diff --git a/404.html b/404.html
index 1661891f..90059aed 100644
--- a/404.html
+++ b/404.html
@@ -16,7 +16,7 @@
-
+
diff --git a/faq/apparmor/index.html b/faq/apparmor/index.html
index c4d11e34..3f8ae4ab 100644
--- a/faq/apparmor/index.html
+++ b/faq/apparmor/index.html
@@ -20,7 +20,7 @@
-
+
diff --git a/faq/dns/index.html b/faq/dns/index.html
index 0d4c6691..b4f19b37 100644
--- a/faq/dns/index.html
+++ b/faq/dns/index.html
@@ -22,7 +22,7 @@
-
+
diff --git a/faq/docker/index.html b/faq/docker/index.html
index 58b82283..d53d3001 100644
--- a/faq/docker/index.html
+++ b/faq/docker/index.html
@@ -22,7 +22,7 @@
-
+
diff --git a/faq/ldap/index.html b/faq/ldap/index.html
index 9cfea2fd..1c5b49f7 100644
--- a/faq/ldap/index.html
+++ b/faq/ldap/index.html
@@ -22,7 +22,7 @@
-
+
diff --git a/faq/nginx/index.html b/faq/nginx/index.html
index c9731fc2..b2631a3a 100644
--- a/faq/nginx/index.html
+++ b/faq/nginx/index.html
@@ -22,7 +22,7 @@
-
+
diff --git a/faq/ssd/index.html b/faq/ssd/index.html
index f7e0afdc..825a558e 100644
--- a/faq/ssd/index.html
+++ b/faq/ssd/index.html
@@ -22,7 +22,7 @@
-
+
diff --git a/faq/systemd-timer/index.html b/faq/systemd-timer/index.html
index 5fc01ce4..0ca20272 100644
--- a/faq/systemd-timer/index.html
+++ b/faq/systemd-timer/index.html
@@ -22,7 +22,7 @@
-
+
diff --git a/faq/vm/index.html b/faq/vm/index.html
index df87cf08..9ae97da2 100644
--- a/faq/vm/index.html
+++ b/faq/vm/index.html
@@ -22,7 +22,7 @@
-
+
diff --git a/index.html b/index.html
index 00e6f7c2..0b73f1d0 100644
--- a/index.html
+++ b/index.html
@@ -20,7 +20,7 @@
-
+
diff --git a/infrastructure/auth-dns/index.html b/infrastructure/auth-dns/index.html
index d95c6e15..4bc50513 100644
--- a/infrastructure/auth-dns/index.html
+++ b/infrastructure/auth-dns/index.html
@@ -22,7 +22,7 @@
-
+
diff --git a/infrastructure/discontinued/index.html b/infrastructure/discontinued/index.html
index 52329d47..94d644e8 100644
--- a/infrastructure/discontinued/index.html
+++ b/infrastructure/discontinued/index.html
@@ -22,7 +22,7 @@
-
+
diff --git a/infrastructure/discontinued/vsphere/esxi/index.html b/infrastructure/discontinued/vsphere/esxi/index.html
index 8032757f..3d7bc908 100644
--- a/infrastructure/discontinued/vsphere/esxi/index.html
+++ b/infrastructure/discontinued/vsphere/esxi/index.html
@@ -22,7 +22,7 @@
-
+
diff --git a/infrastructure/discontinued/vsphere/vcenter/index.html b/infrastructure/discontinued/vsphere/vcenter/index.html
index d647e447..722ea09d 100644
--- a/infrastructure/discontinued/vsphere/vcenter/index.html
+++ b/infrastructure/discontinued/vsphere/vcenter/index.html
@@ -22,7 +22,7 @@
-
+
diff --git a/infrastructure/discontinued/vsphere/vdp/index.html b/infrastructure/discontinued/vsphere/vdp/index.html
index 5d595e71..ccbb34c7 100644
--- a/infrastructure/discontinued/vsphere/vdp/index.html
+++ b/infrastructure/discontinued/vsphere/vdp/index.html
@@ -22,7 +22,7 @@
-
+
diff --git a/infrastructure/dockerhub/index.html b/infrastructure/dockerhub/index.html
index 1f8c9e51..1677e8bd 100644
--- a/infrastructure/dockerhub/index.html
+++ b/infrastructure/dockerhub/index.html
@@ -22,7 +22,7 @@
-
+
diff --git a/infrastructure/github/index.html b/infrastructure/github/index.html
index 10e45152..088a7a0f 100644
--- a/infrastructure/github/index.html
+++ b/infrastructure/github/index.html
@@ -22,7 +22,7 @@
-
+
diff --git a/infrastructure/google/index.html b/infrastructure/google/index.html
index 795bf361..38a6eaff 100644
--- a/infrastructure/google/index.html
+++ b/infrastructure/google/index.html
@@ -22,7 +22,7 @@
-
+
diff --git a/infrastructure/intranet/gateway/index.html b/infrastructure/intranet/gateway/index.html
index 7a4c1589..47f9472f 100644
--- a/infrastructure/intranet/gateway/index.html
+++ b/infrastructure/intranet/gateway/index.html
@@ -22,7 +22,7 @@
-
+
diff --git a/infrastructure/intranet/index.html b/infrastructure/intranet/index.html
index 4b9ba421..2301c56d 100644
--- a/infrastructure/intranet/index.html
+++ b/infrastructure/intranet/index.html
@@ -22,7 +22,7 @@
-
+
diff --git a/infrastructure/intranet/lugivpn/index.html b/infrastructure/intranet/lugivpn/index.html
index c20722e3..bbf8f89c 100644
--- a/infrastructure/intranet/lugivpn/index.html
+++ b/infrastructure/intranet/lugivpn/index.html
@@ -22,7 +22,7 @@
-
+
diff --git a/infrastructure/ldap/index.html b/infrastructure/ldap/index.html
index 934d8bc7..2177af44 100644
--- a/infrastructure/ldap/index.html
+++ b/infrastructure/ldap/index.html
@@ -22,7 +22,7 @@
-
+
diff --git a/infrastructure/mail/index.html b/infrastructure/mail/index.html
index f4f8122f..0e7b3554 100644
--- a/infrastructure/mail/index.html
+++ b/infrastructure/mail/index.html
@@ -22,7 +22,7 @@
-
+
diff --git a/infrastructure/monitor/index.html b/infrastructure/monitor/index.html
index 59e9b17f..3bbcdda0 100644
--- a/infrastructure/monitor/index.html
+++ b/infrastructure/monitor/index.html
@@ -22,7 +22,7 @@
-
+
diff --git a/infrastructure/office/index.html b/infrastructure/office/index.html
index b0da6512..b20ae698 100644
--- a/infrastructure/office/index.html
+++ b/infrastructure/office/index.html
@@ -22,7 +22,7 @@
-
+
@@ -980,7 +980,7 @@
在账户设置中,选择身份管理,点击编辑,选择 Copies and Folders, 启用 Cc these email addresses, 并输入默认抄送地址 lug A ustc.edu.cn
邮件可以以 HTML 方式编写,也可以只是纯文本内容。为了降低对方阅读出现麻烦的可能性,建议使用纯文本消息。使用纯文本消息的方法是:打开 Thunderbird 设置 ,打开 Account Settings ,打开对应邮件地址下的 Composition & Addressing 页面,在 Composition 节下找到 Compose messages in HTML format ,将其复选框去除勾选即可。
Thunderbird 维护了自己的文件夹,如果需要与云端的文件夹同步,可以进行如下操作
在账户上右键,在弹出的菜单中点击 Subscribe。弹出的窗口中包含了云端的文件夹,由于 Thunderbird 会自行维护垃圾箱和已发邮件,因此可能会有两个垃圾箱,Deleted Items 和 Trash,可以在网页端删除不需要的文件夹,并在 Thunderbird 中选择需要的。
+邮件文件夹术语
+请注意,以下两者是不同的:
+被邮件系统认为有问题的邮件会被扔进 垃圾邮件箱,而不是 垃圾箱。
+然后打开账户设置,进行如下修改
Outlook 云端已经带有了垃圾邮件分类功能,不需要 Thunderbird 自己的垃圾邮件分类功能。
在账户设置的 Local Folders 下的 Junk Settings 中,取消选中 Enable adaptive junk mail controls for this account。
-请在上面的 Subscribe 中将垃圾邮件选中以同步。此外,由于 Outlook 目前会将几乎所有邮件都扔进垃圾邮件箱(原因似乎是 M365 的机器学习模型会把所有科大的邮件扔进垃圾箱),因此设置拉取邮件时总是检查垃圾邮件箱。设置方法为在垃圾邮件目录上点击右键 → 属性,然后选择这里第二个勾:
+请在上面的 Subscribe(见 文件夹)中将垃圾邮件选中以同步。此外,由于 Outlook 目前会将几乎所有邮件都扔进垃圾邮件箱(原因似乎是 M365 的机器学习模型会把所有科大的邮件扔进垃圾箱),因此设置拉取邮件时总是检查垃圾邮件箱。设置方法为在垃圾邮件目录上点击右键 → 属性,然后选择这里第二个勾:
注意
diff --git a/infrastructure/proxmox/nfs/index.html b/infrastructure/proxmox/nfs/index.html
index 8eb7a826..38676aa5 100644
--- a/infrastructure/proxmox/nfs/index.html
+++ b/infrastructure/proxmox/nfs/index.html
@@ -22,7 +22,7 @@
-
+
diff --git a/infrastructure/proxmox/pbs/index.html b/infrastructure/proxmox/pbs/index.html
index f3738cb8..81bec656 100644
--- a/infrastructure/proxmox/pbs/index.html
+++ b/infrastructure/proxmox/pbs/index.html
@@ -22,7 +22,7 @@
-
+
diff --git a/infrastructure/proxmox/pve/index.html b/infrastructure/proxmox/pve/index.html
index a96e49fc..22930007 100644
--- a/infrastructure/proxmox/pve/index.html
+++ b/infrastructure/proxmox/pve/index.html
@@ -22,7 +22,7 @@
-
+
diff --git a/infrastructure/raid/index.html b/infrastructure/raid/index.html
index 4c1d5fb1..94b5d3f5 100644
--- a/infrastructure/raid/index.html
+++ b/infrastructure/raid/index.html
@@ -22,7 +22,7 @@
-
+
diff --git a/infrastructure/sshca/index.html b/infrastructure/sshca/index.html
index e5a023e2..21cf3963 100644
--- a/infrastructure/sshca/index.html
+++ b/infrastructure/sshca/index.html
@@ -22,7 +22,7 @@
-
+
diff --git a/infrastructure/ssl/index.html b/infrastructure/ssl/index.html
index 3395f795..2daaa904 100644
--- a/infrastructure/ssl/index.html
+++ b/infrastructure/ssl/index.html
@@ -22,7 +22,7 @@
-
+
diff --git a/infrastructure/tinc/index.html b/infrastructure/tinc/index.html
index 7758a9d9..05393dd1 100644
--- a/infrastructure/tinc/index.html
+++ b/infrastructure/tinc/index.html
@@ -22,7 +22,7 @@
-
+
diff --git a/search/search_index.json b/search/search_index.json
index bbdd3f61..ccec5c94 100644
--- a/search/search_index.json
+++ b/search/search_index.json
@@ -1 +1 @@
-{"config":{"lang":["en"],"separator":"[\\s\\-]+","pipeline":["stopWordFilter"]},"docs":[{"location":"","title":"LUG @ USTC Documentation","text":"Documentation for LUG @ USTC technical infrastructure.
"},{"location":"#layout","title":"Layout","text":"Our documentation is divided into these sections, as laid out on the left navigation menu:
Proxmox \u4f7f\u7528 Ubuntu kernel\uff0c\u4f46\u662f Ubuntu kernel \u7684 apparmor \u76f8\u6bd4\u4e8e Debian kernel \u6dfb\u52a0\u4e86\u4e00\u4e9b feature\uff0c\u8bf8\u5982 Unix socket \u7ba1\u7406\u3002Debian \u7684 apparmor \u5305\u7684 /etc/apparmor/parser.conf
\u9ed8\u8ba4\u914d\u7f6e\u9650\u5236\u4e86\u529f\u80fd\u96c6\u5408\uff1a
## Pin feature set (avoid regressions when policy is lagging behind\n## the kernel)\npolicy-features=/usr/share/apparmor-features/features\n
Proxmox \u7684 lxc \u652f\u6301\u5305\u4f1a\u8986\u76d6 /usr/share/apparmor-features/features
\u4e3a Ubuntu \u7684\u7248\u672c\uff0c\u4f46\u662f\u5982\u679c\u53ea\u5b89\u88c5 Proxmox/Ubuntu kernel\uff0c\u5bf9\u5e94\u7684 features \u6587\u4ef6\u5c31\u4e0d\u5305\u542b Unix socket \u652f\u6301\uff0c\u8fd9\u4f1a\u76f4\u63a5\u5bfc\u81f4 Docker \u7b49\u7a0b\u5e8f\u5185\u90e8\u65e0\u6cd5\u521b\u5efa unix socket \u7b49\u3002
\u4e00\u4e2a workaround \u662f\u6ce8\u91ca\u6389 /etc/apparmor/parser.conf
\u7684\u5bf9\u5e94\u884c\u3002
\u540e\u7eed\u8c03\u67e5\u53d1\u73b0 lxc-pve
\u6253\u5305\u4e86\u81ea\u5df1\u7684 /usr/share/apparmor-features/features
\u5e76\u8986\u76d6\u4e86 Debian \u7684\u7248\u672c\uff0c\u56e0\u6b64\u6211\u4eec\u6a21\u4eff lxc-pve
\u7684\u505a\u6cd5\u628a Debian \u7684\u7248\u672c\u8986\u76d6\u6389\uff0c\u7136\u540e\u4e0b\u8f7d Proxmox \u7684\u7248\u672c\uff1a
dpkg-divert --package lxc-pve --rename --divert /usr/share/apparmor-features/features.stock --add /usr/share/apparmor-features/features\nwget -O /usr/share/apparmor-features/features https://github.com/proxmox/lxc/raw/master/debian/features\n
"},{"location":"faq/dns/","title":"DNS \u57df\u540d\u89e3\u6790\u95ee\u9898","text":""},{"location":"faq/dns/#wrong-dns-result","title":"\u9519\u8bef\u7684\u89e3\u6790\u7ed3\u679c","text":"\u6211\u4eec\u7684 DNS \u662f\u5206\u6821\u5185\u5916\u3001\u5206 ISP \u89e3\u6790\u7684\u3002\u6709\u65f6\u5019\u4f1a\u9047\u5230\u6821\u5185\u8bbf\u95ee\u89e3\u6790\u5230\u6821\u5916\uff0c\u53ef\u80fd\u7684\u539f\u56e0\u662f
/etc/resolv.conf
\u987a\u5e8f\u4e0d\u5bf9
iBug \u5728 2020 \u5e74 5 \u6708 21 \u65e5\u4fee\u4e86 gw-el \u548c mirrors2\uff0c\u8fd9\u4e24\u4e2a\u673a\u5668\u4e0a\u539f\u5148\u6392\u5728\u6700\u524d\u9762\u7684 nameserver \u5c31\u662f 8.8.4.4 \u6216\u8005 1.1.1.1 \u4e4b\u7c7b\u7684
\u6211\u4eec\u7684\u6743\u5a01\u670d\u52a1\u5668\u4e24\u4e2a\u5728\u6821\u5185\u4e00\u4e2a\u5728\u56fd\u5185\uff0c\u56e0\u6b64\u6821\u5185\u673a\u5668\u5e94\u8be5\u4f18\u5148\u4ece\u6821\u5185\u89e3\u6790\u3002\u628a 202.38.64.1 / 2001:da8:d800::1\uff08\u5b66\u6821\u7684 DNS\uff09\u653e\u6700\u524d\u9762\u80af\u5b9a\u6ca1\u9519
\u5982\u679c IPv4 \u89e3\u6790\u6b63\u786e\u4f46\u662f IPv6 \u8fd8\u662f\u89e3\u6790\u5230\u6821\u5916\u7684\u8bdd\uff0c
/etc/resolv.conf
\u7f3a\u5c11 IPv6 \u6761\u76ee
taoky \u5728 2020 \u5e74 5 \u6708 29 \u65e5\u53d1\u73b0\u7684\uff0cmirrors2 \u4e0a\u8bbf\u95ee servers.ustclug.org \u8fd4\u56de Cloudflare \u7684 522 \u9519\u8bef\u9875\u9762\uff08\u6b64\u65f6\u65e5\u672c\u53cd\u4ee3\u6302\u6389\u4e86\uff09\uff0c\u7ecf\u67e5\u5c3d\u7ba1 IPv4 \u6b63\u786e\u89e3\u6790\u5230\u4e86 gw-el \u4e0a\uff0c\u4f46\u662f IPv6 \u8fd8\u662f\u89e3\u6790\u5230\u4e86 Cloudflare \u4e0a\uff0c\u4e14 nslookup \u548c dig \u7b49\u5de5\u5177\u8f93\u51fa\u770b\u8d77\u6765\u90fd\u662f\u5bf9\u7684\u3002
\u6392\u67e5\u53d1\u73b0 /etc/resolv.conf
\u91cc\u6ca1\u6709 IPv6 \u7684\u670d\u52a1\u5668\u6761\u76ee\uff0c\u5728\u9760\u524d\u7684\u4f4d\u7f6e\u63d2\u5165 nameserver 2001:da8:d800::1
\u540e\u89e3\u51b3\u3002
\u624b\u52a8\u6e05\u7a7a\u672c\u673a\u7684 DNS \u7f13\u5b58\uff1anscd -i hosts
\u6709\u65f6\u5019\u53ef\u80fd\u4f1a\u5728 DNS \u66f4\u65b0\u540e\u968f\u673a\u89e3\u6790\u51fa\u65b0\u65e7\u7ed3\u679c\uff0c\u53ef\u80fd\u7684\u539f\u56e0\u662f
ns-a \u6ca1\u66f4\u65b0
ns-a \u673a\u5668\u6bd4\u8f83\u8001\u65e7\uff0c\u7f51\u7edc\u53ef\u80fd\u4e0d\u987a\u7545\uff0c\u624b\u52a8\u628a ns-a \u66f4\u65b0\u4e00\u4e0b\u5c31\u884c\u4e86\uff08
"},{"location":"faq/docker/","title":"Docker \u76f8\u5173\u95ee\u9898","text":""},{"location":"faq/docker/#debian-11-aufs","title":"Debian 11 \u4e2d\u4e0d\u518d\u652f\u6301 aufs","text":"\u4ece Debian 10 \u5347\u7ea7\u5230 Debian 11 \u65f6\uff0caufs-dkms
\u4e0d\u518d\u5305\u542b\u5728\u65b0\u5185\u6838\u4e2d\uff1a
aufs-dkms \u8f6f\u4ef6\u5305\u5c06\u4e0d\u4f5c\u4e3a bullseye \u7684\u4e00\u90e8\u5206\u51fa\u73b0\u3002\u5927\u591a\u6570 aufs-dkms \u7528\u6237\u5e94\u5f53\u5207\u6362\u81f3 overlayfs\uff0c\u540e\u8005\u63d0\u4f9b\u4e86\u76f8\u4f3c\u7684\u529f\u80fd\u4e14\u5177\u6709\u5185\u6838\u7684\u652f\u6301\u3002\u7136\u800c\uff0c\u67d0\u4e9b Debian \u5b89\u88c5\u5b9e\u4f8b\u53ef\u80fd\u4f7f\u7528\u4e86\u4e0d\u517c\u5bb9 overlayfs \u7684\u6587\u4ef6\u7cfb\u7edf\uff0c\u5982\u4e0d\u5e26\u6709 d_type \u7684 xfs\u3002\u6211\u4eec\u5efa\u8bae\u9700\u8981\u4f7f\u7528 aufs-dkms \u7684\u7528\u6237\u5728\u5347\u7ea7\u81f3 bullseye \u4e4b\u524d\u5148\u8fdb\u884c\u8fc1\u79fb\u3002
(https://www.debian.org/releases/bullseye/amd64/release-notes/ch-information.zh-cn.html)
\u5bf9\u4e8e\u8001\u673a\u5668\u6765\u8bf4\u9700\u8981\u63d0\u524d\u786e\u8ba4 Docker \u7684 storage driver\uff1a
$ sudo docker info\n// ...\nServer:\n // ...\n Storage Driver: overlay2\n Backing Filesystem: extfs\n Supports d_type: true\n Native Overlay Diff: true\n userxattr: false\n
\u8fd9\u91cc\u5982\u679c\u662f overlay2 \u90a3\u4e48\u5c31\u6ca1\u95ee\u9898\uff0c\u5982\u679c\u662f aufs \u7684\u8bdd\u5c31\u9700\u8981\u63d0\u524d\u786e\u8ba4\uff0c\u56e0\u4e3a\u5207\u6362\u5230 overlay2 \u4e4b\u540e\u73b0\u6709\u7684\u5bb9\u5668\u548c\u5bb9\u5668\u955c\u50cf\u90fd\u4f1a\u4e22\u5931\uff0c\u9700\u8981\u91cd\u65b0\u521b\u5efa\u3002\u6240\u4ee5\u9700\u8981\u786e\u4fdd\u5bb9\u5668\uff08container\uff09\u548c\u955c\u50cf\uff08image\uff09\u662f\u53ef\u590d\u73b0\u7684\u3002
\u5728\u5347\u7ea7\u7cfb\u7edf\u540e\uff0c\u7f16\u8f91 /etc/docker/daemon.json
\uff0c\u52a0\u4e0a\uff1a
\"storage-driver\": \"overlay2\"\n
\u7136\u540e\u542f\u52a8 docker\uff0c\u91cd\u65b0\u521b\u5efa\u5bb9\u5668\u3002
"},{"location":"faq/ldap/","title":"LDAP \u5957\u4ef6\u95ee\u9898","text":""},{"location":"faq/ldap/#gosa","title":"GOsa \u95ee\u9898","text":"User \u754c\u9762\u6253\u5f00\u65f6\u62a5\u9519
\u5982\u679c\u5728 GOsa \u4e2d\u521b\u5efa\u4e86\u4e00\u4e2a\u65b0\u7528\u6237\uff0c\u5374\u6ca1\u6709\u5728\u6700\u540e\u4e3a\u4ed6\u8bbe\u7f6e\u5bc6\u7801\uff0c\u5c31\u4f1a\u51fa\u73b0\u6b64\u95ee\u9898\uff0c\u6253\u5f00 User \u754c\u9762\u540e\u4f1a\u6709\u62a5\u9519\uff1a
Fatal error: Uncaught ArgumentCountError: Too few arguments to function userManagement::filterLockLabel(), 0 passed in /usr/share/gosa/include/class_listing.inc on line 856 and exactly 1 expected in /usr/share/gosa/plugins/admin/users/class_userManagement.inc:856\nStack trace:\n#0 /usr/share/gosa/include/class_listing.inc(856): userManagement::filterLockLabel()\n#1 /usr/share/gosa/include/class_listing.inc(980): listing->processElementFilter('%{filter:lockLa...', Array, 50)\n#2 /usr/share/gosa/include/class_listing.inc(853): listing->filterActions('cn=...,ou=...', 50, Array)\n#3 /usr/share/gosa/include/class_listing.inc(764): listing->processElementFilter('%{filter:action...', Array, 50)\n#4 /usr/share/gosa/include/class_listing.inc(407): listing->renderCell('%{filter:action...', Array, 50)\n#5 /usr/share/gosa/include/class_management.inc(233): listing->render()\n#6 /usr/share/gosa/include/class_management.inc(222): management->renderList()\n#7 /usr/share/gosa/plugins/admin/users/main.inc(44): management->execute()\n#8 /usr/sh in /usr/share/gosa/plugins/admin/users/class_userManagement.inc on line 856\n
\u8fd9\u662f\u56e0\u4e3a GOsa \u65e0\u6cd5\u8bfb\u53d6\u5230\u7528\u6237\u5bc6\u7801\u7684 Hash\uff0c\u800c LDAP \u5374\u5141\u8bb8\u7528\u6237\u6ca1\u6709\u5bc6\u7801\u3002 \u53ea\u9700\u4e3a\u65b0\u7684\u7528\u6237\u8bbe\u7f6e\u5bc6\u7801\u6216\u5220\u9664\u65b0\u7684\u7528\u6237\u5373\u53ef\u3002
\u65b0\u7248 GOsa \u65e0\u6cd5\u521b\u5efa/\u4fee\u6539\u7528\u6237
\u8868\u73b0\u4e3a\u62a5\u9519 Uncaught ReflectionException: Property LDAP::$count does not exist
\u3002
\u53c2\u89c1 Debian bug #1077759
\u4e34\u65f6\u89e3\u51b3\u65b9\u6cd5\uff1a\u4fee\u6539 /usr/share/gosa/plugins/personal/generic/class_user.inc
\uff0c\u5c06 1357 \u884c $ldap->cat($ldap->count)
\u4fee\u6539\u4e3a $ldap->cat($this->new_dn)
\uff0c\u4e14\u6ce8\u91ca\u6389\u4e0b\u4e00\u4e2a if
\u8bed\u53e5\uff08if ($ldap->count != 0
\u5f00\u5934\uff09\u3002
Slapd \u662f OpenLDAP \u7684\u670d\u52a1\u7aef daemon\u3002\u6b63\u5e38\u60c5\u51b5\u4e0b\u4e0d\u9700\u8981\u78b0\uff0c\u4f46\u662f\u5982\u679c\u8981\u78b0\u7684\u65f6\u5019\uff0c\u4f60\u4f1a\u53d1\u73b0\u5b83\u7684\u914d\u7f6e\u6781\u5176\u590d\u6742\u9ebb\u70e6\u3002
\u4fee\u6539\u524d\u4e00\u5b9a\u8981\u5148\u6253\u865a\u62df\u673a\u5feb\u7167\uff01\uff01\uff01
\u5c0f\u5fc3\u5ef6\u6bd5
"},{"location":"faq/ldap/#migrate-hdb-to-mdb","title":"Migrate hdb to mdb","text":"slapd-hdb
\u5728 Debian 11 \u5373\u5c06\u88ab deprecate\uff0c\u6240\u4ee5\u5728 2021/08/15 \u7ec4\u7ec7\u4e86\u4e00\u6b21 migrate\u3002
\u7f51\u4e0a\u8d44\u6599\u5f88\u5c11\uff0c\u53c2\u8003\u4e86\uff1a
\u6b65\u9aa4\uff1a
slapcat -v -l dump.ldif
/etc/ldap
\u4ee5\u53ca /var/lib/ldap
/etc/ldap/slapd.d
\u4ee5\u53ca /var/lib/ldap
\u5220\u6389\uff08\u6216\u8005\u6539\u540d\uff09dpkg-reconfigure slapd
/tmp/ldapconvert
\u76ee\u5f55\uff0c\u8fd0\u884c slaptest -f /etc/ldap/convert.conf -F /tmp/ldapconvert
/etc/ldap/slapd.d/cn=config/cn=schema/
\u4e0b\u7684\u6587\u4ef6\uff0c\u5c06 /tmp/ldapconvert/slapd.d/cn=config/cn=schema/
\u4e0b\u7684\u6587\u4ef6\u590d\u5236\u5230 /etc/ldap/slapd.d/cn=config/cn=schema/
\u5c06 slapd.d \u5907\u4efd\u4e2d cn=config/cn=schema/
\u7684\u6587\u4ef6\u590d\u5236\u5230\u65b0\u7684 slapd.d
\u5bf9\u5e94\u7684\u76ee\u5f55\u4e0b\uff0c\u5e76\u4e14\u4fee\u6539 owner \u4e3a openldap:openldap
slapd
\uff0c\u5982\u679c\u542f\u52a8\u5931\u8d25\uff0c\u770b systemctl status slapd
\u7684\u65e5\u5fd7\u8f93\u51fa debug\u3002slapadd -l dump.ldif
\u3002\u6ce8\u610f\uff0cmdb \u6ca1\u6709\u4e8b\u52a1\uff01\u5982\u679c\u4e2d\u95f4\u51fa\u9519\u4e86\uff0c\u6392\u67e5\u95ee\u9898\u540e\uff0c\u6e05\u7a7a /var/lib/ldap
\uff0c\u91cd\u542f slapd
\u91cd\u6765\u3002\u6062\u590d\u6210\u529f\u540e\uff0c\u6709\u4e9b\u914d\u7f6e\u9700\u8981\u624b\u52a8\u8bbe\u7f6e\uff1a
TLS/SSL
# ldapmodify -H ldapi:/// -Y EXTERNAL << EOF\n> dn: cn=config\n> changetype: modify\n> replace: olcTLSCertificateFile\n> olcTLSCertificateFile: /etc/ldap/ssl/slapd-server.crt\n> -\n> replace: olcTLSCACertificateFile\n> olcTLSCACertificateFile: /etc/ldap/ssl/slapd-ca-cert.pem\n> -\n> replace: olcTLSCertificateKeyFile\n> olcTLSCertificateKeyFile: /etc/ldap/ssl/slapd-server.key\n>\n> EOF\n
\u52a0\u8f7d pw-sha2.la\uff08\u82e5\u4f7f\u7528 ssha512/256 \u5219\u9700\u8981\u52a0\u8f7d\uff09
# ldapmodify -H ldapi:/// -Y EXTERNAL << EOF\n> dn: cn=module,cn=config\n> cn: module\n> objectClass: olcModuleList\n> olcModulePath: /usr/lib/ldap/\n> olcModuleLoad: pw-sha2.la\n>\n> EOF\n
\u4e3a sudoUser \u8bbe\u7f6e index
# ldapadd -Y EXTERNAL -H ldapi:/// << EOF\n> dn: olcDatabase={1}mdb,cn=config\n> changetype: modify\n> add: olcDbIndex\n> olcDbIndex: sudoUser eq,sub\n>\n> EOF\n
\u66f4\u6539\u9ed8\u8ba4\u5bc6\u7801\u5b58\u50a8\u9009\u9879\uff08\u53ef\u9009\uff09
\u66f4\u6539\u4e3a crypt/yescrypt
# ldapmodify -Y EXTERNAL -H ldapi:/// << EOF\n> dn: olcDatabase={-1}frontend,cn=config\n> add: olcPasswordHash\n> olcPasswordHash: {CRYPT}\n> \n> dn: cn=config\n> add: olcPasswordCryptSaltFormat\n> olcPasswordCryptSaltFormat: $y$j9T$%s\n
\u66f4\u6539\u4e3a ssha512\uff08\u9700\u8981 pw-sha2.la\uff0c\u4e5f\u53ef\u53c2\u7167\u4e0a\u8ff0 yescrypt \u7684\u914d\u7f6e\u66f4\u6539\u4e3a crypt/ssha512\uff09
# ldapmodify -Y EXTERNAL -H ldapi:/// << EOF\n> dn: olcDatabase={-1}frontend,cn=config\n> add: olcPasswordHash\n> olcPasswordHash: {SSHA512}\n
\u5982\u679c\u62a5\u9519\u5df2\u7ecf\u5b58\u5728\uff0c\u53ef\u4ee5\u7528 replace \u9009\u9879\uff0c\u4ee5 crypt/yescrypt \u4e3a\u4f8b\uff1a
# ldapmodify -Y EXTERNAL -H ldapi:/// << EOF\n> dn: olcDatabase={-1}frontend,cn=config\n> changetype: modify\n> replace: olcPasswordHash\n> olcPasswordHash: {CRYPT}\n> \n> dn: cn=config\n> changetype: modify\n> replace: olcPasswordCryptSaltFormat\n> olcPasswordCryptSaltFormat: $y$j9T$%s\n
\u6ce8\u610f\u5728\u4f7f\u7528\u4e0a\u8ff0 hash \u65b9\u5f0f\u7684\u65f6\u5019\u8fdb\u5165 gosa \u7528\u6237\u9875\u9762\u65f6\u53ef\u80fd\u4f1a\u62a5\u9519 Cannot find a suitable password method for the current hash
lastbind \u7528\u4e8e\u5728\u7528\u6237\u767b\u5f55\u65f6\u767b\u8bb0\u65f6\u95f4\u6233\uff0c\u4ee5\u65b9\u4fbf\u786e\u8ba4\u54ea\u4e9b\u7528\u6237\u957f\u65f6\u95f4\u6ca1\u6709\u767b\u5f55\uff0c\u4fbf\u4e8e\u6e05\u7406\u3002\u7531\u4e8e\u6211\u4eec\u4f7f\u7528 OLC (cn=config) \u914d\u7f6e\uff0c\u7f51\u7edc\u8d44\u6599\u4e0d\u591a\uff0c\u7279\u6b64\u8bb0\u5f55\u3002
\u52a0\u8f7d\u6a21\u5757
dn: cn=module{0},cn=config\nchangetype: modify\nadd: olcModuleLoad\nolcModuleLoad: lastbind.la\n
\u4fdd\u5b58\u5230 load_lastbind.ldif
\uff0c\u7136\u540e\uff1a
$ sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f load_lastbind.ldif\nSASL/EXTERNAL authentication started\nSASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\nSASL SSF: 0\nmodifying entry \"cn=module{0},cn=config\"\n
\u6dfb\u52a0 lastbind overlay
dn: olcOverlay=lastbind,olcDatabase={1}mdb,cn=config\nobjectClass: olcLastBindConfig\nobjectClass: olcOverlayConfig\nolcOverlay: lastbind\nolcLastBindPrecision: 60\n
\u4fdd\u5b58\u5230 add_lastbind.ldif
\uff0c\u7136\u540e\uff1a
$ sudo ldapadd -Y EXTERNAL -H ldapi:/// -f add_lastbind.ldif\nSASL/EXTERNAL authentication started\nSASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\nSASL SSF: 0\nadding new entry \"olcOverlay=lastbind,olcDatabase={1}mdb,cn=config\"\n
\u53ef\u4ee5\u4f7f\u7528 ldapsearch
\u83b7\u53d6\u7528\u6237\u7684 authTimestamp
\u3002\u4ece\u672a\u767b\u5f55\u8fc7\u7684\u7528\u6237\u65e0\u8bb0\u5f55\uff1a
sudo ldapsearch -x -LLL -H ldapi:/// -b \"dc=lug,dc=ustc,dc=edu,dc=cn\" \"(authTimestamp=*)\" dn authTimestamp\n
"},{"location":"faq/nginx/","title":"Nginx \u76f8\u5173\u914d\u7f6e","text":""},{"location":"faq/nginx/#git-host-specific","title":"\u4f7f\u7528 Git \u540c\u6b65\u914d\u7f6e\uff0c\u4f46\u9700\u8981 host-specific \u7684\u914d\u7f6e","text":"$hostname
\u53ef\u4ee5\u5728\u5408\u9002\u7684\u5730\u65b9\u7528\u6765 if \u6216\u8005 map\uff0c\u4f46\u662f\u5728\u8fd9\u4e2a\u529e\u6cd5\u4e0d\u9876\u7528\u7684\u65f6\u5019\uff08\u4f8b\u5982\uff0cresolver
\u4e0d\u652f\u6301\u53d8\u91cf\uff09\u5c31\u53ea\u80fd\u7528\u4e0b\u9762\u8fd9\u4e2a\u7b28\u529e\u6cd5\u4e86\u3002.gitignore
\uff0c\u7136\u540e\u5728\u5408\u9002\u7684\u4f4d\u7f6e\u7559\u4e0b\u4e00\u4e2a README\u3002\u5728\u9ed8\u8ba4\u8bbe\u7f6e\u4e2d\uff0cnginx \u7684\u6700\u5927\u6587\u4ef6\u6253\u5f00\u6570\u4e0a\u9650\u5e76\u4e0d\u5927\u3002\u5f53\u6709\u5927\u91cf\u8bbf\u95ee\u65f6\uff0c\u6587\u4ef6\u6253\u5f00\u6570\u53ef\u80fd\u4f1a\u8d85\u8fc7\u9650\u989d\uff0c\u5bfc\u81f4\u7f51\u7ad9\u54cd\u5e94\u7f13\u6162\u3002\u5728\u65b0\u914d\u7f6e\u670d\u52a1\u5668\u65f6\uff0c\u8fd9\u4e00\u9879\u8bbe\u7f6e\u5f88\u5bb9\u6613\u88ab\u5ffd\u7565\u6389\u3002
\u89e3\u51b3\u65b9\u6cd5\uff1a
sudo systemctl edit nginx.service
\uff08\u90e8\u5206\u673a\u5668\u4e0a\u7684\u670d\u52a1\u540d\u53ef\u80fd\u4e3a openresty.service
\uff09[Service]
\u4e0b\u65b9\u6dfb\u52a0 LimitNOFILE=524288
\uff08\u89c6\u60c5\u51b5\u8fd9\u4e2a\u503c\u53ef\u4ee5\u76f8\u5e94\u8c03\u6574\uff09/tmp/mem
\u8def\u5f84","text":"\u66f4\u65b0
\u6211\u4eec\u5df2\u4e0d\u518d\u5728 nginx.conf \u91cc\u4f7f\u7528 /tmp/mem
\u4e86\uff0c\u4ee5\u4e0b\u5185\u5bb9\u4ec5\u4f5c\u5b58\u6863\u3002
\u9519\u8bef\u8868\u73b0\u662f systemctl start nginx.service
\u5931\u8d25\uff0c\u4f7f\u7528 status \u6216 journalctl \u53ef\u4ee5\u770b\u5230\u4ee5\u4e0b\u4fe1\u606f\uff1a
[emerg] mkdir() \"/tmp/mem/nginx_temp\" failed (2: No such file or directory)\n
\u8fd9\u662f\u56e0\u4e3a\u6211\u4eec\u7684 nginx.conf
\u4e2d\u94a6\u70b9\u4e86 proxy_temp /tmp/mem/nginx_temp
\uff0c\u800c /tmp/mem
\u662f\u6211\u4eec\u81ea\u5df1\u5efa\u7684\u4e00\u4e2a tmpfs \u6302\u8f7d\u70b9\uff0c\u5b83\u4e0d\u662f\u4efb\u4f55\u53d1\u884c\u7248\u7684\u9ed8\u8ba4\u914d\u7f6e\uff0c\u6240\u4ee5\u65b0\u88c5\u7684\u7cfb\u7edf\u5982\u679c\u76f4\u63a5 pull \u4e86\u8fd9\u4efd nginx config \u5c31\u4f1a\u62a5\u4ee5\u4e0a\u9519\u8bef\u3002
\uff08\u4f7f\u7528 /tmp/mem
\u7684\u539f\u56e0\u662f\uff0c\u7531\u4e8e nginx \u53cd\u4ee3\u9700\u8981\u9891\u7e41\u8bfb\u5199\u4e34\u65f6\u6587\u4ef6\uff0c\u4e3a\u4e86\u51cf\u5c11\u78c1\u76d8 IO \u5360\u7528\uff0c\u6545\u5c06\u5176\u4e34\u65f6\u6587\u4ef6\u653e\u5165\u5185\u5b58\u4e2d\uff09
\u6b63\u786e\u7684\u89e3\u51b3\u65b9\u6cd5\u662f\u8865\u4e0a\u5bf9\u5e94\u7684 fstab \u884c\uff1a
tmpfs /tmp/mem tmpfs 0 0\n
\u5982\u679c\u521b\u5efa/\u6302\u8f7d\u4e86 /tmp/mem \u540e\uff0c\u542f\u52a8\u4ecd\u7136\u51fa\u9519\uff0c\u5219\u9700\u8981\u68c0\u67e5 openresty.service/nginx.service \u6587\u4ef6\u4e2d\u662f\u5426\u5305\u542b PrivateTmp=yes
\u3002\u5982\u679c\u5305\u542b\uff0c\u5219\u9700\u8981 systemctl edit
\uff0c\u5c06\u6b64\u9879\u8bbe\u7f6e\u4e3a false
\u3002
fstab \u4e0e systemd
\u8c03\u6574 fstab \u4e4b\u540e\uff0c\u9700\u8981\u6267\u884c systemctl daemon-reload
\uff0c\u5426\u5219 systemd \u53ef\u80fd\u4f1a\u5728\u7b2c\u4e8c\u65e5\u51cc\u6668\u6302\u8f7d\u5df2\u88ab\u6ce8\u91ca\u7684\u78c1\u76d8\u9879\u3002
\u8fd9\u91cc\u5173\u6ce8\u4e09\u4e2a\u76f8\u5173\u7684\u6b65\u9aa4\uff1aaccess_by
, log_by
\u548c header_filter_by
\uff0c\u4ee5\u53ca ngx.ctx
\u548c ngx.var
\u7684\u6ce8\u610f\u4e8b\u9879\u3002
\u6d4b\u8bd5\u7528 server \u5757\uff1a
server {\n listen 80 default_server;\n listen [::]:80 default_server;\n\n root /var/www/html;\n\n index index.html index.htm index.nginx-debian.html;\n\n server_name _;\n\n set $testvar \"\";\n access_by_lua_file /etc/nginx/lua/access.lua;\n header_filter_by_lua_file /etc/nginx/lua/header_filter.lua;\n log_by_lua_file /etc/nginx/lua/log.lua;\n\n location / {\n try_files $uri $uri/ =404;\n }\n\n location /lua-test0 {\n return 302 /lua-test1;\n }\n\n location /lua-test1 {\n return 200;\n }\n\n location /lua-test2 {\n try_files $uri $uri/ @internal1;\n }\n\n location @internal1 {\n return 418;\n }\n}\n
\u4e09\u4e2a lua:
/etc/nginx/lua/access.lualocal ctx = ngx.ctx\nctx.testvar = \"testvar\"\nngx.var.testvar = \"testvar\"\nngx.log(ngx.ERR, \"ctx \", ctx.testvar)\nngx.log(ngx.ERR, \"var \", ngx.var.testvar)\n
/etc/nginx/lua/header_filter.lualocal ctx = ngx.ctx\n\nngx.log(ngx.ERR, \"ctx \", ctx.testvar)\nngx.log(ngx.ERR, \"var \", ngx.var.testvar)\n
/etc/nginx/lua/log.lualocal ctx = ngx.ctx\n\nngx.log(ngx.ERR, \"ctx \", ctx.testvar)\nngx.log(ngx.ERR, \"var \", ngx.var.testvar)\n
"},{"location":"faq/nginx/#rewritereturn-access_by","title":"rewrite/return \u4e0e access_by","text":"\u8bbf\u95ee localhost/lua-test0 \u6216\u8005 localhost/lua-test1\uff0c\u6ca1\u6709 access.lua \u7684\u8f93\u51fa\uff1a
2024/07/22 02:50:16 [error] 9465#9465: *12 [lua] header_filter.lua:3: ctx nil, client: 127.0.0.1, server: _, request: \"GET /lua-test0 HTTP/1.1\", host: \"localhost\"\n2024/07/22 02:50:16 [error] 9465#9465: *12 [lua] header_filter.lua:4: var nil, client: 127.0.0.1, server: _, request: \"GET /lua-test0 HTTP/1.1\", host: \"localhost\"\n2024/07/22 02:50:16 [error] 9465#9465: *12 [lua] log.lua:3: ctx nil while logging request, client: 127.0.0.1, server: _, request: \"GET /lua-test0 HTTP/1.1\", host: \"localhost\"\n2024/07/22 02:50:16 [error] 9465#9465: *12 [lua] log.lua:4: var nil while logging request, client: 127.0.0.1, server: _, request: \"GET /lua-test0 HTTP/1.1\", host: \"localhost\"\n
\u5982\u679c\u8bbf\u95ee localhost/somefile\uff0c\u662f\u6709\u8f93\u51fa\u7684\uff1a
2024/07/22 03:03:42 [error] 9628#9628: *19 [lua] access.lua:4: ctx testvar, client: 127.0.0.1, server: _, request: \"GET /somefile HTTP/1.1\", host: \"localhost\"\n2024/07/22 03:03:42 [error] 9628#9628: *19 [lua] access.lua:5: var testvar, client: 127.0.0.1, server: _, request: \"GET /somefile HTTP/1.1\", host: \"localhost\"\n2024/07/22 03:03:42 [error] 9628#9628: *19 [lua] header_filter.lua:3: ctx testvar, client: 127.0.0.1, server: _, request: \"GET /somefile HTTP/1.1\", host: \"localhost\"\n2024/07/22 03:03:42 [error] 9628#9628: *19 [lua] header_filter.lua:4: var testvar, client: 127.0.0.1, server: _, request: \"GET /somefile HTTP/1.1\", host: \"localhost\"\n2024/07/22 03:03:42 [error] 9628#9628: *19 [lua] log.lua:3: ctx testvar while logging request, client: 127.0.0.1, server: _, request: \"GET /somefile HTTP/1.1\", host: \"localhost\"\n2024/07/22 03:03:42 [error] 9628#9628: *19 [lua] log.lua:4: var testvar while logging request, client: 127.0.0.1, server: _, request: \"GET /somefile HTTP/1.1\", host: \"localhost\"\n
\u8fd9\u662f\u56e0\u4e3a return
\u8bed\u53e5\u53d1\u751f\u5728 rewrite
\u9636\u6bb5\uff0c\u56e0\u6b64\u8df3\u8fc7\u4e86 access
\u9636\u6bb5\uff0caccess_by_lua_block
\u5c31\u6ca1\u6709\u88ab\u6267\u884c\u3002\u56e0\u6b64 Content phase \u4e2d\u7684\u7a0b\u5e8f\u4e0d\u80fd\u5047\u8bbe access_by \u80af\u5b9a\u88ab\u6267\u884c\u4e86\u3002
ngx.ctx
","text":"https://github.com/openresty/lua-nginx-module?tab=readme-ov-file#ngxctx
\u652f\u6301\u4efb\u610f lua \u6570\u636e\u7ed3\u6784\u7684\uff0c\u4e0e\u5355\u72ec request \u7ed1\u5b9a\u7684\u72b6\u6001\u53d8\u91cf\u3002\u540c\u65f6\u4e5f\u4e0d\u9700\u8981\u50cf ngx.var
\u4e00\u6837\u63d0\u524d set
\u3002
\u5c0f\u5fc3\u5185\u90e8\u8df3\u8f6c
Internal redirects (triggered by nginx configuration directives like error_page
, try_files
, index
and etc) will destroy the original request ngx.ctx
data (if any) and the new request will have an empty ngx.ctx table.
\u8bbf\u95ee localhost/lua-test2\uff08\u5047\u8bbe\u524d\u9762\u7684 try_files
\u5931\u8d25\uff09\uff1a
2024/07/22 03:10:15 [error] 9630#9630: *22 [lua] access.lua:4: ctx testvar, client: 127.0.0.1, server: _, request: \"GET /lua-test2 HTTP/1.1\", host: \"localhost\"\n2024/07/22 03:10:15 [error] 9630#9630: *22 [lua] access.lua:5: var testvar, client: 127.0.0.1, server: _, request: \"GET /lua-test2 HTTP/1.1\", host: \"localhost\"\n2024/07/22 03:10:15 [error] 9630#9630: *22 [lua] header_filter.lua:3: ctx nil, client: 127.0.0.1, server: _, request: \"GET /lua-test2 HTTP/1.1\", host: \"localhost\"\n2024/07/22 03:10:15 [error] 9630#9630: *22 [lua] header_filter.lua:4: var testvar, client: 127.0.0.1, server: _, request: \"GET /lua-test2 HTTP/1.1\", host: \"localhost\"\n2024/07/22 03:10:15 [error] 9630#9630: *22 [lua] log.lua:3: ctx nil while logging request, client: 127.0.0.1, server: _, request: \"GET /lua-test2 HTTP/1.1\", host: \"localhost\"\n2024/07/22 03:10:15 [error] 9630#9630: *22 [lua] log.lua:4: var testvar while logging request, client: 127.0.0.1, server: _, request: \"GET /lua-test2 HTTP/1.1\", host: \"localhost\"\n
\u8fd9\u4e2a\u95ee\u9898\u5bf9\u4e00\u4e9b\u9700\u8981\u5728 access \u4e2d\u505a\u4e00\u4e9b\u4e8b\u60c5\uff0c\u5c06\u72b6\u6001\u5b58\u50a8\u5728 ngx.ctx
\u4e2d\uff0c\u7136\u540e\u5728 header_filter \u6216\u8005 log \u4e2d\u53d6\u6d88\u5bf9\u5e94\u6548\u679c\u7684\u903b\u8f91\uff08\u4f8b\u5982 resty.limit.conn \u5728\u8bbf\u95ee\u7684\u6587\u4ef6\u5f53\u524d\u4e0d\u5b58\u5728\u7684\u60c5\u51b5\u4e0b\uff09\u6765\u8bf4\u662f\u81f4\u547d\u7684\u3002
ngx.var
","text":"https://github.com/openresty/lua-nginx-module?tab=readme-ov-file#ngxvarvariable
\u4f7f\u7528\u6709\u4e00\u4e9b\u9ebb\u70e6\uff1a
ngx.ctx
\u6765\u8bf4\u4f4e\u4e00\u4e9b\uff0c\u5b98\u65b9\u6587\u6863\u4e0d\u5efa\u8bae\u5c06 ngx.var
\u4f7f\u7528\u5230\u5173\u952e\u8def\u5f84\u4e0a\u3002\u4f46\u662f\u76f8\u6bd4\u4e8e ngx.ctx
\uff0c\u6700\u5927\u7684\u4f18\u52bf\u5c31\u662f\u5373\u4f7f\u7ecf\u8fc7\u4e86 internal redirection\uff0cngx.var
\u7684\u5185\u5bb9\u4e5f\u4f1a\u4fdd\u7559\u3002
\u7531\u4e8e ngx.var
\u5176\u672c\u8eab\u4e0d\u9002\u5408\u5b58\u50a8\u590d\u6742\u7684\u7ed3\u6784\uff0c\u7b2c\u4e09\u65b9\u6a21\u5757 (lua-resty-ctxdump, 2-clause BSD license) \u5904\u7406\u8fd9\u4e2a\u95ee\u9898\u7684\u505a\u6cd5\u662f\uff1a\u5c06\u5b9e\u9645\u5185\u5bb9\u4fdd\u5b58\u5728\u6a21\u5757\u5185\u90e8\u7684 memo \u8868\u4e2d\uff0c\u800c\u9700\u8981\u5b58\u50a8\u5728 ngx.var \u91cc\u9762\u7684\u53ea\u662f memo \u8868\u7684 key\uff08\u6570\u5b57\uff09\u3002
OpenResty \u5b98\u65b9\u63a8\u8350\u4f7f\u7528 opm (openresty-opm
) \u7ba1\u7406\u6a21\u5757\u3002\u624b\u52a8\u7ef4\u62a4\u6a21\u5757\u7684\u8bdd\u9700\u8981\u81ea\u884c\u5904\u7406\u914d\u7f6e\uff0c\u5bf9\u5e94\u7684\u662f lua_package_path
\uff08http
\u5757\u5185\uff0c\u5206\u53f7\u5206\u5272\u8def\u5f84\uff0c\u6700\u540e ;;
\u4ee3\u8868\u5185\u7f6e\u7684\u539f\u59cb\u8def\u5f84\uff09\u3002
\u4f8b\u5982\uff1a
lua_package_path \"/etc/nginx/lua/module/?.lua;;\";\n
\u4ee5 https://github.com/tokers/lua-resty-ctxdump/blob/master/lib/resty/ctxdump.lua \u4e3a\u4f8b\uff0c\u4e0b\u8f7d\u5230 /etc/nginx/lua/module/
下之后（这段代码会在 nginx worker 进程内执行，建议固定到具体的 commit 或 tag 并审阅内容后再部署，而不是直接使用 master 分支的最新文件），就可以在其他 lua 文件内使用了：
local ctxdump = require \"ctxdump\"\nlocal ctx = ngx.ctx\nctx.testvar = {foo = \"bar\", num = 42}\n-- \u9700\u8981 set $ctx_ref \"\";\nngx.var.ctx_ref = ctxdump.stash_ngx_ctx()\nngx.log(ngx.ERR, \"ctx foo \", ctx.testvar.foo)\nngx.log(ngx.ERR, \"ctx num \", ctx.testvar.num)\nngx.log(ngx.ERR, \"var ctx_ref \", ngx.var.ctx_ref)\n
/etc/nginx/lua/log.lualocal ctxdump = require \"ctxdump\"\nngx.log(ngx.ERR, \"var ctx_ref \", ngx.var.ctx_ref)\nngx.ctx = ctxdump.apply_ngx_ctx(ngx.var.ctx_ref)\nlocal ctx = ngx.ctx\nngx.log(ngx.ERR, \"ctx foo \", ctx.testvar.foo)\nngx.log(ngx.ERR, \"ctx num \", ctx.testvar.num)\n
\u5982\u679c\u6ca1\u6709\u627e\u5230\u6587\u4ef6\uff0c\u62a5\u9519\u4fe1\u606f\u4e2d\u4f1a\u5305\u542b\u6240\u6709\u5c1d\u8bd5\u8fc7\u7684\u8def\u5f84\u3002
"},{"location":"faq/nginx/#_3","title":"\u4ee3\u7801\u590d\u7528\u4e0e\u6a21\u5757\u7f16\u5199","text":"\u6700\u7b80\u5355\u7684\u4ee3\u7801\u590d\u7528\u7684\u65b9\u6cd5\u662f\u4f7f\u7528 loadfile()
\u51fd\u6570\uff0c\u8fd9\u6837\u51e0\u4e4e\u4e0d\u9700\u8981\u4fee\u6539\u4ee3\u7801\u5185\u5bb9\u3002
local f = loadfile(\"/etc/nginx/lua/somefile.lua\")\nif f then\n f()\nelse\n ngx.log(ngx.ERR, \"failed to load somefile.lua\")\nend\n
\u4f46\u662f\u8fd9\u4e48\u505a\u662f\u6ca1\u6709 JIT \u7f13\u5b58\u7684\uff0c\u610f\u5473\u7740\u6bcf\u4e2a\u8bf7\u6c42\u90fd\u9700\u8981\u6574\u4e2a\u52a0\u8f7d\u4e00\u904d\u5bf9\u5e94\u7684\u539f\u59cb lua \u4ee3\u7801\u3002\u4e00\u4e2a\u57fa\u672c\u7684\u6a21\u5757\u7c7b\u4f3c\u4e8e\u4e0b\u9762\u8fd9\u6837\uff1a
local _M = {}\n\nlocal function some_internal_func(a)\n return a + a\nend\n\nfunction _M.f1(a, b)\n local aa = some_internal_func(a)\n local bb = some_internal_func(b)\n return aa + bb\nend\n\nreturn _M\n
"},{"location":"faq/ssd/","title":"SSD \u56fa\u4ef6","text":"\u6570\u636e\u4e2d\u5fc3\u76d8\u7684 SSD \u8fd1\u5e74\u6765\u6709\u591a\u8d77\u56e0\u4e3a\u56fa\u4ef6\u95ee\u9898\u5bfc\u81f4\u4f7f\u7528\u65f6\u95f4\u8fc7\u957f\uff08\u51e0\u4e07\u5c0f\u65f6\uff09\u540e\u76d8\u574f\u6389\u7684\u65b0\u95fb\u3002 \u8fd9\u7c7b\u4e8b\u4ef6\u4e00\u65e6\u53d1\u751f\uff0c\u540e\u679c\u6781\u5176\u4e25\u91cd\uff0c\u56e0\u4e3a\u914d\u7f6e\u65b0\u670d\u52a1\u5668\u65f6\uff0c\u4e00\u822c\u4f7f\u7528\u7684\u76d8\u578b\u53f7\u662f\u4e00\u6837\u7684\uff0c\u5e76\u4e14\u5f00\u673a\u65f6\u95f4\u4e5f\u662f\u4e00\u6837\u7684\uff0c \u56e0\u6b64\u51fa\u73b0\u95ee\u9898\u4e4b\u540e\uff0c\u6240\u6709\u76d8\u90fd\u4f1a\u5728\u77ed\u65f6\u95f4\u5185\u574f\u6389\uff0cRAID \u6839\u672c\u65e0\u529b\u56de\u5929\u3002 \u56e0\u6b64\u4ee5\u4e0b\u8bb0\u5f55\u4e00\u4e9b\u56fa\u4ef6\u5347\u7ea7\u7684\u65b9\u6cd5\u3002
"},{"location":"faq/ssd/#intel","title":"Intel","text":""},{"location":"faq/ssd/#_1","title":"\u80cc\u666f","text":"2024 \u5e74 1 \u6708 12 \u65e5\u51cc\u6668\uff0c\u5728\u53d1\u73b0\u4e24\u5757 Intel SSD S4510/S4610 \u51fa\u73b0 SMART \u9519\u8bef\u5e76\u4e14 ZFS \u63d0\u793a\u8bfb\u53d6\u9519\u8bef\u4e4b\u540e\u7d27\u6025\u8fdb\u884c\u4e86\u56fa\u4ef6\u5347\u7ea7\uff08\u5426\u5219\u8fd8\u6709 8 \u5757\u76d8\u4e5f\u4f1a\u5f88\u5feb\u56e0\u4e3a\u7c7b\u4f3c\u95ee\u9898\u635f\u574f\uff09\u3002\u7531\u4e8e\u7f3a\u5c11\u76f8\u5173\u8d44\u6599\uff0c\u5e76\u4e14 Intel \u4e0b\u67b6\u4e86\u5927\u91cf\u4fe1\u606f\uff0c\u56e0\u6b64\u82b1\u8d39\u4e86\u5f88\u591a\u65f6\u95f4\uff0c\u81f3\u51cc\u6668\u4e03\u70b9\u5b8c\u6210\u5347\u7ea7\u3002
Timeline2024/01/11 04:21 - \u6536\u5230 smartd \u90ae\u4ef6\u79f0 /dev/sdi
\u51fa\u73b0 End-to-End_Error_Count
\u9519\u8bef\u3002
\u4e4b\u540e\u672a\u6000\u7591\u662f\u56fa\u4ef6\u95ee\u9898\uff0c\u53ea\u8ba4\u4e3a\u662f\u5076\u53d1\u7684\u9519\u8bef\uff0c\u5e76\u4e14 SSD \u4ecd\u53ef\u6b63\u5e38\u8bfb\u53d6\uff0cZFS \u6b63\u5e38\u7ea0\u9519\uff0c\u56e0\u6b64\u5f53\u5929\u5f00\u59cb\u51c6\u5907\u91c7\u8d2d\u65b0 SSD\uff0c\u672a\u8fdb\u884c\u5176\u4ed6\u64cd\u4f5c\u3002
2024/01/12 02:51 - \u6536\u5230 smartd \u90ae\u4ef6\u79f0 /dev/sdh
\u51fa\u73b0 End-to-End_Error_Count
\u9519\u8bef\u3002
\u4e4b\u540e\u6000\u7591\u662f\u56fa\u4ef6\u95ee\u9898\uff0c\u5e76\u4ece\u6d6a\u6f6e\u7684\u7f51\u7ad9\u786e\u8ba4\u4e86\u8fd9\u4e00\u70b9\u3002 Dell \u63d0\u4f9b\u4e86\u4fee\u590d\u5305\uff0c\u4f46\u662f\u65e0\u6cd5\u5728 Debian \u4e0b\u5b89\u88c5\u3002Intel/Solidigm \u63d0\u4f9b\u7684\u5347\u7ea7\u5de5\u5177\u6709\u8bb8\u591a\u4e0d\u540c\u7248\u672c\uff0c\u5176\u4e2d isdct \u4e0e sst \u63d0\u793a\u5347\u7ea7\u5931\u8d25\uff0cintelmas \u63d0\u793a\u5f53\u524d\u4ea7\u54c1\u5df2\u4e0d\u518d\u652f\u6301\u3002
\u5728\u8fc1\u79fb\u90e8\u5206\u91cd\u8981\u865a\u62df\u673a\uff0c\u5e76\u786e\u8ba4\u5907\u4efd\u6b63\u5e38\u540e\uff08\u5927\u81f4\u82b1\u8d39\u4e86 2 \u5230 2.5 \u5c0f\u65f6\uff09\uff0c\u91cd\u542f\u5bf9\u5e94\u670d\u52a1\u5668\uff0c\u5c1d\u8bd5\u4f7f\u7528 Solidigm \u63d0\u4f9b\u7684\u300c\u5347\u7ea7\u542f\u52a8\u76d8\u300d\u5347\u7ea7\uff0c\u63d0\u793a\u627e\u4e0d\u5230 SSD \u800c\u5931\u8d25\u3002 \u4e4b\u540e\u4ece Solidigm \u8bba\u575b\u4e86\u89e3\u5230\u9700\u8981\u5173\u95ed\u76f4\u901a\u8bbe\u7f6e\u3002\u5148\u5bf9 /dev/sdi
\u8fdb\u884c\u4e86\u6d4b\u8bd5\uff08\u8be5\u76d8\u6709 SMART \u9519\u8bef\uff0c\u4f46\u662f\u4ecd\u53ef\u8bfb\u5199\uff09\uff0c\u5347\u7ea7\u6210\u529f\u3002\u4e4b\u540e\u5347\u7ea7\u4e86\u5168\u90e8 Intel SSD\u3002
\u76f8\u5173\u6d89\u95ee\u9898\u56fa\u4ef6\u7248\u672c\u4e3a XCV10100\u3002XCV10110 \u53ca\u4ee5\u4e0a\u4fee\u590d\u4e86\u95ee\u9898\u3002
"},{"location":"faq/ssd/#_2","title":"\u5347\u7ea7\u65b9\u6cd5","text":"Intel \u7684\u5b58\u50a8\u4e1a\u52a1\u5df2\u7ecf\u88ab SK Hynix \u5b50\u516c\u53f8 Solidigm \u6536\u8d2d\u3002\u5176\u63d0\u4f9b\u4e86\u76f8\u5173\u5de5\u5177\u8fdb\u884c\u5347\u7ea7\u3002
https://www.solidigm.com/us/en/support-page/product-doc-cert/ka-00099.html \u63d0\u4f9b\u4e86 Solidigm \u5de5\u5177\u652f\u6301\u7684\u4ea7\u54c1\u5217\u8868\u3002\u4e0b\u8f7d\u6700\u65b0\u7248\u672c Solidigm\u2122 Storage Tool \u4e4b\u540e\uff08\u652f\u6301 Debian/Ubuntu\uff09\uff0c\u4f7f\u7528\u4ee5\u4e0b\u65b9\u6cd5\u68c0\u67e5\u6240\u6709 SSD \u7684\u4fe1\u606f\uff1a
sst show -ssd\n
\u5173\u6ce8\u6bcf\u4e2a SSD \u7684 FirmwareUpdateAvailable
\u4e00\u884c\u662f\u5426\u6709\u66f4\u65b0\u4fe1\u606f\u3002
\u4f7f\u7528\u4ee5\u4e0b\u547d\u4ee4\u5347\u7ea7\uff1a
sst load -ssd <SSD \u7684\u7f16\u53f7>\n
\u8bf7\u6ce8\u610f\uff0c\u8be5\u5de5\u5177\u4e0d\u652f\u6301 RAID \u5361\u7684\u76f4\u901a\u6a21\u5f0f\u3002\u5bf9\u4e8e Dell \u670d\u52a1\u5668\u6765\u8bf4\uff0c\u9700\u8981\u8bbe\u7f6e\u5982\u4e0b\uff1a
sst set -system EnableLSIAdapter=True
sst
\u8fdb\u884c\u5347\u7ea7\u3002Systemd-timer \u4f5c\u4e3a crontab \u7684\u66ff\u4ee3\u54c1\uff0c\u6709\u4e00\u7cfb\u5217\u7684\u4f18\u70b9\uff1a
\u5f53\u7136\u76f8\u6bd4\u4e8e crontab\uff0c\u7f3a\u70b9\u4e5f\u5f88\u660e\u663e\uff1a
\u6240\u4ee5\u4ee5\u4e0b\u7ed9\u51fa\u4e00\u4e2a\u6a21\u677f\uff0c\u65b9\u4fbf\u5728\u521b\u5efa\u65b0\u5b9a\u65f6\u4efb\u52a1\u7684\u65f6\u5019\u4f7f\u7528\u3002\u8fd9\u91cc\u7684\u4f8b\u5b50\u662f mirrors2 \u4ece mirrors4 \u83b7\u53d6\u538b\u7f29\u540e\u7684\u65e5\u5fd7\u3002\u4ee5\u4e0b\u6587\u4ef6\u5747\u653e\u5728 /etc/systemd/system
\u3002
[Unit]\nDescription=Mirrors4 log backup\nDocumentation=man:rsync(1)\nAfter=network.target\nStartLimitIntervalSec=0\n\n[Service]\nType=simple\nUser=mirror\nGroup=mirror\nExecStart=rsync -rltpv --include=*/ --include=*.xz --exclude=* m4log:/ /var/m4log/\nRestart=on-failure\nRestartSec=3\n
m4log.timer[Unit]\nDescription=Mirrors4 log backup timer\nDocumentation=man:rsync(1)\nAfter=network.target\nStartLimitIntervalSec=0\n\n[Timer]\nOnCalendar=*-*-* 7:13:00\nRandomizedDelaySec=60s\nPersistent=true\nUnit=m4log.service\n\n[Install]\nWantedBy=timer.target\n
\u5173\u4e8e OnCalendar \u7684\u89e6\u53d1\u65f6\u95f4\uff0c\u53ef\u4ee5\u53c2\u8003 systemd \u7684 Calendar Events \u8bf4\u660e\uff0c\u5e76\u7528 systemd-analyze calendar
\u6765\u68c0\u9a8c\u6b63\u786e\u6027\uff0c\u4e5f\u53ef\u4ee5\u7528 systemctl list-timers
\u89c2\u5bdf Timer \u4e0b\u6b21\u89e6\u53d1\u7684\u65f6\u95f4\u662f\u5426\u7b26\u5408\u9884\u671f\u3002
\u4e0b\u9762\u662f\u4e00\u4e9b\u5e38\u7528\u547d\u4ee4\uff1a
systemctl enable m4log.timer
systemctl start m4log.timer
systemctl start m4log.service
systemctl status m4log.service
\u6269\u5927\u865a\u62df\u78c1\u76d8\u7684\u5927\u5c0f\u540e\uff0c\u53ef\u4ee5\u91c7\u7528\u4ee5\u4e0b\u76f8\u5bf9\u7b80\u5355\u7684\u65b9\u5f0f\u6269\u5c55\u5206\u533a\u5927\u5c0f\uff1a
\u8bf7\u786e\u4fdd\u7406\u89e3\u547d\u4ee4\u540e\u518d\u6267\u884c
$ # \u5b89\u88c5 growpart\n$ sudo apt install cloud-guest-utils\n$ # \u6269\u5c55 /dev/sdb1\n$ sudo growpart /dev/sdb 1\n$ # \u73b0\u5728\u5206\u533a\u8868\u4ee5\u53ca\u5206\u533a\u6269\u5c55\u4e86\uff0c\u4f46\u662f\u5206\u533a\u91cc\u9762\u7684\u6587\u4ef6\u7cfb\u7edf\u7684\u5927\u5c0f\u8fd8\u6ca1\u6709\u6269\u5c55\n$ # \u4ee5 ext4 \u4e3a\u4f8b\n$ sudo resize2fs /dev/sdb1\n
"},{"location":"infrastructure/auth-dns/","title":"Authoritative DNS","text":"Services (Servers):
All three servers are dedicated to DNS service and run no other services.
"},{"location":"infrastructure/auth-dns/#deploy","title":"Deploy","text":"The bind configuration repository is only visible to admins because private key is included.
# copy the ssh key https://github.com/ustclug/auth-dns/blob/master/git_pull_key\n# to ~/.ssh/id_ed25519\n\n# now get the conf\ngit clone git@github.com:ustclug/auth-dns.git /var/lib/bind\n\n# delete the ssh key\nrm ~/.ssh/id_ed25519\n
docker run --restart=always -v /var/lib/bind/:/etc/bind \\\n --net host -it -d --name=auth-dns zhusj/bind9\n
"},{"location":"infrastructure/auth-dns/#update-dns-record","title":"Update DNS Record","text":"Just commit your changes to the configuration repository. More details can be found in the repository.
"},{"location":"infrastructure/auth-dns/#webhook","title":"Webhook","text":"Please add a webhook in the configuration repository, so that the DNS record can be automatically updated when commits are pushed.
The webhook endpoint is http://<server_ip>:9000/hooks/bind, see https://github.com/ustclug/auth-dns/settings/hooks for examples. The endpoint is plain HTTP on a directly reachable port, so configure the hook with a secret and make sure the receiver verifies GitHub's X-Hub-Signature-256 header (and, where possible, restrict port 9000 to GitHub's published webhook IP ranges); otherwise anyone who can reach the port can trigger a configuration pull.
The first application on October 25, 2023 was declined with the following reason (emphasis mine):
During our review of your application for Various (USTC Open Source Soft[sic], we determined that while your project meets most of the program requirements, there is a lack of documentation in one or more of your repositories on Docker Hub.
Before resubmitting the application, I deleted a few obsolete repositories and filled in the \"Repository overview\" for the rest, asking ChatGPT to produce it when needed. Afterwards, the second submission was approved in just 3 hours.
"},{"location":"infrastructure/github/","title":"GitHub Organization","text":"ustclug @ GitHub
"},{"location":"infrastructure/github/#github-actions","title":"GitHub Actions","text":"GitHub Actions \u5bf9\u516c\u5f00\u4ed3\u5e93\u514d\u8d39\uff0c\u5bf9\u79c1\u6709\u4ed3\u5e93\u6bcf\u6708\u6709 3000 \u5206\u949f\u7684\u9650\u989d\uff08\u6ce8\uff1a\u6211\u4eec\u662f\u5b66\u6821\u5e2e\u5fd9\u7533\u8bf7\u7684 GitHub Education\uff0c\u6240\u4ee5\u6211\u4eec\u5728\u529f\u80fd\u4e0a\u76f8\u5f53\u4e8e\u4ed8\u8d39\u7684 GitHub Team\uff09\u3002\u76ee\u524d\u6211\u4eec\u6709\u591a\u4e2a\u9879\u76ee\u4f7f\u7528 GitHub Actions \u90e8\u7f72\uff0c\u4f8b\u5982 Linux 101 \u7684\u8bb2\u4e49\u3002
\u6211\u4eec\u66fe\u7ecf\u4f7f\u7528 Travis CI\uff08\u73b0\u5728\u4e5f\u5728\u90e8\u5206\u516c\u5f00\u4ed3\u5e93\u4e2d\u4f7f\u7528\uff09\uff0c\u56e0\u4e3a\uff08\u4e0d\u4f1a\u5b9a\u671f\u91cd\u7f6e\u7684\uff09\u6570\u91cf\u9650\u5236\u800c\u5c06\u79c1\u6709\u4ed3\u5e93\u5168\u90e8\u8fc1\u51fa\uff0c\u8ba8\u8bba\u89c1 Discussion #308.
"},{"location":"infrastructure/github/#2fa","title":"\u4e24\u6b65\u8ba4\u8bc1\uff082FA\uff09","text":"\u6211\u4eec\u5f3a\u70c8\u5efa\u8bae\u52a0\u5165 ustclug \u7ec4\u7ec7\u7684\u7528\u6237\u4e3a\u81ea\u5df1\u7684 GitHub \u8d26\u53f7\u914d\u7f6e\u4e24\u6b65\u8ba4\u8bc1\uff1a
\u7531\u4e8e G Suite \u81ea 2022 \u5e74 7 \u6708\u8d77\u4e0d\u518d\u63d0\u4f9b\u514d\u8d39\u7684 Teams\uff0c\u4e14\u5df2\u6709\u7684\u514d\u8d39 Teams \u4e5f\u5c06\u505c\u6b62\u670d\u52a1\uff0c\u6211\u4eec\u5df2\u4e8e 2022 \u5e74 3 \u6708\u5168\u9762\u8fc1\u79fb\u81f3 Office 365\u3002
\u8003\u8651\u5230\u6b64\u9875\u9762\u7684 URL \u8fd8\u6709\u4e00\u5b9a\u6570\u91cf\u7684\u5916\u94fe\uff0c\u6211\u4eec\u628a\u672c\u9875\u6587\u6863\u91cd\u65b0\u52a0\u4e86\u56de\u6765\uff0c\u4f46\u662f\u6240\u6709\u6709\u610f\u4e49\u7684\u5185\u5bb9\u90fd\u5df2\u7ecf\u79fb\u52a8\u5230\u4e86 Office 365 \u9875\u9762\u4e2d\u3002
"},{"location":"infrastructure/ldap/","title":"LDAP \u670d\u52a1\u4f7f\u7528\u53ca\u914d\u7f6e\u8bf4\u660e","text":"LDAP \u662f\u8f7b\u91cf\u76ee\u5f55\u8bbf\u95ee\u534f\u8bae\uff0c\u6211\u4eec\u7528\u7684\u8f6f\u4ef6\u662f OpenLDAP\u3002
LDAP \u7684\u914d\u7f6e\u5f88\u9ebb\u70e6\uff0c\u6240\u4ee5\u88c5\u4e86\u4e00\u4e2a\u7f51\u9875\u524d\u7aef\u6765\u914d\u7f6e\u5b83\uff0c\u7f51\u9875\u524d\u7aef\u662f GOsa\u00b2\u3002
"},{"location":"infrastructure/ldap/#_1","title":"\u5bc6\u7801\u4fee\u6539","text":"\u767b\u5f55\u4efb\u610f\u4e00\u53f0\u670d\u52a1\u5668\u4f7f\u7528 passwd
\u5c31\u53ef\u4ee5\u4fee\u6539\u5bc6\u7801\uff0c\u4fee\u6539\u7684\u5bc6\u7801\u5728\u6240\u6709\u673a\u5668\u4e0a\u5b9e\u65f6\u751f\u6548\uff08\u56e0\u4e3a\u5b9e\u9645\u662f\u5b58\u5728 LDAP \u6570\u636e\u5e93\u91cc\u7684\uff09\u3002
\u7f51\u9875\u754c\u9762\u4f4d\u4e8e ldap.lug.ustc.edu.cn\u3002
\u7528\u4f60\u7684\u8d26\u53f7\u767b\u5f55\u8fdb\u53bb\u4e4b\u540e\uff0c\u53ef\u4ee5\u5728\u53f3\u4e0a\u89d2\u9000\u51fa\uff0c\u53f3\u4e0a\u89d2\u8fd8\u6709\u4e24\u4e2a\u6309\u94ae\u5206\u522b\u662f\u4fee\u6539\u8d26\u53f7\u4fe1\u606f\u548c\u4fee\u6539\u5bc6\u7801\u3002\u8d26\u53f7\u4fe1\u606f\u7b2c\u4e00\u9875\u5927\u90e8\u5206\u662f\u6ca1\u7528\u7684\uff0c\u53ea\u6709\u4e00\u4e2a\u767b\u5f55\u540d\u662f\u6709\u7528\u7684\uff0c\u8fd9\u662f\u4f60\u767b\u5f55\u4efb\u4f55\u5730\u65b9\u7684\u7528\u6237\u540d\u3002
"},{"location":"infrastructure/ldap/#ldap-users-and-groups","title":"Users \u548c Groups","text":"Users \u662f\u7528\u6765\u6dfb\u52a0\u548c\u914d\u7f6e\u7528\u6237\u4fe1\u606f\u7684\u5730\u65b9\u3002\u6700\u4e3b\u8981\u7684\u529f\u80fd\u4f4d\u4e8e\u6bcf\u4e2a User \u7684\u7b2c\u4e8c\u9875 POSIX\uff0c\u8fd9\u91cc\u53ef\u4ee5\u8bbe\u7f6e\u7528\u6237\u7684\u5bb6\u76ee\u5f55\uff0cUID\uff0cGID\uff0c\u4ee5\u53ca\u6240\u5c5e\u7684\u7528\u6237\u7ec4\u3002\u8fd9\u91cc\u9700\u8981\u6ce8\u610f\u7684\u5730\u65b9\u5982\u4e0b\uff1a
UID\uff0cGID \u4ece 2000 \u5f00\u59cb\u8ba1\u6570\uff0c\u7531\u4e8e gosa \u4e0d\u80fd\u5bf9 UID \u81ea\u52a8\u589e\u957f\uff0c\u6240\u4ee5\u7ba1\u7406\u5458\u9700\u8981\u4eba\u5de5\u589e\u957f\u3002\u65b9\u6cd5\u662f\u767b\u5f55\u4efb\u610f\u4e00\u53f0\u673a\u5668\uff0c\u8fd0\u884c getent passwd
\u5e76\u89c2\u5bdf\u8f93\u51fa\uff0c\u53d6\u6700\u5927\u7684 UID + 1 \u5c31\u884c\u4e86\u3002
\u5751
\u5c0f\u5fc3\u8f93\u51fa\u7684\u987a\u5e8f\uff0c\u6700\u5927\u7684 UID \u4e0d\u4e00\u5b9a\u662f\u6700\u540e\u4e00\u4e2a\uff08\u800c\u4e14\u4e8b\u5b9e\u4e0a\u7ecf\u5e38\u4e0d\u662f\uff09\uff0c\u5efa\u8bae\u914d\u5408 sed, awk, sort \u4e4b\u7c7b\u7684\u547d\u4ee4\u59a5\u5584\u5904\u7406\uff0c\u4f8b\u5982
getent -s ldap passwd | cut -d: -f3 | sort -n\n
\u540c\u65f6\u8fd8\u6709\u82e5\u5e72 UID \u5f88\u5927\u4f46\u662f\u79bb\u6563\u7684\u7279\u6b8a\u8d26\u53f7\uff0c\u5f88\u5bb9\u6613\u5206\u8fa8\u3002\u663e\u7136\u65b0 UID \u662f 2000 \u5f00\u59cb\u8fde\u7eed\u7684\u6700\u5927 UID + 1.
GID \u5efa\u8bae\u4e0d\u8981\u6bcf\u4eba\u4e00\u4e2a\uff0c\u6211\u4eec\u5efa\u4e00\u4e2a group\uff0c\u7ed9\u5927\u5bb6\u90fd\u52a0\u8fdb\u6765\uff0c\u8fd9\u6837\u5c31\u53ea\u9700\u8981\u8003\u8651 UID \u7684\u589e\u957f\u4e86\u3002\u76ee\u524d\u8be5 group \u4e3a ldap_users
\uff0cGID \u4e3a 2001\u3002
\u5efa\u8d26\u53f7\u4e4b\u524d\u5148\u6ce8\u610f\u4e00\u4e0b\u5404\u4e2a\u670d\u52a1\u5668\u4e0a\u6709\u6ca1\u6709\u76f8\u540c\u7684\u7528\u6237\u540d\uff0c\u6709\u7684\u8bdd\u628a\u539f\u5bb6\u76ee\u5f55 chown \u5230\u65b0\u7684 UID GID\uff0c\u5220\u9664\u540c\u540d\u7528\u6237\u3002
Groups \u4e2d\u4ee5 ssh \u5f00\u5934\u7684\u7ec4\u63a7\u5236\u5bf9\u5e94\u673a\u5668\u7684 ssh \u6743\u9650\uff0csudo \u5f00\u5934\u540c\u7406\u3002super_maneger \u7ec4\u5305\u542b\u6240\u6709\u673a\u5668\u7684\u6743\u9650\uff0c\u4ee5\u53ca LDAP \u7684 admin \u8eab\u4efd\u3002\u52a0\u5165\u5bf9\u5e94\u7684\u7ec4\u5373\u6388\u4e88\u76f8\u5e94\u6743\u9650\u3002\u5df2\u77e5\u7684 GID
"},{"location":"infrastructure/ldap/#access-control","title":"Access Control","text":"\u8fd9\u91cc\u53ef\u4ee5\u914d\u7f6e GOsa \u7684\u7f16\u8f91\u6743\u9650\uff0c\u73b0\u5728\u8fd9\u91cc\u9762\u53ea\u6709\u4e00\u4e2a\u7ec4\uff0c\u662f\u5b8c\u5168\u6743\u9650\u7684\u3002\u53e6\u5916\uff0c\u6bcf\u4e2a\u9879\u53ef\u4ee5\u8bbe\u7f6e\u4e13\u95e8\u9488\u5bf9\u8fd9\u4e2a\u9879\u7684 ACL\u3002
"},{"location":"infrastructure/ldap/#sudo-rules","title":"Sudo rules","text":"\u8fd9\u91cc\u914d\u7f6e sudo \u6743\u9650\u3002\u8fd9\u91cc\u7684\u8bed\u6cd5\u548c sudoers \u4e00\u6837\uff08\u8bf7\u65e0\u89c6 System trust\uff09\u3002\u7279\u522b\u8981\u8bf4\u7684\u4e00\u70b9\u662f\u901a\u8fc7\u5728 System \u4e2d\u52a0\u5165\u4e3b\u673a\u540d\u53ef\u4ee5\u9488\u5bf9\u6bcf\u4e2a\u4e3b\u673a\u914d\u7f6e\u6743\u9650\uff0c\u8fd9\u91cc\u8981\u586b\u7684\u662f\u4e3b\u673a\u540d\u800c\u4e0d\u662f\u57df\u540d\uff0c\u5177\u4f53\u8303\u4f8b\u8bf7\u770b\u91cc\u9762\u7684 lugsu wikimanager \u7b49\u9879\u3002
\u5176\u5b83\u6211\u6ca1\u63d0\u5230\u7684\u9879\u6211\u4e5f\u6ca1\u641e\u660e\u767d\u600e\u4e48\u7528\u3002\u3002\u3002
gosa \u7684\u914d\u7f6e\u6587\u4ef6\u5728 /etc/gosa/gosa.conf
\uff0c\u5b83\u662f\u5728\u7b2c\u4e00\u6b21\u8fd0\u884c gosa \u65f6\u5019\u81ea\u52a8\u751f\u6210\u7684\uff0c\u4f46\u5728\u4e4b\u540e\u5c31\u53ea\u80fd\u901a\u8fc7\u624b\u52a8\u7f16\u8f91\u6765\u4fee\u6539\u3002\u7531\u4e8e\u914d\u7f6e\u6587\u4ef6\u51e0\u4e4e\u6ca1\u6709\u6587\u6863\uff0c\u5b98\u65b9\u7684 FAQ \u6709\u597d\u591a\u662f\u9519\u7684\uff0c\u6240\u4ee5\u6211\u57fa\u672c\u6ca1\u52a8 :-D
\u3002
\u5982\u679c\u53d1\u73b0\u66f4\u65b0 GOsa \u4e4b\u540e\uff0c/gosa
\u6ca1\u6709\u6b63\u5e38\u5de5\u4f5c\uff08\u6bd4\u5982\u8bf4\u76f4\u63a5\u663e\u793a\u4e86 PHP \u7684\u6e90\u4ee3\u7801\uff09\uff0c\u53ef\u4ee5\u5c1d\u8bd5\u5220\u9664 /var/spool/gosa/
\u4e2d\u7684\u6240\u6709\u6587\u4ef6\uff0c\u8be6\u89c1 Gosa broken in Debian stretch\u3002
Warning
Debian 13 Trixie \u662f\u6700\u540e\u4e00\u4e2a\u652f\u6301 sudo-ldap
\u7684\u7248\u672c\uff0cDebian 14 \u5c06\u5b8c\u5168\u79fb\u9664 sudo-ldap
\uff0c\u9700\u8981\u5c3d\u5feb\u8fc1\u79fb\u81f3 sssd
\u3002
\u6211\u4eec\u5927\u90e8\u5206\u73b0\u6709\u7684\u670d\u52a1\u5668\u4ecd\u5728\u4f7f\u7528 sudo-ldap
\uff0c\u5728\u4e0b\u6b21\u5927\u7248\u672c\u5347\u7ea7\u524d\u9700\u8981\u9010\u6b65\u8fc1\u79fb\u3002\u4ee5\u4e0b\u63d0\u4f9b\u4f7f\u7528 sssd
\u7684\u914d\u7f6e\u65b9\u6cd5\u3002
Ref: https://packages.debian.org/trixie/sudo-ldap
"},{"location":"infrastructure/ldap/#_3","title":"\u8f6f\u4ef6\u5305\u5b89\u88c5","text":"Debian 7 \u4ee5\u4e0a\u7cfb\u7edf\u5b89\u88c5 libnss-ldapd
\u3001libpam-ldapd
\u3001sssd-ldap
\u3001libsss-sudo
Note
\u66f4\u65b0\u8fd9\u4e9b\u8f6f\u4ef6\u5305\u65f6\uff0c\u6ce8\u610f\u4fdd\u7559\u4e00\u4e2a root \u7ec8\u7aef\uff0c\u66f4\u65b0\u540e\u53ef\u80fd\u9700\u8981\u91cd\u542f daemon \u8fdb\u7a0b\u3002
Note
\u5982\u679c\u5df2\u7ecf\u5b89\u88c5\u4e86 sudo-ldap
\uff0c\u8bf7\u5728\u5168\u90e8\u914d\u7f6e\u5b8c\u6210\u4e4b\u540e\u8fd0\u884c apt install sudo
\uff0c\u8fc1\u79fb\u56de\u539f sudo
\u3002
\u5728\u5b89\u88c5\u8fc7\u7a0b\u4e2d\u4f1a\u88ab\u95ee\u4e00\u4e9b\u95ee\u9898\uff08\u4e0d\u540c\u7248\u672c\u7684 Debian \u7684\u95ee\u9898\u53ef\u80fd\u4e0d\u540c\uff09\uff1a
ldaps://ldap.lug.ustc.edu.cn
dc=lug,dc=ustc,dc=edu,dc=cn
\u7f16\u8f91\u5185\u5bb9\u5982\u4e0b\uff1a
/etc/ldap/ldap.confBASE dc=lug,dc=ustc,dc=edu,dc=cn\nURI ldaps://ldap.lug.ustc.edu.cn\nSSL yes\nTLS_CACERT /etc/ldap/slapd-ca-cert.pem\nTLS_REQCERT demand\nSUDOERS_BASE ou=sudoers,dc=lug,dc=ustc,dc=edu,dc=cn\n
\u4e3a\u4e86\u5b89\u5168\u6027\u8003\u8651\uff0c\u8981\u4ee5 ldaps \u7684\u65b9\u5f0f\u8fde\u63a5 ldap \u670d\u52a1\u5668\uff0c\u540c\u65f6\u5e94\u914d\u7f6e\u597d\u8bc1\u4e66 (/etc/ldap/slapd-ca-cert.pem
, 从其它服务器通过 scp 等可信渠道复制一个，并核对证书指纹；TLS_REQCERT demand 只有在这个 CA 证书本身可信时才有意义)
\u6ce8\u610f\u68c0\u67e5\u4e00\u4e0b\u6b64\u914d\u7f6e\u6587\u4ef6\u662f\u5426\u4e0e /etc/ldap/ldap.conf
\u4e0b\u7684\u5185\u5bb9\u76f8\u4e00\u81f4\uff0c\u5982
uid nslcd\ngid nslcd\nuri ldaps://ldap.lug.ustc.edu.cn\nbase dc=lug,dc=ustc,dc=edu,dc=cn\nssl on\ntls_reqcert demand\ntls_cacertfile /etc/ldap/slapd-ca-cert.pem\n
"},{"location":"infrastructure/ldap/#etcnsswitchconf","title":"/etc/nsswitch.conf","text":"\u5b89\u88c5\u8f6f\u4ef6\u5305\u65f6\uff0c\u5b89\u88c5\u811a\u672c\u5df2\u7ecf\u5904\u7406\u8fc7\u8be5\u6587\u4ef6\u3002\u68c0\u67e5\u4e00\u4e0b\u5185\u5bb9\uff0c\u5927\u81f4\u4e3a\uff1a
passwd: compat ldap\ngroup: compat ldap\nshadow: compat ldap\n......\nsudoers: files ldap\n
\u6ce8\u610f\u6bcf\u4e00\u9879\u540e\u9762\u7684 ldap
，如果没有要手动加上。每一行列出的是该数据库（passwd、group、shadow 等）依次查询的来源，compat/files 在前表示先查本地文件、再查 LDAP；给上面列出的每一项都加上 ldap 是没有问题的。
\u5bf9\u4e8e\u4f7f\u7528 sssd \u7684\u914d\u7f6e\uff0c\u6ce8\u610f sudoers
\u4e00\u884c\u9700\u8981\u6709 sss
\uff0c\u7c7b\u4f3c\u4e8e\u4e0b\u9762\u8fd9\u6837\uff1a
sudoers: files sss\n
\u800c\u5982\u679c\u4f7f\u7528\u4f20\u7edf\u7684 sudo-ldap
\uff0c\u90a3\u4e48 sudoers
\u4e00\u884c\u5e94\u8be5\u7c7b\u4f3c\u4e8e\u8fd9\u6837\uff1a
sudoers: ldap [SUCCESS=return] files\n
\u91cd\u542f\u4e00\u4e0b nscd
\u548c nslcd
\u670d\u52a1\uff0c\u6b64\u65f6\u8fd0\u884c getent passwd
\uff0c\u5e94\u8be5\u53ef\u4ee5\u770b\u5230\u6bd4 /etc/passwd
\u66f4\u591a\u7684\u5185\u5bb9\uff0c\u8fd9\u5c31\u8bf4\u660e\u914d\u7f6e\u6b63\u786e\u4e86\u3002
\u5982\u679c PAM \u914d\u7f6e\u9519\u8bef\uff0c\u53ef\u80fd\u5bfc\u81f4\u7528\u6237\u65e0\u6cd5\u4f7f\u7528 SSH \u767b\u5f55\uff0c\u751a\u81f3\u8fde sudo \u4e5f\u53ef\u80fd\u6302\u6389\u3002\u6240\u4ee5\u4fee\u6539 PAM \u914d\u7f6e\u65f6\uff1a
\u5bf9\u4e8e Debian 7+\uff0c\u53ea\u9700\u8bbe\u7f6e\u4e00\u5904\u3002\u4e3a\u4e86\u767b\u5f55\u65f6\u81ea\u52a8\u521b\u5efa\u5bb6\u76ee\u5f55\uff0c\u5728 /etc/pam.d/common-session
中添加下面这句（注意 umask=0022 创建出的家目录对其他用户可读，如需私密家目录请改为 umask=0077）：
session required pam_mkhomedir.so skel=/etc/skel umask=0022\n
\u5bf9\u4e8e Debian 5\uff0c\u8bf7\u67e5\u9605\u672c\u6587\u6863\u7684 Git \u8bb0\u5f55\u3002
"},{"location":"infrastructure/ldap/#sssd","title":"SSSD \u914d\u7f6e","text":"\u7531\u4e8e sudo-ldap
\u672a\u6765\u88ab\u5e9f\u5f03\uff0csudo \u7684\u914d\u7f6e\u901a\u8fc7 sssd \u5b9e\u73b0\uff0c\u53c2\u8003 https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/sssd-ldap-sudo.html\u3002
\u5c06 /usr/share/doc/sssd-common/examples/sssd-example.conf
\u590d\u5236\u5230 /etc/sssd/sssd.conf
\u5e76\u4fee\u6539\u6743\u9650\u4e3a 600\u3002
[taoky@gateway-nic ~]$ sudo diff /usr/share/doc/sssd-common/examples/sssd-example.conf /etc/sssd/sssd.conf\n3c3\n< services = nss, pam\n---\n> services = nss, pam, sudo\n8c8,10\n< ; domains = LDAP\n---\n> domains = LDAP\n>\n> [sudo]\n15,17c17,19\n< ; [domain/LDAP]\n< ; id_provider = ldap\n< ; auth_provider = ldap\n---\n> [domain/LDAP]\n> id_provider = ldap\n> auth_provider = ldap\n22,24c24,26\n< ; ldap_schema = rfc2307\n< ; ldap_uri = ldap://ldap.mydomain.org\n< ; ldap_search_base = dc=mydomain,dc=org\n---\n> ldap_schema = rfc2307\n> ldap_uri = ldaps://ldap.lug.ustc.edu.cn\n> ldap_search_base = dc=lug,dc=ustc,dc=edu,dc=cn\n30c32\n< ; cache_credentials = true\n---\n> cache_credentials = true\n
\u5751
\u9700\u8981\u52a0\u4e0a [sudo]
\uff0c\u5426\u5219 sudo \u914d\u7f6e\u4e0d\u4f1a\u751f\u6548\uff0c\u8fd9\u4e2a\u914d\u7f6e\u95ee\u9898\u5bfc\u81f4\u4e86\u4fee\u6539\u524d\u5728 gateway-nic \u4e0a\u7528\u6237\u65e0\u6cd5\u4f7f\u7528 sudo\u3002
\u53e6\u5916\u8bb0\u5f97\u50cf\u524d\u9762\u5728 Debian \u4e2d\u5b89\u88c5\u4ecb\u7ecd\u5230\u7684\u90a3\u6837\u4fee\u6539 /etc/nsswitch.conf
\u4ee5\u53ca /etc/nslcd.conf
.
\u5728 SSSD \u672a\u5b89\u88c5\u7684\u60c5\u51b5\u4e0b\uff0cNSCD \u4f1a\u63d0\u4f9b LDAP \u7f13\u5b58\u670d\u52a1\u3002\u5982\u679c\u5728\u4f7f\u7528 NSCD \u7684\u673a\u5668\u4e0a\u9700\u8981\u6e05\u7a7a LDAP \u7f13\u5b58\uff0c\u6267\u884c\u4ee5\u4e0b\u547d\u4ee4\uff1a
nscd -i passwd\nnscd -i group\n
\u5982\u679c SSSD \u5b89\u88c5\uff0csystemctl status sssd
\u4f1a\u663e\u793a SSSD \u4e0e NSCD \u540c\u65f6\u63d0\u4f9b\u4e86\u76f8\u5173\u7f13\u5b58\uff0c\u53ef\u80fd\u5b58\u5728\u51b2\u7a81\u95ee\u9898\uff1a
NSCD socket was detected and seems to be configured to cache some of the databases controlled by SSSD [passwd,group,netgroup,services].\n
\u9700\u8981\u4fee\u6539 /etc/nscd.conf
\uff0c\u5c06\u63d0\u53ca\u7684 passwd
, group
, netgroup
\u548c services
\u7684 enable-cache
\u8bbe\u7f6e\u4e3a no
\u3002
\u8fd9\u91cc\u4ee5 ldappasswd
\u4e3a\u4f8b\uff0c\u5176\u4f59 ldap \u7cfb\u5217\u6307\u4ee4\u4e0e\u5176\u5927\u81f4\u76f8\u540c\uff1a
LDAP \u5229\u7528 dn \u6765\u5b9a\u4f4d\u4e00\u4e2a\u7528\u6237\uff0c\u4ee5\u4e0b\u6307\u4ee4\u53ef\u4ee5\u5217\u51fa\u6240\u6709\u7528\u6237\u53ca\u5176 dn\uff1a
ldapsearch -x -LLL uid=* uid\n
-x
\u6307\u5b9a\u4f7f\u7528 Simple authentication\uff0c\u5373\u4f7f\u7528\u5bc6\u7801\u8ba4\u8bc1\u3002
\u5982\u679c\u8981\u4fee\u6539\u4e00\u4e2a\u7528\u6237\u7684\u5bc6\u7801\uff0c\u4f7f\u7528\uff1a
ldappasswd -x -D '<executor dn>' -W -S '<target user dn>'\n
-D '<executor dn>'
\u6307\u5b9a\u4e86\u6267\u884c\u8005\u7684\u8eab\u4efd\uff0c-W
/-S
\u6307\u5b9a\u4e86\u63a5\u4e0b\u6765\u8be2\u95ee\u6267\u884c\u8005/\u76ee\u6807\u7528\u6237\u7684\u5bc6\u7801/\u65e7\u5bc6\u7801\u3002
\u9700\u8981\u989d\u5916\u6ce8\u610f\u7684\u662f\uff0c\u5728 CLI \u4e2d\u6dfb\u52a0/\u5220\u9664\u7528\u6237\u6216\u66f4\u6539\u7528\u6237\u5bc6\u7801\u65f6\u9700\u8981\u4ee5 LDAP admin \u6267\u884c\uff0c\u5426\u5219\u4f1a\u6709\u62a5\u9519\uff1a
Insufficient access (50) additional info: no write access to parent\n
\u6216\u662f\u5176\u4ed6\u7684\u6743\u9650\u4e0d\u8db3\u7684\u9519\u8bef\u3002
"},{"location":"infrastructure/ldap/#_4","title":"\u90e8\u7f72\u60c5\u51b5","text":"\u76ee\u524d\u6240\u6709\u670d\u52a1\u5668\u5747\u5df2\u90e8\u7f72 LDAP
"},{"location":"infrastructure/ldap/#ldap-known-gids","title":"\u5df2\u77e5\u7684 GID","text":"GID \u4fe1\u606f\u5df2\u8fc7\u65f6\uff0c\u4ee5 LDAP \u5b9e\u9645\u914d\u7f6e\u4e3a\u51c6\u3002
GID \u540d\u79f0 \u8bf4\u660e 2001 ldap_users \u6240\u6709\u7528\u6237\u90fd\u5728\u8fd9\u4e2a\u7ec4\u91cc 1001 ssh_docker2 - 2013 ssh_bbs - 2014 ssh_linode - 2101 ssh_ldap - 2102 ssh_blog - 2103 ssh_dns - 2104 ssh_gitlab - 2105 ssh_lug - 2106 ssh_vpn - 2107 ssh_mirrors - 2108 ssh_pxe - 2109 ssh_freeshell - 2110 ssh_backup - 2112 ssh_vmnfs - 2113 ssh_homepage - 2201 sudo_ldap - 2202 sudo_blog - 2203 sudo_dns - 2204 sudo_gitlab - 2205 sudo_lug - 2206 sudo_vpn - 2207 sudo_mirrors - 2208 sudo_pxe - 2209 sudo_freeshell - 2210 sudo_backup - 2212 sudo_vmnfs - 2213 sudo_homepage - 2000 super_manager - 2999 nologin \u4e0d\u786e\u5b9a\u8fd9\u4e2a\u7ec4\u6709\u6ca1\u6709\u7528\u6ce8\u610f\u4e8b\u9879
LDAP \u914d\u7f6e\u5b8c\u6210\u540e\uff0c\u52a1\u5fc5\u786e\u8ba4 sshd_config \u5df2\u7ecf\u9650\u5236\u4e86\u516c\u7f51\u767b\u5f55\u3002
\u672c\u6587\u6863\u539f\u59cb\u7248\u672c\u590d\u5236\u81ea LUG wiki\uff0c\u7531\u5f20\u5149\u5b87\u3001\u5d14\u704f\u3001\u6731\u665f\u83c1\u3001\u5de6\u683c\u975e\u64b0\u5199\u3002
"},{"location":"infrastructure/mail/","title":"Mail Agent","text":"\u53ef\u4ee5\u914d\u7f6e\u673a\u5668\u901a\u8fc7 mail.ustclug.org \u53d1\u4ef6\uff0c\u5b9e\u73b0\u8b66\u62a5\u7684\u90ae\u4ef6\u63d0\u9192\uff08\u6536\u4ef6\u4eba\u8bbe\u7f6e\u4e3a alert AT ustclug DOT org\uff09\u3002\u914d\u7f6e\u65f6\u9700\u8981\u5728 mail.s.ustclug.org \u4e0a\u8bbe\u7f6e postfix \u767d\u540d\u5355\u3002
"},{"location":"infrastructure/mail/#_1","title":"\u5e38\u7528\u547d\u4ee4","text":"\u4ece\u961f\u5217\u4e2d\u5220\u9664\u90ae\u4ef6\uff1asudo postsuper -d <\u90ae\u4ef6 ID>
\uff08\u90ae\u4ef6 ID \u53ef\u4ee5\u65e5\u5fd7\u4e2d\u770b\u5230\uff09
\u66f4\u65b0 virtual
\u8868\u6620\u5c04\uff1asudo postmap /etc/postfix/virtual
\u540e\u91cd\u542f postfix
\u670d\u52a1\u3002
\u7f16\u8f91 /etc/opendkim/TrustedHosts
\uff0c\u6dfb\u52a0\u5185\u90e8\u670d\u52a1\u5bf9\u5e94\u7684 IP\uff08\u6bb5\uff09\u5230\u5176\u4e2d\uff0c\u5e76 reload opendkim
\u5373\u53ef\u3002
\u76d1\u63a7\u7cfb\u7edf\u7531\u4ee5\u4e0b\u51e0\u4e2a\u7ec4\u4ef6\u7ec4\u6210\uff1a
\u7279\u522b\u6ce8\u610f \uff1aInfluxDB \u9ed8\u8ba4\u6ca1\u6709\u5f00\u542f\u8ba4\u8bc1\u3002
\u9996\u6b21\u8fd0\u884c\u65f6\uff0c\u521b\u5efa\u597d\u7ba1\u7406\u8d26\u53f7\uff08admin
\uff09\uff0c\u53ea\u8bfb\u8d26\u53f7\uff08grafana
\uff09\u548c\u5199\u5165\u8d26\u53f7\uff08telegraf
\uff09\u3002
\u7136\u540e\u4fee\u6539\u4f4d\u4e8e /srv/docker/influxdb/conf/influxdb.conf
\u7684\u914d\u7f6e\uff0c\u4fee\u6539\u4ee5\u542f\u7528\u8ba4\u8bc1\uff1a
[http]\n# ...\n# Determines whether HTTP authentication is enabled.\nauth-enabled = true\n
\u6b64\u5916\uff0c\u53c2\u8003 https://docs.influxdata.com/influxdb/v1.8/administration/authentication_and_authorization/#set-up-authentication\uff0c\u8003\u8651\u5173\u95ed\u90e8\u5206\u529f\u80fd\uff1a
/srv/docker/influxdb/conf/influxdb.conf[http]\n# Determines whether the pprof endpoint is enabled. This endpoint is used for\n# troubleshooting and monitoring.\npprof-enabled = false\n
"},{"location":"infrastructure/monitor/#install-telegraf","title":"Install telegraf","text":"\u5b98\u65b9\u6587\u6863\u89c1 https://docs.influxdata.com/telegraf/v1/install/
典型的安装方式是从 APT 源安装（注意：放在 /etc/apt/trusted.gpg.d/ 下的密钥会被所有 APT 源信任；更稳妥的做法是把密钥放到 /etc/apt/keyrings/ 下，并在 sources.list 条目中用 [signed-by=...] 限定只对该源生效）：
wget -O /etc/apt/trusted.gpg.d/influxdb.asc https://repos.influxdata.com/influxdata-archive_compat.key\necho \"deb https://mirrors.ustc.edu.cn/influxdata/debian bullseye stable\" > /etc/apt/sources.list.d/influxdb.list\napt update\napt install --no-install-recommends telegraf\n
\u624b\u52a8\u5b89\u88c5\u65b9\u5f0f\uff08\u4e0d\u63a8\u8350\uff09 wget https://dl.influxdata.com/telegraf/releases/telegraf_1.28.2-1_amd64.deb\nsudo dpkg -i telegraf_1.28.2-1_amd64.deb\n
"},{"location":"infrastructure/monitor/#configure-telegraf","title":"Configure telegraf","text":"\u914d\u7f6e\u6587\u4ef6\u5728 ustclug/telegraf-config \u4ed3\u5e93\u4e2d\u7ba1\u7406\uff0c\u4f7f\u7528\u65b9\u6cd5\u5982\u4e0b\uff1a
/etc/telegraf/telegraf.conf
\uff08\u4f8b\u5982 truncate -s 0
\u6216\u8005 :>
\uff09\u628a\u4ed3\u5e93 clone \u5230 /etc/telegraf/repo
，例如（上传 deploy key 时保持只读、不要勾选写权限；该私钥无口令且存放在 /etc/telegraf/repo/.git/ 下，请确认其文件权限为 0600）：
mkdir /etc/telegraf/repo\ncd /etc/telegraf/repo\ngit init\ngit branch -M master\n\nssh-keygen -f .git/id_ed25519 -t ed25519 -N ''\ncat .git/id_ed25519.pub\n# Upload the output to https://github.com/ustclug/telegraf-config/settings/keys\ngit config core.sshCommand 'ssh -i .git/id_ed25519'\ngit remote add origin git@github.com:ustclug/telegraf-config.git\ngit pull origin master\ngit branch --set-upstream-to=origin/master master\n
\u56de\u5230 /etc/telegraf/telegraf.d
\uff0c\u4ece ../repo/*.conf
\u4e2d\u6309\u9700 symlink \u6587\u4ef6\u8fc7\u6765
\u914d\u7f6e\u5b8c\u6210\u4e4b\u540e\uff0c\u91cd\u542f telegraf \u670d\u52a1\uff0c\u5e76\u786e\u4fdd\u670d\u52a1\u8fd0\u884c\u6b63\u5e38\u3002
sudo systemctl restart telegraf\nsudo systemctl status telegraf\n
Tip
\u5efa\u8bae\u5728\u88ab\u76d1\u63a7\u673a\u5668\u4e0a\u914d\u7f6e NTP\uff08\u53ef\u4ee5\u4f7f\u7528 systemd-timesyncd
\uff0c\u8bbe\u7f6e NTP \u670d\u52a1\u5668\u4e3a time.ustc.edu.cn\uff09\uff0c\u4ee5\u907f\u514d\u65f6\u95f4\u4e0d\u540c\u6b65\u53ef\u80fd\u5e26\u6765\u7684\u95ee\u9898\u3002
Web \u7aef\u76d1\u63a7\u4f4d\u4e8e https://monitor.ustclug.org\uff0c\u8d26\u53f7\u7cfb\u7edf\u4f7f\u7528 LDAP\uff0c\u53ef\u4ee5\u5728\u8fd9\u91cc\u8bbe\u7f6e\u9884\u8b66\u63d0\u793a\u7b49\u3002
Warning
\u914d\u7f6e InfluxDB \u6570\u636e\u6e90\u65f6\uff0c\u53ea\u80fd\u4f7f\u7528\u53ea\u8bfb\u8d26\u53f7\uff0c\u5426\u5219\u4f1a\u5e26\u6765\u4e25\u91cd\u7684\u5b89\u5168\u95ee\u9898\u3002
"},{"location":"infrastructure/monitor/#_2","title":"\u66f4\u65b0\u8bb0\u5f55","text":""},{"location":"infrastructure/monitor/#unified-alerting","title":"\u8fc1\u79fb\u5230 Unified Alerting","text":"Grafana 11 \u8d77\u5c06\u5b8c\u5168\u5220\u9664\u65e7\u7684\u62a5\u8b66\u7cfb\u7edf\uff0c\u5168\u9762\u4f7f\u7528\u65b0\u7684\uff08\u96be\u7528\u7684\uff09Unified Alerting\u3002
\u6211\u4eec\u539f\u5148\u8fd0\u884c\u7684\u662f Grafana 9.3.8\uff0c\u6839\u636e\u66f4\u65b0\u8bb0\u5f55\uff0c\u53d1\u73b0 v10.4 \u63d0\u4f9b\u4e86\u4e00\u4e2a\u8fc1\u79fb\u5de5\u5177\uff0c\u53ef\u4ee5\u5c06\u539f\u5148\u7684\u62a5\u8b66\u8fc1\u79fb\u5230\u65b0\u7684 Unified Alerting \u7cfb\u7edf\uff0c\u56e0\u6b64\u5148\u5c06 Grafana \u66f4\u65b0\u5230 10.4.3\uff0c\u51c6\u5907\u8fc1\u79fb\u3002
\u5728 Alerting (legacy) \u83dc\u5355\u4e0b\u6709\u4e2a Upgrade rules \u754c\u9762\uff0c\u70b9\u8fdb\u53bb\u5c31\u53ef\u4ee5\u4f7f\u7528\u8fc1\u79fb\u5411\u5bfc\u3002\u9996\u5148\u8fc1\u79fb\u6211\u4eec\u552f\u4e00\u7684\u4e00\u4e2a Notification Channel\uff0c\u53d8\u6210\u4e00\u4e2a Contact Point\u3002\u7531\u4e8e \u5783\u573e\u7684\u65b0 alerting \u65b9\u6848\u6ca1\u6709\u63d0\u4f9b\u9ed8\u8ba4\u7684\u6d88\u606f\u6a21\u677f\uff0c\u56e0\u6b64\u6211\u4eec\u9700\u8981\u81ea\u5df1\u5199\u4e00\u4e2a\uff08\u6587\u6863\u4e5f\u6666\u6da9\u96be\u61c2\uff09\u3002
Notification templatetelegram.message
{{ define \"alert_list\" -}}\n{{ range . }}[{{ .Labels.alertname }}] {{ .Annotations.description }}\n{{ if or (gt (len .GeneratorURL) 0) (gt (len .SilenceURL) 0) (gt (len .DashboardURL) 0) (gt (len .PanelURL) 0) }}|{{- end }}\n{{- if gt (len .GeneratorURL) 0 }} <a href=\"{{ .GeneratorURL }}\">Source</a> | {{- end }}\n{{- if gt (len .SilenceURL) 0 }} <a href=\"{{ .SilenceURL }}\">Silence</a> | {{- end }}\n{{- if gt (len .DashboardURL) 0 }} <a href=\"{{ .DashboardURL }}\">Dashboard</a> | {{- end }}\n{{- if gt (len .PanelURL) 0 }} <a href=\"{{ .PanelURL }}\">Panel</a> | {{- end }}\n{{ end }}\n{{ end }}\n\n{{- define \"telegram.message\" }}\n{{- if gt (len .Alerts.Firing) 0 }}<strong>Firing</strong>\n{{ template \"alert_list\" .Alerts.Firing }}\n{{ if gt (len .Alerts.Resolved) 0 }}\n{{ end }}\n{{- end }}\n\n{{- if gt (len .Alerts.Resolved) 0 }}<strong>Resolved</strong>\n{{ template \"alert_list\" .Alerts.Resolved }}\n{{ end }}\n{{- end }}\n
\u7136\u540e\u56de\u5230 Contact point \u7f16\u8f91\uff0c\u5c55\u5f00 Optional Telegram settings\uff0c\u5728 Message \u4e2d\u586b\u5165 {{ template \"telegram.message\" . }}
\u6765\u5f15\u7528\u6211\u4eec\u521a\u521a\u5199\u7684\u6a21\u677f\uff0c\u5e76\u5c06 Parse mode \u8bbe\u4e3a HTML\u3002
\u63a5\u4e0b\u6765\u56de\u5230\u8fc1\u79fb Alerting \u7684\u5730\u65b9\uff0c\u9010\u4e2a\u8fc1\u79fb Alerting\uff1a
avg()
\u548c\u4e00\u4e2a\u6570\u503c\uff09\uff0c\u7136\u540e\u628a\u5b83\u5220\u6389\u5728 Go template \u4e2d\u53ef\u7528\u7684\u5e2e\u52a9\u51fd\u6570\u53c2\u89c1 https://grafana.com/docs/grafana/latest/alerting/alerting-rules/templating-labels-annotations/\u3002
{{ index $labels \"host\" }}: {{ humanize (index $values \"B\").Value }}\n\n{{ index $labels \"host\" }}: {{ humanizePercentage (index $values \"D\").Value }}\n\n{{ index $labels \"host\" }}: {{ humanizeDuration (index $values \"B\").Value }}\n
\u5176\u4e2d index $labels
\u540e\u9762\u7684\u53c2\u6570\u53ef\u4ee5\u662f\u524d\u9762 InfluxDB query \u4e2d GROUP BY \u7684 tag\uff0c\u53ef\u4ee5\u7075\u6d3b\u4f7f\u7528\u3002
\u624b\u5de5\u5904\u7406\u5b8c\u5168\u90e8 18 \u4e2a alert rules \u4e4b\u540e\uff08\u7d2f\u6b7b\u6211\u4e86\uff09\uff0c\u5c31\u53ef\u4ee5\u5f00\u59cb\u6d4b\u8bd5\u4e86\u3002
\u5148\u542f\u7528\u65b0\u7684 unified alerting\uff1a
/srv/docker/grafana/conf/grafana.ini[alerting]\nenabled = false\n\n[unified_alerting]\nenabled = true\n\n[unified_alerting.screenshots]\ncapture = true\n
\u7136\u540e\u627e\u4e2a\u673a\u5668\u91cd\u542f\u4e00\u4e0b\uff0c\u89e6\u53d1 Reboot alert\uff0c\u53bb Telegram \u7fa4\u91cc\u770b\u6d88\u606f\u548c\u56fe\u7247\u90fd\u6b63\u786e\u5192\u51fa\u6765\u4e86\uff0c\u5c31\u8bf4\u660e\u8fc1\u79fb\u6210\u529f\u4e86\u3002
Test alert \u4e0d\u4f1a\u89e6\u53d1\u622a\u56fe\uff0c\u5373\u4f7f\u8bbe\u7f6e\u4e86 Link dashboard and panel \u4e5f\u6ca1\u7528
"},{"location":"infrastructure/office/","title":"Office 365","text":""},{"location":"infrastructure/office/#application","title":"\u7533\u8bf7\u65b9\u5f0f","text":"\u7406\u8bba\u4e0a\u4efb\u4f55\u793e\u56e2\u8d1f\u8d23\u4eba\u6216\u8005\u5728\u793e\u56e2\u4e2d\u8d1f\u8d23\u91cd\u8981\u9879\u76ee\u7684\u4eba\u5458\u90fd\u53ef\u4ee5\u7533\u8bf7\uff0c\u539f\u5219\u662f\u6309\u9700\u5206\u914d\uff0c\u56e0\u4e3a\u90ae\u7bb1\u662f\u5de5\u4f5c\u5de5\u5177\uff0c\u800c\u4e0d\u662f\u798f\u5229\u8d44\u6e90\u3002
\u540c\u7406\uff0c\u4e0d\u518d\u62c5\u4efb\u8d1f\u8d23\u4eba\u4e14\u4e0d\u518d\u5904\u7406\u4e8b\u52a1\u7684\u540c\u5b66\u4f7f\u7528\u7684\u90ae\u7bb1\u5e94\u8be5\u6536\u56de\uff08\u89c1\u4e0b\u65b9 \u9ed8\u8ba4\u5730\u5740 \u4e00\u8282\uff09\u3002
"},{"location":"infrastructure/office/#email-etiquette","title":"\u90ae\u4ef6\u793c\u4eea","text":"CC\uff08\u6284\u9001\uff09\u548c\u8bbe\u7f6e\u56de\u590d\u5730\u5740\u7684\u76ee\u7684\u90fd\u662f\u4e3a\u4e86\u8ba9\u6240\u6709 LUG \u8d1f\u8d23\u7684\u540c\u5b66\u53ef\u4ee5\u770b\u5230\u4e8b\u4ef6\u6700\u65b0\u7684\u8fdb\u5c55
\u6284\u9001\u4f1a\u628a\u4f60\u53d1\u7684\u90ae\u4ef6\u7ed9\u6240\u6709\u7684\u8d1f\u8d23\u4eba\uff1b\u56de\u590d\u5730\u5740\uff08Reply-To\uff09\u8bbe\u7f6e\u4e4b\u540e\uff0c\u5bf9\u65b9\u5c31\u77e5\u9053\u8fd9\u662f\u4f60\u4ee3\u8868 LUG \u5199\u7684\u90ae\u4ef6\uff0c\u5e76\u4e14\u9ed8\u8ba4\u56de\u590d\u90ae\u4ef6\u7684\u65f6\u5019\u5730\u5740\u5c31\u662f\u6240\u6709\u8d1f\u8d23\u4eba\u7684\u90ae\u4ef6\u5217\u8868\u3002\u6240\u4ee5\u4e0b\u6587\u4e2d\u8981\u6c42\u8bbe\u7f6e\u8fd9\u4e9b\u5185\u5bb9\u3002
\u5982\u679c\u9047\u5230\u9700\u8981\u4ee5\u79c1\u4eba\u8eab\u4efd\uff0c\u6216\u8005\u4ee5\u5176\u4ed6\u975e LUG \u4ee3\u8868\u8d1f\u8d23\u4eba\u7684\u8eab\u4efd\u56de\u590d\u90ae\u4ef6\u7684\u573a\u5408\uff0c\u8bf7\u4fee\u6539\u56de\u590d\u5730\u5740\u4fe1\u606f\u3002\u56e0\u4e3a Outlook \u7f51\u9875\u7248\u4e0d\u4fbf\u4e8e\u4fee\u6539\u8fd9\u4e9b\u5185\u5bb9\uff0c\u5efa\u8bae\u4f7f\u7528\u90ae\u4ef6\u5ba2\u6237\u7aef\u5904\u7406\u3002\uff08\u4e2a\u4eba\u63a8\u8350 ThunderBird\uff09\u3002
\u5bf9\u4e8e\u9700\u8981\u5411\u975e\u90ae\u4ef6\u5217\u8868\u7684\u4e0d\u7279\u5b9a\u7fa4\u4f53\u7fa4\u53d1\u7684\u90ae\u4ef6\uff08\u4f8b\u5982\u901a\u77e5\u7c7b\u6d88\u606f\uff09\uff0c\u8bf7\u6ce8\u610f\u4e0d\u8981\u5c06\u6240\u6709\u90ae\u7bb1\u90fd\u653e\u5728\u6536\u4ef6\u4eba\u91cc\uff0c\u5426\u5219\u6240\u6709\u6536\u5230\u90ae\u4ef6\u7684\u4eba\u90fd\u80fd\u770b\u5230\u5176\u4ed6\u6536\u4ef6\u4eba\u7684\u90ae\u7bb1\uff08\u9690\u79c1\u95ee\u9898\uff09\uff1b\u5e76\u4e14\u6536\u4ef6\u4eba\u5982\u679c\u56de\u590d\u90ae\u4ef6\u4e0d\u5f53\uff0c\u5176\u4ed6\u7684\u6536\u4ef6\u4eba\u4e5f\u4f1a\u6536\u5230\u5176\u56de\u590d\u3002\u4e00\u79cd\u65b9\u4fbf\u7684\u505a\u6cd5\u662f\uff1a\u5c06\u6240\u6709\u9700\u8981\u6536\u5230\u901a\u77e5\u7684\u6536\u4ef6\u4eba\u653e\u5728\u5bc6\u9001 (BCC)\u4e00\u680f\u4e2d\uff0c\u6536\u4ef6\u4eba\u586b\u5199\u539f\u6284\u9001\u5730\u5740\u3002
\u6211\u4eec\u52a0\u5165\u4e86\u5f88\u591a\u90ae\u4ef6\u5217\u8868\uff0c\u5176\u4e2d\u7ecf\u5e38\u6709\u5404\u79cd\u5f80\u6765\u90ae\u4ef6\uff08\u7279\u522b\u662f CentOS mirror announcement \u8fd9\u4e2a\u5217\u8868\uff0c\u5df2\u9000\uff09\uff0c\u5b83\u4eec\u5927\u591a\u6570\u4e0d\u9700\u8981\u6211\u4eec\u7406\u4f1a\u3002
\u603b\u4e4b\uff0c\u4e0d\u77e5\u9053\u600e\u4e48\u5904\u7406\u7684\u90ae\u4ef6\u4e0d\u8981\u8d38\u7136\u56de\u590d\u3002\u5982\u679c\u4f60\u8ba4\u4e3a\u67d0\u4e00\u5c01\u90ae\u4ef6\u9700\u8981\u6211\u4eec\u5904\u7406\u4f46\u4e0d\u77e5\u9053\u600e\u4e48\u5904\u7406\uff0c\u8bf7\u8f6c\u544a\u7ed9\u5176\u4ed6\u76f8\u5173\u540c\u5b66\u3002
\u4ee5\u4e0b\u5185\u5bb9\u4ece Hypercube \u7f16\u5199\u7684\u5185\u5bb9\u4e2d\u622a\u53d6\uff1a
\u56de\u590d\u4efb\u4f55\u90ae\u4ef6\u65f6\uff0c\u8bf7\u6284\u9001 / CC\uff08\u4e0d\u662f\u5bc6\u9001 / BCC\uff09\u7ed9\u539f\u90ae\u4ef6\u7684\u6536\u4ef6\u5730\u5740\uff01\uff08\u6bd4\u5982\u522b\u4eba\u53d1\u5230 lug A ustc.edu.cn
\uff0c\u56de\u590d\u65f6\u4e5f\u8bf7 CC \u5230 lug A ustc.edu.cn
\uff09
\u8bf7\u4e0d\u8981\u201c\u53ea\u56de\u590d\u90ae\u4ef6\u201d\u3002\u5982\u679c\u5728\u56de\u590d\u4e2d\u8bf4\u201c\u6211\u4eec\u4f1a\u505a\u67d0\u67d0\u4e8b\u201d\uff0c\u8bf7\u6ce8\u610f\u9664\u975e\u4f60\u660e\u786e\u8f6c\u4ea4\u7ed9\u4e86\u522b\u4eba\uff0c\u8fd9\u4ef6\u4e8b\u5e94\u5f53\u7531\u4f60\u6765\u5b8c\u6210\u3002
"},{"location":"infrastructure/office/#lug-ustc-mailing-list","title":"\u52a0\u5165 LUG @ USTC \u5217\u8868","text":"\u672c\u8282\u9700\u8981\u7531 Microsoft 365 \u7684\u7ba1\u7406\u5458\u64cd\u4f5c
\u90ae\u4ef6\u5217\u8868\u7ba1\u7406\u5728 Microsoft Admin Portal \u7684 Distribution list \u9875\u9762\uff0c\u5176\u4e2d Staff \u7ec4\u548c Mirrors \u7ec4\u7684\u90ae\u4ef6\u5730\u5740\u5206\u522b\u662f lug A ustc.edu.cn
\u548c mirrors A ustc.edu.cn
\u7684\u8f6c\u53d1\u76ee\u6807\u3002
Outlook \u65e0\u6cd5\u76f4\u63a5\u901a\u8fc7\u7f51\u9875\u7aef\u6dfb\u52a0\u53d1\u4ef6\u4eba\u540d\u79f0\u3001\u8bbe\u7f6e\u56de\u590d\u5730\u5740\uff0c\u56e0\u6b64\u53ea\u80fd\u901a\u8fc7\u90ae\u4ef6\u5ba2\u6237\u7aef\u8fdb\u884c\u4f7f\u7528\u3002\u5728\u4e0b\u4e00\u7ae0\u8282\u7684 Thunderbird \u4e2d\u8fdb\u884c\u8be6\u7ec6\u9610\u8ff0\u3002
"},{"location":"infrastructure/office/#thunderbird","title":"Thunderbird \u914d\u7f6e","text":""},{"location":"infrastructure/office/#tb-login","title":"\u767b\u5f55","text":"\u5728\u767b\u5f55\u65f6\uff0c\u8f93\u5165\u4e86\u7528\u6237\u540d\u3001\u5bc6\u7801\u540e\uff0c\u4f1a\u663e\u793a\u65e0\u6cd5\u627e\u5230\u5bf9\u5e94\u7684\u90ae\u7bb1\u914d\u7f6e
\u8fdb\u884c\u5982\u4e0b\u7684\u624b\u52a8\u914d\u7f6e\uff1a
outlook.office365.com
smtp.office365.com
\u5982\u4e0b\u56fe\uff1a
\u7136\u540e\u70b9\u5de6\u4e0b\u89d2\u7684 Re-test\uff0c\u91cd\u65b0\u641c\u7d22\u5230\u914d\u7f6e\u540e\uff0c\u5728\u4e24\u4e2a Authentication method \u4e2d\u5747\u9009\u62e9 OAuth2\u3002
\u7136\u540e\u70b9 Done\u3002\u5728\u5f39\u51fa\u7684\u7a97\u53e3\u4e2d\u5b8c\u6210\u8ba4\u8bc1\u3002
"},{"location":"infrastructure/office/#tb-signature","title":"\u7b7e\u540d\u4e0e\u53d1\u4ef6\u8eab\u4efd","text":"\u5728\u53f3\u4e0a\u89d2\u4e2d\u9009\u62e9\u8d26\u6237\u8bbe\u7f6e\uff0c\u5728\u9ed8\u8ba4\u8eab\u4efd\u4e2d
Zeyu Gao on behalf of USTC LUG
\uff08\u8bf7\u6362\u6210\u81ea\u5df1\u7684\u540d\u5b57\uff09lug@ustc.edu.cn
\u4fee\u6539 Signature text (\u7b7e\u540d\u6587\u5b57) \u4e3a\uff08\u6700\u540e\u4e00\u884c\u6362\u6210\u81ea\u5df1\u7684\u4fe1\u606f\uff09
Linux User Group\nUniversity of Science and Technology of China\nHomepage: https://lug.ustc.edu.cn/\nE-Mail: lug@ustc.edu.cn\nZeyu Gao (\u9ad8\u6cfd\u8c6b) <zeyugao@ustclug.org>\n
\u7ed3\u679c\u5982\u56fe\uff1a
"},{"location":"infrastructure/office/#tb-cc","title":"\u6284\u9001\u8bbe\u7f6e","text":"\u5728\u8d26\u6237\u8bbe\u7f6e\u4e2d\uff0c\u9009\u62e9\u8eab\u4efd\u7ba1\u7406\uff0c\u70b9\u51fb\u7f16\u8f91\uff0c\u9009\u62e9 Copies and Folders, \u542f\u7528 Cc these email addresses, \u5e76\u8f93\u5165\u9ed8\u8ba4\u6284\u9001\u5730\u5740 lug A ustc.edu.cn
\u90ae\u4ef6\u53ef\u4ee5\u4ee5 HTML \u65b9\u5f0f\u7f16\u5199\uff0c\u4e5f\u53ef\u4ee5\u53ea\u662f\u7eaf\u6587\u672c\u5185\u5bb9\u3002\u4e3a\u4e86\u964d\u4f4e\u5bf9\u65b9\u9605\u8bfb\u51fa\u73b0\u9ebb\u70e6\u7684\u53ef\u80fd\u6027\uff0c\u5efa\u8bae\u4f7f\u7528\u7eaf\u6587\u672c\u6d88\u606f\u3002\u4f7f\u7528\u7eaf\u6587\u672c\u6d88\u606f\u7684\u65b9\u6cd5\u662f\uff1a\u6253\u5f00 Thunderbird \u8bbe\u7f6e \uff0c\u6253\u5f00 Account Settings \uff0c\u6253\u5f00\u5bf9\u5e94\u90ae\u4ef6\u5730\u5740\u4e0b\u7684 Composition & Addressing \u9875\u9762\uff0c\u5728 Composition \u8282\u4e0b\u627e\u5230 Compose messages in HTML format \uff0c\u5c06\u5176\u590d\u9009\u6846\u53bb\u9664\u52fe\u9009\u5373\u53ef\u3002
"},{"location":"infrastructure/office/#tb-folders","title":"\u6587\u4ef6\u5939","text":"Thunderbird \u7ef4\u62a4\u4e86\u81ea\u5df1\u7684\u6587\u4ef6\u5939\uff0c\u5982\u679c\u9700\u8981\u4e0e\u4e91\u7aef\u7684\u6587\u4ef6\u5939\u540c\u6b65\uff0c\u53ef\u4ee5\u8fdb\u884c\u5982\u4e0b\u64cd\u4f5c
\u5728\u8d26\u6237\u4e0a\u53f3\u952e\uff0c\u5728\u5f39\u51fa\u7684\u83dc\u5355\u4e2d\u70b9\u51fb Subscribe\u3002\u5f39\u51fa\u7684\u7a97\u53e3\u4e2d\u5305\u542b\u4e86\u4e91\u7aef\u7684\u6587\u4ef6\u5939\uff0c\u7531\u4e8e Thunderbird \u4f1a\u81ea\u884c\u7ef4\u62a4\u5783\u573e\u7bb1\u548c\u5df2\u53d1\u90ae\u4ef6\uff0c\u56e0\u6b64\u53ef\u80fd\u4f1a\u6709\u4e24\u4e2a\u5783\u573e\u7bb1\uff0cDeleted Items \u548c Trash\uff0c\u53ef\u4ee5\u5728\u7f51\u9875\u7aef\u5220\u9664\u4e0d\u9700\u8981\u7684\u6587\u4ef6\u5939\uff0c\u5e76\u5728 Thunderbird \u4e2d\u9009\u62e9\u9700\u8981\u7684\u3002
\u7136\u540e\u6253\u5f00\u8d26\u6237\u8bbe\u7f6e\uff0c\u8fdb\u884c\u5982\u4e0b\u4fee\u6539
\u5728 Server Settings \u4e0b\uff0c\u4fee\u6539 When I delete a message \u4e3a Move it to this folder: Deleted Items
\u5728 Copies & Folders \u4e0b\uff0c\u4fee\u6539 Place a copy\u3001Keep message archives in\u3001Keep draft messages in \u4e3a\u5bf9\u5e94\u7684\u8fdc\u7aef\u670d\u52a1\u5668\u6587\u4ef6\u5939
Outlook \u4e91\u7aef\u5df2\u7ecf\u5e26\u6709\u4e86\u5783\u573e\u90ae\u4ef6\u5206\u7c7b\u529f\u80fd\uff0c\u4e0d\u9700\u8981 Thunderbird \u81ea\u5df1\u7684\u5783\u573e\u90ae\u4ef6\u5206\u7c7b\u529f\u80fd\u3002
\u5728\u8d26\u6237\u8bbe\u7f6e\u7684 Local Folders \u4e0b\u7684 Junk Settings \u4e2d\uff0c\u53d6\u6d88\u9009\u4e2d Enable adaptive junk mail controls for this account\u3002
\u8bf7\u5728\u4e0a\u9762\u7684 Subscribe \u4e2d\u5c06\u5783\u573e\u90ae\u4ef6\u9009\u4e2d\u4ee5\u540c\u6b65\u3002\u6b64\u5916\uff0c\u7531\u4e8e Outlook \u76ee\u524d\u4f1a\u5c06\u51e0\u4e4e\u6240\u6709\u90ae\u4ef6\u90fd\u6254\u8fdb\u5783\u573e\u90ae\u4ef6\u7bb1\uff08\u539f\u56e0\u4f3c\u4e4e\u662f M365 \u7684\u673a\u5668\u5b66\u4e60\u6a21\u578b\u4f1a\u628a\u6240\u6709\u79d1\u5927\u7684\u90ae\u4ef6\u6254\u8fdb\u5783\u573e\u7bb1\uff09\uff0c\u56e0\u6b64\u8bbe\u7f6e\u62c9\u53d6\u90ae\u4ef6\u65f6\u603b\u662f\u68c0\u67e5\u5783\u573e\u90ae\u4ef6\u7bb1\u3002\u8bbe\u7f6e\u65b9\u6cd5\u4e3a\u5728\u5783\u573e\u90ae\u4ef6\u76ee\u5f55\u4e0a\u70b9\u51fb\u53f3\u952e \u2192 \u5c5e\u6027\uff0c\u7136\u540e\u9009\u62e9\u8fd9\u91cc\u7b2c\u4e8c\u4e2a\u52fe\uff1a
\u6ce8\u610f
\u4e0d\u8981\u67e5\u770b\u5783\u573e\u90ae\u4ef6\u7684\u8fdc\u7a0b\u5185\u5bb9\u3002\u4e0d\u8981\u56de\u590d\u5783\u573e\u90ae\u4ef6\u3002\u6b63\u5e38\u90ae\u4ef6\u9700\u8981\u624b\u52a8\u79fb\u52a8\u5230\u6536\u4ef6\u7bb1\u3002
"},{"location":"infrastructure/office/#tb-profiles","title":"\u4f7f\u7528 Thunderbird \u914d\u7f6e\u4e0d\u540c\u7684\u8eab\u4efd","text":"(written by taoky)
\u5728\u67d0\u4e9b\u60c5\u51b5\u4e0b\uff0c\u9700\u8981\u8bbe\u7f6e\u65b0\u7684\u53d1\u4ef6\u4eba\u540d\u79f0\u548c\u56de\u590d\u5730\u5740\uff08\u4f8b\u5982 hackergame staff \u9700\u8981\u4e00\u5957\u4e0d\u540c\u7684\u8bbe\u7f6e\uff09\u3002\u7531\u4e8e Gmail \u7f51\u9875\u7aef\u4fee\u6539\u914d\u7f6e\u5f88\u9ebb\u70e6\uff08\u800c\u4e14\u5f88\u5bb9\u6613\u5fd8\u8bb0\u6539\u56de\u6765\uff09\uff0c\u5f3a\u70c8\u5efa\u8bae\u4f7f\u7528\u90ae\u4ef6\u5ba2\u6237\u7aef\u3002\u4e2a\u4eba\u4f7f\u7528\u7684\u662f Thunderbird\uff0c\u4e0b\u9762\u4e5f\u4ee5\u5b83\u4e3a\u4f8b\u5b50\u3002
\u5728\u8d26\u53f7\u52a0\u4e0a\u90ae\u7bb1\u4e4b\u540e\uff0c\u70b9\u51fb\u53f3\u952e \u2192 \u5c5e\u6027\uff0c\u9ed8\u8ba4\u914d\u7f6e\uff08LUG Staff\uff09\u5982\u56fe\uff1a
\u9700\u8981\u6dfb\u52a0\u65b0\u8eab\u4efd\u65f6\uff0c\u70b9\u51fb\u53f3\u4e0b\u89d2\u300c\u7ba1\u7406\u6807\u8bc6\u300d\uff0c\u6dfb\u52a0\u5bf9\u5e94\u7684\u6807\u8bc6\u3002\u5bf9\u4e8e hackergame\uff0c\u53ef\u4ee5\u914d\u7f6e\u5982\u4e0b\uff1a
\u5e76\u53c2\u8003\u6284\u9001\u8bbe\u7f6e \u914d\u7f6e\u9ed8\u8ba4\u6284\u9001\u5730\u5740 (hackergame A ustclug.org
)
\u914d\u7f6e\u5b8c\u6210\u540e\uff0c\u5728\u7f16\u5199\u90ae\u4ef6\u65f6\uff0c\u5c31\u53ef\u4ee5\u9009\u62e9\u65b0\u7684\u6807\u8bc6\u4e86\uff0c\u5e76\u4e14\u53d1\u4ef6\u4eba\u540d\u79f0\u3001\u56de\u590d\u5730\u5740\u548c\u7b7e\u540d\u90fd\u4f1a\u81ea\u52a8\u8bbe\u7f6e\u597d\u3002
\u4f7f\u7528 Thunderbird \u914d\u7f6e\u5b66\u6821\u90ae\u7bb1\u9700\u8981\u7684\u989d\u5916\u8bbe\u7f6ejames: \"thunderbird\u67d0\u6b21\u5347\u7ea7\u540e\u51fa\u4e86\u4e00\u4e2abug\uff0c\u8fde\u63a5\u65f6\u670d\u52a1\u5668\u8fd4\u56de\u652f\u6301utf8\uff0ctb\u53d1\u4e86\u4e00\u4e2a\u547d\u4ee4enable utf8\uff0c\u670d\u52a1\u5668\u6b63\u5e38\u8fd4\u56de\u540e\uff0ctb\u6709bug\u8ba4\u4e3a\u4e00\u76f4\u5728\u7b49\u670d\u52a1\u5668\u5e94\u7b54\u3002\"
\u6240\u4ee5\u5982\u679c\u9700\u8981\u4f7f\u7528 Thunderbird \u4ece mail.ustc.edu.cn \u6536\u53d1\u90ae\u4ef6\uff0c\u9700\u8981\u505a\u4ee5\u4e0b\u7684\u914d\u7f6e\uff1aEdit -> Settings\uff0c\u5728 \"General\" \u4e2d\u62d6\u5230\u6700\u4e0b\u9762\u9009\u62e9 \"Config Editor...\"\u3002\u5728\u65b0\u5f39\u51fa\u7684\u9ad8\u7ea7\u914d\u7f6e\u7684\u6807\u7b7e\u4e2d\u8f93\u5165 utf8\uff0c\u5c06 mail.server.default.allow_utf8_accept
\u7684\u503c\u4ece true \u6539\u6210 false\u3002\u8fd9\u4e2a\u8bbe\u7f6e\u4e0d\u4f1a\u5f71\u54cd\u5176\u4ed6\u90ae\u7bb1\u7684\u4f7f\u7528\u3002
Warning
\u7531\u4e8e Google \u5c06 G Suite \u5168\u9762\u8f6c\u5411\u4ed8\u8d39\u670d\u52a1\uff0c\u6211\u4eec\u5df2\u5728 2022 \u5e74 3 \u6708 31 \u65e5\u540e\u505c\u6b62\u4f7f\u7528 G Suite \u76f8\u5173\u670d\u52a1\u3002\u8f6c\u5411 Office 365 \u63d0\u4f9b\u7684\u670d\u52a1\u3002\u4ee5\u4e0b\u5185\u5bb9\u4ec5\u4f5c\u4e3a\u5b58\u6863\u4e0e\u53c2\u8003
\u4ee5\u4e0b\u539f\u6587\u7531 Hypercube \u7f16\u5199
\u5927\u5bb6\u597d\uff0c
\u8bf7\u5404\u4f4d\u9605\u8bfb\u4e0b\u65b9\u5185\u5bb9\uff0c\u5e76\u6309\u6307\u793a\u914d\u7f6e\u81ea\u5df1\u7684\u90ae\u7bb1\uff1a
\u767b\u5f55\u7f51\u9875\u7248 Gmail\uff0c\u5728\u53f3\u4e0a\u89d2\u70b9\u5f00\u8bbe\u7f6e\uff0c\u4e8e\u201c\u5e38\u89c4\u201d\u6807\u7b7e\u9875\u4e2d\u8bbe\u7f6e\u201c\u7b7e\u540d\u201d\u4e3a\u7eaf\u6587\u672c\u5982\u4e0b\u5185\u5bb9\uff08\u5171 5 \u884c\uff0c\u5c06\u6700\u540e\u4e00\u884c\u6362\u6210\u81ea\u5df1\u7684\u4fe1\u606f\uff09\uff1a
Linux User Group University of Science and Technology of China Homepage: https://lug.ustc.edu.cn/ E-Mail: lug@ustc.edu.cn Zibo Wang (\u738b\u5b50\u535a) <example@ustclug.org>
\u4e8e\u201c\u8d26\u53f7\u201d\u6807\u7b7e\u9875\u4e2d\u201c\u7528\u8fd9\u4e2a\u5730\u5740\u53d1\u9001\u90ae\u4ef6\u201d\u5185\u70b9\u201c\u4fee\u6539\u4fe1\u606f\u201d\uff0c\u5728\u5f39\u51fa\u7a97\u53e3\u4e2d\u8f93\u5165\u540d\u79f0\u201cZibo Wang on behalf of USTC LUG\u201d\uff08\u8bf7\u6362\u6210\u81ea\u5df1\u7684\u540d\u5b57\uff09\uff0c\u8f93\u5165\u56de\u590d\u5730\u5740\u201clug@ustc.edu.cn
\u201d\u3002
\u8fd8\u53ef\u4ee5\u89c6\u81ea\u5df1\u9700\u8981\u5728\u201c\u8f6c\u53d1\u548c POP / IMAP\u201d\u6807\u7b7e\u9875\u4e2d\u914d\u7f6e\u81ea\u52a8\u8f6c\u53d1\uff0c\u4f46\u8bf7\u6ce8\u610f\uff0c\u5982\u679c\u4f60\u914d\u7f6e\u4e86\u8f6c\u53d1\u5230\u81ea\u5df1\u7684\u5e38\u7528\u90ae\u7bb1\uff0c\u8bf7\u4e0d\u8981\u76f4\u63a5\u4ece\u5e38\u7528\u90ae\u7bb1\u56de\u590d\u90ae\u4ef6\uff0c\u800c\u5e94\u8be5\u767b\u5f55 LUG \u90ae\u7bb1\u56de\u590d\u3002 \u56de\u590d\u4efb\u4f55\u90ae\u4ef6\u65f6\uff0c\u8bf7\u6284\u9001 / CC\uff08\u4e0d\u662f\u5bc6\u9001 / BCC\uff09\u7ed9\u539f\u90ae\u4ef6\u7684\u6536\u4ef6\u5730\u5740\uff01\uff08\u6bd4\u5982\u522b\u4eba\u53d1\u5230 lug A ustc.edu.cn \uff0c\u56de\u590d\u65f6\u4e5f\u8bf7 CC \u5230 lug A ustc.edu.cn\uff09
\u8bf7\u4e0d\u8981\u201c\u53ea\u56de\u590d\u90ae\u4ef6\u201d\u3002\u5982\u679c\u5728\u56de\u590d\u4e2d\u8bf4\u201c\u6211\u4eec\u4f1a\u505a\u67d0\u67d0\u4e8b\u201d\uff0c\u8bf7\u6ce8\u610f\u9664\u975e\u4f60\u660e\u786e\u8f6c\u4ea4\u7ed9\u4e86\u522b\u4eba\uff0c\u8fd9\u4ef6\u4e8b\u5e94\u5f53\u7531\u4f60\u6765\u5b8c\u6210\u3002
\u5728\u6dfb\u52a0\u4e86\u7b7e\u540d\u540e\uff0c\u5728\u4e0b\u9762\u7684\u201c\u9ed8\u8ba4\u7b7e\u540d\u8bbe\u7f6e\u201d\u4e2d\uff0c\u5c06\u201c\u7528\u4e8e\u65b0\u7535\u5b50\u90ae\u4ef6\u201d\u4ee5\u53ca\u201c\u7528\u4e8e\u56de\u590d/\u8f6c\u53d1\u201d\u5747\u9009\u62e9\u4e3a\u4e0a\u9762\u6dfb\u52a0\u7684\u7b7e\u540d\u3002
\u8bb0\u5f97\u6eda\u52a8\u5230\u9875\u9762\u6700\u4e0b\u65b9\u70b9\u51fb\u201c\u4fdd\u5b58\u9875\u9762\u201d\uff01
"},{"location":"infrastructure/office/#default-route","title":"\u8bbe\u7f6e\u9ed8\u8ba4\u5730\u5740","text":"\u672c\u8282\u5199\u7684\u662f G Suite \u7528\u6cd5\uff0c\u9700\u8981\u66f4\u65b0\u6210 Office 365
G Suite \u652f\u6301\u5c06\u5355\u4e2a\u5730\u5740\u8bbe\u4e3a\u201c\u9ed8\u8ba4\u5730\u5740\u201d\uff0c\u7528\u4e8e\u63a5\u53d7\u53d1\u5f80\u4e0d\u5b58\u5728\u7684\u5730\u5740\u7684\u90ae\u4ef6\u3002
\u53c2\u8003\u8d44\u6599\uff1ahttps://support.google.com/a/answer/2368153
\u5bf9\u4e8e\u4e2d\u6587\u754c\u9762\uff0c\u5e94\u8be5\u4ece Google Admin \u63a7\u5236\u53f0\u6309\u987a\u5e8f\u9009\u62e9 \u5e94\u7528 \u2192 G Suite \u2192 Gmail \u2192 \u9ad8\u7ea7\u8bbe\u7f6e\uff0c\u5176\u4e2d\u7684 \u65e0\u9650\u522b\u540d\u5730\u5740 \u5c31\u662f\u8fd9\u4e2a\u9009\u9879\uff0c\u4e00\u822c\u53d1\u7ed9\u4f1a\u957f\u6216 CTO\u3002
"},{"location":"infrastructure/raid/","title":"RAID","text":""},{"location":"infrastructure/raid/#megaraid","title":"MegaRAID \u5e38\u7528\u547d\u4ee4","text":"MegaRAID \u6e90\u91cc\u6ca1\u6709\uff0c\u9700\u8981\u4ece\u5b98\u7f51\u4e0b\u8f7d RPM \u5305\u540e\u624b\u52a8\u89e3\u538b\u3002Debian 10 \u5b89\u88c5 libncurses5 \u540e\u53ef\u4f7f\u7528\u3002
sudo /opt/MegaRAID/MegaCli/MegaCli64 -adpallinfo -aAll # \u67e5\u770b\u6240\u6709\u4fe1\u606f\nsudo /opt/MegaRAID/MegaCli/MegaCli64 -pdlist -aall # \u67e5\u770b\u7269\u7406\u76d8\u4fe1\u606f\n
"},{"location":"infrastructure/raid/#_1","title":"\u76d1\u63a7","text":"\u73b0\u5728\u90e8\u7f72\u7684\u65b9\u6848\u662f\u7531 telegraf \u6267\u884c\u89e3\u6790\u811a\u672c\uff0c\u5c06\u6570\u636e\u53d1\u9001\u5230 influxdb\uff0c\u7531 grafana \u62a5\u8b66\u3002
\u811a\u672c\uff1a
https://docs.broadcom.com/docs-and-downloads/raid-controllers/raid-controllers-common-files/8-07-07_MegaCLI.zip
ESXi 5 \u7684 binary \u548c ESXi 6.0 \u517c\u5bb9\u3002
esxcli software vib install -v=/tmp/vmware-esx-MegaCli-8.07.07.vib --no-sig-check\n
\u7136\u540e\u8fdb\u5165 /opt/lsi/MegaCLI
\u76ee\u5f55\u6267\u884c MegaCli
.
pve-6 \u7684 RAID \u65b9\u6848\u662f HPE Smart Array\u3002\u5bf9\u5e94\u4f7f\u7528\u65b9\u6cd5\u53ef\u4ee5\u53c2\u8003 https://gist.github.com/mrpeardotnet/a9ce41da99936c0175600f484fa20d03\u3002
\u5bf9\u5e94\u4e3b\u673a\u9700\u8981\u5b89\u88c5 https://downloads.linux.hpe.com/SDR/repo/mcp/Debian/pool/non-free/ssacli-5.30-6.0_amd64.deb\uff08HPE \u6e90\u5b9e\u5728\u592a\u6162\u4e86\uff09\u3002
"},{"location":"infrastructure/sshca/","title":"SSH Certificate Authentication","text":"Discussion: SSH \u5347\u7ea7\u5230\u8bc1\u4e66\u767b\u9646\u65b9\u6848\u8ba8\u8bba
Usage: SSH \u8bc1\u4e66\u8ba4\u8bc1\u7684\u4f7f\u7528\u65b9\u6cd5 (See also: iBug's blog)
"},{"location":"infrastructure/sshca/#introduction","title":"Introduction","text":"An SSH Certificate Authority (CA) is a trusted key pair that issues certificates. It has the same format as a regular SSH private-public key pair (it is, in fact).
Certificates can be used for authentication on both the server side and the client side. But certificates cannot issue new certificates (i.e. no chains), it is the very difference from X.509 certificate system.
"},{"location":"infrastructure/sshca/#server-setup","title":"Server setup","text":""},{"location":"infrastructure/sshca/#trustedusercakeys","title":"Configure server to accept client certificates","text":"First drop our public key to /etc/ssh/ssh_user_ca
:
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1Bxw9AXoZvc9HTe5o4f7/qOROcmzvlcO5oofoF3pewtRnhNpcd/DwmxSblqpj/cjLYkE32mSCzMYY8X0CRFyMJsgSIDC4i4LXDNU0e8PbB2NIQAAeyfJEU5m/Dn1tPw9WvPtPqHCRvgSwnRfzYngMVWROgV2Qe6pOqTTgetEYfb5gkDc2i1M7yfTp3H3ExfrDKwOKPc/9UYOADMFU6u1fJN+4epLETilHC1ubtBeVi23pn1K+LDy06Gwhq1MLljCM7gFBMrmv894HrOHU4WrzLUlfkiDt2cyXLb4qPWYqilBFLUjU92kjmiI/EwB/8pR1WmdU7FoYpdgBHNr3NT53 LUG-CA\n
Then add the following line to sshd config (Debian 11+):
/etc/ssh/sshd_config.d/ustclug.confTrustedUserCAKeys /etc/ssh/ssh_user_ca\n
Old version config (<= Debian 10)
On Debian 10 (buster) or older, sshd_config
does not support the Include
directive. Thus any extra setting must be added in the main sshd_config
file directly.
Warning
When signing certificates using OpenSSH <= 8.1, add -t rsa-sha2-512
to the ssh-keygen
command. More details can be found here: https://ibug.io/p/35
Note
Some of our servers may still be running Debian Jessie, which has OpenSSH 6.7 that does not support SHA-2 certificate algorithms (OpenSSH 7.2 required). Sign with -t ssh-rsa
instead if you want to log in to such servers.
January 2022 update: We believe we have got rid of all Jessie systems, so this should no longer be the case.
Copy the file /etc/ssh/ssh_host_rsa_key.pub
from target server.
Then, run ssh-keygen
to issue a public key. For example:
ssh-keygen -s /path/to/ssh_ca \\\n -I blog \\\n -h \\\n -n blog.s.ustclug.org,blog.p.ustclug.org,10.254.0.15,202.141.176.98,202.141.160.98 \\\n ssh_host_rsa_key.pub\n
Then, copy the certificate file ssh_host_rsa_key-cert.pub
back to target server.
At last, add the following lines to sshd config:
/etc/ssh/sshd_config.d/ustclug.confHostKey /etc/ssh/ssh_host_rsa_key\nHostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub\n
Warning
See the same warning block above.
Certificate will take effect after SSH daemon is reloaded (systemctl reload ssh
).
Add the following line to your known_hosts
:
@cert-authority * ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1Bxw9AXoZvc9HTe5o4f7/qOROcmzvlcO5oofoF3pewtRnhNpcd/DwmxSblqpj/cjLYkE32mSCzMYY8X0CRFyMJsgSIDC4i4LXDNU0e8PbB2NIQAAeyfJEU5m/Dn1tPw9WvPtPqHCRvgSwnRfzYngMVWROgV2Qe6pOqTTgetEYfb5gkDc2i1M7yfTp3H3ExfrDKwOKPc/9UYOADMFU6u1fJN+4epLETilHC1ubtBeVi23pn1K+LDy06Gwhq1MLljCM7gFBMrmv894HrOHU4WrzLUlfkiDt2cyXLb4qPWYqilBFLUjU92kjmiI/EwB/8pR1WmdU7FoYpdgBHNr3NT53 LUG-CA\n
And when you log in to a LUG server, it is automatically trusted. If you find a machine that does not support this setup, report it to CTO.
"},{"location":"infrastructure/sshca/#issue-a-client-certificate","title":"Issue a client certificate","text":"ssh-keygen -s /path/to/ssh_ca \\\n -I certificate_identity \\\n -n principals \\\n [-O options] \\\n [-V validity_interval] \\\n public_key_file\n
For example:
ssh-keygen -s /path/to/ssh_ca -I \"Yifan Gao\" -n yifan -V -5m:+365d yifan.pub\n
In general, certificate_identity is the user's full name, and principals is the system username. The certificate identity is used to identify certificates and is logged in system logs. In addition, one certificate can carry multiply principals, like:
ssh-keygen -s /path/to/ssh_ca -I \"Yifan Gao\" -n yifan,root,liims -V -5m:+365d yifan.pub\n
It authorizes the certificate owner to login to any server as yifan
, root
or liims
user.
Note
The liims
principal is used to log into library inquiry machines.
Tip
The validity interval by default starts at the current system time. Using -5m:+365d
creates a certificate valid from 5 minutes ago to make up for offset times on other systems. Otherwise it's not much useful to have a validity period starting from a long time ago.
For security purposes, avoid creating certificates without a defined validity period. It's also recommended to keep validity periods as short as necessary.
"},{"location":"infrastructure/ssl/","title":"SSL Certificates","text":"Discussion: #224
Our SSL certificates are automatically renewed on GitHub ustclug/ssl-cert ( Private).
We delegate the subdomain ssl-digitalocean.ustclug.org
to DigitalOcean DNS hosting, and use acme.sh DNS alias mode to issue certificates. For this to work, we have the following CNAME records in place:
_acme-challenge.lug.ustc.edu.cn -> lug.ssl-digitalocean.ustclug.org\n_acme-challenge.ustclug.org -> lug.ssl-digitalocean.ustclug.org\n_acme-challenge.proxy.ustclug.org -> lug.ssl-digitalocean.ustclug.org\n\n_acme-challenge.vpn.lug.ustc.edu.cn -> lugvpn.ssl-digitalocean.ustclug.org\n_acme-challenge.vpn.ustclug.org -> lugvpn.ssl-digitalocean.ustclug.org\n\n_acme-challenge.mirrors.ustc.edu.cn -> mirrors.ssl-digitalocean.ustclug.org\n
Individual machines that use SSL certificates should pull from the said repository (branch cert
). Certificates may be loaded via symbolic links (for processes running on the host system directly), or copied around from within the updater script (when there are path constraints, e.g. in a Docker container). The update task is managed by cron.
Update script for reference:
/etc/ssl/private/.git/update.sh#!/bin/sh\n\ncd \"/etc/ssl/private\"\n\ngit fetch -q\nif [ \"$(git rev-parse HEAD)\" = \"$(git rev-parse '@{u}')\" ]; then\n exit 0\nfi\ngit reset --hard '@{u}'\n\n# Display certificate dates. This section is optional\nif command -v openssl >/dev/null 2>&1; then\n echo \"Cert has been updated. New expiry:\"\n for f in */cert.pem; do\n echo \"$f:\"\n openssl x509 -in \"$f\" -noout -dates\n done\nelse\n echo \"Cert has been updated.\"\nfi\n\nsystemctl reload openresty.service\n# Other `cp -a` or `docker restart` commands, etc.\n
The DigitalOcean account we use is owned by iBug and has nothing else running.
Plan B
Hurricane Electric provides hosted DNS zones for free, which is also supported by acme.sh
. This makes HE DNS a feasible alternative should our current dependency (DigitalOcean) fails.
PXE manages its own certificates with acme.sh
and validates via HTTP-01 challenge. The certificates are stored in /etc/acme.sh/pxe.ustc.edu.cn/
.
Tinc VPN \u662f LUG \u5185\u7f51\u7684\u4e3b\u8981\u6784\u6210\u8f6f\u4ef6\uff0cLDAP \u9700\u8981\u7528\u5230\u5b83\uff08\u56e0\u4e3a ldap \u670d\u52a1\u5668\u662f\u4e2a\u5185\u7f51\u670d\u52a1\u5668\uff09
"},{"location":"infrastructure/tinc/#_1","title":"\u5b89\u88c5","text":"Debian 9+ \u53ef\u4ee5\u76f4\u63a5\u4ece apt \u6e90\u5b89\u88c5 tinc
\u5305\u3002
\u4e0d\u65e9\u8bf4\u8fd9\u73a9\u610f\u6709\u4e2a Git \u4ed3\u5e93\uff1f\uff1fhttps://git.lug.ustc.edu.cn/ustclug/tinc-configure
\u65e2\u7136\u6709\u4ed3\u5e93\u6240\u4ee5\u8981\u505a\u7684\u4e8b\u60c5\u6bd4\u8f83\u7b80\u5355\uff0c\u8fdb\u5165 /etc/tinc
\u76ee\u5f55\u51c6\u5907\u548c Git \u4ed3\u5e93\u540c\u6b65\u914d\u7f6e\uff1a
git init\ngit remote add origin https://git.lug.ustc.edu.cn/ustclug/tinc-configure.git\ngit fetch origin master\ngit reset --hard FETCH_HEAD\n
\u6ce8\u610f git reset
\u4f1a\u8986\u76d6\u90e8\u5206\u6587\u4ef6\uff0c\u5efa\u8bae\u5728\u5168\u65b0\u5b89\u88c5 tinc
\u4e4b\u540e\u8fdb\u884c\u540c\u6b65\u914d\u7f6e\u3002
\u914d\u7f6e\u5b8c\u6210\u540e\u6267\u884c systemctl enable tinc@ustclug.service
\u4f7f tinc \u80fd\u591f\u5f00\u673a\u542f\u52a8\u3002
\u9996\u5148\u9700\u8981\u5728\u65b0\u4e3b\u673a\u4e0a\u751f\u6210\u5bc6\u94a5\uff1a
tincd -n ustclug -K\n
\u7136\u540e\u5728 /etc/tinc/ustclug/hosts/$HOST
\u6700\u540e\u8865\u4e0a\u4e00\u884c\uff1a
Address = [\u8fd9\u53f0\u673a\u5668\u7684\u516c\u7f51IP]\n
\u628a\u65b0\u589e\u7684\u8fd9\u4e2a\u6587\u4ef6\u63d0\u4ea4\u8fdb Git \u4ed3\u5e93\uff0c\u5e76\u5728 {ldap,board,gateway-el,gateway-nic}.s.ustclug.org
\u7b49\u591a\u53f0\u673a\u5668\u4e0a\u901a\u8fc7 git pull
\u66f4\u65b0\uff0c\u5e76 systemctl reload tinc@ustclug.service
\u3002
\u6d4b\u8bd5\u7684\u65f6\u5019\uff0c\u4f60\u53ef\u4ee5\u76f4\u63a5\u901a\u8fc7 ifconfig
\u7b49\u65b9\u5f0f\u6307\u5b9a\u4e00\u4e2a\u4e34\u65f6\u7684 IP\uff0c\u6ce8\u610f\u4e0d\u8981\u4e0e\u5df2\u6709\u7684\u5185\u7f51 IP \u51b2\u7a81\uff1a
ifconfig 10.254.0.xxx/21 ustclug\n
\u8fd9\u65f6\u5019\u5e94\u8be5\u80fd\u4ece\u5176\u4ed6\u673a\u5668 ping \u901a\u8fd9\u4e2a IP\u3002
\u6307\u5b9a\u9759\u6001\u5185\u7f51 IP \u7684\u6b63\u786e\u65b9\u6cd5\u662f\u5728 DNS \u4e2d\u6dfb\u52a0\u4e00\u6761\u8fd9\u6837\u7684\u8bb0\u5f55\uff1a
$ORIGIN s.ustclug.org\n<HOST> 600 IN A <Intranet IP>\n
\u7136\u540e\u5728\u673a\u5668\u4e0a\u91cd\u542f systemctl restart tinc@ustclug.service
\u5c31\u80fd\u81ea\u52a8\u83b7\u53d6\u4e86\u3002
Tip
\u5bf9\u4e8e Debian 11+ \u7684\u7cfb\u7edf\uff0c\u5efa\u8bae\u4fdd\u6301 sshd_config
\u4e0d\u52a8\uff0c\u5c06\u81ea\u5b9a\u4e49\u7684\u914d\u7f6e\u5199\u5165 sshd_config.d/ustclug.conf
\uff0c\u4ee5\u51cf\u5c11\u66f4\u65b0 ssh \u8f6f\u4ef6\u5305\u65f6\u7684\u914d\u7f6e\u6587\u4ef6\u51b2\u7a81\u3002\u6ce8\u610f\u5982\u679c\u8fd9\u4e48\u505a\u7684\u8bdd\u9700\u8981\u628a\u914d\u7f6e\u6587\u4ef6\u91cc\u7684 Subsystem sftp
\u5220\u6389\uff0c\u5426\u5219 sshd \u4f1a\u62a5\u9519\u201c\u91cd\u590d\u6307\u5b9a\u4e86 Subsystem sshd\u201d\u3002
\u4ee5\u4e0b\u914d\u7f6e\u4f9b\u53c2\u8003\uff0c\u590d\u5236\u65f6\u6ce8\u610f\u4fee\u6539 Match LocalAddress
\u540e\u9762\u7684\u5185\u5bb9\uff08\u5185\u7f51\u5730\u5740\u548c AllowGroups \u6700\u540e\u7684\u540d\u79f0\uff09\uff1a
AddressFamily inet\nUseDNS no\n\nHostKey /etc/ssh/ssh_host_rsa_key\nHostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub\nTrustedUserCAKeys /etc/ssh/ssh_user_ca\nRevokedKeys /etc/ssh/ssh_revoked_keys\n\nPasswordAuthentication no\nPubkeyAuthentication no\nChallengeResponseAuthentication no\nUsePAM yes # LDAP for Debian\n\nAcceptEnv LANG LC_*\nX11Forwarding yes\nPrintLastLog no\nPrintMotd no\nSubsystem sftp /usr/lib/openssh/sftp-server\n\nMatch LocalAddress 10.254.0.0\n AllowGroups ssh_local super_manager ssh_groupname\n PasswordAuthentication yes\n PubkeyAuthentication yes\n\n# Public IP access = root-only\nMatch LocalAddress 202.38.95.110,202.141.160.110,202.141.176.110,218.104.71.170\n AllowUsers root\n PubkeyAuthentication yes\n AuthorizedKeysFile none # \u5c4f\u853d\u516c\u94a5\uff0c\u4ec5\u5141\u8bb8\u8bc1\u4e66\u767b\u5f55\n\n# For SSH Push trigger\nMatch User mirror\n AllowUsers mirror\n AuthenticationMethods publickey\n PermitTTY no\n PermitTunnel no\n X11Forwarding no\n\nMatch All #(1)\n
Match All
\u6765\u7ed3\u675f\u4e0a\u9762\u7684 Match \u5757\u3002\u7531\u4e8e Include
\u6307\u4ee4\u51fa\u73b0\u5728 /etc/ssh/sshd_config
\u7684\u6700\u4e0a\u9762\uff0c\u800c\u63a5\u4e0b\u6765\u7684\u5185\u5bb9\u90fd\u662f\u5168\u5c40\u8bbe\u7f6e\uff0c\u56e0\u6b64\u4f7f\u7528 Match All
\u4fdd\u8bc1\u539f\u5148\u7684\u5185\u5bb9\u7ee7\u7eed\u4f5c\u7528\u4e8e\u5168\u5c40\uff0c\u800c\u4e0d\u662f\u50cf\u4e0a\u9762\u8fd9\u4e2a\u4f8b\u5b50\u4e00\u6837\u53d8\u6210 Match User mirror
\u7684\u8bbe\u7f6e\u3002\u6ce8\u610f HostCertificate, TrustedUserCAKeys \u548c RevokedKeys \u8fd9\u4e09\u4e2a\u6587\u4ef6\u5fc5\u987b\u5b58\u5728\uff0c\u5426\u5219 SSH \u4f1a\u51fa\u4e00\u4e9b\u95ee\u9898\uff0c\u4f8b\u5982\u4e0d\u80fd\u5bc6\u94a5\u767b\u5f55\u53ea\u80fd\u5bc6\u7801\u767b\u5f55\u3002
HostCertificate \u9700\u8981\u624b\u52a8\u7b7e\u53d1\u4e00\u4e2a\uff0c\u53e6\u5916\u4e24\u4e2a\u6587\u4ef6\u4ece\u522b\u7684\u673a\u5668\u4e0a\u590d\u5236\u5c31\u884c\u3002
"},{"location":"infrastructure/discontinued/","title":"\u4e0d\u518d\u4f7f\u7528\u7684\u57fa\u7840\u8bbe\u65bd","text":"Warning
Content under this section is not necessarily up-to-date.
"},{"location":"infrastructure/discontinued/#saltstack","title":"SaltStack","text":"\u76ee\u524d\u4e0d\u77e5 SaltStack \u4f55\u65f6\u5f00\u59cb\u4f7f\u7528\uff0c\u4f46\u662f\u6211\u4eec\u6ca1\u6709\u4efb\u4f55\u4f9d\u8d56\u4e8e salt \u7684\u914d\u7f6e\u3002\u51fa\u4e8e\u8003\u8651\u5230 salt \u51fa\u73b0\u8fc7\u975e\u5e38\u4e25\u91cd\u7684 CVE\uff0csaltstack \u5df2\u4e0d\u518d\u8003\u8651\u4f7f\u7528\uff0c\u4e14\u5728\u5df2\u77e5\u7684\u673a\u5668\u4e0a\u90fd\u5df2\u5220\u9664\u3002\u5982\u679c\u4f60\u53d1\u73b0\u67d0\u53f0 lug \u7684\u673a\u5668\u4e0a\u5b89\u88c5\u4e86 salt\uff0c\u8bf7\u901a\u77e5 CTO \u4ee5\u5c06\u5176\u5220\u9664\u3002
\u5728\u81ea\u52a8\u5316\u8fd0\u7ef4\u65b9\u9762\uff0c\u672a\u6765\u4f1a\u8c03\u7814 ansible\u3002
"},{"location":"infrastructure/discontinued/#vsphere","title":"vSphere \u96c6\u7fa4","text":"\u6211\u4eec\u4ece 2015 \u5e74\uff08\u6216\u66f4\u65e9\uff09\u5f00\u59cb\u4f7f\u7528 vSphere \u5e73\u53f0\uff08ESXi + vCenter\uff09\u8fd0\u884c\u865a\u62df\u673a\u3002\u7531\u4e8e VMware \u4e13\u6709\u5e73\u53f0\u7684\u590d\u6742\u6027\u96be\u4ee5\u7ef4\u62a4\uff0c\u6211\u4eec\u5df2\u4e8e 2022 \u5e74 1 \u6708\u5168\u9762\u8fc1\u79fb\u81f3\u5f00\u6e90\u7684\u3001\u57fa\u4e8e Debian GNU/Linux \u7684\u865a\u62df\u5316\u5e73\u53f0 Proxmox VE\u3002
"},{"location":"infrastructure/discontinued/#pve-2-pve-4","title":"pve-2, pve-4","text":"pve-2 \u548c pve-4 \u4e5f\u4f4d\u4e8e\u4e1c\u56fe\uff0c\u662f\u4e24\u53f0\u672a\u77e5\u54c1\u724c\u3001\u672a\u77e5\u578b\u53f7\u7684\u65e7\u673a\u5668\uff0c\u914d\u7f6e\u4e3a 2\u00d7 Xeon E5420 (Very old 4C4T, 2.50 GHz), 16 GB \u5185\u5b58\uff08DDR2 667 MHz\uff09\u548c\u4e00\u5757 16 GB \u7684 SanDisk SSD\u3002\u8be5\u578b\u53f7\u673a\u5668\u6ca1\u6709 IPMI\u3002
\u7531\u4e8e\u914d\u7f6e\u4f4e\u4e0b\uff0c\u6211\u4eec\u624b\u52a8\u5b89\u88c5\u4e86 Proxmox VE\uff0c\u6ca1\u6709\u4f7f\u7528 LVM\uff0c\u5206\u914d\u4e86 1 GB \u7684 swap\uff0c\u5269\u4e0b\u5168\u90e8\u7ed9 rootfs\u3002
\u673a\u5668\u7684\u7f51\u5361\u6709\u4e24\u4e2a 1 Gbps \u7684\u63a5\u53e3\uff0c\u4e0e pve-6 \u76f8\u540c\uff0c\u90fd\u63a5\u5728\u540c\u4e00\u4e2a\u4ea4\u6362\u673a\u4e0a\u3002
"},{"location":"infrastructure/discontinued/vsphere/esxi/","title":"ESXi","text":"\u73b0\u5f79\u7684 ESXi \u6709 3 \u53f0\uff1aesxi-2 \u548c esxi-6 \u4f4d\u4e8e\u4e1c\u56fe\u673a\u623f\uff0cesxi-5 \u4f4d\u4e8e\u7f51\u7edc\u4fe1\u606f\u4e2d\u5fc3\u673a\u623f\u3002
esxi-2 \u4e0a\u8fd0\u884c\u4e1c\u56fe\u7f51\u5173\u7b49\u670d\u52a1\uff0cesxi-6 \u4e0a\u8fd0\u884c ustclug gitlab\u3002esxi-5 \u4e0a\u8fd0\u884c\u8bf8\u5982 vcenter, \u90ae\u4ef6\u7f51\u5173, ldap, \u5907\u7528\u7f51\u5173, vSphereDataProtection \u5907\u4efd\u670d\u52a1\u7b49\u3002
\u76ee\u524d\uff0c\u6709\u8ba1\u5212\u5c06\u865a\u62df\u5316\u65b9\u6848\u66f4\u6539\u4e3a Proxmox Virtual Environment\u3002
"},{"location":"infrastructure/discontinued/vsphere/esxi/#about-snapshot","title":"\u5173\u4e8e\u5feb\u7167","text":"Best practices: https://kb.vmware.com/s/article/1025279\uff0c\u7ba1\u7406\u865a\u62df\u673a\u524d\u52a1\u5fc5\u9605\u8bfb\u3002
"},{"location":"infrastructure/discontinued/vsphere/esxi/#_1","title":"\u673a\u5668\u914d\u7f6e\u7ec6\u8282","text":""},{"location":"infrastructure/discontinued/vsphere/esxi/#esxi-5","title":"esxi-5","text":"esxi-5 \u4e0a\u4e8e 2021/8 \u53d1\u73b0\u81ea\u5e26\u9635\u5217\u6709\u4e24\u5757\u574f\u76d8\uff0c\u5728\u66f4\u6362\u540e\u53d1\u73b0 storage \"root\"\uff08\u5b58\u653e vcenter \u865a\u62df\u673a\uff0c\u7ec4 RAID 1 \u540e\u5927\u5c0f 1.8TB\uff09\u65e0\u6cd5\u6b63\u5e38 rebuild\uff0c\u5e76\u4e14 vcenter \u865a\u62df\u673a\u7684 vmdk \u6587\u4ef6\u6709 4 \u4e2a\u51fa\u73b0 I/O error\u3002\u76ee\u524d vcenter \u865a\u62df\u673a\u5df2\u7ecf\u8fc1\u79fb\u5230 storage \"data\" (RAID10, 7.2 TB)\uff0c\u5de5\u4f5c\u6b63\u5e38\u3002
"},{"location":"infrastructure/discontinued/vsphere/vcenter/","title":"vCenter","text":"vCenter \u4e3a\u7ef4\u62a4\u4eba\u5458\u63d0\u4f9b\u4e86\u65b9\u4fbf\u7684\u7ba1\u7406\u6240\u6709 ESXi \u670d\u52a1\u5668\u7684\u754c\u9762\u3002\u9700\u8981\u6ce8\u610f\uff1a
\u5f53\u51fa\u73b0\u4e25\u91cd\u7684 CVE \u4e14\u65e0\u6cd5\u7b80\u5355 workaround \u65f6\uff0c\u5efa\u8bae\u5b89\u88c5 patch\uff0c\u5927\u81f4\u65b9\u6cd5\uff1a
software-packages stage --iso
\u52a0\u8f7d\u8865\u4e01\u6587\u4ef6\uff08\u5b9e\u8d28\u662f\u4e00\u5806 rpm\uff09\u3002software-packages install --iso
\u5b89\u88c5\u8865\u4e01\u6587\u4ef6\u3002shell
\u8fdb\u5165 bash\uff0creboot
\u91cd\u542f\u3002service-control --start --all
\u5347\u7ea7\u65f6\u9047\u5230\u7684\u95ee\u9898\uff1a
software-packages
\u66f4\u65b0\uff0c\u67e5\u770b\u539f\u56e0\u3002\u5982\u679c\u662f root \u5bc6\u7801\u8fc7\u671f\uff0c\u8fdb\u5165 bash\uff0c\u4f7f\u7528 passwd \u5148\u91cd\u7f6e\u6210\u65b0\u7684\uff08\u7136\u540e\u518d\u6539\u56de\u6765\uff09\uff0c\u4f7f\u7528 chage -I -1 -m 0 -M 99999 -E -1 root
\u8bbe\u7f6e\u6c38\u4e0d\u8fc7\u671f\u3002\u5f53\u6211\u4eec\u8bf4\u5230 VDP \u7684\u65f6\u5019\uff0c\u6211\u4eec\u5230\u5e95\u5728\u6307\u4ec0\u4e48\uff1f\u4e3a\u4e86\u907f\u514d\u6b67\u4e49\uff0c\u4ee5\u4e0b\u505a\u4e86\u4e00\u4e9b\u5b9a\u4e49\uff1a
vdp2 \u6302\u63a5\u5728 esxi-5 \u4e0a\uff0cesxi-5 \u6e90\u4e8e\u8001 mirrors\uff08mirrors2 \u4e4b\u524d\u7684\u4e00\u4ee3\u673a\u5668\uff09\u3002vSphereDataProtection \u7248\u672c\u4e3a 6.1.5\u3002
\u5f53 vdp \u5907\u4efd\u7a0b\u5e8f\u51fa\u73b0\u5947\u602a\u7684\u95ee\u9898\u7684\u65f6\u5019\uff0c\u91cd\u542f vdp \u5907\u4efd\u865a\u62df\u673a\u7edd\u5927\u591a\u6570\u65f6\u5019\u80fd\u591f\u89e3\u51b3\u95ee\u9898\u3002\u91cd\u542f\u8017\u65f6\u975e\u5e38\u957f\uff0c\u9700\u8981\u505a\u597d\u5fc3\u7406\u51c6\u5907\u3002
\u5907\u4efd\u65f6\uff0cvdp \u5907\u4efd\u7a0b\u5e8f\u4f1a\u4e3a\u865a\u62df\u673a\u65b0\u5efa\u4e00\u4e2a snapshot\uff0c\u4e4b\u540e\u4ece snapshot \u4f20\u8f93\u5907\u4efd\u3002\u5076\u5c14 snapshot \u4e0d\u4f1a\u88ab\u6b63\u5e38\u5220\u9664\uff0c\u800c\u5927\u91cf\u6216\u957f\u65f6\u95f4\u5b58\u653e\u7684 snapshot \u4f1a\u7ed9\u6027\u80fd\u5e26\u6765\u8d1f\u9762\u5f71\u54cd\uff0c\u6240\u4ee5\u5982\u679c\u53d1\u73b0\u6b64\u7c7b\u60c5\u51b5\uff0c\u5728\u786e\u8ba4\u5907\u4efd\u4e0d\u518d\u8fdb\u884c\u540e\uff0c\u9700\u8981\u5220\u9664 snapshot\uff0c\u540c\u65f6\u4fdd\u6301\u673a\u5668\u5728\u7ebf\uff08\u5728\u5173\u673a\u60c5\u51b5\u4e0b\u6574\u5408\u78c1\u76d8\u65f6\u65e0\u6cd5\u5f00\u673a\uff01\uff09\u3002
\u53c2\u8003\u8d44\u6599\uff1ahttps://docs.vmware.com/en/VMware-vSphere/6.5/rn/data-protection-615-release-notes.html
VDP \u5907\u4efd\u865a\u62df\u673a\u5df2\u7ecf EOL\u3002\u8bbf\u95ee vcenter \u4e2d\u7684 VDP \u63d2\u4ef6\u9700\u8981\u4f7f\u7528 Adobe Flash\u3002
"},{"location":"infrastructure/discontinued/vsphere/vdp/#_1","title":"\u5907\u4efd\u8ba1\u5212","text":"\u76ee\u524d\u7684\u5907\u4efd\u8ba1\u5212\u5982\u4e0b\uff1a
\u67e5\u770b\u5f53\u524d\u4efb\u52a1\uff1a
# mccli activity show | grep Running\n
\u67e5\u770b\u670d\u52a1\u60c5\u51b5\uff1a
# dpnctl status\n# status.dpn\n
"},{"location":"infrastructure/discontinued/vsphere/vdp/#vspheredataprotection-on-virtio-scsi","title":"vSphereDataProtection on VirtIO SCSI","text":"vdp \u7684\u64cd\u4f5c\u7cfb\u7edf\u662f SLES 11 SP3\uff0c\u8fd9\u4e2a\u64cd\u4f5c\u9700\u8981\u7cfb\u7edf\u76d8\u7684\u524d\u4e24\u4e2a\u5206\u533a\uff08/boot
\u548c /
\uff09\u3002
/lib/modules/3.0.101-0.47.99-default/kernel/drivers/
\u91cc\u53d6\u51fa virtio \u7684\u5185\u6838\u6a21\u5757\uff08block
\u91cc\u9762\u4e00\u4e2a\uff0cvirtio
\u6574\u4e2a\u76ee\u5f55\uff0c\u4ee5\u53ca scsi
\u91cc\u9762\u4e00\u4e2a\uff09\uff0c\u653e\u5728 initrd \u89e3\u538b\u540e\u7684\u5bf9\u5e94\u4f4d\u7f6e\u3002/lib/modules/3.0.101-0.47.99-default/modules.dep*
\u590d\u5236\u5230 initrd \u91cc\u3002config/start.sh
\u548c run_all.sh
\uff0c\u5728 RESOLVED_INITRD_MODULES
\u53d8\u91cf\u4e2d\u6dfb\u52a0 virtio_pci virtio virtio_scsi virtio_blk
\uff08\u5373\u4fee\u6539\u4e3a RESOLVED_INITRD_MODULES='virtio_pci virtio virtio_scsi virtio_blk cifs ext2 ext3 ext4 fat nfs reiserfs ufs xfs'
\uff09\u3002/boot
) \u91cc\u9762\uff0c\u5efa\u8bae\u4e0d\u8981\u8986\u76d6\u539f\u6765\u7684 initrd\u3002grub/menu.lst
\uff0c\u5c06 initrd \u4fee\u6539\u4e3a\u4f60\u6240\u6253\u5305\u7684\u6587\u4ef6\u540d\u3002Servers Intranet connects all the servers together, including physical servers and virtual machines.
"},{"location":"infrastructure/intranet/#network-topology","title":"Network Topology","text":"\u4ee5\u4e0a\u67b6\u6784\u56fe\u7531 iBug \u5728 2023 \u5e74 11 \u6708\u66f4\u65b0\u3002
\u6b64\u5904\u662f\u4e00\u4e9b\u8fc7\u65f6\u7684\u4fe1\u606f\uff0c\u4e5f\u8bb8\u8fd8\u6709\u70b9\u53c2\u8003\u4ef7\u503cThe network contains three parts:
tincVPN is a mesh VPN, which can be abstracted as a virtual Switch.
vm-nfs.s.ustclug.org runs a layer 2 bridge, connecting tincVPN and SRW2024 (physical switch).
It is obvious that vm-nfs is a single point of failure of communicating between tinc host and vSphere virtual machine. I had tried to add another bridge node, but resulted in a broadcast storm. Maybe we can fix it by MPLS (merged in mainline kernel 4.3). But it isn't a right timing at this time.
"},{"location":"infrastructure/intranet/#network-information","title":"Network information","text":"The network contains one single subnet: 10.254.0.0/21
Every server and service binds to one and only one IP address, used to communicate with each other.
"},{"location":"infrastructure/intranet/#address-planning","title":"Address planning","text":"We run gateways in each colocation to provide internet access to intranet-only hosts (VMs and containers).
When configuring VMs and containers, set their gateway according to their colocation:
Gateway-JP is mainly used for HTTP reverse proxy, so that we can provide HTTP services in compliance with PRC regulations.
For server configuration on each gateway, refer to their corresponding documentation:
After migrating to PVE, we found that sometimes tinc works abnormally within gateway-el and gateway-nic, with following kernel log:
bridge: received packet on ustclug with own address as source address (addr:12:34:56:78:90:ab, vlan:0)\nbridge: received packet on ustclug with own address as source address (addr:12:34:56:78:90:ab, vlan:0)\nbridge: received packet on ustclug with own address as source address (addr:12:34:56:78:90:ab, vlan:0)\nbridge: received packet on ustclug with own address as source address (addr:12:34:56:78:90:ab, vlan:0)\nbridge: received packet on ustclug with own address as source address (addr:12:34:56:78:90:ab, vlan:0)\nbridge: received packet on ustclug with own address as source address (addr:12:34:56:78:90:ab, vlan:0)\nbridge: received packet on ustclug with own address as source address (addr:12:34:56:78:90:ab, vlan:0)\nbridge: received packet on ustclug with own address as source address (addr:12:34:56:78:90:ab, vlan:0)\nbridge: received packet on ustclug with own address as source address (addr:12:34:56:78:90:ab, vlan:0)\nbridge: received packet on ustclug with own address as source address (addr:12:34:56:78:90:ab, vlan:0)\nnet_ratelimit: 2 callbacks suppressed\n
We still don't know the source of this issue. To workaround that, following self-check timer is deployed now:
/opt/tinc-check.sh#!/bin/bash\n\nrestart() {\n systemctl stop tinc@ustclug.service\n sleep 3 # avoid race condition\n systemctl start tinc@ustclug.service\n echo \"tinc restarted\"\n}\n\ndmesg | tail -n 2 | grep 'received packet on ustclug with own address as source address' && restart || echo \"tinc OK now\";\n
/etc/systemd/system/tinc-check.service[Unit]\nDescription=Tinc Check and Auto-Restart\n\n[Service]\nType=oneshot\nExecStart=/opt/tinc-check.sh\n
/etc/systemd/system/tinc-check.timer[Unit]\nDescription=Tinc Check and Auto-Restart Timer\n\n[Timer]\nOnCalendar=minutely\nPersistent=true\n\n[Install]\nWantedBy=timers.target\n
"},{"location":"infrastructure/intranet/lugivpn/","title":"LUG Intranet VPN","text":"service: intranet.ustclug.org
server: board.s.ustclug.org
"},{"location":"infrastructure/intranet/lugivpn/#introduction","title":"Introduction","text":"Server intranet is a closed network, which cannot be accessed from Internet. LUGI VPN helps maintainer get access to intranet temporarily.
LUGI VPN is running in Banana Pi Raspberry Pi 3B+, the only ARM architecture device we owned. Using OpenVPN protocal, authorizing via LDAP.
The original Banana Pi was down in April 2021.
"},{"location":"infrastructure/intranet/lugivpn/#configuration","title":"Configuration","text":"OpenVPN LDAP auth plugin config /etc/openvpn/auth-ldap.conf
:
<LDAP>\n URL ldaps://ldap.ustclug.org\n Timeout 15\n FollowReferrals yes\n TLSCACertFile /etc/ldap/ssl/slapd-ca-cert.pem\n</LDAP>\n\n<Authorization>\n BaseDN \"ou=people,dc=lug,dc=ustc,dc=edu,dc=cn\"\n SearchFilter \"(uid=%u)\"\n RequireGroup false\n</Authorization>\n
In openvpn configuration:
...\nplugin /usr/lib/openvpn/openvpn-auth-ldap.so /etc/openvpn/auth-ldap.conf\n
Servers intranet is a layer 2 network without default gateway. So NAT is needed:
iptables -t nat -A POSTROUTING -s 10.254.248.0/22 -d 10.254.0.0/21 -j MASQUERADE\n
"},{"location":"infrastructure/proxmox/nfs/","title":"NFS","text":"NFS \u670d\u52a1\u5668\uff08\"vdp\"\uff09\u662f\u4e1c\u56fe\u4e09\u4e2a PVE \u673a\u5668\u7684\u865a\u62df\u673a\u5b58\u50a8\uff0c\u578b\u53f7\u4e3a DELL PowerEdge R510\u3002\u78c1\u76d8\u9635\u5217\u7531\u4e8e\u5728 2021 \u5e74 3 \u6708\u521d\u635f\u574f\uff0c\u76ee\u524d\u5bb9\u91cf\u7f29\u51cf\u5230 8T\uff084 \u5757 4T \u84dd\u76d8 RAID10\uff09\u3002\u9664\u865a\u62df\u673a\u5916\uff0cNFS \u4e5f\u5b58\u50a8 LUG \u6210\u5458\u7684\u4e2a\u4eba\u6570\u636e\u53ca LUG FTP\u3002NFS \u670d\u52a1\u6062\u590d\u540e\uff0c\u4e3a\u4e86\u4fdd\u8bc1\u6570\u636e\u5197\u4f59\u6027\uff0c\u4f7f\u7528 Rclone \u548c Rsync \u6bcf\u5929\u589e\u91cf\u5907\u4efd LUG FTP \u548c LUG \u6210\u5458\u7684\u516c\u5f00\u6570\u636e\uff08public_html
\u76ee\u5f55\uff09\u5230\u4ee5\u4e0b\u4f4d\u7f6e\uff1a
\u5177\u4f53\u7684\u5907\u4efd\u65b9\u5f0f\u548c\u547d\u4ee4\u53c2\u89c1\u673a\u5668\u4e0a\u7684 rclone-backup.timer
\u548c rclone-backup.service
\u3002
vdp \u7684\u5185\u7f51\u8fde\u63a5\u4f9d\u8d56\u4e8e gateway-el\u3002
\u53ef\u80fd\u7684\u7f51\u7edc\u95ee\u9898
\u5728 2021 \u5e74\u4e5d\u6708\u4efd\u4e1c\u56fe\u7684 ESXi \u4e0e NFS \u8fde\u63a5\u4f1a\u51fa\u73b0\u4e0d\u7a33\u5b9a\u7684\u95ee\u9898\uff0c\u539f\u56e0\u76ee\u524d\u4e0d\u660e\u3002\u5728\u8fde\u63a5\u65b9\u5f0f\u4ece NFS 4.1 \u66f4\u6362\u5230 NFS 3 \u4e4b\u540e\uff0c\u8fde\u63a5\u7684\u4e0d\u7a33\u5b9a\u4e0d\u4f1a\u5bfc\u81f4\u865a\u62df\u673a\u88ab\u5173\u95ed\u3002
2021/09/29 \u66f4\u65b0\uff1a\u8fd9\u4e24\u5929\u518d\u6b21\u51fa\u73b0\u4e86\u4e25\u91cd\u7684\u8fde\u63a5\u95ee\u9898\u3002\u8c03\u8bd5\u540e\u53d1\u73b0 192.168.93.0/24 \u7684\u7f51\u5173 192.168.93.254 (Cisco \u8bbe\u5907) \u4e22\u5305\u4e25\u91cd\uff0c\u800c NFS \u7684\u51fa\u53e3 IP \u9519\u8bef\u88ab\u8bbe\u7f6e\u5230\u4e86\u4e0e\u56fe\u4e66\u9986\u4ea4\u6362\u673a\u76f8\u8fde\u63a5\u7684 eno1\uff0c\u5bfc\u81f4\u8bf7\u6c42\u9700\u8981\u7ed5\u8def\u3002\u5c06\u6b64 IP \u79fb\u52a8\u81f3 eno2\uff0c\u4fee\u6539 sysctl \u8bbe\u7f6e ARP \u8fc7\u6ee4\u5e76\u91cd\u542f\u540e\uff0c\u76ee\u524d\u6682\u65f6\u89e3\u51b3\u4e86\u95ee\u9898\u3002
Debian Bookworm \u5185\u6838\u95ee\u9898
6.1.x \u5f00\u59cb\u7684\u5185\u6838\u7684 NFSv4 \u670d\u52a1\u5668\u5b9e\u73b0\u53ef\u80fd\u5b58\u5728\u6f5c\u5728\u7684\u95ee\u9898\uff0c\u5bfc\u81f4\u5728\u67d0\u4e9b\u60c5\u51b5\u4e0b\u6b7b\u9501\uff0c\u89c1 https://lore.kernel.org/all/50d62fc9-206b-4dbc-9a9b-335450656fd0@aixigo.com/T/\u3002\u4ece Buster \u5347\u7ea7\u5230 Bookworm \u4e4b\u540e\u88ab\u5751\u4e86\u4e00\u6b21\u3002
\u7531\u4e8e\u8fd9\u4e2a\u95ee\u9898\u76ee\u524d\u5c1a\u672a\u89e3\u51b3\uff0c\u5728\u5347\u7ea7 Bookworm \u4e4b\u540e vdp \u4ecd\u4f7f\u7528 Bullseye \u7684\u5185\u6838\uff085.10.x\uff09\u3002
/etc/apt/preferences.d/linux-image-amd64Package: linux-image-amd64\nPin: release n=bullseye-security\nPin-Priority: 900\n
\u6211\u4eec\u521b\u5efa\u4e86\u5982\u4e0a\u6587\u4ef6\uff08\u4ee5\u4fbf\u80fd\u591f\u7ee7\u7eed\u4ece bullseye-security \u83b7\u5f97\u5185\u6838\u7684\u5b89\u5168\u66f4\u65b0\uff09\uff0c\u7136\u540e\u624b\u52a8\u5220\u6389\u4e86\u6240\u6709 6.1 \u7684\u5185\u6838\u5305\u3002
"},{"location":"infrastructure/proxmox/nfs/#pve","title":"PVE \u78c1\u76d8\u8def\u5f84\u4e0e\u6302\u8f7d\u53c2\u6570","text":"\u5728 storage.cfg \u8bbe\u7f6e\u4e2d\uff0cNFS \u6302\u8f7d\u5230 /mnt/nfs-el
\uff0c\u8bbe\u7f6e\u7684\u53c2\u6570\u4e3a soft,noexec,nosuid,nodev
\u3002\u8bbe\u7f6e\u4e3a hard
\u4f1a\u5bfc\u81f4 NFS \u4e0b\u7ebf\u65f6\u91cd\u8bd5\u65e0\u9650\u6b21\uff0c\u5927\u6982\u7387\u5bfc\u81f4\u7cfb\u7edf\u5361\u6b7b\uff0c\u5176\u4ed6\u51e0\u4e2a\u53c2\u6570\u4e3b\u8981\u662f\u4e3a\u4e86\u5b89\u5168\u3002
\u5176\u4e2d\uff0c\u6839\u636e PVE \u7684\u8981\u6c42\uff0c\u865a\u62df\u673a\u78c1\u76d8\u6587\u4ef6\u9700\u8981\u653e\u5728 images/<vmid>
\u76ee\u5f55\u4e0b\u624d\u4f1a\u88ab\u81ea\u52a8\u68c0\u6d4b\u5230\u3002\u82e5\u4e00\u5f00\u59cb\u6ca1\u6709\u6309\u8981\u6c42\u653e\u7f6e\u6587\u4ef6\u6216\u6dfb\u52a0\u4e86\u65b0\u6587\u4ef6\uff0c\u53ef\u4ee5\u4f7f\u7528 qm rescan
\u626b\u63cf\u65b0\u7684\u78c1\u76d8\u6587\u4ef6\u3002\u4e5f\u53ef\u4ee5\u76f4\u63a5\u4f7f\u7528 qm set
\u547d\u4ee4\u6216\u624b\u52a8\u7f16\u8f91\u865a\u62df\u673a\u914d\u7f6e\u6587\u4ef6\u6307\u5b9a\u78c1\u76d8\u6587\u4ef6\u7684\u8def\u5f84\uff0c\u8fd9\u4e24\u79cd\u65b9\u6cd5\u6ca1\u6709\u6b64\u9650\u5236\u3002
\u53e6\u5916\uff0c\u7531\u4e8e\u6574\u4e2a storage.cfg \u6587\u4ef6\u5728\u96c6\u7fa4\u4e2d\u5171\u4eab\uff0c\u9700\u8981\u624b\u52a8\u6307\u5b9a nodes
\u4ee5\u514d NIC \u7684\u4e24\u53f0 PVE \u4e3b\u673a\u5c1d\u8bd5\u6302\u8f7d\u3002
nfs: nfs-el\n export /media/vdp/pve\n path /mnt/nfs-el\n server nfs-el.vm.ustclug.org\n options soft,noexec,nosuid,nodev\n content iso,images\n nodes pve-2,pve-4,pve-6\n shared 1\n prune-backups keep-all=1\n
storage.cfg \u7684\u5168\u90e8\u914d\u7f6e\u5185\u5bb9\u53ef\u4ee5\u53c2\u8003 https://pve.proxmox.com/wiki/Storage\u3002
"},{"location":"infrastructure/proxmox/pbs/","title":"Proxmox Backup Server (PBS)","text":"PBS \u73b0\u5728\u90e8\u7f72\u5728 esxi-5 \u4e0a\u9762\uff0c\u7528\u4f5c\u865a\u62df\u673a\u5907\u4efd\uff0cweb \u754c\u9762\u7684\u7aef\u53e3\u53f7\u4e3a 8007\uff08HTTPS only\uff09\u3002
Info
\u672c\u9875\u9762\u8bb0\u5f55 Proxmox Backup Server \u8f6f\u4ef6\u76f8\u5173\uff0c\u4ee5\u53ca Proxmox VE \u865a\u62df\u673a\u76f8\u5173\u7684\u8d44\u6599\u3002\u5173\u4e8e esxi-5 \u7684\u7cfb\u7edf\u914d\u7f6e\u4fe1\u606f\u8bb0\u5f55\u5728 Proxmox VE \u9875\u9762\u3002
"},{"location":"infrastructure/proxmox/pbs/#pbs","title":"\u5b89\u88c5 PBS","text":"PBS \u53ef\u4ee5\u4f7f\u7528\u5b89\u88c5\u5149\u76d8 iso \u5b89\u88c5\u6216\u76f4\u63a5\u52a0\u88c5\u5728\u73b0\u6709\u7684\u5bf9\u5e94\u7248\u672c\u7684 Debian \u7cfb\u7edf\u4e0a\uff0c\u8fd9\u4e24\u79cd\u5b89\u88c5\u65b9\u5f0f\u90fd\u6709\u5b98\u65b9\u7684\u8bf4\u660e\u6587\u6863\u3002
\u6211\u4eec\u7684 esxi-5 \u662f\u4f7f\u7528 PVE \u7684\u5b89\u88c5\u76d8\u5148\u88c5\u6210 PVE\uff0c\u518d\u5728\u4e0a\u9762\u989d\u5916\u52a0\u88c5 PBS \u7684\u3002\u7531\u4e8e PVE \u548c PBS \u5171\u4eab\u4e86\u5927\u91cf\u7ec4\u4ef6\uff0c\u56e0\u6b64\u5728 PVE \u4e0a\u52a0\u88c5 PBS \u5c31\u53ea\u5269\u4e0b\u5f88\u7b80\u5355\u7684\u4e00\u4e9b\u6b65\u9aa4\u4e86\uff1a
echo \"deb http://mirrors.ustc.edu.cn/proxmox/debian/pbs bullseye pbs-no-subscription\" > /etc/apt/sources.list.d/pbs.list\napt update\napt install proxmox-backup\n
\u8be5\u8fc7\u7a0b\u4ec5\u5b89\u88c5\u4e86\u603b\u91cf\u4e3a 150+ MB \u7684 8 \u4e2a\u5305\uff0c\u5c31\u6709 PBS \u53ef\u7528\u4e86\u3002
"},{"location":"infrastructure/proxmox/pbs/#pbs-new-user","title":"\u521b\u5efa\u65b0\u7528\u6237","text":"PBS \u81ea\u5df1\u7684\u8d26\u53f7\u4f53\u7cfb (Realm pbs) \u4e0e PVE (Realm pve) \u4e92\u76f8\u4e0d\u901a\uff0c\u5982\u679c\u9700\u8981\u521b\u5efa\u65b0\u7684 PBS \u7528\u6237\uff0c\u53ef\u4ee5\u901a\u8fc7 SSH \u767b\u5f55\uff0c\u7136\u540e\u53c2\u8003\u4ee5\u4e0b\u6b65\u9aa4\uff1a
proxmox-backup-manager user create \u7528\u6237\u540d@pbs --email \u90ae\u7bb1\u5730\u5740@ustclug.org
proxmox-backup-manager user update \u7528\u6237\u540d@pbs --password '\u4e00\u4e2a\u4e34\u65f6\u7684\u5bc6\u7801'
proxmox-backup-manager acl update / Admin --auth-id \u7528\u6237\u540d@pbs
proxmox-backup-manager acl list
\u786e\u8ba4\u6743\u9650\u5217\u8868\u3002\u53c2\u8003\uff1ahttps://pbs.proxmox.com/docs/user-management.html
Tip
\u5f53\u7136\uff0c\u4f60\u4e5f\u53ef\u4ee5 SSH \u767b\u5f55\u540e\u4fee\u6539 root \u5bc6\u7801\uff0c\u518d\u7528 root@pam \u7684\u8d26\u53f7\u767b\u5f55 web \u754c\u9762\u8fdb\u884c\u64cd\u4f5c\u3002\u8be5\u65b9\u6cd5\u540c\u65f6\u9002\u7528\u4e8e PVE \u548c PBS\u3002\u64cd\u4f5c\u5b8c\u6210\u540e\u8bf7\u6062\u590d root \u5bc6\u7801\uff08passwd -d root
\uff09\u3002
\u5982\u679c\u4f60\u9700\u8981\u7ecf\u5e38\u767b\u5f55 Web \u754c\u9762\u64cd\u4f5c\uff0c\u6700\u597d\u521b\u5efa\u4e00\u4e2a Realm pve/pbs \u800c\u4e0d\u662f\u4f9d\u8d56\u4e8e\u4f7f\u7528 root \u5bc6\u7801\u3002
\u7279\u522b\u5730\uff0c\u7531\u4e8e PBS \u548c PVE \u540c\u65f6\u5b89\u88c5\u5728 esxi-5 \u4e0a\uff0c\u56e0\u6b64\u5b83\u4eec\u53ef\u4ee5\u5171\u4eab esxi-5 \u4e0a\u7684 Linux \u7528\u6237\uff08\u5373 Linux PAM standard authentication\uff09\u3002
"},{"location":"infrastructure/proxmox/pbs/#pbs-add-datastore","title":"\u8bbe\u7f6e Datastore","text":"PBS \u4e0a\u7684\u865a\u62df\u673a\u5907\u4efd\u5355\u5143\u662f\u5c0f\u5757\u7684 chunk\uff0c\u4e5f\u4f9d\u8d56\u8fd9\u4e2a\u8bbe\u8ba1\u5b9e\u73b0\u589e\u91cf\u5907\u4efd\uff0c\u6240\u4ee5\u865a\u62df\u673a\u5907\u4efd\uff08Datastore\uff09\u7684\u540e\u7aef\u90fd\u662f\u76ee\u5f55\u3002\u6dfb\u52a0 Datastore \u53ea\u9700\u8981\u6307\u5b9a\u4e00\u4e2a\u76ee\u5f55\uff0c\u53d6\u4e00\u4e2a\uff08\u7b80\u77ed\u7684\uff09\u540d\u5b57\u5c31\u53ef\u4ee5\u4e86\u3002\u5efa\u8bae\u4e0d\u8981\u4f7f\u7528\u6587\u4ef6\u7cfb\u7edf\u7684\u6839\u76ee\u5f55\u4f5c\u4e3a Datastore\uff0c\u53ef\u4ee5\u521b\u5efa\u4e00\u4e2a pbs
\u6587\u4ef6\u5939\u7528\u4f5c Datastore\uff0c\u53c2\u8003\u4e0b\u9762\u6240\u8ff0\u7684 esxi-5 \u4e0a\u7684\u914d\u7f6e\u3002
\u76ee\u524d\u5728 esxi-5 \u4e0a\u914d\u7f6e\u4e86\u4ee5\u4e0b datastore\uff1a
/mnt/raid1/pbs
\uff1a\u6302\u8f7d\u70b9\u4e3a /mnt/raid1
\uff0c\u662f esxi-5 \u673a\u8eab\u7684\u4e24\u5757\u5feb\u8981\u574f\u6389\u7684 2 TB HDD RAID-1\uff0c\u5df2\u7ecf\u6302\u4e86\uff1b/mnt/data/pbs
\uff1a\u6302\u8f7d\u70b9\u4e3a /mnt/data
\uff0c\u662f\u4e00\u4e2a\u5bb9\u91cf\u4e3a 7 TB \u7684\u673a\u8eab HDD \u9635\u5217\uff1b/mnt/vdp2/pbs
\uff1a\u6302\u8f7d\u70b9\u4e3a /mnt/vdp2
\uff0c\u662f\u4e00\u4e2a\u5bb9\u91cf\u4e3a 14 TB \u7684 iSCSI \u5916\u7f6e HDD \u9635\u5217\uff0c\u662f\u6211\u4eec\u76ee\u524d\u5907\u4efd\u865a\u62df\u673a\u7684\u4e3b\u8981\u5b58\u50a8\u3002LUG \u76ee\u524d\u670d\u5f79\u7684 Proxmox VE \u4e3b\u673a\u6709\uff1a
esxi-5 \u662f 2011 \u5e74\u7684 mirrors \u670d\u52a1\u5668\uff0c\u4e8e 2016 \u5e74\u9000\u5f79\u540e\u6539\u88c5\u4e3a ESXi\uff0c\u73b0\u5728\u5df2\u66ff\u6362\u4e3a Proxmox VE
PVE \u7684 web \u7aef\u53e3\u4e3a 8006\uff0c\u800c PBS \u7684\u7aef\u53e3\u4e3a 8007\uff0c\u56e0\u6b64\u5728\u4e00\u53f0\u4e3b\u673a\u4e0a\u540c\u65f6\u5b89\u88c5 PVE \u548c PBS \u4e92\u4e0d\u51b2\u7a81\uff0c\u8bbf\u95ee\u65f6\u9700\u8981\u4f7f\u7528 HTTPS \u5e76\u6307\u5b9a\u7aef\u53e3\u3002
PVE \u548c PBS \u7684\u7aef\u53e3\u90fd\u662f\u56fa\u5b9a\u7684\uff0c\u65e0\u6cd5\u66f4\u6539
pve-6 \u662f\u4e00\u53f0\u8f83\u8001\u7684\u670d\u52a1\u5668\uff0c\u5728\u6539\u88c5\u524d\u8fd0\u884c ESXi 6.0\uff0c\u56e0\u6b64\u4e3b\u673a\u540d\u66fe\u7ecf\u662f esxi-6\u3002
pve-1 \u5230 pve-4 \u53bb\u54ea\u4e86\uff1f
esxi-1 \u548c esxi-3 \u5df2\u7ecf\u574f\u6389\u5f88\u591a\u5e74\u4e86\uff0c\u540c\u6279\u6b21 5 \u53f0\u673a\u5668\u5df2\u7ecf\u574f\u6389\u4e86 3 \u53f0\uff08\u53e6\u5916\u4e00\u4e2a\u662f vm-nfs\uff0cesxi-6 \u4e0d\u5c5e\u4e8e\u8be5\u6279\u6b21\uff09\u3002
pve-2 \u548c pve-4 \u7531 esxi-2 \u548c esxi-4 \u6539\u88c5\u800c\u6765\uff0c\u7531\u4e8e\u8fc7\u4e8e\u53e4\u8001\uff082007 \u5e74\uff09\uff0c\u5373\u4f7f\u6ca1\u574f\uff0c\u6211\u4eec\u4e5f\u5c06\u5b83\u4eec\u4e0b\u67b6\u5904\u7406\u6389\u4e86\u3002
pve-7 \u662f\u5b8b\u8001\u5e08\u7ed9\u6211\u4eec\u7684\u4e00\u53f0 Oracle x86 \u670d\u52a1\u5668\uff0c\u539f\u5148\u5728\u897f\u56fe\u673a\u623f\u5c1d\u8bd5\u7528\u4f5c docker3\uff0c\u540e\u6765\u53d1\u73b0\u6ca1\u9700\u6c42+\u4e0d\u65b9\u4fbf\u540e\uff0c\u7ecf\u5b8b\u8001\u5e08\u5141\u8bb8\u642c\u5230\u4e86\u4e1c\u56fe\u673a\u623f\u7528\u4f5c PVE\uff0c\u66ff\u4ee3\u4e86 pve-{2,4} \u7684\u529f\u80fd\u8fd0\u884c\u4e00\u4e9b\u865a\u62df\u673a\u3002
\u673a\u5668\u539f\u88c5\u5185\u5b58\u4e3a 64G\uff08\u4f46\u662f\u6709\u635f\u574f\uff09\uff0c\u5728\u56fe\u4e66\u9986\u548c\u7f51\u7edc\u4fe1\u606f\u4e2d\u5fc3\u627e\u4e86\u4e00\u4e9b\u65e7\u5185\u5b58\u540e\u6269\u5145\u5230\u4e86 128G\u3002
\u8fd9\u4e9b PVE \u4e3b\u673a\u914d\u7f6e\u4e3a\u4e00\u4e2a\u96c6\u7fa4\uff0c\u53ef\u4ee5\u5171\u4eab\u4e00\u4e9b\u914d\u7f6e\u4fe1\u606f\u5e76\u4e92\u76f8\u8fc1\u79fb\u865a\u62df\u673a\u3002\u7279\u522b\u5730\uff0cProxmox VE Authentication Server\uff08Realm \u4e3a pve\uff09\u7684\u8d26\u53f7\u5728 PVE \u4e3b\u673a\u4e4b\u95f4\u662f\u5171\u4eab\u7684\uff0c\u5e76\u4e14\u6dfb\u52a0\u7684 PBS \u5b58\u50a8\u540e\u7aef\u4e5f\u662f\u5171\u4eab\u7684\uff0c\u5373\u5927\u5bb6\u90fd\u53ef\u4ee5\u5f80\u76f8\u540c\u7684 PBS \u4e0a\u5907\u4efd\u865a\u62df\u673a\u3002
\u53e6\u6709\u6682\u672a\u52a0\u5165 PVE \u96c6\u7fa4\u7684\u673a\u5668\u5982\u4e0b\uff1a
\u4e0d\u540c\u4e3b\u673a\u4e4b\u95f4\u7684 Linux PAM \u7528\u6237\u662f\u4e0d\u76f8\u901a\u7684
\u6240\u6709 Proxmox \u4e3b\u673a\u7684\u4e3b\u673a\u540d\uff08hostname\uff09\u90fd\u8bbe\u4e3a <hostname>.vm.ustclug.org
\uff0c\u5bf9\u5e94\u7684 IP \u5730\u5740\u8bb0\u5f55\u5728 DNS \u4e2d\u3002
\u5df2\u5e9f\u5f03\u7684\u5185\u5bb9
\u4e3a\u4e86\u4fbf\u4e8e\u901a\u8fc7 IPMI \u7b49\u65b9\u5f0f\u7ef4\u62a4\uff0c\u6211\u4eec\u7ea6\u5b9a\u6240\u6709 Proxmox \u4e3b\u673a\u7684 root \u8d26\u6237\u5bc6\u7801\u4fdd\u6301\u4e3a\u7a7a\u3002\u82e5\u6709\u64cd\u4f5c\u9700\u8981\u4f7f\u7528 root \u5bc6\u7801\uff08\u5982\u521b\u5efa\u548c\u52a0\u5165\u96c6\u7fa4\u65f6\uff09\uff0c\u8bf7\u901a\u8fc7 SSH \u6216 IPMI \u767b\u5f55\uff0c\u4e34\u65f6\u8bbe\u7f6e\u4e00\u4e2a root \u5bc6\u7801\uff0c\u5e76\u5728\u4fee\u6539\u5b8c PVE / PBS \u7684\u914d\u7f6e\u540e\u5c06\u5bc6\u7801\u5220\u9664\uff08passwd -d
\uff09\u3002PVE / PBS \u6ca1\u6709\u4f9d\u8d56\u4e8e\u56fa\u5b9a\u4e0d\u53d8\u7684 root \u5bc6\u7801\u624d\u80fd\u6b63\u5e38\u8fd0\u884c\u7684\u7ec4\u4ef6\uff0c\u56e0\u6b64\u8fd9\u6837\u505a\u5bf9 PVE / PBS \u6765\u8bf4\u662f\u6ca1\u95ee\u9898\u7684\u3002
\u5b89\u5168\u8d77\u89c1\uff0cPVE / PBS \u4e3b\u673a\u4f7f\u7528 RFC 1918 \u6bb5\u7684\u6821\u56ed\u7f51 IP\uff0c\u4e0d\u8fde\u63a5\u516c\u7f51\u3002
Debian \u548c Proxmox \u7684\u8f6f\u4ef6\u66f4\u65b0\u4f7f\u7528 mirrors.ustc.edu.cn \u5373\u53ef\uff0c\u82e5\u6709\u9700\u8981\u8bbf\u95ee\u6821\u5916\uff08\u5982 GitHub \u7b49\uff09\uff0c\u8bf7\u5199 hosts \u5e76\u914d\u7f6e\u8def\u7531\uff0c\u4ee5 GitHub \u4e3a\u4f8b\uff1a
echo \"20.205.243.166 github.com\" >> /etc/hosts\nip route replace 20.205.243.166 via (?) dev (?)\n
\u5176\u4e2d via
\u9009\u62e9 gateway-el \u6216 gateway-nic \u7684\u5185\u7f51\u5730\u5740\uff0cdev
\u9009\u62e9\u6865\u63a5\u5185\u7f51\u7684 vmbr\uff08\u89c1\u4e0b\uff09\u3002
Proxmox VE \u8981\u6c42\u4e3a\u865a\u62df\u673a\u63a5\u5165\u7684\u7f51\u6865\u5fc5\u987b\u547d\u540d\u4e3a vmbrN
\uff0c\u5176\u4e2d N \u662f 0-4094 \u4e4b\u95f4\u7684\u6574\u6570\u3002\u65b9\u4fbf\u8d77\u89c1\uff0c\u6211\u4eec\u5728\u4e24\u4e2a\u673a\u623f\u5206\u522b\u7edf\u4e00 vmbr \u7684\u7f16\u53f7\uff1a
\u6211\u4eec\u4e0d\u4f7f\u7528 Proxmox \u81ea\u5e26\u7684\u9632\u706b\u5899\u529f\u80fd\uff0c\u4f46 pve-firewall \u4ecd\u7136\u4f1a\u5c1d\u8bd5\u90e8\u7f72\u6216\u6062\u590d\u9632\u706b\u5899\u8bbe\u7f6e\uff0c\u56e0\u6b64\u9700\u8981\u7981\u7528\u76f8\u5173\u8bbe\u7f6e\u53ca\u670d\u52a1\uff1a
/etc/pve/nodes/$(hostname -s)/host.fw[OPTIONS]\nenable: 0\n
systemctl stop pve-firewall.service\nsystemctl disable pve-firewall.service\nsystemctl mask pve-firewall.service\n
\u53ef\u9009\u5185\u5bb9\uff1a\u540c\u65f6\u5b89\u88c5 iptables-persistent
\u8f6f\u4ef6\u5305\uff0c\u5e76\u5229\u7528 iptables \u5c06 443 \u7aef\u53e3\u8f6c\u53d1\u5230 8006 \u7aef\u53e3\u65b9\u4fbf\u4f7f\u7528\u3002
update-alternatives --set iptables /usr/sbin/iptables-nft\nupdate-alternatives --set ip6tables /usr/sbin/ip6tables-nft\n
/etc/iptables/rules.v4*nat\nPREROUTING ACCEPT [0:0]\nINPUT ACCEPT [0:0]\nOUTPUT ACCEPT [0:0]\nPOSTROUTING ACCEPT [0:0]\n-A PREROUTING -p tcp --dport 443 -m addrtype --dst-type LOCAL -j REDIRECT --to-ports 8006\nCOMMIT\n
\u5220\u6389 rules.v6
\u6587\u4ef6\uff0c\u7136\u540e\u8fd0\u884c systemctl restart netfilter-persistent.service
\u8f7d\u5165 iptables \u89c4\u5219\u3002
Proxmox \u9ed8\u8ba4\u4f7f\u7528 chrony \u8f6f\u4ef6\u548c Debian \u63d0\u4f9b\u7684 NTP pool\uff0c\u8fd9\u4e9b\u670d\u52a1\u5668\u90fd\u5728\u6821\u5916\uff0c\u4f7f\u7528\u6821\u56ed\u7f51 IP \u65e0\u6cd5\u8fde\u901a\uff0c\u9700\u8981\u6539\u6210\u6821\u56ed\u7f51\u7684 NTP \u670d\u52a1\u5668\uff1a
/etc/chrony/chrony.conf# Use Debian vendor zone.\n#pool 2.debian.pool.ntp.org iburst\nserver time.ustc.edu.cn iburst\n
\u7136\u540e\u8fd0\u884c systemctl restart chrony.service
\u91cd\u542f\u670d\u52a1\u3002
\u53c2\u89c1 SSL \u8bc1\u4e66\uff0c\u6b63\u597d vdp \u4e0a\u9762\u8fd0\u884c\u4e86 LUG FTP \u800c\u56e0\u6b64\u914d\u7f6e\u4e86\u8bc1\u4e66\u7684\u81ea\u52a8\u66f4\u65b0\uff0c\u5229\u7528 vdp \u63d0\u4f9b\u7684 NFS \u670d\u52a1\uff0c\u6211\u4eec\u5728 vdp \u4e0a\u7684\u8bc1\u4e66\u66f4\u65b0\u811a\u672c\u4e2d\u6dfb\u52a0\u4e86\u5c06 vm \u8bc1\u4e66\u590d\u5236\u5230 NFS \u76ee\u5f55\u7684\u529f\u80fd\uff0c\u7136\u540e\u7531 pve-6 \u90e8\u7f72\u5230\u5404\u4e2a\u4e3b\u673a\u4e0a\u3002
\u4e0b\u9762\u662f pve-6 \u4e0a\u7684\u811a\u672c\uff1a
/etc/cron.daily/sync-cert#!/bin/bash -e\n\nSRC=\"/etc/pve/nodes/$(hostname -s)\"\nDSTROOT=\"/etc/pve/nodes\"\nCERTSRC=\"/mnt/nfs-el/cert\"\n\ncp -u \"$CERTSRC/privkey.pem\" \"$SRC/pveproxy-ssl.key\"\ncp -u \"$CERTSRC/fullchain.pem\" \"$SRC/pveproxy-ssl.pem\"\nsystemctl reload pveproxy.service\n\nfor DST in \"$DSTROOT\"/*; do\n [ \"$DST\" = \"$SRC\" ] && continue\n node=\"$(basename \"$DST\")\"\n cp \"$SRC/pveproxy-ssl.key\" \"$SRC/pveproxy-ssl.pem\" \"$DST/\"\n ssh \"$node\" 'systemctl reload pveproxy.service' &\ndone\nwait\n
\u7531\u4e8e PVE \u548c PBS \u7684\u6570\u636e\u4e0d\u4e92\u901a\uff0c\u56e0\u6b64 esxi-5 \u4e0a\u7684\u76f8\u540c\u4f4d\u7f6e\u6709\u53e6\u4e00\u4e2a\u811a\u672c\u4e3a PBS \u90e8\u7f72\u8bc1\u4e66\uff1a
/etc/cron.daily/sync-cert#!/bin/bash\n\nSRC=\"/etc/pve/nodes/$(hostname -s)\"\nDST=\"/etc/proxmox-backup\"\n\nif ! cmp -s \"$SRC/pveproxy-ssl.pem\" \"$DST/proxy.pem\"; then\n cp \"$SRC/pveproxy-ssl.key\" \"$DST/proxy.key\"\n cp \"$SRC/pveproxy-ssl.pem\" \"$DST/proxy.pem\"\n systemctl reload proxmox-backup-proxy.service\nfi\nexit 0\n\n# Unreachable code, leaving here for reference\nif command -v openssl 2>/dev/null; then\n FP=\"$(openssl x509 -noout -fingerprint -sha256 -inform pem -in \"$DST/proxy.pem\")\"\n FP=\"${FP##*=}\"\n pvesm set esxi-5-data --finerprint \"$FP\"\n pvesm set esxi-5-vdp2 --finerprint \"$FP\"\nfi\n
"},{"location":"infrastructure/proxmox/pve/#virtiofs","title":"VirtIO FS","text":"\u5bf9\u4e8e mirrorlog \u7b49\u91cd\u5b58\u50a8\u578b\u7684\u865a\u62df\u673a\uff0c\u6211\u4eec\u5c1d\u8bd5\u628a\u5927\u91cf\u7684\u6570\u636e\u6587\u4ef6\u653e\u5728 host \u4e0a\uff0c\u907f\u514d ZFS\uff08Zvol\uff09\u548c ext4 \u7684\u4e24\u5c42\u5f00\u9500\uff08\u4ee5\u53ca\u5728 ZFS \u4e0a\u4e5f\u53ef\u4ee5\u4f7f\u7528\u66f4\u5927\u7684 recordsize \u83b7\u5f97\u66f4\u597d\u7684 I/O \u4f53\u9a8c\u548c\u66f4\u4f4e\u7684 RAID-Z overhead\uff09\uff0c\u7136\u540e\u4f7f\u7528 virtiofs \u4f9b\u865a\u62df\u673a\u8bbf\u95ee\u3002
Virtiofs \u7684\u914d\u7f6e\u8fc7\u7a0b\u4e3b\u8981\u53c2\u8003\u4e86 https://forum.proxmox.com/threads/virtiofsd-in-pve-8-0-x.130531/\uff1a
\u9996\u5148\u914d\u7f6e\u865a\u62df\u673a\uff1a
/etc/pve/qemu-server/230.confargs: -chardev socket,id=virtfs0,path=/run/virtiofsd-230.sock -device vhost-user-fs-pci,queue-size=1024,chardev=virtfs0,tag=mirrorlog -object memory-backend-file,id=mem,size=8192M,mem-path=/dev/shm,share=on -numa node,memdev=mem\n
\u5176\u4e2d path=
\u6307\u5411 virtiofsd \u7684 socket \u6587\u4ef6\uff0ctag=
\u53ef\u4ee5\u4efb\u610f\u6307\u5b9a\uff0c\u7528\u4e8e\u533a\u5206\u591a\u4e2a virtiofsd \u5b9e\u4f8b\uff08\u5bf9\u5e94\u865a\u62df\u673a\u5185\u7684 mount source\uff09\uff0csize=
\u662f\u5171\u4eab\u5185\u5b58\u5927\u5c0f\u3002
\u7136\u540e\u5b89\u88c5 virtiofsd\uff0c\u76f4\u63a5 apt install virtiofsd
\u5373\u53ef\uff08PVE \u6253\u5305\u4e86 Rust \u91cd\u5199\u7684\u65b0\u7248 virtiofsd\uff09\u3002
\u63a5\u4e0b\u6765\u9700\u8981\u914d\u7f6e virtiofsd \u5728\u865a\u62df\u673a\u5f00\u673a\u524d\u542f\u52a8\u3002\u6ce8\u610f\u4e00\u4e2a virtiofsd \u53ea\u80fd\u4f9b\u4e00\u4e2a\u865a\u62df\u673a\u8bbf\u95ee\u4e00\u4e2a\u4e3b\u673a\u4e0a\u7684\u76ee\u5f55\uff0c\u56e0\u6b64\u9700\u8981\u4f7f\u7528 PVE \u7684 hook script \u6765\u542f\u52a8 virtiofsd\u3002\u8fd9\u4e2a hook script \u653e\u5728 /var/lib/vz
\u76ee\u5f55\u4e0b\uff0c\u63a5\u6536\u4e24\u4e2a\u547d\u4ee4\u884c\u53c2\u6570\uff08VMID \u548c\u542f\u52a8\u9636\u6bb5\uff09\uff1a
#!/bin/sh\n\nif [ $# -ne 2 ]; then\n echo \"Need exactly 2 arguments\" >&2\n exit 1\nfi\n\nVMID=\"$1\"\nPHASE=\"$2\"\n\n[ \"$VMID\" -eq 230 ] || exit 0\n\nNAME=virtiofsd-230\nSOCKPATH=\"/run/$NAME.sock\"\n\ncase \"$PHASE\" in\n pre-start)\n systemctl stop \"$NAME\".service\n rm -f \"$SOCKPATH\" \"$SOCKPATH\".pid\n\n systemd-run \\\n --collect \\\n --unit=\"$NAME\" \\\n /usr/libexec/virtiofsd \\\n --syslog \\\n --socket-path \"$SOCKPATH\" \\\n --shared-dir /mnt/mirrorlog \\\n --announce-submounts \\\n --inode-file-handles=mandatory\n ;;\n pre-stop) ;;\n post-start) ;;\n post-stop) ;;\n *) echo \"Unknown phase $PHASE\" >&2; exit 1;;\nesac\n
\u76f8\u6bd4\u4e8e Proxmox \u8bba\u575b\u91cc\u7684\u6559\u7a0b\u8d34\uff0c\u8fd9\u91cc\u6700\u91cd\u8981\u7684\u4fee\u6539\u662f\u7ed9 systemd-run
\u52a0\u4e0a\u4e86 --collect
\u53c2\u6570\uff0c\u8fd9\u6837 virtiofsd \u9000\u51fa\u65f6\u65e0\u8bba\u662f\u5426 failed\uff0csystemd \u90fd\u4f1a\u6e05\u7406\u6389\u8fd9\u4e2a\u4e34\u65f6\u7684 service unit\u3002
\u7136\u540e\u901a\u8fc7\u547d\u4ee4\u884c\u914d\u7f6e\u4f7f\u7528\uff1a
qm set 230 --hookscript local:snippets/mirrorlog.sh\n
\u7136\u540e\u5c06\u865a\u62df\u673a\u5173\u673a\uff0c\u901a\u8fc7 qm start
\u6216\u8005 web \u754c\u9762\u542f\u52a8\uff0c\u5373\u53ef\u5728\u865a\u62df\u673a\u5185\u6302\u8f7d virtiofsd \u63d0\u4f9b\u7684\u76ee\u5f55\u3002
# Manual\nmount -t virtiofs mirrorlog /mnt/mirrorlog\n\n# via /etc/fstab\nmirrorlog /mnt/mirrorlog virtiofs defaults 0 0\n
"},{"location":"infrastructure/proxmox/pve/#pve-5","title":"pve-5","text":"pve-5 \u4f4d\u4e8e\u7f51\u7edc\u4e2d\u5fc3\uff0c\u914d\u7f6e\u4e3a 2\u00d7 Xeon E5-2603 v4 (Broadwell 6C6T, 1.70 GHz, no HT, no Turbo Boost) Xeon E5-2667 v4 (Broadwell 8C16T, 3.20 GHz, Max 3.60 GHz)\uff0c256 GB \u5185\u5b58\u548c\u4e00\u5927\u5806 SSD\uff082\u00d7 \u4e09\u661f 240 GB SATA + 10x Intel DC S4500 1.92 TB SATA\uff09\u3002\u6211\u4eec\u5c06\u4e24\u5757 240 GB \u7684\u76d8\u7ec4\u6210\u4e00\u4e2a LVM VG\uff0c\u5206\u914d 16 GB \u7684 rootfs\uff08LVM mirror\uff09\u548c 8 GB \u7684 swap\uff0c\u5176\u4f59\u7a7a\u95f4\u7ed9\u4e00\u4e2a thinpool\u3002\u5341\u5757 1.92 TB \u7684\u76d8\u7ec4\u6210\u4e00\u4e2a RAIDZ2 \u7684 zpool\uff0c\u7528\u4e8e\u5b58\u50a8\u865a\u62df\u673a\u7b49\u6570\u636e\u3002
\u5176\u8fde\u63a5\u7684\u5355\u6839 10 Gbps \u7684\u5149\u7ea4\uff0c\u6865\u63a5\u51fa vmbr0
\u81f3 vmbr4
\u7b49\u7f51\u6865\uff08\u7ebf\u8def\u5b9a\u4e49\u89c1\u4e0a\uff09\u3002\u5176\u4e2d\u65e0\u5934\u7f51\u6865\u7528\u4e8e\u4ece gateway-nic \u6865\u63a5 Tinc\u3002
\u786c\u76d8\u63a7\u5236\u5668\u4e0d\u8981\u4f7f\u7528 VirtIO SCSI Single \u6216 LSI \u5f00\u5934\u7684\u9009\u9879
\u53ef\u80fd\u7531\u4e8e ZFS \u6a21\u5757\u7684 bug \u6216\u8005\u5185\u5b58\u6761\u6545\u969c\uff0c\u4f7f\u7528\u8fd9\u4e9b\u6a21\u5f0f\u5728\u865a\u62df\u673a\u91cd\u542f\u65f6\u4f1a\u5bfc\u81f4\u6574\u4e2a Proxmox VE \u4e3b\u673a\u5361\u4f4f\u800c\u4e0d\u5f97\u4e0d\u91cd\u542f\u3002\u8bf7\u4f7f\u7528 VirtIO SCSI\uff08\u4e0d\u5e26 Single\uff09\u3002\u540c\u6837\u539f\u56e0\u521b\u5efa\u865a\u62df\u673a\u786c\u76d8\u65f6\u4e5f\u4e0d\u8981\u52fe\u9009 iothread\u3002
\u4e3b\u673a\u4f7f\u7528 ZFS\uff08Zvol\uff09\u4f5c\u4e3a\u865a\u62df\u673a\u7684\u865a\u62df\u786c\u76d8\uff0c\u5728\u865a\u62df\u673a\u4e2d\u542f\u7528 fstrim.timer
\uff08systemd \u7684 fstrim \u5b9a\u65f6\u4efb\u52a1\uff0c\u7531 util-linux
\u63d0\u4f9b\uff09\u53ef\u4ee5\u5b9a\u671f\u817e\u51fa\u4e0d\u7528\u7684\u7a7a\u95f4\uff0c\u5e2e\u52a9 ZFS \u66f4\u597d\u5730\u89c4\u5212\u7a7a\u95f4\u3002\u542f\u7528 fstrim \u7684\u865a\u62df\u786c\u76d8\u9700\u8981\u5728 PVE \u4e0a\u542f\u7528 discard
\u9009\u9879\uff0c\u5426\u5219 fstrim \u4e0d\u8d77\u4f5c\u7528\u3002\u8be5\u7279\u6027\u662f\u7531\u4e8e ZFS \u662f CoW \u7684\uff0c\u4e0e ZFS \u5e95\u5c42\u4f7f\u7528 SSD \u6ca1\u6709\u5173\u8054\u3002
esxi-5 \u4e5f\u4f4d\u4e8e\u7f51\u7edc\u4e2d\u5fc3\uff0c\u914d\u7f6e\u4e3a 2\u00d7 Xeon E5620\uff08Westmere-EP 4C8T, 2.40~2.66 GHz\uff09\uff0c48 GB \u5185\u5b58\uff0c\u4e24\u5757 240 GB SATA SSD \u548c\u4e00\u4e9b\u4e0d\u77e5\u9053\u574f\u4e86\u591a\u5c11\u7684 1 TB \u548c 2 TB HDD\uff08\u89c1\u4e0b\uff09\u3002\u7531\u4e8e\u673a\u8eab\u81ea\u5e26\u7684 RAID \u5361\u4e0d\u652f\u6301\u786c\u76d8\u76f4\u901a\uff08JBOD \u6a21\u5f0f\uff09\uff0c\u56e0\u6b64\u6211\u4eec\u5c06\u4e24\u5757 SSD \u5206\u522b\u505a\u6210\u5355\u76d8\u201c\u9635\u5217\u201d\u7136\u540e\u5728\u7cfb\u7edf\u91cc\u4f7f\u7528 LVM\uff08LVM \u89c4\u683c\u4e0e pve-5 \u76f8\u540c\uff09
\u987e\u540d\u601d\u4e49\u672c\u673a\u5668\u66fe\u7ecf\u8fd0\u884c\u7684\u662f VMware ESXi\uff0c\u5728 2022 \u5e74 1 \u6708\u91cd\u88c5\u4e3a Proxmox VE 7.1\uff0c\u56e0\u4e3a\u54b1\u4eec\u90fd\u662f\u7ea0\u7ed3\u602a\u6240\u4ee5\u51b3\u5b9a\u4e0d\u6539\u540d\uff0c\u8fd8\u53eb esxi-5\u3002\u8003\u8651\u5230\u8be5\u673a\u5668\u914d\u7f6e\u4e86\u591a\u4e2a\u786c\u76d8\u9635\u5217\uff0c\u4e14\u9635\u5217\u7684\u53ef\u7528\u5bb9\u91cf\u6bd4 pve-5 \u7684\u786c\u76d8\u7684\u539f\u59cb\u5bb9\u91cf\u8fd8\u5927\uff0c\u6211\u4eec\u5728\u4e0a\u9762\u52a0\u88c5 Proxmox Backup Server \u8f6f\u4ef6\uff0c\u4e3b\u8981\u7528\u4f5c\u865a\u62df\u673a\u5907\u4efd\uff0c\u66ff\u4ee3\u539f\u5148\u8fd0\u884c\u5728 ESXi \u4e0a\u7684 vSphereDataProtection \u865a\u62df\u673a\u3002
"},{"location":"infrastructure/proxmox/pve/#_1","title":"\u7f51\u7edc","text":"\u7f51\u7edc\u914d\u7f6e\u4e0e pve-5 \u76f8\u4f3c\uff0c\u5176\u4e0a\u6709\u4e24\u4e2a\u5343\u5146\u7f51\u5361 enp3s0 \u548c enp4s0\u3002enp3s0 \u8fde\u63a5\u7f51\u7edc\u4e2d\u5fc3\u7684\u4ea4\u6362\u673a\uff0c\u6865\u63a5\u4e0d\u540c\u7684 VLAN \u7f51\u7edc\u7ed9\u865a\u62df\u673a\uff0c\u5e76\u4e14\u5404 vmbrX \u7684\u6570\u5b57\u548c\u7aef\u53e3\u4e0e pve-5 \u4e00\u81f4\uff1b\u800c enp4s0 \u8fde\u63a5\u4e00\u4e2a\u5916\u90e8\u9635\u5217\uff08vdp2\uff09\uff0c\u4f7f\u7528 iSCSI \u8bbf\u95ee\u8be5\u9635\u5217\u3002
\u7531\u4e8e\u6211\u4eec\u53ea\u6709\u4e00\u4e2a gateway-nic\uff0c\u800c pve-5 \u548c esxi-5 \u4e24\u4e2a\u4e3b\u673a\u90fd\u4f9d\u8d56 gw-nic \u6865\u63a5\u7684 tinc \u6765\u63a5\u5165\u5185\u7f51\uff0c\u56e0\u6b64\u6211\u4eec\u5728 pve-5 \u548c esxi-5 \u4e4b\u95f4\u62c9\u4e86\u4e00\u6761 GRETAP \u96a7\u9053\uff0c\u5e76\u5728\u4e24\u4e2a\u4e3b\u673a\u4e0a\u5206\u522b\u5c06 VTEP \u6865\u63a5\u5230 vmbr1\u3002
\u53c2\u8003\u914d\u7f6e\uff1a
pve-5:/etc/network/interfacesauto gretap0esxi-5\niface gretap0esxi-5 inet manual\n pre-up ip link add name $IFACE mtu $IF_MTU type gretap local 10.38.95.115 remote 10.38.95.111\n post-down ip link delete $IFACE\n mtu 1500\n\nauto vmbr1\niface vmbr1 inet static\n address 10.254.0.240/21\n bridge-ports gretap0esxi-5\n bridge-stp off\n bridge-fd 0\n
esxi-5 \u8fd9\u7aef\u7684\u914d\u7f6e\u5219\u5c06\u5bf9\u5e94\u7684 iface \u540d\u79f0\u548c IP \u5730\u5740\u7b49\u5168\u90e8\u5bf9\u6362\u5373\u53ef\u3002
MTU \u95ee\u9898
2022 \u5e74 2 \u6708\u5904\u7406\u5185\u7f51 tinc ARP \u95ee\u9898\u65f6\u53d1\u73b0 esxi-5 \u548c pve-5 \u7684 vmbr1 MTU \u90fd\u88ab\u8bbe\u7f6e\u6210\u4e86 1462\uff08GRETAP \u7684\u9ed8\u8ba4 MTU\uff09\u3002\u6211\u4eec\u4e0d\u786e\u5b9a MTU \u95ee\u9898\u4e0e tinc \u662f\u5426\u76f8\u5173\uff0c\u4f46\u4fdd\u9669\u8d77\u89c1\u6211\u4eec\u8fd8\u662f\u5c06\u8be5 GRETAP \u754c\u9762\u7684 MTU \u8bbe\u7f6e\u6210\u4e86 1500\uff08GRE \u5177\u6709\u5206\u7247\u529f\u80fd\uff09\u3002
-pre-up ip link add name $IFACE type gretap local 10.38.95.115 remote 10.38.95.111\n+pre-up ip link add name $IFACE mtu $IF_MTU type gretap local 10.38.95.115 remote 10.38.95.111\n post-down ip link delete $IFACE\n+mtu 1500\n
"},{"location":"infrastructure/proxmox/pve/#iscsi","title":"iSCSI","text":"\u8bbe\u7f6e iSCSI \u5f00\u673a\u81ea\u52a8\u767b\u5f55\uff1a
iscsiadm -m node -T iqn.2002-10.com.infortrend:raid.sn8223150.001 -p 192.168.10.1:3260 -o update -n node.startup -v automatic\niscsiadm -m node -T iqn.2002-10.com.infortrend:raid.sn8223150.001 -p 192.168.10.1:3260 -o update -n node.conn[0].startup -v automatic\n
\u53c2\u8003\u94fe\u63a5\uff1ahttps://library.netapp.com/ecmdocs/ECMP1654943/html/GUID-8EC685B4-8CB6-40D8-A8D5-031A3899BCDC.html
\u8fc7\u65f6\u4fe1\u606f\u7531\u4e8e\u6211\u4eec\u6ca1\u6709\u7814\u7a76\u6e05\u695a open-iscsi \u7684\u5f00\u673a\u81ea\u52a8\u6302\u8f7d\u673a\u5236\uff0c\u56e0\u6b64\u6211\u4eec\u9009\u62e9\u76f4\u63a5 override \u5bf9\u5e94\u7684 service \u6765\u5b8c\u6210\u8fd9\u4e2a\u4efb\u52a1\uff1a
$ systemctl edit open-iscsi.service[Service]\nExecStart=\nExecStart=/sbin/iscsiadm -d8 -m node -T iqn.2002-10.com.infortrend:raid.sn8223150.001 -p 192.168.10.1:3260 --login\nExecStart=/lib/open-iscsi/activate-storage.sh\n
\u82e5 iSCSI \u8fde\u63a5\u6210\u529f\uff0c\u5e94\u8be5\u53ef\u4ee5\u5728\u7cfb\u7edf\u4e2d\u770b\u5230\u4e00\u4e2a\u65b0\u7684\u786c\u76d8\uff0c\u5bb9\u91cf\u4e3a 14.55 TiB\uff0c\u578b\u53f7\u663e\u793a\u4e3a RS-3116I-S42-6\u3002
"},{"location":"infrastructure/proxmox/pve/#rootfs-backup","title":"rootfs \u5907\u4efd","text":"\u5c3d\u7ba1 esxi-5 \u7684 rootfs \u4e5f\u4f7f\u7528\u4e86 LVM mirror \u5728\u4e24\u5757 SSD \u4e0a\u955c\u50cf\uff0c\u4f46\u662f\u6211\u4eec\u4e0d\u592a\u4fe1\u4efb\u8fd9\u5757 RAID \u5361\uff0c\u56e0\u6b64\u6211\u4eec\u5c06 esxi-5 \u7684 rootfs \u6bcf\u5929\u5907\u4efd\u5230 vdp2 \u4e0a\u3002\u4e3a\u4e86\u907f\u514d\u5728 vdp2 \u6389\u7ebf\u7684\u65f6\u5019\u4e71\u201c\u5907\u4efd\u201d\uff0c\u6211\u4eec\u4f7f\u7528\u4e00\u4e2a systemd \u670d\u52a1\uff0c\u8bbe\u7f6e\u4e86 RequiresMountsFor
\u4f9d\u8d56\uff1a
[Unit]\nDescription=Backup rootfs to vdp2\nRequiresMountsFor=/mnt/vdp2\n\n[Service]\nType=oneshot\nExecStart=/usr/bin/rsync -aHAXx --delete / /mnt/vdp2/rootfs/\n
crontab21 4 * * * systemctl start rootfs-backup.service\n
"},{"location":"infrastructure/proxmox/pve/#esxi-5-others","title":"\u5176\u4ed6\u8bb0\u5f55","text":"esxi-5 \u4e8e 2021/8 \u53d1\u73b0\u81ea\u5e26\u9635\u5217\u6709\u4e24\u5757\u574f\u76d8\uff0c\u5728\u66f4\u6362\u540e\u53d1\u73b0 storage \"root\"\uff08\u5b58\u653e vcenter \u865a\u62df\u673a\uff0c\u7ec4\u5efa RAID 1 \u540e\u5927\u5c0f 1.8 TB\uff09\u65e0\u6cd5\u6b63\u5e38 rebuild\uff0c\u5e76\u4e14 vcenter \u865a\u62df\u673a\u7684 vmdk \u6587\u4ef6\u6709 4 \u4e2a\u51fa\u73b0 I/O error\u3002\u6b64\u540e vcenter \u865a\u62df\u673a\u5df2\u7ecf\u8fc1\u79fb\u5230 storage \"data\" (RAID10, 7.2 TB) \u5e76\u6b63\u5e38\u5de5\u4f5c\u3002
"},{"location":"infrastructure/proxmox/pve/#records","title":"\u5de5\u4f5c\u8bb0\u5f55","text":""},{"location":"infrastructure/proxmox/pve/#migrate-docker2","title":"2021-12-31 \u8fc1\u79fb docker2","text":"docker2 \u539f\u5148\u4f7f\u7528 QEMU \u76f4\u63a5\u8fd0\u884c\u5728 mirrors2 \u4e0a\uff0c\u4e0b\u5c42\u5b58\u50a8\u4e3a ZFS Zvol\uff08pool0/qemu/docker2
\uff09\uff0c\u7531\u4e8e ZFS \u8c03\u53c2\u4e0d\u5f53\u4f7f\u5176\u5360\u7528\u4e86 3 \u500d\u7684\u786c\u76d8\u7a7a\u95f4\uff08\u89c1\u8fd9\u4e2a Reddit \u8d34\u5b50\uff09\uff0c\u52a0\u4e0a mirrors2 \u672c\u8eab\u5bf9\u5916\u63d0\u4f9b Rsync \u670d\u52a1\uff0c\u786c\u76d8\u8d1f\u8f7d\u6781\u9ad8\uff0c\u6240\u4ee5\u957f\u671f\u4ee5\u6765 docker2 \u7684 I/O \u6027\u80fd\u5341\u5206\u4f4e\u4e0b\u3002\u6b63\u597d\u501f\u8fd9\u6b21\u5168\u95ea\u7684\u65b0\u5bbf\u4e3b\u673a\u5c06\u5176\u8fc1\u79fb\u8fc7\u53bb\u3002
\u8fc1\u79fb\u65f6\u9700\u8981\u4fdd\u8bc1\u5b8c\u6574\u6027\u7684\u4e3b\u8981\u5185\u5bb9\u5c31\u662f\u865a\u62df\u673a\u5185\u7684\u4e1a\u52a1\uff0c\u56e0\u6b64\u9700\u8981\u5728\u4e3b\u673a\u95f4\u4f20\u8f93\u7684\u5185\u5bb9\u5c31\u662f\u865a\u62df\u78c1\u76d8\uff0c\u5176\u4ed6\u914d\u7f6e\uff08CPU\u3001\u5185\u5b58\u3001\u7f51\u5361\u7b49\uff09\u90fd\u53ef\u4ee5\u76f4\u63a5\u5728\u65b0\u5e73\u53f0\u4e0a\u521b\u5efa\u65b0\u865a\u62df\u673a\u65f6\u4fee\u6539\u3002\u539f\u672c\u6211\u4eec\u6253\u7b97\u4f7f\u7528 rsync \u6216\u8005 dd \u7684\u65b9\u5f0f\u590d\u5236\u78c1\u76d8\uff0c\u4f46\u662f\u8003\u8651\u5230\u4e24\u8fb9\u90fd\u662f ZFS\uff0c\u4f7f\u7528 zfs send
\u662f\u4e00\u4e2a\u66f4\u597d\u7684\u65b9\u6848\u3002
\u6211\u4eec\u5728 pve-5 \u4e0a\u8fd0\u884c nc -l -p 9999 </dev/null | pv | zfs recv rpool/data/docker2
\uff0c\u7136\u540e\u5728 mirrors2 \u4e0a\u5bf9 zvol \u5148\u6253\u4e2a\u5feb\u7167\uff0c\u8fd0\u884c zfs send pool0/qemu/docker2@20211230 > /dev/tcp/{pve-5}/9999
\u5c06\u5feb\u7167\u5185\u5bb9\u53d1\u9001\u5230 pve-5 \u4e0a\uff08300 GiB \u7684\u6570\u636e\u82b1\u8d39\u4e86 16 \u5c0f\u65f6\uff09\uff0c\u7136\u540e\u518d\u5c06 docker2 \u5173\u673a\u5e76\u589e\u91cf\u4f20\u8f93\uff0czfs send -i @20211230 pool0/qemu/docker2 > /dev/tcp/{pve-5}/9999
\uff08\u589e\u91cf\u4f20\u8f93\u53ea\u53d1\u9001\u4e86 10 GB \u6570\u636e\uff09\u3002\u540c\u65f6\u6211\u4eec\u5728 Proxmox \u7684 web \u754c\u9762\u4e0a\u521b\u5efa\u4e00\u4e2a\u65b0\u865a\u62df\u673a\uff0c\u914d\u597d CPU \u5185\u5b58\u7f51\u5361\u7b49\uff0c\u5206\u914d 300 GiB \u7684\u786c\u76d8\u3002
\u7531\u4e8e zfs send \u662f\u539f\u6837\u53d1\u9001\u7684\uff0c\u56e0\u6b64\u63a5\u6536\u5230\u7684 zvol \u786c\u76d8\u5360\u7528\u91cf\u4ecd\u7136\u6709 712 GB\u3002Proxmox \u65b0\u5efa\u7684 zvol \u53c2\u6570\u5c31\u6bd4\u8f83\u5408\u7406\uff08volblocksize=16k
\uff09\uff0c\u6ca1\u6709\u4e25\u91cd\u653e\u5927\u7684\u95ee\u9898\uff0c\u56e0\u6b64\u6211\u4eec\u518d\u5c06\u63a5\u6536\u5230\u7684 zvol \u7ed9 dd \u8fdb\u65b0\u865a\u62df\u673a\u7684 zvol \u800c\u4e0d\u662f\u76f4\u63a5\u4f7f\u7528\u3002dd \u7ed3\u679c\u7ea6 345 GiB\uff08\u5341\u5206\u5408\u7406\uff09\uff0c\u5f00\u673a\u8fdb\u7cfb\u7edf\u8fd0\u884c fstrim \u4e4b\u540e\u5360\u7528\u91cf\u7ea6\u4e3a 240 GiB\uff08\u66f4\u52a0\u5408\u7406\u4e86\uff09\u3002
\u8fc1\u79fb\u8fc7\u7a0b\u6ca1\u6709\u9047\u5230\u4efb\u4f55\u5751\uff0c\u4ec5\u6709\u7684\u6ce8\u610f\u4e8b\u9879\u5c31\u662f zvol \u8c03\u53c2\u9700\u8981\u91cd\u65b0 dd \u800c\u4e0d\u80fd\u76f4\u63a5\u6539\uff0c\u4ee5\u53ca\u521b\u5efa\u7f51\u5361\u7684\u987a\u5e8f\uff08\u4f1a\u5f71\u54cd\u865a\u62df\u673a\u5185\u90e8 eth0 \u548c eth1 \u7684\u987a\u5e8f\uff0c\u9664\u975e\u865a\u62df\u673a\u5185\u90e8\u4f7f\u7528 udev persistent net \u65b9\u5f0f\u6839\u636e MAC \u5730\u5740\u5c06\u7f51\u5361\u6539\u540d\uff09\u3002
"},{"location":"infrastructure/proxmox/pve/#esxi-5-syslog-zfs-error-cannot-open-rpool-no-such-pool","title":"esxi-5 \u7684 syslog \u4e00\u76f4\u51fa\u73b0 zfs error: cannot open 'rpool': no such pool","text":"\u8fd9\u662f\u56e0\u4e3a esxi-5 \u4e0a\u9762\u6839\u672c\u5c31\u6ca1\u6709\u4f7f\u7528 ZFS\uff0c\u800c\u52a0\u5165 pve-5 \u7684\u96c6\u7fa4\u65f6\u865a\u62df\u673a\u7684\u5b58\u50a8\u4fe1\u606f\uff08/etc/pve/storage.cfg
\uff09\u4e5f\u4ece pve-5 \u540c\u6b65\u8fc7\u6765\u5408\u5e76\u4e86\uff0c\u56e0\u6b64 esxi-5 \u5728\u6839\u636e pve-5 \u7684\u914d\u7f6e\u5c1d\u8bd5\u542f\u7528 zfs \u5b58\u50a8\u3002
\u89e3\u51b3\u529e\u6cd5\uff1a\u7531\u4e8e /etc/pve
\u4e0b\u5927\u591a\u6570\u5185\u5bb9\u5728\u96c6\u7fa4\u95f4\u662f\u540c\u6b65\u7684\uff0c\u6253\u5f00 storage.cfg
\uff0c\u5728 zfspool: local-zfs
\u4e0b\u9762\u52a0\u5165\u4e00\u884c\uff0c\u7f29\u8fdb\u4e00\u4e2a Tab \u5e76\u52a0\u4e0a nodes pve-5
\uff0c\u8868\u793a\u8fd9\u4e2a storage \u53ea\u5728 pve-5 \u4e0a\u4f7f\u7528\u3002
pve-6 \u4f4d\u4e8e\u4e1c\u56fe\uff0c\u662f\u4e00\u53f0 HP DL380G6\uff0c\u914d\u7f6e\u4e3a 2\u00d7 Xeon E5620 (Westmere 4C8T, 2.50 GHz), 72 GB \u5185\u5b58\u548cl\u4e24\u5757 300 GB \u7684 SAS \u786c\u76d8\u3002\u66fe\u7ecf\u53eb\u505a esxi-6\uff0c\u5728 2022 \u5e74 1 \u6708\u7edf\u4e00\u66f4\u6362\u4e3a Proxmox VE\u3002
\u673a\u5668\u6709\u4e24\u4e2a\u7f51\u5361\uff0c\u5171\u6709 4 \u4e2a 1 Gbps \u7684\u63a5\u53e3\uff0c\u5176\u4e2d 3 \u4e2a\u90fd\u63a5\u5728 VLAN \u4ea4\u6362\u673a\u4e0a\uff08\u53e6\u4e00\u4e2a\u4e0d\u77e5\u9053\u63a5\u4e86\u5565\uff09\uff0c\u901a\u8fc7 VLAN \u540c\u65f6\u8fde\u63a5\u56fe\u4e66\u9986\u7684\u4e24\u4e2a\u7f51\u6bb5\u4ee5\u53ca\u7ecf\u7531 gateway-el \u6865\u63a5\u7684\u5185\u7f51\uff0c\u4ee5\u53ca\u8fde\u63a5 vdp \u6302\u8f7d NFS\u3002
HP Smart Array
HP \u7684\u81ea\u5e26 RAID \u5361\u7ba1\u7406\u8f6f\u4ef6\u53ef\u4ee5\u5728 http://downloads.linux.hpe.com/SDR/repo/mcp/Debian/pool/non-free/ \u4e0b\u8f7d\uff0c\u5b89\u88c5 ssacli
\u8f6f\u4ef6\u5305\u3002\u76f8\u5173\u4f7f\u7528\u65b9\u6cd5\u53ef\u4ee5\u53c2\u8003 https://sleeplessbeastie.eu/2017/03/06/how-to-use-hp-command-line-array-configuration-utility/\u3002
\u6ce8\u610f
LUG \u7684\u4e3b\u9875\u4e0a\u8fd8\u6709\u4e00\u4efd\u300a\u7f51\u7edc\u670d\u52a1\u5217\u8868\u300b \uff0c\u5982\u679c\u6709\u670d\u52a1\u72b6\u6001\u6539\u53d8\uff0c\u8bb0\u5f97\u540c\u6b65\u66f4\u65b0\u4e3b\u9875\u4e0a\u7684\u5217\u8868\u3002
"},{"location":"services/#mirrors","title":"Mirrors \u955c\u50cf\u7ad9","text":"\u670d\u52a1\u5668\uff1a
\u955c\u50cf\u7ad9\u65e5\u5fd7\u4f1a\u5907\u4efd\u81f3 mirrorlog \u865a\u62df\u673a\u4e0a\u3002
"},{"location":"services/#auth-dns","title":"\u6743\u5a01 DNS","text":"\u4ee5\u4e0b\u5185\u5bb9\u7531 GPT-4 \u751f\u6210
User: \u5411\u65b0\u624b\u8fd0\u7ef4\u4ecb\u7ecd\u4ec0\u4e48\u662f\u6743\u5a01 DNS
Bot: \u6743\u5a01DNS\uff08Authoritative DNS\uff09\u670d\u52a1\u662f\u56e0\u7279\u7f51\u57df\u540d\u7cfb\u7edf\uff08DNS\uff09\u7684\u4e00\u90e8\u5206\uff0c\u5b83\u8d1f\u8d23\u5904\u7406\u5173\u4e8e\u5176\u8d1f\u8d23\u7ba1\u7406\u7684\u4e00\u7ec4\u57df\u540d\u7684\u67e5\u8be2\u3002\u8fd9\u4e9bDNS\u670d\u52a1\u5668\u5e26\u6709\u5173\u4e8e\u4ed6\u4eec\u6240\u8d1f\u8d23\u57df\u7684\u6240\u6709\u5fc5\u8981\u6570\u636e\uff0c\u5e76\u4ece\u7ba1\u7406\u8be5\u57df\u7684\u4eba\u6216\u7ec4\u7ec7\u4e2d\u6536\u5230\u66f4\u65b0\u3002
\u6bd4\u5982\uff0c\u5982\u679c\u4f60\u5728\u6d4f\u89c8\u5668\u4e2d\u8f93\u5165\u4e00\u4e2a\u7f51\u7ad9\u5730\u5740\uff0c\u4f60\u7684\u8bf7\u6c42\u9996\u5148\u53d1\u9001\u5230\u9012\u5f52DNS\u670d\u52a1\u5668\uff0c\u7136\u540e\u9012\u5f52\u670d\u52a1\u5668\u67e5\u8be2\u6743\u5a01DNS\u670d\u52a1\u5668\u6765\u83b7\u53d6\u5bf9\u5e94\u7684IP\u5730\u5740\u3002\u6743\u5a01\u670d\u52a1\u5668\u5c31\u662f\u201c\u6743\u5a01\u201d\u8d44\u6e90\uff0c\u80fd\u591f\u544a\u8bc9\u9012\u5f52\u670d\u52a1\u5668\u5bf9\u5e94\u7684IP\u5730\u5740\u662f\u4ec0\u4e48\u3002\u8fd9\u4e2a\u8fc7\u7a0b\u88ab\u79f0\u4e3aDNS\u89e3\u6790\u3002
\u603b\u7684\u6765\u8bf4\uff0c\u6743\u5a01DNS\u670d\u52a1\u5668\u5c31\u662f\u5b58\u50a8\u3001\u7ba1\u7406\u5e76\u54cd\u5e94\u7279\u5b9a\u57df\u540d\u4fe1\u606f\u7684\u201c\u6743\u5a01\u201d\u6765\u6e90\u3002
\u6211\u4eec\u7684\u6743\u5a01 DNS \u670d\u52a1\u5668\u63d0\u4f9b\u4e86\u4e0e LUG \u6709\u5173\u7684\u57df\u540d\u7684\u76f8\u5173\u89e3\u6790\u4fe1\u606f\uff0c\u540c\u65f6\u4e5f\u662f\u4e00\u4e2a\uff08\u901a\u8fc7\u57df\u540d\uff09\u53ef\u4ee5\u6982\u89c8 LUG \u66fe\u7ecf\u4e0e\u76ee\u524d\u6709\u7684\u670d\u52a1\u7684\u5730\u65b9\u3002
"},{"location":"services/#lug-ftp","title":"LUG FTP","text":"\u4e3b\u670d\u52a1\u5668\uff1avdp.s.ustclug.org
\uff0cSSH \u7aef\u53e3 2222\u3002\u5bf9\u5916\u63d0\u4f9b HTTP(S)\uff08\u6587\u4ef6\u5217\u8868\uff09\u4e0e FTP \u670d\u52a1\u3002\u540c\u65f6\u63a5\u5165 LDAP\uff0c\u6bcf\u4e2a LDAP \u7528\u6237\u90fd\u53ef\u4ee5\u4f7f\u7528 LUG FTP \u5b58\u50a8\u81ea\u5df1\u7684\u6587\u4ef6\u3002
\u4e0e\u6b64\u540c\u65f6\uff0cvdp \u4e5f\u627f\u62c5\u4e86\u4f7f\u7528 NFS \u5411 PVE \u670d\u52a1\u5668\u63d0\u4f9b\u4e00\u90e8\u5206\u5b58\u50a8\u7684\u4efb\u52a1\u3002
"},{"location":"services/#gitlab","title":"LUG GitLab","text":"\u4e3b\u670d\u52a1\u5668\uff1agitlab.s.ustclug.org
\uff0cSSH \u7aef\u53e3 2222\u3002
\u662f\u591a\u4e2a HTTP \u670d\u52a1\u7684\u5165\u53e3\u3002
\u7531\u4e8e\u653f\u7b56\u548c\u5408\u89c4\u6027\u539f\u56e0\uff0c\u6211\u4eec\u5bf9\u4f7f\u7528\u4e3b\u9875\u53cd\u4ee3\u7684\u57df\u540d\u91c7\u7528\u4e86\u5206\u7ebf\u8def\u89e3\u6790\u7684\u65b9\u6848\uff0c\u5176\u4e2d\u7edd\u5927\u90e8\u5206\u57df\u540d\u5728\u6821\u5916\u90fd\u89e3\u6790\u5230 gateway-jp\uff0c\u5728\u6821\u5185\u89e3\u6790\u5230 gateway-nic\u3002\u8fd9\u4e24\u53f0\u670d\u52a1\u5668\u5747\u63a5\u5165 tinc \u5185\u7f51\uff0c\u91c7\u7528\u540c\u4e00\u5957 Nginx \u914d\u7f6e\uff0c\u4e3a\u5185\u7f51\u670d\u52a1\u5668\u63d0\u4f9b HTTP \u53cd\u4ee3\u3002
\u5b8c\u6574\u5217\u8868\u8bf7\u5728 auth-dns \u4ed3\u5e93\u5185\u5bfb\u627e CNAME \u5230 gateway.cname.ustclug.org.
\u7684\u57df\u540d\u3002
\u4e00\u4e9b\u4f8b\u5916\uff1a
ldap
\u670d\u52a1\u5668\u4e0a\uff0c\u5e76\u4e14\u4f7f\u7528 Apache2\uff0c\u5efa\u8bae\u522b\u52a8\uff09*.cdn.cloudflare.net.
\u7684\u57df\u540dweb-cf.cname.ustclug.org.
\u7684\u57df\u540d\u540e\u7aef\u662f docker2 \u4e0a\u7684 website
\u5bb9\u5668\u3002
\u89c1 ustclug/website \u4ed3\u5e93\u7684 README\u3002
tky: planet \u73b0\u5728\u7f3a\u4e4f\u7ef4\u62a4\uff0c\u5e0c\u671b\u80fd\u6709\u4eba\u628a\u5b83\u641e\u8d77\u6765\u3002
"},{"location":"services/#linux-101","title":"Linux 101","text":"\u540e\u7aef\u662f docker2 \u4e0a\u7684 linux101
\u5bb9\u5668\u3002
\u89c1 ustclug/Linux101-docs \u4ed3\u5e93\u7684 README\u3002
"},{"location":"services/#getvpn","title":"\u7533\u8bf7\u7cfb\u7edf","text":"\u4e00\u4e2a\u4f7f\u7528 Flask \u7f16\u5199\u7684 web \u5e94\u7528\uff0c\u90e8\u7f72\u4e86\u4e24\u5957\uff0c\u5206\u522b\u63d0\u4f9b LUG VPN \u548c Light \u7684\u7533\u8bf7\u670d\u52a1\u3002\u5176\u4e2d\uff1a
lugvpn-web
\uff09\uff1b\u57df\u540d\uff1a*.proxy.ustclug.org
\u4f5c\u4e3a\u955c\u50cf\u7ad9\u670d\u52a1\u7684\u4e00\u90e8\u5206\uff0cgateway-jp/nic \u4e5f\u5206\u522b\u4e3a\u6821\u5916\u5185\u63d0\u4f9b\u53cd\u5411\u4ee3\u7406\u5217\u8868\u7684\u53cd\u5411\u4ee3\u7406\u670d\u52a1\u3002
"},{"location":"services/#qt-guide-opensuse-guide","title":"Qt Guide \u548c openSUSE Guide","text":"\u7531 @winland0704 \u8d1f\u8d23\u7f16\u5199\u5185\u5bb9\uff0c\u6211\u4eec\u5e2e\u52a9\u6258\u7ba1\uff0c\u5e73\u65f6\u653e\u7740\u4e0d\u52a8\u5c31\u884c\u3002
\u540e\u7aef\u662f docker2 \u4e0a\u7684\u4e24\u4e2a\u5bb9\u5668 qtguide
\u548c opensuse-guide
\u3002
TODO: servers \u4e0e status \u7684\u5408\u5e76\u5de5\u4f5c\u3002
"},{"location":"services/#lug-vpn","title":"LUG VPN","text":"\u4e3b\u670d\u52a1\u5668\uff1avpnstv.s.ustclug.org
\uff08\u865a\u62df\u673a\uff0cNIC \u673a\u623f\uff09
RADIUS \u8ba4\u8bc1\u670d\u52a1\u5668\uff1aradius.s.ustclug.org
\uff0c\u540c\u65f6\u8fd0\u884c\u4e86 FreeRADIUS \u548c\u5b83\u7684 MySQL \u6570\u636e\u5e93\u3002
\u53e6\u6709\u65e7\u7684 vpn.s.ustclug.org
\u8fd0\u884c\u5728\u4e1c\u56fe\uff0c\u6682\u4e0d\u9700\u8981\u5173\u6ce8\u3002
\u76f8\u5173\u5185\u5bb9\u89c1 hackergame \u5185\u90e8\u6587\u6863\u3002
"},{"location":"services/#docker2","title":"\u5404\u7c7b Docker \u670d\u52a1","text":"Docker2 \u662f\u4e13\u804c\u8d1f\u8d23\u8fd0\u884c\u5bb9\u5668\u7684\u673a\u5668\u3002
"},{"location":"services/#adrain","title":"Adrain","text":"ustcflyer\uff08\u79d1\u5927\u98de\u8dc3\u624b\u518c\u7f51\u7ad9\uff09\u7684\u524d\u8eab\uff0c\u76ee\u524d\u4fdd\u6301\u8fd0\u884c\u3002
tky: ustcflyer \u6ca1\u6709\u5b9e\u73b0\u7ed9 session \u5220\u5bf9\u5e94\u8bc4\u8bba\u7684\u529f\u80fd\uff0c\u6240\u4ee5 adrain \u6ca1\u6709\u4e0b\u7ebf\u3002
"},{"location":"services/#grafana","title":"Grafana","text":"LUG \u7684\u76d1\u63a7\u7ad9\u70b9\u3002
"},{"location":"services/#ldap","title":"LDAP","text":""},{"location":"services/#mail","title":"Mail","text":"\u4e3a\u670d\u52a1\u5668\u3001IPMI \u7b49\u63d0\u4f9b\u7684\u5185\u90e8\u90ae\u4ef6\u670d\u52a1\u3002
[WIP]: \u9700\u8981\u8865\u5145
"},{"location":"services/#pve","title":"\u865a\u62df\u5316\uff1aPVE \u4e0e PBS","text":"PVE: \u63d0\u4f9b\u865a\u62df\u5316\u652f\u6301\uff1bPBS: PVE \u7684\u865a\u62df\u673a\u5907\u4efd\u3002
"},{"location":"services/#pxe","title":"PXE","text":"\u7f51\u7edc\u542f\u52a8\u670d\u52a1\uff0c\u8d1f\u8d23\u4e3a\u5168\u6821\u673a\u5668\u63d0\u4f9b\u63d2\u7f51\u53e3\u5373\u53ef\u5b89\u88c5\u7cfb\u7edf\u7684\u529f\u80fd\uff0c\u4ee5\u53ca\u4e3a\u56fe\u4e66\u9986\u67e5\u8be2\u673a\u63d0\u4f9b\u955c\u50cf\u3002
"},{"location":"services/#others","title":"\u5176\u4ed6","text":"\u6b64\u5904\u6240\u5217\u51fa\u7684\u201c\u670d\u52a1\u201d\u6ca1\u6709\u4f7f\u7528\u6211\u4eec\u81ea\u5df1\u7684\u670d\u52a1\u5668\u8d44\u6e90\uff0c\u90fd\u6258\u7ba1\u5728\u5916\u90e8\u5e73\u53f0\u4e0a\uff0c\u4ec5\u57df\u540d\uff08\u5373 DNS\uff09\u7531\u6211\u4eec\u7ef4\u62a4\u3002
"},{"location":"services/#documentations","title":"\u6280\u672f\u6587\u6863","text":"\u4e5f\u5c31\u662f\u672c\u6587\u6863\uff0c\u8fd0\u884c\u5728 Cloudflare Pages \u4e0a\u3002
"},{"location":"services/#ghauth","title":"GHAuth","text":"https://ghauth.ustclug.org
\u7528\u4e8e\u53cc\u5411\u9a8c\u8bc1 GitHub \u8d26\u53f7\u4e0e\u79d1\u5927\u5b66\u53f7\u7684\u670d\u52a1\uff08\u7c7b\u4f3c\u4e8e https://qq.ustc.life\uff09\uff0c\u76ee\u524d\u5904\u4e8e\u95f2\u7f6e\uff0c\u8fd0\u884c\u5728 iBug \u7684 AWS Lambda \u4e0a\u3002
"},{"location":"services/#discontinued","title":"\u5df2\u5e9f\u5f03\u670d\u52a1","text":""},{"location":"services/discontinued/","title":"Discontinued Services","text":"\u672c\u9875\u9762\u8bb0\u8f7d\u66fe\u7ecf\u63d0\u4f9b\u7684\u670d\u52a1\uff0c\u4f46\u662f\u7531\u4e8e\u67b6\u6784\u6539\u53d8\u6216\u670d\u52a1\u8fc1\u79fb\uff0c\u8fd9\u4e9b\u670d\u52a1\u4e0d\u518d\u4ee5\u539f\u6765\u7684\u5f62\u5f0f\u63d0\u4f9b\uff0c\u5e76\u53ef\u80fd\u5728\u539f\u5904\u6709\u6b8b\u7559\u7684\u914d\u7f6e\u6587\u4ef6\u3002
\u901a\u5e38\u60c5\u51b5\u4e0b\u6b8b\u7559\u7684\u914d\u7f6e\u6587\u4ef6\u53ef\u4ee5\u76f4\u63a5\u5220\u9664\uff0c\u4f46\u662f\u4fdd\u9669\u8d77\u89c1\uff0c\u4ecd\u7136\u5efa\u8bae\u5728 Internals \u7fa4\u91cc\u5148\u8be2\u95ee\u4e00\u4e0b\u518d\u5904\u7406\u3002
"},{"location":"services/discontinued/#docker-registry","title":"Docker Registry","text":"\u66fe\u7ecf\u8fd0\u884c\u5728 docker2 \u4e0a\uff0c\u73b0\u5728 LUG \u7684 Docker \u955c\u50cf\u5df2\u8f6c\u79fb\u81f3 Docker Hub\u3002
"},{"location":"services/discontinued/#freeshell","title":"Freeshell","text":"\uff08\u672a\u5b8c\u5f85\u7eed\uff0c\u914d\u7f6e\u6587\u4ef6\u5148\u4fdd\u7559\uff09
"},{"location":"services/discontinued/#ustc-blog","title":"USTC Blog","text":"Refer to Gitlab Wiki.
"},{"location":"services/discontinued/#telegram-web","title":"Telegram Web","text":"Service\uff1atelegram.ustclug.org
Repository\uff1agithub.com/ustclug/telegram-web
DockerHub\uff1austclug/telegram-web
Deployment\uff1atelegram-web.sh
Servers\uff1a
Blog\uff1aadd-telegram-web-service
"},{"location":"services/discontinued/#ustc-life","title":"USTC Life","text":"USTC Life is a navigation page, which included useful sites in USTC.
Service: ustc.life
2020-04-09 \u66f4\u65b0\u4fe1\u606f
\u76ee\u524d\uff0cUSTC Life \u670d\u52a1\u6258\u7ba1\u5728 GitHub Pages \u4e0a\uff0c\u4ed3\u5e93\u4e5f\u5df2\u8f6c\u79fb\u81f3 SmartHypercube/ustclife\uff0c\u7531 Hypercube \u8d1f\u8d23\u7ef4\u62a4\u3002\u4ee5\u4e0b\u5185\u5bb9\u4ec5\u4e3a\u5386\u53f2\u8bb0\u5f55\u3002
Git Repository: github.com/ustclug/ustclife
DockerHub: ustclug/ustclife
server: docker2.s.ustclug.org
deploy: /srv/webhook/ustclife.sh
webhook from DockerHub: /srv/webhook/hooks.json
"},{"location":"services/discontinued/#wordpress-based-serversustclugorg-planetustclugorg","title":"Wordpress-based servers.ustclug.org & planet.ustclug.org","text":"\u4e3a\u4e86\u51cf\u5c0f\u653b\u51fb\u9762\u4e0e\u7ef4\u62a4\u6210\u672c\uff0cservers.ustclug.org \u8fc1\u79fb\u5230\u4e86\u57fa\u4e8e Jekyll \u7684\u65b9\u6848\uff1bplanet.ustclug.org \u5728\u65e9\u524d\u5df2\u7ecf\u6574\u5408\u5230\u4e86 LUG \u4e3b\u7ad9\u4e2d\u3002
"},{"location":"services/discontinued/#mail-list","title":"Mail List","text":"Plugin Email Subscribers & Newsletters on servers.ustclug.org
sends a mail to Google Group when a new article posted on mirrors catalogue.
The mails are sent from servers@ustclug.org
, which is a member of Google Group with write permission.
Google Group: ustc-mirrors@googlegroups.com
"},{"location":"services/docker2/","title":"Docker services","text":"Server: docker2.s.ustclug.org
Provides Docker container environment for other services. All non-system services should be run as Docker containers on this host.
Methods to run individual containers are maintained in the ustclug/docker-run-script repository.
"},{"location":"services/docker2/#special-configurations","title":"Special configurations","text":""},{"location":"services/docker2/#network-interfaces","title":"Network interfaces","text":"We use udev rules to assign consistent names to network interfaces, identified by their MAC addresses.
/etc/udev/rules.d/70-persistent-net.rulesSUBSYSTEM==\"net\", ACTION==\"add\", DRIVERS==\"?*\", ATTR{address}==\"00:50:56:9f:00:22\", NAME=\"Telecom\"\nSUBSYSTEM==\"net\", ACTION==\"add\", DRIVERS==\"?*\", ATTR{address}==\"00:50:56:9f:00:5b\", NAME=\"Mobile\"\nSUBSYSTEM==\"net\", ACTION==\"add\", DRIVERS==\"?*\", ATTR{address}==\"00:50:56:9f:00:5d\", NAME=\"ustclug\"\n
We then refer to these interfaces using their new names in /etc/network/interfaces
to ensure consistent network configuration.
2022 \u5e74 2 \u6708 21 \u65e5\u66f4\u65b0
\u4eca\u65e5\u53d1\u73b0 docker2 \u65e0\u6cd5\u8fde\u63a5\u5bb9\u5668\u7f51\u7edc\uff0810.254.1.0/21\uff09\uff0c\u8c03\u8bd5\u540e\u53d1\u73b0\u4e3a Linux macvlan \u7f51\u7edc\u7279\u6027\uff08Stack Overflow\uff09\u3002\u4e3a\u4e86\u4fee\u590d\u8fde\u63a5\u95ee\u9898\uff0c\u8fdb\u884c\u4e86\u4ee5\u4e0b\u4fee\u6539\uff1a
/etc/udev/rules.d/70-persistent-net.rules
\u4e2d Policy
\u66f4\u540d\u4e3a ustclug
\uff1b\u5728 /etc/network/interfaces
\u4e2d\u8bbe\u7f6e Policy
\u548c ustclug
\u4e24\u4e2a interface \u7684\u76f8\u5173\u914d\u7f6e\u5982\u4e0b\uff1a
auto Policy\niface Policy inet static\n address 10.254.0.16/21\n pre-up ip link add $IFACE link ustclug type macvlan mode bridge\n post-down ip link del $IFACE\n\nauto ustclug\niface ustclug inet manual\n
docker2 \u4e0a\u9762\u7684 Docker \u4f7f\u7528 macvlan \u6765\u5c06\u865a\u62df\u673a\u63a5\u5165 lugi \u5185\u7f51\uff0c\u56e0\u6b64\u5c06 macvlan \u7684\u4e3b\u7aef\u53e3 Policy \u914d\u7f6e\u4e3a docker.service
\u7684\u5f3a\u4f9d\u8d56\u3002
[Unit]\nBindsTo=sys-subsystem-net-devices-Policy.device\nAfter=sys-subsystem-net-devices-Policy.device\n
\u5b9e\u9645\u4e0a After=network-online.target
\u5c31\u591f\u4e86\uff0c\u4f46\u662f\u51fa\u4e8e\u5386\u53f2\u539f\u56e0\u4f7f\u7528\u4e86 BindsTo
\u5f3a\u4f9d\u8d56\u5185\u7f51\u7aef\u53e3\uff0c\u8fd9\u662f\u56e0\u4e3a docker2 \u66fe\u7ecf\u5355\u72ec\u8fd0\u884c tinc \u63a5\u5165\u5185\u7f51\uff0c\u800c tinc \u7684\u7aef\u53e3\u53ea\u5728 tinc \u542f\u52a8\u540e\u624d\u4f1a\u51fa\u73b0\uff08\u624d\u80fd\u5206\u51fa macvlan \u5b50\u7aef\u53e3\uff09\uff0c\u56e0\u6b64\u4f7f\u7528 BindsTo
\u4fdd\u8bc1 docker \u968f\u8be5\u7aef\u53e3\u7684\u51fa\u73b0\u548c\u6d88\u5931\u800c\u542f\u52a8/\u505c\u6b62\u3002
2022 \u5e74 1 \u6708 15 \u65e5\u4ee5\u540e docker2 \u4e0e\u5176\u4ed6\u865a\u62df\u673a\u4e00\u6837\u901a\u8fc7 gateway-nic \u6865\u63a5\u7684 tinc \u63a5\u5165\u5185\u7f51\uff0c\u4e0d\u518d\u5355\u72ec\u8fd0\u884c tinc\u3002
"},{"location":"services/docker2/#opensuse-guide-qtguide","title":"opensuse-guide \u4e0e qtguide \u6bcf\u65e5\u66f4\u65b0","text":"\u7531\u4e8e\u6ca1\u6709\u8bbe\u7f6e webhook\uff0c\u76ee\u524d\u914d\u7f6e\u4e86 systemd timer\uff0c\u6267\u884c /srv/docker/guide
\u4e2d\u7684\u811a\u672c\uff0c\u4ee5\u5206\u522b\u5728\u6bcf\u65e5\u665a\u4e0a 23:15 \u548c 23:30 \u66f4\u65b0 opensuse-guide \u548c qtguide \u4e24\u4e2a\u5bb9\u5668\u7684 image \u5e76\u91cd\u542f\u5bb9\u5668\u3002
\u8be6\u7ec6\u7684\u914d\u7f6e\u6587\u4ef6\u53ef\u67e5\u770b docker-run-script \u4e2d\u7684 opensuse-guide \u548c qtguide \u4e24\u4e2a\u6587\u4ef6\u5939\u3002
"},{"location":"services/docker2/#workflows-troubleshooting","title":"Workflows & Troubleshooting","text":""},{"location":"services/docker2/#docker-pingd","title":"Docker \"pingd\"","text":"\u66f4\u65b0
\u95ee\u9898\u5df2\u7ecf\u67e5\u660e\u4e3a Debian \u7684 Linux \u5185\u6838 bug (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=952660)\uff0c\u5df2\u7ecf\u901a\u8fc7\u66f4\u65b0\u5185\u6838\u5e76\u91cd\u542f\u800c\u89e3\u51b3\u3002\u4ee5\u4e0b\u5185\u5bb9\u4ec5\u4f5c\u5b58\u6863\u3002
\u51fa\u4e8e\u672a\u77e5\u539f\u56e0\u6709\u65f6\u5019\u5916\u90e8\u4e3b\u673a\u4f1a\u65e0\u6cd5\u4e3b\u52a8\u8fde\u901a Docker \u5bb9\u5668\uff08\u53ef\u80fd\u4e0e ARP \u6709\u5173\uff09\uff0c\u4f46\u662f\u5982\u679c\u67d0\u4e2a\u5bb9\u5668\u5148 ping \u4e86\u4e00\u4e0b\u5916\u90e8\u4e3b\u673a\uff0c\u5c31\u80fd\u53cc\u5411\u8fde\u901a\u4e86\u3002
\u7531\u4e8e\u6211\u4eec\u6682\u672a\u627e\u5230\u6b63\u5e38\u7684\u89e3\u51b3\u65b9\u6848\uff0c\u56e0\u6b64\u4f7f\u7528 \u201cping daemon\u201d \u4f5c\u4e3a\u4e00\u4e2a workaround\uff0c\u5728\u5bb9\u5668\u4e2d\u8fd0\u884c ping \u4fdd\u6301\u5916\u90e8\u4e3b\u673a\u7684\u8fde\u901a\u6027\u3002
docker-pingd@.service[Unit]\nDescription=Docker pingd service %I\nDocumentation=man:ping(8)\nAfter=network.target\nStartLimitIntervalSec=0\n\n[Service]\nType=simple\nUser=root\nGroup=root\nExecStart=/bin/sh -c 'IVAR=\"%i\"; exec /usr/bin/docker exec \"$${IVAR%:*}\" ping -q -s 32 \"$${IVAR#*:}\"'\nExecStop=/bin/kill -s INT $MAINPID\nRestart=on-failure\nRestartSec=3\n\n[Install]\nWantedBy=multi-user.target\nAlias=docker-ping@.service\n
\u4f7f\u7528\u65b9\u5f0f\uff1asystemctl enable docker-pingd@container:host.service
\uff0ccontainer
\u6362\u6210\u5bb9\u5668\u540d\uff0chost
\u6362\u6210 ping \u7684\u76ee\u6807\u3002
Trick \u4ecb\u7ecd\uff1aSystemd service \u914d\u7f6e\u6682\u4e0d\u652f\u6301\u591a\u4e2a\u6a21\u677f\u53c2\u6570 %i
\uff0c\u56e0\u6b64\u8c03\u7528 shell \u6765\u89e3\u6790\u53c2\u6570\u3002Ref: https://github.com/systemd/systemd/issues/14895#issuecomment-612270690
taoky
\u5f88\u9ebb\u70e6\uff0c\u5efa\u8bae lug \u4ee5\u540e\u518d\u4e5f\u522b\u7528\uff08\u522b\u5f00\u65b0\u7684\uff09wordpress \u4e86\u3002
servers \u4e0e\u65e7 planet \u4f7f\u7528 WordPress\uff0c\u6258\u7ba1\u5728 docker2 \u4e0a\u3002\u56e0\u4e3a docker2 \u73b0\u5728\u78c1\u76d8 IO \u5f88\u6162\uff0c\u6240\u4ee5\u53ef\u80fd\u4f1a\u51fa\u73b0\u4e00\u4e9b\u989d\u5916\u7684\u95ee\u9898\u3002
\u63a8\u8350\u4f7f\u7528 https://wp-cli.org/#installing\u3002\u547d\u4ee4\uff1a
chmod +x wp-cli.phar\nmv wp-cli.phar /usr/local/bin/wp\ncd /var/www/public/\nsudo -u www-data -- wp core update --version=5.8.1 /tmp/wordpress-5.8.1.zip\n
\u5bb9\u5668\u91cc sudo \u8981\u624b\u52a8\u88c5\u3002
\u4ee5\u4e0b\u5185\u5bb9\u4ec5\u4f9b\u53c2\u8003\u3002
\u5c1d\u8bd5\u5347\u7ea7\u65f6\u5982\u679c\u672a\u51fa\u73b0\u5347\u7ea7\u63d0\u793a\uff0c\u53ef\u4ee5\u4fee\u6539\uff1a
wp-includes/update.php
\uff0c\u5c06\u51fd\u6570 wp_version_check()
\u4e2d $doing_cron ? 3 : 30
\u4fee\u6539\u4e3a $doing_cron ? 30 : 30
\u3002wp-admin/includes/update.php
\uff0c\u5c06\u51fd\u6570 get_core_checksums()
\u4e2d\u5bf9\u5e94\u7684\u90e8\u5206\u4fee\u6539\u4e3a $doing_cron ? 30 : 30
\u3002\u5982\u679c\u51fa\u73b0\u300c\u53e6\u4e00\u66f4\u65b0\u6b63\u5728\u8fd0\u884c\u300d\uff0c\u4e14\u786e\u8ba4\u4e0d\u5728\u66f4\u65b0\uff0c\u53ef\u4ee5\u5728\u6570\u636e\u5e93\u7684 wordpress
\u8868\u4e2d\u6267\u884c\uff1a
DELETE FROM wp_options WHERE option_name = 'core_updater.lock';\n
"},{"location":"services/docker2/#docker","title":"\u770b\u8d77\u6765\u6b63\u5728\u8fd0\u884c\u4f46\u662f\u6ca1\u6709\u8fdb\u7a0b\u7684 Docker \u5bb9\u5668","text":"2021/10/25 \u53d1\u73b0\u67d0\u5bb9\u5668\u663e\u793a\u6b63\u5728\u8fd0\u884c\uff0c\u4f46\u662f\u5b9e\u9645\u6ca1\u6709\u8fdb\u7a0b\u3002\u540e\u53d1\u73b0\u4e3a Docker \u7684 bug\uff0c\u5728\u5bb9\u5668\u8fdb\u7a0b\u88ab cgroups \u5e72\u6389\u4e4b\u540e\u53ef\u80fd\u4f1a\u51fa\u73b0\u6b64\u60c5\u51b5\u3002
\u5bf9\u5e94 issue\uff1ahttps://github.com/moby/moby/issues/38501
\u89e3\u51b3\u65b9\u6cd5\uff1a\u5c06\u5bb9\u5668 ID \u5bf9\u5e94\u7684 containerd-shim
\u6740\u6b7b\u5373\u53ef\u8ba9 Docker \u66f4\u65b0\u5176\u72b6\u6001\u4e3a\u5df2\u505c\u6b62\uff0c\u7136\u540e\u91cd\u65b0\u5f00\u542f\u5373\u53ef\u3002
Services: FTP/FTPS, SFTP, HTTP, HTTPS
https://ftp.lug.ustc.edu.cn/~username/
).Git repository: ustclug/lugftp
Docker Hub: ustclug/ftp
Server: vdp.s.ustclug.org (management ssh port 2222)
Theme: h5ai
Deploy: ftp.sh
"},{"location":"services/ftp/#notes","title":"Notes","text":"ssh-keygen -A
is required to be manually run when initializing.root:root
and permission 0755.1000:1000
. _h5ai
and wp-content
needs to be set to a different owner (misconfigured?). And Incoming
shall be set to 0775.gateway-el
)","text":"Todo
Currently systemctl restart networking
is required after a reboot to set up tunnel. This bug should be fixed.
gateway-el uses IPVS to send requests from one port to other machines directly. IPVS is a Linux kernel feature. Use ipvsadm -Ln
to get its status.
The tunnels used by gateway-el
is mainly maintained by tunnelmonitor. Its config files are in /etc/tunnelmonitor
, service is tunnelmonitor.service
, and log is /var/log/tunnel_monitor.log
.
When starting, netfilter-persistent.service
should be run before tunnelmonitor
. tunnelmonitor
generates new mangle chains when starting, and pings all tunnels periodically and selects all available tunnels, and generates statistc
rules.
You check check /var/log/tunnel_monitor.log
to see if one tunnel has been down. Currently (2021/09), only one tunnel is available among all tunnel settings in /etc/tunnelmonitor/tunnel.ini
.
The following example is for demonstration purposes only.
You can get current status by iptables -t mangle -S
. It is expected to see something like this:
-A DemonstrateManglePrerouting -m statistic --mode nth --every 1 --packet 0 -j MARK --set-xmark 0x12345/0xffffffff\n// ...\n-A PREOUT -m mark --mark 0x0 -j DemonstrateManglePrerouting\n
In this case, all packages to DemonstrateManglePrerouting
chain will get fwmark
0x12345
(= 74565
).
Check ip rule
for that:
// ...\n10: from all fwmark 0x12345 lookup ExtraDemoTunnel\n// ...\n
You can get tunnel information in ip a
:
29: ExtraDemoTunnel: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000\n link/none\n inet 192.168.252.17 peer 192.168.253.17/32 brd 192.168.252.17 scope global ExtraDemoTunnel\n valid_lft forever preferred_lft forever\n
Here 192.168.252.17
is the local server of tunnel, and 192.168.253.17
is the remote server.
Let's check /etc/network/interfaces.d
:
auto ExtraDemoTunnel\niface ExtraDemoTunnel inet static\n address 192.168.252.17\n netmask 255.255.255.255\n pre-up ip link add dev $IFACE type wireguard\n post-down ip link del dev $IFACE\n up wg set $IFACE listen-port 4601 private-key /etc/wireguard/privkey peer pkeypkeypkeypkeypkeypkeypkeypkeypkeypkeypkey endpoint 23.3.3.3:4600 allowed-ips 0.0.0.0/0\n up ip route replace default dev $IFACE table $IFACE\n up ip rule add from all fwmark 74565 table $IFACE prio 10\n pointopoint 192.168.253.17\n
Here we know that this is a wireguard tunnel, and the endpoint is 23.3.3.3:4600
. The fwmark here is 74565
(in decimal).
Why is 74565
set? Let's check /etc/iproute2/rt_tables
!
// ...\n74565 ExtraDemoTunnel\n// ...\n
For wireguard, you can use wg
to check status. If you find that the \"received\" is 0 in transferred, something is going wrong.
See Gateway-NIC
"},{"location":"services/gateway-el/#issues","title":"Issues & resolution","text":""},{"location":"services/gateway-el/#ipvs-conntrack","title":"IPVS Conntrack","text":"In early March 2022 we noticed Light connectivity issues from outside USTCnet, which was narrowed down to connections bypassing Linux Conntrack mechanism.
Thanks to TUNA group we learned about /proc/sys/net/ipv4/vs/conntrack
, which at the time the problem was located, was zero. Settings this to 1 solved the problem.
However after writing net.ipv4.vs.conntrack = 1
to /etc/sysctl.d/10-ipvs-conntrack.conf
and rebooting, the problem returned. Checking systemctl status systemd-sysctl.service
we noticed this:
Mar 05 00:00:00 gateway-el systemd-sysctl[218]: Couldn't write '0' to 'net/ipv4/vs/conntrack', ignoring: No such file or directory\n
Adding ip_vs
to /etc/modules
and rebooting again correctly fixed the problem.
This is because the module was automatically loaded the first time ipvsadm
is called (namely, /etc/init.d/ipvsadm
), which happened at a very late stage. Adding to /etc/modules
gets the module loaded earlier (and before systemd-sysctl.service
) so it worked.
See gateway
"},{"location":"services/gateway-jp/","title":"Gateway: Japan (gateway-jp
)","text":"This page is currently a stub.
"},{"location":"services/gateway-jp/#network-configuration","title":"Network configuration","text":""},{"location":"services/gateway-jp/#iptables","title":"iptables","text":"See Gateway NIC
Blacklists are also managed with ipset
, see /root/iptables
.
When first applying iptables rules, we experienced severe performance degradation. Dmesg was flooded with messages like this:
nf_conntrack: nf_conntrack: table full, dropping packet\n
So we increased this sysctl setting:
/etc/sysctl.d/00-ustclug.confnet.nf_conntrack_max = 262144\nnet.ipv4.tcp_fin_timeout = 10\n
To ensure net.nf_conntrack_max
is available at boot, we also added nf_conntrack
to /etc/modules
and ran update-initramfs -u
.
The other setting is to prevent TCP connections from lingering too long in FIN_WAIT_2
and TIME_WAIT
states.
gateway-nic
)","text":"Previously gateway-nic used CentOS 7 to 8 to Stream, to \"avoid putting all eggs in one basket\". This VM was replaced by a newly setup Debian Bullseye VM on January 2022 during migration from ESXi to Proxmox VE.
The virtual disk of the old gateway-nic was copied onto pve-5, located at ZFS Zvol rpool/data/gateway-nic
. The current VM uses rpool/data/vm-200-disk-0
instead (Proxmox naming convention).
Git repositories exist for these directories:
/etc/nginx\n/etc/systemd/network\n/etc/tinc\n
"},{"location":"services/gateway-nic/#networking","title":"Networking","text":"We use systemd-networkd to configure network on gateway-nic. This replaces both ifupdown
(config file /etc/network/interfaces
)
[Service]\nExecStartPre=-/sbin/ip -4 rule flush\nExecStartPre=-/sbin/ip -6 rule flush\n\n[Install]\nAlias=networkd.service\n
The ExecStartPre=
commands flush (clear) existing rules so that systemd-networkd can fully manage all rules. This is because ManageForeignRoutingPolicyRules
is a new setting in systemd 249, while Debian Bullseye uses systemd 247, so we have to do this manually.
We then load the regular \"main\" and \"default\" rules on the loopback interface (routing rules aren't bound to interfaces, but are added/removed when the configured interface is brought up/turned down).
/etc/systemd/network/00-lo.network[Match]\nName=lo\n\n# Route \"main\"\n[RoutingPolicyRule]\nFamily=both\nTable=254\nPriority=2\nSuppressPrefixLength=1\n\n# Route \"Special\"\n[RoutingPolicyRule]\nFamily=both\nTable=1000\nPriority=5\nSuppressPrefixLength=1\n\n# Route \"default\"\n[RoutingPolicyRule]\nFamily=both\nTable=253\nPriority=32767\n
"},{"location":"services/gateway-nic/#interfaces","title":"Interfaces","text":"Systemd-networkd has built-in capability to rename interfaces, so there's no need to use udev rules.
For example, to assign a name for the cernet interface, we use:
/etc/systemd/network/12-Cernet.link[Match]\nPermanentMACAddress=00:50:56:a2:02:8c\n\n[Link]\nName=Cernet\n
We then configure addresses and routing rules for this interface:
/etc/systemd/network/12-Cernet.network[Match]\nName=Cernet\n\n[Network]\nAddress=202.38.95.102/25\nAddress=2001:da8:d800:95::102/64\nIPv6AcceptRA=no\n\n[Route]\nGateway=202.38.95.126\nTable=253\nMetric=2\n\n[Route]\nGateway=2001:da8:d800:95::1\nTable=253\nMetric=2\n\n[Route]\nGateway=202.38.95.126\nTable=1002\n\n[Route]\nGateway=2001:da8:d800:95::1\nTable=1002\n\n[RoutingPolicyRule]\nFrom=202.38.95.102\nTable=1002\nPriority=3\n\n[RoutingPolicyRule]\nFrom=2001:da8:d800:95::102\nTable=1002\nPriority=3\n\n[RoutingPolicyRule]\nFamily=both\nOutgoingInterface=Cernet\nTable=1002\nPriority=3\n\n[RoutingPolicyRule]\nFamily=both\nFirewallMark=0x2\nTable=1002\nPriority=4\n
This config file assigns one IPv4 and one IPv6 address to the interface, as well as one IPv4 route and one IPv6 route for both the default routing table and an interface-specific routing table. It then adds three routing rules in both IPv4 and IPv6 for replying on the same interface, for sockets bound to this interfaces, and for firewall mark routing.
Other interfaces are configured similarly, so just refer to their configuration files for details.
"},{"location":"services/gateway-nic/#routes","title":"Routes","text":"Outgoing connections are routed through different ISPs. We use ISP IP data from gaoyifan/china-operator-ip. Relevant files are located under /usr/local/network_config
.
The said repository (branch ip-lists
) is cloned and we symlink select files to iplist
directory for consumption. A custom script converts these IP data into additional systemd-networkd config files (under /run/systemd
).
lrwxrwxrwx cernet.txt -> ../china-operator-ip/cernet.txt\nlrwxrwxrwx cernet6.txt -> ../china-operator-ip/cernet6.txt\nlrwxrwxrwx china.txt -> ../china-operator-ip/china.txt\nlrwxrwxrwx china6.txt -> ../china-operator-ip/china6.txt\nlrwxrwxrwx cstnet.txt -> ../china-operator-ip/cstnet.txt\nlrwxrwxrwx cstnet6.txt -> ../china-operator-ip/cstnet6.txt\nlrwxrwxrwx mobile.txt -> ../china-operator-ip/cmcc.txt\nlrwxrwxrwx telecom.txt -> ../china-operator-ip/chinanet.txt\nlrwxrwxrwx unicom.txt -> ../china-operator-ip/unicom.txt\n-rw-r--r-- ustcnet.txt\n-rw-r--r-- ustcnet6.txt\n
/usr/local/network_config/route-all.sh#!/bin/bash\n\n[ -n \"$BASH_VERSION\" ] || exit 1\n\nWD=\"$(dirname \"$0\")\"\nROOT_IP_LIST=\"$WD/iplist\"\nROOT_CONF=/etc/systemd/network\nROOT_RT=/run/systemd/network\n\ngen_route() {\n local DEVFILE=\"$1\"\n local DEV=\"$(awk -F = '/^Name=/{print $2; exit}' \"$ROOT_CONF/$DEVFILE.network\")\"\n local GW=\"$2\" FAMILY=ipv4 V6\n if [[ \"$GW\" =~ : ]]; then\n FAMILY=ipv6\n V6=\"-v6\"\n fi\n # Convert table to number\n local TABLENAME=\"$3\"\n local TABLE=\"$(awk 'substr($0, 1, 1) != \"#\" && $2 == \"'\"$TABLENAME\"'\" { print $1 }' /etc/iproute2/rt_tables | head -1)\"\n local PRIORITY=\"$4\"\n shift 4\n\n F=\"$ROOT_RT/$DEVFILE.network.d\"\n mkdir -p \"$F\"\n F=\"$F/route-${TABLENAME,,}${V6}.conf\"\n echo -e \"[RoutingPolicyRule]\\nFamily=$FAMILY\\nTable=$TABLE\\nPriority=$PRIORITY\\n\" > \"$F\"\n\n awk '{ print \"[Route]\\nDestination=\" $1 \"\\nGateway='\"$GW\"'\\nTable='\"$TABLE\"'\\n\" }' \"${@/#/$ROOT_IP_LIST/}\" >> \"$F\"\n}\n\ngen_route 12-Cernet 202.38.95.126 ustcnet 5 ustcnet.txt\ngen_route 12-Cernet 2001:da8:d800:95::1 ustcnet 5 ustcnet6.txt\ngen_route 12-Cernet 202.38.95.126 cernet 6 cernet.txt cstnet.txt\ngen_route 12-Cernet 2001:da8:d800:95::1 cernet 6 cernet6.txt cstnet6.txt\ngen_route 13-Telecom 202.141.160.126 telecom 6 telecom.txt unicom.txt\ngen_route 14-Mobile 202.141.176.126 mobile 6 mobile.txt\ngen_route 12-Cernet 202.38.95.126 china 7 china.txt\ngen_route 12-Cernet 2001:da8:d800:95::1 china 7 china6.txt\n
We then use a systemd service to ensure additional files for systemd-networkd are generated before it starts.
/etc/systemd/system/route-all.service[Unit]\nDescription=Generate routes for systemd-networkd\nBefore=systemd-networkd.service\n\n[Service]\nType=oneshot\nExecStart=/bin/bash /usr/local/network_config/route-all.sh\n#ExecStart=/usr/local/network_config/special.rb\nRemainAfterExit=true\n\n[Install]\nWantedBy=network.target systemd-networkd.service\n
Updating routes from upstream is easy:
/usr/local/network_config/update.sh#!/bin/sh\n\ncd \"$(dirname \"$0\")\"\n\ngit -C china-operator-ip pull\nsystemctl restart route-all.service\n
The resulting routing policies look like this:
$ ip rule0: from all lookup local\n2: from all lookup main suppress_prefixlength 1\n3: from 172.16.0.2 lookup Warp\n3: from all oif Warp lookup Warp\n3: from 202.141.176.102 lookup Mobile\n3: from all oif Mobile lookup Mobile\n3: from 202.141.160.102 lookup Telecom\n3: from all oif Telecom lookup Telecom\n3: from 202.38.95.102 lookup Cernet\n3: from all oif Cernet lookup Cernet\n4: from all fwmark 0x5 lookup Warp\n4: from all fwmark 0x4 lookup Mobile\n4: from all fwmark 0x3 lookup Telecom\n4: from all fwmark 0x2 lookup Cernet\n5: from all lookup Special suppress_prefixlength 1\n5: from all lookup Ustcnet\n6: from all lookup mobile\n6: from all lookup telecom\n6: from all lookup cernet\n7: from all lookup china\n32767: from all lookup default\n
"},{"location":"services/gateway-nic/#tinc-vpn","title":"Tinc VPN","text":"Gateway-NIC connects to intranet with Tinc. There's no special Tinc configuration other than those described at the Tinc VPN page.
Because Tinc now uses systemd services instead of System V init.d
scripts, we need to systemctl enable tinc@ustclug.service
to make it start on boot. Everything is managed through this templated systemd service.
We also override systemd-networkd's online detection for goodness' sake, so it doesn't block booting. Note that it may interfere with services depending on network-online.target
, though we have yet to discover any issues.
[Service]\nExecStart=\nExecStart=/bin/sleep 1\n
"},{"location":"services/gateway-nic/#iptables","title":"iptables","text":"All iptables firewall rules are managed manually. We use iptables-persistent
to automatically load firewall rules on boot.
To change the rules, manually edit /root/iptables/rules.v4
or rules.v6
and then run apply.sh
to apply the changes.
We use fail2ban to stop SSH scanning and brute-force attempts.
Because fail2ban relies on changing iptables to work, to improve its performance as well as minimize its tampering of iptables rules, we use ipsets for fail2ban.
After stock installation of fail2ban
package, remove defaults-debian.conf
and add this file to secure SSH daemon:
[sshd]\nenabled = true\nmode = aggressive\nfilter = sshd[mode=%(mode)s]\nlogpath = /var/log/auth.log\nbackend = pyinotify\naction = iptables-ipset-proto6[chain=\"fail2ban\"]\n
We provide a pre-created empty chain named fail2ban
for fail2ban to manipulate (see iptables above).
To make sure fail2ban rules can be re-applied after reloading iptables manually, we override the systemd service so that fail2ban is restarted whenever the iptables service is restarted.
$ systemctl edit fail2ban.service[Unit]\nAfter=netfilter-persistent.service\nBindsTo=netfilter-persistent.service\n
For some servers where we want to manually start fail2ban, we use Requires=
+ PartOf=
. This will propagate \"restart\" event from iptables to fail2ban, but not \"start\".
[Unit]\nAfter=netfilter-persistent.service\nRequires=netfilter-persistent.service\nPartOf=netfilter-persistent.service\n
"},{"location":"services/gateway-nic/#nginx","title":"Nginx","text":""},{"location":"services/gateway-nic/#unregistered-domain-traffic","title":"ustclug.org issue","text":"To mitigate the issue of the complaints from ISPs and the regulation authorities caused by the gateways in USTCnet responding to the requests for ustclug.org
, which is a unregistered domain in China MIIT, we make nginx listen on an alternative port 81/444 for HTTP and HTTPS respectively, to respond to requests for lug.ustc.edu.cn
only, and rejecting the handshake for any other domain.
server {\n listen 81 default_server;\n listen [::]:81 default_server;\n listen 444 ssl http2 default_server;\n listen [::]:444 ssl http2 default_server;\n server_name _;\n ssl_reject_handshake on; \n return 444;\n}\n
To whitelist any domain, add listen 81
and listen 444 http2 ssl
to corresponding site's server block.
We use iptables to redirect any traffic from outside USTCnet whose destination is TCP port 80/443 on local machine to TCP port 81/444 respectively.
-A PREROUTING -m addrtype --dst-type LOCAL -j NGINX-REDIRECT\n-A NGINX-REDIRECT -i lo -j RETURN\n-A NGINX-REDIRECT -m set --match-set ustcnet src -j RETURN\n-A NGINX-REDIRECT -p tcp --dport 80 -j REDIRECT --to-port 81\n-A NGINX-REDIRECT -p tcp --dport 443 -j REDIRECT --to-port 444\n
"},{"location":"services/generate-204/","title":"Generate 204","text":"Service: 204.ustclug.org (HTTP / HTTPS)
Server: (gateway)
Blog: add-http-204-service
"},{"location":"services/generate-204/#configration","title":"Configration","text":"/etc/nginx/sites-available/204.ustclug.orgserver {\n listen 80;\n listen [::]:80;\n listen 443 ssl http2;\n listen [::]:443 ssl http2;\n server_name 204.ustclug.org;\n access_log /var/log/nginx/204_access.log;\n error_log /var/log/nginx/204_error.log;\n return 204;\n}\n
The authoritative copy is on LUG GitLab.
"},{"location":"services/gitlab/","title":"GitLab","text":"Server: gitlab.s.ustclug.org (management ssh port 2222)
Git Repository: gitlab-scripts
"},{"location":"services/gitlab/#gitlab-security","title":"GitLab & Security","text":"GitLab \u7ef4\u62a4\u8005\u9700\u8981\u8ba2\u9605\uff1a
\u5728 GitLab \u6709 Security Release \u4e14 docker-gitlab \u53d1\u5e03\u65b0\u7248\u672c\u4e4b\u540e\u9700\u8981\u5b89\u6392\u65f6\u95f4\u66f4\u65b0\u3002\u5c24\u5176 Critical Security Release \u9700\u8981\u5c3d\u5feb\u627e\u65f6\u95f4\u66f4\u65b0\u3002
"},{"location":"services/gitlab/#_1","title":"\u66f4\u65b0","text":"\uff08\u5efa\u8bae\u9605\u8bfb https://docs.gitlab.com/ee/update/index.html\uff0c\u4ee5\u53ca GitLab \u5b98\u65b9\u7684\u5347\u7ea7\u8def\u5f84\u5206\u6790\u5de5\u5177\uff1ahttps://gitlab-com.gitlab.io/support/toolbox/upgrade-path/\uff09
GitLab 16.0 \u8d77\u79fb\u9664\u4e86\u5bf9 CAS3 \u7684\u652f\u6301\uff0c\u56e0\u6b64\u6211\u4eec\u5207\u6362\u5230\u4e86 OAuth2 \u6765\u5bf9\u63a5\u4e2d\u56fd\u79d1\u5b66\u6280\u672f\u5927\u5b66\u7edf\u4e00\u8eab\u4efd\u8ba4\u8bc1\u3002\u4e3a\u4e86\u5b9e\u73b0\u81ea\u5b9a\u4e49 OAuth2 \u767b\u5f55\u53c2\u6570\uff0c\u6211\u4eec fork \u4e86 sameersbn/docker-gitlab\uff0c\u4ed3\u5e93\u4f4d\u4e8e ustclug/docker-gitlab\u3002\u66f4\u65b0\u65f6\uff0c\u9700\u8981\u9996\u5148\u6309\u7167 ustclug/docker-gitlab \u7684 README.md
\u6240\u8ff0\u7684\u6b65\u9aa4\u66f4\u65b0\u955c\u50cf\uff0c\u4e00\u822c\u53ea\u9700\u66f4\u6539\u6240\u8ff0\u7684\u4e24\u4e2a\u4f4d\u7f6e\u7684\u7248\u672c\u53f7\uff0c\u63a8\u9001\u5230\u4ed3\u5e93\u540e\uff0cGitHub Actions \u5c06\u81ea\u52a8\u5b8c\u6210\u955c\u50cf\u7684\u6784\u5efa\uff0c\u5e76\u4e0a\u4f20\u5230 ghcr.io\u3002\u9700\u8981\u6ce8\u610f\u7684\u662f\uff0c\u82e5\u4e0a\u6e38\u66f4\u65b0\u5305\u542b\u5bf9 assets/runtime
\u76ee\u5f55\u7684\u53d8\u66f4\uff0c\u5219\u9700\u5148\u5c06\u4e0a\u6e38\u66f4\u65b0\u5408\u5e76\u5230\u6211\u4eec\u7684\u4ed3\u5e93\uff0c\u5426\u5219\u53ef\u80fd\u51fa\u73b0\u6784\u5efa\u6216\u8fd0\u884c\u65f6\u9519\u8bef\u3002
\u7531\u4e8e\u5df2\u7ecf docker \u5316\uff0c\u56e0\u6b64\u6211\u4eec\u7684\u66f4\u65b0\u662f\u901a\u8fc7\u62c9\u53d6 ustclug/docker-gitlab \u7684 docker image\uff0c\u8fdb\u884c\u6570\u636e\u5e93\u51c6\u5907\u4ee5\u53ca\u542f\u52a8\u955c\u50cf\u5b9e\u4f8b\u6765\u8fdb\u884c\u66f4\u65b0\uff0cZack Zeng \u5b66\u957f\u5df2\u7ecf\u5199\u597d\u4e86\u4e00\u5957\u811a\u672c\u7cfb\u7edf\uff1agitlab-scripts\uff0c\u56e0\u6b64\u66f4\u65b0\u65f6\u53ea\u8981\u8dd1\u811a\u672c\u5c31\u53ef\u4ee5\u4e86\u3002
\u7531\u4e8e\u66f4\u65b0\u9700\u8981\u505c\u6b62\u670d\u52a1\uff0c\u56e0\u6b64\u8bf7\u4e8e\u66f4\u65b0\u524d\u81f3\u5c11\u51e0\u5c0f\u65f6\u53d1\u5e03\u66f4\u65b0\u516c\u544a\uff08\u5305\u62ec\u5177\u4f53\u65f6\u95f4\u7b49\uff09\uff0c\u5e76\u68c0\u67e5 Admin -> Monitoring -> Background Migrations \u4e2d\u6240\u6709 migration \u662f\u5426\u90fd\u5df2\u7ecf\u6210\u529f\u5b8c\u6210\u3002
\u66f4\u65b0\u524d\u8bf7\u5148\u63d0\u524d\u4e8e Proxmox VE \u4e0a\u5bf9\u865a\u62df\u673a\u6253\u5feb\u7167\uff08\u6253\u5feb\u7167\u65f6\u670d\u52a1\u4f1a\u6682\u65f6\u505c\u6b62\uff09
\u6253\u5b8c\u5feb\u7167\u4e4b\u540e\u4f7f\u7528\u811a\u672c\u8fdb\u884c\u66f4\u65b0\uff08\u76ee\u524d\u811a\u672c\u4f4d\u4e8e /home/sirius/gitlab-scripts
\uff09\uff0c\u9996\u5148\u4f7f\u7528 ./gitlab.sh db
\u8fdb\u884c\u6570\u636e\u5e93\u7684\u51c6\u5907\u5de5\u4f5c\u3002\u4e4b\u540e\u53ef\u4ee5\u901a\u8fc7 ./gitlab.sh run <\u7248\u672c\u53f7>
\u6765\u8fdb\u884c docker container \u7684\u66ff\u6362\u3002\u66f4\u6362\u524d\u811a\u672c\u4f1a\u81ea\u52a8\u62c9\u53d6\u76f8\u5e94\u7248\u672c\u53f7\u7684 docker \u955c\u50cf\uff0c\u5982\u679c\u62c5\u5fc3\u62c9\u53d6\u65f6\u95f4\u8fc7\u957f\u53ef\u4ee5\u5728\u6253\u5feb\u7167\u524d\u63d0\u524d\u901a\u8fc7 docker pull ghcr.io/ustclug/docker-gitlab:<\u7248\u672c\u53f7>
\u6765\u62c9\u53d6\u76f8\u5e94\u7684\u955c\u50cf\u3002
\u4e00\u822c\u60c5\u51b5\u4e0b\u7ecf\u4ee5\u4e0a\u64cd\u4f5c\u540e\u66f4\u65b0\u5c31\u6b63\u5e38\u7ed3\u675f\uff0c\u5982\u679c\u957f\u65f6\u95f4\u65e0\u6cd5\u542f\u52a8\uff0c\u53ef\u4ee5\u901a\u8fc7 docker logs gitlab
\u67e5\u770b\u65e5\u5fd7\uff0c\u5982\u679c\u53d1\u73b0\u66f4\u65b0\u540e\u7684\u542f\u52a8\u51fa\u73b0\u95ee\u9898\uff0c\u53ef\u4ee5\u5230 sameersbn/docker-gitlab \u7684 issue \u533a\u7b49\u5730\u67e5\u770b\u76f8\u5173 issue\uff0c\u4ee5\u53ca\u901a\u8fc7\u5bf9\u51fa\u9519\u65e5\u5fd7\u8fdb\u884c Google \u53ef\u80fd\u4f1a\u53d1\u73b0\u662f gitlab \u4e0a\u6e38\u7b49\u51fa\u73b0\u7684\u95ee\u9898\u3002\u5982\u679c\u6709\u89e3\u51b3\u529e\u6cd5\uff0c\u53ef\u4ee5\u6309\u7167\u76f8\u5e94\u89e3\u51b3\u529e\u6cd5\u89e3\u51b3\uff0c\u5982\u679c\u6ca1\u6709\u3002\u53ef\u4ee5\u901a\u8fc7\u627e\u5230\u6709\u76f8\u5e94\u95ee\u9898\u524d\u7684\u6b63\u5e38\u7248\u672c\u53f7\uff0c\u56de\u6eda\u5feb\u7167\uff0c\u4e4b\u540e\u66f4\u5230\u8868\u73b0\u6b63\u5e38\u7684\u7248\u672c\u3002\uff08\u6700\u8fd1\u7684\u66f4\u65b0\u4f1a\u5728\u542f\u52a8\u4e4b\u540e\u77ed\u6682\u51fa\u73b0 502 \u7684\u60c5\u51b5\uff0c\u4f46\u5f88\u5feb\u5c31\u4f1a\u6062\u590d\uff0c\u9047\u5230\u8fd9\u79cd\u60c5\u51b5\u65f6\u4e0d\u8981\u60ca\u614c\uff09\u3002
\u7531\u4e8e\u66f4\u65b0\u53ef\u80fd\u4f1a\u51fa\u73b0\u95ee\u9898\u5bfc\u81f4\u670d\u52a1\u4e0d\u53ef\u7528\uff0c\u56e0\u6b64\u4e0d\u5efa\u8bae\u901a\u8fc7 cron \u7b49\u65b9\u5f0f\u81ea\u52a8\u8fdb\u884c\u66f4\u65b0\u3002
"},{"location":"services/gitlab/#postgresql-redis","title":"postgresql \u4e0e redis \u7684\u66f4\u65b0","text":"\u7531\u4e8e gitlab \u66f4\u65b0\u540e\u53ef\u80fd\u5bf9 postgresql \u4e0e redis \u7684\u7248\u672c\u6709\u8981\u6c42\uff0c\u56e0\u6b64\u6709\u53ef\u80fd\u9700\u8981\u5b9a\u671f\u66f4\u65b0 redis \u4e0e postgresql\u3002
\u66f4\u65b0\u524d\u8bf7\u5148\u505c\u6b62 gitlab \u7684 container\u3002
\u66f4\u65b0\u65f6\u53ef\u4ee5\u6309\u7167\u5b98\u7f51\u6559\u7a0b docker-postgresql \u8fdb\u884c\u66f4\u65b0\uff0c\u53ef\u4ee5\u901a\u8fc7\u62c9\u53d6 latest \u6807\u7b7e\u7684\u955c\u50cf\uff0c\u5220\u9664\u539f\u6765\u7684 container\uff0c\u518d\u901a\u8fc7\u811a\u672c ./gitlab.sh db
\u81ea\u52a8\u542f\u52a8\uff0c\u6570\u636e\u5e93\u66f4\u65b0\u65f6\u53ef\u80fd\u4f1a\u9700\u8981\u4e00\u5b9a\u65f6\u95f4\u6765\u8fc1\u79fb\u6570\u636e\uff0c\u8bf7\u901a\u8fc7 docker logs -f gitlab-postgresql
\u547d\u4ee4\u6765\u67e5\u770b\u8fc1\u79fb\u8fdb\u5ea6\uff0c\u5f85\u8fc1\u79fb\u5b8c\u6210\u540e\u518d\u8fd0\u884c GitLab \u7684 container\u3002
Rails console \u53ef\u4ee5\u5b8c\u6210\u4e00\u4e9b\u9ad8\u7ea7\u7684\u7ef4\u62a4\u4efb\u52a1\u3002\u5728 gitlab \u5bb9\u5668\u4e2d\u6267\u884c bin/rails console
\u542f\u52a8\u3002\u6ce8\u610f console \u7684\u542f\u52a8\u65f6\u95f4\u5f88\u957f\uff08 1 \u5206\u949f\u4ee5\u4e0a\uff09\uff0c\u9700\u8981\u6709\u8010\u5fc3\u3002
\u53ef\u4ee5\u6267\u884c\u7684\u547d\u4ee4\u53ef\u53c2\u8003 https://docs.gitlab.com/ee/administration/troubleshooting/gitlab_rails_cheat_sheet.html\u3002
"},{"location":"services/gitlab/#_2","title":"\u67e5\u8be2","text":""},{"location":"services/gitlab/#hashed-storage","title":"\u67e5\u8be2 Hashed storage \u4e0b\u4ed3\u5e93\u5bf9\u5e94\u7684\u9879\u76ee","text":"ProjectRepository.find_by(disk_path: '@hashed/23/33/2333333333333333333333333333333333333333333333333333333333333333').project\n
\u5982\u679c\u5b58\u5728\uff0c\u4f1a\u8fd4\u56de\u7c7b\u4f3c\u4ee5\u4e0b\u7684\u5185\u5bb9\uff1a
=> #<Project id:23333 username/project>>\n
"},{"location":"services/gitlab/#sql-like","title":"\u67e5\u8be2\u65e0\u9879\u76ee\u4e14\u90ae\u7bb1\u6ee1\u8db3\u6761\u4ef6\u7684\u7528\u6237 (SQL like
)","text":"users = User.where('id NOT IN (select distinct(user_id) from project_authorizations)')\nusers = users.where('email like ?', '%.ru')\nusers.count\n\nusers.each do |user|\n puts user.last_activity_on\nend\n
"},{"location":"services/gitlab/#_3","title":"\u5237\u65b0\u67d0\u4e2a\u9879\u76ee\u7684\u7edf\u8ba1\u4fe1\u606f","text":"p = Project.find_by_full_path('<namespace>/<project>')\npp p.statistics\np.statistics.refresh!\npp p.statistics\n
"},{"location":"services/gitlab/#lfs-id","title":"\u83b7\u53d6\u6240\u6709\u5305\u542b LFS \u7684\u9879\u76ee ID","text":"LfsObject.all.each do |lo|\n puts LfsObjectsProject.find_by_lfs_object_id(lo.id).project_id\nend\n
\u8f93\u51fa\u8f83\u591a\u3002\u53ef\u4ee5\u4f7f\u7528 rails r xxx.rb
\u8fd0\u884c\uff0c\u91cd\u5b9a\u5411\u5230\u6587\u4ef6\uff0c\u53bb\u91cd\u540e\u67e5\u770b\u6240\u6709\u5305\u542b LFS \u7684\u9879\u76ee\u3002
\u8be6\u89c1 https://github.com/sameersbn/docker-gitlab#rake-tasks\u3002\u548c Rails console \u4e00\u6837\uff0c\u521d\u59cb\u5316\u5f88\u6162\u3002
\u5f53\u524d\u5b9e\u4f8b\u4fe1\u606f\uff1a
docker exec --user git -it gitlab bundle exec rake gitlab:env:info RAILS_ENV=production\n
"},{"location":"services/gitlab/#_4","title":"\u6e05\u7406","text":"\u53c2\u8003 https://github.com/gitlabhq/gitlabhq/blob/master/doc/raketasks/cleanup.md\u3002
\u4e0d\u8fc7\u4f5c\u7528\u6709\u9650\u3002
"},{"location":"services/gitlab/#_5","title":"\u6e05\u7406\u4e0a\u4f20\u76ee\u5f55","text":"\u67e5\u770b\u4f1a\u88ab\u6e05\u7406\u7684\u6587\u4ef6\uff1a
docker exec --user git -it gitlab bundle exec rake gitlab:cleanup:project_uploads RAILS_ENV=production\n
\u6e05\u7406\uff08\u79fb\u52a8\u5230 /-/project-lost-found/\uff09\uff1a
docker exec --user git -it gitlab bundle exec rake gitlab:cleanup:project_uploads RAILS_ENV=production DRY_RUN=false\n
"},{"location":"services/gitlab/#artifact","title":"\u6e05\u7406\u672a\u88ab\u5f15\u7528\u7684 artifact \u6587\u4ef6","text":"\u67e5\u770b\u4f1a\u88ab\u6e05\u7406\u7684 artifact \u6570\u91cf\uff1a
docker exec --user git -it gitlab bundle exec rake gitlab:cleanup:orphan_job_artifact_files RAILS_ENV=production\n
\u6e05\u7406\uff1a
docker exec --user git -it gitlab bundle exec rake gitlab:cleanup:orphan_job_artifact_files RAILS_ENV=production DRY_RUN=false\n
\u6ce8\u610f\uff0c\u65b0\u8bbe\u7f6e\u7684 expire \u671f\u9650\u4e0d\u4f1a\u5f71\u54cd\u4ee5\u524d\u7684 artifact\uff0c\u8fd9\u91cc\u7684\u547d\u4ee4\u4e5f\u65e0\u6cd5\u6e05\u7406\u3002
"},{"location":"services/gitlab/#lfs-reference","title":"\u6e05\u7406\u65e0\u6548\u7684 LFS reference","text":"for i in `cat projectid_lfs`; do docker exec --user git -it gitlab bundle exec rake gitlab:cleanup:orphan_lfs_file_references PROJECT_ID=$i RAILS_ENV=production DRY_RUN=false; done\n
projectid_lfs
\u662f\u4e0a\u6587\u4e2d\u300c\u83b7\u53d6\u6240\u6709\u5305\u542b LFS \u7684\u9879\u76ee ID\u300d\u7684\u53bb\u91cd\u540e\u7684\u8f93\u51fa\u3002
\u65e0 reference \u7684 LFS \u6587\u4ef6\u6bcf\u65e5 GitLab \u4f1a\u81ea\u52a8\u6e05\u9664\u3002\u5982\u679c\u9700\u8981\u7acb\u523b\u5220\u9664\uff0c\u53ef\u4ee5\u4f7f\u7528 gitlab:cleanup:orphan_lfs_files
\u3002
Ref: https://docs.gitlab.com/ee/administration/read_only_gitlab.html
docker exec --user git -it gitlab bin/rails console\n
\u4e4b\u540e\u6267\u884c
Project.all.find_each { |project| puts project.name; project.update!(repository_read_only: true) }\n
\u5c06\u6240\u6709\u4ed3\u5e93\u8bbe\u7f6e\u4e3a\u53ea\u8bfb\u3002\u5982\u679c\u4e2d\u95f4\u51fa\u73b0\u9519\u8bef\uff08\u7279\u6b8a\u7684\u9879\u76ee\u540d\u53ef\u80fd\u4f1a\u5bfc\u81f4\u8fd0\u884c\u4e2d\u65ad\uff09\uff0c\u91cd\u547d\u540d\u6700\u540e\u8f93\u51fa\u5bf9\u5e94\u7684\u9879\u76ee\u3002
\u5728\u8bbe\u7f6e\u524d\uff0c\u9700\u8981\u6dfb\u52a0 Messages \u901a\u77e5\u7528\u6237\u3002
\u6b64\u65f6\u6570\u636e\u5e93\u4ecd\u7136\u53ef\u5199\u5165\u3002\u5982\u679c\u9700\u8981\u6570\u636e\u5e93\u53ea\u8bfb\uff0c\u53c2\u8003\u4ee5\u4e0a\u94fe\u63a5\u914d\u7f6e\u3002
"},{"location":"services/light/","title":"Light Accelerator","text":"Service: light.ustclug.org
Git Repository:
Docker Hub:
Mailing list: \u8f7b\u91cf\u7ea7\u7f51\u7edc\u52a0\u901f\u670d\u52a1
Servers:
Deploy script: docker-run-script/light
Deploy order:
git clone https://github.com/ustclug/light-list\ncd accelerate-list\n./tools/add-domain.sh accelerate.list www.example.com\ngit commit -v -a\ngit push origin master\n
GitHub Actions will update PAC files in LUG FTP automatically.
"},{"location":"services/light/#database-maintenance","title":"Database maintenance","text":"Example:
select count(*) from radacct where acctstoptime < '2021-01-01 00:00:00';\ninsert into radacct_backup select * from radacct where acctstoptime < '2021-01-01 00:00:00';\ndelete from radacct where acctstoptime < '2021-01-01 00:00:00';\ndelete from radacct_backup where acctstoptime < '2020-06-01 00:00:00';\noptimize table radacct;\noptimize table radacct_backup;\n
"},{"location":"services/light/#shutdown","title":"Shutdown","text":"light-server
& light-socks
no
(See Docker Documentation)Proxy related log is under /srv/docker/light/log
. Container log (stdout & stderr) is under /srv/docker/docker/containers/<container id>/*.log*
(use docker logs <container>
to view).
Logrotate is configured to save logs for 180 days. Please manually backup logs when removing the container.
"},{"location":"services/mirrorz/","title":"MirrorZ CERNET server","text":"MirrorZ \u9879\u76ee\u5728 CERNET \u5317\u4eac\u8282\u70b9\u6709\u4e00\u4e2a\u865a\u62df\u673a\uff0c\u901a\u8fc7 *.mirrors.cernet.edu.cn \u7684\u57df\u540d\u63d0\u4f9b 302 \u8df3\u8f6c\u548c\u5e2e\u52a9\u9875\u9762\u7b49\u670d\u52a1\u3002
\u7531\u4e8e CentOS 7 \u5728 2024 \u5e74 6 \u6708\u7ed3\u675f\u652f\u6301\uff0ciBug \u548c taoky \u5728 2024 \u5e74 2 \u6708\u914d\u7f6e\u4e86\u4e00\u4e2a\u8fd0\u884c Debian 12 \u7684\u65b0\u865a\u62df\u673a\u3002\u65b0\u865a\u62df\u673a\u955c\u50cf\u57fa\u4e8e debian-cdimage \u63d0\u4f9b\u7684 debian-12-genericcloud-amd64.qcow2
\u3002
\u865a\u62df\u673a\u7684\u7f51\u7edc\u91c7\u7528 systemd-networkd \u914d\u7f6e\uff0c\u914d\u7f6e\u6587\u4ef6\u5728 /etc/systemd/network
\u4e0b\uff0cv4/v6 \u5747\u4f7f\u7528\u9759\u6001 IP \u914d\u7f6e\u3002\u5176\u4e2d [Match]
\u5757\u4f7f\u7528 MACAddress=...
\u6765\u5339\u914d\u7f51\u5361\u3002
PasswordAuthentication no\nPermitRootLogin prohibit-password\n
"},{"location":"services/mirrorz/#ntp","title":"NTP","text":"/etc/systemd/timesyncd.conf.d/ibug.conf[Time]\nNTP=ntp.tuna.tsinghua.edu.cn\n
"},{"location":"services/mirrorz/#software","title":"\u8f6f\u4ef6","text":"etckeeper\uff08\u4e0d\u77e5\u9053\u600e\u4e48\u914d\u7f6e\u7684\uff0c\u88c5\u597d\u5373\u7528\uff1f\uff09
\u4ee5\u4e0a\u56db\u4e2a\u8f6f\u4ef6\u5206\u522b\u4ece\u56db\u4e2a\u4e0d\u540c\u7684 APT \u6e90\u5b89\u88c5\uff0c\u5bf9\u5e94\u7684 APT \u516c\u94a5\u90fd\u5b58\u5728 /etc/apt/keyrings
\u4e2d\u3002
APT \u6e90\u914d\u7f6e
/etc/apt/sources.list.d/docker.listdeb [arch=amd64 signed-by=/etc/apt/keyrings/docker.asc] https://mirrors.ustc.edu.cn/docker-ce/linux/debian bookworm stable\n
/etc/apt/sources.list.d/grafana.listdeb [signed-by=/etc/apt/keyrings/grafana.gpg] https://mirrors.tuna.tsinghua.edu.cn/grafana/apt stable main\n
/etc/apt/sources.list.d/influxdata.listdeb [signed-by=/etc/apt/keyrings/influxdata.asc] https://mirrors.ustc.edu.cn/influxdata/debian stable main\n
/etc/apt/sources.list.d/nodesource.listdeb [arch=amd64 signed-by=/etc/apt/keyrings/nodesource.asc] https://deb.nodesource.com/node_18.x nodistro main\n
/etc/apt/sources.list.d/sb-nginx.listdeb [arch=amd64 signed-by=/etc/apt/keyrings/sb-nginx.asc] https://mirror.xtom.com.hk/sb/nginx/ bookworm main\n
"},{"location":"services/mirrorz/#go","title":"Go","text":"\u4ece\u5b98\u65b9\u7f51\u7ad9\u4e0b\u8f7d\u6700\u65b0\u7684 tar.gz \u5e76\u89e3\u538b\u5230 /usr/local/go
\uff0c\u7136\u540e\u5c06 /usr/local/go/bin
\u4e2d\u7684\u4e24\u4e2a\u4e8c\u8fdb\u5236\u6587\u4ef6\u8f6f\u94fe\u63a5\u5230 /usr/local/bin
\u3002
\u66f4\u65b0 Go \u7684\u5feb\u6377\u811a\u672c\u4f4d\u4e8e /root/go/update.sh
\uff0c\u5185\u5bb9\u89c1 iBug/shGadgets\u3002
MirrorZ \u4e3b\u9879\u76ee\u548c\u5e2e\u52a9\u9875\u9762\u7b49\u53ef\u4ee5\u901a\u8fc7\u6d4f\u89c8\u5668\u8bbf\u95ee\u7684\u9875\u9762\u90fd\u5728 /var/www
\u4e0b\u3002
\u5229\u7528 GitHub \u7684 webhook \u529f\u80fd\uff0c\u90e8\u7f72\u4e86\u4e00\u4efd iBug/uniAPI\u3002\u76f8\u5173\u6587\u4ef6\u5982\u4e0b\uff1a
/usr/bin/uniAPI\n/etc/uniAPI.yml\n/etc/systemd/system/uniAPI.service\n
\u914d\u7f6e\u6837\u4f8b\u5982\u4e0b\uff1a
services:\n uniAPI:\n type: server\n services:\n mirrorz-json-legacy:\n type: github.webhook\n path: /home/mirrorz/mirrorz-org/mirrorz-json-legacy\n branch: master\n secret: # empty\n
location ^~ /uniAPI {\n proxy_pass http://127.0.1.1:1024;\n}\n
"},{"location":"services/neat-dns/","title":"Neat DNS","text":"Services: neatdns.ustclug.org (UDP, TCP, HTTPS, DNSCrypt)
Server: docker2
Deploy: docker-run-script/neatdns
"},{"location":"services/neat-dns/#notes","title":"Notes","text":"Previously all containers on docker2 had gateway-el as their gateway, which generated heavy load on the Tinc network. Docker2 has since been updated to use gateway-nic as gateway for containers, bypassing Tinc for most of the traffic. This, however, broke NAT-based service like Neat DNS, which required that reply traffic goes back through gateway-el (but now gateway-nic).
What's worse, Docker doesn't support setting gateways for individual containers, nor can network config be changed from within the container (default setup). So we chose to selectively route traffic back to gateway-el on gateway-nic. This is accomplished with two parts:
Routing tables and routing rules:
/etc/systemd/network/11-Policy.network[RoutingPolicyRule]\nFrom=0.0.0.0/0\nFirewallMark=0x101/0x1ff\nTable=1101 # Ustclug_override\nPriority=1\n\n[Route]\nGateway=10.254.0.254 # gateway-el\nTable=1011\n
Using iproute2 ip
command, this would be:
ip rule add fwmark 0x101/0x1ff table Ustclug_override prio 1\nip route replace default via 10.254.0.254 table Ustclug_override\n
And then we select traffic to redirect to gateway-el using iptables marks:
iptables -t mangle -S-A PREROUTING -s 10.254.1.5/32 -i Policy -p tcp -m multiport --sports 53,53443 -j MARK --set-xmark 0x101/0x1ff\n-A PREROUTING -s 10.254.1.5/32 -i Policy -p udp -m multiport --sports 53,53443 -j MARK --set-xmark 0x101/0x1ff\n
These two lines of iptables rules selects replying traffic originating from the neat-dns container and marks it appropriately, so it will be routed to gateway-el instead of exiting the intranet right from gateway-nic.
\u672c\u8282\u5185\u5bb9\u9002\u7528\u4e8e\u5305\u62ec VPN \u5728\u5185\u7684\u591a\u4e2a\u670d\u52a1\u5668
\u76ee\u524d\u4ec5\u5bf9 IPv4 \u542f\u7528\u3002
*raw\n:PREROUTING ACCEPT [0:0]\n:OUTPUT ACCEPT [0:0]\n-A PREROUTING -p udp --dport 69 -j CT --helper tftp\nCOMMIT\n
/etc/modulesnf_conntrack_tftp\nnf_nat_tftp\n
"},{"location":"services/vpn/#ssl-certs","title":"SSL Certificates","text":"The certificate for *.vpn.lug.ustc.edu.cn
+ *.vpn.ustclug.org
is acquired with our certificate infrastructure and the vpn server runs updater.sh
with cron.
Two services running in Docker (strongswan and ocserv) use the certificate, so another cron job exists to copy the certificate files into the Docker volume (vpn-certs
). The second updater script is listed below:
#!/bin/sh\n\n# outside, call docker\nif command -v docker >/dev/null 2>&1; then\n exec docker run --rm \\\n --name=vpn-cert-updater \\\n --net=none \\\n -v \"$(realpath \"$0\")\":/update.sh:ro \\\n -v vpn-certs:/vpn-certs \\\n -v /etc/ssl/private:/ssl-certs:ro \\\n alpine \\\n /update.sh\n exit 1 # exec failed\nfi\n\nset -eux\n\nSSL_CERTS=\"/ssl-certs\"\nVPN_CERTS=\"/vpn-certs\"\n\ncp -p \"${SSL_CERTS}/lugvpn/fullchain.pem\" \"${VPN_CERTS}/certs/vpn.ustclug.org.crt\"\ncp -p \"${SSL_CERTS}/lugvpn/privkey.pem\" \"${VPN_CERTS}/private/vpn.ustclug.org.key\"\necho \"Cert Update Complete\"\n
"},{"location":"services/mirrors/","title":"\u5f00\u6e90\u955c\u50cf\u7ad9","text":""},{"location":"services/mirrors/#_2","title":"\u5386\u53f2","text":""},{"location":"services/mirrors/#debianustceducn","title":"debian.ustc.edu.cn","text":"2000 \u5e74\u5de6\u53f3\uff0c\u79d1\u5927\u6821\u5185\u7684 Debian \u7231\u597d\u8005\u4f7f\u7528\u81ea\u5df1\u5b9e\u9a8c\u5ba4\u7684\u673a\u5668\u4e3a\u5927\u5bb6\u63d0\u4f9b Debian \u955c\u50cf\u670d\u52a1\u3002\u968f\u7740\u4e00\u5c4a\u5c4a\u5e08\u5144\u7684\u6bd5\u4e1a\uff0c\u670d\u52a1\u5668\u5728\u5404\u5b9e\u9a8c\u5ba4\u95f4\u63a5\u529b\u3002
2002 \u5e74 5 \u6708\uff0cDebian \u955c\u50cf\u7ad9\u6709\u4e86\u81ea\u5df1\u7684\u57df\u540d debian.ustc.edu.cn\uff0c\u4f46\u670d\u52a1\u5668\u4ecd\u5728\u5b9e\u9a8c\u5ba4\u95f4\u8f97\u8f6c\u3002
2002 \u5e74 6 \u6708 23 \u65e5\uff0c\u79d1\u5927Debian\u955c\u50cf\u7ad9\u5f00\u59cb\u63d0\u4f9b\u975e\u5b98\u65b9(UO)\u8f6f\u4ef6\u4ed3\u5e93\u30022004\u5e744\u670823\u65e5\uff0c\u63d0\u4f9b\u65b0\u7684UO\u4ed3\u5e93\u3002
2005 \u5e74 6 \u6708 20 \u65e5\uff0c\u79d1\u5927 LUG \u53d1\u8d77\u4e3a\u79d1\u5927 Debian \u955c\u50cf\u7ad9\u6350\u6b3e\u7684\u5021\u8bae\uff0c\u622a\u81f3 10 \u6708 1 \u65e5\u52df\u6350\u6d3b\u52a8\u505c\u6b62\uff0cLUG \u5171\u6536\u5230 2922.05 \u5143\u6350\u6b3e\u300210 \u6708 6 \u65e5\u65b0\u673a\u5668\u5b89\u88c5\u914d\u7f6e\u5230\u4f4d\u3002\u5728\u5927\u5bb6\u7684\u9f50\u5fc3\u52aa\u529b\u4e4b\u4e0b\uff0c\u79d1\u5927 Debian \u955c\u50cf\u7ad9\u6709\u4e86\u4e00\u4e2a\u76f8\u5bf9\u56fa\u5b9a\u7684\u201c\u5bb6\u201d\u3002
2009 \u5e74\u5e95\uff0cdebian.ustc \u843d\u6237\u56fe\u4e66\u9986\u6280\u672f\u90e8\u3002
"},{"location":"services/mirrors/#ossustceducn","title":"oss.ustc.edu.cn","text":"2008 \u5e74 12 \u6708 25 \u65e5\uff0c\u79d1\u5927\u5f00\u6e90\u8f6f\u4ef6 (OSS) \u955c\u50cf\u7ad9\u6b63\u5f0f\u542f\u7528\u3002\u5176\u670d\u52a1\u5668\u7531\u5434\u5cf0\u5149\u5e08\u5144\u63d0\u4f9b\u3002Novell \u516c\u53f8\u4e3a\u6211\u4eec\u63d0\u4f9b\u4e86\u4e00\u57571.5T \u7684\u786c\u76d8\u3002
2009 \u5e74 12 \u6708\uff0c\u5f20\u6210\u5e08\u5144\u4e3a OSS \u955c\u50cf\u7ad9\u63d0\u4f9b\u6350\u8d60 1T \u786c\u76d8\u3002
2010 \u5e74 6 \u6708\uff0c\u79d1\u5927 LUG \u4f7f\u7528\u51fa\u552e\u7248\u886b\u4f59\u4e0b\u7684\u94b1\u4e3a OSS \u955c\u50cf\u7ad9\u6dfb\u7f6e\u4e86\u4e00\u5757 2T \u786c\u76d8\u3002
"},{"location":"services/mirrors/#mirrorsustceducn","title":"mirrors.ustc.edu.cn","text":"2011 \u5e74 4 \u6708 8 \u65e5\uff0c\u79d1\u5927 LUG \u4ece\u7f51\u7edc\u4e2d\u5fc3\u5904\u83b7\u5f97\u4e86\u65b0\u7684\u670d\u52a1\u5668\uff0c\u5e76\u7533\u8bf7\u5230\u4e86 mirrors.ustc \u7684\u57df\u540d\u3002debian.ustc \u4e0e oss.ustc \u5f00\u59cb\u5411 mirrors.ustc \u8fc1\u79fb\u3002
\u540c\u5e74 4 \u6708 15 \u65e5\uff0c\u51e0\u5927\u70ed\u95e8\u53d1\u884c\u7248\u955c\u50cf\u540c\u6b65\u5b8c\u6bd5\uff0cmirrors \u5f00\u59cb\u6b63\u5f0f\u5bf9\u5916\u63d0\u4f9b\u670d\u52a1\uff0c\u540c\u65f6 debian.ustc \u4e0e oss.ustc \u9000\u51fa\u4e86\u5386\u53f2\u821e\u53f0\u3002
2013 \u5e74 1 \u6708 6 \u65e5\uff0c\u79d1\u5927 LUG \u4ece\u7f51\u7edc\u4e2d\u5fc3\u5904\u83b7\u5f97\u4e86\u65b0\u7684\u78c1\u76d8\u9635\u5217\uff0c\u5927\u5927\u7f13\u89e3\u4e86 mirrors \u56e0\u78c1\u76d8\u7a7a\u95f4\u4e0d\u8db3\u800c\u5e26\u6765\u7684\u538b\u529b\u3002
2016 \u5e74 12 \u6708 29 \u65e5\uff0c\u79d1\u5927 LUG \u4ece\u7f51\u7edc\u4e2d\u5fc3\u5904\u83b7\u5f97\u4e86\u65b0\u7684\u670d\u52a1\u5668\u3002\u89e3\u51b3\u4e86\u8fd1\u4e00\u5e74\u6765\u7531\u4e8e\u670d\u52a1\u5668\u548c\u9635\u5217\u8001\u5316\u5e26\u6765\u7684\u7a33\u5b9a\u6027\u95ee\u9898\u3002
2019 \u5e74 6 \u6708\uff0c\u79d1\u5927 LUG \u4ece\u56fe\u4e66\u9986\u6280\u672f\u90e8\u83b7\u5f97\u4e86\u4e00\u53f0\u65e7\u670d\u52a1\u5668\uff0c\u7f13\u89e3\u4e86 mirrors \u5bb9\u91cf\u7d27\u5f20\u7684\u95ee\u9898\u3002
2020 \u5e74 3 \u6708 24 \u65e5\uff0c\u79d1\u5927 LUG \u518d\u6b21\u4ece\u7f51\u7edc\u4e2d\u5fc3\u5904\u83b7\u5f97\u4e86\u65b0\u7684\u670d\u52a1\u5668\uff0c\u89e3\u51b3\u4e86\u591a\u5e74\u6765\u7531\u4e8e\u670d\u52a1\u5668\u5bb9\u91cf\u4e0d\u8db3\u548c\u8d1f\u8f7d\u8fc7\u5927\u5e26\u6765\u7684\u538b\u529b\u3002
"},{"location":"services/mirrors/#hardware","title":"\u786c\u4ef6\u914d\u7f6e","text":"Docker \u9ed8\u8ba4\u521b\u5efa\u4e00\u4e2a\u540d\u4e3a bridge \u7684\u7f51\u7edc\uff0c\u4e3b\u673a\u754c\u9762\u4e3a docker0
\uff0cIP \u5730\u5740\u6bb5\u4e3a 172.17.0.0/16\u3002\u8fd9\u4e2a\u9ed8\u8ba4\u5730\u5740\u6bb5\u8fc7\u4e8e\u6d6a\u8d39\uff0c\u56e0\u6b64\u6211\u4eec\u7ed9\u5b83\u914d\u7f6e\u4e00\u4e2a\u66f4\u5c0f\u7684\u5730\u5740\u6bb5\uff1a
{\n \"bip\": \"172.17.0.0/22\"\n}\n
\u6211\u4eec\u5c06 Docker Registry \u7684\u53cd\u4ee3\u6302\u5728\u53e6\u5916\u4e00\u4e2a\u5b50\u7f51\u4e0b\uff0c\u9700\u8981\u5148\u884c\u521b\u5efa\u3002
docker network create \\\n --opt com.docker.network.bridge.name=docker1 \\\n --subnet=172.18.0.0/24 \\\n --gateway=172.18.0.1 \\\n docker-registry\n
"},{"location":"services/mirrors/docker/#routing","title":"Routing","text":"\u4e00\u4e9b\u540c\u6b65\u7a0b\u5e8f\u4e0d\u652f\u6301 bindIP \u7684\u914d\u7f6e\uff0c\u5bf9\u4e8e\u8fd9\u4e9b\u540c\u6b65\u7a0b\u5e8f\uff0c\u6211\u4eec\u901a\u8fc7\u521b\u5efa\u591a\u4e2a Docker network\uff0c\u7136\u540e\u5728\u4e3b\u673a\u4e0a\u6839\u636e Docker network \u8fdb\u884c\u7b56\u7565\u8def\u7531\uff0c\u8fbe\u5230\u9009\u62e9\u51fa\u53e3\u7684\u6548\u679c\u3002
\u521b\u5efa Docker network \u7684\u547d\u4ee4\u5982\u4e0b\uff1a
docker network create --driver=bridge --subnet=172.17.4.0/24 --gateway=172.17.4.1 -o \"com.docker.network.bridge.name=dockerC\" cernet\ndocker network create --driver=bridge --subnet=172.17.5.0/24 --gateway=172.17.5.1 -o \"com.docker.network.bridge.name=dockerT\" telecom\ndocker network create --driver=bridge --subnet=172.17.6.0/24 --gateway=172.17.6.1 -o \"com.docker.network.bridge.name=dockerM\" mobile\ndocker network create --driver=bridge --subnet=172.17.7.0/24 --gateway=172.17.7.1 -o \"com.docker.network.bridge.name=dockerU\" unicom\n\ndocker network create --driver=bridge --subnet=172.17.8.0/24 --gateway=172.17.8.1 \\\n --ipv6 --subnet=fd00:6::/64 --gateway=fd00:6::1 \\\n -o \"com.docker.network.bridge.name=dockerC6\" cernet6\n
\u5bf9\u5e94\u5730\uff0c\u4e3b\u673a\u4e0a\u4e5f\u914d\u7f6e\u597d\u4e86\u7b56\u7565\u8def\u7531\uff0c\u4f8b\u5982\uff1a
/etc/systemd/network/cernet.network# Docker Cernet\n[RoutingPolicyRule]\nFrom=172.17.4.0/24\nTable=1011\nPriority=6\n[RoutingPolicyRule]\nFrom=172.17.8.0/24\nTable=1011\nPriority=6\n
/etc/systemd/network/telecom.network# Docker Telecom\n[RoutingPolicyRule]\nFrom=172.17.5.0/24\nTable=1012\nPriority=6\n
mobile.network
\u548c unicom.network
\u4e5f\u7c7b\u4f3c\u3002
\u9700\u8981\u4f7f\u7528\u8fd9\u79cd\u65b9\u5f0f\u8fdb\u884c\u8def\u7531\u7684\u540c\u6b65\u955c\u50cf\uff0c\u53ef\u4ee5\u5728 YAML \u4e2d\u6307\u5b9a network
\uff0c\u4f8b\u5982\uff1a
network: telecom\n
"},{"location":"services/mirrors/ipmi/","title":"IPMI","text":""},{"location":"services/mirrors/ipmi/#mirrors4","title":"Mirrors4","text":"\u8fd9\u53f0\u673a\u5668\u7684 IPMI \u6709 HTML5 KVM\uff0c\u53ef\u4ee5\u76f4\u63a5\u7f51\u9875\u4f7f\u7528\uff0c\u6bd4\u8f83\u65b9\u4fbf\u3002
"},{"location":"services/mirrors/ipmi/#mirrors23","title":"Mirrors2/3","text":"\u767b\u5f55 IPMI \u540e\uff0c\u4e3a\u4e86\u4f7f\u7528\u8fdc\u7a0b Shell\uff0c\u9700\u8981\u8fd0\u884c\u4e00\u4e2a jnlp \u6587\u4ef6\u3002 \u6b64\u6587\u4ef6\u4e0b\u8f7d\u65f6\u4f1a\u88ab Chrome \u62e6\u622a\uff0c\u9700\u8981\u989d\u5916\u5141\u8bb8\u4e00\u4e0b\u3002
\u6b64 jnlp \u6587\u4ef6\u9700\u8981 Oracle JDK 7 \u8fd0\u884c\uff0cOpenJDK 7 \u65e0\u6cd5\u8fd0\u884c\u3002 \u6307\u4ee4\u7528 javaws a.jnlp
\u5373\u53ef\u3002
Java 8 \u53ca\u4e4b\u524d Java \u7684\u5404\u4e2a\u5de5\u5177\u662f\u6253\u5305\u5728 JDK \u4e2d\u7684\uff0c\u5305\u62ec Java Web Starter\uff0c\u5373\u6211\u4eec\u7528\u7684 javaws
\u3002 \u6240\u4ee5\u53ea\u9700\u8981\u5b89\u88c5 Oracle JDK 7 \u5373\u53ef\uff0c\u65e0\u9700\u5b89\u88c5\u5176\u4ed6\u7684\u3001\u9488\u5bf9 Java 9 \u53ca\u4e4b\u540e\u7248\u672c\u7684\u5176\u4ed6\u5de5\u5177\u3002
\u7531\u4e8e mirrors \u5c5e\u4e8e I/O\u3001\u7f51\u7edc\u5bc6\u96c6\u578b\u670d\u52a1\uff0c\u5728\u90e8\u5206\u7684\u8d1f\u8f7d\u573a\u666f\u4e0b\u6781\u6613\u51fa\u73b0 I/O \u6216\u7f51\u7edc\u8fc7\u8f7d\u3002\u9650\u5236\u7b56\u7565\u4e3b\u8981\u662f\u4e3a\u4e86\u51cf\u5f31\u4ee5\u4e0b\u51e0\u7c7b\u8bf7\u6c42\u5bf9 mirrors \u6574\u4f53\u670d\u52a1\u8d28\u91cf\u7684\u5f71\u54cd\uff1a
\u4e00\u822c\u800c\u8a00\uff0c\u79d1\u5927\u6821\u5185\u7684\u5730\u5740\u4f4d\u4e8e\u9650\u5236\u89c4\u5219\u7684\u767d\u540d\u5355\u4e2d\uff0c\u4e0d\u53d7\u5230\u9650\u5236\u7b56\u7565\u7684\u5f71\u54cd\u3002\u5982\u679c\u6ca1\u6709\u7279\u6b8a\u8bf4\u660e\uff0c\u79d1\u5927\u5730\u5740\u9ed8\u8ba4\u4e0d\u53d7\u9650\u5236\u3002
\u767d\u540d\u5355\u4f4d\u4e8e\uff1a
/usr/local/network_config/iptables/ipset
/etc/nginx/conf.d/geo-ustcnet.conf
\u9632\u706b\u5899 (iptables) \u76ee\u524d\u53ea\u8d1f\u8d23\u9650\u5236\u5355 IP \u7684\u5e76\u53d1\u94fe\u63a5\u6570\u3002\u8fd9\u662f\u4e3a\u4e86\u9632\u6b62\u540c\u65f6\u6d8c\u5165\u5927\u91cf\u5e76\u53d1\u8fde\u63a5\uff0c\u5bfc\u81f4\u540e\u7aef\u5e94\u7528\u8017\u8d39\u5927\u91cf CPU \u548c I/O \u8d44\u6e90\u5904\u7406\u8fd9\u4e9b\u4e0d\u5408\u5e38\u7406\u7684\u8bf7\u6c42\u3002
\u5e8f\u53f7 \u7aef\u53e3 \u670d\u52a1 \u6700\u5927\u8fde\u63a5\u6570 IPv4 CIDR IPv6 CIDR 1 80,443 HTTP/HTTPS 12 29 64 2 20,21,50100:50200 FTP 4* 32 64 3 873 Rsync 5 32 64 4 9418 Git 10 32 64\u6ce8\u610f\u4e8b\u9879
\u8fde\u63a5\u6570\u9650\u5236\u4ec5\u9650\u5236\u77ac\u65f6\u5e76\u53d1\uff08connlimit\uff09\u3002
\u8bf7\u6ce8\u610f\uff0c\u540c\u7ec4\u5185\u7684\u8fde\u63a5\u5171\u4eab\u8fde\u63a5\u6570\u914d\u989d\u3002\u5982\uff1a
\u8d85\u8fc7\u914d\u989d\u7684\u8fde\u63a5\u4f1a\u8fd4\u56de TCP Reset\u3002
* FTP \u670d\u52a1\u5df2\u505c\u6b62\u63d0\u4f9b\u3002
"},{"location":"services/mirrors/limiter/#application","title":"\u5e94\u7528\u7ea7\u522b\u9650\u5236","text":"\u6b64\u7c7b\u9650\u5236\u89c4\u5219\u4f4d\u4e8e\u5e94\u7528\u7a0b\u5e8f\u5185\u3002\u7531\u4e8e\u5728\u7528\u6237\u6001\u7a0b\u5e8f\u4e2d\u5b9e\u73b0\uff0c\u56e0\u6b64\u66f4\u52a0\u7075\u6d3b\u3002
"},{"location":"services/mirrors/limiter/#nginx-mod-lua","title":"Nginx Lua \u7ec4\u4ef6","text":"\u4ee3\u7801\u4f4d\u4e8e /etc/nginx/lua/module/access_limiter.lua
\u76ee\u524d\u4f7f\u7528\u4e86 Nginx \u7684 Lua \u8bed\u8a00\u6269\u5c55\u5b9e\u73b0\u5bf9\u8bf7\u6c42\u7684\u9650\u5236\u3002\u4e3b\u8981\u6709\u4ee5\u4e0b\u4e09\u7c7b\u9650\u5236\u65b9\u5f0f\uff1a
\u76ee\u524d\uff0c\u955c\u50cf\u7ad9\u914d\u7f6e\u4e86\u4ee5\u4e0b\u51e0\u79cd\u529f\u80fd\u7684\u9650\u5236\u5668\uff1a
\u4f8b\u5916\uff1a
\u5bf9\u8fd4\u56de 403 \u7684\u6076\u610f\u8bf7\u6c42\uff08\u89c1\u4e0b\uff09\uff0c\u4ec5\u5e94\u7528\u5168\u5c40\u8bf7\u6c42\u901f\u7387/\u8bf7\u6c42\u6570\u9650\u5236\u5668\uff08Main-Req \u548c Main-Count\uff09\uff0c\u4e14\u5728\u8fd9\u4e24\u4e2a\u9650\u5236\u5668\u91cc\u6309\u53cc\u500d\u8ba1\u6570\uff1b\u540c\u65f6\u8df3\u8fc7\u65ad\u70b9\u7eed\u4f20/\u76ee\u5f55/\u6587\u4ef6\u9650\u5236\u5668\uff0c\u907f\u514d\u56e0\u4e3a\u6076\u610f\u8bf7\u6c42\u5237\u6ee1\u4e86\u76ee\u5f55/\u6587\u4ef6\u7684\u9650\u989d\u5bfc\u81f4\u6b63\u5e38\u7528\u6237\u7684\u8bbf\u95ee\u53d7\u9650\u3002
\u4f8b\u5916\u6587\u4ef6\u7684\u5b9a\u4e49\u53c2\u8003 /etc/nginx/conf.d/access_limiter.conf
\u3002
\u6848\u4f8b\uff1a\u66fe\u9047\u5230\u8fc7\u653b\u51fb\u8005\u5206\u5e03\u5f0f\u8bf7\u6c42\u540c\u4e00\u4e2a\u5927\u6587\u4ef6\uff0c\u5bfc\u81f4 IO\u3001\u7f51\u7edc\u540c\u65f6\u8fc7\u8f7d\u3002\u57fa\u4e8e IP \u5730\u5740\u7684\u9650\u5236\u63aa\u65bd\u5bf9\u4e8e\u6e90\u5730\u5740\u6c60\u5f88\u5927\u7684\u653b\u51fb\u5f80\u5f80\u6ca1\u6709\u6548\u679c\uff0c\u9650\u5236\u5355\u6587\u4ef6\u7684\u8bf7\u6c42\u901f\u7387\u80fd\u591f\u6709\u6548\u7f13\u89e3\u8fd9\u7c7b\u653b\u51fb\u3002
\u5177\u4f53\u53c2\u6570\u53c2\u8003\u4e0b\u8868\uff1a
\u9650\u5236\u5668\u540d\u79f0\u4e0e\u4ee3\u53f7 \u9608\u503c\u5355\u4f4d \u9608\u503c \u7a81\u53d1\u91cf \u8ba1\u6570\u5668\u91cd\u7f6e\u5468\u671f \u52a8\u4f5c \u5168\u5c40\u8bf7\u6c42\u901f\u7387\u9650\u5236\u5668Main-Req
\u6b21/\u79d2 40 100 / \u8fd4\u56de 429 \u9519\u8bef \u5168\u5c40\u8bf7\u6c42\u6570\u9650\u5236\u5668Main-Count
\u6b21 15000 / 1 \u5929 \u8bbe\u7f6e\u5168\u5c40\u8bf7\u6c42\u901f\u7387\u9650\u5236\u5668\u9608\u503c\u4e3a 0.2 \u6b21/\u79d2 HEAD \u8bf7\u6c42\u6570\u9650\u5236\u5668Head-Count
\u6b21 300 / 1 \u5929 \u5f00\u542f HEAD \u8bf7\u6c42\u901f\u7387\u9650\u5236\u5668 HEAD \u8bf7\u6c42\u901f\u7387\u9650\u5236\u5668Head-Req
\u6b21/\u79d2 0.05 5 / \u8fd4\u56de 429 \u9519\u8bef \u65ad\u70b9\u7eed\u4f20\u8bf7\u6c42\u901f\u7387\u9650\u5236\u5668Partial-Req
\u6b21/\u79d2 1 10 / \u8fd4\u56de 429 \u9519\u8bef \u65ad\u70b9\u7eed\u4f20\u8fde\u63a5\u6570\u9650\u5236\u5668Partial-Conn
\u6761 1 0 / \u8fd4\u56de 429 \u9519\u8bef \u76ee\u5f55\u8bf7\u6c42\u901f\u7387\u9650\u5236\u5668Ls-Req
\u6b21/\u79d2 0.5 10 / \u8fd4\u56de 429 \u9519\u8bef \u6587\u4ef6\u8bf7\u6c42\u901f\u7387\u9650\u5236\u5668File-Req
\u6b21/\u79d2 5 25 / \u8fd4\u56de 429 \u9519\u8bef \u6587\u4ef6\u8bf7\u6c42\u8fde\u63a5\u6570\u9650\u5236\u5668File-Conn
\u6761 100 0 / \u8fd4\u56de 429 \u9519\u8bef HEAD \u9650\u5236\u5668\u5df2\u5173\u95ed
\u8003\u8651\u5230 ZFS \u5bf9 dnode \u7684\u7f13\u5b58\u975e\u5e38\u6709\u6548\uff0c\u5728\u63a5\u5230 AOSC \u793e\u533a\u7684\u53cd\u9988\u540e\uff0c\u6211\u4eec\u5b8c\u5168\u5173\u95ed\u4e86 HEAD \u8bf7\u6c42\u6570\u9650\u5236\u5668\u3002
How lua-resty-limit-traffic works\u9650\u5236\u5668\u903b\u8f91\u4f7f\u7528 https://github.com/openresty/lua-resty-limit-traffic \u5b9e\u73b0\uff0c\u5176\u4e2d\u4e0a\u8868\u4ee3\u53f7\u5206\u522b\u5bf9\u5e94\u5176 req
, count
, conn
\u4e09\u79cd\u5b9e\u73b0\uff0ctraffic
\u5219 aggregate \u4e86 count
\u4e4b\u5916\u7684\u9650\u5236\u5668\uff0c\u8fd4\u56de\u6700\u5927\u7684\u5ef6\u8fdf\u3002
req
\u7684\u6838\u5fc3\u516c\u5f0f\u662f\uff1aexcess = max(excess - rate * elapsed / 1000 + 1000, 0)
\uff0c\u5176\u4e2d\u65f6\u95f4\u5355\u4f4d\u662f\u6beb\u79d2\uff08rate
\u548c burst
\u53c2\u6570\u8ba1\u7b97\u65f6\u90fd\u9700\u8981\u4e58\u4ee5 1000\uff09\u3002excess
\u4f1a\u5148\u548c burst
\u6bd4\u8f83\uff08\u5982\u679c\u8d85\u51fa\uff0c\u5219 reject\uff09\uff0c\u5982\u679c\u6ca1\u6709\u8d85\u51fa\uff0c\u5219 delay excess / rate
\u79d2\u3002
\u5f53 elapsed = 1000/rate \u65f6\uff0c\u6070\u597d\u4e0d\u4f1a\u589e\u52a0 excess
\u7684\u503c\uff0c\u6b64\u65f6 1 \u79d2\u5185\u6070\u597d\u53ef\u4ee5\u5bb9\u7eb3 rate \u4e2a\u8bf7\u6c42\uff1b\u5f53 elapsed = 1000/(rate+burst) \u65f6\uff0cexcess
\u589e\u91cf\u4e3a 1000(1-r/(r+b))\uff0c\u6b64\u65f6 1 \u79d2\u5185\u6070\u597d\u6709 (rate+burst) \u4e2a\u8bf7\u6c42\u4e0d\u4f1a\u88ab reject\u3002
\u7406\u60f3\u60c5\u51b5\u4e0b\u7684\u4f8b\u5b50\uff1a\u5982\u679c rate = 40r/s = 40 * 1000 r/ms\uff0c\u5219 elapsed \u9700\u8981\u81f3\u5c11\u4e3a 1/40 \u79d2\uff0825 \u6beb\u79d2\uff09\uff0c\u624d\u80fd\u548c\u540e\u9762\u7684 + 1000
\u62b5\u6d88\uff0c\u5426\u5219 excess
\u4f1a\u4e00\u76f4\u589e\u52a0\u3002\u5982\u679c burst = 100r/s = 100 * 1000 r/ms\uff0c\u90a3\u4e48\u5047\u8bbe\u6709\u7528\u6237\u6bcf 1/140 \u79d2\uff087.1 \u6beb\u79d2\uff09\u8bbf\u95ee\u4e00\u6b21\uff0c\u90a3\u4e48 excess
\u6bcf\u6b21\u4f1a\u589e\u52a0 714.28\uff0c\u5982\u679c\u6709 140 \u4e2a\u8fd9\u6837\u7684\u8bf7\u6c42\uff0c\u90a3\u4e48 excess
\u7684\u503c\u5219\u6070\u597d\u662f burst
\u7684\u503c\u3002
count
\u7684\u903b\u8f91\u7b80\u5355\u5f88\u591a\uff0c\u4f7f\u7528 lua-nginx-module \u5e26\u7684 https://github.com/openresty/lua-nginx-module?tab=readme-ov-file#ngxshareddictincr \u4e3a\u6bcf\u6b21\u81ea\u589e\u8bbe\u7f6e TTL \u5373\u53ef\u3002
conn
\u4f7f\u7528\u5b57\u5178\u8ba1\u6570\u5668\u7edf\u8ba1\u5f53\u524d\u8fde\u63a5\u6570\uff0c\u5982\u679c\u8d85\u8fc7\u4e86 max + burst
\uff0c\u5219 reject\u3002\u5426\u5219\u5982\u679c\u8d85\u8fc7\u4e86 max
\u5219\u5ef6\u8fdf unit_delay * floor((conn - 1) / max)
\u79d2\u3002unit_delay
\u8d77\u59cb\u4e3a\u7528\u6237\u7ed9\u5b9a\u7684\u503c\uff0c\u5728\u4e4b\u540e\u4f1a\u6309\u7167 unit_delay = (req_latency + unit_delay) / 2
\u5b9a\u65f6\u8c03\u6574\u3002
\u5230\u8fbe\u9608\u503c\u540e\u4f1a\u53d1\u751f\u4ec0\u4e48\uff1f
\u9650\u5236\u5668\u4e4b\u95f4\u76f8\u4e92\u72ec\u7acb\uff0c\u5f53\u88ab\u89e6\u53d1\u7684\u6240\u6709\u9650\u5236\u5668\u4ea7\u751f\u4e0d\u4e00\u81f4\u7684\u7b49\u5f85\u65f6\u95f4\u65f6\uff0c\u5e94\u7528\u6700\u957f\u7684\u7b49\u5f85\u65f6\u95f4\u3002
"},{"location":"services/mirrors/limiter/#large-files","title":"\u5927\u6587\u4ef6\u4e0b\u8f7d\u901f\u5ea6\u9650\u5236","text":"\u4ee3\u7801\u4f4d\u4e8e /etc/nginx/lua/header_filter.lua
\u9488\u5bf9\u5927\u6587\u4ef6\u4e0b\u8f7d\uff0c\u9650\u5236\u6bcf\u4e2a\u6587\u4ef6\u7684\u603b\u5e26\u5bbd\u4e3a 1 Gbps\uff0c\u4ee5\u907f\u514d\u5927\u6587\u4ef6\u6d41\u91cf\u5360\u6ee1\u603b\u5e26\u5bbd\u3002
\u6ce8\u610f\u4e8b\u9879
\u5982\u679c\u6709\u591a\u4e2a\u6587\u4ef6\u9762\u4e34\u9ad8\u538b\u529b\u8bbf\u95ee\uff0c\u603b\u5e26\u5bbd\u4f9d\u7136\u53ef\u80fd\u88ab\u5360\u6ee1
\u5177\u4f53\u505a\u6cd5\u4e3a\uff0c\u8bbe\u7f6e\u4e0b\u8f7d\u901f\u5ea6\u9608\u503c = 1 Gbps / (\u8be5\u5927\u6587\u4ef6\u7684\u540c\u65f6\u8fde\u63a5\u6570 + 1)
\u5f53\u4e0b\u8f7d\u7684\u6587\u4ef6\u65e0\u7a77\u5927\u65f6\uff0c\u5c06\u51fa\u73b0\u6700\u5dee\u60c5\u5f62\uff0c\u5373\u7528\u6237\u88ab\u5206\u914d\u5230\u7684\u4e0b\u8f7d\u901f\u7387\u670d\u4ece\u7c7b\u8c03\u548c\u7ea7\u6570\uff0c\u51fd\u6570\u53d1\u6563\u3002\u5b9e\u9645\u60c5\u51b5\u4e0b\uff0c\u65e9\u671f\u7528\u6237\u4e0b\u8f7d\u5b8c\u6210\u540e\u8fde\u63a5\u91ca\u653e\uff0c\u6700\u7ec8\u5e26\u5bbd\u5c06\u6536\u655b\u5230 1 Gbps\u3002
\u6ce8\uff1a\u5927\u6587\u4ef6\u5b9a\u4e49\u53c2\u7167\u76ee\u524d\u7684 Lua \u811a\u672c\u914d\u7f6e\u3002
"},{"location":"services/mirrors/limiter/#nginx-js-challenge","title":"Nginx JavaScript \u6311\u6218","text":"\u4ee3\u7801\u4f4d\u4e8e /etc/nginx/lua/access-with-challenge.lua
\u4e3a\u4e86\u62b5\u6297\u201c\u8fc5\u96f7\u653b\u51fb\u201d\u3002\u5bf9\u4e8e\u7279\u5b9a\u7c7b\u578b\u7684\u6587\u4ef6\uff0c\u5f00\u542f\u4e86 JS \u6311\u6218\u3002\u5982\u679c\u5ba2\u6237\u7aef User-Agent \u4e3a Mozilla\uff08\u5373\u6d4f\u89c8\u5668\uff09\uff0c\u5219\u53d1\u9001\u4e00\u6bb5\u5305\u542b JS \u811a\u672c\u7684\u9875\u9762\uff0c\u68c0\u9a8c\u8fd0\u884c\u7684\u7ed3\u679c\u3002\u5982\u679c\u6311\u6218\u5931\u8d25\uff0c\u5219\u7981\u6b62\u8bbf\u95ee\u3002
\u88ab\u4fdd\u62a4\u7684\u6587\u4ef6\u7c7b\u578b\u53c2\u89c1 /etc/nginx/conf.d/map_access.conf\uff0c\u90e8\u5206\u5185\u5bb9\u8282\u9009\u5982\u4e0b\uff1a
map $uri $access_url_type {\n default 0;\n\n # 1: large files\n \"~*\\.(iso|exe|dmg|run|zip|tar)$\" 1;\n}\n
"},{"location":"services/mirrors/limiter/#robots","title":"\u722c\u866b\u9650\u5236","text":"\u4ee3\u7801\u4f4d\u4e8e map_access.conf
\uff08\u89c1\u4e0a\uff09\u548c /etc/nginx/snippets/robots\uff0c\u5229\u7528 nginx \u7684 map
\u5b9e\u73b0\u7ec4\u5408\u903b\u8f91\uff0c\u8fdb\u884c\u5982\u4e0b\u9650\u5236\uff1a
Rsync \u670d\u52a1\u8bbe\u7f6e\u4e86\u603b\u8fde\u63a5\u6570\u9650\u5236\u3002\u5373\uff1a\u5f53\u5efa\u7acb\u7684\u8fde\u63a5\u6570\u5230\u8fbe\u67d0\u4e2a\u9608\u503c\u540e\uff0c\u62d2\u7edd\u4e4b\u540e\u6536\u5230\u7684\u8fde\u63a5\u3002
\u5386\u53f2\u8bb0\u5f55
\u4ee5\u524d HTTP \u548c Rsync \u670d\u52a1\u7531\u540c\u4e00\u53f0\u670d\u52a1\u5668\u63d0\u4f9b\uff0c\u7531\u4e8e\u767d\u5929 HTTP \u8bbf\u95ee\u538b\u529b\u8f83\u5927\uff0c\u591c\u665a HTTP \u8bbf\u95ee\u91cf\u8f83\u5c0f\uff0c\u4e3a\u4e86\u5b9e\u73b0\u9519\u5cf0\u540c\u6b65\uff0c\u4fdd\u8bc1\u767d\u5929 HTTP \u7684\u670d\u52a1\u8d28\u91cf\uff0c\u56e0\u6b64\u9488\u5bf9\u4e0d\u540c\u65f6\u6bb5\u8bbe\u7f6e\u4e86\u4e0d\u540c\u7684\u9608\u503c\uff0c\u5177\u4f53\u5982\u4e0b\uff1a
\u5728 2020 \u5e74 8 \u6708 25 \u65e5\u540e\uff0c\u7531\u4e8e\u66f4\u6362\u4e86\u65b0\u670d\u52a1\u5668\uff0cRsync \u7531\u5355\u72ec\u673a\u5668\u63d0\u4f9b\u670d\u52a1\uff0c\u603b\u8fde\u63a5\u6570\u63d0\u5347\u5230\u4e86\u5168\u5929 60 \u4e2a\u8fde\u63a5\u3002
\u7279\u522b\u7684\uff0c\u79d1\u5927\u6821\u5185 IP \u5730\u5740\u53d7\u5230 rsync \u8fde\u63a5\u6570\u9650\u5236\u3002
"},{"location":"services/mirrors/limiter/#interface-limit","title":"\u7f51\u7edc\u63a5\u53e3\u7ea7\u522b\u9650\u5236","text":"mirrors \u5e38\u6001\u4e0b\u6ca1\u6709\u7f51\u7edc\u63a5\u53e3\u9650\u5236\uff0c\u4f46\u5728\u9700\u8981\u4e34\u65f6\u5bf9\u67d0\u4e00\u63a5\u53e3\u8fdb\u884c\u9650\u5236\u65f6\uff0c\u53ef\u4ee5\u4f7f\u7528 tc \u6765\u5b8c\u6210\u3002
\u4f8b\u5982\u53ef\u4ee5\u53c2\u8003\u8fd9\u4efd\u56de\u7b54\uff1aiptables - Limiting interface bandwidth with tc under Linux - Server Fault\uff0c\u4f7f\u7528\u5982\u4e0b\u6307\u4ee4\u9650\u5236\u67d0\u4e00\u63a5\u53e3\u7684\u7f51\u7edc\u901f\u7387\u4e3a 1.5Gbps\uff1a
tc qdisc add dev <interface> root handle 1: tbf rate 1500Mbit burst 750K latency 14ms\n
\u8fd9\u91cc\u4f7f\u7528\u4e86 TBF\uff08\u4ee4\u724c\u6876\uff09\u7b97\u6cd5\uff0c\u540e\u9762\u7684 burst \u548c latency \u53c2\u6570\u610f\u4e49\u53ef\u4ee5\u53c2\u89c1 man tc-tbf
\u3002 \u5177\u4f53\u800c\u8a00\uff0clatency \u6ca1\u6709\u63a8\u8350\u503c\uff0c\u4f46 burst \u8981\u6c42\u81f3\u5c11\u4e3a rate / HZ
\uff0cHZ = 100 \u65f6 10Mbps \u81f3\u5c11\u7ea6 10MB\u3002 HZ \u7684\u503c\u9700\u8981\u4ece\u5185\u6838\u7684\u7f16\u8bd1\u53c2\u6570\u4e2d\u67e5\u770b\uff1aegrep '^CONFIG_HZ_[0-9]+' /boot/config-`uname -r`
\u3002\u73b0\u4ee3\u53d1\u884c\u7248\u63d0\u4f9b\u7684\u5185\u6838\u4e2d\u8fd9\u4e2a\u503c\u4e00\u822c\u4e3a 250\u3002
\u53c2\u8003\u8d44\u6599\uff1aBucket size in tbf
\u76ee\u524d\u90e8\u7f72\u7684\u9650\u5236\u6709\uff1a
\u5728 mirrors4 \u4e0a\u8be5\u914d\u7f6e\u7684\u5f00\u673a\u81ea\u542f\u5206\u522b\u4f4d\u4e8e tc-unicom.service
\u548c tc-telecom.service
\u4e24\u4e2a\u670d\u52a1\u4e2d\uff0c\u5176\u4e2d tc-unicom.service
\u914d\u7f6e\u5982\u4e0b\uff1a
[Unit]\nDescription=Rate Limiting for Unicom Interface\n\n[Service]\nType=oneshot\nRemainAfterExit=true\nExecStart=/usr/sbin/tc qdisc replace dev unicom root handle 1: tbf rate 1500Mbit burst 750K latency 14ms\nExecStop=/usr/sbin/tc qdisc delete dev unicom root handle 1\n\n[Install]\nWantedBy=sys-subsystem-net-devices-unicom.device\n
Install \u90e8\u5206\u7684 WantedBy \u4f7f\u7528\u8fd9\u79cd\u5199\u6cd5\u53ef\u4ee5\u4f7f\u8be5\u670d\u52a1\u4f9d\u8d56\u4e8e\u540d\u4e3a unicom
\u7684\u7f51\u53e3\uff0c\u8be6\u7ec6\u56de\u7b54\u53ef\u4ee5\u770b What is the systemd-networkd equivalent of post-up?\u3002
\u5bf9\u4e8e\u6ee5\u7528\u7684 IP \u6bb5\uff0c\u53ef\u4ee5\u4f7f\u7528 ipset \u548c iptables \u5b9e\u73b0\u9ed1\u540d\u5355\u9650\u5236\u3002 ipset \u5c06\u67d0\u4e2a IP \u5339\u914d\u5230\u4e00\u4e2a\u96c6\u5408\u4e2d\uff0ciptables \u518d\u9488\u5bf9\u67d0\u4e00\u96c6\u5408\u8fdb\u884c\u9650\u5236\u3002
ipset \u548c iptables \u7684\u4f7f\u7528\u53ef\u4ee5\u53c2\u8003\uff1aIpset - Arch Wiki \u3002
\u6211\u4eec\u5df2\u5728 mirrors4 \u4e0a\u914d\u7f6e\u4e86 blacklist
\u548c blacklist6
\u96c6\u5408\uff0c\u82e5\u8981\u5c01\u7981\u67d0\u4e2a IP \u6216\u7f51\u6bb5\uff0c\u53ef\u4ee5\u76f4\u63a5\u5c06\u8be5\u7f51\u6bb5\u52a0\u5165\u96c6\u5408\uff0c\u4f8b\u5982\uff1a
ipset add blacklist 192.0.2.0/24\nipset add blacklist6 2001:db8:114:514::/64\n
\u4e0e iptables \u7c7b\u4f3c\uff0cipset \u4e5f\u9700\u8981\u6301\u4e45\u5316\u3002\u5c01\u7981\u540d\u5355\u7684\u6587\u4ef6\u4f4d\u4e8e\uff08mirrors4\uff09/usr/local/network_config/iptables/blacklist.list
\uff0c\u4fee\u6539\u6b64\u6587\u4ef6\u589e\u51cf\u6761\u76ee\u540e\u8fd0\u884c\u8be5\u76ee\u5f55\u4e0b\u7684 apply.sh
\u5373\u53ef\u3002
\u7531\u4e8e\u5c01\u7981\u4ec5\u5bf9\u65b0\u5efa\u7acb\u7684\u8fde\u63a5\u6709\u6548\uff0c\u8bf7\u5728\u4fee\u6539\u5c01\u7981\u540d\u5355\u540e\uff0c\u4f7f\u7528 ss -K dst \u5bf9\u5e94\u7684\u7f51\u6bb5
\u5173\u95ed\u5df2\u7ecf\u5efa\u7acb\u7684\u8fde\u63a5\uff08\u4f8b\u5982\u5bf9\u4e8e\u4ee5\u4e0a\u4e24\u884c\u89c4\u5219\uff0c\u547d\u4ee4\u5206\u522b\u4e3a ss -K dst 192.0.2.0/24
\u4e0e ss -K dst 2001:db8:114:514::/64
\uff09\u3002
\u6211\u4eec\u4f7f\u7528\u8f6f\u4ef6\u6e90\u91cc\u7684 ipset-persistent
\u5305\u6765\u5e2e\u52a9 ipset \u5728\u5f00\u673a\u65f6\u81ea\u52a8\u6062\u590d\uff0c\u8be5\u8f6f\u4ef6\u5305\u4f1a\u5728\u5f00\u673a\u52a0\u8f7d iptables \u524d\u5148\u4ece /etc/iptables/ipsets
\u4e2d\u6062\u590d ipset \u4ee5\u786e\u4fdd iptables \u4e2d\u7684\u5f15\u7528\u80fd\u6b63\u786e\u5904\u7406\u3002
\u56e0\u4e3a ipset-persistent \u5728\u5f00\u673a\u65f6\u81ea\u52a8\u52a0\u8f7d\uff0c\u6211\u4eec\u9009\u62e9\u4ec5\u52a0\u8f7d\u4e00\u4e2a\u8f83\u5c0f\u7684\u5b50\u96c6\uff0c\u5305\u542b\u5fc5\u8981\u914d\u7f6e\uff08create set\uff09\u548c\u8f83\u5c11\u53d1\u751f\u53d8\u5316\u7684\u5185\u5bb9\uff08\u5982 ustcnet \u7684\u7f51\u6bb5\uff09\u3002\u76ee\u524d /etc/iptables/ipsets
\u5305\u542b\u4ee5\u4e0b\u5185\u5bb9\uff1a
create ustcnet hash:net family inet hashsize 1024 maxelem 65536\ncreate f2b-sshd hash:ip family inet hashsize 1024 maxelem 65536 timeout 3600\ncreate blacklist hash:net family inet hashsize 1024 maxelem 65536\ncreate blacklist6 hash:net family inet6 hashsize 1024 maxelem 65536\n\nadd ustcnet 202.38.64.0/19\n# more ustcnet entries...\n
"},{"location":"services/mirrors/limiter/#403","title":"403 \u9875\u9762","text":"\u76ee\u524d mirrors4 \u5c06\u6765\u6e90 IP \u5c5e\u4e8e blacklist
\u6216 blacklist6
\u96c6\u5408\u4e14\u76ee\u6807\u7aef\u53e3\u4e3a 80 \u6216 443 \u7684\u8fde\u63a5\u91cd\u5b9a\u5411\u81f3 403 \u7aef\u53e3\u3002403 \u9875\u9762\u4f4d\u4e8e /var/www/html/403.html
\u3002
\u76f8\u5173 nginx \u914d\u7f6e\u4f4d\u4e8e /etc/nginx/sites-available/mirrors.ustc.edu.cn-403\u3002
\u6211\u4eec\u4f7f\u7528 ip{,6}tables
\u5c06\u5bf9 80 \u6216 443 \u7aef\u53e3\u7684\u8bbf\u95ee\u91cd\u5b9a\u5411\u81f3 403 \u7aef\u53e3\uff0c\u5728 nat
\u8868\u7684 PREROUTING
\u94fe\u6dfb\u52a0\u89c4\u5219\uff1a
-A PREROUTING -m set --match-set blacklist src -p tcp -m multiport --dports 80,443 -j REDIRECT --to-port 403\n
\u5e76\u5728 filter
\u8868 BLACKLIST
\u94fe\u653e\u884c\u5df2\u5efa\u7acb\u8fde\u63a5\uff0c\u5bf9 403 \u7aef\u53e3\u9650\u901f\uff1a
-A BLACKLIST -m conntrack --ctstate ESTABLISHED -j RETURN\n-A BLACKLIST -p tcp --dport 403 -m hashlimit --hashlimit-upto 60/min --hashlimit-burst 5 --hashlimit-mode srcip --hashlimit-srcmask 64 --hashlimit-name nginx-403 --hashlimit-htable-expire 60000 -j RETURN\n-A BLACKLIST -j DROP\n
"},{"location":"services/mirrors/monitor/","title":"Mirrors-specific monitoring","text":""},{"location":"services/mirrors/monitor/#connections-users-online","title":"Connections (Users online)","text":"/etc/telegraf/telegraf.d/exec.conf[[inputs.exec]]\n commands = [\n \"/opt/monitor/telegraf/connection.sh 21:80:443:873:9418\",\n \"/opt/monitor/telegraf/nfacct.sh\",\n \"/opt/monitor/telegraf/process.sh\",\n ]\n timeout = \"5s\"\n data_format = \"influx\"\n
/opt/monitor/telegraf/connection.sh#!/bin/bash\n\nport_list_input=${1//:/|}\nport_list=${port_list_input:-\"80|443\"}\nnetstat -ntW | gawk '{print tolower($6),gensub(/^(.+):([^:]+)$/,\"\\\\1 \\\\2\",\"g\",$4)}' | grep -P \" ($port_list)\\$\" | sort | uniq -c | sort -k 4 -k 3 | awk \"{printf(\\\"connection,protocol=tcp,port=%s,address=%s %s=%s\\n\\\",\\$4,\\$3,\\$2,\\$1)}\"\nnetstat -ntW | gawk '{print tolower($6),gensub(/^(.+):([^:]+)$/,\"\\\\2\",\"g\",$4)}' | grep -P \" ($port_list)\\$\" | sort | uniq -c | sort -k 3 | awk \"{printf(\\\"connection,protocol=tcp,port=%s,address=any %s=%s\\n\\\",\\$3,\\$2,\\$1)}\"\n
/opt/monitor/telegraf/nfacct.sh#!/bin/bash\n\nsudo nfacct list | awk '-F[ ,;]' \"{printf(\\\"nfacct,object=%s bytes=%i,pkgs=%i\\n\\\",\\$11,\\$8,\\$4)}\"\n
/opt/monitor/telegraf/process.sh#!/bin/sh\n\nps -e -o s= -o comm= |\n grep -v '^[SI] ' |\n sed 's|/.*$|/|g' |\n sort | uniq -c |\n awk '{printf(\"process,state=%s,name=%s count=%ii\\n\",$2,$3,$1)}'\n
"},{"location":"services/mirrors/repos/","title":"Repositories","text":"\u955c\u50cf\u7ad9\u670d\u52a1\u5668\u7edf\u4e00\u4f7f\u7528 /srv/repo
\u5b58\u50a8\u955c\u50cf\u4ed3\u5e93\u3002
\u6839\u636e\u670d\u52a1\u5668\u4f7f\u7528\u7684\u6587\u4ef6\u7cfb\u7edf\uff0c\u53c2\u8003 ZFS \u6216\u8005 XFS\u3002
"},{"location":"services/mirrors/repos/#_2","title":"\u6dfb\u52a0\u540c\u6b65\u914d\u7f6e","text":"\u7167\u7740 /home/mirror/repos
\u4e0b\u7684\u73b0\u6709\u6587\u4ef6\u81ea\u5df1\u7814\u7a76\u4e00\u4e0b\u5427\uff0c\u8fd9\u4e2a\u4e0d\u96be\u3002\u9700\u8981\u6ce8\u610f\u7684\u5c31\u4e00\u70b9\uff0c\u6587\u4ef6\u540d\u7ed3\u5c3e\u5fc5\u987b\u662f .yaml
\uff08\u800c\u4e0d\u80fd\u662f .yml
\uff09\uff0c\u8fd9\u662f Yuki \u4ee3\u7801\u91cc\u5199\u7684\u3002
\u51b3\u5b9a bindIP
\u6216 network
\u7684\u503c
\u955c\u50cf\u7ad9\u6709\u591a\u4e2a\u6765\u81ea\u4e0d\u540c\u8fd0\u8425\u5546\u7684 IP \u53ef\u7528\u4e8e\u540c\u6b65\u4efb\u52a1\u3002\u7531\u4e8e\u7f51\u7edc\u73af\u5883\u7684\u4e0d\u786e\u5b9a\u6027\uff0c\u6709\u65f6\u4f1a\u51fa\u73b0\u67d0\u4e2a IP \u540c\u6b65\u901f\u5ea6\u6781\u6162\u7684\u60c5\u51b5\u3002
@taoky \u7684 admirror-speedtest \u53ef\u4ee5\u5e2e\u52a9\u51b3\u5b9a\u6700\u5feb\u901f\u7684 IP\u3002
\u53e6\u5916\uff0cbindIP
\u4e0d\u9002\u7528\u4e8e\u6240\u6709\u7684\u540c\u6b65\u955c\u50cf\uff08\u4e00\u90e8\u5206\u7a0b\u5e8f\u4e0d\u652f\u6301\u4fee\u6539 bind()
\u7684\u53c2\u6570\uff09\uff0c\u6b64\u65f6\u53ef\u4ee5\u4f7f\u7528\u57fa\u4e8e Docker Network \u7684 network
\u914d\u7f6e\u3002
\u5199\u597d\u65b0\u4ed3\u5e93\u7684\u914d\u7f6e\u6587\u4ef6\u4e4b\u540e\u8fd0\u884c yuki reload
\uff0c\u7136\u540e yuki sync <repo>
\u5c31\u53ef\u4ee5\u5f00\u59cb\u521d\u6b21\u540c\u6b65\u4e86\u3002
/srv/git
","text":"git-daemon.service
\u6839\u636e /srv/git
\u4e0b\u7684\u5185\u5bb9\u5bf9\u5916\u63d0\u4f9b Git \u670d\u52a1\u3002\u6240\u4ee5\u5982\u679c\u662f git \u7c7b\u578b\u7684\u4ed3\u5e93\uff0c\u9700\u8981\u6dfb\u52a0\u8f6f\u94fe\u63a5\uff0c\u5426\u5219\u65e0\u6cd5\u4f7f\u7528 git://
\u7684\u534f\u8bae\u8bbf\u95ee\u3002\uff08http(s)://
\u534f\u8bae\u6ca1\u6709\u95ee\u9898\uff09
Git \u4ed3\u5e93\u670d\u52a1\u7684\u5176\u4ed6\u76f8\u5173\u914d\u7f6e
\u90e8\u5206\u514b\u9686\u914d\u7f6e (See https://github.com/ustclug/discussions/issues/432)\uff1a
/etc/gitconfig[uploadpack]\n allowfilter = true\n
\u7531\u4e8e git daemon/fcgiwrap \u7684\u7528\u6237\u4e0d\u662f mirror\uff0c\u6240\u4ee5\u9700\u8981\u8bbe\u7f6e\u7ed5\u8fc7 git \u65b0\u7684\u5b89\u5168\u9650\u5236\uff1a
/etc/gitconfig[safe]\n directory = *\n
"},{"location":"services/mirrors/repos/#_3","title":"\u79fb\u52a8\uff08\u5220\u9664\uff09\u4e00\u4e2a\u4ed3\u5e93","text":"Note
\u4ee5\u4e0b\u4ee5 2023 \u5e74 12 \u6708 27 \u65e5\u5c06 .private/sb
\u79fb\u52a8\u5230 sb
\u7684\u64cd\u4f5c\u4e3a\u4f8b\u5b50\uff0c\u4ecb\u7ecd\u6211\u4eec\u9700\u8981\u505a\u7684\u4e8b\u60c5\u3002
\u5f7c\u65f6\u7684 mirrors4 \u4ecd\u7136\u4f7f\u7528 XFS\uff0c\u5bf9\u4e8e\u4f7f\u7528 ZFS \u7684\u670d\u52a1\u5668\uff0c\u6587\u4ef6\u90e8\u5206\u64cd\u4f5c\u6709\u6240\u4e0d\u540c\u3002
"},{"location":"services/mirrors/repos/#sb","title":"\u521b\u5efasb
\u76ee\u5f55","text":"\u53c2\u8003\u4e0a\u6587\uff0c\u521b\u5efa\u76ee\u5f55\uff0c\u4fee\u6539 /etc/projects
\u7684\u8def\u5f84\uff08ID \u4e0d\u9700\u8981\u4fee\u6539\uff09\uff0c\u7136\u540e\u6267\u884c\u76f8\u5173\u7684 xfs_quota
\u547d\u4ee4\uff08\u89c1 XFS\uff09\u3002
\u7531\u4e8e\u6211\u4eec\u7684\u4f8b\u5b50\u662f\u79fb\u52a8\u76ee\u5f55\uff0c\u53ef\u4ee5\u76f4\u63a5\u4f7f\u7528 mv
\u547d\u4ee4\uff08sb
\u4ed3\u5e93\u5f88\u5c0f\uff09\u3002
\u4fee\u6539 /home/mirror/repos/sb.yaml
\uff0c\u5c06 path
\u4fee\u6539\u4e3a /srv/repo/sb
\u3002\u7136\u540e\u91cd\u65b0\u52a0\u8f7d\uff1a
yukictl reload sb\n
"},{"location":"services/mirrors/repos/#rsync-attrs","title":"\u6d4b\u8bd5\u540c\u6b65\uff0c\u5e76\u5220\u9664 rsync-attrs \u4e2d\u7684\u65e7\u76ee\u5f55","text":"yukictl sync --debug sb\n
\u786e\u8ba4\u540c\u6b65\u65e0\u8bef\u540e\uff0c\u68c0\u67e5 /srv/rsync-attrs
\u7684\u5185\u5bb9\uff0c\u5e76\u5220\u9664\u65e7\u76ee\u5f55 /srv/rsync-attrs/.private
\u3002
/srv/rsync-attrs
\u8be5\u76ee\u5f55\u7684\u7528\u9014\u662f\u4e3a\u574f\u4eba\u4fee\u6539\u7248\u7684 rsyncd\uff08\u5373 rsyncd-huai\uff09\u63d0\u4f9b\u5feb\u901f\u7684\u6587\u4ef6\u5c5e\u6027\u67e5\u8be2\uff08\u5bf9\u5e94\u4f7f\u7528 Reiserfs \u683c\u5f0f\u5316\uff0c\u6302\u8f7d\u5728 SSD \u4e0a\uff09\u3002 \u540c\u65f6\u8be5\u76ee\u5f55\u4e5f\u7528\u4e8e\u4e3b\u9875\u751f\u6210\u3002
"},{"location":"services/mirrors/repos/#nginx","title":"\u4fee\u6539 nginx \u914d\u7f6e","text":"\u7531\u4e8e\u6211\u4eec\u8fd9\u91cc\u662f\u79fb\u52a8\u4ed3\u5e93\uff0c\u4e3a\u4e86\u4fdd\u8bc1\u65e7\u7528\u6237\u80fd\u591f\u6b63\u5e38\u4f7f\u7528\uff0c\u9700\u8981\u4fee\u6539 nginx \u914d\u7f6e\uff0c\u5c06\u65e7\u7684\u8def\u5f84\u91cd\u5b9a\u5411\u5230\u65b0\u7684\u8def\u5f84\u3002
\u76f8\u5173\u7684\u914d\u7f6e\u4e00\u822c\u4f4d\u4e8e /etc/nginx/snippets/mirrors-locations
\uff0c\u672c\u6b21\u6211\u4eec\u65b0\u589e\u7684\u5185\u5bb9\u5982\u4e0b\uff1a
location /.private/sb/ {\n rewrite ^/.private(/sb/.*$) $1 permanent;\n}\n
Nginx rewrite \u76f8\u5173\u7684\u8bed\u6cd5\u77e5\u8bc6\u9700\u8bfb\u8005\u81ea\u884c\u5b66\u4e60\u3002
\u4fee\u6539\u5b8c\u6210\u540e\uff0c\u91cd\u8f7d\u914d\u7f6e\uff1a
nginx -t\nnginx -s reload # \u6216\u8005 systemctl reload nginx\n
\u5e76\u4e14 commit \u6709\u5173\u4fee\u6539\uff1a
git -c user.name=\u4f60\u7684\u540d\u5b57 -c user.email=\u4f60\u7684\u90ae\u7bb1 commit -m \"...\"\n
"},{"location":"services/mirrors/repos/#rsync-proxy-rsyncd","title":"\u4fee\u6539 rsync-proxy \u4e0e rsyncd \u914d\u7f6e","text":"rsync-proxy \u4e3a\u8fd1\u5e74\u6765\u6211\u4eec\u81ea\u884c\u7f16\u5199\u7684 rsync \u53cd\u5411\u4ee3\u7406\u670d\u52a1\u3002 \u4fee\u6539\u4e86 /etc/rsync-proxy/config.toml
\uff0c\u5220\u9664 mirrors2 \u4e2d\u7684 \".private\"
\u9879\uff0c\u5728 mirrors4 \u4e2d\u65b0\u589e \"sb\"
\u9879\u3002
\u56e0\u4e3a rsync-proxy \u6700\u7ec8\u8fd8\u9700\u8981\u8fde\u63a5\u5230\u540e\u7aef\u7684 rsyncd\uff0c\u56e0\u6b64 mirrors4 \u7684 rsyncd \u914d\u7f6e\u4e5f\u9700\u8981\u4fee\u6539\u3002 \u5728 /etc/rsyncd
\u4e0b\u6267\u884c python3 generate_common.py --write
\u5199\u5165\u914d\u7f6e\uff0c\u4f7f\u7528 git diff
\u68c0\u67e5\u65e0\u8bef\u540e git commit
\u3002 rsyncd \u914d\u7f6e\u4e2d\u5305\u542b\u4e0d\u516c\u5f00 rsync \u7684\u5185\u5bb9\uff08\u5982 git \u76ee\u5f55\uff09\u4e0d\u4f1a\u5bfc\u81f4\u95ee\u9898\uff0c\u56e0\u4e3a\u6240\u6709\u7528\u6237\u63a5\u89e6\u5230\u7684\u90fd\u662f rsync-proxy\u3002
\u786e\u8ba4\u540e\u91cd\u8f7d rsync-proxy:
systemctl reload rsync-proxy\n
Rsyncd \u4e0d\u9700\u8981\u91cd\u8f7d\uff1a\u6bcf\u4e2a\u6709\u6548\u8fde\u63a5\u4f1a\u542f\u52a8\u65b0\u8fdb\u7a0b\uff0c\u800c\u65b0\u8fdb\u7a0b\u4f1a\u91cd\u65b0\u8bfb\u53d6\u914d\u7f6e\u3002
"},{"location":"services/mirrors/repos/#mirrors2","title":"\u5220\u9664 mirrors2 \u4e0a\u7684\u4ed3\u5e93\u4e0e\u76f8\u5173\u9879","text":"\u6267\u884c yukictl repo rm sb
\uff0c\u7136\u540e\u5220\u9664 Yuki \u540c\u6b65\u914d\u7f6e\uff08~mirror/repos-etc/sb.yaml
\uff09\uff0c\u540c\u6837\u4e5f\u9700\u8981 git commit\u3002
\u4e4b\u540e\u5220\u9664\u5b58\u50a8\u7684\u5185\u5bb9\uff1a\u6267\u884c /sbin/zfs list
\u786e\u8ba4\u8981\u4e0b\u624b\u5220\u9664\u7684\u5b58\u50a8\u6c60\uff0c\u7136\u540e sudo zfs destroy pool0/repo/\u5bf9\u5e94\u7684\u540d\u5b57
\u5220\u9664\u3002
\u540c\u6837\uff0c/srv/rsync-attrs/.private
\u7684\u5185\u5bb9\u4e5f\u9700\u8981\u5220\u9664\u3002
rsync-huai \u662f\u574f\u4eba\u7684\u5143\u6570\u636e\u52a0\u901f\u7248\u7684 rsync\uff0c\u539f\u59cb\u4ee3\u7801\u5728 https://github.com/tuna/rsync\u3002
\u7531\u4e8e TUNA \u73b0\u5728\u4f7f\u7528\u5168\u95ea\u7684\u65b9\u6848\uff0c\u4e0d\u518d\u9700\u8981\u8fd9\u4e2a patch \u4e86\uff0c\u56e0\u6b64\u6211\u4eec\u81ea\u5df1\u7ef4\u62a4\u5bf9\u5e94\u7684\u7248\u672c\uff1ahttps://github.com/ustclug/rsync/tree/rsync-3.2.7\u3002
\u7279\u522b\u5730\uff0c/etc/systemd/system/rsyncd-huai@.service
\u5185\u5bb9\u5982\u4e0b\uff1a
[Unit]\nDescription=fast remote file copy program daemon\nConditionPathExists=/etc/rsyncd/rsyncd-%i.conf\nAfter=network.target network-online.target\n\n[Service]\nType=simple\nPIDFile=/run/rsyncd-%i.pid\nExecStart=/usr/bin/rsync-huai --daemon --no-detach --config=/etc/rsyncd/rsyncd-%i.conf\nIOSchedulingClass=best-effort\nIOSchedulingPriority=7\nIOAccounting=true\n\n[Install]\nWantedBy=multi-user.target\n
"},{"location":"services/mirrors/rsync/#rsync-proxy","title":"rsync-proxy","text":"\u8be6\u53c2 https://github.com/ustclug/rsync-proxy\u3002\u4e3a\u4e86\u8ba9\u670d\u52a1\u5668\u80fd\u591f\u8bb0\u5f55 IP \u4e0e\u8bbf\u95ee\u8def\u5f84\u7684\u5173\u7cfb\uff0c\u6211\u4eec\u6253\u5f00\u4e86 proxy protocol \u7279\u6027\u3002
"},{"location":"services/mirrors/services/","title":"\u955c\u50cf\u670d\u52a1","text":""},{"location":"services/mirrors/services/#_2","title":"\u9996\u9875\u751f\u6210","text":"\u955c\u50cf\u7ad9\u4e3b\u9875\u662f\u9759\u6001\u7684\uff0c\u7531 https://git.lug.ustc.edu.cn/mirrors/mirrors-index \u811a\u672c\u751f\u6210\u3002
crontab \u4f1a\u5b9a\u65f6\u8fd0\u884c\u8be5\u811a\u672c\uff0c\u751f\u6210\u9996\u9875\u548c mirrorz \u9879\u76ee\u9700\u8981\u7684\u6570\u636e\u3002
\u5728\u9996\u9875\u5c55\u793a\u7684\u300c\u83b7\u53d6\u5b89\u88c5\u955c\u50cf\u300d\u3001\u300c\u83b7\u53d6\u5f00\u6e90\u8f6f\u4ef6\u300d\u3001\u300c\u53cd\u5411\u4ee3\u7406\u5217\u8868\u300d\u5206\u522b\u7531 config \u5185\u914d\u7f6e\u6307\u5b9a\uff0c\u300c\u6587\u4ef6\u5217\u8868\u300d\u5185\u5bb9\u5219\u4f1a\u4ece\u540c\u6b65\u7a0b\u5e8f yuki \u7684 api \u4e2d\u83b7\u53d6\u3002
"},{"location":"services/mirrors/services/#http","title":"HTTP \u670d\u52a1","text":"Mirrors \u4f7f\u7528 OpenResty\uff08\u4e00\u4e2a\u6253\u5305 Nginx \u548c\u4e00\u5806\u6709\u7528\u7684 Lua \u6a21\u5757\u7684\u8f6f\u4ef6\u5305\uff09\u63d0\u4f9b HTTP \u670d\u52a1\u3002
\u914d\u7f6e\u6587\u4ef6\u4f4d\u4e8e LUG GitLab \u4e0a\uff1ahttps://git.lug.ustc.edu.cn/mirrors/nginx-config\uff0c\u6b64\u4ed3\u5e93\u5bf9\u5e94 mirrors \u4e0a\u7684 /etc/nginx
\u76ee\u5f55\u3002
\u89c1\u9650\u5236\u7b56\u7565\u3002
"},{"location":"services/mirrors/services/#repo-stats","title":"\u6bcf\u65e5\u6d41\u91cf\u7edf\u8ba1","text":"\u8bbf\u95ee\u8def\u5f84\uff1ahttps://mirrors.ustc.edu.cn/status/stats.json
\u811a\u672c\u4f4d\u4e8e https://git.lug.ustc.edu.cn/mirrors/sync/-/blob/scripts/repo_stats.py
\u6bcf\u5929\u5728 logrotate \u6eda\u5b8c nginx \u65e5\u5fd7\u540e\uff0c\u901a\u8fc7\u5206\u6790\u521a\u6eda\u51fa\u6765\u7684\u65e5\u5fd7\u6587\u4ef6\uff0c\u7edf\u8ba1\u6bcf\u4e2a\u4ed3\u5e93\u7684\u8bbf\u95ee\u91cf\u4e0e\u8f93\u51fa\u6d41\u91cf\uff08\u56e0\u6b64\u4ec5\u5305\u542b HTTP \u6d41\u91cf\u7edf\u8ba1\uff09\uff0c\u7136\u540e\u8f93\u51fa\u5230 json \u6587\u4ef6\uff0c\u5e76\u4e14\u989d\u5916\u8f93\u51fa\u4e00\u4efd json \u5230 /var/log/nginx/stats
\u4f5c\u4e3a\u5f52\u6863\u5b58\u50a8\uff0c\u65b9\u4fbf\u4ee5\u540e\u5206\u6790\u3002
\u9700\u8981\u6ce8\u610f\u7684\u662f\u8fd9\u4e2a\u811a\u672c\u662f\u7531 logrotate \u5728 nginx \u7684 postrotate script \u91cc\u8fd0\u884c\u7684\uff0c\u800c\u4e0d\u662f\u7531 cron \u6216\u8005 systemd timer\uff0c\u56e0\u6b64\u8c03\u7528\u5165\u53e3\u5728\u8fd9\u91cc\uff1a
/etc/logrotate.d/nginxpostrotate\n # [...]\n sudo -iu mirror ~mirror/scripts/repo_stats.py\nendscript\n
"},{"location":"services/mirrors/services/#rsync","title":"Rsync \u670d\u52a1","text":"\u672a\u5b8c\u5f85\u7eed\u3002
"},{"location":"services/mirrors/services/#_4","title":"\u53cd\u5411\u4ee3\u7406\u670d\u52a1","text":"\u672a\u5b8c\u5f85\u7eed\u3002
"},{"location":"services/mirrors/services/#git","title":"Git \u670d\u52a1","text":"Mirrors \u4e0a\u7684 Git \u670d\u52a1\u7531\u4e24\u90e8\u5206\u7ec4\u6210\uff1a
Git \u534f\u8bae\uff08TCP 9418 \u7aef\u53e3\uff09\u7531 git-daemon
\u76f4\u63a5\u63d0\u4f9b\u3002Git daemon \u7531\u6211\u4eec\u81ea\u5df1\u5199\u7684\u4e00\u4e2a systemd service \u8fd0\u884c\uff1a
[Unit]\nDescription=Git Daemon\nAfter=network.target\n\n[Service]\nType=exec\nNice=19\nIOSchedulingClass=best-effort\nIOSchedulingPriority=6\nExecStart=/usr/lib/git-core/git-daemon --user=gitdaemon --reuseaddr --verbose --export-all --forbid-override=receive-pack --timeout=180 --max-connections=32 --base-path=/srv/git\n\nSlice=system-cgi.slice\n\n[Install]\nWantedBy=multi-user.target\n
Git over HTTP \u7ecf\u8fc7 Nginx \u548c fcgiwrap \u7531 git-http-backend
\u63d0\u4f9b\u3002\u8003\u8651\u5230 fcgiwrap \u4e3b\u8981\u7528\u4e8e Git\uff0c\u6211\u4eec\u5c06\u5176\u653e\u5165\u540c\u4e00\u4e2a slice \u4e0e Git daemon \u5171\u4eab\u5185\u5b58\u9650\u5236\uff1a
[Service]\nType=exec\nNice=19\nIOSchedulingClass=best-effort\nIOSchedulingPriority=6\n\nSlice=system-cgi.slice\n
\u5176\u4e2d system-cgi.slice
\u662f\u6211\u4eec\u81ea\u5df1\u5b9a\u4e49\u7684\u4e00\u4e2a slice\uff0c\u7528\u4e8e\u9650\u5236 CGI \u670d\u52a1\u7684\u8d44\u6e90\u4f7f\u7528\u3002
[Unit]\nDescription=Slice for CGI services (notably Git daemon)\n\n[Slice]\nMemoryMax=32G\nMemoryHigh=28G\n\nIOAccounting=true\n
"},{"location":"services/mirrors/services/#ftp","title":"FTP \u670d\u52a1\uff08\u5df2\u5e9f\u5f03\uff09","text":"Mirrors \u66fe\u7ecf\u63d0\u4f9b FTP \u670d\u52a1\uff0c\u7531 vsftpd \u63d0\u4f9b\u3002\u5728\u5c06\u4e3b\u529b\u670d\u52a1\u5668\u4ece mirrors2 \u8fc1\u79fb\u81f3 mirrors4 \u65f6\u5e9f\u5f03\uff0c\u5373 mirrors4 \u4e0a\u4ece\u672a\u5b89\u88c5\u914d\u7f6e\u8fc7 vsftpd\uff08\u4f46 mirrors2 \u4e0a\u8fd8\u7559\u5b58\u6709\u914d\u7f6e\u6587\u4ef6\uff09\u3002
\u7531\u4e8e\u5e74\u4ee3\u4e45\u8fdc\u4e14\u6211\u4eec\u4e0d\u518d\u6253\u7b97\u6062\u590d FTP \u670d\u52a1\uff0c\u8fd9\u90e8\u5206\u6587\u6863\u4e5f\u5c31\u5495\u5495\u5495\u4e86\u3002
"},{"location":"services/mirrors/xfs/","title":"XFS","text":"\u5bf9\u4e8e\u4f7f\u7528 XFS \u5b58\u50a8\u955c\u50cf\u4ed3\u5e93\u7684\u670d\u52a1\u5668\uff0c\u6211\u4eec\u4f7f\u7528 XFS \u7684 quota \u529f\u80fd\u76d1\u89c6\u4ed3\u5e93\u5bb9\u91cf\u3002/srv/repo
\u4e0b\u7684\u6bcf\u4e2a\u76ee\u5f55\u4e3a\u4e00\u4e2a\u4ed3\u5e93\uff0c\u6709\u4e00\u4e2a\u5bf9\u5e94\u7684 XFS project\u3002\u6b64 XFS \u6587\u4ef6\u7cfb\u7edf\u9700\u8981\u4f7f\u7528 pqnoenforce
\u9009\u9879\u6302\u8f7d\uff0c\u56e0\u4e3a\u6211\u4eec\u53ea\u4f7f\u7528\u5bb9\u91cf\u7edf\u8ba1\u529f\u80fd\uff0c\u4e0d\u9700\u8981\u9650\u5236\u4ed3\u5e93\u7684\u78c1\u76d8\u4f7f\u7528\u3002
Todo
\u9700\u8981\u8c03\u7814\uff1a\u5feb\u901f\u5220\u9664\u4ed3\u5e93\u4e0e\u91cd\u547d\u540d\u4ed3\u5e93 (mv \u548c rm \u53ef\u80fd\u592a\u6162\u4e86)
"},{"location":"services/mirrors/xfs/#new-repo","title":"\u6dfb\u52a0\u4e00\u4e2a\u65b0\u4ed3\u5e93","text":""},{"location":"services/mirrors/xfs/#_1","title":"\u521b\u5efa\u76ee\u5f55","text":"\u5728 /srv/repo/
\u4e0b\u521b\u5efa\u5bf9\u5e94\u7684\u76ee\u5f55\u3002\u6ce8\u610f\u5bf9\u5e94\u76ee\u5f55\u7684\u6240\u6709\u8005\u548c\u6240\u6709\u7ec4\u5747\u5e94\u8be5\u662f mirror
\u3002
chown mirror: /srv/repo/example\n
"},{"location":"services/mirrors/xfs/#xfs-project","title":"\u521b\u5efa XFS project","text":"\u4e3a\u65b0\u4ed3\u5e93\u521b\u5efa XFS quota \u4ee5\u4fbf\u4e8e\u76d1\u89c6\u5bb9\u91cf\u3002\u9996\u5148\u68c0\u67e5 /etc/projects
\u548c /etc/projid
\uff0c\u627e\u5230\u5927\u4e8e 1000 \u7684 ID \u5e8f\u5217\uff0c\u627e\u51fa\u4e0b\u4e00\u4e2a ID\uff08\u4f8b\u5982 1111\uff0c\u4e0b\u9762\u4f7f\u7528\u8fd9\u4e2a\u4f5c\u4e3a\u4f8b\u5b50\uff09\u3002
mkdir /srv/repo/example\n
\u7f16\u8f91 /etc/projects
\uff0c\u52a0\u5165\u5982\u4e0b\u4e00\u884c
1111:/srv/repo/example\n
\u7136\u540e\u6267\u884c\uff1a
xfs_quota -x -c 'project -s 1111'\n
\u7f16\u8f91 /etc/projid
\uff0c\u52a0\u5165\u5982\u4e0b\u4e00\u884c
example:1111\n
\u4fe1\u606f
\u6211\u4eec\u7684\u955c\u50cf\u7ba1\u7406\u5668 Yuki \u6839\u636e\u955c\u50cf\u76ee\u5f55\u7684\u6700\u540e\u4e00\u6bb5\u540d\u79f0\uff08\u5373 basename\uff09\u6765\u4ece XFS \u4e2d\u83b7\u53d6\u5bb9\u91cf\u4fe1\u606f\uff0c\u56e0\u6b64 /etc/projid
\u6587\u4ef6\u5185\u5bb9\u6b63\u786e\u624d\u80fd\u4f7f Yuki \u5f97\u5230\u6b63\u786e\u7684\u5bb9\u91cf\u3002
#!/bin/bash\n\n# Determine largest project ID\nnext_id() {\n local PROJID=$(cut -d':' -f1 /etc/projects | sort -n | tail -1)\n echo $((++PROJID))\n}\n\nBASE=\"/srv/repo\"\nreadonly BASE\n\nif [ \"$1\" = \"-m\" ]; then\n MKDIR=yes\n shift\nfi\n\nwhile [ $# -ne 0 ]; do\n N=\"${1//\\//}\"\n shift\n if grep -q \"$BASE/$N\\$\" /etc/projects; then\n echo \"Repo $N exists, skipped.\" >&2\n continue\n fi\n\n if [ ! -e \"$BASE/$N\" ]; then\n if [ -n \"$MKDIR\" ]; then\n echo \"Path $BASE/$N does not exist, creating directory.\" >&2\n mkdir -p \"$BASE/$N\"\n else\n echo \"Path $BASE/$N does not exist, ignored.\" >&2\n continue\n fi\n elif [ ! -d \"$BASE/$N\" ]; then\n echo \"Path $BASE/$N is not a directory, ignored.\" >&2\n continue\n fi\n\n ID=\"$(next_id)\"\n echo \"$ID:$BASE/$N\" >> /etc/projects\n echo \"$N:$ID\" >> /etc/projid\n xfs_quota -x -c \"project -s $ID\" &>/dev/null\n echo \"Added $N (ID $ID)\"\ndone\n
"},{"location":"services/mirrors/xfs/#quota","title":"\u67e5\u770b quota \u60c5\u51b5","text":"xfs_quota -c 'df -h'\n
"},{"location":"services/mirrors/zfs/","title":"ZFS","text":""},{"location":"services/mirrors/zfs/#common-operations","title":"Common Operations","text":"Get zpool statuszpool status\n
Get IO statuszpool iostat -v 1\n
Replace Diskzpool replace pool0 old-disk new-disk\n
New ZFS file systemzfs create [-o option=value ...] <filesystem>\n\n# Example\nzfs create pool0/repo/debian\n
If mountpoint
is not specified, then it's inherited from the parent with a subpath appended. E.g. when pool0/example
is mounted on /mnt/haha
then pool0/example/test
will by default mount on /mnt/haha/test
.
zfs destroy <filesystem>\n\n# Example\nzfs destroy pool0/repo/debian\n
"},{"location":"services/mirrors/zfs/#new-repo","title":"Create new repository","text":"zfs create pool0/repo/example\n
Contrary to XFS, no other steps are needed.
"},{"location":"services/mirrors/zfs/#setup","title":"Setup","text":"This section is recorded for reference only.
"},{"location":"services/mirrors/zfs/#pool-setup-mirrors2","title":"Pool setup (mirrors2)","text":"zpool create pool0 \\\n -O canmount=off \\\n -O xattr=sa \\\n -O relatime=on \\\n -O compress=zstd \\\n raidz2 \\\n ata-HGST_HUS726060ALE610_K1GKVAAD \\\n ata-HGST_HUS726060ALE610_K1GHTLND \\\n ata-HGST_HUS726060ALE610_K1GHTVWD \\\n ata-HGST_HUS726060ALE610_K1GKNJUD \\\n ata-HGST_HUS726060ALE610_K1GK5KND \\\n ata-HGST_HUS726060ALE610_K1GK9GXD \\\n raidz2 \\\n ata-HGST_HUS726060ALE610_NCH13D2V \\\n ata-HGST_HUS726T6TALE6L4_V9KWJ1PL \\\n ata-HGST_HUS726T6TALE6L4_V9HU810L \\\n ata-HGST_HUS726060ALE610_NCH141WV \\\n ata-HGST_HUS726060ALE610_K1GKPDSD \\\n ata-HGST_HUS726T6TALE6L4_V9KTTT5L \\\n cache nvme0n1\n
Note
The -O
option applies to the root dataset.
zpool create -f pool0 \\\n raidz3 \\\n ata-HGST_HUS726060ALE610_K1GHTLND \\\n ata-HGST_HUS726060ALE610_K1GHTVWD \\\n ata-HGST_HUS726060ALE610_K1GK5KND \\\n ata-HGST_HUS726060ALE610_K1GK9GXD \\\n ata-HGST_HUS726060ALE610_K1GKNJUD \\\n ata-HGST_HUS726060ALE610_K1GKNP5D \\\n ata-HGST_HUS726060ALE610_K1GKNR6D \\\n ata-HGST_HUS726060ALE610_K1GKPDSD \\\n ata-HGST_HUS726060ALE610_K1GKVAAD \\\n ata-HGST_HUS726060ALE610_NCH04T5V \\\n ata-HGST_HUS726060ALE610_NCH13D2V \\\n spare \\\n ata-HGST_HUS726060ALE610_NCH141WV \\\n log mirror \\\n ata-INTEL_SSDSC2BB240G6_PHWA64410400240AGN-part1 \\\n ata-INTEL_SSDSC2BB240G6_PHWA6441041N240AGN-part1 \\\n cache \\\n ata-INTEL_SSDSC2BB240G6_PHWA64410400240AGN-part2 \\\n ata-INTEL_SSDSC2BB240G6_PHWA6441041N240AGN-part2\n
"},{"location":"services/mirrors/zfs/#zfs-kernel-module","title":"ZFS kernel module","text":"For OpenZFS 2.2:
/etc/modprobe.d/zfs.conf# Set ARC size to 160-200 GiB, keep 16 GiB free for OS\noptions zfs zfs_arc_max=214748364800\noptions zfs zfs_arc_min=171798691840\noptions zfs zfs_arc_sys_free=17179869184\n\n# Favor metadata to data by 20x (OpenZFS 2.2+)\noptions zfs zfs_arc_meta_balance=2000\n\n# Allow up to 80% of ARC to be used for dnodes\noptions zfs zfs_arc_dnode_limit_percent=80\n\n# Allow every block to be written to ZIL\noptions zfs zfs_immediate_write_sz=16777216\n\n# See man page section \"ZFS I/O Scheduler\"\noptions zfs zfs_vdev_async_read_max_active=8\noptions zfs zfs_vdev_async_read_min_active=2\noptions zfs zfs_vdev_scrub_max_active=5\noptions zfs zfs_vdev_max_active=20000\n\n# Never throttle the ARC\noptions zfs zfs_arc_lotsfree_percent=0\n\n# Tune L2ARC\noptions zfs l2arc_headroom=8\noptions zfs l2arc_write_max=67108864\noptions zfs l2arc_noprefetch=0\n
Refer to zfs(4)
.
Note
zfs_dmu_offset_next_sync
is 1 by default since OpenZFS v2.1.5, so it's omitted in the configuration.
On mirrors2:
zfs create -o compress=zstd-8 -o recordsize=1M -o atime=off pool0/backup\n\nzfs create pool0/backup/rootfs # inherit everything\nzfs create -o acltype=posix pool0/backup/oldlog\n\nzfs create \\\n -o mountpoint=/srv/repo \\\n -o recordsize=1M \\\n -o xattr=off \\\n -o atime=off \\\n -o setuid=off \\\n -o exec=off \\\n -o devices=off \\\n -o sync=disabled \\\n -o secondarycache=metadata \\\n -o redundant_metadata=some \\\n pool0/repo\n
Refer to zfsprops(7)
.
mountpoint
Self-explanatory.
recordsize=1M
This is the \"block size\" for ZFS, i.e. how large files are split into blocks. Each block (record) is stored contiguously on disk and is read/written as a whole.
Since the typical read pattern on mirror sites is whole-file sequential read, it makes sense to set recordsize
to the maximum value permitted1. Larger recordsize
allows the compression algorithm to exploit more opportunities, while also reducing I/O count for large files.
Note that files under a single recordsize
will not be padded up and will be stored as a single block, so no space is wasted.
compression=zstd
(inherited from pool0
) Enable compression so anything will be tried to compress. The default algorithm (i.e. compression=on
) is LZ4, which is very fast but not as effective. Zstd is a modern multi-threaded algorithm that is also very fast but compresses better. The default compression level is 3 (i.e. zstd
= zstd-3
).
Since OpenZFS 2.2, there's an \"early-abort\" mechanism for Zstd level 3 or up: Every block is first tried with LZ4, then Zstd-1, and if and only if both algorithms suggest that the data block would compress well, the actual algorithm will be applied and the compressed result will be written to disk. This early-abort mechanism ensures minimal CPU wasted for incompressible data.
xattr=off
Apparently mirror data do not need extended attributes.
atime=off
, setuid=off
, exec=off
, devices=off
These simply maps to the noatime
, nosuid
, noexec
, and nodev
mount options respectively. It's safe to assume we don't need these features for mirror data.
sync=disabled
Disable any \"synchronous write\" semantics. This means files will not respond to open(O_SYNC)
and sync(2)
calls. Pending writes will only be committed to disk after zfs_txg_timeout
seconds (default 5) or when the write buffer is full.
While normally this is a bad idea as it goes against data integrity (namely, the \"D\" in ACID), for mirror data that can be easily regenerated, this improves write performance and reduces fragmentation (also note that zfs_dmu_offset_next_sync
is enabled by default).
secondarycache=metadata
As mirrors2 only serves Rsync requests, caching file content provides little benefit. Instead, we cache metadata only to reduce the number of disk seeks.
redundant_metadata=some
(Just read zfsprops(7)
and you'll be able to reason about this.)
Do NOT install zfs-dkms
and related packages from Debian backports repositories. They'll easily break when upgrading.
As of Debian Buster the ZFS packages from the mainstream repository is stable and new enough for our use.
\u4ecd\u7136\u5efa\u8bae\u5b89\u88c5 Backports \u7248\u672c\u7684 ZFS\u3002\u300cStable \u8d8a\u5f80\u540e\uff08\u5bf9 ZFS \u76f8\u5173\u8f6f\u4ef6\u5305\u7684\uff09\u7ef4\u62a4\u8d8a\u5f31\u300d\uff0c\u4ece\u800c\u5bfc\u81f4 stable \u7684 ZFS \u53cd\u800c\u8d28\u91cf\u4e0d\u5982 backports \u7248\u672c\u7684\u3002
Actually, there's the zfs_max_recordsize
module parameter which can be increased to up to 16 MiB. There's a reason this is set to 1 MiB by default, so we're not going to blindly aim for the maximum.\u00a0\u21a9
mirrors1 \u662f 2011 \u5e74\u7f51\u7edc\u4fe1\u606f\u4e2d\u5fc3\u63d0\u4f9b\u7ed9 LUG \u7528\u4f5c\u521d\u4ee3 mirrors.ustc.edu.cn \u670d\u52a1\u7684\u673a\u5668\uff0c\u662f\u4e00\u53f0\u66d9\u5149 i620r-G
\u53c2\u6570 \u914d\u7f6e CPU Intel(R) Xeon(R) CPU E5620 @ 2.40GHz x 2 \u5185\u5b58 48 GB \u5b58\u50a8 LSI Logic MegaRAID SAS 8708EM2 x 2 DFT RS-3016I-S/D30 \u78c1\u76d8\u9635\u5217 \u7f51\u7edc Ethernet Intel 82574L Gigabit x 2\u7528\u6237\u624b\u518c
\u7531\u4e8e\u672c\u6587\u7f16\u5199\u65f6\uff082020 \u5e74\uff09\u8be5\u670d\u52a1\u5668\u65e9\u5df2\u4e0d\u518d\u7528\u4f5c mirrors\uff08\u73b0\u5728\u662f esxi-5\uff09\uff0c\u56e0\u6b64\u66f4\u591a\u7684\u4fe1\u606f\u6682\u65e0\u4ece\u8003\u5bdf\u3002
"},{"location":"services/mirrors/1/#ipmi","title":"IPMI","text":"\u8fd9\u53f0\u673a\u5668\u7684 IPMI \u4f7f\u7528\u6761\u4ef6\u8f83\u4e3a\u82db\u523b\uff0c\u7279\u522b\u662f\u5b83\u7684 Java \u63a7\u5236\u53f0\u53ea\u80fd\u5728 Windows XP\uff0cIE 6 \u548c Java 6 \u73af\u5883\u4e0b\u8fd0\u884c\u3002\u56e0\u6b64\u6211\u4eec\u914d\u7f6e\u4e86\u4e00\u4e2a\u865a\u62df\u673a\u955c\u50cf\u653e\u5728 LUG FTP \u4e0a\u3002
\u4f7f\u7528\u73b0\u4ee3\u7684 HTTP \u5ba2\u6237\u7aef\uff08\u5305\u62ec\u6d4f\u89c8\u5668\u548c cURL \u7b49\uff09\u5c1d\u8bd5\u4e0b\u8f7d viewer.jnlp
\u65f6\u4f1a\u9047\u5230\u95ee\u9898\uff0c\u539f\u56e0\u5728\u4e8e IPMI \u4f1a\u8fd4\u56de\u4e00\u4e2a\u9519\u8bef\u7684 Content-Length
\uff08\u7ea6 3 KiB\uff09\uff0c\u4f46 jnlp \u6587\u4ef6\u5b9e\u9645\u53ea\u6709 1.6 KiB\uff0c\u4f7f\u5ba2\u6237\u7aef\u8ba4\u4e3a\u6587\u4ef6\u672a\u5b8c\u6574\u4e0b\u8f7d\u3002\u5947\u5999\u7684\u662f\uff0cIE 6 \u4f3c\u4e4e\u4f1a\u5ffd\u7565\u8fd9\u4e2a\u95ee\u9898\uff0c\u7136\u540e\u6b63\u5e38\u6253\u5f00 Java \u63a7\u5236\u53f0\u3002
2016 \u5e74\u5e95\u4ece\u7f51\u7edc\u4fe1\u606f\u4e2d\u5fc3\u83b7\u5f97\u7684\u65b0\u673a\u5668\uff0c\u8fd0\u884c\u81f3\u4eca\uff0c\u627f\u62c5\u4e86\u76ee\u524d mirrors \u7684 rsync \u6d41\u91cf\u3002
\u53c2\u6570 \u914d\u7f6e CPU \u53cc\u8def E5-2620 v4 \u5185\u5b58 256 GB DDR4 \u5b58\u50a8 6 TB * 12 (HDD), 250 GB *2 (SSD) \u7f51\u7edc 1 Gbps * 2\u66d9\u5149 I620-G20 \u5bfc\u822a\u5149\u76d8
"},{"location":"services/mirrors/2/#networking","title":"Networking","text":"mirrors2 \u4e0a\u7684\u7f51\u7edc\u914d\u7f6e\u81ea 2024-07-19 \u7ef4\u62a4\u540e\u4e5f\u5207\u6362\u5230\u4e86 systemd-networkd \u65b9\u6848\uff0c\u6587\u6863\u53ef\u4ee5\u53c2\u8003 mirrors4\u3002
Old infomirrors2 \u4e0a\u7684\u7f51\u7edc\u4f7f\u7528\u9ed8\u8ba4\u7684 ifupdown \u914d\u7f6e\u3002
\u5728 /etc/network/interfaces.d
\u4e2d\u5b58\u653e\u7740\u63a5\u53e3\u914d\u7f6e\uff0c\u4f7f\u7528 ifup
/ifdown
\u6765\u542f\u7528/\u505c\u7528\u67d0\u4e00\u63a5\u53e3\u3002
\u91cd\u542f\u6240\u6709\u7f51\u7edc\u63a5\u53e3
\u5728\u67d0\u6b21 mirrors2 \u79bb\u7ebf\u6545\u969c\u4e2d\uff0c\u8bef\u64cd\u4f5c\u7684 systemctl restart networking
\u8fd4\u56de\u4e86\u5931\u8d25\u7684\u7ed3\u679c\uff0c\u4ece\u800c\u5bfc\u81f4\u4e86 mirrors2 \u4ece\u67d0\u4e00\u7f51\u7edc\u63a5\u53e3\u65ad\u5f00\uff08\u731c\u6d4b\uff09\uff08\u5b9e\u9645\u539f\u56e0\u89c1\u4e0b\uff09\uff0c\u91cd\u542f\u6240\u6709\u63a5\u53e3\u4fee\u590d\u4e86\u95ee\u9898\uff1aifdown -a && ifup -a
\u5b9e\u9645\u539f\u56e0\u662f bridge interface \u8fde\u63a5\u7684\u90a3\u4e2a interface \u5728 ifupdown \u7684 config \u91cc\u7684\u914d\u7f6e\u65b9\u5f0f\u662f static
\u7684\uff0c\u5728\u542f\u7528 bridge interface \u65f6\u4f1a\u81ea\u52a8\u66f4\u6539\u914d\u7f6e\u5bfc\u81f4 offline\u3002\u6539\u6210 manual
\u7981\u6b62\u5b83\u7684\u81ea\u52a8\u884c\u4e3a\u4e4b\u540e\u5c31\u6ca1\u4e8b\u4e86\u3002
2020 \u5e74\u521d\u4ece\u56fe\u4e66\u9986\u6280\u672f\u90e8\u83b7\u5f97\u7684\u4e00\u53f0\u65e7\u670d\u52a1\u5668\uff0c\u4e3a\u6234\u5c14 PowerEdge R510\uff0c\u8d1f\u8f7d\u6bd4\u8f83\u6742\u4e71,\u4e3b\u8981\u662f\u4e00\u4e9b\u65e2\u51b7\u95e8\u53c8\u5927\u7684\u4ed3\u5e93\u7684 HTTP + rsync \u6d41\u91cf\u3002
\u53c2\u6570 \u914d\u7f6e CPU \u53cc\u8def\u81f3\u5f3a E5620 \u5185\u5b58 32 GB DDR3 \u5b58\u50a8 1 TB*2 (HDD), 2 TB*5 (HDD), 3 TB*1 (HDD) 1 TB (SAS HDD), 1.8 TB * 3 (SATA HDD), 1 TB (SATA HDD) \u540c\u53cb iSCSI \u9635\u5217\uff0c4 TB * 16 (HDD) \u7f51\u7edc 1 Gbps * 2\u5b58\u50a8\u7ed3\u6784\uff1a
\u6ce8\u610f\u4e8b\u9879
\u7531\u4e8e PERC 6/i \u9635\u5217\u5361\u7684\u9650\u5236\uff0c\u7269\u7406\u78c1\u76d8\u5927\u5c0f\u6700\u5927\u652f\u6301 2TB\uff08SAS 4TB \u76d8\u65e0\u6cd5\u8bc6\u522b\u5927\u5c0f\uff09\u3002\u5728\u5c06 SAS \u574f\u76d8\u79fb\u9664\u540e\uff0c\u76ee\u524d\uff082022/5/10\uff09rootfs VD \u5904\u4e8e degraded \u72b6\u6001\u3002
PERC H700 \u9635\u5217\u5361\u7531\u4e8e\u7f3a\u5c11\u4e24\u6839 SAS \u8f6c\u63a5\u7ebf\uff0c\u5e76\u4e14 mirrors3 \u673a\u67b6\u524d\u53f3\u4fa7\u8f68\u9053\u5904\u65e0\u6cd5\u89e3\u9664\u9501\u5b9a\uff0c\u4e14\u66f4\u6362\u9635\u5217\u5361\u9700\u8981\u5c06\u5176\u4ed6\u6269\u5c55\u5361\u5168\u90e8\u79fb\u9664\uff08\u53c2\u89c1 PowerEdge R510 \u786c\u4ef6\u7528\u6237\u624b\u518c\uff09\uff0c\u7ed9\u65b0\u9635\u5217\u5361\u5b89\u88c5\u5e26\u6765\u4e86\u5f88\u5927\u7684\u96be\u5ea6\u3002
1 TB * 2\u4f4d\u4e8e\u673a\u8eab\uff0c\u7ec4\u6210 RAID1 \u5b89\u88c5\u64cd\u4f5c\u7cfb\u7edf\uff0c\u6302\u8f7d\u4e3a rootfs
2 TB * 5 + 3 TB * 1\u540c\u6837\u4f4d\u4e8e\u673a\u8eab\uff0c\u7ec4\u6210 RAID6 \u5b58\u653e\u8d44\u6599\uff08\u6240\u4ee5\u552f\u4e00\u4e00\u5757 3 TB \u7684\u786c\u76d8\u5b9e\u9645\u4e0a\u5f53\u505a 2 TB \u7684\u6765\u7528\uff09
\u5916\u90e8\u9635\u5217\uff0c4 TB * 16\u901a\u8fc7 SFP+ \u5149\u7ea4\u6302\u8f7d\u4e3a iSCSI \u8bbe\u5907\uff0c\u5206\u4e3a\u4e24\u7ec4 RAID60\uff08\u53ef\u7528\u5bb9\u91cf\u4e3a 12 \u5757\u76d8\uff09\u5b58\u50a8\u8d44\u6599
"},{"location":"services/mirrors/4/","title":"mirrors4","text":"mirrors4 \u662f 2020 \u5e74 3 \u6708 24 \u65e5\u7f51\u7edc\u4fe1\u606f\u4e2d\u5fc3\u63d0\u4f9b\u7ed9 LUG \u7684\u65b0\u673a\u5668\uff0c\u662f\u4e00\u53f0\u6d6a\u6f6e NF5280M5\u3002
"},{"location":"services/mirrors/4/#_1","title":"\u786c\u4ef6\u914d\u7f6e","text":"CPU\u53cc\u8def Intel Xeon Gold 6230
\u5185\u5b58256 GB DDR4 2933 (8 * 32 GB SKHynix)
\u786c\u76d8\u4e00\u5757\u4e09\u661f PM883 2TB
12 \u5757 HGST HUH721010AL (10 TB)
\u4e24\u4e2a\u786c\u76d8\u63a7\u5236\u5668 MegaRAID SAS-3 3108
\u91c7\u7528 ZFS \u5c06 12 \u5757 HDD \u7ec4\u6210\u4e00\u4e2a pool\u3002
\u7f51\u5361\u677f\u8f7d Intel X722 GbE (4 \u4e2a\u5343\u5146\u7f51\u53e3)
PCI-e \u6269\u5c55\u5361\uff1aIntel X520 (82599ES) SFP+ (2 \u4e2a\u4e07\u5146\u5149\u53e3)
"},{"location":"services/mirrors/4/#_2","title":"\u78c1\u76d8\u5206\u533a","text":"\u4e00\u5757 SSD \u5206\u4e3a 512M \u7684 EFI \u5206\u533a\uff0c\u5269\u4f59\u7a7a\u95f4\u5efa\u4e86\u4e00\u4e2a LVM\uff08VG lug
\uff09\u3002LVM \u4e0a\u88c5\u7cfb\u7edf\uff08lug/root
\uff09\u3001swap\uff08lug/swap
\uff09\u3001Docker \u6570\u636e\uff08lug/docker
\uff09\u548c L2ARC\uff08lug/l2arc
\uff0c1.5 TB\uff09\u3002
\u5168\u90e8 12 \u5757 HDD \u7528 ZFS \u505a\u4e86\u4e00\u4e2a pool\uff0c\u6bcf\u4e2a\u63a7\u5236\u5668\u4e0a\u9762\u7684 6 \u5757\u76d8\u4f5c\u4e3a\u4e00\u4e2a RAIDZ2 vdev\uff0c\u8fd9\u4e2a ZFS pool \u7528\u4e8e /home
\u548c /srv/repo
\uff08\u4ed3\u5e93\u6570\u636e\uff09\u7b49\u3002
\u8fd9\u53f0\u670d\u52a1\u5668\u521d\u88c5\u65f6\u662f\u6ca1\u6709\u914d\u7f6e swap \u7684\uff0c\u5728 2024-10-31 17:12 \u5de6\u53f3\u7531 git daemon \u5bfc\u81f4 OOM \u540e\u8865\u5145\u4e86 64G swap\uff0c\u6b64\u65f6 VG \u5269\u4f59\u7a7a\u95f4\u8fd8\u6709 100 \u591a GB \u7559\u7ed9\u4ee5\u540e\u4f7f\u7528\u3002
\u540c\u65f6\u6211\u4eec\u4e5f\u7ed9 git daemon \u4e0a\u4e86\u5185\u5b58\u9650\u5236\uff0c\u8be6\u60c5\u89c1 Service\u3002
"},{"location":"services/mirrors/4/volumes-old/","title":"Volumes on mirrors4","text":"\u6ce8\u610f
mirrors4 \u4e8e 2024 \u5e74 7 \u6708\u91cd\u5efa\u4e3a ZFS pool\uff0c\u4ee5\u4e0b\u5185\u5bb9\u5df2\u7ecf\u8fc7\u65f6\u3002
"},{"location":"services/mirrors/4/volumes-old/#_1","title":"\u78c1\u76d8\u5206\u533a","text":"\u7531\u4e8e\u4e0d\u80fd\u8de8\u63a7\u5236\u5668\u7ec4 RAID \u6216 LUN\uff0c\u4e14\u6bcf\u4e2a\u63a7\u5236\u5668\u53ea\u6709 8 \u4e2a\u63d2\u69fd\uff0c\u56e0\u6b64\u5c06 12 \u5757 HDD \u5206\u4e3a 6 \u5757\u4e00\u7ec4\u63d2\u5728\u4e24\u4e2a\u63a7\u5236\u5668\u4e0a\u7ec4\u6210 RAID6\uff0c\u4ee5\u4e24\u4e2a\u903b\u8f91\u5377\u5448\u73b0\u7ed9\u64cd\u4f5c\u7cfb\u7edf\uff0c\u4e0a\u5c42\u7528 LVM \u5904\u7406\u3002SSD \u5355\u72ec\u521b\u5efa\u4e00\u4e2a\u903b\u8f91\u5377\u7ed9\u64cd\u4f5c\u7cfb\u7edf\u3002
\u6ce8\u610f
\u8fd9\u91cc\u7ed9\u51fa\u7684\u547d\u4ee4\u4ec5\u7528\u4e8e\u5c55\u793a\u5206\u533a\uff08\u5377\uff09\u7684\u521b\u5efa\u65b9\u5f0f\uff0c\u9664\u975e\u5b8c\u5168\u91cd\u88c5\uff0c\u5426\u5219\u4e0d\u5e94\u8be5\u6267\u884c\u5176\u4e2d\u4efb\u4f55\u4e00\u6761\u6709\u526f\u4f5c\u7528\u7684\u547d\u4ee4\u3002
\u64cd\u4f5c\u7cfb\u7edf\u770b\u5230\u4e09\u4e2a\u786c\u76d8\uff1a\u4e24\u4e2a RAID6 \u5927\u76d8\uff0840 TB / 36.4 TiB\uff09\u548c\u4e00\u4e2a SSD\uff082 TB / 1.86 TiB\uff09\u3002\u8bbe\u4e24\u4e2a\u5927\u76d8\u4e3a /dev/sda \u548c /dev/sdb\uff0cSSD \u4e3a /dev/sdc\u3002
\u7531\u4e8e\u542f\u52a8\u5206\u533a\u4e0d\u80fd\u653e\u5728 LVM \u4e0a\uff0c\u56e0\u6b64\u4ee5\u5982\u4e0b\u65b9\u5f0f\u521b\u5efa\u5206\u533a\uff1a
root@mirrors4:~# fdisk -l /dev/sda\nDisk /dev/sda: 36.4 TiB, 40001177911296 bytes, 78127300608 sectors\nDisk model: MR9361-8i\nUnits: sectors of 1 * 512 = 512 bytes\nSector size (logical/physical): 512 bytes / 4096 bytes\nI/O size (minimum/optimal): 262144 bytes / 262144 bytes\nDisklabel type: gpt\nDisk identifier: AAAAAAAA-AAAA-AAAA-AAAA-AAAAAAAAAAAA\n\nDevice Start End Sectors Size Type\n/dev/sda1 2048 4095 2048 1M BIOS boot\n/dev/sda2 4096 1052671 1048576 512M EFI System\n/dev/sda3 1052672 78127300574 78126247903 36.4T Linux LVM\n
sdb \u7684\u53c2\u6570\u5b8c\u5168\u4e00\u6837\u3002
\u5b9e\u9645\u7684\u542f\u52a8\u5206\u533a\u4e3a /dev/sda2\uff0c\u5c06\u5176 dd \u5230 /dev/sdb2 \u505a\u5907\u4efd\u3002
\u7136\u540e\u662f SSD \u7684\u5206\u533a\uff1a
Disk /dev/sdc: 1.8 TiB, 1919816826880 bytes, 3749642240 sectors\nDisk model: MR9361-8i\nUnits: sectors of 1 * 512 = 512 bytes\nSector size (logical/physical): 512 bytes / 4096 bytes\nI/O size (minimum/optimal): 65536 bytes / 65536 bytes\nDisklabel type: gpt\nDisk identifier: AAAAAAAA-AAAA-AAAA-AAAA-AAAAAAAAAAAA\n\nDevice Start End Sectors Size Type\n/dev/sdc1 2048 3749642206 3749640159 1.8T Linux LVM\n
"},{"location":"services/mirrors/4/volumes-old/#lvm","title":"LVM","text":"\u628a sda3 \u548c sdb3 \u90fd\u653e\u8fdb LVM\uff1a
# fdisk \u5206\u533a\u5b8c\u6bd5\uff0cw \u5199\u5165\u9000\u51fa\npvcreate /dev/sda3 /dev/sdb3\nvgcreate lug /dev/sda3 /dev/sdb3\n
\u521b\u5efa rootfs\uff0c\u8fd9\u91cc\u4ee5 RAID1 \u7684\u65b9\u5f0f\uff08--type raid1
\uff09\u521b\u5efa\u8fd9\u4e2a\u5206\u533a\uff0c\u8fd9\u6837\u5373\u4f7f sda / sdb \u574f\u6389\u4e00\u6574\u7ec4\u4e4b\u540e\u8fd8\u6709 rootfs \u53ef\u4ee5\u7528\u3002
\u6ce8\u610f\uff1a
-m 1
\u8868\u793a 1 \u4efd\u989d\u5916\u7684\u955c\u50cf\u3002--type mirror
\u548c --type raid1
\u662f\u4e0d\u540c\u7684\uff08\u524d\u8005\u5df2\u7ecf deprecated\uff09\u3002\u4e0d\u8981\u521b\u5efa --type mirror
\u7684\u5206\u533a\u3002lvcreate -n root -L 32G --type raid1 -m 1 lug\nmkfs.ext4 /dev/lug/root\n
\u521b\u5efa home\uff0c\u8fd9\u91cc\u53cd\u6b63\u4e0d\u6015\u574f\uff0c\u7528 RAID0\uff08--type striped
\u6216 --type raid0
\uff09\u3002
lvcreate -n root -L 64G --type striped -i 2 lug\nmkfs.ext4 /dev/lug/home\n
\u521b\u5efa\u653e\u955c\u50cf\u7684\u5206\u533a\uff0c\u8fd9\u6b21\u8981\u7528 xfs
XFS \u4e0d\u652f\u6301\u7f29\u5c0f
\u56e0\u6b64\u6211\u4eec\u5728\u521d\u88c5\u65f6\u9009\u62e9\u4e3a\u5176\u5206\u914d 48 TiB \u7684\u7a7a\u95f4\uff0c\u800c\u4e0d\u662f VG lug \u7684\u5269\u4f59\u5168\u90e8\u2014\u2014\u8fd9\u6837\u65b9\u4fbf\u4ee5\u540e\u7ef4\u62a4
lvcreate -n repo -L 48T --type striped -i 2 lug\nmkfs.xfs /dev/lug/repo\n
\u5176\u5b9e\u672c\u6765\u8981\u8c03\u4e00\u4e0b\u53c2\u7684\uff0c\u4e0d\u8fc7\u6839\u636e Arch Wiki\uff0cmkfs.xfs
\u7684\u9ed8\u8ba4\u53c2\u6570\u5c31\u662f\u6700\u4f18\u7684\uff0c\u6240\u4ee5\u6211\u4eec\u51b3\u5b9a\u4e0d\u52a8\u4e86\u3002
SSD \u7684\u7528\u9014\u4e3a\u5b58\u653e Docker \u6570\u636e /var/lib/docker
\uff088 GiB \u5c31\u591f\u4e86\uff0c\u4f46\u662f overlay2 \u7684\u540e\u7aef\u7528 ext4 \u66f4\u597d\uff09\uff0c\u5269\u4e0b\u7528\u4f5c lvmcache(7)\u3002
iBug \u5907\u6ce8
\u867d\u7136\u4f3c\u4e4e\u6ca1\u6709\u8fd9\u6837\u505a\uff08\u5148\u521b\u5efa\u5355\u72ec\u7684 VG \u518d\u5408\u5e76\uff09\u7684\u5fc5\u8981\uff0c\u4f46\u662f\u8fd9\u4e48\u505a\u4e00\u5b9a\u4e0d\u4f1a\u51fa\u9519\uff0c\u5c31\u8fd9\u6837\u5427\u3002
\u5728 SSD \u4e0a\u65b0\u5efa\u4e00\u4e2a VG\uff1a
# fdisk \u521b\u5efa\u552f\u4e00\u4e00\u4e2a\u5206\u533a sdc1\uff0c\u4fdd\u5b58\u9000\u51fa\npvcreate /dev/sdc1\nvgcreate ssd /dev/sdc1\n
\u521b\u5efa Docker \u6570\u636e\u76d8\uff1a
lvcreate -L 8G -n docker ssd\nmkfs.ext4 /dev/ssd/docker\n
\u91cd\u8981\uff1a\u521b\u5efa\u7f13\u5b58\u76d8\u548c\u7f13\u5b58\u5143\u6570\u636e\u76d8\u3002\u6839\u636e Red Hat Documentation \u7684\u4ecb\u7ecd\uff0c\u5148\u624b\u52a8\u521b\u5efa\u6570\u636e\u76d8\u548c\u5143\u6570\u636e\u76d8\uff0c\u7136\u540e\u5c06\u4ed6\u4eec\u5408\u5e76\u4e3a\u4e00\u4e2a cache pool\u3002\u5927\u5c0f\u65b9\u9762\uff0c\u6587\u7ae0\u7684\u53c2\u8003\u662f 2G data \u2194 12M meta\uff0c\u8fd9\u91cc\u6211\u4eec\u6709\u63a5\u8fd1 2 TB \u7684 data\uff0c\u5c31\u5206\u914d 16 GB \u4f5c\u4e3a meta \u5427\u3002
lvcreate -L 16G -n mcache_meta ssd\nlvcreate -l 100%FREE -n mcache ssd\nlvreduce -l -2048 ssd/mcache\nlvconvert --type cache-pool --poolmetadata ssd/mcache_meta --cachemode writethrough -c 64K --config allocation/cache_pool_max_chunks=30000000 ssd/mcache\n
\u8fd9\u91cc\u7684\u7f13\u5b58\u6a21\u5f0f\u91c7\u7528 passthrough\uff0c\u5373\u5199\u5165\u52a8\u4f5c\u7ed5\u8fc7\u7f13\u5b58\u76f4\u63a5\u5199\u56de\u539f\u8bbe\u5907\uff08\u5f53\u7136\u5566\uff0c\u5199\u5165\u90fd\u662f\u7531\u4ece\u4e0a\u6e38\u540c\u6b65\u4ea7\u751f\u7684\uff09\uff0c\u53e6\u5916\u4e24\u79cd writeback \u548c writethrough \u90fd\u4f1a\u5199\u5165\u7f13\u5b58\uff0c\u4e0d\u662f\u6211\u4eec\u60f3\u8981\u7684\u3002 passthrough \u6a21\u5f0f\u4e2d\uff0c\u8bfb\u5199\u90fd\u4f1a\u7ed5\u8fc7 cache\uff0c\u552f\u4e00\u7684\u4f5c\u7528\u662f write hit \u4f1a\u4f7f\u5f97 cache \u5bf9\u5e94\u7684\u5757\u5931\u6548\u3002
\u8fd9\u91cc\u4f7f\u7528 writeback \u6a21\u5f0f\uff0c\u56e0\u4e3a\u4ed3\u5e93\u6570\u636e\u6ca1\u4e86\u8fd8\u80fd\u518d\u540c\u6b65\uff0c\u4f7f\u7528 writeback \u63d0\u5347\u6027\u80fd\u66f4\u5408\u9002\u3002
\u51fa\u4e8e\u7a33\u5b9a\u8003\u8651\uff0c\u4f7f\u7528 writethrough \u6a21\u5f0f\u3002\uff08\u6211\u4eec\u7684 Cache \u592a\u5927\u4e86\uff0cwriteback \u53ef\u80fd\u4f1a\u5f04\u574f\u4e0d\u5c11\u4e1c\u897f\uff0c\u5982\u679c metadata \u574f\u4e86\u5c31\u66f4\u9ebb\u70e6\u4e86\uff09
\u5751
\u76f4\u63a5\u4f7f\u7528 lvconvert(8) \u5c1d\u8bd5\u5408\u5e76\u4f1a\u5bfc\u81f4\u5410\u69fd\uff0c\u8fd9\u662f\u4e0a\u9762 lvreduce(8) \u7684\u539f\u56e0\u3002
Volume group \"ssd\" has insufficient free space (0 extents): 2048 required.\n
iBug \u5907\u6ce8
LVM \u63a8\u8350\u7684\u662f\u4e00\u4e2a\u7f13\u5b58\u6c60\u91cc\u4e0d\u8d85\u8fc7 100 \u4e07\u4e2a chunk\uff08\u8fd9\u4e5f\u662f allocation/cache_pool_max_chunks \u7684\u9ed8\u8ba4\u503c\uff09\uff0c\u4f46\u662f\u8fd9\u6837\u6bcf\u4e2a chunk \u7684\u6700\u5c0f\u5927\u5c0f\u4e3a 1.84 MiB \u592a\u5927\u4e86\uff0c\u8003\u8651\u5230\u6211\u4eec\u6709\u8db3\u591f\u7684 CPU \u548c\u5185\u5b58\uff0c\u8fd9\u91cc\u5c31\u94e4\u800c\u8d70\u9669\u5c1d\u8bd5\u4e00\u4e0b\u8f83\u5927\u7684 chunk count\u3002
\u5751 2
\u7f13\u5b58\u76d8\uff08cache pool\uff09\u548c\u88ab\u7f13\u5b58\u7684\u5377\u5fc5\u987b\u5728\u540c\u4e00\u4e2a VG \u4e2d\u3002
\u5751 3 (taoky \u5907\u6ce8)
LVM Cache \u7684\u5e95\u5c42\u662f\u5728\u5185\u6838\u5b9e\u73b0\u7684 dm-cache\u3002\u76ee\u524d\u5df2\u77e5\u7684\u5751\u5982\u4e0b\uff1a
\u5f53\u51fa\u73b0 dirty blocks\uff08\u4e14 cache policy \u4e3a cleaner \u65f6\uff09\uff0c\u65e0\u6cd5\u6b63\u5e38 flush\u3002\u7f51\u7edc\u4e0a\u53ef\u4ee5\u627e\u5230\u7684\u8fd9\u4e2a bug \u7684\u89e3\u51b3\u65b9\u6cd5\u662f\u589e\u5927 migration_threshold \u7684\u503c\uff08\u5728\u65b0\u7248\u672c LVM \u4e2d\uff0cmigration_threshold \u9ed8\u8ba4\u81f3\u5c11\u4f1a\u662f chunk size \u7684 8 \u500d\uff0c\u5728\u6211\u4eec\u7684\u914d\u7f6e\u4e0b\u5c31\u662f 16384 = 2048 * 8\u3002\u8fd9\u4e2a\u7248\u672c\u7684 LVM \u6682\u65f6\u4e0d\u5728 Buster \u4e2d\uff09\uff0c\u4f46\u662f\u7ecf\u8fc7\u6d4b\u8bd5\uff0c\u5355\u7eaf\u589e\u5927 migration_threshold \u6ca1\u6709\u4efb\u4f55\u6548\u679c\u3002Jiahao \u7ffb\u4e86\u4e00\u4e0b dm-cache \u7684\u6e90\u4ee3\u7801\uff0c\u53d1\u73b0 flush \u7684\u6761\u4ef6\u5728 https://elixir.bootlin.com/linux/latest/source/drivers/md/dm-cache-target.c#L1649\uff0c\u53ea\u5728\u72b6\u6001\u4e3a IDLE \u65f6\u624d\u4f1a flush\u3002IDLE \u7684\u7b2c\u4e00\u4e2a\u6761\u4ef6\u9700\u8981 inflight io = 0\uff0c\u6bd4\u8f83\u82db\u523b\uff0c\u53ef\u80fd\u662f\u65e0\u6cd5\u6b63\u5e38 flush \u7684\u539f\u56e0\u3002
\u4e00\u4e2a\u626d\u66f2\u7684\u89e3\u51b3\u65b9\u6cd5\u662f\uff1a\u5148\u628a migration_threshold \u8bbe\u7f6e\u5f97\u5f88\u5927\uff08\u8bbe\u5927\u5c0f\u4e3a x\uff09\uff0c\u7136\u540e\u9a6c\u4e0a\u7f29\u5c0f\uff0c\u8fd9\u6837\u5c31\u80fd\u628a x \u90a3\u4e48\u591a\u5927\u5c0f\u7684\u810f\u5757\u5f04\u6389\uff08\u539f\u7406\u6682\u65f6\u4e0d\u660e\uff0c\u9700\u8981\u8865\u5145\uff09\u3002\u57fa\u4e8e\u8fd9\u4e2a\u65b9\u6cd5\uff0c\u53ef\u4ee5\u5199\u4e00\u4e2a\u811a\u672c\u6765\u505a flush \u7684\u5de5\u4f5c\uff1a
# dirty hack\nsudo lvchange --cachepolicy cleaner lug/repo\nfor i in `seq 1 1500`; do sudo lvchange --cachesettings migration_threshold=2113536 lug/repo && sudo lvchange --cachesettings migration_threshold=16384 lug/repo && echo $i && sleep 15; done;\n# \u9700\u8981\u786e\u8ba4\u6ca1\u6709\u810f\u5757\u3002\u5982\u679c\u8fd8\u6709\u7684\u8bdd\u7ee7\u7eed\u6267\u884c\uff08\u6b21\u6570\u8c03\u5c0f\u4e00\u4e9b\uff09\n# \u5982\u679c\u662f\u4ece writeback \u5207\u6362\uff0c\u9700\u8981\u5148\u628a\u6a21\u5f0f\u5207\u5230 writethrough\n# \u7136\u540e\u518d\u4fee\u6539 cachepolicy \u5230 smq\nsudo lvchange --cachepolicy smq lug/repo\n
\u5728\u6267\u884c\u65f6\uff0c\u53ef\u4ee5\u67e5\u770b\uff1a
sudo dmsetup status lug-repo\n# \u5728 \"metadata2\" \u524d\u9762\u7684\u524d\u9762\u7684\u6570\u5b57\u5c31\u662f dirty block \u7684\u6570\u91cf\n# \u5982\u679c\u4e0d\u5728\u6267\u884c lvchange\uff08\u6ca1\u6709\u8fdb\u7a0b\u62a2\u5360\u4e86 LVM \u7684\u9501\uff09\uff0c\u53ef\u4ee5\u6267\u884c\u4ee5\u4e0b\u547d\u4ee4\u786e\u8ba4\u810f\u5757\u6570\u91cf\u4ee5\u53ca\u5176\u4ed6\u4e00\u4e9b\u53c2\u6570\u3002\nsudo lvs -o name,cache_policy,cache_settings,chunk_size,cache_used_blocks,cache_dirty_blocks /dev/mapper/lug-repo\n
\u6bcf\u6b21 unclean shutdown \u4e4b\u540e\uff0ccache \u4e2d\u6240\u6709\u5757\u90fd\u4f1a\u88ab\u6807\u8bb0\u4e3a dirty\u3002\u5c3d\u7ba1\u4e0d\u592a\u53ef\u80fd\u963b\u585e\u7cfb\u7edf\u542f\u52a8\uff0c\u8fd9\u53ef\u80fd\u4f1a\u7ed9 HDD \u4e00\u5b9a\u7684\u538b\u529b\u3002
\u5751 4
\u4fee\u6539 migration_threshold
\u7b49\u8bbe\u7f6e\u4f1a\u5bfc\u81f4\u76ee\u524d\u7248\u672c\u7684 GRUB \u65e0\u6cd5\u6b63\u786e\u8bc6\u522b LVM \u5143\u6570\u636e\u3002
\u4e34\u65f6\u4fee\u590d\u7248\u672c\uff1ahttps://github.com/taoky/grub/releases/tag/2.02%2Bdfsg1-20%2Bdeb10u4taoky3_amd64\u3002\u76ee\u524d\u5df2\u90e8\u7f72\uff0c\u4e14\u8bbe\u7f6e\u4e86 apt hold
\u3002
\u5751 5
\u8bbe\u7f6e chunksize \u5230 1M \u4f1a\u6709\u4e25\u91cd\u7684\u5199\u5165\u653e\u5927\u95ee\u9898\uff0c\u56e0\u6b64\u8fd9\u91cc\u4fee\u6539\u4e3a\u4e86 64K\u3002
\u6240\u4ee5\u63a5\u4e0b\u6765\u8981\u5408\u5e76 VG\uff0c\u7136\u540e\u624d\u80fd\u4e3a\u4ed3\u5e93\u5377\u52a0\u4e0a\u7f13\u5b58\u3002
lvchange -a n ssd/docker\nvgmerge lug ssd\nlvconvert --type cache --cachepool lug/mcache lug/repo\n
\u63a5\u4e0b\u6765\u6302\u4e0a Docker \u5377\uff08\u6ce8\u610f VG \u540d\u5df2\u7ecf\u4ece ssd \u53d8\u6210\u4e86 lug\uff09\uff1a
lvchange -a y lug/docker\nmount /dev/lug/docker /var/lib/docker\n
"},{"location":"services/mirrors/4/volumes-old/#repo","title":"repo \u6269\u5bb9","text":"\u67e5\u770b\u5f53\u524d\u903b\u8f91\u5377\u4fe1\u606f\uff1a
# lvs -a -o +devices\n LV VG Attr LSize Pool Origin Data% Meta% Move Log Cpy%Sync Convert Devices\n backup lug -wi-ao---- 8.00g /dev/sda3(6307840)\n docker lug -wi-ao---- 64.00g /dev/sdc1(0)\n docker2 lug -wi-a----- 300.00g /dev/sda3(7925248)\n home lug -wi-ao---- 64.00g /dev/sda3(8192),/dev/sdb3(8193)\n log lug -wi-ao---- 300.00g /dev/sda3(6309888),/dev/sdb3(6307841)\n log lug -wi-ao---- 300.00g /dev/sda3(7888896),/dev/sdb3(7882753)\n [lvol0_pmspare] lug ewi------- 16.00g /dev/sda3(7884800)\n [mcache] lug Cwi---C--- 1.50t 99.99 0.12 0.00 mcache_cdata(0)\n [mcache_cdata] lug Cwi-ao---- 1.50t /dev/sdc1(20480)\n [mcache_cmeta] lug ewi-ao---- 16.00g /dev/sdc1(16384)\n repo lug Cwi-aoC--- 60.00t [mcache] [repo_corig] 99.99 0.12 0.00 repo_corig(0)\n [repo_corig] lug owi-aoC--- 60.00t /dev/sda3(16384),/dev/sdb3(16385)\n [repo_corig] lug owi-aoC--- 60.00t /dev/sda3(6311936),/dev/sdb3(6309889)\n root lug mwi-aom--- 32.00g [root_mlog] 100.00 root_mimage_0(0),root_mimage_1(0)\n [root_mimage_0] lug iwi-aom--- 32.00g /dev/sda3(0)\n [root_mimage_1] lug iwi-aom--- 32.00g /dev/sdb3(0)\n [root_mlog] lug lwi-aom--- 4.00m /dev/sdb3(8192)\n
\u68c0\u67e5 cache \u662f\u5426\u6709 dirty block\uff1a
$ sudo lvs -o name,cache_policy,cache_settings,chunk_size,cache_used_blocks,cache_dirty_blocks /dev/mapper/lug-repo\n LV CachePolicy CacheSettings Chunk CacheUsedBlocks CacheDirtyBlocks\n repo smq 1.00m 1048551 0\n
\uff08\u6b63\u5e38\u91cd\u542f\u4e4b\u540e\u53ef\u80fd\u4f1a\u51fa\u73b0 dirty block\uff0c\u539f\u56e0\u4e0d\u660e\u3002\u5982\u679c\u770b\u5230\u6709\u7684\u8bdd\uff0c\u90a3\u53ea\u80fd \u518d\u6b21\u8fdb\u5165\u75db\u82e6\u7684\u8f6e\u56de \u7528\u4e0a\u8ff0\u7684\u65b9\u6cd5\u6e05\u9664\uff0c\u5e76\u4e14\u6e05\u9664\u7684\u65f6\u5019\u5bf9\u7cfb\u7edf\u8d1f\u8f7d\u5f71\u54cd\u5f88\u5927\uff0c\u56e0\u4e3a\u843d\u76d8\u7684\u65f6\u5019\u5176\u4ed6\u8fdb\u7a0b\u5bf9\u5e94\u7684 IO \u4f1a\u88ab\u6682\u505c\uff0c\u5728\u76f8\u5bf9\u5e73\u8861\u65f6\u95f4\u548c\u8d1f\u8f7d\u7684\u547d\u4ee4\u4e0b\uff0c\u4f30\u8ba1\u9700\u8981 10 \u5c0f\u65f6\u7684\u65f6\u95f4\u3002\uff09
\u7136\u540e uncache\u3001\u6269\u5bb9\uff1a
# lvconvert --uncache lug/repo\n# lvextend -L +5T lug/repo\n# xfs_growfs /srv\n
\u7136\u540e\u6062\u590d cache\uff08\u53c2\u8003\u4e0a\u9762 mcache_meta \u548c mcache \u903b\u8f91\u5377\u7684\u914d\u7f6e\uff0c\u8bf7\u6ce8\u610f\u5728\u7406\u89e3\u547d\u4ee4\u540e\u518d\u6267\u884c\uff01\uff09\uff1a
# lvcreate -L 16G -n mcache_meta lug /dev/sdc1 # SSD \u8bbe\u5907\u8def\u5f84\u91cd\u542f\u540e\u53ef\u80fd\u4f1a\u53d8\u5316\n# lvcreate -l 100%FREE -n mcache lug /dev/sdc1\n# lvreduce -l -2048 lug/mcache\n# lvconvert --type cache-pool --poolmetadata lug/mcache_meta --cachemode writethrough -c 64K --config allocation/cache_pool_max_chunks=30000000 lug/mcache\n# lvconvert --type cache --cachepool lug/mcache lug/repo\n
\u5751 5
\u65b0\u5efa\u65f6\u5728\u5012\u6570\u7b2c\u4e8c\u6b65\u7684 lvconvert
\u53ef\u80fd\u4f1a\u5361\u6b7b\u8d85\u8fc7\u534a\u5c0f\u65f6\uff08\u4f46\u662f\u6700\u540e\u8fd8\u662f\u80fd\u5b8c\u6210\u7684\uff09\uff0c\u6808\u7684\u4fe1\u606f\u663e\u793a\u6808\u9876\u51fd\u6570\u662f submit_bio_wait()
\uff0c\u5728\u6e05\u96f6\u5bf9\u5e94\u7684 block range\uff0c\u56e0\u4e3a RAID \u5361\u4e0d\u652f\u6301\u4e0b\u4f20 discarding \u6240\u4ee5\u4f1a\u5f88\u6162\uff0c\u9700\u8981\u7b49\u4e00\u6bb5\u65f6\u95f4\u3002
\u5206\u533a\u5b8c\u6bd5\u540e\u7ed9 /etc/fstab
\u8865\u4e0a\u76f8\u5173\u7684\u5185\u5bb9\u5e76\u6302\u8f7d\uff1a
/dev/mapper/lug-home /home ext4 defaults 0 2\n/dev/mapper/lug-docker /var/lib/docker ext4 defaults 0 2\n/dev/mapper/lug-repo /srv xfs defaults,pqnoenforce 0 2\n/dev/mapper/lug-log /var/log ext4 defaults 0 2\n
\uff08\u8fd9\u4e2a log \u5206\u533a\u524d\u9762\u6ca1\u63d0\uff0c\u53cd\u6b63\u50cf\u6a21\u50cf\u6837\u77e5\u9053\u5c31\u884c\u4e86\uff09
"},{"location":"services/mirrors/4/networking/","title":"Networking on mirrors4","text":"\u51fa\u4e8e\u597d\u7528\u7684\u8003\u8651\uff0cmirrors4 \u4e0a\u7684\u7f51\u7edc\u4f7f\u7528 systemd-networkd \u914d\u7f6e\u3002\u4f5c\u4e3a\u5165\u95e8\uff0c\u4e0b\u9762\u662f\u4e24\u4e2a\u53c2\u8003\u94fe\u63a5\uff1a
Debian \u9ed8\u8ba4\u7528\u7684\u662f ifupdown\uff0c\u628a\u5b83\u76f4\u63a5\u5378\u6389\u5c31\u884c\u4e86\u3002\u5168\u90e8\u914d\u7f6e\u5b8c\u6bd5\u4e4b\u540e\u9700\u8981 systemctl enable systemd-networkd.service
\u5e76\u4e14 start \u4e00\u4e0b\uff08\u6216\u8005\u76f4\u63a5\u91cd\u542f\uff09\u3002
/etc/systemd/network \u76ee\u5f55\u4e0b\u6709\u4e2a Git \u4ed3\u5e93\uff0c\u65b9\u4fbf\u4fdd\u5b58\u4e0e\u6062\u590d
"},{"location":"services/mirrors/4/networking/#bond","title":"Bond","text":"Bond \u7528\u4e8e\u5c06\u591a\u4e2a\u7f51\u5361\u805a\u5408\u5f53\u4f5c\u4e00\u4e2a\u4f7f\u7528\u3002
"},{"location":"services/mirrors/4/networking/#_1","title":"\u5b50\u7f51\u5361","text":"\u5411 /etc/systemd/network/ens41f0.network
\u5199\u5165\u5982\u4e0b\u5185\u5bb9\uff1a
[Match]\nName=ens41f0\n\n[Network]\nBond=bond1\n\n[Link]\nRequiredForOnline=no\n
\u5373\u53ef\u5c06\u5176\u8bbe\u7f6e\u4e3a bond1 \u7684\u4e00\u4e2a\u5b50\u7f51\u5361\u3002\u7528\u540c\u6837\u65b9\u5f0f\u628a ens41f1 \u4e5f\u8bbe\u4e3a\u5b50\u7f51\u5361\u3002
\u4e00\u4e2a\u5c0f\u5751
systemd-networkd \u6709\u4e00\u4e2a\u9ed8\u8ba4\u7684 bond0 \u805a\u5408\u7f51\u5361\uff0c\u6a21\u5f0f\u6c38\u8fdc\u662f round-robin\uff0c\u800c\u4e14\u5c1d\u8bd5\u8bbe\u7f6e\u8fd9\u4e2a\u7f51\u5361\u5f88\u5bb9\u6613\u51fa\u95ee\u9898\uff0c\u6240\u4ee5\u6211\u4eec\u907f\u5f00\u8fd9\u4e2a\u540d\u5b57\uff0c\u7528 bond1\u3002
"},{"location":"services/mirrors/4/networking/#bond1","title":"bond1 \u805a\u5408\u7f51\u5361","text":"\u5199\u5165 /etc/systemd/network/bond1.netdev
\uff1a
[NetDev]\nName=bond1\nKind=bond\n\n[Bond]\nMode=balance-tlb\nMIIMonitorSec=1\n
\u5173\u4e8e bond \u6a21\u5f0f\uff08balance-tlb
vs balance-alb
\uff09\uff0c\u53c2\u8003\u8fd9\u4e2a Server Fault \u4e0a\u7684\u56de\u7b54\u3002
\u7136\u540e\u521b\u5efa VLAN\uff0c\u5199\u5165 /etc/systemd/network/bond1.network
\uff1a
[Match]\nName=bond1\n\n[Network]\nDHCP=no\nVLAN=cernet\nVLAN=telecom\nVLAN=mobile\nVLAN=unicom\n
"},{"location":"services/mirrors/4/networking/#vlan","title":"VLAN","text":"NIC \u673a\u623f\u6709 4 \u4e2a VLAN\uff0c\u5206\u522b\u662f
\u6ce8\u610f\u8fd9\u51e0\u4e2a\u7f51\u6bb5\u90fd\u6ca1\u6709 DHCP\uff0c\u53ea\u6709\u6559\u80b2\u7f51 VLAN \u6709 IPv6 RA\u3002
\u4e0b\u9762\u4ee5\u6559\u80b2\u7f51 VLAN \u4e3a\u4f8b\u3002
\u56e0\u4e3a VLAN \u5728\u7269\u7406\u4e0a\u5c5e\u4e8e\u4e00\u4e2a\u7f51\u5361\uff0c\u56e0\u6b64\u5411\u5bf9\u5e94\u7f51\u5361\u7684 .network
\u6587\u4ef6\u7684 [Network]
\u6bb5\u8ffd\u52a0\u4e00\u884c\uff08\u89c1\u4e0a\u9762\u4e00\u8282 bond1.network
\u6587\u4ef6\uff09\uff1a
VLAN=cernet\n
\u521b\u5efa VLAN \u754c\u9762\uff0c\u521b\u5efa cernet.netdev
\u5e76\u5199\u5165
[NetDev]\nName=cernet\nKind=vlan\n\n[VLAN]\nId=95\n
\u7136\u540e\u5c31\u53ef\u4ee5\u6307\u5b9a IP \u5730\u5740\u7b49\u5177\u4f53\u4fe1\u606f\u4e86\uff0c\u521b\u5efa\u4e00\u4e2a\u540d\u5b57\u76f8\u540c\uff0c\u540e\u7f00\u6362\u6210 .network
\u7684\u6587\u4ef6\u5e76\u5199\u5165
[Match]\nName=cernet\n\n[Network]\nDHCP=no\nAddress=202.38.95.110/25\n#Gateway=202.38.95.126\nAddress=2001:da8:d800:95::110/64\n#Gateway=2001:da8:d800:95::1\nIPv6AcceptRA=false\n
\u4fdd\u5b58\u540e\u91cd\u542f systemd-networkd.service
\u5c31\u53ef\u4ee5\u770b\u5230\u6548\u679c\u4e86\u3002
\u4e3a\u4ec0\u4e48 Gateway \u88ab\u6ce8\u91ca\u6389\u4e86
\u6839\u636e systemd \u5b98\u65b9\u6587\u6863\uff0c\u5728 [Network]
\u4e00\u8282\u51fa\u73b0\u7684 Gateway=
\u7b49\u4ef7\u4e8e\u4e00\u4e2a\u5355\u72ec\u7684\u3001\u4ec5\u5305\u542b\u4e00\u884c Gateway=
\u7684 [Route]
\u8282\u3002\u7531\u4e8e\u6211\u4eec\u9700\u8981\u6df1\u5ea6\u81ea\u5b9a\u4e49\u8def\u7531\uff0c\u8fd9\u91cc\u4e0d\u65b9\u4fbf\u91c7\u7528\u8fd9\u4e2a\u8fc7\u4e8e\u7b80\u6d01\u7684\u8bbe\u5b9a\uff08\u4f8b\u5982\u5404\u79cd\u9ed8\u8ba4\u503c Table=main
\u7b49\uff09\u3002
\u9488\u5bf9\u4e2a\u522b\u4e0d\u652f\u6301 bind address \u7684\u540c\u6b65\u5de5\u5177\uff0c\u6211\u4eec\u901a\u8fc7\u5c06\u5176\u653e\u5165\u7279\u5b9a\u7684 docker network \u6765\u5b9e\u73b0\u9009\u62e9\u7ebf\u8def\u7684\u529f\u80fd\u3002
\u521b\u5efa\u547d\u4ee4docker network create --driver=bridge --subnet=172.17.4.1/24 -o \"com.docker.network.bridge.name=dockerC\" cernet\ndocker network create --driver=bridge --subnet=172.17.5.1/24 -o \"com.docker.network.bridge.name=dockerT\" telecom\ndocker network create --driver=bridge --subnet=172.17.6.1/24 -o \"com.docker.network.bridge.name=dockerM\" mobile\ndocker network create --driver=bridge --subnet=172.17.7.1/24 -o \"com.docker.network.bridge.name=dockerU\" unicom\ndocker network create --driver=bridge --ipv6 --subnet=172.17.8.1/24 --subnet=fd00:6::/64 -o \"com.docker.network.bridge.name=dockerC6\" cernet6\ndocker network create --driver=bridge --subnet=172.17.9.1/24 -o \"com.docker.network.bridge.name=dockerV\" lugvpn\n
\u7136\u540e\u4f7f\u7528 systemd-networkd \u5bf9\u521b\u5efa\u597d\u7684 docker network \u7f51\u6bb5\u914d\u7f6e\u89c4\u5219\u8def\u7531\u3002
/etc/systemd/network/cernet.network# Docker Cernet\n[RoutingPolicyRule]\nFrom=172.17.4.0/24\nTable=1011\nPriority=5\n\n[RoutingPolicyRule]\nFrom=172.17.8.0/24\nTable=1011\nPriority=5\n
\u5176\u4ed6\u51e0\u4e2a\u6587\u4ef6\u7c7b\u4f3c\uff0c\u53ea\u9700\u8981\u4fee\u6539\u7f51\u6bb5\u548c Table \u5373\u53ef\u3002
"},{"location":"services/mirrors/4/networking/#docker-network-cernet6","title":"Docker network: cernet6","text":"\u7531\u4e8e\u4e00\u4e9b\u7a0b\u5e8f\u6216\u7cfb\u7edf\u73af\u5883\u5728\u53cc\u6808\u7f51\u7edc\u4e2d\u4ecd\u7136\u4f1a\u4f18\u5148\u5c1d\u8bd5 IPv4\uff0c\u6211\u4eec\u5c06 cernet6 \u7f51\u7edc\u7684 v4 \u516c\u7f51\u8bbf\u95ee\u5c4f\u853d\u6389\u3002
rules.v4*filter\n:FORWARD DROP [0:0]\n# ...\n-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n-A FORWARD -i dockerC6 -j REJECT\n-A FORWARD -i docker+ -j ACCEPT\n
"},{"location":"services/mirrors/4/networking/misc/","title":"mirrors \u7f51\u7edc\u914d\u7f6e\u6742\u9879","text":""},{"location":"services/mirrors/4/networking/misc/#sniproxy","title":"sniproxy","text":"Sniproxy \u7528\u4e8e\u4e3a Docker \u5bb9\u5668\u63d0\u4f9b\u65b9\u4fbf\u7684 HTTP(S) \u7f51\u7edc\u5206\u6d41\u3002\u76ee\u524d\u5728 mirrors \u4e0a\u7528\u4e8e\u4e3a dockerhub \u5bb9\u5668\u63d0\u4f9b\uff08\u5230 Cloudflare \u7684\uff09IPv6 \u63a5\u5165\uff08Docker \u505a IPv6 NAT \u975e\u5e38\u4e0d\u65b9\u4fbf\uff0c\u6240\u4ee5\u4ee5\u6b64\u4e3a\u6743\u5b9c\u4e4b\u4e3e\uff09\uff0c\u4ee5\u63d0\u9ad8\u6821\u5185\u8bbf\u95ee\u65f6\u7684\u901f\u5ea6\u3002
"},{"location":"services/mirrors/4/networking/misc/#_1","title":"\u914d\u7f6e","text":"\u5b89\u88c5 sniproxy\uff0c\u5e76\u4e14 mask \u539f\u670d\u52a1\u914d\u7f6e\uff08\u6211\u4eec\u81ea\u5df1\u5199\u4e00\u4e2a\uff09\uff1a
sudo apt install sniproxy\nsudo mkdir -p /etc/sniproxy\nsudo systemctl mask sniproxy.service\n
\u521b\u5efa /etc/systemd/system/sniproxy@.service
\uff1a
[Unit]\nDescription=SNIProxy (%i.conf)\nAfter=network.target network-online.target\nStartLimitIntervalSec=1\n\n[Service]\nType=simple\nExecStart=/usr/sbin/sniproxy -f -c /etc/sniproxy/%i.conf\nRestart=on-failure\nRestartSec=3\n\n[Install]\nWantedBy=multi-user.target\n
\u5728 /etc/sniproxy
\u4e2d\u521b\u5efa\u914d\u7f6e\u3002\u4ee5\u4e0b\u4e3a IPv6 + TLS (443) only \u7684\u914d\u7f6e\u4f8b\u5b50\uff1a
resolver {\n nameserver 2001:da8:d800::1\n mode ipv6_only\n}\n\naccess_log {\n filename /dev/null\n}\n\nlisten <Bind \u5230\u7684 IP \u5730\u5740>:443 {\n proto tls\n reuseport yes\n table all\n source <IPv6 \u51fa\u53e3\u5730\u5740>\n}\n\ntable all {\n .* *\n}\n
\u6700\u540e\u542f\u52a8\u670d\u52a1\uff1a
sudo systemctl enable sniproxy@\u914d\u7f6e\u6587\u4ef6\u540d.service\nsudo systemctl start sniproxy@\u914d\u7f6e\u6587\u4ef6\u540d.service\n
"},{"location":"services/mirrors/4/networking/route/","title":"Routing on mirrors4","text":"\u7531\u4e8e mirrors4 \u6ca1\u6709\u4f7f\u7528 ifupdown \u4f5c\u4e3a\u7f51\u7edc\u7ba1\u7406\u7cfb\u7edf\uff0c\u800c\u662f\u91c7\u7528 systemd-networkd\uff0c\u56e0\u6b64\u6211\u4eec\u6ca1\u6709 pre-up
, up
, down
, post-down
\u7b49\u8fd0\u884c\u547d\u4ee4\u7684\u65b9\u5f0f\uff0c\u6240\u4ee5 mirrors2 \u4e0a\u4f7f\u7528\u7684\u90a3\u5957\u811a\u672c\uff08ip-route.sh
\u7b49\uff09\u65e0\u6cd5\u76f4\u63a5\u5728 mirrors4 \u4e0a\u7ee7\u7eed\u4f7f\u7528\u3002
\u597d\u5728\u6211\u4eec\u4f7f\u7528 up
\u7b49\u8fd0\u884c\u547d\u4ee4\u53ea\u662f\u4e3a\u4e86\u914d\u7f6e\u8def\u7531\uff0c\u56e0\u6b64\u6362\u4e86\u4e2a\u529e\u6cd5\uff0c\u6574\u4e86\u4e2a\u65b0\u811a\u672c\u628a IP \u5730\u5740\u5217\u8868\uff08\u6765\u81ea gaoyifan/china-operator-ip\uff09\u8f6c\u6362\u6210 networkd \u6240\u4f7f\u7528\u7684\u914d\u7f6e\u6587\u4ef6\u683c\u5f0f\u3002\u4ee3\u7801\u4e0d\u957f\uff1a
#!/bin/bash\n\nROOT_IP_LIST=/usr/local/network_config/iplist\nROOT_RT=/run/systemd/network\n\ngen_route() {\n IPLIST=\"$ROOT_IP_LIST/$1\"\n GW=\"$2\"\n DEV=\"$3\"\n # Convert table to number\n TABLENAME=\"$4\"\n TABLE=\"$(awk 'substr($0, 1, 1) != \"#\" && $2 == \"'\"$TABLENAME\"'\" { print $1 }' /etc/iproute2/rt_tables | head -1)\"\n PRIORITY=\"$5\"\n\n F=\"$ROOT_RT/$DEV.network.d\"\n mkdir -p \"$F\"\n F=\"$F/route-${TABLENAME,,}.conf\"\n\n echo -e \"[RoutingPolicyRule]\\nTable=$TABLE\\nPriority=$PRIORITY\\n\" > \"$F\"\n awk '{ print \"[Route]\\nDestination=\" $1 \"\\nGateway='\"$GW\"'\\nTable='\"$TABLE\"'\\n\" }' \"$IPLIST\" >> \"$F\"\n}\n\ngen_route ustcnet.txt 202.38.95.126 cernet Ustcnet 5\ngen_route cernet.txt 202.38.95.126 cernet Cernet 6\ngen_route telecom.txt 202.141.160.126 telecom Telecom 6\ngen_route mobile.txt 202.141.176.126 mobile Mobile 6\ngen_route unicom.txt 218.104.71.161 unicom Unicom 6\ngen_route china.txt 218.104.71.161 unicom China 7\n
\u8fd9\u4e2a\u4ed3\u5e93\u91cc\u6709\u5f88\u591a\u4e2a txt \u6587\u4ef6\uff0c\u6bcf\u4e2a\u6587\u4ef6\u5bf9\u5e94\u4e00\u4e2a ISP \u7684\u5730\u5740\u5217\u8868\uff0c\u6bcf\u884c\u4e00\u4e2a CIDR\u3002\u811a\u672c\u4e2d\u7684 gen_route
\u51fd\u6570\u6839\u636e\u53c2\u6570\u8bfb\u53d6\u6587\u4ef6\uff0c\u5e76\u8f6c\u6362\u6210\u4e0b\u9762\u8fd9\u6837\u7684\u683c\u5f0f\uff1a
[Route]\nDestination=1.0.0.0/24\nGateway=202.38.95.126\nTable=1011\n
\u8fd9\u6837\u4e00\u4e2a [Route]
\u8282\u5bf9\u5e94\u4e00\u6761\u8def\u7531\u89c4\u5219\uff0c\u6574\u4e2a txt \u7684\u8f6c\u6362\u7ed3\u679c\u8f93\u51fa\u5230 /run/systemd/network/cernet.network.d/route-example.conf
\u3002\u5176\u4e2d cernet.network.d/*.conf
\u7528\u4e8e\u5411\u73b0\u6709\u7684\u914d\u7f6e\u4e2d\u6dfb\u52a0\u5185\u5bb9\uff08\u4e0e systemd service \u7c7b\u4f3c\uff09\uff0c\u800c /run
\u76ee\u5f55\uff08\u6309\u7406\u6765\u8bf4\uff09\u91cd\u542f\u4f1a\u6e05\u7a7a\uff0c\u9002\u5408\u653e\u7f6e\u8fd9\u4e9b\u7528\u4e8e\u52a8\u6001\u751f\u6210\u7684\u5185\u5bb9\u3002\u53e6\u5916\u7531\u4e8e\u8def\u7531\u89c4\u5219\uff08ip rule
\uff09\u4e5f\u7531 networkd \u7ba1\u7406\u548c\u751f\u6210\u4e86\uff0c\u56e0\u6b64\u6bcf\u4e2a route-xxx.conf
\u5f00\u5934\u4f1a\u5305\u542b\u4e00\u4e2a [RoutingPolicyRule]
\u8282\u7528\u4e8e\u751f\u6210\u8def\u7531\u8868\u5bf9\u5e94\u7684\u8def\u7531\u89c4\u5219\u3002
\u6ce8\u610f\u8def\u7531\u8868\u662f\u7528\u540d\u79f0\u6307\u5b9a\u7684\uff0c\u4ece /etc/iproute2/rt_tables
\u4e2d\u67e5\u51fa\u5bf9\u5e94\u7684\u6570\u5b57 ID\u3002\u8fd9\u4e2a\u6587\u4ef6\u672c\u6765\u4e5f\u662f ip
\u547d\u4ee4\u6240\u4f7f\u7528\u7684\uff08\u6ce8\u610f\u5b83\u7684\u76ee\u5f55\u540d\u53eb iproute2
\uff09\u3002
\u6700\u540e\u7ed9\u8fd9\u4e2a\u811a\u672c\u914d\u4e2a service\uff0c\u8ba9\u5b83\u5728 networkd \u4e4b\u524d\u8fd0\u884c\uff1a
# WARNING: This is NOT the final configuration file!\n[Unit]\nDescription=Generate routes for systemd-networkd\nBefore=systemd-networkd.service\n\n[Service]\nType=oneshot\nExecStart=/bin/bash /usr/local/network_config/route-all.sh\nRemainAfterExit=true\n\n[Install]\nWantedBy=network.target systemd-networkd.service\nWants=systemd-networkd.service\n
\u8fd9\u4e2a\u6587\u4ef6\u5b58\u5230 /etc/systemd/system/route-all.service
\uff0creload \u518d enable \u5c31\u53ef\u4ee5\u4e86\u3002
\u6539 systemd-networkd.service \u9700\u8981\u989d\u5916\u6ce8\u610f
\u8fd9\u4e2a\u81ea\u5e26\u7684\u670d\u52a1\u6709\u4e00\u4e2a User=systemd-networkd
\uff0c\u4f60\u65e2\u4e0d\u80fd ip rule
\u4e5f\u4e0d\u80fd\u5199\u5165 /run/systemd
\u7b49\uff0c\u4f1a\u5bfc\u81f4\u670d\u52a1\u70b8\u6389\uff0c\u7136\u540e\u7f51\u4e5f\u70b8\u4e86\u3002\u3002\u3002
\u5982\u679c\u8981\u6539 networkd \u670d\u52a1\u64cd\u4f5c ip rule
\u7684\u8bdd\uff0c\u9700\u8981\u5728\u547d\u4ee4\u884c\u524d\u9762\u52a0\u4e00\u4e2a +
\u8868\u793a\u8be5\u547d\u4ee4\u4e0d\u53d7 User=
\u7b49\u6743\u9650\u8bbe\u7f6e\u5f71\u54cd\uff0c\u8be6\u7ec6\u89e3\u91ca\u89c1 systemd.service \u6587\u6863\u3002
\u90e8\u5206 IP \u9700\u8981\u914d\u7f6e\u7279\u6b8a\u8def\u7531\u89c4\u5219\u65f6\uff08\u800c\u4e0d\u662f\u4f7f\u7528\u9ed8\u8ba4\uff09\uff0c\u7f16\u8f91 /usr/local/network_config/special.yml
\uff0c\u5176\u683c\u5f0f\u5982\u4e0b\uff1a
routes: # Root key\uff0c\u4fdd\u7559\n lugvpn: # /etc/systemd/network \u4e2d\u5bf9\u5e94\u7684 .network \u6587\u4ef6\u540d\n # \u4e0b\u9762\u662f\u4e00\u4e2a\u8def\u7531\u6587\u4ef6\u7684\u914d\u7f6e\uff0c\u4e00\u4e2a\u6587\u4ef6\u5171\u4eab\u4e00\u4e2a table \u548c gateway \u8bbe\u7f6e\n - name: route-special # \u5c06\u8981\u521b\u5efa\u7684 .conf \u6587\u4ef6\u540d\uff0c\u53ef\u4ee5\u968f\u610f\n table: Special # \u8def\u7531\u8868\uff0c\u5373 ip route add table \u540e\u9762\u7684\u53c2\u6570\uff0c\u6570\u5b57\u6216\u8868\u540d\n gateway: false # \u662f\u5426\u5305\u542b\u7f51\u5173\uff0c\u6216\u8005 ip route \u7684 via \u53c2\u6570\n routes: # \u6240\u6709\u7684\u8def\u7531\u6761\u76ee\n - 1.2.3.4\n - 5.6.7.8/28\n - 2001:db8::2333/64\n\n cernet: # \u66f4\u591a\u7684\u914d\u7f6e\n - ...\n
\u4fee\u6539 special.yml
\u4e4b\u540e\u91cd\u542f route-all.service
\u3002\u8be5\u670d\u52a1\u4f1a\u81ea\u52a8\u5bfc\u81f4 systemd-networkd.service
\u91cd\u542f\u5e76\u8f7d\u5165\u65b0\u7684\u8def\u7531\u914d\u7f6e\u4fe1\u606f\u3002
#!/usr/bin/ruby\n\nrequire 'fileutils'\nrequire 'yaml'\n\nBASEDIR = '/run/systemd/network'\nRT_TABLES = '/etc/iproute2/rt_tables'\n\nrt_tables = Hash.new\nFile.readlines(RT_TABLES).each do |l|\n next if l =~ /^\\s*#/\n id, name = l.split\n rt_tables[name] = id\nend\n\ndata = YAML.load_file File.join(__dir__, 'special.yml')\ndata['routes'].each do |fn, setups|\n confdir = File.join(BASEDIR, \"#{fn}.network.d\")\n FileUtils.mkdir_p confdir\n\n setups.each do |config|\n table = config['table']\n gateway = config['gateway']\n File.open File.join(confdir, \"#{config['name']}.conf\"), 'w' do |f|\n config['routes'].each do |dst|\n t = \"[Route]\\nDestination=#{dst}\\n\"\n t += \"Table=#{rt_tables.fetch table, table}\\n\" if table\n t += \"Gateway=#{gateway}\\n\" if gateway\n f.write t + \"\\n\"\n end\n end\n end\nend\n
route-all.service \u6709\u5f88\u591a\u6ce8\u610f\u4e8b\u9879
\u4e3a\u4e86\u6e05\u7406\u5f00\u673a\u81ea\u52a8\u4ea7\u751f\u7684 32766 \u548c 32767 \u4e24\u6761\u8def\u7531\u89c4\u5219\uff0c\u6211\u4eec\u540c\u65f6\u4e3a systemd-networkd.service
\u6dfb\u52a0\u4e86\u4e24\u4e2a ExecStartPre
\u5982\u4e0b\uff1a
[Service]\nExecStartPre=-+/sbin/ip rule delete from all table main pref 32766\nExecStartPre=-+/sbin/ip rule delete from all table default pref 32767\n
\u53e6\u9644\u5b8c\u6574\u7684 route-all.service
\u6587\u4ef6\uff1a
[Unit]\nDescription=Generate routes for systemd-networkd\nBefore=systemd-networkd.service\n\n[Service]\nType=oneshot\nExecStart=/bin/bash /usr/local/network_config/route-all.sh\nExecStart=/usr/local/network_config/special.rb\nRemainAfterExit=true\n\n[Install]\nWantedBy=network.target systemd-networkd.service\nWants=systemd-networkd.service\n
"},{"location":"services/pxe/","title":"PXE","text":"\u5bf9\u6821\u56ed\u7f51\u7528\u6237\u4e0e\u6821\u5916\u7528\u6237\u516c\u5f00\u7684 PXE \u670d\u52a1\u3002LIIMS \u4e0e\u76ee\u524d\u7684 PXE \u867d\u7136\u8fd0\u884c\u5728\u540c\u4e00\u53f0\u670d\u52a1\u5668\u4e0a\uff0c\u4f46\u662f\u914d\u7f6e\u6709\u6240\u4e0d\u540c\u3002
\u672c\u6587\u6863\u9700\u8981\u5927\u5e45\u6269\u5145
"},{"location":"services/pxe/#intro","title":"Intro","text":"https://lug.ustc.edu.cn/wiki/server/pxe/
https://lug.ustc.edu.cn/planet/2018/10/PXE-intro/
\u5173\u4e8e FAQ
https://lug.ustc.edu.cn/wiki/server/pxe/faq/ \u5b9e\u5728\u662f\u5e74\u5934\u592a\u4e45\u8fdc\u4e86\uff0c\u65e0\u6cd5\u66f4\u65b0\u3002\u65b0\u7684\u5185\u5bb9\u8bb0\u5f55\u5728\u672c\u6587\u6863\u4e2d\u3002
\u4e00\u822c\u7684\u542f\u52a8\u6d41\u7a0b\u662f\uff1a
PXE \u5728\u6821\u56ed\u7f51\u4e2d\u76f4\u63a5\u53ef\u7528\uff0c\u56e0\u4e3a\u5b66\u6821\u7684 DHCP \u670d\u52a1\u5668\u7ecf\u8fc7\u4e86\u914d\u7f6e\u3002
\u5982\u679c\u9700\u8981\u5728\u865a\u62df\u673a\u4e2d\u8c03\u8bd5\uff0c\u53ef\u4ee5\uff1a
\u63a8\u8350\u4f7f\u7528\u7684\u865a\u62df\u673a\u65b9\u6848
PXE \u80fd\u591f\u6210\u529f\u8fd0\u884c\u4e0e\u5426\u6709\u53ef\u80fd\u548c\u865a\u62df\u673a\u73af\u5883\uff08\u7279\u522b\u662f\u865a\u62df\u7f51\u5361\u578b\u53f7\uff09\u9ad8\u5ea6\u76f8\u5173\u3002\u63a8\u8350\u4f7f\u7528 QEMU\u3002
\u5176\u4e2d\u4e3b\u8981\u4f7f\u7528\u7684\u662f\u57fa\u4e8e GRUB2 \u548c simple-pxe \u7684\u65b0 PXE \u65b9\u6848\u3002\u4e3b\u677f\u56fa\u4ef6\u4f7f\u7528 TFTP \u534f\u8bae\u83b7\u53d6 GRUB2 \u7a0b\u5e8f\uff08core.0 \u6216\u8005 core.efi\uff09\u4e4b\u540e\uff0cGRUB2 \u4f1a\u901a\u8fc7 HTTP \u534f\u8bae\u83b7\u53d6\u5269\u4e0b\u6240\u6709\u7684\u6587\u4ef6\u3002
TFTP
\u548c FTP active \u6a21\u5f0f\u4e00\u6837\uff0cTFTP \u662f\u4e00\u4e2a\u6709\u70b9\u9ebb\u70e6\u7684\u534f\u8bae\uff0c\u5982\u679c\u4f60\u7684\u865a\u62df\u673a\u65e0\u6cd5\u4e0d\u7ecf\u8fc7 NAT \u8fde\u63a5 PXE \u670d\u52a1\u5668\uff0c\u90a3\u4e48\u5c31\u9700\u8981\u8c03\u6574\u7f51\u7edc\u914d\u7f6e\uff0c\u4f1a\u5f88\u9ebb\u70e6\uff0c\u518d\u52a0\u4e0a\u5bf9\u6821\u5916\u8bbf\u95ee\u9700\u6c42\u7684\u8003\u91cf\uff0c\u56e0\u6b64\u76ee\u524d\u7684\u8003\u8651\u662f\u5c3d\u91cf\u4f7f\u7528 HTTP\u3002
\u57fa\u4e8e SYSLINUX \u7684\u8001 PXE \u65b9\u6848\uff08lpxelinux.0 -> bin/lpxelinux.0\uff09\u76ee\u524d\u4ecd\u53ef\u542f\u52a8\uff0c\u4f46\u662f\u4e0d\u4f7f\u7528\u3002
"},{"location":"services/pxe/#syslinux","title":"SYSLINUX \u66f4\u65b0","text":"\u867d\u7136\u4e0d\u7ef4\u62a4\u4e86\uff0c\u4f46\u662f\u4ee5\u4e0b\u5185\u5bb9\u4ecd\u4f5c\u8bb0\u5f55\uff1a
wget https://mirrors.ustc.edu.cn/fedora/releases/40/Everything/x86_64/os/Packages/s/syslinux-tftpboot-6.04-0.26.fc40.noarch.rpm\n# decompress\nrpm2cpio syslinux-tftpboot-6.04-0.26.fc40.noarch.rpm | cpio -idmv\ncd tftpboot\nln -s lpxelinux.0 pxelinux.0\nln -s lpxelinux.0 undionly.kpxe\n
\u5f97\u5230\u7684 tftpboot \u76ee\u5f55\u66ff\u4ee3\u539f\u5148\u7684 tftp/bin \u76ee\u5f55\u3002\u542f\u52a8 VM \u7684\u65f6\u5019\u53ef\u4ee5 Wireshark \u770b\u770b\u5b83\u4e0b\u8f7d\u4e86\u54ea\u4e9b\u6587\u4ef6\u3002\u540c\u65f6\u8fd8\u6709\u4e2a pxeknife
\uff0c\u76ee\u524d\u53ea\u5728 SYSLINUX \u7684 PXE \u65b9\u6848\u4e2d\u53ef\u7528\u3002
pypxe
pypxe \u4f3c\u4e4e\u53ea\u5728 SYSLINUX \u65b9\u6848\u4e2d\u4f7f\u7528\u3002
"},{"location":"services/pxe/#uefi","title":"\u4f7f\u7528 UEFI \u76f4\u63a5\u542f\u52a8","text":"QEMU \u4e00\u822c\u4f7f\u7528\u7684 UEFI \u56fa\u4ef6 OVMF \u652f\u6301\u76f4\u63a5\u4ece HTTP \u542f\u52a8\u3002\u5728\u5199\u4f5c\u65f6\uff0cArch Linux \u6253\u5305\u7684 OVMF \u6ca1\u7f16\u8bd1\u6b64\u7279\u6027\uff0c\u5176\u4ed6\u7684\u53d1\u884c\u7248\u4e5f\u6709\u53ef\u80fd\u4e0d\u652f\u6301\uff0c\u56e0\u6b64\u9700\u8981\uff1a
\u7136\u540e\u4f7f\u7528\u4ee5\u4e0b\u547d\u4ee4\u542f\u52a8 QEMU\uff1a
qemu-system-x86_64 -L . --bios ../ovmf-x64/OVMF-pure-efi.fd\n
\u542f\u52a8\u540e\u9a6c\u4e0a\u6309\u4e0b ESC\uff0c\u8fdb\u5165\u914d\u7f6e\u754c\u9762\uff0c\u7136\u540e\u9605\u8bfb https://github.com/tianocore/tianocore.github.io/wiki/HTTP-Boot \u505a\u8fdb\u4e00\u6b65\u914d\u7f6e\u3002
\u65e7\u7248\u672c\u7684 GRUB2 \u53ef\u80fd\u6709 bug\uff08\u4f8b\u5982 https://github.com/ustclug/discussions/issues/456\uff09\uff0c\u56e0\u6b64\u6709\u65f6\u5019\u9700\u8981\u5347\u7ea7\u3002
\u66f4\u65b0\u7b56\u7565\u8003\u8651\u4f7f\u7528 Debian stable \u7684 grub2\u3002\u542f\u52a8\u5bb9\u5668\u5e76\u4e14\u5c06\u5916\u9762\u7684\u76ee\u5f55 bind mount\uff1a
docker run -it --rm -v $(pwd)/tftp:/srv/tftp ustclug/debian:12\n
\u7136\u540e\u5728\u5bb9\u5668\u4e2d\u6267\u884c\uff1a
apt update && apt install grub-common grub-pc grub-efi-amd64-signed\ngrub-mknetdir\ngrub-mkimage -d /usr/lib/grub/i386-pc -O i386-pc-pxe -o /srv/tftp/boot/grub/i386-pc/core.0 -p '(http,202.38.93.94)/boot/tftp/grub/' pxe http\ngrub-mkimage -d /usr/lib/grub/x86_64-efi -O x86_64-efi -o /srv/tftp/boot/grub/x86_64-efi/core.efi -p '(http,202.38.93.94)/boot/tftp/grub/' efinet http\n
\u6700\u540e\u4e24\u4e2a grub-mkimage
\u662f\u56e0\u4e3a grub-mknetdir
\u751f\u6210\u7684\u955c\u50cf\u4f7f\u7528 tftp \u534f\u8bae\uff0c\u5728\u8c03\u8bd5\u65f6\u53ef\u80fd\u4f1a\u6709\u95ee\u9898\u3002\u6211\u4eec\u5e0c\u671b GRUB2 \u80fd\u591f\u5168\u7a0b\u4f7f\u7528 HTTP \u505a\u5269\u4e0b\u7684\u5de5\u4f5c\u3002
\u66f4\u6362\u6587\u4ef6\u7684\u65f6\u5019\u522b\u628a\u914d\u7f6e\u8986\u76d6\u4e86\u3002
"},{"location":"services/pxe/#ipxe-iso","title":"\u6784\u5efa iPXE ISO","text":"\u53c2\u8003 https://ipxe.org/embed\u3002
#!ipxe\n\n# Generated by GPT-4\ndhcp\nset 210:string http://202.38.93.94/boot/tftp/\n\n# UEFI boot?\niseq ${platform} efi && goto uefi || goto bios\n\n:uefi\necho \"UEFI boot detected\"\nchain ${210:string}bootx64.efi\nexit\n\n:bios\necho \"BIOS boot detected\"\nchain ${210:string}pxelinux.0\nexit\n
clone ipxe/ipxe \u4ed3\u5e93\uff0c\u8fdb\u5165 src \u76ee\u5f55\uff0c\u7136\u540e\u6267\u884c\uff1a
# https://github.com/ipxe/ipxe/pull/50\nmake bin-x86_64-efi/ipxe.efi bin/ipxe.lkrn\n./util/genfsimg -o ustc.ipxe.iso -s ../../ustc.ipxe bin-x86_64-efi/ipxe.efi bin/ipxe.lkrn\n
"},{"location":"services/pxe/#_2","title":"\u67b6\u6784","text":"\u65b0 PXE \u65b9\u6848\u7684 HTTP \u670d\u52a1\u5668\u4e3a Apache + Nginx\u3002URL \u4e2d\u7684 boot2 \u5bf9\u5e94 /nfsroot/pxe\u3002
\u5904\u7406 web \u670d\u52a1\u5668
\u76ee\u524d PXE \u673a\u5668\u7684 web \u670d\u52a1\u5668\u6709\u70b9\u8be1\u5f02\uff0cApache2 \u76d1\u542c 80\uff0cNginx \u76d1\u542c 443\uff0c\u540e\u7eed\u9700\u8981\u8c03\u6574\u5904\u7406\u3002
\u6587\u4ef6\u8df3\u8f6c\u914d\u7f6e
Apache2 \u4e2d\u914d\u7f6e\u4e86\u4e00\u4e9b alias \u8df3\u8f6c\uff0c\u540c\u6837\u7684\uff0cTFTP \u4e5f\u6709\u7c7b\u4f3c\u7684\u914d\u7f6e\uff08/etc/xinetd.d/tftp
\u7684 server_args
\u91cc\u9762\u6709 -m /home/pxe/tftp/REMAP
\uff09\u3002
\u9700\u8981\u68c0\u67e5\u4e00\u81f4\u6027\u3002
\u5982\u679c\u51fa\u73b0\u95ee\u9898\u9700\u8981\u8c03\u8bd5\uff0c\u5efa\u8bae\u6293\u5305\uff08\u53ef\u4ee5\u4f7f\u7528 Wireshark \u67e5\u770b TFTP \u6216 HTTP \u534f\u8bae\uff09\u770b\u662f\u5426\u6b63\u5e38\u3002
\u6bcf\u5929\u51cc\u6668\uff0cpxe \u7528\u6237\u7684 crontab \u4efb\u52a1\u4f1a\u6267\u884c https://github.com/ustclug/simple-pxe/blob/master/simple-pxe-in-docker\uff08\u6587\u4ef6\u4f4d\u4e8e pxe \u7528\u6237\u7684 home \u4e2d\uff09\uff0c\u5b9e\u73b0 PXE \u76f8\u5173\u6587\u4ef6\u7684\u66f4\u65b0\u3002
"},{"location":"services/pxe/#faults","title":"\u6545\u969c","text":"pxe \u670d\u52a1\u5668\u5728\u5347\u7ea7\u5230 Debian Bullseye (11) \u540e\u65e0\u6cd5\u6b63\u5e38\u5f00\u673a\uff0c\u7ecf\u8fc7 GRUB \u8fdb\u5165\u5185\u6838\u540e\u6bcf 5 \u79d2\u5237\u51fa\u4ee5\u4e0b\u4fe1\u606f\uff1a
DMAR: DRHD: handling fault status reg 2\nDMAR: [DMA Read] Request device [03:00.0] PASID ffffffff fault addr cb2f0000 [fault reason 06] PTE Read access is not set\nDMAR: DRHD: handling fault status reg 102\n
\u7531\u4e8e\u6b64\u65f6\u521a\u5347\u7ea7\u81f3 Debian Bullseye\uff0c\u6240\u4ee5\u7cfb\u7edf\u4ecd\u7136\u4fdd\u7559\u4e86 Debian Buster \u7684 4.19 \u7248\u5185\u6838\u3002\u91cd\u542f\u8fdb\u8be5\u5185\u6838\u53ef\u6b63\u5e38\u542f\u52a8\u5e76\u8fd0\u884c\u670d\u52a1\uff0c\u4f46\u53ea\u8981\u8fdb 5.10 \u7684\u5185\u6838\u5c31\u4f1a\u51fa\u73b0\u4ee5\u4e0a\u9519\u8bef\u3002\u6d4b\u8bd5 Proxmox VE \u63d0\u4f9b\u7684 pve-kernel-5.15 \u4e5f\u662f\u540c\u6837\u95ee\u9898\u3002
\u641c\u7d22\u53d1\u73b0\u4e3b\u673a\u4f7f\u7528\u7684 RAID \u5361 PERC H310 \u4e0d\u652f\u6301\u76f4\u901a\uff08IOMMU \u865a\u62df\u5316\uff09\uff0c\u914d\u7f6e GRUB \u52a0\u5165 intel_iommu=off
\u540e\u53ef\u4ee5\u6b63\u5e38\u8fdb\u5165 5.10 \u7684\u5185\u6838\uff0c\u4f5c\u4e3a\u89e3\u51b3\u65b9\u6848\u3002
\u6309\u8bf4 IOMMU\uff08VT-d\uff09\u4e0d\u5e94\u8be5\u9ed8\u8ba4\u542f\u7528\uff0c\u56e0\u6b64\u731c\u6d4b 5.10+ \u7684\u5185\u6838\u4f1a\u4e3b\u52a8\u5c1d\u8bd5\u5f00\u542f IOMMU\uff0c\u5bfc\u81f4 RAID \u5361\u51fa\u9519\u3002
\u6bd4\u8f83 /boot/config-4.19.0-18-amd64
\u548c /boot/config-5.10.0-11-amd64
\u540e\u53d1\u73b0 5.10 \u7248\u7684 config \u591a\u4e86\u4e00\u884c CONFIG_INTEL_IOMMU_DEFAULT_ON_INTGPU_OFF=y
\uff0c\u641c\u7d22\u53d1\u73b0 Debian bug #932086\uff0c\u5373 Debian \u9ed8\u8ba4\u5bf9\u9664\u4e86 Intel GPU \u4ee5\u5916\u7684\u8bbe\u5907\u542f\u7528 IOMMU\uff08linux 5.2.9-2
\uff09\u3002
\u53c2\u8003\u94fe\u63a5\uff1a
https://github.com/ustclug/simple-pxe/blob/master/menu.d/tool.sh
\u4f9d\u8d56\u4e8e Arch Linux \u63d0\u4f9b\u7684 EFI \u6587\u4ef6\u3002
"},{"location":"services/pxe/images/#memtest86","title":"Memtest86+","text":"https://github.com/memtest86plus/memtest86plus
\u6b64\u5916 memtest86 \u6709\u4e2a\u95ed\u6e90\u5b9e\u73b0\uff0c\u4e0d\u8003\u8651\u7ee7\u7eed\u7ef4\u62a4\u3002
\u4ee5\u4e0b\u6b65\u9aa4\u53c2\u8003\u4e86 https://gitlab.archlinux.org/archlinux/packaging/packages/memtest86plus/-/blob/main/PKGBUILD?ref_type=heads\u3002
git clone https://github.com/memtest86plus/memtest86plus.git\ncd memtest86plus/build64\nmake\n
\u5f97\u5230\u7684 memtest.bin
\u662f BIOS \u7248\u7684\uff0cmemtest.efi
\u662f UEFI \u7248\u7684\u3002
\u542f\u52a8\u83dc\u5355\uff1ahttps://github.com/ustclug/simple-pxe/blob/master/menu.d/tool.sh\u3002
"},{"location":"services/pxe/images/#gparted","title":"GParted","text":"https://github.com/ustclug/simple-pxe/blob/master/menu.d/gparted.sh\u3002
\u542f\u52a8\u53c2\u6570\u4e0d\u80fd\u52a0 ip=
\uff1ahttps://gitlab.gnome.org/GNOME/gparted/-/issues/141\u3002
Short for Libray Independent Inquery Machine System.
Server: pxe.s.ustclug.org
Git Repository:
It is strongly advised to clone liimstrap and read through it when reading this document.
"},{"location":"services/pxe/liims/#add-machine","title":"\u542f\u52a8\u914d\u7f6e","text":"\u914d\u7f6e\u6587\u4ef6\u5728 /home/pxe/tftp/grub/grub.cfg.d
\uff0c\u82e5\u8981\u5141\u8bb8\u65b0\u673a\u5668\u542f\u52a8 liims \u955c\u50cf\uff0c\u521b\u5efa\u4e00\u4e2a\u7b26\u53f7\u94fe\u63a5\u5230\u5bf9\u5e94\u7684\u914d\u7f6e\u6587\u4ef6\u3002\u4f8b\u5982\uff1a
ln -s common_el 02:23:45:67:89:ab\n
\u76ee\u524d\u6211\u4eec\u901a\u8fc7\u51e0\u4e2a\u7b26\u53f7\u94fe\u63a5\u5c06\u914d\u7f6e\u6587\u4ef6\u201c\u5206\u7ec4\u201d\uff0cMAC \u5730\u5740\u5bf9\u5e94\u7684\u7b26\u53f7\u94fe\u63a5\u5e94\u8be5\u94fe\u63a5\u5230\u8fd9\u4e9b\u5206\u7ec4\u4e0a\u3002\u5df2\u6709\u7684\u5206\u7ec4\u5982\u4e0b\uff1a
common_el
\uff1aEL \u5373 East-campus Library\uff08\u4e1c\u56fe\uff09common_wl
\uff1aWL \u5373 West-campus Library\uff08\u897f\u56fe\uff09common_sl
\uff1aSL \u5373 South-campus Library\uff08\u5357\u56fe\uff09common_iat
\uff1aIAT \u5373\u5148\u7814\u9662common_gx
\uff1aGaoXin \u9ad8\u65b0\u6821\u533atest
\uff1a\u6d4b\u8bd5\u955c\u50cf\u9664\u6b64\u4e4b\u5916\uff0c\u8fd8\u9700\u8981\u5728\u67e5\u8be2\u673a\u76d1\u63a7\u7a0b\u5e8f\u4e2d\u6dfb\u52a0\u8be5 MAC \u5730\u5740\uff0c\u89c1\u4e0b\u65b9\u67e5\u8be2\u673a\u76d1\u63a7\u3002
"},{"location":"services/pxe/liims/#lib-api","title":"\u4e3a\u56fe\u4e66\u9986\u8001\u5e08\u5f00\u653e\u7684\u63a5\u53e3","text":"\u56fe\u4e66\u9986\u8001\u5e08\u53ef\u4ee5\u901a\u8fc7 SSH \u767b\u5f55\u673a\u5668\u76f4\u63a5\u521b\u5efa\u6240\u9700\u7684\u7b26\u53f7\u94fe\u63a5\uff08\u4f46\u662f\u8fd8\u9700\u8981\u6211\u4eec\u6765\u6539\u76d1\u63a7\u7a0b\u5e8f\u7684 json\uff09\u3002\u76f8\u5173\u914d\u7f6e\u5982\u4e0b\uff1a
/etc/sudoers.d/sonniesonnie ALL=(pxe) NOPASSWD: /home/pxe/tftp/grub/grub.cfg.d/add_host.py *\n
/etc/ssh/sshd_configMatch User sonnie\n AllowUsers sonnie\n PubkeyAuthentication yes\n AuthorizedKeysFile .ssh/authorized_keys\n
/etc/nsswitch.conf
\u628a sudoers \u4e00\u884c\u4e2d\u7684 ldap \u79fb\u5230 files \u524d\u9762\u3002
\u9ed8\u8ba4\u60c5\u51b5\u4e0b ldap \u5728 files \u540e\u9762\uff0c\u90a3\u4e48\u6765\u81ea LDAP \u7684 sudo rules \u4f1a\u6392\u5728 sudoers \u6587\u4ef6\u4e2d\u7684 rules \u7684\u540e\u9762\uff0c\u800c sudo \u662f\u540e\u9762\u7684\u89c4\u5219\u4f18\u5148\u7ea7\u66f4\u9ad8\uff0c\u4f1a\u5bfc\u81f4\u65e0\u6cd5 NOPASSWD \u8fd0\u884c\u811a\u672c\u3002
"},{"location":"services/pxe/liims/#_1","title":"\u542f\u52a8\u955c\u50cf","text":"\u4f4d\u4e8e /home/pxe/nfsroot/<category>/<name>
\uff0c\u5176\u4e2d <name>
\u5c31\u662f\u955c\u50cf\u540d\u79f0\uff08\u4f8b\u5982 liims160909
\uff09\u3002\u76ee\u524d\u6709\u4e24\u79cd\u90e8\u7f72\u65b9\u5f0f\uff1a\u4e00\u79cd\u662f NFS as rootfs\uff0c\u6587\u4ef6\u5939\u4e2d\u5c31\u662f\u6574\u4e2a rootfs\uff0c\u76f4\u63a5\u4fee\u6539\u8fd9\u91cc\u7684\u6587\u4ef6\uff0c\u673a\u5668\u91cd\u542f\u540e\u5c31\u4f1a\u8f7d\u5165\u3002\uff08\u6ce8\u610f\uff1a\u8986\u76d6\u6587\u4ef6\u53ef\u80fd\u5bfc\u81f4\u5df2\u6709\u7684\u673a\u5668\u8fd0\u884c\u9519\u8bef\uff09
\u53e6\u4e00\u79cd\u662f\u6253\u5305\u538b\u7f29\u4e3a squashfs\uff0c\u6b64\u65f6\u6587\u4ef6\u5939\u4e0b\u4e09\u4e2a\u6587\u4ef6\u5206\u522b\u4e3a vmlinuz\uff08kernel\uff09, initrd.img \u548c root.sfs\uff08squashfs \u955c\u50cf\uff09\u3002\u5982\u679c\u9700\u8981\u4fee\u6539\uff0c\u53ef\u4ee5\u4f7f\u7528 unsquashfs
\u89e3\u538b\u7f29\uff0c\u4fee\u6539\u5b8c\u6210\u540e\u53c2\u8003\u4ed3\u5e93\u4e2d deploy \u6587\u4ef6\u518d\u538b\u7f29\u4e3a squashfs\u3002
IP \u767d\u540d\u5355\u91c7\u7528 iptables \u5b9e\u73b0\uff0c\u4fee\u6539 rootfs \u4e0b\u7684 etc/iptables/rules.v4
\u548c rules.v6
\u53ef\u4fee\u6539\u7b56\u7565\u3002\u6ce8\u610f\uff1a\u9632\u706b\u5899\u7b56\u7565\u4ec5\u5728\u673a\u5668\u542f\u52a8\u65f6\u4f1a\u8f7d\u5165\u4e00\u6b21\u3002
\u5907\u6ce8
\u6b64\u8282\u7684\u5185\u5bb9\u4ec5\u9002\u7528\u4e8e 2022 \u4e4b\u524d\u7684\u8001\u7248\u672c\uff0c\u65b0\u7248\u672c\u6709\u5173\u6784\u5efa\u3001\u8c03\u8bd5\u7b49\u5185\u5bb9\u8bf7\u76f4\u63a5\u9605\u8bfb liimstrap \u4ed3\u5e93 README\u3002
\u4f7f\u7528 liimstrap \u5728 ArchLinux \u4e0b\u8fdb\u884c\u6784\u5efa\uff0cliimstrap \u4f7f\u7528\u65b9\u6cd5\u53c2\u8003\u4ed3\u5e93\u4e2d\u7684\u8bf4\u660e\u3002
\u6784\u5efa\u540e\u9700\u8981\u63a8\u9001\u5230\u670d\u52a1\u5668\u4e0a\u7684 /nfsroot/liims
\u4e0b\uff0c\u5e76\u8bbe\u7f6e /usr \u7684\u6240\u6709\u8005\u4e3a liims\u3002\u673a\u5668\u7684\u9ed8\u8ba4 pxe \u542f\u52a8\u914d\u7f6e\u5728 /home/pxe/tftp/pxelinux.cfg/
\u4e0b
\u521b\u5efa\u5e76\u6302\u8f7d\u4e34\u65f6\u955c\u50cf:
dd if=/dev/zero of=liims.img bs=4k count=1200000\nmkfs.ext4 liims.img\nmount -o loop liims.img /mnt\n
\u5047\u8bbe\u5f53\u524d\u8def\u5f84\u4e3a liimstrap\uff0c\u4fee\u6539 initcpio/mkinitcpio.conf
\uff0c\u53bb\u6389 HOOKS \u4e2d\u7684 liims_root
\uff0c\u589e\u52a0 block
\uff08\u4ec5\u8c03\u8bd5\u65f6\u9700\u8981\uff09\u3002 \u4f7f\u7528 liimstrap \u5236\u4f5c\u955c\u50cf ./liimstrap /mnt
\u3002\u5b8c\u6210\u540e\u4f7f\u7528 qemu \u6253\u5f00\u8c03\u8bd5:
qemu -kernel /mnt/boot/vmlinuz-lts\\\n -initrd /mnt/boot/initramfs-linux-lts.img\\\n -hda liims.img\\\n -netdev user,id=mynet0,net=114.214.188.0/24,dhcpstart=114.214.188.9\\\n -device i82557a,netdev=mynet0\\\n -append \"root=/dev/sda rootflags=rw\"\n
\u6ce8\uff1a\u5176\u4e2d netdev \u4e2d\u7684 ip \u6bb5\u53ef\u4ee5\u81ea\u7531\u9009\u53d6\uff0cdevice
\u4e2d\u7684\u8bbe\u5907\u540d\u901a\u8fc7 qemu -device \\?
\u67e5\u770b\u540e\u9009\u62e9\u4efb\u4e00\u7f51\u7edc\u8bbe\u5907\u5373\u53ef
http://pxe.ustc.edu.cn:3000/
2022 \u5e74\u524d\uff0c\u63d0\u4f9b\u670d\u52a1\u7684\u662f\u4e00\u4e2a Docker \u5bb9\u5668\u3002\u5728 iBug \u7528 Go \u91cd\u5199\u4e4b\u540e\uff0c\u76ee\u524d\u76f4\u63a5\u8dd1\u5728 host \u4e0a\u3002
\u6dfb\u52a0\u65b0\u673a\u5668
\u4fee\u6539 https://github.com/ustclug/liimstrap/blob/master/monitor/clients.json \u540e\uff0c\u5728 pxe \u4e0a clone \u5e76\u5728\u5f53\u524d\u76ee\u5f55 build\u3002\u4f7f\u7528 docker-run-script \u4e2d\u5bf9\u5e94\u811a\u672c\u6267\u884c\u5bb9\u5668\u5373\u53ef\u3002
\u4fee\u6539 /etc/liims-monitor/clients.json
\u4e4b\u540e systemctl reload liims-monitor.service
\u5373\u53ef\u3002
{\n \"name\": \"\u4e1c\u533a\u4e09\u697c\u4e1c01\",\n \"mac\": \"0223456789ab\"\n}\n
"},{"location":"workflow/new-server/","title":"New Server Setup Checklist","text":""},{"location":"workflow/new-server/#ntp-date","title":"NTP Date","text":"Install either chrony
or systemd-timesyncd
(recommended). Usually chrony comes pre-installed so it's easily forgot.
=== \"Chrony\"
Replace the default NTP pool with USTC's NTP server `time.ustc.edu.cn`, like this:\n\n```shell title=\"/etc/chrony/chrony.conf\" linenums=\"7\"\n# Use Debian vendor zone.\n#pool 2.debian.pool.ntp.org iburst\nserver time.ustc.edu.cn iburst\n```\n\nThen restart the service:\n\n```shell\nsystemctl restart chrony\n```\n
=== \"systemd-timesyncd\"
For Debian 11 and up, we use an override file to configure the NTP server:\n\n```shell title=\"/etc/systemd/timesyncd.conf.d/ustc.conf\"\n[Time]\nNTP=time.ustc.edu.cn\n```\n\nThen restart the service:\n\n```shell\nsystemctl restart systemd-timesyncd\n```\n
"},{"location":"workflow/new-server/#time-zone","title":"Time zone","text":"Run dpkg-reconfigure tzdata
and select Asia/Shanghai as the timezone. Reboot the server.
update-alternatives --set iptables /usr/sbin/iptables-nft\nupdate-alternatives --set ip6tables /usr/sbin/ip6tables-nft\n
"},{"location":"workflow/new-server/#update-resolvconf","title":"Update resolv.conf","text":""},{"location":"workflow/new-server/#install-console-setup","title":"Install console-setup","text":"This may have already come with the base system. It's more likely missed if the system is installed from scratch (bootstrapped).
"},{"location":"workflow/new-vm/","title":"Create new server in LUGi","text":"We no longer have a vSphere cluster, so anything mentioning vSphere is left only for references.
"},{"location":"workflow/new-vm/#create-vm-in-vcenter","title":"Create VM in vCenter","text":"vCenter \u5730\u5740\uff1avcenter2.vm.ustclug.org
\u6309\u7167\u63d0\u793a\u521b\u5efa\u865a\u62df\u673a
Note
\u5c06\u7f51\u7edc\u6539\u4e3a cernet\uff0c\u4ee5\u4fbf\u7528 DHCP \u83b7\u5f97 IP \u5730\u5740\uff0c\u7528 PXE \u5b89\u88c5\u7cfb\u7edf\u3002
\u51e0\u4e2a\u5173\u952e\u914d\u7f6e\uff1a
\u6211\u4eec\u76ee\u524d\u4e0d\u4f7f\u7528 PVE \u8fd0\u884c LXC \u5bb9\u5668\uff0c\u56e0\u6b64\u672c\u6587\u6863\u53ea\u4ecb\u7ecd\u521b\u5efa KVM \u865a\u62df\u673a\u7684\u6b65\u9aa4\u3002\u63a8\u8350\u4f7f\u7528 web \u754c\u9762\u64cd\u4f5c\uff0c\u9664\u975e\u4f60\u9700\u8981\u6279\u91cf\u521b\u5efa\u865a\u62df\u673a\uff08\u6b64\u65f6\u901a\u8fc7 SSH \u767b\u5f55\u540e\u53ef\u4ee5\u4f7f\u7528 qm
\u547d\u4ee4\u6279\u5904\u7406\uff09\u3002
\u767b\u5f55 web \u754c\u9762\uff0c\u70b9\u51fb\u53f3\u4e0a\u89d2\u7684 Create VM\uff0c\u5f39\u51fa\u521b\u5efa\u865a\u62df\u673a\u7684\u5bf9\u8bdd\u6846\u3002
General\u6b63\u786e\u9009\u62e9\u865a\u62df\u673a\u6240\u5728\u7684 Node\uff08\u5373 Host\uff09\uff0c\u5e76\u6307\u5b9a\u4e00\u4e2a VMID\u3002\u76ee\u524d VMID \u7684\u5206\u914d\u65b9\u6848\u662f\u4e1c\u56fe 300-399\uff0cNIC 200-299\uff0c\u5728\u6b64\u57fa\u7840\u4e0a\u9012\u589e\u5373\u53ef\u3002\u7ed9 VM \u8d77\u4e2a\u6613\u4e8e\u8fa8\u8bc6\u7684\u540d\u79f0\uff0c\u4e0d\u8981\u4e0e\u5df2\u6709 VM \u91cd\u590d\u3002Resource Pool \u7559\u7a7a\u5373\u53ef\u3002
OS\u9664\u975e\u4f60\u8981\u4f7f\u7528 iso \u955c\u50cf\u624b\u52a8\u5b89\u88c5\u7cfb\u7edf\uff0c\u5426\u5219\u8bf7\u9009\u62e9\u300cDo not use any media\u300d\u3002\u6b63\u786e\u9009\u62e9 Guest OS \u7684\u7c7b\u578b\u548c\u7248\u672c\u3002
System\u5c06 SCSI Controller \u8bbe\u4e3a VirtIO SCSI\uff08\u6ce8\u610f\u4e0d\u8981\u9009 VirtIO SCSI Single\uff09\uff0c\u52fe\u4e0a Qemu Agent \u9009\u9879\uff0c\u5176\u4ed6\u9009\u9879\u90fd\u9009 Default \u5373\u53ef\u3002
Disks, CPU, Memory\u6309\u9700\u5206\u914d\uff0c\u78c1\u76d8\u5bb9\u91cf\u5efa\u8bae\u63a7\u5236\u5728 10 GB \u4ee5\u5185\uff08\u4ec5\u7cfb\u7edf\u76d8\uff0c\u53ef\u53e6\u52a0\u6570\u636e\u76d8\uff09\uff0c\u5176\u4e2d Disk \u52fe\u9009\u4e0a Discard\uff0cCPU Type \u63a8\u8350\u9009\u62e9 Host\u3002
Network\u6309\u9700\u9009\u62e9\uff0cModel \u9009 VirtIO\uff0c\u7136\u540e\u53d6\u6d88\u52fe\u9009 Firewall\u3002
\u8bb0\u5f97\u5728\u865a\u62df\u673a\u7684 Options \u91cc\u5c06 Start at boot \u8bbe\u4e3a Yes
\u5728 Proxmox VE \u4e0a\uff0c\u901a\u8fc7 web \u754c\u9762\u521b\u5efa\u65b0\u865a\u62df\u673a\u540e\uff0c\u53ef\u4ee5\u4f7f\u7528\u666e\u901a\u65b9\u5f0f\u5b89\u88c5\u7cfb\u7edf\uff0c\u4e5f\u53ef\u4ee5\u76f4\u63a5\u5bfc\u5165\u53d1\u884c\u7248\u63d0\u4f9b\u7684\u865a\u62df\u673a\u955c\u50cf\uff08\u9700\u8981\u901a\u8fc7 SSH \u767b\u5f55 Proxmox VE \u6216 NFS \u670d\u52a1\u5668\uff09\u3002
\u4e0b\u9762\u4ee5 Debian \u4e3a\u4f8b\uff0c\u521b\u5efa\u4e00\u4e2a\u65b0\u865a\u62df\u673a\uff0c\u7136\u540e\u6253\u5f00 https://mirrors.ustc.edu.cn/debian-cdimage/cloud/bullseye/\uff0c\u70b9\u51fb\u6700\u65b0\u7684\u76ee\u5f55\uff08\u51fa\u4e8e\u672a\u77e5\u539f\u56e0 latest \u94fe\u63a5\u662f\u574f\u7684\uff09\uff0c\u590d\u5236 debian-11-genericcloud-amd64-<date>-<rev>
\u7684\u94fe\u63a5\uff08\u63a8\u8350\u4f7f\u7528 genericcloud \u800c\u4e0d\u662f generic\uff0c\u5176\u9884\u88c5 linux-image-cloud-amd64
\uff0c\u76f8\u6bd4\u4e8e\u201c\u5b8c\u6574\u7248\u201d\u5185\u6838\u7cbe\u7b80\u6389\u4e86\u5927\u90e8\u5206\u7269\u7406\u8bbe\u5907\u7684\u9a71\u52a8\u7a0b\u5e8f\uff0c\u9002\u7528\u4e8e\u865a\u62df\u673a\u73af\u5883\uff09\uff0c\u7136\u540e\u767b\u5f55 Proxmox VE \u6216 vdp\uff08NFS \u670d\u52a1\u5668\uff09\uff0c\u4f7f\u7528\u4ee5\u4e0b\u547d\u4ee4\u76f4\u63a5\u4e0b\u8f7d\u955c\u50cf\u81f3\u865a\u62df\u673a\u78c1\u76d8\uff1a
# Proxmox VE (ZFS / LVM), use RAW\nwget -O /dev/zvol/rpool/data/vm-<id>-disk-0 https://mirrors.ustc.edu.cn/<...>.raw\nwget -O /dev/<vg>/<lv> https://mirrors.ustc.edu.cn/<...>.raw\n\n# vdp over NFS, use QCOW2\nwget -O /media/vdp/pve/images/<path>.qcow2 https://mirrors.ustc.edu.cn/<...>.qcow2\n
\u7136\u540e\u5728 web \u754c\u9762\u6307\u5b9a\u865a\u62df\u673a\u7684\u78c1\u76d8\uff08\u5982\u6709\u9700\u8981\uff09\u3002
"},{"location":"workflow/new-vm/#reset-password","title":"Reset password","text":"\u7531\u4e8e Debian \u63d0\u4f9b\u7684 cloud image \u9ed8\u8ba4\u7981\u7528\u4e86 root \u7528\u6237\uff0c\u9700\u8981\u624b\u52a8\u6302\u8f7d\u78c1\u76d8\uff0c\u7f16\u8f91\u78c1\u76d8\u4e2d\u7684 /etc/shadow
\u6587\u4ef6\uff0c\u5c06\u7b2c\u4e00\u884c\u7684 root:*:...
\u6539\u4e3a root::...
\uff08\u5373\u5220\u6389\u661f\u53f7\uff09\u3002\u6ce8\u610f\u4e0d\u8981\u8bef\u6539\u4e3b\u673a\u7684 shadow \u6587\u4ef6\u3002
Tip
\u6b64\u6b65\u9aa4\u4e5f\u53ef\u4ee5\u66ff\u6362\u4e3a chroot \u8fdb\u53bb\u540e\u4f7f\u7528 passwd
\u4fee\u6539\u6216\u6e05\u7a7a\u5bc6\u7801\u3002\u5982\u679c\u4f60\u4e0d\u591f\u719f\u6089 shadow \u6587\u4ef6\u7684\u683c\u5f0f\uff0c\u8fd9\u6837\u505a\u66f4\u5b89\u5168\u3002
\u5bf9\u4e8e ZFS \u548c LVM \u5b58\u50a8\u7684\u78c1\u76d8\uff0c\u53ef\u4ee5\u76f4\u63a5\u6302\u8f7d /dev/zvol/<...>
\u6216 /dev/<vg>/<lv>
\uff08\u4f60\u53ef\u80fd\u9700\u8981\u4f7f\u7528 kpartx
\u5de5\u5177\u52a0\u8f7d\u5206\u533a\uff09\u3002\u5bf9\u4e8e Qcow2 \u6587\u4ef6\u7684\u78c1\u76d8\uff0c\u53ef\u4ee5\u53c2\u8003\u8fd9\u4e2a Gist \u4f7f\u7528 qemu-nbd
\u5de5\u5177\u6765\u6302\u8f7d\u3002\u5176\u4e2d nbd
\u662f Linux \u539f\u751f\u7684\u5185\u6838\u6a21\u5757\uff0c\u53ef\u4ee5\u653e\u5fc3 modprobe\u3002
\u4f60\u4e5f\u53ef\u4ee5\u5728\u8fd9\u4e00\u6b65\u540c\u65f6\u4fee\u6539\u522b\u7684\u914d\u7f6e\u6587\u4ef6\uff0c\u4f8b\u5982\u628a /etc/apt/sources.list
\u6362\u6389\u7b49\u3002\u4fee\u6539\u5b8c\u6210\u540e\u4e0d\u8981\u5fd8\u8bb0 umount\u3002
The first two or three boots may hang or end up in kernel panic - this is completely normal. The cloud image will grow the root partition and filesystem to the virtual disk size. After it's all set, purge everything related to cloud-init
.
For better console experiences, install and configure console-setup
, and add vga=792
to GRUB_CMDLINE_LINUX
in /etc/default/grub
. Then run update-grub
and reboot.
db/ustclug/ustclug.intranet
\uff09ifdown -a
/etc/network/interfaces
ifup -a
qemu-guest-agent
open-vm-tools
ssh
\u89c1 LDAP \u670d\u52a1\u4f7f\u7528\u53ca\u914d\u7f6e\u8bf4\u660e \u548c \u4e3a\u670d\u52a1\u5668\u8bbe\u7f6e SSH CA
"},{"location":"workflow/ldap/add-new-user/","title":"\u5728 LDAP \u4e2d\u6dfb\u52a0\u65b0\u7528\u6237","text":""},{"location":"workflow/ldap/add-new-user/#ldap_1","title":"\u65b0\u5efa LDAP \u7528\u6237","text":"POSIX > Group membership > Add\uff1a\u6839\u636e\u9700\u8981\u6dfb\u52a0\u7684\u6743\u9650\u9009\u62e9\u5bf9\u5e94\u7684\u7ec4\uff0c\u5177\u4f53\u8bf4\u660e\u8be6\u89c1 LDAP Users \u548c Groups
LDAP \u7f13\u5b58\u82e5\u53d1\u73b0\u7528\u6237\u65e0\u6cd5\u767b\u9646\u7b49\u60c5\u51b5\uff0c\u53ef\u80fd\u662f\u7f13\u5b58\u670d\u52a1 NSCD \u5bfc\u81f4\u7684\uff0c\u5177\u4f53\u53c2\u8003 LDAP Users \u548c Groups\uff1a
"},{"location":"workflow/mirrors/maintenance/","title":"\u5f00\u6e90\u8f6f\u4ef6\u955c\u50cf\u7ad9\u7ef4\u62a4\u65b9\u5f0f","text":"\u79d1\u5927\u5f00\u6e90\u8f6f\u4ef6\u955c\u50cf\u7ad9\u662f LUG \u6700\u91cd\u8981\u7684\u670d\u52a1\u4e4b\u4e00\uff0c\u56e0\u6b64\u7ef4\u62a4\u64cd\u4f5c\u5fc5\u987b\u8c28\u614e\u3002
"},{"location":"workflow/mirrors/maintenance/#_2","title":"\u91cd\u542f\u7cfb\u7edf","text":"\u7531\u4e8e mirrors \u670d\u52a1\u91cf\u5927\uff0c\u91cd\u542f\u5e94\u63d0\u524d\u5728 LUG \u670d\u52a1\u5668\u65b0\u95fb\u7ad9 \u53d1\u5e03\u516c\u544a\u3002
"},{"location":"workflow/mirrors/maintenance/#_3","title":"\u5b89\u88c5\u66f4\u65b0","text":""},{"location":"workflow/mirrors/maintenance/#_4","title":"\u666e\u901a\u66f4\u65b0","text":"\u591a\u6570\u66f4\u65b0\u53ef\u4ee5\u76f4\u63a5\u4ece apt \u6e90\u5b89\u88c5\uff0c\u4f46\u662f\u90e8\u5206\u8f6f\u4ef6\u5e76\u975e\u6765\u81ea Debian \u5b98\u65b9\u4ed3\u5e93\uff08\u4f8b\u5982 OpenResty\uff09\uff0c\u56e0\u6b64\u66f4\u65b0\u7b56\u7565\u53ef\u80fd\u4e0d\u50cf Debian \u90a3\u4e48\u7a33\u5b9a\u3002\u5982\u679c\u9047\u5230\u63d0\u793a\u914d\u7f6e\u6587\u4ef6\u51b2\u7a81\uff0c\u8bf7\u5c3d\u91cf\u9009\u62e9 3-way merge\uff0c\u5982\u679c\u5931\u8d25\u7684\u8bdd\u53ef\u4ee5\u5148 keep local version\uff0c\u7136\u540e\u624b\u52a8\u89e3\u51b3\u5408\u5e76\u51b2\u7a81\u3002
"},{"location":"workflow/mirrors/maintenance/#_5","title":"\u5185\u6838\u66f4\u65b0","text":"mirrors \u4f7f\u7528\u4e86\u5185\u6838\u6a21\u5757\u63d0\u4f9b\u4e00\u4e9b\u529f\u80fd\u652f\u6301\uff0c\u5982 ZFS\u3002\u56e0\u6b64\u53ea\u8981\u66f4\u65b0\u4e86\u5185\u6838\uff0c\u5c31\u4e00\u5b9a\u8981\u6ce8\u610f\u5185\u6838\u6a21\u5757\u662f\u5426\u5b89\u88c5\u6210\u529f\uff0c\u5982\u679c apt \u5b89\u88c5\u5931\u8d25\u53ef\u4ee5\u624b\u52a8\u8fd0\u884c dkms autoinstall
\uff0c\u4ee5\u786e\u4fdd\u65b0\u5185\u6838\u91cd\u542f\u65f6\u80fd\u6b63\u786e\u52a0\u8f7d\u5fc5\u987b\u7684\u5185\u6838\u6a21\u5757\u3002
\u5730\u5740\u6682\u65e0\uff0c\u4e00\u822c\u7528\u6d4f\u89c8\u5668\u76f4\u63a5\u8bbf\u95ee\u5c31\u884c\u4e86\u3002\u5982\u679c\u9700\u8981\u63a5\u5165\u7ec8\u7aef\uff0cDashboard \u5de6\u8fb9\u7684 Remote Control \u6709 Launch \u6309\u94ae\u3002\u5982\u679c\u6d4f\u89c8\u5668\u4e0d\u652f\u6301 Java \u5c31\u4f1a\u4e0b\u8f7d\u4e00\u4e2a jviewer.jnlp
\uff0c\u81ea\u884c\u89e3\u51b3 Java \u7684\u5b89\u5168\u8b66\u544a\u5373\u53ef\u4f7f\u7528\u3002
\u5f53\u7136\u5982\u679c\u4f1a\u7528 ipmitool
\u66f4\u597d\uff0c\u90a3\u8fd9\u4e00\u6bb5\u7684\u8bf4\u660e\u5c31\u4ea4\u7ed9\u4f60\u6765\u8865\u5145\u4e86 :)
ipmitool
\u7b80\u4ecb","text":"\u5c3d\u7ba1\u51e0\u4e4e\u6211\u4eec\u673a\u5668\u7684 IPMI \u90fd\u6709 Web \u754c\u9762\uff0c\u4f46\u662f Web \u754c\u9762\u4e0d\u4e00\u5b9a\u9760\u8c31\uff0c\u53ef\u80fd\u4f1a\u51fa\u73b0\u6545\u969c\u3002\u6b64\u65f6\uff0c\u6211\u4eec\u53ef\u4ee5\u4f7f\u7528 ipmitool
\u91cd\u7f6e IPMI \u7684\u72b6\u6001\uff08\u7cfb\u7edf\u914d\u7f6e\u4e0d\u4f1a\u6539\u53d8\uff09
\u53c2\u8003\u547d\u4ee4\uff1a
# \u4e00\u90e8\u5206 IPMI \u7684 interface \u662f lanplus \u800c\u4e0d\u662f lan\uff0c\u6bd4\u5982\u8bf4 mirrors3\nipmitool -I lan -H IPMI\u7684IP -U \u7528\u6237\u540d -a mc reset cold\n
\u5177\u4f53\u8be6\u60c5\u53ef\u4ee5\u770b ipmitool
\u7684 manpage\u3002
\u53e6\u5916:
Documentation for LUG @ USTC technical infrastructure.
"},{"location":"#layout","title":"Layout","text":"Our documentation is divided into these sections, as laid out on the left navigation menu:
Proxmox \u4f7f\u7528 Ubuntu kernel\uff0c\u4f46\u662f Ubuntu kernel \u7684 apparmor \u76f8\u6bd4\u4e8e Debian kernel \u6dfb\u52a0\u4e86\u4e00\u4e9b feature\uff0c\u8bf8\u5982 Unix socket \u7ba1\u7406\u3002Debian \u7684 apparmor \u5305\u7684 /etc/apparmor/parser.conf
\u9ed8\u8ba4\u914d\u7f6e\u9650\u5236\u4e86\u529f\u80fd\u96c6\u5408\uff1a
## Pin feature set (avoid regressions when policy is lagging behind\n## the kernel)\npolicy-features=/usr/share/apparmor-features/features\n
Proxmox \u7684 lxc \u652f\u6301\u5305\u4f1a\u8986\u76d6 /usr/share/apparmor-features/features
\u4e3a Ubuntu \u7684\u7248\u672c\uff0c\u4f46\u662f\u5982\u679c\u53ea\u5b89\u88c5 Proxmox/Ubuntu kernel\uff0c\u5bf9\u5e94\u7684 features \u6587\u4ef6\u5c31\u4e0d\u5305\u542b Unix socket \u652f\u6301\uff0c\u8fd9\u4f1a\u76f4\u63a5\u5bfc\u81f4 Docker \u7b49\u7a0b\u5e8f\u5185\u90e8\u65e0\u6cd5\u521b\u5efa unix socket \u7b49\u3002
\u4e00\u4e2a workaround \u662f\u6ce8\u91ca\u6389 /etc/apparmor/parser.conf
\u7684\u5bf9\u5e94\u884c\u3002
\u540e\u7eed\u8c03\u67e5\u53d1\u73b0 lxc-pve
\u6253\u5305\u4e86\u81ea\u5df1\u7684 /usr/share/apparmor-features/features
\u5e76\u8986\u76d6\u4e86 Debian \u7684\u7248\u672c\uff0c\u56e0\u6b64\u6211\u4eec\u6a21\u4eff lxc-pve
\u7684\u505a\u6cd5\u628a Debian \u7684\u7248\u672c\u8986\u76d6\u6389\uff0c\u7136\u540e\u4e0b\u8f7d Proxmox \u7684\u7248\u672c\uff1a
dpkg-divert --package lxc-pve --rename --divert /usr/share/apparmor-features/features.stock --add /usr/share/apparmor-features/features\nwget -O /usr/share/apparmor-features/features https://github.com/proxmox/lxc/raw/master/debian/features\n
"},{"location":"faq/dns/","title":"DNS \u57df\u540d\u89e3\u6790\u95ee\u9898","text":""},{"location":"faq/dns/#wrong-dns-result","title":"\u9519\u8bef\u7684\u89e3\u6790\u7ed3\u679c","text":"\u6211\u4eec\u7684 DNS \u662f\u5206\u6821\u5185\u5916\u3001\u5206 ISP \u89e3\u6790\u7684\u3002\u6709\u65f6\u5019\u4f1a\u9047\u5230\u6821\u5185\u8bbf\u95ee\u89e3\u6790\u5230\u6821\u5916\uff0c\u53ef\u80fd\u7684\u539f\u56e0\u662f
/etc/resolv.conf
\u987a\u5e8f\u4e0d\u5bf9
iBug \u5728 2020 \u5e74 5 \u6708 21 \u65e5\u4fee\u4e86 gw-el \u548c mirrors2\uff0c\u8fd9\u4e24\u4e2a\u673a\u5668\u4e0a\u539f\u5148\u6392\u5728\u6700\u524d\u9762\u7684 nameserver \u5c31\u662f 8.8.4.4 \u6216\u8005 1.1.1.1 \u4e4b\u7c7b\u7684
\u6211\u4eec\u7684\u6743\u5a01\u670d\u52a1\u5668\u4e24\u4e2a\u5728\u6821\u5185\u4e00\u4e2a\u5728\u56fd\u5185\uff0c\u56e0\u6b64\u6821\u5185\u673a\u5668\u5e94\u8be5\u4f18\u5148\u4ece\u6821\u5185\u89e3\u6790\u3002\u628a 202.38.64.1 / 2001:da8:d800::1\uff08\u5b66\u6821\u7684 DNS\uff09\u653e\u6700\u524d\u9762\u80af\u5b9a\u6ca1\u9519
\u5982\u679c IPv4 \u89e3\u6790\u6b63\u786e\u4f46\u662f IPv6 \u8fd8\u662f\u89e3\u6790\u5230\u6821\u5916\u7684\u8bdd\uff0c
/etc/resolv.conf
\u7f3a\u5c11 IPv6 \u6761\u76ee
taoky \u5728 2020 \u5e74 5 \u6708 29 \u65e5\u53d1\u73b0\u7684\uff0cmirrors2 \u4e0a\u8bbf\u95ee servers.ustclug.org \u8fd4\u56de Cloudflare \u7684 522 \u9519\u8bef\u9875\u9762\uff08\u6b64\u65f6\u65e5\u672c\u53cd\u4ee3\u6302\u6389\u4e86\uff09\uff0c\u7ecf\u67e5\u5c3d\u7ba1 IPv4 \u6b63\u786e\u89e3\u6790\u5230\u4e86 gw-el \u4e0a\uff0c\u4f46\u662f IPv6 \u8fd8\u662f\u89e3\u6790\u5230\u4e86 Cloudflare \u4e0a\uff0c\u4e14 nslookup \u548c dig \u7b49\u5de5\u5177\u8f93\u51fa\u770b\u8d77\u6765\u90fd\u662f\u5bf9\u7684\u3002
\u6392\u67e5\u53d1\u73b0 /etc/resolv.conf
\u91cc\u6ca1\u6709 IPv6 \u7684\u670d\u52a1\u5668\u6761\u76ee\uff0c\u5728\u9760\u524d\u7684\u4f4d\u7f6e\u63d2\u5165 nameserver 2001:da8:d800::1
\u540e\u89e3\u51b3\u3002
\u624b\u52a8\u6e05\u7a7a\u672c\u673a\u7684 DNS \u7f13\u5b58\uff1anscd -i hosts
\u6709\u65f6\u5019\u53ef\u80fd\u4f1a\u5728 DNS \u66f4\u65b0\u540e\u968f\u673a\u89e3\u6790\u51fa\u65b0\u65e7\u7ed3\u679c\uff0c\u53ef\u80fd\u7684\u539f\u56e0\u662f
ns-a \u6ca1\u66f4\u65b0
ns-a \u673a\u5668\u6bd4\u8f83\u8001\u65e7\uff0c\u7f51\u7edc\u53ef\u80fd\u4e0d\u987a\u7545\uff0c\u624b\u52a8\u628a ns-a \u66f4\u65b0\u4e00\u4e0b\u5c31\u884c\u4e86\uff08
"},{"location":"faq/docker/","title":"Docker \u76f8\u5173\u95ee\u9898","text":""},{"location":"faq/docker/#debian-11-aufs","title":"Debian 11 \u4e2d\u4e0d\u518d\u652f\u6301 aufs","text":"\u4ece Debian 10 \u5347\u7ea7\u5230 Debian 11 \u65f6\uff0caufs-dkms
\u4e0d\u518d\u5305\u542b\u5728\u65b0\u5185\u6838\u4e2d\uff1a
aufs-dkms \u8f6f\u4ef6\u5305\u5c06\u4e0d\u4f5c\u4e3a bullseye \u7684\u4e00\u90e8\u5206\u51fa\u73b0\u3002\u5927\u591a\u6570 aufs-dkms \u7528\u6237\u5e94\u5f53\u5207\u6362\u81f3 overlayfs\uff0c\u540e\u8005\u63d0\u4f9b\u4e86\u76f8\u4f3c\u7684\u529f\u80fd\u4e14\u5177\u6709\u5185\u6838\u7684\u652f\u6301\u3002\u7136\u800c\uff0c\u67d0\u4e9b Debian \u5b89\u88c5\u5b9e\u4f8b\u53ef\u80fd\u4f7f\u7528\u4e86\u4e0d\u517c\u5bb9 overlayfs \u7684\u6587\u4ef6\u7cfb\u7edf\uff0c\u5982\u4e0d\u5e26\u6709 d_type \u7684 xfs\u3002\u6211\u4eec\u5efa\u8bae\u9700\u8981\u4f7f\u7528 aufs-dkms \u7684\u7528\u6237\u5728\u5347\u7ea7\u81f3 bullseye \u4e4b\u524d\u5148\u8fdb\u884c\u8fc1\u79fb\u3002
(https://www.debian.org/releases/bullseye/amd64/release-notes/ch-information.zh-cn.html)
\u5bf9\u4e8e\u8001\u673a\u5668\u6765\u8bf4\u9700\u8981\u63d0\u524d\u786e\u8ba4 Docker \u7684 storage driver\uff1a
$ sudo docker info\n// ...\nServer:\n // ...\n Storage Driver: overlay2\n Backing Filesystem: extfs\n Supports d_type: true\n Native Overlay Diff: true\n userxattr: false\n
\u8fd9\u91cc\u5982\u679c\u662f overlay2 \u90a3\u4e48\u5c31\u6ca1\u95ee\u9898\uff0c\u5982\u679c\u662f aufs \u7684\u8bdd\u5c31\u9700\u8981\u63d0\u524d\u786e\u8ba4\uff0c\u56e0\u4e3a\u5207\u6362\u5230 overlay2 \u4e4b\u540e\u73b0\u6709\u7684\u5bb9\u5668\u548c\u5bb9\u5668\u955c\u50cf\u90fd\u4f1a\u4e22\u5931\uff0c\u9700\u8981\u91cd\u65b0\u521b\u5efa\u3002\u6240\u4ee5\u9700\u8981\u786e\u4fdd\u5bb9\u5668\uff08container\uff09\u548c\u955c\u50cf\uff08image\uff09\u662f\u53ef\u590d\u73b0\u7684\u3002
\u5728\u5347\u7ea7\u7cfb\u7edf\u540e\uff0c\u7f16\u8f91 /etc/docker/daemon.json
\uff0c\u52a0\u4e0a\uff1a
\"storage-driver\": \"overlay2\"\n
\u7136\u540e\u542f\u52a8 docker\uff0c\u91cd\u65b0\u521b\u5efa\u5bb9\u5668\u3002
"},{"location":"faq/ldap/","title":"LDAP \u5957\u4ef6\u95ee\u9898","text":""},{"location":"faq/ldap/#gosa","title":"GOsa \u95ee\u9898","text":"User \u754c\u9762\u6253\u5f00\u65f6\u62a5\u9519
\u5982\u679c\u5728 GOsa \u4e2d\u521b\u5efa\u4e86\u4e00\u4e2a\u65b0\u7528\u6237\uff0c\u5374\u6ca1\u6709\u5728\u6700\u540e\u4e3a\u4ed6\u8bbe\u7f6e\u5bc6\u7801\uff0c\u5c31\u4f1a\u51fa\u73b0\u6b64\u95ee\u9898\uff0c\u6253\u5f00 User \u754c\u9762\u540e\u4f1a\u6709\u62a5\u9519\uff1a
Fatal error: Uncaught ArgumentCountError: Too few arguments to function userManagement::filterLockLabel(), 0 passed in /usr/share/gosa/include/class_listing.inc on line 856 and exactly 1 expected in /usr/share/gosa/plugins/admin/users/class_userManagement.inc:856\nStack trace:\n#0 /usr/share/gosa/include/class_listing.inc(856): userManagement::filterLockLabel()\n#1 /usr/share/gosa/include/class_listing.inc(980): listing->processElementFilter('%{filter:lockLa...', Array, 50)\n#2 /usr/share/gosa/include/class_listing.inc(853): listing->filterActions('cn=...,ou=...', 50, Array)\n#3 /usr/share/gosa/include/class_listing.inc(764): listing->processElementFilter('%{filter:action...', Array, 50)\n#4 /usr/share/gosa/include/class_listing.inc(407): listing->renderCell('%{filter:action...', Array, 50)\n#5 /usr/share/gosa/include/class_management.inc(233): listing->render()\n#6 /usr/share/gosa/include/class_management.inc(222): management->renderList()\n#7 /usr/share/gosa/plugins/admin/users/main.inc(44): management->execute()\n#8 /usr/sh in /usr/share/gosa/plugins/admin/users/class_userManagement.inc on line 856\n
\u8fd9\u662f\u56e0\u4e3a GOsa \u65e0\u6cd5\u8bfb\u53d6\u5230\u7528\u6237\u5bc6\u7801\u7684 Hash\uff0c\u800c LDAP \u5374\u5141\u8bb8\u7528\u6237\u6ca1\u6709\u5bc6\u7801\u3002 \u53ea\u9700\u4e3a\u65b0\u7684\u7528\u6237\u8bbe\u7f6e\u5bc6\u7801\u6216\u5220\u9664\u65b0\u7684\u7528\u6237\u5373\u53ef\u3002
\u65b0\u7248 GOsa \u65e0\u6cd5\u521b\u5efa/\u4fee\u6539\u7528\u6237
\u8868\u73b0\u4e3a\u62a5\u9519 Uncaught ReflectionException: Property LDAP::$count does not exist
\u3002
\u53c2\u89c1 Debian bug #1077759
\u4e34\u65f6\u89e3\u51b3\u65b9\u6cd5\uff1a\u4fee\u6539 /usr/share/gosa/plugins/personal/generic/class_user.inc
\uff0c\u5c06 1357 \u884c $ldap->cat($ldap->count)
\u4fee\u6539\u4e3a $ldap->cat($this->new_dn)
\uff0c\u4e14\u6ce8\u91ca\u6389\u4e0b\u4e00\u4e2a if
\u8bed\u53e5\uff08if ($ldap->count != 0
\u5f00\u5934\uff09\u3002
Slapd \u662f OpenLDAP \u7684\u670d\u52a1\u7aef daemon\u3002\u6b63\u5e38\u60c5\u51b5\u4e0b\u4e0d\u9700\u8981\u78b0\uff0c\u4f46\u662f\u5982\u679c\u8981\u78b0\u7684\u65f6\u5019\uff0c\u4f60\u4f1a\u53d1\u73b0\u5b83\u7684\u914d\u7f6e\u6781\u5176\u590d\u6742\u9ebb\u70e6\u3002
\u4fee\u6539\u524d\u4e00\u5b9a\u8981\u5148\u6253\u865a\u62df\u673a\u5feb\u7167\uff01\uff01\uff01
\u5c0f\u5fc3\u5ef6\u6bd5
"},{"location":"faq/ldap/#migrate-hdb-to-mdb","title":"Migrate hdb to mdb","text":"slapd-hdb
\u5728 Debian 11 \u5373\u5c06\u88ab deprecate\uff0c\u6240\u4ee5\u5728 2021/08/15 \u7ec4\u7ec7\u4e86\u4e00\u6b21 migrate\u3002
\u7f51\u4e0a\u8d44\u6599\u5f88\u5c11\uff0c\u53c2\u8003\u4e86\uff1a
\u6b65\u9aa4\uff1a
slapcat -v -l dump.ldif
/etc/ldap
\u4ee5\u53ca /var/lib/ldap
/etc/ldap/slapd.d
\u4ee5\u53ca /var/lib/ldap
\u5220\u6389\uff08\u6216\u8005\u6539\u540d\uff09dpkg-reconfigure slapd
/tmp/ldapconvert
\u76ee\u5f55\uff0c\u8fd0\u884c slaptest -f /etc/ldap/convert.conf -F /tmp/ldapconvert
/etc/ldap/slapd.d/cn=config/cn=schema/
\u4e0b\u7684\u6587\u4ef6\uff0c\u5c06 /tmp/ldapconvert/slapd.d/cn=config/cn=schema/
\u4e0b\u7684\u6587\u4ef6\u590d\u5236\u5230 /etc/ldap/slapd.d/cn=config/cn=schema/
\u5c06 slapd.d \u5907\u4efd\u4e2d cn=config/cn=schema/
\u7684\u6587\u4ef6\u590d\u5236\u5230\u65b0\u7684 slapd.d
\u5bf9\u5e94\u7684\u76ee\u5f55\u4e0b\uff0c\u5e76\u4e14\u4fee\u6539 owner \u4e3a openldap:openldap
slapd
\uff0c\u5982\u679c\u542f\u52a8\u5931\u8d25\uff0c\u770b systemctl status slapd
\u7684\u65e5\u5fd7\u8f93\u51fa debug\u3002slapadd -l dump.ldif
\u3002\u6ce8\u610f\uff0cmdb \u6ca1\u6709\u4e8b\u52a1\uff01\u5982\u679c\u4e2d\u95f4\u51fa\u9519\u4e86\uff0c\u6392\u67e5\u95ee\u9898\u540e\uff0c\u6e05\u7a7a /var/lib/ldap
\uff0c\u91cd\u542f slapd
\u91cd\u6765\u3002\u6062\u590d\u6210\u529f\u540e\uff0c\u6709\u4e9b\u914d\u7f6e\u9700\u8981\u624b\u52a8\u8bbe\u7f6e\uff1a
TLS/SSL
# ldapmodify -H ldapi:/// -Y EXTERNAL << EOF\n> dn: cn=config\n> changetype: modify\n> replace: olcTLSCertificateFile\n> olcTLSCertificateFile: /etc/ldap/ssl/slapd-server.crt\n> -\n> replace: olcTLSCACertificateFile\n> olcTLSCACertificateFile: /etc/ldap/ssl/slapd-ca-cert.pem\n> -\n> replace: olcTLSCertificateKeyFile\n> olcTLSCertificateKeyFile: /etc/ldap/ssl/slapd-server.key\n>\n> EOF\n
\u52a0\u8f7d pw-sha2.la\uff08\u82e5\u4f7f\u7528 ssha512/256 \u5219\u9700\u8981\u52a0\u8f7d\uff09
# ldapmodify -H ldapi:/// -Y EXTERNAL << EOF\n> dn: cn=module,cn=config\n> cn: module\n> objectClass: olcModuleList\n> olcModulePath: /usr/lib/ldap/\n> olcModuleLoad: pw-sha2.la\n>\n> EOF\n
\u4e3a sudoUser \u8bbe\u7f6e index
# ldapadd -Y EXTERNAL -H ldapi:/// << EOF\n> dn: olcDatabase={1}mdb,cn=config\n> changetype: modify\n> add: olcDbIndex\n> olcDbIndex: sudoUser eq,sub\n>\n> EOF\n
\u66f4\u6539\u9ed8\u8ba4\u5bc6\u7801\u5b58\u50a8\u9009\u9879\uff08\u53ef\u9009\uff09
\u66f4\u6539\u4e3a crypt/yescrypt
# ldapmodify -Y EXTERNAL -H ldapi:/// << EOF\n> dn: olcDatabase={-1}frontend,cn=config\n> add: olcPasswordHash\n> olcPasswordHash: {CRYPT}\n> \n> dn: cn=config\n> add: olcPasswordCryptSaltFormat\n> olcPasswordCryptSaltFormat: $y$j9T$%s\n
\u66f4\u6539\u4e3a ssha512\uff08\u9700\u8981 pw-sha2.la\uff0c\u4e5f\u53ef\u53c2\u7167\u4e0a\u8ff0 yescrypt \u7684\u914d\u7f6e\u66f4\u6539\u4e3a crypt/ssha512\uff09
# ldapmodify -Y EXTERNAL -H ldapi:/// << EOF\n> dn: olcDatabase={-1}frontend,cn=config\n> add: olcPasswordHash\n> olcPasswordHash: {SSHA512}\n
\u5982\u679c\u62a5\u9519\u5df2\u7ecf\u5b58\u5728\uff0c\u53ef\u4ee5\u7528 replace \u9009\u9879\uff0c\u4ee5 crypt/yescrypt \u4e3a\u4f8b\uff1a
# ldapmodify -Y EXTERNAL -H ldapi:/// << EOF\n> dn: olcDatabase={-1}frontend,cn=config\n> changetype: modify\n> replace: olcPasswordHash\n> olcPasswordHash: {CRYPT}\n> \n> dn: cn=config\n> changetype: modify\n> replace: olcPasswordCryptSaltFormat\n> olcPasswordCryptSaltFormat: $y$j9T$%s\n
\u6ce8\u610f\u5728\u4f7f\u7528\u4e0a\u8ff0 hash \u65b9\u5f0f\u7684\u65f6\u5019\u8fdb\u5165 gosa \u7528\u6237\u9875\u9762\u65f6\u53ef\u80fd\u4f1a\u62a5\u9519 Cannot find a suitable password method for the current hash
lastbind \u7528\u4e8e\u5728\u7528\u6237\u767b\u5f55\u65f6\u767b\u8bb0\u65f6\u95f4\u6233\uff0c\u4ee5\u65b9\u4fbf\u786e\u8ba4\u54ea\u4e9b\u7528\u6237\u957f\u65f6\u95f4\u6ca1\u6709\u767b\u5f55\uff0c\u4fbf\u4e8e\u6e05\u7406\u3002\u7531\u4e8e\u6211\u4eec\u4f7f\u7528 OLC (cn=config) \u914d\u7f6e\uff0c\u7f51\u7edc\u8d44\u6599\u4e0d\u591a\uff0c\u7279\u6b64\u8bb0\u5f55\u3002
\u52a0\u8f7d\u6a21\u5757
dn: cn=module{0},cn=config\nchangetype: modify\nadd: olcModuleLoad\nolcModuleLoad: lastbind.la\n
\u4fdd\u5b58\u5230 load_lastbind.ldif
\uff0c\u7136\u540e\uff1a
$ sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f load_lastbind.ldif\nSASL/EXTERNAL authentication started\nSASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\nSASL SSF: 0\nmodifying entry \"cn=module{0},cn=config\"\n
\u6dfb\u52a0 lastbind overlay
dn: olcOverlay=lastbind,olcDatabase={1}mdb,cn=config\nobjectClass: olcLastBindConfig\nobjectClass: olcOverlayConfig\nolcOverlay: lastbind\nolcLastBindPrecision: 60\n
\u4fdd\u5b58\u5230 add_lastbind.ldif
\uff0c\u7136\u540e\uff1a
$ sudo ldapadd -Y EXTERNAL -H ldapi:/// -f add_lastbind.ldif\nSASL/EXTERNAL authentication started\nSASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\nSASL SSF: 0\nadding new entry \"olcOverlay=lastbind,olcDatabase={1}mdb,cn=config\"\n
\u53ef\u4ee5\u4f7f\u7528 ldapsearch
\u83b7\u53d6\u7528\u6237\u7684 authTimestamp
\u3002\u4ece\u672a\u767b\u5f55\u8fc7\u7684\u7528\u6237\u65e0\u8bb0\u5f55\uff1a
sudo ldapsearch -x -LLL -H ldapi:/// -b \"dc=lug,dc=ustc,dc=edu,dc=cn\" \"(authTimestamp=*)\" dn authTimestamp\n
"},{"location":"faq/nginx/","title":"Nginx \u76f8\u5173\u914d\u7f6e","text":""},{"location":"faq/nginx/#git-host-specific","title":"\u4f7f\u7528 Git \u540c\u6b65\u914d\u7f6e\uff0c\u4f46\u9700\u8981 host-specific \u7684\u914d\u7f6e","text":"$hostname
\u53ef\u4ee5\u5728\u5408\u9002\u7684\u5730\u65b9\u7528\u6765 if \u6216\u8005 map\uff0c\u4f46\u662f\u5728\u8fd9\u4e2a\u529e\u6cd5\u4e0d\u9876\u7528\u7684\u65f6\u5019\uff08\u4f8b\u5982\uff0cresolver
\u4e0d\u652f\u6301\u53d8\u91cf\uff09\u5c31\u53ea\u80fd\u7528\u4e0b\u9762\u8fd9\u4e2a\u7b28\u529e\u6cd5\u4e86\u3002.gitignore
\uff0c\u7136\u540e\u5728\u5408\u9002\u7684\u4f4d\u7f6e\u7559\u4e0b\u4e00\u4e2a README\u3002\u5728\u9ed8\u8ba4\u8bbe\u7f6e\u4e2d\uff0cnginx \u7684\u6700\u5927\u6587\u4ef6\u6253\u5f00\u6570\u4e0a\u9650\u5e76\u4e0d\u5927\u3002\u5f53\u6709\u5927\u91cf\u8bbf\u95ee\u65f6\uff0c\u6587\u4ef6\u6253\u5f00\u6570\u53ef\u80fd\u4f1a\u8d85\u8fc7\u9650\u989d\uff0c\u5bfc\u81f4\u7f51\u7ad9\u54cd\u5e94\u7f13\u6162\u3002\u5728\u65b0\u914d\u7f6e\u670d\u52a1\u5668\u65f6\uff0c\u8fd9\u4e00\u9879\u8bbe\u7f6e\u5f88\u5bb9\u6613\u88ab\u5ffd\u7565\u6389\u3002
\u89e3\u51b3\u65b9\u6cd5\uff1a
sudo systemctl edit nginx.service
\uff08\u90e8\u5206\u673a\u5668\u4e0a\u7684\u670d\u52a1\u540d\u53ef\u80fd\u4e3a openresty.service
\uff09[Service]
\u4e0b\u65b9\u6dfb\u52a0 LimitNOFILE=524288
\uff08\u89c6\u60c5\u51b5\u8fd9\u4e2a\u503c\u53ef\u4ee5\u76f8\u5e94\u8c03\u6574\uff09/tmp/mem
\u8def\u5f84","text":"\u66f4\u65b0
\u6211\u4eec\u5df2\u4e0d\u518d\u5728 nginx.conf \u91cc\u4f7f\u7528 /tmp/mem
\u4e86\uff0c\u4ee5\u4e0b\u5185\u5bb9\u4ec5\u4f5c\u5b58\u6863\u3002
\u9519\u8bef\u8868\u73b0\u662f systemctl start nginx.service
\u5931\u8d25\uff0c\u4f7f\u7528 status \u6216 journalctl \u53ef\u4ee5\u770b\u5230\u4ee5\u4e0b\u4fe1\u606f\uff1a
[emerg] mkdir() \"/tmp/mem/nginx_temp\" failed (2: No such file or directory)\n
\u8fd9\u662f\u56e0\u4e3a\u6211\u4eec\u7684 nginx.conf
\u4e2d\u94a6\u70b9\u4e86 proxy_temp /tmp/mem/nginx_temp
\uff0c\u800c /tmp/mem
\u662f\u6211\u4eec\u81ea\u5df1\u5efa\u7684\u4e00\u4e2a tmpfs \u6302\u8f7d\u70b9\uff0c\u5b83\u4e0d\u662f\u4efb\u4f55\u53d1\u884c\u7248\u7684\u9ed8\u8ba4\u914d\u7f6e\uff0c\u6240\u4ee5\u65b0\u88c5\u7684\u7cfb\u7edf\u5982\u679c\u76f4\u63a5 pull \u4e86\u8fd9\u4efd nginx config \u5c31\u4f1a\u62a5\u4ee5\u4e0a\u9519\u8bef\u3002
\uff08\u4f7f\u7528 /tmp/mem
\u7684\u539f\u56e0\u662f\uff0c\u7531\u4e8e nginx \u53cd\u4ee3\u9700\u8981\u9891\u7e41\u8bfb\u5199\u4e34\u65f6\u6587\u4ef6\uff0c\u4e3a\u4e86\u51cf\u5c11\u78c1\u76d8 IO \u5360\u7528\uff0c\u6545\u5c06\u5176\u4e34\u65f6\u6587\u4ef6\u653e\u5165\u5185\u5b58\u4e2d\uff09
\u6b63\u786e\u7684\u89e3\u51b3\u65b9\u6cd5\u662f\u8865\u4e0a\u5bf9\u5e94\u7684 fstab \u884c\uff1a
tmpfs /tmp/mem tmpfs 0 0\n
\u5982\u679c\u521b\u5efa/\u6302\u8f7d\u4e86 /tmp/mem \u540e\uff0c\u542f\u52a8\u4ecd\u7136\u51fa\u9519\uff0c\u5219\u9700\u8981\u68c0\u67e5 openresty.service/nginx.service \u6587\u4ef6\u4e2d\u662f\u5426\u5305\u542b PrivateTmp=yes
\u3002\u5982\u679c\u5305\u542b\uff0c\u5219\u9700\u8981 systemctl edit
\uff0c\u5c06\u6b64\u9879\u8bbe\u7f6e\u4e3a false
\u3002
fstab \u4e0e systemd
\u8c03\u6574 fstab \u4e4b\u540e\uff0c\u9700\u8981\u6267\u884c systemctl daemon-reload
\uff0c\u5426\u5219 systemd \u53ef\u80fd\u4f1a\u5728\u7b2c\u4e8c\u65e5\u51cc\u6668\u6302\u8f7d\u5df2\u88ab\u6ce8\u91ca\u7684\u78c1\u76d8\u9879\u3002
\u8fd9\u91cc\u5173\u6ce8\u4e09\u4e2a\u76f8\u5173\u7684\u6b65\u9aa4\uff1aaccess_by
, log_by
\u548c header_filter_by
\uff0c\u4ee5\u53ca ngx.ctx
\u548c ngx.var
\u7684\u6ce8\u610f\u4e8b\u9879\u3002
\u6d4b\u8bd5\u7528 server \u5757\uff1a
server {\n listen 80 default_server;\n listen [::]:80 default_server;\n\n root /var/www/html;\n\n index index.html index.htm index.nginx-debian.html;\n\n server_name _;\n\n set $testvar \"\";\n access_by_lua_file /etc/nginx/lua/access.lua;\n header_filter_by_lua_file /etc/nginx/lua/header_filter.lua;\n log_by_lua_file /etc/nginx/lua/log.lua;\n\n location / {\n try_files $uri $uri/ =404;\n }\n\n location /lua-test0 {\n return 302 /lua-test1;\n }\n\n location /lua-test1 {\n return 200;\n }\n\n location /lua-test2 {\n try_files $uri $uri/ @internal1;\n }\n\n location @internal1 {\n return 418;\n }\n}\n
\u4e09\u4e2a lua:
/etc/nginx/lua/access.lualocal ctx = ngx.ctx\nctx.testvar = \"testvar\"\nngx.var.testvar = \"testvar\"\nngx.log(ngx.ERR, \"ctx \", ctx.testvar)\nngx.log(ngx.ERR, \"var \", ngx.var.testvar)\n
/etc/nginx/lua/header_filter.lualocal ctx = ngx.ctx\n\nngx.log(ngx.ERR, \"ctx \", ctx.testvar)\nngx.log(ngx.ERR, \"var \", ngx.var.testvar)\n
/etc/nginx/lua/log.lualocal ctx = ngx.ctx\n\nngx.log(ngx.ERR, \"ctx \", ctx.testvar)\nngx.log(ngx.ERR, \"var \", ngx.var.testvar)\n
"},{"location":"faq/nginx/#rewritereturn-access_by","title":"rewrite/return \u4e0e access_by","text":"\u8bbf\u95ee localhost/lua-test0 \u6216\u8005 localhost/lua-test1\uff0c\u6ca1\u6709 access.lua \u7684\u8f93\u51fa\uff1a
2024/07/22 02:50:16 [error] 9465#9465: *12 [lua] header_filter.lua:3: ctx nil, client: 127.0.0.1, server: _, request: \"GET /lua-test0 HTTP/1.1\", host: \"localhost\"\n2024/07/22 02:50:16 [error] 9465#9465: *12 [lua] header_filter.lua:4: var nil, client: 127.0.0.1, server: _, request: \"GET /lua-test0 HTTP/1.1\", host: \"localhost\"\n2024/07/22 02:50:16 [error] 9465#9465: *12 [lua] log.lua:3: ctx nil while logging request, client: 127.0.0.1, server: _, request: \"GET /lua-test0 HTTP/1.1\", host: \"localhost\"\n2024/07/22 02:50:16 [error] 9465#9465: *12 [lua] log.lua:4: var nil while logging request, client: 127.0.0.1, server: _, request: \"GET /lua-test0 HTTP/1.1\", host: \"localhost\"\n
\u5982\u679c\u8bbf\u95ee localhost/somefile\uff0c\u662f\u6709\u8f93\u51fa\u7684\uff1a
2024/07/22 03:03:42 [error] 9628#9628: *19 [lua] access.lua:4: ctx testvar, client: 127.0.0.1, server: _, request: \"GET /somefile HTTP/1.1\", host: \"localhost\"\n2024/07/22 03:03:42 [error] 9628#9628: *19 [lua] access.lua:5: var testvar, client: 127.0.0.1, server: _, request: \"GET /somefile HTTP/1.1\", host: \"localhost\"\n2024/07/22 03:03:42 [error] 9628#9628: *19 [lua] header_filter.lua:3: ctx testvar, client: 127.0.0.1, server: _, request: \"GET /somefile HTTP/1.1\", host: \"localhost\"\n2024/07/22 03:03:42 [error] 9628#9628: *19 [lua] header_filter.lua:4: var testvar, client: 127.0.0.1, server: _, request: \"GET /somefile HTTP/1.1\", host: \"localhost\"\n2024/07/22 03:03:42 [error] 9628#9628: *19 [lua] log.lua:3: ctx testvar while logging request, client: 127.0.0.1, server: _, request: \"GET /somefile HTTP/1.1\", host: \"localhost\"\n2024/07/22 03:03:42 [error] 9628#9628: *19 [lua] log.lua:4: var testvar while logging request, client: 127.0.0.1, server: _, request: \"GET /somefile HTTP/1.1\", host: \"localhost\"\n
\u8fd9\u662f\u56e0\u4e3a return
\u8bed\u53e5\u53d1\u751f\u5728 rewrite
\u9636\u6bb5\uff0c\u56e0\u6b64\u8df3\u8fc7\u4e86 access
\u9636\u6bb5\uff0caccess_by_lua_block
\u5c31\u6ca1\u6709\u88ab\u6267\u884c\u3002\u56e0\u6b64 Content phase \u4e2d\u7684\u7a0b\u5e8f\u4e0d\u80fd\u5047\u8bbe access_by \u80af\u5b9a\u88ab\u6267\u884c\u4e86\u3002
ngx.ctx
","text":"https://github.com/openresty/lua-nginx-module?tab=readme-ov-file#ngxctx
\u652f\u6301\u4efb\u610f lua \u6570\u636e\u7ed3\u6784\u7684\uff0c\u4e0e\u5355\u72ec request \u7ed1\u5b9a\u7684\u72b6\u6001\u53d8\u91cf\u3002\u540c\u65f6\u4e5f\u4e0d\u9700\u8981\u50cf ngx.var
\u4e00\u6837\u63d0\u524d set
\u3002
\u5c0f\u5fc3\u5185\u90e8\u8df3\u8f6c
Internal redirects (triggered by nginx configuration directives like error_page
, try_files
, index
and etc) will destroy the original request ngx.ctx
data (if any) and the new request will have an empty ngx.ctx table.
\u8bbf\u95ee localhost/lua-test2\uff08\u5047\u8bbe\u524d\u9762\u7684 try_files
\u5931\u8d25\uff09\uff1a
2024/07/22 03:10:15 [error] 9630#9630: *22 [lua] access.lua:4: ctx testvar, client: 127.0.0.1, server: _, request: \"GET /lua-test2 HTTP/1.1\", host: \"localhost\"\n2024/07/22 03:10:15 [error] 9630#9630: *22 [lua] access.lua:5: var testvar, client: 127.0.0.1, server: _, request: \"GET /lua-test2 HTTP/1.1\", host: \"localhost\"\n2024/07/22 03:10:15 [error] 9630#9630: *22 [lua] header_filter.lua:3: ctx nil, client: 127.0.0.1, server: _, request: \"GET /lua-test2 HTTP/1.1\", host: \"localhost\"\n2024/07/22 03:10:15 [error] 9630#9630: *22 [lua] header_filter.lua:4: var testvar, client: 127.0.0.1, server: _, request: \"GET /lua-test2 HTTP/1.1\", host: \"localhost\"\n2024/07/22 03:10:15 [error] 9630#9630: *22 [lua] log.lua:3: ctx nil while logging request, client: 127.0.0.1, server: _, request: \"GET /lua-test2 HTTP/1.1\", host: \"localhost\"\n2024/07/22 03:10:15 [error] 9630#9630: *22 [lua] log.lua:4: var testvar while logging request, client: 127.0.0.1, server: _, request: \"GET /lua-test2 HTTP/1.1\", host: \"localhost\"\n
\u8fd9\u4e2a\u95ee\u9898\u5bf9\u4e00\u4e9b\u9700\u8981\u5728 access \u4e2d\u505a\u4e00\u4e9b\u4e8b\u60c5\uff0c\u5c06\u72b6\u6001\u5b58\u50a8\u5728 ngx.ctx
\u4e2d\uff0c\u7136\u540e\u5728 header_filter \u6216\u8005 log \u4e2d\u53d6\u6d88\u5bf9\u5e94\u6548\u679c\u7684\u903b\u8f91\uff08\u4f8b\u5982 resty.limit.conn \u5728\u8bbf\u95ee\u7684\u6587\u4ef6\u5f53\u524d\u4e0d\u5b58\u5728\u7684\u60c5\u51b5\u4e0b\uff09\u6765\u8bf4\u662f\u81f4\u547d\u7684\u3002
ngx.var
","text":"https://github.com/openresty/lua-nginx-module?tab=readme-ov-file#ngxvarvariable
\u4f7f\u7528\u6709\u4e00\u4e9b\u9ebb\u70e6\uff1a
ngx.ctx
\u6765\u8bf4\u4f4e\u4e00\u4e9b\uff0c\u5b98\u65b9\u6587\u6863\u4e0d\u5efa\u8bae\u5c06 ngx.var
\u4f7f\u7528\u5230\u5173\u952e\u8def\u5f84\u4e0a\u3002\u4f46\u662f\u76f8\u6bd4\u4e8e ngx.ctx
\uff0c\u6700\u5927\u7684\u4f18\u52bf\u5c31\u662f\u5373\u4f7f\u7ecf\u8fc7\u4e86 internal redirection\uff0cngx.var
\u7684\u5185\u5bb9\u4e5f\u4f1a\u4fdd\u7559\u3002
\u7531\u4e8e ngx.var
\u5176\u672c\u8eab\u4e0d\u9002\u5408\u5b58\u50a8\u590d\u6742\u7684\u7ed3\u6784\uff0c\u7b2c\u4e09\u65b9\u6a21\u5757 (lua-resty-ctxdump, 2-clause BSD license) \u5904\u7406\u8fd9\u4e2a\u95ee\u9898\u7684\u505a\u6cd5\u662f\uff1a\u5c06\u5b9e\u9645\u5185\u5bb9\u4fdd\u5b58\u5728\u6a21\u5757\u5185\u90e8\u7684 memo \u8868\u4e2d\uff0c\u800c\u9700\u8981\u5b58\u50a8\u5728 ngx.var \u91cc\u9762\u7684\u53ea\u662f memo \u8868\u7684 key\uff08\u6570\u5b57\uff09\u3002
OpenResty \u5b98\u65b9\u63a8\u8350\u4f7f\u7528 opm (openresty-opm
) \u7ba1\u7406\u6a21\u5757\u3002\u624b\u52a8\u7ef4\u62a4\u6a21\u5757\u7684\u8bdd\u9700\u8981\u81ea\u884c\u5904\u7406\u914d\u7f6e\uff0c\u5bf9\u5e94\u7684\u662f lua_package_path
\uff08http
\u5757\u5185\uff0c\u5206\u53f7\u5206\u5272\u8def\u5f84\uff0c\u6700\u540e ;;
\u4ee3\u8868\u5185\u7f6e\u7684\u539f\u59cb\u8def\u5f84\uff09\u3002
\u4f8b\u5982\uff1a
lua_package_path \"/etc/nginx/lua/module/?.lua;;\";\n
\u4ee5 https://github.com/tokers/lua-resty-ctxdump/blob/master/lib/resty/ctxdump.lua \u4e3a\u4f8b\uff0c\u4e0b\u8f7d\u5230 /etc/nginx/lua/module/
\u4e0b\u4e4b\u540e\uff0c\u5c31\u53ef\u4ee5\u5728\u5176\u4ed6 lua \u6587\u4ef6\u5185\u4f7f\u7528\u4e86\uff1a
local ctxdump = require \"ctxdump\"\nlocal ctx = ngx.ctx\nctx.testvar = {foo = \"bar\", num = 42}\n-- \u9700\u8981 set $ctx_ref \"\";\nngx.var.ctx_ref = ctxdump.stash_ngx_ctx()\nngx.log(ngx.ERR, \"ctx foo \", ctx.testvar.foo)\nngx.log(ngx.ERR, \"ctx num \", ctx.testvar.num)\nngx.log(ngx.ERR, \"var ctx_ref \", ngx.var.ctx_ref)\n
/etc/nginx/lua/log.lualocal ctxdump = require \"ctxdump\"\nngx.log(ngx.ERR, \"var ctx_ref \", ngx.var.ctx_ref)\nngx.ctx = ctxdump.apply_ngx_ctx(ngx.var.ctx_ref)\nlocal ctx = ngx.ctx\nngx.log(ngx.ERR, \"ctx foo \", ctx.testvar.foo)\nngx.log(ngx.ERR, \"ctx num \", ctx.testvar.num)\n
\u5982\u679c\u6ca1\u6709\u627e\u5230\u6587\u4ef6\uff0c\u62a5\u9519\u4fe1\u606f\u4e2d\u4f1a\u5305\u542b\u6240\u6709\u5c1d\u8bd5\u8fc7\u7684\u8def\u5f84\u3002
"},{"location":"faq/nginx/#_3","title":"\u4ee3\u7801\u590d\u7528\u4e0e\u6a21\u5757\u7f16\u5199","text":"\u6700\u7b80\u5355\u7684\u4ee3\u7801\u590d\u7528\u7684\u65b9\u6cd5\u662f\u4f7f\u7528 loadfile()
\u51fd\u6570\uff0c\u8fd9\u6837\u51e0\u4e4e\u4e0d\u9700\u8981\u4fee\u6539\u4ee3\u7801\u5185\u5bb9\u3002
local f = loadfile(\"/etc/nginx/lua/somefile.lua\")\nif f then\n f()\nelse\n ngx.log(ngx.ERR, \"failed to load somefile.lua\")\nend\n
\u4f46\u662f\u8fd9\u4e48\u505a\u662f\u6ca1\u6709 JIT \u7f13\u5b58\u7684\uff0c\u610f\u5473\u7740\u6bcf\u4e2a\u8bf7\u6c42\u90fd\u9700\u8981\u6574\u4e2a\u52a0\u8f7d\u4e00\u904d\u5bf9\u5e94\u7684\u539f\u59cb lua \u4ee3\u7801\u3002\u4e00\u4e2a\u57fa\u672c\u7684\u6a21\u5757\u7c7b\u4f3c\u4e8e\u4e0b\u9762\u8fd9\u6837\uff1a
local _M = {}\n\nlocal function some_internal_func(a)\n return a + a\nend\n\nfunction _M.f1(a, b)\n local aa = some_internal_func(a)\n local bb = some_internal_func(b)\n return aa + bb\nend\n\nreturn _M\n
"},{"location":"faq/ssd/","title":"SSD \u56fa\u4ef6","text":"\u6570\u636e\u4e2d\u5fc3\u76d8\u7684 SSD \u8fd1\u5e74\u6765\u6709\u591a\u8d77\u56e0\u4e3a\u56fa\u4ef6\u95ee\u9898\u5bfc\u81f4\u4f7f\u7528\u65f6\u95f4\u8fc7\u957f\uff08\u51e0\u4e07\u5c0f\u65f6\uff09\u540e\u76d8\u574f\u6389\u7684\u65b0\u95fb\u3002 \u8fd9\u7c7b\u4e8b\u4ef6\u4e00\u65e6\u53d1\u751f\uff0c\u540e\u679c\u6781\u5176\u4e25\u91cd\uff0c\u56e0\u4e3a\u914d\u7f6e\u65b0\u670d\u52a1\u5668\u65f6\uff0c\u4e00\u822c\u4f7f\u7528\u7684\u76d8\u578b\u53f7\u662f\u4e00\u6837\u7684\uff0c\u5e76\u4e14\u5f00\u673a\u65f6\u95f4\u4e5f\u662f\u4e00\u6837\u7684\uff0c \u56e0\u6b64\u51fa\u73b0\u95ee\u9898\u4e4b\u540e\uff0c\u6240\u6709\u76d8\u90fd\u4f1a\u5728\u77ed\u65f6\u95f4\u5185\u574f\u6389\uff0cRAID \u6839\u672c\u65e0\u529b\u56de\u5929\u3002 \u56e0\u6b64\u4ee5\u4e0b\u8bb0\u5f55\u4e00\u4e9b\u56fa\u4ef6\u5347\u7ea7\u7684\u65b9\u6cd5\u3002
"},{"location":"faq/ssd/#intel","title":"Intel","text":""},{"location":"faq/ssd/#_1","title":"\u80cc\u666f","text":"2024 \u5e74 1 \u6708 12 \u65e5\u51cc\u6668\uff0c\u5728\u53d1\u73b0\u4e24\u5757 Intel SSD S4510/S4610 \u51fa\u73b0 SMART \u9519\u8bef\u5e76\u4e14 ZFS \u63d0\u793a\u8bfb\u53d6\u9519\u8bef\u4e4b\u540e\u7d27\u6025\u8fdb\u884c\u4e86\u56fa\u4ef6\u5347\u7ea7\uff08\u5426\u5219\u8fd8\u6709 8 \u5757\u76d8\u4e5f\u4f1a\u5f88\u5feb\u56e0\u4e3a\u7c7b\u4f3c\u95ee\u9898\u635f\u574f\uff09\u3002\u7531\u4e8e\u7f3a\u5c11\u76f8\u5173\u8d44\u6599\uff0c\u5e76\u4e14 Intel \u4e0b\u67b6\u4e86\u5927\u91cf\u4fe1\u606f\uff0c\u56e0\u6b64\u82b1\u8d39\u4e86\u5f88\u591a\u65f6\u95f4\uff0c\u81f3\u51cc\u6668\u4e03\u70b9\u5b8c\u6210\u5347\u7ea7\u3002
Timeline2024/01/11 04:21 - \u6536\u5230 smartd \u90ae\u4ef6\u79f0 /dev/sdi
\u51fa\u73b0 End-to-End_Error_Count
\u9519\u8bef\u3002
\u4e4b\u540e\u672a\u6000\u7591\u662f\u56fa\u4ef6\u95ee\u9898\uff0c\u53ea\u8ba4\u4e3a\u662f\u5076\u53d1\u7684\u9519\u8bef\uff0c\u5e76\u4e14 SSD \u4ecd\u53ef\u6b63\u5e38\u8bfb\u53d6\uff0cZFS \u6b63\u5e38\u7ea0\u9519\uff0c\u56e0\u6b64\u5f53\u5929\u5f00\u59cb\u51c6\u5907\u91c7\u8d2d\u65b0 SSD\uff0c\u672a\u8fdb\u884c\u5176\u4ed6\u64cd\u4f5c\u3002
2024/01/12 02:51 - \u6536\u5230 smartd \u90ae\u4ef6\u79f0 /dev/sdh
\u51fa\u73b0 End-to-End_Error_Count
\u9519\u8bef\u3002
\u4e4b\u540e\u6000\u7591\u662f\u56fa\u4ef6\u95ee\u9898\uff0c\u5e76\u4ece\u6d6a\u6f6e\u7684\u7f51\u7ad9\u786e\u8ba4\u4e86\u8fd9\u4e00\u70b9\u3002 Dell \u63d0\u4f9b\u4e86\u4fee\u590d\u5305\uff0c\u4f46\u662f\u65e0\u6cd5\u5728 Debian \u4e0b\u5b89\u88c5\u3002Intel/Solidigm \u63d0\u4f9b\u7684\u5347\u7ea7\u5de5\u5177\u6709\u8bb8\u591a\u4e0d\u540c\u7248\u672c\uff0c\u5176\u4e2d isdct \u4e0e sst \u63d0\u793a\u5347\u7ea7\u5931\u8d25\uff0cintelmas \u63d0\u793a\u5f53\u524d\u4ea7\u54c1\u5df2\u4e0d\u518d\u652f\u6301\u3002
\u5728\u8fc1\u79fb\u90e8\u5206\u91cd\u8981\u865a\u62df\u673a\uff0c\u5e76\u786e\u8ba4\u5907\u4efd\u6b63\u5e38\u540e\uff08\u5927\u81f4\u82b1\u8d39\u4e86 2 \u5230 2.5 \u5c0f\u65f6\uff09\uff0c\u91cd\u542f\u5bf9\u5e94\u670d\u52a1\u5668\uff0c\u5c1d\u8bd5\u4f7f\u7528 Solidigm \u63d0\u4f9b\u7684\u300c\u5347\u7ea7\u542f\u52a8\u76d8\u300d\u5347\u7ea7\uff0c\u63d0\u793a\u627e\u4e0d\u5230 SSD \u800c\u5931\u8d25\u3002 \u4e4b\u540e\u4ece Solidigm \u8bba\u575b\u4e86\u89e3\u5230\u9700\u8981\u5173\u95ed\u76f4\u901a\u8bbe\u7f6e\u3002\u5148\u5bf9 /dev/sdi
\u8fdb\u884c\u4e86\u6d4b\u8bd5\uff08\u8be5\u76d8\u6709 SMART \u9519\u8bef\uff0c\u4f46\u662f\u4ecd\u53ef\u8bfb\u5199\uff09\uff0c\u5347\u7ea7\u6210\u529f\u3002\u4e4b\u540e\u5347\u7ea7\u4e86\u5168\u90e8 Intel SSD\u3002
\u76f8\u5173\u6d89\u95ee\u9898\u56fa\u4ef6\u7248\u672c\u4e3a XCV10100\u3002XCV10110 \u53ca\u4ee5\u4e0a\u4fee\u590d\u4e86\u95ee\u9898\u3002
"},{"location":"faq/ssd/#_2","title":"\u5347\u7ea7\u65b9\u6cd5","text":"Intel \u7684\u5b58\u50a8\u4e1a\u52a1\u5df2\u7ecf\u88ab SK Hynix \u5b50\u516c\u53f8 Solidigm \u6536\u8d2d\u3002\u5176\u63d0\u4f9b\u4e86\u76f8\u5173\u5de5\u5177\u8fdb\u884c\u5347\u7ea7\u3002
https://www.solidigm.com/us/en/support-page/product-doc-cert/ka-00099.html \u63d0\u4f9b\u4e86 Solidigm \u5de5\u5177\u652f\u6301\u7684\u4ea7\u54c1\u5217\u8868\u3002\u4e0b\u8f7d\u6700\u65b0\u7248\u672c Solidigm\u2122 Storage Tool \u4e4b\u540e\uff08\u652f\u6301 Debian/Ubuntu\uff09\uff0c\u4f7f\u7528\u4ee5\u4e0b\u65b9\u6cd5\u68c0\u67e5\u6240\u6709 SSD \u7684\u4fe1\u606f\uff1a
sst show -ssd\n
\u5173\u6ce8\u6bcf\u4e2a SSD \u7684 FirmwareUpdateAvailable
\u4e00\u884c\u662f\u5426\u6709\u66f4\u65b0\u4fe1\u606f\u3002
\u4f7f\u7528\u4ee5\u4e0b\u547d\u4ee4\u5347\u7ea7\uff1a
sst load -ssd <SSD \u7684\u7f16\u53f7>\n
\u8bf7\u6ce8\u610f\uff0c\u8be5\u5de5\u5177\u4e0d\u652f\u6301 RAID \u5361\u7684\u76f4\u901a\u6a21\u5f0f\u3002\u5bf9\u4e8e Dell \u670d\u52a1\u5668\u6765\u8bf4\uff0c\u9700\u8981\u8bbe\u7f6e\u5982\u4e0b\uff1a
sst set -system EnableLSIAdapter=True
sst
\u8fdb\u884c\u5347\u7ea7\u3002Systemd-timer \u4f5c\u4e3a crontab \u7684\u66ff\u4ee3\u54c1\uff0c\u6709\u4e00\u7cfb\u5217\u7684\u4f18\u70b9\uff1a
\u5f53\u7136\u76f8\u6bd4\u4e8e crontab\uff0c\u7f3a\u70b9\u4e5f\u5f88\u660e\u663e\uff1a
\u6240\u4ee5\u4ee5\u4e0b\u7ed9\u51fa\u4e00\u4e2a\u6a21\u677f\uff0c\u65b9\u4fbf\u5728\u521b\u5efa\u65b0\u5b9a\u65f6\u4efb\u52a1\u7684\u65f6\u5019\u4f7f\u7528\u3002\u8fd9\u91cc\u7684\u4f8b\u5b50\u662f mirrors2 \u4ece mirrors4 \u83b7\u53d6\u538b\u7f29\u540e\u7684\u65e5\u5fd7\u3002\u4ee5\u4e0b\u6587\u4ef6\u5747\u653e\u5728 /etc/systemd/system
\u3002
[Unit]\nDescription=Mirrors4 log backup\nDocumentation=man:rsync(1)\nAfter=network.target\nStartLimitIntervalSec=0\n\n[Service]\nType=simple\nUser=mirror\nGroup=mirror\nExecStart=rsync -rltpv --include=*/ --include=*.xz --exclude=* m4log:/ /var/m4log/\nRestart=on-failure\nRestartSec=3\n
m4log.timer[Unit]\nDescription=Mirrors4 log backup timer\nDocumentation=man:rsync(1)\nAfter=network.target\nStartLimitIntervalSec=0\n\n[Timer]\nOnCalendar=*-*-* 7:13:00\nRandomizedDelaySec=60s\nPersistent=true\nUnit=m4log.service\n\n[Install]\nWantedBy=timers.target\n
\u5173\u4e8e OnCalendar \u7684\u89e6\u53d1\u65f6\u95f4\uff0c\u53ef\u4ee5\u53c2\u8003 systemd \u7684 Calendar Events \u8bf4\u660e\uff0c\u5e76\u7528 systemd-analyze calendar
\u6765\u68c0\u9a8c\u6b63\u786e\u6027\uff0c\u4e5f\u53ef\u4ee5\u7528 systemctl list-timers
\u89c2\u5bdf Timer \u4e0b\u6b21\u89e6\u53d1\u7684\u65f6\u95f4\u662f\u5426\u7b26\u5408\u9884\u671f\u3002
\u4e0b\u9762\u662f\u4e00\u4e9b\u5e38\u7528\u547d\u4ee4\uff1a
systemctl enable m4log.timer
systemctl start m4log.timer
systemctl start m4log.service
systemctl status m4log.service
\u6269\u5927\u865a\u62df\u78c1\u76d8\u7684\u5927\u5c0f\u540e\uff0c\u53ef\u4ee5\u91c7\u7528\u4ee5\u4e0b\u76f8\u5bf9\u7b80\u5355\u7684\u65b9\u5f0f\u6269\u5c55\u5206\u533a\u5927\u5c0f\uff1a
\u8bf7\u786e\u4fdd\u7406\u89e3\u547d\u4ee4\u540e\u518d\u6267\u884c
$ # \u5b89\u88c5 growpart\n$ sudo apt install cloud-guest-utils\n$ # \u6269\u5c55 /dev/sdb1\n$ sudo growpart /dev/sdb 1\n$ # \u73b0\u5728\u5206\u533a\u8868\u4ee5\u53ca\u5206\u533a\u6269\u5c55\u4e86\uff0c\u4f46\u662f\u5206\u533a\u91cc\u9762\u7684\u6587\u4ef6\u7cfb\u7edf\u7684\u5927\u5c0f\u8fd8\u6ca1\u6709\u6269\u5c55\n$ # \u4ee5 ext4 \u4e3a\u4f8b\n$ sudo resize2fs /dev/sdb1\n
"},{"location":"infrastructure/auth-dns/","title":"Authoritative DNS","text":"Services (Servers):
All three servers are dedicated to DNS service and run no other services.
"},{"location":"infrastructure/auth-dns/#deploy","title":"Deploy","text":"The bind configuration repository is only visible to admins because private key is included.
# copy the ssh key https://github.com/ustclug/auth-dns/blob/master/git_pull_key\n# to a dedicated file such as ~/.ssh/auth-dns_pull_key (do not overwrite an existing\n# ~/.ssh/id_ed25519 -- the rm below would delete your own key)\nchmod 600 ~/.ssh/auth-dns_pull_key\n\n# now get the conf, using only that key\nGIT_SSH_COMMAND=\"ssh -i $HOME/.ssh/auth-dns_pull_key\" git clone git@github.com:ustclug/auth-dns.git /var/lib/bind\n\n# delete the ssh key\nrm ~/.ssh/auth-dns_pull_key\n
docker run --restart=always -v /var/lib/bind/:/etc/bind \\\n --net host -it -d --name=auth-dns zhusj/bind9\n
"},{"location":"infrastructure/auth-dns/#update-dns-record","title":"Update DNS Record","text":"Just commit your changes to the configuration repository. More details can be found in the repository.
"},{"location":"infrastructure/auth-dns/#webhook","title":"Webhook","text":"Please add a webhook in the configuration repository, so that the DNS record can be automatically updated when commits are pushed.
The webhook endpoint is http://<server_ip>:9000/hooks/bind, see https://github.com/ustclug/auth-dns/settings/hooks for examples. The endpoint is served over plain HTTP and is reachable by anything that can reach port 9000, so set a webhook secret on the GitHub side and confirm that the hook definition verifies it (GitHub sends it as the X-Hub-Signature-256 header) instead of pulling on any POST it receives.
The first application on October 25, 2023 was declined with the following reason (emphasis mine):
During our review of your application for Various (USTC Open Source Soft[sic], we determined that while your project meets most of the program requirements, there is a lack of documentation in one or more of your repositories on Docker Hub.
Before resubmitting the application, I deleted a few obsolete repositories and filled in the \"Repository overview\" for the rest, asking ChatGPT to produce it when needed. Afterwards, the second submission was approved in just 3 hours.
"},{"location":"infrastructure/github/","title":"GitHub Organization","text":"ustclug @ GitHub
"},{"location":"infrastructure/github/#github-actions","title":"GitHub Actions","text":"GitHub Actions \u5bf9\u516c\u5f00\u4ed3\u5e93\u514d\u8d39\uff0c\u5bf9\u79c1\u6709\u4ed3\u5e93\u6bcf\u6708\u6709 3000 \u5206\u949f\u7684\u9650\u989d\uff08\u6ce8\uff1a\u6211\u4eec\u662f\u5b66\u6821\u5e2e\u5fd9\u7533\u8bf7\u7684 GitHub Education\uff0c\u6240\u4ee5\u6211\u4eec\u5728\u529f\u80fd\u4e0a\u76f8\u5f53\u4e8e\u4ed8\u8d39\u7684 GitHub Team\uff09\u3002\u76ee\u524d\u6211\u4eec\u6709\u591a\u4e2a\u9879\u76ee\u4f7f\u7528 GitHub Actions \u90e8\u7f72\uff0c\u4f8b\u5982 Linux 101 \u7684\u8bb2\u4e49\u3002
\u6211\u4eec\u66fe\u7ecf\u4f7f\u7528 Travis CI\uff08\u73b0\u5728\u4e5f\u5728\u90e8\u5206\u516c\u5f00\u4ed3\u5e93\u4e2d\u4f7f\u7528\uff09\uff0c\u56e0\u4e3a\uff08\u4e0d\u4f1a\u5b9a\u671f\u91cd\u7f6e\u7684\uff09\u6570\u91cf\u9650\u5236\u800c\u5c06\u79c1\u6709\u4ed3\u5e93\u5168\u90e8\u8fc1\u51fa\uff0c\u8ba8\u8bba\u89c1 Discussion #308.
"},{"location":"infrastructure/github/#2fa","title":"\u4e24\u6b65\u8ba4\u8bc1\uff082FA\uff09","text":"\u6211\u4eec\u5f3a\u70c8\u5efa\u8bae\u52a0\u5165 ustclug \u7ec4\u7ec7\u7684\u7528\u6237\u4e3a\u81ea\u5df1\u7684 GitHub \u8d26\u53f7\u914d\u7f6e\u4e24\u6b65\u8ba4\u8bc1\uff1a
\u7531\u4e8e G Suite \u81ea 2022 \u5e74 7 \u6708\u8d77\u4e0d\u518d\u63d0\u4f9b\u514d\u8d39\u7684 Teams\uff0c\u4e14\u5df2\u6709\u7684\u514d\u8d39 Teams \u4e5f\u5c06\u505c\u6b62\u670d\u52a1\uff0c\u6211\u4eec\u5df2\u4e8e 2022 \u5e74 3 \u6708\u5168\u9762\u8fc1\u79fb\u81f3 Office 365\u3002
\u8003\u8651\u5230\u6b64\u9875\u9762\u7684 URL \u8fd8\u6709\u4e00\u5b9a\u6570\u91cf\u7684\u5916\u94fe\uff0c\u6211\u4eec\u628a\u672c\u9875\u6587\u6863\u91cd\u65b0\u52a0\u4e86\u56de\u6765\uff0c\u4f46\u662f\u6240\u6709\u6709\u610f\u4e49\u7684\u5185\u5bb9\u90fd\u5df2\u7ecf\u79fb\u52a8\u5230\u4e86 Office 365 \u9875\u9762\u4e2d\u3002
"},{"location":"infrastructure/ldap/","title":"LDAP \u670d\u52a1\u4f7f\u7528\u53ca\u914d\u7f6e\u8bf4\u660e","text":"LDAP \u662f\u8f7b\u91cf\u76ee\u5f55\u8bbf\u95ee\u534f\u8bae\uff0c\u6211\u4eec\u7528\u7684\u8f6f\u4ef6\u662f OpenLDAP\u3002
LDAP \u7684\u914d\u7f6e\u5f88\u9ebb\u70e6\uff0c\u6240\u4ee5\u88c5\u4e86\u4e00\u4e2a\u7f51\u9875\u524d\u7aef\u6765\u914d\u7f6e\u5b83\uff0c\u7f51\u9875\u524d\u7aef\u662f GOsa\u00b2\u3002
"},{"location":"infrastructure/ldap/#_1","title":"\u5bc6\u7801\u4fee\u6539","text":"\u767b\u5f55\u4efb\u610f\u4e00\u53f0\u670d\u52a1\u5668\u4f7f\u7528 passwd
\u5c31\u53ef\u4ee5\u4fee\u6539\u5bc6\u7801\uff0c\u4fee\u6539\u7684\u5bc6\u7801\u5728\u6240\u6709\u673a\u5668\u4e0a\u5b9e\u65f6\u751f\u6548\uff08\u56e0\u4e3a\u5b9e\u9645\u662f\u5b58\u5728 LDAP \u6570\u636e\u5e93\u91cc\u7684\uff09\u3002
\u7f51\u9875\u754c\u9762\u4f4d\u4e8e ldap.lug.ustc.edu.cn\u3002
\u7528\u4f60\u7684\u8d26\u53f7\u767b\u5f55\u8fdb\u53bb\u4e4b\u540e\uff0c\u53ef\u4ee5\u5728\u53f3\u4e0a\u89d2\u9000\u51fa\uff0c\u53f3\u4e0a\u89d2\u8fd8\u6709\u4e24\u4e2a\u6309\u94ae\u5206\u522b\u662f\u4fee\u6539\u8d26\u53f7\u4fe1\u606f\u548c\u4fee\u6539\u5bc6\u7801\u3002\u8d26\u53f7\u4fe1\u606f\u7b2c\u4e00\u9875\u5927\u90e8\u5206\u662f\u6ca1\u7528\u7684\uff0c\u53ea\u6709\u4e00\u4e2a\u767b\u5f55\u540d\u662f\u6709\u7528\u7684\uff0c\u8fd9\u662f\u4f60\u767b\u5f55\u4efb\u4f55\u5730\u65b9\u7684\u7528\u6237\u540d\u3002
"},{"location":"infrastructure/ldap/#ldap-users-and-groups","title":"Users \u548c Groups","text":"Users \u662f\u7528\u6765\u6dfb\u52a0\u548c\u914d\u7f6e\u7528\u6237\u4fe1\u606f\u7684\u5730\u65b9\u3002\u6700\u4e3b\u8981\u7684\u529f\u80fd\u4f4d\u4e8e\u6bcf\u4e2a User \u7684\u7b2c\u4e8c\u9875 POSIX\uff0c\u8fd9\u91cc\u53ef\u4ee5\u8bbe\u7f6e\u7528\u6237\u7684\u5bb6\u76ee\u5f55\uff0cUID\uff0cGID\uff0c\u4ee5\u53ca\u6240\u5c5e\u7684\u7528\u6237\u7ec4\u3002\u8fd9\u91cc\u9700\u8981\u6ce8\u610f\u7684\u5730\u65b9\u5982\u4e0b\uff1a
UID\uff0cGID \u4ece 2000 \u5f00\u59cb\u8ba1\u6570\uff0c\u7531\u4e8e gosa \u4e0d\u80fd\u5bf9 UID \u81ea\u52a8\u589e\u957f\uff0c\u6240\u4ee5\u7ba1\u7406\u5458\u9700\u8981\u4eba\u5de5\u589e\u957f\u3002\u65b9\u6cd5\u662f\u767b\u5f55\u4efb\u610f\u4e00\u53f0\u673a\u5668\uff0c\u8fd0\u884c getent passwd
\u5e76\u89c2\u5bdf\u8f93\u51fa\uff0c\u53d6\u6700\u5927\u7684 UID + 1 \u5c31\u884c\u4e86\u3002
\u5751
\u5c0f\u5fc3\u8f93\u51fa\u7684\u987a\u5e8f\uff0c\u6700\u5927\u7684 UID \u4e0d\u4e00\u5b9a\u662f\u6700\u540e\u4e00\u4e2a\uff08\u800c\u4e14\u4e8b\u5b9e\u4e0a\u7ecf\u5e38\u4e0d\u662f\uff09\uff0c\u5efa\u8bae\u914d\u5408 sed, awk, sort \u4e4b\u7c7b\u7684\u547d\u4ee4\u59a5\u5584\u5904\u7406\uff0c\u4f8b\u5982
getent -s ldap passwd | cut -d: -f3 | sort -n\n
\u540c\u65f6\u8fd8\u6709\u82e5\u5e72 UID \u5f88\u5927\u4f46\u662f\u79bb\u6563\u7684\u7279\u6b8a\u8d26\u53f7\uff0c\u5f88\u5bb9\u6613\u5206\u8fa8\u3002\u663e\u7136\u65b0 UID \u662f 2000 \u5f00\u59cb\u8fde\u7eed\u7684\u6700\u5927 UID + 1.
GID \u5efa\u8bae\u4e0d\u8981\u6bcf\u4eba\u4e00\u4e2a\uff0c\u6211\u4eec\u5efa\u4e00\u4e2a group\uff0c\u7ed9\u5927\u5bb6\u90fd\u52a0\u8fdb\u6765\uff0c\u8fd9\u6837\u5c31\u53ea\u9700\u8981\u8003\u8651 UID \u7684\u589e\u957f\u4e86\u3002\u76ee\u524d\u8be5 group \u4e3a ldap_users
\uff0cGID \u4e3a 2001\u3002
\u5efa\u8d26\u53f7\u4e4b\u524d\u5148\u6ce8\u610f\u4e00\u4e0b\u5404\u4e2a\u670d\u52a1\u5668\u4e0a\u6709\u6ca1\u6709\u76f8\u540c\u7684\u7528\u6237\u540d\uff0c\u6709\u7684\u8bdd\u628a\u539f\u5bb6\u76ee\u5f55 chown \u5230\u65b0\u7684 UID GID\uff0c\u5220\u9664\u540c\u540d\u7528\u6237\u3002
Groups \u4e2d\u4ee5 ssh \u5f00\u5934\u7684\u7ec4\u63a7\u5236\u5bf9\u5e94\u673a\u5668\u7684 ssh \u6743\u9650\uff0csudo \u5f00\u5934\u540c\u7406\u3002super_maneger \u7ec4\u5305\u542b\u6240\u6709\u673a\u5668\u7684\u6743\u9650\uff0c\u4ee5\u53ca LDAP \u7684 admin \u8eab\u4efd\u3002\u52a0\u5165\u5bf9\u5e94\u7684\u7ec4\u5373\u6388\u4e88\u76f8\u5e94\u6743\u9650\u3002\u5df2\u77e5\u7684 GID
"},{"location":"infrastructure/ldap/#access-control","title":"Access Control","text":"\u8fd9\u91cc\u53ef\u4ee5\u914d\u7f6e GOsa \u7684\u7f16\u8f91\u6743\u9650\uff0c\u73b0\u5728\u8fd9\u91cc\u9762\u53ea\u6709\u4e00\u4e2a\u7ec4\uff0c\u662f\u5b8c\u5168\u6743\u9650\u7684\u3002\u53e6\u5916\uff0c\u6bcf\u4e2a\u9879\u53ef\u4ee5\u8bbe\u7f6e\u4e13\u95e8\u9488\u5bf9\u8fd9\u4e2a\u9879\u7684 ACL\u3002
"},{"location":"infrastructure/ldap/#sudo-rules","title":"Sudo rules","text":"\u8fd9\u91cc\u914d\u7f6e sudo \u6743\u9650\u3002\u8fd9\u91cc\u7684\u8bed\u6cd5\u548c sudoers \u4e00\u6837\uff08\u8bf7\u65e0\u89c6 System trust\uff09\u3002\u7279\u522b\u8981\u8bf4\u7684\u4e00\u70b9\u662f\u901a\u8fc7\u5728 System \u4e2d\u52a0\u5165\u4e3b\u673a\u540d\u53ef\u4ee5\u9488\u5bf9\u6bcf\u4e2a\u4e3b\u673a\u914d\u7f6e\u6743\u9650\uff0c\u8fd9\u91cc\u8981\u586b\u7684\u662f\u4e3b\u673a\u540d\u800c\u4e0d\u662f\u57df\u540d\uff0c\u5177\u4f53\u8303\u4f8b\u8bf7\u770b\u91cc\u9762\u7684 lugsu wikimanager \u7b49\u9879\u3002
\u5176\u5b83\u6211\u6ca1\u63d0\u5230\u7684\u9879\u6211\u4e5f\u6ca1\u641e\u660e\u767d\u600e\u4e48\u7528\u3002\u3002\u3002
gosa \u7684\u914d\u7f6e\u6587\u4ef6\u5728 /etc/gosa/gosa.conf
\uff0c\u5b83\u662f\u5728\u7b2c\u4e00\u6b21\u8fd0\u884c gosa \u65f6\u5019\u81ea\u52a8\u751f\u6210\u7684\uff0c\u4f46\u5728\u4e4b\u540e\u5c31\u53ea\u80fd\u901a\u8fc7\u624b\u52a8\u7f16\u8f91\u6765\u4fee\u6539\u3002\u7531\u4e8e\u914d\u7f6e\u6587\u4ef6\u51e0\u4e4e\u6ca1\u6709\u6587\u6863\uff0c\u5b98\u65b9\u7684 FAQ \u6709\u597d\u591a\u662f\u9519\u7684\uff0c\u6240\u4ee5\u6211\u57fa\u672c\u6ca1\u52a8 :-D
\u3002
\u5982\u679c\u53d1\u73b0\u66f4\u65b0 GOsa \u4e4b\u540e\uff0c/gosa
\u6ca1\u6709\u6b63\u5e38\u5de5\u4f5c\uff08\u6bd4\u5982\u8bf4\u76f4\u63a5\u663e\u793a\u4e86 PHP \u7684\u6e90\u4ee3\u7801\uff09\uff0c\u53ef\u4ee5\u5c1d\u8bd5\u5220\u9664 /var/spool/gosa/
\u4e2d\u7684\u6240\u6709\u6587\u4ef6\uff0c\u8be6\u89c1 Gosa broken in Debian stretch\u3002
Warning
Debian 13 Trixie \u662f\u6700\u540e\u4e00\u4e2a\u652f\u6301 sudo-ldap
\u7684\u7248\u672c\uff0cDebian 14 \u5c06\u5b8c\u5168\u79fb\u9664 sudo-ldap
\uff0c\u9700\u8981\u5c3d\u5feb\u8fc1\u79fb\u81f3 sssd
\u3002
\u6211\u4eec\u5927\u90e8\u5206\u73b0\u6709\u7684\u670d\u52a1\u5668\u4ecd\u5728\u4f7f\u7528 sudo-ldap
\uff0c\u5728\u4e0b\u6b21\u5927\u7248\u672c\u5347\u7ea7\u524d\u9700\u8981\u9010\u6b65\u8fc1\u79fb\u3002\u4ee5\u4e0b\u63d0\u4f9b\u4f7f\u7528 sssd
\u7684\u914d\u7f6e\u65b9\u6cd5\u3002
Ref: https://packages.debian.org/trixie/sudo-ldap
"},{"location":"infrastructure/ldap/#_3","title":"\u8f6f\u4ef6\u5305\u5b89\u88c5","text":"Debian 7 \u4ee5\u4e0a\u7cfb\u7edf\u5b89\u88c5 libnss-ldapd
\u3001libpam-ldapd
\u3001sssd-ldap
\u3001libsss-sudo
Note
\u66f4\u65b0\u8fd9\u4e9b\u8f6f\u4ef6\u5305\u65f6\uff0c\u6ce8\u610f\u4fdd\u7559\u4e00\u4e2a root \u7ec8\u7aef\uff0c\u66f4\u65b0\u540e\u53ef\u80fd\u9700\u8981\u91cd\u542f daemon \u8fdb\u7a0b\u3002
Note
\u5982\u679c\u5df2\u7ecf\u5b89\u88c5\u4e86 sudo-ldap
\uff0c\u8bf7\u5728\u5168\u90e8\u914d\u7f6e\u5b8c\u6210\u4e4b\u540e\u8fd0\u884c apt install sudo
\uff0c\u8fc1\u79fb\u56de\u539f sudo
\u3002
\u5728\u5b89\u88c5\u8fc7\u7a0b\u4e2d\u4f1a\u88ab\u95ee\u4e00\u4e9b\u95ee\u9898\uff08\u4e0d\u540c\u7248\u672c\u7684 Debian \u7684\u95ee\u9898\u53ef\u80fd\u4e0d\u540c\uff09\uff1a
ldaps://ldap.lug.ustc.edu.cn
dc=lug,dc=ustc,dc=edu,dc=cn
\u7f16\u8f91\u5185\u5bb9\u5982\u4e0b\uff1a
/etc/ldap/ldap.confBASE dc=lug,dc=ustc,dc=edu,dc=cn\nURI ldaps://ldap.lug.ustc.edu.cn\nSSL yes\nTLS_CACERT /etc/ldap/slapd-ca-cert.pem\nTLS_REQCERT demand\nSUDOERS_BASE ou=sudoers,dc=lug,dc=ustc,dc=edu,dc=cn\n
为了安全性考虑，要以 ldaps 的方式连接 ldap 服务器，同时应配置好证书 (/etc/ldap/slapd-ca-cert.pem, 从其它服务器复制一个，并核对其指纹与 LDAP 服务器上的一致)。TLS_REQCERT 设为 demand 后，证书校验失败会直接拒绝连接，不要为了“先连上”而改成 never/allow。
\u6ce8\u610f\u68c0\u67e5\u4e00\u4e0b\u6b64\u914d\u7f6e\u6587\u4ef6\u662f\u5426\u4e0e /etc/ldap/ldap.conf
\u4e0b\u7684\u5185\u5bb9\u76f8\u4e00\u81f4\uff0c\u5982
uid nslcd\ngid nslcd\nuri ldaps://ldap.lug.ustc.edu.cn\nbase dc=lug,dc=ustc,dc=edu,dc=cn\nssl on\ntls_reqcert demand\ntls_cacertfile /etc/ldap/slapd-ca-cert.pem\n
"},{"location":"infrastructure/ldap/#etcnsswitchconf","title":"/etc/nsswitch.conf","text":"\u5b89\u88c5\u8f6f\u4ef6\u5305\u65f6\uff0c\u5b89\u88c5\u811a\u672c\u5df2\u7ecf\u5904\u7406\u8fc7\u8be5\u6587\u4ef6\u3002\u68c0\u67e5\u4e00\u4e0b\u5185\u5bb9\uff0c\u5927\u81f4\u4e3a\uff1a
passwd: compat ldap\ngroup: compat ldap\nshadow: compat ldap\n......\nsudoers: files ldap\n
每一行对应一个 NSS 数据库（passwd、group、shadow、sudoers 等），冒号后面是依次查询的来源。注意每一项后面都要有 ldap，如果没有要手动加上；否则该类信息只会从本地文件查询，LDAP 用户对这台机器来说就不存在。
\u5bf9\u4e8e\u4f7f\u7528 sssd \u7684\u914d\u7f6e\uff0c\u6ce8\u610f sudoers
\u4e00\u884c\u9700\u8981\u6709 sss
\uff0c\u7c7b\u4f3c\u4e8e\u4e0b\u9762\u8fd9\u6837\uff1a
sudoers: files sss\n
\u800c\u5982\u679c\u4f7f\u7528\u4f20\u7edf\u7684 sudo-ldap
\uff0c\u90a3\u4e48 sudoers
\u4e00\u884c\u5e94\u8be5\u7c7b\u4f3c\u4e8e\u8fd9\u6837\uff1a
sudoers: ldap [SUCCESS=return] files\n
\u91cd\u542f\u4e00\u4e0b nscd
\u548c nslcd
\u670d\u52a1\uff0c\u6b64\u65f6\u8fd0\u884c getent passwd
\uff0c\u5e94\u8be5\u53ef\u4ee5\u770b\u5230\u6bd4 /etc/passwd
\u66f4\u591a\u7684\u5185\u5bb9\uff0c\u8fd9\u5c31\u8bf4\u660e\u914d\u7f6e\u6b63\u786e\u4e86\u3002
\u5982\u679c PAM \u914d\u7f6e\u9519\u8bef\uff0c\u53ef\u80fd\u5bfc\u81f4\u7528\u6237\u65e0\u6cd5\u4f7f\u7528 SSH \u767b\u5f55\uff0c\u751a\u81f3\u8fde sudo \u4e5f\u53ef\u80fd\u6302\u6389\u3002\u6240\u4ee5\u4fee\u6539 PAM \u914d\u7f6e\u65f6\uff1a
\u5bf9\u4e8e Debian 7+\uff0c\u53ea\u9700\u8bbe\u7f6e\u4e00\u5904\u3002\u4e3a\u4e86\u767b\u5f55\u65f6\u81ea\u52a8\u521b\u5efa\u5bb6\u76ee\u5f55\uff0c\u5728 /etc/pam.d/common-session
中添加下面这句（umask=0022 会让新建的家目录对其他用户可读；若家目录应当私有，改为 umask=0077）：
session required pam_mkhomedir.so skel=/etc/skel umask=0022\n
\u5bf9\u4e8e Debian 5\uff0c\u8bf7\u67e5\u9605\u672c\u6587\u6863\u7684 Git \u8bb0\u5f55\u3002
"},{"location":"infrastructure/ldap/#sssd","title":"SSSD \u914d\u7f6e","text":"\u7531\u4e8e sudo-ldap
\u672a\u6765\u88ab\u5e9f\u5f03\uff0csudo \u7684\u914d\u7f6e\u901a\u8fc7 sssd \u5b9e\u73b0\uff0c\u53c2\u8003 https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/sssd-ldap-sudo.html\u3002
\u5c06 /usr/share/doc/sssd-common/examples/sssd-example.conf
\u590d\u5236\u5230 /etc/sssd/sssd.conf
并将文件属主设为 root、权限设为 600（sssd 会拒绝加载属主或权限不正确的配置文件，且该文件中可能包含 bind 密码等敏感信息）。
[taoky@gateway-nic ~]$ sudo diff /usr/share/doc/sssd-common/examples/sssd-example.conf /etc/sssd/sssd.conf\n3c3\n< services = nss, pam\n---\n> services = nss, pam, sudo\n8c8,10\n< ; domains = LDAP\n---\n> domains = LDAP\n>\n> [sudo]\n15,17c17,19\n< ; [domain/LDAP]\n< ; id_provider = ldap\n< ; auth_provider = ldap\n---\n> [domain/LDAP]\n> id_provider = ldap\n> auth_provider = ldap\n22,24c24,26\n< ; ldap_schema = rfc2307\n< ; ldap_uri = ldap://ldap.mydomain.org\n< ; ldap_search_base = dc=mydomain,dc=org\n---\n> ldap_schema = rfc2307\n> ldap_uri = ldaps://ldap.lug.ustc.edu.cn\n> ldap_search_base = dc=lug,dc=ustc,dc=edu,dc=cn\n30c32\n< ; cache_credentials = true\n---\n> cache_credentials = true\n
\u5751
\u9700\u8981\u52a0\u4e0a [sudo]
\uff0c\u5426\u5219 sudo \u914d\u7f6e\u4e0d\u4f1a\u751f\u6548\uff0c\u8fd9\u4e2a\u914d\u7f6e\u95ee\u9898\u5bfc\u81f4\u4e86\u4fee\u6539\u524d\u5728 gateway-nic \u4e0a\u7528\u6237\u65e0\u6cd5\u4f7f\u7528 sudo\u3002
\u53e6\u5916\u8bb0\u5f97\u50cf\u524d\u9762\u5728 Debian \u4e2d\u5b89\u88c5\u4ecb\u7ecd\u5230\u7684\u90a3\u6837\u4fee\u6539 /etc/nsswitch.conf
\u4ee5\u53ca /etc/nslcd.conf
.
\u5728 SSSD \u672a\u5b89\u88c5\u7684\u60c5\u51b5\u4e0b\uff0cNSCD \u4f1a\u63d0\u4f9b LDAP \u7f13\u5b58\u670d\u52a1\u3002\u5982\u679c\u5728\u4f7f\u7528 NSCD \u7684\u673a\u5668\u4e0a\u9700\u8981\u6e05\u7a7a LDAP \u7f13\u5b58\uff0c\u6267\u884c\u4ee5\u4e0b\u547d\u4ee4\uff1a
nscd -i passwd\nnscd -i group\n
\u5982\u679c SSSD \u5b89\u88c5\uff0csystemctl status sssd
\u4f1a\u663e\u793a SSSD \u4e0e NSCD \u540c\u65f6\u63d0\u4f9b\u4e86\u76f8\u5173\u7f13\u5b58\uff0c\u53ef\u80fd\u5b58\u5728\u51b2\u7a81\u95ee\u9898\uff1a
NSCD socket was detected and seems to be configured to cache some of the databases controlled by SSSD [passwd,group,netgroup,services].\n
\u9700\u8981\u4fee\u6539 /etc/nscd.conf
\uff0c\u5c06\u63d0\u53ca\u7684 passwd
, group
, netgroup
\u548c services
\u7684 enable-cache
\u8bbe\u7f6e\u4e3a no
\u3002
\u8fd9\u91cc\u4ee5 ldappasswd
\u4e3a\u4f8b\uff0c\u5176\u4f59 ldap \u7cfb\u5217\u6307\u4ee4\u4e0e\u5176\u5927\u81f4\u76f8\u540c\uff1a
LDAP \u5229\u7528 dn \u6765\u5b9a\u4f4d\u4e00\u4e2a\u7528\u6237\uff0c\u4ee5\u4e0b\u6307\u4ee4\u53ef\u4ee5\u5217\u51fa\u6240\u6709\u7528\u6237\u53ca\u5176 dn\uff1a
ldapsearch -x -LLL uid=* uid\n
-x
指定使用 Simple authentication，即使用 bind DN 的密码认证。简单认证会把密码原样发送给服务器，因此必须通过 ldaps 连接（即上文 /etc/ldap/ldap.conf 中的 URI ldaps://...）。
\u5982\u679c\u8981\u4fee\u6539\u4e00\u4e2a\u7528\u6237\u7684\u5bc6\u7801\uff0c\u4f7f\u7528\uff1a
ldappasswd -x -D '<executor dn>' -W -S '<target user dn>'\n
-D '<executor dn>'
指定了执行者（bind DN）的身份；-W 表示交互式输入执行者的密码，-S 表示交互式输入目标用户的新密码（需要先校验目标用户旧密码时可再加 -A）。密码应只通过交互提示输入，不要用 -w/-s 直接写在命令行里，否则会留在 shell 历史和进程列表中。
\u9700\u8981\u989d\u5916\u6ce8\u610f\u7684\u662f\uff0c\u5728 CLI \u4e2d\u6dfb\u52a0/\u5220\u9664\u7528\u6237\u6216\u66f4\u6539\u7528\u6237\u5bc6\u7801\u65f6\u9700\u8981\u4ee5 LDAP admin \u6267\u884c\uff0c\u5426\u5219\u4f1a\u6709\u62a5\u9519\uff1a
Insufficient access (50) additional info: no write access to parent\n
\u6216\u662f\u5176\u4ed6\u7684\u6743\u9650\u4e0d\u8db3\u7684\u9519\u8bef\u3002
"},{"location":"infrastructure/ldap/#_4","title":"\u90e8\u7f72\u60c5\u51b5","text":"\u76ee\u524d\u6240\u6709\u670d\u52a1\u5668\u5747\u5df2\u90e8\u7f72 LDAP
"},{"location":"infrastructure/ldap/#ldap-known-gids","title":"\u5df2\u77e5\u7684 GID","text":"GID \u4fe1\u606f\u5df2\u8fc7\u65f6\uff0c\u4ee5 LDAP \u5b9e\u9645\u914d\u7f6e\u4e3a\u51c6\u3002
GID \u540d\u79f0 \u8bf4\u660e 2001 ldap_users \u6240\u6709\u7528\u6237\u90fd\u5728\u8fd9\u4e2a\u7ec4\u91cc 1001 ssh_docker2 - 2013 ssh_bbs - 2014 ssh_linode - 2101 ssh_ldap - 2102 ssh_blog - 2103 ssh_dns - 2104 ssh_gitlab - 2105 ssh_lug - 2106 ssh_vpn - 2107 ssh_mirrors - 2108 ssh_pxe - 2109 ssh_freeshell - 2110 ssh_backup - 2112 ssh_vmnfs - 2113 ssh_homepage - 2201 sudo_ldap - 2202 sudo_blog - 2203 sudo_dns - 2204 sudo_gitlab - 2205 sudo_lug - 2206 sudo_vpn - 2207 sudo_mirrors - 2208 sudo_pxe - 2209 sudo_freeshell - 2210 sudo_backup - 2212 sudo_vmnfs - 2213 sudo_homepage - 2000 super_manager - 2999 nologin \u4e0d\u786e\u5b9a\u8fd9\u4e2a\u7ec4\u6709\u6ca1\u6709\u7528\u6ce8\u610f\u4e8b\u9879
LDAP 配置完成后，所有 LDAP 账号都会成为这台机器上的合法用户，因此务必确认 sshd_config 已经限制了公网登录（例如用 AllowGroups 只放行本机对应的 ssh_* 组），而不是让所有目录用户都能登录。
\u672c\u6587\u6863\u539f\u59cb\u7248\u672c\u590d\u5236\u81ea LUG wiki\uff0c\u7531\u5f20\u5149\u5b87\u3001\u5d14\u704f\u3001\u6731\u665f\u83c1\u3001\u5de6\u683c\u975e\u64b0\u5199\u3002
"},{"location":"infrastructure/mail/","title":"Mail Agent","text":"\u53ef\u4ee5\u914d\u7f6e\u673a\u5668\u901a\u8fc7 mail.ustclug.org \u53d1\u4ef6\uff0c\u5b9e\u73b0\u8b66\u62a5\u7684\u90ae\u4ef6\u63d0\u9192\uff08\u6536\u4ef6\u4eba\u8bbe\u7f6e\u4e3a alert AT ustclug DOT org\uff09\u3002\u914d\u7f6e\u65f6\u9700\u8981\u5728 mail.s.ustclug.org \u4e0a\u8bbe\u7f6e postfix \u767d\u540d\u5355\u3002
"},{"location":"infrastructure/mail/#_1","title":"\u5e38\u7528\u547d\u4ee4","text":"\u4ece\u961f\u5217\u4e2d\u5220\u9664\u90ae\u4ef6\uff1asudo postsuper -d <\u90ae\u4ef6 ID>
\uff08\u90ae\u4ef6 ID \u53ef\u4ee5\u65e5\u5fd7\u4e2d\u770b\u5230\uff09
\u66f4\u65b0 virtual
\u8868\u6620\u5c04\uff1asudo postmap /etc/postfix/virtual
\u540e\u91cd\u542f postfix
\u670d\u52a1\u3002
\u7f16\u8f91 /etc/opendkim/TrustedHosts
\uff0c\u6dfb\u52a0\u5185\u90e8\u670d\u52a1\u5bf9\u5e94\u7684 IP\uff08\u6bb5\uff09\u5230\u5176\u4e2d\uff0c\u5e76 reload opendkim
\u5373\u53ef\u3002
\u76d1\u63a7\u7cfb\u7edf\u7531\u4ee5\u4e0b\u51e0\u4e2a\u7ec4\u4ef6\u7ec4\u6210\uff1a
\u7279\u522b\u6ce8\u610f \uff1aInfluxDB \u9ed8\u8ba4\u6ca1\u6709\u5f00\u542f\u8ba4\u8bc1\u3002
\u9996\u6b21\u8fd0\u884c\u65f6\uff0c\u521b\u5efa\u597d\u7ba1\u7406\u8d26\u53f7\uff08admin
\uff09\uff0c\u53ea\u8bfb\u8d26\u53f7\uff08grafana
\uff09\u548c\u5199\u5165\u8d26\u53f7\uff08telegraf
\uff09\u3002
\u7136\u540e\u4fee\u6539\u4f4d\u4e8e /srv/docker/influxdb/conf/influxdb.conf
\u7684\u914d\u7f6e\uff0c\u4fee\u6539\u4ee5\u542f\u7528\u8ba4\u8bc1\uff1a
[http]\n# ...\n# Determines whether HTTP authentication is enabled.\nauth-enabled = true\n
\u6b64\u5916\uff0c\u53c2\u8003 https://docs.influxdata.com/influxdb/v1.8/administration/authentication_and_authorization/#set-up-authentication\uff0c\u8003\u8651\u5173\u95ed\u90e8\u5206\u529f\u80fd\uff1a
/srv/docker/influxdb/conf/influxdb.conf[http]\n# Determines whether the pprof endpoint is enabled. This endpoint is used for\n# troubleshooting and monitoring.\npprof-enabled = false\n
"},{"location":"infrastructure/monitor/#install-telegraf","title":"Install telegraf","text":"\u5b98\u65b9\u6587\u6863\u89c1 https://docs.influxdata.com/telegraf/v1/install/
\u5178\u578b\u7684\u5b89\u88c5\u65b9\u5f0f\u662f\u4ece APT \u6e90\u5b89\u88c5\uff1a
# keep the vendor key out of trusted.gpg.d (there it would be trusted for every APT source)\n# and scope it to this repository with signed-by\ninstall -d -m 0755 /etc/apt/keyrings\nwget -O /etc/apt/keyrings/influxdb.asc https://repos.influxdata.com/influxdata-archive_compat.key\necho \"deb [signed-by=/etc/apt/keyrings/influxdb.asc] https://mirrors.ustc.edu.cn/influxdata/debian bullseye stable\" > /etc/apt/sources.list.d/influxdb.list\napt update\napt install --no-install-recommends telegraf\n
\u624b\u52a8\u5b89\u88c5\u65b9\u5f0f\uff08\u4e0d\u63a8\u8350\uff09 wget https://dl.influxdata.com/telegraf/releases/telegraf_1.28.2-1_amd64.deb\nsudo dpkg -i telegraf_1.28.2-1_amd64.deb\n
"},{"location":"infrastructure/monitor/#configure-telegraf","title":"Configure telegraf","text":"\u914d\u7f6e\u6587\u4ef6\u5728 ustclug/telegraf-config \u4ed3\u5e93\u4e2d\u7ba1\u7406\uff0c\u4f7f\u7528\u65b9\u6cd5\u5982\u4e0b\uff1a
/etc/telegraf/telegraf.conf
\uff08\u4f8b\u5982 truncate -s 0
\u6216\u8005 :>
\uff09\u628a\u4ed3\u5e93 clone \u5230 /etc/telegraf/repo
\uff0c\u4f8b\u5982\uff1a
mkdir /etc/telegraf/repo\ncd /etc/telegraf/repo\ngit init\ngit branch -M master\n\nssh-keygen -f .git/id_ed25519 -t ed25519 -N ''\ncat .git/id_ed25519.pub\n# Upload the output to https://github.com/ustclug/telegraf-config/settings/keys\n# as a read-only deploy key (leave \"Allow write access\" unchecked): this host only\n# needs to pull, and the unencrypted private key sits on disk in /etc/telegraf/repo/.git\ngit config core.sshCommand 'ssh -i .git/id_ed25519'\ngit remote add origin git@github.com:ustclug/telegraf-config.git\ngit pull origin master\ngit branch --set-upstream-to=origin/master master\n
\u56de\u5230 /etc/telegraf/telegraf.d
\uff0c\u4ece ../repo/*.conf
\u4e2d\u6309\u9700 symlink \u6587\u4ef6\u8fc7\u6765
\u914d\u7f6e\u5b8c\u6210\u4e4b\u540e\uff0c\u91cd\u542f telegraf \u670d\u52a1\uff0c\u5e76\u786e\u4fdd\u670d\u52a1\u8fd0\u884c\u6b63\u5e38\u3002
sudo systemctl restart telegraf\nsudo systemctl status telegraf\n
Tip
\u5efa\u8bae\u5728\u88ab\u76d1\u63a7\u673a\u5668\u4e0a\u914d\u7f6e NTP\uff08\u53ef\u4ee5\u4f7f\u7528 systemd-timesyncd
\uff0c\u8bbe\u7f6e NTP \u670d\u52a1\u5668\u4e3a time.ustc.edu.cn\uff09\uff0c\u4ee5\u907f\u514d\u65f6\u95f4\u4e0d\u540c\u6b65\u53ef\u80fd\u5e26\u6765\u7684\u95ee\u9898\u3002
Web \u7aef\u76d1\u63a7\u4f4d\u4e8e https://monitor.ustclug.org\uff0c\u8d26\u53f7\u7cfb\u7edf\u4f7f\u7528 LDAP\uff0c\u53ef\u4ee5\u5728\u8fd9\u91cc\u8bbe\u7f6e\u9884\u8b66\u63d0\u793a\u7b49\u3002
Warning
配置 InfluxDB 数据源时，只能使用只读账号（grafana），否则会带来严重的安全问题：任何能在 Grafana 中编辑面板或使用 Explore 的用户都能通过该数据源执行任意查询，如果账号有写权限或管理员权限，就等于把修改/删除监控数据的权限交给了全部 Grafana 用户。
"},{"location":"infrastructure/monitor/#_2","title":"\u66f4\u65b0\u8bb0\u5f55","text":""},{"location":"infrastructure/monitor/#unified-alerting","title":"\u8fc1\u79fb\u5230 Unified Alerting","text":"Grafana 11 \u8d77\u5c06\u5b8c\u5168\u5220\u9664\u65e7\u7684\u62a5\u8b66\u7cfb\u7edf\uff0c\u5168\u9762\u4f7f\u7528\u65b0\u7684\uff08\u96be\u7528\u7684\uff09Unified Alerting\u3002
\u6211\u4eec\u539f\u5148\u8fd0\u884c\u7684\u662f Grafana 9.3.8\uff0c\u6839\u636e\u66f4\u65b0\u8bb0\u5f55\uff0c\u53d1\u73b0 v10.4 \u63d0\u4f9b\u4e86\u4e00\u4e2a\u8fc1\u79fb\u5de5\u5177\uff0c\u53ef\u4ee5\u5c06\u539f\u5148\u7684\u62a5\u8b66\u8fc1\u79fb\u5230\u65b0\u7684 Unified Alerting \u7cfb\u7edf\uff0c\u56e0\u6b64\u5148\u5c06 Grafana \u66f4\u65b0\u5230 10.4.3\uff0c\u51c6\u5907\u8fc1\u79fb\u3002
\u5728 Alerting (legacy) \u83dc\u5355\u4e0b\u6709\u4e2a Upgrade rules \u754c\u9762\uff0c\u70b9\u8fdb\u53bb\u5c31\u53ef\u4ee5\u4f7f\u7528\u8fc1\u79fb\u5411\u5bfc\u3002\u9996\u5148\u8fc1\u79fb\u6211\u4eec\u552f\u4e00\u7684\u4e00\u4e2a Notification Channel\uff0c\u53d8\u6210\u4e00\u4e2a Contact Point\u3002\u7531\u4e8e \u5783\u573e\u7684\u65b0 alerting \u65b9\u6848\u6ca1\u6709\u63d0\u4f9b\u9ed8\u8ba4\u7684\u6d88\u606f\u6a21\u677f\uff0c\u56e0\u6b64\u6211\u4eec\u9700\u8981\u81ea\u5df1\u5199\u4e00\u4e2a\uff08\u6587\u6863\u4e5f\u6666\u6da9\u96be\u61c2\uff09\u3002
Notification templatetelegram.message
{{ define \"alert_list\" -}}\n{{ range . }}[{{ .Labels.alertname }}] {{ .Annotations.description }}\n{{ if or (gt (len .GeneratorURL) 0) (gt (len .SilenceURL) 0) (gt (len .DashboardURL) 0) (gt (len .PanelURL) 0) }}|{{- end }}\n{{- if gt (len .GeneratorURL) 0 }} <a href=\"{{ .GeneratorURL }}\">Source</a> | {{- end }}\n{{- if gt (len .SilenceURL) 0 }} <a href=\"{{ .SilenceURL }}\">Silence</a> | {{- end }}\n{{- if gt (len .DashboardURL) 0 }} <a href=\"{{ .DashboardURL }}\">Dashboard</a> | {{- end }}\n{{- if gt (len .PanelURL) 0 }} <a href=\"{{ .PanelURL }}\">Panel</a> | {{- end }}\n{{ end }}\n{{ end }}\n\n{{- define \"telegram.message\" }}\n{{- if gt (len .Alerts.Firing) 0 }}<strong>Firing</strong>\n{{ template \"alert_list\" .Alerts.Firing }}\n{{ if gt (len .Alerts.Resolved) 0 }}\n{{ end }}\n{{- end }}\n\n{{- if gt (len .Alerts.Resolved) 0 }}<strong>Resolved</strong>\n{{ template \"alert_list\" .Alerts.Resolved }}\n{{ end }}\n{{- end }}\n
\u7136\u540e\u56de\u5230 Contact point \u7f16\u8f91\uff0c\u5c55\u5f00 Optional Telegram settings\uff0c\u5728 Message \u4e2d\u586b\u5165 {{ template \"telegram.message\" . }}
\u6765\u5f15\u7528\u6211\u4eec\u521a\u521a\u5199\u7684\u6a21\u677f\uff0c\u5e76\u5c06 Parse mode \u8bbe\u4e3a HTML\u3002
\u63a5\u4e0b\u6765\u56de\u5230\u8fc1\u79fb Alerting \u7684\u5730\u65b9\uff0c\u9010\u4e2a\u8fc1\u79fb Alerting\uff1a
avg()
\u548c\u4e00\u4e2a\u6570\u503c\uff09\uff0c\u7136\u540e\u628a\u5b83\u5220\u6389\u5728 Go template \u4e2d\u53ef\u7528\u7684\u5e2e\u52a9\u51fd\u6570\u53c2\u89c1 https://grafana.com/docs/grafana/latest/alerting/alerting-rules/templating-labels-annotations/\u3002
{{ index $labels \"host\" }}: {{ humanize (index $values \"B\").Value }}\n\n{{ index $labels \"host\" }}: {{ humanizePercentage (index $values \"D\").Value }}\n\n{{ index $labels \"host\" }}: {{ humanizeDuration (index $values \"B\").Value }}\n
\u5176\u4e2d index $labels
\u540e\u9762\u7684\u53c2\u6570\u53ef\u4ee5\u662f\u524d\u9762 InfluxDB query \u4e2d GROUP BY \u7684 tag\uff0c\u53ef\u4ee5\u7075\u6d3b\u4f7f\u7528\u3002
\u624b\u5de5\u5904\u7406\u5b8c\u5168\u90e8 18 \u4e2a alert rules \u4e4b\u540e\uff08\u7d2f\u6b7b\u6211\u4e86\uff09\uff0c\u5c31\u53ef\u4ee5\u5f00\u59cb\u6d4b\u8bd5\u4e86\u3002
\u5148\u542f\u7528\u65b0\u7684 unified alerting\uff1a
/srv/docker/grafana/conf/grafana.ini[alerting]\nenabled = false\n\n[unified_alerting]\nenabled = true\n\n[unified_alerting.screenshots]\ncapture = true\n
\u7136\u540e\u627e\u4e2a\u673a\u5668\u91cd\u542f\u4e00\u4e0b\uff0c\u89e6\u53d1 Reboot alert\uff0c\u53bb Telegram \u7fa4\u91cc\u770b\u6d88\u606f\u548c\u56fe\u7247\u90fd\u6b63\u786e\u5192\u51fa\u6765\u4e86\uff0c\u5c31\u8bf4\u660e\u8fc1\u79fb\u6210\u529f\u4e86\u3002
Test alert \u4e0d\u4f1a\u89e6\u53d1\u622a\u56fe\uff0c\u5373\u4f7f\u8bbe\u7f6e\u4e86 Link dashboard and panel \u4e5f\u6ca1\u7528
"},{"location":"infrastructure/office/","title":"Office 365","text":""},{"location":"infrastructure/office/#application","title":"\u7533\u8bf7\u65b9\u5f0f","text":"\u7406\u8bba\u4e0a\u4efb\u4f55\u793e\u56e2\u8d1f\u8d23\u4eba\u6216\u8005\u5728\u793e\u56e2\u4e2d\u8d1f\u8d23\u91cd\u8981\u9879\u76ee\u7684\u4eba\u5458\u90fd\u53ef\u4ee5\u7533\u8bf7\uff0c\u539f\u5219\u662f\u6309\u9700\u5206\u914d\uff0c\u56e0\u4e3a\u90ae\u7bb1\u662f\u5de5\u4f5c\u5de5\u5177\uff0c\u800c\u4e0d\u662f\u798f\u5229\u8d44\u6e90\u3002
\u540c\u7406\uff0c\u4e0d\u518d\u62c5\u4efb\u8d1f\u8d23\u4eba\u4e14\u4e0d\u518d\u5904\u7406\u4e8b\u52a1\u7684\u540c\u5b66\u4f7f\u7528\u7684\u90ae\u7bb1\u5e94\u8be5\u6536\u56de\uff08\u89c1\u4e0b\u65b9 \u9ed8\u8ba4\u5730\u5740 \u4e00\u8282\uff09\u3002
"},{"location":"infrastructure/office/#email-etiquette","title":"\u90ae\u4ef6\u793c\u4eea","text":"CC\uff08\u6284\u9001\uff09\u548c\u8bbe\u7f6e\u56de\u590d\u5730\u5740\u7684\u76ee\u7684\u90fd\u662f\u4e3a\u4e86\u8ba9\u6240\u6709 LUG \u8d1f\u8d23\u7684\u540c\u5b66\u53ef\u4ee5\u770b\u5230\u4e8b\u4ef6\u6700\u65b0\u7684\u8fdb\u5c55
\u6284\u9001\u4f1a\u628a\u4f60\u53d1\u7684\u90ae\u4ef6\u7ed9\u6240\u6709\u7684\u8d1f\u8d23\u4eba\uff1b\u56de\u590d\u5730\u5740\uff08Reply-To\uff09\u8bbe\u7f6e\u4e4b\u540e\uff0c\u5bf9\u65b9\u5c31\u77e5\u9053\u8fd9\u662f\u4f60\u4ee3\u8868 LUG \u5199\u7684\u90ae\u4ef6\uff0c\u5e76\u4e14\u9ed8\u8ba4\u56de\u590d\u90ae\u4ef6\u7684\u65f6\u5019\u5730\u5740\u5c31\u662f\u6240\u6709\u8d1f\u8d23\u4eba\u7684\u90ae\u4ef6\u5217\u8868\u3002\u6240\u4ee5\u4e0b\u6587\u4e2d\u8981\u6c42\u8bbe\u7f6e\u8fd9\u4e9b\u5185\u5bb9\u3002
\u5982\u679c\u9047\u5230\u9700\u8981\u4ee5\u79c1\u4eba\u8eab\u4efd\uff0c\u6216\u8005\u4ee5\u5176\u4ed6\u975e LUG \u4ee3\u8868\u8d1f\u8d23\u4eba\u7684\u8eab\u4efd\u56de\u590d\u90ae\u4ef6\u7684\u573a\u5408\uff0c\u8bf7\u4fee\u6539\u56de\u590d\u5730\u5740\u4fe1\u606f\u3002\u56e0\u4e3a Outlook \u7f51\u9875\u7248\u4e0d\u4fbf\u4e8e\u4fee\u6539\u8fd9\u4e9b\u5185\u5bb9\uff0c\u5efa\u8bae\u4f7f\u7528\u90ae\u4ef6\u5ba2\u6237\u7aef\u5904\u7406\u3002\uff08\u4e2a\u4eba\u63a8\u8350 ThunderBird\uff09\u3002
\u5bf9\u4e8e\u9700\u8981\u5411\u975e\u90ae\u4ef6\u5217\u8868\u7684\u4e0d\u7279\u5b9a\u7fa4\u4f53\u7fa4\u53d1\u7684\u90ae\u4ef6\uff08\u4f8b\u5982\u901a\u77e5\u7c7b\u6d88\u606f\uff09\uff0c\u8bf7\u6ce8\u610f\u4e0d\u8981\u5c06\u6240\u6709\u90ae\u7bb1\u90fd\u653e\u5728\u6536\u4ef6\u4eba\u91cc\uff0c\u5426\u5219\u6240\u6709\u6536\u5230\u90ae\u4ef6\u7684\u4eba\u90fd\u80fd\u770b\u5230\u5176\u4ed6\u6536\u4ef6\u4eba\u7684\u90ae\u7bb1\uff08\u9690\u79c1\u95ee\u9898\uff09\uff1b\u5e76\u4e14\u6536\u4ef6\u4eba\u5982\u679c\u56de\u590d\u90ae\u4ef6\u4e0d\u5f53\uff0c\u5176\u4ed6\u7684\u6536\u4ef6\u4eba\u4e5f\u4f1a\u6536\u5230\u5176\u56de\u590d\u3002\u4e00\u79cd\u65b9\u4fbf\u7684\u505a\u6cd5\u662f\uff1a\u5c06\u6240\u6709\u9700\u8981\u6536\u5230\u901a\u77e5\u7684\u6536\u4ef6\u4eba\u653e\u5728\u5bc6\u9001 (BCC)\u4e00\u680f\u4e2d\uff0c\u6536\u4ef6\u4eba\u586b\u5199\u539f\u6284\u9001\u5730\u5740\u3002
\u6211\u4eec\u52a0\u5165\u4e86\u5f88\u591a\u90ae\u4ef6\u5217\u8868\uff0c\u5176\u4e2d\u7ecf\u5e38\u6709\u5404\u79cd\u5f80\u6765\u90ae\u4ef6\uff08\u7279\u522b\u662f CentOS mirror announcement \u8fd9\u4e2a\u5217\u8868\uff0c\u5df2\u9000\uff09\uff0c\u5b83\u4eec\u5927\u591a\u6570\u4e0d\u9700\u8981\u6211\u4eec\u7406\u4f1a\u3002
\u603b\u4e4b\uff0c\u4e0d\u77e5\u9053\u600e\u4e48\u5904\u7406\u7684\u90ae\u4ef6\u4e0d\u8981\u8d38\u7136\u56de\u590d\u3002\u5982\u679c\u4f60\u8ba4\u4e3a\u67d0\u4e00\u5c01\u90ae\u4ef6\u9700\u8981\u6211\u4eec\u5904\u7406\u4f46\u4e0d\u77e5\u9053\u600e\u4e48\u5904\u7406\uff0c\u8bf7\u8f6c\u544a\u7ed9\u5176\u4ed6\u76f8\u5173\u540c\u5b66\u3002
\u4ee5\u4e0b\u5185\u5bb9\u4ece Hypercube \u7f16\u5199\u7684\u5185\u5bb9\u4e2d\u622a\u53d6\uff1a
\u56de\u590d\u4efb\u4f55\u90ae\u4ef6\u65f6\uff0c\u8bf7\u6284\u9001 / CC\uff08\u4e0d\u662f\u5bc6\u9001 / BCC\uff09\u7ed9\u539f\u90ae\u4ef6\u7684\u6536\u4ef6\u5730\u5740\uff01\uff08\u6bd4\u5982\u522b\u4eba\u53d1\u5230 lug A ustc.edu.cn
\uff0c\u56de\u590d\u65f6\u4e5f\u8bf7 CC \u5230 lug A ustc.edu.cn
\uff09
\u8bf7\u4e0d\u8981\u201c\u53ea\u56de\u590d\u90ae\u4ef6\u201d\u3002\u5982\u679c\u5728\u56de\u590d\u4e2d\u8bf4\u201c\u6211\u4eec\u4f1a\u505a\u67d0\u67d0\u4e8b\u201d\uff0c\u8bf7\u6ce8\u610f\u9664\u975e\u4f60\u660e\u786e\u8f6c\u4ea4\u7ed9\u4e86\u522b\u4eba\uff0c\u8fd9\u4ef6\u4e8b\u5e94\u5f53\u7531\u4f60\u6765\u5b8c\u6210\u3002
"},{"location":"infrastructure/office/#lug-ustc-mailing-list","title":"\u52a0\u5165 LUG @ USTC \u5217\u8868","text":"\u672c\u8282\u9700\u8981\u7531 Microsoft 365 \u7684\u7ba1\u7406\u5458\u64cd\u4f5c
\u90ae\u4ef6\u5217\u8868\u7ba1\u7406\u5728 Microsoft Admin Portal \u7684 Distribution list \u9875\u9762\uff0c\u5176\u4e2d Staff \u7ec4\u548c Mirrors \u7ec4\u7684\u90ae\u4ef6\u5730\u5740\u5206\u522b\u662f lug A ustc.edu.cn
\u548c mirrors A ustc.edu.cn
\u7684\u8f6c\u53d1\u76ee\u6807\u3002
Outlook \u65e0\u6cd5\u76f4\u63a5\u901a\u8fc7\u7f51\u9875\u7aef\u6dfb\u52a0\u53d1\u4ef6\u4eba\u540d\u79f0\u3001\u8bbe\u7f6e\u56de\u590d\u5730\u5740\uff0c\u56e0\u6b64\u53ea\u80fd\u901a\u8fc7\u90ae\u4ef6\u5ba2\u6237\u7aef\u8fdb\u884c\u4f7f\u7528\u3002\u5728\u4e0b\u4e00\u7ae0\u8282\u7684 Thunderbird \u4e2d\u8fdb\u884c\u8be6\u7ec6\u9610\u8ff0\u3002
"},{"location":"infrastructure/office/#thunderbird","title":"Thunderbird \u914d\u7f6e","text":""},{"location":"infrastructure/office/#tb-login","title":"\u767b\u5f55","text":"\u5728\u767b\u5f55\u65f6\uff0c\u8f93\u5165\u4e86\u7528\u6237\u540d\u3001\u5bc6\u7801\u540e\uff0c\u4f1a\u663e\u793a\u65e0\u6cd5\u627e\u5230\u5bf9\u5e94\u7684\u90ae\u7bb1\u914d\u7f6e
\u8fdb\u884c\u5982\u4e0b\u7684\u624b\u52a8\u914d\u7f6e\uff1a
outlook.office365.com
smtp.office365.com
\u5982\u4e0b\u56fe\uff1a
\u7136\u540e\u70b9\u5de6\u4e0b\u89d2\u7684 Re-test\uff0c\u91cd\u65b0\u641c\u7d22\u5230\u914d\u7f6e\u540e\uff0c\u5728\u4e24\u4e2a Authentication method \u4e2d\u5747\u9009\u62e9 OAuth2\u3002
\u7136\u540e\u70b9 Done\u3002\u5728\u5f39\u51fa\u7684\u7a97\u53e3\u4e2d\u5b8c\u6210\u8ba4\u8bc1\u3002
"},{"location":"infrastructure/office/#tb-signature","title":"\u7b7e\u540d\u4e0e\u53d1\u4ef6\u8eab\u4efd","text":"\u5728\u53f3\u4e0a\u89d2\u4e2d\u9009\u62e9\u8d26\u6237\u8bbe\u7f6e\uff0c\u5728\u9ed8\u8ba4\u8eab\u4efd\u4e2d
Zeyu Gao on behalf of USTC LUG
\uff08\u8bf7\u6362\u6210\u81ea\u5df1\u7684\u540d\u5b57\uff09lug@ustc.edu.cn
\u4fee\u6539 Signature text (\u7b7e\u540d\u6587\u5b57) \u4e3a\uff08\u6700\u540e\u4e00\u884c\u6362\u6210\u81ea\u5df1\u7684\u4fe1\u606f\uff09
Linux User Group\nUniversity of Science and Technology of China\nHomepage: https://lug.ustc.edu.cn/\nE-Mail: lug@ustc.edu.cn\nZeyu Gao (\u9ad8\u6cfd\u8c6b) <zeyugao@ustclug.org>\n
\u7ed3\u679c\u5982\u56fe\uff1a
"},{"location":"infrastructure/office/#tb-cc","title":"\u6284\u9001\u8bbe\u7f6e","text":"\u5728\u8d26\u6237\u8bbe\u7f6e\u4e2d\uff0c\u9009\u62e9\u8eab\u4efd\u7ba1\u7406\uff0c\u70b9\u51fb\u7f16\u8f91\uff0c\u9009\u62e9 Copies and Folders, \u542f\u7528 Cc these email addresses, \u5e76\u8f93\u5165\u9ed8\u8ba4\u6284\u9001\u5730\u5740 lug A ustc.edu.cn
\u90ae\u4ef6\u53ef\u4ee5\u4ee5 HTML \u65b9\u5f0f\u7f16\u5199\uff0c\u4e5f\u53ef\u4ee5\u53ea\u662f\u7eaf\u6587\u672c\u5185\u5bb9\u3002\u4e3a\u4e86\u964d\u4f4e\u5bf9\u65b9\u9605\u8bfb\u51fa\u73b0\u9ebb\u70e6\u7684\u53ef\u80fd\u6027\uff0c\u5efa\u8bae\u4f7f\u7528\u7eaf\u6587\u672c\u6d88\u606f\u3002\u4f7f\u7528\u7eaf\u6587\u672c\u6d88\u606f\u7684\u65b9\u6cd5\u662f\uff1a\u6253\u5f00 Thunderbird \u8bbe\u7f6e \uff0c\u6253\u5f00 Account Settings \uff0c\u6253\u5f00\u5bf9\u5e94\u90ae\u4ef6\u5730\u5740\u4e0b\u7684 Composition & Addressing \u9875\u9762\uff0c\u5728 Composition \u8282\u4e0b\u627e\u5230 Compose messages in HTML format \uff0c\u5c06\u5176\u590d\u9009\u6846\u53bb\u9664\u52fe\u9009\u5373\u53ef\u3002
"},{"location":"infrastructure/office/#tb-folders","title":"\u6587\u4ef6\u5939","text":"Thunderbird \u7ef4\u62a4\u4e86\u81ea\u5df1\u7684\u6587\u4ef6\u5939\uff0c\u5982\u679c\u9700\u8981\u4e0e\u4e91\u7aef\u7684\u6587\u4ef6\u5939\u540c\u6b65\uff0c\u53ef\u4ee5\u8fdb\u884c\u5982\u4e0b\u64cd\u4f5c
\u5728\u8d26\u6237\u4e0a\u53f3\u952e\uff0c\u5728\u5f39\u51fa\u7684\u83dc\u5355\u4e2d\u70b9\u51fb Subscribe\u3002\u5f39\u51fa\u7684\u7a97\u53e3\u4e2d\u5305\u542b\u4e86\u4e91\u7aef\u7684\u6587\u4ef6\u5939\uff0c\u7531\u4e8e Thunderbird \u4f1a\u81ea\u884c\u7ef4\u62a4\u5783\u573e\u7bb1\u548c\u5df2\u53d1\u90ae\u4ef6\uff0c\u56e0\u6b64\u53ef\u80fd\u4f1a\u6709\u4e24\u4e2a\u5783\u573e\u7bb1\uff0cDeleted Items \u548c Trash\uff0c\u53ef\u4ee5\u5728\u7f51\u9875\u7aef\u5220\u9664\u4e0d\u9700\u8981\u7684\u6587\u4ef6\u5939\uff0c\u5e76\u5728 Thunderbird \u4e2d\u9009\u62e9\u9700\u8981\u7684\u3002
\u90ae\u4ef6\u6587\u4ef6\u5939\u672f\u8bed
\u8bf7\u6ce8\u610f\uff0c\u4ee5\u4e0b\u4e24\u8005\u662f\u4e0d\u540c\u7684\uff1a
\u88ab\u90ae\u4ef6\u7cfb\u7edf\u8ba4\u4e3a\u6709\u95ee\u9898\u7684\u90ae\u4ef6\u4f1a\u88ab\u6254\u8fdb \u5783\u573e\u90ae\u4ef6\u7bb1\uff0c\u800c\u4e0d\u662f \u5783\u573e\u7bb1\u3002
\u7136\u540e\u6253\u5f00\u8d26\u6237\u8bbe\u7f6e\uff0c\u8fdb\u884c\u5982\u4e0b\u4fee\u6539
\u5728 Server Settings \u4e0b\uff0c\u4fee\u6539 When I delete a message \u4e3a Move it to this folder: Deleted Items
\u5728 Copies & Folders \u4e0b\uff0c\u4fee\u6539 Place a copy\u3001Keep message archives in\u3001Keep draft messages in \u4e3a\u5bf9\u5e94\u7684\u8fdc\u7aef\u670d\u52a1\u5668\u6587\u4ef6\u5939
Outlook \u4e91\u7aef\u5df2\u7ecf\u5e26\u6709\u4e86\u5783\u573e\u90ae\u4ef6\u5206\u7c7b\u529f\u80fd\uff0c\u4e0d\u9700\u8981 Thunderbird \u81ea\u5df1\u7684\u5783\u573e\u90ae\u4ef6\u5206\u7c7b\u529f\u80fd\u3002
\u5728\u8d26\u6237\u8bbe\u7f6e\u7684 Local Folders \u4e0b\u7684 Junk Settings \u4e2d\uff0c\u53d6\u6d88\u9009\u4e2d Enable adaptive junk mail controls for this account\u3002
\u8bf7\u5728\u4e0a\u9762\u7684 Subscribe\uff08\u89c1 \u6587\u4ef6\u5939\uff09\u4e2d\u5c06\u5783\u573e\u90ae\u4ef6\u9009\u4e2d\u4ee5\u540c\u6b65\u3002\u6b64\u5916\uff0c\u7531\u4e8e Outlook \u76ee\u524d\u4f1a\u5c06\u51e0\u4e4e\u6240\u6709\u90ae\u4ef6\u90fd\u6254\u8fdb\u5783\u573e\u90ae\u4ef6\u7bb1\uff08\u539f\u56e0\u4f3c\u4e4e\u662f M365 \u7684\u673a\u5668\u5b66\u4e60\u6a21\u578b\u4f1a\u628a\u6240\u6709\u79d1\u5927\u7684\u90ae\u4ef6\u6254\u8fdb\u5783\u573e\u7bb1\uff09\uff0c\u56e0\u6b64\u8bbe\u7f6e\u62c9\u53d6\u90ae\u4ef6\u65f6\u603b\u662f\u68c0\u67e5\u5783\u573e\u90ae\u4ef6\u7bb1\u3002\u8bbe\u7f6e\u65b9\u6cd5\u4e3a\u5728\u5783\u573e\u90ae\u4ef6\u76ee\u5f55\u4e0a\u70b9\u51fb\u53f3\u952e \u2192 \u5c5e\u6027\uff0c\u7136\u540e\u9009\u62e9\u8fd9\u91cc\u7b2c\u4e8c\u4e2a\u52fe\uff1a
\u6ce8\u610f
\u4e0d\u8981\u67e5\u770b\u5783\u573e\u90ae\u4ef6\u7684\u8fdc\u7a0b\u5185\u5bb9\u3002\u4e0d\u8981\u56de\u590d\u5783\u573e\u90ae\u4ef6\u3002\u6b63\u5e38\u90ae\u4ef6\u9700\u8981\u624b\u52a8\u79fb\u52a8\u5230\u6536\u4ef6\u7bb1\u3002
"},{"location":"infrastructure/office/#tb-profiles","title":"\u4f7f\u7528 Thunderbird \u914d\u7f6e\u4e0d\u540c\u7684\u8eab\u4efd","text":"(written by taoky)
\u5728\u67d0\u4e9b\u60c5\u51b5\u4e0b\uff0c\u9700\u8981\u8bbe\u7f6e\u65b0\u7684\u53d1\u4ef6\u4eba\u540d\u79f0\u548c\u56de\u590d\u5730\u5740\uff08\u4f8b\u5982 hackergame staff \u9700\u8981\u4e00\u5957\u4e0d\u540c\u7684\u8bbe\u7f6e\uff09\u3002\u7531\u4e8e Gmail \u7f51\u9875\u7aef\u4fee\u6539\u914d\u7f6e\u5f88\u9ebb\u70e6\uff08\u800c\u4e14\u5f88\u5bb9\u6613\u5fd8\u8bb0\u6539\u56de\u6765\uff09\uff0c\u5f3a\u70c8\u5efa\u8bae\u4f7f\u7528\u90ae\u4ef6\u5ba2\u6237\u7aef\u3002\u4e2a\u4eba\u4f7f\u7528\u7684\u662f Thunderbird\uff0c\u4e0b\u9762\u4e5f\u4ee5\u5b83\u4e3a\u4f8b\u5b50\u3002
\u5728\u8d26\u53f7\u52a0\u4e0a\u90ae\u7bb1\u4e4b\u540e\uff0c\u70b9\u51fb\u53f3\u952e \u2192 \u5c5e\u6027\uff0c\u9ed8\u8ba4\u914d\u7f6e\uff08LUG Staff\uff09\u5982\u56fe\uff1a
\u9700\u8981\u6dfb\u52a0\u65b0\u8eab\u4efd\u65f6\uff0c\u70b9\u51fb\u53f3\u4e0b\u89d2\u300c\u7ba1\u7406\u6807\u8bc6\u300d\uff0c\u6dfb\u52a0\u5bf9\u5e94\u7684\u6807\u8bc6\u3002\u5bf9\u4e8e hackergame\uff0c\u53ef\u4ee5\u914d\u7f6e\u5982\u4e0b\uff1a
\u5e76\u53c2\u8003\u6284\u9001\u8bbe\u7f6e \u914d\u7f6e\u9ed8\u8ba4\u6284\u9001\u5730\u5740 (hackergame A ustclug.org
)
\u914d\u7f6e\u5b8c\u6210\u540e\uff0c\u5728\u7f16\u5199\u90ae\u4ef6\u65f6\uff0c\u5c31\u53ef\u4ee5\u9009\u62e9\u65b0\u7684\u6807\u8bc6\u4e86\uff0c\u5e76\u4e14\u53d1\u4ef6\u4eba\u540d\u79f0\u3001\u56de\u590d\u5730\u5740\u548c\u7b7e\u540d\u90fd\u4f1a\u81ea\u52a8\u8bbe\u7f6e\u597d\u3002
\u4f7f\u7528 Thunderbird \u914d\u7f6e\u5b66\u6821\u90ae\u7bb1\u9700\u8981\u7684\u989d\u5916\u8bbe\u7f6ejames: \"thunderbird\u67d0\u6b21\u5347\u7ea7\u540e\u51fa\u4e86\u4e00\u4e2abug\uff0c\u8fde\u63a5\u65f6\u670d\u52a1\u5668\u8fd4\u56de\u652f\u6301utf8\uff0ctb\u53d1\u4e86\u4e00\u4e2a\u547d\u4ee4enable utf8\uff0c\u670d\u52a1\u5668\u6b63\u5e38\u8fd4\u56de\u540e\uff0ctb\u6709bug\u8ba4\u4e3a\u4e00\u76f4\u5728\u7b49\u670d\u52a1\u5668\u5e94\u7b54\u3002\"
\u6240\u4ee5\u5982\u679c\u9700\u8981\u4f7f\u7528 Thunderbird \u4ece mail.ustc.edu.cn \u6536\u53d1\u90ae\u4ef6\uff0c\u9700\u8981\u505a\u4ee5\u4e0b\u7684\u914d\u7f6e\uff1aEdit -> Settings\uff0c\u5728 \"General\" \u4e2d\u62d6\u5230\u6700\u4e0b\u9762\u9009\u62e9 \"Config Editor...\"\u3002\u5728\u65b0\u5f39\u51fa\u7684\u9ad8\u7ea7\u914d\u7f6e\u7684\u6807\u7b7e\u4e2d\u8f93\u5165 utf8\uff0c\u5c06 mail.server.default.allow_utf8_accept
\u7684\u503c\u4ece true \u6539\u6210 false\u3002\u8fd9\u4e2a\u8bbe\u7f6e\u4e0d\u4f1a\u5f71\u54cd\u5176\u4ed6\u90ae\u7bb1\u7684\u4f7f\u7528\u3002
Warning
\u7531\u4e8e Google \u5c06 G Suite \u5168\u9762\u8f6c\u5411\u4ed8\u8d39\u670d\u52a1\uff0c\u6211\u4eec\u5df2\u5728 2022 \u5e74 3 \u6708 31 \u65e5\u540e\u505c\u6b62\u4f7f\u7528 G Suite \u76f8\u5173\u670d\u52a1\u3002\u8f6c\u5411 Office 365 \u63d0\u4f9b\u7684\u670d\u52a1\u3002\u4ee5\u4e0b\u5185\u5bb9\u4ec5\u4f5c\u4e3a\u5b58\u6863\u4e0e\u53c2\u8003
\u4ee5\u4e0b\u539f\u6587\u7531 Hypercube \u7f16\u5199
\u5927\u5bb6\u597d\uff0c
\u8bf7\u5404\u4f4d\u9605\u8bfb\u4e0b\u65b9\u5185\u5bb9\uff0c\u5e76\u6309\u6307\u793a\u914d\u7f6e\u81ea\u5df1\u7684\u90ae\u7bb1\uff1a
\u767b\u5f55\u7f51\u9875\u7248 Gmail\uff0c\u5728\u53f3\u4e0a\u89d2\u70b9\u5f00\u8bbe\u7f6e\uff0c\u4e8e\u201c\u5e38\u89c4\u201d\u6807\u7b7e\u9875\u4e2d\u8bbe\u7f6e\u201c\u7b7e\u540d\u201d\u4e3a\u7eaf\u6587\u672c\u5982\u4e0b\u5185\u5bb9\uff08\u5171 5 \u884c\uff0c\u5c06\u6700\u540e\u4e00\u884c\u6362\u6210\u81ea\u5df1\u7684\u4fe1\u606f\uff09\uff1a
Linux User Group University of Science and Technology of China Homepage: https://lug.ustc.edu.cn/ E-Mail: lug@ustc.edu.cn Zibo Wang (\u738b\u5b50\u535a) <example@ustclug.org>
\u4e8e\u201c\u8d26\u53f7\u201d\u6807\u7b7e\u9875\u4e2d\u201c\u7528\u8fd9\u4e2a\u5730\u5740\u53d1\u9001\u90ae\u4ef6\u201d\u5185\u70b9\u201c\u4fee\u6539\u4fe1\u606f\u201d\uff0c\u5728\u5f39\u51fa\u7a97\u53e3\u4e2d\u8f93\u5165\u540d\u79f0\u201cZibo Wang on behalf of USTC LUG\u201d\uff08\u8bf7\u6362\u6210\u81ea\u5df1\u7684\u540d\u5b57\uff09\uff0c\u8f93\u5165\u56de\u590d\u5730\u5740\u201clug@ustc.edu.cn
\u201d\u3002
\u8fd8\u53ef\u4ee5\u89c6\u81ea\u5df1\u9700\u8981\u5728\u201c\u8f6c\u53d1\u548c POP / IMAP\u201d\u6807\u7b7e\u9875\u4e2d\u914d\u7f6e\u81ea\u52a8\u8f6c\u53d1\uff0c\u4f46\u8bf7\u6ce8\u610f\uff0c\u5982\u679c\u4f60\u914d\u7f6e\u4e86\u8f6c\u53d1\u5230\u81ea\u5df1\u7684\u5e38\u7528\u90ae\u7bb1\uff0c\u8bf7\u4e0d\u8981\u76f4\u63a5\u4ece\u5e38\u7528\u90ae\u7bb1\u56de\u590d\u90ae\u4ef6\uff0c\u800c\u5e94\u8be5\u767b\u5f55 LUG \u90ae\u7bb1\u56de\u590d\u3002 \u56de\u590d\u4efb\u4f55\u90ae\u4ef6\u65f6\uff0c\u8bf7\u6284\u9001 / CC\uff08\u4e0d\u662f\u5bc6\u9001 / BCC\uff09\u7ed9\u539f\u90ae\u4ef6\u7684\u6536\u4ef6\u5730\u5740\uff01\uff08\u6bd4\u5982\u522b\u4eba\u53d1\u5230 lug A ustc.edu.cn \uff0c\u56de\u590d\u65f6\u4e5f\u8bf7 CC \u5230 lug A ustc.edu.cn\uff09
\u8bf7\u4e0d\u8981\u201c\u53ea\u56de\u590d\u90ae\u4ef6\u201d\u3002\u5982\u679c\u5728\u56de\u590d\u4e2d\u8bf4\u201c\u6211\u4eec\u4f1a\u505a\u67d0\u67d0\u4e8b\u201d\uff0c\u8bf7\u6ce8\u610f\u9664\u975e\u4f60\u660e\u786e\u8f6c\u4ea4\u7ed9\u4e86\u522b\u4eba\uff0c\u8fd9\u4ef6\u4e8b\u5e94\u5f53\u7531\u4f60\u6765\u5b8c\u6210\u3002
\u5728\u6dfb\u52a0\u4e86\u7b7e\u540d\u540e\uff0c\u5728\u4e0b\u9762\u7684\u201c\u9ed8\u8ba4\u7b7e\u540d\u8bbe\u7f6e\u201d\u4e2d\uff0c\u5c06\u201c\u7528\u4e8e\u65b0\u7535\u5b50\u90ae\u4ef6\u201d\u4ee5\u53ca\u201c\u7528\u4e8e\u56de\u590d/\u8f6c\u53d1\u201d\u5747\u9009\u62e9\u4e3a\u4e0a\u9762\u6dfb\u52a0\u7684\u7b7e\u540d\u3002
\u8bb0\u5f97\u6eda\u52a8\u5230\u9875\u9762\u6700\u4e0b\u65b9\u70b9\u51fb\u201c\u4fdd\u5b58\u9875\u9762\u201d\uff01
"},{"location":"infrastructure/office/#default-route","title":"\u8bbe\u7f6e\u9ed8\u8ba4\u5730\u5740","text":"\u672c\u8282\u5199\u7684\u662f G Suite \u7528\u6cd5\uff0c\u9700\u8981\u66f4\u65b0\u6210 Office 365
G Suite \u652f\u6301\u5c06\u5355\u4e2a\u5730\u5740\u8bbe\u4e3a\u201c\u9ed8\u8ba4\u5730\u5740\u201d\uff0c\u7528\u4e8e\u63a5\u53d7\u53d1\u5f80\u4e0d\u5b58\u5728\u7684\u5730\u5740\u7684\u90ae\u4ef6\u3002
\u53c2\u8003\u8d44\u6599\uff1ahttps://support.google.com/a/answer/2368153
\u5bf9\u4e8e\u4e2d\u6587\u754c\u9762\uff0c\u5e94\u8be5\u4ece Google Admin \u63a7\u5236\u53f0\u6309\u987a\u5e8f\u9009\u62e9 \u5e94\u7528 \u2192 G Suite \u2192 Gmail \u2192 \u9ad8\u7ea7\u8bbe\u7f6e\uff0c\u5176\u4e2d\u7684 \u65e0\u9650\u522b\u540d\u5730\u5740 \u5c31\u662f\u8fd9\u4e2a\u9009\u9879\uff0c\u4e00\u822c\u53d1\u7ed9\u4f1a\u957f\u6216 CTO\u3002
"},{"location":"infrastructure/raid/","title":"RAID","text":""},{"location":"infrastructure/raid/#megaraid","title":"MegaRAID \u5e38\u7528\u547d\u4ee4","text":"MegaRAID \u6e90\u91cc\u6ca1\u6709\uff0c\u9700\u8981\u4ece\u5b98\u7f51\u4e0b\u8f7d RPM \u5305\u540e\u624b\u52a8\u89e3\u538b\u3002Debian 10 \u5b89\u88c5 libncurses5 \u540e\u53ef\u4f7f\u7528\u3002
sudo /opt/MegaRAID/MegaCli/MegaCli64 -adpallinfo -aAll # \u67e5\u770b\u6240\u6709\u4fe1\u606f\nsudo /opt/MegaRAID/MegaCli/MegaCli64 -pdlist -aall # \u67e5\u770b\u7269\u7406\u76d8\u4fe1\u606f\n
"},{"location":"infrastructure/raid/#_1","title":"\u76d1\u63a7","text":"\u73b0\u5728\u90e8\u7f72\u7684\u65b9\u6848\u662f\u7531 telegraf \u6267\u884c\u89e3\u6790\u811a\u672c\uff0c\u5c06\u6570\u636e\u53d1\u9001\u5230 influxdb\uff0c\u7531 grafana \u62a5\u8b66\u3002
\u811a\u672c\uff1a
https://docs.broadcom.com/docs-and-downloads/raid-controllers/raid-controllers-common-files/8-07-07_MegaCLI.zip
ESXi 5 \u7684 binary \u548c ESXi 6.0 \u517c\u5bb9\u3002
esxcli software vib install -v=/tmp/vmware-esx-MegaCli-8.07.07.vib --no-sig-check\n
\u7136\u540e\u8fdb\u5165 /opt/lsi/MegaCLI
\u76ee\u5f55\u6267\u884c MegaCli
.
pve-6 \u7684 RAID \u65b9\u6848\u662f HPE Smart Array\u3002\u5bf9\u5e94\u4f7f\u7528\u65b9\u6cd5\u53ef\u4ee5\u53c2\u8003 https://gist.github.com/mrpeardotnet/a9ce41da99936c0175600f484fa20d03\u3002
\u5bf9\u5e94\u4e3b\u673a\u9700\u8981\u5b89\u88c5 https://downloads.linux.hpe.com/SDR/repo/mcp/Debian/pool/non-free/ssacli-5.30-6.0_amd64.deb\uff08HPE \u6e90\u5b9e\u5728\u592a\u6162\u4e86\uff09\u3002
"},{"location":"infrastructure/sshca/","title":"SSH Certificate Authentication","text":"Discussion: SSH \u5347\u7ea7\u5230\u8bc1\u4e66\u767b\u9646\u65b9\u6848\u8ba8\u8bba
Usage: SSH \u8bc1\u4e66\u8ba4\u8bc1\u7684\u4f7f\u7528\u65b9\u6cd5 (See also: iBug's blog)
"},{"location":"infrastructure/sshca/#introduction","title":"Introduction","text":"An SSH Certificate Authority (CA) is a trusted key pair that issues certificates. It has the same format as a regular SSH private-public key pair (it is, in fact).
Certificates can be used for authentication on both the server side and the client side. But certificates cannot issue new certificates (i.e. no chains), it is the very difference from X.509 certificate system.
"},{"location":"infrastructure/sshca/#server-setup","title":"Server setup","text":""},{"location":"infrastructure/sshca/#trustedusercakeys","title":"Configure server to accept client certificates","text":"First drop our public key to /etc/ssh/ssh_user_ca
:
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1Bxw9AXoZvc9HTe5o4f7/qOROcmzvlcO5oofoF3pewtRnhNpcd/DwmxSblqpj/cjLYkE32mSCzMYY8X0CRFyMJsgSIDC4i4LXDNU0e8PbB2NIQAAeyfJEU5m/Dn1tPw9WvPtPqHCRvgSwnRfzYngMVWROgV2Qe6pOqTTgetEYfb5gkDc2i1M7yfTp3H3ExfrDKwOKPc/9UYOADMFU6u1fJN+4epLETilHC1ubtBeVi23pn1K+LDy06Gwhq1MLljCM7gFBMrmv894HrOHU4WrzLUlfkiDt2cyXLb4qPWYqilBFLUjU92kjmiI/EwB/8pR1WmdU7FoYpdgBHNr3NT53 LUG-CA\n
Then add the following line to sshd config (Debian 11+):
/etc/ssh/sshd_config.d/ustclug.confTrustedUserCAKeys /etc/ssh/ssh_user_ca\n
Old version config (<= Debian 10)
On Debian 10 (buster) or older, sshd_config
does not support the Include
directive. Thus any extra setting must be added in the main sshd_config
file directly.
Warning
When signing certificates using OpenSSH <= 8.1, add -t rsa-sha2-512
to the ssh-keygen
command. More details can be found here: https://ibug.io/p/35
Note
Some of our servers may still be running Debian Jessie, which has OpenSSH 6.7 that does not support SHA-2 certificate algorithms (OpenSSH 7.2 required). Sign with -t ssh-rsa
instead if you want to log in to such servers.
January 2022 update: We believe we have got rid of all Jessie systems, so this should no longer be the case.
Copy the file /etc/ssh/ssh_host_rsa_key.pub
from target server.
Then, run ssh-keygen
to issue a public key. For example:
ssh-keygen -s /path/to/ssh_ca \\\n -I blog \\\n -h \\\n -n blog.s.ustclug.org,blog.p.ustclug.org,10.254.0.15,202.141.176.98,202.141.160.98 \\\n ssh_host_rsa_key.pub\n
Then, copy the certificate file ssh_host_rsa_key-cert.pub
back to target server.
At last, add the following lines to sshd config:
/etc/ssh/sshd_config.d/ustclug.confHostKey /etc/ssh/ssh_host_rsa_key\nHostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub\n
Warning
See the same warning block above.
Certificate will take effect after SSH daemon is reloaded (systemctl reload ssh
).
Add the following line to your known_hosts
:
@cert-authority * ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1Bxw9AXoZvc9HTe5o4f7/qOROcmzvlcO5oofoF3pewtRnhNpcd/DwmxSblqpj/cjLYkE32mSCzMYY8X0CRFyMJsgSIDC4i4LXDNU0e8PbB2NIQAAeyfJEU5m/Dn1tPw9WvPtPqHCRvgSwnRfzYngMVWROgV2Qe6pOqTTgetEYfb5gkDc2i1M7yfTp3H3ExfrDKwOKPc/9UYOADMFU6u1fJN+4epLETilHC1ubtBeVi23pn1K+LDy06Gwhq1MLljCM7gFBMrmv894HrOHU4WrzLUlfkiDt2cyXLb4qPWYqilBFLUjU92kjmiI/EwB/8pR1WmdU7FoYpdgBHNr3NT53 LUG-CA\n
And when you log in to a LUG server, it is automatically trusted. If you find a machine that does not support this setup, report it to CTO.
"},{"location":"infrastructure/sshca/#issue-a-client-certificate","title":"Issue a client certificate","text":"ssh-keygen -s /path/to/ssh_ca \\\n -I certificate_identity \\\n -n principals \\\n [-O options] \\\n [-V validity_interval] \\\n public_key_file\n
For example:
ssh-keygen -s /path/to/ssh_ca -I \"Yifan Gao\" -n yifan -V -5m:+365d yifan.pub\n
In general, certificate_identity is the user's full name, and principals is the system username. The certificate identity is used to identify certificates and is logged in system logs. In addition, one certificate can carry multiply principals, like:
ssh-keygen -s /path/to/ssh_ca -I \"Yifan Gao\" -n yifan,root,liims -V -5m:+365d yifan.pub\n
It authorizes the certificate owner to login to any server as yifan
, root
or liims
user.
Note
The liims
principal is used to log into library inquiry machines.
Tip
The validity interval by default starts at the current system time. Using -5m:+365d
creates a certificate valid from 5 minutes ago to make up for offset times on other systems. Otherwise it's not much useful to have a validity period starting from a long time ago.
For security purposes, avoid creating certificates without a defined validity period. It's also recommended to keep validity periods as short as necessary.
"},{"location":"infrastructure/ssl/","title":"SSL Certificates","text":"Discussion: #224
Our SSL certificates are automatically renewed on GitHub ustclug/ssl-cert ( Private).
We delegate the subdomain ssl-digitalocean.ustclug.org
to DigitalOcean DNS hosting, and use acme.sh DNS alias mode to issue certificates. For this to work, we have the following CNAME records in place:
_acme-challenge.lug.ustc.edu.cn -> lug.ssl-digitalocean.ustclug.org\n_acme-challenge.ustclug.org -> lug.ssl-digitalocean.ustclug.org\n_acme-challenge.proxy.ustclug.org -> lug.ssl-digitalocean.ustclug.org\n\n_acme-challenge.vpn.lug.ustc.edu.cn -> lugvpn.ssl-digitalocean.ustclug.org\n_acme-challenge.vpn.ustclug.org -> lugvpn.ssl-digitalocean.ustclug.org\n\n_acme-challenge.mirrors.ustc.edu.cn -> mirrors.ssl-digitalocean.ustclug.org\n
Individual machines that use SSL certificates should pull from the said repository (branch cert
). Certificates may be loaded via symbolic links (for processes running on the host system directly), or copied around from within the updater script (when there are path constraints, e.g. in a Docker container). The update task is managed by cron.
Update script for reference:
/etc/ssl/private/.git/update.sh#!/bin/sh\n\ncd \"/etc/ssl/private\"\n\ngit fetch -q\nif [ \"$(git rev-parse HEAD)\" = \"$(git rev-parse '@{u}')\" ]; then\n exit 0\nfi\ngit reset --hard '@{u}'\n\n# Display certificate dates. This section is optional\nif command -v openssl >/dev/null 2>&1; then\n echo \"Cert has been updated. New expiry:\"\n for f in */cert.pem; do\n echo \"$f:\"\n openssl x509 -in \"$f\" -noout -dates\n done\nelse\n echo \"Cert has been updated.\"\nfi\n\nsystemctl reload openresty.service\n# Other `cp -a` or `docker restart` commands, etc.\n
The DigitalOcean account we use is owned by iBug and has nothing else running.
Plan B
Hurricane Electric provides hosted DNS zones for free, which is also supported by acme.sh
. This makes HE DNS a feasible alternative should our current dependency (DigitalOcean) fails.
PXE manages its own certificates with acme.sh
and validates via HTTP-01 challenge. The certificates are stored in /etc/acme.sh/pxe.ustc.edu.cn/
.
Tinc VPN \u662f LUG \u5185\u7f51\u7684\u4e3b\u8981\u6784\u6210\u8f6f\u4ef6\uff0cLDAP \u9700\u8981\u7528\u5230\u5b83\uff08\u56e0\u4e3a ldap \u670d\u52a1\u5668\u662f\u4e2a\u5185\u7f51\u670d\u52a1\u5668\uff09
"},{"location":"infrastructure/tinc/#_1","title":"\u5b89\u88c5","text":"Debian 9+ \u53ef\u4ee5\u76f4\u63a5\u4ece apt \u6e90\u5b89\u88c5 tinc
\u5305\u3002
\u4e0d\u65e9\u8bf4\u8fd9\u73a9\u610f\u6709\u4e2a Git \u4ed3\u5e93\uff1f\uff1fhttps://git.lug.ustc.edu.cn/ustclug/tinc-configure
\u65e2\u7136\u6709\u4ed3\u5e93\u6240\u4ee5\u8981\u505a\u7684\u4e8b\u60c5\u6bd4\u8f83\u7b80\u5355\uff0c\u8fdb\u5165 /etc/tinc
\u76ee\u5f55\u51c6\u5907\u548c Git \u4ed3\u5e93\u540c\u6b65\u914d\u7f6e\uff1a
git init\ngit remote add origin https://git.lug.ustc.edu.cn/ustclug/tinc-configure.git\ngit fetch origin master\ngit reset --hard FETCH_HEAD\n
\u6ce8\u610f git reset
\u4f1a\u8986\u76d6\u90e8\u5206\u6587\u4ef6\uff0c\u5efa\u8bae\u5728\u5168\u65b0\u5b89\u88c5 tinc
\u4e4b\u540e\u8fdb\u884c\u540c\u6b65\u914d\u7f6e\u3002
\u914d\u7f6e\u5b8c\u6210\u540e\u6267\u884c systemctl enable tinc@ustclug.service
\u4f7f tinc \u80fd\u591f\u5f00\u673a\u542f\u52a8\u3002
\u9996\u5148\u9700\u8981\u5728\u65b0\u4e3b\u673a\u4e0a\u751f\u6210\u5bc6\u94a5\uff1a
tincd -n ustclug -K\n
\u7136\u540e\u5728 /etc/tinc/ustclug/hosts/$HOST
\u6700\u540e\u8865\u4e0a\u4e00\u884c\uff1a
Address = [\u8fd9\u53f0\u673a\u5668\u7684\u516c\u7f51IP]\n
\u628a\u65b0\u589e\u7684\u8fd9\u4e2a\u6587\u4ef6\u63d0\u4ea4\u8fdb Git \u4ed3\u5e93\uff0c\u5e76\u5728 {ldap,board,gateway-el,gateway-nic}.s.ustclug.org
\u7b49\u591a\u53f0\u673a\u5668\u4e0a\u901a\u8fc7 git pull
\u66f4\u65b0\uff0c\u5e76 systemctl reload tinc@ustclug.service
\u3002
\u6d4b\u8bd5\u7684\u65f6\u5019\uff0c\u4f60\u53ef\u4ee5\u76f4\u63a5\u901a\u8fc7 ifconfig
\u7b49\u65b9\u5f0f\u6307\u5b9a\u4e00\u4e2a\u4e34\u65f6\u7684 IP\uff0c\u6ce8\u610f\u4e0d\u8981\u4e0e\u5df2\u6709\u7684\u5185\u7f51 IP \u51b2\u7a81\uff1a
ifconfig 10.254.0.xxx/21 ustclug\n
\u8fd9\u65f6\u5019\u5e94\u8be5\u80fd\u4ece\u5176\u4ed6\u673a\u5668 ping \u901a\u8fd9\u4e2a IP\u3002
\u6307\u5b9a\u9759\u6001\u5185\u7f51 IP \u7684\u6b63\u786e\u65b9\u6cd5\u662f\u5728 DNS \u4e2d\u6dfb\u52a0\u4e00\u6761\u8fd9\u6837\u7684\u8bb0\u5f55\uff1a
$ORIGIN s.ustclug.org\n<HOST> 600 IN A <Intranet IP>\n
\u7136\u540e\u5728\u673a\u5668\u4e0a\u91cd\u542f systemctl restart tinc@ustclug.service
\u5c31\u80fd\u81ea\u52a8\u83b7\u53d6\u4e86\u3002
Tip
\u5bf9\u4e8e Debian 11+ \u7684\u7cfb\u7edf\uff0c\u5efa\u8bae\u4fdd\u6301 sshd_config
\u4e0d\u52a8\uff0c\u5c06\u81ea\u5b9a\u4e49\u7684\u914d\u7f6e\u5199\u5165 sshd_config.d/ustclug.conf
\uff0c\u4ee5\u51cf\u5c11\u66f4\u65b0 ssh \u8f6f\u4ef6\u5305\u65f6\u7684\u914d\u7f6e\u6587\u4ef6\u51b2\u7a81\u3002\u6ce8\u610f\u5982\u679c\u8fd9\u4e48\u505a\u7684\u8bdd\u9700\u8981\u628a\u914d\u7f6e\u6587\u4ef6\u91cc\u7684 Subsystem sftp
\u5220\u6389\uff0c\u5426\u5219 sshd \u4f1a\u62a5\u9519\u201c\u91cd\u590d\u6307\u5b9a\u4e86 Subsystem sshd\u201d\u3002
\u4ee5\u4e0b\u914d\u7f6e\u4f9b\u53c2\u8003\uff0c\u590d\u5236\u65f6\u6ce8\u610f\u4fee\u6539 Match LocalAddress
\u540e\u9762\u7684\u5185\u5bb9\uff08\u5185\u7f51\u5730\u5740\u548c AllowGroups \u6700\u540e\u7684\u540d\u79f0\uff09\uff1a
AddressFamily inet\nUseDNS no\n\nHostKey /etc/ssh/ssh_host_rsa_key\nHostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub\nTrustedUserCAKeys /etc/ssh/ssh_user_ca\nRevokedKeys /etc/ssh/ssh_revoked_keys\n\nPasswordAuthentication no\nPubkeyAuthentication no\nChallengeResponseAuthentication no\nUsePAM yes # LDAP for Debian\n\nAcceptEnv LANG LC_*\nX11Forwarding yes\nPrintLastLog no\nPrintMotd no\nSubsystem sftp /usr/lib/openssh/sftp-server\n\nMatch LocalAddress 10.254.0.0\n AllowGroups ssh_local super_manager ssh_groupname\n PasswordAuthentication yes\n PubkeyAuthentication yes\n\n# Public IP access = root-only\nMatch LocalAddress 202.38.95.110,202.141.160.110,202.141.176.110,218.104.71.170\n AllowUsers root\n PubkeyAuthentication yes\n AuthorizedKeysFile none # \u5c4f\u853d\u516c\u94a5\uff0c\u4ec5\u5141\u8bb8\u8bc1\u4e66\u767b\u5f55\n\n# For SSH Push trigger\nMatch User mirror\n AllowUsers mirror\n AuthenticationMethods publickey\n PermitTTY no\n PermitTunnel no\n X11Forwarding no\n\nMatch All #(1)\n
Match All
\u6765\u7ed3\u675f\u4e0a\u9762\u7684 Match \u5757\u3002\u7531\u4e8e Include
\u6307\u4ee4\u51fa\u73b0\u5728 /etc/ssh/sshd_config
\u7684\u6700\u4e0a\u9762\uff0c\u800c\u63a5\u4e0b\u6765\u7684\u5185\u5bb9\u90fd\u662f\u5168\u5c40\u8bbe\u7f6e\uff0c\u56e0\u6b64\u4f7f\u7528 Match All
\u4fdd\u8bc1\u539f\u5148\u7684\u5185\u5bb9\u7ee7\u7eed\u4f5c\u7528\u4e8e\u5168\u5c40\uff0c\u800c\u4e0d\u662f\u50cf\u4e0a\u9762\u8fd9\u4e2a\u4f8b\u5b50\u4e00\u6837\u53d8\u6210 Match User mirror
的设置。注意 HostCertificate, TrustedUserCAKeys 和 RevokedKeys 这三个文件必须存在且可读：特别是 RevokedKeys 指向的文件不存在时，sshd 会拒绝所有用户的公钥和证书认证（fail-closed），表现为不能密钥登录只能密码登录。
HostCertificate 需要手动签发一个，另外两个文件从别的机器上复制就行。由于 RevokedKeys 是手动复制的，每次吊销用户密钥或证书后都必须把更新后的文件同步到所有机器，否则被吊销的凭据在尚未同步的机器上仍然可以登录。
"},{"location":"infrastructure/discontinued/","title":"\u4e0d\u518d\u4f7f\u7528\u7684\u57fa\u7840\u8bbe\u65bd","text":"Warning
Content under this section is not necessarily up-to-date.
"},{"location":"infrastructure/discontinued/#saltstack","title":"SaltStack","text":"\u76ee\u524d\u4e0d\u77e5 SaltStack \u4f55\u65f6\u5f00\u59cb\u4f7f\u7528\uff0c\u4f46\u662f\u6211\u4eec\u6ca1\u6709\u4efb\u4f55\u4f9d\u8d56\u4e8e salt \u7684\u914d\u7f6e\u3002\u51fa\u4e8e\u8003\u8651\u5230 salt \u51fa\u73b0\u8fc7\u975e\u5e38\u4e25\u91cd\u7684 CVE\uff0csaltstack \u5df2\u4e0d\u518d\u8003\u8651\u4f7f\u7528\uff0c\u4e14\u5728\u5df2\u77e5\u7684\u673a\u5668\u4e0a\u90fd\u5df2\u5220\u9664\u3002\u5982\u679c\u4f60\u53d1\u73b0\u67d0\u53f0 lug \u7684\u673a\u5668\u4e0a\u5b89\u88c5\u4e86 salt\uff0c\u8bf7\u901a\u77e5 CTO \u4ee5\u5c06\u5176\u5220\u9664\u3002
\u5728\u81ea\u52a8\u5316\u8fd0\u7ef4\u65b9\u9762\uff0c\u672a\u6765\u4f1a\u8c03\u7814 ansible\u3002
"},{"location":"infrastructure/discontinued/#vsphere","title":"vSphere \u96c6\u7fa4","text":"\u6211\u4eec\u4ece 2015 \u5e74\uff08\u6216\u66f4\u65e9\uff09\u5f00\u59cb\u4f7f\u7528 vSphere \u5e73\u53f0\uff08ESXi + vCenter\uff09\u8fd0\u884c\u865a\u62df\u673a\u3002\u7531\u4e8e VMware \u4e13\u6709\u5e73\u53f0\u7684\u590d\u6742\u6027\u96be\u4ee5\u7ef4\u62a4\uff0c\u6211\u4eec\u5df2\u4e8e 2022 \u5e74 1 \u6708\u5168\u9762\u8fc1\u79fb\u81f3\u5f00\u6e90\u7684\u3001\u57fa\u4e8e Debian GNU/Linux \u7684\u865a\u62df\u5316\u5e73\u53f0 Proxmox VE\u3002
"},{"location":"infrastructure/discontinued/#pve-2-pve-4","title":"pve-2, pve-4","text":"pve-2 \u548c pve-4 \u4e5f\u4f4d\u4e8e\u4e1c\u56fe\uff0c\u662f\u4e24\u53f0\u672a\u77e5\u54c1\u724c\u3001\u672a\u77e5\u578b\u53f7\u7684\u65e7\u673a\u5668\uff0c\u914d\u7f6e\u4e3a 2\u00d7 Xeon E5420 (Very old 4C4T, 2.50 GHz), 16 GB \u5185\u5b58\uff08DDR2 667 MHz\uff09\u548c\u4e00\u5757 16 GB \u7684 SanDisk SSD\u3002\u8be5\u578b\u53f7\u673a\u5668\u6ca1\u6709 IPMI\u3002
\u7531\u4e8e\u914d\u7f6e\u4f4e\u4e0b\uff0c\u6211\u4eec\u624b\u52a8\u5b89\u88c5\u4e86 Proxmox VE\uff0c\u6ca1\u6709\u4f7f\u7528 LVM\uff0c\u5206\u914d\u4e86 1 GB \u7684 swap\uff0c\u5269\u4e0b\u5168\u90e8\u7ed9 rootfs\u3002
\u673a\u5668\u7684\u7f51\u5361\u6709\u4e24\u4e2a 1 Gbps \u7684\u63a5\u53e3\uff0c\u4e0e pve-6 \u76f8\u540c\uff0c\u90fd\u63a5\u5728\u540c\u4e00\u4e2a\u4ea4\u6362\u673a\u4e0a\u3002
"},{"location":"infrastructure/discontinued/vsphere/esxi/","title":"ESXi","text":"\u73b0\u5f79\u7684 ESXi \u6709 3 \u53f0\uff1aesxi-2 \u548c esxi-6 \u4f4d\u4e8e\u4e1c\u56fe\u673a\u623f\uff0cesxi-5 \u4f4d\u4e8e\u7f51\u7edc\u4fe1\u606f\u4e2d\u5fc3\u673a\u623f\u3002
esxi-2 \u4e0a\u8fd0\u884c\u4e1c\u56fe\u7f51\u5173\u7b49\u670d\u52a1\uff0cesxi-6 \u4e0a\u8fd0\u884c ustclug gitlab\u3002esxi-5 \u4e0a\u8fd0\u884c\u8bf8\u5982 vcenter, \u90ae\u4ef6\u7f51\u5173, ldap, \u5907\u7528\u7f51\u5173, vSphereDataProtection \u5907\u4efd\u670d\u52a1\u7b49\u3002
\u76ee\u524d\uff0c\u6709\u8ba1\u5212\u5c06\u865a\u62df\u5316\u65b9\u6848\u66f4\u6539\u4e3a Proxmox Virtual Environment\u3002
"},{"location":"infrastructure/discontinued/vsphere/esxi/#about-snapshot","title":"\u5173\u4e8e\u5feb\u7167","text":"Best practices: https://kb.vmware.com/s/article/1025279\uff0c\u7ba1\u7406\u865a\u62df\u673a\u524d\u52a1\u5fc5\u9605\u8bfb\u3002
"},{"location":"infrastructure/discontinued/vsphere/esxi/#_1","title":"\u673a\u5668\u914d\u7f6e\u7ec6\u8282","text":""},{"location":"infrastructure/discontinued/vsphere/esxi/#esxi-5","title":"esxi-5","text":"esxi-5 \u4e0a\u4e8e 2021/8 \u53d1\u73b0\u81ea\u5e26\u9635\u5217\u6709\u4e24\u5757\u574f\u76d8\uff0c\u5728\u66f4\u6362\u540e\u53d1\u73b0 storage \"root\"\uff08\u5b58\u653e vcenter \u865a\u62df\u673a\uff0c\u7ec4 RAID 1 \u540e\u5927\u5c0f 1.8TB\uff09\u65e0\u6cd5\u6b63\u5e38 rebuild\uff0c\u5e76\u4e14 vcenter \u865a\u62df\u673a\u7684 vmdk \u6587\u4ef6\u6709 4 \u4e2a\u51fa\u73b0 I/O error\u3002\u76ee\u524d vcenter \u865a\u62df\u673a\u5df2\u7ecf\u8fc1\u79fb\u5230 storage \"data\" (RAID10, 7.2 TB)\uff0c\u5de5\u4f5c\u6b63\u5e38\u3002
"},{"location":"infrastructure/discontinued/vsphere/vcenter/","title":"vCenter","text":"vCenter \u4e3a\u7ef4\u62a4\u4eba\u5458\u63d0\u4f9b\u4e86\u65b9\u4fbf\u7684\u7ba1\u7406\u6240\u6709 ESXi \u670d\u52a1\u5668\u7684\u754c\u9762\u3002\u9700\u8981\u6ce8\u610f\uff1a
\u5f53\u51fa\u73b0\u4e25\u91cd\u7684 CVE \u4e14\u65e0\u6cd5\u7b80\u5355 workaround \u65f6\uff0c\u5efa\u8bae\u5b89\u88c5 patch\uff0c\u5927\u81f4\u65b9\u6cd5\uff1a
software-packages stage --iso
\u52a0\u8f7d\u8865\u4e01\u6587\u4ef6\uff08\u5b9e\u8d28\u662f\u4e00\u5806 rpm\uff09\u3002software-packages install --iso
\u5b89\u88c5\u8865\u4e01\u6587\u4ef6\u3002shell
\u8fdb\u5165 bash\uff0creboot
\u91cd\u542f\u3002service-control --start --all
\u5347\u7ea7\u65f6\u9047\u5230\u7684\u95ee\u9898\uff1a
software-packages
\u66f4\u65b0\uff0c\u67e5\u770b\u539f\u56e0\u3002\u5982\u679c\u662f root \u5bc6\u7801\u8fc7\u671f\uff0c\u8fdb\u5165 bash\uff0c\u4f7f\u7528 passwd \u5148\u91cd\u7f6e\u6210\u65b0\u7684\uff08\u7136\u540e\u518d\u6539\u56de\u6765\uff09\uff0c\u4f7f\u7528 chage -I -1 -m 0 -M 99999 -E -1 root
设置永不过期。注意这会永久关闭 root 口令的过期和不活动锁定策略，是用安全性换取可维护性的取舍；如果只想解决当前的登录问题，也可以只用 -M 适当延长有效期而不是设为 99999。当我们说到 VDP 的时候，我们到底在指什么？为了避免歧义，以下做了一些定义：
vdp2 \u6302\u63a5\u5728 esxi-5 \u4e0a\uff0cesxi-5 \u6e90\u4e8e\u8001 mirrors\uff08mirrors2 \u4e4b\u524d\u7684\u4e00\u4ee3\u673a\u5668\uff09\u3002vSphereDataProtection \u7248\u672c\u4e3a 6.1.5\u3002
\u5f53 vdp \u5907\u4efd\u7a0b\u5e8f\u51fa\u73b0\u5947\u602a\u7684\u95ee\u9898\u7684\u65f6\u5019\uff0c\u91cd\u542f vdp \u5907\u4efd\u865a\u62df\u673a\u7edd\u5927\u591a\u6570\u65f6\u5019\u80fd\u591f\u89e3\u51b3\u95ee\u9898\u3002\u91cd\u542f\u8017\u65f6\u975e\u5e38\u957f\uff0c\u9700\u8981\u505a\u597d\u5fc3\u7406\u51c6\u5907\u3002
\u5907\u4efd\u65f6\uff0cvdp \u5907\u4efd\u7a0b\u5e8f\u4f1a\u4e3a\u865a\u62df\u673a\u65b0\u5efa\u4e00\u4e2a snapshot\uff0c\u4e4b\u540e\u4ece snapshot \u4f20\u8f93\u5907\u4efd\u3002\u5076\u5c14 snapshot \u4e0d\u4f1a\u88ab\u6b63\u5e38\u5220\u9664\uff0c\u800c\u5927\u91cf\u6216\u957f\u65f6\u95f4\u5b58\u653e\u7684 snapshot \u4f1a\u7ed9\u6027\u80fd\u5e26\u6765\u8d1f\u9762\u5f71\u54cd\uff0c\u6240\u4ee5\u5982\u679c\u53d1\u73b0\u6b64\u7c7b\u60c5\u51b5\uff0c\u5728\u786e\u8ba4\u5907\u4efd\u4e0d\u518d\u8fdb\u884c\u540e\uff0c\u9700\u8981\u5220\u9664 snapshot\uff0c\u540c\u65f6\u4fdd\u6301\u673a\u5668\u5728\u7ebf\uff08\u5728\u5173\u673a\u60c5\u51b5\u4e0b\u6574\u5408\u78c1\u76d8\u65f6\u65e0\u6cd5\u5f00\u673a\uff01\uff09\u3002
\u53c2\u8003\u8d44\u6599\uff1ahttps://docs.vmware.com/en/VMware-vSphere/6.5/rn/data-protection-615-release-notes.html
VDP \u5907\u4efd\u865a\u62df\u673a\u5df2\u7ecf EOL\u3002\u8bbf\u95ee vcenter \u4e2d\u7684 VDP \u63d2\u4ef6\u9700\u8981\u4f7f\u7528 Adobe Flash\u3002
"},{"location":"infrastructure/discontinued/vsphere/vdp/#_1","title":"\u5907\u4efd\u8ba1\u5212","text":"\u76ee\u524d\u7684\u5907\u4efd\u8ba1\u5212\u5982\u4e0b\uff1a
\u67e5\u770b\u5f53\u524d\u4efb\u52a1\uff1a
# mccli activity show | grep Running\n
\u67e5\u770b\u670d\u52a1\u60c5\u51b5\uff1a
# dpnctl status\n# status.dpn\n
"},{"location":"infrastructure/discontinued/vsphere/vdp/#vspheredataprotection-on-virtio-scsi","title":"vSphereDataProtection on VirtIO SCSI","text":"vdp \u7684\u64cd\u4f5c\u7cfb\u7edf\u662f SLES 11 SP3\uff0c\u8fd9\u4e2a\u64cd\u4f5c\u9700\u8981\u7cfb\u7edf\u76d8\u7684\u524d\u4e24\u4e2a\u5206\u533a\uff08/boot
\u548c /
\uff09\u3002
/lib/modules/3.0.101-0.47.99-default/kernel/drivers/
\u91cc\u53d6\u51fa virtio \u7684\u5185\u6838\u6a21\u5757\uff08block
\u91cc\u9762\u4e00\u4e2a\uff0cvirtio
\u6574\u4e2a\u76ee\u5f55\uff0c\u4ee5\u53ca scsi
\u91cc\u9762\u4e00\u4e2a\uff09\uff0c\u653e\u5728 initrd \u89e3\u538b\u540e\u7684\u5bf9\u5e94\u4f4d\u7f6e\u3002/lib/modules/3.0.101-0.47.99-default/modules.dep*
\u590d\u5236\u5230 initrd \u91cc\u3002config/start.sh
\u548c run_all.sh
\uff0c\u5728 RESOLVED_INITRD_MODULES
\u53d8\u91cf\u4e2d\u6dfb\u52a0 virtio_pci virtio virtio_scsi virtio_blk
\uff08\u5373\u4fee\u6539\u4e3a RESOLVED_INITRD_MODULES='virtio_pci virtio virtio_scsi virtio_blk cifs ext2 ext3 ext4 fat nfs reiserfs ufs xfs'
\uff09\u3002/boot
) \u91cc\u9762\uff0c\u5efa\u8bae\u4e0d\u8981\u8986\u76d6\u539f\u6765\u7684 initrd\u3002grub/menu.lst
\uff0c\u5c06 initrd \u4fee\u6539\u4e3a\u4f60\u6240\u6253\u5305\u7684\u6587\u4ef6\u540d\u3002Servers Intranet connects all the servers together, including physical servers and virtual machines.
"},{"location":"infrastructure/intranet/#network-topology","title":"Network Topology","text":"\u4ee5\u4e0a\u67b6\u6784\u56fe\u7531 iBug \u5728 2023 \u5e74 11 \u6708\u66f4\u65b0\u3002
\u6b64\u5904\u662f\u4e00\u4e9b\u8fc7\u65f6\u7684\u4fe1\u606f\uff0c\u4e5f\u8bb8\u8fd8\u6709\u70b9\u53c2\u8003\u4ef7\u503cThe network contains three parts:
tincVPN is a mesh VPN, which can be abstracted as a virtual Switch.
vm-nfs.s.ustclug.org runs a layer 2 bridge, connecting tincVPN and SRW2024 (physical switch).
Obviously vm-nfs is a single point of failure for communication between tinc hosts and vSphere virtual machines. I tried adding a second bridge node, but that produced a broadcast storm (presumably because two bridges between the same segments form a loop). MPLS (merged in mainline kernel 4.3) might fix it, but now is not the right time.
"},{"location":"infrastructure/intranet/#network-information","title":"Network information","text":"The network contains one single subnet: 10.254.0.0/21
Every server and service binds to one and only one IP address, used to communicate with each other.
"},{"location":"infrastructure/intranet/#address-planning","title":"Address planning","text":"We run gateways in each colocation to provide internet access to intranet-only hosts (VMs and containers).
When configuring VMs and containers, set their gateway according to their colocation:
Gateway-JP is mainly used for HTTP reverse proxy, so that we can provide HTTP services in compliance with PRC regulations.
For server configuration on each gateway, refer to their corresponding documentation:
After migrating to PVE, we found that sometimes tinc works abnormally within gateway-el and gateway-nic, with following kernel log:
bridge: received packet on ustclug with own address as source address (addr:12:34:56:78:90:ab, vlan:0)\nbridge: received packet on ustclug with own address as source address (addr:12:34:56:78:90:ab, vlan:0)\nbridge: received packet on ustclug with own address as source address (addr:12:34:56:78:90:ab, vlan:0)\nbridge: received packet on ustclug with own address as source address (addr:12:34:56:78:90:ab, vlan:0)\nbridge: received packet on ustclug with own address as source address (addr:12:34:56:78:90:ab, vlan:0)\nbridge: received packet on ustclug with own address as source address (addr:12:34:56:78:90:ab, vlan:0)\nbridge: received packet on ustclug with own address as source address (addr:12:34:56:78:90:ab, vlan:0)\nbridge: received packet on ustclug with own address as source address (addr:12:34:56:78:90:ab, vlan:0)\nbridge: received packet on ustclug with own address as source address (addr:12:34:56:78:90:ab, vlan:0)\nbridge: received packet on ustclug with own address as source address (addr:12:34:56:78:90:ab, vlan:0)\nnet_ratelimit: 2 callbacks suppressed\n
We still don't know the source of this issue. As a workaround, the following self-check timer is deployed. Note that the check only inspects the last two dmesg lines with no time window, so a stale message can keep matching (and restarting tinc every minute) until other kernel messages push it out; a bounded query such as dmesg --since -1min or journalctl -k --since -1min would be tighter:
/opt/tinc-check.sh#!/bin/bash\n\nrestart() {\n systemctl stop tinc@ustclug.service\n sleep 3 # avoid race condition\n systemctl start tinc@ustclug.service\n echo \"tinc restarted\"\n}\n\ndmesg | tail -n 2 | grep 'received packet on ustclug with own address as source address' && restart || echo \"tinc OK now\";\n
/etc/systemd/system/tinc-check.service[Unit]\nDescription=Tinc Check and Auto-Restart\n\n[Service]\nType=oneshot\nExecStart=/opt/tinc-check.sh\n
/etc/systemd/system/tinc-check.timer[Unit]\nDescription=Tinc Check and Auto-Restart Timer\n\n[Timer]\nOnCalendar=minutely\nPersistent=true\n\n[Install]\nWantedBy=timers.target\n
"},{"location":"infrastructure/intranet/lugivpn/","title":"LUG Intranet VPN","text":"service: intranet.ustclug.org
server: board.s.ustclug.org
"},{"location":"infrastructure/intranet/lugivpn/#introduction","title":"Introduction","text":"Server intranet is a closed network, which cannot be accessed from Internet. LUGI VPN helps maintainer get access to intranet temporarily.
LUGI VPN runs on a Raspberry Pi 3B+, the only ARM device we own, using the OpenVPN protocol with LDAP authentication. Note that auth-ldap.conf below sets RequireGroup false, so every LDAP account under ou=people can connect and reach the whole intranet; if that access should be limited to maintainers, set RequireGroup true and add a <Group> block for the maintainers' group.
It was originally hosted on a Banana Pi, which went down in April 2021.
"},{"location":"infrastructure/intranet/lugivpn/#configuration","title":"Configuration","text":"OpenVPN LDAP auth plugin config /etc/openvpn/auth-ldap.conf
:
<LDAP>\n URL ldaps://ldap.ustclug.org\n Timeout 15\n FollowReferrals yes\n TLSCACertFile /etc/ldap/ssl/slapd-ca-cert.pem\n</LDAP>\n\n<Authorization>\n BaseDN \"ou=people,dc=lug,dc=ustc,dc=edu,dc=cn\"\n SearchFilter \"(uid=%u)\"\n RequireGroup false\n</Authorization>\n
In openvpn configuration:
...\nplugin /usr/lib/openvpn/openvpn-auth-ldap.so /etc/openvpn/auth-ldap.conf\n
Servers intranet is a layer 2 network without default gateway. So NAT is needed:
iptables -t nat -A POSTROUTING -s 10.254.248.0/22 -d 10.254.0.0/21 -j MASQUERADE\n
"},{"location":"infrastructure/proxmox/nfs/","title":"NFS","text":"NFS \u670d\u52a1\u5668\uff08\"vdp\"\uff09\u662f\u4e1c\u56fe\u4e09\u4e2a PVE \u673a\u5668\u7684\u865a\u62df\u673a\u5b58\u50a8\uff0c\u578b\u53f7\u4e3a DELL PowerEdge R510\u3002\u78c1\u76d8\u9635\u5217\u7531\u4e8e\u5728 2021 \u5e74 3 \u6708\u521d\u635f\u574f\uff0c\u76ee\u524d\u5bb9\u91cf\u7f29\u51cf\u5230 8T\uff084 \u5757 4T \u84dd\u76d8 RAID10\uff09\u3002\u9664\u865a\u62df\u673a\u5916\uff0cNFS \u4e5f\u5b58\u50a8 LUG \u6210\u5458\u7684\u4e2a\u4eba\u6570\u636e\u53ca LUG FTP\u3002NFS \u670d\u52a1\u6062\u590d\u540e\uff0c\u4e3a\u4e86\u4fdd\u8bc1\u6570\u636e\u5197\u4f59\u6027\uff0c\u4f7f\u7528 Rclone \u548c Rsync \u6bcf\u5929\u589e\u91cf\u5907\u4efd LUG FTP \u548c LUG \u6210\u5458\u7684\u516c\u5f00\u6570\u636e\uff08public_html
\u76ee\u5f55\uff09\u5230\u4ee5\u4e0b\u4f4d\u7f6e\uff1a
\u5177\u4f53\u7684\u5907\u4efd\u65b9\u5f0f\u548c\u547d\u4ee4\u53c2\u89c1\u673a\u5668\u4e0a\u7684 rclone-backup.timer
\u548c rclone-backup.service
\u3002
vdp \u7684\u5185\u7f51\u8fde\u63a5\u4f9d\u8d56\u4e8e gateway-el\u3002
\u53ef\u80fd\u7684\u7f51\u7edc\u95ee\u9898
\u5728 2021 \u5e74\u4e5d\u6708\u4efd\u4e1c\u56fe\u7684 ESXi \u4e0e NFS \u8fde\u63a5\u4f1a\u51fa\u73b0\u4e0d\u7a33\u5b9a\u7684\u95ee\u9898\uff0c\u539f\u56e0\u76ee\u524d\u4e0d\u660e\u3002\u5728\u8fde\u63a5\u65b9\u5f0f\u4ece NFS 4.1 \u66f4\u6362\u5230 NFS 3 \u4e4b\u540e\uff0c\u8fde\u63a5\u7684\u4e0d\u7a33\u5b9a\u4e0d\u4f1a\u5bfc\u81f4\u865a\u62df\u673a\u88ab\u5173\u95ed\u3002
2021/09/29 \u66f4\u65b0\uff1a\u8fd9\u4e24\u5929\u518d\u6b21\u51fa\u73b0\u4e86\u4e25\u91cd\u7684\u8fde\u63a5\u95ee\u9898\u3002\u8c03\u8bd5\u540e\u53d1\u73b0 192.168.93.0/24 \u7684\u7f51\u5173 192.168.93.254 (Cisco \u8bbe\u5907) \u4e22\u5305\u4e25\u91cd\uff0c\u800c NFS \u7684\u51fa\u53e3 IP \u9519\u8bef\u88ab\u8bbe\u7f6e\u5230\u4e86\u4e0e\u56fe\u4e66\u9986\u4ea4\u6362\u673a\u76f8\u8fde\u63a5\u7684 eno1\uff0c\u5bfc\u81f4\u8bf7\u6c42\u9700\u8981\u7ed5\u8def\u3002\u5c06\u6b64 IP \u79fb\u52a8\u81f3 eno2\uff0c\u4fee\u6539 sysctl \u8bbe\u7f6e ARP \u8fc7\u6ee4\u5e76\u91cd\u542f\u540e\uff0c\u76ee\u524d\u6682\u65f6\u89e3\u51b3\u4e86\u95ee\u9898\u3002
Debian Bookworm \u5185\u6838\u95ee\u9898
6.1.x \u5f00\u59cb\u7684\u5185\u6838\u7684 NFSv4 \u670d\u52a1\u5668\u5b9e\u73b0\u53ef\u80fd\u5b58\u5728\u6f5c\u5728\u7684\u95ee\u9898\uff0c\u5bfc\u81f4\u5728\u67d0\u4e9b\u60c5\u51b5\u4e0b\u6b7b\u9501\uff0c\u89c1 https://lore.kernel.org/all/50d62fc9-206b-4dbc-9a9b-335450656fd0@aixigo.com/T/\u3002\u4ece Buster \u5347\u7ea7\u5230 Bookworm \u4e4b\u540e\u88ab\u5751\u4e86\u4e00\u6b21\u3002
\u7531\u4e8e\u8fd9\u4e2a\u95ee\u9898\u76ee\u524d\u5c1a\u672a\u89e3\u51b3\uff0c\u5728\u5347\u7ea7 Bookworm \u4e4b\u540e vdp \u4ecd\u4f7f\u7528 Bullseye \u7684\u5185\u6838\uff085.10.x\uff09\u3002
/etc/apt/preferences.d/linux-image-amd64Package: linux-image-amd64\nPin: release n=bullseye-security\nPin-Priority: 900\n
我们创建了如上文件（以便能够继续从 bullseye-security 获得内核的安全更新），然后手动删掉了所有 6.1 的内核包。注意这个 pin 只有在 sources.list 中保留 bullseye-security 源时才起作用，并且依赖于 bullseye 仍处于安全支持期内（按 Debian LTS 计划约到 2026 年中）；到期后 5.10 内核将不再收到安全更新，届时需要重新评估上游 NFSv4 的问题是否已修复并迁回 bookworm 内核。
"},{"location":"infrastructure/proxmox/nfs/#pve","title":"PVE \u78c1\u76d8\u8def\u5f84\u4e0e\u6302\u8f7d\u53c2\u6570","text":"\u5728 storage.cfg \u8bbe\u7f6e\u4e2d\uff0cNFS \u6302\u8f7d\u5230 /mnt/nfs-el
\uff0c\u8bbe\u7f6e\u7684\u53c2\u6570\u4e3a soft,noexec,nosuid,nodev
\u3002\u8bbe\u7f6e\u4e3a hard
会导致 NFS 下线时重试无限次，大概率导致系统卡死；noexec,nosuid,nodev 则使共享目录中的文件不能直接执行、setuid 位和设备节点不生效，避免 NFS 服务器或其他挂载方写入的文件在 PVE 宿主机上获得特权。需要注意 soft 挂载在 NFS 超时后会向应用返回 I/O 错误，对正在写盘的虚拟机可能造成数据损坏，这是可用性与安全性之间的取舍。
\u5176\u4e2d\uff0c\u6839\u636e PVE \u7684\u8981\u6c42\uff0c\u865a\u62df\u673a\u78c1\u76d8\u6587\u4ef6\u9700\u8981\u653e\u5728 images/<vmid>
\u76ee\u5f55\u4e0b\u624d\u4f1a\u88ab\u81ea\u52a8\u68c0\u6d4b\u5230\u3002\u82e5\u4e00\u5f00\u59cb\u6ca1\u6709\u6309\u8981\u6c42\u653e\u7f6e\u6587\u4ef6\u6216\u6dfb\u52a0\u4e86\u65b0\u6587\u4ef6\uff0c\u53ef\u4ee5\u4f7f\u7528 qm rescan
\u626b\u63cf\u65b0\u7684\u78c1\u76d8\u6587\u4ef6\u3002\u4e5f\u53ef\u4ee5\u76f4\u63a5\u4f7f\u7528 qm set
\u547d\u4ee4\u6216\u624b\u52a8\u7f16\u8f91\u865a\u62df\u673a\u914d\u7f6e\u6587\u4ef6\u6307\u5b9a\u78c1\u76d8\u6587\u4ef6\u7684\u8def\u5f84\uff0c\u8fd9\u4e24\u79cd\u65b9\u6cd5\u6ca1\u6709\u6b64\u9650\u5236\u3002
\u53e6\u5916\uff0c\u7531\u4e8e\u6574\u4e2a storage.cfg \u6587\u4ef6\u5728\u96c6\u7fa4\u4e2d\u5171\u4eab\uff0c\u9700\u8981\u624b\u52a8\u6307\u5b9a nodes
\u4ee5\u514d NIC \u7684\u4e24\u53f0 PVE \u4e3b\u673a\u5c1d\u8bd5\u6302\u8f7d\u3002
nfs: nfs-el\n export /media/vdp/pve\n path /mnt/nfs-el\n server nfs-el.vm.ustclug.org\n options soft,noexec,nosuid,nodev\n content iso,images\n nodes pve-2,pve-4,pve-6\n shared 1\n prune-backups keep-all=1\n
storage.cfg \u7684\u5168\u90e8\u914d\u7f6e\u5185\u5bb9\u53ef\u4ee5\u53c2\u8003 https://pve.proxmox.com/wiki/Storage\u3002
"},{"location":"infrastructure/proxmox/pbs/","title":"Proxmox Backup Server (PBS)","text":"PBS \u73b0\u5728\u90e8\u7f72\u5728 esxi-5 \u4e0a\u9762\uff0c\u7528\u4f5c\u865a\u62df\u673a\u5907\u4efd\uff0cweb \u754c\u9762\u7684\u7aef\u53e3\u53f7\u4e3a 8007\uff08HTTPS only\uff09\u3002
Info
\u672c\u9875\u9762\u8bb0\u5f55 Proxmox Backup Server \u8f6f\u4ef6\u76f8\u5173\uff0c\u4ee5\u53ca Proxmox VE \u865a\u62df\u673a\u76f8\u5173\u7684\u8d44\u6599\u3002\u5173\u4e8e esxi-5 \u7684\u7cfb\u7edf\u914d\u7f6e\u4fe1\u606f\u8bb0\u5f55\u5728 Proxmox VE \u9875\u9762\u3002
"},{"location":"infrastructure/proxmox/pbs/#pbs","title":"\u5b89\u88c5 PBS","text":"PBS \u53ef\u4ee5\u4f7f\u7528\u5b89\u88c5\u5149\u76d8 iso \u5b89\u88c5\u6216\u76f4\u63a5\u52a0\u88c5\u5728\u73b0\u6709\u7684\u5bf9\u5e94\u7248\u672c\u7684 Debian \u7cfb\u7edf\u4e0a\uff0c\u8fd9\u4e24\u79cd\u5b89\u88c5\u65b9\u5f0f\u90fd\u6709\u5b98\u65b9\u7684\u8bf4\u660e\u6587\u6863\u3002
\u6211\u4eec\u7684 esxi-5 \u662f\u4f7f\u7528 PVE \u7684\u5b89\u88c5\u76d8\u5148\u88c5\u6210 PVE\uff0c\u518d\u5728\u4e0a\u9762\u989d\u5916\u52a0\u88c5 PBS \u7684\u3002\u7531\u4e8e PVE \u548c PBS \u5171\u4eab\u4e86\u5927\u91cf\u7ec4\u4ef6\uff0c\u56e0\u6b64\u5728 PVE \u4e0a\u52a0\u88c5 PBS \u5c31\u53ea\u5269\u4e0b\u5f88\u7b80\u5355\u7684\u4e00\u4e9b\u6b65\u9aa4\u4e86\uff1a
echo \"deb http://mirrors.ustc.edu.cn/proxmox/debian/pbs bullseye pbs-no-subscription\" > /etc/apt/sources.list.d/pbs.list\napt update\napt install proxmox-backup\n
\u8be5\u8fc7\u7a0b\u4ec5\u5b89\u88c5\u4e86\u603b\u91cf\u4e3a 150+ MB \u7684 8 \u4e2a\u5305\uff0c\u5c31\u6709 PBS \u53ef\u7528\u4e86\u3002
"},{"location":"infrastructure/proxmox/pbs/#pbs-new-user","title":"\u521b\u5efa\u65b0\u7528\u6237","text":"PBS \u81ea\u5df1\u7684\u8d26\u53f7\u4f53\u7cfb (Realm pbs) \u4e0e PVE (Realm pve) \u4e92\u76f8\u4e0d\u901a\uff0c\u5982\u679c\u9700\u8981\u521b\u5efa\u65b0\u7684 PBS \u7528\u6237\uff0c\u53ef\u4ee5\u901a\u8fc7 SSH \u767b\u5f55\uff0c\u7136\u540e\u53c2\u8003\u4ee5\u4e0b\u6b65\u9aa4\uff1a
proxmox-backup-manager user create \u7528\u6237\u540d@pbs --email \u90ae\u7bb1\u5730\u5740@ustclug.org
proxmox-backup-manager user update \u7528\u6237\u540d@pbs --password '\u4e00\u4e2a\u4e34\u65f6\u7684\u5bc6\u7801'
proxmox-backup-manager acl update / Admin --auth-id \u7528\u6237\u540d@pbs
proxmox-backup-manager acl list
确认权限列表。注意上面的 acl update / Admin 授予的是整个 PBS 的管理员权限；如果该账号只用于某个 datastore 的备份或恢复，按最小权限原则应改用 DatastoreBackup / DatastoreAdmin 等角色，并把路径限制到 /datastore/<名称>。另外写在命令行里的临时密码会留在 shell 历史中，创建完成后应让用户立即自行修改。参考：https://pbs.proxmox.com/docs/user-management.html
Tip
当然，你也可以 SSH 登录后修改 root 密码，再用 root@pam 的账号登录 web 界面进行操作。该方法同时适用于 PVE 和 PBS。操作完成后请恢复 root 密码（passwd -d root
）。注意 passwd -d 是清空密码而不是锁定账户：之后 root 可以在本地控制台或 IPMI 上免密码登录（SSH 默认 PermitEmptyPasswords no，不受影响），这正是下文约定空密码的用意；如果这台机器并不需要免密控制台登录，用 passwd -l root 锁定更稳妥。临时密码请使用一次性的强密码，不要复用其他地方的口令。
\u5982\u679c\u4f60\u9700\u8981\u7ecf\u5e38\u767b\u5f55 Web \u754c\u9762\u64cd\u4f5c\uff0c\u6700\u597d\u521b\u5efa\u4e00\u4e2a Realm pve/pbs \u800c\u4e0d\u662f\u4f9d\u8d56\u4e8e\u4f7f\u7528 root \u5bc6\u7801\u3002
\u7279\u522b\u5730\uff0c\u7531\u4e8e PBS \u548c PVE \u540c\u65f6\u5b89\u88c5\u5728 esxi-5 \u4e0a\uff0c\u56e0\u6b64\u5b83\u4eec\u53ef\u4ee5\u5171\u4eab esxi-5 \u4e0a\u7684 Linux \u7528\u6237\uff08\u5373 Linux PAM standard authentication\uff09\u3002
"},{"location":"infrastructure/proxmox/pbs/#pbs-add-datastore","title":"\u8bbe\u7f6e Datastore","text":"PBS \u4e0a\u7684\u865a\u62df\u673a\u5907\u4efd\u5355\u5143\u662f\u5c0f\u5757\u7684 chunk\uff0c\u4e5f\u4f9d\u8d56\u8fd9\u4e2a\u8bbe\u8ba1\u5b9e\u73b0\u589e\u91cf\u5907\u4efd\uff0c\u6240\u4ee5\u865a\u62df\u673a\u5907\u4efd\uff08Datastore\uff09\u7684\u540e\u7aef\u90fd\u662f\u76ee\u5f55\u3002\u6dfb\u52a0 Datastore \u53ea\u9700\u8981\u6307\u5b9a\u4e00\u4e2a\u76ee\u5f55\uff0c\u53d6\u4e00\u4e2a\uff08\u7b80\u77ed\u7684\uff09\u540d\u5b57\u5c31\u53ef\u4ee5\u4e86\u3002\u5efa\u8bae\u4e0d\u8981\u4f7f\u7528\u6587\u4ef6\u7cfb\u7edf\u7684\u6839\u76ee\u5f55\u4f5c\u4e3a Datastore\uff0c\u53ef\u4ee5\u521b\u5efa\u4e00\u4e2a pbs
\u6587\u4ef6\u5939\u7528\u4f5c Datastore\uff0c\u53c2\u8003\u4e0b\u9762\u6240\u8ff0\u7684 esxi-5 \u4e0a\u7684\u914d\u7f6e\u3002
\u76ee\u524d\u5728 esxi-5 \u4e0a\u914d\u7f6e\u4e86\u4ee5\u4e0b datastore\uff1a
/mnt/raid1/pbs
\uff1a\u6302\u8f7d\u70b9\u4e3a /mnt/raid1
\uff0c\u662f esxi-5 \u673a\u8eab\u7684\u4e24\u5757\u5feb\u8981\u574f\u6389\u7684 2 TB HDD RAID-1\uff0c\u5df2\u7ecf\u6302\u4e86\uff1b/mnt/data/pbs
\uff1a\u6302\u8f7d\u70b9\u4e3a /mnt/data
\uff0c\u662f\u4e00\u4e2a\u5bb9\u91cf\u4e3a 7 TB \u7684\u673a\u8eab HDD \u9635\u5217\uff1b/mnt/vdp2/pbs
\uff1a\u6302\u8f7d\u70b9\u4e3a /mnt/vdp2
\uff0c\u662f\u4e00\u4e2a\u5bb9\u91cf\u4e3a 14 TB \u7684 iSCSI \u5916\u7f6e HDD \u9635\u5217\uff0c\u662f\u6211\u4eec\u76ee\u524d\u5907\u4efd\u865a\u62df\u673a\u7684\u4e3b\u8981\u5b58\u50a8\u3002LUG \u76ee\u524d\u670d\u5f79\u7684 Proxmox VE \u4e3b\u673a\u6709\uff1a
esxi-5 \u662f 2011 \u5e74\u7684 mirrors \u670d\u52a1\u5668\uff0c\u4e8e 2016 \u5e74\u9000\u5f79\u540e\u6539\u88c5\u4e3a ESXi\uff0c\u73b0\u5728\u5df2\u66ff\u6362\u4e3a Proxmox VE
PVE \u7684 web \u7aef\u53e3\u4e3a 8006\uff0c\u800c PBS \u7684\u7aef\u53e3\u4e3a 8007\uff0c\u56e0\u6b64\u5728\u4e00\u53f0\u4e3b\u673a\u4e0a\u540c\u65f6\u5b89\u88c5 PVE \u548c PBS \u4e92\u4e0d\u51b2\u7a81\uff0c\u8bbf\u95ee\u65f6\u9700\u8981\u4f7f\u7528 HTTPS \u5e76\u6307\u5b9a\u7aef\u53e3\u3002
PVE \u548c PBS \u7684\u7aef\u53e3\u90fd\u662f\u56fa\u5b9a\u7684\uff0c\u65e0\u6cd5\u66f4\u6539
pve-6 \u662f\u4e00\u53f0\u8f83\u8001\u7684\u670d\u52a1\u5668\uff0c\u5728\u6539\u88c5\u524d\u8fd0\u884c ESXi 6.0\uff0c\u56e0\u6b64\u4e3b\u673a\u540d\u66fe\u7ecf\u662f esxi-6\u3002
pve-1 \u5230 pve-4 \u53bb\u54ea\u4e86\uff1f
esxi-1 \u548c esxi-3 \u5df2\u7ecf\u574f\u6389\u5f88\u591a\u5e74\u4e86\uff0c\u540c\u6279\u6b21 5 \u53f0\u673a\u5668\u5df2\u7ecf\u574f\u6389\u4e86 3 \u53f0\uff08\u53e6\u5916\u4e00\u4e2a\u662f vm-nfs\uff0cesxi-6 \u4e0d\u5c5e\u4e8e\u8be5\u6279\u6b21\uff09\u3002
pve-2 \u548c pve-4 \u7531 esxi-2 \u548c esxi-4 \u6539\u88c5\u800c\u6765\uff0c\u7531\u4e8e\u8fc7\u4e8e\u53e4\u8001\uff082007 \u5e74\uff09\uff0c\u5373\u4f7f\u6ca1\u574f\uff0c\u6211\u4eec\u4e5f\u5c06\u5b83\u4eec\u4e0b\u67b6\u5904\u7406\u6389\u4e86\u3002
pve-7 \u662f\u5b8b\u8001\u5e08\u7ed9\u6211\u4eec\u7684\u4e00\u53f0 Oracle x86 \u670d\u52a1\u5668\uff0c\u539f\u5148\u5728\u897f\u56fe\u673a\u623f\u5c1d\u8bd5\u7528\u4f5c docker3\uff0c\u540e\u6765\u53d1\u73b0\u6ca1\u9700\u6c42+\u4e0d\u65b9\u4fbf\u540e\uff0c\u7ecf\u5b8b\u8001\u5e08\u5141\u8bb8\u642c\u5230\u4e86\u4e1c\u56fe\u673a\u623f\u7528\u4f5c PVE\uff0c\u66ff\u4ee3\u4e86 pve-{2,4} \u7684\u529f\u80fd\u8fd0\u884c\u4e00\u4e9b\u865a\u62df\u673a\u3002
\u673a\u5668\u539f\u88c5\u5185\u5b58\u4e3a 64G\uff08\u4f46\u662f\u6709\u635f\u574f\uff09\uff0c\u5728\u56fe\u4e66\u9986\u548c\u7f51\u7edc\u4fe1\u606f\u4e2d\u5fc3\u627e\u4e86\u4e00\u4e9b\u65e7\u5185\u5b58\u540e\u6269\u5145\u5230\u4e86 128G\u3002
\u8fd9\u4e9b PVE \u4e3b\u673a\u914d\u7f6e\u4e3a\u4e00\u4e2a\u96c6\u7fa4\uff0c\u53ef\u4ee5\u5171\u4eab\u4e00\u4e9b\u914d\u7f6e\u4fe1\u606f\u5e76\u4e92\u76f8\u8fc1\u79fb\u865a\u62df\u673a\u3002\u7279\u522b\u5730\uff0cProxmox VE Authentication Server\uff08Realm \u4e3a pve\uff09\u7684\u8d26\u53f7\u5728 PVE \u4e3b\u673a\u4e4b\u95f4\u662f\u5171\u4eab\u7684\uff0c\u5e76\u4e14\u6dfb\u52a0\u7684 PBS \u5b58\u50a8\u540e\u7aef\u4e5f\u662f\u5171\u4eab\u7684\uff0c\u5373\u5927\u5bb6\u90fd\u53ef\u4ee5\u5f80\u76f8\u540c\u7684 PBS \u4e0a\u5907\u4efd\u865a\u62df\u673a\u3002
\u53e6\u6709\u6682\u672a\u52a0\u5165 PVE \u96c6\u7fa4\u7684\u673a\u5668\u5982\u4e0b\uff1a
\u4e0d\u540c\u4e3b\u673a\u4e4b\u95f4\u7684 Linux PAM \u7528\u6237\u662f\u4e0d\u76f8\u901a\u7684
\u6240\u6709 Proxmox \u4e3b\u673a\u7684\u4e3b\u673a\u540d\uff08hostname\uff09\u90fd\u8bbe\u4e3a <hostname>.vm.ustclug.org
\uff0c\u5bf9\u5e94\u7684 IP \u5730\u5740\u8bb0\u5f55\u5728 DNS \u4e2d\u3002
\u5df2\u5e9f\u5f03\u7684\u5185\u5bb9
\u4e3a\u4e86\u4fbf\u4e8e\u901a\u8fc7 IPMI \u7b49\u65b9\u5f0f\u7ef4\u62a4\uff0c\u6211\u4eec\u7ea6\u5b9a\u6240\u6709 Proxmox \u4e3b\u673a\u7684 root \u8d26\u6237\u5bc6\u7801\u4fdd\u6301\u4e3a\u7a7a\u3002\u82e5\u6709\u64cd\u4f5c\u9700\u8981\u4f7f\u7528 root \u5bc6\u7801\uff08\u5982\u521b\u5efa\u548c\u52a0\u5165\u96c6\u7fa4\u65f6\uff09\uff0c\u8bf7\u901a\u8fc7 SSH \u6216 IPMI \u767b\u5f55\uff0c\u4e34\u65f6\u8bbe\u7f6e\u4e00\u4e2a root \u5bc6\u7801\uff0c\u5e76\u5728\u4fee\u6539\u5b8c PVE / PBS \u7684\u914d\u7f6e\u540e\u5c06\u5bc6\u7801\u5220\u9664\uff08passwd -d
\uff09\u3002PVE / PBS \u6ca1\u6709\u4f9d\u8d56\u4e8e\u56fa\u5b9a\u4e0d\u53d8\u7684 root \u5bc6\u7801\u624d\u80fd\u6b63\u5e38\u8fd0\u884c\u7684\u7ec4\u4ef6\uff0c\u56e0\u6b64\u8fd9\u6837\u505a\u5bf9 PVE / PBS \u6765\u8bf4\u662f\u6ca1\u95ee\u9898\u7684\u3002
\u5b89\u5168\u8d77\u89c1\uff0cPVE / PBS \u4e3b\u673a\u4f7f\u7528 RFC 1918 \u6bb5\u7684\u6821\u56ed\u7f51 IP\uff0c\u4e0d\u8fde\u63a5\u516c\u7f51\u3002
Debian \u548c Proxmox \u7684\u8f6f\u4ef6\u66f4\u65b0\u4f7f\u7528 mirrors.ustc.edu.cn \u5373\u53ef\uff0c\u82e5\u6709\u9700\u8981\u8bbf\u95ee\u6821\u5916\uff08\u5982 GitHub \u7b49\uff09\uff0c\u8bf7\u5199 hosts \u5e76\u914d\u7f6e\u8def\u7531\uff0c\u4ee5 GitHub \u4e3a\u4f8b\uff1a
echo \"20.205.243.166 github.com\" >> /etc/hosts\nip route replace 20.205.243.166 via (?) dev (?)\n
\u5176\u4e2d via
\u9009\u62e9 gateway-el \u6216 gateway-nic \u7684\u5185\u7f51\u5730\u5740\uff0cdev
选择桥接内网的 vmbr（见下）。固定在 hosts 里的 GitHub IP 可能随时变化，失效时需要重新解析并更新；由于仍然通过 HTTPS 校验证书，写错或过期的 IP 只会导致连接失败，不会连到冒充的主机。
Proxmox VE \u8981\u6c42\u4e3a\u865a\u62df\u673a\u63a5\u5165\u7684\u7f51\u6865\u5fc5\u987b\u547d\u540d\u4e3a vmbrN
\uff0c\u5176\u4e2d N \u662f 0-4094 \u4e4b\u95f4\u7684\u6574\u6570\u3002\u65b9\u4fbf\u8d77\u89c1\uff0c\u6211\u4eec\u5728\u4e24\u4e2a\u673a\u623f\u5206\u522b\u7edf\u4e00 vmbr \u7684\u7f16\u53f7\uff1a
我们不使用 Proxmox 自带的防火墙功能，但 pve-firewall 仍然会尝试部署或恢复防火墙设置，因此需要禁用相关设置及服务。注意禁用后宿主机上不再有任何防火墙规则（除非按下文用 iptables-persistent 自行维护），8006/8007 等管理端口会对整个校园网段可达，安全性完全依赖于主机只使用内网 IP、不连接公网这一前提：
/etc/pve/nodes/$(hostname -s)/host.fw[OPTIONS]\nenable: 0\n
systemctl stop pve-firewall.service\nsystemctl disable pve-firewall.service\nsystemctl mask pve-firewall.service\n
\u53ef\u9009\u5185\u5bb9\uff1a\u540c\u65f6\u5b89\u88c5 iptables-persistent
\u8f6f\u4ef6\u5305\uff0c\u5e76\u5229\u7528 iptables \u5c06 443 \u7aef\u53e3\u8f6c\u53d1\u5230 8006 \u7aef\u53e3\u65b9\u4fbf\u4f7f\u7528\u3002
update-alternatives --set iptables /usr/sbin/iptables-nft\nupdate-alternatives --set ip6tables /usr/sbin/ip6tables-nft\n
/etc/iptables/rules.v4*nat\nPREROUTING ACCEPT [0:0]\nINPUT ACCEPT [0:0]\nOUTPUT ACCEPT [0:0]\nPOSTROUTING ACCEPT [0:0]\n-A PREROUTING -p tcp --dport 443 -m addrtype --dst-type LOCAL -j REDIRECT --to-ports 8006\nCOMMIT\n
\u5220\u6389 rules.v6
\u6587\u4ef6\uff0c\u7136\u540e\u8fd0\u884c systemctl restart netfilter-persistent.service
\u8f7d\u5165 iptables \u89c4\u5219\u3002
Proxmox \u9ed8\u8ba4\u4f7f\u7528 chrony \u8f6f\u4ef6\u548c Debian \u63d0\u4f9b\u7684 NTP pool\uff0c\u8fd9\u4e9b\u670d\u52a1\u5668\u90fd\u5728\u6821\u5916\uff0c\u4f7f\u7528\u6821\u56ed\u7f51 IP \u65e0\u6cd5\u8fde\u901a\uff0c\u9700\u8981\u6539\u6210\u6821\u56ed\u7f51\u7684 NTP \u670d\u52a1\u5668\uff1a
/etc/chrony/chrony.conf# Use Debian vendor zone.\n#pool 2.debian.pool.ntp.org iburst\nserver time.ustc.edu.cn iburst\n
\u7136\u540e\u8fd0\u884c systemctl restart chrony.service
\u91cd\u542f\u670d\u52a1\u3002
参见 SSL 证书，正好 vdp 上面运行了 LUG FTP 而因此配置了证书的自动更新，利用 vdp 提供的 NFS 服务，我们在 vdp 上的证书更新脚本中添加了将 vm 证书复制到 NFS 目录的功能，然后由 pve-6 部署到各个主机上。注意这条路径会把 TLS 私钥放在 NFS 导出目录里并经 NFS 传输（除非使用 krb5p，NFS 传输是明文的），其保密性完全依赖于内网隔离和导出目录的权限：请确保 /mnt/nfs-el/cert/privkey.pem 只有 root 可读，且该导出只被 storage.cfg 中 nodes 列出的 PVE 节点挂载。
\u4e0b\u9762\u662f pve-6 \u4e0a\u7684\u811a\u672c\uff1a
/etc/cron.daily/sync-cert#!/bin/bash -e\n\nSRC=\"/etc/pve/nodes/$(hostname -s)\"\nDSTROOT=\"/etc/pve/nodes\"\nCERTSRC=\"/mnt/nfs-el/cert\"\n\ncp -u \"$CERTSRC/privkey.pem\" \"$SRC/pveproxy-ssl.key\"\ncp -u \"$CERTSRC/fullchain.pem\" \"$SRC/pveproxy-ssl.pem\"\nsystemctl reload pveproxy.service\n\nfor DST in \"$DSTROOT\"/*; do\n [ \"$DST\" = \"$SRC\" ] && continue\n node=\"$(basename \"$DST\")\"\n cp \"$SRC/pveproxy-ssl.key\" \"$SRC/pveproxy-ssl.pem\" \"$DST/\"\n ssh \"$node\" 'systemctl reload pveproxy.service' &\ndone\nwait\n
\u7531\u4e8e PVE \u548c PBS \u7684\u6570\u636e\u4e0d\u4e92\u901a\uff0c\u56e0\u6b64 esxi-5 \u4e0a\u7684\u76f8\u540c\u4f4d\u7f6e\u6709\u53e6\u4e00\u4e2a\u811a\u672c\u4e3a PBS \u90e8\u7f72\u8bc1\u4e66\uff1a
/etc/cron.daily/sync-cert#!/bin/bash\n\nSRC=\"/etc/pve/nodes/$(hostname -s)\"\nDST=\"/etc/proxmox-backup\"\n\nif ! cmp -s \"$SRC/pveproxy-ssl.pem\" \"$DST/proxy.pem\"; then\n cp \"$SRC/pveproxy-ssl.key\" \"$DST/proxy.key\"\n cp \"$SRC/pveproxy-ssl.pem\" \"$DST/proxy.pem\"\n systemctl reload proxmox-backup-proxy.service\nfi\nexit 0\n\n# Unreachable code, leaving here for reference\nif command -v openssl 2>/dev/null; then\n FP=\"$(openssl x509 -noout -fingerprint -sha256 -inform pem -in \"$DST/proxy.pem\")\"\n FP=\"${FP##*=}\"\n pvesm set esxi-5-data --finerprint \"$FP\"\n pvesm set esxi-5-vdp2 --finerprint \"$FP\"\nfi\n
"},{"location":"infrastructure/proxmox/pve/#virtiofs","title":"VirtIO FS","text":"\u5bf9\u4e8e mirrorlog \u7b49\u91cd\u5b58\u50a8\u578b\u7684\u865a\u62df\u673a\uff0c\u6211\u4eec\u5c1d\u8bd5\u628a\u5927\u91cf\u7684\u6570\u636e\u6587\u4ef6\u653e\u5728 host \u4e0a\uff0c\u907f\u514d ZFS\uff08Zvol\uff09\u548c ext4 \u7684\u4e24\u5c42\u5f00\u9500\uff08\u4ee5\u53ca\u5728 ZFS \u4e0a\u4e5f\u53ef\u4ee5\u4f7f\u7528\u66f4\u5927\u7684 recordsize \u83b7\u5f97\u66f4\u597d\u7684 I/O \u4f53\u9a8c\u548c\u66f4\u4f4e\u7684 RAID-Z overhead\uff09\uff0c\u7136\u540e\u4f7f\u7528 virtiofs \u4f9b\u865a\u62df\u673a\u8bbf\u95ee\u3002
Virtiofs \u7684\u914d\u7f6e\u8fc7\u7a0b\u4e3b\u8981\u53c2\u8003\u4e86 https://forum.proxmox.com/threads/virtiofsd-in-pve-8-0-x.130531/\uff1a
\u9996\u5148\u914d\u7f6e\u865a\u62df\u673a\uff1a
/etc/pve/qemu-server/230.confargs: -chardev socket,id=virtfs0,path=/run/virtiofsd-230.sock -device vhost-user-fs-pci,queue-size=1024,chardev=virtfs0,tag=mirrorlog -object memory-backend-file,id=mem,size=8192M,mem-path=/dev/shm,share=on -numa node,memdev=mem\n
\u5176\u4e2d path=
\u6307\u5411 virtiofsd \u7684 socket \u6587\u4ef6\uff0ctag=
\u53ef\u4ee5\u4efb\u610f\u6307\u5b9a\uff0c\u7528\u4e8e\u533a\u5206\u591a\u4e2a virtiofsd \u5b9e\u4f8b\uff08\u5bf9\u5e94\u865a\u62df\u673a\u5185\u7684 mount source\uff09\uff0csize=
\u662f\u5171\u4eab\u5185\u5b58\u5927\u5c0f\u3002
\u7136\u540e\u5b89\u88c5 virtiofsd\uff0c\u76f4\u63a5 apt install virtiofsd
\u5373\u53ef\uff08PVE \u6253\u5305\u4e86 Rust \u91cd\u5199\u7684\u65b0\u7248 virtiofsd\uff09\u3002
\u63a5\u4e0b\u6765\u9700\u8981\u914d\u7f6e virtiofsd \u5728\u865a\u62df\u673a\u5f00\u673a\u524d\u542f\u52a8\u3002\u6ce8\u610f\u4e00\u4e2a virtiofsd \u53ea\u80fd\u4f9b\u4e00\u4e2a\u865a\u62df\u673a\u8bbf\u95ee\u4e00\u4e2a\u4e3b\u673a\u4e0a\u7684\u76ee\u5f55\uff0c\u56e0\u6b64\u9700\u8981\u4f7f\u7528 PVE \u7684 hook script \u6765\u542f\u52a8 virtiofsd\u3002\u8fd9\u4e2a hook script \u653e\u5728 /var/lib/vz
\u76ee\u5f55\u4e0b\uff0c\u63a5\u6536\u4e24\u4e2a\u547d\u4ee4\u884c\u53c2\u6570\uff08VMID \u548c\u542f\u52a8\u9636\u6bb5\uff09\uff1a
#!/bin/sh\n\nif [ $# -ne 2 ]; then\n echo \"Need exactly 2 arguments\" >&2\n exit 1\nfi\n\nVMID=\"$1\"\nPHASE=\"$2\"\n\n[ \"$VMID\" -eq 230 ] || exit 0\n\nNAME=virtiofsd-230\nSOCKPATH=\"/run/$NAME.sock\"\n\ncase \"$PHASE\" in\n pre-start)\n systemctl stop \"$NAME\".service\n rm -f \"$SOCKPATH\" \"$SOCKPATH\".pid\n\n systemd-run \\\n --collect \\\n --unit=\"$NAME\" \\\n /usr/libexec/virtiofsd \\\n --syslog \\\n --socket-path \"$SOCKPATH\" \\\n --shared-dir /mnt/mirrorlog \\\n --announce-submounts \\\n --inode-file-handles=mandatory\n ;;\n pre-stop) ;;\n post-start) ;;\n post-stop) ;;\n *) echo \"Unknown phase $PHASE\" >&2; exit 1;;\nesac\n
\u76f8\u6bd4\u4e8e Proxmox \u8bba\u575b\u91cc\u7684\u6559\u7a0b\u8d34\uff0c\u8fd9\u91cc\u6700\u91cd\u8981\u7684\u4fee\u6539\u662f\u7ed9 systemd-run
\u52a0\u4e0a\u4e86 --collect
\u53c2\u6570\uff0c\u8fd9\u6837 virtiofsd \u9000\u51fa\u65f6\u65e0\u8bba\u662f\u5426 failed\uff0csystemd \u90fd\u4f1a\u6e05\u7406\u6389\u8fd9\u4e2a\u4e34\u65f6\u7684 service unit\u3002
\u7136\u540e\u901a\u8fc7\u547d\u4ee4\u884c\u914d\u7f6e\u4f7f\u7528\uff1a
qm set 230 --hookscript local:snippets/mirrorlog.sh\n
\u7136\u540e\u5c06\u865a\u62df\u673a\u5173\u673a\uff0c\u901a\u8fc7 qm start
\u6216\u8005 web \u754c\u9762\u542f\u52a8\uff0c\u5373\u53ef\u5728\u865a\u62df\u673a\u5185\u6302\u8f7d virtiofsd \u63d0\u4f9b\u7684\u76ee\u5f55\u3002
# Manual\nmount -t virtiofs mirrorlog /mnt/mirrorlog\n\n# via /etc/fstab\nmirrorlog /mnt/mirrorlog virtiofs defaults 0 0\n
"},{"location":"infrastructure/proxmox/pve/#pve-5","title":"pve-5","text":"pve-5 \u4f4d\u4e8e\u7f51\u7edc\u4e2d\u5fc3\uff0c\u914d\u7f6e\u4e3a 2\u00d7 Xeon E5-2603 v4 (Broadwell 6C6T, 1.70 GHz, no HT, no Turbo Boost) Xeon E5-2667 v4 (Broadwell 8C16T, 3.20 GHz, Max 3.60 GHz)\uff0c256 GB \u5185\u5b58\u548c\u4e00\u5927\u5806 SSD\uff082\u00d7 \u4e09\u661f 240 GB SATA + 10x Intel DC S4500 1.92 TB SATA\uff09\u3002\u6211\u4eec\u5c06\u4e24\u5757 240 GB \u7684\u76d8\u7ec4\u6210\u4e00\u4e2a LVM VG\uff0c\u5206\u914d 16 GB \u7684 rootfs\uff08LVM mirror\uff09\u548c 8 GB \u7684 swap\uff0c\u5176\u4f59\u7a7a\u95f4\u7ed9\u4e00\u4e2a thinpool\u3002\u5341\u5757 1.92 TB \u7684\u76d8\u7ec4\u6210\u4e00\u4e2a RAIDZ2 \u7684 zpool\uff0c\u7528\u4e8e\u5b58\u50a8\u865a\u62df\u673a\u7b49\u6570\u636e\u3002
\u5176\u8fde\u63a5\u7684\u5355\u6839 10 Gbps \u7684\u5149\u7ea4\uff0c\u6865\u63a5\u51fa vmbr0
\u81f3 vmbr4
\u7b49\u7f51\u6865\uff08\u7ebf\u8def\u5b9a\u4e49\u89c1\u4e0a\uff09\u3002\u5176\u4e2d\u65e0\u5934\u7f51\u6865\u7528\u4e8e\u4ece gateway-nic \u6865\u63a5 Tinc\u3002
\u786c\u76d8\u63a7\u5236\u5668\u4e0d\u8981\u4f7f\u7528 VirtIO SCSI Single \u6216 LSI \u5f00\u5934\u7684\u9009\u9879
\u53ef\u80fd\u7531\u4e8e ZFS \u6a21\u5757\u7684 bug \u6216\u8005\u5185\u5b58\u6761\u6545\u969c\uff0c\u4f7f\u7528\u8fd9\u4e9b\u6a21\u5f0f\u5728\u865a\u62df\u673a\u91cd\u542f\u65f6\u4f1a\u5bfc\u81f4\u6574\u4e2a Proxmox VE \u4e3b\u673a\u5361\u4f4f\u800c\u4e0d\u5f97\u4e0d\u91cd\u542f\u3002\u8bf7\u4f7f\u7528 VirtIO SCSI\uff08\u4e0d\u5e26 Single\uff09\u3002\u540c\u6837\u539f\u56e0\u521b\u5efa\u865a\u62df\u673a\u786c\u76d8\u65f6\u4e5f\u4e0d\u8981\u52fe\u9009 iothread\u3002
\u4e3b\u673a\u4f7f\u7528 ZFS\uff08Zvol\uff09\u4f5c\u4e3a\u865a\u62df\u673a\u7684\u865a\u62df\u786c\u76d8\uff0c\u5728\u865a\u62df\u673a\u4e2d\u542f\u7528 fstrim.timer
\uff08systemd \u7684 fstrim \u5b9a\u65f6\u4efb\u52a1\uff0c\u7531 util-linux
\u63d0\u4f9b\uff09\u53ef\u4ee5\u5b9a\u671f\u817e\u51fa\u4e0d\u7528\u7684\u7a7a\u95f4\uff0c\u5e2e\u52a9 ZFS \u66f4\u597d\u5730\u89c4\u5212\u7a7a\u95f4\u3002\u542f\u7528 fstrim \u7684\u865a\u62df\u786c\u76d8\u9700\u8981\u5728 PVE \u4e0a\u542f\u7528 discard
\u9009\u9879\uff0c\u5426\u5219 fstrim \u4e0d\u8d77\u4f5c\u7528\u3002\u8be5\u7279\u6027\u662f\u7531\u4e8e ZFS \u662f CoW \u7684\uff0c\u4e0e ZFS \u5e95\u5c42\u4f7f\u7528 SSD \u6ca1\u6709\u5173\u8054\u3002
esxi-5 \u4e5f\u4f4d\u4e8e\u7f51\u7edc\u4e2d\u5fc3\uff0c\u914d\u7f6e\u4e3a 2\u00d7 Xeon E5620\uff08Westmere-EP 4C8T, 2.40~2.66 GHz\uff09\uff0c48 GB \u5185\u5b58\uff0c\u4e24\u5757 240 GB SATA SSD \u548c\u4e00\u4e9b\u4e0d\u77e5\u9053\u574f\u4e86\u591a\u5c11\u7684 1 TB \u548c 2 TB HDD\uff08\u89c1\u4e0b\uff09\u3002\u7531\u4e8e\u673a\u8eab\u81ea\u5e26\u7684 RAID \u5361\u4e0d\u652f\u6301\u786c\u76d8\u76f4\u901a\uff08JBOD \u6a21\u5f0f\uff09\uff0c\u56e0\u6b64\u6211\u4eec\u5c06\u4e24\u5757 SSD \u5206\u522b\u505a\u6210\u5355\u76d8\u201c\u9635\u5217\u201d\u7136\u540e\u5728\u7cfb\u7edf\u91cc\u4f7f\u7528 LVM\uff08LVM \u89c4\u683c\u4e0e pve-5 \u76f8\u540c\uff09
\u987e\u540d\u601d\u4e49\u672c\u673a\u5668\u66fe\u7ecf\u8fd0\u884c\u7684\u662f VMware ESXi\uff0c\u5728 2022 \u5e74 1 \u6708\u91cd\u88c5\u4e3a Proxmox VE 7.1\uff0c\u56e0\u4e3a\u54b1\u4eec\u90fd\u662f\u7ea0\u7ed3\u602a\u6240\u4ee5\u51b3\u5b9a\u4e0d\u6539\u540d\uff0c\u8fd8\u53eb esxi-5\u3002\u8003\u8651\u5230\u8be5\u673a\u5668\u914d\u7f6e\u4e86\u591a\u4e2a\u786c\u76d8\u9635\u5217\uff0c\u4e14\u9635\u5217\u7684\u53ef\u7528\u5bb9\u91cf\u6bd4 pve-5 \u7684\u786c\u76d8\u7684\u539f\u59cb\u5bb9\u91cf\u8fd8\u5927\uff0c\u6211\u4eec\u5728\u4e0a\u9762\u52a0\u88c5 Proxmox Backup Server \u8f6f\u4ef6\uff0c\u4e3b\u8981\u7528\u4f5c\u865a\u62df\u673a\u5907\u4efd\uff0c\u66ff\u4ee3\u539f\u5148\u8fd0\u884c\u5728 ESXi \u4e0a\u7684 vSphereDataProtection \u865a\u62df\u673a\u3002
"},{"location":"infrastructure/proxmox/pve/#_1","title":"\u7f51\u7edc","text":"\u7f51\u7edc\u914d\u7f6e\u4e0e pve-5 \u76f8\u4f3c\uff0c\u5176\u4e0a\u6709\u4e24\u4e2a\u5343\u5146\u7f51\u5361 enp3s0 \u548c enp4s0\u3002enp3s0 \u8fde\u63a5\u7f51\u7edc\u4e2d\u5fc3\u7684\u4ea4\u6362\u673a\uff0c\u6865\u63a5\u4e0d\u540c\u7684 VLAN \u7f51\u7edc\u7ed9\u865a\u62df\u673a\uff0c\u5e76\u4e14\u5404 vmbrX \u7684\u6570\u5b57\u548c\u7aef\u53e3\u4e0e pve-5 \u4e00\u81f4\uff1b\u800c enp4s0 \u8fde\u63a5\u4e00\u4e2a\u5916\u90e8\u9635\u5217\uff08vdp2\uff09\uff0c\u4f7f\u7528 iSCSI \u8bbf\u95ee\u8be5\u9635\u5217\u3002
\u7531\u4e8e\u6211\u4eec\u53ea\u6709\u4e00\u4e2a gateway-nic\uff0c\u800c pve-5 \u548c esxi-5 \u4e24\u4e2a\u4e3b\u673a\u90fd\u4f9d\u8d56 gw-nic \u6865\u63a5\u7684 tinc \u6765\u63a5\u5165\u5185\u7f51\uff0c\u56e0\u6b64\u6211\u4eec\u5728 pve-5 \u548c esxi-5 \u4e4b\u95f4\u62c9\u4e86\u4e00\u6761 GRETAP \u96a7\u9053\uff0c\u5e76\u5728\u4e24\u4e2a\u4e3b\u673a\u4e0a\u5206\u522b\u5c06 VTEP \u6865\u63a5\u5230 vmbr1\u3002
\u53c2\u8003\u914d\u7f6e\uff1a
pve-5:/etc/network/interfacesauto gretap0esxi-5\niface gretap0esxi-5 inet manual\n pre-up ip link add name $IFACE mtu $IF_MTU type gretap local 10.38.95.115 remote 10.38.95.111\n post-down ip link delete $IFACE\n mtu 1500\n\nauto vmbr1\niface vmbr1 inet static\n address 10.254.0.240/21\n bridge-ports gretap0esxi-5\n bridge-stp off\n bridge-fd 0\n
esxi-5 \u8fd9\u7aef\u7684\u914d\u7f6e\u5219\u5c06\u5bf9\u5e94\u7684 iface \u540d\u79f0\u548c IP \u5730\u5740\u7b49\u5168\u90e8\u5bf9\u6362\u5373\u53ef\u3002
MTU \u95ee\u9898
2022 \u5e74 2 \u6708\u5904\u7406\u5185\u7f51 tinc ARP \u95ee\u9898\u65f6\u53d1\u73b0 esxi-5 \u548c pve-5 \u7684 vmbr1 MTU \u90fd\u88ab\u8bbe\u7f6e\u6210\u4e86 1462\uff08GRETAP \u7684\u9ed8\u8ba4 MTU\uff09\u3002\u6211\u4eec\u4e0d\u786e\u5b9a MTU \u95ee\u9898\u4e0e tinc \u662f\u5426\u76f8\u5173\uff0c\u4f46\u4fdd\u9669\u8d77\u89c1\u6211\u4eec\u8fd8\u662f\u5c06\u8be5 GRETAP \u754c\u9762\u7684 MTU \u8bbe\u7f6e\u6210\u4e86 1500\uff08GRE \u5177\u6709\u5206\u7247\u529f\u80fd\uff09\u3002
-pre-up ip link add name $IFACE type gretap local 10.38.95.115 remote 10.38.95.111\n+pre-up ip link add name $IFACE mtu $IF_MTU type gretap local 10.38.95.115 remote 10.38.95.111\n post-down ip link delete $IFACE\n+mtu 1500\n
"},{"location":"infrastructure/proxmox/pve/#iscsi","title":"iSCSI","text":"\u8bbe\u7f6e iSCSI \u5f00\u673a\u81ea\u52a8\u767b\u5f55\uff1a
iscsiadm -m node -T iqn.2002-10.com.infortrend:raid.sn8223150.001 -p 192.168.10.1:3260 -o update -n node.startup -v automatic\niscsiadm -m node -T iqn.2002-10.com.infortrend:raid.sn8223150.001 -p 192.168.10.1:3260 -o update -n node.conn[0].startup -v automatic\n
\u53c2\u8003\u94fe\u63a5\uff1ahttps://library.netapp.com/ecmdocs/ECMP1654943/html/GUID-8EC685B4-8CB6-40D8-A8D5-031A3899BCDC.html
\u8fc7\u65f6\u4fe1\u606f\u7531\u4e8e\u6211\u4eec\u6ca1\u6709\u7814\u7a76\u6e05\u695a open-iscsi \u7684\u5f00\u673a\u81ea\u52a8\u6302\u8f7d\u673a\u5236\uff0c\u56e0\u6b64\u6211\u4eec\u9009\u62e9\u76f4\u63a5 override \u5bf9\u5e94\u7684 service \u6765\u5b8c\u6210\u8fd9\u4e2a\u4efb\u52a1\uff1a
$ systemctl edit open-iscsi.service[Service]\nExecStart=\nExecStart=/sbin/iscsiadm -d8 -m node -T iqn.2002-10.com.infortrend:raid.sn8223150.001 -p 192.168.10.1:3260 --login\nExecStart=/lib/open-iscsi/activate-storage.sh\n
\u82e5 iSCSI \u8fde\u63a5\u6210\u529f\uff0c\u5e94\u8be5\u53ef\u4ee5\u5728\u7cfb\u7edf\u4e2d\u770b\u5230\u4e00\u4e2a\u65b0\u7684\u786c\u76d8\uff0c\u5bb9\u91cf\u4e3a 14.55 TiB\uff0c\u578b\u53f7\u663e\u793a\u4e3a RS-3116I-S42-6\u3002
"},{"location":"infrastructure/proxmox/pve/#rootfs-backup","title":"rootfs \u5907\u4efd","text":"\u5c3d\u7ba1 esxi-5 \u7684 rootfs \u4e5f\u4f7f\u7528\u4e86 LVM mirror \u5728\u4e24\u5757 SSD \u4e0a\u955c\u50cf\uff0c\u4f46\u662f\u6211\u4eec\u4e0d\u592a\u4fe1\u4efb\u8fd9\u5757 RAID \u5361\uff0c\u56e0\u6b64\u6211\u4eec\u5c06 esxi-5 \u7684 rootfs \u6bcf\u5929\u5907\u4efd\u5230 vdp2 \u4e0a\u3002\u4e3a\u4e86\u907f\u514d\u5728 vdp2 \u6389\u7ebf\u7684\u65f6\u5019\u4e71\u201c\u5907\u4efd\u201d\uff0c\u6211\u4eec\u4f7f\u7528\u4e00\u4e2a systemd \u670d\u52a1\uff0c\u8bbe\u7f6e\u4e86 RequiresMountsFor
\u4f9d\u8d56\uff1a
[Unit]\nDescription=Backup rootfs to vdp2\nRequiresMountsFor=/mnt/vdp2\n\n[Service]\nType=oneshot\nExecStart=/usr/bin/rsync -aHAXx --delete / /mnt/vdp2/rootfs/\n
crontab21 4 * * * systemctl start rootfs-backup.service\n
"},{"location":"infrastructure/proxmox/pve/#esxi-5-others","title":"\u5176\u4ed6\u8bb0\u5f55","text":"esxi-5 \u4e8e 2021/8 \u53d1\u73b0\u81ea\u5e26\u9635\u5217\u6709\u4e24\u5757\u574f\u76d8\uff0c\u5728\u66f4\u6362\u540e\u53d1\u73b0 storage \"root\"\uff08\u5b58\u653e vcenter \u865a\u62df\u673a\uff0c\u7ec4\u5efa RAID 1 \u540e\u5927\u5c0f 1.8 TB\uff09\u65e0\u6cd5\u6b63\u5e38 rebuild\uff0c\u5e76\u4e14 vcenter \u865a\u62df\u673a\u7684 vmdk \u6587\u4ef6\u6709 4 \u4e2a\u51fa\u73b0 I/O error\u3002\u6b64\u540e vcenter \u865a\u62df\u673a\u5df2\u7ecf\u8fc1\u79fb\u5230 storage \"data\" (RAID10, 7.2 TB) \u5e76\u6b63\u5e38\u5de5\u4f5c\u3002
"},{"location":"infrastructure/proxmox/pve/#records","title":"\u5de5\u4f5c\u8bb0\u5f55","text":""},{"location":"infrastructure/proxmox/pve/#migrate-docker2","title":"2021-12-31 \u8fc1\u79fb docker2","text":"docker2 \u539f\u5148\u4f7f\u7528 QEMU \u76f4\u63a5\u8fd0\u884c\u5728 mirrors2 \u4e0a\uff0c\u4e0b\u5c42\u5b58\u50a8\u4e3a ZFS Zvol\uff08pool0/qemu/docker2
\uff09\uff0c\u7531\u4e8e ZFS \u8c03\u53c2\u4e0d\u5f53\u4f7f\u5176\u5360\u7528\u4e86 3 \u500d\u7684\u786c\u76d8\u7a7a\u95f4\uff08\u89c1\u8fd9\u4e2a Reddit \u8d34\u5b50\uff09\uff0c\u52a0\u4e0a mirrors2 \u672c\u8eab\u5bf9\u5916\u63d0\u4f9b Rsync \u670d\u52a1\uff0c\u786c\u76d8\u8d1f\u8f7d\u6781\u9ad8\uff0c\u6240\u4ee5\u957f\u671f\u4ee5\u6765 docker2 \u7684 I/O \u6027\u80fd\u5341\u5206\u4f4e\u4e0b\u3002\u6b63\u597d\u501f\u8fd9\u6b21\u5168\u95ea\u7684\u65b0\u5bbf\u4e3b\u673a\u5c06\u5176\u8fc1\u79fb\u8fc7\u53bb\u3002
\u8fc1\u79fb\u65f6\u9700\u8981\u4fdd\u8bc1\u5b8c\u6574\u6027\u7684\u4e3b\u8981\u5185\u5bb9\u5c31\u662f\u865a\u62df\u673a\u5185\u7684\u4e1a\u52a1\uff0c\u56e0\u6b64\u9700\u8981\u5728\u4e3b\u673a\u95f4\u4f20\u8f93\u7684\u5185\u5bb9\u5c31\u662f\u865a\u62df\u78c1\u76d8\uff0c\u5176\u4ed6\u914d\u7f6e\uff08CPU\u3001\u5185\u5b58\u3001\u7f51\u5361\u7b49\uff09\u90fd\u53ef\u4ee5\u76f4\u63a5\u5728\u65b0\u5e73\u53f0\u4e0a\u521b\u5efa\u65b0\u865a\u62df\u673a\u65f6\u4fee\u6539\u3002\u539f\u672c\u6211\u4eec\u6253\u7b97\u4f7f\u7528 rsync \u6216\u8005 dd \u7684\u65b9\u5f0f\u590d\u5236\u78c1\u76d8\uff0c\u4f46\u662f\u8003\u8651\u5230\u4e24\u8fb9\u90fd\u662f ZFS\uff0c\u4f7f\u7528 zfs send
\u662f\u4e00\u4e2a\u66f4\u597d\u7684\u65b9\u6848\u3002
\u6211\u4eec\u5728 pve-5 \u4e0a\u8fd0\u884c nc -l -p 9999 </dev/null | pv | zfs recv rpool/data/docker2
\uff0c\u7136\u540e\u5728 mirrors2 \u4e0a\u5bf9 zvol \u5148\u6253\u4e2a\u5feb\u7167\uff0c\u8fd0\u884c zfs send pool0/qemu/docker2@20211230 > /dev/tcp/{pve-5}/9999
\u5c06\u5feb\u7167\u5185\u5bb9\u53d1\u9001\u5230 pve-5 \u4e0a\uff08300 GiB \u7684\u6570\u636e\u82b1\u8d39\u4e86 16 \u5c0f\u65f6\uff09\uff0c\u7136\u540e\u518d\u5c06 docker2 \u5173\u673a\u5e76\u589e\u91cf\u4f20\u8f93\uff0czfs send -i @20211230 pool0/qemu/docker2 > /dev/tcp/{pve-5}/9999
\uff08\u589e\u91cf\u4f20\u8f93\u53ea\u53d1\u9001\u4e86 10 GB \u6570\u636e\uff09\u3002\u540c\u65f6\u6211\u4eec\u5728 Proxmox \u7684 web \u754c\u9762\u4e0a\u521b\u5efa\u4e00\u4e2a\u65b0\u865a\u62df\u673a\uff0c\u914d\u597d CPU \u5185\u5b58\u7f51\u5361\u7b49\uff0c\u5206\u914d 300 GiB \u7684\u786c\u76d8\u3002
\u7531\u4e8e zfs send \u662f\u539f\u6837\u53d1\u9001\u7684\uff0c\u56e0\u6b64\u63a5\u6536\u5230\u7684 zvol \u786c\u76d8\u5360\u7528\u91cf\u4ecd\u7136\u6709 712 GB\u3002Proxmox \u65b0\u5efa\u7684 zvol \u53c2\u6570\u5c31\u6bd4\u8f83\u5408\u7406\uff08volblocksize=16k
\uff09\uff0c\u6ca1\u6709\u4e25\u91cd\u653e\u5927\u7684\u95ee\u9898\uff0c\u56e0\u6b64\u6211\u4eec\u518d\u5c06\u63a5\u6536\u5230\u7684 zvol \u7ed9 dd \u8fdb\u65b0\u865a\u62df\u673a\u7684 zvol \u800c\u4e0d\u662f\u76f4\u63a5\u4f7f\u7528\u3002dd \u7ed3\u679c\u7ea6 345 GiB\uff08\u5341\u5206\u5408\u7406\uff09\uff0c\u5f00\u673a\u8fdb\u7cfb\u7edf\u8fd0\u884c fstrim \u4e4b\u540e\u5360\u7528\u91cf\u7ea6\u4e3a 240 GiB\uff08\u66f4\u52a0\u5408\u7406\u4e86\uff09\u3002
\u8fc1\u79fb\u8fc7\u7a0b\u6ca1\u6709\u9047\u5230\u4efb\u4f55\u5751\uff0c\u4ec5\u6709\u7684\u6ce8\u610f\u4e8b\u9879\u5c31\u662f zvol \u8c03\u53c2\u9700\u8981\u91cd\u65b0 dd \u800c\u4e0d\u80fd\u76f4\u63a5\u6539\uff0c\u4ee5\u53ca\u521b\u5efa\u7f51\u5361\u7684\u987a\u5e8f\uff08\u4f1a\u5f71\u54cd\u865a\u62df\u673a\u5185\u90e8 eth0 \u548c eth1 \u7684\u987a\u5e8f\uff0c\u9664\u975e\u865a\u62df\u673a\u5185\u90e8\u4f7f\u7528 udev persistent net \u65b9\u5f0f\u6839\u636e MAC \u5730\u5740\u5c06\u7f51\u5361\u6539\u540d\uff09\u3002
"},{"location":"infrastructure/proxmox/pve/#esxi-5-syslog-zfs-error-cannot-open-rpool-no-such-pool","title":"esxi-5 \u7684 syslog \u4e00\u76f4\u51fa\u73b0 zfs error: cannot open 'rpool': no such pool","text":"\u8fd9\u662f\u56e0\u4e3a esxi-5 \u4e0a\u9762\u6839\u672c\u5c31\u6ca1\u6709\u4f7f\u7528 ZFS\uff0c\u800c\u52a0\u5165 pve-5 \u7684\u96c6\u7fa4\u65f6\u865a\u62df\u673a\u7684\u5b58\u50a8\u4fe1\u606f\uff08/etc/pve/storage.cfg
\uff09\u4e5f\u4ece pve-5 \u540c\u6b65\u8fc7\u6765\u5408\u5e76\u4e86\uff0c\u56e0\u6b64 esxi-5 \u5728\u6839\u636e pve-5 \u7684\u914d\u7f6e\u5c1d\u8bd5\u542f\u7528 zfs \u5b58\u50a8\u3002
\u89e3\u51b3\u529e\u6cd5\uff1a\u7531\u4e8e /etc/pve
\u4e0b\u5927\u591a\u6570\u5185\u5bb9\u5728\u96c6\u7fa4\u95f4\u662f\u540c\u6b65\u7684\uff0c\u6253\u5f00 storage.cfg
\uff0c\u5728 zfspool: local-zfs
\u4e0b\u9762\u52a0\u5165\u4e00\u884c\uff0c\u7f29\u8fdb\u4e00\u4e2a Tab \u5e76\u52a0\u4e0a nodes pve-5
\uff0c\u8868\u793a\u8fd9\u4e2a storage \u53ea\u5728 pve-5 \u4e0a\u4f7f\u7528\u3002
pve-6 \u4f4d\u4e8e\u4e1c\u56fe\uff0c\u662f\u4e00\u53f0 HP DL380G6\uff0c\u914d\u7f6e\u4e3a 2\u00d7 Xeon E5620 (Westmere 4C8T, 2.50 GHz), 72 GB \u5185\u5b58\u548cl\u4e24\u5757 300 GB \u7684 SAS \u786c\u76d8\u3002\u66fe\u7ecf\u53eb\u505a esxi-6\uff0c\u5728 2022 \u5e74 1 \u6708\u7edf\u4e00\u66f4\u6362\u4e3a Proxmox VE\u3002
\u673a\u5668\u6709\u4e24\u4e2a\u7f51\u5361\uff0c\u5171\u6709 4 \u4e2a 1 Gbps \u7684\u63a5\u53e3\uff0c\u5176\u4e2d 3 \u4e2a\u90fd\u63a5\u5728 VLAN \u4ea4\u6362\u673a\u4e0a\uff08\u53e6\u4e00\u4e2a\u4e0d\u77e5\u9053\u63a5\u4e86\u5565\uff09\uff0c\u901a\u8fc7 VLAN \u540c\u65f6\u8fde\u63a5\u56fe\u4e66\u9986\u7684\u4e24\u4e2a\u7f51\u6bb5\u4ee5\u53ca\u7ecf\u7531 gateway-el \u6865\u63a5\u7684\u5185\u7f51\uff0c\u4ee5\u53ca\u8fde\u63a5 vdp \u6302\u8f7d NFS\u3002
HP Smart Array
HP \u7684\u81ea\u5e26 RAID \u5361\u7ba1\u7406\u8f6f\u4ef6\u53ef\u4ee5\u5728 http://downloads.linux.hpe.com/SDR/repo/mcp/Debian/pool/non-free/ \u4e0b\u8f7d\uff0c\u5b89\u88c5 ssacli
\u8f6f\u4ef6\u5305\u3002\u76f8\u5173\u4f7f\u7528\u65b9\u6cd5\u53ef\u4ee5\u53c2\u8003 https://sleeplessbeastie.eu/2017/03/06/how-to-use-hp-command-line-array-configuration-utility/\u3002
\u6ce8\u610f
LUG \u7684\u4e3b\u9875\u4e0a\u8fd8\u6709\u4e00\u4efd\u300a\u7f51\u7edc\u670d\u52a1\u5217\u8868\u300b \uff0c\u5982\u679c\u6709\u670d\u52a1\u72b6\u6001\u6539\u53d8\uff0c\u8bb0\u5f97\u540c\u6b65\u66f4\u65b0\u4e3b\u9875\u4e0a\u7684\u5217\u8868\u3002
"},{"location":"services/#mirrors","title":"Mirrors \u955c\u50cf\u7ad9","text":"\u670d\u52a1\u5668\uff1a
\u955c\u50cf\u7ad9\u65e5\u5fd7\u4f1a\u5907\u4efd\u81f3 mirrorlog \u865a\u62df\u673a\u4e0a\u3002
"},{"location":"services/#auth-dns","title":"\u6743\u5a01 DNS","text":"\u4ee5\u4e0b\u5185\u5bb9\u7531 GPT-4 \u751f\u6210
User: \u5411\u65b0\u624b\u8fd0\u7ef4\u4ecb\u7ecd\u4ec0\u4e48\u662f\u6743\u5a01 DNS
Bot: \u6743\u5a01DNS\uff08Authoritative DNS\uff09\u670d\u52a1\u662f\u56e0\u7279\u7f51\u57df\u540d\u7cfb\u7edf\uff08DNS\uff09\u7684\u4e00\u90e8\u5206\uff0c\u5b83\u8d1f\u8d23\u5904\u7406\u5173\u4e8e\u5176\u8d1f\u8d23\u7ba1\u7406\u7684\u4e00\u7ec4\u57df\u540d\u7684\u67e5\u8be2\u3002\u8fd9\u4e9bDNS\u670d\u52a1\u5668\u5e26\u6709\u5173\u4e8e\u4ed6\u4eec\u6240\u8d1f\u8d23\u57df\u7684\u6240\u6709\u5fc5\u8981\u6570\u636e\uff0c\u5e76\u4ece\u7ba1\u7406\u8be5\u57df\u7684\u4eba\u6216\u7ec4\u7ec7\u4e2d\u6536\u5230\u66f4\u65b0\u3002
\u6bd4\u5982\uff0c\u5982\u679c\u4f60\u5728\u6d4f\u89c8\u5668\u4e2d\u8f93\u5165\u4e00\u4e2a\u7f51\u7ad9\u5730\u5740\uff0c\u4f60\u7684\u8bf7\u6c42\u9996\u5148\u53d1\u9001\u5230\u9012\u5f52DNS\u670d\u52a1\u5668\uff0c\u7136\u540e\u9012\u5f52\u670d\u52a1\u5668\u67e5\u8be2\u6743\u5a01DNS\u670d\u52a1\u5668\u6765\u83b7\u53d6\u5bf9\u5e94\u7684IP\u5730\u5740\u3002\u6743\u5a01\u670d\u52a1\u5668\u5c31\u662f\u201c\u6743\u5a01\u201d\u8d44\u6e90\uff0c\u80fd\u591f\u544a\u8bc9\u9012\u5f52\u670d\u52a1\u5668\u5bf9\u5e94\u7684IP\u5730\u5740\u662f\u4ec0\u4e48\u3002\u8fd9\u4e2a\u8fc7\u7a0b\u88ab\u79f0\u4e3aDNS\u89e3\u6790\u3002
\u603b\u7684\u6765\u8bf4\uff0c\u6743\u5a01DNS\u670d\u52a1\u5668\u5c31\u662f\u5b58\u50a8\u3001\u7ba1\u7406\u5e76\u54cd\u5e94\u7279\u5b9a\u57df\u540d\u4fe1\u606f\u7684\u201c\u6743\u5a01\u201d\u6765\u6e90\u3002
\u6211\u4eec\u7684\u6743\u5a01 DNS \u670d\u52a1\u5668\u63d0\u4f9b\u4e86\u4e0e LUG \u6709\u5173\u7684\u57df\u540d\u7684\u76f8\u5173\u89e3\u6790\u4fe1\u606f\uff0c\u540c\u65f6\u4e5f\u662f\u4e00\u4e2a\uff08\u901a\u8fc7\u57df\u540d\uff09\u53ef\u4ee5\u6982\u89c8 LUG \u66fe\u7ecf\u4e0e\u76ee\u524d\u6709\u7684\u670d\u52a1\u7684\u5730\u65b9\u3002
"},{"location":"services/#lug-ftp","title":"LUG FTP","text":"\u4e3b\u670d\u52a1\u5668\uff1avdp.s.ustclug.org
\uff0cSSH \u7aef\u53e3 2222\u3002\u5bf9\u5916\u63d0\u4f9b HTTP(S)\uff08\u6587\u4ef6\u5217\u8868\uff09\u4e0e FTP \u670d\u52a1\u3002\u540c\u65f6\u63a5\u5165 LDAP\uff0c\u6bcf\u4e2a LDAP \u7528\u6237\u90fd\u53ef\u4ee5\u4f7f\u7528 LUG FTP \u5b58\u50a8\u81ea\u5df1\u7684\u6587\u4ef6\u3002
\u4e0e\u6b64\u540c\u65f6\uff0cvdp \u4e5f\u627f\u62c5\u4e86\u4f7f\u7528 NFS \u5411 PVE \u670d\u52a1\u5668\u63d0\u4f9b\u4e00\u90e8\u5206\u5b58\u50a8\u7684\u4efb\u52a1\u3002
"},{"location":"services/#gitlab","title":"LUG GitLab","text":"\u4e3b\u670d\u52a1\u5668\uff1agitlab.s.ustclug.org
\uff0cSSH \u7aef\u53e3 2222\u3002
\u662f\u591a\u4e2a HTTP \u670d\u52a1\u7684\u5165\u53e3\u3002
\u7531\u4e8e\u653f\u7b56\u548c\u5408\u89c4\u6027\u539f\u56e0\uff0c\u6211\u4eec\u5bf9\u4f7f\u7528\u4e3b\u9875\u53cd\u4ee3\u7684\u57df\u540d\u91c7\u7528\u4e86\u5206\u7ebf\u8def\u89e3\u6790\u7684\u65b9\u6848\uff0c\u5176\u4e2d\u7edd\u5927\u90e8\u5206\u57df\u540d\u5728\u6821\u5916\u90fd\u89e3\u6790\u5230 gateway-jp\uff0c\u5728\u6821\u5185\u89e3\u6790\u5230 gateway-nic\u3002\u8fd9\u4e24\u53f0\u670d\u52a1\u5668\u5747\u63a5\u5165 tinc \u5185\u7f51\uff0c\u91c7\u7528\u540c\u4e00\u5957 Nginx \u914d\u7f6e\uff0c\u4e3a\u5185\u7f51\u670d\u52a1\u5668\u63d0\u4f9b HTTP \u53cd\u4ee3\u3002
\u5b8c\u6574\u5217\u8868\u8bf7\u5728 auth-dns \u4ed3\u5e93\u5185\u5bfb\u627e CNAME \u5230 gateway.cname.ustclug.org.
\u7684\u57df\u540d\u3002
\u4e00\u4e9b\u4f8b\u5916\uff1a
ldap
\u670d\u52a1\u5668\u4e0a\uff0c\u5e76\u4e14\u4f7f\u7528 Apache2\uff0c\u5efa\u8bae\u522b\u52a8\uff09*.cdn.cloudflare.net.
\u7684\u57df\u540dweb-cf.cname.ustclug.org.
\u7684\u57df\u540d\u540e\u7aef\u662f docker2 \u4e0a\u7684 website
\u5bb9\u5668\u3002
\u89c1 ustclug/website \u4ed3\u5e93\u7684 README\u3002
tky: planet \u73b0\u5728\u7f3a\u4e4f\u7ef4\u62a4\uff0c\u5e0c\u671b\u80fd\u6709\u4eba\u628a\u5b83\u641e\u8d77\u6765\u3002
"},{"location":"services/#linux-101","title":"Linux 101","text":"\u540e\u7aef\u662f docker2 \u4e0a\u7684 linux101
\u5bb9\u5668\u3002
\u89c1 ustclug/Linux101-docs \u4ed3\u5e93\u7684 README\u3002
"},{"location":"services/#getvpn","title":"\u7533\u8bf7\u7cfb\u7edf","text":"\u4e00\u4e2a\u4f7f\u7528 Flask \u7f16\u5199\u7684 web \u5e94\u7528\uff0c\u90e8\u7f72\u4e86\u4e24\u5957\uff0c\u5206\u522b\u63d0\u4f9b LUG VPN \u548c Light \u7684\u7533\u8bf7\u670d\u52a1\u3002\u5176\u4e2d\uff1a
lugvpn-web
\uff09\uff1b\u57df\u540d\uff1a*.proxy.ustclug.org
\u4f5c\u4e3a\u955c\u50cf\u7ad9\u670d\u52a1\u7684\u4e00\u90e8\u5206\uff0cgateway-jp/nic \u4e5f\u5206\u522b\u4e3a\u6821\u5916\u5185\u63d0\u4f9b\u53cd\u5411\u4ee3\u7406\u5217\u8868\u7684\u53cd\u5411\u4ee3\u7406\u670d\u52a1\u3002
"},{"location":"services/#qt-guide-opensuse-guide","title":"Qt Guide \u548c openSUSE Guide","text":"\u7531 @winland0704 \u8d1f\u8d23\u7f16\u5199\u5185\u5bb9\uff0c\u6211\u4eec\u5e2e\u52a9\u6258\u7ba1\uff0c\u5e73\u65f6\u653e\u7740\u4e0d\u52a8\u5c31\u884c\u3002
\u540e\u7aef\u662f docker2 \u4e0a\u7684\u4e24\u4e2a\u5bb9\u5668 qtguide
\u548c opensuse-guide
\u3002
TODO: servers \u4e0e status \u7684\u5408\u5e76\u5de5\u4f5c\u3002
"},{"location":"services/#lug-vpn","title":"LUG VPN","text":"\u4e3b\u670d\u52a1\u5668\uff1avpnstv.s.ustclug.org
\uff08\u865a\u62df\u673a\uff0cNIC \u673a\u623f\uff09
RADIUS \u8ba4\u8bc1\u670d\u52a1\u5668\uff1aradius.s.ustclug.org
\uff0c\u540c\u65f6\u8fd0\u884c\u4e86 FreeRADIUS \u548c\u5b83\u7684 MySQL \u6570\u636e\u5e93\u3002
\u53e6\u6709\u65e7\u7684 vpn.s.ustclug.org
\u8fd0\u884c\u5728\u4e1c\u56fe\uff0c\u6682\u4e0d\u9700\u8981\u5173\u6ce8\u3002
\u76f8\u5173\u5185\u5bb9\u89c1 hackergame \u5185\u90e8\u6587\u6863\u3002
"},{"location":"services/#docker2","title":"\u5404\u7c7b Docker \u670d\u52a1","text":"Docker2 \u662f\u4e13\u804c\u8d1f\u8d23\u8fd0\u884c\u5bb9\u5668\u7684\u673a\u5668\u3002
"},{"location":"services/#adrain","title":"Adrain","text":"ustcflyer\uff08\u79d1\u5927\u98de\u8dc3\u624b\u518c\u7f51\u7ad9\uff09\u7684\u524d\u8eab\uff0c\u76ee\u524d\u4fdd\u6301\u8fd0\u884c\u3002
tky: ustcflyer \u6ca1\u6709\u5b9e\u73b0\u7ed9 session \u5220\u5bf9\u5e94\u8bc4\u8bba\u7684\u529f\u80fd\uff0c\u6240\u4ee5 adrain \u6ca1\u6709\u4e0b\u7ebf\u3002
"},{"location":"services/#grafana","title":"Grafana","text":"LUG \u7684\u76d1\u63a7\u7ad9\u70b9\u3002
"},{"location":"services/#ldap","title":"LDAP","text":""},{"location":"services/#mail","title":"Mail","text":"\u4e3a\u670d\u52a1\u5668\u3001IPMI \u7b49\u63d0\u4f9b\u7684\u5185\u90e8\u90ae\u4ef6\u670d\u52a1\u3002
[WIP]: \u9700\u8981\u8865\u5145
"},{"location":"services/#pve","title":"\u865a\u62df\u5316\uff1aPVE \u4e0e PBS","text":"PVE: \u63d0\u4f9b\u865a\u62df\u5316\u652f\u6301\uff1bPBS: PVE \u7684\u865a\u62df\u673a\u5907\u4efd\u3002
"},{"location":"services/#pxe","title":"PXE","text":"\u7f51\u7edc\u542f\u52a8\u670d\u52a1\uff0c\u8d1f\u8d23\u4e3a\u5168\u6821\u673a\u5668\u63d0\u4f9b\u63d2\u7f51\u53e3\u5373\u53ef\u5b89\u88c5\u7cfb\u7edf\u7684\u529f\u80fd\uff0c\u4ee5\u53ca\u4e3a\u56fe\u4e66\u9986\u67e5\u8be2\u673a\u63d0\u4f9b\u955c\u50cf\u3002
"},{"location":"services/#others","title":"\u5176\u4ed6","text":"\u6b64\u5904\u6240\u5217\u51fa\u7684\u201c\u670d\u52a1\u201d\u6ca1\u6709\u4f7f\u7528\u6211\u4eec\u81ea\u5df1\u7684\u670d\u52a1\u5668\u8d44\u6e90\uff0c\u90fd\u6258\u7ba1\u5728\u5916\u90e8\u5e73\u53f0\u4e0a\uff0c\u4ec5\u57df\u540d\uff08\u5373 DNS\uff09\u7531\u6211\u4eec\u7ef4\u62a4\u3002
"},{"location":"services/#documentations","title":"\u6280\u672f\u6587\u6863","text":"\u4e5f\u5c31\u662f\u672c\u6587\u6863\uff0c\u8fd0\u884c\u5728 Cloudflare Pages \u4e0a\u3002
"},{"location":"services/#ghauth","title":"GHAuth","text":"https://ghauth.ustclug.org
\u7528\u4e8e\u53cc\u5411\u9a8c\u8bc1 GitHub \u8d26\u53f7\u4e0e\u79d1\u5927\u5b66\u53f7\u7684\u670d\u52a1\uff08\u7c7b\u4f3c\u4e8e https://qq.ustc.life\uff09\uff0c\u76ee\u524d\u5904\u4e8e\u95f2\u7f6e\uff0c\u8fd0\u884c\u5728 iBug \u7684 AWS Lambda \u4e0a\u3002
"},{"location":"services/#discontinued","title":"\u5df2\u5e9f\u5f03\u670d\u52a1","text":""},{"location":"services/discontinued/","title":"Discontinued Services","text":"\u672c\u9875\u9762\u8bb0\u8f7d\u66fe\u7ecf\u63d0\u4f9b\u7684\u670d\u52a1\uff0c\u4f46\u662f\u7531\u4e8e\u67b6\u6784\u6539\u53d8\u6216\u670d\u52a1\u8fc1\u79fb\uff0c\u8fd9\u4e9b\u670d\u52a1\u4e0d\u518d\u4ee5\u539f\u6765\u7684\u5f62\u5f0f\u63d0\u4f9b\uff0c\u5e76\u53ef\u80fd\u5728\u539f\u5904\u6709\u6b8b\u7559\u7684\u914d\u7f6e\u6587\u4ef6\u3002
\u901a\u5e38\u60c5\u51b5\u4e0b\u6b8b\u7559\u7684\u914d\u7f6e\u6587\u4ef6\u53ef\u4ee5\u76f4\u63a5\u5220\u9664\uff0c\u4f46\u662f\u4fdd\u9669\u8d77\u89c1\uff0c\u4ecd\u7136\u5efa\u8bae\u5728 Internals \u7fa4\u91cc\u5148\u8be2\u95ee\u4e00\u4e0b\u518d\u5904\u7406\u3002
"},{"location":"services/discontinued/#docker-registry","title":"Docker Registry","text":"\u66fe\u7ecf\u8fd0\u884c\u5728 docker2 \u4e0a\uff0c\u73b0\u5728 LUG \u7684 Docker \u955c\u50cf\u5df2\u8f6c\u79fb\u81f3 Docker Hub\u3002
"},{"location":"services/discontinued/#freeshell","title":"Freeshell","text":"\uff08\u672a\u5b8c\u5f85\u7eed\uff0c\u914d\u7f6e\u6587\u4ef6\u5148\u4fdd\u7559\uff09
"},{"location":"services/discontinued/#ustc-blog","title":"USTC Blog","text":"Refer to Gitlab Wiki.
"},{"location":"services/discontinued/#telegram-web","title":"Telegram Web","text":"Service\uff1atelegram.ustclug.org
Repository\uff1agithub.com/ustclug/telegram-web
DockerHub\uff1austclug/telegram-web
Deployment\uff1atelegram-web.sh
Servers\uff1a
Blog\uff1aadd-telegram-web-service
"},{"location":"services/discontinued/#ustc-life","title":"USTC Life","text":"USTC Life is a navigation page, which included useful sites in USTC.
Service: ustc.life
2020-04-09 \u66f4\u65b0\u4fe1\u606f
\u76ee\u524d\uff0cUSTC Life \u670d\u52a1\u6258\u7ba1\u5728 GitHub Pages \u4e0a\uff0c\u4ed3\u5e93\u4e5f\u5df2\u8f6c\u79fb\u81f3 SmartHypercube/ustclife\uff0c\u7531 Hypercube \u8d1f\u8d23\u7ef4\u62a4\u3002\u4ee5\u4e0b\u5185\u5bb9\u4ec5\u4e3a\u5386\u53f2\u8bb0\u5f55\u3002
Git Repository: github.com/ustclug/ustclife
DockerHub: ustclug/ustclife
server: docker2.s.ustclug.org
deploy: /srv/webhook/ustclife.sh
webhook from DockerHub: /srv/webhook/hooks.json
"},{"location":"services/discontinued/#wordpress-based-serversustclugorg-planetustclugorg","title":"Wordpress-based servers.ustclug.org & planet.ustclug.org","text":"\u4e3a\u4e86\u51cf\u5c0f\u653b\u51fb\u9762\u4e0e\u7ef4\u62a4\u6210\u672c\uff0cservers.ustclug.org \u8fc1\u79fb\u5230\u4e86\u57fa\u4e8e Jekyll \u7684\u65b9\u6848\uff1bplanet.ustclug.org \u5728\u65e9\u524d\u5df2\u7ecf\u6574\u5408\u5230\u4e86 LUG \u4e3b\u7ad9\u4e2d\u3002
"},{"location":"services/discontinued/#mail-list","title":"Mail List","text":"Plugin Email Subscribers & Newsletters on servers.ustclug.org
sends a mail to Google Group when a new article posted on mirrors catalogue.
The mails are sent from servers@ustclug.org
, which is a member of Google Group with write permission.
Google Group: ustc-mirrors@googlegroups.com
"},{"location":"services/docker2/","title":"Docker services","text":"Server: docker2.s.ustclug.org
Provides Docker container environment for other services. All non-system services should be run as Docker containers on this host.
Methods to run individual containers are maintained in the ustclug/docker-run-script repository.
"},{"location":"services/docker2/#special-configurations","title":"Special configurations","text":""},{"location":"services/docker2/#network-interfaces","title":"Network interfaces","text":"We use udev rules to assign consistent names to network interfaces, identified by their MAC addresses.
/etc/udev/rules.d/70-persistent-net.rulesSUBSYSTEM==\"net\", ACTION==\"add\", DRIVERS==\"?*\", ATTR{address}==\"00:50:56:9f:00:22\", NAME=\"Telecom\"\nSUBSYSTEM==\"net\", ACTION==\"add\", DRIVERS==\"?*\", ATTR{address}==\"00:50:56:9f:00:5b\", NAME=\"Mobile\"\nSUBSYSTEM==\"net\", ACTION==\"add\", DRIVERS==\"?*\", ATTR{address}==\"00:50:56:9f:00:5d\", NAME=\"ustclug\"\n
We then refer to these interfaces using their new names in /etc/network/interfaces
to ensure consistent network configuration.
2022 \u5e74 2 \u6708 21 \u65e5\u66f4\u65b0
\u4eca\u65e5\u53d1\u73b0 docker2 \u65e0\u6cd5\u8fde\u63a5\u5bb9\u5668\u7f51\u7edc\uff0810.254.1.0/21\uff09\uff0c\u8c03\u8bd5\u540e\u53d1\u73b0\u4e3a Linux macvlan \u7f51\u7edc\u7279\u6027\uff08Stack Overflow\uff09\u3002\u4e3a\u4e86\u4fee\u590d\u8fde\u63a5\u95ee\u9898\uff0c\u8fdb\u884c\u4e86\u4ee5\u4e0b\u4fee\u6539\uff1a
/etc/udev/rules.d/70-persistent-net.rules
\u4e2d Policy
\u66f4\u540d\u4e3a ustclug
\uff1b\u5728 /etc/network/interfaces
\u4e2d\u8bbe\u7f6e Policy
\u548c ustclug
\u4e24\u4e2a interface \u7684\u76f8\u5173\u914d\u7f6e\u5982\u4e0b\uff1a
auto Policy\niface Policy inet static\n address 10.254.0.16/21\n pre-up ip link add $IFACE link ustclug type macvlan mode bridge\n post-down ip link del $IFACE\n\nauto ustclug\niface ustclug inet manual\n
docker2 \u4e0a\u9762\u7684 Docker \u4f7f\u7528 macvlan \u6765\u5c06\u865a\u62df\u673a\u63a5\u5165 lugi \u5185\u7f51\uff0c\u56e0\u6b64\u5c06 macvlan \u7684\u4e3b\u7aef\u53e3 Policy \u914d\u7f6e\u4e3a docker.service
\u7684\u5f3a\u4f9d\u8d56\u3002
[Unit]\nBindsTo=sys-subsystem-net-devices-Policy.device\nAfter=sys-subsystem-net-devices-Policy.device\n
\u5b9e\u9645\u4e0a After=network-online.target
\u5c31\u591f\u4e86\uff0c\u4f46\u662f\u51fa\u4e8e\u5386\u53f2\u539f\u56e0\u4f7f\u7528\u4e86 BindsTo
\u5f3a\u4f9d\u8d56\u5185\u7f51\u7aef\u53e3\uff0c\u8fd9\u662f\u56e0\u4e3a docker2 \u66fe\u7ecf\u5355\u72ec\u8fd0\u884c tinc \u63a5\u5165\u5185\u7f51\uff0c\u800c tinc \u7684\u7aef\u53e3\u53ea\u5728 tinc \u542f\u52a8\u540e\u624d\u4f1a\u51fa\u73b0\uff08\u624d\u80fd\u5206\u51fa macvlan \u5b50\u7aef\u53e3\uff09\uff0c\u56e0\u6b64\u4f7f\u7528 BindsTo
\u4fdd\u8bc1 docker \u968f\u8be5\u7aef\u53e3\u7684\u51fa\u73b0\u548c\u6d88\u5931\u800c\u542f\u52a8/\u505c\u6b62\u3002
2022 \u5e74 1 \u6708 15 \u65e5\u4ee5\u540e docker2 \u4e0e\u5176\u4ed6\u865a\u62df\u673a\u4e00\u6837\u901a\u8fc7 gateway-nic \u6865\u63a5\u7684 tinc \u63a5\u5165\u5185\u7f51\uff0c\u4e0d\u518d\u5355\u72ec\u8fd0\u884c tinc\u3002
"},{"location":"services/docker2/#opensuse-guide-qtguide","title":"opensuse-guide \u4e0e qtguide \u6bcf\u65e5\u66f4\u65b0","text":"\u7531\u4e8e\u6ca1\u6709\u8bbe\u7f6e webhook\uff0c\u76ee\u524d\u914d\u7f6e\u4e86 systemd timer\uff0c\u6267\u884c /srv/docker/guide
\u4e2d\u7684\u811a\u672c\uff0c\u4ee5\u5206\u522b\u5728\u6bcf\u65e5\u665a\u4e0a 23:15 \u548c 23:30 \u66f4\u65b0 opensuse-guide \u548c qtguide \u4e24\u4e2a\u5bb9\u5668\u7684 image \u5e76\u91cd\u542f\u5bb9\u5668\u3002
\u8be6\u7ec6\u7684\u914d\u7f6e\u6587\u4ef6\u53ef\u67e5\u770b docker-run-script \u4e2d\u7684 opensuse-guide \u548c qtguide \u4e24\u4e2a\u6587\u4ef6\u5939\u3002
"},{"location":"services/docker2/#workflows-troubleshooting","title":"Workflows & Troubleshooting","text":""},{"location":"services/docker2/#docker-pingd","title":"Docker \"pingd\"","text":"\u66f4\u65b0
\u95ee\u9898\u5df2\u7ecf\u67e5\u660e\u4e3a Debian \u7684 Linux \u5185\u6838 bug (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=952660)\uff0c\u5df2\u7ecf\u901a\u8fc7\u66f4\u65b0\u5185\u6838\u5e76\u91cd\u542f\u800c\u89e3\u51b3\u3002\u4ee5\u4e0b\u5185\u5bb9\u4ec5\u4f5c\u5b58\u6863\u3002
\u51fa\u4e8e\u672a\u77e5\u539f\u56e0\u6709\u65f6\u5019\u5916\u90e8\u4e3b\u673a\u4f1a\u65e0\u6cd5\u4e3b\u52a8\u8fde\u901a Docker \u5bb9\u5668\uff08\u53ef\u80fd\u4e0e ARP \u6709\u5173\uff09\uff0c\u4f46\u662f\u5982\u679c\u67d0\u4e2a\u5bb9\u5668\u5148 ping \u4e86\u4e00\u4e0b\u5916\u90e8\u4e3b\u673a\uff0c\u5c31\u80fd\u53cc\u5411\u8fde\u901a\u4e86\u3002
\u7531\u4e8e\u6211\u4eec\u6682\u672a\u627e\u5230\u6b63\u5e38\u7684\u89e3\u51b3\u65b9\u6848\uff0c\u56e0\u6b64\u4f7f\u7528 \u201cping daemon\u201d \u4f5c\u4e3a\u4e00\u4e2a workaround\uff0c\u5728\u5bb9\u5668\u4e2d\u8fd0\u884c ping \u4fdd\u6301\u5916\u90e8\u4e3b\u673a\u7684\u8fde\u901a\u6027\u3002
docker-pingd@.service[Unit]\nDescription=Docker pingd service %I\nDocumentation=man:ping(8)\nAfter=network.target\nStartLimitIntervalSec=0\n\n[Service]\nType=simple\nUser=root\nGroup=root\nExecStart=/bin/sh -c 'IVAR=\"%i\"; exec /usr/bin/docker exec \"$${IVAR%:*}\" ping -q -s 32 \"$${IVAR#*:}\"'\nExecStop=/bin/kill -s INT $MAINPID\nRestart=on-failure\nRestartSec=3\n\n[Install]\nWantedBy=multi-user.target\nAlias=docker-ping@.service\n
\u4f7f\u7528\u65b9\u5f0f\uff1asystemctl enable docker-pingd@container:host.service
\uff0ccontainer
\u6362\u6210\u5bb9\u5668\u540d\uff0chost
\u6362\u6210 ping \u7684\u76ee\u6807\u3002
Trick \u4ecb\u7ecd\uff1aSystemd service \u914d\u7f6e\u6682\u4e0d\u652f\u6301\u591a\u4e2a\u6a21\u677f\u53c2\u6570 %i
\uff0c\u56e0\u6b64\u8c03\u7528 shell \u6765\u89e3\u6790\u53c2\u6570\u3002Ref: https://github.com/systemd/systemd/issues/14895#issuecomment-612270690
taoky
\u5f88\u9ebb\u70e6\uff0c\u5efa\u8bae lug \u4ee5\u540e\u518d\u4e5f\u522b\u7528\uff08\u522b\u5f00\u65b0\u7684\uff09wordpress \u4e86\u3002
servers \u4e0e\u65e7 planet \u4f7f\u7528 WordPress\uff0c\u6258\u7ba1\u5728 docker2 \u4e0a\u3002\u56e0\u4e3a docker2 \u73b0\u5728\u78c1\u76d8 IO \u5f88\u6162\uff0c\u6240\u4ee5\u53ef\u80fd\u4f1a\u51fa\u73b0\u4e00\u4e9b\u989d\u5916\u7684\u95ee\u9898\u3002
\u63a8\u8350\u4f7f\u7528 https://wp-cli.org/#installing\u3002\u547d\u4ee4\uff1a
chmod +x wp-cli.phar\nmv wp-cli.phar /usr/local/bin/wp\ncd /var/www/public/\nsudo -u www-data -- wp core update --version=5.8.1 /tmp/wordpress-5.8.1.zip\n
\u5bb9\u5668\u91cc sudo \u8981\u624b\u52a8\u88c5\u3002
\u4ee5\u4e0b\u5185\u5bb9\u4ec5\u4f9b\u53c2\u8003\u3002
\u5c1d\u8bd5\u5347\u7ea7\u65f6\u5982\u679c\u672a\u51fa\u73b0\u5347\u7ea7\u63d0\u793a\uff0c\u53ef\u4ee5\u4fee\u6539\uff1a
wp-includes/update.php
\uff0c\u5c06\u51fd\u6570 wp_version_check()
\u4e2d $doing_cron ? 3 : 30
\u4fee\u6539\u4e3a $doing_cron ? 30 : 30
\u3002wp-admin/includes/update.php
\uff0c\u5c06\u51fd\u6570 get_core_checksums()
\u4e2d\u5bf9\u5e94\u7684\u90e8\u5206\u4fee\u6539\u4e3a $doing_cron ? 30 : 30
\u3002\u5982\u679c\u51fa\u73b0\u300c\u53e6\u4e00\u66f4\u65b0\u6b63\u5728\u8fd0\u884c\u300d\uff0c\u4e14\u786e\u8ba4\u4e0d\u5728\u66f4\u65b0\uff0c\u53ef\u4ee5\u5728\u6570\u636e\u5e93\u7684 wordpress
\u8868\u4e2d\u6267\u884c\uff1a
DELETE FROM wp_options WHERE option_name = 'core_updater.lock';\n
"},{"location":"services/docker2/#docker","title":"\u770b\u8d77\u6765\u6b63\u5728\u8fd0\u884c\u4f46\u662f\u6ca1\u6709\u8fdb\u7a0b\u7684 Docker \u5bb9\u5668","text":"2021/10/25 \u53d1\u73b0\u67d0\u5bb9\u5668\u663e\u793a\u6b63\u5728\u8fd0\u884c\uff0c\u4f46\u662f\u5b9e\u9645\u6ca1\u6709\u8fdb\u7a0b\u3002\u540e\u53d1\u73b0\u4e3a Docker \u7684 bug\uff0c\u5728\u5bb9\u5668\u8fdb\u7a0b\u88ab cgroups \u5e72\u6389\u4e4b\u540e\u53ef\u80fd\u4f1a\u51fa\u73b0\u6b64\u60c5\u51b5\u3002
\u5bf9\u5e94 issue\uff1ahttps://github.com/moby/moby/issues/38501
\u89e3\u51b3\u65b9\u6cd5\uff1a\u5c06\u5bb9\u5668 ID \u5bf9\u5e94\u7684 containerd-shim
\u6740\u6b7b\u5373\u53ef\u8ba9 Docker \u66f4\u65b0\u5176\u72b6\u6001\u4e3a\u5df2\u505c\u6b62\uff0c\u7136\u540e\u91cd\u65b0\u5f00\u542f\u5373\u53ef\u3002
Services: FTP/FTPS, SFTP, HTTP, HTTPS
https://ftp.lug.ustc.edu.cn/~username/
).Git repository: ustclug/lugftp
Docker Hub: ustclug/ftp
Server: vdp.s.ustclug.org (management ssh port 2222)
Theme: h5ai
Deploy: ftp.sh
"},{"location":"services/ftp/#notes","title":"Notes","text":"ssh-keygen -A
is required to be manually run when initializing.root:root
and permission 0755.1000:1000
. _h5ai
and wp-content
needs to be set to a different owner (misconfigured?). And Incoming
shall be set to 0775.gateway-el
)","text":"Todo
Currently systemctl restart networking
is required after a reboot to set up tunnel. This bug should be fixed.
gateway-el uses IPVS to send requests from one port to other machines directly. IPVS is a Linux kernel feature. Use ipvsadm -Ln
to get its status.
The tunnels used by gateway-el
is mainly maintained by tunnelmonitor. Its config files are in /etc/tunnelmonitor
, service is tunnelmonitor.service
, and log is /var/log/tunnel_monitor.log
.
When starting, netfilter-persistent.service
should be run before tunnelmonitor
. tunnelmonitor
generates new mangle chains when starting, and pings all tunnels periodically and selects all available tunnels, and generates statistc
rules.
You check check /var/log/tunnel_monitor.log
to see if one tunnel has been down. Currently (2021/09), only one tunnel is available among all tunnel settings in /etc/tunnelmonitor/tunnel.ini
.
The following example is for demonstration purposes only.
You can get current status by iptables -t mangle -S
. It is expected to see something like this:
-A DemonstrateManglePrerouting -m statistic --mode nth --every 1 --packet 0 -j MARK --set-xmark 0x12345/0xffffffff\n// ...\n-A PREOUT -m mark --mark 0x0 -j DemonstrateManglePrerouting\n
In this case, all packages to DemonstrateManglePrerouting
chain will get fwmark
0x12345
(= 74565
).
Check ip rule
for that:
// ...\n10: from all fwmark 0x12345 lookup ExtraDemoTunnel\n// ...\n
You can get tunnel information in ip a
:
29: ExtraDemoTunnel: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000\n link/none\n inet 192.168.252.17 peer 192.168.253.17/32 brd 192.168.252.17 scope global ExtraDemoTunnel\n valid_lft forever preferred_lft forever\n
Here 192.168.252.17
is the local server of tunnel, and 192.168.253.17
is the remote server.
Let's check /etc/network/interfaces.d
:
auto ExtraDemoTunnel\niface ExtraDemoTunnel inet static\n address 192.168.252.17\n netmask 255.255.255.255\n pre-up ip link add dev $IFACE type wireguard\n post-down ip link del dev $IFACE\n up wg set $IFACE listen-port 4601 private-key /etc/wireguard/privkey peer pkeypkeypkeypkeypkeypkeypkeypkeypkeypkeypkey endpoint 23.3.3.3:4600 allowed-ips 0.0.0.0/0\n up ip route replace default dev $IFACE table $IFACE\n up ip rule add from all fwmark 74565 table $IFACE prio 10\n pointopoint 192.168.253.17\n
Here we know that this is a wireguard tunnel, and the endpoint is 23.3.3.3:4600
. The fwmark here is 74565
(in decimal).
Why is 74565
set? Let's check /etc/iproute2/rt_tables
!
// ...\n74565 ExtraDemoTunnel\n// ...\n
For wireguard, you can use wg
to check status. If you find that the \"received\" is 0 in transferred, something is going wrong.
See Gateway-NIC
"},{"location":"services/gateway-el/#issues","title":"Issues & resolution","text":""},{"location":"services/gateway-el/#ipvs-conntrack","title":"IPVS Conntrack","text":"In early March 2022 we noticed Light connectivity issues from outside USTCnet, which was narrowed down to connections bypassing Linux Conntrack mechanism.
Thanks to TUNA group we learned about /proc/sys/net/ipv4/vs/conntrack
, which at the time the problem was located, was zero. Settings this to 1 solved the problem.
However after writing net.ipv4.vs.conntrack = 1
to /etc/sysctl.d/10-ipvs-conntrack.conf
and rebooting, the problem returned. Checking systemctl status systemd-sysctl.service
we noticed this:
Mar 05 00:00:00 gateway-el systemd-sysctl[218]: Couldn't write '0' to 'net/ipv4/vs/conntrack', ignoring: No such file or directory\n
Adding ip_vs
to /etc/modules
and rebooting again correctly fixed the problem.
This is because the module was automatically loaded the first time ipvsadm
is called (namely, /etc/init.d/ipvsadm
), which happened at a very late stage. Adding to /etc/modules
gets the module loaded earlier (and before systemd-sysctl.service
) so it worked.
See gateway
"},{"location":"services/gateway-jp/","title":"Gateway: Japan (gateway-jp
)","text":"This page is currently a stub.
"},{"location":"services/gateway-jp/#network-configuration","title":"Network configuration","text":""},{"location":"services/gateway-jp/#iptables","title":"iptables","text":"See Gateway NIC
Blacklists are also managed with ipset
, see /root/iptables
.
When first applying iptables rules, we experienced severe performance degradation. Dmesg was flooded with messages like this:
nf_conntrack: nf_conntrack: table full, dropping packet\n
So we increased this sysctl setting:
/etc/sysctl.d/00-ustclug.confnet.nf_conntrack_max = 262144\nnet.ipv4.tcp_fin_timeout = 10\n
To ensure net.nf_conntrack_max
is available at boot, we also added nf_conntrack
to /etc/modules
and ran update-initramfs -u
.
The other setting is to prevent TCP connections from lingering too long in FIN_WAIT_2
and TIME_WAIT
states.
gateway-nic
)","text":"Previously gateway-nic used CentOS 7 to 8 to Stream, to \"avoid putting all eggs in one basket\". This VM was replaced by a newly setup Debian Bullseye VM on January 2022 during migration from ESXi to Proxmox VE.
The virtual disk of the old gateway-nic was copied onto pve-5, located at ZFS Zvol rpool/data/gateway-nic
. The current VM uses rpool/data/vm-200-disk-0
instead (Proxmox naming convention).
Git repositories exist for these directories:
/etc/nginx\n/etc/systemd/network\n/etc/tinc\n
"},{"location":"services/gateway-nic/#networking","title":"Networking","text":"We use systemd-networkd to configure network on gateway-nic. This replaces both ifupdown
(config file /etc/network/interfaces
)
[Service]\nExecStartPre=-/sbin/ip -4 rule flush\nExecStartPre=-/sbin/ip -6 rule flush\n\n[Install]\nAlias=networkd.service\n
The ExecStartPre=
commands flush (clear) existing rules so that systemd-networkd can fully manage all rules. This is because ManageForeignRoutingPolicyRules
is a new setting in systemd 249, while Debian Bullseye uses systemd 247, so we have to do this manually.
We then load the regular \"main\" and \"default\" rules on the loopback interface (routing rules aren't bound to interfaces, but are added/removed when the configured interface is brought up/turned down).
/etc/systemd/network/00-lo.network[Match]\nName=lo\n\n# Route \"main\"\n[RoutingPolicyRule]\nFamily=both\nTable=254\nPriority=2\nSuppressPrefixLength=1\n\n# Route \"Special\"\n[RoutingPolicyRule]\nFamily=both\nTable=1000\nPriority=5\nSuppressPrefixLength=1\n\n# Route \"default\"\n[RoutingPolicyRule]\nFamily=both\nTable=253\nPriority=32767\n
"},{"location":"services/gateway-nic/#interfaces","title":"Interfaces","text":"Systemd-networkd has built-in capability to rename interfaces, so there's no need to use udev rules.
For example, to assign a name for the cernet interface, we use:
/etc/systemd/network/12-Cernet.link[Match]\nPermanentMACAddress=00:50:56:a2:02:8c\n\n[Link]\nName=Cernet\n
We then configure addresses and routing rules for this interface:
/etc/systemd/network/12-Cernet.network[Match]\nName=Cernet\n\n[Network]\nAddress=202.38.95.102/25\nAddress=2001:da8:d800:95::102/64\nIPv6AcceptRA=no\n\n[Route]\nGateway=202.38.95.126\nTable=253\nMetric=2\n\n[Route]\nGateway=2001:da8:d800:95::1\nTable=253\nMetric=2\n\n[Route]\nGateway=202.38.95.126\nTable=1002\n\n[Route]\nGateway=2001:da8:d800:95::1\nTable=1002\n\n[RoutingPolicyRule]\nFrom=202.38.95.102\nTable=1002\nPriority=3\n\n[RoutingPolicyRule]\nFrom=2001:da8:d800:95::102\nTable=1002\nPriority=3\n\n[RoutingPolicyRule]\nFamily=both\nOutgoingInterface=Cernet\nTable=1002\nPriority=3\n\n[RoutingPolicyRule]\nFamily=both\nFirewallMark=0x2\nTable=1002\nPriority=4\n
This config file assigns one IPv4 and one IPv6 address to the interface, as well as one IPv4 route and one IPv6 route for both the default routing table and an interface-specific routing table. It then adds three routing rules in both IPv4 and IPv6 for replying on the same interface, for sockets bound to this interfaces, and for firewall mark routing.
Other interfaces are configured similarly, so just refer to their configuration files for details.
"},{"location":"services/gateway-nic/#routes","title":"Routes","text":"Outgoing connections are routed through different ISPs. We use ISP IP data from gaoyifan/china-operator-ip. Relevant files are located under /usr/local/network_config
.
The said repository (branch ip-lists
) is cloned and we symlink select files to iplist
directory for consumption. A custom script converts these IP data into additional systemd-networkd config files (under /run/systemd
).
lrwxrwxrwx cernet.txt -> ../china-operator-ip/cernet.txt\nlrwxrwxrwx cernet6.txt -> ../china-operator-ip/cernet6.txt\nlrwxrwxrwx china.txt -> ../china-operator-ip/china.txt\nlrwxrwxrwx china6.txt -> ../china-operator-ip/china6.txt\nlrwxrwxrwx cstnet.txt -> ../china-operator-ip/cstnet.txt\nlrwxrwxrwx cstnet6.txt -> ../china-operator-ip/cstnet6.txt\nlrwxrwxrwx mobile.txt -> ../china-operator-ip/cmcc.txt\nlrwxrwxrwx telecom.txt -> ../china-operator-ip/chinanet.txt\nlrwxrwxrwx unicom.txt -> ../china-operator-ip/unicom.txt\n-rw-r--r-- ustcnet.txt\n-rw-r--r-- ustcnet6.txt\n
/usr/local/network_config/route-all.sh#!/bin/bash\n\n[ -n \"$BASH_VERSION\" ] || exit 1\n\nWD=\"$(dirname \"$0\")\"\nROOT_IP_LIST=\"$WD/iplist\"\nROOT_CONF=/etc/systemd/network\nROOT_RT=/run/systemd/network\n\ngen_route() {\n local DEVFILE=\"$1\"\n local DEV=\"$(awk -F = '/^Name=/{print $2; exit}' \"$ROOT_CONF/$DEVFILE.network\")\"\n local GW=\"$2\" FAMILY=ipv4 V6\n if [[ \"$GW\" =~ : ]]; then\n FAMILY=ipv6\n V6=\"-v6\"\n fi\n # Convert table to number\n local TABLENAME=\"$3\"\n local TABLE=\"$(awk 'substr($0, 1, 1) != \"#\" && $2 == \"'\"$TABLENAME\"'\" { print $1 }' /etc/iproute2/rt_tables | head -1)\"\n local PRIORITY=\"$4\"\n shift 4\n\n F=\"$ROOT_RT/$DEVFILE.network.d\"\n mkdir -p \"$F\"\n F=\"$F/route-${TABLENAME,,}${V6}.conf\"\n echo -e \"[RoutingPolicyRule]\\nFamily=$FAMILY\\nTable=$TABLE\\nPriority=$PRIORITY\\n\" > \"$F\"\n\n awk '{ print \"[Route]\\nDestination=\" $1 \"\\nGateway='\"$GW\"'\\nTable='\"$TABLE\"'\\n\" }' \"${@/#/$ROOT_IP_LIST/}\" >> \"$F\"\n}\n\ngen_route 12-Cernet 202.38.95.126 ustcnet 5 ustcnet.txt\ngen_route 12-Cernet 2001:da8:d800:95::1 ustcnet 5 ustcnet6.txt\ngen_route 12-Cernet 202.38.95.126 cernet 6 cernet.txt cstnet.txt\ngen_route 12-Cernet 2001:da8:d800:95::1 cernet 6 cernet6.txt cstnet6.txt\ngen_route 13-Telecom 202.141.160.126 telecom 6 telecom.txt unicom.txt\ngen_route 14-Mobile 202.141.176.126 mobile 6 mobile.txt\ngen_route 12-Cernet 202.38.95.126 china 7 china.txt\ngen_route 12-Cernet 2001:da8:d800:95::1 china 7 china6.txt\n
We then use a systemd service to ensure additional files for systemd-networkd are generated before it starts.
/etc/systemd/system/route-all.service[Unit]\nDescription=Generate routes for systemd-networkd\nBefore=systemd-networkd.service\n\n[Service]\nType=oneshot\nExecStart=/bin/bash /usr/local/network_config/route-all.sh\n#ExecStart=/usr/local/network_config/special.rb\nRemainAfterExit=true\n\n[Install]\nWantedBy=network.target systemd-networkd.service\n
Updating routes from upstream is easy:
/usr/local/network_config/update.sh#!/bin/sh\n\ncd \"$(dirname \"$0\")\"\n\ngit -C china-operator-ip pull\nsystemctl restart route-all.service\n
The resulting routing policies look like this:
$ ip rule0: from all lookup local\n2: from all lookup main suppress_prefixlength 1\n3: from 172.16.0.2 lookup Warp\n3: from all oif Warp lookup Warp\n3: from 202.141.176.102 lookup Mobile\n3: from all oif Mobile lookup Mobile\n3: from 202.141.160.102 lookup Telecom\n3: from all oif Telecom lookup Telecom\n3: from 202.38.95.102 lookup Cernet\n3: from all oif Cernet lookup Cernet\n4: from all fwmark 0x5 lookup Warp\n4: from all fwmark 0x4 lookup Mobile\n4: from all fwmark 0x3 lookup Telecom\n4: from all fwmark 0x2 lookup Cernet\n5: from all lookup Special suppress_prefixlength 1\n5: from all lookup Ustcnet\n6: from all lookup mobile\n6: from all lookup telecom\n6: from all lookup cernet\n7: from all lookup china\n32767: from all lookup default\n
"},{"location":"services/gateway-nic/#tinc-vpn","title":"Tinc VPN","text":"Gateway-NIC connects to intranet with Tinc. There's no special Tinc configuration other than those described at the Tinc VPN page.
Because Tinc now uses systemd services instead of System V init.d
scripts, we need to systemctl enable tinc@ustclug.service
to make it start on boot. Everything is managed through this templated systemd service.
We also override systemd-networkd's online detection for goodness' sake, so it doesn't block booting. Note that it may interfere with services depending on network-online.target
, though we have yet to discover any issues.
[Service]\nExecStart=\nExecStart=/bin/sleep 1\n
"},{"location":"services/gateway-nic/#iptables","title":"iptables","text":"All iptables firewall rules are managed manually. We use iptables-persistent
to automatically load firewall rules on boot.
To change the rules, manually edit /root/iptables/rules.v4
or rules.v6
and then run apply.sh
to apply the changes.
We use fail2ban to stop SSH scanning and brute-force attempts.
Because fail2ban relies on changing iptables to work, to improve its performance as well as minimize its tampering of iptables rules, we use ipsets for fail2ban.
After stock installation of fail2ban
package, remove defaults-debian.conf
and add this file to secure SSH daemon:
[sshd]\nenabled = true\nmode = aggressive\nfilter = sshd[mode=%(mode)s]\nlogpath = /var/log/auth.log\nbackend = pyinotify\naction = iptables-ipset-proto6[chain=\"fail2ban\"]\n
We provide a pre-created empty chain named fail2ban
for fail2ban to manipulate (see iptables above).
To make sure fail2ban rules can be re-applied after reloading iptables manually, we override the systemd service so that fail2ban is restarted whenever the iptables service is restarted.
$ systemctl edit fail2ban.service[Unit]\nAfter=netfilter-persistent.service\nBindsTo=netfilter-persistent.service\n
For some servers where we want to manually start fail2ban, we use Requires=
+ PartOf=
. This will propagate \"restart\" event from iptables to fail2ban, but not \"start\".
[Unit]\nAfter=netfilter-persistent.service\nRequires=netfilter-persistent.service\nPartOf=netfilter-persistent.service\n
"},{"location":"services/gateway-nic/#nginx","title":"Nginx","text":""},{"location":"services/gateway-nic/#unregistered-domain-traffic","title":"ustclug.org issue","text":"To mitigate the issue of the complaints from ISPs and the regulation authorities caused by the gateways in USTCnet responding to the requests for ustclug.org
, which is a unregistered domain in China MIIT, we make nginx listen on an alternative port 81/444 for HTTP and HTTPS respectively, to respond to requests for lug.ustc.edu.cn
only, and rejecting the handshake for any other domain.
server {\n listen 81 default_server;\n listen [::]:81 default_server;\n listen 444 ssl http2 default_server;\n listen [::]:444 ssl http2 default_server;\n server_name _;\n ssl_reject_handshake on; \n return 444;\n}\n
To whitelist any domain, add listen 81
and listen 444 http2 ssl
to corresponding site's server block.
We use iptables to redirect any traffic from outside USTCnet whose destination is TCP port 80/443 on local machine to TCP port 81/444 respectively.
-A PREROUTING -m addrtype --dst-type LOCAL -j NGINX-REDIRECT\n-A NGINX-REDIRECT -i lo -j RETURN\n-A NGINX-REDIRECT -m set --match-set ustcnet src -j RETURN\n-A NGINX-REDIRECT -p tcp --dport 80 -j REDIRECT --to-port 81\n-A NGINX-REDIRECT -p tcp --dport 443 -j REDIRECT --to-port 444\n
"},{"location":"services/generate-204/","title":"Generate 204","text":"Service: 204.ustclug.org (HTTP / HTTPS)
Server: (gateway)
Blog: add-http-204-service
"},{"location":"services/generate-204/#configration","title":"Configration","text":"/etc/nginx/sites-available/204.ustclug.orgserver {\n listen 80;\n listen [::]:80;\n listen 443 ssl http2;\n listen [::]:443 ssl http2;\n server_name 204.ustclug.org;\n access_log /var/log/nginx/204_access.log;\n error_log /var/log/nginx/204_error.log;\n return 204;\n}\n
The authoritative copy is on LUG GitLab.
"},{"location":"services/gitlab/","title":"GitLab","text":"Server: gitlab.s.ustclug.org (management ssh port 2222)
Git Repository: gitlab-scripts
"},{"location":"services/gitlab/#gitlab-security","title":"GitLab & Security","text":"GitLab \u7ef4\u62a4\u8005\u9700\u8981\u8ba2\u9605\uff1a
\u5728 GitLab \u6709 Security Release \u4e14 docker-gitlab \u53d1\u5e03\u65b0\u7248\u672c\u4e4b\u540e\u9700\u8981\u5b89\u6392\u65f6\u95f4\u66f4\u65b0\u3002\u5c24\u5176 Critical Security Release \u9700\u8981\u5c3d\u5feb\u627e\u65f6\u95f4\u66f4\u65b0\u3002
"},{"location":"services/gitlab/#_1","title":"\u66f4\u65b0","text":"\uff08\u5efa\u8bae\u9605\u8bfb https://docs.gitlab.com/ee/update/index.html\uff0c\u4ee5\u53ca GitLab \u5b98\u65b9\u7684\u5347\u7ea7\u8def\u5f84\u5206\u6790\u5de5\u5177\uff1ahttps://gitlab-com.gitlab.io/support/toolbox/upgrade-path/\uff09
GitLab 16.0 \u8d77\u79fb\u9664\u4e86\u5bf9 CAS3 \u7684\u652f\u6301\uff0c\u56e0\u6b64\u6211\u4eec\u5207\u6362\u5230\u4e86 OAuth2 \u6765\u5bf9\u63a5\u4e2d\u56fd\u79d1\u5b66\u6280\u672f\u5927\u5b66\u7edf\u4e00\u8eab\u4efd\u8ba4\u8bc1\u3002\u4e3a\u4e86\u5b9e\u73b0\u81ea\u5b9a\u4e49 OAuth2 \u767b\u5f55\u53c2\u6570\uff0c\u6211\u4eec fork \u4e86 sameersbn/docker-gitlab\uff0c\u4ed3\u5e93\u4f4d\u4e8e ustclug/docker-gitlab\u3002\u66f4\u65b0\u65f6\uff0c\u9700\u8981\u9996\u5148\u6309\u7167 ustclug/docker-gitlab \u7684 README.md
\u6240\u8ff0\u7684\u6b65\u9aa4\u66f4\u65b0\u955c\u50cf\uff0c\u4e00\u822c\u53ea\u9700\u66f4\u6539\u6240\u8ff0\u7684\u4e24\u4e2a\u4f4d\u7f6e\u7684\u7248\u672c\u53f7\uff0c\u63a8\u9001\u5230\u4ed3\u5e93\u540e\uff0cGitHub Actions \u5c06\u81ea\u52a8\u5b8c\u6210\u955c\u50cf\u7684\u6784\u5efa\uff0c\u5e76\u4e0a\u4f20\u5230 ghcr.io\u3002\u9700\u8981\u6ce8\u610f\u7684\u662f\uff0c\u82e5\u4e0a\u6e38\u66f4\u65b0\u5305\u542b\u5bf9 assets/runtime
\u76ee\u5f55\u7684\u53d8\u66f4\uff0c\u5219\u9700\u5148\u5c06\u4e0a\u6e38\u66f4\u65b0\u5408\u5e76\u5230\u6211\u4eec\u7684\u4ed3\u5e93\uff0c\u5426\u5219\u53ef\u80fd\u51fa\u73b0\u6784\u5efa\u6216\u8fd0\u884c\u65f6\u9519\u8bef\u3002
\u7531\u4e8e\u5df2\u7ecf docker \u5316\uff0c\u56e0\u6b64\u6211\u4eec\u7684\u66f4\u65b0\u662f\u901a\u8fc7\u62c9\u53d6 ustclug/docker-gitlab \u7684 docker image\uff0c\u8fdb\u884c\u6570\u636e\u5e93\u51c6\u5907\u4ee5\u53ca\u542f\u52a8\u955c\u50cf\u5b9e\u4f8b\u6765\u8fdb\u884c\u66f4\u65b0\uff0cZack Zeng \u5b66\u957f\u5df2\u7ecf\u5199\u597d\u4e86\u4e00\u5957\u811a\u672c\u7cfb\u7edf\uff1agitlab-scripts\uff0c\u56e0\u6b64\u66f4\u65b0\u65f6\u53ea\u8981\u8dd1\u811a\u672c\u5c31\u53ef\u4ee5\u4e86\u3002
\u7531\u4e8e\u66f4\u65b0\u9700\u8981\u505c\u6b62\u670d\u52a1\uff0c\u56e0\u6b64\u8bf7\u4e8e\u66f4\u65b0\u524d\u81f3\u5c11\u51e0\u5c0f\u65f6\u53d1\u5e03\u66f4\u65b0\u516c\u544a\uff08\u5305\u62ec\u5177\u4f53\u65f6\u95f4\u7b49\uff09\uff0c\u5e76\u68c0\u67e5 Admin -> Monitoring -> Background Migrations \u4e2d\u6240\u6709 migration \u662f\u5426\u90fd\u5df2\u7ecf\u6210\u529f\u5b8c\u6210\u3002
\u66f4\u65b0\u524d\u8bf7\u5148\u63d0\u524d\u4e8e Proxmox VE \u4e0a\u5bf9\u865a\u62df\u673a\u6253\u5feb\u7167\uff08\u6253\u5feb\u7167\u65f6\u670d\u52a1\u4f1a\u6682\u65f6\u505c\u6b62\uff09
\u6253\u5b8c\u5feb\u7167\u4e4b\u540e\u4f7f\u7528\u811a\u672c\u8fdb\u884c\u66f4\u65b0\uff08\u76ee\u524d\u811a\u672c\u4f4d\u4e8e /home/sirius/gitlab-scripts
\uff09\uff0c\u9996\u5148\u4f7f\u7528 ./gitlab.sh db
\u8fdb\u884c\u6570\u636e\u5e93\u7684\u51c6\u5907\u5de5\u4f5c\u3002\u4e4b\u540e\u53ef\u4ee5\u901a\u8fc7 ./gitlab.sh run <\u7248\u672c\u53f7>
\u6765\u8fdb\u884c docker container \u7684\u66ff\u6362\u3002\u66f4\u6362\u524d\u811a\u672c\u4f1a\u81ea\u52a8\u62c9\u53d6\u76f8\u5e94\u7248\u672c\u53f7\u7684 docker \u955c\u50cf\uff0c\u5982\u679c\u62c5\u5fc3\u62c9\u53d6\u65f6\u95f4\u8fc7\u957f\u53ef\u4ee5\u5728\u6253\u5feb\u7167\u524d\u63d0\u524d\u901a\u8fc7 docker pull ghcr.io/ustclug/docker-gitlab:<\u7248\u672c\u53f7>
\u6765\u62c9\u53d6\u76f8\u5e94\u7684\u955c\u50cf\u3002
\u4e00\u822c\u60c5\u51b5\u4e0b\u7ecf\u4ee5\u4e0a\u64cd\u4f5c\u540e\u66f4\u65b0\u5c31\u6b63\u5e38\u7ed3\u675f\uff0c\u5982\u679c\u957f\u65f6\u95f4\u65e0\u6cd5\u542f\u52a8\uff0c\u53ef\u4ee5\u901a\u8fc7 docker logs gitlab
\u67e5\u770b\u65e5\u5fd7\uff0c\u5982\u679c\u53d1\u73b0\u66f4\u65b0\u540e\u7684\u542f\u52a8\u51fa\u73b0\u95ee\u9898\uff0c\u53ef\u4ee5\u5230 sameersbn/docker-gitlab \u7684 issue \u533a\u7b49\u5730\u67e5\u770b\u76f8\u5173 issue\uff0c\u4ee5\u53ca\u901a\u8fc7\u5bf9\u51fa\u9519\u65e5\u5fd7\u8fdb\u884c Google \u53ef\u80fd\u4f1a\u53d1\u73b0\u662f gitlab \u4e0a\u6e38\u7b49\u51fa\u73b0\u7684\u95ee\u9898\u3002\u5982\u679c\u6709\u89e3\u51b3\u529e\u6cd5\uff0c\u53ef\u4ee5\u6309\u7167\u76f8\u5e94\u89e3\u51b3\u529e\u6cd5\u89e3\u51b3\uff0c\u5982\u679c\u6ca1\u6709\u3002\u53ef\u4ee5\u901a\u8fc7\u627e\u5230\u6709\u76f8\u5e94\u95ee\u9898\u524d\u7684\u6b63\u5e38\u7248\u672c\u53f7\uff0c\u56de\u6eda\u5feb\u7167\uff0c\u4e4b\u540e\u66f4\u5230\u8868\u73b0\u6b63\u5e38\u7684\u7248\u672c\u3002\uff08\u6700\u8fd1\u7684\u66f4\u65b0\u4f1a\u5728\u542f\u52a8\u4e4b\u540e\u77ed\u6682\u51fa\u73b0 502 \u7684\u60c5\u51b5\uff0c\u4f46\u5f88\u5feb\u5c31\u4f1a\u6062\u590d\uff0c\u9047\u5230\u8fd9\u79cd\u60c5\u51b5\u65f6\u4e0d\u8981\u60ca\u614c\uff09\u3002
\u7531\u4e8e\u66f4\u65b0\u53ef\u80fd\u4f1a\u51fa\u73b0\u95ee\u9898\u5bfc\u81f4\u670d\u52a1\u4e0d\u53ef\u7528\uff0c\u56e0\u6b64\u4e0d\u5efa\u8bae\u901a\u8fc7 cron \u7b49\u65b9\u5f0f\u81ea\u52a8\u8fdb\u884c\u66f4\u65b0\u3002
"},{"location":"services/gitlab/#postgresql-redis","title":"postgresql \u4e0e redis \u7684\u66f4\u65b0","text":"\u7531\u4e8e gitlab \u66f4\u65b0\u540e\u53ef\u80fd\u5bf9 postgresql \u4e0e redis \u7684\u7248\u672c\u6709\u8981\u6c42\uff0c\u56e0\u6b64\u6709\u53ef\u80fd\u9700\u8981\u5b9a\u671f\u66f4\u65b0 redis \u4e0e postgresql\u3002
\u66f4\u65b0\u524d\u8bf7\u5148\u505c\u6b62 gitlab \u7684 container\u3002
\u66f4\u65b0\u65f6\u53ef\u4ee5\u6309\u7167\u5b98\u7f51\u6559\u7a0b docker-postgresql \u8fdb\u884c\u66f4\u65b0\uff0c\u53ef\u4ee5\u901a\u8fc7\u62c9\u53d6 latest \u6807\u7b7e\u7684\u955c\u50cf\uff0c\u5220\u9664\u539f\u6765\u7684 container\uff0c\u518d\u901a\u8fc7\u811a\u672c ./gitlab.sh db
\u81ea\u52a8\u542f\u52a8\uff0c\u6570\u636e\u5e93\u66f4\u65b0\u65f6\u53ef\u80fd\u4f1a\u9700\u8981\u4e00\u5b9a\u65f6\u95f4\u6765\u8fc1\u79fb\u6570\u636e\uff0c\u8bf7\u901a\u8fc7 docker logs -f gitlab-postgresql
\u547d\u4ee4\u6765\u67e5\u770b\u8fc1\u79fb\u8fdb\u5ea6\uff0c\u5f85\u8fc1\u79fb\u5b8c\u6210\u540e\u518d\u8fd0\u884c GitLab \u7684 container\u3002
Rails console \u53ef\u4ee5\u5b8c\u6210\u4e00\u4e9b\u9ad8\u7ea7\u7684\u7ef4\u62a4\u4efb\u52a1\u3002\u5728 gitlab \u5bb9\u5668\u4e2d\u6267\u884c bin/rails console
\u542f\u52a8\u3002\u6ce8\u610f console \u7684\u542f\u52a8\u65f6\u95f4\u5f88\u957f\uff08 1 \u5206\u949f\u4ee5\u4e0a\uff09\uff0c\u9700\u8981\u6709\u8010\u5fc3\u3002
\u53ef\u4ee5\u6267\u884c\u7684\u547d\u4ee4\u53ef\u53c2\u8003 https://docs.gitlab.com/ee/administration/troubleshooting/gitlab_rails_cheat_sheet.html\u3002
"},{"location":"services/gitlab/#_2","title":"\u67e5\u8be2","text":""},{"location":"services/gitlab/#hashed-storage","title":"\u67e5\u8be2 Hashed storage \u4e0b\u4ed3\u5e93\u5bf9\u5e94\u7684\u9879\u76ee","text":"ProjectRepository.find_by(disk_path: '@hashed/23/33/2333333333333333333333333333333333333333333333333333333333333333').project\n
\u5982\u679c\u5b58\u5728\uff0c\u4f1a\u8fd4\u56de\u7c7b\u4f3c\u4ee5\u4e0b\u7684\u5185\u5bb9\uff1a
=> #<Project id:23333 username/project>>\n
"},{"location":"services/gitlab/#sql-like","title":"\u67e5\u8be2\u65e0\u9879\u76ee\u4e14\u90ae\u7bb1\u6ee1\u8db3\u6761\u4ef6\u7684\u7528\u6237 (SQL like
)","text":"users = User.where('id NOT IN (select distinct(user_id) from project_authorizations)')\nusers = users.where('email like ?', '%.ru')\nusers.count\n\nusers.each do |user|\n puts user.last_activity_on\nend\n
"},{"location":"services/gitlab/#_3","title":"\u5237\u65b0\u67d0\u4e2a\u9879\u76ee\u7684\u7edf\u8ba1\u4fe1\u606f","text":"p = Project.find_by_full_path('<namespace>/<project>')\npp p.statistics\np.statistics.refresh!\npp p.statistics\n
"},{"location":"services/gitlab/#lfs-id","title":"\u83b7\u53d6\u6240\u6709\u5305\u542b LFS \u7684\u9879\u76ee ID","text":"LfsObject.all.each do |lo|\n puts LfsObjectsProject.find_by_lfs_object_id(lo.id).project_id\nend\n
\u8f93\u51fa\u8f83\u591a\u3002\u53ef\u4ee5\u4f7f\u7528 rails r xxx.rb
\u8fd0\u884c\uff0c\u91cd\u5b9a\u5411\u5230\u6587\u4ef6\uff0c\u53bb\u91cd\u540e\u67e5\u770b\u6240\u6709\u5305\u542b LFS \u7684\u9879\u76ee\u3002
\u8be6\u89c1 https://github.com/sameersbn/docker-gitlab#rake-tasks\u3002\u548c Rails console \u4e00\u6837\uff0c\u521d\u59cb\u5316\u5f88\u6162\u3002
\u5f53\u524d\u5b9e\u4f8b\u4fe1\u606f\uff1a
docker exec --user git -it gitlab bundle exec rake gitlab:env:info RAILS_ENV=production\n
"},{"location":"services/gitlab/#_4","title":"\u6e05\u7406","text":"\u53c2\u8003 https://github.com/gitlabhq/gitlabhq/blob/master/doc/raketasks/cleanup.md\u3002
\u4e0d\u8fc7\u4f5c\u7528\u6709\u9650\u3002
"},{"location":"services/gitlab/#_5","title":"\u6e05\u7406\u4e0a\u4f20\u76ee\u5f55","text":"\u67e5\u770b\u4f1a\u88ab\u6e05\u7406\u7684\u6587\u4ef6\uff1a
docker exec --user git -it gitlab bundle exec rake gitlab:cleanup:project_uploads RAILS_ENV=production\n
\u6e05\u7406\uff08\u79fb\u52a8\u5230 /-/project-lost-found/\uff09\uff1a
docker exec --user git -it gitlab bundle exec rake gitlab:cleanup:project_uploads RAILS_ENV=production DRY_RUN=false\n
"},{"location":"services/gitlab/#artifact","title":"\u6e05\u7406\u672a\u88ab\u5f15\u7528\u7684 artifact \u6587\u4ef6","text":"\u67e5\u770b\u4f1a\u88ab\u6e05\u7406\u7684 artifact \u6570\u91cf\uff1a
docker exec --user git -it gitlab bundle exec rake gitlab:cleanup:orphan_job_artifact_files RAILS_ENV=production\n
\u6e05\u7406\uff1a
docker exec --user git -it gitlab bundle exec rake gitlab:cleanup:orphan_job_artifact_files RAILS_ENV=production DRY_RUN=false\n
\u6ce8\u610f\uff0c\u65b0\u8bbe\u7f6e\u7684 expire \u671f\u9650\u4e0d\u4f1a\u5f71\u54cd\u4ee5\u524d\u7684 artifact\uff0c\u8fd9\u91cc\u7684\u547d\u4ee4\u4e5f\u65e0\u6cd5\u6e05\u7406\u3002
"},{"location":"services/gitlab/#lfs-reference","title":"\u6e05\u7406\u65e0\u6548\u7684 LFS reference","text":"for i in `cat projectid_lfs`; do docker exec --user git -it gitlab bundle exec rake gitlab:cleanup:orphan_lfs_file_references PROJECT_ID=$i RAILS_ENV=production DRY_RUN=false; done\n
projectid_lfs
是上文中「获取所有包含 LFS 的项目 ID」的去重后的输出。与前面几个清理任务一样，这个循环直接带上了 DRY_RUN=false；建议先去掉 DRY_RUN=false 跑一遍，确认将被删除的 reference 范围后再正式执行。
\u65e0 reference \u7684 LFS \u6587\u4ef6\u6bcf\u65e5 GitLab \u4f1a\u81ea\u52a8\u6e05\u9664\u3002\u5982\u679c\u9700\u8981\u7acb\u523b\u5220\u9664\uff0c\u53ef\u4ee5\u4f7f\u7528 gitlab:cleanup:orphan_lfs_files
\u3002
Ref: https://docs.gitlab.com/ee/administration/read_only_gitlab.html
docker exec --user git -it gitlab bin/rails console\n
\u4e4b\u540e\u6267\u884c
Project.all.find_each { |project| puts project.name; project.update!(repository_read_only: true) }\n
\u5c06\u6240\u6709\u4ed3\u5e93\u8bbe\u7f6e\u4e3a\u53ea\u8bfb\u3002\u5982\u679c\u4e2d\u95f4\u51fa\u73b0\u9519\u8bef\uff08\u7279\u6b8a\u7684\u9879\u76ee\u540d\u53ef\u80fd\u4f1a\u5bfc\u81f4\u8fd0\u884c\u4e2d\u65ad\uff09\uff0c\u91cd\u547d\u540d\u6700\u540e\u8f93\u51fa\u5bf9\u5e94\u7684\u9879\u76ee\u3002
\u5728\u8bbe\u7f6e\u524d\uff0c\u9700\u8981\u6dfb\u52a0 Messages \u901a\u77e5\u7528\u6237\u3002
\u6b64\u65f6\u6570\u636e\u5e93\u4ecd\u7136\u53ef\u5199\u5165\u3002\u5982\u679c\u9700\u8981\u6570\u636e\u5e93\u53ea\u8bfb\uff0c\u53c2\u8003\u4ee5\u4e0a\u94fe\u63a5\u914d\u7f6e\u3002
"},{"location":"services/light/","title":"Light Accelerator","text":"Service: light.ustclug.org
Git Repository:
Docker Hub:
Mailing list: \u8f7b\u91cf\u7ea7\u7f51\u7edc\u52a0\u901f\u670d\u52a1
Servers:
Deploy script: docker-run-script/light
Deploy order:
git clone https://github.com/ustclug/light-list\ncd light-list\n./tools/add-domain.sh accelerate.list www.example.com\ngit commit -v -a\ngit push origin master\n
GitHub Actions will update PAC files in LUG FTP automatically.
"},{"location":"services/light/#database-maintenance","title":"Database maintenance","text":"Example (compare the count returned by the first statement with the number of rows inserted into radacct_backup before running the delete, so that an interrupted run cannot silently drop accounting records):
select count(*) from radacct where acctstoptime < '2021-01-01 00:00:00';\ninsert into radacct_backup select * from radacct where acctstoptime < '2021-01-01 00:00:00';\ndelete from radacct where acctstoptime < '2021-01-01 00:00:00';\ndelete from radacct_backup where acctstoptime < '2020-06-01 00:00:00';\noptimize table radacct;\noptimize table radacct_backup;\n
"},{"location":"services/light/#shutdown","title":"Shutdown","text":"light-server
& light-socks
no
(See Docker Documentation)Proxy related log is under /srv/docker/light/log
. Container log (stdout & stderr) is under /srv/docker/docker/containers/<container id>/*.log*
(use docker logs <container>
to view).
Logrotate is configured to save logs for 180 days. Please manually back up the logs before removing the container.
"},{"location":"services/mirrorz/","title":"MirrorZ CERNET server","text":"MirrorZ \u9879\u76ee\u5728 CERNET \u5317\u4eac\u8282\u70b9\u6709\u4e00\u4e2a\u865a\u62df\u673a\uff0c\u901a\u8fc7 *.mirrors.cernet.edu.cn \u7684\u57df\u540d\u63d0\u4f9b 302 \u8df3\u8f6c\u548c\u5e2e\u52a9\u9875\u9762\u7b49\u670d\u52a1\u3002
\u7531\u4e8e CentOS 7 \u5728 2024 \u5e74 6 \u6708\u7ed3\u675f\u652f\u6301\uff0ciBug \u548c taoky \u5728 2024 \u5e74 2 \u6708\u914d\u7f6e\u4e86\u4e00\u4e2a\u8fd0\u884c Debian 12 \u7684\u65b0\u865a\u62df\u673a\u3002\u65b0\u865a\u62df\u673a\u955c\u50cf\u57fa\u4e8e debian-cdimage \u63d0\u4f9b\u7684 debian-12-genericcloud-amd64.qcow2
\u3002
\u865a\u62df\u673a\u7684\u7f51\u7edc\u91c7\u7528 systemd-networkd \u914d\u7f6e\uff0c\u914d\u7f6e\u6587\u4ef6\u5728 /etc/systemd/network
\u4e0b\uff0cv4/v6 \u5747\u4f7f\u7528\u9759\u6001 IP \u914d\u7f6e\u3002\u5176\u4e2d [Match]
\u5757\u4f7f\u7528 MACAddress=...
\u6765\u5339\u914d\u7f51\u5361\u3002
PasswordAuthentication no\nPermitRootLogin prohibit-password\n
"},{"location":"services/mirrorz/#ntp","title":"NTP","text":"/etc/systemd/timesyncd.conf.d/ibug.conf\n[Time]\nNTP=ntp.tuna.tsinghua.edu.cn\n
"},{"location":"services/mirrorz/#software","title":"\u8f6f\u4ef6","text":"etckeeper\uff08\u4e0d\u77e5\u9053\u600e\u4e48\u914d\u7f6e\u7684\uff0c\u88c5\u597d\u5373\u7528\uff1f\uff09
\u4ee5\u4e0a\u56db\u4e2a\u8f6f\u4ef6\u5206\u522b\u4ece\u56db\u4e2a\u4e0d\u540c\u7684 APT \u6e90\u5b89\u88c5\uff0c\u5bf9\u5e94\u7684 APT \u516c\u94a5\u90fd\u5b58\u5728 /etc/apt/keyrings
\u4e2d\u3002
APT \u6e90\u914d\u7f6e
/etc/apt/sources.list.d/docker.list\ndeb [arch=amd64 signed-by=/etc/apt/keyrings/docker.asc] https://mirrors.ustc.edu.cn/docker-ce/linux/debian bookworm stable\n
/etc/apt/sources.list.d/grafana.list\ndeb [signed-by=/etc/apt/keyrings/grafana.gpg] https://mirrors.tuna.tsinghua.edu.cn/grafana/apt stable main\n
/etc/apt/sources.list.d/influxdata.list\ndeb [signed-by=/etc/apt/keyrings/influxdata.asc] https://mirrors.ustc.edu.cn/influxdata/debian stable main\n
/etc/apt/sources.list.d/nodesource.list\ndeb [arch=amd64 signed-by=/etc/apt/keyrings/nodesource.asc] https://deb.nodesource.com/node_18.x nodistro main\n
/etc/apt/sources.list.d/sb-nginx.list\ndeb [arch=amd64 signed-by=/etc/apt/keyrings/sb-nginx.asc] https://mirror.xtom.com.hk/sb/nginx/ bookworm main\n
"},{"location":"services/mirrorz/#go","title":"Go","text":"\u4ece\u5b98\u65b9\u7f51\u7ad9\u4e0b\u8f7d\u6700\u65b0\u7684 tar.gz \u5e76\u89e3\u538b\u5230 /usr/local/go
\uff0c\u7136\u540e\u5c06 /usr/local/go/bin
\u4e2d\u7684\u4e24\u4e2a\u4e8c\u8fdb\u5236\u6587\u4ef6\u8f6f\u94fe\u63a5\u5230 /usr/local/bin
\u3002
\u66f4\u65b0 Go \u7684\u5feb\u6377\u811a\u672c\u4f4d\u4e8e /root/go/update.sh
\uff0c\u5185\u5bb9\u89c1 iBug/shGadgets\u3002
MirrorZ \u4e3b\u9879\u76ee\u548c\u5e2e\u52a9\u9875\u9762\u7b49\u53ef\u4ee5\u901a\u8fc7\u6d4f\u89c8\u5668\u8bbf\u95ee\u7684\u9875\u9762\u90fd\u5728 /var/www
\u4e0b\u3002
\u5229\u7528 GitHub \u7684 webhook \u529f\u80fd\uff0c\u90e8\u7f72\u4e86\u4e00\u4efd iBug/uniAPI\u3002\u76f8\u5173\u6587\u4ef6\u5982\u4e0b\uff1a
/usr/bin/uniAPI\n/etc/uniAPI.yml\n/etc/systemd/system/uniAPI.service\n
配置样例如下。注意样例中 secret 为空：这样任何能访问 nginx 暴露出来的 /uniAPI 路径的客户端都可能触发一次拉取。建议在 GitHub 的 webhook 设置和此处配置同一个随机 secret，并确认 uniAPI 会据此校验 GitHub 的请求签名之后再依赖它：
services:\n uniAPI:\n type: server\n services:\n mirrorz-json-legacy:\n type: github.webhook\n path: /home/mirrorz/mirrorz-org/mirrorz-json-legacy\n branch: master\n secret: # empty\n
location ^~ /uniAPI {\n proxy_pass http://127.0.1.1:1024;\n}\n
"},{"location":"services/neat-dns/","title":"Neat DNS","text":"Services: neatdns.ustclug.org (UDP, TCP, HTTPS, DNSCrypt)
Server: docker2
Deploy: docker-run-script/neatdns
"},{"location":"services/neat-dns/#notes","title":"Notes","text":"Previously all containers on docker2 had gateway-el as their gateway, which generated heavy load on the Tinc network. Docker2 has since been updated to use gateway-nic as gateway for containers, bypassing Tinc for most of the traffic. This, however, broke NAT-based services like Neat DNS, which require that reply traffic go back out through gateway-el (after the change it left through gateway-nic instead).
What's worse, Docker doesn't support setting gateways for individual containers, nor can network config be changed from within the container (default setup). So we chose to selectively route traffic back to gateway-el on gateway-nic. This is accomplished with two parts:
Routing tables and routing rules:
/etc/systemd/network/11-Policy.network\n[RoutingPolicyRule]\nFrom=0.0.0.0/0\nFirewallMark=0x101/0x1ff\nTable=1101 # Ustclug_override\nPriority=1\n\n[Route]\nGateway=10.254.0.254 # gateway-el\nTable=1011\n
Note that the rule and the route must refer to the same table: as written above the rule selects table 1101 while the [Route] section installs the default route in table 1011, so one of the two numbers is a typo (the ip commands below use the named table Ustclug_override for both, presumably defined in /etc/iproute2/rt_tables on the host). Also, systemd's config parser does not strip trailing comments, so # Ustclug_override and # gateway-el must go on lines of their own rather than after the value, otherwise the value read is "1101 # Ustclug_override". Using the iproute2 ip
command, this would be:
ip rule add fwmark 0x101/0x1ff table Ustclug_override prio 1\nip route replace default via 10.254.0.254 table Ustclug_override\n
And then we select traffic to redirect to gateway-el using iptables marks:
iptables -t mangle -S\n-A PREROUTING -s 10.254.1.5/32 -i Policy -p tcp -m multiport --sports 53,53443 -j MARK --set-xmark 0x101/0x1ff\n-A PREROUTING -s 10.254.1.5/32 -i Policy -p udp -m multiport --sports 53,53443 -j MARK --set-xmark 0x101/0x1ff\n
These two lines of iptables rules selects replying traffic originating from the neat-dns container and marks it appropriately, so it will be routed to gateway-el instead of exiting the intranet right from gateway-nic.
\u672c\u8282\u5185\u5bb9\u9002\u7528\u4e8e\u5305\u62ec VPN \u5728\u5185\u7684\u591a\u4e2a\u670d\u52a1\u5668
目前仅对 IPv4 启用。下面在 raw 表中用 CT --helper 显式指派 tftp helper，这比打开全局的自动 helper 指派更安全；不过 helper 会为 TFTP 传输动态放行 UDP 端口，如果只有特定接口或目标地址需要 TFTP，建议再用 -i/-d 限制这条规则的范围。
*raw\n:PREROUTING ACCEPT [0:0]\n:OUTPUT ACCEPT [0:0]\n-A PREROUTING -p udp --dport 69 -j CT --helper tftp\nCOMMIT\n
/etc/modules\nnf_conntrack_tftp\nnf_nat_tftp\n
"},{"location":"services/vpn/#ssl-certs","title":"SSL Certificates","text":"The certificate for *.vpn.lug.ustc.edu.cn
+ *.vpn.ustclug.org
is acquired with our certificate infrastructure and the vpn server runs updater.sh
with cron.
Two services running in Docker (strongswan and ocserv) use the certificate, so another cron job exists to copy the certificate files into the Docker volume (vpn-certs
). The second updater script is listed below. A few things to keep in mind when touching it: the image is referenced as bare alpine, i.e. the mutable latest tag, so pin a tag or digest if the run needs to be reproducible; the whole of /etc/ssl/private is bind-mounted (read-only) even though only the lugvpn/ subdirectory is read, so narrowing the mount to /etc/ssl/private/lugvpn keeps the other private keys out of the container; and cp -p carries the host file mode and numeric owner of privkey.pem into the volume, so check that the strongswan and ocserv containers can still read the key and that it is not world-readable there. Whether those two services pick up the new files without a reload is not stated here — confirm that before relying on the cron job alone:
#!/bin/sh\n\n# outside, call docker\nif command -v docker >/dev/null 2>&1; then\n exec docker run --rm \\\n --name=vpn-cert-updater \\\n --net=none \\\n -v \"$(realpath \"$0\")\":/update.sh:ro \\\n -v vpn-certs:/vpn-certs \\\n -v /etc/ssl/private:/ssl-certs:ro \\\n alpine \\\n /update.sh\n exit 1 # exec failed\nfi\n\nset -eux\n\nSSL_CERTS=\"/ssl-certs\"\nVPN_CERTS=\"/vpn-certs\"\n\ncp -p \"${SSL_CERTS}/lugvpn/fullchain.pem\" \"${VPN_CERTS}/certs/vpn.ustclug.org.crt\"\ncp -p \"${SSL_CERTS}/lugvpn/privkey.pem\" \"${VPN_CERTS}/private/vpn.ustclug.org.key\"\necho \"Cert Update Complete\"\n
"},{"location":"services/mirrors/","title":"\u5f00\u6e90\u955c\u50cf\u7ad9","text":""},{"location":"services/mirrors/#_2","title":"\u5386\u53f2","text":""},{"location":"services/mirrors/#debianustceducn","title":"debian.ustc.edu.cn","text":"2000 \u5e74\u5de6\u53f3\uff0c\u79d1\u5927\u6821\u5185\u7684 Debian \u7231\u597d\u8005\u4f7f\u7528\u81ea\u5df1\u5b9e\u9a8c\u5ba4\u7684\u673a\u5668\u4e3a\u5927\u5bb6\u63d0\u4f9b Debian \u955c\u50cf\u670d\u52a1\u3002\u968f\u7740\u4e00\u5c4a\u5c4a\u5e08\u5144\u7684\u6bd5\u4e1a\uff0c\u670d\u52a1\u5668\u5728\u5404\u5b9e\u9a8c\u5ba4\u95f4\u63a5\u529b\u3002
2002 \u5e74 5 \u6708\uff0cDebian \u955c\u50cf\u7ad9\u6709\u4e86\u81ea\u5df1\u7684\u57df\u540d debian.ustc.edu.cn\uff0c\u4f46\u670d\u52a1\u5668\u4ecd\u5728\u5b9e\u9a8c\u5ba4\u95f4\u8f97\u8f6c\u3002
2002 \u5e74 6 \u6708 23 \u65e5\uff0c\u79d1\u5927Debian\u955c\u50cf\u7ad9\u5f00\u59cb\u63d0\u4f9b\u975e\u5b98\u65b9(UO)\u8f6f\u4ef6\u4ed3\u5e93\u30022004\u5e744\u670823\u65e5\uff0c\u63d0\u4f9b\u65b0\u7684UO\u4ed3\u5e93\u3002
2005 \u5e74 6 \u6708 20 \u65e5\uff0c\u79d1\u5927 LUG \u53d1\u8d77\u4e3a\u79d1\u5927 Debian \u955c\u50cf\u7ad9\u6350\u6b3e\u7684\u5021\u8bae\uff0c\u622a\u81f3 10 \u6708 1 \u65e5\u52df\u6350\u6d3b\u52a8\u505c\u6b62\uff0cLUG \u5171\u6536\u5230 2922.05 \u5143\u6350\u6b3e\u300210 \u6708 6 \u65e5\u65b0\u673a\u5668\u5b89\u88c5\u914d\u7f6e\u5230\u4f4d\u3002\u5728\u5927\u5bb6\u7684\u9f50\u5fc3\u52aa\u529b\u4e4b\u4e0b\uff0c\u79d1\u5927 Debian \u955c\u50cf\u7ad9\u6709\u4e86\u4e00\u4e2a\u76f8\u5bf9\u56fa\u5b9a\u7684\u201c\u5bb6\u201d\u3002
2009 \u5e74\u5e95\uff0cdebian.ustc \u843d\u6237\u56fe\u4e66\u9986\u6280\u672f\u90e8\u3002
"},{"location":"services/mirrors/#ossustceducn","title":"oss.ustc.edu.cn","text":"2008 \u5e74 12 \u6708 25 \u65e5\uff0c\u79d1\u5927\u5f00\u6e90\u8f6f\u4ef6 (OSS) \u955c\u50cf\u7ad9\u6b63\u5f0f\u542f\u7528\u3002\u5176\u670d\u52a1\u5668\u7531\u5434\u5cf0\u5149\u5e08\u5144\u63d0\u4f9b\u3002Novell \u516c\u53f8\u4e3a\u6211\u4eec\u63d0\u4f9b\u4e86\u4e00\u57571.5T \u7684\u786c\u76d8\u3002
2009 \u5e74 12 \u6708\uff0c\u5f20\u6210\u5e08\u5144\u4e3a OSS \u955c\u50cf\u7ad9\u63d0\u4f9b\u6350\u8d60 1T \u786c\u76d8\u3002
2010 \u5e74 6 \u6708\uff0c\u79d1\u5927 LUG \u4f7f\u7528\u51fa\u552e\u7248\u886b\u4f59\u4e0b\u7684\u94b1\u4e3a OSS \u955c\u50cf\u7ad9\u6dfb\u7f6e\u4e86\u4e00\u5757 2T \u786c\u76d8\u3002
"},{"location":"services/mirrors/#mirrorsustceducn","title":"mirrors.ustc.edu.cn","text":"2011 \u5e74 4 \u6708 8 \u65e5\uff0c\u79d1\u5927 LUG \u4ece\u7f51\u7edc\u4e2d\u5fc3\u5904\u83b7\u5f97\u4e86\u65b0\u7684\u670d\u52a1\u5668\uff0c\u5e76\u7533\u8bf7\u5230\u4e86 mirrors.ustc \u7684\u57df\u540d\u3002debian.ustc \u4e0e oss.ustc \u5f00\u59cb\u5411 mirrors.ustc \u8fc1\u79fb\u3002
\u540c\u5e74 4 \u6708 15 \u65e5\uff0c\u51e0\u5927\u70ed\u95e8\u53d1\u884c\u7248\u955c\u50cf\u540c\u6b65\u5b8c\u6bd5\uff0cmirrors \u5f00\u59cb\u6b63\u5f0f\u5bf9\u5916\u63d0\u4f9b\u670d\u52a1\uff0c\u540c\u65f6 debian.ustc \u4e0e oss.ustc \u9000\u51fa\u4e86\u5386\u53f2\u821e\u53f0\u3002
2013 \u5e74 1 \u6708 6 \u65e5\uff0c\u79d1\u5927 LUG \u4ece\u7f51\u7edc\u4e2d\u5fc3\u5904\u83b7\u5f97\u4e86\u65b0\u7684\u78c1\u76d8\u9635\u5217\uff0c\u5927\u5927\u7f13\u89e3\u4e86 mirrors \u56e0\u78c1\u76d8\u7a7a\u95f4\u4e0d\u8db3\u800c\u5e26\u6765\u7684\u538b\u529b\u3002
2016 \u5e74 12 \u6708 29 \u65e5\uff0c\u79d1\u5927 LUG \u4ece\u7f51\u7edc\u4e2d\u5fc3\u5904\u83b7\u5f97\u4e86\u65b0\u7684\u670d\u52a1\u5668\u3002\u89e3\u51b3\u4e86\u8fd1\u4e00\u5e74\u6765\u7531\u4e8e\u670d\u52a1\u5668\u548c\u9635\u5217\u8001\u5316\u5e26\u6765\u7684\u7a33\u5b9a\u6027\u95ee\u9898\u3002
2019 \u5e74 6 \u6708\uff0c\u79d1\u5927 LUG \u4ece\u56fe\u4e66\u9986\u6280\u672f\u90e8\u83b7\u5f97\u4e86\u4e00\u53f0\u65e7\u670d\u52a1\u5668\uff0c\u7f13\u89e3\u4e86 mirrors \u5bb9\u91cf\u7d27\u5f20\u7684\u95ee\u9898\u3002
2020 \u5e74 3 \u6708 24 \u65e5\uff0c\u79d1\u5927 LUG \u518d\u6b21\u4ece\u7f51\u7edc\u4e2d\u5fc3\u5904\u83b7\u5f97\u4e86\u65b0\u7684\u670d\u52a1\u5668\uff0c\u89e3\u51b3\u4e86\u591a\u5e74\u6765\u7531\u4e8e\u670d\u52a1\u5668\u5bb9\u91cf\u4e0d\u8db3\u548c\u8d1f\u8f7d\u8fc7\u5927\u5e26\u6765\u7684\u538b\u529b\u3002
"},{"location":"services/mirrors/#hardware","title":"\u786c\u4ef6\u914d\u7f6e","text":"Docker \u9ed8\u8ba4\u521b\u5efa\u4e00\u4e2a\u540d\u4e3a bridge \u7684\u7f51\u7edc\uff0c\u4e3b\u673a\u754c\u9762\u4e3a docker0
，IP 地址段为 172.17.0.0/16。这个默认地址段过于浪费，因此我们给它配置一个更小的地址段（注意 Docker 文档中 bip 的写法是网桥自身的地址加前缀，例如 172.17.0.1/22，而不是网络地址，请与实际的 daemon.json 核对）：
{\n \"bip\": \"172.17.0.0/22\"\n}\n
\u6211\u4eec\u5c06 Docker Registry \u7684\u53cd\u4ee3\u6302\u5728\u53e6\u5916\u4e00\u4e2a\u5b50\u7f51\u4e0b\uff0c\u9700\u8981\u5148\u884c\u521b\u5efa\u3002
docker network create \\\n --opt com.docker.network.bridge.name=docker1 \\\n --subnet=172.18.0.0/24 \\\n --gateway=172.18.0.1 \\\n docker-registry\n
"},{"location":"services/mirrors/docker/#routing","title":"Routing","text":"\u4e00\u4e9b\u540c\u6b65\u7a0b\u5e8f\u4e0d\u652f\u6301 bindIP \u7684\u914d\u7f6e\uff0c\u5bf9\u4e8e\u8fd9\u4e9b\u540c\u6b65\u7a0b\u5e8f\uff0c\u6211\u4eec\u901a\u8fc7\u521b\u5efa\u591a\u4e2a Docker network\uff0c\u7136\u540e\u5728\u4e3b\u673a\u4e0a\u6839\u636e Docker network \u8fdb\u884c\u7b56\u7565\u8def\u7531\uff0c\u8fbe\u5230\u9009\u62e9\u51fa\u53e3\u7684\u6548\u679c\u3002
\u521b\u5efa Docker network \u7684\u547d\u4ee4\u5982\u4e0b\uff1a
docker network create --driver=bridge --subnet=172.17.4.0/24 --gateway=172.17.4.1 -o \"com.docker.network.bridge.name=dockerC\" cernet\ndocker network create --driver=bridge --subnet=172.17.5.0/24 --gateway=172.17.5.1 -o \"com.docker.network.bridge.name=dockerT\" telecom\ndocker network create --driver=bridge --subnet=172.17.6.0/24 --gateway=172.17.6.1 -o \"com.docker.network.bridge.name=dockerM\" mobile\ndocker network create --driver=bridge --subnet=172.17.7.0/24 --gateway=172.17.7.1 -o \"com.docker.network.bridge.name=dockerU\" unicom\n\ndocker network create --driver=bridge --subnet=172.17.8.0/24 --gateway=172.17.8.1 \\\n --ipv6 --subnet=fd00:6::/64 --gateway=fd00:6::1 \\\n -o \"com.docker.network.bridge.name=dockerC6\" cernet6\n
\u5bf9\u5e94\u5730\uff0c\u4e3b\u673a\u4e0a\u4e5f\u914d\u7f6e\u597d\u4e86\u7b56\u7565\u8def\u7531\uff0c\u4f8b\u5982\uff1a
/etc/systemd/network/cernet.network\n# Docker Cernet\n[RoutingPolicyRule]\nFrom=172.17.4.0/24\nTable=1011\nPriority=6\n[RoutingPolicyRule]\nFrom=172.17.8.0/24\nTable=1011\nPriority=6\n
/etc/systemd/network/telecom.network\n# Docker Telecom\n[RoutingPolicyRule]\nFrom=172.17.5.0/24\nTable=1012\nPriority=6\n
mobile.network
\u548c unicom.network
\u4e5f\u7c7b\u4f3c\u3002
\u9700\u8981\u4f7f\u7528\u8fd9\u79cd\u65b9\u5f0f\u8fdb\u884c\u8def\u7531\u7684\u540c\u6b65\u955c\u50cf\uff0c\u53ef\u4ee5\u5728 YAML \u4e2d\u6307\u5b9a network
\uff0c\u4f8b\u5982\uff1a
network: telecom\n
"},{"location":"services/mirrors/ipmi/","title":"IPMI","text":""},{"location":"services/mirrors/ipmi/#mirrors4","title":"Mirrors4","text":"\u8fd9\u53f0\u673a\u5668\u7684 IPMI \u6709 HTML5 KVM\uff0c\u53ef\u4ee5\u76f4\u63a5\u7f51\u9875\u4f7f\u7528\uff0c\u6bd4\u8f83\u65b9\u4fbf\u3002
"},{"location":"services/mirrors/ipmi/#mirrors23","title":"Mirrors2/3","text":"\u767b\u5f55 IPMI \u540e\uff0c\u4e3a\u4e86\u4f7f\u7528\u8fdc\u7a0b Shell\uff0c\u9700\u8981\u8fd0\u884c\u4e00\u4e2a jnlp \u6587\u4ef6\u3002 \u6b64\u6587\u4ef6\u4e0b\u8f7d\u65f6\u4f1a\u88ab Chrome \u62e6\u622a\uff0c\u9700\u8981\u989d\u5916\u5141\u8bb8\u4e00\u4e0b\u3002
\u6b64 jnlp \u6587\u4ef6\u9700\u8981 Oracle JDK 7 \u8fd0\u884c\uff0cOpenJDK 7 \u65e0\u6cd5\u8fd0\u884c\u3002 \u6307\u4ee4\u7528 javaws a.jnlp
\u5373\u53ef\u3002
Java 8 \u53ca\u4e4b\u524d Java \u7684\u5404\u4e2a\u5de5\u5177\u662f\u6253\u5305\u5728 JDK \u4e2d\u7684\uff0c\u5305\u62ec Java Web Starter\uff0c\u5373\u6211\u4eec\u7528\u7684 javaws
\u3002 \u6240\u4ee5\u53ea\u9700\u8981\u5b89\u88c5 Oracle JDK 7 \u5373\u53ef\uff0c\u65e0\u9700\u5b89\u88c5\u5176\u4ed6\u7684\u3001\u9488\u5bf9 Java 9 \u53ca\u4e4b\u540e\u7248\u672c\u7684\u5176\u4ed6\u5de5\u5177\u3002
\u7531\u4e8e mirrors \u5c5e\u4e8e I/O\u3001\u7f51\u7edc\u5bc6\u96c6\u578b\u670d\u52a1\uff0c\u5728\u90e8\u5206\u7684\u8d1f\u8f7d\u573a\u666f\u4e0b\u6781\u6613\u51fa\u73b0 I/O \u6216\u7f51\u7edc\u8fc7\u8f7d\u3002\u9650\u5236\u7b56\u7565\u4e3b\u8981\u662f\u4e3a\u4e86\u51cf\u5f31\u4ee5\u4e0b\u51e0\u7c7b\u8bf7\u6c42\u5bf9 mirrors \u6574\u4f53\u670d\u52a1\u8d28\u91cf\u7684\u5f71\u54cd\uff1a
\u4e00\u822c\u800c\u8a00\uff0c\u79d1\u5927\u6821\u5185\u7684\u5730\u5740\u4f4d\u4e8e\u9650\u5236\u89c4\u5219\u7684\u767d\u540d\u5355\u4e2d\uff0c\u4e0d\u53d7\u5230\u9650\u5236\u7b56\u7565\u7684\u5f71\u54cd\u3002\u5982\u679c\u6ca1\u6709\u7279\u6b8a\u8bf4\u660e\uff0c\u79d1\u5927\u5730\u5740\u9ed8\u8ba4\u4e0d\u53d7\u9650\u5236\u3002
\u767d\u540d\u5355\u4f4d\u4e8e\uff1a
/usr/local/network_config/iptables/ipset
/etc/nginx/conf.d/geo-ustcnet.conf
\u9632\u706b\u5899 (iptables) \u76ee\u524d\u53ea\u8d1f\u8d23\u9650\u5236\u5355 IP \u7684\u5e76\u53d1\u94fe\u63a5\u6570\u3002\u8fd9\u662f\u4e3a\u4e86\u9632\u6b62\u540c\u65f6\u6d8c\u5165\u5927\u91cf\u5e76\u53d1\u8fde\u63a5\uff0c\u5bfc\u81f4\u540e\u7aef\u5e94\u7528\u8017\u8d39\u5927\u91cf CPU \u548c I/O \u8d44\u6e90\u5904\u7406\u8fd9\u4e9b\u4e0d\u5408\u5e38\u7406\u7684\u8bf7\u6c42\u3002
\u5e8f\u53f7 \u7aef\u53e3 \u670d\u52a1 \u6700\u5927\u8fde\u63a5\u6570 IPv4 CIDR IPv6 CIDR 1 80,443 HTTP/HTTPS 12 29 64 2 20,21,50100:50200 FTP 4* 32 64 3 873 Rsync 5 32 64 4 9418 Git 10 32 64\u6ce8\u610f\u4e8b\u9879
\u8fde\u63a5\u6570\u9650\u5236\u4ec5\u9650\u5236\u77ac\u65f6\u5e76\u53d1\uff08connlimit\uff09\u3002
\u8bf7\u6ce8\u610f\uff0c\u540c\u7ec4\u5185\u7684\u8fde\u63a5\u5171\u4eab\u8fde\u63a5\u6570\u914d\u989d\u3002\u5982\uff1a
\u8d85\u8fc7\u914d\u989d\u7684\u8fde\u63a5\u4f1a\u8fd4\u56de TCP Reset\u3002
* FTP \u670d\u52a1\u5df2\u505c\u6b62\u63d0\u4f9b\u3002
"},{"location":"services/mirrors/limiter/#application","title":"\u5e94\u7528\u7ea7\u522b\u9650\u5236","text":"\u6b64\u7c7b\u9650\u5236\u89c4\u5219\u4f4d\u4e8e\u5e94\u7528\u7a0b\u5e8f\u5185\u3002\u7531\u4e8e\u5728\u7528\u6237\u6001\u7a0b\u5e8f\u4e2d\u5b9e\u73b0\uff0c\u56e0\u6b64\u66f4\u52a0\u7075\u6d3b\u3002
"},{"location":"services/mirrors/limiter/#nginx-mod-lua","title":"Nginx Lua \u7ec4\u4ef6","text":"\u4ee3\u7801\u4f4d\u4e8e /etc/nginx/lua/module/access_limiter.lua
\u76ee\u524d\u4f7f\u7528\u4e86 Nginx \u7684 Lua \u8bed\u8a00\u6269\u5c55\u5b9e\u73b0\u5bf9\u8bf7\u6c42\u7684\u9650\u5236\u3002\u4e3b\u8981\u6709\u4ee5\u4e0b\u4e09\u7c7b\u9650\u5236\u65b9\u5f0f\uff1a
\u76ee\u524d\uff0c\u955c\u50cf\u7ad9\u914d\u7f6e\u4e86\u4ee5\u4e0b\u51e0\u79cd\u529f\u80fd\u7684\u9650\u5236\u5668\uff1a
\u4f8b\u5916\uff1a
\u5bf9\u8fd4\u56de 403 \u7684\u6076\u610f\u8bf7\u6c42\uff08\u89c1\u4e0b\uff09\uff0c\u4ec5\u5e94\u7528\u5168\u5c40\u8bf7\u6c42\u901f\u7387/\u8bf7\u6c42\u6570\u9650\u5236\u5668\uff08Main-Req \u548c Main-Count\uff09\uff0c\u4e14\u5728\u8fd9\u4e24\u4e2a\u9650\u5236\u5668\u91cc\u6309\u53cc\u500d\u8ba1\u6570\uff1b\u540c\u65f6\u8df3\u8fc7\u65ad\u70b9\u7eed\u4f20/\u76ee\u5f55/\u6587\u4ef6\u9650\u5236\u5668\uff0c\u907f\u514d\u56e0\u4e3a\u6076\u610f\u8bf7\u6c42\u5237\u6ee1\u4e86\u76ee\u5f55/\u6587\u4ef6\u7684\u9650\u989d\u5bfc\u81f4\u6b63\u5e38\u7528\u6237\u7684\u8bbf\u95ee\u53d7\u9650\u3002
\u4f8b\u5916\u6587\u4ef6\u7684\u5b9a\u4e49\u53c2\u8003 /etc/nginx/conf.d/access_limiter.conf
\u3002
\u6848\u4f8b\uff1a\u66fe\u9047\u5230\u8fc7\u653b\u51fb\u8005\u5206\u5e03\u5f0f\u8bf7\u6c42\u540c\u4e00\u4e2a\u5927\u6587\u4ef6\uff0c\u5bfc\u81f4 IO\u3001\u7f51\u7edc\u540c\u65f6\u8fc7\u8f7d\u3002\u57fa\u4e8e IP \u5730\u5740\u7684\u9650\u5236\u63aa\u65bd\u5bf9\u4e8e\u6e90\u5730\u5740\u6c60\u5f88\u5927\u7684\u653b\u51fb\u5f80\u5f80\u6ca1\u6709\u6548\u679c\uff0c\u9650\u5236\u5355\u6587\u4ef6\u7684\u8bf7\u6c42\u901f\u7387\u80fd\u591f\u6709\u6548\u7f13\u89e3\u8fd9\u7c7b\u653b\u51fb\u3002
\u5177\u4f53\u53c2\u6570\u53c2\u8003\u4e0b\u8868\uff1a
\u9650\u5236\u5668\u540d\u79f0\u4e0e\u4ee3\u53f7 \u9608\u503c\u5355\u4f4d \u9608\u503c \u7a81\u53d1\u91cf \u8ba1\u6570\u5668\u91cd\u7f6e\u5468\u671f \u52a8\u4f5c \u5168\u5c40\u8bf7\u6c42\u901f\u7387\u9650\u5236\u5668Main-Req
\u6b21/\u79d2 40 100 / \u8fd4\u56de 429 \u9519\u8bef \u5168\u5c40\u8bf7\u6c42\u6570\u9650\u5236\u5668Main-Count
\u6b21 15000 / 1 \u5929 \u8bbe\u7f6e\u5168\u5c40\u8bf7\u6c42\u901f\u7387\u9650\u5236\u5668\u9608\u503c\u4e3a 0.2 \u6b21/\u79d2 HEAD \u8bf7\u6c42\u6570\u9650\u5236\u5668Head-Count
\u6b21 300 / 1 \u5929 \u5f00\u542f HEAD \u8bf7\u6c42\u901f\u7387\u9650\u5236\u5668 HEAD \u8bf7\u6c42\u901f\u7387\u9650\u5236\u5668Head-Req
\u6b21/\u79d2 0.05 5 / \u8fd4\u56de 429 \u9519\u8bef \u65ad\u70b9\u7eed\u4f20\u8bf7\u6c42\u901f\u7387\u9650\u5236\u5668Partial-Req
\u6b21/\u79d2 1 10 / \u8fd4\u56de 429 \u9519\u8bef \u65ad\u70b9\u7eed\u4f20\u8fde\u63a5\u6570\u9650\u5236\u5668Partial-Conn
\u6761 1 0 / \u8fd4\u56de 429 \u9519\u8bef \u76ee\u5f55\u8bf7\u6c42\u901f\u7387\u9650\u5236\u5668Ls-Req
\u6b21/\u79d2 0.5 10 / \u8fd4\u56de 429 \u9519\u8bef \u6587\u4ef6\u8bf7\u6c42\u901f\u7387\u9650\u5236\u5668File-Req
\u6b21/\u79d2 5 25 / \u8fd4\u56de 429 \u9519\u8bef \u6587\u4ef6\u8bf7\u6c42\u8fde\u63a5\u6570\u9650\u5236\u5668File-Conn
\u6761 100 0 / \u8fd4\u56de 429 \u9519\u8bef HEAD \u9650\u5236\u5668\u5df2\u5173\u95ed
\u8003\u8651\u5230 ZFS \u5bf9 dnode \u7684\u7f13\u5b58\u975e\u5e38\u6709\u6548\uff0c\u5728\u63a5\u5230 AOSC \u793e\u533a\u7684\u53cd\u9988\u540e\uff0c\u6211\u4eec\u5b8c\u5168\u5173\u95ed\u4e86 HEAD \u8bf7\u6c42\u6570\u9650\u5236\u5668\u3002
How lua-resty-limit-traffic works\u9650\u5236\u5668\u903b\u8f91\u4f7f\u7528 https://github.com/openresty/lua-resty-limit-traffic \u5b9e\u73b0\uff0c\u5176\u4e2d\u4e0a\u8868\u4ee3\u53f7\u5206\u522b\u5bf9\u5e94\u5176 req
, count
, conn
\u4e09\u79cd\u5b9e\u73b0\uff0ctraffic
\u5219 aggregate \u4e86 count
\u4e4b\u5916\u7684\u9650\u5236\u5668\uff0c\u8fd4\u56de\u6700\u5927\u7684\u5ef6\u8fdf\u3002
req
\u7684\u6838\u5fc3\u516c\u5f0f\u662f\uff1aexcess = max(excess - rate * elapsed / 1000 + 1000, 0)
\uff0c\u5176\u4e2d\u65f6\u95f4\u5355\u4f4d\u662f\u6beb\u79d2\uff08rate
\u548c burst
\u53c2\u6570\u8ba1\u7b97\u65f6\u90fd\u9700\u8981\u4e58\u4ee5 1000\uff09\u3002excess
\u4f1a\u5148\u548c burst
\u6bd4\u8f83\uff08\u5982\u679c\u8d85\u51fa\uff0c\u5219 reject\uff09\uff0c\u5982\u679c\u6ca1\u6709\u8d85\u51fa\uff0c\u5219 delay excess / rate
\u79d2\u3002
\u5f53 elapsed = 1000/rate \u65f6\uff0c\u6070\u597d\u4e0d\u4f1a\u589e\u52a0 excess
\u7684\u503c\uff0c\u6b64\u65f6 1 \u79d2\u5185\u6070\u597d\u53ef\u4ee5\u5bb9\u7eb3 rate \u4e2a\u8bf7\u6c42\uff1b\u5f53 elapsed = 1000/(rate+burst) \u65f6\uff0cexcess
\u589e\u91cf\u4e3a 1000(1-r/(r+b))\uff0c\u6b64\u65f6 1 \u79d2\u5185\u6070\u597d\u6709 (rate+burst) \u4e2a\u8bf7\u6c42\u4e0d\u4f1a\u88ab reject\u3002
\u7406\u60f3\u60c5\u51b5\u4e0b\u7684\u4f8b\u5b50\uff1a\u5982\u679c rate = 40r/s = 40 * 1000 r/ms\uff0c\u5219 elapsed \u9700\u8981\u81f3\u5c11\u4e3a 1/40 \u79d2\uff0825 \u6beb\u79d2\uff09\uff0c\u624d\u80fd\u548c\u540e\u9762\u7684 + 1000
\u62b5\u6d88\uff0c\u5426\u5219 excess
\u4f1a\u4e00\u76f4\u589e\u52a0\u3002\u5982\u679c burst = 100r/s = 100 * 1000 r/ms\uff0c\u90a3\u4e48\u5047\u8bbe\u6709\u7528\u6237\u6bcf 1/140 \u79d2\uff087.1 \u6beb\u79d2\uff09\u8bbf\u95ee\u4e00\u6b21\uff0c\u90a3\u4e48 excess
\u6bcf\u6b21\u4f1a\u589e\u52a0 714.28\uff0c\u5982\u679c\u6709 140 \u4e2a\u8fd9\u6837\u7684\u8bf7\u6c42\uff0c\u90a3\u4e48 excess
\u7684\u503c\u5219\u6070\u597d\u662f burst
\u7684\u503c\u3002
count
\u7684\u903b\u8f91\u7b80\u5355\u5f88\u591a\uff0c\u4f7f\u7528 lua-nginx-module \u5e26\u7684 https://github.com/openresty/lua-nginx-module?tab=readme-ov-file#ngxshareddictincr \u4e3a\u6bcf\u6b21\u81ea\u589e\u8bbe\u7f6e TTL \u5373\u53ef\u3002
conn
\u4f7f\u7528\u5b57\u5178\u8ba1\u6570\u5668\u7edf\u8ba1\u5f53\u524d\u8fde\u63a5\u6570\uff0c\u5982\u679c\u8d85\u8fc7\u4e86 max + burst
\uff0c\u5219 reject\u3002\u5426\u5219\u5982\u679c\u8d85\u8fc7\u4e86 max
\u5219\u5ef6\u8fdf unit_delay * floor((conn - 1) / max)
\u79d2\u3002unit_delay
\u8d77\u59cb\u4e3a\u7528\u6237\u7ed9\u5b9a\u7684\u503c\uff0c\u5728\u4e4b\u540e\u4f1a\u6309\u7167 unit_delay = (req_latency + unit_delay) / 2
\u5b9a\u65f6\u8c03\u6574\u3002
\u5230\u8fbe\u9608\u503c\u540e\u4f1a\u53d1\u751f\u4ec0\u4e48\uff1f
\u9650\u5236\u5668\u4e4b\u95f4\u76f8\u4e92\u72ec\u7acb\uff0c\u5f53\u88ab\u89e6\u53d1\u7684\u6240\u6709\u9650\u5236\u5668\u4ea7\u751f\u4e0d\u4e00\u81f4\u7684\u7b49\u5f85\u65f6\u95f4\u65f6\uff0c\u5e94\u7528\u6700\u957f\u7684\u7b49\u5f85\u65f6\u95f4\u3002
"},{"location":"services/mirrors/limiter/#large-files","title":"\u5927\u6587\u4ef6\u4e0b\u8f7d\u901f\u5ea6\u9650\u5236","text":"\u4ee3\u7801\u4f4d\u4e8e /etc/nginx/lua/header_filter.lua
\u9488\u5bf9\u5927\u6587\u4ef6\u4e0b\u8f7d\uff0c\u9650\u5236\u6bcf\u4e2a\u6587\u4ef6\u7684\u603b\u5e26\u5bbd\u4e3a 1 Gbps\uff0c\u4ee5\u907f\u514d\u5927\u6587\u4ef6\u6d41\u91cf\u5360\u6ee1\u603b\u5e26\u5bbd\u3002
\u6ce8\u610f\u4e8b\u9879
\u5982\u679c\u6709\u591a\u4e2a\u6587\u4ef6\u9762\u4e34\u9ad8\u538b\u529b\u8bbf\u95ee\uff0c\u603b\u5e26\u5bbd\u4f9d\u7136\u53ef\u80fd\u88ab\u5360\u6ee1
\u5177\u4f53\u505a\u6cd5\u4e3a\uff0c\u8bbe\u7f6e\u4e0b\u8f7d\u901f\u5ea6\u9608\u503c = 1 Gbps / (\u8be5\u5927\u6587\u4ef6\u7684\u540c\u65f6\u8fde\u63a5\u6570 + 1)
\u5f53\u4e0b\u8f7d\u7684\u6587\u4ef6\u65e0\u7a77\u5927\u65f6\uff0c\u5c06\u51fa\u73b0\u6700\u5dee\u60c5\u5f62\uff0c\u5373\u7528\u6237\u88ab\u5206\u914d\u5230\u7684\u4e0b\u8f7d\u901f\u7387\u670d\u4ece\u7c7b\u8c03\u548c\u7ea7\u6570\uff0c\u51fd\u6570\u53d1\u6563\u3002\u5b9e\u9645\u60c5\u51b5\u4e0b\uff0c\u65e9\u671f\u7528\u6237\u4e0b\u8f7d\u5b8c\u6210\u540e\u8fde\u63a5\u91ca\u653e\uff0c\u6700\u7ec8\u5e26\u5bbd\u5c06\u6536\u655b\u5230 1 Gbps\u3002
\u6ce8\uff1a\u5927\u6587\u4ef6\u5b9a\u4e49\u53c2\u7167\u76ee\u524d\u7684 Lua \u811a\u672c\u914d\u7f6e\u3002
"},{"location":"services/mirrors/limiter/#nginx-js-challenge","title":"Nginx JavaScript \u6311\u6218","text":"\u4ee3\u7801\u4f4d\u4e8e /etc/nginx/lua/access-with-challenge.lua
为了抵抗“迅雷攻击”，对于特定类型的文件开启了 JS 挑战：如果客户端 User-Agent 为 Mozilla（即自称浏览器），则发送一段包含 JS 脚本的页面，检验运行的结果；如果挑战失败，则禁止访问。注意 User-Agent 完全由客户端决定，这只是针对特定下载器的降载手段，不能当作访问控制；非 Mozilla UA 的请求如何处理以 access-with-challenge.lua 的实现为准。
\u88ab\u4fdd\u62a4\u7684\u6587\u4ef6\u7c7b\u578b\u53c2\u89c1 /etc/nginx/conf.d/map_access.conf\uff0c\u90e8\u5206\u5185\u5bb9\u8282\u9009\u5982\u4e0b\uff1a
map $uri $access_url_type {\n default 0;\n\n # 1: large files\n \"~*\\.(iso|exe|dmg|run|zip|tar)$\" 1;\n}\n
"},{"location":"services/mirrors/limiter/#robots","title":"\u722c\u866b\u9650\u5236","text":"\u4ee3\u7801\u4f4d\u4e8e map_access.conf
\uff08\u89c1\u4e0a\uff09\u548c /etc/nginx/snippets/robots\uff0c\u5229\u7528 nginx \u7684 map
\u5b9e\u73b0\u7ec4\u5408\u903b\u8f91\uff0c\u8fdb\u884c\u5982\u4e0b\u9650\u5236\uff1a
Rsync \u670d\u52a1\u8bbe\u7f6e\u4e86\u603b\u8fde\u63a5\u6570\u9650\u5236\u3002\u5373\uff1a\u5f53\u5efa\u7acb\u7684\u8fde\u63a5\u6570\u5230\u8fbe\u67d0\u4e2a\u9608\u503c\u540e\uff0c\u62d2\u7edd\u4e4b\u540e\u6536\u5230\u7684\u8fde\u63a5\u3002
\u5386\u53f2\u8bb0\u5f55
\u4ee5\u524d HTTP \u548c Rsync \u670d\u52a1\u7531\u540c\u4e00\u53f0\u670d\u52a1\u5668\u63d0\u4f9b\uff0c\u7531\u4e8e\u767d\u5929 HTTP \u8bbf\u95ee\u538b\u529b\u8f83\u5927\uff0c\u591c\u665a HTTP \u8bbf\u95ee\u91cf\u8f83\u5c0f\uff0c\u4e3a\u4e86\u5b9e\u73b0\u9519\u5cf0\u540c\u6b65\uff0c\u4fdd\u8bc1\u767d\u5929 HTTP \u7684\u670d\u52a1\u8d28\u91cf\uff0c\u56e0\u6b64\u9488\u5bf9\u4e0d\u540c\u65f6\u6bb5\u8bbe\u7f6e\u4e86\u4e0d\u540c\u7684\u9608\u503c\uff0c\u5177\u4f53\u5982\u4e0b\uff1a
\u5728 2020 \u5e74 8 \u6708 25 \u65e5\u540e\uff0c\u7531\u4e8e\u66f4\u6362\u4e86\u65b0\u670d\u52a1\u5668\uff0cRsync \u7531\u5355\u72ec\u673a\u5668\u63d0\u4f9b\u670d\u52a1\uff0c\u603b\u8fde\u63a5\u6570\u63d0\u5347\u5230\u4e86\u5168\u5929 60 \u4e2a\u8fde\u63a5\u3002
\u7279\u522b\u7684\uff0c\u79d1\u5927\u6821\u5185 IP \u5730\u5740\u53d7\u5230 rsync \u8fde\u63a5\u6570\u9650\u5236\u3002
"},{"location":"services/mirrors/limiter/#interface-limit","title":"\u7f51\u7edc\u63a5\u53e3\u7ea7\u522b\u9650\u5236","text":"mirrors \u5e38\u6001\u4e0b\u6ca1\u6709\u7f51\u7edc\u63a5\u53e3\u9650\u5236\uff0c\u4f46\u5728\u9700\u8981\u4e34\u65f6\u5bf9\u67d0\u4e00\u63a5\u53e3\u8fdb\u884c\u9650\u5236\u65f6\uff0c\u53ef\u4ee5\u4f7f\u7528 tc \u6765\u5b8c\u6210\u3002
\u4f8b\u5982\u53ef\u4ee5\u53c2\u8003\u8fd9\u4efd\u56de\u7b54\uff1aiptables - Limiting interface bandwidth with tc under Linux - Server Fault\uff0c\u4f7f\u7528\u5982\u4e0b\u6307\u4ee4\u9650\u5236\u67d0\u4e00\u63a5\u53e3\u7684\u7f51\u7edc\u901f\u7387\u4e3a 1.5Gbps\uff1a
tc qdisc add dev <interface> root handle 1: tbf rate 1500Mbit burst 750K latency 14ms\n
\u8fd9\u91cc\u4f7f\u7528\u4e86 TBF\uff08\u4ee4\u724c\u6876\uff09\u7b97\u6cd5\uff0c\u540e\u9762\u7684 burst \u548c latency \u53c2\u6570\u610f\u4e49\u53ef\u4ee5\u53c2\u89c1 man tc-tbf
\u3002 \u5177\u4f53\u800c\u8a00\uff0clatency \u6ca1\u6709\u63a8\u8350\u503c\uff0c\u4f46 burst \u8981\u6c42\u81f3\u5c11\u4e3a rate / HZ
，例如 HZ = 100 时 10Mbps 的 burst 至少约为 10KB（10 Mbit ÷ 100 = 100 kbit ≈ 12.5 KB；上面 1500Mbit 配 750K 对应的是 HZ = 250）。 HZ 的值需要从内核的编译参数中查看：egrep '^CONFIG_HZ_[0-9]+' /boot/config-`uname -r`
\u3002\u73b0\u4ee3\u53d1\u884c\u7248\u63d0\u4f9b\u7684\u5185\u6838\u4e2d\u8fd9\u4e2a\u503c\u4e00\u822c\u4e3a 250\u3002
\u53c2\u8003\u8d44\u6599\uff1aBucket size in tbf
\u76ee\u524d\u90e8\u7f72\u7684\u9650\u5236\u6709\uff1a
\u5728 mirrors4 \u4e0a\u8be5\u914d\u7f6e\u7684\u5f00\u673a\u81ea\u542f\u5206\u522b\u4f4d\u4e8e tc-unicom.service
\u548c tc-telecom.service
\u4e24\u4e2a\u670d\u52a1\u4e2d\uff0c\u5176\u4e2d tc-unicom.service
\u914d\u7f6e\u5982\u4e0b\uff1a
[Unit]\nDescription=Rate Limiting for Unicom Interface\n\n[Service]\nType=oneshot\nRemainAfterExit=true\nExecStart=/usr/sbin/tc qdisc replace dev unicom root handle 1: tbf rate 1500Mbit burst 750K latency 14ms\nExecStop=/usr/sbin/tc qdisc delete dev unicom root handle 1\n\n[Install]\nWantedBy=sys-subsystem-net-devices-unicom.device\n
Install \u90e8\u5206\u7684 WantedBy \u4f7f\u7528\u8fd9\u79cd\u5199\u6cd5\u53ef\u4ee5\u4f7f\u8be5\u670d\u52a1\u4f9d\u8d56\u4e8e\u540d\u4e3a unicom
\u7684\u7f51\u53e3\uff0c\u8be6\u7ec6\u56de\u7b54\u53ef\u4ee5\u770b What is the systemd-networkd equivalent of post-up?\u3002
\u5bf9\u4e8e\u6ee5\u7528\u7684 IP \u6bb5\uff0c\u53ef\u4ee5\u4f7f\u7528 ipset \u548c iptables \u5b9e\u73b0\u9ed1\u540d\u5355\u9650\u5236\u3002 ipset \u5c06\u67d0\u4e2a IP \u5339\u914d\u5230\u4e00\u4e2a\u96c6\u5408\u4e2d\uff0ciptables \u518d\u9488\u5bf9\u67d0\u4e00\u96c6\u5408\u8fdb\u884c\u9650\u5236\u3002
ipset \u548c iptables \u7684\u4f7f\u7528\u53ef\u4ee5\u53c2\u8003\uff1aIpset - Arch Wiki \u3002
\u6211\u4eec\u5df2\u5728 mirrors4 \u4e0a\u914d\u7f6e\u4e86 blacklist
\u548c blacklist6
\u96c6\u5408\uff0c\u82e5\u8981\u5c01\u7981\u67d0\u4e2a IP \u6216\u7f51\u6bb5\uff0c\u53ef\u4ee5\u76f4\u63a5\u5c06\u8be5\u7f51\u6bb5\u52a0\u5165\u96c6\u5408\uff0c\u4f8b\u5982\uff1a
ipset add blacklist 192.0.2.0/24\nipset add blacklist6 2001:db8:114:514::/64\n
\u4e0e iptables \u7c7b\u4f3c\uff0cipset \u4e5f\u9700\u8981\u6301\u4e45\u5316\u3002\u5c01\u7981\u540d\u5355\u7684\u6587\u4ef6\u4f4d\u4e8e\uff08mirrors4\uff09/usr/local/network_config/iptables/blacklist.list
\uff0c\u4fee\u6539\u6b64\u6587\u4ef6\u589e\u51cf\u6761\u76ee\u540e\u8fd0\u884c\u8be5\u76ee\u5f55\u4e0b\u7684 apply.sh
\u5373\u53ef\u3002
\u7531\u4e8e\u5c01\u7981\u4ec5\u5bf9\u65b0\u5efa\u7acb\u7684\u8fde\u63a5\u6709\u6548\uff0c\u8bf7\u5728\u4fee\u6539\u5c01\u7981\u540d\u5355\u540e\uff0c\u4f7f\u7528 ss -K dst \u5bf9\u5e94\u7684\u7f51\u6bb5
\u5173\u95ed\u5df2\u7ecf\u5efa\u7acb\u7684\u8fde\u63a5\uff08\u4f8b\u5982\u5bf9\u4e8e\u4ee5\u4e0a\u4e24\u884c\u89c4\u5219\uff0c\u547d\u4ee4\u5206\u522b\u4e3a ss -K dst 192.0.2.0/24
\u4e0e ss -K dst 2001:db8:114:514::/64
\uff09\u3002
\u6211\u4eec\u4f7f\u7528\u8f6f\u4ef6\u6e90\u91cc\u7684 ipset-persistent
\u5305\u6765\u5e2e\u52a9 ipset \u5728\u5f00\u673a\u65f6\u81ea\u52a8\u6062\u590d\uff0c\u8be5\u8f6f\u4ef6\u5305\u4f1a\u5728\u5f00\u673a\u52a0\u8f7d iptables \u524d\u5148\u4ece /etc/iptables/ipsets
\u4e2d\u6062\u590d ipset \u4ee5\u786e\u4fdd iptables \u4e2d\u7684\u5f15\u7528\u80fd\u6b63\u786e\u5904\u7406\u3002
\u56e0\u4e3a ipset-persistent \u5728\u5f00\u673a\u65f6\u81ea\u52a8\u52a0\u8f7d\uff0c\u6211\u4eec\u9009\u62e9\u4ec5\u52a0\u8f7d\u4e00\u4e2a\u8f83\u5c0f\u7684\u5b50\u96c6\uff0c\u5305\u542b\u5fc5\u8981\u914d\u7f6e\uff08create set\uff09\u548c\u8f83\u5c11\u53d1\u751f\u53d8\u5316\u7684\u5185\u5bb9\uff08\u5982 ustcnet \u7684\u7f51\u6bb5\uff09\u3002\u76ee\u524d /etc/iptables/ipsets
\u5305\u542b\u4ee5\u4e0b\u5185\u5bb9\uff1a
create ustcnet hash:net family inet hashsize 1024 maxelem 65536\ncreate f2b-sshd hash:ip family inet hashsize 1024 maxelem 65536 timeout 3600\ncreate blacklist hash:net family inet hashsize 1024 maxelem 65536\ncreate blacklist6 hash:net family inet6 hashsize 1024 maxelem 65536\n\nadd ustcnet 202.38.64.0/19\n# more ustcnet entries...\n
"},{"location":"services/mirrors/limiter/#403","title":"403 \u9875\u9762","text":"\u76ee\u524d mirrors4 \u5c06\u6765\u6e90 IP \u5c5e\u4e8e blacklist
\u6216 blacklist6
\u96c6\u5408\u4e14\u76ee\u6807\u7aef\u53e3\u4e3a 80 \u6216 443 \u7684\u8fde\u63a5\u91cd\u5b9a\u5411\u81f3 403 \u7aef\u53e3\u3002403 \u9875\u9762\u4f4d\u4e8e /var/www/html/403.html
\u3002
\u76f8\u5173 nginx \u914d\u7f6e\u4f4d\u4e8e /etc/nginx/sites-available/mirrors.ustc.edu.cn-403\u3002
\u6211\u4eec\u4f7f\u7528 ip{,6}tables
\u5c06\u5bf9 80 \u6216 443 \u7aef\u53e3\u7684\u8bbf\u95ee\u91cd\u5b9a\u5411\u81f3 403 \u7aef\u53e3\uff0c\u5728 nat
\u8868\u7684 PREROUTING
\u94fe\u6dfb\u52a0\u89c4\u5219\uff1a
-A PREROUTING -m set --match-set blacklist src -p tcp -m multiport --dports 80,443 -j REDIRECT --to-port 403\n
\u5e76\u5728 filter
\u8868 BLACKLIST
\u94fe\u653e\u884c\u5df2\u5efa\u7acb\u8fde\u63a5\uff0c\u5bf9 403 \u7aef\u53e3\u9650\u901f\uff1a
-A BLACKLIST -m conntrack --ctstate ESTABLISHED -j RETURN\n-A BLACKLIST -p tcp --dport 403 -m hashlimit --hashlimit-upto 60/min --hashlimit-burst 5 --hashlimit-mode srcip --hashlimit-srcmask 64 --hashlimit-name nginx-403 --hashlimit-htable-expire 60000 -j RETURN\n-A BLACKLIST -j DROP\n
"},{"location":"services/mirrors/monitor/","title":"Mirrors-specific monitoring","text":""},{"location":"services/mirrors/monitor/#connections-users-online","title":"Connections (Users online)","text":"/etc/telegraf/telegraf.d/exec.conf[[inputs.exec]]\n commands = [\n \"/opt/monitor/telegraf/connection.sh 21:80:443:873:9418\",\n \"/opt/monitor/telegraf/nfacct.sh\",\n \"/opt/monitor/telegraf/process.sh\",\n ]\n timeout = \"5s\"\n data_format = \"influx\"\n
/opt/monitor/telegraf/connection.sh#!/bin/bash\n\nport_list_input=${1//:/|}\nport_list=${port_list_input:-\"80|443\"}\nnetstat -ntW | gawk '{print tolower($6),gensub(/^(.+):([^:]+)$/,\"\\\\1 \\\\2\",\"g\",$4)}' | grep -P \" ($port_list)\\$\" | sort | uniq -c | sort -k 4 -k 3 | awk \"{printf(\\\"connection,protocol=tcp,port=%s,address=%s %s=%s\\n\\\",\\$4,\\$3,\\$2,\\$1)}\"\nnetstat -ntW | gawk '{print tolower($6),gensub(/^(.+):([^:]+)$/,\"\\\\2\",\"g\",$4)}' | grep -P \" ($port_list)\\$\" | sort | uniq -c | sort -k 3 | awk \"{printf(\\\"connection,protocol=tcp,port=%s,address=any %s=%s\\n\\\",\\$3,\\$2,\\$1)}\"\n
/opt/monitor/telegraf/nfacct.sh#!/bin/bash\n\nsudo nfacct list | awk '-F[ ,;]' \"{printf(\\\"nfacct,object=%s bytes=%i,pkgs=%i\\n\\\",\\$11,\\$8,\\$4)}\"\n
/opt/monitor/telegraf/process.sh#!/bin/sh\n\nps -e -o s= -o comm= |\n grep -v '^[SI] ' |\n sed 's|/.*$|/|g' |\n sort | uniq -c |\n awk '{printf(\"process,state=%s,name=%s count=%ii\\n\",$2,$3,$1)}'\n
"},{"location":"services/mirrors/repos/","title":"Repositories","text":"\u955c\u50cf\u7ad9\u670d\u52a1\u5668\u7edf\u4e00\u4f7f\u7528 /srv/repo
\u5b58\u50a8\u955c\u50cf\u4ed3\u5e93\u3002
\u6839\u636e\u670d\u52a1\u5668\u4f7f\u7528\u7684\u6587\u4ef6\u7cfb\u7edf\uff0c\u53c2\u8003 ZFS \u6216\u8005 XFS\u3002
"},{"location":"services/mirrors/repos/#_2","title":"\u6dfb\u52a0\u540c\u6b65\u914d\u7f6e","text":"\u7167\u7740 /home/mirror/repos
\u4e0b\u7684\u73b0\u6709\u6587\u4ef6\u81ea\u5df1\u7814\u7a76\u4e00\u4e0b\u5427\uff0c\u8fd9\u4e2a\u4e0d\u96be\u3002\u9700\u8981\u6ce8\u610f\u7684\u5c31\u4e00\u70b9\uff0c\u6587\u4ef6\u540d\u7ed3\u5c3e\u5fc5\u987b\u662f .yaml
\uff08\u800c\u4e0d\u80fd\u662f .yml
\uff09\uff0c\u8fd9\u662f Yuki \u4ee3\u7801\u91cc\u5199\u7684\u3002
\u51b3\u5b9a bindIP
\u6216 network
\u7684\u503c
\u955c\u50cf\u7ad9\u6709\u591a\u4e2a\u6765\u81ea\u4e0d\u540c\u8fd0\u8425\u5546\u7684 IP \u53ef\u7528\u4e8e\u540c\u6b65\u4efb\u52a1\u3002\u7531\u4e8e\u7f51\u7edc\u73af\u5883\u7684\u4e0d\u786e\u5b9a\u6027\uff0c\u6709\u65f6\u4f1a\u51fa\u73b0\u67d0\u4e2a IP \u540c\u6b65\u901f\u5ea6\u6781\u6162\u7684\u60c5\u51b5\u3002
@taoky \u7684 admirror-speedtest \u53ef\u4ee5\u5e2e\u52a9\u51b3\u5b9a\u6700\u5feb\u901f\u7684 IP\u3002
\u53e6\u5916\uff0cbindIP
\u4e0d\u9002\u7528\u4e8e\u6240\u6709\u7684\u540c\u6b65\u955c\u50cf\uff08\u4e00\u90e8\u5206\u7a0b\u5e8f\u4e0d\u652f\u6301\u4fee\u6539 bind()
\u7684\u53c2\u6570\uff09\uff0c\u6b64\u65f6\u53ef\u4ee5\u4f7f\u7528\u57fa\u4e8e Docker Network \u7684 network
\u914d\u7f6e\u3002
\u5199\u597d\u65b0\u4ed3\u5e93\u7684\u914d\u7f6e\u6587\u4ef6\u4e4b\u540e\u8fd0\u884c yuki reload
\uff0c\u7136\u540e yuki sync <repo>
\u5c31\u53ef\u4ee5\u5f00\u59cb\u521d\u6b21\u540c\u6b65\u4e86\u3002
/srv/git
","text":"git-daemon.service
\u6839\u636e /srv/git
\u4e0b\u7684\u5185\u5bb9\u5bf9\u5916\u63d0\u4f9b Git \u670d\u52a1\u3002\u6240\u4ee5\u5982\u679c\u662f git \u7c7b\u578b\u7684\u4ed3\u5e93\uff0c\u9700\u8981\u6dfb\u52a0\u8f6f\u94fe\u63a5\uff0c\u5426\u5219\u65e0\u6cd5\u4f7f\u7528 git://
\u7684\u534f\u8bae\u8bbf\u95ee\u3002\uff08http(s)://
\u534f\u8bae\u6ca1\u6709\u95ee\u9898\uff09
Git \u4ed3\u5e93\u670d\u52a1\u7684\u5176\u4ed6\u76f8\u5173\u914d\u7f6e
\u90e8\u5206\u514b\u9686\u914d\u7f6e (See https://github.com/ustclug/discussions/issues/432)\uff1a
/etc/gitconfig[uploadpack]\n allowfilter = true\n
\u7531\u4e8e git daemon/fcgiwrap \u7684\u7528\u6237\u4e0d\u662f mirror\uff0c\u6240\u4ee5\u9700\u8981\u8bbe\u7f6e\u7ed5\u8fc7 git \u65b0\u7684\u5b89\u5168\u9650\u5236\uff1a
/etc/gitconfig[safe]\n directory = *\n
"},{"location":"services/mirrors/repos/#_3","title":"\u79fb\u52a8\uff08\u5220\u9664\uff09\u4e00\u4e2a\u4ed3\u5e93","text":"Note
\u4ee5\u4e0b\u4ee5 2023 \u5e74 12 \u6708 27 \u65e5\u5c06 .private/sb
\u79fb\u52a8\u5230 sb
\u7684\u64cd\u4f5c\u4e3a\u4f8b\u5b50\uff0c\u4ecb\u7ecd\u6211\u4eec\u9700\u8981\u505a\u7684\u4e8b\u60c5\u3002
\u5f7c\u65f6\u7684 mirrors4 \u4ecd\u7136\u4f7f\u7528 XFS\uff0c\u5bf9\u4e8e\u4f7f\u7528 ZFS \u7684\u670d\u52a1\u5668\uff0c\u6587\u4ef6\u90e8\u5206\u64cd\u4f5c\u6709\u6240\u4e0d\u540c\u3002
"},{"location":"services/mirrors/repos/#sb","title":"\u521b\u5efasb
\u76ee\u5f55","text":"\u53c2\u8003\u4e0a\u6587\uff0c\u521b\u5efa\u76ee\u5f55\uff0c\u4fee\u6539 /etc/projects
\u7684\u8def\u5f84\uff08ID \u4e0d\u9700\u8981\u4fee\u6539\uff09\uff0c\u7136\u540e\u6267\u884c\u76f8\u5173\u7684 xfs_quota
\u547d\u4ee4\uff08\u89c1 XFS\uff09\u3002
\u7531\u4e8e\u6211\u4eec\u7684\u4f8b\u5b50\u662f\u79fb\u52a8\u76ee\u5f55\uff0c\u53ef\u4ee5\u76f4\u63a5\u4f7f\u7528 mv
\u547d\u4ee4\uff08sb
\u4ed3\u5e93\u5f88\u5c0f\uff09\u3002
\u4fee\u6539 /home/mirror/repos/sb.yaml
\uff0c\u5c06 path
\u4fee\u6539\u4e3a /srv/repo/sb
\u3002\u7136\u540e\u91cd\u65b0\u52a0\u8f7d\uff1a
yukictl reload sb\n
"},{"location":"services/mirrors/repos/#rsync-attrs","title":"\u6d4b\u8bd5\u540c\u6b65\uff0c\u5e76\u5220\u9664 rsync-attrs \u4e2d\u7684\u65e7\u76ee\u5f55","text":"yukictl sync --debug sb\n
\u786e\u8ba4\u540c\u6b65\u65e0\u8bef\u540e\uff0c\u68c0\u67e5 /srv/rsync-attrs
\u7684\u5185\u5bb9\uff0c\u5e76\u5220\u9664\u65e7\u76ee\u5f55 /srv/rsync-attrs/.private
\u3002
/srv/rsync-attrs
\u8be5\u76ee\u5f55\u7684\u7528\u9014\u662f\u4e3a\u574f\u4eba\u4fee\u6539\u7248\u7684 rsyncd\uff08\u5373 rsyncd-huai\uff09\u63d0\u4f9b\u5feb\u901f\u7684\u6587\u4ef6\u5c5e\u6027\u67e5\u8be2\uff08\u5bf9\u5e94\u4f7f\u7528 Reiserfs \u683c\u5f0f\u5316\uff0c\u6302\u8f7d\u5728 SSD \u4e0a\uff09\u3002 \u540c\u65f6\u8be5\u76ee\u5f55\u4e5f\u7528\u4e8e\u4e3b\u9875\u751f\u6210\u3002
"},{"location":"services/mirrors/repos/#nginx","title":"\u4fee\u6539 nginx \u914d\u7f6e","text":"\u7531\u4e8e\u6211\u4eec\u8fd9\u91cc\u662f\u79fb\u52a8\u4ed3\u5e93\uff0c\u4e3a\u4e86\u4fdd\u8bc1\u65e7\u7528\u6237\u80fd\u591f\u6b63\u5e38\u4f7f\u7528\uff0c\u9700\u8981\u4fee\u6539 nginx \u914d\u7f6e\uff0c\u5c06\u65e7\u7684\u8def\u5f84\u91cd\u5b9a\u5411\u5230\u65b0\u7684\u8def\u5f84\u3002
\u76f8\u5173\u7684\u914d\u7f6e\u4e00\u822c\u4f4d\u4e8e /etc/nginx/snippets/mirrors-locations
\uff0c\u672c\u6b21\u6211\u4eec\u65b0\u589e\u7684\u5185\u5bb9\u5982\u4e0b\uff1a
location /.private/sb/ {\n rewrite ^/.private(/sb/.*$) $1 permanent;\n}\n
Nginx rewrite \u76f8\u5173\u7684\u8bed\u6cd5\u77e5\u8bc6\u9700\u8bfb\u8005\u81ea\u884c\u5b66\u4e60\u3002
\u4fee\u6539\u5b8c\u6210\u540e\uff0c\u91cd\u8f7d\u914d\u7f6e\uff1a
nginx -t\nnginx -s reload # \u6216\u8005 systemctl reload nginx\n
\u5e76\u4e14 commit \u6709\u5173\u4fee\u6539\uff1a
git -c user.name=\u4f60\u7684\u540d\u5b57 -c user.email=\u4f60\u7684\u90ae\u7bb1 commit -m \"...\"\n
"},{"location":"services/mirrors/repos/#rsync-proxy-rsyncd","title":"\u4fee\u6539 rsync-proxy \u4e0e rsyncd \u914d\u7f6e","text":"rsync-proxy \u4e3a\u8fd1\u5e74\u6765\u6211\u4eec\u81ea\u884c\u7f16\u5199\u7684 rsync \u53cd\u5411\u4ee3\u7406\u670d\u52a1\u3002 \u4fee\u6539\u4e86 /etc/rsync-proxy/config.toml
\uff0c\u5220\u9664 mirrors2 \u4e2d\u7684 \".private\"
\u9879\uff0c\u5728 mirrors4 \u4e2d\u65b0\u589e \"sb\"
\u9879\u3002
\u56e0\u4e3a rsync-proxy \u6700\u7ec8\u8fd8\u9700\u8981\u8fde\u63a5\u5230\u540e\u7aef\u7684 rsyncd\uff0c\u56e0\u6b64 mirrors4 \u7684 rsyncd \u914d\u7f6e\u4e5f\u9700\u8981\u4fee\u6539\u3002 \u5728 /etc/rsyncd
\u4e0b\u6267\u884c python3 generate_common.py --write
\u5199\u5165\u914d\u7f6e\uff0c\u4f7f\u7528 git diff
\u68c0\u67e5\u65e0\u8bef\u540e git commit
\u3002 rsyncd \u914d\u7f6e\u4e2d\u5305\u542b\u4e0d\u516c\u5f00 rsync \u7684\u5185\u5bb9\uff08\u5982 git \u76ee\u5f55\uff09\u4e0d\u4f1a\u5bfc\u81f4\u95ee\u9898\uff0c\u56e0\u4e3a\u6240\u6709\u7528\u6237\u63a5\u89e6\u5230\u7684\u90fd\u662f rsync-proxy\u3002
\u786e\u8ba4\u540e\u91cd\u8f7d rsync-proxy:
systemctl reload rsync-proxy\n
Rsyncd \u4e0d\u9700\u8981\u91cd\u8f7d\uff1a\u6bcf\u4e2a\u6709\u6548\u8fde\u63a5\u4f1a\u542f\u52a8\u65b0\u8fdb\u7a0b\uff0c\u800c\u65b0\u8fdb\u7a0b\u4f1a\u91cd\u65b0\u8bfb\u53d6\u914d\u7f6e\u3002
"},{"location":"services/mirrors/repos/#mirrors2","title":"\u5220\u9664 mirrors2 \u4e0a\u7684\u4ed3\u5e93\u4e0e\u76f8\u5173\u9879","text":"\u6267\u884c yukictl repo rm sb
\uff0c\u7136\u540e\u5220\u9664 Yuki \u540c\u6b65\u914d\u7f6e\uff08~mirror/repos-etc/sb.yaml
\uff09\uff0c\u540c\u6837\u4e5f\u9700\u8981 git commit\u3002
\u4e4b\u540e\u5220\u9664\u5b58\u50a8\u7684\u5185\u5bb9\uff1a\u6267\u884c /sbin/zfs list
\u786e\u8ba4\u8981\u4e0b\u624b\u5220\u9664\u7684\u5b58\u50a8\u6c60\uff0c\u7136\u540e sudo zfs destroy pool0/repo/\u5bf9\u5e94\u7684\u540d\u5b57
\u5220\u9664\u3002
\u540c\u6837\uff0c/srv/rsync-attrs/.private
\u7684\u5185\u5bb9\u4e5f\u9700\u8981\u5220\u9664\u3002
rsync-huai \u662f\u574f\u4eba\u7684\u5143\u6570\u636e\u52a0\u901f\u7248\u7684 rsync\uff0c\u539f\u59cb\u4ee3\u7801\u5728 https://github.com/tuna/rsync\u3002
\u7531\u4e8e TUNA \u73b0\u5728\u4f7f\u7528\u5168\u95ea\u7684\u65b9\u6848\uff0c\u4e0d\u518d\u9700\u8981\u8fd9\u4e2a patch \u4e86\uff0c\u56e0\u6b64\u6211\u4eec\u81ea\u5df1\u7ef4\u62a4\u5bf9\u5e94\u7684\u7248\u672c\uff1ahttps://github.com/ustclug/rsync/tree/rsync-3.2.7\u3002
\u7279\u522b\u5730\uff0c/etc/systemd/system/rsyncd-huai@.service
\u5185\u5bb9\u5982\u4e0b\uff1a
[Unit]\nDescription=fast remote file copy program daemon\nConditionPathExists=/etc/rsyncd/rsyncd-%i.conf\nAfter=network.target network-online.target\n\n[Service]\nType=simple\nPIDFile=/run/rsyncd-%i.pid\nExecStart=/usr/bin/rsync-huai --daemon --no-detach --config=/etc/rsyncd/rsyncd-%i.conf\nIOSchedulingClass=best-effort\nIOSchedulingPriority=7\nIOAccounting=true\n\n[Install]\nWantedBy=multi-user.target\n
"},{"location":"services/mirrors/rsync/#rsync-proxy","title":"rsync-proxy","text":"\u8be6\u53c2 https://github.com/ustclug/rsync-proxy\u3002\u4e3a\u4e86\u8ba9\u670d\u52a1\u5668\u80fd\u591f\u8bb0\u5f55 IP \u4e0e\u8bbf\u95ee\u8def\u5f84\u7684\u5173\u7cfb\uff0c\u6211\u4eec\u6253\u5f00\u4e86 proxy protocol \u7279\u6027\u3002
"},{"location":"services/mirrors/services/","title":"\u955c\u50cf\u670d\u52a1","text":""},{"location":"services/mirrors/services/#_2","title":"\u9996\u9875\u751f\u6210","text":"\u955c\u50cf\u7ad9\u4e3b\u9875\u662f\u9759\u6001\u7684\uff0c\u7531 https://git.lug.ustc.edu.cn/mirrors/mirrors-index \u811a\u672c\u751f\u6210\u3002
crontab \u4f1a\u5b9a\u65f6\u8fd0\u884c\u8be5\u811a\u672c\uff0c\u751f\u6210\u9996\u9875\u548c mirrorz \u9879\u76ee\u9700\u8981\u7684\u6570\u636e\u3002
\u5728\u9996\u9875\u5c55\u793a\u7684\u300c\u83b7\u53d6\u5b89\u88c5\u955c\u50cf\u300d\u3001\u300c\u83b7\u53d6\u5f00\u6e90\u8f6f\u4ef6\u300d\u3001\u300c\u53cd\u5411\u4ee3\u7406\u5217\u8868\u300d\u5206\u522b\u7531 config \u5185\u914d\u7f6e\u6307\u5b9a\uff0c\u300c\u6587\u4ef6\u5217\u8868\u300d\u5185\u5bb9\u5219\u4f1a\u4ece\u540c\u6b65\u7a0b\u5e8f yuki \u7684 api \u4e2d\u83b7\u53d6\u3002
"},{"location":"services/mirrors/services/#http","title":"HTTP \u670d\u52a1","text":"Mirrors \u4f7f\u7528 OpenResty\uff08\u4e00\u4e2a\u6253\u5305 Nginx \u548c\u4e00\u5806\u6709\u7528\u7684 Lua \u6a21\u5757\u7684\u8f6f\u4ef6\u5305\uff09\u63d0\u4f9b HTTP \u670d\u52a1\u3002
\u914d\u7f6e\u6587\u4ef6\u4f4d\u4e8e LUG GitLab \u4e0a\uff1ahttps://git.lug.ustc.edu.cn/mirrors/nginx-config\uff0c\u6b64\u4ed3\u5e93\u5bf9\u5e94 mirrors \u4e0a\u7684 /etc/nginx
\u76ee\u5f55\u3002
\u89c1\u9650\u5236\u7b56\u7565\u3002
"},{"location":"services/mirrors/services/#repo-stats","title":"\u6bcf\u65e5\u6d41\u91cf\u7edf\u8ba1","text":"\u8bbf\u95ee\u8def\u5f84\uff1ahttps://mirrors.ustc.edu.cn/status/stats.json
\u811a\u672c\u4f4d\u4e8e https://git.lug.ustc.edu.cn/mirrors/sync/-/blob/scripts/repo_stats.py
\u6bcf\u5929\u5728 logrotate \u6eda\u5b8c nginx \u65e5\u5fd7\u540e\uff0c\u901a\u8fc7\u5206\u6790\u521a\u6eda\u51fa\u6765\u7684\u65e5\u5fd7\u6587\u4ef6\uff0c\u7edf\u8ba1\u6bcf\u4e2a\u4ed3\u5e93\u7684\u8bbf\u95ee\u91cf\u4e0e\u8f93\u51fa\u6d41\u91cf\uff08\u56e0\u6b64\u4ec5\u5305\u542b HTTP \u6d41\u91cf\u7edf\u8ba1\uff09\uff0c\u7136\u540e\u8f93\u51fa\u5230 json \u6587\u4ef6\uff0c\u5e76\u4e14\u989d\u5916\u8f93\u51fa\u4e00\u4efd json \u5230 /var/log/nginx/stats
\u4f5c\u4e3a\u5f52\u6863\u5b58\u50a8\uff0c\u65b9\u4fbf\u4ee5\u540e\u5206\u6790\u3002
\u9700\u8981\u6ce8\u610f\u7684\u662f\u8fd9\u4e2a\u811a\u672c\u662f\u7531 logrotate \u5728 nginx \u7684 postrotate script \u91cc\u8fd0\u884c\u7684\uff0c\u800c\u4e0d\u662f\u7531 cron \u6216\u8005 systemd timer\uff0c\u56e0\u6b64\u8c03\u7528\u5165\u53e3\u5728\u8fd9\u91cc\uff1a
/etc/logrotate.d/nginxpostrotate\n # [...]\n sudo -iu mirror ~mirror/scripts/repo_stats.py\nendscript\n
"},{"location":"services/mirrors/services/#rsync","title":"Rsync \u670d\u52a1","text":"\u672a\u5b8c\u5f85\u7eed\u3002
"},{"location":"services/mirrors/services/#_4","title":"\u53cd\u5411\u4ee3\u7406\u670d\u52a1","text":"\u672a\u5b8c\u5f85\u7eed\u3002
"},{"location":"services/mirrors/services/#git","title":"Git \u670d\u52a1","text":"Mirrors \u4e0a\u7684 Git \u670d\u52a1\u7531\u4e24\u90e8\u5206\u7ec4\u6210\uff1a
Git \u534f\u8bae\uff08TCP 9418 \u7aef\u53e3\uff09\u7531 git-daemon
\u76f4\u63a5\u63d0\u4f9b\u3002Git daemon \u7531\u6211\u4eec\u81ea\u5df1\u5199\u7684\u4e00\u4e2a systemd service \u8fd0\u884c\uff1a
[Unit]\nDescription=Git Daemon\nAfter=network.target\n\n[Service]\nType=exec\nNice=19\nIOSchedulingClass=best-effort\nIOSchedulingPriority=6\nExecStart=/usr/lib/git-core/git-daemon --user=gitdaemon --reuseaddr --verbose --export-all --forbid-override=receive-pack --timeout=180 --max-connections=32 --base-path=/srv/git\n\nSlice=system-cgi.slice\n\n[Install]\nWantedBy=multi-user.target\n
Git over HTTP \u7ecf\u8fc7 Nginx \u548c fcgiwrap \u7531 git-http-backend
\u63d0\u4f9b\u3002\u8003\u8651\u5230 fcgiwrap \u4e3b\u8981\u7528\u4e8e Git\uff0c\u6211\u4eec\u5c06\u5176\u653e\u5165\u540c\u4e00\u4e2a slice \u4e0e Git daemon \u5171\u4eab\u5185\u5b58\u9650\u5236\uff1a
[Service]\nType=exec\nNice=19\nIOSchedulingClass=best-effort\nIOSchedulingPriority=6\n\nSlice=system-cgi.slice\n
\u5176\u4e2d system-cgi.slice
\u662f\u6211\u4eec\u81ea\u5df1\u5b9a\u4e49\u7684\u4e00\u4e2a slice\uff0c\u7528\u4e8e\u9650\u5236 CGI \u670d\u52a1\u7684\u8d44\u6e90\u4f7f\u7528\u3002
[Unit]\nDescription=Slice for CGI services (notably Git daemon)\n\n[Slice]\nMemoryMax=32G\nMemoryHigh=28G\n\nIOAccounting=true\n
"},{"location":"services/mirrors/services/#ftp","title":"FTP \u670d\u52a1\uff08\u5df2\u5e9f\u5f03\uff09","text":"Mirrors \u66fe\u7ecf\u63d0\u4f9b FTP \u670d\u52a1\uff0c\u7531 vsftpd \u63d0\u4f9b\u3002\u5728\u5c06\u4e3b\u529b\u670d\u52a1\u5668\u4ece mirrors2 \u8fc1\u79fb\u81f3 mirrors4 \u65f6\u5e9f\u5f03\uff0c\u5373 mirrors4 \u4e0a\u4ece\u672a\u5b89\u88c5\u914d\u7f6e\u8fc7 vsftpd\uff08\u4f46 mirrors2 \u4e0a\u8fd8\u7559\u5b58\u6709\u914d\u7f6e\u6587\u4ef6\uff09\u3002
\u7531\u4e8e\u5e74\u4ee3\u4e45\u8fdc\u4e14\u6211\u4eec\u4e0d\u518d\u6253\u7b97\u6062\u590d FTP \u670d\u52a1\uff0c\u8fd9\u90e8\u5206\u6587\u6863\u4e5f\u5c31\u5495\u5495\u5495\u4e86\u3002
"},{"location":"services/mirrors/xfs/","title":"XFS","text":"\u5bf9\u4e8e\u4f7f\u7528 XFS \u5b58\u50a8\u955c\u50cf\u4ed3\u5e93\u7684\u670d\u52a1\u5668\uff0c\u6211\u4eec\u4f7f\u7528 XFS \u7684 quota \u529f\u80fd\u76d1\u89c6\u4ed3\u5e93\u5bb9\u91cf\u3002/srv/repo
\u4e0b\u7684\u6bcf\u4e2a\u76ee\u5f55\u4e3a\u4e00\u4e2a\u4ed3\u5e93\uff0c\u6709\u4e00\u4e2a\u5bf9\u5e94\u7684 XFS project\u3002\u6b64 XFS \u6587\u4ef6\u7cfb\u7edf\u9700\u8981\u4f7f\u7528 pqnoenforce
\u9009\u9879\u6302\u8f7d\uff0c\u56e0\u4e3a\u6211\u4eec\u53ea\u4f7f\u7528\u5bb9\u91cf\u7edf\u8ba1\u529f\u80fd\uff0c\u4e0d\u9700\u8981\u9650\u5236\u4ed3\u5e93\u7684\u78c1\u76d8\u4f7f\u7528\u3002
Todo
\u9700\u8981\u8c03\u7814\uff1a\u5feb\u901f\u5220\u9664\u4ed3\u5e93\u4e0e\u91cd\u547d\u540d\u4ed3\u5e93 (mv \u548c rm \u53ef\u80fd\u592a\u6162\u4e86)
"},{"location":"services/mirrors/xfs/#new-repo","title":"\u6dfb\u52a0\u4e00\u4e2a\u65b0\u4ed3\u5e93","text":""},{"location":"services/mirrors/xfs/#_1","title":"\u521b\u5efa\u76ee\u5f55","text":"\u5728 /srv/repo/
\u4e0b\u521b\u5efa\u5bf9\u5e94\u7684\u76ee\u5f55\u3002\u6ce8\u610f\u5bf9\u5e94\u76ee\u5f55\u7684\u6240\u6709\u8005\u548c\u6240\u6709\u7ec4\u5747\u5e94\u8be5\u662f mirror
\u3002
chown mirror: /srv/repo/example\n
"},{"location":"services/mirrors/xfs/#xfs-project","title":"\u521b\u5efa XFS project","text":"\u4e3a\u65b0\u4ed3\u5e93\u521b\u5efa XFS quota \u4ee5\u4fbf\u4e8e\u76d1\u89c6\u5bb9\u91cf\u3002\u9996\u5148\u68c0\u67e5 /etc/projects
\u548c /etc/projid
\uff0c\u627e\u5230\u5927\u4e8e 1000 \u7684 ID \u5e8f\u5217\uff0c\u627e\u51fa\u4e0b\u4e00\u4e2a ID\uff08\u4f8b\u5982 1111\uff0c\u4e0b\u9762\u4f7f\u7528\u8fd9\u4e2a\u4f5c\u4e3a\u4f8b\u5b50\uff09\u3002
mkdir /srv/repo/example\n
\u7f16\u8f91 /etc/projects
\uff0c\u52a0\u5165\u5982\u4e0b\u4e00\u884c
1111:/srv/repo/example\n
\u7136\u540e\u6267\u884c\uff1a
xfs_quota -x -c 'project -s 1111'\n
\u7f16\u8f91 /etc/projid
\uff0c\u52a0\u5165\u5982\u4e0b\u4e00\u884c
example:1111\n
\u4fe1\u606f
\u6211\u4eec\u7684\u955c\u50cf\u7ba1\u7406\u5668 Yuki \u6839\u636e\u955c\u50cf\u76ee\u5f55\u7684\u6700\u540e\u4e00\u6bb5\u540d\u79f0\uff08\u5373 basename\uff09\u6765\u4ece XFS \u4e2d\u83b7\u53d6\u5bb9\u91cf\u4fe1\u606f\uff0c\u56e0\u6b64 /etc/projid
\u6587\u4ef6\u5185\u5bb9\u6b63\u786e\u624d\u80fd\u4f7f Yuki \u5f97\u5230\u6b63\u786e\u7684\u5bb9\u91cf\u3002
#!/bin/bash\n\n# Determine largest project ID\nnext_id() {\n local PROJID=$(cut -d':' -f1 /etc/projects | sort -n | tail -1)\n echo $((++PROJID))\n}\n\nBASE=\"/srv/repo\"\nreadonly BASE\n\nif [ \"$1\" = \"-m\" ]; then\n MKDIR=yes\n shift\nfi\n\nwhile [ $# -ne 0 ]; do\n N=\"${1//\\//}\"\n shift\n if grep -q \"$BASE/$N\\$\" /etc/projects; then\n echo \"Repo $N exists, skipped.\" >&2\n continue\n fi\n\n if [ ! -e \"$BASE/$N\" ]; then\n if [ -n \"$MKDIR\" ]; then\n echo \"Path $BASE/$N does not exist, creating directory.\" >&2\n mkdir -p \"$BASE/$N\"\n else\n echo \"Path $BASE/$N does not exist, ignored.\" >&2\n continue\n fi\n elif [ ! -d \"$BASE/$N\" ]; then\n echo \"Path $BASE/$N is not a directory, ignored.\" >&2\n continue\n fi\n\n ID=\"$(next_id)\"\n echo \"$ID:$BASE/$N\" >> /etc/projects\n echo \"$N:$ID\" >> /etc/projid\n xfs_quota -x -c \"project -s $ID\" &>/dev/null\n echo \"Added $N (ID $ID)\"\ndone\n
"},{"location":"services/mirrors/xfs/#quota","title":"\u67e5\u770b quota \u60c5\u51b5","text":"xfs_quota -c 'df -h'\n
"},{"location":"services/mirrors/zfs/","title":"ZFS","text":""},{"location":"services/mirrors/zfs/#common-operations","title":"Common Operations","text":"Get zpool statuszpool status\n
Get IO statuszpool iostat -v 1\n
Replace Diskzpool replace pool0 old-disk new-disk\n
New ZFS file systemzfs create [-o option=value ...] <filesystem>\n\n# Example\nzfs create pool0/repo/debian\n
If mountpoint
is not specified, then it's inherited from the parent with a subpath appended. E.g. when pool0/example
is mounted on /mnt/haha
then pool0/example/test
will by default mount on /mnt/haha/test
.
zfs destroy <filesystem>\n\n# Example\nzfs destroy pool0/repo/debian\n
"},{"location":"services/mirrors/zfs/#new-repo","title":"Create new repository","text":"zfs create pool0/repo/example\n
Contrary to XFS, no other steps are needed.
"},{"location":"services/mirrors/zfs/#setup","title":"Setup","text":"This section is recorded for reference only.
"},{"location":"services/mirrors/zfs/#pool-setup-mirrors2","title":"Pool setup (mirrors2)","text":"zpool create pool0 \\\n -O canmount=off \\\n -O xattr=sa \\\n -O relatime=on \\\n -O compress=zstd \\\n raidz2 \\\n ata-HGST_HUS726060ALE610_K1GKVAAD \\\n ata-HGST_HUS726060ALE610_K1GHTLND \\\n ata-HGST_HUS726060ALE610_K1GHTVWD \\\n ata-HGST_HUS726060ALE610_K1GKNJUD \\\n ata-HGST_HUS726060ALE610_K1GK5KND \\\n ata-HGST_HUS726060ALE610_K1GK9GXD \\\n raidz2 \\\n ata-HGST_HUS726060ALE610_NCH13D2V \\\n ata-HGST_HUS726T6TALE6L4_V9KWJ1PL \\\n ata-HGST_HUS726T6TALE6L4_V9HU810L \\\n ata-HGST_HUS726060ALE610_NCH141WV \\\n ata-HGST_HUS726060ALE610_K1GKPDSD \\\n ata-HGST_HUS726T6TALE6L4_V9KTTT5L \\\n cache nvme0n1\n
Note
The -O
option applies to the root dataset.
zpool create -f pool0 \\\n raidz3 \\\n ata-HGST_HUS726060ALE610_K1GHTLND \\\n ata-HGST_HUS726060ALE610_K1GHTVWD \\\n ata-HGST_HUS726060ALE610_K1GK5KND \\\n ata-HGST_HUS726060ALE610_K1GK9GXD \\\n ata-HGST_HUS726060ALE610_K1GKNJUD \\\n ata-HGST_HUS726060ALE610_K1GKNP5D \\\n ata-HGST_HUS726060ALE610_K1GKNR6D \\\n ata-HGST_HUS726060ALE610_K1GKPDSD \\\n ata-HGST_HUS726060ALE610_K1GKVAAD \\\n ata-HGST_HUS726060ALE610_NCH04T5V \\\n ata-HGST_HUS726060ALE610_NCH13D2V \\\n spare \\\n ata-HGST_HUS726060ALE610_NCH141WV \\\n log mirror \\\n ata-INTEL_SSDSC2BB240G6_PHWA64410400240AGN-part1 \\\n ata-INTEL_SSDSC2BB240G6_PHWA6441041N240AGN-part1 \\\n cache \\\n ata-INTEL_SSDSC2BB240G6_PHWA64410400240AGN-part2 \\\n ata-INTEL_SSDSC2BB240G6_PHWA6441041N240AGN-part2\n
"},{"location":"services/mirrors/zfs/#zfs-kernel-module","title":"ZFS kernel module","text":"For OpenZFS 2.2:
/etc/modprobe.d/zfs.conf# Set ARC size to 160-200 GiB, keep 16 GiB free for OS\noptions zfs zfs_arc_max=214748364800\noptions zfs zfs_arc_min=171798691840\noptions zfs zfs_arc_sys_free=17179869184\n\n# Favor metadata to data by 20x (OpenZFS 2.2+)\noptions zfs zfs_arc_meta_balance=2000\n\n# Allow up to 80% of ARC to be used for dnodes\noptions zfs zfs_arc_dnode_limit_percent=80\n\n# Allow every block to be written to ZIL\noptions zfs zfs_immediate_write_sz=16777216\n\n# See man page section \"ZFS I/O Scheduler\"\noptions zfs zfs_vdev_async_read_max_active=8\noptions zfs zfs_vdev_async_read_min_active=2\noptions zfs zfs_vdev_scrub_max_active=5\noptions zfs zfs_vdev_max_active=20000\n\n# Never throttle the ARC\noptions zfs zfs_arc_lotsfree_percent=0\n\n# Tune L2ARC\noptions zfs l2arc_headroom=8\noptions zfs l2arc_write_max=67108864\noptions zfs l2arc_noprefetch=0\n
Refer to zfs(4)
.
Note
zfs_dmu_offset_next_sync
is 1 by default since OpenZFS v2.1.5, so it's omitted in the configuration.
On mirrors2:
zfs create -o compress=zstd-8 -o recordsize=1M -o atime=off pool0/backup\n\nzfs create pool0/backup/rootfs # inherit everything\nzfs create -o acltype=posix pool0/backup/oldlog\n\nzfs create \\\n -o mountpoint=/srv/repo \\\n -o recordsize=1M \\\n -o xattr=off \\\n -o atime=off \\\n -o setuid=off \\\n -o exec=off \\\n -o devices=off \\\n -o sync=disabled \\\n -o secondarycache=metadata \\\n -o redundant_metadata=some \\\n pool0/repo\n
Refer to zfsprops(7)
.
mountpoint
Self-explanatory.
recordsize=1M
This is the \"block size\" for ZFS, i.e. how large files are split into blocks. Each block (record) is stored contiguously on disk and is read/written as a whole.
Since the typical read pattern on mirror sites is whole-file sequential read, it makes sense to set recordsize
to the maximum value permitted1. Larger recordsize
allows the compression algorithm to exploit more opportunities, while also reducing I/O count for large files.
Note that files under a single recordsize
will not be padded up and will be stored as a single block, so no space is wasted.
compression=zstd
(inherited from pool0
) Enable compression so anything will be tried to compress. The default algorithm (i.e. compression=on
) is LZ4, which is very fast but not as effective. Zstd is a modern multi-threaded algorithm that is also very fast but compresses better. The default compression level is 3 (i.e. zstd
= zstd-3
).
Since OpenZFS 2.2, there's an \"early-abort\" mechanism for Zstd level 3 or up: Every block is first tried with LZ4, then Zstd-1, and if and only if both algorithms suggest that the data block would compress well, the actual algorithm will be applied and the compressed result will be written to disk. This early-abort mechanism ensures minimal CPU wasted for incompressible data.
xattr=off
Apparently mirror data do not need extended attributes.
atime=off
, setuid=off
, exec=off
, devices=off
These simply maps to the noatime
, nosuid
, noexec
, and nodev
mount options respectively. It's safe to assume we don't need these features for mirror data.
sync=disabled
Disable any \"synchronous write\" semantics. This means files will not respond to open(O_SYNC)
and sync(2)
calls. Pending writes will only be committed to disk after zfs_txg_timeout
seconds (default 5) or when the write buffer is full.
While normally this is a bad idea as it goes against data integrity (namely, the \"D\" in ACID), for mirror data that can be easily regenerated, this improves write performance and reduces fragmentation (also note that zfs_dmu_offset_next_sync
is enabled by default).
secondarycache=metadata
As mirrors2 only serves Rsync requests, caching file content provides little benefit. Instead, we cache metadata only to reduce the number of disk seeks.
redundant_metadata=some
(Just read zfsprops(7)
and you'll be able to reason about this.)
Do NOT install zfs-dkms
and related packages from Debian backports repositories. They'll easily break when upgrading.
As of Debian Buster the ZFS packages from the mainstream repository is stable and new enough for our use.
\u4ecd\u7136\u5efa\u8bae\u5b89\u88c5 Backports \u7248\u672c\u7684 ZFS\u3002\u300cStable \u8d8a\u5f80\u540e\uff08\u5bf9 ZFS \u76f8\u5173\u8f6f\u4ef6\u5305\u7684\uff09\u7ef4\u62a4\u8d8a\u5f31\u300d\uff0c\u4ece\u800c\u5bfc\u81f4 stable \u7684 ZFS \u53cd\u800c\u8d28\u91cf\u4e0d\u5982 backports \u7248\u672c\u7684\u3002
Actually, there's the zfs_max_recordsize
module parameter which can be increased to up to 16 MiB. There's a reason this is set to 1 MiB by default, so we're not going to blindly aim for the maximum.\u00a0\u21a9
mirrors1 \u662f 2011 \u5e74\u7f51\u7edc\u4fe1\u606f\u4e2d\u5fc3\u63d0\u4f9b\u7ed9 LUG \u7528\u4f5c\u521d\u4ee3 mirrors.ustc.edu.cn \u670d\u52a1\u7684\u673a\u5668\uff0c\u662f\u4e00\u53f0\u66d9\u5149 i620r-G
\u53c2\u6570 \u914d\u7f6e CPU Intel(R) Xeon(R) CPU E5620 @ 2.40GHz x 2 \u5185\u5b58 48 GB \u5b58\u50a8 LSI Logic MegaRAID SAS 8708EM2 x 2 DFT RS-3016I-S/D30 \u78c1\u76d8\u9635\u5217 \u7f51\u7edc Ethernet Intel 82574L Gigabit x 2\u7528\u6237\u624b\u518c
\u7531\u4e8e\u672c\u6587\u7f16\u5199\u65f6\uff082020 \u5e74\uff09\u8be5\u670d\u52a1\u5668\u65e9\u5df2\u4e0d\u518d\u7528\u4f5c mirrors\uff08\u73b0\u5728\u662f esxi-5\uff09\uff0c\u56e0\u6b64\u66f4\u591a\u7684\u4fe1\u606f\u6682\u65e0\u4ece\u8003\u5bdf\u3002
"},{"location":"services/mirrors/1/#ipmi","title":"IPMI","text":"\u8fd9\u53f0\u673a\u5668\u7684 IPMI \u4f7f\u7528\u6761\u4ef6\u8f83\u4e3a\u82db\u523b\uff0c\u7279\u522b\u662f\u5b83\u7684 Java \u63a7\u5236\u53f0\u53ea\u80fd\u5728 Windows XP\uff0cIE 6 \u548c Java 6 \u73af\u5883\u4e0b\u8fd0\u884c\u3002\u56e0\u6b64\u6211\u4eec\u914d\u7f6e\u4e86\u4e00\u4e2a\u865a\u62df\u673a\u955c\u50cf\u653e\u5728 LUG FTP \u4e0a\u3002
使用现代的 HTTP 客户端（包括浏览器和 cURL 等）尝试下载 viewer.jnlp
时会遇到问题，原因在于 IPMI 会返回一个错误的 Content-Length
（约 3 KiB），但 jnlp 文件实际只有 1.6 KiB，使客户端认为文件未完整下载。奇妙的是，IE 6 似乎会忽略这个问题，然后正常打开 Java 控制台。另外提醒：上述虚拟机镜像中的 Windows XP、IE 6 与 Java 6 均早已停止安全更新，使用时应把虚拟机放在隔离网络里、只允许它访问 IPMI 地址，用完即关。
2016 \u5e74\u5e95\u4ece\u7f51\u7edc\u4fe1\u606f\u4e2d\u5fc3\u83b7\u5f97\u7684\u65b0\u673a\u5668\uff0c\u8fd0\u884c\u81f3\u4eca\uff0c\u627f\u62c5\u4e86\u76ee\u524d mirrors \u7684 rsync \u6d41\u91cf\u3002
\u53c2\u6570 \u914d\u7f6e CPU \u53cc\u8def E5-2620 v4 \u5185\u5b58 256 GB DDR4 \u5b58\u50a8 6 TB * 12 (HDD), 250 GB *2 (SSD) \u7f51\u7edc 1 Gbps * 2\u66d9\u5149 I620-G20 \u5bfc\u822a\u5149\u76d8
"},{"location":"services/mirrors/2/#networking","title":"Networking","text":"mirrors2 \u4e0a\u7684\u7f51\u7edc\u914d\u7f6e\u81ea 2024-07-19 \u7ef4\u62a4\u540e\u4e5f\u5207\u6362\u5230\u4e86 systemd-networkd \u65b9\u6848\uff0c\u6587\u6863\u53ef\u4ee5\u53c2\u8003 mirrors4\u3002
Old infomirrors2 \u4e0a\u7684\u7f51\u7edc\u4f7f\u7528\u9ed8\u8ba4\u7684 ifupdown \u914d\u7f6e\u3002
\u5728 /etc/network/interfaces.d
\u4e2d\u5b58\u653e\u7740\u63a5\u53e3\u914d\u7f6e\uff0c\u4f7f\u7528 ifup
/ifdown
\u6765\u542f\u7528/\u505c\u7528\u67d0\u4e00\u63a5\u53e3\u3002
\u91cd\u542f\u6240\u6709\u7f51\u7edc\u63a5\u53e3
\u5728\u67d0\u6b21 mirrors2 \u79bb\u7ebf\u6545\u969c\u4e2d\uff0c\u8bef\u64cd\u4f5c\u7684 systemctl restart networking
\u8fd4\u56de\u4e86\u5931\u8d25\u7684\u7ed3\u679c\uff0c\u4ece\u800c\u5bfc\u81f4\u4e86 mirrors2 \u4ece\u67d0\u4e00\u7f51\u7edc\u63a5\u53e3\u65ad\u5f00\uff08\u731c\u6d4b\uff09\uff08\u5b9e\u9645\u539f\u56e0\u89c1\u4e0b\uff09\uff0c\u91cd\u542f\u6240\u6709\u63a5\u53e3\u4fee\u590d\u4e86\u95ee\u9898\uff1aifdown -a && ifup -a
\u5b9e\u9645\u539f\u56e0\u662f bridge interface \u8fde\u63a5\u7684\u90a3\u4e2a interface \u5728 ifupdown \u7684 config \u91cc\u7684\u914d\u7f6e\u65b9\u5f0f\u662f static
\u7684\uff0c\u5728\u542f\u7528 bridge interface \u65f6\u4f1a\u81ea\u52a8\u66f4\u6539\u914d\u7f6e\u5bfc\u81f4 offline\u3002\u6539\u6210 manual
\u7981\u6b62\u5b83\u7684\u81ea\u52a8\u884c\u4e3a\u4e4b\u540e\u5c31\u6ca1\u4e8b\u4e86\u3002
2020 \u5e74\u521d\u4ece\u56fe\u4e66\u9986\u6280\u672f\u90e8\u83b7\u5f97\u7684\u4e00\u53f0\u65e7\u670d\u52a1\u5668\uff0c\u4e3a\u6234\u5c14 PowerEdge R510\uff0c\u8d1f\u8f7d\u6bd4\u8f83\u6742\u4e71,\u4e3b\u8981\u662f\u4e00\u4e9b\u65e2\u51b7\u95e8\u53c8\u5927\u7684\u4ed3\u5e93\u7684 HTTP + rsync \u6d41\u91cf\u3002
\u53c2\u6570 \u914d\u7f6e CPU \u53cc\u8def\u81f3\u5f3a E5620 \u5185\u5b58 32 GB DDR3 \u5b58\u50a8 1 TB*2 (HDD), 2 TB*5 (HDD), 3 TB*1 (HDD) 1 TB (SAS HDD), 1.8 TB * 3 (SATA HDD), 1 TB (SATA HDD) \u540c\u53cb iSCSI \u9635\u5217\uff0c4 TB * 16 (HDD) \u7f51\u7edc 1 Gbps * 2\u5b58\u50a8\u7ed3\u6784\uff1a
\u6ce8\u610f\u4e8b\u9879
\u7531\u4e8e PERC 6/i \u9635\u5217\u5361\u7684\u9650\u5236\uff0c\u7269\u7406\u78c1\u76d8\u5927\u5c0f\u6700\u5927\u652f\u6301 2TB\uff08SAS 4TB \u76d8\u65e0\u6cd5\u8bc6\u522b\u5927\u5c0f\uff09\u3002\u5728\u5c06 SAS \u574f\u76d8\u79fb\u9664\u540e\uff0c\u76ee\u524d\uff082022/5/10\uff09rootfs VD \u5904\u4e8e degraded \u72b6\u6001\u3002
PERC H700 \u9635\u5217\u5361\u7531\u4e8e\u7f3a\u5c11\u4e24\u6839 SAS \u8f6c\u63a5\u7ebf\uff0c\u5e76\u4e14 mirrors3 \u673a\u67b6\u524d\u53f3\u4fa7\u8f68\u9053\u5904\u65e0\u6cd5\u89e3\u9664\u9501\u5b9a\uff0c\u4e14\u66f4\u6362\u9635\u5217\u5361\u9700\u8981\u5c06\u5176\u4ed6\u6269\u5c55\u5361\u5168\u90e8\u79fb\u9664\uff08\u53c2\u89c1 PowerEdge R510 \u786c\u4ef6\u7528\u6237\u624b\u518c\uff09\uff0c\u7ed9\u65b0\u9635\u5217\u5361\u5b89\u88c5\u5e26\u6765\u4e86\u5f88\u5927\u7684\u96be\u5ea6\u3002
1 TB * 2\u4f4d\u4e8e\u673a\u8eab\uff0c\u7ec4\u6210 RAID1 \u5b89\u88c5\u64cd\u4f5c\u7cfb\u7edf\uff0c\u6302\u8f7d\u4e3a rootfs
2 TB * 5 + 3 TB * 1\u540c\u6837\u4f4d\u4e8e\u673a\u8eab\uff0c\u7ec4\u6210 RAID6 \u5b58\u653e\u8d44\u6599\uff08\u6240\u4ee5\u552f\u4e00\u4e00\u5757 3 TB \u7684\u786c\u76d8\u5b9e\u9645\u4e0a\u5f53\u505a 2 TB \u7684\u6765\u7528\uff09
\u5916\u90e8\u9635\u5217\uff0c4 TB * 16\u901a\u8fc7 SFP+ \u5149\u7ea4\u6302\u8f7d\u4e3a iSCSI \u8bbe\u5907\uff0c\u5206\u4e3a\u4e24\u7ec4 RAID60\uff08\u53ef\u7528\u5bb9\u91cf\u4e3a 12 \u5757\u76d8\uff09\u5b58\u50a8\u8d44\u6599
"},{"location":"services/mirrors/4/","title":"mirrors4","text":"mirrors4 \u662f 2020 \u5e74 3 \u6708 24 \u65e5\u7f51\u7edc\u4fe1\u606f\u4e2d\u5fc3\u63d0\u4f9b\u7ed9 LUG \u7684\u65b0\u673a\u5668\uff0c\u662f\u4e00\u53f0\u6d6a\u6f6e NF5280M5\u3002
"},{"location":"services/mirrors/4/#_1","title":"\u786c\u4ef6\u914d\u7f6e","text":"CPU\u53cc\u8def Intel Xeon Gold 6230
\u5185\u5b58256 GB DDR4 2933 (8 * 32 GB SKHynix)
\u786c\u76d8\u4e00\u5757\u4e09\u661f PM883 2TB
12 \u5757 HGST HUH721010AL (10 TB)
\u4e24\u4e2a\u786c\u76d8\u63a7\u5236\u5668 MegaRAID SAS-3 3108
\u91c7\u7528 ZFS \u5c06 12 \u5757 HDD \u7ec4\u6210\u4e00\u4e2a pool\u3002
\u7f51\u5361\u677f\u8f7d Intel X722 GbE (4 \u4e2a\u5343\u5146\u7f51\u53e3)
PCI-e \u6269\u5c55\u5361\uff1aIntel X520 (82599ES) SFP+ (2 \u4e2a\u4e07\u5146\u5149\u53e3)
"},{"location":"services/mirrors/4/#_2","title":"\u78c1\u76d8\u5206\u533a","text":"\u4e00\u5757 SSD \u5206\u4e3a 512M \u7684 EFI \u5206\u533a\uff0c\u5269\u4f59\u7a7a\u95f4\u5efa\u4e86\u4e00\u4e2a LVM\uff08VG lug
\uff09\u3002LVM \u4e0a\u88c5\u7cfb\u7edf\uff08lug/root
\uff09\u3001swap\uff08lug/swap
\uff09\u3001Docker \u6570\u636e\uff08lug/docker
\uff09\u548c L2ARC\uff08lug/l2arc
\uff0c1.5 TB\uff09\u3002
\u5168\u90e8 12 \u5757 HDD \u7528 ZFS \u505a\u4e86\u4e00\u4e2a pool\uff0c\u6bcf\u4e2a\u63a7\u5236\u5668\u4e0a\u9762\u7684 6 \u5757\u76d8\u4f5c\u4e3a\u4e00\u4e2a RAIDZ2 vdev\uff0c\u8fd9\u4e2a ZFS pool \u7528\u4e8e /home
\u548c /srv/repo
\uff08\u4ed3\u5e93\u6570\u636e\uff09\u7b49\u3002
\u8fd9\u53f0\u670d\u52a1\u5668\u521d\u88c5\u65f6\u662f\u6ca1\u6709\u914d\u7f6e swap \u7684\uff0c\u5728 2024-10-31 17:12 \u5de6\u53f3\u7531 git daemon \u5bfc\u81f4 OOM \u540e\u8865\u5145\u4e86 64G swap\uff0c\u6b64\u65f6 VG \u5269\u4f59\u7a7a\u95f4\u8fd8\u6709 100 \u591a GB \u7559\u7ed9\u4ee5\u540e\u4f7f\u7528\u3002
\u540c\u65f6\u6211\u4eec\u4e5f\u7ed9 git daemon \u4e0a\u4e86\u5185\u5b58\u9650\u5236\uff0c\u8be6\u60c5\u89c1 Service\u3002
"},{"location":"services/mirrors/4/volumes-old/","title":"Volumes on mirrors4","text":"\u6ce8\u610f
mirrors4 \u4e8e 2024 \u5e74 7 \u6708\u91cd\u5efa\u4e3a ZFS pool\uff0c\u4ee5\u4e0b\u5185\u5bb9\u5df2\u7ecf\u8fc7\u65f6\u3002
"},{"location":"services/mirrors/4/volumes-old/#_1","title":"\u78c1\u76d8\u5206\u533a","text":"\u7531\u4e8e\u4e0d\u80fd\u8de8\u63a7\u5236\u5668\u7ec4 RAID \u6216 LUN\uff0c\u4e14\u6bcf\u4e2a\u63a7\u5236\u5668\u53ea\u6709 8 \u4e2a\u63d2\u69fd\uff0c\u56e0\u6b64\u5c06 12 \u5757 HDD \u5206\u4e3a 6 \u5757\u4e00\u7ec4\u63d2\u5728\u4e24\u4e2a\u63a7\u5236\u5668\u4e0a\u7ec4\u6210 RAID6\uff0c\u4ee5\u4e24\u4e2a\u903b\u8f91\u5377\u5448\u73b0\u7ed9\u64cd\u4f5c\u7cfb\u7edf\uff0c\u4e0a\u5c42\u7528 LVM \u5904\u7406\u3002SSD \u5355\u72ec\u521b\u5efa\u4e00\u4e2a\u903b\u8f91\u5377\u7ed9\u64cd\u4f5c\u7cfb\u7edf\u3002
\u6ce8\u610f
\u8fd9\u91cc\u7ed9\u51fa\u7684\u547d\u4ee4\u4ec5\u7528\u4e8e\u5c55\u793a\u5206\u533a\uff08\u5377\uff09\u7684\u521b\u5efa\u65b9\u5f0f\uff0c\u9664\u975e\u5b8c\u5168\u91cd\u88c5\uff0c\u5426\u5219\u4e0d\u5e94\u8be5\u6267\u884c\u5176\u4e2d\u4efb\u4f55\u4e00\u6761\u6709\u526f\u4f5c\u7528\u7684\u547d\u4ee4\u3002
\u64cd\u4f5c\u7cfb\u7edf\u770b\u5230\u4e09\u4e2a\u786c\u76d8\uff1a\u4e24\u4e2a RAID6 \u5927\u76d8\uff0840 TB / 36.4 TiB\uff09\u548c\u4e00\u4e2a SSD\uff082 TB / 1.86 TiB\uff09\u3002\u8bbe\u4e24\u4e2a\u5927\u76d8\u4e3a /dev/sda \u548c /dev/sdb\uff0cSSD \u4e3a /dev/sdc\u3002
\u7531\u4e8e\u542f\u52a8\u5206\u533a\u4e0d\u80fd\u653e\u5728 LVM \u4e0a\uff0c\u56e0\u6b64\u4ee5\u5982\u4e0b\u65b9\u5f0f\u521b\u5efa\u5206\u533a\uff1a
root@mirrors4:~# fdisk -l /dev/sda\nDisk /dev/sda: 36.4 TiB, 40001177911296 bytes, 78127300608 sectors\nDisk model: MR9361-8i\nUnits: sectors of 1 * 512 = 512 bytes\nSector size (logical/physical): 512 bytes / 4096 bytes\nI/O size (minimum/optimal): 262144 bytes / 262144 bytes\nDisklabel type: gpt\nDisk identifier: AAAAAAAA-AAAA-AAAA-AAAA-AAAAAAAAAAAA\n\nDevice Start End Sectors Size Type\n/dev/sda1 2048 4095 2048 1M BIOS boot\n/dev/sda2 4096 1052671 1048576 512M EFI System\n/dev/sda3 1052672 78127300574 78126247903 36.4T Linux LVM\n
sdb \u7684\u53c2\u6570\u5b8c\u5168\u4e00\u6837\u3002
实际的启动分区为 /dev/sda2，将其 dd 到 /dev/sdb2 做备份。注意这个备份只是 dd 那一刻的快照：之后每次 grub-install 或其他改动 ESP 内容的操作之后都要重新 dd 一次，否则 sdb2 上是过期的副本，真要靠它启动时未必能用。
\u7136\u540e\u662f SSD \u7684\u5206\u533a\uff1a
Disk /dev/sdc: 1.8 TiB, 1919816826880 bytes, 3749642240 sectors\nDisk model: MR9361-8i\nUnits: sectors of 1 * 512 = 512 bytes\nSector size (logical/physical): 512 bytes / 4096 bytes\nI/O size (minimum/optimal): 65536 bytes / 65536 bytes\nDisklabel type: gpt\nDisk identifier: AAAAAAAA-AAAA-AAAA-AAAA-AAAAAAAAAAAA\n\nDevice Start End Sectors Size Type\n/dev/sdc1 2048 3749642206 3749640159 1.8T Linux LVM\n
"},{"location":"services/mirrors/4/volumes-old/#lvm","title":"LVM","text":"\u628a sda3 \u548c sdb3 \u90fd\u653e\u8fdb LVM\uff1a
# fdisk \u5206\u533a\u5b8c\u6bd5\uff0cw \u5199\u5165\u9000\u51fa\npvcreate /dev/sda3 /dev/sdb3\nvgcreate lug /dev/sda3 /dev/sdb3\n
\u521b\u5efa rootfs\uff0c\u8fd9\u91cc\u4ee5 RAID1 \u7684\u65b9\u5f0f\uff08--type raid1
\uff09\u521b\u5efa\u8fd9\u4e2a\u5206\u533a\uff0c\u8fd9\u6837\u5373\u4f7f sda / sdb \u574f\u6389\u4e00\u6574\u7ec4\u4e4b\u540e\u8fd8\u6709 rootfs \u53ef\u4ee5\u7528\u3002
\u6ce8\u610f\uff1a
-m 1
\u8868\u793a 1 \u4efd\u989d\u5916\u7684\u955c\u50cf\u3002--type mirror
\u548c --type raid1
\u662f\u4e0d\u540c\u7684\uff08\u524d\u8005\u5df2\u7ecf deprecated\uff09\u3002\u4e0d\u8981\u521b\u5efa --type mirror
\u7684\u5206\u533a\u3002lvcreate -n root -L 32G --type raid1 -m 1 lug\nmkfs.ext4 /dev/lug/root\n
\u521b\u5efa home\uff0c\u8fd9\u91cc\u53cd\u6b63\u4e0d\u6015\u574f\uff0c\u7528 RAID0\uff08--type striped
\u6216 --type raid0
\uff09\u3002
lvcreate -n home -L 64G --type striped -i 2 lug\nmkfs.ext4 /dev/lug/home\n
\u521b\u5efa\u653e\u955c\u50cf\u7684\u5206\u533a\uff0c\u8fd9\u6b21\u8981\u7528 xfs
XFS \u4e0d\u652f\u6301\u7f29\u5c0f
\u56e0\u6b64\u6211\u4eec\u5728\u521d\u88c5\u65f6\u9009\u62e9\u4e3a\u5176\u5206\u914d 48 TiB \u7684\u7a7a\u95f4\uff0c\u800c\u4e0d\u662f VG lug \u7684\u5269\u4f59\u5168\u90e8\u2014\u2014\u8fd9\u6837\u65b9\u4fbf\u4ee5\u540e\u7ef4\u62a4
lvcreate -n repo -L 48T --type striped -i 2 lug\nmkfs.xfs /dev/lug/repo\n
\u5176\u5b9e\u672c\u6765\u8981\u8c03\u4e00\u4e0b\u53c2\u7684\uff0c\u4e0d\u8fc7\u6839\u636e Arch Wiki\uff0cmkfs.xfs
\u7684\u9ed8\u8ba4\u53c2\u6570\u5c31\u662f\u6700\u4f18\u7684\uff0c\u6240\u4ee5\u6211\u4eec\u51b3\u5b9a\u4e0d\u52a8\u4e86\u3002
SSD \u7684\u7528\u9014\u4e3a\u5b58\u653e Docker \u6570\u636e /var/lib/docker
\uff088 GiB \u5c31\u591f\u4e86\uff0c\u4f46\u662f overlay2 \u7684\u540e\u7aef\u7528 ext4 \u66f4\u597d\uff09\uff0c\u5269\u4e0b\u7528\u4f5c lvmcache(7)\u3002
iBug \u5907\u6ce8
\u867d\u7136\u4f3c\u4e4e\u6ca1\u6709\u8fd9\u6837\u505a\uff08\u5148\u521b\u5efa\u5355\u72ec\u7684 VG \u518d\u5408\u5e76\uff09\u7684\u5fc5\u8981\uff0c\u4f46\u662f\u8fd9\u4e48\u505a\u4e00\u5b9a\u4e0d\u4f1a\u51fa\u9519\uff0c\u5c31\u8fd9\u6837\u5427\u3002
\u5728 SSD \u4e0a\u65b0\u5efa\u4e00\u4e2a VG\uff1a
# fdisk \u521b\u5efa\u552f\u4e00\u4e00\u4e2a\u5206\u533a sdc1\uff0c\u4fdd\u5b58\u9000\u51fa\npvcreate /dev/sdc1\nvgcreate ssd /dev/sdc1\n
\u521b\u5efa Docker \u6570\u636e\u76d8\uff1a
lvcreate -L 8G -n docker ssd\nmkfs.ext4 /dev/ssd/docker\n
\u91cd\u8981\uff1a\u521b\u5efa\u7f13\u5b58\u76d8\u548c\u7f13\u5b58\u5143\u6570\u636e\u76d8\u3002\u6839\u636e Red Hat Documentation \u7684\u4ecb\u7ecd\uff0c\u5148\u624b\u52a8\u521b\u5efa\u6570\u636e\u76d8\u548c\u5143\u6570\u636e\u76d8\uff0c\u7136\u540e\u5c06\u4ed6\u4eec\u5408\u5e76\u4e3a\u4e00\u4e2a cache pool\u3002\u5927\u5c0f\u65b9\u9762\uff0c\u6587\u7ae0\u7684\u53c2\u8003\u662f 2G data \u2194 12M meta\uff0c\u8fd9\u91cc\u6211\u4eec\u6709\u63a5\u8fd1 2 TB \u7684 data\uff0c\u5c31\u5206\u914d 16 GB \u4f5c\u4e3a meta \u5427\u3002
lvcreate -L 16G -n mcache_meta ssd\nlvcreate -l 100%FREE -n mcache ssd\nlvreduce -l -2048 ssd/mcache\nlvconvert --type cache-pool --poolmetadata ssd/mcache_meta --cachemode writethrough -c 64K --config allocation/cache_pool_max_chunks=30000000 ssd/mcache\n
\u8fd9\u91cc\u7684\u7f13\u5b58\u6a21\u5f0f\u91c7\u7528 passthrough\uff0c\u5373\u5199\u5165\u52a8\u4f5c\u7ed5\u8fc7\u7f13\u5b58\u76f4\u63a5\u5199\u56de\u539f\u8bbe\u5907\uff08\u5f53\u7136\u5566\uff0c\u5199\u5165\u90fd\u662f\u7531\u4ece\u4e0a\u6e38\u540c\u6b65\u4ea7\u751f\u7684\uff09\uff0c\u53e6\u5916\u4e24\u79cd writeback \u548c writethrough \u90fd\u4f1a\u5199\u5165\u7f13\u5b58\uff0c\u4e0d\u662f\u6211\u4eec\u60f3\u8981\u7684\u3002 passthrough \u6a21\u5f0f\u4e2d\uff0c\u8bfb\u5199\u90fd\u4f1a\u7ed5\u8fc7 cache\uff0c\u552f\u4e00\u7684\u4f5c\u7528\u662f write hit \u4f1a\u4f7f\u5f97 cache \u5bf9\u5e94\u7684\u5757\u5931\u6548\u3002
\u8fd9\u91cc\u4f7f\u7528 writeback \u6a21\u5f0f\uff0c\u56e0\u4e3a\u4ed3\u5e93\u6570\u636e\u6ca1\u4e86\u8fd8\u80fd\u518d\u540c\u6b65\uff0c\u4f7f\u7528 writeback \u63d0\u5347\u6027\u80fd\u66f4\u5408\u9002\u3002
出于稳定考虑，使用 writethrough 模式。（我们的 Cache 太大了，writeback 可能会弄坏不少东西，如果 metadata 坏了就更麻烦了）上面两段关于 passthrough 和 writeback 的说明是早先的方案、已经废弃；实际生效的是前面 lvconvert 命令里的 --cachemode writethrough。
\u5751
\u76f4\u63a5\u4f7f\u7528 lvconvert(8) \u5c1d\u8bd5\u5408\u5e76\u4f1a\u5bfc\u81f4\u5410\u69fd\uff0c\u8fd9\u662f\u4e0a\u9762 lvreduce(8) \u7684\u539f\u56e0\u3002
Volume group \"ssd\" has insufficient free space (0 extents): 2048 required.\n
iBug \u5907\u6ce8
LVM \u63a8\u8350\u7684\u662f\u4e00\u4e2a\u7f13\u5b58\u6c60\u91cc\u4e0d\u8d85\u8fc7 100 \u4e07\u4e2a chunk\uff08\u8fd9\u4e5f\u662f allocation/cache_pool_max_chunks \u7684\u9ed8\u8ba4\u503c\uff09\uff0c\u4f46\u662f\u8fd9\u6837\u6bcf\u4e2a chunk \u7684\u6700\u5c0f\u5927\u5c0f\u4e3a 1.84 MiB \u592a\u5927\u4e86\uff0c\u8003\u8651\u5230\u6211\u4eec\u6709\u8db3\u591f\u7684 CPU \u548c\u5185\u5b58\uff0c\u8fd9\u91cc\u5c31\u94e4\u800c\u8d70\u9669\u5c1d\u8bd5\u4e00\u4e0b\u8f83\u5927\u7684 chunk count\u3002
\u5751 2
\u7f13\u5b58\u76d8\uff08cache pool\uff09\u548c\u88ab\u7f13\u5b58\u7684\u5377\u5fc5\u987b\u5728\u540c\u4e00\u4e2a VG \u4e2d\u3002
\u5751 3 (taoky \u5907\u6ce8)
LVM Cache \u7684\u5e95\u5c42\u662f\u5728\u5185\u6838\u5b9e\u73b0\u7684 dm-cache\u3002\u76ee\u524d\u5df2\u77e5\u7684\u5751\u5982\u4e0b\uff1a
\u5f53\u51fa\u73b0 dirty blocks\uff08\u4e14 cache policy \u4e3a cleaner \u65f6\uff09\uff0c\u65e0\u6cd5\u6b63\u5e38 flush\u3002\u7f51\u7edc\u4e0a\u53ef\u4ee5\u627e\u5230\u7684\u8fd9\u4e2a bug \u7684\u89e3\u51b3\u65b9\u6cd5\u662f\u589e\u5927 migration_threshold \u7684\u503c\uff08\u5728\u65b0\u7248\u672c LVM \u4e2d\uff0cmigration_threshold \u9ed8\u8ba4\u81f3\u5c11\u4f1a\u662f chunk size \u7684 8 \u500d\uff0c\u5728\u6211\u4eec\u7684\u914d\u7f6e\u4e0b\u5c31\u662f 16384 = 2048 * 8\u3002\u8fd9\u4e2a\u7248\u672c\u7684 LVM \u6682\u65f6\u4e0d\u5728 Buster \u4e2d\uff09\uff0c\u4f46\u662f\u7ecf\u8fc7\u6d4b\u8bd5\uff0c\u5355\u7eaf\u589e\u5927 migration_threshold \u6ca1\u6709\u4efb\u4f55\u6548\u679c\u3002Jiahao \u7ffb\u4e86\u4e00\u4e0b dm-cache \u7684\u6e90\u4ee3\u7801\uff0c\u53d1\u73b0 flush \u7684\u6761\u4ef6\u5728 https://elixir.bootlin.com/linux/latest/source/drivers/md/dm-cache-target.c#L1649\uff0c\u53ea\u5728\u72b6\u6001\u4e3a IDLE \u65f6\u624d\u4f1a flush\u3002IDLE \u7684\u7b2c\u4e00\u4e2a\u6761\u4ef6\u9700\u8981 inflight io = 0\uff0c\u6bd4\u8f83\u82db\u523b\uff0c\u53ef\u80fd\u662f\u65e0\u6cd5\u6b63\u5e38 flush \u7684\u539f\u56e0\u3002
\u4e00\u4e2a\u626d\u66f2\u7684\u89e3\u51b3\u65b9\u6cd5\u662f\uff1a\u5148\u628a migration_threshold \u8bbe\u7f6e\u5f97\u5f88\u5927\uff08\u8bbe\u5927\u5c0f\u4e3a x\uff09\uff0c\u7136\u540e\u9a6c\u4e0a\u7f29\u5c0f\uff0c\u8fd9\u6837\u5c31\u80fd\u628a x \u90a3\u4e48\u591a\u5927\u5c0f\u7684\u810f\u5757\u5f04\u6389\uff08\u539f\u7406\u6682\u65f6\u4e0d\u660e\uff0c\u9700\u8981\u8865\u5145\uff09\u3002\u57fa\u4e8e\u8fd9\u4e2a\u65b9\u6cd5\uff0c\u53ef\u4ee5\u5199\u4e00\u4e2a\u811a\u672c\u6765\u505a flush \u7684\u5de5\u4f5c\uff1a
# dirty hack\nsudo lvchange --cachepolicy cleaner lug/repo\nfor i in `seq 1 1500`; do sudo lvchange --cachesettings migration_threshold=2113536 lug/repo && sudo lvchange --cachesettings migration_threshold=16384 lug/repo && echo $i && sleep 15; done;\n# \u9700\u8981\u786e\u8ba4\u6ca1\u6709\u810f\u5757\u3002\u5982\u679c\u8fd8\u6709\u7684\u8bdd\u7ee7\u7eed\u6267\u884c\uff08\u6b21\u6570\u8c03\u5c0f\u4e00\u4e9b\uff09\n# \u5982\u679c\u662f\u4ece writeback \u5207\u6362\uff0c\u9700\u8981\u5148\u628a\u6a21\u5f0f\u5207\u5230 writethrough\n# \u7136\u540e\u518d\u4fee\u6539 cachepolicy \u5230 smq\nsudo lvchange --cachepolicy smq lug/repo\n
\u5728\u6267\u884c\u65f6\uff0c\u53ef\u4ee5\u67e5\u770b\uff1a
sudo dmsetup status lug-repo\n# \u5728 \"metadata2\" \u524d\u9762\u7684\u524d\u9762\u7684\u6570\u5b57\u5c31\u662f dirty block \u7684\u6570\u91cf\n# \u5982\u679c\u4e0d\u5728\u6267\u884c lvchange\uff08\u6ca1\u6709\u8fdb\u7a0b\u62a2\u5360\u4e86 LVM \u7684\u9501\uff09\uff0c\u53ef\u4ee5\u6267\u884c\u4ee5\u4e0b\u547d\u4ee4\u786e\u8ba4\u810f\u5757\u6570\u91cf\u4ee5\u53ca\u5176\u4ed6\u4e00\u4e9b\u53c2\u6570\u3002\nsudo lvs -o name,cache_policy,cache_settings,chunk_size,cache_used_blocks,cache_dirty_blocks /dev/mapper/lug-repo\n
\u6bcf\u6b21 unclean shutdown \u4e4b\u540e\uff0ccache \u4e2d\u6240\u6709\u5757\u90fd\u4f1a\u88ab\u6807\u8bb0\u4e3a dirty\u3002\u5c3d\u7ba1\u4e0d\u592a\u53ef\u80fd\u963b\u585e\u7cfb\u7edf\u542f\u52a8\uff0c\u8fd9\u53ef\u80fd\u4f1a\u7ed9 HDD \u4e00\u5b9a\u7684\u538b\u529b\u3002
\u5751 4
\u4fee\u6539 migration_threshold
\u7b49\u8bbe\u7f6e\u4f1a\u5bfc\u81f4\u76ee\u524d\u7248\u672c\u7684 GRUB \u65e0\u6cd5\u6b63\u786e\u8bc6\u522b LVM \u5143\u6570\u636e\u3002
临时修复版本：https://github.com/taoky/grub/releases/tag/2.02%2Bdfsg1-20%2Bdeb10u4taoky3_amd64。目前已部署，且设置了 apt hold
。注意：被 hold 的 GRUB 不会再随 Debian 的安全更新自动升级，而且这是个人仓库构建的包，需要定期检查上游是否已修复此问题，并尽早解除 hold 换回官方包。
\u5751 5
\u8bbe\u7f6e chunksize \u5230 1M \u4f1a\u6709\u4e25\u91cd\u7684\u5199\u5165\u653e\u5927\u95ee\u9898\uff0c\u56e0\u6b64\u8fd9\u91cc\u4fee\u6539\u4e3a\u4e86 64K\u3002
\u6240\u4ee5\u63a5\u4e0b\u6765\u8981\u5408\u5e76 VG\uff0c\u7136\u540e\u624d\u80fd\u4e3a\u4ed3\u5e93\u5377\u52a0\u4e0a\u7f13\u5b58\u3002
lvchange -a n ssd/docker\nvgmerge lug ssd\nlvconvert --type cache --cachepool lug/mcache lug/repo\n
\u63a5\u4e0b\u6765\u6302\u4e0a Docker \u5377\uff08\u6ce8\u610f VG \u540d\u5df2\u7ecf\u4ece ssd \u53d8\u6210\u4e86 lug\uff09\uff1a
lvchange -a y lug/docker\nmount /dev/lug/docker /var/lib/docker\n
"},{"location":"services/mirrors/4/volumes-old/#repo","title":"repo \u6269\u5bb9","text":"\u67e5\u770b\u5f53\u524d\u903b\u8f91\u5377\u4fe1\u606f\uff1a
# lvs -a -o +devices\n LV VG Attr LSize Pool Origin Data% Meta% Move Log Cpy%Sync Convert Devices\n backup lug -wi-ao---- 8.00g /dev/sda3(6307840)\n docker lug -wi-ao---- 64.00g /dev/sdc1(0)\n docker2 lug -wi-a----- 300.00g /dev/sda3(7925248)\n home lug -wi-ao---- 64.00g /dev/sda3(8192),/dev/sdb3(8193)\n log lug -wi-ao---- 300.00g /dev/sda3(6309888),/dev/sdb3(6307841)\n log lug -wi-ao---- 300.00g /dev/sda3(7888896),/dev/sdb3(7882753)\n [lvol0_pmspare] lug ewi------- 16.00g /dev/sda3(7884800)\n [mcache] lug Cwi---C--- 1.50t 99.99 0.12 0.00 mcache_cdata(0)\n [mcache_cdata] lug Cwi-ao---- 1.50t /dev/sdc1(20480)\n [mcache_cmeta] lug ewi-ao---- 16.00g /dev/sdc1(16384)\n repo lug Cwi-aoC--- 60.00t [mcache] [repo_corig] 99.99 0.12 0.00 repo_corig(0)\n [repo_corig] lug owi-aoC--- 60.00t /dev/sda3(16384),/dev/sdb3(16385)\n [repo_corig] lug owi-aoC--- 60.00t /dev/sda3(6311936),/dev/sdb3(6309889)\n root lug mwi-aom--- 32.00g [root_mlog] 100.00 root_mimage_0(0),root_mimage_1(0)\n [root_mimage_0] lug iwi-aom--- 32.00g /dev/sda3(0)\n [root_mimage_1] lug iwi-aom--- 32.00g /dev/sdb3(0)\n [root_mlog] lug lwi-aom--- 4.00m /dev/sdb3(8192)\n
\u68c0\u67e5 cache \u662f\u5426\u6709 dirty block\uff1a
$ sudo lvs -o name,cache_policy,cache_settings,chunk_size,cache_used_blocks,cache_dirty_blocks /dev/mapper/lug-repo\n LV CachePolicy CacheSettings Chunk CacheUsedBlocks CacheDirtyBlocks\n repo smq 1.00m 1048551 0\n
\uff08\u6b63\u5e38\u91cd\u542f\u4e4b\u540e\u53ef\u80fd\u4f1a\u51fa\u73b0 dirty block\uff0c\u539f\u56e0\u4e0d\u660e\u3002\u5982\u679c\u770b\u5230\u6709\u7684\u8bdd\uff0c\u90a3\u53ea\u80fd \u518d\u6b21\u8fdb\u5165\u75db\u82e6\u7684\u8f6e\u56de \u7528\u4e0a\u8ff0\u7684\u65b9\u6cd5\u6e05\u9664\uff0c\u5e76\u4e14\u6e05\u9664\u7684\u65f6\u5019\u5bf9\u7cfb\u7edf\u8d1f\u8f7d\u5f71\u54cd\u5f88\u5927\uff0c\u56e0\u4e3a\u843d\u76d8\u7684\u65f6\u5019\u5176\u4ed6\u8fdb\u7a0b\u5bf9\u5e94\u7684 IO \u4f1a\u88ab\u6682\u505c\uff0c\u5728\u76f8\u5bf9\u5e73\u8861\u65f6\u95f4\u548c\u8d1f\u8f7d\u7684\u547d\u4ee4\u4e0b\uff0c\u4f30\u8ba1\u9700\u8981 10 \u5c0f\u65f6\u7684\u65f6\u95f4\u3002\uff09
\u7136\u540e uncache\u3001\u6269\u5bb9\uff1a
# lvconvert --uncache lug/repo\n# lvextend -L +5T lug/repo\n# xfs_growfs /srv\n
\u7136\u540e\u6062\u590d cache\uff08\u53c2\u8003\u4e0a\u9762 mcache_meta \u548c mcache \u903b\u8f91\u5377\u7684\u914d\u7f6e\uff0c\u8bf7\u6ce8\u610f\u5728\u7406\u89e3\u547d\u4ee4\u540e\u518d\u6267\u884c\uff01\uff09\uff1a
# lvcreate -L 16G -n mcache_meta lug /dev/sdc1 # SSD \u8bbe\u5907\u8def\u5f84\u91cd\u542f\u540e\u53ef\u80fd\u4f1a\u53d8\u5316\n# lvcreate -l 100%FREE -n mcache lug /dev/sdc1\n# lvreduce -l -2048 lug/mcache\n# lvconvert --type cache-pool --poolmetadata lug/mcache_meta --cachemode writethrough -c 64K --config allocation/cache_pool_max_chunks=30000000 lug/mcache\n# lvconvert --type cache --cachepool lug/mcache lug/repo\n
坑 6
\u65b0\u5efa\u65f6\u5728\u5012\u6570\u7b2c\u4e8c\u6b65\u7684 lvconvert
\u53ef\u80fd\u4f1a\u5361\u6b7b\u8d85\u8fc7\u534a\u5c0f\u65f6\uff08\u4f46\u662f\u6700\u540e\u8fd8\u662f\u80fd\u5b8c\u6210\u7684\uff09\uff0c\u6808\u7684\u4fe1\u606f\u663e\u793a\u6808\u9876\u51fd\u6570\u662f submit_bio_wait()
\uff0c\u5728\u6e05\u96f6\u5bf9\u5e94\u7684 block range\uff0c\u56e0\u4e3a RAID \u5361\u4e0d\u652f\u6301\u4e0b\u4f20 discarding \u6240\u4ee5\u4f1a\u5f88\u6162\uff0c\u9700\u8981\u7b49\u4e00\u6bb5\u65f6\u95f4\u3002
\u5206\u533a\u5b8c\u6bd5\u540e\u7ed9 /etc/fstab
\u8865\u4e0a\u76f8\u5173\u7684\u5185\u5bb9\u5e76\u6302\u8f7d\uff1a
/dev/mapper/lug-home /home ext4 defaults 0 2\n/dev/mapper/lug-docker /var/lib/docker ext4 defaults 0 2\n/dev/mapper/lug-repo /srv xfs defaults,pqnoenforce 0 2\n/dev/mapper/lug-log /var/log ext4 defaults 0 2\n
\uff08\u8fd9\u4e2a log \u5206\u533a\u524d\u9762\u6ca1\u63d0\uff0c\u53cd\u6b63\u50cf\u6a21\u50cf\u6837\u77e5\u9053\u5c31\u884c\u4e86\uff09
"},{"location":"services/mirrors/4/networking/","title":"Networking on mirrors4","text":"\u51fa\u4e8e\u597d\u7528\u7684\u8003\u8651\uff0cmirrors4 \u4e0a\u7684\u7f51\u7edc\u4f7f\u7528 systemd-networkd \u914d\u7f6e\u3002\u4f5c\u4e3a\u5165\u95e8\uff0c\u4e0b\u9762\u662f\u4e24\u4e2a\u53c2\u8003\u94fe\u63a5\uff1a
Debian \u9ed8\u8ba4\u7528\u7684\u662f ifupdown\uff0c\u628a\u5b83\u76f4\u63a5\u5378\u6389\u5c31\u884c\u4e86\u3002\u5168\u90e8\u914d\u7f6e\u5b8c\u6bd5\u4e4b\u540e\u9700\u8981 systemctl enable systemd-networkd.service
\u5e76\u4e14 start \u4e00\u4e0b\uff08\u6216\u8005\u76f4\u63a5\u91cd\u542f\uff09\u3002
/etc/systemd/network \u76ee\u5f55\u4e0b\u6709\u4e2a Git \u4ed3\u5e93\uff0c\u65b9\u4fbf\u4fdd\u5b58\u4e0e\u6062\u590d
"},{"location":"services/mirrors/4/networking/#bond","title":"Bond","text":"Bond \u7528\u4e8e\u5c06\u591a\u4e2a\u7f51\u5361\u805a\u5408\u5f53\u4f5c\u4e00\u4e2a\u4f7f\u7528\u3002
"},{"location":"services/mirrors/4/networking/#_1","title":"\u5b50\u7f51\u5361","text":"\u5411 /etc/systemd/network/ens41f0.network
\u5199\u5165\u5982\u4e0b\u5185\u5bb9\uff1a
[Match]\nName=ens41f0\n\n[Network]\nBond=bond1\n\n[Link]\nRequiredForOnline=no\n
\u5373\u53ef\u5c06\u5176\u8bbe\u7f6e\u4e3a bond1 \u7684\u4e00\u4e2a\u5b50\u7f51\u5361\u3002\u7528\u540c\u6837\u65b9\u5f0f\u628a ens41f1 \u4e5f\u8bbe\u4e3a\u5b50\u7f51\u5361\u3002
\u4e00\u4e2a\u5c0f\u5751
systemd-networkd \u6709\u4e00\u4e2a\u9ed8\u8ba4\u7684 bond0 \u805a\u5408\u7f51\u5361\uff0c\u6a21\u5f0f\u6c38\u8fdc\u662f round-robin\uff0c\u800c\u4e14\u5c1d\u8bd5\u8bbe\u7f6e\u8fd9\u4e2a\u7f51\u5361\u5f88\u5bb9\u6613\u51fa\u95ee\u9898\uff0c\u6240\u4ee5\u6211\u4eec\u907f\u5f00\u8fd9\u4e2a\u540d\u5b57\uff0c\u7528 bond1\u3002
"},{"location":"services/mirrors/4/networking/#bond1","title":"bond1 \u805a\u5408\u7f51\u5361","text":"\u5199\u5165 /etc/systemd/network/bond1.netdev
\uff1a
[NetDev]\nName=bond1\nKind=bond\n\n[Bond]\nMode=balance-tlb\nMIIMonitorSec=1\n
\u5173\u4e8e bond \u6a21\u5f0f\uff08balance-tlb
vs balance-alb
\uff09\uff0c\u53c2\u8003\u8fd9\u4e2a Server Fault \u4e0a\u7684\u56de\u7b54\u3002
\u7136\u540e\u521b\u5efa VLAN\uff0c\u5199\u5165 /etc/systemd/network/bond1.network
\uff1a
[Match]\nName=bond1\n\n[Network]\nDHCP=no\nVLAN=cernet\nVLAN=telecom\nVLAN=mobile\nVLAN=unicom\n
"},{"location":"services/mirrors/4/networking/#vlan","title":"VLAN","text":"NIC \u673a\u623f\u6709 4 \u4e2a VLAN\uff0c\u5206\u522b\u662f
\u6ce8\u610f\u8fd9\u51e0\u4e2a\u7f51\u6bb5\u90fd\u6ca1\u6709 DHCP\uff0c\u53ea\u6709\u6559\u80b2\u7f51 VLAN \u6709 IPv6 RA\u3002
\u4e0b\u9762\u4ee5\u6559\u80b2\u7f51 VLAN \u4e3a\u4f8b\u3002
\u56e0\u4e3a VLAN \u5728\u7269\u7406\u4e0a\u5c5e\u4e8e\u4e00\u4e2a\u7f51\u5361\uff0c\u56e0\u6b64\u5411\u5bf9\u5e94\u7f51\u5361\u7684 .network
\u6587\u4ef6\u7684 [Network]
\u6bb5\u8ffd\u52a0\u4e00\u884c\uff08\u89c1\u4e0a\u9762\u4e00\u8282 bond1.network
\u6587\u4ef6\uff09\uff1a
VLAN=cernet\n
\u521b\u5efa VLAN \u754c\u9762\uff0c\u521b\u5efa cernet.netdev
\u5e76\u5199\u5165
[NetDev]\nName=cernet\nKind=vlan\n\n[VLAN]\nId=95\n
\u7136\u540e\u5c31\u53ef\u4ee5\u6307\u5b9a IP \u5730\u5740\u7b49\u5177\u4f53\u4fe1\u606f\u4e86\uff0c\u521b\u5efa\u4e00\u4e2a\u540d\u5b57\u76f8\u540c\uff0c\u540e\u7f00\u6362\u6210 .network
\u7684\u6587\u4ef6\u5e76\u5199\u5165
[Match]\nName=cernet\n\n[Network]\nDHCP=no\nAddress=202.38.95.110/25\n#Gateway=202.38.95.126\nAddress=2001:da8:d800:95::110/64\n#Gateway=2001:da8:d800:95::1\nIPv6AcceptRA=false\n
\u4fdd\u5b58\u540e\u91cd\u542f systemd-networkd.service
\u5c31\u53ef\u4ee5\u770b\u5230\u6548\u679c\u4e86\u3002
\u4e3a\u4ec0\u4e48 Gateway \u88ab\u6ce8\u91ca\u6389\u4e86
\u6839\u636e systemd \u5b98\u65b9\u6587\u6863\uff0c\u5728 [Network]
\u4e00\u8282\u51fa\u73b0\u7684 Gateway=
\u7b49\u4ef7\u4e8e\u4e00\u4e2a\u5355\u72ec\u7684\u3001\u4ec5\u5305\u542b\u4e00\u884c Gateway=
\u7684 [Route]
\u8282\u3002\u7531\u4e8e\u6211\u4eec\u9700\u8981\u6df1\u5ea6\u81ea\u5b9a\u4e49\u8def\u7531\uff0c\u8fd9\u91cc\u4e0d\u65b9\u4fbf\u91c7\u7528\u8fd9\u4e2a\u8fc7\u4e8e\u7b80\u6d01\u7684\u8bbe\u5b9a\uff08\u4f8b\u5982\u5404\u79cd\u9ed8\u8ba4\u503c Table=main
\u7b49\uff09\u3002
\u9488\u5bf9\u4e2a\u522b\u4e0d\u652f\u6301 bind address \u7684\u540c\u6b65\u5de5\u5177\uff0c\u6211\u4eec\u901a\u8fc7\u5c06\u5176\u653e\u5165\u7279\u5b9a\u7684 docker network \u6765\u5b9e\u73b0\u9009\u62e9\u7ebf\u8def\u7684\u529f\u80fd\u3002
\u521b\u5efa\u547d\u4ee4docker network create --driver=bridge --subnet=172.17.4.1/24 -o \"com.docker.network.bridge.name=dockerC\" cernet\ndocker network create --driver=bridge --subnet=172.17.5.1/24 -o \"com.docker.network.bridge.name=dockerT\" telecom\ndocker network create --driver=bridge --subnet=172.17.6.1/24 -o \"com.docker.network.bridge.name=dockerM\" mobile\ndocker network create --driver=bridge --subnet=172.17.7.1/24 -o \"com.docker.network.bridge.name=dockerU\" unicom\ndocker network create --driver=bridge --ipv6 --subnet=172.17.8.1/24 --subnet=fd00:6::/64 -o \"com.docker.network.bridge.name=dockerC6\" cernet6\ndocker network create --driver=bridge --subnet=172.17.9.1/24 -o \"com.docker.network.bridge.name=dockerV\" lugvpn\n
\u7136\u540e\u4f7f\u7528 systemd-networkd \u5bf9\u521b\u5efa\u597d\u7684 docker network \u7f51\u6bb5\u914d\u7f6e\u89c4\u5219\u8def\u7531\u3002
/etc/systemd/network/cernet.network# Docker Cernet\n[RoutingPolicyRule]\nFrom=172.17.4.0/24\nTable=1011\nPriority=5\n\n[RoutingPolicyRule]\nFrom=172.17.8.0/24\nTable=1011\nPriority=5\n
\u5176\u4ed6\u51e0\u4e2a\u6587\u4ef6\u7c7b\u4f3c\uff0c\u53ea\u9700\u8981\u4fee\u6539\u7f51\u6bb5\u548c Table \u5373\u53ef\u3002
"},{"location":"services/mirrors/4/networking/#docker-network-cernet6","title":"Docker network: cernet6","text":"\u7531\u4e8e\u4e00\u4e9b\u7a0b\u5e8f\u6216\u7cfb\u7edf\u73af\u5883\u5728\u53cc\u6808\u7f51\u7edc\u4e2d\u4ecd\u7136\u4f1a\u4f18\u5148\u5c1d\u8bd5 IPv4\uff0c\u6211\u4eec\u5c06 cernet6 \u7f51\u7edc\u7684 v4 \u516c\u7f51\u8bbf\u95ee\u5c4f\u853d\u6389\u3002
rules.v4*filter\n:FORWARD DROP [0:0]\n# ...\n-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n# 顺序很重要：这条 REJECT 必须排在下面针对 docker+ 的 ACCEPT 之前，否则不会生效；\n# Docker 启动时也会向 FORWARD 链插入自己的规则，规则加载后用 iptables -S FORWARD 确认 REJECT 仍在 ACCEPT 之前\n-A FORWARD -i dockerC6 -j REJECT\n-A FORWARD -i docker+ -j ACCEPT\n
"},{"location":"services/mirrors/4/networking/misc/","title":"mirrors \u7f51\u7edc\u914d\u7f6e\u6742\u9879","text":""},{"location":"services/mirrors/4/networking/misc/#sniproxy","title":"sniproxy","text":"Sniproxy \u7528\u4e8e\u4e3a Docker \u5bb9\u5668\u63d0\u4f9b\u65b9\u4fbf\u7684 HTTP(S) \u7f51\u7edc\u5206\u6d41\u3002\u76ee\u524d\u5728 mirrors \u4e0a\u7528\u4e8e\u4e3a dockerhub \u5bb9\u5668\u63d0\u4f9b\uff08\u5230 Cloudflare \u7684\uff09IPv6 \u63a5\u5165\uff08Docker \u505a IPv6 NAT \u975e\u5e38\u4e0d\u65b9\u4fbf\uff0c\u6240\u4ee5\u4ee5\u6b64\u4e3a\u6743\u5b9c\u4e4b\u4e3e\uff09\uff0c\u4ee5\u63d0\u9ad8\u6821\u5185\u8bbf\u95ee\u65f6\u7684\u901f\u5ea6\u3002
"},{"location":"services/mirrors/4/networking/misc/#_1","title":"\u914d\u7f6e","text":"\u5b89\u88c5 sniproxy\uff0c\u5e76\u4e14 mask \u539f\u670d\u52a1\u914d\u7f6e\uff08\u6211\u4eec\u81ea\u5df1\u5199\u4e00\u4e2a\uff09\uff1a
sudo apt install sniproxy\nsudo mkdir -p /etc/sniproxy\nsudo systemctl mask sniproxy.service\n
\u521b\u5efa /etc/systemd/system/sniproxy@.service
\uff1a
[Unit]\nDescription=SNIProxy (%i.conf)\nAfter=network.target network-online.target\nStartLimitIntervalSec=1\n\n[Service]\nType=simple\nExecStart=/usr/sbin/sniproxy -f -c /etc/sniproxy/%i.conf\nRestart=on-failure\nRestartSec=3\n\n[Install]\nWantedBy=multi-user.target\n
\u5728 /etc/sniproxy
中创建配置。以下为 IPv6 + TLS (443) only 的配置例子。注意其中 table all 的 .* * 规则会把任意 SNI 主机名原样转发出去：listen 绑定的地址必须只对需要它的容器可达（例如对应 Docker 网桥上的地址），并用防火墙确认外部访问不到该端口，否则这台机器就成了一个对外开放的 TLS 中继。
resolver {\n nameserver 2001:da8:d800::1\n mode ipv6_only\n}\n\naccess_log {\n filename /dev/null\n}\n\nlisten <Bind \u5230\u7684 IP \u5730\u5740>:443 {\n proto tls\n reuseport yes\n table all\n source <IPv6 \u51fa\u53e3\u5730\u5740>\n}\n\ntable all {\n .* *\n}\n
\u6700\u540e\u542f\u52a8\u670d\u52a1\uff1a
sudo systemctl enable sniproxy@\u914d\u7f6e\u6587\u4ef6\u540d.service\nsudo systemctl start sniproxy@\u914d\u7f6e\u6587\u4ef6\u540d.service\n
"},{"location":"services/mirrors/4/networking/route/","title":"Routing on mirrors4","text":"\u7531\u4e8e mirrors4 \u6ca1\u6709\u4f7f\u7528 ifupdown \u4f5c\u4e3a\u7f51\u7edc\u7ba1\u7406\u7cfb\u7edf\uff0c\u800c\u662f\u91c7\u7528 systemd-networkd\uff0c\u56e0\u6b64\u6211\u4eec\u6ca1\u6709 pre-up
, up
, down
, post-down
\u7b49\u8fd0\u884c\u547d\u4ee4\u7684\u65b9\u5f0f\uff0c\u6240\u4ee5 mirrors2 \u4e0a\u4f7f\u7528\u7684\u90a3\u5957\u811a\u672c\uff08ip-route.sh
\u7b49\uff09\u65e0\u6cd5\u76f4\u63a5\u5728 mirrors4 \u4e0a\u7ee7\u7eed\u4f7f\u7528\u3002
\u597d\u5728\u6211\u4eec\u4f7f\u7528 up
\u7b49\u8fd0\u884c\u547d\u4ee4\u53ea\u662f\u4e3a\u4e86\u914d\u7f6e\u8def\u7531\uff0c\u56e0\u6b64\u6362\u4e86\u4e2a\u529e\u6cd5\uff0c\u6574\u4e86\u4e2a\u65b0\u811a\u672c\u628a IP \u5730\u5740\u5217\u8868\uff08\u6765\u81ea gaoyifan/china-operator-ip\uff09\u8f6c\u6362\u6210 networkd \u6240\u4f7f\u7528\u7684\u914d\u7f6e\u6587\u4ef6\u683c\u5f0f\u3002\u4ee3\u7801\u4e0d\u957f\uff1a
#!/bin/bash\n\nROOT_IP_LIST=/usr/local/network_config/iplist\nROOT_RT=/run/systemd/network\n\ngen_route() {\n IPLIST=\"$ROOT_IP_LIST/$1\"\n GW=\"$2\"\n DEV=\"$3\"\n # Convert table to number\n TABLENAME=\"$4\"\n TABLE=\"$(awk 'substr($0, 1, 1) != \"#\" && $2 == \"'\"$TABLENAME\"'\" { print $1 }' /etc/iproute2/rt_tables | head -1)\"\n PRIORITY=\"$5\"\n\n F=\"$ROOT_RT/$DEV.network.d\"\n mkdir -p \"$F\"\n F=\"$F/route-${TABLENAME,,}.conf\"\n\n echo -e \"[RoutingPolicyRule]\\nTable=$TABLE\\nPriority=$PRIORITY\\n\" > \"$F\"\n awk '{ print \"[Route]\\nDestination=\" $1 \"\\nGateway='\"$GW\"'\\nTable='\"$TABLE\"'\\n\" }' \"$IPLIST\" >> \"$F\"\n}\n\ngen_route ustcnet.txt 202.38.95.126 cernet Ustcnet 5\ngen_route cernet.txt 202.38.95.126 cernet Cernet 6\ngen_route telecom.txt 202.141.160.126 telecom Telecom 6\ngen_route mobile.txt 202.141.176.126 mobile Mobile 6\ngen_route unicom.txt 218.104.71.161 unicom Unicom 6\ngen_route china.txt 218.104.71.161 unicom China 7\n
\u8fd9\u4e2a\u4ed3\u5e93\u91cc\u6709\u5f88\u591a\u4e2a txt \u6587\u4ef6\uff0c\u6bcf\u4e2a\u6587\u4ef6\u5bf9\u5e94\u4e00\u4e2a ISP \u7684\u5730\u5740\u5217\u8868\uff0c\u6bcf\u884c\u4e00\u4e2a CIDR\u3002\u811a\u672c\u4e2d\u7684 gen_route
\u51fd\u6570\u6839\u636e\u53c2\u6570\u8bfb\u53d6\u6587\u4ef6\uff0c\u5e76\u8f6c\u6362\u6210\u4e0b\u9762\u8fd9\u6837\u7684\u683c\u5f0f\uff1a
[Route]\nDestination=1.0.0.0/24\nGateway=202.38.95.126\nTable=1011\n
\u8fd9\u6837\u4e00\u4e2a [Route]
\u8282\u5bf9\u5e94\u4e00\u6761\u8def\u7531\u89c4\u5219\uff0c\u6574\u4e2a txt \u7684\u8f6c\u6362\u7ed3\u679c\u8f93\u51fa\u5230 /run/systemd/network/cernet.network.d/route-example.conf
\u3002\u5176\u4e2d cernet.network.d/*.conf
\u7528\u4e8e\u5411\u73b0\u6709\u7684\u914d\u7f6e\u4e2d\u6dfb\u52a0\u5185\u5bb9\uff08\u4e0e systemd service \u7c7b\u4f3c\uff09\uff0c\u800c /run
\u76ee\u5f55\uff08\u6309\u7406\u6765\u8bf4\uff09\u91cd\u542f\u4f1a\u6e05\u7a7a\uff0c\u9002\u5408\u653e\u7f6e\u8fd9\u4e9b\u7528\u4e8e\u52a8\u6001\u751f\u6210\u7684\u5185\u5bb9\u3002\u53e6\u5916\u7531\u4e8e\u8def\u7531\u89c4\u5219\uff08ip rule
\uff09\u4e5f\u7531 networkd \u7ba1\u7406\u548c\u751f\u6210\u4e86\uff0c\u56e0\u6b64\u6bcf\u4e2a route-xxx.conf
\u5f00\u5934\u4f1a\u5305\u542b\u4e00\u4e2a [RoutingPolicyRule]
\u8282\u7528\u4e8e\u751f\u6210\u8def\u7531\u8868\u5bf9\u5e94\u7684\u8def\u7531\u89c4\u5219\u3002
\u6ce8\u610f\u8def\u7531\u8868\u662f\u7528\u540d\u79f0\u6307\u5b9a\u7684\uff0c\u4ece /etc/iproute2/rt_tables
\u4e2d\u67e5\u51fa\u5bf9\u5e94\u7684\u6570\u5b57 ID\u3002\u8fd9\u4e2a\u6587\u4ef6\u672c\u6765\u4e5f\u662f ip
\u547d\u4ee4\u6240\u4f7f\u7528\u7684\uff08\u6ce8\u610f\u5b83\u7684\u76ee\u5f55\u540d\u53eb iproute2
\uff09\u3002
\u6700\u540e\u7ed9\u8fd9\u4e2a\u811a\u672c\u914d\u4e2a service\uff0c\u8ba9\u5b83\u5728 networkd \u4e4b\u524d\u8fd0\u884c\uff1a
# WARNING: This is NOT the final configuration file!\n[Unit]\nDescription=Generate routes for systemd-networkd\nBefore=systemd-networkd.service\n\n[Service]\nType=oneshot\nExecStart=/bin/bash /usr/local/network_config/route-all.sh\nRemainAfterExit=true\n\n[Install]\nWantedBy=network.target systemd-networkd.service\nWants=systemd-networkd.service\n
\u8fd9\u4e2a\u6587\u4ef6\u5b58\u5230 /etc/systemd/system/route-all.service
\uff0creload \u518d enable \u5c31\u53ef\u4ee5\u4e86\u3002
\u6539 systemd-networkd.service \u9700\u8981\u989d\u5916\u6ce8\u610f
\u8fd9\u4e2a\u81ea\u5e26\u7684\u670d\u52a1\u6709\u4e00\u4e2a User=systemd-networkd
\uff0c\u4f60\u65e2\u4e0d\u80fd ip rule
\u4e5f\u4e0d\u80fd\u5199\u5165 /run/systemd
\u7b49\uff0c\u4f1a\u5bfc\u81f4\u670d\u52a1\u70b8\u6389\uff0c\u7136\u540e\u7f51\u4e5f\u70b8\u4e86\u3002\u3002\u3002
\u5982\u679c\u8981\u6539 networkd \u670d\u52a1\u64cd\u4f5c ip rule
\u7684\u8bdd\uff0c\u9700\u8981\u5728\u547d\u4ee4\u884c\u524d\u9762\u52a0\u4e00\u4e2a +
\u8868\u793a\u8be5\u547d\u4ee4\u4e0d\u53d7 User=
\u7b49\u6743\u9650\u8bbe\u7f6e\u5f71\u54cd\uff0c\u8be6\u7ec6\u89e3\u91ca\u89c1 systemd.service \u6587\u6863\u3002
\u90e8\u5206 IP \u9700\u8981\u914d\u7f6e\u7279\u6b8a\u8def\u7531\u89c4\u5219\u65f6\uff08\u800c\u4e0d\u662f\u4f7f\u7528\u9ed8\u8ba4\uff09\uff0c\u7f16\u8f91 /usr/local/network_config/special.yml
\uff0c\u5176\u683c\u5f0f\u5982\u4e0b\uff1a
routes: # Root key\uff0c\u4fdd\u7559\n lugvpn: # /etc/systemd/network \u4e2d\u5bf9\u5e94\u7684 .network \u6587\u4ef6\u540d\n # \u4e0b\u9762\u662f\u4e00\u4e2a\u8def\u7531\u6587\u4ef6\u7684\u914d\u7f6e\uff0c\u4e00\u4e2a\u6587\u4ef6\u5171\u4eab\u4e00\u4e2a table \u548c gateway \u8bbe\u7f6e\n - name: route-special # \u5c06\u8981\u521b\u5efa\u7684 .conf \u6587\u4ef6\u540d\uff0c\u53ef\u4ee5\u968f\u610f\n table: Special # \u8def\u7531\u8868\uff0c\u5373 ip route add table \u540e\u9762\u7684\u53c2\u6570\uff0c\u6570\u5b57\u6216\u8868\u540d\n gateway: false # \u662f\u5426\u5305\u542b\u7f51\u5173\uff0c\u6216\u8005 ip route \u7684 via \u53c2\u6570\n routes: # \u6240\u6709\u7684\u8def\u7531\u6761\u76ee\n - 1.2.3.4\n - 5.6.7.8/28\n - 2001:db8::2333/64\n\n cernet: # \u66f4\u591a\u7684\u914d\u7f6e\n - ...\n
\u4fee\u6539 special.yml
\u4e4b\u540e\u91cd\u542f route-all.service
\u3002\u8be5\u670d\u52a1\u4f1a\u81ea\u52a8\u5bfc\u81f4 systemd-networkd.service
\u91cd\u542f\u5e76\u8f7d\u5165\u65b0\u7684\u8def\u7531\u914d\u7f6e\u4fe1\u606f\u3002
#!/usr/bin/ruby\n\nrequire 'fileutils'\nrequire 'yaml'\n\nBASEDIR = '/run/systemd/network'\nRT_TABLES = '/etc/iproute2/rt_tables'\n\nrt_tables = Hash.new\nFile.readlines(RT_TABLES).each do |l|\n next if l =~ /^\\s*#/\n id, name = l.split\n rt_tables[name] = id\nend\n\ndata = YAML.load_file File.join(__dir__, 'special.yml')\ndata['routes'].each do |fn, setups|\n confdir = File.join(BASEDIR, \"#{fn}.network.d\")\n FileUtils.mkdir_p confdir\n\n setups.each do |config|\n table = config['table']\n gateway = config['gateway']\n File.open File.join(confdir, \"#{config['name']}.conf\"), 'w' do |f|\n config['routes'].each do |dst|\n t = \"[Route]\\nDestination=#{dst}\\n\"\n t += \"Table=#{rt_tables.fetch table, table}\\n\" if table\n t += \"Gateway=#{gateway}\\n\" if gateway\n f.write t + \"\\n\"\n end\n end\n end\nend\n
route-all.service \u6709\u5f88\u591a\u6ce8\u610f\u4e8b\u9879
\u4e3a\u4e86\u6e05\u7406\u5f00\u673a\u81ea\u52a8\u4ea7\u751f\u7684 32766 \u548c 32767 \u4e24\u6761\u8def\u7531\u89c4\u5219\uff0c\u6211\u4eec\u540c\u65f6\u4e3a systemd-networkd.service
\u6dfb\u52a0\u4e86\u4e24\u4e2a ExecStartPre
\u5982\u4e0b\uff1a
[Service]\nExecStartPre=-+/sbin/ip rule delete from all table main pref 32766\nExecStartPre=-+/sbin/ip rule delete from all table default pref 32767\n
\u53e6\u9644\u5b8c\u6574\u7684 route-all.service
\u6587\u4ef6\uff1a
[Unit]\nDescription=Generate routes for systemd-networkd\nBefore=systemd-networkd.service\n\n[Service]\nType=oneshot\nExecStart=/bin/bash /usr/local/network_config/route-all.sh\nExecStart=/usr/local/network_config/special.rb\nRemainAfterExit=true\n\n[Install]\nWantedBy=network.target systemd-networkd.service\nWants=systemd-networkd.service\n
"},{"location":"services/pxe/","title":"PXE","text":"\u5bf9\u6821\u56ed\u7f51\u7528\u6237\u4e0e\u6821\u5916\u7528\u6237\u516c\u5f00\u7684 PXE \u670d\u52a1\u3002LIIMS \u4e0e\u76ee\u524d\u7684 PXE \u867d\u7136\u8fd0\u884c\u5728\u540c\u4e00\u53f0\u670d\u52a1\u5668\u4e0a\uff0c\u4f46\u662f\u914d\u7f6e\u6709\u6240\u4e0d\u540c\u3002
\u672c\u6587\u6863\u9700\u8981\u5927\u5e45\u6269\u5145
"},{"location":"services/pxe/#intro","title":"Intro","text":"https://lug.ustc.edu.cn/wiki/server/pxe/
https://lug.ustc.edu.cn/planet/2018/10/PXE-intro/
\u5173\u4e8e FAQ
https://lug.ustc.edu.cn/wiki/server/pxe/faq/ \u5b9e\u5728\u662f\u5e74\u5934\u592a\u4e45\u8fdc\u4e86\uff0c\u65e0\u6cd5\u66f4\u65b0\u3002\u65b0\u7684\u5185\u5bb9\u8bb0\u5f55\u5728\u672c\u6587\u6863\u4e2d\u3002
\u4e00\u822c\u7684\u542f\u52a8\u6d41\u7a0b\u662f\uff1a
PXE \u5728\u6821\u56ed\u7f51\u4e2d\u76f4\u63a5\u53ef\u7528\uff0c\u56e0\u4e3a\u5b66\u6821\u7684 DHCP \u670d\u52a1\u5668\u7ecf\u8fc7\u4e86\u914d\u7f6e\u3002
\u5982\u679c\u9700\u8981\u5728\u865a\u62df\u673a\u4e2d\u8c03\u8bd5\uff0c\u53ef\u4ee5\uff1a
\u63a8\u8350\u4f7f\u7528\u7684\u865a\u62df\u673a\u65b9\u6848
PXE \u80fd\u591f\u6210\u529f\u8fd0\u884c\u4e0e\u5426\u6709\u53ef\u80fd\u548c\u865a\u62df\u673a\u73af\u5883\uff08\u7279\u522b\u662f\u865a\u62df\u7f51\u5361\u578b\u53f7\uff09\u9ad8\u5ea6\u76f8\u5173\u3002\u63a8\u8350\u4f7f\u7528 QEMU\u3002
\u5176\u4e2d\u4e3b\u8981\u4f7f\u7528\u7684\u662f\u57fa\u4e8e GRUB2 \u548c simple-pxe \u7684\u65b0 PXE \u65b9\u6848\u3002\u4e3b\u677f\u56fa\u4ef6\u4f7f\u7528 TFTP \u534f\u8bae\u83b7\u53d6 GRUB2 \u7a0b\u5e8f\uff08core.0 \u6216\u8005 core.efi\uff09\u4e4b\u540e\uff0cGRUB2 \u4f1a\u901a\u8fc7 HTTP \u534f\u8bae\u83b7\u53d6\u5269\u4e0b\u6240\u6709\u7684\u6587\u4ef6\u3002
TFTP
\u548c FTP active \u6a21\u5f0f\u4e00\u6837\uff0cTFTP \u662f\u4e00\u4e2a\u6709\u70b9\u9ebb\u70e6\u7684\u534f\u8bae\uff0c\u5982\u679c\u4f60\u7684\u865a\u62df\u673a\u65e0\u6cd5\u4e0d\u7ecf\u8fc7 NAT \u8fde\u63a5 PXE \u670d\u52a1\u5668\uff0c\u90a3\u4e48\u5c31\u9700\u8981\u8c03\u6574\u7f51\u7edc\u914d\u7f6e\uff0c\u4f1a\u5f88\u9ebb\u70e6\uff0c\u518d\u52a0\u4e0a\u5bf9\u6821\u5916\u8bbf\u95ee\u9700\u6c42\u7684\u8003\u91cf\uff0c\u56e0\u6b64\u76ee\u524d\u7684\u8003\u8651\u662f\u5c3d\u91cf\u4f7f\u7528 HTTP\u3002
\u57fa\u4e8e SYSLINUX \u7684\u8001 PXE \u65b9\u6848\uff08lpxelinux.0 -> bin/lpxelinux.0\uff09\u76ee\u524d\u4ecd\u53ef\u542f\u52a8\uff0c\u4f46\u662f\u4e0d\u4f7f\u7528\u3002
"},{"location":"services/pxe/#syslinux","title":"SYSLINUX \u66f4\u65b0","text":"\u867d\u7136\u4e0d\u7ef4\u62a4\u4e86\uff0c\u4f46\u662f\u4ee5\u4e0b\u5185\u5bb9\u4ecd\u4f5c\u8bb0\u5f55\uff1a
wget https://mirrors.ustc.edu.cn/fedora/releases/40/Everything/x86_64/os/Packages/s/syslinux-tftpboot-6.04-0.26.fc40.noarch.rpm\n# decompress\nrpm2cpio syslinux-tftpboot-6.04-0.26.fc40.noarch.rpm | cpio -idmv\ncd tftpboot\nln -s lpxelinux.0 pxelinux.0\nln -s lpxelinux.0 undionly.kpxe\n
\u5f97\u5230\u7684 tftpboot \u76ee\u5f55\u66ff\u4ee3\u539f\u5148\u7684 tftp/bin \u76ee\u5f55\u3002\u542f\u52a8 VM \u7684\u65f6\u5019\u53ef\u4ee5 Wireshark \u770b\u770b\u5b83\u4e0b\u8f7d\u4e86\u54ea\u4e9b\u6587\u4ef6\u3002\u540c\u65f6\u8fd8\u6709\u4e2a pxeknife
\uff0c\u76ee\u524d\u53ea\u5728 SYSLINUX \u7684 PXE \u65b9\u6848\u4e2d\u53ef\u7528\u3002
pypxe
pypxe \u4f3c\u4e4e\u53ea\u5728 SYSLINUX \u65b9\u6848\u4e2d\u4f7f\u7528\u3002
"},{"location":"services/pxe/#uefi","title":"\u4f7f\u7528 UEFI \u76f4\u63a5\u542f\u52a8","text":"QEMU \u4e00\u822c\u4f7f\u7528\u7684 UEFI \u56fa\u4ef6 OVMF \u652f\u6301\u76f4\u63a5\u4ece HTTP \u542f\u52a8\u3002\u5728\u5199\u4f5c\u65f6\uff0cArch Linux \u6253\u5305\u7684 OVMF \u6ca1\u7f16\u8bd1\u6b64\u7279\u6027\uff0c\u5176\u4ed6\u7684\u53d1\u884c\u7248\u4e5f\u6709\u53ef\u80fd\u4e0d\u652f\u6301\uff0c\u56e0\u6b64\u9700\u8981\uff1a
\u7136\u540e\u4f7f\u7528\u4ee5\u4e0b\u547d\u4ee4\u542f\u52a8 QEMU\uff1a
qemu-system-x86_64 -L . --bios ../ovmf-x64/OVMF-pure-efi.fd\n
\u542f\u52a8\u540e\u9a6c\u4e0a\u6309\u4e0b ESC\uff0c\u8fdb\u5165\u914d\u7f6e\u754c\u9762\uff0c\u7136\u540e\u9605\u8bfb https://github.com/tianocore/tianocore.github.io/wiki/HTTP-Boot \u505a\u8fdb\u4e00\u6b65\u914d\u7f6e\u3002
\u65e7\u7248\u672c\u7684 GRUB2 \u53ef\u80fd\u6709 bug\uff08\u4f8b\u5982 https://github.com/ustclug/discussions/issues/456\uff09\uff0c\u56e0\u6b64\u6709\u65f6\u5019\u9700\u8981\u5347\u7ea7\u3002
\u66f4\u65b0\u7b56\u7565\u8003\u8651\u4f7f\u7528 Debian stable \u7684 grub2\u3002\u542f\u52a8\u5bb9\u5668\u5e76\u4e14\u5c06\u5916\u9762\u7684\u76ee\u5f55 bind mount\uff1a
docker run -it --rm -v $(pwd)/tftp:/srv/tftp ustclug/debian:12\n
\u7136\u540e\u5728\u5bb9\u5668\u4e2d\u6267\u884c\uff1a
apt update && apt install grub-common grub-pc grub-efi-amd64-signed\ngrub-mknetdir\ngrub-mkimage -d /usr/lib/grub/i386-pc -O i386-pc-pxe -o /srv/tftp/boot/grub/i386-pc/core.0 -p '(http,202.38.93.94)/boot/tftp/grub/' pxe http\ngrub-mkimage -d /usr/lib/grub/x86_64-efi -O x86_64-efi -o /srv/tftp/boot/grub/x86_64-efi/core.efi -p '(http,202.38.93.94)/boot/tftp/grub/' efinet http\n
\u6700\u540e\u4e24\u4e2a grub-mkimage
\u662f\u56e0\u4e3a grub-mknetdir
\u751f\u6210\u7684\u955c\u50cf\u4f7f\u7528 tftp \u534f\u8bae\uff0c\u5728\u8c03\u8bd5\u65f6\u53ef\u80fd\u4f1a\u6709\u95ee\u9898\u3002\u6211\u4eec\u5e0c\u671b GRUB2 \u80fd\u591f\u5168\u7a0b\u4f7f\u7528 HTTP \u505a\u5269\u4e0b\u7684\u5de5\u4f5c\u3002
\u66f4\u6362\u6587\u4ef6\u7684\u65f6\u5019\u522b\u628a\u914d\u7f6e\u8986\u76d6\u4e86\u3002
"},{"location":"services/pxe/#ipxe-iso","title":"\u6784\u5efa iPXE ISO","text":"\u53c2\u8003 https://ipxe.org/embed\u3002
#!ipxe\n\n# Generated by GPT-4\ndhcp\nset 210:string http://202.38.93.94/boot/tftp/\n\n# UEFI boot?\niseq ${platform} efi && goto uefi || goto bios\n\n:uefi\necho \"UEFI boot detected\"\nchain ${210:string}bootx64.efi\nexit\n\n:bios\necho \"BIOS boot detected\"\nchain ${210:string}pxelinux.0\nexit\n
clone ipxe/ipxe \u4ed3\u5e93\uff0c\u8fdb\u5165 src \u76ee\u5f55\uff0c\u7136\u540e\u6267\u884c\uff1a
# https://github.com/ipxe/ipxe/pull/50\nmake bin-x86_64-efi/ipxe.efi bin/ipxe.lkrn\n./util/genfsimg -o ustc.ipxe.iso -s ../../ustc.ipxe bin-x86_64-efi/ipxe.efi bin/ipxe.lkrn\n
"},{"location":"services/pxe/#_2","title":"\u67b6\u6784","text":"\u65b0 PXE \u65b9\u6848\u7684 HTTP \u670d\u52a1\u5668\u4e3a Apache + Nginx\u3002URL \u4e2d\u7684 boot2 \u5bf9\u5e94 /nfsroot/pxe\u3002
\u5904\u7406 web \u670d\u52a1\u5668
\u76ee\u524d PXE \u673a\u5668\u7684 web \u670d\u52a1\u5668\u6709\u70b9\u8be1\u5f02\uff0cApache2 \u76d1\u542c 80\uff0cNginx \u76d1\u542c 443\uff0c\u540e\u7eed\u9700\u8981\u8c03\u6574\u5904\u7406\u3002
\u6587\u4ef6\u8df3\u8f6c\u914d\u7f6e
Apache2 \u4e2d\u914d\u7f6e\u4e86\u4e00\u4e9b alias \u8df3\u8f6c\uff0c\u540c\u6837\u7684\uff0cTFTP \u4e5f\u6709\u7c7b\u4f3c\u7684\u914d\u7f6e\uff08/etc/xinetd.d/tftp
\u7684 server_args
\u91cc\u9762\u6709 -m /home/pxe/tftp/REMAP
\uff09\u3002
\u9700\u8981\u68c0\u67e5\u4e00\u81f4\u6027\u3002
\u5982\u679c\u51fa\u73b0\u95ee\u9898\u9700\u8981\u8c03\u8bd5\uff0c\u5efa\u8bae\u6293\u5305\uff08\u53ef\u4ee5\u4f7f\u7528 Wireshark \u67e5\u770b TFTP \u6216 HTTP \u534f\u8bae\uff09\u770b\u662f\u5426\u6b63\u5e38\u3002
\u6bcf\u5929\u51cc\u6668\uff0cpxe \u7528\u6237\u7684 crontab \u4efb\u52a1\u4f1a\u6267\u884c https://github.com/ustclug/simple-pxe/blob/master/simple-pxe-in-docker\uff08\u6587\u4ef6\u4f4d\u4e8e pxe \u7528\u6237\u7684 home \u4e2d\uff09\uff0c\u5b9e\u73b0 PXE \u76f8\u5173\u6587\u4ef6\u7684\u66f4\u65b0\u3002
"},{"location":"services/pxe/#faults","title":"\u6545\u969c","text":"pxe \u670d\u52a1\u5668\u5728\u5347\u7ea7\u5230 Debian Bullseye (11) \u540e\u65e0\u6cd5\u6b63\u5e38\u5f00\u673a\uff0c\u7ecf\u8fc7 GRUB \u8fdb\u5165\u5185\u6838\u540e\u6bcf 5 \u79d2\u5237\u51fa\u4ee5\u4e0b\u4fe1\u606f\uff1a
DMAR: DRHD: handling fault status reg 2\nDMAR: [DMA Read] Request device [03:00.0] PASID ffffffff fault addr cb2f0000 [fault reason 06] PTE Read access is not set\nDMAR: DRHD: handling fault status reg 102\n
\u7531\u4e8e\u6b64\u65f6\u521a\u5347\u7ea7\u81f3 Debian Bullseye\uff0c\u6240\u4ee5\u7cfb\u7edf\u4ecd\u7136\u4fdd\u7559\u4e86 Debian Buster \u7684 4.19 \u7248\u5185\u6838\u3002\u91cd\u542f\u8fdb\u8be5\u5185\u6838\u53ef\u6b63\u5e38\u542f\u52a8\u5e76\u8fd0\u884c\u670d\u52a1\uff0c\u4f46\u53ea\u8981\u8fdb 5.10 \u7684\u5185\u6838\u5c31\u4f1a\u51fa\u73b0\u4ee5\u4e0a\u9519\u8bef\u3002\u6d4b\u8bd5 Proxmox VE \u63d0\u4f9b\u7684 pve-kernel-5.15 \u4e5f\u662f\u540c\u6837\u95ee\u9898\u3002
\u641c\u7d22\u53d1\u73b0\u4e3b\u673a\u4f7f\u7528\u7684 RAID \u5361 PERC H310 \u4e0d\u652f\u6301\u76f4\u901a\uff08IOMMU \u865a\u62df\u5316\uff09\uff0c\u914d\u7f6e GRUB \u52a0\u5165 intel_iommu=off
\u540e\u53ef\u4ee5\u6b63\u5e38\u8fdb\u5165 5.10 \u7684\u5185\u6838\uff0c\u4f5c\u4e3a\u89e3\u51b3\u65b9\u6848\u3002
\u6309\u8bf4 IOMMU\uff08VT-d\uff09\u4e0d\u5e94\u8be5\u9ed8\u8ba4\u542f\u7528\uff0c\u56e0\u6b64\u731c\u6d4b 5.10+ \u7684\u5185\u6838\u4f1a\u4e3b\u52a8\u5c1d\u8bd5\u5f00\u542f IOMMU\uff0c\u5bfc\u81f4 RAID \u5361\u51fa\u9519\u3002
\u6bd4\u8f83 /boot/config-4.19.0-18-amd64
\u548c /boot/config-5.10.0-11-amd64
\u540e\u53d1\u73b0 5.10 \u7248\u7684 config \u591a\u4e86\u4e00\u884c CONFIG_INTEL_IOMMU_DEFAULT_ON_INTGPU_OFF=y
\uff0c\u641c\u7d22\u53d1\u73b0 Debian bug #932086\uff0c\u5373 Debian \u9ed8\u8ba4\u5bf9\u9664\u4e86 Intel GPU \u4ee5\u5916\u7684\u8bbe\u5907\u542f\u7528 IOMMU\uff08linux 5.2.9-2
\uff09\u3002
\u53c2\u8003\u94fe\u63a5\uff1a
https://github.com/ustclug/simple-pxe/blob/master/menu.d/tool.sh
\u4f9d\u8d56\u4e8e Arch Linux \u63d0\u4f9b\u7684 EFI \u6587\u4ef6\u3002
"},{"location":"services/pxe/images/#memtest86","title":"Memtest86+","text":"https://github.com/memtest86plus/memtest86plus
\u6b64\u5916 memtest86 \u6709\u4e2a\u95ed\u6e90\u5b9e\u73b0\uff0c\u4e0d\u8003\u8651\u7ee7\u7eed\u7ef4\u62a4\u3002
\u4ee5\u4e0b\u6b65\u9aa4\u53c2\u8003\u4e86 https://gitlab.archlinux.org/archlinux/packaging/packages/memtest86plus/-/blob/main/PKGBUILD?ref_type=heads\u3002
git clone https://github.com/memtest86plus/memtest86plus.git\ncd memtest86plus/build64\nmake\n
\u5f97\u5230\u7684 memtest.bin
\u662f BIOS \u7248\u7684\uff0cmemtest.efi
\u662f UEFI \u7248\u7684\u3002
\u542f\u52a8\u83dc\u5355\uff1ahttps://github.com/ustclug/simple-pxe/blob/master/menu.d/tool.sh\u3002
"},{"location":"services/pxe/images/#gparted","title":"GParted","text":"https://github.com/ustclug/simple-pxe/blob/master/menu.d/gparted.sh\u3002
\u542f\u52a8\u53c2\u6570\u4e0d\u80fd\u52a0 ip=
\uff1ahttps://gitlab.gnome.org/GNOME/gparted/-/issues/141\u3002
Short for Libray Independent Inquery Machine System.
Server: pxe.s.ustclug.org
Git Repository:
It is strongly advised to clone liimstrap and read through it when reading this document.
"},{"location":"services/pxe/liims/#add-machine","title":"\u542f\u52a8\u914d\u7f6e","text":"\u914d\u7f6e\u6587\u4ef6\u5728 /home/pxe/tftp/grub/grub.cfg.d
\uff0c\u82e5\u8981\u5141\u8bb8\u65b0\u673a\u5668\u542f\u52a8 liims \u955c\u50cf\uff0c\u521b\u5efa\u4e00\u4e2a\u7b26\u53f7\u94fe\u63a5\u5230\u5bf9\u5e94\u7684\u914d\u7f6e\u6587\u4ef6\u3002\u4f8b\u5982\uff1a
ln -s common_el 02:23:45:67:89:ab\n
\u76ee\u524d\u6211\u4eec\u901a\u8fc7\u51e0\u4e2a\u7b26\u53f7\u94fe\u63a5\u5c06\u914d\u7f6e\u6587\u4ef6\u201c\u5206\u7ec4\u201d\uff0cMAC \u5730\u5740\u5bf9\u5e94\u7684\u7b26\u53f7\u94fe\u63a5\u5e94\u8be5\u94fe\u63a5\u5230\u8fd9\u4e9b\u5206\u7ec4\u4e0a\u3002\u5df2\u6709\u7684\u5206\u7ec4\u5982\u4e0b\uff1a
common_el
\uff1aEL \u5373 East-campus Library\uff08\u4e1c\u56fe\uff09common_wl
\uff1aWL \u5373 West-campus Library\uff08\u897f\u56fe\uff09common_sl
\uff1aSL \u5373 South-campus Library\uff08\u5357\u56fe\uff09common_iat
\uff1aIAT \u5373\u5148\u7814\u9662common_gx
\uff1aGaoXin \u9ad8\u65b0\u6821\u533atest
\uff1a\u6d4b\u8bd5\u955c\u50cf\u9664\u6b64\u4e4b\u5916\uff0c\u8fd8\u9700\u8981\u5728\u67e5\u8be2\u673a\u76d1\u63a7\u7a0b\u5e8f\u4e2d\u6dfb\u52a0\u8be5 MAC \u5730\u5740\uff0c\u89c1\u4e0b\u65b9\u67e5\u8be2\u673a\u76d1\u63a7\u3002
"},{"location":"services/pxe/liims/#lib-api","title":"\u4e3a\u56fe\u4e66\u9986\u8001\u5e08\u5f00\u653e\u7684\u63a5\u53e3","text":"\u56fe\u4e66\u9986\u8001\u5e08\u53ef\u4ee5\u901a\u8fc7 SSH \u767b\u5f55\u673a\u5668\u76f4\u63a5\u521b\u5efa\u6240\u9700\u7684\u7b26\u53f7\u94fe\u63a5\uff08\u4f46\u662f\u8fd8\u9700\u8981\u6211\u4eec\u6765\u6539\u76d1\u63a7\u7a0b\u5e8f\u7684 json\uff09\u3002\u76f8\u5173\u914d\u7f6e\u5982\u4e0b\uff1a
/etc/sudoers.d/sonniesonnie ALL=(pxe) NOPASSWD: /home/pxe/tftp/grub/grub.cfg.d/add_host.py *\n
/etc/ssh/sshd_configMatch User sonnie\n AllowUsers sonnie\n PubkeyAuthentication yes\n AuthorizedKeysFile .ssh/authorized_keys\n
/etc/nsswitch.conf
\u628a sudoers \u4e00\u884c\u4e2d\u7684 ldap \u79fb\u5230 files \u524d\u9762\u3002
\u9ed8\u8ba4\u60c5\u51b5\u4e0b ldap \u5728 files \u540e\u9762\uff0c\u90a3\u4e48\u6765\u81ea LDAP \u7684 sudo rules \u4f1a\u6392\u5728 sudoers \u6587\u4ef6\u4e2d\u7684 rules \u7684\u540e\u9762\uff0c\u800c sudo \u662f\u540e\u9762\u7684\u89c4\u5219\u4f18\u5148\u7ea7\u66f4\u9ad8\uff0c\u4f1a\u5bfc\u81f4\u65e0\u6cd5 NOPASSWD \u8fd0\u884c\u811a\u672c\u3002
"},{"location":"services/pxe/liims/#_1","title":"\u542f\u52a8\u955c\u50cf","text":"\u4f4d\u4e8e /home/pxe/nfsroot/<category>/<name>
\uff0c\u5176\u4e2d <name>
\u5c31\u662f\u955c\u50cf\u540d\u79f0\uff08\u4f8b\u5982 liims160909
\uff09\u3002\u76ee\u524d\u6709\u4e24\u79cd\u90e8\u7f72\u65b9\u5f0f\uff1a\u4e00\u79cd\u662f NFS as rootfs\uff0c\u6587\u4ef6\u5939\u4e2d\u5c31\u662f\u6574\u4e2a rootfs\uff0c\u76f4\u63a5\u4fee\u6539\u8fd9\u91cc\u7684\u6587\u4ef6\uff0c\u673a\u5668\u91cd\u542f\u540e\u5c31\u4f1a\u8f7d\u5165\u3002\uff08\u6ce8\u610f\uff1a\u8986\u76d6\u6587\u4ef6\u53ef\u80fd\u5bfc\u81f4\u5df2\u6709\u7684\u673a\u5668\u8fd0\u884c\u9519\u8bef\uff09
\u53e6\u4e00\u79cd\u662f\u6253\u5305\u538b\u7f29\u4e3a squashfs\uff0c\u6b64\u65f6\u6587\u4ef6\u5939\u4e0b\u4e09\u4e2a\u6587\u4ef6\u5206\u522b\u4e3a vmlinuz\uff08kernel\uff09, initrd.img \u548c root.sfs\uff08squashfs \u955c\u50cf\uff09\u3002\u5982\u679c\u9700\u8981\u4fee\u6539\uff0c\u53ef\u4ee5\u4f7f\u7528 unsquashfs
\u89e3\u538b\u7f29\uff0c\u4fee\u6539\u5b8c\u6210\u540e\u53c2\u8003\u4ed3\u5e93\u4e2d deploy \u6587\u4ef6\u518d\u538b\u7f29\u4e3a squashfs\u3002
IP \u767d\u540d\u5355\u91c7\u7528 iptables \u5b9e\u73b0\uff0c\u4fee\u6539 rootfs \u4e0b\u7684 etc/iptables/rules.v4
\u548c rules.v6
\u53ef\u4fee\u6539\u7b56\u7565\u3002\u6ce8\u610f\uff1a\u9632\u706b\u5899\u7b56\u7565\u4ec5\u5728\u673a\u5668\u542f\u52a8\u65f6\u4f1a\u8f7d\u5165\u4e00\u6b21\u3002
\u5907\u6ce8
\u6b64\u8282\u7684\u5185\u5bb9\u4ec5\u9002\u7528\u4e8e 2022 \u4e4b\u524d\u7684\u8001\u7248\u672c\uff0c\u65b0\u7248\u672c\u6709\u5173\u6784\u5efa\u3001\u8c03\u8bd5\u7b49\u5185\u5bb9\u8bf7\u76f4\u63a5\u9605\u8bfb liimstrap \u4ed3\u5e93 README\u3002
\u4f7f\u7528 liimstrap \u5728 ArchLinux \u4e0b\u8fdb\u884c\u6784\u5efa\uff0cliimstrap \u4f7f\u7528\u65b9\u6cd5\u53c2\u8003\u4ed3\u5e93\u4e2d\u7684\u8bf4\u660e\u3002
\u6784\u5efa\u540e\u9700\u8981\u63a8\u9001\u5230\u670d\u52a1\u5668\u4e0a\u7684 /nfsroot/liims
\u4e0b\uff0c\u5e76\u8bbe\u7f6e /usr \u7684\u6240\u6709\u8005\u4e3a liims\u3002\u673a\u5668\u7684\u9ed8\u8ba4 pxe \u542f\u52a8\u914d\u7f6e\u5728 /home/pxe/tftp/pxelinux.cfg/
\u4e0b
\u521b\u5efa\u5e76\u6302\u8f7d\u4e34\u65f6\u955c\u50cf:
dd if=/dev/zero of=liims.img bs=4k count=1200000\nmkfs.ext4 liims.img\nmount -o loop liims.img /mnt\n
\u5047\u8bbe\u5f53\u524d\u8def\u5f84\u4e3a liimstrap\uff0c\u4fee\u6539 initcpio/mkinitcpio.conf
\uff0c\u53bb\u6389 HOOKS \u4e2d\u7684 liims_root
\uff0c\u589e\u52a0 block
\uff08\u4ec5\u8c03\u8bd5\u65f6\u9700\u8981\uff09\u3002 \u4f7f\u7528 liimstrap \u5236\u4f5c\u955c\u50cf ./liimstrap /mnt
\u3002\u5b8c\u6210\u540e\u4f7f\u7528 qemu \u6253\u5f00\u8c03\u8bd5:
qemu -kernel /mnt/boot/vmlinuz-lts\\\n -initrd /mnt/boot/initramfs-linux-lts.img\\\n -hda liims.img\\\n -netdev user,id=mynet0,net=114.214.188.0/24,dhcpstart=114.214.188.9\\\n -device i82557a,netdev=mynet0\\\n -append \"root=/dev/sda rootflags=rw\"\n
\u6ce8\uff1a\u5176\u4e2d netdev \u4e2d\u7684 ip \u6bb5\u53ef\u4ee5\u81ea\u7531\u9009\u53d6\uff0cdevice
\u4e2d\u7684\u8bbe\u5907\u540d\u901a\u8fc7 qemu -device \\?
\u67e5\u770b\u540e\u9009\u62e9\u4efb\u4e00\u7f51\u7edc\u8bbe\u5907\u5373\u53ef
http://pxe.ustc.edu.cn:3000/
2022 \u5e74\u524d\uff0c\u63d0\u4f9b\u670d\u52a1\u7684\u662f\u4e00\u4e2a Docker \u5bb9\u5668\u3002\u5728 iBug \u7528 Go \u91cd\u5199\u4e4b\u540e\uff0c\u76ee\u524d\u76f4\u63a5\u8dd1\u5728 host \u4e0a\u3002
\u6dfb\u52a0\u65b0\u673a\u5668
\u4fee\u6539 https://github.com/ustclug/liimstrap/blob/master/monitor/clients.json \u540e\uff0c\u5728 pxe \u4e0a clone \u5e76\u5728\u5f53\u524d\u76ee\u5f55 build\u3002\u4f7f\u7528 docker-run-script \u4e2d\u5bf9\u5e94\u811a\u672c\u6267\u884c\u5bb9\u5668\u5373\u53ef\u3002
\u4fee\u6539 /etc/liims-monitor/clients.json
\u4e4b\u540e systemctl reload liims-monitor.service
\u5373\u53ef\u3002
{\n \"name\": \"\u4e1c\u533a\u4e09\u697c\u4e1c01\",\n \"mac\": \"0223456789ab\"\n}\n
"},{"location":"workflow/new-server/","title":"New Server Setup Checklist","text":""},{"location":"workflow/new-server/#ntp-date","title":"NTP Date","text":"Install either chrony
or systemd-timesyncd
(recommended). Usually chrony comes pre-installed so it's easily forgot.
=== \"Chrony\"
Replace the default NTP pool with USTC's NTP server `time.ustc.edu.cn`, like this:\n\n```shell title=\"/etc/chrony/chrony.conf\" linenums=\"7\"\n# Use Debian vendor zone.\n#pool 2.debian.pool.ntp.org iburst\nserver time.ustc.edu.cn iburst\n```\n\nThen restart the service:\n\n```shell\nsystemctl restart chrony\n```\n
=== \"systemd-timesyncd\"
For Debian 11 and up, we use an override file to configure the NTP server:\n\n```shell title=\"/etc/systemd/timesyncd.conf.d/ustc.conf\"\n[Time]\nNTP=time.ustc.edu.cn\n```\n\nThen restart the service:\n\n```shell\nsystemctl restart systemd-timesyncd\n```\n
"},{"location":"workflow/new-server/#time-zone","title":"Time zone","text":"Run dpkg-reconfigure tzdata
and select Asia/Shanghai as the timezone. Reboot the server.
update-alternatives --set iptables /usr/sbin/iptables-nft\nupdate-alternatives --set ip6tables /usr/sbin/ip6tables-nft\n
"},{"location":"workflow/new-server/#update-resolvconf","title":"Update resolv.conf","text":""},{"location":"workflow/new-server/#install-console-setup","title":"Install console-setup","text":"This may have already come with the base system. It's more likely missed if the system is installed from scratch (bootstrapped).
"},{"location":"workflow/new-vm/","title":"Create new server in LUGi","text":"We no longer have a vSphere cluster, so anything mentioning vSphere is left only for references.
"},{"location":"workflow/new-vm/#create-vm-in-vcenter","title":"Create VM in vCenter","text":"vCenter \u5730\u5740\uff1avcenter2.vm.ustclug.org
\u6309\u7167\u63d0\u793a\u521b\u5efa\u865a\u62df\u673a
Note
\u5c06\u7f51\u7edc\u6539\u4e3a cernet\uff0c\u4ee5\u4fbf\u7528 DHCP \u83b7\u5f97 IP \u5730\u5740\uff0c\u7528 PXE \u5b89\u88c5\u7cfb\u7edf\u3002
\u51e0\u4e2a\u5173\u952e\u914d\u7f6e\uff1a
\u6211\u4eec\u76ee\u524d\u4e0d\u4f7f\u7528 PVE \u8fd0\u884c LXC \u5bb9\u5668\uff0c\u56e0\u6b64\u672c\u6587\u6863\u53ea\u4ecb\u7ecd\u521b\u5efa KVM \u865a\u62df\u673a\u7684\u6b65\u9aa4\u3002\u63a8\u8350\u4f7f\u7528 web \u754c\u9762\u64cd\u4f5c\uff0c\u9664\u975e\u4f60\u9700\u8981\u6279\u91cf\u521b\u5efa\u865a\u62df\u673a\uff08\u6b64\u65f6\u901a\u8fc7 SSH \u767b\u5f55\u540e\u53ef\u4ee5\u4f7f\u7528 qm
\u547d\u4ee4\u6279\u5904\u7406\uff09\u3002
\u767b\u5f55 web \u754c\u9762\uff0c\u70b9\u51fb\u53f3\u4e0a\u89d2\u7684 Create VM\uff0c\u5f39\u51fa\u521b\u5efa\u865a\u62df\u673a\u7684\u5bf9\u8bdd\u6846\u3002
General\u6b63\u786e\u9009\u62e9\u865a\u62df\u673a\u6240\u5728\u7684 Node\uff08\u5373 Host\uff09\uff0c\u5e76\u6307\u5b9a\u4e00\u4e2a VMID\u3002\u76ee\u524d VMID \u7684\u5206\u914d\u65b9\u6848\u662f\u4e1c\u56fe 300-399\uff0cNIC 200-299\uff0c\u5728\u6b64\u57fa\u7840\u4e0a\u9012\u589e\u5373\u53ef\u3002\u7ed9 VM \u8d77\u4e2a\u6613\u4e8e\u8fa8\u8bc6\u7684\u540d\u79f0\uff0c\u4e0d\u8981\u4e0e\u5df2\u6709 VM \u91cd\u590d\u3002Resource Pool \u7559\u7a7a\u5373\u53ef\u3002
OS\u9664\u975e\u4f60\u8981\u4f7f\u7528 iso \u955c\u50cf\u624b\u52a8\u5b89\u88c5\u7cfb\u7edf\uff0c\u5426\u5219\u8bf7\u9009\u62e9\u300cDo not use any media\u300d\u3002\u6b63\u786e\u9009\u62e9 Guest OS \u7684\u7c7b\u578b\u548c\u7248\u672c\u3002
System\u5c06 SCSI Controller \u8bbe\u4e3a VirtIO SCSI\uff08\u6ce8\u610f\u4e0d\u8981\u9009 VirtIO SCSI Single\uff09\uff0c\u52fe\u4e0a Qemu Agent \u9009\u9879\uff0c\u5176\u4ed6\u9009\u9879\u90fd\u9009 Default \u5373\u53ef\u3002
Disks, CPU, Memory\u6309\u9700\u5206\u914d\uff0c\u78c1\u76d8\u5bb9\u91cf\u5efa\u8bae\u63a7\u5236\u5728 10 GB \u4ee5\u5185\uff08\u4ec5\u7cfb\u7edf\u76d8\uff0c\u53ef\u53e6\u52a0\u6570\u636e\u76d8\uff09\uff0c\u5176\u4e2d Disk \u52fe\u9009\u4e0a Discard\uff0cCPU Type \u63a8\u8350\u9009\u62e9 Host\u3002
Network\u6309\u9700\u9009\u62e9\uff0cModel \u9009 VirtIO\uff0c\u7136\u540e\u53d6\u6d88\u52fe\u9009 Firewall\u3002
\u8bb0\u5f97\u5728\u865a\u62df\u673a\u7684 Options \u91cc\u5c06 Start at boot \u8bbe\u4e3a Yes
\u5728 Proxmox VE \u4e0a\uff0c\u901a\u8fc7 web \u754c\u9762\u521b\u5efa\u65b0\u865a\u62df\u673a\u540e\uff0c\u53ef\u4ee5\u4f7f\u7528\u666e\u901a\u65b9\u5f0f\u5b89\u88c5\u7cfb\u7edf\uff0c\u4e5f\u53ef\u4ee5\u76f4\u63a5\u5bfc\u5165\u53d1\u884c\u7248\u63d0\u4f9b\u7684\u865a\u62df\u673a\u955c\u50cf\uff08\u9700\u8981\u901a\u8fc7 SSH \u767b\u5f55 Proxmox VE \u6216 NFS \u670d\u52a1\u5668\uff09\u3002
\u4e0b\u9762\u4ee5 Debian \u4e3a\u4f8b\uff0c\u521b\u5efa\u4e00\u4e2a\u65b0\u865a\u62df\u673a\uff0c\u7136\u540e\u6253\u5f00 https://mirrors.ustc.edu.cn/debian-cdimage/cloud/bullseye/\uff0c\u70b9\u51fb\u6700\u65b0\u7684\u76ee\u5f55\uff08\u51fa\u4e8e\u672a\u77e5\u539f\u56e0 latest \u94fe\u63a5\u662f\u574f\u7684\uff09\uff0c\u590d\u5236 debian-11-genericcloud-amd64-<date>-<rev>
\u7684\u94fe\u63a5\uff08\u63a8\u8350\u4f7f\u7528 genericcloud \u800c\u4e0d\u662f generic\uff0c\u5176\u9884\u88c5 linux-image-cloud-amd64
\uff0c\u76f8\u6bd4\u4e8e\u201c\u5b8c\u6574\u7248\u201d\u5185\u6838\u7cbe\u7b80\u6389\u4e86\u5927\u90e8\u5206\u7269\u7406\u8bbe\u5907\u7684\u9a71\u52a8\u7a0b\u5e8f\uff0c\u9002\u7528\u4e8e\u865a\u62df\u673a\u73af\u5883\uff09\uff0c\u7136\u540e\u767b\u5f55 Proxmox VE \u6216 vdp\uff08NFS \u670d\u52a1\u5668\uff09\uff0c\u4f7f\u7528\u4ee5\u4e0b\u547d\u4ee4\u76f4\u63a5\u4e0b\u8f7d\u955c\u50cf\u81f3\u865a\u62df\u673a\u78c1\u76d8\uff1a
# Proxmox VE (ZFS / LVM), use RAW\nwget -O /dev/zvol/rpool/data/vm-<id>-disk-0 https://mirrors.ustc.edu.cn/<...>.raw\nwget -O /dev/<vg>/<lv> https://mirrors.ustc.edu.cn/<...>.raw\n\n# vdp over NFS, use QCOW2\nwget -O /media/vdp/pve/images/<path>.qcow2 https://mirrors.ustc.edu.cn/<...>.qcow2\n
\u7136\u540e\u5728 web \u754c\u9762\u6307\u5b9a\u865a\u62df\u673a\u7684\u78c1\u76d8\uff08\u5982\u6709\u9700\u8981\uff09\u3002
"},{"location":"workflow/new-vm/#reset-password","title":"Reset password","text":"\u7531\u4e8e Debian \u63d0\u4f9b\u7684 cloud image \u9ed8\u8ba4\u7981\u7528\u4e86 root \u7528\u6237\uff0c\u9700\u8981\u624b\u52a8\u6302\u8f7d\u78c1\u76d8\uff0c\u7f16\u8f91\u78c1\u76d8\u4e2d\u7684 /etc/shadow
\u6587\u4ef6\uff0c\u5c06\u7b2c\u4e00\u884c\u7684 root:*:...
\u6539\u4e3a root::...
\uff08\u5373\u5220\u6389\u661f\u53f7\uff09\u3002\u6ce8\u610f\u4e0d\u8981\u8bef\u6539\u4e3b\u673a\u7684 shadow \u6587\u4ef6\u3002
Tip
\u6b64\u6b65\u9aa4\u4e5f\u53ef\u4ee5\u66ff\u6362\u4e3a chroot \u8fdb\u53bb\u540e\u4f7f\u7528 passwd
\u4fee\u6539\u6216\u6e05\u7a7a\u5bc6\u7801\u3002\u5982\u679c\u4f60\u4e0d\u591f\u719f\u6089 shadow \u6587\u4ef6\u7684\u683c\u5f0f\uff0c\u8fd9\u6837\u505a\u66f4\u5b89\u5168\u3002
\u5bf9\u4e8e ZFS \u548c LVM \u5b58\u50a8\u7684\u78c1\u76d8\uff0c\u53ef\u4ee5\u76f4\u63a5\u6302\u8f7d /dev/zvol/<...>
\u6216 /dev/<vg>/<lv>
\uff08\u4f60\u53ef\u80fd\u9700\u8981\u4f7f\u7528 kpartx
\u5de5\u5177\u52a0\u8f7d\u5206\u533a\uff09\u3002\u5bf9\u4e8e Qcow2 \u6587\u4ef6\u7684\u78c1\u76d8\uff0c\u53ef\u4ee5\u53c2\u8003\u8fd9\u4e2a Gist \u4f7f\u7528 qemu-nbd
\u5de5\u5177\u6765\u6302\u8f7d\u3002\u5176\u4e2d nbd
\u662f Linux \u539f\u751f\u7684\u5185\u6838\u6a21\u5757\uff0c\u53ef\u4ee5\u653e\u5fc3 modprobe\u3002
\u4f60\u4e5f\u53ef\u4ee5\u5728\u8fd9\u4e00\u6b65\u540c\u65f6\u4fee\u6539\u522b\u7684\u914d\u7f6e\u6587\u4ef6\uff0c\u4f8b\u5982\u628a /etc/apt/sources.list
\u6362\u6389\u7b49\u3002\u4fee\u6539\u5b8c\u6210\u540e\u4e0d\u8981\u5fd8\u8bb0 umount\u3002
The first two or three boots may hang or end up in kernel panic - this is completely normal. The cloud image will grow the root partition and filesystem to the virtual disk size. After it's all set, purge everything related to cloud-init
.
For better console experiences, install and configure console-setup
, and add vga=792
to GRUB_CMDLINE_LINUX
in /etc/default/grub
. Then run update-grub
and reboot.
db/ustclug/ustclug.intranet
\uff09ifdown -a
/etc/network/interfaces
ifup -a
qemu-guest-agent
open-vm-tools
ssh
\u89c1 LDAP \u670d\u52a1\u4f7f\u7528\u53ca\u914d\u7f6e\u8bf4\u660e \u548c \u4e3a\u670d\u52a1\u5668\u8bbe\u7f6e SSH CA
"},{"location":"workflow/ldap/add-new-user/","title":"\u5728 LDAP \u4e2d\u6dfb\u52a0\u65b0\u7528\u6237","text":""},{"location":"workflow/ldap/add-new-user/#ldap_1","title":"\u65b0\u5efa LDAP \u7528\u6237","text":"POSIX > Group membership > Add\uff1a\u6839\u636e\u9700\u8981\u6dfb\u52a0\u7684\u6743\u9650\u9009\u62e9\u5bf9\u5e94\u7684\u7ec4\uff0c\u5177\u4f53\u8bf4\u660e\u8be6\u89c1 LDAP Users \u548c Groups
LDAP \u7f13\u5b58\u82e5\u53d1\u73b0\u7528\u6237\u65e0\u6cd5\u767b\u9646\u7b49\u60c5\u51b5\uff0c\u53ef\u80fd\u662f\u7f13\u5b58\u670d\u52a1 NSCD \u5bfc\u81f4\u7684\uff0c\u5177\u4f53\u53c2\u8003 LDAP Users \u548c Groups\uff1a
"},{"location":"workflow/mirrors/maintenance/","title":"\u5f00\u6e90\u8f6f\u4ef6\u955c\u50cf\u7ad9\u7ef4\u62a4\u65b9\u5f0f","text":"\u79d1\u5927\u5f00\u6e90\u8f6f\u4ef6\u955c\u50cf\u7ad9\u662f LUG \u6700\u91cd\u8981\u7684\u670d\u52a1\u4e4b\u4e00\uff0c\u56e0\u6b64\u7ef4\u62a4\u64cd\u4f5c\u5fc5\u987b\u8c28\u614e\u3002
"},{"location":"workflow/mirrors/maintenance/#_2","title":"\u91cd\u542f\u7cfb\u7edf","text":"\u7531\u4e8e mirrors \u670d\u52a1\u91cf\u5927\uff0c\u91cd\u542f\u5e94\u63d0\u524d\u5728 LUG \u670d\u52a1\u5668\u65b0\u95fb\u7ad9 \u53d1\u5e03\u516c\u544a\u3002
"},{"location":"workflow/mirrors/maintenance/#_3","title":"\u5b89\u88c5\u66f4\u65b0","text":""},{"location":"workflow/mirrors/maintenance/#_4","title":"\u666e\u901a\u66f4\u65b0","text":"\u591a\u6570\u66f4\u65b0\u53ef\u4ee5\u76f4\u63a5\u4ece apt \u6e90\u5b89\u88c5\uff0c\u4f46\u662f\u90e8\u5206\u8f6f\u4ef6\u5e76\u975e\u6765\u81ea Debian \u5b98\u65b9\u4ed3\u5e93\uff08\u4f8b\u5982 OpenResty\uff09\uff0c\u56e0\u6b64\u66f4\u65b0\u7b56\u7565\u53ef\u80fd\u4e0d\u50cf Debian \u90a3\u4e48\u7a33\u5b9a\u3002\u5982\u679c\u9047\u5230\u63d0\u793a\u914d\u7f6e\u6587\u4ef6\u51b2\u7a81\uff0c\u8bf7\u5c3d\u91cf\u9009\u62e9 3-way merge\uff0c\u5982\u679c\u5931\u8d25\u7684\u8bdd\u53ef\u4ee5\u5148 keep local version\uff0c\u7136\u540e\u624b\u52a8\u89e3\u51b3\u5408\u5e76\u51b2\u7a81\u3002
"},{"location":"workflow/mirrors/maintenance/#_5","title":"\u5185\u6838\u66f4\u65b0","text":"mirrors \u4f7f\u7528\u4e86\u5185\u6838\u6a21\u5757\u63d0\u4f9b\u4e00\u4e9b\u529f\u80fd\u652f\u6301\uff0c\u5982 ZFS\u3002\u56e0\u6b64\u53ea\u8981\u66f4\u65b0\u4e86\u5185\u6838\uff0c\u5c31\u4e00\u5b9a\u8981\u6ce8\u610f\u5185\u6838\u6a21\u5757\u662f\u5426\u5b89\u88c5\u6210\u529f\uff0c\u5982\u679c apt \u5b89\u88c5\u5931\u8d25\u53ef\u4ee5\u624b\u52a8\u8fd0\u884c dkms autoinstall
\uff0c\u4ee5\u786e\u4fdd\u65b0\u5185\u6838\u91cd\u542f\u65f6\u80fd\u6b63\u786e\u52a0\u8f7d\u5fc5\u987b\u7684\u5185\u6838\u6a21\u5757\u3002
\u5730\u5740\u6682\u65e0\uff0c\u4e00\u822c\u7528\u6d4f\u89c8\u5668\u76f4\u63a5\u8bbf\u95ee\u5c31\u884c\u4e86\u3002\u5982\u679c\u9700\u8981\u63a5\u5165\u7ec8\u7aef\uff0cDashboard \u5de6\u8fb9\u7684 Remote Control \u6709 Launch \u6309\u94ae\u3002\u5982\u679c\u6d4f\u89c8\u5668\u4e0d\u652f\u6301 Java \u5c31\u4f1a\u4e0b\u8f7d\u4e00\u4e2a jviewer.jnlp
\uff0c\u81ea\u884c\u89e3\u51b3 Java \u7684\u5b89\u5168\u8b66\u544a\u5373\u53ef\u4f7f\u7528\u3002
\u5f53\u7136\u5982\u679c\u4f1a\u7528 ipmitool
\u66f4\u597d\uff0c\u90a3\u8fd9\u4e00\u6bb5\u7684\u8bf4\u660e\u5c31\u4ea4\u7ed9\u4f60\u6765\u8865\u5145\u4e86 :)
ipmitool
\u7b80\u4ecb","text":"\u5c3d\u7ba1\u51e0\u4e4e\u6211\u4eec\u673a\u5668\u7684 IPMI \u90fd\u6709 Web \u754c\u9762\uff0c\u4f46\u662f Web \u754c\u9762\u4e0d\u4e00\u5b9a\u9760\u8c31\uff0c\u53ef\u80fd\u4f1a\u51fa\u73b0\u6545\u969c\u3002\u6b64\u65f6\uff0c\u6211\u4eec\u53ef\u4ee5\u4f7f\u7528 ipmitool
\u91cd\u7f6e IPMI \u7684\u72b6\u6001\uff08\u7cfb\u7edf\u914d\u7f6e\u4e0d\u4f1a\u6539\u53d8\uff09
\u53c2\u8003\u547d\u4ee4\uff1a
# \u4e00\u90e8\u5206 IPMI \u7684 interface \u662f lanplus \u800c\u4e0d\u662f lan\uff0c\u6bd4\u5982\u8bf4 mirrors3\nipmitool -I lan -H IPMI\u7684IP -U \u7528\u6237\u540d -a mc reset cold\n
\u5177\u4f53\u8be6\u60c5\u53ef\u4ee5\u770b ipmitool
\u7684 manpage\u3002
\u53e6\u5916: