jpuyy的网志

Category: Life

  • linux双网卡绑定

    以下操作均在CentOS下,网卡绑定有多种模式,这里是为了增加带宽

    安装需要的组件

    yum install ethtool -y

    添加一个ifcfg-bond0的配置文件,做为master,需要绑定的物理网卡(ifcfg-eth0, ifcfg-eth1)做为slave

    vim /etc/sysconfig/network-scripts/ifcfg-bond0

    添加

    DEVICE=bond0
ONBOOT=yes
IPADDR=192.168.1.12
NETMASK=255.255.255.0
NETWORK=192.168.1.0
USERCTL=no
BOOTPROTO=none

    vim /etc/sysconfig/network-scripts/ifcfg-eth0

    添加

    DEVICE=eth0
ONBOOT=yes
USERCTL=no
MASTER=bond0
SLAVE=yes
BOOTPROTO=none

    vim /etc/sysconfig/network-scripts/ifcfg-eth1

    添加

    DEVICE=eth1
ONBOOT=yes
USERCTL=no
MASTER=bond0
SLAVE=yes
BOOTPROTO=none

    USERCTL=yes/no 是否允许非root用户控制该设备

    BOOTPROTO=none/static/dhcp 指定启动协议,这里不指定

    如果还有更多网卡,照上面写即可

    接下来需要在CentOS中注册一下bonding模块

    vim /etc/modprobe.d/bonding.conf

    添加

    alias bond0 bonding
options bond0 mode=4 miimon=100

    mode参数见:

    http://unixfoo.blogspot.com/2008/02/network-bonding-part-ii-modes-of.html

    • Mode 0 (balance-rr)
      This mode transmits packets in a sequential order from the first available slave through the last. If two real interfaces are slaves in the bond and two packets arrive destined out of the bonded interface the first will be transmitted on the first slave and the second frame will be transmitted on the second slave. The third packet will be sent on the first and so on. This provides load balancing and fault tolerance.
    • Mode 1 (active-backup)
      This mode places one of the interfaces into a backup state and will only make it active if the link is lost by the active interface. Only one slave in the bond is active at an instance of time. A different slave becomes active only when the active slave fails. This mode provides fault tolerance.
    • Mode 2 (balance-xor)
      Transmits based on XOR formula. (Source MAC address is XOR’d with destination MAC address) modula slave count. This selects the same slave for each destination MAC address and provides load balancing and fault tolerance.
    • Mode 3 (broadcast)
      This mode transmits everything on all slave interfaces. This mode is least used (only for specific purpose) and provides only fault tolerance.
    • Mode 4 (802.3ad)
      This mode is known as Dynamic Link Aggregation mode. It creates aggregation groups that share the same speed and duplex settings. This mode requires a switch that supports IEEE 802.3ad Dynamic link.
    • Mode 5 (balance-tlb)
      This is called as Adaptive transmit load balancing. The outgoing traffic is distributed according to the current load and queue on each slave interface. Incoming traffic is received by the current slave.
    • Mode 6 (balance-alb)
      This is Adaptive load balancing mode. This includes balance-tlb + receive load balancing (rlb) for IPV4 traffic. The receive load balancing is achieved by ARP negotiation. The bonding driver intercepts the ARP Replies sent by the server on their way out and overwrites the src hw address with the unique hw address of one of the slaves in the bond such that different clients use different hw addresses for the server.

    mode的值表示工作模式,共有7种模式,常用的为0,1,4三种。

    mode=0表示load balancing (round-robin)为负载均衡方式,两块网卡都工作。
    mode=1表示fault-tolerance (active-backup)提供冗余功能,工作方式是主备的工作方式,也就是说默认情况下只有一块网卡工作,另一块做备份
    mode=4是通用的802.3ad协议,类似于第一种,接思科交换机时需要选LACP模式。

    miimon是用来进行链路监测的。比如:miimon=100,那么系统每100ms监测一次链路连接状态,如果有一条线路不通就转入另一条线路;

    重启网络服务

    service network restart

    使用watch -n 1可以每秒更新bond0的状态

    watch -n 1 'cat /proc/net/bonding/bond0'

    参考:http://www.cyberciti.biz/howto/question/static/linux-ethernet-bonding-driver-howto.php

  • 使用openssl创建CSR文件

    在申请正规的ssl证书之前,需要先在本机生成CSR文件
    Login to your server via your terminal client (ssh). At the prompt, type:

    登陆ssh,在提示符下输入命令:

    openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr

    where server is the name of your server.
    这里是server.csr,自己根据自己情况命名。

    This will begin the process of generating two files: the Private-Key file for the decryption of your SSL Certificate, and a certificate signing request (CSR) file used to apply for your SSL Certificate. This command will prompt for the following X.509 attributes of the certificate:

    这将生成两个文件,一个是私钥文件用于解密你的SSL证书,还有就是用于申请SSL的证书签名请求CSR文件。

    在生成过程中有如下提示:
    Country Name (C): Use the two-letter code without punctuation for country, for example: US or CA.
    State or Province (S): Spell out the state completely; do not abbreviate the state or province name, for example: California.
    Locality or City (L): The Locality field is the city or town name, for example: Berkeley.
    Organization (O): If your company or department has an &, @, or any other symbol using the shift key in its name, you must spell out the symbol or omit it to enroll, for example: XY & Z Corporation would be XYZ Corportation or XY and Z Corportation.
    Organizational Unit (OU): This field is the name of the department or organization unit making the request.
    Common Name (CN): The Common Name is the Host + Domain Name. It looks like “www.company.com” or “company.com”.
    Please do not enter your email address, challenge password or an optional company name when generating the CSR.

    在生成CSR过程中,请不要填写email,强密码和备用公司名

    最后将生成server.csr

    如果要自认证证书 server.crt 

    openssl x509 -req -in server.csr -signkey server.key -out server.crt

    计算 crt 的 finger print

    SHA-256
openssl x509 -noout -fingerprint -sha256 -inform pem -in [certificate-file.crt] 
 
SHA-1
openssl x509 -noout -fingerprint -sha1 -inform pem -in [certificate-file.crt]

MD5
openssl x509 -noout -fingerprint -md5 -inform pem -in [certificate-file.crt]

  • 使用监控宝的snmp监控ubuntu

    snmp使用很方便,可以监控cpu, load average, memory, net, 磁盘I/O,监控宝(http://www.jiankongbao.com)提供了简单的snmp监控。

    在监控宝中找到添加snmp服务器,需要准备几样信息:

    *服务器的ip地址
    *snmp的用户名,密码

    这里使用snmp v3版本,同时使用md5加密

    安装snmpd

    apt-get install snmpd

    修改配置文件snmpd.conf,可以使用man snmpd.conf查看snmpd.conf具体段的设置

    vim /etc/snmp/snmpd.conf

    将监听本地ip改为监听所有

    即将agentAddress udp:127.0.0.1:161 改为 agentAddress udp:161

    接下来创建一个用户jpuyy,密码为jpuyy123,这里需要至少8位密码

    # net-snmp-config --create-snmpv3-user -ro -A jpuyy123 -a MD5 jpuyy
 adding the following line to /var/lib/snmp/snmpd.conf:
 createUser jpuyy MD5 "jpuyy123" DES
 adding the following line to /usr/share/snmp/snmpd.conf:
 rouser jpuyy

    可以发现自动将用户信息和权限记录到了不同的文件里。

    启动snmpd服务

    /etc/init.d/snmpd start

    最后检查一下防火墙是否打开了udp 161端口

    参考:

    http://wiki.jiankongbao.com/doku.php/%E6%96%87%E6%A1%A3:%E5%AE%89%E5%85%A8%E6%8C%87%E5%BC%95

    http://blog.jiankongbao.com/?p=160

    snmp小知识:简单网络管理协议(SNMP,Simple Network Management Protocol),snmp管理端叫做snmp manager;snmp代理端为snmp agent,存在于被管理的设备中。snmp是基于udp传输的。

    使用snmpwalk来取出snmp信息,不同版本使用的命令不一样。

    snmpwalk -v 2c -c public 192.168.1.8

    snmpwalk -v 1 -c public 192.168.1.8

  • 使用Windows7-USB-DVD-tool制作windows7安装u盘

    微软早就推出了制作windows7的USB或DVD的工具,Windows7-USB-DVD-tool.exe(简称WUDT),教程:http://www.microsoftstore.com/store/msusa/html/pbPage.Help_Win7_usbdvd_dwnTool

    下载地址:

    http://images2.store.microsoft.com/prod/clustera/framework/w7udt/1.0/en-us/Windows7-USB-DVD-tool.exe

    此工具再加一个windows7的iso镜像,即可制作usb或dvd安装盘。但用u盘制作时出现以下错误:

    We were unable to copy your files. Please check your USB device and the selected ISO file and try again.

    说明你的u盘之前做过分区或mbr有问题,可以使用windows下的diskpart tool解决这个问题,方法如下:

    diskpart
list disk
select disk # (根据大小等特征选择u盘)
clean (会覆盖当前u盘的mbr)
create partition primary
select partition 1
active
format quick fs=fat32 (快速格式化为fat32格式)
assign
exit

    参考:http://4sysops.com/archives/windows-7-usbdvd-download-tool-wudt-is-unable-to-copy-files/

  • 使用netboot方式安装debian

    手头上没有光盘怎么办,用netboot方式来安装debian

    安装debian的电脑需要支持pxe启动

    需要:深度远程启动管理器(netboot server, dhcp server, tftp server),debian的启动文件,网络环境要能上外网

    提供安装服务的电脑需要安装深度远程启动管理器,以及

    http://ftp.nl.debian.org/debian/dists/squeeze/main/installer-i386/current/images/netboot/

    下载netboot.tar.gz,将netboot.tar.gz解压到目录,如D:\netdebian

    接下来配置深度远程启动管理器,

    需要注意的有以下几点

    目录设置正确

    引导文件pxelinux.0

    然后启动时选择网络启动,接下来一步一步安装debian即可

  • 使用rpmbuild制作squid rpm包

    制作RPM包有很多好处,可以较快安装部署喜欢的配置,参数;对于大批量安装省时省力,是一件事半功倍的事。

    制作RPM需要准备好源码包和spec文件,安装好依赖和编译工具,熟悉制作RPM包的几个目录。
    制作rpm包目录说明:
    BUILD解压的目录
    BUILDROOT假定的安装目录(变量为$RPM_BUILD_ROOT%{buildroot})
    RPMS存放制作好的rpm包
    SOURCES存放源码包
    SPECS存放spec文件
    SRPMS存放srpm包

    这里制作squid的rpm包只需要将源码包放置到SOURCES中,再切换到SPEC目录中,运行

    rpmbuild -ba squid.2.7.spec

    在制作过程中需要注意的:

    制作RPM包不能使用root用户,因为权限过大,操作错误会造成较大影响。

    使用普通用户制作时,rpmbuild的宏定义可以在~/.rpmmacros中定义

    在spec中使用自定义宏的方法 %define macro_name value

    在spec中使用宏的方法是 %{macro_name}

    在spec中注释用#,注释信息中不可用%

    制作squid RPM包build过程时,出现的错误及解决

    出现../include/squid_md5.h:27:2: error: #error Cannot find OpenSSL MD5 headers
    解决:需要安装好openssl相关组件

    yum install -y openssl*

    出现rpmbuild: error: Installed (but unpackaged) file(s) found Solution
    解决:需要在段files写全目录

    %files%defattr(-,root,root,-)/path/to/dir//path/to/file/

    squid源码包下载地址:http://www.squid-cache.org/Versions/v2/2.7/squid-2.7.STABLE5.tar.bz2

    squid.2.7.spec内容

    %define squid_user squid
#---RPM包信息
#描述信息
Summary:        hupu web proxy and content serving.
#软件包名
Name:           squid
#软件包版本
Version:        2.7.STABLE5
#rpm包的发行版本,RPM包制作者自己定义,第几次制作找个包就写几次。
Release:        3%{?dist}
#rpm包的下载地址,如果没有下载地址可以写成源码包的官方地址
URL:            http://www.squid-cache.org/Versions/v2/2.7/squid-2.7.STABLE5.tar.bz2
#RPM包的密钥,可以去源码包找对应的密钥,涉及到版权信息。
License:        Creative Commons Attribution Sharealike 2.5 License
#rpm包的所属组
Group:          System Environment/Daemons
#指定rpm包的源文件,地址在_topdir/SOURCES
Source0:        squid-2.7.STABLE5.tar.bz2
#Source1:        squid.conf
#指定rpm包的虚拟目录,类似DNS的chroot
BuildRoot:      %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
#取消自动添加依赖关系
AutoReq: no
#描述信息
%description
Squid is a fully-featured HTTP/1.0 proxy which is almost (but not quite - we're getting ther
e!) a fully-featured HTTP/1.1 proxy. Squid offers a rich access control, authorization and l
ogging environment to develop web proxy and content serving applications. Squid offers a ric
h set of traffic optimization options, most of which are enabled by default for simpler inst
81 lines yanked                                                                                                          1,1           Top
#rpm包的所属组
Group:          System Environment/Daemons
#指定rpm包的源文件,地址在_topdir/SOURCES
Source0:        squid-2.7.STABLE5.tar.bz2
#Source1:        squid.conf
#指定rpm包的虚拟目录,类似DNS的chroot
BuildRoot:      %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
#取消自动添加依赖关系
AutoReq: no
#描述信息
%description
Squid is a fully-featured HTTP/1.0 proxy which is almost (but not quite - we're getting ther
e!) a fully-featured HTTP/1.1 proxy. Squid offers a rich access control, authorization and l
ogging environment to develop web proxy and content serving applications. Squid offers a ric
h set of traffic optimization options, most of which are enabled by default for simpler inst
allation and high performance.

#准备安装,解压 cd等都这这里进行
#rpmbuild -bp
%prep
%setup -q

#编译信息
#rpmbuild -bc
%build
export DESTDIR=%{buildroot}
./configure --prefix=/usr/local/webserver/squid --enable-arp-acl --enable-snmp --enable-dlmalloc --with-pthreads --enable-epoll --enable-poll --disable-internal-dns --enable-stacktrace --enable-removal-policies=heap,lru --enable-delay-po
ols --enable-storeio=ufs,aufs,diskd,coss,null --enable-external-acl --with-large-files --enable-large-files --enable-async-io --enable-dl-malloc --enable-ssl --enable-auth=basic,digest,negotiate,ntlm --enable-icmp --enable-large-cache-fi
les
make %{?_smp_mflags}

#安装信息
%install
%{__rm} -rf %{buildroot}
make install DESTDIR=%{buildroot}
#%{__install} -p -D -m 0755 %{SOURCE1} %{buildroot}/usr/local/webserver/squid/etc/

#可以写一下脚本,安装前,安装后,卸载前,卸载后等脚本
%pre
if [ $1 == 1 ]; then
    /usr/sbin/useradd -s /bin/false -r %{squid_user} 2>/dev/null || :
fi
%preun
%post
%postun

#清除buildroot目录下的信息,以便不影响下次制作
%clean
%{__rm} -rf %{buildroot}

#指定安装后的文件
%files
%defattr(-,%{squid_user},%{squid_user},0755)
/usr/local/webserver/squid/bin/
/usr/local/webserver/squid/libexec/
/usr/local/webserver/squid/sbin/
/usr/local/webserver/squid/share/
%config(noreplace)  /usr/local/webserver/squid/etc/*

#日志信息
%changelog
* Mon Jun 03 2013 -
- second build
* Fri May 31 2013 - Yangyang <[email protected]>
- first build

    参考:

    http://wiki.centos.org/zh/HowTos/SetupRpmBuildEnvironment

    http://mageedu.blog.51cto.com/4265610/1205205