网易开源镜像使用帮助: http://mirrors.163.com/.help
https://mirrors.aliyun.com/repo/
cp /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.backup
或者
mv /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.backup
cd /etc/yum.repos.d/
wget http://mirrors.163.com/.help/CentOS7-Base-163.repo
yum clean all
yum makecache
更新系统时间可能会比较久取决于服务器网速
yum -y update
systemctl stop firewalld
systemctl disable firewalld
setenforce 0
编辑文件/etc/selinux/config,将SELINUX修改为disabled,如下:
SELINUX=disabled
Kubernetes 1.8开始要求关闭系统的Swap,如果不关闭,默认配置下kubelet将无法启动。方法一,通过kubelet的启动参数–fail-swap-on=false更改这个限制。方法二,关闭系统的Swap。
swapoff -a
修改/etc/fstab文件,注释掉SWAP的自动挂载,使用free -m确认swap已经关闭。
注: 所有节点均需执行该步骤。
mkdir ~/k8s
cd k8s
wget https://download.docker.com/linux/centos/7/x86_64/stable/Packages/docker-ce-selinux-17.03.2.ce-1.el7.centos.noarch.rpm
wget https://download.docker.com/linux/centos/7/x86_64/stable/Packages/docker-ce-17.03.2.ce-1.el7.centos.x86_64.rpm
cd k8s
yum install ./docker-ce-selinux-17.03.2.ce-1.el7.centos.noarch.rpm
yum install ./docker-ce-17.03.2.ce-1.el7.centos.x86_64.rpm
systemctl enable docker
systemctl start docker
ExecStartPost=/usr/sbin/iptables -I FORWARD -s 0.0.0.0/0 -j ACCEPT
如下:
......
ExecStartPost=/usr/sbin/iptables -I FORWARD -s 0.0.0.0/0 -j ACCEPT
ExecStart=/usr/bin/dockerd
......
{
"exec-opts": ["native.cgroupdriver=systemd"]
}
systemctl daemon-reload && systemctl restart docker && systemctl status docker
cat <<EOF > /etc/yum.repos.d/kubernetes.repo
[kubernetes]
name=Kubernetes
baseurl=https://packages.cloud.google.com/yum/repos/kubernetes-el7-x86_64
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=https://packages.cloud.google.com/yum/doc/yum-key.gpg https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg
EOF
cat <<EOF > /etc/sysctl.d/k8s.conf
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
EOF
sysctl --system
vm.swappiness=0
执行sysctl -p /etc/sysctl.d/k8s.conf使修改生效。
yum list --showduplicates | grep 'kubeadm|kubectl|kubelet'
② 安装指定版本
yum install kubeadm-1.8.1 kubectl-1.8.1 kubelet-1.8.1
systemctl enable kubelet
systemctl start kubelet
注:该小节仅在Master节点上执行
kubeadm init --kubernetes-version=v1.8.1 --pod-network-cidr=10.244.0.0/16 --apiserver-advertise-address=master.k8s.samwong.im
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
[root@master ~]# kubectl get cs
NAME STATUS MESSAGE ERROR
scheduler Healthy ok
controller-manager Healthy ok
etcd-0 Healthy {"health": "true"}
kubeadm reset
ifconfig cni0 down
ip link delete cni0
ifconfig flannel.1 down
ip link delete flannel.1
rm -rf /var/lib/cni/
注:该小节仅在Master节点上执行
[root@master ~]# cd ~/k8s
[root@master ~]# wget https://raw.githubusercontent.com/coreos/flannel/master/Documentation/kube-flannel.yml
[root@master ~]# kubectl apply -f kube-flannel.yml
clusterrole "flannel" created
clusterrolebinding "flannel" created
serviceaccount "flannel" created
configmap "kube-flannel-cfg" created
daemonset "kube-flannel-ds" created
......
apiVersion: extensions/v1beta1
kind: DaemonSet
metadata:
name: kube-flannel-ds
......
containers:
- name: kube-flannel
image: quay.io/coreos/flannel:v0.9.0-amd64
command: [ "/opt/bin/flanneld", "--ip-masq", "--kube-subnet-mgr", "--iface=eth1" ]
......
kubectl get pod --all-namespaces -o wide
使用kubeadm初始化的集群,出于安全考虑Pod不会被调度到Master Node上,可使用如下命令使Master节点参与工作负载。
kubectl taint nodes node1 node-role.kubernetes.io/master-
kubeadm token list | grep authentication,signing | awk '{print $1}'
openssl x509 -pubkey -in /etc/kubernetes/pki/ca.crt | openssl rsa -pubin -outform der 2>/dev/null | openssl dgst -sha256 -hex | sed 's/^.* //'
kubeadm join --token=a20844.654ef6410d60d465 --discovery-token-ca-cert-hash sha256:0c2dbe69a2721870a59171c6b5158bd1c04bc27665535ebf295c918a96de0bb1 master.k8s.samwong.im:6443
[root@master ~]# kubectl get nodes
NAME STATUS ROLES AGE VERSION
master.k8s.samwong.im Ready master 1d v1.8.1
kubectl drain master.k8s.samwong.im --delete-local-data --force --ignore-daemonsets
kubectl delete node master.k8s.samwong.im
kubeadm reset
ifconfig cni0 down
ip link delete cni0
ifconfig flannel.1 down
ip link delete flannel.1
rm -rf /var/lib/cni/
kubectl get nodes
cd ~/k8s
wget https://raw.githubusercontent.com/kubernetes/dashboard/master/src/deploy/recommended/kubernetes-dashboard.yaml
# ------------------- Dashboard Service ------------------- #
kind: Service
apiVersion: v1
metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard
namespace: kube-system
spec:
type: NodePort
ports:
- port: 443
targetPort: 8443
selector:
k8s-app: kubernetes-dashboard
kubectl create -f kubernetes-dashboard.yaml
---
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard-admin
namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: kubernetes-dashboard-admin
labels:
k8s-app: kubernetes-dashboard
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- kind: ServiceAccount
name: kubernetes-dashboard-admin
namespace: kube-system
执行命令:
[root@master ~]# kubectl create -f kubernetes-dashboard-admin.rbac.yaml
serviceaccount "kubernetes-dashboard-admin" created
clusterrolebinding "kubernetes-dashboard-admin" created
[root@master ~]# kubectl -n kube-system get secret | grep kubernetes-dashboard-admin
kubernetes-dashboard-admin-token-jxq7l kubernetes.io/service-account-token 3 22h
[root@master ~]# kubectl describe -n kube-system secret/kubernetes-dashboard-admin-token-jxq7l
Name: kubernetes-dashboard-admin-token-jxq7l
Namespace: kube-system
Labels: <none>
Annotations: kubernetes.io/service-account.name=kubernetes-dashboard-admin
kubernetes.io/service-account.uid=686ee8e9-ce63-11e7-b3d5-080027d38be0
Type: kubernetes.io/service-account-token
Data
====
namespace: 11 bytes
token: eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJrdWJlcm5ldGVzLWRhc2hib2FyZC1hZG1pbi10b2tlbi1qeHE3bCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJrdWJlcm5ldGVzLWRhc2hib2FyZC1hZG1pbiIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6IjY4NmVlOGU5LWNlNjMtMTFlNy1iM2Q1LTA4MDAyN2QzOGJlMCIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDprdWJlLXN5c3RlbTprdWJlcm5ldGVzLWRhc2hib2FyZC1hZG1pbiJ9.Ua92im86o585ZPBfsOpuQgUh7zxgZ2p1EfGNhr99gAGLi2c3ss-2wOu0n9un9LFn44uVR7BCPIkRjSpTnlTHb_stRhHbrECfwNiXCoIxA-1TQmcznQ4k1l0P-sQge7YIIjvjBgNvZ5lkBNpsVanvdk97hI_kXpytkjrgIqI-d92Lw2D4xAvHGf1YQVowLJR_VnZp7E-STyTunJuQ9hy4HU0dmvbRXBRXQ1R6TcF-FTe-801qUjYqhporWtCaiO9KFEnkcYFJlIt8aZRSL30vzzpYnOvB_100_DdmW-53fLWIGYL8XFnlEWdU1tkADt3LFogPvBP4i9WwDn81AwKg_Q
ca.crt: 1025 bytes
[root@master k8s]# kubectl get svc -n kube-system
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kube-dns ClusterIP 10.96.0.10 <none> 53/UDP,53/TCP 1d
kubernetes-dashboard NodePort 10.102.209.161 <none> 443:32513/TCP 21h
安装Heapster为集群添加使用统计和监控功能,为Dashboard添加仪表盘。
mkdir -p ~/k8s/heapster
cd ~/k8s/heapster
wget https://raw.githubusercontent.com/kubernetes/heapster/master/deploy/kube-config/influxdb/grafana.yaml
wget https://raw.githubusercontent.com/kubernetes/heapster/master/deploy/kube-config/rbac/heapster-rbac.yaml
wget https://raw.githubusercontent.com/kubernetes/heapster/master/deploy/kube-config/influxdb/heapster.yaml
wget https://raw.githubusercontent.com/kubernetes/heapster/master/deploy/kube-config/influxdb/influxdb.yaml
kubectl create -f ./
配置代理客户端
参考链接:https://www.zybuluo.com/ncepuwanghui/note/954160
配置Docker代理
① 创建docker服务配置文件
mkdir -p /etc/systemd/system/docker.service.d
② 编辑vi /etc/systemd/system/docker.service.d/http-proxy.conf,添加如下内容:
[Service]
Environment="HTTP_PROXY=http://master.k8s.samwong.im:8118" "NO_PROXY=localhost,*.samwong.im,192.168.0.0/16,127.0.0.1,10.244.0.0/16"
③ 编辑/etc/systemd/system/docker.service.d/https-proxy.conf,添加如下内容:
[Service]
Environment="HTTPS_PROXY=https://master.k8s.samwong.im:8118" "NO_PROXY=localhost,*.samwong.im,192.168.0.0/16,127.0.0.1,10.244.0.0/16"
④ 重启Docker服务
systemctl daemon-reload && systemctl restart docker
⑤ 查看是否配置成功
[root@master k8s]# systemctl show --property=Environment docker | more
Environment=HTTP_PROXY=http://master.k8s.samwong.im:8118 NO_PROXY=localhost,*.samwong.im,192.168.0.0/16,127.0.0.1,10.244.0.0/16 HTTPS_PROXY=https://master.k8
s.samwong.im:8118
proxy=http://master.k8s.samwong.im:8118
② 更新yum缓存
yum makecache
ftp_proxy=http://master.k8s.samwong.im:8118
http_proxy=http://master.k8s.samwong.im:8118
https_proxy=http://master.k8s.samwong.im:8118
PROXY_HOST=master.k8s.samwong.im
export all_proxy=http://$PROXY_HOST:8118
export ftp_proxy=http://$PROXY_HOST:8118
export http_proxy=http://$PROXY_HOST:8118
export https_proxy=http://$PROXY_HOST:8118
export no_proxy=localhost,*.samwong.im,192.168.0.0/16.,127.0.0.1,10.10.0.0/16
注: 部署Kubernetes时需禁用全局代理,会导致访问内部服务失败。
wget https://storage.googleapis.com/kubernetes-release/release/v1.8.1/bin/linux/amd64/kubeadm
wget https://storage.googleapis.com/kubernetes-release/release/v1.8.1/bin/linux/amd64/kubectl
wget https://storage.googleapis.com/kubernetes-release/release/v1.8.1/bin/linux/amd64/kubelet
参考链接:https://kubernetes.io/docs/tasks/tools/install-kubectl/#install-kubectl-binary-via-curl
docker login -u [email protected] -p xxxxxx hub.c.163.com
docker tag gcr.io/google_containers/kube-apiserver-amd64:v1.8.1 hub.c.163.com/xxxxxx/kube-apiserver-amd64:v1.8.1
docker push hub.c.163.com/xxxxxx/kube-apiserver-amd64:v1.8.1
docker rmi hub.c.163.com/xxxxxx/kube-apiserver-amd64:v1.8.1
docker logout hub.c.163.com
docker pull hub.c.163.com/xxxxxx/kube-apiserver-amd64:v1.8.1
docker tag hub.c.163.com/xxxxxx/kube-apiserver-amd64:v1.8.1 gcr.io/google_containers/kube-apiserver-amd64:v1.8.1
docker rmi hub.c.163.com/xxxxxx/kube-apiserver-amd64:v1.8.1
docker logout hub.c.163.com
docker update --restart=no $(docker ps -q) && docker stop $(docker ps -q) && docker rm $(docker ps -q)
{
"kind": "Status",
"apiVersion": "v1",
"metadata": {
},
"status": "Failure",
"message": "nodes is forbidden: User "system:anonymous" cannot list nodes at the cluster scope",
"reason": "Forbidden",
"details": {
"kind": "nodes"
},
"code": 403
}
问题原因
该节点在/etc/profile中配置了全局代理,kubectl访问kube-apiserver也通过代理转发请求,导致证书不对,连接拒绝。
解决方法
取消全局代理,只配置Docker代理、yum代理、wget代理。
参考4.1。
kubeadm join --token=a20844.654ef6410d60d465 --discovery-token-ca-cert-hash sha256:0c2dbe69a2721870a59171c6b5158bd1c04bc27665535ebf295c918a96de0bb1 master.k8s.samwong.im:6443
[kubeadm] WARNING: kubeadm is in beta, please do not use it for production clusters.
[preflight] Running pre-flight checks
[discovery] Trying to connect to API Server "master.k8s.samwong.im:6443"
[discovery] Created cluster-info discovery client, requesting info from "https://master.k8s.samwong.im:6443"
[discovery] Failed to request cluster info, will try again: [Get https://master.k8s.samwong.im:6443/api/v1/namespaces/kube-public/configmaps/cluster-info: EOF]
kubeadm token list
[root@master ~]# kubeadm token create --ttl 0
3a536a.5d22075f49cc5fb8
[root@master ~]# kubeadm token list
TOKEN TTL EXPIRES USAGES DESCRIPTION EXTRA GROUPS
3a536a.5d22075f49cc5fb8 <forever> <never> authentication,signing <none> system:bootstrappers:kubeadm:default-node-token
[root@dream7788 ~]# wget https://repo.mysql.com//mysql57-community-release-el7-9.noarch.rpm
[root@dream7788 ~]# yum localinstall mysql57-community-release-el7-9.noarch.rpm
[root@dream7788 ~]# yum repolist enabled | grep "mysql.*-community.*"
[root@dream7788 ~]# yum install mysql-community-server
[root@dream7788 ~]# systemctl restart mysqld.service
[root@dream7788 ~]# grep 'temporary password' /var/log/mysqld.log
显示如下:
2017-01-08T19:41:01.080513Z 1 [Note] A temporary password is generated for root@localhost: js!iUor1wOTT
[root@dream7788 ~]# mysql -u root -p
修改密码:
mysql> set global validate_password_policy=0;
mysql> ALTER USER 'root'@'localhost' IDENTIFIED BY 'dream7788';
mysql> FLUSH PRIVILEGES;
mysql> GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' IDENTIFIED BY 'dream7788' WITH GRANT OPTION;
mysql> FLUSH PRIVILEGES;
mysql> quit
本篇方法支持的系统版本?
#修改/etc/sysconfig/network文件
vi /etc/sysconfig/network
#修改HOSTNAME
HOSTNAME=MyHost
#查看
hostname
2、修改Host文件(非必要操作)
#增加以下配置
127.0.0.1 MyHost
::1 MyHost
3、重启系统
#重启
reboot
#修改主机名
hostnamectl set-hostname MyHost
#查看主机名
hostname
hostnamectl --static
hostnamectl --transient
hostnamectl --pretty
2、修改Host文件(非必要操作)
#增加以下配置
127.0.0.1 MyHost
::1 MyHost
3、重启系统
#重启
reboot
hostnamectl 是在 centos7 中新增加的命令,它是用来修改主机名称的,centos7 修改主机名称会比以往容易许多。
# hostnamectl -h
-h --help 显示帮助
--version 显示安装包的版本
--transient 修改临时主机名
--static 修改瞬态主机名
--pretty 修改灵活主机名
-P --privileged 在执行之前获得的特权
--no-ask-password 输入密码不提示
-H --host=[USER@]HOST 操作远程主机
Commands:
status 显示当前主机名设置
set-hostname NAME 设置系统主机名
set-icon-name NAME 为主机设置icon名
set-chassis NAME 设置主机平台类型名
在CentOS7中有三种定义的主机名:
静态的(static)、瞬态的(transient)、和灵活的(pretty)。
静态主机名也称为内核主机名,是系统在启动时从/etc/hostname内自动初始化的主机名。
瞬态主机名是在系统运行时临时分配的主机名。
灵活主机名则允许使用特殊字符的主机名。
# hostnamectl 或者 # hostnamectl status (显示的结果都一样)
Static hostname: localhost.localdomain
Icon name: computer-vm
Chassis: vm
Machine ID: 049717292ec9452890e50401d432e43c
Boot ID: 2e69a66a7c724db6a44a8536f1670f7f
Virtualization: kvm
Operating System: CentOS Linux 7 (Core)
CPE OS Name: cpe:/o:centos:centos:7
Kernel: Linux 3.10.0-229.el7.x86_64
Architecture: x86_64
# hostnamectl set-hostname Linuxprobe
# hostnamectl status
Static hostname: linuxprobe
Pretty hostname: Linuxprobe
Icon name: computer-vm
Chassis: vm
Machine ID: dc99c115d7414d159fa4c5c0c0541c55
Boot ID: 6236b67c13af4d98b5fa3780e66dfdeb
Virtualization: kvm
Operating System: CentOS Linux 7 (Core)
CPE OS Name: cpe:/o:centos:centos:7
Kernel: Linux 3.10.0-229.el7.x86_64
Architecture: x86_64
去年购买的阿里云到期了,由于阿里云续费比新买贵很多,所以重现买了一台虚拟机,迁移过程中需要重新配置Let’s Encrypt证书,在执行过程中发现了一些问题,经过几个小时的摸索,终于搞定。
yum install epel-release -y
yum install certbot -y
然后执行:
certbot certonly --webroot -w /home/www/www.biaodianfu.com -d www.biaodianfu.com -m [email protected] --agree-tos
相关参数含义:
location ~ /.well-known {
allow all;
}
最终的配置文件如下:
server {
listen 80;
server_name biaodainfu.com www.biaodianfu.com;
index index.html index.htm index.php;
charset utf-8;
root /home/www/www.biaodianfu.com;
location / {
try_files $uri $uri/ =404;
}
error_page 404 /404.html;
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
location ~ .php$ {
try_files $uri =404;
fastcgi_pass php-fpm;
#fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
location ~ .*.(gif|jpg|jpeg|png|bmp|swf|flv|mp3|wma)$
{
expires 30d;
}
location ~ .*.(js|css)$
{
expires 12h;
}
location ~ /.well-known {
allow all;
}
}
重新nginx后执行申请证书的操作,正常情况下可以看到如下的显示内容:
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/www.biaodianfu.com/fullchain.pem. Your cert will
expire on 2018-02-25. To obtain a new or tweaked version of this
certificate in the future, simply run certbot again. To
non-interactively renew *all* of your certificates, run "certbot
renew"
- If you lose your account credentials, you can recover through
e-mails sent to [email protected].
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
完成后,再配置nginx服务器,将服务器配置成支持https的访问。
server {
listen 80;
server_name biaodianfu.com www.biaodianfu.com;
return 301 https://www.biaodianfu.com$request_uri;
}
server {
listen 443 ssl http2;
server_name biaodainfu.com www.biaodianfu.com;
index index.html index.htm index.php;
charset utf-8;
root /home/www/www.biaodianfu.com;
ssl_certificate /etc/letsencrypt/live/www.biaodianfu.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/www.biaodianfu.com/privkey.pem;
location / {
try_files $uri $uri/ /index.php?$args;
}
error_page 404 /404.html;
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
location ~ .php$ {
try_files $uri =404;
fastcgi_pass php-fpm;
#fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
location ~ .*.(gif|jpg|jpeg|png|bmp|swf|flv|mp3|wma)$
{
expires 30d;
}
location ~ .*.(js|css)$
{
expires 12h;
}
location = /favicon.ico {
log_not_found off;
access_log off;
}
location ~ /.well-known {
allow all;
}
}
以上为一般的步骤与过程,现在在执行centos 7.2时并没有遇到什么问题,这次使用的是centos 7.4却发生了问题。
问题一:ImportError: No module named ‘requests.packages.urllib3’
原因是系统自带的requests的版本太低,参照这个地址上的临时解决方案:
pip install requests urllib3 pyOpenSSL --force --upgrade
执行完引发第二个问题:ImportError: ‘pyOpenSSL’ module missing required functionality. Try upgrading to v0.14 or newer.
主要原因是RHEL/CentOS的官方源和epel源的pyOpenSSL版本太旧了,新版的certbot依赖于高版本的pyOpenSSL库,从而失败。
解决方案,卸载epel中的certbot和PyOpenSSL,使用pip进行安装certbot。
pip search certbot
yum remove certbot pyOpenSSL
pip install certbot
pip install certbot。 如果碰到了Python.h或者pyconfig.h找不到的错误,可以安装Python的devel包: yum install -y python-devel;再次运行命令,提示找不到opensslv.h头文件,再安装OpenSSL的devel包: yum install -y openssl-devel;再次运行pip install certbot命令,成功安装certbot。
完成后执行 certbot certificates 进行验证。输出正常,说明pip安装了最新版的certbot,并且能正确运行。
由于这个证书的时效只有 90 天,我们需要设置自动更新的功能,帮我们自动更新证书的时效。首先先在命令行模拟证书更新:
certbot renew --dry-run
模拟更新成功的效果如下:
[root@iZuf64dhkm7u57qfwrrhw6Z ~]# certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log
-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/www.biaodianfu.com.conf
-------------------------------------------------------------------------------
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.biaodianfu.com
Waiting for verification...
Cleaning up challenges
-------------------------------------------------------------------------------
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/www.biaodianfu.com/fullchain.pem
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)
Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/www.biaodianfu.com/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)
-------------------------------------------------------------------------------
IMPORTANT NOTES:
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
[root@iZuf64dhkm7u57qfwrrhw6Z ~]#
在无法确认你的 nginx 配置是否正确时,一定要运行模拟更新命令,确保certbot和服务器通讯正常。使用 crontab -e 的命令来启用自动任务,命令行:
crontab -e
添加配置:(每隔两个月凌晨2:30自动执行证书更新操作)后保存退出。
30 2 * */2 * /usr/bin/certbot renew --quiet && /bin/systemctl restart nginx
查看证书有效期的命令:
openssl x509 -noout -dates -in /etc/letsencrypt/live/www.biaodianfu.com/cert.pem
Qualys SSL Labs 提供了全面的 SSL 安全性测试,填写你的网站域名,给自己的 HTTPS 配置打个分。理想情况下得分是A+,如果你和我一样获得的是A-那么还有很多的改善空间。另外又扑云也有一个测试https的工具:https://www.upyun.com/https
相关改进:
mkdir /etc/ssl/private/ -p
cd /etc/ssl/private/
openssl dhparam 2048 -out dhparam.pem
Perfect Forward Security(PFS),中文翻译成完美前向保密,2014年时候,由于心血漏洞(存在服务器私钥泄漏的可能),没有使用前向保密的站点,加密通信的数据可以通过私钥来解密,导致信息泄漏,这使得前向保密被重视起来。总的来说会更加安全,不能获得A+的评分主要原因也是因为它。(生成的时间有点长)
# https://mozilla.github.io/server-side-tls/ssl-config-generator/
server {
listen 80;
server_name biaodianfu.com www.biaodianfu.com;
return 301 https://www.biaodianfu.com$request_uri;
}
server {
listen 443 ssl http2;
server_name biaodainfu.com www.biaodianfu.com;
index index.html index.htm index.php;
charset utf-8;
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
root /home/www/www.biaodianfu.com;
ssl_certificate /etc/letsencrypt/live/www.biaodianfu.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/www.biaodianfu.com/privkey.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
ssl_dhparam /etc/ssl/private/dhparam.pem;
# intermediate configuration. tweak to your needs.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# 一般推荐使用的ssl_ciphers值: https://wiki.mozilla.org/Security/Server_Side_TLS
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
ssl_prefer_server_ciphers on;
# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
add_header Strict-Transport-Security max-age=15768000;
location / {
try_files $uri $uri/ /index.php?$args;
}
error_page 404 /404.html;
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
location ~ .php$ {
try_files $uri =404;
fastcgi_pass php-fpm;
#fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
location ~ .*.(gif|jpg|jpeg|png|bmp|swf|flv|mp3|wma)$
{
expires 30d;
}
location ~ .*.(js|css)$
{
expires 12h;
}
location = /favicon.ico {
log_not_found off;
access_log off;
}
location ~ /.well-known {
allow all;
}
}
其他参考:
#创建用户
adduser yourusername
#设置密码
passwd yourusernamepassword
#切换到root用户下,执行
visudo
#找到root ALL=(ALL) ALL这一行,在下面加上
yourusername ALL=(ALL) ALL
# :wq保存并退出
su yourusername
cd ~
sudo mkdir test
#输入密码后成功创建代表设置成功
vi /etc/ssh/sshd_config
#找到#PermitRootLogin yes”将yes该外no
PermitRootLogin no
#找到#Port 22字段删掉#,将22改为其他不被使用的端口
Port XXXX
service sshd restart
重要提醒:这时切莫退出服务器。你要测试能不能使用刚创建的用户成功地通过ssh进入到服务器。打开终端的另一个实例,以之前创建的用户通过ssh进入到服务器。要是一切都正常,你可以以根用户身份安全地注销退出服务器。
由于软件环境的需要较高版本的python,默认CentOS6是2.6版本,CentOS7是2.7版本。这里要顺带提一下,有网友提到在CentOS6中无法安装Seafile云盘一键包的原因,因为需要默认最低是Python2.7版本才可以。而且在这篇文章中,老左调试的一个软件需要Python3以上版本,所以我准备安装Python 3.6。
备注:建议我们不熟悉的网友不要直接在生产环境中直接安装,可以先在测试环境安装看看是否可行。
yum -y groupinstall development zlib zlib-devel
wget https://www.python.org/ftp/python/3.6.0/Python-3.6.0.tar.xz
tar xJf Python-3.6.0.tar.xz
cd Python-3.6.0
./configure
make
make install
which python3
python3 -V
cd /usr/bin
mv python python.backup
ln -s /usr/local/bin/python3 /usr/bin/python
然后我们重启下机器,再看看当前的python是不是3.6
这样python可以升级安装到3.6版本。
Zabbix是一个基于WEB界面提供分布式系统监视以及网络监视功能的企业级开源解决方案,如果您手里要需要管理多台服务器,使用Zabbix来监控非常合适。Zabbix由2部分构成,Zabbix server与可选组件zabbix agent。
Zabbix server需要用到PHP + Mysql支持,(SQLite、PostgreSQL等数据库也可以),由于服务器已经安装了OneinStack(Linux + Nginx+ MySQL+ PHP)环境,为了当前环境不受到影响,所以选择源码编译方式安装Zabbix server
#安装各种依赖
yum -y install gcc gcc-c++ curl-devel mysql-devel curl-devel net-snmp net-snmp-devel
#创建用户 & 用户组
groupadd zabbix
useradd -g zabbix zabbix
#下载源码,可从官方下载最新版
wget http://soft.xiaoz.org/linux/zabbix-3.4.4.tar.gz
#解压
tar -zxvf zabbix-3.4.4.tar.gz && cd zabbix-3.4.4
#编译安装
./configure --enable-server --enable-agent --with-mysql --with-net-snmp --with-libcurl --with-libxml2
make install
注意事项:
xiaoz在写这篇文章的时候Zabbix 最新稳定版为3.4,可以在官方https://www.zabbix.com/download找到最新的源码包
如果编译的时候提示“checking for mysql_config… configure: error: MySQL library not found”这样的报错,这种情况可以指定mysql_config位置,比如:
#查找mysql_config位置
find / -name 'mysql_config'
#指定位置
--with-mysql=/usr/local/mysql/bin/mysql_config
如果编译的时候依然有报错,请根据实际报错情况搜索处理。CentOS 7编译安装Zabbix server后,配置文件路径如下:
/usr/local/etc/zabbix_server.conf
/usr/local/etc/zabbix_agentd.conf
需要自己创建一个数据库(略过),并将源码包里面有3个数据库文件(位于zabbix-3.4.4/database/mysql),一定要按照下面的顺序依次导入:
├─ zabbix-3.4.4/database/mysql
├─ schema.sql
├─ images.sql
└─ data.sql
修改配置文件/usr/local/etc/zabbix_server.conf填写正确的数据库账号、密码等信息,然后输入zabbix_server && zabbix_agentd启动Zabbix server和Zabbix agent
WEB界面使用PHP开发,所以您需要新建一个站点,PHP源码位于zabbix-3.4.4/frontends/php将里面的所有源码拷贝到您站点目录下,访问您的域名:http://domain.com/输入Zabbix Server的一些基本信息即可完成,安装成功后会看到如下界面。用户名是Admin,密码是zabbix,请登录后务必修改。
设置中文
Zabbix默认界面是英文语言,可以在个人中心设置为中文语言,方便管理,如下图。
中文乱码?
打开自己的电脑C:WindowsFonts随便拖一个中文语言字体出来,比如simkai.ttf上传至站点fonts目录下,替换原来的默认字体。
#对原来的字体备份
mv DejaVuSans.ttf DejaVuSans.ttf.bak
#对新上传的字体命名
mv simkai.ttf DejaVuSans.ttf
先将Zabbix注册为服务,并赋予权限,再设置开机启动,执行下面的命令即可:
cd zabbix-3.4.4
cp misc/init.d/tru64/zabbix_server /etc/init.d/zabbix_server
cp misc/init.d/tru64/zabbix_agentd /etc/init.d/zabbix_agentd
#赋予权限
chmod 755 /etc/init.d/zabbix_*
编辑zabbix_server、zabbix_agentd这两个文件,在头部加入:
#chkconfig: 35 95 95
#description:zabbix Agent server
注册为服务,并开机启动:
chkconfig --add zabbix_server
chkconfig --add zabbix_agentd
chkconfig zabbix_server on
chkconfig zabbix_agentd on
至此安装已基本完成,如果需要监控其它服务器数据,可通过官方RPM包方式仅安装客户端即可。客户端不需要PHP/数据库支持,推荐官方RPM包方式安装客户端,较为便捷。
主机商一般默认带有服务器数据监控功能,但如果您手里有多台服务器且不在一个服务商,管理起来很不方便,而且出现故障无法及时知晓,Zabbix正好可以完美解决这个问题,Zabbix不仅数据详细,且支持多种不同动作及通知等,以及开放的API,可以在现有基础上不断定制和强化。Zabbix功能实在是太强大了,xiaoz连皮毛都还未掌握。
在Bash中有个ulimit命令,提供了对Shell及该Shell启动的进程的可用资源控制。主要包括打开文件描述符数量、用户的最大进程数量、coredump文件的大小等。
在CentOS 5/6等版本中,资源限制的配置可以在/etc/security/limits.conf设置,针对root/user等各个用户或者*代表所有用户来设置。
当然,/etc/security/limits.d/
中可以配置,系统是先加载limits.conf然后按照英文字母顺序加载limits.d目录下的配置文件,后加载配置覆盖之前的配置。 一个配置示例如下:
* soft nofile 100000
* hard nofile 100000
* soft nproc 100000
* hard nproc 100000
* soft core 100000
* hard core 100000
不过,在CentOS 7/RHEL 7的系统中,使用Systemd替代了之前的SysV,因此/etc/security/limits.conf
文件的配置作用域缩小了一些。limits.conf这里的配置,只适用于通过PAM认证登录用户的资源限制,它对systemd的service的资源限制不生效。登录用户的限制,与上面讲的一样,通过/etc/security/limits.conf和
limits.d来配置即可。
对于systemd service的资源限制,如何配置呢?
全局的配置,放在文件/etc/systemd/system.conf和/etc/systemd/user.conf。
同时,也会加载两个对应的目录中的所有.conf文件/etc/systemd/system.conf.d/.conf和/etc/systemd/user.conf.d/.conf
其中,system.conf是系统实例使用的,user.conf用户实例使用的。一般的sevice,使用system.conf中的配置即可。systemd.conf.d/*.conf中配置会覆盖system.conf。
DefaultLimitCORE=infinity
DefaultLimitNOFILE=100000
DefaultLimitNPROC=100000
注意:修改了system.conf后,需要重启系统才会生效。
针对单个Service,也可以设置,以nginx为例。
编辑/usr/lib/systemd/system/nginx.service文件,或者/usr/lib/systemd/system/nginx.service.d/my-limit.conf文件,做如下配置:
[Service]
LimitCORE=infinity
LimitNOFILE=100000
LimitNPROC=100000
然后运行如下命令,才能生效。
sudo systemctl daemon-reload
sudo systemctl restart nginx.service
查看一个进程的limit设置:cat /proc/YOUR-PID/limits
例如我的一个nginx service的配置效果:
$ cat /proc/$(cat /var/run/nginx.pid)/limits
Limit Soft Limit Hard Limit Units
Max cpu time unlimited unlimited seconds
Max file size unlimited unlimited bytes
Max data size unlimited unlimited bytes
Max stack size 8388608 unlimited bytes
Max core file size unlimited unlimited bytes
Max resident set unlimited unlimited bytes
Max processes 100000 100000 processes
Max open files 100000 100000 files
Max locked memory 65536 65536 bytes
Max address space unlimited unlimited bytes
Max file locks unlimited unlimited locks
Max pending signals 1030606 1030606 signals
Max msgqueue size 819200 819200 bytes
Max nice priority 0 0
Max realtime priority 0 0
Max realtime timeout unlimited unlimited us
顺便提一下,CentOS7自带的/etc/security/limits.d/20-nproc.conf,里面默认设置了非root用户的最大进程数为4096,被limit.d目录中的配置覆盖了。