This commit is contained in:
bazz2 2015-12-07 08:27:03 +08:00
commit 152c90b1f7
22 changed files with 1723 additions and 932 deletions

View File

@ -0,0 +1,435 @@
如何在 Ubuntu 15.04 中安装 puppet
================================================================================
大家好,本教程将学习如何在 ubuntu 15.04 上面安装 puppet它可以用来管理你的服务器基础环境。puppet 是由puppet 实验室Puppet Labs开发并维护的一款开源的配置管理软件它能够帮我们自动化供给、配置和管理服务器的基础环境。不管我们管理的是几个服务器还是数以千计的计算机组成的业务报表体系puppet 都能够使管理员从繁琐的手动配置调整中解放出来腾出时间和精力去提系统的升整体效率。它能够确保所有自动化流程作业的一致性、可靠性以及稳定性。它让管理员和开发者更紧密的联系在一起使开发者更容易产出付出设计良好、简洁清晰的代码。puppet 提供了配置管理和数据中心自动化的两个解决方案。这两个解决方案分别是 **puppet 开源版****puppet 企业版**。puppet 开源版以 Apache 2.0 许可证发布它是一个非常灵活、可定制的解决方案设置初衷是帮助管理员去完成那些重复性操作工作。pupprt 企业版是一个全平台复杂 IT 环境下的成熟解决方案,它除了拥有开源版本所有优势以外还有移动端 apps、只有商业版才有的加强支持以及模块化和集成管理等。Puppet 使用 SSL 证书来认证主控服务器与代理节点之间的通信。
本教程将要介绍如何在运行 ubuntu 15.04 的主控服务器和代理节点上面安装开源版的 puppet。在这里我们用一台服务器做主控服务器master管理和控制剩余的当作 puppet 代理节点agent node的服务器这些代理节点将依据主控服务器来进行配置。在 ubuntu 15.04 只需要简单的几步就能安装配置好 puppet用它来管理我们的服务器基础环境非常的方便。LCTT 译注puppet 采用 C/S 架构,所以必须有至少有一台作为服务器,其他作为客户端处理)
### 1.设置主机文件 ###
在本教程里我们将使用2台运行 ubuntu 15.04 “Vivid Vervet" 的主机,一台作为主控服务器,另一台作为 puppet 的代理节点。下面是我们将用到的服务器的基础信息。
- puupet 主控服务器 IP44.55.88.6 ,主机名: puppetmaster
- puppet 代理节点 IP 45.55.86.39 ,主机名: puppetnode
我们要在代理节点和服务器这两台机器的 hosts 文件里面都添加上相应的条目,使用 root 或是 sudo 访问权限来编辑 /etc/hosts 文件,命令如下:
# nano /etc/hosts
45.55.88.6 puppetmaster.example.com puppetmaster
45.55.86.39 puppetnode.example.com puppetnode
注意puppet 主控服务器必使用 8140 端口来运行所以请务必保证开启8140端口。
### 2. 用 NTP 更新时间 ###
puppet 代理节点所使用系统时间必须要准确,这样可以避免代理证书出现问题。如果有时间差异,那么证书将过期失效,所以服务器与代理节点的系统时间必须互相同步。我们使用 NTPNetwork Time Protocol网络时间协议来同步时间。**在服务器与代理节点上面分别**运行以下命令来同步时间。
# ntpdate pool.ntp.org
17 Jun 00:17:08 ntpdate[882]: adjust time server 66.175.209.17 offset -0.001938 sec
LCTT 译注:显示类似的输出结果表示运行正常)
如果没有安装 ntp请使用下面的命令更新你的软件仓库安装并运行ntp服务
# apt-get update && sudo apt-get -y install ntp ; service ntp restart
### 3. 安装主控服务器软件 ###
安装开源版本的 puppet 有很多的方法。在本教程中我们在 puppet 实验室官网下载一个名为 puppetlabs-release 的软件包的软件源,安装后它将为我们在软件源里面添加 puppetmaster-passenger。puppetmaster-passenger 包括带有 apache 的 puppet 主控服务器。我们开始下载这个软件包:
# cd /tmp/
# wget https://apt.puppetlabs.com/puppetlabs-release-trusty.deb
--2015-06-17 00:19:26-- https://apt.puppetlabs.com/puppetlabs-release-trusty.deb
Resolving apt.puppetlabs.com (apt.puppetlabs.com)... 192.155.89.90, 2600:3c03::f03c:91ff:fedb:6b1d
Connecting to apt.puppetlabs.com (apt.puppetlabs.com)|192.155.89.90|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 7384 (7.2K) [application/x-debian-package]
Saving to: puppetlabs-release-trusty.deb
puppetlabs-release-tr 100%[===========================>] 7.21K --.-KB/s in 0.06s
2015-06-17 00:19:26 (130 KB/s) - puppetlabs-release-trusty.deb saved [7384/7384]
下载完成,我们来安装它:
# dpkg -i puppetlabs-release-trusty.deb
Selecting previously unselected package puppetlabs-release.
(Reading database ... 85899 files and directories currently installed.)
Preparing to unpack puppetlabs-release-trusty.deb ...
Unpacking puppetlabs-release (1.0-11) ...
Setting up puppetlabs-release (1.0-11) ...
使用 apt 包管理命令更新一下本地的软件源:
# apt-get update
现在我们就可以安装 puppetmaster-passenger 了
# apt-get install puppetmaster-passenger
**提示**: 在安装的时候可能会报错:
Warning: Setting templatedir is deprecated.see http://links.puppetlabs.com/env-settings-deprecations (at /usr/lib/ruby/vendor_ruby/puppet/settings.rb:1139:in `issue_deprecation_warning')
不过不用担心,忽略掉它就好,我们只需要在设置配置文件的时候把这一项禁用就行了。
如何来查看puppet 主控服务器是否已经安装成功了呢?非常简单,只需要使用下面的命令查看它的版本就可以了。
# puppet --version
3.8.1
现在我们已经安装好了 puppet 主控服务器。因为我们使用的是配合 apache 的 passenger由 apache 来控制 puppet 主控服务器,当 apache 运行时 puppet 主控才运行。
在开始之前,我们需要通过停止 apache 服务来让 puppet 主控服务器停止运行。
# systemctl stop apache2
### 4. 使用 Apt 工具锁定主控服务器的版本 ###
现在已经安装了 3.8.1 版的 puppet我们锁定这个版本不让它随意升级因为升级会造成配置文件混乱。 使用 apt 工具来锁定它,这里我们需要使用文本编辑器来创建一个新的文件 **/etc/apt/preferences.d/00-puppet.pref**
# nano /etc/apt/preferences.d/00-puppet.pref
在新创建的文件里面添加以下内容:
# /etc/apt/preferences.d/00-puppet.pref
Package: puppet puppet-common puppetmaster-passenger
Pin: version 3.8*
Pin-Priority: 501
这样在以后的系统软件升级中, puppet 主控服务器将不会跟随系统软件一起升级。
### 5. 配置 Puppet 主控服务器###
Puppet 主控服务器作为一个证书发行机构,需要生成它自己的证书,用于签署所有代理的证书的请求。首先我们要删除所有在该软件包安装过程中创建出来的 ssl 证书。本地默认的 puppet 证书放在 /var/lib/puppet/ssl。因此我们只需要使用 rm 命令来整个移除这些证书就可以了。
# rm -rf /var/lib/puppet/ssl
现在来配置该证书,在创建 puppet 主控服务器证书时,我们需要包括代理节点与主控服务器沟通所用的每个 DNS 名称。使用文本编辑器来修改服务器的配置文件 puppet.conf
# nano /etc/puppet/puppet.conf
输出的结果像下面这样
[main]
logdir=/var/log/puppet
vardir=/var/lib/puppet
ssldir=/var/lib/puppet/ssl
rundir=/var/run/puppet
factpath=$vardir/lib/facter
templatedir=$confdir/templates
[master]
# These are needed when the puppetmaster is run by passenger
# and can safely be removed if webrick is used.
ssl_client_header = SSL_CLIENT_S_DN
ssl_client_verify_header = SSL_CLIENT_VERIFY
在这我们需要注释掉 templatedir 这行使它失效。然后在文件的 `[main]` 小节的结尾添加下面的信息。
server = puppetmaster
environment = production
runinterval = 1h
strict_variables = true
certname = puppetmaster
dns_alt_names = puppetmaster, puppetmaster.example.com
还有很多你可能用的到的配置选项。 如果你有需要,在 Puppet 实验室有一份详细的描述文件供你阅读: [Main Config File (puppet.conf)][1]。
编辑完成后保存退出。
使用下面的命令来生成一个新的证书。
# puppet master --verbose --no-daemonize
Info: Creating a new SSL key for ca
Info: Creating a new SSL certificate request for ca
Info: Certificate Request fingerprint (SHA256): F6:2F:69:89:BA:A5:5E:FF:7F:94:15:6B:A7:C4:20:CE:23:C7:E3:C9:63:53:E0:F2:76:D7:2E:E0:BF:BD:A6:78
...
Notice: puppetmaster has a waiting certificate request
Notice: Signed certificate request for puppetmaster
Notice: Removing file Puppet::SSL::CertificateRequest puppetmaster at '/var/lib/puppet/ssl/ca/requests/puppetmaster.pem'
Notice: Removing file Puppet::SSL::CertificateRequest puppetmaster at '/var/lib/puppet/ssl/certificate_requests/puppetmaster.pem'
Notice: Starting Puppet master version 3.8.1
^CNotice: Caught INT; storing stop
Notice: Processing stop
至此,证书已经生成。一旦我们看到 **Notice: Starting Puppet master version 3.8.1**,就表明证书就已经制作好了。我们按下 CTRL-C 回到 shell 命令行。
查看新生成证书的信息,可以使用下面的命令。
# puppet cert list -all
+ "puppetmaster" (SHA256) 33:28:97:86:A1:C3:2F:73:10:D1:FB:42:DA:D5:42:69:71:84:F0:E2:8A:01:B9:58:38:90:E4:7D:B7:25:23:EC (alt names: "DNS:puppetmaster", "DNS:puppetmaster.example.com")
### 6. 创建一个 Puppet 清单 ###
默认的主要清单Manifest是 /etc/puppet/manifests/site.pp。 这个主要清单文件包括了用于在代理节点执行的配置定义。现在我们来创建一个清单文件:
# nano /etc/puppet/manifests/site.pp
在刚打开的文件里面添加下面这几行:
# execute 'apt-get update'
exec { 'apt-update': # exec resource named 'apt-update'
command => '/usr/bin/apt-get update' # command this resource will run
}
# install apache2 package
package { 'apache2':
require => Exec['apt-update'], # require 'apt-update' before installing
ensure => installed,
}
# ensure apache2 service is running
service { 'apache2':
ensure => running,
}
以上这几行的意思是给代理节点部署 apache web 服务。
### 7. 运行 puppet 主控服务 ###
已经准备好运行 puppet 主控服务器 了,那么开启 apache 服务来让它启动
# systemctl start apache2
我们 puppet 主控服务器已经运行,不过它还不能管理任何代理节点。现在我们给 puppet 主控服务器添加代理节点.
**提示**: 如果报错
Job for apache2.service failed. see "systemctl status apache2.service" and "journalctl -xe" for details.
肯定是 apache 服务器有一些问题,我们可以使用 root 或是 sudo 访问权限来运行**apachectl start**查看它输出的日志。在本教程执行过程中, 我们发现一个 **/etc/apache2/sites-enabled/puppetmaster.conf** 的证书配置问题。修改其中的**SSLCertificateFile /var/lib/puppet/ssl/certs/server.pem **为 **SSLCertificateFile /var/lib/puppet/ssl/certs/puppetmaster.pem**,然后注释掉后面这行**SSLCertificateKeyFile** 。然后在命令行重新启动 apache。
### 8. 安装 Puppet 代理节点的软件包 ###
我们已经准备好了 puppet 的服务器,现在需要一个可以管理的代理节点,我们将安装 puppet 代理软件到节点上去。这里我们要给每一个需要管理的节点安装代理软件,并且确保这些节点能够通过 DNS 查询到服务器主机。下面将 安装最新的代理软件到 节点 puppetnode.example.com 上。
在代理节点上使用下面的命令下载 puppet 实验室提供的软件包:
# cd /tmp/
# wget https://apt.puppetlabs.com/puppetlabs-release-trusty.deb\
--2015-06-17 00:54:42-- https://apt.puppetlabs.com/puppetlabs-release-trusty.deb
Resolving apt.puppetlabs.com (apt.puppetlabs.com)... 192.155.89.90, 2600:3c03::f03c:91ff:fedb:6b1d
Connecting to apt.puppetlabs.com (apt.puppetlabs.com)|192.155.89.90|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 7384 (7.2K) [application/x-debian-package]
Saving to: puppetlabs-release-trusty.deb
puppetlabs-release-tr 100%[===========================>] 7.21K --.-KB/s in 0.04s
2015-06-17 00:54:42 (162 KB/s) - puppetlabs-release-trusty.deb saved [7384/7384]
在 ubuntu 15.04 上我们使用debian包管理系统来安装它命令如下
# dpkg -i puppetlabs-release-trusty.deb
使用 apt 包管理命令更新一下本地的软件源:
# apt-get update
通过远程仓库安装:
# apt-get install puppet
Puppet 代理默认是不启动的。这里我们需要使用文本编辑器修改 /etc/default/puppet 文件,使它正常工作:
# nano /etc/default/puppet
更改 **START** 的值改成 "yes" 。
START=yes
最后保存并退出。
### 9. 使用 Apt 工具锁定代理软件的版本 ###
和上面的步骤一样为防止随意升级造成的配置文件混乱,我们要使用 apt 工具来把它锁定。具体做法是使用文本编辑器创建一个文件 **/etc/apt/preferences.d/00-puppet.pref**
# nano /etc/apt/preferences.d/00-puppet.pref
在新建的文件里面加入如下内容
# /etc/apt/preferences.d/00-puppet.pref
Package: puppet puppet-common
Pin: version 3.8*
Pin-Priority: 501
这样 puppet 就不会随着系统软件升级而随意升级了。
### 10. 配置 puppet 代理节点 ###
我们需要编辑一下代理节点的 puppet.conf 文件,来使它运行。
# nano /etc/puppet/puppet.conf
它看起来和服务器的配置文件完全一样。同样注释掉**templatedir**这行。不同的是在这里我们需要删除掉所有关于`[master]` 的部分。
假定主控服务器可以通过名字“puppet-master”访问我们的客户端应该可以和它相互连接通信。如果不行的话我们需要使用完整的主机域名 puppetmaster.example.com
[agent]
server = puppetmaster.example.com
certname = puppetnode.example.com
在文件的结尾增加上面3行增加之后文件内容像下面这样
[main]
logdir=/var/log/puppet
vardir=/var/lib/puppet
ssldir=/var/lib/puppet/ssl
rundir=/var/run/puppet
factpath=$vardir/lib/facter
#templatedir=$confdir/templates
[agent]
server = puppetmaster.example.com
certname = puppetnode.example.com
最后保存并退出。
使用下面的命令来启动客户端软件:
# systemctl start puppet
如果一切顺利的话,我们不会看到命令行有任何输出。 第一次运行的时候,代理节点会生成一个 ssl 证书并且给服务器发送一个请求,经过签名确认后,两台机器就可以互相通信了。
**提示** 如果这是你添加的第一个代理节点,建议你在添加其他节点前先给这个证书签名。一旦能够通过并正常运行,回过头来再添加其他代理节点。
### 11. 在主控服务器上对证书请求进行签名 ###
第一次运行的时候,代理节点会生成一个 ssl 证书并且给服务器发送一个签名请求。在主控服务器给代理节点服务器证书签名之后,主服务器才能和代理服务器通信并且控制代理服务器。
在主控服务器上使用下面的命令来列出当前的证书请求:
# puppet cert list
"puppetnode.example.com" (SHA256) 31:A1:7E:23:6B:CD:7B:7D:83:98:33:8B:21:01:A6:C4:01:D5:53:3D:A0:0E:77:9A:77:AE:8F:05:4A:9A:50:B2
因为只设置了一台代理节点服务器,所以我们将只看到一个请求。看起来类似如上,代理节点的完整域名即其主机名。
注意有没有“+”号在前面,代表这个证书有没有被签名。
使用带有主机名的**puppet cert sign**这个命令来签署这个签名请求,如下:
# puppet cert sign puppetnode.example.com
Notice: Signed certificate request for puppetnode.example.com
Notice: Removing file Puppet::SSL::CertificateRequest puppetnode.example.com at '/var/lib/puppet/ssl/ca/requests/puppetnode.example.com.pem'
主控服务器现在可以通讯和控制它签名过的代理节点了。
如果想签署所有的当前请求,可以使用 -all 选项,如下所示:
# puppet cert sign --all
### 12. 删除一个 Puppet 证书 ###
如果我们想移除一个主机,或者想重建一个主机然后再添加它。下面的例子里我们将展示如何删除 puppet 主控服务器上面的一个证书。使用的命令如下:
# puppet cert clean hostname
Notice: Revoked certificate with serial 5
Notice: Removing file Puppet::SSL::Certificate puppetnode.example.com at '/var/lib/puppet/ssl/ca/signed/puppetnode.example.com.pem'
Notice: Removing file Puppet::SSL::Certificate puppetnode.example.com at '/var/lib/puppet/ssl/certs/puppetnode.example.com.pem'
如果我们想查看所有的签署和未签署的请求,使用下面这条命令:
# puppet cert list --all
+ "puppetmaster" (SHA256) 33:28:97:86:A1:C3:2F:73:10:D1:FB:42:DA:D5:42:69:71:84:F0:E2:8A:01:B9:58:38:90:E4:7D:B7:25:23:EC (alt names: "DNS:puppetmaster", "DNS:puppetmaster.example.com")
### 13. 部署 Puppet 清单 ###
当配置并完成 puppet 清单后,现在我们需要部署清单到代理节点服务器上。要应用并加载主 puppet 清单,我们可以在代理节点服务器上面使用下面的命令:
# puppet agent --test
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Caching catalog for puppetnode.example.com
Info: Applying configuration version '1434563858'
Notice: /Stage[main]/Main/Exec[apt-update]/returns: executed successfully
Notice: Finished catalog run in 10.53 seconds
这里向我们展示了主清单如何立即影响到了一个单一的服务器。
如果我们打算运行的 puppet 清单与主清单没有什么关联,我们可以简单使用 puppet apply 带上相应的清单文件的路径即可。它仅将清单应用到我们运行该清单的代理节点上。
# puppet apply /etc/puppet/manifest/test.pp
### 14. 为特定节点配置清单 ###
如果我们想部署一个清单到某个特定的节点,我们需要如下配置清单。
在主控服务器上面使用文本编辑器编辑 /etc/puppet/manifest/site.pp
# nano /etc/puppet/manifest/site.pp
添加下面的内容进去
node 'puppetnode', 'puppetnode1' {
# execute 'apt-get update'
exec { 'apt-update': # exec resource named 'apt-update'
command => '/usr/bin/apt-get update' # command this resource will run
}
# install apache2 package
package { 'apache2':
require => Exec['apt-update'], # require 'apt-update' before installing
ensure => installed,
}
# ensure apache2 service is running
service { 'apache2':
ensure => running,
}
}
这里的配置显示我们将在名为 puppetnode 和 puppetnode1 的2个指定的节点上面安装 apache 服务。这里可以添加其他我们需要安装部署的具体节点进去。
### 15. 配置清单模块 ###
模块对于组合任务是非常有用的,在 Puppet 社区有很多人贡献了自己的模块组件。
在主控服务器上, 我们将使用 puppet module 命令来安装 **puppetlabs-apache** 模块。
# puppet module install puppetlabs-apache
**警告**: 千万不要在一个已经部署 apache 环境的机器上面使用这个模块,否则它将清空你没有被 puppet 管理的 apache 配置。
现在用文本编辑器来修改 **site.pp**
# nano /etc/puppet/manifest/site.pp
添加下面的内容进去,在 puppetnode 上面安装 apache 服务。
node 'puppet-node' {
class { 'apache': } # use apache module
apache::vhost { 'example.com': # define vhost resource
port => '80',
docroot => '/var/www/html'
}
}
保存退出。然后重新运行该清单来为我们的代理节点部署 apache 配置。
### 总结 ###
现在我们已经成功的在 ubuntu 15.04 上面部署并运行 puppet 来管理代理节点服务器的基础运行环境。我们学习了puppet 是如何工作的,编写清单文件,节点与主机间使用 ssl 证书认证的认证过程。使用 puppet 开源软件配置管理工具在众多的代理节点上来控制、管理和配置重复性任务是非常容易的。如果你有任何的问题,建议,反馈,与我们取得联系,我们将第一时间完善更新,谢谢。
--------------------------------------------------------------------------------
via: http://linoxide.com/linux-how-to/install-puppet-ubuntu-15-04/
作者:[Arun Pyasi][a]
译者:[ivo-wang](https://github.com/ivo-wang)
校对:[wxy](https://github.com/wxy)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创翻译,[Linux中国](https://linux.cn/) 荣誉推出
[a]:http://linoxide.com/author/arunp/
[1]:https://docs.puppetlabs.com/puppet/latest/reference/config_file_main.html

View File

@ -1,12 +1,13 @@
第 10 部分:在 RHEL/CentOS 7 中设置 “NTP网络时间协议 服务器” RHCE 系列(十):在 RHEL/CentOS 7 中设置 NTP网络时间协议服务器
================================================================================ ================================================================================
网络时间协议 - NTP - 是运行在传输层 123 号端口允许计算机通过网络同步准确时间的协议。随着时间的流逝,计算机内部时间会出现漂移,这会导致时间不一致问题,尤其是对于服务器和客户端日志文件,或者你想要备份服务器资源或数据库。
网络时间协议 - NTP - 是运行在传输层 123 号端口的 UDP 协议,它允许计算机通过网络同步准确时间。随着时间的流逝,计算机内部时间会出现漂移,这会导致时间不一致问题,尤其是对于服务器和客户端日志文件,或者你想要复制服务器的资源或数据库。
![在 CentOS 上安装 NTP 服务器](http://www.tecmint.com/wp-content/uploads/2014/09/NTP-Server-Install-in-CentOS.png) ![在 CentOS 上安装 NTP 服务器](http://www.tecmint.com/wp-content/uploads/2014/09/NTP-Server-Install-in-CentOS.png)
在 CentOS 和 RHEL 7 上安装 NTP 服务器 *在 CentOS 和 RHEL 7 上安装 NTP 服务器*
#### 要求: #### #### 前置要求: ####
- [CentOS 7 安装过程][1] - [CentOS 7 安装过程][1]
- [RHEL 安装过程][2] - [RHEL 安装过程][2]
@ -17,62 +18,62 @@
- [在 CentOS/RHCE 7 上配置静态 IP][4] - [在 CentOS/RHCE 7 上配置静态 IP][4]
- [在 CentOS/RHEL 7 上停用并移除不需要的服务][5] - [在 CentOS/RHEL 7 上停用并移除不需要的服务][5]
这篇指南会告诉你如何在 CentOS/RHCE 7 上安装和配置 NTP 服务器,并使用 NTP 公共时间服务器池列表中和你服务器地理位置最近的可用节点中同步时间。 这篇指南会告诉你如何在 CentOS/RHCE 7 上安装和配置 NTP 服务器,并使用 NTP 公共时间服务器池NTP Public Pool Time Servers列表中和你服务器地理位置最近的可用节点中同步时间。
#### 步骤一:安装和配置 NTP 守护进程 #### #### 步骤一:安装和配置 NTP 守护进程 ####
1. 官方 CentOS /RHEL 7 库默认提供 NTP 服务器安装包,可以通过使用下面的命令安装。 1 官方 CentOS /RHEL 7 库默认提供 NTP 服务器安装包,可以通过使用下面的命令安装。
# yum install ntp # yum install ntp
![在 CentOS 上安装 NTP 服务器](http://www.tecmint.com/wp-content/uploads/2014/09/Install-NTP-in-CentOS.png) ![在 CentOS 上安装 NTP 服务器](http://www.tecmint.com/wp-content/uploads/2014/09/Install-NTP-in-CentOS.png)
安装 NTP 服务器 *安装 NTP 服务器*
2. 安装完服务器之后,首先到官方 [NTP 公共时间服务器池][6],选择你服务器物理位置所在的洲,然后搜索你的国家位置,然后会出现 NTP 服务器列表。 2 安装完服务器之后,首先到官方 [NTP 公共时间服务器池NTP Public Pool Time Servers][6],选择你服务器物理位置所在的洲,然后搜索你的国家位置,然后会出现 NTP 服务器列表。
![NTP 服务器池](http://www.tecmint.com/wp-content/uploads/2014/09/NTP-Pool-Server.png) ![NTP 服务器池](http://www.tecmint.com/wp-content/uploads/2014/09/NTP-Pool-Server.png)
NTP 服务器池 *NTP 服务器池*
3. 然后打开编辑 NTP 守护进程主要配置文件,从 pool.ntp.org 中注释掉默认的公共服务器列表并用类似下面截图提供给你国家的列表替换。 3、 然后打开编辑 NTP 守护进程的主配置文件,注释掉来自 pool.ntp.org 项目的公共服务器默认列表并用类似下面截图中提供给你所在国家的列表替换。LCTT 译注:中国使用 0.cn.pool.ntp.org 等)
![在 CentOS 中配置 NTP 服务器](http://www.tecmint.com/wp-content/uploads/2014/09/Configure-NTP-Server.png) ![在 CentOS 中配置 NTP 服务器](http://www.tecmint.com/wp-content/uploads/2014/09/Configure-NTP-Server.png)
配置 NTP 服务器 *配置 NTP 服务器*
4. 下一步,你需要允许客户端从你的网络中和这台服务器同步时间。为了做到这点,添加下面一行到 NTP 配置文件,其中限制语句控制允许哪些网络查询和同步时间 - 根据需要替换网络 IP。 4、 下一步,你需要允许来自你的网络的客户端和这台服务器同步时间。为了做到这点,添加下面一行到 NTP 配置文件,其中 **restrict** 语句控制允许哪些网络查询和同步时间 - 根据需要替换网络 IP。
restrict 192.168.1.0 netmask 255.255.255.0 nomodify notrap restrict 192.168.1.0 netmask 255.255.255.0 nomodify notrap
nomodify notrap 语句意味着不允许你的客户端配置服务器或者作为同步时间的节点。 nomodify notrap 语句意味着不允许你的客户端配置服务器或者作为同步时间的节点。
5. 如果你需要额外的信息用于错误处理,以防你的 NTP 守护进程出现问题,添加一个 logfile 语句,用于记录所有 NTP 服务器问题到一个指定的日志文件。 5、 如果你需要用于错误处理的额外信息,以防你的 NTP 守护进程出现问题,添加一个 logfile 语句,用于记录所有 NTP 服务器问题到一个指定的日志文件。
logfile /var/log/ntp.log logfile /var/log/ntp.log
![在 CentOS 中启用 NTP 日志](http://www.tecmint.com/wp-content/uploads/2014/09/Enable-NTP-Log.png) ![在 CentOS 中启用 NTP 日志](http://www.tecmint.com/wp-content/uploads/2014/09/Enable-NTP-Log.png)
启用 NTP 日志 *启用 NTP 日志*
6. 你编辑完所有上面解释的配置并保存关闭 ntp.conf 文件后,你最终的配置看起来像下面的截图。 6、 在你编辑完所有上面解释的配置并保存关闭 ntp.conf 文件后,你最终的配置看起来像下面的截图。
![CentOS 中 NTP 服务器的配置](http://www.tecmint.com/wp-content/uploads/2014/09/NTP-Server-Configuration.png) ![CentOS 中 NTP 服务器的配置](http://www.tecmint.com/wp-content/uploads/2014/09/NTP-Server-Configuration.png)
NTP 服务器配置 *NTP 服务器配置*
### 步骤二:添加防火墙规则并启动 NTP 守护进程 ### ### 步骤二:添加防火墙规则并启动 NTP 守护进程 ###
7. NTP 服务在传输层(第四层)使用 123 号 UDP 端口。它是针对限制可变延迟的影响特别设计的。要在 RHEL/CentOS 7 中开放这个端口,可以对 Firewalld 服务使用下面的命令。 7、 NTP 服务使用 OSI 传输层(第四层)的 123 号 UDP 端口。它是为了避免可变延迟的影响所特别设计的。要在 RHEL/CentOS 7 中开放这个端口,可以对 Firewalld 服务使用下面的命令。
# firewall-cmd --add-service=ntp --permanent # firewall-cmd --add-service=ntp --permanent
# firewall-cmd --reload # firewall-cmd --reload
![在 Firewall 中开放 NTP 端口](http://www.tecmint.com/wp-content/uploads/2014/09/Open-NTP-Port.png) ![在 Firewall 中开放 NTP 端口](http://www.tecmint.com/wp-content/uploads/2014/09/Open-NTP-Port.png)
在 Firewall 中开放 NTP 端口 *在 Firewall 中开放 NTP 端口*
8. 你在防火墙中开放了 123 号端口之后,启动 NTP 服务器并确保系统范围内可用。用下面的命令管理服务。 8 你在防火墙中开放了 123 号端口之后,启动 NTP 服务器并确保系统范围内可用。用下面的命令管理服务。
# systemctl start ntpd # systemctl start ntpd
# systemctl enable ntpd # systemctl enable ntpd
@ -80,34 +81,34 @@ NTP 服务器配置
![启动 NTP 服务](http://www.tecmint.com/wp-content/uploads/2014/09/Start-NTP-Service.png) ![启动 NTP 服务](http://www.tecmint.com/wp-content/uploads/2014/09/Start-NTP-Service.png)
启动 NTP 服务 *启动 NTP 服务*
### 步骤三:验证服务器时间同步 ### ### 步骤三:验证服务器时间同步 ###
9. 启动了 NTP 守护进程后,用几分钟等服务器和它的服务器池列表同步时间,然后运行下面的命令验证 NTP 节点同步状态和你的系统时间。 9 启动了 NTP 守护进程后,用几分钟等服务器和它的服务器池列表同步时间,然后运行下面的命令验证 NTP 节点同步状态和你的系统时间。
# ntpq -p # ntpq -p
# date -R # date -R
![验证 NTP 服务器时间](http://www.tecmint.com/wp-content/uploads/2014/09/Verify-NTP-Time-Sync.png) ![验证 NTP 服务器时间](http://www.tecmint.com/wp-content/uploads/2014/09/Verify-NTP-Time-Sync.png)
验证 NTP 时间同步 *验证 NTP 时间同步*
10. 如果你想查询或者和你选择的服务器池同步,你可以使用 ntpdate 命令,后面跟服务器名或服务器地址,类似下面建议的命令行例。 10 如果你想查询或者和你选择的服务器池同步,你可以使用 ntpdate 命令,后面跟服务器名或服务器地址,类似下面建议的命令行例。
# ntpdate -q 0.ro.pool.ntp.org 1.ro.pool.ntp.org # ntpdate -q 0.ro.pool.ntp.org 1.ro.pool.ntp.org
![同步 NTP 同步](http://www.tecmint.com/wp-content/uploads/2014/09/Synchronize-NTP-Time.png) ![同步 NTP 同步](http://www.tecmint.com/wp-content/uploads/2014/09/Synchronize-NTP-Time.png)
同步 NTP 时间 *同步 NTP 时间*
### 步骤四:设置 Windows NTP 客户端 ### ### 步骤四:设置 Windows NTP 客户端 ###
11. 如果你的 windows 机器不是域名控制器的一部分,你可以配置 Windows 和你的 NTP服务器同步时间。在任务栏右边 -> 时间 -> 更改日期和时间设置 -> 网络时间标签 -> 更改设置 -> 和一个网络时间服务器检查同步 -> 在 Server 空格输入服务器 IP 或 FQDN -> 马上更新 -> OK。 11 如果你的 windows 机器不是域名控制器的一部分,你可以配置 Windows 和你的 NTP服务器同步时间。在任务栏右边 -> 时间 -> 更改日期和时间设置 -> 网络时间标签 -> 更改设置 -> 和一个网络时间服务器检查同步 -> 在 Server 空格输入服务器 IP 或 FQDN -> 马上更新 -> OK。
![和 NTP 同步 Windows 时间](http://www.tecmint.com/wp-content/uploads/2014/09/Synchronize-Windows-Time-with-NTP.png) ![和 NTP 同步 Windows 时间](http://www.tecmint.com/wp-content/uploads/2014/09/Synchronize-Windows-Time-with-NTP.png)
和 NTP 同步 Windows 时间 *和 NTP 同步 Windows 时间*
就是这些。在你的网络中配置一个本地 NTP 服务器能确保你所有的服务器和客户端有相同的时间设置,以防出现网络连接失败,并且它们彼此都相互同步。 就是这些。在你的网络中配置一个本地 NTP 服务器能确保你所有的服务器和客户端有相同的时间设置,以防出现网络连接失败,并且它们彼此都相互同步。
@ -117,7 +118,7 @@ via: http://www.tecmint.com/install-ntp-server-in-centos/
作者:[Matei Cezar][a] 作者:[Matei Cezar][a]
译者:[ictlyh](http://motouxiaogui.cn/blog) 译者:[ictlyh](http://motouxiaogui.cn/blog)
校对:[校对者ID](https://github.com/校对者ID) 校对:[wxy](https://github.com/wxy)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出 本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出

View File

@ -1,11 +1,13 @@
RHCE 系列: 使用网络安全服务NSS为 Apache 通过 TLS 实现 HTTPS RHCE 系列(八) Apache 上使用网络安全服务NSS实现 HTTPS
================================================================================ ================================================================================
如果你是一个负责维护和确保 web 服务器安全的系统管理员,你不能不花费最大的精力确保服务器中处理和通过的数据任何时候都受到保护。
如果你是一个负责维护和确保 web 服务器安全的系统管理员,你需要花费最大的精力确保服务器中处理和通过的数据任何时候都受到保护。
![使用 SSL/TLS 设置 Apache HTTPS](http://www.tecmint.com/wp-content/uploads/2015/09/Setup-Apache-SSL-TLS-Server.png) ![使用 SSL/TLS 设置 Apache HTTPS](http://www.tecmint.com/wp-content/uploads/2015/09/Setup-Apache-SSL-TLS-Server.png)
RHCE 系列:第八部分 - 使用网络安全服务NSS为 Apache 通过 TLS 实现 HTTPS *RHCE 系列:第八部分 - 使用网络安全服务NSS为 Apache 通过 TLS 实现 HTTPS*
为了在客户端和服务器之间提供更安全的连接,作为 HTTP 和 SSL安全套接层或者最近称为 TLS传输层安全的组合产生了 HTTPS 协议。 为了在客户端和服务器之间提供更安全的连接,作为 HTTP 和 SSLSecure Sockets Layer安全套接层)或者最近称为 TLSTransport Layer Security传输层安全)的组合,产生了 HTTPS 协议。
由于一些严重的安全漏洞SSL 已经被更健壮的 TLS 替代。由于这个原因,在这篇文章中我们会解析如何通过 TLS 实现你 web 服务器和客户端之间的安全连接。 由于一些严重的安全漏洞SSL 已经被更健壮的 TLS 替代。由于这个原因,在这篇文章中我们会解析如何通过 TLS 实现你 web 服务器和客户端之间的安全连接。
@ -22,11 +24,11 @@ RHCE 系列:第八部分 - 使用网络安全服务NSS为 Apache 通过
# firewall-cmd --permanent -add-service=http # firewall-cmd --permanent -add-service=http
# firewall-cmd --permanent -add-service=https # firewall-cmd --permanent -add-service=https
然后安装一些必软件包: 然后安装一些必需的软件包:
# yum update && yum install openssl mod_nss crypto-utils # yum update && yum install openssl mod_nss crypto-utils
**重要**:请注意如果你想使用 OpenSSL 库而不是 NSS网络安全服务实现 TLS你可以在上面的命令中用 mod\_ssl 替换 mod\_nss使用哪一个取决于你但在这篇文章中由于更加健壮我们会使用 NSS例如,它支持最新的加密标准,比如 PKCS #11)。 **重要**:请注意如果你想使用 OpenSSL 库而不是 NSSNetwork Security Service网络安全服务)实现 TLS你可以在上面的命令中用 mod\_ssl 替换 mod\_nss使用哪一个取决于你但在这篇文章中我们会使用 NSS因为它更加安全比如说,它支持最新的加密标准,比如 PKCS #11)。
如果你使用 mod\_nss首先要卸载 mod\_ssl反之如此。 如果你使用 mod\_nss首先要卸载 mod\_ssl反之如此。
@ -54,15 +56,15 @@ nss.conf 配置文件
下一步,在 `/etc/httpd/conf.d/nss.conf` 配置文件中做以下更改: 下一步,在 `/etc/httpd/conf.d/nss.conf` 配置文件中做以下更改:
1. 指定 NSS 数据库目录。你可以使用默认的目录或者新建一个。本文中我们使用默认的: 1 指定 NSS 数据库目录。你可以使用默认的目录或者新建一个。本文中我们使用默认的:
NSSCertificateDatabase /etc/httpd/alias NSSCertificateDatabase /etc/httpd/alias
2. 通过保存密码到数据库目录中的 /etc/httpd/nss-db-password.conf 文件避免每次系统启动时要手动输入密码: 2、 通过保存密码到数据库目录中的 `/etc/httpd/nss-db-password.conf` 文件来避免每次系统启动时要手动输入密码:
NSSPassPhraseDialog file:/etc/httpd/nss-db-password.conf NSSPassPhraseDialog file:/etc/httpd/nss-db-password.conf
其中 /etc/httpd/nss-db-password.conf 只包含以下一行,其中 mypassword 是后面你为 NSS 数据库设置的密码: 其中 `/etc/httpd/nss-db-password.conf` 只包含以下一行,其中 mypassword 是后面你为 NSS 数据库设置的密码:
internal:mypassword internal:mypassword
@ -71,27 +73,27 @@ nss.conf 配置文件
# chmod 640 /etc/httpd/nss-db-password.conf # chmod 640 /etc/httpd/nss-db-password.conf
# chgrp apache /etc/httpd/nss-db-password.conf # chgrp apache /etc/httpd/nss-db-password.conf
3. 由于 POODLE SSLv3 漏洞,红帽建议停用 SSL 和 TLSv1.0 之前所有版本的 TLS更多信息可以查看[这里][2])。 3 由于 POODLE SSLv3 漏洞,红帽建议停用 SSL 和 TLSv1.0 之前所有版本的 TLS更多信息可以查看[这里][2])。
确保 NSSProtocol 指令的每个实例都类似下面一样(如果你没有托管其它虚拟主机,很可能只有一条): 确保 NSSProtocol 指令的每个实例都类似下面一样(如果你没有托管其它虚拟主机,很可能只有一条):
NSSProtocol TLSv1.0,TLSv1.1 NSSProtocol TLSv1.0,TLSv1.1
4. 由于这是一个自签名证书Apache 会拒绝重启,并不会识别为有效发行人。由于这个原因,对于这种特殊情况我们还需要添加: 4 由于这是一个自签名证书Apache 会拒绝重启,并不会识别为有效发行人。由于这个原因,对于这种特殊情况我们还需要添加:
NSSEnforceValidCerts off NSSEnforceValidCerts off
5. 虽然并不是严格要求,为 NSS 数据库设置一个密码同样很重要: 5 虽然并不是严格要求,为 NSS 数据库设置一个密码同样很重要:
# certutil -W -d /etc/httpd/alias # certutil -W -d /etc/httpd/alias
![为 NSS 数据库设置密码](http://www.tecmint.com/wp-content/uploads/2015/09/Set-Password-for-NSS-Database.png) ![为 NSS 数据库设置密码](http://www.tecmint.com/wp-content/uploads/2015/09/Set-Password-for-NSS-Database.png)
为 NSS 数据库设置密码 *为 NSS 数据库设置密码*
### 创建一个 Apache SSL 自签名证书 ### ### 创建一个 Apache SSL 自签名证书 ###
下一步,我们会创建一个自签名证书为我们的客户机识别服务器(请注意这个方法对于生产环境并不是最好的选择;对于生产环境你应该考虑购买第三方可信证书机构验证的证书,例如 DigiCert 下一步,我们会创建一个自签名证书来让我们的客户机可以识别服务器(请注意这个方法对于生产环境并不是最好的选择;对于生产环境你应该考虑购买第三方可信证书机构验证的证书,例如 DigiCert
我们用 genkey 命令为 box1 创建有效期为 365 天的 NSS 兼容证书。完成这一步后: 我们用 genkey 命令为 box1 创建有效期为 365 天的 NSS 兼容证书。完成这一步后:
@ -101,19 +103,19 @@ nss.conf 配置文件
![创建 Apache SSL 密钥](http://www.tecmint.com/wp-content/uploads/2015/09/Create-Apache-SSL-Key.png) ![创建 Apache SSL 密钥](http://www.tecmint.com/wp-content/uploads/2015/09/Create-Apache-SSL-Key.png)
创建 Apache SSL 密钥 *创建 Apache SSL 密钥*
你可以使用默认的密钥大小2048然后再次选择 Next 你可以使用默认的密钥大小2048然后再次选择 Next
![选择 Apache SSL 密钥大小](http://www.tecmint.com/wp-content/uploads/2015/09/Select-Apache-SSL-Key-Size.png) ![选择 Apache SSL 密钥大小](http://www.tecmint.com/wp-content/uploads/2015/09/Select-Apache-SSL-Key-Size.png)
选择 Apache SSL 密钥大小 *选择 Apache SSL 密钥大小*
等待系统生成随机比特: 等待系统生成随机比特:
![生成随机密钥比特](http://www.tecmint.com/wp-content/uploads/2015/09/Generating-Random-Bits.png) ![生成随机密钥比特](http://www.tecmint.com/wp-content/uploads/2015/09/Generating-Random-Bits.png)
生成随机密钥比特 *生成随机密钥比特*
为了加快速度,会提示你在控制台输入随机字符,正如下面的截图所示。请注意当没有从键盘接收到输入时进度条是如何停止的。然后,会让你选择: 为了加快速度,会提示你在控制台输入随机字符,正如下面的截图所示。请注意当没有从键盘接收到输入时进度条是如何停止的。然后,会让你选择:
@ -124,35 +126,35 @@ nss.conf 配置文件
youtube 视频 youtube 视频
<iframe width="720" height="405" frameborder="0" src="//www.youtube.com/embed/mgsfeNfuurA" allowfullscreen="allowfullscreen"></iframe> <iframe width="720" height="405" frameborder="0" src="//www.youtube.com/embed/mgsfeNfuurA" allowfullscreen="allowfullscreen"></iframe>
最后,会提示你输入之前设置的密码到 NSS 证书 最后,会提示你输入之前给 NSS 证书设置的密码
# genkey --nss --days 365 box1 # genkey --nss --days 365 box1
![Apache NSS 证书密码](http://www.tecmint.com/wp-content/uploads/2015/09/Apache-NSS-Password.png) ![Apache NSS 证书密码](http://www.tecmint.com/wp-content/uploads/2015/09/Apache-NSS-Password.png)
Apache NSS 证书密码 *Apache NSS 证书密码*
在任何时候你都可以用以下命令列出现有的证书: 需要的话,你可以用以下命令列出现有的证书:
# certutil L d /etc/httpd/alias # certutil L d /etc/httpd/alias
![列出 Apache NSS 证书](http://www.tecmint.com/wp-content/uploads/2015/09/List-Apache-Certificates.png) ![列出 Apache NSS 证书](http://www.tecmint.com/wp-content/uploads/2015/09/List-Apache-Certificates.png)
列出 Apache NSS 证书 *列出 Apache NSS 证书*
然后通过名字删除(除非严格要求,用你自己的证书名称替换 box1 然后通过名字删除(如果你真的需要删除的,用你自己的证书名称替换 box1
# certutil -d /etc/httpd/alias -D -n "box1" # certutil -d /etc/httpd/alias -D -n "box1"
如果你需要继续的话: 如果你需要继续进行的话,请继续阅读。
### 测试 Apache SSL HTTPS 连接 ### ### 测试 Apache SSL HTTPS 连接 ###
最后,是时候测试到我们服务器的安全连接了。当你用浏览器打开 https://<web 服务器 IP 或主机名\>你会看到著名的信息 This connection is untrusted”: 最后,是时候测试到我们服务器的安全连接了。当你用浏览器打开 https://\<web 服务器 IP 或主机名\>,你会看到著名的信息 “This connection is untrusted”
![检查 Apache SSL 连接](http://www.tecmint.com/wp-content/uploads/2015/09/Check-Apache-SSL-Connection.png) ![检查 Apache SSL 连接](http://www.tecmint.com/wp-content/uploads/2015/09/Check-Apache-SSL-Connection.png)
检查 Apache SSL 连接 *检查 Apache SSL 连接*
在上面的情况中你可以点击添加例外Add Exception 然后确认安全例外Confirm Security Exception - 但先不要这么做。让我们首先来看看证书看它的信息是否和我们之前输入的相符(如截图所示)。 在上面的情况中你可以点击添加例外Add Exception 然后确认安全例外Confirm Security Exception - 但先不要这么做。让我们首先来看看证书看它的信息是否和我们之前输入的相符(如截图所示)。
@ -160,37 +162,37 @@ Apache NSS 证书密码
![确认 Apache SSL 证书详情](http://www.tecmint.com/wp-content/uploads/2015/09/Check-Apache-SSL-Certificate-Details.png) ![确认 Apache SSL 证书详情](http://www.tecmint.com/wp-content/uploads/2015/09/Check-Apache-SSL-Certificate-Details.png)
确认 Apache SSL 证书详情 *确认 Apache SSL 证书详情*
现在你继续,确认例外(限于此次或永久),然后会通过 https 把你带到你 web 服务器的 DocumentRoot 目录,在这里你可以使用你浏览器自带的开发者工具检查连接详情: 现在你可以继续,确认例外(限于此次或永久),然后会通过 https 把你带到你 web 服务器的 DocumentRoot 目录,在这里你可以使用你浏览器自带的开发者工具检查连接详情:
在火狐浏览器中你可以通过在屏幕中右击然后从上下文菜单中选择检查元素Inspect Element启动,尤其是通过网络选项卡: 在火狐浏览器中,你可以通过在屏幕中右击然后从上下文菜单中选择检查元素Inspect Element启动开发者工具,尤其要看“网络”选项卡:
![检查 Apache HTTPS 连接](http://www.tecmint.com/wp-content/uploads/2015/09/Inspect-Apache-HTTPS-Connection.png) ![检查 Apache HTTPS 连接](http://www.tecmint.com/wp-content/uploads/2015/09/Inspect-Apache-HTTPS-Connection.png)
检查 Apache HTTPS 连接 *检查 Apache HTTPS 连接*
请注意这和之前显示的在验证过程中输入的信息一致。还有一种方式通过使用命令行工具测试连接: 请注意这和之前显示的在验证过程中输入的信息一致。还有一种方式通过使用命令行工具测试连接:
(测试 SSLv3 (测试 SSLv3
# openssl s_client -connect localhost:443 -ssl3 # openssl s_client -connect localhost:443 -ssl3
(测试 TLS (测试 TLS
# openssl s_client -connect localhost:443 -tls1 # openssl s_client -connect localhost:443 -tls1
![测试 Apache SSL 和 TLS 连接](http://www.tecmint.com/wp-content/uploads/2015/09/Testing-Apache-SSL-and-TLS.png) ![测试 Apache SSL 和 TLS 连接](http://www.tecmint.com/wp-content/uploads/2015/09/Testing-Apache-SSL-and-TLS.png)
测试 Apache SSL 和 TLS 连接 *测试 Apache SSL 和 TLS 连接*
参考上面的截图了解更相信信息。 参考上面的截图了解更详细信息。
### 总结 ### ### 总结 ###
确信你已经知道,使用 HTTPS 会增加会在你站点中输入个人信息的访客的信任(从用户名和密码到任何商业/银行账户信息)。 你已经知道,使用 HTTPS 会增加会在你站点中输入个人信息的访客的信任(从用户名和密码到任何商业/银行账户信息)。
在那种情况下,你会希望获得由可信验证机构签名的证书,正如我们之前解释的(启用的步骤和发送 CSR 到 CA 然后获得签名证书的例子相同);另外的情况,就是像我们的例子中一样使用自签名证书 在那种情况下,你会希望获得由可信验证机构签名的证书,正如我们之前解释的(步骤和设置需要启用例外的证书的步骤相同,发送 CSR 到 CA 然后获得返回的签名证书);否则,就像我们的例子中一样使用自签名证书即可
要获取更多关于使用 NSS 的详情,可以参考关于 [mod-nss][3] 的在线帮助。如果你有任何疑问或评论,请告诉我们。 要获取更多关于使用 NSS 的详情,可以参考关于 [mod-nss][3] 的在线帮助。如果你有任何疑问或评论,请告诉我们。
@ -200,11 +202,11 @@ via: http://www.tecmint.com/create-apache-https-self-signed-certificate-using-ns
作者:[Gabriel Cánepa][a] 作者:[Gabriel Cánepa][a]
译者:[ictlyh](http://www.mutouxiaogui.cn/blog/) 译者:[ictlyh](http://www.mutouxiaogui.cn/blog/)
校对:[校对者ID](https://github.com/校对者ID) 校对:[wxy](https://github.com/wxy)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出 本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
[a]:http://www.tecmint.com/install-lamp-in-centos-7/ [a]:http://www.tecmint.com/author/gacanepa/
[1]:http://www.tecmint.com/author/gacanepa/ [1]:https://linux.cn/article-5789-1.html
[2]:https://access.redhat.com/articles/1232123 [2]:https://access.redhat.com/articles/1232123
[3]:https://git.fedorahosted.org/cgit/mod_nss.git/plain/docs/mod_nss.html [3]:https://git.fedorahosted.org/cgit/mod_nss.git/plain/docs/mod_nss.html

View File

@ -1,25 +1,25 @@
第九部分 - 如果使用零客户端配置 Postfix 邮件服务器SMTP RHCE 系列(九):如何使用无客户端配置 Postfix 邮件服务器SMTP
================================================================================ ================================================================================
尽管现在有很多在线联系方式,邮件仍然是一个人传递信息给远在世界尽头或办公室里坐在我们旁边的另一个人的有效方式。 尽管现在有很多在线联系方式,电子邮件仍然是一个人传递信息给远在世界尽头或办公室里坐在我们旁边的另一个人的有效方式。
下面的图描述了邮件从发送者发出直到信息到达接收者收件箱的传递过程。 下面的图描述了电子邮件从发送者发出直到信息到达接收者收件箱的传递过程。
![邮件如何工作](http://www.tecmint.com/wp-content/uploads/2015/09/How-Mail-Setup-Works.png) ![电子邮件如何工作](http://www.tecmint.com/wp-content/uploads/2015/09/How-Mail-Setup-Works.png)
邮件如何工作 *电子邮件如何工作*
使这成为可能,背后发生了好多事情。为了使邮件信息从一个客户端应用程序(例如 [Thunderbird][1]、Outlook或者网络邮件服务例如 Gmail 或 Yahoo 邮件)到一个邮件服务器,并从其到目标服务器并最终到目标接收人,每个服务器上都必须有 SMTP简单邮件传输协议服务。 实现这一切,背后发生了好多事情。为了使电子邮件信息从一个客户端应用程序(例如 [Thunderbird][1]、Outlook或者 web 邮件服务,例如 Gmail 或 Yahoo 邮件)投递到一个邮件服务器,并从其投递到目标服务器并最终到目标接收人,每个服务器上都必须有 SMTP简单邮件传输协议服务。
这就是为什么我们要在这篇博文中介绍如何在 RHEL 7 中设置 SMTP 服务器,从本地用户发送的邮件(甚至发送到本地用户)被转发到一个中央邮件服务器以便于访问。 这就是为什么我们要在这篇博文中介绍如何在 RHEL 7 中设置 SMTP 服务器,从本地用户发送的邮件(甚至发送到另外一个本地用户)被转发forward到一个中央邮件服务器以便于访问。
实际需求中这称为零客户端安装。 这个考试的要求中这称为无客户端null-client安装。
在我们的测试环境中将包括一个原始邮件服务器和一个中央服务器或中继主机。 在我们的测试环境中将包括一个起源originating邮件服务器和一个中央服务器或中继主机relayhost
原始邮件服务器: (主机名: box1.mydomain.com / IP: 192.168.0.18 - 起源邮件服务器: (主机名: box1.mydomain.com / IP: 192.168.0.18
中央邮件服务器: (主机名: mail.mydomain.com / IP: 192.168.0.20 - 中央邮件服务器: (主机名: mail.mydomain.com / IP: 192.168.0.20
为了域名解析我们在两台机器中都会使用有名的 /etc/hosts 文件 我们在两台机器中都会使用你熟知的 `/etc/hosts` 文件做名字解析
192.168.0.18 box1.mydomain.com box1 192.168.0.18 box1.mydomain.com box1
192.168.0.20 mail.mydomain.com mail 192.168.0.20 mail.mydomain.com mail
@ -28,34 +28,29 @@
首先,我们需要(在两台机器上): 首先,我们需要(在两台机器上):
**1. 安装 Postfix** **1 安装 Postfix**
# yum update && yum install postfix # yum update && yum install postfix
**2. 启动服务并启用开机自动启动:** **2 启动服务并启用开机自动启动:**
# systemctl start postfix # systemctl start postfix
# systemctl enable postfix # systemctl enable postfix
**3. 允许邮件流量通过防火墙:** **3 允许邮件流量通过防火墙:**
# firewall-cmd --permanent --add-service=smtp # firewall-cmd --permanent --add-service=smtp
# firewall-cmd --add-service=smtp # firewall-cmd --add-service=smtp
![在防火墙中开通邮件服务器端口](http://www.tecmint.com/wp-content/uploads/2015/09/Allow-Traffic-through-Firewall.png) ![在防火墙中开通邮件服务器端口](http://www.tecmint.com/wp-content/uploads/2015/09/Allow-Traffic-through-Firewall.png)
在防火墙中开通邮件服务器端口 *在防火墙中开通邮件服务器端口*
**4. 在 box1.mydomain.com 配置 Postfix** **4 在 box1.mydomain.com 配置 Postfix**
Postfix 的主要配置文件是 /etc/postfix/main.cf。这个文件本身是一个很大的文本因为其中包含的注释解析了程序设置的目的 Postfix 的主要配置文件是 `/etc/postfix/main.cf`。这个文件本身是一个很大的文本文件,因为其中包含了解释程序设置的用途的注释
为了简洁,我们只显示了需要编辑的行(是的,在原始服务器中你需要保留 mydestination 为空;否则邮件会被保存到本地而不是我们实际想要的中央邮件服务器): 为了简洁,我们只显示了需要编辑的行(没错,在起源服务器中你需要保留 `mydestination` 为空;否则邮件会被存储到本地,而不是我们实际想要发往的中央邮件服务器):
**在 box1.mydomain.com 配置 Postfix**
----------
myhostname = box1.mydomain.com myhostname = box1.mydomain.com
mydomain = mydomain.com mydomain = mydomain.com
@ -64,11 +59,7 @@ Postfix 的主要配置文件是 /etc/postfix/main.cf。这个文件本身是一
mydestination = mydestination =
relayhost = 192.168.0.20 relayhost = 192.168.0.20
**5. 在 mail.mydomain.com 配置 Postfix** **5、 在 mail.mydomain.com 配置 Postfix**
** 在 mail.mydomain.com 配置 Postfix **
----------
myhostname = mail.mydomain.com myhostname = mail.mydomain.com
mydomain = mydomain.com mydomain = mydomain.com
@ -83,23 +74,23 @@ Postfix 的主要配置文件是 /etc/postfix/main.cf。这个文件本身是一
![设置 Postfix SELinux 权限](http://www.tecmint.com/wp-content/uploads/2015/09/Set-Postfix-SELinux-Permission.png) ![设置 Postfix SELinux 权限](http://www.tecmint.com/wp-content/uploads/2015/09/Set-Postfix-SELinux-Permission.png)
设置 Postfix SELinux 权限 *设置 Postfix SELinux 权限*
上面的 SELinux 布尔值会允许 Postfix 在中央服务器写入邮件池 上面的 SELinux 布尔值会允许中央服务器上的 Postfix 可以写入邮件池mail spool
**6. 在两台机子上重启服务以使更改生效:** **6 在两台机子上重启服务以使更改生效:**
# systemctl restart postfix # systemctl restart postfix
如果 Postfix 没有正确启动,你可以使用下面的命令进行错误处理。 如果 Postfix 没有正确启动,你可以使用下面的命令进行错误处理。
# systemctl l status postfix # systemctl -l status postfix
# journalctl xn # journalctl -xn
# postconf n # postconf -n
### 测试 Postfix 邮件服务 ### ### 测试 Postfix 邮件服务 ###
为了测试邮件服务器,你可以使用任何邮件用户代理(最常见的简称为 MUA例如 [mail 或 mutt][2]。 要测试邮件服务器你可以使用任何邮件用户代理Mail User Agent常简称为 MUA例如 [mail 或 mutt][2]。
由于我个人喜欢 mutt我会在 box1 中使用它发送邮件给用户 tecmint并把现有文件mailbody.txt作为信息内容 由于我个人喜欢 mutt我会在 box1 中使用它发送邮件给用户 tecmint并把现有文件mailbody.txt作为信息内容
@ -107,7 +98,7 @@ Postfix 的主要配置文件是 /etc/postfix/main.cf。这个文件本身是一
![测试 Postfix 邮件服务器](http://www.tecmint.com/wp-content/uploads/2015/09/Test-Postfix-Mail-Server.png) ![测试 Postfix 邮件服务器](http://www.tecmint.com/wp-content/uploads/2015/09/Test-Postfix-Mail-Server.png)
测试 Postfix 邮件服务器 *测试 Postfix 邮件服务器*
现在到中央邮件服务器mail.mydomain.com以 tecmint 用户登录,并检查是否收到了邮件: 现在到中央邮件服务器mail.mydomain.com以 tecmint 用户登录,并检查是否收到了邮件:
@ -116,15 +107,15 @@ Postfix 的主要配置文件是 /etc/postfix/main.cf。这个文件本身是一
![检查 Postfix 邮件服务器发送](http://www.tecmint.com/wp-content/uploads/2015/09/Check-Postfix-Mail-Server-Delivery.png) ![检查 Postfix 邮件服务器发送](http://www.tecmint.com/wp-content/uploads/2015/09/Check-Postfix-Mail-Server-Delivery.png)
检查 Postfix 邮件服务器发送 *检查 Postfix 邮件服务器发送*
如果没有收到邮件,检查 root 用户的邮件池查看警告或者错误提示。你也需要使用 [nmap 命令][3]确保两台服务器运行了 SMTP 服务,并在中央邮件服务器中 打开了 25 号端口: 如果没有收到邮件,检查 root 用户的邮件池看看是否有警告或者错误提示。你也许需要使用 [nmap 命令][3]确保两台服务器运行了 SMTP 服务,并在中央邮件服务器中打开了 25 号端口:
# nmap -PN 192.168.0.20 # nmap -PN 192.168.0.20
![Postfix 邮件服务器错误处理](http://www.tecmint.com/wp-content/uploads/2015/09/Troubleshoot-Postfix-Mail-Server.png) ![Postfix 邮件服务器错误处理](http://www.tecmint.com/wp-content/uploads/2015/09/Troubleshoot-Postfix-Mail-Server.png)
Postfix 邮件服务器错误处理 *Postfix 邮件服务器错误处理*
### 总结 ### ### 总结 ###
@ -134,7 +125,7 @@ Postfix 邮件服务器错误处理
- [在 CentOS/RHEL 07 上配置仅缓存的 DNS 服务器][4] - [在 CentOS/RHEL 07 上配置仅缓存的 DNS 服务器][4]
最后,我强烈建议你熟悉 Postfix 的配置文件main.cf和这个程序的帮助手册。如果有任何疑问别犹豫使用下面的评论框或者我们的论坛 Linuxsay.com 告诉我们吧,你会从世界各地的 Linux 高手中获得几乎及时的帮助。 最后,我强烈建议你熟悉 Postfix 的配置文件main.cf和这个程序的帮助手册。如果有任何疑问别犹豫使用下面的评论框或者我们的论坛 Linuxsay.com 告诉我们吧,你会从世界各地的 Linux 高手中获得几乎及时的帮助。
-------------------------------------------------------------------------------- --------------------------------------------------------------------------------
@ -142,7 +133,7 @@ via: http://www.tecmint.com/setup-postfix-mail-server-smtp-using-null-client-on-
作者:[Gabriel Cánepa][a] 作者:[Gabriel Cánepa][a]
译者:[ictlyh](https//www.mutouxiaogui.cn/blog/) 译者:[ictlyh](https//www.mutouxiaogui.cn/blog/)
校对:[校对者ID](https://github.com/校对者ID) 校对:[wxy](https://github.com/wxy)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出 本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出

View File

@ -0,0 +1,44 @@
Let's Encrypt:Entering Public Beta
================================================================================
Were happy to announce that Lets Encrypt has entered Public Beta. Invitations are no longer needed in order to get free
certificates from Lets Encrypt.
Its time for the Web to take a big step forward in terms of security and privacy. We want to see HTTPS become the default.
Lets Encrypt was built to enable that by making it as easy as possible to get and manage certificates.
Wed like to thank everyone who participated in the Limited Beta. Lets Encrypt issued over 26,000 certificates during the
Limited Beta period. This allowed us to gain valuable insight into how our systems perform, and to be confident about moving
to Public Beta.
Wed also like to thank all of our [sponsors][1] for their support. Were happy to have announced earlier today that
[Facebook is our newest Gold sponsor][2]/
We have more work to do before were comfortable dropping the beta label entirely, particularly on the client experience.
Automation is a cornerstone of our strategy, and we need to make sure that the client works smoothly and reliably on a
wide range of platforms. Well be monitoring feedback from users closely, and making improvements as quickly as possible.
Instructions for getting a certificate with the [Lets Encrypt client][3] can be found [here][4].
[Lets Encrypt Community Support][5] is an invaluable resource for our community, we strongly recommend making use of the
site if you have any questions about Lets Encrypt.
Lets Encrypt depends on support from a wide variety of individuals and organizations. Please consider [getting involved][6]
, and if your company or organization would like to sponsor Lets Encrypt please email us at [sponsor@letsencrypt.org][7].
--------------------------------------------------------------------------------
via: https://letsencrypt.org/2015/12/03/entering-public-beta.html
作者:[Josh Aas][a]
译者:[译者ID](https://github.com/译者ID)
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
[a]:https://letsencrypt.org/2015/12/03/entering-public-beta.html
[1]:https://letsencrypt.org/sponsors/
[2]:https://letsencrypt.org/2015/12/03/facebook-sponsorship.html
[3]:https://github.com/letsencrypt/letsencrypt
[4]:https://letsencrypt.readthedocs.org/en/latest/
[5]:https://community.letsencrypt.org/
[6]:https://letsencrypt.org/getinvolved/
[7]:mailto:sponsor@letsencrypt.org

View File

@ -0,0 +1,65 @@
Review EXT4 vs. Btrfs vs. XFS
================================================================================
![](http://1426826955.rsc.cdn77.org/wp-content/uploads/2015/09/1385698302_funny_linux_wallpapers-593x445.jpg)
To be honest, one of the things that comes last in peoples thinking is to look at which file system on their PC is being used. Windows users as well as Mac OS X users even have less reason for looking as they have really only 1 choice for their operating system which are NTFS and HFS+. Linux operating system, on the other side, has plenty of various file system options, with the current default is being widely used ext4. However, there is another push for changing the file system to something other which is called btrfs. But what makes btrfs better, what are other file systems, and when can we see the distributions making the change?
Lets first have a general look at file systems and what they really do, then we will make a small comparison between famous file systems.
### So, What Do File Systems Do? ###
Just in case if you are unfamiliar about what file systems really do, it is actually simple when it is summarized. The file systems are mainly used in order for controlling how the data is stored after any program is no longer using it, how access to the data is controlled, what other information (metadata) is attached to the data itself, etc. I know that it does not sound like an easy thing to be programmed, and it is definitely not. The file systems are continually still being revised for including more functionality while becoming more efficient in what it simply needs to do. Therefore, however, it is a basic need for all computers, it is not quite as basic as it sounds like.
### Why Partitioning? ###
Many people have a vague knowledge of what the partitions are since each operating system has an ability for creating or removing them. It can seem strange that Linux operating system uses more than 1 partition on the same disk, even while using the standard installation procedure, so few explanations are called for them. One of the main goals of having different partitions is achieving higher data security in the disaster case.
By dividing your hard disk into partitions, the data may be grouped and also separated. When the accidents occur, only the data stored in the partition which got the hit will only be damaged, while data on the other partitions will survive most likely. These principles date from the days when the Linux operating system didnt have a journaled file system and any power failure might have led to a disaster.
The using of partitions will remain for security and the robustness reasons, then the breach on 1 part of the operating system does not automatically mean that whole computer is under risk or danger. This is currently most important factor for the partitioning process. For example, the users create scripts, the programs or web applications which start filling up the disk. If that disk contains only 1 big partition, then entire system may stop functioning if that disk is full. If the users store data on separate partitions, then only that data partition can be affected, while system partitions and the possible other data partitions will keep functioning.
Mind that to have a journaled file system will only provide data security in case if there is a power failure as well as sudden disconnection of the storage devices. Such will not protect the data against the bad blocks and the logical errors in the file system. In such cases, the user should use a Redundant Array of Inexpensive Disks (RAID) solution.
### Why Switch File Systems? ###
The ext4 file system has been an improvement for the ext3 file system that was also an improvement over the ext2 file system. While the ext4 is a very solid file system which has been the default choice for almost all distributions for the past few years, it is made from an aging code base. Additionally, Linux operating system users are seeking many new different features in file systems which ext4 does not handle on its own. There is software which takes care of some of such needs, but in the performance aspect, being able to do such things on the file system level could be faster.
### Ext4 File System ###
The ext4 has some limits which are still a bit impressive. The maximum file size is 16 tebibytes (which is roughly 17.6 terabytes) and is much bigger than any hard drive a regular consumer can currently buy. While, the largest volume/partition you can make with ext4 is 1 exbibyte (which is roughly 1,152,921.5 terabytes). The ext4 is known to bring the speed improvements over ext3 by using multiple various techniques. Like in the most modern file systems, it is a journaling file system that means that it will keep a journal of where the files are mainly located on the disk and of any other changes that happen to the disk. Regardless all of its features, it doesnt support the transparent compression, the data deduplication, or the transparent encryption. The snapshots are supported technically, but such feature is experimental at best.
### Btrfs File System ###
The btrfs, many of us pronounce it different ways, as an example, Better FS, Butter FS, or B-Tree FS. It is a file system which is completely made from scratch. The btrfs exists because its developers firstly wanted to expand the file system functionality in order to include snapshots, pooling, as well as checksums among the other things. While it is independent from the ext4, it also wants to build off the ideas present in the ext4 that are great for the consumers and the businesses alike as well as incorporate those additional features that will benefit everybody, but specifically the enterprises. For the enterprises who are using very large programs with very large databases, they are having a seemingly continuous file system across the multiple hard drives could be very beneficial as it will make a consolidation of the data much easier. The data deduplication could reduce the amount of the actual space data could occupy, and the data mirroring could become easier with the btrfs as well when there is a single and broad file system which needs to be mirrored.
The user certainly can still choose to create multiple partitions so that he does not need to mirror everything. Considering that the btrfs will be able for spanning over the multiple hard drives, it is a very good thing that it can support 16 times more drive space than the ext4. A maximum partition size of the btrfs file system is 16 exbibytes, as well as maximum file size is 16 exbibytes too.
### XFS File System ###
The XFS file system is an extension of the extent file system. The XFS is a high-performance 64-bit journaling file system. The support of the XFS was merged into Linux kernel in around 2002 and In 2009 Red Hat Enterprise Linux version 5.4 usage of the XFS file system. XFS supports maximum file system size of 8 exbibytes for the 64-bit file system. There is some comparison of XFS file system is XFS file system cant be shrunk and poor performance with deletions of the large numbers of files. Now, the RHEL 7.0 uses XFS as the default filesystem.
### Final Thoughts ###
Unfortunately, the arrival date for the btrfs is not quite known. But officially, the next-generation file system is still classified as “unstable”, but if the user downloads the latest version of Ubuntu, he will be able to choose to install on a btrfs partition. When the btrfs will be classified actually as “stable” is still a mystery, but users shouldnt expect the Ubuntu to use the btrfs by default until its indeed considered “stable”. It has been reported that Fedora 18 will use the btrfs as its default file system as by the time of its release a file system checker for the btrfs should exist. There is a good amount of work still left for the btrfs, as not all the features are yet implemented and the performance is a little sluggish if we compare it to the ext4.
So, which is better to use? Till now, the ext4 will be the winner despite the identical performance. But why? The answer will be the convenience as well as the ubiquity. The ext4 is still excellent file system for the desktop or workstation use. It is provided by default, so the user can install the operating system on it. Also, the ext4 supports volumes up to 1 Exabyte and files up to 16 Terabyte in size, so theres still a plenty of room for the growth where space is concerned.
The btrfs might offer greater volumes up to 16 Exabyte and improved fault tolerance, but, till now, it feels more as an add-on file system rather than one integrated into the Linux operating system. For example, the btrfs-tools have to be present before a drive will be formatted with the btrfs, which means that the btrfs is not an option during the Linux operating system installation though that could vary with the distribution.
Even though the transfer rates are so important, theres more to a just file system than speed of the file transfers. The btrfs has many useful features such as Copy-on-Write (CoW), extensive checksums, snapshots, scrubbing, self-healing data, deduplication, as well as many more good improvements that ensure the data integrity. The btrfs lacks the RAID-Z features of ZFS, so the RAID is still in an experimental state with the btrfs. For pure data storage, however, the btrfs is the winner over the ext4, but time still will tell.
Till the moment, the ext4 seems to be a better choice on the desktop system since it is presented as a default file system, as well as it is faster than the btrfs when transferring files. The btrfs is definitely worth to look into, but to completely switch to replace the ext4 on desktop Linux might be few years later. The data farms and the large storage pools could reveal different stories and show the right differences between ext4, XCF, and btrfs.
If you have a different or additional opinion, kindly let us know by commenting on this article.
--------------------------------------------------------------------------------
via: http://www.unixmen.com/review-ext4-vs-btrfs-vs-xfs/
作者:[M.el Khamlichi][a]
译者:[译者ID](https://github.com/译者ID)
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
[a]:http://www.unixmen.com/author/pirat9/

View File

@ -1,430 +0,0 @@
Translating by ivowang
Installation Guide for Puppet on Ubuntu 15.04
================================================================================
Hi everyone, today in this article we'll learn how to install puppet to manage your server infrastructure running ubuntu 15.04. Puppet is an open source software configuration management tool which is developed and maintained by Puppet Labs that allows us to automate the provisioning, configuration and management of a server infrastructure. Whether we're managing just a few servers or thousands of physical and virtual machines to orchestration and reporting, puppet automates tasks that system administrators often do manually which frees up time and mental space so sysadmins can work on improving other aspects of your overall setup. It ensures consistency, reliability and stability of the automated jobs processed. It facilitates closer collaboration between sysadmins and developers, enabling more efficient delivery of cleaner, better-designed code. Puppet is available in two solutions configuration management and data center automation. They are **puppet open source and puppet enterprise**. Puppet open source is a flexible, customizable solution available under the Apache 2.0 license, designed to help system administrators automate the many repetitive tasks they regularly perform. Whereas puppet enterprise edition is a proven commercial solution for diverse enterprise IT environments which lets us get all the benefits of open source puppet, plus puppet apps, commercial-only enhancements, supported modules and integrations, and the assurance of a fully supported platform. Puppet uses SSL certificates to authenticate communication between master and agent nodes.
In this tutorial, we will cover how to install open source puppet in an agent and master setup running ubuntu 15.04 linux distribution. Here, Puppet master is a server from where all the configurations will be controlled and managed and all our remaining servers will be puppet agent nodes, which is configured according to the configuration of puppet master server. Here are some easy steps to install and configure puppet to manage our server infrastructure running Ubuntu 15.04.
### 1. Setting up Hosts ###
In this tutorial, we'll use two machines, one as puppet master server and another as puppet node agent both running ubuntu 15.04 "Vivid Vervet" in both the machines. Here is the infrastructure of the server that we're gonna use for this tutorial.
puppet master server with IP 44.55.88.6 and hostname : puppetmaster
puppet node agent with IP 45.55.86.39 and hostname : puppetnode
Now we'll add the entry of the machines to /etc/hosts on both machines node agent and master server.
# nano /etc/hosts
45.55.88.6 puppetmaster.example.com puppetmaster
45.55.86.39 puppetnode.example.com puppetnode
Please note that the Puppet Master server must be reachable on port 8140. So, we'll need to open port 8140 in it.
### 2. Updating Time with NTP ###
As puppet nodes needs to maintain accurate system time to avoid problems when it issues agent certificates. Certificates can appear to be expired if there is time difference, the time of the both the master and the node agent must be synced with each other. To sync the time, we'll update the time with NTP. To do so, here's the command below that we need to run on both master and node agent.
# ntpdate pool.ntp.org
17 Jun 00:17:08 ntpdate[882]: adjust time server 66.175.209.17 offset -0.001938 sec
Now, we'll update our local repository index and install ntp as follows.
# apt-get update && sudo apt-get -y install ntp ; service ntp restart
### 3. Puppet Master Package Installation ###
There are many ways to install open source puppet. In this tutorial, we'll download and install a debian binary package named as **puppetlabs-release** packaged by the Puppet Labs which will add the source of the **puppetmaster-passenger** package. The puppetmaster-passenger includes the puppet master with apache web server. So, we'll now download the Puppet Labs package.
# cd /tmp/
# wget https://apt.puppetlabs.com/puppetlabs-release-trusty.deb
--2015-06-17 00:19:26-- https://apt.puppetlabs.com/puppetlabs-release-trusty.deb
Resolving apt.puppetlabs.com (apt.puppetlabs.com)... 192.155.89.90, 2600:3c03::f03c:91ff:fedb:6b1d
Connecting to apt.puppetlabs.com (apt.puppetlabs.com)|192.155.89.90|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 7384 (7.2K) [application/x-debian-package]
Saving to: puppetlabs-release-trusty.deb
puppetlabs-release-tr 100%[===========================>] 7.21K --.-KB/s in 0.06s
2015-06-17 00:19:26 (130 KB/s) - puppetlabs-release-trusty.deb saved [7384/7384]
After the download has been completed, we'll wanna install the package.
# dpkg -i puppetlabs-release-trusty.deb
Selecting previously unselected package puppetlabs-release.
(Reading database ... 85899 files and directories currently installed.)
Preparing to unpack puppetlabs-release-trusty.deb ...
Unpacking puppetlabs-release (1.0-11) ...
Setting up puppetlabs-release (1.0-11) ...
Then, we'll update the local respository index with the server using apt package manager.
# apt-get update
Then, we'll install the puppetmaster-passenger package by running the below command.
# apt-get install puppetmaster-passenger
**Note**: While installing we may get an error **Warning: Setting templatedir is deprecated. See http://links.puppetlabs.com/env-settings-deprecations (at /usr/lib/ruby/vendor_ruby/puppet/settings.rb:1139:in `issue_deprecation_warning')** but we no need to worry, we'll just simply ignore this as it says that the templatedir is deprecated so, we'll simply disbale that setting in the configuration. :)
To check whether puppetmaster has been installed successfully in our Master server not not, we'll gonna try to check its version.
# puppet --version
3.8.1
We have successfully installed puppet master package in our puppet master box. As we are using passenger with apache, the puppet master process is controlled by apache server, that means it runs when apache is running.
Before continuing, we'll need to stop the Puppet master by stopping the apache2 service.
# systemctl stop apache2
### 4. Master version lock with Apt ###
As We have puppet version as 3.8.1, we need to lock the puppet version update as this will mess up the configurations while updating the puppet. So, we'll use apt's locking feature for that. To do so, we'll need to create a new file **/etc/apt/preferences.d/00-puppet.pref** using our favorite text editor.
# nano /etc/apt/preferences.d/00-puppet.pref
Then, we'll gonna add the entries in the newly created file as:
# /etc/apt/preferences.d/00-puppet.pref
Package: puppet puppet-common puppetmaster-passenger
Pin: version 3.8*
Pin-Priority: 501
Now, it will not update the puppet while running updates in the system.
### 5. Configuring Puppet Config ###
Puppet master acts as a certificate authority and must generate its own certificates which is used to sign agent certificate requests. First of all, we'll need to remove any existing SSL certificates that were created during the installation of package. The default location of puppet's SSL certificates is /var/lib/puppet/ssl. So, we'll remove the entire ssl directory using rm command.
# rm -rf /var/lib/puppet/ssl
Then, we'll configure the certificate. While creating the puppet master's certificate, we need to include every DNS name at which agent nodes can contact the master at. So, we'll edit the master's puppet.conf using our favorite text editor.
# nano /etc/puppet/puppet.conf
The output seems as shown below.
[main]
logdir=/var/log/puppet
vardir=/var/lib/puppet
ssldir=/var/lib/puppet/ssl
rundir=/var/run/puppet
factpath=$vardir/lib/facter
templatedir=$confdir/templates
[master]
# These are needed when the puppetmaster is run by passenger
# and can safely be removed if webrick is used.
ssl_client_header = SSL_CLIENT_S_DN
ssl_client_verify_header = SSL_CLIENT_VERIFY
Here, we'll need to comment the templatedir line to disable the setting as it has been already depreciated. After that, we'll add the following line at the end of the file under [main].
server = puppetmaster
environment = production
runinterval = 1h
strict_variables = true
certname = puppetmaster
dns_alt_names = puppetmaster, puppetmaster.example.com
This configuration file has many options which might be useful in order to setup own configuration. A full description of the file is available at Puppet Labs [Main Config File (puppet.conf)][1].
After editing the file, we'll wanna save that and exit.
Now, we'll gonna generate a new CA certificates by running the following command.
# puppet master --verbose --no-daemonize
Info: Creating a new SSL key for ca
Info: Creating a new SSL certificate request for ca
Info: Certificate Request fingerprint (SHA256): F6:2F:69:89:BA:A5:5E:FF:7F:94:15:6B:A7:C4:20:CE:23:C7:E3:C9:63:53:E0:F2:76:D7:2E:E0:BF:BD:A6:78
...
Notice: puppetmaster has a waiting certificate request
Notice: Signed certificate request for puppetmaster
Notice: Removing file Puppet::SSL::CertificateRequest puppetmaster at '/var/lib/puppet/ssl/ca/requests/puppetmaster.pem'
Notice: Removing file Puppet::SSL::CertificateRequest puppetmaster at '/var/lib/puppet/ssl/certificate_requests/puppetmaster.pem'
Notice: Starting Puppet master version 3.8.1
^CNotice: Caught INT; storing stop
Notice: Processing stop
Now, the certificate is being generated. Once we see **Notice: Starting Puppet master version 3.8.1**, the certificate setup is complete. Then we'll press CTRL-C to return to the shell.
If we wanna look at the cert information of the certificate that was just created, we can get the list by running in the following command.
# puppet cert list -all
+ "puppetmaster" (SHA256) 33:28:97:86:A1:C3:2F:73:10:D1:FB:42:DA:D5:42:69:71:84:F0:E2:8A:01:B9:58:38:90:E4:7D:B7:25:23:EC (alt names: "DNS:puppetmaster", "DNS:puppetmaster.example.com")
### 6. Creating a Puppet Manifest ###
The default location of the main manifest is /etc/puppet/manifests/site.pp. The main manifest file contains the definition of configuration that is used to execute in the puppet node agent. Now, we'll create the manifest file by running the following command.
# nano /etc/puppet/manifests/site.pp
Then, we'll add the following lines of configuration in the file that we just opened.
# execute 'apt-get update'
exec { 'apt-update': # exec resource named 'apt-update'
command => '/usr/bin/apt-get update' # command this resource will run
}
# install apache2 package
package { 'apache2':
require => Exec['apt-update'], # require 'apt-update' before installing
ensure => installed,
}
# ensure apache2 service is running
service { 'apache2':
ensure => running,
}
The above lines of configuration are responsible for the deployment of the installation of apache web server across the node agent.
### 7. Starting Master Service ###
We are now ready to start the puppet master. We can start it by running the apache2 service.
# systemctl start apache2
Here, our puppet master is running, but it isn't managing any agent nodes yet. Now, we'll gonna add the puppet node agents to the master.
**Note**: If you get an error **Job for apache2.service failed. See "systemctl status apache2.service" and "journalctl -xe" for details.** then it must be that there is some problem with the apache server. So, we can see the log what exactly has happened by running **apachectl start** under root or sudo mode. Here, while performing this tutorial, we got a misconfiguration of the certificates under **/etc/apache2/sites-enabled/puppetmaster.conf** file. We replaced **SSLCertificateFile /var/lib/puppet/ssl/certs/server.pem with SSLCertificateFile /var/lib/puppet/ssl/certs/puppetmaster.pem** and commented **SSLCertificateKeyFile** line. Then we'll need to rerun the above command to run apache server.
### 8. Puppet Agent Package Installation ###
Now, as we have our puppet master ready and it needs an agent to manage, we'll need to install puppet agent into the nodes. We'll need to install puppet agent in every nodes in our infrastructure we want puppet master to manage. We'll need to make sure that we have added our node agents in the DNS. Now, we'll gonna install the latest puppet agent in our agent node ie. puppetnode.example.com .
We'll run the following command to download the Puppet Labs package in our puppet agent nodes.
# cd /tmp/
# wget https://apt.puppetlabs.com/puppetlabs-release-trusty.deb\
--2015-06-17 00:54:42-- https://apt.puppetlabs.com/puppetlabs-release-trusty.deb
Resolving apt.puppetlabs.com (apt.puppetlabs.com)... 192.155.89.90, 2600:3c03::f03c:91ff:fedb:6b1d
Connecting to apt.puppetlabs.com (apt.puppetlabs.com)|192.155.89.90|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 7384 (7.2K) [application/x-debian-package]
Saving to: puppetlabs-release-trusty.deb
puppetlabs-release-tr 100%[===========================>] 7.21K --.-KB/s in 0.04s
2015-06-17 00:54:42 (162 KB/s) - puppetlabs-release-trusty.deb saved [7384/7384]
Then, as we're running ubuntu 15.04, we'll use debian package manager to install it.
# dpkg -i puppetlabs-release-trusty.deb
Now, we'll gonna update the repository index using apt-get.
# apt-get update
Finally, we'll gonna install the puppet agent directly from the remote repository.
# apt-get install puppet
Puppet agent is always disabled by default, so we'll need to enable it. To do so we'll need to edit /etc/default/puppet file using a text editor.
# nano /etc/default/puppet
Then, we'll need to change value of **START** to "yes" as shown below.
START=yes
Then, we'll need to save and exit the file.
### 9. Agent Version Lock with Apt ###
As We have puppet version as 3.8.1, we need to lock the puppet version update as this will mess up the configurations while updating the puppet. So, we'll use apt's locking feature for that. To do so, we'll need to create a file /etc/apt/preferences.d/00-puppet.pref using our favorite text editor.
# nano /etc/apt/preferences.d/00-puppet.pref
Then, we'll gonna add the entries in the newly created file as:
# /etc/apt/preferences.d/00-puppet.pref
Package: puppet puppet-common
Pin: version 3.8*
Pin-Priority: 501
Now, it will not update the Puppet while running updates in the system.
### 10. Configuring Puppet Node Agent ###
Next, We must make a few configuration changes before running the agent. To do so, we'll need to edit the agent's puppet.conf
# nano /etc/puppet/puppet.conf
It will look exactly like the Puppet master's initial configuration file.
This time also we'll comment the **templatedir** line. Then we'll gonna delete the [master] section, and all of the lines below it.
Assuming that the puppet master is reachable at "puppet-master", the agent should be able to connect to the master. If not we'll need to use its fully qualified domain name ie. puppetmaster.example.com .
[agent]
server = puppetmaster.example.com
certname = puppetnode.example.com
After adding this, it will look alike this.
[main]
logdir=/var/log/puppet
vardir=/var/lib/puppet
ssldir=/var/lib/puppet/ssl
rundir=/var/run/puppet
factpath=$vardir/lib/facter
#templatedir=$confdir/templates
[agent]
server = puppetmaster.example.com
certname = puppetnode.example.com
After done with that, we'll gonna save and exit it.
Next, we'll wanna start our latest puppet agent in our Ubuntu 15.04 nodes. To start our puppet agent, we'll need to run the following command.
# systemctl start puppet
If everything went as expected and configured properly, we should not see any output displayed by running the above command. When we run an agent for the first time, it generates an SSL certificate and sends a request to the puppet master then if the master signs the agent's certificate, it will be able to communicate with the agent node.
**Note**: If you are adding your first node, it is recommended that you attempt to sign the certificate on the puppet master before adding your other agents. Once you have verified that everything works properly, then you can go back and add the remaining agent nodes further.
### 11. Signing certificate Requests on Master ###
While puppet agent runs for the first time, it generates an SSL certificate and sends a request for signing to the master server. Before the master will be able to communicate and control the agent node, it must sign that specific agent node's certificate.
To get the list of the certificate requests, we'll run the following command in the puppet master server.
# puppet cert list
"puppetnode.example.com" (SHA256) 31:A1:7E:23:6B:CD:7B:7D:83:98:33:8B:21:01:A6:C4:01:D5:53:3D:A0:0E:77:9A:77:AE:8F:05:4A:9A:50:B2
As we just setup our first agent node, we will see one request. It will look something like the following, with the agent node's Domain name as the hostname.
Note that there is no + in front of it which indicates that it has not been signed yet.
Now, we'll go for signing a certification request. In order to sign a certification request, we should simply run **puppet cert sign** with the **hostname** as shown below.
# puppet cert sign puppetnode.example.com
Notice: Signed certificate request for puppetnode.example.com
Notice: Removing file Puppet::SSL::CertificateRequest puppetnode.example.com at '/var/lib/puppet/ssl/ca/requests/puppetnode.example.com.pem'
The Puppet master can now communicate and control the node that the signed certificate belongs to.
If we want to sign all of the current requests, we can use the -all option as shown below.
# puppet cert sign --all
### Removing a Puppet Certificate ###
If we wanna remove a host from it or wanna rebuild a host then add it back to it. In this case, we will want to revoke the host's certificate from the puppet master. To do this, we will want to use the clean action as follows.
# puppet cert clean hostname
Notice: Revoked certificate with serial 5
Notice: Removing file Puppet::SSL::Certificate puppetnode.example.com at '/var/lib/puppet/ssl/ca/signed/puppetnode.example.com.pem'
Notice: Removing file Puppet::SSL::Certificate puppetnode.example.com at '/var/lib/puppet/ssl/certs/puppetnode.example.com.pem'
If we want to view all of the requests signed and unsigned, run the following command:
# puppet cert list --all
+ "puppetmaster" (SHA256) 33:28:97:86:A1:C3:2F:73:10:D1:FB:42:DA:D5:42:69:71:84:F0:E2:8A:01:B9:58:38:90:E4:7D:B7:25:23:EC (alt names: "DNS:puppetmaster", "DNS:puppetmaster.example.com")
### 12. Deploying a Puppet Manifest ###
After we configure and complete the puppet manifest, we'll wanna deploy the manifest to the agent nodes server. To apply and load the main manifest we can simply run the following command in the agent node.
# puppet agent --test
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Caching catalog for puppetnode.example.com
Info: Applying configuration version '1434563858'
Notice: /Stage[main]/Main/Exec[apt-update]/returns: executed successfully
Notice: Finished catalog run in 10.53 seconds
This will show us all the processes how the main manifest will affect a single server immediately.
If we wanna run a puppet manifest that is not related to the main manifest, we can simply use puppet apply followed by the manifest file path. It only applies the manifest to the node that we run the apply from.
# puppet apply /etc/puppet/manifest/test.pp
### 13. Configuring Manifest for a Specific Node ###
If we wanna deploy a manifest only to a specific node then we'll need to configure the manifest as follows.
We'll need to edit the manifest on the master server using a text editor.
# nano /etc/puppet/manifest/site.pp
Now, we'll gonna add the following lines there.
node 'puppetnode', 'puppetnode1' {
# execute 'apt-get update'
exec { 'apt-update': # exec resource named 'apt-update'
command => '/usr/bin/apt-get update' # command this resource will run
}
# install apache2 package
package { 'apache2':
require => Exec['apt-update'], # require 'apt-update' before installing
ensure => installed,
}
# ensure apache2 service is running
service { 'apache2':
ensure => running,
}
}
Here, the above configuration will install and deploy the apache web server only to the two specified nodes having shortname puppetnode and puppetnode1. We can add more nodes that we need to get deployed with the manifest specifically.
### 14. Configuring Manifest with a Module ###
Modules are useful for grouping tasks together, they are many available in the Puppet community which anyone can contribute further.
On the puppet master, we'll gonna install the **puppetlabs-apache** module using the puppet module command.
# puppet module install puppetlabs-apache
**Warning**: Please do not use this module on an existing apache setup else it will purge your apache configurations that are not managed by puppet.
Now we'll gonna edit the main manifest ie **site.pp** using a text editor.
# nano /etc/puppet/manifest/site.pp
Now add the following lines to install apache under puppetnode.
node 'puppet-node' {
class { 'apache': } # use apache module
apache::vhost { 'example.com': # define vhost resource
port => '80',
docroot => '/var/www/html'
}
}
Then we'll wanna save and exit it. Then, we'll wanna rerun the manifest to deploy the configuration to the agents for our infrastructure.
### Conclusion ###
Finally we have successfully installed puppet to manage our Server Infrastructure running Ubuntu 15.04 "Vivid Vervet" linux operating system. We learned how puppet works, configure a manifest configuration, communicate with nodes and deploy the manifest on the agent nodes with secure SSL certification. Controlling, managing and configuring repeated task in several N number of nodes is very easy with puppet open source software configuration management tool. If you have any questions, suggestions, feedback please write them in the comment box below so that we can improve or update our contents. Thank you ! Enjoy :-)
--------------------------------------------------------------------------------
via: http://linoxide.com/linux-how-to/install-puppet-ubuntu-15-04/
作者:[Arun Pyasi][a]
译者:[译者ID](https://github.com/译者ID)
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创翻译,[Linux中国](https://linux.cn/) 荣誉推出
[a]:http://linoxide.com/author/arunp/
[1]:https://docs.puppetlabs.com/puppet/latest/reference/config_file_main.html

View File

@ -1,3 +1,4 @@
translated by iov-wang
How to Install OsTicket Ticketing System in Fedora 22 / Centos 7 How to Install OsTicket Ticketing System in Fedora 22 / Centos 7
================================================================================ ================================================================================
In this article, we'll learn how to setup help desk ticketing system with osTicket in our machine or server running Fedora 22 or CentOS 7 as operating system. osTicket is a free and open source popular customer support ticketing system developed and maintained by [Enhancesoft][1] and its contributors. osTicket is the best solution for help and support ticketing system and management for better communication and support assistance with clients and customers. It has the ability to easily integrate with inquiries created via email, phone and web based forms into a beautiful multi-user web interface. osTicket makes us easy to manage, organize and log all our support requests and responses in one single place. It is a simple, lightweight, reliable, open source, web-based and easy to setup and use help desk ticketing system. In this article, we'll learn how to setup help desk ticketing system with osTicket in our machine or server running Fedora 22 or CentOS 7 as operating system. osTicket is a free and open source popular customer support ticketing system developed and maintained by [Enhancesoft][1] and its contributors. osTicket is the best solution for help and support ticketing system and management for better communication and support assistance with clients and customers. It has the ability to easily integrate with inquiries created via email, phone and web based forms into a beautiful multi-user web interface. osTicket makes us easy to manage, organize and log all our support requests and responses in one single place. It is a simple, lightweight, reliable, open source, web-based and easy to setup and use help desk ticketing system.

View File

@ -1,3 +1,4 @@
translated by ivo-wang
How to Configure OpenNMS on CentOS 7.x How to Configure OpenNMS on CentOS 7.x
================================================================================ ================================================================================
Systems management and monitoring services are very important that provides information to view important systems management information that allow us to to make decisions based on this information. To make sure the network is running at its best and to minimize the network downtime we need to improve application performance. So, in this article we will make you understand the step by step procedure to setup OpenNMS in your IT infrastructure. OpenNMS is a free open source enterprise level network monitoring and management platform that provides information to allow us to make decisions in regards to future network and capacity planning. Systems management and monitoring services are very important that provides information to view important systems management information that allow us to to make decisions based on this information. To make sure the network is running at its best and to minimize the network downtime we need to improve application performance. So, in this article we will make you understand the step by step procedure to setup OpenNMS in your IT infrastructure. OpenNMS is a free open source enterprise level network monitoring and management platform that provides information to allow us to make decisions in regards to future network and capacity planning.

View File

@ -1,3 +1,4 @@
translated by ivo-wang
How to install Suricata intrusion detection system on Linux How to install Suricata intrusion detection system on Linux
================================================================================ ================================================================================
With incessant security threats, intrusion detection system (IDS) has become one of the most critical requirements in today's data center environments. However, as more and more servers upgrade their NICs to 10GB/40GB Ethernet, it is increasingly difficult to implement compute-intensive intrusion detection on commodity hardware at line rates. One approach to scaling IDS performance is **multi-threaded IDS**, where CPU-intensive deep packet inspection workload is parallelized into multiple concurrent tasks. Such parallelized inspection can exploit multi-core hardware to scale up IDS throughput easily. Two well-known open-source efforts in this area are [Suricata][1] and [Bro][2]. With incessant security threats, intrusion detection system (IDS) has become one of the most critical requirements in today's data center environments. However, as more and more servers upgrade their NICs to 10GB/40GB Ethernet, it is increasingly difficult to implement compute-intensive intrusion detection on commodity hardware at line rates. One approach to scaling IDS performance is **multi-threaded IDS**, where CPU-intensive deep packet inspection workload is parallelized into multiple concurrent tasks. Such parallelized inspection can exploit multi-core hardware to scale up IDS throughput easily. Two well-known open-source efforts in this area are [Suricata][1] and [Bro][2].

View File

@ -1,139 +0,0 @@
How to install Android Studio on Ubuntu 15.04 / CentOS 7
================================================================================
With the advancement of smart phones in the recent years, Android has become one of the biggest phone platforms and all the tools required to build Android applications are also freely available. Android Studio is an Integrated Development Environment (IDE) for developing Android applications based on [IntelliJ IDEA][1]. It is a free and open source software by Google released in 2014 and succeeds Eclipse as the main IDE.
In this article, we will learn how to install Android Studio on Ubuntu 15.04 and CentOS 7.
### Installation on Ubuntu 15.04 ###
We can install Android Studio in two ways. One is to set up the required repository and install it; other is to download it from the official Android site and install it locally. In the following example, we will be setting up the repo using command line and install it. Before proceeding, we need to make sure that we have JDK version1.6 or greater installed.
Here, I'm installing JDK 1.8.
$ sudo add-apt-repository ppa:webupd8team/java
$ sudo apt-get update
$ sudo apt-get install oracle-java8-installer oracle-java8-set-default
Verify if java installation was successful:
poornima@poornima-Lenovo:~$ java -version
Now, setup the repo for installing Android Studio
$ sudo apt-add-repository ppa:paolorotolo/android-studio
![Android-Studio-repo](http://blog.linoxide.com/wp-content/uploads/2015/11/Android-studio-repo.png)
$ sudo apt-get update
$ sudo apt-get install android-studio
Above install command will install android-studio in the directory /opt.
Now, run the following command to start the setup wizard:
$ /opt/android-studio/bin/studio.sh
This will invoke the setup screen. Following are the screen shots that follow to set up Android studio:
![Android Studio setup](http://blog.linoxide.com/wp-content/uploads/2015/11/Studio-setup.png)
![Install-type](Android Studio setup)
![Emulator Settings](http://blog.linoxide.com/wp-content/uploads/2015/11/Emulator-settings.png)
Once you press the Finish button, Licence agreement will be displayed. After you accept the licence, it starts downloading the required components.
![Download components](http://blog.linoxide.com/wp-content/uploads/2015/11/Download.png)
Android studio installation will be complete after this step. When you relaunch Android studio, you will be shown the following welcome screen from where you will be able to start working with your Android Studio.
![Welcome screen](http://blog.linoxide.com/wp-content/uploads/2015/11/Welcome-screen.png)
### Installation on CentOS 7 ###
Let us now learn how to install Android Studio on CentOS 7. Here also, you need to install JDK 1.6 or later. Remember to use 'sudo' before the commands if you are not a root user. You can download the [latest version][2] of JDK. In case you already have an older version installed, remove the same before installing the new one. In the below example, I will be installing JDK version 1.8.0_65 by downloading the required rpm.
[root@li1260-39 ~]# rpm -ivh jdk-8u65-linux-x64.rpm
Preparing... ################################# [100%]
Updating / installing...
1:jdk1.8.0_65-2000:1.8.0_65-fcs ################################# [100%]
Unpacking JAR files...
tools.jar...
plugin.jar...
javaws.jar...
deploy.jar...
rt.jar...
jsse.jar...
charsets.jar...
localedata.jar...
jfxrt.jar...
If Java path is not set properly, you will get error messages. Hence, set the correct path:
export JAVA_HOME=/usr/java/jdk1.8.0_25/
export PATH=$PATH:$JAVA_HOME
Check if the correct version has been installed:
[root@li1260-39 ~]# java -version
java version "1.8.0_65"
Java(TM) SE Runtime Environment (build 1.8.0_65-b17)
Java HotSpot(TM) 64-Bit Server VM (build 25.65-b01, mixed mode)
If you notice any error message of the sort "unable-to-run-mksdcard-sdk-tool:" while trying to install Android Studio, you might also have to install the following packages on CentOS 7 64-bit:
glibc.i686
glibc-devel.i686
libstdc++.i686
zlib-devel.i686
ncurses-devel.i686
libX11-devel.i686
libXrender.i686
libXrandr.i686
Let us know install studio by downloading the ide file from [Android site][3] and unzipping the same.
[root@li1260-39 tmp]# unzip android-studio-ide-141.2343393-linux.zip
Move android-studio directory to /opt directory
[root@li1260-39 tmp]# mv /tmp/android-studio/ /opt/
You can create a simlink to the studio executable to quickly start it whenever you need it.
[root@li1260-39 tmp]# ln -s /opt/android-studio/bin/studio.sh /usr/local/bin/android-studio
Now launch the studio from a terminal:
[root@localhost ~]#studio
The screens that follow for completing the installation are same as the ones shown above for Ubuntu. When the installation completes, you can start creating your own Android applications.
### Conclusion ###
Within a year of its release, Android Studio has taken over as the primary IDE for Android development by eclipsing Eclipse. It is the only official IDE tool that will support future Android SDKs and other Android features that will be provided by Google. So, what are you waiting for? Go install Android Studio and have fun developing Android apps.
--------------------------------------------------------------------------------
via: http://linoxide.com/tools/install-android-studio-ubuntu-15-04-centos-7/
作者:[B N Poornima][a]
译者:[译者ID](https://github.com/译者ID)
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
[a]:http://linoxide.com/author/bnpoornima/
[1]:https://www.jetbrains.com/idea/
[2]:http://www.oracle.com/technetwork/java/javase/downloads/jdk8-downloads-2133151.html
[3]:http://developer.android.com/sdk/index.html

View File

@ -1,3 +1,5 @@
Vic020
How to use the Linux ftp command to up- and download files on the shell How to use the Linux ftp command to up- and download files on the shell
================================================================================ ================================================================================
In this tutorial, I will explain how to use the Linux ftp command on the shell. I will show you how to connect to an FTP server, up- and download files and create directories. While there are many nice desktops FTP clients available, the FTP command is still useful when you work remotely on a server over an SSH session and e.g. want to fetch a backup file from your FTP storage. In this tutorial, I will explain how to use the Linux ftp command on the shell. I will show you how to connect to an FTP server, up- and download files and create directories. While there are many nice desktops FTP clients available, the FTP command is still useful when you work remotely on a server over an SSH session and e.g. want to fetch a backup file from your FTP storage.

View File

@ -0,0 +1,175 @@
How to Install Laravel PHP Framework on CentOS 7 / Ubuntu 15.04
================================================================================
Hi All, In this article we are going to setup Laravel on CentOS 7 and Ubuntu 15.04. If you are a PHP web developer then you don't need to worry about of all modern PHP frameworks, Laravel is the easiest to get up and running that saves your time and effort and makes web development a joy. Laravel embraces a general development philosophy that sets a high priority on creating maintainable code by following some simple guidelines, you should be able to keep a rapid pace of development and be free to change your code with little fear of breaking existing functionality.
Laravel's PHP framework installation is not a big deal. You can simply follow the step by step guide in this article for your CentOS 7 or Ubuntu 15 server.
### 1) Server Requirements ###
Laravel depends upon a number of prerequisites that must be setup before installing it. Those prerequisites includes some basic tuning parameter of server like your system update, sudo rights and installation of required packages.
Once you are connected to your server make sure to configure the fully qualified domain name then run the commands below to enable EPEL Repo and update your server.
#### CentOS-7 ####
# yum install epel-release
----------
# rpm -Uvh https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
# rpm -Uvh https://mirror.webtatic.com/yum/el7/webtatic-release.rpm
----------
# yum update
#### Ubuntu ####
# apt-get install python-software-properties
# add-apt-repository ppa:ondrej/php5
----------
# apt-get update
----------
# apt-get install -y php5 mcrypt php5-mcrypt php5-gd
### 2) Firewall Setup ###
System Firewall and SELinux setup is an important part regarding the security of your applications in production. You can make firewall off if you are working on test server and keep SELinux to permissive mode using the below command, so that you installing setup won't be affected by it.
# setenforce 0
### 3) Apache, MariaDB, PHP Setup ###
Laravel installation requires a complete LAMP stack with OpenSSL, PDO, Mbstring and Tokenizer PHP Extensions. If you are already running LAMP server then you can skip this step to move on and just make sure that the required PHP extensions are installed.
To install AMP stack you can use the below commands on your respective server.
#### CentOS ####
# yum install httpd mariadb-server php56w php56w-mysql php56w-mcrypt php56w-dom php56w-mbstring
To start and enable Apache web and MySQL/Mariadb services at bootup on CentOS 7 , we will use below commands.
# systemctl start httpd
# systemctl enable httpd
----------
#systemctl start mysqld
#systemctl enable mysqld
After starting MariaDB service, we will configure its secured password with below command.
#mysql_secure_installation
#### Ubuntu ####
# apt-get install mysql-server apache2 libapache2-mod-php5 php5-mysql
### 4) Install Composer ###
Now we are going to install composer that is one of the most important requirement before starting the Laravel installation that helps in installing Laravel's dependencies.
#### CentOS/Ubuntu ####
Run the below commands to setup 'composer' in CentOS/Ubuntu.
# curl -sS https://getcomposer.org/installer | php
# mv composer.phar /usr/local/bin/composer
# chmod +x /usr/local/bin/composer
![composer installation](http://blog.linoxide.com/wp-content/uploads/2015/11/14.png)
### 5) Installing Laravel ###
Laravel's installation package can be downloaded from github using the command below.
# wget https://github.com/laravel/laravel/archive/develop.zip
To extract the archived package and move into the document root directory use below commands.
# unzip develop.zip
----------
# mv laravel-develop /var/www/
Now use the following compose command that will install all required dependencies for Laravel within its directory.
# cd /var/www/laravel-develop/
# composer install
![compose laravel](http://blog.linoxide.com/wp-content/uploads/2015/11/25.png)
### 6) Key Encryption ###
For encrypter service, we will be generating a 32 digit encryption key using the command below.
# php artisan key:generate
Application key [Lf54qK56s3qDh0ywgf9JdRxO2N0oV9qI] set successfully
Now put this key into the 'app.php' file as shown below.
# vim /var/www/laravel-develop/config/app.php
![Key encryption](http://blog.linoxide.com/wp-content/uploads/2015/11/45.png)
### 7) Virtua Host and Ownership ###
After composer installation assign the permissions and apache user ownership to the document root directory as shown.
# chmod 775 /var/www/laravel-develop/app/storage
----------
# chown -R apache:apache /var/www/laravel-develop
Open the default configuration file of apache web server using any editor to add the following lines at the end file for new virtual host entry.
# vim /etc/httpd/conf/httpd.conf
----------
ServerName laravel-develop
DocumentRoot /var/www/laravel/public
start Directory /var/www/laravel
AllowOverride All
Directory close
Now the time is to restart apache web server services as shown below and then open your web browser to check your localhost page.
#### CentOS ####
# systemctl restart httpd
#### Ubuntu ####
# service apache2 restart
### 8) Laravel 5 Web Access ###
Open your web browser and give your server IP or Fully Qualified Domain name and you will see the default web page of Laravel 5 frame work.
![Laravel Default](http://blog.linoxide.com/wp-content/uploads/2015/11/35.png)
### Conclusion ###
Laravel Framework is a great tool to develop your web applications. So, at the end of this article you have learned its installation setup on Ubuntu 15 and CentOS 7 , Now start using this awesome PHP framework that provides you a lot of more features and comfort in your development work. Feel free to comment us back for your valuable suggestions an feedback to guide you in more specific and easiest way.
--------------------------------------------------------------------------------
via: http://linoxide.com/linux-how-to/install-laravel-php-centos-7-ubuntu-15-04/
作者:[Kashif][a]
译者:[译者ID](https://github.com/译者ID)
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
[a]:http://linoxide.com/author/kashifs/

View File

@ -0,0 +1,145 @@
Install and Configure Munin monitoring server in Linux
================================================================================
![](http://www.linuxnix.com/wp-content/uploads/2015/12/munin_page.jpg)
Munin is an excellent system monitoring tool similar to [RRD tool][1] which will give you ample information about system performance in multiple fronts like **disk, network, process, system and users**. These are some of the default properties Munin monitors.
### How Munin works? ###
Munin works in a client-server model. Munin server process on main server try to collect data from client daemon which is running locally(Munin can monitor itss own resources) or from remote client(Munin can monitor hundreds of machines) and displays them in graphs on its web interface.
### Configuring Munin in nutshell ###
This is of two steps as we have to configure both server and client.
1)Install Munin server package and configure it so that it get data from clients.
2)Configure Munin client so that server will connect to client daemon for data collocation.
### Install munin server in Linux ###
Munin server installation on Ubuntu/Debian based machines
apt-get install munin apache2
Munin server installation on Redhat/Centos based machines. Make sure that you [enable EPEL repo][2] before installing Munin on Redhat based machines as by default Redhat based machines do not have Munin in their repos.
yum install munin httpd
### Configuring Munin server in Linux ###
Below are the steps we have to do in order to bring server up.
1. Add host details which need monitoring in /etc/munin/munin.conf
1. Configure apache web server to include munin details.
1. Create User name and password for web interface
1. Restart apache server
**Step 1**: Add hosts entry in this file in **/etc/munin/munin.conf**. Go to end of the file and a client to monitor. Here in this example, I added my DB server and its IP address to monitor
Example:
[db.linuxnix.com]
address 192.168.1.25
use_node_name yes
Save the file and exit.
**Step 2**: Edit/create munin.conf file in /etc/apache2/conf.d folder to include Munin Apache related configs. In another note, by default other Munin web related configs are kept in /var/www/munin folder.
vi /etc/apache2/conf.d/munin.conf
Content:
Alias /munin /var/www/munin
<Directory /var/www/munin>
Order allow,deny
Allow from localhost 127.0.0.0/8 ::1
AllowOverride None
Options ExecCGI FollowSymlinks
AddHandler cgi-script .cgi
DirectoryIndex index.cgi
AuthUserFile /etc/munin/munin.passwd
AuthType basic
AuthName "Munin stats"
require valid-user
<IfModule mod_expires.c>
ExpiresActive On
ExpiresDefault M310
</IfModule>
</Directory>
Save the file and exit
**Step 3**: Now create a username and password for viewing muning graphs:
htpasswd -c /etc/munin/munin-htpasswd munin
**Note**: For Redhat/Centos machines replace “**apache2**” with “**httpd**” in each path to access your config files.
**Step 3**: Restart Apache server so that Munin configurations are picked-up by Apache.
#### Ubuntu/Debian based: ####
service apache2 restart
#### Centos/Redhat based: ####
service httpd restart
### Install and configure Munin client in Linux ###
**Step 1**: Install Munin client in Linux
apt-get install munin-node
**Note**: If you want to monitor your Munin server, then you have to install munin-node on that as well.
**Step 2**: Configure client by editing munin-node.conf file.
vi /etc/munin/munin-node.conf
Example:
allow ^127\.0\.0\.1$
allow ^10\.10\.20\.20$
----------
# Which address to bind to;
host *
----------
# And which port
port 4949
**Note**: 10.10.20.20 is my Munin server and it connections to 4949 port on client to get its data.
**Step 3**: Restart munin-node on client server
service munin-node restart
### Testing connection ###
check if you are able to connect client from server on 4949 port, other wise you have to open that port on client machine.
telnet db.linuxnix.com 4949
Accessing Munin web interface
http://munin.linuxnix.com/munin/index.html
Hope this helps to configure basic Munin server.
--------------------------------------------------------------------------------
via: http://www.linuxnix.com/install-and-configure-munin-monitoring-server-in-linux/
作者:[Surendra Anne][a]
译者:[译者ID](https://github.com/译者ID)
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
[a]:http://www.linuxnix.com/author/surendra/
[1]:http://www.linuxnix.com/network-monitoringinfo-gathering-tools-in-linux/
[2]:http://www.linuxnix.com/how-to-install-and-enable-epel-repo-in-rhel-centos-oracle-scentific-linux/

View File

@ -0,0 +1,196 @@
translation by strugglingyouth
Linux / Unix: jobs Command Examples
================================================================================
I am new Linux and Unix user. How do I show the active jobs on Linux or Unix-like systems using BASH/KSH/TCSH or POSIX based shell? How can I display status of jobs in the current session on Unix/Linux?
Job control is nothing but the ability to stop/suspend the execution of processes (command) and continue/resume their execution as per your requirements. This is done using your operating system and shell such as bash/ksh or POSIX shell.
You shell keeps a table of currently executing jobs and can be displayed with jobs command.
### Purpose ###
> Displays status of jobs in the current shell session.
### Syntax ###
The basic syntax is as follows:
jobs
OR
jobs jobID
OR
jobs [options] jobID
### Starting few jobs for demonstration purpose ###
Before you start using jobs command, you need to start couple of jobs on your system. Type the following commands to start jobs:
## Start xeyes, calculator, and gedit text editor ###
xeyes &
gnome-calculator &
gedit fetch-stock-prices.py &
Finally, run ping command in foreground:
ping www.cyberciti.biz
To suspend ping command job hit the **Ctrl-Z** key sequence.
### jobs command examples ###
To display the status of jobs in the current shell, enter:
$ jobs
Sample outputs:
[1] 7895 Running gpass &
[2] 7906 Running gnome-calculator &
[3]- 7910 Running gedit fetch-stock-prices.py &
[4]+ 7946 Stopped ping cyberciti.biz
To display the process ID or jobs for the job whose name begins with "p," enter:
$ jobs -p %p
OR
$ jobs %p
Sample outputs:
[4]- Stopped ping cyberciti.biz
The character % introduces a job specification. In this example, you are using the string whose name begins with suspended command such as %ping.
### How do I show process IDs in addition to the normal information? ###
Pass the -l(lowercase L) option to jobs command for more information about each job listed, run:
$ jobs -l
Sample outputs:
![Fig.01: Displaying the status of jobs in the shell](http://s0.cyberciti.org/uploads/faq/2013/02/jobs-command-output.jpg)
Fig.01: Displaying the status of jobs in the shell
### How do I list only processes that have changed status since the last notification? ###
First, start a new job as follows:
$ sleep 100 &
Now, only show jobs that have stopped or exited since last notified, type:
$ jobs -n
Sample outputs:
[5]- Running sleep 100 &
### Display lists process IDs (PIDs) only ###
Pass the -p option to jobs command to display PIDs only:
$ jobs -p
Sample outputs:
7895
7906
7910
7946
7949
### How do I display only running jobs? ###
Pass the -r option to jobs command to display only running jobs only, type:
$ jobs -r
Sample outputs:
[1] Running gpass &
[2] Running gnome-calculator &
[3]- Running gedit fetch-stock-prices.py &
### How do I display only jobs that have stopped? ###
Pass the -s option to jobs command to display only stopped jobs only, type:
$ jobs -s
Sample outputs:
[4]+ Stopped ping cyberciti.biz
To resume the ping cyberciti.biz job by entering the following bg command:
$ bg %4
### jobs command options ###
From the [bash(1)][1] command man page:
注:表格
<table border="1">
<tbody>
<tr>
<td>Option</td>
<td>Description</td>
</tr>
<tr>
<td><kbd><strong>-l</strong></kbd></td>
<td>Show process id's in addition to the normal information.</td>
</tr>
<tr>
<td><kbd><strong>-p</strong></kbd></td>
<td>Show process id's only.</td>
</tr>
<tr>
<td><kbd><strong>-n</strong></kbd></td>
<td>Show only processes that have changed status since the last notification are printed.</td>
</tr>
<tr>
<td><kbd><strong>-r</strong></kbd></td>
<td>Restrict output to running jobs only.</td>
</tr>
<tr>
<td><kbd><strong>-s</strong></kbd></td>
<td>Restrict output to stopped jobs only.</td>
</tr>
<tr>
<td><kbd><strong>-x</strong></kbd></td>
<td>COMMAND is run after all job specifications that appear in ARGS have been replaced with the process ID of that job's process group leader./td&gt;</td>
</tr>
</tbody>
</table>
### A note about /usr/bin/jobs and shell builtin ###
Type the following type command to find out whether jobs is part of shell, external command or both:
$ type -a jobs
Sample outputs:
jobs is a shell builtin
jobs is /usr/bin/jobs
In almost all cases you need to use the jobs command that is implemented as a BASH/KSH/POSIX shell built-in. The /usr/bin/jobs command can not be used in the current shell. The /usr/bin/jobs command operates in a different environment and does not share the parent bash/ksh's shells understanding of jobs.
--------------------------------------------------------------------------------
via:
作者Vivek Gite
译者:[译者ID](https://github.com/译者ID)
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
[1]:http://www.manpager.com/linux/man1/bash.1.html

View File

@ -0,0 +1,54 @@
NetworkManager and privacy in the IPv6 internet
======================
IPv6 is gaining momentum. With growing use of the protocol concerns about privacy that were not initially anticipated arise. The Internet community actively publishes solutions to them. Whats the current state and how does NetworkManager catch up? Lets figure out!
![](https://blogs.gnome.org/lkundrak/files/2015/12/cameras1.jpg)
## The identity of a IPv6-connected host
The IPv6 enabled nodes dont need a central authority similar to IPv4 [DHCP](https://tools.ietf.org/html/rfc2132) servers to configure their addresses. They discover the networks they are in and [complete the addresses themselves](https://tools.ietf.org/html/rfc4862) by generating the host part. This makes the network configuration simpler and scales better to larger networks. However, theres some drawbacks to this approach. Firstly, the node needs to ensure that its address doesnt collide with an address of any other node on the network. Secondly, if the node uses the same host part of the address in every network it enters then its movement can be tracked and the privacy is at risk.
Internet Engineering Task Force (IETF), the organization behind the Internet standards, [acknowledged this problem](https://tools.ietf.org/html/draft-iesg-serno-privacy-00) and recommends against use of hardware serial numbers to identify the node in the network.
But what does the actual implementation look like?
The problem of address uniqueness is addressed with [Duplicate Address Detection](https://tools.ietf.org/html/rfc4862#section-5.4) (DAD) mechanism. When a node creates an address for itself it first checks whether another node uses the same address using the [Neighbor Discovery Protocol](https://tools.ietf.org/html/rfc4861) (a mechanism not unlike IPv4 [ARP](https://tools.ietf.org/html/rfc826) protocol). When it discovers the address is already used, it must discard it.
The other problem (privacy) is a bit harder to solve. An IP address (be it IPv4 or IPv6) address consists of a network part and the host part. The host discovers the relevant network parts and is supposed generate the host part. Traditionally it just uses an Interface Identifier derived from the network hardwares (MAC) address. The MAC address is set at manufacturing time and can uniquely identify the machine. This guarantees the address is stable and unique. Thats a good thing for address collision avoidance but a bad thing for privacy. The host part remaining constant in different network means that the machine can be uniquely identified as it enters different networks. This seemed like non-issue at the time the protocol was designed, but the privacy concerns arose as the IPv6 gained popularity. Fortunately, theres a solution to this problem.
## Enter privacy extensions
Its no secret that the biggest problem with IPv4 is that the addresses are scarce. This is no longer true with IPv6 and in fact an IPv6-enabled host can use addresses quite liberally. Theres absolutely nothing wrong with having multiple IPv6 addresses attached to the same interface. On the contrary, its a pretty standard situation. At the very minimum each node has an address that is used for contacting nodes on the same hardware link called a link-local address.  When the network contains a router that connects it to other networks in the internet, a node has an address for every network its directly connected to. If a host has more addresses in the same network the node accepts incoming traffic for all of them. For the outgoing connections which, of course, reveal the address to the remote host, the kernel picks the fittest one. But which one is it?
With privacy extensions enabled, as defined by [RFC4941](https://tools.ietf.org/html/rfc4941), a new address with a random host part is generated every now and then. The newest one is used for new outgoing connections while the older ones are deprecated when theyre unused. This is a nifty trick — the host does not reveal the stable address as its not used for outgoing connections, but still accepts connections to it from the hosts that are aware of it.
Theres a downside to this. Certain applications tie the address to the user identity. Consider a web application that issues a HTTP Cookie for the user during the authentication but only accepts it for the connections that come from the address that conducted the authentications. As the kernel generates a new temporary address, the server would reject the requests that use it, effectively logging the user out. It could be argued that the address is not an appropriate mechanism for establishing users identity but thats what some real-world applications do.
## Privacy stable addressing to the rescue
Another approach would be needed to cope with this. Theres a need for an address that is unique (of course), stable for a particular network but still changes when user enters another network so that tracking is not possible. The RFC7217 introduces a mechanism that provides exactly this.
Creation of a privacy stable address relies on a pseudo-random key thats only known the host itself and never revealed to other hosts in the network. This key is then hashed using a cryptographically secure algorithm along with values specific for a particular network connection. It includes an identifier of the network interface, the network prefix and possibly other values specific to the network such as the wireless SSID. The use of the secret key makes it impossible to predict the resulting address for the other hosts while the network-specific data causes it to be different when entering a different network.
This also solves the duplicate address problem nicely. The random key makes collisions unlikely. If, in spite of this, a collision occurs then the hash can be salted with a DAD failure counter and a different address can be generated instead of failing the network connectivity. Now thats clever.
Using privacy stable address doesnt interfere with the privacy extensions at all. You can use the [RFC7217](https://tools.ietf.org/html/rfc7217) stable address while still employing the RFC4941 temporary addresses at the same time.
## Where does NetworkManager stand?
Weve already enabled the privacy extensions with the release NetworkManager 1.0.4. Theyre turned on by default; you can control them with ipv6.ip6-privacy property.
With the release of NetworkManager 1.2, were adding the stable privacy addressing. Its supposed to address the situations where the privacy extensions dont make the cut. The use of the feature is controlled with the ipv6.addr-gen-mode property. If its set to stable-privacy then stable privacy addressing is used. Setting it to “eui64” or not setting it at all preserves the traditional default behavior.
Stay tuned for NetworkManager 1.2 release in early 2016! If you want to try the bleeding-edge snapshot, give Fedora Rawhide a try. It will eventually become Fedora 24.
*Id like to thank Hannes Frederic Sowa for a valuable feedback. The article would make less sense without his corrections. Hannes also created the in-kernel implementation of the RFC7217 mechanism which can be used when the networking is not managed by NetworkManager.*
--------------------------------------------------------------------------------
via: https://blogs.gnome.org/lkundrak/2015/12/03/networkmanager-and-privacy-in-the-ipv6-internet/
作者:[Lubomir Rintel]
译者:[译者ID](https://github.com/译者ID)
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创翻译,[Linux中国](http://linux.cn/) 荣誉推出

View File

@ -0,0 +1,46 @@
Supporting secure DNS in glibc
========================
Credit: Jonathan Corbet
One of the many weak links in Internet security is the domain name system (DNS); it is subject to attacks that, among other things, can mislead applications regarding the IP address of a system they wish to connect to. That, in turn, can cause connections to go to the wrong place, facilitating man-in-the-middle attacks and more. The DNSSEC protocol extensions are meant to address this threat by setting up a cryptographically secure chain of trust for DNS information. When DNSSEC is set up properly, applications should be able to trust the results of domain lookups. As the discussion over an attempt to better integrate DNSSEC into the GNU C Library shows, though, ensuring that DNS lookups are safe is still not a straightforward problem.
In a sense, the problem was solved years ago; one can configure a local nameserver to perform full DNSSEC verification and use that server via glibc calls in applications. DNSSEC can even be used to increase security in other areas; it can, for example, carry SSH or TLS key fingerprints, allowing applications to verify that they are talking to the right server. Things get tricky, though, when one wants to be sure that DNS results claiming to have DNSSEC verification are actually what they claim to be — when one wants the security that DNSSEC is meant to provide, in other words.
The /etc/resolv.conf problem
Part of the problem, from the glibc perspective, is that glibc itself does not do DNSSEC verification. Instead, it consults /etc/resolv.conf and asks the servers found therein to do the lookup and verification; the results are then returned to the application. If the application is using the low-level res_query() interface, those results may include the "authenticated data" (AD) flag (if the nameserver has set it) indicating that DNSSEC verification has been successfully performed. But glibc knows nothing about the trustworthiness of the nameserver that has provided those results, so it cannot tell the application anything about whether they should really be trusted.
One of the first steps suggested by glibc maintainer Carlos O'Donell is to add an option (dns-strip-dnssec-ad-bit) to the resolv.conf file telling glibc to unconditionally remove the AD bit. This option could be set by distributions to indicate that the DNS lookup results cannot be trusted at a DNSSEC level. Once things have been set up so that the results can be trusted, that option can be removed. In the meantime, though, applications would have a way to judge the DNS lookup results they get from glibc, something that does not exist now.
What would a trustworthy setup look like? The standard picture looks something like this: there is a local nameserver, accessed via the loopback interface, as the only entry in /etc/resolv.conf. That nameserver would be configured to do verification and, in the case that verification fails, simply return no results at all. There would, in almost all cases, be no need to worry about whether applications see the AD bit or not; if the results are not trustworthy, applications will simply not see them at all. A number of distributions are moving toward this model, but the situation is still not as simple as some might think.
One problem is that this scheme makes /etc/resolv.conf into a central point of trust for the system. But, in a typical Linux system, there are no end of DHCP clients, networking scripts, and more that will make changes to that file. As Paul Wouters pointed out, locking down this file in the short term is not really an option. Sometimes those changes are necessary: when a diskless system is booting, it may need name-resolution service before it is at a point where it can start up its own nameserver. A system's entire DNS environment may change depending on which network it is attached to. Systems in containers may be best configured to talk to a nameserver on the host. And so on.
So there seems to be a general belief that /etc/resolv.conf cannot really be trusted on current systems. Ideas to add secondary configuration files (/etc/secure-resolv.conf or whatever) have been floated, but they don't much change the basic nature of the situation. Beyond that, some participants felt that even a local nameserver running on the loopback interface is not really trustworthy; Zack Weinberg suggested that administrators might intentionally short out DNSSEC validation, for example.
Since the configuration cannot be trusted on current systems, the reasoning goes, glibc needs to have a way to indicate to applications when the situation has improved and things can be trusted. That could include the AD-stripping option described above (or, conversely, an explicit "this nameserver is trusted" option); that, of course, would require that the system be locked down to a level where surprising changes to /etc/resolv.conf no longer happen. A variant, as suggested by Petr Spacek, is to have a way for an application to ask glibc whether it is talking to a local nameserver or not.
Do it in glibc?
An alternative would be to dispense with the nameserver and have glibc do DNSSEC validation itself. There is, however, resistance to putting a big pile of cryptographic code into glibc itself. That would increase the size of the library and, it is felt, increase the attack surface of any application using it. A variant of this idea, suggested by Zack, would be to put the validation code into the name-service caching daemon (nscd) instead. Since nscd is part of glibc, it is under the control of the glibc developers and there could be a certain amount of confidence that DNSSEC validation is being performed properly. The location of the nscd socket is well known, so the /etc/resolv.confissues don't come into play. Carlos worried, though, that this approach might deter adoption by users who do not want the caching features of nscd; in his mind, that seems to rule out the nscd option.
So, in the short term, at least, it seems unlikely that glibc will take on the full task of performing validated DNSSEC lookups. That means that, if security-conscious applications are going to use glibc for their name lookups, the library will have to provide an indication of how trustworthy the results received from a separate nameserver are. And that will almost certainly require explicit action on the part of the distributor and/or system administrator. As Simo Sorce put it:
A situation in which glibc does not use an explicit configuration option to signal applications that it is using a trusted resolver is not useful ... no scratch that, it is actively harmful, because applications developers will quickly realize they cannot trust any information coming from glibc and will simply not use it for DNSSEC related information.
Configuring a system to properly use DNSSEC involves change to many of the components of that system — it is a distribution-wide problem that will take time to solve fully. The role that glibc plays in this transition is likely to be relatively small, but it is an important one: glibc is probably the only place where applications can receive some assurance that their DNS results are trustworthy without implementing their own resolver code. Running multiple DNSSEC implementations on a system seems like an unlikely path to greater security, so it would be good to get this right.
The glibc project has not yet chosen a path by which it intends to get things right, though some sort of annotation in /etc/resolv.conf looks like a likely outcome. Any such change would then have to get into a release; given the conservative nature of glibc development, it may already be late for the 2.23 release, which is likely to happen in February. So higher DNSSEC awareness in glibc may not happen right away, but there is at least some movement in that direction.
---------------------------
via: https://lwn.net/Articles/663474/
作者Jonathan Corbet
译者:[译者ID](https://github.com/译者ID)
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出

View File

@ -1,230 +0,0 @@
Flowsnow translating...
Part 9 - LFCS: Linux Package Management with Yum, RPM, Apt, Dpkg, Aptitude and Zypper
================================================================================
Last August, the Linux Foundation announced the LFCS certification (Linux Foundation Certified Sysadmin), a shiny chance for system administrators everywhere to demonstrate, through a performance-based exam, that they are capable of succeeding at overall operational support for Linux systems. A Linux Foundation Certified Sysadmin has the expertise to ensure effective system support, first-level troubleshooting and monitoring, including finally issue escalation, when needed, to engineering support teams.
![Linux Package Management](http://www.tecmint.com/wp-content/uploads/2014/11/lfcs-Part-9.png)
Linux Foundation Certified Sysadmin Part 9
Watch the following video that explains about the Linux Foundation Certification Program.
youtube 视频
<iframe width="720" height="405" frameborder="0" allowfullscreen="allowfullscreen" src="//www.youtube.com/embed/Y29qZ71Kicg"></iframe>
This article is a Part 9 of 10-tutorial long series, today in this article we will guide you about Linux Package Management, that are required for the LFCS certification exam.
### Package Management ###
In few words, package management is a method of installing and maintaining (which includes updating and probably removing as well) software on the system.
In the early days of Linux, programs were only distributed as source code, along with the required man pages, the necessary configuration files, and more. Nowadays, most Linux distributors use by default pre-built programs or sets of programs called packages, which are presented to users ready for installation on that distribution. However, one of the wonders of Linux is still the possibility to obtain source code of a program to be studied, improved, and compiled.
**How package management systems work**
If a certain package requires a certain resource such as a shared library, or another package, it is said to have a dependency. All modern package management systems provide some method of dependency resolution to ensure that when a package is installed, all of its dependencies are installed as well.
**Packaging Systems**
Almost all the software that is installed on a modern Linux system will be found on the Internet. It can either be provided by the distribution vendor through central repositories (which can contain several thousands of packages, each of which has been specifically built, tested, and maintained for the distribution) or be available in source code that can be downloaded and installed manually.
Because different distribution families use different packaging systems (Debian: *.deb / CentOS: *.rpm / openSUSE: *.rpm built specially for openSUSE), a package intended for one distribution will not be compatible with another distribution. However, most distributions are likely to fall into one of the three distribution families covered by the LFCS certification.
**High and low-level package tools**
In order to perform the task of package management effectively, you need to be aware that you will have two types of available utilities: low-level tools (which handle in the backend the actual installation, upgrade, and removal of package files), and high-level tools (which are in charge of ensuring that the tasks of dependency resolution and metadata searching -”data about the data”- are performed).
注:表格
<table cellspacing="0" border="0">
<colgroup width="200">
</colgroup>
<colgroup width="200">
</colgroup>
<colgroup width="200">
</colgroup>
<tbody>
<tr>
<td bgcolor="#AEA79F" align="CENTER" height="18" style="border: 1px solid #000001;"><b><span style="color: black;">DISTRIBUTION</span></b></td>
<td bgcolor="#AEA79F" align="CENTER" style="border: 1px solid #000001;"><b><span style="color: black;">LOW-LEVEL TOOL</span></b></td>
<td bgcolor="#AEA79F" align="CENTER" style="border: 1px solid #000001;"><b><span style="color: black;">HIGH-LEVEL TOOL</span></b></td>
</tr>
<tr class="alt">
<td bgcolor="#FFFFFF" align="LEFT" height="18" style="border: 1px solid #000001;"><span style="color: black;">&nbsp;Debian and derivatives</span></td>
<td bgcolor="#FFFFFF" align="LEFT" style="border: 1px solid #000001;"><span style="color: black;">&nbsp;dpkg</span></td>
<td bgcolor="#FFFFFF" align="LEFT" style="border: 1px solid #000001;"><span style="color: black;">&nbsp;apt-get / aptitude</span></td>
</tr>
<tr>
<td bgcolor="#FFFFFF" align="LEFT" height="18" style="border: 1px solid #000001;"><span style="color: black;">&nbsp;CentOS</span></td>
<td bgcolor="#FFFFFF" align="LEFT" style="border: 1px solid #000001;"><span style="color: black;">&nbsp;rpm</span></td>
<td bgcolor="#FFFFFF" align="LEFT" style="border: 1px solid #000001;"><span style="color: black;">&nbsp;yum</span></td>
</tr>
<tr class="alt">
<td bgcolor="#FFFFFF" align="LEFT" height="18" style="border: 1px solid #000001;"><span style="color: black;">&nbsp;openSUSE</span></td>
<td bgcolor="#FFFFFF" align="LEFT" style="border: 1px solid #000001;"><span style="color: black;">&nbsp;rpm</span></td>
<td bgcolor="#FFFFFF" align="LEFT" style="border: 1px solid #000001;"><span style="color: black;">&nbsp;zypper</span></td>
</tr>
</tbody>
</table>
Let us see the descrption of the low-level and high-level tools.
dpkg is a low-level package manager for Debian-based systems. It can install, remove, provide information about and build *.deb packages but it cant automatically download and install their corresponding dependencies.
- Read More: [15 dpkg Command Examples][1]
apt-get is a high-level package manager for Debian and derivatives, and provides a simple way to retrieve and install packages, including dependency resolution, from multiple sources using the command line. Unlike dpkg, apt-get does not work directly with *.deb files, but with the package proper name.
- Read More: [25 apt-get Command Examples][2]
aptitude is another high-level package manager for Debian-based systems, and can be used to perform management tasks (installing, upgrading, and removing packages, also handling dependency resolution automatically) in a fast and easy way. It provides the same functionality as apt-get and additional ones, such as offering access to several versions of a package.
rpm is the package management system used by Linux Standard Base (LSB)-compliant distributions for low-level handling of packages. Just like dpkg, it can query, install, verify, upgrade, and remove packages, and is more frequently used by Fedora-based distributions, such as RHEL and CentOS.
- Read More: [20 rpm Command Examples][3]
yum adds the functionality of automatic updates and package management with dependency management to RPM-based systems. As a high-level tool, like apt-get or aptitude, yum works with repositories.
- Read More: [20 yum Command Examples][4]
-
### Common Usage of Low-Level Tools ###
The most frequent tasks that you will do with low level tools are as follows:
**1. Installing a package from a compiled (*.deb or *.rpm) file**
The downside of this installation method is that no dependency resolution is provided. You will most likely choose to install a package from a compiled file when such package is not available in the distributions repositories and therefore cannot be downloaded and installed through a high-level tool. Since low-level tools do not perform dependency resolution, they will exit with an error if we try to install a package with unmet dependencies.
# dpkg -i file.deb [Debian and derivative]
# rpm -i file.rpm [CentOS / openSUSE]
**Note**: Do not attempt to install on CentOS a *.rpm file that was built for openSUSE, or vice-versa!
**2. Upgrading a package from a compiled file**
Again, you will only upgrade an installed package manually when it is not available in the central repositories.
# dpkg -i file.deb [Debian and derivative]
# rpm -U file.rpm [CentOS / openSUSE]
**3. Listing installed packages**
When you first get your hands on an already working system, chances are youll want to know what packages are installed.
# dpkg -l [Debian and derivative]
# rpm -qa [CentOS / openSUSE]
If you want to know whether a specific package is installed, you can pipe the output of the above commands to grep, as explained in [manipulate files in Linux Part 1][6] of this series. Suppose we need to verify if package mysql-common is installed on an Ubuntu system.
# dpkg -l | grep mysql-common
![Check Installed Packages in Linux](http://www.tecmint.com/wp-content/uploads/2014/11/Check-Installed-Package.png)
Check Installed Packages
Another way to determine if a package is installed.
# dpkg --status package_name [Debian and derivative]
# rpm -q package_name [CentOS / openSUSE]
For example, lets find out whether package sysdig is installed on our system.
# rpm -qa | grep sysdig
![Check sysdig Package](http://www.tecmint.com/wp-content/uploads/2014/11/Check-sysdig-Package.png)
Check sysdig Package
**4. Finding out which package installed a file**
# dpkg --search file_name
# rpm -qf file_name
For example, which package installed pw_dict.hwm?
# rpm -qf /usr/share/cracklib/pw_dict.hwm
![Query File in Linux](http://www.tecmint.com/wp-content/uploads/2014/11/Query-File-in-Linux.png)
Query File in Linux
### Common Usage of High-Level Tools ###
The most frequent tasks that you will do with high level tools are as follows.
**1. Searching for a package**
aptitude update will update the list of available packages, and aptitude search will perform the actual search for package_name.
# aptitude update && aptitude search package_name
In the search all option, yum will search for package_name not only in package names, but also in package descriptions.
# yum search package_name
# yum search all package_name
# yum whatprovides “*/package_name”
Lets supposed we need a file whose name is sysdig. To know that package we will have to install, lets run.
# yum whatprovides “*/sysdig”
![Check Package Description in Linux](http://www.tecmint.com/wp-content/uploads/2014/11/Check-Package-Description.png)
Check Package Description
whatprovides tells yum to search the package the will provide a file that matches the above regular expression.
# zypper refresh && zypper search package_name [On openSUSE]
**2. Installing a package from a repository**
While installing a package, you may be prompted to confirm the installation after the package manager has resolved all dependencies. Note that running update or refresh (according to the package manager being used) is not strictly necessary, but keeping installed packages up to date is a good sysadmin practice for security and dependency reasons.
# aptitude update && aptitude install package_name [Debian and derivatives]
# yum update && yum install package_name [CentOS]
# zypper refresh && zypper install package_name [openSUSE]
**3. Removing a package**
The option remove will uninstall the package but leaving configuration files intact, whereas purge will erase every trace of the program from your system.
# aptitude remove / purge package_name
# yum erase package_name
---Notice the minus sign in front of the package that will be uninstalled, openSUSE ---
# zypper remove -package_name
Most (if not all) package managers will prompt you, by default, if youre sure about proceeding with the uninstallation before actually performing it. So read the onscreen messages carefully to avoid running into unnecessary trouble!
**4. Displaying information about a package**
The following command will display information about the birthday package.
# aptitude show birthday
# yum info birthday
# zypper info birthday
![Check Package Information in Linux](http://www.tecmint.com/wp-content/uploads/2014/11/Check-Package-Information.png)
Check Package Information
### Summary ###
Package management is something you just cant sweep under the rug as a system administrator. You should be prepared to use the tools described in this article at a moments notice. Hope you find it useful in your preparation for the LFCS exam and for your daily tasks. Feel free to leave your comments or questions below. We will be more than glad to get back to you as soon as possible.
--------------------------------------------------------------------------------
via: http://www.tecmint.com/linux-package-management/
作者:[Gabriel Cánepa][a]
译者:[译者ID](https://github.com/译者ID)
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创翻译,[Linux中国](https://linux.cn/) 荣誉推出
[a]:http://www.tecmint.com/author/gacanepa/
[1]:http://www.tecmint.com/dpkg-command-examples/
[2]:http://www.tecmint.com/useful-basic-commands-of-apt-get-and-apt-cache-for-package-management/
[3]:http://www.tecmint.com/20-practical-examples-of-rpm-commands-in-linux/
[4]:http://www.tecmint.com/20-linux-yum-yellowdog-updater-modified-commands-for-package-mangement/
[5]:http://www.tecmint.com/sed-command-to-create-edit-and-manipulate-files-in-linux/

View File

@ -0,0 +1,139 @@
如何在 Ubuntu 15.04 / CentOS 7 上安装 Android Studio
================================================================================
随着最近几年智能手机的进步安卓成为了最大的手机平台之一也有很多免费的用于开发安卓应用的工具。Android Studio 是基于 [IntelliJ IDEA][1] 用于开发安卓应用的集成开发环境。它是 Google 2014 年发布的免费开源软件,继 Eclipse 之后成为主要的 IDE。
在这篇文章,我们一起来学习如何在 Ubuntu 15.04 和 CentOS 7 上安装 Android Studio。
### 在 Ubuntu 15.04 上安装 ###
我们可以用两种方式安装 Android Studio。第一种是配置必须的库然后再安装它另一种是从 Android 官方网站下载然后再本地编译安装。在下面的例子中,我们会使用命令行设置库并安装它。在继续下一步之前,我们需要确保我们已经安装了 JDK 1.6 或者更新版本。
这里,我打算安装 JDK 1.8。
$ sudo add-apt-repository ppa:webupd8team/java
$ sudo apt-get update
$ sudo apt-get install oracle-java8-installer oracle-java8-set-default
验证 java 是否安装成功:
poornima@poornima-Lenovo:~$ java -version
现在,设置安装 Android Studio 需要的库
$ sudo apt-add-repository ppa:paolorotolo/android-studio
![Android-Studio-repo](http://blog.linoxide.com/wp-content/uploads/2015/11/Android-studio-repo.png)
$ sudo apt-get update
$ sudo apt-get install android-studio
上面的安装命令会在 /opt 目录下面安装 Android Studio。
现在,运行下面的命令启动安装窗口:
$ /opt/android-studio/bin/studio.sh
这会激活安装窗口。下面的截图展示了安装 Android Studio 的过程。
![安装 Android Studio](http://blog.linoxide.com/wp-content/uploads/2015/11/Studio-setup.png)
![安装类型](http://blog.linoxide.com/wp-content/uploads/2015/11/Install-type.png)
![设置模拟器](http://blog.linoxide.com/wp-content/uploads/2015/11/Emulator-settings.png)
你点击了 Finish 按钮之后,就会显示同意协议页面。当你接受协议之后,它就开始下载需要的组件。
![下载组件](http://blog.linoxide.com/wp-content/uploads/2015/11/Download.png)
这一步之后就完成了 Android Studio 的安装。当你重启 Android Studio 时,你会看到下面的欢迎界面,从这里你可以开始用 Android Studio 工作了。
![欢迎界面](http://blog.linoxide.com/wp-content/uploads/2015/11/Welcome-screen.png)
### 在 CentOS 7 上安装 ###
现在再让我们来看看如何在 CentOS 7 上安装 Android Studio。这里你同样需要安装 JDK 1.6 或者更新版本。如果你不是 root 用户,记得在命令前面使用 sudo。你可以下载[最新版本][2]的 JDK。如果你已经安装了一个比较旧的版本在安装新的版本之前你需要先卸载旧版本。在下面的例子中我会通过下载需要的 rpm 包安装 JDK 1.8.0_65。
[root@li1260-39 ~]# rpm -ivh jdk-8u65-linux-x64.rpm
Preparing... ################################# [100%]
Updating / installing...
1:jdk1.8.0_65-2000:1.8.0_65-fcs ################################# [100%]
Unpacking JAR files...
tools.jar...
plugin.jar...
javaws.jar...
deploy.jar...
rt.jar...
jsse.jar...
charsets.jar...
localedata.jar...
jfxrt.jar...
如果没有正确设置 Java 路径,你会看到错误信息。因此,设置正确的路径:
export JAVA_HOME=/usr/java/jdk1.8.0_25/
export PATH=$PATH:$JAVA_HOME
检查是否安装了正确的版本:
[root@li1260-39 ~]# java -version
java version "1.8.0_65"
Java(TM) SE Runtime Environment (build 1.8.0_65-b17)
Java HotSpot(TM) 64-Bit Server VM (build 25.65-b01, mixed mode)
如果你安装 Android Studio 的时候看到任何类似 “unable-to-run-mksdcard-sdk-tool:” 的错误信息,你可能要在 CentOS 7 64 位系统中安装以下软件包:
glibc.i686
glibc-devel.i686
libstdc++.i686
zlib-devel.i686
ncurses-devel.i686
libX11-devel.i686
libXrender.i686
libXrandr.i686
通过从 [Android 网站][3] 下载 IDE 文件然后解压安装 studio 也是一样的。
[root@li1260-39 tmp]# unzip android-studio-ide-141.2343393-linux.zip
移动 android-studio 目录到 /opt 目录
[root@li1260-39 tmp]# mv /tmp/android-studio/ /opt/
需要的话你可以创建一个到 studio 可执行文件的符号链接用于快速启动。
[root@li1260-39 tmp]# ln -s /opt/android-studio/bin/studio.sh /usr/local/bin/android-studio
现在在终端中启动 studio
[root@localhost ~]#studio
之后用于完成安装的截图和前面 Ubuntu 安装过程中的是一样的。安装完成后,你就可以开始开发你自己的 Android 应用了。
### 总结 ###
虽然发布不到一年,但是 Android Studio 已经替代 Eclipse 成为了安装开发最主要的 IDE。它是唯一一个能支持之后 Google 提供的 Android SDKs 和其它 Android 特性的官方 IDE 工具。那么,你还在等什么呢?赶快安装 Android Studio 然后体验开发安装应用的乐趣吧。
--------------------------------------------------------------------------------
via: http://linoxide.com/tools/install-android-studio-ubuntu-15-04-centos-7/
作者:[B N Poornima][a]
译者:[ictlyh](http://mutouxiaogui.cn/blog/)
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
[a]:http://linoxide.com/author/bnpoornima/
[1]:https://www.jetbrains.com/idea/
[2]:http://www.oracle.com/technetwork/java/javase/downloads/jdk8-downloads-2133151.html
[3]:http://developer.android.com/sdk/index.html

View File

@ -1,24 +1,28 @@
translation by strugglingyouth
Linux and Unix Port Scanning With netcat [nc] Command 使用 netcat [nc] 命令对 Linux 和 Unix 进行端口扫描
================================================================================ ================================================================================
How do I find out which ports are opened on my own server? How do I run port scanning using the nc command instead of [the nmap command on a Linux or Unix-like][1] systems?
The nmap (“Network Mapper”) is an open source tool for network exploration and security auditing. If nmap is not installed and you do not wish to use all of nmap options you can use netcat/nc command for scanning ports. This may useful to know which ports are open and running services on a target machine. You can use [nmap command for port scanning][2] too. 我如何在自己的服务器上找出哪些端口是开放的?如何使用 nc 命令进行端口扫描来替换 [Linux 或 类 Unix 中的 nmap 命令][1]
### How do I use nc to scan Linux, UNIX and Windows server port scanning? ### nmap (“Network Mapper”)是一个开源工具用于网络探测和安全审核。如果 nmap 没有安装或者你不希望使用 nmap那你可以用 netcat/nc 命令进行端口扫描。它对于查看目标计算机上哪些端口是开放的或者运行着服务是非常有用的。你也可以使用 [nmap 命令进行端口扫描][2] 。
### 如何使用 nc 来扫描 LinuxUNIX 和 Windows 服务器的端口呢? ###
If nmap is not installed try nc / netcat command as follow. The -z flag can be used to tell nc to report open ports, rather than initiate a connection. Run nc command with -z flag. You need to specify host name / ip along with the port range to limit and speedup operation: If nmap is not installed try nc / netcat command as follow. The -z flag can be used to tell nc to report open ports, rather than initiate a connection. Run nc command with -z flag. You need to specify host name / ip along with the port range to limit and speedup operation:
## syntax ##
如果未安装 nmap如下所示试试 nc/netcat 命令。-z 参数用来告诉 nc 报告开放的端口,而不是启动连接。在 nc 命令中使用 -z 参数时,你需要在主机名/ip 后面指定端口的范围来限制和加速其运行:
## 语法 ##
nc -z -v {host-name-here} {port-range-here} nc -z -v {host-name-here} {port-range-here}
nc -z -v host-name-here ssh nc -z -v host-name-here ssh
nc -z -v host-name-here 22 nc -z -v host-name-here 22
nc -w 1 -z -v server-name-here port-Number-her nc -w 1 -z -v server-name-here port-Number-her
## scan 1 to 1023 ports ## ## 扫描 1 to 1023 端口 ##
nc -zv vip-1.vsnl.nixcraft.in 1-1023 nc -zv vip-1.vsnl.nixcraft.in 1-1023
Sample outputs: 输出示例:
Connection to localhost 25 port [tcp/smtp] succeeded! Connection to localhost 25 port [tcp/smtp] succeeded!
Connection to vip-1.vsnl.nixcraft.in 25 port [tcp/smtp] succeeded! Connection to vip-1.vsnl.nixcraft.in 25 port [tcp/smtp] succeeded!
@ -29,7 +33,7 @@ Sample outputs:
Connection to vip-1.vsnl.nixcraft.in 904 port [tcp/vmware-authd] succeeded! Connection to vip-1.vsnl.nixcraft.in 904 port [tcp/vmware-authd] succeeded!
Connection to vip-1.vsnl.nixcraft.in 993 port [tcp/imaps] succeeded! Connection to vip-1.vsnl.nixcraft.in 993 port [tcp/imaps] succeeded!
You can scan individual port too: 你也可以扫描单个端口:
nc -zv v.txvip1 443 nc -zv v.txvip1 443
nc -zv v.txvip1 80 nc -zv v.txvip1 80
@ -41,20 +45,18 @@ You can scan individual port too:
## really fast scanner with 1 timeout value ## ## really fast scanner with 1 timeout value ##
netcat -v -z -n -w 1 v.txvip1 1-1023 netcat -v -z -n -w 1 v.txvip1 1-1023
Sample outputs: 输出示例:
![Fig.01: Linux/Unix: Use Netcat to Establish and Test TCP and UDP Connections on a Server](http://s0.cyberciti.org/uploads/faq/2007/07/scan-with-nc.jpg) ![Fig.01: Linux/Unix: Use Netcat to Establish and Test TCP and UDP Connections on a Server](http://s0.cyberciti.org/uploads/faq/2007/07/scan-with-nc.jpg)
Fig.01: Linux/Unix: Use Netcat to Establish and Test TCP and UDP Connections on a Server 图01Linux/Unix使用 Netcat 来测试 TCP 和 UDP 与服务器建立连接,
Where, 1. -z : 端口扫描模式即 I/O 模式。
1. -v : 显示详细信息 [使用 -vv 来输出更详细的信息]。
1. -n : 使用纯数字 IP 地址,即不用 DNS 来解析 IP 地址。
1. -w 1 : 设置超时值设置为1。
1. -z : Port scanning mode i.e. zero I/O mode. 更多例子:
1. -v : Be verbose [use twice -vv to be more verbose].
1. -n : Use numeric-only IP addresses i.e. do not use DNS to resolve ip addresses.
1. -w 1 : Set time out value to 1.
More examples:
$ netcat -z -vv www.cyberciti.biz http $ netcat -z -vv www.cyberciti.biz http
www.cyberciti.biz [75.126.153.206] 80 (http) open www.cyberciti.biz [75.126.153.206] 80 (http) open
@ -75,17 +77,17 @@ More examples:
(UNKNOWN) [192.168.1.254] 443 (https) open (UNKNOWN) [192.168.1.254] 443 (https) open
(UNKNOWN) [192.168.1.254] 53 (domain) open (UNKNOWN) [192.168.1.254] 53 (domain) open
See also 也可以看看
- [Scanning network for open ports with the nmap command][3] for more info. - [使用 nmap 命令扫描网络中开放的端口][3]。
- Man pages - [nc(1)][4], [nmap(1)][5] - 手册页 - [nc(1)][4], [nmap(1)][5]
-------------------------------------------------------------------------------- --------------------------------------------------------------------------------
via: http://www.cyberciti.biz/faq/linux-port-scanning/ via: http://www.cyberciti.biz/faq/linux-port-scanning/
作者Vivek Gite 作者Vivek Gite
译者:[译者ID](https://github.com/译者ID) 译者:[strugglingyouth](https://github.com/strugglingyouth)
校对:[校对者ID](https://github.com/校对者ID) 校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出 本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出

View File

@ -0,0 +1,60 @@
如何在CentOS 6/7 上移除被Fail2ban禁止的IP
================================================================================
![](http://www.ehowstuff.com/wp-content/uploads/2015/12/security-265130_1280.jpg)
[Fail2ban][1]是一款用于保护你的服务器免于暴力攻击的入侵保护软件。Fail2ban用python写成并被广泛用户大多数服务器上。Fail2ban将扫描日志文件和IP黑名单来显示恶意软件、过多的密码失败、web服务器利用、Wordpress插件攻击和其他漏洞。如果你已经安装并使用了fail2ban来保护你的web服务器你也许会想知道如何在CentOS 6、CentOS 7、RHEL 6、RHEL 7 和 Oracle Linux 6/7中找到被Fail2ban阻止的IP或者你想将ip从fail2ban监狱中移除。
### 如何列出被禁止的IP ###
要查看所有被禁止的ip地址运行下面的命令
# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
f2b-AccessForbidden tcp -- anywhere anywhere tcp dpt:http
f2b-WPLogin tcp -- anywhere anywhere tcp dpt:http
f2b-ConnLimit tcp -- anywhere anywhere tcp dpt:http
f2b-ReqLimit tcp -- anywhere anywhere tcp dpt:http
f2b-NoAuthFailures tcp -- anywhere anywhere tcp dpt:http
f2b-SSH tcp -- anywhere anywhere tcp dpt:ssh
f2b-php-url-open tcp -- anywhere anywhere tcp dpt:http
f2b-nginx-http-auth tcp -- anywhere anywhere multiport dports http,https
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:EtherNet/IP-1
ACCEPT tcp -- anywhere anywhere tcp dpt:http
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain f2b-NoAuthFailures (1 references)
target prot opt source destination
REJECT all -- 64.68.50.128 anywhere reject-with icmp-port-unreachable
REJECT all -- 104.194.26.205 anywhere reject-with icmp-port-unreachable
RETURN all -- anywhere anywhere
### 如何从Fail2ban中移除IP ###
# iptables -D f2b-NoAuthFailures -s banned_ip -j REJECT
我希望这篇教程可以给你在CentOS 6、CentOS 7、RHEL 6、RHEL 7 和 Oracle Linux 6/7中移除被禁止的ip一些指导。
--------------------------------------------------------------------------------
via: http://www.ehowstuff.com/how-to-remove-banned-ip-from-fail2ban-on-centos/
作者:[skytech][a]
译者:[译者ID](https://github.com/译者ID)
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
[a]:http://www.ehowstuff.com/author/skytech/
[1]:http://www.fail2ban.org/wiki/index.php/Main_Page

View File

@ -0,0 +1,230 @@
Flowsnow translating...
LFCS系列第九讲: 使用Yum RPM Apt Dpkg Aptitude Zypper进行Linux包管理
================================================================================
去年八月, Linux基金会宣布了一个全新的LFCSLinux Foundation Certified SysadminLinux基金会认证系统管理员认证计划这对广大系统管理员来说是一个很好的机会管理员们可以通过绩效考试来表明自己可以成功支持Linux系统的整体运营。 当需要的时候一个Linux基金会认证的系统管理员有足够的专业知识来确保系统高效运行提供第一手的故障诊断和监视并且为工程师团队在问题升级时提供智能决策。
![Linux Package Management](http://www.tecmint.com/wp-content/uploads/2014/11/lfcs-Part-9.png)
Linux基金会认证系统管理员 第九讲
请观看下面关于Linux基金会认证计划的演示。
youtube 视频
<iframe width="720" height="405" frameborder="0" allowfullscreen="allowfullscreen" src="http://www.youtube.com/embed/Y29qZ71Kicg"></iframe>
本文是本系列十套教程中的第九讲今天在这篇文章中我们会引导你学习Linux包管理这也是LFCS认证考试所需要的。
### 包管理 ###
简单的说,包管理是系统中安装和维护软件的一种方法,其中维护也包含更新和卸载。
在Linux早期程序只以源代码的方式发行还带有所需的用户使用手册和必备的配置文件甚至更多。现如今大多数发行商使用默认的预装程序或者被称为包的程序集合。用户使用这些预装程序或者包来安装该发行版本。然而Linux最伟大的一点是我们仍然能够获得程序的源代码用来学习、改进和编译。
**包管理系统是如何工作的**
如果某一个包需要一定的资源,如共享库,或者需要另一个包,据说就会存在依赖性问题。所有现在的包管理系统提供了一些解决依赖性的方法,以确保当安装一个包时,相关的依赖包也安装好了
**打包系统**
几乎所有安装在现代Linux系统上的软件都会在互联网上找到。它要么能够通过中央库中央库能包含几千个包每个包都已经构建、测试并且维护好了发行商得到要么能够直接得到可以下载和手动安装的源代码。
由于不同的发行版使用不同的打包系统Debian的*.deb文件/ CentOS的*.rpm文件/ openSUSE的专门为openSUSE构建的*.rpm文件因此为一个发行版本开发的包会与其他发行版本不兼容。然而大多数发行版本都可能是LFCS认证的三个发行版本之一。
**高级和低级打包工具**
为了有效地进行包管理的任务,你需要知道,你将有两种类型的实用工具:低级工具(能在后端实际安装,升级,卸载包文件),以及高级工具(负责确保能很好的执行依赖性解决和元数据检索的任务,元数据也称为关于数据的数据)。
注:表格
<table cellspacing="0" border="0">
<colgroup width="200">
</colgroup>
<colgroup width="200">
</colgroup>
<colgroup width="200">
</colgroup>
<tbody>
<tr>
<td bgcolor="#AEA79F" align="CENTER" height="18" style="border: 1px solid #000001;"><b><span style="color: black;">发行版</span></b></td>
<td bgcolor="#AEA79F" align="CENTER" style="border: 1px solid #000001;"><b><span style="color: black;">低级工具</span></b></td>
<td bgcolor="#AEA79F" align="CENTER" style="border: 1px solid #000001;"><b><span style="color: black;">高级工具</span></b></td>
</tr>
<tr class="alt">
<td bgcolor="#FFFFFF" align="LEFT" height="18" style="border: 1px solid #000001;"><span style="color: black;">&nbsp;Debian版及其衍生版</span></td>
<td bgcolor="#FFFFFF" align="LEFT" style="border: 1px solid #000001;"><span style="color: black;">&nbsp;dpkg</span></td>
<td bgcolor="#FFFFFF" align="LEFT" style="border: 1px solid #000001;"><span style="color: black;">&nbsp;apt-get / aptitude</span></td>
</tr>
<tr>
<td bgcolor="#FFFFFF" align="LEFT" height="18" style="border: 1px solid #000001;"><span style="color: black;">&nbsp;CentOS版</span></td>
<td bgcolor="#FFFFFF" align="LEFT" style="border: 1px solid #000001;"><span style="color: black;">&nbsp;rpm</span></td>
<td bgcolor="#FFFFFF" align="LEFT" style="border: 1px solid #000001;"><span style="color: black;">&nbsp;yum</span></td>
</tr>
<tr class="alt">
<td bgcolor="#FFFFFF" align="LEFT" height="18" style="border: 1px solid #000001;"><span style="color: black;">&nbsp;openSUSE版</span></td>
<td bgcolor="#FFFFFF" align="LEFT" style="border: 1px solid #000001;"><span style="color: black;">&nbsp;rpm</span></td>
<td bgcolor="#FFFFFF" align="LEFT" style="border: 1px solid #000001;"><span style="color: black;">&nbsp;zypper</span></td>
</tr>
</tbody>
</table>
让我们来看下低级工具和高级工具的描述。
dpkg的是基于Debian系统中的一个低级包管理器。它可以安装删除提供有关资料并建立*.deb包但它不能自动下载并安装它们相应的依赖包。
- 阅读更多: [15个dpkg命令实例][1]
apt-get是Debian和衍生版的高级包管理器并提供命令行方式从多个来源检索和安装软件包其中包括解决依赖性。和dpkg不同的是apt-get不是直接基于.deb文件工作而是基于包的正确名称。
- 阅读更多: [25个apt-get命令实力][2]
Aptitude是基于Debian的系统的另一个高级包管理器它可用于快速简便的执行管理任务安装升级和删除软件包还可以自动处理解决依赖性。与atp-get和额外的包管理器相比它提供了相同的功能例如提供对包的几个版本的访问。
rpm是Linux标准基础LSB兼容发布版使用的一种包管理器用来对包进行低级处理。就像dpkgrpm可以查询安装检验升级和卸载软件包并能被基于Fedora的系统频繁地使用比如RHEL和CentOS。
- 阅读更多: [20个rpm命令实例][3]
相对于基于RPM的系统yum增加了系统自动更新的功能和带依赖性管理的包管理功能。作为一个高级工具和apt-get或者aptitude相似yum基于库工作。
- 阅读更多: [20个yum命令实例][4]
-
### 低级工具的常见用法 ###
你用低级工具处理最常见的任务如下。
**1. 从已编译(*.deb或*.rpm的文件安装一个包**
这种安装方法的缺点是没有提供解决依赖性的方案。当你在发行版本库中无法获得某个包并且又不能通过高级工具下载安装时,你很可能会从一个已编译文件安装该包。因为低级工具不需要解决依赖性问题,所以当安装一个没有解决依赖性的包时会出现出错并且退出。
# dpkg -i file.deb [Debian版和衍生版]
# rpm -i file.rpm [CentOS版 / openSUSE版]
**注意** 不要试图在CentOS中安装一个为openSUSE构建的.rpm文件反之亦然
**2. 从已编译文件中更新一个包**
同样,当中央库中没有某安装包时,你只能手动升级该包。
# dpkg -i file.deb [Debian版和衍生版]
# rpm -U file.rpm [CentOS版 / openSUSE版]
**3. 列举安装的包**
当你第一次接触一个已经在工作中的系统时,很可能你会想知道安装了哪些包。
# dpkg -l [Debian版和衍生版]
# rpm -qa [CentOS版 / openSUSE版]
如果你想知道一个特定的包安装在哪儿, 你可以使用管道命令从以上命令的输出中去搜索,这在这个系列的[操作Linux文件 第一讲][5] 中有介绍。假定我们需要验证mysql-common这个包是否安装在Ubuntu系统中。
# dpkg -l | grep mysql-common
![Check Installed Packages in Linux](http://www.tecmint.com/wp-content/uploads/2014/11/Check-Installed-Package.png)
检查安装的包
另外一种方式来判断一个包是否已安装。
# dpkg --status package_name [Debian版和衍生版]
# rpm -q package_name [CentOS版 / openSUSE版]
例如让我们找出sysdig包是否安装在我们的系统。
# rpm -qa | grep sysdig
![Check sysdig Package](http://www.tecmint.com/wp-content/uploads/2014/11/Check-sysdig-Package.png)
检查sysdig包
**4. 查询一个文件是由那个包安装的**
# dpkg --search file_name
# rpm -qf file_name
例如pw_dict.hwm文件是由那个包安装的
# rpm -qf /usr/share/cracklib/pw_dict.hwm
![Query File in Linux](http://www.tecmint.com/wp-content/uploads/2014/11/Query-File-in-Linux.png)
Linux中查询文件
### 高级工具的常见用法 ###
你用高级工具处理最常见的任务如下。
**1. 搜索包**
aptitude更新将会更新可用的软件包列表并且aptitude搜索会根据包名进行实际性的搜索。
# aptitude update && aptitude search package_name
在搜索所有选项中yum不仅可以通过包名还可以通过包的描述搜索程序包。
# yum search package_name
# yum search all package_name
# yum whatprovides “*/package_name”
假定我们需要一个名为sysdig的包要知道的是我们需要先安装然后才能运行。
# yum whatprovides “*/sysdig”
![Check Package Description in Linux](http://www.tecmint.com/wp-content/uploads/2014/11/Check-Package-Description.png)
检查包描述
whatprovides告诉yum搜索一个含有能够匹配上述正则表达式的文件的包。
# zypper refresh && zypper search package_name [在openSUSE上]
**2. 从仓库安装一个包**
当安装一个包时,在包管理器解决了所有依赖性问题后,可能会提醒你确认安装。需要注意的是运行更新或刷新(根据所使用的软件包管理器)不是绝对必要,但是考虑到安全性和依赖性的原因,保持安装的软件包是最新的是一个好的系统管理员的做法。
# aptitude update && aptitude install package_name [Debian版和衍生版]
# yum update && yum install package_name [CentOS版]
# zypper refresh && zypper install package_name [openSUSE版]
**3. 卸载包**
按选项卸载将会卸载软件包,但把配置文件保留完好,然而清除包从系统中完全删去该程序。
# aptitude remove / purge package_name
# yum erase package_name
---注意要卸载的openSUSE包前面的减号 ---
# zypper remove -package_name
在默认情况下,大部分(如果不是全部)的包管理器会提示你,在你实际卸载之前你是否确定要继续卸载。所以,请仔细阅读屏幕上的信息,以避免陷入不必要的麻烦!
**4. 显示包的信息**
下面的命令将会显示birthday这个包的信息。
# aptitude show birthday
# yum info birthday
# zypper info birthday
![Check Package Information in Linux](http://www.tecmint.com/wp-content/uploads/2014/11/Check-Package-Information.png)
检查包信息
### 总结 ###
作为一个系统管理员包管理器是你不能回避的东西。你应该立即准备使用本文中介绍的这些工具。希望你在准备LFCS考试和日常工作中会觉得这些工具好用。欢迎在下面留下您的意见或问题我们将尽可能快的回复你。
--------------------------------------------------------------------------------
via http://www.tecmint.com/linux-package-management/
作者:[Gabriel Cánepa][a]
译者:[Flowsnow](https://github.com/Flowsnow)
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创翻译,[Linux中国](https://linux.cn/) 荣誉推出
[a]:http://www.tecmint.com/author/gacanepa/
[1]:http://www.tecmint.com/dpkg-command-examples/
[2]:http://www.tecmint.com/useful-basic-commands-of-apt-get-and-apt-cache-for-package-management/
[3]:http://www.tecmint.com/20-practical-examples-of-rpm-commands-in-linux/
[4]:http://www.tecmint.com/20-linux-yum-yellowdog-updater-modified-commands-for-package-mangement/
[5]:http://www.tecmint.com/sed-command-to-create-edit-and-manipulate-files-in-linux/