CentOS Module

The worked examples in this article come from the official questions of the 2022 National Vocational College Skills Competition, Network System Administration event.

Network System Administration event - Module C - Linux Deployment - Paper 02 - exam paper
Network System Administration event - Module C - Linux Deployment - Paper 02 - scoring criteria

CentOS basic configuration

Network configuration

vi /etc/sysconfig/network-scripts/ifcfg-ens33
TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=static # static IP configuration
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=ens33
UUID=dd6603d6-14f2-4d52-ada3-b364a6f54322
DEVICE=ens33
ONBOOT=yes          # change no to yes so the interface comes up at boot
IPADDR=192.168.100.100
NETMASK=255.255.255.0
GATEWAY=192.168.100.254
DNS1=192.168.100.100

After editing, check the IP address:
[root@appsrv ~]# ip add
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:e7:9f:a4 brd ff:ff:ff:ff:ff:ff
    inet 192.168.100.100/24 brd 192.168.100.255 scope global noprefixroute ens33
       valid_lft forever preferred_lft forever
    inet6 fe80::cdf2:13e3:2117:701e/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever

systemctl restart network       # restart the network service
ifup ens33                      # bring up the ens33 interface

Multi-NIC configuration on Rserver

After adding the NICs, run ip add first to list the interfaces; look for names like ens33, ens3X
cd /etc/sysconfig/network-scripts/
vi ifcfg-ens33
TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=static # static IP configuration
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=ens33
UUID=dd6603d6-14f2-4d52-ada3-b364a6f54322           # the UUID differs on every machine; on a cloned machine this line must be deleted
DEVICE=ens33
ONBOOT=yes          # change no to yes so the interface comes up at boot
IPADDR=10.10.100.254
NETMASK=255.255.255.0
Locate ifcfg-ens33 and cp it to the two files for the other NICs (ifcfg-ens36, ifcfg-ens37)

cp ifcfg-ens33 ifcfg-ens36
vi ifcfg-ens36

TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=static # static IP configuration
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=ens36
UUID=dd6603d6-14f2-4d52-ada3-b364a6f54322       # delete this line
DEVICE=ens36
ONBOOT=yes          # change no to yes so the interface comes up at boot
IPADDR=172.16.100.254
NETMASK=255.255.255.128

cp ifcfg-ens33 ifcfg-ens37
vi ifcfg-ens37

TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=static # static IP configuration
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=ens37
UUID=dd6603d6-14f2-4d52-ada3-b364a6f54322       # delete this line
DEVICE=ens37
ONBOOT=yes          # change no to yes so the interface comes up at boot
IPADDR=192.168.10.2
NETMASK=255.255.255.240
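As an added example (not code from the original notes), a small shell helper that performs the copy-and-edit steps of this section for one extra NIC per call: copy ifcfg-ens33, drop the UUID line, rewrite NAME, DEVICE, IPADDR and NETMASK. The directory parameter, the constructed template file and the function names are assumptions so it can be tried on a scratch directory first.

```shell
#!/bin/sh
# Added example, not part of the original notes. The scripts directory is a
# parameter so the function can be tried on a scratch copy before touching
# /etc/sysconfig/network-scripts.
# Usage: clone_ifcfg <scripts-dir> <template-iface> <new-iface> <ip> <netmask>
clone_ifcfg() {
    local dir="$1" src="$2" dst="$3" ip="$4" mask="$5"
    local tpl="$dir/ifcfg-$src" out="$dir/ifcfg-$dst"
    [ -f "$tpl" ] || { echo "template $tpl not found" >&2; return 1; }
    # refuse to overwrite a file that already exists for the new interface
    if [ -e "$out" ]; then echo "$out already exists" >&2; return 1; fi
    # The UUID identifies the connection; a copy that keeps it clashes with the
    # template NIC, which is why the notes say to delete it on cloned machines.
    sed -e '/^UUID=/d' \
        -e "s/^NAME=.*/NAME=$dst/" \
        -e "s/^DEVICE=.*/DEVICE=$dst/" \
        -e "s/^IPADDR=.*/IPADDR=$ip/" \
        -e "s/^NETMASK=.*/NETMASK=$mask/" \
        "$tpl" > "$out"
}

# Read one KEY=value from an ifcfg file, ignoring any trailing comment.
ifcfg_get() {
    sed -n "s/^$2=\([^ #]*\).*/\1/p" "$1"
}

# Constructed template (the Rserver ens33 file from this section) for a trial run.
make_template() {
    cat > "$1/ifcfg-ens33" <<'EOF'
TYPE=Ethernet
BOOTPROTO=static
DEFROUTE=yes
NAME=ens33
UUID=dd6603d6-14f2-4d52-ada3-b364a6f54322
DEVICE=ens33
ONBOOT=yes          # start at boot
IPADDR=10.10.100.254
NETMASK=255.255.255.0
EOF
}

# Trial run in a temporary directory: the two extra NICs from the Rserver example.
demo() {
    local dir
    dir=$(mktemp -d)
    make_template "$dir"
    clone_ifcfg "$dir" ens33 ens36 172.16.100.254 255.255.255.128
    clone_ifcfg "$dir" ens33 ens37 192.168.10.2 255.255.255.240
    cat "$dir/ifcfg-ens36" "$dir/ifcfg-ens37"
    rm -rf "$dir"
}
```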

Configuring the hostname and FQDN

FQDN (Fully Qualified Domain Name): the full domain name of the host

Temporarily changing the hostname

hostname TEMP-HOSTNAME # reset after a reboot

Permanently changing the hostname and FQDN

hostnamectl set-hostname HOSTNAME
Then run bash to refresh the shell
# FQDN
Edit the contents of /etc/hosts with vi /etc/hosts:
    IP              FQDN          hostname
81.6.63.100 ispsrv.chinaskills.cn ispsrv
Test:
root@ispsrv:~# hostname
ispsrv
root@ispsrv:~# hostname -f
ispsrv.chinaskills.cn

The tricky part of the FQDN task is the Rserver device

Rserver has two FQDNs
Taking sample paper 1 as an example:
Rserver.skills.com
Rserver.sdskills.com
Both FQDNs must be set with vi /etc/hosts:
172.16.100.254 Rserver.sdskills.com
192.168.10.2 Rserver.skills.com

Disabling SELinux and the firewall

1. setenforce 0        # temporary
    0 = permissive (off)
    1 = enforcing (on)
2. Permanent:
    edit the /etc/selinux/config file
    change SELINUX=enforcing to SELINUX=disabled, then reboot for it to take effect
3. getenforce      # check whether it is off
    Disabled    # fully disabled
    Permissive  # temporarily disabled
    Enforcing   # enforcing

systemctl stop firewalld        # stop now
systemctl disable firewalld     # do not start at boot
systemctl status firewalld      # check firewall status
firewall-cmd --state            # check firewall status

Configuring the login message

Region: CST + 8
System locale: English US (UTF-8)
Keyboard: English US
Note: when a task involves configuring TLS, add the root certificate or self-signed certificate to the trusted store. After console login, whether over the network or locally, display the welcome message below.

*********************************
      ChinaSkills 2022–CSK
        Module C Linux
         >>hostname<<
        >>OS Version<<
          >> TIME <<
*********************************

Check the current time zone and set it

[root@localhost ~]# timedatectl list-timezones|grep Asia/Shanghai
Asia/Shanghai
[root@localhost ~]# timedatectl set-timezone Asia/Shanghai

[root@localhost ~]# timedatectl |grep "Time zone" 
       Time zone: Asia/Shanghai (CST, +0800)
[root@localhost ~]# 

Write the shell script

[root@appsrv ~]# vi /login.sh

#!/bin/bash
# Print the welcome banner required above: hostname, OS version and current time
printf "**************************************\n"
printf "      ChinaSkills 2022 - CSK\n"
printf "        Module C Linux\n"
printf "         >>%s<<\n" "$(hostname -s)"
printf "        >>%s<<\n" "$(cat /etc/redhat-release)"
printf "          >> %s <<\n" "$(date)"
printf "**************************************\n"

Run the script automatically after login

[root@appsrv ~]# echo "sh /login.sh" >> /etc/profile

Turning off the local and ssh console login messages

[root@appsrv ~]# vi /etc/ssh/sshd_config 
PrintMotd no
PrintLastLog no
[root@appsrv ~]# systemctl restart sshd		# restart the service so the change takes effect

CentOS local repository configuration

First make sure the ISO image is attached (connected) to the virtual machine

(screenshot: yuan.png)

Create the mount point

[root@Server01 ~]# mkdir /media/cdrom/

Change to the directory holding the yum repo files

[root@Server01 ~]# cd /etc/yum.repos.d/

Remove the base repo file

[root@Server01 yum.repos.d]# rm -rf CentOS-Base.repo 

Edit the repo file you need

[root@Server01 yum.repos.d]# vim CentOS-Media.repo
[c7-media]
name=CentOS-$releasever - Media
baseurl=file:///media/CentOS/
        file:///media/cdrom/
        file:///media/cdrecorder/
gpgcheck=1
enabled=1		# change the 0 here to 1 to enable this repo
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7

Mount

[root@Server01 ~]# mount /dev/cdrom /media/cdrom/
mount: /dev/sr0 写保护,将以只读方式挂载
[root@Server01 ~]# 

Reload yum and build the cache

[root@Server01 yum.repos.d]# yum clean  all 
[root@Server01 yum.repos.d]# yum makecache

Test by installing vim

[root@Server01 yum.repos.d]# yum -y install vim

Configuring squid and routing/forwarding on CentOS

By default a Linux system does not forward packets; it only sends data according to its own routing table.

Disable SELinux and the firewall

See the CentOS basic configuration section

Install and start the squid service

```
yum -y install squid        # install
systemctl start squid       # start
```

Enable IP forwarding

```
echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
```

Test

Run sysctl -p; if the output shows the net.ipv4.ip_forward = 1 line just written, it succeeded

Disk management

Disk partitioning

  • enter the partition table and create partitions with fdisk
  • update (refresh) the partition table
  • format the partition with a file system

Partitioning with fdisk

lsblk       # list block devices
df -h       # show the mounted devices and their usage
blkid       # print the UUID of a formatted partition
fdisk -l    # list the partitions on every device in the system

Disk partitioning

A newly added disk appears as /dev/<new disk name>; it can be seen under /dev/ (normally starting from sdb)

Use fdisk /dev/<disk name> to partition it, e.g. fdisk /dev/sdb (a newly added disk is only detected after a reboot)

(screenshot: fdisk.png)

Partitioning with fdisk /dev/sdb

(screenshot: fenqu.png)

a		toggle a bootable flag
b		edit the bsd disklabel
c		toggle the dos compatibility flag
d		delete a partition
g		create a new empty GPT partition table
G		create an IRIX (SGI) partition table
l		list the known partition types
m		print this menu
n		add a new partition
o		create a new empty DOS partition table
p		print the partition table
q		quit without saving changes
s		create a new empty Sun disklabel
t		change a partition's system id
u		change the display/entry units
v		verify the partition table
w		write the table to disk and exit
x		extra functionality (experts only)

Adding a partition takes 5 steps; each step is described below and each ends with Enter

Enter n to add a new partition
Enter p to create a primary partition
Specify the partition number; 1 is fine
Specify the first sector; keep the default, changing it is not recommended
Specify the last sector, which determines the partition size; K, M or G can be used to give the size

(With no special requirements, just press Enter for the defaults)

After the steps above, enter w to commit the partition table, otherwise nothing takes effect

(screenshot: guocheng.png)

lsblk and lsblk -f show that the new partition exists, but it is not yet formatted or mounted, so it cannot be used yet

partprobe # refresh the partition table

Formatting the partition

mkfs -t <file system type> <partition>, e.g.:

mkfs -t ext4 /dev/sdb1
mkfs.ext4 /dev/sdb1        # equivalent form

Mounting the partition

Manual mount

1. Create a mount point
2. mount /dev/sdb1 /XXX

Automatic mount

To mount automatically, edit /etc/fstab
and append at the end:
/dev/sdb1 /data ext4 defaults	0 0
device    mount point  fs type  options  dump  pass

Unmounting the partition

If you no longer want this partition mounted, use umount <partition> or umount <mount directory>; either form works:
umount /dev/sdb1
umount /data
Note
# When unmounting, do not run umount from inside the mount directory, and make sure the disk is not in use, otherwise you get: device is busy
# Do not mount a disk directly onto an existing system directory such as /home or /root; it easily causes problems

Introduction to logical volumes (LVM)

LVM is a mechanism for managing disk partitions under Linux. It is an abstraction layer built on top of the physical storage devices; its advantage is flexible management.
Features:
1. online dynamic growth
2. offline shrinking
3. data striping
4. data mirroring

Logical volume concepts

Main components

  1. Physical Volume (PV)
    The physical volume is the device that actually provides the capacity and stores the data; it can be a whole disk, a partition on a disk, etc.

  2. Volume Group (VG)
    A volume group is built on physical volumes and consists of one or more of them, i.e. it pools the physical volumes to provide capacity for allocation. An LVM system can have a single volume group or several.

  3. Logical Volume (LV)

    A logical volume is built on a volume group; it is a piece of space "carved out" of the volume group and is the logical device the end user actually uses. After creation, a logical volume can be grown or shrunk.

  4. Physical Extent (PE)

    Each physical volume is divided into basic units called PEs (Physical Extents); a PE has a unique number and is the smallest unit LVM can address. The PE size can be specified and defaults to 4 MB. Once set, the PE size cannot be changed, and all physical volumes in the same volume group use the same PE size. 4 MB = 4096 KB; 4096 KB / 4 KB = 1024 blocks.

  5. Logical Extent (LE)
    A logical volume is likewise divided into addressable basic units called LEs (Logical Extents). Within the same volume group the LE size equals the PE size, and LEs map one-to-one onto PEs.

Approach and workflow

real physical device > physical volume (pv) > volume group (vg) > logical volume (lv) > format the logical volume > mount and use
1. physical device
2. turn the physical device into a physical volume
3. create a volume group and add the physical volume to it
4. create a logical volume
5. format the logical volume
6. mount and use it

Creating a physical volume

# turn the sdb1 partition into a physical volume
[root@localhost ~]# pvcreate /dev/sdb1   
WARNING: xfs signature detected on /dev/sdb1 at offset 0. Wipe it? [y/n]: y
  Wiping xfs signature on /dev/sdb1.
  Physical volume "/dev/sdb1" successfully created.
# check that the physical volume was created: pvs, pvscan or pvdisplay [PV name], any of the three
[root@localhost ~]# pvs			# pvs
  PV         VG     Fmt  Attr PSize   PFree
  /dev/sda2  centos lvm2 a--  <59.00g 4.00m
  /dev/sdb1         lvm2 ---    5.00g 5.00g
[root@localhost ~]# pvscan		# pvscan
  PV /dev/sda2   VG centos          lvm2 [<59.00 GiB / 4.00 MiB free]
  PV /dev/sdb1                      lvm2 [5.00 GiB]
  Total: 2 [<64.00 GiB] / in use: 1 [<59.00 GiB] / in no VG: 1 [5.00 GiB]
[root@localhost ~]# pvdisplay /dev/sdb1		# pvdisplay [PV name]
  "/dev/sdb1" is a new physical volume of "5.00 GiB"
  --- NEW Physical volume ---
  PV Name               /dev/sdb1
  VG Name
  PV Size               5.00 GiB
  Allocatable           NO
  PE Size               0
  Total PE              0
  Free PE               0
  Allocated PE          0
  PV UUID               eygSMu-klBh-5wxx-B5iP-N3Cz-iKdZ-BON6Ay

Creating a volume group

# vgcreate <volume group name> <physical volumes to add>

[root@localhost ~]# vgcreate vg1 /dev/sdb1
  Volume group "vg1" successfully created
  
[root@localhost ~]# vgscan # check it was created; vgdisplay [VG name] also works
  Reading volume groups from cache.
  Found volume group "centos" using metadata type lvm2
  Found volume group 

Creating a logical volume

Carve space out of the volume group to create a logical volume
1. lvcreate -n <LV name> -L <LV size> <VG name>
2. lvcreate -n <LV name> -l <number of PEs> <VG name>
3. lvcreate -n lv3 -l 50%FREE vg1: creates a logical volume lv3 in vg1 sized at 50% of the remaining free space
Choose whichever fits the situation
[root@localhost ~]# lvcreate -n lv2 -L 2G vg1
  Logical volume "lv2" created.
[root@localhost ~]# ll /dev/mapper/vg1-lv2 	
lrwxrwxrwx. 1 root root 7 12月 13 21:27 /dev/mapper/vg1-lv2 -> ../dm-2
[root@localhost ~]# 
[root@localhost ~]# lvdisplay /dev/vg1/lv2 		# show logical volume details
  --- Logical volume ---
  LV Path                /dev/vg1/lv2
  LV Name                lv2
  VG Name                vg1
  LV UUID                pluka6-8xmj-r3Qn-UCdt-qeIA-R8rX-AIddln
  LV Write Access        read/write
  LV Creation host, time localhost.localdomain, 2022-12-13 21:27:26 +0800
  LV Status              available
  # open                 0
  LV Size                2.00 GiB
  Current LE             512
  Segments               1
  Allocation             inherit
  Read ahead sectors     auto
  - currently set to     8192
  Block device           253:2
   
[root@localhost ~]# 

Formatting the logical volume

[root@localhost ~]# mkfs.ext4 /dev/vg1/lv2 
mke2fs 1.42.9 (28-Dec-2013)
文件系统标签=
OS type: Linux
块大小=4096 (log=2)
分块大小=4096 (log=2)
Stride=0 blocks, Stripe width=0 blocks
131072 inodes, 524288 blocks
26214 blocks (5.00%) reserved for the super user
第一个数据块=0
Maximum filesystem blocks=536870912
16 block groups
32768 blocks per group, 32768 fragments per group
8192 inodes per group
Superblock backups stored on blocks: 
        32768, 98304, 163840, 229376, 294912

Allocating group tables: 完成                            
正在写入inode表: 完成                            
Creating journal (16384 blocks): 完成
Writing superblocks and filesystem accounting information: 完成 

[root@localhost ~]# 

Mount

[root@localhost ~]# mkdir /lv1	# create the mount point
[root@localhost ~]# mount /dev/vg1/lv2 /lv1  		# temporary mount
[root@localhost ~]# df -h							# check the mounts
文件系统                 容量  已用  可用 已用% 挂载点
/dev/mapper/centos-root   37G 1012M   36G    3% /
devtmpfs                 899M     0  899M    0% /dev
tmpfs                    911M     0  911M    0% /dev/shm
tmpfs                    911M  9.6M  902M    2% /run
tmpfs                    911M     0  911M    0% /sys/fs/cgroup
/dev/sda1               1014M  142M  873M   14% /boot
tmpfs                    183M     0  183M    0% /run/user/0
/dev/mapper/vg1-lv2      2.0G  6.0M  1.8G    1% /lv1	# the volume just mounted
[root@localhost ~]# 

LVM snapshots

Add a 15 GB disk and turn it into an LVM volume: the VG is named snapvg and the LV is named snaplv with a size of 5 GB, mounted at /snapdata;

Write a text file to /snapdata named cs.txt with the content "this is test!";

Take a snapshot of the LV; the snapshot must be read-only and named snapsrc;

Delete cs.txt, mount the snapshot at /snap and recover the file data.

Add the disk

(screenshot: LVM.png)

After adding it, reboot the VM:
[root@Server01 ~]# reboot 

Check the disks with lsblk

[root@storagesrv /]# lsblk 
NAME            MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
sda               8:0    0   20G  0 disk 
├─sda1            8:1    0    1G  0 part /boot
└─sda2            8:2    0   19G  0 part 
  ├─centos-root 253:0    0   17G  0 lvm  /
  └─centos-swap 253:1    0    2G  0 lvm  [SWAP]
sdb               8:16   0   10G  0 disk 
└─vdodisk       253:2    0  150G  0 vdo  /vdodata
sdc               8:32   0   15G  0 disk 							// the disk just added
sr0              11:0    1  9.5G  0 rom  /mnt

Create the LVM
Create the volume group
[root@storagesrv /]# vgcreate snapvg /dev/sdc
  Physical volume "/dev/sdc" successfully created.
  Volume group "snapvg" successfully created
[root@storagesrv /]# 

Create the logical volume

[root@storagesrv /]# lvcreate -L +5G -n snaplv snapvg
  Logical volume "snaplv" created.
[root@storagesrv /]# 

Format the logical volume

[root@storagesrv /]# mkfs.ext4 /dev/snapvg/snaplv 
mke2fs 1.42.9 (28-Dec-2013)
Filesystem label=
OS type: Linux
Block size=4096 (log=2)
Fragment size=4096 (log=2)
Stride=0 blocks, Stripe width=0 blocks
327680 inodes, 1310720 blocks
65536 blocks (5.00%) reserved for the super user
First data block=0
Maximum filesystem blocks=1342177280
40 block groups
32768 blocks per group, 32768 fragments per group
8192 inodes per group
Superblock backups stored on blocks: 
        32768, 98304, 163840, 229376, 294912, 819200, 884736

Allocating group tables: done                            
Writing inode tables: done                            
Creating journal (32768 blocks): done
Writing superblocks and filesystem accounting information: done 

[root@storagesrv /]# 

Mount

Create the mount point
[root@storagesrv /]# mkdir /snapdata 
[root@storagesrv /]# mount /dev/snapvg/snaplv /snapdata/
[root@storagesrv /]# df -Th
/dev/mapper/snapvg-snaplv ext4      4.8G   20M  4.6G   1% /snapdata

Taking the LV snapshot and recovering the file

[root@storagesrv /]# echo "this is test!" > /snapdata/cs.txt

[root@storagesrv /]#  lvcreate -L 64M -s -p r -n snapsrc /dev/snapvg/snaplv
  Logical volume "snapsrc" created.
[root@storagesrv /]#

[root@storagesrv /]# mkdir /snap
[root@storagesrv /]# rm /snapdata/cs.txt
rm: remove regular file '/snapdata/cs.txt'? y
[root@storagesrv /]# mount /dev/snapvg/snapsrc /snap
mount: /dev/mapper/snapvg-snapsrc is write-protected, mounting read-only
[root@storagesrv /]# tail /snap/cs.txt
this is test!
[root@storagesrv /]#

RAID

Common RAID levels

RAID0

(figure: raid0.png)

  • at least two disks
  • data is striped across the disks: high read/write performance, 100% storage utilisation
  • no redundancy: if one disk fails the data cannot be recovered
  • use cases:
    scenarios that demand performance but not data safety or reliability, e.g. audio and video storage.

RAID1

(figure: raid1.png)

  • at least 2 disks
  • data is mirrored onto the disks (working disk and mirror disk): high reliability, 50% disk utilisation
  • read performance is acceptable, write performance is poor
  • one disk failure does not affect reading or writing of the data
  • use cases:
    scenarios requiring high data safety and reliability, e.g. mail systems, trading systems.

RAID5

(figure: raid5.png)

  • at least 3 disks
  • data is striped across the disks: good read/write performance, disk utilisation (n-1)/n
  • redundancy through (distributed) parity
  • if one disk fails, the damaged data can be rebuilt from the other data blocks and the corresponding parity (at a performance cost)
  • currently the best overall data-protection solution
  • balances storage performance, data safety and storage cost (good value)
  • suitable for most use cases

RAID6

(figure: raid6.png)

  • at least 4 disks
  • data is striped across the disks: good read performance, strong fault tolerance
  • double parity protects the data
  • if 2 disks fail at the same time, both can be rebuilt from the two sets of parity
  • costs more than the other levels and is more complex
  • generally used where data safety requirements are very high

RAID10

(figure: raid10.png)

  • RAID10 is the combination of RAID1 + RAID0
  • at least 4 disks
  • pairs of disks are first put in RAID1, then the RAID1 pairs are combined in RAID0
  • combines redundancy (RAID1 mirroring) with read/write performance (RAID0 striping)
  • 50% disk utilisation, higher cost

Software and hardware RAID

Software RAID

Software RAID runs at the operating-system level: it takes the physical disks presented by the SCSI or IDE controller, virtualises them into a virtual disk and hands that to the management software. Software RAID has the following characteristics:

  • saves cost: usable as long as the system supports it
  • consumes memory
  • consumes CPU
  • cannot run if the software or the operating system fails

Common mdadm options:

| Option | Long form | Purpose |
| ---- | ----------------- | ---------------------- |
| -C | --create | create an array |
| -a | --auto | create the device node automatically |
| -l | --level | RAID level of the array |
| -n | --raid-devices | number of active disks in the array |
| -x | --spare-devices=N | number of hot-spare disks in the array |
| -S | --stop | stop the array |

mdadm must be installed before use; RAID5 is demonstrated here
[root@localhost ~]# yum -y install mdadm
Create a RAID5 array named md0: -l is the level, -n the number of active devices, -x the number of spares
[root@localhost ~]# mdadm -C /dev/md0 -a yes -l 5 -n 3 -x 1 /dev/sdb1 /dev/sdc1 /dev/sdd1 /dev/sde1
mdadm: Defaulting to version 1.2 metadata
mdadm: array /dev/md0 started.
[root@localhost ~]# mdadm -D /dev/md0				# check the RAID5 status
/dev/md0:
           Version : 1.2
     Creation Time : Tue Dec 13 22:25:34 2022
        Raid Level : raid5								# RAID level
        Array Size : 10473472 (9.99 GiB 10.72 GB)		# array capacity
     Used Dev Size : 5236736 (4.99 GiB 5.36 GB)			# capacity used on each member
      Raid Devices : 3
     Total Devices : 4
       Persistence : Superblock is persistent

       Update Time : Tue Dec 13 22:26:01 2022
             State : clean 								# array state is healthy
    Active Devices : 3									# three partitions active
   Working Devices : 4									# four partitions working
    Failed Devices : 0									# no failed partitions
     Spare Devices : 1									# one spare disk

            Layout : left-symmetric
        Chunk Size : 512K

Consistency Policy : resync

              Name : localhost.localdomain:0  (local to host localhost.localdomain)
              UUID : 89c91557:34a7c3bc:e5271a00:b500c359
            Events : 18

    Number   Major   Minor   RaidDevice State
       0       8       17        0      active sync   /dev/sdb1
       1       8       33        1      active sync   /dev/sdc1
       4       8       49        2      active sync   /dev/sdd1

       3       8       65        -      spare   /dev/sde1		# idle; if one of the three partitions above fails, it takes over
[root@localhost ~]# 

md0 can also be turned into an LVM volume:

(screenshot: md-lv.png)

Format the array

[root@localhost ~]# mkfs.ext4 /dev/md0
mke2fs 1.42.9 (28-Dec-2013)
文件系统标签=
OS type: Linux
块大小=4096 (log=2)
分块大小=4096 (log=2)
Stride=128 blocks, Stripe width=256 blocks
655360 inodes, 2618368 blocks
130918 blocks (5.00%) reserved for the super user
第一个数据块=0
Maximum filesystem blocks=2151677952
80 block groups
32768 blocks per group, 32768 fragments per group
8192 inodes per group
Superblock backups stored on blocks: 
        32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632

Allocating group tables: 完成                            
正在写入inode表: 完成                            
Creating journal (32768 blocks): 完成
Writing superblocks and filesystem accounting information: 完成 

[root@localhost ~]# 

Auto-mount at /data on boot

echo "/dev/md0 /data ext4 defaults 0 0" >> /etc/fstab
This command is equivalent to writing the line directly into /etc/fstab

[root@localhost ~]# echo "/dev/md0 /data ext4 defaults 0 0" >> /etc/fstab
[root@localhost ~]# cat /etc/fstab 
#
# /etc/fstab
# Created by anaconda on Sun Nov  6 06:31:37 2022
#
# Accessible filesystems, by reference, are maintained under '/dev/disk'
# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info
#
/dev/mapper/centos-root /                       xfs     defaults        0 0
UUID=1df16acc-b1ff-464e-a073-30de8e4edb60 /boot                   xfs     defaults        0 0
/dev/mapper/centos-swap swap                    swap    defaults        0 0
/dev/md0 /data ext4 defaults 0 0
[root@localhost ~]# 

Hardware RAID

RAID implemented in hardware is hardware RAID: a dedicated RAID card or a RAID chip integrated on the motherboard. A RAID card is a board used to implement the RAID function. Characteristics of hardware RAID:

  • has its own processing unit, so performance is good
  • may require buying extra hardware
  • different RAID cards support different features; choose according to your needs

VDO (Virtual Data Optimizer)

A disk added while the system is running requires a reboot to be detected

Create the VDO volume

[root@storagesrv ~]# vdo create --name vdodisk --device /dev/sdb --vdoLogicalSize 150G
Creating VDO vdodisk
Starting VDO vdodisk
Starting compression on VDO vdodisk
VDO instance 0 volume is ready at /dev/mapper/vdodisk

Format the volume

[root@storagesrv ~]# mkfs.ext4 -K /dev/mapper/vdodisk 
Warning: -K option is deprecated and should not be used anymore. Use '-E nodiscard' extended option instead!
mke2fs 1.42.9 (28-Dec-2013)
文件系统标签=
OS type: Linux
块大小=4096 (log=2)
分块大小=4096 (log=2)
Stride=0 blocks, Stripe width=0 blocks
9830400 inodes, 39321600 blocks
1966080 blocks (5.00%) reserved for the super user
第一个数据块=0
Maximum filesystem blocks=2187329536
1200 block groups
32768 blocks per group, 32768 fragments per group
8192 inodes per group
Superblock backups stored on blocks: 
	32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208, 
	4096000, 7962624, 11239424, 20480000, 23887872

Allocating group tables: 完成                            
正在写入inode表: 完成                            
Creating journal (32768 blocks): 完成
Writing superblocks and filesystem accounting information: 完成     

[root@storagesrv ~]# 

Mount at boot

[root@storagesrv ~]# mkdir /vdodata		# create the mount point
[root@storagesrv ~]# echo /dev/mapper/vdodisk /vdodata ext4 defaults 0 0 >> /etc/fstab 
[root@storagesrv ~]# mount -a		# mount everything listed in fstab
[root@storagesrv ~]# cat /etc/fstab | grep vdo
/dev/mapper/vdodisk /vdodata ext4 defaults 0 0
[root@storagesrv ~]# 
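As an added example for the /etc/fstab steps here and in the mount and RAID sections (not code from the original notes): an idempotent way to add the entry, with the fstab path as a parameter so it can be tried on a copy first. The function names and the constructed sample fstab are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original notes. Appends a line the way
# "echo ... >> /etc/fstab" does, but avoids two common mistakes: a duplicate
# entry for the same mount point (every repeated "echo >>" appends again) and
# a malformed or relative mount point, which sends the next boot into
# emergency mode. The fstab file is a parameter so it can be tried on a copy.
# Usage: add_fstab_entry <fstab-file> <device> <mountpoint> <fstype> [options] [dump] [pass]
add_fstab_entry() {
    local fstab="$1" dev="$2" mnt="$3" fstype="$4"
    local opts="${5:-defaults}" dump="${6:-0}" pass="${7:-0}"
    # a mount point must be an absolute path
    case "$mnt" in
        /*) ;;
        *) echo "mount point must be absolute: $mnt" >&2; return 1 ;;
    esac
    # refuse if the device or the mount point is already listed (comments ignored)
    if grep -v '^[[:space:]]*#' "$fstab" |
       awk -v d="$dev" -v m="$mnt" '$1 == d || $2 == m { found = 1 } END { exit !found }'; then
        echo "$dev or $mnt already present in $fstab" >&2
        return 2
    fi
    # always write all six fields so mount(8) parses the line unambiguously
    printf '%s %s %s %s %s %s\n' "$dev" "$mnt" "$fstype" "$opts" "$dump" "$pass" >> "$fstab"
}

# Report the fs type and options recorded for a mount point (empty if absent).
fstab_lookup() {
    grep -v '^[[:space:]]*#' "$1" | awk -v m="$2" '$2 == m { print $3, $4 }'
}

# Constructed fstab, modelled on the one printed in the RAID section, for a trial run.
make_sample_fstab() {
    cat > "$1" <<'EOF'
#
# /etc/fstab
/dev/mapper/centos-root /                       xfs     defaults        0 0
/dev/mapper/centos-swap swap                    swap    defaults        0 0
EOF
}

# Trial run on a temporary copy: the md0 entry from the RAID section twice
# (second attempt refused) and the VDO entry from this section.
demo() {
    local f
    f=$(mktemp)
    make_sample_fstab "$f"
    add_fstab_entry "$f" /dev/md0 /data ext4
    add_fstab_entry "$f" /dev/md0 /data ext4 || echo "duplicate refused (status $?)"
    add_fstab_entry "$f" /dev/mapper/vdodisk /vdodata ext4 defaults,x-systemd.requires=vdo.service
    cat "$f"
    rm -f "$f"
}
```

For the VDO entry, Red Hat's documentation recommends adding x-systemd.requires=vdo.service to the options so the VDO volume is started before the mount is attempted; the demo uses that form.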

Verify

[root@storagesrv ~]# df -Th  
Filesystem              Type      Size  Used Avail Use% Mounted on
devtmpfs                devtmpfs  475M     0  475M   0% /dev
tmpfs                   tmpfs     487M     0  487M   0% /dev/shm
tmpfs                   tmpfs     487M  7.6M  479M   2% /run
tmpfs                   tmpfs     487M     0  487M   0% /sys/fs/cgroup
/dev/mapper/centos-root xfs        17G  1.3G   16G   8% /
/dev/sda1               xfs      1014M  137M  878M  14% /boot
tmpfs                   tmpfs      98M     0   98M   0% /run/user/0
/dev/mapper/vdodisk     ext4      148G   61M  140G   1% /vdodata
[root@storagesrv ~]# 
[root@storagesrv ~]# vdo status | grep Compression && vdo status | grep Deduplication
    Compression: enabled
    Deduplication: enabled
[root@storagesrv ~]# 


Firewall

Differences between the CentOS 6 and CentOS 7 firewalls

CentOS 6 ships with iptables; CentOS 7 ships with firewalld.
iptables filters packets and is a network-layer firewall; firewalld can allow specific services and port numbers and is a higher-level firewall.
The firewalld configuration file is /etc/sysconfig/firewalld; the iptables configuration file is /etc/sysconfig/iptables.

iptables

Installing iptables

yum -y install iptables-services

SNAT

SNAT policy

  1. SNAT use case
    LAN hosts share a single public IP address to reach the Internet
    gives the internal network access to the external network
  2. How SNAT works
    source address translation
    rewrites the source IP address of the packet; commonly called source mapping.
  3. Preconditions for SNAT
    every LAN host has a correct IP address, subnet mask and default gateway
    IP forwarding is enabled on the Linux gateway
iptables -t nat -A POSTROUTING -s 192.168.100.0/24 -o ens33 -j SNAT --to 10.0.0.1
                                    may be a single IP   outbound WAN interface      public IP
or
iptables -t nat -A POSTROUTING -s 192.168.100.0/24 -o ens33 -j SNAT --to-source 10.0.0.1-10.0.0.10
                                    internal network     outbound WAN interface      public IP or address pool
  4. MASQUERADE: address masquerading

Used when the public IP address is not fixed
Replace the SNAT target with MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j MASQUERADE

DNAT

DNAT policy

  1. DNAT use case
    publishing a server located inside the corporate LAN on the public network so it can serve external clients
  2. How DNAT works
    destination address translation
    rewrites the destination address of the packet
iptables -t nat -A PREROUTING -i ens37 -d 12.0.0.254 -p tcp --dport 80 -j DNAT --to 192.168.222.50  # add the rule

Case

  • Add the necessary network address translation rules so external clients can reach the dns, mail, web and ftp services on the internal servers;
  • The INPUT, OUTPUT and FORWARD chains reject (DROP) all traffic by default;
  • Configure source address translation so internal clients can reach the Internet zone.
  1. SNAT rules
[root@routserv ~]# iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o ens33 -j MASQUERADE
[root@routserv ~]# iptables -t nat -A POSTROUTING -s 192.168.100.0/24 -o ens33 -j MASQUERADE
[root@routserv ~]# iptables -t nat -nvL POSTROUTING
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MASQUERADE  all  --  *      ens33   192.168.0.0/24       0.0.0.0/0           
    0     0 MASQUERADE  all  --  *      ens33   192.168.100.0/24     0.0.0.0/0           
[root@routserv ~]# 
  2. DNAT rules
[root@routserv ~]# iptables -t nat -A PREROUTING -d 81.6.63.254 -p udp --dport 53 -j DNAT --to 192.168.100.100
[root@routserv ~]# iptables -t nat -A PREROUTING -d 81.6.63.254 -p tcp -m multiport --dport 53,80,443,465,993 -j DNAT --to 192.168.100.100
[root@routserv ~]# iptables -t nat -A PREROUTING -d 81.6.63.254 -p tcp -m multiport --dport 20,21,137,138,139,444,445 -j DNAT --to 192.168.100.200
[root@routserv ~]# iptables -t nat -nvL PREROUTING
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            81.6.63.254          udp dpt:53 to:192.168.100.100
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            81.6.63.254          multiport dports 53,80,443,465,993 to:192.168.100.100
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            81.6.63.254          multiport dports 20,21,137,138,139,444,445 to:192.168.100.200
[root@routserv ~]# 

  3. Default deny and allow only the required traffic
iptables -P INPUT DROP  	# default policy for traffic to the router itself
iptables -P FORWARD DROP	# default policy for traffic passing through the router
iptables -P OUTPUT DROP		# default policy for traffic from the router itself
iptables -A INPUT -p tcp -m multiport --dport 1194,2021 -j ACCEPT
iptables -A INPUT -p udp -m multiport --dport 67,68 -j ACCEPT
iptables -A FORWARD -p udp --dport 53 -j ACCEPT
iptables -A FORWARD -p tcp -m multiport --dport 53,80,443,465,993,20,21,137,138,139,444,445,4500:5000  -j ACCEPT
iptables -A FORWARD -p udp --sport 53 -j ACCEPT
iptables -A FORWARD -p tcp -m multiport --sport 53,80,443,465,993,20,21,137,138,139,444,445,4500:5000  -j ACCEPT
iptables -A OUTPUT -p tcp -m multiport --sport 1194,2021 -j ACCEPT		# replies from the router's own ssh/vpn ports leave via OUTPUT
iptables -A OUTPUT -p udp -m multiport --sport 67,68 -j ACCEPT
# add further service ports as needed
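The NAT and default-deny rules of this case, as an added example that is not part of the original notes, rewritten as a single iptables-restore ruleset: it is loaded atomically, so the DROP policies never take effect before the ACCEPT rules exist, and return traffic is matched by connection state instead of by --sport (a --sport rule lets any remote host through merely by sending from port 53 or 80). The variable names, the `-i ens33` matches on the DNAT rules and the assignment of 4500:5000 to the storagesrv FTP rule are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original notes. Addresses, interfaces and
# ports are the ones used in the case above; the variable names are assumptions.
WAN_IF=ens33
PUBLIC_IP=81.6.63.254
APPSRV=192.168.100.100
STORAGESRV=192.168.100.200
INSIDE_NETS="192.168.0.0/24 192.168.100.0/24"

# Emit the complete ruleset in iptables-restore format.
gen_ruleset() {
    echo '*nat'
    echo ':PREROUTING ACCEPT [0:0]'
    echo ':POSTROUTING ACCEPT [0:0]'
    # DNAT: publish the internal servers on the public address (WAN side only)
    echo "-A PREROUTING -i $WAN_IF -d $PUBLIC_IP -p udp --dport 53 -j DNAT --to-destination $APPSRV"
    echo "-A PREROUTING -i $WAN_IF -d $PUBLIC_IP -p tcp -m multiport --dports 53,80,443,465,993 -j DNAT --to-destination $APPSRV"
    echo "-A PREROUTING -i $WAN_IF -d $PUBLIC_IP -p tcp -m multiport --dports 20,21,137,138,139,444,445 -j DNAT --to-destination $STORAGESRV"
    # SNAT: masquerade the internal networks behind the WAN interface
    for net in $INSIDE_NETS; do
        echo "-A POSTROUTING -s $net -o $WAN_IF -j MASQUERADE"
    done
    echo 'COMMIT'
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT DROP [0:0]'
    # replies to anything already allowed, in every chain; garbage is dropped early
    for chain in INPUT FORWARD OUTPUT; do
        echo "-A $chain -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
        echo "-A $chain -m conntrack --ctstate INVALID -j DROP"
    done
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A OUTPUT -o lo -j ACCEPT'
    # services on the router itself: ssh on 2021, vpn on 1194, dhcp
    echo '-A INPUT -p tcp -m multiport --dports 1194,2021 -m conntrack --ctstate NEW -j ACCEPT'
    echo '-A INPUT -p udp -m multiport --dports 67,68 -j ACCEPT'
    echo '-A OUTPUT -p udp -m multiport --sports 67,68 -j ACCEPT'
    # new connections through the router: only to the published services...
    echo "-A FORWARD -i $WAN_IF -d $APPSRV -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT"
    echo "-A FORWARD -i $WAN_IF -d $APPSRV -p tcp -m multiport --dports 53,80,443,465,993 -m conntrack --ctstate NEW -j ACCEPT"
    # (4500:5000 assumed to be the FTP passive range from the case's FORWARD rule)
    echo "-A FORWARD -i $WAN_IF -d $STORAGESRV -p tcp -m multiport --dports 20,21,137,138,139,444,445,4500:5000 -m conntrack --ctstate NEW -j ACCEPT"
    # ...and from the inside networks outwards
    for net in $INSIDE_NETS; do
        echo "-A FORWARD -s $net -o $WAN_IF -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo 'COMMIT'
}

# Load the ruleset atomically; iptables-restore rejects the whole file on a syntax error.
apply_ruleset() {
    gen_ruleset | iptables-restore
}

# Count generated rules containing a given string (used for checks).
count_rules() {
    gen_ruleset | grep -c -- "$1"
}
```

Run `gen_ruleset > /etc/sysconfig/iptables` to make the set persistent with iptables-services, or `apply_ruleset` to load it immediately.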

Testing

iptables -nL                                    # list the rules
iptables -t nat -F POSTROUTING                  # flush the POSTROUTING rules
iptables -t nat -L POSTROUTING --line-numbers   # list the rules with line numbers

Configuration parameters

Basic use of iptables

Basic use of firewalld

firewalld configuration:
Command: firewall-cmd
--add		## add
--remove		## remove
--permanent	## permanent (without it the change is temporary)
--add-service= / --remove-service=		## a service
--add-port= / --remove-port=		## a port


Start: systemctl start firewalld
Stop: systemctl stop firewalld
Status: systemctl status firewalld	# active (running) means running, inactive (dead) means stopped
Disable at boot: systemctl disable firewalld
Enable at boot: systemctl enable firewalld
Check whether the service starts at boot: systemctl is-enabled firewalld	# enabled means it starts at boot, disabled means it does not
List the state of all services: systemctl list-unit-files
List the enabled services: systemctl list-unit-files|grep enabled
List the disabled services: systemctl list-unit-files|grep disabled


firewall-cmd --state                           # firewall status: running or not
(prints running when started, not running when stopped)
firewall-cmd --version	                       # show the version
firewall-cmd --reload                          # reload the configuration, e.g. after adding rules
(prints success on a successful reload; "FirewallD is not running" means the firewall is stopped)
firewall-cmd --get-zones                       # list the supported zones
firewall-cmd --get-services                    # list the supported services; services in the list are allowed
(lists the allowed services, e.g. the nfs, rpc-bind and mountd services from earlier)
firewall-cmd --query-service ftp               # check whether the ftp service is allowed; returns yes or no
(yes means it is allowed, no means it is not; open it temporarily or permanently and query again)
firewall-cmd --add-service=ftp                 # allow the ftp service temporarily
firewall-cmd --add-service=ftp --permanent     # allow the ftp service permanently
firewall-cmd --remove-service=ftp              # remove the ftp service temporarily
firewall-cmd --remove-service=ftp --permanent  # remove the ftp service permanently
firewall-cmd --add-port=80/tcp                 # open tcp port 80 temporarily
firewall-cmd --add-port=80/udp                 # open udp port 80 temporarily
firewall-cmd --add-port=80/tcp --permanent     # open tcp port 80 permanently
firewall-cmd --add-port=80/udp --permanent     # open udp port 80 permanently
firewall-cmd --remove-port=80/tcp              # close tcp port 80 temporarily
firewall-cmd --remove-port=80/udp              # close udp port 80 temporarily
firewall-cmd --remove-port=80/tcp --permanent  # close tcp port 80 permanently
firewall-cmd --remove-port=80/udp --permanent  # close udp port 80 permanently
iptables -L -n								   # list the rules to see which ports are open
(-L lists the rules, -n shows addresses and ports numerically)
man firewall-cmd							   # see the available firewall-cmd options

firewalld overview and parameters

SSH

Case:

AppSrv

Install SSH, with the service listening on port 2101;

Only the InsideCli client may access ssh; requests from every other host must be refused;

The cskadmin user can log in without a password (by key) and has root control.

Separate SSH from SFTP: SFTP must listen on port 54321 and be started and stopped as a service.

Storagesrv

The created users user01 and user02 may access the ssh service;

The server's local root user may not;

Change the default SSH port and enable the new port 2022

Add user01 and user02 to the sudo group for remote access and privilege escalation.

Routersrv

Listening port 2021;

Only user01 may log in to routersrv; other users (including root) may not

When logging in to RouterSrv over ssh, at most 3 attempts are allowed within one minute; beyond that the client's network address is barred from the ssh service;

Log user logins to /var/log/ssh.log; the log must contain: source address, destination address, protocol, source port, destination port

Appsrv

Edit the configuration file

[root@appsrv ~]# vim /etc/ssh/sshd_config 
Port 2101
PubkeyAuthentication yes

Allow only the one client

[root@appsrv ~]# vim /etc/hosts.allow 
sshd:192.168.0.190
[root@appsrv ~]# vim /etc/hosts.deny 
sshd:ALL

Passwordless (key-based) login from the client

[root@insidecli ~]# useradd cskadmin
[root@insidecli ~]# su cskadmin
[cskadmin@insidecli root]$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/cskadmin/.ssh/id_rsa): 
Created directory '/home/cskadmin/.ssh'.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/cskadmin/.ssh/id_rsa.
Your public key has been saved in /home/cskadmin/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:N3o/oLRJE7yFuFHMyIq86WFIQn+y3nWSBRiAN8RD+/8 cskadmin@insidecli.chinaskills.cn
The key's randomart image is:
+---[RSA 2048]----+
|  =+.oo+         |
| o =..o.+        |
|..ooo. +..       |
|..ooo.o +..      |
|o. o+. oS+o      |
|. =.  o+=+..     |
| o... .++=..     |
|  .. .  =. ..    |
|         E  ..   |
+----[SHA256]-----+
[cskadmin@insidecli root]$ ssh-copy-id root@192.168.100.100 -p 2101
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/cskadmin/.ssh/id_rsa.pub"
The authenticity of host '[192.168.100.100]:2101 ([192.168.100.100]:2101)' can't be established.
ECDSA key fingerprint is SHA256:KelE7MchQcq/AsJHmmcL6ULj8nltPHh46CM3TBrDLHc.
ECDSA key fingerprint is MD5:90:bd:a6:ac:43:7b:1a:0e:a7:96:ee:f8:90:7e:2e:3f.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.100.100's password: 

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh -p '2101' 'root@192.168.100.100'"
and check to make sure that only the key(s) you wanted were added.

[cskadmin@insidecli root]$ 

Separating the ssh and sftp services

Copy the ssh files to serve as the sftp configuration

[root@appsrv ~]# cp /usr/lib/systemd/system/sshd.service /etc/systemd/system/sftpd.service
[root@appsrv ~]# cp /etc/pam.d/sshd /etc/pam.d/sftpd
[root@appsrv ~]# cp /etc/ssh/sshd_config /etc/ssh/sftpd_config

Create symbolic links

[root@appsrv ~]# ln -sf /usr/sbin/service /usr/sbin/rcsftpd
[root@appsrv ~]# ln -sf /usr/sbin/sshd /usr/sbin/sftpd
[root@appsrv ~]# cp /etc/sysconfig/sshd /etc/sysconfig/sftp

Edit the copied sftp files

[root@appsrv ~]# vim /etc/systemd/system/sftpd.service 
Description=sftp server daemon
EnvironmentFile=/etc/sysconfig/sftp
ExecStart=/usr/sbin/sftpd -D -f /etc/ssh/sftpd_config
Keep the -D flag from the original ExecStart line: the unit is Type=notify, so sshd must stay in the foreground.
[root@appsrv ~]# vim /etc/ssh/sftpd_config 
Port 54321

Reload systemd and restart the sftp service

[root@appsrv ~]# systemctl daemon-reload
[root@appsrv ~]# systemctl restart sftpd

Storagesrv

Edit the configuration file

[root@storagesrv ~]# vim /etc/ssh/sshd_config 
Port 2022
AllowUsers user01 user02

Add the users to sudoers for privilege escalation

[root@storagesrv ~]# useradd user01
[root@storagesrv ~]# useradd user02
[root@storagesrv ~]# passwd user01
[root@storagesrv ~]# passwd user02
[root@storagesrv ~]# visudo		# edits /etc/sudoers with a syntax check; a broken sudoers locks everyone out of sudo
root    ALL=(ALL)       ALL
user01  ALL=(ALL)       ALL
user02  ALL=(ALL)       ALL

Client test

Routersrv

Create the user

[root@routersrv ~]# useradd user01
[root@routersrv ~]# passwd user01

Edit the configuration file

[root@routersrv ~]# vim /etc/ssh/sshd_config 
Port 2021
AllowUsers user01
SyslogFacility local0
LoginGraceTime 1m
PermitRootLogin no
MaxAuthTries 3
[root@routersrv ~]# ss -ntpl|grep ssh
LISTEN     0      128          *:2021                     *:*                   users:(("sshd",pid=6145,fd=3))
LISTEN     0      128       [::]:2021                  [::]:*                   users:(("sshd",pid=6145,fd=4))

Edit the logging configuration

[root@routersrv ~]# vim /etc/rsyslog.conf 
local7.*                 /var/log/boot.log
local0.*                 /var/log/ssh.log

Timeout handling

[root@routersrv ~]# vim /root/cs.sh
#!/bin/sh
# Every 2 seconds, count "Failed password" lines per source IP in the sshd log
# and DROP any address with more than 2 failures that is not already blocked.
# Reads /var/log/ssh.log, the file the rsyslog rule above sends local0.* to
# (the original read /var/log/sshd.log, which that rule never creates).
while true
do
    SCANLIST=`grep "Failed" /var/log/ssh.log | awk '{print $(NF-3)}' | sort | uniq -c | awk '{print $1"="$2;}'`
    for i in $SCANLIST
    do
        NUMBER=`echo "$i" | awk -F= '{print $1}'`
        SCANIP=`echo "$i" | awk -F= '{print $2}'`
        echo "$NUMBER($SCANIP)"
        # -w -F: match the address literally and as a whole word (dots are not wildcards)
        if [ "$NUMBER" -gt 2 ] && [ -z "`/sbin/iptables -vnL INPUT | grep -w -F "$SCANIP"`" ]
        then
            /sbin/iptables -I INPUT -s "$SCANIP" -m state --state NEW,RELATED,ESTABLISHED -j DROP
            echo "`date` $SCANIP($NUMBER)" >> /var/log/scanip.log
        fi
    done
    sleep 2s
done
[root@routersrv ~]# vim /root/cs.sh
#!/bin/bash
# Alternative: run once a minute from cron; addresses with more than 5 failed
# logins are added to /etc/hosts.deny (sshd on CentOS 7 is built with
# tcp_wrappers support). Reads /var/log/ssh.log because "SyslogFacility local0"
# above moves sshd's messages out of /var/log/secure (the original still read secure).
awk '/Failed/{print $(NF-3)}' /var/log/ssh.log | sort | uniq -c | awk '{print $2"="$1;}' > /usr/local/bin/black.list
for i in `cat /usr/local/bin/black.list`
do
  IP=`echo "$i" | awk -F= '{print $1}'`
  NUM=`echo "$i" | awk -F= '{print $2}'`
  if [ "${NUM}" -gt 5 ]; then
    # append each address only once
    if ! grep -q -w -F "$IP" /etc/hosts.deny; then
      echo "sshd:$IP:deny" >> /etc/hosts.deny
    fi
  fi
done
[root@routersrv ~]# vim /etc/crontab 
# /etc/crontab entries need the user field after the five time fields
* * * * * root /bin/sh -x /root/cs.sh 
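Added example, not part of the original page: the counting half of cs.sh as a function that can be tested against constructed log lines without touching iptables or hosts.deny. It assumes the sshd line layout shown in the log excerpt of this section ("Failed password for ... from <ip> port <n> ssh2") and the /var/log/ssh.log file the rsyslog rule writes.

```shell
#!/bin/sh
# Added example (not from the original page): detection logic only, no blocking.
# The sample log lines below are constructed, not taken from a real host.
set -eu

# failed_login_offenders LOGFILE THRESHOLD
# Prints "count ip" for every source address with more than THRESHOLD failed
# logins, most frequent first. Both "Failed password for user" and "Failed
# password for invalid user X" keep the address at field NF-3, which is what the
# page's awk '{print $(NF-3)}' relies on; "Accepted" lines are ignored.
failed_login_offenders() {
    logfile=$1; threshold=${2:-2}
    awk -v max="$threshold" '
        /sshd\[[0-9]+\]: Failed password for/ {
            ip = $(NF-3)
            # Accept only IPv4-looking tokens so a malformed line cannot push
            # an arbitrary string into a block list later on.
            if (ip ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) n[ip]++
        }
        END { for (ip in n) if (n[ip] > max) print n[ip], ip }
    ' "$logfile" | sort -rn
}

# offender_count LOGFILE THRESHOLD: number of addresses over the threshold.
offender_count() {
    failed_login_offenders "$1" "$2" | wc -l | tr -d ' '
}

# Constructed sample in the format /var/log/ssh.log receives via local0.
make_sample_log() {
    cat > "$1" <<'EOF'
Dec  5 01:28:49 routersrv sshd[6296]: Accepted password for user01 from 192.168.0.190 port 51440 ssh2
Dec  5 01:29:01 routersrv sshd[6301]: Failed password for user01 from 192.168.0.77 port 40210 ssh2
Dec  5 01:29:03 routersrv sshd[6301]: Failed password for user01 from 192.168.0.77 port 40210 ssh2
Dec  5 01:29:05 routersrv sshd[6301]: Failed password for user01 from 192.168.0.77 port 40210 ssh2
Dec  5 01:29:40 routersrv sshd[6310]: Failed password for invalid user admin from 192.168.0.88 port 50001 ssh2
Dec  5 01:29:41 routersrv sshd[6310]: Failed password for invalid user admin from 192.168.0.88 port 50001 ssh2
Dec  5 01:30:02 routersrv sshd[6320]: Failed password for root from 192.168.0.77 port 40333 ssh2
Dec  5 01:30:10 routersrv sshd[6325]: Failed password for user01 from 10.10.100.5 port 22222 ssh2
EOF
}

if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    make_sample_log "$tmp"
    failed_login_offenders "$tmp" 2    # prints: 4 192.168.0.77
    rm -f "$tmp"
fi
```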

Restart the services

[root@routersrv ~]# systemctl restart sshd rsyslog

View the log

[root@routersrv ~]# tail -f /var/log/ssh.log 
Dec  5 01:28:49 routersrv sshd[6296]: Accepted password for user01 from 192.168.0.190 port 51440 ssh2

DHCP

Setting up the DHCP service

Install DHCP

Before installing, make sure a local yum repository is available

yum -y install dhcp        # the CentOS 7 package is named "dhcp", not "dhcpd"

Copy the configuration file

[root@appsrv ~]# cp /usr/share/doc/dhcp-4.2.5/dhcpd.conf.example /etc/dhcp/dhcpd.conf

Edit the configuration file

[root@appsrv ~]# vim /etc/dhcp/dhcpd.conf 		# add or modify
subnet 192.168.0.0 netmask 255.255.255.0 {
  range 192.168.0.110 192.168.0.190;			# DHCP address pool
  option domain-name-servers 192.168.100.100;	# this host's address
  option domain-name "chinaskills.cn";			# domain name
  option routers 192.168.0.254;					# gateway
  option broadcast-address 192.168.0.255;		# broadcast address
  default-lease-time 43200;						# default lease time
  max-lease-time 259200;						# maximum lease time
}

Reserved addresses

Continue editing the same configuration file (no quotes around the values)

host insidecli {
	hardware ethernet <MAC address>;
	fixed-address <IP address>;
}

Start

systemctl start dhcpd

DHCP relay

Configure the relay

Install the dhcp service on the host that will act as the relay, then point dhcrelay at the DHCP server

[root@localhost ~]# dhcrelay 192.168.100.100		

Separating the DHCP log

Add the following to the dhcp configuration file on the server

log-facility local1;

Then configure rsyslog to write that facility to its own file

[root@appsrv ~]# vim /etc/rsyslog.conf
local1.* /var/log/dhcpd.log

Restart the logging service

systemctl restart rsyslog

Client verification

[root@insidecli ~]# dhclient -v
Internet Systems Consortium DHCP Client 4.2.5
Copyright 2004-2013 Internet Systems Consortium.
All rights reserved.
For info, please visit https://www.isc.org/software/dhcp/

Listening on LPF/virbr0-nic/52:54:00:24:50:b4
Sending on   LPF/virbr0-nic/52:54:00:24:50:b4
Listening on LPF/virbr0/52:54:00:24:50:b4
Sending on   LPF/virbr0/52:54:00:24:50:b4
Listening on LPF/ens33/00:0c:29:01:af:58
Sending on   LPF/ens33/00:0c:29:01:af:58
Sending on   Socket/fallback
DHCPDISCOVER on virbr0-nic to 255.255.255.255 port 67 interval 7 (xid=0x34434a22)
DHCPDISCOVER on virbr0 to 255.255.255.255 port 67 interval 3 (xid=0x8af6420)
DHCPDISCOVER on ens33 to 255.255.255.255 port 67 interval 4 (xid=0x5800cac2)
DHCPREQUEST on ens33 to 255.255.255.255 port 67 (xid=0x5800cac2)
DHCPOFFER from 192.168.0.254
DHCPACK from 192.168.0.254 (xid=0x5800cac2)
bound to 192.168.0.190 -- renewal in 19641 seconds.
[root@insidecli ~]# 
[root@insideCli ~]# ip addr show | grep inet
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host 
    inet 192.168.0.190/24 brd 192.168.0.255 scope global noprefixroute dynamic ens33
    inet 192.168.0.189/24 brd 192.168.0.255 scope global secondary dynamic ens33
    inet6 fe80::efc6:d4e8:883c:ecb9/64 scope link noprefixroute 
[root@insideCli ~]# 

[root@insidecli ~]# cat /etc/resolv.conf
; generated by /usr/sbin/dhclient-script
search chinaskills.cn
nameserver 192.168.100.100

[root@insideCli ~]# ip route
default via 192.168.0.254 dev ens33 
default via 192.168.0.254 dev ens33 proto dhcp metric 100 
192.168.0.0/24 dev ens33 proto kernel scope link src 192.168.0.190 metric 100 
[root@insideCli ~]# 

DNS configuration

Install the named service

yum -y install bind

Edit the configuration

[root@appsrv ~]# vim /etc/named.conf 
 13         listen-on port 53 { any; };		# IPv4 address and port to listen on
 14         listen-on-v6 port 53 { none; };
 21			allow-query     { any; };		# hosts allowed to query
 33         recursion yes;					# recursive queries
 34         forwarders { 81.6.63.100; };	# DNS forwarding
 35         version "[unknow]";
 36         dnssec-enable no;				# disable dnssec validation
 37         dnssec-validation no;
 54 #zone "." IN {
 55 #       type hint;
 56 #       file "named.ca";
 57 #};
 58 
 59 #include "/etc/named.rfc1912.zones";

Split-horizon (internal and external) resolution

Add the following to the configuration file above:

#include "/etc/named.rfc1912.zones";
acl "lan" { 192.168.0.0/16; localhost; };
view "lan" {
    match-clients { "lan"; };
    zone "chinaskills.cn" {
        type master;
        file "chinaskills.cn.zone";
        masterfile-format text;
        allow-update { 81.6.63.254; };
    };
};
view "wan" {
    match-clients { "any"; };
    zone "chinaskills.cn" {
        type master;
        file "internet.com.zone";      # must match the file created in /var/named below (the original said internet.cn.zone, which does not exist)
        masterfile-format text;
        # without masterfile-format text, the zone file a slave receives is in raw (binary) format and looks garbled
        allow-update { 81.6.63.254; };
        # hosts allowed to submit dynamic DNS updates for this zone; set inside the zone statement of the master zone. By default updates from all hosts are refused.
    };
};

Write the zone files

[root@appsrv ~]# cd /var/named
[root@appsrv named]# cp -a named.localhost chinaskills.cn.zone
[root@appsrv named]# cp -a named.localhost internet.com.zone 
[root@appsrv named]# vim chinaskills.cn.zone    
$TTL 1D
@       IN SOA  @ chinaskills.cn. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum


@       IN      NS      www.chinaskills.cn.
@       IN      MX      10      mail
www     IN      A       192.168.100.100
download        IN      A       192.168.100.100
mail    IN      A       192.168.100.100
[root@appsrv named]# vim internet.com.zone    
$TTL 1D
@       IN SOA  @ rname.invalid. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum

@       IN      NS      www.chinaskills.cn.
@       IN      MX      10      mail.chinaskills.cn.
@       IN      A       192.168.100.100
www     A       81.6.63.254
download        A       81.6.63.254
mail    A       81.6.63.254

Change permissions and restart

[root@appsrv named]# chmod 777 chinaskills.cn.zone 
[root@appsrv named]# chmod 777 internet.com.zone 
[root@appsrv named]# systemctl restart named

Test

[root@insidecli ~]# nslookup
> www.chinaskills.cn
Server:         192.168.100.100
Address:        192.168.100.100#53

Name:   www.chinaskills.cn
Address: 192.168.100.100
> download.chinaskills.cn
Server:         192.168.100.100
Address:        192.168.100.100#53

Name:   download.chinaskills.cn
Address: 192.168.100.100
> mail.chinaskills.cn
Server:         192.168.100.100
Address:        192.168.100.100#53

Name:   mail.chinaskills.cn
Address: 192.168.100.100
[root@insidecli ~]# host -t MX chinaskills.cn 192.168.100.100
Using domain server:
Name: 192.168.100.100
Address: 192.168.100.100#53
Aliases: 

chinaskills.cn mail is handled by 10 mail.chinaskills.cn.

Version information hidden

[root@insidecli ~]# nslookup -q=txt -class=CHAOS version.bind 192.168.100.100
Server:         192.168.100.100
Address:        192.168.100.100#53

version.bind    text = "[unknow]"

[root@insidecli ~]# 

Check the configuration

named-checkconf -z /etc/named.conf        # -z also loads every zone file; $NAMEDCONF is only set inside the named init script

CA

Install OpenSSL

yum -y install openssl

Change the root certificate directory

vim /etc/pki/tls/openssl.cnf
42	dir             = /etc/pki/CA           # Where everything is kept
50	certificate     = $dir/cacert.pem       # The CA certificate
Change to:
42	dir             = /csk-rootca           # Where everything is kept
50	certificate     = $dir/csk-ca.pem       # The CA certificate

Create the root certificate directory

[root@appsrv]# mkdir /<directory name>        # placeholder; the cp below creates /csk-rootca itself
[root@appsrv]# cp -ra /etc/pki/CA /csk-rootca
[root@appsrv]# cd /csk-rootca
[root@appsrv csk-rootca]# touch {index.txt,serial}
[root@appsrv csk-rootca]# echo 01 > serial

Create the root certificate

Generate the CA private key

[root@appsrv csk-rootca]# openssl genrsa -out /csk-rootca/private/cakey.pem    # private_key in openssl.cnf defaults to $dir/private/cakey.pem, so "openssl ca" looks for it here
Generating RSA private key, 2048 bit long modulus
......+++
..........................+++
e is 65537 (0x10001)

Generate the .pem root certificate

[root@appsrv csk-rootca]# openssl req -new -x509 -days 3650 -key /csk-rootca/private/cakey.pem -out /csk-rootca/csk-ca.pem    # without -days the root would expire after 30 days, before the 365-day certificates it signs
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.

Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:China
Locality Name (eg, city) [Default City]:BeiJing
Organization Name (eg, company) [Default Company Ltd]:skills
Organizational Unit Name (eg, section) []:Operations Departments
Common Name (eg, your name or your server's hostname) []:CSK Global Root CA
Email Address []:

Test

[root@appsrv]# openssl x509 -text -in /csk-rootca/csk-ca.pem -noout | grep Subject
        Subject: C=CN, ST=China, L=BeiJing, O=skills, OU=Operations Departments, CN=CSK Global Root CA
        Subject Public Key Info:
            X509v3 Subject Key Identifier: 
[root@appsrv private]# 

SAMBA

Install the Samba service

[root@StorageSrv ~]# yum install samba samba-client smbldap-tools -y

Create the directories

[root@StorageSrv ~]# mkdir -p /data/share1
[root@StorageSrv ~]# mkdir -p /data/public
[root@storagesrv ~]# chmod -R 777 /data

Load the Samba LDAP schema

LDAP must already be set up

[root@storagesrv ~]# ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /usr/share/doc/samba-4.10.16/LDAP/samba.ldif 
adding new entry "cn=samba,cn=schema,cn=config"

[root@storagesrv ~]# 

Edit the configuration file

[root@storagesrv ~]# vim /etc/samba/smb.conf
  7         workgroup = chinaskills.cn
 10         passdb backend = ldapsam:ldap://192.168.100.200
 11         ldap suffix = "dc=chinaskills,dc=cn"
 12         ldap admin dn = "cn=Manager,dc=chinaskills,dc=cn"
 13         ldap user suffix = "ou=users,dc=chinaskills,dc=cn"
 14         ldap group suffix = "ou=group,dc=chinaskills,dc=cn"
 15         ldap delete dn = no
 16         ldap passwd sync = yes
 17         ldap ssl = no
 18         map to guest = bad user

Set up the shared directories

Add to the configuration file from the previous step
[share1]
        path = /data/share1
        write list = zsuser
[public]
        path = /data/public
        guest ok = yes 
        writeable = yes 

Add SMB users

[root@storagesrv ~]# smbpasswd -a zsuser
New SMB password:
Retype new SMB password:
Added user zsuser.
[root@storagesrv ~]# smbpasswd -a lsusr
New SMB password:
Retype new SMB password:
Added user lsusr.
[root@storagesrv ~]# smbpasswd -a wuusr
New SMB password:
Retype new SMB password:
Added user wuusr.
[root@storagesrv ~]#

Restart the service

[root@storagesrv ~]# smbpasswd -w <LDAP admin password>
Setting stored password for "cn=Manager,dc=chinaskills,dc=cn" in secrets.tdb
[root@storagesrv ~]# systemctl restart smb
[root@storagesrv ~]# 

Verify

List the smb users

[root@storagesrv ~]# pdbedit -L
zsuser:1001:zsuser
lsusr:1002:lsusr
wuusr:1003:wuusr
[root@storagesrv ~]# 

Client test

List the shares

[root@insidecli ~]# smbclient -L=192.168.100.200 -U zsuser
Enter SAMBA\zsuser's password: 

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        share1          Disk      
        public          Disk      
        IPC$            IPC       IPC Service (Samba 4.10.16)
        zsuser          Disk      Home Directories
Reconnecting with SMB1 for workgroup listing.

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
[root@insidecli ~]# 

share1 directory permissions - zsuser

[root@insidecli ~]# smbclient //192.168.100.200/share1 -U zsuser   
Enter SAMBA\zsuser's password: 
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Mon Dec  5 09:41:24 2022
  ..                                  D        0  Mon Dec  5 09:41:29 2022

                17811456 blocks of size 1024. 16027816 blocks available
smb: \> put test.txt
putting file test.txt as \test.txt (0.0 kb/s) (average 0.0 kb/s)
smb: \> ls
  .                                   D        0  Mon Dec  5 09:53:55 2022
  ..                                  D        0  Mon Dec  5 09:41:29 2022
  test.txt                            A        0  Mon Dec  5 09:53:55 2022

                17811456 blocks of size 1024. 16027816 blocks available
smb: \> 

share1 directory permissions - lsusr

[root@insidecli ~]# smbclient //192.168.100.200/share1 -U lsusr
Enter SAMBA\lsusr's password: 
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Mon Dec  5 09:53:55 2022
  ..                                  D        0  Mon Dec  5 09:41:29 2022
  test.txt                            A        0  Mon Dec  5 09:53:55 2022

                17811456 blocks of size 1024. 16027816 blocks available
smb: \> put test.txt
NT_STATUS_ACCESS_DENIED opening remote file \test.txt
smb: \> ls
  .                                   D        0  Mon Dec  5 09:53:55 2022
  ..                                  D        0  Mon Dec  5 09:41:29 2022
  test.txt                            A        0  Mon Dec  5 09:53:55 2022

                17811456 blocks of size 1024. 16027816 blocks available
smb: \> 

share1 directory permissions - wuusr

[root@insidecli ~]# smbclient //192.168.100.200/share1 -U wuusr
Enter SAMBA\wuusr's password: 
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Mon Dec  5 09:53:55 2022
  ..                                  D        0  Mon Dec  5 09:41:29 2022
  test.txt                            A        0  Mon Dec  5 09:53:55 2022

                17811456 blocks of size 1024. 16027816 blocks available
smb: \> put test.txt
NT_STATUS_ACCESS_DENIED opening remote file \test.txt
smb: \> ls
  .                                   D        0  Mon Dec  5 09:53:55 2022
  ..                                  D        0  Mon Dec  5 09:41:29 2022
  test.txt                            A        0  Mon Dec  5 09:53:55 2022

                17811456 blocks of size 1024. 16027816 blocks available
smb: \> 

public directory permissions

[root@insidecli ~]# smbclient //192.168.100.200/public -U anonymous
Enter SAMBA\anonymous's password: 	# anonymous has an empty password, just press Enter
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Mon Dec  5 09:41:29 2022
  ..                                  D        0  Mon Dec  5 09:41:29 2022

                17811456 blocks of size 1024. 16027816 blocks available
smb: \> put test.txt
putting file test.txt as \test.txt (0.0 kb/s) (average 0.0 kb/s)
smb: \> ls
  .                                   D        0  Mon Dec  5 09:57:22 2022
  ..                                  D        0  Mon Dec  5 09:41:29 2022
  test.txt                            A        0  Mon Dec  5 09:57:22 2022

                17811456 blocks of size 1024. 16027816 blocks available
smb: \> 

FTP

Install FTP

yum -y install vsftpd

Start: systemctl start vsftpd

Create the virtual user and the directory

[root@storagesrv ~]# mkdir /webdata
[root@storagesrv ~]# chmod 777 /webdata/
[root@storagesrv ~]# useradd webadmin
[root@storagesrv ~]# chown -R webadmin /webdata
[root@storagesrv ~]# vim user
webuser
1234
[root@storagesrv ~]# db_load -T -t hash -f user user.db

Request a certificate

Generate the server private key

[root@storagesrv ~]# pwd
/root
[root@storagesrv ~]# openssl genrsa -out ftp.key
Generating RSA private key, 2048 bit long modulus
............+++
.....+++
e is 65537 (0x10001)

Create the certificate request

[root@storagesrv ~]# openssl req -new -key ftp.key -out ftp.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:China
Locality Name (eg, city) [Default City]:BeiJing
Organization Name (eg, company) [Default Company Ltd]:skills
Organizational Unit Name (eg, section) []:Operations Departments
Common Name (eg, your name or your server's hostname) []:ftp.chinaskills.cn
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@storagesrv ~]# 

Issue the certificate

[root@appsrv ~]# cd /csk-rootca/
[root@appsrv csk-rootca]# scp root@192.168.100.200:/root/ftp.csr ftp.csr
The authenticity of host '192.168.100.200 (192.168.100.200)' can't be established.
ECDSA key fingerprint is SHA256:KelE7MchQcq/AsJHmmcL6ULj8nltPHh46CM3TBrDLHc.
ECDSA key fingerprint is MD5:90:bd:a6:ac:43:7b:1a:0e:a7:96:ee:f8:90:7e:2e:3f.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.100.200' (ECDSA) to the list of known hosts.
root@192.168.100.200's password: 
ftp.csr                                                               100% 1033     1.0MB/s   00:00    
[root@appsrv csk-rootca]# ls
certs  crl  csk-ca.pem  ftp.csr  index.txt  newcerts  private  serial
[root@appsrv csk-rootca]# openssl ca -in ftp.csr -out ftp.crt
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Dec  3 14:21:00 2022 GMT
            Not After : Dec  3 14:21:00 2023 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = China
            organizationName          = skills
            organizationalUnitName    = Operations Departments
            commonName                = ftp.chinaskills.cn
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                A2:45:1C:C5:98:43:6F:62:2E:F8:70:84:2F:D3:12:B3:E0:99:FA:D2
            X509v3 Authority Key Identifier: 
                keyid:94:52:4D:A3:EE:10:B8:CA:23:3A:5F:56:7F:D7:5B:B0:AC:97:F9:6D

Certificate is to be certified until Dec  3 14:21:00 2023 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@appsrv csk-rootca]# scp ftp.crt root@192.168.100.200:/root/ftp.crt 
root@192.168.100.200's password: 
ftp.crt                                                               100% 4558     3.5MB/s   00:00    
[root@appsrv csk-rootca]# 

Edit the FTP configuration and authentication files

[root@storagesrv ~]# vim /etc/vsftpd/vsftpd.conf 
guest_enable=YES
guest_username=webadmin
user_config_dir=/etc/vsftpd
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_enable=YES
rsa_cert_file=/root/ftp.crt
rsa_private_key_file=/root/ftp.key
local_root=/webdata
allow_writeable_chroot=YES
deny_file={*.doc,*.docx,*.xlsx}
local_max_rate=100000
max_per_ip=2
pasv_min_port=40000
pasv_max_port=41000

Edit the PAM file; comment out everything except the following two lines

[root@storagesrv /]# vim /etc/pam.d/vsftpd
auth required pam_userdb.so db=/root/user
account required pam_userdb.so db=/root/user

Edit the per-user configuration file

[root@storagesrv /]# vim /etc/vsftpd/webuser
local_root=/webdata
download_enable=YES
write_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES

Restart FTP

[root@storagesrv ~]# systemctl restart vsftpd

If an ssl error occurs, check selinux

Verify

Install lftp on the client (testing locally on storagesrv also works)

[root@insidecli ~]# yum install -y lftp

Add one line to the lftp configuration file

[root@insidecli ~]# vim /etc/lftp.conf 
set ssl:verify-certificate no

Create a few files with touch for testing

[root@insidecli ~]# touch test.doc
[root@insidecli ~]# touch test.docx
[root@insidecli ~]# touch test.xlsx
[root@insidecli ~]# touch test.txt

Test

[root@insidecli ~]# lftp -u webuser,1234 ftp.chinaskills.cn
lftp webuser@ftp.chinaskills.cn:~> ls
-rwxrwxrwx    1 1000     0               0 Dec 03 14:47 test
lftp webuser@ftp.chinaskills.cn:/> quote pwd
257 "/"
lftp webuser@ftp.chinaskills.cn:/> put test.doc
put: Access failed: 550 Permission denied. (test.doc)
lftp webuser@ftp.chinaskills.cn:/> put test.docx
put: Access failed: 550 Permission denied. (test.docx)
lftp webuser@ftp.chinaskills.cn:/> put test.xlsx
put: Access failed: 550 Permission denied. (test.xlsx)
lftp webuser@ftp.chinaskills.cn:/> put test.txt
lftp webuser@ftp.chinaskills.cn:/> ls
-rwxrwxrwx    1 1000     0               0 Dec 03 14:47 test
-rw-------    1 1000     50              0 Dec 03 15:10 test.txt
lftp webuser@ftp.chinaskills.cn:/> 

NFS

Install NFS

yum -y install nfs-utils

The export parameters are as follows:

NFS parameter reference

Configure the shared directory

[root@storagesrv ~]# mkdir /webdata
[root@storagesrv ~]# chmod 755 /webdata -R
[root@storagesrv ~]# vim /etc/exports
/webdata 192.168.100.100(rw,all_squash)

Start

[root@storagesrv ~]# systemctl start rpcbind 	# must be started in this order
[root@storagesrv ~]# systemctl start nfs

Verify

[root@storagesrv ~]# showmount -e
Export list for storagesrv.chinaskills.cn:
/webdata 192.168.100.100
[root@appsrv ~]# mount -t nfs 192.168.100.200:/webdata /webdata
mount: wrong fs type, bad option, bad superblock on 192.168.100.200:/webdata,
       missing codepage or helper program, or other error
       (for several filesystems (e.g. nfs, cifs) you might
       need a /sbin/mount.<type> helper program)

       In some cases useful info is found in syslog - try
       dmesg | tail or so.
The error above means nfs-utils is not installed on the client
[root@appsrv ~]# yum install -y nfs-utils
[root@appsrv ~]# mount -t nfs 192.168.100.200:/webdata /webdata # the mount point must exist on this host first
[root@appsrv ~]# df -Th
Filesystem               Type      Size  Used Avail Use% Mounted on
devtmpfs                 devtmpfs  475M     0  475M   0% /dev
tmpfs                    tmpfs     487M     0  487M   0% /dev/shm
tmpfs                    tmpfs     487M  7.7M  479M   2% /run
tmpfs                    tmpfs     487M     0  487M   0% /sys/fs/cgroup
/dev/mapper/centos-root  xfs        17G  1.6G   16G  10% /
/dev/sda1                xfs      1014M  138M  877M  14% /boot
tmpfs                    tmpfs      98M     0   98M   0% /run/user/0
/dev/sr0                 iso9660   4.4G  4.4G     0 100% /mnt
192.168.100.200:/webdata nfs4       17G  1.4G   16G   8% /webdata
[root@appsrv ~]# vim /etc/fstab 
[root@appsrv ~]# cat /etc/fstab | grep webdata
192.168.100.200:/webdata        /webdata        nfs     defaults        0 0

Web

Competition task

4. Web service
Install the WEB service;
The service runs as the system user webuser;
Limit the web service to 500M of physical memory;
Enable TLS for the whole site, with the certificate issued by the local "CSK Global Root CA"; the site certificate details are:
C = CN
ST = China
L = BeiJing
O = skills
OU = Operations Departments
CN = *.chinaskills.cn

Clients accessing over https must see no browser (or terminal) security warning;

When a user accesses over http, redirect automatically to the https secure connection;

Set up the www.chinaskills.cn site;

The web files are stored on the StorageSrv server;

Install MariaDB on StorageSrv and PHP on this host, and publish a WordPress site;

MariaDB administrator credentials: User: root / Password: Chinaskill21!

Create the download.chinaskills.cn site;

Only the ldsgp user group may access it;

The web files are stored on the StorageSrv server;

Create the files "test.mp3, test.mp4, test.pdf" in the site's root directory, where test.mp4 is 100M in size; after a successful page access, all files in the directory are listed;

Hardening: no page may reveal the system or WEB server version.

Install the related services

Install httpd and the ssl module on Appsrv

[root@appsrv ~]# yum install -y httpd mod_ssl

Install the services WordPress needs on Appsrv

[root@appsrv ~]# yum install -y php php-mbstring php-mysql

Install mariadb on Storagesrv

[root@storagesrv ~]# yum install -y mariadb-server

Run the service as the webuser user

Add the system user webuser

[root@appsrv ~]# useradd -r webuser
  -r, --system                  create a system account
  (-r creates a system account, i.e. a UID below 1000)

Change the user the httpd service runs as

[root@appsrv ~]# vim /etc/httpd/conf/httpd.conf 
 67 User webuser
 68 Group webuser

Limit the physical memory of the web service

[root@appsrv ~]# systemctl enable httpd
Created symlink from /etc/systemd/system/multi-user.target.wants/httpd.service to /usr/lib/systemd/system/httpd.service.
[root@appsrv ~]# vim /etc/systemd/system/multi-user.target.wants/httpd.service
[Service]
# MemoryLimit= is the systemd directive for the cgroup memory cap. The raw cgroup
# file name "memory_limit_in_bytes" is not a unit option; systemd logs it as an
# unknown lvalue and ignores it, leaving the service unlimited.
MemoryLimit=500M
[root@appsrv ~]# systemctl daemon-reload 
[root@appsrv ~]# systemctl restart httpd  

Verify

[root@appsrv wordpress]# id webuser && ps aux | grep webuser
uid=997(webuser) gid=995(webuser) groups=995(webuser)
webuser    3696  0.0  0.7 353180  6972 ?        S    18:44   0:00 /usr/sbin/httpd -DFOREGROUND
webuser    3697  0.0  0.7 353180  6972 ?        S    18:44   0:00 /usr/sbin/httpd -DFOREGROUND
webuser    3698  0.0  0.7 353180  6972 ?        S    18:44   0:00 /usr/sbin/httpd -DFOREGROUND
webuser    3699  0.0  0.7 353180  6972 ?        S    18:44   0:00 /usr/sbin/httpd -DFOREGROUND
webuser    3700  0.0  0.7 353180  6972 ?        S    18:44   0:00 /usr/sbin/httpd -DFOREGROUND
root       4047  0.0  0.0 112808   964 pts/3    R+   19:15   0:00 grep --color=auto webuser

Request and issue the certificate

Create the key

[root@appsrv ~]# cd /csk-rootca/
[root@appsrv csk-rootca]# openssl genrsa -out httpd.key
Generating RSA private key, 2048 bit long modulus
.....+++
................................................................+++
e is 65537 (0x10001)

Create the certificate request

[root@appsrv csk-rootca]# openssl req -new -key httpd.key -out httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:China
Locality Name (eg, city) [Default City]:BeiJing
Organization Name (eg, company) [Default Company Ltd]:skills
Organizational Unit Name (eg, section) []:Operations Departments
Common Name (eg, your name or your server's hostname) []:*.chinaskills.cn
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Issue the certificate locally

[root@appsrv csk-rootca]# openssl ca -in httpd.csr -out httpd.crt
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 2 (0x2)
        Validity
            Not Before: Dec  4 10:28:33 2022 GMT
            Not After : Dec  4 10:28:33 2023 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = China
            organizationName          = skills
            organizationalUnitName    = Operations Departments
            commonName                = *.chinaskills.cn
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                C0:DD:B4:FF:10:60:EC:B5:35:87:17:85:7E:42:F6:2E:8B:9E:5D:79
            X509v3 Authority Key Identifier: 
                keyid:94:52:4D:A3:EE:10:B8:CA:23:3A:5F:56:7F:D7:5B:B0:AC:97:F9:6D

Certificate is to be certified until Dec  4 10:28:33 2023 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@appsrv csk-rootca]# 
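Added example that is not part of the original page: the CA setup from the CA section and the two signing steps above (ftp.crt and httpd.crt) as one non-interactive script in a scratch directory, followed by the chain and hostname verification a client performs. It goes beyond the page by adding a subjectAltName (modern browsers ignore the CN) and by using its own minimal openssl.cnf instead of /etc/pki/tls/openssl.cnf; the DN values, file names and directory layout follow the page.

```shell
#!/bin/sh
# Added example (not from the original page). Assumes only the openssl CLI.
set -eu

CA_SUBJ="/C=CN/ST=China/L=BeiJing/O=skills/OU=Operations Departments/CN=CSK Global Root CA"
LEAF_SUBJ="/C=CN/ST=China/L=BeiJing/O=skills/OU=Operations Departments/CN=*.chinaskills.cn"

# Minimal openssl.cnf for "openssl ca", mirroring the page's edited settings
# (dir, csk-ca.pem, index.txt, serial, newcerts, private/cakey.pem).
write_ca_config() {
    dir=$1
    cat > "$dir/ca.cnf" <<EOF
[ ca ]
default_ca = csk_ca

[ csk_ca ]
dir             = $dir
database        = \$dir/index.txt
new_certs_dir   = \$dir/newcerts
serial          = \$dir/serial
certificate     = \$dir/csk-ca.pem
private_key     = \$dir/private/cakey.pem
default_md      = sha256
default_days    = 365
policy          = policy_match
x509_extensions = leaf_ext

# C, ST and O in the CSR must equal the CA's, so a CSR from another organisation
# is refused. DN fields absent from this section are silently dropped from the
# issued subject; the stock policy_match has no localityName, which is why
# L=BeiJing is missing from the signed certificates shown on this page.
[ policy_match ]
countryName            = match
stateOrProvinceName    = match
organizationName       = match
localityName           = optional
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional

[ leaf_ext ]
basicConstraints       = CA:FALSE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
# browsers and curl match the hostname against SAN, not CN
subjectAltName         = DNS:chinaskills.cn,DNS:*.chinaskills.cn

[ ca_ext ]
basicConstraints       = critical,CA:TRUE
keyUsage               = critical,keyCertSign,cRLSign
subjectKeyIdentifier   = hash

[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
}

# CA directory layout the page builds by hand, plus the self-signed root.
build_ca() {
    dir=$1
    mkdir -p "$dir/newcerts" "$dir/private"
    : > "$dir/index.txt"
    echo 01 > "$dir/serial"
    write_ca_config "$dir"
    openssl genrsa -out "$dir/private/cakey.pem" 2048 2>/dev/null
    # -days 3650: the root must outlive the 365-day leaf certificates it signs
    openssl req -new -x509 -sha256 -days 3650 -config "$dir/ca.cnf" \
        -extensions ca_ext -key "$dir/private/cakey.pem" \
        -subj "$CA_SUBJ" -out "$dir/csk-ca.pem"
}

# Web server key and CSR, signed with "openssl ca" as on the page but with
# -batch instead of answering y/y interactively.
issue_web_cert() {
    dir=$1
    openssl genrsa -out "$dir/httpd.key" 2048 2>/dev/null
    openssl req -new -config "$dir/ca.cnf" -key "$dir/httpd.key" \
        -subj "$LEAF_SUBJ" -out "$dir/httpd.csr"
    openssl ca -batch -config "$dir/ca.cnf" -notext \
        -in "$dir/httpd.csr" -out "$dir/httpd.crt" 2>/dev/null
}

# Client-side check: chain validates against the root AND the certificate
# covers the hostname typed in the browser. Exit status 0 means OK.
verify_cert() {
    dir=$1; host=$2
    openssl verify -CAfile "$dir/csk-ca.pem" -verify_hostname "$host" \
        "$dir/httpd.crt" >/dev/null 2>&1
}

build_ca_and_sign() {
    build_ca "$1"
    issue_web_cert "$1"
}

if [ "${1:-}" = "--demo" ]; then
    work=$(mktemp -d)
    build_ca_and_sign "$work"
    for h in www.chinaskills.cn download.chinaskills.cn www.example.com; do
        if verify_cert "$work" "$h"; then echo "$h: OK"; else echo "$h: FAIL"; fi
    done
fi
```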

Mount the nfs directory and upload the files

Configure NFS

[root@appsrv csk-rootca]# mkdir /webdata
[root@appsrv csk-rootca]# mount -t nfs 192.168.100.200:/webdata/ /webdata 
[root@appsrv ~]# cd /webdata/
[root@appsrv webdata]# ll
-rw-r--r--. 1 nfsnobody nfsnobody  11253497 Dec  4 20:56 wordpress-5.1.15-zh_CN.tar.gz
[root@appsrv webdata]# tar -zxvf wordpress-5.1.15-zh_CN.tar.gz
[root@appsrv webdata]# touch test.mp3
[root@appsrv webdata]# touch test.pdf
[root@appsrv webdata]# dd if=/dev/zero of=test.mp4 bs=100M count=1
1+0 records in
1+0 records out
104857600 bytes (105 MB) copied, 0.784643 s, 134 MB/s
[root@appsrv webdata]# chmod 777 wordpress

Configure mariadb on Storagesrv

Storagesrv: configure the mariadb service

Initialise mariadb

[root@storagesrv]# systemctl start mariadb
[root@storagesrv]# mysql -u root -p
Enter password: 
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 6
Server version: 5.5.60-MariaDB MariaDB Server

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> create database wordpress;
MariaDB [(none)]> use mysql;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MariaDB [(none)]> GRANT ALL PRIVILEGES ON *.* TO 'root'@'192.168.100.%' IDENTIFIED BY 'Chinaskill21!' WITH GRANT OPTION;
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> flush privileges;
Query OK, 0 rows affected (0.00 sec)

MariaDB [mysql]> Ctrl-C -- exit!
Aborted

Test connectivity from Appsrv

[root@appsrv wordpress]# mysql -u root -pChinaskill21! -h 192.168.100.200         
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 13
Server version: 5.5.68-MariaDB MariaDB Server

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
| wordpress          |
+--------------------+
4 rows in set (0.00 sec)

MariaDB [(none)]> Ctrl-C -- exit!
Aborted
[root@appsrv wordpress]# 

Configure WordPress on AppSrv

[root@appsrv wordpress]# cp -a wp-config-sample.php wp-config.php
[root@appsrv wordpress]# vim wp-config.php 
 23 define( 'DB_NAME', 'wordpress' );
 26 define( 'DB_USER', 'root' );
 29 define( 'DB_PASSWORD', 'Chinaskill21!' );
 32 define( 'DB_HOST', '192.168.100.200' );

Create the http site and the redirect to the https secure connection

[root@appsrv wordpress]# vim /etc/httpd/conf/httpd.conf 
# append at the end of the file
# hide the system and web server version information: ServerSignature controls
# the footer of server-generated pages, ServerTokens the Server response header
ServerSignature Off
ServerTokens Prod
<VirtualHost *:80>
    Redirect permanent / https://www.chinaskills.cn/
</VirtualHost>
<VirtualHost www.chinaskills.cn:443>
    DocumentRoot "/webdata/wordpress"
    ServerName www.chinaskills.cn
    SSLEngine on
    SSLCertificateFile /csk-rootca/httpd.crt
    SSLCertificateKeyFile /csk-rootca/httpd.key
    <Directory /webdata>
        Require all granted
    </Directory>
</VirtualHost>
<VirtualHost download.chinaskills.cn:443>
    DocumentRoot "/webdata"
    ServerName download.chinaskills.cn
    SSLEngine on
    SSLCertificateFile /csk-rootca/httpd.crt
    SSLCertificateKeyFile /csk-rootca/httpd.key
    <Directory /webdata>
        # directory listing
        Options Indexes
        AuthName "download"
        AuthType Basic
        AuthUserFile "/var/passwd"
        Require valid-user
    </Directory>
</VirtualHost>

Remove the default welcome page

[root@appsrv webdata]# rm -f /etc/httpd/conf.d/welcome.conf 

Create the local authentication users

[root@appsrv webdata]# htpasswd -c /var/passwd zsuser
New password: 
Re-type new password: 
Adding password for user zsuser
[root@appsrv webdata]# htpasswd  /var/passwd lsusr
New password: 
Re-type new password: 
Adding password for user lsusr

Restart the httpd service

[root@appsrv webdata]# systemctl restart httpd  

Client test

Important

All operations below require the client to be able to ping the domain name first; if there is no DNS, set one up

Setting up DNS on CentOS

Copy the CA certificate to the client

[root@appsrv ~]# scp /csk-rootca/csk-ca.pem root@192.168.0.190:/root
The authenticity of host '192.168.0.190 (192.168.0.190)' can't be established.
ECDSA key fingerprint is SHA256:WlC1Achy51tFGtkiUJ46Ra+oYecitUvRbjDSBEco3VE.
ECDSA key fingerprint is MD5:28:e1:79:fe:31:91:0f:9f:82:14:07:20:fd:42:3e:fc.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.0.190' (ECDSA) to the list of known hosts.
root@192.168.0.190's password: 
csk-ca.pem                                                         100% 1383   693.4KB/s   00:00    
[root@appsrv ~]# 

Secure access from Firefox

Import the root certificate into Firefox

(screenshots of the Firefox certificate import steps, huohu-1.png to huohu-6.png)

Restart the browser after the import

Secure access with curl

[root@insidecli ~]# cp -a csk-ca.pem /etc/pki/ca-trust/source/anchors/
[root@insidecli ~]# ln -s /etc/pki/ca-trust/source/anchors/csk-ca.pem /etc/ssl/certs/
[root@insidecli ~]# update-ca-trust 

Web access results

Firefox test

www site access

(screenshot: www.png)

download site access

(screenshot: download.png)

curl test

[root@insidecli ~]# curl -I https://www.chinaskills.cn
HTTP/1.1 200 OK
Date: Sun, 04 Dec 2022 13:20:15 GMT
Server: Apache
X-Powered-By: PHP/5.4.16
Link: <https://www.chinaskills.cn/index.php?rest_route=/>; rel="https://api.w.org/"
Content-Type: text/html; charset=UTF-8

[root@insidecli ~]# curl -I http://www.chinaskills.cn 
HTTP/1.1 301 Moved Permanently
Date: Sun, 04 Dec 2022 13:20:38 GMT
Server: Apache
Location: https://www.chinaskills.cn
Content-Type: text/html; charset=iso-8859-1

[root@insidecli ~]# 

Hide version information

The Server: Apache header in the curl output above shows that ServerTokens Prod is in effect (httpd no longer reports its version), but X-Powered-By: PHP/5.4.16 still discloses the PHP version; set expose_php = Off in /etc/php.ini and restart httpd to drop that header as well.

banben.png

Install the MariaDB database

[root@appsrv ~]# yum -y install mariadb-server

Start and initialize the database

[root@Server01 ~]# systemctl start mariadb.service 

[root@Server01 ~]# mysql_secure_installation 

NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
      SERVERS IN PRODUCTION USE!  PLEASE READ EACH STEP CAREFULLY!

In order to log into MariaDB to secure it, we'll need the current
password for the root user.  If you've just installed MariaDB, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.

Enter current password for root (enter for none): 
OK, successfully used password, moving on...

Setting the root password ensures that nobody can log into the MariaDB
root user without the proper authorisation.

Set root password? [Y/n] y
New password: # enter the password the task requires; same below
Re-enter new password: 
Password updated successfully!
Reloading privilege tables..
 ... Success!


By default, a MariaDB installation has an anonymous user, allowing anyone
to log into MariaDB without having to have a user account created for
them.  This is intended only for testing, and to make the installation
go a bit smoother.  You should remove them before moving into a
production environment.

Remove anonymous users? [Y/n] 
 ... Success!

Normally, root should only be allowed to connect from 'localhost'.  This
ensures that someone cannot guess at the root password from the network.

Disallow root login remotely? [Y/n] 
 ... Success!

By default, MariaDB comes with a database named 'test' that anyone can
access.  This is also intended only for testing, and should be removed
before moving into a production environment.

Remove test database and access to it? [Y/n] 
 - Dropping test database...
 ... Success!
 - Removing privileges on test database...
 ... Success!

Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.

Reload privilege tables now? [Y/n] 
 ... Success!

Cleaning up...

All done!  If you've completed all of the above steps, your MariaDB
installation should now be secure.

Thanks for using MariaDB!
[root@localhost ~]#
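mysql_secure_installation removes four insecure defaults: a blank root password, the anonymous accounts, root logins from any host other than localhost, and the test database. Whether it actually took effect is worth verifying afterwards. The script below is an added example, not part of this page or of MariaDB: it audits the tab-separated output of SELECT User, Host, plugin, authentication_string FROM mysql.user and of SHOW DATABASES (run with mysql -N -B -e) for those defaults and prints the same SQL statements the wizard issues. The sample rows are constructed, the column order is an assumption, and on the MariaDB 5.5 that CentOS 7 ships the password column is named Password rather than authentication_string, so adjust the query there.

```python
"""Audit a MariaDB user/database listing for what mysql_secure_installation removes.

Added example, not part of the original page or of MariaDB. Input is the output of
  mysql -N -B -e "SELECT User, Host, plugin, authentication_string FROM mysql.user"
  mysql -N -B -e "SHOW DATABASES"
(column order assumed; MariaDB 5.5 on CentOS 7 names the last column Password).
The sample rows below are constructed: a fresh install on a host named appsrv,
then the same server after hardening. The hash is a placeholder, not a credential.
"""

LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}
# Plugins for which an empty authentication_string means "no password at all".
# unix_socket / auth_socket accounts authenticate by OS uid and are empty by design.
PASSWORD_PLUGINS = {"", "mysql_native_password", "mysql_old_password"}

FRESH_USERS = (
    "root\tlocalhost\t\t\n"
    "root\tappsrv\t\t\n"
    "root\t127.0.0.1\t\t\n"
    "root\t::1\t\t\n"
    "\tlocalhost\t\t\n"
    "\tappsrv\t\t\n"
)
FRESH_DATABASES = "information_schema\nmysql\nperformance_schema\ntest\n"
HARDENED_USERS = "root\tlocalhost\tmysql_native_password\t*0123456789ABCDEF0123456789ABCDEF01234567\n"
HARDENED_DATABASES = "information_schema\nmysql\nperformance_schema\n"

def parse_rows(text, width):
    """Split `mysql -N -B` output into `width`-tuples, keeping empty trailing fields."""
    rows = []
    for line in text.splitlines():
        if line == "":
            continue
        fields = line.split("\t")
        fields += [""] * (width - len(fields))
        rows.append(tuple(fields[:width]))
    return rows

def audit_users(rows):
    """(kind, account) findings for anonymous, remote-root and passwordless accounts."""
    findings = []
    for user, host, plugin, secret in rows:
        if user == "":
            findings.append(("anonymous", f"''@'{host}'"))
        elif user == "root" and host not in LOCAL_HOSTS:
            findings.append(("remote-root", f"'root'@'{host}'"))  # dropped outright below
        elif secret == "" and plugin in PASSWORD_PLUGINS:
            findings.append(("no-password", f"'{user}'@'{host}'"))
    return findings

def audit_databases(rows):
    return [("test-db", name) for (name,) in rows if name == "test" or name.startswith("test_")]

def remediation_sql(findings):
    """The statements mysql_secure_installation itself issues for these problems, deduplicated."""
    stmts = []
    def add(s):
        if s not in stmts:
            stmts.append(s)
    for kind, detail in findings:
        if kind == "anonymous":
            add("DELETE FROM mysql.user WHERE User='';")
        elif kind == "remote-root":
            add("DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1');")
        elif kind == "no-password":
            add(f"SET PASSWORD FOR {detail} = PASSWORD('<choose a strong password>');")
        elif kind == "test-db":
            add("DROP DATABASE IF EXISTS test;")
            add("DELETE FROM mysql.db WHERE Db='test' OR Db='test\\_%';")
    if stmts:
        add("FLUSH PRIVILEGES;")
    return stmts

def audit(users_text, databases_text):
    """Return (findings, sql) for one server snapshot."""
    findings = audit_users(parse_rows(users_text, 4)) + audit_databases(parse_rows(databases_text, 1))
    return findings, remediation_sql(findings)

if __name__ == "__main__":
    for label, users, dbs in (("fresh", FRESH_USERS, FRESH_DATABASES),
                              ("hardened", HARDENED_USERS, HARDENED_DATABASES)):
        findings, sql = audit(users, dbs)
        print(f"{label}: {len(findings)} finding(s)")
        for kind, detail in findings:
            print(f"  {kind:12} {detail}")
        for statement in sql:
            print(f"  {statement}")
```

The fresh snapshot yields seven findings and eight statements ending in FLUSH PRIVILEGES; the hardened snapshot yields none, which is the state to expect on appsrv after the wizard run shown above. Accounts using unix_socket authentication are deliberately not flagged for an empty authentication_string, since that is how newer MariaDB releases authenticate root over the local socket.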