1、实现基于MYSQL验证的vsftpd虚拟用户访问
本实验在两台主机上实现 一台做为FTP服务器CentOS 7 一台做 Mariadb 数据库服务器centos 8
在数据库服务器上安装mysql数据库
#注意:MySQL 8.0 取消了 PASSWORD() 函数,而 pam_mysql 的 crypt=2 依赖该哈希格式校验口令,因此选择 MariaDB
[root@xiaozz ~]# yum -y install mariadb-server
[root@xiaozz ~]# systemctl enable --now mariadb.service
在数据库服务上配置数据库支持vsftpd服务
#建立存储虚拟用户数据库和表
[root@xiaozz ~]# mysql
MariaDB [(none)]> CREATE DATABASE vsftpd;
MariaDB [(none)]> USE vsftpd;
MariaDB [vsftpd]> CREATE TABLE users (
-> id INT AUTO_INCREMENT NOT NULL PRIMARY KEY,
-> name CHAR(50) BINARY NOT NULL,
-> password CHAR(48) BINARY NOT NULL
-> );
#添加虚拟用户。口令必须经 PASSWORD() 函数哈希后再存储(不是"加密"),pam_mysql 的 crypt=2 按此格式校验。注意 PASSWORD() 是无盐哈希:下面两个用户口令相同,存入的哈希值也完全一样,可被离线对比或查表破解;实验环境可接受,生产环境应配合强口令策略使用
MariaDB [vsftpd]> INSERT INTO users(name,password) values('ftp_wang',password('123456'));
MariaDB [vsftpd]> INSERT INTO users(name,password) values('ftp_mage',password('123456'));
MariaDB [vsftpd]> select * from users;
+----+----------+-------------------------------------------+
| id | name | password |
+----+----------+-------------------------------------------+
| 1 | ftp_wang | *6B8CCC83799A26CD19D7AD9AEEADBCD30D8A8664 |
| 2 | ftp_mage | *6B8CCC83799A26CD19D7AD9AEEADBCD30D8A8664 |
+----+----------+-------------------------------------------+
#创建供 FTP 服务器连接数据库用的账号:只授予 SELECT,符合最小权限。主机范围 '10.0.0.%' 放开了整个网段,更严格的做法是限定为 FTP 服务器的地址(本例为 10.0.0.9);'123456' 仅为实验口令,该口令稍后还会以明文写入 FTP 服务器的 /etc/pam.d/vsftpd.mysql
MariaDB [vsftpd]> GRANT SELECT ON vsftpd.* TO vsftpd@'10.0.0.%' IDENTIFIED BY '123456';
MariaDB [vsftpd]> FLUSH PRIVILEGES;
在FTP服务器上安装 pam_mysql
# pam-mysql 源码进行编译(注意:下面通过明文 http 下载源码包且未做任何校验,编译前应核对官方发布的校验和或签名;pam_mysql 0.7RC1 是一个年代较早的版本,生产使用前需确认其维护状态和已知问题)
[root@xiaozz ~]# yum -y install vsftpd gcc gcc-c++ make mariadb-devel pam-devel
[root@xiaozz ~]# wget http://prdownloads.sourceforge.net/pam-mysql/pam_mysql-0.7RC1.tar.gz
[root@xiaozz ~]# tar xf pam_mysql-0.7RC1.tar.gz
[root@xiaozz ~]# cd pam_mysql-0.7RC1
[root@xiaozz pam_mysql-0.7RC1]# ./configure --with-pam-mods-dir=/lib64/security
#如果上面命令不指定 --with-pam-mods-dir=/lib64/security 会报错误
[root@xiaozz pam_mysql-0.7RC1]# make install
[root@xiaozz pam_mysql-0.7RC1]# ll /lib64/security/pam_mysql*
-rwxr-xr-x 1 root root 882 Dec 5 15:56 /lib64/security/pam_mysql.la
-rwxr-xr-x 1 root root 141712 Dec 5 15:56 /lib64/security/pam_mysql.so
在FTP服务器上建立pam认证所需文件(该文件中含数据库账号口令明文,而 /etc/pam.d 下新建文件默认 644 全局可读,创建后应执行 chmod 600 /etc/pam.d/vsftpd.mysql;另外 pam_mysql 到 10.0.0.17 的 MySQL 连接默认未启用 TLS,应只在可信内网中使用)
[root@xiaozz ~]# vim /etc/pam.d/vsftpd.mysql
auth required pam_mysql.so user=vsftpd passwd=123456 host=10.0.0.17 db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2
account required pam_mysql.so user=vsftpd passwd=123456 host=10.0.0.17 db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2
建立相应用户和修改vsftpd配置文件
[root@xiaozz ~]# useradd -s /sbin/nologin -d /data/ftproot -r vuser
[root@xiaozz ~]# mkdir -pv /data/ftproot/upload
[root@xiaozz ~]# setfacl -m u:vuser:rwx /data/ftproot/upload
[root@xiaozz ~]# vim /etc/vsftpd/vsftpd.conf
#添加下面两项
guest_enable=YES
guest_username=vuser
#修改下面一项,原系统用户无法登录
pam_service_name=vsftpd.mysql
[root@xiaozz ~]# systemctl enable --now vsftpd
#在FTP服务器上配置虚拟用户具有不同的访问权限(每用户配置文件中的 anon_* 选项对 guest 虚拟用户生效:anon_upload_enable 控制上传,anon_mkdir_write_enable 控制创建目录,anon_other_write_enable 控制删除、改名等其他写操作;默认均为 NO,按最小权限逐项开启)
[root@xiaozz ~]# vim /etc/vsftpd/vsftpd.conf
#添加如下选项
user_config_dir=/etc/vsftpd/conf.d/
[root@xiaozz ~]# mkdir /etc/vsftpd/conf.d/
[root@centos7 ~]#vim /etc/vsftpd/conf.d/ftp_wang
anon_upload_enable={YES|NO}
anon_mkdir_write_enable={YES|NO}
anon_other_write_enable={YES|NO}
#登录目录改变至指定的目录
local_root=/data/ftproot2
测试:[root@xiaozz ~]# ftp 10.0.0.9 (注意:FTP 以明文传输账号、口令和数据,虚拟用户口令在网络上可被嗅探;生产环境应在 vsftpd 中启用 TLS(ssl_enable=YES)或改用 SFTP)
2、配置samba共享,实现/www目录共享
#在samba服务器上安装samba包
[root@xiaozz ~]# yum -y install samba
#创建samba用户和组
[root@xiaozz ~]# groupadd -r admins
[root@xiaozz ~]# useradd -s /sbin/nologin -G admins xiaozz
[root@xiaozz ~]# smbpasswd -a xiaozz
#创建samba共享目录,并设置SElinux(下面只设置了属组和 setgid 权限,并未包含 SELinux 命令;SELinux 为 enforcing 时还需为该目录设置 samba_share_t 类型,否则客户端挂载后无法访问)
[root@xiaozz ~]# mkdir /testdir/smbshare
[root@xiaozz ~]# chgrp admins /testdir/smbshare
[root@xiaozz ~]# chmod 2775 /testdir/smbshare
#samba服务器配置
[root@xiaozz ~]# vim /etc/samba/smb.conf
#添加下面3行
[share]
path = /testdir/smbshare
write list = @admins
[root@xiaozz ~]# systemctl enable --now smb nmb
[root@xiaozz ~]# mkdir /mnt/xiaozz
[root@xiaozz ~]# mount -o username=xiaozz //smbserver/share /mnt/xiaozz
#以上两步在客户端执行,需先安装下面的 cifs-utils;mount 会交互式提示输入口令,不要用 password= 选项把口令写在命令行上(会出现在 ps 输出和 shell 历史中),需要非交互挂载时改用 credentials=<仅 root 可读的文件>
#samba客户端访问
[root@xiaozz ~]# yum -y install cifs-utils
#用xiaozz用户挂载smb共享并访问
3、使用rsync+inotify实现/www目录实时同步
配置服务器端:10.0.0.18
#安装inotify工具
[root@centos7 ~]# yum install -y rsync inotify-tools
#配置/etc/rsyncd.conf文件(注意:uid = root、gid = root 且 use chroot = no、read only = no 的组合权限过大,守护进程以 root 身份写入模块目录;生产中应改用专用低权限账号并开启 use chroot。rsync 协议本身不加密,口令文件认证只是挑战-应答,hosts allow 也只限制到 10.0.0.0/24 网段,应配合防火墙或 SSH 隧道使用)
[root@centos7 ~]# cat /etc/rsyncd.conf
uid = root
gid = root
use chroot = no
max connections = 0
ignore errors
exclude = lost+found/
log file = /var/log/rsyncd.log
pid file = /var/run/rsyncd.pid
lock file = /var/run/rsyncd.lock
reverse lookup = no
hosts allow = 10.0.0.0/24
[www]
path = /www
comment = www
read only = no
auth users = rsyncuser
secrets file = /etc/rsync.pas
#创建rsync账号
#文件名必须与上面 secrets file 指定的一致;rsync 的 strict modes 要求该文件对其他用户不可读,600 最稳妥
[root@centos7 ~]# echo "rsyncuser:centos" > /etc/rsync.pas
[root@centos7 ~]# chmod 600 /etc/rsync.pas
#创建同步目录并启动服务
[root@centos7 ~]# mkdir /www
[root@centos7 ~]# systemctl start rsyncd
客户端:
backup
[root@client ~]# yum install -y rsync inotify-tools
#创建inotify连接文件
[root@client ~]# echo "centos" > /etc/rsync.pas
[root@client ~]# chmod 600 /etc/rsync.pas
#用命令连接测试是否同步
[root@client test]# rsync -avz --password-file=/etc/rsync.pas rsyncuser@10.0.0.18::www /test
receiving incremental file list
f1.txt
[root@client test]# ll
total 4
-rw-r--r-- 1 root root 595 Oct 16 11:22 f1.txt
-rw-r--r-- 1 root root 0 Oct 16 11:24 f2.txt
客户端创建inotify_rsync.sh脚本
[root@client ~]# cat inotify_rsync.sh
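#!/bin/bash
# Mirror SRC to the rsync daemon module DEST whenever something changes.
# inotifywait stays running (-m) and watches SRC recursively (-r); every
# event triggers one full `rsync --delete`, so DEST ends up identical to SRC
# (deletions propagate too). Results are appended to LOG.
set -u

SRC='/test/'
DEST='rsyncuser@10.0.0.18::www'
# Must match the file created above (mode 600, containing only the password);
# rsync refuses a password file that other users can read.
PASSFILE='/etc/rsync.pas'
LOG='/var/log/changelist.log'

# %T expands to "date time" (two words, because of the space in --timefmt),
# so read takes DATE and TIME separately. -r keeps backslashes in names;
# FILE, being the last variable, absorbs the rest of the line, so a file name
# containing spaces is logged intact. All expansions are quoted.
inotifywait -mrq --timefmt '%Y-%m-%d %H:%M' --format '%T %w %f' \
  -e create,delete,moved_to,close_write,attrib "${SRC}" |
while read -r DATE TIME DIR FILE; do
  FILEPATH="${DIR}${FILE}"
  if rsync -az --delete --password-file="${PASSFILE}" "${SRC}" "${DEST}"; then
    echo "At ${TIME} on ${DATE}, file ${FILEPATH} was backed up via rsync" >> "${LOG}"
  else
    # Record failures too: the original only logged successes, so a missing
    # password file or an unreachable server went unnoticed.
    rc=$?
    echo "At ${TIME} on ${DATE}, rsync to ${DEST} FAILED (exit ${rc}) after change to ${FILEPATH}" >> "${LOG}"
  fi
done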
#执行脚本
[root@client ~]# nohup bash inotify_rsync.sh &
4、LVS调度算法总结
静态方法
仅根据算法本身进行调度。 1、RR:roundrobin,轮询,较常用。 2、WRR:Weighted RR,加权轮询,较常用。 3、SH:Source Hashing,实现session sticky,源IP地址hash;将来自于同一个IP地址的请求始终发往 第一次挑中的RS,从而实现会话绑定。 4、DH:Destination Hashing;目标地址哈希,第一次轮询调度至RS,后续将发往同一个目标地址的 请求始终转发至第一次挑中的RS,典型使用场景是正向代理缓存场景中的负载均衡,如: Web缓存。
动态方法
主要根据每个RS当前的负载状态及调度算法进行调度,Overhead 值较小的RS将被调度。 1、LC:least connections,适用于长连接应用。 Overhead=activeconns*256+inactiveconns 2、WLC:Weighted LC,默认调度方法,较常用。 Overhead=(activeconns*256+inactiveconns)/weight 3、SED:Shortest Expected Delay,初始连接高权重优先,只检查活动连接,而不考虑非活动连接。 Overhead=(activeconns+1)*256/weight 4、NQ:Never Queue,第一轮均匀分配,后续SED。 5、LBLC:Locality-Based LC,动态的DH算法,使用场景:根据负载状态实现正向代理,实现Web Cache等。 6、LBLCR:LBLC with Replication,带复制功能的LBLC,解决LBLC负载不均衡问题,从负载重的RS复制到负载轻的RS,实现Web Cache等。
内核版本 4.15 版本后新增调度算法:FO和OVF
FO(Weighted Fail Over)调度算法:在此FO算法中,遍历虚拟服务所关联的真实服务器链表,找到还未过载(未设置IP_VS_DEST_F_OVERLOAD标志)且权重最高的真实服务器进行调度,属于静态算法。 OVF(Overflow-connection)调度算法:基于真实服务器的活动连接数量和权重值实现。将新连接调度到权重值最高的真实服务器,直到其活动连接数量超过权重值,之后调度到下一个权重值最高的真实服务器。在此OVF算法中,遍历虚拟服务相关联的真实服务器链表,找到权重值最高的可用真实服务器,属于动态算法。
一个可用的真实服务器需要同时满足以下条件:
未过载(未设置IP_VS_DEST_F_OVERLOAD标志) 真实服务器当前的活动连接数量小于其权重值 其权重值不为零
5、LVS的跨网络DR实现
环境:5台主机 一台:ROUTER eth0 :NAT 10.0.0.200/24 eth1: 仅主机 192.168.10.200/24 启用 IP_FORWARD 一台:LVS eth0:NAT:DIP:10.0.0.8/24 GW:10.0.0.200 两台RS: RS1:eth0:NAT:10.0.0.7/24 GW:10.0.0.200 RS2:eth0:NAT:10.0.0.17/24 GW:10.0.0.200 所有主机禁用iptables和selinux(仅为排除实验干扰;生产环境应保留防火墙和 SELinux,只放行所需端口,本例为 TCP 80)
internet主机环境
[root@internet ~]#hostname
internet
[root@internet ~]#hostname -I
192.168.10.6
[root@internet ~]#route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.10.0 0.0.0.0 255.255.255.0 U 1 0 0 eth0
0.0.0.0 192.168.10.200 0.0.0.0 UG 0 0 0 eth0
[root@internet ~]#ping 10.0.0.7 -c1
PING 10.0.0.7 (10.0.0.7) 56(84) bytes of data.
64 bytes from 10.0.0.7: icmp_seq=1 ttl=63 time=0.565 ms
[root@internet ~]#ping 10.0.0.17 -c1
PING 10.0.0.17 (10.0.0.17) 56(84) bytes of data.
64 bytes from 10.0.0.17: icmp_seq=1 ttl=63 time=0.565 ms
路由器的网络配置
[root@router ~]#echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf
[root@router ~]#sysctl -p
[root@router network-scripts]#pwd
/etc/sysconfig/network-scripts
[root@router network-scripts]#cat ifcfg-eth0
DEVICE=eth0
NAME=eth0
BOOTPROTO=static
IPADDR=10.0.0.200
PREFIX=24
ONBOOT=yes
[root@router network-scripts]#cat ifcfg-eth1
DEVICE=eth1
NAME=eth1
BOOTPROTO=static
IPADDR=192.168.10.200
PREFIX=24
ONBOOT=yes
RS1的网络配置
[root@rs1 ~]#hostname
rs1.magedu.org
[root@rs1 ~]#hostname -I
10.0.0.7
[root@rs1 ~]#cat /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
NAME=eth0
BOOTPROTO=static
IPADDR=10.0.0.7
PREFIX=24
GATEWAY=10.0.0.200
ONBOOT=yes
[root@rs1 ~]#route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 10.0.0.200 0.0.0.0 UG 100 0 0 eth0
10.0.0.0 0.0.0.0 255.255.255.0 U 100 0 0 eth0
[root@rs1 ~]#yum -y install httpd
[root@rs1 ~]#systemctl enable --now httpd
[root@rs1 ~]#hostname -I > /var/www/html/index.html
[root@rs1 ~]#ping 192.168.10.6 -c1
PING 192.168.10.6 (192.168.10.6) 56(84) bytes of data.
64 bytes from 192.168.10.6: icmp_seq=1 ttl=63 time=1.14 ms
[root@rs1 ~]#curl 10.0.0.7
10.0.0.7
RS2 的网络配置
[root@rs2 ~]#cat /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
NAME=eth0
BOOTPROTO=static
IPADDR=10.0.0.17
PREFIX=24
GATEWAY=10.0.0.200
ONBOOT=yes
[root@rs2 ~]#route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 10.0.0.200 0.0.0.0 UG 100 0 0 eth0
10.0.0.0 0.0.0.0 255.255.255.0 U 100 0 0 eth0
[root@rs2 ~]#yum -y install httpd
[root@rs2 ~]#systemctl enable --now httpd
[root@rs2 ~]#hostname -I > /var/www/html/index.html
[root@rs2 ~]#curl 10.0.0.17
10.0.0.17
[root@rs2 ~]#ping 192.168.10.6 -c1
PING 192.168.10.6 (192.168.10.6) 56(84) bytes of data.
64 bytes from 192.168.10.6: icmp_seq=1 ttl=63 time=1.14 ms
[root@rs2 ~]#curl 10.0.0.17
10.0.0.17
LVS的网络配置
[root@lvs ~]#hostname
lvs.magedu.org
[root@lvs ~]#hostname -I
10.0.0.8
[root@lvs ~]#cat /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
NAME=eth0
BOOTPROTO=static
IPADDR=10.0.0.8
PREFIX=24
GATEWAY=10.0.0.200
ONBOOT=yes
[root@lvs ~]#route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 10.0.0.200 0.0.0.0 UG 100 0 0 eth0
10.0.0.0 0.0.0.0 255.255.255.0 U 100 0 0 eth0
[root@lvs ~]#ping 192.168.10.6 -c1
PING 192.168.10.6 (192.168.10.6) 56(84) bytes of data.
64 bytes from 192.168.10.6: icmp_seq=1 ttl=63 time=2.32 ms
后端RS的IPVS配置(注意:必须先设置 arp_ignore/arp_announce 再配置 VIP,以免 RS 先把 VIP 的 ARP 宣告发到网络上;下面通过 /proc 写入的内核参数和 ifconfig 添加的 VIP 都不持久化,重启后丢失,生产中应写入 /etc/sysctl.conf 和网络配置文件。另外 ifconfig lo:1 10.0.0.100/32 之后 ip a 显示的是 10.0.0.100/0 而非预期的 /32,建议改用 ip addr add 10.0.0.100/32 dev lo label lo:1 并核对输出,lo 上的 VIP 应为 /32,否则可能影响本机路由)
#RS1的IPVS配置
[root@rs1 ~]#echo 1 > /proc/sys/net/ipv4/conf/all/arp_ignore
[root@rs1 ~]#echo 2 > /proc/sys/net/ipv4/conf/all/arp_announce
[root@rs1 ~]#echo 1 > /proc/sys/net/ipv4/conf/lo/arp_ignore
[root@rs1 ~]#echo 2 > /proc/sys/net/ipv4/conf/lo/arp_announce
[root@rs1 ~]#ifconfig lo:1 10.0.0.100/32
[root@rs1 ~]#ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group
default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet 10.0.0.100/0 scope global lo:1
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
group default qlen 1000
link/ether 00:0c:29:01:f9:48 brd ff:ff:ff:ff:ff:ff
inet 10.0.0.7/24 brd 10.0.0.255 scope global noprefixroute eth0
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:fe01:f948/64 scope link
valid_lft forever preferred_lft forever
#RS2的IPVS配置
[root@rs2 ~]#echo 1 > /proc/sys/net/ipv4/conf/all/arp_ignore
[root@rs2 ~]#echo 1 > /proc/sys/net/ipv4/conf/lo/arp_ignore
[root@rs2 ~]#echo 2 > /proc/sys/net/ipv4/conf/all/arp_announce
[root@rs2 ~]#echo 2 > /proc/sys/net/ipv4/conf/lo/arp_announce
[root@rs2 ~]#ifconfig lo:1 10.0.0.100/32
[root@rs2 ~]#ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group
default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet 10.0.0.100/0 scope global lo:1
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
group default qlen 1000
link/ether 00:0c:29:94:1a:f6 brd ff:ff:ff:ff:ff:ff
inet 10.0.0.17/24 brd 10.0.0.255 scope global noprefixroute eth0
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:fe94:1af6/64 scope link
valid_lft forever preferred_lft forever
LVS主机的配置
#在LVS上添加VIP
[root@lvs ~]#ifconfig lo:1 10.0.0.100/32
[root@lvs ~]#ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group
default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet 10.0.0.100/0 scope global lo:1
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP
group default qlen 1000
link/ether 00:0c:29:8a:51:21 brd ff:ff:ff:ff:ff:ff
inet 10.0.0.8/24 brd 10.0.0.255 scope global noprefixroute eth0
valid_lft forever preferred_lft forever
#实现LVS规则(ipvsadm 规则只存在于内核中,重启后丢失;需要持久化时用 ipvsadm-save 保存并在开机时恢复)
[root@lvs ~]#dnf -y install ipvsadm
[root@lvs ~]#ipvsadm -A -t 10.0.0.100:80 -s rr
[root@lvs ~]#ipvsadm -a -t 10.0.0.100:80 -r 10.0.0.7:80 -g
[root@lvs ~]#ipvsadm -a -t 10.0.0.100:80 -r 10.0.0.17:80 -g
[root@lvs ~]#ipvsadm -Ln
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
-> RemoteAddress:Port Forward Weight ActiveConn InActConn
TCP 10.0.0.100:80 rr
-> 10.0.0.7:80 Route 1 0 0
-> 10.0.0.17:80 Route 1 0 0
测试访问
[root@internet ~]#curl 10.0.0.100
10.0.0.17
[root@internet ~]#curl 10.0.0.100
10.0.0.7
[root@rs1 ~]#tail -f /var/log/httpd/access_log -n0
192.168.10.6 - - [12/Jul/2020:10:36:21 +0800] "GET / HTTP/1.1" 200 10 "-"
"curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.27.1 zlib/1.2.3
libidn/1.18 libssh2/1.4.2"