BlueXIII's Blog

Passionate about technology, always learning

R1D secondary router rule configuration

Reference: https://www.right.com.cn/forum/thread-4040453-1-1.html

vi /etc/config/firewall
config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config forwarding
	option src 'wan'
	option dest 'lan'

Enabling SSH on the R1D

Replacing the R1D's hard disk

  1. Partition the disk with DiskGenius using a GPT partition table; the four partitions are sized 156M, 156M, 312M, and one partition for the remaining space
  2. Take the bin file whose firmware package name contains "hdk", rename it to miwifi.bin and place it in the root directory of the USB drive

AC2100 flashing tutorial

References

Tutorial

LEDE source code

openwrt.cc project

Procedure

## Install dependencies
sudo apt update -y
sudo apt full-upgrade -y
sudo apt install -y ack antlr3 aria2 asciidoc autoconf automake autopoint binutils bison build-essential \
bzip2 ccache cmake cpio curl device-tree-compiler fastjar flex gawk gettext gcc-multilib g++-multilib \
git gperf haveged help2man intltool libc6-dev-i386 libelf-dev libglib2.0-dev libgmp3-dev libltdl-dev \
libmpc-dev libmpfr-dev libncurses5-dev libncursesw5-dev libreadline-dev libssl-dev libtool lrzsz \
mkisofs msmtp nano ninja-build p7zip p7zip-full patch pkgconf python2.7 python3 python3-pip libpython3-dev qemu-utils \
rsync scons squashfs-tools subversion swig texinfo uglifyjs upx-ucl unzip vim wget xmlto xxd zlib1g-dev

# Download the source code
git clone https://github.com/coolsnowwolf/lede
cd lede

# Stitch in additional plugin feeds
vi feeds.conf.default
src-git kenzo https://github.com/kenzok8/openwrt-packages
src-git small https://github.com/kenzok8/small

# Configure
./scripts/feeds update -a
./scripts/feeds install -a
make menuconfig

# Download and build
make download -j8 && make V=s -j1

# Rebuild
cd lede
git pull
./scripts/feeds update -a
./scripts/feeds install -a
make defconfig
make download -j8
make V=s -j$(nproc)

# Reconfigure
rm -rf ./tmp && rm -rf .config
make menuconfig
make V=s -j$(nproc)

Common packages

passwall **
Universal push (全能推送)
OpenClash
Dynamic DNS luci-app-ddns
Xunlei Kuainiao (迅雷快鸟) luci-app-xlnetacc
Frpc luci-app-frpc
Frps luci-app-frps
Docker luci-app-dockerman
OpenVPN server luci-app-openvpn-server
Static routes
IP/MAC binding
Turbo ACC network acceleration luci-app-turboacc
Bandwidth monitoring
UPnP
IP rate limiting luci-app-eqos
QoS traffic control luci-app-sqm
Disk management luci-app-diskman
USB printer luci-app-usb-printer
Web terminal luci-app-ttyd
KMS server luci-app-vlmcsd
Traffic monitoring luci-app-wrtbwmon
Free memory luci-app-ramfree
Load balancing luci-app-mwan3
Multicast luci-app-syncdial
WireGuard luci-app-wireguard
Wake-on-LAN luci-app-wolplus

## Virtual machines
qemu-ga
open-vm-tools

# Others
luci-app-ddns
luci-app-xlnetacc
luci-app-frpc
luci-app-frps
luci-app-dockerman **
luci-app-openvpn-server
luci-app-turboacc
luci-app-eqos
luci-app-sqm
luci-app-diskman
luci-app-usb-printer
luci-app-ttyd
luci-app-vlmcsd
luci-app-wrtbwmon
luci-app-ramfree
luci-app-mwan3
luci-app-syncdial
luci-app-wireguard
luci-app-wolplus
qemu-ga
open-vm-tools

References

Routine operations

# Configuration file
vi /etc/chrony.conf

# Check synchronisation status
timedatectl

# Start on boot
systemctl status chronyd
systemctl start chronyd
systemctl enable chronyd

Server configuration

driftfile /var/lib/chrony/drift
local stratum 8
manual
allow 0.0.0.0/0

Client configuration

server master iburst
driftfile /var/lib/chrony/drift
logdir /var/log/chrony
log measurements statistics tracking

References

tun/tap

# Create a tap device
ip tuntap add dev tap0 mode tap
# Create a tun device
ip tuntap add dev tun0 mode tun

# Delete the tap device
ip tuntap del dev tap0 mode tap
# Delete the tun device
ip tuntap del dev tun0 mode tun

# tun/tap devices can also be deleted with ip link
ip link del tap0
ip link del tun0

netns

ip netns list

# Add and bring up virtual tap devices
ip tuntap add dev tap0 mode tap
ip tuntap add dev tap1 mode tap
ip link set tap0 up
ip link set tap1 up

# Configure IP addresses
ip addr add 10.0.0.1/24 dev tap0
ip addr add 10.0.0.2/24 dev tap1

# Add network namespaces
ip netns add ns0
ip netns add ns1

# Move tap0 and tap1 into ns0 and ns1 respectively
ip link set tap0 netns ns0
ip link set tap1 netns ns1

# List the interfaces inside each netns
ip netns exec ns0 ip a
ip netns exec ns1 ip a

# Bring the interfaces back up and reassign the IPs (addresses are dropped
# when an interface is moved to another netns)
ip netns exec ns0 ip link set lo up
ip netns exec ns0 ip link set tap0 up
ip netns exec ns0 ip addr add 10.0.0.1/24 dev tap0

ip netns exec ns1 ip link set lo up
ip netns exec ns1 ip link set tap1 up
ip netns exec ns1 ip addr add 10.0.0.2/24 dev tap1

# Ping from inside each netns
ip netns exec ns0 ping 10.0.0.1
ip netns exec ns1 ping 10.0.0.2

# Clean up
ip netns delete ns0
ip netns delete ns1

vethpair

# Add network namespaces
ip netns add ns0
ip netns add ns1

# Create a veth pair
ip link add veth0 type veth peer name veth1

# Move each end into a netns
ip link set veth0 netns ns0
ip link set veth1 netns ns1

# List the interfaces inside each netns
ip netns exec ns0 ip a
ip netns exec ns1 ip a

# Bring up the veth ends and assign addresses (the route and ping steps
# below need them)
ip netns exec ns0 ip link set veth0 up
ip netns exec ns0 ip addr add 10.0.0.1/24 dev veth0
ip netns exec ns1 ip link set veth1 up
ip netns exec ns1 ip addr add 10.0.0.2/24 dev veth1

# Show the routing tables
ip netns exec ns0 route -n
ip netns exec ns1 route -n

# Make the veth the outgoing interface for the subnet
ip netns exec ns0 ip route change 10.0.0.0/24 via 0.0.0.0 dev veth0
ip netns exec ns1 ip route change 10.0.0.0/24 via 0.0.0.0 dev veth1

# Ping across namespaces
ip netns exec ns0 ping 10.0.0.2
ip netns exec ns1 ping 10.0.0.1

# Clean up
ip netns delete ns0
ip netns delete ns1

bridge

# Install bridge-utils
yum install -y bridge-utils

# Add a bridge
brctl addbr br0

# Bring the bridge up
ip link set br0 up

# Add three network namespaces
ip netns add ns0
ip netns add ns1
ip netns add ns2

# Add three veth pairs
ip link add veth0-ns type veth peer name veth0-br
ip link add veth1-ns type veth peer name veth1-br
ip link add veth2-ns type veth peer name veth2-br

# Move one end of each pair into a netns
ip link set veth0-ns netns ns0
ip link set veth1-ns netns ns1
ip link set veth2-ns netns ns2

# Inside each netns, bring up lo and the veth end and assign an IP
ip netns exec ns0 ip link set lo up
ip netns exec ns0 ip link set veth0-ns up
ip netns exec ns0 ip addr add 10.0.0.1/24 dev veth0-ns

ip netns exec ns1 ip link set lo up
ip netns exec ns1 ip link set veth1-ns up
ip netns exec ns1 ip addr add 10.0.0.2/24 dev veth1-ns

ip netns exec ns2 ip link set lo up
ip netns exec ns2 ip link set veth2-ns up
ip netns exec ns2 ip addr add 10.0.0.3/24 dev veth2-ns

# List the interfaces
ip netns exec ns0 ip a
ip netns exec ns1 ip a
ip netns exec ns2 ip a

# Show the routing tables
ip netns exec ns0 route -n
ip netns exec ns1 route -n
ip netns exec ns2 route -n

# Bring up the other ends and attach them to the bridge
ip link set veth0-br up
ip link set veth1-br up
ip link set veth2-br up
brctl addif br0 veth0-br
brctl addif br0 veth1-br
brctl addif br0 veth2-br

# Show the bridge
brctl show

# Add an iptables rule so bridged traffic is accepted
iptables -A FORWARD -i br0 -j ACCEPT

# Test connectivity
ip netns exec ns0 ping 10.0.0.1
ip netns exec ns0 ping 10.0.0.2
ip netns exec ns0 ping 10.0.0.3

localhost

# Show the local routing table
ip route show table local

# Show the main routing table
ip route show table main

# Loopback interface
ifconfig lo

Official site

Grafana

# Install via rpm
wget https://dl.grafana.com/oss/release/grafana-9.3.2-1.x86_64.rpm
sudo yum install grafana-9.3.2-1.x86_64.rpm
systemctl start grafana-server
systemctl enable grafana-server

# Install from the binary tarball
nohup ./grafana-server 2>&1 &

# Login URL
http://192.168.101.211:3000

# DingTalk webhook URL
https://oapi.dingtalk.com/robot/send?access_token=........

# Files to back up
/var/lib/grafana/grafana.db
/etc/grafana/grafana.ini

Prometheus

# Install Prometheus
wget https://github.com/prometheus/prometheus/releases/download/v2.41.0/prometheus-2.41.0.linux-amd64.tar.gz
nohup ./prometheus --config.file=prometheus.yml 2>&1 &
open http://192.168.101.211:9090

BlackboxExporter

# Install BlackboxExporter
wget https://github.com/prometheus/blackbox_exporter/releases/download/v0.23.0/blackbox_exporter-0.23.0.linux-amd64.tar.gz
nohup ./blackbox_exporter 2>&1 &
open http://192.168.101.211:9115

NodeExporter

# Install NodeExporter
wget https://github.com/prometheus/node_exporter/releases/download/v1.5.0/node_exporter-1.5.0.linux-amd64.tar.gz
nohup ./node_exporter --web.config.file=config.yml --web.listen-address=:19100 2>&1 &
open http://192.168.101.211:19100

# Set up auto-start on boot
cat << EOF >/etc/systemd/system/node_exporter.service
[Unit]
Description=node_exporter Monitoring System
Documentation=node_exporter Monitoring System

[Service]
ExecStart=/opt/node_exporter/node_exporter --web.config.file=/opt/node_exporter/config.yml --web.listen-address=:19100

[Install]
WantedBy=multi-user.target
EOF

# Start
systemctl daemon-reload
systemctl start node_exporter.service
systemctl status node_exporter.service
systemctl enable node_exporter.service

# Optional: generate a password hash
yum install httpd-tools -y
htpasswd -nBC 12 '' | tr -d ':\n' # enter the password when prompted

# Optional: configure basic auth (the \$ escapes keep the hash intact inside the unquoted heredoc)
cat << EOF >/opt/node_exporter/config.yml
basic_auth_users:
  prometheus: \$2y\$12\$hj1xMjOs1iH.......
EOF

# Optional: uninstall
ps -ef|grep node_exporter
systemctl stop node_exporter.service
systemctl disable node_exporter.service
systemctl daemon-reload
rm -f /etc/systemd/system/node_exporter.service

Common commands

# Show the system-wide maximum number of FDs
cat /proc/sys/fs/file-max
# or:
sysctl -a | grep fs.file-max

# Set the system-wide maximum number of FDs
vi /etc/sysctl.conf
fs.file-max=3244084
sysctl -p

# Show the per-process FD limit
ulimit -n

# Set the per-process FD limit
vim /etc/security/limits.conf
* soft nofile 65535
* hard nofile 65535

# Processes ranked by FD count (this method is accurate)
find /proc -print | grep -P '/proc/\d+/fd/'| awk -F '/' '{print $3}' | uniq -c | sort -rn | head -10

# Processes ranked by FD count (the widely circulated method; since CentOS 7.3 lsof
# adds a thread-ID column, so this counts the Cartesian product of threads and FDs)
lsof -n|awk '{print $2}'|sort|uniq -c|sort -nr|head -10

# Processes ranked by thread count
ps -efT|grep java|awk '{print $2}'|sort|uniq -c|sort -nr|head -10

# Processes ranked by TCP connection count
lsof -n -i tcp | awk '{print $2}'|sort|uniq -c|sort -nr|head -10

# FD count of a given process
ls /proc/32484/fd -l | wc -l

# Thread count of a given process
ps huH p 25439 | wc -l

# Count all TCP connections in CLOSE-WAIT
ss -tan|grep CLOSE-WAIT|wc -l
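The accurate FD ranking above reads `/proc/<pid>/fd` directly; as an added example (not from the blog), the same counting as a function whose `/proc` root is a parameter, so it can be checked against a constructed directory tree without root and shows why per-thread `task/<tid>/fd` entries must stay out of the count:

```shell
#!/bin/sh
# Added example, not the blog's command: rank processes by open file
# descriptors by counting the entries in <proc>/<pid>/fd. Only top-level PID
# directories are visited, so the per-thread /proc/<pid>/task/<tid>/fd
# directories (the source of the lsof over-count noted above) are never added.

# fd_ranking [PROC_ROOT] [TOP_N]: prints "<fd count> <pid>" lines, highest first
fd_ranking() {
    root=${1:-/proc}
    top=${2:-10}
    for d in "$root"/[0-9]*; do
        [ -d "$d/fd" ] || continue
        pid=${d##*/}
        # fd directories of other users' processes are unreadable without
        # root; they count as 0 instead of aborting the run
        n=$(ls "$d/fd" 2>/dev/null | wc -l | tr -d ' ')
        printf '%s %s\n' "$n" "$pid"
    done | sort -rn | head -n "$top"
}

# build_fake_proc DIR: constructed /proc lookalike for offline testing:
# pid 100 holds 3 descriptors, pid 200 holds 5 plus a thread directory whose
# fd entry must not be added to pid 200's total
build_fake_proc() {
    mkdir -p "$1/100/fd" "$1/200/fd" "$1/200/task/201/fd"
    for i in 0 1 2; do : > "$1/100/fd/$i"; done
    for i in 0 1 2 3 4; do : > "$1/200/fd/$i"; done
    : > "$1/200/task/201/fd/0"
}

# Stand-alone run: first against the constructed tree, then the real /proc
tmp=$(mktemp -d)
build_fake_proc "$tmp"
fd_ranking "$tmp" 10
rm -rf "$tmp"
fd_ranking /proc 10
```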

Determine the current versions

openssl version
OpenSSL 1.0.2k-fips 26 Jan 2017

ssh -V
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017

Upgrading to:

  • OpenSSL: 1.0.2k-fips -> 1.1.1s (latest stable)
  • OpenSSH: 7.4p1 -> 9.1p1 (latest stable)

Installing Telnet server

Upgrading OpenSSH is risky: if the SSH service fails to start afterwards, Telnet is needed to log in remotely and repair it. Enable Telnet temporarily and disable it again once the upgrade is complete.

Install directly from the local yum repository:

# Install telnet-server
yum install telnet-server -y

# Start the service
systemctl enable telnet.socket
systemctl start telnet.socket

# Test the connection (it connects at this point, but login is refused)
telnet 192.168.23.11

Because of PAM restrictions, telnet does not allow root to log in remotely by default. The simplest legitimate approach is to create a temporary user, log in as that user and then su to root:

# Create a temporary user
useradd tmpuser
passwd tmpuser # set the password to yourpass

# Test logging in as the temporary user
telnet -l tmpuser 192.168.23.11 # password yourpass
su -

Download the source

Security hardening requires the latest stable versions, and the versions in CentOS's yum repositories are too old, so the source must be downloaded from the OpenSSL and OpenSSH websites and compiled.

Official sites:

Download links:

wget https://www.openssl.org/source/openssl-1.1.1s.tar.gz
wget https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.1p1.tar.gz

Upgrading OpenSSL

# Check the version
openssl version

# Install gcc and related dependencies
yum install gcc gcc-c++ autoconf automake zlib zlib-devel pcre-devel -y

# Extract
tar -zxvf openssl-1.1.1s.tar.gz
cd openssl-1.1.1s

# Build
export LANG=C
./config shared
make

# Back up
mv /usr/bin/openssl /usr/bin/openssl_old

# Install
make install

# Create symlinks
ln -s /usr/local/bin/openssl /usr/bin/openssl
ln -s /usr/local/lib64/libssl.so.1.1 /usr/lib64/
ln -s /usr/local/lib64/libcrypto.so.1.1 /usr/lib64/

# Check the new version
openssl version

Upgrading OpenSSH

# Check the version
ssh -V
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017

# Install dependencies
yum install zlib-devel openssl-devel pam-devel -y

# Extract
tar -zxvf openssh-9.1p1.tar.gz
cd openssh-9.1p1

# Build
./configure \
    --prefix=/usr/ \
    --sysconfdir=/etc/ssh \
    --with-ssl-dir=/usr/local/lib64/ \
    --with-zlib \
    --with-pam \
    --with-md5-password \
    --with-ssl-engine \
    --with-selinux

make

# Back up
mkdir /etc/ssh_old
mv /etc/ssh/* /etc/ssh_old/

# Install
make install

# Check the new version
ssh -V
OpenSSH_9.1p1, OpenSSL 1.1.1s 1 Nov 2022

# Reconfigure sshd_config
vi /etc/ssh/sshd_config
PermitRootLogin yes # allow root login
Port 2205 # change back to the previous port

# Move the old ssh unit files away so they do not conflict with the new service
mv /usr/lib/systemd/system/sshd.service /etc/ssh_old/sshd.service
mv /usr/lib/systemd/system/sshd.socket /etc/ssh_old/sshd.socket

# Copy the init script from the extracted source tree
cp -a contrib/redhat/sshd.init /etc/init.d/sshd

# Restart the service
systemctl daemon-reload
systemctl restart sshd
systemctl status sshd

# Test login
ssh root@192.168.23.11 -p2205

Configuring SSH trust

The servers hosting TiDB and DS need their SSH mutual trust reconfigured; the other servers do not.

ssh-copy-id root@192.168.23.XX

Disabling Telnet server

After confirming that the OpenSSH upgrade succeeded, disable the Telnet server and delete the temporary user.

# Disable the Telnet service
systemctl disable telnet.socket
systemctl stop telnet.socket
systemctl status telnet.socket

# Delete the temporary user
userdel tmpuser

Purpose

A Tampermonkey script that patches the Geekbang (极客时间) HTML pages so that text can be selected and copied.

Installing the Tampermonkey extension

https://chrome.google.com/webstore/detail/tampermonkey/dhdgffkkebhmkfjojejmpbldmpobfkfo?utm_source=chrome-ntp-icon

After installing, right-click the icon to open the extension settings and enable Allow access to file URLs.

Script

// ==UserScript==
// @name 极客时间允许复制
// @namespace https://www.yourdomain.com/
// @version 1.0
// @description 极客时间允许复制
// @author yourname
// @match file:///path/to*
// @icon https://www.google.com/s2/favicons?sz=64&domain=undefined.
// @run-at document-body
// ==/UserScript==

(function() {
    'use strict';
    // Re-enable text selection on every element of the page
    var eles = document.getElementsByTagName('*');
    for (var i = 0; i < eles.length; i++) {
        eles[i].style.userSelect = 'text';
    }
})();

Remember to change @match to the local path.

Notes

  • For legacy projects where several modules share one git repository, identify which modules changed in each push and build only those.
  • If several Jenkins pipelines are configured with the same git URL, their hook URLs are also identical, so a single pipeline cannot be triggered on its own. Several mirror repositories therefore have to be set up.
  • Configuring things the plain way is most convenient; GitLab and Gogs are not used.
  • When git is exposed over the ssh protocol, manual builds work but hook-triggered builds do not (a Jenkins bug?), so an httpd service must also be configured to expose it over http.

Git mirror repository setup

References

https://blog.csdn.net/mxdzchallpp/article/details/80597126

  • Expose the repository over http; the setup is not repeated here
  • To configure several mirrors of one repository, symlinks created with ln -s can be used

Jenkins pipeline configuration

Configure a separate pipeline for each module, each using its own repository.

Automatic build test:

curl http://10.133.0.186/devops_webhook/git/?url=http://10.193.2.12:8081/git/develop-alert

Git mirror sync script

Runs as a background process in a while loop, pulling every 10 seconds.

sync.sh

#!/bin/sh

GIT_PATH=/dubhe/git/develop
BASE_PATH=/dubhe/git/sync-dev
SLEEP_SEC=10

while :
do
    echo Git同步开始 `date +"%Y/%m/%d %H:%M:%S"` | tee -a "$BASE_PATH/sync.log"

    # Pull, and append the list of changed files to sync.dat
    cd "$GIT_PATH" || exit 1
    oldsha=`git rev-parse HEAD`
    git pull
    git diff --name-only $oldsha | tee -a "$BASE_PATH/sync.dat" "$BASE_PATH/sync.log"

    # Work out which modules changed and notify Jenkins
    cd "$BASE_PATH" || exit 1
    cat sync.cfg|while read line
    do
        module=`echo $line|awk -F ' ' '{print $1}'`
        hook=`echo $line|awk -F ' ' '{print $2}'`
        count=`cat sync.dat | grep "$module"|wc -l`
        #echo $module $hook $count

        if test $count -gt 0
        then
            echo 触发构建 $module 模块 | tee -a sync.log
            curl -s "$hook" >/dev/null
        fi
    done

    echo Git同步完成 `date +"%Y/%m/%d %H:%M:%S"` | tee -a sync.log

    # Empty the dat file
    > sync.dat
    echo "" | tee -a sync.log

    # Sleep
    sleep $SLEEP_SEC
done

sync.cfg

efpx-ui    http://10.133.0.186/devops_webhook/git/?url=http://10.193.2.12:8081/git/develop-ui
efpx-upms http://10.133.0.186/devops_webhook/git/?url=http://10.193.2.12:8081/git/develop-upms
dubhe-metadata http://10.133.0.186/devops_webhook/git/?url=http://10.193.2.12:8081/git/develop-metadata
dubhe-scheduler http://10.133.0.186/devops_webhook/git/?url=http://10.193.2.12:8081/git/develop-scheduler
dubhe-data-integration http://10.133.0.186/devops_webhook/git/?url=http://10.193.2.12:8081/git/develop-data-integration
dubhe-alert http://10.133.0.186/devops_webhook/git/?url=http://10.193.2.12:8081/git/develop-alert
dubhe-api-generation http://10.133.0.186/devops_webhook/git/?url=http://10.193.2.12:8081/git/develop-api-generation
dubhe-quality http://10.133.0.186/devops_webhook/git/?url=http://10.193.2.12:8081/git/develop-quality
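The module-detection step of sync.sh greps each sync.cfg module name as a substring of the changed paths, so a name that is a prefix of another module's name would trigger both. As an added example (not the blog's sync.sh), the same step with an exact match on the first path component, using constructed module names and placeholder hook URLs in the sync.cfg layout above:

```shell
#!/bin/sh
# Added example, not the blog's sync.sh: decide which modules need a Jenkins
# build from `git diff --name-only` output and a sync.cfg ("<module> <hook>"
# per line). The module name is compared exactly against the first path
# component of each changed file, so a change under dubhe-api-generation/
# cannot also trigger a module named dubhe-api.

# Constructed sync.cfg contents (placeholder hook URLs)
SAMPLE_CFG='dubhe-api http://jenkins.example.invalid/hook/api
dubhe-api-generation http://jenkins.example.invalid/hook/api-generation
dubhe-alert http://jenkins.example.invalid/hook/alert'

# Constructed output of `git diff --name-only <oldsha>`
SAMPLE_CHANGED='dubhe-api-generation/src/main/java/App.java
dubhe-alert/pom.xml
docs/README.md'

# changed_modules CFG CHANGED_FILES: prints "<module> <hook>" for every module
# whose top-level directory contains at least one changed file, in cfg order
changed_modules() {
    cfg=$1
    changed=$2
    # first path component of each changed file, de-duplicated
    dirs=$(printf '%s\n' "$changed" | cut -d/ -f1 | sort -u)
    printf '%s\n' "$cfg" | while read -r module hook; do
        [ -n "$module" ] || continue
        # -x: whole-line match, -F: literal; "dubhe-api" != "dubhe-api-generation"
        if printf '%s\n' "$dirs" | grep -qxF -- "$module"; then
            printf '%s %s\n' "$module" "$hook"
        fi
    done
}

# Stand-alone run: the sync.sh loop would `curl -s "$hook"` for each line printed
changed_modules "$SAMPLE_CFG" "$SAMPLE_CHANGED"
```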

Webhook listener (deprecated)

Uses nc to build a simple HTTP server.
Abandoned because the network path from GitLab to the mirror server is unreachable.

listen.sh

while true
do
    cat index.http | nc -l 8082
    # echo "开始同步git"
    # call the sync shell script
done

index.http

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Server: netcat!

<!doctype html>
<html><body><h1>开始同步GIT</h1></body></html>

Test

curl http://10.193.2.12:8082
curl http://10.193.2.12:8083

References

Configure the health-check endpoint

Modify the Nacos configuration: add the management.endpoint.health.show-details parameter to application-dev.yml. Note that in older Spring Boot versions endpoint has no 's'.

management:
  endpoint:
    health:
      show-details: "ALWAYS"
  endpoints:
    web:
      exposure:
        include: '*'

Health check:

curl http://10.133.0.63:30508/actuator/health/ping
{"status":"UP"}

Modify the K8s configuration to add a readinessProbe

readinessProbe:
  httpGet:
    scheme: HTTP
    path: /actuator/health/ping
    port: 4000
  initialDelaySeconds: 10
  periodSeconds: 5