Web01的操作
1安装nginx的eplo源
[root@web01 ~]# cat /etc/yum.repos.d/nginx.repo
[nginx]
name=nginx repo
baseurl=http://nginx.org/packages/centos/7/$basearch/
gpgcheck=0
enabled=1
2、yum install nginx -y
3、创建www用户组
[root@web01 ~]# groupadd -g 666 www
[root@web01 ~]# useradd -u666 -g 666 www
4、安装php的eplo源
yum localinstall -y http://mirror.webtatic.com/yum/el7/webtatic-release.rpm
5、安装php插件
[root@nginx ~]# yum -y install php71w php71w-cli php71w-common php71w-devel \
php71w-embedded php71w-gd php71w-mcrypt php71w-mbstring php71w-pdo php71w-xml php71w-fpm \
php71w-mysqlnd php71w-opcache php71w-pecl-memcached php71w-pecl-redis php71w-pecl-mongodb
6、修改Nginx和php的用户组
[root@web01 ~]# sed -i '/^user/c user www;' /etc/nginx/nginx.conf
[root@web01 ~]# sed -i '/^user/c user = www' /etc/php-fpm.d/www.conf
[root@web01 ~]# sed -i '/^group/c group = www' /etc/php-fpm.d/www.conf
7、启动nginx和php-fpm服务
[root@web02 ~]# systemctl restart nginx php-fpm.service
[root@web02 ~]# systemctl enable nginx php-fpm.service
8、修改配置文件名
[root@web02 ~]# cd /etc/nginx/conf.d/
[root@web02 conf.d]# mv default.conf default.off
9、编写conf配置文件
1)编写wordpress配置文件
[root@web02 conf.d]# cat blog.oldboyedu.conf
server {
server_name blog.oldboyedu.com;
listen 80;
root /code/wordpress;
index index.php index.html;
location ~ \.php$ {
root /code/wordpress;
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
}
[root@web01 conf.d]# cat zh.oldboyedu.conf
server {
server_name zh.oldboyedu.com;
listen 80;
root /code/zh;
index index.php index.html;
location ~ \.php$ {
root /code/zh;
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
}
2)创建目录
[root@web02 conf.d]# mkdir /code
3)上传代码解压
wordpress
wecenter
4)授权
[root@web02 /]# chown -R www.www /code/
5)检查语法
[root@web02 conf.d]# nginx -t
6) 重载服务
[root@web02 conf.d]# systemctl restart nginx
[root@web02 conf.d]# systemctl reload nginx
10、域名解析
hosts 10.0.0.8 zh.oldboyedu.com blog.oldboyedu.com
11、安装数据库
1.下载MySQL官方扩展源
[root@nginx ~]# rpm -ivh http://repo.mysql.com/yum/mysql-5.7-community/el/7/x86_64/mysql57-community-release-el7-10.noarch.rpm
2.安装mysql5.7, 文件过大可能会导致下载缓慢
[root@nginx ~]# yum install mysql-community-server -y
#3.启动数据库, 并加入开机自启动
[root@nginx ~]# systemctl start mysqld
[root@nginx ~]# systemctl enable mysqld
#4.由于mysql5.7默认配置了默认密码, 需要过滤temporary password关键字查看对应登陆数据库密码
[root@nginx ~]# grep "temporary password" /var/log/mysqld.log
#5.登陆mysql数据库[password中填写上一步过滤的密码]
[root@web02 ~]# mysql -uroot -p$(awk '/temporary password/{print $NF}' /var/log/mysqld.log)
#6.重新修改数据库密码
mysql> ALTER USER 'root'@'localhost' IDENTIFIED BY 'Bgx123.com';
#7.创建数据库
mysql> create database wordpress;
mysql> create database zh;
mysql> create database jrepss;
mysql> grant all privileges on *.* to 'all'@'%' identified by 'Bgx123.com';
mysql> flush privileges;
12、修改zh的上传文件的大小。
post_max_size = 300M
upload_max_filesize = 300M
memory_limit = 300M
13、登录界面,且迅速安装第二台机器。
web02快速扩展一台
1)创建www用户
[root@web02 ~]# groupadd -g 666 www
[root@web02 ~]# useradd -u666 -g666 www
2)安装nginx与php
[root@web02 ~]# scp root@172.16.1.7:/etc/yum.repos.d/* /etc/yum.repos.d/
3)安装php
[root@web02 ~]# yum -y install php71w php71w-cli php71w-common php71w-devel php71w-embedded php71w-gd php71w-mcrypt php71w-mbstring php71w-pdo php71w-xml php71w-fpm php71w-mysqlnd php71w-opcache php71w-pecl-memcached php71w-pecl-redis php71w-pecl-mongodb nginx
4)修改Nginx和php的用户组
[root@web01 ~]# sed -i '/^user/c user www;' /etc/nginx/nginx.conf
[root@web01 ~]# sed -i '/^user/c user = www' /etc/php-fpm.d/www.conf
[root@web01 ~]# sed -i '/^group/c group = www' /etc/php-fpm.d/www.conf
Web03操作
1、安装Jpress
1、安装JAVA软件
[root@web03 ~]# yum install java -y
2、创建目录
[root@web03 ~]mkdir /code
3、下载软件包
[root@web03 code]# wget http://mirrors.shu.edu.cn/apache/tomcat/tomcat-9/v9.0.12/bin/apache-tomcat-9.0.12.tar.gz
4、解包
[root@web03 code]#tar xf apache-tomcat-9.0.12.tar.gz
[root@web03 code]# ln -s /code/apache-tomcat-9.0.12 /code/tomcat
2、下载jpress
[root@web03 ~]# cd /code/tomcat/webapps
[root@web03 ~]# rz 上传jpress的war
启动Tomcat服务
[root@web03 ~]# /code/tomcat/bin/startup.sh
3、浏览器访问
10.0.0.9:8080
4、创建www用户和组
[root@web03 ~]# groupadd -g 666 www
[root@web03 ~]# useradd -g 666 -u666 www
5、下载nginx做tomcat反向代理
[root@web03 ~]#scp root@172.16.1.7:/etc/yum.repos.d/* /etc/yum.repos.d/
[root@web03 ~]# yum install nginx -y
[root@web03 ~]systemctl restart nginx
[root@web03 ~]systemctl enable nginx
[root@web03 ~]# sed -i '/^user/c user www;' /etc/nginx/nginx.conf
6、编写代理conf文件
[root@web03 ~]# vim /etc/nginx/conf.d/jpress.oldboyedu.conf
server{
listen 80;
server_name jpress.oldboyedu.com;
location / {
proxy_pass http://127.0.0.1:8080;
index index.jsp;
}
}
nfs31共享存储(图片和视频主要)
1、下载nfs应用软件
[root@nfs ~]# yum -y install nfs-utils
[root@nfs ~]# systemctl restart nfs
[root@nfs ~]# systemctl enable nfs
2、创建www用户和组
[root@nfs ~]# groupadd -g 666 www
[root@nfs ~]# useradd -g 666 -u666 www
3、编写共享配置
[root@nfs ~]# cat /etc/exports
/data/blog 172.16.1.0/24(rw,sync,all_squash,anonuid=666,anongid=666)
/data/zh 172.16.1.0/24(rw,sync,all_squash,anonuid=666,anongid=666)
/data/jpress 172.16.1.0/24(rw,sync,all_squash,anonuid=666,anongid=666)
4、创建挂载目录并授权
[root@nfs ~]# mkdir /data/{blog,zh,jpress} -p
[root@nfs ~]# chown -R www.www /data
[root@nfs ~]# systemctl enable nfs-server
[root@nfs ~]# systemctl start nfs-server
5、挂载web1.web2.web3
《jpress》
[root@web03 ~]# cd /code/tomcat/webapps/ROOT/
[root@web03 ROOT]# ls
[root@web03 ROOT]# mv attachment/ attachment_bak
[root@web03 ROOT]# mkdir attachment
[root@web03 ROOT]# mount -t nfs 172.16.1.31:/data/jpress /code/tomcat/webapps/ROOT/attachment
[root@web03 ROOT]# cp -rp attachment_bak/* attachment
[root@web03 ROOT]# cat /etc/fstab
172.16.1.31:/data/jpress /code/apache-tomcat-9.0.12/webapps/ROOT/attachment nfs defaults 0 0
《web01》wordpress
[root@web02 wp-content]# mv uploads/ uploads_bak
[root@web02 wp-content]# mkdir uploads
[root@web02 wp-content]# mount -t nfs 172.16.1.31:/data/blog /code/wordpress/wp-content/uploads
[root@web02 wp-content]# cp -rp uploads_bak/* uploads/
《web01》wecenter
[root@web01 uploads]# mv article article_bak
[root@web02 uploads]# mkdir article
[root@web02 uploads]# mount -t nfs 172.16.1.31:/data/zh /code/zh/uploads/article
[root@web02 uploads]#cp -rp article_bak/* article
开机自启动
[root@web02 zh]# cat /etc/fstab
172.16.1.31:/data/blog /code/wordpress/wp-content/uploads nfs defaults 0 0
172.16.1.31:/data/zh /code/zh/uploads/article nfs defaults 0 0
Sersync实时同步
实时同步
1.安装inotify-tools rsync
[root@nfs ~]# yum install inotify-tools rsync -y
下载sersync软件包解压及重命名
wget https://raw.githubusercontent.com/wsgzao/sersync/master/sersync2.5.4_64bit_binary_stable_final.tar.gz
[root@nfs ~]# tar xf sersync2.5.4_64bit_binary_stable_final.tar.gz
[root@nfs ~]# mv GNU-Linux-x86/ /usr/local/sersync
配置文件
[root@nfs ~]# ==vim /usr/local/sersync/confxml.xml==
``` xml
5 <fileSystem xfs="true"/> <!-- 文件系统 -->
6 <filter start="false"> <!-- 排除不想同步的文件-->
7 <exclude expression="(.*)\.svn"></exclude>
8 <exclude expression="(.*)\.gz"></exclude>
9 <exclude expression="^info/*"></exclude>
10 <exclude expression="^static/*"></exclude>
11 </filter>
12 <inotify> <!-- 监控的事件类型 -->
13 <delete start="true"/>
14 <createFolder start="true"/>
15 <createFile start="true"/>
16 <closeWrite start="true"/>
17 <moveFrom start="true"/>
18 <moveTo start="true"/>
19 <attrib start="false"/>
20 <modify start="false"/>
21 </inotify>
23 <sersync>
24 <localpath watch="/data"> <!-- 监控的目录 -->
25 <remote ip="172.16.1.41" name="data"/> <!-- backup的IP以及模块 -->
28 </localpath>
29 <rsync> <!-- rsync的选项 -->
30 <commonParams params="-az"/>
31 <auth start="true" users="rsync_backup" passwordfile="/etc/rsync.pass"/>
32 <userDefinedPort start="false" port="874"/><!-- port=874 -->
33 <timeout start="true" time="100"/><!-- timeout=100 -->
34 <ssh start="false"/>
35 </rsync>
<!-- 每60分钟执行一次同步-->
36 <failLog path="/tmp/rsync_fail_log.sh" timeToExecute="60"/><!--default every 60mins execute once-->
```
### .创建密码文件
[root@nfs01 sersync]# echo "123" > /etc/rsync.pass
[root@nfs ~]# chmod 600 /etc/rsync.pass
### 启动sersync
[root@nfs ~]# /usr/local/sersync/sersync2 -h
set the system param
execute:echo 50000000 > /proc/sys/fs/inotify/max_user_watches
execute:echo 327679 > /proc/sys/fs/inotify/max_queued_events
parse the command param______________________________________________________
参数-d:启用守护进程模式
参数-r:在监控前,将监控目录与远程主机用rsync命令推送一遍
参数-n: 指定开启守护线程的数量,默认为10个
参数-o:指定配置文件,默认使用confxml.xml文件
参数-m:单独启用其他模块,使用 -m refreshCDN 开启刷新CDN模块
参数-m:单独启用其他模块,使用 -m socket 开启socket模块
参数-m:单独启用其他模块,使用 -m http 开启http模块
不加-m参数,则默认执行同步程序__________________________________________
[root@nfs ~]# /usr/local/sersync/sersync2 -dro /usr/local/sersync/confxml.xml
####**注意:如果发生错误,请手动执行命令检查推送是否正常**
[root@nfs ~]# cd /data && rsync -avz -R --delete ./ --timeout=100 rsync_backup@172.16.1.41::data --password-file=/etc/rsync.pass
/usr/local/sersync/sersync2 -dro /usr/local/sersync/confxml.xml
**如果nfs现在down机了,希望将web客户端挂载至backup服务器上?怎么实现?**
### 1.nfs和backup两台服务器应该保持一样(nfs配置。nfs共享的目录。nfs的权限)
[root@backup ~]# yum install nfs-utils -y
[root@backup ~]# rsync -avz root@172.16.1.31:/etc/exports /etc/
[root@backup ~]# groupadd -g 666 www
[root@backup ~]# useradd -u666 -g666 www
### 2.启动nfs
[root@backup ~]# systemctl start rpcbind
[root@backup ~]# systemctl start nfs-server
### 3.修改rsync的权限vim /etc/rsyncd.conf
uid = www
gid = www
### 4.修改授权
[root@backup ~]# chown -R www.www /data/ /backup/
### 5.重启rsync
[root@backup ~]# systemctl restart rsyncd
### 6.模拟nfs故障(挂起虚拟机)
### 7.web强制卸载172.16.1.31:/data
[root@web01 ~]# umount -lf /data
### 8.web尝试挂载172.16.1.41:/data
[root@web01 ~]# mount -t nfs 172.16.1.41:/data /data/
# lb01负载均衡proxy代理
## 1、安装Nginx服务
[root@lb01 ~]# scp -rp root@172.16.1.7:/etc/yum.repos.d/nginx.repo /etc/yum.repos.d/
[root@lb01 ~]# yum install nginx -y
## 2、编写代理conf脚本
[root@lb01 ~]# cat /etc/nginx/conf.d/blog_proxy.conf
upstream blog {
server 172.16.1.7:80;
server 172.16.1.8:80;
}
server {
server_name blog.oldboy.com;
listen 80;
location / {
proxy_pass http://blog;
include proxy_params;
}
}
[root@lb01 ~]# cat /etc/nginx/conf.d/zh_proxy.conf
upstream zh {
server 172.16.1.7:80;
server 172.16.1.8:80;
}
server {
server_name zh.oldboy.com;
listen 80;
location / {
proxy_pass http://zh;
include proxy_params;
}
}
[root@lb01 ~]# cat /etc/nginx/conf.d/jpress_proxy.conf
upstream java {
server 172.16.1.9:8080;
}
server {
listen 80;
server_name jpress.oldboy.com;
location / {
proxy_pass http://java;
include proxy_params;
}
}
3、设置共有优化配置文件
[root@lb01 ~]# cat /etc/nginx/proxy_params
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_connect_timeout 30;
proxy_send_timeout 60;
proxy_read_timeout 60;
proxy_buffering on;
proxy_buffer_size 32k;
proxy_buffers 4 128k;
[root@lb01 ~]# systemctl enable nginx
[root@lb01 ~]# systemctl start nginx
4、设置ssl证书https
//生成证书(仅生成一次即可, 其他机器拷贝)
[root@web01 ~]# mkdir /etc/nginx/ssl_key -p
[root@web01 ~]# cd /etc/nginx/ssl_key
[root@web01 ~]# openssl genrsa -idea -out server.key 2048
[root@web01 ~]# openssl req -days 36500 -x509 -sha256 -nodes -newkey rsa:2048 -keyout server.key -out server.crt
#配置第二台web节点
[root@web01 ~]# scp -rp /etc/nginx/ssl_key/ root@172.16.1.8:/etc/nginx/
[root@web01 ~]# scp -rp /etc/nginx/ssl_key/ root@172.16.1.9:/etc/nginx/
5、配置nginx的负载均衡支持https
[root@lb01 conf.d]# cat blog_proxy.conf
upstream blog {
server 172.16.1.7:80;
server 172.16.1.8:80;
}
server {
server_name blog.oldboy.com;
listen 80;
return 302 https://$server_name$request_uri;
}
server {
server_name blog.oldboy.com;
listen 443;
ssl on;
ssl_certificate ssl_key/server.crt;
ssl_certificate_key ssl_key/server.key;
location / {
proxy_pass http://blog;
include proxy_params;
}
}
[root@lb01 ~]# cat /etc/nginx/conf.d/zh_proxy.conf
upstream zh {
server 172.16.1.7:80;
server 172.16.1.8:80;
}
server {
server_name zh.oldboyedu.com;
listen 80;
return 302 https://$server_name$request_uri;
}
server {
server_name zh.oldboyedu.com;
listen 443;
ssl on;
ssl_certificate ssl_key/server.crt;
ssl_certificate_key ssl_key/server.key;
location / {
proxy_pass http://zh;
include proxy_params;
}
}
[root@lb01 ~]# cat /etc/nginx/conf.d/jpress_proxy.conf
upstream java {
server 172.16.1.9:8080;
}
server {
server_name jpress.oldboyedu.com;
listen 80;
return 302 https://$server_name$request_uri;
}
server {
server_name jpress.oldboyedu.com;
listen 443;
ssl on;
ssl_certificate ssl_key/server.crt;
ssl_certificate_key ssl_key/server.key;
location / {
proxy_pass http://java;
include proxy_params;
}
}
6、检查语法重启服务
[root@lb01 conf.d]# nginx -t
[root@lb01 conf.d]# systemctl restart nginx
7、登录https,点击小盾牌。
lb01和lb02做高可用keepalive
1、下载keepalived
[root@lb01 ~]# yum install keepalived -y
2、编写配置文件
[root@lb01 ~]# cat /etc/keepalived/keepalived.conf
global_defs {
router_id lb01
}
vrrp_instance VI_1 {
state MASTER
interface eth0
virtual_router_id 50
priority 150
advert_int 1
authentication {
auth_type PASS
auth_pass 1111
}
virtual_ipaddress {
10.0.0.3/24 dev eth0
}
}
[root@lb02 ~]# cat /etc/keepalived/keepalived.conf
global_defs {
router_id lb02
}
vrrp_instance VI_1 {
state BACKUP
interface eth0
virtual_router_id 50
priority 100
advert_int 1
authentication {
auth_type PASS
auth_pass 1111
}
virtual_ipaddress {
10.0.0.3/24 dev eth0
}
}
3、重启服务
[root@lb01 ~]# systemctl enable keepalived
[root@lb01 ~]# systemctl start keepalived
[root@lb02 ~]# systemctl enable keepalived
[root@lb02 ~]# systemctl start keepalived
4、检查keepalived的虚拟IP地址是否漂移
1)在lb01上进行如下操作
# lb01存在vip地址
[root@lb01 ~]# ip addr |grep 10.0.0.3
inet 10.0.0.3/24 scope global secondary eth0
# 停止lb01上的keepalived, 检测vip已不存在
[root@lb01 ~]# systemctl stop keepalived
[root@lb01 ~]# ip addr |grep 10.0.0.3
2)在lb02上进行如下操作
[root@lb02 ~]# ip addr|grep 10.0.0.3
inet 10.0.0.3/24 scope global secondary eth0
lb01重新启动keepalived,发现地址被重新接管
[root@lb01 ~]# systemctl start keepalived
[root@lb01 ~]# ip addr |grep 10.0.0.3
inet 10.0.0.3/24 scope global secondary eth0
lb0和lb02做Nginx缓存
1.修改web端配置文件
[root@web01 ~]# vim /etc/nginx/nginx.conf
proxy_cache_path /soft/cache levels=1:2 keys_zone=code_cache:10m max_size=10g inactive=60m use_temp_path=off;
2.负载端
proxy_cache code_cache;
proxy_cache_valid 200 304 12h;
proxy_cache_valid any 10m;
add_header Nginx-Cache "$upstream_cache_status";
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
相关参数解释:
#proxy_cache 开启缓存
#proxy_cache_valid 状态码200|304的过期为12h, 其余状态码10分钟过期
#proxy_cache_key 缓存key
#add_header 增加头信息, 观察客户端response是否命中
#proxy_next_upstream 出现502-504或错误, 会跳过此台服务器访问下台
备份脚本
[root@lb01-05 ~]# mkdir /server/scripts -p
[root@lb01-05 ~]# vim /server/scripts/backup_client.sh
[root@lb01-05 ~]# cat /server/scripts/backup_client.sh
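#!/bin/bash
# backup_client.sh
# Bundle this node's config (/etc/nginx, /etc/zabbix, keepalived.conf) and
# /var/log into a dated directory under /backup, write an md5 manifest of the
# archives next to it, push the whole of /backup to the rsync daemon on the
# backup server, then prune local backup files older than 7 days.
# Runs as root from cron; takes no arguments. Exit status is rsync's exit
# status (0 when the push succeeded); tar problems are only reported on stderr.
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin
set -u          # an unset variable here is a bug, not an empty path component
set -o pipefail

#1. variables: host, backup-network address and date make the directory name
Hostname=$(hostname)
# Assumes the second line of `ifconfig eth1` is the "inet <addr> ..." line
# (net-tools output) — verify on the host; an empty Addr only warns.
Addr=$(ifconfig eth1 | awk 'NR==2{print $2}')
Date=$(date +%F)
Path=/backup
Dest=${Hostname}_${Addr}_${Date}
[ -n "$Addr" ] || printf 'warn: could not read the eth1 address, using "%s"\n' "$Dest" >&2

#2. create the backup directory
[ -d "$Path/$Dest" ] || mkdir -p "$Path/$Dest"

#3. archive the files
# tar exits non-zero when a listed path is missing but still writes the rest,
# so keep going (best effort, as before) and just say what happened.
tar zcf "$Path/$Dest/system.tar.gz" /etc/nginx /etc/zabbix /etc/keepalived/keepalived.conf \
  || printf 'warn: system.tar.gz may be incomplete (tar exit %s)\n' "$?" >&2
tar zcf "$Path/$Dest/log.tar.gz" /var/log \
  || printf 'warn: log.tar.gz may be incomplete (tar exit %s)\n' "$?" >&2

#4. checksum manifest
# Absolute paths are recorded on purpose: backup_check.sh on the backup
# server runs `md5sum -c` on mcheck_* against the same /backup layout.
md5sum "$Path/$Dest"/*.tar.gz > "$Path/mcheck_$Dest"

#5. push to the backup server
# NOTE(review): the daemon password sits in this file and in the environment
# of the rsync process; a root-only (chmod 600) --password-file is the safer
# form. The rsyncd.conf secrets file in these notes holds "rsync_backup:123" —
# confirm the value below matches before relying on this job.
export RSYNC_PASSWORD=1
rv=0
rsync -avz "$Path/" rsync_backup@172.16.1.41::backup || rv=$?

#6. drop local files older than 7 days
# -print0/-0 survive odd file names; -r skips rm when nothing is old enough.
find "$Path/" -type f -mtime +7 -print0 | xargs -0 -r rm -f --
exit "$rv"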
Rsync备份(backup41)
1安装rsync
[root@backup ~]# yum install rsync -y
2、配置备份rsync
[root@backup ~]# cat /etc/rsyncd.conf
uid = www
gid = www
port = 873
fake super = yes
use chroot = no
max connections = 200
timeout = 600
ignore errors
read only = false
list = false
auth users = rsync_backup
secrets file = /etc/rsync.passwd
log file = /var/log/rsyncd.log
#####################################
[backup]
comment = welcome to oldboyedu backup!
path = /backup
# (removed: stray token that is not an rsyncd.conf parameter)
[data]
comment = welcome to oldboyedu data!
path = /data
3、创建目录,www用户和组
[root@backup ~]#mkdir /{backup,data} -p
[root@backup ~]# groupadd -g666 www
[root@backup ~]# useradd -u666 -g666 www
[root@backup ~]# chown -R www.www /{backup,data}
4、准备密码文件
[root@backup ~]# echo 'rsync_backup:123' > /etc/rsync.passwd
[root@backup ~]# chmod 600 /etc/rsync.passwd
5、启动服务并加入开机自启动
[root@backup ~]# systemctl enable rsyncd
[root@backup ~]# systemctl start rsyncd
6、创建目录,编写脚本
[root@lb01 scripts]# mkdir /server/scripts -p
[root@lb01 ~]# cat /server/scripts/client_rsync_backup.sh
客户端
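#!/usr/bin/bash
# client_rsync_backup.sh
# Back up /etc/fstab, /etc/rsyncd.conf and the messages/secure logs of this
# node into a dated directory under /backup, record an md5 manifest ("flag")
# of the archives, push /backup to the rsync daemon on the backup server and
# drop local backup directories older than 7 days.
# Runs as root from cron; takes no arguments. Exit status is rsync's exit
# status. The shebang has to be the first line of the file to take effect.
set -u
set -o pipefail

#1. variables
Host=$(hostname)
# Assumes line 2 of `ifconfig eth1` is the "inet <addr> ..." line — verify on
# the host.
Addr=$(ifconfig eth1 | awk 'NR==2{print $2}')
Date=$(date +%F)
Dest=${Host}_${Addr}_${Date}
Path=/backup

#2. create the backup directory
[ -d "$Path/$Dest" ] || mkdir -p "$Path/$Dest"

#3. archive the files
# Archive from / so the members are stored relative (etc/fstab, var/log/...).
# Each archive is created only once per day; explicit if-blocks replace the
# `a && b || c && d || e` chain, whose left-to-right grouping tied each step
# to the outcome of the previous test rather than to the cd.
cd / || { printf 'error: cannot cd to /\n' >&2; exit 1; }
if [ ! -f "$Path/$Dest/system.tar.gz" ]; then
  tar czf "$Path/$Dest/system.tar.gz" etc/fstab etc/rsyncd.conf \
    || printf 'warn: system.tar.gz may be incomplete (tar exit %s)\n' "$?" >&2
fi
if [ ! -f "$Path/$Dest/log.tar.gz" ]; then
  tar czf "$Path/$Dest/log.tar.gz" var/log/messages var/log/secure \
    || printf 'warn: log.tar.gz may be incomplete (tar exit %s)\n' "$?" >&2
fi

#4. md5 manifest shipped with the archives
# NOTE(review): backup_check.sh on the server only looks for files named
# mcheck_*_<date> under /backup; this manifest is named "flag" inside the
# dated directory, so that job will not pick it up.
[ -f "$Path/$Dest/flag" ] || md5sum "$Path/$Dest"/*.tar.gz > "$Path/$Dest/flag"

#4. push local data to the backup server
# NOTE(review): password in the script and in the process environment; a
# root-only (chmod 600) --password-file is the safer form.
export RSYNC_PASSWORD=123
rv=0
rsync -avz "$Path/" rsync_backup@172.16.1.41::backup || rv=$?

#5. keep only the last 7 days locally
# -mindepth 1 is the important fix: without it `find /backup/ -type d -mtime +7`
# matches /backup itself once its mtime is old enough, and `rm -rf` then
# removes every backup including today's.
find "$Path/" -mindepth 1 -type d -mtime +7 -print0 | xargs -0 -r rm -rf --
exit "$rv"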
7、测试脚本
[root@lb01 ~]# chmod +x /server/scripts/client_rsync_backup.sh
[root@lb01 ~]# sh /server/scripts/client_rsync_backup.sh
8、编写定时任务
[root@backup ~]# echo '00 00 * * * sh /server/scripts/client_rsync_backup.sh >&/dev/null' >> /var/spool/cron/root
服务端脚本
[root@backup-41 ~]# mkdir /server/scripts -p
[root@backup-41 ~]# vim /server/scripts/backup_check.sh
[root@backup-41 ~]# cat /server/scripts/backup_check.sh
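#!/bin/bash
# backup_check.sh (backup server)
# Verify today's client manifests — the mcheck_<host>_<addr>_<date> files that
# backup_client.sh pushes to the top of /backup — with `md5sum -c`, mail the
# outcome, and prune anything under /backup older than 180 days.
# Runs as root from cron; takes no arguments.
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin
set -u
set -o pipefail

#1. variables
Path=/backup
Date=$(date +%F)
Result=$Path/result_$Date

#2. verify the manifests
# Manifests hold absolute /backup/... paths, so no cd is needed. stderr is
# captured as well so "open or read" failures reach the mail; -r stops md5sum
# from reading stdin when no manifest arrived, and that case is written out
# explicitly instead of mailing an empty file.
: > "$Result"
find "$Path/" -type f -name "mcheck_*_$Date" -print0 \
  | xargs -0 -r md5sum -c >> "$Result" 2>&1
[ -s "$Result" ] || printf 'no mcheck_*_%s manifest found under %s\n' "$Date" "$Path" > "$Result"

#3. mail the result
mail -s "Rsync_check_backup $Date" 1655582530@qq.com < "$Result"

#4. remove files older than 180 days
find "$Path/" -type f -mtime +180 -print0 | xargs -0 -r rm -f --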
[root@backup-41 ~]# crontab -l
00 05 * * * /bin/bash /server/scripts/backup_check.sh &>/dev/null
zabbix监控
1、配置zabbix仓库
[root@zabbix-server ~]# rpm -ivh https://mirrors.tuna.tsinghua.edu.cn/zabbix/zabbix/3.4/rhel/7/x86_64/zabbix-release-3.4-2.el7.noarch.rpm
2.安装Zabbix程序包,以及MySQL、Zabbix-agent
注:zabbix-agent可以不安装
[root@zabbix-server ~]# yum install -y zabbix-server-mysql zabbix-web-mysql zabbix-agent mariadb-server
3、创建Zabbix数据库以及用户
[root@zabbix-server ~]# mysql -uroot -p
MariaDB [(none)]> create database zabbix character set utf8 collate utf8_bin;
MariaDB [(none)]> grant all privileges on zabbix.* to zabbix@localhost identified by 'zabbix';
4.导入Zabbix数据至数据库中
[root@zabbix-server ~]# cd /usr/share/doc/zabbix-server-mysql-3.4.12/
[root@linux-node1 zabbix-server-mysql-3.4.12]# zcat create.sql.gz |mysql -uroot zabbix
5.编辑/etc/zabbix/zabbix_server.conf文件,修改数据库配置
[root@zabbix-server ~]# grep ^[a-Z] /etc/zabbix/zabbix_server.conf
....
DBHost=localhost
DBName=zabbix
DBUser=zabbix
DBPassword=zabbix
....
6.启动Zabbix服务进程,并加入开机自启
[root@zabbix-server ~]# systemctl start zabbix-server
[root@zabbix-server ~]# systemctl enable zabbix-server
7.配置Apache的配置文件/etc/httpd/conf.d/zabbix.conf,修改时区。
[root@zabbix-server ~]# vim /etc/httpd/conf.d/zabbix.conf
php_value max_execution_time 300
php_value memory_limit 128M
php_value post_max_size 16M
php_value upload_max_filesize 2M
php_value max_input_time 300
php_value always_populate_raw_post_data -1
#取消注释,设置正确的时区
php_value date.timezone Asia/Shanghai
8.重启Apache Web服务器
[root@zabbix-server ~]# systemctl start httpd
9、登录10.0.0.71/zabbix
10、《拆分数据库》
[root@ZabbixServer ~]# ll /etc/zabbix/zabbix_server.conf
DBHost=172.16.1.51
DBName=zabbix
DBUser=zabbix
DBPassword=Bgx123.com
[root@ZabbixServer ~]# systemctl restart zabbix-server
[root@ZabbixServer ~]# ll /etc/zabbix/web/zabbix.conf.php
$DB['TYPE'] = 'MYSQL';
$DB['SERVER'] = '172.16.1.51'; ***
$DB['PORT'] = '0';
$DB['DATABASE'] = 'zabbix';
$DB['USER'] = 'zabbix';
$DB['PASSWORD'] = 'Bgx123.com'; ***
11、在新的数据库上创建zabbix库
mysql> create database zabbix character set utf8 collate utf8_bin;
mysql> grant all privileges on zabbix.* to zabbix@'%' identified by 'Bgx123.com';
12、在旧的zabbix服务器上备份数据库文件
[root@ZabbixServer ~]# mysqldump -uroot \
--databases zabbix \
--single-transaction > `date +%F%H`-zabbix.sql
以上命令(12)是一句话,一次性复制
13、将备份的数据库通过远程的方式导入新数据库中
[root@ZabbixServer ~]# cat 2018-08-2017-zabbix.sql |mysql -h 172.16.1.51 -uzabbix -pBgx123.com zabbix
数据库分离成功
Zabbix监控
[root@zabbix zabbix_agentd.d]# cat free.conf 监控内存
UserParameter=Men_Num,free -m |awk '/^Mem/{print $NF/$2*100}'
UserParameter=Swap_Num,free -m|awk '/^Swap/{print $3/$2*100}'
[root@zabbix zabbix_agentd.d]# cat io.conf
UserParameter=tps,iostat | awk '/^sda/{print $2}'
[root@zabbix zabbix_agentd.d]# cat tcp.conf
UserParameter=tcp[*],ss -an|awk '{print $2}'|grep -i "$1"|wc -l
《监控服务Nginx、PHP、nfs、Rsync、mysql、redis》
创建模版
[root@zabbix-server-71 zabbix_agentd.d]# awk '!/^#/' userparameter_mysql.conf
UserParameter=mysql.status[*],echo "show global status where Variable_name='$1';" | HOME=/var/lib/zabbix mysql -N | awk '{print $$2}'
UserParameter=mysql.size[*],bash -c 'echo "select sum($(case "$3" in both|"") echo "data_length+index_length";; data|index) echo "$3_length";; free) echo "data_free";; esac)) from information_schema.tables$([[ "$1" = "all" || ! "$1" ]] || echo " where table_schema=\"$1\"")$([[ "$2" = "all" || ! "$2" ]] || echo "and table_name=\"$2\"");" | HOME=/var/lib/zabbix mysql -N'
UserParameter=mysql.ping,HOME=/var/lib/zabbix mysqladmin ping | grep -c alive
UserParameter=mysql.version,mysql -V
1.TCP
[root@zabbix-server-71 zabbix_agentd.d]# vim tcp_status.conf
UserParameter=tcp[*],ss -an |awk '{print $2}'|grep -i "$1" |wc -l
2.Nginx
[root@web01-07 conf.d]# vim state.conf
[root@web01-07 conf.d]# cat state.conf
server {
listen 80;
server_name _;
allow 127.0.0.1;
deny all;
location /nginx_status {
stub_status;
access_log off;
}
location ~/phpfpm_status {
fastcgi_pass 127.0.0.1:9000;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
}
}
[root@web01-07 conf.d]# systemctl restart nginx
[root@zabbix-server-71 zabbix_agentd.d]# vim nginx_status.conf
[root@zabbix-server-71 zabbix_agentd.d]# cat nginx_status.conf
UserParameter=nginx_status[*],/usr/bin/bash /etc/zabbix/zabbix_agentd.d/scripts/nginx_status.sh "$1"
active|reading|writing|waiting|accepts|handled|requests
3.Php-fpm
[root@web01-07 ~]# vim /etc/php-fpm.d/www.conf
pm.status_path = /phpfpm_status
[root@zabbix-server-71 zabbix_agentd.d]# vim phpfpm_status.conf
[root@zabbix-server-71 zabbix_agentd.d]# cat phpfpm_status.conf
UserParameter=fpm[*],curl -s http://127.0.0.1/phpfpm_status|grep ^"$1":|awk '{print $NF}'
4.redis
[root@zabbix-server-71 zabbix_agentd.d]# vim redis_status.conf
[root@zabbix-server-71 zabbix_agentd.d]# cat redis_status.conf
UserParameter=redis_status[*],/bin/bash /etc/zabbix/scripts/redis_status.sh "$1"
5.Tomcat
6.Mysql
[root@db01-51 ~]# yum install percona-zabbix-templates
[root@db01-51 ~]# yum install php php-mysql
[root@db01-51 ~]# cp /var/lib/zabbix/percona/templates/userparameter_percona_mysql.conf /etc/zabbix/zabbix_agentd.d/
[root@db01-51 ~]# vim /var/lib/zabbix/percona/scripts/ss_get_mysql_stats.php
$mysql_user = 'zabbix';
$mysql_pass = 'PHPtest123.com';
$mysql_port = 3306;
上传模版
7.NFS
[root@zabbix-server-71 zabbix_agentd.d]# vim nfs_mount.conf
[root@zabbix-server-71 zabbix_agentd.d]# cat nfs_mount.conf
UserParameter=nfs_mount,showmount -e 172.16.1.31 2>/dev/null| egrep "172.16.1.0/24"|wc -l
8.Sersync
[root@zabbix-server-71 zabbix_agentd.d]# vim shishitongbu.conf
[root@zabbix-server-71 zabbix_agentd.d]# cat shishitongbu.conf
UserParameter=sersync_status,ps aux |grep sersyn[c] |wc -l
9.rsync
[root@zabbix-server-71 zabbix_agentd.d]# vim beifen.conf
[root@zabbix-server-71 zabbix_agentd.d]# cat beifen.conf
UserParameter=nfs_mount,netstat -lntp |grep 873 |wc -l
10.zabbbix-server
安装报警媒介
1.电子邮件
名称 Email
类型 电子邮件
SMTP服务器 smtp.qq.com
SMTP服务器端口 465
SMTP HELO qq.com
SMTP电邮 1655582530@qq.com
安全链接 SSL/TLS
认证
Username and password
用户名称 1655582530@qq.com
密码
2.微信报警
(1)配置发件人
[root@zabbix-server-71 ~]# cd /usr/lib/zabbix/alertscripts/
[root@zabbix-server-71 alertscripts]# rz
[root@zabbix-server-71 alertscripts]# ll
total 4
-rw-r--r-- 1 root root 1350 Oct 10 18:14 weixin.py
[root@zabbix-server-71 alertscripts]# chmod +x weixin.py
[root@zabbix-server-71 alertscripts]# yum install python-pip
[root@zabbix-server-71 alertscripts]# pip install requests
名称 微信 类型 脚本 名称 weixin.py 脚本参数 参数 动作 {ALERT.SENDTO} {ALERT.SUBJECT} {ALERT.MESSAGE}
(2)添加收件人
自定义报警信息
告警消息内容
问题出现时间: {EVENT.TIME} on {EVENT.DATE}
报警主机:{HOST.NAME1}
报警问题: {TRIGGER.NAME}
报警服务: {ITEM.NAME1}
报警Key1: {ITEM.KEY1}:{ITEM.VALUE1}
报警Key2: {ITEM.KEY2}:{ITEM.VALUE2}
严重级别: {TRIGGER.SEVERITY}
Original problem ID: {EVENT.ID}
{TRIGGER.URL}
安装jumpserver (http://www.jumpserver.org/)
1、安装jumpserver的依赖环境
yum install -y redis sqlite-devel xz gcc automake zlib-devel openssl-devel
2、编译下载python3.6版本
wget https://www.python.org/ftp/python/3.6.1/Python-3.6.1.tar.xz
tar xvf Python-3.6.1.tar.xz && cd Python-3.6.1
./configure && make && make install
3、检查python的版本
python -V
4、建立Python虚拟环境
cd /opt
python3 -m venv py3
source /opt/py3/bin/activate
注释:看到下面的提示符代表成功,以后运行 Jumpserver 都要先运行以上 source 命令,以下所有命令均在该虚拟环境中运行 (py3) [root@localhost py3
5、自动载入python虚拟环境
cd /opt
git clone https://github.com/kennethreitz/autoenv.git
echo 'source /opt/autoenv/activate.sh' >>~/.bashrc
source ~/.bashrc
6、安装jumpserver
1)下载或 Clone 项目
cd /opt/
git clone https://github.com/jumpserver/jumpserver.git
cd jumpserver
git checkout master
echo "source /opt/py3/bin/activate" >/opt/jumpserver/.env # 进入 jumpserver 目录时将自动载入 python 虚拟环境
2)安装依赖 RPM 包
首次进入 jumpserver 文件夹会有提示,按 y 即可 Are you sure you want to allow this? (y/N) y
cd /opt/jumpserver/requirements
yum install -y `cat rpm_requirements.txt` # 如果没有任何报错请继续
7、安装python依赖的库
1)pip install --upgrade pip 升级pip
2)创建加速器
cd /root
mkdir .pip
vim .pip/pip.conf
键入下面加速器内容
[global]
index-url=http://mirrors.aliyun.com/pypi/simple/
[install]
trusted-host=mirrors.aliyun.com
3)pip install -r requirements.txt 安装python依赖的库
8、安装 Redis, Jumpserver 使用 Redis 做 cache 和 celery broker
yum -y install redis
systemctl enable redis
systemctl start redis
9、安装mysql数据库
rpm -ivh http://repo.mysql.com/yum/mysql-5.7-community/el/7/x86_64/mysql57-community-release-el7-10.noarch.rpm
wget http://dev.mysql.com/get/mysql57-community-release-el7-8.noarch.rpm
yum localinstall mysql57-community-release-el7-8.noarch.rpm
yum repolist enabled | grep "mysql.*-community.*"
yum install mysql-community-server -y
systemctl enable mysqld
grep 'password' /var/log/mysqld.log
Bash
10、修改数据库密码
mysql -uroot -p
password:2f3zd&GnU7pe
SET PASSWORD = PASSWORD('123456');
11、创建数据库 Jumpserver 并授权
mysql -uroot -p123456
> create database jumpserver default charset 'utf8';
> grant all on jumpserver.* to 'jumpserver'@'172.16.1.61' identified by 'Hjs123..';
> flush privileges;
12、修改 Jumpserver 配置文件
cd /opt/jumpserver
cp config_example.py config.py
vi config.py
修改DevelopmentConfig 中的配置,因为默认 Jumpserver 使用该配置,它继承自 Config,配置内容根据实际情况进行修改 注意: 配置文件是 Python 格式,不要用 TAB,而要用空格
DB_ENGINE = os.environ.get("DB_ENGINE") or 'mysql'
DB_HOST = os.environ.get("DB_HOST") or '172.16.1.51'
DB_PORT = os.environ.get("DB_PORT") or 3306
DB_USER = os.environ.get("DB_USER") or 'jumpserver'
DB_PASSWORD = os.environ.get("DB_PASSWORD") or 'Bgx123.com'
DB_NAME = os.environ.get("DB_NAME") or 'jumpserver'
13、生成数据库表结构和初始化数据
cd /opt/jumpserver/utils
sh make_migrations.sh
14、运行 Jumpserver
cd /opt/jumpserver
./jms start all # 后台运行使用 -d 参数./jms start all -d
运行不报错,请浏览器访问 http://10.0.0.61:8080/ 默认账号: admin 密码: admin 页面显示不正常先不用处理,搭建 nginx 代理就可以正常访问了
15、安装 SSH Server 和 WebSocket Server: Coco
websocket server 这里我装在172.16.1.62上,和jumpserver一台机 新开一个终端,别忘了 source /opt/py3/bin/activate
cd /opt
source /opt/py3/bin/activate
git clone https://github.com/jumpserver/coco.git && cd coco && git checkout master
echo "source /opt/py3/bin/activate" > /opt/coco/.env
上面的最后一步和之前一样配置进入 coco 目录时将自动载入 python 虚拟环境 首次进入 coco 文件夹会有提示,按 y 即可 Are you sure you want to allow this? (y/N) y
安装依赖
cd /opt/coco/requirements
yum install -y `cat rpm_requirements.txt`
pip install -r requirements.txt
https://pypi.org/project/jumpserver-python-sdk/#files 官网下载jumpserver-python-sdk-0.0.50.tar.gz 放在当前目录,并执行以下命令 pip install ./jumpserver-python-sdk-0.0.50.tar.gz(包的的名字和路径) 修改配置文件并运行
cd /opt/coco
mkdir keys # 创建keys目录是给coco存放密钥使用
cp conf_example.py conf.py # 如果 coco 与 jumpserver 分开部署,请手动修改 conf.py
vi conf.py
这里修改的需要是:01项目名称 NAME = "COCO",可以随意,没有限制。02 CORE_HOST = 'http://127.0.0.1:8080' 03:LOG_LEVEL = 'WARN'日志级别。其他都和官网保持一致。
16、安装 Web Terminal 前端: Luna
Luna 已改为纯前端,需要 Nginx 来运行访问 访问(https://github.com/jumpserver/luna/releases)下载对应版本的 release 包,直接解压,不需要编译 解压 Luna
$cd /opt
$wget https://github.com/jumpserver/luna/releases/download/1.4.3/luna.tar.gz
$tar xvf luna.tar.gz
$chown -R root:root luna
17、配置 Nginx 整合各组件
1)配置nginx的源
[root@jumpserver ~]# cat /etc/yum.repos.d/nginx.repo
[nginx]
name=nginx repo
baseurl=http://nginx.org/packages/centos/7/$basearch/
gpgcheck=0
enabled=1
2)安装nginx
(py3) [root@jumserver coco]# yum install nginx -y
systemctl restart nginx
systemctl enable nginx
3)编辑conf文件,修改default.conf的后缀
cat /etc/nginx/conf.d/jumpserver.conf
注意注释 nginx.conf 里面的 server {} 内容 ,CentOS 6 需要修改文件 /etc/nginx/conf.d/default.conf
server {
listen 80; # 代理端口,以后将通过此端口进行访问,不再通过8080端口
server_name jumpserver.oldboyedu.com; # 修改成你的域名
client_max_body_size 100m; # 录像及文件上传大小限制
location /luna/ {
try_files $uri / /index.html;
alias /opt/luna/; # luna 路径,如果修改安装目录,此处需要修改
}
location /media/ {
add_header Content-Encoding gzip;
root /opt/jumpserver/data/; # 录像位置,如果修改安装目录,此处需要修改
}
location /static/ {
root /opt/jumpserver/data/; # 静态资源,如果修改安装目录,此处需要修改
}
location /socket.io/ {
proxy_pass http://localhost:5000/socket.io/; # 如果coco安装在别的服务器,请填写它的ip
proxy_buffering off;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
access_log off;
}
location /coco/ {
proxy_pass http://localhost:5000/coco/; # 如果coco安装在别的服务器,请填写它的ip
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
access_log off;
}
location /guacamole/ {
proxy_pass http://localhost:8081/; # 如果guacamole安装在别的服务器,请填写它的ip
proxy_buffering off;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $http_connection;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
access_log off;
}
location / {
proxy_pass http://localhost:8080; # 如果jumpserver安装在别的服务器,请填写它的ip
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
### 4)(py3) [root@jumserver coco]#nginx -t 检查语法
### 5)重启服务 systemctl restart nginx
### 6)加hosts域名解析。10.0.0.62 jumpserver.oldboyedu.com
http://jason.linuxbaodian.com/unixknowledge/linux-basic/239.html
# 安装主从数据库安装
主库将日志打开,将数据库文件导出。
从库导入数据文件,配置实现实时同步
## 1、主库操作
### 1 将安装源倒入至从库
[root@mysql-51 ~]# scp /etc/yum.repos.d/* root@172.16.1.52:/etc/yum.repos.d/
#校验文件发送过去rpm-gpg/RPM-GPG-KEY-mysql
scp -rp /etc/pki/ root@172.16.1.52:/etc/
### 1.2.2 打开主库日志,用于从库实时监控更新
#手写编辑进去
[root@mysql-51 ~]# vim /etc/my.cnf
[mysqld]
log-bin
server-id=160
### #查看一下binlog
[root@mysql-51 ~]# ls /var/lib/mysql mysql-51-bin.000001
### 3 授权从库连接
[root@mysql-51 ~]# mysql -uroot -pBgx123.com
mysql> grant all on *.* to 'all'@'%' identified by ' Bgx123.com';
mysql> grant replication slave, replication client on *.* to 'rep'@'172.16.1.%' identified by 'Rep123.com';
### #查看授权
mysql> select * from mysql.user\G;
### 4 将数据导出,至从库
[root@mysql-51 ~]# mysqldump -uroot -pBgx123.com --all-databases --single-transaction --master-data=1 --flush-logs > /root/db-$(date +%F)-all.sql
### #将数据发送至52从库
[root@mysql-51 ~]# scp db-2018-10-08-all.sql root@172.16.1.52:~
## 3、从库配置
1 安装数据库
### 1.下载MySQL官方扩展源
[root@nginx ~]# rpm -ivh http://repo.mysql.com/yum/mysql-5.7-community/el/7/x86_64/mysql57-community-release-el7-10.noarch.rpm
### #2.安装mysql5.7, 文件过大可能会导致下载缓慢
[root@nginx ~]# yum install mysql-community-server -y
### #3.启动数据库, 并加入开机自启动
[root@nginx ~]# systemctl start mysqld
[root@nginx ~]# systemctl enable mysqld
### #4.由于mysql5.7默认配置了默认密码, 需要过滤temporary password关键字查看对应登陆数据库密码
[root@nginx ~]# grep "temporary password" /var/log/mysqld.log
### #5.登陆mysql数据库[password中填写上一步过滤的密码]
[root@web02 ~]# mysql -uroot -p$(awk '/temporary password/{print $NF}' /var/log/mysqld.log)
### #6.重新修改数据库密码
mysql> ALTER USER 'root'@'localhost' IDENTIFIED BY 'Bgx123.com';
### #7.授权
mysql> grant all on *.* to 'all'@'%' identified by ' Bgx123.com';
1.3.2 修改server id
[root@mysql02-52 ~]# vim /etc/my.cnf
[mysqld]
server-id=52
1.3.4 导入数据
[root@mysql02-52 ~]# mysql -uroot -pBgx123.com < db-2018-10-09-all.sql
1.3.5 从库指向主库
[root@mysql02-52 ~]# mysql -uroot -pBgx123.com
mysql> change master to
    -> master_host='172.16.1.51',
    -> master_user='rep',
    -> master_password='Rep123.com';
### 1.3.6 启动slave
mysql> start slave;
mysql> show slave status\G
Slave_IO_Running: Yes
Slave_SQL_Running: Yes
两项都为 Yes 时代表主从步调一致;测试方法:在主库创建数据,到从库查看是否存在,存在的话说明主从同步已完成。
报错:Slave_SQL_Running 为 No(SQL线程不运行)
mysql> show binary logs;    查看binlog日志
mysql> purge master logs to 'master-bin.000015';    删除指定文件之前的binlog日志
https://dev.mysql.com/doc/refman/5.7/en/
# m01时间同步
## 1安装并配置服务端
[root@m01-61 ~]# yum install chrony
[root@m01-61 ~]# rpm -ql chrony
[root@m01-61 ~]# chronyc -v
chronyc (chrony) version 3.2 (+READLINE +IPV6 +DEBUG)
[root@m01-61 ~]# vim /etc/chrony.conf
[root@m01-61 ~]# cat /etc/chrony.conf
#Use public servers from the pool.ntp.org project.
#Please consider joining the pool (http://www.pool.ntp.org/join.html).
#使用pool.ntp.org项目中的公共服务器。以server开头,理论上你想添加多少时间服务器都可以
server 0.centos.pool.ntp.org iburst
server 1.centos.pool.ntp.org iburst
server 2.centos.pool.ntp.org iburst
server 3.centos.pool.ntp.org iburst
#Record the rate at which the system clock gains/losses time.
#根据实际时间计算出服务器增减时间的比率,然后记录到一个文件中,在系统重启后为系统做出最佳时间补偿调整
driftfile /var/lib/chrony/drift
#Allow the system clock to be stepped in the first three updates
#if its offset is larger than 1 second.
#chronyd根据需求减慢或加速时间调整,
#在某些情况下系统时钟可能漂移过快,导致时间调整用时过长。
#该指令强制chronyd调整时期,大于某个阈值时步进调整系统时钟。
#只有在因chronyd启动时间超过指定的限制时(可使用负值来禁用限制)没有更多时钟更新时才生效。
makestep 1.0 3
#Enable kernel synchronization of the real-time clock (RTC).
#将启用一个内核模式,在该模式中,系统时间每11分钟会拷贝到实时时钟(RTC)
rtcsync
#Enable hardware timestamping on all interfaces that support it.
#通过使用hwtimestamp指令启用硬件时间戳.
#hwtimestamp *
#Increase the minimum number of selectable sources required to adjust
#the system clock.
#minsources 2
#Allow NTP client access from local network.
#指定一台主机、子网,或者网络以允许或拒绝NTP连接到扮演时钟服务器的机器
allow 172.16.1.0/24
#Serve time even if not synchronized to a time source.
#local stratum 10
#Specify file containing keys for NTP authentication.
#指定包含NTP验证密钥的文件。
#keyfile /etc/chrony.keys
#Specify directory for log files.
#指定日志文件的目录。
logdir /var/log/chrony
#Select which information is logged.
#log measurements statistics tracking
[root@m01-61 ~]# timedatectl
Time zone: Asia/Shanghai (CST, +0800)
[root@m01-61 ~]# chronyc -a makestep
[root@m01-61 ~]# systemctl start chronyd
[root@m01-61 ~]# systemctl enable chronyd
## 2客户端
[root@web03-09 ~]# yum install chrony
[root@web03-09 ~]# vim /etc/chrony.conf
[root@web03-09 ~]# awk '!/^(#|$)/' /etc/chrony.conf
server 172.16.1.61 iburst
driftfile /var/lib/chrony/drift
makestep 1.0 3
rtcsync
logdir /var/log/chrony
[root@web03-09 ~]# systemctl start chronyd
[root@web03-09 ~]# systemctl enable chronyd
## 3防火墙配置
### 1开启防火墙
[root@m01-61 ~]# systemctl start firewalld.service
[root@m01-61 ~]# systemctl enable firewalld.service
Created symlink from /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service to /usr/lib/systemd/system/firewalld.service.
Created symlink from /etc/systemd/system/multi-user.target.wants/firewalld.service to /usr/lib/systemd/system/firewalld.service.
### 2只允许10.0.0.1主机ssh登录
[root@m01-61 ~]# firewall-cmd --remove-service=ssh --permanent
success
[root@m01-61 ~]# firewall-cmd --add-rich-rule='rule family=ipv4 source address=10.0.0.1/32 service name=ssh accept' --permanent
success
(先从默认区域移除ssh服务,再用rich rule只放行10.0.0.1/32这一个源地址,其它来源的ssh连接将被拒绝;在--reload生效前请确认当前会话来自该地址,以免把自己锁在外面)
### 3运行Ansible与yum仓库
[root@m01-61 ~]# firewall-cmd --add-rich-rule='rule family=ipv4 source address=172.16.1.0/24 service name=ssh accept' --permanent
success
[root@m01-61 ~]# firewall-cmd --add-rich-rule='rule family=ipv4 source address=172.16.1.0/24 service name=ftp accept' --permanent
success
### 4支持监控
[root@m01-61 ~]# firewall-cmd --add-source=172.16.1.71/32 --zone=trusted --permanent
success
(trusted区域不做过滤,会放行该监控主机发来的全部流量,所以只加入单个地址/32而不是整个网段)
### 5配置内部上网
[root@m01-61 ~]# firewall-cmd --add-masquerade --permanent success
### 6重载
[root@m01-61 ~]# firewall-cmd --reload success
### 7内部上网客户端配置
[root@web01-07 ~]# vim /etc/sysconfig/network-scripts/ifcfg-eth1
[root@web01-07 ~]# tail -2 /etc/sysconfig/network-scripts/ifcfg-eth1
GATEWAY=172.16.1.61
DNS1=223.5.5.5
## ansible安装配置
### 1创建并推送公钥
[root@m01-61 ~]# ssh-keygen -t rsa -C 1655582530@qq.com
ssh-copy-id -i ~/.ssh/id_rsa.pub root@172.16.1.5
ssh-copy-id -i ~/.ssh/id_rsa.pub root@172.16.1.6
ssh-copy-id -i ~/.ssh/id_rsa.pub root@172.16.1.7
ssh-copy-id -i ~/.ssh/id_rsa.pub root@172.16.1.8
ssh-copy-id -i ~/.ssh/id_rsa.pub root@172.16.1.9
ssh-copy-id -i ~/.ssh/id_rsa.pub root@172.16.1.31
ssh-copy-id -i ~/.ssh/id_rsa.pub root@172.16.1.41
ssh-copy-id -i ~/.ssh/id_rsa.pub root@172.16.1.51
ssh-copy-id -i ~/.ssh/id_rsa.pub root@172.16.1.71