbf\u95ee\u5c31\u884c\u4e86\u3002\u5982\u679c\u9700\u8981\u63a5\u5165\u7ec8\u7aef\uff0cDashboard \u5de6\u8fb9\u7684 Remote Control \u6709 Launch \u6309\u94ae\u3002\u5982\u679c\u6d4f\u89c8\u5668\u4e0d\u652f\u6301 Java \u5c31\u4f1a\u4e0b\u8f7d\u4e00\u4e2a jviewer.jnlp\uff0c\u81ea\u884c\u89e3\u51b3 Java \u7684\u5b89\u5168\u8b66\u544a\u5373\u53ef\u4f7f\u7528\u3002

    \u5f53\u7136\u5982\u679c\u4f1a\u7528 ipmitool \u66f4\u597d\uff0c\u90a3\u8fd9\u4e00\u6bb5\u7684\u8bf4\u660e\u5c31\u4ea4\u7ed9\u4f60\u6765\u8865\u5145\u4e86 :)

    "},{"location":"workflow/mirrors/maintenance/#ipmitool","title":"ipmitool \u7b80\u4ecb","text":"

    \u5c3d\u7ba1\u51e0\u4e4e\u6211\u4eec\u673a\u5668\u7684 IPMI \u90fd\u6709 Web \u754c\u9762\uff0c\u4f46\u662f Web \u754c\u9762\u4e0d\u4e00\u5b9a\u9760\u8c31\uff0c\u53ef\u80fd\u4f1a\u51fa\u73b0\u6545\u969c\u3002\u6b64\u65f6\uff0c\u6211\u4eec\u53ef\u4ee5\u4f7f\u7528 ipmitool \u91cd\u7f6e IPMI \u7684\u72b6\u6001\uff08\u7cfb\u7edf\u914d\u7f6e\u4e0d\u4f1a\u6539\u53d8\uff09

    \u53c2\u8003\u547d\u4ee4\uff1a

    # \u4e00\u90e8\u5206 IPMI \u7684 interface \u662f lanplus \u800c\u4e0d\u662f lan\uff0c\u6bd4\u5982\u8bf4 mirrors3\nipmitool -I lan -H IPMI\u7684IP -U \u7528\u6237\u540d -a mc reset cold\n

    \u5177\u4f53\u8be6\u60c5\u53ef\u4ee5\u770b ipmitool \u7684 manpage\u3002

    \u53e6\u5916:

    "}]} \ No newline at end of file diff --git a/sitemap.xml.gz b/sitemap.xml.gz index 9ea0ed300fe9fe0f7bfdd7a6b0f68fcd9cd01083..6e4958410603d7eb63984366aa6bdeb422bc82a7 100644 GIT binary patch delta 15 WcmaFN@|cB9zMF$%?*EN!u}lCgSp`7= delta 15 WcmaFN@|cB9zMF$%>bs3>u}lCf)CDL2