Linux: configuration notes for commonly used services

keepalived+lvs

Overall layout:
router: external NIC 124.126.147.168    internal NIC: 192.168.0.254
lvs1 director VIP: 192.168.0.253  internal NIC: 192.168.0.200
lvs2 director VIP: 192.168.0.253  internal NIC: 192.168.0.201
The two real web servers behind them:
web1 real NIC 192.168.0.1   virtual interface ifcfg-lo:0  192.168.0.253 (VIP)
web2 real NIC 192.168.0.2   virtual interface ifcfg-lo:0  192.168.0.253 (VIP)
--------------------------------------------------------------------------------
Real server web1 setup
Real NIC:
BOOTPROTO=static
DEVICE=eno1111
ONBOOT=yes
IPADDR=192.168.0.1
NETMASK=255.255.255.0
GATEWAY=192.168.0.254


Create a new virtual interface that carries the VIP
vim /etc/sysconfig/network-scripts/ifcfg-lo:0
BOOTPROTO=static
DEVICE=lo:0
ONBOOT=yes
IPADDR=192.168.0.253
NETMASK=255.255.255.255
GATEWAY=192.168.0.254

Change the ARP parameters:
The real server must not answer ARP requests for the VIP (otherwise it competes with the director for the VIP):
vim /etc/sysctl.conf
net.ipv4.conf.eno1111.arp_ignore = 1
net.ipv4.conf.eno1111.arp_announce = 2
net.ipv4.conf.all.arp_ignore = 1
net.ipv4.conf.all.arp_announce = 2

sysctl -p      # takes effect immediately, no reboot needed
yum install httpd
systemctl start httpd
systemctl restart network
echo "192.168.0.1" > /var/www/html/index.html
firewall-cmd --permanent --add-port=80/tcp
firewall-cmd --reload
-------------------------------------------------------
Real server web2 setup
Real NIC:
BOOTPROTO=static
DEVICE=eno2222
ONBOOT=yes
IPADDR=192.168.0.2
NETMASK=255.255.255.0
GATEWAY=192.168.0.254

Create a new virtual interface that carries the VIP
vim /etc/sysconfig/network-scripts/ifcfg-lo:0
BOOTPROTO=static
DEVICE=lo:0
ONBOOT=yes
IPADDR=192.168.0.253
NETMASK=255.255.255.255
GATEWAY=192.168.0.254

Change the ARP parameters:
The real server must not answer ARP requests for the VIP:
vim /etc/sysctl.conf
net.ipv4.conf.eno2222.arp_ignore = 1
net.ipv4.conf.eno2222.arp_announce = 2
net.ipv4.conf.all.arp_ignore = 1
net.ipv4.conf.all.arp_announce = 2

sysctl -p      # takes effect immediately, no reboot needed
yum install httpd
systemctl start httpd
systemctl restart network
echo "192.168.0.2" > /var/www/html/index.html
firewall-cmd --permanent --add-port=80/tcp
firewall-cmd --reload
----------------------------------------------------------
lvs1 director:
LVS real NIC setup:
TYPE=Ethernet
BOOTPROTO=static
DEVICE=eno33554960
ONBOOT=yes
IPADDR=192.168.0.200
NETMASK=255.255.255.0
GATEWAY=192.168.0.254

systemctl restart network

yum -y install keepalived ipvsadm   # install the IPVS administration tool and keepalived

modprobe ip_vs   # load the IPVS kernel module

vim /etc/keepalived/keepalived.conf

! Configuration File for keepalived
global_defs {
    notification_email {
        [email protected]
    }
    notification_email_from root@localhost
    smtp_server 127.0.0.1
    smtp_connect_timeout 30
    router_id lvs_1
}

vrrp_instance LVS_HA {
    state MASTER
    interface eno33554960    # the director's real NIC configured above
    virtual_router_id 60
    priority 100
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        192.168.0.253/24
    }
}

virtual_server 192.168.0.253 80 {
    delay_loop 6
    lb_algo rr
    lb_kind DR
    nat_mask 255.255.255.0
    persistence_timeout 50
    protocol TCP

    real_server 192.168.0.1 80 {
        weight 1
        TCP_CHECK {
            connect_timeout 20
            connect_port 80
            nb_get_retry 3
        }
    }
    real_server 192.168.0.2 80 {
        weight 1
        TCP_CHECK {
            connect_timeout 20
            connect_port 80
            nb_get_retry 3
        }
    }
}


systemctl start keepalived
systemctl enable keepalived
ip addr show   # the VIP 192.168.0.253 should now appear on the interface
ipvsadm -Ln    # the virtual service and both real servers should be listed
firewall-cmd --set-default-zone=trusted
-----------------------------------------------------
lvs2 director configuration:
LVS real NIC setup:
TYPE=Ethernet
BOOTPROTO=static
DEVICE=eno55555
ONBOOT=yes
IPADDR=192.168.0.201
NETMASK=255.255.255.0
GATEWAY=192.168.0.254

systemctl restart network

yum -y install keepalived ipvsadm   # install the IPVS administration tool and keepalived

vim /etc/keepalived/keepalived.conf

! Configuration File for keepalived
global_defs {
    notification_email {
        [email protected]
    }
    notification_email_from root@localhost
    smtp_server 127.0.0.1
    smtp_connect_timeout 30
    router_id lvs_2
}

vrrp_instance LVS_HA {
    state MASTER
    interface eno55555    # the director's real NIC configured above
    virtual_router_id 60
    priority 50           # lower than lvs1's 100, so this node holds the VIP only while lvs1 is down
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        192.168.0.253/24
    }
}

virtual_server 192.168.0.253 80 {
    delay_loop 6
    lb_algo rr
    lb_kind DR
    nat_mask 255.255.255.0
    persistence_timeout 50
    protocol TCP

    real_server 192.168.0.1 80 {
        weight 1
        TCP_CHECK {
            connect_timeout 20
            connect_port 80
            nb_get_retry 3
        }
    }
    real_server 192.168.0.2 80 {
        weight 1
        TCP_CHECK {
            connect_timeout 20
            connect_port 80
            nb_get_retry 3
        }
    }
}

systemctl start keepalived
systemctl enable keepalived
ip addr show   # on the backup node the VIP appears only after lvs1 fails
ipvsadm -Ln
firewall-cmd --set-default-zone=trusted
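The two keepalived.conf files above differ only in router_id, interface and priority, and a single misspelled keyword (weigth, real_sever) makes keepalived quietly skip a real server. The following pre-flight check is an added example and not part of the original notes: keepalived_lint catches the usual typos and brace mismatches in one file, and keepalived_pair_check verifies that two directors' files agree on everything that must match (virtual_router_id, auth_pass, advert_int, the VIP) and differ where they must (priority, router_id). The sample configurations written by write_sample_configs are constructed here for the test and reuse the notes' addresses; the function names are this example's own. Run keepalived -t -f FILE afterwards for the daemon's own syntax check.

```shell
#!/bin/sh
# Added example (not from the original notes): sanity checks for a keepalived.conf pair.

# keepalived_lint FILE: print one line per finding; return 1 if anything was found
keepalived_lint() {
    _f=$1; _bad=0
    # 1. brace balance: an unclosed block makes keepalived reject the whole file
    _open=$(grep -o '{' "$_f" | wc -l)
    _close=$(grep -o '}' "$_f" | wc -l)
    [ "$_open" -eq "$_close" ] || { echo "$_f: unbalanced braces ($_open open, $_close close)"; _bad=1; }
    # 2. keywords seen misspelled in practice; keepalived ignores what it does not recognise
    for _kw in weigth real_sever router_id_ virtual_ipadress; do
        if grep -q "$_kw" "$_f"; then echo "$_f: misspelled keyword '$_kw'"; _bad=1; fi
    done
    # 3. every real_server block should carry an explicit weight
    _rs=$(grep -c '^[[:space:]]*real_server' "$_f" || true)
    _w=$(grep -c '^[[:space:]]*weight' "$_f" || true)
    [ "$_rs" -eq "$_w" ] || { echo "$_f: $_rs real_server blocks but $_w weight lines"; _bad=1; }
    return $_bad
}

# kv FILE KEY: value of the first "KEY value" line
kv() { awk -v k="$2" '$1 == k { print $2; exit }' "$1"; }

# vip FILE: the address/prefix line inside virtual_ipaddress { }
vip() { grep -E '^[[:space:]]*[0-9]+(\.[0-9]+){3}/[0-9]+' "$1" | tr -d '[:space:]'; }

# keepalived_pair_check FILE1 FILE2: return 0 if the two directors can form one VRRP group
keepalived_pair_check() {
    _a=$1; _b=$2; _bad=0
    for _k in virtual_router_id auth_pass advert_int; do
        [ "$(kv "$_a" "$_k")" = "$(kv "$_b" "$_k")" ] || { echo "$_k differs between $_a and $_b"; _bad=1; }
    done
    [ "$(vip "$_a")" = "$(vip "$_b")" ] || { echo "virtual_ipaddress differs"; _bad=1; }
    [ "$(kv "$_a" priority)" != "$(kv "$_b" priority)" ] || { echo "priorities are equal; the election would be decided by IP address"; _bad=1; }
    [ "$(kv "$_a" router_id)" != "$(kv "$_b" router_id)" ] || { echo "router_id must be unique per node"; _bad=1; }
    return $_bad
}

# write_sample_configs DIR: constructed sample files (lvs1.conf, lvs2.conf and a broken bad.conf)
write_sample_configs() {
    for _n in 1 2; do
        if [ "$_n" = 1 ]; then _state=MASTER; _prio=100; else _state=BACKUP; _prio=50; fi
        cat > "$1/lvs$_n.conf" <<EOF
global_defs {
    router_id lvs_$_n
}
vrrp_instance LVS_HA {
    state $_state
    interface eth0
    virtual_router_id 60
    priority $_prio
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        192.168.0.253/24
    }
}
virtual_server 192.168.0.253 80 {
    lb_algo rr
    lb_kind DR
    protocol TCP
    real_server 192.168.0.1 80 {
        weight 1
        TCP_CHECK { connect_port 80 }
    }
    real_server 192.168.0.2 80 {
        weight 1
        TCP_CHECK { connect_port 80 }
    }
}
EOF
    done
    # broken copy: misspelled weight, one misspelled real_server, closing brace missing
    sed -e 's/weight 1/weigth 1/' -e 's/real_server 192.168.0.2/real_sever 192.168.0.2/' -e '$d' "$1/lvs1.conf" > "$1/bad.conf"
}
```

Usage: keepalived_lint /etc/keepalived/keepalived.conf on each director, then copy the peer's file over and run keepalived_pair_check on the two.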
-------------------------------------------------------------
Router setup: in production use a real router; here a Linux box acts as the router
Linux host acting as the router:
First NIC, internal side:
TYPE=Ethernet
BOOTPROTO=static
DEVICE=eno7777
ONBOOT=yes
IPADDR=192.168.0.254
NETMASK=255.255.255.0
DNS=202.96.134.133

Second NIC, external side:
TYPE=Ethernet
BOOTPROTO=static
DEVICE=eno8888
ONBOOT=yes
IPADDR=124.126.147.168
NETMASK=255.0.0.0
DNS=202.96.134.133

systemctl restart network
iptables -F
iptables -X
iptables -t nat -X
iptables -t nat -F

# inbound: traffic for the public address on port 80 is forwarded to the VIP
iptables -t nat -I PREROUTING -d 124.126.147.168 -p tcp --dport 80  \
-j DNAT --to-destination 192.168.0.253:80

# outbound: connections originating from the internal network leave with the public address
iptables -t nat -I POSTROUTING -s 192.168.0.0/24 -p tcp -j SNAT \
--to-source 124.126.147.168


vim /etc/sysctl.conf
net.ipv4.ip_forward = 1

sysctl -p

KVM network configuration:

In a terminal, change the host's real NIC file to the following
vim ifcfg-eno16777736
BOOTPROTO="none"
DEVICE="eno16777736"
ONBOOT="yes"
BRIDGE=br0

vim ifcfg-br0
DEVICE=br0
ONBOOT="yes"
TYPE=Bridge
BOOTPROTO=static
IPADDR="192.168.1.110"
PREFIX="24"
GATEWAY="192.168.1.253"
DNS1="192.168.1.253"

lvm

All the pv, vg and lv commands share the same form: create with pvcreate, show with pvdisplay, delete with pvremove, and likewise for vg* and lv*.
If you later want to delete an LVM volume built as below, work from the bottom up: unmount first, then lvremove the logical volume,
then vgremove the volume group, then pvremove the physical volumes.
Creation order: pv ---- vg ----- lv
1. Partition the disk first; set the partition type to xfs on a GPT disk or to lvm on an msdos disk (do not format it yet; format only after the LV has been created in the last steps)
2. Create the physical volumes, e.g. pvcreate /dev/sdb1 /dev/sdb2  (the two partitions created in step 1)
3. Create the volume group, e.g. vgcreate test_vg /dev/sdb1 /dev/sdb2  (test_vg is the group name)
4. Create the logical volume, i.e. the volume that will finally be mounted: lvcreate -n test_web -L 20G test_vg (test_web is the LV name)
5. Format it: mkfs.xfs /dev/test_vg/test_web
6. Mount it, exactly as for an ordinary partition
7. Grow it: lvextend -L +50G /dev/test_vg/test_web
8. After growing the LV, grow the filesystem: xfs_growfs /dev/test_vg/test_web
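The eight steps above as one script, an added example that is not part of the original notes. run() echoes each command while DRY_RUN=1 (the default here) and executes it when DRY_RUN=0, so the plan can be read before anything touches a disk; lvm_create refuses a partition that is currently mounted, and lvm_teardown removes everything in the reverse order the notes insist on. The device names, the names test_vg and test_web and the sizes are the notes' own sample values; the mount point /mnt/web and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original notes): the pv -> vg -> lv procedure as a script.
DRY_RUN=${DRY_RUN:-1}    # 1: only print the commands; 0: run them (needs root)

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# pv_is_mounted DEVICE: 0 if the partition is currently mounted as a filesystem
pv_is_mounted() { grep -q "^$1 " /proc/mounts 2>/dev/null; }

# lvm_create VG LV SIZE MOUNTPOINT PV...   (steps 2-6; step 1, partitioning, is done beforehand)
lvm_create() {
    _vg=$1; _lv=$2; _size=$3; _mnt=$4; shift 4
    for _pv; do
        if pv_is_mounted "$_pv"; then
            echo "$_pv is mounted; refusing to turn it into a PV" >&2
            return 1
        fi
    done
    run pvcreate "$@"                             # step 2: physical volumes
    run vgcreate "$_vg" "$@"                      # step 3: volume group
    run lvcreate -n "$_lv" -L "$_size" "$_vg"     # step 4: logical volume
    run mkfs.xfs "/dev/$_vg/$_lv"                 # step 5: format only now, after the LV exists
    run mkdir -p "$_mnt"
    run mount "/dev/$_vg/$_lv" "$_mnt"            # step 6
}

# lvm_grow VG LV DELTA: steps 7-8; xfs_growfs needs the filesystem mounted
lvm_grow() {
    run lvextend -L "+$3" "/dev/$1/$2"
    run xfs_growfs "/dev/$1/$2"
}

# lvm_teardown VG LV MOUNTPOINT PV...: the removal, strictly bottom-up
lvm_teardown() {
    _vg=$1; _lv=$2; _mnt=$3; shift 3
    run umount "$_mnt"
    run lvremove -f "/dev/$_vg/$_lv"
    run vgremove "$_vg"
    run pvremove "$@"
}
```

Usage: lvm_create test_vg test_web 20G /mnt/web /dev/sdb1 /dev/sdb2 prints the six commands; DRY_RUN=0 and the same call runs them.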

LVS in NAT mode:

------------------------------director----------------------------------------
Front-end server setup:
External NIC:
TYPE=Ethernet
BOOTPROTO=static
DEVICE=eno16777736
ONBOOT=yes
IPADDR=192.168.1.110
NETMASK=255.255.255.0
GATEWAY=192.168.1.253
DNS1="192.168.1.253"

Internal NIC (facing the real servers):
TYPE=Ethernet
BOOTPROTO=static
DEVICE=eno33554960
ONBOOT=yes
IPADDR=192.168.17.138
NETMASK=255.255.255.0
DNS1=192.168.1.253

systemctl restart network

yum -y install ipvsadm

ipvsadm -A -t 192.168.1.110:80 -s rr   # add the virtual service; rr = round robin
ipvsadm -a -t 192.168.1.110:80 -r 192.168.17.130:80 -m   # -m = NAT (masquerading); add one line per back-end server
ipvsadm -a -t 192.168.1.110:80 -r 192.168.17.131:80 -m

ipvsadm -Sn > /etc/sysconfig/ipvsadm   # save the scheduling rules
Open /etc/sysctl.conf and add: net.ipv4.ip_forward=1   # enable IP forwarding, required in NAT mode

Start the firewall: systemctl start firewalld
firewall-cmd --set-default-zone=trusted
firewall-cmd --permanent --add-port=80/tcp
firewall-cmd --reload
systemctl start ipvsadm

ipvsadm -Ln    # show the configuration
ipvsadm -Lnc   # show current connections
ipvsadm -D -t 192.168.1.110:80   # delete the virtual service
ipvsadm -d -t 192.168.1.110:80 -r 192.168.17.130   # remove back-end server .130 from the service
ipvsadm -Sn > /tmp/ipvs.back   # back up the rules
ipvsadm -C   # flush all rules
ipvsadm -R < /etc/sysconfig/ipvsadm   # restore the saved rules
firewall-cmd --permanent --add-port=80/tcp
firewall-cmd --reload
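ipvsadm -Sn writes one -A line per virtual service and one -a line per real server, and that file is what ipvsadm -R loads back. The check below is an added example, not part of the notes: ipvs_rules_check reads such a file and reports a virtual service with no real servers (every client connection would be dropped), a real server attached to a service that was never defined, and a service that mixes NAT (-m) and direct-routing (-g) forwarding. The rule files written by write_sample_ipvs are constructed here with the notes' addresses; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original notes): consistency check for an ipvsadm -Sn rule file.

# ipvs_rules_check FILE: print findings; exit status = number of problems (0 = clean)
ipvs_rules_check() {
    awk '
        # -A -t VIP:PORT -s SCHEDULER                    defines a virtual service
        $1 == "-A" { svc[$3] = 0; next }
        # -a -t VIP:PORT -r RIP:PORT -m|-g|-i [-w N]      adds a real server to it
        $1 == "-a" {
            if (!($3 in svc)) { print "real server " $5 " added to undefined service " $3; bad++ }
            svc[$3]++
            for (i = 6; i <= NF; i++)
                if ($i == "-m" || $i == "-g" || $i == "-i") modes[$3] = modes[$3] " " $i
            next
        }
        END {
            for (s in svc) {
                if (svc[s] == 0) { print "service " s " has no real servers"; bad++ }
                if (modes[s] ~ /-m/ && modes[s] ~ /-g/) { print "service " s " mixes NAT (-m) and DR (-g) real servers"; bad++ }
            }
            exit bad
        }' "$1"
}

# ipvs_real_servers FILE VIP:PORT: list the real servers of one service
ipvs_real_servers() {
    awk -v s="$2" '$1 == "-a" && $3 == s { print $5 }' "$1"
}

# write_sample_ipvs DIR: constructed rule files in ipvsadm -Sn format
write_sample_ipvs() {
    cat > "$1/good.rules" <<'EOF'
-A -t 192.168.1.110:80 -s rr
-a -t 192.168.1.110:80 -r 192.168.17.130:80 -m -w 1
-a -t 192.168.1.110:80 -r 192.168.17.131:80 -m -w 1
EOF
    # :443 has no real servers, :80 mixes -m and -g, :8080 was never defined with -A
    cat > "$1/bad.rules" <<'EOF'
-A -t 192.168.1.110:80 -s rr
-A -t 192.168.1.110:443 -s rr
-a -t 192.168.1.110:80 -r 192.168.17.130:80 -m -w 1
-a -t 192.168.1.110:80 -r 192.168.17.131:80 -g -w 1
-a -t 192.168.1.110:8080 -r 192.168.17.131:8080 -m -w 1
EOF
}
```

Usage: ipvs_rules_check /etc/sysconfig/ipvsadm before systemctl start ipvsadm, or on a fresh ipvsadm -Sn dump after editing rules by hand.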
--------------------------------------------------------
Real server web1 setup
Real NIC:
TYPE=Ethernet
BOOTPROTO=static
DEVICE=eno1111
ONBOOT=yes
IPADDR=192.168.0.1
NETMASK=255.255.255.0
GATEWAY=192.168.0.253   # the director's internal address: in NAT mode the replies must go back through the director

Create a new virtual interface
vim /etc/sysconfig/network-scripts/ifcfg-lo:0
TYPE=Ethernet
BOOTPROTO=static
DEVICE=lo:0
ONBOOT=yes
IPADDR=124.126.147.168
NETMASK=255.255.255.0
GATEWAY=192.168.0.253

Disable ARP replies for the VIP address:
vim /etc/sysctl.conf
net.ipv4.conf.eno1111.arp_ignore = 1
net.ipv4.conf.eno1111.arp_announce = 2
net.ipv4.conf.all.arp_ignore = 1
net.ipv4.conf.all.arp_announce = 2

sysctl -p
yum install httpd
systemctl start httpd
systemctl restart network
echo "192.168.0.1" > /var/www/html/index.html
firewall-cmd --permanent --add-port=80/tcp
firewall-cmd --reload
---------------------------------------------------------
Real server web2 setup
Real NIC:
TYPE=Ethernet
BOOTPROTO=static
DEVICE=eno2222
ONBOOT=yes
IPADDR=192.168.0.2
NETMASK=255.255.255.0
GATEWAY=192.168.0.253   # the director's internal address

Create a new virtual interface
vim /etc/sysconfig/network-scripts/ifcfg-lo:0
TYPE=Ethernet
BOOTPROTO=static
DEVICE=lo:0
ONBOOT=yes
IPADDR=124.126.147.168
NETMASK=255.255.255.0
GATEWAY=192.168.0.253

Disable ARP replies for the VIP address:
vim /etc/sysctl.conf
net.ipv4.conf.eno2222.arp_ignore = 1
net.ipv4.conf.eno2222.arp_announce = 2
net.ipv4.conf.all.arp_ignore = 1
net.ipv4.conf.all.arp_announce = 2

sysctl -p
yum install httpd
systemctl start httpd
systemctl restart network
echo "192.168.0.2" > /var/www/html/index.html
firewall-cmd --permanent --add-port=80/tcp
firewall-cmd --reload
--------------------------------------------------------
Real server web3 setup
Real NIC:
TYPE=Ethernet
BOOTPROTO=static
DEVICE=eno3333
ONBOOT=yes
IPADDR=192.168.0.3
NETMASK=255.255.255.0
GATEWAY=192.168.0.253   # the director's internal address

Create a new virtual interface
vim /etc/sysconfig/network-scripts/ifcfg-lo:0
TYPE=Ethernet
BOOTPROTO=static
DEVICE=lo:0
ONBOOT=yes
IPADDR=124.126.147.168
NETMASK=255.255.255.0
GATEWAY=192.168.0.253

Disable ARP replies for the VIP address:
vim /etc/sysctl.conf
net.ipv4.conf.eno3333.arp_ignore = 1
net.ipv4.conf.eno3333.arp_announce = 2
net.ipv4.conf.all.arp_ignore = 1
net.ipv4.conf.all.arp_announce = 2

sysctl -p
yum install httpd
systemctl start httpd
systemctl restart network
echo "192.168.0.3" > /var/www/html/index.html
firewall-cmd --permanent --add-port=80/tcp
firewall-cmd --reload
-----------------------------------------
Linux host acting as the router:
First NIC, internal side:
TYPE=Ethernet
BOOTPROTO=static
DEVICE=eno4444
ONBOOT=yes
IPADDR=192.168.0.253
NETMASK=255.255.255.0

Second NIC, external side:
TYPE=Ethernet
BOOTPROTO=static
DEVICE=eno5555
ONBOOT=yes
IPADDR=124.126.147.169
NETMASK=255.0.0.0

vim /etc/sysctl.conf
net.ipv4.ip_forward = 1

sysctl -p
systemctl restart network

Mysql主从复制

yum 源安装:wget -O /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo

安装依赖包
yum -y install gcc make cmake ncurses-devel libxm12-devel libtool-ltdl-devel gcc-c++ 
autoconf automake bison zlib-devel bison-devel  perl perl-devel


1、建议选择“Server with GUI”,并选择“Development Tools”和“Compatibility Libraries”
两项附加软件。确保gcc、libgcc、gcc-c++等编译器已经正确安装

下载mysql-5.6版本     wget  http://cdn.mysql.com/archives/mysql-5.6/mysql-5.6.11.tar.gz

groupadd mysql
useradd -r -s /sbin/nologin -g mysql mysql

tar -xvf mysql-5.6.tar.gz -C /usr/src/

cd /usr/src/mysql-5.6/
cmake . -DENABLE_DOWNLOADS=1
make && make install
chown -R mysql.mysql /usr/local/mysql

装完后使用mysql_install_db脚本初始化数据库,用user定义数据库存名称,用basedir定义软件主目录,
用datadir定义数据库存存放目录,初始化完后复制主配置文件my.cnf到/etc/my.cnf一份
/usr/local/mysql/scripts/mysql_install_db --user=mysql --basedir=/usr/local/mysql/ --datadir=/usr/local/mysql/data

cp /usr/local/mysql/my.cnf  /etc/my.cnf
vim /etc/my.cnf
[mysqld]


[mysqld_safe]
log-error=/var/log/mysqld.log         //错误日志路径
pid-file=/var/lib/mysql/mysql.pid 

以上步骤可完成安装
---------------------------设备服务管理-------------------------------------
/usr/local/mysql/bin/mysqld_safe --user=mysql &
cp /usr/local/mysql/support-files/mysql.server   /etc/init.d/mysqld
chkconfig --add mysqld
chkconfig mysqld on
PATH=$PATH:/usr/local/mysql/bin/
echo "export PATH=$PATH:/usr/local/mysql/bin/" >> /etc/profile  开机启动

mysql -uroot -e "select User, Host, password from mysql.user" 看默认创建的用户和密码

清除默认用户为了安全(下面进行回答一般全选yes)
/usr/local/mysql/bin/mysql_secure_installation
由于root没有密码,当打完这个命令提示要输入密码,直接回车进行选择Y或n


--------------------------------------master-slave replication---------------------------------------
Master server setup:
Create a test database and table
mysql -uroot -p

create database hr;

use hr;

create table employees(employee_id int not null auto_increment, name char(20) not null, e_mail varchar(55), primary key(employee_id));

insert into employees values (1,'tom','[email protected]'),
(2,'ydaxia','[email protected]');

exit

vim /etc/my.cnf
[mysqld]
log-bin=mysql-bin
binlog_format=mixed
server-id = 254

[mysqld_safe]
log-error=/var/log/mysqld.log         # error log path
pid-file=/var/lib/mysql/mysql.pid
The skip-networking parameter must not be present in this configuration (the slave connects over TCP)

service mysqld restart
firewall-cmd --set-default-zone=trusted

Create an account for the slave server to connect with; it must have the REPLICATION SLAVE privilege
account: slave        password: admin
mysql -u root -p
GRANT replication slave ON *.* TO 'slave'@'%' IDENTIFIED BY 'admin';
exit

Check the master's binary log position:
mysql -uroot -p
flush tables with read lock;   # read-lock every table in every database
show master status;   # sample output: mysql-bin.000001       319
unlock tables;   # release the global lock
In the output, File is the binary log file name and Position the current offset inside it

Back up the existing data:
/usr/local/mysql/bin/mysqldump -uroot -p  --all-databases --lock-all-tables >/db/back.sql

Copy it to the slave server
scp /db/back.sql  192.168.17.130:/tmp/

-------------------------slave server configuration---------------------------
vim /etc/my.cnf
[mysqld]
log-bin=mysql-bin
binlog_format=mixed
server-id = 100

[mysqld_safe]
log-error=/var/log/mysqld.log         # error log path
pid-file=/var/lib/mysql/mysql.pid
The skip-networking parameter must not be present in this configuration

service mysqld restart
firewall-cmd --set-default-zone=trusted

mysql -u root -p
CHANGE MASTER TO MASTER_HOST="192.168.17.130",   -- the master's address
    MASTER_USER="slave",                         -- the replication account granted on the master
    MASTER_PASSWORD='admin',
    MASTER_LOG_FILE="mysql-bin.000004",          -- File and Position from SHOW MASTER STATUS on the master
    MASTER_LOG_POS=120;
START SLAVE;

Then check on both MySQL hosts that the status reports Yes
show slave status\G
show master status\G
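Typing the CHANGE MASTER statement by hand from SHOW MASTER STATUS output is where replication setups usually go wrong (a stale position, a mismatched user name). The two helpers below are an added example and not part of the original notes: change_master_stmt builds the statement from a saved copy of SHOW MASTER STATUS (tab-separated, as mysql -e prints it), and slave_ok reads a saved SHOW SLAVE STATUS\G and succeeds only when both Slave_IO_Running and Slave_SQL_Running are Yes. The master address 192.168.17.100, the sample status files and the function names are constructed for this example; the account slave/admin is the one granted above.

```shell
#!/bin/sh
# Added example (not from the original notes): build CHANGE MASTER from the master's
# status and verify the slave's state, both from saved command output.

# master_coords FILE: "File Position" from the tab-separated output of
#   mysql -uroot -p -e 'SHOW MASTER STATUS' > FILE
master_coords() { awk -F'\t' 'NR == 2 { print $1, $2 }' "$1"; }

# change_master_stmt HOST USER PASSWORD STATUS_FILE: the statement to run on the slave
change_master_stmt() {
    set -- "$1" "$2" "$3" $(master_coords "$4")
    [ -n "$5" ] || { echo "no coordinates in status file" >&2; return 1; }
    printf "CHANGE MASTER TO MASTER_HOST='%s', MASTER_USER='%s', MASTER_PASSWORD='%s', MASTER_LOG_FILE='%s', MASTER_LOG_POS=%s;\n" \
        "$1" "$2" "$3" "$4" "$5"
}

# slave_field FILE NAME: one field from the output of  mysql -e 'SHOW SLAVE STATUS\G' > FILE
slave_field() {
    awk -v n="$2" '
        { line = $0; sub(/^[ \t]+/, "", line) }
        index(line, n ": ") == 1 { print substr(line, length(n) + 3); exit }' "$1"
}

# slave_ok FILE: 0 when both replication threads run; otherwise print why and return 1
slave_ok() {
    _io=$(slave_field "$1" Slave_IO_Running)
    _sql=$(slave_field "$1" Slave_SQL_Running)
    if [ "$_io" = Yes ] && [ "$_sql" = Yes ]; then
        return 0
    fi
    echo "Slave_IO_Running=$_io Slave_SQL_Running=$_sql Last_IO_Error=$(slave_field "$1" Last_IO_Error)"
    return 1
}

# write_mysql_samples DIR: constructed copies of the two commands' output
write_mysql_samples() {
    printf 'File\tPosition\tBinlog_Do_DB\tBinlog_Ignore_DB\nmysql-bin.000004\t120\t\t\n' > "$1/master_status.tsv"
    cat > "$1/slave_ok.txt" <<'EOF'
*************************** 1. row ***************************
               Slave_IO_State: Waiting for master to send event
                  Master_Host: 192.168.17.100
             Slave_IO_Running: Yes
            Slave_SQL_Running: Yes
        Seconds_Behind_Master: 0
EOF
    cat > "$1/slave_broken.txt" <<'EOF'
*************************** 1. row ***************************
                  Master_Host: 192.168.17.100
             Slave_IO_Running: Connecting
            Slave_SQL_Running: Yes
                Last_IO_Error: error connecting to master 'slave@192.168.17.100:3306' - retry-time: 60
EOF
}
```

Usage: on the master, mysql -uroot -p -e 'SHOW MASTER STATUS' > /tmp/ms.tsv while the tables are still read-locked, then change_master_stmt MASTER_IP slave admin /tmp/ms.tsv | mysql -uroot -p on the slave. mysqldump --master-data=2 writes the same CHANGE MASTER line, at the coordinates consistent with the dump, into the dump file itself, which avoids the gap between SHOW MASTER STATUS and the backup.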

NFS

nfs listens on port 2049 and rpcbind on port 111; both services must be started
exportfs command: -r re-reads the /etc/exports configuration file; nfsstat shows share statistics; rpcinfo shows the programs registered with rpcbind
If the firewall is enabled, pin the ports in the configuration file /etc/sysconfig/nfs
-------------------------server configuration-----------------------------------------
yum install nfs-utils rpcbind -y
useradd -u 1005 test_nfs
mkdir /var/web
chmod 222 /var/web/
vim /etc/exports and add:
/var/web/ 192.168.17.130(rw,async,no_root_squash) # once client .130 mounts this share, the user test_nfs has write permission
#with /var/web/ 192.168.17.130(ro,sync) instead, the client gets a read-only mount
systemctl start rpcbind
systemctl start nfs
---------------------------------client configuration--------------------------------------
showmount -e 192.168.17.131   # first check what the server exports; the reply begins "Export list for 192.168.17.131"
mkdir /mnt/nfs_test
chmod 777 /mnt/nfs_test
useradd -u 1005 test_nfs   # create the same user with the same uid as on the server
mount 192.168.17.131:/var/web /mnt/nfs_test   # mount the NFS share
su test_nfs and test writing a file as that user
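The two export lines mentioned above differ by exactly the options that decide how much a client can do, and no_root_squash in particular lets root on the client act as root on the exported directory. The function below is an added example and not part of the original notes: exports_lint reads an /etc/exports file and reports exports open to every host, no_root_squash, read-write access granted to a whole network, and the insecure option, and prints a warning (without failing) for async. The sample files written by write_sample_exports reproduce the notes' two variants; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original notes): review /etc/exports before exportfs -r.

# exports_lint FILE: print one line per risky export option; exit status = number of findings
exports_lint() {
    awk '
        /^[[:space:]]*(#|$)/ { next }                       # comments and blank lines
        {
            path = $1
            for (i = 2; i <= NF; i++) {
                n = split($i, part, "(")                     # client(opt1,opt2) -> client, opts
                client = part[1]; opts = (n > 1) ? part[2] : ""
                sub(/\)$/, "", opts)
                if (client == "*" || client == "") { print path ": exported to every host"; bad++ }
                if (opts ~ /(^|,)no_root_squash(,|$)/) { print path ": " client " has no_root_squash (client root is root on the share)"; bad++ }
                if (opts ~ /(^|,)rw(,|$)/ && client ~ /\//) { print path ": read-write for the whole network " client; bad++ }
                if (opts ~ /(^|,)insecure(,|$)/) { print path ": " client " may connect from non-privileged ports"; bad++ }
                if (opts ~ /(^|,)async(,|$)/) { print path ": " client " uses async (writes are acknowledged before reaching disk)" }
            }
        }
        END { exit bad }' "$1"
}

# write_sample_exports DIR: the two variants from the notes, as separate files
write_sample_exports() {
    printf '/var/web/ 192.168.17.130(rw,async,no_root_squash)\n' > "$1/exports.open"
    printf '# read-only variant\n/var/web/ 192.168.17.130(ro,sync)\n' > "$1/exports.ro"
}
```

Usage: exports_lint /etc/exports; a non-zero exit means at least one finding, and the output names the path and client concerned.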

rsync

1. Install from the system DVD yum repo: yum install rsync

2. Create the directory to be synchronized, /common

/home : copies the /home directory itself into the destination
/home/ : copies the contents of /home into the destination

3. Create the file rsyncd.conf under /etc/
with the following content:
#/etc/rsyncd.conf
motd file = /etc/rsyncd.motd
transfer logging = yes
log file = /var/log/rsyncd.log
pid file = /var/run/rsyncd.pid
lock file = /var/run/rsync.lock
port = 873
address = 192.168.17.130
uid = nobody
gid = nobody
use chroot = no
read only = yes
max connections = 10
[common]
comment = web content
path = /common
ignore errors
auth users = tom,jerry
secrets file = /etc/rsyncd.secrets
hosts allow = 192.168.17.0/255.255.255.0
hosts deny = *
list = false

4. echo "tom:pass" > /etc/rsyncd.secrets
echo "jerry:111" >> /etc/rsyncd.secrets

5. chmod 600 /etc/rsyncd.secrets

6. echo "welcome to access" > /etc/rsyncd.motd

7. rsync --daemon

8. echo "/usr/bin/rsync --daemon"  >> /etc/rc.local

9. firewall-cmd --permanent --add-port=873/tcp

---------------------client--------------------------------
1. yum install rsync

2. Access the module: rsync -vzrtopg --progress tom@192.168.17.130::common /test

3. echo "pass" > /etc/rsync.pass   # store the password here so later runs need no prompt (this file must be mode 600, otherwise rsync refuses it)

4. rsync -avz --delete --password-file=/etc/rsync.pass tom@192.168.17.130::common /dest
Pulls everything in the server's common module into the local destination, with the server's copy as the reference (--delete removes local files that no longer exist on the server)

5. A script to automate it
#!/bin/bash
SRC=common
DEST=/data
Server=192.168.17.130
User=tom
Passfile=/root/rsync.pass
[ ! -d $DEST ] && mkdir $DEST
[ ! -f $Passfile ] && exit 2     # the password file must exist: test with -f (regular file), not -d (directory)
rsync -az --delete --password-file=$Passfile ${User}@${Server}::$SRC $DEST/$(date +%Y%m%d)
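The password file is the one piece of the client setup that fails at run time rather than at edit time: rsync refuses a --password-file that other users can read, and a missing file or a wrong test operator (a directory test on a file) makes the script fail silently in cron. The block below is an added example and not part of the original notes: rsync_passfile_ok checks that the file exists, is a regular file and has no group/other permission bits, and rsync_pull runs the same dated pull as the script above only after that check passes. The RSYNC_* variables default to the notes' values (tom, 192.168.17.130, /root/rsync.pass); the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original notes): pre-flight checks for the rsync pull script.
RSYNC_USER=${RSYNC_USER:-tom}
RSYNC_SERVER=${RSYNC_SERVER:-192.168.17.130}
RSYNC_PASSFILE=${RSYNC_PASSFILE:-/root/rsync.pass}

# rsync_passfile_ok FILE: 0 only if FILE is a regular file that nobody else can read.
# rsync itself rejects a password file with group/other permission bits, so catch it first.
rsync_passfile_ok() {
    if [ ! -f "$1" ]; then
        echo "$1: missing or not a regular file" >&2
        return 1
    fi
    _mode=$(stat -c %a "$1")
    case "$_mode" in
        [0-7]00 | 0[0-7]00) return 0 ;;          # 600, 400, 0600 ...: owner-only
        *) echo "$1: mode $_mode is readable by others; run: chmod 600 $1" >&2; return 1 ;;
    esac
}

# rsync_pull MODULE DEST: the pull from the notes, into a dated sub-directory of DEST
rsync_pull() {
    rsync_passfile_ok "$RSYNC_PASSFILE" || return 1
    [ -d "$2" ] || mkdir -p "$2"
    rsync -az --delete --password-file="$RSYNC_PASSFILE" \
        "${RSYNC_USER}@${RSYNC_SERVER}::$1" "$2/$(date +%Y%m%d)"
}
```

Usage: rsync_pull common /data from cron; the exit status is 1 with a message on stderr when the password file is wrong, and rsync's own status otherwise.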
-----------------------rsync+inotify: real-time synchronization----------------------------------------------
https://github.com/rvoicilas/inotify-tools.git   # download location
yum install rsync
yum install automake libtool
Unpack the archive and enter the directory; run bash autogen.sh first to generate the configure script,
then run ./configure, make and make install
echo "pass" >/root/rsync.pass
chmod 600 /root/rsync.pass
A script that watches the directory continuously:
#!/bin/bash
SRC=/web_data/
DEST=common
Client=192.168.17.130
User=tom
Passfile=/root/rsync.pass
[ ! -e $Passfile ] && exit 2
/local/src/inotifys/bin/inotifywait -mrq --timefmt '%y-%m-%d %H:%M' --format '%T %w%f %e' --event modify,create,move,delete,attrib \
$SRC | while read line
do
    echo "$line" >> /var/log/inotify_web 2>&1     # append; ">" would overwrite the log on every event
    /usr/bin/rsync -avz --delete --progress --password-file=$Passfile $SRC \
    ${User}@${Client}::$DEST >> /var/log/rsync_web 2>&1
done &

Give the script mode 755 and add it to the boot sequence
-----------------------------------------------------------------------------------
Monitored side (the web front end)
yum install rsync
mkdir -p /common
chmod 755 /common
chown nobody.nobody /common

vim /etc/rsyncd.conf

#/etc/rsyncd.conf
transfer logging = yes
log file = /var/log/rsyncd.log
pid file = /var/run/rsyncd.pid
lock file = /var/run/rsync.lock
uid = nobody
gid = nobody
use chroot = no
read only = no
ignore errors

[common]
comment = web content
path = /common
auth users = tom
secrets file = /etc/rsyncd.secrets
hosts allow = 192.168.17.131
hosts deny = *
list = false


echo "tom:pass" > /etc/rsyncd.secrets
chmod 600 /etc/rsyncd.secrets
rsync --daemon

svn

1. svn is commonly accessed in two ways: with a client program (install the client software) or through a web interface (the server then needs Apache)
2. First the client-program mode; install from the local DVD yum repo: yum install subversion

3. svnadmin help   # list the subcommands
create creates a repository, hotcopy makes a hot backup, lslocks prints all lock descriptions

4. svnadmin create /var/project1   # create the repository that step 5 imports into
svnadmin hotcopy /var/project1 /var/project1_back   # hot backup

5. Import everything under /opt into the newly created project1 repository
svn import /opt/  file:///var/project1/ -m "install files.."
svn list file:///var/project1   # list the contents of the repository
Start the service: svnserve -d -r /var   # to restart, killall the old svnserve first, then start it again

6. Each repository's configuration lives in its conf directory, in three files:
svnserve.conf
passwd
authz
7. In svnserve.conf uncomment these lines:
[general]
anon-access = none
auth-access = write
password-db = passwd
authz-db = authz

8. Add users and passwords in passwd:
[users]
admin = admin
xiaowang = admin

9. authz
[/]
admin = rw      # read-write user
xiaowang = r    # read-only user

With the settings above, the client-program access mode is complete
Install the svn client on the workstation, check out into any folder by entering
svn://<server ip>/project1 and confirm with the admin credentials

vsftp

1. yum install vsftpd
systemctl start vsftpd
2. Main configuration file: /etc/vsftpd/vsftpd.conf
3. Three login modes: anonymous, local user, virtual user
4. Virtual users are used as the example here:
5. yum install libdb-utils
6. Create a new file: vim /etc/vsftpd/vslogin with user names and passwords on alternating lines, e.g.:
tomcat
123456
jerry
123456

7. Generate the hash database: db_load -T -t hash -f /etc/vsftpd/vslogin /etc/vsftpd/vslogin.db
8. chmod 600 /etc/vsftpd/{vslogin,vslogin.db}
9. vim /etc/pam.d/vsftpd.pam
and enter these two lines:
auth required /lib64/security/pam_userdb.so db=/etc/vsftpd/vslogin
account required /lib64/security/pam_userdb.so db=/etc/vsftpd/vslogin
10. Create the system user that the virtual users are mapped to: useradd -s /sbin/nologin -d /home/ftp virtual
11. Edit the main configuration file (keep only the following lines and comment out everything else):
anonymous_enable=NO
local_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=NO
anon_other_write_enable=NO
chroot_local_user=YES
listen=YES
listen_port=21
pam_service_name=vsftpd.pam
guest_enable=YES
guest_username=virtual
pasv_enable=YES
pasv_min_port=30000
pasv_max_port=30099
user_config_dir=/etc/vsftpd_user_conf
user_sub_token=$USER
xferlog_enable=yes
xferlog_std_format=yes
12. mkdir /etc/vsftpd_user_conf
13. mkdir -p /home/ftp/tomcat
14. Put a test file in /home/ftp/tomcat to try after the final service restart
15. vim /etc/vsftpd_user_conf/tomcat
and write: local_root=/home/ftp/$USER
16. Restart the service: systemctl restart vsftpd
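db_load -T -f reads the vslogin file as alternating lines, key (user name) then data (password), so one blank or missing line shifts every later pair and turns a password into a user name. The block below is an added example and not part of the original notes: vslogin_check validates the text file (even line count, no blank lines, no duplicate users, passwords at least VSLOGIN_MINLEN characters, a threshold chosen for this example and defaulting to 8) and vslogin_build regenerates the .db only when the check passes. The sample files are constructed; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original notes): validate the vslogin text file before db_load.
# db_load -T -f reads the file as alternating lines: key (user), then data (password).

# vslogin_check FILE: print findings; exit status = number of problems (0 = ready for db_load)
vslogin_check() {
    awk -v minlen="${VSLOGIN_MINLEN:-8}" '
        /^[[:space:]]*$/ { print "line " NR ": blank line shifts every later user/password pair"; bad++; next }
        NR % 2 == 1 {                              # odd lines are user names
            user = $0
            if (user in seen) { print "line " NR ": duplicate user " user; bad++ }
            seen[user] = 1
        }
        NR % 2 == 0 {                              # even lines are the passwords
            if (length($0) < minlen) { print "line " NR ": password for " user " is shorter than " minlen " characters"; bad++ }
            if ($0 == user) { print "line " NR ": password equals the user name"; bad++ }
        }
        END {
            if (NR % 2 == 1) { print "line " NR ": user " user " has no password line"; bad++ }
            exit bad
        }' "$1"
}

# vslogin_build FILE: regenerate FILE.db from FILE only when the text file passes the check
vslogin_build() {
    vslogin_check "$1" || return 1
    db_load -T -t hash -f "$1" "$1.db" && chmod 600 "$1" "$1.db"
}

# write_vslogin_samples DIR: constructed inputs, one valid and one with a blank line
write_vslogin_samples() {
    printf 'tomcat\nT0mc4t-ftp!\njerry\nJ3rry-ftp!\n' > "$1/good"
    printf 'tomcat\n\n123456\njerry\njerry\n' > "$1/bad"
}
```

Usage: vslogin_build /etc/vsftpd/vslogin replaces steps 7 and 8 above; the check output names the offending line so the file can be fixed before the database is rebuilt.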

firewall

Zones overview:
trusted: allow everything
public: other hosts may reach this host's ssh; a host can otherwise only get in after this host has first connected to it, everything else is refused
external: traffic arriving through this zone is NATed before being forwarded out, whatever its source address, and
leaves with this host's outbound firewall IP (the host acts as a router)
1. Show the current default zone
firewall-cmd --get-default-zone

2. firewall-cmd --list-all-zones   # list all zones

3. Set the default zone to public
firewall-cmd --set-default-zone=public

4. Show the predefined service names: firewall-cmd --get-services
Only names listed here can be used when restricting by service

5. firewall-cmd --add-service=ftp --zone=public
Allow the ftp service
firewall-cmd --list-all --zone=public   # check what was just added

6. Remove the ftp service: firewall-cmd --remove-service=ftp --zone=public

7. Allow a port: firewall-cmd --add-port=3306/tcp --zone=public
(the usual form is firewall-cmd --add-port=3306/tcp, which adds to the current default zone)

8. Remove a port: firewall-cmd --remove-port=3306/tcp --zone=public

9. Bind a zone and its rules to an interface
firewall-cmd --add-interface=eno16777736 --zone=public

10. Unbind the interface
firewall-cmd --remove-interface=eno16777736 --zone=public

11. Show the zone currently in use
firewall-cmd --list-all

12. Add a permanent rule allowing access to 3306
firewall-cmd --permanent --add-port=3306/tcp --zone=public

13. Reload the firewall rules (the non-permanent rules added above are lost)
firewall-cmd --reload

haproxy

-----------------------------back-end web1-------------------
Server name: web1.example.com
vim /etc/sysconfig/network-scripts/ifcfg-eno11111

TYPE=Ethernet
BOOTPROTO=static
DEVICE=eno11111
ONBOOT=yes
IPADDR=192.168.0.1
NETMASK=255.255.255.0
GATEWAY=192.168.0.254

systemctl restart network
yum -y install httpd
echo "192.168.0.1" >/var/www/html/index.html
systemctl start httpd
firewall-cmd --set-default-zone=trusted
------------------------------back-end web2-------------------
Server name: web2.example.com
vim /etc/sysconfig/network-scripts/ifcfg-eno22222

TYPE=Ethernet
BOOTPROTO=static
DEVICE=eno22222
ONBOOT=yes
IPADDR=192.168.0.2
NETMASK=255.255.255.0
GATEWAY=192.168.0.254

systemctl restart network
yum -y install httpd
echo "192.168.0.2" >/var/www/html/index.html
systemctl start httpd
firewall-cmd --set-default-zone=trusted
------------------------------back-end web3-------------------
Server name: web3.example.com
vim /etc/sysconfig/network-scripts/ifcfg-eno333333

TYPE=Ethernet
BOOTPROTO=static
DEVICE=eno333333
ONBOOT=yes
IPADDR=192.168.0.3
NETMASK=255.255.255.0
GATEWAY=192.168.0.254

systemctl restart network
yum -y install httpd
echo "192.168.0.3" >/var/www/html/index.html
systemctl start httpd
firewall-cmd --set-default-zone=trusted
---------------------------------------------------------
Front-end server setup:
Server name: haproxy.example.com
External NIC:
TYPE=Ethernet
BOOTPROTO=static
DEVICE=eno16777736
ONBOOT=yes
IPADDR=10.10.10.10
PREFIX=8

Internal NIC:
TYPE=Ethernet
BOOTPROTO=static
DEVICE=eno33554960
ONBOOT=yes
IPADDR=192.168.0.254
NETMASK=255.255.255.0

systemctl restart network
firewall-cmd --set-default-zone=trusted

vim /etc/security/limits.conf   # raise the open-file limit; insert these two lines
*    soft   nofile  65535
*    hard   nofile  65535


yum -y install haproxy
vim /etc/haproxy/haproxy.cfg

global
    maxconn     4096                 # maximum number of concurrent connections
    log         127.0.0.1 local3 info
    # log syntax: log <address> <facility> [max_level]. Global log configuration: send to the
    # syslog service on 127.0.0.1, facility local3, recording messages of level info
    chroot      /var/haproxy         # change the working directory (chroot jail)
    uid 99
    gid 99
    daemon                           # run haproxy as a daemon
    nbproc 1
    pidfile     /var/run/haproxy.pid # pid file of the current process
    ulimit-n    65535
    stats socket /var/tmp/stats

defaults
    mode    http                     # default mode { tcp|http|health }: tcp is layer 4, http is layer 7, health only returns OK
    log     global                   # use the global log configuration
    maxconn 20480                    # maximum connections per process
    option  httplog                  # log HTTP requests; by default haproxy does not log them
    option  httpclose
    option  dontlognull
    # With dontlognull, empty connections are not logged. An empty connection is one opened by an upstream
    # load balancer or a monitoring system that periodically connects, fetches a fixed component or page,
    # or probes whether a port is listening, in order to find out whether the service is alive.
    # The official documentation notes that if there is no other load balancer in front of this
    # service it is better not to use this option, because malicious scans and similar activity from
    # the Internet would then not be logged either.
    option  forwardfor               # if the application on the back-end server wants to record the client's IP address, enable this
    # option on HAProxy: it passes the client IP to the server by adding the "X-Forwarded-For" header to the HTTP
    # request, so the back-end server sees the real client IP.
    option  redispatch               # when cookies are used, haproxy inserts the serverID of the chosen back-end into the cookie to
    # keep the session persistent; if that back-end goes down, the client's cookie is not refreshed, so with this
    # option the client's request is forced to another back-end server to keep the service working.
    option  abortonclose
    stats   refresh 30s
    retries 3                        # number of retries when connecting to a back-end server fails; beyond this the
    # server is marked unavailable
    balance roundrobin               # load-balancing algorithm
    cookie  SRV
    timeout connect         5000s    # connect timeout
    timeout client          5000m    # client timeout
    timeout server          5000m    # server timeout
    timeout check           2000s    # health-check timeout

listen admin_status
    bind 0.0.0.0:6553
    mode http
    log 127.0.0.1  local3 info
    stats enable
    stats refresh 5s
    stats realm Haproxy\ Statistics
    stats uri   /admin?stats
    stats auth admin1:AdMiN123
    stats hide-version

frontend web_service
    bind 0.0.0.0:80
    mode http
    log global
    option httplog
    option httpclose
    option forwardfor
    acl inside_src src 192.168.0.0/24
    use_backend inside_servers if inside_src
    default_backend external_servers

backend external_servers
    mode http
    balance roundrobin
    option httpchk GET /index.html
    server web01 192.168.0.1:80 cookie web1 check inter 2000 rise 2 fall 3 weight 1   # the back-end servers; each needs a unique name
    server web02 192.168.0.2:80 cookie web2 check inter 2000 rise 2 fall 3 weight 1

backend inside_servers
    mode http
    balance roundrobin
    option httpchk GET /index.html
    server web03 192.168.0.3:80 cookie web3 check inter 1500 rise 3 fall 3 weight 1
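Two server lines that share one name inside a backend are indistinguishable on the stats page and in the logs, and a server line without check is never health-checked, so a dead back-end keeps receiving requests. The function below is an added example and not part of the original notes: haproxy_lint walks the configuration section by section and reports duplicate server names, servers without check, and the ookie misspelling of cookie. The sample configuration written by write_haproxy_samples is constructed for the test and mirrors the backend layout above; the function names are this example's own. haproxy -c -f FILE remains the authoritative syntax check.

```shell
#!/bin/sh
# Added example (not from the original notes): catch per-backend mistakes in haproxy.cfg.

# haproxy_lint FILE: print one line per finding; exit status = number of findings
haproxy_lint() {
    awk '
        # a new section resets the per-section server name table
        $1 == "global" || $1 == "defaults" || $1 == "frontend" || $1 == "backend" || $1 == "listen" {
            section = $1 " " $2; split("", names); next
        }
        $1 == "server" {
            if ($2 in names) { print section ": duplicate server name " $2; bad++ }
            names[$2] = 1
            if ($0 !~ /[[:space:]]check([[:space:]]|$)/) { print section ": server " $2 " has no health check"; bad++ }
            if ($0 ~ /[[:space:]]ookie[[:space:]]/) { print section ": server " $2 " uses \"ookie\" (cookie misspelled)"; bad++ }
        }
        END { exit bad }' "$1"
}

# write_haproxy_samples DIR: constructed backends (dup.cfg with three faults, fixed.cfg clean)
write_haproxy_samples() {
    cat > "$1/dup.cfg" <<'EOF'
backend external_servers
    mode http
    balance roundrobin
    option httpchk GET /index.html
    server web01 192.168.0.1:80 ookie web1 check inter 2000 rise 2 fall 3 weight 1
    server web01 192.168.0.2:80 cookie web2 check inter 2000 rise 2 fall 3 weight 1
backend inside_servers
    mode http
    server web01 192.168.0.3:80 cookie web3 weight 1
EOF
    sed -e 's/ ookie / cookie /' -e 's/web01 192.168.0.2/web02 192.168.0.2/' -e 's/web3 weight 1/web3 check weight 1/' "$1/dup.cfg" > "$1/fixed.cfg"
}
```

Usage: haproxy_lint /etc/haproxy/haproxy.cfg && haproxy -c -f /etc/haproxy/haproxy.cfg before restarting.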


vim /etc/rsyslog.conf   # insert these three lines
$ModLoad imudp
$UDPServerRun 514
local3.*    /var/log/haproxy.log   # destination file for the local3 facility used above
systemctl restart rsyslog
haproxy -f /etc/haproxy/haproxy.cfg
echo "/usr/local/sbin/haproxy -f /etc/haproxy/haproxy.cfg" >>/etc/rc.local   # start at boot
------------------------------------------------------------------------------------------------
Test from an external machine:
Open http://10.10.10.10:6553/admin?stats to view the statistics; when reloading the web page, the web1 and web2 server pages appear in turn
If the client is a LAN machine, http://192.168.0.254 always shows the web3 page
