From 7784428231b823d367a3ff128fc4dfa4b8e86574 Mon Sep 17 00:00:00 2001 From: GitHub Date: Fri, 29 Nov 2024 11:30:57 +0000 Subject: [PATCH] Auto deploy from GitHub Actions build 486 [a17c57c] iBug: inf/pro/nfs: Add pve-10 to backup target (using Rsync) --- infrastructure/proxmox/nfs/index.html | 8 +++++++- search/search_index.json | 2 +- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/infrastructure/proxmox/nfs/index.html b/infrastructure/proxmox/nfs/index.html index a2771cad..8eb7a826 100644 --- a/infrastructure/proxmox/nfs/index.html +++ b/infrastructure/proxmox/nfs/index.html @@ -2547,7 +2547,13 @@

NFS

-

NFS 服务器("vdp")是东图三个 PVE 机器的虚拟机存储,型号为 DELL PowerEdge R510。磁盘阵列由于在 2021 年 3 月初损坏,目前容量缩减到 8T(4 块 4T 蓝盘 RAID10)。除虚拟机外,NFS 也存储 LUG 成员的个人数据及 LUG FTP。NFS 服务恢复后,为了保证数据冗余性,使用 科大 Office 365 A1 账号、学校对象存储和 Rclone 每天增量备份 LUG FTP 和 LUG 成员的公开数据。Rclone 的备份方式参见机器上的 rclone-backup.timerrclone-backup.service

+

NFS 服务器("vdp")是东图三个 PVE 机器的虚拟机存储,型号为 DELL PowerEdge R510。磁盘阵列由于在 2021 年 3 月初损坏,目前容量缩减到 8T(4 块 4T 蓝盘 RAID10)。除虚拟机外,NFS 也存储 LUG 成员的个人数据及 LUG FTP。NFS 服务恢复后,为了保证数据冗余性,使用 Rclone 和 Rsync 每天增量备份 LUG FTP 和 LUG 成员的公开数据(public_html 目录)到以下位置:

+ +

具体的备份方式和命令参见机器上的 rclone-backup.timerrclone-backup.service

vdp 的内网连接依赖于 gateway-el。

可能的网络问题

diff --git a/search/search_index.json b/search/search_index.json index 5ea2ff4f..bbdd3f61 100644 --- a/search/search_index.json +++ b/search/search_index.json @@ -1 +1 @@ -{"config":{"lang":["en"],"separator":"[\\s\\-]+","pipeline":["stopWordFilter"]},"docs":[{"location":"","title":"LUG @ USTC Documentation","text":"

Documentation for LUG @ USTC technical infrastructure.

"},{"location":"#layout","title":"Layout","text":"

Our documentation is divided into these sections, as laid out on the left navigation menu:

"},{"location":"#links","title":"References","text":""},{"location":"faq/apparmor/","title":"AppArmor","text":""},{"location":"faq/apparmor/#proxmox-kernel-debian-userspace","title":"Proxmox kernel + Debian userspace","text":"

Proxmox \u4f7f\u7528 Ubuntu kernel\uff0c\u4f46\u662f Ubuntu kernel \u7684 apparmor \u76f8\u6bd4\u4e8e Debian kernel \u6dfb\u52a0\u4e86\u4e00\u4e9b feature\uff0c\u8bf8\u5982 Unix socket \u7ba1\u7406\u3002Debian \u7684 apparmor \u5305\u7684 /etc/apparmor/parser.conf \u9ed8\u8ba4\u914d\u7f6e\u9650\u5236\u4e86\u529f\u80fd\u96c6\u5408\uff1a

## Pin feature set (avoid regressions when policy is lagging behind\n## the kernel)\npolicy-features=/usr/share/apparmor-features/features\n

Proxmox \u7684 lxc \u652f\u6301\u5305\u4f1a\u8986\u76d6 /usr/share/apparmor-features/features \u4e3a Ubuntu \u7684\u7248\u672c\uff0c\u4f46\u662f\u5982\u679c\u53ea\u5b89\u88c5 Proxmox/Ubuntu kernel\uff0c\u5bf9\u5e94\u7684 features \u6587\u4ef6\u5c31\u4e0d\u5305\u542b Unix socket \u652f\u6301\uff0c\u8fd9\u4f1a\u76f4\u63a5\u5bfc\u81f4 Docker \u7b49\u7a0b\u5e8f\u5185\u90e8\u65e0\u6cd5\u521b\u5efa unix socket \u7b49\u3002

\u4e00\u4e2a workaround \u662f\u6ce8\u91ca\u6389 /etc/apparmor/parser.conf \u7684\u5bf9\u5e94\u884c\u3002

"},{"location":"faq/apparmor/#pve","title":"PVE \u7684\u89e3\u51b3\u65b9\u6848","text":"

\u540e\u7eed\u8c03\u67e5\u53d1\u73b0 lxc-pve \u6253\u5305\u4e86\u81ea\u5df1\u7684 /usr/share/apparmor-features/features \u5e76\u8986\u76d6\u4e86 Debian \u7684\u7248\u672c\uff0c\u56e0\u6b64\u6211\u4eec\u6a21\u4eff lxc-pve \u7684\u505a\u6cd5\u628a Debian \u7684\u7248\u672c\u8986\u76d6\u6389\uff0c\u7136\u540e\u4e0b\u8f7d Proxmox \u7684\u7248\u672c\uff1a

dpkg-divert --package lxc-pve --rename --divert /usr/share/apparmor-features/features.stock --add /usr/share/apparmor-features/features\nwget -O /usr/share/apparmor-features/features https://github.com/proxmox/lxc/raw/master/debian/features\n
"},{"location":"faq/dns/","title":"DNS \u57df\u540d\u89e3\u6790\u95ee\u9898","text":""},{"location":"faq/dns/#wrong-dns-result","title":"\u9519\u8bef\u7684\u89e3\u6790\u7ed3\u679c","text":"

\u6211\u4eec\u7684 DNS \u662f\u5206\u6821\u5185\u5916\u3001\u5206 ISP \u89e3\u6790\u7684\u3002\u6709\u65f6\u5019\u4f1a\u9047\u5230\u6821\u5185\u8bbf\u95ee\u89e3\u6790\u5230\u6821\u5916\uff0c\u53ef\u80fd\u7684\u539f\u56e0\u662f

/etc/resolv.conf \u987a\u5e8f\u4e0d\u5bf9

iBug \u5728 2020 \u5e74 5 \u6708 21 \u65e5\u4fee\u4e86 gw-el \u548c mirrors2\uff0c\u8fd9\u4e24\u4e2a\u673a\u5668\u4e0a\u539f\u5148\u6392\u5728\u6700\u524d\u9762\u7684 nameserver \u5c31\u662f 8.8.4.4 \u6216\u8005 1.1.1.1 \u4e4b\u7c7b\u7684

\u6211\u4eec\u7684\u6743\u5a01\u670d\u52a1\u5668\u4e24\u4e2a\u5728\u6821\u5185\u4e00\u4e2a\u5728\u56fd\u5185\uff0c\u56e0\u6b64\u6821\u5185\u673a\u5668\u5e94\u8be5\u4f18\u5148\u4ece\u6821\u5185\u89e3\u6790\u3002\u628a 202.38.64.1 / 2001:da8:d800::1\uff08\u5b66\u6821\u7684 DNS\uff09\u653e\u6700\u524d\u9762\u80af\u5b9a\u6ca1\u9519

\u5982\u679c IPv4 \u89e3\u6790\u6b63\u786e\u4f46\u662f IPv6 \u8fd8\u662f\u89e3\u6790\u5230\u6821\u5916\u7684\u8bdd\uff0c

/etc/resolv.conf \u7f3a\u5c11 IPv6 \u6761\u76ee

taoky \u5728 2020 \u5e74 5 \u6708 29 \u65e5\u53d1\u73b0\u7684\uff0cmirrors2 \u4e0a\u8bbf\u95ee servers.ustclug.org \u8fd4\u56de Cloudflare \u7684 522 \u9519\u8bef\u9875\u9762\uff08\u6b64\u65f6\u65e5\u672c\u53cd\u4ee3\u6302\u6389\u4e86\uff09\uff0c\u7ecf\u67e5\u5c3d\u7ba1 IPv4 \u6b63\u786e\u89e3\u6790\u5230\u4e86 gw-el \u4e0a\uff0c\u4f46\u662f IPv6 \u8fd8\u662f\u89e3\u6790\u5230\u4e86 Cloudflare \u4e0a\uff0c\u4e14 nslookup \u548c dig \u7b49\u5de5\u5177\u8f93\u51fa\u770b\u8d77\u6765\u90fd\u662f\u5bf9\u7684\u3002

\u6392\u67e5\u53d1\u73b0 /etc/resolv.conf \u91cc\u6ca1\u6709 IPv6 \u7684\u670d\u52a1\u5668\u6761\u76ee\uff0c\u5728\u9760\u524d\u7684\u4f4d\u7f6e\u63d2\u5165 nameserver 2001:da8:d800::1 \u540e\u89e3\u51b3\u3002

\u624b\u52a8\u6e05\u7a7a\u672c\u673a\u7684 DNS \u7f13\u5b58\uff1anscd -i hosts

\u6709\u65f6\u5019\u53ef\u80fd\u4f1a\u5728 DNS \u66f4\u65b0\u540e\u968f\u673a\u89e3\u6790\u51fa\u65b0\u65e7\u7ed3\u679c\uff0c\u53ef\u80fd\u7684\u539f\u56e0\u662f

ns-a \u6ca1\u66f4\u65b0

ns-a \u673a\u5668\u6bd4\u8f83\u8001\u65e7\uff0c\u7f51\u7edc\u53ef\u80fd\u4e0d\u987a\u7545\uff0c\u624b\u52a8\u628a ns-a \u66f4\u65b0\u4e00\u4e0b\u5c31\u884c\u4e86\uff08

"},{"location":"faq/docker/","title":"Docker \u76f8\u5173\u95ee\u9898","text":""},{"location":"faq/docker/#debian-11-aufs","title":"Debian 11 \u4e2d\u4e0d\u518d\u652f\u6301 aufs","text":"

\u4ece Debian 10 \u5347\u7ea7\u5230 Debian 11 \u65f6\uff0caufs-dkms \u4e0d\u518d\u5305\u542b\u5728\u65b0\u5185\u6838\u4e2d\uff1a

aufs-dkms \u8f6f\u4ef6\u5305\u5c06\u4e0d\u4f5c\u4e3a bullseye \u7684\u4e00\u90e8\u5206\u51fa\u73b0\u3002\u5927\u591a\u6570 aufs-dkms \u7528\u6237\u5e94\u5f53\u5207\u6362\u81f3 overlayfs\uff0c\u540e\u8005\u63d0\u4f9b\u4e86\u76f8\u4f3c\u7684\u529f\u80fd\u4e14\u5177\u6709\u5185\u6838\u7684\u652f\u6301\u3002\u7136\u800c\uff0c\u67d0\u4e9b Debian \u5b89\u88c5\u5b9e\u4f8b\u53ef\u80fd\u4f7f\u7528\u4e86\u4e0d\u517c\u5bb9 overlayfs \u7684\u6587\u4ef6\u7cfb\u7edf\uff0c\u5982\u4e0d\u5e26\u6709 d_type \u7684 xfs\u3002\u6211\u4eec\u5efa\u8bae\u9700\u8981\u4f7f\u7528 aufs-dkms \u7684\u7528\u6237\u5728\u5347\u7ea7\u81f3 bullseye \u4e4b\u524d\u5148\u8fdb\u884c\u8fc1\u79fb\u3002

(https://www.debian.org/releases/bullseye/amd64/release-notes/ch-information.zh-cn.html)

\u5bf9\u4e8e\u8001\u673a\u5668\u6765\u8bf4\u9700\u8981\u63d0\u524d\u786e\u8ba4 Docker \u7684 storage driver\uff1a

$ sudo docker info\n// ...\nServer:\n // ...\n Storage Driver: overlay2\n  Backing Filesystem: extfs\n  Supports d_type: true\n  Native Overlay Diff: true\n  userxattr: false\n

\u8fd9\u91cc\u5982\u679c\u662f overlay2 \u90a3\u4e48\u5c31\u6ca1\u95ee\u9898\uff0c\u5982\u679c\u662f aufs \u7684\u8bdd\u5c31\u9700\u8981\u63d0\u524d\u786e\u8ba4\uff0c\u56e0\u4e3a\u5207\u6362\u5230 overlay2 \u4e4b\u540e\u73b0\u6709\u7684\u5bb9\u5668\u548c\u5bb9\u5668\u955c\u50cf\u90fd\u4f1a\u4e22\u5931\uff0c\u9700\u8981\u91cd\u65b0\u521b\u5efa\u3002\u6240\u4ee5\u9700\u8981\u786e\u4fdd\u5bb9\u5668\uff08container\uff09\u548c\u955c\u50cf\uff08image\uff09\u662f\u53ef\u590d\u73b0\u7684\u3002

\u5728\u5347\u7ea7\u7cfb\u7edf\u540e\uff0c\u7f16\u8f91 /etc/docker/daemon.json\uff0c\u52a0\u4e0a\uff1a

\"storage-driver\": \"overlay2\"\n

\u7136\u540e\u542f\u52a8 docker\uff0c\u91cd\u65b0\u521b\u5efa\u5bb9\u5668\u3002

"},{"location":"faq/ldap/","title":"LDAP \u5957\u4ef6\u95ee\u9898","text":""},{"location":"faq/ldap/#gosa","title":"GOsa \u95ee\u9898","text":"

User \u754c\u9762\u6253\u5f00\u65f6\u62a5\u9519

\u5982\u679c\u5728 GOsa \u4e2d\u521b\u5efa\u4e86\u4e00\u4e2a\u65b0\u7528\u6237\uff0c\u5374\u6ca1\u6709\u5728\u6700\u540e\u4e3a\u4ed6\u8bbe\u7f6e\u5bc6\u7801\uff0c\u5c31\u4f1a\u51fa\u73b0\u6b64\u95ee\u9898\uff0c\u6253\u5f00 User \u754c\u9762\u540e\u4f1a\u6709\u62a5\u9519\uff1a

Fatal error: Uncaught ArgumentCountError: Too few arguments to function userManagement::filterLockLabel(), 0 passed in /usr/share/gosa/include/class_listing.inc on line 856 and exactly 1 expected in /usr/share/gosa/plugins/admin/users/class_userManagement.inc:856\nStack trace:\n#0 /usr/share/gosa/include/class_listing.inc(856): userManagement::filterLockLabel()\n#1 /usr/share/gosa/include/class_listing.inc(980): listing->processElementFilter('%{filter:lockLa...', Array, 50)\n#2 /usr/share/gosa/include/class_listing.inc(853): listing->filterActions('cn=...,ou=...', 50, Array)\n#3 /usr/share/gosa/include/class_listing.inc(764): listing->processElementFilter('%{filter:action...', Array, 50)\n#4 /usr/share/gosa/include/class_listing.inc(407): listing->renderCell('%{filter:action...', Array, 50)\n#5 /usr/share/gosa/include/class_management.inc(233): listing->render()\n#6 /usr/share/gosa/include/class_management.inc(222): management->renderList()\n#7 /usr/share/gosa/plugins/admin/users/main.inc(44): management->execute()\n#8 /usr/sh in /usr/share/gosa/plugins/admin/users/class_userManagement.inc on line 856\n

\u8fd9\u662f\u56e0\u4e3a GOsa \u65e0\u6cd5\u8bfb\u53d6\u5230\u7528\u6237\u5bc6\u7801\u7684 Hash\uff0c\u800c LDAP \u5374\u5141\u8bb8\u7528\u6237\u6ca1\u6709\u5bc6\u7801\u3002 \u53ea\u9700\u4e3a\u65b0\u7684\u7528\u6237\u8bbe\u7f6e\u5bc6\u7801\u6216\u5220\u9664\u65b0\u7684\u7528\u6237\u5373\u53ef\u3002

\u65b0\u7248 GOsa \u65e0\u6cd5\u521b\u5efa/\u4fee\u6539\u7528\u6237

\u8868\u73b0\u4e3a\u62a5\u9519 Uncaught ReflectionException: Property LDAP::$count does not exist\u3002

\u53c2\u89c1 Debian bug #1077759

\u4e34\u65f6\u89e3\u51b3\u65b9\u6cd5\uff1a\u4fee\u6539 /usr/share/gosa/plugins/personal/generic/class_user.inc\uff0c\u5c06 1357 \u884c $ldap->cat($ldap->count) \u4fee\u6539\u4e3a $ldap->cat($this->new_dn)\uff0c\u4e14\u6ce8\u91ca\u6389\u4e0b\u4e00\u4e2a if \u8bed\u53e5\uff08if ($ldap->count != 0 \u5f00\u5934\uff09\u3002

"},{"location":"faq/ldap/#slapd","title":"Slapd","text":"

Slapd \u662f OpenLDAP \u7684\u670d\u52a1\u7aef daemon\u3002\u6b63\u5e38\u60c5\u51b5\u4e0b\u4e0d\u9700\u8981\u78b0\uff0c\u4f46\u662f\u5982\u679c\u8981\u78b0\u7684\u65f6\u5019\uff0c\u4f60\u4f1a\u53d1\u73b0\u5b83\u7684\u914d\u7f6e\u6781\u5176\u590d\u6742\u9ebb\u70e6\u3002

\u4fee\u6539\u524d\u4e00\u5b9a\u8981\u5148\u6253\u865a\u62df\u673a\u5feb\u7167\uff01\uff01\uff01

\u5c0f\u5fc3\u5ef6\u6bd5

"},{"location":"faq/ldap/#migrate-hdb-to-mdb","title":"Migrate hdb to mdb","text":"

slapd-hdb \u5728 Debian 11 \u5373\u5c06\u88ab deprecate\uff0c\u6240\u4ee5\u5728 2021/08/15 \u7ec4\u7ec7\u4e86\u4e00\u6b21 migrate\u3002

\u7f51\u4e0a\u8d44\u6599\u5f88\u5c11\uff0c\u53c2\u8003\u4e86\uff1a

  1. https://github.com/osixia/docker-openldap/issues/97
  2. https://gist.github.com/wenzhixin/4705697206cdbf61bc88

\u6b65\u9aa4\uff1a

  1. \u865a\u62df\u673a\u5feb\u7167\u6253\u597d\u3002
  2. \u5907\u4efd\u6570\u636e\u5e93\uff1aslapcat -v -l dump.ldif
  3. \u5907\u4efd /etc/ldap \u4ee5\u53ca /var/lib/ldap
  4. \u628a /etc/ldap/slapd.d \u4ee5\u53ca /var/lib/ldap \u5220\u6389\uff08\u6216\u8005\u6539\u540d\uff09
  5. \u8fd0\u884c dpkg-reconfigure slapd
  6. \u521b\u5efa /tmp/ldapconvert \u76ee\u5f55\uff0c\u8fd0\u884c slaptest -f /etc/ldap/convert.conf -F /tmp/ldapconvert
  7. \u6e05\u7a7a /etc/ldap/slapd.d/cn=config/cn=schema/ \u4e0b\u7684\u6587\u4ef6\uff0c\u5c06 /tmp/ldapconvert/slapd.d/cn=config/cn=schema/ \u4e0b\u7684\u6587\u4ef6\u590d\u5236\u5230 /etc/ldap/slapd.d/cn=config/cn=schema/ \u5c06 slapd.d \u5907\u4efd\u4e2d cn=config/cn=schema/ \u7684\u6587\u4ef6\u590d\u5236\u5230\u65b0\u7684 slapd.d \u5bf9\u5e94\u7684\u76ee\u5f55\u4e0b\uff0c\u5e76\u4e14\u4fee\u6539 owner \u4e3a openldap:openldap
  8. \u91cd\u542f slapd\uff0c\u5982\u679c\u542f\u52a8\u5931\u8d25\uff0c\u770b systemctl status slapd \u7684\u65e5\u5fd7\u8f93\u51fa debug\u3002
  9. \u6062\u590d\u6570\u636e\u5e93\uff1aslapadd -l dump.ldif\u3002\u6ce8\u610f\uff0cmdb \u6ca1\u6709\u4e8b\u52a1\uff01\u5982\u679c\u4e2d\u95f4\u51fa\u9519\u4e86\uff0c\u6392\u67e5\u95ee\u9898\u540e\uff0c\u6e05\u7a7a /var/lib/ldap\uff0c\u91cd\u542f slapd \u91cd\u6765\u3002

\u6062\u590d\u6210\u529f\u540e\uff0c\u6709\u4e9b\u914d\u7f6e\u9700\u8981\u624b\u52a8\u8bbe\u7f6e\uff1a

  1. TLS/SSL

    # ldapmodify -H ldapi:/// -Y EXTERNAL << EOF\n> dn: cn=config\n> changetype: modify\n> replace: olcTLSCertificateFile\n> olcTLSCertificateFile: /etc/ldap/ssl/slapd-server.crt\n> -\n> replace: olcTLSCACertificateFile\n> olcTLSCACertificateFile: /etc/ldap/ssl/slapd-ca-cert.pem\n> -\n> replace: olcTLSCertificateKeyFile\n> olcTLSCertificateKeyFile: /etc/ldap/ssl/slapd-server.key\n>\n> EOF\n
  2. \u52a0\u8f7d pw-sha2.la\uff08\u82e5\u4f7f\u7528 ssha512/256 \u5219\u9700\u8981\u52a0\u8f7d\uff09

    # ldapmodify -H ldapi:/// -Y EXTERNAL << EOF\n> dn: cn=module,cn=config\n> cn: module\n> objectClass: olcModuleList\n> olcModulePath: /usr/lib/ldap/\n> olcModuleLoad: pw-sha2.la\n>\n> EOF\n
  3. \u4e3a sudoUser \u8bbe\u7f6e index

    # ldapadd -Y EXTERNAL -H ldapi:/// << EOF\n> dn: olcDatabase={1}mdb,cn=config\n> changetype: modify\n> add: olcDbIndex\n> olcDbIndex: sudoUser eq,sub\n>\n> EOF\n
  4. \u66f4\u6539\u9ed8\u8ba4\u5bc6\u7801\u5b58\u50a8\u9009\u9879\uff08\u53ef\u9009\uff09

    \u66f4\u6539\u4e3a crypt/yescrypt

    # ldapmodify -Y EXTERNAL -H ldapi:/// << EOF\n> dn: olcDatabase={-1}frontend,cn=config\n> add: olcPasswordHash\n> olcPasswordHash: {CRYPT}\n> \n> dn: cn=config\n> add: olcPasswordCryptSaltFormat\n> olcPasswordCryptSaltFormat: $y$j9T$%s\n

    \u66f4\u6539\u4e3a ssha512\uff08\u9700\u8981 pw-sha2.la\uff0c\u4e5f\u53ef\u53c2\u7167\u4e0a\u8ff0 yescrypt \u7684\u914d\u7f6e\u66f4\u6539\u4e3a crypt/ssha512\uff09

    # ldapmodify -Y EXTERNAL -H ldapi:/// << EOF\n> dn: olcDatabase={-1}frontend,cn=config\n> add: olcPasswordHash\n> olcPasswordHash: {SSHA512}\n

    \u5982\u679c\u62a5\u9519\u5df2\u7ecf\u5b58\u5728\uff0c\u53ef\u4ee5\u7528 replace \u9009\u9879\uff0c\u4ee5 crypt/yescrypt \u4e3a\u4f8b\uff1a

    # ldapmodify -Y EXTERNAL -H ldapi:/// << EOF\n> dn: olcDatabase={-1}frontend,cn=config\n> changetype: modify\n> replace: olcPasswordHash\n> olcPasswordHash: {CRYPT}\n> \n> dn: cn=config\n> changetype: modify\n> replace: olcPasswordCryptSaltFormat\n> olcPasswordCryptSaltFormat: $y$j9T$%s\n

    \u6ce8\u610f\u5728\u4f7f\u7528\u4e0a\u8ff0 hash \u65b9\u5f0f\u7684\u65f6\u5019\u8fdb\u5165 gosa \u7528\u6237\u9875\u9762\u65f6\u53ef\u80fd\u4f1a\u62a5\u9519 Cannot find a suitable password method for the current hash

"},{"location":"faq/ldap/#lastbind-overlay","title":"\u914d\u7f6e lastbind overlay","text":"

lastbind \u7528\u4e8e\u5728\u7528\u6237\u767b\u5f55\u65f6\u767b\u8bb0\u65f6\u95f4\u6233\uff0c\u4ee5\u65b9\u4fbf\u786e\u8ba4\u54ea\u4e9b\u7528\u6237\u957f\u65f6\u95f4\u6ca1\u6709\u767b\u5f55\uff0c\u4fbf\u4e8e\u6e05\u7406\u3002\u7531\u4e8e\u6211\u4eec\u4f7f\u7528 OLC (cn=config) \u914d\u7f6e\uff0c\u7f51\u7edc\u8d44\u6599\u4e0d\u591a\uff0c\u7279\u6b64\u8bb0\u5f55\u3002

  1. \u52a0\u8f7d\u6a21\u5757

    dn: cn=module{0},cn=config\nchangetype: modify\nadd: olcModuleLoad\nolcModuleLoad: lastbind.la\n

    \u4fdd\u5b58\u5230 load_lastbind.ldif\uff0c\u7136\u540e\uff1a

    $ sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f load_lastbind.ldif\nSASL/EXTERNAL authentication started\nSASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\nSASL SSF: 0\nmodifying entry \"cn=module{0},cn=config\"\n
  2. \u6dfb\u52a0 lastbind overlay

    dn: olcOverlay=lastbind,olcDatabase={1}mdb,cn=config\nobjectClass: olcLastBindConfig\nobjectClass: olcOverlayConfig\nolcOverlay: lastbind\nolcLastBindPrecision: 60\n

    \u4fdd\u5b58\u5230 add_lastbind.ldif\uff0c\u7136\u540e\uff1a

    $ sudo ldapadd -Y EXTERNAL -H ldapi:/// -f add_lastbind.ldif\nSASL/EXTERNAL authentication started\nSASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\nSASL SSF: 0\nadding new entry \"olcOverlay=lastbind,olcDatabase={1}mdb,cn=config\"\n

\u53ef\u4ee5\u4f7f\u7528 ldapsearch \u83b7\u53d6\u7528\u6237\u7684 authTimestamp\u3002\u4ece\u672a\u767b\u5f55\u8fc7\u7684\u7528\u6237\u65e0\u8bb0\u5f55\uff1a

sudo ldapsearch -x -LLL -H ldapi:/// -b \"dc=lug,dc=ustc,dc=edu,dc=cn\" \"(authTimestamp=*)\" dn authTimestamp\n
"},{"location":"faq/nginx/","title":"Nginx \u76f8\u5173\u914d\u7f6e","text":""},{"location":"faq/nginx/#git-host-specific","title":"\u4f7f\u7528 Git \u540c\u6b65\u914d\u7f6e\uff0c\u4f46\u9700\u8981 host-specific \u7684\u914d\u7f6e","text":"
  1. Nginx \u81ea\u5e26\u4e00\u4e2a\u53d8\u91cf $hostname \u53ef\u4ee5\u5728\u5408\u9002\u7684\u5730\u65b9\u7528\u6765 if \u6216\u8005 map\uff0c\u4f46\u662f\u5728\u8fd9\u4e2a\u529e\u6cd5\u4e0d\u9876\u7528\u7684\u65f6\u5019\uff08\u4f8b\u5982\uff0cresolver \u4e0d\u652f\u6301\u53d8\u91cf\uff09\u5c31\u53ea\u80fd\u7528\u4e0b\u9762\u8fd9\u4e2a\u7b28\u529e\u6cd5\u4e86\u3002
  2. \u628a\u9700\u8981 host-specific \u7684\u90a3\u4e2a\u6587\u4ef6\u52a0\u5165 .gitignore\uff0c\u7136\u540e\u5728\u5408\u9002\u7684\u4f4d\u7f6e\u7559\u4e0b\u4e00\u4e2a README\u3002
"},{"location":"faq/nginx/#_1","title":"\u6587\u4ef6\u6253\u5f00\u6570\u5927\u5c0f\u9650\u5236","text":"

\u5728\u9ed8\u8ba4\u8bbe\u7f6e\u4e2d\uff0cnginx \u7684\u6700\u5927\u6587\u4ef6\u6253\u5f00\u6570\u4e0a\u9650\u5e76\u4e0d\u5927\u3002\u5f53\u6709\u5927\u91cf\u8bbf\u95ee\u65f6\uff0c\u6587\u4ef6\u6253\u5f00\u6570\u53ef\u80fd\u4f1a\u8d85\u8fc7\u9650\u989d\uff0c\u5bfc\u81f4\u7f51\u7ad9\u54cd\u5e94\u7f13\u6162\u3002\u5728\u65b0\u914d\u7f6e\u670d\u52a1\u5668\u65f6\uff0c\u8fd9\u4e00\u9879\u8bbe\u7f6e\u5f88\u5bb9\u6613\u88ab\u5ffd\u7565\u6389\u3002

\u89e3\u51b3\u65b9\u6cd5\uff1a

  1. sudo systemctl edit nginx.service\uff08\u90e8\u5206\u673a\u5668\u4e0a\u7684\u670d\u52a1\u540d\u53ef\u80fd\u4e3a openresty.service\uff09
  2. \u5728\u6253\u5f00\u7684 override \u6587\u4ef6\u7684 [Service] \u4e0b\u65b9\u6dfb\u52a0 LimitNOFILE=524288\uff08\u89c6\u60c5\u51b5\u8fd9\u4e2a\u503c\u53ef\u4ee5\u76f8\u5e94\u8c03\u6574\uff09
"},{"location":"faq/nginx/#gateway-tmpmem","title":"\u5173\u4e8e gateway \u914d\u7f6e\u4e2d\u7684 /tmp/mem \u8def\u5f84","text":"

\u66f4\u65b0

\u6211\u4eec\u5df2\u4e0d\u518d\u5728 nginx.conf \u91cc\u4f7f\u7528 /tmp/mem \u4e86\uff0c\u4ee5\u4e0b\u5185\u5bb9\u4ec5\u4f5c\u5b58\u6863\u3002

\u9519\u8bef\u8868\u73b0\u662f systemctl start nginx.service \u5931\u8d25\uff0c\u4f7f\u7528 status \u6216 journalctl \u53ef\u4ee5\u770b\u5230\u4ee5\u4e0b\u4fe1\u606f\uff1a

[emerg] mkdir() \"/tmp/mem/nginx_temp\" failed (2: No such file or directory)\n

\u8fd9\u662f\u56e0\u4e3a\u6211\u4eec\u7684 nginx.conf \u4e2d\u94a6\u70b9\u4e86 proxy_temp /tmp/mem/nginx_temp\uff0c\u800c /tmp/mem \u662f\u6211\u4eec\u81ea\u5df1\u5efa\u7684\u4e00\u4e2a tmpfs \u6302\u8f7d\u70b9\uff0c\u5b83\u4e0d\u662f\u4efb\u4f55\u53d1\u884c\u7248\u7684\u9ed8\u8ba4\u914d\u7f6e\uff0c\u6240\u4ee5\u65b0\u88c5\u7684\u7cfb\u7edf\u5982\u679c\u76f4\u63a5 pull \u4e86\u8fd9\u4efd nginx config \u5c31\u4f1a\u62a5\u4ee5\u4e0a\u9519\u8bef\u3002

\uff08\u4f7f\u7528 /tmp/mem \u7684\u539f\u56e0\u662f\uff0c\u7531\u4e8e nginx \u53cd\u4ee3\u9700\u8981\u9891\u7e41\u8bfb\u5199\u4e34\u65f6\u6587\u4ef6\uff0c\u4e3a\u4e86\u51cf\u5c11\u78c1\u76d8 IO \u5360\u7528\uff0c\u6545\u5c06\u5176\u4e34\u65f6\u6587\u4ef6\u653e\u5165\u5185\u5b58\u4e2d\uff09

\u6b63\u786e\u7684\u89e3\u51b3\u65b9\u6cd5\u662f\u8865\u4e0a\u5bf9\u5e94\u7684 fstab \u884c\uff1a

tmpfs   /tmp/mem    tmpfs   0   0\n

\u5982\u679c\u521b\u5efa/\u6302\u8f7d\u4e86 /tmp/mem \u540e\uff0c\u542f\u52a8\u4ecd\u7136\u51fa\u9519\uff0c\u5219\u9700\u8981\u68c0\u67e5 openresty.service/nginx.service \u6587\u4ef6\u4e2d\u662f\u5426\u5305\u542b PrivateTmp=yes\u3002\u5982\u679c\u5305\u542b\uff0c\u5219\u9700\u8981 systemctl edit\uff0c\u5c06\u6b64\u9879\u8bbe\u7f6e\u4e3a false\u3002

fstab \u4e0e systemd

\u8c03\u6574 fstab \u4e4b\u540e\uff0c\u9700\u8981\u6267\u884c systemctl daemon-reload\uff0c\u5426\u5219 systemd \u53ef\u80fd\u4f1a\u5728\u7b2c\u4e8c\u65e5\u51cc\u6668\u6302\u8f7d\u5df2\u88ab\u6ce8\u91ca\u7684\u78c1\u76d8\u9879\u3002

"},{"location":"faq/nginx/#openresty","title":"OpenResty","text":""},{"location":"faq/nginx/#lua","title":"Lua \u76f8\u5173","text":"

\u8fd9\u91cc\u5173\u6ce8\u4e09\u4e2a\u76f8\u5173\u7684\u6b65\u9aa4\uff1aaccess_by, log_by \u548c header_filter_by\uff0c\u4ee5\u53ca ngx.ctx \u548c ngx.var \u7684\u6ce8\u610f\u4e8b\u9879\u3002

\u6d4b\u8bd5\u7528 server \u5757\uff1a

server {\n    listen 80 default_server;\n    listen [::]:80 default_server;\n\n    root /var/www/html;\n\n    index index.html index.htm index.nginx-debian.html;\n\n    server_name _;\n\n    set $testvar \"\";\n    access_by_lua_file /etc/nginx/lua/access.lua;\n    header_filter_by_lua_file /etc/nginx/lua/header_filter.lua;\n    log_by_lua_file /etc/nginx/lua/log.lua;\n\n    location / {\n        try_files $uri $uri/ =404;\n    }\n\n    location /lua-test0 {\n        return 302 /lua-test1;\n    }\n\n    location /lua-test1 {\n        return 200;\n    }\n\n    location /lua-test2 {\n        try_files $uri $uri/ @internal1;\n    }\n\n    location @internal1 {\n        return 418;\n    }\n}\n

\u4e09\u4e2a lua:

/etc/nginx/lua/access.lua
local ctx = ngx.ctx\nctx.testvar = \"testvar\"\nngx.var.testvar = \"testvar\"\nngx.log(ngx.ERR, \"ctx \", ctx.testvar)\nngx.log(ngx.ERR, \"var \", ngx.var.testvar)\n
/etc/nginx/lua/header_filter.lua
local ctx = ngx.ctx\n\nngx.log(ngx.ERR, \"ctx \", ctx.testvar)\nngx.log(ngx.ERR, \"var \", ngx.var.testvar)\n
/etc/nginx/lua/log.lua
local ctx = ngx.ctx\n\nngx.log(ngx.ERR, \"ctx \", ctx.testvar)\nngx.log(ngx.ERR, \"var \", ngx.var.testvar)\n
"},{"location":"faq/nginx/#rewritereturn-access_by","title":"rewrite/return \u4e0e access_by","text":"

\u8bbf\u95ee localhost/lua-test0 \u6216\u8005 localhost/lua-test1\uff0c\u6ca1\u6709 access.lua \u7684\u8f93\u51fa\uff1a

2024/07/22 02:50:16 [error] 9465#9465: *12 [lua] header_filter.lua:3: ctx nil, client: 127.0.0.1, server: _, request: \"GET /lua-test0 HTTP/1.1\", host: \"localhost\"\n2024/07/22 02:50:16 [error] 9465#9465: *12 [lua] header_filter.lua:4: var nil, client: 127.0.0.1, server: _, request: \"GET /lua-test0 HTTP/1.1\", host: \"localhost\"\n2024/07/22 02:50:16 [error] 9465#9465: *12 [lua] log.lua:3: ctx nil while logging request, client: 127.0.0.1, server: _, request: \"GET /lua-test0 HTTP/1.1\", host: \"localhost\"\n2024/07/22 02:50:16 [error] 9465#9465: *12 [lua] log.lua:4: var nil while logging request, client: 127.0.0.1, server: _, request: \"GET /lua-test0 HTTP/1.1\", host: \"localhost\"\n

\u5982\u679c\u8bbf\u95ee localhost/somefile\uff0c\u662f\u6709\u8f93\u51fa\u7684\uff1a

2024/07/22 03:03:42 [error] 9628#9628: *19 [lua] access.lua:4: ctx testvar, client: 127.0.0.1, server: _, request: \"GET /somefile HTTP/1.1\", host: \"localhost\"\n2024/07/22 03:03:42 [error] 9628#9628: *19 [lua] access.lua:5: var testvar, client: 127.0.0.1, server: _, request: \"GET /somefile HTTP/1.1\", host: \"localhost\"\n2024/07/22 03:03:42 [error] 9628#9628: *19 [lua] header_filter.lua:3: ctx testvar, client: 127.0.0.1, server: _, request: \"GET /somefile HTTP/1.1\", host: \"localhost\"\n2024/07/22 03:03:42 [error] 9628#9628: *19 [lua] header_filter.lua:4: var testvar, client: 127.0.0.1, server: _, request: \"GET /somefile HTTP/1.1\", host: \"localhost\"\n2024/07/22 03:03:42 [error] 9628#9628: *19 [lua] log.lua:3: ctx testvar while logging request, client: 127.0.0.1, server: _, request: \"GET /somefile HTTP/1.1\", host: \"localhost\"\n2024/07/22 03:03:42 [error] 9628#9628: *19 [lua] log.lua:4: var testvar while logging request, client: 127.0.0.1, server: _, request: \"GET /somefile HTTP/1.1\", host: \"localhost\"\n

\u8fd9\u662f\u56e0\u4e3a return \u8bed\u53e5\u53d1\u751f\u5728 rewrite \u9636\u6bb5\uff0c\u56e0\u6b64\u8df3\u8fc7\u4e86 access \u9636\u6bb5\uff0caccess_by_lua_block \u5c31\u6ca1\u6709\u88ab\u6267\u884c\u3002\u56e0\u6b64 Content phase \u4e2d\u7684\u7a0b\u5e8f\u4e0d\u80fd\u5047\u8bbe access_by \u80af\u5b9a\u88ab\u6267\u884c\u4e86\u3002

"},{"location":"faq/nginx/#ngxctx","title":"ngx.ctx","text":"

https://github.com/openresty/lua-nginx-module?tab=readme-ov-file#ngxctx

\u652f\u6301\u4efb\u610f lua \u6570\u636e\u7ed3\u6784\u7684\uff0c\u4e0e\u5355\u72ec request \u7ed1\u5b9a\u7684\u72b6\u6001\u53d8\u91cf\u3002\u540c\u65f6\u4e5f\u4e0d\u9700\u8981\u50cf ngx.var \u4e00\u6837\u63d0\u524d set\u3002

\u5c0f\u5fc3\u5185\u90e8\u8df3\u8f6c

Internal redirects (triggered by nginx configuration directives like error_page, try_files, index and etc) will destroy the original request ngx.ctx data (if any) and the new request will have an empty ngx.ctx table.

\u8bbf\u95ee localhost/lua-test2\uff08\u5047\u8bbe\u524d\u9762\u7684 try_files \u5931\u8d25\uff09\uff1a

2024/07/22 03:10:15 [error] 9630#9630: *22 [lua] access.lua:4: ctx testvar, client: 127.0.0.1, server: _, request: \"GET /lua-test2 HTTP/1.1\", host: \"localhost\"\n2024/07/22 03:10:15 [error] 9630#9630: *22 [lua] access.lua:5: var testvar, client: 127.0.0.1, server: _, request: \"GET /lua-test2 HTTP/1.1\", host: \"localhost\"\n2024/07/22 03:10:15 [error] 9630#9630: *22 [lua] header_filter.lua:3: ctx nil, client: 127.0.0.1, server: _, request: \"GET /lua-test2 HTTP/1.1\", host: \"localhost\"\n2024/07/22 03:10:15 [error] 9630#9630: *22 [lua] header_filter.lua:4: var testvar, client: 127.0.0.1, server: _, request: \"GET /lua-test2 HTTP/1.1\", host: \"localhost\"\n2024/07/22 03:10:15 [error] 9630#9630: *22 [lua] log.lua:3: ctx nil while logging request, client: 127.0.0.1, server: _, request: \"GET /lua-test2 HTTP/1.1\", host: \"localhost\"\n2024/07/22 03:10:15 [error] 9630#9630: *22 [lua] log.lua:4: var testvar while logging request, client: 127.0.0.1, server: _, request: \"GET /lua-test2 HTTP/1.1\", host: \"localhost\"\n

\u8fd9\u4e2a\u95ee\u9898\u5bf9\u4e00\u4e9b\u9700\u8981\u5728 access \u4e2d\u505a\u4e00\u4e9b\u4e8b\u60c5\uff0c\u5c06\u72b6\u6001\u5b58\u50a8\u5728 ngx.ctx \u4e2d\uff0c\u7136\u540e\u5728 header_filter \u6216\u8005 log \u4e2d\u53d6\u6d88\u5bf9\u5e94\u6548\u679c\u7684\u903b\u8f91\uff08\u4f8b\u5982 resty.limit.conn \u5728\u8bbf\u95ee\u7684\u6587\u4ef6\u5f53\u524d\u4e0d\u5b58\u5728\u7684\u60c5\u51b5\u4e0b\uff09\u6765\u8bf4\u662f\u81f4\u547d\u7684\u3002

"},{"location":"faq/nginx/#ngxvar","title":"ngx.var","text":"

https://github.com/openresty/lua-nginx-module?tab=readme-ov-file#ngxvarvariable

\u4f7f\u7528\u6709\u4e00\u4e9b\u9ebb\u70e6\uff1a

\u4f46\u662f\u76f8\u6bd4\u4e8e ngx.ctx\uff0c\u6700\u5927\u7684\u4f18\u52bf\u5c31\u662f\u5373\u4f7f\u7ecf\u8fc7\u4e86 internal redirection\uff0cngx.var \u7684\u5185\u5bb9\u4e5f\u4f1a\u4fdd\u7559\u3002

\u7531\u4e8e ngx.var \u5176\u672c\u8eab\u4e0d\u9002\u5408\u5b58\u50a8\u590d\u6742\u7684\u7ed3\u6784\uff0c\u7b2c\u4e09\u65b9\u6a21\u5757 (lua-resty-ctxdump, 2-clause BSD license) \u5904\u7406\u8fd9\u4e2a\u95ee\u9898\u7684\u505a\u6cd5\u662f\uff1a\u5c06\u5b9e\u9645\u5185\u5bb9\u4fdd\u5b58\u5728\u6a21\u5757\u5185\u90e8\u7684 memo \u8868\u4e2d\uff0c\u800c\u9700\u8981\u5b58\u50a8\u5728 ngx.var \u91cc\u9762\u7684\u53ea\u662f memo \u8868\u7684 key\uff08\u6570\u5b57\uff09\u3002

"},{"location":"faq/nginx/#_2","title":"\u6a21\u5757\u7ba1\u7406","text":"

OpenResty \u5b98\u65b9\u63a8\u8350\u4f7f\u7528 opm (openresty-opm) \u7ba1\u7406\u6a21\u5757\u3002\u624b\u52a8\u7ef4\u62a4\u6a21\u5757\u7684\u8bdd\u9700\u8981\u81ea\u884c\u5904\u7406\u914d\u7f6e\uff0c\u5bf9\u5e94\u7684\u662f lua_package_path\uff08http \u5757\u5185\uff0c\u5206\u53f7\u5206\u5272\u8def\u5f84\uff0c\u6700\u540e ;; \u4ee3\u8868\u5185\u7f6e\u7684\u539f\u59cb\u8def\u5f84\uff09\u3002

\u4f8b\u5982\uff1a

lua_package_path \"/etc/nginx/lua/module/?.lua;;\";\n

\u4ee5 https://github.com/tokers/lua-resty-ctxdump/blob/master/lib/resty/ctxdump.lua \u4e3a\u4f8b\uff0c\u4e0b\u8f7d\u5230 /etc/nginx/lua/module/ \u4e0b\u4e4b\u540e\uff0c\u5c31\u53ef\u4ee5\u5728\u5176\u4ed6 lua \u6587\u4ef6\u5185\u4f7f\u7528\u4e86\uff1a

/etc/nginx/lua/access.lua
local ctxdump = require \"ctxdump\"\nlocal ctx = ngx.ctx\nctx.testvar = {foo = \"bar\", num = 42}\n-- \u9700\u8981 set $ctx_ref \"\";\nngx.var.ctx_ref = ctxdump.stash_ngx_ctx()\nngx.log(ngx.ERR, \"ctx foo \", ctx.testvar.foo)\nngx.log(ngx.ERR, \"ctx num \", ctx.testvar.num)\nngx.log(ngx.ERR, \"var ctx_ref \", ngx.var.ctx_ref)\n
/etc/nginx/lua/log.lua
local ctxdump = require \"ctxdump\"\nngx.log(ngx.ERR, \"var ctx_ref \", ngx.var.ctx_ref)\nngx.ctx = ctxdump.apply_ngx_ctx(ngx.var.ctx_ref)\nlocal ctx = ngx.ctx\nngx.log(ngx.ERR, \"ctx foo \", ctx.testvar.foo)\nngx.log(ngx.ERR, \"ctx num \", ctx.testvar.num)\n

\u5982\u679c\u6ca1\u6709\u627e\u5230\u6587\u4ef6\uff0c\u62a5\u9519\u4fe1\u606f\u4e2d\u4f1a\u5305\u542b\u6240\u6709\u5c1d\u8bd5\u8fc7\u7684\u8def\u5f84\u3002

"},{"location":"faq/nginx/#_3","title":"\u4ee3\u7801\u590d\u7528\u4e0e\u6a21\u5757\u7f16\u5199","text":"

\u6700\u7b80\u5355\u7684\u4ee3\u7801\u590d\u7528\u7684\u65b9\u6cd5\u662f\u4f7f\u7528 loadfile() \u51fd\u6570\uff0c\u8fd9\u6837\u51e0\u4e4e\u4e0d\u9700\u8981\u4fee\u6539\u4ee3\u7801\u5185\u5bb9\u3002

local f = loadfile(\"/etc/nginx/lua/somefile.lua\")\nif f then\n    f()\nelse\n    ngx.log(ngx.ERR, \"failed to load somefile.lua\")\nend\n

\u4f46\u662f\u8fd9\u4e48\u505a\u662f\u6ca1\u6709 JIT \u7f13\u5b58\u7684\uff0c\u610f\u5473\u7740\u6bcf\u4e2a\u8bf7\u6c42\u90fd\u9700\u8981\u6574\u4e2a\u52a0\u8f7d\u4e00\u904d\u5bf9\u5e94\u7684\u539f\u59cb lua \u4ee3\u7801\u3002\u4e00\u4e2a\u57fa\u672c\u7684\u6a21\u5757\u7c7b\u4f3c\u4e8e\u4e0b\u9762\u8fd9\u6837\uff1a

local _M = {}\n\nlocal function some_internal_func(a)\n    return a + a\nend\n\nfunction _M.f1(a, b)\n    local aa = some_internal_func(a)\n    local bb = some_internal_func(b)\n    return aa + bb\nend\n\nreturn _M\n
"},{"location":"faq/ssd/","title":"SSD \u56fa\u4ef6","text":"

\u6570\u636e\u4e2d\u5fc3\u76d8\u7684 SSD \u8fd1\u5e74\u6765\u6709\u591a\u8d77\u56e0\u4e3a\u56fa\u4ef6\u95ee\u9898\u5bfc\u81f4\u4f7f\u7528\u65f6\u95f4\u8fc7\u957f\uff08\u51e0\u4e07\u5c0f\u65f6\uff09\u540e\u76d8\u574f\u6389\u7684\u65b0\u95fb\u3002 \u8fd9\u7c7b\u4e8b\u4ef6\u4e00\u65e6\u53d1\u751f\uff0c\u540e\u679c\u6781\u5176\u4e25\u91cd\uff0c\u56e0\u4e3a\u914d\u7f6e\u65b0\u670d\u52a1\u5668\u65f6\uff0c\u4e00\u822c\u4f7f\u7528\u7684\u76d8\u578b\u53f7\u662f\u4e00\u6837\u7684\uff0c\u5e76\u4e14\u5f00\u673a\u65f6\u95f4\u4e5f\u662f\u4e00\u6837\u7684\uff0c \u56e0\u6b64\u51fa\u73b0\u95ee\u9898\u4e4b\u540e\uff0c\u6240\u6709\u76d8\u90fd\u4f1a\u5728\u77ed\u65f6\u95f4\u5185\u574f\u6389\uff0cRAID \u6839\u672c\u65e0\u529b\u56de\u5929\u3002 \u56e0\u6b64\u4ee5\u4e0b\u8bb0\u5f55\u4e00\u4e9b\u56fa\u4ef6\u5347\u7ea7\u7684\u65b9\u6cd5\u3002

"},{"location":"faq/ssd/#intel","title":"Intel","text":""},{"location":"faq/ssd/#_1","title":"\u80cc\u666f","text":"

2024 \u5e74 1 \u6708 12 \u65e5\u51cc\u6668\uff0c\u5728\u53d1\u73b0\u4e24\u5757 Intel SSD S4510/S4610 \u51fa\u73b0 SMART \u9519\u8bef\u5e76\u4e14 ZFS \u63d0\u793a\u8bfb\u53d6\u9519\u8bef\u4e4b\u540e\u7d27\u6025\u8fdb\u884c\u4e86\u56fa\u4ef6\u5347\u7ea7\uff08\u5426\u5219\u8fd8\u6709 8 \u5757\u76d8\u4e5f\u4f1a\u5f88\u5feb\u56e0\u4e3a\u7c7b\u4f3c\u95ee\u9898\u635f\u574f\uff09\u3002\u7531\u4e8e\u7f3a\u5c11\u76f8\u5173\u8d44\u6599\uff0c\u5e76\u4e14 Intel \u4e0b\u67b6\u4e86\u5927\u91cf\u4fe1\u606f\uff0c\u56e0\u6b64\u82b1\u8d39\u4e86\u5f88\u591a\u65f6\u95f4\uff0c\u81f3\u51cc\u6668\u4e03\u70b9\u5b8c\u6210\u5347\u7ea7\u3002

Timeline

2024/01/11 04:21 - \u6536\u5230 smartd \u90ae\u4ef6\u79f0 /dev/sdi \u51fa\u73b0 End-to-End_Error_Count \u9519\u8bef\u3002

\u4e4b\u540e\u672a\u6000\u7591\u662f\u56fa\u4ef6\u95ee\u9898\uff0c\u53ea\u8ba4\u4e3a\u662f\u5076\u53d1\u7684\u9519\u8bef\uff0c\u5e76\u4e14 SSD \u4ecd\u53ef\u6b63\u5e38\u8bfb\u53d6\uff0cZFS \u6b63\u5e38\u7ea0\u9519\uff0c\u56e0\u6b64\u5f53\u5929\u5f00\u59cb\u51c6\u5907\u91c7\u8d2d\u65b0 SSD\uff0c\u672a\u8fdb\u884c\u5176\u4ed6\u64cd\u4f5c\u3002

2024/01/12 02:51 - \u6536\u5230 smartd \u90ae\u4ef6\u79f0 /dev/sdh \u51fa\u73b0 End-to-End_Error_Count \u9519\u8bef\u3002

\u4e4b\u540e\u6000\u7591\u662f\u56fa\u4ef6\u95ee\u9898\uff0c\u5e76\u4ece\u6d6a\u6f6e\u7684\u7f51\u7ad9\u786e\u8ba4\u4e86\u8fd9\u4e00\u70b9\u3002 Dell \u63d0\u4f9b\u4e86\u4fee\u590d\u5305\uff0c\u4f46\u662f\u65e0\u6cd5\u5728 Debian \u4e0b\u5b89\u88c5\u3002Intel/Solidigm \u63d0\u4f9b\u7684\u5347\u7ea7\u5de5\u5177\u6709\u8bb8\u591a\u4e0d\u540c\u7248\u672c\uff0c\u5176\u4e2d isdct \u4e0e sst \u63d0\u793a\u5347\u7ea7\u5931\u8d25\uff0cintelmas \u63d0\u793a\u5f53\u524d\u4ea7\u54c1\u5df2\u4e0d\u518d\u652f\u6301\u3002

\u5728\u8fc1\u79fb\u90e8\u5206\u91cd\u8981\u865a\u62df\u673a\uff0c\u5e76\u786e\u8ba4\u5907\u4efd\u6b63\u5e38\u540e\uff08\u5927\u81f4\u82b1\u8d39\u4e86 2 \u5230 2.5 \u5c0f\u65f6\uff09\uff0c\u91cd\u542f\u5bf9\u5e94\u670d\u52a1\u5668\uff0c\u5c1d\u8bd5\u4f7f\u7528 Solidigm \u63d0\u4f9b\u7684\u300c\u5347\u7ea7\u542f\u52a8\u76d8\u300d\u5347\u7ea7\uff0c\u63d0\u793a\u627e\u4e0d\u5230 SSD \u800c\u5931\u8d25\u3002 \u4e4b\u540e\u4ece Solidigm \u8bba\u575b\u4e86\u89e3\u5230\u9700\u8981\u5173\u95ed\u76f4\u901a\u8bbe\u7f6e\u3002\u5148\u5bf9 /dev/sdi \u8fdb\u884c\u4e86\u6d4b\u8bd5\uff08\u8be5\u76d8\u6709 SMART \u9519\u8bef\uff0c\u4f46\u662f\u4ecd\u53ef\u8bfb\u5199\uff09\uff0c\u5347\u7ea7\u6210\u529f\u3002\u4e4b\u540e\u5347\u7ea7\u4e86\u5168\u90e8 Intel SSD\u3002

\u76f8\u5173\u6d89\u95ee\u9898\u56fa\u4ef6\u7248\u672c\u4e3a XCV10100\u3002XCV10110 \u53ca\u4ee5\u4e0a\u4fee\u590d\u4e86\u95ee\u9898\u3002

"},{"location":"faq/ssd/#_2","title":"\u5347\u7ea7\u65b9\u6cd5","text":"

Intel \u7684\u5b58\u50a8\u4e1a\u52a1\u5df2\u7ecf\u88ab SK Hynix \u5b50\u516c\u53f8 Solidigm \u6536\u8d2d\u3002\u5176\u63d0\u4f9b\u4e86\u76f8\u5173\u5de5\u5177\u8fdb\u884c\u5347\u7ea7\u3002

https://www.solidigm.com/us/en/support-page/product-doc-cert/ka-00099.html \u63d0\u4f9b\u4e86 Solidigm \u5de5\u5177\u652f\u6301\u7684\u4ea7\u54c1\u5217\u8868\u3002\u4e0b\u8f7d\u6700\u65b0\u7248\u672c Solidigm\u2122 Storage Tool \u4e4b\u540e\uff08\u652f\u6301 Debian/Ubuntu\uff09\uff0c\u4f7f\u7528\u4ee5\u4e0b\u65b9\u6cd5\u68c0\u67e5\u6240\u6709 SSD \u7684\u4fe1\u606f\uff1a

sst show -ssd\n

\u5173\u6ce8\u6bcf\u4e2a SSD \u7684 FirmwareUpdateAvailable \u4e00\u884c\u662f\u5426\u6709\u66f4\u65b0\u4fe1\u606f\u3002

\u4f7f\u7528\u4ee5\u4e0b\u547d\u4ee4\u5347\u7ea7\uff1a

sst load -ssd <SSD \u7684\u7f16\u53f7>\n

\u8bf7\u6ce8\u610f\uff0c\u8be5\u5de5\u5177\u4e0d\u652f\u6301 RAID \u5361\u7684\u76f4\u901a\u6a21\u5f0f\u3002\u5bf9\u4e8e Dell \u670d\u52a1\u5668\u6765\u8bf4\uff0c\u9700\u8981\u8bbe\u7f6e\u5982\u4e0b\uff1a

  1. \u542f\u7528 LSI \u652f\u6301\uff1asst set -system EnableLSIAdapter=True
  2. \u91cd\u542f\u8fdb\u5165 BIOS\uff0c\u5c06 RAID \u5361\u4ece HBA \u6a21\u5f0f\u5207\u6362\u4e3a RAID \u6a21\u5f0f\uff08\u5982\u679c\u662f\u7684\u8bdd\uff09
  3. \u5c06\u9700\u8981\u5347\u7ea7\u7684\u76d8\u4ece Non-RAID \u6a21\u5f0f\u5207\u6362\u4e3a RAID-Capable\uff08\u6ce8\u610f\u4e0d\u8981\u70b9\u6210\u6e05\u7a7a\u6240\u6709\u6570\u636e\uff01\uff09
  4. \u91cd\u542f\u8fdb\u5165 recovery \u6a21\u5f0f\uff0c\u4f7f\u7528 sst \u8fdb\u884c\u5347\u7ea7\u3002
  5. \u5347\u7ea7\u5b8c\u6210\u540e\u91cd\u542f\uff0c\u8fdb\u5165 BIOS \u6062\u590d\u4e4b\u524d\u7684\u8bbe\u7f6e\uff08\u540c\u6837\u6ce8\u610f\u4e0d\u8981\u70b9\u9519\uff01\uff09
"},{"location":"faq/systemd-timer/","title":"Systemd-timer \u53c2\u8003\u6a21\u677f","text":"

Systemd-timer \u4f5c\u4e3a crontab \u7684\u66ff\u4ee3\u54c1\uff0c\u6709\u4e00\u7cfb\u5217\u7684\u4f18\u70b9\uff1a

\u5f53\u7136\u76f8\u6bd4\u4e8e crontab\uff0c\u7f3a\u70b9\u4e5f\u5f88\u660e\u663e\uff1a

\u6240\u4ee5\u4ee5\u4e0b\u7ed9\u51fa\u4e00\u4e2a\u6a21\u677f\uff0c\u65b9\u4fbf\u5728\u521b\u5efa\u65b0\u5b9a\u65f6\u4efb\u52a1\u7684\u65f6\u5019\u4f7f\u7528\u3002\u8fd9\u91cc\u7684\u4f8b\u5b50\u662f mirrors2 \u4ece mirrors4 \u83b7\u53d6\u538b\u7f29\u540e\u7684\u65e5\u5fd7\u3002\u4ee5\u4e0b\u6587\u4ef6\u5747\u653e\u5728 /etc/systemd/system\u3002

m4log.service
[Unit]\nDescription=Mirrors4 log backup\nDocumentation=man:rsync(1)\nAfter=network.target\nStartLimitIntervalSec=0\n\n[Service]\nType=simple\nUser=mirror\nGroup=mirror\nExecStart=rsync -rltpv --include=*/ --include=*.xz --exclude=* m4log:/ /var/m4log/\nRestart=on-failure\nRestartSec=3\n
m4log.timer
[Unit]\nDescription=Mirrors4 log backup timer\nDocumentation=man:rsync(1)\nAfter=network.target\nStartLimitIntervalSec=0\n\n[Timer]\nOnCalendar=*-*-* 7:13:00\nRandomizedDelaySec=60s\nPersistent=true\nUnit=m4log.service\n\n[Install]\nWantedBy=timer.target\n

\u5173\u4e8e OnCalendar \u7684\u89e6\u53d1\u65f6\u95f4\uff0c\u53ef\u4ee5\u53c2\u8003 systemd \u7684 Calendar Events \u8bf4\u660e\uff0c\u5e76\u7528 systemd-analyze calendar \u6765\u68c0\u9a8c\u6b63\u786e\u6027\uff0c\u4e5f\u53ef\u4ee5\u7528 systemctl list-timers \u89c2\u5bdf Timer \u4e0b\u6b21\u89e6\u53d1\u7684\u65f6\u95f4\u662f\u5426\u7b26\u5408\u9884\u671f\u3002

\u4e0b\u9762\u662f\u4e00\u4e9b\u5e38\u7528\u547d\u4ee4\uff1a

"},{"location":"faq/vm/","title":"\u865a\u62df\u5316\u76f8\u5173","text":""},{"location":"faq/vm/#_2","title":"\u6269\u76d8","text":"

\u6269\u5927\u865a\u62df\u78c1\u76d8\u7684\u5927\u5c0f\u540e\uff0c\u53ef\u4ee5\u91c7\u7528\u4ee5\u4e0b\u76f8\u5bf9\u7b80\u5355\u7684\u65b9\u5f0f\u6269\u5c55\u5206\u533a\u5927\u5c0f\uff1a

\u8bf7\u786e\u4fdd\u7406\u89e3\u547d\u4ee4\u540e\u518d\u6267\u884c

$ # \u5b89\u88c5 growpart\n$ sudo apt install cloud-guest-utils\n$ # \u6269\u5c55 /dev/sdb1\n$ sudo growpart /dev/sdb 1\n$ # \u73b0\u5728\u5206\u533a\u8868\u4ee5\u53ca\u5206\u533a\u6269\u5c55\u4e86\uff0c\u4f46\u662f\u5206\u533a\u91cc\u9762\u7684\u6587\u4ef6\u7cfb\u7edf\u7684\u5927\u5c0f\u8fd8\u6ca1\u6709\u6269\u5c55\n$ # \u4ee5 ext4 \u4e3a\u4f8b\n$ sudo resize2fs /dev/sdb1\n
"},{"location":"infrastructure/auth-dns/","title":"Authoritative DNS","text":"

Services (Servers):

All three servers are dedicated to DNS service and run no other services.

"},{"location":"infrastructure/auth-dns/#deploy","title":"Deploy","text":"

The bind configuration repository is only visible to admins because private key is included.

# copy the ssh key https://github.com/ustclug/auth-dns/blob/master/git_pull_key\n# to ~/.ssh/id_ed25519\n\n# now get the conf\ngit clone git@github.com:ustclug/auth-dns.git /var/lib/bind\n\n# delete the ssh key\nrm ~/.ssh/id_ed25519\n
docker run --restart=always -v /var/lib/bind/:/etc/bind \\\n       --net host -it -d --name=auth-dns zhusj/bind9\n
"},{"location":"infrastructure/auth-dns/#update-dns-record","title":"Update DNS Record","text":"

Just commit your changes to the configuration repository. More details can be found in the repository.

"},{"location":"infrastructure/auth-dns/#webhook","title":"Webhook","text":"

Please add a webhook in the configuration repository, so that the DNS record can be automatically updated when commits are pushed.

The webhook endpoint is http://<server_ip>:9000/hooks/bind, see https://github.com/ustclug/auth-dns/settings/hooks for examples.

"},{"location":"infrastructure/dockerhub/","title":"Docker Hub","text":""},{"location":"infrastructure/dockerhub/#dsos","title":"Docker-Sponsored Open-Source program (DSOS) application","text":"Item Reference response First Name Jiawei (Use your own name) Last Name Fu (Use your own name) Email Address redacted (Use your own email address) Role Tech Lead (or anything that makes sense) Company or Organization Name Linux User Group of University of Science and Technology of China Country (Select) China What is the name of your project? Various: USTC Open Source Software Mirror, USTC Network Boot Service, etc. Please link the public repository of your OSS organization (github, gitlab, etc.) https://github.com/ustclug Please provide a link to your project website. https://lug.ustc.edu.cn/ Enter your user Docker ID (aka username). ibugone (Use your own Docker ID) Do you have an existing Organization? (Select) Yes Enter the existing Docker ID for your organization on Docker Hub. ustclug What is the goal of this project? Ease the use of many Linux distros and open-source software, as well as advocate the spirit of Free Software What types of user(s) benefit from this project? Linux users and developers in mainland China What is the code distribution license for your OSS project? (Select) MIT License To what industry does your project or organization belong? (Select) Academic/research To what industry does your project or organization belong? 6 (Adjust as needed) Please list all sponsors for this project (patreon and other microdonations can be listed as one). USTC Network Information Center, USTC Library Does this project have a pathway to commercialization? ... (Select) No If approved, do you agree to the ...? (Tick the checkbox) Press Submit"},{"location":"infrastructure/dockerhub/#notes","title":"Notes","text":"

The first application on October 25, 2023 was declined with the following reason (emphasis mine):

During our review of your application for Various (USTC Open Source Soft[sic], we determined that while your project meets most of the program requirements, there is a lack of documentation in one or more of your repositories on Docker Hub.

Before resubmitting the application, I deleted a few obsolete repositories and filled in the \"Repository overview\" for the rest, asking ChatGPT to produce it when needed. Afterwards, the second submission was approved in just 3 hours.

"},{"location":"infrastructure/github/","title":"GitHub Organization","text":"

ustclug @ GitHub

"},{"location":"infrastructure/github/#github-actions","title":"GitHub Actions","text":"

GitHub Actions \u5bf9\u516c\u5f00\u4ed3\u5e93\u514d\u8d39\uff0c\u5bf9\u79c1\u6709\u4ed3\u5e93\u6bcf\u6708\u6709 3000 \u5206\u949f\u7684\u9650\u989d\uff08\u6ce8\uff1a\u6211\u4eec\u662f\u5b66\u6821\u5e2e\u5fd9\u7533\u8bf7\u7684 GitHub Education\uff0c\u6240\u4ee5\u6211\u4eec\u5728\u529f\u80fd\u4e0a\u76f8\u5f53\u4e8e\u4ed8\u8d39\u7684 GitHub Team\uff09\u3002\u76ee\u524d\u6211\u4eec\u6709\u591a\u4e2a\u9879\u76ee\u4f7f\u7528 GitHub Actions \u90e8\u7f72\uff0c\u4f8b\u5982 Linux 101 \u7684\u8bb2\u4e49\u3002

\u6211\u4eec\u66fe\u7ecf\u4f7f\u7528 Travis CI\uff08\u73b0\u5728\u4e5f\u5728\u90e8\u5206\u516c\u5f00\u4ed3\u5e93\u4e2d\u4f7f\u7528\uff09\uff0c\u56e0\u4e3a\uff08\u4e0d\u4f1a\u5b9a\u671f\u91cd\u7f6e\u7684\uff09\u6570\u91cf\u9650\u5236\u800c\u5c06\u79c1\u6709\u4ed3\u5e93\u5168\u90e8\u8fc1\u51fa\uff0c\u8ba8\u8bba\u89c1 Discussion #308.

"},{"location":"infrastructure/github/#2fa","title":"\u4e24\u6b65\u8ba4\u8bc1\uff082FA\uff09","text":"

\u6211\u4eec\u5f3a\u70c8\u5efa\u8bae\u52a0\u5165 ustclug \u7ec4\u7ec7\u7684\u7528\u6237\u4e3a\u81ea\u5df1\u7684 GitHub \u8d26\u53f7\u914d\u7f6e\u4e24\u6b65\u8ba4\u8bc1\uff1a

"},{"location":"infrastructure/google/","title":"G Suite","text":"

\u7531\u4e8e G Suite \u81ea 2022 \u5e74 7 \u6708\u8d77\u4e0d\u518d\u63d0\u4f9b\u514d\u8d39\u7684 Teams\uff0c\u4e14\u5df2\u6709\u7684\u514d\u8d39 Teams \u4e5f\u5c06\u505c\u6b62\u670d\u52a1\uff0c\u6211\u4eec\u5df2\u4e8e 2022 \u5e74 3 \u6708\u5168\u9762\u8fc1\u79fb\u81f3 Office 365\u3002

\u8003\u8651\u5230\u6b64\u9875\u9762\u7684 URL \u8fd8\u6709\u4e00\u5b9a\u6570\u91cf\u7684\u5916\u94fe\uff0c\u6211\u4eec\u628a\u672c\u9875\u6587\u6863\u91cd\u65b0\u52a0\u4e86\u56de\u6765\uff0c\u4f46\u662f\u6240\u6709\u6709\u610f\u4e49\u7684\u5185\u5bb9\u90fd\u5df2\u7ecf\u79fb\u52a8\u5230\u4e86 Office 365 \u9875\u9762\u4e2d\u3002

"},{"location":"infrastructure/ldap/","title":"LDAP \u670d\u52a1\u4f7f\u7528\u53ca\u914d\u7f6e\u8bf4\u660e","text":"

LDAP \u662f\u8f7b\u91cf\u76ee\u5f55\u8bbf\u95ee\u534f\u8bae\uff0c\u6211\u4eec\u7528\u7684\u8f6f\u4ef6\u662f OpenLDAP\u3002

LDAP \u7684\u914d\u7f6e\u5f88\u9ebb\u70e6\uff0c\u6240\u4ee5\u88c5\u4e86\u4e00\u4e2a\u7f51\u9875\u524d\u7aef\u6765\u914d\u7f6e\u5b83\uff0c\u7f51\u9875\u524d\u7aef\u662f GOsa\u00b2\u3002

"},{"location":"infrastructure/ldap/#_1","title":"\u5bc6\u7801\u4fee\u6539","text":"

\u767b\u5f55\u4efb\u610f\u4e00\u53f0\u670d\u52a1\u5668\u4f7f\u7528 passwd \u5c31\u53ef\u4ee5\u4fee\u6539\u5bc6\u7801\uff0c\u4fee\u6539\u7684\u5bc6\u7801\u5728\u6240\u6709\u673a\u5668\u4e0a\u5b9e\u65f6\u751f\u6548\uff08\u56e0\u4e3a\u5b9e\u9645\u662f\u5b58\u5728 LDAP \u6570\u636e\u5e93\u91cc\u7684\uff09\u3002

"},{"location":"infrastructure/ldap/#gosa","title":"GOsa \u4f7f\u7528","text":"

\u7f51\u9875\u754c\u9762\u4f4d\u4e8e ldap.lug.ustc.edu.cn\u3002

\u7528\u4f60\u7684\u8d26\u53f7\u767b\u5f55\u8fdb\u53bb\u4e4b\u540e\uff0c\u53ef\u4ee5\u5728\u53f3\u4e0a\u89d2\u9000\u51fa\uff0c\u53f3\u4e0a\u89d2\u8fd8\u6709\u4e24\u4e2a\u6309\u94ae\u5206\u522b\u662f\u4fee\u6539\u8d26\u53f7\u4fe1\u606f\u548c\u4fee\u6539\u5bc6\u7801\u3002\u8d26\u53f7\u4fe1\u606f\u7b2c\u4e00\u9875\u5927\u90e8\u5206\u662f\u6ca1\u7528\u7684\uff0c\u53ea\u6709\u4e00\u4e2a\u767b\u5f55\u540d\u662f\u6709\u7528\u7684\uff0c\u8fd9\u662f\u4f60\u767b\u5f55\u4efb\u4f55\u5730\u65b9\u7684\u7528\u6237\u540d\u3002

"},{"location":"infrastructure/ldap/#ldap-users-and-groups","title":"Users \u548c Groups","text":"

Users \u662f\u7528\u6765\u6dfb\u52a0\u548c\u914d\u7f6e\u7528\u6237\u4fe1\u606f\u7684\u5730\u65b9\u3002\u6700\u4e3b\u8981\u7684\u529f\u80fd\u4f4d\u4e8e\u6bcf\u4e2a User \u7684\u7b2c\u4e8c\u9875 POSIX\uff0c\u8fd9\u91cc\u53ef\u4ee5\u8bbe\u7f6e\u7528\u6237\u7684\u5bb6\u76ee\u5f55\uff0cUID\uff0cGID\uff0c\u4ee5\u53ca\u6240\u5c5e\u7684\u7528\u6237\u7ec4\u3002\u8fd9\u91cc\u9700\u8981\u6ce8\u610f\u7684\u5730\u65b9\u5982\u4e0b\uff1a

Groups \u4e2d\u4ee5 ssh \u5f00\u5934\u7684\u7ec4\u63a7\u5236\u5bf9\u5e94\u673a\u5668\u7684 ssh \u6743\u9650\uff0csudo \u5f00\u5934\u540c\u7406\u3002super_maneger \u7ec4\u5305\u542b\u6240\u6709\u673a\u5668\u7684\u6743\u9650\uff0c\u4ee5\u53ca LDAP \u7684 admin \u8eab\u4efd\u3002\u52a0\u5165\u5bf9\u5e94\u7684\u7ec4\u5373\u6388\u4e88\u76f8\u5e94\u6743\u9650\u3002\u5df2\u77e5\u7684 GID

"},{"location":"infrastructure/ldap/#access-control","title":"Access Control","text":"

\u8fd9\u91cc\u53ef\u4ee5\u914d\u7f6e GOsa \u7684\u7f16\u8f91\u6743\u9650\uff0c\u73b0\u5728\u8fd9\u91cc\u9762\u53ea\u6709\u4e00\u4e2a\u7ec4\uff0c\u662f\u5b8c\u5168\u6743\u9650\u7684\u3002\u53e6\u5916\uff0c\u6bcf\u4e2a\u9879\u53ef\u4ee5\u8bbe\u7f6e\u4e13\u95e8\u9488\u5bf9\u8fd9\u4e2a\u9879\u7684 ACL\u3002

"},{"location":"infrastructure/ldap/#sudo-rules","title":"Sudo rules","text":"

\u8fd9\u91cc\u914d\u7f6e sudo \u6743\u9650\u3002\u8fd9\u91cc\u7684\u8bed\u6cd5\u548c sudoers \u4e00\u6837\uff08\u8bf7\u65e0\u89c6 System trust\uff09\u3002\u7279\u522b\u8981\u8bf4\u7684\u4e00\u70b9\u662f\u901a\u8fc7\u5728 System \u4e2d\u52a0\u5165\u4e3b\u673a\u540d\u53ef\u4ee5\u9488\u5bf9\u6bcf\u4e2a\u4e3b\u673a\u914d\u7f6e\u6743\u9650\uff0c\u8fd9\u91cc\u8981\u586b\u7684\u662f\u4e3b\u673a\u540d\u800c\u4e0d\u662f\u57df\u540d\uff0c\u5177\u4f53\u8303\u4f8b\u8bf7\u770b\u91cc\u9762\u7684 lugsu wikimanager \u7b49\u9879\u3002

\u5176\u5b83\u6211\u6ca1\u63d0\u5230\u7684\u9879\u6211\u4e5f\u6ca1\u641e\u660e\u767d\u600e\u4e48\u7528\u3002\u3002\u3002

gosa \u7684\u914d\u7f6e\u6587\u4ef6\u5728 /etc/gosa/gosa.conf\uff0c\u5b83\u662f\u5728\u7b2c\u4e00\u6b21\u8fd0\u884c gosa \u65f6\u5019\u81ea\u52a8\u751f\u6210\u7684\uff0c\u4f46\u5728\u4e4b\u540e\u5c31\u53ea\u80fd\u901a\u8fc7\u624b\u52a8\u7f16\u8f91\u6765\u4fee\u6539\u3002\u7531\u4e8e\u914d\u7f6e\u6587\u4ef6\u51e0\u4e4e\u6ca1\u6709\u6587\u6863\uff0c\u5b98\u65b9\u7684 FAQ \u6709\u597d\u591a\u662f\u9519\u7684\uff0c\u6240\u4ee5\u6211\u57fa\u672c\u6ca1\u52a8 :-D\u3002

"},{"location":"infrastructure/ldap/#_2","title":"\u7ef4\u62a4\u5907\u6ce8","text":"

\u5982\u679c\u53d1\u73b0\u66f4\u65b0 GOsa \u4e4b\u540e\uff0c/gosa \u6ca1\u6709\u6b63\u5e38\u5de5\u4f5c\uff08\u6bd4\u5982\u8bf4\u76f4\u63a5\u663e\u793a\u4e86 PHP \u7684\u6e90\u4ee3\u7801\uff09\uff0c\u53ef\u4ee5\u5c1d\u8bd5\u5220\u9664 /var/spool/gosa/ \u4e2d\u7684\u6240\u6709\u6587\u4ef6\uff0c\u8be6\u89c1 Gosa broken in Debian stretch\u3002

"},{"location":"infrastructure/ldap/#ldap_1","title":"LDAP \u5ba2\u6237\u7aef\u914d\u7f6e","text":""},{"location":"infrastructure/ldap/#debian","title":"Debian \u914d\u7f6e\u65b9\u6cd5","text":"

Warning

Debian 13 Trixie \u662f\u6700\u540e\u4e00\u4e2a\u652f\u6301 sudo-ldap \u7684\u7248\u672c\uff0cDebian 14 \u5c06\u5b8c\u5168\u79fb\u9664 sudo-ldap\uff0c\u9700\u8981\u5c3d\u5feb\u8fc1\u79fb\u81f3 sssd\u3002

\u6211\u4eec\u5927\u90e8\u5206\u73b0\u6709\u7684\u670d\u52a1\u5668\u4ecd\u5728\u4f7f\u7528 sudo-ldap\uff0c\u5728\u4e0b\u6b21\u5927\u7248\u672c\u5347\u7ea7\u524d\u9700\u8981\u9010\u6b65\u8fc1\u79fb\u3002\u4ee5\u4e0b\u63d0\u4f9b\u4f7f\u7528 sssd \u7684\u914d\u7f6e\u65b9\u6cd5\u3002

Ref: https://packages.debian.org/trixie/sudo-ldap

"},{"location":"infrastructure/ldap/#_3","title":"\u8f6f\u4ef6\u5305\u5b89\u88c5","text":"

Debian 7 \u4ee5\u4e0a\u7cfb\u7edf\u5b89\u88c5 libnss-ldapd\u3001libpam-ldapd\u3001sssd-ldap\u3001libsss-sudo

Note

\u66f4\u65b0\u8fd9\u4e9b\u8f6f\u4ef6\u5305\u65f6\uff0c\u6ce8\u610f\u4fdd\u7559\u4e00\u4e2a root \u7ec8\u7aef\uff0c\u66f4\u65b0\u540e\u53ef\u80fd\u9700\u8981\u91cd\u542f daemon \u8fdb\u7a0b\u3002

Note

\u5982\u679c\u5df2\u7ecf\u5b89\u88c5\u4e86 sudo-ldap\uff0c\u8bf7\u5728\u5168\u90e8\u914d\u7f6e\u5b8c\u6210\u4e4b\u540e\u8fd0\u884c apt install sudo\uff0c\u8fc1\u79fb\u56de\u539f sudo\u3002

\u5728\u5b89\u88c5\u8fc7\u7a0b\u4e2d\u4f1a\u88ab\u95ee\u4e00\u4e9b\u95ee\u9898\uff08\u4e0d\u540c\u7248\u672c\u7684 Debian \u7684\u95ee\u9898\u53ef\u80fd\u4e0d\u540c\uff09\uff1a

"},{"location":"infrastructure/ldap/#etcldapldapconf","title":"/etc/ldap/ldap.conf","text":"

\u7f16\u8f91\u5185\u5bb9\u5982\u4e0b\uff1a

/etc/ldap/ldap.conf
BASE dc=lug,dc=ustc,dc=edu,dc=cn\nURI ldaps://ldap.lug.ustc.edu.cn\nSSL yes\nTLS_CACERT /etc/ldap/slapd-ca-cert.pem\nTLS_REQCERT demand\nSUDOERS_BASE ou=sudoers,dc=lug,dc=ustc,dc=edu,dc=cn\n

\u4e3a\u4e86\u5b89\u5168\u6027\u8003\u8651\uff0c\u8981\u4ee5 ldaps \u7684\u65b9\u5f0f\u8fde\u63a5 ldap \u670d\u52a1\u5668\uff0c\u540c\u65f6\u5e94\u914d\u7f6e\u597d\u8bc1\u4e66 (/etc/ldap/slapd-ca-cert.pem, \u4ece\u5176\u5b83\u670d\u52a1\u5668\u590d\u5236\u4e00\u4e2a)

"},{"location":"infrastructure/ldap/#etcnslcdconf","title":"/etc/nslcd.conf","text":"

\u6ce8\u610f\u68c0\u67e5\u4e00\u4e0b\u6b64\u914d\u7f6e\u6587\u4ef6\u662f\u5426\u4e0e /etc/ldap/ldap.conf \u4e0b\u7684\u5185\u5bb9\u76f8\u4e00\u81f4\uff0c\u5982

/etc/nslcd.conf
uid nslcd\ngid nslcd\nuri ldaps://ldap.lug.ustc.edu.cn\nbase dc=lug,dc=ustc,dc=edu,dc=cn\nssl on\ntls_reqcert demand\ntls_cacertfile /etc/ldap/slapd-ca-cert.pem\n
"},{"location":"infrastructure/ldap/#etcnsswitchconf","title":"/etc/nsswitch.conf","text":"

\u5b89\u88c5\u8f6f\u4ef6\u5305\u65f6\uff0c\u5b89\u88c5\u811a\u672c\u5df2\u7ecf\u5904\u7406\u8fc7\u8be5\u6587\u4ef6\u3002\u68c0\u67e5\u4e00\u4e0b\u5185\u5bb9\uff0c\u5927\u81f4\u4e3a\uff1a

passwd:         compat ldap\ngroup:          compat ldap\nshadow:         compat ldap\n......\nsudoers:        files ldap\n

\u6ce8\u610f\u6bcf\u4e00\u9879\u540e\u9762\u7684 ldap\uff0c\u5982\u679c\u6ca1\u6709\u8981\u624b\u52a8\u52a0\u4e0a\u3002\u4e0d\u592a\u6e05\u695a\u5177\u4f53\u542b\u4e49\uff0c\u53cd\u6b63\u7ed9\u6bcf\u4e00\u9879\u90fd\u52a0\u4e0a ldap \u662f\u6ca1\u6709\u95ee\u9898\u7684\u3002

\u5bf9\u4e8e\u4f7f\u7528 sssd \u7684\u914d\u7f6e\uff0c\u6ce8\u610f sudoers \u4e00\u884c\u9700\u8981\u6709 sss\uff0c\u7c7b\u4f3c\u4e8e\u4e0b\u9762\u8fd9\u6837\uff1a

sudoers: files sss\n

\u800c\u5982\u679c\u4f7f\u7528\u4f20\u7edf\u7684 sudo-ldap\uff0c\u90a3\u4e48 sudoers \u4e00\u884c\u5e94\u8be5\u7c7b\u4f3c\u4e8e\u8fd9\u6837\uff1a

sudoers:        ldap [SUCCESS=return] files\n

\u91cd\u542f\u4e00\u4e0b nscd \u548c nslcd \u670d\u52a1\uff0c\u6b64\u65f6\u8fd0\u884c getent passwd\uff0c\u5e94\u8be5\u53ef\u4ee5\u770b\u5230\u6bd4 /etc/passwd \u66f4\u591a\u7684\u5185\u5bb9\uff0c\u8fd9\u5c31\u8bf4\u660e\u914d\u7f6e\u6b63\u786e\u4e86\u3002

"},{"location":"infrastructure/ldap/#pam","title":"PAM \u914d\u7f6e","text":"

\u5982\u679c PAM \u914d\u7f6e\u9519\u8bef\uff0c\u53ef\u80fd\u5bfc\u81f4\u7528\u6237\u65e0\u6cd5\u4f7f\u7528 SSH \u767b\u5f55\uff0c\u751a\u81f3\u8fde sudo \u4e5f\u53ef\u80fd\u6302\u6389\u3002\u6240\u4ee5\u4fee\u6539 PAM \u914d\u7f6e\u65f6\uff1a

  1. \u8bf7\u505a\u597d\u6587\u4ef6\u5907\u4efd\uff1b
  2. \u8bf7\u53e6\u5f00\u4e00\u4e2a root \u7ec8\u7aef\u4ee5\u9632\u4e07\u4e00\u3002

\u5bf9\u4e8e Debian 7+\uff0c\u53ea\u9700\u8bbe\u7f6e\u4e00\u5904\u3002\u4e3a\u4e86\u767b\u5f55\u65f6\u81ea\u52a8\u521b\u5efa\u5bb6\u76ee\u5f55\uff0c\u5728 /etc/pam.d/common-session \u4e2d\u6dfb\u52a0\u4e0b\u9762\u8fd9\u53e5\uff1a

session required    pam_mkhomedir.so skel=/etc/skel umask=0022\n

\u5bf9\u4e8e Debian 5\uff0c\u8bf7\u67e5\u9605\u672c\u6587\u6863\u7684 Git \u8bb0\u5f55\u3002

"},{"location":"infrastructure/ldap/#sssd","title":"SSSD \u914d\u7f6e","text":"

\u7531\u4e8e sudo-ldap \u672a\u6765\u88ab\u5e9f\u5f03\uff0csudo \u7684\u914d\u7f6e\u901a\u8fc7 sssd \u5b9e\u73b0\uff0c\u53c2\u8003 https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/sssd-ldap-sudo.html\u3002

\u5c06 /usr/share/doc/sssd-common/examples/sssd-example.conf \u590d\u5236\u5230 /etc/sssd/sssd.conf \u5e76\u4fee\u6539\u6743\u9650\u4e3a 600\u3002

[taoky@gateway-nic ~]$ sudo diff /usr/share/doc/sssd-common/examples/sssd-example.conf /etc/sssd/sssd.conf\n3c3\n< services = nss, pam\n---\n> services = nss, pam, sudo\n8c8,10\n< ; domains = LDAP\n---\n> domains = LDAP\n>\n> [sudo]\n15,17c17,19\n< ; [domain/LDAP]\n< ; id_provider = ldap\n< ; auth_provider = ldap\n---\n> [domain/LDAP]\n> id_provider = ldap\n> auth_provider = ldap\n22,24c24,26\n< ; ldap_schema = rfc2307\n< ; ldap_uri = ldap://ldap.mydomain.org\n< ; ldap_search_base = dc=mydomain,dc=org\n---\n> ldap_schema = rfc2307\n> ldap_uri = ldaps://ldap.lug.ustc.edu.cn\n> ldap_search_base = dc=lug,dc=ustc,dc=edu,dc=cn\n30c32\n< ; cache_credentials = true\n---\n> cache_credentials = true\n

\u5751

\u9700\u8981\u52a0\u4e0a [sudo]\uff0c\u5426\u5219 sudo \u914d\u7f6e\u4e0d\u4f1a\u751f\u6548\uff0c\u8fd9\u4e2a\u914d\u7f6e\u95ee\u9898\u5bfc\u81f4\u4e86\u4fee\u6539\u524d\u5728 gateway-nic \u4e0a\u7528\u6237\u65e0\u6cd5\u4f7f\u7528 sudo\u3002

\u53e6\u5916\u8bb0\u5f97\u50cf\u524d\u9762\u5728 Debian \u4e2d\u5b89\u88c5\u4ecb\u7ecd\u5230\u7684\u90a3\u6837\u4fee\u6539 /etc/nsswitch.conf \u4ee5\u53ca /etc/nslcd.conf.

"},{"location":"infrastructure/ldap/#nscd","title":"NSCD \u4f7f\u7528\u8bf4\u660e","text":"

\u5728 SSSD \u672a\u5b89\u88c5\u7684\u60c5\u51b5\u4e0b\uff0cNSCD \u4f1a\u63d0\u4f9b LDAP \u7f13\u5b58\u670d\u52a1\u3002\u5982\u679c\u5728\u4f7f\u7528 NSCD \u7684\u673a\u5668\u4e0a\u9700\u8981\u6e05\u7a7a LDAP \u7f13\u5b58\uff0c\u6267\u884c\u4ee5\u4e0b\u547d\u4ee4\uff1a

nscd -i passwd\nnscd -i group\n

\u5982\u679c SSSD \u5b89\u88c5\uff0csystemctl status sssd \u4f1a\u663e\u793a SSSD \u4e0e NSCD \u540c\u65f6\u63d0\u4f9b\u4e86\u76f8\u5173\u7f13\u5b58\uff0c\u53ef\u80fd\u5b58\u5728\u51b2\u7a81\u95ee\u9898\uff1a

NSCD socket was detected and seems to be configured to cache some of the databases controlled by SSSD [passwd,group,netgroup,services].\n

\u9700\u8981\u4fee\u6539 /etc/nscd.conf\uff0c\u5c06\u63d0\u53ca\u7684 passwd, group, netgroup \u548c services \u7684 enable-cache \u8bbe\u7f6e\u4e3a no\u3002

"},{"location":"infrastructure/ldap/#ldap-cli","title":"LDAP CLI \u5de5\u5177\u4f7f\u7528\u8bf4\u660e","text":"

\u8fd9\u91cc\u4ee5 ldappasswd \u4e3a\u4f8b\uff0c\u5176\u4f59 ldap \u7cfb\u5217\u6307\u4ee4\u4e0e\u5176\u5927\u81f4\u76f8\u540c\uff1a

LDAP \u5229\u7528 dn \u6765\u5b9a\u4f4d\u4e00\u4e2a\u7528\u6237\uff0c\u4ee5\u4e0b\u6307\u4ee4\u53ef\u4ee5\u5217\u51fa\u6240\u6709\u7528\u6237\u53ca\u5176 dn\uff1a

ldapsearch -x -LLL uid=* uid\n

-x \u6307\u5b9a\u4f7f\u7528 Simple authentication\uff0c\u5373\u4f7f\u7528\u5bc6\u7801\u8ba4\u8bc1\u3002

\u5982\u679c\u8981\u4fee\u6539\u4e00\u4e2a\u7528\u6237\u7684\u5bc6\u7801\uff0c\u4f7f\u7528\uff1a

ldappasswd -x -D '<executor dn>' -W -S '<target user dn>'\n

-D '<executor dn>' \u6307\u5b9a\u4e86\u6267\u884c\u8005\u7684\u8eab\u4efd\uff0c-W/-S \u6307\u5b9a\u4e86\u63a5\u4e0b\u6765\u8be2\u95ee\u6267\u884c\u8005/\u76ee\u6807\u7528\u6237\u7684\u5bc6\u7801/\u65e7\u5bc6\u7801\u3002

\u9700\u8981\u989d\u5916\u6ce8\u610f\u7684\u662f\uff0c\u5728 CLI \u4e2d\u6dfb\u52a0/\u5220\u9664\u7528\u6237\u6216\u66f4\u6539\u7528\u6237\u5bc6\u7801\u65f6\u9700\u8981\u4ee5 LDAP admin \u6267\u884c\uff0c\u5426\u5219\u4f1a\u6709\u62a5\u9519\uff1a

Insufficient access (50) additional info: no write access to parent\n

\u6216\u662f\u5176\u4ed6\u7684\u6743\u9650\u4e0d\u8db3\u7684\u9519\u8bef\u3002

"},{"location":"infrastructure/ldap/#_4","title":"\u90e8\u7f72\u60c5\u51b5","text":"

\u76ee\u524d\u6240\u6709\u670d\u52a1\u5668\u5747\u5df2\u90e8\u7f72 LDAP

"},{"location":"infrastructure/ldap/#ldap-known-gids","title":"\u5df2\u77e5\u7684 GID","text":"

GID \u4fe1\u606f\u5df2\u8fc7\u65f6\uff0c\u4ee5 LDAP \u5b9e\u9645\u914d\u7f6e\u4e3a\u51c6\u3002

GID \u540d\u79f0 \u8bf4\u660e 2001 ldap_users \u6240\u6709\u7528\u6237\u90fd\u5728\u8fd9\u4e2a\u7ec4\u91cc 1001 ssh_docker2 - 2013 ssh_bbs - 2014 ssh_linode - 2101 ssh_ldap - 2102 ssh_blog - 2103 ssh_dns - 2104 ssh_gitlab - 2105 ssh_lug - 2106 ssh_vpn - 2107 ssh_mirrors - 2108 ssh_pxe - 2109 ssh_freeshell - 2110 ssh_backup - 2112 ssh_vmnfs - 2113 ssh_homepage - 2201 sudo_ldap - 2202 sudo_blog - 2203 sudo_dns - 2204 sudo_gitlab - 2205 sudo_lug - 2206 sudo_vpn - 2207 sudo_mirrors - 2208 sudo_pxe - 2209 sudo_freeshell - 2210 sudo_backup - 2212 sudo_vmnfs - 2213 sudo_homepage - 2000 super_manager - 2999 nologin \u4e0d\u786e\u5b9a\u8fd9\u4e2a\u7ec4\u6709\u6ca1\u6709\u7528

\u6ce8\u610f\u4e8b\u9879

LDAP \u914d\u7f6e\u5b8c\u6210\u540e\uff0c\u52a1\u5fc5\u786e\u8ba4 sshd_config \u5df2\u7ecf\u9650\u5236\u4e86\u516c\u7f51\u767b\u5f55\u3002

\u672c\u6587\u6863\u539f\u59cb\u7248\u672c\u590d\u5236\u81ea LUG wiki\uff0c\u7531\u5f20\u5149\u5b87\u3001\u5d14\u704f\u3001\u6731\u665f\u83c1\u3001\u5de6\u683c\u975e\u64b0\u5199\u3002

"},{"location":"infrastructure/mail/","title":"Mail Agent","text":"

\u53ef\u4ee5\u914d\u7f6e\u673a\u5668\u901a\u8fc7 mail.ustclug.org \u53d1\u4ef6\uff0c\u5b9e\u73b0\u8b66\u62a5\u7684\u90ae\u4ef6\u63d0\u9192\uff08\u6536\u4ef6\u4eba\u8bbe\u7f6e\u4e3a alert AT ustclug DOT org\uff09\u3002\u914d\u7f6e\u65f6\u9700\u8981\u5728 mail.s.ustclug.org \u4e0a\u8bbe\u7f6e postfix \u767d\u540d\u5355\u3002

"},{"location":"infrastructure/mail/#_1","title":"\u5e38\u7528\u547d\u4ee4","text":"

\u4ece\u961f\u5217\u4e2d\u5220\u9664\u90ae\u4ef6\uff1asudo postsuper -d <\u90ae\u4ef6 ID>\uff08\u90ae\u4ef6 ID \u53ef\u4ee5\u65e5\u5fd7\u4e2d\u770b\u5230\uff09

\u66f4\u65b0 virtual \u8868\u6620\u5c04\uff1asudo postmap /etc/postfix/virtual \u540e\u91cd\u542f postfix \u670d\u52a1\u3002

"},{"location":"infrastructure/mail/#mailustclugorg-dkim","title":"mail.ustclug.org \u7684 DKIM \u7b7e\u540d","text":"

\u7f16\u8f91 /etc/opendkim/TrustedHosts\uff0c\u6dfb\u52a0\u5185\u90e8\u670d\u52a1\u5bf9\u5e94\u7684 IP\uff08\u6bb5\uff09\u5230\u5176\u4e2d\uff0c\u5e76 reload opendkim \u5373\u53ef\u3002

"},{"location":"infrastructure/monitor/","title":"\u76d1\u63a7\u7cfb\u7edf\u4f7f\u7528\u53ca\u914d\u7f6e\u8bf4\u660e","text":"

\u76d1\u63a7\u7cfb\u7edf\u7531\u4ee5\u4e0b\u51e0\u4e2a\u7ec4\u4ef6\u7ec4\u6210\uff1a

"},{"location":"infrastructure/monitor/#configure-influxdb","title":"Configure InfluxDB","text":"

\u7279\u522b\u6ce8\u610f \uff1aInfluxDB \u9ed8\u8ba4\u6ca1\u6709\u5f00\u542f\u8ba4\u8bc1\u3002

\u9996\u6b21\u8fd0\u884c\u65f6\uff0c\u521b\u5efa\u597d\u7ba1\u7406\u8d26\u53f7\uff08admin\uff09\uff0c\u53ea\u8bfb\u8d26\u53f7\uff08grafana\uff09\u548c\u5199\u5165\u8d26\u53f7\uff08telegraf\uff09\u3002

\u7136\u540e\u4fee\u6539\u4f4d\u4e8e /srv/docker/influxdb/conf/influxdb.conf \u7684\u914d\u7f6e\uff0c\u4fee\u6539\u4ee5\u542f\u7528\u8ba4\u8bc1\uff1a

/srv/docker/influxdb/conf/influxdb.conf
[http]\n# ...\n# Determines whether HTTP authentication is enabled.\nauth-enabled = true\n

\u6b64\u5916\uff0c\u53c2\u8003 https://docs.influxdata.com/influxdb/v1.8/administration/authentication_and_authorization/#set-up-authentication\uff0c\u8003\u8651\u5173\u95ed\u90e8\u5206\u529f\u80fd\uff1a

/srv/docker/influxdb/conf/influxdb.conf
[http]\n# Determines whether the pprof endpoint is enabled.  This endpoint is used for\n# troubleshooting and monitoring.\npprof-enabled = false\n
"},{"location":"infrastructure/monitor/#install-telegraf","title":"Install telegraf","text":"

\u5b98\u65b9\u6587\u6863\u89c1 https://docs.influxdata.com/telegraf/v1/install/

\u5178\u578b\u7684\u5b89\u88c5\u65b9\u5f0f\u662f\u4ece APT \u6e90\u5b89\u88c5\uff1a

wget -O /etc/apt/trusted.gpg.d/influxdb.asc https://repos.influxdata.com/influxdata-archive_compat.key\necho \"deb https://mirrors.ustc.edu.cn/influxdata/debian bullseye stable\" > /etc/apt/sources.list.d/influxdb.list\napt update\napt install --no-install-recommends telegraf\n
\u624b\u52a8\u5b89\u88c5\u65b9\u5f0f\uff08\u4e0d\u63a8\u8350\uff09
wget https://dl.influxdata.com/telegraf/releases/telegraf_1.28.2-1_amd64.deb\nsudo dpkg -i telegraf_1.28.2-1_amd64.deb\n
"},{"location":"infrastructure/monitor/#configure-telegraf","title":"Configure telegraf","text":"

\u914d\u7f6e\u6587\u4ef6\u5728 ustclug/telegraf-config \u4ed3\u5e93\u4e2d\u7ba1\u7406\uff0c\u4f7f\u7528\u65b9\u6cd5\u5982\u4e0b\uff1a

\u914d\u7f6e\u5b8c\u6210\u4e4b\u540e\uff0c\u91cd\u542f telegraf \u670d\u52a1\uff0c\u5e76\u786e\u4fdd\u670d\u52a1\u8fd0\u884c\u6b63\u5e38\u3002

sudo systemctl restart telegraf\nsudo systemctl status telegraf\n

Tip

\u5efa\u8bae\u5728\u88ab\u76d1\u63a7\u673a\u5668\u4e0a\u914d\u7f6e NTP\uff08\u53ef\u4ee5\u4f7f\u7528 systemd-timesyncd\uff0c\u8bbe\u7f6e NTP \u670d\u52a1\u5668\u4e3a time.ustc.edu.cn\uff09\uff0c\u4ee5\u907f\u514d\u65f6\u95f4\u4e0d\u540c\u6b65\u53ef\u80fd\u5e26\u6765\u7684\u95ee\u9898\u3002

"},{"location":"infrastructure/monitor/#web","title":"Web","text":"

Web \u7aef\u76d1\u63a7\u4f4d\u4e8e https://monitor.ustclug.org\uff0c\u8d26\u53f7\u7cfb\u7edf\u4f7f\u7528 LDAP\uff0c\u53ef\u4ee5\u5728\u8fd9\u91cc\u8bbe\u7f6e\u9884\u8b66\u63d0\u793a\u7b49\u3002

Warning

\u914d\u7f6e InfluxDB \u6570\u636e\u6e90\u65f6\uff0c\u53ea\u80fd\u4f7f\u7528\u53ea\u8bfb\u8d26\u53f7\uff0c\u5426\u5219\u4f1a\u5e26\u6765\u4e25\u91cd\u7684\u5b89\u5168\u95ee\u9898\u3002

"},{"location":"infrastructure/monitor/#_2","title":"\u66f4\u65b0\u8bb0\u5f55","text":""},{"location":"infrastructure/monitor/#unified-alerting","title":"\u8fc1\u79fb\u5230 Unified Alerting","text":"

Grafana 11 \u8d77\u5c06\u5b8c\u5168\u5220\u9664\u65e7\u7684\u62a5\u8b66\u7cfb\u7edf\uff0c\u5168\u9762\u4f7f\u7528\u65b0\u7684\uff08\u96be\u7528\u7684\uff09Unified Alerting\u3002

\u6211\u4eec\u539f\u5148\u8fd0\u884c\u7684\u662f Grafana 9.3.8\uff0c\u6839\u636e\u66f4\u65b0\u8bb0\u5f55\uff0c\u53d1\u73b0 v10.4 \u63d0\u4f9b\u4e86\u4e00\u4e2a\u8fc1\u79fb\u5de5\u5177\uff0c\u53ef\u4ee5\u5c06\u539f\u5148\u7684\u62a5\u8b66\u8fc1\u79fb\u5230\u65b0\u7684 Unified Alerting \u7cfb\u7edf\uff0c\u56e0\u6b64\u5148\u5c06 Grafana \u66f4\u65b0\u5230 10.4.3\uff0c\u51c6\u5907\u8fc1\u79fb\u3002

\u5728 Alerting (legacy) \u83dc\u5355\u4e0b\u6709\u4e2a Upgrade rules \u754c\u9762\uff0c\u70b9\u8fdb\u53bb\u5c31\u53ef\u4ee5\u4f7f\u7528\u8fc1\u79fb\u5411\u5bfc\u3002\u9996\u5148\u8fc1\u79fb\u6211\u4eec\u552f\u4e00\u7684\u4e00\u4e2a Notification Channel\uff0c\u53d8\u6210\u4e00\u4e2a Contact Point\u3002\u7531\u4e8e \u5783\u573e\u7684\u65b0 alerting \u65b9\u6848\u6ca1\u6709\u63d0\u4f9b\u9ed8\u8ba4\u7684\u6d88\u606f\u6a21\u677f\uff0c\u56e0\u6b64\u6211\u4eec\u9700\u8981\u81ea\u5df1\u5199\u4e00\u4e2a\uff08\u6587\u6863\u4e5f\u6666\u6da9\u96be\u61c2\uff09\u3002

Notification template telegram.message
{{ define \"alert_list\" -}}\n{{ range . }}[{{ .Labels.alertname }}] {{ .Annotations.description }}\n{{ if or (gt (len .GeneratorURL) 0) (gt (len .SilenceURL) 0) (gt (len .DashboardURL) 0) (gt (len .PanelURL) 0) }}|{{- end }}\n{{- if gt (len .GeneratorURL) 0 }} <a href=\"{{ .GeneratorURL }}\">Source</a> | {{- end }}\n{{- if gt (len .SilenceURL) 0 }} <a href=\"{{ .SilenceURL }}\">Silence</a> | {{- end }}\n{{- if gt (len .DashboardURL) 0 }} <a href=\"{{ .DashboardURL }}\">Dashboard</a> | {{- end }}\n{{- if gt (len .PanelURL) 0 }} <a href=\"{{ .PanelURL }}\">Panel</a> | {{- end }}\n{{ end }}\n{{ end }}\n\n{{- define \"telegram.message\" }}\n{{- if gt (len .Alerts.Firing) 0 }}<strong>Firing</strong>\n{{ template \"alert_list\" .Alerts.Firing }}\n{{ if gt (len .Alerts.Resolved) 0 }}\n{{ end }}\n{{- end }}\n\n{{- if gt (len .Alerts.Resolved) 0 }}<strong>Resolved</strong>\n{{ template \"alert_list\" .Alerts.Resolved }}\n{{ end }}\n{{- end }}\n

\u7136\u540e\u56de\u5230 Contact point \u7f16\u8f91\uff0c\u5c55\u5f00 Optional Telegram settings\uff0c\u5728 Message \u4e2d\u586b\u5165 {{ template \"telegram.message\" . }} \u6765\u5f15\u7528\u6211\u4eec\u521a\u521a\u5199\u7684\u6a21\u677f\uff0c\u5e76\u5c06 Parse mode \u8bbe\u4e3a HTML\u3002

\u63a5\u4e0b\u6765\u56de\u5230\u8fc1\u79fb Alerting \u7684\u5730\u65b9\uff0c\u9010\u4e2a\u8fc1\u79fb Alerting\uff1a

Description \u6a21\u677f

\u5728 Go template \u4e2d\u53ef\u7528\u7684\u5e2e\u52a9\u51fd\u6570\u53c2\u89c1 https://grafana.com/docs/grafana/latest/alerting/alerting-rules/templating-labels-annotations/\u3002

{{ index $labels \"host\" }}: {{ humanize (index $values \"B\").Value }}\n\n{{ index $labels \"host\" }}: {{ humanizePercentage (index $values \"D\").Value }}\n\n{{ index $labels \"host\" }}: {{ humanizeDuration (index $values \"B\").Value }}\n

\u5176\u4e2d index $labels \u540e\u9762\u7684\u53c2\u6570\u53ef\u4ee5\u662f\u524d\u9762 InfluxDB query \u4e2d GROUP BY \u7684 tag\uff0c\u53ef\u4ee5\u7075\u6d3b\u4f7f\u7528\u3002

\u624b\u5de5\u5904\u7406\u5b8c\u5168\u90e8 18 \u4e2a alert rules \u4e4b\u540e\uff08\u7d2f\u6b7b\u6211\u4e86\uff09\uff0c\u5c31\u53ef\u4ee5\u5f00\u59cb\u6d4b\u8bd5\u4e86\u3002

\u5148\u542f\u7528\u65b0\u7684 unified alerting\uff1a

/srv/docker/grafana/conf/grafana.ini
[alerting]\nenabled = false\n\n[unified_alerting]\nenabled = true\n\n[unified_alerting.screenshots]\ncapture = true\n

\u7136\u540e\u627e\u4e2a\u673a\u5668\u91cd\u542f\u4e00\u4e0b\uff0c\u89e6\u53d1 Reboot alert\uff0c\u53bb Telegram \u7fa4\u91cc\u770b\u6d88\u606f\u548c\u56fe\u7247\u90fd\u6b63\u786e\u5192\u51fa\u6765\u4e86\uff0c\u5c31\u8bf4\u660e\u8fc1\u79fb\u6210\u529f\u4e86\u3002

Test alert \u4e0d\u4f1a\u89e6\u53d1\u622a\u56fe\uff0c\u5373\u4f7f\u8bbe\u7f6e\u4e86 Link dashboard and panel \u4e5f\u6ca1\u7528

"},{"location":"infrastructure/office/","title":"Office 365","text":""},{"location":"infrastructure/office/#application","title":"\u7533\u8bf7\u65b9\u5f0f","text":"

\u7406\u8bba\u4e0a\u4efb\u4f55\u793e\u56e2\u8d1f\u8d23\u4eba\u6216\u8005\u5728\u793e\u56e2\u4e2d\u8d1f\u8d23\u91cd\u8981\u9879\u76ee\u7684\u4eba\u5458\u90fd\u53ef\u4ee5\u7533\u8bf7\uff0c\u539f\u5219\u662f\u6309\u9700\u5206\u914d\uff0c\u56e0\u4e3a\u90ae\u7bb1\u662f\u5de5\u4f5c\u5de5\u5177\uff0c\u800c\u4e0d\u662f\u798f\u5229\u8d44\u6e90\u3002

\u540c\u7406\uff0c\u4e0d\u518d\u62c5\u4efb\u8d1f\u8d23\u4eba\u4e14\u4e0d\u518d\u5904\u7406\u4e8b\u52a1\u7684\u540c\u5b66\u4f7f\u7528\u7684\u90ae\u7bb1\u5e94\u8be5\u6536\u56de\uff08\u89c1\u4e0b\u65b9 \u9ed8\u8ba4\u5730\u5740 \u4e00\u8282\uff09\u3002

"},{"location":"infrastructure/office/#email-etiquette","title":"\u90ae\u4ef6\u793c\u4eea","text":"

CC\uff08\u6284\u9001\uff09\u548c\u8bbe\u7f6e\u56de\u590d\u5730\u5740\u7684\u76ee\u7684\u90fd\u662f\u4e3a\u4e86\u8ba9\u6240\u6709 LUG \u8d1f\u8d23\u7684\u540c\u5b66\u53ef\u4ee5\u770b\u5230\u4e8b\u4ef6\u6700\u65b0\u7684\u8fdb\u5c55

\u6284\u9001\u4f1a\u628a\u4f60\u53d1\u7684\u90ae\u4ef6\u7ed9\u6240\u6709\u7684\u8d1f\u8d23\u4eba\uff1b\u56de\u590d\u5730\u5740\uff08Reply-To\uff09\u8bbe\u7f6e\u4e4b\u540e\uff0c\u5bf9\u65b9\u5c31\u77e5\u9053\u8fd9\u662f\u4f60\u4ee3\u8868 LUG \u5199\u7684\u90ae\u4ef6\uff0c\u5e76\u4e14\u9ed8\u8ba4\u56de\u590d\u90ae\u4ef6\u7684\u65f6\u5019\u5730\u5740\u5c31\u662f\u6240\u6709\u8d1f\u8d23\u4eba\u7684\u90ae\u4ef6\u5217\u8868\u3002\u6240\u4ee5\u4e0b\u6587\u4e2d\u8981\u6c42\u8bbe\u7f6e\u8fd9\u4e9b\u5185\u5bb9\u3002

\u5982\u679c\u9047\u5230\u9700\u8981\u4ee5\u79c1\u4eba\u8eab\u4efd\uff0c\u6216\u8005\u4ee5\u5176\u4ed6\u975e LUG \u4ee3\u8868\u8d1f\u8d23\u4eba\u7684\u8eab\u4efd\u56de\u590d\u90ae\u4ef6\u7684\u573a\u5408\uff0c\u8bf7\u4fee\u6539\u56de\u590d\u5730\u5740\u4fe1\u606f\u3002\u56e0\u4e3a Outlook \u7f51\u9875\u7248\u4e0d\u4fbf\u4e8e\u4fee\u6539\u8fd9\u4e9b\u5185\u5bb9\uff0c\u5efa\u8bae\u4f7f\u7528\u90ae\u4ef6\u5ba2\u6237\u7aef\u5904\u7406\u3002\uff08\u4e2a\u4eba\u63a8\u8350 ThunderBird\uff09\u3002

\u5bf9\u4e8e\u9700\u8981\u5411\u975e\u90ae\u4ef6\u5217\u8868\u7684\u4e0d\u7279\u5b9a\u7fa4\u4f53\u7fa4\u53d1\u7684\u90ae\u4ef6\uff08\u4f8b\u5982\u901a\u77e5\u7c7b\u6d88\u606f\uff09\uff0c\u8bf7\u6ce8\u610f\u4e0d\u8981\u5c06\u6240\u6709\u90ae\u7bb1\u90fd\u653e\u5728\u6536\u4ef6\u4eba\u91cc\uff0c\u5426\u5219\u6240\u6709\u6536\u5230\u90ae\u4ef6\u7684\u4eba\u90fd\u80fd\u770b\u5230\u5176\u4ed6\u6536\u4ef6\u4eba\u7684\u90ae\u7bb1\uff08\u9690\u79c1\u95ee\u9898\uff09\uff1b\u5e76\u4e14\u6536\u4ef6\u4eba\u5982\u679c\u56de\u590d\u90ae\u4ef6\u4e0d\u5f53\uff0c\u5176\u4ed6\u7684\u6536\u4ef6\u4eba\u4e5f\u4f1a\u6536\u5230\u5176\u56de\u590d\u3002\u4e00\u79cd\u65b9\u4fbf\u7684\u505a\u6cd5\u662f\uff1a\u5c06\u6240\u6709\u9700\u8981\u6536\u5230\u901a\u77e5\u7684\u6536\u4ef6\u4eba\u653e\u5728\u5bc6\u9001 (BCC)\u4e00\u680f\u4e2d\uff0c\u6536\u4ef6\u4eba\u586b\u5199\u539f\u6284\u9001\u5730\u5740\u3002

\u6211\u4eec\u52a0\u5165\u4e86\u5f88\u591a\u90ae\u4ef6\u5217\u8868\uff0c\u5176\u4e2d\u7ecf\u5e38\u6709\u5404\u79cd\u5f80\u6765\u90ae\u4ef6\uff08\u7279\u522b\u662f CentOS mirror announcement \u8fd9\u4e2a\u5217\u8868\uff0c\u5df2\u9000\uff09\uff0c\u5b83\u4eec\u5927\u591a\u6570\u4e0d\u9700\u8981\u6211\u4eec\u7406\u4f1a\u3002

\u603b\u4e4b\uff0c\u4e0d\u77e5\u9053\u600e\u4e48\u5904\u7406\u7684\u90ae\u4ef6\u4e0d\u8981\u8d38\u7136\u56de\u590d\u3002\u5982\u679c\u4f60\u8ba4\u4e3a\u67d0\u4e00\u5c01\u90ae\u4ef6\u9700\u8981\u6211\u4eec\u5904\u7406\u4f46\u4e0d\u77e5\u9053\u600e\u4e48\u5904\u7406\uff0c\u8bf7\u8f6c\u544a\u7ed9\u5176\u4ed6\u76f8\u5173\u540c\u5b66\u3002

\u4ee5\u4e0b\u5185\u5bb9\u4ece Hypercube \u7f16\u5199\u7684\u5185\u5bb9\u4e2d\u622a\u53d6\uff1a

\u56de\u590d\u4efb\u4f55\u90ae\u4ef6\u65f6\uff0c\u8bf7\u6284\u9001 / CC\uff08\u4e0d\u662f\u5bc6\u9001 / BCC\uff09\u7ed9\u539f\u90ae\u4ef6\u7684\u6536\u4ef6\u5730\u5740\uff01\uff08\u6bd4\u5982\u522b\u4eba\u53d1\u5230 lug A ustc.edu.cn\uff0c\u56de\u590d\u65f6\u4e5f\u8bf7 CC \u5230 lug A ustc.edu.cn\uff09

\u8bf7\u4e0d\u8981\u201c\u53ea\u56de\u590d\u90ae\u4ef6\u201d\u3002\u5982\u679c\u5728\u56de\u590d\u4e2d\u8bf4\u201c\u6211\u4eec\u4f1a\u505a\u67d0\u67d0\u4e8b\u201d\uff0c\u8bf7\u6ce8\u610f\u9664\u975e\u4f60\u660e\u786e\u8f6c\u4ea4\u7ed9\u4e86\u522b\u4eba\uff0c\u8fd9\u4ef6\u4e8b\u5e94\u5f53\u7531\u4f60\u6765\u5b8c\u6210\u3002

"},{"location":"infrastructure/office/#lug-ustc-mailing-list","title":"\u52a0\u5165 LUG @ USTC \u5217\u8868","text":"

\u672c\u8282\u9700\u8981\u7531 Microsoft 365 \u7684\u7ba1\u7406\u5458\u64cd\u4f5c

\u90ae\u4ef6\u5217\u8868\u7ba1\u7406\u5728 Microsoft Admin Portal \u7684 Distribution list \u9875\u9762\uff0c\u5176\u4e2d Staff \u7ec4\u548c Mirrors \u7ec4\u7684\u90ae\u4ef6\u5730\u5740\u5206\u522b\u662f lug A ustc.edu.cn \u548c mirrors A ustc.edu.cn \u7684\u8f6c\u53d1\u76ee\u6807\u3002

"},{"location":"infrastructure/office/#email-signature","title":"\u90ae\u4ef6\u7b7e\u540d","text":"

Outlook \u65e0\u6cd5\u76f4\u63a5\u901a\u8fc7\u7f51\u9875\u7aef\u6dfb\u52a0\u53d1\u4ef6\u4eba\u540d\u79f0\u3001\u8bbe\u7f6e\u56de\u590d\u5730\u5740\uff0c\u56e0\u6b64\u53ea\u80fd\u901a\u8fc7\u90ae\u4ef6\u5ba2\u6237\u7aef\u8fdb\u884c\u4f7f\u7528\u3002\u5728\u4e0b\u4e00\u7ae0\u8282\u7684 Thunderbird \u4e2d\u8fdb\u884c\u8be6\u7ec6\u9610\u8ff0\u3002

"},{"location":"infrastructure/office/#thunderbird","title":"Thunderbird \u914d\u7f6e","text":""},{"location":"infrastructure/office/#tb-login","title":"\u767b\u5f55","text":"

\u5728\u767b\u5f55\u65f6\uff0c\u8f93\u5165\u4e86\u7528\u6237\u540d\u3001\u5bc6\u7801\u540e\uff0c\u4f1a\u663e\u793a\u65e0\u6cd5\u627e\u5230\u5bf9\u5e94\u7684\u90ae\u7bb1\u914d\u7f6e

\u8fdb\u884c\u5982\u4e0b\u7684\u624b\u52a8\u914d\u7f6e\uff1a

\u5982\u4e0b\u56fe\uff1a

\u7136\u540e\u70b9\u5de6\u4e0b\u89d2\u7684 Re-test\uff0c\u91cd\u65b0\u641c\u7d22\u5230\u914d\u7f6e\u540e\uff0c\u5728\u4e24\u4e2a Authentication method \u4e2d\u5747\u9009\u62e9 OAuth2\u3002

\u7136\u540e\u70b9 Done\u3002\u5728\u5f39\u51fa\u7684\u7a97\u53e3\u4e2d\u5b8c\u6210\u8ba4\u8bc1\u3002

"},{"location":"infrastructure/office/#tb-signature","title":"\u7b7e\u540d\u4e0e\u53d1\u4ef6\u8eab\u4efd","text":"

\u5728\u53f3\u4e0a\u89d2\u4e2d\u9009\u62e9\u8d26\u6237\u8bbe\u7f6e\uff0c\u5728\u9ed8\u8ba4\u8eab\u4efd\u4e2d

\u7ed3\u679c\u5982\u56fe\uff1a

"},{"location":"infrastructure/office/#tb-cc","title":"\u6284\u9001\u8bbe\u7f6e","text":"

\u5728\u8d26\u6237\u8bbe\u7f6e\u4e2d\uff0c\u9009\u62e9\u8eab\u4efd\u7ba1\u7406\uff0c\u70b9\u51fb\u7f16\u8f91\uff0c\u9009\u62e9 Copies and Folders, \u542f\u7528 Cc these email addresses, \u5e76\u8f93\u5165\u9ed8\u8ba4\u6284\u9001\u5730\u5740 lug A ustc.edu.cn

"},{"location":"infrastructure/office/#html","title":"HTML\u4e0e\u7eaf\u6587\u672c","text":"

\u90ae\u4ef6\u53ef\u4ee5\u4ee5 HTML \u65b9\u5f0f\u7f16\u5199\uff0c\u4e5f\u53ef\u4ee5\u53ea\u662f\u7eaf\u6587\u672c\u5185\u5bb9\u3002\u4e3a\u4e86\u964d\u4f4e\u5bf9\u65b9\u9605\u8bfb\u51fa\u73b0\u9ebb\u70e6\u7684\u53ef\u80fd\u6027\uff0c\u5efa\u8bae\u4f7f\u7528\u7eaf\u6587\u672c\u6d88\u606f\u3002\u4f7f\u7528\u7eaf\u6587\u672c\u6d88\u606f\u7684\u65b9\u6cd5\u662f\uff1a\u6253\u5f00 Thunderbird \u8bbe\u7f6e \uff0c\u6253\u5f00 Account Settings \uff0c\u6253\u5f00\u5bf9\u5e94\u90ae\u4ef6\u5730\u5740\u4e0b\u7684 Composition & Addressing \u9875\u9762\uff0c\u5728 Composition \u8282\u4e0b\u627e\u5230 Compose messages in HTML format \uff0c\u5c06\u5176\u590d\u9009\u6846\u53bb\u9664\u52fe\u9009\u5373\u53ef\u3002

"},{"location":"infrastructure/office/#tb-folders","title":"\u6587\u4ef6\u5939","text":"

Thunderbird \u7ef4\u62a4\u4e86\u81ea\u5df1\u7684\u6587\u4ef6\u5939\uff0c\u5982\u679c\u9700\u8981\u4e0e\u4e91\u7aef\u7684\u6587\u4ef6\u5939\u540c\u6b65\uff0c\u53ef\u4ee5\u8fdb\u884c\u5982\u4e0b\u64cd\u4f5c

\u5728\u8d26\u6237\u4e0a\u53f3\u952e\uff0c\u5728\u5f39\u51fa\u7684\u83dc\u5355\u4e2d\u70b9\u51fb Subscribe\u3002\u5f39\u51fa\u7684\u7a97\u53e3\u4e2d\u5305\u542b\u4e86\u4e91\u7aef\u7684\u6587\u4ef6\u5939\uff0c\u7531\u4e8e Thunderbird \u4f1a\u81ea\u884c\u7ef4\u62a4\u5783\u573e\u7bb1\u548c\u5df2\u53d1\u90ae\u4ef6\uff0c\u56e0\u6b64\u53ef\u80fd\u4f1a\u6709\u4e24\u4e2a\u5783\u573e\u7bb1\uff0cDeleted Items \u548c Trash\uff0c\u53ef\u4ee5\u5728\u7f51\u9875\u7aef\u5220\u9664\u4e0d\u9700\u8981\u7684\u6587\u4ef6\u5939\uff0c\u5e76\u5728 Thunderbird \u4e2d\u9009\u62e9\u9700\u8981\u7684\u3002

\u7136\u540e\u6253\u5f00\u8d26\u6237\u8bbe\u7f6e\uff0c\u8fdb\u884c\u5982\u4e0b\u4fee\u6539

  1. \u5728 Server Settings \u4e0b\uff0c\u4fee\u6539 When I delete a message \u4e3a Move it to this folder: Deleted Items

  2. \u5728 Copies & Folders \u4e0b\uff0c\u4fee\u6539 Place a copy\u3001Keep message archives in\u3001Keep draft messages in \u4e3a\u5bf9\u5e94\u7684\u8fdc\u7aef\u670d\u52a1\u5668\u6587\u4ef6\u5939

"},{"location":"infrastructure/office/#tb-junk","title":"\u5783\u573e\u90ae\u4ef6","text":"

Outlook \u4e91\u7aef\u5df2\u7ecf\u5e26\u6709\u4e86\u5783\u573e\u90ae\u4ef6\u5206\u7c7b\u529f\u80fd\uff0c\u4e0d\u9700\u8981 Thunderbird \u81ea\u5df1\u7684\u5783\u573e\u90ae\u4ef6\u5206\u7c7b\u529f\u80fd\u3002

\u5728\u8d26\u6237\u8bbe\u7f6e\u7684 Local Folders \u4e0b\u7684 Junk Settings \u4e2d\uff0c\u53d6\u6d88\u9009\u4e2d Enable adaptive junk mail controls for this account\u3002

\u8bf7\u5728\u4e0a\u9762\u7684 Subscribe \u4e2d\u5c06\u5783\u573e\u90ae\u4ef6\u9009\u4e2d\u4ee5\u540c\u6b65\u3002\u6b64\u5916\uff0c\u7531\u4e8e Outlook \u76ee\u524d\u4f1a\u5c06\u51e0\u4e4e\u6240\u6709\u90ae\u4ef6\u90fd\u6254\u8fdb\u5783\u573e\u90ae\u4ef6\u7bb1\uff08\u539f\u56e0\u4f3c\u4e4e\u662f M365 \u7684\u673a\u5668\u5b66\u4e60\u6a21\u578b\u4f1a\u628a\u6240\u6709\u79d1\u5927\u7684\u90ae\u4ef6\u6254\u8fdb\u5783\u573e\u7bb1\uff09\uff0c\u56e0\u6b64\u8bbe\u7f6e\u62c9\u53d6\u90ae\u4ef6\u65f6\u603b\u662f\u68c0\u67e5\u5783\u573e\u90ae\u4ef6\u7bb1\u3002\u8bbe\u7f6e\u65b9\u6cd5\u4e3a\u5728\u5783\u573e\u90ae\u4ef6\u76ee\u5f55\u4e0a\u70b9\u51fb\u53f3\u952e \u2192 \u5c5e\u6027\uff0c\u7136\u540e\u9009\u62e9\u8fd9\u91cc\u7b2c\u4e8c\u4e2a\u52fe\uff1a

\u6ce8\u610f

\u4e0d\u8981\u67e5\u770b\u5783\u573e\u90ae\u4ef6\u7684\u8fdc\u7a0b\u5185\u5bb9\u3002\u4e0d\u8981\u56de\u590d\u5783\u573e\u90ae\u4ef6\u3002\u6b63\u5e38\u90ae\u4ef6\u9700\u8981\u624b\u52a8\u79fb\u52a8\u5230\u6536\u4ef6\u7bb1\u3002

"},{"location":"infrastructure/office/#tb-profiles","title":"\u4f7f\u7528 Thunderbird \u914d\u7f6e\u4e0d\u540c\u7684\u8eab\u4efd","text":"

(written by taoky)

\u5728\u67d0\u4e9b\u60c5\u51b5\u4e0b\uff0c\u9700\u8981\u8bbe\u7f6e\u65b0\u7684\u53d1\u4ef6\u4eba\u540d\u79f0\u548c\u56de\u590d\u5730\u5740\uff08\u4f8b\u5982 hackergame staff \u9700\u8981\u4e00\u5957\u4e0d\u540c\u7684\u8bbe\u7f6e\uff09\u3002\u7531\u4e8e Gmail \u7f51\u9875\u7aef\u4fee\u6539\u914d\u7f6e\u5f88\u9ebb\u70e6\uff08\u800c\u4e14\u5f88\u5bb9\u6613\u5fd8\u8bb0\u6539\u56de\u6765\uff09\uff0c\u5f3a\u70c8\u5efa\u8bae\u4f7f\u7528\u90ae\u4ef6\u5ba2\u6237\u7aef\u3002\u4e2a\u4eba\u4f7f\u7528\u7684\u662f Thunderbird\uff0c\u4e0b\u9762\u4e5f\u4ee5\u5b83\u4e3a\u4f8b\u5b50\u3002

\u5728\u8d26\u53f7\u52a0\u4e0a\u90ae\u7bb1\u4e4b\u540e\uff0c\u70b9\u51fb\u53f3\u952e \u2192 \u5c5e\u6027\uff0c\u9ed8\u8ba4\u914d\u7f6e\uff08LUG Staff\uff09\u5982\u56fe\uff1a

\u9700\u8981\u6dfb\u52a0\u65b0\u8eab\u4efd\u65f6\uff0c\u70b9\u51fb\u53f3\u4e0b\u89d2\u300c\u7ba1\u7406\u6807\u8bc6\u300d\uff0c\u6dfb\u52a0\u5bf9\u5e94\u7684\u6807\u8bc6\u3002\u5bf9\u4e8e hackergame\uff0c\u53ef\u4ee5\u914d\u7f6e\u5982\u4e0b\uff1a

\u5e76\u53c2\u8003\u6284\u9001\u8bbe\u7f6e \u914d\u7f6e\u9ed8\u8ba4\u6284\u9001\u5730\u5740 (hackergame A ustclug.org)

\u914d\u7f6e\u5b8c\u6210\u540e\uff0c\u5728\u7f16\u5199\u90ae\u4ef6\u65f6\uff0c\u5c31\u53ef\u4ee5\u9009\u62e9\u65b0\u7684\u6807\u8bc6\u4e86\uff0c\u5e76\u4e14\u53d1\u4ef6\u4eba\u540d\u79f0\u3001\u56de\u590d\u5730\u5740\u548c\u7b7e\u540d\u90fd\u4f1a\u81ea\u52a8\u8bbe\u7f6e\u597d\u3002

\u4f7f\u7528 Thunderbird \u914d\u7f6e\u5b66\u6821\u90ae\u7bb1\u9700\u8981\u7684\u989d\u5916\u8bbe\u7f6e

james: \"thunderbird\u67d0\u6b21\u5347\u7ea7\u540e\u51fa\u4e86\u4e00\u4e2abug\uff0c\u8fde\u63a5\u65f6\u670d\u52a1\u5668\u8fd4\u56de\u652f\u6301utf8\uff0ctb\u53d1\u4e86\u4e00\u4e2a\u547d\u4ee4enable utf8\uff0c\u670d\u52a1\u5668\u6b63\u5e38\u8fd4\u56de\u540e\uff0ctb\u6709bug\u8ba4\u4e3a\u4e00\u76f4\u5728\u7b49\u670d\u52a1\u5668\u5e94\u7b54\u3002\"

\u6240\u4ee5\u5982\u679c\u9700\u8981\u4f7f\u7528 Thunderbird \u4ece mail.ustc.edu.cn \u6536\u53d1\u90ae\u4ef6\uff0c\u9700\u8981\u505a\u4ee5\u4e0b\u7684\u914d\u7f6e\uff1aEdit -> Settings\uff0c\u5728 \"General\" \u4e2d\u62d6\u5230\u6700\u4e0b\u9762\u9009\u62e9 \"Config Editor...\"\u3002\u5728\u65b0\u5f39\u51fa\u7684\u9ad8\u7ea7\u914d\u7f6e\u7684\u6807\u7b7e\u4e2d\u8f93\u5165 utf8\uff0c\u5c06 mail.server.default.allow_utf8_accept \u7684\u503c\u4ece true \u6539\u6210 false\u3002\u8fd9\u4e2a\u8bbe\u7f6e\u4e0d\u4f1a\u5f71\u54cd\u5176\u4ed6\u90ae\u7bb1\u7684\u4f7f\u7528\u3002

"},{"location":"infrastructure/office/#gmail","title":"Gmail","text":"

Warning

\u7531\u4e8e Google \u5c06 G Suite \u5168\u9762\u8f6c\u5411\u4ed8\u8d39\u670d\u52a1\uff0c\u6211\u4eec\u5df2\u5728 2022 \u5e74 3 \u6708 31 \u65e5\u540e\u505c\u6b62\u4f7f\u7528 G Suite \u76f8\u5173\u670d\u52a1\u3002\u8f6c\u5411 Office 365 \u63d0\u4f9b\u7684\u670d\u52a1\u3002\u4ee5\u4e0b\u5185\u5bb9\u4ec5\u4f5c\u4e3a\u5b58\u6863\u4e0e\u53c2\u8003

\u4ee5\u4e0b\u539f\u6587\u7531 Hypercube \u7f16\u5199

\u5927\u5bb6\u597d\uff0c

\u8bf7\u5404\u4f4d\u9605\u8bfb\u4e0b\u65b9\u5185\u5bb9\uff0c\u5e76\u6309\u6307\u793a\u914d\u7f6e\u81ea\u5df1\u7684\u90ae\u7bb1\uff1a

\u767b\u5f55\u7f51\u9875\u7248 Gmail\uff0c\u5728\u53f3\u4e0a\u89d2\u70b9\u5f00\u8bbe\u7f6e\uff0c\u4e8e\u201c\u5e38\u89c4\u201d\u6807\u7b7e\u9875\u4e2d\u8bbe\u7f6e\u201c\u7b7e\u540d\u201d\u4e3a\u7eaf\u6587\u672c\u5982\u4e0b\u5185\u5bb9\uff08\u5171 5 \u884c\uff0c\u5c06\u6700\u540e\u4e00\u884c\u6362\u6210\u81ea\u5df1\u7684\u4fe1\u606f\uff09\uff1a

Linux User Group University of Science and Technology of China Homepage: https://lug.ustc.edu.cn/ E-Mail: lug@ustc.edu.cn Zibo Wang (\u738b\u5b50\u535a) <example@ustclug.org>

\u4e8e\u201c\u8d26\u53f7\u201d\u6807\u7b7e\u9875\u4e2d\u201c\u7528\u8fd9\u4e2a\u5730\u5740\u53d1\u9001\u90ae\u4ef6\u201d\u5185\u70b9\u201c\u4fee\u6539\u4fe1\u606f\u201d\uff0c\u5728\u5f39\u51fa\u7a97\u53e3\u4e2d\u8f93\u5165\u540d\u79f0\u201cZibo Wang on behalf of USTC LUG\u201d\uff08\u8bf7\u6362\u6210\u81ea\u5df1\u7684\u540d\u5b57\uff09\uff0c\u8f93\u5165\u56de\u590d\u5730\u5740\u201clug@ustc.edu.cn\u201d\u3002

\u8fd8\u53ef\u4ee5\u89c6\u81ea\u5df1\u9700\u8981\u5728\u201c\u8f6c\u53d1\u548c POP / IMAP\u201d\u6807\u7b7e\u9875\u4e2d\u914d\u7f6e\u81ea\u52a8\u8f6c\u53d1\uff0c\u4f46\u8bf7\u6ce8\u610f\uff0c\u5982\u679c\u4f60\u914d\u7f6e\u4e86\u8f6c\u53d1\u5230\u81ea\u5df1\u7684\u5e38\u7528\u90ae\u7bb1\uff0c\u8bf7\u4e0d\u8981\u76f4\u63a5\u4ece\u5e38\u7528\u90ae\u7bb1\u56de\u590d\u90ae\u4ef6\uff0c\u800c\u5e94\u8be5\u767b\u5f55 LUG \u90ae\u7bb1\u56de\u590d\u3002 \u56de\u590d\u4efb\u4f55\u90ae\u4ef6\u65f6\uff0c\u8bf7\u6284\u9001 / CC\uff08\u4e0d\u662f\u5bc6\u9001 / BCC\uff09\u7ed9\u539f\u90ae\u4ef6\u7684\u6536\u4ef6\u5730\u5740\uff01\uff08\u6bd4\u5982\u522b\u4eba\u53d1\u5230 lug A ustc.edu.cn \uff0c\u56de\u590d\u65f6\u4e5f\u8bf7 CC \u5230 lug A ustc.edu.cn\uff09

\u8bf7\u4e0d\u8981\u201c\u53ea\u56de\u590d\u90ae\u4ef6\u201d\u3002\u5982\u679c\u5728\u56de\u590d\u4e2d\u8bf4\u201c\u6211\u4eec\u4f1a\u505a\u67d0\u67d0\u4e8b\u201d\uff0c\u8bf7\u6ce8\u610f\u9664\u975e\u4f60\u660e\u786e\u8f6c\u4ea4\u7ed9\u4e86\u522b\u4eba\uff0c\u8fd9\u4ef6\u4e8b\u5e94\u5f53\u7531\u4f60\u6765\u5b8c\u6210\u3002

\u5728\u6dfb\u52a0\u4e86\u7b7e\u540d\u540e\uff0c\u5728\u4e0b\u9762\u7684\u201c\u9ed8\u8ba4\u7b7e\u540d\u8bbe\u7f6e\u201d\u4e2d\uff0c\u5c06\u201c\u7528\u4e8e\u65b0\u7535\u5b50\u90ae\u4ef6\u201d\u4ee5\u53ca\u201c\u7528\u4e8e\u56de\u590d/\u8f6c\u53d1\u201d\u5747\u9009\u62e9\u4e3a\u4e0a\u9762\u6dfb\u52a0\u7684\u7b7e\u540d\u3002

\u8bb0\u5f97\u6eda\u52a8\u5230\u9875\u9762\u6700\u4e0b\u65b9\u70b9\u51fb\u201c\u4fdd\u5b58\u9875\u9762\u201d\uff01

"},{"location":"infrastructure/office/#default-route","title":"\u8bbe\u7f6e\u9ed8\u8ba4\u5730\u5740","text":"

\u672c\u8282\u5199\u7684\u662f G Suite \u7528\u6cd5\uff0c\u9700\u8981\u66f4\u65b0\u6210 Office 365

G Suite \u652f\u6301\u5c06\u5355\u4e2a\u5730\u5740\u8bbe\u4e3a\u201c\u9ed8\u8ba4\u5730\u5740\u201d\uff0c\u7528\u4e8e\u63a5\u53d7\u53d1\u5f80\u4e0d\u5b58\u5728\u7684\u5730\u5740\u7684\u90ae\u4ef6\u3002

\u53c2\u8003\u8d44\u6599\uff1ahttps://support.google.com/a/answer/2368153

\u5bf9\u4e8e\u4e2d\u6587\u754c\u9762\uff0c\u5e94\u8be5\u4ece Google Admin \u63a7\u5236\u53f0\u6309\u987a\u5e8f\u9009\u62e9 \u5e94\u7528 \u2192 G Suite \u2192 Gmail \u2192 \u9ad8\u7ea7\u8bbe\u7f6e\uff0c\u5176\u4e2d\u7684 \u65e0\u9650\u522b\u540d\u5730\u5740 \u5c31\u662f\u8fd9\u4e2a\u9009\u9879\uff0c\u4e00\u822c\u53d1\u7ed9\u4f1a\u957f\u6216 CTO\u3002

"},{"location":"infrastructure/raid/","title":"RAID","text":""},{"location":"infrastructure/raid/#megaraid","title":"MegaRAID \u5e38\u7528\u547d\u4ee4","text":"

MegaRAID \u6e90\u91cc\u6ca1\u6709\uff0c\u9700\u8981\u4ece\u5b98\u7f51\u4e0b\u8f7d RPM \u5305\u540e\u624b\u52a8\u89e3\u538b\u3002Debian 10 \u5b89\u88c5 libncurses5 \u540e\u53ef\u4f7f\u7528\u3002

sudo /opt/MegaRAID/MegaCli/MegaCli64 -adpallinfo -aAll  # \u67e5\u770b\u6240\u6709\u4fe1\u606f\nsudo /opt/MegaRAID/MegaCli/MegaCli64 -pdlist -aall  # \u67e5\u770b\u7269\u7406\u76d8\u4fe1\u606f\n
"},{"location":"infrastructure/raid/#_1","title":"\u76d1\u63a7","text":"

\u73b0\u5728\u90e8\u7f72\u7684\u65b9\u6848\u662f\u7531 telegraf \u6267\u884c\u89e3\u6790\u811a\u672c\uff0c\u5c06\u6570\u636e\u53d1\u9001\u5230 influxdb\uff0c\u7531 grafana \u62a5\u8b66\u3002

\u811a\u672c\uff1a

"},{"location":"infrastructure/raid/#esxi","title":"ESXi","text":"

https://docs.broadcom.com/docs-and-downloads/raid-controllers/raid-controllers-common-files/8-07-07_MegaCLI.zip

ESXi 5 \u7684 binary \u548c ESXi 6.0 \u517c\u5bb9\u3002

esxcli software vib install -v=/tmp/vmware-esx-MegaCli-8.07.07.vib --no-sig-check\n

\u7136\u540e\u8fdb\u5165 /opt/lsi/MegaCLI \u76ee\u5f55\u6267\u884c MegaCli.

"},{"location":"infrastructure/raid/#ssacli-hpe-smart-array","title":"ssacli (HPE Smart Array)","text":"

pve-6 \u7684 RAID \u65b9\u6848\u662f HPE Smart Array\u3002\u5bf9\u5e94\u4f7f\u7528\u65b9\u6cd5\u53ef\u4ee5\u53c2\u8003 https://gist.github.com/mrpeardotnet/a9ce41da99936c0175600f484fa20d03\u3002

\u5bf9\u5e94\u4e3b\u673a\u9700\u8981\u5b89\u88c5 https://downloads.linux.hpe.com/SDR/repo/mcp/Debian/pool/non-free/ssacli-5.30-6.0_amd64.deb\uff08HPE \u6e90\u5b9e\u5728\u592a\u6162\u4e86\uff09\u3002

"},{"location":"infrastructure/sshca/","title":"SSH Certificate Authentication","text":"

Discussion: SSH \u5347\u7ea7\u5230\u8bc1\u4e66\u767b\u9646\u65b9\u6848\u8ba8\u8bba

Usage: SSH \u8bc1\u4e66\u8ba4\u8bc1\u7684\u4f7f\u7528\u65b9\u6cd5 (See also: iBug's blog)

"},{"location":"infrastructure/sshca/#introduction","title":"Introduction","text":"

An SSH Certificate Authority (CA) is a trusted key pair that issues certificates. It has the same format as a regular SSH private-public key pair (it is, in fact).

Certificates can be used for authentication on both the server side and the client side. But certificates cannot issue new certificates (i.e. no chains), it is the very difference from X.509 certificate system.

"},{"location":"infrastructure/sshca/#server-setup","title":"Server setup","text":""},{"location":"infrastructure/sshca/#trustedusercakeys","title":"Configure server to accept client certificates","text":"

First drop our public key to /etc/ssh/ssh_user_ca:

/etc/ssh/ssh_user_ca
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1Bxw9AXoZvc9HTe5o4f7/qOROcmzvlcO5oofoF3pewtRnhNpcd/DwmxSblqpj/cjLYkE32mSCzMYY8X0CRFyMJsgSIDC4i4LXDNU0e8PbB2NIQAAeyfJEU5m/Dn1tPw9WvPtPqHCRvgSwnRfzYngMVWROgV2Qe6pOqTTgetEYfb5gkDc2i1M7yfTp3H3ExfrDKwOKPc/9UYOADMFU6u1fJN+4epLETilHC1ubtBeVi23pn1K+LDy06Gwhq1MLljCM7gFBMrmv894HrOHU4WrzLUlfkiDt2cyXLb4qPWYqilBFLUjU92kjmiI/EwB/8pR1WmdU7FoYpdgBHNr3NT53 LUG-CA\n

Then add the following line to sshd config (Debian 11+):

/etc/ssh/sshd_config.d/ustclug.conf
TrustedUserCAKeys /etc/ssh/ssh_user_ca\n

Old version config (<= Debian 10)

On Debian 10 (buster) or older, sshd_config does not support the Include directive. Thus any extra setting must be added in the main sshd_config file directly.

"},{"location":"infrastructure/sshca/#issue-a-server-certificate","title":"Issue a server certificate","text":"

Warning

When signing certificates using OpenSSH <= 8.1, add -t rsa-sha2-512 to the ssh-keygen command. More details can be found here: https://ibug.io/p/35

Note

Some of our servers may still be running Debian Jessie, which has OpenSSH 6.7 that does not support SHA-2 certificate algorithms (OpenSSH 7.2 required). Sign with -t ssh-rsa instead if you want to log in to such servers.

January 2022 update: We believe we have got rid of all Jessie systems, so this should no longer be the case.

Copy the file /etc/ssh/ssh_host_rsa_key.pub from target server.

Then, run ssh-keygen to issue a public key. For example:

ssh-keygen -s /path/to/ssh_ca \\\n           -I blog \\\n           -h \\\n           -n blog.s.ustclug.org,blog.p.ustclug.org,10.254.0.15,202.141.176.98,202.141.160.98 \\\n           ssh_host_rsa_key.pub\n

Then, copy the certificate file ssh_host_rsa_key-cert.pub back to target server.

At last, add the following lines to sshd config:

/etc/ssh/sshd_config.d/ustclug.conf
HostKey /etc/ssh/ssh_host_rsa_key\nHostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub\n

Warning

See the same warning block above.

Certificate will take effect after SSH daemon is reloaded (systemctl reload ssh).

"},{"location":"infrastructure/sshca/#client-setup","title":"Client setup","text":"

Add the following line to your known_hosts:

~/.ssh/known_hosts
@cert-authority * ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1Bxw9AXoZvc9HTe5o4f7/qOROcmzvlcO5oofoF3pewtRnhNpcd/DwmxSblqpj/cjLYkE32mSCzMYY8X0CRFyMJsgSIDC4i4LXDNU0e8PbB2NIQAAeyfJEU5m/Dn1tPw9WvPtPqHCRvgSwnRfzYngMVWROgV2Qe6pOqTTgetEYfb5gkDc2i1M7yfTp3H3ExfrDKwOKPc/9UYOADMFU6u1fJN+4epLETilHC1ubtBeVi23pn1K+LDy06Gwhq1MLljCM7gFBMrmv894HrOHU4WrzLUlfkiDt2cyXLb4qPWYqilBFLUjU92kjmiI/EwB/8pR1WmdU7FoYpdgBHNr3NT53 LUG-CA\n

And when you log in to a LUG server, it is automatically trusted. If you find a machine that does not support this setup, report it to CTO.

"},{"location":"infrastructure/sshca/#issue-a-client-certificate","title":"Issue a client certificate","text":"
ssh-keygen -s /path/to/ssh_ca \\\n           -I certificate_identity \\\n           -n principals \\\n          [-O options] \\\n          [-V validity_interval] \\\n           public_key_file\n

For example:

ssh-keygen -s /path/to/ssh_ca -I \"Yifan Gao\" -n yifan -V -5m:+365d yifan.pub\n

In general, certificate_identity is the user's full name, and principals is the system username. The certificate identity is used to identify certificates and is logged in system logs. In addition, one certificate can carry multiply principals, like:

ssh-keygen -s /path/to/ssh_ca -I \"Yifan Gao\" -n yifan,root,liims -V -5m:+365d yifan.pub\n

It authorizes the certificate owner to login to any server as yifan, root or liims user.

Note

The liims principal is used to log into library inquiry machines.

Tip

The validity interval by default starts at the current system time. Using -5m:+365d creates a certificate valid from 5 minutes ago to make up for offset times on other systems. Otherwise it's not much useful to have a validity period starting from a long time ago.

For security purposes, avoid creating certificates without a defined validity period. It's also recommended to keep validity periods as short as necessary.

"},{"location":"infrastructure/ssl/","title":"SSL Certificates","text":"

Discussion: #224

Our SSL certificates are automatically renewed on GitHub ustclug/ssl-cert ( Private).

We delegate the subdomain ssl-digitalocean.ustclug.org to DigitalOcean DNS hosting, and use acme.sh DNS alias mode to issue certificates. For this to work, we have the following CNAME records in place:

_acme-challenge.lug.ustc.edu.cn    ->  lug.ssl-digitalocean.ustclug.org\n_acme-challenge.ustclug.org        ->  lug.ssl-digitalocean.ustclug.org\n_acme-challenge.proxy.ustclug.org  ->  lug.ssl-digitalocean.ustclug.org\n\n_acme-challenge.vpn.lug.ustc.edu.cn  ->  lugvpn.ssl-digitalocean.ustclug.org\n_acme-challenge.vpn.ustclug.org      ->  lugvpn.ssl-digitalocean.ustclug.org\n\n_acme-challenge.mirrors.ustc.edu.cn  ->  mirrors.ssl-digitalocean.ustclug.org\n

Individual machines that use SSL certificates should pull from the said repository (branch cert). Certificates may be loaded via symbolic links (for processes running on the host system directly), or copied around from within the updater script (when there are path constraints, e.g. in a Docker container). The update task is managed by cron.

Update script for reference:

/etc/ssl/private/.git/update.sh
#!/bin/sh\n\ncd \"/etc/ssl/private\"\n\ngit fetch -q\nif [ \"$(git rev-parse HEAD)\" = \"$(git rev-parse '@{u}')\" ]; then\n  exit 0\nfi\ngit reset --hard '@{u}'\n\n# Display certificate dates. This section is optional\nif command -v openssl >/dev/null 2>&1; then\n  echo \"Cert has been updated. New expiry:\"\n  for f in */cert.pem; do\n    echo \"$f:\"\n    openssl x509 -in \"$f\" -noout -dates\n  done\nelse\n  echo \"Cert has been updated.\"\nfi\n\nsystemctl reload openresty.service\n# Other `cp -a` or `docker restart` commands, etc.\n

The DigitalOcean account we use is owned by iBug and has nothing else running.

Plan B

Hurricane Electric provides hosted DNS zones for free, which is also supported by acme.sh. This makes HE DNS a feasible alternative should our current dependency (DigitalOcean) fails.

"},{"location":"infrastructure/ssl/#exceptions","title":"Exceptions","text":"

PXE manages its own certificates with acme.sh and validates via HTTP-01 challenge. The certificates are stored in /etc/acme.sh/pxe.ustc.edu.cn/.

"},{"location":"infrastructure/tinc/","title":"Tinc VPN \u914d\u7f6e\u8bf4\u660e","text":"

Tinc VPN \u662f LUG \u5185\u7f51\u7684\u4e3b\u8981\u6784\u6210\u8f6f\u4ef6\uff0cLDAP \u9700\u8981\u7528\u5230\u5b83\uff08\u56e0\u4e3a ldap \u670d\u52a1\u5668\u662f\u4e2a\u5185\u7f51\u670d\u52a1\u5668\uff09

"},{"location":"infrastructure/tinc/#_1","title":"\u5b89\u88c5","text":"

Debian 9+ \u53ef\u4ee5\u76f4\u63a5\u4ece apt \u6e90\u5b89\u88c5 tinc \u5305\u3002

\u4e0d\u65e9\u8bf4\u8fd9\u73a9\u610f\u6709\u4e2a Git \u4ed3\u5e93\uff1f\uff1fhttps://git.lug.ustc.edu.cn/ustclug/tinc-configure

\u65e2\u7136\u6709\u4ed3\u5e93\u6240\u4ee5\u8981\u505a\u7684\u4e8b\u60c5\u6bd4\u8f83\u7b80\u5355\uff0c\u8fdb\u5165 /etc/tinc \u76ee\u5f55\u51c6\u5907\u548c Git \u4ed3\u5e93\u540c\u6b65\u914d\u7f6e\uff1a

git init\ngit remote add origin https://git.lug.ustc.edu.cn/ustclug/tinc-configure.git\ngit fetch origin master\ngit reset --hard FETCH_HEAD\n

\u6ce8\u610f git reset \u4f1a\u8986\u76d6\u90e8\u5206\u6587\u4ef6\uff0c\u5efa\u8bae\u5728\u5168\u65b0\u5b89\u88c5 tinc \u4e4b\u540e\u8fdb\u884c\u540c\u6b65\u914d\u7f6e\u3002

\u914d\u7f6e\u5b8c\u6210\u540e\u6267\u884c systemctl enable tinc@ustclug.service \u4f7f tinc \u80fd\u591f\u5f00\u673a\u542f\u52a8\u3002

"},{"location":"infrastructure/tinc/#_2","title":"\u52a0\u5165\u4e3b\u673a","text":"

\u9996\u5148\u9700\u8981\u5728\u65b0\u4e3b\u673a\u4e0a\u751f\u6210\u5bc6\u94a5\uff1a

tincd -n ustclug -K\n

\u7136\u540e\u5728 /etc/tinc/ustclug/hosts/$HOST \u6700\u540e\u8865\u4e0a\u4e00\u884c\uff1a

Address = [\u8fd9\u53f0\u673a\u5668\u7684\u516c\u7f51IP]\n

\u628a\u65b0\u589e\u7684\u8fd9\u4e2a\u6587\u4ef6\u63d0\u4ea4\u8fdb Git \u4ed3\u5e93\uff0c\u5e76\u5728 {ldap,board,gateway-el,gateway-nic}.s.ustclug.org \u7b49\u591a\u53f0\u673a\u5668\u4e0a\u901a\u8fc7 git pull \u66f4\u65b0\uff0c\u5e76 systemctl reload tinc@ustclug.service\u3002

"},{"location":"infrastructure/tinc/#ip","title":"\u5185\u7f51 IP","text":"

\u6d4b\u8bd5\u7684\u65f6\u5019\uff0c\u4f60\u53ef\u4ee5\u76f4\u63a5\u901a\u8fc7 ifconfig \u7b49\u65b9\u5f0f\u6307\u5b9a\u4e00\u4e2a\u4e34\u65f6\u7684 IP\uff0c\u6ce8\u610f\u4e0d\u8981\u4e0e\u5df2\u6709\u7684\u5185\u7f51 IP \u51b2\u7a81\uff1a

ifconfig 10.254.0.xxx/21 ustclug\n

\u8fd9\u65f6\u5019\u5e94\u8be5\u80fd\u4ece\u5176\u4ed6\u673a\u5668 ping \u901a\u8fd9\u4e2a IP\u3002

\u6307\u5b9a\u9759\u6001\u5185\u7f51 IP \u7684\u6b63\u786e\u65b9\u6cd5\u662f\u5728 DNS \u4e2d\u6dfb\u52a0\u4e00\u6761\u8fd9\u6837\u7684\u8bb0\u5f55\uff1a

$ORIGIN s.ustclug.org\n<HOST>  600     IN A    <Intranet IP>\n

\u7136\u540e\u5728\u673a\u5668\u4e0a\u91cd\u542f systemctl restart tinc@ustclug.service \u5c31\u80fd\u81ea\u52a8\u83b7\u53d6\u4e86\u3002

"},{"location":"infrastructure/tinc/#ssh","title":"\u914d\u7f6e SSH \u4fa6\u542c\u5185\u7f51\u5730\u5740","text":"

Tip

\u5bf9\u4e8e Debian 11+ \u7684\u7cfb\u7edf\uff0c\u5efa\u8bae\u4fdd\u6301 sshd_config \u4e0d\u52a8\uff0c\u5c06\u81ea\u5b9a\u4e49\u7684\u914d\u7f6e\u5199\u5165 sshd_config.d/ustclug.conf\uff0c\u4ee5\u51cf\u5c11\u66f4\u65b0 ssh \u8f6f\u4ef6\u5305\u65f6\u7684\u914d\u7f6e\u6587\u4ef6\u51b2\u7a81\u3002\u6ce8\u610f\u5982\u679c\u8fd9\u4e48\u505a\u7684\u8bdd\u9700\u8981\u628a\u914d\u7f6e\u6587\u4ef6\u91cc\u7684 Subsystem sftp \u5220\u6389\uff0c\u5426\u5219 sshd \u4f1a\u62a5\u9519\u201c\u91cd\u590d\u6307\u5b9a\u4e86 Subsystem sshd\u201d\u3002

\u4ee5\u4e0b\u914d\u7f6e\u4f9b\u53c2\u8003\uff0c\u590d\u5236\u65f6\u6ce8\u610f\u4fee\u6539 Match LocalAddress \u540e\u9762\u7684\u5185\u5bb9\uff08\u5185\u7f51\u5730\u5740\u548c AllowGroups \u6700\u540e\u7684\u540d\u79f0\uff09\uff1a

/etc/ssh/sshd_config
AddressFamily inet\nUseDNS no\n\nHostKey /etc/ssh/ssh_host_rsa_key\nHostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub\nTrustedUserCAKeys /etc/ssh/ssh_user_ca\nRevokedKeys /etc/ssh/ssh_revoked_keys\n\nPasswordAuthentication no\nPubkeyAuthentication no\nChallengeResponseAuthentication no\nUsePAM yes # LDAP for Debian\n\nAcceptEnv LANG LC_*\nX11Forwarding yes\nPrintLastLog no\nPrintMotd no\nSubsystem sftp /usr/lib/openssh/sftp-server\n\nMatch LocalAddress 10.254.0.0\n    AllowGroups ssh_local super_manager ssh_groupname\n    PasswordAuthentication yes\n    PubkeyAuthentication yes\n\n# Public IP access = root-only\nMatch LocalAddress 202.38.95.110,202.141.160.110,202.141.176.110,218.104.71.170\n    AllowUsers root\n    PubkeyAuthentication yes\n    AuthorizedKeysFile none  # \u5c4f\u853d\u516c\u94a5\uff0c\u4ec5\u5141\u8bb8\u8bc1\u4e66\u767b\u5f55\n\n# For SSH Push trigger\nMatch User mirror\n    AllowUsers mirror\n    AuthenticationMethods publickey\n    PermitTTY no\n    PermitTunnel no\n    X11Forwarding no\n\nMatch All #(1)\n
  1. OpenSSH 6.5p1 \u4ee5\u4e0a\u53ef\u4ee5\u4f7f\u7528 Match All \u6765\u7ed3\u675f\u4e0a\u9762\u7684 Match \u5757\u3002\u7531\u4e8e Include \u6307\u4ee4\u51fa\u73b0\u5728 /etc/ssh/sshd_config \u7684\u6700\u4e0a\u9762\uff0c\u800c\u63a5\u4e0b\u6765\u7684\u5185\u5bb9\u90fd\u662f\u5168\u5c40\u8bbe\u7f6e\uff0c\u56e0\u6b64\u4f7f\u7528 Match All \u4fdd\u8bc1\u539f\u5148\u7684\u5185\u5bb9\u7ee7\u7eed\u4f5c\u7528\u4e8e\u5168\u5c40\uff0c\u800c\u4e0d\u662f\u50cf\u4e0a\u9762\u8fd9\u4e2a\u4f8b\u5b50\u4e00\u6837\u53d8\u6210 Match User mirror \u7684\u8bbe\u7f6e\u3002

\u6ce8\u610f HostCertificate, TrustedUserCAKeys \u548c RevokedKeys \u8fd9\u4e09\u4e2a\u6587\u4ef6\u5fc5\u987b\u5b58\u5728\uff0c\u5426\u5219 SSH \u4f1a\u51fa\u4e00\u4e9b\u95ee\u9898\uff0c\u4f8b\u5982\u4e0d\u80fd\u5bc6\u94a5\u767b\u5f55\u53ea\u80fd\u5bc6\u7801\u767b\u5f55\u3002

HostCertificate \u9700\u8981\u624b\u52a8\u7b7e\u53d1\u4e00\u4e2a\uff0c\u53e6\u5916\u4e24\u4e2a\u6587\u4ef6\u4ece\u522b\u7684\u673a\u5668\u4e0a\u590d\u5236\u5c31\u884c\u3002

"},{"location":"infrastructure/discontinued/","title":"\u4e0d\u518d\u4f7f\u7528\u7684\u57fa\u7840\u8bbe\u65bd","text":"

Warning

Content under this section is not necessarily up-to-date.

"},{"location":"infrastructure/discontinued/#saltstack","title":"SaltStack","text":"

\u76ee\u524d\u4e0d\u77e5 SaltStack \u4f55\u65f6\u5f00\u59cb\u4f7f\u7528\uff0c\u4f46\u662f\u6211\u4eec\u6ca1\u6709\u4efb\u4f55\u4f9d\u8d56\u4e8e salt \u7684\u914d\u7f6e\u3002\u51fa\u4e8e\u8003\u8651\u5230 salt \u51fa\u73b0\u8fc7\u975e\u5e38\u4e25\u91cd\u7684 CVE\uff0csaltstack \u5df2\u4e0d\u518d\u8003\u8651\u4f7f\u7528\uff0c\u4e14\u5728\u5df2\u77e5\u7684\u673a\u5668\u4e0a\u90fd\u5df2\u5220\u9664\u3002\u5982\u679c\u4f60\u53d1\u73b0\u67d0\u53f0 lug \u7684\u673a\u5668\u4e0a\u5b89\u88c5\u4e86 salt\uff0c\u8bf7\u901a\u77e5 CTO \u4ee5\u5c06\u5176\u5220\u9664\u3002

\u5728\u81ea\u52a8\u5316\u8fd0\u7ef4\u65b9\u9762\uff0c\u672a\u6765\u4f1a\u8c03\u7814 ansible\u3002

"},{"location":"infrastructure/discontinued/#vsphere","title":"vSphere \u96c6\u7fa4","text":"

\u6211\u4eec\u4ece 2015 \u5e74\uff08\u6216\u66f4\u65e9\uff09\u5f00\u59cb\u4f7f\u7528 vSphere \u5e73\u53f0\uff08ESXi + vCenter\uff09\u8fd0\u884c\u865a\u62df\u673a\u3002\u7531\u4e8e VMware \u4e13\u6709\u5e73\u53f0\u7684\u590d\u6742\u6027\u96be\u4ee5\u7ef4\u62a4\uff0c\u6211\u4eec\u5df2\u4e8e 2022 \u5e74 1 \u6708\u5168\u9762\u8fc1\u79fb\u81f3\u5f00\u6e90\u7684\u3001\u57fa\u4e8e Debian GNU/Linux \u7684\u865a\u62df\u5316\u5e73\u53f0 Proxmox VE\u3002

"},{"location":"infrastructure/discontinued/#pve-2-pve-4","title":"pve-2, pve-4","text":"

pve-2 \u548c pve-4 \u4e5f\u4f4d\u4e8e\u4e1c\u56fe\uff0c\u662f\u4e24\u53f0\u672a\u77e5\u54c1\u724c\u3001\u672a\u77e5\u578b\u53f7\u7684\u65e7\u673a\u5668\uff0c\u914d\u7f6e\u4e3a 2\u00d7 Xeon E5420 (Very old 4C4T, 2.50 GHz), 16 GB \u5185\u5b58\uff08DDR2 667 MHz\uff09\u548c\u4e00\u5757 16 GB \u7684 SanDisk SSD\u3002\u8be5\u578b\u53f7\u673a\u5668\u6ca1\u6709 IPMI\u3002

\u7531\u4e8e\u914d\u7f6e\u4f4e\u4e0b\uff0c\u6211\u4eec\u624b\u52a8\u5b89\u88c5\u4e86 Proxmox VE\uff0c\u6ca1\u6709\u4f7f\u7528 LVM\uff0c\u5206\u914d\u4e86 1 GB \u7684 swap\uff0c\u5269\u4e0b\u5168\u90e8\u7ed9 rootfs\u3002

\u673a\u5668\u7684\u7f51\u5361\u6709\u4e24\u4e2a 1 Gbps \u7684\u63a5\u53e3\uff0c\u4e0e pve-6 \u76f8\u540c\uff0c\u90fd\u63a5\u5728\u540c\u4e00\u4e2a\u4ea4\u6362\u673a\u4e0a\u3002

"},{"location":"infrastructure/discontinued/vsphere/esxi/","title":"ESXi","text":"

\u73b0\u5f79\u7684 ESXi \u6709 3 \u53f0\uff1aesxi-2 \u548c esxi-6 \u4f4d\u4e8e\u4e1c\u56fe\u673a\u623f\uff0cesxi-5 \u4f4d\u4e8e\u7f51\u7edc\u4fe1\u606f\u4e2d\u5fc3\u673a\u623f\u3002

esxi-2 \u4e0a\u8fd0\u884c\u4e1c\u56fe\u7f51\u5173\u7b49\u670d\u52a1\uff0cesxi-6 \u4e0a\u8fd0\u884c ustclug gitlab\u3002esxi-5 \u4e0a\u8fd0\u884c\u8bf8\u5982 vcenter, \u90ae\u4ef6\u7f51\u5173, ldap, \u5907\u7528\u7f51\u5173, vSphereDataProtection \u5907\u4efd\u670d\u52a1\u7b49\u3002

\u76ee\u524d\uff0c\u6709\u8ba1\u5212\u5c06\u865a\u62df\u5316\u65b9\u6848\u66f4\u6539\u4e3a Proxmox Virtual Environment\u3002

"},{"location":"infrastructure/discontinued/vsphere/esxi/#about-snapshot","title":"\u5173\u4e8e\u5feb\u7167","text":"

Best practices: https://kb.vmware.com/s/article/1025279\uff0c\u7ba1\u7406\u865a\u62df\u673a\u524d\u52a1\u5fc5\u9605\u8bfb\u3002

"},{"location":"infrastructure/discontinued/vsphere/esxi/#_1","title":"\u673a\u5668\u914d\u7f6e\u7ec6\u8282","text":""},{"location":"infrastructure/discontinued/vsphere/esxi/#esxi-5","title":"esxi-5","text":"

esxi-5 \u4e0a\u4e8e 2021/8 \u53d1\u73b0\u81ea\u5e26\u9635\u5217\u6709\u4e24\u5757\u574f\u76d8\uff0c\u5728\u66f4\u6362\u540e\u53d1\u73b0 storage \"root\"\uff08\u5b58\u653e vcenter \u865a\u62df\u673a\uff0c\u7ec4 RAID 1 \u540e\u5927\u5c0f 1.8TB\uff09\u65e0\u6cd5\u6b63\u5e38 rebuild\uff0c\u5e76\u4e14 vcenter \u865a\u62df\u673a\u7684 vmdk \u6587\u4ef6\u6709 4 \u4e2a\u51fa\u73b0 I/O error\u3002\u76ee\u524d vcenter \u865a\u62df\u673a\u5df2\u7ecf\u8fc1\u79fb\u5230 storage \"data\" (RAID10, 7.2 TB)\uff0c\u5de5\u4f5c\u6b63\u5e38\u3002

"},{"location":"infrastructure/discontinued/vsphere/vcenter/","title":"vCenter","text":"

vCenter \u4e3a\u7ef4\u62a4\u4eba\u5458\u63d0\u4f9b\u4e86\u65b9\u4fbf\u7684\u7ba1\u7406\u6240\u6709 ESXi \u670d\u52a1\u5668\u7684\u754c\u9762\u3002\u9700\u8981\u6ce8\u610f\uff1a

"},{"location":"infrastructure/discontinued/vsphere/vcenter/#patch","title":"\u5b89\u88c5 patch","text":"

\u5f53\u51fa\u73b0\u4e25\u91cd\u7684 CVE \u4e14\u65e0\u6cd5\u7b80\u5355 workaround \u65f6\uff0c\u5efa\u8bae\u5b89\u88c5 patch\uff0c\u5927\u81f4\u65b9\u6cd5\uff1a

  1. \u6253\u5feb\u7167\uff0c\u6700\u597d\u80fd\u624b\u52a8\u5907\u4efd\u4e00\u4e0b\u3002
  2. \u524d\u5f80 https://my.vmware.com/group/vmware/patch \u4e0b\u8f7d\u6700\u65b0\u7248 patch ISO \u6587\u4ef6\uff08\u5206\u7c7b\u4e3a VC\uff0c\u9700\u8981\u6ce8\u518c\u514d\u8d39\u8d26\u53f7\uff09\uff1b
  3. \u4e0a\u4f20 ISO \u6587\u4ef6\u5230 esxi-5 \u67d0\u4e2a datastore \u4e2d\uff0c\u5c06 ISO \u6302\u8f7d\u5230 VMware vCenter Server Appliance \u865a\u62df\u673a\u4e2d\uff1b
  4. \u767b\u5f55 esxi-5 \u7ba1\u7406\u754c\u9762\uff08\u4e0d\u662f vcenter \u754c\u9762\uff0c\u56e0\u4e3a\u66f4\u65b0\u7684\u65f6\u5019 vcenter \u4f1a\u4e0b\u7ebf\uff09\uff0c\u8fdb\u5165 vcenter console\u3002
  5. software-packages stage --iso \u52a0\u8f7d\u8865\u4e01\u6587\u4ef6\uff08\u5b9e\u8d28\u662f\u4e00\u5806 rpm\uff09\u3002
  6. software-packages install --iso \u5b89\u88c5\u8865\u4e01\u6587\u4ef6\u3002
  7. shell \u8fdb\u5165 bash\uff0creboot \u91cd\u542f\u3002
  8. \u91cd\u542f\u540e\u5982\u679c\u8fdb\u5165 5480 \u7aef\u53e3\u53d1\u73b0\u670d\u52a1\u72b6\u6001\u4e3a\u672a\u77e5\uff0c\u624b\u52a8\u91cd\u542f\u6240\u6709\u670d\u52a1\uff1aservice-control --start --all
  9. \u7b49\u5f85\u4e00\u6bb5\u65f6\u95f4\uff08\u6bd4\u8f83\u957f\uff09\uff0c\u671f\u95f4\u53ef\u80fd 503/\u663e\u793a\u670d\u52a1\u6b63\u5728\u52a0\u8f7d\u4e2d\uff0c\u7b49\u7b49\uff0c\u4e4b\u540e\u5c31\u5e94\u8be5\u6b63\u5e38\u4e86\u3002
  10. \u522b\u5fd8\u4e86\u624b\u52a8\u5907\u4efd\u3002

\u5347\u7ea7\u65f6\u9047\u5230\u7684\u95ee\u9898\uff1a

  1. \u65e0\u6cd5\u8bc6\u522b ISO \u4e3a\u66f4\u65b0\u7684\u7248\u672c\uff1ahttps://kb.vmware.com/s/article/59659?lang=zh_CN
  2. \u300c\u73af\u5883\u5c1a\u672a\u51c6\u5907\u597d\u66f4\u65b0\u300d\uff1a\u4f7f\u7528 console \u7684 software-packages \u66f4\u65b0\uff0c\u67e5\u770b\u539f\u56e0\u3002\u5982\u679c\u662f root \u5bc6\u7801\u8fc7\u671f\uff0c\u8fdb\u5165 bash\uff0c\u4f7f\u7528 passwd \u5148\u91cd\u7f6e\u6210\u65b0\u7684\uff08\u7136\u540e\u518d\u6539\u56de\u6765\uff09\uff0c\u4f7f\u7528 chage -I -1 -m 0 -M 99999 -E -1 root \u8bbe\u7f6e\u6c38\u4e0d\u8fc7\u671f\u3002
"},{"location":"infrastructure/discontinued/vsphere/vdp/","title":"VDP","text":"

\u5f53\u6211\u4eec\u8bf4\u5230 VDP \u7684\u65f6\u5019\uff0c\u6211\u4eec\u5230\u5e95\u5728\u6307\u4ec0\u4e48\uff1f\u4e3a\u4e86\u907f\u514d\u6b67\u4e49\uff0c\u4ee5\u4e0b\u505a\u4e86\u4e00\u4e9b\u5b9a\u4e49\uff1a

vdp2 \u6302\u63a5\u5728 esxi-5 \u4e0a\uff0cesxi-5 \u6e90\u4e8e\u8001 mirrors\uff08mirrors2 \u4e4b\u524d\u7684\u4e00\u4ee3\u673a\u5668\uff09\u3002vSphereDataProtection \u7248\u672c\u4e3a 6.1.5\u3002

\u5f53 vdp \u5907\u4efd\u7a0b\u5e8f\u51fa\u73b0\u5947\u602a\u7684\u95ee\u9898\u7684\u65f6\u5019\uff0c\u91cd\u542f vdp \u5907\u4efd\u865a\u62df\u673a\u7edd\u5927\u591a\u6570\u65f6\u5019\u80fd\u591f\u89e3\u51b3\u95ee\u9898\u3002\u91cd\u542f\u8017\u65f6\u975e\u5e38\u957f\uff0c\u9700\u8981\u505a\u597d\u5fc3\u7406\u51c6\u5907\u3002

\u5907\u4efd\u65f6\uff0cvdp \u5907\u4efd\u7a0b\u5e8f\u4f1a\u4e3a\u865a\u62df\u673a\u65b0\u5efa\u4e00\u4e2a snapshot\uff0c\u4e4b\u540e\u4ece snapshot \u4f20\u8f93\u5907\u4efd\u3002\u5076\u5c14 snapshot \u4e0d\u4f1a\u88ab\u6b63\u5e38\u5220\u9664\uff0c\u800c\u5927\u91cf\u6216\u957f\u65f6\u95f4\u5b58\u653e\u7684 snapshot \u4f1a\u7ed9\u6027\u80fd\u5e26\u6765\u8d1f\u9762\u5f71\u54cd\uff0c\u6240\u4ee5\u5982\u679c\u53d1\u73b0\u6b64\u7c7b\u60c5\u51b5\uff0c\u5728\u786e\u8ba4\u5907\u4efd\u4e0d\u518d\u8fdb\u884c\u540e\uff0c\u9700\u8981\u5220\u9664 snapshot\uff0c\u540c\u65f6\u4fdd\u6301\u673a\u5668\u5728\u7ebf\uff08\u5728\u5173\u673a\u60c5\u51b5\u4e0b\u6574\u5408\u78c1\u76d8\u65f6\u65e0\u6cd5\u5f00\u673a\uff01\uff09\u3002

\u53c2\u8003\u8d44\u6599\uff1ahttps://docs.vmware.com/en/VMware-vSphere/6.5/rn/data-protection-615-release-notes.html

VDP \u5907\u4efd\u865a\u62df\u673a\u5df2\u7ecf EOL\u3002\u8bbf\u95ee vcenter \u4e2d\u7684 VDP \u63d2\u4ef6\u9700\u8981\u4f7f\u7528 Adobe Flash\u3002

"},{"location":"infrastructure/discontinued/vsphere/vdp/#_1","title":"\u5907\u4efd\u8ba1\u5212","text":"

\u76ee\u524d\u7684\u5907\u4efd\u8ba1\u5212\u5982\u4e0b\uff1a

"},{"location":"infrastructure/discontinued/vsphere/vdp/#_2","title":"\u9ad8\u7ea7\u547d\u4ee4","text":"

\u67e5\u770b\u5f53\u524d\u4efb\u52a1\uff1a

# mccli activity show | grep Running\n

\u67e5\u770b\u670d\u52a1\u60c5\u51b5\uff1a

# dpnctl status\n# status.dpn\n
"},{"location":"infrastructure/discontinued/vsphere/vdp/#vspheredataprotection-on-virtio-scsi","title":"vSphereDataProtection on VirtIO SCSI","text":"

vdp \u7684\u64cd\u4f5c\u7cfb\u7edf\u662f SLES 11 SP3\uff0c\u8fd9\u4e2a\u64cd\u4f5c\u9700\u8981\u7cfb\u7edf\u76d8\u7684\u524d\u4e24\u4e2a\u5206\u533a\uff08/boot \u548c /\uff09\u3002

  1. \u53c2\u8003 https://www.suse.com/support/kb/doc/?id=000016530\uff0c\u89e3\u538b initrd \u5230\u67d0\u4e2a\u76ee\u5f55\u3002
  2. \u4ece rootfs \u7684 /lib/modules/3.0.101-0.47.99-default/kernel/drivers/ \u91cc\u53d6\u51fa virtio \u7684\u5185\u6838\u6a21\u5757\uff08block \u91cc\u9762\u4e00\u4e2a\uff0cvirtio \u6574\u4e2a\u76ee\u5f55\uff0c\u4ee5\u53ca scsi \u91cc\u9762\u4e00\u4e2a\uff09\uff0c\u653e\u5728 initrd \u89e3\u538b\u540e\u7684\u5bf9\u5e94\u4f4d\u7f6e\u3002
  3. rootfs \u7684 /lib/modules/3.0.101-0.47.99-default/modules.dep* \u590d\u5236\u5230 initrd \u91cc\u3002
  4. \u4fee\u6539 initrd \u91cc\u7684 config/start.sh \u548c run_all.sh\uff0c\u5728 RESOLVED_INITRD_MODULES \u53d8\u91cf\u4e2d\u6dfb\u52a0 virtio_pci virtio virtio_scsi virtio_blk\uff08\u5373\u4fee\u6539\u4e3a RESOLVED_INITRD_MODULES='virtio_pci virtio virtio_scsi virtio_blk cifs ext2 ext3 ext4 fat nfs reiserfs ufs xfs'\uff09\u3002
  5. \u53c2\u8003 https://www.suse.com/support/kb/doc/?id=000016530 \u91cd\u65b0\u6253\u5305\uff0c\u653e\u5728\u7b2c\u4e00\u4e2a\u5206\u533a (/boot) \u91cc\u9762\uff0c\u5efa\u8bae\u4e0d\u8981\u8986\u76d6\u539f\u6765\u7684 initrd\u3002
  6. \u4fee\u6539\u7b2c\u4e00\u4e2a\u5206\u533a\u91cc grub/menu.lst\uff0c\u5c06 initrd \u4fee\u6539\u4e3a\u4f60\u6240\u6253\u5305\u7684\u6587\u4ef6\u540d\u3002
"},{"location":"infrastructure/intranet/","title":"Servers Intranet","text":"

Servers Intranet connects all the servers together, including physical servers and virtual machines.

"},{"location":"infrastructure/intranet/#network-topology","title":"Network Topology","text":"

\u4ee5\u4e0a\u67b6\u6784\u56fe\u7531 iBug \u5728 2023 \u5e74 11 \u6708\u66f4\u65b0\u3002

\u6b64\u5904\u662f\u4e00\u4e9b\u8fc7\u65f6\u7684\u4fe1\u606f\uff0c\u4e5f\u8bb8\u8fd8\u6709\u70b9\u53c2\u8003\u4ef7\u503c

The network contains three parts:

tincVPN is a mesh VPN, which can be abstracted as a virtual Switch.

vm-nfs.s.ustclug.org runs a layer 2 bridge, connecting tincVPN and SRW2024 (physical switch).

It is obvious that vm-nfs is a single point of failure of communicating between tinc host and vSphere virtual machine. I had tried to add another bridge node, but resulted in a broadcast storm. Maybe we can fix it by MPLS (merged in mainline kernel 4.3). But it isn't a right timing at this time.

"},{"location":"infrastructure/intranet/#network-information","title":"Network information","text":"

The network contains one single subnet: 10.254.0.0/21

Every server and service binds to one and only one IP address, used to communicate with each other.

"},{"location":"infrastructure/intranet/#address-planning","title":"Address planning","text":""},{"location":"infrastructure/intranet/gateway/","title":"Intranet Gateway","text":"

We run gateways in each colocation to provide internet access to intranet-only hosts (VMs and containers).

When configuring VMs and containers, set their gateway according to their colocation:

Gateway-JP is mainly used for HTTP reverse proxy, so that we can provide HTTP services in compliance with PRC regulations.

For server configuration on each gateway, refer to their corresponding documentation:

"},{"location":"infrastructure/intranet/gateway/#tinc-workaround-1","title":"Tinc \"received packet on ustclug with own address as source address\" workaround","text":"

After migrating to PVE, we found that sometimes tinc works abnormally within gateway-el and gateway-nic, with following kernel log:

bridge: received packet on ustclug with own address as source address (addr:12:34:56:78:90:ab, vlan:0)\nbridge: received packet on ustclug with own address as source address (addr:12:34:56:78:90:ab, vlan:0)\nbridge: received packet on ustclug with own address as source address (addr:12:34:56:78:90:ab, vlan:0)\nbridge: received packet on ustclug with own address as source address (addr:12:34:56:78:90:ab, vlan:0)\nbridge: received packet on ustclug with own address as source address (addr:12:34:56:78:90:ab, vlan:0)\nbridge: received packet on ustclug with own address as source address (addr:12:34:56:78:90:ab, vlan:0)\nbridge: received packet on ustclug with own address as source address (addr:12:34:56:78:90:ab, vlan:0)\nbridge: received packet on ustclug with own address as source address (addr:12:34:56:78:90:ab, vlan:0)\nbridge: received packet on ustclug with own address as source address (addr:12:34:56:78:90:ab, vlan:0)\nbridge: received packet on ustclug with own address as source address (addr:12:34:56:78:90:ab, vlan:0)\nnet_ratelimit: 2 callbacks suppressed\n

We still don't know the source of this issue. To workaround that, following self-check timer is deployed now:

/opt/tinc-check.sh
#!/bin/bash\n\nrestart() {\n  systemctl stop tinc@ustclug.service\n  sleep 3  # avoid race condition\n  systemctl start tinc@ustclug.service\n  echo \"tinc restarted\"\n}\n\ndmesg | tail -n 2 | grep 'received packet on ustclug with own address as source address' && restart ||  echo \"tinc OK now\";\n
/etc/systemd/system/tinc-check.service
[Unit]\nDescription=Tinc Check and Auto-Restart\n\n[Service]\nType=oneshot\nExecStart=/opt/tinc-check.sh\n
/etc/systemd/system/tinc-check.timer
[Unit]\nDescription=Tinc Check and Auto-Restart Timer\n\n[Timer]\nOnCalendar=minutely\nPersistent=true\n\n[Install]\nWantedBy=timers.target\n
"},{"location":"infrastructure/intranet/lugivpn/","title":"LUG Intranet VPN","text":"

service: intranet.ustclug.org

server: board.s.ustclug.org

"},{"location":"infrastructure/intranet/lugivpn/#introduction","title":"Introduction","text":"

Server intranet is a closed network, which cannot be accessed from Internet. LUGI VPN helps maintainer get access to intranet temporarily.

LUGI VPN is running in Banana Pi Raspberry Pi 3B+, the only ARM architecture device we owned. Using OpenVPN protocal, authorizing via LDAP.

The original Banana Pi was down in April 2021.

"},{"location":"infrastructure/intranet/lugivpn/#configuration","title":"Configuration","text":"

OpenVPN LDAP auth plugin config /etc/openvpn/auth-ldap.conf:

<LDAP>\n    URL             ldaps://ldap.ustclug.org\n    Timeout         15\n    FollowReferrals yes\n    TLSCACertFile   /etc/ldap/ssl/slapd-ca-cert.pem\n</LDAP>\n\n<Authorization>\n    BaseDN          \"ou=people,dc=lug,dc=ustc,dc=edu,dc=cn\"\n    SearchFilter    \"(uid=%u)\"\n    RequireGroup    false\n</Authorization>\n

In openvpn configuration:

...\nplugin /usr/lib/openvpn/openvpn-auth-ldap.so /etc/openvpn/auth-ldap.conf\n

Servers intranet is a layer 2 network without default gateway. So NAT is needed:

iptables -t nat -A POSTROUTING -s 10.254.248.0/22 -d 10.254.0.0/21 -j MASQUERADE\n
"},{"location":"infrastructure/proxmox/nfs/","title":"NFS","text":"

NFS \u670d\u52a1\u5668\uff08\"vdp\"\uff09\u662f\u4e1c\u56fe\u4e09\u4e2a PVE \u673a\u5668\u7684\u865a\u62df\u673a\u5b58\u50a8\uff0c\u578b\u53f7\u4e3a DELL PowerEdge R510\u3002\u78c1\u76d8\u9635\u5217\u7531\u4e8e\u5728 2021 \u5e74 3 \u6708\u521d\u635f\u574f\uff0c\u76ee\u524d\u5bb9\u91cf\u7f29\u51cf\u5230 8T\uff084 \u5757 4T \u84dd\u76d8 RAID10\uff09\u3002\u9664\u865a\u62df\u673a\u5916\uff0cNFS \u4e5f\u5b58\u50a8 LUG \u6210\u5458\u7684\u4e2a\u4eba\u6570\u636e\u53ca LUG FTP\u3002NFS \u670d\u52a1\u6062\u590d\u540e\uff0c\u4e3a\u4e86\u4fdd\u8bc1\u6570\u636e\u5197\u4f59\u6027\uff0c\u4f7f\u7528 \u79d1\u5927 Office 365 A1 \u8d26\u53f7\u3001\u5b66\u6821\u5bf9\u8c61\u5b58\u50a8\u548c Rclone \u6bcf\u5929\u589e\u91cf\u5907\u4efd LUG FTP \u548c LUG \u6210\u5458\u7684\u516c\u5f00\u6570\u636e\u3002Rclone \u7684\u5907\u4efd\u65b9\u5f0f\u53c2\u89c1\u673a\u5668\u4e0a\u7684 rclone-backup.timer \u548c rclone-backup.service\u3002

vdp \u7684\u5185\u7f51\u8fde\u63a5\u4f9d\u8d56\u4e8e gateway-el\u3002

\u53ef\u80fd\u7684\u7f51\u7edc\u95ee\u9898

\u5728 2021 \u5e74\u4e5d\u6708\u4efd\u4e1c\u56fe\u7684 ESXi \u4e0e NFS \u8fde\u63a5\u4f1a\u51fa\u73b0\u4e0d\u7a33\u5b9a\u7684\u95ee\u9898\uff0c\u539f\u56e0\u76ee\u524d\u4e0d\u660e\u3002\u5728\u8fde\u63a5\u65b9\u5f0f\u4ece NFS 4.1 \u66f4\u6362\u5230 NFS 3 \u4e4b\u540e\uff0c\u8fde\u63a5\u7684\u4e0d\u7a33\u5b9a\u4e0d\u4f1a\u5bfc\u81f4\u865a\u62df\u673a\u88ab\u5173\u95ed\u3002

2021/09/29 \u66f4\u65b0\uff1a\u8fd9\u4e24\u5929\u518d\u6b21\u51fa\u73b0\u4e86\u4e25\u91cd\u7684\u8fde\u63a5\u95ee\u9898\u3002\u8c03\u8bd5\u540e\u53d1\u73b0 192.168.93.0/24 \u7684\u7f51\u5173 192.168.93.254 (Cisco \u8bbe\u5907) \u4e22\u5305\u4e25\u91cd\uff0c\u800c NFS \u7684\u51fa\u53e3 IP \u9519\u8bef\u88ab\u8bbe\u7f6e\u5230\u4e86\u4e0e\u56fe\u4e66\u9986\u4ea4\u6362\u673a\u76f8\u8fde\u63a5\u7684 eno1\uff0c\u5bfc\u81f4\u8bf7\u6c42\u9700\u8981\u7ed5\u8def\u3002\u5c06\u6b64 IP \u79fb\u52a8\u81f3 eno2\uff0c\u4fee\u6539 sysctl \u8bbe\u7f6e ARP \u8fc7\u6ee4\u5e76\u91cd\u542f\u540e\uff0c\u76ee\u524d\u6682\u65f6\u89e3\u51b3\u4e86\u95ee\u9898\u3002

Debian Bookworm \u5185\u6838\u95ee\u9898

6.1.x \u5f00\u59cb\u7684\u5185\u6838\u7684 NFSv4 \u670d\u52a1\u5668\u5b9e\u73b0\u53ef\u80fd\u5b58\u5728\u6f5c\u5728\u7684\u95ee\u9898\uff0c\u5bfc\u81f4\u5728\u67d0\u4e9b\u60c5\u51b5\u4e0b\u6b7b\u9501\uff0c\u89c1 https://lore.kernel.org/all/50d62fc9-206b-4dbc-9a9b-335450656fd0@aixigo.com/T/\u3002\u4ece Buster \u5347\u7ea7\u5230 Bookworm \u4e4b\u540e\u88ab\u5751\u4e86\u4e00\u6b21\u3002

\u7531\u4e8e\u8fd9\u4e2a\u95ee\u9898\u76ee\u524d\u5c1a\u672a\u89e3\u51b3\uff0c\u5728\u5347\u7ea7 Bookworm \u4e4b\u540e vdp \u4ecd\u4f7f\u7528 Bullseye \u7684\u5185\u6838\uff085.10.x\uff09\u3002

/etc/apt/preferences.d/linux-image-amd64
Package: linux-image-amd64\nPin: release n=bullseye-security\nPin-Priority: 900\n

\u6211\u4eec\u521b\u5efa\u4e86\u5982\u4e0a\u6587\u4ef6\uff08\u4ee5\u4fbf\u80fd\u591f\u7ee7\u7eed\u4ece bullseye-security \u83b7\u5f97\u5185\u6838\u7684\u5b89\u5168\u66f4\u65b0\uff09\uff0c\u7136\u540e\u624b\u52a8\u5220\u6389\u4e86\u6240\u6709 6.1 \u7684\u5185\u6838\u5305\u3002

"},{"location":"infrastructure/proxmox/nfs/#pve","title":"PVE \u78c1\u76d8\u8def\u5f84\u4e0e\u6302\u8f7d\u53c2\u6570","text":"

\u5728 storage.cfg \u8bbe\u7f6e\u4e2d\uff0cNFS \u6302\u8f7d\u5230 /mnt/nfs-el\uff0c\u8bbe\u7f6e\u7684\u53c2\u6570\u4e3a soft,noexec,nosuid,nodev\u3002\u8bbe\u7f6e\u4e3a hard \u4f1a\u5bfc\u81f4 NFS \u4e0b\u7ebf\u65f6\u91cd\u8bd5\u65e0\u9650\u6b21\uff0c\u5927\u6982\u7387\u5bfc\u81f4\u7cfb\u7edf\u5361\u6b7b\uff0c\u5176\u4ed6\u51e0\u4e2a\u53c2\u6570\u4e3b\u8981\u662f\u4e3a\u4e86\u5b89\u5168\u3002

\u5176\u4e2d\uff0c\u6839\u636e PVE \u7684\u8981\u6c42\uff0c\u865a\u62df\u673a\u78c1\u76d8\u6587\u4ef6\u9700\u8981\u653e\u5728 images/<vmid> \u76ee\u5f55\u4e0b\u624d\u4f1a\u88ab\u81ea\u52a8\u68c0\u6d4b\u5230\u3002\u82e5\u4e00\u5f00\u59cb\u6ca1\u6709\u6309\u8981\u6c42\u653e\u7f6e\u6587\u4ef6\u6216\u6dfb\u52a0\u4e86\u65b0\u6587\u4ef6\uff0c\u53ef\u4ee5\u4f7f\u7528 qm rescan \u626b\u63cf\u65b0\u7684\u78c1\u76d8\u6587\u4ef6\u3002\u4e5f\u53ef\u4ee5\u76f4\u63a5\u4f7f\u7528 qm set \u547d\u4ee4\u6216\u624b\u52a8\u7f16\u8f91\u865a\u62df\u673a\u914d\u7f6e\u6587\u4ef6\u6307\u5b9a\u78c1\u76d8\u6587\u4ef6\u7684\u8def\u5f84\uff0c\u8fd9\u4e24\u79cd\u65b9\u6cd5\u6ca1\u6709\u6b64\u9650\u5236\u3002

\u53e6\u5916\uff0c\u7531\u4e8e\u6574\u4e2a storage.cfg \u6587\u4ef6\u5728\u96c6\u7fa4\u4e2d\u5171\u4eab\uff0c\u9700\u8981\u624b\u52a8\u6307\u5b9a nodes \u4ee5\u514d NIC \u7684\u4e24\u53f0 PVE \u4e3b\u673a\u5c1d\u8bd5\u6302\u8f7d\u3002

/etc/pve/storage.cfg
nfs: nfs-el\n        export /media/vdp/pve\n        path /mnt/nfs-el\n        server nfs-el.vm.ustclug.org\n        options soft,noexec,nosuid,nodev\n        content iso,images\n        nodes pve-2,pve-4,pve-6\n        shared 1\n        prune-backups keep-all=1\n

storage.cfg \u7684\u5168\u90e8\u914d\u7f6e\u5185\u5bb9\u53ef\u4ee5\u53c2\u8003 https://pve.proxmox.com/wiki/Storage\u3002

"},{"location":"infrastructure/proxmox/pbs/","title":"Proxmox Backup Server (PBS)","text":"

PBS \u73b0\u5728\u90e8\u7f72\u5728 esxi-5 \u4e0a\u9762\uff0c\u7528\u4f5c\u865a\u62df\u673a\u5907\u4efd\uff0cweb \u754c\u9762\u7684\u7aef\u53e3\u53f7\u4e3a 8007\uff08HTTPS only\uff09\u3002

Info

\u672c\u9875\u9762\u8bb0\u5f55 Proxmox Backup Server \u8f6f\u4ef6\u76f8\u5173\uff0c\u4ee5\u53ca Proxmox VE \u865a\u62df\u673a\u76f8\u5173\u7684\u8d44\u6599\u3002\u5173\u4e8e esxi-5 \u7684\u7cfb\u7edf\u914d\u7f6e\u4fe1\u606f\u8bb0\u5f55\u5728 Proxmox VE \u9875\u9762\u3002

"},{"location":"infrastructure/proxmox/pbs/#pbs","title":"\u5b89\u88c5 PBS","text":"

PBS \u53ef\u4ee5\u4f7f\u7528\u5b89\u88c5\u5149\u76d8 iso \u5b89\u88c5\u6216\u76f4\u63a5\u52a0\u88c5\u5728\u73b0\u6709\u7684\u5bf9\u5e94\u7248\u672c\u7684 Debian \u7cfb\u7edf\u4e0a\uff0c\u8fd9\u4e24\u79cd\u5b89\u88c5\u65b9\u5f0f\u90fd\u6709\u5b98\u65b9\u7684\u8bf4\u660e\u6587\u6863\u3002

\u6211\u4eec\u7684 esxi-5 \u662f\u4f7f\u7528 PVE \u7684\u5b89\u88c5\u76d8\u5148\u88c5\u6210 PVE\uff0c\u518d\u5728\u4e0a\u9762\u989d\u5916\u52a0\u88c5 PBS \u7684\u3002\u7531\u4e8e PVE \u548c PBS \u5171\u4eab\u4e86\u5927\u91cf\u7ec4\u4ef6\uff0c\u56e0\u6b64\u5728 PVE \u4e0a\u52a0\u88c5 PBS \u5c31\u53ea\u5269\u4e0b\u5f88\u7b80\u5355\u7684\u4e00\u4e9b\u6b65\u9aa4\u4e86\uff1a

echo \"deb http://mirrors.ustc.edu.cn/proxmox/debian/pbs bullseye pbs-no-subscription\" > /etc/apt/sources.list.d/pbs.list\napt update\napt install proxmox-backup\n

\u8be5\u8fc7\u7a0b\u4ec5\u5b89\u88c5\u4e86\u603b\u91cf\u4e3a 150+ MB \u7684 8 \u4e2a\u5305\uff0c\u5c31\u6709 PBS \u53ef\u7528\u4e86\u3002

"},{"location":"infrastructure/proxmox/pbs/#pbs-new-user","title":"\u521b\u5efa\u65b0\u7528\u6237","text":"

PBS \u81ea\u5df1\u7684\u8d26\u53f7\u4f53\u7cfb (Realm pbs) \u4e0e PVE (Realm pve) \u4e92\u76f8\u4e0d\u901a\uff0c\u5982\u679c\u9700\u8981\u521b\u5efa\u65b0\u7684 PBS \u7528\u6237\uff0c\u53ef\u4ee5\u901a\u8fc7 SSH \u767b\u5f55\uff0c\u7136\u540e\u53c2\u8003\u4ee5\u4e0b\u6b65\u9aa4\uff1a

  1. proxmox-backup-manager user create \u7528\u6237\u540d@pbs --email \u90ae\u7bb1\u5730\u5740@ustclug.org
  2. proxmox-backup-manager user update \u7528\u6237\u540d@pbs --password '\u4e00\u4e2a\u4e34\u65f6\u7684\u5bc6\u7801'
  3. \u4f7f\u7528\u8be5\u7528\u6237\u767b\u5f55 PBS\uff08\u6b64\u65f6\u7528\u6237\u65e0\u6743\u9650\uff09\uff0c\u4fee\u6539\u5bc6\u7801\uff1b
  4. \u8d4b\u4e88\u6743\u9650\u3002\u8d85\u7ea7\u7ba1\u7406\u5458\u5bf9\u5e94\u7684\u547d\u4ee4\u662f proxmox-backup-manager acl update / Admin --auth-id \u7528\u6237\u540d@pbs
  5. \u4f7f\u7528 proxmox-backup-manager acl list \u786e\u8ba4\u6743\u9650\u5217\u8868\u3002

\u53c2\u8003\uff1ahttps://pbs.proxmox.com/docs/user-management.html

Tip

\u5f53\u7136\uff0c\u4f60\u4e5f\u53ef\u4ee5 SSH \u767b\u5f55\u540e\u4fee\u6539 root \u5bc6\u7801\uff0c\u518d\u7528 root@pam \u7684\u8d26\u53f7\u767b\u5f55 web \u754c\u9762\u8fdb\u884c\u64cd\u4f5c\u3002\u8be5\u65b9\u6cd5\u540c\u65f6\u9002\u7528\u4e8e PVE \u548c PBS\u3002\u64cd\u4f5c\u5b8c\u6210\u540e\u8bf7\u6062\u590d root \u5bc6\u7801\uff08passwd -d root\uff09\u3002

\u5982\u679c\u4f60\u9700\u8981\u7ecf\u5e38\u767b\u5f55 Web \u754c\u9762\u64cd\u4f5c\uff0c\u6700\u597d\u521b\u5efa\u4e00\u4e2a Realm pve/pbs \u800c\u4e0d\u662f\u4f9d\u8d56\u4e8e\u4f7f\u7528 root \u5bc6\u7801\u3002

\u7279\u522b\u5730\uff0c\u7531\u4e8e PBS \u548c PVE \u540c\u65f6\u5b89\u88c5\u5728 esxi-5 \u4e0a\uff0c\u56e0\u6b64\u5b83\u4eec\u53ef\u4ee5\u5171\u4eab esxi-5 \u4e0a\u7684 Linux \u7528\u6237\uff08\u5373 Linux PAM standard authentication\uff09\u3002

"},{"location":"infrastructure/proxmox/pbs/#pbs-add-datastore","title":"\u8bbe\u7f6e Datastore","text":"

PBS \u4e0a\u7684\u865a\u62df\u673a\u5907\u4efd\u5355\u5143\u662f\u5c0f\u5757\u7684 chunk\uff0c\u4e5f\u4f9d\u8d56\u8fd9\u4e2a\u8bbe\u8ba1\u5b9e\u73b0\u589e\u91cf\u5907\u4efd\uff0c\u6240\u4ee5\u865a\u62df\u673a\u5907\u4efd\uff08Datastore\uff09\u7684\u540e\u7aef\u90fd\u662f\u76ee\u5f55\u3002\u6dfb\u52a0 Datastore \u53ea\u9700\u8981\u6307\u5b9a\u4e00\u4e2a\u76ee\u5f55\uff0c\u53d6\u4e00\u4e2a\uff08\u7b80\u77ed\u7684\uff09\u540d\u5b57\u5c31\u53ef\u4ee5\u4e86\u3002\u5efa\u8bae\u4e0d\u8981\u4f7f\u7528\u6587\u4ef6\u7cfb\u7edf\u7684\u6839\u76ee\u5f55\u4f5c\u4e3a Datastore\uff0c\u53ef\u4ee5\u521b\u5efa\u4e00\u4e2a pbs \u6587\u4ef6\u5939\u7528\u4f5c Datastore\uff0c\u53c2\u8003\u4e0b\u9762\u6240\u8ff0\u7684 esxi-5 \u4e0a\u7684\u914d\u7f6e\u3002

\u76ee\u524d\u5728 esxi-5 \u4e0a\u914d\u7f6e\u4e86\u4ee5\u4e0b datastore\uff1a

"},{"location":"infrastructure/proxmox/pve/","title":"Proxmox Virtual Environment (PVE)","text":"

LUG \u76ee\u524d\u670d\u5f79\u7684 Proxmox VE \u4e3b\u673a\u6709\uff1a

\u8fd9\u4e9b PVE \u4e3b\u673a\u914d\u7f6e\u4e3a\u4e00\u4e2a\u96c6\u7fa4\uff0c\u53ef\u4ee5\u5171\u4eab\u4e00\u4e9b\u914d\u7f6e\u4fe1\u606f\u5e76\u4e92\u76f8\u8fc1\u79fb\u865a\u62df\u673a\u3002\u7279\u522b\u5730\uff0cProxmox VE Authentication Server\uff08Realm \u4e3a pve\uff09\u7684\u8d26\u53f7\u5728 PVE \u4e3b\u673a\u4e4b\u95f4\u662f\u5171\u4eab\u7684\uff0c\u5e76\u4e14\u6dfb\u52a0\u7684 PBS \u5b58\u50a8\u540e\u7aef\u4e5f\u662f\u5171\u4eab\u7684\uff0c\u5373\u5927\u5bb6\u90fd\u53ef\u4ee5\u5f80\u76f8\u540c\u7684 PBS \u4e0a\u5907\u4efd\u865a\u62df\u673a\u3002

\u53e6\u6709\u6682\u672a\u52a0\u5165 PVE \u96c6\u7fa4\u7684\u673a\u5668\u5982\u4e0b\uff1a

\u4e0d\u540c\u4e3b\u673a\u4e4b\u95f4\u7684 Linux PAM \u7528\u6237\u662f\u4e0d\u76f8\u901a\u7684

\u6240\u6709 Proxmox \u4e3b\u673a\u7684\u4e3b\u673a\u540d\uff08hostname\uff09\u90fd\u8bbe\u4e3a <hostname>.vm.ustclug.org\uff0c\u5bf9\u5e94\u7684 IP \u5730\u5740\u8bb0\u5f55\u5728 DNS \u4e2d\u3002

"},{"location":"infrastructure/proxmox/pve/#common","title":"\u516c\u7528\u914d\u7f6e","text":""},{"location":"infrastructure/proxmox/pve/#root","title":"root \u8d26\u6237","text":"

\u5df2\u5e9f\u5f03\u7684\u5185\u5bb9

\u4e3a\u4e86\u4fbf\u4e8e\u901a\u8fc7 IPMI \u7b49\u65b9\u5f0f\u7ef4\u62a4\uff0c\u6211\u4eec\u7ea6\u5b9a\u6240\u6709 Proxmox \u4e3b\u673a\u7684 root \u8d26\u6237\u5bc6\u7801\u4fdd\u6301\u4e3a\u7a7a\u3002\u82e5\u6709\u64cd\u4f5c\u9700\u8981\u4f7f\u7528 root \u5bc6\u7801\uff08\u5982\u521b\u5efa\u548c\u52a0\u5165\u96c6\u7fa4\u65f6\uff09\uff0c\u8bf7\u901a\u8fc7 SSH \u6216 IPMI \u767b\u5f55\uff0c\u4e34\u65f6\u8bbe\u7f6e\u4e00\u4e2a root \u5bc6\u7801\uff0c\u5e76\u5728\u4fee\u6539\u5b8c PVE / PBS \u7684\u914d\u7f6e\u540e\u5c06\u5bc6\u7801\u5220\u9664\uff08passwd -d\uff09\u3002PVE / PBS \u6ca1\u6709\u4f9d\u8d56\u4e8e\u56fa\u5b9a\u4e0d\u53d8\u7684 root \u5bc6\u7801\u624d\u80fd\u6b63\u5e38\u8fd0\u884c\u7684\u7ec4\u4ef6\uff0c\u56e0\u6b64\u8fd9\u6837\u505a\u5bf9 PVE / PBS \u6765\u8bf4\u662f\u6ca1\u95ee\u9898\u7684\u3002

"},{"location":"infrastructure/proxmox/pve/#networking","title":"\u7f51\u7edc\u914d\u7f6e","text":"

\u5b89\u5168\u8d77\u89c1\uff0cPVE / PBS \u4e3b\u673a\u4f7f\u7528 RFC 1918 \u6bb5\u7684\u6821\u56ed\u7f51 IP\uff0c\u4e0d\u8fde\u63a5\u516c\u7f51\u3002

Debian \u548c Proxmox \u7684\u8f6f\u4ef6\u66f4\u65b0\u4f7f\u7528 mirrors.ustc.edu.cn \u5373\u53ef\uff0c\u82e5\u6709\u9700\u8981\u8bbf\u95ee\u6821\u5916\uff08\u5982 GitHub \u7b49\uff09\uff0c\u8bf7\u5199 hosts \u5e76\u914d\u7f6e\u8def\u7531\uff0c\u4ee5 GitHub \u4e3a\u4f8b\uff1a

echo \"20.205.243.166 github.com\" >> /etc/hosts\nip route replace 20.205.243.166 via (?) dev (?)\n

\u5176\u4e2d via \u9009\u62e9 gateway-el \u6216 gateway-nic \u7684\u5185\u7f51\u5730\u5740\uff0cdev \u9009\u62e9\u6865\u63a5\u5185\u7f51\u7684 vmbr\uff08\u89c1\u4e0b\uff09\u3002

"},{"location":"infrastructure/proxmox/pve/#vmbr","title":"\u865a\u62df\u673a\u7f51\u6865","text":"

Proxmox VE \u8981\u6c42\u4e3a\u865a\u62df\u673a\u63a5\u5165\u7684\u7f51\u6865\u5fc5\u987b\u547d\u540d\u4e3a vmbrN\uff0c\u5176\u4e2d N \u662f 0-4094 \u4e4b\u95f4\u7684\u6574\u6570\u3002\u65b9\u4fbf\u8d77\u89c1\uff0c\u6211\u4eec\u5728\u4e24\u4e2a\u673a\u623f\u5206\u522b\u7edf\u4e00 vmbr \u7684\u7f16\u53f7\uff1a

\u7f16\u53f7 \u4e1c\u56fe \u7f51\u7edc\u4e2d\u5fc3 vmbr0 \u6821\u56ed\u7f51\uff08\u6559\u80b2\u7f51\uff09 \u6821\u56ed\u7f51\uff08\u6559\u80b2\u7f51\uff09 vmbr1 \u5185\u7f51 \u5185\u7f51 vmbr2 \u7535\u4fe1+\u79fb\u52a8 \u7535\u4fe1 vmbr3 - \u8054\u901a vmbr4 - \u79fb\u52a8 vmbr5 - \u7279\u6b8a\u7528\u9014 vmbr10 \u5907\u7528 -"},{"location":"infrastructure/proxmox/pve/#pve-firewall","title":"\u9632\u706b\u5899","text":"

\u6211\u4eec\u4e0d\u4f7f\u7528 Proxmox \u81ea\u5e26\u7684\u9632\u706b\u5899\u529f\u80fd\uff0c\u4f46 pve-firewall \u4ecd\u7136\u4f1a\u5c1d\u8bd5\u90e8\u7f72\u6216\u6062\u590d\u9632\u706b\u5899\u8bbe\u7f6e\uff0c\u56e0\u6b64\u9700\u8981\u7981\u7528\u76f8\u5173\u8bbe\u7f6e\u53ca\u670d\u52a1\uff1a

/etc/pve/nodes/$(hostname -s)/host.fw
[OPTIONS]\nenable: 0\n
systemctl stop pve-firewall.service\nsystemctl disable pve-firewall.service\nsystemctl mask pve-firewall.service\n

\u53ef\u9009\u5185\u5bb9\uff1a\u540c\u65f6\u5b89\u88c5 iptables-persistent \u8f6f\u4ef6\u5305\uff0c\u5e76\u5229\u7528 iptables \u5c06 443 \u7aef\u53e3\u8f6c\u53d1\u5230 8006 \u7aef\u53e3\u65b9\u4fbf\u4f7f\u7528\u3002

update-alternatives --set iptables /usr/sbin/iptables-nft\nupdate-alternatives --set ip6tables /usr/sbin/ip6tables-nft\n
/etc/iptables/rules.v4
*nat\nPREROUTING ACCEPT [0:0]\nINPUT ACCEPT [0:0]\nOUTPUT ACCEPT [0:0]\nPOSTROUTING ACCEPT [0:0]\n-A PREROUTING -p tcp --dport 443 -m addrtype --dst-type LOCAL -j REDIRECT --to-ports 8006\nCOMMIT\n

\u5220\u6389 rules.v6 \u6587\u4ef6\uff0c\u7136\u540e\u8fd0\u884c systemctl restart netfilter-persistent.service \u8f7d\u5165 iptables \u89c4\u5219\u3002

"},{"location":"infrastructure/proxmox/pve/#ntp","title":"NTP \u65f6\u95f4","text":"

Proxmox \u9ed8\u8ba4\u4f7f\u7528 chrony \u8f6f\u4ef6\u548c Debian \u63d0\u4f9b\u7684 NTP pool\uff0c\u8fd9\u4e9b\u670d\u52a1\u5668\u90fd\u5728\u6821\u5916\uff0c\u4f7f\u7528\u6821\u56ed\u7f51 IP \u65e0\u6cd5\u8fde\u901a\uff0c\u9700\u8981\u6539\u6210\u6821\u56ed\u7f51\u7684 NTP \u670d\u52a1\u5668\uff1a

/etc/chrony/chrony.conf
# Use Debian vendor zone.\n#pool 2.debian.pool.ntp.org iburst\nserver time.ustc.edu.cn iburst\n

\u7136\u540e\u8fd0\u884c systemctl restart chrony.service \u91cd\u542f\u670d\u52a1\u3002

"},{"location":"infrastructure/proxmox/pve/#ssl","title":"SSL \u8bc1\u4e66","text":"

\u53c2\u89c1 SSL \u8bc1\u4e66\uff0c\u6b63\u597d vdp \u4e0a\u9762\u8fd0\u884c\u4e86 LUG FTP \u800c\u56e0\u6b64\u914d\u7f6e\u4e86\u8bc1\u4e66\u7684\u81ea\u52a8\u66f4\u65b0\uff0c\u5229\u7528 vdp \u63d0\u4f9b\u7684 NFS \u670d\u52a1\uff0c\u6211\u4eec\u5728 vdp \u4e0a\u7684\u8bc1\u4e66\u66f4\u65b0\u811a\u672c\u4e2d\u6dfb\u52a0\u4e86\u5c06 vm \u8bc1\u4e66\u590d\u5236\u5230 NFS \u76ee\u5f55\u7684\u529f\u80fd\uff0c\u7136\u540e\u7531 pve-6 \u90e8\u7f72\u5230\u5404\u4e2a\u4e3b\u673a\u4e0a\u3002

\u4e0b\u9762\u662f pve-6 \u4e0a\u7684\u811a\u672c\uff1a

/etc/cron.daily/sync-cert
#!/bin/bash -e\n\nSRC=\"/etc/pve/nodes/$(hostname -s)\"\nDSTROOT=\"/etc/pve/nodes\"\nCERTSRC=\"/mnt/nfs-el/cert\"\n\ncp -u \"$CERTSRC/privkey.pem\" \"$SRC/pveproxy-ssl.key\"\ncp -u \"$CERTSRC/fullchain.pem\" \"$SRC/pveproxy-ssl.pem\"\nsystemctl reload pveproxy.service\n\nfor DST in \"$DSTROOT\"/*; do\n  [ \"$DST\" = \"$SRC\" ] && continue\n  node=\"$(basename \"$DST\")\"\n  cp \"$SRC/pveproxy-ssl.key\" \"$SRC/pveproxy-ssl.pem\" \"$DST/\"\n  ssh \"$node\" 'systemctl reload pveproxy.service' &\ndone\nwait\n

\u7531\u4e8e PVE \u548c PBS \u7684\u6570\u636e\u4e0d\u4e92\u901a\uff0c\u56e0\u6b64 esxi-5 \u4e0a\u7684\u76f8\u540c\u4f4d\u7f6e\u6709\u53e6\u4e00\u4e2a\u811a\u672c\u4e3a PBS \u90e8\u7f72\u8bc1\u4e66\uff1a

/etc/cron.daily/sync-cert
#!/bin/bash\n\nSRC=\"/etc/pve/nodes/$(hostname -s)\"\nDST=\"/etc/proxmox-backup\"\n\nif ! cmp -s \"$SRC/pveproxy-ssl.pem\" \"$DST/proxy.pem\"; then\n  cp \"$SRC/pveproxy-ssl.key\" \"$DST/proxy.key\"\n  cp \"$SRC/pveproxy-ssl.pem\" \"$DST/proxy.pem\"\n  systemctl reload proxmox-backup-proxy.service\nfi\nexit 0\n\n# Unreachable code, leaving here for reference\nif command -v openssl 2>/dev/null; then\n  FP=\"$(openssl x509 -noout -fingerprint -sha256 -inform pem -in \"$DST/proxy.pem\")\"\n  FP=\"${FP##*=}\"\n  pvesm set esxi-5-data --finerprint \"$FP\"\n  pvesm set esxi-5-vdp2 --finerprint \"$FP\"\nfi\n
"},{"location":"infrastructure/proxmox/pve/#virtiofs","title":"VirtIO FS","text":"

\u5bf9\u4e8e mirrorlog \u7b49\u91cd\u5b58\u50a8\u578b\u7684\u865a\u62df\u673a\uff0c\u6211\u4eec\u5c1d\u8bd5\u628a\u5927\u91cf\u7684\u6570\u636e\u6587\u4ef6\u653e\u5728 host \u4e0a\uff0c\u907f\u514d ZFS\uff08Zvol\uff09\u548c ext4 \u7684\u4e24\u5c42\u5f00\u9500\uff08\u4ee5\u53ca\u5728 ZFS \u4e0a\u4e5f\u53ef\u4ee5\u4f7f\u7528\u66f4\u5927\u7684 recordsize \u83b7\u5f97\u66f4\u597d\u7684 I/O \u4f53\u9a8c\u548c\u66f4\u4f4e\u7684 RAID-Z overhead\uff09\uff0c\u7136\u540e\u4f7f\u7528 virtiofs \u4f9b\u865a\u62df\u673a\u8bbf\u95ee\u3002

Virtiofs \u7684\u914d\u7f6e\u8fc7\u7a0b\u4e3b\u8981\u53c2\u8003\u4e86 https://forum.proxmox.com/threads/virtiofsd-in-pve-8-0-x.130531/\uff1a

\u9996\u5148\u914d\u7f6e\u865a\u62df\u673a\uff1a

/etc/pve/qemu-server/230.conf
args: -chardev socket,id=virtfs0,path=/run/virtiofsd-230.sock -device vhost-user-fs-pci,queue-size=1024,chardev=virtfs0,tag=mirrorlog -object memory-backend-file,id=mem,size=8192M,mem-path=/dev/shm,share=on -numa node,memdev=mem\n

\u5176\u4e2d path= \u6307\u5411 virtiofsd \u7684 socket \u6587\u4ef6\uff0ctag= \u53ef\u4ee5\u4efb\u610f\u6307\u5b9a\uff0c\u7528\u4e8e\u533a\u5206\u591a\u4e2a virtiofsd \u5b9e\u4f8b\uff08\u5bf9\u5e94\u865a\u62df\u673a\u5185\u7684 mount source\uff09\uff0csize= \u662f\u5171\u4eab\u5185\u5b58\u5927\u5c0f\u3002

\u7136\u540e\u5b89\u88c5 virtiofsd\uff0c\u76f4\u63a5 apt install virtiofsd \u5373\u53ef\uff08PVE \u6253\u5305\u4e86 Rust \u91cd\u5199\u7684\u65b0\u7248 virtiofsd\uff09\u3002

\u63a5\u4e0b\u6765\u9700\u8981\u914d\u7f6e virtiofsd \u5728\u865a\u62df\u673a\u5f00\u673a\u524d\u542f\u52a8\u3002\u6ce8\u610f\u4e00\u4e2a virtiofsd \u53ea\u80fd\u4f9b\u4e00\u4e2a\u865a\u62df\u673a\u8bbf\u95ee\u4e00\u4e2a\u4e3b\u673a\u4e0a\u7684\u76ee\u5f55\uff0c\u56e0\u6b64\u9700\u8981\u4f7f\u7528 PVE \u7684 hook script \u6765\u542f\u52a8 virtiofsd\u3002\u8fd9\u4e2a hook script \u653e\u5728 /var/lib/vz \u76ee\u5f55\u4e0b\uff0c\u63a5\u6536\u4e24\u4e2a\u547d\u4ee4\u884c\u53c2\u6570\uff08VMID \u548c\u542f\u52a8\u9636\u6bb5\uff09\uff1a

/var/lib/vz/snippets/mirrorlog.sh
#!/bin/sh\n\nif [ $# -ne 2 ]; then\n  echo \"Need exactly 2 arguments\" >&2\n  exit 1\nfi\n\nVMID=\"$1\"\nPHASE=\"$2\"\n\n[ \"$VMID\" -eq 230 ] || exit 0\n\nNAME=virtiofsd-230\nSOCKPATH=\"/run/$NAME.sock\"\n\ncase \"$PHASE\" in\n  pre-start)\n    systemctl stop \"$NAME\".service\n    rm -f \"$SOCKPATH\" \"$SOCKPATH\".pid\n\n    systemd-run \\\n      --collect \\\n      --unit=\"$NAME\" \\\n      /usr/libexec/virtiofsd \\\n      --syslog \\\n      --socket-path \"$SOCKPATH\" \\\n      --shared-dir /mnt/mirrorlog \\\n      --announce-submounts \\\n      --inode-file-handles=mandatory\n      ;;\n  pre-stop) ;;\n  post-start) ;;\n  post-stop) ;;\n  *) echo \"Unknown phase $PHASE\" >&2; exit 1;;\nesac\n

\u76f8\u6bd4\u4e8e Proxmox \u8bba\u575b\u91cc\u7684\u6559\u7a0b\u8d34\uff0c\u8fd9\u91cc\u6700\u91cd\u8981\u7684\u4fee\u6539\u662f\u7ed9 systemd-run \u52a0\u4e0a\u4e86 --collect \u53c2\u6570\uff0c\u8fd9\u6837 virtiofsd \u9000\u51fa\u65f6\u65e0\u8bba\u662f\u5426 failed\uff0csystemd \u90fd\u4f1a\u6e05\u7406\u6389\u8fd9\u4e2a\u4e34\u65f6\u7684 service unit\u3002

\u7136\u540e\u901a\u8fc7\u547d\u4ee4\u884c\u914d\u7f6e\u4f7f\u7528\uff1a

qm set 230 --hookscript local:snippets/mirrorlog.sh\n

\u7136\u540e\u5c06\u865a\u62df\u673a\u5173\u673a\uff0c\u901a\u8fc7 qm start \u6216\u8005 web \u754c\u9762\u542f\u52a8\uff0c\u5373\u53ef\u5728\u865a\u62df\u673a\u5185\u6302\u8f7d virtiofsd \u63d0\u4f9b\u7684\u76ee\u5f55\u3002

# Manual\nmount -t virtiofs mirrorlog /mnt/mirrorlog\n\n# via /etc/fstab\nmirrorlog /mnt/mirrorlog virtiofs defaults 0 0\n
"},{"location":"infrastructure/proxmox/pve/#pve-5","title":"pve-5","text":"

pve-5 \u4f4d\u4e8e\u7f51\u7edc\u4e2d\u5fc3\uff0c\u914d\u7f6e\u4e3a 2\u00d7 Xeon E5-2603 v4 (Broadwell 6C6T, 1.70 GHz, no HT, no Turbo Boost) Xeon E5-2667 v4 (Broadwell 8C16T, 3.20 GHz, Max 3.60 GHz)\uff0c256 GB \u5185\u5b58\u548c\u4e00\u5927\u5806 SSD\uff082\u00d7 \u4e09\u661f 240 GB SATA + 10x Intel DC S4500 1.92 TB SATA\uff09\u3002\u6211\u4eec\u5c06\u4e24\u5757 240 GB \u7684\u76d8\u7ec4\u6210\u4e00\u4e2a LVM VG\uff0c\u5206\u914d 16 GB \u7684 rootfs\uff08LVM mirror\uff09\u548c 8 GB \u7684 swap\uff0c\u5176\u4f59\u7a7a\u95f4\u7ed9\u4e00\u4e2a thinpool\u3002\u5341\u5757 1.92 TB \u7684\u76d8\u7ec4\u6210\u4e00\u4e2a RAIDZ2 \u7684 zpool\uff0c\u7528\u4e8e\u5b58\u50a8\u865a\u62df\u673a\u7b49\u6570\u636e\u3002

\u5176\u8fde\u63a5\u7684\u5355\u6839 10 Gbps \u7684\u5149\u7ea4\uff0c\u6865\u63a5\u51fa vmbr0 \u81f3 vmbr4 \u7b49\u7f51\u6865\uff08\u7ebf\u8def\u5b9a\u4e49\u89c1\u4e0a\uff09\u3002\u5176\u4e2d\u65e0\u5934\u7f51\u6865\u7528\u4e8e\u4ece gateway-nic \u6865\u63a5 Tinc\u3002

\u786c\u76d8\u63a7\u5236\u5668\u4e0d\u8981\u4f7f\u7528 VirtIO SCSI Single \u6216 LSI \u5f00\u5934\u7684\u9009\u9879

\u53ef\u80fd\u7531\u4e8e ZFS \u6a21\u5757\u7684 bug \u6216\u8005\u5185\u5b58\u6761\u6545\u969c\uff0c\u4f7f\u7528\u8fd9\u4e9b\u6a21\u5f0f\u5728\u865a\u62df\u673a\u91cd\u542f\u65f6\u4f1a\u5bfc\u81f4\u6574\u4e2a Proxmox VE \u4e3b\u673a\u5361\u4f4f\u800c\u4e0d\u5f97\u4e0d\u91cd\u542f\u3002\u8bf7\u4f7f\u7528 VirtIO SCSI\uff08\u4e0d\u5e26 Single\uff09\u3002\u540c\u6837\u539f\u56e0\u521b\u5efa\u865a\u62df\u673a\u786c\u76d8\u65f6\u4e5f\u4e0d\u8981\u52fe\u9009 iothread\u3002

\u4e3b\u673a\u4f7f\u7528 ZFS\uff08Zvol\uff09\u4f5c\u4e3a\u865a\u62df\u673a\u7684\u865a\u62df\u786c\u76d8\uff0c\u5728\u865a\u62df\u673a\u4e2d\u542f\u7528 fstrim.timer\uff08systemd \u7684 fstrim \u5b9a\u65f6\u4efb\u52a1\uff0c\u7531 util-linux \u63d0\u4f9b\uff09\u53ef\u4ee5\u5b9a\u671f\u817e\u51fa\u4e0d\u7528\u7684\u7a7a\u95f4\uff0c\u5e2e\u52a9 ZFS \u66f4\u597d\u5730\u89c4\u5212\u7a7a\u95f4\u3002\u542f\u7528 fstrim \u7684\u865a\u62df\u786c\u76d8\u9700\u8981\u5728 PVE \u4e0a\u542f\u7528 discard \u9009\u9879\uff0c\u5426\u5219 fstrim \u4e0d\u8d77\u4f5c\u7528\u3002\u8be5\u7279\u6027\u662f\u7531\u4e8e ZFS \u662f CoW \u7684\uff0c\u4e0e ZFS \u5e95\u5c42\u4f7f\u7528 SSD \u6ca1\u6709\u5173\u8054\u3002

"},{"location":"infrastructure/proxmox/pve/#esxi-5","title":"esxi-5","text":"

esxi-5 \u4e5f\u4f4d\u4e8e\u7f51\u7edc\u4e2d\u5fc3\uff0c\u914d\u7f6e\u4e3a 2\u00d7 Xeon E5620\uff08Westmere-EP 4C8T, 2.40~2.66 GHz\uff09\uff0c48 GB \u5185\u5b58\uff0c\u4e24\u5757 240 GB SATA SSD \u548c\u4e00\u4e9b\u4e0d\u77e5\u9053\u574f\u4e86\u591a\u5c11\u7684 1 TB \u548c 2 TB HDD\uff08\u89c1\u4e0b\uff09\u3002\u7531\u4e8e\u673a\u8eab\u81ea\u5e26\u7684 RAID \u5361\u4e0d\u652f\u6301\u786c\u76d8\u76f4\u901a\uff08JBOD \u6a21\u5f0f\uff09\uff0c\u56e0\u6b64\u6211\u4eec\u5c06\u4e24\u5757 SSD \u5206\u522b\u505a\u6210\u5355\u76d8\u201c\u9635\u5217\u201d\u7136\u540e\u5728\u7cfb\u7edf\u91cc\u4f7f\u7528 LVM\uff08LVM \u89c4\u683c\u4e0e pve-5 \u76f8\u540c\uff09

\u987e\u540d\u601d\u4e49\u672c\u673a\u5668\u66fe\u7ecf\u8fd0\u884c\u7684\u662f VMware ESXi\uff0c\u5728 2022 \u5e74 1 \u6708\u91cd\u88c5\u4e3a Proxmox VE 7.1\uff0c\u56e0\u4e3a\u54b1\u4eec\u90fd\u662f\u7ea0\u7ed3\u602a\u6240\u4ee5\u51b3\u5b9a\u4e0d\u6539\u540d\uff0c\u8fd8\u53eb esxi-5\u3002\u8003\u8651\u5230\u8be5\u673a\u5668\u914d\u7f6e\u4e86\u591a\u4e2a\u786c\u76d8\u9635\u5217\uff0c\u4e14\u9635\u5217\u7684\u53ef\u7528\u5bb9\u91cf\u6bd4 pve-5 \u7684\u786c\u76d8\u7684\u539f\u59cb\u5bb9\u91cf\u8fd8\u5927\uff0c\u6211\u4eec\u5728\u4e0a\u9762\u52a0\u88c5 Proxmox Backup Server \u8f6f\u4ef6\uff0c\u4e3b\u8981\u7528\u4f5c\u865a\u62df\u673a\u5907\u4efd\uff0c\u66ff\u4ee3\u539f\u5148\u8fd0\u884c\u5728 ESXi \u4e0a\u7684 vSphereDataProtection \u865a\u62df\u673a\u3002

"},{"location":"infrastructure/proxmox/pve/#_1","title":"\u7f51\u7edc","text":"

\u7f51\u7edc\u914d\u7f6e\u4e0e pve-5 \u76f8\u4f3c\uff0c\u5176\u4e0a\u6709\u4e24\u4e2a\u5343\u5146\u7f51\u5361 enp3s0 \u548c enp4s0\u3002enp3s0 \u8fde\u63a5\u7f51\u7edc\u4e2d\u5fc3\u7684\u4ea4\u6362\u673a\uff0c\u6865\u63a5\u4e0d\u540c\u7684 VLAN \u7f51\u7edc\u7ed9\u865a\u62df\u673a\uff0c\u5e76\u4e14\u5404 vmbrX \u7684\u6570\u5b57\u548c\u7aef\u53e3\u4e0e pve-5 \u4e00\u81f4\uff1b\u800c enp4s0 \u8fde\u63a5\u4e00\u4e2a\u5916\u90e8\u9635\u5217\uff08vdp2\uff09\uff0c\u4f7f\u7528 iSCSI \u8bbf\u95ee\u8be5\u9635\u5217\u3002

\u7531\u4e8e\u6211\u4eec\u53ea\u6709\u4e00\u4e2a gateway-nic\uff0c\u800c pve-5 \u548c esxi-5 \u4e24\u4e2a\u4e3b\u673a\u90fd\u4f9d\u8d56 gw-nic \u6865\u63a5\u7684 tinc \u6765\u63a5\u5165\u5185\u7f51\uff0c\u56e0\u6b64\u6211\u4eec\u5728 pve-5 \u548c esxi-5 \u4e4b\u95f4\u62c9\u4e86\u4e00\u6761 GRETAP \u96a7\u9053\uff0c\u5e76\u5728\u4e24\u4e2a\u4e3b\u673a\u4e0a\u5206\u522b\u5c06 VTEP \u6865\u63a5\u5230 vmbr1\u3002

\u53c2\u8003\u914d\u7f6e\uff1a

pve-5:/etc/network/interfaces
auto gretap0esxi-5\niface gretap0esxi-5 inet manual\n    pre-up ip link add name $IFACE mtu $IF_MTU type gretap local 10.38.95.115 remote 10.38.95.111\n    post-down ip link delete $IFACE\n    mtu 1500\n\nauto vmbr1\niface vmbr1 inet static\n    address 10.254.0.240/21\n    bridge-ports gretap0esxi-5\n    bridge-stp off\n    bridge-fd 0\n

esxi-5 \u8fd9\u7aef\u7684\u914d\u7f6e\u5219\u5c06\u5bf9\u5e94\u7684 iface \u540d\u79f0\u548c IP \u5730\u5740\u7b49\u5168\u90e8\u5bf9\u6362\u5373\u53ef\u3002

MTU \u95ee\u9898

2022 \u5e74 2 \u6708\u5904\u7406\u5185\u7f51 tinc ARP \u95ee\u9898\u65f6\u53d1\u73b0 esxi-5 \u548c pve-5 \u7684 vmbr1 MTU \u90fd\u88ab\u8bbe\u7f6e\u6210\u4e86 1462\uff08GRETAP \u7684\u9ed8\u8ba4 MTU\uff09\u3002\u6211\u4eec\u4e0d\u786e\u5b9a MTU \u95ee\u9898\u4e0e tinc \u662f\u5426\u76f8\u5173\uff0c\u4f46\u4fdd\u9669\u8d77\u89c1\u6211\u4eec\u8fd8\u662f\u5c06\u8be5 GRETAP \u754c\u9762\u7684 MTU \u8bbe\u7f6e\u6210\u4e86 1500\uff08GRE \u5177\u6709\u5206\u7247\u529f\u80fd\uff09\u3002

-pre-up ip link add name $IFACE type gretap local 10.38.95.115 remote 10.38.95.111\n+pre-up ip link add name $IFACE mtu $IF_MTU type gretap local 10.38.95.115 remote 10.38.95.111\n post-down ip link delete $IFACE\n+mtu 1500\n
"},{"location":"infrastructure/proxmox/pve/#iscsi","title":"iSCSI","text":"

\u8bbe\u7f6e iSCSI \u5f00\u673a\u81ea\u52a8\u767b\u5f55\uff1a

iscsiadm -m node -T iqn.2002-10.com.infortrend:raid.sn8223150.001 -p 192.168.10.1:3260 -o update -n node.startup -v automatic\niscsiadm -m node -T iqn.2002-10.com.infortrend:raid.sn8223150.001 -p 192.168.10.1:3260 -o update -n node.conn[0].startup -v automatic\n

\u53c2\u8003\u94fe\u63a5\uff1ahttps://library.netapp.com/ecmdocs/ECMP1654943/html/GUID-8EC685B4-8CB6-40D8-A8D5-031A3899BCDC.html

\u8fc7\u65f6\u4fe1\u606f

\u7531\u4e8e\u6211\u4eec\u6ca1\u6709\u7814\u7a76\u6e05\u695a open-iscsi \u7684\u5f00\u673a\u81ea\u52a8\u6302\u8f7d\u673a\u5236\uff0c\u56e0\u6b64\u6211\u4eec\u9009\u62e9\u76f4\u63a5 override \u5bf9\u5e94\u7684 service \u6765\u5b8c\u6210\u8fd9\u4e2a\u4efb\u52a1\uff1a

$ systemctl edit open-iscsi.service
[Service]\nExecStart=\nExecStart=/sbin/iscsiadm -d8 -m node -T iqn.2002-10.com.infortrend:raid.sn8223150.001 -p 192.168.10.1:3260 --login\nExecStart=/lib/open-iscsi/activate-storage.sh\n

\u82e5 iSCSI \u8fde\u63a5\u6210\u529f\uff0c\u5e94\u8be5\u53ef\u4ee5\u5728\u7cfb\u7edf\u4e2d\u770b\u5230\u4e00\u4e2a\u65b0\u7684\u786c\u76d8\uff0c\u5bb9\u91cf\u4e3a 14.55 TiB\uff0c\u578b\u53f7\u663e\u793a\u4e3a RS-3116I-S42-6\u3002

"},{"location":"infrastructure/proxmox/pve/#rootfs-backup","title":"rootfs \u5907\u4efd","text":"

\u5c3d\u7ba1 esxi-5 \u7684 rootfs \u4e5f\u4f7f\u7528\u4e86 LVM mirror \u5728\u4e24\u5757 SSD \u4e0a\u955c\u50cf\uff0c\u4f46\u662f\u6211\u4eec\u4e0d\u592a\u4fe1\u4efb\u8fd9\u5757 RAID \u5361\uff0c\u56e0\u6b64\u6211\u4eec\u5c06 esxi-5 \u7684 rootfs \u6bcf\u5929\u5907\u4efd\u5230 vdp2 \u4e0a\u3002\u4e3a\u4e86\u907f\u514d\u5728 vdp2 \u6389\u7ebf\u7684\u65f6\u5019\u4e71\u201c\u5907\u4efd\u201d\uff0c\u6211\u4eec\u4f7f\u7528\u4e00\u4e2a systemd \u670d\u52a1\uff0c\u8bbe\u7f6e\u4e86 RequiresMountsFor \u4f9d\u8d56\uff1a

/etc/systemd/system/rootfs-backup.service
[Unit]\nDescription=Backup rootfs to vdp2\nRequiresMountsFor=/mnt/vdp2\n\n[Service]\nType=oneshot\nExecStart=/usr/bin/rsync -aHAXx --delete / /mnt/vdp2/rootfs/\n
crontab
21 4 * * * systemctl start rootfs-backup.service\n
"},{"location":"infrastructure/proxmox/pve/#esxi-5-others","title":"\u5176\u4ed6\u8bb0\u5f55","text":"

esxi-5 \u4e8e 2021/8 \u53d1\u73b0\u81ea\u5e26\u9635\u5217\u6709\u4e24\u5757\u574f\u76d8\uff0c\u5728\u66f4\u6362\u540e\u53d1\u73b0 storage \"root\"\uff08\u5b58\u653e vcenter \u865a\u62df\u673a\uff0c\u7ec4\u5efa RAID 1 \u540e\u5927\u5c0f 1.8 TB\uff09\u65e0\u6cd5\u6b63\u5e38 rebuild\uff0c\u5e76\u4e14 vcenter \u865a\u62df\u673a\u7684 vmdk \u6587\u4ef6\u6709 4 \u4e2a\u51fa\u73b0 I/O error\u3002\u6b64\u540e vcenter \u865a\u62df\u673a\u5df2\u7ecf\u8fc1\u79fb\u5230 storage \"data\" (RAID10, 7.2 TB) \u5e76\u6b63\u5e38\u5de5\u4f5c\u3002

"},{"location":"infrastructure/proxmox/pve/#records","title":"\u5de5\u4f5c\u8bb0\u5f55","text":""},{"location":"infrastructure/proxmox/pve/#migrate-docker2","title":"2021-12-31 \u8fc1\u79fb docker2","text":"

docker2 \u539f\u5148\u4f7f\u7528 QEMU \u76f4\u63a5\u8fd0\u884c\u5728 mirrors2 \u4e0a\uff0c\u4e0b\u5c42\u5b58\u50a8\u4e3a ZFS Zvol\uff08pool0/qemu/docker2\uff09\uff0c\u7531\u4e8e ZFS \u8c03\u53c2\u4e0d\u5f53\u4f7f\u5176\u5360\u7528\u4e86 3 \u500d\u7684\u786c\u76d8\u7a7a\u95f4\uff08\u89c1\u8fd9\u4e2a Reddit \u8d34\u5b50\uff09\uff0c\u52a0\u4e0a mirrors2 \u672c\u8eab\u5bf9\u5916\u63d0\u4f9b Rsync \u670d\u52a1\uff0c\u786c\u76d8\u8d1f\u8f7d\u6781\u9ad8\uff0c\u6240\u4ee5\u957f\u671f\u4ee5\u6765 docker2 \u7684 I/O \u6027\u80fd\u5341\u5206\u4f4e\u4e0b\u3002\u6b63\u597d\u501f\u8fd9\u6b21\u5168\u95ea\u7684\u65b0\u5bbf\u4e3b\u673a\u5c06\u5176\u8fc1\u79fb\u8fc7\u53bb\u3002

\u8fc1\u79fb\u65f6\u9700\u8981\u4fdd\u8bc1\u5b8c\u6574\u6027\u7684\u4e3b\u8981\u5185\u5bb9\u5c31\u662f\u865a\u62df\u673a\u5185\u7684\u4e1a\u52a1\uff0c\u56e0\u6b64\u9700\u8981\u5728\u4e3b\u673a\u95f4\u4f20\u8f93\u7684\u5185\u5bb9\u5c31\u662f\u865a\u62df\u78c1\u76d8\uff0c\u5176\u4ed6\u914d\u7f6e\uff08CPU\u3001\u5185\u5b58\u3001\u7f51\u5361\u7b49\uff09\u90fd\u53ef\u4ee5\u76f4\u63a5\u5728\u65b0\u5e73\u53f0\u4e0a\u521b\u5efa\u65b0\u865a\u62df\u673a\u65f6\u4fee\u6539\u3002\u539f\u672c\u6211\u4eec\u6253\u7b97\u4f7f\u7528 rsync \u6216\u8005 dd \u7684\u65b9\u5f0f\u590d\u5236\u78c1\u76d8\uff0c\u4f46\u662f\u8003\u8651\u5230\u4e24\u8fb9\u90fd\u662f ZFS\uff0c\u4f7f\u7528 zfs send \u662f\u4e00\u4e2a\u66f4\u597d\u7684\u65b9\u6848\u3002

\u6211\u4eec\u5728 pve-5 \u4e0a\u8fd0\u884c nc -l -p 9999 </dev/null | pv | zfs recv rpool/data/docker2\uff0c\u7136\u540e\u5728 mirrors2 \u4e0a\u5bf9 zvol \u5148\u6253\u4e2a\u5feb\u7167\uff0c\u8fd0\u884c zfs send pool0/qemu/docker2@20211230 > /dev/tcp/{pve-5}/9999 \u5c06\u5feb\u7167\u5185\u5bb9\u53d1\u9001\u5230 pve-5 \u4e0a\uff08300 GiB \u7684\u6570\u636e\u82b1\u8d39\u4e86 16 \u5c0f\u65f6\uff09\uff0c\u7136\u540e\u518d\u5c06 docker2 \u5173\u673a\u5e76\u589e\u91cf\u4f20\u8f93\uff0czfs send -i @20211230 pool0/qemu/docker2 > /dev/tcp/{pve-5}/9999\uff08\u589e\u91cf\u4f20\u8f93\u53ea\u53d1\u9001\u4e86 10 GB \u6570\u636e\uff09\u3002\u540c\u65f6\u6211\u4eec\u5728 Proxmox \u7684 web \u754c\u9762\u4e0a\u521b\u5efa\u4e00\u4e2a\u65b0\u865a\u62df\u673a\uff0c\u914d\u597d CPU \u5185\u5b58\u7f51\u5361\u7b49\uff0c\u5206\u914d 300 GiB \u7684\u786c\u76d8\u3002

\u7531\u4e8e zfs send \u662f\u539f\u6837\u53d1\u9001\u7684\uff0c\u56e0\u6b64\u63a5\u6536\u5230\u7684 zvol \u786c\u76d8\u5360\u7528\u91cf\u4ecd\u7136\u6709 712 GB\u3002Proxmox \u65b0\u5efa\u7684 zvol \u53c2\u6570\u5c31\u6bd4\u8f83\u5408\u7406\uff08volblocksize=16k\uff09\uff0c\u6ca1\u6709\u4e25\u91cd\u653e\u5927\u7684\u95ee\u9898\uff0c\u56e0\u6b64\u6211\u4eec\u518d\u5c06\u63a5\u6536\u5230\u7684 zvol \u7ed9 dd \u8fdb\u65b0\u865a\u62df\u673a\u7684 zvol \u800c\u4e0d\u662f\u76f4\u63a5\u4f7f\u7528\u3002dd \u7ed3\u679c\u7ea6 345 GiB\uff08\u5341\u5206\u5408\u7406\uff09\uff0c\u5f00\u673a\u8fdb\u7cfb\u7edf\u8fd0\u884c fstrim \u4e4b\u540e\u5360\u7528\u91cf\u7ea6\u4e3a 240 GiB\uff08\u66f4\u52a0\u5408\u7406\u4e86\uff09\u3002

\u8fc1\u79fb\u8fc7\u7a0b\u6ca1\u6709\u9047\u5230\u4efb\u4f55\u5751\uff0c\u4ec5\u6709\u7684\u6ce8\u610f\u4e8b\u9879\u5c31\u662f zvol \u8c03\u53c2\u9700\u8981\u91cd\u65b0 dd \u800c\u4e0d\u80fd\u76f4\u63a5\u6539\uff0c\u4ee5\u53ca\u521b\u5efa\u7f51\u5361\u7684\u987a\u5e8f\uff08\u4f1a\u5f71\u54cd\u865a\u62df\u673a\u5185\u90e8 eth0 \u548c eth1 \u7684\u987a\u5e8f\uff0c\u9664\u975e\u865a\u62df\u673a\u5185\u90e8\u4f7f\u7528 udev persistent net \u65b9\u5f0f\u6839\u636e MAC \u5730\u5740\u5c06\u7f51\u5361\u6539\u540d\uff09\u3002

"},{"location":"infrastructure/proxmox/pve/#esxi-5-syslog-zfs-error-cannot-open-rpool-no-such-pool","title":"esxi-5 \u7684 syslog \u4e00\u76f4\u51fa\u73b0 zfs error: cannot open 'rpool': no such pool","text":"

\u8fd9\u662f\u56e0\u4e3a esxi-5 \u4e0a\u9762\u6839\u672c\u5c31\u6ca1\u6709\u4f7f\u7528 ZFS\uff0c\u800c\u52a0\u5165 pve-5 \u7684\u96c6\u7fa4\u65f6\u865a\u62df\u673a\u7684\u5b58\u50a8\u4fe1\u606f\uff08/etc/pve/storage.cfg\uff09\u4e5f\u4ece pve-5 \u540c\u6b65\u8fc7\u6765\u5408\u5e76\u4e86\uff0c\u56e0\u6b64 esxi-5 \u5728\u6839\u636e pve-5 \u7684\u914d\u7f6e\u5c1d\u8bd5\u542f\u7528 zfs \u5b58\u50a8\u3002

\u89e3\u51b3\u529e\u6cd5\uff1a\u7531\u4e8e /etc/pve \u4e0b\u5927\u591a\u6570\u5185\u5bb9\u5728\u96c6\u7fa4\u95f4\u662f\u540c\u6b65\u7684\uff0c\u6253\u5f00 storage.cfg\uff0c\u5728 zfspool: local-zfs \u4e0b\u9762\u52a0\u5165\u4e00\u884c\uff0c\u7f29\u8fdb\u4e00\u4e2a Tab \u5e76\u52a0\u4e0a nodes pve-5\uff0c\u8868\u793a\u8fd9\u4e2a storage \u53ea\u5728 pve-5 \u4e0a\u4f7f\u7528\u3002

"},{"location":"infrastructure/proxmox/pve/#pve-6","title":"pve-6","text":"

pve-6 \u4f4d\u4e8e\u4e1c\u56fe\uff0c\u662f\u4e00\u53f0 HP DL380G6\uff0c\u914d\u7f6e\u4e3a 2\u00d7 Xeon E5620 (Westmere 4C8T, 2.50 GHz), 72 GB \u5185\u5b58\u548cl\u4e24\u5757 300 GB \u7684 SAS \u786c\u76d8\u3002\u66fe\u7ecf\u53eb\u505a esxi-6\uff0c\u5728 2022 \u5e74 1 \u6708\u7edf\u4e00\u66f4\u6362\u4e3a Proxmox VE\u3002

\u673a\u5668\u6709\u4e24\u4e2a\u7f51\u5361\uff0c\u5171\u6709 4 \u4e2a 1 Gbps \u7684\u63a5\u53e3\uff0c\u5176\u4e2d 3 \u4e2a\u90fd\u63a5\u5728 VLAN \u4ea4\u6362\u673a\u4e0a\uff08\u53e6\u4e00\u4e2a\u4e0d\u77e5\u9053\u63a5\u4e86\u5565\uff09\uff0c\u901a\u8fc7 VLAN \u540c\u65f6\u8fde\u63a5\u56fe\u4e66\u9986\u7684\u4e24\u4e2a\u7f51\u6bb5\u4ee5\u53ca\u7ecf\u7531 gateway-el \u6865\u63a5\u7684\u5185\u7f51\uff0c\u4ee5\u53ca\u8fde\u63a5 vdp \u6302\u8f7d NFS\u3002

HP Smart Array

HP \u7684\u81ea\u5e26 RAID \u5361\u7ba1\u7406\u8f6f\u4ef6\u53ef\u4ee5\u5728 http://downloads.linux.hpe.com/SDR/repo/mcp/Debian/pool/non-free/ \u4e0b\u8f7d\uff0c\u5b89\u88c5 ssacli \u8f6f\u4ef6\u5305\u3002\u76f8\u5173\u4f7f\u7528\u65b9\u6cd5\u53ef\u4ee5\u53c2\u8003 https://sleeplessbeastie.eu/2017/03/06/how-to-use-hp-command-line-array-configuration-utility/\u3002

"},{"location":"services/","title":"LUG \u670d\u52a1\u603b\u89c8","text":"

\u6ce8\u610f

LUG \u7684\u4e3b\u9875\u4e0a\u8fd8\u6709\u4e00\u4efd\u300a\u7f51\u7edc\u670d\u52a1\u5217\u8868\u300b \uff0c\u5982\u679c\u6709\u670d\u52a1\u72b6\u6001\u6539\u53d8\uff0c\u8bb0\u5f97\u540c\u6b65\u66f4\u65b0\u4e3b\u9875\u4e0a\u7684\u5217\u8868\u3002

"},{"location":"services/#mirrors","title":"Mirrors \u955c\u50cf\u7ad9","text":"

\u670d\u52a1\u5668\uff1a

\u955c\u50cf\u7ad9\u65e5\u5fd7\u4f1a\u5907\u4efd\u81f3 mirrorlog \u865a\u62df\u673a\u4e0a\u3002

"},{"location":"services/#auth-dns","title":"\u6743\u5a01 DNS","text":"

\u4ee5\u4e0b\u5185\u5bb9\u7531 GPT-4 \u751f\u6210

User: \u5411\u65b0\u624b\u8fd0\u7ef4\u4ecb\u7ecd\u4ec0\u4e48\u662f\u6743\u5a01 DNS

Bot: \u6743\u5a01DNS\uff08Authoritative DNS\uff09\u670d\u52a1\u662f\u56e0\u7279\u7f51\u57df\u540d\u7cfb\u7edf\uff08DNS\uff09\u7684\u4e00\u90e8\u5206\uff0c\u5b83\u8d1f\u8d23\u5904\u7406\u5173\u4e8e\u5176\u8d1f\u8d23\u7ba1\u7406\u7684\u4e00\u7ec4\u57df\u540d\u7684\u67e5\u8be2\u3002\u8fd9\u4e9bDNS\u670d\u52a1\u5668\u5e26\u6709\u5173\u4e8e\u4ed6\u4eec\u6240\u8d1f\u8d23\u57df\u7684\u6240\u6709\u5fc5\u8981\u6570\u636e\uff0c\u5e76\u4ece\u7ba1\u7406\u8be5\u57df\u7684\u4eba\u6216\u7ec4\u7ec7\u4e2d\u6536\u5230\u66f4\u65b0\u3002

\u6bd4\u5982\uff0c\u5982\u679c\u4f60\u5728\u6d4f\u89c8\u5668\u4e2d\u8f93\u5165\u4e00\u4e2a\u7f51\u7ad9\u5730\u5740\uff0c\u4f60\u7684\u8bf7\u6c42\u9996\u5148\u53d1\u9001\u5230\u9012\u5f52DNS\u670d\u52a1\u5668\uff0c\u7136\u540e\u9012\u5f52\u670d\u52a1\u5668\u67e5\u8be2\u6743\u5a01DNS\u670d\u52a1\u5668\u6765\u83b7\u53d6\u5bf9\u5e94\u7684IP\u5730\u5740\u3002\u6743\u5a01\u670d\u52a1\u5668\u5c31\u662f\u201c\u6743\u5a01\u201d\u8d44\u6e90\uff0c\u80fd\u591f\u544a\u8bc9\u9012\u5f52\u670d\u52a1\u5668\u5bf9\u5e94\u7684IP\u5730\u5740\u662f\u4ec0\u4e48\u3002\u8fd9\u4e2a\u8fc7\u7a0b\u88ab\u79f0\u4e3aDNS\u89e3\u6790\u3002

\u603b\u7684\u6765\u8bf4\uff0c\u6743\u5a01DNS\u670d\u52a1\u5668\u5c31\u662f\u5b58\u50a8\u3001\u7ba1\u7406\u5e76\u54cd\u5e94\u7279\u5b9a\u57df\u540d\u4fe1\u606f\u7684\u201c\u6743\u5a01\u201d\u6765\u6e90\u3002

\u6211\u4eec\u7684\u6743\u5a01 DNS \u670d\u52a1\u5668\u63d0\u4f9b\u4e86\u4e0e LUG \u6709\u5173\u7684\u57df\u540d\u7684\u76f8\u5173\u89e3\u6790\u4fe1\u606f\uff0c\u540c\u65f6\u4e5f\u662f\u4e00\u4e2a\uff08\u901a\u8fc7\u57df\u540d\uff09\u53ef\u4ee5\u6982\u89c8 LUG \u66fe\u7ecf\u4e0e\u76ee\u524d\u6709\u7684\u670d\u52a1\u7684\u5730\u65b9\u3002

"},{"location":"services/#lug-ftp","title":"LUG FTP","text":"

\u4e3b\u670d\u52a1\u5668\uff1avdp.s.ustclug.org\uff0cSSH \u7aef\u53e3 2222\u3002\u5bf9\u5916\u63d0\u4f9b HTTP(S)\uff08\u6587\u4ef6\u5217\u8868\uff09\u4e0e FTP \u670d\u52a1\u3002\u540c\u65f6\u63a5\u5165 LDAP\uff0c\u6bcf\u4e2a LDAP \u7528\u6237\u90fd\u53ef\u4ee5\u4f7f\u7528 LUG FTP \u5b58\u50a8\u81ea\u5df1\u7684\u6587\u4ef6\u3002

\u4e0e\u6b64\u540c\u65f6\uff0cvdp \u4e5f\u627f\u62c5\u4e86\u4f7f\u7528 NFS \u5411 PVE \u670d\u52a1\u5668\u63d0\u4f9b\u4e00\u90e8\u5206\u5b58\u50a8\u7684\u4efb\u52a1\u3002

"},{"location":"services/#gitlab","title":"LUG GitLab","text":"

\u4e3b\u670d\u52a1\u5668\uff1agitlab.s.ustclug.org\uff0cSSH \u7aef\u53e3 2222\u3002

"},{"location":"services/#revproxy","title":"\u4e3b\u9875\u53cd\u4ee3","text":"

\u662f\u591a\u4e2a HTTP \u670d\u52a1\u7684\u5165\u53e3\u3002

\u7531\u4e8e\u653f\u7b56\u548c\u5408\u89c4\u6027\u539f\u56e0\uff0c\u6211\u4eec\u5bf9\u4f7f\u7528\u4e3b\u9875\u53cd\u4ee3\u7684\u57df\u540d\u91c7\u7528\u4e86\u5206\u7ebf\u8def\u89e3\u6790\u7684\u65b9\u6848\uff0c\u5176\u4e2d\u7edd\u5927\u90e8\u5206\u57df\u540d\u5728\u6821\u5916\u90fd\u89e3\u6790\u5230 gateway-jp\uff0c\u5728\u6821\u5185\u89e3\u6790\u5230 gateway-nic\u3002\u8fd9\u4e24\u53f0\u670d\u52a1\u5668\u5747\u63a5\u5165 tinc \u5185\u7f51\uff0c\u91c7\u7528\u540c\u4e00\u5957 Nginx \u914d\u7f6e\uff0c\u4e3a\u5185\u7f51\u670d\u52a1\u5668\u63d0\u4f9b HTTP \u53cd\u4ee3\u3002

\u5b8c\u6574\u5217\u8868\u8bf7\u5728 auth-dns \u4ed3\u5e93\u5185\u5bfb\u627e CNAME \u5230 gateway.cname.ustclug.org. \u7684\u57df\u540d\u3002

\u4e00\u4e9b\u4f8b\u5916\uff1a

"},{"location":"services/#homepage","title":"LUG \u4e3b\u9875","text":"

\u540e\u7aef\u662f docker2 \u4e0a\u7684 website \u5bb9\u5668\u3002

\u89c1 ustclug/website \u4ed3\u5e93\u7684 README\u3002

tky: planet \u73b0\u5728\u7f3a\u4e4f\u7ef4\u62a4\uff0c\u5e0c\u671b\u80fd\u6709\u4eba\u628a\u5b83\u641e\u8d77\u6765\u3002

"},{"location":"services/#linux-101","title":"Linux 101","text":"

\u540e\u7aef\u662f docker2 \u4e0a\u7684 linux101 \u5bb9\u5668\u3002

\u89c1 ustclug/Linux101-docs \u4ed3\u5e93\u7684 README\u3002

"},{"location":"services/#getvpn","title":"\u7533\u8bf7\u7cfb\u7edf","text":"

\u4e00\u4e2a\u4f7f\u7528 Flask \u7f16\u5199\u7684 web \u5e94\u7528\uff0c\u90e8\u7f72\u4e86\u4e24\u5957\uff0c\u5206\u522b\u63d0\u4f9b LUG VPN \u548c Light \u7684\u7533\u8bf7\u670d\u52a1\u3002\u5176\u4e2d\uff1a

"},{"location":"services/#proxy","title":"\u5404\u8def\u53cd\u5411\u4ee3\u7406","text":"

\u57df\u540d\uff1a*.proxy.ustclug.org

\u4f5c\u4e3a\u955c\u50cf\u7ad9\u670d\u52a1\u7684\u4e00\u90e8\u5206\uff0cgateway-jp/nic \u4e5f\u5206\u522b\u4e3a\u6821\u5916\u5185\u63d0\u4f9b\u53cd\u5411\u4ee3\u7406\u5217\u8868\u7684\u53cd\u5411\u4ee3\u7406\u670d\u52a1\u3002

"},{"location":"services/#qt-guide-opensuse-guide","title":"Qt Guide \u548c openSUSE Guide","text":"

\u7531 @winland0704 \u8d1f\u8d23\u7f16\u5199\u5185\u5bb9\uff0c\u6211\u4eec\u5e2e\u52a9\u6258\u7ba1\uff0c\u5e73\u65f6\u653e\u7740\u4e0d\u52a8\u5c31\u884c\u3002

\u540e\u7aef\u662f docker2 \u4e0a\u7684\u4e24\u4e2a\u5bb9\u5668 qtguide \u548c opensuse-guide\u3002

"},{"location":"services/#_1","title":"\u670d\u52a1\u8fd0\u884c\u72b6\u6001\u670d\u52a1\u5668\u9ed1\u677f\u62a5","text":"

TODO: servers \u4e0e status \u7684\u5408\u5e76\u5de5\u4f5c\u3002

"},{"location":"services/#lug-vpn","title":"LUG VPN","text":"

\u4e3b\u670d\u52a1\u5668\uff1avpnstv.s.ustclug.org\uff08\u865a\u62df\u673a\uff0cNIC \u673a\u623f\uff09

RADIUS \u8ba4\u8bc1\u670d\u52a1\u5668\uff1aradius.s.ustclug.org\uff0c\u540c\u65f6\u8fd0\u884c\u4e86 FreeRADIUS \u548c\u5b83\u7684 MySQL \u6570\u636e\u5e93\u3002

\u53e6\u6709\u65e7\u7684 vpn.s.ustclug.org \u8fd0\u884c\u5728\u4e1c\u56fe\uff0c\u6682\u4e0d\u9700\u8981\u5173\u6ce8\u3002

"},{"location":"services/#hackergame","title":"Hackergame","text":"

\u76f8\u5173\u5185\u5bb9\u89c1 hackergame \u5185\u90e8\u6587\u6863\u3002

"},{"location":"services/#docker2","title":"\u5404\u7c7b Docker \u670d\u52a1","text":"

Docker2 \u662f\u4e13\u804c\u8d1f\u8d23\u8fd0\u884c\u5bb9\u5668\u7684\u673a\u5668\u3002

"},{"location":"services/#adrain","title":"Adrain","text":"

ustcflyer\uff08\u79d1\u5927\u98de\u8dc3\u624b\u518c\u7f51\u7ad9\uff09\u7684\u524d\u8eab\uff0c\u76ee\u524d\u4fdd\u6301\u8fd0\u884c\u3002

tky: ustcflyer \u6ca1\u6709\u5b9e\u73b0\u7ed9 session \u5220\u5bf9\u5e94\u8bc4\u8bba\u7684\u529f\u80fd\uff0c\u6240\u4ee5 adrain \u6ca1\u6709\u4e0b\u7ebf\u3002

"},{"location":"services/#grafana","title":"Grafana","text":"

LUG \u7684\u76d1\u63a7\u7ad9\u70b9\u3002

"},{"location":"services/#ldap","title":"LDAP","text":""},{"location":"services/#mail","title":"Mail","text":"

\u4e3a\u670d\u52a1\u5668\u3001IPMI \u7b49\u63d0\u4f9b\u7684\u5185\u90e8\u90ae\u4ef6\u670d\u52a1\u3002

[WIP]: \u9700\u8981\u8865\u5145

"},{"location":"services/#pve","title":"\u865a\u62df\u5316\uff1aPVE \u4e0e PBS","text":"

PVE: \u63d0\u4f9b\u865a\u62df\u5316\u652f\u6301\uff1bPBS: PVE \u7684\u865a\u62df\u673a\u5907\u4efd\u3002

"},{"location":"services/#pxe","title":"PXE","text":"

\u7f51\u7edc\u542f\u52a8\u670d\u52a1\uff0c\u8d1f\u8d23\u4e3a\u5168\u6821\u673a\u5668\u63d0\u4f9b\u63d2\u7f51\u53e3\u5373\u53ef\u5b89\u88c5\u7cfb\u7edf\u7684\u529f\u80fd\uff0c\u4ee5\u53ca\u4e3a\u56fe\u4e66\u9986\u67e5\u8be2\u673a\u63d0\u4f9b\u955c\u50cf\u3002

"},{"location":"services/#others","title":"\u5176\u4ed6","text":"

\u6b64\u5904\u6240\u5217\u51fa\u7684\u201c\u670d\u52a1\u201d\u6ca1\u6709\u4f7f\u7528\u6211\u4eec\u81ea\u5df1\u7684\u670d\u52a1\u5668\u8d44\u6e90\uff0c\u90fd\u6258\u7ba1\u5728\u5916\u90e8\u5e73\u53f0\u4e0a\uff0c\u4ec5\u57df\u540d\uff08\u5373 DNS\uff09\u7531\u6211\u4eec\u7ef4\u62a4\u3002

"},{"location":"services/#documentations","title":"\u6280\u672f\u6587\u6863","text":"

\u4e5f\u5c31\u662f\u672c\u6587\u6863\uff0c\u8fd0\u884c\u5728 Cloudflare Pages \u4e0a\u3002

"},{"location":"services/#ghauth","title":"GHAuth","text":"

https://ghauth.ustclug.org

\u7528\u4e8e\u53cc\u5411\u9a8c\u8bc1 GitHub \u8d26\u53f7\u4e0e\u79d1\u5927\u5b66\u53f7\u7684\u670d\u52a1\uff08\u7c7b\u4f3c\u4e8e https://qq.ustc.life\uff09\uff0c\u76ee\u524d\u5904\u4e8e\u95f2\u7f6e\uff0c\u8fd0\u884c\u5728 iBug \u7684 AWS Lambda \u4e0a\u3002

"},{"location":"services/#discontinued","title":"\u5df2\u5e9f\u5f03\u670d\u52a1","text":""},{"location":"services/discontinued/","title":"Discontinued Services","text":"

\u672c\u9875\u9762\u8bb0\u8f7d\u66fe\u7ecf\u63d0\u4f9b\u7684\u670d\u52a1\uff0c\u4f46\u662f\u7531\u4e8e\u67b6\u6784\u6539\u53d8\u6216\u670d\u52a1\u8fc1\u79fb\uff0c\u8fd9\u4e9b\u670d\u52a1\u4e0d\u518d\u4ee5\u539f\u6765\u7684\u5f62\u5f0f\u63d0\u4f9b\uff0c\u5e76\u53ef\u80fd\u5728\u539f\u5904\u6709\u6b8b\u7559\u7684\u914d\u7f6e\u6587\u4ef6\u3002

\u901a\u5e38\u60c5\u51b5\u4e0b\u6b8b\u7559\u7684\u914d\u7f6e\u6587\u4ef6\u53ef\u4ee5\u76f4\u63a5\u5220\u9664\uff0c\u4f46\u662f\u4fdd\u9669\u8d77\u89c1\uff0c\u4ecd\u7136\u5efa\u8bae\u5728 Internals \u7fa4\u91cc\u5148\u8be2\u95ee\u4e00\u4e0b\u518d\u5904\u7406\u3002

"},{"location":"services/discontinued/#docker-registry","title":"Docker Registry","text":"

\u66fe\u7ecf\u8fd0\u884c\u5728 docker2 \u4e0a\uff0c\u73b0\u5728 LUG \u7684 Docker \u955c\u50cf\u5df2\u8f6c\u79fb\u81f3 Docker Hub\u3002

"},{"location":"services/discontinued/#freeshell","title":"Freeshell","text":"

\uff08\u672a\u5b8c\u5f85\u7eed\uff0c\u914d\u7f6e\u6587\u4ef6\u5148\u4fdd\u7559\uff09

"},{"location":"services/discontinued/#ustc-blog","title":"USTC Blog","text":"

Refer to Gitlab Wiki.

"},{"location":"services/discontinued/#telegram-web","title":"Telegram Web","text":"

Service\uff1atelegram.ustclug.org

Repository\uff1agithub.com/ustclug/telegram-web

DockerHub\uff1austclug/telegram-web

Deployment\uff1atelegram-web.sh

Servers\uff1a

Blog\uff1aadd-telegram-web-service

"},{"location":"services/discontinued/#ustc-life","title":"USTC Life","text":"

USTC Life is a navigation page, which included useful sites in USTC.

Service: ustc.life

2020-04-09 \u66f4\u65b0\u4fe1\u606f

\u76ee\u524d\uff0cUSTC Life \u670d\u52a1\u6258\u7ba1\u5728 GitHub Pages \u4e0a\uff0c\u4ed3\u5e93\u4e5f\u5df2\u8f6c\u79fb\u81f3 SmartHypercube/ustclife\uff0c\u7531 Hypercube \u8d1f\u8d23\u7ef4\u62a4\u3002\u4ee5\u4e0b\u5185\u5bb9\u4ec5\u4e3a\u5386\u53f2\u8bb0\u5f55\u3002

Git Repository: github.com/ustclug/ustclife

DockerHub: ustclug/ustclife

server: docker2.s.ustclug.org

deploy: /srv/webhook/ustclife.sh

webhook from DockerHub: /srv/webhook/hooks.json

"},{"location":"services/discontinued/#wordpress-based-serversustclugorg-planetustclugorg","title":"Wordpress-based servers.ustclug.org & planet.ustclug.org","text":"

\u4e3a\u4e86\u51cf\u5c0f\u653b\u51fb\u9762\u4e0e\u7ef4\u62a4\u6210\u672c\uff0cservers.ustclug.org \u8fc1\u79fb\u5230\u4e86\u57fa\u4e8e Jekyll \u7684\u65b9\u6848\uff1bplanet.ustclug.org \u5728\u65e9\u524d\u5df2\u7ecf\u6574\u5408\u5230\u4e86 LUG \u4e3b\u7ad9\u4e2d\u3002

"},{"location":"services/discontinued/#mail-list","title":"Mail List","text":"

Plugin Email Subscribers & Newsletters on servers.ustclug.org sends a mail to Google Group when a new article posted on mirrors catalogue.

The mails are sent from servers@ustclug.org, which is a member of Google Group with write permission.

Google Group: ustc-mirrors@googlegroups.com

"},{"location":"services/docker2/","title":"Docker services","text":"

Server: docker2.s.ustclug.org

Provides Docker container environment for other services. All non-system services should be run as Docker containers on this host.

Methods to run individual containers are maintained in the ustclug/docker-run-script repository.

"},{"location":"services/docker2/#special-configurations","title":"Special configurations","text":""},{"location":"services/docker2/#network-interfaces","title":"Network interfaces","text":"

We use udev rules to assign consistent names to network interfaces, identified by their MAC addresses.

/etc/udev/rules.d/70-persistent-net.rules
SUBSYSTEM==\"net\", ACTION==\"add\", DRIVERS==\"?*\", ATTR{address}==\"00:50:56:9f:00:22\", NAME=\"Telecom\"\nSUBSYSTEM==\"net\", ACTION==\"add\", DRIVERS==\"?*\", ATTR{address}==\"00:50:56:9f:00:5b\", NAME=\"Mobile\"\nSUBSYSTEM==\"net\", ACTION==\"add\", DRIVERS==\"?*\", ATTR{address}==\"00:50:56:9f:00:5d\", NAME=\"ustclug\"\n

We then refer to these interfaces using their new names in /etc/network/interfaces to ensure consistent network configuration.

2022 \u5e74 2 \u6708 21 \u65e5\u66f4\u65b0

\u4eca\u65e5\u53d1\u73b0 docker2 \u65e0\u6cd5\u8fde\u63a5\u5bb9\u5668\u7f51\u7edc\uff0810.254.1.0/21\uff09\uff0c\u8c03\u8bd5\u540e\u53d1\u73b0\u4e3a Linux macvlan \u7f51\u7edc\u7279\u6027\uff08Stack Overflow\uff09\u3002\u4e3a\u4e86\u4fee\u590d\u8fde\u63a5\u95ee\u9898\uff0c\u8fdb\u884c\u4e86\u4ee5\u4e0b\u4fee\u6539\uff1a

  1. \u5c06 /etc/udev/rules.d/70-persistent-net.rules \u4e2d Policy \u66f4\u540d\u4e3a ustclug\uff1b
  2. \u5728 /etc/network/interfaces \u4e2d\u8bbe\u7f6e Policy \u548c ustclug \u4e24\u4e2a interface \u7684\u76f8\u5173\u914d\u7f6e\u5982\u4e0b\uff1a

    auto Policy\niface Policy inet static\n    address 10.254.0.16/21\n    pre-up ip link add $IFACE link ustclug type macvlan mode bridge\n    post-down ip link del $IFACE\n\nauto ustclug\niface ustclug inet manual\n
"},{"location":"services/docker2/#docker-daemon-service","title":"Docker daemon service","text":"

docker2 \u4e0a\u9762\u7684 Docker \u4f7f\u7528 macvlan \u6765\u5c06\u865a\u62df\u673a\u63a5\u5165 lugi \u5185\u7f51\uff0c\u56e0\u6b64\u5c06 macvlan \u7684\u4e3b\u7aef\u53e3 Policy \u914d\u7f6e\u4e3a docker.service \u7684\u5f3a\u4f9d\u8d56\u3002

systemctl edit docker.service
[Unit]\nBindsTo=sys-subsystem-net-devices-Policy.device\nAfter=sys-subsystem-net-devices-Policy.device\n

\u5b9e\u9645\u4e0a After=network-online.target \u5c31\u591f\u4e86\uff0c\u4f46\u662f\u51fa\u4e8e\u5386\u53f2\u539f\u56e0\u4f7f\u7528\u4e86 BindsTo \u5f3a\u4f9d\u8d56\u5185\u7f51\u7aef\u53e3\uff0c\u8fd9\u662f\u56e0\u4e3a docker2 \u66fe\u7ecf\u5355\u72ec\u8fd0\u884c tinc \u63a5\u5165\u5185\u7f51\uff0c\u800c tinc \u7684\u7aef\u53e3\u53ea\u5728 tinc \u542f\u52a8\u540e\u624d\u4f1a\u51fa\u73b0\uff08\u624d\u80fd\u5206\u51fa macvlan \u5b50\u7aef\u53e3\uff09\uff0c\u56e0\u6b64\u4f7f\u7528 BindsTo \u4fdd\u8bc1 docker \u968f\u8be5\u7aef\u53e3\u7684\u51fa\u73b0\u548c\u6d88\u5931\u800c\u542f\u52a8/\u505c\u6b62\u3002

2022 \u5e74 1 \u6708 15 \u65e5\u4ee5\u540e docker2 \u4e0e\u5176\u4ed6\u865a\u62df\u673a\u4e00\u6837\u901a\u8fc7 gateway-nic \u6865\u63a5\u7684 tinc \u63a5\u5165\u5185\u7f51\uff0c\u4e0d\u518d\u5355\u72ec\u8fd0\u884c tinc\u3002

"},{"location":"services/docker2/#opensuse-guide-qtguide","title":"opensuse-guide \u4e0e qtguide \u6bcf\u65e5\u66f4\u65b0","text":"

\u7531\u4e8e\u6ca1\u6709\u8bbe\u7f6e webhook\uff0c\u76ee\u524d\u914d\u7f6e\u4e86 systemd timer\uff0c\u6267\u884c /srv/docker/guide \u4e2d\u7684\u811a\u672c\uff0c\u4ee5\u5206\u522b\u5728\u6bcf\u65e5\u665a\u4e0a 23:15 \u548c 23:30 \u66f4\u65b0 opensuse-guide \u548c qtguide \u4e24\u4e2a\u5bb9\u5668\u7684 image \u5e76\u91cd\u542f\u5bb9\u5668\u3002

\u8be6\u7ec6\u7684\u914d\u7f6e\u6587\u4ef6\u53ef\u67e5\u770b docker-run-script \u4e2d\u7684 opensuse-guide \u548c qtguide \u4e24\u4e2a\u6587\u4ef6\u5939\u3002

"},{"location":"services/docker2/#workflows-troubleshooting","title":"Workflows & Troubleshooting","text":""},{"location":"services/docker2/#docker-pingd","title":"Docker \"pingd\"","text":"

\u66f4\u65b0

\u95ee\u9898\u5df2\u7ecf\u67e5\u660e\u4e3a Debian \u7684 Linux \u5185\u6838 bug (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=952660)\uff0c\u5df2\u7ecf\u901a\u8fc7\u66f4\u65b0\u5185\u6838\u5e76\u91cd\u542f\u800c\u89e3\u51b3\u3002\u4ee5\u4e0b\u5185\u5bb9\u4ec5\u4f5c\u5b58\u6863\u3002

\u51fa\u4e8e\u672a\u77e5\u539f\u56e0\u6709\u65f6\u5019\u5916\u90e8\u4e3b\u673a\u4f1a\u65e0\u6cd5\u4e3b\u52a8\u8fde\u901a Docker \u5bb9\u5668\uff08\u53ef\u80fd\u4e0e ARP \u6709\u5173\uff09\uff0c\u4f46\u662f\u5982\u679c\u67d0\u4e2a\u5bb9\u5668\u5148 ping \u4e86\u4e00\u4e0b\u5916\u90e8\u4e3b\u673a\uff0c\u5c31\u80fd\u53cc\u5411\u8fde\u901a\u4e86\u3002

\u7531\u4e8e\u6211\u4eec\u6682\u672a\u627e\u5230\u6b63\u5e38\u7684\u89e3\u51b3\u65b9\u6848\uff0c\u56e0\u6b64\u4f7f\u7528 \u201cping daemon\u201d \u4f5c\u4e3a\u4e00\u4e2a workaround\uff0c\u5728\u5bb9\u5668\u4e2d\u8fd0\u884c ping \u4fdd\u6301\u5916\u90e8\u4e3b\u673a\u7684\u8fde\u901a\u6027\u3002

docker-pingd@.service
[Unit]\nDescription=Docker pingd service %I\nDocumentation=man:ping(8)\nAfter=network.target\nStartLimitIntervalSec=0\n\n[Service]\nType=simple\nUser=root\nGroup=root\nExecStart=/bin/sh -c 'IVAR=\"%i\"; exec /usr/bin/docker exec \"$${IVAR%:*}\" ping -q -s 32 \"$${IVAR#*:}\"'\nExecStop=/bin/kill -s INT $MAINPID\nRestart=on-failure\nRestartSec=3\n\n[Install]\nWantedBy=multi-user.target\nAlias=docker-ping@.service\n

\u4f7f\u7528\u65b9\u5f0f\uff1asystemctl enable docker-pingd@container:host.service\uff0ccontainer \u6362\u6210\u5bb9\u5668\u540d\uff0chost \u6362\u6210 ping \u7684\u76ee\u6807\u3002

Trick \u4ecb\u7ecd\uff1aSystemd service \u914d\u7f6e\u6682\u4e0d\u652f\u6301\u591a\u4e2a\u6a21\u677f\u53c2\u6570 %i\uff0c\u56e0\u6b64\u8c03\u7528 shell \u6765\u89e3\u6790\u53c2\u6570\u3002Ref: https://github.com/systemd/systemd/issues/14895#issuecomment-612270690

"},{"location":"services/docker2/#wordpress","title":"WordPress \u5347\u7ea7","text":"

taoky

\u5f88\u9ebb\u70e6\uff0c\u5efa\u8bae lug \u4ee5\u540e\u518d\u4e5f\u522b\u7528\uff08\u522b\u5f00\u65b0\u7684\uff09wordpress \u4e86\u3002

servers \u4e0e\u65e7 planet \u4f7f\u7528 WordPress\uff0c\u6258\u7ba1\u5728 docker2 \u4e0a\u3002\u56e0\u4e3a docker2 \u73b0\u5728\u78c1\u76d8 IO \u5f88\u6162\uff0c\u6240\u4ee5\u53ef\u80fd\u4f1a\u51fa\u73b0\u4e00\u4e9b\u989d\u5916\u7684\u95ee\u9898\u3002

\u63a8\u8350\u4f7f\u7528 https://wp-cli.org/#installing\u3002\u547d\u4ee4\uff1a

chmod +x wp-cli.phar\nmv wp-cli.phar /usr/local/bin/wp\ncd /var/www/public/\nsudo -u www-data -- wp core update --version=5.8.1 /tmp/wordpress-5.8.1.zip\n

\u5bb9\u5668\u91cc sudo \u8981\u624b\u52a8\u88c5\u3002

\u4ee5\u4e0b\u5185\u5bb9\u4ec5\u4f9b\u53c2\u8003\u3002

\u5c1d\u8bd5\u5347\u7ea7\u65f6\u5982\u679c\u672a\u51fa\u73b0\u5347\u7ea7\u63d0\u793a\uff0c\u53ef\u4ee5\u4fee\u6539\uff1a

\u5982\u679c\u51fa\u73b0\u300c\u53e6\u4e00\u66f4\u65b0\u6b63\u5728\u8fd0\u884c\u300d\uff0c\u4e14\u786e\u8ba4\u4e0d\u5728\u66f4\u65b0\uff0c\u53ef\u4ee5\u5728\u6570\u636e\u5e93\u7684 wordpress \u8868\u4e2d\u6267\u884c\uff1a

DELETE FROM wp_options WHERE option_name = 'core_updater.lock';\n
"},{"location":"services/docker2/#docker","title":"\u770b\u8d77\u6765\u6b63\u5728\u8fd0\u884c\u4f46\u662f\u6ca1\u6709\u8fdb\u7a0b\u7684 Docker \u5bb9\u5668","text":"

2021/10/25 \u53d1\u73b0\u67d0\u5bb9\u5668\u663e\u793a\u6b63\u5728\u8fd0\u884c\uff0c\u4f46\u662f\u5b9e\u9645\u6ca1\u6709\u8fdb\u7a0b\u3002\u540e\u53d1\u73b0\u4e3a Docker \u7684 bug\uff0c\u5728\u5bb9\u5668\u8fdb\u7a0b\u88ab cgroups \u5e72\u6389\u4e4b\u540e\u53ef\u80fd\u4f1a\u51fa\u73b0\u6b64\u60c5\u51b5\u3002

\u5bf9\u5e94 issue\uff1ahttps://github.com/moby/moby/issues/38501

\u89e3\u51b3\u65b9\u6cd5\uff1a\u5c06\u5bb9\u5668 ID \u5bf9\u5e94\u7684 containerd-shim \u6740\u6b7b\u5373\u53ef\u8ba9 Docker \u66f4\u65b0\u5176\u72b6\u6001\u4e3a\u5df2\u505c\u6b62\uff0c\u7136\u540e\u91cd\u65b0\u5f00\u542f\u5373\u53ef\u3002

"},{"location":"services/documentations/","title":"LUG \u6587\u6863","text":""},{"location":"services/ftp/","title":"LUG FTP","text":"

Services: FTP/FTPS, SFTP, HTTP, HTTPS

Git repository: ustclug/lugftp

Docker Hub: ustclug/ftp

Server: vdp.s.ustclug.org (management ssh port 2222)

Theme: h5ai

Deploy: ftp.sh

"},{"location":"services/ftp/#notes","title":"Notes","text":"
  1. SSL cert is required when running LUG FTP.
  2. ssh-keygen -A is required to be manually run when initializing.
  3. About directory permission:
    1. It is strongly suggested to keep permission & owner metadata when backing up/restoring.
    2. Public folder root: set owner root:root and permission 0755.
    3. Subfolders: set owner to 1000:1000. _h5ai and wp-content needs to be set to a different owner (misconfigured?). And Incoming shall be set to 0775.
  4. Do not use Google DNS in host, as China Mobile network may drop UDP packets to 8.8.8.8. A misconfigured DNS may lead to LDAP in container broken.
  5. Port 22 is delegated to the LUG FTP container for SFTP, and SSH access to the host has been reassigned to port 2222.
"},{"location":"services/gateway-el/","title":"Gateway: East Campus Library (gateway-el)","text":"

Todo

Currently systemctl restart networking is required after a reboot to set up tunnel. This bug should be fixed.

"},{"location":"services/gateway-el/#configurations","title":"Configurations","text":""},{"location":"services/gateway-el/#ip-virtual-server","title":"IP Virtual Server","text":"

gateway-el uses IPVS to send requests from one port to other machines directly. IPVS is a Linux kernel feature. Use ipvsadm -Ln to get its status.

"},{"location":"services/gateway-el/#tunnelmonitor","title":"tunnelmonitor","text":"

The tunnels used by gateway-el is mainly maintained by tunnelmonitor. Its config files are in /etc/tunnelmonitor, service is tunnelmonitor.service, and log is /var/log/tunnel_monitor.log.

When starting, netfilter-persistent.service should be run before tunnelmonitor. tunnelmonitor generates new mangle chains when starting, and pings all tunnels periodically and selects all available tunnels, and generates statistc rules.

You check check /var/log/tunnel_monitor.log to see if one tunnel has been down. Currently (2021/09), only one tunnel is available among all tunnel settings in /etc/tunnelmonitor/tunnel.ini.

"},{"location":"services/gateway-el/#iptables-mangle-rt_tables-and-ip-rule","title":"iptables mangle, rt_tables and ip rule","text":"

The following example is for demonstration purposes only.

You can get current status by iptables -t mangle -S. It is expected to see something like this:

-A DemonstrateManglePrerouting -m statistic --mode nth --every 1 --packet 0 -j MARK --set-xmark 0x12345/0xffffffff\n// ...\n-A PREOUT -m mark --mark 0x0 -j DemonstrateManglePrerouting\n

In this case, all packages to DemonstrateManglePrerouting chain will get fwmark 0x12345 (= 74565).

Check ip rule for that:

// ...\n10: from all fwmark 0x12345 lookup ExtraDemoTunnel\n// ...\n

You can get tunnel information in ip a:

29: ExtraDemoTunnel: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000\n    link/none\n    inet 192.168.252.17 peer 192.168.253.17/32 brd 192.168.252.17 scope global ExtraDemoTunnel\n       valid_lft forever preferred_lft forever\n

Here 192.168.252.17 is the local server of tunnel, and 192.168.253.17 is the remote server.

Let's check /etc/network/interfaces.d:

/etc/network/interfaces.d/03ExtraDemoTunnel
auto ExtraDemoTunnel\niface ExtraDemoTunnel inet static\n    address 192.168.252.17\n    netmask 255.255.255.255\n    pre-up ip link add dev $IFACE type wireguard\n    post-down ip link del dev $IFACE\n    up wg set $IFACE listen-port 4601 private-key /etc/wireguard/privkey peer pkeypkeypkeypkeypkeypkeypkeypkeypkeypkeypkey endpoint 23.3.3.3:4600 allowed-ips 0.0.0.0/0\n    up ip route replace default dev $IFACE table $IFACE\n    up ip rule add from all fwmark 74565 table $IFACE prio 10\n    pointopoint 192.168.253.17\n

Here we know that this is a wireguard tunnel, and the endpoint is 23.3.3.3:4600. The fwmark here is 74565 (in decimal).

Why is 74565 set? Let's check /etc/iproute2/rt_tables!

// ...\n74565   ExtraDemoTunnel\n// ...\n

For wireguard, you can use wg to check status. If you find that the \"received\" is 0 in transferred, something is going wrong.

"},{"location":"services/gateway-el/#nginx","title":"Nginx","text":""},{"location":"services/gateway-el/#ustclugorg-issue","title":"ustclug.org issue","text":"

See Gateway-NIC

"},{"location":"services/gateway-el/#issues","title":"Issues & resolution","text":""},{"location":"services/gateway-el/#ipvs-conntrack","title":"IPVS Conntrack","text":"

In early March 2022 we noticed Light connectivity issues from outside USTCnet, which was narrowed down to connections bypassing Linux Conntrack mechanism.

Thanks to TUNA group we learned about /proc/sys/net/ipv4/vs/conntrack, which at the time the problem was located, was zero. Settings this to 1 solved the problem.

However after writing net.ipv4.vs.conntrack = 1 to /etc/sysctl.d/10-ipvs-conntrack.conf and rebooting, the problem returned. Checking systemctl status systemd-sysctl.service we noticed this:

Mar 05 00:00:00 gateway-el systemd-sysctl[218]: Couldn't write '0' to 'net/ipv4/vs/conntrack', ignoring: No such file or directory\n

Adding ip_vs to /etc/modules and rebooting again correctly fixed the problem.

This is because the module was automatically loaded the first time ipvsadm is called (namely, /etc/init.d/ipvsadm), which happened at a very late stage. Adding to /etc/modules gets the module loaded earlier (and before systemd-sysctl.service) so it worked.

"},{"location":"services/gateway-el/#tinc-issue","title":"Tinc issue","text":"

See gateway

"},{"location":"services/gateway-jp/","title":"Gateway: Japan (gateway-jp)","text":"

This page is currently a stub.

"},{"location":"services/gateway-jp/#network-configuration","title":"Network configuration","text":""},{"location":"services/gateway-jp/#iptables","title":"iptables","text":"

See Gateway NIC

Blacklists are also managed with ipset, see /root/iptables.

"},{"location":"services/gateway-jp/#sysctl","title":"sysctl","text":"

When first applying iptables rules, we experienced severe performance degradation. Dmesg was flooded with messages like this:

nf_conntrack: nf_conntrack: table full, dropping packet\n

So we increased this sysctl setting:

/etc/sysctl.d/00-ustclug.conf
net.nf_conntrack_max = 262144\nnet.ipv4.tcp_fin_timeout = 10\n

To ensure net.nf_conntrack_max is available at boot, we also added nf_conntrack to /etc/modules and ran update-initramfs -u.

The other setting is to prevent TCP connections from lingering too long in FIN_WAIT_2 and TIME_WAIT states.

"},{"location":"services/gateway-nic/","title":"Gateway: Network Information Center (gateway-nic)","text":"

Previously gateway-nic used CentOS 7 to 8 to Stream, to \"avoid putting all eggs in one basket\". This VM was replaced by a newly setup Debian Bullseye VM on January 2022 during migration from ESXi to Proxmox VE.

The virtual disk of the old gateway-nic was copied onto pve-5, located at ZFS Zvol rpool/data/gateway-nic. The current VM uses rpool/data/vm-200-disk-0 instead (Proxmox naming convention).

"},{"location":"services/gateway-nic/#config-file-management","title":"Config file management","text":"

Git repositories exist for these directories:

/etc/nginx\n/etc/systemd/network\n/etc/tinc\n
"},{"location":"services/gateway-nic/#networking","title":"Networking","text":"

We use systemd-networkd to configure network on gateway-nic. This replaces both ifupdown (config file /etc/network/interfaces)

$ systemctl edit systemd-networkd.service
[Service]\nExecStartPre=-/sbin/ip -4 rule flush\nExecStartPre=-/sbin/ip -6 rule flush\n\n[Install]\nAlias=networkd.service\n

The ExecStartPre= commands flush (clear) existing rules so that systemd-networkd can fully manage all rules. This is because ManageForeignRoutingPolicyRules is a new setting in systemd 249, while Debian Bullseye uses systemd 247, so we have to do this manually.

We then load the regular \"main\" and \"default\" rules on the loopback interface (routing rules aren't bound to interfaces, but are added/removed when the configured interface is brought up/turned down).

/etc/systemd/network/00-lo.network
[Match]\nName=lo\n\n# Route \"main\"\n[RoutingPolicyRule]\nFamily=both\nTable=254\nPriority=2\nSuppressPrefixLength=1\n\n# Route \"Special\"\n[RoutingPolicyRule]\nFamily=both\nTable=1000\nPriority=5\nSuppressPrefixLength=1\n\n# Route \"default\"\n[RoutingPolicyRule]\nFamily=both\nTable=253\nPriority=32767\n
"},{"location":"services/gateway-nic/#interfaces","title":"Interfaces","text":"

Systemd-networkd has built-in capability to rename interfaces, so there's no need to use udev rules.

For example, to assign a name for the cernet interface, we use:

/etc/systemd/network/12-Cernet.link
[Match]\nPermanentMACAddress=00:50:56:a2:02:8c\n\n[Link]\nName=Cernet\n

We then configure addresses and routing rules for this interface:

/etc/systemd/network/12-Cernet.network
[Match]\nName=Cernet\n\n[Network]\nAddress=202.38.95.102/25\nAddress=2001:da8:d800:95::102/64\nIPv6AcceptRA=no\n\n[Route]\nGateway=202.38.95.126\nTable=253\nMetric=2\n\n[Route]\nGateway=2001:da8:d800:95::1\nTable=253\nMetric=2\n\n[Route]\nGateway=202.38.95.126\nTable=1002\n\n[Route]\nGateway=2001:da8:d800:95::1\nTable=1002\n\n[RoutingPolicyRule]\nFrom=202.38.95.102\nTable=1002\nPriority=3\n\n[RoutingPolicyRule]\nFrom=2001:da8:d800:95::102\nTable=1002\nPriority=3\n\n[RoutingPolicyRule]\nFamily=both\nOutgoingInterface=Cernet\nTable=1002\nPriority=3\n\n[RoutingPolicyRule]\nFamily=both\nFirewallMark=0x2\nTable=1002\nPriority=4\n

This config file assigns one IPv4 and one IPv6 address to the interface, as well as one IPv4 route and one IPv6 route for both the default routing table and an interface-specific routing table. It then adds three routing rules in both IPv4 and IPv6 for replying on the same interface, for sockets bound to this interfaces, and for firewall mark routing.

Other interfaces are configured similarly, so just refer to their configuration files for details.

"},{"location":"services/gateway-nic/#routes","title":"Routes","text":"

Outgoing connections are routed through different ISPs. We use ISP IP data from gaoyifan/china-operator-ip. Relevant files are located under /usr/local/network_config.

The said repository (branch ip-lists) is cloned and we symlink select files to iplist directory for consumption. A custom script converts these IP data into additional systemd-networkd config files (under /run/systemd).

$ ls -l /usr/local/network_config/iplist/
lrwxrwxrwx cernet.txt -> ../china-operator-ip/cernet.txt\nlrwxrwxrwx cernet6.txt -> ../china-operator-ip/cernet6.txt\nlrwxrwxrwx china.txt -> ../china-operator-ip/china.txt\nlrwxrwxrwx china6.txt -> ../china-operator-ip/china6.txt\nlrwxrwxrwx cstnet.txt -> ../china-operator-ip/cstnet.txt\nlrwxrwxrwx cstnet6.txt -> ../china-operator-ip/cstnet6.txt\nlrwxrwxrwx mobile.txt -> ../china-operator-ip/cmcc.txt\nlrwxrwxrwx telecom.txt -> ../china-operator-ip/chinanet.txt\nlrwxrwxrwx unicom.txt -> ../china-operator-ip/unicom.txt\n-rw-r--r-- ustcnet.txt\n-rw-r--r-- ustcnet6.txt\n
/usr/local/network_config/route-all.sh
#!/bin/bash\n\n[ -n \"$BASH_VERSION\" ] || exit 1\n\nWD=\"$(dirname \"$0\")\"\nROOT_IP_LIST=\"$WD/iplist\"\nROOT_CONF=/etc/systemd/network\nROOT_RT=/run/systemd/network\n\ngen_route() {\n  local DEVFILE=\"$1\"\n  local DEV=\"$(awk -F = '/^Name=/{print $2; exit}' \"$ROOT_CONF/$DEVFILE.network\")\"\n  local GW=\"$2\" FAMILY=ipv4 V6\n  if [[ \"$GW\" =~ : ]]; then\n    FAMILY=ipv6\n    V6=\"-v6\"\n  fi\n  # Convert table to number\n  local TABLENAME=\"$3\"\n  local TABLE=\"$(awk 'substr($0, 1, 1) != \"#\" && $2 == \"'\"$TABLENAME\"'\" { print $1 }' /etc/iproute2/rt_tables | head -1)\"\n  local PRIORITY=\"$4\"\n  shift 4\n\n  F=\"$ROOT_RT/$DEVFILE.network.d\"\n  mkdir -p \"$F\"\n  F=\"$F/route-${TABLENAME,,}${V6}.conf\"\n  echo -e \"[RoutingPolicyRule]\\nFamily=$FAMILY\\nTable=$TABLE\\nPriority=$PRIORITY\\n\" > \"$F\"\n\n  awk '{ print \"[Route]\\nDestination=\" $1 \"\\nGateway='\"$GW\"'\\nTable='\"$TABLE\"'\\n\" }' \"${@/#/$ROOT_IP_LIST/}\" >> \"$F\"\n}\n\ngen_route 12-Cernet 202.38.95.126 ustcnet 5 ustcnet.txt\ngen_route 12-Cernet 2001:da8:d800:95::1 ustcnet 5 ustcnet6.txt\ngen_route 12-Cernet 202.38.95.126 cernet 6 cernet.txt cstnet.txt\ngen_route 12-Cernet 2001:da8:d800:95::1 cernet 6 cernet6.txt cstnet6.txt\ngen_route 13-Telecom 202.141.160.126 telecom 6 telecom.txt unicom.txt\ngen_route 14-Mobile 202.141.176.126 mobile 6 mobile.txt\ngen_route 12-Cernet 202.38.95.126 china 7 china.txt\ngen_route 12-Cernet 2001:da8:d800:95::1 china 7 china6.txt\n

We then use a systemd service to ensure additional files for systemd-networkd are generated before it starts.

/etc/systemd/system/route-all.service
[Unit]\nDescription=Generate routes for systemd-networkd\nBefore=systemd-networkd.service\n\n[Service]\nType=oneshot\nExecStart=/bin/bash /usr/local/network_config/route-all.sh\n#ExecStart=/usr/local/network_config/special.rb\nRemainAfterExit=true\n\n[Install]\nWantedBy=network.target systemd-networkd.service\n

Updating routes from upstream is easy:

/usr/local/network_config/update.sh
#!/bin/sh\n\ncd \"$(dirname \"$0\")\"\n\ngit -C china-operator-ip pull\nsystemctl restart route-all.service\n

The resulting routing policies look like this:

$ ip rule
0:      from all lookup local\n2:      from all lookup main suppress_prefixlength 1\n3:      from 172.16.0.2 lookup Warp\n3:      from all oif Warp lookup Warp\n3:      from 202.141.176.102 lookup Mobile\n3:      from all oif Mobile lookup Mobile\n3:      from 202.141.160.102 lookup Telecom\n3:      from all oif Telecom lookup Telecom\n3:      from 202.38.95.102 lookup Cernet\n3:      from all oif Cernet lookup Cernet\n4:      from all fwmark 0x5 lookup Warp\n4:      from all fwmark 0x4 lookup Mobile\n4:      from all fwmark 0x3 lookup Telecom\n4:      from all fwmark 0x2 lookup Cernet\n5:      from all lookup Special suppress_prefixlength 1\n5:      from all lookup Ustcnet\n6:      from all lookup mobile\n6:      from all lookup telecom\n6:      from all lookup cernet\n7:      from all lookup china\n32767:  from all lookup default\n
"},{"location":"services/gateway-nic/#tinc-vpn","title":"Tinc VPN","text":"

Gateway-NIC connects to intranet with Tinc. There's no special Tinc configuration other than those described at the Tinc VPN page.

Because Tinc now uses systemd services instead of System V init.d scripts, we need to systemctl enable tinc@ustclug.service to make it start on boot. Everything is managed through this templated systemd service.

"},{"location":"services/gateway-nic/#systemd-networkd-wait-onlineservice","title":"systemd-networkd-wait-online.service","text":"

We also override systemd-networkd's online detection for goodness' sake, so it doesn't block booting. Note that it may interfere with services depending on network-online.target, though we have yet to discover any issues.

$ systemctl edit systemd-networkd-wait-online.service
[Service]\nExecStart=\nExecStart=/bin/sleep 1\n
"},{"location":"services/gateway-nic/#iptables","title":"iptables","text":"

All iptables firewall rules are managed manually. We use iptables-persistent to automatically load firewall rules on boot.

To change the rules, manually edit /root/iptables/rules.v4 or rules.v6 and then run apply.sh to apply the changes.

"},{"location":"services/gateway-nic/#fail2ban","title":"Fail2ban","text":"

We use fail2ban to stop SSH scanning and brute-force attempts.

Because fail2ban relies on changing iptables to work, to improve its performance as well as minimize its tampering of iptables rules, we use ipsets for fail2ban.

After stock installation of fail2ban package, remove defaults-debian.conf and add this file to secure SSH daemon:

/etc/fail2ban/jail.d/sshd.conf
[sshd]\nenabled = true\nmode    = aggressive\nfilter  = sshd[mode=%(mode)s]\nlogpath = /var/log/auth.log\nbackend = pyinotify\naction  = iptables-ipset-proto6[chain=\"fail2ban\"]\n

We provide a pre-created empty chain named fail2ban for fail2ban to manipulate (see iptables above).

To make sure fail2ban rules can be re-applied after reloading iptables manually, we override the systemd service so that fail2ban is restarted whenever the iptables service is restarted.

$ systemctl edit fail2ban.service
[Unit]\nAfter=netfilter-persistent.service\nBindsTo=netfilter-persistent.service\n

For some servers where we want to manually start fail2ban, we use Requires= + PartOf=. This will propagate \"restart\" event from iptables to fail2ban, but not \"start\".

$ systemctl edit fail2ban.service
[Unit]\nAfter=netfilter-persistent.service\nRequires=netfilter-persistent.service\nPartOf=netfilter-persistent.service\n
"},{"location":"services/gateway-nic/#nginx","title":"Nginx","text":""},{"location":"services/gateway-nic/#unregistered-domain-traffic","title":"ustclug.org issue","text":"

To mitigate the issue of the complaints from ISPs and the regulation authorities caused by the gateways in USTCnet responding to the requests for ustclug.org, which is a unregistered domain in China MIIT, we make nginx listen on an alternative port 81/444 for HTTP and HTTPS respectively, to respond to requests for lug.ustc.edu.cn only, and rejecting the handshake for any other domain.

/etc/nginx/sites-available/default
server {\n  listen 81 default_server;\n  listen [::]:81 default_server;\n  listen 444 ssl http2 default_server;\n  listen [::]:444 ssl http2 default_server;\n  server_name _;\n  ssl_reject_handshake on; \n  return 444;\n}\n

To whitelist any domain, add listen 81 and listen 444 http2 ssl to corresponding site's server block.

We use iptables to redirect any traffic from outside USTCnet whose destination is TCP port 80/443 on local machine to TCP port 81/444 respectively.

-A PREROUTING -m addrtype --dst-type LOCAL -j NGINX-REDIRECT\n-A NGINX-REDIRECT -i lo -j RETURN\n-A NGINX-REDIRECT -m set --match-set ustcnet src -j RETURN\n-A NGINX-REDIRECT -p tcp --dport 80 -j REDIRECT --to-port 81\n-A NGINX-REDIRECT -p tcp --dport 443 -j REDIRECT --to-port 444\n
"},{"location":"services/generate-204/","title":"Generate 204","text":"

Service: 204.ustclug.org (HTTP / HTTPS)

Server: (gateway)

Blog: add-http-204-service

"},{"location":"services/generate-204/#configration","title":"Configration","text":"/etc/nginx/sites-available/204.ustclug.org
server {\n    listen      80;\n    listen      [::]:80;\n    listen      443 ssl http2;\n    listen      [::]:443 ssl http2;\n    server_name 204.ustclug.org;\n    access_log  /var/log/nginx/204_access.log;\n    error_log   /var/log/nginx/204_error.log;\n    return 204;\n}\n

The authoritative copy is on LUG GitLab.

"},{"location":"services/gitlab/","title":"GitLab","text":"

Server: gitlab.s.ustclug.org (management ssh port 2222)

Git Repository: gitlab-scripts

"},{"location":"services/gitlab/#gitlab-security","title":"GitLab & Security","text":"

GitLab \u7ef4\u62a4\u8005\u9700\u8981\u8ba2\u9605\uff1a

  1. GitLab Security Notices \u90ae\u4ef6\u5217\u8868 (https://about.gitlab.com/company/contact/ \u53f3\u4fa7 \"Sign up for security notices\")
  2. sameersbn/docker-gitlab Releases (Watch \u2192 Custom \u2192 Releases)

\u5728 GitLab \u6709 Security Release \u4e14 docker-gitlab \u53d1\u5e03\u65b0\u7248\u672c\u4e4b\u540e\u9700\u8981\u5b89\u6392\u65f6\u95f4\u66f4\u65b0\u3002\u5c24\u5176 Critical Security Release \u9700\u8981\u5c3d\u5feb\u627e\u65f6\u95f4\u66f4\u65b0\u3002

"},{"location":"services/gitlab/#_1","title":"\u66f4\u65b0","text":"

\uff08\u5efa\u8bae\u9605\u8bfb https://docs.gitlab.com/ee/update/index.html\uff0c\u4ee5\u53ca GitLab \u5b98\u65b9\u7684\u5347\u7ea7\u8def\u5f84\u5206\u6790\u5de5\u5177\uff1ahttps://gitlab-com.gitlab.io/support/toolbox/upgrade-path/\uff09

GitLab 16.0 \u8d77\u79fb\u9664\u4e86\u5bf9 CAS3 \u7684\u652f\u6301\uff0c\u56e0\u6b64\u6211\u4eec\u5207\u6362\u5230\u4e86 OAuth2 \u6765\u5bf9\u63a5\u4e2d\u56fd\u79d1\u5b66\u6280\u672f\u5927\u5b66\u7edf\u4e00\u8eab\u4efd\u8ba4\u8bc1\u3002\u4e3a\u4e86\u5b9e\u73b0\u81ea\u5b9a\u4e49 OAuth2 \u767b\u5f55\u53c2\u6570\uff0c\u6211\u4eec fork \u4e86 sameersbn/docker-gitlab\uff0c\u4ed3\u5e93\u4f4d\u4e8e ustclug/docker-gitlab\u3002\u66f4\u65b0\u65f6\uff0c\u9700\u8981\u9996\u5148\u6309\u7167 ustclug/docker-gitlab \u7684 README.md \u6240\u8ff0\u7684\u6b65\u9aa4\u66f4\u65b0\u955c\u50cf\uff0c\u4e00\u822c\u53ea\u9700\u66f4\u6539\u6240\u8ff0\u7684\u4e24\u4e2a\u4f4d\u7f6e\u7684\u7248\u672c\u53f7\uff0c\u63a8\u9001\u5230\u4ed3\u5e93\u540e\uff0cGitHub Actions \u5c06\u81ea\u52a8\u5b8c\u6210\u955c\u50cf\u7684\u6784\u5efa\uff0c\u5e76\u4e0a\u4f20\u5230 ghcr.io\u3002\u9700\u8981\u6ce8\u610f\u7684\u662f\uff0c\u82e5\u4e0a\u6e38\u66f4\u65b0\u5305\u542b\u5bf9 assets/runtime \u76ee\u5f55\u7684\u53d8\u66f4\uff0c\u5219\u9700\u5148\u5c06\u4e0a\u6e38\u66f4\u65b0\u5408\u5e76\u5230\u6211\u4eec\u7684\u4ed3\u5e93\uff0c\u5426\u5219\u53ef\u80fd\u51fa\u73b0\u6784\u5efa\u6216\u8fd0\u884c\u65f6\u9519\u8bef\u3002

\u7531\u4e8e\u5df2\u7ecf docker \u5316\uff0c\u56e0\u6b64\u6211\u4eec\u7684\u66f4\u65b0\u662f\u901a\u8fc7\u62c9\u53d6 ustclug/docker-gitlab \u7684 docker image\uff0c\u8fdb\u884c\u6570\u636e\u5e93\u51c6\u5907\u4ee5\u53ca\u542f\u52a8\u955c\u50cf\u5b9e\u4f8b\u6765\u8fdb\u884c\u66f4\u65b0\uff0cZack Zeng \u5b66\u957f\u5df2\u7ecf\u5199\u597d\u4e86\u4e00\u5957\u811a\u672c\u7cfb\u7edf\uff1agitlab-scripts\uff0c\u56e0\u6b64\u66f4\u65b0\u65f6\u53ea\u8981\u8dd1\u811a\u672c\u5c31\u53ef\u4ee5\u4e86\u3002

\u7531\u4e8e\u66f4\u65b0\u9700\u8981\u505c\u6b62\u670d\u52a1\uff0c\u56e0\u6b64\u8bf7\u4e8e\u66f4\u65b0\u524d\u81f3\u5c11\u51e0\u5c0f\u65f6\u53d1\u5e03\u66f4\u65b0\u516c\u544a\uff08\u5305\u62ec\u5177\u4f53\u65f6\u95f4\u7b49\uff09\uff0c\u5e76\u68c0\u67e5 Admin -> Monitoring -> Background Migrations \u4e2d\u6240\u6709 migration \u662f\u5426\u90fd\u5df2\u7ecf\u6210\u529f\u5b8c\u6210\u3002

\u66f4\u65b0\u524d\u8bf7\u5148\u63d0\u524d\u4e8e Proxmox VE \u4e0a\u5bf9\u865a\u62df\u673a\u6253\u5feb\u7167\uff08\u6253\u5feb\u7167\u65f6\u670d\u52a1\u4f1a\u6682\u65f6\u505c\u6b62\uff09

\u6253\u5b8c\u5feb\u7167\u4e4b\u540e\u4f7f\u7528\u811a\u672c\u8fdb\u884c\u66f4\u65b0\uff08\u76ee\u524d\u811a\u672c\u4f4d\u4e8e /home/sirius/gitlab-scripts\uff09\uff0c\u9996\u5148\u4f7f\u7528 ./gitlab.sh db \u8fdb\u884c\u6570\u636e\u5e93\u7684\u51c6\u5907\u5de5\u4f5c\u3002\u4e4b\u540e\u53ef\u4ee5\u901a\u8fc7 ./gitlab.sh run <\u7248\u672c\u53f7> \u6765\u8fdb\u884c docker container \u7684\u66ff\u6362\u3002\u66f4\u6362\u524d\u811a\u672c\u4f1a\u81ea\u52a8\u62c9\u53d6\u76f8\u5e94\u7248\u672c\u53f7\u7684 docker \u955c\u50cf\uff0c\u5982\u679c\u62c5\u5fc3\u62c9\u53d6\u65f6\u95f4\u8fc7\u957f\u53ef\u4ee5\u5728\u6253\u5feb\u7167\u524d\u63d0\u524d\u901a\u8fc7 docker pull ghcr.io/ustclug/docker-gitlab:<\u7248\u672c\u53f7> \u6765\u62c9\u53d6\u76f8\u5e94\u7684\u955c\u50cf\u3002

\u4e00\u822c\u60c5\u51b5\u4e0b\u7ecf\u4ee5\u4e0a\u64cd\u4f5c\u540e\u66f4\u65b0\u5c31\u6b63\u5e38\u7ed3\u675f\uff0c\u5982\u679c\u957f\u65f6\u95f4\u65e0\u6cd5\u542f\u52a8\uff0c\u53ef\u4ee5\u901a\u8fc7 docker logs gitlab \u67e5\u770b\u65e5\u5fd7\uff0c\u5982\u679c\u53d1\u73b0\u66f4\u65b0\u540e\u7684\u542f\u52a8\u51fa\u73b0\u95ee\u9898\uff0c\u53ef\u4ee5\u5230 sameersbn/docker-gitlab \u7684 issue \u533a\u7b49\u5730\u67e5\u770b\u76f8\u5173 issue\uff0c\u4ee5\u53ca\u901a\u8fc7\u5bf9\u51fa\u9519\u65e5\u5fd7\u8fdb\u884c Google \u53ef\u80fd\u4f1a\u53d1\u73b0\u662f gitlab \u4e0a\u6e38\u7b49\u51fa\u73b0\u7684\u95ee\u9898\u3002\u5982\u679c\u6709\u89e3\u51b3\u529e\u6cd5\uff0c\u53ef\u4ee5\u6309\u7167\u76f8\u5e94\u89e3\u51b3\u529e\u6cd5\u89e3\u51b3\uff0c\u5982\u679c\u6ca1\u6709\u3002\u53ef\u4ee5\u901a\u8fc7\u627e\u5230\u6709\u76f8\u5e94\u95ee\u9898\u524d\u7684\u6b63\u5e38\u7248\u672c\u53f7\uff0c\u56de\u6eda\u5feb\u7167\uff0c\u4e4b\u540e\u66f4\u5230\u8868\u73b0\u6b63\u5e38\u7684\u7248\u672c\u3002\uff08\u6700\u8fd1\u7684\u66f4\u65b0\u4f1a\u5728\u542f\u52a8\u4e4b\u540e\u77ed\u6682\u51fa\u73b0 502 \u7684\u60c5\u51b5\uff0c\u4f46\u5f88\u5feb\u5c31\u4f1a\u6062\u590d\uff0c\u9047\u5230\u8fd9\u79cd\u60c5\u51b5\u65f6\u4e0d\u8981\u60ca\u614c\uff09\u3002

\u7531\u4e8e\u66f4\u65b0\u53ef\u80fd\u4f1a\u51fa\u73b0\u95ee\u9898\u5bfc\u81f4\u670d\u52a1\u4e0d\u53ef\u7528\uff0c\u56e0\u6b64\u4e0d\u5efa\u8bae\u901a\u8fc7 cron \u7b49\u65b9\u5f0f\u81ea\u52a8\u8fdb\u884c\u66f4\u65b0\u3002

"},{"location":"services/gitlab/#postgresql-redis","title":"postgresql \u4e0e redis \u7684\u66f4\u65b0","text":"

\u7531\u4e8e gitlab \u66f4\u65b0\u540e\u53ef\u80fd\u5bf9 postgresql \u4e0e redis \u7684\u7248\u672c\u6709\u8981\u6c42\uff0c\u56e0\u6b64\u6709\u53ef\u80fd\u9700\u8981\u5b9a\u671f\u66f4\u65b0 redis \u4e0e postgresql\u3002

\u66f4\u65b0\u524d\u8bf7\u5148\u505c\u6b62 gitlab \u7684 container\u3002

\u66f4\u65b0\u65f6\u53ef\u4ee5\u6309\u7167\u5b98\u7f51\u6559\u7a0b docker-postgresql \u8fdb\u884c\u66f4\u65b0\uff0c\u53ef\u4ee5\u901a\u8fc7\u62c9\u53d6 latest \u6807\u7b7e\u7684\u955c\u50cf\uff0c\u5220\u9664\u539f\u6765\u7684 container\uff0c\u518d\u901a\u8fc7\u811a\u672c ./gitlab.sh db \u81ea\u52a8\u542f\u52a8\uff0c\u6570\u636e\u5e93\u66f4\u65b0\u65f6\u53ef\u80fd\u4f1a\u9700\u8981\u4e00\u5b9a\u65f6\u95f4\u6765\u8fc1\u79fb\u6570\u636e\uff0c\u8bf7\u901a\u8fc7 docker logs -f gitlab-postgresql \u547d\u4ee4\u6765\u67e5\u770b\u8fc1\u79fb\u8fdb\u5ea6\uff0c\u5f85\u8fc1\u79fb\u5b8c\u6210\u540e\u518d\u8fd0\u884c GitLab \u7684 container\u3002

"},{"location":"services/gitlab/#rails-console","title":"\u8bbf\u95ee Rails console","text":"

Rails console \u53ef\u4ee5\u5b8c\u6210\u4e00\u4e9b\u9ad8\u7ea7\u7684\u7ef4\u62a4\u4efb\u52a1\u3002\u5728 gitlab \u5bb9\u5668\u4e2d\u6267\u884c bin/rails console \u542f\u52a8\u3002\u6ce8\u610f console \u7684\u542f\u52a8\u65f6\u95f4\u5f88\u957f\uff08 1 \u5206\u949f\u4ee5\u4e0a\uff09\uff0c\u9700\u8981\u6709\u8010\u5fc3\u3002

\u53ef\u4ee5\u6267\u884c\u7684\u547d\u4ee4\u53ef\u53c2\u8003 https://docs.gitlab.com/ee/administration/troubleshooting/gitlab_rails_cheat_sheet.html\u3002

"},{"location":"services/gitlab/#_2","title":"\u67e5\u8be2","text":""},{"location":"services/gitlab/#hashed-storage","title":"\u67e5\u8be2 Hashed storage \u4e0b\u4ed3\u5e93\u5bf9\u5e94\u7684\u9879\u76ee","text":"
ProjectRepository.find_by(disk_path: '@hashed/23/33/2333333333333333333333333333333333333333333333333333333333333333').project\n

\u5982\u679c\u5b58\u5728\uff0c\u4f1a\u8fd4\u56de\u7c7b\u4f3c\u4ee5\u4e0b\u7684\u5185\u5bb9\uff1a

=> #<Project id:23333 username/project>>\n
"},{"location":"services/gitlab/#sql-like","title":"\u67e5\u8be2\u65e0\u9879\u76ee\u4e14\u90ae\u7bb1\u6ee1\u8db3\u6761\u4ef6\u7684\u7528\u6237 (SQL like)","text":"
users = User.where('id NOT IN (select distinct(user_id) from project_authorizations)')\nusers = users.where('email like ?', '%.ru')\nusers.count\n\nusers.each do |user|\n    puts user.last_activity_on\nend\n
"},{"location":"services/gitlab/#_3","title":"\u5237\u65b0\u67d0\u4e2a\u9879\u76ee\u7684\u7edf\u8ba1\u4fe1\u606f","text":"
p = Project.find_by_full_path('<namespace>/<project>')\npp p.statistics\np.statistics.refresh!\npp p.statistics\n
"},{"location":"services/gitlab/#lfs-id","title":"\u83b7\u53d6\u6240\u6709\u5305\u542b LFS \u7684\u9879\u76ee ID","text":"
LfsObject.all.each do |lo|\n    puts LfsObjectsProject.find_by_lfs_object_id(lo.id).project_id\nend\n

\u8f93\u51fa\u8f83\u591a\u3002\u53ef\u4ee5\u4f7f\u7528 rails r xxx.rb \u8fd0\u884c\uff0c\u91cd\u5b9a\u5411\u5230\u6587\u4ef6\uff0c\u53bb\u91cd\u540e\u67e5\u770b\u6240\u6709\u5305\u542b LFS \u7684\u9879\u76ee\u3002

"},{"location":"services/gitlab/#rake-tasks","title":"\u4f7f\u7528 Rake tasks","text":"

\u8be6\u89c1 https://github.com/sameersbn/docker-gitlab#rake-tasks\u3002\u548c Rails console \u4e00\u6837\uff0c\u521d\u59cb\u5316\u5f88\u6162\u3002

\u5f53\u524d\u5b9e\u4f8b\u4fe1\u606f\uff1a

docker exec --user git -it gitlab bundle exec rake gitlab:env:info RAILS_ENV=production\n
"},{"location":"services/gitlab/#_4","title":"\u6e05\u7406","text":"

\u53c2\u8003 https://github.com/gitlabhq/gitlabhq/blob/master/doc/raketasks/cleanup.md\u3002

\u4e0d\u8fc7\u4f5c\u7528\u6709\u9650\u3002

"},{"location":"services/gitlab/#_5","title":"\u6e05\u7406\u4e0a\u4f20\u76ee\u5f55","text":"

\u67e5\u770b\u4f1a\u88ab\u6e05\u7406\u7684\u6587\u4ef6\uff1a

docker exec --user git -it gitlab bundle exec rake gitlab:cleanup:project_uploads RAILS_ENV=production\n

\u6e05\u7406\uff08\u79fb\u52a8\u5230 /-/project-lost-found/\uff09\uff1a

docker exec --user git -it gitlab bundle exec rake gitlab:cleanup:project_uploads RAILS_ENV=production DRY_RUN=false\n
"},{"location":"services/gitlab/#artifact","title":"\u6e05\u7406\u672a\u88ab\u5f15\u7528\u7684 artifact \u6587\u4ef6","text":"

\u67e5\u770b\u4f1a\u88ab\u6e05\u7406\u7684 artifact \u6570\u91cf\uff1a

docker exec --user git -it gitlab bundle exec rake gitlab:cleanup:orphan_job_artifact_files RAILS_ENV=production\n

\u6e05\u7406\uff1a

docker exec --user git -it gitlab bundle exec rake gitlab:cleanup:orphan_job_artifact_files RAILS_ENV=production DRY_RUN=false\n

\u6ce8\u610f\uff0c\u65b0\u8bbe\u7f6e\u7684 expire \u671f\u9650\u4e0d\u4f1a\u5f71\u54cd\u4ee5\u524d\u7684 artifact\uff0c\u8fd9\u91cc\u7684\u547d\u4ee4\u4e5f\u65e0\u6cd5\u6e05\u7406\u3002

"},{"location":"services/gitlab/#lfs-reference","title":"\u6e05\u7406\u65e0\u6548\u7684 LFS reference","text":"
for i in `cat projectid_lfs`; do docker exec --user git -it gitlab bundle exec rake gitlab:cleanup:orphan_lfs_file_references PROJECT_ID=$i RAILS_ENV=production DRY_RUN=false; done\n

projectid_lfs \u662f\u4e0a\u6587\u4e2d\u300c\u83b7\u53d6\u6240\u6709\u5305\u542b LFS \u7684\u9879\u76ee ID\u300d\u7684\u53bb\u91cd\u540e\u7684\u8f93\u51fa\u3002

\u65e0 reference \u7684 LFS \u6587\u4ef6\u6bcf\u65e5 GitLab \u4f1a\u81ea\u52a8\u6e05\u9664\u3002\u5982\u679c\u9700\u8981\u7acb\u523b\u5220\u9664\uff0c\u53ef\u4ee5\u4f7f\u7528 gitlab:cleanup:orphan_lfs_files\u3002

"},{"location":"services/gitlab/#_6","title":"\u7d27\u6025\u64cd\u4f5c","text":""},{"location":"services/gitlab/#_7","title":"\u8bbe\u7f6e\u4e3a\u53ea\u8bfb","text":"

Ref: https://docs.gitlab.com/ee/administration/read_only_gitlab.html

docker exec --user git -it gitlab bin/rails console\n

\u4e4b\u540e\u6267\u884c

Project.all.find_each { |project| puts project.name; project.update!(repository_read_only: true) }\n

\u5c06\u6240\u6709\u4ed3\u5e93\u8bbe\u7f6e\u4e3a\u53ea\u8bfb\u3002\u5982\u679c\u4e2d\u95f4\u51fa\u73b0\u9519\u8bef\uff08\u7279\u6b8a\u7684\u9879\u76ee\u540d\u53ef\u80fd\u4f1a\u5bfc\u81f4\u8fd0\u884c\u4e2d\u65ad\uff09\uff0c\u91cd\u547d\u540d\u6700\u540e\u8f93\u51fa\u5bf9\u5e94\u7684\u9879\u76ee\u3002

\u5728\u8bbe\u7f6e\u524d\uff0c\u9700\u8981\u6dfb\u52a0 Messages \u901a\u77e5\u7528\u6237\u3002

\u6b64\u65f6\u6570\u636e\u5e93\u4ecd\u7136\u53ef\u5199\u5165\u3002\u5982\u679c\u9700\u8981\u6570\u636e\u5e93\u53ea\u8bfb\uff0c\u53c2\u8003\u4ee5\u4e0a\u94fe\u63a5\u914d\u7f6e\u3002

"},{"location":"services/light/","title":"Light Accelerator","text":"

Service: light.ustclug.org

Git Repository:

Docker Hub:

Mailing list: \u8f7b\u91cf\u7ea7\u7f51\u7edc\u52a0\u901f\u670d\u52a1

Servers:

"},{"location":"services/light/#deploy","title":"Deploy","text":"

Deploy script: docker-run-script/light

Deploy order:

  1. mysql
  2. freeradius, light-web
  3. squid
"},{"location":"services/light/#add-new-domain","title":"Add new domain","text":"
git clone https://github.com/ustclug/light-list\ncd accelerate-list\n./tools/add-domain.sh accelerate.list www.example.com\ngit commit -v -a\ngit push origin master\n

GitHub Actions will update PAC files in LUG FTP automatically.

"},{"location":"services/light/#database-maintenance","title":"Database maintenance","text":"

Example:

select count(*) from radacct where acctstoptime < '2021-01-01 00:00:00';\ninsert into radacct_backup select * from radacct where acctstoptime < '2021-01-01 00:00:00';\ndelete from radacct where acctstoptime < '2021-01-01 00:00:00';\ndelete from radacct_backup where acctstoptime < '2020-06-01 00:00:00';\noptimize table radacct;\noptimize table radacct_backup;\n
"},{"location":"services/light/#shutdown","title":"Shutdown","text":"
  1. Stop two containers: light-server & light-socks
  2. Set restart policy to no (See Docker Documentation)
"},{"location":"services/light/#logs","title":"Logs","text":"

Proxy related log is under /srv/docker/light/log. Container log (stdout & stderr) is under /srv/docker/docker/containers/<container id>/*.log* (use docker logs <container> to view).

Logrotate is configured to save logs for 180 days. Please manually backup logs when removing the container.

"},{"location":"services/mirrorz/","title":"MirrorZ CERNET server","text":"

MirrorZ \u9879\u76ee\u5728 CERNET \u5317\u4eac\u8282\u70b9\u6709\u4e00\u4e2a\u865a\u62df\u673a\uff0c\u901a\u8fc7 *.mirrors.cernet.edu.cn \u7684\u57df\u540d\u63d0\u4f9b 302 \u8df3\u8f6c\u548c\u5e2e\u52a9\u9875\u9762\u7b49\u670d\u52a1\u3002

\u7531\u4e8e CentOS 7 \u5728 2024 \u5e74 6 \u6708\u7ed3\u675f\u652f\u6301\uff0ciBug \u548c taoky \u5728 2024 \u5e74 2 \u6708\u914d\u7f6e\u4e86\u4e00\u4e2a\u8fd0\u884c Debian 12 \u7684\u65b0\u865a\u62df\u673a\u3002\u65b0\u865a\u62df\u673a\u955c\u50cf\u57fa\u4e8e debian-cdimage \u63d0\u4f9b\u7684 debian-12-genericcloud-amd64.qcow2\u3002

"},{"location":"services/mirrorz/#system","title":"\u7cfb\u7edf\u914d\u7f6e","text":""},{"location":"services/mirrorz/#network","title":"\u7f51\u7edc","text":"

\u865a\u62df\u673a\u7684\u7f51\u7edc\u91c7\u7528 systemd-networkd \u914d\u7f6e\uff0c\u914d\u7f6e\u6587\u4ef6\u5728 /etc/systemd/network \u4e0b\uff0cv4/v6 \u5747\u4f7f\u7528\u9759\u6001 IP \u914d\u7f6e\u3002\u5176\u4e2d [Match] \u5757\u4f7f\u7528 MACAddress=... \u6765\u5339\u914d\u7f51\u5361\u3002

"},{"location":"services/mirrorz/#ssh","title":"SSH","text":"/etc/ssh/sshd_config.d/ibug.conf
PasswordAuthentication no\nPermitRootLogin prohibit-password\n
"},{"location":"services/mirrorz/#ntp","title":"NTP","text":"/etc/systemd/timesyncd.conf.d/ibug.conf
[Time]\nNTP=ntp.tuna.tsinghua.edu.cn\n
"},{"location":"services/mirrorz/#software","title":"\u8f6f\u4ef6","text":"

etckeeper\uff08\u4e0d\u77e5\u9053\u600e\u4e48\u914d\u7f6e\u7684\uff0c\u88c5\u597d\u5373\u7528\uff1f\uff09

\u4ee5\u4e0a\u56db\u4e2a\u8f6f\u4ef6\u5206\u522b\u4ece\u56db\u4e2a\u4e0d\u540c\u7684 APT \u6e90\u5b89\u88c5\uff0c\u5bf9\u5e94\u7684 APT \u516c\u94a5\u90fd\u5b58\u5728 /etc/apt/keyrings \u4e2d\u3002

APT \u6e90\u914d\u7f6e

/etc/apt/sources.list.d/docker.list
deb [arch=amd64 signed-by=/etc/apt/keyrings/docker.asc] https://mirrors.ustc.edu.cn/docker-ce/linux/debian bookworm stable\n
/etc/apt/sources.list.d/grafana.list
deb [signed-by=/etc/apt/keyrings/grafana.gpg] https://mirrors.tuna.tsinghua.edu.cn/grafana/apt stable main\n
/etc/apt/sources.list.d/influxdata.list
deb [signed-by=/etc/apt/keyrings/influxdata.asc] https://mirrors.ustc.edu.cn/influxdata/debian stable main\n
/etc/apt/sources.list.d/nodesource.list
deb [arch=amd64 signed-by=/etc/apt/keyrings/nodesource.asc] https://deb.nodesource.com/node_18.x nodistro main\n
/etc/apt/sources.list.d/sb-nginx.list
deb [arch=amd64 signed-by=/etc/apt/keyrings/sb-nginx.asc] https://mirror.xtom.com.hk/sb/nginx/ bookworm main\n
"},{"location":"services/mirrorz/#go","title":"Go","text":"

\u4ece\u5b98\u65b9\u7f51\u7ad9\u4e0b\u8f7d\u6700\u65b0\u7684 tar.gz \u5e76\u89e3\u538b\u5230 /usr/local/go\uff0c\u7136\u540e\u5c06 /usr/local/go/bin \u4e2d\u7684\u4e24\u4e2a\u4e8c\u8fdb\u5236\u6587\u4ef6\u8f6f\u94fe\u63a5\u5230 /usr/local/bin\u3002

\u66f4\u65b0 Go \u7684\u5feb\u6377\u811a\u672c\u4f4d\u4e8e /root/go/update.sh\uff0c\u5185\u5bb9\u89c1 iBug/shGadgets\u3002

"},{"location":"services/mirrorz/#_1","title":"\u6570\u636e\u76ee\u5f55","text":"

MirrorZ \u4e3b\u9879\u76ee\u548c\u5e2e\u52a9\u9875\u9762\u7b49\u53ef\u4ee5\u901a\u8fc7\u6d4f\u89c8\u5668\u8bbf\u95ee\u7684\u9875\u9762\u90fd\u5728 /var/www \u4e0b\u3002

"},{"location":"services/mirrorz/#_2","title":"\u81ea\u52a8\u66f4\u65b0","text":"

\u5229\u7528 GitHub \u7684 webhook \u529f\u80fd\uff0c\u90e8\u7f72\u4e86\u4e00\u4efd iBug/uniAPI\u3002\u76f8\u5173\u6587\u4ef6\u5982\u4e0b\uff1a

/usr/bin/uniAPI\n/etc/uniAPI.yml\n/etc/systemd/system/uniAPI.service\n

\u914d\u7f6e\u6837\u4f8b\u5982\u4e0b\uff1a

services:\n  uniAPI:\n    type: server\n    services:\n      mirrorz-json-legacy:\n        type: github.webhook\n        path: /home/mirrorz/mirrorz-org/mirrorz-json-legacy\n        branch: master\n        secret: # empty\n
location ^~ /uniAPI {\n    proxy_pass http://127.0.1.1:1024;\n}\n
"},{"location":"services/neat-dns/","title":"Neat DNS","text":"

Services: neatdns.ustclug.org (UDP, TCP, HTTPS, DNSCrypt)

Server: docker2

Deploy: docker-run-script/neatdns

"},{"location":"services/neat-dns/#notes","title":"Notes","text":"

Previously all containers on docker2 had gateway-el as their gateway, which generated heavy load on the Tinc network. Docker2 has since been updated to use gateway-nic as gateway for containers, bypassing Tinc for most of the traffic. This, however, broke NAT-based service like Neat DNS, which required that reply traffic goes back through gateway-el (but now gateway-nic).

What's worse, Docker doesn't support setting gateways for individual containers, nor can network config be changed from within the container (default setup). So we chose to selectively route traffic back to gateway-el on gateway-nic. This is accomplished with two parts:

"},{"location":"services/vpn/","title":"LUG VPN","text":""},{"location":"services/vpn/#iptables","title":"iptables \u9632\u706b\u5899\u7ba1\u7406","text":"

\u672c\u8282\u5185\u5bb9\u9002\u7528\u4e8e\u5305\u62ec VPN \u5728\u5185\u7684\u591a\u4e2a\u670d\u52a1\u5668

"},{"location":"services/vpn/#tftp-helper","title":"TFTP helper","text":"

\u76ee\u524d\u4ec5\u5bf9 IPv4 \u542f\u7528\u3002

*raw\n:PREROUTING ACCEPT [0:0]\n:OUTPUT ACCEPT [0:0]\n-A PREROUTING -p udp --dport 69 -j CT --helper tftp\nCOMMIT\n
/etc/modules
nf_conntrack_tftp\nnf_nat_tftp\n
"},{"location":"services/vpn/#ssl-certs","title":"SSL Certificates","text":"

The certificate for *.vpn.lug.ustc.edu.cn + *.vpn.ustclug.org is acquired with our certificate infrastructure and the vpn server runs updater.sh with cron.

Two services running in Docker (strongswan and ocserv) use the certificate, so another cron job exists to copy the certificate files into the Docker volume (vpn-certs). The second updater script is listed below:

/usr/local/docker_sh/vpn-cert-updater.sh
#!/bin/sh\n\n# outside, call docker\nif command -v docker >/dev/null 2>&1; then\n  exec docker run --rm \\\n    --name=vpn-cert-updater \\\n    --net=none \\\n    -v \"$(realpath \"$0\")\":/update.sh:ro \\\n    -v vpn-certs:/vpn-certs \\\n    -v /etc/ssl/private:/ssl-certs:ro \\\n    alpine \\\n    /update.sh\n  exit 1 # exec failed\nfi\n\nset -eux\n\nSSL_CERTS=\"/ssl-certs\"\nVPN_CERTS=\"/vpn-certs\"\n\ncp -p \"${SSL_CERTS}/lugvpn/fullchain.pem\" \"${VPN_CERTS}/certs/vpn.ustclug.org.crt\"\ncp -p \"${SSL_CERTS}/lugvpn/privkey.pem\" \"${VPN_CERTS}/private/vpn.ustclug.org.key\"\necho \"Cert Update Complete\"\n
"},{"location":"services/mirrors/","title":"\u5f00\u6e90\u955c\u50cf\u7ad9","text":""},{"location":"services/mirrors/#_2","title":"\u5386\u53f2","text":""},{"location":"services/mirrors/#debianustceducn","title":"debian.ustc.edu.cn","text":"

2000 \u5e74\u5de6\u53f3\uff0c\u79d1\u5927\u6821\u5185\u7684 Debian \u7231\u597d\u8005\u4f7f\u7528\u81ea\u5df1\u5b9e\u9a8c\u5ba4\u7684\u673a\u5668\u4e3a\u5927\u5bb6\u63d0\u4f9b Debian \u955c\u50cf\u670d\u52a1\u3002\u968f\u7740\u4e00\u5c4a\u5c4a\u5e08\u5144\u7684\u6bd5\u4e1a\uff0c\u670d\u52a1\u5668\u5728\u5404\u5b9e\u9a8c\u5ba4\u95f4\u63a5\u529b\u3002

2002 \u5e74 5 \u6708\uff0cDebian \u955c\u50cf\u7ad9\u6709\u4e86\u81ea\u5df1\u7684\u57df\u540d debian.ustc.edu.cn\uff0c\u4f46\u670d\u52a1\u5668\u4ecd\u5728\u5b9e\u9a8c\u5ba4\u95f4\u8f97\u8f6c\u3002

2002 \u5e74 6 \u6708 23 \u65e5\uff0c\u79d1\u5927Debian\u955c\u50cf\u7ad9\u5f00\u59cb\u63d0\u4f9b\u975e\u5b98\u65b9(UO)\u8f6f\u4ef6\u4ed3\u5e93\u30022004\u5e744\u670823\u65e5\uff0c\u63d0\u4f9b\u65b0\u7684UO\u4ed3\u5e93\u3002

2005 \u5e74 6 \u6708 20 \u65e5\uff0c\u79d1\u5927 LUG \u53d1\u8d77\u4e3a\u79d1\u5927 Debian \u955c\u50cf\u7ad9\u6350\u6b3e\u7684\u5021\u8bae\uff0c\u622a\u81f3 10 \u6708 1 \u65e5\u52df\u6350\u6d3b\u52a8\u505c\u6b62\uff0cLUG \u5171\u6536\u5230 2922.05 \u5143\u6350\u6b3e\u300210 \u6708 6 \u65e5\u65b0\u673a\u5668\u5b89\u88c5\u914d\u7f6e\u5230\u4f4d\u3002\u5728\u5927\u5bb6\u7684\u9f50\u5fc3\u52aa\u529b\u4e4b\u4e0b\uff0c\u79d1\u5927 Debian \u955c\u50cf\u7ad9\u6709\u4e86\u4e00\u4e2a\u76f8\u5bf9\u56fa\u5b9a\u7684\u201c\u5bb6\u201d\u3002

2009 \u5e74\u5e95\uff0cdebian.ustc \u843d\u6237\u56fe\u4e66\u9986\u6280\u672f\u90e8\u3002

"},{"location":"services/mirrors/#ossustceducn","title":"oss.ustc.edu.cn","text":"

2008 \u5e74 12 \u6708 25 \u65e5\uff0c\u79d1\u5927\u5f00\u6e90\u8f6f\u4ef6 (OSS) \u955c\u50cf\u7ad9\u6b63\u5f0f\u542f\u7528\u3002\u5176\u670d\u52a1\u5668\u7531\u5434\u5cf0\u5149\u5e08\u5144\u63d0\u4f9b\u3002Novell \u516c\u53f8\u4e3a\u6211\u4eec\u63d0\u4f9b\u4e86\u4e00\u57571.5T \u7684\u786c\u76d8\u3002

2009 \u5e74 12 \u6708\uff0c\u5f20\u6210\u5e08\u5144\u4e3a OSS \u955c\u50cf\u7ad9\u63d0\u4f9b\u6350\u8d60 1T \u786c\u76d8\u3002

2010 \u5e74 6 \u6708\uff0c\u79d1\u5927 LUG \u4f7f\u7528\u51fa\u552e\u7248\u886b\u4f59\u4e0b\u7684\u94b1\u4e3a OSS \u955c\u50cf\u7ad9\u6dfb\u7f6e\u4e86\u4e00\u5757 2T \u786c\u76d8\u3002

"},{"location":"services/mirrors/#mirrorsustceducn","title":"mirrors.ustc.edu.cn","text":"

2011 \u5e74 4 \u6708 8 \u65e5\uff0c\u79d1\u5927 LUG \u4ece\u7f51\u7edc\u4e2d\u5fc3\u5904\u83b7\u5f97\u4e86\u65b0\u7684\u670d\u52a1\u5668\uff0c\u5e76\u7533\u8bf7\u5230\u4e86 mirrors.ustc \u7684\u57df\u540d\u3002debian.ustc \u4e0e oss.ustc \u5f00\u59cb\u5411 mirrors.ustc \u8fc1\u79fb\u3002

\u540c\u5e74 4 \u6708 15 \u65e5\uff0c\u51e0\u5927\u70ed\u95e8\u53d1\u884c\u7248\u955c\u50cf\u540c\u6b65\u5b8c\u6bd5\uff0cmirrors \u5f00\u59cb\u6b63\u5f0f\u5bf9\u5916\u63d0\u4f9b\u670d\u52a1\uff0c\u540c\u65f6 debian.ustc \u4e0e oss.ustc \u9000\u51fa\u4e86\u5386\u53f2\u821e\u53f0\u3002

2013 \u5e74 1 \u6708 6 \u65e5\uff0c\u79d1\u5927 LUG \u4ece\u7f51\u7edc\u4e2d\u5fc3\u5904\u83b7\u5f97\u4e86\u65b0\u7684\u78c1\u76d8\u9635\u5217\uff0c\u5927\u5927\u7f13\u89e3\u4e86 mirrors \u56e0\u78c1\u76d8\u7a7a\u95f4\u4e0d\u8db3\u800c\u5e26\u6765\u7684\u538b\u529b\u3002

2016 \u5e74 12 \u6708 29 \u65e5\uff0c\u79d1\u5927 LUG \u4ece\u7f51\u7edc\u4e2d\u5fc3\u5904\u83b7\u5f97\u4e86\u65b0\u7684\u670d\u52a1\u5668\u3002\u89e3\u51b3\u4e86\u8fd1\u4e00\u5e74\u6765\u7531\u4e8e\u670d\u52a1\u5668\u548c\u9635\u5217\u8001\u5316\u5e26\u6765\u7684\u7a33\u5b9a\u6027\u95ee\u9898\u3002

2019 \u5e74 6 \u6708\uff0c\u79d1\u5927 LUG \u4ece\u56fe\u4e66\u9986\u6280\u672f\u90e8\u83b7\u5f97\u4e86\u4e00\u53f0\u65e7\u670d\u52a1\u5668\uff0c\u7f13\u89e3\u4e86 mirrors \u5bb9\u91cf\u7d27\u5f20\u7684\u95ee\u9898\u3002

2020 \u5e74 3 \u6708 24 \u65e5\uff0c\u79d1\u5927 LUG \u518d\u6b21\u4ece\u7f51\u7edc\u4e2d\u5fc3\u5904\u83b7\u5f97\u4e86\u65b0\u7684\u670d\u52a1\u5668\uff0c\u89e3\u51b3\u4e86\u591a\u5e74\u6765\u7531\u4e8e\u670d\u52a1\u5668\u5bb9\u91cf\u4e0d\u8db3\u548c\u8d1f\u8f7d\u8fc7\u5927\u5e26\u6765\u7684\u538b\u529b\u3002

"},{"location":"services/mirrors/#hardware","title":"\u786c\u4ef6\u914d\u7f6e","text":""},{"location":"services/mirrors/docker/","title":"Docker","text":""},{"location":"services/mirrors/docker/#networking","title":"Networking","text":"

Docker \u9ed8\u8ba4\u521b\u5efa\u4e00\u4e2a\u540d\u4e3a bridge \u7684\u7f51\u7edc\uff0c\u4e3b\u673a\u754c\u9762\u4e3a docker0\uff0cIP \u5730\u5740\u6bb5\u4e3a 172.17.0.0/16\u3002\u8fd9\u4e2a\u9ed8\u8ba4\u5730\u5740\u6bb5\u8fc7\u4e8e\u6d6a\u8d39\uff0c\u56e0\u6b64\u6211\u4eec\u7ed9\u5b83\u914d\u7f6e\u4e00\u4e2a\u66f4\u5c0f\u7684\u5730\u5740\u6bb5\uff1a

/etc/docker/daemon.json
{\n  \"bip\": \"172.17.0.0/22\"\n}\n

\u6211\u4eec\u5c06 Docker Registry \u7684\u53cd\u4ee3\u6302\u5728\u53e6\u5916\u4e00\u4e2a\u5b50\u7f51\u4e0b\uff0c\u9700\u8981\u5148\u884c\u521b\u5efa\u3002

docker network create \\\n  --opt com.docker.network.bridge.name=docker1 \\\n  --subnet=172.18.0.0/24 \\\n  --gateway=172.18.0.1 \\\n  docker-registry\n
"},{"location":"services/mirrors/docker/#routing","title":"Routing","text":"

\u4e00\u4e9b\u540c\u6b65\u7a0b\u5e8f\u4e0d\u652f\u6301 bindIP \u7684\u914d\u7f6e\uff0c\u5bf9\u4e8e\u8fd9\u4e9b\u540c\u6b65\u7a0b\u5e8f\uff0c\u6211\u4eec\u901a\u8fc7\u521b\u5efa\u591a\u4e2a Docker network\uff0c\u7136\u540e\u5728\u4e3b\u673a\u4e0a\u6839\u636e Docker network \u8fdb\u884c\u7b56\u7565\u8def\u7531\uff0c\u8fbe\u5230\u9009\u62e9\u51fa\u53e3\u7684\u6548\u679c\u3002

\u521b\u5efa Docker network \u7684\u547d\u4ee4\u5982\u4e0b\uff1a

docker network create --driver=bridge --subnet=172.17.4.0/24 --gateway=172.17.4.1 -o \"com.docker.network.bridge.name=dockerC\" cernet\ndocker network create --driver=bridge --subnet=172.17.5.0/24 --gateway=172.17.5.1 -o \"com.docker.network.bridge.name=dockerT\" telecom\ndocker network create --driver=bridge --subnet=172.17.6.0/24 --gateway=172.17.6.1 -o \"com.docker.network.bridge.name=dockerM\" mobile\ndocker network create --driver=bridge --subnet=172.17.7.0/24 --gateway=172.17.7.1 -o \"com.docker.network.bridge.name=dockerU\" unicom\n\ndocker network create --driver=bridge --subnet=172.17.8.0/24 --gateway=172.17.8.1 \\\n  --ipv6 --subnet=fd00:6::/64 --gateway=fd00:6::1 \\\n  -o \"com.docker.network.bridge.name=dockerC6\" cernet6\n

\u5bf9\u5e94\u5730\uff0c\u4e3b\u673a\u4e0a\u4e5f\u914d\u7f6e\u597d\u4e86\u7b56\u7565\u8def\u7531\uff0c\u4f8b\u5982\uff1a

/etc/systemd/network/cernet.network
# Docker Cernet\n[RoutingPolicyRule]\nFrom=172.17.4.0/24\nTable=1011\nPriority=6\n[RoutingPolicyRule]\nFrom=172.17.8.0/24\nTable=1011\nPriority=6\n
/etc/systemd/network/telecom.network
# Docker Telecom\n[RoutingPolicyRule]\nFrom=172.17.5.0/24\nTable=1012\nPriority=6\n

mobile.network \u548c unicom.network \u4e5f\u7c7b\u4f3c\u3002

\u9700\u8981\u4f7f\u7528\u8fd9\u79cd\u65b9\u5f0f\u8fdb\u884c\u8def\u7531\u7684\u540c\u6b65\u955c\u50cf\uff0c\u53ef\u4ee5\u5728 YAML \u4e2d\u6307\u5b9a network\uff0c\u4f8b\u5982\uff1a

adoptium.yum.yaml
network: telecom\n
"},{"location":"services/mirrors/ipmi/","title":"IPMI","text":""},{"location":"services/mirrors/ipmi/#mirrors4","title":"Mirrors4","text":"

\u8fd9\u53f0\u673a\u5668\u7684 IPMI \u6709 HTML5 KVM\uff0c\u53ef\u4ee5\u76f4\u63a5\u7f51\u9875\u4f7f\u7528\uff0c\u6bd4\u8f83\u65b9\u4fbf\u3002

"},{"location":"services/mirrors/ipmi/#mirrors23","title":"Mirrors2/3","text":"

\u767b\u5f55 IPMI \u540e\uff0c\u4e3a\u4e86\u4f7f\u7528\u8fdc\u7a0b Shell\uff0c\u9700\u8981\u8fd0\u884c\u4e00\u4e2a jnlp \u6587\u4ef6\u3002 \u6b64\u6587\u4ef6\u4e0b\u8f7d\u65f6\u4f1a\u88ab Chrome \u62e6\u622a\uff0c\u9700\u8981\u989d\u5916\u5141\u8bb8\u4e00\u4e0b\u3002

\u6b64 jnlp \u6587\u4ef6\u9700\u8981 Oracle JDK 7 \u8fd0\u884c\uff0cOpenJDK 7 \u65e0\u6cd5\u8fd0\u884c\u3002 \u6307\u4ee4\u7528 javaws a.jnlp \u5373\u53ef\u3002

Java 8 \u53ca\u4e4b\u524d Java \u7684\u5404\u4e2a\u5de5\u5177\u662f\u6253\u5305\u5728 JDK \u4e2d\u7684\uff0c\u5305\u62ec Java Web Starter\uff0c\u5373\u6211\u4eec\u7528\u7684 javaws\u3002 \u6240\u4ee5\u53ea\u9700\u8981\u5b89\u88c5 Oracle JDK 7 \u5373\u53ef\uff0c\u65e0\u9700\u5b89\u88c5\u5176\u4ed6\u7684\u3001\u9488\u5bf9 Java 9 \u53ca\u4e4b\u540e\u7248\u672c\u7684\u5176\u4ed6\u5de5\u5177\u3002

"},{"location":"services/mirrors/limiter/","title":"\u9650\u5236\u7b56\u7565","text":"

\u7531\u4e8e mirrors \u5c5e\u4e8e I/O\u3001\u7f51\u7edc\u5bc6\u96c6\u578b\u670d\u52a1\uff0c\u5728\u90e8\u5206\u7684\u8d1f\u8f7d\u573a\u666f\u4e0b\u6781\u6613\u51fa\u73b0 I/O \u6216\u7f51\u7edc\u8fc7\u8f7d\u3002\u9650\u5236\u7b56\u7565\u4e3b\u8981\u662f\u4e3a\u4e86\u51cf\u5f31\u4ee5\u4e0b\u51e0\u7c7b\u8bf7\u6c42\u5bf9 mirrors \u6574\u4f53\u670d\u52a1\u8d28\u91cf\u7684\u5f71\u54cd\uff1a

  1. \u7a81\u53d1\u6027\u7684\u9ad8\u5e76\u53d1\u8bf7\u6c42
  2. \u722c\u866b\u7c7b\u6d41\u91cf
  3. \u4e0d\u5408\u7406\u7684\u8bf7\u6c42\uff08\u5982\uff1a\u6781\u5c11\u6570\u7528\u6237\u7684\u5927\u91cf\u8bf7\u6c42\uff09
"},{"location":"services/mirrors/limiter/#whitelists","title":"\u767d\u540d\u5355","text":"

\u4e00\u822c\u800c\u8a00\uff0c\u79d1\u5927\u6821\u5185\u7684\u5730\u5740\u4f4d\u4e8e\u9650\u5236\u89c4\u5219\u7684\u767d\u540d\u5355\u4e2d\uff0c\u4e0d\u53d7\u5230\u9650\u5236\u7b56\u7565\u7684\u5f71\u54cd\u3002\u5982\u679c\u6ca1\u6709\u7279\u6b8a\u8bf4\u660e\uff0c\u79d1\u5927\u5730\u5740\u9ed8\u8ba4\u4e0d\u53d7\u9650\u5236\u3002

\u767d\u540d\u5355\u4f4d\u4e8e\uff1a

"},{"location":"services/mirrors/limiter/#firewall","title":"\u9632\u706b\u5899\u7ea7\u522b\u9650\u5236","text":"

\u9632\u706b\u5899 (iptables) \u76ee\u524d\u53ea\u8d1f\u8d23\u9650\u5236\u5355 IP \u7684\u5e76\u53d1\u94fe\u63a5\u6570\u3002\u8fd9\u662f\u4e3a\u4e86\u9632\u6b62\u540c\u65f6\u6d8c\u5165\u5927\u91cf\u5e76\u53d1\u8fde\u63a5\uff0c\u5bfc\u81f4\u540e\u7aef\u5e94\u7528\u8017\u8d39\u5927\u91cf CPU \u548c I/O \u8d44\u6e90\u5904\u7406\u8fd9\u4e9b\u4e0d\u5408\u5e38\u7406\u7684\u8bf7\u6c42\u3002

\u5e8f\u53f7 \u7aef\u53e3 \u670d\u52a1 \u6700\u5927\u8fde\u63a5\u6570 IPv4 CIDR IPv6 CIDR 1 80,443 HTTP/HTTPS 12 29 64 2 20,21,50100:50200 FTP 4* 32 64 3 873 Rsync 5 32 64 4 9418 Git 10 32 64

\u6ce8\u610f\u4e8b\u9879

\u8fde\u63a5\u6570\u9650\u5236\u4ec5\u9650\u5236\u77ac\u65f6\u5e76\u53d1\uff08connlimit\uff09\u3002

\u8bf7\u6ce8\u610f\uff0c\u540c\u7ec4\u5185\u7684\u8fde\u63a5\u5171\u4eab\u8fde\u63a5\u6570\u914d\u989d\u3002\u5982\uff1a

\u8d85\u8fc7\u914d\u989d\u7684\u8fde\u63a5\u4f1a\u8fd4\u56de TCP Reset\u3002

* FTP \u670d\u52a1\u5df2\u505c\u6b62\u63d0\u4f9b\u3002

"},{"location":"services/mirrors/limiter/#application","title":"\u5e94\u7528\u7ea7\u522b\u9650\u5236","text":"

\u6b64\u7c7b\u9650\u5236\u89c4\u5219\u4f4d\u4e8e\u5e94\u7528\u7a0b\u5e8f\u5185\u3002\u7531\u4e8e\u5728\u7528\u6237\u6001\u7a0b\u5e8f\u4e2d\u5b9e\u73b0\uff0c\u56e0\u6b64\u66f4\u52a0\u7075\u6d3b\u3002

"},{"location":"services/mirrors/limiter/#nginx-mod-lua","title":"Nginx Lua \u7ec4\u4ef6","text":"

\u4ee3\u7801\u4f4d\u4e8e /etc/nginx/lua/module/access_limiter.lua

\u76ee\u524d\u4f7f\u7528\u4e86 Nginx \u7684 Lua \u8bed\u8a00\u6269\u5c55\u5b9e\u73b0\u5bf9\u8bf7\u6c42\u7684\u9650\u5236\u3002\u4e3b\u8981\u6709\u4ee5\u4e0b\u4e09\u7c7b\u9650\u5236\u65b9\u5f0f\uff1a

  1. \u6309\u8fde\u63a5\u6570\u9650\u5236\uff08\u5373\uff1a\u5e76\u53d1\u8bf7\u6c42\u6570\uff09
  2. \u6309\u8bf7\u6c42\u901f\u7387\u9650\u5236
  3. \u6309\u7d2f\u8ba1\u8bf7\u6c42\u6570\u9650\u5236\uff08\u5468\u671f\u6027\u91cd\u7f6e\u8ba1\u6570\u5668\uff09

\u76ee\u524d\uff0c\u955c\u50cf\u7ad9\u914d\u7f6e\u4e86\u4ee5\u4e0b\u51e0\u79cd\u529f\u80fd\u7684\u9650\u5236\u5668\uff1a

  1. \u5168\u5c40\u8bf7\u6c42\u901f\u7387\u9650\u5236\u5668\uff1a\u5bf9\u6240\u6709\u8bf7\u6c42\uff0c\u9650\u5236\u5355 IP \u7684\u8bf7\u6c42\u901f\u7387\u3002
  2. \u5168\u5c40\u8bf7\u6c42\u6570\u9650\u5236\u5668\uff1a\u5bf9\u4e8e\u6240\u6709\u8bf7\u6c42\uff0c\u68c0\u6d4b\u5355 IP \u5728\u4e00\u5929\u5185\u7684\u7d2f\u8ba1\u8bf7\u6c42\u6570\u3002\u8d85\u8fc7\u9608\u503c\u540e\uff0c\u964d\u4f4e\u8be5 IP \u7684\u5168\u5c40\u8bf7\u6c42\u901f\u7387\u9650\u5236\u5668\u7684\u9608\u503c\u3002
  3. HEAD \u8bf7\u6c42\u6570\u9650\u5236\u5668\uff1a\u5bf9\u4e8e HTTP Method = HEAD \u7c7b\u578b\u7684\u8bf7\u6c42\uff0c\u68c0\u6d4b\u5355 IP \u5728\u4e00\u5929\u5185\u7684\u7d2f\u8ba1\u8bf7\u6c42\u6570\u3002\u8d85\u8fc7\u9608\u503c\u540e\uff0c\u5f00\u542f HEAD \u8bf7\u6c42\u901f\u7387\u9650\u5236\u5668\u3002
  4. HEAD \u8bf7\u6c42\u901f\u7387\u9650\u5236\u5668\uff1a\u5bf9\u4e8e HTTP Method = HEAD \u7c7b\u578b\u7684\u8bf7\u6c42\uff0c\u9650\u5236\u5355 IP \u7684\u8bf7\u6c42\u901f\u7387\u3002\u8be5\u9650\u5236\u5668\u9ed8\u8ba4\u5173\u95ed\u3002
  5. \u65ad\u70b9\u7eed\u4f20\u8bf7\u6c42\u901f\u7387\u9650\u5236\u5668\uff1a\u5bf9\u4e8e\u65ad\u70b9\u7eed\u4f20\u7c7b\u578b\u7684\u8bf7\u6c42\uff0c\u9650\u5236\u5355 IP \u7684\u8bf7\u6c42\u901f\u7387\u3002
  6. \u65ad\u70b9\u7eed\u4f20\u8fde\u63a5\u6570\u9650\u5236\u5668\uff1a\u5bf9\u4e8e\u65ad\u70b9\u7eed\u4f20\u7c7b\u578b\u7684\u8bf7\u6c42\uff0c\u9650\u5236\u5355 IP \u5355 URI \u7684\u8fde\u63a5\u6570\u3002
  7. \u76ee\u5f55\u8bf7\u6c42\u901f\u7387\u9650\u5236\u5668\uff1a\u5bf9\u4e8e\u5217\u76ee\u5f55\u7c7b\u578b\u7684\u8bf7\u6c42\uff0c\u9650\u5236\u5355 IP \u8bf7\u6c42\u901f\u7387\u3002
  8. \u6587\u4ef6\u8bf7\u6c42\u901f\u7387\u9650\u5236\u5668\uff1a\u5bf9\u4e8e\u975e\u76ee\u5f55\u7c7b\u578b\u7684\u8bf7\u6c42\uff0c\u9650\u5236\u5355\u6587\u4ef6\u8bf7\u6c42\u901f\u7387\u3002\u5373\uff1a\u6240\u6709\u7528\u6237\u4e4b\u95f4\u5171\u4eab\u540c\u4e00\u4e2a\u914d\u989d\u3002

\u4f8b\u5916\uff1a

  1. apt/yum \u4ed3\u5e93\u7684\u7d22\u5f15\u6587\u4ef6\u4e0d\u53d7\u9650\u5236\u3002
  2. AOSP \u4ed3\u5e93\u4e0d\u9650\u5236\u5168\u5c40\u8bf7\u6c42\u6570\uff08git objects \u592a\u591a\u4e86\uff0c\u7528\u6237\u53cd\u9988\u89c1 Issue 397\uff09\uff1bnix-channels \u4e5f\u4e0d\u9650\u5236\u5168\u5c40\u8bf7\u6c42\u6570\uff08nix \u5305\u7ba1\u7406\u5668\u9ed8\u8ba4\u5f00\u542f 16 \u5e76\u53d1\uff09\u3002
  3. \u5bf9\u8fd4\u56de 403 \u7684\u6076\u610f\u8bf7\u6c42\uff08\u89c1\u4e0b\uff09\uff0c\u4ec5\u5e94\u7528\u5168\u5c40\u8bf7\u6c42\u901f\u7387/\u8bf7\u6c42\u6570\u9650\u5236\u5668\uff08Main-Req \u548c Main-Count\uff09\uff0c\u4e14\u5728\u8fd9\u4e24\u4e2a\u9650\u5236\u5668\u91cc\u6309\u53cc\u500d\u8ba1\u6570\uff1b\u540c\u65f6\u8df3\u8fc7\u65ad\u70b9\u7eed\u4f20/\u76ee\u5f55/\u6587\u4ef6\u9650\u5236\u5668\uff0c\u907f\u514d\u56e0\u4e3a\u6076\u610f\u8bf7\u6c42\u5237\u6ee1\u4e86\u76ee\u5f55/\u6587\u4ef6\u7684\u9650\u989d\u5bfc\u81f4\u6b63\u5e38\u7528\u6237\u7684\u8bbf\u95ee\u53d7\u9650\u3002

    \u4f8b\u5916\u6587\u4ef6\u7684\u5b9a\u4e49\u53c2\u8003 /etc/nginx/conf.d/access_limiter.conf\u3002

\u6848\u4f8b\uff1a\u66fe\u9047\u5230\u8fc7\u653b\u51fb\u8005\u5206\u5e03\u5f0f\u8bf7\u6c42\u540c\u4e00\u4e2a\u5927\u6587\u4ef6\uff0c\u5bfc\u81f4 IO\u3001\u7f51\u7edc\u540c\u65f6\u8fc7\u8f7d\u3002\u57fa\u4e8e IP \u5730\u5740\u7684\u9650\u5236\u63aa\u65bd\u5bf9\u4e8e\u6e90\u5730\u5740\u6c60\u5f88\u5927\u7684\u653b\u51fb\u5f80\u5f80\u6ca1\u6709\u6548\u679c\uff0c\u9650\u5236\u5355\u6587\u4ef6\u7684\u8bf7\u6c42\u901f\u7387\u80fd\u591f\u6709\u6548\u7f13\u89e3\u8fd9\u7c7b\u653b\u51fb\u3002

\u5177\u4f53\u53c2\u6570\u53c2\u8003\u4e0b\u8868\uff1a

\u9650\u5236\u5668\u540d\u79f0\u4e0e\u4ee3\u53f7 \u9608\u503c\u5355\u4f4d \u9608\u503c \u7a81\u53d1\u91cf \u8ba1\u6570\u5668\u91cd\u7f6e\u5468\u671f \u52a8\u4f5c \u5168\u5c40\u8bf7\u6c42\u901f\u7387\u9650\u5236\u5668Main-Req \u6b21/\u79d2 40 100 / \u8fd4\u56de 429 \u9519\u8bef \u5168\u5c40\u8bf7\u6c42\u6570\u9650\u5236\u5668Main-Count \u6b21 15000 / 1 \u5929 \u8bbe\u7f6e\u5168\u5c40\u8bf7\u6c42\u901f\u7387\u9650\u5236\u5668\u9608\u503c\u4e3a 0.2 \u6b21/\u79d2 HEAD \u8bf7\u6c42\u6570\u9650\u5236\u5668Head-Count \u6b21 300 / 1 \u5929 \u5f00\u542f HEAD \u8bf7\u6c42\u901f\u7387\u9650\u5236\u5668 HEAD \u8bf7\u6c42\u901f\u7387\u9650\u5236\u5668Head-Req \u6b21/\u79d2 0.05 5 / \u8fd4\u56de 429 \u9519\u8bef \u65ad\u70b9\u7eed\u4f20\u8bf7\u6c42\u901f\u7387\u9650\u5236\u5668Partial-Req \u6b21/\u79d2 1 10 / \u8fd4\u56de 429 \u9519\u8bef \u65ad\u70b9\u7eed\u4f20\u8fde\u63a5\u6570\u9650\u5236\u5668Partial-Conn \u6761 1 0 / \u8fd4\u56de 429 \u9519\u8bef \u76ee\u5f55\u8bf7\u6c42\u901f\u7387\u9650\u5236\u5668Ls-Req \u6b21/\u79d2 0.5 10 / \u8fd4\u56de 429 \u9519\u8bef \u6587\u4ef6\u8bf7\u6c42\u901f\u7387\u9650\u5236\u5668File-Req \u6b21/\u79d2 5 25 / \u8fd4\u56de 429 \u9519\u8bef \u6587\u4ef6\u8bf7\u6c42\u8fde\u63a5\u6570\u9650\u5236\u5668File-Conn \u6761 100 0 / \u8fd4\u56de 429 \u9519\u8bef

HEAD \u9650\u5236\u5668\u5df2\u5173\u95ed

\u8003\u8651\u5230 ZFS \u5bf9 dnode \u7684\u7f13\u5b58\u975e\u5e38\u6709\u6548\uff0c\u5728\u63a5\u5230 AOSC \u793e\u533a\u7684\u53cd\u9988\u540e\uff0c\u6211\u4eec\u5b8c\u5168\u5173\u95ed\u4e86 HEAD \u8bf7\u6c42\u6570\u9650\u5236\u5668\u3002

How lua-resty-limit-traffic works

\u9650\u5236\u5668\u903b\u8f91\u4f7f\u7528 https://github.com/openresty/lua-resty-limit-traffic \u5b9e\u73b0\uff0c\u5176\u4e2d\u4e0a\u8868\u4ee3\u53f7\u5206\u522b\u5bf9\u5e94\u5176 req, count, conn \u4e09\u79cd\u5b9e\u73b0\uff0ctraffic \u5219 aggregate \u4e86 count \u4e4b\u5916\u7684\u9650\u5236\u5668\uff0c\u8fd4\u56de\u6700\u5927\u7684\u5ef6\u8fdf\u3002

req \u7684\u6838\u5fc3\u516c\u5f0f\u662f\uff1aexcess = max(excess - rate * elapsed / 1000 + 1000, 0)\uff0c\u5176\u4e2d\u65f6\u95f4\u5355\u4f4d\u662f\u6beb\u79d2\uff08rate \u548c burst \u53c2\u6570\u8ba1\u7b97\u65f6\u90fd\u9700\u8981\u4e58\u4ee5 1000\uff09\u3002excess \u4f1a\u5148\u548c burst \u6bd4\u8f83\uff08\u5982\u679c\u8d85\u51fa\uff0c\u5219 reject\uff09\uff0c\u5982\u679c\u6ca1\u6709\u8d85\u51fa\uff0c\u5219 delay excess / rate \u79d2\u3002

\u5f53 elapsed = 1000/rate \u65f6\uff0c\u6070\u597d\u4e0d\u4f1a\u589e\u52a0 excess \u7684\u503c\uff0c\u6b64\u65f6 1 \u79d2\u5185\u6070\u597d\u53ef\u4ee5\u5bb9\u7eb3 rate \u4e2a\u8bf7\u6c42\uff1b\u5f53 elapsed = 1000/(rate+burst) \u65f6\uff0cexcess \u589e\u91cf\u4e3a 1000(1-r/(r+b))\uff0c\u6b64\u65f6 1 \u79d2\u5185\u6070\u597d\u6709 (rate+burst) \u4e2a\u8bf7\u6c42\u4e0d\u4f1a\u88ab reject\u3002

\u7406\u60f3\u60c5\u51b5\u4e0b\u7684\u4f8b\u5b50\uff1a\u5982\u679c rate = 40r/s = 40 * 1000 r/ms\uff0c\u5219 elapsed \u9700\u8981\u81f3\u5c11\u4e3a 1/40 \u79d2\uff0825 \u6beb\u79d2\uff09\uff0c\u624d\u80fd\u548c\u540e\u9762\u7684 + 1000 \u62b5\u6d88\uff0c\u5426\u5219 excess \u4f1a\u4e00\u76f4\u589e\u52a0\u3002\u5982\u679c burst = 100r/s = 100 * 1000 r/ms\uff0c\u90a3\u4e48\u5047\u8bbe\u6709\u7528\u6237\u6bcf 1/140 \u79d2\uff087.1 \u6beb\u79d2\uff09\u8bbf\u95ee\u4e00\u6b21\uff0c\u90a3\u4e48 excess \u6bcf\u6b21\u4f1a\u589e\u52a0 714.28\uff0c\u5982\u679c\u6709 140 \u4e2a\u8fd9\u6837\u7684\u8bf7\u6c42\uff0c\u90a3\u4e48 excess \u7684\u503c\u5219\u6070\u597d\u662f burst \u7684\u503c\u3002

count \u7684\u903b\u8f91\u7b80\u5355\u5f88\u591a\uff0c\u4f7f\u7528 lua-nginx-module \u5e26\u7684 https://github.com/openresty/lua-nginx-module?tab=readme-ov-file#ngxshareddictincr \u4e3a\u6bcf\u6b21\u81ea\u589e\u8bbe\u7f6e TTL \u5373\u53ef\u3002

conn \u4f7f\u7528\u5b57\u5178\u8ba1\u6570\u5668\u7edf\u8ba1\u5f53\u524d\u8fde\u63a5\u6570\uff0c\u5982\u679c\u8d85\u8fc7\u4e86 max + burst\uff0c\u5219 reject\u3002\u5426\u5219\u5982\u679c\u8d85\u8fc7\u4e86 max \u5219\u5ef6\u8fdf unit_delay * floor((conn - 1) / max) \u79d2\u3002unit_delay \u8d77\u59cb\u4e3a\u7528\u6237\u7ed9\u5b9a\u7684\u503c\uff0c\u5728\u4e4b\u540e\u4f1a\u6309\u7167 unit_delay = (req_latency + unit_delay) / 2 \u5b9a\u65f6\u8c03\u6574\u3002

\u5230\u8fbe\u9608\u503c\u540e\u4f1a\u53d1\u751f\u4ec0\u4e48\uff1f

\u9650\u5236\u5668\u4e4b\u95f4\u76f8\u4e92\u72ec\u7acb\uff0c\u5f53\u88ab\u89e6\u53d1\u7684\u6240\u6709\u9650\u5236\u5668\u4ea7\u751f\u4e0d\u4e00\u81f4\u7684\u7b49\u5f85\u65f6\u95f4\u65f6\uff0c\u5e94\u7528\u6700\u957f\u7684\u7b49\u5f85\u65f6\u95f4\u3002

"},{"location":"services/mirrors/limiter/#large-files","title":"\u5927\u6587\u4ef6\u4e0b\u8f7d\u901f\u5ea6\u9650\u5236","text":"

\u4ee3\u7801\u4f4d\u4e8e /etc/nginx/lua/header_filter.lua

\u9488\u5bf9\u5927\u6587\u4ef6\u4e0b\u8f7d\uff0c\u9650\u5236\u6bcf\u4e2a\u6587\u4ef6\u7684\u603b\u5e26\u5bbd\u4e3a 1 Gbps\uff0c\u4ee5\u907f\u514d\u5927\u6587\u4ef6\u6d41\u91cf\u5360\u6ee1\u603b\u5e26\u5bbd\u3002

\u6ce8\u610f\u4e8b\u9879

\u5982\u679c\u6709\u591a\u4e2a\u6587\u4ef6\u9762\u4e34\u9ad8\u538b\u529b\u8bbf\u95ee\uff0c\u603b\u5e26\u5bbd\u4f9d\u7136\u53ef\u80fd\u88ab\u5360\u6ee1

\u5177\u4f53\u505a\u6cd5\u4e3a\uff0c\u8bbe\u7f6e\u4e0b\u8f7d\u901f\u5ea6\u9608\u503c = 1 Gbps / (\u8be5\u5927\u6587\u4ef6\u7684\u540c\u65f6\u8fde\u63a5\u6570 + 1)

\u5f53\u4e0b\u8f7d\u7684\u6587\u4ef6\u65e0\u7a77\u5927\u65f6\uff0c\u5c06\u51fa\u73b0\u6700\u5dee\u60c5\u5f62\uff0c\u5373\u7528\u6237\u88ab\u5206\u914d\u5230\u7684\u4e0b\u8f7d\u901f\u7387\u670d\u4ece\u7c7b\u8c03\u548c\u7ea7\u6570\uff0c\u51fd\u6570\u53d1\u6563\u3002\u5b9e\u9645\u60c5\u51b5\u4e0b\uff0c\u65e9\u671f\u7528\u6237\u4e0b\u8f7d\u5b8c\u6210\u540e\u8fde\u63a5\u91ca\u653e\uff0c\u6700\u7ec8\u5e26\u5bbd\u5c06\u6536\u655b\u5230 1 Gbps\u3002

\u6ce8\uff1a\u5927\u6587\u4ef6\u5b9a\u4e49\u53c2\u7167\u76ee\u524d\u7684 Lua \u811a\u672c\u914d\u7f6e\u3002

"},{"location":"services/mirrors/limiter/#nginx-js-challenge","title":"Nginx JavaScript \u6311\u6218","text":"

\u4ee3\u7801\u4f4d\u4e8e /etc/nginx/lua/access-with-challenge.lua

\u4e3a\u4e86\u62b5\u6297\u201c\u8fc5\u96f7\u653b\u51fb\u201d\u3002\u5bf9\u4e8e\u7279\u5b9a\u7c7b\u578b\u7684\u6587\u4ef6\uff0c\u5f00\u542f\u4e86 JS \u6311\u6218\u3002\u5982\u679c\u5ba2\u6237\u7aef User-Agent \u4e3a Mozilla\uff08\u5373\u6d4f\u89c8\u5668\uff09\uff0c\u5219\u53d1\u9001\u4e00\u6bb5\u5305\u542b JS \u811a\u672c\u7684\u9875\u9762\uff0c\u68c0\u9a8c\u8fd0\u884c\u7684\u7ed3\u679c\u3002\u5982\u679c\u6311\u6218\u5931\u8d25\uff0c\u5219\u7981\u6b62\u8bbf\u95ee\u3002

\u88ab\u4fdd\u62a4\u7684\u6587\u4ef6\u7c7b\u578b\u53c2\u89c1 /etc/nginx/conf.d/map_access.conf\uff0c\u90e8\u5206\u5185\u5bb9\u8282\u9009\u5982\u4e0b\uff1a

map $uri $access_url_type {\n    default 0;\n\n    # 1: large files\n    \"~*\\.(iso|exe|dmg|run|zip|tar)$\" 1;\n}\n
"},{"location":"services/mirrors/limiter/#robots","title":"\u722c\u866b\u9650\u5236","text":"

\u4ee3\u7801\u4f4d\u4e8e map_access.conf\uff08\u89c1\u4e0a\uff09\u548c /etc/nginx/snippets/robots\uff0c\u5229\u7528 nginx \u7684 map \u5b9e\u73b0\u7ec4\u5408\u903b\u8f91\uff0c\u8fdb\u884c\u5982\u4e0b\u9650\u5236\uff1a

"},{"location":"services/mirrors/limiter/#rsync-connections","title":"Rsync \u603b\u8fde\u63a5\u6570\u9650\u5236","text":"

Rsync \u670d\u52a1\u8bbe\u7f6e\u4e86\u603b\u8fde\u63a5\u6570\u9650\u5236\u3002\u5373\uff1a\u5f53\u5efa\u7acb\u7684\u8fde\u63a5\u6570\u5230\u8fbe\u67d0\u4e2a\u9608\u503c\u540e\uff0c\u62d2\u7edd\u4e4b\u540e\u6536\u5230\u7684\u8fde\u63a5\u3002

\u5386\u53f2\u8bb0\u5f55

\u4ee5\u524d HTTP \u548c Rsync \u670d\u52a1\u7531\u540c\u4e00\u53f0\u670d\u52a1\u5668\u63d0\u4f9b\uff0c\u7531\u4e8e\u767d\u5929 HTTP \u8bbf\u95ee\u538b\u529b\u8f83\u5927\uff0c\u591c\u665a HTTP \u8bbf\u95ee\u91cf\u8f83\u5c0f\uff0c\u4e3a\u4e86\u5b9e\u73b0\u9519\u5cf0\u540c\u6b65\uff0c\u4fdd\u8bc1\u767d\u5929 HTTP \u7684\u670d\u52a1\u8d28\u91cf\uff0c\u56e0\u6b64\u9488\u5bf9\u4e0d\u540c\u65f6\u6bb5\u8bbe\u7f6e\u4e86\u4e0d\u540c\u7684\u9608\u503c\uff0c\u5177\u4f53\u5982\u4e0b\uff1a

\u5728 2020 \u5e74 8 \u6708 25 \u65e5\u540e\uff0c\u7531\u4e8e\u66f4\u6362\u4e86\u65b0\u670d\u52a1\u5668\uff0cRsync \u7531\u5355\u72ec\u673a\u5668\u63d0\u4f9b\u670d\u52a1\uff0c\u603b\u8fde\u63a5\u6570\u63d0\u5347\u5230\u4e86\u5168\u5929 60 \u4e2a\u8fde\u63a5\u3002

\u7279\u522b\u7684\uff0c\u79d1\u5927\u6821\u5185 IP \u5730\u5740\u53d7\u5230 rsync \u8fde\u63a5\u6570\u9650\u5236\u3002

"},{"location":"services/mirrors/limiter/#interface-limit","title":"\u7f51\u7edc\u63a5\u53e3\u7ea7\u522b\u9650\u5236","text":"

mirrors \u5e38\u6001\u4e0b\u6ca1\u6709\u7f51\u7edc\u63a5\u53e3\u9650\u5236\uff0c\u4f46\u5728\u9700\u8981\u4e34\u65f6\u5bf9\u67d0\u4e00\u63a5\u53e3\u8fdb\u884c\u9650\u5236\u65f6\uff0c\u53ef\u4ee5\u4f7f\u7528 tc \u6765\u5b8c\u6210\u3002

\u4f8b\u5982\u53ef\u4ee5\u53c2\u8003\u8fd9\u4efd\u56de\u7b54\uff1aiptables - Limiting interface bandwidth with tc under Linux - Server Fault\uff0c\u4f7f\u7528\u5982\u4e0b\u6307\u4ee4\u9650\u5236\u67d0\u4e00\u63a5\u53e3\u7684\u7f51\u7edc\u901f\u7387\u4e3a 1.5Gbps\uff1a

tc qdisc add dev <interface> root handle 1: tbf rate 1500Mbit burst 750K latency 14ms\n

\u8fd9\u91cc\u4f7f\u7528\u4e86 TBF\uff08\u4ee4\u724c\u6876\uff09\u7b97\u6cd5\uff0c\u540e\u9762\u7684 burst \u548c latency \u53c2\u6570\u610f\u4e49\u53ef\u4ee5\u53c2\u89c1 man tc-tbf\u3002 \u5177\u4f53\u800c\u8a00\uff0clatency \u6ca1\u6709\u63a8\u8350\u503c\uff0c\u4f46 burst \u8981\u6c42\u81f3\u5c11\u4e3a rate / HZ\uff0cHZ = 100 \u65f6 10Mbps \u81f3\u5c11\u7ea6 10MB\u3002 HZ \u7684\u503c\u9700\u8981\u4ece\u5185\u6838\u7684\u7f16\u8bd1\u53c2\u6570\u4e2d\u67e5\u770b\uff1aegrep '^CONFIG_HZ_[0-9]+' /boot/config-`uname -r`\u3002\u73b0\u4ee3\u53d1\u884c\u7248\u63d0\u4f9b\u7684\u5185\u6838\u4e2d\u8fd9\u4e2a\u503c\u4e00\u822c\u4e3a 250\u3002

\u53c2\u8003\u8d44\u6599\uff1aBucket size in tbf

\u76ee\u524d\u90e8\u7f72\u7684\u9650\u5236\u6709\uff1a

\u5728 mirrors4 \u4e0a\u8be5\u914d\u7f6e\u7684\u5f00\u673a\u81ea\u542f\u5206\u522b\u4f4d\u4e8e tc-unicom.service \u548c tc-telecom.service \u4e24\u4e2a\u670d\u52a1\u4e2d\uff0c\u5176\u4e2d tc-unicom.service \u914d\u7f6e\u5982\u4e0b\uff1a

[Unit]\nDescription=Rate Limiting for Unicom Interface\n\n[Service]\nType=oneshot\nRemainAfterExit=true\nExecStart=/usr/sbin/tc qdisc replace dev unicom root handle 1: tbf rate 1500Mbit burst 750K latency 14ms\nExecStop=/usr/sbin/tc qdisc delete dev unicom root handle 1\n\n[Install]\nWantedBy=sys-subsystem-net-devices-unicom.device\n

Install \u90e8\u5206\u7684 WantedBy \u4f7f\u7528\u8fd9\u79cd\u5199\u6cd5\u53ef\u4ee5\u4f7f\u8be5\u670d\u52a1\u4f9d\u8d56\u4e8e\u540d\u4e3a unicom \u7684\u7f51\u53e3\uff0c\u8be6\u7ec6\u56de\u7b54\u53ef\u4ee5\u770b What is the systemd-networkd equivalent of post-up?\u3002

"},{"location":"services/mirrors/limiter/#blacklists","title":"IP \u9ed1\u540d\u5355\u9650\u5236","text":"

\u5bf9\u4e8e\u6ee5\u7528\u7684 IP \u6bb5\uff0c\u53ef\u4ee5\u4f7f\u7528 ipset \u548c iptables \u5b9e\u73b0\u9ed1\u540d\u5355\u9650\u5236\u3002 ipset \u5c06\u67d0\u4e2a IP \u5339\u914d\u5230\u4e00\u4e2a\u96c6\u5408\u4e2d\uff0ciptables \u518d\u9488\u5bf9\u67d0\u4e00\u96c6\u5408\u8fdb\u884c\u9650\u5236\u3002

ipset \u548c iptables \u7684\u4f7f\u7528\u53ef\u4ee5\u53c2\u8003\uff1aIpset - Arch Wiki \u3002

\u6211\u4eec\u5df2\u5728 mirrors4 \u4e0a\u914d\u7f6e\u4e86 blacklist \u548c blacklist6 \u96c6\u5408\uff0c\u82e5\u8981\u5c01\u7981\u67d0\u4e2a IP \u6216\u7f51\u6bb5\uff0c\u53ef\u4ee5\u76f4\u63a5\u5c06\u8be5\u7f51\u6bb5\u52a0\u5165\u96c6\u5408\uff0c\u4f8b\u5982\uff1a

ipset add blacklist 192.0.2.0/24\nipset add blacklist6 2001:db8:114:514::/64\n

\u4e0e iptables \u7c7b\u4f3c\uff0cipset \u4e5f\u9700\u8981\u6301\u4e45\u5316\u3002\u5c01\u7981\u540d\u5355\u7684\u6587\u4ef6\u4f4d\u4e8e\uff08mirrors4\uff09/usr/local/network_config/iptables/blacklist.list\uff0c\u4fee\u6539\u6b64\u6587\u4ef6\u589e\u51cf\u6761\u76ee\u540e\u8fd0\u884c\u8be5\u76ee\u5f55\u4e0b\u7684 apply.sh \u5373\u53ef\u3002

\u7531\u4e8e\u5c01\u7981\u4ec5\u5bf9\u65b0\u5efa\u7acb\u7684\u8fde\u63a5\u6709\u6548\uff0c\u8bf7\u5728\u4fee\u6539\u5c01\u7981\u540d\u5355\u540e\uff0c\u4f7f\u7528 ss -K dst \u5bf9\u5e94\u7684\u7f51\u6bb5 \u5173\u95ed\u5df2\u7ecf\u5efa\u7acb\u7684\u8fde\u63a5\uff08\u4f8b\u5982\u5bf9\u4e8e\u4ee5\u4e0a\u4e24\u884c\u89c4\u5219\uff0c\u547d\u4ee4\u5206\u522b\u4e3a ss -K dst 192.0.2.0/24 \u4e0e ss -K dst 2001:db8:114:514::/64\uff09\u3002

"},{"location":"services/mirrors/limiter/#ipset-persistent","title":"ipset \u6301\u4e45\u5316","text":"

\u6211\u4eec\u4f7f\u7528\u8f6f\u4ef6\u6e90\u91cc\u7684 ipset-persistent \u5305\u6765\u5e2e\u52a9 ipset \u5728\u5f00\u673a\u65f6\u81ea\u52a8\u6062\u590d\uff0c\u8be5\u8f6f\u4ef6\u5305\u4f1a\u5728\u5f00\u673a\u52a0\u8f7d iptables \u524d\u5148\u4ece /etc/iptables/ipsets \u4e2d\u6062\u590d ipset \u4ee5\u786e\u4fdd iptables \u4e2d\u7684\u5f15\u7528\u80fd\u6b63\u786e\u5904\u7406\u3002

\u56e0\u4e3a ipset-persistent \u5728\u5f00\u673a\u65f6\u81ea\u52a8\u52a0\u8f7d\uff0c\u6211\u4eec\u9009\u62e9\u4ec5\u52a0\u8f7d\u4e00\u4e2a\u8f83\u5c0f\u7684\u5b50\u96c6\uff0c\u5305\u542b\u5fc5\u8981\u914d\u7f6e\uff08create set\uff09\u548c\u8f83\u5c11\u53d1\u751f\u53d8\u5316\u7684\u5185\u5bb9\uff08\u5982 ustcnet \u7684\u7f51\u6bb5\uff09\u3002\u76ee\u524d /etc/iptables/ipsets \u5305\u542b\u4ee5\u4e0b\u5185\u5bb9\uff1a

create ustcnet hash:net family inet hashsize 1024 maxelem 65536\ncreate f2b-sshd hash:ip family inet hashsize 1024 maxelem 65536 timeout 3600\ncreate blacklist hash:net family inet hashsize 1024 maxelem 65536\ncreate blacklist6 hash:net family inet6 hashsize 1024 maxelem 65536\n\nadd ustcnet 202.38.64.0/19\n# more ustcnet entries...\n
"},{"location":"services/mirrors/limiter/#403","title":"403 \u9875\u9762","text":"

\u76ee\u524d mirrors4 \u5c06\u6765\u6e90 IP \u5c5e\u4e8e blacklist \u6216 blacklist6 \u96c6\u5408\u4e14\u76ee\u6807\u7aef\u53e3\u4e3a 80 \u6216 443 \u7684\u8fde\u63a5\u91cd\u5b9a\u5411\u81f3 403 \u7aef\u53e3\u3002403 \u9875\u9762\u4f4d\u4e8e /var/www/html/403.html\u3002

\u76f8\u5173 nginx \u914d\u7f6e\u4f4d\u4e8e /etc/nginx/sites-available/mirrors.ustc.edu.cn-403\u3002

\u6211\u4eec\u4f7f\u7528 ip{,6}tables \u5c06\u5bf9 80 \u6216 443 \u7aef\u53e3\u7684\u8bbf\u95ee\u91cd\u5b9a\u5411\u81f3 403 \u7aef\u53e3\uff0c\u5728 nat \u8868\u7684 PREROUTING \u94fe\u6dfb\u52a0\u89c4\u5219\uff1a

-A PREROUTING -m set --match-set blacklist src -p tcp -m multiport --dports 80,443 -j REDIRECT --to-port 403\n

\u5e76\u5728 filter \u8868 BLACKLIST \u94fe\u653e\u884c\u5df2\u5efa\u7acb\u8fde\u63a5\uff0c\u5bf9 403 \u7aef\u53e3\u9650\u901f\uff1a

-A BLACKLIST -m conntrack --ctstate ESTABLISHED -j RETURN\n-A BLACKLIST -p tcp --dport 403 -m hashlimit --hashlimit-upto 60/min --hashlimit-burst 5 --hashlimit-mode srcip --hashlimit-srcmask 64 --hashlimit-name nginx-403 --hashlimit-htable-expire 60000 -j RETURN\n-A BLACKLIST -j DROP\n
"},{"location":"services/mirrors/monitor/","title":"Mirrors-specific monitoring","text":""},{"location":"services/mirrors/monitor/#connections-users-online","title":"Connections (Users online)","text":"/etc/telegraf/telegraf.d/exec.conf
[[inputs.exec]]\n  commands = [\n    \"/opt/monitor/telegraf/connection.sh 21:80:443:873:9418\",\n    \"/opt/monitor/telegraf/nfacct.sh\",\n    \"/opt/monitor/telegraf/process.sh\",\n  ]\n  timeout = \"5s\"\n  data_format = \"influx\"\n
/opt/monitor/telegraf/connection.sh
#!/bin/bash\n\nport_list_input=${1//:/|}\nport_list=${port_list_input:-\"80|443\"}\nnetstat -ntW | gawk '{print tolower($6),gensub(/^(.+):([^:]+)$/,\"\\\\1 \\\\2\",\"g\",$4)}' | grep -P \" ($port_list)\\$\" | sort | uniq -c | sort -k 4 -k 3 | awk \"{printf(\\\"connection,protocol=tcp,port=%s,address=%s %s=%s\\n\\\",\\$4,\\$3,\\$2,\\$1)}\"\nnetstat -ntW | gawk '{print tolower($6),gensub(/^(.+):([^:]+)$/,\"\\\\2\",\"g\",$4)}' | grep -P \" ($port_list)\\$\" | sort | uniq -c | sort -k 3 | awk \"{printf(\\\"connection,protocol=tcp,port=%s,address=any %s=%s\\n\\\",\\$3,\\$2,\\$1)}\"\n
/opt/monitor/telegraf/nfacct.sh
#!/bin/bash\n\nsudo nfacct list | awk '-F[ ,;]' \"{printf(\\\"nfacct,object=%s bytes=%i,pkgs=%i\\n\\\",\\$11,\\$8,\\$4)}\"\n
/opt/monitor/telegraf/process.sh
#!/bin/sh\n\nps -e -o s= -o comm= |\n  grep -v '^[SI] ' |\n  sed 's|/.*$|/|g' |\n  sort | uniq -c |\n  awk '{printf(\"process,state=%s,name=%s count=%ii\\n\",$2,$3,$1)}'\n
"},{"location":"services/mirrors/repos/","title":"Repositories","text":"

\u955c\u50cf\u7ad9\u670d\u52a1\u5668\u7edf\u4e00\u4f7f\u7528 /srv/repo \u5b58\u50a8\u955c\u50cf\u4ed3\u5e93\u3002

"},{"location":"services/mirrors/repos/#new-repo","title":"\u6dfb\u52a0\u4e00\u4e2a\u65b0\u4ed3\u5e93","text":""},{"location":"services/mirrors/repos/#_1","title":"\u521b\u5efa\u5b58\u50a8\u76ee\u5f55","text":"

\u6839\u636e\u670d\u52a1\u5668\u4f7f\u7528\u7684\u6587\u4ef6\u7cfb\u7edf\uff0c\u53c2\u8003 ZFS \u6216\u8005 XFS\u3002

"},{"location":"services/mirrors/repos/#_2","title":"\u6dfb\u52a0\u540c\u6b65\u914d\u7f6e","text":"

\u7167\u7740 /home/mirror/repos \u4e0b\u7684\u73b0\u6709\u6587\u4ef6\u81ea\u5df1\u7814\u7a76\u4e00\u4e0b\u5427\uff0c\u8fd9\u4e2a\u4e0d\u96be\u3002\u9700\u8981\u6ce8\u610f\u7684\u5c31\u4e00\u70b9\uff0c\u6587\u4ef6\u540d\u7ed3\u5c3e\u5fc5\u987b\u662f .yaml\uff08\u800c\u4e0d\u80fd\u662f .yml\uff09\uff0c\u8fd9\u662f Yuki \u4ee3\u7801\u91cc\u5199\u7684\u3002

\u51b3\u5b9a bindIP \u6216 network \u7684\u503c

\u955c\u50cf\u7ad9\u6709\u591a\u4e2a\u6765\u81ea\u4e0d\u540c\u8fd0\u8425\u5546\u7684 IP \u53ef\u7528\u4e8e\u540c\u6b65\u4efb\u52a1\u3002\u7531\u4e8e\u7f51\u7edc\u73af\u5883\u7684\u4e0d\u786e\u5b9a\u6027\uff0c\u6709\u65f6\u4f1a\u51fa\u73b0\u67d0\u4e2a IP \u540c\u6b65\u901f\u5ea6\u6781\u6162\u7684\u60c5\u51b5\u3002

@taoky \u7684 admirror-speedtest \u53ef\u4ee5\u5e2e\u52a9\u51b3\u5b9a\u6700\u5feb\u901f\u7684 IP\u3002

\u53e6\u5916\uff0cbindIP \u4e0d\u9002\u7528\u4e8e\u6240\u6709\u7684\u540c\u6b65\u955c\u50cf\uff08\u4e00\u90e8\u5206\u7a0b\u5e8f\u4e0d\u652f\u6301\u4fee\u6539 bind() \u7684\u53c2\u6570\uff09\uff0c\u6b64\u65f6\u53ef\u4ee5\u4f7f\u7528\u57fa\u4e8e Docker Network \u7684 network \u914d\u7f6e\u3002

\u5199\u597d\u65b0\u4ed3\u5e93\u7684\u914d\u7f6e\u6587\u4ef6\u4e4b\u540e\u8fd0\u884c yuki reload\uff0c\u7136\u540e yuki sync <repo> \u5c31\u53ef\u4ee5\u5f00\u59cb\u521d\u6b21\u540c\u6b65\u4e86\u3002

"},{"location":"services/mirrors/repos/#git-srvgit","title":"\u4e3a Git \u7c7b\u578b\u4ed3\u5e93\u6dfb\u52a0\u8f6f\u94fe\u63a5\u81f3 /srv/git","text":"

git-daemon.service \u6839\u636e /srv/git \u4e0b\u7684\u5185\u5bb9\u5bf9\u5916\u63d0\u4f9b Git \u670d\u52a1\u3002\u6240\u4ee5\u5982\u679c\u662f git \u7c7b\u578b\u7684\u4ed3\u5e93\uff0c\u9700\u8981\u6dfb\u52a0\u8f6f\u94fe\u63a5\uff0c\u5426\u5219\u65e0\u6cd5\u4f7f\u7528 git:// \u7684\u534f\u8bae\u8bbf\u95ee\u3002\uff08http(s):// \u534f\u8bae\u6ca1\u6709\u95ee\u9898\uff09

Git \u4ed3\u5e93\u670d\u52a1\u7684\u5176\u4ed6\u76f8\u5173\u914d\u7f6e

\u90e8\u5206\u514b\u9686\u914d\u7f6e (See https://github.com/ustclug/discussions/issues/432)\uff1a

/etc/gitconfig
[uploadpack]\n    allowfilter = true\n

\u7531\u4e8e git daemon/fcgiwrap \u7684\u7528\u6237\u4e0d\u662f mirror\uff0c\u6240\u4ee5\u9700\u8981\u8bbe\u7f6e\u7ed5\u8fc7 git \u65b0\u7684\u5b89\u5168\u9650\u5236\uff1a

/etc/gitconfig
[safe]\n    directory = *\n
"},{"location":"services/mirrors/repos/#_3","title":"\u79fb\u52a8\uff08\u5220\u9664\uff09\u4e00\u4e2a\u4ed3\u5e93","text":"

Note

\u4ee5\u4e0b\u4ee5 2023 \u5e74 12 \u6708 27 \u65e5\u5c06 .private/sb \u79fb\u52a8\u5230 sb \u7684\u64cd\u4f5c\u4e3a\u4f8b\u5b50\uff0c\u4ecb\u7ecd\u6211\u4eec\u9700\u8981\u505a\u7684\u4e8b\u60c5\u3002

\u5f7c\u65f6\u7684 mirrors4 \u4ecd\u7136\u4f7f\u7528 XFS\uff0c\u5bf9\u4e8e\u4f7f\u7528 ZFS \u7684\u670d\u52a1\u5668\uff0c\u6587\u4ef6\u90e8\u5206\u64cd\u4f5c\u6709\u6240\u4e0d\u540c\u3002

"},{"location":"services/mirrors/repos/#sb","title":"\u521b\u5efa sb \u76ee\u5f55","text":"

\u53c2\u8003\u4e0a\u6587\uff0c\u521b\u5efa\u76ee\u5f55\uff0c\u4fee\u6539 /etc/projects \u7684\u8def\u5f84\uff08ID \u4e0d\u9700\u8981\u4fee\u6539\uff09\uff0c\u7136\u540e\u6267\u884c\u76f8\u5173\u7684 xfs_quota \u547d\u4ee4\uff08\u89c1 XFS\uff09\u3002

\u7531\u4e8e\u6211\u4eec\u7684\u4f8b\u5b50\u662f\u79fb\u52a8\u76ee\u5f55\uff0c\u53ef\u4ee5\u76f4\u63a5\u4f7f\u7528 mv \u547d\u4ee4\uff08sb \u4ed3\u5e93\u5f88\u5c0f\uff09\u3002

"},{"location":"services/mirrors/repos/#yuki","title":"\u4fee\u6539 Yuki \u914d\u7f6e","text":"

\u4fee\u6539 /home/mirror/repos/sb.yaml\uff0c\u5c06 path \u4fee\u6539\u4e3a /srv/repo/sb\u3002\u7136\u540e\u91cd\u65b0\u52a0\u8f7d\uff1a

yukictl reload sb\n
"},{"location":"services/mirrors/repos/#rsync-attrs","title":"\u6d4b\u8bd5\u540c\u6b65\uff0c\u5e76\u5220\u9664 rsync-attrs \u4e2d\u7684\u65e7\u76ee\u5f55","text":"
yukictl sync --debug sb\n

\u786e\u8ba4\u540c\u6b65\u65e0\u8bef\u540e\uff0c\u68c0\u67e5 /srv/rsync-attrs \u7684\u5185\u5bb9\uff0c\u5e76\u5220\u9664\u65e7\u76ee\u5f55 /srv/rsync-attrs/.private\u3002

/srv/rsync-attrs

\u8be5\u76ee\u5f55\u7684\u7528\u9014\u662f\u4e3a\u574f\u4eba\u4fee\u6539\u7248\u7684 rsyncd\uff08\u5373 rsyncd-huai\uff09\u63d0\u4f9b\u5feb\u901f\u7684\u6587\u4ef6\u5c5e\u6027\u67e5\u8be2\uff08\u5bf9\u5e94\u4f7f\u7528 Reiserfs \u683c\u5f0f\u5316\uff0c\u6302\u8f7d\u5728 SSD \u4e0a\uff09\u3002 \u540c\u65f6\u8be5\u76ee\u5f55\u4e5f\u7528\u4e8e\u4e3b\u9875\u751f\u6210\u3002

"},{"location":"services/mirrors/repos/#nginx","title":"\u4fee\u6539 nginx \u914d\u7f6e","text":"

\u7531\u4e8e\u6211\u4eec\u8fd9\u91cc\u662f\u79fb\u52a8\u4ed3\u5e93\uff0c\u4e3a\u4e86\u4fdd\u8bc1\u65e7\u7528\u6237\u80fd\u591f\u6b63\u5e38\u4f7f\u7528\uff0c\u9700\u8981\u4fee\u6539 nginx \u914d\u7f6e\uff0c\u5c06\u65e7\u7684\u8def\u5f84\u91cd\u5b9a\u5411\u5230\u65b0\u7684\u8def\u5f84\u3002

\u76f8\u5173\u7684\u914d\u7f6e\u4e00\u822c\u4f4d\u4e8e /etc/nginx/snippets/mirrors-locations\uff0c\u672c\u6b21\u6211\u4eec\u65b0\u589e\u7684\u5185\u5bb9\u5982\u4e0b\uff1a

location /.private/sb/ {\n    rewrite ^/.private(/sb/.*$) $1 permanent;\n}\n

Nginx rewrite \u76f8\u5173\u7684\u8bed\u6cd5\u77e5\u8bc6\u9700\u8bfb\u8005\u81ea\u884c\u5b66\u4e60\u3002

\u4fee\u6539\u5b8c\u6210\u540e\uff0c\u91cd\u8f7d\u914d\u7f6e\uff1a

nginx -t\nnginx -s reload  # \u6216\u8005 systemctl reload nginx\n

\u5e76\u4e14 commit \u6709\u5173\u4fee\u6539\uff1a

git -c user.name=\u4f60\u7684\u540d\u5b57 -c user.email=\u4f60\u7684\u90ae\u7bb1 commit -m \"...\"\n
"},{"location":"services/mirrors/repos/#rsync-proxy-rsyncd","title":"\u4fee\u6539 rsync-proxy \u4e0e rsyncd \u914d\u7f6e","text":"

rsync-proxy \u4e3a\u8fd1\u5e74\u6765\u6211\u4eec\u81ea\u884c\u7f16\u5199\u7684 rsync \u53cd\u5411\u4ee3\u7406\u670d\u52a1\u3002 \u4fee\u6539\u4e86 /etc/rsync-proxy/config.toml\uff0c\u5220\u9664 mirrors2 \u4e2d\u7684 \".private\" \u9879\uff0c\u5728 mirrors4 \u4e2d\u65b0\u589e \"sb\" \u9879\u3002

\u56e0\u4e3a rsync-proxy \u6700\u7ec8\u8fd8\u9700\u8981\u8fde\u63a5\u5230\u540e\u7aef\u7684 rsyncd\uff0c\u56e0\u6b64 mirrors4 \u7684 rsyncd \u914d\u7f6e\u4e5f\u9700\u8981\u4fee\u6539\u3002 \u5728 /etc/rsyncd \u4e0b\u6267\u884c python3 generate_common.py --write \u5199\u5165\u914d\u7f6e\uff0c\u4f7f\u7528 git diff \u68c0\u67e5\u65e0\u8bef\u540e git commit\u3002 rsyncd \u914d\u7f6e\u4e2d\u5305\u542b\u4e0d\u516c\u5f00 rsync \u7684\u5185\u5bb9\uff08\u5982 git \u76ee\u5f55\uff09\u4e0d\u4f1a\u5bfc\u81f4\u95ee\u9898\uff0c\u56e0\u4e3a\u6240\u6709\u7528\u6237\u63a5\u89e6\u5230\u7684\u90fd\u662f rsync-proxy\u3002

\u786e\u8ba4\u540e\u91cd\u8f7d rsync-proxy:

systemctl reload rsync-proxy\n

Rsyncd \u4e0d\u9700\u8981\u91cd\u8f7d\uff1a\u6bcf\u4e2a\u6709\u6548\u8fde\u63a5\u4f1a\u542f\u52a8\u65b0\u8fdb\u7a0b\uff0c\u800c\u65b0\u8fdb\u7a0b\u4f1a\u91cd\u65b0\u8bfb\u53d6\u914d\u7f6e\u3002

"},{"location":"services/mirrors/repos/#mirrors2","title":"\u5220\u9664 mirrors2 \u4e0a\u7684\u4ed3\u5e93\u4e0e\u76f8\u5173\u9879","text":"

\u6267\u884c yukictl repo rm sb\uff0c\u7136\u540e\u5220\u9664 Yuki \u540c\u6b65\u914d\u7f6e\uff08~mirror/repos-etc/sb.yaml\uff09\uff0c\u540c\u6837\u4e5f\u9700\u8981 git commit\u3002

\u4e4b\u540e\u5220\u9664\u5b58\u50a8\u7684\u5185\u5bb9\uff1a\u6267\u884c /sbin/zfs list \u786e\u8ba4\u8981\u4e0b\u624b\u5220\u9664\u7684\u5b58\u50a8\u6c60\uff0c\u7136\u540e sudo zfs destroy pool0/repo/\u5bf9\u5e94\u7684\u540d\u5b57 \u5220\u9664\u3002

\u540c\u6837\uff0c/srv/rsync-attrs/.private \u7684\u5185\u5bb9\u4e5f\u9700\u8981\u5220\u9664\u3002

"},{"location":"services/mirrors/rsync/","title":"Rsync","text":""},{"location":"services/mirrors/rsync/#rsync-huai","title":"rsync-huai","text":"

rsync-huai \u662f\u574f\u4eba\u7684\u5143\u6570\u636e\u52a0\u901f\u7248\u7684 rsync\uff0c\u539f\u59cb\u4ee3\u7801\u5728 https://github.com/tuna/rsync\u3002

\u7531\u4e8e TUNA \u73b0\u5728\u4f7f\u7528\u5168\u95ea\u7684\u65b9\u6848\uff0c\u4e0d\u518d\u9700\u8981\u8fd9\u4e2a patch \u4e86\uff0c\u56e0\u6b64\u6211\u4eec\u81ea\u5df1\u7ef4\u62a4\u5bf9\u5e94\u7684\u7248\u672c\uff1ahttps://github.com/ustclug/rsync/tree/rsync-3.2.7\u3002

\u7279\u522b\u5730\uff0c/etc/systemd/system/rsyncd-huai@.service \u5185\u5bb9\u5982\u4e0b\uff1a

[Unit]\nDescription=fast remote file copy program daemon\nConditionPathExists=/etc/rsyncd/rsyncd-%i.conf\nAfter=network.target network-online.target\n\n[Service]\nType=simple\nPIDFile=/run/rsyncd-%i.pid\nExecStart=/usr/bin/rsync-huai --daemon --no-detach --config=/etc/rsyncd/rsyncd-%i.conf\nIOSchedulingClass=best-effort\nIOSchedulingPriority=7\nIOAccounting=true\n\n[Install]\nWantedBy=multi-user.target\n
"},{"location":"services/mirrors/rsync/#rsync-proxy","title":"rsync-proxy","text":"

\u8be6\u53c2 https://github.com/ustclug/rsync-proxy\u3002\u4e3a\u4e86\u8ba9\u670d\u52a1\u5668\u80fd\u591f\u8bb0\u5f55 IP \u4e0e\u8bbf\u95ee\u8def\u5f84\u7684\u5173\u7cfb\uff0c\u6211\u4eec\u6253\u5f00\u4e86 proxy protocol \u7279\u6027\u3002

"},{"location":"services/mirrors/services/","title":"\u955c\u50cf\u670d\u52a1","text":""},{"location":"services/mirrors/services/#_2","title":"\u9996\u9875\u751f\u6210","text":"

\u955c\u50cf\u7ad9\u4e3b\u9875\u662f\u9759\u6001\u7684\uff0c\u7531 https://git.lug.ustc.edu.cn/mirrors/mirrors-index \u811a\u672c\u751f\u6210\u3002

crontab \u4f1a\u5b9a\u65f6\u8fd0\u884c\u8be5\u811a\u672c\uff0c\u751f\u6210\u9996\u9875\u548c mirrorz \u9879\u76ee\u9700\u8981\u7684\u6570\u636e\u3002

\u5728\u9996\u9875\u5c55\u793a\u7684\u300c\u83b7\u53d6\u5b89\u88c5\u955c\u50cf\u300d\u3001\u300c\u83b7\u53d6\u5f00\u6e90\u8f6f\u4ef6\u300d\u3001\u300c\u53cd\u5411\u4ee3\u7406\u5217\u8868\u300d\u5206\u522b\u7531 config \u5185\u914d\u7f6e\u6307\u5b9a\uff0c\u300c\u6587\u4ef6\u5217\u8868\u300d\u5185\u5bb9\u5219\u4f1a\u4ece\u540c\u6b65\u7a0b\u5e8f yuki \u7684 api \u4e2d\u83b7\u53d6\u3002

"},{"location":"services/mirrors/services/#http","title":"HTTP \u670d\u52a1","text":"

Mirrors \u4f7f\u7528 OpenResty\uff08\u4e00\u4e2a\u6253\u5305 Nginx \u548c\u4e00\u5806\u6709\u7528\u7684 Lua \u6a21\u5757\u7684\u8f6f\u4ef6\u5305\uff09\u63d0\u4f9b HTTP \u670d\u52a1\u3002

\u914d\u7f6e\u6587\u4ef6\u4f4d\u4e8e LUG GitLab \u4e0a\uff1ahttps://git.lug.ustc.edu.cn/mirrors/nginx-config\uff0c\u6b64\u4ed3\u5e93\u5bf9\u5e94 mirrors \u4e0a\u7684 /etc/nginx \u76ee\u5f55\u3002

"},{"location":"services/mirrors/services/#_3","title":"\u8bf7\u6c42\u9650\u5236\u7b56\u7565","text":"

\u89c1\u9650\u5236\u7b56\u7565\u3002

"},{"location":"services/mirrors/services/#repo-stats","title":"\u6bcf\u65e5\u6d41\u91cf\u7edf\u8ba1","text":"

\u8bbf\u95ee\u8def\u5f84\uff1ahttps://mirrors.ustc.edu.cn/status/stats.json

\u811a\u672c\u4f4d\u4e8e https://git.lug.ustc.edu.cn/mirrors/sync/-/blob/scripts/repo_stats.py

\u6bcf\u5929\u5728 logrotate \u6eda\u5b8c nginx \u65e5\u5fd7\u540e\uff0c\u901a\u8fc7\u5206\u6790\u521a\u6eda\u51fa\u6765\u7684\u65e5\u5fd7\u6587\u4ef6\uff0c\u7edf\u8ba1\u6bcf\u4e2a\u4ed3\u5e93\u7684\u8bbf\u95ee\u91cf\u4e0e\u8f93\u51fa\u6d41\u91cf\uff08\u56e0\u6b64\u4ec5\u5305\u542b HTTP \u6d41\u91cf\u7edf\u8ba1\uff09\uff0c\u7136\u540e\u8f93\u51fa\u5230 json \u6587\u4ef6\uff0c\u5e76\u4e14\u989d\u5916\u8f93\u51fa\u4e00\u4efd json \u5230 /var/log/nginx/stats \u4f5c\u4e3a\u5f52\u6863\u5b58\u50a8\uff0c\u65b9\u4fbf\u4ee5\u540e\u5206\u6790\u3002

\u9700\u8981\u6ce8\u610f\u7684\u662f\u8fd9\u4e2a\u811a\u672c\u662f\u7531 logrotate \u5728 nginx \u7684 postrotate script \u91cc\u8fd0\u884c\u7684\uff0c\u800c\u4e0d\u662f\u7531 cron \u6216\u8005 systemd timer\uff0c\u56e0\u6b64\u8c03\u7528\u5165\u53e3\u5728\u8fd9\u91cc\uff1a

/etc/logrotate.d/nginx
postrotate\n    # [...]\n    sudo -iu mirror ~mirror/scripts/repo_stats.py\nendscript\n
"},{"location":"services/mirrors/services/#rsync","title":"Rsync \u670d\u52a1","text":"

\u672a\u5b8c\u5f85\u7eed\u3002

"},{"location":"services/mirrors/services/#_4","title":"\u53cd\u5411\u4ee3\u7406\u670d\u52a1","text":"

\u672a\u5b8c\u5f85\u7eed\u3002

"},{"location":"services/mirrors/services/#git","title":"Git \u670d\u52a1","text":"

Mirrors \u4e0a\u7684 Git \u670d\u52a1\u7531\u4e24\u90e8\u5206\u7ec4\u6210\uff1a

\u5176\u4e2d system-cgi.slice \u662f\u6211\u4eec\u81ea\u5df1\u5b9a\u4e49\u7684\u4e00\u4e2a slice\uff0c\u7528\u4e8e\u9650\u5236 CGI \u670d\u52a1\u7684\u8d44\u6e90\u4f7f\u7528\u3002

/etc/systemd/system/system-cgi.slice
[Unit]\nDescription=Slice for CGI services (notably Git daemon)\n\n[Slice]\nMemoryMax=32G\nMemoryHigh=28G\n\nIOAccounting=true\n
"},{"location":"services/mirrors/services/#ftp","title":"FTP \u670d\u52a1\uff08\u5df2\u5e9f\u5f03\uff09","text":"

Mirrors \u66fe\u7ecf\u63d0\u4f9b FTP \u670d\u52a1\uff0c\u7531 vsftpd \u63d0\u4f9b\u3002\u5728\u5c06\u4e3b\u529b\u670d\u52a1\u5668\u4ece mirrors2 \u8fc1\u79fb\u81f3 mirrors4 \u65f6\u5e9f\u5f03\uff0c\u5373 mirrors4 \u4e0a\u4ece\u672a\u5b89\u88c5\u914d\u7f6e\u8fc7 vsftpd\uff08\u4f46 mirrors2 \u4e0a\u8fd8\u7559\u5b58\u6709\u914d\u7f6e\u6587\u4ef6\uff09\u3002

\u7531\u4e8e\u5e74\u4ee3\u4e45\u8fdc\u4e14\u6211\u4eec\u4e0d\u518d\u6253\u7b97\u6062\u590d FTP \u670d\u52a1\uff0c\u8fd9\u90e8\u5206\u6587\u6863\u4e5f\u5c31\u5495\u5495\u5495\u4e86\u3002

"},{"location":"services/mirrors/xfs/","title":"XFS","text":"

\u5bf9\u4e8e\u4f7f\u7528 XFS \u5b58\u50a8\u955c\u50cf\u4ed3\u5e93\u7684\u670d\u52a1\u5668\uff0c\u6211\u4eec\u4f7f\u7528 XFS \u7684 quota \u529f\u80fd\u76d1\u89c6\u4ed3\u5e93\u5bb9\u91cf\u3002/srv/repo \u4e0b\u7684\u6bcf\u4e2a\u76ee\u5f55\u4e3a\u4e00\u4e2a\u4ed3\u5e93\uff0c\u6709\u4e00\u4e2a\u5bf9\u5e94\u7684 XFS project\u3002\u6b64 XFS \u6587\u4ef6\u7cfb\u7edf\u9700\u8981\u4f7f\u7528 pqnoenforce \u9009\u9879\u6302\u8f7d\uff0c\u56e0\u4e3a\u6211\u4eec\u53ea\u4f7f\u7528\u5bb9\u91cf\u7edf\u8ba1\u529f\u80fd\uff0c\u4e0d\u9700\u8981\u9650\u5236\u4ed3\u5e93\u7684\u78c1\u76d8\u4f7f\u7528\u3002

Todo

\u9700\u8981\u8c03\u7814\uff1a\u5feb\u901f\u5220\u9664\u4ed3\u5e93\u4e0e\u91cd\u547d\u540d\u4ed3\u5e93 (mv \u548c rm \u53ef\u80fd\u592a\u6162\u4e86)

"},{"location":"services/mirrors/xfs/#new-repo","title":"\u6dfb\u52a0\u4e00\u4e2a\u65b0\u4ed3\u5e93","text":""},{"location":"services/mirrors/xfs/#_1","title":"\u521b\u5efa\u76ee\u5f55","text":"

\u5728 /srv/repo/ \u4e0b\u521b\u5efa\u5bf9\u5e94\u7684\u76ee\u5f55\u3002\u6ce8\u610f\u5bf9\u5e94\u76ee\u5f55\u7684\u6240\u6709\u8005\u548c\u6240\u6709\u7ec4\u5747\u5e94\u8be5\u662f mirror\u3002

chown mirror: /srv/repo/example\n
"},{"location":"services/mirrors/xfs/#xfs-project","title":"\u521b\u5efa XFS project","text":"

\u4e3a\u65b0\u4ed3\u5e93\u521b\u5efa XFS quota \u4ee5\u4fbf\u4e8e\u76d1\u89c6\u5bb9\u91cf\u3002\u9996\u5148\u68c0\u67e5 /etc/projects \u548c /etc/projid\uff0c\u627e\u5230\u5927\u4e8e 1000 \u7684 ID \u5e8f\u5217\uff0c\u627e\u51fa\u4e0b\u4e00\u4e2a ID\uff08\u4f8b\u5982 1111\uff0c\u4e0b\u9762\u4f7f\u7528\u8fd9\u4e2a\u4f5c\u4e3a\u4f8b\u5b50\uff09\u3002

mkdir /srv/repo/example\n

\u7f16\u8f91 /etc/projects\uff0c\u52a0\u5165\u5982\u4e0b\u4e00\u884c

1111:/srv/repo/example\n

\u7136\u540e\u6267\u884c\uff1a

xfs_quota -x -c 'project -s 1111'\n

\u7f16\u8f91 /etc/projid\uff0c\u52a0\u5165\u5982\u4e0b\u4e00\u884c

example:1111\n

\u4fe1\u606f

\u6211\u4eec\u7684\u955c\u50cf\u7ba1\u7406\u5668 Yuki \u6839\u636e\u955c\u50cf\u76ee\u5f55\u7684\u6700\u540e\u4e00\u6bb5\u540d\u79f0\uff08\u5373 basename\uff09\u6765\u4ece XFS \u4e2d\u83b7\u53d6\u5bb9\u91cf\u4fe1\u606f\uff0c\u56e0\u6b64 /etc/projid \u6587\u4ef6\u5185\u5bb9\u6b63\u786e\u624d\u80fd\u4f7f Yuki \u5f97\u5230\u6b63\u786e\u7684\u5bb9\u91cf\u3002

"},{"location":"services/mirrors/xfs/#_2","title":"\u4fbf\u6377\u914d\u7f6e\u811a\u672c","text":"
#!/bin/bash\n\n# Determine largest project ID\nnext_id() {\n  local PROJID=$(cut -d':' -f1 /etc/projects | sort -n | tail -1)\n  echo $((++PROJID))\n}\n\nBASE=\"/srv/repo\"\nreadonly BASE\n\nif [ \"$1\" = \"-m\" ]; then\n  MKDIR=yes\n  shift\nfi\n\nwhile [ $# -ne 0 ]; do\n  N=\"${1//\\//}\"\n  shift\n  if grep -q \"$BASE/$N\\$\" /etc/projects; then\n    echo \"Repo $N exists, skipped.\" >&2\n    continue\n  fi\n\n  if [ ! -e \"$BASE/$N\" ]; then\n    if [ -n \"$MKDIR\" ]; then\n      echo \"Path $BASE/$N does not exist, creating directory.\" >&2\n      mkdir -p \"$BASE/$N\"\n    else\n      echo \"Path $BASE/$N does not exist, ignored.\" >&2\n      continue\n    fi\n  elif [ ! -d \"$BASE/$N\" ]; then\n    echo \"Path $BASE/$N is not a directory, ignored.\" >&2\n    continue\n  fi\n\n  ID=\"$(next_id)\"\n  echo \"$ID:$BASE/$N\" >> /etc/projects\n  echo \"$N:$ID\" >> /etc/projid\n  xfs_quota -x -c \"project -s $ID\" &>/dev/null\n  echo \"Added $N (ID $ID)\"\ndone\n
"},{"location":"services/mirrors/xfs/#quota","title":"\u67e5\u770b quota \u60c5\u51b5","text":"
xfs_quota -c 'df -h'\n
"},{"location":"services/mirrors/zfs/","title":"ZFS","text":""},{"location":"services/mirrors/zfs/#common-operations","title":"Common Operations","text":"Get zpool status
zpool status\n
Get IO status
zpool iostat -v 1\n
Replace Disk
zpool replace pool0 old-disk new-disk\n
New ZFS file system
zfs create [-o option=value ...] <filesystem>\n\n# Example\nzfs create pool0/repo/debian\n

If mountpoint is not specified, then it's inherited from the parent with a subpath appended. E.g. when pool0/example is mounted on /mnt/haha then pool0/example/test will by default mount on /mnt/haha/test.

Destory ZFS file system
zfs destroy <filesystem>\n\n# Example\nzfs destroy pool0/repo/debian\n
"},{"location":"services/mirrors/zfs/#new-repo","title":"Create new repository","text":"
zfs create pool0/repo/example\n

Contrary to XFS, no other steps are needed.

"},{"location":"services/mirrors/zfs/#setup","title":"Setup","text":"

This section is recorded for reference only.

"},{"location":"services/mirrors/zfs/#pool-setup-mirrors2","title":"Pool setup (mirrors2)","text":"
zpool create pool0 \\\n  -O canmount=off \\\n  -O xattr=sa \\\n  -O relatime=on \\\n  -O compress=zstd \\\n  raidz2 \\\n  ata-HGST_HUS726060ALE610_K1GKVAAD \\\n  ata-HGST_HUS726060ALE610_K1GHTLND \\\n  ata-HGST_HUS726060ALE610_K1GHTVWD \\\n  ata-HGST_HUS726060ALE610_K1GKNJUD \\\n  ata-HGST_HUS726060ALE610_K1GK5KND \\\n  ata-HGST_HUS726060ALE610_K1GK9GXD \\\n  raidz2 \\\n  ata-HGST_HUS726060ALE610_NCH13D2V \\\n  ata-HGST_HUS726T6TALE6L4_V9KWJ1PL \\\n  ata-HGST_HUS726T6TALE6L4_V9HU810L \\\n  ata-HGST_HUS726060ALE610_NCH141WV \\\n  ata-HGST_HUS726060ALE610_K1GKPDSD \\\n  ata-HGST_HUS726T6TALE6L4_V9KTTT5L \\\n  cache nvme0n1\n

Note

The -O option applies to the root dataset.

Create ZFS (2016)
zpool create -f pool0 \\\n  raidz3 \\\n  ata-HGST_HUS726060ALE610_K1GHTLND \\\n  ata-HGST_HUS726060ALE610_K1GHTVWD \\\n  ata-HGST_HUS726060ALE610_K1GK5KND \\\n  ata-HGST_HUS726060ALE610_K1GK9GXD \\\n  ata-HGST_HUS726060ALE610_K1GKNJUD \\\n  ata-HGST_HUS726060ALE610_K1GKNP5D \\\n  ata-HGST_HUS726060ALE610_K1GKNR6D \\\n  ata-HGST_HUS726060ALE610_K1GKPDSD \\\n  ata-HGST_HUS726060ALE610_K1GKVAAD \\\n  ata-HGST_HUS726060ALE610_NCH04T5V \\\n  ata-HGST_HUS726060ALE610_NCH13D2V \\\n  spare \\\n  ata-HGST_HUS726060ALE610_NCH141WV \\\n  log mirror \\\n  ata-INTEL_SSDSC2BB240G6_PHWA64410400240AGN-part1 \\\n  ata-INTEL_SSDSC2BB240G6_PHWA6441041N240AGN-part1 \\\n  cache \\\n  ata-INTEL_SSDSC2BB240G6_PHWA64410400240AGN-part2 \\\n  ata-INTEL_SSDSC2BB240G6_PHWA6441041N240AGN-part2\n
"},{"location":"services/mirrors/zfs/#zfs-kernel-module","title":"ZFS kernel module","text":"

For OpenZFS 2.2:

/etc/modprobe.d/zfs.conf
# Set ARC size to 160-200 GiB, keep 16 GiB free for OS\noptions zfs zfs_arc_max=214748364800\noptions zfs zfs_arc_min=171798691840\noptions zfs zfs_arc_sys_free=17179869184\n\n# Favor metadata to data by 20x (OpenZFS 2.2+)\noptions zfs zfs_arc_meta_balance=2000\n\n# Allow up to 80% of ARC to be used for dnodes\noptions zfs zfs_arc_dnode_limit_percent=80\n\n# Allow every block to be written to ZIL\noptions zfs zfs_immediate_write_sz=16777216\n\n# See man page section \"ZFS I/O Scheduler\"\noptions zfs zfs_vdev_async_read_max_active=8\noptions zfs zfs_vdev_async_read_min_active=2\noptions zfs zfs_vdev_scrub_max_active=5\noptions zfs zfs_vdev_max_active=20000\n\n# Never throttle the ARC\noptions zfs zfs_arc_lotsfree_percent=0\n\n# Tune L2ARC\noptions zfs l2arc_headroom=8\noptions zfs l2arc_write_max=67108864\noptions zfs l2arc_noprefetch=0\n

Refer to zfs(4).

Note

zfs_dmu_offset_next_sync is 1 by default since OpenZFS v2.1.5, so it's omitted in the configuration.

"},{"location":"services/mirrors/zfs/#dataset-properties","title":"Dataset properties","text":"

On mirrors2:

zfs create -o compress=zstd-8 -o recordsize=1M -o atime=off pool0/backup\n\nzfs create pool0/backup/rootfs # inherit everything\nzfs create -o acltype=posix pool0/backup/oldlog\n\nzfs create \\\n  -o mountpoint=/srv/repo \\\n  -o recordsize=1M \\\n  -o xattr=off \\\n  -o atime=off \\\n  -o setuid=off \\\n  -o exec=off \\\n  -o devices=off \\\n  -o sync=disabled \\\n  -o secondarycache=metadata \\\n  -o redundant_metadata=some \\\n  pool0/repo\n

Refer to zfsprops(7).

"},{"location":"services/mirrors/zfs/#considerations","title":"Considerations","text":"mountpoint

Self-explanatory.

recordsize=1M

This is the \"block size\" for ZFS, i.e. how large files are split into blocks. Each block (record) is stored contiguously on disk and is read/written as a whole.

Since the typical read pattern on mirror sites is whole-file sequential read, it makes sense to set recordsize to the maximum value permitted1. Larger recordsize allows the compression algorithm to exploit more opportunities, while also reducing I/O count for large files.

Note that files under a single recordsize will not be padded up and will be stored as a single block, so no space is wasted.

compression=zstd (inherited from pool0)

Enable compression so anything will be tried to compress. The default algorithm (i.e. compression=on) is LZ4, which is very fast but not as effective. Zstd is a modern multi-threaded algorithm that is also very fast but compresses better. The default compression level is 3 (i.e. zstd = zstd-3).

Since OpenZFS 2.2, there's an \"early-abort\" mechanism for Zstd level 3 or up: Every block is first tried with LZ4, then Zstd-1, and if and only if both algorithms suggest that the data block would compress well, the actual algorithm will be applied and the compressed result will be written to disk. This early-abort mechanism ensures minimal CPU wasted for incompressible data.

xattr=off

Apparently mirror data do not need extended attributes.

atime=off, setuid=off, exec=off, devices=off

These simply maps to the noatime, nosuid, noexec, and nodev mount options respectively. It's safe to assume we don't need these features for mirror data.

sync=disabled

Disable any \"synchronous write\" semantics. This means files will not respond to open(O_SYNC) and sync(2) calls. Pending writes will only be committed to disk after zfs_txg_timeout seconds (default 5) or when the write buffer is full.

While normally this is a bad idea as it goes against data integrity (namely, the \"D\" in ACID), for mirror data that can be easily regenerated, this improves write performance and reduces fragmentation (also note that zfs_dmu_offset_next_sync is enabled by default).

secondarycache=metadata

As mirrors2 only serves Rsync requests, caching file content provides little benefit. Instead, we cache metadata only to reduce the number of disk seeks.

redundant_metadata=some

(Just read zfsprops(7) and you'll be able to reason about this.)

"},{"location":"services/mirrors/zfs/#traps","title":"Traps","text":"

Do NOT install zfs-dkms and related packages from Debian backports repositories. They'll easily break when upgrading.

As of Debian Buster the ZFS packages from the mainstream repository is stable and new enough for our use.

\u4ecd\u7136\u5efa\u8bae\u5b89\u88c5 Backports \u7248\u672c\u7684 ZFS\u3002\u300cStable \u8d8a\u5f80\u540e\uff08\u5bf9 ZFS \u76f8\u5173\u8f6f\u4ef6\u5305\u7684\uff09\u7ef4\u62a4\u8d8a\u5f31\u300d\uff0c\u4ece\u800c\u5bfc\u81f4 stable \u7684 ZFS \u53cd\u800c\u8d28\u91cf\u4e0d\u5982 backports \u7248\u672c\u7684\u3002

  1. Actually, there's the zfs_max_recordsize module parameter which can be increased to up to 16 MiB. There's a reason this is set to 1 MiB by default, so we're not going to blindly aim for the maximum.\u00a0\u21a9

"},{"location":"services/mirrors/1/","title":"mirrors1","text":"

mirrors1 \u662f 2011 \u5e74\u7f51\u7edc\u4fe1\u606f\u4e2d\u5fc3\u63d0\u4f9b\u7ed9 LUG \u7528\u4f5c\u521d\u4ee3 mirrors.ustc.edu.cn \u670d\u52a1\u7684\u673a\u5668\uff0c\u662f\u4e00\u53f0\u66d9\u5149 i620r-G

\u53c2\u6570 \u914d\u7f6e CPU Intel(R) Xeon(R) CPU E5620 @ 2.40GHz x 2 \u5185\u5b58 48 GB \u5b58\u50a8 LSI Logic MegaRAID SAS 8708EM2 x 2 DFT RS-3016I-S/D30 \u78c1\u76d8\u9635\u5217 \u7f51\u7edc Ethernet Intel 82574L Gigabit x 2

\u7528\u6237\u624b\u518c

\u7531\u4e8e\u672c\u6587\u7f16\u5199\u65f6\uff082020 \u5e74\uff09\u8be5\u670d\u52a1\u5668\u65e9\u5df2\u4e0d\u518d\u7528\u4f5c mirrors\uff08\u73b0\u5728\u662f esxi-5\uff09\uff0c\u56e0\u6b64\u66f4\u591a\u7684\u4fe1\u606f\u6682\u65e0\u4ece\u8003\u5bdf\u3002

"},{"location":"services/mirrors/1/#ipmi","title":"IPMI","text":"

\u8fd9\u53f0\u673a\u5668\u7684 IPMI \u4f7f\u7528\u6761\u4ef6\u8f83\u4e3a\u82db\u523b\uff0c\u7279\u522b\u662f\u5b83\u7684 Java \u63a7\u5236\u53f0\u53ea\u80fd\u5728 Windows XP\uff0cIE 6 \u548c Java 6 \u73af\u5883\u4e0b\u8fd0\u884c\u3002\u56e0\u6b64\u6211\u4eec\u914d\u7f6e\u4e86\u4e00\u4e2a\u865a\u62df\u673a\u955c\u50cf\u653e\u5728 LUG FTP \u4e0a\u3002

\u4f7f\u7528\u73b0\u4ee3\u7684 HTTP \u5ba2\u6237\u7aef\uff08\u5305\u62ec\u6d4f\u89c8\u5668\u548c cURL \u7b49\uff09\u5c1d\u8bd5\u4e0b\u8f7d viewer.jnlp \u65f6\u4f1a\u9047\u5230\u95ee\u9898\uff0c\u539f\u56e0\u5728\u4e8e IPMI \u4f1a\u8fd4\u56de\u4e00\u4e2a\u9519\u8bef\u7684 Content-Length\uff08\u7ea6 3 KiB\uff09\uff0c\u4f46 jnlp \u6587\u4ef6\u5b9e\u9645\u53ea\u6709 1.6 KiB\uff0c\u4f7f\u5ba2\u6237\u7aef\u8ba4\u4e3a\u6587\u4ef6\u672a\u5b8c\u6574\u4e0b\u8f7d\u3002\u5947\u5999\u7684\u662f\uff0cIE 6 \u4f3c\u4e4e\u4f1a\u5ffd\u7565\u8fd9\u4e2a\u95ee\u9898\uff0c\u7136\u540e\u6b63\u5e38\u6253\u5f00 Java \u63a7\u5236\u53f0\u3002

"},{"location":"services/mirrors/2/","title":"mirrors2","text":"

2016 \u5e74\u5e95\u4ece\u7f51\u7edc\u4fe1\u606f\u4e2d\u5fc3\u83b7\u5f97\u7684\u65b0\u673a\u5668\uff0c\u8fd0\u884c\u81f3\u4eca\uff0c\u627f\u62c5\u4e86\u76ee\u524d mirrors \u7684 rsync \u6d41\u91cf\u3002

\u53c2\u6570 \u914d\u7f6e CPU \u53cc\u8def E5-2620 v4 \u5185\u5b58 256 GB DDR4 \u5b58\u50a8 6 TB * 12 (HDD), 250 GB *2 (SSD) \u7f51\u7edc 1 Gbps * 2

\u66d9\u5149 I620-G20 \u5bfc\u822a\u5149\u76d8

"},{"location":"services/mirrors/2/#networking","title":"Networking","text":"

mirrors2 \u4e0a\u7684\u7f51\u7edc\u914d\u7f6e\u81ea 2024-07-19 \u7ef4\u62a4\u540e\u4e5f\u5207\u6362\u5230\u4e86 systemd-networkd \u65b9\u6848\uff0c\u6587\u6863\u53ef\u4ee5\u53c2\u8003 mirrors4\u3002

Old info

mirrors2 \u4e0a\u7684\u7f51\u7edc\u4f7f\u7528\u9ed8\u8ba4\u7684 ifupdown \u914d\u7f6e\u3002

\u5728 /etc/network/interfaces.d \u4e2d\u5b58\u653e\u7740\u63a5\u53e3\u914d\u7f6e\uff0c\u4f7f\u7528 ifup/ifdown \u6765\u542f\u7528/\u505c\u7528\u67d0\u4e00\u63a5\u53e3\u3002

\u91cd\u542f\u6240\u6709\u7f51\u7edc\u63a5\u53e3

\u5728\u67d0\u6b21 mirrors2 \u79bb\u7ebf\u6545\u969c\u4e2d\uff0c\u8bef\u64cd\u4f5c\u7684 systemctl restart networking \u8fd4\u56de\u4e86\u5931\u8d25\u7684\u7ed3\u679c\uff0c\u4ece\u800c\u5bfc\u81f4\u4e86 mirrors2 \u4ece\u67d0\u4e00\u7f51\u7edc\u63a5\u53e3\u65ad\u5f00\uff08\u731c\u6d4b\uff09\uff08\u5b9e\u9645\u539f\u56e0\u89c1\u4e0b\uff09\uff0c\u91cd\u542f\u6240\u6709\u63a5\u53e3\u4fee\u590d\u4e86\u95ee\u9898\uff1aifdown -a && ifup -a

\u5b9e\u9645\u539f\u56e0\u662f bridge interface \u8fde\u63a5\u7684\u90a3\u4e2a interface \u5728 ifupdown \u7684 config \u91cc\u7684\u914d\u7f6e\u65b9\u5f0f\u662f static \u7684\uff0c\u5728\u542f\u7528 bridge interface \u65f6\u4f1a\u81ea\u52a8\u66f4\u6539\u914d\u7f6e\u5bfc\u81f4 offline\u3002\u6539\u6210 manual \u7981\u6b62\u5b83\u7684\u81ea\u52a8\u884c\u4e3a\u4e4b\u540e\u5c31\u6ca1\u4e8b\u4e86\u3002

"},{"location":"services/mirrors/3/","title":"mirrors3","text":"

2020 \u5e74\u521d\u4ece\u56fe\u4e66\u9986\u6280\u672f\u90e8\u83b7\u5f97\u7684\u4e00\u53f0\u65e7\u670d\u52a1\u5668\uff0c\u4e3a\u6234\u5c14 PowerEdge R510\uff0c\u8d1f\u8f7d\u6bd4\u8f83\u6742\u4e71,\u4e3b\u8981\u662f\u4e00\u4e9b\u65e2\u51b7\u95e8\u53c8\u5927\u7684\u4ed3\u5e93\u7684 HTTP + rsync \u6d41\u91cf\u3002

\u53c2\u6570 \u914d\u7f6e CPU \u53cc\u8def\u81f3\u5f3a E5620 \u5185\u5b58 32 GB DDR3 \u5b58\u50a8 1 TB*2 (HDD), 2 TB*5 (HDD), 3 TB*1 (HDD) 1 TB (SAS HDD), 1.8 TB * 3 (SATA HDD), 1 TB (SATA HDD) \u540c\u53cb iSCSI \u9635\u5217\uff0c4 TB * 16 (HDD) \u7f51\u7edc 1 Gbps * 2

\u5b58\u50a8\u7ed3\u6784\uff1a

\u6ce8\u610f\u4e8b\u9879

\u7531\u4e8e PERC 6/i \u9635\u5217\u5361\u7684\u9650\u5236\uff0c\u7269\u7406\u78c1\u76d8\u5927\u5c0f\u6700\u5927\u652f\u6301 2TB\uff08SAS 4TB \u76d8\u65e0\u6cd5\u8bc6\u522b\u5927\u5c0f\uff09\u3002\u5728\u5c06 SAS \u574f\u76d8\u79fb\u9664\u540e\uff0c\u76ee\u524d\uff082022/5/10\uff09rootfs VD \u5904\u4e8e degraded \u72b6\u6001\u3002

PERC H700 \u9635\u5217\u5361\u7531\u4e8e\u7f3a\u5c11\u4e24\u6839 SAS \u8f6c\u63a5\u7ebf\uff0c\u5e76\u4e14 mirrors3 \u673a\u67b6\u524d\u53f3\u4fa7\u8f68\u9053\u5904\u65e0\u6cd5\u89e3\u9664\u9501\u5b9a\uff0c\u4e14\u66f4\u6362\u9635\u5217\u5361\u9700\u8981\u5c06\u5176\u4ed6\u6269\u5c55\u5361\u5168\u90e8\u79fb\u9664\uff08\u53c2\u89c1 PowerEdge R510 \u786c\u4ef6\u7528\u6237\u624b\u518c\uff09\uff0c\u7ed9\u65b0\u9635\u5217\u5361\u5b89\u88c5\u5e26\u6765\u4e86\u5f88\u5927\u7684\u96be\u5ea6\u3002

1 TB * 2

\u4f4d\u4e8e\u673a\u8eab\uff0c\u7ec4\u6210 RAID1 \u5b89\u88c5\u64cd\u4f5c\u7cfb\u7edf\uff0c\u6302\u8f7d\u4e3a rootfs

2 TB * 5 + 3 TB * 1

\u540c\u6837\u4f4d\u4e8e\u673a\u8eab\uff0c\u7ec4\u6210 RAID6 \u5b58\u653e\u8d44\u6599\uff08\u6240\u4ee5\u552f\u4e00\u4e00\u5757 3 TB \u7684\u786c\u76d8\u5b9e\u9645\u4e0a\u5f53\u505a 2 TB \u7684\u6765\u7528\uff09

\u5916\u90e8\u9635\u5217\uff0c4 TB * 16

\u901a\u8fc7 SFP+ \u5149\u7ea4\u6302\u8f7d\u4e3a iSCSI \u8bbe\u5907\uff0c\u5206\u4e3a\u4e24\u7ec4 RAID60\uff08\u53ef\u7528\u5bb9\u91cf\u4e3a 12 \u5757\u76d8\uff09\u5b58\u50a8\u8d44\u6599

"},{"location":"services/mirrors/4/","title":"mirrors4","text":"

mirrors4 \u662f 2020 \u5e74 3 \u6708 24 \u65e5\u7f51\u7edc\u4fe1\u606f\u4e2d\u5fc3\u63d0\u4f9b\u7ed9 LUG \u7684\u65b0\u673a\u5668\uff0c\u662f\u4e00\u53f0\u6d6a\u6f6e NF5280M5\u3002

"},{"location":"services/mirrors/4/#_1","title":"\u786c\u4ef6\u914d\u7f6e","text":"CPU

\u53cc\u8def Intel Xeon Gold 6230

\u5185\u5b58

256 GB DDR4 2933 (8 * 32 GB SKHynix)

\u786c\u76d8

\u4e00\u5757\u4e09\u661f PM883 2TB

12 \u5757 HGST HUH721010AL (10 TB)

\u4e24\u4e2a\u786c\u76d8\u63a7\u5236\u5668 MegaRAID SAS-3 3108

\u91c7\u7528 ZFS \u5c06 12 \u5757 HDD \u7ec4\u6210\u4e00\u4e2a pool\u3002

\u7f51\u5361

\u677f\u8f7d Intel X722 GbE (4 \u4e2a\u5343\u5146\u7f51\u53e3)

PCI-e \u6269\u5c55\u5361\uff1aIntel X520 (82599ES) SFP+ (2 \u4e2a\u4e07\u5146\u5149\u53e3)

"},{"location":"services/mirrors/4/#_2","title":"\u78c1\u76d8\u5206\u533a","text":"

\u4e00\u5757 SSD \u5206\u4e3a 512M \u7684 EFI \u5206\u533a\uff0c\u5269\u4f59\u7a7a\u95f4\u5efa\u4e86\u4e00\u4e2a LVM\uff08VG lug\uff09\u3002LVM \u4e0a\u88c5\u7cfb\u7edf\uff08lug/root\uff09\u3001swap\uff08lug/swap\uff09\u3001Docker \u6570\u636e\uff08lug/docker\uff09\u548c L2ARC\uff08lug/l2arc\uff0c1.5 TB\uff09\u3002

\u5168\u90e8 12 \u5757 HDD \u7528 ZFS \u505a\u4e86\u4e00\u4e2a pool\uff0c\u6bcf\u4e2a\u63a7\u5236\u5668\u4e0a\u9762\u7684 6 \u5757\u76d8\u4f5c\u4e3a\u4e00\u4e2a RAIDZ2 vdev\uff0c\u8fd9\u4e2a ZFS pool \u7528\u4e8e /home \u548c /srv/repo\uff08\u4ed3\u5e93\u6570\u636e\uff09\u7b49\u3002

"},{"location":"services/mirrors/4/#swap-oom","title":"Swap \u4e0e OOM","text":"

\u8fd9\u53f0\u670d\u52a1\u5668\u521d\u88c5\u65f6\u662f\u6ca1\u6709\u914d\u7f6e swap \u7684\uff0c\u5728 2024-10-31 17:12 \u5de6\u53f3\u7531 git daemon \u5bfc\u81f4 OOM \u540e\u8865\u5145\u4e86 64G swap\uff0c\u6b64\u65f6 VG \u5269\u4f59\u7a7a\u95f4\u8fd8\u6709 100 \u591a GB \u7559\u7ed9\u4ee5\u540e\u4f7f\u7528\u3002

\u540c\u65f6\u6211\u4eec\u4e5f\u7ed9 git daemon \u4e0a\u4e86\u5185\u5b58\u9650\u5236\uff0c\u8be6\u60c5\u89c1 Service\u3002

"},{"location":"services/mirrors/4/volumes-old/","title":"Volumes on mirrors4","text":"

\u6ce8\u610f

mirrors4 \u4e8e 2024 \u5e74 7 \u6708\u91cd\u5efa\u4e3a ZFS pool\uff0c\u4ee5\u4e0b\u5185\u5bb9\u5df2\u7ecf\u8fc7\u65f6\u3002

"},{"location":"services/mirrors/4/volumes-old/#_1","title":"\u78c1\u76d8\u5206\u533a","text":"

\u7531\u4e8e\u4e0d\u80fd\u8de8\u63a7\u5236\u5668\u7ec4 RAID \u6216 LUN\uff0c\u4e14\u6bcf\u4e2a\u63a7\u5236\u5668\u53ea\u6709 8 \u4e2a\u63d2\u69fd\uff0c\u56e0\u6b64\u5c06 12 \u5757 HDD \u5206\u4e3a 6 \u5757\u4e00\u7ec4\u63d2\u5728\u4e24\u4e2a\u63a7\u5236\u5668\u4e0a\u7ec4\u6210 RAID6\uff0c\u4ee5\u4e24\u4e2a\u903b\u8f91\u5377\u5448\u73b0\u7ed9\u64cd\u4f5c\u7cfb\u7edf\uff0c\u4e0a\u5c42\u7528 LVM \u5904\u7406\u3002SSD \u5355\u72ec\u521b\u5efa\u4e00\u4e2a\u903b\u8f91\u5377\u7ed9\u64cd\u4f5c\u7cfb\u7edf\u3002

\u6ce8\u610f

\u8fd9\u91cc\u7ed9\u51fa\u7684\u547d\u4ee4\u4ec5\u7528\u4e8e\u5c55\u793a\u5206\u533a\uff08\u5377\uff09\u7684\u521b\u5efa\u65b9\u5f0f\uff0c\u9664\u975e\u5b8c\u5168\u91cd\u88c5\uff0c\u5426\u5219\u4e0d\u5e94\u8be5\u6267\u884c\u5176\u4e2d\u4efb\u4f55\u4e00\u6761\u6709\u526f\u4f5c\u7528\u7684\u547d\u4ee4\u3002

\u64cd\u4f5c\u7cfb\u7edf\u770b\u5230\u4e09\u4e2a\u786c\u76d8\uff1a\u4e24\u4e2a RAID6 \u5927\u76d8\uff0840 TB / 36.4 TiB\uff09\u548c\u4e00\u4e2a SSD\uff082 TB / 1.86 TiB\uff09\u3002\u8bbe\u4e24\u4e2a\u5927\u76d8\u4e3a /dev/sda \u548c /dev/sdb\uff0cSSD \u4e3a /dev/sdc\u3002

\u7531\u4e8e\u542f\u52a8\u5206\u533a\u4e0d\u80fd\u653e\u5728 LVM \u4e0a\uff0c\u56e0\u6b64\u4ee5\u5982\u4e0b\u65b9\u5f0f\u521b\u5efa\u5206\u533a\uff1a

root@mirrors4:~# fdisk -l /dev/sda\nDisk /dev/sda: 36.4 TiB, 40001177911296 bytes, 78127300608 sectors\nDisk model: MR9361-8i\nUnits: sectors of 1 * 512 = 512 bytes\nSector size (logical/physical): 512 bytes / 4096 bytes\nI/O size (minimum/optimal): 262144 bytes / 262144 bytes\nDisklabel type: gpt\nDisk identifier: AAAAAAAA-AAAA-AAAA-AAAA-AAAAAAAAAAAA\n\nDevice       Start         End     Sectors  Size Type\n/dev/sda1     2048        4095        2048    1M BIOS boot\n/dev/sda2     4096     1052671     1048576  512M EFI System\n/dev/sda3  1052672 78127300574 78126247903 36.4T Linux LVM\n

sdb \u7684\u53c2\u6570\u5b8c\u5168\u4e00\u6837\u3002

\u5b9e\u9645\u7684\u542f\u52a8\u5206\u533a\u4e3a /dev/sda2\uff0c\u5c06\u5176 dd \u5230 /dev/sdb2 \u505a\u5907\u4efd\u3002

\u7136\u540e\u662f SSD \u7684\u5206\u533a\uff1a

Disk /dev/sdc: 1.8 TiB, 1919816826880 bytes, 3749642240 sectors\nDisk model: MR9361-8i\nUnits: sectors of 1 * 512 = 512 bytes\nSector size (logical/physical): 512 bytes / 4096 bytes\nI/O size (minimum/optimal): 65536 bytes / 65536 bytes\nDisklabel type: gpt\nDisk identifier: AAAAAAAA-AAAA-AAAA-AAAA-AAAAAAAAAAAA\n\nDevice     Start        End    Sectors  Size Type\n/dev/sdc1   2048 3749642206 3749640159  1.8T Linux LVM\n
"},{"location":"services/mirrors/4/volumes-old/#lvm","title":"LVM","text":"

\u628a sda3 \u548c sdb3 \u90fd\u653e\u8fdb LVM\uff1a

# fdisk \u5206\u533a\u5b8c\u6bd5\uff0cw \u5199\u5165\u9000\u51fa\npvcreate /dev/sda3 /dev/sdb3\nvgcreate lug /dev/sda3 /dev/sdb3\n

\u521b\u5efa rootfs\uff0c\u8fd9\u91cc\u4ee5 RAID1 \u7684\u65b9\u5f0f\uff08--type raid1\uff09\u521b\u5efa\u8fd9\u4e2a\u5206\u533a\uff0c\u8fd9\u6837\u5373\u4f7f sda / sdb \u574f\u6389\u4e00\u6574\u7ec4\u4e4b\u540e\u8fd8\u6709 rootfs \u53ef\u4ee5\u7528\u3002

\u6ce8\u610f\uff1a

lvcreate -n root -L 32G --type raid1 -m 1 lug\nmkfs.ext4 /dev/lug/root\n

\u521b\u5efa home\uff0c\u8fd9\u91cc\u53cd\u6b63\u4e0d\u6015\u574f\uff0c\u7528 RAID0\uff08--type striped \u6216 --type raid0\uff09\u3002

lvcreate -n root -L 64G --type striped -i 2 lug\nmkfs.ext4 /dev/lug/home\n

\u521b\u5efa\u653e\u955c\u50cf\u7684\u5206\u533a\uff0c\u8fd9\u6b21\u8981\u7528 xfs

XFS \u4e0d\u652f\u6301\u7f29\u5c0f

\u56e0\u6b64\u6211\u4eec\u5728\u521d\u88c5\u65f6\u9009\u62e9\u4e3a\u5176\u5206\u914d 48 TiB \u7684\u7a7a\u95f4\uff0c\u800c\u4e0d\u662f VG lug \u7684\u5269\u4f59\u5168\u90e8\u2014\u2014\u8fd9\u6837\u65b9\u4fbf\u4ee5\u540e\u7ef4\u62a4

lvcreate -n repo -L 48T --type striped -i 2 lug\nmkfs.xfs /dev/lug/repo\n

\u5176\u5b9e\u672c\u6765\u8981\u8c03\u4e00\u4e0b\u53c2\u7684\uff0c\u4e0d\u8fc7\u6839\u636e Arch Wiki\uff0cmkfs.xfs \u7684\u9ed8\u8ba4\u53c2\u6570\u5c31\u662f\u6700\u4f18\u7684\uff0c\u6240\u4ee5\u6211\u4eec\u51b3\u5b9a\u4e0d\u52a8\u4e86\u3002

"},{"location":"services/mirrors/4/volumes-old/#ssd","title":"SSD","text":"

SSD \u7684\u7528\u9014\u4e3a\u5b58\u653e Docker \u6570\u636e /var/lib/docker\uff088 GiB \u5c31\u591f\u4e86\uff0c\u4f46\u662f overlay2 \u7684\u540e\u7aef\u7528 ext4 \u66f4\u597d\uff09\uff0c\u5269\u4e0b\u7528\u4f5c lvmcache(7)\u3002

iBug \u5907\u6ce8

\u867d\u7136\u4f3c\u4e4e\u6ca1\u6709\u8fd9\u6837\u505a\uff08\u5148\u521b\u5efa\u5355\u72ec\u7684 VG \u518d\u5408\u5e76\uff09\u7684\u5fc5\u8981\uff0c\u4f46\u662f\u8fd9\u4e48\u505a\u4e00\u5b9a\u4e0d\u4f1a\u51fa\u9519\uff0c\u5c31\u8fd9\u6837\u5427\u3002

\u5728 SSD \u4e0a\u65b0\u5efa\u4e00\u4e2a VG\uff1a

# fdisk \u521b\u5efa\u552f\u4e00\u4e00\u4e2a\u5206\u533a sdc1\uff0c\u4fdd\u5b58\u9000\u51fa\npvcreate /dev/sdc1\nvgcreate ssd /dev/sdc1\n

\u521b\u5efa Docker \u6570\u636e\u76d8\uff1a

lvcreate -L 8G -n docker ssd\nmkfs.ext4 /dev/ssd/docker\n

\u91cd\u8981\uff1a\u521b\u5efa\u7f13\u5b58\u76d8\u548c\u7f13\u5b58\u5143\u6570\u636e\u76d8\u3002\u6839\u636e Red Hat Documentation \u7684\u4ecb\u7ecd\uff0c\u5148\u624b\u52a8\u521b\u5efa\u6570\u636e\u76d8\u548c\u5143\u6570\u636e\u76d8\uff0c\u7136\u540e\u5c06\u4ed6\u4eec\u5408\u5e76\u4e3a\u4e00\u4e2a cache pool\u3002\u5927\u5c0f\u65b9\u9762\uff0c\u6587\u7ae0\u7684\u53c2\u8003\u662f 2G data \u2194 12M meta\uff0c\u8fd9\u91cc\u6211\u4eec\u6709\u63a5\u8fd1 2 TB \u7684 data\uff0c\u5c31\u5206\u914d 16 GB \u4f5c\u4e3a meta \u5427\u3002

lvcreate -L 16G -n mcache_meta ssd\nlvcreate -l 100%FREE -n mcache ssd\nlvreduce -l -2048 ssd/mcache\nlvconvert --type cache-pool --poolmetadata ssd/mcache_meta --cachemode writethrough -c 64K --config allocation/cache_pool_max_chunks=30000000 ssd/mcache\n

\u8fd9\u91cc\u7684\u7f13\u5b58\u6a21\u5f0f\u91c7\u7528 passthrough\uff0c\u5373\u5199\u5165\u52a8\u4f5c\u7ed5\u8fc7\u7f13\u5b58\u76f4\u63a5\u5199\u56de\u539f\u8bbe\u5907\uff08\u5f53\u7136\u5566\uff0c\u5199\u5165\u90fd\u662f\u7531\u4ece\u4e0a\u6e38\u540c\u6b65\u4ea7\u751f\u7684\uff09\uff0c\u53e6\u5916\u4e24\u79cd writeback \u548c writethrough \u90fd\u4f1a\u5199\u5165\u7f13\u5b58\uff0c\u4e0d\u662f\u6211\u4eec\u60f3\u8981\u7684\u3002 passthrough \u6a21\u5f0f\u4e2d\uff0c\u8bfb\u5199\u90fd\u4f1a\u7ed5\u8fc7 cache\uff0c\u552f\u4e00\u7684\u4f5c\u7528\u662f write hit \u4f1a\u4f7f\u5f97 cache \u5bf9\u5e94\u7684\u5757\u5931\u6548\u3002

\u8fd9\u91cc\u4f7f\u7528 writeback \u6a21\u5f0f\uff0c\u56e0\u4e3a\u4ed3\u5e93\u6570\u636e\u6ca1\u4e86\u8fd8\u80fd\u518d\u540c\u6b65\uff0c\u4f7f\u7528 writeback \u63d0\u5347\u6027\u80fd\u66f4\u5408\u9002\u3002

\u51fa\u4e8e\u7a33\u5b9a\u8003\u8651\uff0c\u4f7f\u7528 writethrough \u6a21\u5f0f\u3002\uff08\u6211\u4eec\u7684 Cache \u592a\u5927\u4e86\uff0cwriteback \u53ef\u80fd\u4f1a\u5f04\u574f\u4e0d\u5c11\u4e1c\u897f\uff0c\u5982\u679c metadata \u574f\u4e86\u5c31\u66f4\u9ebb\u70e6\u4e86\uff09

\u5751

\u76f4\u63a5\u4f7f\u7528 lvconvert(8) \u5c1d\u8bd5\u5408\u5e76\u4f1a\u5bfc\u81f4\u5410\u69fd\uff0c\u8fd9\u662f\u4e0a\u9762 lvreduce(8) \u7684\u539f\u56e0\u3002

Volume group \"ssd\" has insufficient free space (0 extents): 2048 required.\n

iBug \u5907\u6ce8

LVM \u63a8\u8350\u7684\u662f\u4e00\u4e2a\u7f13\u5b58\u6c60\u91cc\u4e0d\u8d85\u8fc7 100 \u4e07\u4e2a chunk\uff08\u8fd9\u4e5f\u662f allocation/cache_pool_max_chunks \u7684\u9ed8\u8ba4\u503c\uff09\uff0c\u4f46\u662f\u8fd9\u6837\u6bcf\u4e2a chunk \u7684\u6700\u5c0f\u5927\u5c0f\u4e3a 1.84 MiB \u592a\u5927\u4e86\uff0c\u8003\u8651\u5230\u6211\u4eec\u6709\u8db3\u591f\u7684 CPU \u548c\u5185\u5b58\uff0c\u8fd9\u91cc\u5c31\u94e4\u800c\u8d70\u9669\u5c1d\u8bd5\u4e00\u4e0b\u8f83\u5927\u7684 chunk count\u3002

\u5751 2

\u7f13\u5b58\u76d8\uff08cache pool\uff09\u548c\u88ab\u7f13\u5b58\u7684\u5377\u5fc5\u987b\u5728\u540c\u4e00\u4e2a VG \u4e2d\u3002

\u5751 3 (taoky \u5907\u6ce8)

LVM Cache \u7684\u5e95\u5c42\u662f\u5728\u5185\u6838\u5b9e\u73b0\u7684 dm-cache\u3002\u76ee\u524d\u5df2\u77e5\u7684\u5751\u5982\u4e0b\uff1a

  1. \u5f53\u51fa\u73b0 dirty blocks\uff08\u4e14 cache policy \u4e3a cleaner \u65f6\uff09\uff0c\u65e0\u6cd5\u6b63\u5e38 flush\u3002\u7f51\u7edc\u4e0a\u53ef\u4ee5\u627e\u5230\u7684\u8fd9\u4e2a bug \u7684\u89e3\u51b3\u65b9\u6cd5\u662f\u589e\u5927 migration_threshold \u7684\u503c\uff08\u5728\u65b0\u7248\u672c LVM \u4e2d\uff0cmigration_threshold \u9ed8\u8ba4\u81f3\u5c11\u4f1a\u662f chunk size \u7684 8 \u500d\uff0c\u5728\u6211\u4eec\u7684\u914d\u7f6e\u4e0b\u5c31\u662f 16384 = 2048 * 8\u3002\u8fd9\u4e2a\u7248\u672c\u7684 LVM \u6682\u65f6\u4e0d\u5728 Buster \u4e2d\uff09\uff0c\u4f46\u662f\u7ecf\u8fc7\u6d4b\u8bd5\uff0c\u5355\u7eaf\u589e\u5927 migration_threshold \u6ca1\u6709\u4efb\u4f55\u6548\u679c\u3002Jiahao \u7ffb\u4e86\u4e00\u4e0b dm-cache \u7684\u6e90\u4ee3\u7801\uff0c\u53d1\u73b0 flush \u7684\u6761\u4ef6\u5728 https://elixir.bootlin.com/linux/latest/source/drivers/md/dm-cache-target.c#L1649\uff0c\u53ea\u5728\u72b6\u6001\u4e3a IDLE \u65f6\u624d\u4f1a flush\u3002IDLE \u7684\u7b2c\u4e00\u4e2a\u6761\u4ef6\u9700\u8981 inflight io = 0\uff0c\u6bd4\u8f83\u82db\u523b\uff0c\u53ef\u80fd\u662f\u65e0\u6cd5\u6b63\u5e38 flush \u7684\u539f\u56e0\u3002

    \u4e00\u4e2a\u626d\u66f2\u7684\u89e3\u51b3\u65b9\u6cd5\u662f\uff1a\u5148\u628a migration_threshold \u8bbe\u7f6e\u5f97\u5f88\u5927\uff08\u8bbe\u5927\u5c0f\u4e3a x\uff09\uff0c\u7136\u540e\u9a6c\u4e0a\u7f29\u5c0f\uff0c\u8fd9\u6837\u5c31\u80fd\u628a x \u90a3\u4e48\u591a\u5927\u5c0f\u7684\u810f\u5757\u5f04\u6389\uff08\u539f\u7406\u6682\u65f6\u4e0d\u660e\uff0c\u9700\u8981\u8865\u5145\uff09\u3002\u57fa\u4e8e\u8fd9\u4e2a\u65b9\u6cd5\uff0c\u53ef\u4ee5\u5199\u4e00\u4e2a\u811a\u672c\u6765\u505a flush \u7684\u5de5\u4f5c\uff1a

    # dirty hack\nsudo lvchange --cachepolicy cleaner lug/repo\nfor i in `seq 1 1500`; do sudo lvchange --cachesettings migration_threshold=2113536 lug/repo && sudo lvchange --cachesettings migration_threshold=16384 lug/repo && echo $i && sleep 15; done;\n# \u9700\u8981\u786e\u8ba4\u6ca1\u6709\u810f\u5757\u3002\u5982\u679c\u8fd8\u6709\u7684\u8bdd\u7ee7\u7eed\u6267\u884c\uff08\u6b21\u6570\u8c03\u5c0f\u4e00\u4e9b\uff09\n# \u5982\u679c\u662f\u4ece writeback \u5207\u6362\uff0c\u9700\u8981\u5148\u628a\u6a21\u5f0f\u5207\u5230 writethrough\n# \u7136\u540e\u518d\u4fee\u6539 cachepolicy \u5230 smq\nsudo lvchange --cachepolicy smq lug/repo\n

    \u5728\u6267\u884c\u65f6\uff0c\u53ef\u4ee5\u67e5\u770b\uff1a

    sudo dmsetup status lug-repo\n# \u5728 \"metadata2\" \u524d\u9762\u7684\u524d\u9762\u7684\u6570\u5b57\u5c31\u662f dirty block \u7684\u6570\u91cf\n# \u5982\u679c\u4e0d\u5728\u6267\u884c lvchange\uff08\u6ca1\u6709\u8fdb\u7a0b\u62a2\u5360\u4e86 LVM \u7684\u9501\uff09\uff0c\u53ef\u4ee5\u6267\u884c\u4ee5\u4e0b\u547d\u4ee4\u786e\u8ba4\u810f\u5757\u6570\u91cf\u4ee5\u53ca\u5176\u4ed6\u4e00\u4e9b\u53c2\u6570\u3002\nsudo lvs -o name,cache_policy,cache_settings,chunk_size,cache_used_blocks,cache_dirty_blocks /dev/mapper/lug-repo\n
  2. \u6bcf\u6b21 unclean shutdown \u4e4b\u540e\uff0ccache \u4e2d\u6240\u6709\u5757\u90fd\u4f1a\u88ab\u6807\u8bb0\u4e3a dirty\u3002\u5c3d\u7ba1\u4e0d\u592a\u53ef\u80fd\u963b\u585e\u7cfb\u7edf\u542f\u52a8\uff0c\u8fd9\u53ef\u80fd\u4f1a\u7ed9 HDD \u4e00\u5b9a\u7684\u538b\u529b\u3002

  3. \u6269\u5927 lug/repo \u7684\u5927\u5c0f\u524d\u9700\u8981 uncache\uff0c\u4e14 uncache \u7684\u524d\u63d0\u6761\u4ef6\u662f\u6ca1\u6709\u810f\u5757\u3002

\u5751 4

\u4fee\u6539 migration_threshold \u7b49\u8bbe\u7f6e\u4f1a\u5bfc\u81f4\u76ee\u524d\u7248\u672c\u7684 GRUB \u65e0\u6cd5\u6b63\u786e\u8bc6\u522b LVM \u5143\u6570\u636e\u3002

\u4e34\u65f6\u4fee\u590d\u7248\u672c\uff1ahttps://github.com/taoky/grub/releases/tag/2.02%2Bdfsg1-20%2Bdeb10u4taoky3_amd64\u3002\u76ee\u524d\u5df2\u90e8\u7f72\uff0c\u4e14\u8bbe\u7f6e\u4e86 apt hold\u3002

\u5751 5

\u8bbe\u7f6e chunksize \u5230 1M \u4f1a\u6709\u4e25\u91cd\u7684\u5199\u5165\u653e\u5927\u95ee\u9898\uff0c\u56e0\u6b64\u8fd9\u91cc\u4fee\u6539\u4e3a\u4e86 64K\u3002

\u6240\u4ee5\u63a5\u4e0b\u6765\u8981\u5408\u5e76 VG\uff0c\u7136\u540e\u624d\u80fd\u4e3a\u4ed3\u5e93\u5377\u52a0\u4e0a\u7f13\u5b58\u3002

lvchange -a n ssd/docker\nvgmerge lug ssd\nlvconvert --type cache --cachepool lug/mcache lug/repo\n

\u63a5\u4e0b\u6765\u6302\u4e0a Docker \u5377\uff08\u6ce8\u610f VG \u540d\u5df2\u7ecf\u4ece ssd \u53d8\u6210\u4e86 lug\uff09\uff1a

lvchange -a y lug/docker\nmount /dev/lug/docker /var/lib/docker\n
"},{"location":"services/mirrors/4/volumes-old/#repo","title":"repo \u6269\u5bb9","text":"

\u67e5\u770b\u5f53\u524d\u903b\u8f91\u5377\u4fe1\u606f\uff1a

# lvs -a -o +devices\n  LV              VG  Attr       LSize   Pool     Origin       Data%  Meta%  Move Log         Cpy%Sync Convert Devices\n  backup          lug -wi-ao----   8.00g                                                                       /dev/sda3(6307840)\n  docker          lug -wi-ao----  64.00g                                                                       /dev/sdc1(0)\n  docker2         lug -wi-a----- 300.00g                                                                       /dev/sda3(7925248)\n  home            lug -wi-ao----  64.00g                                                                       /dev/sda3(8192),/dev/sdb3(8193)\n  log             lug -wi-ao---- 300.00g                                                                       /dev/sda3(6309888),/dev/sdb3(6307841)\n  log             lug -wi-ao---- 300.00g                                                                       /dev/sda3(7888896),/dev/sdb3(7882753)\n  [lvol0_pmspare] lug ewi-------  16.00g                                                                       /dev/sda3(7884800)\n  [mcache]        lug Cwi---C---   1.50t                       99.99  0.12                    0.00             mcache_cdata(0)\n  [mcache_cdata]  lug Cwi-ao----   1.50t                                                                       /dev/sdc1(20480)\n  [mcache_cmeta]  lug ewi-ao----  16.00g                                                                       /dev/sdc1(16384)\n  repo            lug Cwi-aoC---  60.00t [mcache] [repo_corig] 99.99  0.12                    0.00             repo_corig(0)\n  [repo_corig]    lug owi-aoC---  60.00t                                                                       /dev/sda3(16384),/dev/sdb3(16385)\n  [repo_corig]    lug owi-aoC---  60.00t                                                                       /dev/sda3(6311936),/dev/sdb3(6309889)\n  root            lug mwi-aom---  32.00g                                          [root_mlog] 100.00           root_mimage_0(0),root_mimage_1(0)\n  [root_mimage_0] lug iwi-aom---  32.00g                                                                       /dev/sda3(0)\n  [root_mimage_1] lug iwi-aom---  32.00g                                                                       /dev/sdb3(0)\n  [root_mlog]     lug lwi-aom---   4.00m                                                                       /dev/sdb3(8192)\n

\u68c0\u67e5 cache \u662f\u5426\u6709 dirty block\uff1a

$ sudo lvs -o name,cache_policy,cache_settings,chunk_size,cache_used_blocks,cache_dirty_blocks /dev/mapper/lug-repo\n  LV   CachePolicy CacheSettings Chunk CacheUsedBlocks  CacheDirtyBlocks\n  repo smq                       1.00m          1048551                0\n

\uff08\u6b63\u5e38\u91cd\u542f\u4e4b\u540e\u53ef\u80fd\u4f1a\u51fa\u73b0 dirty block\uff0c\u539f\u56e0\u4e0d\u660e\u3002\u5982\u679c\u770b\u5230\u6709\u7684\u8bdd\uff0c\u90a3\u53ea\u80fd \u518d\u6b21\u8fdb\u5165\u75db\u82e6\u7684\u8f6e\u56de \u7528\u4e0a\u8ff0\u7684\u65b9\u6cd5\u6e05\u9664\uff0c\u5e76\u4e14\u6e05\u9664\u7684\u65f6\u5019\u5bf9\u7cfb\u7edf\u8d1f\u8f7d\u5f71\u54cd\u5f88\u5927\uff0c\u56e0\u4e3a\u843d\u76d8\u7684\u65f6\u5019\u5176\u4ed6\u8fdb\u7a0b\u5bf9\u5e94\u7684 IO \u4f1a\u88ab\u6682\u505c\uff0c\u5728\u76f8\u5bf9\u5e73\u8861\u65f6\u95f4\u548c\u8d1f\u8f7d\u7684\u547d\u4ee4\u4e0b\uff0c\u4f30\u8ba1\u9700\u8981 10 \u5c0f\u65f6\u7684\u65f6\u95f4\u3002\uff09

\u7136\u540e uncache\u3001\u6269\u5bb9\uff1a

# lvconvert --uncache lug/repo\n# lvextend -L +5T lug/repo\n# xfs_growfs /srv\n

\u7136\u540e\u6062\u590d cache\uff08\u53c2\u8003\u4e0a\u9762 mcache_meta \u548c mcache \u903b\u8f91\u5377\u7684\u914d\u7f6e\uff0c\u8bf7\u6ce8\u610f\u5728\u7406\u89e3\u547d\u4ee4\u540e\u518d\u6267\u884c\uff01\uff09\uff1a

# lvcreate -L 16G -n mcache_meta lug /dev/sdc1  # SSD \u8bbe\u5907\u8def\u5f84\u91cd\u542f\u540e\u53ef\u80fd\u4f1a\u53d8\u5316\n# lvcreate -l 100%FREE -n mcache lug /dev/sdc1\n# lvreduce -l -2048 lug/mcache\n# lvconvert --type cache-pool --poolmetadata lug/mcache_meta --cachemode writethrough -c 64K --config allocation/cache_pool_max_chunks=30000000 lug/mcache\n# lvconvert --type cache --cachepool lug/mcache lug/repo\n

\u5751 5

\u65b0\u5efa\u65f6\u5728\u5012\u6570\u7b2c\u4e8c\u6b65\u7684 lvconvert \u53ef\u80fd\u4f1a\u5361\u6b7b\u8d85\u8fc7\u534a\u5c0f\u65f6\uff08\u4f46\u662f\u6700\u540e\u8fd8\u662f\u80fd\u5b8c\u6210\u7684\uff09\uff0c\u6808\u7684\u4fe1\u606f\u663e\u793a\u6808\u9876\u51fd\u6570\u662f submit_bio_wait()\uff0c\u5728\u6e05\u96f6\u5bf9\u5e94\u7684 block range\uff0c\u56e0\u4e3a RAID \u5361\u4e0d\u652f\u6301\u4e0b\u4f20 discarding \u6240\u4ee5\u4f1a\u5f88\u6162\uff0c\u9700\u8981\u7b49\u4e00\u6bb5\u65f6\u95f4\u3002

"},{"location":"services/mirrors/4/volumes-old/#fstab","title":"fstab","text":"

\u5206\u533a\u5b8c\u6bd5\u540e\u7ed9 /etc/fstab \u8865\u4e0a\u76f8\u5173\u7684\u5185\u5bb9\u5e76\u6302\u8f7d\uff1a

/dev/mapper/lug-home   /home           ext4 defaults             0 2\n/dev/mapper/lug-docker /var/lib/docker ext4 defaults             0 2\n/dev/mapper/lug-repo   /srv            xfs  defaults,pqnoenforce 0 2\n/dev/mapper/lug-log    /var/log        ext4 defaults             0 2\n

\uff08\u8fd9\u4e2a log \u5206\u533a\u524d\u9762\u6ca1\u63d0\uff0c\u53cd\u6b63\u50cf\u6a21\u50cf\u6837\u77e5\u9053\u5c31\u884c\u4e86\uff09

"},{"location":"services/mirrors/4/networking/","title":"Networking on mirrors4","text":"

\u51fa\u4e8e\u597d\u7528\u7684\u8003\u8651\uff0cmirrors4 \u4e0a\u7684\u7f51\u7edc\u4f7f\u7528 systemd-networkd \u914d\u7f6e\u3002\u4f5c\u4e3a\u5165\u95e8\uff0c\u4e0b\u9762\u662f\u4e24\u4e2a\u53c2\u8003\u94fe\u63a5\uff1a

Debian \u9ed8\u8ba4\u7528\u7684\u662f ifupdown\uff0c\u628a\u5b83\u76f4\u63a5\u5378\u6389\u5c31\u884c\u4e86\u3002\u5168\u90e8\u914d\u7f6e\u5b8c\u6bd5\u4e4b\u540e\u9700\u8981 systemctl enable systemd-networkd.service \u5e76\u4e14 start \u4e00\u4e0b\uff08\u6216\u8005\u76f4\u63a5\u91cd\u542f\uff09\u3002

/etc/systemd/network \u76ee\u5f55\u4e0b\u6709\u4e2a Git \u4ed3\u5e93\uff0c\u65b9\u4fbf\u4fdd\u5b58\u4e0e\u6062\u590d

"},{"location":"services/mirrors/4/networking/#bond","title":"Bond","text":"

Bond \u7528\u4e8e\u5c06\u591a\u4e2a\u7f51\u5361\u805a\u5408\u5f53\u4f5c\u4e00\u4e2a\u4f7f\u7528\u3002

"},{"location":"services/mirrors/4/networking/#_1","title":"\u5b50\u7f51\u5361","text":"

\u5411 /etc/systemd/network/ens41f0.network \u5199\u5165\u5982\u4e0b\u5185\u5bb9\uff1a

[Match]\nName=ens41f0\n\n[Network]\nBond=bond1\n\n[Link]\nRequiredForOnline=no\n

\u5373\u53ef\u5c06\u5176\u8bbe\u7f6e\u4e3a bond1 \u7684\u4e00\u4e2a\u5b50\u7f51\u5361\u3002\u7528\u540c\u6837\u65b9\u5f0f\u628a ens41f1 \u4e5f\u8bbe\u4e3a\u5b50\u7f51\u5361\u3002

\u4e00\u4e2a\u5c0f\u5751

systemd-networkd \u6709\u4e00\u4e2a\u9ed8\u8ba4\u7684 bond0 \u805a\u5408\u7f51\u5361\uff0c\u6a21\u5f0f\u6c38\u8fdc\u662f round-robin\uff0c\u800c\u4e14\u5c1d\u8bd5\u8bbe\u7f6e\u8fd9\u4e2a\u7f51\u5361\u5f88\u5bb9\u6613\u51fa\u95ee\u9898\uff0c\u6240\u4ee5\u6211\u4eec\u907f\u5f00\u8fd9\u4e2a\u540d\u5b57\uff0c\u7528 bond1\u3002

"},{"location":"services/mirrors/4/networking/#bond1","title":"bond1 \u805a\u5408\u7f51\u5361","text":"

\u5199\u5165 /etc/systemd/network/bond1.netdev\uff1a

[NetDev]\nName=bond1\nKind=bond\n\n[Bond]\nMode=balance-tlb\nMIIMonitorSec=1\n

\u5173\u4e8e bond \u6a21\u5f0f\uff08balance-tlb vs balance-alb\uff09\uff0c\u53c2\u8003\u8fd9\u4e2a Server Fault \u4e0a\u7684\u56de\u7b54\u3002

\u7136\u540e\u521b\u5efa VLAN\uff0c\u5199\u5165 /etc/systemd/network/bond1.network\uff1a

[Match]\nName=bond1\n\n[Network]\nDHCP=no\nVLAN=cernet\nVLAN=telecom\nVLAN=mobile\nVLAN=unicom\n
"},{"location":"services/mirrors/4/networking/#vlan","title":"VLAN","text":"

NIC \u673a\u623f\u6709 4 \u4e2a VLAN\uff0c\u5206\u522b\u662f

\u6ce8\u610f\u8fd9\u51e0\u4e2a\u7f51\u6bb5\u90fd\u6ca1\u6709 DHCP\uff0c\u53ea\u6709\u6559\u80b2\u7f51 VLAN \u6709 IPv6 RA\u3002

\u4e0b\u9762\u4ee5\u6559\u80b2\u7f51 VLAN \u4e3a\u4f8b\u3002

\u56e0\u4e3a VLAN \u5728\u7269\u7406\u4e0a\u5c5e\u4e8e\u4e00\u4e2a\u7f51\u5361\uff0c\u56e0\u6b64\u5411\u5bf9\u5e94\u7f51\u5361\u7684 .network \u6587\u4ef6\u7684 [Network] \u6bb5\u8ffd\u52a0\u4e00\u884c\uff08\u89c1\u4e0a\u9762\u4e00\u8282 bond1.network \u6587\u4ef6\uff09\uff1a

VLAN=cernet\n

\u521b\u5efa VLAN \u754c\u9762\uff0c\u521b\u5efa cernet.netdev \u5e76\u5199\u5165

[NetDev]\nName=cernet\nKind=vlan\n\n[VLAN]\nId=95\n

\u7136\u540e\u5c31\u53ef\u4ee5\u6307\u5b9a IP \u5730\u5740\u7b49\u5177\u4f53\u4fe1\u606f\u4e86\uff0c\u521b\u5efa\u4e00\u4e2a\u540d\u5b57\u76f8\u540c\uff0c\u540e\u7f00\u6362\u6210 .network \u7684\u6587\u4ef6\u5e76\u5199\u5165

[Match]\nName=cernet\n\n[Network]\nDHCP=no\nAddress=202.38.95.110/25\n#Gateway=202.38.95.126\nAddress=2001:da8:d800:95::110/64\n#Gateway=2001:da8:d800:95::1\nIPv6AcceptRA=false\n

\u4fdd\u5b58\u540e\u91cd\u542f systemd-networkd.service \u5c31\u53ef\u4ee5\u770b\u5230\u6548\u679c\u4e86\u3002

\u4e3a\u4ec0\u4e48 Gateway \u88ab\u6ce8\u91ca\u6389\u4e86

\u6839\u636e systemd \u5b98\u65b9\u6587\u6863\uff0c\u5728 [Network] \u4e00\u8282\u51fa\u73b0\u7684 Gateway= \u7b49\u4ef7\u4e8e\u4e00\u4e2a\u5355\u72ec\u7684\u3001\u4ec5\u5305\u542b\u4e00\u884c Gateway= \u7684 [Route] \u8282\u3002\u7531\u4e8e\u6211\u4eec\u9700\u8981\u6df1\u5ea6\u81ea\u5b9a\u4e49\u8def\u7531\uff0c\u8fd9\u91cc\u4e0d\u65b9\u4fbf\u91c7\u7528\u8fd9\u4e2a\u8fc7\u4e8e\u7b80\u6d01\u7684\u8bbe\u5b9a\uff08\u4f8b\u5982\u5404\u79cd\u9ed8\u8ba4\u503c Table=main \u7b49\uff09\u3002

"},{"location":"services/mirrors/4/networking/#docker-network","title":"Docker network","text":"

\u9488\u5bf9\u4e2a\u522b\u4e0d\u652f\u6301 bind address \u7684\u540c\u6b65\u5de5\u5177\uff0c\u6211\u4eec\u901a\u8fc7\u5c06\u5176\u653e\u5165\u7279\u5b9a\u7684 docker network \u6765\u5b9e\u73b0\u9009\u62e9\u7ebf\u8def\u7684\u529f\u80fd\u3002

\u521b\u5efa\u547d\u4ee4
docker network create --driver=bridge --subnet=172.17.4.1/24 -o \"com.docker.network.bridge.name=dockerC\" cernet\ndocker network create --driver=bridge --subnet=172.17.5.1/24 -o \"com.docker.network.bridge.name=dockerT\" telecom\ndocker network create --driver=bridge --subnet=172.17.6.1/24 -o \"com.docker.network.bridge.name=dockerM\" mobile\ndocker network create --driver=bridge --subnet=172.17.7.1/24 -o \"com.docker.network.bridge.name=dockerU\" unicom\ndocker network create --driver=bridge --ipv6 --subnet=172.17.8.1/24 --subnet=fd00:6::/64 -o \"com.docker.network.bridge.name=dockerC6\" cernet6\ndocker network create --driver=bridge --subnet=172.17.9.1/24 -o \"com.docker.network.bridge.name=dockerV\" lugvpn\n

\u7136\u540e\u4f7f\u7528 systemd-networkd \u5bf9\u521b\u5efa\u597d\u7684 docker network \u7f51\u6bb5\u914d\u7f6e\u89c4\u5219\u8def\u7531\u3002

/etc/systemd/network/cernet.network
# Docker Cernet\n[RoutingPolicyRule]\nFrom=172.17.4.0/24\nTable=1011\nPriority=5\n\n[RoutingPolicyRule]\nFrom=172.17.8.0/24\nTable=1011\nPriority=5\n

\u5176\u4ed6\u51e0\u4e2a\u6587\u4ef6\u7c7b\u4f3c\uff0c\u53ea\u9700\u8981\u4fee\u6539\u7f51\u6bb5\u548c Table \u5373\u53ef\u3002

"},{"location":"services/mirrors/4/networking/#docker-network-cernet6","title":"Docker network: cernet6","text":"

\u7531\u4e8e\u4e00\u4e9b\u7a0b\u5e8f\u6216\u7cfb\u7edf\u73af\u5883\u5728\u53cc\u6808\u7f51\u7edc\u4e2d\u4ecd\u7136\u4f1a\u4f18\u5148\u5c1d\u8bd5 IPv4\uff0c\u6211\u4eec\u5c06 cernet6 \u7f51\u7edc\u7684 v4 \u516c\u7f51\u8bbf\u95ee\u5c4f\u853d\u6389\u3002

rules.v4
*filter\n:FORWARD DROP [0:0]\n# ...\n-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n-A FORWARD -i dockerC6 -j REJECT\n-A FORWARD -i docker+ -j ACCEPT\n
"},{"location":"services/mirrors/4/networking/misc/","title":"mirrors \u7f51\u7edc\u914d\u7f6e\u6742\u9879","text":""},{"location":"services/mirrors/4/networking/misc/#sniproxy","title":"sniproxy","text":"

Sniproxy \u7528\u4e8e\u4e3a Docker \u5bb9\u5668\u63d0\u4f9b\u65b9\u4fbf\u7684 HTTP(S) \u7f51\u7edc\u5206\u6d41\u3002\u76ee\u524d\u5728 mirrors \u4e0a\u7528\u4e8e\u4e3a dockerhub \u5bb9\u5668\u63d0\u4f9b\uff08\u5230 Cloudflare \u7684\uff09IPv6 \u63a5\u5165\uff08Docker \u505a IPv6 NAT \u975e\u5e38\u4e0d\u65b9\u4fbf\uff0c\u6240\u4ee5\u4ee5\u6b64\u4e3a\u6743\u5b9c\u4e4b\u4e3e\uff09\uff0c\u4ee5\u63d0\u9ad8\u6821\u5185\u8bbf\u95ee\u65f6\u7684\u901f\u5ea6\u3002

"},{"location":"services/mirrors/4/networking/misc/#_1","title":"\u914d\u7f6e","text":"

\u5b89\u88c5 sniproxy\uff0c\u5e76\u4e14 mask \u539f\u670d\u52a1\u914d\u7f6e\uff08\u6211\u4eec\u81ea\u5df1\u5199\u4e00\u4e2a\uff09\uff1a

sudo apt install sniproxy\nsudo mkdir -p /etc/sniproxy\nsudo systemctl mask sniproxy.service\n

\u521b\u5efa /etc/systemd/system/sniproxy@.service\uff1a

[Unit]\nDescription=SNIProxy (%i.conf)\nAfter=network.target network-online.target\nStartLimitIntervalSec=1\n\n[Service]\nType=simple\nExecStart=/usr/sbin/sniproxy -f -c /etc/sniproxy/%i.conf\nRestart=on-failure\nRestartSec=3\n\n[Install]\nWantedBy=multi-user.target\n

\u5728 /etc/sniproxy \u4e2d\u521b\u5efa\u914d\u7f6e\u3002\u4ee5\u4e0b\u4e3a IPv6 + TLS (443) only \u7684\u914d\u7f6e\u4f8b\u5b50\uff1a

resolver {\n    nameserver 2001:da8:d800::1\n    mode ipv6_only\n}\n\naccess_log {\n    filename /dev/null\n}\n\nlisten <Bind \u5230\u7684 IP \u5730\u5740>:443 {\n    proto tls\n    reuseport yes\n    table all\n    source <IPv6 \u51fa\u53e3\u5730\u5740>\n}\n\ntable all {\n    .* *\n}\n

\u6700\u540e\u542f\u52a8\u670d\u52a1\uff1a

sudo systemctl enable sniproxy@\u914d\u7f6e\u6587\u4ef6\u540d.service\nsudo systemctl start sniproxy@\u914d\u7f6e\u6587\u4ef6\u540d.service\n
"},{"location":"services/mirrors/4/networking/route/","title":"Routing on mirrors4","text":"

\u7531\u4e8e mirrors4 \u6ca1\u6709\u4f7f\u7528 ifupdown \u4f5c\u4e3a\u7f51\u7edc\u7ba1\u7406\u7cfb\u7edf\uff0c\u800c\u662f\u91c7\u7528 systemd-networkd\uff0c\u56e0\u6b64\u6211\u4eec\u6ca1\u6709 pre-up, up, down, post-down \u7b49\u8fd0\u884c\u547d\u4ee4\u7684\u65b9\u5f0f\uff0c\u6240\u4ee5 mirrors2 \u4e0a\u4f7f\u7528\u7684\u90a3\u5957\u811a\u672c\uff08ip-route.sh \u7b49\uff09\u65e0\u6cd5\u76f4\u63a5\u5728 mirrors4 \u4e0a\u7ee7\u7eed\u4f7f\u7528\u3002

\u597d\u5728\u6211\u4eec\u4f7f\u7528 up \u7b49\u8fd0\u884c\u547d\u4ee4\u53ea\u662f\u4e3a\u4e86\u914d\u7f6e\u8def\u7531\uff0c\u56e0\u6b64\u6362\u4e86\u4e2a\u529e\u6cd5\uff0c\u6574\u4e86\u4e2a\u65b0\u811a\u672c\u628a IP \u5730\u5740\u5217\u8868\uff08\u6765\u81ea gaoyifan/china-operator-ip\uff09\u8f6c\u6362\u6210 networkd \u6240\u4f7f\u7528\u7684\u914d\u7f6e\u6587\u4ef6\u683c\u5f0f\u3002\u4ee3\u7801\u4e0d\u957f\uff1a

#!/bin/bash\n\nROOT_IP_LIST=/usr/local/network_config/iplist\nROOT_RT=/run/systemd/network\n\ngen_route() {\n  IPLIST=\"$ROOT_IP_LIST/$1\"\n  GW=\"$2\"\n  DEV=\"$3\"\n  # Convert table to number\n  TABLENAME=\"$4\"\n  TABLE=\"$(awk 'substr($0, 1, 1) != \"#\" && $2 == \"'\"$TABLENAME\"'\" { print $1 }' /etc/iproute2/rt_tables | head -1)\"\n  PRIORITY=\"$5\"\n\n  F=\"$ROOT_RT/$DEV.network.d\"\n  mkdir -p \"$F\"\n  F=\"$F/route-${TABLENAME,,}.conf\"\n\n  echo -e \"[RoutingPolicyRule]\\nTable=$TABLE\\nPriority=$PRIORITY\\n\" > \"$F\"\n  awk '{ print \"[Route]\\nDestination=\" $1 \"\\nGateway='\"$GW\"'\\nTable='\"$TABLE\"'\\n\" }' \"$IPLIST\" >> \"$F\"\n}\n\ngen_route ustcnet.txt 202.38.95.126 cernet Ustcnet 5\ngen_route cernet.txt 202.38.95.126 cernet Cernet 6\ngen_route telecom.txt 202.141.160.126 telecom Telecom 6\ngen_route mobile.txt 202.141.176.126 mobile Mobile 6\ngen_route unicom.txt 218.104.71.161 unicom Unicom 6\ngen_route china.txt 218.104.71.161 unicom China 7\n

\u8fd9\u4e2a\u4ed3\u5e93\u91cc\u6709\u5f88\u591a\u4e2a txt \u6587\u4ef6\uff0c\u6bcf\u4e2a\u6587\u4ef6\u5bf9\u5e94\u4e00\u4e2a ISP \u7684\u5730\u5740\u5217\u8868\uff0c\u6bcf\u884c\u4e00\u4e2a CIDR\u3002\u811a\u672c\u4e2d\u7684 gen_route \u51fd\u6570\u6839\u636e\u53c2\u6570\u8bfb\u53d6\u6587\u4ef6\uff0c\u5e76\u8f6c\u6362\u6210\u4e0b\u9762\u8fd9\u6837\u7684\u683c\u5f0f\uff1a

[Route]\nDestination=1.0.0.0/24\nGateway=202.38.95.126\nTable=1011\n

\u8fd9\u6837\u4e00\u4e2a [Route] \u8282\u5bf9\u5e94\u4e00\u6761\u8def\u7531\u89c4\u5219\uff0c\u6574\u4e2a txt \u7684\u8f6c\u6362\u7ed3\u679c\u8f93\u51fa\u5230 /run/systemd/network/cernet.network.d/route-example.conf\u3002\u5176\u4e2d cernet.network.d/*.conf \u7528\u4e8e\u5411\u73b0\u6709\u7684\u914d\u7f6e\u4e2d\u6dfb\u52a0\u5185\u5bb9\uff08\u4e0e systemd service \u7c7b\u4f3c\uff09\uff0c\u800c /run \u76ee\u5f55\uff08\u6309\u7406\u6765\u8bf4\uff09\u91cd\u542f\u4f1a\u6e05\u7a7a\uff0c\u9002\u5408\u653e\u7f6e\u8fd9\u4e9b\u7528\u4e8e\u52a8\u6001\u751f\u6210\u7684\u5185\u5bb9\u3002\u53e6\u5916\u7531\u4e8e\u8def\u7531\u89c4\u5219\uff08ip rule\uff09\u4e5f\u7531 networkd \u7ba1\u7406\u548c\u751f\u6210\u4e86\uff0c\u56e0\u6b64\u6bcf\u4e2a route-xxx.conf \u5f00\u5934\u4f1a\u5305\u542b\u4e00\u4e2a [RoutingPolicyRule] \u8282\u7528\u4e8e\u751f\u6210\u8def\u7531\u8868\u5bf9\u5e94\u7684\u8def\u7531\u89c4\u5219\u3002

\u6ce8\u610f\u8def\u7531\u8868\u662f\u7528\u540d\u79f0\u6307\u5b9a\u7684\uff0c\u4ece /etc/iproute2/rt_tables \u4e2d\u67e5\u51fa\u5bf9\u5e94\u7684\u6570\u5b57 ID\u3002\u8fd9\u4e2a\u6587\u4ef6\u672c\u6765\u4e5f\u662f ip \u547d\u4ee4\u6240\u4f7f\u7528\u7684\uff08\u6ce8\u610f\u5b83\u7684\u76ee\u5f55\u540d\u53eb iproute2\uff09\u3002

\u6700\u540e\u7ed9\u8fd9\u4e2a\u811a\u672c\u914d\u4e2a service\uff0c\u8ba9\u5b83\u5728 networkd \u4e4b\u524d\u8fd0\u884c\uff1a

# WARNING: This is NOT the final configuration file!\n[Unit]\nDescription=Generate routes for systemd-networkd\nBefore=systemd-networkd.service\n\n[Service]\nType=oneshot\nExecStart=/bin/bash /usr/local/network_config/route-all.sh\nRemainAfterExit=true\n\n[Install]\nWantedBy=network.target systemd-networkd.service\nWants=systemd-networkd.service\n

\u8fd9\u4e2a\u6587\u4ef6\u5b58\u5230 /etc/systemd/system/route-all.service\uff0creload \u518d enable \u5c31\u53ef\u4ee5\u4e86\u3002

\u6539 systemd-networkd.service \u9700\u8981\u989d\u5916\u6ce8\u610f

\u8fd9\u4e2a\u81ea\u5e26\u7684\u670d\u52a1\u6709\u4e00\u4e2a User=systemd-networkd\uff0c\u4f60\u65e2\u4e0d\u80fd ip rule \u4e5f\u4e0d\u80fd\u5199\u5165 /run/systemd \u7b49\uff0c\u4f1a\u5bfc\u81f4\u670d\u52a1\u70b8\u6389\uff0c\u7136\u540e\u7f51\u4e5f\u70b8\u4e86\u3002\u3002\u3002

\u5982\u679c\u8981\u6539 networkd \u670d\u52a1\u64cd\u4f5c ip rule \u7684\u8bdd\uff0c\u9700\u8981\u5728\u547d\u4ee4\u884c\u524d\u9762\u52a0\u4e00\u4e2a + \u8868\u793a\u8be5\u547d\u4ee4\u4e0d\u53d7 User= \u7b49\u6743\u9650\u8bbe\u7f6e\u5f71\u54cd\uff0c\u8be6\u7ec6\u89e3\u91ca\u89c1 systemd.service \u6587\u6863\u3002

"},{"location":"services/mirrors/4/networking/route/#special-routing","title":"Special routing","text":"

\u90e8\u5206 IP \u9700\u8981\u914d\u7f6e\u7279\u6b8a\u8def\u7531\u89c4\u5219\u65f6\uff08\u800c\u4e0d\u662f\u4f7f\u7528\u9ed8\u8ba4\uff09\uff0c\u7f16\u8f91 /usr/local/network_config/special.yml\uff0c\u5176\u683c\u5f0f\u5982\u4e0b\uff1a

routes: # Root key\uff0c\u4fdd\u7559\n  lugvpn: # /etc/systemd/network \u4e2d\u5bf9\u5e94\u7684 .network \u6587\u4ef6\u540d\n    # \u4e0b\u9762\u662f\u4e00\u4e2a\u8def\u7531\u6587\u4ef6\u7684\u914d\u7f6e\uff0c\u4e00\u4e2a\u6587\u4ef6\u5171\u4eab\u4e00\u4e2a table \u548c gateway \u8bbe\u7f6e\n    - name: route-special # \u5c06\u8981\u521b\u5efa\u7684 .conf \u6587\u4ef6\u540d\uff0c\u53ef\u4ee5\u968f\u610f\n      table: Special # \u8def\u7531\u8868\uff0c\u5373 ip route add table \u540e\u9762\u7684\u53c2\u6570\uff0c\u6570\u5b57\u6216\u8868\u540d\n      gateway: false # \u662f\u5426\u5305\u542b\u7f51\u5173\uff0c\u6216\u8005 ip route \u7684 via \u53c2\u6570\n      routes: # \u6240\u6709\u7684\u8def\u7531\u6761\u76ee\n        - 1.2.3.4\n        - 5.6.7.8/28\n        - 2001:db8::2333/64\n\n  cernet: # \u66f4\u591a\u7684\u914d\u7f6e\n    - ...\n

\u4fee\u6539 special.yml \u4e4b\u540e\u91cd\u542f route-all.service\u3002\u8be5\u670d\u52a1\u4f1a\u81ea\u52a8\u5bfc\u81f4 systemd-networkd.service \u91cd\u542f\u5e76\u8f7d\u5165\u65b0\u7684\u8def\u7531\u914d\u7f6e\u4fe1\u606f\u3002

special.rb \u5904\u7406\u811a\u672c\uff08\u653e\u5728\u8fd9\u5907\u4efd\uff09
#!/usr/bin/ruby\n\nrequire 'fileutils'\nrequire 'yaml'\n\nBASEDIR = '/run/systemd/network'\nRT_TABLES = '/etc/iproute2/rt_tables'\n\nrt_tables = Hash.new\nFile.readlines(RT_TABLES).each do |l|\n  next if l =~ /^\\s*#/\n  id, name = l.split\n  rt_tables[name] = id\nend\n\ndata = YAML.load_file File.join(__dir__, 'special.yml')\ndata['routes'].each do |fn, setups|\n  confdir = File.join(BASEDIR, \"#{fn}.network.d\")\n  FileUtils.mkdir_p confdir\n\n  setups.each do |config|\n    table = config['table']\n    gateway = config['gateway']\n    File.open File.join(confdir, \"#{config['name']}.conf\"), 'w' do |f|\n      config['routes'].each do |dst|\n        t = \"[Route]\\nDestination=#{dst}\\n\"\n        t += \"Table=#{rt_tables.fetch table, table}\\n\" if table\n        t += \"Gateway=#{gateway}\\n\" if gateway\n        f.write t + \"\\n\"\n      end\n    end\n  end\nend\n

route-all.service \u6709\u5f88\u591a\u6ce8\u610f\u4e8b\u9879

\u4e3a\u4e86\u6e05\u7406\u5f00\u673a\u81ea\u52a8\u4ea7\u751f\u7684 32766 \u548c 32767 \u4e24\u6761\u8def\u7531\u89c4\u5219\uff0c\u6211\u4eec\u540c\u65f6\u4e3a systemd-networkd.service \u6dfb\u52a0\u4e86\u4e24\u4e2a ExecStartPre \u5982\u4e0b\uff1a

[Service]\nExecStartPre=-+/sbin/ip rule delete from all table main pref 32766\nExecStartPre=-+/sbin/ip rule delete from all table default pref 32767\n

\u53e6\u9644\u5b8c\u6574\u7684 route-all.service \u6587\u4ef6\uff1a

[Unit]\nDescription=Generate routes for systemd-networkd\nBefore=systemd-networkd.service\n\n[Service]\nType=oneshot\nExecStart=/bin/bash /usr/local/network_config/route-all.sh\nExecStart=/usr/local/network_config/special.rb\nRemainAfterExit=true\n\n[Install]\nWantedBy=network.target systemd-networkd.service\nWants=systemd-networkd.service\n
"},{"location":"services/pxe/","title":"PXE","text":"

\u5bf9\u6821\u56ed\u7f51\u7528\u6237\u4e0e\u6821\u5916\u7528\u6237\u516c\u5f00\u7684 PXE \u670d\u52a1\u3002LIIMS \u4e0e\u76ee\u524d\u7684 PXE \u867d\u7136\u8fd0\u884c\u5728\u540c\u4e00\u53f0\u670d\u52a1\u5668\u4e0a\uff0c\u4f46\u662f\u914d\u7f6e\u6709\u6240\u4e0d\u540c\u3002

\u672c\u6587\u6863\u9700\u8981\u5927\u5e45\u6269\u5145

"},{"location":"services/pxe/#intro","title":"Intro","text":"

https://lug.ustc.edu.cn/wiki/server/pxe/

https://lug.ustc.edu.cn/planet/2018/10/PXE-intro/

\u5173\u4e8e FAQ

https://lug.ustc.edu.cn/wiki/server/pxe/faq/ \u5b9e\u5728\u662f\u5e74\u5934\u592a\u4e45\u8fdc\u4e86\uff0c\u65e0\u6cd5\u66f4\u65b0\u3002\u65b0\u7684\u5185\u5bb9\u8bb0\u5f55\u5728\u672c\u6587\u6863\u4e2d\u3002

\u4e00\u822c\u7684\u542f\u52a8\u6d41\u7a0b\u662f\uff1a

  1. iPXE\uff0c\u6216\u8005\u4e3b\u677f\u4e0a\u83b7\u53d6\u7684 DHCP \u542f\u52a8\u4fe1\u606f\u7684\u56fa\u4ef6\u4e0b\u8f7d\u5e76\u52a0\u8f7d GRUB \u76f8\u5173\u6587\u4ef6\u3002
  2. \u5982\u679c MAC \u5730\u5740\u4e0d\u4e3a\u6307\u5b9a\u503c\uff0c\u90a3\u4e48\u52a0\u8f7d\u83dc\u5355\u5e76\u663e\u793a\uff1b\u7136\u540e\u52a0\u8f7d Linux \u5185\u6838\u4e0e initramfs \u7b49\u4e8b\u9879\u7531 GRUB \u8d1f\u8d23\u3002
  3. Initramfs \u4ece\u542f\u52a8\u53c2\u6570\u6302\u8f7d NFS \u4e3a rootfs\uff0c\u8fdb\u884c\u4e0b\u4e00\u6b65\u7684\u542f\u52a8\u3002
"},{"location":"services/pxe/#_1","title":"\u4f7f\u7528/\u8c03\u8bd5","text":"

PXE \u5728\u6821\u56ed\u7f51\u4e2d\u76f4\u63a5\u53ef\u7528\uff0c\u56e0\u4e3a\u5b66\u6821\u7684 DHCP \u670d\u52a1\u5668\u7ecf\u8fc7\u4e86\u914d\u7f6e\u3002

\u5982\u679c\u9700\u8981\u5728\u865a\u62df\u673a\u4e2d\u8c03\u8bd5\uff0c\u53ef\u4ee5\uff1a

\u63a8\u8350\u4f7f\u7528\u7684\u865a\u62df\u673a\u65b9\u6848

PXE \u80fd\u591f\u6210\u529f\u8fd0\u884c\u4e0e\u5426\u6709\u53ef\u80fd\u548c\u865a\u62df\u673a\u73af\u5883\uff08\u7279\u522b\u662f\u865a\u62df\u7f51\u5361\u578b\u53f7\uff09\u9ad8\u5ea6\u76f8\u5173\u3002\u63a8\u8350\u4f7f\u7528 QEMU\u3002

\u5176\u4e2d\u4e3b\u8981\u4f7f\u7528\u7684\u662f\u57fa\u4e8e GRUB2 \u548c simple-pxe \u7684\u65b0 PXE \u65b9\u6848\u3002\u4e3b\u677f\u56fa\u4ef6\u4f7f\u7528 TFTP \u534f\u8bae\u83b7\u53d6 GRUB2 \u7a0b\u5e8f\uff08core.0 \u6216\u8005 core.efi\uff09\u4e4b\u540e\uff0cGRUB2 \u4f1a\u901a\u8fc7 HTTP \u534f\u8bae\u83b7\u53d6\u5269\u4e0b\u6240\u6709\u7684\u6587\u4ef6\u3002

TFTP

\u548c FTP active \u6a21\u5f0f\u4e00\u6837\uff0cTFTP \u662f\u4e00\u4e2a\u6709\u70b9\u9ebb\u70e6\u7684\u534f\u8bae\uff0c\u5982\u679c\u4f60\u7684\u865a\u62df\u673a\u65e0\u6cd5\u4e0d\u7ecf\u8fc7 NAT \u8fde\u63a5 PXE \u670d\u52a1\u5668\uff0c\u90a3\u4e48\u5c31\u9700\u8981\u8c03\u6574\u7f51\u7edc\u914d\u7f6e\uff0c\u4f1a\u5f88\u9ebb\u70e6\uff0c\u518d\u52a0\u4e0a\u5bf9\u6821\u5916\u8bbf\u95ee\u9700\u6c42\u7684\u8003\u91cf\uff0c\u56e0\u6b64\u76ee\u524d\u7684\u8003\u8651\u662f\u5c3d\u91cf\u4f7f\u7528 HTTP\u3002

\u57fa\u4e8e SYSLINUX \u7684\u8001 PXE \u65b9\u6848\uff08lpxelinux.0 -> bin/lpxelinux.0\uff09\u76ee\u524d\u4ecd\u53ef\u542f\u52a8\uff0c\u4f46\u662f\u4e0d\u4f7f\u7528\u3002

"},{"location":"services/pxe/#syslinux","title":"SYSLINUX \u66f4\u65b0","text":"

\u867d\u7136\u4e0d\u7ef4\u62a4\u4e86\uff0c\u4f46\u662f\u4ee5\u4e0b\u5185\u5bb9\u4ecd\u4f5c\u8bb0\u5f55\uff1a

wget https://mirrors.ustc.edu.cn/fedora/releases/40/Everything/x86_64/os/Packages/s/syslinux-tftpboot-6.04-0.26.fc40.noarch.rpm\n# decompress\nrpm2cpio syslinux-tftpboot-6.04-0.26.fc40.noarch.rpm | cpio -idmv\ncd tftpboot\nln -s lpxelinux.0 pxelinux.0\nln -s lpxelinux.0 undionly.kpxe\n

\u5f97\u5230\u7684 tftpboot \u76ee\u5f55\u66ff\u4ee3\u539f\u5148\u7684 tftp/bin \u76ee\u5f55\u3002\u542f\u52a8 VM \u7684\u65f6\u5019\u53ef\u4ee5 Wireshark \u770b\u770b\u5b83\u4e0b\u8f7d\u4e86\u54ea\u4e9b\u6587\u4ef6\u3002\u540c\u65f6\u8fd8\u6709\u4e2a pxeknife\uff0c\u76ee\u524d\u53ea\u5728 SYSLINUX \u7684 PXE \u65b9\u6848\u4e2d\u53ef\u7528\u3002

pypxe

pypxe \u4f3c\u4e4e\u53ea\u5728 SYSLINUX \u65b9\u6848\u4e2d\u4f7f\u7528\u3002

"},{"location":"services/pxe/#uefi","title":"\u4f7f\u7528 UEFI \u76f4\u63a5\u542f\u52a8","text":"

QEMU \u4e00\u822c\u4f7f\u7528\u7684 UEFI \u56fa\u4ef6 OVMF \u652f\u6301\u76f4\u63a5\u4ece HTTP \u542f\u52a8\u3002\u5728\u5199\u4f5c\u65f6\uff0cArch Linux \u6253\u5305\u7684 OVMF \u6ca1\u7f16\u8bd1\u6b64\u7279\u6027\uff0c\u5176\u4ed6\u7684\u53d1\u884c\u7248\u4e5f\u6709\u53ef\u80fd\u4e0d\u652f\u6301\uff0c\u56e0\u6b64\u9700\u8981\uff1a

  1. \u4ece https://www.kraxel.org/repos/jenkins/edk2/ \u4e0b\u8f7d x64 \u7248\u672c\u7684 rpm \u5e76\u89e3\u538b
  2. \u7136\u540e\u4f7f\u7528\u4ee5\u4e0b\u547d\u4ee4\u542f\u52a8 QEMU\uff1a

    qemu-system-x86_64 -L . --bios ../ovmf-x64/OVMF-pure-efi.fd\n

    \u542f\u52a8\u540e\u9a6c\u4e0a\u6309\u4e0b ESC\uff0c\u8fdb\u5165\u914d\u7f6e\u754c\u9762\uff0c\u7136\u540e\u9605\u8bfb https://github.com/tianocore/tianocore.github.io/wiki/HTTP-Boot \u505a\u8fdb\u4e00\u6b65\u914d\u7f6e\u3002

"},{"location":"services/pxe/#grub2","title":"\u5236\u4f5c GRUB2 \u955c\u50cf","text":"

\u65e7\u7248\u672c\u7684 GRUB2 \u53ef\u80fd\u6709 bug\uff08\u4f8b\u5982 https://github.com/ustclug/discussions/issues/456\uff09\uff0c\u56e0\u6b64\u6709\u65f6\u5019\u9700\u8981\u5347\u7ea7\u3002

\u66f4\u65b0\u7b56\u7565\u8003\u8651\u4f7f\u7528 Debian stable \u7684 grub2\u3002\u542f\u52a8\u5bb9\u5668\u5e76\u4e14\u5c06\u5916\u9762\u7684\u76ee\u5f55 bind mount\uff1a

docker run -it --rm -v $(pwd)/tftp:/srv/tftp ustclug/debian:12\n

\u7136\u540e\u5728\u5bb9\u5668\u4e2d\u6267\u884c\uff1a

apt update && apt install grub-common grub-pc grub-efi-amd64-signed\ngrub-mknetdir\ngrub-mkimage -d /usr/lib/grub/i386-pc -O i386-pc-pxe -o /srv/tftp/boot/grub/i386-pc/core.0 -p '(http,202.38.93.94)/boot/tftp/grub/' pxe http\ngrub-mkimage -d /usr/lib/grub/x86_64-efi -O x86_64-efi -o /srv/tftp/boot/grub/x86_64-efi/core.efi -p '(http,202.38.93.94)/boot/tftp/grub/' efinet http\n

\u6700\u540e\u4e24\u4e2a grub-mkimage \u662f\u56e0\u4e3a grub-mknetdir \u751f\u6210\u7684\u955c\u50cf\u4f7f\u7528 tftp \u534f\u8bae\uff0c\u5728\u8c03\u8bd5\u65f6\u53ef\u80fd\u4f1a\u6709\u95ee\u9898\u3002\u6211\u4eec\u5e0c\u671b GRUB2 \u80fd\u591f\u5168\u7a0b\u4f7f\u7528 HTTP \u505a\u5269\u4e0b\u7684\u5de5\u4f5c\u3002

\u66f4\u6362\u6587\u4ef6\u7684\u65f6\u5019\u522b\u628a\u914d\u7f6e\u8986\u76d6\u4e86\u3002

"},{"location":"services/pxe/#ipxe-iso","title":"\u6784\u5efa iPXE ISO","text":"

\u53c2\u8003 https://ipxe.org/embed\u3002

#!ipxe\n\n# Generated by GPT-4\ndhcp\nset 210:string http://202.38.93.94/boot/tftp/\n\n# UEFI boot?\niseq ${platform} efi && goto uefi || goto bios\n\n:uefi\necho \"UEFI boot detected\"\nchain ${210:string}bootx64.efi\nexit\n\n:bios\necho \"BIOS boot detected\"\nchain ${210:string}pxelinux.0\nexit\n

clone ipxe/ipxe \u4ed3\u5e93\uff0c\u8fdb\u5165 src \u76ee\u5f55\uff0c\u7136\u540e\u6267\u884c\uff1a

# https://github.com/ipxe/ipxe/pull/50\nmake bin-x86_64-efi/ipxe.efi bin/ipxe.lkrn\n./util/genfsimg -o ustc.ipxe.iso -s ../../ustc.ipxe bin-x86_64-efi/ipxe.efi bin/ipxe.lkrn\n
"},{"location":"services/pxe/#_2","title":"\u67b6\u6784","text":"

\u65b0 PXE \u65b9\u6848\u7684 HTTP \u670d\u52a1\u5668\u4e3a Apache + Nginx\u3002URL \u4e2d\u7684 boot2 \u5bf9\u5e94 /nfsroot/pxe\u3002

\u5904\u7406 web \u670d\u52a1\u5668

\u76ee\u524d PXE \u673a\u5668\u7684 web \u670d\u52a1\u5668\u6709\u70b9\u8be1\u5f02\uff0cApache2 \u76d1\u542c 80\uff0cNginx \u76d1\u542c 443\uff0c\u540e\u7eed\u9700\u8981\u8c03\u6574\u5904\u7406\u3002

\u6587\u4ef6\u8df3\u8f6c\u914d\u7f6e

Apache2 \u4e2d\u914d\u7f6e\u4e86\u4e00\u4e9b alias \u8df3\u8f6c\uff0c\u540c\u6837\u7684\uff0cTFTP \u4e5f\u6709\u7c7b\u4f3c\u7684\u914d\u7f6e\uff08/etc/xinetd.d/tftp \u7684 server_args \u91cc\u9762\u6709 -m /home/pxe/tftp/REMAP\uff09\u3002

\u9700\u8981\u68c0\u67e5\u4e00\u81f4\u6027\u3002

\u5982\u679c\u51fa\u73b0\u95ee\u9898\u9700\u8981\u8c03\u8bd5\uff0c\u5efa\u8bae\u6293\u5305\uff08\u53ef\u4ee5\u4f7f\u7528 Wireshark \u67e5\u770b TFTP \u6216 HTTP \u534f\u8bae\uff09\u770b\u662f\u5426\u6b63\u5e38\u3002

\u6bcf\u5929\u51cc\u6668\uff0cpxe \u7528\u6237\u7684 crontab \u4efb\u52a1\u4f1a\u6267\u884c https://github.com/ustclug/simple-pxe/blob/master/simple-pxe-in-docker\uff08\u6587\u4ef6\u4f4d\u4e8e pxe \u7528\u6237\u7684 home \u4e2d\uff09\uff0c\u5b9e\u73b0 PXE \u76f8\u5173\u6587\u4ef6\u7684\u66f4\u65b0\u3002

"},{"location":"services/pxe/#faults","title":"\u6545\u969c","text":"

pxe \u670d\u52a1\u5668\u5728\u5347\u7ea7\u5230 Debian Bullseye (11) \u540e\u65e0\u6cd5\u6b63\u5e38\u5f00\u673a\uff0c\u7ecf\u8fc7 GRUB \u8fdb\u5165\u5185\u6838\u540e\u6bcf 5 \u79d2\u5237\u51fa\u4ee5\u4e0b\u4fe1\u606f\uff1a

DMAR: DRHD: handling fault status reg 2\nDMAR: [DMA Read] Request device [03:00.0] PASID ffffffff fault addr cb2f0000 [fault reason 06] PTE Read access is not set\nDMAR: DRHD: handling fault status reg 102\n

\u7531\u4e8e\u6b64\u65f6\u521a\u5347\u7ea7\u81f3 Debian Bullseye\uff0c\u6240\u4ee5\u7cfb\u7edf\u4ecd\u7136\u4fdd\u7559\u4e86 Debian Buster \u7684 4.19 \u7248\u5185\u6838\u3002\u91cd\u542f\u8fdb\u8be5\u5185\u6838\u53ef\u6b63\u5e38\u542f\u52a8\u5e76\u8fd0\u884c\u670d\u52a1\uff0c\u4f46\u53ea\u8981\u8fdb 5.10 \u7684\u5185\u6838\u5c31\u4f1a\u51fa\u73b0\u4ee5\u4e0a\u9519\u8bef\u3002\u6d4b\u8bd5 Proxmox VE \u63d0\u4f9b\u7684 pve-kernel-5.15 \u4e5f\u662f\u540c\u6837\u95ee\u9898\u3002

\u641c\u7d22\u53d1\u73b0\u4e3b\u673a\u4f7f\u7528\u7684 RAID \u5361 PERC H310 \u4e0d\u652f\u6301\u76f4\u901a\uff08IOMMU \u865a\u62df\u5316\uff09\uff0c\u914d\u7f6e GRUB \u52a0\u5165 intel_iommu=off \u540e\u53ef\u4ee5\u6b63\u5e38\u8fdb\u5165 5.10 \u7684\u5185\u6838\uff0c\u4f5c\u4e3a\u89e3\u51b3\u65b9\u6848\u3002

\u8c03\u67e5\u7ed3\u679c

\u6309\u8bf4 IOMMU\uff08VT-d\uff09\u4e0d\u5e94\u8be5\u9ed8\u8ba4\u542f\u7528\uff0c\u56e0\u6b64\u731c\u6d4b 5.10+ \u7684\u5185\u6838\u4f1a\u4e3b\u52a8\u5c1d\u8bd5\u5f00\u542f IOMMU\uff0c\u5bfc\u81f4 RAID \u5361\u51fa\u9519\u3002

\u6bd4\u8f83 /boot/config-4.19.0-18-amd64 \u548c /boot/config-5.10.0-11-amd64 \u540e\u53d1\u73b0 5.10 \u7248\u7684 config \u591a\u4e86\u4e00\u884c CONFIG_INTEL_IOMMU_DEFAULT_ON_INTGPU_OFF=y\uff0c\u641c\u7d22\u53d1\u73b0 Debian bug #932086\uff0c\u5373 Debian \u9ed8\u8ba4\u5bf9\u9664\u4e86 Intel GPU \u4ee5\u5916\u7684\u8bbe\u5907\u542f\u7528 IOMMU\uff08linux 5.2.9-2\uff09\u3002

\u53c2\u8003\u94fe\u63a5\uff1a

"},{"location":"services/pxe/images/","title":"PXE \u955c\u50cf","text":""},{"location":"services/pxe/images/#uefi-shell","title":"UEFI Shell","text":"

https://github.com/ustclug/simple-pxe/blob/master/menu.d/tool.sh

\u4f9d\u8d56\u4e8e Arch Linux \u63d0\u4f9b\u7684 EFI \u6587\u4ef6\u3002

"},{"location":"services/pxe/images/#memtest86","title":"Memtest86+","text":"

https://github.com/memtest86plus/memtest86plus

\u6b64\u5916 memtest86 \u6709\u4e2a\u95ed\u6e90\u5b9e\u73b0\uff0c\u4e0d\u8003\u8651\u7ee7\u7eed\u7ef4\u62a4\u3002

\u4ee5\u4e0b\u6b65\u9aa4\u53c2\u8003\u4e86 https://gitlab.archlinux.org/archlinux/packaging/packages/memtest86plus/-/blob/main/PKGBUILD?ref_type=heads\u3002

git clone https://github.com/memtest86plus/memtest86plus.git\ncd memtest86plus/build64\nmake\n

\u5f97\u5230\u7684 memtest.bin \u662f BIOS \u7248\u7684\uff0cmemtest.efi \u662f UEFI \u7248\u7684\u3002

\u542f\u52a8\u83dc\u5355\uff1ahttps://github.com/ustclug/simple-pxe/blob/master/menu.d/tool.sh\u3002

"},{"location":"services/pxe/images/#gparted","title":"GParted","text":"

https://github.com/ustclug/simple-pxe/blob/master/menu.d/gparted.sh\u3002

\u542f\u52a8\u53c2\u6570\u4e0d\u80fd\u52a0 ip=\uff1ahttps://gitlab.gnome.org/GNOME/gparted/-/issues/141\u3002

"},{"location":"services/pxe/liims/","title":"LIIMS","text":"

Short for Libray Independent Inquery Machine System.

Server: pxe.s.ustclug.org

Git Repository:

It is strongly advised to clone liimstrap and read through it when reading this document.

"},{"location":"services/pxe/liims/#add-machine","title":"\u542f\u52a8\u914d\u7f6e","text":"

\u914d\u7f6e\u6587\u4ef6\u5728 /home/pxe/tftp/grub/grub.cfg.d\uff0c\u82e5\u8981\u5141\u8bb8\u65b0\u673a\u5668\u542f\u52a8 liims \u955c\u50cf\uff0c\u521b\u5efa\u4e00\u4e2a\u7b26\u53f7\u94fe\u63a5\u5230\u5bf9\u5e94\u7684\u914d\u7f6e\u6587\u4ef6\u3002\u4f8b\u5982\uff1a

ln -s common_el 02:23:45:67:89:ab\n

\u76ee\u524d\u6211\u4eec\u901a\u8fc7\u51e0\u4e2a\u7b26\u53f7\u94fe\u63a5\u5c06\u914d\u7f6e\u6587\u4ef6\u201c\u5206\u7ec4\u201d\uff0cMAC \u5730\u5740\u5bf9\u5e94\u7684\u7b26\u53f7\u94fe\u63a5\u5e94\u8be5\u94fe\u63a5\u5230\u8fd9\u4e9b\u5206\u7ec4\u4e0a\u3002\u5df2\u6709\u7684\u5206\u7ec4\u5982\u4e0b\uff1a

\u9664\u6b64\u4e4b\u5916\uff0c\u8fd8\u9700\u8981\u5728\u67e5\u8be2\u673a\u76d1\u63a7\u7a0b\u5e8f\u4e2d\u6dfb\u52a0\u8be5 MAC \u5730\u5740\uff0c\u89c1\u4e0b\u65b9\u67e5\u8be2\u673a\u76d1\u63a7\u3002

"},{"location":"services/pxe/liims/#lib-api","title":"\u4e3a\u56fe\u4e66\u9986\u8001\u5e08\u5f00\u653e\u7684\u63a5\u53e3","text":"

\u56fe\u4e66\u9986\u8001\u5e08\u53ef\u4ee5\u901a\u8fc7 SSH \u767b\u5f55\u673a\u5668\u76f4\u63a5\u521b\u5efa\u6240\u9700\u7684\u7b26\u53f7\u94fe\u63a5\uff08\u4f46\u662f\u8fd8\u9700\u8981\u6211\u4eec\u6765\u6539\u76d1\u63a7\u7a0b\u5e8f\u7684 json\uff09\u3002\u76f8\u5173\u914d\u7f6e\u5982\u4e0b\uff1a

/etc/sudoers.d/sonnie
sonnie ALL=(pxe) NOPASSWD: /home/pxe/tftp/grub/grub.cfg.d/add_host.py *\n
/etc/ssh/sshd_config
Match User sonnie\n    AllowUsers sonnie\n    PubkeyAuthentication yes\n    AuthorizedKeysFile .ssh/authorized_keys\n

/etc/nsswitch.conf

\u628a sudoers \u4e00\u884c\u4e2d\u7684 ldap \u79fb\u5230 files \u524d\u9762\u3002

\u9ed8\u8ba4\u60c5\u51b5\u4e0b ldap \u5728 files \u540e\u9762\uff0c\u90a3\u4e48\u6765\u81ea LDAP \u7684 sudo rules \u4f1a\u6392\u5728 sudoers \u6587\u4ef6\u4e2d\u7684 rules \u7684\u540e\u9762\uff0c\u800c sudo \u662f\u540e\u9762\u7684\u89c4\u5219\u4f18\u5148\u7ea7\u66f4\u9ad8\uff0c\u4f1a\u5bfc\u81f4\u65e0\u6cd5 NOPASSWD \u8fd0\u884c\u811a\u672c\u3002

"},{"location":"services/pxe/liims/#_1","title":"\u542f\u52a8\u955c\u50cf","text":"

\u4f4d\u4e8e /home/pxe/nfsroot/<category>/<name>\uff0c\u5176\u4e2d <name> \u5c31\u662f\u955c\u50cf\u540d\u79f0\uff08\u4f8b\u5982 liims160909\uff09\u3002\u76ee\u524d\u6709\u4e24\u79cd\u90e8\u7f72\u65b9\u5f0f\uff1a\u4e00\u79cd\u662f NFS as rootfs\uff0c\u6587\u4ef6\u5939\u4e2d\u5c31\u662f\u6574\u4e2a rootfs\uff0c\u76f4\u63a5\u4fee\u6539\u8fd9\u91cc\u7684\u6587\u4ef6\uff0c\u673a\u5668\u91cd\u542f\u540e\u5c31\u4f1a\u8f7d\u5165\u3002\uff08\u6ce8\u610f\uff1a\u8986\u76d6\u6587\u4ef6\u53ef\u80fd\u5bfc\u81f4\u5df2\u6709\u7684\u673a\u5668\u8fd0\u884c\u9519\u8bef\uff09

\u53e6\u4e00\u79cd\u662f\u6253\u5305\u538b\u7f29\u4e3a squashfs\uff0c\u6b64\u65f6\u6587\u4ef6\u5939\u4e0b\u4e09\u4e2a\u6587\u4ef6\u5206\u522b\u4e3a vmlinuz\uff08kernel\uff09, initrd.img \u548c root.sfs\uff08squashfs \u955c\u50cf\uff09\u3002\u5982\u679c\u9700\u8981\u4fee\u6539\uff0c\u53ef\u4ee5\u4f7f\u7528 unsquashfs \u89e3\u538b\u7f29\uff0c\u4fee\u6539\u5b8c\u6210\u540e\u53c2\u8003\u4ed3\u5e93\u4e2d deploy \u6587\u4ef6\u518d\u538b\u7f29\u4e3a squashfs\u3002

IP \u767d\u540d\u5355\u91c7\u7528 iptables \u5b9e\u73b0\uff0c\u4fee\u6539 rootfs \u4e0b\u7684 etc/iptables/rules.v4 \u548c rules.v6 \u53ef\u4fee\u6539\u7b56\u7565\u3002\u6ce8\u610f\uff1a\u9632\u706b\u5899\u7b56\u7565\u4ec5\u5728\u673a\u5668\u542f\u52a8\u65f6\u4f1a\u8f7d\u5165\u4e00\u6b21\u3002

"},{"location":"services/pxe/liims/#_2","title":"\u955c\u50cf\u6784\u5efa","text":"

\u5907\u6ce8

\u6b64\u8282\u7684\u5185\u5bb9\u4ec5\u9002\u7528\u4e8e 2022 \u4e4b\u524d\u7684\u8001\u7248\u672c\uff0c\u65b0\u7248\u672c\u6709\u5173\u6784\u5efa\u3001\u8c03\u8bd5\u7b49\u5185\u5bb9\u8bf7\u76f4\u63a5\u9605\u8bfb liimstrap \u4ed3\u5e93 README\u3002

\u4f7f\u7528 liimstrap \u5728 ArchLinux \u4e0b\u8fdb\u884c\u6784\u5efa\uff0cliimstrap \u4f7f\u7528\u65b9\u6cd5\u53c2\u8003\u4ed3\u5e93\u4e2d\u7684\u8bf4\u660e\u3002

\u6784\u5efa\u540e\u9700\u8981\u63a8\u9001\u5230\u670d\u52a1\u5668\u4e0a\u7684 /nfsroot/liims \u4e0b\uff0c\u5e76\u8bbe\u7f6e /usr \u7684\u6240\u6709\u8005\u4e3a liims\u3002\u673a\u5668\u7684\u9ed8\u8ba4 pxe \u542f\u52a8\u914d\u7f6e\u5728 /home/pxe/tftp/pxelinux.cfg/ \u4e0b

"},{"location":"services/pxe/liims/#qemu","title":"\u793a\u4f8b qemu \u8c03\u8bd5\u65b9\u6cd5","text":"

\u521b\u5efa\u5e76\u6302\u8f7d\u4e34\u65f6\u955c\u50cf:

dd if=/dev/zero of=liims.img bs=4k count=1200000\nmkfs.ext4 liims.img\nmount -o loop liims.img /mnt\n

\u5047\u8bbe\u5f53\u524d\u8def\u5f84\u4e3a liimstrap\uff0c\u4fee\u6539 initcpio/mkinitcpio.conf\uff0c\u53bb\u6389 HOOKS \u4e2d\u7684 liims_root\uff0c\u589e\u52a0 block\uff08\u4ec5\u8c03\u8bd5\u65f6\u9700\u8981\uff09\u3002 \u4f7f\u7528 liimstrap \u5236\u4f5c\u955c\u50cf ./liimstrap /mnt\u3002\u5b8c\u6210\u540e\u4f7f\u7528 qemu \u6253\u5f00\u8c03\u8bd5:

qemu -kernel /mnt/boot/vmlinuz-lts\\\n     -initrd /mnt/boot/initramfs-linux-lts.img\\\n     -hda liims.img\\\n     -netdev user,id=mynet0,net=114.214.188.0/24,dhcpstart=114.214.188.9\\\n     -device i82557a,netdev=mynet0\\\n     -append \"root=/dev/sda rootflags=rw\"\n

\u6ce8\uff1a\u5176\u4e2d netdev \u4e2d\u7684 ip \u6bb5\u53ef\u4ee5\u81ea\u7531\u9009\u53d6\uff0cdevice \u4e2d\u7684\u8bbe\u5907\u540d\u901a\u8fc7 qemu -device \\? \u67e5\u770b\u540e\u9009\u62e9\u4efb\u4e00\u7f51\u7edc\u8bbe\u5907\u5373\u53ef

"},{"location":"services/pxe/liims/#monitor","title":"\u67e5\u8be2\u673a\u76d1\u63a7","text":"

http://pxe.ustc.edu.cn:3000/

2022 \u5e74\u524d\uff0c\u63d0\u4f9b\u670d\u52a1\u7684\u662f\u4e00\u4e2a Docker \u5bb9\u5668\u3002\u5728 iBug \u7528 Go \u91cd\u5199\u4e4b\u540e\uff0c\u76ee\u524d\u76f4\u63a5\u8dd1\u5728 host \u4e0a\u3002

\u6dfb\u52a0\u65b0\u673a\u5668

\u4fee\u6539 https://github.com/ustclug/liimstrap/blob/master/monitor/clients.json \u540e\uff0c\u5728 pxe \u4e0a clone \u5e76\u5728\u5f53\u524d\u76ee\u5f55 build\u3002\u4f7f\u7528 docker-run-script \u4e2d\u5bf9\u5e94\u811a\u672c\u6267\u884c\u5bb9\u5668\u5373\u53ef\u3002

\u4fee\u6539 /etc/liims-monitor/clients.json \u4e4b\u540e systemctl reload liims-monitor.service \u5373\u53ef\u3002

/etc/liims-monitor/clients.json
{\n    \"name\": \"\u4e1c\u533a\u4e09\u697c\u4e1c01\",\n    \"mac\": \"0223456789ab\"\n}\n
"},{"location":"workflow/new-server/","title":"New Server Setup Checklist","text":""},{"location":"workflow/new-server/#ntp-date","title":"NTP Date","text":"

Install either chrony or systemd-timesyncd (recommended). Usually chrony comes pre-installed so it's easily forgot.

=== \"Chrony\"

Replace the default NTP pool with USTC's NTP server `time.ustc.edu.cn`, like this:\n\n```shell title=\"/etc/chrony/chrony.conf\" linenums=\"7\"\n# Use Debian vendor zone.\n#pool 2.debian.pool.ntp.org iburst\nserver time.ustc.edu.cn iburst\n```\n\nThen restart the service:\n\n```shell\nsystemctl restart chrony\n```\n

=== \"systemd-timesyncd\"

For Debian 11 and up, we use an override file to configure the NTP server:\n\n```shell title=\"/etc/systemd/timesyncd.conf.d/ustc.conf\"\n[Time]\nNTP=time.ustc.edu.cn\n```\n\nThen restart the service:\n\n```shell\nsystemctl restart systemd-timesyncd\n```\n
"},{"location":"workflow/new-server/#time-zone","title":"Time zone","text":"

Run dpkg-reconfigure tzdata and select Asia/Shanghai as the timezone. Reboot the server.

"},{"location":"workflow/new-server/#use-nft-backend-for-iptables","title":"Use nft-backend for iptables","text":"
update-alternatives --set iptables /usr/sbin/iptables-nft\nupdate-alternatives --set ip6tables /usr/sbin/ip6tables-nft\n
"},{"location":"workflow/new-server/#update-resolvconf","title":"Update resolv.conf","text":""},{"location":"workflow/new-server/#install-console-setup","title":"Install console-setup","text":"

This may have already come with the base system. It's more likely missed if the system is installed from scratch (bootstrapped).

"},{"location":"workflow/new-vm/","title":"Create new server in LUGi","text":"

We no longer have a vSphere cluster, so anything mentioning vSphere is left only for references.

"},{"location":"workflow/new-vm/#create-vm-in-vcenter","title":"Create VM in vCenter","text":"

vCenter \u5730\u5740\uff1avcenter2.vm.ustclug.org

\u6309\u7167\u63d0\u793a\u521b\u5efa\u865a\u62df\u673a

"},{"location":"workflow/new-vm/#install-os-vsphere","title":"Install OS (vSphere)","text":"

Note

\u5c06\u7f51\u7edc\u6539\u4e3a cernet\uff0c\u4ee5\u4fbf\u7528 DHCP \u83b7\u5f97 IP \u5730\u5740\uff0c\u7528 PXE \u5b89\u88c5\u7cfb\u7edf\u3002

\u51e0\u4e2a\u5173\u952e\u914d\u7f6e\uff1a

"},{"location":"workflow/new-vm/#create-vm-on-proxmox-ve","title":"Create VM on Proxmox VE","text":"

\u6211\u4eec\u76ee\u524d\u4e0d\u4f7f\u7528 PVE \u8fd0\u884c LXC \u5bb9\u5668\uff0c\u56e0\u6b64\u672c\u6587\u6863\u53ea\u4ecb\u7ecd\u521b\u5efa KVM \u865a\u62df\u673a\u7684\u6b65\u9aa4\u3002\u63a8\u8350\u4f7f\u7528 web \u754c\u9762\u64cd\u4f5c\uff0c\u9664\u975e\u4f60\u9700\u8981\u6279\u91cf\u521b\u5efa\u865a\u62df\u673a\uff08\u6b64\u65f6\u901a\u8fc7 SSH \u767b\u5f55\u540e\u53ef\u4ee5\u4f7f\u7528 qm \u547d\u4ee4\u6279\u5904\u7406\uff09\u3002

\u767b\u5f55 web \u754c\u9762\uff0c\u70b9\u51fb\u53f3\u4e0a\u89d2\u7684 Create VM\uff0c\u5f39\u51fa\u521b\u5efa\u865a\u62df\u673a\u7684\u5bf9\u8bdd\u6846\u3002

General

\u6b63\u786e\u9009\u62e9\u865a\u62df\u673a\u6240\u5728\u7684 Node\uff08\u5373 Host\uff09\uff0c\u5e76\u6307\u5b9a\u4e00\u4e2a VMID\u3002\u76ee\u524d VMID \u7684\u5206\u914d\u65b9\u6848\u662f\u4e1c\u56fe 300-399\uff0cNIC 200-299\uff0c\u5728\u6b64\u57fa\u7840\u4e0a\u9012\u589e\u5373\u53ef\u3002\u7ed9 VM \u8d77\u4e2a\u6613\u4e8e\u8fa8\u8bc6\u7684\u540d\u79f0\uff0c\u4e0d\u8981\u4e0e\u5df2\u6709 VM \u91cd\u590d\u3002Resource Pool \u7559\u7a7a\u5373\u53ef\u3002

OS

\u9664\u975e\u4f60\u8981\u4f7f\u7528 iso \u955c\u50cf\u624b\u52a8\u5b89\u88c5\u7cfb\u7edf\uff0c\u5426\u5219\u8bf7\u9009\u62e9\u300cDo not use any media\u300d\u3002\u6b63\u786e\u9009\u62e9 Guest OS \u7684\u7c7b\u578b\u548c\u7248\u672c\u3002

System

\u5c06 SCSI Controller \u8bbe\u4e3a VirtIO SCSI\uff08\u6ce8\u610f\u4e0d\u8981\u9009 VirtIO SCSI Single\uff09\uff0c\u52fe\u4e0a Qemu Agent \u9009\u9879\uff0c\u5176\u4ed6\u9009\u9879\u90fd\u9009 Default \u5373\u53ef\u3002

Disks, CPU, Memory

\u6309\u9700\u5206\u914d\uff0c\u78c1\u76d8\u5bb9\u91cf\u5efa\u8bae\u63a7\u5236\u5728 10 GB \u4ee5\u5185\uff08\u4ec5\u7cfb\u7edf\u76d8\uff0c\u53ef\u53e6\u52a0\u6570\u636e\u76d8\uff09\uff0c\u5176\u4e2d Disk \u52fe\u9009\u4e0a Discard\uff0cCPU Type \u63a8\u8350\u9009\u62e9 Host\u3002

Network

\u6309\u9700\u9009\u62e9\uff0cModel \u9009 VirtIO\uff0c\u7136\u540e\u53d6\u6d88\u52fe\u9009 Firewall\u3002

\u8bb0\u5f97\u5728\u865a\u62df\u673a\u7684 Options \u91cc\u5c06 Start at boot \u8bbe\u4e3a Yes

\u5728 Proxmox VE \u4e0a\uff0c\u901a\u8fc7 web \u754c\u9762\u521b\u5efa\u65b0\u865a\u62df\u673a\u540e\uff0c\u53ef\u4ee5\u4f7f\u7528\u666e\u901a\u65b9\u5f0f\u5b89\u88c5\u7cfb\u7edf\uff0c\u4e5f\u53ef\u4ee5\u76f4\u63a5\u5bfc\u5165\u53d1\u884c\u7248\u63d0\u4f9b\u7684\u865a\u62df\u673a\u955c\u50cf\uff08\u9700\u8981\u901a\u8fc7 SSH \u767b\u5f55 Proxmox VE \u6216 NFS \u670d\u52a1\u5668\uff09\u3002

\u4e0b\u9762\u4ee5 Debian \u4e3a\u4f8b\uff0c\u521b\u5efa\u4e00\u4e2a\u65b0\u865a\u62df\u673a\uff0c\u7136\u540e\u6253\u5f00 https://mirrors.ustc.edu.cn/debian-cdimage/cloud/bullseye/\uff0c\u70b9\u51fb\u6700\u65b0\u7684\u76ee\u5f55\uff08\u51fa\u4e8e\u672a\u77e5\u539f\u56e0 latest \u94fe\u63a5\u662f\u574f\u7684\uff09\uff0c\u590d\u5236 debian-11-genericcloud-amd64-<date>-<rev> \u7684\u94fe\u63a5\uff08\u63a8\u8350\u4f7f\u7528 genericcloud \u800c\u4e0d\u662f generic\uff0c\u5176\u9884\u88c5 linux-image-cloud-amd64\uff0c\u76f8\u6bd4\u4e8e\u201c\u5b8c\u6574\u7248\u201d\u5185\u6838\u7cbe\u7b80\u6389\u4e86\u5927\u90e8\u5206\u7269\u7406\u8bbe\u5907\u7684\u9a71\u52a8\u7a0b\u5e8f\uff0c\u9002\u7528\u4e8e\u865a\u62df\u673a\u73af\u5883\uff09\uff0c\u7136\u540e\u767b\u5f55 Proxmox VE \u6216 vdp\uff08NFS \u670d\u52a1\u5668\uff09\uff0c\u4f7f\u7528\u4ee5\u4e0b\u547d\u4ee4\u76f4\u63a5\u4e0b\u8f7d\u955c\u50cf\u81f3\u865a\u62df\u673a\u78c1\u76d8\uff1a

# Proxmox VE (ZFS / LVM), use RAW\nwget -O /dev/zvol/rpool/data/vm-<id>-disk-0 https://mirrors.ustc.edu.cn/<...>.raw\nwget -O /dev/<vg>/<lv> https://mirrors.ustc.edu.cn/<...>.raw\n\n# vdp over NFS, use QCOW2\nwget -O /media/vdp/pve/images/<path>.qcow2 https://mirrors.ustc.edu.cn/<...>.qcow2\n

\u7136\u540e\u5728 web \u754c\u9762\u6307\u5b9a\u865a\u62df\u673a\u7684\u78c1\u76d8\uff08\u5982\u6709\u9700\u8981\uff09\u3002

"},{"location":"workflow/new-vm/#reset-password","title":"Reset password","text":"

\u7531\u4e8e Debian \u63d0\u4f9b\u7684 cloud image \u9ed8\u8ba4\u7981\u7528\u4e86 root \u7528\u6237\uff0c\u9700\u8981\u624b\u52a8\u6302\u8f7d\u78c1\u76d8\uff0c\u7f16\u8f91\u78c1\u76d8\u4e2d\u7684 /etc/shadow \u6587\u4ef6\uff0c\u5c06\u7b2c\u4e00\u884c\u7684 root:*:... \u6539\u4e3a root::...\uff08\u5373\u5220\u6389\u661f\u53f7\uff09\u3002\u6ce8\u610f\u4e0d\u8981\u8bef\u6539\u4e3b\u673a\u7684 shadow \u6587\u4ef6\u3002

Tip

\u6b64\u6b65\u9aa4\u4e5f\u53ef\u4ee5\u66ff\u6362\u4e3a chroot \u8fdb\u53bb\u540e\u4f7f\u7528 passwd \u4fee\u6539\u6216\u6e05\u7a7a\u5bc6\u7801\u3002\u5982\u679c\u4f60\u4e0d\u591f\u719f\u6089 shadow \u6587\u4ef6\u7684\u683c\u5f0f\uff0c\u8fd9\u6837\u505a\u66f4\u5b89\u5168\u3002

\u5bf9\u4e8e ZFS \u548c LVM \u5b58\u50a8\u7684\u78c1\u76d8\uff0c\u53ef\u4ee5\u76f4\u63a5\u6302\u8f7d /dev/zvol/<...> \u6216 /dev/<vg>/<lv>\uff08\u4f60\u53ef\u80fd\u9700\u8981\u4f7f\u7528 kpartx \u5de5\u5177\u52a0\u8f7d\u5206\u533a\uff09\u3002\u5bf9\u4e8e Qcow2 \u6587\u4ef6\u7684\u78c1\u76d8\uff0c\u53ef\u4ee5\u53c2\u8003\u8fd9\u4e2a Gist \u4f7f\u7528 qemu-nbd \u5de5\u5177\u6765\u6302\u8f7d\u3002\u5176\u4e2d nbd \u662f Linux \u539f\u751f\u7684\u5185\u6838\u6a21\u5757\uff0c\u53ef\u4ee5\u653e\u5fc3 modprobe\u3002

\u4f60\u4e5f\u53ef\u4ee5\u5728\u8fd9\u4e00\u6b65\u540c\u65f6\u4fee\u6539\u522b\u7684\u914d\u7f6e\u6587\u4ef6\uff0c\u4f8b\u5982\u628a /etc/apt/sources.list \u6362\u6389\u7b49\u3002\u4fee\u6539\u5b8c\u6210\u540e\u4e0d\u8981\u5fd8\u8bb0 umount\u3002

"},{"location":"workflow/new-vm/#extra-configurations-for-cloud-images","title":"Extra configurations for cloud images","text":"

The first two or three boots may hang or end up in kernel panic - this is completely normal. The cloud image will grow the root partition and filesystem to the virtual disk size. After it's all set, purge everything related to cloud-init.

For better console experiences, install and configure console-setup, and add vga=792 to GRUB_CMDLINE_LINUX in /etc/default/grub. Then run update-grub and reboot.

"},{"location":"workflow/new-vm/#configure-network","title":"Configure network","text":""},{"location":"workflow/new-vm/#install-software","title":"Install software","text":""},{"location":"workflow/new-vm/#configure-ldap-and-ssh-ca","title":"Configure LDAP and SSH CA","text":"

\u89c1 LDAP \u670d\u52a1\u4f7f\u7528\u53ca\u914d\u7f6e\u8bf4\u660e \u548c \u4e3a\u670d\u52a1\u5668\u8bbe\u7f6e SSH CA

"},{"location":"workflow/ldap/add-new-user/","title":"\u5728 LDAP \u4e2d\u6dfb\u52a0\u65b0\u7528\u6237","text":""},{"location":"workflow/ldap/add-new-user/#ldap_1","title":"\u65b0\u5efa LDAP \u7528\u6237","text":"
  1. \u767b\u9646\u7f51\u9875\u754c\u9762
  2. Users > Actions > Create > User
  3. Generic: \u8f93\u5165 Last name\uff0cFirst name\uff0cLogin\uff08\u767b\u5f55\u540d\uff09
  4. POSIX > Generic\uff1a\u8f93\u5165 Home directory\u3002\u4f7f\u7528 Force UID/GID \uff0c\u5177\u4f53\u8bf4\u660e\u8be6\u89c1 LDAP Users \u548c Groups
"},{"location":"workflow/ldap/add-new-user/#ldap_2","title":"\u6dfb\u52a0 LDAP \u7528\u6237\u6743\u9650","text":"

POSIX > Group membership > Add\uff1a\u6839\u636e\u9700\u8981\u6dfb\u52a0\u7684\u6743\u9650\u9009\u62e9\u5bf9\u5e94\u7684\u7ec4\uff0c\u5177\u4f53\u8bf4\u660e\u8be6\u89c1 LDAP Users \u548c Groups

LDAP \u7f13\u5b58

\u82e5\u53d1\u73b0\u7528\u6237\u65e0\u6cd5\u767b\u9646\u7b49\u60c5\u51b5\uff0c\u53ef\u80fd\u662f\u7f13\u5b58\u670d\u52a1 NSCD \u5bfc\u81f4\u7684\uff0c\u5177\u4f53\u53c2\u8003 LDAP Users \u548c Groups\uff1a

"},{"location":"workflow/mirrors/maintenance/","title":"\u5f00\u6e90\u8f6f\u4ef6\u955c\u50cf\u7ad9\u7ef4\u62a4\u65b9\u5f0f","text":"

\u79d1\u5927\u5f00\u6e90\u8f6f\u4ef6\u955c\u50cf\u7ad9\u662f LUG \u6700\u91cd\u8981\u7684\u670d\u52a1\u4e4b\u4e00\uff0c\u56e0\u6b64\u7ef4\u62a4\u64cd\u4f5c\u5fc5\u987b\u8c28\u614e\u3002

"},{"location":"workflow/mirrors/maintenance/#_2","title":"\u91cd\u542f\u7cfb\u7edf","text":"

\u7531\u4e8e mirrors \u670d\u52a1\u91cf\u5927\uff0c\u91cd\u542f\u5e94\u63d0\u524d\u5728 LUG \u670d\u52a1\u5668\u65b0\u95fb\u7ad9 \u53d1\u5e03\u516c\u544a\u3002

"},{"location":"workflow/mirrors/maintenance/#_3","title":"\u5b89\u88c5\u66f4\u65b0","text":""},{"location":"workflow/mirrors/maintenance/#_4","title":"\u666e\u901a\u66f4\u65b0","text":"

\u591a\u6570\u66f4\u65b0\u53ef\u4ee5\u76f4\u63a5\u4ece apt \u6e90\u5b89\u88c5\uff0c\u4f46\u662f\u90e8\u5206\u8f6f\u4ef6\u5e76\u975e\u6765\u81ea Debian \u5b98\u65b9\u4ed3\u5e93\uff08\u4f8b\u5982 OpenResty\uff09\uff0c\u56e0\u6b64\u66f4\u65b0\u7b56\u7565\u53ef\u80fd\u4e0d\u50cf Debian \u90a3\u4e48\u7a33\u5b9a\u3002\u5982\u679c\u9047\u5230\u63d0\u793a\u914d\u7f6e\u6587\u4ef6\u51b2\u7a81\uff0c\u8bf7\u5c3d\u91cf\u9009\u62e9 3-way merge\uff0c\u5982\u679c\u5931\u8d25\u7684\u8bdd\u53ef\u4ee5\u5148 keep local version\uff0c\u7136\u540e\u624b\u52a8\u89e3\u51b3\u5408\u5e76\u51b2\u7a81\u3002

"},{"location":"workflow/mirrors/maintenance/#_5","title":"\u5185\u6838\u66f4\u65b0","text":"

mirrors \u4f7f\u7528\u4e86\u5185\u6838\u6a21\u5757\u63d0\u4f9b\u4e00\u4e9b\u529f\u80fd\u652f\u6301\uff0c\u5982 ZFS\u3002\u56e0\u6b64\u53ea\u8981\u66f4\u65b0\u4e86\u5185\u6838\uff0c\u5c31\u4e00\u5b9a\u8981\u6ce8\u610f\u5185\u6838\u6a21\u5757\u662f\u5426\u5b89\u88c5\u6210\u529f\uff0c\u5982\u679c apt \u5b89\u88c5\u5931\u8d25\u53ef\u4ee5\u624b\u52a8\u8fd0\u884c dkms autoinstall\uff0c\u4ee5\u786e\u4fdd\u65b0\u5185\u6838\u91cd\u542f\u65f6\u80fd\u6b63\u786e\u52a0\u8f7d\u5fc5\u987b\u7684\u5185\u6838\u6a21\u5757\u3002

"},{"location":"workflow/mirrors/maintenance/#ipmi","title":"IPMI","text":"

\u5730\u5740\u6682\u65e0\uff0c\u4e00\u822c\u7528\u6d4f\u89c8\u5668\u76f4\u63a5\u8bbf\u95ee\u5c31\u884c\u4e86\u3002\u5982\u679c\u9700\u8981\u63a5\u5165\u7ec8\u7aef\uff0cDashboard \u5de6\u8fb9\u7684 Remote Control \u6709 Launch \u6309\u94ae\u3002\u5982\u679c\u6d4f\u89c8\u5668\u4e0d\u652f\u6301 Java \u5c31\u4f1a\u4e0b\u8f7d\u4e00\u4e2a jviewer.jnlp\uff0c\u81ea\u884c\u89e3\u51b3 Java \u7684\u5b89\u5168\u8b66\u544a\u5373\u53ef\u4f7f\u7528\u3002

\u5f53\u7136\u5982\u679c\u4f1a\u7528 ipmitool \u66f4\u597d\uff0c\u90a3\u8fd9\u4e00\u6bb5\u7684\u8bf4\u660e\u5c31\u4ea4\u7ed9\u4f60\u6765\u8865\u5145\u4e86 :)

"},{"location":"workflow/mirrors/maintenance/#ipmitool","title":"ipmitool \u7b80\u4ecb","text":"

\u5c3d\u7ba1\u51e0\u4e4e\u6211\u4eec\u673a\u5668\u7684 IPMI \u90fd\u6709 Web \u754c\u9762\uff0c\u4f46\u662f Web \u754c\u9762\u4e0d\u4e00\u5b9a\u9760\u8c31\uff0c\u53ef\u80fd\u4f1a\u51fa\u73b0\u6545\u969c\u3002\u6b64\u65f6\uff0c\u6211\u4eec\u53ef\u4ee5\u4f7f\u7528 ipmitool \u91cd\u7f6e IPMI \u7684\u72b6\u6001\uff08\u7cfb\u7edf\u914d\u7f6e\u4e0d\u4f1a\u6539\u53d8\uff09

\u53c2\u8003\u547d\u4ee4\uff1a

# \u4e00\u90e8\u5206 IPMI \u7684 interface \u662f lanplus \u800c\u4e0d\u662f lan\uff0c\u6bd4\u5982\u8bf4 mirrors3\nipmitool -I lan -H IPMI\u7684IP -U \u7528\u6237\u540d -a mc reset cold\n

\u5177\u4f53\u8be6\u60c5\u53ef\u4ee5\u770b ipmitool \u7684 manpage\u3002

\u53e6\u5916:

"}]} \ No newline at end of file +{"config":{"lang":["en"],"separator":"[\\s\\-]+","pipeline":["stopWordFilter"]},"docs":[{"location":"","title":"LUG @ USTC Documentation","text":"

Documentation for LUG @ USTC technical infrastructure.

"},{"location":"#layout","title":"Layout","text":"

Our documentation is divided into these sections, as laid out on the left navigation menu:

"},{"location":"#links","title":"References","text":""},{"location":"faq/apparmor/","title":"AppArmor","text":""},{"location":"faq/apparmor/#proxmox-kernel-debian-userspace","title":"Proxmox kernel + Debian userspace","text":"

Proxmox \u4f7f\u7528 Ubuntu kernel\uff0c\u4f46\u662f Ubuntu kernel \u7684 apparmor \u76f8\u6bd4\u4e8e Debian kernel \u6dfb\u52a0\u4e86\u4e00\u4e9b feature\uff0c\u8bf8\u5982 Unix socket \u7ba1\u7406\u3002Debian \u7684 apparmor \u5305\u7684 /etc/apparmor/parser.conf \u9ed8\u8ba4\u914d\u7f6e\u9650\u5236\u4e86\u529f\u80fd\u96c6\u5408\uff1a

## Pin feature set (avoid regressions when policy is lagging behind\n## the kernel)\npolicy-features=/usr/share/apparmor-features/features\n

Proxmox \u7684 lxc \u652f\u6301\u5305\u4f1a\u8986\u76d6 /usr/share/apparmor-features/features \u4e3a Ubuntu \u7684\u7248\u672c\uff0c\u4f46\u662f\u5982\u679c\u53ea\u5b89\u88c5 Proxmox/Ubuntu kernel\uff0c\u5bf9\u5e94\u7684 features \u6587\u4ef6\u5c31\u4e0d\u5305\u542b Unix socket \u652f\u6301\uff0c\u8fd9\u4f1a\u76f4\u63a5\u5bfc\u81f4 Docker \u7b49\u7a0b\u5e8f\u5185\u90e8\u65e0\u6cd5\u521b\u5efa unix socket \u7b49\u3002

\u4e00\u4e2a workaround \u662f\u6ce8\u91ca\u6389 /etc/apparmor/parser.conf \u7684\u5bf9\u5e94\u884c\u3002

"},{"location":"faq/apparmor/#pve","title":"PVE \u7684\u89e3\u51b3\u65b9\u6848","text":"

\u540e\u7eed\u8c03\u67e5\u53d1\u73b0 lxc-pve \u6253\u5305\u4e86\u81ea\u5df1\u7684 /usr/share/apparmor-features/features \u5e76\u8986\u76d6\u4e86 Debian \u7684\u7248\u672c\uff0c\u56e0\u6b64\u6211\u4eec\u6a21\u4eff lxc-pve \u7684\u505a\u6cd5\u628a Debian \u7684\u7248\u672c\u8986\u76d6\u6389\uff0c\u7136\u540e\u4e0b\u8f7d Proxmox \u7684\u7248\u672c\uff1a

dpkg-divert --package lxc-pve --rename --divert /usr/share/apparmor-features/features.stock --add /usr/share/apparmor-features/features\nwget -O /usr/share/apparmor-features/features https://github.com/proxmox/lxc/raw/master/debian/features\n
"},{"location":"faq/dns/","title":"DNS \u57df\u540d\u89e3\u6790\u95ee\u9898","text":""},{"location":"faq/dns/#wrong-dns-result","title":"\u9519\u8bef\u7684\u89e3\u6790\u7ed3\u679c","text":"

\u6211\u4eec\u7684 DNS \u662f\u5206\u6821\u5185\u5916\u3001\u5206 ISP \u89e3\u6790\u7684\u3002\u6709\u65f6\u5019\u4f1a\u9047\u5230\u6821\u5185\u8bbf\u95ee\u89e3\u6790\u5230\u6821\u5916\uff0c\u53ef\u80fd\u7684\u539f\u56e0\u662f

/etc/resolv.conf \u987a\u5e8f\u4e0d\u5bf9

iBug \u5728 2020 \u5e74 5 \u6708 21 \u65e5\u4fee\u4e86 gw-el \u548c mirrors2\uff0c\u8fd9\u4e24\u4e2a\u673a\u5668\u4e0a\u539f\u5148\u6392\u5728\u6700\u524d\u9762\u7684 nameserver \u5c31\u662f 8.8.4.4 \u6216\u8005 1.1.1.1 \u4e4b\u7c7b\u7684

\u6211\u4eec\u7684\u6743\u5a01\u670d\u52a1\u5668\u4e24\u4e2a\u5728\u6821\u5185\u4e00\u4e2a\u5728\u56fd\u5185\uff0c\u56e0\u6b64\u6821\u5185\u673a\u5668\u5e94\u8be5\u4f18\u5148\u4ece\u6821\u5185\u89e3\u6790\u3002\u628a 202.38.64.1 / 2001:da8:d800::1\uff08\u5b66\u6821\u7684 DNS\uff09\u653e\u6700\u524d\u9762\u80af\u5b9a\u6ca1\u9519

\u5982\u679c IPv4 \u89e3\u6790\u6b63\u786e\u4f46\u662f IPv6 \u8fd8\u662f\u89e3\u6790\u5230\u6821\u5916\u7684\u8bdd\uff0c

/etc/resolv.conf \u7f3a\u5c11 IPv6 \u6761\u76ee

taoky \u5728 2020 \u5e74 5 \u6708 29 \u65e5\u53d1\u73b0\u7684\uff0cmirrors2 \u4e0a\u8bbf\u95ee servers.ustclug.org \u8fd4\u56de Cloudflare \u7684 522 \u9519\u8bef\u9875\u9762\uff08\u6b64\u65f6\u65e5\u672c\u53cd\u4ee3\u6302\u6389\u4e86\uff09\uff0c\u7ecf\u67e5\u5c3d\u7ba1 IPv4 \u6b63\u786e\u89e3\u6790\u5230\u4e86 gw-el \u4e0a\uff0c\u4f46\u662f IPv6 \u8fd8\u662f\u89e3\u6790\u5230\u4e86 Cloudflare \u4e0a\uff0c\u4e14 nslookup \u548c dig \u7b49\u5de5\u5177\u8f93\u51fa\u770b\u8d77\u6765\u90fd\u662f\u5bf9\u7684\u3002

\u6392\u67e5\u53d1\u73b0 /etc/resolv.conf \u91cc\u6ca1\u6709 IPv6 \u7684\u670d\u52a1\u5668\u6761\u76ee\uff0c\u5728\u9760\u524d\u7684\u4f4d\u7f6e\u63d2\u5165 nameserver 2001:da8:d800::1 \u540e\u89e3\u51b3\u3002

\u624b\u52a8\u6e05\u7a7a\u672c\u673a\u7684 DNS \u7f13\u5b58\uff1anscd -i hosts

\u6709\u65f6\u5019\u53ef\u80fd\u4f1a\u5728 DNS \u66f4\u65b0\u540e\u968f\u673a\u89e3\u6790\u51fa\u65b0\u65e7\u7ed3\u679c\uff0c\u53ef\u80fd\u7684\u539f\u56e0\u662f

ns-a \u6ca1\u66f4\u65b0

ns-a \u673a\u5668\u6bd4\u8f83\u8001\u65e7\uff0c\u7f51\u7edc\u53ef\u80fd\u4e0d\u987a\u7545\uff0c\u624b\u52a8\u628a ns-a \u66f4\u65b0\u4e00\u4e0b\u5c31\u884c\u4e86\uff08

"},{"location":"faq/docker/","title":"Docker \u76f8\u5173\u95ee\u9898","text":""},{"location":"faq/docker/#debian-11-aufs","title":"Debian 11 \u4e2d\u4e0d\u518d\u652f\u6301 aufs","text":"

\u4ece Debian 10 \u5347\u7ea7\u5230 Debian 11 \u65f6\uff0caufs-dkms \u4e0d\u518d\u5305\u542b\u5728\u65b0\u5185\u6838\u4e2d\uff1a

aufs-dkms \u8f6f\u4ef6\u5305\u5c06\u4e0d\u4f5c\u4e3a bullseye \u7684\u4e00\u90e8\u5206\u51fa\u73b0\u3002\u5927\u591a\u6570 aufs-dkms \u7528\u6237\u5e94\u5f53\u5207\u6362\u81f3 overlayfs\uff0c\u540e\u8005\u63d0\u4f9b\u4e86\u76f8\u4f3c\u7684\u529f\u80fd\u4e14\u5177\u6709\u5185\u6838\u7684\u652f\u6301\u3002\u7136\u800c\uff0c\u67d0\u4e9b Debian \u5b89\u88c5\u5b9e\u4f8b\u53ef\u80fd\u4f7f\u7528\u4e86\u4e0d\u517c\u5bb9 overlayfs \u7684\u6587\u4ef6\u7cfb\u7edf\uff0c\u5982\u4e0d\u5e26\u6709 d_type \u7684 xfs\u3002\u6211\u4eec\u5efa\u8bae\u9700\u8981\u4f7f\u7528 aufs-dkms \u7684\u7528\u6237\u5728\u5347\u7ea7\u81f3 bullseye \u4e4b\u524d\u5148\u8fdb\u884c\u8fc1\u79fb\u3002

(https://www.debian.org/releases/bullseye/amd64/release-notes/ch-information.zh-cn.html)

\u5bf9\u4e8e\u8001\u673a\u5668\u6765\u8bf4\u9700\u8981\u63d0\u524d\u786e\u8ba4 Docker \u7684 storage driver\uff1a

$ sudo docker info\n// ...\nServer:\n // ...\n Storage Driver: overlay2\n  Backing Filesystem: extfs\n  Supports d_type: true\n  Native Overlay Diff: true\n  userxattr: false\n

\u8fd9\u91cc\u5982\u679c\u662f overlay2 \u90a3\u4e48\u5c31\u6ca1\u95ee\u9898\uff0c\u5982\u679c\u662f aufs \u7684\u8bdd\u5c31\u9700\u8981\u63d0\u524d\u786e\u8ba4\uff0c\u56e0\u4e3a\u5207\u6362\u5230 overlay2 \u4e4b\u540e\u73b0\u6709\u7684\u5bb9\u5668\u548c\u5bb9\u5668\u955c\u50cf\u90fd\u4f1a\u4e22\u5931\uff0c\u9700\u8981\u91cd\u65b0\u521b\u5efa\u3002\u6240\u4ee5\u9700\u8981\u786e\u4fdd\u5bb9\u5668\uff08container\uff09\u548c\u955c\u50cf\uff08image\uff09\u662f\u53ef\u590d\u73b0\u7684\u3002

\u5728\u5347\u7ea7\u7cfb\u7edf\u540e\uff0c\u7f16\u8f91 /etc/docker/daemon.json\uff0c\u52a0\u4e0a\uff1a

\"storage-driver\": \"overlay2\"\n

\u7136\u540e\u542f\u52a8 docker\uff0c\u91cd\u65b0\u521b\u5efa\u5bb9\u5668\u3002

"},{"location":"faq/ldap/","title":"LDAP \u5957\u4ef6\u95ee\u9898","text":""},{"location":"faq/ldap/#gosa","title":"GOsa \u95ee\u9898","text":"

User \u754c\u9762\u6253\u5f00\u65f6\u62a5\u9519

\u5982\u679c\u5728 GOsa \u4e2d\u521b\u5efa\u4e86\u4e00\u4e2a\u65b0\u7528\u6237\uff0c\u5374\u6ca1\u6709\u5728\u6700\u540e\u4e3a\u4ed6\u8bbe\u7f6e\u5bc6\u7801\uff0c\u5c31\u4f1a\u51fa\u73b0\u6b64\u95ee\u9898\uff0c\u6253\u5f00 User \u754c\u9762\u540e\u4f1a\u6709\u62a5\u9519\uff1a

Fatal error: Uncaught ArgumentCountError: Too few arguments to function userManagement::filterLockLabel(), 0 passed in /usr/share/gosa/include/class_listing.inc on line 856 and exactly 1 expected in /usr/share/gosa/plugins/admin/users/class_userManagement.inc:856\nStack trace:\n#0 /usr/share/gosa/include/class_listing.inc(856): userManagement::filterLockLabel()\n#1 /usr/share/gosa/include/class_listing.inc(980): listing->processElementFilter('%{filter:lockLa...', Array, 50)\n#2 /usr/share/gosa/include/class_listing.inc(853): listing->filterActions('cn=...,ou=...', 50, Array)\n#3 /usr/share/gosa/include/class_listing.inc(764): listing->processElementFilter('%{filter:action...', Array, 50)\n#4 /usr/share/gosa/include/class_listing.inc(407): listing->renderCell('%{filter:action...', Array, 50)\n#5 /usr/share/gosa/include/class_management.inc(233): listing->render()\n#6 /usr/share/gosa/include/class_management.inc(222): management->renderList()\n#7 /usr/share/gosa/plugins/admin/users/main.inc(44): management->execute()\n#8 /usr/sh in /usr/share/gosa/plugins/admin/users/class_userManagement.inc on line 856\n

\u8fd9\u662f\u56e0\u4e3a GOsa \u65e0\u6cd5\u8bfb\u53d6\u5230\u7528\u6237\u5bc6\u7801\u7684 Hash\uff0c\u800c LDAP \u5374\u5141\u8bb8\u7528\u6237\u6ca1\u6709\u5bc6\u7801\u3002 \u53ea\u9700\u4e3a\u65b0\u7684\u7528\u6237\u8bbe\u7f6e\u5bc6\u7801\u6216\u5220\u9664\u65b0\u7684\u7528\u6237\u5373\u53ef\u3002

\u65b0\u7248 GOsa \u65e0\u6cd5\u521b\u5efa/\u4fee\u6539\u7528\u6237

\u8868\u73b0\u4e3a\u62a5\u9519 Uncaught ReflectionException: Property LDAP::$count does not exist\u3002

\u53c2\u89c1 Debian bug #1077759

\u4e34\u65f6\u89e3\u51b3\u65b9\u6cd5\uff1a\u4fee\u6539 /usr/share/gosa/plugins/personal/generic/class_user.inc\uff0c\u5c06 1357 \u884c $ldap->cat($ldap->count) \u4fee\u6539\u4e3a $ldap->cat($this->new_dn)\uff0c\u4e14\u6ce8\u91ca\u6389\u4e0b\u4e00\u4e2a if \u8bed\u53e5\uff08if ($ldap->count != 0 \u5f00\u5934\uff09\u3002

"},{"location":"faq/ldap/#slapd","title":"Slapd","text":"

Slapd \u662f OpenLDAP \u7684\u670d\u52a1\u7aef daemon\u3002\u6b63\u5e38\u60c5\u51b5\u4e0b\u4e0d\u9700\u8981\u78b0\uff0c\u4f46\u662f\u5982\u679c\u8981\u78b0\u7684\u65f6\u5019\uff0c\u4f60\u4f1a\u53d1\u73b0\u5b83\u7684\u914d\u7f6e\u6781\u5176\u590d\u6742\u9ebb\u70e6\u3002

\u4fee\u6539\u524d\u4e00\u5b9a\u8981\u5148\u6253\u865a\u62df\u673a\u5feb\u7167\uff01\uff01\uff01

\u5c0f\u5fc3\u5ef6\u6bd5

"},{"location":"faq/ldap/#migrate-hdb-to-mdb","title":"Migrate hdb to mdb","text":"

slapd-hdb \u5728 Debian 11 \u5373\u5c06\u88ab deprecate\uff0c\u6240\u4ee5\u5728 2021/08/15 \u7ec4\u7ec7\u4e86\u4e00\u6b21 migrate\u3002

\u7f51\u4e0a\u8d44\u6599\u5f88\u5c11\uff0c\u53c2\u8003\u4e86\uff1a

  1. https://github.com/osixia/docker-openldap/issues/97
  2. https://gist.github.com/wenzhixin/4705697206cdbf61bc88

\u6b65\u9aa4\uff1a

  1. \u865a\u62df\u673a\u5feb\u7167\u6253\u597d\u3002
  2. \u5907\u4efd\u6570\u636e\u5e93\uff1aslapcat -v -l dump.ldif
  3. \u5907\u4efd /etc/ldap \u4ee5\u53ca /var/lib/ldap
  4. \u628a /etc/ldap/slapd.d \u4ee5\u53ca /var/lib/ldap \u5220\u6389\uff08\u6216\u8005\u6539\u540d\uff09
  5. \u8fd0\u884c dpkg-reconfigure slapd
  6. \u521b\u5efa /tmp/ldapconvert \u76ee\u5f55\uff0c\u8fd0\u884c slaptest -f /etc/ldap/convert.conf -F /tmp/ldapconvert
  7. \u6e05\u7a7a /etc/ldap/slapd.d/cn=config/cn=schema/ \u4e0b\u7684\u6587\u4ef6\uff0c\u5c06 /tmp/ldapconvert/slapd.d/cn=config/cn=schema/ \u4e0b\u7684\u6587\u4ef6\u590d\u5236\u5230 /etc/ldap/slapd.d/cn=config/cn=schema/ \u5c06 slapd.d \u5907\u4efd\u4e2d cn=config/cn=schema/ \u7684\u6587\u4ef6\u590d\u5236\u5230\u65b0\u7684 slapd.d \u5bf9\u5e94\u7684\u76ee\u5f55\u4e0b\uff0c\u5e76\u4e14\u4fee\u6539 owner \u4e3a openldap:openldap
  8. \u91cd\u542f slapd\uff0c\u5982\u679c\u542f\u52a8\u5931\u8d25\uff0c\u770b systemctl status slapd \u7684\u65e5\u5fd7\u8f93\u51fa debug\u3002
  9. \u6062\u590d\u6570\u636e\u5e93\uff1aslapadd -l dump.ldif\u3002\u6ce8\u610f\uff0cmdb \u6ca1\u6709\u4e8b\u52a1\uff01\u5982\u679c\u4e2d\u95f4\u51fa\u9519\u4e86\uff0c\u6392\u67e5\u95ee\u9898\u540e\uff0c\u6e05\u7a7a /var/lib/ldap\uff0c\u91cd\u542f slapd \u91cd\u6765\u3002

\u6062\u590d\u6210\u529f\u540e\uff0c\u6709\u4e9b\u914d\u7f6e\u9700\u8981\u624b\u52a8\u8bbe\u7f6e\uff1a

  1. TLS/SSL

    # ldapmodify -H ldapi:/// -Y EXTERNAL << EOF\n> dn: cn=config\n> changetype: modify\n> replace: olcTLSCertificateFile\n> olcTLSCertificateFile: /etc/ldap/ssl/slapd-server.crt\n> -\n> replace: olcTLSCACertificateFile\n> olcTLSCACertificateFile: /etc/ldap/ssl/slapd-ca-cert.pem\n> -\n> replace: olcTLSCertificateKeyFile\n> olcTLSCertificateKeyFile: /etc/ldap/ssl/slapd-server.key\n>\n> EOF\n
  2. \u52a0\u8f7d pw-sha2.la\uff08\u82e5\u4f7f\u7528 ssha512/256 \u5219\u9700\u8981\u52a0\u8f7d\uff09

    # ldapmodify -H ldapi:/// -Y EXTERNAL << EOF\n> dn: cn=module,cn=config\n> cn: module\n> objectClass: olcModuleList\n> olcModulePath: /usr/lib/ldap/\n> olcModuleLoad: pw-sha2.la\n>\n> EOF\n
  3. \u4e3a sudoUser \u8bbe\u7f6e index

    # ldapadd -Y EXTERNAL -H ldapi:/// << EOF\n> dn: olcDatabase={1}mdb,cn=config\n> changetype: modify\n> add: olcDbIndex\n> olcDbIndex: sudoUser eq,sub\n>\n> EOF\n
  4. \u66f4\u6539\u9ed8\u8ba4\u5bc6\u7801\u5b58\u50a8\u9009\u9879\uff08\u53ef\u9009\uff09

    \u66f4\u6539\u4e3a crypt/yescrypt

    # ldapmodify -Y EXTERNAL -H ldapi:/// << EOF\n> dn: olcDatabase={-1}frontend,cn=config\n> add: olcPasswordHash\n> olcPasswordHash: {CRYPT}\n> \n> dn: cn=config\n> add: olcPasswordCryptSaltFormat\n> olcPasswordCryptSaltFormat: $y$j9T$%s\n

    \u66f4\u6539\u4e3a ssha512\uff08\u9700\u8981 pw-sha2.la\uff0c\u4e5f\u53ef\u53c2\u7167\u4e0a\u8ff0 yescrypt \u7684\u914d\u7f6e\u66f4\u6539\u4e3a crypt/ssha512\uff09

    # ldapmodify -Y EXTERNAL -H ldapi:/// << EOF\n> dn: olcDatabase={-1}frontend,cn=config\n> add: olcPasswordHash\n> olcPasswordHash: {SSHA512}\n

    \u5982\u679c\u62a5\u9519\u5df2\u7ecf\u5b58\u5728\uff0c\u53ef\u4ee5\u7528 replace \u9009\u9879\uff0c\u4ee5 crypt/yescrypt \u4e3a\u4f8b\uff1a

    # ldapmodify -Y EXTERNAL -H ldapi:/// << EOF\n> dn: olcDatabase={-1}frontend,cn=config\n> changetype: modify\n> replace: olcPasswordHash\n> olcPasswordHash: {CRYPT}\n> \n> dn: cn=config\n> changetype: modify\n> replace: olcPasswordCryptSaltFormat\n> olcPasswordCryptSaltFormat: $y$j9T$%s\n

    \u6ce8\u610f\u5728\u4f7f\u7528\u4e0a\u8ff0 hash \u65b9\u5f0f\u7684\u65f6\u5019\u8fdb\u5165 gosa \u7528\u6237\u9875\u9762\u65f6\u53ef\u80fd\u4f1a\u62a5\u9519 Cannot find a suitable password method for the current hash

"},{"location":"faq/ldap/#lastbind-overlay","title":"\u914d\u7f6e lastbind overlay","text":"

lastbind \u7528\u4e8e\u5728\u7528\u6237\u767b\u5f55\u65f6\u767b\u8bb0\u65f6\u95f4\u6233\uff0c\u4ee5\u65b9\u4fbf\u786e\u8ba4\u54ea\u4e9b\u7528\u6237\u957f\u65f6\u95f4\u6ca1\u6709\u767b\u5f55\uff0c\u4fbf\u4e8e\u6e05\u7406\u3002\u7531\u4e8e\u6211\u4eec\u4f7f\u7528 OLC (cn=config) \u914d\u7f6e\uff0c\u7f51\u7edc\u8d44\u6599\u4e0d\u591a\uff0c\u7279\u6b64\u8bb0\u5f55\u3002

  1. \u52a0\u8f7d\u6a21\u5757

    dn: cn=module{0},cn=config\nchangetype: modify\nadd: olcModuleLoad\nolcModuleLoad: lastbind.la\n

    \u4fdd\u5b58\u5230 load_lastbind.ldif\uff0c\u7136\u540e\uff1a

    $ sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f load_lastbind.ldif\nSASL/EXTERNAL authentication started\nSASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\nSASL SSF: 0\nmodifying entry \"cn=module{0},cn=config\"\n
  2. \u6dfb\u52a0 lastbind overlay

    dn: olcOverlay=lastbind,olcDatabase={1}mdb,cn=config\nobjectClass: olcLastBindConfig\nobjectClass: olcOverlayConfig\nolcOverlay: lastbind\nolcLastBindPrecision: 60\n

    \u4fdd\u5b58\u5230 add_lastbind.ldif\uff0c\u7136\u540e\uff1a

    $ sudo ldapadd -Y EXTERNAL -H ldapi:/// -f add_lastbind.ldif\nSASL/EXTERNAL authentication started\nSASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\nSASL SSF: 0\nadding new entry \"olcOverlay=lastbind,olcDatabase={1}mdb,cn=config\"\n

\u53ef\u4ee5\u4f7f\u7528 ldapsearch \u83b7\u53d6\u7528\u6237\u7684 authTimestamp\u3002\u4ece\u672a\u767b\u5f55\u8fc7\u7684\u7528\u6237\u65e0\u8bb0\u5f55\uff1a

sudo ldapsearch -x -LLL -H ldapi:/// -b \"dc=lug,dc=ustc,dc=edu,dc=cn\" \"(authTimestamp=*)\" dn authTimestamp\n
"},{"location":"faq/nginx/","title":"Nginx \u76f8\u5173\u914d\u7f6e","text":""},{"location":"faq/nginx/#git-host-specific","title":"\u4f7f\u7528 Git \u540c\u6b65\u914d\u7f6e\uff0c\u4f46\u9700\u8981 host-specific \u7684\u914d\u7f6e","text":"
  1. Nginx \u81ea\u5e26\u4e00\u4e2a\u53d8\u91cf $hostname \u53ef\u4ee5\u5728\u5408\u9002\u7684\u5730\u65b9\u7528\u6765 if \u6216\u8005 map\uff0c\u4f46\u662f\u5728\u8fd9\u4e2a\u529e\u6cd5\u4e0d\u9876\u7528\u7684\u65f6\u5019\uff08\u4f8b\u5982\uff0cresolver \u4e0d\u652f\u6301\u53d8\u91cf\uff09\u5c31\u53ea\u80fd\u7528\u4e0b\u9762\u8fd9\u4e2a\u7b28\u529e\u6cd5\u4e86\u3002
  2. \u628a\u9700\u8981 host-specific \u7684\u90a3\u4e2a\u6587\u4ef6\u52a0\u5165 .gitignore\uff0c\u7136\u540e\u5728\u5408\u9002\u7684\u4f4d\u7f6e\u7559\u4e0b\u4e00\u4e2a README\u3002
"},{"location":"faq/nginx/#_1","title":"\u6587\u4ef6\u6253\u5f00\u6570\u5927\u5c0f\u9650\u5236","text":"

\u5728\u9ed8\u8ba4\u8bbe\u7f6e\u4e2d\uff0cnginx \u7684\u6700\u5927\u6587\u4ef6\u6253\u5f00\u6570\u4e0a\u9650\u5e76\u4e0d\u5927\u3002\u5f53\u6709\u5927\u91cf\u8bbf\u95ee\u65f6\uff0c\u6587\u4ef6\u6253\u5f00\u6570\u53ef\u80fd\u4f1a\u8d85\u8fc7\u9650\u989d\uff0c\u5bfc\u81f4\u7f51\u7ad9\u54cd\u5e94\u7f13\u6162\u3002\u5728\u65b0\u914d\u7f6e\u670d\u52a1\u5668\u65f6\uff0c\u8fd9\u4e00\u9879\u8bbe\u7f6e\u5f88\u5bb9\u6613\u88ab\u5ffd\u7565\u6389\u3002

\u89e3\u51b3\u65b9\u6cd5\uff1a

  1. sudo systemctl edit nginx.service\uff08\u90e8\u5206\u673a\u5668\u4e0a\u7684\u670d\u52a1\u540d\u53ef\u80fd\u4e3a openresty.service\uff09
  2. \u5728\u6253\u5f00\u7684 override \u6587\u4ef6\u7684 [Service] \u4e0b\u65b9\u6dfb\u52a0 LimitNOFILE=524288\uff08\u89c6\u60c5\u51b5\u8fd9\u4e2a\u503c\u53ef\u4ee5\u76f8\u5e94\u8c03\u6574\uff09
"},{"location":"faq/nginx/#gateway-tmpmem","title":"\u5173\u4e8e gateway \u914d\u7f6e\u4e2d\u7684 /tmp/mem \u8def\u5f84","text":"

\u66f4\u65b0

\u6211\u4eec\u5df2\u4e0d\u518d\u5728 nginx.conf \u91cc\u4f7f\u7528 /tmp/mem \u4e86\uff0c\u4ee5\u4e0b\u5185\u5bb9\u4ec5\u4f5c\u5b58\u6863\u3002

\u9519\u8bef\u8868\u73b0\u662f systemctl start nginx.service \u5931\u8d25\uff0c\u4f7f\u7528 status \u6216 journalctl \u53ef\u4ee5\u770b\u5230\u4ee5\u4e0b\u4fe1\u606f\uff1a

[emerg] mkdir() \"/tmp/mem/nginx_temp\" failed (2: No such file or directory)\n

\u8fd9\u662f\u56e0\u4e3a\u6211\u4eec\u7684 nginx.conf \u4e2d\u94a6\u70b9\u4e86 proxy_temp /tmp/mem/nginx_temp\uff0c\u800c /tmp/mem \u662f\u6211\u4eec\u81ea\u5df1\u5efa\u7684\u4e00\u4e2a tmpfs \u6302\u8f7d\u70b9\uff0c\u5b83\u4e0d\u662f\u4efb\u4f55\u53d1\u884c\u7248\u7684\u9ed8\u8ba4\u914d\u7f6e\uff0c\u6240\u4ee5\u65b0\u88c5\u7684\u7cfb\u7edf\u5982\u679c\u76f4\u63a5 pull \u4e86\u8fd9\u4efd nginx config \u5c31\u4f1a\u62a5\u4ee5\u4e0a\u9519\u8bef\u3002

\uff08\u4f7f\u7528 /tmp/mem \u7684\u539f\u56e0\u662f\uff0c\u7531\u4e8e nginx \u53cd\u4ee3\u9700\u8981\u9891\u7e41\u8bfb\u5199\u4e34\u65f6\u6587\u4ef6\uff0c\u4e3a\u4e86\u51cf\u5c11\u78c1\u76d8 IO \u5360\u7528\uff0c\u6545\u5c06\u5176\u4e34\u65f6\u6587\u4ef6\u653e\u5165\u5185\u5b58\u4e2d\uff09

\u6b63\u786e\u7684\u89e3\u51b3\u65b9\u6cd5\u662f\u8865\u4e0a\u5bf9\u5e94\u7684 fstab \u884c\uff1a

tmpfs   /tmp/mem    tmpfs   0   0\n

\u5982\u679c\u521b\u5efa/\u6302\u8f7d\u4e86 /tmp/mem \u540e\uff0c\u542f\u52a8\u4ecd\u7136\u51fa\u9519\uff0c\u5219\u9700\u8981\u68c0\u67e5 openresty.service/nginx.service \u6587\u4ef6\u4e2d\u662f\u5426\u5305\u542b PrivateTmp=yes\u3002\u5982\u679c\u5305\u542b\uff0c\u5219\u9700\u8981 systemctl edit\uff0c\u5c06\u6b64\u9879\u8bbe\u7f6e\u4e3a false\u3002

fstab \u4e0e systemd

\u8c03\u6574 fstab \u4e4b\u540e\uff0c\u9700\u8981\u6267\u884c systemctl daemon-reload\uff0c\u5426\u5219 systemd \u53ef\u80fd\u4f1a\u5728\u7b2c\u4e8c\u65e5\u51cc\u6668\u6302\u8f7d\u5df2\u88ab\u6ce8\u91ca\u7684\u78c1\u76d8\u9879\u3002

"},{"location":"faq/nginx/#openresty","title":"OpenResty","text":""},{"location":"faq/nginx/#lua","title":"Lua \u76f8\u5173","text":"

\u8fd9\u91cc\u5173\u6ce8\u4e09\u4e2a\u76f8\u5173\u7684\u6b65\u9aa4\uff1aaccess_by, log_by \u548c header_filter_by\uff0c\u4ee5\u53ca ngx.ctx \u548c ngx.var \u7684\u6ce8\u610f\u4e8b\u9879\u3002

\u6d4b\u8bd5\u7528 server \u5757\uff1a

server {\n    listen 80 default_server;\n    listen [::]:80 default_server;\n\n    root /var/www/html;\n\n    index index.html index.htm index.nginx-debian.html;\n\n    server_name _;\n\n    set $testvar \"\";\n    access_by_lua_file /etc/nginx/lua/access.lua;\n    header_filter_by_lua_file /etc/nginx/lua/header_filter.lua;\n    log_by_lua_file /etc/nginx/lua/log.lua;\n\n    location / {\n        try_files $uri $uri/ =404;\n    }\n\n    location /lua-test0 {\n        return 302 /lua-test1;\n    }\n\n    location /lua-test1 {\n        return 200;\n    }\n\n    location /lua-test2 {\n        try_files $uri $uri/ @internal1;\n    }\n\n    location @internal1 {\n        return 418;\n    }\n}\n

\u4e09\u4e2a lua:

/etc/nginx/lua/access.lua
local ctx = ngx.ctx\nctx.testvar = \"testvar\"\nngx.var.testvar = \"testvar\"\nngx.log(ngx.ERR, \"ctx \", ctx.testvar)\nngx.log(ngx.ERR, \"var \", ngx.var.testvar)\n
/etc/nginx/lua/header_filter.lua
local ctx = ngx.ctx\n\nngx.log(ngx.ERR, \"ctx \", ctx.testvar)\nngx.log(ngx.ERR, \"var \", ngx.var.testvar)\n
/etc/nginx/lua/log.lua
local ctx = ngx.ctx\n\nngx.log(ngx.ERR, \"ctx \", ctx.testvar)\nngx.log(ngx.ERR, \"var \", ngx.var.testvar)\n
"},{"location":"faq/nginx/#rewritereturn-access_by","title":"rewrite/return \u4e0e access_by","text":"

\u8bbf\u95ee localhost/lua-test0 \u6216\u8005 localhost/lua-test1\uff0c\u6ca1\u6709 access.lua \u7684\u8f93\u51fa\uff1a

2024/07/22 02:50:16 [error] 9465#9465: *12 [lua] header_filter.lua:3: ctx nil, client: 127.0.0.1, server: _, request: \"GET /lua-test0 HTTP/1.1\", host: \"localhost\"\n2024/07/22 02:50:16 [error] 9465#9465: *12 [lua] header_filter.lua:4: var nil, client: 127.0.0.1, server: _, request: \"GET /lua-test0 HTTP/1.1\", host: \"localhost\"\n2024/07/22 02:50:16 [error] 9465#9465: *12 [lua] log.lua:3: ctx nil while logging request, client: 127.0.0.1, server: _, request: \"GET /lua-test0 HTTP/1.1\", host: \"localhost\"\n2024/07/22 02:50:16 [error] 9465#9465: *12 [lua] log.lua:4: var nil while logging request, client: 127.0.0.1, server: _, request: \"GET /lua-test0 HTTP/1.1\", host: \"localhost\"\n

\u5982\u679c\u8bbf\u95ee localhost/somefile\uff0c\u662f\u6709\u8f93\u51fa\u7684\uff1a

2024/07/22 03:03:42 [error] 9628#9628: *19 [lua] access.lua:4: ctx testvar, client: 127.0.0.1, server: _, request: \"GET /somefile HTTP/1.1\", host: \"localhost\"\n2024/07/22 03:03:42 [error] 9628#9628: *19 [lua] access.lua:5: var testvar, client: 127.0.0.1, server: _, request: \"GET /somefile HTTP/1.1\", host: \"localhost\"\n2024/07/22 03:03:42 [error] 9628#9628: *19 [lua] header_filter.lua:3: ctx testvar, client: 127.0.0.1, server: _, request: \"GET /somefile HTTP/1.1\", host: \"localhost\"\n2024/07/22 03:03:42 [error] 9628#9628: *19 [lua] header_filter.lua:4: var testvar, client: 127.0.0.1, server: _, request: \"GET /somefile HTTP/1.1\", host: \"localhost\"\n2024/07/22 03:03:42 [error] 9628#9628: *19 [lua] log.lua:3: ctx testvar while logging request, client: 127.0.0.1, server: _, request: \"GET /somefile HTTP/1.1\", host: \"localhost\"\n2024/07/22 03:03:42 [error] 9628#9628: *19 [lua] log.lua:4: var testvar while logging request, client: 127.0.0.1, server: _, request: \"GET /somefile HTTP/1.1\", host: \"localhost\"\n

\u8fd9\u662f\u56e0\u4e3a return \u8bed\u53e5\u53d1\u751f\u5728 rewrite \u9636\u6bb5\uff0c\u56e0\u6b64\u8df3\u8fc7\u4e86 access \u9636\u6bb5\uff0caccess_by_lua_block \u5c31\u6ca1\u6709\u88ab\u6267\u884c\u3002\u56e0\u6b64 Content phase \u4e2d\u7684\u7a0b\u5e8f\u4e0d\u80fd\u5047\u8bbe access_by \u80af\u5b9a\u88ab\u6267\u884c\u4e86\u3002

"},{"location":"faq/nginx/#ngxctx","title":"ngx.ctx","text":"

https://github.com/openresty/lua-nginx-module?tab=readme-ov-file#ngxctx

\u652f\u6301\u4efb\u610f lua \u6570\u636e\u7ed3\u6784\u7684\uff0c\u4e0e\u5355\u72ec request \u7ed1\u5b9a\u7684\u72b6\u6001\u53d8\u91cf\u3002\u540c\u65f6\u4e5f\u4e0d\u9700\u8981\u50cf ngx.var \u4e00\u6837\u63d0\u524d set\u3002

\u5c0f\u5fc3\u5185\u90e8\u8df3\u8f6c

Internal redirects (triggered by nginx configuration directives like error_page, try_files, index and etc) will destroy the original request ngx.ctx data (if any) and the new request will have an empty ngx.ctx table.

\u8bbf\u95ee localhost/lua-test2\uff08\u5047\u8bbe\u524d\u9762\u7684 try_files \u5931\u8d25\uff09\uff1a

2024/07/22 03:10:15 [error] 9630#9630: *22 [lua] access.lua:4: ctx testvar, client: 127.0.0.1, server: _, request: \"GET /lua-test2 HTTP/1.1\", host: \"localhost\"\n2024/07/22 03:10:15 [error] 9630#9630: *22 [lua] access.lua:5: var testvar, client: 127.0.0.1, server: _, request: \"GET /lua-test2 HTTP/1.1\", host: \"localhost\"\n2024/07/22 03:10:15 [error] 9630#9630: *22 [lua] header_filter.lua:3: ctx nil, client: 127.0.0.1, server: _, request: \"GET /lua-test2 HTTP/1.1\", host: \"localhost\"\n2024/07/22 03:10:15 [error] 9630#9630: *22 [lua] header_filter.lua:4: var testvar, client: 127.0.0.1, server: _, request: \"GET /lua-test2 HTTP/1.1\", host: \"localhost\"\n2024/07/22 03:10:15 [error] 9630#9630: *22 [lua] log.lua:3: ctx nil while logging request, client: 127.0.0.1, server: _, request: \"GET /lua-test2 HTTP/1.1\", host: \"localhost\"\n2024/07/22 03:10:15 [error] 9630#9630: *22 [lua] log.lua:4: var testvar while logging request, client: 127.0.0.1, server: _, request: \"GET /lua-test2 HTTP/1.1\", host: \"localhost\"\n

\u8fd9\u4e2a\u95ee\u9898\u5bf9\u4e00\u4e9b\u9700\u8981\u5728 access \u4e2d\u505a\u4e00\u4e9b\u4e8b\u60c5\uff0c\u5c06\u72b6\u6001\u5b58\u50a8\u5728 ngx.ctx \u4e2d\uff0c\u7136\u540e\u5728 header_filter \u6216\u8005 log \u4e2d\u53d6\u6d88\u5bf9\u5e94\u6548\u679c\u7684\u903b\u8f91\uff08\u4f8b\u5982 resty.limit.conn \u5728\u8bbf\u95ee\u7684\u6587\u4ef6\u5f53\u524d\u4e0d\u5b58\u5728\u7684\u60c5\u51b5\u4e0b\uff09\u6765\u8bf4\u662f\u81f4\u547d\u7684\u3002

"},{"location":"faq/nginx/#ngxvar","title":"ngx.var","text":"

https://github.com/openresty/lua-nginx-module?tab=readme-ov-file#ngxvarvariable

\u4f7f\u7528\u6709\u4e00\u4e9b\u9ebb\u70e6\uff1a

\u4f46\u662f\u76f8\u6bd4\u4e8e ngx.ctx\uff0c\u6700\u5927\u7684\u4f18\u52bf\u5c31\u662f\u5373\u4f7f\u7ecf\u8fc7\u4e86 internal redirection\uff0cngx.var \u7684\u5185\u5bb9\u4e5f\u4f1a\u4fdd\u7559\u3002

\u7531\u4e8e ngx.var \u5176\u672c\u8eab\u4e0d\u9002\u5408\u5b58\u50a8\u590d\u6742\u7684\u7ed3\u6784\uff0c\u7b2c\u4e09\u65b9\u6a21\u5757 (lua-resty-ctxdump, 2-clause BSD license) \u5904\u7406\u8fd9\u4e2a\u95ee\u9898\u7684\u505a\u6cd5\u662f\uff1a\u5c06\u5b9e\u9645\u5185\u5bb9\u4fdd\u5b58\u5728\u6a21\u5757\u5185\u90e8\u7684 memo \u8868\u4e2d\uff0c\u800c\u9700\u8981\u5b58\u50a8\u5728 ngx.var \u91cc\u9762\u7684\u53ea\u662f memo \u8868\u7684 key\uff08\u6570\u5b57\uff09\u3002

"},{"location":"faq/nginx/#_2","title":"\u6a21\u5757\u7ba1\u7406","text":"

OpenResty \u5b98\u65b9\u63a8\u8350\u4f7f\u7528 opm (openresty-opm) \u7ba1\u7406\u6a21\u5757\u3002\u624b\u52a8\u7ef4\u62a4\u6a21\u5757\u7684\u8bdd\u9700\u8981\u81ea\u884c\u5904\u7406\u914d\u7f6e\uff0c\u5bf9\u5e94\u7684\u662f lua_package_path\uff08http \u5757\u5185\uff0c\u5206\u53f7\u5206\u5272\u8def\u5f84\uff0c\u6700\u540e ;; \u4ee3\u8868\u5185\u7f6e\u7684\u539f\u59cb\u8def\u5f84\uff09\u3002

\u4f8b\u5982\uff1a

lua_package_path \"/etc/nginx/lua/module/?.lua;;\";\n

\u4ee5 https://github.com/tokers/lua-resty-ctxdump/blob/master/lib/resty/ctxdump.lua \u4e3a\u4f8b\uff0c\u4e0b\u8f7d\u5230 /etc/nginx/lua/module/ \u4e0b\u4e4b\u540e\uff0c\u5c31\u53ef\u4ee5\u5728\u5176\u4ed6 lua \u6587\u4ef6\u5185\u4f7f\u7528\u4e86\uff1a

/etc/nginx/lua/access.lua
local ctxdump = require \"ctxdump\"\nlocal ctx = ngx.ctx\nctx.testvar = {foo = \"bar\", num = 42}\n-- \u9700\u8981 set $ctx_ref \"\";\nngx.var.ctx_ref = ctxdump.stash_ngx_ctx()\nngx.log(ngx.ERR, \"ctx foo \", ctx.testvar.foo)\nngx.log(ngx.ERR, \"ctx num \", ctx.testvar.num)\nngx.log(ngx.ERR, \"var ctx_ref \", ngx.var.ctx_ref)\n
/etc/nginx/lua/log.lua
local ctxdump = require \"ctxdump\"\nngx.log(ngx.ERR, \"var ctx_ref \", ngx.var.ctx_ref)\nngx.ctx = ctxdump.apply_ngx_ctx(ngx.var.ctx_ref)\nlocal ctx = ngx.ctx\nngx.log(ngx.ERR, \"ctx foo \", ctx.testvar.foo)\nngx.log(ngx.ERR, \"ctx num \", ctx.testvar.num)\n

\u5982\u679c\u6ca1\u6709\u627e\u5230\u6587\u4ef6\uff0c\u62a5\u9519\u4fe1\u606f\u4e2d\u4f1a\u5305\u542b\u6240\u6709\u5c1d\u8bd5\u8fc7\u7684\u8def\u5f84\u3002

"},{"location":"faq/nginx/#_3","title":"\u4ee3\u7801\u590d\u7528\u4e0e\u6a21\u5757\u7f16\u5199","text":"

\u6700\u7b80\u5355\u7684\u4ee3\u7801\u590d\u7528\u7684\u65b9\u6cd5\u662f\u4f7f\u7528 loadfile() \u51fd\u6570\uff0c\u8fd9\u6837\u51e0\u4e4e\u4e0d\u9700\u8981\u4fee\u6539\u4ee3\u7801\u5185\u5bb9\u3002

local f = loadfile(\"/etc/nginx/lua/somefile.lua\")\nif f then\n    f()\nelse\n    ngx.log(ngx.ERR, \"failed to load somefile.lua\")\nend\n

\u4f46\u662f\u8fd9\u4e48\u505a\u662f\u6ca1\u6709 JIT \u7f13\u5b58\u7684\uff0c\u610f\u5473\u7740\u6bcf\u4e2a\u8bf7\u6c42\u90fd\u9700\u8981\u6574\u4e2a\u52a0\u8f7d\u4e00\u904d\u5bf9\u5e94\u7684\u539f\u59cb lua \u4ee3\u7801\u3002\u4e00\u4e2a\u57fa\u672c\u7684\u6a21\u5757\u7c7b\u4f3c\u4e8e\u4e0b\u9762\u8fd9\u6837\uff1a

local _M = {}\n\nlocal function some_internal_func(a)\n    return a + a\nend\n\nfunction _M.f1(a, b)\n    local aa = some_internal_func(a)\n    local bb = some_internal_func(b)\n    return aa + bb\nend\n\nreturn _M\n
"},{"location":"faq/ssd/","title":"SSD \u56fa\u4ef6","text":"

\u6570\u636e\u4e2d\u5fc3\u76d8\u7684 SSD \u8fd1\u5e74\u6765\u6709\u591a\u8d77\u56e0\u4e3a\u56fa\u4ef6\u95ee\u9898\u5bfc\u81f4\u4f7f\u7528\u65f6\u95f4\u8fc7\u957f\uff08\u51e0\u4e07\u5c0f\u65f6\uff09\u540e\u76d8\u574f\u6389\u7684\u65b0\u95fb\u3002 \u8fd9\u7c7b\u4e8b\u4ef6\u4e00\u65e6\u53d1\u751f\uff0c\u540e\u679c\u6781\u5176\u4e25\u91cd\uff0c\u56e0\u4e3a\u914d\u7f6e\u65b0\u670d\u52a1\u5668\u65f6\uff0c\u4e00\u822c\u4f7f\u7528\u7684\u76d8\u578b\u53f7\u662f\u4e00\u6837\u7684\uff0c\u5e76\u4e14\u5f00\u673a\u65f6\u95f4\u4e5f\u662f\u4e00\u6837\u7684\uff0c \u56e0\u6b64\u51fa\u73b0\u95ee\u9898\u4e4b\u540e\uff0c\u6240\u6709\u76d8\u90fd\u4f1a\u5728\u77ed\u65f6\u95f4\u5185\u574f\u6389\uff0cRAID \u6839\u672c\u65e0\u529b\u56de\u5929\u3002 \u56e0\u6b64\u4ee5\u4e0b\u8bb0\u5f55\u4e00\u4e9b\u56fa\u4ef6\u5347\u7ea7\u7684\u65b9\u6cd5\u3002

"},{"location":"faq/ssd/#intel","title":"Intel","text":""},{"location":"faq/ssd/#_1","title":"\u80cc\u666f","text":"

2024 \u5e74 1 \u6708 12 \u65e5\u51cc\u6668\uff0c\u5728\u53d1\u73b0\u4e24\u5757 Intel SSD S4510/S4610 \u51fa\u73b0 SMART \u9519\u8bef\u5e76\u4e14 ZFS \u63d0\u793a\u8bfb\u53d6\u9519\u8bef\u4e4b\u540e\u7d27\u6025\u8fdb\u884c\u4e86\u56fa\u4ef6\u5347\u7ea7\uff08\u5426\u5219\u8fd8\u6709 8 \u5757\u76d8\u4e5f\u4f1a\u5f88\u5feb\u56e0\u4e3a\u7c7b\u4f3c\u95ee\u9898\u635f\u574f\uff09\u3002\u7531\u4e8e\u7f3a\u5c11\u76f8\u5173\u8d44\u6599\uff0c\u5e76\u4e14 Intel \u4e0b\u67b6\u4e86\u5927\u91cf\u4fe1\u606f\uff0c\u56e0\u6b64\u82b1\u8d39\u4e86\u5f88\u591a\u65f6\u95f4\uff0c\u81f3\u51cc\u6668\u4e03\u70b9\u5b8c\u6210\u5347\u7ea7\u3002

Timeline

2024/01/11 04:21 - \u6536\u5230 smartd \u90ae\u4ef6\u79f0 /dev/sdi \u51fa\u73b0 End-to-End_Error_Count \u9519\u8bef\u3002

\u4e4b\u540e\u672a\u6000\u7591\u662f\u56fa\u4ef6\u95ee\u9898\uff0c\u53ea\u8ba4\u4e3a\u662f\u5076\u53d1\u7684\u9519\u8bef\uff0c\u5e76\u4e14 SSD \u4ecd\u53ef\u6b63\u5e38\u8bfb\u53d6\uff0cZFS \u6b63\u5e38\u7ea0\u9519\uff0c\u56e0\u6b64\u5f53\u5929\u5f00\u59cb\u51c6\u5907\u91c7\u8d2d\u65b0 SSD\uff0c\u672a\u8fdb\u884c\u5176\u4ed6\u64cd\u4f5c\u3002

2024/01/12 02:51 - \u6536\u5230 smartd \u90ae\u4ef6\u79f0 /dev/sdh \u51fa\u73b0 End-to-End_Error_Count \u9519\u8bef\u3002

\u4e4b\u540e\u6000\u7591\u662f\u56fa\u4ef6\u95ee\u9898\uff0c\u5e76\u4ece\u6d6a\u6f6e\u7684\u7f51\u7ad9\u786e\u8ba4\u4e86\u8fd9\u4e00\u70b9\u3002 Dell \u63d0\u4f9b\u4e86\u4fee\u590d\u5305\uff0c\u4f46\u662f\u65e0\u6cd5\u5728 Debian \u4e0b\u5b89\u88c5\u3002Intel/Solidigm \u63d0\u4f9b\u7684\u5347\u7ea7\u5de5\u5177\u6709\u8bb8\u591a\u4e0d\u540c\u7248\u672c\uff0c\u5176\u4e2d isdct \u4e0e sst \u63d0\u793a\u5347\u7ea7\u5931\u8d25\uff0cintelmas \u63d0\u793a\u5f53\u524d\u4ea7\u54c1\u5df2\u4e0d\u518d\u652f\u6301\u3002

\u5728\u8fc1\u79fb\u90e8\u5206\u91cd\u8981\u865a\u62df\u673a\uff0c\u5e76\u786e\u8ba4\u5907\u4efd\u6b63\u5e38\u540e\uff08\u5927\u81f4\u82b1\u8d39\u4e86 2 \u5230 2.5 \u5c0f\u65f6\uff09\uff0c\u91cd\u542f\u5bf9\u5e94\u670d\u52a1\u5668\uff0c\u5c1d\u8bd5\u4f7f\u7528 Solidigm \u63d0\u4f9b\u7684\u300c\u5347\u7ea7\u542f\u52a8\u76d8\u300d\u5347\u7ea7\uff0c\u63d0\u793a\u627e\u4e0d\u5230 SSD \u800c\u5931\u8d25\u3002 \u4e4b\u540e\u4ece Solidigm \u8bba\u575b\u4e86\u89e3\u5230\u9700\u8981\u5173\u95ed\u76f4\u901a\u8bbe\u7f6e\u3002\u5148\u5bf9 /dev/sdi \u8fdb\u884c\u4e86\u6d4b\u8bd5\uff08\u8be5\u76d8\u6709 SMART \u9519\u8bef\uff0c\u4f46\u662f\u4ecd\u53ef\u8bfb\u5199\uff09\uff0c\u5347\u7ea7\u6210\u529f\u3002\u4e4b\u540e\u5347\u7ea7\u4e86\u5168\u90e8 Intel SSD\u3002

\u76f8\u5173\u6d89\u95ee\u9898\u56fa\u4ef6\u7248\u672c\u4e3a XCV10100\u3002XCV10110 \u53ca\u4ee5\u4e0a\u4fee\u590d\u4e86\u95ee\u9898\u3002

"},{"location":"faq/ssd/#_2","title":"\u5347\u7ea7\u65b9\u6cd5","text":"

Intel \u7684\u5b58\u50a8\u4e1a\u52a1\u5df2\u7ecf\u88ab SK Hynix \u5b50\u516c\u53f8 Solidigm \u6536\u8d2d\u3002\u5176\u63d0\u4f9b\u4e86\u76f8\u5173\u5de5\u5177\u8fdb\u884c\u5347\u7ea7\u3002

https://www.solidigm.com/us/en/support-page/product-doc-cert/ka-00099.html \u63d0\u4f9b\u4e86 Solidigm \u5de5\u5177\u652f\u6301\u7684\u4ea7\u54c1\u5217\u8868\u3002\u4e0b\u8f7d\u6700\u65b0\u7248\u672c Solidigm\u2122 Storage Tool \u4e4b\u540e\uff08\u652f\u6301 Debian/Ubuntu\uff09\uff0c\u4f7f\u7528\u4ee5\u4e0b\u65b9\u6cd5\u68c0\u67e5\u6240\u6709 SSD \u7684\u4fe1\u606f\uff1a

sst show -ssd\n

\u5173\u6ce8\u6bcf\u4e2a SSD \u7684 FirmwareUpdateAvailable \u4e00\u884c\u662f\u5426\u6709\u66f4\u65b0\u4fe1\u606f\u3002

\u4f7f\u7528\u4ee5\u4e0b\u547d\u4ee4\u5347\u7ea7\uff1a

sst load -ssd <SSD \u7684\u7f16\u53f7>\n

\u8bf7\u6ce8\u610f\uff0c\u8be5\u5de5\u5177\u4e0d\u652f\u6301 RAID \u5361\u7684\u76f4\u901a\u6a21\u5f0f\u3002\u5bf9\u4e8e Dell \u670d\u52a1\u5668\u6765\u8bf4\uff0c\u9700\u8981\u8bbe\u7f6e\u5982\u4e0b\uff1a

  1. \u542f\u7528 LSI \u652f\u6301\uff1asst set -system EnableLSIAdapter=True
  2. \u91cd\u542f\u8fdb\u5165 BIOS\uff0c\u5c06 RAID \u5361\u4ece HBA \u6a21\u5f0f\u5207\u6362\u4e3a RAID \u6a21\u5f0f\uff08\u5982\u679c\u662f\u7684\u8bdd\uff09
  3. \u5c06\u9700\u8981\u5347\u7ea7\u7684\u76d8\u4ece Non-RAID \u6a21\u5f0f\u5207\u6362\u4e3a RAID-Capable\uff08\u6ce8\u610f\u4e0d\u8981\u70b9\u6210\u6e05\u7a7a\u6240\u6709\u6570\u636e\uff01\uff09
  4. \u91cd\u542f\u8fdb\u5165 recovery \u6a21\u5f0f\uff0c\u4f7f\u7528 sst \u8fdb\u884c\u5347\u7ea7\u3002
  5. \u5347\u7ea7\u5b8c\u6210\u540e\u91cd\u542f\uff0c\u8fdb\u5165 BIOS \u6062\u590d\u4e4b\u524d\u7684\u8bbe\u7f6e\uff08\u540c\u6837\u6ce8\u610f\u4e0d\u8981\u70b9\u9519\uff01\uff09
"},{"location":"faq/systemd-timer/","title":"Systemd-timer \u53c2\u8003\u6a21\u677f","text":"

Systemd-timer \u4f5c\u4e3a crontab \u7684\u66ff\u4ee3\u54c1\uff0c\u6709\u4e00\u7cfb\u5217\u7684\u4f18\u70b9\uff1a

\u5f53\u7136\u76f8\u6bd4\u4e8e crontab\uff0c\u7f3a\u70b9\u4e5f\u5f88\u660e\u663e\uff1a

\u6240\u4ee5\u4ee5\u4e0b\u7ed9\u51fa\u4e00\u4e2a\u6a21\u677f\uff0c\u65b9\u4fbf\u5728\u521b\u5efa\u65b0\u5b9a\u65f6\u4efb\u52a1\u7684\u65f6\u5019\u4f7f\u7528\u3002\u8fd9\u91cc\u7684\u4f8b\u5b50\u662f mirrors2 \u4ece mirrors4 \u83b7\u53d6\u538b\u7f29\u540e\u7684\u65e5\u5fd7\u3002\u4ee5\u4e0b\u6587\u4ef6\u5747\u653e\u5728 /etc/systemd/system\u3002

m4log.service
[Unit]\nDescription=Mirrors4 log backup\nDocumentation=man:rsync(1)\nAfter=network.target\nStartLimitIntervalSec=0\n\n[Service]\nType=simple\nUser=mirror\nGroup=mirror\nExecStart=rsync -rltpv --include=*/ --include=*.xz --exclude=* m4log:/ /var/m4log/\nRestart=on-failure\nRestartSec=3\n
m4log.timer
[Unit]\nDescription=Mirrors4 log backup timer\nDocumentation=man:rsync(1)\nAfter=network.target\nStartLimitIntervalSec=0\n\n[Timer]\nOnCalendar=*-*-* 7:13:00\nRandomizedDelaySec=60s\nPersistent=true\nUnit=m4log.service\n\n[Install]\nWantedBy=timer.target\n

\u5173\u4e8e OnCalendar \u7684\u89e6\u53d1\u65f6\u95f4\uff0c\u53ef\u4ee5\u53c2\u8003 systemd \u7684 Calendar Events \u8bf4\u660e\uff0c\u5e76\u7528 systemd-analyze calendar \u6765\u68c0\u9a8c\u6b63\u786e\u6027\uff0c\u4e5f\u53ef\u4ee5\u7528 systemctl list-timers \u89c2\u5bdf Timer \u4e0b\u6b21\u89e6\u53d1\u7684\u65f6\u95f4\u662f\u5426\u7b26\u5408\u9884\u671f\u3002

\u4e0b\u9762\u662f\u4e00\u4e9b\u5e38\u7528\u547d\u4ee4\uff1a

"},{"location":"faq/vm/","title":"\u865a\u62df\u5316\u76f8\u5173","text":""},{"location":"faq/vm/#_2","title":"\u6269\u76d8","text":"

\u6269\u5927\u865a\u62df\u78c1\u76d8\u7684\u5927\u5c0f\u540e\uff0c\u53ef\u4ee5\u91c7\u7528\u4ee5\u4e0b\u76f8\u5bf9\u7b80\u5355\u7684\u65b9\u5f0f\u6269\u5c55\u5206\u533a\u5927\u5c0f\uff1a

\u8bf7\u786e\u4fdd\u7406\u89e3\u547d\u4ee4\u540e\u518d\u6267\u884c

$ # \u5b89\u88c5 growpart\n$ sudo apt install cloud-guest-utils\n$ # \u6269\u5c55 /dev/sdb1\n$ sudo growpart /dev/sdb 1\n$ # \u73b0\u5728\u5206\u533a\u8868\u4ee5\u53ca\u5206\u533a\u6269\u5c55\u4e86\uff0c\u4f46\u662f\u5206\u533a\u91cc\u9762\u7684\u6587\u4ef6\u7cfb\u7edf\u7684\u5927\u5c0f\u8fd8\u6ca1\u6709\u6269\u5c55\n$ # \u4ee5 ext4 \u4e3a\u4f8b\n$ sudo resize2fs /dev/sdb1\n
"},{"location":"infrastructure/auth-dns/","title":"Authoritative DNS","text":"

Services (Servers):

All three servers are dedicated to DNS service and run no other services.

"},{"location":"infrastructure/auth-dns/#deploy","title":"Deploy","text":"

The bind configuration repository is only visible to admins because private key is included.

# copy the ssh key https://github.com/ustclug/auth-dns/blob/master/git_pull_key\n# to ~/.ssh/id_ed25519\n\n# now get the conf\ngit clone git@github.com:ustclug/auth-dns.git /var/lib/bind\n\n# delete the ssh key\nrm ~/.ssh/id_ed25519\n
docker run --restart=always -v /var/lib/bind/:/etc/bind \\\n       --net host -it -d --name=auth-dns zhusj/bind9\n
"},{"location":"infrastructure/auth-dns/#update-dns-record","title":"Update DNS Record","text":"

Just commit your changes to the configuration repository. More details can be found in the repository.

"},{"location":"infrastructure/auth-dns/#webhook","title":"Webhook","text":"

Please add a webhook in the configuration repository, so that the DNS record can be automatically updated when commits are pushed.

The webhook endpoint is http://<server_ip>:9000/hooks/bind, see https://github.com/ustclug/auth-dns/settings/hooks for examples.

"},{"location":"infrastructure/dockerhub/","title":"Docker Hub","text":""},{"location":"infrastructure/dockerhub/#dsos","title":"Docker-Sponsored Open-Source program (DSOS) application","text":"Item Reference response First Name Jiawei (Use your own name) Last Name Fu (Use your own name) Email Address redacted (Use your own email address) Role Tech Lead (or anything that makes sense) Company or Organization Name Linux User Group of University of Science and Technology of China Country (Select) China What is the name of your project? Various: USTC Open Source Software Mirror, USTC Network Boot Service, etc. Please link the public repository of your OSS organization (github, gitlab, etc.) https://github.com/ustclug Please provide a link to your project website. https://lug.ustc.edu.cn/ Enter your user Docker ID (aka username). ibugone (Use your own Docker ID) Do you have an existing Organization? (Select) Yes Enter the existing Docker ID for your organization on Docker Hub. ustclug What is the goal of this project? Ease the use of many Linux distros and open-source software, as well as advocate the spirit of Free Software What types of user(s) benefit from this project? Linux users and developers in mainland China What is the code distribution license for your OSS project? (Select) MIT License To what industry does your project or organization belong? (Select) Academic/research To what industry does your project or organization belong? 6 (Adjust as needed) Please list all sponsors for this project (patreon and other microdonations can be listed as one). USTC Network Information Center, USTC Library Does this project have a pathway to commercialization? ... (Select) No If approved, do you agree to the ...? (Tick the checkbox) Press Submit"},{"location":"infrastructure/dockerhub/#notes","title":"Notes","text":"

The first application on October 25, 2023 was declined with the following reason (emphasis mine):

During our review of your application for Various (USTC Open Source Soft[sic], we determined that while your project meets most of the program requirements, there is a lack of documentation in one or more of your repositories on Docker Hub.

Before resubmitting the application, I deleted a few obsolete repositories and filled in the \"Repository overview\" for the rest, asking ChatGPT to produce it when needed. Afterwards, the second submission was approved in just 3 hours.

"},{"location":"infrastructure/github/","title":"GitHub Organization","text":"

ustclug @ GitHub

"},{"location":"infrastructure/github/#github-actions","title":"GitHub Actions","text":"

GitHub Actions \u5bf9\u516c\u5f00\u4ed3\u5e93\u514d\u8d39\uff0c\u5bf9\u79c1\u6709\u4ed3\u5e93\u6bcf\u6708\u6709 3000 \u5206\u949f\u7684\u9650\u989d\uff08\u6ce8\uff1a\u6211\u4eec\u662f\u5b66\u6821\u5e2e\u5fd9\u7533\u8bf7\u7684 GitHub Education\uff0c\u6240\u4ee5\u6211\u4eec\u5728\u529f\u80fd\u4e0a\u76f8\u5f53\u4e8e\u4ed8\u8d39\u7684 GitHub Team\uff09\u3002\u76ee\u524d\u6211\u4eec\u6709\u591a\u4e2a\u9879\u76ee\u4f7f\u7528 GitHub Actions \u90e8\u7f72\uff0c\u4f8b\u5982 Linux 101 \u7684\u8bb2\u4e49\u3002

\u6211\u4eec\u66fe\u7ecf\u4f7f\u7528 Travis CI\uff08\u73b0\u5728\u4e5f\u5728\u90e8\u5206\u516c\u5f00\u4ed3\u5e93\u4e2d\u4f7f\u7528\uff09\uff0c\u56e0\u4e3a\uff08\u4e0d\u4f1a\u5b9a\u671f\u91cd\u7f6e\u7684\uff09\u6570\u91cf\u9650\u5236\u800c\u5c06\u79c1\u6709\u4ed3\u5e93\u5168\u90e8\u8fc1\u51fa\uff0c\u8ba8\u8bba\u89c1 Discussion #308.

"},{"location":"infrastructure/github/#2fa","title":"\u4e24\u6b65\u8ba4\u8bc1\uff082FA\uff09","text":"

\u6211\u4eec\u5f3a\u70c8\u5efa\u8bae\u52a0\u5165 ustclug \u7ec4\u7ec7\u7684\u7528\u6237\u4e3a\u81ea\u5df1\u7684 GitHub \u8d26\u53f7\u914d\u7f6e\u4e24\u6b65\u8ba4\u8bc1\uff1a

"},{"location":"infrastructure/google/","title":"G Suite","text":"

\u7531\u4e8e G Suite \u81ea 2022 \u5e74 7 \u6708\u8d77\u4e0d\u518d\u63d0\u4f9b\u514d\u8d39\u7684 Teams\uff0c\u4e14\u5df2\u6709\u7684\u514d\u8d39 Teams \u4e5f\u5c06\u505c\u6b62\u670d\u52a1\uff0c\u6211\u4eec\u5df2\u4e8e 2022 \u5e74 3 \u6708\u5168\u9762\u8fc1\u79fb\u81f3 Office 365\u3002

\u8003\u8651\u5230\u6b64\u9875\u9762\u7684 URL \u8fd8\u6709\u4e00\u5b9a\u6570\u91cf\u7684\u5916\u94fe\uff0c\u6211\u4eec\u628a\u672c\u9875\u6587\u6863\u91cd\u65b0\u52a0\u4e86\u56de\u6765\uff0c\u4f46\u662f\u6240\u6709\u6709\u610f\u4e49\u7684\u5185\u5bb9\u90fd\u5df2\u7ecf\u79fb\u52a8\u5230\u4e86 Office 365 \u9875\u9762\u4e2d\u3002

"},{"location":"infrastructure/ldap/","title":"LDAP \u670d\u52a1\u4f7f\u7528\u53ca\u914d\u7f6e\u8bf4\u660e","text":"

LDAP \u662f\u8f7b\u91cf\u76ee\u5f55\u8bbf\u95ee\u534f\u8bae\uff0c\u6211\u4eec\u7528\u7684\u8f6f\u4ef6\u662f OpenLDAP\u3002

LDAP \u7684\u914d\u7f6e\u5f88\u9ebb\u70e6\uff0c\u6240\u4ee5\u88c5\u4e86\u4e00\u4e2a\u7f51\u9875\u524d\u7aef\u6765\u914d\u7f6e\u5b83\uff0c\u7f51\u9875\u524d\u7aef\u662f GOsa\u00b2\u3002

"},{"location":"infrastructure/ldap/#_1","title":"\u5bc6\u7801\u4fee\u6539","text":"

\u767b\u5f55\u4efb\u610f\u4e00\u53f0\u670d\u52a1\u5668\u4f7f\u7528 passwd \u5c31\u53ef\u4ee5\u4fee\u6539\u5bc6\u7801\uff0c\u4fee\u6539\u7684\u5bc6\u7801\u5728\u6240\u6709\u673a\u5668\u4e0a\u5b9e\u65f6\u751f\u6548\uff08\u56e0\u4e3a\u5b9e\u9645\u662f\u5b58\u5728 LDAP \u6570\u636e\u5e93\u91cc\u7684\uff09\u3002

"},{"location":"infrastructure/ldap/#gosa","title":"GOsa \u4f7f\u7528","text":"

\u7f51\u9875\u754c\u9762\u4f4d\u4e8e ldap.lug.ustc.edu.cn\u3002

\u7528\u4f60\u7684\u8d26\u53f7\u767b\u5f55\u8fdb\u53bb\u4e4b\u540e\uff0c\u53ef\u4ee5\u5728\u53f3\u4e0a\u89d2\u9000\u51fa\uff0c\u53f3\u4e0a\u89d2\u8fd8\u6709\u4e24\u4e2a\u6309\u94ae\u5206\u522b\u662f\u4fee\u6539\u8d26\u53f7\u4fe1\u606f\u548c\u4fee\u6539\u5bc6\u7801\u3002\u8d26\u53f7\u4fe1\u606f\u7b2c\u4e00\u9875\u5927\u90e8\u5206\u662f\u6ca1\u7528\u7684\uff0c\u53ea\u6709\u4e00\u4e2a\u767b\u5f55\u540d\u662f\u6709\u7528\u7684\uff0c\u8fd9\u662f\u4f60\u767b\u5f55\u4efb\u4f55\u5730\u65b9\u7684\u7528\u6237\u540d\u3002

"},{"location":"infrastructure/ldap/#ldap-users-and-groups","title":"Users \u548c Groups","text":"

Users \u662f\u7528\u6765\u6dfb\u52a0\u548c\u914d\u7f6e\u7528\u6237\u4fe1\u606f\u7684\u5730\u65b9\u3002\u6700\u4e3b\u8981\u7684\u529f\u80fd\u4f4d\u4e8e\u6bcf\u4e2a User \u7684\u7b2c\u4e8c\u9875 POSIX\uff0c\u8fd9\u91cc\u53ef\u4ee5\u8bbe\u7f6e\u7528\u6237\u7684\u5bb6\u76ee\u5f55\uff0cUID\uff0cGID\uff0c\u4ee5\u53ca\u6240\u5c5e\u7684\u7528\u6237\u7ec4\u3002\u8fd9\u91cc\u9700\u8981\u6ce8\u610f\u7684\u5730\u65b9\u5982\u4e0b\uff1a

Groups \u4e2d\u4ee5 ssh \u5f00\u5934\u7684\u7ec4\u63a7\u5236\u5bf9\u5e94\u673a\u5668\u7684 ssh \u6743\u9650\uff0csudo \u5f00\u5934\u540c\u7406\u3002super_maneger \u7ec4\u5305\u542b\u6240\u6709\u673a\u5668\u7684\u6743\u9650\uff0c\u4ee5\u53ca LDAP \u7684 admin \u8eab\u4efd\u3002\u52a0\u5165\u5bf9\u5e94\u7684\u7ec4\u5373\u6388\u4e88\u76f8\u5e94\u6743\u9650\u3002\u5df2\u77e5\u7684 GID

"},{"location":"infrastructure/ldap/#access-control","title":"Access Control","text":"

\u8fd9\u91cc\u53ef\u4ee5\u914d\u7f6e GOsa \u7684\u7f16\u8f91\u6743\u9650\uff0c\u73b0\u5728\u8fd9\u91cc\u9762\u53ea\u6709\u4e00\u4e2a\u7ec4\uff0c\u662f\u5b8c\u5168\u6743\u9650\u7684\u3002\u53e6\u5916\uff0c\u6bcf\u4e2a\u9879\u53ef\u4ee5\u8bbe\u7f6e\u4e13\u95e8\u9488\u5bf9\u8fd9\u4e2a\u9879\u7684 ACL\u3002

"},{"location":"infrastructure/ldap/#sudo-rules","title":"Sudo rules","text":"

\u8fd9\u91cc\u914d\u7f6e sudo \u6743\u9650\u3002\u8fd9\u91cc\u7684\u8bed\u6cd5\u548c sudoers \u4e00\u6837\uff08\u8bf7\u65e0\u89c6 System trust\uff09\u3002\u7279\u522b\u8981\u8bf4\u7684\u4e00\u70b9\u662f\u901a\u8fc7\u5728 System \u4e2d\u52a0\u5165\u4e3b\u673a\u540d\u53ef\u4ee5\u9488\u5bf9\u6bcf\u4e2a\u4e3b\u673a\u914d\u7f6e\u6743\u9650\uff0c\u8fd9\u91cc\u8981\u586b\u7684\u662f\u4e3b\u673a\u540d\u800c\u4e0d\u662f\u57df\u540d\uff0c\u5177\u4f53\u8303\u4f8b\u8bf7\u770b\u91cc\u9762\u7684 lugsu wikimanager \u7b49\u9879\u3002

\u5176\u5b83\u6211\u6ca1\u63d0\u5230\u7684\u9879\u6211\u4e5f\u6ca1\u641e\u660e\u767d\u600e\u4e48\u7528\u3002\u3002\u3002

gosa \u7684\u914d\u7f6e\u6587\u4ef6\u5728 /etc/gosa/gosa.conf\uff0c\u5b83\u662f\u5728\u7b2c\u4e00\u6b21\u8fd0\u884c gosa \u65f6\u5019\u81ea\u52a8\u751f\u6210\u7684\uff0c\u4f46\u5728\u4e4b\u540e\u5c31\u53ea\u80fd\u901a\u8fc7\u624b\u52a8\u7f16\u8f91\u6765\u4fee\u6539\u3002\u7531\u4e8e\u914d\u7f6e\u6587\u4ef6\u51e0\u4e4e\u6ca1\u6709\u6587\u6863\uff0c\u5b98\u65b9\u7684 FAQ \u6709\u597d\u591a\u662f\u9519\u7684\uff0c\u6240\u4ee5\u6211\u57fa\u672c\u6ca1\u52a8 :-D\u3002

"},{"location":"infrastructure/ldap/#_2","title":"\u7ef4\u62a4\u5907\u6ce8","text":"

\u5982\u679c\u53d1\u73b0\u66f4\u65b0 GOsa \u4e4b\u540e\uff0c/gosa \u6ca1\u6709\u6b63\u5e38\u5de5\u4f5c\uff08\u6bd4\u5982\u8bf4\u76f4\u63a5\u663e\u793a\u4e86 PHP \u7684\u6e90\u4ee3\u7801\uff09\uff0c\u53ef\u4ee5\u5c1d\u8bd5\u5220\u9664 /var/spool/gosa/ \u4e2d\u7684\u6240\u6709\u6587\u4ef6\uff0c\u8be6\u89c1 Gosa broken in Debian stretch\u3002

"},{"location":"infrastructure/ldap/#ldap_1","title":"LDAP \u5ba2\u6237\u7aef\u914d\u7f6e","text":""},{"location":"infrastructure/ldap/#debian","title":"Debian \u914d\u7f6e\u65b9\u6cd5","text":"

Warning

Debian 13 Trixie \u662f\u6700\u540e\u4e00\u4e2a\u652f\u6301 sudo-ldap \u7684\u7248\u672c\uff0cDebian 14 \u5c06\u5b8c\u5168\u79fb\u9664 sudo-ldap\uff0c\u9700\u8981\u5c3d\u5feb\u8fc1\u79fb\u81f3 sssd\u3002

\u6211\u4eec\u5927\u90e8\u5206\u73b0\u6709\u7684\u670d\u52a1\u5668\u4ecd\u5728\u4f7f\u7528 sudo-ldap\uff0c\u5728\u4e0b\u6b21\u5927\u7248\u672c\u5347\u7ea7\u524d\u9700\u8981\u9010\u6b65\u8fc1\u79fb\u3002\u4ee5\u4e0b\u63d0\u4f9b\u4f7f\u7528 sssd \u7684\u914d\u7f6e\u65b9\u6cd5\u3002

Ref: https://packages.debian.org/trixie/sudo-ldap

"},{"location":"infrastructure/ldap/#_3","title":"\u8f6f\u4ef6\u5305\u5b89\u88c5","text":"

Debian 7 \u4ee5\u4e0a\u7cfb\u7edf\u5b89\u88c5 libnss-ldapd\u3001libpam-ldapd\u3001sssd-ldap\u3001libsss-sudo

Note

\u66f4\u65b0\u8fd9\u4e9b\u8f6f\u4ef6\u5305\u65f6\uff0c\u6ce8\u610f\u4fdd\u7559\u4e00\u4e2a root \u7ec8\u7aef\uff0c\u66f4\u65b0\u540e\u53ef\u80fd\u9700\u8981\u91cd\u542f daemon \u8fdb\u7a0b\u3002

Note

\u5982\u679c\u5df2\u7ecf\u5b89\u88c5\u4e86 sudo-ldap\uff0c\u8bf7\u5728\u5168\u90e8\u914d\u7f6e\u5b8c\u6210\u4e4b\u540e\u8fd0\u884c apt install sudo\uff0c\u8fc1\u79fb\u56de\u539f sudo\u3002

\u5728\u5b89\u88c5\u8fc7\u7a0b\u4e2d\u4f1a\u88ab\u95ee\u4e00\u4e9b\u95ee\u9898\uff08\u4e0d\u540c\u7248\u672c\u7684 Debian \u7684\u95ee\u9898\u53ef\u80fd\u4e0d\u540c\uff09\uff1a

"},{"location":"infrastructure/ldap/#etcldapldapconf","title":"/etc/ldap/ldap.conf","text":"

\u7f16\u8f91\u5185\u5bb9\u5982\u4e0b\uff1a

/etc/ldap/ldap.conf
BASE dc=lug,dc=ustc,dc=edu,dc=cn\nURI ldaps://ldap.lug.ustc.edu.cn\nSSL yes\nTLS_CACERT /etc/ldap/slapd-ca-cert.pem\nTLS_REQCERT demand\nSUDOERS_BASE ou=sudoers,dc=lug,dc=ustc,dc=edu,dc=cn\n

\u4e3a\u4e86\u5b89\u5168\u6027\u8003\u8651\uff0c\u8981\u4ee5 ldaps \u7684\u65b9\u5f0f\u8fde\u63a5 ldap \u670d\u52a1\u5668\uff0c\u540c\u65f6\u5e94\u914d\u7f6e\u597d\u8bc1\u4e66 (/etc/ldap/slapd-ca-cert.pem, \u4ece\u5176\u5b83\u670d\u52a1\u5668\u590d\u5236\u4e00\u4e2a)

"},{"location":"infrastructure/ldap/#etcnslcdconf","title":"/etc/nslcd.conf","text":"

\u6ce8\u610f\u68c0\u67e5\u4e00\u4e0b\u6b64\u914d\u7f6e\u6587\u4ef6\u662f\u5426\u4e0e /etc/ldap/ldap.conf \u4e0b\u7684\u5185\u5bb9\u76f8\u4e00\u81f4\uff0c\u5982

/etc/nslcd.conf
uid nslcd\ngid nslcd\nuri ldaps://ldap.lug.ustc.edu.cn\nbase dc=lug,dc=ustc,dc=edu,dc=cn\nssl on\ntls_reqcert demand\ntls_cacertfile /etc/ldap/slapd-ca-cert.pem\n
"},{"location":"infrastructure/ldap/#etcnsswitchconf","title":"/etc/nsswitch.conf","text":"

\u5b89\u88c5\u8f6f\u4ef6\u5305\u65f6\uff0c\u5b89\u88c5\u811a\u672c\u5df2\u7ecf\u5904\u7406\u8fc7\u8be5\u6587\u4ef6\u3002\u68c0\u67e5\u4e00\u4e0b\u5185\u5bb9\uff0c\u5927\u81f4\u4e3a\uff1a

passwd:         compat ldap\ngroup:          compat ldap\nshadow:         compat ldap\n......\nsudoers:        files ldap\n

\u6ce8\u610f\u6bcf\u4e00\u9879\u540e\u9762\u7684 ldap\uff0c\u5982\u679c\u6ca1\u6709\u8981\u624b\u52a8\u52a0\u4e0a\u3002\u4e0d\u592a\u6e05\u695a\u5177\u4f53\u542b\u4e49\uff0c\u53cd\u6b63\u7ed9\u6bcf\u4e00\u9879\u90fd\u52a0\u4e0a ldap \u662f\u6ca1\u6709\u95ee\u9898\u7684\u3002

\u5bf9\u4e8e\u4f7f\u7528 sssd \u7684\u914d\u7f6e\uff0c\u6ce8\u610f sudoers \u4e00\u884c\u9700\u8981\u6709 sss\uff0c\u7c7b\u4f3c\u4e8e\u4e0b\u9762\u8fd9\u6837\uff1a

sudoers: files sss\n

\u800c\u5982\u679c\u4f7f\u7528\u4f20\u7edf\u7684 sudo-ldap\uff0c\u90a3\u4e48 sudoers \u4e00\u884c\u5e94\u8be5\u7c7b\u4f3c\u4e8e\u8fd9\u6837\uff1a

sudoers:        ldap [SUCCESS=return] files\n

\u91cd\u542f\u4e00\u4e0b nscd \u548c nslcd \u670d\u52a1\uff0c\u6b64\u65f6\u8fd0\u884c getent passwd\uff0c\u5e94\u8be5\u53ef\u4ee5\u770b\u5230\u6bd4 /etc/passwd \u66f4\u591a\u7684\u5185\u5bb9\uff0c\u8fd9\u5c31\u8bf4\u660e\u914d\u7f6e\u6b63\u786e\u4e86\u3002

"},{"location":"infrastructure/ldap/#pam","title":"PAM \u914d\u7f6e","text":"

\u5982\u679c PAM \u914d\u7f6e\u9519\u8bef\uff0c\u53ef\u80fd\u5bfc\u81f4\u7528\u6237\u65e0\u6cd5\u4f7f\u7528 SSH \u767b\u5f55\uff0c\u751a\u81f3\u8fde sudo \u4e5f\u53ef\u80fd\u6302\u6389\u3002\u6240\u4ee5\u4fee\u6539 PAM \u914d\u7f6e\u65f6\uff1a

  1. \u8bf7\u505a\u597d\u6587\u4ef6\u5907\u4efd\uff1b
  2. \u8bf7\u53e6\u5f00\u4e00\u4e2a root \u7ec8\u7aef\u4ee5\u9632\u4e07\u4e00\u3002

\u5bf9\u4e8e Debian 7+\uff0c\u53ea\u9700\u8bbe\u7f6e\u4e00\u5904\u3002\u4e3a\u4e86\u767b\u5f55\u65f6\u81ea\u52a8\u521b\u5efa\u5bb6\u76ee\u5f55\uff0c\u5728 /etc/pam.d/common-session \u4e2d\u6dfb\u52a0\u4e0b\u9762\u8fd9\u53e5\uff1a

session required    pam_mkhomedir.so skel=/etc/skel umask=0022\n

\u5bf9\u4e8e Debian 5\uff0c\u8bf7\u67e5\u9605\u672c\u6587\u6863\u7684 Git \u8bb0\u5f55\u3002

"},{"location":"infrastructure/ldap/#sssd","title":"SSSD \u914d\u7f6e","text":"

\u7531\u4e8e sudo-ldap \u672a\u6765\u88ab\u5e9f\u5f03\uff0csudo \u7684\u914d\u7f6e\u901a\u8fc7 sssd \u5b9e\u73b0\uff0c\u53c2\u8003 https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/sssd-ldap-sudo.html\u3002

\u5c06 /usr/share/doc/sssd-common/examples/sssd-example.conf \u590d\u5236\u5230 /etc/sssd/sssd.conf \u5e76\u4fee\u6539\u6743\u9650\u4e3a 600\u3002

[taoky@gateway-nic ~]$ sudo diff /usr/share/doc/sssd-common/examples/sssd-example.conf /etc/sssd/sssd.conf\n3c3\n< services = nss, pam\n---\n> services = nss, pam, sudo\n8c8,10\n< ; domains = LDAP\n---\n> domains = LDAP\n>\n> [sudo]\n15,17c17,19\n< ; [domain/LDAP]\n< ; id_provider = ldap\n< ; auth_provider = ldap\n---\n> [domain/LDAP]\n> id_provider = ldap\n> auth_provider = ldap\n22,24c24,26\n< ; ldap_schema = rfc2307\n< ; ldap_uri = ldap://ldap.mydomain.org\n< ; ldap_search_base = dc=mydomain,dc=org\n---\n> ldap_schema = rfc2307\n> ldap_uri = ldaps://ldap.lug.ustc.edu.cn\n> ldap_search_base = dc=lug,dc=ustc,dc=edu,dc=cn\n30c32\n< ; cache_credentials = true\n---\n> cache_credentials = true\n

\u5751

\u9700\u8981\u52a0\u4e0a [sudo]\uff0c\u5426\u5219 sudo \u914d\u7f6e\u4e0d\u4f1a\u751f\u6548\uff0c\u8fd9\u4e2a\u914d\u7f6e\u95ee\u9898\u5bfc\u81f4\u4e86\u4fee\u6539\u524d\u5728 gateway-nic \u4e0a\u7528\u6237\u65e0\u6cd5\u4f7f\u7528 sudo\u3002

\u53e6\u5916\u8bb0\u5f97\u50cf\u524d\u9762\u5728 Debian \u4e2d\u5b89\u88c5\u4ecb\u7ecd\u5230\u7684\u90a3\u6837\u4fee\u6539 /etc/nsswitch.conf \u4ee5\u53ca /etc/nslcd.conf.

"},{"location":"infrastructure/ldap/#nscd","title":"NSCD \u4f7f\u7528\u8bf4\u660e","text":"

\u5728 SSSD \u672a\u5b89\u88c5\u7684\u60c5\u51b5\u4e0b\uff0cNSCD \u4f1a\u63d0\u4f9b LDAP \u7f13\u5b58\u670d\u52a1\u3002\u5982\u679c\u5728\u4f7f\u7528 NSCD \u7684\u673a\u5668\u4e0a\u9700\u8981\u6e05\u7a7a LDAP \u7f13\u5b58\uff0c\u6267\u884c\u4ee5\u4e0b\u547d\u4ee4\uff1a

nscd -i passwd\nnscd -i group\n

\u5982\u679c SSSD \u5b89\u88c5\uff0csystemctl status sssd \u4f1a\u663e\u793a SSSD \u4e0e NSCD \u540c\u65f6\u63d0\u4f9b\u4e86\u76f8\u5173\u7f13\u5b58\uff0c\u53ef\u80fd\u5b58\u5728\u51b2\u7a81\u95ee\u9898\uff1a

NSCD socket was detected and seems to be configured to cache some of the databases controlled by SSSD [passwd,group,netgroup,services].\n

\u9700\u8981\u4fee\u6539 /etc/nscd.conf\uff0c\u5c06\u63d0\u53ca\u7684 passwd, group, netgroup \u548c services \u7684 enable-cache \u8bbe\u7f6e\u4e3a no\u3002

"},{"location":"infrastructure/ldap/#ldap-cli","title":"LDAP CLI \u5de5\u5177\u4f7f\u7528\u8bf4\u660e","text":"

\u8fd9\u91cc\u4ee5 ldappasswd \u4e3a\u4f8b\uff0c\u5176\u4f59 ldap \u7cfb\u5217\u6307\u4ee4\u4e0e\u5176\u5927\u81f4\u76f8\u540c\uff1a

LDAP \u5229\u7528 dn \u6765\u5b9a\u4f4d\u4e00\u4e2a\u7528\u6237\uff0c\u4ee5\u4e0b\u6307\u4ee4\u53ef\u4ee5\u5217\u51fa\u6240\u6709\u7528\u6237\u53ca\u5176 dn\uff1a

ldapsearch -x -LLL uid=* uid\n

-x \u6307\u5b9a\u4f7f\u7528 Simple authentication\uff0c\u5373\u4f7f\u7528\u5bc6\u7801\u8ba4\u8bc1\u3002

\u5982\u679c\u8981\u4fee\u6539\u4e00\u4e2a\u7528\u6237\u7684\u5bc6\u7801\uff0c\u4f7f\u7528\uff1a

ldappasswd -x -D '<executor dn>' -W -S '<target user dn>'\n

-D '<executor dn>' \u6307\u5b9a\u4e86\u6267\u884c\u8005\u7684\u8eab\u4efd\uff0c-W/-S \u6307\u5b9a\u4e86\u63a5\u4e0b\u6765\u8be2\u95ee\u6267\u884c\u8005/\u76ee\u6807\u7528\u6237\u7684\u5bc6\u7801/\u65e7\u5bc6\u7801\u3002

\u9700\u8981\u989d\u5916\u6ce8\u610f\u7684\u662f\uff0c\u5728 CLI \u4e2d\u6dfb\u52a0/\u5220\u9664\u7528\u6237\u6216\u66f4\u6539\u7528\u6237\u5bc6\u7801\u65f6\u9700\u8981\u4ee5 LDAP admin \u6267\u884c\uff0c\u5426\u5219\u4f1a\u6709\u62a5\u9519\uff1a

Insufficient access (50) additional info: no write access to parent\n

\u6216\u662f\u5176\u4ed6\u7684\u6743\u9650\u4e0d\u8db3\u7684\u9519\u8bef\u3002

"},{"location":"infrastructure/ldap/#_4","title":"\u90e8\u7f72\u60c5\u51b5","text":"

\u76ee\u524d\u6240\u6709\u670d\u52a1\u5668\u5747\u5df2\u90e8\u7f72 LDAP

"},{"location":"infrastructure/ldap/#ldap-known-gids","title":"\u5df2\u77e5\u7684 GID","text":"

GID \u4fe1\u606f\u5df2\u8fc7\u65f6\uff0c\u4ee5 LDAP \u5b9e\u9645\u914d\u7f6e\u4e3a\u51c6\u3002

GID \u540d\u79f0 \u8bf4\u660e 2001 ldap_users \u6240\u6709\u7528\u6237\u90fd\u5728\u8fd9\u4e2a\u7ec4\u91cc 1001 ssh_docker2 - 2013 ssh_bbs - 2014 ssh_linode - 2101 ssh_ldap - 2102 ssh_blog - 2103 ssh_dns - 2104 ssh_gitlab - 2105 ssh_lug - 2106 ssh_vpn - 2107 ssh_mirrors - 2108 ssh_pxe - 2109 ssh_freeshell - 2110 ssh_backup - 2112 ssh_vmnfs - 2113 ssh_homepage - 2201 sudo_ldap - 2202 sudo_blog - 2203 sudo_dns - 2204 sudo_gitlab - 2205 sudo_lug - 2206 sudo_vpn - 2207 sudo_mirrors - 2208 sudo_pxe - 2209 sudo_freeshell - 2210 sudo_backup - 2212 sudo_vmnfs - 2213 sudo_homepage - 2000 super_manager - 2999 nologin \u4e0d\u786e\u5b9a\u8fd9\u4e2a\u7ec4\u6709\u6ca1\u6709\u7528

\u6ce8\u610f\u4e8b\u9879

LDAP \u914d\u7f6e\u5b8c\u6210\u540e\uff0c\u52a1\u5fc5\u786e\u8ba4 sshd_config \u5df2\u7ecf\u9650\u5236\u4e86\u516c\u7f51\u767b\u5f55\u3002

\u672c\u6587\u6863\u539f\u59cb\u7248\u672c\u590d\u5236\u81ea LUG wiki\uff0c\u7531\u5f20\u5149\u5b87\u3001\u5d14\u704f\u3001\u6731\u665f\u83c1\u3001\u5de6\u683c\u975e\u64b0\u5199\u3002

"},{"location":"infrastructure/mail/","title":"Mail Agent","text":"

\u53ef\u4ee5\u914d\u7f6e\u673a\u5668\u901a\u8fc7 mail.ustclug.org \u53d1\u4ef6\uff0c\u5b9e\u73b0\u8b66\u62a5\u7684\u90ae\u4ef6\u63d0\u9192\uff08\u6536\u4ef6\u4eba\u8bbe\u7f6e\u4e3a alert AT ustclug DOT org\uff09\u3002\u914d\u7f6e\u65f6\u9700\u8981\u5728 mail.s.ustclug.org \u4e0a\u8bbe\u7f6e postfix \u767d\u540d\u5355\u3002

"},{"location":"infrastructure/mail/#_1","title":"\u5e38\u7528\u547d\u4ee4","text":"

\u4ece\u961f\u5217\u4e2d\u5220\u9664\u90ae\u4ef6\uff1asudo postsuper -d <\u90ae\u4ef6 ID>\uff08\u90ae\u4ef6 ID \u53ef\u4ee5\u65e5\u5fd7\u4e2d\u770b\u5230\uff09

\u66f4\u65b0 virtual \u8868\u6620\u5c04\uff1asudo postmap /etc/postfix/virtual \u540e\u91cd\u542f postfix \u670d\u52a1\u3002

"},{"location":"infrastructure/mail/#mailustclugorg-dkim","title":"mail.ustclug.org \u7684 DKIM \u7b7e\u540d","text":"

\u7f16\u8f91 /etc/opendkim/TrustedHosts\uff0c\u6dfb\u52a0\u5185\u90e8\u670d\u52a1\u5bf9\u5e94\u7684 IP\uff08\u6bb5\uff09\u5230\u5176\u4e2d\uff0c\u5e76 reload opendkim \u5373\u53ef\u3002

"},{"location":"infrastructure/monitor/","title":"\u76d1\u63a7\u7cfb\u7edf\u4f7f\u7528\u53ca\u914d\u7f6e\u8bf4\u660e","text":"

\u76d1\u63a7\u7cfb\u7edf\u7531\u4ee5\u4e0b\u51e0\u4e2a\u7ec4\u4ef6\u7ec4\u6210\uff1a

"},{"location":"infrastructure/monitor/#configure-influxdb","title":"Configure InfluxDB","text":"

\u7279\u522b\u6ce8\u610f \uff1aInfluxDB \u9ed8\u8ba4\u6ca1\u6709\u5f00\u542f\u8ba4\u8bc1\u3002

\u9996\u6b21\u8fd0\u884c\u65f6\uff0c\u521b\u5efa\u597d\u7ba1\u7406\u8d26\u53f7\uff08admin\uff09\uff0c\u53ea\u8bfb\u8d26\u53f7\uff08grafana\uff09\u548c\u5199\u5165\u8d26\u53f7\uff08telegraf\uff09\u3002

\u7136\u540e\u4fee\u6539\u4f4d\u4e8e /srv/docker/influxdb/conf/influxdb.conf \u7684\u914d\u7f6e\uff0c\u4fee\u6539\u4ee5\u542f\u7528\u8ba4\u8bc1\uff1a

/srv/docker/influxdb/conf/influxdb.conf
[http]\n# ...\n# Determines whether HTTP authentication is enabled.\nauth-enabled = true\n

\u6b64\u5916\uff0c\u53c2\u8003 https://docs.influxdata.com/influxdb/v1.8/administration/authentication_and_authorization/#set-up-authentication\uff0c\u8003\u8651\u5173\u95ed\u90e8\u5206\u529f\u80fd\uff1a

/srv/docker/influxdb/conf/influxdb.conf
[http]\n# Determines whether the pprof endpoint is enabled.  This endpoint is used for\n# troubleshooting and monitoring.\npprof-enabled = false\n
"},{"location":"infrastructure/monitor/#install-telegraf","title":"Install telegraf","text":"

\u5b98\u65b9\u6587\u6863\u89c1 https://docs.influxdata.com/telegraf/v1/install/

\u5178\u578b\u7684\u5b89\u88c5\u65b9\u5f0f\u662f\u4ece APT \u6e90\u5b89\u88c5\uff1a

wget -O /etc/apt/trusted.gpg.d/influxdb.asc https://repos.influxdata.com/influxdata-archive_compat.key\necho \"deb https://mirrors.ustc.edu.cn/influxdata/debian bullseye stable\" > /etc/apt/sources.list.d/influxdb.list\napt update\napt install --no-install-recommends telegraf\n
\u624b\u52a8\u5b89\u88c5\u65b9\u5f0f\uff08\u4e0d\u63a8\u8350\uff09
wget https://dl.influxdata.com/telegraf/releases/telegraf_1.28.2-1_amd64.deb\nsudo dpkg -i telegraf_1.28.2-1_amd64.deb\n
"},{"location":"infrastructure/monitor/#configure-telegraf","title":"Configure telegraf","text":"

\u914d\u7f6e\u6587\u4ef6\u5728 ustclug/telegraf-config \u4ed3\u5e93\u4e2d\u7ba1\u7406\uff0c\u4f7f\u7528\u65b9\u6cd5\u5982\u4e0b\uff1a

\u914d\u7f6e\u5b8c\u6210\u4e4b\u540e\uff0c\u91cd\u542f telegraf \u670d\u52a1\uff0c\u5e76\u786e\u4fdd\u670d\u52a1\u8fd0\u884c\u6b63\u5e38\u3002

sudo systemctl restart telegraf\nsudo systemctl status telegraf\n

Tip

\u5efa\u8bae\u5728\u88ab\u76d1\u63a7\u673a\u5668\u4e0a\u914d\u7f6e NTP\uff08\u53ef\u4ee5\u4f7f\u7528 systemd-timesyncd\uff0c\u8bbe\u7f6e NTP \u670d\u52a1\u5668\u4e3a time.ustc.edu.cn\uff09\uff0c\u4ee5\u907f\u514d\u65f6\u95f4\u4e0d\u540c\u6b65\u53ef\u80fd\u5e26\u6765\u7684\u95ee\u9898\u3002

"},{"location":"infrastructure/monitor/#web","title":"Web","text":"

Web \u7aef\u76d1\u63a7\u4f4d\u4e8e https://monitor.ustclug.org\uff0c\u8d26\u53f7\u7cfb\u7edf\u4f7f\u7528 LDAP\uff0c\u53ef\u4ee5\u5728\u8fd9\u91cc\u8bbe\u7f6e\u9884\u8b66\u63d0\u793a\u7b49\u3002

Warning

\u914d\u7f6e InfluxDB \u6570\u636e\u6e90\u65f6\uff0c\u53ea\u80fd\u4f7f\u7528\u53ea\u8bfb\u8d26\u53f7\uff0c\u5426\u5219\u4f1a\u5e26\u6765\u4e25\u91cd\u7684\u5b89\u5168\u95ee\u9898\u3002

"},{"location":"infrastructure/monitor/#_2","title":"\u66f4\u65b0\u8bb0\u5f55","text":""},{"location":"infrastructure/monitor/#unified-alerting","title":"\u8fc1\u79fb\u5230 Unified Alerting","text":"

Grafana 11 \u8d77\u5c06\u5b8c\u5168\u5220\u9664\u65e7\u7684\u62a5\u8b66\u7cfb\u7edf\uff0c\u5168\u9762\u4f7f\u7528\u65b0\u7684\uff08\u96be\u7528\u7684\uff09Unified Alerting\u3002

\u6211\u4eec\u539f\u5148\u8fd0\u884c\u7684\u662f Grafana 9.3.8\uff0c\u6839\u636e\u66f4\u65b0\u8bb0\u5f55\uff0c\u53d1\u73b0 v10.4 \u63d0\u4f9b\u4e86\u4e00\u4e2a\u8fc1\u79fb\u5de5\u5177\uff0c\u53ef\u4ee5\u5c06\u539f\u5148\u7684\u62a5\u8b66\u8fc1\u79fb\u5230\u65b0\u7684 Unified Alerting \u7cfb\u7edf\uff0c\u56e0\u6b64\u5148\u5c06 Grafana \u66f4\u65b0\u5230 10.4.3\uff0c\u51c6\u5907\u8fc1\u79fb\u3002

\u5728 Alerting (legacy) \u83dc\u5355\u4e0b\u6709\u4e2a Upgrade rules \u754c\u9762\uff0c\u70b9\u8fdb\u53bb\u5c31\u53ef\u4ee5\u4f7f\u7528\u8fc1\u79fb\u5411\u5bfc\u3002\u9996\u5148\u8fc1\u79fb\u6211\u4eec\u552f\u4e00\u7684\u4e00\u4e2a Notification Channel\uff0c\u53d8\u6210\u4e00\u4e2a Contact Point\u3002\u7531\u4e8e \u5783\u573e\u7684\u65b0 alerting \u65b9\u6848\u6ca1\u6709\u63d0\u4f9b\u9ed8\u8ba4\u7684\u6d88\u606f\u6a21\u677f\uff0c\u56e0\u6b64\u6211\u4eec\u9700\u8981\u81ea\u5df1\u5199\u4e00\u4e2a\uff08\u6587\u6863\u4e5f\u6666\u6da9\u96be\u61c2\uff09\u3002

Notification template telegram.message
{{ define \"alert_list\" -}}\n{{ range . }}[{{ .Labels.alertname }}] {{ .Annotations.description }}\n{{ if or (gt (len .GeneratorURL) 0) (gt (len .SilenceURL) 0) (gt (len .DashboardURL) 0) (gt (len .PanelURL) 0) }}|{{- end }}\n{{- if gt (len .GeneratorURL) 0 }} <a href=\"{{ .GeneratorURL }}\">Source</a> | {{- end }}\n{{- if gt (len .SilenceURL) 0 }} <a href=\"{{ .SilenceURL }}\">Silence</a> | {{- end }}\n{{- if gt (len .DashboardURL) 0 }} <a href=\"{{ .DashboardURL }}\">Dashboard</a> | {{- end }}\n{{- if gt (len .PanelURL) 0 }} <a href=\"{{ .PanelURL }}\">Panel</a> | {{- end }}\n{{ end }}\n{{ end }}\n\n{{- define \"telegram.message\" }}\n{{- if gt (len .Alerts.Firing) 0 }}<strong>Firing</strong>\n{{ template \"alert_list\" .Alerts.Firing }}\n{{ if gt (len .Alerts.Resolved) 0 }}\n{{ end }}\n{{- end }}\n\n{{- if gt (len .Alerts.Resolved) 0 }}<strong>Resolved</strong>\n{{ template \"alert_list\" .Alerts.Resolved }}\n{{ end }}\n{{- end }}\n

\u7136\u540e\u56de\u5230 Contact point \u7f16\u8f91\uff0c\u5c55\u5f00 Optional Telegram settings\uff0c\u5728 Message \u4e2d\u586b\u5165 {{ template \"telegram.message\" . }} \u6765\u5f15\u7528\u6211\u4eec\u521a\u521a\u5199\u7684\u6a21\u677f\uff0c\u5e76\u5c06 Parse mode \u8bbe\u4e3a HTML\u3002

\u63a5\u4e0b\u6765\u56de\u5230\u8fc1\u79fb Alerting \u7684\u5730\u65b9\uff0c\u9010\u4e2a\u8fc1\u79fb Alerting\uff1a

Description \u6a21\u677f

\u5728 Go template \u4e2d\u53ef\u7528\u7684\u5e2e\u52a9\u51fd\u6570\u53c2\u89c1 https://grafana.com/docs/grafana/latest/alerting/alerting-rules/templating-labels-annotations/\u3002

{{ index $labels \"host\" }}: {{ humanize (index $values \"B\").Value }}\n\n{{ index $labels \"host\" }}: {{ humanizePercentage (index $values \"D\").Value }}\n\n{{ index $labels \"host\" }}: {{ humanizeDuration (index $values \"B\").Value }}\n

\u5176\u4e2d index $labels \u540e\u9762\u7684\u53c2\u6570\u53ef\u4ee5\u662f\u524d\u9762 InfluxDB query \u4e2d GROUP BY \u7684 tag\uff0c\u53ef\u4ee5\u7075\u6d3b\u4f7f\u7528\u3002

\u624b\u5de5\u5904\u7406\u5b8c\u5168\u90e8 18 \u4e2a alert rules \u4e4b\u540e\uff08\u7d2f\u6b7b\u6211\u4e86\uff09\uff0c\u5c31\u53ef\u4ee5\u5f00\u59cb\u6d4b\u8bd5\u4e86\u3002

\u5148\u542f\u7528\u65b0\u7684 unified alerting\uff1a

/srv/docker/grafana/conf/grafana.ini
[alerting]\nenabled = false\n\n[unified_alerting]\nenabled = true\n\n[unified_alerting.screenshots]\ncapture = true\n

\u7136\u540e\u627e\u4e2a\u673a\u5668\u91cd\u542f\u4e00\u4e0b\uff0c\u89e6\u53d1 Reboot alert\uff0c\u53bb Telegram \u7fa4\u91cc\u770b\u6d88\u606f\u548c\u56fe\u7247\u90fd\u6b63\u786e\u5192\u51fa\u6765\u4e86\uff0c\u5c31\u8bf4\u660e\u8fc1\u79fb\u6210\u529f\u4e86\u3002

Test alert \u4e0d\u4f1a\u89e6\u53d1\u622a\u56fe\uff0c\u5373\u4f7f\u8bbe\u7f6e\u4e86 Link dashboard and panel \u4e5f\u6ca1\u7528

"},{"location":"infrastructure/office/","title":"Office 365","text":""},{"location":"infrastructure/office/#application","title":"\u7533\u8bf7\u65b9\u5f0f","text":"

\u7406\u8bba\u4e0a\u4efb\u4f55\u793e\u56e2\u8d1f\u8d23\u4eba\u6216\u8005\u5728\u793e\u56e2\u4e2d\u8d1f\u8d23\u91cd\u8981\u9879\u76ee\u7684\u4eba\u5458\u90fd\u53ef\u4ee5\u7533\u8bf7\uff0c\u539f\u5219\u662f\u6309\u9700\u5206\u914d\uff0c\u56e0\u4e3a\u90ae\u7bb1\u662f\u5de5\u4f5c\u5de5\u5177\uff0c\u800c\u4e0d\u662f\u798f\u5229\u8d44\u6e90\u3002

\u540c\u7406\uff0c\u4e0d\u518d\u62c5\u4efb\u8d1f\u8d23\u4eba\u4e14\u4e0d\u518d\u5904\u7406\u4e8b\u52a1\u7684\u540c\u5b66\u4f7f\u7528\u7684\u90ae\u7bb1\u5e94\u8be5\u6536\u56de\uff08\u89c1\u4e0b\u65b9 \u9ed8\u8ba4\u5730\u5740 \u4e00\u8282\uff09\u3002

"},{"location":"infrastructure/office/#email-etiquette","title":"\u90ae\u4ef6\u793c\u4eea","text":"

CC\uff08\u6284\u9001\uff09\u548c\u8bbe\u7f6e\u56de\u590d\u5730\u5740\u7684\u76ee\u7684\u90fd\u662f\u4e3a\u4e86\u8ba9\u6240\u6709 LUG \u8d1f\u8d23\u7684\u540c\u5b66\u53ef\u4ee5\u770b\u5230\u4e8b\u4ef6\u6700\u65b0\u7684\u8fdb\u5c55

\u6284\u9001\u4f1a\u628a\u4f60\u53d1\u7684\u90ae\u4ef6\u7ed9\u6240\u6709\u7684\u8d1f\u8d23\u4eba\uff1b\u56de\u590d\u5730\u5740\uff08Reply-To\uff09\u8bbe\u7f6e\u4e4b\u540e\uff0c\u5bf9\u65b9\u5c31\u77e5\u9053\u8fd9\u662f\u4f60\u4ee3\u8868 LUG \u5199\u7684\u90ae\u4ef6\uff0c\u5e76\u4e14\u9ed8\u8ba4\u56de\u590d\u90ae\u4ef6\u7684\u65f6\u5019\u5730\u5740\u5c31\u662f\u6240\u6709\u8d1f\u8d23\u4eba\u7684\u90ae\u4ef6\u5217\u8868\u3002\u6240\u4ee5\u4e0b\u6587\u4e2d\u8981\u6c42\u8bbe\u7f6e\u8fd9\u4e9b\u5185\u5bb9\u3002

\u5982\u679c\u9047\u5230\u9700\u8981\u4ee5\u79c1\u4eba\u8eab\u4efd\uff0c\u6216\u8005\u4ee5\u5176\u4ed6\u975e LUG \u4ee3\u8868\u8d1f\u8d23\u4eba\u7684\u8eab\u4efd\u56de\u590d\u90ae\u4ef6\u7684\u573a\u5408\uff0c\u8bf7\u4fee\u6539\u56de\u590d\u5730\u5740\u4fe1\u606f\u3002\u56e0\u4e3a Outlook \u7f51\u9875\u7248\u4e0d\u4fbf\u4e8e\u4fee\u6539\u8fd9\u4e9b\u5185\u5bb9\uff0c\u5efa\u8bae\u4f7f\u7528\u90ae\u4ef6\u5ba2\u6237\u7aef\u5904\u7406\u3002\uff08\u4e2a\u4eba\u63a8\u8350 ThunderBird\uff09\u3002

\u5bf9\u4e8e\u9700\u8981\u5411\u975e\u90ae\u4ef6\u5217\u8868\u7684\u4e0d\u7279\u5b9a\u7fa4\u4f53\u7fa4\u53d1\u7684\u90ae\u4ef6\uff08\u4f8b\u5982\u901a\u77e5\u7c7b\u6d88\u606f\uff09\uff0c\u8bf7\u6ce8\u610f\u4e0d\u8981\u5c06\u6240\u6709\u90ae\u7bb1\u90fd\u653e\u5728\u6536\u4ef6\u4eba\u91cc\uff0c\u5426\u5219\u6240\u6709\u6536\u5230\u90ae\u4ef6\u7684\u4eba\u90fd\u80fd\u770b\u5230\u5176\u4ed6\u6536\u4ef6\u4eba\u7684\u90ae\u7bb1\uff08\u9690\u79c1\u95ee\u9898\uff09\uff1b\u5e76\u4e14\u6536\u4ef6\u4eba\u5982\u679c\u56de\u590d\u90ae\u4ef6\u4e0d\u5f53\uff0c\u5176\u4ed6\u7684\u6536\u4ef6\u4eba\u4e5f\u4f1a\u6536\u5230\u5176\u56de\u590d\u3002\u4e00\u79cd\u65b9\u4fbf\u7684\u505a\u6cd5\u662f\uff1a\u5c06\u6240\u6709\u9700\u8981\u6536\u5230\u901a\u77e5\u7684\u6536\u4ef6\u4eba\u653e\u5728\u5bc6\u9001 (BCC)\u4e00\u680f\u4e2d\uff0c\u6536\u4ef6\u4eba\u586b\u5199\u539f\u6284\u9001\u5730\u5740\u3002

\u6211\u4eec\u52a0\u5165\u4e86\u5f88\u591a\u90ae\u4ef6\u5217\u8868\uff0c\u5176\u4e2d\u7ecf\u5e38\u6709\u5404\u79cd\u5f80\u6765\u90ae\u4ef6\uff08\u7279\u522b\u662f CentOS mirror announcement \u8fd9\u4e2a\u5217\u8868\uff0c\u5df2\u9000\uff09\uff0c\u5b83\u4eec\u5927\u591a\u6570\u4e0d\u9700\u8981\u6211\u4eec\u7406\u4f1a\u3002

\u603b\u4e4b\uff0c\u4e0d\u77e5\u9053\u600e\u4e48\u5904\u7406\u7684\u90ae\u4ef6\u4e0d\u8981\u8d38\u7136\u56de\u590d\u3002\u5982\u679c\u4f60\u8ba4\u4e3a\u67d0\u4e00\u5c01\u90ae\u4ef6\u9700\u8981\u6211\u4eec\u5904\u7406\u4f46\u4e0d\u77e5\u9053\u600e\u4e48\u5904\u7406\uff0c\u8bf7\u8f6c\u544a\u7ed9\u5176\u4ed6\u76f8\u5173\u540c\u5b66\u3002

\u4ee5\u4e0b\u5185\u5bb9\u4ece Hypercube \u7f16\u5199\u7684\u5185\u5bb9\u4e2d\u622a\u53d6\uff1a

\u56de\u590d\u4efb\u4f55\u90ae\u4ef6\u65f6\uff0c\u8bf7\u6284\u9001 / CC\uff08\u4e0d\u662f\u5bc6\u9001 / BCC\uff09\u7ed9\u539f\u90ae\u4ef6\u7684\u6536\u4ef6\u5730\u5740\uff01\uff08\u6bd4\u5982\u522b\u4eba\u53d1\u5230 lug A ustc.edu.cn\uff0c\u56de\u590d\u65f6\u4e5f\u8bf7 CC \u5230 lug A ustc.edu.cn\uff09

\u8bf7\u4e0d\u8981\u201c\u53ea\u56de\u590d\u90ae\u4ef6\u201d\u3002\u5982\u679c\u5728\u56de\u590d\u4e2d\u8bf4\u201c\u6211\u4eec\u4f1a\u505a\u67d0\u67d0\u4e8b\u201d\uff0c\u8bf7\u6ce8\u610f\u9664\u975e\u4f60\u660e\u786e\u8f6c\u4ea4\u7ed9\u4e86\u522b\u4eba\uff0c\u8fd9\u4ef6\u4e8b\u5e94\u5f53\u7531\u4f60\u6765\u5b8c\u6210\u3002

"},{"location":"infrastructure/office/#lug-ustc-mailing-list","title":"\u52a0\u5165 LUG @ USTC \u5217\u8868","text":"

\u672c\u8282\u9700\u8981\u7531 Microsoft 365 \u7684\u7ba1\u7406\u5458\u64cd\u4f5c

\u90ae\u4ef6\u5217\u8868\u7ba1\u7406\u5728 Microsoft Admin Portal \u7684 Distribution list \u9875\u9762\uff0c\u5176\u4e2d Staff \u7ec4\u548c Mirrors \u7ec4\u7684\u90ae\u4ef6\u5730\u5740\u5206\u522b\u662f lug A ustc.edu.cn \u548c mirrors A ustc.edu.cn \u7684\u8f6c\u53d1\u76ee\u6807\u3002

"},{"location":"infrastructure/office/#email-signature","title":"\u90ae\u4ef6\u7b7e\u540d","text":"

Outlook \u65e0\u6cd5\u76f4\u63a5\u901a\u8fc7\u7f51\u9875\u7aef\u6dfb\u52a0\u53d1\u4ef6\u4eba\u540d\u79f0\u3001\u8bbe\u7f6e\u56de\u590d\u5730\u5740\uff0c\u56e0\u6b64\u53ea\u80fd\u901a\u8fc7\u90ae\u4ef6\u5ba2\u6237\u7aef\u8fdb\u884c\u4f7f\u7528\u3002\u5728\u4e0b\u4e00\u7ae0\u8282\u7684 Thunderbird \u4e2d\u8fdb\u884c\u8be6\u7ec6\u9610\u8ff0\u3002

"},{"location":"infrastructure/office/#thunderbird","title":"Thunderbird \u914d\u7f6e","text":""},{"location":"infrastructure/office/#tb-login","title":"\u767b\u5f55","text":"

\u5728\u767b\u5f55\u65f6\uff0c\u8f93\u5165\u4e86\u7528\u6237\u540d\u3001\u5bc6\u7801\u540e\uff0c\u4f1a\u663e\u793a\u65e0\u6cd5\u627e\u5230\u5bf9\u5e94\u7684\u90ae\u7bb1\u914d\u7f6e

\u8fdb\u884c\u5982\u4e0b\u7684\u624b\u52a8\u914d\u7f6e\uff1a

\u5982\u4e0b\u56fe\uff1a

\u7136\u540e\u70b9\u5de6\u4e0b\u89d2\u7684 Re-test\uff0c\u91cd\u65b0\u641c\u7d22\u5230\u914d\u7f6e\u540e\uff0c\u5728\u4e24\u4e2a Authentication method \u4e2d\u5747\u9009\u62e9 OAuth2\u3002

\u7136\u540e\u70b9 Done\u3002\u5728\u5f39\u51fa\u7684\u7a97\u53e3\u4e2d\u5b8c\u6210\u8ba4\u8bc1\u3002

"},{"location":"infrastructure/office/#tb-signature","title":"\u7b7e\u540d\u4e0e\u53d1\u4ef6\u8eab\u4efd","text":"

\u5728\u53f3\u4e0a\u89d2\u4e2d\u9009\u62e9\u8d26\u6237\u8bbe\u7f6e\uff0c\u5728\u9ed8\u8ba4\u8eab\u4efd\u4e2d

\u7ed3\u679c\u5982\u56fe\uff1a

"},{"location":"infrastructure/office/#tb-cc","title":"\u6284\u9001\u8bbe\u7f6e","text":"

\u5728\u8d26\u6237\u8bbe\u7f6e\u4e2d\uff0c\u9009\u62e9\u8eab\u4efd\u7ba1\u7406\uff0c\u70b9\u51fb\u7f16\u8f91\uff0c\u9009\u62e9 Copies and Folders, \u542f\u7528 Cc these email addresses, \u5e76\u8f93\u5165\u9ed8\u8ba4\u6284\u9001\u5730\u5740 lug A ustc.edu.cn

"},{"location":"infrastructure/office/#html","title":"HTML\u4e0e\u7eaf\u6587\u672c","text":"

\u90ae\u4ef6\u53ef\u4ee5\u4ee5 HTML \u65b9\u5f0f\u7f16\u5199\uff0c\u4e5f\u53ef\u4ee5\u53ea\u662f\u7eaf\u6587\u672c\u5185\u5bb9\u3002\u4e3a\u4e86\u964d\u4f4e\u5bf9\u65b9\u9605\u8bfb\u51fa\u73b0\u9ebb\u70e6\u7684\u53ef\u80fd\u6027\uff0c\u5efa\u8bae\u4f7f\u7528\u7eaf\u6587\u672c\u6d88\u606f\u3002\u4f7f\u7528\u7eaf\u6587\u672c\u6d88\u606f\u7684\u65b9\u6cd5\u662f\uff1a\u6253\u5f00 Thunderbird \u8bbe\u7f6e \uff0c\u6253\u5f00 Account Settings \uff0c\u6253\u5f00\u5bf9\u5e94\u90ae\u4ef6\u5730\u5740\u4e0b\u7684 Composition & Addressing \u9875\u9762\uff0c\u5728 Composition \u8282\u4e0b\u627e\u5230 Compose messages in HTML format \uff0c\u5c06\u5176\u590d\u9009\u6846\u53bb\u9664\u52fe\u9009\u5373\u53ef\u3002

"},{"location":"infrastructure/office/#tb-folders","title":"\u6587\u4ef6\u5939","text":"

Thunderbird \u7ef4\u62a4\u4e86\u81ea\u5df1\u7684\u6587\u4ef6\u5939\uff0c\u5982\u679c\u9700\u8981\u4e0e\u4e91\u7aef\u7684\u6587\u4ef6\u5939\u540c\u6b65\uff0c\u53ef\u4ee5\u8fdb\u884c\u5982\u4e0b\u64cd\u4f5c

\u5728\u8d26\u6237\u4e0a\u53f3\u952e\uff0c\u5728\u5f39\u51fa\u7684\u83dc\u5355\u4e2d\u70b9\u51fb Subscribe\u3002\u5f39\u51fa\u7684\u7a97\u53e3\u4e2d\u5305\u542b\u4e86\u4e91\u7aef\u7684\u6587\u4ef6\u5939\uff0c\u7531\u4e8e Thunderbird \u4f1a\u81ea\u884c\u7ef4\u62a4\u5783\u573e\u7bb1\u548c\u5df2\u53d1\u90ae\u4ef6\uff0c\u56e0\u6b64\u53ef\u80fd\u4f1a\u6709\u4e24\u4e2a\u5783\u573e\u7bb1\uff0cDeleted Items \u548c Trash\uff0c\u53ef\u4ee5\u5728\u7f51\u9875\u7aef\u5220\u9664\u4e0d\u9700\u8981\u7684\u6587\u4ef6\u5939\uff0c\u5e76\u5728 Thunderbird \u4e2d\u9009\u62e9\u9700\u8981\u7684\u3002

\u7136\u540e\u6253\u5f00\u8d26\u6237\u8bbe\u7f6e\uff0c\u8fdb\u884c\u5982\u4e0b\u4fee\u6539

  1. \u5728 Server Settings \u4e0b\uff0c\u4fee\u6539 When I delete a message \u4e3a Move it to this folder: Deleted Items

  2. \u5728 Copies & Folders \u4e0b\uff0c\u4fee\u6539 Place a copy\u3001Keep message archives in\u3001Keep draft messages in \u4e3a\u5bf9\u5e94\u7684\u8fdc\u7aef\u670d\u52a1\u5668\u6587\u4ef6\u5939

"},{"location":"infrastructure/office/#tb-junk","title":"\u5783\u573e\u90ae\u4ef6","text":"

Outlook \u4e91\u7aef\u5df2\u7ecf\u5e26\u6709\u4e86\u5783\u573e\u90ae\u4ef6\u5206\u7c7b\u529f\u80fd\uff0c\u4e0d\u9700\u8981 Thunderbird \u81ea\u5df1\u7684\u5783\u573e\u90ae\u4ef6\u5206\u7c7b\u529f\u80fd\u3002

\u5728\u8d26\u6237\u8bbe\u7f6e\u7684 Local Folders \u4e0b\u7684 Junk Settings \u4e2d\uff0c\u53d6\u6d88\u9009\u4e2d Enable adaptive junk mail controls for this account\u3002

\u8bf7\u5728\u4e0a\u9762\u7684 Subscribe \u4e2d\u5c06\u5783\u573e\u90ae\u4ef6\u9009\u4e2d\u4ee5\u540c\u6b65\u3002\u6b64\u5916\uff0c\u7531\u4e8e Outlook \u76ee\u524d\u4f1a\u5c06\u51e0\u4e4e\u6240\u6709\u90ae\u4ef6\u90fd\u6254\u8fdb\u5783\u573e\u90ae\u4ef6\u7bb1\uff08\u539f\u56e0\u4f3c\u4e4e\u662f M365 \u7684\u673a\u5668\u5b66\u4e60\u6a21\u578b\u4f1a\u628a\u6240\u6709\u79d1\u5927\u7684\u90ae\u4ef6\u6254\u8fdb\u5783\u573e\u7bb1\uff09\uff0c\u56e0\u6b64\u8bbe\u7f6e\u62c9\u53d6\u90ae\u4ef6\u65f6\u603b\u662f\u68c0\u67e5\u5783\u573e\u90ae\u4ef6\u7bb1\u3002\u8bbe\u7f6e\u65b9\u6cd5\u4e3a\u5728\u5783\u573e\u90ae\u4ef6\u76ee\u5f55\u4e0a\u70b9\u51fb\u53f3\u952e \u2192 \u5c5e\u6027\uff0c\u7136\u540e\u9009\u62e9\u8fd9\u91cc\u7b2c\u4e8c\u4e2a\u52fe\uff1a

\u6ce8\u610f

\u4e0d\u8981\u67e5\u770b\u5783\u573e\u90ae\u4ef6\u7684\u8fdc\u7a0b\u5185\u5bb9\u3002\u4e0d\u8981\u56de\u590d\u5783\u573e\u90ae\u4ef6\u3002\u6b63\u5e38\u90ae\u4ef6\u9700\u8981\u624b\u52a8\u79fb\u52a8\u5230\u6536\u4ef6\u7bb1\u3002

"},{"location":"infrastructure/office/#tb-profiles","title":"\u4f7f\u7528 Thunderbird \u914d\u7f6e\u4e0d\u540c\u7684\u8eab\u4efd","text":"

(written by taoky)

\u5728\u67d0\u4e9b\u60c5\u51b5\u4e0b\uff0c\u9700\u8981\u8bbe\u7f6e\u65b0\u7684\u53d1\u4ef6\u4eba\u540d\u79f0\u548c\u56de\u590d\u5730\u5740\uff08\u4f8b\u5982 hackergame staff \u9700\u8981\u4e00\u5957\u4e0d\u540c\u7684\u8bbe\u7f6e\uff09\u3002\u7531\u4e8e Gmail \u7f51\u9875\u7aef\u4fee\u6539\u914d\u7f6e\u5f88\u9ebb\u70e6\uff08\u800c\u4e14\u5f88\u5bb9\u6613\u5fd8\u8bb0\u6539\u56de\u6765\uff09\uff0c\u5f3a\u70c8\u5efa\u8bae\u4f7f\u7528\u90ae\u4ef6\u5ba2\u6237\u7aef\u3002\u4e2a\u4eba\u4f7f\u7528\u7684\u662f Thunderbird\uff0c\u4e0b\u9762\u4e5f\u4ee5\u5b83\u4e3a\u4f8b\u5b50\u3002

\u5728\u8d26\u53f7\u52a0\u4e0a\u90ae\u7bb1\u4e4b\u540e\uff0c\u70b9\u51fb\u53f3\u952e \u2192 \u5c5e\u6027\uff0c\u9ed8\u8ba4\u914d\u7f6e\uff08LUG Staff\uff09\u5982\u56fe\uff1a

\u9700\u8981\u6dfb\u52a0\u65b0\u8eab\u4efd\u65f6\uff0c\u70b9\u51fb\u53f3\u4e0b\u89d2\u300c\u7ba1\u7406\u6807\u8bc6\u300d\uff0c\u6dfb\u52a0\u5bf9\u5e94\u7684\u6807\u8bc6\u3002\u5bf9\u4e8e hackergame\uff0c\u53ef\u4ee5\u914d\u7f6e\u5982\u4e0b\uff1a

\u5e76\u53c2\u8003\u6284\u9001\u8bbe\u7f6e \u914d\u7f6e\u9ed8\u8ba4\u6284\u9001\u5730\u5740 (hackergame A ustclug.org)

\u914d\u7f6e\u5b8c\u6210\u540e\uff0c\u5728\u7f16\u5199\u90ae\u4ef6\u65f6\uff0c\u5c31\u53ef\u4ee5\u9009\u62e9\u65b0\u7684\u6807\u8bc6\u4e86\uff0c\u5e76\u4e14\u53d1\u4ef6\u4eba\u540d\u79f0\u3001\u56de\u590d\u5730\u5740\u548c\u7b7e\u540d\u90fd\u4f1a\u81ea\u52a8\u8bbe\u7f6e\u597d\u3002

\u4f7f\u7528 Thunderbird \u914d\u7f6e\u5b66\u6821\u90ae\u7bb1\u9700\u8981\u7684\u989d\u5916\u8bbe\u7f6e

james: \"thunderbird\u67d0\u6b21\u5347\u7ea7\u540e\u51fa\u4e86\u4e00\u4e2abug\uff0c\u8fde\u63a5\u65f6\u670d\u52a1\u5668\u8fd4\u56de\u652f\u6301utf8\uff0ctb\u53d1\u4e86\u4e00\u4e2a\u547d\u4ee4enable utf8\uff0c\u670d\u52a1\u5668\u6b63\u5e38\u8fd4\u56de\u540e\uff0ctb\u6709bug\u8ba4\u4e3a\u4e00\u76f4\u5728\u7b49\u670d\u52a1\u5668\u5e94\u7b54\u3002\"

\u6240\u4ee5\u5982\u679c\u9700\u8981\u4f7f\u7528 Thunderbird \u4ece mail.ustc.edu.cn \u6536\u53d1\u90ae\u4ef6\uff0c\u9700\u8981\u505a\u4ee5\u4e0b\u7684\u914d\u7f6e\uff1aEdit -> Settings\uff0c\u5728 \"General\" \u4e2d\u62d6\u5230\u6700\u4e0b\u9762\u9009\u62e9 \"Config Editor...\"\u3002\u5728\u65b0\u5f39\u51fa\u7684\u9ad8\u7ea7\u914d\u7f6e\u7684\u6807\u7b7e\u4e2d\u8f93\u5165 utf8\uff0c\u5c06 mail.server.default.allow_utf8_accept \u7684\u503c\u4ece true \u6539\u6210 false\u3002\u8fd9\u4e2a\u8bbe\u7f6e\u4e0d\u4f1a\u5f71\u54cd\u5176\u4ed6\u90ae\u7bb1\u7684\u4f7f\u7528\u3002

"},{"location":"infrastructure/office/#gmail","title":"Gmail","text":"

Warning

\u7531\u4e8e Google \u5c06 G Suite \u5168\u9762\u8f6c\u5411\u4ed8\u8d39\u670d\u52a1\uff0c\u6211\u4eec\u5df2\u5728 2022 \u5e74 3 \u6708 31 \u65e5\u540e\u505c\u6b62\u4f7f\u7528 G Suite \u76f8\u5173\u670d\u52a1\u3002\u8f6c\u5411 Office 365 \u63d0\u4f9b\u7684\u670d\u52a1\u3002\u4ee5\u4e0b\u5185\u5bb9\u4ec5\u4f5c\u4e3a\u5b58\u6863\u4e0e\u53c2\u8003

\u4ee5\u4e0b\u539f\u6587\u7531 Hypercube \u7f16\u5199

\u5927\u5bb6\u597d\uff0c

\u8bf7\u5404\u4f4d\u9605\u8bfb\u4e0b\u65b9\u5185\u5bb9\uff0c\u5e76\u6309\u6307\u793a\u914d\u7f6e\u81ea\u5df1\u7684\u90ae\u7bb1\uff1a

\u767b\u5f55\u7f51\u9875\u7248 Gmail\uff0c\u5728\u53f3\u4e0a\u89d2\u70b9\u5f00\u8bbe\u7f6e\uff0c\u4e8e\u201c\u5e38\u89c4\u201d\u6807\u7b7e\u9875\u4e2d\u8bbe\u7f6e\u201c\u7b7e\u540d\u201d\u4e3a\u7eaf\u6587\u672c\u5982\u4e0b\u5185\u5bb9\uff08\u5171 5 \u884c\uff0c\u5c06\u6700\u540e\u4e00\u884c\u6362\u6210\u81ea\u5df1\u7684\u4fe1\u606f\uff09\uff1a

Linux User Group University of Science and Technology of China Homepage: https://lug.ustc.edu.cn/ E-Mail: lug@ustc.edu.cn Zibo Wang (\u738b\u5b50\u535a) <example@ustclug.org>

\u4e8e\u201c\u8d26\u53f7\u201d\u6807\u7b7e\u9875\u4e2d\u201c\u7528\u8fd9\u4e2a\u5730\u5740\u53d1\u9001\u90ae\u4ef6\u201d\u5185\u70b9\u201c\u4fee\u6539\u4fe1\u606f\u201d\uff0c\u5728\u5f39\u51fa\u7a97\u53e3\u4e2d\u8f93\u5165\u540d\u79f0\u201cZibo Wang on behalf of USTC LUG\u201d\uff08\u8bf7\u6362\u6210\u81ea\u5df1\u7684\u540d\u5b57\uff09\uff0c\u8f93\u5165\u56de\u590d\u5730\u5740\u201clug@ustc.edu.cn\u201d\u3002

\u8fd8\u53ef\u4ee5\u89c6\u81ea\u5df1\u9700\u8981\u5728\u201c\u8f6c\u53d1\u548c POP / IMAP\u201d\u6807\u7b7e\u9875\u4e2d\u914d\u7f6e\u81ea\u52a8\u8f6c\u53d1\uff0c\u4f46\u8bf7\u6ce8\u610f\uff0c\u5982\u679c\u4f60\u914d\u7f6e\u4e86\u8f6c\u53d1\u5230\u81ea\u5df1\u7684\u5e38\u7528\u90ae\u7bb1\uff0c\u8bf7\u4e0d\u8981\u76f4\u63a5\u4ece\u5e38\u7528\u90ae\u7bb1\u56de\u590d\u90ae\u4ef6\uff0c\u800c\u5e94\u8be5\u767b\u5f55 LUG \u90ae\u7bb1\u56de\u590d\u3002 \u56de\u590d\u4efb\u4f55\u90ae\u4ef6\u65f6\uff0c\u8bf7\u6284\u9001 / CC\uff08\u4e0d\u662f\u5bc6\u9001 / BCC\uff09\u7ed9\u539f\u90ae\u4ef6\u7684\u6536\u4ef6\u5730\u5740\uff01\uff08\u6bd4\u5982\u522b\u4eba\u53d1\u5230 lug A ustc.edu.cn \uff0c\u56de\u590d\u65f6\u4e5f\u8bf7 CC \u5230 lug A ustc.edu.cn\uff09

\u8bf7\u4e0d\u8981\u201c\u53ea\u56de\u590d\u90ae\u4ef6\u201d\u3002\u5982\u679c\u5728\u56de\u590d\u4e2d\u8bf4\u201c\u6211\u4eec\u4f1a\u505a\u67d0\u67d0\u4e8b\u201d\uff0c\u8bf7\u6ce8\u610f\u9664\u975e\u4f60\u660e\u786e\u8f6c\u4ea4\u7ed9\u4e86\u522b\u4eba\uff0c\u8fd9\u4ef6\u4e8b\u5e94\u5f53\u7531\u4f60\u6765\u5b8c\u6210\u3002

\u5728\u6dfb\u52a0\u4e86\u7b7e\u540d\u540e\uff0c\u5728\u4e0b\u9762\u7684\u201c\u9ed8\u8ba4\u7b7e\u540d\u8bbe\u7f6e\u201d\u4e2d\uff0c\u5c06\u201c\u7528\u4e8e\u65b0\u7535\u5b50\u90ae\u4ef6\u201d\u4ee5\u53ca\u201c\u7528\u4e8e\u56de\u590d/\u8f6c\u53d1\u201d\u5747\u9009\u62e9\u4e3a\u4e0a\u9762\u6dfb\u52a0\u7684\u7b7e\u540d\u3002

\u8bb0\u5f97\u6eda\u52a8\u5230\u9875\u9762\u6700\u4e0b\u65b9\u70b9\u51fb\u201c\u4fdd\u5b58\u9875\u9762\u201d\uff01

"},{"location":"infrastructure/office/#default-route","title":"\u8bbe\u7f6e\u9ed8\u8ba4\u5730\u5740","text":"

\u672c\u8282\u5199\u7684\u662f G Suite \u7528\u6cd5\uff0c\u9700\u8981\u66f4\u65b0\u6210 Office 365

G Suite \u652f\u6301\u5c06\u5355\u4e2a\u5730\u5740\u8bbe\u4e3a\u201c\u9ed8\u8ba4\u5730\u5740\u201d\uff0c\u7528\u4e8e\u63a5\u53d7\u53d1\u5f80\u4e0d\u5b58\u5728\u7684\u5730\u5740\u7684\u90ae\u4ef6\u3002

\u53c2\u8003\u8d44\u6599\uff1ahttps://support.google.com/a/answer/2368153

\u5bf9\u4e8e\u4e2d\u6587\u754c\u9762\uff0c\u5e94\u8be5\u4ece Google Admin \u63a7\u5236\u53f0\u6309\u987a\u5e8f\u9009\u62e9 \u5e94\u7528 \u2192 G Suite \u2192 Gmail \u2192 \u9ad8\u7ea7\u8bbe\u7f6e\uff0c\u5176\u4e2d\u7684 \u65e0\u9650\u522b\u540d\u5730\u5740 \u5c31\u662f\u8fd9\u4e2a\u9009\u9879\uff0c\u4e00\u822c\u53d1\u7ed9\u4f1a\u957f\u6216 CTO\u3002

"},{"location":"infrastructure/raid/","title":"RAID","text":""},{"location":"infrastructure/raid/#megaraid","title":"MegaRAID \u5e38\u7528\u547d\u4ee4","text":"

MegaRAID \u6e90\u91cc\u6ca1\u6709\uff0c\u9700\u8981\u4ece\u5b98\u7f51\u4e0b\u8f7d RPM \u5305\u540e\u624b\u52a8\u89e3\u538b\u3002Debian 10 \u5b89\u88c5 libncurses5 \u540e\u53ef\u4f7f\u7528\u3002

sudo /opt/MegaRAID/MegaCli/MegaCli64 -adpallinfo -aAll  # \u67e5\u770b\u6240\u6709\u4fe1\u606f\nsudo /opt/MegaRAID/MegaCli/MegaCli64 -pdlist -aall  # \u67e5\u770b\u7269\u7406\u76d8\u4fe1\u606f\n
"},{"location":"infrastructure/raid/#_1","title":"\u76d1\u63a7","text":"

\u73b0\u5728\u90e8\u7f72\u7684\u65b9\u6848\u662f\u7531 telegraf \u6267\u884c\u89e3\u6790\u811a\u672c\uff0c\u5c06\u6570\u636e\u53d1\u9001\u5230 influxdb\uff0c\u7531 grafana \u62a5\u8b66\u3002

\u811a\u672c\uff1a

"},{"location":"infrastructure/raid/#esxi","title":"ESXi","text":"

https://docs.broadcom.com/docs-and-downloads/raid-controllers/raid-controllers-common-files/8-07-07_MegaCLI.zip

ESXi 5 \u7684 binary \u548c ESXi 6.0 \u517c\u5bb9\u3002

esxcli software vib install -v=/tmp/vmware-esx-MegaCli-8.07.07.vib --no-sig-check\n

\u7136\u540e\u8fdb\u5165 /opt/lsi/MegaCLI \u76ee\u5f55\u6267\u884c MegaCli.

"},{"location":"infrastructure/raid/#ssacli-hpe-smart-array","title":"ssacli (HPE Smart Array)","text":"

pve-6 \u7684 RAID \u65b9\u6848\u662f HPE Smart Array\u3002\u5bf9\u5e94\u4f7f\u7528\u65b9\u6cd5\u53ef\u4ee5\u53c2\u8003 https://gist.github.com/mrpeardotnet/a9ce41da99936c0175600f484fa20d03\u3002

\u5bf9\u5e94\u4e3b\u673a\u9700\u8981\u5b89\u88c5 https://downloads.linux.hpe.com/SDR/repo/mcp/Debian/pool/non-free/ssacli-5.30-6.0_amd64.deb\uff08HPE \u6e90\u5b9e\u5728\u592a\u6162\u4e86\uff09\u3002

"},{"location":"infrastructure/sshca/","title":"SSH Certificate Authentication","text":"

Discussion: SSH \u5347\u7ea7\u5230\u8bc1\u4e66\u767b\u9646\u65b9\u6848\u8ba8\u8bba

Usage: SSH \u8bc1\u4e66\u8ba4\u8bc1\u7684\u4f7f\u7528\u65b9\u6cd5 (See also: iBug's blog)

"},{"location":"infrastructure/sshca/#introduction","title":"Introduction","text":"

An SSH Certificate Authority (CA) is a trusted key pair that issues certificates. It has the same format as a regular SSH private-public key pair (it is, in fact).

Certificates can be used for authentication on both the server side and the client side. But certificates cannot issue new certificates (i.e. no chains), it is the very difference from X.509 certificate system.

"},{"location":"infrastructure/sshca/#server-setup","title":"Server setup","text":""},{"location":"infrastructure/sshca/#trustedusercakeys","title":"Configure server to accept client certificates","text":"

First drop our public key to /etc/ssh/ssh_user_ca:

/etc/ssh/ssh_user_ca
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1Bxw9AXoZvc9HTe5o4f7/qOROcmzvlcO5oofoF3pewtRnhNpcd/DwmxSblqpj/cjLYkE32mSCzMYY8X0CRFyMJsgSIDC4i4LXDNU0e8PbB2NIQAAeyfJEU5m/Dn1tPw9WvPtPqHCRvgSwnRfzYngMVWROgV2Qe6pOqTTgetEYfb5gkDc2i1M7yfTp3H3ExfrDKwOKPc/9UYOADMFU6u1fJN+4epLETilHC1ubtBeVi23pn1K+LDy06Gwhq1MLljCM7gFBMrmv894HrOHU4WrzLUlfkiDt2cyXLb4qPWYqilBFLUjU92kjmiI/EwB/8pR1WmdU7FoYpdgBHNr3NT53 LUG-CA\n

Then add the following line to sshd config (Debian 11+):

/etc/ssh/sshd_config.d/ustclug.conf
TrustedUserCAKeys /etc/ssh/ssh_user_ca\n

Old version config (<= Debian 10)

On Debian 10 (buster) or older, sshd_config does not support the Include directive. Thus any extra setting must be added in the main sshd_config file directly.

"},{"location":"infrastructure/sshca/#issue-a-server-certificate","title":"Issue a server certificate","text":"

Warning

When signing certificates using OpenSSH <= 8.1, add -t rsa-sha2-512 to the ssh-keygen command. More details can be found here: https://ibug.io/p/35

Note

Some of our servers may still be running Debian Jessie, which has OpenSSH 6.7 that does not support SHA-2 certificate algorithms (OpenSSH 7.2 required). Sign with -t ssh-rsa instead if you want to log in to such servers.

January 2022 update: We believe we have got rid of all Jessie systems, so this should no longer be the case.

Copy the file /etc/ssh/ssh_host_rsa_key.pub from target server.

Then, run ssh-keygen to issue a public key. For example:

ssh-keygen -s /path/to/ssh_ca \\\n           -I blog \\\n           -h \\\n           -n blog.s.ustclug.org,blog.p.ustclug.org,10.254.0.15,202.141.176.98,202.141.160.98 \\\n           ssh_host_rsa_key.pub\n

Then, copy the certificate file ssh_host_rsa_key-cert.pub back to target server.

At last, add the following lines to sshd config:

/etc/ssh/sshd_config.d/ustclug.conf
HostKey /etc/ssh/ssh_host_rsa_key\nHostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub\n

Warning

See the same warning block above.

Certificate will take effect after SSH daemon is reloaded (systemctl reload ssh).

"},{"location":"infrastructure/sshca/#client-setup","title":"Client setup","text":"

Add the following line to your known_hosts:

~/.ssh/known_hosts
@cert-authority * ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1Bxw9AXoZvc9HTe5o4f7/qOROcmzvlcO5oofoF3pewtRnhNpcd/DwmxSblqpj/cjLYkE32mSCzMYY8X0CRFyMJsgSIDC4i4LXDNU0e8PbB2NIQAAeyfJEU5m/Dn1tPw9WvPtPqHCRvgSwnRfzYngMVWROgV2Qe6pOqTTgetEYfb5gkDc2i1M7yfTp3H3ExfrDKwOKPc/9UYOADMFU6u1fJN+4epLETilHC1ubtBeVi23pn1K+LDy06Gwhq1MLljCM7gFBMrmv894HrOHU4WrzLUlfkiDt2cyXLb4qPWYqilBFLUjU92kjmiI/EwB/8pR1WmdU7FoYpdgBHNr3NT53 LUG-CA\n

And when you log in to a LUG server, it is automatically trusted. If you find a machine that does not support this setup, report it to CTO.

"},{"location":"infrastructure/sshca/#issue-a-client-certificate","title":"Issue a client certificate","text":"
ssh-keygen -s /path/to/ssh_ca \\\n           -I certificate_identity \\\n           -n principals \\\n          [-O options] \\\n          [-V validity_interval] \\\n           public_key_file\n

For example:

ssh-keygen -s /path/to/ssh_ca -I \"Yifan Gao\" -n yifan -V -5m:+365d yifan.pub\n

In general, certificate_identity is the user's full name, and principals is the system username. The certificate identity is used to identify certificates and is logged in system logs. In addition, one certificate can carry multiply principals, like:

ssh-keygen -s /path/to/ssh_ca -I \"Yifan Gao\" -n yifan,root,liims -V -5m:+365d yifan.pub\n

It authorizes the certificate owner to login to any server as yifan, root or liims user.

Note

The liims principal is used to log into library inquiry machines.

Tip

The validity interval by default starts at the current system time. Using -5m:+365d creates a certificate valid from 5 minutes ago to make up for offset times on other systems. Otherwise it's not much useful to have a validity period starting from a long time ago.

For security purposes, avoid creating certificates without a defined validity period. It's also recommended to keep validity periods as short as necessary.

"},{"location":"infrastructure/ssl/","title":"SSL Certificates","text":"

Discussion: #224

Our SSL certificates are automatically renewed on GitHub ustclug/ssl-cert ( Private).

We delegate the subdomain ssl-digitalocean.ustclug.org to DigitalOcean DNS hosting, and use acme.sh DNS alias mode to issue certificates. For this to work, we have the following CNAME records in place:

_acme-challenge.lug.ustc.edu.cn    ->  lug.ssl-digitalocean.ustclug.org\n_acme-challenge.ustclug.org        ->  lug.ssl-digitalocean.ustclug.org\n_acme-challenge.proxy.ustclug.org  ->  lug.ssl-digitalocean.ustclug.org\n\n_acme-challenge.vpn.lug.ustc.edu.cn  ->  lugvpn.ssl-digitalocean.ustclug.org\n_acme-challenge.vpn.ustclug.org      ->  lugvpn.ssl-digitalocean.ustclug.org\n\n_acme-challenge.mirrors.ustc.edu.cn  ->  mirrors.ssl-digitalocean.ustclug.org\n

Individual machines that use SSL certificates should pull from the said repository (branch cert). Certificates may be loaded via symbolic links (for processes running on the host system directly), or copied around from within the updater script (when there are path constraints, e.g. in a Docker container). The update task is managed by cron.

Update script for reference:

/etc/ssl/private/.git/update.sh
#!/bin/sh\n\ncd \"/etc/ssl/private\"\n\ngit fetch -q\nif [ \"$(git rev-parse HEAD)\" = \"$(git rev-parse '@{u}')\" ]; then\n  exit 0\nfi\ngit reset --hard '@{u}'\n\n# Display certificate dates. This section is optional\nif command -v openssl >/dev/null 2>&1; then\n  echo \"Cert has been updated. New expiry:\"\n  for f in */cert.pem; do\n    echo \"$f:\"\n    openssl x509 -in \"$f\" -noout -dates\n  done\nelse\n  echo \"Cert has been updated.\"\nfi\n\nsystemctl reload openresty.service\n# Other `cp -a` or `docker restart` commands, etc.\n

The DigitalOcean account we use is owned by iBug and has nothing else running.

Plan B

Hurricane Electric provides hosted DNS zones for free, which is also supported by acme.sh. This makes HE DNS a feasible alternative should our current dependency (DigitalOcean) fails.

"},{"location":"infrastructure/ssl/#exceptions","title":"Exceptions","text":"

PXE manages its own certificates with acme.sh and validates via HTTP-01 challenge. The certificates are stored in /etc/acme.sh/pxe.ustc.edu.cn/.

"},{"location":"infrastructure/tinc/","title":"Tinc VPN \u914d\u7f6e\u8bf4\u660e","text":"

Tinc VPN \u662f LUG \u5185\u7f51\u7684\u4e3b\u8981\u6784\u6210\u8f6f\u4ef6\uff0cLDAP \u9700\u8981\u7528\u5230\u5b83\uff08\u56e0\u4e3a ldap \u670d\u52a1\u5668\u662f\u4e2a\u5185\u7f51\u670d\u52a1\u5668\uff09

"},{"location":"infrastructure/tinc/#_1","title":"\u5b89\u88c5","text":"

Debian 9+ \u53ef\u4ee5\u76f4\u63a5\u4ece apt \u6e90\u5b89\u88c5 tinc \u5305\u3002

\u4e0d\u65e9\u8bf4\u8fd9\u73a9\u610f\u6709\u4e2a Git \u4ed3\u5e93\uff1f\uff1fhttps://git.lug.ustc.edu.cn/ustclug/tinc-configure

\u65e2\u7136\u6709\u4ed3\u5e93\u6240\u4ee5\u8981\u505a\u7684\u4e8b\u60c5\u6bd4\u8f83\u7b80\u5355\uff0c\u8fdb\u5165 /etc/tinc \u76ee\u5f55\u51c6\u5907\u548c Git \u4ed3\u5e93\u540c\u6b65\u914d\u7f6e\uff1a

git init\ngit remote add origin https://git.lug.ustc.edu.cn/ustclug/tinc-configure.git\ngit fetch origin master\ngit reset --hard FETCH_HEAD\n

\u6ce8\u610f git reset \u4f1a\u8986\u76d6\u90e8\u5206\u6587\u4ef6\uff0c\u5efa\u8bae\u5728\u5168\u65b0\u5b89\u88c5 tinc \u4e4b\u540e\u8fdb\u884c\u540c\u6b65\u914d\u7f6e\u3002

\u914d\u7f6e\u5b8c\u6210\u540e\u6267\u884c systemctl enable tinc@ustclug.service \u4f7f tinc \u80fd\u591f\u5f00\u673a\u542f\u52a8\u3002

"},{"location":"infrastructure/tinc/#_2","title":"\u52a0\u5165\u4e3b\u673a","text":"

\u9996\u5148\u9700\u8981\u5728\u65b0\u4e3b\u673a\u4e0a\u751f\u6210\u5bc6\u94a5\uff1a

tincd -n ustclug -K\n

\u7136\u540e\u5728 /etc/tinc/ustclug/hosts/$HOST \u6700\u540e\u8865\u4e0a\u4e00\u884c\uff1a

Address = [\u8fd9\u53f0\u673a\u5668\u7684\u516c\u7f51IP]\n

\u628a\u65b0\u589e\u7684\u8fd9\u4e2a\u6587\u4ef6\u63d0\u4ea4\u8fdb Git \u4ed3\u5e93\uff0c\u5e76\u5728 {ldap,board,gateway-el,gateway-nic}.s.ustclug.org \u7b49\u591a\u53f0\u673a\u5668\u4e0a\u901a\u8fc7 git pull \u66f4\u65b0\uff0c\u5e76 systemctl reload tinc@ustclug.service\u3002

"},{"location":"infrastructure/tinc/#ip","title":"\u5185\u7f51 IP","text":"

\u6d4b\u8bd5\u7684\u65f6\u5019\uff0c\u4f60\u53ef\u4ee5\u76f4\u63a5\u901a\u8fc7 ifconfig \u7b49\u65b9\u5f0f\u6307\u5b9a\u4e00\u4e2a\u4e34\u65f6\u7684 IP\uff0c\u6ce8\u610f\u4e0d\u8981\u4e0e\u5df2\u6709\u7684\u5185\u7f51 IP \u51b2\u7a81\uff1a

ifconfig 10.254.0.xxx/21 ustclug\n

\u8fd9\u65f6\u5019\u5e94\u8be5\u80fd\u4ece\u5176\u4ed6\u673a\u5668 ping \u901a\u8fd9\u4e2a IP\u3002

\u6307\u5b9a\u9759\u6001\u5185\u7f51 IP \u7684\u6b63\u786e\u65b9\u6cd5\u662f\u5728 DNS \u4e2d\u6dfb\u52a0\u4e00\u6761\u8fd9\u6837\u7684\u8bb0\u5f55\uff1a

$ORIGIN s.ustclug.org\n<HOST>  600     IN A    <Intranet IP>\n

\u7136\u540e\u5728\u673a\u5668\u4e0a\u91cd\u542f systemctl restart tinc@ustclug.service \u5c31\u80fd\u81ea\u52a8\u83b7\u53d6\u4e86\u3002

"},{"location":"infrastructure/tinc/#ssh","title":"\u914d\u7f6e SSH \u4fa6\u542c\u5185\u7f51\u5730\u5740","text":"

Tip

\u5bf9\u4e8e Debian 11+ \u7684\u7cfb\u7edf\uff0c\u5efa\u8bae\u4fdd\u6301 sshd_config \u4e0d\u52a8\uff0c\u5c06\u81ea\u5b9a\u4e49\u7684\u914d\u7f6e\u5199\u5165 sshd_config.d/ustclug.conf\uff0c\u4ee5\u51cf\u5c11\u66f4\u65b0 ssh \u8f6f\u4ef6\u5305\u65f6\u7684\u914d\u7f6e\u6587\u4ef6\u51b2\u7a81\u3002\u6ce8\u610f\u5982\u679c\u8fd9\u4e48\u505a\u7684\u8bdd\u9700\u8981\u628a\u914d\u7f6e\u6587\u4ef6\u91cc\u7684 Subsystem sftp \u5220\u6389\uff0c\u5426\u5219 sshd \u4f1a\u62a5\u9519\u201c\u91cd\u590d\u6307\u5b9a\u4e86 Subsystem sshd\u201d\u3002

\u4ee5\u4e0b\u914d\u7f6e\u4f9b\u53c2\u8003\uff0c\u590d\u5236\u65f6\u6ce8\u610f\u4fee\u6539 Match LocalAddress \u540e\u9762\u7684\u5185\u5bb9\uff08\u5185\u7f51\u5730\u5740\u548c AllowGroups \u6700\u540e\u7684\u540d\u79f0\uff09\uff1a

/etc/ssh/sshd_config
AddressFamily inet\nUseDNS no\n\nHostKey /etc/ssh/ssh_host_rsa_key\nHostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub\nTrustedUserCAKeys /etc/ssh/ssh_user_ca\nRevokedKeys /etc/ssh/ssh_revoked_keys\n\nPasswordAuthentication no\nPubkeyAuthentication no\nChallengeResponseAuthentication no\nUsePAM yes # LDAP for Debian\n\nAcceptEnv LANG LC_*\nX11Forwarding yes\nPrintLastLog no\nPrintMotd no\nSubsystem sftp /usr/lib/openssh/sftp-server\n\nMatch LocalAddress 10.254.0.0\n    AllowGroups ssh_local super_manager ssh_groupname\n    PasswordAuthentication yes\n    PubkeyAuthentication yes\n\n# Public IP access = root-only\nMatch LocalAddress 202.38.95.110,202.141.160.110,202.141.176.110,218.104.71.170\n    AllowUsers root\n    PubkeyAuthentication yes\n    AuthorizedKeysFile none  # \u5c4f\u853d\u516c\u94a5\uff0c\u4ec5\u5141\u8bb8\u8bc1\u4e66\u767b\u5f55\n\n# For SSH Push trigger\nMatch User mirror\n    AllowUsers mirror\n    AuthenticationMethods publickey\n    PermitTTY no\n    PermitTunnel no\n    X11Forwarding no\n\nMatch All #(1)\n
  1. OpenSSH 6.5p1 \u4ee5\u4e0a\u53ef\u4ee5\u4f7f\u7528 Match All \u6765\u7ed3\u675f\u4e0a\u9762\u7684 Match \u5757\u3002\u7531\u4e8e Include \u6307\u4ee4\u51fa\u73b0\u5728 /etc/ssh/sshd_config \u7684\u6700\u4e0a\u9762\uff0c\u800c\u63a5\u4e0b\u6765\u7684\u5185\u5bb9\u90fd\u662f\u5168\u5c40\u8bbe\u7f6e\uff0c\u56e0\u6b64\u4f7f\u7528 Match All \u4fdd\u8bc1\u539f\u5148\u7684\u5185\u5bb9\u7ee7\u7eed\u4f5c\u7528\u4e8e\u5168\u5c40\uff0c\u800c\u4e0d\u662f\u50cf\u4e0a\u9762\u8fd9\u4e2a\u4f8b\u5b50\u4e00\u6837\u53d8\u6210 Match User mirror \u7684\u8bbe\u7f6e\u3002

\u6ce8\u610f HostCertificate, TrustedUserCAKeys \u548c RevokedKeys \u8fd9\u4e09\u4e2a\u6587\u4ef6\u5fc5\u987b\u5b58\u5728\uff0c\u5426\u5219 SSH \u4f1a\u51fa\u4e00\u4e9b\u95ee\u9898\uff0c\u4f8b\u5982\u4e0d\u80fd\u5bc6\u94a5\u767b\u5f55\u53ea\u80fd\u5bc6\u7801\u767b\u5f55\u3002

HostCertificate \u9700\u8981\u624b\u52a8\u7b7e\u53d1\u4e00\u4e2a\uff0c\u53e6\u5916\u4e24\u4e2a\u6587\u4ef6\u4ece\u522b\u7684\u673a\u5668\u4e0a\u590d\u5236\u5c31\u884c\u3002

"},{"location":"infrastructure/discontinued/","title":"\u4e0d\u518d\u4f7f\u7528\u7684\u57fa\u7840\u8bbe\u65bd","text":"

Warning

Content under this section is not necessarily up-to-date.

"},{"location":"infrastructure/discontinued/#saltstack","title":"SaltStack","text":"

\u76ee\u524d\u4e0d\u77e5 SaltStack \u4f55\u65f6\u5f00\u59cb\u4f7f\u7528\uff0c\u4f46\u662f\u6211\u4eec\u6ca1\u6709\u4efb\u4f55\u4f9d\u8d56\u4e8e salt \u7684\u914d\u7f6e\u3002\u51fa\u4e8e\u8003\u8651\u5230 salt \u51fa\u73b0\u8fc7\u975e\u5e38\u4e25\u91cd\u7684 CVE\uff0csaltstack \u5df2\u4e0d\u518d\u8003\u8651\u4f7f\u7528\uff0c\u4e14\u5728\u5df2\u77e5\u7684\u673a\u5668\u4e0a\u90fd\u5df2\u5220\u9664\u3002\u5982\u679c\u4f60\u53d1\u73b0\u67d0\u53f0 lug \u7684\u673a\u5668\u4e0a\u5b89\u88c5\u4e86 salt\uff0c\u8bf7\u901a\u77e5 CTO \u4ee5\u5c06\u5176\u5220\u9664\u3002

\u5728\u81ea\u52a8\u5316\u8fd0\u7ef4\u65b9\u9762\uff0c\u672a\u6765\u4f1a\u8c03\u7814 ansible\u3002

"},{"location":"infrastructure/discontinued/#vsphere","title":"vSphere \u96c6\u7fa4","text":"

\u6211\u4eec\u4ece 2015 \u5e74\uff08\u6216\u66f4\u65e9\uff09\u5f00\u59cb\u4f7f\u7528 vSphere \u5e73\u53f0\uff08ESXi + vCenter\uff09\u8fd0\u884c\u865a\u62df\u673a\u3002\u7531\u4e8e VMware \u4e13\u6709\u5e73\u53f0\u7684\u590d\u6742\u6027\u96be\u4ee5\u7ef4\u62a4\uff0c\u6211\u4eec\u5df2\u4e8e 2022 \u5e74 1 \u6708\u5168\u9762\u8fc1\u79fb\u81f3\u5f00\u6e90\u7684\u3001\u57fa\u4e8e Debian GNU/Linux \u7684\u865a\u62df\u5316\u5e73\u53f0 Proxmox VE\u3002

"},{"location":"infrastructure/discontinued/#pve-2-pve-4","title":"pve-2, pve-4","text":"

pve-2 \u548c pve-4 \u4e5f\u4f4d\u4e8e\u4e1c\u56fe\uff0c\u662f\u4e24\u53f0\u672a\u77e5\u54c1\u724c\u3001\u672a\u77e5\u578b\u53f7\u7684\u65e7\u673a\u5668\uff0c\u914d\u7f6e\u4e3a 2\u00d7 Xeon E5420 (Very old 4C4T, 2.50 GHz), 16 GB \u5185\u5b58\uff08DDR2 667 MHz\uff09\u548c\u4e00\u5757 16 GB \u7684 SanDisk SSD\u3002\u8be5\u578b\u53f7\u673a\u5668\u6ca1\u6709 IPMI\u3002

\u7531\u4e8e\u914d\u7f6e\u4f4e\u4e0b\uff0c\u6211\u4eec\u624b\u52a8\u5b89\u88c5\u4e86 Proxmox VE\uff0c\u6ca1\u6709\u4f7f\u7528 LVM\uff0c\u5206\u914d\u4e86 1 GB \u7684 swap\uff0c\u5269\u4e0b\u5168\u90e8\u7ed9 rootfs\u3002

\u673a\u5668\u7684\u7f51\u5361\u6709\u4e24\u4e2a 1 Gbps \u7684\u63a5\u53e3\uff0c\u4e0e pve-6 \u76f8\u540c\uff0c\u90fd\u63a5\u5728\u540c\u4e00\u4e2a\u4ea4\u6362\u673a\u4e0a\u3002

"},{"location":"infrastructure/discontinued/vsphere/esxi/","title":"ESXi","text":"

\u73b0\u5f79\u7684 ESXi \u6709 3 \u53f0\uff1aesxi-2 \u548c esxi-6 \u4f4d\u4e8e\u4e1c\u56fe\u673a\u623f\uff0cesxi-5 \u4f4d\u4e8e\u7f51\u7edc\u4fe1\u606f\u4e2d\u5fc3\u673a\u623f\u3002

esxi-2 \u4e0a\u8fd0\u884c\u4e1c\u56fe\u7f51\u5173\u7b49\u670d\u52a1\uff0cesxi-6 \u4e0a\u8fd0\u884c ustclug gitlab\u3002esxi-5 \u4e0a\u8fd0\u884c\u8bf8\u5982 vcenter, \u90ae\u4ef6\u7f51\u5173, ldap, \u5907\u7528\u7f51\u5173, vSphereDataProtection \u5907\u4efd\u670d\u52a1\u7b49\u3002

\u76ee\u524d\uff0c\u6709\u8ba1\u5212\u5c06\u865a\u62df\u5316\u65b9\u6848\u66f4\u6539\u4e3a Proxmox Virtual Environment\u3002

"},{"location":"infrastructure/discontinued/vsphere/esxi/#about-snapshot","title":"\u5173\u4e8e\u5feb\u7167","text":"

Best practices: https://kb.vmware.com/s/article/1025279\uff0c\u7ba1\u7406\u865a\u62df\u673a\u524d\u52a1\u5fc5\u9605\u8bfb\u3002

"},{"location":"infrastructure/discontinued/vsphere/esxi/#_1","title":"\u673a\u5668\u914d\u7f6e\u7ec6\u8282","text":""},{"location":"infrastructure/discontinued/vsphere/esxi/#esxi-5","title":"esxi-5","text":"

esxi-5 \u4e0a\u4e8e 2021/8 \u53d1\u73b0\u81ea\u5e26\u9635\u5217\u6709\u4e24\u5757\u574f\u76d8\uff0c\u5728\u66f4\u6362\u540e\u53d1\u73b0 storage \"root\"\uff08\u5b58\u653e vcenter \u865a\u62df\u673a\uff0c\u7ec4 RAID 1 \u540e\u5927\u5c0f 1.8TB\uff09\u65e0\u6cd5\u6b63\u5e38 rebuild\uff0c\u5e76\u4e14 vcenter \u865a\u62df\u673a\u7684 vmdk \u6587\u4ef6\u6709 4 \u4e2a\u51fa\u73b0 I/O error\u3002\u76ee\u524d vcenter \u865a\u62df\u673a\u5df2\u7ecf\u8fc1\u79fb\u5230 storage \"data\" (RAID10, 7.2 TB)\uff0c\u5de5\u4f5c\u6b63\u5e38\u3002

"},{"location":"infrastructure/discontinued/vsphere/vcenter/","title":"vCenter","text":"

vCenter \u4e3a\u7ef4\u62a4\u4eba\u5458\u63d0\u4f9b\u4e86\u65b9\u4fbf\u7684\u7ba1\u7406\u6240\u6709 ESXi \u670d\u52a1\u5668\u7684\u754c\u9762\u3002\u9700\u8981\u6ce8\u610f\uff1a

"},{"location":"infrastructure/discontinued/vsphere/vcenter/#patch","title":"\u5b89\u88c5 patch","text":"

\u5f53\u51fa\u73b0\u4e25\u91cd\u7684 CVE \u4e14\u65e0\u6cd5\u7b80\u5355 workaround \u65f6\uff0c\u5efa\u8bae\u5b89\u88c5 patch\uff0c\u5927\u81f4\u65b9\u6cd5\uff1a

  1. \u6253\u5feb\u7167\uff0c\u6700\u597d\u80fd\u624b\u52a8\u5907\u4efd\u4e00\u4e0b\u3002
  2. \u524d\u5f80 https://my.vmware.com/group/vmware/patch \u4e0b\u8f7d\u6700\u65b0\u7248 patch ISO \u6587\u4ef6\uff08\u5206\u7c7b\u4e3a VC\uff0c\u9700\u8981\u6ce8\u518c\u514d\u8d39\u8d26\u53f7\uff09\uff1b
  3. \u4e0a\u4f20 ISO \u6587\u4ef6\u5230 esxi-5 \u67d0\u4e2a datastore \u4e2d\uff0c\u5c06 ISO \u6302\u8f7d\u5230 VMware vCenter Server Appliance \u865a\u62df\u673a\u4e2d\uff1b
  4. \u767b\u5f55 esxi-5 \u7ba1\u7406\u754c\u9762\uff08\u4e0d\u662f vcenter \u754c\u9762\uff0c\u56e0\u4e3a\u66f4\u65b0\u7684\u65f6\u5019 vcenter \u4f1a\u4e0b\u7ebf\uff09\uff0c\u8fdb\u5165 vcenter console\u3002
  5. software-packages stage --iso \u52a0\u8f7d\u8865\u4e01\u6587\u4ef6\uff08\u5b9e\u8d28\u662f\u4e00\u5806 rpm\uff09\u3002
  6. software-packages install --iso \u5b89\u88c5\u8865\u4e01\u6587\u4ef6\u3002
  7. shell \u8fdb\u5165 bash\uff0creboot \u91cd\u542f\u3002
  8. \u91cd\u542f\u540e\u5982\u679c\u8fdb\u5165 5480 \u7aef\u53e3\u53d1\u73b0\u670d\u52a1\u72b6\u6001\u4e3a\u672a\u77e5\uff0c\u624b\u52a8\u91cd\u542f\u6240\u6709\u670d\u52a1\uff1aservice-control --start --all
  9. \u7b49\u5f85\u4e00\u6bb5\u65f6\u95f4\uff08\u6bd4\u8f83\u957f\uff09\uff0c\u671f\u95f4\u53ef\u80fd 503/\u663e\u793a\u670d\u52a1\u6b63\u5728\u52a0\u8f7d\u4e2d\uff0c\u7b49\u7b49\uff0c\u4e4b\u540e\u5c31\u5e94\u8be5\u6b63\u5e38\u4e86\u3002
  10. \u522b\u5fd8\u4e86\u624b\u52a8\u5907\u4efd\u3002

\u5347\u7ea7\u65f6\u9047\u5230\u7684\u95ee\u9898\uff1a

  1. \u65e0\u6cd5\u8bc6\u522b ISO \u4e3a\u66f4\u65b0\u7684\u7248\u672c\uff1ahttps://kb.vmware.com/s/article/59659?lang=zh_CN
  2. \u300c\u73af\u5883\u5c1a\u672a\u51c6\u5907\u597d\u66f4\u65b0\u300d\uff1a\u4f7f\u7528 console \u7684 software-packages \u66f4\u65b0\uff0c\u67e5\u770b\u539f\u56e0\u3002\u5982\u679c\u662f root \u5bc6\u7801\u8fc7\u671f\uff0c\u8fdb\u5165 bash\uff0c\u4f7f\u7528 passwd \u5148\u91cd\u7f6e\u6210\u65b0\u7684\uff08\u7136\u540e\u518d\u6539\u56de\u6765\uff09\uff0c\u4f7f\u7528 chage -I -1 -m 0 -M 99999 -E -1 root \u8bbe\u7f6e\u6c38\u4e0d\u8fc7\u671f\u3002
"},{"location":"infrastructure/discontinued/vsphere/vdp/","title":"VDP","text":"

\u5f53\u6211\u4eec\u8bf4\u5230 VDP \u7684\u65f6\u5019\uff0c\u6211\u4eec\u5230\u5e95\u5728\u6307\u4ec0\u4e48\uff1f\u4e3a\u4e86\u907f\u514d\u6b67\u4e49\uff0c\u4ee5\u4e0b\u505a\u4e86\u4e00\u4e9b\u5b9a\u4e49\uff1a

vdp2 \u6302\u63a5\u5728 esxi-5 \u4e0a\uff0cesxi-5 \u6e90\u4e8e\u8001 mirrors\uff08mirrors2 \u4e4b\u524d\u7684\u4e00\u4ee3\u673a\u5668\uff09\u3002vSphereDataProtection \u7248\u672c\u4e3a 6.1.5\u3002

\u5f53 vdp \u5907\u4efd\u7a0b\u5e8f\u51fa\u73b0\u5947\u602a\u7684\u95ee\u9898\u7684\u65f6\u5019\uff0c\u91cd\u542f vdp \u5907\u4efd\u865a\u62df\u673a\u7edd\u5927\u591a\u6570\u65f6\u5019\u80fd\u591f\u89e3\u51b3\u95ee\u9898\u3002\u91cd\u542f\u8017\u65f6\u975e\u5e38\u957f\uff0c\u9700\u8981\u505a\u597d\u5fc3\u7406\u51c6\u5907\u3002

\u5907\u4efd\u65f6\uff0cvdp \u5907\u4efd\u7a0b\u5e8f\u4f1a\u4e3a\u865a\u62df\u673a\u65b0\u5efa\u4e00\u4e2a snapshot\uff0c\u4e4b\u540e\u4ece snapshot \u4f20\u8f93\u5907\u4efd\u3002\u5076\u5c14 snapshot \u4e0d\u4f1a\u88ab\u6b63\u5e38\u5220\u9664\uff0c\u800c\u5927\u91cf\u6216\u957f\u65f6\u95f4\u5b58\u653e\u7684 snapshot \u4f1a\u7ed9\u6027\u80fd\u5e26\u6765\u8d1f\u9762\u5f71\u54cd\uff0c\u6240\u4ee5\u5982\u679c\u53d1\u73b0\u6b64\u7c7b\u60c5\u51b5\uff0c\u5728\u786e\u8ba4\u5907\u4efd\u4e0d\u518d\u8fdb\u884c\u540e\uff0c\u9700\u8981\u5220\u9664 snapshot\uff0c\u540c\u65f6\u4fdd\u6301\u673a\u5668\u5728\u7ebf\uff08\u5728\u5173\u673a\u60c5\u51b5\u4e0b\u6574\u5408\u78c1\u76d8\u65f6\u65e0\u6cd5\u5f00\u673a\uff01\uff09\u3002

\u53c2\u8003\u8d44\u6599\uff1ahttps://docs.vmware.com/en/VMware-vSphere/6.5/rn/data-protection-615-release-notes.html

VDP \u5907\u4efd\u865a\u62df\u673a\u5df2\u7ecf EOL\u3002\u8bbf\u95ee vcenter \u4e2d\u7684 VDP \u63d2\u4ef6\u9700\u8981\u4f7f\u7528 Adobe Flash\u3002

"},{"location":"infrastructure/discontinued/vsphere/vdp/#_1","title":"\u5907\u4efd\u8ba1\u5212","text":"

\u76ee\u524d\u7684\u5907\u4efd\u8ba1\u5212\u5982\u4e0b\uff1a

"},{"location":"infrastructure/discontinued/vsphere/vdp/#_2","title":"\u9ad8\u7ea7\u547d\u4ee4","text":"

\u67e5\u770b\u5f53\u524d\u4efb\u52a1\uff1a

# mccli activity show | grep Running\n

\u67e5\u770b\u670d\u52a1\u60c5\u51b5\uff1a

# dpnctl status\n# status.dpn\n
"},{"location":"infrastructure/discontinued/vsphere/vdp/#vspheredataprotection-on-virtio-scsi","title":"vSphereDataProtection on VirtIO SCSI","text":"

vdp \u7684\u64cd\u4f5c\u7cfb\u7edf\u662f SLES 11 SP3\uff0c\u8fd9\u4e2a\u64cd\u4f5c\u9700\u8981\u7cfb\u7edf\u76d8\u7684\u524d\u4e24\u4e2a\u5206\u533a\uff08/boot \u548c /\uff09\u3002

  1. \u53c2\u8003 https://www.suse.com/support/kb/doc/?id=000016530\uff0c\u89e3\u538b initrd \u5230\u67d0\u4e2a\u76ee\u5f55\u3002
  2. \u4ece rootfs \u7684 /lib/modules/3.0.101-0.47.99-default/kernel/drivers/ \u91cc\u53d6\u51fa virtio \u7684\u5185\u6838\u6a21\u5757\uff08block \u91cc\u9762\u4e00\u4e2a\uff0cvirtio \u6574\u4e2a\u76ee\u5f55\uff0c\u4ee5\u53ca scsi \u91cc\u9762\u4e00\u4e2a\uff09\uff0c\u653e\u5728 initrd \u89e3\u538b\u540e\u7684\u5bf9\u5e94\u4f4d\u7f6e\u3002
  3. rootfs \u7684 /lib/modules/3.0.101-0.47.99-default/modules.dep* \u590d\u5236\u5230 initrd \u91cc\u3002
  4. \u4fee\u6539 initrd \u91cc\u7684 config/start.sh \u548c run_all.sh\uff0c\u5728 RESOLVED_INITRD_MODULES \u53d8\u91cf\u4e2d\u6dfb\u52a0 virtio_pci virtio virtio_scsi virtio_blk\uff08\u5373\u4fee\u6539\u4e3a RESOLVED_INITRD_MODULES='virtio_pci virtio virtio_scsi virtio_blk cifs ext2 ext3 ext4 fat nfs reiserfs ufs xfs'\uff09\u3002
  5. \u53c2\u8003 https://www.suse.com/support/kb/doc/?id=000016530 \u91cd\u65b0\u6253\u5305\uff0c\u653e\u5728\u7b2c\u4e00\u4e2a\u5206\u533a (/boot) \u91cc\u9762\uff0c\u5efa\u8bae\u4e0d\u8981\u8986\u76d6\u539f\u6765\u7684 initrd\u3002
  6. \u4fee\u6539\u7b2c\u4e00\u4e2a\u5206\u533a\u91cc grub/menu.lst\uff0c\u5c06 initrd \u4fee\u6539\u4e3a\u4f60\u6240\u6253\u5305\u7684\u6587\u4ef6\u540d\u3002
"},{"location":"infrastructure/intranet/","title":"Servers Intranet","text":"

Servers Intranet connects all the servers together, including physical servers and virtual machines.

"},{"location":"infrastructure/intranet/#network-topology","title":"Network Topology","text":"

\u4ee5\u4e0a\u67b6\u6784\u56fe\u7531 iBug \u5728 2023 \u5e74 11 \u6708\u66f4\u65b0\u3002

\u6b64\u5904\u662f\u4e00\u4e9b\u8fc7\u65f6\u7684\u4fe1\u606f\uff0c\u4e5f\u8bb8\u8fd8\u6709\u70b9\u53c2\u8003\u4ef7\u503c

The network contains three parts:

tincVPN is a mesh VPN, which can be abstracted as a virtual Switch.

vm-nfs.s.ustclug.org runs a layer 2 bridge, connecting tincVPN and SRW2024 (physical switch).

It is obvious that vm-nfs is a single point of failure of communicating between tinc host and vSphere virtual machine. I had tried to add another bridge node, but resulted in a broadcast storm. Maybe we can fix it by MPLS (merged in mainline kernel 4.3). But it isn't a right timing at this time.

"},{"location":"infrastructure/intranet/#network-information","title":"Network information","text":"

The network contains one single subnet: 10.254.0.0/21

Every server and service binds to one and only one IP address, used to communicate with each other.

"},{"location":"infrastructure/intranet/#address-planning","title":"Address planning","text":""},{"location":"infrastructure/intranet/gateway/","title":"Intranet Gateway","text":"

We run gateways in each colocation to provide internet access to intranet-only hosts (VMs and containers).

When configuring VMs and containers, set their gateway according to their colocation:

Gateway-JP is mainly used for HTTP reverse proxy, so that we can provide HTTP services in compliance with PRC regulations.

For server configuration on each gateway, refer to their corresponding documentation:

"},{"location":"infrastructure/intranet/gateway/#tinc-workaround-1","title":"Tinc \"received packet on ustclug with own address as source address\" workaround","text":"

After migrating to PVE, we found that sometimes tinc works abnormally within gateway-el and gateway-nic, with following kernel log:

bridge: received packet on ustclug with own address as source address (addr:12:34:56:78:90:ab, vlan:0)\nbridge: received packet on ustclug with own address as source address (addr:12:34:56:78:90:ab, vlan:0)\nbridge: received packet on ustclug with own address as source address (addr:12:34:56:78:90:ab, vlan:0)\nbridge: received packet on ustclug with own address as source address (addr:12:34:56:78:90:ab, vlan:0)\nbridge: received packet on ustclug with own address as source address (addr:12:34:56:78:90:ab, vlan:0)\nbridge: received packet on ustclug with own address as source address (addr:12:34:56:78:90:ab, vlan:0)\nbridge: received packet on ustclug with own address as source address (addr:12:34:56:78:90:ab, vlan:0)\nbridge: received packet on ustclug with own address as source address (addr:12:34:56:78:90:ab, vlan:0)\nbridge: received packet on ustclug with own address as source address (addr:12:34:56:78:90:ab, vlan:0)\nbridge: received packet on ustclug with own address as source address (addr:12:34:56:78:90:ab, vlan:0)\nnet_ratelimit: 2 callbacks suppressed\n

We still don't know the source of this issue. To workaround that, following self-check timer is deployed now:

/opt/tinc-check.sh
#!/bin/bash\n\nrestart() {\n  systemctl stop tinc@ustclug.service\n  sleep 3  # avoid race condition\n  systemctl start tinc@ustclug.service\n  echo \"tinc restarted\"\n}\n\ndmesg | tail -n 2 | grep 'received packet on ustclug with own address as source address' && restart ||  echo \"tinc OK now\";\n
/etc/systemd/system/tinc-check.service
[Unit]\nDescription=Tinc Check and Auto-Restart\n\n[Service]\nType=oneshot\nExecStart=/opt/tinc-check.sh\n
/etc/systemd/system/tinc-check.timer
[Unit]\nDescription=Tinc Check and Auto-Restart Timer\n\n[Timer]\nOnCalendar=minutely\nPersistent=true\n\n[Install]\nWantedBy=timers.target\n
"},{"location":"infrastructure/intranet/lugivpn/","title":"LUG Intranet VPN","text":"

service: intranet.ustclug.org

server: board.s.ustclug.org

"},{"location":"infrastructure/intranet/lugivpn/#introduction","title":"Introduction","text":"

Server intranet is a closed network, which cannot be accessed from Internet. LUGI VPN helps maintainer get access to intranet temporarily.

LUGI VPN is running in Banana Pi Raspberry Pi 3B+, the only ARM architecture device we owned. Using OpenVPN protocal, authorizing via LDAP.

The original Banana Pi was down in April 2021.

"},{"location":"infrastructure/intranet/lugivpn/#configuration","title":"Configuration","text":"

OpenVPN LDAP auth plugin config /etc/openvpn/auth-ldap.conf:

<LDAP>\n    URL             ldaps://ldap.ustclug.org\n    Timeout         15\n    FollowReferrals yes\n    TLSCACertFile   /etc/ldap/ssl/slapd-ca-cert.pem\n</LDAP>\n\n<Authorization>\n    BaseDN          \"ou=people,dc=lug,dc=ustc,dc=edu,dc=cn\"\n    SearchFilter    \"(uid=%u)\"\n    RequireGroup    false\n</Authorization>\n

In openvpn configuration:

...\nplugin /usr/lib/openvpn/openvpn-auth-ldap.so /etc/openvpn/auth-ldap.conf\n

Servers intranet is a layer 2 network without default gateway. So NAT is needed:

iptables -t nat -A POSTROUTING -s 10.254.248.0/22 -d 10.254.0.0/21 -j MASQUERADE\n
"},{"location":"infrastructure/proxmox/nfs/","title":"NFS","text":"

NFS \u670d\u52a1\u5668\uff08\"vdp\"\uff09\u662f\u4e1c\u56fe\u4e09\u4e2a PVE \u673a\u5668\u7684\u865a\u62df\u673a\u5b58\u50a8\uff0c\u578b\u53f7\u4e3a DELL PowerEdge R510\u3002\u78c1\u76d8\u9635\u5217\u7531\u4e8e\u5728 2021 \u5e74 3 \u6708\u521d\u635f\u574f\uff0c\u76ee\u524d\u5bb9\u91cf\u7f29\u51cf\u5230 8T\uff084 \u5757 4T \u84dd\u76d8 RAID10\uff09\u3002\u9664\u865a\u62df\u673a\u5916\uff0cNFS \u4e5f\u5b58\u50a8 LUG \u6210\u5458\u7684\u4e2a\u4eba\u6570\u636e\u53ca LUG FTP\u3002NFS \u670d\u52a1\u6062\u590d\u540e\uff0c\u4e3a\u4e86\u4fdd\u8bc1\u6570\u636e\u5197\u4f59\u6027\uff0c\u4f7f\u7528 Rclone \u548c Rsync \u6bcf\u5929\u589e\u91cf\u5907\u4efd LUG FTP \u548c LUG \u6210\u5458\u7684\u516c\u5f00\u6570\u636e\uff08public_html \u76ee\u5f55\uff09\u5230\u4ee5\u4e0b\u4f4d\u7f6e\uff1a

\u5177\u4f53\u7684\u5907\u4efd\u65b9\u5f0f\u548c\u547d\u4ee4\u53c2\u89c1\u673a\u5668\u4e0a\u7684 rclone-backup.timer \u548c rclone-backup.service\u3002

vdp \u7684\u5185\u7f51\u8fde\u63a5\u4f9d\u8d56\u4e8e gateway-el\u3002

\u53ef\u80fd\u7684\u7f51\u7edc\u95ee\u9898

\u5728 2021 \u5e74\u4e5d\u6708\u4efd\u4e1c\u56fe\u7684 ESXi \u4e0e NFS \u8fde\u63a5\u4f1a\u51fa\u73b0\u4e0d\u7a33\u5b9a\u7684\u95ee\u9898\uff0c\u539f\u56e0\u76ee\u524d\u4e0d\u660e\u3002\u5728\u8fde\u63a5\u65b9\u5f0f\u4ece NFS 4.1 \u66f4\u6362\u5230 NFS 3 \u4e4b\u540e\uff0c\u8fde\u63a5\u7684\u4e0d\u7a33\u5b9a\u4e0d\u4f1a\u5bfc\u81f4\u865a\u62df\u673a\u88ab\u5173\u95ed\u3002

2021/09/29 \u66f4\u65b0\uff1a\u8fd9\u4e24\u5929\u518d\u6b21\u51fa\u73b0\u4e86\u4e25\u91cd\u7684\u8fde\u63a5\u95ee\u9898\u3002\u8c03\u8bd5\u540e\u53d1\u73b0 192.168.93.0/24 \u7684\u7f51\u5173 192.168.93.254 (Cisco \u8bbe\u5907) \u4e22\u5305\u4e25\u91cd\uff0c\u800c NFS \u7684\u51fa\u53e3 IP \u9519\u8bef\u88ab\u8bbe\u7f6e\u5230\u4e86\u4e0e\u56fe\u4e66\u9986\u4ea4\u6362\u673a\u76f8\u8fde\u63a5\u7684 eno1\uff0c\u5bfc\u81f4\u8bf7\u6c42\u9700\u8981\u7ed5\u8def\u3002\u5c06\u6b64 IP \u79fb\u52a8\u81f3 eno2\uff0c\u4fee\u6539 sysctl \u8bbe\u7f6e ARP \u8fc7\u6ee4\u5e76\u91cd\u542f\u540e\uff0c\u76ee\u524d\u6682\u65f6\u89e3\u51b3\u4e86\u95ee\u9898\u3002

Debian Bookworm \u5185\u6838\u95ee\u9898

6.1.x \u5f00\u59cb\u7684\u5185\u6838\u7684 NFSv4 \u670d\u52a1\u5668\u5b9e\u73b0\u53ef\u80fd\u5b58\u5728\u6f5c\u5728\u7684\u95ee\u9898\uff0c\u5bfc\u81f4\u5728\u67d0\u4e9b\u60c5\u51b5\u4e0b\u6b7b\u9501\uff0c\u89c1 https://lore.kernel.org/all/50d62fc9-206b-4dbc-9a9b-335450656fd0@aixigo.com/T/\u3002\u4ece Buster \u5347\u7ea7\u5230 Bookworm \u4e4b\u540e\u88ab\u5751\u4e86\u4e00\u6b21\u3002

\u7531\u4e8e\u8fd9\u4e2a\u95ee\u9898\u76ee\u524d\u5c1a\u672a\u89e3\u51b3\uff0c\u5728\u5347\u7ea7 Bookworm \u4e4b\u540e vdp \u4ecd\u4f7f\u7528 Bullseye \u7684\u5185\u6838\uff085.10.x\uff09\u3002

/etc/apt/preferences.d/linux-image-amd64
Package: linux-image-amd64\nPin: release n=bullseye-security\nPin-Priority: 900\n

\u6211\u4eec\u521b\u5efa\u4e86\u5982\u4e0a\u6587\u4ef6\uff08\u4ee5\u4fbf\u80fd\u591f\u7ee7\u7eed\u4ece bullseye-security \u83b7\u5f97\u5185\u6838\u7684\u5b89\u5168\u66f4\u65b0\uff09\uff0c\u7136\u540e\u624b\u52a8\u5220\u6389\u4e86\u6240\u6709 6.1 \u7684\u5185\u6838\u5305\u3002

"},{"location":"infrastructure/proxmox/nfs/#pve","title":"PVE \u78c1\u76d8\u8def\u5f84\u4e0e\u6302\u8f7d\u53c2\u6570","text":"

\u5728 storage.cfg \u8bbe\u7f6e\u4e2d\uff0cNFS \u6302\u8f7d\u5230 /mnt/nfs-el\uff0c\u8bbe\u7f6e\u7684\u53c2\u6570\u4e3a soft,noexec,nosuid,nodev\u3002\u8bbe\u7f6e\u4e3a hard \u4f1a\u5bfc\u81f4 NFS \u4e0b\u7ebf\u65f6\u91cd\u8bd5\u65e0\u9650\u6b21\uff0c\u5927\u6982\u7387\u5bfc\u81f4\u7cfb\u7edf\u5361\u6b7b\uff0c\u5176\u4ed6\u51e0\u4e2a\u53c2\u6570\u4e3b\u8981\u662f\u4e3a\u4e86\u5b89\u5168\u3002

\u5176\u4e2d\uff0c\u6839\u636e PVE \u7684\u8981\u6c42\uff0c\u865a\u62df\u673a\u78c1\u76d8\u6587\u4ef6\u9700\u8981\u653e\u5728 images/<vmid> \u76ee\u5f55\u4e0b\u624d\u4f1a\u88ab\u81ea\u52a8\u68c0\u6d4b\u5230\u3002\u82e5\u4e00\u5f00\u59cb\u6ca1\u6709\u6309\u8981\u6c42\u653e\u7f6e\u6587\u4ef6\u6216\u6dfb\u52a0\u4e86\u65b0\u6587\u4ef6\uff0c\u53ef\u4ee5\u4f7f\u7528 qm rescan \u626b\u63cf\u65b0\u7684\u78c1\u76d8\u6587\u4ef6\u3002\u4e5f\u53ef\u4ee5\u76f4\u63a5\u4f7f\u7528 qm set \u547d\u4ee4\u6216\u624b\u52a8\u7f16\u8f91\u865a\u62df\u673a\u914d\u7f6e\u6587\u4ef6\u6307\u5b9a\u78c1\u76d8\u6587\u4ef6\u7684\u8def\u5f84\uff0c\u8fd9\u4e24\u79cd\u65b9\u6cd5\u6ca1\u6709\u6b64\u9650\u5236\u3002

\u53e6\u5916\uff0c\u7531\u4e8e\u6574\u4e2a storage.cfg \u6587\u4ef6\u5728\u96c6\u7fa4\u4e2d\u5171\u4eab\uff0c\u9700\u8981\u624b\u52a8\u6307\u5b9a nodes \u4ee5\u514d NIC \u7684\u4e24\u53f0 PVE \u4e3b\u673a\u5c1d\u8bd5\u6302\u8f7d\u3002

/etc/pve/storage.cfg
nfs: nfs-el\n        export /media/vdp/pve\n        path /mnt/nfs-el\n        server nfs-el.vm.ustclug.org\n        options soft,noexec,nosuid,nodev\n        content iso,images\n        nodes pve-2,pve-4,pve-6\n        shared 1\n        prune-backups keep-all=1\n

storage.cfg \u7684\u5168\u90e8\u914d\u7f6e\u5185\u5bb9\u53ef\u4ee5\u53c2\u8003 https://pve.proxmox.com/wiki/Storage\u3002

"},{"location":"infrastructure/proxmox/pbs/","title":"Proxmox Backup Server (PBS)","text":"

PBS \u73b0\u5728\u90e8\u7f72\u5728 esxi-5 \u4e0a\u9762\uff0c\u7528\u4f5c\u865a\u62df\u673a\u5907\u4efd\uff0cweb \u754c\u9762\u7684\u7aef\u53e3\u53f7\u4e3a 8007\uff08HTTPS only\uff09\u3002

Info

\u672c\u9875\u9762\u8bb0\u5f55 Proxmox Backup Server \u8f6f\u4ef6\u76f8\u5173\uff0c\u4ee5\u53ca Proxmox VE \u865a\u62df\u673a\u76f8\u5173\u7684\u8d44\u6599\u3002\u5173\u4e8e esxi-5 \u7684\u7cfb\u7edf\u914d\u7f6e\u4fe1\u606f\u8bb0\u5f55\u5728 Proxmox VE \u9875\u9762\u3002

"},{"location":"infrastructure/proxmox/pbs/#pbs","title":"\u5b89\u88c5 PBS","text":"

PBS \u53ef\u4ee5\u4f7f\u7528\u5b89\u88c5\u5149\u76d8 iso \u5b89\u88c5\u6216\u76f4\u63a5\u52a0\u88c5\u5728\u73b0\u6709\u7684\u5bf9\u5e94\u7248\u672c\u7684 Debian \u7cfb\u7edf\u4e0a\uff0c\u8fd9\u4e24\u79cd\u5b89\u88c5\u65b9\u5f0f\u90fd\u6709\u5b98\u65b9\u7684\u8bf4\u660e\u6587\u6863\u3002

\u6211\u4eec\u7684 esxi-5 \u662f\u4f7f\u7528 PVE \u7684\u5b89\u88c5\u76d8\u5148\u88c5\u6210 PVE\uff0c\u518d\u5728\u4e0a\u9762\u989d\u5916\u52a0\u88c5 PBS \u7684\u3002\u7531\u4e8e PVE \u548c PBS \u5171\u4eab\u4e86\u5927\u91cf\u7ec4\u4ef6\uff0c\u56e0\u6b64\u5728 PVE \u4e0a\u52a0\u88c5 PBS \u5c31\u53ea\u5269\u4e0b\u5f88\u7b80\u5355\u7684\u4e00\u4e9b\u6b65\u9aa4\u4e86\uff1a

echo \"deb http://mirrors.ustc.edu.cn/proxmox/debian/pbs bullseye pbs-no-subscription\" > /etc/apt/sources.list.d/pbs.list\napt update\napt install proxmox-backup\n

\u8be5\u8fc7\u7a0b\u4ec5\u5b89\u88c5\u4e86\u603b\u91cf\u4e3a 150+ MB \u7684 8 \u4e2a\u5305\uff0c\u5c31\u6709 PBS \u53ef\u7528\u4e86\u3002

"},{"location":"infrastructure/proxmox/pbs/#pbs-new-user","title":"\u521b\u5efa\u65b0\u7528\u6237","text":"

PBS \u81ea\u5df1\u7684\u8d26\u53f7\u4f53\u7cfb (Realm pbs) \u4e0e PVE (Realm pve) \u4e92\u76f8\u4e0d\u901a\uff0c\u5982\u679c\u9700\u8981\u521b\u5efa\u65b0\u7684 PBS \u7528\u6237\uff0c\u53ef\u4ee5\u901a\u8fc7 SSH \u767b\u5f55\uff0c\u7136\u540e\u53c2\u8003\u4ee5\u4e0b\u6b65\u9aa4\uff1a

  1. proxmox-backup-manager user create \u7528\u6237\u540d@pbs --email \u90ae\u7bb1\u5730\u5740@ustclug.org
  2. proxmox-backup-manager user update \u7528\u6237\u540d@pbs --password '\u4e00\u4e2a\u4e34\u65f6\u7684\u5bc6\u7801'
  3. \u4f7f\u7528\u8be5\u7528\u6237\u767b\u5f55 PBS\uff08\u6b64\u65f6\u7528\u6237\u65e0\u6743\u9650\uff09\uff0c\u4fee\u6539\u5bc6\u7801\uff1b
  4. \u8d4b\u4e88\u6743\u9650\u3002\u8d85\u7ea7\u7ba1\u7406\u5458\u5bf9\u5e94\u7684\u547d\u4ee4\u662f proxmox-backup-manager acl update / Admin --auth-id \u7528\u6237\u540d@pbs
  5. \u4f7f\u7528 proxmox-backup-manager acl list \u786e\u8ba4\u6743\u9650\u5217\u8868\u3002

\u53c2\u8003\uff1ahttps://pbs.proxmox.com/docs/user-management.html

Tip

\u5f53\u7136\uff0c\u4f60\u4e5f\u53ef\u4ee5 SSH \u767b\u5f55\u540e\u4fee\u6539 root \u5bc6\u7801\uff0c\u518d\u7528 root@pam \u7684\u8d26\u53f7\u767b\u5f55 web \u754c\u9762\u8fdb\u884c\u64cd\u4f5c\u3002\u8be5\u65b9\u6cd5\u540c\u65f6\u9002\u7528\u4e8e PVE \u548c PBS\u3002\u64cd\u4f5c\u5b8c\u6210\u540e\u8bf7\u6062\u590d root \u5bc6\u7801\uff08passwd -d root\uff09\u3002

\u5982\u679c\u4f60\u9700\u8981\u7ecf\u5e38\u767b\u5f55 Web \u754c\u9762\u64cd\u4f5c\uff0c\u6700\u597d\u521b\u5efa\u4e00\u4e2a Realm pve/pbs \u800c\u4e0d\u662f\u4f9d\u8d56\u4e8e\u4f7f\u7528 root \u5bc6\u7801\u3002

\u7279\u522b\u5730\uff0c\u7531\u4e8e PBS \u548c PVE \u540c\u65f6\u5b89\u88c5\u5728 esxi-5 \u4e0a\uff0c\u56e0\u6b64\u5b83\u4eec\u53ef\u4ee5\u5171\u4eab esxi-5 \u4e0a\u7684 Linux \u7528\u6237\uff08\u5373 Linux PAM standard authentication\uff09\u3002

"},{"location":"infrastructure/proxmox/pbs/#pbs-add-datastore","title":"\u8bbe\u7f6e Datastore","text":"

PBS \u4e0a\u7684\u865a\u62df\u673a\u5907\u4efd\u5355\u5143\u662f\u5c0f\u5757\u7684 chunk\uff0c\u4e5f\u4f9d\u8d56\u8fd9\u4e2a\u8bbe\u8ba1\u5b9e\u73b0\u589e\u91cf\u5907\u4efd\uff0c\u6240\u4ee5\u865a\u62df\u673a\u5907\u4efd\uff08Datastore\uff09\u7684\u540e\u7aef\u90fd\u662f\u76ee\u5f55\u3002\u6dfb\u52a0 Datastore \u53ea\u9700\u8981\u6307\u5b9a\u4e00\u4e2a\u76ee\u5f55\uff0c\u53d6\u4e00\u4e2a\uff08\u7b80\u77ed\u7684\uff09\u540d\u5b57\u5c31\u53ef\u4ee5\u4e86\u3002\u5efa\u8bae\u4e0d\u8981\u4f7f\u7528\u6587\u4ef6\u7cfb\u7edf\u7684\u6839\u76ee\u5f55\u4f5c\u4e3a Datastore\uff0c\u53ef\u4ee5\u521b\u5efa\u4e00\u4e2a pbs \u6587\u4ef6\u5939\u7528\u4f5c Datastore\uff0c\u53c2\u8003\u4e0b\u9762\u6240\u8ff0\u7684 esxi-5 \u4e0a\u7684\u914d\u7f6e\u3002

\u76ee\u524d\u5728 esxi-5 \u4e0a\u914d\u7f6e\u4e86\u4ee5\u4e0b datastore\uff1a

"},{"location":"infrastructure/proxmox/pve/","title":"Proxmox Virtual Environment (PVE)","text":"

LUG \u76ee\u524d\u670d\u5f79\u7684 Proxmox VE \u4e3b\u673a\u6709\uff1a

\u8fd9\u4e9b PVE \u4e3b\u673a\u914d\u7f6e\u4e3a\u4e00\u4e2a\u96c6\u7fa4\uff0c\u53ef\u4ee5\u5171\u4eab\u4e00\u4e9b\u914d\u7f6e\u4fe1\u606f\u5e76\u4e92\u76f8\u8fc1\u79fb\u865a\u62df\u673a\u3002\u7279\u522b\u5730\uff0cProxmox VE Authentication Server\uff08Realm \u4e3a pve\uff09\u7684\u8d26\u53f7\u5728 PVE \u4e3b\u673a\u4e4b\u95f4\u662f\u5171\u4eab\u7684\uff0c\u5e76\u4e14\u6dfb\u52a0\u7684 PBS \u5b58\u50a8\u540e\u7aef\u4e5f\u662f\u5171\u4eab\u7684\uff0c\u5373\u5927\u5bb6\u90fd\u53ef\u4ee5\u5f80\u76f8\u540c\u7684 PBS \u4e0a\u5907\u4efd\u865a\u62df\u673a\u3002

\u53e6\u6709\u6682\u672a\u52a0\u5165 PVE \u96c6\u7fa4\u7684\u673a\u5668\u5982\u4e0b\uff1a

\u4e0d\u540c\u4e3b\u673a\u4e4b\u95f4\u7684 Linux PAM \u7528\u6237\u662f\u4e0d\u76f8\u901a\u7684

\u6240\u6709 Proxmox \u4e3b\u673a\u7684\u4e3b\u673a\u540d\uff08hostname\uff09\u90fd\u8bbe\u4e3a <hostname>.vm.ustclug.org\uff0c\u5bf9\u5e94\u7684 IP \u5730\u5740\u8bb0\u5f55\u5728 DNS \u4e2d\u3002

"},{"location":"infrastructure/proxmox/pve/#common","title":"\u516c\u7528\u914d\u7f6e","text":""},{"location":"infrastructure/proxmox/pve/#root","title":"root \u8d26\u6237","text":"

\u5df2\u5e9f\u5f03\u7684\u5185\u5bb9

\u4e3a\u4e86\u4fbf\u4e8e\u901a\u8fc7 IPMI \u7b49\u65b9\u5f0f\u7ef4\u62a4\uff0c\u6211\u4eec\u7ea6\u5b9a\u6240\u6709 Proxmox \u4e3b\u673a\u7684 root \u8d26\u6237\u5bc6\u7801\u4fdd\u6301\u4e3a\u7a7a\u3002\u82e5\u6709\u64cd\u4f5c\u9700\u8981\u4f7f\u7528 root \u5bc6\u7801\uff08\u5982\u521b\u5efa\u548c\u52a0\u5165\u96c6\u7fa4\u65f6\uff09\uff0c\u8bf7\u901a\u8fc7 SSH \u6216 IPMI \u767b\u5f55\uff0c\u4e34\u65f6\u8bbe\u7f6e\u4e00\u4e2a root \u5bc6\u7801\uff0c\u5e76\u5728\u4fee\u6539\u5b8c PVE / PBS \u7684\u914d\u7f6e\u540e\u5c06\u5bc6\u7801\u5220\u9664\uff08passwd -d\uff09\u3002PVE / PBS \u6ca1\u6709\u4f9d\u8d56\u4e8e\u56fa\u5b9a\u4e0d\u53d8\u7684 root \u5bc6\u7801\u624d\u80fd\u6b63\u5e38\u8fd0\u884c\u7684\u7ec4\u4ef6\uff0c\u56e0\u6b64\u8fd9\u6837\u505a\u5bf9 PVE / PBS \u6765\u8bf4\u662f\u6ca1\u95ee\u9898\u7684\u3002

"},{"location":"infrastructure/proxmox/pve/#networking","title":"\u7f51\u7edc\u914d\u7f6e","text":"

\u5b89\u5168\u8d77\u89c1\uff0cPVE / PBS \u4e3b\u673a\u4f7f\u7528 RFC 1918 \u6bb5\u7684\u6821\u56ed\u7f51 IP\uff0c\u4e0d\u8fde\u63a5\u516c\u7f51\u3002

Debian \u548c Proxmox \u7684\u8f6f\u4ef6\u66f4\u65b0\u4f7f\u7528 mirrors.ustc.edu.cn \u5373\u53ef\uff0c\u82e5\u6709\u9700\u8981\u8bbf\u95ee\u6821\u5916\uff08\u5982 GitHub \u7b49\uff09\uff0c\u8bf7\u5199 hosts \u5e76\u914d\u7f6e\u8def\u7531\uff0c\u4ee5 GitHub \u4e3a\u4f8b\uff1a

echo \"20.205.243.166 github.com\" >> /etc/hosts\nip route replace 20.205.243.166 via (?) dev (?)\n

\u5176\u4e2d via \u9009\u62e9 gateway-el \u6216 gateway-nic \u7684\u5185\u7f51\u5730\u5740\uff0cdev \u9009\u62e9\u6865\u63a5\u5185\u7f51\u7684 vmbr\uff08\u89c1\u4e0b\uff09\u3002

"},{"location":"infrastructure/proxmox/pve/#vmbr","title":"\u865a\u62df\u673a\u7f51\u6865","text":"

Proxmox VE \u8981\u6c42\u4e3a\u865a\u62df\u673a\u63a5\u5165\u7684\u7f51\u6865\u5fc5\u987b\u547d\u540d\u4e3a vmbrN\uff0c\u5176\u4e2d N \u662f 0-4094 \u4e4b\u95f4\u7684\u6574\u6570\u3002\u65b9\u4fbf\u8d77\u89c1\uff0c\u6211\u4eec\u5728\u4e24\u4e2a\u673a\u623f\u5206\u522b\u7edf\u4e00 vmbr \u7684\u7f16\u53f7\uff1a

\u7f16\u53f7 \u4e1c\u56fe \u7f51\u7edc\u4e2d\u5fc3 vmbr0 \u6821\u56ed\u7f51\uff08\u6559\u80b2\u7f51\uff09 \u6821\u56ed\u7f51\uff08\u6559\u80b2\u7f51\uff09 vmbr1 \u5185\u7f51 \u5185\u7f51 vmbr2 \u7535\u4fe1+\u79fb\u52a8 \u7535\u4fe1 vmbr3 - \u8054\u901a vmbr4 - \u79fb\u52a8 vmbr5 - \u7279\u6b8a\u7528\u9014 vmbr10 \u5907\u7528 -"},{"location":"infrastructure/proxmox/pve/#pve-firewall","title":"\u9632\u706b\u5899","text":"

\u6211\u4eec\u4e0d\u4f7f\u7528 Proxmox \u81ea\u5e26\u7684\u9632\u706b\u5899\u529f\u80fd\uff0c\u4f46 pve-firewall \u4ecd\u7136\u4f1a\u5c1d\u8bd5\u90e8\u7f72\u6216\u6062\u590d\u9632\u706b\u5899\u8bbe\u7f6e\uff0c\u56e0\u6b64\u9700\u8981\u7981\u7528\u76f8\u5173\u8bbe\u7f6e\u53ca\u670d\u52a1\uff1a

/etc/pve/nodes/$(hostname -s)/host.fw
[OPTIONS]\nenable: 0\n
systemctl stop pve-firewall.service\nsystemctl disable pve-firewall.service\nsystemctl mask pve-firewall.service\n

\u53ef\u9009\u5185\u5bb9\uff1a\u540c\u65f6\u5b89\u88c5 iptables-persistent \u8f6f\u4ef6\u5305\uff0c\u5e76\u5229\u7528 iptables \u5c06 443 \u7aef\u53e3\u8f6c\u53d1\u5230 8006 \u7aef\u53e3\u65b9\u4fbf\u4f7f\u7528\u3002

update-alternatives --set iptables /usr/sbin/iptables-nft\nupdate-alternatives --set ip6tables /usr/sbin/ip6tables-nft\n
/etc/iptables/rules.v4
*nat\nPREROUTING ACCEPT [0:0]\nINPUT ACCEPT [0:0]\nOUTPUT ACCEPT [0:0]\nPOSTROUTING ACCEPT [0:0]\n-A PREROUTING -p tcp --dport 443 -m addrtype --dst-type LOCAL -j REDIRECT --to-ports 8006\nCOMMIT\n

\u5220\u6389 rules.v6 \u6587\u4ef6\uff0c\u7136\u540e\u8fd0\u884c systemctl restart netfilter-persistent.service \u8f7d\u5165 iptables \u89c4\u5219\u3002

"},{"location":"infrastructure/proxmox/pve/#ntp","title":"NTP \u65f6\u95f4","text":"

Proxmox \u9ed8\u8ba4\u4f7f\u7528 chrony \u8f6f\u4ef6\u548c Debian \u63d0\u4f9b\u7684 NTP pool\uff0c\u8fd9\u4e9b\u670d\u52a1\u5668\u90fd\u5728\u6821\u5916\uff0c\u4f7f\u7528\u6821\u56ed\u7f51 IP \u65e0\u6cd5\u8fde\u901a\uff0c\u9700\u8981\u6539\u6210\u6821\u56ed\u7f51\u7684 NTP \u670d\u52a1\u5668\uff1a

/etc/chrony/chrony.conf
# Use Debian vendor zone.\n#pool 2.debian.pool.ntp.org iburst\nserver time.ustc.edu.cn iburst\n

\u7136\u540e\u8fd0\u884c systemctl restart chrony.service \u91cd\u542f\u670d\u52a1\u3002

"},{"location":"infrastructure/proxmox/pve/#ssl","title":"SSL \u8bc1\u4e66","text":"

\u53c2\u89c1 SSL \u8bc1\u4e66\uff0c\u6b63\u597d vdp \u4e0a\u9762\u8fd0\u884c\u4e86 LUG FTP \u800c\u56e0\u6b64\u914d\u7f6e\u4e86\u8bc1\u4e66\u7684\u81ea\u52a8\u66f4\u65b0\uff0c\u5229\u7528 vdp \u63d0\u4f9b\u7684 NFS \u670d\u52a1\uff0c\u6211\u4eec\u5728 vdp \u4e0a\u7684\u8bc1\u4e66\u66f4\u65b0\u811a\u672c\u4e2d\u6dfb\u52a0\u4e86\u5c06 vm \u8bc1\u4e66\u590d\u5236\u5230 NFS \u76ee\u5f55\u7684\u529f\u80fd\uff0c\u7136\u540e\u7531 pve-6 \u90e8\u7f72\u5230\u5404\u4e2a\u4e3b\u673a\u4e0a\u3002

\u4e0b\u9762\u662f pve-6 \u4e0a\u7684\u811a\u672c\uff1a

/etc/cron.daily/sync-cert
#!/bin/bash -e\n\nSRC=\"/etc/pve/nodes/$(hostname -s)\"\nDSTROOT=\"/etc/pve/nodes\"\nCERTSRC=\"/mnt/nfs-el/cert\"\n\ncp -u \"$CERTSRC/privkey.pem\" \"$SRC/pveproxy-ssl.key\"\ncp -u \"$CERTSRC/fullchain.pem\" \"$SRC/pveproxy-ssl.pem\"\nsystemctl reload pveproxy.service\n\nfor DST in \"$DSTROOT\"/*; do\n  [ \"$DST\" = \"$SRC\" ] && continue\n  node=\"$(basename \"$DST\")\"\n  cp \"$SRC/pveproxy-ssl.key\" \"$SRC/pveproxy-ssl.pem\" \"$DST/\"\n  ssh \"$node\" 'systemctl reload pveproxy.service' &\ndone\nwait\n

\u7531\u4e8e PVE \u548c PBS \u7684\u6570\u636e\u4e0d\u4e92\u901a\uff0c\u56e0\u6b64 esxi-5 \u4e0a\u7684\u76f8\u540c\u4f4d\u7f6e\u6709\u53e6\u4e00\u4e2a\u811a\u672c\u4e3a PBS \u90e8\u7f72\u8bc1\u4e66\uff1a

/etc/cron.daily/sync-cert
#!/bin/bash\n\nSRC=\"/etc/pve/nodes/$(hostname -s)\"\nDST=\"/etc/proxmox-backup\"\n\nif ! cmp -s \"$SRC/pveproxy-ssl.pem\" \"$DST/proxy.pem\"; then\n  cp \"$SRC/pveproxy-ssl.key\" \"$DST/proxy.key\"\n  cp \"$SRC/pveproxy-ssl.pem\" \"$DST/proxy.pem\"\n  systemctl reload proxmox-backup-proxy.service\nfi\nexit 0\n\n# Unreachable code, leaving here for reference\nif command -v openssl 2>/dev/null; then\n  FP=\"$(openssl x509 -noout -fingerprint -sha256 -inform pem -in \"$DST/proxy.pem\")\"\n  FP=\"${FP##*=}\"\n  pvesm set esxi-5-data --finerprint \"$FP\"\n  pvesm set esxi-5-vdp2 --finerprint \"$FP\"\nfi\n
"},{"location":"infrastructure/proxmox/pve/#virtiofs","title":"VirtIO FS","text":"

\u5bf9\u4e8e mirrorlog \u7b49\u91cd\u5b58\u50a8\u578b\u7684\u865a\u62df\u673a\uff0c\u6211\u4eec\u5c1d\u8bd5\u628a\u5927\u91cf\u7684\u6570\u636e\u6587\u4ef6\u653e\u5728 host \u4e0a\uff0c\u907f\u514d ZFS\uff08Zvol\uff09\u548c ext4 \u7684\u4e24\u5c42\u5f00\u9500\uff08\u4ee5\u53ca\u5728 ZFS \u4e0a\u4e5f\u53ef\u4ee5\u4f7f\u7528\u66f4\u5927\u7684 recordsize \u83b7\u5f97\u66f4\u597d\u7684 I/O \u4f53\u9a8c\u548c\u66f4\u4f4e\u7684 RAID-Z overhead\uff09\uff0c\u7136\u540e\u4f7f\u7528 virtiofs \u4f9b\u865a\u62df\u673a\u8bbf\u95ee\u3002

Virtiofs \u7684\u914d\u7f6e\u8fc7\u7a0b\u4e3b\u8981\u53c2\u8003\u4e86 https://forum.proxmox.com/threads/virtiofsd-in-pve-8-0-x.130531/\uff1a

\u9996\u5148\u914d\u7f6e\u865a\u62df\u673a\uff1a

/etc/pve/qemu-server/230.conf
args: -chardev socket,id=virtfs0,path=/run/virtiofsd-230.sock -device vhost-user-fs-pci,queue-size=1024,chardev=virtfs0,tag=mirrorlog -object memory-backend-file,id=mem,size=8192M,mem-path=/dev/shm,share=on -numa node,memdev=mem\n

\u5176\u4e2d path= \u6307\u5411 virtiofsd \u7684 socket \u6587\u4ef6\uff0ctag= \u53ef\u4ee5\u4efb\u610f\u6307\u5b9a\uff0c\u7528\u4e8e\u533a\u5206\u591a\u4e2a virtiofsd \u5b9e\u4f8b\uff08\u5bf9\u5e94\u865a\u62df\u673a\u5185\u7684 mount source\uff09\uff0csize= \u662f\u5171\u4eab\u5185\u5b58\u5927\u5c0f\u3002

\u7136\u540e\u5b89\u88c5 virtiofsd\uff0c\u76f4\u63a5 apt install virtiofsd \u5373\u53ef\uff08PVE \u6253\u5305\u4e86 Rust \u91cd\u5199\u7684\u65b0\u7248 virtiofsd\uff09\u3002

\u63a5\u4e0b\u6765\u9700\u8981\u914d\u7f6e virtiofsd \u5728\u865a\u62df\u673a\u5f00\u673a\u524d\u542f\u52a8\u3002\u6ce8\u610f\u4e00\u4e2a virtiofsd \u53ea\u80fd\u4f9b\u4e00\u4e2a\u865a\u62df\u673a\u8bbf\u95ee\u4e00\u4e2a\u4e3b\u673a\u4e0a\u7684\u76ee\u5f55\uff0c\u56e0\u6b64\u9700\u8981\u4f7f\u7528 PVE \u7684 hook script \u6765\u542f\u52a8 virtiofsd\u3002\u8fd9\u4e2a hook script \u653e\u5728 /var/lib/vz \u76ee\u5f55\u4e0b\uff0c\u63a5\u6536\u4e24\u4e2a\u547d\u4ee4\u884c\u53c2\u6570\uff08VMID \u548c\u542f\u52a8\u9636\u6bb5\uff09\uff1a

/var/lib/vz/snippets/mirrorlog.sh
#!/bin/sh\n\nif [ $# -ne 2 ]; then\n  echo \"Need exactly 2 arguments\" >&2\n  exit 1\nfi\n\nVMID=\"$1\"\nPHASE=\"$2\"\n\n[ \"$VMID\" -eq 230 ] || exit 0\n\nNAME=virtiofsd-230\nSOCKPATH=\"/run/$NAME.sock\"\n\ncase \"$PHASE\" in\n  pre-start)\n    systemctl stop \"$NAME\".service\n    rm -f \"$SOCKPATH\" \"$SOCKPATH\".pid\n\n    systemd-run \\\n      --collect \\\n      --unit=\"$NAME\" \\\n      /usr/libexec/virtiofsd \\\n      --syslog \\\n      --socket-path \"$SOCKPATH\" \\\n      --shared-dir /mnt/mirrorlog \\\n      --announce-submounts \\\n      --inode-file-handles=mandatory\n      ;;\n  pre-stop) ;;\n  post-start) ;;\n  post-stop) ;;\n  *) echo \"Unknown phase $PHASE\" >&2; exit 1;;\nesac\n

\u76f8\u6bd4\u4e8e Proxmox \u8bba\u575b\u91cc\u7684\u6559\u7a0b\u8d34\uff0c\u8fd9\u91cc\u6700\u91cd\u8981\u7684\u4fee\u6539\u662f\u7ed9 systemd-run \u52a0\u4e0a\u4e86 --collect \u53c2\u6570\uff0c\u8fd9\u6837 virtiofsd \u9000\u51fa\u65f6\u65e0\u8bba\u662f\u5426 failed\uff0csystemd \u90fd\u4f1a\u6e05\u7406\u6389\u8fd9\u4e2a\u4e34\u65f6\u7684 service unit\u3002

\u7136\u540e\u901a\u8fc7\u547d\u4ee4\u884c\u914d\u7f6e\u4f7f\u7528\uff1a

qm set 230 --hookscript local:snippets/mirrorlog.sh\n

\u7136\u540e\u5c06\u865a\u62df\u673a\u5173\u673a\uff0c\u901a\u8fc7 qm start \u6216\u8005 web \u754c\u9762\u542f\u52a8\uff0c\u5373\u53ef\u5728\u865a\u62df\u673a\u5185\u6302\u8f7d virtiofsd \u63d0\u4f9b\u7684\u76ee\u5f55\u3002

# Manual\nmount -t virtiofs mirrorlog /mnt/mirrorlog\n\n# via /etc/fstab\nmirrorlog /mnt/mirrorlog virtiofs defaults 0 0\n
"},{"location":"infrastructure/proxmox/pve/#pve-5","title":"pve-5","text":"

pve-5 \u4f4d\u4e8e\u7f51\u7edc\u4e2d\u5fc3\uff0c\u914d\u7f6e\u4e3a 2\u00d7 Xeon E5-2603 v4 (Broadwell 6C6T, 1.70 GHz, no HT, no Turbo Boost) Xeon E5-2667 v4 (Broadwell 8C16T, 3.20 GHz, Max 3.60 GHz)\uff0c256 GB \u5185\u5b58\u548c\u4e00\u5927\u5806 SSD\uff082\u00d7 \u4e09\u661f 240 GB SATA + 10x Intel DC S4500 1.92 TB SATA\uff09\u3002\u6211\u4eec\u5c06\u4e24\u5757 240 GB \u7684\u76d8\u7ec4\u6210\u4e00\u4e2a LVM VG\uff0c\u5206\u914d 16 GB \u7684 rootfs\uff08LVM mirror\uff09\u548c 8 GB \u7684 swap\uff0c\u5176\u4f59\u7a7a\u95f4\u7ed9\u4e00\u4e2a thinpool\u3002\u5341\u5757 1.92 TB \u7684\u76d8\u7ec4\u6210\u4e00\u4e2a RAIDZ2 \u7684 zpool\uff0c\u7528\u4e8e\u5b58\u50a8\u865a\u62df\u673a\u7b49\u6570\u636e\u3002

\u5176\u8fde\u63a5\u7684\u5355\u6839 10 Gbps \u7684\u5149\u7ea4\uff0c\u6865\u63a5\u51fa vmbr0 \u81f3 vmbr4 \u7b49\u7f51\u6865\uff08\u7ebf\u8def\u5b9a\u4e49\u89c1\u4e0a\uff09\u3002\u5176\u4e2d\u65e0\u5934\u7f51\u6865\u7528\u4e8e\u4ece gateway-nic \u6865\u63a5 Tinc\u3002

\u786c\u76d8\u63a7\u5236\u5668\u4e0d\u8981\u4f7f\u7528 VirtIO SCSI Single \u6216 LSI \u5f00\u5934\u7684\u9009\u9879

\u53ef\u80fd\u7531\u4e8e ZFS \u6a21\u5757\u7684 bug \u6216\u8005\u5185\u5b58\u6761\u6545\u969c\uff0c\u4f7f\u7528\u8fd9\u4e9b\u6a21\u5f0f\u5728\u865a\u62df\u673a\u91cd\u542f\u65f6\u4f1a\u5bfc\u81f4\u6574\u4e2a Proxmox VE \u4e3b\u673a\u5361\u4f4f\u800c\u4e0d\u5f97\u4e0d\u91cd\u542f\u3002\u8bf7\u4f7f\u7528 VirtIO SCSI\uff08\u4e0d\u5e26 Single\uff09\u3002\u540c\u6837\u539f\u56e0\u521b\u5efa\u865a\u62df\u673a\u786c\u76d8\u65f6\u4e5f\u4e0d\u8981\u52fe\u9009 iothread\u3002

\u4e3b\u673a\u4f7f\u7528 ZFS\uff08Zvol\uff09\u4f5c\u4e3a\u865a\u62df\u673a\u7684\u865a\u62df\u786c\u76d8\uff0c\u5728\u865a\u62df\u673a\u4e2d\u542f\u7528 fstrim.timer\uff08systemd \u7684 fstrim \u5b9a\u65f6\u4efb\u52a1\uff0c\u7531 util-linux \u63d0\u4f9b\uff09\u53ef\u4ee5\u5b9a\u671f\u817e\u51fa\u4e0d\u7528\u7684\u7a7a\u95f4\uff0c\u5e2e\u52a9 ZFS \u66f4\u597d\u5730\u89c4\u5212\u7a7a\u95f4\u3002\u542f\u7528 fstrim \u7684\u865a\u62df\u786c\u76d8\u9700\u8981\u5728 PVE \u4e0a\u542f\u7528 discard \u9009\u9879\uff0c\u5426\u5219 fstrim \u4e0d\u8d77\u4f5c\u7528\u3002\u8be5\u7279\u6027\u662f\u7531\u4e8e ZFS \u662f CoW \u7684\uff0c\u4e0e ZFS \u5e95\u5c42\u4f7f\u7528 SSD \u6ca1\u6709\u5173\u8054\u3002

"},{"location":"infrastructure/proxmox/pve/#esxi-5","title":"esxi-5","text":"

esxi-5 \u4e5f\u4f4d\u4e8e\u7f51\u7edc\u4e2d\u5fc3\uff0c\u914d\u7f6e\u4e3a 2\u00d7 Xeon E5620\uff08Westmere-EP 4C8T, 2.40~2.66 GHz\uff09\uff0c48 GB \u5185\u5b58\uff0c\u4e24\u5757 240 GB SATA SSD \u548c\u4e00\u4e9b\u4e0d\u77e5\u9053\u574f\u4e86\u591a\u5c11\u7684 1 TB \u548c 2 TB HDD\uff08\u89c1\u4e0b\uff09\u3002\u7531\u4e8e\u673a\u8eab\u81ea\u5e26\u7684 RAID \u5361\u4e0d\u652f\u6301\u786c\u76d8\u76f4\u901a\uff08JBOD \u6a21\u5f0f\uff09\uff0c\u56e0\u6b64\u6211\u4eec\u5c06\u4e24\u5757 SSD \u5206\u522b\u505a\u6210\u5355\u76d8\u201c\u9635\u5217\u201d\u7136\u540e\u5728\u7cfb\u7edf\u91cc\u4f7f\u7528 LVM\uff08LVM \u89c4\u683c\u4e0e pve-5 \u76f8\u540c\uff09

\u987e\u540d\u601d\u4e49\u672c\u673a\u5668\u66fe\u7ecf\u8fd0\u884c\u7684\u662f VMware ESXi\uff0c\u5728 2022 \u5e74 1 \u6708\u91cd\u88c5\u4e3a Proxmox VE 7.1\uff0c\u56e0\u4e3a\u54b1\u4eec\u90fd\u662f\u7ea0\u7ed3\u602a\u6240\u4ee5\u51b3\u5b9a\u4e0d\u6539\u540d\uff0c\u8fd8\u53eb esxi-5\u3002\u8003\u8651\u5230\u8be5\u673a\u5668\u914d\u7f6e\u4e86\u591a\u4e2a\u786c\u76d8\u9635\u5217\uff0c\u4e14\u9635\u5217\u7684\u53ef\u7528\u5bb9\u91cf\u6bd4 pve-5 \u7684\u786c\u76d8\u7684\u539f\u59cb\u5bb9\u91cf\u8fd8\u5927\uff0c\u6211\u4eec\u5728\u4e0a\u9762\u52a0\u88c5 Proxmox Backup Server \u8f6f\u4ef6\uff0c\u4e3b\u8981\u7528\u4f5c\u865a\u62df\u673a\u5907\u4efd\uff0c\u66ff\u4ee3\u539f\u5148\u8fd0\u884c\u5728 ESXi \u4e0a\u7684 vSphereDataProtection \u865a\u62df\u673a\u3002

"},{"location":"infrastructure/proxmox/pve/#_1","title":"\u7f51\u7edc","text":"

\u7f51\u7edc\u914d\u7f6e\u4e0e pve-5 \u76f8\u4f3c\uff0c\u5176\u4e0a\u6709\u4e24\u4e2a\u5343\u5146\u7f51\u5361 enp3s0 \u548c enp4s0\u3002enp3s0 \u8fde\u63a5\u7f51\u7edc\u4e2d\u5fc3\u7684\u4ea4\u6362\u673a\uff0c\u6865\u63a5\u4e0d\u540c\u7684 VLAN \u7f51\u7edc\u7ed9\u865a\u62df\u673a\uff0c\u5e76\u4e14\u5404 vmbrX \u7684\u6570\u5b57\u548c\u7aef\u53e3\u4e0e pve-5 \u4e00\u81f4\uff1b\u800c enp4s0 \u8fde\u63a5\u4e00\u4e2a\u5916\u90e8\u9635\u5217\uff08vdp2\uff09\uff0c\u4f7f\u7528 iSCSI \u8bbf\u95ee\u8be5\u9635\u5217\u3002

\u7531\u4e8e\u6211\u4eec\u53ea\u6709\u4e00\u4e2a gateway-nic\uff0c\u800c pve-5 \u548c esxi-5 \u4e24\u4e2a\u4e3b\u673a\u90fd\u4f9d\u8d56 gw-nic \u6865\u63a5\u7684 tinc \u6765\u63a5\u5165\u5185\u7f51\uff0c\u56e0\u6b64\u6211\u4eec\u5728 pve-5 \u548c esxi-5 \u4e4b\u95f4\u62c9\u4e86\u4e00\u6761 GRETAP \u96a7\u9053\uff0c\u5e76\u5728\u4e24\u4e2a\u4e3b\u673a\u4e0a\u5206\u522b\u5c06 VTEP \u6865\u63a5\u5230 vmbr1\u3002

\u53c2\u8003\u914d\u7f6e\uff1a

pve-5:/etc/network/interfaces
auto gretap0esxi-5\niface gretap0esxi-5 inet manual\n    pre-up ip link add name $IFACE mtu $IF_MTU type gretap local 10.38.95.115 remote 10.38.95.111\n    post-down ip link delete $IFACE\n    mtu 1500\n\nauto vmbr1\niface vmbr1 inet static\n    address 10.254.0.240/21\n    bridge-ports gretap0esxi-5\n    bridge-stp off\n    bridge-fd 0\n

esxi-5 \u8fd9\u7aef\u7684\u914d\u7f6e\u5219\u5c06\u5bf9\u5e94\u7684 iface \u540d\u79f0\u548c IP \u5730\u5740\u7b49\u5168\u90e8\u5bf9\u6362\u5373\u53ef\u3002

MTU \u95ee\u9898

2022 \u5e74 2 \u6708\u5904\u7406\u5185\u7f51 tinc ARP \u95ee\u9898\u65f6\u53d1\u73b0 esxi-5 \u548c pve-5 \u7684 vmbr1 MTU \u90fd\u88ab\u8bbe\u7f6e\u6210\u4e86 1462\uff08GRETAP \u7684\u9ed8\u8ba4 MTU\uff09\u3002\u6211\u4eec\u4e0d\u786e\u5b9a MTU \u95ee\u9898\u4e0e tinc \u662f\u5426\u76f8\u5173\uff0c\u4f46\u4fdd\u9669\u8d77\u89c1\u6211\u4eec\u8fd8\u662f\u5c06\u8be5 GRETAP \u754c\u9762\u7684 MTU \u8bbe\u7f6e\u6210\u4e86 1500\uff08GRE \u5177\u6709\u5206\u7247\u529f\u80fd\uff09\u3002

-pre-up ip link add name $IFACE type gretap local 10.38.95.115 remote 10.38.95.111\n+pre-up ip link add name $IFACE mtu $IF_MTU type gretap local 10.38.95.115 remote 10.38.95.111\n post-down ip link delete $IFACE\n+mtu 1500\n
"},{"location":"infrastructure/proxmox/pve/#iscsi","title":"iSCSI","text":"

\u8bbe\u7f6e iSCSI \u5f00\u673a\u81ea\u52a8\u767b\u5f55\uff1a

iscsiadm -m node -T iqn.2002-10.com.infortrend:raid.sn8223150.001 -p 192.168.10.1:3260 -o update -n node.startup -v automatic\niscsiadm -m node -T iqn.2002-10.com.infortrend:raid.sn8223150.001 -p 192.168.10.1:3260 -o update -n node.conn[0].startup -v automatic\n

\u53c2\u8003\u94fe\u63a5\uff1ahttps://library.netapp.com/ecmdocs/ECMP1654943/html/GUID-8EC685B4-8CB6-40D8-A8D5-031A3899BCDC.html

\u8fc7\u65f6\u4fe1\u606f

\u7531\u4e8e\u6211\u4eec\u6ca1\u6709\u7814\u7a76\u6e05\u695a open-iscsi \u7684\u5f00\u673a\u81ea\u52a8\u6302\u8f7d\u673a\u5236\uff0c\u56e0\u6b64\u6211\u4eec\u9009\u62e9\u76f4\u63a5 override \u5bf9\u5e94\u7684 service \u6765\u5b8c\u6210\u8fd9\u4e2a\u4efb\u52a1\uff1a

$ systemctl edit open-iscsi.service
[Service]\nExecStart=\nExecStart=/sbin/iscsiadm -d8 -m node -T iqn.2002-10.com.infortrend:raid.sn8223150.001 -p 192.168.10.1:3260 --login\nExecStart=/lib/open-iscsi/activate-storage.sh\n

\u82e5 iSCSI \u8fde\u63a5\u6210\u529f\uff0c\u5e94\u8be5\u53ef\u4ee5\u5728\u7cfb\u7edf\u4e2d\u770b\u5230\u4e00\u4e2a\u65b0\u7684\u786c\u76d8\uff0c\u5bb9\u91cf\u4e3a 14.55 TiB\uff0c\u578b\u53f7\u663e\u793a\u4e3a RS-3116I-S42-6\u3002

"},{"location":"infrastructure/proxmox/pve/#rootfs-backup","title":"rootfs \u5907\u4efd","text":"

\u5c3d\u7ba1 esxi-5 \u7684 rootfs \u4e5f\u4f7f\u7528\u4e86 LVM mirror \u5728\u4e24\u5757 SSD \u4e0a\u955c\u50cf\uff0c\u4f46\u662f\u6211\u4eec\u4e0d\u592a\u4fe1\u4efb\u8fd9\u5757 RAID \u5361\uff0c\u56e0\u6b64\u6211\u4eec\u5c06 esxi-5 \u7684 rootfs \u6bcf\u5929\u5907\u4efd\u5230 vdp2 \u4e0a\u3002\u4e3a\u4e86\u907f\u514d\u5728 vdp2 \u6389\u7ebf\u7684\u65f6\u5019\u4e71\u201c\u5907\u4efd\u201d\uff0c\u6211\u4eec\u4f7f\u7528\u4e00\u4e2a systemd \u670d\u52a1\uff0c\u8bbe\u7f6e\u4e86 RequiresMountsFor \u4f9d\u8d56\uff1a

/etc/systemd/system/rootfs-backup.service
[Unit]\nDescription=Backup rootfs to vdp2\nRequiresMountsFor=/mnt/vdp2\n\n[Service]\nType=oneshot\nExecStart=/usr/bin/rsync -aHAXx --delete / /mnt/vdp2/rootfs/\n
crontab
21 4 * * * systemctl start rootfs-backup.service\n
"},{"location":"infrastructure/proxmox/pve/#esxi-5-others","title":"\u5176\u4ed6\u8bb0\u5f55","text":"

esxi-5 \u4e8e 2021/8 \u53d1\u73b0\u81ea\u5e26\u9635\u5217\u6709\u4e24\u5757\u574f\u76d8\uff0c\u5728\u66f4\u6362\u540e\u53d1\u73b0 storage \"root\"\uff08\u5b58\u653e vcenter \u865a\u62df\u673a\uff0c\u7ec4\u5efa RAID 1 \u540e\u5927\u5c0f 1.8 TB\uff09\u65e0\u6cd5\u6b63\u5e38 rebuild\uff0c\u5e76\u4e14 vcenter \u865a\u62df\u673a\u7684 vmdk \u6587\u4ef6\u6709 4 \u4e2a\u51fa\u73b0 I/O error\u3002\u6b64\u540e vcenter \u865a\u62df\u673a\u5df2\u7ecf\u8fc1\u79fb\u5230 storage \"data\" (RAID10, 7.2 TB) \u5e76\u6b63\u5e38\u5de5\u4f5c\u3002

"},{"location":"infrastructure/proxmox/pve/#records","title":"\u5de5\u4f5c\u8bb0\u5f55","text":""},{"location":"infrastructure/proxmox/pve/#migrate-docker2","title":"2021-12-31 \u8fc1\u79fb docker2","text":"

docker2 \u539f\u5148\u4f7f\u7528 QEMU \u76f4\u63a5\u8fd0\u884c\u5728 mirrors2 \u4e0a\uff0c\u4e0b\u5c42\u5b58\u50a8\u4e3a ZFS Zvol\uff08pool0/qemu/docker2\uff09\uff0c\u7531\u4e8e ZFS \u8c03\u53c2\u4e0d\u5f53\u4f7f\u5176\u5360\u7528\u4e86 3 \u500d\u7684\u786c\u76d8\u7a7a\u95f4\uff08\u89c1\u8fd9\u4e2a Reddit \u8d34\u5b50\uff09\uff0c\u52a0\u4e0a mirrors2 \u672c\u8eab\u5bf9\u5916\u63d0\u4f9b Rsync \u670d\u52a1\uff0c\u786c\u76d8\u8d1f\u8f7d\u6781\u9ad8\uff0c\u6240\u4ee5\u957f\u671f\u4ee5\u6765 docker2 \u7684 I/O \u6027\u80fd\u5341\u5206\u4f4e\u4e0b\u3002\u6b63\u597d\u501f\u8fd9\u6b21\u5168\u95ea\u7684\u65b0\u5bbf\u4e3b\u673a\u5c06\u5176\u8fc1\u79fb\u8fc7\u53bb\u3002

\u8fc1\u79fb\u65f6\u9700\u8981\u4fdd\u8bc1\u5b8c\u6574\u6027\u7684\u4e3b\u8981\u5185\u5bb9\u5c31\u662f\u865a\u62df\u673a\u5185\u7684\u4e1a\u52a1\uff0c\u56e0\u6b64\u9700\u8981\u5728\u4e3b\u673a\u95f4\u4f20\u8f93\u7684\u5185\u5bb9\u5c31\u662f\u865a\u62df\u78c1\u76d8\uff0c\u5176\u4ed6\u914d\u7f6e\uff08CPU\u3001\u5185\u5b58\u3001\u7f51\u5361\u7b49\uff09\u90fd\u53ef\u4ee5\u76f4\u63a5\u5728\u65b0\u5e73\u53f0\u4e0a\u521b\u5efa\u65b0\u865a\u62df\u673a\u65f6\u4fee\u6539\u3002\u539f\u672c\u6211\u4eec\u6253\u7b97\u4f7f\u7528 rsync \u6216\u8005 dd \u7684\u65b9\u5f0f\u590d\u5236\u78c1\u76d8\uff0c\u4f46\u662f\u8003\u8651\u5230\u4e24\u8fb9\u90fd\u662f ZFS\uff0c\u4f7f\u7528 zfs send \u662f\u4e00\u4e2a\u66f4\u597d\u7684\u65b9\u6848\u3002

\u6211\u4eec\u5728 pve-5 \u4e0a\u8fd0\u884c nc -l -p 9999 </dev/null | pv | zfs recv rpool/data/docker2\uff0c\u7136\u540e\u5728 mirrors2 \u4e0a\u5bf9 zvol \u5148\u6253\u4e2a\u5feb\u7167\uff0c\u8fd0\u884c zfs send pool0/qemu/docker2@20211230 > /dev/tcp/{pve-5}/9999 \u5c06\u5feb\u7167\u5185\u5bb9\u53d1\u9001\u5230 pve-5 \u4e0a\uff08300 GiB \u7684\u6570\u636e\u82b1\u8d39\u4e86 16 \u5c0f\u65f6\uff09\uff0c\u7136\u540e\u518d\u5c06 docker2 \u5173\u673a\u5e76\u589e\u91cf\u4f20\u8f93\uff0czfs send -i @20211230 pool0/qemu/docker2 > /dev/tcp/{pve-5}/9999\uff08\u589e\u91cf\u4f20\u8f93\u53ea\u53d1\u9001\u4e86 10 GB \u6570\u636e\uff09\u3002\u540c\u65f6\u6211\u4eec\u5728 Proxmox \u7684 web \u754c\u9762\u4e0a\u521b\u5efa\u4e00\u4e2a\u65b0\u865a\u62df\u673a\uff0c\u914d\u597d CPU \u5185\u5b58\u7f51\u5361\u7b49\uff0c\u5206\u914d 300 GiB \u7684\u786c\u76d8\u3002

\u7531\u4e8e zfs send \u662f\u539f\u6837\u53d1\u9001\u7684\uff0c\u56e0\u6b64\u63a5\u6536\u5230\u7684 zvol \u786c\u76d8\u5360\u7528\u91cf\u4ecd\u7136\u6709 712 GB\u3002Proxmox \u65b0\u5efa\u7684 zvol \u53c2\u6570\u5c31\u6bd4\u8f83\u5408\u7406\uff08volblocksize=16k\uff09\uff0c\u6ca1\u6709\u4e25\u91cd\u653e\u5927\u7684\u95ee\u9898\uff0c\u56e0\u6b64\u6211\u4eec\u518d\u5c06\u63a5\u6536\u5230\u7684 zvol \u7ed9 dd \u8fdb\u65b0\u865a\u62df\u673a\u7684 zvol \u800c\u4e0d\u662f\u76f4\u63a5\u4f7f\u7528\u3002dd \u7ed3\u679c\u7ea6 345 GiB\uff08\u5341\u5206\u5408\u7406\uff09\uff0c\u5f00\u673a\u8fdb\u7cfb\u7edf\u8fd0\u884c fstrim \u4e4b\u540e\u5360\u7528\u91cf\u7ea6\u4e3a 240 GiB\uff08\u66f4\u52a0\u5408\u7406\u4e86\uff09\u3002

\u8fc1\u79fb\u8fc7\u7a0b\u6ca1\u6709\u9047\u5230\u4efb\u4f55\u5751\uff0c\u4ec5\u6709\u7684\u6ce8\u610f\u4e8b\u9879\u5c31\u662f zvol \u8c03\u53c2\u9700\u8981\u91cd\u65b0 dd \u800c\u4e0d\u80fd\u76f4\u63a5\u6539\uff0c\u4ee5\u53ca\u521b\u5efa\u7f51\u5361\u7684\u987a\u5e8f\uff08\u4f1a\u5f71\u54cd\u865a\u62df\u673a\u5185\u90e8 eth0 \u548c eth1 \u7684\u987a\u5e8f\uff0c\u9664\u975e\u865a\u62df\u673a\u5185\u90e8\u4f7f\u7528 udev persistent net \u65b9\u5f0f\u6839\u636e MAC \u5730\u5740\u5c06\u7f51\u5361\u6539\u540d\uff09\u3002

"},{"location":"infrastructure/proxmox/pve/#esxi-5-syslog-zfs-error-cannot-open-rpool-no-such-pool","title":"esxi-5 \u7684 syslog \u4e00\u76f4\u51fa\u73b0 zfs error: cannot open 'rpool': no such pool","text":"

\u8fd9\u662f\u56e0\u4e3a esxi-5 \u4e0a\u9762\u6839\u672c\u5c31\u6ca1\u6709\u4f7f\u7528 ZFS\uff0c\u800c\u52a0\u5165 pve-5 \u7684\u96c6\u7fa4\u65f6\u865a\u62df\u673a\u7684\u5b58\u50a8\u4fe1\u606f\uff08/etc/pve/storage.cfg\uff09\u4e5f\u4ece pve-5 \u540c\u6b65\u8fc7\u6765\u5408\u5e76\u4e86\uff0c\u56e0\u6b64 esxi-5 \u5728\u6839\u636e pve-5 \u7684\u914d\u7f6e\u5c1d\u8bd5\u542f\u7528 zfs \u5b58\u50a8\u3002

\u89e3\u51b3\u529e\u6cd5\uff1a\u7531\u4e8e /etc/pve \u4e0b\u5927\u591a\u6570\u5185\u5bb9\u5728\u96c6\u7fa4\u95f4\u662f\u540c\u6b65\u7684\uff0c\u6253\u5f00 storage.cfg\uff0c\u5728 zfspool: local-zfs \u4e0b\u9762\u52a0\u5165\u4e00\u884c\uff0c\u7f29\u8fdb\u4e00\u4e2a Tab \u5e76\u52a0\u4e0a nodes pve-5\uff0c\u8868\u793a\u8fd9\u4e2a storage \u53ea\u5728 pve-5 \u4e0a\u4f7f\u7528\u3002

"},{"location":"infrastructure/proxmox/pve/#pve-6","title":"pve-6","text":"

pve-6 \u4f4d\u4e8e\u4e1c\u56fe\uff0c\u662f\u4e00\u53f0 HP DL380G6\uff0c\u914d\u7f6e\u4e3a 2\u00d7 Xeon E5620 (Westmere 4C8T, 2.50 GHz), 72 GB \u5185\u5b58\u548cl\u4e24\u5757 300 GB \u7684 SAS \u786c\u76d8\u3002\u66fe\u7ecf\u53eb\u505a esxi-6\uff0c\u5728 2022 \u5e74 1 \u6708\u7edf\u4e00\u66f4\u6362\u4e3a Proxmox VE\u3002

\u673a\u5668\u6709\u4e24\u4e2a\u7f51\u5361\uff0c\u5171\u6709 4 \u4e2a 1 Gbps \u7684\u63a5\u53e3\uff0c\u5176\u4e2d 3 \u4e2a\u90fd\u63a5\u5728 VLAN \u4ea4\u6362\u673a\u4e0a\uff08\u53e6\u4e00\u4e2a\u4e0d\u77e5\u9053\u63a5\u4e86\u5565\uff09\uff0c\u901a\u8fc7 VLAN \u540c\u65f6\u8fde\u63a5\u56fe\u4e66\u9986\u7684\u4e24\u4e2a\u7f51\u6bb5\u4ee5\u53ca\u7ecf\u7531 gateway-el \u6865\u63a5\u7684\u5185\u7f51\uff0c\u4ee5\u53ca\u8fde\u63a5 vdp \u6302\u8f7d NFS\u3002

HP Smart Array

HP \u7684\u81ea\u5e26 RAID \u5361\u7ba1\u7406\u8f6f\u4ef6\u53ef\u4ee5\u5728 http://downloads.linux.hpe.com/SDR/repo/mcp/Debian/pool/non-free/ \u4e0b\u8f7d\uff0c\u5b89\u88c5 ssacli \u8f6f\u4ef6\u5305\u3002\u76f8\u5173\u4f7f\u7528\u65b9\u6cd5\u53ef\u4ee5\u53c2\u8003 https://sleeplessbeastie.eu/2017/03/06/how-to-use-hp-command-line-array-configuration-utility/\u3002

"},{"location":"services/","title":"LUG \u670d\u52a1\u603b\u89c8","text":"

\u6ce8\u610f

LUG \u7684\u4e3b\u9875\u4e0a\u8fd8\u6709\u4e00\u4efd\u300a\u7f51\u7edc\u670d\u52a1\u5217\u8868\u300b \uff0c\u5982\u679c\u6709\u670d\u52a1\u72b6\u6001\u6539\u53d8\uff0c\u8bb0\u5f97\u540c\u6b65\u66f4\u65b0\u4e3b\u9875\u4e0a\u7684\u5217\u8868\u3002

"},{"location":"services/#mirrors","title":"Mirrors \u955c\u50cf\u7ad9","text":"

\u670d\u52a1\u5668\uff1a

\u955c\u50cf\u7ad9\u65e5\u5fd7\u4f1a\u5907\u4efd\u81f3 mirrorlog \u865a\u62df\u673a\u4e0a\u3002

"},{"location":"services/#auth-dns","title":"\u6743\u5a01 DNS","text":"

\u4ee5\u4e0b\u5185\u5bb9\u7531 GPT-4 \u751f\u6210

User: \u5411\u65b0\u624b\u8fd0\u7ef4\u4ecb\u7ecd\u4ec0\u4e48\u662f\u6743\u5a01 DNS

Bot: \u6743\u5a01DNS\uff08Authoritative DNS\uff09\u670d\u52a1\u662f\u56e0\u7279\u7f51\u57df\u540d\u7cfb\u7edf\uff08DNS\uff09\u7684\u4e00\u90e8\u5206\uff0c\u5b83\u8d1f\u8d23\u5904\u7406\u5173\u4e8e\u5176\u8d1f\u8d23\u7ba1\u7406\u7684\u4e00\u7ec4\u57df\u540d\u7684\u67e5\u8be2\u3002\u8fd9\u4e9bDNS\u670d\u52a1\u5668\u5e26\u6709\u5173\u4e8e\u4ed6\u4eec\u6240\u8d1f\u8d23\u57df\u7684\u6240\u6709\u5fc5\u8981\u6570\u636e\uff0c\u5e76\u4ece\u7ba1\u7406\u8be5\u57df\u7684\u4eba\u6216\u7ec4\u7ec7\u4e2d\u6536\u5230\u66f4\u65b0\u3002

\u6bd4\u5982\uff0c\u5982\u679c\u4f60\u5728\u6d4f\u89c8\u5668\u4e2d\u8f93\u5165\u4e00\u4e2a\u7f51\u7ad9\u5730\u5740\uff0c\u4f60\u7684\u8bf7\u6c42\u9996\u5148\u53d1\u9001\u5230\u9012\u5f52DNS\u670d\u52a1\u5668\uff0c\u7136\u540e\u9012\u5f52\u670d\u52a1\u5668\u67e5\u8be2\u6743\u5a01DNS\u670d\u52a1\u5668\u6765\u83b7\u53d6\u5bf9\u5e94\u7684IP\u5730\u5740\u3002\u6743\u5a01\u670d\u52a1\u5668\u5c31\u662f\u201c\u6743\u5a01\u201d\u8d44\u6e90\uff0c\u80fd\u591f\u544a\u8bc9\u9012\u5f52\u670d\u52a1\u5668\u5bf9\u5e94\u7684IP\u5730\u5740\u662f\u4ec0\u4e48\u3002\u8fd9\u4e2a\u8fc7\u7a0b\u88ab\u79f0\u4e3aDNS\u89e3\u6790\u3002

\u603b\u7684\u6765\u8bf4\uff0c\u6743\u5a01DNS\u670d\u52a1\u5668\u5c31\u662f\u5b58\u50a8\u3001\u7ba1\u7406\u5e76\u54cd\u5e94\u7279\u5b9a\u57df\u540d\u4fe1\u606f\u7684\u201c\u6743\u5a01\u201d\u6765\u6e90\u3002

\u6211\u4eec\u7684\u6743\u5a01 DNS \u670d\u52a1\u5668\u63d0\u4f9b\u4e86\u4e0e LUG \u6709\u5173\u7684\u57df\u540d\u7684\u76f8\u5173\u89e3\u6790\u4fe1\u606f\uff0c\u540c\u65f6\u4e5f\u662f\u4e00\u4e2a\uff08\u901a\u8fc7\u57df\u540d\uff09\u53ef\u4ee5\u6982\u89c8 LUG \u66fe\u7ecf\u4e0e\u76ee\u524d\u6709\u7684\u670d\u52a1\u7684\u5730\u65b9\u3002

"},{"location":"services/#lug-ftp","title":"LUG FTP","text":"

\u4e3b\u670d\u52a1\u5668\uff1avdp.s.ustclug.org\uff0cSSH \u7aef\u53e3 2222\u3002\u5bf9\u5916\u63d0\u4f9b HTTP(S)\uff08\u6587\u4ef6\u5217\u8868\uff09\u4e0e FTP \u670d\u52a1\u3002\u540c\u65f6\u63a5\u5165 LDAP\uff0c\u6bcf\u4e2a LDAP \u7528\u6237\u90fd\u53ef\u4ee5\u4f7f\u7528 LUG FTP \u5b58\u50a8\u81ea\u5df1\u7684\u6587\u4ef6\u3002

\u4e0e\u6b64\u540c\u65f6\uff0cvdp \u4e5f\u627f\u62c5\u4e86\u4f7f\u7528 NFS \u5411 PVE \u670d\u52a1\u5668\u63d0\u4f9b\u4e00\u90e8\u5206\u5b58\u50a8\u7684\u4efb\u52a1\u3002

"},{"location":"services/#gitlab","title":"LUG GitLab","text":"

\u4e3b\u670d\u52a1\u5668\uff1agitlab.s.ustclug.org\uff0cSSH \u7aef\u53e3 2222\u3002

"},{"location":"services/#revproxy","title":"\u4e3b\u9875\u53cd\u4ee3","text":"

\u662f\u591a\u4e2a HTTP \u670d\u52a1\u7684\u5165\u53e3\u3002

\u7531\u4e8e\u653f\u7b56\u548c\u5408\u89c4\u6027\u539f\u56e0\uff0c\u6211\u4eec\u5bf9\u4f7f\u7528\u4e3b\u9875\u53cd\u4ee3\u7684\u57df\u540d\u91c7\u7528\u4e86\u5206\u7ebf\u8def\u89e3\u6790\u7684\u65b9\u6848\uff0c\u5176\u4e2d\u7edd\u5927\u90e8\u5206\u57df\u540d\u5728\u6821\u5916\u90fd\u89e3\u6790\u5230 gateway-jp\uff0c\u5728\u6821\u5185\u89e3\u6790\u5230 gateway-nic\u3002\u8fd9\u4e24\u53f0\u670d\u52a1\u5668\u5747\u63a5\u5165 tinc \u5185\u7f51\uff0c\u91c7\u7528\u540c\u4e00\u5957 Nginx \u914d\u7f6e\uff0c\u4e3a\u5185\u7f51\u670d\u52a1\u5668\u63d0\u4f9b HTTP \u53cd\u4ee3\u3002

\u5b8c\u6574\u5217\u8868\u8bf7\u5728 auth-dns \u4ed3\u5e93\u5185\u5bfb\u627e CNAME \u5230 gateway.cname.ustclug.org. \u7684\u57df\u540d\u3002

\u4e00\u4e9b\u4f8b\u5916\uff1a

"},{"location":"services/#homepage","title":"LUG \u4e3b\u9875","text":"

\u540e\u7aef\u662f docker2 \u4e0a\u7684 website \u5bb9\u5668\u3002

\u89c1 ustclug/website \u4ed3\u5e93\u7684 README\u3002

tky: planet \u73b0\u5728\u7f3a\u4e4f\u7ef4\u62a4\uff0c\u5e0c\u671b\u80fd\u6709\u4eba\u628a\u5b83\u641e\u8d77\u6765\u3002

"},{"location":"services/#linux-101","title":"Linux 101","text":"

\u540e\u7aef\u662f docker2 \u4e0a\u7684 linux101 \u5bb9\u5668\u3002

\u89c1 ustclug/Linux101-docs \u4ed3\u5e93\u7684 README\u3002

"},{"location":"services/#getvpn","title":"\u7533\u8bf7\u7cfb\u7edf","text":"

\u4e00\u4e2a\u4f7f\u7528 Flask \u7f16\u5199\u7684 web \u5e94\u7528\uff0c\u90e8\u7f72\u4e86\u4e24\u5957\uff0c\u5206\u522b\u63d0\u4f9b LUG VPN \u548c Light \u7684\u7533\u8bf7\u670d\u52a1\u3002\u5176\u4e2d\uff1a

"},{"location":"services/#proxy","title":"\u5404\u8def\u53cd\u5411\u4ee3\u7406","text":"

\u57df\u540d\uff1a*.proxy.ustclug.org

\u4f5c\u4e3a\u955c\u50cf\u7ad9\u670d\u52a1\u7684\u4e00\u90e8\u5206\uff0cgateway-jp/nic \u4e5f\u5206\u522b\u4e3a\u6821\u5916\u5185\u63d0\u4f9b\u53cd\u5411\u4ee3\u7406\u5217\u8868\u7684\u53cd\u5411\u4ee3\u7406\u670d\u52a1\u3002

"},{"location":"services/#qt-guide-opensuse-guide","title":"Qt Guide \u548c openSUSE Guide","text":"

\u7531 @winland0704 \u8d1f\u8d23\u7f16\u5199\u5185\u5bb9\uff0c\u6211\u4eec\u5e2e\u52a9\u6258\u7ba1\uff0c\u5e73\u65f6\u653e\u7740\u4e0d\u52a8\u5c31\u884c\u3002

\u540e\u7aef\u662f docker2 \u4e0a\u7684\u4e24\u4e2a\u5bb9\u5668 qtguide \u548c opensuse-guide\u3002

"},{"location":"services/#_1","title":"\u670d\u52a1\u8fd0\u884c\u72b6\u6001\u670d\u52a1\u5668\u9ed1\u677f\u62a5","text":"

TODO: servers \u4e0e status \u7684\u5408\u5e76\u5de5\u4f5c\u3002

"},{"location":"services/#lug-vpn","title":"LUG VPN","text":"

\u4e3b\u670d\u52a1\u5668\uff1avpnstv.s.ustclug.org\uff08\u865a\u62df\u673a\uff0cNIC \u673a\u623f\uff09

RADIUS \u8ba4\u8bc1\u670d\u52a1\u5668\uff1aradius.s.ustclug.org\uff0c\u540c\u65f6\u8fd0\u884c\u4e86 FreeRADIUS \u548c\u5b83\u7684 MySQL \u6570\u636e\u5e93\u3002

\u53e6\u6709\u65e7\u7684 vpn.s.ustclug.org \u8fd0\u884c\u5728\u4e1c\u56fe\uff0c\u6682\u4e0d\u9700\u8981\u5173\u6ce8\u3002

"},{"location":"services/#hackergame","title":"Hackergame","text":"

\u76f8\u5173\u5185\u5bb9\u89c1 hackergame \u5185\u90e8\u6587\u6863\u3002

"},{"location":"services/#docker2","title":"\u5404\u7c7b Docker \u670d\u52a1","text":"

Docker2 \u662f\u4e13\u804c\u8d1f\u8d23\u8fd0\u884c\u5bb9\u5668\u7684\u673a\u5668\u3002

"},{"location":"services/#adrain","title":"Adrain","text":"

ustcflyer\uff08\u79d1\u5927\u98de\u8dc3\u624b\u518c\u7f51\u7ad9\uff09\u7684\u524d\u8eab\uff0c\u76ee\u524d\u4fdd\u6301\u8fd0\u884c\u3002

tky: ustcflyer \u6ca1\u6709\u5b9e\u73b0\u7ed9 session \u5220\u5bf9\u5e94\u8bc4\u8bba\u7684\u529f\u80fd\uff0c\u6240\u4ee5 adrain \u6ca1\u6709\u4e0b\u7ebf\u3002

"},{"location":"services/#grafana","title":"Grafana","text":"

LUG \u7684\u76d1\u63a7\u7ad9\u70b9\u3002

"},{"location":"services/#ldap","title":"LDAP","text":""},{"location":"services/#mail","title":"Mail","text":"

\u4e3a\u670d\u52a1\u5668\u3001IPMI \u7b49\u63d0\u4f9b\u7684\u5185\u90e8\u90ae\u4ef6\u670d\u52a1\u3002

[WIP]: \u9700\u8981\u8865\u5145

"},{"location":"services/#pve","title":"\u865a\u62df\u5316\uff1aPVE \u4e0e PBS","text":"

PVE: \u63d0\u4f9b\u865a\u62df\u5316\u652f\u6301\uff1bPBS: PVE \u7684\u865a\u62df\u673a\u5907\u4efd\u3002

"},{"location":"services/#pxe","title":"PXE","text":"

\u7f51\u7edc\u542f\u52a8\u670d\u52a1\uff0c\u8d1f\u8d23\u4e3a\u5168\u6821\u673a\u5668\u63d0\u4f9b\u63d2\u7f51\u53e3\u5373\u53ef\u5b89\u88c5\u7cfb\u7edf\u7684\u529f\u80fd\uff0c\u4ee5\u53ca\u4e3a\u56fe\u4e66\u9986\u67e5\u8be2\u673a\u63d0\u4f9b\u955c\u50cf\u3002

"},{"location":"services/#others","title":"\u5176\u4ed6","text":"

\u6b64\u5904\u6240\u5217\u51fa\u7684\u201c\u670d\u52a1\u201d\u6ca1\u6709\u4f7f\u7528\u6211\u4eec\u81ea\u5df1\u7684\u670d\u52a1\u5668\u8d44\u6e90\uff0c\u90fd\u6258\u7ba1\u5728\u5916\u90e8\u5e73\u53f0\u4e0a\uff0c\u4ec5\u57df\u540d\uff08\u5373 DNS\uff09\u7531\u6211\u4eec\u7ef4\u62a4\u3002

"},{"location":"services/#documentations","title":"\u6280\u672f\u6587\u6863","text":"

\u4e5f\u5c31\u662f\u672c\u6587\u6863\uff0c\u8fd0\u884c\u5728 Cloudflare Pages \u4e0a\u3002

"},{"location":"services/#ghauth","title":"GHAuth","text":"

https://ghauth.ustclug.org

\u7528\u4e8e\u53cc\u5411\u9a8c\u8bc1 GitHub \u8d26\u53f7\u4e0e\u79d1\u5927\u5b66\u53f7\u7684\u670d\u52a1\uff08\u7c7b\u4f3c\u4e8e https://qq.ustc.life\uff09\uff0c\u76ee\u524d\u5904\u4e8e\u95f2\u7f6e\uff0c\u8fd0\u884c\u5728 iBug \u7684 AWS Lambda \u4e0a\u3002

"},{"location":"services/#discontinued","title":"\u5df2\u5e9f\u5f03\u670d\u52a1","text":""},{"location":"services/discontinued/","title":"Discontinued Services","text":"

\u672c\u9875\u9762\u8bb0\u8f7d\u66fe\u7ecf\u63d0\u4f9b\u7684\u670d\u52a1\uff0c\u4f46\u662f\u7531\u4e8e\u67b6\u6784\u6539\u53d8\u6216\u670d\u52a1\u8fc1\u79fb\uff0c\u8fd9\u4e9b\u670d\u52a1\u4e0d\u518d\u4ee5\u539f\u6765\u7684\u5f62\u5f0f\u63d0\u4f9b\uff0c\u5e76\u53ef\u80fd\u5728\u539f\u5904\u6709\u6b8b\u7559\u7684\u914d\u7f6e\u6587\u4ef6\u3002

\u901a\u5e38\u60c5\u51b5\u4e0b\u6b8b\u7559\u7684\u914d\u7f6e\u6587\u4ef6\u53ef\u4ee5\u76f4\u63a5\u5220\u9664\uff0c\u4f46\u662f\u4fdd\u9669\u8d77\u89c1\uff0c\u4ecd\u7136\u5efa\u8bae\u5728 Internals \u7fa4\u91cc\u5148\u8be2\u95ee\u4e00\u4e0b\u518d\u5904\u7406\u3002

"},{"location":"services/discontinued/#docker-registry","title":"Docker Registry","text":"

\u66fe\u7ecf\u8fd0\u884c\u5728 docker2 \u4e0a\uff0c\u73b0\u5728 LUG \u7684 Docker \u955c\u50cf\u5df2\u8f6c\u79fb\u81f3 Docker Hub\u3002

"},{"location":"services/discontinued/#freeshell","title":"Freeshell","text":"

\uff08\u672a\u5b8c\u5f85\u7eed\uff0c\u914d\u7f6e\u6587\u4ef6\u5148\u4fdd\u7559\uff09

"},{"location":"services/discontinued/#ustc-blog","title":"USTC Blog","text":"

Refer to Gitlab Wiki.

"},{"location":"services/discontinued/#telegram-web","title":"Telegram Web","text":"

Service\uff1atelegram.ustclug.org

Repository\uff1agithub.com/ustclug/telegram-web

DockerHub\uff1austclug/telegram-web

Deployment\uff1atelegram-web.sh

Servers\uff1a

Blog\uff1aadd-telegram-web-service

"},{"location":"services/discontinued/#ustc-life","title":"USTC Life","text":"

USTC Life is a navigation page, which included useful sites in USTC.

Service: ustc.life

2020-04-09 \u66f4\u65b0\u4fe1\u606f

\u76ee\u524d\uff0cUSTC Life \u670d\u52a1\u6258\u7ba1\u5728 GitHub Pages \u4e0a\uff0c\u4ed3\u5e93\u4e5f\u5df2\u8f6c\u79fb\u81f3 SmartHypercube/ustclife\uff0c\u7531 Hypercube \u8d1f\u8d23\u7ef4\u62a4\u3002\u4ee5\u4e0b\u5185\u5bb9\u4ec5\u4e3a\u5386\u53f2\u8bb0\u5f55\u3002

Git Repository: github.com/ustclug/ustclife

DockerHub: ustclug/ustclife

server: docker2.s.ustclug.org

deploy: /srv/webhook/ustclife.sh

webhook from DockerHub: /srv/webhook/hooks.json

"},{"location":"services/discontinued/#wordpress-based-serversustclugorg-planetustclugorg","title":"Wordpress-based servers.ustclug.org & planet.ustclug.org","text":"

\u4e3a\u4e86\u51cf\u5c0f\u653b\u51fb\u9762\u4e0e\u7ef4\u62a4\u6210\u672c\uff0cservers.ustclug.org \u8fc1\u79fb\u5230\u4e86\u57fa\u4e8e Jekyll \u7684\u65b9\u6848\uff1bplanet.ustclug.org \u5728\u65e9\u524d\u5df2\u7ecf\u6574\u5408\u5230\u4e86 LUG \u4e3b\u7ad9\u4e2d\u3002

"},{"location":"services/discontinued/#mail-list","title":"Mail List","text":"

Plugin Email Subscribers & Newsletters on servers.ustclug.org sends a mail to Google Group when a new article posted on mirrors catalogue.

The mails are sent from servers@ustclug.org, which is a member of Google Group with write permission.

Google Group: ustc-mirrors@googlegroups.com

"},{"location":"services/docker2/","title":"Docker services","text":"

Server: docker2.s.ustclug.org

Provides Docker container environment for other services. All non-system services should be run as Docker containers on this host.

Methods to run individual containers are maintained in the ustclug/docker-run-script repository.

"},{"location":"services/docker2/#special-configurations","title":"Special configurations","text":""},{"location":"services/docker2/#network-interfaces","title":"Network interfaces","text":"

We use udev rules to assign consistent names to network interfaces, identified by their MAC addresses.

/etc/udev/rules.d/70-persistent-net.rules
SUBSYSTEM==\"net\", ACTION==\"add\", DRIVERS==\"?*\", ATTR{address}==\"00:50:56:9f:00:22\", NAME=\"Telecom\"\nSUBSYSTEM==\"net\", ACTION==\"add\", DRIVERS==\"?*\", ATTR{address}==\"00:50:56:9f:00:5b\", NAME=\"Mobile\"\nSUBSYSTEM==\"net\", ACTION==\"add\", DRIVERS==\"?*\", ATTR{address}==\"00:50:56:9f:00:5d\", NAME=\"ustclug\"\n

We then refer to these interfaces using their new names in /etc/network/interfaces to ensure consistent network configuration.

2022 \u5e74 2 \u6708 21 \u65e5\u66f4\u65b0

\u4eca\u65e5\u53d1\u73b0 docker2 \u65e0\u6cd5\u8fde\u63a5\u5bb9\u5668\u7f51\u7edc\uff0810.254.1.0/21\uff09\uff0c\u8c03\u8bd5\u540e\u53d1\u73b0\u4e3a Linux macvlan \u7f51\u7edc\u7279\u6027\uff08Stack Overflow\uff09\u3002\u4e3a\u4e86\u4fee\u590d\u8fde\u63a5\u95ee\u9898\uff0c\u8fdb\u884c\u4e86\u4ee5\u4e0b\u4fee\u6539\uff1a

  1. \u5c06 /etc/udev/rules.d/70-persistent-net.rules \u4e2d Policy \u66f4\u540d\u4e3a ustclug\uff1b
  2. \u5728 /etc/network/interfaces \u4e2d\u8bbe\u7f6e Policy \u548c ustclug \u4e24\u4e2a interface \u7684\u76f8\u5173\u914d\u7f6e\u5982\u4e0b\uff1a

    auto Policy\niface Policy inet static\n    address 10.254.0.16/21\n    pre-up ip link add $IFACE link ustclug type macvlan mode bridge\n    post-down ip link del $IFACE\n\nauto ustclug\niface ustclug inet manual\n
"},{"location":"services/docker2/#docker-daemon-service","title":"Docker daemon service","text":"

docker2 \u4e0a\u9762\u7684 Docker \u4f7f\u7528 macvlan \u6765\u5c06\u865a\u62df\u673a\u63a5\u5165 lugi \u5185\u7f51\uff0c\u56e0\u6b64\u5c06 macvlan \u7684\u4e3b\u7aef\u53e3 Policy \u914d\u7f6e\u4e3a docker.service \u7684\u5f3a\u4f9d\u8d56\u3002

systemctl edit docker.service
[Unit]\nBindsTo=sys-subsystem-net-devices-Policy.device\nAfter=sys-subsystem-net-devices-Policy.device\n

\u5b9e\u9645\u4e0a After=network-online.target \u5c31\u591f\u4e86\uff0c\u4f46\u662f\u51fa\u4e8e\u5386\u53f2\u539f\u56e0\u4f7f\u7528\u4e86 BindsTo \u5f3a\u4f9d\u8d56\u5185\u7f51\u7aef\u53e3\uff0c\u8fd9\u662f\u56e0\u4e3a docker2 \u66fe\u7ecf\u5355\u72ec\u8fd0\u884c tinc \u63a5\u5165\u5185\u7f51\uff0c\u800c tinc \u7684\u7aef\u53e3\u53ea\u5728 tinc \u542f\u52a8\u540e\u624d\u4f1a\u51fa\u73b0\uff08\u624d\u80fd\u5206\u51fa macvlan \u5b50\u7aef\u53e3\uff09\uff0c\u56e0\u6b64\u4f7f\u7528 BindsTo \u4fdd\u8bc1 docker \u968f\u8be5\u7aef\u53e3\u7684\u51fa\u73b0\u548c\u6d88\u5931\u800c\u542f\u52a8/\u505c\u6b62\u3002

2022 \u5e74 1 \u6708 15 \u65e5\u4ee5\u540e docker2 \u4e0e\u5176\u4ed6\u865a\u62df\u673a\u4e00\u6837\u901a\u8fc7 gateway-nic \u6865\u63a5\u7684 tinc \u63a5\u5165\u5185\u7f51\uff0c\u4e0d\u518d\u5355\u72ec\u8fd0\u884c tinc\u3002

"},{"location":"services/docker2/#opensuse-guide-qtguide","title":"opensuse-guide \u4e0e qtguide \u6bcf\u65e5\u66f4\u65b0","text":"

\u7531\u4e8e\u6ca1\u6709\u8bbe\u7f6e webhook\uff0c\u76ee\u524d\u914d\u7f6e\u4e86 systemd timer\uff0c\u6267\u884c /srv/docker/guide \u4e2d\u7684\u811a\u672c\uff0c\u4ee5\u5206\u522b\u5728\u6bcf\u65e5\u665a\u4e0a 23:15 \u548c 23:30 \u66f4\u65b0 opensuse-guide \u548c qtguide \u4e24\u4e2a\u5bb9\u5668\u7684 image \u5e76\u91cd\u542f\u5bb9\u5668\u3002

\u8be6\u7ec6\u7684\u914d\u7f6e\u6587\u4ef6\u53ef\u67e5\u770b docker-run-script \u4e2d\u7684 opensuse-guide \u548c qtguide \u4e24\u4e2a\u6587\u4ef6\u5939\u3002

"},{"location":"services/docker2/#workflows-troubleshooting","title":"Workflows & Troubleshooting","text":""},{"location":"services/docker2/#docker-pingd","title":"Docker \"pingd\"","text":"

\u66f4\u65b0

\u95ee\u9898\u5df2\u7ecf\u67e5\u660e\u4e3a Debian \u7684 Linux \u5185\u6838 bug (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=952660)\uff0c\u5df2\u7ecf\u901a\u8fc7\u66f4\u65b0\u5185\u6838\u5e76\u91cd\u542f\u800c\u89e3\u51b3\u3002\u4ee5\u4e0b\u5185\u5bb9\u4ec5\u4f5c\u5b58\u6863\u3002

\u51fa\u4e8e\u672a\u77e5\u539f\u56e0\u6709\u65f6\u5019\u5916\u90e8\u4e3b\u673a\u4f1a\u65e0\u6cd5\u4e3b\u52a8\u8fde\u901a Docker \u5bb9\u5668\uff08\u53ef\u80fd\u4e0e ARP \u6709\u5173\uff09\uff0c\u4f46\u662f\u5982\u679c\u67d0\u4e2a\u5bb9\u5668\u5148 ping \u4e86\u4e00\u4e0b\u5916\u90e8\u4e3b\u673a\uff0c\u5c31\u80fd\u53cc\u5411\u8fde\u901a\u4e86\u3002

\u7531\u4e8e\u6211\u4eec\u6682\u672a\u627e\u5230\u6b63\u5e38\u7684\u89e3\u51b3\u65b9\u6848\uff0c\u56e0\u6b64\u4f7f\u7528 \u201cping daemon\u201d \u4f5c\u4e3a\u4e00\u4e2a workaround\uff0c\u5728\u5bb9\u5668\u4e2d\u8fd0\u884c ping \u4fdd\u6301\u5916\u90e8\u4e3b\u673a\u7684\u8fde\u901a\u6027\u3002

docker-pingd@.service
[Unit]\nDescription=Docker pingd service %I\nDocumentation=man:ping(8)\nAfter=network.target\nStartLimitIntervalSec=0\n\n[Service]\nType=simple\nUser=root\nGroup=root\nExecStart=/bin/sh -c 'IVAR=\"%i\"; exec /usr/bin/docker exec \"$${IVAR%:*}\" ping -q -s 32 \"$${IVAR#*:}\"'\nExecStop=/bin/kill -s INT $MAINPID\nRestart=on-failure\nRestartSec=3\n\n[Install]\nWantedBy=multi-user.target\nAlias=docker-ping@.service\n

\u4f7f\u7528\u65b9\u5f0f\uff1asystemctl enable docker-pingd@container:host.service\uff0ccontainer \u6362\u6210\u5bb9\u5668\u540d\uff0chost \u6362\u6210 ping \u7684\u76ee\u6807\u3002

Trick \u4ecb\u7ecd\uff1aSystemd service \u914d\u7f6e\u6682\u4e0d\u652f\u6301\u591a\u4e2a\u6a21\u677f\u53c2\u6570 %i\uff0c\u56e0\u6b64\u8c03\u7528 shell \u6765\u89e3\u6790\u53c2\u6570\u3002Ref: https://github.com/systemd/systemd/issues/14895#issuecomment-612270690

"},{"location":"services/docker2/#wordpress","title":"WordPress \u5347\u7ea7","text":"

taoky

\u5f88\u9ebb\u70e6\uff0c\u5efa\u8bae lug \u4ee5\u540e\u518d\u4e5f\u522b\u7528\uff08\u522b\u5f00\u65b0\u7684\uff09wordpress \u4e86\u3002

servers \u4e0e\u65e7 planet \u4f7f\u7528 WordPress\uff0c\u6258\u7ba1\u5728 docker2 \u4e0a\u3002\u56e0\u4e3a docker2 \u73b0\u5728\u78c1\u76d8 IO \u5f88\u6162\uff0c\u6240\u4ee5\u53ef\u80fd\u4f1a\u51fa\u73b0\u4e00\u4e9b\u989d\u5916\u7684\u95ee\u9898\u3002

\u63a8\u8350\u4f7f\u7528 https://wp-cli.org/#installing\u3002\u547d\u4ee4\uff1a

chmod +x wp-cli.phar\nmv wp-cli.phar /usr/local/bin/wp\ncd /var/www/public/\nsudo -u www-data -- wp core update --version=5.8.1 /tmp/wordpress-5.8.1.zip\n

\u5bb9\u5668\u91cc sudo \u8981\u624b\u52a8\u88c5\u3002

\u4ee5\u4e0b\u5185\u5bb9\u4ec5\u4f9b\u53c2\u8003\u3002

\u5c1d\u8bd5\u5347\u7ea7\u65f6\u5982\u679c\u672a\u51fa\u73b0\u5347\u7ea7\u63d0\u793a\uff0c\u53ef\u4ee5\u4fee\u6539\uff1a

\u5982\u679c\u51fa\u73b0\u300c\u53e6\u4e00\u66f4\u65b0\u6b63\u5728\u8fd0\u884c\u300d\uff0c\u4e14\u786e\u8ba4\u4e0d\u5728\u66f4\u65b0\uff0c\u53ef\u4ee5\u5728\u6570\u636e\u5e93\u7684 wordpress \u8868\u4e2d\u6267\u884c\uff1a

DELETE FROM wp_options WHERE option_name = 'core_updater.lock';\n
"},{"location":"services/docker2/#docker","title":"\u770b\u8d77\u6765\u6b63\u5728\u8fd0\u884c\u4f46\u662f\u6ca1\u6709\u8fdb\u7a0b\u7684 Docker \u5bb9\u5668","text":"

2021/10/25 \u53d1\u73b0\u67d0\u5bb9\u5668\u663e\u793a\u6b63\u5728\u8fd0\u884c\uff0c\u4f46\u662f\u5b9e\u9645\u6ca1\u6709\u8fdb\u7a0b\u3002\u540e\u53d1\u73b0\u4e3a Docker \u7684 bug\uff0c\u5728\u5bb9\u5668\u8fdb\u7a0b\u88ab cgroups \u5e72\u6389\u4e4b\u540e\u53ef\u80fd\u4f1a\u51fa\u73b0\u6b64\u60c5\u51b5\u3002

\u5bf9\u5e94 issue\uff1ahttps://github.com/moby/moby/issues/38501

\u89e3\u51b3\u65b9\u6cd5\uff1a\u5c06\u5bb9\u5668 ID \u5bf9\u5e94\u7684 containerd-shim \u6740\u6b7b\u5373\u53ef\u8ba9 Docker \u66f4\u65b0\u5176\u72b6\u6001\u4e3a\u5df2\u505c\u6b62\uff0c\u7136\u540e\u91cd\u65b0\u5f00\u542f\u5373\u53ef\u3002

"},{"location":"services/documentations/","title":"LUG \u6587\u6863","text":""},{"location":"services/ftp/","title":"LUG FTP","text":"

Services: FTP/FTPS, SFTP, HTTP, HTTPS

Git repository: ustclug/lugftp

Docker Hub: ustclug/ftp

Server: vdp.s.ustclug.org (management ssh port 2222)

Theme: h5ai

Deploy: ftp.sh

"},{"location":"services/ftp/#notes","title":"Notes","text":"
  1. SSL cert is required when running LUG FTP.
  2. ssh-keygen -A is required to be manually run when initializing.
  3. About directory permission:
    1. It is strongly suggested to keep permission & owner metadata when backing up/restoring.
    2. Public folder root: set owner root:root and permission 0755.
    3. Subfolders: set owner to 1000:1000. _h5ai and wp-content needs to be set to a different owner (misconfigured?). And Incoming shall be set to 0775.
  4. Do not use Google DNS in host, as China Mobile network may drop UDP packets to 8.8.8.8. A misconfigured DNS may lead to LDAP in container broken.
  5. Port 22 is delegated to the LUG FTP container for SFTP, and SSH access to the host has been reassigned to port 2222.
"},{"location":"services/gateway-el/","title":"Gateway: East Campus Library (gateway-el)","text":"

Todo

Currently systemctl restart networking is required after a reboot to set up tunnel. This bug should be fixed.

"},{"location":"services/gateway-el/#configurations","title":"Configurations","text":""},{"location":"services/gateway-el/#ip-virtual-server","title":"IP Virtual Server","text":"

gateway-el uses IPVS to send requests from one port to other machines directly. IPVS is a Linux kernel feature. Use ipvsadm -Ln to get its status.

"},{"location":"services/gateway-el/#tunnelmonitor","title":"tunnelmonitor","text":"

The tunnels used by gateway-el is mainly maintained by tunnelmonitor. Its config files are in /etc/tunnelmonitor, service is tunnelmonitor.service, and log is /var/log/tunnel_monitor.log.

When starting, netfilter-persistent.service should be run before tunnelmonitor. tunnelmonitor generates new mangle chains when starting, and pings all tunnels periodically and selects all available tunnels, and generates statistc rules.

You check check /var/log/tunnel_monitor.log to see if one tunnel has been down. Currently (2021/09), only one tunnel is available among all tunnel settings in /etc/tunnelmonitor/tunnel.ini.

"},{"location":"services/gateway-el/#iptables-mangle-rt_tables-and-ip-rule","title":"iptables mangle, rt_tables and ip rule","text":"

The following example is for demonstration purposes only.

You can get current status by iptables -t mangle -S. It is expected to see something like this:

-A DemonstrateManglePrerouting -m statistic --mode nth --every 1 --packet 0 -j MARK --set-xmark 0x12345/0xffffffff\n// ...\n-A PREOUT -m mark --mark 0x0 -j DemonstrateManglePrerouting\n

In this case, all packages to DemonstrateManglePrerouting chain will get fwmark 0x12345 (= 74565).

Check ip rule for that:

// ...\n10: from all fwmark 0x12345 lookup ExtraDemoTunnel\n// ...\n

You can get tunnel information in ip a:

29: ExtraDemoTunnel: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000\n    link/none\n    inet 192.168.252.17 peer 192.168.253.17/32 brd 192.168.252.17 scope global ExtraDemoTunnel\n       valid_lft forever preferred_lft forever\n

Here 192.168.252.17 is the local server of tunnel, and 192.168.253.17 is the remote server.

Let's check /etc/network/interfaces.d:

/etc/network/interfaces.d/03ExtraDemoTunnel
auto ExtraDemoTunnel\niface ExtraDemoTunnel inet static\n    address 192.168.252.17\n    netmask 255.255.255.255\n    pre-up ip link add dev $IFACE type wireguard\n    post-down ip link del dev $IFACE\n    up wg set $IFACE listen-port 4601 private-key /etc/wireguard/privkey peer pkeypkeypkeypkeypkeypkeypkeypkeypkeypkeypkey endpoint 23.3.3.3:4600 allowed-ips 0.0.0.0/0\n    up ip route replace default dev $IFACE table $IFACE\n    up ip rule add from all fwmark 74565 table $IFACE prio 10\n    pointopoint 192.168.253.17\n

Here we know that this is a wireguard tunnel, and the endpoint is 23.3.3.3:4600. The fwmark here is 74565 (in decimal).

Why is 74565 set? Let's check /etc/iproute2/rt_tables!

// ...\n74565   ExtraDemoTunnel\n// ...\n

For wireguard, you can use wg to check status. If you find that the \"received\" is 0 in transferred, something is going wrong.

"},{"location":"services/gateway-el/#nginx","title":"Nginx","text":""},{"location":"services/gateway-el/#ustclugorg-issue","title":"ustclug.org issue","text":"

See Gateway-NIC

"},{"location":"services/gateway-el/#issues","title":"Issues & resolution","text":""},{"location":"services/gateway-el/#ipvs-conntrack","title":"IPVS Conntrack","text":"

In early March 2022 we noticed Light connectivity issues from outside USTCnet, which was narrowed down to connections bypassing Linux Conntrack mechanism.

Thanks to TUNA group we learned about /proc/sys/net/ipv4/vs/conntrack, which at the time the problem was located, was zero. Settings this to 1 solved the problem.

However after writing net.ipv4.vs.conntrack = 1 to /etc/sysctl.d/10-ipvs-conntrack.conf and rebooting, the problem returned. Checking systemctl status systemd-sysctl.service we noticed this:

Mar 05 00:00:00 gateway-el systemd-sysctl[218]: Couldn't write '0' to 'net/ipv4/vs/conntrack', ignoring: No such file or directory\n

Adding ip_vs to /etc/modules and rebooting again correctly fixed the problem.

This is because the module was automatically loaded the first time ipvsadm is called (namely, /etc/init.d/ipvsadm), which happened at a very late stage. Adding to /etc/modules gets the module loaded earlier (and before systemd-sysctl.service) so it worked.

"},{"location":"services/gateway-el/#tinc-issue","title":"Tinc issue","text":"

See gateway

"},{"location":"services/gateway-jp/","title":"Gateway: Japan (gateway-jp)","text":"

This page is currently a stub.

"},{"location":"services/gateway-jp/#network-configuration","title":"Network configuration","text":""},{"location":"services/gateway-jp/#iptables","title":"iptables","text":"

See Gateway NIC

Blacklists are also managed with ipset, see /root/iptables.

"},{"location":"services/gateway-jp/#sysctl","title":"sysctl","text":"

When first applying iptables rules, we experienced severe performance degradation. Dmesg was flooded with messages like this:

nf_conntrack: nf_conntrack: table full, dropping packet\n

So we increased this sysctl setting:

/etc/sysctl.d/00-ustclug.conf
net.nf_conntrack_max = 262144\nnet.ipv4.tcp_fin_timeout = 10\n

To ensure net.nf_conntrack_max is available at boot, we also added nf_conntrack to /etc/modules and ran update-initramfs -u.

The other setting is to prevent TCP connections from lingering too long in FIN_WAIT_2 and TIME_WAIT states.

"},{"location":"services/gateway-nic/","title":"Gateway: Network Information Center (gateway-nic)","text":"

Previously gateway-nic used CentOS 7 to 8 to Stream, to \"avoid putting all eggs in one basket\". This VM was replaced by a newly setup Debian Bullseye VM on January 2022 during migration from ESXi to Proxmox VE.

The virtual disk of the old gateway-nic was copied onto pve-5, located at ZFS Zvol rpool/data/gateway-nic. The current VM uses rpool/data/vm-200-disk-0 instead (Proxmox naming convention).

"},{"location":"services/gateway-nic/#config-file-management","title":"Config file management","text":"

Git repositories exist for these directories:

/etc/nginx\n/etc/systemd/network\n/etc/tinc\n
"},{"location":"services/gateway-nic/#networking","title":"Networking","text":"

We use systemd-networkd to configure network on gateway-nic. This replaces both ifupdown (config file /etc/network/interfaces)

$ systemctl edit systemd-networkd.service
[Service]\nExecStartPre=-/sbin/ip -4 rule flush\nExecStartPre=-/sbin/ip -6 rule flush\n\n[Install]\nAlias=networkd.service\n

The ExecStartPre= commands flush (clear) existing rules so that systemd-networkd can fully manage all rules. This is because ManageForeignRoutingPolicyRules is a new setting in systemd 249, while Debian Bullseye uses systemd 247, so we have to do this manually.

We then load the regular \"main\" and \"default\" rules on the loopback interface (routing rules aren't bound to interfaces, but are added/removed when the configured interface is brought up/turned down).

/etc/systemd/network/00-lo.network
[Match]\nName=lo\n\n# Route \"main\"\n[RoutingPolicyRule]\nFamily=both\nTable=254\nPriority=2\nSuppressPrefixLength=1\n\n# Route \"Special\"\n[RoutingPolicyRule]\nFamily=both\nTable=1000\nPriority=5\nSuppressPrefixLength=1\n\n# Route \"default\"\n[RoutingPolicyRule]\nFamily=both\nTable=253\nPriority=32767\n
"},{"location":"services/gateway-nic/#interfaces","title":"Interfaces","text":"

Systemd-networkd has built-in capability to rename interfaces, so there's no need to use udev rules.

For example, to assign a name for the cernet interface, we use:

/etc/systemd/network/12-Cernet.link
[Match]\nPermanentMACAddress=00:50:56:a2:02:8c\n\n[Link]\nName=Cernet\n

We then configure addresses and routing rules for this interface:

/etc/systemd/network/12-Cernet.network
[Match]\nName=Cernet\n\n[Network]\nAddress=202.38.95.102/25\nAddress=2001:da8:d800:95::102/64\nIPv6AcceptRA=no\n\n[Route]\nGateway=202.38.95.126\nTable=253\nMetric=2\n\n[Route]\nGateway=2001:da8:d800:95::1\nTable=253\nMetric=2\n\n[Route]\nGateway=202.38.95.126\nTable=1002\n\n[Route]\nGateway=2001:da8:d800:95::1\nTable=1002\n\n[RoutingPolicyRule]\nFrom=202.38.95.102\nTable=1002\nPriority=3\n\n[RoutingPolicyRule]\nFrom=2001:da8:d800:95::102\nTable=1002\nPriority=3\n\n[RoutingPolicyRule]\nFamily=both\nOutgoingInterface=Cernet\nTable=1002\nPriority=3\n\n[RoutingPolicyRule]\nFamily=both\nFirewallMark=0x2\nTable=1002\nPriority=4\n

This config file assigns one IPv4 and one IPv6 address to the interface, as well as one IPv4 route and one IPv6 route for both the default routing table and an interface-specific routing table. It then adds three routing rules in both IPv4 and IPv6 for replying on the same interface, for sockets bound to this interfaces, and for firewall mark routing.

Other interfaces are configured similarly, so just refer to their configuration files for details.

"},{"location":"services/gateway-nic/#routes","title":"Routes","text":"

Outgoing connections are routed through different ISPs. We use ISP IP data from gaoyifan/china-operator-ip. Relevant files are located under /usr/local/network_config.

The said repository (branch ip-lists) is cloned and we symlink select files to iplist directory for consumption. A custom script converts these IP data into additional systemd-networkd config files (under /run/systemd).

$ ls -l /usr/local/network_config/iplist/
lrwxrwxrwx cernet.txt -> ../china-operator-ip/cernet.txt\nlrwxrwxrwx cernet6.txt -> ../china-operator-ip/cernet6.txt\nlrwxrwxrwx china.txt -> ../china-operator-ip/china.txt\nlrwxrwxrwx china6.txt -> ../china-operator-ip/china6.txt\nlrwxrwxrwx cstnet.txt -> ../china-operator-ip/cstnet.txt\nlrwxrwxrwx cstnet6.txt -> ../china-operator-ip/cstnet6.txt\nlrwxrwxrwx mobile.txt -> ../china-operator-ip/cmcc.txt\nlrwxrwxrwx telecom.txt -> ../china-operator-ip/chinanet.txt\nlrwxrwxrwx unicom.txt -> ../china-operator-ip/unicom.txt\n-rw-r--r-- ustcnet.txt\n-rw-r--r-- ustcnet6.txt\n
/usr/local/network_config/route-all.sh
#!/bin/bash\n\n[ -n \"$BASH_VERSION\" ] || exit 1\n\nWD=\"$(dirname \"$0\")\"\nROOT_IP_LIST=\"$WD/iplist\"\nROOT_CONF=/etc/systemd/network\nROOT_RT=/run/systemd/network\n\ngen_route() {\n  local DEVFILE=\"$1\"\n  local DEV=\"$(awk -F = '/^Name=/{print $2; exit}' \"$ROOT_CONF/$DEVFILE.network\")\"\n  local GW=\"$2\" FAMILY=ipv4 V6\n  if [[ \"$GW\" =~ : ]]; then\n    FAMILY=ipv6\n    V6=\"-v6\"\n  fi\n  # Convert table to number\n  local TABLENAME=\"$3\"\n  local TABLE=\"$(awk 'substr($0, 1, 1) != \"#\" && $2 == \"'\"$TABLENAME\"'\" { print $1 }' /etc/iproute2/rt_tables | head -1)\"\n  local PRIORITY=\"$4\"\n  shift 4\n\n  F=\"$ROOT_RT/$DEVFILE.network.d\"\n  mkdir -p \"$F\"\n  F=\"$F/route-${TABLENAME,,}${V6}.conf\"\n  echo -e \"[RoutingPolicyRule]\\nFamily=$FAMILY\\nTable=$TABLE\\nPriority=$PRIORITY\\n\" > \"$F\"\n\n  awk '{ print \"[Route]\\nDestination=\" $1 \"\\nGateway='\"$GW\"'\\nTable='\"$TABLE\"'\\n\" }' \"${@/#/$ROOT_IP_LIST/}\" >> \"$F\"\n}\n\ngen_route 12-Cernet 202.38.95.126 ustcnet 5 ustcnet.txt\ngen_route 12-Cernet 2001:da8:d800:95::1 ustcnet 5 ustcnet6.txt\ngen_route 12-Cernet 202.38.95.126 cernet 6 cernet.txt cstnet.txt\ngen_route 12-Cernet 2001:da8:d800:95::1 cernet 6 cernet6.txt cstnet6.txt\ngen_route 13-Telecom 202.141.160.126 telecom 6 telecom.txt unicom.txt\ngen_route 14-Mobile 202.141.176.126 mobile 6 mobile.txt\ngen_route 12-Cernet 202.38.95.126 china 7 china.txt\ngen_route 12-Cernet 2001:da8:d800:95::1 china 7 china6.txt\n

We then use a systemd service to ensure additional files for systemd-networkd are generated before it starts.

/etc/systemd/system/route-all.service
[Unit]\nDescription=Generate routes for systemd-networkd\nBefore=systemd-networkd.service\n\n[Service]\nType=oneshot\nExecStart=/bin/bash /usr/local/network_config/route-all.sh\n#ExecStart=/usr/local/network_config/special.rb\nRemainAfterExit=true\n\n[Install]\nWantedBy=network.target systemd-networkd.service\n

Updating routes from upstream is easy:

/usr/local/network_config/update.sh
#!/bin/sh\n\ncd \"$(dirname \"$0\")\"\n\ngit -C china-operator-ip pull\nsystemctl restart route-all.service\n

The resulting routing policies look like this:

$ ip rule
0:      from all lookup local\n2:      from all lookup main suppress_prefixlength 1\n3:      from 172.16.0.2 lookup Warp\n3:      from all oif Warp lookup Warp\n3:      from 202.141.176.102 lookup Mobile\n3:      from all oif Mobile lookup Mobile\n3:      from 202.141.160.102 lookup Telecom\n3:      from all oif Telecom lookup Telecom\n3:      from 202.38.95.102 lookup Cernet\n3:      from all oif Cernet lookup Cernet\n4:      from all fwmark 0x5 lookup Warp\n4:      from all fwmark 0x4 lookup Mobile\n4:      from all fwmark 0x3 lookup Telecom\n4:      from all fwmark 0x2 lookup Cernet\n5:      from all lookup Special suppress_prefixlength 1\n5:      from all lookup Ustcnet\n6:      from all lookup mobile\n6:      from all lookup telecom\n6:      from all lookup cernet\n7:      from all lookup china\n32767:  from all lookup default\n
"},{"location":"services/gateway-nic/#tinc-vpn","title":"Tinc VPN","text":"

Gateway-NIC connects to intranet with Tinc. There's no special Tinc configuration other than those described at the Tinc VPN page.

Because Tinc now uses systemd services instead of System V init.d scripts, we need to systemctl enable tinc@ustclug.service to make it start on boot. Everything is managed through this templated systemd service.

"},{"location":"services/gateway-nic/#systemd-networkd-wait-onlineservice","title":"systemd-networkd-wait-online.service","text":"

We also override systemd-networkd's online detection for goodness' sake, so it doesn't block booting. Note that it may interfere with services depending on network-online.target, though we have yet to discover any issues.

$ systemctl edit systemd-networkd-wait-online.service
[Service]\nExecStart=\nExecStart=/bin/sleep 1\n
"},{"location":"services/gateway-nic/#iptables","title":"iptables","text":"

All iptables firewall rules are managed manually. We use iptables-persistent to automatically load firewall rules on boot.

To change the rules, manually edit /root/iptables/rules.v4 or rules.v6 and then run apply.sh to apply the changes.

"},{"location":"services/gateway-nic/#fail2ban","title":"Fail2ban","text":"

We use fail2ban to stop SSH scanning and brute-force attempts.

Because fail2ban relies on changing iptables to work, to improve its performance as well as minimize its tampering of iptables rules, we use ipsets for fail2ban.

After stock installation of fail2ban package, remove defaults-debian.conf and add this file to secure SSH daemon:

/etc/fail2ban/jail.d/sshd.conf
[sshd]\nenabled = true\nmode    = aggressive\nfilter  = sshd[mode=%(mode)s]\nlogpath = /var/log/auth.log\nbackend = pyinotify\naction  = iptables-ipset-proto6[chain=\"fail2ban\"]\n

We provide a pre-created empty chain named fail2ban for fail2ban to manipulate (see iptables above).

To make sure fail2ban rules can be re-applied after reloading iptables manually, we override the systemd service so that fail2ban is restarted whenever the iptables service is restarted.

$ systemctl edit fail2ban.service
[Unit]\nAfter=netfilter-persistent.service\nBindsTo=netfilter-persistent.service\n

For some servers where we want to manually start fail2ban, we use Requires= + PartOf=. This will propagate \"restart\" event from iptables to fail2ban, but not \"start\".

$ systemctl edit fail2ban.service
[Unit]\nAfter=netfilter-persistent.service\nRequires=netfilter-persistent.service\nPartOf=netfilter-persistent.service\n
"},{"location":"services/gateway-nic/#nginx","title":"Nginx","text":""},{"location":"services/gateway-nic/#unregistered-domain-traffic","title":"ustclug.org issue","text":"

To mitigate the issue of the complaints from ISPs and the regulation authorities caused by the gateways in USTCnet responding to the requests for ustclug.org, which is a unregistered domain in China MIIT, we make nginx listen on an alternative port 81/444 for HTTP and HTTPS respectively, to respond to requests for lug.ustc.edu.cn only, and rejecting the handshake for any other domain.

/etc/nginx/sites-available/default
server {\n  listen 81 default_server;\n  listen [::]:81 default_server;\n  listen 444 ssl http2 default_server;\n  listen [::]:444 ssl http2 default_server;\n  server_name _;\n  ssl_reject_handshake on; \n  return 444;\n}\n

To whitelist any domain, add listen 81 and listen 444 http2 ssl to corresponding site's server block.

We use iptables to redirect any traffic from outside USTCnet whose destination is TCP port 80/443 on local machine to TCP port 81/444 respectively.

-A PREROUTING -m addrtype --dst-type LOCAL -j NGINX-REDIRECT\n-A NGINX-REDIRECT -i lo -j RETURN\n-A NGINX-REDIRECT -m set --match-set ustcnet src -j RETURN\n-A NGINX-REDIRECT -p tcp --dport 80 -j REDIRECT --to-port 81\n-A NGINX-REDIRECT -p tcp --dport 443 -j REDIRECT --to-port 444\n
"},{"location":"services/generate-204/","title":"Generate 204","text":"

Service: 204.ustclug.org (HTTP / HTTPS)

Server: (gateway)

Blog: add-http-204-service

"},{"location":"services/generate-204/#configration","title":"Configration","text":"/etc/nginx/sites-available/204.ustclug.org
server {\n    listen      80;\n    listen      [::]:80;\n    listen      443 ssl http2;\n    listen      [::]:443 ssl http2;\n    server_name 204.ustclug.org;\n    access_log  /var/log/nginx/204_access.log;\n    error_log   /var/log/nginx/204_error.log;\n    return 204;\n}\n

The authoritative copy is on LUG GitLab.

"},{"location":"services/gitlab/","title":"GitLab","text":"

Server: gitlab.s.ustclug.org (management ssh port 2222)

Git Repository: gitlab-scripts

"},{"location":"services/gitlab/#gitlab-security","title":"GitLab & Security","text":"

GitLab \u7ef4\u62a4\u8005\u9700\u8981\u8ba2\u9605\uff1a

  1. GitLab Security Notices \u90ae\u4ef6\u5217\u8868 (https://about.gitlab.com/company/contact/ \u53f3\u4fa7 \"Sign up for security notices\")
  2. sameersbn/docker-gitlab Releases (Watch \u2192 Custom \u2192 Releases)

\u5728 GitLab \u6709 Security Release \u4e14 docker-gitlab \u53d1\u5e03\u65b0\u7248\u672c\u4e4b\u540e\u9700\u8981\u5b89\u6392\u65f6\u95f4\u66f4\u65b0\u3002\u5c24\u5176 Critical Security Release \u9700\u8981\u5c3d\u5feb\u627e\u65f6\u95f4\u66f4\u65b0\u3002

"},{"location":"services/gitlab/#_1","title":"\u66f4\u65b0","text":"

\uff08\u5efa\u8bae\u9605\u8bfb https://docs.gitlab.com/ee/update/index.html\uff0c\u4ee5\u53ca GitLab \u5b98\u65b9\u7684\u5347\u7ea7\u8def\u5f84\u5206\u6790\u5de5\u5177\uff1ahttps://gitlab-com.gitlab.io/support/toolbox/upgrade-path/\uff09

GitLab 16.0 \u8d77\u79fb\u9664\u4e86\u5bf9 CAS3 \u7684\u652f\u6301\uff0c\u56e0\u6b64\u6211\u4eec\u5207\u6362\u5230\u4e86 OAuth2 \u6765\u5bf9\u63a5\u4e2d\u56fd\u79d1\u5b66\u6280\u672f\u5927\u5b66\u7edf\u4e00\u8eab\u4efd\u8ba4\u8bc1\u3002\u4e3a\u4e86\u5b9e\u73b0\u81ea\u5b9a\u4e49 OAuth2 \u767b\u5f55\u53c2\u6570\uff0c\u6211\u4eec fork \u4e86 sameersbn/docker-gitlab\uff0c\u4ed3\u5e93\u4f4d\u4e8e ustclug/docker-gitlab\u3002\u66f4\u65b0\u65f6\uff0c\u9700\u8981\u9996\u5148\u6309\u7167 ustclug/docker-gitlab \u7684 README.md \u6240\u8ff0\u7684\u6b65\u9aa4\u66f4\u65b0\u955c\u50cf\uff0c\u4e00\u822c\u53ea\u9700\u66f4\u6539\u6240\u8ff0\u7684\u4e24\u4e2a\u4f4d\u7f6e\u7684\u7248\u672c\u53f7\uff0c\u63a8\u9001\u5230\u4ed3\u5e93\u540e\uff0cGitHub Actions \u5c06\u81ea\u52a8\u5b8c\u6210\u955c\u50cf\u7684\u6784\u5efa\uff0c\u5e76\u4e0a\u4f20\u5230 ghcr.io\u3002\u9700\u8981\u6ce8\u610f\u7684\u662f\uff0c\u82e5\u4e0a\u6e38\u66f4\u65b0\u5305\u542b\u5bf9 assets/runtime \u76ee\u5f55\u7684\u53d8\u66f4\uff0c\u5219\u9700\u5148\u5c06\u4e0a\u6e38\u66f4\u65b0\u5408\u5e76\u5230\u6211\u4eec\u7684\u4ed3\u5e93\uff0c\u5426\u5219\u53ef\u80fd\u51fa\u73b0\u6784\u5efa\u6216\u8fd0\u884c\u65f6\u9519\u8bef\u3002

\u7531\u4e8e\u5df2\u7ecf docker \u5316\uff0c\u56e0\u6b64\u6211\u4eec\u7684\u66f4\u65b0\u662f\u901a\u8fc7\u62c9\u53d6 ustclug/docker-gitlab \u7684 docker image\uff0c\u8fdb\u884c\u6570\u636e\u5e93\u51c6\u5907\u4ee5\u53ca\u542f\u52a8\u955c\u50cf\u5b9e\u4f8b\u6765\u8fdb\u884c\u66f4\u65b0\uff0cZack Zeng \u5b66\u957f\u5df2\u7ecf\u5199\u597d\u4e86\u4e00\u5957\u811a\u672c\u7cfb\u7edf\uff1agitlab-scripts\uff0c\u56e0\u6b64\u66f4\u65b0\u65f6\u53ea\u8981\u8dd1\u811a\u672c\u5c31\u53ef\u4ee5\u4e86\u3002

\u7531\u4e8e\u66f4\u65b0\u9700\u8981\u505c\u6b62\u670d\u52a1\uff0c\u56e0\u6b64\u8bf7\u4e8e\u66f4\u65b0\u524d\u81f3\u5c11\u51e0\u5c0f\u65f6\u53d1\u5e03\u66f4\u65b0\u516c\u544a\uff08\u5305\u62ec\u5177\u4f53\u65f6\u95f4\u7b49\uff09\uff0c\u5e76\u68c0\u67e5 Admin -> Monitoring -> Background Migrations \u4e2d\u6240\u6709 migration \u662f\u5426\u90fd\u5df2\u7ecf\u6210\u529f\u5b8c\u6210\u3002

\u66f4\u65b0\u524d\u8bf7\u5148\u63d0\u524d\u4e8e Proxmox VE \u4e0a\u5bf9\u865a\u62df\u673a\u6253\u5feb\u7167\uff08\u6253\u5feb\u7167\u65f6\u670d\u52a1\u4f1a\u6682\u65f6\u505c\u6b62\uff09

\u6253\u5b8c\u5feb\u7167\u4e4b\u540e\u4f7f\u7528\u811a\u672c\u8fdb\u884c\u66f4\u65b0\uff08\u76ee\u524d\u811a\u672c\u4f4d\u4e8e /home/sirius/gitlab-scripts\uff09\uff0c\u9996\u5148\u4f7f\u7528 ./gitlab.sh db \u8fdb\u884c\u6570\u636e\u5e93\u7684\u51c6\u5907\u5de5\u4f5c\u3002\u4e4b\u540e\u53ef\u4ee5\u901a\u8fc7 ./gitlab.sh run <\u7248\u672c\u53f7> \u6765\u8fdb\u884c docker container \u7684\u66ff\u6362\u3002\u66f4\u6362\u524d\u811a\u672c\u4f1a\u81ea\u52a8\u62c9\u53d6\u76f8\u5e94\u7248\u672c\u53f7\u7684 docker \u955c\u50cf\uff0c\u5982\u679c\u62c5\u5fc3\u62c9\u53d6\u65f6\u95f4\u8fc7\u957f\u53ef\u4ee5\u5728\u6253\u5feb\u7167\u524d\u63d0\u524d\u901a\u8fc7 docker pull ghcr.io/ustclug/docker-gitlab:<\u7248\u672c\u53f7> \u6765\u62c9\u53d6\u76f8\u5e94\u7684\u955c\u50cf\u3002

\u4e00\u822c\u60c5\u51b5\u4e0b\u7ecf\u4ee5\u4e0a\u64cd\u4f5c\u540e\u66f4\u65b0\u5c31\u6b63\u5e38\u7ed3\u675f\uff0c\u5982\u679c\u957f\u65f6\u95f4\u65e0\u6cd5\u542f\u52a8\uff0c\u53ef\u4ee5\u901a\u8fc7 docker logs gitlab \u67e5\u770b\u65e5\u5fd7\uff0c\u5982\u679c\u53d1\u73b0\u66f4\u65b0\u540e\u7684\u542f\u52a8\u51fa\u73b0\u95ee\u9898\uff0c\u53ef\u4ee5\u5230 sameersbn/docker-gitlab \u7684 issue \u533a\u7b49\u5730\u67e5\u770b\u76f8\u5173 issue\uff0c\u4ee5\u53ca\u901a\u8fc7\u5bf9\u51fa\u9519\u65e5\u5fd7\u8fdb\u884c Google \u53ef\u80fd\u4f1a\u53d1\u73b0\u662f gitlab \u4e0a\u6e38\u7b49\u51fa\u73b0\u7684\u95ee\u9898\u3002\u5982\u679c\u6709\u89e3\u51b3\u529e\u6cd5\uff0c\u53ef\u4ee5\u6309\u7167\u76f8\u5e94\u89e3\u51b3\u529e\u6cd5\u89e3\u51b3\uff0c\u5982\u679c\u6ca1\u6709\u3002\u53ef\u4ee5\u901a\u8fc7\u627e\u5230\u6709\u76f8\u5e94\u95ee\u9898\u524d\u7684\u6b63\u5e38\u7248\u672c\u53f7\uff0c\u56de\u6eda\u5feb\u7167\uff0c\u4e4b\u540e\u66f4\u5230\u8868\u73b0\u6b63\u5e38\u7684\u7248\u672c\u3002\uff08\u6700\u8fd1\u7684\u66f4\u65b0\u4f1a\u5728\u542f\u52a8\u4e4b\u540e\u77ed\u6682\u51fa\u73b0 502 \u7684\u60c5\u51b5\uff0c\u4f46\u5f88\u5feb\u5c31\u4f1a\u6062\u590d\uff0c\u9047\u5230\u8fd9\u79cd\u60c5\u51b5\u65f6\u4e0d\u8981\u60ca\u614c\uff09\u3002

\u7531\u4e8e\u66f4\u65b0\u53ef\u80fd\u4f1a\u51fa\u73b0\u95ee\u9898\u5bfc\u81f4\u670d\u52a1\u4e0d\u53ef\u7528\uff0c\u56e0\u6b64\u4e0d\u5efa\u8bae\u901a\u8fc7 cron \u7b49\u65b9\u5f0f\u81ea\u52a8\u8fdb\u884c\u66f4\u65b0\u3002

"},{"location":"services/gitlab/#postgresql-redis","title":"postgresql \u4e0e redis \u7684\u66f4\u65b0","text":"

\u7531\u4e8e gitlab \u66f4\u65b0\u540e\u53ef\u80fd\u5bf9 postgresql \u4e0e redis \u7684\u7248\u672c\u6709\u8981\u6c42\uff0c\u56e0\u6b64\u6709\u53ef\u80fd\u9700\u8981\u5b9a\u671f\u66f4\u65b0 redis \u4e0e postgresql\u3002

\u66f4\u65b0\u524d\u8bf7\u5148\u505c\u6b62 gitlab \u7684 container\u3002

\u66f4\u65b0\u65f6\u53ef\u4ee5\u6309\u7167\u5b98\u7f51\u6559\u7a0b docker-postgresql \u8fdb\u884c\u66f4\u65b0\uff0c\u53ef\u4ee5\u901a\u8fc7\u62c9\u53d6 latest \u6807\u7b7e\u7684\u955c\u50cf\uff0c\u5220\u9664\u539f\u6765\u7684 container\uff0c\u518d\u901a\u8fc7\u811a\u672c ./gitlab.sh db \u81ea\u52a8\u542f\u52a8\uff0c\u6570\u636e\u5e93\u66f4\u65b0\u65f6\u53ef\u80fd\u4f1a\u9700\u8981\u4e00\u5b9a\u65f6\u95f4\u6765\u8fc1\u79fb\u6570\u636e\uff0c\u8bf7\u901a\u8fc7 docker logs -f gitlab-postgresql \u547d\u4ee4\u6765\u67e5\u770b\u8fc1\u79fb\u8fdb\u5ea6\uff0c\u5f85\u8fc1\u79fb\u5b8c\u6210\u540e\u518d\u8fd0\u884c GitLab \u7684 container\u3002

"},{"location":"services/gitlab/#rails-console","title":"\u8bbf\u95ee Rails console","text":"

Rails console \u53ef\u4ee5\u5b8c\u6210\u4e00\u4e9b\u9ad8\u7ea7\u7684\u7ef4\u62a4\u4efb\u52a1\u3002\u5728 gitlab \u5bb9\u5668\u4e2d\u6267\u884c bin/rails console \u542f\u52a8\u3002\u6ce8\u610f console \u7684\u542f\u52a8\u65f6\u95f4\u5f88\u957f\uff08 1 \u5206\u949f\u4ee5\u4e0a\uff09\uff0c\u9700\u8981\u6709\u8010\u5fc3\u3002

\u53ef\u4ee5\u6267\u884c\u7684\u547d\u4ee4\u53ef\u53c2\u8003 https://docs.gitlab.com/ee/administration/troubleshooting/gitlab_rails_cheat_sheet.html\u3002

"},{"location":"services/gitlab/#_2","title":"\u67e5\u8be2","text":""},{"location":"services/gitlab/#hashed-storage","title":"\u67e5\u8be2 Hashed storage \u4e0b\u4ed3\u5e93\u5bf9\u5e94\u7684\u9879\u76ee","text":"
ProjectRepository.find_by(disk_path: '@hashed/23/33/2333333333333333333333333333333333333333333333333333333333333333').project\n

\u5982\u679c\u5b58\u5728\uff0c\u4f1a\u8fd4\u56de\u7c7b\u4f3c\u4ee5\u4e0b\u7684\u5185\u5bb9\uff1a

=> #<Project id:23333 username/project>>\n
"},{"location":"services/gitlab/#sql-like","title":"\u67e5\u8be2\u65e0\u9879\u76ee\u4e14\u90ae\u7bb1\u6ee1\u8db3\u6761\u4ef6\u7684\u7528\u6237 (SQL like)","text":"
users = User.where('id NOT IN (select distinct(user_id) from project_authorizations)')\nusers = users.where('email like ?', '%.ru')\nusers.count\n\nusers.each do |user|\n    puts user.last_activity_on\nend\n
"},{"location":"services/gitlab/#_3","title":"\u5237\u65b0\u67d0\u4e2a\u9879\u76ee\u7684\u7edf\u8ba1\u4fe1\u606f","text":"
p = Project.find_by_full_path('<namespace>/<project>')\npp p.statistics\np.statistics.refresh!\npp p.statistics\n
"},{"location":"services/gitlab/#lfs-id","title":"\u83b7\u53d6\u6240\u6709\u5305\u542b LFS \u7684\u9879\u76ee ID","text":"
LfsObject.all.each do |lo|\n    puts LfsObjectsProject.find_by_lfs_object_id(lo.id).project_id\nend\n

\u8f93\u51fa\u8f83\u591a\u3002\u53ef\u4ee5\u4f7f\u7528 rails r xxx.rb \u8fd0\u884c\uff0c\u91cd\u5b9a\u5411\u5230\u6587\u4ef6\uff0c\u53bb\u91cd\u540e\u67e5\u770b\u6240\u6709\u5305\u542b LFS \u7684\u9879\u76ee\u3002

"},{"location":"services/gitlab/#rake-tasks","title":"\u4f7f\u7528 Rake tasks","text":"

\u8be6\u89c1 https://github.com/sameersbn/docker-gitlab#rake-tasks\u3002\u548c Rails console \u4e00\u6837\uff0c\u521d\u59cb\u5316\u5f88\u6162\u3002

\u5f53\u524d\u5b9e\u4f8b\u4fe1\u606f\uff1a

docker exec --user git -it gitlab bundle exec rake gitlab:env:info RAILS_ENV=production\n
"},{"location":"services/gitlab/#_4","title":"\u6e05\u7406","text":"

\u53c2\u8003 https://github.com/gitlabhq/gitlabhq/blob/master/doc/raketasks/cleanup.md\u3002

\u4e0d\u8fc7\u4f5c\u7528\u6709\u9650\u3002

"},{"location":"services/gitlab/#_5","title":"\u6e05\u7406\u4e0a\u4f20\u76ee\u5f55","text":"

\u67e5\u770b\u4f1a\u88ab\u6e05\u7406\u7684\u6587\u4ef6\uff1a

docker exec --user git -it gitlab bundle exec rake gitlab:cleanup:project_uploads RAILS_ENV=production\n

\u6e05\u7406\uff08\u79fb\u52a8\u5230 /-/project-lost-found/\uff09\uff1a

docker exec --user git -it gitlab bundle exec rake gitlab:cleanup:project_uploads RAILS_ENV=production DRY_RUN=false\n
"},{"location":"services/gitlab/#artifact","title":"\u6e05\u7406\u672a\u88ab\u5f15\u7528\u7684 artifact \u6587\u4ef6","text":"

\u67e5\u770b\u4f1a\u88ab\u6e05\u7406\u7684 artifact \u6570\u91cf\uff1a

docker exec --user git -it gitlab bundle exec rake gitlab:cleanup:orphan_job_artifact_files RAILS_ENV=production\n

\u6e05\u7406\uff1a

docker exec --user git -it gitlab bundle exec rake gitlab:cleanup:orphan_job_artifact_files RAILS_ENV=production DRY_RUN=false\n

\u6ce8\u610f\uff0c\u65b0\u8bbe\u7f6e\u7684 expire \u671f\u9650\u4e0d\u4f1a\u5f71\u54cd\u4ee5\u524d\u7684 artifact\uff0c\u8fd9\u91cc\u7684\u547d\u4ee4\u4e5f\u65e0\u6cd5\u6e05\u7406\u3002

"},{"location":"services/gitlab/#lfs-reference","title":"\u6e05\u7406\u65e0\u6548\u7684 LFS reference","text":"
for i in `cat projectid_lfs`; do docker exec --user git -it gitlab bundle exec rake gitlab:cleanup:orphan_lfs_file_references PROJECT_ID=$i RAILS_ENV=production DRY_RUN=false; done\n

projectid_lfs \u662f\u4e0a\u6587\u4e2d\u300c\u83b7\u53d6\u6240\u6709\u5305\u542b LFS \u7684\u9879\u76ee ID\u300d\u7684\u53bb\u91cd\u540e\u7684\u8f93\u51fa\u3002

\u65e0 reference \u7684 LFS \u6587\u4ef6\u6bcf\u65e5 GitLab \u4f1a\u81ea\u52a8\u6e05\u9664\u3002\u5982\u679c\u9700\u8981\u7acb\u523b\u5220\u9664\uff0c\u53ef\u4ee5\u4f7f\u7528 gitlab:cleanup:orphan_lfs_files\u3002

"},{"location":"services/gitlab/#_6","title":"\u7d27\u6025\u64cd\u4f5c","text":""},{"location":"services/gitlab/#_7","title":"\u8bbe\u7f6e\u4e3a\u53ea\u8bfb","text":"

Ref: https://docs.gitlab.com/ee/administration/read_only_gitlab.html

docker exec --user git -it gitlab bin/rails console\n

\u4e4b\u540e\u6267\u884c

Project.all.find_each { |project| puts project.name; project.update!(repository_read_only: true) }\n

\u5c06\u6240\u6709\u4ed3\u5e93\u8bbe\u7f6e\u4e3a\u53ea\u8bfb\u3002\u5982\u679c\u4e2d\u95f4\u51fa\u73b0\u9519\u8bef\uff08\u7279\u6b8a\u7684\u9879\u76ee\u540d\u53ef\u80fd\u4f1a\u5bfc\u81f4\u8fd0\u884c\u4e2d\u65ad\uff09\uff0c\u91cd\u547d\u540d\u6700\u540e\u8f93\u51fa\u5bf9\u5e94\u7684\u9879\u76ee\u3002

\u5728\u8bbe\u7f6e\u524d\uff0c\u9700\u8981\u6dfb\u52a0 Messages \u901a\u77e5\u7528\u6237\u3002

\u6b64\u65f6\u6570\u636e\u5e93\u4ecd\u7136\u53ef\u5199\u5165\u3002\u5982\u679c\u9700\u8981\u6570\u636e\u5e93\u53ea\u8bfb\uff0c\u53c2\u8003\u4ee5\u4e0a\u94fe\u63a5\u914d\u7f6e\u3002

"},{"location":"services/light/","title":"Light Accelerator","text":"

Service: light.ustclug.org

Git Repository:

Docker Hub:

Mailing list: \u8f7b\u91cf\u7ea7\u7f51\u7edc\u52a0\u901f\u670d\u52a1

Servers:

"},{"location":"services/light/#deploy","title":"Deploy","text":"

Deploy script: docker-run-script/light

Deploy order:

  1. mysql
  2. freeradius, light-web
  3. squid
"},{"location":"services/light/#add-new-domain","title":"Add new domain","text":"
git clone https://github.com/ustclug/light-list\ncd accelerate-list\n./tools/add-domain.sh accelerate.list www.example.com\ngit commit -v -a\ngit push origin master\n

GitHub Actions will update PAC files in LUG FTP automatically.

"},{"location":"services/light/#database-maintenance","title":"Database maintenance","text":"

Example:

select count(*) from radacct where acctstoptime < '2021-01-01 00:00:00';\ninsert into radacct_backup select * from radacct where acctstoptime < '2021-01-01 00:00:00';\ndelete from radacct where acctstoptime < '2021-01-01 00:00:00';\ndelete from radacct_backup where acctstoptime < '2020-06-01 00:00:00';\noptimize table radacct;\noptimize table radacct_backup;\n
"},{"location":"services/light/#shutdown","title":"Shutdown","text":"
  1. Stop two containers: light-server & light-socks
  2. Set restart policy to no (See Docker Documentation)
"},{"location":"services/light/#logs","title":"Logs","text":"

Proxy related log is under /srv/docker/light/log. Container log (stdout & stderr) is under /srv/docker/docker/containers/<container id>/*.log* (use docker logs <container> to view).

Logrotate is configured to save logs for 180 days. Please manually backup logs when removing the container.

"},{"location":"services/mirrorz/","title":"MirrorZ CERNET server","text":"

MirrorZ \u9879\u76ee\u5728 CERNET \u5317\u4eac\u8282\u70b9\u6709\u4e00\u4e2a\u865a\u62df\u673a\uff0c\u901a\u8fc7 *.mirrors.cernet.edu.cn \u7684\u57df\u540d\u63d0\u4f9b 302 \u8df3\u8f6c\u548c\u5e2e\u52a9\u9875\u9762\u7b49\u670d\u52a1\u3002

\u7531\u4e8e CentOS 7 \u5728 2024 \u5e74 6 \u6708\u7ed3\u675f\u652f\u6301\uff0ciBug \u548c taoky \u5728 2024 \u5e74 2 \u6708\u914d\u7f6e\u4e86\u4e00\u4e2a\u8fd0\u884c Debian 12 \u7684\u65b0\u865a\u62df\u673a\u3002\u65b0\u865a\u62df\u673a\u955c\u50cf\u57fa\u4e8e debian-cdimage \u63d0\u4f9b\u7684 debian-12-genericcloud-amd64.qcow2\u3002

"},{"location":"services/mirrorz/#system","title":"\u7cfb\u7edf\u914d\u7f6e","text":""},{"location":"services/mirrorz/#network","title":"\u7f51\u7edc","text":"

\u865a\u62df\u673a\u7684\u7f51\u7edc\u91c7\u7528 systemd-networkd \u914d\u7f6e\uff0c\u914d\u7f6e\u6587\u4ef6\u5728 /etc/systemd/network \u4e0b\uff0cv4/v6 \u5747\u4f7f\u7528\u9759\u6001 IP \u914d\u7f6e\u3002\u5176\u4e2d [Match] \u5757\u4f7f\u7528 MACAddress=... \u6765\u5339\u914d\u7f51\u5361\u3002

"},{"location":"services/mirrorz/#ssh","title":"SSH","text":"/etc/ssh/sshd_config.d/ibug.conf
PasswordAuthentication no\nPermitRootLogin prohibit-password\n
"},{"location":"services/mirrorz/#ntp","title":"NTP","text":"/etc/systemd/timesyncd.conf.d/ibug.conf
[Time]\nNTP=ntp.tuna.tsinghua.edu.cn\n
"},{"location":"services/mirrorz/#software","title":"\u8f6f\u4ef6","text":"

etckeeper\uff08\u4e0d\u77e5\u9053\u600e\u4e48\u914d\u7f6e\u7684\uff0c\u88c5\u597d\u5373\u7528\uff1f\uff09

\u4ee5\u4e0a\u56db\u4e2a\u8f6f\u4ef6\u5206\u522b\u4ece\u56db\u4e2a\u4e0d\u540c\u7684 APT \u6e90\u5b89\u88c5\uff0c\u5bf9\u5e94\u7684 APT \u516c\u94a5\u90fd\u5b58\u5728 /etc/apt/keyrings \u4e2d\u3002

APT \u6e90\u914d\u7f6e

/etc/apt/sources.list.d/docker.list
deb [arch=amd64 signed-by=/etc/apt/keyrings/docker.asc] https://mirrors.ustc.edu.cn/docker-ce/linux/debian bookworm stable\n
/etc/apt/sources.list.d/grafana.list
deb [signed-by=/etc/apt/keyrings/grafana.gpg] https://mirrors.tuna.tsinghua.edu.cn/grafana/apt stable main\n
/etc/apt/sources.list.d/influxdata.list
deb [signed-by=/etc/apt/keyrings/influxdata.asc] https://mirrors.ustc.edu.cn/influxdata/debian stable main\n
/etc/apt/sources.list.d/nodesource.list
deb [arch=amd64 signed-by=/etc/apt/keyrings/nodesource.asc] https://deb.nodesource.com/node_18.x nodistro main\n
/etc/apt/sources.list.d/sb-nginx.list
deb [arch=amd64 signed-by=/etc/apt/keyrings/sb-nginx.asc] https://mirror.xtom.com.hk/sb/nginx/ bookworm main\n
"},{"location":"services/mirrorz/#go","title":"Go","text":"

\u4ece\u5b98\u65b9\u7f51\u7ad9\u4e0b\u8f7d\u6700\u65b0\u7684 tar.gz \u5e76\u89e3\u538b\u5230 /usr/local/go\uff0c\u7136\u540e\u5c06 /usr/local/go/bin \u4e2d\u7684\u4e24\u4e2a\u4e8c\u8fdb\u5236\u6587\u4ef6\u8f6f\u94fe\u63a5\u5230 /usr/local/bin\u3002

\u66f4\u65b0 Go \u7684\u5feb\u6377\u811a\u672c\u4f4d\u4e8e /root/go/update.sh\uff0c\u5185\u5bb9\u89c1 iBug/shGadgets\u3002

"},{"location":"services/mirrorz/#_1","title":"\u6570\u636e\u76ee\u5f55","text":"

MirrorZ \u4e3b\u9879\u76ee\u548c\u5e2e\u52a9\u9875\u9762\u7b49\u53ef\u4ee5\u901a\u8fc7\u6d4f\u89c8\u5668\u8bbf\u95ee\u7684\u9875\u9762\u90fd\u5728 /var/www \u4e0b\u3002

"},{"location":"services/mirrorz/#_2","title":"\u81ea\u52a8\u66f4\u65b0","text":"

\u5229\u7528 GitHub \u7684 webhook \u529f\u80fd\uff0c\u90e8\u7f72\u4e86\u4e00\u4efd iBug/uniAPI\u3002\u76f8\u5173\u6587\u4ef6\u5982\u4e0b\uff1a

/usr/bin/uniAPI\n/etc/uniAPI.yml\n/etc/systemd/system/uniAPI.service\n

\u914d\u7f6e\u6837\u4f8b\u5982\u4e0b\uff1a

services:\n  uniAPI:\n    type: server\n    services:\n      mirrorz-json-legacy:\n        type: github.webhook\n        path: /home/mirrorz/mirrorz-org/mirrorz-json-legacy\n        branch: master\n        secret: # empty\n
location ^~ /uniAPI {\n    proxy_pass http://127.0.1.1:1024;\n}\n
"},{"location":"services/neat-dns/","title":"Neat DNS","text":"

Services: neatdns.ustclug.org (UDP, TCP, HTTPS, DNSCrypt)

Server: docker2

Deploy: docker-run-script/neatdns

"},{"location":"services/neat-dns/#notes","title":"Notes","text":"

Previously all containers on docker2 had gateway-el as their gateway, which generated heavy load on the Tinc network. Docker2 has since been updated to use gateway-nic as gateway for containers, bypassing Tinc for most of the traffic. This, however, broke NAT-based service like Neat DNS, which required that reply traffic goes back through gateway-el (but now gateway-nic).

What's worse, Docker doesn't support setting gateways for individual containers, nor can network config be changed from within the container (default setup). So we chose to selectively route traffic back to gateway-el on gateway-nic. This is accomplished with two parts:

"},{"location":"services/vpn/","title":"LUG VPN","text":""},{"location":"services/vpn/#iptables","title":"iptables \u9632\u706b\u5899\u7ba1\u7406","text":"

\u672c\u8282\u5185\u5bb9\u9002\u7528\u4e8e\u5305\u62ec VPN \u5728\u5185\u7684\u591a\u4e2a\u670d\u52a1\u5668

"},{"location":"services/vpn/#tftp-helper","title":"TFTP helper","text":"

\u76ee\u524d\u4ec5\u5bf9 IPv4 \u542f\u7528\u3002

*raw\n:PREROUTING ACCEPT [0:0]\n:OUTPUT ACCEPT [0:0]\n-A PREROUTING -p udp --dport 69 -j CT --helper tftp\nCOMMIT\n
/etc/modules
nf_conntrack_tftp\nnf_nat_tftp\n
"},{"location":"services/vpn/#ssl-certs","title":"SSL Certificates","text":"

The certificate for *.vpn.lug.ustc.edu.cn + *.vpn.ustclug.org is acquired with our certificate infrastructure and the vpn server runs updater.sh with cron.

Two services running in Docker (strongswan and ocserv) use the certificate, so another cron job exists to copy the certificate files into the Docker volume (vpn-certs). The second updater script is listed below:

/usr/local/docker_sh/vpn-cert-updater.sh
#!/bin/sh\n\n# outside, call docker\nif command -v docker >/dev/null 2>&1; then\n  exec docker run --rm \\\n    --name=vpn-cert-updater \\\n    --net=none \\\n    -v \"$(realpath \"$0\")\":/update.sh:ro \\\n    -v vpn-certs:/vpn-certs \\\n    -v /etc/ssl/private:/ssl-certs:ro \\\n    alpine \\\n    /update.sh\n  exit 1 # exec failed\nfi\n\nset -eux\n\nSSL_CERTS=\"/ssl-certs\"\nVPN_CERTS=\"/vpn-certs\"\n\ncp -p \"${SSL_CERTS}/lugvpn/fullchain.pem\" \"${VPN_CERTS}/certs/vpn.ustclug.org.crt\"\ncp -p \"${SSL_CERTS}/lugvpn/privkey.pem\" \"${VPN_CERTS}/private/vpn.ustclug.org.key\"\necho \"Cert Update Complete\"\n
"},{"location":"services/mirrors/","title":"\u5f00\u6e90\u955c\u50cf\u7ad9","text":""},{"location":"services/mirrors/#_2","title":"\u5386\u53f2","text":""},{"location":"services/mirrors/#debianustceducn","title":"debian.ustc.edu.cn","text":"

2000 \u5e74\u5de6\u53f3\uff0c\u79d1\u5927\u6821\u5185\u7684 Debian \u7231\u597d\u8005\u4f7f\u7528\u81ea\u5df1\u5b9e\u9a8c\u5ba4\u7684\u673a\u5668\u4e3a\u5927\u5bb6\u63d0\u4f9b Debian \u955c\u50cf\u670d\u52a1\u3002\u968f\u7740\u4e00\u5c4a\u5c4a\u5e08\u5144\u7684\u6bd5\u4e1a\uff0c\u670d\u52a1\u5668\u5728\u5404\u5b9e\u9a8c\u5ba4\u95f4\u63a5\u529b\u3002

2002 \u5e74 5 \u6708\uff0cDebian \u955c\u50cf\u7ad9\u6709\u4e86\u81ea\u5df1\u7684\u57df\u540d debian.ustc.edu.cn\uff0c\u4f46\u670d\u52a1\u5668\u4ecd\u5728\u5b9e\u9a8c\u5ba4\u95f4\u8f97\u8f6c\u3002

2002 \u5e74 6 \u6708 23 \u65e5\uff0c\u79d1\u5927Debian\u955c\u50cf\u7ad9\u5f00\u59cb\u63d0\u4f9b\u975e\u5b98\u65b9(UO)\u8f6f\u4ef6\u4ed3\u5e93\u30022004\u5e744\u670823\u65e5\uff0c\u63d0\u4f9b\u65b0\u7684UO\u4ed3\u5e93\u3002

2005 \u5e74 6 \u6708 20 \u65e5\uff0c\u79d1\u5927 LUG \u53d1\u8d77\u4e3a\u79d1\u5927 Debian \u955c\u50cf\u7ad9\u6350\u6b3e\u7684\u5021\u8bae\uff0c\u622a\u81f3 10 \u6708 1 \u65e5\u52df\u6350\u6d3b\u52a8\u505c\u6b62\uff0cLUG \u5171\u6536\u5230 2922.05 \u5143\u6350\u6b3e\u300210 \u6708 6 \u65e5\u65b0\u673a\u5668\u5b89\u88c5\u914d\u7f6e\u5230\u4f4d\u3002\u5728\u5927\u5bb6\u7684\u9f50\u5fc3\u52aa\u529b\u4e4b\u4e0b\uff0c\u79d1\u5927 Debian \u955c\u50cf\u7ad9\u6709\u4e86\u4e00\u4e2a\u76f8\u5bf9\u56fa\u5b9a\u7684\u201c\u5bb6\u201d\u3002

2009 \u5e74\u5e95\uff0cdebian.ustc \u843d\u6237\u56fe\u4e66\u9986\u6280\u672f\u90e8\u3002

"},{"location":"services/mirrors/#ossustceducn","title":"oss.ustc.edu.cn","text":"

2008 \u5e74 12 \u6708 25 \u65e5\uff0c\u79d1\u5927\u5f00\u6e90\u8f6f\u4ef6 (OSS) \u955c\u50cf\u7ad9\u6b63\u5f0f\u542f\u7528\u3002\u5176\u670d\u52a1\u5668\u7531\u5434\u5cf0\u5149\u5e08\u5144\u63d0\u4f9b\u3002Novell \u516c\u53f8\u4e3a\u6211\u4eec\u63d0\u4f9b\u4e86\u4e00\u57571.5T \u7684\u786c\u76d8\u3002

2009 \u5e74 12 \u6708\uff0c\u5f20\u6210\u5e08\u5144\u4e3a OSS \u955c\u50cf\u7ad9\u63d0\u4f9b\u6350\u8d60 1T \u786c\u76d8\u3002

2010 \u5e74 6 \u6708\uff0c\u79d1\u5927 LUG \u4f7f\u7528\u51fa\u552e\u7248\u886b\u4f59\u4e0b\u7684\u94b1\u4e3a OSS \u955c\u50cf\u7ad9\u6dfb\u7f6e\u4e86\u4e00\u5757 2T \u786c\u76d8\u3002

"},{"location":"services/mirrors/#mirrorsustceducn","title":"mirrors.ustc.edu.cn","text":"

2011 \u5e74 4 \u6708 8 \u65e5\uff0c\u79d1\u5927 LUG \u4ece\u7f51\u7edc\u4e2d\u5fc3\u5904\u83b7\u5f97\u4e86\u65b0\u7684\u670d\u52a1\u5668\uff0c\u5e76\u7533\u8bf7\u5230\u4e86 mirrors.ustc \u7684\u57df\u540d\u3002debian.ustc \u4e0e oss.ustc \u5f00\u59cb\u5411 mirrors.ustc \u8fc1\u79fb\u3002

\u540c\u5e74 4 \u6708 15 \u65e5\uff0c\u51e0\u5927\u70ed\u95e8\u53d1\u884c\u7248\u955c\u50cf\u540c\u6b65\u5b8c\u6bd5\uff0cmirrors \u5f00\u59cb\u6b63\u5f0f\u5bf9\u5916\u63d0\u4f9b\u670d\u52a1\uff0c\u540c\u65f6 debian.ustc \u4e0e oss.ustc \u9000\u51fa\u4e86\u5386\u53f2\u821e\u53f0\u3002

2013 \u5e74 1 \u6708 6 \u65e5\uff0c\u79d1\u5927 LUG \u4ece\u7f51\u7edc\u4e2d\u5fc3\u5904\u83b7\u5f97\u4e86\u65b0\u7684\u78c1\u76d8\u9635\u5217\uff0c\u5927\u5927\u7f13\u89e3\u4e86 mirrors \u56e0\u78c1\u76d8\u7a7a\u95f4\u4e0d\u8db3\u800c\u5e26\u6765\u7684\u538b\u529b\u3002

2016 \u5e74 12 \u6708 29 \u65e5\uff0c\u79d1\u5927 LUG \u4ece\u7f51\u7edc\u4e2d\u5fc3\u5904\u83b7\u5f97\u4e86\u65b0\u7684\u670d\u52a1\u5668\u3002\u89e3\u51b3\u4e86\u8fd1\u4e00\u5e74\u6765\u7531\u4e8e\u670d\u52a1\u5668\u548c\u9635\u5217\u8001\u5316\u5e26\u6765\u7684\u7a33\u5b9a\u6027\u95ee\u9898\u3002

2019 \u5e74 6 \u6708\uff0c\u79d1\u5927 LUG \u4ece\u56fe\u4e66\u9986\u6280\u672f\u90e8\u83b7\u5f97\u4e86\u4e00\u53f0\u65e7\u670d\u52a1\u5668\uff0c\u7f13\u89e3\u4e86 mirrors \u5bb9\u91cf\u7d27\u5f20\u7684\u95ee\u9898\u3002

2020 \u5e74 3 \u6708 24 \u65e5\uff0c\u79d1\u5927 LUG \u518d\u6b21\u4ece\u7f51\u7edc\u4e2d\u5fc3\u5904\u83b7\u5f97\u4e86\u65b0\u7684\u670d\u52a1\u5668\uff0c\u89e3\u51b3\u4e86\u591a\u5e74\u6765\u7531\u4e8e\u670d\u52a1\u5668\u5bb9\u91cf\u4e0d\u8db3\u548c\u8d1f\u8f7d\u8fc7\u5927\u5e26\u6765\u7684\u538b\u529b\u3002

"},{"location":"services/mirrors/#hardware","title":"\u786c\u4ef6\u914d\u7f6e","text":""},{"location":"services/mirrors/docker/","title":"Docker","text":""},{"location":"services/mirrors/docker/#networking","title":"Networking","text":"

Docker \u9ed8\u8ba4\u521b\u5efa\u4e00\u4e2a\u540d\u4e3a bridge \u7684\u7f51\u7edc\uff0c\u4e3b\u673a\u754c\u9762\u4e3a docker0\uff0cIP \u5730\u5740\u6bb5\u4e3a 172.17.0.0/16\u3002\u8fd9\u4e2a\u9ed8\u8ba4\u5730\u5740\u6bb5\u8fc7\u4e8e\u6d6a\u8d39\uff0c\u56e0\u6b64\u6211\u4eec\u7ed9\u5b83\u914d\u7f6e\u4e00\u4e2a\u66f4\u5c0f\u7684\u5730\u5740\u6bb5\uff1a

/etc/docker/daemon.json
{\n  \"bip\": \"172.17.0.0/22\"\n}\n

\u6211\u4eec\u5c06 Docker Registry \u7684\u53cd\u4ee3\u6302\u5728\u53e6\u5916\u4e00\u4e2a\u5b50\u7f51\u4e0b\uff0c\u9700\u8981\u5148\u884c\u521b\u5efa\u3002

docker network create \\\n  --opt com.docker.network.bridge.name=docker1 \\\n  --subnet=172.18.0.0/24 \\\n  --gateway=172.18.0.1 \\\n  docker-registry\n
"},{"location":"services/mirrors/docker/#routing","title":"Routing","text":"

\u4e00\u4e9b\u540c\u6b65\u7a0b\u5e8f\u4e0d\u652f\u6301 bindIP \u7684\u914d\u7f6e\uff0c\u5bf9\u4e8e\u8fd9\u4e9b\u540c\u6b65\u7a0b\u5e8f\uff0c\u6211\u4eec\u901a\u8fc7\u521b\u5efa\u591a\u4e2a Docker network\uff0c\u7136\u540e\u5728\u4e3b\u673a\u4e0a\u6839\u636e Docker network \u8fdb\u884c\u7b56\u7565\u8def\u7531\uff0c\u8fbe\u5230\u9009\u62e9\u51fa\u53e3\u7684\u6548\u679c\u3002

\u521b\u5efa Docker network \u7684\u547d\u4ee4\u5982\u4e0b\uff1a

docker network create --driver=bridge --subnet=172.17.4.0/24 --gateway=172.17.4.1 -o \"com.docker.network.bridge.name=dockerC\" cernet\ndocker network create --driver=bridge --subnet=172.17.5.0/24 --gateway=172.17.5.1 -o \"com.docker.network.bridge.name=dockerT\" telecom\ndocker network create --driver=bridge --subnet=172.17.6.0/24 --gateway=172.17.6.1 -o \"com.docker.network.bridge.name=dockerM\" mobile\ndocker network create --driver=bridge --subnet=172.17.7.0/24 --gateway=172.17.7.1 -o \"com.docker.network.bridge.name=dockerU\" unicom\n\ndocker network create --driver=bridge --subnet=172.17.8.0/24 --gateway=172.17.8.1 \\\n  --ipv6 --subnet=fd00:6::/64 --gateway=fd00:6::1 \\\n  -o \"com.docker.network.bridge.name=dockerC6\" cernet6\n

\u5bf9\u5e94\u5730\uff0c\u4e3b\u673a\u4e0a\u4e5f\u914d\u7f6e\u597d\u4e86\u7b56\u7565\u8def\u7531\uff0c\u4f8b\u5982\uff1a

/etc/systemd/network/cernet.network
# Docker Cernet\n[RoutingPolicyRule]\nFrom=172.17.4.0/24\nTable=1011\nPriority=6\n[RoutingPolicyRule]\nFrom=172.17.8.0/24\nTable=1011\nPriority=6\n
/etc/systemd/network/telecom.network
# Docker Telecom\n[RoutingPolicyRule]\nFrom=172.17.5.0/24\nTable=1012\nPriority=6\n

mobile.network \u548c unicom.network \u4e5f\u7c7b\u4f3c\u3002

\u9700\u8981\u4f7f\u7528\u8fd9\u79cd\u65b9\u5f0f\u8fdb\u884c\u8def\u7531\u7684\u540c\u6b65\u955c\u50cf\uff0c\u53ef\u4ee5\u5728 YAML \u4e2d\u6307\u5b9a network\uff0c\u4f8b\u5982\uff1a

adoptium.yum.yaml
network: telecom\n
"},{"location":"services/mirrors/ipmi/","title":"IPMI","text":""},{"location":"services/mirrors/ipmi/#mirrors4","title":"Mirrors4","text":"

\u8fd9\u53f0\u673a\u5668\u7684 IPMI \u6709 HTML5 KVM\uff0c\u53ef\u4ee5\u76f4\u63a5\u7f51\u9875\u4f7f\u7528\uff0c\u6bd4\u8f83\u65b9\u4fbf\u3002

"},{"location":"services/mirrors/ipmi/#mirrors23","title":"Mirrors2/3","text":"

\u767b\u5f55 IPMI \u540e\uff0c\u4e3a\u4e86\u4f7f\u7528\u8fdc\u7a0b Shell\uff0c\u9700\u8981\u8fd0\u884c\u4e00\u4e2a jnlp \u6587\u4ef6\u3002 \u6b64\u6587\u4ef6\u4e0b\u8f7d\u65f6\u4f1a\u88ab Chrome \u62e6\u622a\uff0c\u9700\u8981\u989d\u5916\u5141\u8bb8\u4e00\u4e0b\u3002

\u6b64 jnlp \u6587\u4ef6\u9700\u8981 Oracle JDK 7 \u8fd0\u884c\uff0cOpenJDK 7 \u65e0\u6cd5\u8fd0\u884c\u3002 \u6307\u4ee4\u7528 javaws a.jnlp \u5373\u53ef\u3002

Java 8 \u53ca\u4e4b\u524d Java \u7684\u5404\u4e2a\u5de5\u5177\u662f\u6253\u5305\u5728 JDK \u4e2d\u7684\uff0c\u5305\u62ec Java Web Starter\uff0c\u5373\u6211\u4eec\u7528\u7684 javaws\u3002 \u6240\u4ee5\u53ea\u9700\u8981\u5b89\u88c5 Oracle JDK 7 \u5373\u53ef\uff0c\u65e0\u9700\u5b89\u88c5\u5176\u4ed6\u7684\u3001\u9488\u5bf9 Java 9 \u53ca\u4e4b\u540e\u7248\u672c\u7684\u5176\u4ed6\u5de5\u5177\u3002

"},{"location":"services/mirrors/limiter/","title":"\u9650\u5236\u7b56\u7565","text":"

\u7531\u4e8e mirrors \u5c5e\u4e8e I/O\u3001\u7f51\u7edc\u5bc6\u96c6\u578b\u670d\u52a1\uff0c\u5728\u90e8\u5206\u7684\u8d1f\u8f7d\u573a\u666f\u4e0b\u6781\u6613\u51fa\u73b0 I/O \u6216\u7f51\u7edc\u8fc7\u8f7d\u3002\u9650\u5236\u7b56\u7565\u4e3b\u8981\u662f\u4e3a\u4e86\u51cf\u5f31\u4ee5\u4e0b\u51e0\u7c7b\u8bf7\u6c42\u5bf9 mirrors \u6574\u4f53\u670d\u52a1\u8d28\u91cf\u7684\u5f71\u54cd\uff1a

  1. \u7a81\u53d1\u6027\u7684\u9ad8\u5e76\u53d1\u8bf7\u6c42
  2. \u722c\u866b\u7c7b\u6d41\u91cf
  3. \u4e0d\u5408\u7406\u7684\u8bf7\u6c42\uff08\u5982\uff1a\u6781\u5c11\u6570\u7528\u6237\u7684\u5927\u91cf\u8bf7\u6c42\uff09
"},{"location":"services/mirrors/limiter/#whitelists","title":"\u767d\u540d\u5355","text":"

\u4e00\u822c\u800c\u8a00\uff0c\u79d1\u5927\u6821\u5185\u7684\u5730\u5740\u4f4d\u4e8e\u9650\u5236\u89c4\u5219\u7684\u767d\u540d\u5355\u4e2d\uff0c\u4e0d\u53d7\u5230\u9650\u5236\u7b56\u7565\u7684\u5f71\u54cd\u3002\u5982\u679c\u6ca1\u6709\u7279\u6b8a\u8bf4\u660e\uff0c\u79d1\u5927\u5730\u5740\u9ed8\u8ba4\u4e0d\u53d7\u9650\u5236\u3002

\u767d\u540d\u5355\u4f4d\u4e8e\uff1a

"},{"location":"services/mirrors/limiter/#firewall","title":"\u9632\u706b\u5899\u7ea7\u522b\u9650\u5236","text":"

\u9632\u706b\u5899 (iptables) \u76ee\u524d\u53ea\u8d1f\u8d23\u9650\u5236\u5355 IP \u7684\u5e76\u53d1\u94fe\u63a5\u6570\u3002\u8fd9\u662f\u4e3a\u4e86\u9632\u6b62\u540c\u65f6\u6d8c\u5165\u5927\u91cf\u5e76\u53d1\u8fde\u63a5\uff0c\u5bfc\u81f4\u540e\u7aef\u5e94\u7528\u8017\u8d39\u5927\u91cf CPU \u548c I/O \u8d44\u6e90\u5904\u7406\u8fd9\u4e9b\u4e0d\u5408\u5e38\u7406\u7684\u8bf7\u6c42\u3002

\u5e8f\u53f7 \u7aef\u53e3 \u670d\u52a1 \u6700\u5927\u8fde\u63a5\u6570 IPv4 CIDR IPv6 CIDR 1 80,443 HTTP/HTTPS 12 29 64 2 20,21,50100:50200 FTP 4* 32 64 3 873 Rsync 5 32 64 4 9418 Git 10 32 64

\u6ce8\u610f\u4e8b\u9879

\u8fde\u63a5\u6570\u9650\u5236\u4ec5\u9650\u5236\u77ac\u65f6\u5e76\u53d1\uff08connlimit\uff09\u3002

\u8bf7\u6ce8\u610f\uff0c\u540c\u7ec4\u5185\u7684\u8fde\u63a5\u5171\u4eab\u8fde\u63a5\u6570\u914d\u989d\u3002\u5982\uff1a

\u8d85\u8fc7\u914d\u989d\u7684\u8fde\u63a5\u4f1a\u8fd4\u56de TCP Reset\u3002

* FTP \u670d\u52a1\u5df2\u505c\u6b62\u63d0\u4f9b\u3002

"},{"location":"services/mirrors/limiter/#application","title":"\u5e94\u7528\u7ea7\u522b\u9650\u5236","text":"

\u6b64\u7c7b\u9650\u5236\u89c4\u5219\u4f4d\u4e8e\u5e94\u7528\u7a0b\u5e8f\u5185\u3002\u7531\u4e8e\u5728\u7528\u6237\u6001\u7a0b\u5e8f\u4e2d\u5b9e\u73b0\uff0c\u56e0\u6b64\u66f4\u52a0\u7075\u6d3b\u3002

"},{"location":"services/mirrors/limiter/#nginx-mod-lua","title":"Nginx Lua \u7ec4\u4ef6","text":"

\u4ee3\u7801\u4f4d\u4e8e /etc/nginx/lua/module/access_limiter.lua

\u76ee\u524d\u4f7f\u7528\u4e86 Nginx \u7684 Lua \u8bed\u8a00\u6269\u5c55\u5b9e\u73b0\u5bf9\u8bf7\u6c42\u7684\u9650\u5236\u3002\u4e3b\u8981\u6709\u4ee5\u4e0b\u4e09\u7c7b\u9650\u5236\u65b9\u5f0f\uff1a

  1. \u6309\u8fde\u63a5\u6570\u9650\u5236\uff08\u5373\uff1a\u5e76\u53d1\u8bf7\u6c42\u6570\uff09
  2. \u6309\u8bf7\u6c42\u901f\u7387\u9650\u5236
  3. \u6309\u7d2f\u8ba1\u8bf7\u6c42\u6570\u9650\u5236\uff08\u5468\u671f\u6027\u91cd\u7f6e\u8ba1\u6570\u5668\uff09

\u76ee\u524d\uff0c\u955c\u50cf\u7ad9\u914d\u7f6e\u4e86\u4ee5\u4e0b\u51e0\u79cd\u529f\u80fd\u7684\u9650\u5236\u5668\uff1a

  1. \u5168\u5c40\u8bf7\u6c42\u901f\u7387\u9650\u5236\u5668\uff1a\u5bf9\u6240\u6709\u8bf7\u6c42\uff0c\u9650\u5236\u5355 IP \u7684\u8bf7\u6c42\u901f\u7387\u3002
  2. \u5168\u5c40\u8bf7\u6c42\u6570\u9650\u5236\u5668\uff1a\u5bf9\u4e8e\u6240\u6709\u8bf7\u6c42\uff0c\u68c0\u6d4b\u5355 IP \u5728\u4e00\u5929\u5185\u7684\u7d2f\u8ba1\u8bf7\u6c42\u6570\u3002\u8d85\u8fc7\u9608\u503c\u540e\uff0c\u964d\u4f4e\u8be5 IP \u7684\u5168\u5c40\u8bf7\u6c42\u901f\u7387\u9650\u5236\u5668\u7684\u9608\u503c\u3002
  3. HEAD \u8bf7\u6c42\u6570\u9650\u5236\u5668\uff1a\u5bf9\u4e8e HTTP Method = HEAD \u7c7b\u578b\u7684\u8bf7\u6c42\uff0c\u68c0\u6d4b\u5355 IP \u5728\u4e00\u5929\u5185\u7684\u7d2f\u8ba1\u8bf7\u6c42\u6570\u3002\u8d85\u8fc7\u9608\u503c\u540e\uff0c\u5f00\u542f HEAD \u8bf7\u6c42\u901f\u7387\u9650\u5236\u5668\u3002
  4. HEAD \u8bf7\u6c42\u901f\u7387\u9650\u5236\u5668\uff1a\u5bf9\u4e8e HTTP Method = HEAD \u7c7b\u578b\u7684\u8bf7\u6c42\uff0c\u9650\u5236\u5355 IP \u7684\u8bf7\u6c42\u901f\u7387\u3002\u8be5\u9650\u5236\u5668\u9ed8\u8ba4\u5173\u95ed\u3002
  5. \u65ad\u70b9\u7eed\u4f20\u8bf7\u6c42\u901f\u7387\u9650\u5236\u5668\uff1a\u5bf9\u4e8e\u65ad\u70b9\u7eed\u4f20\u7c7b\u578b\u7684\u8bf7\u6c42\uff0c\u9650\u5236\u5355 IP \u7684\u8bf7\u6c42\u901f\u7387\u3002
  6. \u65ad\u70b9\u7eed\u4f20\u8fde\u63a5\u6570\u9650\u5236\u5668\uff1a\u5bf9\u4e8e\u65ad\u70b9\u7eed\u4f20\u7c7b\u578b\u7684\u8bf7\u6c42\uff0c\u9650\u5236\u5355 IP \u5355 URI \u7684\u8fde\u63a5\u6570\u3002
  7. \u76ee\u5f55\u8bf7\u6c42\u901f\u7387\u9650\u5236\u5668\uff1a\u5bf9\u4e8e\u5217\u76ee\u5f55\u7c7b\u578b\u7684\u8bf7\u6c42\uff0c\u9650\u5236\u5355 IP \u8bf7\u6c42\u901f\u7387\u3002
  8. \u6587\u4ef6\u8bf7\u6c42\u901f\u7387\u9650\u5236\u5668\uff1a\u5bf9\u4e8e\u975e\u76ee\u5f55\u7c7b\u578b\u7684\u8bf7\u6c42\uff0c\u9650\u5236\u5355\u6587\u4ef6\u8bf7\u6c42\u901f\u7387\u3002\u5373\uff1a\u6240\u6709\u7528\u6237\u4e4b\u95f4\u5171\u4eab\u540c\u4e00\u4e2a\u914d\u989d\u3002

\u4f8b\u5916\uff1a

  1. apt/yum \u4ed3\u5e93\u7684\u7d22\u5f15\u6587\u4ef6\u4e0d\u53d7\u9650\u5236\u3002
  2. AOSP \u4ed3\u5e93\u4e0d\u9650\u5236\u5168\u5c40\u8bf7\u6c42\u6570\uff08git objects \u592a\u591a\u4e86\uff0c\u7528\u6237\u53cd\u9988\u89c1 Issue 397\uff09\uff1bnix-channels \u4e5f\u4e0d\u9650\u5236\u5168\u5c40\u8bf7\u6c42\u6570\uff08nix \u5305\u7ba1\u7406\u5668\u9ed8\u8ba4\u5f00\u542f 16 \u5e76\u53d1\uff09\u3002
  3. \u5bf9\u8fd4\u56de 403 \u7684\u6076\u610f\u8bf7\u6c42\uff08\u89c1\u4e0b\uff09\uff0c\u4ec5\u5e94\u7528\u5168\u5c40\u8bf7\u6c42\u901f\u7387/\u8bf7\u6c42\u6570\u9650\u5236\u5668\uff08Main-Req \u548c Main-Count\uff09\uff0c\u4e14\u5728\u8fd9\u4e24\u4e2a\u9650\u5236\u5668\u91cc\u6309\u53cc\u500d\u8ba1\u6570\uff1b\u540c\u65f6\u8df3\u8fc7\u65ad\u70b9\u7eed\u4f20/\u76ee\u5f55/\u6587\u4ef6\u9650\u5236\u5668\uff0c\u907f\u514d\u56e0\u4e3a\u6076\u610f\u8bf7\u6c42\u5237\u6ee1\u4e86\u76ee\u5f55/\u6587\u4ef6\u7684\u9650\u989d\u5bfc\u81f4\u6b63\u5e38\u7528\u6237\u7684\u8bbf\u95ee\u53d7\u9650\u3002

    \u4f8b\u5916\u6587\u4ef6\u7684\u5b9a\u4e49\u53c2\u8003 /etc/nginx/conf.d/access_limiter.conf\u3002

\u6848\u4f8b\uff1a\u66fe\u9047\u5230\u8fc7\u653b\u51fb\u8005\u5206\u5e03\u5f0f\u8bf7\u6c42\u540c\u4e00\u4e2a\u5927\u6587\u4ef6\uff0c\u5bfc\u81f4 IO\u3001\u7f51\u7edc\u540c\u65f6\u8fc7\u8f7d\u3002\u57fa\u4e8e IP \u5730\u5740\u7684\u9650\u5236\u63aa\u65bd\u5bf9\u4e8e\u6e90\u5730\u5740\u6c60\u5f88\u5927\u7684\u653b\u51fb\u5f80\u5f80\u6ca1\u6709\u6548\u679c\uff0c\u9650\u5236\u5355\u6587\u4ef6\u7684\u8bf7\u6c42\u901f\u7387\u80fd\u591f\u6709\u6548\u7f13\u89e3\u8fd9\u7c7b\u653b\u51fb\u3002

\u5177\u4f53\u53c2\u6570\u53c2\u8003\u4e0b\u8868\uff1a

\u9650\u5236\u5668\u540d\u79f0\u4e0e\u4ee3\u53f7 \u9608\u503c\u5355\u4f4d \u9608\u503c \u7a81\u53d1\u91cf \u8ba1\u6570\u5668\u91cd\u7f6e\u5468\u671f \u52a8\u4f5c \u5168\u5c40\u8bf7\u6c42\u901f\u7387\u9650\u5236\u5668Main-Req \u6b21/\u79d2 40 100 / \u8fd4\u56de 429 \u9519\u8bef \u5168\u5c40\u8bf7\u6c42\u6570\u9650\u5236\u5668Main-Count \u6b21 15000 / 1 \u5929 \u8bbe\u7f6e\u5168\u5c40\u8bf7\u6c42\u901f\u7387\u9650\u5236\u5668\u9608\u503c\u4e3a 0.2 \u6b21/\u79d2 HEAD \u8bf7\u6c42\u6570\u9650\u5236\u5668Head-Count \u6b21 300 / 1 \u5929 \u5f00\u542f HEAD \u8bf7\u6c42\u901f\u7387\u9650\u5236\u5668 HEAD \u8bf7\u6c42\u901f\u7387\u9650\u5236\u5668Head-Req \u6b21/\u79d2 0.05 5 / \u8fd4\u56de 429 \u9519\u8bef \u65ad\u70b9\u7eed\u4f20\u8bf7\u6c42\u901f\u7387\u9650\u5236\u5668Partial-Req \u6b21/\u79d2 1 10 / \u8fd4\u56de 429 \u9519\u8bef \u65ad\u70b9\u7eed\u4f20\u8fde\u63a5\u6570\u9650\u5236\u5668Partial-Conn \u6761 1 0 / \u8fd4\u56de 429 \u9519\u8bef \u76ee\u5f55\u8bf7\u6c42\u901f\u7387\u9650\u5236\u5668Ls-Req \u6b21/\u79d2 0.5 10 / \u8fd4\u56de 429 \u9519\u8bef \u6587\u4ef6\u8bf7\u6c42\u901f\u7387\u9650\u5236\u5668File-Req \u6b21/\u79d2 5 25 / \u8fd4\u56de 429 \u9519\u8bef \u6587\u4ef6\u8bf7\u6c42\u8fde\u63a5\u6570\u9650\u5236\u5668File-Conn \u6761 100 0 / \u8fd4\u56de 429 \u9519\u8bef

HEAD \u9650\u5236\u5668\u5df2\u5173\u95ed

\u8003\u8651\u5230 ZFS \u5bf9 dnode \u7684\u7f13\u5b58\u975e\u5e38\u6709\u6548\uff0c\u5728\u63a5\u5230 AOSC \u793e\u533a\u7684\u53cd\u9988\u540e\uff0c\u6211\u4eec\u5b8c\u5168\u5173\u95ed\u4e86 HEAD \u8bf7\u6c42\u6570\u9650\u5236\u5668\u3002

How lua-resty-limit-traffic works

\u9650\u5236\u5668\u903b\u8f91\u4f7f\u7528 https://github.com/openresty/lua-resty-limit-traffic \u5b9e\u73b0\uff0c\u5176\u4e2d\u4e0a\u8868\u4ee3\u53f7\u5206\u522b\u5bf9\u5e94\u5176 req, count, conn \u4e09\u79cd\u5b9e\u73b0\uff0ctraffic \u5219 aggregate \u4e86 count \u4e4b\u5916\u7684\u9650\u5236\u5668\uff0c\u8fd4\u56de\u6700\u5927\u7684\u5ef6\u8fdf\u3002

req \u7684\u6838\u5fc3\u516c\u5f0f\u662f\uff1aexcess = max(excess - rate * elapsed / 1000 + 1000, 0)\uff0c\u5176\u4e2d\u65f6\u95f4\u5355\u4f4d\u662f\u6beb\u79d2\uff08rate \u548c burst \u53c2\u6570\u8ba1\u7b97\u65f6\u90fd\u9700\u8981\u4e58\u4ee5 1000\uff09\u3002excess \u4f1a\u5148\u548c burst \u6bd4\u8f83\uff08\u5982\u679c\u8d85\u51fa\uff0c\u5219 reject\uff09\uff0c\u5982\u679c\u6ca1\u6709\u8d85\u51fa\uff0c\u5219 delay excess / rate \u79d2\u3002

\u5f53 elapsed = 1000/rate \u65f6\uff0c\u6070\u597d\u4e0d\u4f1a\u589e\u52a0 excess \u7684\u503c\uff0c\u6b64\u65f6 1 \u79d2\u5185\u6070\u597d\u53ef\u4ee5\u5bb9\u7eb3 rate \u4e2a\u8bf7\u6c42\uff1b\u5f53 elapsed = 1000/(rate+burst) \u65f6\uff0cexcess \u589e\u91cf\u4e3a 1000(1-r/(r+b))\uff0c\u6b64\u65f6 1 \u79d2\u5185\u6070\u597d\u6709 (rate+burst) \u4e2a\u8bf7\u6c42\u4e0d\u4f1a\u88ab reject\u3002

\u7406\u60f3\u60c5\u51b5\u4e0b\u7684\u4f8b\u5b50\uff1a\u5982\u679c rate = 40r/s = 40 * 1000 r/ms\uff0c\u5219 elapsed \u9700\u8981\u81f3\u5c11\u4e3a 1/40 \u79d2\uff0825 \u6beb\u79d2\uff09\uff0c\u624d\u80fd\u548c\u540e\u9762\u7684 + 1000 \u62b5\u6d88\uff0c\u5426\u5219 excess \u4f1a\u4e00\u76f4\u589e\u52a0\u3002\u5982\u679c burst = 100r/s = 100 * 1000 r/ms\uff0c\u90a3\u4e48\u5047\u8bbe\u6709\u7528\u6237\u6bcf 1/140 \u79d2\uff087.1 \u6beb\u79d2\uff09\u8bbf\u95ee\u4e00\u6b21\uff0c\u90a3\u4e48 excess \u6bcf\u6b21\u4f1a\u589e\u52a0 714.28\uff0c\u5982\u679c\u6709 140 \u4e2a\u8fd9\u6837\u7684\u8bf7\u6c42\uff0c\u90a3\u4e48 excess \u7684\u503c\u5219\u6070\u597d\u662f burst \u7684\u503c\u3002

count \u7684\u903b\u8f91\u7b80\u5355\u5f88\u591a\uff0c\u4f7f\u7528 lua-nginx-module \u5e26\u7684 https://github.com/openresty/lua-nginx-module?tab=readme-ov-file#ngxshareddictincr \u4e3a\u6bcf\u6b21\u81ea\u589e\u8bbe\u7f6e TTL \u5373\u53ef\u3002

conn \u4f7f\u7528\u5b57\u5178\u8ba1\u6570\u5668\u7edf\u8ba1\u5f53\u524d\u8fde\u63a5\u6570\uff0c\u5982\u679c\u8d85\u8fc7\u4e86 max + burst\uff0c\u5219 reject\u3002\u5426\u5219\u5982\u679c\u8d85\u8fc7\u4e86 max \u5219\u5ef6\u8fdf unit_delay * floor((conn - 1) / max) \u79d2\u3002unit_delay \u8d77\u59cb\u4e3a\u7528\u6237\u7ed9\u5b9a\u7684\u503c\uff0c\u5728\u4e4b\u540e\u4f1a\u6309\u7167 unit_delay = (req_latency + unit_delay) / 2 \u5b9a\u65f6\u8c03\u6574\u3002

\u5230\u8fbe\u9608\u503c\u540e\u4f1a\u53d1\u751f\u4ec0\u4e48\uff1f

\u9650\u5236\u5668\u4e4b\u95f4\u76f8\u4e92\u72ec\u7acb\uff0c\u5f53\u88ab\u89e6\u53d1\u7684\u6240\u6709\u9650\u5236\u5668\u4ea7\u751f\u4e0d\u4e00\u81f4\u7684\u7b49\u5f85\u65f6\u95f4\u65f6\uff0c\u5e94\u7528\u6700\u957f\u7684\u7b49\u5f85\u65f6\u95f4\u3002

"},{"location":"services/mirrors/limiter/#large-files","title":"\u5927\u6587\u4ef6\u4e0b\u8f7d\u901f\u5ea6\u9650\u5236","text":"

\u4ee3\u7801\u4f4d\u4e8e /etc/nginx/lua/header_filter.lua

\u9488\u5bf9\u5927\u6587\u4ef6\u4e0b\u8f7d\uff0c\u9650\u5236\u6bcf\u4e2a\u6587\u4ef6\u7684\u603b\u5e26\u5bbd\u4e3a 1 Gbps\uff0c\u4ee5\u907f\u514d\u5927\u6587\u4ef6\u6d41\u91cf\u5360\u6ee1\u603b\u5e26\u5bbd\u3002

\u6ce8\u610f\u4e8b\u9879

\u5982\u679c\u6709\u591a\u4e2a\u6587\u4ef6\u9762\u4e34\u9ad8\u538b\u529b\u8bbf\u95ee\uff0c\u603b\u5e26\u5bbd\u4f9d\u7136\u53ef\u80fd\u88ab\u5360\u6ee1

\u5177\u4f53\u505a\u6cd5\u4e3a\uff0c\u8bbe\u7f6e\u4e0b\u8f7d\u901f\u5ea6\u9608\u503c = 1 Gbps / (\u8be5\u5927\u6587\u4ef6\u7684\u540c\u65f6\u8fde\u63a5\u6570 + 1)

\u5f53\u4e0b\u8f7d\u7684\u6587\u4ef6\u65e0\u7a77\u5927\u65f6\uff0c\u5c06\u51fa\u73b0\u6700\u5dee\u60c5\u5f62\uff0c\u5373\u7528\u6237\u88ab\u5206\u914d\u5230\u7684\u4e0b\u8f7d\u901f\u7387\u670d\u4ece\u7c7b\u8c03\u548c\u7ea7\u6570\uff0c\u51fd\u6570\u53d1\u6563\u3002\u5b9e\u9645\u60c5\u51b5\u4e0b\uff0c\u65e9\u671f\u7528\u6237\u4e0b\u8f7d\u5b8c\u6210\u540e\u8fde\u63a5\u91ca\u653e\uff0c\u6700\u7ec8\u5e26\u5bbd\u5c06\u6536\u655b\u5230 1 Gbps\u3002

\u6ce8\uff1a\u5927\u6587\u4ef6\u5b9a\u4e49\u53c2\u7167\u76ee\u524d\u7684 Lua \u811a\u672c\u914d\u7f6e\u3002

"},{"location":"services/mirrors/limiter/#nginx-js-challenge","title":"Nginx JavaScript \u6311\u6218","text":"

\u4ee3\u7801\u4f4d\u4e8e /etc/nginx/lua/access-with-challenge.lua

\u4e3a\u4e86\u62b5\u6297\u201c\u8fc5\u96f7\u653b\u51fb\u201d\u3002\u5bf9\u4e8e\u7279\u5b9a\u7c7b\u578b\u7684\u6587\u4ef6\uff0c\u5f00\u542f\u4e86 JS \u6311\u6218\u3002\u5982\u679c\u5ba2\u6237\u7aef User-Agent \u4e3a Mozilla\uff08\u5373\u6d4f\u89c8\u5668\uff09\uff0c\u5219\u53d1\u9001\u4e00\u6bb5\u5305\u542b JS \u811a\u672c\u7684\u9875\u9762\uff0c\u68c0\u9a8c\u8fd0\u884c\u7684\u7ed3\u679c\u3002\u5982\u679c\u6311\u6218\u5931\u8d25\uff0c\u5219\u7981\u6b62\u8bbf\u95ee\u3002

\u88ab\u4fdd\u62a4\u7684\u6587\u4ef6\u7c7b\u578b\u53c2\u89c1 /etc/nginx/conf.d/map_access.conf\uff0c\u90e8\u5206\u5185\u5bb9\u8282\u9009\u5982\u4e0b\uff1a

map $uri $access_url_type {\n    default 0;\n\n    # 1: large files\n    \"~*\\.(iso|exe|dmg|run|zip|tar)$\" 1;\n}\n
"},{"location":"services/mirrors/limiter/#robots","title":"\u722c\u866b\u9650\u5236","text":"

\u4ee3\u7801\u4f4d\u4e8e map_access.conf\uff08\u89c1\u4e0a\uff09\u548c /etc/nginx/snippets/robots\uff0c\u5229\u7528 nginx \u7684 map \u5b9e\u73b0\u7ec4\u5408\u903b\u8f91\uff0c\u8fdb\u884c\u5982\u4e0b\u9650\u5236\uff1a

"},{"location":"services/mirrors/limiter/#rsync-connections","title":"Rsync \u603b\u8fde\u63a5\u6570\u9650\u5236","text":"

Rsync \u670d\u52a1\u8bbe\u7f6e\u4e86\u603b\u8fde\u63a5\u6570\u9650\u5236\u3002\u5373\uff1a\u5f53\u5efa\u7acb\u7684\u8fde\u63a5\u6570\u5230\u8fbe\u67d0\u4e2a\u9608\u503c\u540e\uff0c\u62d2\u7edd\u4e4b\u540e\u6536\u5230\u7684\u8fde\u63a5\u3002

\u5386\u53f2\u8bb0\u5f55

\u4ee5\u524d HTTP \u548c Rsync \u670d\u52a1\u7531\u540c\u4e00\u53f0\u670d\u52a1\u5668\u63d0\u4f9b\uff0c\u7531\u4e8e\u767d\u5929 HTTP \u8bbf\u95ee\u538b\u529b\u8f83\u5927\uff0c\u591c\u665a HTTP \u8bbf\u95ee\u91cf\u8f83\u5c0f\uff0c\u4e3a\u4e86\u5b9e\u73b0\u9519\u5cf0\u540c\u6b65\uff0c\u4fdd\u8bc1\u767d\u5929 HTTP \u7684\u670d\u52a1\u8d28\u91cf\uff0c\u56e0\u6b64\u9488\u5bf9\u4e0d\u540c\u65f6\u6bb5\u8bbe\u7f6e\u4e86\u4e0d\u540c\u7684\u9608\u503c\uff0c\u5177\u4f53\u5982\u4e0b\uff1a

\u5728 2020 \u5e74 8 \u6708 25 \u65e5\u540e\uff0c\u7531\u4e8e\u66f4\u6362\u4e86\u65b0\u670d\u52a1\u5668\uff0cRsync \u7531\u5355\u72ec\u673a\u5668\u63d0\u4f9b\u670d\u52a1\uff0c\u603b\u8fde\u63a5\u6570\u63d0\u5347\u5230\u4e86\u5168\u5929 60 \u4e2a\u8fde\u63a5\u3002

\u7279\u522b\u7684\uff0c\u79d1\u5927\u6821\u5185 IP \u5730\u5740\u53d7\u5230 rsync \u8fde\u63a5\u6570\u9650\u5236\u3002

"},{"location":"services/mirrors/limiter/#interface-limit","title":"\u7f51\u7edc\u63a5\u53e3\u7ea7\u522b\u9650\u5236","text":"

mirrors \u5e38\u6001\u4e0b\u6ca1\u6709\u7f51\u7edc\u63a5\u53e3\u9650\u5236\uff0c\u4f46\u5728\u9700\u8981\u4e34\u65f6\u5bf9\u67d0\u4e00\u63a5\u53e3\u8fdb\u884c\u9650\u5236\u65f6\uff0c\u53ef\u4ee5\u4f7f\u7528 tc \u6765\u5b8c\u6210\u3002

\u4f8b\u5982\u53ef\u4ee5\u53c2\u8003\u8fd9\u4efd\u56de\u7b54\uff1aiptables - Limiting interface bandwidth with tc under Linux - Server Fault\uff0c\u4f7f\u7528\u5982\u4e0b\u6307\u4ee4\u9650\u5236\u67d0\u4e00\u63a5\u53e3\u7684\u7f51\u7edc\u901f\u7387\u4e3a 1.5Gbps\uff1a

tc qdisc add dev <interface> root handle 1: tbf rate 1500Mbit burst 750K latency 14ms\n

\u8fd9\u91cc\u4f7f\u7528\u4e86 TBF\uff08\u4ee4\u724c\u6876\uff09\u7b97\u6cd5\uff0c\u540e\u9762\u7684 burst \u548c latency \u53c2\u6570\u610f\u4e49\u53ef\u4ee5\u53c2\u89c1 man tc-tbf\u3002 \u5177\u4f53\u800c\u8a00\uff0clatency \u6ca1\u6709\u63a8\u8350\u503c\uff0c\u4f46 burst \u8981\u6c42\u81f3\u5c11\u4e3a rate / HZ\uff0cHZ = 100 \u65f6 10Mbps \u81f3\u5c11\u7ea6 10MB\u3002 HZ \u7684\u503c\u9700\u8981\u4ece\u5185\u6838\u7684\u7f16\u8bd1\u53c2\u6570\u4e2d\u67e5\u770b\uff1aegrep '^CONFIG_HZ_[0-9]+' /boot/config-`uname -r`\u3002\u73b0\u4ee3\u53d1\u884c\u7248\u63d0\u4f9b\u7684\u5185\u6838\u4e2d\u8fd9\u4e2a\u503c\u4e00\u822c\u4e3a 250\u3002

\u53c2\u8003\u8d44\u6599\uff1aBucket size in tbf

\u76ee\u524d\u90e8\u7f72\u7684\u9650\u5236\u6709\uff1a

\u5728 mirrors4 \u4e0a\u8be5\u914d\u7f6e\u7684\u5f00\u673a\u81ea\u542f\u5206\u522b\u4f4d\u4e8e tc-unicom.service \u548c tc-telecom.service \u4e24\u4e2a\u670d\u52a1\u4e2d\uff0c\u5176\u4e2d tc-unicom.service \u914d\u7f6e\u5982\u4e0b\uff1a

[Unit]\nDescription=Rate Limiting for Unicom Interface\n\n[Service]\nType=oneshot\nRemainAfterExit=true\nExecStart=/usr/sbin/tc qdisc replace dev unicom root handle 1: tbf rate 1500Mbit burst 750K latency 14ms\nExecStop=/usr/sbin/tc qdisc delete dev unicom root handle 1\n\n[Install]\nWantedBy=sys-subsystem-net-devices-unicom.device\n

Install \u90e8\u5206\u7684 WantedBy \u4f7f\u7528\u8fd9\u79cd\u5199\u6cd5\u53ef\u4ee5\u4f7f\u8be5\u670d\u52a1\u4f9d\u8d56\u4e8e\u540d\u4e3a unicom \u7684\u7f51\u53e3\uff0c\u8be6\u7ec6\u56de\u7b54\u53ef\u4ee5\u770b What is the systemd-networkd equivalent of post-up?\u3002

"},{"location":"services/mirrors/limiter/#blacklists","title":"IP \u9ed1\u540d\u5355\u9650\u5236","text":"

\u5bf9\u4e8e\u6ee5\u7528\u7684 IP \u6bb5\uff0c\u53ef\u4ee5\u4f7f\u7528 ipset \u548c iptables \u5b9e\u73b0\u9ed1\u540d\u5355\u9650\u5236\u3002 ipset \u5c06\u67d0\u4e2a IP \u5339\u914d\u5230\u4e00\u4e2a\u96c6\u5408\u4e2d\uff0ciptables \u518d\u9488\u5bf9\u67d0\u4e00\u96c6\u5408\u8fdb\u884c\u9650\u5236\u3002

ipset \u548c iptables \u7684\u4f7f\u7528\u53ef\u4ee5\u53c2\u8003\uff1aIpset - Arch Wiki \u3002

\u6211\u4eec\u5df2\u5728 mirrors4 \u4e0a\u914d\u7f6e\u4e86 blacklist \u548c blacklist6 \u96c6\u5408\uff0c\u82e5\u8981\u5c01\u7981\u67d0\u4e2a IP \u6216\u7f51\u6bb5\uff0c\u53ef\u4ee5\u76f4\u63a5\u5c06\u8be5\u7f51\u6bb5\u52a0\u5165\u96c6\u5408\uff0c\u4f8b\u5982\uff1a

ipset add blacklist 192.0.2.0/24\nipset add blacklist6 2001:db8:114:514::/64\n

\u4e0e iptables \u7c7b\u4f3c\uff0cipset \u4e5f\u9700\u8981\u6301\u4e45\u5316\u3002\u5c01\u7981\u540d\u5355\u7684\u6587\u4ef6\u4f4d\u4e8e\uff08mirrors4\uff09/usr/local/network_config/iptables/blacklist.list\uff0c\u4fee\u6539\u6b64\u6587\u4ef6\u589e\u51cf\u6761\u76ee\u540e\u8fd0\u884c\u8be5\u76ee\u5f55\u4e0b\u7684 apply.sh \u5373\u53ef\u3002

\u7531\u4e8e\u5c01\u7981\u4ec5\u5bf9\u65b0\u5efa\u7acb\u7684\u8fde\u63a5\u6709\u6548\uff0c\u8bf7\u5728\u4fee\u6539\u5c01\u7981\u540d\u5355\u540e\uff0c\u4f7f\u7528 ss -K dst \u5bf9\u5e94\u7684\u7f51\u6bb5 \u5173\u95ed\u5df2\u7ecf\u5efa\u7acb\u7684\u8fde\u63a5\uff08\u4f8b\u5982\u5bf9\u4e8e\u4ee5\u4e0a\u4e24\u884c\u89c4\u5219\uff0c\u547d\u4ee4\u5206\u522b\u4e3a ss -K dst 192.0.2.0/24 \u4e0e ss -K dst 2001:db8:114:514::/64\uff09\u3002

"},{"location":"services/mirrors/limiter/#ipset-persistent","title":"ipset \u6301\u4e45\u5316","text":"

\u6211\u4eec\u4f7f\u7528\u8f6f\u4ef6\u6e90\u91cc\u7684 ipset-persistent \u5305\u6765\u5e2e\u52a9 ipset \u5728\u5f00\u673a\u65f6\u81ea\u52a8\u6062\u590d\uff0c\u8be5\u8f6f\u4ef6\u5305\u4f1a\u5728\u5f00\u673a\u52a0\u8f7d iptables \u524d\u5148\u4ece /etc/iptables/ipsets \u4e2d\u6062\u590d ipset \u4ee5\u786e\u4fdd iptables \u4e2d\u7684\u5f15\u7528\u80fd\u6b63\u786e\u5904\u7406\u3002

\u56e0\u4e3a ipset-persistent \u5728\u5f00\u673a\u65f6\u81ea\u52a8\u52a0\u8f7d\uff0c\u6211\u4eec\u9009\u62e9\u4ec5\u52a0\u8f7d\u4e00\u4e2a\u8f83\u5c0f\u7684\u5b50\u96c6\uff0c\u5305\u542b\u5fc5\u8981\u914d\u7f6e\uff08create set\uff09\u548c\u8f83\u5c11\u53d1\u751f\u53d8\u5316\u7684\u5185\u5bb9\uff08\u5982 ustcnet \u7684\u7f51\u6bb5\uff09\u3002\u76ee\u524d /etc/iptables/ipsets \u5305\u542b\u4ee5\u4e0b\u5185\u5bb9\uff1a

create ustcnet hash:net family inet hashsize 1024 maxelem 65536\ncreate f2b-sshd hash:ip family inet hashsize 1024 maxelem 65536 timeout 3600\ncreate blacklist hash:net family inet hashsize 1024 maxelem 65536\ncreate blacklist6 hash:net family inet6 hashsize 1024 maxelem 65536\n\nadd ustcnet 202.38.64.0/19\n# more ustcnet entries...\n
"},{"location":"services/mirrors/limiter/#403","title":"403 \u9875\u9762","text":"

\u76ee\u524d mirrors4 \u5c06\u6765\u6e90 IP \u5c5e\u4e8e blacklist \u6216 blacklist6 \u96c6\u5408\u4e14\u76ee\u6807\u7aef\u53e3\u4e3a 80 \u6216 443 \u7684\u8fde\u63a5\u91cd\u5b9a\u5411\u81f3 403 \u7aef\u53e3\u3002403 \u9875\u9762\u4f4d\u4e8e /var/www/html/403.html\u3002

\u76f8\u5173 nginx \u914d\u7f6e\u4f4d\u4e8e /etc/nginx/sites-available/mirrors.ustc.edu.cn-403\u3002

\u6211\u4eec\u4f7f\u7528 ip{,6}tables \u5c06\u5bf9 80 \u6216 443 \u7aef\u53e3\u7684\u8bbf\u95ee\u91cd\u5b9a\u5411\u81f3 403 \u7aef\u53e3\uff0c\u5728 nat \u8868\u7684 PREROUTING \u94fe\u6dfb\u52a0\u89c4\u5219\uff1a

-A PREROUTING -m set --match-set blacklist src -p tcp -m multiport --dports 80,443 -j REDIRECT --to-port 403\n

\u5e76\u5728 filter \u8868 BLACKLIST \u94fe\u653e\u884c\u5df2\u5efa\u7acb\u8fde\u63a5\uff0c\u5bf9 403 \u7aef\u53e3\u9650\u901f\uff1a

-A BLACKLIST -m conntrack --ctstate ESTABLISHED -j RETURN\n-A BLACKLIST -p tcp --dport 403 -m hashlimit --hashlimit-upto 60/min --hashlimit-burst 5 --hashlimit-mode srcip --hashlimit-srcmask 64 --hashlimit-name nginx-403 --hashlimit-htable-expire 60000 -j RETURN\n-A BLACKLIST -j DROP\n
"},{"location":"services/mirrors/monitor/","title":"Mirrors-specific monitoring","text":""},{"location":"services/mirrors/monitor/#connections-users-online","title":"Connections (Users online)","text":"/etc/telegraf/telegraf.d/exec.conf
[[inputs.exec]]\n  commands = [\n    \"/opt/monitor/telegraf/connection.sh 21:80:443:873:9418\",\n    \"/opt/monitor/telegraf/nfacct.sh\",\n    \"/opt/monitor/telegraf/process.sh\",\n  ]\n  timeout = \"5s\"\n  data_format = \"influx\"\n
/opt/monitor/telegraf/connection.sh
#!/bin/bash\n\nport_list_input=${1//:/|}\nport_list=${port_list_input:-\"80|443\"}\nnetstat -ntW | gawk '{print tolower($6),gensub(/^(.+):([^:]+)$/,\"\\\\1 \\\\2\",\"g\",$4)}' | grep -P \" ($port_list)\\$\" | sort | uniq -c | sort -k 4 -k 3 | awk \"{printf(\\\"connection,protocol=tcp,port=%s,address=%s %s=%s\\n\\\",\\$4,\\$3,\\$2,\\$1)}\"\nnetstat -ntW | gawk '{print tolower($6),gensub(/^(.+):([^:]+)$/,\"\\\\2\",\"g\",$4)}' | grep -P \" ($port_list)\\$\" | sort | uniq -c | sort -k 3 | awk \"{printf(\\\"connection,protocol=tcp,port=%s,address=any %s=%s\\n\\\",\\$3,\\$2,\\$1)}\"\n
/opt/monitor/telegraf/nfacct.sh
#!/bin/bash\n\nsudo nfacct list | awk '-F[ ,;]' \"{printf(\\\"nfacct,object=%s bytes=%i,pkgs=%i\\n\\\",\\$11,\\$8,\\$4)}\"\n
/opt/monitor/telegraf/process.sh
#!/bin/sh\n\nps -e -o s= -o comm= |\n  grep -v '^[SI] ' |\n  sed 's|/.*$|/|g' |\n  sort | uniq -c |\n  awk '{printf(\"process,state=%s,name=%s count=%ii\\n\",$2,$3,$1)}'\n
"},{"location":"services/mirrors/repos/","title":"Repositories","text":"

\u955c\u50cf\u7ad9\u670d\u52a1\u5668\u7edf\u4e00\u4f7f\u7528 /srv/repo \u5b58\u50a8\u955c\u50cf\u4ed3\u5e93\u3002

"},{"location":"services/mirrors/repos/#new-repo","title":"\u6dfb\u52a0\u4e00\u4e2a\u65b0\u4ed3\u5e93","text":""},{"location":"services/mirrors/repos/#_1","title":"\u521b\u5efa\u5b58\u50a8\u76ee\u5f55","text":"

\u6839\u636e\u670d\u52a1\u5668\u4f7f\u7528\u7684\u6587\u4ef6\u7cfb\u7edf\uff0c\u53c2\u8003 ZFS \u6216\u8005 XFS\u3002

"},{"location":"services/mirrors/repos/#_2","title":"\u6dfb\u52a0\u540c\u6b65\u914d\u7f6e","text":"

\u7167\u7740 /home/mirror/repos \u4e0b\u7684\u73b0\u6709\u6587\u4ef6\u81ea\u5df1\u7814\u7a76\u4e00\u4e0b\u5427\uff0c\u8fd9\u4e2a\u4e0d\u96be\u3002\u9700\u8981\u6ce8\u610f\u7684\u5c31\u4e00\u70b9\uff0c\u6587\u4ef6\u540d\u7ed3\u5c3e\u5fc5\u987b\u662f .yaml\uff08\u800c\u4e0d\u80fd\u662f .yml\uff09\uff0c\u8fd9\u662f Yuki \u4ee3\u7801\u91cc\u5199\u7684\u3002

\u51b3\u5b9a bindIP \u6216 network \u7684\u503c

\u955c\u50cf\u7ad9\u6709\u591a\u4e2a\u6765\u81ea\u4e0d\u540c\u8fd0\u8425\u5546\u7684 IP \u53ef\u7528\u4e8e\u540c\u6b65\u4efb\u52a1\u3002\u7531\u4e8e\u7f51\u7edc\u73af\u5883\u7684\u4e0d\u786e\u5b9a\u6027\uff0c\u6709\u65f6\u4f1a\u51fa\u73b0\u67d0\u4e2a IP \u540c\u6b65\u901f\u5ea6\u6781\u6162\u7684\u60c5\u51b5\u3002

@taoky \u7684 admirror-speedtest \u53ef\u4ee5\u5e2e\u52a9\u51b3\u5b9a\u6700\u5feb\u901f\u7684 IP\u3002

\u53e6\u5916\uff0cbindIP \u4e0d\u9002\u7528\u4e8e\u6240\u6709\u7684\u540c\u6b65\u955c\u50cf\uff08\u4e00\u90e8\u5206\u7a0b\u5e8f\u4e0d\u652f\u6301\u4fee\u6539 bind() \u7684\u53c2\u6570\uff09\uff0c\u6b64\u65f6\u53ef\u4ee5\u4f7f\u7528\u57fa\u4e8e Docker Network \u7684 network \u914d\u7f6e\u3002

\u5199\u597d\u65b0\u4ed3\u5e93\u7684\u914d\u7f6e\u6587\u4ef6\u4e4b\u540e\u8fd0\u884c yuki reload\uff0c\u7136\u540e yuki sync <repo> \u5c31\u53ef\u4ee5\u5f00\u59cb\u521d\u6b21\u540c\u6b65\u4e86\u3002

"},{"location":"services/mirrors/repos/#git-srvgit","title":"\u4e3a Git \u7c7b\u578b\u4ed3\u5e93\u6dfb\u52a0\u8f6f\u94fe\u63a5\u81f3 /srv/git","text":"

git-daemon.service \u6839\u636e /srv/git \u4e0b\u7684\u5185\u5bb9\u5bf9\u5916\u63d0\u4f9b Git \u670d\u52a1\u3002\u6240\u4ee5\u5982\u679c\u662f git \u7c7b\u578b\u7684\u4ed3\u5e93\uff0c\u9700\u8981\u6dfb\u52a0\u8f6f\u94fe\u63a5\uff0c\u5426\u5219\u65e0\u6cd5\u4f7f\u7528 git:// \u7684\u534f\u8bae\u8bbf\u95ee\u3002\uff08http(s):// \u534f\u8bae\u6ca1\u6709\u95ee\u9898\uff09

Git \u4ed3\u5e93\u670d\u52a1\u7684\u5176\u4ed6\u76f8\u5173\u914d\u7f6e

\u90e8\u5206\u514b\u9686\u914d\u7f6e (See https://github.com/ustclug/discussions/issues/432)\uff1a

/etc/gitconfig
[uploadpack]\n    allowfilter = true\n

\u7531\u4e8e git daemon/fcgiwrap \u7684\u7528\u6237\u4e0d\u662f mirror\uff0c\u6240\u4ee5\u9700\u8981\u8bbe\u7f6e\u7ed5\u8fc7 git \u65b0\u7684\u5b89\u5168\u9650\u5236\uff1a

/etc/gitconfig
[safe]\n    directory = *\n
"},{"location":"services/mirrors/repos/#_3","title":"\u79fb\u52a8\uff08\u5220\u9664\uff09\u4e00\u4e2a\u4ed3\u5e93","text":"

Note

\u4ee5\u4e0b\u4ee5 2023 \u5e74 12 \u6708 27 \u65e5\u5c06 .private/sb \u79fb\u52a8\u5230 sb \u7684\u64cd\u4f5c\u4e3a\u4f8b\u5b50\uff0c\u4ecb\u7ecd\u6211\u4eec\u9700\u8981\u505a\u7684\u4e8b\u60c5\u3002

\u5f7c\u65f6\u7684 mirrors4 \u4ecd\u7136\u4f7f\u7528 XFS\uff0c\u5bf9\u4e8e\u4f7f\u7528 ZFS \u7684\u670d\u52a1\u5668\uff0c\u6587\u4ef6\u90e8\u5206\u64cd\u4f5c\u6709\u6240\u4e0d\u540c\u3002

"},{"location":"services/mirrors/repos/#sb","title":"\u521b\u5efa sb \u76ee\u5f55","text":"

\u53c2\u8003\u4e0a\u6587\uff0c\u521b\u5efa\u76ee\u5f55\uff0c\u4fee\u6539 /etc/projects \u7684\u8def\u5f84\uff08ID \u4e0d\u9700\u8981\u4fee\u6539\uff09\uff0c\u7136\u540e\u6267\u884c\u76f8\u5173\u7684 xfs_quota \u547d\u4ee4\uff08\u89c1 XFS\uff09\u3002

\u7531\u4e8e\u6211\u4eec\u7684\u4f8b\u5b50\u662f\u79fb\u52a8\u76ee\u5f55\uff0c\u53ef\u4ee5\u76f4\u63a5\u4f7f\u7528 mv \u547d\u4ee4\uff08sb \u4ed3\u5e93\u5f88\u5c0f\uff09\u3002

"},{"location":"services/mirrors/repos/#yuki","title":"\u4fee\u6539 Yuki \u914d\u7f6e","text":"

\u4fee\u6539 /home/mirror/repos/sb.yaml\uff0c\u5c06 path \u4fee\u6539\u4e3a /srv/repo/sb\u3002\u7136\u540e\u91cd\u65b0\u52a0\u8f7d\uff1a

yukictl reload sb\n
"},{"location":"services/mirrors/repos/#rsync-attrs","title":"\u6d4b\u8bd5\u540c\u6b65\uff0c\u5e76\u5220\u9664 rsync-attrs \u4e2d\u7684\u65e7\u76ee\u5f55","text":"
yukictl sync --debug sb\n

\u786e\u8ba4\u540c\u6b65\u65e0\u8bef\u540e\uff0c\u68c0\u67e5 /srv/rsync-attrs \u7684\u5185\u5bb9\uff0c\u5e76\u5220\u9664\u65e7\u76ee\u5f55 /srv/rsync-attrs/.private\u3002

/srv/rsync-attrs

\u8be5\u76ee\u5f55\u7684\u7528\u9014\u662f\u4e3a\u574f\u4eba\u4fee\u6539\u7248\u7684 rsyncd\uff08\u5373 rsyncd-huai\uff09\u63d0\u4f9b\u5feb\u901f\u7684\u6587\u4ef6\u5c5e\u6027\u67e5\u8be2\uff08\u5bf9\u5e94\u4f7f\u7528 Reiserfs \u683c\u5f0f\u5316\uff0c\u6302\u8f7d\u5728 SSD \u4e0a\uff09\u3002 \u540c\u65f6\u8be5\u76ee\u5f55\u4e5f\u7528\u4e8e\u4e3b\u9875\u751f\u6210\u3002

"},{"location":"services/mirrors/repos/#nginx","title":"\u4fee\u6539 nginx \u914d\u7f6e","text":"

\u7531\u4e8e\u6211\u4eec\u8fd9\u91cc\u662f\u79fb\u52a8\u4ed3\u5e93\uff0c\u4e3a\u4e86\u4fdd\u8bc1\u65e7\u7528\u6237\u80fd\u591f\u6b63\u5e38\u4f7f\u7528\uff0c\u9700\u8981\u4fee\u6539 nginx \u914d\u7f6e\uff0c\u5c06\u65e7\u7684\u8def\u5f84\u91cd\u5b9a\u5411\u5230\u65b0\u7684\u8def\u5f84\u3002

\u76f8\u5173\u7684\u914d\u7f6e\u4e00\u822c\u4f4d\u4e8e /etc/nginx/snippets/mirrors-locations\uff0c\u672c\u6b21\u6211\u4eec\u65b0\u589e\u7684\u5185\u5bb9\u5982\u4e0b\uff1a

location /.private/sb/ {\n    rewrite ^/.private(/sb/.*$) $1 permanent;\n}\n

Nginx rewrite \u76f8\u5173\u7684\u8bed\u6cd5\u77e5\u8bc6\u9700\u8bfb\u8005\u81ea\u884c\u5b66\u4e60\u3002

\u4fee\u6539\u5b8c\u6210\u540e\uff0c\u91cd\u8f7d\u914d\u7f6e\uff1a

nginx -t\nnginx -s reload  # \u6216\u8005 systemctl reload nginx\n

\u5e76\u4e14 commit \u6709\u5173\u4fee\u6539\uff1a

git -c user.name=\u4f60\u7684\u540d\u5b57 -c user.email=\u4f60\u7684\u90ae\u7bb1 commit -m \"...\"\n
"},{"location":"services/mirrors/repos/#rsync-proxy-rsyncd","title":"\u4fee\u6539 rsync-proxy \u4e0e rsyncd \u914d\u7f6e","text":"

rsync-proxy \u4e3a\u8fd1\u5e74\u6765\u6211\u4eec\u81ea\u884c\u7f16\u5199\u7684 rsync \u53cd\u5411\u4ee3\u7406\u670d\u52a1\u3002 \u4fee\u6539\u4e86 /etc/rsync-proxy/config.toml\uff0c\u5220\u9664 mirrors2 \u4e2d\u7684 \".private\" \u9879\uff0c\u5728 mirrors4 \u4e2d\u65b0\u589e \"sb\" \u9879\u3002

\u56e0\u4e3a rsync-proxy \u6700\u7ec8\u8fd8\u9700\u8981\u8fde\u63a5\u5230\u540e\u7aef\u7684 rsyncd\uff0c\u56e0\u6b64 mirrors4 \u7684 rsyncd \u914d\u7f6e\u4e5f\u9700\u8981\u4fee\u6539\u3002 \u5728 /etc/rsyncd \u4e0b\u6267\u884c python3 generate_common.py --write \u5199\u5165\u914d\u7f6e\uff0c\u4f7f\u7528 git diff \u68c0\u67e5\u65e0\u8bef\u540e git commit\u3002 rsyncd \u914d\u7f6e\u4e2d\u5305\u542b\u4e0d\u516c\u5f00 rsync \u7684\u5185\u5bb9\uff08\u5982 git \u76ee\u5f55\uff09\u4e0d\u4f1a\u5bfc\u81f4\u95ee\u9898\uff0c\u56e0\u4e3a\u6240\u6709\u7528\u6237\u63a5\u89e6\u5230\u7684\u90fd\u662f rsync-proxy\u3002

\u786e\u8ba4\u540e\u91cd\u8f7d rsync-proxy:

systemctl reload rsync-proxy\n

Rsyncd \u4e0d\u9700\u8981\u91cd\u8f7d\uff1a\u6bcf\u4e2a\u6709\u6548\u8fde\u63a5\u4f1a\u542f\u52a8\u65b0\u8fdb\u7a0b\uff0c\u800c\u65b0\u8fdb\u7a0b\u4f1a\u91cd\u65b0\u8bfb\u53d6\u914d\u7f6e\u3002

"},{"location":"services/mirrors/repos/#mirrors2","title":"\u5220\u9664 mirrors2 \u4e0a\u7684\u4ed3\u5e93\u4e0e\u76f8\u5173\u9879","text":"

\u6267\u884c yukictl repo rm sb\uff0c\u7136\u540e\u5220\u9664 Yuki \u540c\u6b65\u914d\u7f6e\uff08~mirror/repos-etc/sb.yaml\uff09\uff0c\u540c\u6837\u4e5f\u9700\u8981 git commit\u3002

\u4e4b\u540e\u5220\u9664\u5b58\u50a8\u7684\u5185\u5bb9\uff1a\u6267\u884c /sbin/zfs list \u786e\u8ba4\u8981\u4e0b\u624b\u5220\u9664\u7684\u5b58\u50a8\u6c60\uff0c\u7136\u540e sudo zfs destroy pool0/repo/\u5bf9\u5e94\u7684\u540d\u5b57 \u5220\u9664\u3002

\u540c\u6837\uff0c/srv/rsync-attrs/.private \u7684\u5185\u5bb9\u4e5f\u9700\u8981\u5220\u9664\u3002

"},{"location":"services/mirrors/rsync/","title":"Rsync","text":""},{"location":"services/mirrors/rsync/#rsync-huai","title":"rsync-huai","text":"

rsync-huai \u662f\u574f\u4eba\u7684\u5143\u6570\u636e\u52a0\u901f\u7248\u7684 rsync\uff0c\u539f\u59cb\u4ee3\u7801\u5728 https://github.com/tuna/rsync\u3002

\u7531\u4e8e TUNA \u73b0\u5728\u4f7f\u7528\u5168\u95ea\u7684\u65b9\u6848\uff0c\u4e0d\u518d\u9700\u8981\u8fd9\u4e2a patch \u4e86\uff0c\u56e0\u6b64\u6211\u4eec\u81ea\u5df1\u7ef4\u62a4\u5bf9\u5e94\u7684\u7248\u672c\uff1ahttps://github.com/ustclug/rsync/tree/rsync-3.2.7\u3002

\u7279\u522b\u5730\uff0c/etc/systemd/system/rsyncd-huai@.service \u5185\u5bb9\u5982\u4e0b\uff1a

[Unit]\nDescription=fast remote file copy program daemon\nConditionPathExists=/etc/rsyncd/rsyncd-%i.conf\nAfter=network.target network-online.target\n\n[Service]\nType=simple\nPIDFile=/run/rsyncd-%i.pid\nExecStart=/usr/bin/rsync-huai --daemon --no-detach --config=/etc/rsyncd/rsyncd-%i.conf\nIOSchedulingClass=best-effort\nIOSchedulingPriority=7\nIOAccounting=true\n\n[Install]\nWantedBy=multi-user.target\n
"},{"location":"services/mirrors/rsync/#rsync-proxy","title":"rsync-proxy","text":"

\u8be6\u53c2 https://github.com/ustclug/rsync-proxy\u3002\u4e3a\u4e86\u8ba9\u670d\u52a1\u5668\u80fd\u591f\u8bb0\u5f55 IP \u4e0e\u8bbf\u95ee\u8def\u5f84\u7684\u5173\u7cfb\uff0c\u6211\u4eec\u6253\u5f00\u4e86 proxy protocol \u7279\u6027\u3002

"},{"location":"services/mirrors/services/","title":"\u955c\u50cf\u670d\u52a1","text":""},{"location":"services/mirrors/services/#_2","title":"\u9996\u9875\u751f\u6210","text":"

\u955c\u50cf\u7ad9\u4e3b\u9875\u662f\u9759\u6001\u7684\uff0c\u7531 https://git.lug.ustc.edu.cn/mirrors/mirrors-index \u811a\u672c\u751f\u6210\u3002

crontab \u4f1a\u5b9a\u65f6\u8fd0\u884c\u8be5\u811a\u672c\uff0c\u751f\u6210\u9996\u9875\u548c mirrorz \u9879\u76ee\u9700\u8981\u7684\u6570\u636e\u3002

\u5728\u9996\u9875\u5c55\u793a\u7684\u300c\u83b7\u53d6\u5b89\u88c5\u955c\u50cf\u300d\u3001\u300c\u83b7\u53d6\u5f00\u6e90\u8f6f\u4ef6\u300d\u3001\u300c\u53cd\u5411\u4ee3\u7406\u5217\u8868\u300d\u5206\u522b\u7531 config \u5185\u914d\u7f6e\u6307\u5b9a\uff0c\u300c\u6587\u4ef6\u5217\u8868\u300d\u5185\u5bb9\u5219\u4f1a\u4ece\u540c\u6b65\u7a0b\u5e8f yuki \u7684 api \u4e2d\u83b7\u53d6\u3002

"},{"location":"services/mirrors/services/#http","title":"HTTP \u670d\u52a1","text":"

Mirrors \u4f7f\u7528 OpenResty\uff08\u4e00\u4e2a\u6253\u5305 Nginx \u548c\u4e00\u5806\u6709\u7528\u7684 Lua \u6a21\u5757\u7684\u8f6f\u4ef6\u5305\uff09\u63d0\u4f9b HTTP \u670d\u52a1\u3002

\u914d\u7f6e\u6587\u4ef6\u4f4d\u4e8e LUG GitLab \u4e0a\uff1ahttps://git.lug.ustc.edu.cn/mirrors/nginx-config\uff0c\u6b64\u4ed3\u5e93\u5bf9\u5e94 mirrors \u4e0a\u7684 /etc/nginx \u76ee\u5f55\u3002

"},{"location":"services/mirrors/services/#_3","title":"\u8bf7\u6c42\u9650\u5236\u7b56\u7565","text":"

\u89c1\u9650\u5236\u7b56\u7565\u3002

"},{"location":"services/mirrors/services/#repo-stats","title":"\u6bcf\u65e5\u6d41\u91cf\u7edf\u8ba1","text":"

\u8bbf\u95ee\u8def\u5f84\uff1ahttps://mirrors.ustc.edu.cn/status/stats.json

\u811a\u672c\u4f4d\u4e8e https://git.lug.ustc.edu.cn/mirrors/sync/-/blob/scripts/repo_stats.py

\u6bcf\u5929\u5728 logrotate \u6eda\u5b8c nginx \u65e5\u5fd7\u540e\uff0c\u901a\u8fc7\u5206\u6790\u521a\u6eda\u51fa\u6765\u7684\u65e5\u5fd7\u6587\u4ef6\uff0c\u7edf\u8ba1\u6bcf\u4e2a\u4ed3\u5e93\u7684\u8bbf\u95ee\u91cf\u4e0e\u8f93\u51fa\u6d41\u91cf\uff08\u56e0\u6b64\u4ec5\u5305\u542b HTTP \u6d41\u91cf\u7edf\u8ba1\uff09\uff0c\u7136\u540e\u8f93\u51fa\u5230 json \u6587\u4ef6\uff0c\u5e76\u4e14\u989d\u5916\u8f93\u51fa\u4e00\u4efd json \u5230 /var/log/nginx/stats \u4f5c\u4e3a\u5f52\u6863\u5b58\u50a8\uff0c\u65b9\u4fbf\u4ee5\u540e\u5206\u6790\u3002

\u9700\u8981\u6ce8\u610f\u7684\u662f\u8fd9\u4e2a\u811a\u672c\u662f\u7531 logrotate \u5728 nginx \u7684 postrotate script \u91cc\u8fd0\u884c\u7684\uff0c\u800c\u4e0d\u662f\u7531 cron \u6216\u8005 systemd timer\uff0c\u56e0\u6b64\u8c03\u7528\u5165\u53e3\u5728\u8fd9\u91cc\uff1a

/etc/logrotate.d/nginx
postrotate\n    # [...]\n    sudo -iu mirror ~mirror/scripts/repo_stats.py\nendscript\n
"},{"location":"services/mirrors/services/#rsync","title":"Rsync \u670d\u52a1","text":"

\u672a\u5b8c\u5f85\u7eed\u3002

"},{"location":"services/mirrors/services/#_4","title":"\u53cd\u5411\u4ee3\u7406\u670d\u52a1","text":"

\u672a\u5b8c\u5f85\u7eed\u3002

"},{"location":"services/mirrors/services/#git","title":"Git \u670d\u52a1","text":"

Mirrors \u4e0a\u7684 Git \u670d\u52a1\u7531\u4e24\u90e8\u5206\u7ec4\u6210\uff1a

\u5176\u4e2d system-cgi.slice \u662f\u6211\u4eec\u81ea\u5df1\u5b9a\u4e49\u7684\u4e00\u4e2a slice\uff0c\u7528\u4e8e\u9650\u5236 CGI \u670d\u52a1\u7684\u8d44\u6e90\u4f7f\u7528\u3002

/etc/systemd/system/system-cgi.slice
[Unit]\nDescription=Slice for CGI services (notably Git daemon)\n\n[Slice]\nMemoryMax=32G\nMemoryHigh=28G\n\nIOAccounting=true\n
"},{"location":"services/mirrors/services/#ftp","title":"FTP \u670d\u52a1\uff08\u5df2\u5e9f\u5f03\uff09","text":"

Mirrors \u66fe\u7ecf\u63d0\u4f9b FTP \u670d\u52a1\uff0c\u7531 vsftpd \u63d0\u4f9b\u3002\u5728\u5c06\u4e3b\u529b\u670d\u52a1\u5668\u4ece mirrors2 \u8fc1\u79fb\u81f3 mirrors4 \u65f6\u5e9f\u5f03\uff0c\u5373 mirrors4 \u4e0a\u4ece\u672a\u5b89\u88c5\u914d\u7f6e\u8fc7 vsftpd\uff08\u4f46 mirrors2 \u4e0a\u8fd8\u7559\u5b58\u6709\u914d\u7f6e\u6587\u4ef6\uff09\u3002

\u7531\u4e8e\u5e74\u4ee3\u4e45\u8fdc\u4e14\u6211\u4eec\u4e0d\u518d\u6253\u7b97\u6062\u590d FTP \u670d\u52a1\uff0c\u8fd9\u90e8\u5206\u6587\u6863\u4e5f\u5c31\u5495\u5495\u5495\u4e86\u3002

"},{"location":"services/mirrors/xfs/","title":"XFS","text":"

\u5bf9\u4e8e\u4f7f\u7528 XFS \u5b58\u50a8\u955c\u50cf\u4ed3\u5e93\u7684\u670d\u52a1\u5668\uff0c\u6211\u4eec\u4f7f\u7528 XFS \u7684 quota \u529f\u80fd\u76d1\u89c6\u4ed3\u5e93\u5bb9\u91cf\u3002/srv/repo \u4e0b\u7684\u6bcf\u4e2a\u76ee\u5f55\u4e3a\u4e00\u4e2a\u4ed3\u5e93\uff0c\u6709\u4e00\u4e2a\u5bf9\u5e94\u7684 XFS project\u3002\u6b64 XFS \u6587\u4ef6\u7cfb\u7edf\u9700\u8981\u4f7f\u7528 pqnoenforce \u9009\u9879\u6302\u8f7d\uff0c\u56e0\u4e3a\u6211\u4eec\u53ea\u4f7f\u7528\u5bb9\u91cf\u7edf\u8ba1\u529f\u80fd\uff0c\u4e0d\u9700\u8981\u9650\u5236\u4ed3\u5e93\u7684\u78c1\u76d8\u4f7f\u7528\u3002

Todo

\u9700\u8981\u8c03\u7814\uff1a\u5feb\u901f\u5220\u9664\u4ed3\u5e93\u4e0e\u91cd\u547d\u540d\u4ed3\u5e93 (mv \u548c rm \u53ef\u80fd\u592a\u6162\u4e86)

"},{"location":"services/mirrors/xfs/#new-repo","title":"\u6dfb\u52a0\u4e00\u4e2a\u65b0\u4ed3\u5e93","text":""},{"location":"services/mirrors/xfs/#_1","title":"\u521b\u5efa\u76ee\u5f55","text":"

\u5728 /srv/repo/ \u4e0b\u521b\u5efa\u5bf9\u5e94\u7684\u76ee\u5f55\u3002\u6ce8\u610f\u5bf9\u5e94\u76ee\u5f55\u7684\u6240\u6709\u8005\u548c\u6240\u6709\u7ec4\u5747\u5e94\u8be5\u662f mirror\u3002

chown mirror: /srv/repo/example\n
"},{"location":"services/mirrors/xfs/#xfs-project","title":"\u521b\u5efa XFS project","text":"

\u4e3a\u65b0\u4ed3\u5e93\u521b\u5efa XFS quota \u4ee5\u4fbf\u4e8e\u76d1\u89c6\u5bb9\u91cf\u3002\u9996\u5148\u68c0\u67e5 /etc/projects \u548c /etc/projid\uff0c\u627e\u5230\u5927\u4e8e 1000 \u7684 ID \u5e8f\u5217\uff0c\u627e\u51fa\u4e0b\u4e00\u4e2a ID\uff08\u4f8b\u5982 1111\uff0c\u4e0b\u9762\u4f7f\u7528\u8fd9\u4e2a\u4f5c\u4e3a\u4f8b\u5b50\uff09\u3002

mkdir /srv/repo/example\n

\u7f16\u8f91 /etc/projects\uff0c\u52a0\u5165\u5982\u4e0b\u4e00\u884c

1111:/srv/repo/example\n

\u7136\u540e\u6267\u884c\uff1a

xfs_quota -x -c 'project -s 1111'\n

\u7f16\u8f91 /etc/projid\uff0c\u52a0\u5165\u5982\u4e0b\u4e00\u884c

example:1111\n

\u4fe1\u606f

\u6211\u4eec\u7684\u955c\u50cf\u7ba1\u7406\u5668 Yuki \u6839\u636e\u955c\u50cf\u76ee\u5f55\u7684\u6700\u540e\u4e00\u6bb5\u540d\u79f0\uff08\u5373 basename\uff09\u6765\u4ece XFS \u4e2d\u83b7\u53d6\u5bb9\u91cf\u4fe1\u606f\uff0c\u56e0\u6b64 /etc/projid \u6587\u4ef6\u5185\u5bb9\u6b63\u786e\u624d\u80fd\u4f7f Yuki \u5f97\u5230\u6b63\u786e\u7684\u5bb9\u91cf\u3002

"},{"location":"services/mirrors/xfs/#_2","title":"\u4fbf\u6377\u914d\u7f6e\u811a\u672c","text":"
#!/bin/bash\n\n# Determine largest project ID\nnext_id() {\n  local PROJID=$(cut -d':' -f1 /etc/projects | sort -n | tail -1)\n  echo $((++PROJID))\n}\n\nBASE=\"/srv/repo\"\nreadonly BASE\n\nif [ \"$1\" = \"-m\" ]; then\n  MKDIR=yes\n  shift\nfi\n\nwhile [ $# -ne 0 ]; do\n  N=\"${1//\\//}\"\n  shift\n  if grep -q \"$BASE/$N\\$\" /etc/projects; then\n    echo \"Repo $N exists, skipped.\" >&2\n    continue\n  fi\n\n  if [ ! -e \"$BASE/$N\" ]; then\n    if [ -n \"$MKDIR\" ]; then\n      echo \"Path $BASE/$N does not exist, creating directory.\" >&2\n      mkdir -p \"$BASE/$N\"\n    else\n      echo \"Path $BASE/$N does not exist, ignored.\" >&2\n      continue\n    fi\n  elif [ ! -d \"$BASE/$N\" ]; then\n    echo \"Path $BASE/$N is not a directory, ignored.\" >&2\n    continue\n  fi\n\n  ID=\"$(next_id)\"\n  echo \"$ID:$BASE/$N\" >> /etc/projects\n  echo \"$N:$ID\" >> /etc/projid\n  xfs_quota -x -c \"project -s $ID\" &>/dev/null\n  echo \"Added $N (ID $ID)\"\ndone\n
"},{"location":"services/mirrors/xfs/#quota","title":"\u67e5\u770b quota \u60c5\u51b5","text":"
xfs_quota -c 'df -h'\n
"},{"location":"services/mirrors/zfs/","title":"ZFS","text":""},{"location":"services/mirrors/zfs/#common-operations","title":"Common Operations","text":"Get zpool status
zpool status\n
Get IO status
zpool iostat -v 1\n
Replace Disk
zpool replace pool0 old-disk new-disk\n
New ZFS file system
zfs create [-o option=value ...] <filesystem>\n\n# Example\nzfs create pool0/repo/debian\n

If mountpoint is not specified, then it's inherited from the parent with a subpath appended. E.g. when pool0/example is mounted on /mnt/haha then pool0/example/test will by default mount on /mnt/haha/test.

Destory ZFS file system
zfs destroy <filesystem>\n\n# Example\nzfs destroy pool0/repo/debian\n
"},{"location":"services/mirrors/zfs/#new-repo","title":"Create new repository","text":"
zfs create pool0/repo/example\n

Contrary to XFS, no other steps are needed.

"},{"location":"services/mirrors/zfs/#setup","title":"Setup","text":"

This section is recorded for reference only.

"},{"location":"services/mirrors/zfs/#pool-setup-mirrors2","title":"Pool setup (mirrors2)","text":"
zpool create pool0 \\\n  -O canmount=off \\\n  -O xattr=sa \\\n  -O relatime=on \\\n  -O compress=zstd \\\n  raidz2 \\\n  ata-HGST_HUS726060ALE610_K1GKVAAD \\\n  ata-HGST_HUS726060ALE610_K1GHTLND \\\n  ata-HGST_HUS726060ALE610_K1GHTVWD \\\n  ata-HGST_HUS726060ALE610_K1GKNJUD \\\n  ata-HGST_HUS726060ALE610_K1GK5KND \\\n  ata-HGST_HUS726060ALE610_K1GK9GXD \\\n  raidz2 \\\n  ata-HGST_HUS726060ALE610_NCH13D2V \\\n  ata-HGST_HUS726T6TALE6L4_V9KWJ1PL \\\n  ata-HGST_HUS726T6TALE6L4_V9HU810L \\\n  ata-HGST_HUS726060ALE610_NCH141WV \\\n  ata-HGST_HUS726060ALE610_K1GKPDSD \\\n  ata-HGST_HUS726T6TALE6L4_V9KTTT5L \\\n  cache nvme0n1\n

Note

The -O option applies to the root dataset.

Create ZFS (2016)
zpool create -f pool0 \\\n  raidz3 \\\n  ata-HGST_HUS726060ALE610_K1GHTLND \\\n  ata-HGST_HUS726060ALE610_K1GHTVWD \\\n  ata-HGST_HUS726060ALE610_K1GK5KND \\\n  ata-HGST_HUS726060ALE610_K1GK9GXD \\\n  ata-HGST_HUS726060ALE610_K1GKNJUD \\\n  ata-HGST_HUS726060ALE610_K1GKNP5D \\\n  ata-HGST_HUS726060ALE610_K1GKNR6D \\\n  ata-HGST_HUS726060ALE610_K1GKPDSD \\\n  ata-HGST_HUS726060ALE610_K1GKVAAD \\\n  ata-HGST_HUS726060ALE610_NCH04T5V \\\n  ata-HGST_HUS726060ALE610_NCH13D2V \\\n  spare \\\n  ata-HGST_HUS726060ALE610_NCH141WV \\\n  log mirror \\\n  ata-INTEL_SSDSC2BB240G6_PHWA64410400240AGN-part1 \\\n  ata-INTEL_SSDSC2BB240G6_PHWA6441041N240AGN-part1 \\\n  cache \\\n  ata-INTEL_SSDSC2BB240G6_PHWA64410400240AGN-part2 \\\n  ata-INTEL_SSDSC2BB240G6_PHWA6441041N240AGN-part2\n
"},{"location":"services/mirrors/zfs/#zfs-kernel-module","title":"ZFS kernel module","text":"

For OpenZFS 2.2:

/etc/modprobe.d/zfs.conf
# Set ARC size to 160-200 GiB, keep 16 GiB free for OS\noptions zfs zfs_arc_max=214748364800\noptions zfs zfs_arc_min=171798691840\noptions zfs zfs_arc_sys_free=17179869184\n\n# Favor metadata to data by 20x (OpenZFS 2.2+)\noptions zfs zfs_arc_meta_balance=2000\n\n# Allow up to 80% of ARC to be used for dnodes\noptions zfs zfs_arc_dnode_limit_percent=80\n\n# Allow every block to be written to ZIL\noptions zfs zfs_immediate_write_sz=16777216\n\n# See man page section \"ZFS I/O Scheduler\"\noptions zfs zfs_vdev_async_read_max_active=8\noptions zfs zfs_vdev_async_read_min_active=2\noptions zfs zfs_vdev_scrub_max_active=5\noptions zfs zfs_vdev_max_active=20000\n\n# Never throttle the ARC\noptions zfs zfs_arc_lotsfree_percent=0\n\n# Tune L2ARC\noptions zfs l2arc_headroom=8\noptions zfs l2arc_write_max=67108864\noptions zfs l2arc_noprefetch=0\n

Refer to zfs(4).

Note

zfs_dmu_offset_next_sync is 1 by default since OpenZFS v2.1.5, so it's omitted in the configuration.

"},{"location":"services/mirrors/zfs/#dataset-properties","title":"Dataset properties","text":"

On mirrors2:

zfs create -o compress=zstd-8 -o recordsize=1M -o atime=off pool0/backup\n\nzfs create pool0/backup/rootfs # inherit everything\nzfs create -o acltype=posix pool0/backup/oldlog\n\nzfs create \\\n  -o mountpoint=/srv/repo \\\n  -o recordsize=1M \\\n  -o xattr=off \\\n  -o atime=off \\\n  -o setuid=off \\\n  -o exec=off \\\n  -o devices=off \\\n  -o sync=disabled \\\n  -o secondarycache=metadata \\\n  -o redundant_metadata=some \\\n  pool0/repo\n

Refer to zfsprops(7).

"},{"location":"services/mirrors/zfs/#considerations","title":"Considerations","text":"mountpoint

Self-explanatory.

recordsize=1M

This is the \"block size\" for ZFS, i.e. how large files are split into blocks. Each block (record) is stored contiguously on disk and is read/written as a whole.

Since the typical read pattern on mirror sites is whole-file sequential read, it makes sense to set recordsize to the maximum value permitted1. Larger recordsize allows the compression algorithm to exploit more opportunities, while also reducing I/O count for large files.

Note that files under a single recordsize will not be padded up and will be stored as a single block, so no space is wasted.

compression=zstd (inherited from pool0)

Enable compression so anything will be tried to compress. The default algorithm (i.e. compression=on) is LZ4, which is very fast but not as effective. Zstd is a modern multi-threaded algorithm that is also very fast but compresses better. The default compression level is 3 (i.e. zstd = zstd-3).

Since OpenZFS 2.2, there's an \"early-abort\" mechanism for Zstd level 3 or up: Every block is first tried with LZ4, then Zstd-1, and if and only if both algorithms suggest that the data block would compress well, the actual algorithm will be applied and the compressed result will be written to disk. This early-abort mechanism ensures minimal CPU wasted for incompressible data.

xattr=off

Apparently mirror data do not need extended attributes.

atime=off, setuid=off, exec=off, devices=off

These simply maps to the noatime, nosuid, noexec, and nodev mount options respectively. It's safe to assume we don't need these features for mirror data.

sync=disabled

Disable any \"synchronous write\" semantics. This means files will not respond to open(O_SYNC) and sync(2) calls. Pending writes will only be committed to disk after zfs_txg_timeout seconds (default 5) or when the write buffer is full.

While normally this is a bad idea as it goes against data integrity (namely, the \"D\" in ACID), for mirror data that can be easily regenerated, this improves write performance and reduces fragmentation (also note that zfs_dmu_offset_next_sync is enabled by default).

secondarycache=metadata

As mirrors2 only serves Rsync requests, caching file content provides little benefit. Instead, we cache metadata only to reduce the number of disk seeks.

redundant_metadata=some

(Just read zfsprops(7) and you'll be able to reason about this.)

"},{"location":"services/mirrors/zfs/#traps","title":"Traps","text":"

Do NOT install zfs-dkms and related packages from Debian backports repositories. They'll easily break when upgrading.

As of Debian Buster the ZFS packages from the mainstream repository is stable and new enough for our use.

\u4ecd\u7136\u5efa\u8bae\u5b89\u88c5 Backports \u7248\u672c\u7684 ZFS\u3002\u300cStable \u8d8a\u5f80\u540e\uff08\u5bf9 ZFS \u76f8\u5173\u8f6f\u4ef6\u5305\u7684\uff09\u7ef4\u62a4\u8d8a\u5f31\u300d\uff0c\u4ece\u800c\u5bfc\u81f4 stable \u7684 ZFS \u53cd\u800c\u8d28\u91cf\u4e0d\u5982 backports \u7248\u672c\u7684\u3002

  1. Actually, there's the zfs_max_recordsize module parameter which can be increased to up to 16 MiB. There's a reason this is set to 1 MiB by default, so we're not going to blindly aim for the maximum.\u00a0\u21a9

"},{"location":"services/mirrors/1/","title":"mirrors1","text":"

mirrors1 \u662f 2011 \u5e74\u7f51\u7edc\u4fe1\u606f\u4e2d\u5fc3\u63d0\u4f9b\u7ed9 LUG \u7528\u4f5c\u521d\u4ee3 mirrors.ustc.edu.cn \u670d\u52a1\u7684\u673a\u5668\uff0c\u662f\u4e00\u53f0\u66d9\u5149 i620r-G

\u53c2\u6570 \u914d\u7f6e CPU Intel(R) Xeon(R) CPU E5620 @ 2.40GHz x 2 \u5185\u5b58 48 GB \u5b58\u50a8 LSI Logic MegaRAID SAS 8708EM2 x 2 DFT RS-3016I-S/D30 \u78c1\u76d8\u9635\u5217 \u7f51\u7edc Ethernet Intel 82574L Gigabit x 2

\u7528\u6237\u624b\u518c

\u7531\u4e8e\u672c\u6587\u7f16\u5199\u65f6\uff082020 \u5e74\uff09\u8be5\u670d\u52a1\u5668\u65e9\u5df2\u4e0d\u518d\u7528\u4f5c mirrors\uff08\u73b0\u5728\u662f esxi-5\uff09\uff0c\u56e0\u6b64\u66f4\u591a\u7684\u4fe1\u606f\u6682\u65e0\u4ece\u8003\u5bdf\u3002

"},{"location":"services/mirrors/1/#ipmi","title":"IPMI","text":"

\u8fd9\u53f0\u673a\u5668\u7684 IPMI \u4f7f\u7528\u6761\u4ef6\u8f83\u4e3a\u82db\u523b\uff0c\u7279\u522b\u662f\u5b83\u7684 Java \u63a7\u5236\u53f0\u53ea\u80fd\u5728 Windows XP\uff0cIE 6 \u548c Java 6 \u73af\u5883\u4e0b\u8fd0\u884c\u3002\u56e0\u6b64\u6211\u4eec\u914d\u7f6e\u4e86\u4e00\u4e2a\u865a\u62df\u673a\u955c\u50cf\u653e\u5728 LUG FTP \u4e0a\u3002

\u4f7f\u7528\u73b0\u4ee3\u7684 HTTP \u5ba2\u6237\u7aef\uff08\u5305\u62ec\u6d4f\u89c8\u5668\u548c cURL \u7b49\uff09\u5c1d\u8bd5\u4e0b\u8f7d viewer.jnlp \u65f6\u4f1a\u9047\u5230\u95ee\u9898\uff0c\u539f\u56e0\u5728\u4e8e IPMI \u4f1a\u8fd4\u56de\u4e00\u4e2a\u9519\u8bef\u7684 Content-Length\uff08\u7ea6 3 KiB\uff09\uff0c\u4f46 jnlp \u6587\u4ef6\u5b9e\u9645\u53ea\u6709 1.6 KiB\uff0c\u4f7f\u5ba2\u6237\u7aef\u8ba4\u4e3a\u6587\u4ef6\u672a\u5b8c\u6574\u4e0b\u8f7d\u3002\u5947\u5999\u7684\u662f\uff0cIE 6 \u4f3c\u4e4e\u4f1a\u5ffd\u7565\u8fd9\u4e2a\u95ee\u9898\uff0c\u7136\u540e\u6b63\u5e38\u6253\u5f00 Java \u63a7\u5236\u53f0\u3002

"},{"location":"services/mirrors/2/","title":"mirrors2","text":"

2016 \u5e74\u5e95\u4ece\u7f51\u7edc\u4fe1\u606f\u4e2d\u5fc3\u83b7\u5f97\u7684\u65b0\u673a\u5668\uff0c\u8fd0\u884c\u81f3\u4eca\uff0c\u627f\u62c5\u4e86\u76ee\u524d mirrors \u7684 rsync \u6d41\u91cf\u3002

\u53c2\u6570 \u914d\u7f6e CPU \u53cc\u8def E5-2620 v4 \u5185\u5b58 256 GB DDR4 \u5b58\u50a8 6 TB * 12 (HDD), 250 GB *2 (SSD) \u7f51\u7edc 1 Gbps * 2

\u66d9\u5149 I620-G20 \u5bfc\u822a\u5149\u76d8

"},{"location":"services/mirrors/2/#networking","title":"Networking","text":"

mirrors2 \u4e0a\u7684\u7f51\u7edc\u914d\u7f6e\u81ea 2024-07-19 \u7ef4\u62a4\u540e\u4e5f\u5207\u6362\u5230\u4e86 systemd-networkd \u65b9\u6848\uff0c\u6587\u6863\u53ef\u4ee5\u53c2\u8003 mirrors4\u3002

Old info

mirrors2 \u4e0a\u7684\u7f51\u7edc\u4f7f\u7528\u9ed8\u8ba4\u7684 ifupdown \u914d\u7f6e\u3002

\u5728 /etc/network/interfaces.d \u4e2d\u5b58\u653e\u7740\u63a5\u53e3\u914d\u7f6e\uff0c\u4f7f\u7528 ifup/ifdown \u6765\u542f\u7528/\u505c\u7528\u67d0\u4e00\u63a5\u53e3\u3002

\u91cd\u542f\u6240\u6709\u7f51\u7edc\u63a5\u53e3

\u5728\u67d0\u6b21 mirrors2 \u79bb\u7ebf\u6545\u969c\u4e2d\uff0c\u8bef\u64cd\u4f5c\u7684 systemctl restart networking \u8fd4\u56de\u4e86\u5931\u8d25\u7684\u7ed3\u679c\uff0c\u4ece\u800c\u5bfc\u81f4\u4e86 mirrors2 \u4ece\u67d0\u4e00\u7f51\u7edc\u63a5\u53e3\u65ad\u5f00\uff08\u731c\u6d4b\uff09\uff08\u5b9e\u9645\u539f\u56e0\u89c1\u4e0b\uff09\uff0c\u91cd\u542f\u6240\u6709\u63a5\u53e3\u4fee\u590d\u4e86\u95ee\u9898\uff1aifdown -a && ifup -a

\u5b9e\u9645\u539f\u56e0\u662f bridge interface \u8fde\u63a5\u7684\u90a3\u4e2a interface \u5728 ifupdown \u7684 config \u91cc\u7684\u914d\u7f6e\u65b9\u5f0f\u662f static \u7684\uff0c\u5728\u542f\u7528 bridge interface \u65f6\u4f1a\u81ea\u52a8\u66f4\u6539\u914d\u7f6e\u5bfc\u81f4 offline\u3002\u6539\u6210 manual \u7981\u6b62\u5b83\u7684\u81ea\u52a8\u884c\u4e3a\u4e4b\u540e\u5c31\u6ca1\u4e8b\u4e86\u3002

"},{"location":"services/mirrors/3/","title":"mirrors3","text":"

2020 \u5e74\u521d\u4ece\u56fe\u4e66\u9986\u6280\u672f\u90e8\u83b7\u5f97\u7684\u4e00\u53f0\u65e7\u670d\u52a1\u5668\uff0c\u4e3a\u6234\u5c14 PowerEdge R510\uff0c\u8d1f\u8f7d\u6bd4\u8f83\u6742\u4e71,\u4e3b\u8981\u662f\u4e00\u4e9b\u65e2\u51b7\u95e8\u53c8\u5927\u7684\u4ed3\u5e93\u7684 HTTP + rsync \u6d41\u91cf\u3002

\u53c2\u6570 \u914d\u7f6e CPU \u53cc\u8def\u81f3\u5f3a E5620 \u5185\u5b58 32 GB DDR3 \u5b58\u50a8 1 TB*2 (HDD), 2 TB*5 (HDD), 3 TB*1 (HDD) 1 TB (SAS HDD), 1.8 TB * 3 (SATA HDD), 1 TB (SATA HDD) \u540c\u53cb iSCSI \u9635\u5217\uff0c4 TB * 16 (HDD) \u7f51\u7edc 1 Gbps * 2

\u5b58\u50a8\u7ed3\u6784\uff1a

\u6ce8\u610f\u4e8b\u9879

\u7531\u4e8e PERC 6/i \u9635\u5217\u5361\u7684\u9650\u5236\uff0c\u7269\u7406\u78c1\u76d8\u5927\u5c0f\u6700\u5927\u652f\u6301 2TB\uff08SAS 4TB \u76d8\u65e0\u6cd5\u8bc6\u522b\u5927\u5c0f\uff09\u3002\u5728\u5c06 SAS \u574f\u76d8\u79fb\u9664\u540e\uff0c\u76ee\u524d\uff082022/5/10\uff09rootfs VD \u5904\u4e8e degraded \u72b6\u6001\u3002

PERC H700 \u9635\u5217\u5361\u7531\u4e8e\u7f3a\u5c11\u4e24\u6839 SAS \u8f6c\u63a5\u7ebf\uff0c\u5e76\u4e14 mirrors3 \u673a\u67b6\u524d\u53f3\u4fa7\u8f68\u9053\u5904\u65e0\u6cd5\u89e3\u9664\u9501\u5b9a\uff0c\u4e14\u66f4\u6362\u9635\u5217\u5361\u9700\u8981\u5c06\u5176\u4ed6\u6269\u5c55\u5361\u5168\u90e8\u79fb\u9664\uff08\u53c2\u89c1 PowerEdge R510 \u786c\u4ef6\u7528\u6237\u624b\u518c\uff09\uff0c\u7ed9\u65b0\u9635\u5217\u5361\u5b89\u88c5\u5e26\u6765\u4e86\u5f88\u5927\u7684\u96be\u5ea6\u3002

1 TB * 2

\u4f4d\u4e8e\u673a\u8eab\uff0c\u7ec4\u6210 RAID1 \u5b89\u88c5\u64cd\u4f5c\u7cfb\u7edf\uff0c\u6302\u8f7d\u4e3a rootfs

2 TB * 5 + 3 TB * 1

\u540c\u6837\u4f4d\u4e8e\u673a\u8eab\uff0c\u7ec4\u6210 RAID6 \u5b58\u653e\u8d44\u6599\uff08\u6240\u4ee5\u552f\u4e00\u4e00\u5757 3 TB \u7684\u786c\u76d8\u5b9e\u9645\u4e0a\u5f53\u505a 2 TB \u7684\u6765\u7528\uff09

\u5916\u90e8\u9635\u5217\uff0c4 TB * 16

\u901a\u8fc7 SFP+ \u5149\u7ea4\u6302\u8f7d\u4e3a iSCSI \u8bbe\u5907\uff0c\u5206\u4e3a\u4e24\u7ec4 RAID60\uff08\u53ef\u7528\u5bb9\u91cf\u4e3a 12 \u5757\u76d8\uff09\u5b58\u50a8\u8d44\u6599

"},{"location":"services/mirrors/4/","title":"mirrors4","text":"

mirrors4 \u662f 2020 \u5e74 3 \u6708 24 \u65e5\u7f51\u7edc\u4fe1\u606f\u4e2d\u5fc3\u63d0\u4f9b\u7ed9 LUG \u7684\u65b0\u673a\u5668\uff0c\u662f\u4e00\u53f0\u6d6a\u6f6e NF5280M5\u3002

"},{"location":"services/mirrors/4/#_1","title":"\u786c\u4ef6\u914d\u7f6e","text":"CPU

\u53cc\u8def Intel Xeon Gold 6230

\u5185\u5b58

256 GB DDR4 2933 (8 * 32 GB SKHynix)

\u786c\u76d8

\u4e00\u5757\u4e09\u661f PM883 2TB

12 \u5757 HGST HUH721010AL (10 TB)

\u4e24\u4e2a\u786c\u76d8\u63a7\u5236\u5668 MegaRAID SAS-3 3108

\u91c7\u7528 ZFS \u5c06 12 \u5757 HDD \u7ec4\u6210\u4e00\u4e2a pool\u3002

\u7f51\u5361

\u677f\u8f7d Intel X722 GbE (4 \u4e2a\u5343\u5146\u7f51\u53e3)

PCI-e \u6269\u5c55\u5361\uff1aIntel X520 (82599ES) SFP+ (2 \u4e2a\u4e07\u5146\u5149\u53e3)

"},{"location":"services/mirrors/4/#_2","title":"\u78c1\u76d8\u5206\u533a","text":"

\u4e00\u5757 SSD \u5206\u4e3a 512M \u7684 EFI \u5206\u533a\uff0c\u5269\u4f59\u7a7a\u95f4\u5efa\u4e86\u4e00\u4e2a LVM\uff08VG lug\uff09\u3002LVM \u4e0a\u88c5\u7cfb\u7edf\uff08lug/root\uff09\u3001swap\uff08lug/swap\uff09\u3001Docker \u6570\u636e\uff08lug/docker\uff09\u548c L2ARC\uff08lug/l2arc\uff0c1.5 TB\uff09\u3002

\u5168\u90e8 12 \u5757 HDD \u7528 ZFS \u505a\u4e86\u4e00\u4e2a pool\uff0c\u6bcf\u4e2a\u63a7\u5236\u5668\u4e0a\u9762\u7684 6 \u5757\u76d8\u4f5c\u4e3a\u4e00\u4e2a RAIDZ2 vdev\uff0c\u8fd9\u4e2a ZFS pool \u7528\u4e8e /home \u548c /srv/repo\uff08\u4ed3\u5e93\u6570\u636e\uff09\u7b49\u3002

"},{"location":"services/mirrors/4/#swap-oom","title":"Swap \u4e0e OOM","text":"

\u8fd9\u53f0\u670d\u52a1\u5668\u521d\u88c5\u65f6\u662f\u6ca1\u6709\u914d\u7f6e swap \u7684\uff0c\u5728 2024-10-31 17:12 \u5de6\u53f3\u7531 git daemon \u5bfc\u81f4 OOM \u540e\u8865\u5145\u4e86 64G swap\uff0c\u6b64\u65f6 VG \u5269\u4f59\u7a7a\u95f4\u8fd8\u6709 100 \u591a GB \u7559\u7ed9\u4ee5\u540e\u4f7f\u7528\u3002

\u540c\u65f6\u6211\u4eec\u4e5f\u7ed9 git daemon \u4e0a\u4e86\u5185\u5b58\u9650\u5236\uff0c\u8be6\u60c5\u89c1 Service\u3002

"},{"location":"services/mirrors/4/volumes-old/","title":"Volumes on mirrors4","text":"

\u6ce8\u610f

mirrors4 \u4e8e 2024 \u5e74 7 \u6708\u91cd\u5efa\u4e3a ZFS pool\uff0c\u4ee5\u4e0b\u5185\u5bb9\u5df2\u7ecf\u8fc7\u65f6\u3002

"},{"location":"services/mirrors/4/volumes-old/#_1","title":"\u78c1\u76d8\u5206\u533a","text":"

\u7531\u4e8e\u4e0d\u80fd\u8de8\u63a7\u5236\u5668\u7ec4 RAID \u6216 LUN\uff0c\u4e14\u6bcf\u4e2a\u63a7\u5236\u5668\u53ea\u6709 8 \u4e2a\u63d2\u69fd\uff0c\u56e0\u6b64\u5c06 12 \u5757 HDD \u5206\u4e3a 6 \u5757\u4e00\u7ec4\u63d2\u5728\u4e24\u4e2a\u63a7\u5236\u5668\u4e0a\u7ec4\u6210 RAID6\uff0c\u4ee5\u4e24\u4e2a\u903b\u8f91\u5377\u5448\u73b0\u7ed9\u64cd\u4f5c\u7cfb\u7edf\uff0c\u4e0a\u5c42\u7528 LVM \u5904\u7406\u3002SSD \u5355\u72ec\u521b\u5efa\u4e00\u4e2a\u903b\u8f91\u5377\u7ed9\u64cd\u4f5c\u7cfb\u7edf\u3002

\u6ce8\u610f

\u8fd9\u91cc\u7ed9\u51fa\u7684\u547d\u4ee4\u4ec5\u7528\u4e8e\u5c55\u793a\u5206\u533a\uff08\u5377\uff09\u7684\u521b\u5efa\u65b9\u5f0f\uff0c\u9664\u975e\u5b8c\u5168\u91cd\u88c5\uff0c\u5426\u5219\u4e0d\u5e94\u8be5\u6267\u884c\u5176\u4e2d\u4efb\u4f55\u4e00\u6761\u6709\u526f\u4f5c\u7528\u7684\u547d\u4ee4\u3002

\u64cd\u4f5c\u7cfb\u7edf\u770b\u5230\u4e09\u4e2a\u786c\u76d8\uff1a\u4e24\u4e2a RAID6 \u5927\u76d8\uff0840 TB / 36.4 TiB\uff09\u548c\u4e00\u4e2a SSD\uff082 TB / 1.86 TiB\uff09\u3002\u8bbe\u4e24\u4e2a\u5927\u76d8\u4e3a /dev/sda \u548c /dev/sdb\uff0cSSD \u4e3a /dev/sdc\u3002

\u7531\u4e8e\u542f\u52a8\u5206\u533a\u4e0d\u80fd\u653e\u5728 LVM \u4e0a\uff0c\u56e0\u6b64\u4ee5\u5982\u4e0b\u65b9\u5f0f\u521b\u5efa\u5206\u533a\uff1a

root@mirrors4:~# fdisk -l /dev/sda\nDisk /dev/sda: 36.4 TiB, 40001177911296 bytes, 78127300608 sectors\nDisk model: MR9361-8i\nUnits: sectors of 1 * 512 = 512 bytes\nSector size (logical/physical): 512 bytes / 4096 bytes\nI/O size (minimum/optimal): 262144 bytes / 262144 bytes\nDisklabel type: gpt\nDisk identifier: AAAAAAAA-AAAA-AAAA-AAAA-AAAAAAAAAAAA\n\nDevice       Start         End     Sectors  Size Type\n/dev/sda1     2048        4095        2048    1M BIOS boot\n/dev/sda2     4096     1052671     1048576  512M EFI System\n/dev/sda3  1052672 78127300574 78126247903 36.4T Linux LVM\n

sdb \u7684\u53c2\u6570\u5b8c\u5168\u4e00\u6837\u3002

\u5b9e\u9645\u7684\u542f\u52a8\u5206\u533a\u4e3a /dev/sda2\uff0c\u5c06\u5176 dd \u5230 /dev/sdb2 \u505a\u5907\u4efd\u3002

\u7136\u540e\u662f SSD \u7684\u5206\u533a\uff1a

Disk /dev/sdc: 1.8 TiB, 1919816826880 bytes, 3749642240 sectors\nDisk model: MR9361-8i\nUnits: sectors of 1 * 512 = 512 bytes\nSector size (logical/physical): 512 bytes / 4096 bytes\nI/O size (minimum/optimal): 65536 bytes / 65536 bytes\nDisklabel type: gpt\nDisk identifier: AAAAAAAA-AAAA-AAAA-AAAA-AAAAAAAAAAAA\n\nDevice     Start        End    Sectors  Size Type\n/dev/sdc1   2048 3749642206 3749640159  1.8T Linux LVM\n
"},{"location":"services/mirrors/4/volumes-old/#lvm","title":"LVM","text":"

\u628a sda3 \u548c sdb3 \u90fd\u653e\u8fdb LVM\uff1a

# fdisk \u5206\u533a\u5b8c\u6bd5\uff0cw \u5199\u5165\u9000\u51fa\npvcreate /dev/sda3 /dev/sdb3\nvgcreate lug /dev/sda3 /dev/sdb3\n

\u521b\u5efa rootfs\uff0c\u8fd9\u91cc\u4ee5 RAID1 \u7684\u65b9\u5f0f\uff08--type raid1\uff09\u521b\u5efa\u8fd9\u4e2a\u5206\u533a\uff0c\u8fd9\u6837\u5373\u4f7f sda / sdb \u574f\u6389\u4e00\u6574\u7ec4\u4e4b\u540e\u8fd8\u6709 rootfs \u53ef\u4ee5\u7528\u3002

\u6ce8\u610f\uff1a

lvcreate -n root -L 32G --type raid1 -m 1 lug\nmkfs.ext4 /dev/lug/root\n

\u521b\u5efa home\uff0c\u8fd9\u91cc\u53cd\u6b63\u4e0d\u6015\u574f\uff0c\u7528 RAID0\uff08--type striped \u6216 --type raid0\uff09\u3002

lvcreate -n root -L 64G --type striped -i 2 lug\nmkfs.ext4 /dev/lug/home\n

\u521b\u5efa\u653e\u955c\u50cf\u7684\u5206\u533a\uff0c\u8fd9\u6b21\u8981\u7528 xfs

XFS \u4e0d\u652f\u6301\u7f29\u5c0f

\u56e0\u6b64\u6211\u4eec\u5728\u521d\u88c5\u65f6\u9009\u62e9\u4e3a\u5176\u5206\u914d 48 TiB \u7684\u7a7a\u95f4\uff0c\u800c\u4e0d\u662f VG lug \u7684\u5269\u4f59\u5168\u90e8\u2014\u2014\u8fd9\u6837\u65b9\u4fbf\u4ee5\u540e\u7ef4\u62a4

lvcreate -n repo -L 48T --type striped -i 2 lug\nmkfs.xfs /dev/lug/repo\n

\u5176\u5b9e\u672c\u6765\u8981\u8c03\u4e00\u4e0b\u53c2\u7684\uff0c\u4e0d\u8fc7\u6839\u636e Arch Wiki\uff0cmkfs.xfs \u7684\u9ed8\u8ba4\u53c2\u6570\u5c31\u662f\u6700\u4f18\u7684\uff0c\u6240\u4ee5\u6211\u4eec\u51b3\u5b9a\u4e0d\u52a8\u4e86\u3002

"},{"location":"services/mirrors/4/volumes-old/#ssd","title":"SSD","text":"

SSD \u7684\u7528\u9014\u4e3a\u5b58\u653e Docker \u6570\u636e /var/lib/docker\uff088 GiB \u5c31\u591f\u4e86\uff0c\u4f46\u662f overlay2 \u7684\u540e\u7aef\u7528 ext4 \u66f4\u597d\uff09\uff0c\u5269\u4e0b\u7528\u4f5c lvmcache(7)\u3002

iBug \u5907\u6ce8

\u867d\u7136\u4f3c\u4e4e\u6ca1\u6709\u8fd9\u6837\u505a\uff08\u5148\u521b\u5efa\u5355\u72ec\u7684 VG \u518d\u5408\u5e76\uff09\u7684\u5fc5\u8981\uff0c\u4f46\u662f\u8fd9\u4e48\u505a\u4e00\u5b9a\u4e0d\u4f1a\u51fa\u9519\uff0c\u5c31\u8fd9\u6837\u5427\u3002

\u5728 SSD \u4e0a\u65b0\u5efa\u4e00\u4e2a VG\uff1a

# fdisk \u521b\u5efa\u552f\u4e00\u4e00\u4e2a\u5206\u533a sdc1\uff0c\u4fdd\u5b58\u9000\u51fa\npvcreate /dev/sdc1\nvgcreate ssd /dev/sdc1\n

\u521b\u5efa Docker \u6570\u636e\u76d8\uff1a

lvcreate -L 8G -n docker ssd\nmkfs.ext4 /dev/ssd/docker\n

\u91cd\u8981\uff1a\u521b\u5efa\u7f13\u5b58\u76d8\u548c\u7f13\u5b58\u5143\u6570\u636e\u76d8\u3002\u6839\u636e Red Hat Documentation \u7684\u4ecb\u7ecd\uff0c\u5148\u624b\u52a8\u521b\u5efa\u6570\u636e\u76d8\u548c\u5143\u6570\u636e\u76d8\uff0c\u7136\u540e\u5c06\u4ed6\u4eec\u5408\u5e76\u4e3a\u4e00\u4e2a cache pool\u3002\u5927\u5c0f\u65b9\u9762\uff0c\u6587\u7ae0\u7684\u53c2\u8003\u662f 2G data \u2194 12M meta\uff0c\u8fd9\u91cc\u6211\u4eec\u6709\u63a5\u8fd1 2 TB \u7684 data\uff0c\u5c31\u5206\u914d 16 GB \u4f5c\u4e3a meta \u5427\u3002

lvcreate -L 16G -n mcache_meta ssd\nlvcreate -l 100%FREE -n mcache ssd\nlvreduce -l -2048 ssd/mcache\nlvconvert --type cache-pool --poolmetadata ssd/mcache_meta --cachemode writethrough -c 64K --config allocation/cache_pool_max_chunks=30000000 ssd/mcache\n

\u8fd9\u91cc\u7684\u7f13\u5b58\u6a21\u5f0f\u91c7\u7528 passthrough\uff0c\u5373\u5199\u5165\u52a8\u4f5c\u7ed5\u8fc7\u7f13\u5b58\u76f4\u63a5\u5199\u56de\u539f\u8bbe\u5907\uff08\u5f53\u7136\u5566\uff0c\u5199\u5165\u90fd\u662f\u7531\u4ece\u4e0a\u6e38\u540c\u6b65\u4ea7\u751f\u7684\uff09\uff0c\u53e6\u5916\u4e24\u79cd writeback \u548c writethrough \u90fd\u4f1a\u5199\u5165\u7f13\u5b58\uff0c\u4e0d\u662f\u6211\u4eec\u60f3\u8981\u7684\u3002 passthrough \u6a21\u5f0f\u4e2d\uff0c\u8bfb\u5199\u90fd\u4f1a\u7ed5\u8fc7 cache\uff0c\u552f\u4e00\u7684\u4f5c\u7528\u662f write hit \u4f1a\u4f7f\u5f97 cache \u5bf9\u5e94\u7684\u5757\u5931\u6548\u3002

\u8fd9\u91cc\u4f7f\u7528 writeback \u6a21\u5f0f\uff0c\u56e0\u4e3a\u4ed3\u5e93\u6570\u636e\u6ca1\u4e86\u8fd8\u80fd\u518d\u540c\u6b65\uff0c\u4f7f\u7528 writeback \u63d0\u5347\u6027\u80fd\u66f4\u5408\u9002\u3002

\u51fa\u4e8e\u7a33\u5b9a\u8003\u8651\uff0c\u4f7f\u7528 writethrough \u6a21\u5f0f\u3002\uff08\u6211\u4eec\u7684 Cache \u592a\u5927\u4e86\uff0cwriteback \u53ef\u80fd\u4f1a\u5f04\u574f\u4e0d\u5c11\u4e1c\u897f\uff0c\u5982\u679c metadata \u574f\u4e86\u5c31\u66f4\u9ebb\u70e6\u4e86\uff09

\u5751

\u76f4\u63a5\u4f7f\u7528 lvconvert(8) \u5c1d\u8bd5\u5408\u5e76\u4f1a\u5bfc\u81f4\u5410\u69fd\uff0c\u8fd9\u662f\u4e0a\u9762 lvreduce(8) \u7684\u539f\u56e0\u3002

Volume group \"ssd\" has insufficient free space (0 extents): 2048 required.\n

iBug \u5907\u6ce8

LVM \u63a8\u8350\u7684\u662f\u4e00\u4e2a\u7f13\u5b58\u6c60\u91cc\u4e0d\u8d85\u8fc7 100 \u4e07\u4e2a chunk\uff08\u8fd9\u4e5f\u662f allocation/cache_pool_max_chunks \u7684\u9ed8\u8ba4\u503c\uff09\uff0c\u4f46\u662f\u8fd9\u6837\u6bcf\u4e2a chunk \u7684\u6700\u5c0f\u5927\u5c0f\u4e3a 1.84 MiB \u592a\u5927\u4e86\uff0c\u8003\u8651\u5230\u6211\u4eec\u6709\u8db3\u591f\u7684 CPU \u548c\u5185\u5b58\uff0c\u8fd9\u91cc\u5c31\u94e4\u800c\u8d70\u9669\u5c1d\u8bd5\u4e00\u4e0b\u8f83\u5927\u7684 chunk count\u3002

\u5751 2

\u7f13\u5b58\u76d8\uff08cache pool\uff09\u548c\u88ab\u7f13\u5b58\u7684\u5377\u5fc5\u987b\u5728\u540c\u4e00\u4e2a VG \u4e2d\u3002

\u5751 3 (taoky \u5907\u6ce8)

LVM Cache \u7684\u5e95\u5c42\u662f\u5728\u5185\u6838\u5b9e\u73b0\u7684 dm-cache\u3002\u76ee\u524d\u5df2\u77e5\u7684\u5751\u5982\u4e0b\uff1a

  1. \u5f53\u51fa\u73b0 dirty blocks\uff08\u4e14 cache policy \u4e3a cleaner \u65f6\uff09\uff0c\u65e0\u6cd5\u6b63\u5e38 flush\u3002\u7f51\u7edc\u4e0a\u53ef\u4ee5\u627e\u5230\u7684\u8fd9\u4e2a bug \u7684\u89e3\u51b3\u65b9\u6cd5\u662f\u589e\u5927 migration_threshold \u7684\u503c\uff08\u5728\u65b0\u7248\u672c LVM \u4e2d\uff0cmigration_threshold \u9ed8\u8ba4\u81f3\u5c11\u4f1a\u662f chunk size \u7684 8 \u500d\uff0c\u5728\u6211\u4eec\u7684\u914d\u7f6e\u4e0b\u5c31\u662f 16384 = 2048 * 8\u3002\u8fd9\u4e2a\u7248\u672c\u7684 LVM \u6682\u65f6\u4e0d\u5728 Buster \u4e2d\uff09\uff0c\u4f46\u662f\u7ecf\u8fc7\u6d4b\u8bd5\uff0c\u5355\u7eaf\u589e\u5927 migration_threshold \u6ca1\u6709\u4efb\u4f55\u6548\u679c\u3002Jiahao \u7ffb\u4e86\u4e00\u4e0b dm-cache \u7684\u6e90\u4ee3\u7801\uff0c\u53d1\u73b0 flush \u7684\u6761\u4ef6\u5728 https://elixir.bootlin.com/linux/latest/source/drivers/md/dm-cache-target.c#L1649\uff0c\u53ea\u5728\u72b6\u6001\u4e3a IDLE \u65f6\u624d\u4f1a flush\u3002IDLE \u7684\u7b2c\u4e00\u4e2a\u6761\u4ef6\u9700\u8981 inflight io = 0\uff0c\u6bd4\u8f83\u82db\u523b\uff0c\u53ef\u80fd\u662f\u65e0\u6cd5\u6b63\u5e38 flush \u7684\u539f\u56e0\u3002

    \u4e00\u4e2a\u626d\u66f2\u7684\u89e3\u51b3\u65b9\u6cd5\u662f\uff1a\u5148\u628a migration_threshold \u8bbe\u7f6e\u5f97\u5f88\u5927\uff08\u8bbe\u5927\u5c0f\u4e3a x\uff09\uff0c\u7136\u540e\u9a6c\u4e0a\u7f29\u5c0f\uff0c\u8fd9\u6837\u5c31\u80fd\u628a x \u90a3\u4e48\u591a\u5927\u5c0f\u7684\u810f\u5757\u5f04\u6389\uff08\u539f\u7406\u6682\u65f6\u4e0d\u660e\uff0c\u9700\u8981\u8865\u5145\uff09\u3002\u57fa\u4e8e\u8fd9\u4e2a\u65b9\u6cd5\uff0c\u53ef\u4ee5\u5199\u4e00\u4e2a\u811a\u672c\u6765\u505a flush \u7684\u5de5\u4f5c\uff1a

    # dirty hack\nsudo lvchange --cachepolicy cleaner lug/repo\nfor i in `seq 1 1500`; do sudo lvchange --cachesettings migration_threshold=2113536 lug/repo && sudo lvchange --cachesettings migration_threshold=16384 lug/repo && echo $i && sleep 15; done;\n# \u9700\u8981\u786e\u8ba4\u6ca1\u6709\u810f\u5757\u3002\u5982\u679c\u8fd8\u6709\u7684\u8bdd\u7ee7\u7eed\u6267\u884c\uff08\u6b21\u6570\u8c03\u5c0f\u4e00\u4e9b\uff09\n# \u5982\u679c\u662f\u4ece writeback \u5207\u6362\uff0c\u9700\u8981\u5148\u628a\u6a21\u5f0f\u5207\u5230 writethrough\n# \u7136\u540e\u518d\u4fee\u6539 cachepolicy \u5230 smq\nsudo lvchange --cachepolicy smq lug/repo\n

    \u5728\u6267\u884c\u65f6\uff0c\u53ef\u4ee5\u67e5\u770b\uff1a

    sudo dmsetup status lug-repo\n# \u5728 \"metadata2\" \u524d\u9762\u7684\u524d\u9762\u7684\u6570\u5b57\u5c31\u662f dirty block \u7684\u6570\u91cf\n# \u5982\u679c\u4e0d\u5728\u6267\u884c lvchange\uff08\u6ca1\u6709\u8fdb\u7a0b\u62a2\u5360\u4e86 LVM \u7684\u9501\uff09\uff0c\u53ef\u4ee5\u6267\u884c\u4ee5\u4e0b\u547d\u4ee4\u786e\u8ba4\u810f\u5757\u6570\u91cf\u4ee5\u53ca\u5176\u4ed6\u4e00\u4e9b\u53c2\u6570\u3002\nsudo lvs -o name,cache_policy,cache_settings,chunk_size,cache_used_blocks,cache_dirty_blocks /dev/mapper/lug-repo\n
  2. \u6bcf\u6b21 unclean shutdown \u4e4b\u540e\uff0ccache \u4e2d\u6240\u6709\u5757\u90fd\u4f1a\u88ab\u6807\u8bb0\u4e3a dirty\u3002\u5c3d\u7ba1\u4e0d\u592a\u53ef\u80fd\u963b\u585e\u7cfb\u7edf\u542f\u52a8\uff0c\u8fd9\u53ef\u80fd\u4f1a\u7ed9 HDD \u4e00\u5b9a\u7684\u538b\u529b\u3002

  3. \u6269\u5927 lug/repo \u7684\u5927\u5c0f\u524d\u9700\u8981 uncache\uff0c\u4e14 uncache \u7684\u524d\u63d0\u6761\u4ef6\u662f\u6ca1\u6709\u810f\u5757\u3002

\u5751 4

\u4fee\u6539 migration_threshold \u7b49\u8bbe\u7f6e\u4f1a\u5bfc\u81f4\u76ee\u524d\u7248\u672c\u7684 GRUB \u65e0\u6cd5\u6b63\u786e\u8bc6\u522b LVM \u5143\u6570\u636e\u3002

\u4e34\u65f6\u4fee\u590d\u7248\u672c\uff1ahttps://github.com/taoky/grub/releases/tag/2.02%2Bdfsg1-20%2Bdeb10u4taoky3_amd64\u3002\u76ee\u524d\u5df2\u90e8\u7f72\uff0c\u4e14\u8bbe\u7f6e\u4e86 apt hold\u3002

\u5751 5

\u8bbe\u7f6e chunksize \u5230 1M \u4f1a\u6709\u4e25\u91cd\u7684\u5199\u5165\u653e\u5927\u95ee\u9898\uff0c\u56e0\u6b64\u8fd9\u91cc\u4fee\u6539\u4e3a\u4e86 64K\u3002

\u6240\u4ee5\u63a5\u4e0b\u6765\u8981\u5408\u5e76 VG\uff0c\u7136\u540e\u624d\u80fd\u4e3a\u4ed3\u5e93\u5377\u52a0\u4e0a\u7f13\u5b58\u3002

lvchange -a n ssd/docker\nvgmerge lug ssd\nlvconvert --type cache --cachepool lug/mcache lug/repo\n

\u63a5\u4e0b\u6765\u6302\u4e0a Docker \u5377\uff08\u6ce8\u610f VG \u540d\u5df2\u7ecf\u4ece ssd \u53d8\u6210\u4e86 lug\uff09\uff1a

lvchange -a y lug/docker\nmount /dev/lug/docker /var/lib/docker\n
"},{"location":"services/mirrors/4/volumes-old/#repo","title":"repo \u6269\u5bb9","text":"

\u67e5\u770b\u5f53\u524d\u903b\u8f91\u5377\u4fe1\u606f\uff1a

# lvs -a -o +devices\n  LV              VG  Attr       LSize   Pool     Origin       Data%  Meta%  Move Log         Cpy%Sync Convert Devices\n  backup          lug -wi-ao----   8.00g                                                                       /dev/sda3(6307840)\n  docker          lug -wi-ao----  64.00g                                                                       /dev/sdc1(0)\n  docker2         lug -wi-a----- 300.00g                                                                       /dev/sda3(7925248)\n  home            lug -wi-ao----  64.00g                                                                       /dev/sda3(8192),/dev/sdb3(8193)\n  log             lug -wi-ao---- 300.00g                                                                       /dev/sda3(6309888),/dev/sdb3(6307841)\n  log             lug -wi-ao---- 300.00g                                                                       /dev/sda3(7888896),/dev/sdb3(7882753)\n  [lvol0_pmspare] lug ewi-------  16.00g                                                                       /dev/sda3(7884800)\n  [mcache]        lug Cwi---C---   1.50t                       99.99  0.12                    0.00             mcache_cdata(0)\n  [mcache_cdata]  lug Cwi-ao----   1.50t                                                                       /dev/sdc1(20480)\n  [mcache_cmeta]  lug ewi-ao----  16.00g                                                                       /dev/sdc1(16384)\n  repo            lug Cwi-aoC---  60.00t [mcache] [repo_corig] 99.99  0.12                    0.00             repo_corig(0)\n  [repo_corig]    lug owi-aoC---  60.00t                                                                       /dev/sda3(16384),/dev/sdb3(16385)\n  [repo_corig]    lug owi-aoC---  60.00t                                                                       /dev/sda3(6311936),/dev/sdb3(6309889)\n  root            lug mwi-aom---  32.00g                                          [root_mlog] 100.00           root_mimage_0(0),root_mimage_1(0)\n  [root_mimage_0] lug iwi-aom---  32.00g                                                                       /dev/sda3(0)\n  [root_mimage_1] lug iwi-aom---  32.00g                                                                       /dev/sdb3(0)\n  [root_mlog]     lug lwi-aom---   4.00m                                                                       /dev/sdb3(8192)\n

\u68c0\u67e5 cache \u662f\u5426\u6709 dirty block\uff1a

$ sudo lvs -o name,cache_policy,cache_settings,chunk_size,cache_used_blocks,cache_dirty_blocks /dev/mapper/lug-repo\n  LV   CachePolicy CacheSettings Chunk CacheUsedBlocks  CacheDirtyBlocks\n  repo smq                       1.00m          1048551                0\n

\uff08\u6b63\u5e38\u91cd\u542f\u4e4b\u540e\u53ef\u80fd\u4f1a\u51fa\u73b0 dirty block\uff0c\u539f\u56e0\u4e0d\u660e\u3002\u5982\u679c\u770b\u5230\u6709\u7684\u8bdd\uff0c\u90a3\u53ea\u80fd \u518d\u6b21\u8fdb\u5165\u75db\u82e6\u7684\u8f6e\u56de \u7528\u4e0a\u8ff0\u7684\u65b9\u6cd5\u6e05\u9664\uff0c\u5e76\u4e14\u6e05\u9664\u7684\u65f6\u5019\u5bf9\u7cfb\u7edf\u8d1f\u8f7d\u5f71\u54cd\u5f88\u5927\uff0c\u56e0\u4e3a\u843d\u76d8\u7684\u65f6\u5019\u5176\u4ed6\u8fdb\u7a0b\u5bf9\u5e94\u7684 IO \u4f1a\u88ab\u6682\u505c\uff0c\u5728\u76f8\u5bf9\u5e73\u8861\u65f6\u95f4\u548c\u8d1f\u8f7d\u7684\u547d\u4ee4\u4e0b\uff0c\u4f30\u8ba1\u9700\u8981 10 \u5c0f\u65f6\u7684\u65f6\u95f4\u3002\uff09

\u7136\u540e uncache\u3001\u6269\u5bb9\uff1a

# lvconvert --uncache lug/repo\n# lvextend -L +5T lug/repo\n# xfs_growfs /srv\n

\u7136\u540e\u6062\u590d cache\uff08\u53c2\u8003\u4e0a\u9762 mcache_meta \u548c mcache \u903b\u8f91\u5377\u7684\u914d\u7f6e\uff0c\u8bf7\u6ce8\u610f\u5728\u7406\u89e3\u547d\u4ee4\u540e\u518d\u6267\u884c\uff01\uff09\uff1a

# lvcreate -L 16G -n mcache_meta lug /dev/sdc1  # SSD \u8bbe\u5907\u8def\u5f84\u91cd\u542f\u540e\u53ef\u80fd\u4f1a\u53d8\u5316\n# lvcreate -l 100%FREE -n mcache lug /dev/sdc1\n# lvreduce -l -2048 lug/mcache\n# lvconvert --type cache-pool --poolmetadata lug/mcache_meta --cachemode writethrough -c 64K --config allocation/cache_pool_max_chunks=30000000 lug/mcache\n# lvconvert --type cache --cachepool lug/mcache lug/repo\n

\u5751 5

\u65b0\u5efa\u65f6\u5728\u5012\u6570\u7b2c\u4e8c\u6b65\u7684 lvconvert \u53ef\u80fd\u4f1a\u5361\u6b7b\u8d85\u8fc7\u534a\u5c0f\u65f6\uff08\u4f46\u662f\u6700\u540e\u8fd8\u662f\u80fd\u5b8c\u6210\u7684\uff09\uff0c\u6808\u7684\u4fe1\u606f\u663e\u793a\u6808\u9876\u51fd\u6570\u662f submit_bio_wait()\uff0c\u5728\u6e05\u96f6\u5bf9\u5e94\u7684 block range\uff0c\u56e0\u4e3a RAID \u5361\u4e0d\u652f\u6301\u4e0b\u4f20 discarding \u6240\u4ee5\u4f1a\u5f88\u6162\uff0c\u9700\u8981\u7b49\u4e00\u6bb5\u65f6\u95f4\u3002

"},{"location":"services/mirrors/4/volumes-old/#fstab","title":"fstab","text":"

\u5206\u533a\u5b8c\u6bd5\u540e\u7ed9 /etc/fstab \u8865\u4e0a\u76f8\u5173\u7684\u5185\u5bb9\u5e76\u6302\u8f7d\uff1a

/dev/mapper/lug-home   /home           ext4 defaults             0 2\n/dev/mapper/lug-docker /var/lib/docker ext4 defaults             0 2\n/dev/mapper/lug-repo   /srv            xfs  defaults,pqnoenforce 0 2\n/dev/mapper/lug-log    /var/log        ext4 defaults             0 2\n

\uff08\u8fd9\u4e2a log \u5206\u533a\u524d\u9762\u6ca1\u63d0\uff0c\u53cd\u6b63\u50cf\u6a21\u50cf\u6837\u77e5\u9053\u5c31\u884c\u4e86\uff09

"},{"location":"services/mirrors/4/networking/","title":"Networking on mirrors4","text":"

\u51fa\u4e8e\u597d\u7528\u7684\u8003\u8651\uff0cmirrors4 \u4e0a\u7684\u7f51\u7edc\u4f7f\u7528 systemd-networkd \u914d\u7f6e\u3002\u4f5c\u4e3a\u5165\u95e8\uff0c\u4e0b\u9762\u662f\u4e24\u4e2a\u53c2\u8003\u94fe\u63a5\uff1a

Debian \u9ed8\u8ba4\u7528\u7684\u662f ifupdown\uff0c\u628a\u5b83\u76f4\u63a5\u5378\u6389\u5c31\u884c\u4e86\u3002\u5168\u90e8\u914d\u7f6e\u5b8c\u6bd5\u4e4b\u540e\u9700\u8981 systemctl enable systemd-networkd.service \u5e76\u4e14 start \u4e00\u4e0b\uff08\u6216\u8005\u76f4\u63a5\u91cd\u542f\uff09\u3002

/etc/systemd/network \u76ee\u5f55\u4e0b\u6709\u4e2a Git \u4ed3\u5e93\uff0c\u65b9\u4fbf\u4fdd\u5b58\u4e0e\u6062\u590d

"},{"location":"services/mirrors/4/networking/#bond","title":"Bond","text":"

Bond \u7528\u4e8e\u5c06\u591a\u4e2a\u7f51\u5361\u805a\u5408\u5f53\u4f5c\u4e00\u4e2a\u4f7f\u7528\u3002

"},{"location":"services/mirrors/4/networking/#_1","title":"\u5b50\u7f51\u5361","text":"

\u5411 /etc/systemd/network/ens41f0.network \u5199\u5165\u5982\u4e0b\u5185\u5bb9\uff1a

[Match]\nName=ens41f0\n\n[Network]\nBond=bond1\n\n[Link]\nRequiredForOnline=no\n

\u5373\u53ef\u5c06\u5176\u8bbe\u7f6e\u4e3a bond1 \u7684\u4e00\u4e2a\u5b50\u7f51\u5361\u3002\u7528\u540c\u6837\u65b9\u5f0f\u628a ens41f1 \u4e5f\u8bbe\u4e3a\u5b50\u7f51\u5361\u3002

\u4e00\u4e2a\u5c0f\u5751

systemd-networkd \u6709\u4e00\u4e2a\u9ed8\u8ba4\u7684 bond0 \u805a\u5408\u7f51\u5361\uff0c\u6a21\u5f0f\u6c38\u8fdc\u662f round-robin\uff0c\u800c\u4e14\u5c1d\u8bd5\u8bbe\u7f6e\u8fd9\u4e2a\u7f51\u5361\u5f88\u5bb9\u6613\u51fa\u95ee\u9898\uff0c\u6240\u4ee5\u6211\u4eec\u907f\u5f00\u8fd9\u4e2a\u540d\u5b57\uff0c\u7528 bond1\u3002

"},{"location":"services/mirrors/4/networking/#bond1","title":"bond1 \u805a\u5408\u7f51\u5361","text":"

\u5199\u5165 /etc/systemd/network/bond1.netdev\uff1a

[NetDev]\nName=bond1\nKind=bond\n\n[Bond]\nMode=balance-tlb\nMIIMonitorSec=1\n

\u5173\u4e8e bond \u6a21\u5f0f\uff08balance-tlb vs balance-alb\uff09\uff0c\u53c2\u8003\u8fd9\u4e2a Server Fault \u4e0a\u7684\u56de\u7b54\u3002

\u7136\u540e\u521b\u5efa VLAN\uff0c\u5199\u5165 /etc/systemd/network/bond1.network\uff1a

[Match]\nName=bond1\n\n[Network]\nDHCP=no\nVLAN=cernet\nVLAN=telecom\nVLAN=mobile\nVLAN=unicom\n
"},{"location":"services/mirrors/4/networking/#vlan","title":"VLAN","text":"

NIC \u673a\u623f\u6709 4 \u4e2a VLAN\uff0c\u5206\u522b\u662f

\u6ce8\u610f\u8fd9\u51e0\u4e2a\u7f51\u6bb5\u90fd\u6ca1\u6709 DHCP\uff0c\u53ea\u6709\u6559\u80b2\u7f51 VLAN \u6709 IPv6 RA\u3002

\u4e0b\u9762\u4ee5\u6559\u80b2\u7f51 VLAN \u4e3a\u4f8b\u3002

\u56e0\u4e3a VLAN \u5728\u7269\u7406\u4e0a\u5c5e\u4e8e\u4e00\u4e2a\u7f51\u5361\uff0c\u56e0\u6b64\u5411\u5bf9\u5e94\u7f51\u5361\u7684 .network \u6587\u4ef6\u7684 [Network] \u6bb5\u8ffd\u52a0\u4e00\u884c\uff08\u89c1\u4e0a\u9762\u4e00\u8282 bond1.network \u6587\u4ef6\uff09\uff1a

VLAN=cernet\n

\u521b\u5efa VLAN \u754c\u9762\uff0c\u521b\u5efa cernet.netdev \u5e76\u5199\u5165

[NetDev]\nName=cernet\nKind=vlan\n\n[VLAN]\nId=95\n

\u7136\u540e\u5c31\u53ef\u4ee5\u6307\u5b9a IP \u5730\u5740\u7b49\u5177\u4f53\u4fe1\u606f\u4e86\uff0c\u521b\u5efa\u4e00\u4e2a\u540d\u5b57\u76f8\u540c\uff0c\u540e\u7f00\u6362\u6210 .network \u7684\u6587\u4ef6\u5e76\u5199\u5165

[Match]\nName=cernet\n\n[Network]\nDHCP=no\nAddress=202.38.95.110/25\n#Gateway=202.38.95.126\nAddress=2001:da8:d800:95::110/64\n#Gateway=2001:da8:d800:95::1\nIPv6AcceptRA=false\n

\u4fdd\u5b58\u540e\u91cd\u542f systemd-networkd.service \u5c31\u53ef\u4ee5\u770b\u5230\u6548\u679c\u4e86\u3002

\u4e3a\u4ec0\u4e48 Gateway \u88ab\u6ce8\u91ca\u6389\u4e86

\u6839\u636e systemd \u5b98\u65b9\u6587\u6863\uff0c\u5728 [Network] \u4e00\u8282\u51fa\u73b0\u7684 Gateway= \u7b49\u4ef7\u4e8e\u4e00\u4e2a\u5355\u72ec\u7684\u3001\u4ec5\u5305\u542b\u4e00\u884c Gateway= \u7684 [Route] \u8282\u3002\u7531\u4e8e\u6211\u4eec\u9700\u8981\u6df1\u5ea6\u81ea\u5b9a\u4e49\u8def\u7531\uff0c\u8fd9\u91cc\u4e0d\u65b9\u4fbf\u91c7\u7528\u8fd9\u4e2a\u8fc7\u4e8e\u7b80\u6d01\u7684\u8bbe\u5b9a\uff08\u4f8b\u5982\u5404\u79cd\u9ed8\u8ba4\u503c Table=main \u7b49\uff09\u3002

"},{"location":"services/mirrors/4/networking/#docker-network","title":"Docker network","text":"

\u9488\u5bf9\u4e2a\u522b\u4e0d\u652f\u6301 bind address \u7684\u540c\u6b65\u5de5\u5177\uff0c\u6211\u4eec\u901a\u8fc7\u5c06\u5176\u653e\u5165\u7279\u5b9a\u7684 docker network \u6765\u5b9e\u73b0\u9009\u62e9\u7ebf\u8def\u7684\u529f\u80fd\u3002

\u521b\u5efa\u547d\u4ee4
docker network create --driver=bridge --subnet=172.17.4.1/24 -o \"com.docker.network.bridge.name=dockerC\" cernet\ndocker network create --driver=bridge --subnet=172.17.5.1/24 -o \"com.docker.network.bridge.name=dockerT\" telecom\ndocker network create --driver=bridge --subnet=172.17.6.1/24 -o \"com.docker.network.bridge.name=dockerM\" mobile\ndocker network create --driver=bridge --subnet=172.17.7.1/24 -o \"com.docker.network.bridge.name=dockerU\" unicom\ndocker network create --driver=bridge --ipv6 --subnet=172.17.8.1/24 --subnet=fd00:6::/64 -o \"com.docker.network.bridge.name=dockerC6\" cernet6\ndocker network create --driver=bridge --subnet=172.17.9.1/24 -o \"com.docker.network.bridge.name=dockerV\" lugvpn\n

\u7136\u540e\u4f7f\u7528 systemd-networkd \u5bf9\u521b\u5efa\u597d\u7684 docker network \u7f51\u6bb5\u914d\u7f6e\u89c4\u5219\u8def\u7531\u3002

/etc/systemd/network/cernet.network
# Docker Cernet\n[RoutingPolicyRule]\nFrom=172.17.4.0/24\nTable=1011\nPriority=5\n\n[RoutingPolicyRule]\nFrom=172.17.8.0/24\nTable=1011\nPriority=5\n

\u5176\u4ed6\u51e0\u4e2a\u6587\u4ef6\u7c7b\u4f3c\uff0c\u53ea\u9700\u8981\u4fee\u6539\u7f51\u6bb5\u548c Table \u5373\u53ef\u3002

"},{"location":"services/mirrors/4/networking/#docker-network-cernet6","title":"Docker network: cernet6","text":"

\u7531\u4e8e\u4e00\u4e9b\u7a0b\u5e8f\u6216\u7cfb\u7edf\u73af\u5883\u5728\u53cc\u6808\u7f51\u7edc\u4e2d\u4ecd\u7136\u4f1a\u4f18\u5148\u5c1d\u8bd5 IPv4\uff0c\u6211\u4eec\u5c06 cernet6 \u7f51\u7edc\u7684 v4 \u516c\u7f51\u8bbf\u95ee\u5c4f\u853d\u6389\u3002

rules.v4
*filter\n:FORWARD DROP [0:0]\n# ...\n-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n-A FORWARD -i dockerC6 -j REJECT\n-A FORWARD -i docker+ -j ACCEPT\n
"},{"location":"services/mirrors/4/networking/misc/","title":"mirrors \u7f51\u7edc\u914d\u7f6e\u6742\u9879","text":""},{"location":"services/mirrors/4/networking/misc/#sniproxy","title":"sniproxy","text":"

Sniproxy \u7528\u4e8e\u4e3a Docker \u5bb9\u5668\u63d0\u4f9b\u65b9\u4fbf\u7684 HTTP(S) \u7f51\u7edc\u5206\u6d41\u3002\u76ee\u524d\u5728 mirrors \u4e0a\u7528\u4e8e\u4e3a dockerhub \u5bb9\u5668\u63d0\u4f9b\uff08\u5230 Cloudflare \u7684\uff09IPv6 \u63a5\u5165\uff08Docker \u505a IPv6 NAT \u975e\u5e38\u4e0d\u65b9\u4fbf\uff0c\u6240\u4ee5\u4ee5\u6b64\u4e3a\u6743\u5b9c\u4e4b\u4e3e\uff09\uff0c\u4ee5\u63d0\u9ad8\u6821\u5185\u8bbf\u95ee\u65f6\u7684\u901f\u5ea6\u3002

"},{"location":"services/mirrors/4/networking/misc/#_1","title":"\u914d\u7f6e","text":"

\u5b89\u88c5 sniproxy\uff0c\u5e76\u4e14 mask \u539f\u670d\u52a1\u914d\u7f6e\uff08\u6211\u4eec\u81ea\u5df1\u5199\u4e00\u4e2a\uff09\uff1a

sudo apt install sniproxy\nsudo mkdir -p /etc/sniproxy\nsudo systemctl mask sniproxy.service\n

\u521b\u5efa /etc/systemd/system/sniproxy@.service\uff1a

[Unit]\nDescription=SNIProxy (%i.conf)\nAfter=network.target network-online.target\nStartLimitIntervalSec=1\n\n[Service]\nType=simple\nExecStart=/usr/sbin/sniproxy -f -c /etc/sniproxy/%i.conf\nRestart=on-failure\nRestartSec=3\n\n[Install]\nWantedBy=multi-user.target\n

\u5728 /etc/sniproxy \u4e2d\u521b\u5efa\u914d\u7f6e\u3002\u4ee5\u4e0b\u4e3a IPv6 + TLS (443) only \u7684\u914d\u7f6e\u4f8b\u5b50\uff1a

resolver {\n    nameserver 2001:da8:d800::1\n    mode ipv6_only\n}\n\naccess_log {\n    filename /dev/null\n}\n\nlisten <Bind \u5230\u7684 IP \u5730\u5740>:443 {\n    proto tls\n    reuseport yes\n    table all\n    source <IPv6 \u51fa\u53e3\u5730\u5740>\n}\n\ntable all {\n    .* *\n}\n

\u6700\u540e\u542f\u52a8\u670d\u52a1\uff1a

sudo systemctl enable sniproxy@\u914d\u7f6e\u6587\u4ef6\u540d.service\nsudo systemctl start sniproxy@\u914d\u7f6e\u6587\u4ef6\u540d.service\n
"},{"location":"services/mirrors/4/networking/route/","title":"Routing on mirrors4","text":"

\u7531\u4e8e mirrors4 \u6ca1\u6709\u4f7f\u7528 ifupdown \u4f5c\u4e3a\u7f51\u7edc\u7ba1\u7406\u7cfb\u7edf\uff0c\u800c\u662f\u91c7\u7528 systemd-networkd\uff0c\u56e0\u6b64\u6211\u4eec\u6ca1\u6709 pre-up, up, down, post-down \u7b49\u8fd0\u884c\u547d\u4ee4\u7684\u65b9\u5f0f\uff0c\u6240\u4ee5 mirrors2 \u4e0a\u4f7f\u7528\u7684\u90a3\u5957\u811a\u672c\uff08ip-route.sh \u7b49\uff09\u65e0\u6cd5\u76f4\u63a5\u5728 mirrors4 \u4e0a\u7ee7\u7eed\u4f7f\u7528\u3002

\u597d\u5728\u6211\u4eec\u4f7f\u7528 up \u7b49\u8fd0\u884c\u547d\u4ee4\u53ea\u662f\u4e3a\u4e86\u914d\u7f6e\u8def\u7531\uff0c\u56e0\u6b64\u6362\u4e86\u4e2a\u529e\u6cd5\uff0c\u6574\u4e86\u4e2a\u65b0\u811a\u672c\u628a IP \u5730\u5740\u5217\u8868\uff08\u6765\u81ea gaoyifan/china-operator-ip\uff09\u8f6c\u6362\u6210 networkd \u6240\u4f7f\u7528\u7684\u914d\u7f6e\u6587\u4ef6\u683c\u5f0f\u3002\u4ee3\u7801\u4e0d\u957f\uff1a

#!/bin/bash\n\nROOT_IP_LIST=/usr/local/network_config/iplist\nROOT_RT=/run/systemd/network\n\ngen_route() {\n  IPLIST=\"$ROOT_IP_LIST/$1\"\n  GW=\"$2\"\n  DEV=\"$3\"\n  # Convert table to number\n  TABLENAME=\"$4\"\n  TABLE=\"$(awk 'substr($0, 1, 1) != \"#\" && $2 == \"'\"$TABLENAME\"'\" { print $1 }' /etc/iproute2/rt_tables | head -1)\"\n  PRIORITY=\"$5\"\n\n  F=\"$ROOT_RT/$DEV.network.d\"\n  mkdir -p \"$F\"\n  F=\"$F/route-${TABLENAME,,}.conf\"\n\n  echo -e \"[RoutingPolicyRule]\\nTable=$TABLE\\nPriority=$PRIORITY\\n\" > \"$F\"\n  awk '{ print \"[Route]\\nDestination=\" $1 \"\\nGateway='\"$GW\"'\\nTable='\"$TABLE\"'\\n\" }' \"$IPLIST\" >> \"$F\"\n}\n\ngen_route ustcnet.txt 202.38.95.126 cernet Ustcnet 5\ngen_route cernet.txt 202.38.95.126 cernet Cernet 6\ngen_route telecom.txt 202.141.160.126 telecom Telecom 6\ngen_route mobile.txt 202.141.176.126 mobile Mobile 6\ngen_route unicom.txt 218.104.71.161 unicom Unicom 6\ngen_route china.txt 218.104.71.161 unicom China 7\n

\u8fd9\u4e2a\u4ed3\u5e93\u91cc\u6709\u5f88\u591a\u4e2a txt \u6587\u4ef6\uff0c\u6bcf\u4e2a\u6587\u4ef6\u5bf9\u5e94\u4e00\u4e2a ISP \u7684\u5730\u5740\u5217\u8868\uff0c\u6bcf\u884c\u4e00\u4e2a CIDR\u3002\u811a\u672c\u4e2d\u7684 gen_route \u51fd\u6570\u6839\u636e\u53c2\u6570\u8bfb\u53d6\u6587\u4ef6\uff0c\u5e76\u8f6c\u6362\u6210\u4e0b\u9762\u8fd9\u6837\u7684\u683c\u5f0f\uff1a

[Route]\nDestination=1.0.0.0/24\nGateway=202.38.95.126\nTable=1011\n

\u8fd9\u6837\u4e00\u4e2a [Route] \u8282\u5bf9\u5e94\u4e00\u6761\u8def\u7531\u89c4\u5219\uff0c\u6574\u4e2a txt \u7684\u8f6c\u6362\u7ed3\u679c\u8f93\u51fa\u5230 /run/systemd/network/cernet.network.d/route-example.conf\u3002\u5176\u4e2d cernet.network.d/*.conf \u7528\u4e8e\u5411\u73b0\u6709\u7684\u914d\u7f6e\u4e2d\u6dfb\u52a0\u5185\u5bb9\uff08\u4e0e systemd service \u7c7b\u4f3c\uff09\uff0c\u800c /run \u76ee\u5f55\uff08\u6309\u7406\u6765\u8bf4\uff09\u91cd\u542f\u4f1a\u6e05\u7a7a\uff0c\u9002\u5408\u653e\u7f6e\u8fd9\u4e9b\u7528\u4e8e\u52a8\u6001\u751f\u6210\u7684\u5185\u5bb9\u3002\u53e6\u5916\u7531\u4e8e\u8def\u7531\u89c4\u5219\uff08ip rule\uff09\u4e5f\u7531 networkd \u7ba1\u7406\u548c\u751f\u6210\u4e86\uff0c\u56e0\u6b64\u6bcf\u4e2a route-xxx.conf \u5f00\u5934\u4f1a\u5305\u542b\u4e00\u4e2a [RoutingPolicyRule] \u8282\u7528\u4e8e\u751f\u6210\u8def\u7531\u8868\u5bf9\u5e94\u7684\u8def\u7531\u89c4\u5219\u3002

\u6ce8\u610f\u8def\u7531\u8868\u662f\u7528\u540d\u79f0\u6307\u5b9a\u7684\uff0c\u4ece /etc/iproute2/rt_tables \u4e2d\u67e5\u51fa\u5bf9\u5e94\u7684\u6570\u5b57 ID\u3002\u8fd9\u4e2a\u6587\u4ef6\u672c\u6765\u4e5f\u662f ip \u547d\u4ee4\u6240\u4f7f\u7528\u7684\uff08\u6ce8\u610f\u5b83\u7684\u76ee\u5f55\u540d\u53eb iproute2\uff09\u3002

\u6700\u540e\u7ed9\u8fd9\u4e2a\u811a\u672c\u914d\u4e2a service\uff0c\u8ba9\u5b83\u5728 networkd \u4e4b\u524d\u8fd0\u884c\uff1a

# WARNING: This is NOT the final configuration file!\n[Unit]\nDescription=Generate routes for systemd-networkd\nBefore=systemd-networkd.service\n\n[Service]\nType=oneshot\nExecStart=/bin/bash /usr/local/network_config/route-all.sh\nRemainAfterExit=true\n\n[Install]\nWantedBy=network.target systemd-networkd.service\nWants=systemd-networkd.service\n

\u8fd9\u4e2a\u6587\u4ef6\u5b58\u5230 /etc/systemd/system/route-all.service\uff0creload \u518d enable \u5c31\u53ef\u4ee5\u4e86\u3002

\u6539 systemd-networkd.service \u9700\u8981\u989d\u5916\u6ce8\u610f

\u8fd9\u4e2a\u81ea\u5e26\u7684\u670d\u52a1\u6709\u4e00\u4e2a User=systemd-networkd\uff0c\u4f60\u65e2\u4e0d\u80fd ip rule \u4e5f\u4e0d\u80fd\u5199\u5165 /run/systemd \u7b49\uff0c\u4f1a\u5bfc\u81f4\u670d\u52a1\u70b8\u6389\uff0c\u7136\u540e\u7f51\u4e5f\u70b8\u4e86\u3002\u3002\u3002

\u5982\u679c\u8981\u6539 networkd \u670d\u52a1\u64cd\u4f5c ip rule \u7684\u8bdd\uff0c\u9700\u8981\u5728\u547d\u4ee4\u884c\u524d\u9762\u52a0\u4e00\u4e2a + \u8868\u793a\u8be5\u547d\u4ee4\u4e0d\u53d7 User= \u7b49\u6743\u9650\u8bbe\u7f6e\u5f71\u54cd\uff0c\u8be6\u7ec6\u89e3\u91ca\u89c1 systemd.service \u6587\u6863\u3002

"},{"location":"services/mirrors/4/networking/route/#special-routing","title":"Special routing","text":"

\u90e8\u5206 IP \u9700\u8981\u914d\u7f6e\u7279\u6b8a\u8def\u7531\u89c4\u5219\u65f6\uff08\u800c\u4e0d\u662f\u4f7f\u7528\u9ed8\u8ba4\uff09\uff0c\u7f16\u8f91 /usr/local/network_config/special.yml\uff0c\u5176\u683c\u5f0f\u5982\u4e0b\uff1a

routes: # Root key\uff0c\u4fdd\u7559\n  lugvpn: # /etc/systemd/network \u4e2d\u5bf9\u5e94\u7684 .network \u6587\u4ef6\u540d\n    # \u4e0b\u9762\u662f\u4e00\u4e2a\u8def\u7531\u6587\u4ef6\u7684\u914d\u7f6e\uff0c\u4e00\u4e2a\u6587\u4ef6\u5171\u4eab\u4e00\u4e2a table \u548c gateway \u8bbe\u7f6e\n    - name: route-special # \u5c06\u8981\u521b\u5efa\u7684 .conf \u6587\u4ef6\u540d\uff0c\u53ef\u4ee5\u968f\u610f\n      table: Special # \u8def\u7531\u8868\uff0c\u5373 ip route add table \u540e\u9762\u7684\u53c2\u6570\uff0c\u6570\u5b57\u6216\u8868\u540d\n      gateway: false # \u662f\u5426\u5305\u542b\u7f51\u5173\uff0c\u6216\u8005 ip route \u7684 via \u53c2\u6570\n      routes: # \u6240\u6709\u7684\u8def\u7531\u6761\u76ee\n        - 1.2.3.4\n        - 5.6.7.8/28\n        - 2001:db8::2333/64\n\n  cernet: # \u66f4\u591a\u7684\u914d\u7f6e\n    - ...\n

\u4fee\u6539 special.yml \u4e4b\u540e\u91cd\u542f route-all.service\u3002\u8be5\u670d\u52a1\u4f1a\u81ea\u52a8\u5bfc\u81f4 systemd-networkd.service \u91cd\u542f\u5e76\u8f7d\u5165\u65b0\u7684\u8def\u7531\u914d\u7f6e\u4fe1\u606f\u3002

special.rb \u5904\u7406\u811a\u672c\uff08\u653e\u5728\u8fd9\u5907\u4efd\uff09
#!/usr/bin/ruby\n\nrequire 'fileutils'\nrequire 'yaml'\n\nBASEDIR = '/run/systemd/network'\nRT_TABLES = '/etc/iproute2/rt_tables'\n\nrt_tables = Hash.new\nFile.readlines(RT_TABLES).each do |l|\n  next if l =~ /^\\s*#/\n  id, name = l.split\n  rt_tables[name] = id\nend\n\ndata = YAML.load_file File.join(__dir__, 'special.yml')\ndata['routes'].each do |fn, setups|\n  confdir = File.join(BASEDIR, \"#{fn}.network.d\")\n  FileUtils.mkdir_p confdir\n\n  setups.each do |config|\n    table = config['table']\n    gateway = config['gateway']\n    File.open File.join(confdir, \"#{config['name']}.conf\"), 'w' do |f|\n      config['routes'].each do |dst|\n        t = \"[Route]\\nDestination=#{dst}\\n\"\n        t += \"Table=#{rt_tables.fetch table, table}\\n\" if table\n        t += \"Gateway=#{gateway}\\n\" if gateway\n        f.write t + \"\\n\"\n      end\n    end\n  end\nend\n

route-all.service \u6709\u5f88\u591a\u6ce8\u610f\u4e8b\u9879

\u4e3a\u4e86\u6e05\u7406\u5f00\u673a\u81ea\u52a8\u4ea7\u751f\u7684 32766 \u548c 32767 \u4e24\u6761\u8def\u7531\u89c4\u5219\uff0c\u6211\u4eec\u540c\u65f6\u4e3a systemd-networkd.service \u6dfb\u52a0\u4e86\u4e24\u4e2a ExecStartPre \u5982\u4e0b\uff1a

[Service]\nExecStartPre=-+/sbin/ip rule delete from all table main pref 32766\nExecStartPre=-+/sbin/ip rule delete from all table default pref 32767\n

\u53e6\u9644\u5b8c\u6574\u7684 route-all.service \u6587\u4ef6\uff1a

[Unit]\nDescription=Generate routes for systemd-networkd\nBefore=systemd-networkd.service\n\n[Service]\nType=oneshot\nExecStart=/bin/bash /usr/local/network_config/route-all.sh\nExecStart=/usr/local/network_config/special.rb\nRemainAfterExit=true\n\n[Install]\nWantedBy=network.target systemd-networkd.service\nWants=systemd-networkd.service\n
"},{"location":"services/pxe/","title":"PXE","text":"

\u5bf9\u6821\u56ed\u7f51\u7528\u6237\u4e0e\u6821\u5916\u7528\u6237\u516c\u5f00\u7684 PXE \u670d\u52a1\u3002LIIMS \u4e0e\u76ee\u524d\u7684 PXE \u867d\u7136\u8fd0\u884c\u5728\u540c\u4e00\u53f0\u670d\u52a1\u5668\u4e0a\uff0c\u4f46\u662f\u914d\u7f6e\u6709\u6240\u4e0d\u540c\u3002

\u672c\u6587\u6863\u9700\u8981\u5927\u5e45\u6269\u5145

"},{"location":"services/pxe/#intro","title":"Intro","text":"

https://lug.ustc.edu.cn/wiki/server/pxe/

https://lug.ustc.edu.cn/planet/2018/10/PXE-intro/

\u5173\u4e8e FAQ

https://lug.ustc.edu.cn/wiki/server/pxe/faq/ \u5b9e\u5728\u662f\u5e74\u5934\u592a\u4e45\u8fdc\u4e86\uff0c\u65e0\u6cd5\u66f4\u65b0\u3002\u65b0\u7684\u5185\u5bb9\u8bb0\u5f55\u5728\u672c\u6587\u6863\u4e2d\u3002

\u4e00\u822c\u7684\u542f\u52a8\u6d41\u7a0b\u662f\uff1a

  1. iPXE\uff0c\u6216\u8005\u4e3b\u677f\u4e0a\u83b7\u53d6\u7684 DHCP \u542f\u52a8\u4fe1\u606f\u7684\u56fa\u4ef6\u4e0b\u8f7d\u5e76\u52a0\u8f7d GRUB \u76f8\u5173\u6587\u4ef6\u3002
  2. \u5982\u679c MAC \u5730\u5740\u4e0d\u4e3a\u6307\u5b9a\u503c\uff0c\u90a3\u4e48\u52a0\u8f7d\u83dc\u5355\u5e76\u663e\u793a\uff1b\u7136\u540e\u52a0\u8f7d Linux \u5185\u6838\u4e0e initramfs \u7b49\u4e8b\u9879\u7531 GRUB \u8d1f\u8d23\u3002
  3. Initramfs \u4ece\u542f\u52a8\u53c2\u6570\u6302\u8f7d NFS \u4e3a rootfs\uff0c\u8fdb\u884c\u4e0b\u4e00\u6b65\u7684\u542f\u52a8\u3002
"},{"location":"services/pxe/#_1","title":"\u4f7f\u7528/\u8c03\u8bd5","text":"

PXE \u5728\u6821\u56ed\u7f51\u4e2d\u76f4\u63a5\u53ef\u7528\uff0c\u56e0\u4e3a\u5b66\u6821\u7684 DHCP \u670d\u52a1\u5668\u7ecf\u8fc7\u4e86\u914d\u7f6e\u3002

\u5982\u679c\u9700\u8981\u5728\u865a\u62df\u673a\u4e2d\u8c03\u8bd5\uff0c\u53ef\u4ee5\uff1a

\u63a8\u8350\u4f7f\u7528\u7684\u865a\u62df\u673a\u65b9\u6848

PXE \u80fd\u591f\u6210\u529f\u8fd0\u884c\u4e0e\u5426\u6709\u53ef\u80fd\u548c\u865a\u62df\u673a\u73af\u5883\uff08\u7279\u522b\u662f\u865a\u62df\u7f51\u5361\u578b\u53f7\uff09\u9ad8\u5ea6\u76f8\u5173\u3002\u63a8\u8350\u4f7f\u7528 QEMU\u3002

\u5176\u4e2d\u4e3b\u8981\u4f7f\u7528\u7684\u662f\u57fa\u4e8e GRUB2 \u548c simple-pxe \u7684\u65b0 PXE \u65b9\u6848\u3002\u4e3b\u677f\u56fa\u4ef6\u4f7f\u7528 TFTP \u534f\u8bae\u83b7\u53d6 GRUB2 \u7a0b\u5e8f\uff08core.0 \u6216\u8005 core.efi\uff09\u4e4b\u540e\uff0cGRUB2 \u4f1a\u901a\u8fc7 HTTP \u534f\u8bae\u83b7\u53d6\u5269\u4e0b\u6240\u6709\u7684\u6587\u4ef6\u3002

TFTP

\u548c FTP active \u6a21\u5f0f\u4e00\u6837\uff0cTFTP \u662f\u4e00\u4e2a\u6709\u70b9\u9ebb\u70e6\u7684\u534f\u8bae\uff0c\u5982\u679c\u4f60\u7684\u865a\u62df\u673a\u65e0\u6cd5\u4e0d\u7ecf\u8fc7 NAT \u8fde\u63a5 PXE \u670d\u52a1\u5668\uff0c\u90a3\u4e48\u5c31\u9700\u8981\u8c03\u6574\u7f51\u7edc\u914d\u7f6e\uff0c\u4f1a\u5f88\u9ebb\u70e6\uff0c\u518d\u52a0\u4e0a\u5bf9\u6821\u5916\u8bbf\u95ee\u9700\u6c42\u7684\u8003\u91cf\uff0c\u56e0\u6b64\u76ee\u524d\u7684\u8003\u8651\u662f\u5c3d\u91cf\u4f7f\u7528 HTTP\u3002

\u57fa\u4e8e SYSLINUX \u7684\u8001 PXE \u65b9\u6848\uff08lpxelinux.0 -> bin/lpxelinux.0\uff09\u76ee\u524d\u4ecd\u53ef\u542f\u52a8\uff0c\u4f46\u662f\u4e0d\u4f7f\u7528\u3002

"},{"location":"services/pxe/#syslinux","title":"SYSLINUX \u66f4\u65b0","text":"

\u867d\u7136\u4e0d\u7ef4\u62a4\u4e86\uff0c\u4f46\u662f\u4ee5\u4e0b\u5185\u5bb9\u4ecd\u4f5c\u8bb0\u5f55\uff1a

wget https://mirrors.ustc.edu.cn/fedora/releases/40/Everything/x86_64/os/Packages/s/syslinux-tftpboot-6.04-0.26.fc40.noarch.rpm\n# decompress\nrpm2cpio syslinux-tftpboot-6.04-0.26.fc40.noarch.rpm | cpio -idmv\ncd tftpboot\nln -s lpxelinux.0 pxelinux.0\nln -s lpxelinux.0 undionly.kpxe\n

\u5f97\u5230\u7684 tftpboot \u76ee\u5f55\u66ff\u4ee3\u539f\u5148\u7684 tftp/bin \u76ee\u5f55\u3002\u542f\u52a8 VM \u7684\u65f6\u5019\u53ef\u4ee5 Wireshark \u770b\u770b\u5b83\u4e0b\u8f7d\u4e86\u54ea\u4e9b\u6587\u4ef6\u3002\u540c\u65f6\u8fd8\u6709\u4e2a pxeknife\uff0c\u76ee\u524d\u53ea\u5728 SYSLINUX \u7684 PXE \u65b9\u6848\u4e2d\u53ef\u7528\u3002

pypxe

pypxe \u4f3c\u4e4e\u53ea\u5728 SYSLINUX \u65b9\u6848\u4e2d\u4f7f\u7528\u3002

"},{"location":"services/pxe/#uefi","title":"\u4f7f\u7528 UEFI \u76f4\u63a5\u542f\u52a8","text":"

QEMU \u4e00\u822c\u4f7f\u7528\u7684 UEFI \u56fa\u4ef6 OVMF \u652f\u6301\u76f4\u63a5\u4ece HTTP \u542f\u52a8\u3002\u5728\u5199\u4f5c\u65f6\uff0cArch Linux \u6253\u5305\u7684 OVMF \u6ca1\u7f16\u8bd1\u6b64\u7279\u6027\uff0c\u5176\u4ed6\u7684\u53d1\u884c\u7248\u4e5f\u6709\u53ef\u80fd\u4e0d\u652f\u6301\uff0c\u56e0\u6b64\u9700\u8981\uff1a

  1. \u4ece https://www.kraxel.org/repos/jenkins/edk2/ \u4e0b\u8f7d x64 \u7248\u672c\u7684 rpm \u5e76\u89e3\u538b
  2. \u7136\u540e\u4f7f\u7528\u4ee5\u4e0b\u547d\u4ee4\u542f\u52a8 QEMU\uff1a

    qemu-system-x86_64 -L . --bios ../ovmf-x64/OVMF-pure-efi.fd\n

    \u542f\u52a8\u540e\u9a6c\u4e0a\u6309\u4e0b ESC\uff0c\u8fdb\u5165\u914d\u7f6e\u754c\u9762\uff0c\u7136\u540e\u9605\u8bfb https://github.com/tianocore/tianocore.github.io/wiki/HTTP-Boot \u505a\u8fdb\u4e00\u6b65\u914d\u7f6e\u3002

"},{"location":"services/pxe/#grub2","title":"\u5236\u4f5c GRUB2 \u955c\u50cf","text":"

\u65e7\u7248\u672c\u7684 GRUB2 \u53ef\u80fd\u6709 bug\uff08\u4f8b\u5982 https://github.com/ustclug/discussions/issues/456\uff09\uff0c\u56e0\u6b64\u6709\u65f6\u5019\u9700\u8981\u5347\u7ea7\u3002

\u66f4\u65b0\u7b56\u7565\u8003\u8651\u4f7f\u7528 Debian stable \u7684 grub2\u3002\u542f\u52a8\u5bb9\u5668\u5e76\u4e14\u5c06\u5916\u9762\u7684\u76ee\u5f55 bind mount\uff1a

docker run -it --rm -v $(pwd)/tftp:/srv/tftp ustclug/debian:12\n

\u7136\u540e\u5728\u5bb9\u5668\u4e2d\u6267\u884c\uff1a

apt update && apt install grub-common grub-pc grub-efi-amd64-signed\ngrub-mknetdir\ngrub-mkimage -d /usr/lib/grub/i386-pc -O i386-pc-pxe -o /srv/tftp/boot/grub/i386-pc/core.0 -p '(http,202.38.93.94)/boot/tftp/grub/' pxe http\ngrub-mkimage -d /usr/lib/grub/x86_64-efi -O x86_64-efi -o /srv/tftp/boot/grub/x86_64-efi/core.efi -p '(http,202.38.93.94)/boot/tftp/grub/' efinet http\n

\u6700\u540e\u4e24\u4e2a grub-mkimage \u662f\u56e0\u4e3a grub-mknetdir \u751f\u6210\u7684\u955c\u50cf\u4f7f\u7528 tftp \u534f\u8bae\uff0c\u5728\u8c03\u8bd5\u65f6\u53ef\u80fd\u4f1a\u6709\u95ee\u9898\u3002\u6211\u4eec\u5e0c\u671b GRUB2 \u80fd\u591f\u5168\u7a0b\u4f7f\u7528 HTTP \u505a\u5269\u4e0b\u7684\u5de5\u4f5c\u3002

\u66f4\u6362\u6587\u4ef6\u7684\u65f6\u5019\u522b\u628a\u914d\u7f6e\u8986\u76d6\u4e86\u3002

"},{"location":"services/pxe/#ipxe-iso","title":"\u6784\u5efa iPXE ISO","text":"

\u53c2\u8003 https://ipxe.org/embed\u3002

#!ipxe\n\n# Generated by GPT-4\ndhcp\nset 210:string http://202.38.93.94/boot/tftp/\n\n# UEFI boot?\niseq ${platform} efi && goto uefi || goto bios\n\n:uefi\necho \"UEFI boot detected\"\nchain ${210:string}bootx64.efi\nexit\n\n:bios\necho \"BIOS boot detected\"\nchain ${210:string}pxelinux.0\nexit\n

clone ipxe/ipxe \u4ed3\u5e93\uff0c\u8fdb\u5165 src \u76ee\u5f55\uff0c\u7136\u540e\u6267\u884c\uff1a

# https://github.com/ipxe/ipxe/pull/50\nmake bin-x86_64-efi/ipxe.efi bin/ipxe.lkrn\n./util/genfsimg -o ustc.ipxe.iso -s ../../ustc.ipxe bin-x86_64-efi/ipxe.efi bin/ipxe.lkrn\n
"},{"location":"services/pxe/#_2","title":"\u67b6\u6784","text":"

\u65b0 PXE \u65b9\u6848\u7684 HTTP \u670d\u52a1\u5668\u4e3a Apache + Nginx\u3002URL \u4e2d\u7684 boot2 \u5bf9\u5e94 /nfsroot/pxe\u3002

\u5904\u7406 web \u670d\u52a1\u5668

\u76ee\u524d PXE \u673a\u5668\u7684 web \u670d\u52a1\u5668\u6709\u70b9\u8be1\u5f02\uff0cApache2 \u76d1\u542c 80\uff0cNginx \u76d1\u542c 443\uff0c\u540e\u7eed\u9700\u8981\u8c03\u6574\u5904\u7406\u3002

\u6587\u4ef6\u8df3\u8f6c\u914d\u7f6e

Apache2 \u4e2d\u914d\u7f6e\u4e86\u4e00\u4e9b alias \u8df3\u8f6c\uff0c\u540c\u6837\u7684\uff0cTFTP \u4e5f\u6709\u7c7b\u4f3c\u7684\u914d\u7f6e\uff08/etc/xinetd.d/tftp \u7684 server_args \u91cc\u9762\u6709 -m /home/pxe/tftp/REMAP\uff09\u3002

\u9700\u8981\u68c0\u67e5\u4e00\u81f4\u6027\u3002

\u5982\u679c\u51fa\u73b0\u95ee\u9898\u9700\u8981\u8c03\u8bd5\uff0c\u5efa\u8bae\u6293\u5305\uff08\u53ef\u4ee5\u4f7f\u7528 Wireshark \u67e5\u770b TFTP \u6216 HTTP \u534f\u8bae\uff09\u770b\u662f\u5426\u6b63\u5e38\u3002

\u6bcf\u5929\u51cc\u6668\uff0cpxe \u7528\u6237\u7684 crontab \u4efb\u52a1\u4f1a\u6267\u884c https://github.com/ustclug/simple-pxe/blob/master/simple-pxe-in-docker\uff08\u6587\u4ef6\u4f4d\u4e8e pxe \u7528\u6237\u7684 home \u4e2d\uff09\uff0c\u5b9e\u73b0 PXE \u76f8\u5173\u6587\u4ef6\u7684\u66f4\u65b0\u3002

"},{"location":"services/pxe/#faults","title":"\u6545\u969c","text":"

pxe \u670d\u52a1\u5668\u5728\u5347\u7ea7\u5230 Debian Bullseye (11) \u540e\u65e0\u6cd5\u6b63\u5e38\u5f00\u673a\uff0c\u7ecf\u8fc7 GRUB \u8fdb\u5165\u5185\u6838\u540e\u6bcf 5 \u79d2\u5237\u51fa\u4ee5\u4e0b\u4fe1\u606f\uff1a

DMAR: DRHD: handling fault status reg 2\nDMAR: [DMA Read] Request device [03:00.0] PASID ffffffff fault addr cb2f0000 [fault reason 06] PTE Read access is not set\nDMAR: DRHD: handling fault status reg 102\n

\u7531\u4e8e\u6b64\u65f6\u521a\u5347\u7ea7\u81f3 Debian Bullseye\uff0c\u6240\u4ee5\u7cfb\u7edf\u4ecd\u7136\u4fdd\u7559\u4e86 Debian Buster \u7684 4.19 \u7248\u5185\u6838\u3002\u91cd\u542f\u8fdb\u8be5\u5185\u6838\u53ef\u6b63\u5e38\u542f\u52a8\u5e76\u8fd0\u884c\u670d\u52a1\uff0c\u4f46\u53ea\u8981\u8fdb 5.10 \u7684\u5185\u6838\u5c31\u4f1a\u51fa\u73b0\u4ee5\u4e0a\u9519\u8bef\u3002\u6d4b\u8bd5 Proxmox VE \u63d0\u4f9b\u7684 pve-kernel-5.15 \u4e5f\u662f\u540c\u6837\u95ee\u9898\u3002

\u641c\u7d22\u53d1\u73b0\u4e3b\u673a\u4f7f\u7528\u7684 RAID \u5361 PERC H310 \u4e0d\u652f\u6301\u76f4\u901a\uff08IOMMU \u865a\u62df\u5316\uff09\uff0c\u914d\u7f6e GRUB \u52a0\u5165 intel_iommu=off \u540e\u53ef\u4ee5\u6b63\u5e38\u8fdb\u5165 5.10 \u7684\u5185\u6838\uff0c\u4f5c\u4e3a\u89e3\u51b3\u65b9\u6848\u3002

\u8c03\u67e5\u7ed3\u679c

\u6309\u8bf4 IOMMU\uff08VT-d\uff09\u4e0d\u5e94\u8be5\u9ed8\u8ba4\u542f\u7528\uff0c\u56e0\u6b64\u731c\u6d4b 5.10+ \u7684\u5185\u6838\u4f1a\u4e3b\u52a8\u5c1d\u8bd5\u5f00\u542f IOMMU\uff0c\u5bfc\u81f4 RAID \u5361\u51fa\u9519\u3002

\u6bd4\u8f83 /boot/config-4.19.0-18-amd64 \u548c /boot/config-5.10.0-11-amd64 \u540e\u53d1\u73b0 5.10 \u7248\u7684 config \u591a\u4e86\u4e00\u884c CONFIG_INTEL_IOMMU_DEFAULT_ON_INTGPU_OFF=y\uff0c\u641c\u7d22\u53d1\u73b0 Debian bug #932086\uff0c\u5373 Debian \u9ed8\u8ba4\u5bf9\u9664\u4e86 Intel GPU \u4ee5\u5916\u7684\u8bbe\u5907\u542f\u7528 IOMMU\uff08linux 5.2.9-2\uff09\u3002

\u53c2\u8003\u94fe\u63a5\uff1a

"},{"location":"services/pxe/images/","title":"PXE \u955c\u50cf","text":""},{"location":"services/pxe/images/#uefi-shell","title":"UEFI Shell","text":"

https://github.com/ustclug/simple-pxe/blob/master/menu.d/tool.sh

\u4f9d\u8d56\u4e8e Arch Linux \u63d0\u4f9b\u7684 EFI \u6587\u4ef6\u3002

"},{"location":"services/pxe/images/#memtest86","title":"Memtest86+","text":"

https://github.com/memtest86plus/memtest86plus

\u6b64\u5916 memtest86 \u6709\u4e2a\u95ed\u6e90\u5b9e\u73b0\uff0c\u4e0d\u8003\u8651\u7ee7\u7eed\u7ef4\u62a4\u3002

\u4ee5\u4e0b\u6b65\u9aa4\u53c2\u8003\u4e86 https://gitlab.archlinux.org/archlinux/packaging/packages/memtest86plus/-/blob/main/PKGBUILD?ref_type=heads\u3002

git clone https://github.com/memtest86plus/memtest86plus.git\ncd memtest86plus/build64\nmake\n

\u5f97\u5230\u7684 memtest.bin \u662f BIOS \u7248\u7684\uff0cmemtest.efi \u662f UEFI \u7248\u7684\u3002

\u542f\u52a8\u83dc\u5355\uff1ahttps://github.com/ustclug/simple-pxe/blob/master/menu.d/tool.sh\u3002

"},{"location":"services/pxe/images/#gparted","title":"GParted","text":"

https://github.com/ustclug/simple-pxe/blob/master/menu.d/gparted.sh\u3002

\u542f\u52a8\u53c2\u6570\u4e0d\u80fd\u52a0 ip=\uff1ahttps://gitlab.gnome.org/GNOME/gparted/-/issues/141\u3002

"},{"location":"services/pxe/liims/","title":"LIIMS","text":"

Short for Libray Independent Inquery Machine System.

Server: pxe.s.ustclug.org

Git Repository:

It is strongly advised to clone liimstrap and read through it when reading this document.

"},{"location":"services/pxe/liims/#add-machine","title":"\u542f\u52a8\u914d\u7f6e","text":"

\u914d\u7f6e\u6587\u4ef6\u5728 /home/pxe/tftp/grub/grub.cfg.d\uff0c\u82e5\u8981\u5141\u8bb8\u65b0\u673a\u5668\u542f\u52a8 liims \u955c\u50cf\uff0c\u521b\u5efa\u4e00\u4e2a\u7b26\u53f7\u94fe\u63a5\u5230\u5bf9\u5e94\u7684\u914d\u7f6e\u6587\u4ef6\u3002\u4f8b\u5982\uff1a

ln -s common_el 02:23:45:67:89:ab\n

\u76ee\u524d\u6211\u4eec\u901a\u8fc7\u51e0\u4e2a\u7b26\u53f7\u94fe\u63a5\u5c06\u914d\u7f6e\u6587\u4ef6\u201c\u5206\u7ec4\u201d\uff0cMAC \u5730\u5740\u5bf9\u5e94\u7684\u7b26\u53f7\u94fe\u63a5\u5e94\u8be5\u94fe\u63a5\u5230\u8fd9\u4e9b\u5206\u7ec4\u4e0a\u3002\u5df2\u6709\u7684\u5206\u7ec4\u5982\u4e0b\uff1a

\u9664\u6b64\u4e4b\u5916\uff0c\u8fd8\u9700\u8981\u5728\u67e5\u8be2\u673a\u76d1\u63a7\u7a0b\u5e8f\u4e2d\u6dfb\u52a0\u8be5 MAC \u5730\u5740\uff0c\u89c1\u4e0b\u65b9\u67e5\u8be2\u673a\u76d1\u63a7\u3002

"},{"location":"services/pxe/liims/#lib-api","title":"\u4e3a\u56fe\u4e66\u9986\u8001\u5e08\u5f00\u653e\u7684\u63a5\u53e3","text":"

\u56fe\u4e66\u9986\u8001\u5e08\u53ef\u4ee5\u901a\u8fc7 SSH \u767b\u5f55\u673a\u5668\u76f4\u63a5\u521b\u5efa\u6240\u9700\u7684\u7b26\u53f7\u94fe\u63a5\uff08\u4f46\u662f\u8fd8\u9700\u8981\u6211\u4eec\u6765\u6539\u76d1\u63a7\u7a0b\u5e8f\u7684 json\uff09\u3002\u76f8\u5173\u914d\u7f6e\u5982\u4e0b\uff1a

/etc/sudoers.d/sonnie
sonnie ALL=(pxe) NOPASSWD: /home/pxe/tftp/grub/grub.cfg.d/add_host.py *\n
/etc/ssh/sshd_config
Match User sonnie\n    AllowUsers sonnie\n    PubkeyAuthentication yes\n    AuthorizedKeysFile .ssh/authorized_keys\n

/etc/nsswitch.conf

\u628a sudoers \u4e00\u884c\u4e2d\u7684 ldap \u79fb\u5230 files \u524d\u9762\u3002

\u9ed8\u8ba4\u60c5\u51b5\u4e0b ldap \u5728 files \u540e\u9762\uff0c\u90a3\u4e48\u6765\u81ea LDAP \u7684 sudo rules \u4f1a\u6392\u5728 sudoers \u6587\u4ef6\u4e2d\u7684 rules \u7684\u540e\u9762\uff0c\u800c sudo \u662f\u540e\u9762\u7684\u89c4\u5219\u4f18\u5148\u7ea7\u66f4\u9ad8\uff0c\u4f1a\u5bfc\u81f4\u65e0\u6cd5 NOPASSWD \u8fd0\u884c\u811a\u672c\u3002

"},{"location":"services/pxe/liims/#_1","title":"\u542f\u52a8\u955c\u50cf","text":"

\u4f4d\u4e8e /home/pxe/nfsroot/<category>/<name>\uff0c\u5176\u4e2d <name> \u5c31\u662f\u955c\u50cf\u540d\u79f0\uff08\u4f8b\u5982 liims160909\uff09\u3002\u76ee\u524d\u6709\u4e24\u79cd\u90e8\u7f72\u65b9\u5f0f\uff1a\u4e00\u79cd\u662f NFS as rootfs\uff0c\u6587\u4ef6\u5939\u4e2d\u5c31\u662f\u6574\u4e2a rootfs\uff0c\u76f4\u63a5\u4fee\u6539\u8fd9\u91cc\u7684\u6587\u4ef6\uff0c\u673a\u5668\u91cd\u542f\u540e\u5c31\u4f1a\u8f7d\u5165\u3002\uff08\u6ce8\u610f\uff1a\u8986\u76d6\u6587\u4ef6\u53ef\u80fd\u5bfc\u81f4\u5df2\u6709\u7684\u673a\u5668\u8fd0\u884c\u9519\u8bef\uff09

\u53e6\u4e00\u79cd\u662f\u6253\u5305\u538b\u7f29\u4e3a squashfs\uff0c\u6b64\u65f6\u6587\u4ef6\u5939\u4e0b\u4e09\u4e2a\u6587\u4ef6\u5206\u522b\u4e3a vmlinuz\uff08kernel\uff09, initrd.img \u548c root.sfs\uff08squashfs \u955c\u50cf\uff09\u3002\u5982\u679c\u9700\u8981\u4fee\u6539\uff0c\u53ef\u4ee5\u4f7f\u7528 unsquashfs \u89e3\u538b\u7f29\uff0c\u4fee\u6539\u5b8c\u6210\u540e\u53c2\u8003\u4ed3\u5e93\u4e2d deploy \u6587\u4ef6\u518d\u538b\u7f29\u4e3a squashfs\u3002

IP \u767d\u540d\u5355\u91c7\u7528 iptables \u5b9e\u73b0\uff0c\u4fee\u6539 rootfs \u4e0b\u7684 etc/iptables/rules.v4 \u548c rules.v6 \u53ef\u4fee\u6539\u7b56\u7565\u3002\u6ce8\u610f\uff1a\u9632\u706b\u5899\u7b56\u7565\u4ec5\u5728\u673a\u5668\u542f\u52a8\u65f6\u4f1a\u8f7d\u5165\u4e00\u6b21\u3002

"},{"location":"services/pxe/liims/#_2","title":"\u955c\u50cf\u6784\u5efa","text":"

\u5907\u6ce8

\u6b64\u8282\u7684\u5185\u5bb9\u4ec5\u9002\u7528\u4e8e 2022 \u4e4b\u524d\u7684\u8001\u7248\u672c\uff0c\u65b0\u7248\u672c\u6709\u5173\u6784\u5efa\u3001\u8c03\u8bd5\u7b49\u5185\u5bb9\u8bf7\u76f4\u63a5\u9605\u8bfb liimstrap \u4ed3\u5e93 README\u3002

\u4f7f\u7528 liimstrap \u5728 ArchLinux \u4e0b\u8fdb\u884c\u6784\u5efa\uff0cliimstrap \u4f7f\u7528\u65b9\u6cd5\u53c2\u8003\u4ed3\u5e93\u4e2d\u7684\u8bf4\u660e\u3002

\u6784\u5efa\u540e\u9700\u8981\u63a8\u9001\u5230\u670d\u52a1\u5668\u4e0a\u7684 /nfsroot/liims \u4e0b\uff0c\u5e76\u8bbe\u7f6e /usr \u7684\u6240\u6709\u8005\u4e3a liims\u3002\u673a\u5668\u7684\u9ed8\u8ba4 pxe \u542f\u52a8\u914d\u7f6e\u5728 /home/pxe/tftp/pxelinux.cfg/ \u4e0b

"},{"location":"services/pxe/liims/#qemu","title":"\u793a\u4f8b qemu \u8c03\u8bd5\u65b9\u6cd5","text":"

\u521b\u5efa\u5e76\u6302\u8f7d\u4e34\u65f6\u955c\u50cf:

dd if=/dev/zero of=liims.img bs=4k count=1200000\nmkfs.ext4 liims.img\nmount -o loop liims.img /mnt\n

\u5047\u8bbe\u5f53\u524d\u8def\u5f84\u4e3a liimstrap\uff0c\u4fee\u6539 initcpio/mkinitcpio.conf\uff0c\u53bb\u6389 HOOKS \u4e2d\u7684 liims_root\uff0c\u589e\u52a0 block\uff08\u4ec5\u8c03\u8bd5\u65f6\u9700\u8981\uff09\u3002 \u4f7f\u7528 liimstrap \u5236\u4f5c\u955c\u50cf ./liimstrap /mnt\u3002\u5b8c\u6210\u540e\u4f7f\u7528 qemu \u6253\u5f00\u8c03\u8bd5:

qemu -kernel /mnt/boot/vmlinuz-lts\\\n     -initrd /mnt/boot/initramfs-linux-lts.img\\\n     -hda liims.img\\\n     -netdev user,id=mynet0,net=114.214.188.0/24,dhcpstart=114.214.188.9\\\n     -device i82557a,netdev=mynet0\\\n     -append \"root=/dev/sda rootflags=rw\"\n

\u6ce8\uff1a\u5176\u4e2d netdev \u4e2d\u7684 ip \u6bb5\u53ef\u4ee5\u81ea\u7531\u9009\u53d6\uff0cdevice \u4e2d\u7684\u8bbe\u5907\u540d\u901a\u8fc7 qemu -device \\? \u67e5\u770b\u540e\u9009\u62e9\u4efb\u4e00\u7f51\u7edc\u8bbe\u5907\u5373\u53ef

"},{"location":"services/pxe/liims/#monitor","title":"\u67e5\u8be2\u673a\u76d1\u63a7","text":"

http://pxe.ustc.edu.cn:3000/

2022 \u5e74\u524d\uff0c\u63d0\u4f9b\u670d\u52a1\u7684\u662f\u4e00\u4e2a Docker \u5bb9\u5668\u3002\u5728 iBug \u7528 Go \u91cd\u5199\u4e4b\u540e\uff0c\u76ee\u524d\u76f4\u63a5\u8dd1\u5728 host \u4e0a\u3002

\u6dfb\u52a0\u65b0\u673a\u5668

\u4fee\u6539 https://github.com/ustclug/liimstrap/blob/master/monitor/clients.json \u540e\uff0c\u5728 pxe \u4e0a clone \u5e76\u5728\u5f53\u524d\u76ee\u5f55 build\u3002\u4f7f\u7528 docker-run-script \u4e2d\u5bf9\u5e94\u811a\u672c\u6267\u884c\u5bb9\u5668\u5373\u53ef\u3002

\u4fee\u6539 /etc/liims-monitor/clients.json \u4e4b\u540e systemctl reload liims-monitor.service \u5373\u53ef\u3002

/etc/liims-monitor/clients.json
{\n    \"name\": \"\u4e1c\u533a\u4e09\u697c\u4e1c01\",\n    \"mac\": \"0223456789ab\"\n}\n
"},{"location":"workflow/new-server/","title":"New Server Setup Checklist","text":""},{"location":"workflow/new-server/#ntp-date","title":"NTP Date","text":"

Install either chrony or systemd-timesyncd (recommended). Usually chrony comes pre-installed so it's easily forgot.

=== \"Chrony\"

Replace the default NTP pool with USTC's NTP server `time.ustc.edu.cn`, like this:\n\n```shell title=\"/etc/chrony/chrony.conf\" linenums=\"7\"\n# Use Debian vendor zone.\n#pool 2.debian.pool.ntp.org iburst\nserver time.ustc.edu.cn iburst\n```\n\nThen restart the service:\n\n```shell\nsystemctl restart chrony\n```\n

=== \"systemd-timesyncd\"

For Debian 11 and up, we use an override file to configure the NTP server:\n\n```shell title=\"/etc/systemd/timesyncd.conf.d/ustc.conf\"\n[Time]\nNTP=time.ustc.edu.cn\n```\n\nThen restart the service:\n\n```shell\nsystemctl restart systemd-timesyncd\n```\n
"},{"location":"workflow/new-server/#time-zone","title":"Time zone","text":"

Run dpkg-reconfigure tzdata and select Asia/Shanghai as the timezone. Reboot the server.

"},{"location":"workflow/new-server/#use-nft-backend-for-iptables","title":"Use nft-backend for iptables","text":"
update-alternatives --set iptables /usr/sbin/iptables-nft\nupdate-alternatives --set ip6tables /usr/sbin/ip6tables-nft\n
"},{"location":"workflow/new-server/#update-resolvconf","title":"Update resolv.conf","text":""},{"location":"workflow/new-server/#install-console-setup","title":"Install console-setup","text":"

This may have already come with the base system. It's more likely missed if the system is installed from scratch (bootstrapped).

"},{"location":"workflow/new-vm/","title":"Create new server in LUGi","text":"

We no longer have a vSphere cluster, so anything mentioning vSphere is left only for references.

"},{"location":"workflow/new-vm/#create-vm-in-vcenter","title":"Create VM in vCenter","text":"

vCenter \u5730\u5740\uff1avcenter2.vm.ustclug.org

\u6309\u7167\u63d0\u793a\u521b\u5efa\u865a\u62df\u673a

"},{"location":"workflow/new-vm/#install-os-vsphere","title":"Install OS (vSphere)","text":"

Note

\u5c06\u7f51\u7edc\u6539\u4e3a cernet\uff0c\u4ee5\u4fbf\u7528 DHCP \u83b7\u5f97 IP \u5730\u5740\uff0c\u7528 PXE \u5b89\u88c5\u7cfb\u7edf\u3002

\u51e0\u4e2a\u5173\u952e\u914d\u7f6e\uff1a

"},{"location":"workflow/new-vm/#create-vm-on-proxmox-ve","title":"Create VM on Proxmox VE","text":"

\u6211\u4eec\u76ee\u524d\u4e0d\u4f7f\u7528 PVE \u8fd0\u884c LXC \u5bb9\u5668\uff0c\u56e0\u6b64\u672c\u6587\u6863\u53ea\u4ecb\u7ecd\u521b\u5efa KVM \u865a\u62df\u673a\u7684\u6b65\u9aa4\u3002\u63a8\u8350\u4f7f\u7528 web \u754c\u9762\u64cd\u4f5c\uff0c\u9664\u975e\u4f60\u9700\u8981\u6279\u91cf\u521b\u5efa\u865a\u62df\u673a\uff08\u6b64\u65f6\u901a\u8fc7 SSH \u767b\u5f55\u540e\u53ef\u4ee5\u4f7f\u7528 qm \u547d\u4ee4\u6279\u5904\u7406\uff09\u3002

\u767b\u5f55 web \u754c\u9762\uff0c\u70b9\u51fb\u53f3\u4e0a\u89d2\u7684 Create VM\uff0c\u5f39\u51fa\u521b\u5efa\u865a\u62df\u673a\u7684\u5bf9\u8bdd\u6846\u3002

General

\u6b63\u786e\u9009\u62e9\u865a\u62df\u673a\u6240\u5728\u7684 Node\uff08\u5373 Host\uff09\uff0c\u5e76\u6307\u5b9a\u4e00\u4e2a VMID\u3002\u76ee\u524d VMID \u7684\u5206\u914d\u65b9\u6848\u662f\u4e1c\u56fe 300-399\uff0cNIC 200-299\uff0c\u5728\u6b64\u57fa\u7840\u4e0a\u9012\u589e\u5373\u53ef\u3002\u7ed9 VM \u8d77\u4e2a\u6613\u4e8e\u8fa8\u8bc6\u7684\u540d\u79f0\uff0c\u4e0d\u8981\u4e0e\u5df2\u6709 VM \u91cd\u590d\u3002Resource Pool \u7559\u7a7a\u5373\u53ef\u3002

OS

\u9664\u975e\u4f60\u8981\u4f7f\u7528 iso \u955c\u50cf\u624b\u52a8\u5b89\u88c5\u7cfb\u7edf\uff0c\u5426\u5219\u8bf7\u9009\u62e9\u300cDo not use any media\u300d\u3002\u6b63\u786e\u9009\u62e9 Guest OS \u7684\u7c7b\u578b\u548c\u7248\u672c\u3002

System

\u5c06 SCSI Controller \u8bbe\u4e3a VirtIO SCSI\uff08\u6ce8\u610f\u4e0d\u8981\u9009 VirtIO SCSI Single\uff09\uff0c\u52fe\u4e0a Qemu Agent \u9009\u9879\uff0c\u5176\u4ed6\u9009\u9879\u90fd\u9009 Default \u5373\u53ef\u3002

Disks, CPU, Memory

\u6309\u9700\u5206\u914d\uff0c\u78c1\u76d8\u5bb9\u91cf\u5efa\u8bae\u63a7\u5236\u5728 10 GB \u4ee5\u5185\uff08\u4ec5\u7cfb\u7edf\u76d8\uff0c\u53ef\u53e6\u52a0\u6570\u636e\u76d8\uff09\uff0c\u5176\u4e2d Disk \u52fe\u9009\u4e0a Discard\uff0cCPU Type \u63a8\u8350\u9009\u62e9 Host\u3002

Network

\u6309\u9700\u9009\u62e9\uff0cModel \u9009 VirtIO\uff0c\u7136\u540e\u53d6\u6d88\u52fe\u9009 Firewall\u3002

\u8bb0\u5f97\u5728\u865a\u62df\u673a\u7684 Options \u91cc\u5c06 Start at boot \u8bbe\u4e3a Yes

\u5728 Proxmox VE \u4e0a\uff0c\u901a\u8fc7 web \u754c\u9762\u521b\u5efa\u65b0\u865a\u62df\u673a\u540e\uff0c\u53ef\u4ee5\u4f7f\u7528\u666e\u901a\u65b9\u5f0f\u5b89\u88c5\u7cfb\u7edf\uff0c\u4e5f\u53ef\u4ee5\u76f4\u63a5\u5bfc\u5165\u53d1\u884c\u7248\u63d0\u4f9b\u7684\u865a\u62df\u673a\u955c\u50cf\uff08\u9700\u8981\u901a\u8fc7 SSH \u767b\u5f55 Proxmox VE \u6216 NFS \u670d\u52a1\u5668\uff09\u3002

\u4e0b\u9762\u4ee5 Debian \u4e3a\u4f8b\uff0c\u521b\u5efa\u4e00\u4e2a\u65b0\u865a\u62df\u673a\uff0c\u7136\u540e\u6253\u5f00 https://mirrors.ustc.edu.cn/debian-cdimage/cloud/bullseye/\uff0c\u70b9\u51fb\u6700\u65b0\u7684\u76ee\u5f55\uff08\u51fa\u4e8e\u672a\u77e5\u539f\u56e0 latest \u94fe\u63a5\u662f\u574f\u7684\uff09\uff0c\u590d\u5236 debian-11-genericcloud-amd64-<date>-<rev> \u7684\u94fe\u63a5\uff08\u63a8\u8350\u4f7f\u7528 genericcloud \u800c\u4e0d\u662f generic\uff0c\u5176\u9884\u88c5 linux-image-cloud-amd64\uff0c\u76f8\u6bd4\u4e8e\u201c\u5b8c\u6574\u7248\u201d\u5185\u6838\u7cbe\u7b80\u6389\u4e86\u5927\u90e8\u5206\u7269\u7406\u8bbe\u5907\u7684\u9a71\u52a8\u7a0b\u5e8f\uff0c\u9002\u7528\u4e8e\u865a\u62df\u673a\u73af\u5883\uff09\uff0c\u7136\u540e\u767b\u5f55 Proxmox VE \u6216 vdp\uff08NFS \u670d\u52a1\u5668\uff09\uff0c\u4f7f\u7528\u4ee5\u4e0b\u547d\u4ee4\u76f4\u63a5\u4e0b\u8f7d\u955c\u50cf\u81f3\u865a\u62df\u673a\u78c1\u76d8\uff1a

# Proxmox VE (ZFS / LVM), use RAW\nwget -O /dev/zvol/rpool/data/vm-<id>-disk-0 https://mirrors.ustc.edu.cn/<...>.raw\nwget -O /dev/<vg>/<lv> https://mirrors.ustc.edu.cn/<...>.raw\n\n# vdp over NFS, use QCOW2\nwget -O /media/vdp/pve/images/<path>.qcow2 https://mirrors.ustc.edu.cn/<...>.qcow2\n

\u7136\u540e\u5728 web \u754c\u9762\u6307\u5b9a\u865a\u62df\u673a\u7684\u78c1\u76d8\uff08\u5982\u6709\u9700\u8981\uff09\u3002

"},{"location":"workflow/new-vm/#reset-password","title":"Reset password","text":"

\u7531\u4e8e Debian \u63d0\u4f9b\u7684 cloud image \u9ed8\u8ba4\u7981\u7528\u4e86 root \u7528\u6237\uff0c\u9700\u8981\u624b\u52a8\u6302\u8f7d\u78c1\u76d8\uff0c\u7f16\u8f91\u78c1\u76d8\u4e2d\u7684 /etc/shadow \u6587\u4ef6\uff0c\u5c06\u7b2c\u4e00\u884c\u7684 root:*:... \u6539\u4e3a root::...\uff08\u5373\u5220\u6389\u661f\u53f7\uff09\u3002\u6ce8\u610f\u4e0d\u8981\u8bef\u6539\u4e3b\u673a\u7684 shadow \u6587\u4ef6\u3002

Tip

\u6b64\u6b65\u9aa4\u4e5f\u53ef\u4ee5\u66ff\u6362\u4e3a chroot \u8fdb\u53bb\u540e\u4f7f\u7528 passwd \u4fee\u6539\u6216\u6e05\u7a7a\u5bc6\u7801\u3002\u5982\u679c\u4f60\u4e0d\u591f\u719f\u6089 shadow \u6587\u4ef6\u7684\u683c\u5f0f\uff0c\u8fd9\u6837\u505a\u66f4\u5b89\u5168\u3002

\u5bf9\u4e8e ZFS \u548c LVM \u5b58\u50a8\u7684\u78c1\u76d8\uff0c\u53ef\u4ee5\u76f4\u63a5\u6302\u8f7d /dev/zvol/<...> \u6216 /dev/<vg>/<lv>\uff08\u4f60\u53ef\u80fd\u9700\u8981\u4f7f\u7528 kpartx \u5de5\u5177\u52a0\u8f7d\u5206\u533a\uff09\u3002\u5bf9\u4e8e Qcow2 \u6587\u4ef6\u7684\u78c1\u76d8\uff0c\u53ef\u4ee5\u53c2\u8003\u8fd9\u4e2a Gist \u4f7f\u7528 qemu-nbd \u5de5\u5177\u6765\u6302\u8f7d\u3002\u5176\u4e2d nbd \u662f Linux \u539f\u751f\u7684\u5185\u6838\u6a21\u5757\uff0c\u53ef\u4ee5\u653e\u5fc3 modprobe\u3002

\u4f60\u4e5f\u53ef\u4ee5\u5728\u8fd9\u4e00\u6b65\u540c\u65f6\u4fee\u6539\u522b\u7684\u914d\u7f6e\u6587\u4ef6\uff0c\u4f8b\u5982\u628a /etc/apt/sources.list \u6362\u6389\u7b49\u3002\u4fee\u6539\u5b8c\u6210\u540e\u4e0d\u8981\u5fd8\u8bb0 umount\u3002

"},{"location":"workflow/new-vm/#extra-configurations-for-cloud-images","title":"Extra configurations for cloud images","text":"

The first two or three boots may hang or end up in kernel panic - this is completely normal. The cloud image will grow the root partition and filesystem to the virtual disk size. After it's all set, purge everything related to cloud-init.

For better console experiences, install and configure console-setup, and add vga=792 to GRUB_CMDLINE_LINUX in /etc/default/grub. Then run update-grub and reboot.

"},{"location":"workflow/new-vm/#configure-network","title":"Configure network","text":""},{"location":"workflow/new-vm/#install-software","title":"Install software","text":""},{"location":"workflow/new-vm/#configure-ldap-and-ssh-ca","title":"Configure LDAP and SSH CA","text":"

\u89c1 LDAP \u670d\u52a1\u4f7f\u7528\u53ca\u914d\u7f6e\u8bf4\u660e \u548c \u4e3a\u670d\u52a1\u5668\u8bbe\u7f6e SSH CA

"},{"location":"workflow/ldap/add-new-user/","title":"\u5728 LDAP \u4e2d\u6dfb\u52a0\u65b0\u7528\u6237","text":""},{"location":"workflow/ldap/add-new-user/#ldap_1","title":"\u65b0\u5efa LDAP \u7528\u6237","text":"
  1. \u767b\u9646\u7f51\u9875\u754c\u9762
  2. Users > Actions > Create > User
  3. Generic: \u8f93\u5165 Last name\uff0cFirst name\uff0cLogin\uff08\u767b\u5f55\u540d\uff09
  4. POSIX > Generic\uff1a\u8f93\u5165 Home directory\u3002\u4f7f\u7528 Force UID/GID \uff0c\u5177\u4f53\u8bf4\u660e\u8be6\u89c1 LDAP Users \u548c Groups
"},{"location":"workflow/ldap/add-new-user/#ldap_2","title":"\u6dfb\u52a0 LDAP \u7528\u6237\u6743\u9650","text":"

POSIX > Group membership > Add\uff1a\u6839\u636e\u9700\u8981\u6dfb\u52a0\u7684\u6743\u9650\u9009\u62e9\u5bf9\u5e94\u7684\u7ec4\uff0c\u5177\u4f53\u8bf4\u660e\u8be6\u89c1 LDAP Users \u548c Groups

LDAP \u7f13\u5b58

\u82e5\u53d1\u73b0\u7528\u6237\u65e0\u6cd5\u767b\u9646\u7b49\u60c5\u51b5\uff0c\u53ef\u80fd\u662f\u7f13\u5b58\u670d\u52a1 NSCD \u5bfc\u81f4\u7684\uff0c\u5177\u4f53\u53c2\u8003 LDAP Users \u548c Groups\uff1a

"},{"location":"workflow/mirrors/maintenance/","title":"\u5f00\u6e90\u8f6f\u4ef6\u955c\u50cf\u7ad9\u7ef4\u62a4\u65b9\u5f0f","text":"

\u79d1\u5927\u5f00\u6e90\u8f6f\u4ef6\u955c\u50cf\u7ad9\u662f LUG \u6700\u91cd\u8981\u7684\u670d\u52a1\u4e4b\u4e00\uff0c\u56e0\u6b64\u7ef4\u62a4\u64cd\u4f5c\u5fc5\u987b\u8c28\u614e\u3002

"},{"location":"workflow/mirrors/maintenance/#_2","title":"\u91cd\u542f\u7cfb\u7edf","text":"

\u7531\u4e8e mirrors \u670d\u52a1\u91cf\u5927\uff0c\u91cd\u542f\u5e94\u63d0\u524d\u5728 LUG \u670d\u52a1\u5668\u65b0\u95fb\u7ad9 \u53d1\u5e03\u516c\u544a\u3002

"},{"location":"workflow/mirrors/maintenance/#_3","title":"\u5b89\u88c5\u66f4\u65b0","text":""},{"location":"workflow/mirrors/maintenance/#_4","title":"\u666e\u901a\u66f4\u65b0","text":"

\u591a\u6570\u66f4\u65b0\u53ef\u4ee5\u76f4\u63a5\u4ece apt \u6e90\u5b89\u88c5\uff0c\u4f46\u662f\u90e8\u5206\u8f6f\u4ef6\u5e76\u975e\u6765\u81ea Debian \u5b98\u65b9\u4ed3\u5e93\uff08\u4f8b\u5982 OpenResty\uff09\uff0c\u56e0\u6b64\u66f4\u65b0\u7b56\u7565\u53ef\u80fd\u4e0d\u50cf Debian \u90a3\u4e48\u7a33\u5b9a\u3002\u5982\u679c\u9047\u5230\u63d0\u793a\u914d\u7f6e\u6587\u4ef6\u51b2\u7a81\uff0c\u8bf7\u5c3d\u91cf\u9009\u62e9 3-way merge\uff0c\u5982\u679c\u5931\u8d25\u7684\u8bdd\u53ef\u4ee5\u5148 keep local version\uff0c\u7136\u540e\u624b\u52a8\u89e3\u51b3\u5408\u5e76\u51b2\u7a81\u3002

"},{"location":"workflow/mirrors/maintenance/#_5","title":"\u5185\u6838\u66f4\u65b0","text":"

mirrors \u4f7f\u7528\u4e86\u5185\u6838\u6a21\u5757\u63d0\u4f9b\u4e00\u4e9b\u529f\u80fd\u652f\u6301\uff0c\u5982 ZFS\u3002\u56e0\u6b64\u53ea\u8981\u66f4\u65b0\u4e86\u5185\u6838\uff0c\u5c31\u4e00\u5b9a\u8981\u6ce8\u610f\u5185\u6838\u6a21\u5757\u662f\u5426\u5b89\u88c5\u6210\u529f\uff0c\u5982\u679c apt \u5b89\u88c5\u5931\u8d25\u53ef\u4ee5\u624b\u52a8\u8fd0\u884c dkms autoinstall\uff0c\u4ee5\u786e\u4fdd\u65b0\u5185\u6838\u91cd\u542f\u65f6\u80fd\u6b63\u786e\u52a0\u8f7d\u5fc5\u987b\u7684\u5185\u6838\u6a21\u5757\u3002

"},{"location":"workflow/mirrors/maintenance/#ipmi","title":"IPMI","text":"

\u5730\u5740\u6682\u65e0\uff0c\u4e00\u822c\u7528\u6d4f\u89c8\u5668\u76f4\u63a5\u8bbf\u95ee\u5c31\u884c\u4e86\u3002\u5982\u679c\u9700\u8981\u63a5\u5165\u7ec8\u7aef\uff0cDashboard \u5de6\u8fb9\u7684 Remote Control \u6709 Launch \u6309\u94ae\u3002\u5982\u679c\u6d4f\u89c8\u5668\u4e0d\u652f\u6301 Java \u5c31\u4f1a\u4e0b\u8f7d\u4e00\u4e2a jviewer.jnlp\uff0c\u81ea\u884c\u89e3\u51b3 Java \u7684\u5b89\u5168\u8b66\u544a\u5373\u53ef\u4f7f\u7528\u3002

\u5f53\u7136\u5982\u679c\u4f1a\u7528 ipmitool \u66f4\u597d\uff0c\u90a3\u8fd9\u4e00\u6bb5\u7684\u8bf4\u660e\u5c31\u4ea4\u7ed9\u4f60\u6765\u8865\u5145\u4e86 :)

"},{"location":"workflow/mirrors/maintenance/#ipmitool","title":"ipmitool \u7b80\u4ecb","text":"

\u5c3d\u7ba1\u51e0\u4e4e\u6211\u4eec\u673a\u5668\u7684 IPMI \u90fd\u6709 Web \u754c\u9762\uff0c\u4f46\u662f Web \u754c\u9762\u4e0d\u4e00\u5b9a\u9760\u8c31\uff0c\u53ef\u80fd\u4f1a\u51fa\u73b0\u6545\u969c\u3002\u6b64\u65f6\uff0c\u6211\u4eec\u53ef\u4ee5\u4f7f\u7528 ipmitool \u91cd\u7f6e IPMI \u7684\u72b6\u6001\uff08\u7cfb\u7edf\u914d\u7f6e\u4e0d\u4f1a\u6539\u53d8\uff09

\u53c2\u8003\u547d\u4ee4\uff1a

# \u4e00\u90e8\u5206 IPMI \u7684 interface \u662f lanplus \u800c\u4e0d\u662f lan\uff0c\u6bd4\u5982\u8bf4 mirrors3\nipmitool -I lan -H IPMI\u7684IP -U \u7528\u6237\u540d -a mc reset cold\n

\u5177\u4f53\u8be6\u60c5\u53ef\u4ee5\u770b ipmitool \u7684 manpage\u3002

\u53e6\u5916:

"}]} \ No newline at end of file