Author: jpuyy

  • Linux dual-NIC bonding

    Everything below is done on CentOS. The bonding driver has several modes; the aim here is more bandwidth. With the 802.3ad mode used below that means more aggregate bandwidth across many connections: each single connection is hashed onto one link and never exceeds that link's speed.

    Install the helper package (ethtool, for inspecting the slaves' link speed and duplex; the bonding driver itself is part of the kernel):

    yum install ethtool -y

    Add an ifcfg-bond0 configuration file as the master; the physical NICs to be bonded (ifcfg-eth0, ifcfg-eth1) become its slaves.

    vim /etc/sysconfig/network-scripts/ifcfg-bond0

    Add:

    DEVICE=bond0
    ONBOOT=yes
    IPADDR=192.168.1.12
    NETMASK=255.255.255.0
    NETWORK=192.168.1.0
    USERCTL=no
    BOOTPROTO=none

    vim /etc/sysconfig/network-scripts/ifcfg-eth0

    Add:

    DEVICE=eth0
    ONBOOT=yes
    USERCTL=no
    MASTER=bond0
    SLAVE=yes
    BOOTPROTO=none

    vim /etc/sysconfig/network-scripts/ifcfg-eth1

    Add:

    DEVICE=eth1
    ONBOOT=yes
    USERCTL=no
    MASTER=bond0
    SLAVE=yes
    BOOTPROTO=none

    USERCTL=yes/no: whether non-root users may bring the device up and down.

    BOOTPROTO=none/static/dhcp: the boot-time address protocol. none means no DHCP or BOOTP is run; the static address comes from the IPADDR/NETMASK lines above.

    Further NICs are added the same way.

    Next, register the bonding module with CentOS. This is the CentOS 5 way; on CentOS 6 and later put the driver options in ifcfg-bond0 as BONDING_OPTS="mode=4 miimon=100" instead, and the options line below is not needed.

    vim /etc/modprobe.d/bonding.conf

    Add:

    alias bond0 bonding
    options bond0 mode=4 miimon=100

    For the mode parameter, see:

    http://unixfoo.blogspot.com/2008/02/network-bonding-part-ii-modes-of.html

    • Mode 0 (balance-rr)
      This mode transmits packets in a sequential order from the first available slave through the last. If two real interfaces are slaves in the bond and two packets arrive destined out of the bonded interface the first will be transmitted on the first slave and the second frame will be transmitted on the second slave. The third packet will be sent on the first and so on. This provides load balancing and fault tolerance.
    • Mode 1 (active-backup)
      This mode places one of the interfaces into a backup state and only makes it active if the active interface loses its link. Only one slave in the bond is active at a time; a different slave becomes active only when the active slave fails. This mode provides fault tolerance.
    • Mode 2 (balance-xor)
      Transmits based on an XOR formula: (source MAC address XOR destination MAC address) modulo slave count. This selects the same slave for each destination MAC address and provides load balancing and fault tolerance.
    • Mode 3 (broadcast)
      This mode transmits everything on all slave interfaces. This mode is least used (only for specific purpose) and provides only fault tolerance.
    • Mode 4 (802.3ad)
      This mode is known as Dynamic Link Aggregation mode. It creates aggregation groups that share the same speed and duplex settings. This mode requires a switch that supports IEEE 802.3ad dynamic link aggregation (LACP).
    • Mode 5 (balance-tlb)
      This is called adaptive transmit load balancing. Outgoing traffic is distributed according to the current load and queue on each slave interface. Incoming traffic is received by the current slave.
    • Mode 6 (balance-alb)
      This is Adaptive load balancing mode. This includes balance-tlb + receive load balancing (rlb) for IPV4 traffic. The receive load balancing is achieved by ARP negotiation. The bonding driver intercepts the ARP Replies sent by the server on their way out and overwrites the src hw address with the unique hw address of one of the slaves in the bond such that different clients use different hw addresses for the server.

    The mode value selects the working mode. There are 7 modes; 0, 1 and 4 are the common ones.

    mode=0 is load balancing (round-robin): both NICs carry traffic. Frames of one connection are spread over both links, so packets can arrive out of order.
    mode=1 is fault-tolerance (active-backup): redundancy only. By default one NIC carries all traffic and the other stands by, so there is no bandwidth gain.
    mode=4 is standard 802.3ad (LACP). Like mode 0 all links carry traffic, but the switch ports must be configured for LACP (on Cisco, an EtherChannel with channel-group mode active, not "on"). The driver picks a link per flow (xmit_hash_policy, layer2 by default), so a single connection never exceeds one link's speed. In /proc/net/bonding/bond0, a Partner Mac Address of all zeros means the switch is not negotiating and the bond is not actually aggregated.

    miimon is the link monitoring interval. With miimon=100 the driver checks each slave's carrier every 100 ms and moves traffic off a slave whose link goes down. It only sees local carrier loss; a failure further upstream on that path is not detected.

    Restart the network service:

    service network restart

    watch -n 1 refreshes the bond0 status once a second:

    watch -n 1 'cat /proc/net/bonding/bond0'

    Reference: http://www.cyberciti.biz/howto/question/static/linux-ethernet-bonding-driver-howto.php
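    The ifcfg files above and the status check are collected in the following script. It is an added example, not code from the original post: it writes the master and slave files for any number of NICs into a directory you choose (in real use /etc/sysconfig/network-scripts), carries the driver options in BONDING_OPTS as CentOS 6 and later expect instead of the modprobe.d line, and parses /proc/net/bonding/<bond> to flag a slave whose link is down or an 802.3ad bond whose switch has not negotiated LACP. The interface names, addresses and the status text it ships with are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post). Generates ifcfg files for a
# bond and checks a bond's slaves from the /proc/net/bonding text.
# Interface names, addresses and the sample status below are made up.

# gen_bond_config DIR BOND IP NETMASK MODE MIIMON NIC NIC...
# Writes DIR/ifcfg-BOND (master) and DIR/ifcfg-NIC (slaves). In real use DIR
# is /etc/sysconfig/network-scripts. BONDING_OPTS carries the driver options
# that the post puts in /etc/modprobe.d/bonding.conf.
gen_bond_config() {
    [ "$#" -ge 8 ] || { echo "usage: gen_bond_config DIR BOND IP NETMASK MODE MIIMON NIC NIC..." >&2; return 1; }
    dir=$1 bond=$2 ip=$3 mask=$4 mode=$5 miimon=$6
    shift 6
    {
        echo "DEVICE=$bond"
        echo "TYPE=Bond"
        echo "ONBOOT=yes"
        echo "BOOTPROTO=none"          # static address from IPADDR, no DHCP
        echo "IPADDR=$ip"
        echo "NETMASK=$mask"
        echo "USERCTL=no"              # only root may ifup/ifdown the bond
        echo "NM_CONTROLLED=no"        # CentOS 6 NetworkManager does not manage bonds
        echo "BONDING_OPTS=\"mode=$mode miimon=$miimon\""
    } > "$dir/ifcfg-$bond"
    for nic in "$@"; do
        {
            echo "DEVICE=$nic"
            echo "ONBOOT=yes"
            echo "BOOTPROTO=none"
            echo "USERCTL=no"
            echo "NM_CONTROLLED=no"
            echo "MASTER=$bond"
            echo "SLAVE=yes"
        } > "$dir/ifcfg-$nic"
    done
}

# bond_status FILE: FILE is /proc/net/bonding/<bond> (or a saved copy).
# Prints the mode and one "NIC up|down" line per slave; returns 1 if any
# slave is down or, for 802.3ad, if no LACP partner has been seen.
bond_status() {
    awk '
        /^Bonding Mode:/       { sub(/^Bonding Mode: /, ""); print "mode: " $0 }
        /Partner Mac Address:/ { if ($4 == "00:00:00:00:00:00") {
                                     print "WARN: no LACP partner, switch is not negotiating 802.3ad"; bad++ } }
        /^Slave Interface:/    { slave = $3 }
        /^MII Status:/ && slave != "" { print slave " " $3; if ($3 != "up") bad++; slave = "" }
        END { exit (bad > 0) }
    ' "$1"
}

# Constructed sample of /proc/net/bonding/bond0 with eth1 down.
SAMPLE_STATUS='Ethernet Channel Bonding Driver: v3.7.1 (April 27, 2011)

Bonding Mode: IEEE 802.3ad Dynamic link aggregation
Transmit Hash Policy: layer2 (0)
MII Status: up
MII Polling Interval (ms): 100

802.3ad info
LACP rate: slow
Active Aggregator Info:
        Aggregator ID: 1
        Number of ports: 1
        Actor Key: 9
        Partner Key: 32768
        Partner Mac Address: 00:1b:0c:11:22:33

Slave Interface: eth0
MII Status: up
Speed: 1000 Mbps
Duplex: full
Link Failure Count: 0
Permanent HW addr: 52:54:00:aa:bb:01
Aggregator ID: 1

Slave Interface: eth1
MII Status: down
Speed: Unknown
Duplex: Unknown
Link Failure Count: 1
Permanent HW addr: 52:54:00:aa:bb:02
Aggregator ID: 2'

# Usage: sh bond.sh gen DIR BOND IP NETMASK MODE MIIMON NIC NIC...
#        sh bond.sh status [/proc/net/bonding/bond0]
#        sh bond.sh demo        (run the check on the sample above)
case ${1:-} in
    gen)    shift; gen_bond_config "$@" ;;
    status) bond_status "${2:-/proc/net/bonding/bond0}" ;;
    demo)   tmp=$(mktemp); printf '%s\n' "$SAMPLE_STATUS" > "$tmp"
            bond_status "$tmp"; rm -f "$tmp" ;;
esac
```

    bond_status is what to run from the watch loop above, or from a monitoring check: its exit status says whether the bond is degraded, which cat alone does not.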

  • Creating a CSR with openssl

    Before applying for a CA-issued SSL certificate, generate a CSR on the server. Log in over ssh and at the prompt run:

    openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr

    where server is the name of your server; name the files to suit your setup.

    This generates two files: the private key, which corresponds to the public key the certificate will carry and is what the server uses in the TLS handshake (with -nodes it is written unencrypted, so keep it readable by root only), and a certificate signing request (CSR) to submit to the CA. The command prompts for the following X.509 subject attributes:

    During generation you are prompted for:
    Country Name (C): the two-letter country code without punctuation, for example US or CA.
    State or Province (S): spell the state or province out in full; do not abbreviate, for example California.
    Locality or City (L): the city or town name, for example Berkeley.
    Organization (O): if the company or department name contains &, @ or any other symbol typed with Shift, spell the symbol out or omit it, for example XY & Z Corporation becomes XYZ Corporation or XY and Z Corporation.
    Organizational Unit (OU): the department or organizational unit making the request.
    Common Name (CN): the host plus domain name, such as "www.company.com" or "company.com". Browsers no longer match the hostname against the CN; the name(s) must also appear in a subjectAltName extension. Public CAs populate the SAN from the names you order, but a CSR that carries the SAN itself (req_extensions with subjectAltName) is unambiguous, and for a self-signed certificate the SAN is the only thing clients will accept.

    Do not enter an email address, a challenge password or an optional company name when generating the CSR.

    The result is server.csr; submit it to the CA and keep server.key private (it never leaves the server).

    For a self-signed certificate server.crt instead (x509 -req defaults to 30 days of validity, so pass -days N; nothing trusts it until it is imported explicitly):

    openssl x509 -req -in server.csr -signkey server.key -out server.crt

    Compute the fingerprint of the crt. Compare on SHA-256; the SHA-1 and MD5 forms are listed only for matching what older tools display:

    SHA-256
    openssl x509 -noout -fingerprint -sha256 -inform pem -in [certificate-file.crt] 
     
    SHA-1
    openssl x509 -noout -fingerprint -sha1 -inform pem -in [certificate-file.crt]
    
    MD5
    openssl x509 -noout -fingerprint -md5 -inform pem -in [certificate-file.crt] 
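    The same workflow done non-interactively, with the subject and the SAN taken from a config file, and with the checks a practitioner runs before handing a CSR to a CA or a certificate to a server. This is an added example and not code from the original post; the hostnames, paths and subject fields are assumptions, and the private key is written with -nodes exactly as above, so the script takes care of its file mode.

```shell
#!/bin/sh
# Added example (not from the original post): the CSR workflow done
# non-interactively, with a subjectAltName, a self-signed test certificate
# and fingerprint checks. Hostnames, paths and subject fields are assumptions.

# make_csr DIR HOST [ALT_HOST]: writes DIR/req.cnf, DIR/server.key (RSA 2048,
# unencrypted because of -nodes, created with mode 600) and DIR/server.csr.
make_csr() {
    dir=$1 host=$2 alt=${3:-$2}
    {
        echo "[req]"
        echo "prompt = no"                   # take the subject from [dn], no questions
        echo "distinguished_name = dn"
        echo "req_extensions = v3_req"       # put the SAN into the CSR itself
        echo "[dn]"
        echo "C = US"
        echo "ST = California"
        echo "L = Berkeley"
        echo "O = Example Corp"
        echo "OU = Ops"
        echo "CN = $host"
        echo "[v3_req]"
        echo "subjectAltName = DNS:$host, DNS:$alt"
    } > "$dir/req.cnf"
    # umask 077 so the key file is never world-readable, even for an instant
    (umask 077 && openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$dir/server.key" -out "$dir/server.csr" \
        -config "$dir/req.cnf" 2>/dev/null)
}

# csr_verifies CSR: the CSR's self-signature checks out, i.e. it was made
# with the key whose public half it carries. openssl req -verify reports the
# result as text rather than reliably as an exit code, so grep for it.
csr_verifies() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'
}

# pubkey_of key|csr|crt FILE: the public key in PEM, for comparison.
pubkey_of() {
    case $1 in
        key) openssl pkey -in "$2" -pubout ;;
        csr) openssl req -in "$2" -noout -pubkey ;;
        crt) openssl x509 -in "$2" -noout -pubkey ;;
        *)   return 1 ;;
    esac
}

# keys_match KEY OTHER: KEY's public half equals the key inside OTHER (a file
# ending in .csr is read as a CSR, anything else as a certificate). Catches
# "the CA-issued cert does not match the key on this server" before it
# becomes a handshake failure.
keys_match() {
    a=$(pubkey_of key "$1") || return 1
    case $2 in *.csr) b=$(pubkey_of csr "$2") ;; *) b=$(pubkey_of crt "$2") ;; esac
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# self_sign DIR DAYS: test certificate from the CSR. -extfile/-extensions copy
# the SAN in (x509 -req drops the CSR's extensions otherwise); without -days
# the certificate would be valid for only 30 days.
self_sign() {
    openssl x509 -req -in "$1/server.csr" -signkey "$1/server.key" \
        -days "$2" -sha256 -extfile "$1/req.cnf" -extensions v3_req \
        -out "$1/server.crt" 2>/dev/null
}

# cert_fingerprint CRT: colon-separated SHA-256 fingerprint, the value to
# compare against what a client shows, or against the live server via
#   openssl s_client -connect host:443 </dev/null | openssl x509 -noout -fingerprint -sha256
cert_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" | cut -d= -f2
}

# Usage: sh csr.sh DIR HOST [ALT_HOST]
if [ "$#" -ge 2 ]; then
    make_csr "$1" "$2" "${3:-}" && csr_verifies "$1/server.csr" \
        && keys_match "$1/server.key" "$1/server.csr" \
        && self_sign "$1" 365 \
        && echo "SHA-256 $(cert_fingerprint "$1/server.crt")"
fi
```

    The config-file form of the SAN works on OpenSSL 1.0.x as well as 1.1.1 and 3.x; on 1.1.1 and later the same thing can be written inline as -addext "subjectAltName=DNS:www.example.com".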
    
  • Puppet master and agent certificate signing

    First set the hostname and /etc/hosts on both machines (the certificate names below are the hostnames), and make sure their clocks agree: certificates carry validity dates, and a skewed clock makes signing or verification fail.

    Master side, run in the foreground to watch the request arrive:

    puppet master --verbose --no-daemon

    Agent side, send the certificate request:

    puppet agent --server=master-test.hupu.com --no-daemonize --verbose --debug

    On the master, list the pending requests:

    puppet cert --list

    Sign the request. Before signing, compare the fingerprint shown by the list with the one the agent prints with puppet agent --fingerprint: signing an unverified request hands whoever sent it a trusted node identity and the catalog for that name.

    puppet cert --sign agent-test.hupu.com

    Clean out requests or certificates that are not wanted (puppetca is the pre-2.6 name of the same tool):

    puppet cert --clean agent-test.localdomain
    puppetca clean db2-1-220.jh.abc.com

    Once signed, apply the master's configuration on the agent:

    puppet agent --server=master-test.hupu.com --no-daemonize --verbose --onetime

    On the master, list all signed machines:

    puppetca list --all
    puppet cert list --all

    On Puppet 6 and later the puppet cert subcommand has been removed; the equivalents are puppetserver ca list, puppetserver ca sign --certname NAME and puppetserver ca clean --certname NAME.

  • iptables tables and chains

    iptables has 4 tables and 5 built-in chains.

    Tables are distinguished by what they do to packets; chains are distinguished by the netfilter hook point. The two are independent dimensions of netfilter: a rule lives at one (table, chain) position, and not every table has every chain.

    4 tables: filter, nat, mangle, raw. The default is filter (a command without -t uses it). At any one hook the tables run in priority order raw > mangle > nat > filter, with one exception: nat's INPUT and POSTROUTING chains (source NAT) run after filter and mangle at their hooks, while nat's PREROUTING and OUTPUT (destination NAT) run before filter.

    filter: ordinary packet filtering (INPUT, FORWARD, OUTPUT)
    nat: address and port translation (PREROUTING, INPUT, OUTPUT, POSTROUTING; INPUT exists since kernel 2.6.36). Only the first packet of a connection traverses nat; the decision is stored in the conntrack entry
    mangle: modifying packet headers or marks (all five chains)
    raw: highest priority (PREROUTING and OUTPUT only). Its usual job is to exempt packets from connection tracking (-j NOTRACK) for performance. Untracked packets never match -m conntrack --ctstate ESTABLISHED,RELATED, so the filter table needs explicit rules for them

    5 chains: PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING

    PREROUTING: packets that have just arrived, before the routing decision
    INPUT: after routing, destined for this host
    FORWARD: after routing, destined for another host
    OUTPUT: generated by this host, on its way out
    POSTROUTING: just before the packet is handed to the interface
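    The table/chain relationship as code, added here as an example that is not part of the original post: packet_path prints the table:CHAIN positions a packet visits on each of the three paths, chain_in_table answers whether a table has a given built-in chain, and validate_rules reads an iptables-restore file and catches a rule placed in a chain its table does not have before iptables-restore rejects the whole file. The embedded ruleset is constructed for the example; its ports and interface names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): the table/chain dimensions of
# netfilter as code, plus a checker for iptables-restore text. The ruleset at
# the bottom is constructed; its ports and interfaces are assumptions.

# Tables hooked at a chain, in the order they run there. Netfilter priorities:
# raw -300, mangle -150, nat(DNAT) -100, filter 0, nat(SNAT) 100. nat has an
# INPUT chain only on kernels 2.6.36 and later.
hook_tables() {
    case $1 in
        PREROUTING)  echo "raw mangle nat" ;;
        INPUT)       echo "mangle filter nat" ;;
        FORWARD)     echo "mangle filter" ;;
        OUTPUT)      echo "raw mangle nat filter" ;;
        POSTROUTING) echo "mangle nat" ;;
    esac
}

# chain_in_table TABLE CHAIN: true if CHAIN is a built-in chain of TABLE.
chain_in_table() {
    for t in $(hook_tables "$2"); do
        [ "$t" = "$1" ] && return 0
    done
    return 1
}

# is_builtin_name NAME: NAME is one of the five built-in chains (of any table).
is_builtin_name() {
    case " PREROUTING INPUT FORWARD OUTPUT POSTROUTING " in
        *" $1 "*) return 0 ;;
    esac
    return 1
}

# packet_path in|forward|out: the table:CHAIN positions a packet passes, in
# order. nat is consulted only for the first packet of a connection.
packet_path() {
    case $1 in
        in)      hooks="PREROUTING INPUT" ;;
        forward) hooks="PREROUTING FORWARD POSTROUTING" ;;
        out)     hooks="OUTPUT POSTROUTING" ;;
        *)       echo "usage: packet_path in|forward|out" >&2; return 1 ;;
    esac
    path=""
    for h in $hooks; do
        for t in $(hook_tables "$h"); do path="$path $t:$h"; done
    done
    echo "${path# }"
}

# validate_rules < FILE: reads iptables-restore text. Every -A/-I must name a
# built-in chain of the current *table, or a user chain declared with
# ":NAME -" in the same table block. Prints each problem; returns 1 if any.
validate_rules() {
    bad=0 table="" user=" "
    while IFS= read -r line; do
        case $line in
            ''|'#'*) ;;
            '*'*)    table=${line#\*}; user=" " ;;
            COMMIT)  [ -n "$table" ] || { echo "COMMIT outside a table"; bad=1; }
                     table="" ;;
            ':'*)    c=${line#:}; c=${c%% *}
                     if chain_in_table "$table" "$c"; then :
                     elif is_builtin_name "$c"; then
                         echo "table $table has no built-in chain $c: $line"; bad=1
                     else user="$user$c "
                     fi ;;
            '-A '*|'-I '*)
                     c=${line#* }; c=${c%% *}
                     if chain_in_table "$table" "$c"; then :
                     else case $user in
                              *" $c "*) ;;
                              *) echo "table $table has no chain $c: $line"; bad=1 ;;
                          esac
                     fi ;;
        esac
    done
    return $bad
}

# Constructed ruleset with one job per table. raw exempts port 80 from
# conntrack in both directions, so the filter table accepts that traffic by
# port (with a rate limit) instead of relying on ESTABLISHED; 8080 is still
# tracked, so nat can REDIRECT it and conntrack handles the rest of the flow.
SAMPLE_RULES='*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p tcp --dport 80 -j NOTRACK
-A OUTPUT -p tcp --sport 80 -j NOTRACK
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp --dport 22 -j MARK --set-mark 0x1
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp --dport 8080 -j REDIRECT --to-ports 80
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:WEB - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 80 -j WEB
-A WEB -m limit --limit 50/s --limit-burst 100 -j ACCEPT
-A WEB -j DROP
COMMIT'

# Usage: sh tables.sh path in|forward|out    (positions a packet visits)
#        sh tables.sh check < rules.txt      (validate an iptables-restore file)
#        sh tables.sh demo                   (validate the sample ruleset)
case ${1:-} in
    path)  packet_path "${2:-in}" ;;
    check) validate_rules ;;
    demo)  printf '%s\n' "$SAMPLE_RULES" | validate_rules && echo "sample ruleset ok" ;;
esac
```

    Run check against the output of iptables-save before loading a hand-edited file; a rule in the wrong table is the commonest reason iptables-restore aborts with the whole ruleset left unloaded.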

  • Turning off the nagging IE security-risk prompt

    IE shows "Your current security settings put your computer at risk". Some web pages are so badly built that they only work with the security level lowered; Microsoft's intent is good, but the prompt is annoying.

    To turn it off:

    Press Win+R to open the Run dialog, type gpedit.msc and press Enter to open the Group Policy editor.

    Expand Local Computer Policy – Computer Configuration – Administrative Templates – Windows Components – Internet Explorer, and in the right pane find the policy "Turn off the Security Settings Check feature". Double-click it, choose Enabled and confirm. From then on the security settings check no longer runs and the prompt no longer appears.

    This only silences the warning; the lowered zone settings that triggered it stay in force for every site in that zone. Adding the few sites that need them to the Trusted sites zone and leaving the Internet zone at its default is the smaller exposure.

  • Adding ISO files to XenServer

    ISOs are usually added in order to install an operating system.

    First log in to the XenServer command line and run:

    mkdir /boot-iso
    xe sr-create name-label=boot-iso type=iso device-config:location=/boot-iso device-config:legacy_mode=true content-type=iso

    This creates an ISO storage repository (SR); XenCenter now shows an extra SR named boot-iso.

    Next upload the ISO files over SFTP (e.g. FileZilla) into /boot-iso on the host. The upload runs as dom0 root, the account that controls every VM on the host, so keep that credential off shared workstations. dom0's root filesystem is small; check df -h /boot-iso before copying large images.

    Notes:

    1. If the SR was created wrongly or twice, remove it in XenCenter: Detach, then Forget. The files in /boot-iso are left untouched.

    2. If XenCenter does not show a newly uploaded ISO, rescan the SR from the console with xe sr-scan uuid=<SR uuid> (xe sr-list name-label=boot-iso shows the uuid); xe-toolstack-restart also works, but it restarts the whole management stack.