搜索到
211
篇与
cby
的结果
-
Kubernetes(K8S)内核优化常用参数详解 net.ipv4.tcp_keepalive_time=600 net.ipv4.tcp_keepalive_intvl=30 net.ipv4.tcp_keepalive_probes=10 net.ipv6.conf.all.disable_ipv6=1 net.ipv6.conf.default.disable_ipv6=1 net.ipv6.conf.lo.disable_ipv6=1 net.ipv4.neigh.default.gc_stale_time=120 net.ipv4.conf.all.rp_filter=0 net.ipv4.conf.default.rp_filter=0 net.ipv4.conf.default.arp_announce=2 net.ipv4.conf.lo.arp_announce=2 net.ipv4.conf.all.arp_announce=2 net.ipv4.ip_local_port_range= 45001 65000 net.ipv4.ip_forward=1 net.ipv4.tcp_max_tw_buckets=6000 net.ipv4.tcp_syncookies=1 net.ipv4.tcp_synack_retries=2 net.bridge.bridge-nf-call-ip6tables=1 net.bridge.bridge-nf-call-iptables=1 net.netfilter.nf_conntrack_max=2310720 net.ipv6.neigh.default.gc_thresh1=8192 net.ipv6.neigh.default.gc_thresh2=32768 net.ipv6.neigh.default.gc_thresh3=65536 net.core.netdev_max_backlog=16384 net.core.rmem_max = 16777216 net.core.wmem_max = 16777216 net.ipv4.tcp_max_syn_backlog = 8096 net.core.somaxconn = 32768 fs.inotify.max_user_instances=8192 fs.inotify.max_user_watches=524288 fs.file-max=52706963 fs.nr_open=52706963 kernel.pid_max = 4194303 net.bridge.bridge-nf-call-arptables=1 vm.swappiness=0 vm.overcommit_memory=1 vm.panic_on_oom=0 vm.max_map_count = 262144内核参数解释net.ipv4.tcp_keepalive_time=600 #此参数表示TCP发送keepalive探测消息的间隔时间(秒) net.ipv4.tcp_keepalive_intvl=30 #tcp检查间隔时间(keepalive探测包的发送间隔) net.ipv4.tcp_keepalive_probes=10 #tcp检查次数(如果对方不予应答,探测包的发送次数) net.ipv6.conf.all.disable_ipv6=1 #禁用IPv6,修为0为启用IPv6 net.ipv6.conf.default.disable_ipv6=1 #禁用IPv6,修为0为启用IPv6 net.ipv6.conf.lo.disable_ipv6=1 #禁用IPv6,修为0为启用IPv6 net.ipv4.neigh.default.gc_stale_time=120 #ARP缓存条目超时 net.ipv4.conf.all.rp_filter=0 #默认为1,系统会严格校验数据包的反向路径,可能导致丢包 net.ipv4.conf.default.rp_filter=0 #不开启源地址校验 net.ipv4.conf.default.arp_announce=2 #始终使用与目的IP地址对应的最佳本地IP地址作为ARP请求的源IP地址 net.ipv4.conf.lo.arp_announce=2 #始终使用与目的IP地址对应的最佳本地IP地址作为ARP请求的源IP地址 net.ipv4.conf.all.arp_announce=2 #始终使用与目的IP地址对应的最佳本地IP地址作为ARP请求的源IP地址 net.ipv4.ip_local_port_range= 45001 65000 # 定义网络连接可用作其源(本地)端口的最小和最大端口的限制,同时适用于TCP和UDP连接。 net.ipv4.ip_forward=1 # 其值为0,说明禁止进行IP转发;如果是1,则说明IP转发功能已经打开。 net.ipv4.tcp_max_tw_buckets=6000 #配置服务器 TIME_WAIT 数量 net.ipv4.tcp_syncookies=1 #此参数应该设置为1,防止SYN Flood net.ipv4.tcp_synack_retries=2 #表示回应第二个握手包(SYN+ACK包)给客户端IP后,如果收不到第三次握手包(ACK包),进行重试的次数(默认为5) net.bridge.bridge-nf-call-ip6tables=1 # 是否在ip6tables链中过滤IPv6包 net.bridge.bridge-nf-call-iptables=1 # 二层的网桥在转发包时也会被iptables的FORWARD规则所过滤,这样有时会出现L3层的iptables rules去过滤L2的帧的问题 net.netfilter.nf_conntrack_max=2310720 #连接跟踪表的大小,建议根据内存计算该值CONNTRACK_MAX = RAMSIZE (in bytes) / 16384 / (x / 32),并满足nf_conntrack_max=4*nf_conntrack_buckets,默认262144 net.ipv6.neigh.default.gc_thresh1=8192 net.ipv6.neigh.default.gc_thresh2=32768 net.ipv6.neigh.default.gc_thresh3=65536 #gc_thresh3 是表大小的绝对限制 #gc_thresh2 设置为等于系统的最大预期邻居条目数的值 #在这种情况下,gc_thresh3 应该设置为一个比 gc_thresh2 值高的值,例如,比 gc_thresh2 高 25%-50%,将其视为浪涌容量。 #gc_thresh1 提高到较大的值;此设置的作用是,如果表包含的条目少于 gc_thresh1,内核将永远不会删除(超时)过时的条目。 net.core.netdev_max_backlog=16384 # 每CPU网络设备积压队列长度 net.core.rmem_max = 16777216 # 所有协议类型读写的缓存区大小 net.core.wmem_max = 16777216 # 最大的TCP数据发送窗口大小 net.ipv4.tcp_max_syn_backlog = 8096 # 第一个积压队列长度 net.core.somaxconn = 32768 # 第二个积压队列长度 fs.inotify.max_user_instances=8192 # 表示每一个real user ID可创建的inotify instatnces的数量上限,默认128. fs.inotify.max_user_watches=524288 # 同一用户同时可以添加的watch数目,默认8192。 fs.file-max=52706963 # 文件描述符的最大值 fs.nr_open=52706963 #设置最大微博号打开数 kernel.pid_max = 4194303 #最大进程数 net.bridge.bridge-nf-call-arptables=1 #是否在arptables的FORWARD中过滤网桥的ARP包 vm.swappiness=0 # 禁止使用 swap 空间,只有当系统 OOM 时才允许使用它 vm.overcommit_memory=1 # 不检查物理内存是否够用 vm.panic_on_oom=0 # 开启 OOM vm.max_map_count = 262144Linux运维交流社区Linux运维交流社区,互联网新闻以及技术交流。82篇原创内容公众号 https://www.oiox.cn/https://www.chenby.cn/https://cby-chen.github.io/https://weibo.com/u/5982474121https://blog.csdn.net/qq_33921750https://my.oschina.net/u/3981543https://www.zhihu.com/people/chen-bu-yun-2https://segmentfault.com/u/hppyvyv6/articleshttps://juejin.cn/user/3315782802482007https://space.bilibili.com/352476552/articlehttps://cloud.tencent.com/developer/column/93230https://www.jianshu.com/u/0f894314ae2chttps://www.toutiao.com/c/user/token/MS4wLjABAAAAeqOrhjsoRZSj7iBJbjLJyMwYT5D0mLOgCoo4pEmpr4A/CSDN、GitHub、知乎、开源中国、思否、掘金、简书、腾讯云、哔哩哔哩、今日头条、新浪微博、个人博客、全网可搜《小陈运维》 -
CentOS&RHEL内核升级 在安装部署一些环境的时候,会要求内核版本的要求,可以通过YUM工具进行安装配置更高版本的内核,当然更新内核有风险,在操作之前慎重,严谨在生产环境操作!安装源# 为 RHEL-8或 CentOS-8配置源 yum install https://www.elrepo.org/elrepo-release-8.el8.elrepo.noarch.rpm # 为 RHEL-7 SL-7 或 CentOS-7 安装 ELRepo yum install https://www.elrepo.org/elrepo-release-7.el7.elrepo.noarch.rpm启用内核源,并安装# 查看可用安装包 yum --disablerepo="*" --enablerepo="elrepo-kernel" list available # 安装最新的内核 # 我这里选择的是稳定版kernel-ml 如需更新长期维护版本kernel-lt yum --enablerepo=elrepo-kernel install kernel-ml查看已有内核# 查看已安装哪些内核 rpm -qa | grep kernel kernel-core-4.18.0-358.el8.x86_64 kernel-tools-4.18.0-358.el8.x86_64 kernel-ml-core-5.16.7-1.el8.elrepo.x86_64 kernel-ml-5.16.7-1.el8.elrepo.x86_64 kernel-modules-4.18.0-358.el8.x86_64 kernel-4.18.0-358.el8.x86_64 kernel-tools-libs-4.18.0-358.el8.x86_64 kernel-ml-modules-5.16.7-1.el8.elrepo.x86_64查看当前使用的并设置# 查看默认内核 grubby --default-kernel /boot/vmlinuz-5.16.7-1.el8.elrepo.x86_64 # 若不是最新的使用命令设置 grubby --set-default /boot/vmlinuz-「您的内核版本」.x86_64 # 重启生效 reboot整合一条命令为:yum install https://www.elrepo.org/elrepo-release-8.el8.elrepo.noarch.rpm -y ; yum --disablerepo="*" --enablerepo="elrepo-kernel" list available -y ; yum --enablerepo=elrepo-kernel install kernel-ml -y ; grubby --default-kernel ; rebootLinux运维交流社区Linux运维交流社区,互联网新闻以及技术交流。82篇原创内容公众号 https://www.oiox.cn/https://www.chenby.cn/https://cby-chen.github.io/https://weibo.com/u/5982474121https://blog.csdn.net/qq_33921750https://my.oschina.net/u/3981543https://www.zhihu.com/people/chen-bu-yun-2https://segmentfault.com/u/hppyvyv6/articleshttps://juejin.cn/user/3315782802482007https://space.bilibili.com/352476552/articlehttps://cloud.tencent.com/developer/column/93230https://www.jianshu.com/u/0f894314ae2chttps://www.toutiao.com/c/user/token/MS4wLjABAAAAeqOrhjsoRZSj7iBJbjLJyMwYT5D0mLOgCoo4pEmpr4A/CSDN、GitHub、知乎、开源中国、思否、掘金、简书、腾讯云、哔哩哔哩、今日头条、新浪微博、个人博客、全网可搜《小陈运维》
-
网络抓包 tcpdump 使用指南 在网络问题的调试中,tcpdump应该说是一个必不可少的工具,和大部分linux下优秀工具一样,它的特点就是简单而强大。它是基于Unix系统的命令行式的数据包嗅探工具,可以抓取流动在网卡上的数据包。监听所有网卡所有包tcpdump监听指定网卡的包tcpdump -i ens18监听指定IP的包tcpdump host 192.168.1.11监听指定来源IPtcpdump src host 192.168.1.11监听目标地址IPtcpdump dst host 192.168.1.11监听指定端口tcpdump port 80监听TCPtcpdump tcp监听UDPtcpdump udp监听192.168.1.11的tcp协议的80端口的数据包tcpdump tcp port 80 and src host 192.168.1.11 11:59:07.836563 IP 192.168.1.11.39680 > hello.http: Flags [.], ack 867022485, win 502, length 0 11:59:07.836711 IP 192.168.1.11.39680 > hello.http: Flags [P.], seq 0:77, ack 1, win 502, length 77: HTTP: HEAD / HTTP/1.1 11:59:07.838462 IP 192.168.1.11.39680 > hello.http: Flags [.], ack 248, win 501, length 0 11:59:07.838848 IP 192.168.1.11.39680 > hello.http: Flags [F.], seq 77, ack 248, win 501, length 0 11:59:07.839192 IP 192.168.1.11.39680 > hello.http: Flags [.], ack 249, win 501, length 0监听IP之间的包tcpdump ip host 192.168.1.11 and 192.168.1.60 11:57:52.742468 IP 192.168.1.11.38978 > hello.http: Flags [S], seq 3437424457, win 64240, options [mss 1460,sackOK,TS val 2166810854 ecr 0,nop,wscale 7], length 0 11:57:52.742606 IP hello.http > 192.168.1.11.38978: Flags [S.], seq 3541873211, ack 3437424458, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0 11:57:52.742841 IP 192.168.1.11.38978 > hello.http: Flags [.], ack 1, win 502, length 0 11:57:52.742927 IP 192.168.1.11.38978 > hello.http: Flags [P.], seq 1:78, ack 1, win 502, length 77: HTTP: HEAD / HTTP/1.1 11:57:52.742943 IP hello.http > 192.168.1.11.38978: Flags [.], ack 78, win 502, length 0 11:57:52.744407 IP hello.http > 192.168.1.11.38978: Flags [P.], seq 1:248, ack 78, win 502, length 247: HTTP: HTTP/1.1 200 OK 11:57:52.744613 IP 192.168.1.11.38978 > hello.http: Flags [.], ack 248, win 501, length 0 11:57:52.744845 IP 192.168.1.11.38978 > hello.http: Flags [F.], seq 78, ack 248, win 501, length 0 11:57:52.745614 IP hello.http > 192.168.1.11.38978: Flags [F.], seq 248, ack 79, win 502, length 0 11:57:52.745772 IP 192.168.1.11.38978 > hello.http: Flags [.], ack 249, win 501, length 0监听除了与192.168.1.4之外的数据包tcpdump ip host 192.168.1.60 and ! 192.168.1.4 11:57:20.862575 IP 192.168.1.9.47190 > hello.9200: Flags [P.], seq 3233461117:3233461356, ack 1301434191, win 9399, length 239 11:57:20.878165 IP hello.9200 > 192.168.1.9.47190: Flags [P.], seq 1:4097, ack 239, win 3081, length 4096 11:57:20.878340 IP hello.9200 > 192.168.1.9.47190: Flags [P.], seq 4097:8193, ack 239, win 3081, length 4096 11:57:20.878417 IP 192.168.1.9.47190 > hello.9200: Flags [.], ack 4097, win 9384, length 0组合示例tcpdump tcp -i ens18 -v -nn -t -A -s 0 -c 50 and dst port ! 22 and src net 192.168.1.0/24 -w ./cby.cap (1)tcp: ip icmp arp rarp 和 tcp、udp、icmp这些选项等都要放到第一个参数的位置,用来过滤数据报的类型 (2)-i eth1 : 只抓经过接口eth1的包 (3)-t : 不显示时间戳 (4)-s 0 : 抓取数据包时默认抓取长度为68字节。加上-S 0 后可以抓到完整的数据包 (5)-c 50 : 只抓取50个数据包 (6)dst port ! 22 : 不抓取目标端口是22的数据包 (7)src net 192.168.1.0/24 : 数据包的源网络地址为192.168.1.0/24 (8)-w ./cby.cap : 保存成cap文件,方便用ethereal(即wireshark)分析 (9)-v 使用 -v,-vv 和 -vvv 来显示更多的详细信息,通常会显示更多与特定协议相关的信息。 (10)-nn 单个 n 表示不解析域名,直接显示 IP;两个 n 表示不解析域名和端口。 (11)-A 表示使用 ASCII 字符串打印报文的全部数据组合过滤器 《与/AND/&&》 《或/OR/||》 《非/not/!》 and or && or or || not or !在HTTP中提取用户头tcpdump -nn -A -s0 -l | grep "User-Agent:" User-Agent: Prometheus/2.30.0 User-Agent: Microsoft-Delivery-Optimization/10.0在HTTP中同时提取用户头和主机信息tcpdump -nn -A -s0 -l | egrep -i 'User-Agent:|Host:' Host: 192.168.1.42:9200 User-Agent: Prometheus/2.30.0 HOST: 239.255.255.250:1900 USER-AGENT: Microsoft Edge/97.0.1072.55 Windows抓取 HTTP GET 流量tcpdump -s 0 -A -vv 'tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420' 11:55:13.704801 IP (tos 0x0, ttl 64, id 14605, offset 0, flags [DF], proto TCP (6), length 291) localhost.35498 > localhost.9200: Flags [P.], cksum 0x849a (incorrect -> 0xd0b0), seq 3090925559:3090925798, ack 809492640, win 630, options [nop,nop,TS val 2076158003 ecr 842090965], length 239 E..#9.@.@.}C... ...+..#..;..0?.....v....... {..321I.GET /metrics HTTP/1.1 Host: 192.168.1.43:9200 User-Agent: Prometheus/2.30.0 Accept: application/openmetrics-text; version=0.0.1,text/plain;version=0.0.4;q=0.5,*/*;q=0.1 Accept-Encoding: gzip X-Prometheus-Scrape-Timeout-Seconds: 10抓取 HTTP POST 请求流量tcpdump -s 0 -A -vv 'tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504f5354' 11:53:10.831855 IP (tos 0x0, ttl 63, id 0, offset 0, flags [none], proto TCP (6), length 643) localhost.47702 > dns50.online.tj.cn.http-alt: Flags [P.], cksum 0x1a41 (correct), seq 3331055769:3331056372, ack 799860501, win 4096, length 603: HTTP, length: 603 POST /?tk=391f8956e632962ee9c1dc661a9b46779d86ca43fe252bddbfc09d2cc66bf875323f6e7f03b881db21133b1bf2ae5bc5 HTTP/1.1 Host: 220.194.116.50:8080 Accept: */* Accept-Language: zh-CN,zh-Hans;q=0.9 Q-Guid: e54764008893a559b852b6e9f1c8ae268958471308f41a96fd42e477e26323b8 Q-UA: Accept-Encoding: gzip,deflate Q-UA2: QV=3&PL=IOS&RF=SDK&PR=IBS&PP=com.tencent.mqq&PPVN=3.8.0.1824&TBSVC=18500&DE=PHONE&VE=GA&CO=IMTT&RL=1170*2532&MO=iPhone14,2&CHID=50001&LCID=9751&OS=15.1.1 Content-Length: 144 User-Agent: QQ-S-ZIP: gzip Connection: keep-alive Content-Type: application/multipart-formdata Q-Auth: E.......?.f.......t2.V....../...P....A..POST /?tk=391f8956e632962ee9c1dc661a9b46779d86ca43fe252bddbfc09d2cc66bf875323f6e7f03b881db21133b1bf2ae5bc5 HTTP/1.1 Host: 220.194.116.50:8080 Accept: */* Accept-Language: zh-CN,zh-Hans;q=0.9 Q-Guid: e54764008893a559b852b6e9f1c8ae268958471308f41a96fd42e477e26323b8 Q-UA: Accept-Encoding: gzip,deflate Q-UA2: QV=3&PL=IOS&RF=SDK&PR=IBS&PP=com.tencent.mqq&PPVN=3.8.0.1824&TBSVC=18500&DE=PHONE&VE=GA&CO=IMTT&RL=1170*2532&MO=iPhone14,2&CHID=50001&LCID=9751&OS=15.1.1 Content-Length: 144 User-Agent: QQ-S-ZIP: gzip Connection: keep-alive Content-Type: application/multipart-formdata Q-Auth:注意:一个 POST 请求会被分割为多个 TCP 数据包提取 HTTP 请求的主机名和路径root@pve:~# tcpdump -s 0 -v -n -l | egrep -i "POST /|GET /|Host:" tcpdump: listening on eno1, link-type EN10MB (Ethernet), snapshot length 262144 bytes GET /gchatpic_new/2779153238/851197814-3116860870-F4902AF1432FE48B812982F082A31097/0?term=255&pictype=0 HTTP/1.1 Host: 112.80.128.33 GET /gchatpic_new/2779153238/851197814-3116860870-F4902AF1432FE48B812982F082A31097/0?term=255&pictype=0 HTTP/1.1 Host: 112.80.128.33 POST /mmtls/74ce36ed HTTP/1.1 Host: extshort.weixin.qq.com POST /mmtls/74ce36ed HTTP/1.1 Host: extshort.weixin.qq.com从 HTTP 请求中提取密码和主机名tcpdump -s 0 -v -n -l | egrep -i "POST /|GET /|pwd=|passwd=|password=|Host:" POST /index.php/action/login?_=b395d487431320461e9a6741e3828918 HTTP/1.1 Host: x.oiox.cn name=cby&password=Cby****&referer=http%3A%2F%2Fx.oiox.cn%2Fadmin%2Fwelcome.php [|http] POST /index.php/action/login?_=b395d487431320461e9a6741e3828918 HTTP/1.1 Host: x.oiox.cn name=cby&password=Cby****&referer=http%3A%2F%2Fx.oiox.cn%2Fadmin%2Fwelcome.php [|http] GET /admin/welcome.php HTTP/1.1 Host: x.oiox.cn从 HTTP 请求中提取Cookie信息tcpdump -nn -A -s0 -l -v | egrep -i 'Set-Cookie|Host:|Cookie:' Host: x.oiox.cn Cookie: 8bf110c223e1a04b7b63ca5aa97c9f61__typecho_uid=1; 8bf110cxxxxxxxb7b63ca5aa97c9f61__typecho_authCode=%24T%24W3hV7B9vRfefa6593049ba02c33b3c4796a7cfa35; PHPSESSID=bq67s1n0cb9ml6dq254qpdvfec通过排除 echo 和 reply 类型的数据包使抓取到的数据包不包括标准的 ping 包tcpdump 'icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply' 11:20:32.285428 IP localhost > localhost: ICMP localhost udp port 64594 unreachable, length 36 11:20:32.522061 IP localhost > localhost: ICMP localhost udp port 58617 unreachable, length 36 11:20:37.736249 IP localhost > localhost: ICMP redirect 204.79.197.219 to host localhost, length 48 11:20:44.379646 IP localhost > 111.206.187.34: ICMP localhost udp port 37643 unreachable, length 36 11:20:44.379778 IP localhost > 111.206.187.34: ICMP localhost udp port 37643 unreachable, length 36 11:20:46.351245 IP localhost > localhost: ICMP redirect lt-in-f188.1e100.net to host localhost, length 49可以通过过滤器 ip6 来抓取 IPv6 流量,同时可以指定协议如 TCProot@vm371841:~# tcpdump -nn ip6 proto 6 -v tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes 06:40:26.060313 IP6 (flowlabel 0xfe65e, hlim 64, next-header TCP (6) payload length: 40) 2a00:b700::e831:2aff:fe27:e9d9.44428 > 2001:2030:21:181::26e7.443: Flags [S], cksum 0x451c (incorrect -> 0x24cd), seq 3503520271, win 64800, options [mss 1440,sackOK,TS val 2504544710 ecr 0,nop,wscale 6], length 0 06:40:34.296847 IP6 (flowlabel 0xc9f9c, hlim 64, next-header TCP (6) payload length: 40) 2a00:b700::e831:2aff:fe27:e9d9.55082 > 2a00:1450:4010:c0e::84.443: Flags [S], cksum 0x6754 (incorrect -> 0x0813), seq 3899361154, win 64800, options [mss 1440,sackOK,TS val 2141524802 ecr 0,nop,wscale 6], length 0发起的出站 DNS 请求和 A 记录响应tcpdump -i eth0 -s0 port 53 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes 06:44:10.499529 IP vm371841.37357 > dns.yandex.ru.domain: 34151+ [1au] A? czr12g1e.slt-dk.sched.tdnsv8.com. (61) 06:44:10.500992 IP vm371841.56195 > dns.yandex.ru.domain: 45667+ [1au] PTR? 219.3.144.45.in-addr.arpa. (54) 06:44:10.661142 IP dns.yandex.ru.domain > vm371841.56195: 45667 NXDomain 0/1/1 (112) 06:44:10.661438 IP vm371841.56195 > dns.yandex.ru.domain: 45667+ PTR? 219.3.144.45.in-addr.arpa. (43) 06:44:10.687147 IP dns.yandex.ru.domain > vm371841.56195: 45667 NXDomain 0/1/0 (101) 06:44:10.806349 IP dns.yandex.ru.domain > vm371841.37357: 34151 11/0/1 A 139.170.156.155, A 220.200.129.141, A 58.243.200.63, A 113.59.43.25, A 124.152.41.39, A 139.170.156.154, A 59.83.204.154, A 123.157.255.158, A 113.200.17.157, A 43.242.166.42, A 116.177.248.23 (237)抓取 DHCP 服务的请求和响应报文tcpdump -v -n port 67 or 68 11:50:28.939726 IP (tos 0x0, ttl 64, id 35862, offset 0, flags [DF], proto UDP (17), length 320) 192.168.1.136.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 70:3a:a6:cb:27:3c, length 292, xid 0x3ccba40c, secs 11529, Flags [none] Client-IP 192.168.1.136 Client-Ethernet-Address 70:3a:a6:cb:27:3c Vendor-rfc1048 Extensions Magic Cookie 0x63825363 DHCP-Message (53), length 1: Request Client-ID (61), length 7: ether 70:3a:a6:cb:27:3c Hostname (12), length 11: "S24G-U_273C" Vendor-Class (60), length 13: "CloudSwitch_1" MSZ (57), length 2: 800 Parameter-Request (55), length 5: Subnet-Mask (1), Default-Gateway (3), Hostname (12), Domain-Name-Server (6) Vendor-Class (60)Linux运维交流社区Linux运维交流社区,互联网新闻以及技术交流。81篇原创内容公众号 https://www.oiox.cn/https://www.chenby.cn/https://cby-chen.github.io/https://weibo.com/u/5982474121https://blog.csdn.net/qq_33921750https://my.oschina.net/u/3981543https://www.zhihu.com/people/chen-bu-yun-2https://segmentfault.com/u/hppyvyv6/articleshttps://juejin.cn/user/3315782802482007https://space.bilibili.com/352476552/articlehttps://cloud.tencent.com/developer/column/93230https://www.jianshu.com/u/0f894314ae2chttps://www.toutiao.com/c/user/token/MS4wLjABAAAAeqOrhjsoRZSj7iBJbjLJyMwYT5D0mLOgCoo4pEmpr4A/CSDN、GitHub、知乎、开源中国、思否、掘金、简书、腾讯云、哔哩哔哩、今日头条、新浪微博、个人博客、全网可搜《小陈运维》
-
KubeSphere离线无网络环境部署 KubeSphere离线无网络环境部署KubeSphere 是 GitHub 上的一个开源项目,是成千上万名社区用户的聚集地。很多用户都在使用 KubeSphere 运行工作负载。对于在 Linux 上的安装,KubeSphere 既可以部署在云端,也可以部署在本地环境中,例如 AWS EC2、Azure VM 和裸机等。KubeSphere 为用户提供轻量级安装程序 KubeKey(该程序支持安装 Kubernetes、KubeSphere 及相关插件),安装过程简单而友好。KubeKey 不仅能帮助用户在线创建集群,还能作为离线安装解决方案。前期准备所需包#前期准备所需包 root@hello:~# wget https://github.com/kubesphere/kubekey/releases/download/v1.2.1/kubekey-v1.2.1-linux-amd64.tar.gz root@hello:~# tar xvf kubekey-v1.2.1-linux-amd64.tar.gz root@hello:~# ls kk kk root@hello:~# root@hello:~# curl -L -O https://github.com/kubesphere/ks-installer/releases/download/v3.2.1/images-list.txt root@hello:~# curl -L -O https://github.com/kubesphere/ks-installer/releases/download/v3.2.1/offline-installation-tool.sh root@hello:~# chmod +x offline-installation-tool.sh root@hello:~# export KKZONE=cn root@hello:~# ./offline-installation-tool.sh -b root@hello:~# ./offline-installation-tool.sh -s -l images-list.txt -d ./kubesphere-images root@hello:~# curl -L -o /root/kubekey/v1.21.5/amd64/docker-20.10.8.tgz https://download.docker.com/linux/static/stable/x86_64/docker-20.10.8.tgz root@hello:~# curl -L -o /root/kubekey/v1.21.5/amd64/crictl-v1.22.0-linux-amd64.tar.gz https://github.com/kubernetes-sigs/cri-tools/releases/download/v1.22.0/crictl-v1.22.0-linux-amd64.tar.gz离线环境安装#创建证书,注意“Common Name” 需要写域名 root@cby:~# mkdir -p certs root@cby:~# openssl req \ > -newkey rsa:4096 -nodes -sha256 -keyout certs/domain.key \ > -x509 -days 36500 -out certs/domain.crt Generating a RSA private key ............++++ .......++++ writing new private key to 'certs/domain.key' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]: State or Province Name (full name) [Some-State]: Locality Name (eg, city) []: Organization Name (eg, company) [Internet Widgits Pty Ltd]: Organizational Unit Name (eg, section) []: Common Name (e.g. server FQDN or YOUR name) []:dockerhub.kubekey.local Email Address []: root@cby:~#安装docker#安装docker root@cby:~# root@cby:~/package# ll total 94776 drwxr-xr-x 2 root root 4096 Jan 12 07:17 ./ drwx------ 7 root root 4096 Jan 12 07:16 ../ -rw-r--r-- 1 root root 23703726 Jan 12 07:17 containerd.io_1.4.12-1_amd64.deb -rw-r--r-- 1 root root 21234738 Jan 12 07:16 docker-ce_5%3a20.10.12~3-0~ubuntu-focal_amd64.deb -rw-r--r-- 1 root root 40652850 Jan 12 07:16 docker-ce-cli_5%3a20.10.12~3-0~ubuntu-focal_amd64.deb -rw-r--r-- 1 root root 7921036 Jan 12 07:16 docker-ce-rootless-extras_5%3a20.10.12~3-0~ubuntu-focal_amd64.deb -rw-r--r-- 1 root root 3517780 Jan 12 07:16 docker-scan-plugin_0.12.0~ubuntu-focal_amd64.deb root@cby:~/package# root@cby:~/package# apt install ./*部署镜像仓库# 导入镜像 root@cby:~/cby# docker load -i registry.tar # 启动 Docker 仓库 root@cby:~# docker run -d --restart=always --name registry -v "$(pwd)"/certs:/certs -v /mnt/registry:/var/lib/registry -e REGISTRY_HTTP_ADDR=0.0.0.0:443 -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key -p 443:443 registry:2 #配置仓库 #在 /etc/hosts 中添加一个条目 root@cby:~# vim /etc/hosts root@cby:~# cat /etc/hosts 3.7.191.234 dockerhub.kubekey.local #配置免证书 root@cby:~# mkdir -p /etc/docker/certs.d/dockerhub.kubekey.local root@cby:~# cp certs/domain.crt /etc/docker/certs.d/dockerhub.kubekey.local/ca.crt root@cby:~# #配置免验证 root@cby:~# cat /etc/docker/daemon.json { "insecure-registries":["https://dockerhub.kubekey.local"] } #重载配置,并重启 root@cby:~# systemctl daemon-reload root@cby:~# systemctl restart docker 部署 KubeSphere 和 kubernetes注意添加字段“privateRegistry”#添加执行权限 root@cby:~# root@cby:~# chmod +x kk root@cby:~# chmod +x offline-installation-tool.sh #推送镜像到私有仓库 root@cby:~# ./offline-installation-tool.sh -l images-list.txt -d ./kubesphere-images -r dockerhub.kubekey.local root@cby:~# apt install conntrack root@cby:~# ./kk create config --with-kubernetes v1.21.5 --with-kubesphere v3.2.1 -f config-sample.yaml root@cby:~# root@cby:~# vim config-sample.yaml root@cby:~# cat config-sample.yaml apiVersion: kubekey.kubesphere.io/v1alpha1 kind: Cluster metadata: name: sample spec: hosts: - {name: master, address: 3.7.191.234, internalAddress: 3.7.191.234, user: root, password: Cby23..} - {name: node1, address: 3.7.191.235, internalAddress: 3.7.191.235, user: root, password: Cby23..} - {name: node2, address: 3.7.191.238, internalAddress: 3.7.191.238, user: root, password: Cby23..} roleGroups: etcd: - master master: - node1 worker: - node1 - node2 controlPlaneEndpoint: ##Internal loadbalancer for apiservers #internalLoadbalancer: haproxy domain: lb.kubesphere.local address: "" port: 6443 kubernetes: version: v1.21.5 clusterName: cluster.local network: plugin: calico kubePodsCIDR: 10.233.64.0/18 kubeServiceCIDR: 10.233.0.0/18 registry: registryMirrors: [] insecureRegistries: [] privateRegistry: dockerhub.kubekey.local addons: [] --- apiVersion: installer.kubesphere.io/v1alpha1 kind: ClusterConfiguration metadata: name: ks-installer namespace: kubesphere-system labels: version: v3.2.1 spec: persistence: storageClass: "" authentication: jwtSecret: "" local_registry: "" # dev_tag: "" etcd: monitoring: false endpointIps: localhost port: 2379 tlsEnable: true common: core: console: enableMultiLogin: true port: 30880 type: NodePort # apiserver: # resources: {} # controllerManager: # resources: {} redis: enabled: false volumeSize: 2Gi openldap: enabled: false volumeSize: 2Gi minio: volumeSize: 20Gi monitoring: # type: external endpoint: http://prometheus-operated.kubesphere-monitoring-system.svc:9090 GPUMonitoring: enabled: false gpu: kinds: - resourceName: "nvidia.com/gpu" resourceType: "GPU" default: true es: # master: # volumeSize: 4Gi # replicas: 1 # resources: {} # data: # volumeSize: 20Gi # replicas: 1 # resources: {} logMaxAge: 7 elkPrefix: logstash basicAuth: enabled: false username: "" password: "" externalElasticsearchHost: "" externalElasticsearchPort: "" alerting: enabled: false # thanosruler: # replicas: 1 # resources: {} auditing: enabled: false # operator: # resources: {} # webhook: # resources: {} devops: enabled: false jenkinsMemoryLim: 2Gi jenkinsMemoryReq: 1500Mi jenkinsVolumeSize: 8Gi jenkinsJavaOpts_Xms: 512m jenkinsJavaOpts_Xmx: 512m jenkinsJavaOpts_MaxRAM: 2g events: enabled: false # operator: # resources: {} # exporter: # resources: {} # ruler: # enabled: true # replicas: 2 # resources: {} logging: enabled: false containerruntime: docker logsidecar: enabled: true replicas: 2 # resources: {} metrics_server: enabled: false monitoring: storageClass: "" # kube_rbac_proxy: # resources: {} # kube_state_metrics: # resources: {} # prometheus: # replicas: 1 # volumeSize: 20Gi # resources: {} # operator: # resources: {} # adapter: # resources: {} # node_exporter: # resources: {} # alertmanager: # replicas: 1 # resources: {} # notification_manager: # resources: {} # operator: # resources: {} # proxy: # resources: {} gpu: nvidia_dcgm_exporter: enabled: false # resources: {} multicluster: clusterRole: none network: networkpolicy: enabled: false ippool: type: none topology: type: none openpitrix: store: enabled: false servicemesh: enabled: false kubeedge: enabled: false cloudCore: nodeSelector: {"node-role.kubernetes.io/worker": ""} tolerations: [] cloudhubPort: "10000" cloudhubQuicPort: "10001" cloudhubHttpsPort: "10002" cloudstreamPort: "10003" tunnelPort: "10004" cloudHub: advertiseAddress: - "" nodeLimit: "100" service: cloudhubNodePort: "30000" cloudhubQuicNodePort: "30001" cloudhubHttpsNodePort: "30002" cloudstreamNodePort: "30003" tunnelNodePort: "30004" edgeWatcher: nodeSelector: {"node-role.kubernetes.io/worker": ""} tolerations: [] edgeWatcherAgent: nodeSelector: {"node-role.kubernetes.io/worker": ""} tolerations: [] root@cby:~# root@cby:~# root@cby:~# root@cby:~# ./kk create cluster -f config-sample.yaml ----略 ##################################################### ### Welcome to KubeSphere! ### ##################################################### Console: http://3.7.191.235:30880 Account: admin Password: P@88w0rd NOTES: 1. After you log into the console, please check the monitoring status of service components in "Cluster Management". If any service is not ready, please wait patiently until all components are up and running. 2. Please change the default password after login. ##################################################### https://kubesphere.io 2022-01-12 09:42:36 ##################################################### INFO[09:42:45 UTC] Installation is complete. Please check the result using the command: kubectl logs -n kubesphere-system $(kubectl get pod -n kubesphere-system -l app=ks-install -o jsonpath='{.items[0].metadata.name}') -f root@cby:~# Linux运维交流社区Linux运维交流社区,互联网新闻以及技术交流。80篇原创内容公众号 https://www.oiox.cn/https://www.chenby.cn/https://cby-chen.github.io/https://weibo.com/u/5982474121https://blog.csdn.net/qq_33921750https://my.oschina.net/u/3981543https://www.zhihu.com/people/chen-bu-yun-2https://segmentfault.com/u/hppyvyv6/articleshttps://juejin.cn/user/3315782802482007https://space.bilibili.com/352476552/articlehttps://cloud.tencent.com/developer/column/93230https://www.jianshu.com/u/0f894314ae2chttps://www.toutiao.com/c/user/token/MS4wLjABAAAAeqOrhjsoRZSj7iBJbjLJyMwYT5D0mLOgCoo4pEmpr4A/CSDN、GitHub、知乎、开源中国、思否、掘金、简书、腾讯云、哔哩哔哩、今日头条、新浪微博、个人博客、全网可搜《小陈运维》
-
GitHub+Hexo 搭建博客网站 Hexo是一款基于Node.js的静态博客框架,依赖少易于安装使用,可以方便的生成静态网页托管在GitHub和Heroku上,是搭建博客的首选框架。配置Githubroot@hello:~/cby# git config --global user.name "cby-chen" root@hello:~/cby# git config --global user.email "cby@chenby.cn" root@hello:~/cby# ssh-keygen -t rsa -C "cby@chenby.cn" Generating public/private rsa key pair. Enter file in which to save the key (/root/.ssh/id_rsa): Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /root/.ssh/id_rsa Your public key has been saved in /root/.ssh/id_rsa.pub The key fingerprint is: SHA256:57aHSNuHDLRsy/UVOQKwrUmpKOqnkEbRuRc8jNrGVpU cby@chenby.cn The key's randomart image is: +---[RSA 3072]----+ | .o. | | . = .E +. | | . + * + .. . | | = o.oo.o . + | | o.*...oS.. . o | |.oo.. *o. . | |+. + Oo+ . | |+ . =.=.+ | | oo .o | +----[SHA256]-----+ root@hello:~/cby# cat /root/.ssh/ authorized_keys id_rsa id_rsa.pub known_hosts #需要配置到github上 #https://github.com/settings/ssh/new root@hello:~/cby# ssh git@github.com The authenticity of host 'github.com (20.205.243.166)' can't be established. ECDSA key fingerprint is SHA256:p2QAMXNIC1TJYWeIOttrVc98/R1BUFWu3/LiyKgUfQM. Are you sure you want to continue connecting (yes/no/[fingerprint])? yes Warning: Permanently added 'github.com,20.205.243.166' (ECDSA) to the list of known hosts. PTY allocation request failed on channel 0 Hi cby-chen! You've successfully authenticated, but GitHub does not provide shell access. Connection to github.com closed. root@hello:~/cby#*将id_rsa.pub文件中的内容粘贴进去安装nvm工具root@hello:~/cby# curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.1/install.sh | bash root@hello:~/cby# nvm install --lts Installing latest LTS version. Downloading and installing node v16.13.1... Downloading https://nodejs.org/dist/v16.13.1/node-v16.13.1-linux-x64.tar.xz... ############################################################################################################################################### 100.0% Computing checksum with sha256sum Checksums matched! Now using node v16.13.1 (npm v8.1.2) root@hello:~/cby# nvm use --lts Now using node v16.13.1 (npm v8.1.2) root@hello:~/cby# root@hello:~/cby# node -v v16.13.1 root@hello:~/cby#配置hexo环境,并修改主题root@hello:~/cby# npm install -g hexo-cli root@hello:~/cby# npm install hexo -g root@hello:~/cby# npm update hexo -g root@hello:~/cby# hexo init INFO Cloning hexo-starter https://github.com/hexojs/hexo-starter.git INFO Install dependencies INFO Start blogging with Hexo! #修改主题 root@hello:~/cby# rm -rf scaffolds source themes _config.landscape.yml _config.yml package.json yarn.lock root@hello:~/cby# git clone https://github.com/V-Vincen/hexo-theme-livemylife.git root@hello:~/cby# mv hexo-theme-livemylife/* ./ root@hello:~/cby# rm -rf hexo-theme-livemylife root@hello:~/cby# npm install修改配置文件root@hello:~/cby# vim _config.yml root@hello:~/cby# root@hello:~/cby# root@hello:~/cby# cat _config.yml #略 # Deployment ## Docs: https://hexo.io/docs/deployment.html ## deploy: type: git repo: https://github.com/cby-chen/cby-chen.github.io.git # or https://gitee.com/<yourAccount>/<repo> branch: master root@hello:~/cby# root@hello:~/cby# hexo clean root@hello:~/cby# hexo g root@hello:~/cby# hexo d #注意,输入密码是需要输入token,创建时需要勾选所有权限 #https://github.com/settings/tokens/newLinux运维交流社区Linux运维交流社区,互联网新闻以及技术交流。79篇原创内容公众号 https://www.oiox.cn/https://www.chenby.cn/https://cby-chen.github.io/https://weibo.com/u/5982474121https://blog.csdn.net/qq_33921750https://my.oschina.net/u/3981543https://www.zhihu.com/people/chen-bu-yun-2https://segmentfault.com/u/hppyvyv6/articleshttps://juejin.cn/user/3315782802482007https://space.bilibili.com/352476552/articlehttps://cloud.tencent.com/developer/column/93230https://www.jianshu.com/u/0f894314ae2chttps://www.toutiao.com/c/user/token/MS4wLjABAAAAeqOrhjsoRZSj7iBJbjLJyMwYT5D0mLOgCoo4pEmpr4A/CSDN、GitHub、知乎、开源中国、思否、掘金、简书、腾讯云、哔哩哔哩、今日头条、新浪微博、个人博客、全网可搜《小陈运维》