其中架构总体规划_第1张图片

Web01的操作

1安装nginx的eplo源

   [root@web01 ~]# cat /etc/yum.repos.d/nginx.repo 
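   [nginx]
   name=nginx repo
   baseurl=http://nginx.org/packages/centos/7/$basearch/
   # verify package signatures against nginx's published signing key instead of
   # installing whatever the (plain-http) mirror serves
   gpgcheck=1
   gpgkey=https://nginx.org/keys/nginx_signing.key
   enabled=1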

2、yum install nginx -y

3、创建www用户组

   [root@web01 ~]# groupadd -g 666 www
   [root@web01 ~]# useradd -u666 -g 666 www

4、安装php的eplo源

   yum localinstall -y http://mirror.webtatic.com/yum/el7/webtatic-release.rpm

5、安装php插件

   [root@nginx ~]# yum -y install php71w php71w-cli php71w-common php71w-devel \
   php71w-embedded php71w-gd php71w-mcrypt php71w-mbstring php71w-pdo php71w-xml php71w-fpm \
   php71w-mysqlnd php71w-opcache php71w-pecl-memcached php71w-pecl-redis php71w-pecl-mongodb

6、修改Nginx和php的用户组

   [root@web01 ~]# sed -i '/^user/c user www;' /etc/nginx/nginx.conf
   [root@web01 ~]# sed -i '/^user/c user = www' /etc/php-fpm.d/www.conf 
   [root@web01 ~]# sed -i '/^group/c group = www' /etc/php-fpm.d/www.conf

7、启动nginx和php-fpm服务

   [root@web02 ~]# systemctl restart nginx php-fpm.service 
   [root@web02 ~]# systemctl enable nginx php-fpm.service

8、修改配置文件名

   [root@web02 ~]# cd /etc/nginx/conf.d/
   [root@web02 conf.d]# mv default.conf default.off

9、编写conf配置文件

1)编写wordpress配置文件

[root@web02 conf.d]# cat  blog.oldboyedu.conf
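server {
        server_name blog.oldboyedu.com;
        listen 80;
        root /code/wordpress;
        index index.php index.html;

        location ~ \.php$ {
            root /code/wordpress;
            # only hand files that really exist to php-fpm; otherwise a path such as
            # /wp-content/uploads/file.jpg/x.php can be resolved by php-fpm via PATH_INFO
            # onto the uploaded file. uploads/ is a writable NFS share in this layout,
            # so answering 404 here is the safe default.
            try_files $uri =404;
            fastcgi_pass   127.0.0.1:9000;
            fastcgi_index  index.php;
            fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
            include        fastcgi_params;
        }
}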
[root@web01 conf.d]# cat zh.oldboyedu.conf 
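server {
        server_name zh.oldboyedu.com;
        listen 80;
        root /code/zh;
        index index.php index.html;

        location ~ \.php$ {
            root /code/zh;
            # refuse requests whose .php target does not exist on disk, so php-fpm
            # never maps a PATH_INFO-style request onto a file under the writable,
            # NFS-backed uploads/ directory
            try_files $uri =404;
            fastcgi_pass   127.0.0.1:9000;
            fastcgi_index  index.php;
            fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
            include        fastcgi_params;
        }
}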

2)创建目录

       [root@web02 conf.d]# mkdir /code  

3)上传代码解压

         wordpress
         wecenter

4)授权

    [root@web02 /]# chown -R www.www /code/

5)检查语法

    [root@web02 conf.d]# nginx -t

6) 重载服务

    [root@web02 conf.d]# systemctl restart nginx 
    [root@web02 conf.d]# systemctl reload nginx

10、域名解析

  hosts 10.0.0.8 zh.oldboyedu.com  blog.oldboyedu.com

11、安装数据库

1.下载MySQL官方扩展源

    [root@nginx ~]# rpm -ivh http://repo.mysql.com/yum/mysql-5.7-community/el/7/x86_64/mysql57-community-release-el7-10.noarch.rpm

2.安装mysql5.7, 文件过大可能会导致下载缓慢

    [root@nginx ~]# yum install mysql-community-server -y

3.启动数据库, 并加入开机自启动

    [root@nginx ~]# systemctl start mysqld
    [root@nginx ~]# systemctl enable mysqld

4.由于mysql5.7默认配置了默认密码, 需要过滤temporary password关键字查看对应登陆数据库密码

    [root@nginx ~]# grep "temporary password" /var/log/mysqld.log

5.登陆mysql数据库[password中填写上一步过滤的密码]

    # the temporary password is expanded onto the command line, so it is visible in
    # `ps` and the shell history for that moment; typing it at the -p prompt avoids this
    [root@web02 ~]# mysql -uroot -p$(awk '/temporary password/{print $NF}' /var/log/mysqld.log)

6.重新修改数据库密码

    mysql> ALTER USER 'root'@'localhost' IDENTIFIED BY 'Bgx123.com';

7.创建数据库

      mysql> create database wordpress;
    mysql> create database zh;   
    mysql> create database jrepss;
    -- 'all'@'%' gets every privilege on every database from any host: one shared
    -- password for a network-wide superuser. Scope it to the three databases above
    -- and to the web subnet (as the replication grant later does with '172.16.1.%').
    mysql> grant all privileges on *.* to 'all'@'%' identified by 'Bgx123.com';
    mysql> flush privileges;

12、修改zh的上传文件的大小。

    post_max_size = 300M
    upload_max_filesize = 300M
    memory_limit = 300M

13、登录界面,且迅速安装第二台机器。

web02快速扩展一台

1)创建www用户

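    # uid/gid 666 must be identical on every web node and match the NFS export's
    # anonuid/anongid, otherwise files on the shared uploads directories are not writable;
    # the user name was truncated to "w" in the original
    [root@web02 ~]# groupadd -g 666 www
    [root@web02 ~]# useradd -u666 -g666 www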

2)安装nginx与php

    [root@web02 ~]# scp [email protected]:/etc/yum.repos.d/* /etc/yum.repos.d/

3)安装php

     [root@web02 ~]# yum -y install php71w php71w-cli php71w-common php71w-devel php71w-embedded php71w-gd php71w-mcrypt php71w-mbstring php71w-pdo php71w-xml php71w-fpm php71w-mysqlnd php71w-opcache php71w-pecl-memcached php71w-pecl-redis php71w-pecl-mongodb nginx

4)修改Nginx和php的用户组

   [root@web01 ~]# sed -i '/^user/c user www;' /etc/nginx/nginx.conf
   [root@web01 ~]# sed -i '/^user/c user = www' /etc/php-fpm.d/www.conf 
   [root@web01 ~]# sed -i '/^group/c group = www' /etc/php-fpm.d/www.conf

Web03操作

1、安装Jpress

1、安装JAVA软件

   [root@web03 ~]# yum install java -y

2、创建目录

   [root@web03 ~]mkdir  /code

3、下载软件包

   [root@web03 code]# wget http://mirrors.shu.edu.cn/apache/tomcat/tomcat-9/v9.0.12/bin/apache-tomcat-9.0.12.tar.gz

4、解包

   [root@web03 code]#tar xf apache-tomcat-9.0.12.tar.gz 
   [root@web03 code]# ln -s /code/apache-tomcat-9.0.12 /code/tomcat

2、下载jpress

   [root@web03 ~]# cd /code/tomcat/webapps
   [root@web03 ~]# rz 上传jpress的war
   启动Tomcat服务
   [root@web03 ~]# /code/tomcat/bin/startup.sh

3、浏览器访问

    10.0.0.9:8080

4、创建www用户和组

      [root@web03 ~]# groupadd -g 666 www
      [root@web03 ~]# useradd -g 666 -u666 www

5、下载nginx做tomcat反向代理

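  [root@web03 ~]#scp [email protected]:/etc/yum.repos.d/* /etc/yum.repos.d/
  # "-yum" was a typo for -y
  [root@web03 ~]#yum install nginx -y
  # set the worker user before the first start (same edit as on web01); the original
  # sed mixed the s/// and c\ commands and would not have changed the line
  [root@web03 ~]# sed -i '/^user/c user www;' /etc/nginx/nginx.conf
  [root@web03 ~]systemctl restart nginx
  [root@web03 ~]systemctl enable nginx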

6、编写代理conf文件

    [root@web03 ~]# vim /etc/nginx/conf.d/jpress.oldboyedu.conf 
# reverse proxy in front of the Tomcat started on :8080 above. Nothing forwards the
# client address here, so Tomcat's logs will show 127.0.0.1 as the client —
# presumably acceptable for a single-node lab; the lb01 proxy_params file shows
# the X-Real-IP/X-Forwarded-For headers to add if that matters.
server{
      listen 80;
      server_name jpress.oldboyedu.com;
      location / {
      proxy_pass http://127.0.0.1:8080;
      index index.jsp;
      }
}

nfs31共享存储(图片和视频主要)

1、下载nfs应用软件

      [root@nfs ~]# yum -y install nfs-utils 
      [root@nfs ~]# systemctl restart nfs
      [root@nfs ~]# systemctl enable nfs

2、创建www用户和组

      [root@nfs ~]# groupadd -g 666 www
      [root@nfs ~]# useradd -g 666 -u666 www

3、编写共享配置

      [root@nfs ~]# cat /etc/exports
      # every host in 172.16.1.0/24 may mount read/write; all_squash maps every client
      # uid/gid (root included) to 666:666, i.e. the www user the web nodes run as,
      # so ownership on the shares is uniform regardless of which node wrote a file
      /data/blog 172.16.1.0/24(rw,sync,all_squash,anonuid=666,anongid=666)
      /data/zh 172.16.1.0/24(rw,sync,all_squash,anonuid=666,anongid=666)
      /data/jpress 172.16.1.0/24(rw,sync,all_squash,anonuid=666,anongid=666)

4、创建挂载目录并授权

      [root@nfs ~]# mkdir /data/{blog,zh,jpress} -p
      [root@nfs ~]# chown -R www.www /data
      [root@nfs ~]# systemctl enable nfs-server
      [root@nfs ~]# systemctl start nfs-server

5、挂载web1.web2.web3

《jpress》
       [root@web03 ~]# cd /code/tomcat/webapps/ROOT/
       [root@web03 ROOT]# ls
       [root@web03 ROOT]# mv attachment/ attachment_bak
       [root@web03 ROOT]# mkdir attachment
       [root@web03 ROOT]# mount -t nfs 172.16.1.31:/data/jpress /code/tomcat/webapps/ROOT/attachment
       [root@web03 ROOT]# cp -rp attachment_bak/* attachment
       [root@web03 ROOT]# cat /etc/fstab
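       # fstab takes six fields (<source> <mountpoint> <type> <options> <dump> <pass>);
       # the original line carried two extra "0 0" fields
       172.16.1.31:/data/jpress /code/apache-tomcat-9.0.12/webapps/ROOT/attachment nfs defaults 0 0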
《web01》wordpress
       [root@web02 wp-content]# mv uploads/ uploads_bak
       [root@web02 wp-content]# mkdir uploads
       [root@web02 wp-content]# mount -t nfs 172.16.1.31:/data/blog /code/wordpress/wp-content/uploads
       [root@web02 wp-content]# cp -rp uploads_bak/* uploads/
《web01》wecenter
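       [root@web02 uploads]# mv article article_bak
       [root@web02 uploads]# mkdir article
       # the filesystem type after -t was missing in the original
       [root@web02 uploads]# mount -t nfs 172.16.1.31:/data/zh /code/zh/uploads/article
       [root@web02 uploads]# cp -rp article_bak/* article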

开机自启动

       [root@web02 zh]# cat /etc/fstab
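       # six fields per entry; the trailing "0 0" duplicates were dropped
       172.16.1.31:/data/blog /code/wordpress/wp-content/uploads nfs    defaults        0 0
       172.16.1.31:/data/zh /code/zh/uploads/article            nfs     defaults        0 0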

Sersync实时同步

实时同步

1.安装inotify-tools rsync

[root@nfs ~]# yum install inotify-tools rsync -y

下载sersync软件包解压及重命名

wget https://raw.githubusercontent.com/wsgzao/sersync/master/sersync2.5.4_64bit_binary_stable_final.tar.gz
[root@nfs ~]# tar xf sersync2.5.4_64bit_binary_stable_final.tar.gz
[root@nfs ~]# mv GNU-Linux-x86/ /usr/local/sersync

配置文件

[root@nfs ~]# ==vim /usr/local/sersync/confxml.xml==

``` xml
  5       
  6       
  7         
  8         
  9         
 10         
 11     

 12      
 13         
 14         
 15         
 16         
 17         
 18         
 19         
 20         
 21     

 23     
 24          
 25               
 28         

 29          
 30             
 31             
 32             
 33             
 34             
 35         

            
  36         
### .创建密码文件

[root@nfs01 sersync]# echo "123" > /etc/rsync.pass
[root@nfs ~]# chmod 600 /etc/rsync.pass

### 启动sersync
[root@nfs ~]# /usr/local/sersync/sersync2  -h
set the system param
execute:echo 50000000 > /proc/sys/fs/inotify/max_user_watches
execute:echo 327679 > /proc/sys/fs/inotify/max_queued_events
parse the command param______________________________________________________
参数-d:启用守护进程模式
参数-r:在监控前,将监控目录与远程主机用rsync命令推送一遍
参数-n: 指定开启守护线程的数量,默认为10个
参数-o:指定配置文件,默认使用confxml.xml文件
参数-m:单独启用其他模块,使用 -m refreshCDN 开启刷新CDN模块
参数-m:单独启用其他模块,使用 -m socket 开启socket模块
参数-m:单独启用其他模块,使用 -m http 开启http模块
不加-m参数,则默认执行同步程序__________________________________________
[root@nfs ~]# /usr/local/sersync/sersync2 -dro /usr/local/sersync/confxml.xml
####**注意:如果发生错误,请手动执行命令检查推送是否正常**
[root@nfs ~]# cd /data && rsync -avz -R --delete ./  --timeout=100 [email protected]::data --password-file=/etc/rsync.pass
/usr/local/sersync/sersync2 -dro /usr/local/sersync/confxml.xml
**如果nfs现在down机了,希望将web客户端挂载至backup服务器上?怎么实现?**
### 1.nfs和backup两台服务器应该保持一样(nfs配置。nfs共享的目录。nfs的权限)

[root@backup ~]# yum install nfs-utils -y
[root@backup ~]# rsync -avz [email protected]:/etc/exports /etc/
[root@backup ~]# groupadd -g 666 www
[root@backup ~]# useradd -u666 -g666 www

### 2.启动nfs

[root@backup ~]# systemctl start rpcbind
[root@backup ~]# systemctl start nfs-server

### 3.修改rsync的权限vim /etc/rsyncd.conf

uid = www
gid = www

### 4.修改授权

[root@backup ~]# chown -R www.www /data/ /backup/

### 5.重启rsync

[root@backup ~]# systemctl restart rsyncd

### 6.模拟nfs故障(挂起虚拟机)
### 7.web强制卸载172.16.1.31:/data       
[root@web01 ~]# umount -lf /data
### 8.web尝试挂载172.16.1.41:/data 
    [root@web01 ~]# mount -t nfs 172.16.1.41:/data /data/
# lb01负载均衡proxy代理
## 1、安装Nginx服务
      [root@lb01 ~]# scp -rp [email protected]:/etc/yum.repos.d/nginx.repo /etc/yum.repos.d/ 
      [root@lb01 ~]# yum install nginx -y   
## 2、编写代理conf脚本
[root@lb01 ~]# cat  /etc/nginx/conf.d/blog_proxy.conf
# round-robin over the two PHP web nodes; proxy_params forwards Host,
# X-Real-IP and X-Forwarded-For to them
upstream blog {
    server 172.16.1.7:80;
    server 172.16.1.8:80;
}
server {
    # NOTE(review): the web nodes are configured for blog.oldboyedu.com, and Host is
    # passed through unchanged; this name presumably only works because the blog
    # vhost is their default server — confirm before relying on it
    server_name blog.oldboy.com;
    listen 80;
    location / {
        proxy_pass http://blog;
        include proxy_params;
    }
}
[root@lb01 ~]# cat /etc/nginx/conf.d/zh_proxy.conf 
upstream zh {
    server 172.16.1.7:80;
    server 172.16.1.8:80;
}
server {
    # NOTE(review): the web nodes serve zh.oldboyedu.com; a forwarded Host of
    # zh.oldboy.com matches no server_name there and falls to their default vhost,
    # so this likely serves the wrong site. The https version later uses
    # zh.oldboyedu.com — verify which name the hosts entry actually resolves.
    server_name zh.oldboy.com;
    listen 80;
    location / {
        proxy_pass http://zh;
        include proxy_params;
    }
}
[root@lb01 ~]# cat /etc/nginx/conf.d/jpress_proxy.conf
# single Tomcat backend on web03 (no failover: one server in the group)
upstream java {
    server 172.16.1.9:8080;
}
server {
    listen 80;
    server_name jpress.oldboy.com;
    location / {
        proxy_pass http://java;
        include proxy_params;
    }
}

3、设置共有优化配置文件

        [root@lb01 ~]# cat /etc/nginx/proxy_params 
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_connect_timeout 30;
        proxy_send_timeout 60;
        proxy_read_timeout 60;
        proxy_buffering on;
        proxy_buffer_size 32k;
        proxy_buffers 4 128k;

        [root@lb01 ~]# systemctl enable nginx 
        [root@lb01 ~]# systemctl start nginx

4、设置ssl证书https

//生成证书(仅生成一次即可, 其他机器拷贝)

        [root@web01 ~]# mkdir /etc/nginx/ssl_key -p
        [root@web01 ~]# cd /etc/nginx/ssl_key
        # the IDEA-encrypted key written here (passphrase prompt) is overwritten by the
        # -newkey/-keyout of the next command, so this step is redundant
        [root@web01 ~]# openssl genrsa -idea -out server.key 2048
        # self-signed, 100-year certificate with an unencrypted key (-nodes); browsers
        # will warn about it, which is the "shield" step mentioned later
        [root@web01 ~]# openssl req -days 36500 -x509 -sha256 -nodes -newkey rsa:2048 -keyout server.key -out server.crt

#配置第二台web节点

        [root@web01 ~]# scp -rp /etc/nginx/ssl_key/ [email protected]:/etc/nginx/  
        [root@web01 ~]# scp -rp /etc/nginx/ssl_key/ [email protected]:/etc/nginx/

5、配置nginx的负载均衡支持https

[root@lb01 conf.d]# cat blog_proxy.conf 
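upstream blog {
    server 172.16.1.7:80;
    server 172.16.1.8:80;
}
# the plain-http listener only redirects to https
server {
    server_name blog.oldboy.com;
    listen 80;
    return 302 https://$server_name$request_uri;
}
server {
    server_name blog.oldboy.com;
    # "ssl on;" is deprecated in favour of the listen parameter and newer nginx
    # releases reject it; the listen form is accepted by every version still in use
    listen 443 ssl;
    # self-signed pair generated on web01 and copied here; paths are relative to /etc/nginx
    ssl_certificate   ssl_key/server.crt;
    ssl_certificate_key  ssl_key/server.key;
    # TLS terminates here; traffic to the web nodes stays plain http on the internal net
    location / {
        proxy_pass http://blog;
        include proxy_params;
    }
}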
[root@lb01 ~]# cat /etc/nginx/conf.d/zh_proxy.conf 
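upstream zh {
    server 172.16.1.7:80;
    server 172.16.1.8:80;
}
# plain http only redirects to the https listener below
server {
    server_name zh.oldboyedu.com;
    listen 80;
    return 302 https://$server_name$request_uri;
}
server {
    server_name zh.oldboyedu.com;
    # "ssl on;" is deprecated (and rejected by newer releases); enable TLS on the listen line
    listen 443 ssl;
    ssl_certificate   ssl_key/server.crt;
    ssl_certificate_key  ssl_key/server.key;
    location / {
        proxy_pass http://zh;
        include proxy_params;
    }
}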
[root@lb01 ~]# cat /etc/nginx/conf.d/jpress_proxy.conf
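upstream java {
    server 172.16.1.9:8080;
}

# plain http only redirects to the https listener below
server {
    server_name jpress.oldboyedu.com;
    listen 80;
    return 302 https://$server_name$request_uri;
}
server {
    server_name jpress.oldboyedu.com;
    # "ssl on;" is deprecated (and rejected by newer releases); enable TLS on the listen line
    listen 443 ssl;
    ssl_certificate   ssl_key/server.crt;
    ssl_certificate_key  ssl_key/server.key;
    location / {
        proxy_pass http://java;
        include proxy_params;
    }
}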

6、检查语法重启服务

     [root@lb01 conf.d]# nginx -t
         [root@lb01 conf.d]# systemctl restart nginx

7、登录https,点击小盾牌。

lb01和lb02做高可用keepalive

1、下载keepalived

    [root@lb01 ~]# yum install keepalived -y

2、编写配置文件

[root@lb01 ~]# cat /etc/keepalived/keepalived.conf 
global_defs {
    router_id lb01              # must differ from lb02's router_id
}

vrrp_instance VI_1 {
    state MASTER                # lb01 starts as MASTER; lb02 is BACKUP with a lower priority
    interface eth0
    virtual_router_id 50        # identical on both nodes so they form one VRRP group
    priority 150
    advert_int 1
    authentication {
        auth_type PASS          # PASS only rejects peers with a different secret; it is
        auth_pass 1111          # carried in clear text on the LAN, not a confidentiality control
    }
    virtual_ipaddress {
        10.0.0.3/24 dev eth0    # the VIP that moves between lb01 and lb02
    }
}
[root@lb02 ~]# cat /etc/keepalived/keepalived.conf 
global_defs {
    router_id lb02              # distinct from lb01
}

vrrp_instance VI_1 {
    state BACKUP                # takes over 10.0.0.3 only while lb01's advertisements stop
    interface eth0
    virtual_router_id 50        # same group id as lb01
    priority 100                # lower than lb01's 150, so lb01 reclaims the VIP when it returns
    advert_int 1
    authentication {
        auth_type PASS          # same secret as lb01, otherwise the nodes ignore each other
        auth_pass 1111
    }
    virtual_ipaddress {
        10.0.0.3/24 dev eth0
    }
}

3、重启服务

     [root@lb01 ~]# systemctl enable keepalived
     [root@lb01 ~]# systemctl start keepalived
     [root@lb02 ~]# systemctl enable keepalived
     [root@lb02 ~]# systemctl start keepalived

4、检查keepalived的虚拟IP地址是否漂移

1)在lb01上进行如下操作

    # lb01存在vip地址
    [root@lb01 ~]# ip addr |grep 10.0.0.3
        inet 10.0.0.3/24 scope global secondary eth0

    # 停止lb01上的keepalived, 检测vip已不存在
    [root@lb01 ~]# systemctl stop keepalived
    [root@lb01 ~]# ip addr |grep 10.0.0.3

2)在lb02上进行如下操作

    [root@lb02 ~]# ip addr|grep 10.0.0.3
        inet 10.0.0.3/24 scope global secondary eth0

    lb01重新启动keepalived,发现地址被重新接管

    [root@lb01 ~]# systemctl start keepalived
    [root@lb01 ~]# ip addr |grep 10.0.0.3
         inet 10.0.0.3/24 scope global secondary eth0

lb01和lb02做Nginx缓存

1.修改web端配置文件

[root@web01 ~]# vim /etc/nginx/nginx.conf
# proxy_cache_path is a proxy-side directive: it belongs in the http {} context of the
# node that runs proxy_pass (the lb nodes in this layout). The heading above says "web"
# while the next step says the load balancer — confirm which host is meant.
# /soft/cache must exist and be writable by the nginx worker user; the keys_zone name
# (code_cache) is what the proxy_cache directive refers to.
proxy_cache_path /soft/cache levels=1:2 keys_zone=code_cache:10m max_size=10g inactive=60m use_temp_path=off;

2.负载端

 # cache directives for the proxied location; the zone name must match keys_zone
 proxy_cache code_cache;
 proxy_cache_valid 200 304 12h;      # keep 200/304 answers for 12h
 proxy_cache_valid any 10m;          # everything else for 10 minutes
 # expose HIT/MISS/EXPIRED to the client so cache behaviour can be observed
 add_header Nginx-Cache "$upstream_cache_status";
 # retry the next backend on transport errors and 5xx
 proxy_next_upstream error timeout invalid_header http_500 http_502 http_503  http_504;
相关参数解释:
#proxy_cache 开启缓存
#proxy_cache_valid 状态码200|304的过期为12h, 其余状态码10分钟过期
#proxy_cache_key 缓存key
#add_header 增加头信息, 观察客户端response是否命中
#proxy_next_upstream 出现502-504或错误, 会跳过此台服务器访问下台

备份脚本

[root@lb01-05 ~]# mkdir /server/scripts -p
[root@lb01-05 ~]# vim /server/scripts/backup_client.sh
[root@lb01-05 ~]# cat /server/scripts/backup_client.sh
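#!/bin/bash
# Client-side backup: archive local config and logs into a per-host, per-day
# directory under /backup, record md5 checksums next to it, push the whole tree
# to the rsync "backup" module and prune local files older than seven days.
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin
#1.定义变量 (variables)
Hostname=$(hostname)
# second line, second field of `ifconfig eth1` — the eth1 address in the classic
# net-tools layout; adjust if ifconfig is absent or prints differently
Addr=$(ifconfig eth1 | awk 'NR==2{print $2}')
Date=$(date +%F)
Path=/backup
Dest=${Hostname}_${Addr}_${Date}
#2.创建备份目录 (the original prefixed an extra "/" and produced "//backup/..." paths)
[ -d "$Path/$Dest" ] || mkdir -p "$Path/$Dest"
#3.打包备份文件
tar zcf "$Path/$Dest/system.tar.gz" /etc/nginx /etc/zabbix /etc/keepalived/keepalived.conf
tar zcf "$Path/$Dest/log.tar.gz" /var/log
#4.创建校验 — written beside the day directories as mcheck_<host>_<addr>_<date>,
# which is the name the server-side backup_check.sh looks for
md5sum "$Path/$Dest"/*.tar.gz > "$Path/mcheck_$Dest"
#5.推送数据
# The secret lives in the script and in the process environment; rsync's
# --password-file with a mode-600 file is the safer form. NOTE(review): this value
# must match the server's secrets file entry for rsync_backup — verify.
export RSYNC_PASSWORD=1
# destination is rendered redacted on the page: <rsync user>@<backup host>::backup
rsync -avz "$Path/" [email protected]::backup
#6.删除七天之前数据 — -delete instead of "| xargs rm -rf", which broke on paths with spaces
find "$Path/" -mindepth 1 -type f -mtime +7 -delete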

Rsync备份(backup41)

1安装rsync

       [root@backup ~]# yum install rsync -y

2、配置备份rsync

 [root@backup ~]# cat /etc/rsyncd.conf
uid = www
gid = www
port = 873
# fake super keeps ownership/xattr info as metadata so an unprivileged uid can
# preserve it; "use chroot = no" removes the chroot containment, leaving the
# module paths below as the only boundary for what clients can touch
fake super = yes
use chroot = no
max connections = 200
timeout = 600
ignore errors
read only = false
list = false
# clients authenticate as rsync_backup; the secrets file must be mode 600
auth users = rsync_backup
secrets file = /etc/rsync.passwd
log file = /var/log/rsyncd.log
# the daemon listens on every interface; consider limiting clients to the
# internal subnet the web/nfs nodes use, e.g.
# hosts allow = 172.16.1.0/24
#####################################
[backup]
comment = welcome to oldboyedu backup!
path = /backup
                                           xjsfmlbonphhbaea
# target of the sersync push from the nfs node (writable, since read only = false above)
[data]
comment = welcome to oldboyedu data!
path = /data

3、创建目录,www用户和组

      [root@backup ~]#mkdir /{backup,data} -p
      [root@backup ~]# groupadd -g666 www 
      [root@backup ~]# useradd -u666 -g666 www 
      [root@backup ~]# chown -R www.www /{backup,data}

4、准备密码文件

      [root@backup ~]# echo 'rsync_backup:123' > /etc/rsync.passwd
      [root@backup ~]# chmod 600 /etc/rsync.passwd

5、启动服务并加入开机自启动

      [root@backup ~]# systemctl enable rsyncd
      [root@backup ~]# systemctl start rsyncd

6、创建目录,编写脚本

      [root@lb01 scripts]# mkdir /server/scripts -p
      [root@lb01 ~]# cat  /server/scripts/client_rsync_backup.sh 
客户端
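#!/usr/bin/bash
#批量创建数据文件 — the shebang must be the first line of the file, so the
# comment moved below it
# Daily client backup: archive fstab/rsyncd.conf and the messages/secure logs into
# /backup/<host>_<addr>_<date>, write a checksum "flag", push to the backup server
# and drop local day directories older than seven days. Every step is idempotent,
# so re-running on the same day does no extra work.
#1.定义变量
Host=$(hostname)
Addr=$(ifconfig eth1|awk 'NR==2{print $2}')
Date=$(date +%F)
Dest=${Host}_${Addr}_${Date}
Path=/backup
#2.创建备份目录
[ -d "$Path/$Dest" ] || mkdir -p "$Path/$Dest"
#3.备份对应的文件
# archives use paths relative to / so a restore does not land straight in /etc.
# The original chained these with "&& \" across a comment line and mixed || and &&,
# which made the later steps depend on the earlier file tests; each step now stands alone.
cd / || exit 1
[ -f "$Path/$Dest/system.tar.gz" ] || tar czf "$Path/$Dest/system.tar.gz" etc/fstab etc/rsyncd.conf
[ -f "$Path/$Dest/log.tar.gz" ] || tar czf "$Path/$Dest/log.tar.gz" var/log/messages var/log/secure
#4.携带md5验证信息
[ -f "$Path/$Dest/flag" ] || md5sum "$Path/$Dest"/*.tar.gz > "$Path/$Dest/flag"
#4.推送本地数据至备份服务器
# password in the script and environment; rsync's --password-file (mode 600) is safer.
# The destination is rendered redacted on the page: <rsync user>@<backup host>::backup
export RSYNC_PASSWORD=123
rsync -avz "$Path/" [email protected]::backup
#5.本地保留最近7天的数据
# -mindepth 1 keeps $Path itself out of the candidates; -exec replaces the unquoted
# "| xargs rm -rf" pipeline
find "$Path/" -mindepth 1 -type d -mtime +7 -exec rm -rf -- {} +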
7、测试脚本
       [root@lb01 ~]# chmod +x /server/scripts/client_rsync_backup.sh
       [root@lb01 ~]# sh /server/scripts/client_rsync_backup.sh
8、编写定时任务
       [root@backup ~]# echo '00 00 * * * sh /server/scripts/client_rsync_backup.sh >&/dev/null' >> /var/spool/cron/root

服务端脚本

[root@backup-41 ~]# mkdir /server/scripts -p
[root@backup-41 ~]# vim /server/scripts/backup_check.sh
[root@backup-41 ~]# cat /server/scripts/backup_check.sh
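#!/bin/bash
# Server-side check: verify today's client checksum files (mcheck_<host>_<addr>_<date>),
# mail the result and prune anything under /backup older than 180 days.
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin
#1.定义变量
Path=/backup
Date=$(date +%F)
#2.校验文件
# NUL-delimited so checksum file names with odd characters survive; -r skips md5sum
# when nothing matched (the result file is still created, empty, by the redirection).
# The paths inside each mcheck file are absolute /backup/... paths as written on the
# client, so this only verifies correctly while the module path stays /backup.
find "$Path/" -type f -name "mcheck_*_$Date" -print0 | xargs -0 -r md5sum -c > "$Path/result_$Date"
#3.发送邮件 (recipient is rendered redacted on the page)
mail -s "Rsync_check_backup $Date" [email protected] < "$Path/result_$Date"
#4.删除180天之前文件 — -delete instead of "| xargs rm -rf"
find "$Path/" -type f -mtime +180 -delete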
[root@backup-41 ~]# crontab -l
00 05 * * * /bin/bash /server/scripts/backup_check.sh &>/dev/null

zabbix监控

1、配置zabbix仓库

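     # the command was missing: the URL alone is not a valid shell line. This installs
     # only the repository definition; the packages themselves come from the repo it adds.
     [root@zabbix-server ~]# rpm -ivh https://mirrors.tuna.tsinghua.edu.cn/zabbix/zabbix/3.4/rhel/7/x86_64/zabbix-release-3.4-2.el7.noarch.rpm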

2.安装Zabbix程序包,以及MySQL、Zabbix-agent

注:zabbix-agent可以不安装

       [root@zabbix-server ~]# yum install -y zabbix-server-mysql zabbix-web-mysql zabbix-agent mariadb-server

3、创建Zabbix数据库以及用户

       [root@zabbix-server ~]# mysql -uroot -p
       MariaDB [(none)]> create database zabbix character set utf8 collate utf8_bin;
       MariaDB [(none)]> grant all privileges on zabbix.* to zabbix@localhost identified by 'zabbix';

4.导入Zabbix数据至数据库中

       [root@zabbix-server ~]# cd /usr/share/doc/zabbix-server-mysql-3.4.12/

       [root@linux-node1 zabbix-server-mysql-3.4.12]# zcat create.sql.gz |mysql -uroot zabbix

5.编辑/etc/zabbix/zabbix_server.conf文件,修改数据库配置

       [root@zabbix-server ~]# grep  ^[a-Z]  /etc/zabbix/zabbix_server.conf
       ....
       DBHost=localhost
       DBName=zabbix
       DBUser=zabbix
       DBPassword=zabbix
       ....

6.启动Zabbix服务进程,并加入开机自启

      [root@zabbix-server ~]#  systemctl start zabbix-server
      [root@zabbix-server ~]#  systemctl enable zabbix-server

7.配置Apache的配置文件/etc/httpd/conf.d/zabbix.conf,修改时区。

      [root@zabbix-server ~]# vim /etc/httpd/conf.d/zabbix.conf
      php_value max_execution_time 300
      php_value memory_limit 128M
      php_value post_max_size 16M
      php_value upload_max_filesize 2M
      php_value max_input_time 300
      php_value always_populate_raw_post_data -1
      #取消注释,设置正确的时区
      php_value date.timezone Asia/Shanghai

8.重启Apache Web服务器

     [root@zabbix-server ~]# systemctl start httpd

9、登录10.0.0.71/zabbix

10、《拆分数据库》

[root@ZabbixServer ~]# ll /etc/zabbix/zabbix_server.conf
      DBHost=172.16.1.51
      DBName=zabbix
      DBUser=zabbix
      DBPassword=Bgx123.com
[root@ZabbixServer ~]# systemctl restart zabbix-server
[root@ZabbixServer ~]# ll /etc/zabbix/web/zabbix.conf.php
      $DB['TYPE']     = 'MYSQL';
      $DB['SERVER']   = '172.16.1.51';    ***
      $DB['PORT']     = '0';
      $DB['DATABASE'] = 'zabbix';
      $DB['USER']     = 'zabbix';
      $DB['PASSWORD'] = 'Bgx123.com';    ***

11、在新的数据库上创建zabbix库

      mysql> create database zabbix character set utf8 collate utf8_bin;
      mysql> grant all privileges on zabbix.* to zabbix@'%' identified by 'Bgx123.com';

12、在旧的zabbix服务器上备份数据库文件

     [root@ZabbixServer ~]# mysqldump -uroot \
     --databases zabbix \
     --single-transaction > `date +%F%H`-zabbix.sql

以上命令(12)是一句话,一次性复制

13、将备份的数据库通过远程的方式导入新数据库中

     [root@ZabbixServer ~]# cat 2018-08-2017-zabbix.sql |mysql -h 172.16.1.51 -uzabbix -pBgx123.com zabbix

数据库分离成功

Zabbix监控

     [root@zabbix zabbix_agentd.d]# cat free.conf 监控内存
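     # memory items from `free -m`: last column of the Mem line (available) and the
     # used column of the Swap line, each as a percentage of the total.
     # The Swap line was missing its closing quote, which makes the agent reject the file.
     UserParameter=Men_Num,free -m |awk '/^Mem/{print $NF/$2*100}'
     UserParameter=Swap_Num,free -m|awk '/^Swap/{print $3/$2*100}'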
     [root@zabbix zabbix_agentd.d]# cat io.conf 
     UserParameter=tps,iostat | awk '/^sda/{print $2}'
     [root@zabbix zabbix_agentd.d]# cat tcp.conf 
     # tcp[<state>]: number of sockets whose state column matches the key argument.
     # $1 is substituted into the shell command; the agent's default
     # UnsafeUserParameters=0 rejects shell metacharacters in the argument.
     UserParameter=tcp[*],ss -an|awk '{print $2}'|grep -i "$1"|wc -l

《监控服务Nginx、PHP、nfs、Rsync、mysql、redis》

创建模版

[root@zabbix-server-71 zabbix_agentd.d]# awk  '!/^#/' userparameter_mysql.conf
UserParameter=mysql.status[*],echo "show global status where Variable_name='$1';" | HOME=/var/lib/zabbix mysql -N | awk '{print $$2}'
UserParameter=mysql.size[*],bash -c 'echo "select sum($(case "$3" in both|"") echo "data_length+index_length";; data|index) echo "$3_length";; free) echo "data_free";; esac)) from information_schema.tables$([[ "$1" = "all" || ! "$1" ]] || echo " where table_schema=\"$1\"")$([[ "$2" = "all" || ! "$2" ]] || echo "and table_name=\"$2\"");" | HOME=/var/lib/zabbix mysql -N'
UserParameter=mysql.ping,HOME=/var/lib/zabbix mysqladmin ping | grep -c alive
UserParameter=mysql.version,mysql -V

1.TCP

[root@zabbix-server-71 zabbix_agentd.d]# vim tcp_status.conf 
UserParameter=tcp[*],ss -an |awk '{print $2}'|grep -i "$1" |wc -l

2.Nginx

[root@web01-07 conf.d]# vim state.conf 
[root@web01-07 conf.d]# cat state.conf 
server {
    listen 80;
    # NOTE(review): "_" is not a wildcard; a request whose Host matches no server_name
    # (e.g. curl to 127.0.0.1) goes to the default server for :80, which is whichever
    # conf.d file loads first. Add default_server to listen if this vhost is meant to
    # catch those requests; confirm with `nginx -T`.
    server_name _;
    # both status endpoints are reachable only from the box itself
    allow 127.0.0.1;
    deny all;
    location /nginx_status {
    stub_status;
    access_log off;
    }
    # NOTE(review): nginx expects a space between the "~" modifier and the pattern;
    # confirm "~/phpfpm_status" is parsed as a regex location rather than a literal prefix.
    location ~/phpfpm_status {
            fastcgi_pass 127.0.0.1:9000;
                include fastcgi_params;
                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
}
}
[root@web01-07 conf.d]# systemctl restart nginx

[root@zabbix-server-71 zabbix_agentd.d]# vim nginx_status.conf
[root@zabbix-server-71 zabbix_agentd.d]# cat nginx_status.conf 
UserParameter=nginx_status[*],/usr/bin/bash /etc/zabbix/zabbix_agentd.d/scripts/nginx_status.sh "$1"
active|reading|writing|waiting|accepts|handled|requests

3.Php-fpm

[root@web01-07 ~]# vim /etc/php-fpm.d/www.conf 
pm.status_path = /phpfpm_status
[root@zabbix-server-71 zabbix_agentd.d]# vim phpfpm_status.conf
[root@zabbix-server-71 zabbix_agentd.d]# cat phpfpm_status.conf 
UserParameter=fpm[*],curl -s http://127.0.0.1/phpfpm_status|grep ^"$1":|awk '{print $NF}'

4.redis

[root@zabbix-server-71 zabbix_agentd.d]# vim redis_status.conf
[root@zabbix-server-71 zabbix_agentd.d]# cat redis_status.conf 
UserParameter=redis_status[*],/bin/bash /etc/zabbix/scripts/redis_status.sh "$1"

5.Tomcat

6.Mysql

[root@db01-51 ~]# yum install percona-zabbix-templates
[root@db01-51 ~]# yum install php php-mysql
[root@db01-51 ~]# cp /var/lib/zabbix/percona/templates/userparameter_percona_mysql.conf /etc/zabbix/zabbix_agentd.d/

[root@db01-51 ~]# vim /var/lib/zabbix/percona/scripts/ss_get_mysql_stats.php
$mysql_user = 'zabbix';
$mysql_pass = 'PHPtest123.com';
$mysql_port = 3306;

上传模版

7.NFS

[root@zabbix-server-71 zabbix_agentd.d]# vim nfs_mount.conf
[root@zabbix-server-71 zabbix_agentd.d]# cat nfs_mount.conf 
UserParameter=nfs_mount,showmount -e 172.16.1.31 2>/dev/null| egrep "172.16.1.0/24"|wc -l

8.Sersync

[root@zabbix-server-71 zabbix_agentd.d]# vim shishitongbu.conf 
[root@zabbix-server-71 zabbix_agentd.d]# cat shishitongbu.conf 
UserParameter=sersync_status,ps aux |grep sersyn[c] |wc -l

9.rsync

[root@zabbix-server-71 zabbix_agentd.d]# vim beifen.conf
[root@zabbix-server-71 zabbix_agentd.d]# cat beifen.conf
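# counts listening sockets on the rsyncd port. The key was "nfs_mount", which is
# already defined in nfs_mount.conf, and two UserParameters cannot share a key; the
# replacement name is a constructed placeholder and must match the item key in the template.
UserParameter=rsync_status,netstat -lntp |grep 873 |wc -l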

10.zabbix-server

安装报警媒介

1.电子邮件
名称  Email
类型  电子邮件
SMTP服务器 smtp.qq.com
SMTP服务器端口   465
SMTP HELO   qq.com
SMTP电邮      [email protected]
安全链接    SSL/TLS
认证
Username and password
用户名称    [email protected]
密码  

2.微信报警

(1)配置发件人

[root@zabbix-server-71 ~]# cd /usr/lib/zabbix/alertscripts/
[root@zabbix-server-71 alertscripts]# rz
[root@zabbix-server-71 alertscripts]# ll
total 4
-rw-r--r-- 1 root root 1350 Oct 10 18:14 weixin.py
[root@zabbix-server-71 alertscripts]# chmod +x weixin.py 
[root@zabbix-server-71 alertscripts]# yum install python-pip
[root@zabbix-server-71 alertscripts]# pip install requests

名称 微信
类型 脚本
名称 weixin.py
脚本参数 参数 动作
{ALERT.SENDTO}
{ALERT.SUBJECT}
{ALERT.MESSAGE}

(2)添加收件人

自定义报警信息

告警消息内容
问题出现时间: {EVENT.TIME} on {EVENT.DATE}
报警主机:{HOST.NAME1}
报警问题: {TRIGGER.NAME}
报警服务: {ITEM.NAME1}
报警Key1: {ITEM.KEY1}:{ITEM.VALUE1}
报警Key2: {ITEM.KEY2}:{ITEM.VALUE2}
严重级别: {TRIGGER.SEVERITY}
Original problem ID: {EVENT.ID}
{TRIGGER.URL}

安装jumpserver (http://www.jumpserver.org/)

1、安装jumpserver的依赖环境

      yum install -y redis sqlite-devel xz gcc automake zlib-devel openssl-devel 

2、编译下载python3.6版本

      wget https://www.python.org/ftp/python/3.6.1/Python-3.6.1.tar.xz
      tar xvf Python-3.6.1.tar.xz  && cd Python-3.6.1
      ./configure && make && make install

3、检查python的版本

      python -V

4、建立Python虚拟环境

    cd /opt
    python3 -m venv py3
    source /opt/py3/bin/activate

注释:看到下面的提示符代表成功,以后运行 Jumpserver 都要先运行以上 source 命令,以下所有命令均在该虚拟环境中运行
(py3) [root@localhost py3

5、自动载入python虚拟环境

    cd /opt
    git clone https://github.com/kennethreitz/autoenv.git
    echo 'source /opt/autoenv/activate.sh' >>~/.bashrc
    source ~/.bashrc

6、安装jumpserver

1)下载或 Clone 项目

    cd /opt/
    git clone https://github.com/jumpserver/jumpserver.git 
    cd jumpserver
    git checkout master
    echo "source /opt/py3/bin/activate" >/opt/jumpserver/.env  # 进入 jumpserver 目录时将自动载入 python 虚拟环境

2)安装依赖 RPM 包

首次进入 jumpserver 文件夹会有提示,按 y 即可
Are you sure you want to allow this? (y/N) y

   cd /opt/jumpserver/requirements
   yum install -y `cat rpm_requirements.txt`  # 如果没有任何报错请继续

7、安装python依赖的库

1)pip install --upgrade pip 升级pip

2)创建加速器

    cd /root
    mkdir .pip 
    vim .pip/pip.conf
    键入下面加速器内容
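    [global]
    # fetch packages over TLS so they cannot be altered in transit; with https the
    # earlier [install] trusted-host entry (which suppresses certificate checks) is not needed
    index-url=https://mirrors.aliyun.com/pypi/simple/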

3)pip install -r requirements.txt 安装python依赖的库

8、安装 Redis, Jumpserver 使用 Redis 做 cache 和 celery broker

     yum -y install redis
     systemctl enable redis
     systemctl start redis

9、安装mysql数据库

     rpm -ivh http://repo.mysql.com/yum/mysql-5.7-community/el/7/x86_64/mysql57-community-release-el7-10.noarch.rpm
     wget http://dev.mysql.com/get/mysql57-community-release-el7-8.noarch.rpm
     yum localinstall mysql57-community-release-el7-8.noarch.rpm
     yum repolist enabled | grep "mysql.*-community.*"
     yum install mysql-community-server -y
     systemctl enable mysqld
     grep 'password' /var/log/mysqld.log
     Bash

10、修改数据库密码

     mysql -uroot -p
     password:2f3zd&GnU7pe
     SET PASSWORD = PASSWORD('123456');

11、创建数据库 Jumpserver 并授权

     mysql -uroot -p123456
     > create database jumpserver default charset 'utf8';
     > grant all on jumpserver.* to 'jumpserver'@'172.16.1.61' identified by 'Hjs123..';
     > flush privileges;

12、修改 Jumpserver 配置文件

     cd /opt/jumpserver
     cp config_example.py config.py
     vi config.py

修改DevelopmentConfig 中的配置,因为默认 Jumpserver 使用该配置,它继承自 Config,配置内容根据实际情况进行修改
注意: 配置文件是 Python 格式,不要用 TAB,而要用空格

    # Database settings: each value is read from the environment first and falls
    # back to the literal shown here.
    DB_ENGINE = os.environ.get("DB_ENGINE") or 'mysql'
    DB_HOST = os.environ.get("DB_HOST") or '172.16.1.51'
    DB_PORT = os.environ.get("DB_PORT") or 3306
    DB_USER = os.environ.get("DB_USER") or 'jumpserver'
    # NOTE(review): a hard-coded fallback password ends up in backups and copies of this
    # file; prefer supplying DB_PASSWORD via the environment and leaving no literal here.
    # Also, the grant shown earlier for the jumpserver user uses a different password and
    # host — the two must agree or the connection will be refused.
    DB_PASSWORD = os.environ.get("DB_PASSWORD") or 'Bgx123.com'
    DB_NAME = os.environ.get("DB_NAME") or 'jumpserver'

13、生成数据库表结构和初始化数据

    cd /opt/jumpserver/utils
    sh make_migrations.sh

14、运行 Jumpserver

    cd /opt/jumpserver
    ./jms start all  # 后台运行使用 -d 参数./jms start all -d

运行不报错,请浏览器访问 http://10.0.0.61:8080/ 默认账号: admin 密码: admin 页面显示不正常先不用处理,搭建 nginx 代理就可以正常访问了

15、安装 SSH Server 和 WebSocket Server: Coco

websocket server 这里我装在172.16.1.62上,和jumpserver一台机
新开一个终端,别忘了 source /opt/py3/bin/activate

    cd /opt
    source /opt/py3/bin/activate
    git clone https://github.com/jumpserver/coco.git && cd coco && git checkout master
    echo "source /opt/py3/bin/activate" > /opt/coco/.env  

上面的最后一步和之前一样配置进入 coco 目录时将自动载入 python 虚拟环境
首次进入 coco 文件夹会有提示,按 y 即可
Are you sure you want to allow this? (y/N) y

安装依赖

    cd /opt/coco/requirements
    yum install -y `cat rpm_requirements.txt`
    pip install -r requirements.txt

https://pypi.org/project/jumpserver-python-sdk/#files
官网下载jumpserver-python-sdk-0.0.50.tar.gz 放在当前目录,并执行以下命令
pip install ./jumpserver-python-sdk-0.0.50.tar.gz(包的的名字和路径)
修改配置文件并运行

    cd /opt/coco
    mkdir keys                  # 创建keys目录是给coco存放密钥使用
    cp conf_example.py conf.py  # 如果 coco 与 jumpserver 分开部署,请手动修改 conf.py
    vi conf.py

这里修改的需要是:01项目名称 NAME = "COCO",可以随意,没有限制。02 CORE_HOST = 'http://127.0.0.1:8080'
03:LOG_LEVEL = 'WARN'日志级别。其他都和官网保持一致。

16、安装 Web Terminal 前端: Luna

Luna 已改为纯前端,需要 Nginx 来运行访问
访问(https://github.com/jumpserver/luna/releases)下载对应版本的 release 包,直接解压,不需要编译
解压 Luna

     $cd /opt
     $wget https://github.com/jumpserver/luna/releases/download/1.4.3/luna.tar.gz
     $tar xvf luna.tar.gz
     $chown -R root:root luna

17、配置 Nginx 整合各组件

1)配置nginx的源

      [root@jumpserver ~]# cat /etc/yum.repos.d/nginx.repo 
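      [nginx]
      name=nginx repo
      baseurl=http://nginx.org/packages/centos/7/$basearch/
      # verify package signatures against nginx's published signing key instead of
      # installing whatever the (plain-http) mirror serves
      gpgcheck=1
      gpgkey=https://nginx.org/keys/nginx_signing.key
      enabled=1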

2)安装nginx

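      (py3) [root@jumserver coco]# yum install nginx -y
      # "systemcrl"/"edable" were typos; neither line would have run
      systemctl restart nginx
      systemctl enable nginx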

3)编辑conf文件,修改default.conf的后缀

cat /etc/nginx/conf.d/jumpserver.conf

注意注释 nginx.conf 里面的 server {} 内容 ,CentOS 6 需要修改文件 /etc/nginx/conf.d/default.conf


# nginx front door for the JumpServer components: Luna, recordings and static files
# are served from disk; /socket.io and /coco go to coco (port 5000), /guacamole to the
# guacamole daemon (8081) and everything else to the JumpServer app (8080).
# Only plain port 80 is configured here, so logins and terminal sessions cross the
# network unencrypted unless TLS is terminated in front of this server.
server {
    listen 80;  # proxy port; clients use this instead of 8080 from now on
    server_name jumpserver.oldboyedu.com;  # change to your own domain

    client_max_body_size 100m;  # size limit for session recordings and file uploads

    location /luna/ {
        try_files $uri / /index.html;
        alias /opt/luna/;  # luna path; change if the install directory differs
    }

    location /media/ {
        add_header Content-Encoding gzip;
        root /opt/jumpserver/data/;  # session recordings; change if the install directory differs
    }

    location /static/ {
        root /opt/jumpserver/data/;  # static assets; change if the install directory differs
    }

    location /socket.io/ {
        proxy_pass       http://localhost:5000/socket.io/;  # use coco's IP if it runs on another host
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    location /coco/ {
        proxy_pass       http://localhost:5000/coco/;  # use coco's IP if it runs on another host
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    location /guacamole/ {
        proxy_pass       http://localhost:8081/;  # use guacamole's IP if it runs on another host
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    location / {
        proxy_pass http://localhost:8080;  # use jumpserver's IP if it runs on another host
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

### 4)(py3) [root@jumserver coco]#nginx -t  检查语法
### 5)重启服务 systemctl restart nginx
### 6)加hosts域名解析。10.0.0.62   jumpserver.oldboyedu.com

http://jason.linuxbaodian.com/unixknowledge/linux-basic/239.html
# 安装主从数据库
   主库将日志打开,将数据库文件导出。
   从库导入数据文件,配置实现实时同步
## 1、主库操作
### 1 将安装源倒入至从库

[root@mysql-51 ~]# scp /etc/yum.repos.d/* [email protected]:/etc/yum.repos.d/

#只需把 MySQL 仓库的 GPG 校验公钥发过去(/etc/pki/rpm-gpg/RPM-GPG-KEY-mysql)
#不要整目录复制 /etc/pki/:该目录还包含 CA 信任库以及 /etc/pki/tls/private 下的私钥,不应随意分发到其他主机
scp -p /etc/pki/rpm-gpg/RPM-GPG-KEY-mysql  [email protected]:/etc/pki/rpm-gpg/
### 1.2.2 打开主库日志,用于从库实时监控更新
#手写编辑进去

[root@mysql-51 ~]# vim /etc/my.cnf
[mysqld]
# log-bin 不带名字时 binlog 以主机名为前缀(见下文的 mysql-51-bin.000001),更改主机名会导致前缀变化,建议显式写成 log-bin=mysql-bin
log-bin
# 主库与从库的 server-id 必须互不相同(从库下文用的是 52)
server-id=160

### #查看一下binlog

[root@mysql-51 ~]# ls /var/lib/mysql
mysql-51-bin.000001

### 3 授权从库连接

[root@mysql-51 ~]# mysql -uroot -p        # 交互式输入口令;-pBgx123.com 这种写法会把口令留在 ps 输出和 ~/.bash_history 中
# 注意:原文 grant 语句中的 *.* 被 markdown 吞掉了。另外原文的 'all'@'%' 是一个可从任意主机登录的全权账号,主从复制本身并不需要它;
# 如确需远程管理账号,请把来源主机收窄到具体网段、只授需要的库,并且密码前不要带空格(' Bgx123.com' 的前导空格会成为口令的一部分)
mysql> grant all on *.* to 'all'@'172.16.1.%' identified by 'Bgx123.com';
mysql> grant replication slave, replication client on *.* to 'rep'@'172.16.1.%' identified by 'Rep123.com';

### #查看授权

mysql> select * from mysql.user\G        # \G 本身就是语句结束符,后面再加 ; 会多报一个 "No query specified"

### 4 将数据导出,至从库

# --master-data=1 会在导出文件中写入 CHANGE MASTER TO MASTER_LOG_FILE/MASTER_LOG_POS,所以后面从库 change master to 时不必再指定位点;
# --single-transaction 对 InnoDB 做一致性快照。口令建议用 -p 交互输入或 mysql_config_editor,避免出现在命令行中
[root@mysql-51 ~]# mysqldump -uroot -p --all-databases --single-transaction --master-data=1 --flush-logs > /root/db-$(date +%F)-all.sql

### #将数据发送至52从库(文件名以上一步 date +%F 实际生成的日期为准,下文导入时要用同一个文件名;该备份包含 mysql.user 中的口令哈希,从库导入完成后应删除,主库上的副本也要限制为仅 root 可读)

[root@mysql-51 ~]# scp db-2018-10-08-all.sql [email protected]:~

## 3、从库配置
 1 安装数据库
### 1.下载MySQL官方扩展源

[root@nginx ~]# rpm -ivh https://repo.mysql.com/yum/mysql-5.7-community/el/7/x86_64/mysql57-community-release-el7-10.noarch.rpm
# 用 https 获取仓库定义包,避免明文 http 传输中被篡改;安装后确认 /etc/yum.repos.d/mysql-community.repo 中 gpgcheck=1 没有被改成 0

### #2.安装mysql5.7, 文件过大可能会导致下载缓慢

[root@nginx ~]# yum install mysql-community-server -y

### #3.启动数据库, 并加入开机自启动

[root@nginx ~]# systemctl start mysqld
[root@nginx ~]# systemctl enable mysqld

### #4.由于mysql5.7默认配置了默认密码, 需要过滤temporary password关键字查看对应登陆数据库密码

[root@nginx ~]# grep "temporary password" /var/log/mysqld.log

### #5.登陆mysql数据库[password中填写上一步过滤的密码]

[root@web02 ~]# mysql -uroot -p$(awk '/temporary password/{print $NF}' /var/log/mysqld.log)

### #6.重新修改数据库密码

mysql> ALTER USER 'root'@'localhost' IDENTIFIED BY 'Bgx123.com';

### #7.授权(同主库一样,原文的 *.* 被吞掉了。下一步导入的 --all-databases 备份已包含 mysql 库,从库会直接得到主库的账号,通常无需在从库单独再建一个 'all'@'%' 全权账号;如确需,请收窄来源主机并去掉口令前的空格)

mysql> grant all on *.* to 'all'@'172.16.1.%' identified by 'Bgx123.com';

1.3.2 修改server id

[root@mysql02-52 ~]# vim /etc/my.cnf
[mysqld]
server-id=52

1.3.4 导入数据

[root@mysql02-52 ~]# mysql -uroot -pBgx123.com < db-2018-10-09-all.sql     # 文件名须与前面 scp 过来的一致(原文一处写 10-08、一处写 10-09)

1.3.5 从库指向主库(备份由 --master-data=1 生成,导入时已经设置了 MASTER_LOG_FILE/MASTER_LOG_POS,所以这里只需指定主机和复制账号;若备份不是这样生成的,必须显式加上位点)

[root@mysql02-52 ~]# mysql -uroot -pBgx123.com
mysql> change master to
-> master_host='172.16.1.51',
-> master_user='rep',
-> master_password='Rep123.com';

### 1.3.6 启动slave

mysql> start slave;
mysql> show slave status\G
Slave_IO_Running: Yes
Slave_SQL_Running: Yes
两项都为 Yes 且 Seconds_Behind_Master 不为 NULL 时表示主从同步正常;可在主库建一个测试库,再到从库查看是否出现来验证。

若 Slave_SQL_Running 为 No,先看 show slave status\G 中的 Last_SQL_Error 定位原因,不要直接清理 binlog。

mysql> show binary logs;                               查看binlog日志
mysql> purge master logs to 'master-bin.000015';       删除该文件之前的 binlog;清理前先在从库确认 Master_Log_File 已经越过它,否则从库会因找不到日志而中断复制

https://dev.mysql.com/doc/refman/5.7/en/
# m01时间同步

## 1安装并配置服务端

[root@m01-61 ~]# yum install chrony
[root@m01-61 ~]# rpm -ql chrony
[root@m01-61 ~]# chronyc -v
chronyc (chrony) version 3.2 (+READLINE +IPV6 +DEBUG)
[root@m01-61 ~]# vim /etc/chrony.conf
[root@m01-61 ~]# cat /etc/chrony.conf
#Use public servers from the pool.ntp.org project.
#Please consider joining the pool (http://www.pool.ntp.org/join.html).
#使用pool.ntp.org项目中的公共服务器。以server开,理论上你想添加多少时间服务器都可以
server 0.centos.pool.ntp.org iburst
server 1.centos.pool.ntp.org iburst
server 2.centos.pool.ntp.org iburst
server 3.centos.pool.ntp.org iburst
#Record the rate at which the system clock gains/losses time.
#根据实际时间计算出服务器增减时间的比率,然后记录到一个文件中,在系统重启后为系统做出最佳时间补偿调整
driftfile /var/lib/chrony/drift
#Allow the system clock to be stepped in the first three updates
#if its offset is larger than 1 second.
#chronyd根据需求减慢或加速时间调整,
#在某些情况下系统时钟可能漂移过快,导致时间调整用时过长。
#该指令强制chronyd调整时期,大于某个阀值时步进调整系统时钟。
#只有在因chronyd启动时间超过指定的限制时(可使用负值来禁用限制)没有更多时钟更新时才生效。
makestep 1.0 3
#Enable kernel synchronization of the real-time clock (RTC).
#将启用一个内核模式,在该模式中,系统时间每11分钟会拷贝到实时时钟(RTC)
rtcsync
#Enable hardware timestamping on all interfaces that support it.
#通过使用hwtimestamp指令启用硬件时间戳.
#hwtimestamp *
#Increase the minimum number of selectable sources required to adjust
#the system clock.
#minsources 2
#Allow NTP client access from local network.
#指定一台主机、子网,或者网络以允许或拒绝NTP连接到扮演时钟服务器的机器
allow 172.16.1.0/24
#Serve time even if not synchronized to a time source.
#local stratum 10
#Specify file containing keys for NTP authentication.
#指定包含NTP验证密钥的文件。
#keyfile /etc/chrony.keys
#Specify directory for log files.
#指定日志文件的目录。
logdir /var/log/chrony
#Select which information is logged.
#log measurements statistics tracking
[root@m01-61 ~]# timedatectl
Time zone: Asia/Shanghai (CST, +0800)
[root@m01-61 ~]# systemctl start chronyd
[root@m01-61 ~]# systemctl enable chronyd
[root@m01-61 ~]# chronyc -a makestep      # 必须在 chronyd 启动之后执行,否则无法连接守护进程;作用是立即步进校正一次时钟

## 2客户端

[root@web03-09 ~]# yum install chrony
[root@web03-09 ~]# vim /etc/chrony.conf
[root@web03-09 ~]# awk '!/^(#|$)/' /etc/chrony.conf
server 172.16.1.61 iburst
driftfile /var/lib/chrony/drift
makestep 1.0 3
rtcsync
logdir /var/log/chrony
[root@web03-09 ~]# systemctl start chronyd
[root@web03-09 ~]# systemctl enable chronyd

## 3防火墙配置
### 1开启防火墙

[root@m01-61 ~]# systemctl start firewalld.service
[root@m01-61 ~]# systemctl enable firewalld.service
Created symlink from /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service to /usr/lib/systemd/system/firewalld.service.
Created symlink from /etc/systemd/system/multi-user.target.wants/firewalld.service to /usr/lib/systemd/system/firewalld.service.

### 2只允许10.0.0.1主机ssh登录(先确认当前 SSH 会话确实来自 10.0.0.1,否则第 6 步 reload 之后会把自己锁在外面;--permanent 规则在 reload 前不生效,可先用不带 --permanent 的同样命令在运行时验证)

[root@m01-61 ~]# firewall-cmd --remove-service=ssh --permanent
success
[root@m01-61 ~]# firewall-cmd --add-rich-rule='rule family=ipv4 source address=10.0.0.1/32 service name=ssh accept' --permanent
success

### 3运行Ansible与yum仓库

[root@m01-61 ~]# firewall-cmd --add-rich-rule='rule family=ipv4 source address=172.16.1.0/24 service name=ssh accept' --permanent
success
[root@m01-61 ~]# firewall-cmd --add-rich-rule='rule family=ipv4 source address=172.16.1.0/24 service name=ftp accept' --permanent
success

### 4支持监控(trusted 区域会放行来自 172.16.1.71 的全部入站流量;若只需要监控端口,建议改用 rich rule 只放行对应端口)

[root@m01-61 ~]# firewall-cmd --add-source=172.16.1.71/32 --zone=trusted --permanent
success

### 5配置内部上网

[root@m01-61 ~]# firewall-cmd --add-masquerade --permanent
success

### 6重载

[root@m01-61 ~]# firewall-cmd --reload
success

### 7内部上网客户端配置

[root@web01-07 ~]# vim /etc/sysconfig/network-scripts/ifcfg-eth1
[root@web01-07 ~]# tail -2 /etc/sysconfig/network-scripts/ifcfg-eth1
GATEWAY=172.16.1.61
DNS1=223.5.5.5

## ansible安装配置
### 1创建并推送公钥
# 这把私钥能以 root 登录下面所有主机,m01 一旦失陷即全部失守:生成时请设置口令并配合 ssh-agent 使用,优先选用 ed25519(ssh-keygen -t ed25519),并保持 ~/.ssh/id_* 权限为 600
[root@m01-61 ~]# ssh-keygen -t rsa -C [email protected]
ssh-copy-id -i ~/.ssh/id_rsa.pub [email protected]
ssh-copy-id -i ~/.ssh/id_rsa.pub [email protected]
ssh-copy-id -i ~/.ssh/id_rsa.pub [email protected]
ssh-copy-id -i ~/.ssh/id_rsa.pub [email protected]
ssh-copy-id -i ~/.ssh/id_rsa.pub [email protected]
ssh-copy-id -i ~/.ssh/id_rsa.pub [email protected]
ssh-copy-id -i ~/.ssh/id_rsa.pub [email protected]
ssh-copy-id -i ~/.ssh/id_rsa.pub [email protected]
ssh-copy-id -i ~/.ssh/id_rsa.pub [email protected]