Merge remote-tracking branch 'LCTT/master'

2024-12-26 21:30:55 +08:00 · 2019-10-29 23:58:29 +08:00 · 2019-10-29 23:58:29 +08:00 · 5260fa63de
commit 5260fa63de
parent e3e0258267 0b3d3005be
9 changed files with 727 additions and 282 deletions
--- a/translated/tech/20191021
+++ b/translated/tech/20191021
@ -1,8 +1,8 @@
 [#]: collector: (lujun9972)
 [#]: translator: (wxy)
-[#]: reviewer: ( )
+[#]: reviewer: (wxy)
-[#]: publisher: ( )
+[#]: publisher: (wxy)
-[#]: url: ( )
+[#]: url: (https://linux.cn/article-11513-1.html)
 [#]: subject: (Transition to Nftables)
 [#]: via: (https://opensourceforu.com/2019/10/transition-to-nftables/)
 [#]: author: (Vijay Marcel D https://opensourceforu.com/author/vijay-marcel/)
@ -10,11 +10,13 @@
 过渡到 nftables
 ======
-![][2]
+![](https://img.linux.net.cn/data/attachment/album/201910/29/085827o8b7rbswjjr7ijsr.jpg)
-> 开源世界中的每个主要发行版都正在演进，而将 nftables 作为默认防火墙。换言之，古老的 iptables 现在已经消亡。本文是有关如何构建 nftables 的教程。
+> 开源世界中的每个主要发行版都在演进，逐渐将 nftables 作为了默认防火墙。换言之，古老的 iptables 现在已经消亡。本文是有关如何构建 nftables 的教程。
-当前，有一个与 nftables 兼容的 iptables-nft 后端，但是很快，即使是它也不再提供了。另外，正如 Red Hat 开发人员所指出的那样，有时它可能会错误地转换规则。我们需要知道如何构建自己的 nftables，而不是依赖于 iptables 到 nftables 的转换器。在 nftables 中，所有地址族都遵循一个规则。与 iptables 不同，nftables 在用户空间中运行，iptables 中的每个模块都运行在内核（空间）中。它很少需要更新内核，并具有一些新功能，例如映射，地址族和字典。
+当前，有一个与 nftables 兼容的 iptables-nft 后端，但是很快，即使是它也不再提供了。另外，正如 Red Hat 开发人员所指出的那样，有时它可能会错误地转换规则。我们需要知道如何构建自己的 nftables，而不是依赖于 iptables 到 nftables 的转换器。
 在 nftables 中，所有地址族都遵循一个规则。与 iptables 不同，nftables 在用户空间中运行，iptables 中的每个模块都运行在内核（空间）中。它很少需要更新内核，并带有一些新功能，例如映射、地址族和字典。
 ### 地址族
@ -27,13 +29,15 @@
 * bridge
 * netdev
-在 nftables 中，ipv4 和 ipv6 协议被合并为一个称为 inet 的单一地址族。因此，我们不需要指定两个规则：一个用于 ipv4，另一个用于 ipv6。如果未指定地址族，它将默认为 ip 协议，即 ipv4。我们感兴趣的领域是 inet 系列，因为大多数家庭用户将使用 ipv4 或 ipv6 协议。
+在 nftables 中，ipv4 和 ipv6 协议可以被合并为一个称为 inet 的单一地址族。因此，我们不需要指定两个规则：一个用于 ipv4，另一个用于 ipv6。如果未指定地址族，它将默认为 ip 协议，即 ipv4。我们感兴趣的领域是 inet 地址族，因为大多数家庭用户将使用 ipv4 或 ipv6 协议。
 ### nftables
 典型的 nftables 规则包含三个部分：表、链和规则。
-表是链和规则的容器。它们由其地址族和名称来标识。链包含 inet/arp/bridge/netdev 等协议所需的规则，并具有三种类型：过滤器、NAT 和路由。nftables 规则可以从脚本加载，也可以在终端键入，然后另存为规则集。对于家庭用户，默认链为过滤器。inet 系列包含以下钩子：
+表是链和规则的容器。它们由其地址族和名称来标识。链包含 inet/arp/bridge/netdev 等协议所需的规则，并具有三种类型：过滤器、NAT 和路由。nftables 规则可以从脚本加载，也可以在终端键入，然后另存为规则集。
 对于家庭用户，默认链为过滤器。inet 系列包含以下钩子：
 * Input
 * Output
@ -43,16 +47,16 @@
 ### 使用脚本还是不用？
-最大的问题之一是我们是否可以使用防火墙脚本。答案是：这是你自己的选择。这里有一些建议：如果防火墙中有数百条规则，那么最好使用脚本，但是如果你是典型的家庭用户，则可以在终端中键入命令，然后加载规则集。每种选择都有其自身的优缺点。在本文中，我们将在终端中键入它们以构建防火墙。
+最大的问题之一是我们是否可以使用防火墙脚本。答案是：这是你自己的选择。这里有一些建议：如果防火墙中有数百条规则，那么最好使用脚本，但是如果你是典型的家庭用户，则可以在终端中键入命令，然后（保存并在重启时）加载规则集。每种选择都有其自身的优缺点。在本文中，我们将在终端中键入它们以构建防火墙。
-nftables 使用一个名为 `nft` 的程序来添加、创建、列出、删除和加载规则。确保使用以下命令将 nftables 与 conntrackd 和 netfilter-persistent 一起安装，并删除 iptables：
+nftables 使用一个名为 `nft` 的程序来添加、创建、列出、删除和加载规则。确保使用以下命令将 nftables 与 conntrackd 和 netfilter-persistent 软件包一起安装，并删除 iptables：
 ```
 apt-get install nftables conntrackd netfilter-persistent
 apt-get purge iptables
 ```
-`nft` 需要以 root 身份运行或使用 sudo 运行。使用以下命令分别列出、刷新、删除规则集和加载脚本。
+`nft` 需要以 root 身份运行或使用 `sudo` 运行。使用以下命令分别列出、刷新、删除规则集和加载脚本。
 ```
 nft list ruleset
@ -63,7 +67,7 @@ nft delete table inet filter
 ### 输入策略
-就像 iptables 一样，防火墙将包含三部分：输入（`input`）、转发（`forward`）和输出（`output`）。在终端中，为“输入（`input`）”防火墙键入以下命令。在开始之前，请确保已刷新规则集。我们的默认政策将会删除所有内容。我们将在防火墙中使用 inet 地址族。将以下规则以 root 身份添加或使用 `sudo` 运行：
+就像 iptables 一样，防火墙将包含三部分：输入（`input`）、转发（`forward`）和输出（`output`）。在终端中，为输入（`input`）策略键入以下命令。在开始之前，请确保已刷新规则集。我们的默认策略将会删除所有内容。我们将在防火墙中使用 inet 地址族。将以下规则以 root 身份添加或使用 `sudo` 运行：
 ```
 nft add table inet filter
@ -78,7 +82,7 @@ nft add chain inet filter input { type filter hook input priority 0 \; counter \
 ip link show
 ```
-它将显示已安装的网络接口，一个本地主机、另一个以太网端口或无线端口。以太网端口的名称如下所示：`enpXsY`，其中 `X` 和 `Y` 是数字，无线端口也是如此。我们必须允许本地主机，并且仅允许从互联网建立的传入连接。
+它将显示已安装的网络接口，一个是本地主机、另一个是以太网端口或无线端口。以太网端口的名称如下所示：`enpXsY`，其中 `X` 和 `Y` 是数字，无线端口也是如此。我们必须允许本地主机的流量，并且仅允许从互联网建立的传入连接。
 nftables 具有一项称为裁决语句的功能，用于解析规则。裁决语句为 `accept`、`drop`、`queue`、`jump`、`goto`、`continue` 和 `return`。由于这是一个很简单的防火墙，因此我们将使用 `accept` 或 `drop` 处理数据包。
@ -102,7 +106,7 @@ nft add rule inet filter input iifname enpXsY tcp flags \& \(ack\|urg\) == urg d
 ### 关于 ICMP 的警告
-互联网控制消息协议（ICMP）是一种诊断工具，因此不应完全丢弃该流量。完全阻止 ICMP 的任何尝试都是不明智的，因为它还会停止向我们提供错误消息。仅启用最重要的控制消息，例如回声请求、回声应答、目的地不可达和超时等消息，并拒绝其余消息。回声请求和回声应答是 `ping` 的一部分。在输入策略中，我们仅允许回声应答、而在输出策略中，我们仅允许回声请求。
+互联网控制消息协议（ICMP）是一种诊断工具，因此不应完全丢弃该流量。完全阻止 ICMP 的任何尝试都是不明智的，因为它还会导致停止向我们提供错误消息。仅启用最重要的控制消息，例如回声请求、回声应答、目的地不可达和超时等消息，并拒绝其余消息。回声请求和回声应答是 `ping` 的一部分。在输入策略中，我们仅允许回声应答、而在输出策略中，我们仅允许回声请求。
 ```
 nft add rule inet filter input iifname enpXsY icmp type { echo-reply, destination-unreachable, time-exceeded } limit rate 1/second accept
@ -143,13 +147,13 @@ nft add rule inet filter output oifname enpXsY ct state invalid drop
 sudo nft list ruleset. > /etc/nftables.conf
 ```
-我们必须在引导时加载 nftables，这将在 systemd 中启用 nftables 服务：
+我们须在引导时加载 nftables，以下将在 systemd 中启用 nftables 服务：
 ```
 sudo systemctl enable nftables
 ```
-接下来，编辑 nftables 单元文件以删除 `Execstop` 选项，以避免在每次引导时刷新规则集。该文件通常位于 `/etc/systemd/system/sysinit.target.wants/nftables.service` 中。现在重新启动nftables：
+接下来，编辑 nftables 单元文件以删除 `Execstop` 选项，以避免在每次引导时刷新规则集。该文件通常位于 `/etc/systemd/system/sysinit.target.wants/nftables.service`。现在重新启动nftables：
 ```
 sudo systemctl restart nftables
@ -157,12 +161,11 @@ sudo systemctl restart nftables
 ### 在 rsyslog 中记录日志
-当你记录丢弃的数据包时，它们直接进入 syslog，这使得读取日志文件非常困难。最好将防火墙日志重定向到单独的文件。在 `/var/log` 目录中创建一个名为 `nftables` 的目录，并在其中创建两个名为 `input.log` 和 `output.log` 的文件，分别存储输入和输出日志。确保系统中已安装 rsyslog。现在转到 `/etc/rsyslog.d` 并创建一个名为 `nftables.conf` 的文件，其内容如下：
+当你记录丢弃的数据包时，它们直接进入 syslog，这使得读取该日志文件非常困难。最好将防火墙日志重定向到单独的文件。在 `/var/log` 目录中创建一个名为 `nftables` 的目录，并在其中创建两个名为 `input.log` 和 `output.log` 的文件，分别存储输入和输出日志。确保系统中已安装 rsyslog。现在转到 `/etc/rsyslog.d` 并创建一个名为 `nftables.conf` 的文件，其内容如下：
 ```
 :msg,regex,”Invalid-Input: “ -/var/log/nftables/Input.log
-:msg,regex,”Invalid-Output: “ -/var/log/nftables/Output.log
+:msg,regex,”Invalid-Output: “ -/var/log/nftables/Output.log & stop
 & stop
 ```
 现在，我们必须确保日志是可管理的。为此，使用以下代码在 `/etc/logrotate.d` 中创建另一个名为 `nftables` 的文件：
@ -180,7 +183,7 @@ via: https://opensourceforu.com/2019/10/transition-to-nftables/
 作者：[Vijay Marcel D][a]
 选题：[lujun9972][b]
 译者：[wxy](https://github.com/wxy)
-校对：[校对者ID](https://github.com/校对者ID)
+校对：[wxy](https://github.com/wxy)
 本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译，[Linux中国](https://linux.cn/) 荣誉推出
--- a/published/20191023
+++ b/published/20191023
@ -0,0 +1,106 @@
 [#]: collector: (lujun9972)
 [#]: translator: (geekpi)
 [#]: reviewer: (wxy)
 [#]: publisher: (wxy)
 [#]: url: (https://linux.cn/article-11515-1.html)
 [#]: subject: (Using SSH port forwarding on Fedora)
 [#]: via: (https://fedoramagazine.org/using-ssh-port-forwarding-on-fedora/)
 [#]: author: (Paul W. Frields https://fedoramagazine.org/author/pfrields/)
 在 Fedora 上使用 SSH 端口转发
 ======
 ![](https://img.linux.net.cn/data/attachment/album/201910/29/123804dql3aqqlghza9txt.jpg)
 你可能已经熟悉使用 [ssh 命令][2]访问远程系统。`ssh` 命令背后所使用的协议允许终端的输入和输出流经[安全通道][3]。但是你知道也可以使用 `ssh` 来安全地发送和接收其他数据吗？一种方法是使用“<ruby>端口转发<rt>port forwarding</rt></ruby>”，它允许你在进行 `ssh` 会话时安全地连接网络端口。本文向你展示了它是如何工作的。
 ### 关于端口
 标准 Linux 系统已分配了一组网络端口，范围是 0 - 65535。系统会保留 0 - 1023 的端口以供系统使用。在许多系统中，你不能选择使用这些低端口号。通常有几个端口用于运行特定的服务。你可以在系统的  `/etc/services` 文件中找到这些定义。
 你可以认为网络端口是类似的物理端口或可以连接到电缆的插孔。端口可以连接到系统上的某种服务，类似物理插孔后面的接线。一个例子是 Apache Web 服务器（也称为 `httpd`）。对于 HTTP 非安全连接，Web 服务器通常要求在主机系统上使用端口 80，对于 HTTPS 安全连接通常要求使用 443。
 当你连接到远程系统（例如，使用 Web 浏览器）时，你是将浏览器“连接”到你的主机上的端口。这通常是一个随机的高端口号，例如 54001。你的主机上的端口连接到远程主机上的端口（例如 443）来访问其安全的 Web 服务器。
 那么，当你有这么多可用端口时，为什么还要使用端口转发呢？这是 Web 开发人员生活中的几种常见情况。
 ### 本地端口转发
 想象一下，你正在名为 `remote.example.com` 的远程系统上进行 Web 开发。通常，你是通过 `ssh` 进入此系统的，但是它位于防火墙后面，而且该防火墙很少允许其他类型的访问，并且会阻塞大多数其他端口。要尝试你的网络应用，能够使用浏览器访问远程系统会很有帮助。但是，由于使用了讨厌的防火墙，你无法通过在浏览器中输入 URL 的常规方法来访问它。
 本地转发使你可以通过 `ssh` 连接来建立可通过远程系统访问的端口。该端口在系统上显示为本地端口（因而称为“本地转发”）。
 假设你的网络应用在 `remote.example.com` 的 8000 端口上运行。要将那个系统的 8000 端口本地转发到你系统上的 8000 端口，请在开始会话时将 `-L` 选项与 `ssh` 结合使用：
 ```
 $ ssh -L 8000:localhost:8000 remote.example.com
 ```
 等等，为什么我们使用 `localhost` 作为转发目标？这是因为从 `remote.example.com` 的角度来看，你是在要求主机使用其自己的端口 8000。（回想一下，任何主机通常可以通过网络连接 `localhost` 而连接到自身。）现在那个端口连接到你系统的 8000 端口了。`ssh` 会话准备就绪后，将其保持打开状态，然后可以在浏览器中键入 `http://localhost:8000` 来查看你的 Web 应用。现在，系统之间的流量可以通过 `ssh` 隧道安全地传输！
 如果你有敏锐的眼睛，你可能已经注意到了一些东西。如果我们要 `remote.example.com` 转发到与 `localhost` 不同的主机名怎么办？如果它可以访问该网络上另一个系统上的端口，那么通常可以同样轻松地转发该端口。例如，假设你想访问也在该远程网络中的 `db.example.com` 的 MariaDB 或 MySQL 服务。该服务通常在端口 3306 上运行。因此，即使你无法 `ssh` 到实际的 `db.example.com` 主机，你也可以使用此命令将其转发：
 ```
 $ ssh -L 3306:db.example.com:3306 remote.example.com
 ```
 现在，你可以在 `localhost` 上运行 MariaDB 命令，而实际上是在使用 `db.example.com` 主机。
 ### 远程端口转发
 远程转发让你可以进行相反操作。想象一下，你正在为办公室的朋友设计一个 Web 应用，并想向他们展示你的工作。不过，不幸的是，你在咖啡店里工作，并且由于网络设置，他们无法通过网络连接访问你的笔记本电脑。但是，你同时使用着办公室的 `remote.example.com` 系统，并且仍然可在这里登录。你的 Web 应用似乎在本地 5000 端口上运行良好。
 远程端口转发使你可以通过 `ssh` 连接从本地系统建立端口的隧道，并使该端口在远程系统上可用。在开始 `ssh` 会话时，只需使用 `-R` 选项：
 ```
 $ ssh -R 6000:localhost:5000 remote.example.com
 ```
 现在，当在公司防火墙内的朋友打开浏览器时，他们可以进入 `http://remote.example.com:6000` 查看你的工作。就像在本地端口转发示例中一样，通信通过 `ssh` 会话安全地进行。
 默认情况下，`sshd` 守护进程运行在设置的主机上，因此**只有**该主机可以连接它的远程转发端口。假设你的朋友希望能够让其他 `example.com` 公司主机上的人看到你的工作，而他们不在 `remote.example.com` 上。你需要让 `remote.example.com` 主机的所有者将以下选项**之一**添加到 `/etc/ssh/sshd_config` 中：
 ```
 GatewayPorts yes       # 或
 GatewayPorts clientspecified
 ```
 第一个选项意味着 `remote.example.com` 上的所有网络接口都可以使用远程转发的端口。第二个意味着建立隧道的客户端可以选择地址。默认情况下，此选项设置为 `no`。
 使用此选项，你作为 `ssh` 客户端仍必须指定可以共享你这边转发端口的接口。通过在本地端口之前添加网络地址范围来进行此操作。有几种方法可以做到，包括：
 ```
 $ ssh -R *:6000:localhost:5000                   # 所有网络
 $ ssh -R 0.0.0.0:6000:localhost:5000             # 所有网络
 $ ssh -R 192.168.1.15:6000:localhost:5000        # 单个网络
 $ ssh -R remote.example.com:6000:localhost:5000  # 单个网络
 ```
 ### 其他注意事项
 请注意，本地和远程系统上的端口号不必相同。实际上，有时你甚至可能无法使用相同的端口。例如，普通用户可能不会在默认设置中转发到系统端口。
 另外，可以限制主机上的转发。如果你需要在联网主机上更严格的安全性，那么这你来说可能很重要。 `sshd` 守护程进程的 `PermitOpen` 选项控制是否以及哪些端口可用于 TCP 转发。默认设置为 `any`，这让上面的所有示例都能正常工作。要禁止任何端口转发，请选择 `none`，或仅允许的特定的“主机:端口”。有关更多信息，请在手册页中搜索 `PermitOpen` 来配置 `sshd` 守护进程：
 ```
 $ man sshd_config
 ```
 最后，请记住，只有在 `ssh` 会话处于打开状态时才会端口转发。如果需要长时间保持转发活动，请尝试使用 `-N` 选项在后台运行会话。确保控制台已锁定，以防止在你离开控制台时其被篡夺。
 --------------------------------------------------------------------------------
 via: https://fedoramagazine.org/using-ssh-port-forwarding-on-fedora/
 作者：[Paul W. Frields][a]
 选题：[lujun9972][b]
 译者：[geekpi](https://github.com/geekpi)
 校对：[wxy](https://github.com/wxy)
 本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译，[Linux中国](https://linux.cn/) 荣誉推出
 [a]: https://fedoramagazine.org/author/pfrields/
 [b]: https://github.com/lujun9972
 [1]: https://fedoramagazine.org/wp-content/uploads/2019/10/ssh-port-forwarding-816x345.jpg
 [2]: https://en.wikipedia.org/wiki/Secure_Shell
 [3]: https://fedoramagazine.org/open-source-ssh-clients/
--- a/sources/tech/20191008
+++ b/sources/tech/20191008
@ -1,5 +1,5 @@
 [#]: collector: (lujun9972)
-[#]: translator: ( )
+[#]: translator: (geekpi)
 [#]: reviewer: ( )
 [#]: publisher: ( )
 [#]: url: ( )
--- a/sources/tech/20191023
+++ b/sources/tech/20191023
@ -1,154 +0,0 @@
 [#]: collector: (lujun9972)
 [#]: translator: (geekpi)
 [#]: reviewer: ( )
 [#]: publisher: ( )
 [#]: url: ( )
 [#]: subject: (Building container images with the ansible-bender tool)
 [#]: via: (https://opensource.com/article/19/10/building-container-images-ansible)
 [#]: author: (Tomas Tomecek https://opensource.com/users/tomastomecek)
 Building container images with the ansible-bender tool
 ======
 Learn how to use Ansible to execute commands in a container.
 ![Blocks for building][1]
 Containers and [Ansible][2] blend together so nicely—from management and orchestration to provisioning and building. In this article, we'll focus on the building part.
 If you are familiar with Ansible, you know that you can write a series of tasks, and the **ansible-playbook** command will execute them for you. Did you know that you can also execute such commands in a container environment and get the same result as if you'd written a Dockerfile and run **podman build**.
 Here is an example:
 ```
 \- name: Serve our file using httpd
   hosts: all
   tasks:
   - name: Install httpd
     package:
       name: httpd
       state: installed
   - name: Copy our file to httpd’s webroot
     copy:
       src: our-file.txt
       dest: /var/www/html/
 ```
 You could execute this playbook locally on your web server or in a container, and it would work—as long as you remember to create the **our-file.txt** file first.
 But something is missing. You need to start (and configure) httpd in order for your file to be served. This is a difference between container builds and infrastructure provisioning: When building an image, you just prepare the content; running the container is a different task. On the other hand, you can attach metadata to the container image that tells the command to run by default.
 Here's where a tool would help. How about trying **ansible-bender**?
 ```
 `$ ansible-bender build the-playbook.yaml fedora:30 our-httpd`
 ```
 This script uses the ansible-bender tool to execute the playbook against a Fedora 30 container image and names the resulting container image **our-httpd**.
 But when you run that container, it won't start httpd because it doesn't know how to do it. You can fix this by adding some metadata to the playbook:
 ```
 \- name: Serve our file using httpd
   hosts: all
   vars:
     ansible_bender:
       base_image: fedora:30
       target_image:
         name: our-httpd
         cmd: httpd -DFOREGROUND
   tasks:
   - name: Install httpd
     package:
       name: httpd
       state: installed
   - name: Listen on all network interfaces.
     lineinfile:    
       path: /etc/httpd/conf/httpd.conf  
       regexp: '^Listen '
       line: Listen 0.0.0.0:80  
   - name: Copy our file to httpd’s webroot
     copy:
       src: our-file.txt
       dest: /var/www/html
 ```
 Now you can build the image (from here on, please run all the commands as root—currently, Buildah and Podman won't create dedicated networks for rootless containers):
 ```
 # ansible-bender build the-playbook.yaml
 PLAY [Serve our file using httpd] ****************************************************
 TASK [Gathering Facts] ***************************************************************    
 ok: [our-httpd-20191004-131941266141-cont]
 TASK [Install httpd] *****************************************************************
 loaded from cache: 'f053578ed2d47581307e9ba3f64f4b4da945579a082c6f99bd797635e62befd0'
 skipping: [our-httpd-20191004-131941266141-cont]
 TASK [Listen on all network interfaces.] *********************************************
 changed: [our-httpd-20191004-131941266141-cont]
 TASK [Copy our file to httpd’s webroot] **********************************************
 changed: [our-httpd-20191004-131941266141-cont]
 PLAY RECAP ***************************************************************************
 our-httpd-20191004-131941266141-cont : ok=3    changed=2    unreachable=0    failed=0    skipped=1    rescued=0    ignored=0
 Getting image source signatures
 Copying blob sha256:4650c04b851c62897e9c02c6041a0e3127f8253fafa3a09642552a8e77c044c8
 Copying blob sha256:87b740bba596291af8e9d6d91e30a01d5eba9dd815b55895b8705a2acc3a825e
 Copying blob sha256:82c21252bd87532e93e77498e3767ac2617aa9e578e32e4de09e87156b9189a0
 Copying config sha256:44c6dc6dda1afe28892400c825de1c987c4641fd44fa5919a44cf0a94f58949f
 Writing manifest to image destination
 Storing signatures
 44c6dc6dda1afe28892400c825de1c987c4641fd44fa5919a44cf0a94f58949f
 Image 'our-httpd' was built successfully \o/
 ```
 The image is built, and it's time to run the container:
 ```
 # podman run our-httpd
 AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 10.88.2.106. Set the 'ServerName' directive globally to suppress this message
 ```
 Is your file being served? First, find out the IP of your container:
 ```
 # podman inspect -f '{{ .NetworkSettings.IPAddress }}' 7418570ba5a0
 10.88.2.106
 ```
 And now you can check:
 ```
 $ curl <http://10.88.2.106/our-file.txt>
 Ansible is ❤
 ```
 What were the contents of your file?
 This was just an introduction to building container images with Ansible. If you want to learn more about what ansible-bender can do, please check it out on [GitHub][3]. Happy building!
 --------------------------------------------------------------------------------
 via: https://opensource.com/article/19/10/building-container-images-ansible
 作者：[Tomas Tomecek][a]
 选题：[lujun9972][b]
 译者：[译者ID](https://github.com/译者ID)
 校对：[校对者ID](https://github.com/校对者ID)
 本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译，[Linux中国](https://linux.cn/) 荣誉推出
 [a]: https://opensource.com/users/tomastomecek
 [b]: https://github.com/lujun9972
 [1]: https://opensource.com/sites/default/files/styles/image-full-size/public/lead-images/blocks_building.png?itok=eMOT-ire (Blocks for building)
 [2]: https://www.ansible.com/
 [3]: https://github.com/ansible-community/ansible-bender
--- a/sources/tech/20191027
+++ b/sources/tech/20191027
@ -0,0 +1,271 @@
 [#]: collector: (lujun9972)
 [#]: translator: ( )
 [#]: reviewer: ( )
 [#]: publisher: ( )
 [#]: url: ( )
 [#]: subject: (How to Install and Configure Nagios Core on CentOS 8 / RHEL 8)
 [#]: via: (https://www.linuxtechi.com/install-nagios-core-rhel-8-centos-8/)
 [#]: author: (James Kiarie https://www.linuxtechi.com/author/james/)
 How to Install and Configure Nagios Core on CentOS 8 / RHEL 8
 ======
 **Nagios** is a free and opensource network and alerting engine used to monitor various devices, such as network devices, and servers in a network. It supports both **Linux** and **Windows OS** and provides an intuitive web interface that allows you to easily monitor network resources. When professionally configured, it can alert you in the event a server or a network device goes down or malfunctions via email alerts. In this topic, we shed light on how you can install and configure Nagios core on **RHEL 8** / **CentOS 8**.
 [![Install-Nagios-Core-RHEL8-CentOS8][1]][2]
 ### Prerequisites of Nagios Core
 Before we begin, perform a flight check and ensure you have the following:
  * An instance of RHEL 8 / CentOS 8
  * SSH access to the instance
  * A fast and stable internet connection
 With the above requirements in check, let’s roll our sleeves!
 ### Step 1: Install LAMP Stack
 For Nagios to work as expected, you need to install LAMP stack or any other web hosting stack since it’s going to run on a browser. To achieve this, execute the command:
 ```
 # dnf install httpd mariadb-server php-mysqlnd php-fpm
 ```
 ![Install-LAMP-stack-CentOS8][1]
 You need to ensure that Apache web server is up and running. To do so, start and enable Apache server using the commands:
 ```
 # systemctl start httpd
 # systemctl enable httpd
 ```
 ![Start-enable-httpd-centos8][1]
 To check the status of Apache server run
 ```
 # systemctl status httpd
 ```
 ![Check-status-httpd-centos8][1]
 Next, we need to start and enable MariaDB server, run the following commands
 ```
 # systemctl start mariadb
 # systemctl enable mariadb
 ```
 ![Start-enable-MariaDB-CentOS8][1]
 To check MariaDB status run:
 ```
 # systemctl status mariadb
 ```
 ![Check-MariaDB-status-CentOS8][1]
 Also, you might consider hardening or securing your server and making it less susceptible to unauthorized access. To secure your server, run the command:
 ```
 # mysql_secure_installation
 ```
 Be sure to set a strong password for your MySQL instance. For the subsequent prompts, Type **Yes** and hit **ENTER**
 ![Secure-MySQL-server-CentOS8][1]
 ### Step 2: Install Required packages
 Apart from installing the LAMP server, some additional packages are needed for the installation and proper configuration of Nagios. Therefore, install the packages as shown below:
 ```
 # dnf install gcc glibc glibc-common wget gd gd-devel perl postfix
 ```
 ![Install-requisite-packages-CentOS8][1]
 ### Step 3: Create a Nagios user account
 Next, we need to create a user account for the Nagios user. To achieve this , run the command:
 ```
 # adduser nagios
 # passwd nagios
 ```
 ![Create-new-user-for-Nagios][1]
 Now, we need to create a group for Nagios and add the Nagios user to this group.
 ```
 # groupadd nagiosxi
 ```
 Now add the Nagios user to the group
 ```
 # usermod -aG nagiosxi nagios
 ```
 Also, add Apache user to the Nagios group
 ```
 # usermod -aG nagiosxi apache
 ```
 ![Add-Nagios-group-user][1]
 ### Step 4: Download and install Nagios core
 We can now proceed and install Nagios Core. The latest stable version in Nagios 4.4.5 which was released on August 19, 2019.  But first, download the Nagios tarball file from its official site.
 To download Nagios core, first head to the tmp directory
 ```
 # cd /tmp
 ```
 Next download the tarball file
 ```
 # wget https://assets.nagios.com/downloads/nagioscore/releases/nagios-4.4.5.tar.gz
 ```
 ![Download-Nagios-CentOS8][1]
 After downloading the tarball file, extract it using the command:
 ```
 # tar -xvf nagios-4.4.5.tar.gz
 ```
 Next, navigate to the uncompressed folder
 ```
 # cd nagios-4.4.5
 ```
 Run the commands below in this order
 ```
 # ./configure --with-command-group=nagcmd
 # make all
 # make install
 # make install-init
 # make install-daemoninit
 # make install-config
 # make install-commandmode
 # make install-exfoliation
 ```
 To setup Apache configuration issue the command:
 ```
 # make install-webconf
 ```
 ### Step 5: Configure Apache Web Server Authentication
 Next, we are going to setup authentication for the user **nagiosadmin**. Please be mindful not to change the username or else, you may be required to perform further configuration which may be quite tedious.
 To set up authentication run the command:
 ```
 # htpasswd -c /usr/local/nagios/etc/htpasswd.users nagiosadmin
 ```
 ![Configure-Apache-webserver-authentication-CentOS8][1]
 You will be prompted for the password of the nagiosadmin user. Enter and confirm the password as requested. This is the user that you will use to login to Nagios towards the end of this tutorial.
 For the changes to come into effect, restart your web server.
 ```
 # systemctl restart httpd
 ```
 ### Step 6: Download &amp; install Nagios Plugins
 Plugins will extend the functionality of the Nagios Server. They will help you monitor various services, network devices, and applications. To download the plugin tarball file run the command:
 ```
 # wget https://nagios-plugins.org/download/nagios-plugins-2.2.1.tar.gz
 ```
 Next, extract the tarball file and navigate to the uncompressed plugin folder
 ```
 # tar -xvf nagios-plugins-2.2.1.tar.gz
 # cd nagios-plugins-2.2.1
 ```
 To install the plugins compile the source code as shown
 ```
 # ./configure --with-nagios-user=nagios --with-nagios-group=nagiosxi
 # make
 # make install
 ```
 ### Step 7: Verify and Start Nagios
 After the successful installation of Nagios plugins, verify the Nagios configuration to ensure that all is well and there is no error in the configuration:
 ```
 # /usr/local/nagios/bin/nagios -v /usr/local/nagios/etc/nagios.cfg
 ```
 ![Verify-Nagios-settings-CentOS8][1]
 Next, start Nagios and verify its status
 ```
 # systemctl start nagios
 # systemctl status nagios
 ```
 ![Start-check-status-Nagios-CentOS8][1]
 In case Firewall is running on system then allow “80” using the following command
 ```
 # firewall-cmd --permanent --add-port=80/tcp# firewall-cmd --reload
 ```
 ### Step 8: Access Nagios dashboard via the web browser
 To access Nagios, browse your server’s IP address as shown
 <http://server-ip/nagios>
 A pop-up will appear prompting for the username and the password of the user we created earlier in Step 5. Enter the credentials and hit ‘**Sign In**’
 ![Access-Nagios-via-web-browser-CentOS8][1]
 This ushers you to the Nagios dashboard as shown below
 ![Nagios-dashboard-CentOS8][1]
 We have finally successfully installed and configured Nagios Core on CentOS 8 / RHEL 8. Your feedback is most welcome.
 --------------------------------------------------------------------------------
 via: https://www.linuxtechi.com/install-nagios-core-rhel-8-centos-8/
 作者：[James Kiarie][a]
 选题：[lujun9972][b]
 译者：[译者ID](https://github.com/译者ID)
 校对：[校对者ID](https://github.com/校对者ID)
 本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译，[Linux中国](https://linux.cn/) 荣誉推出
 [a]: https://www.linuxtechi.com/author/james/
 [b]: https://github.com/lujun9972
 [1]: data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7
 [2]: https://www.linuxtechi.com/wp-content/uploads/2019/10/Install-Nagios-Core-RHEL8-CentOS8.jpg
--- a/sources/tech/20191028
+++ b/sources/tech/20191028
@ -0,0 +1,69 @@
 [#]: collector: (lujun9972)
 [#]: translator: ( )
 [#]: reviewer: ( )
 [#]: publisher: ( )
 [#]: url: ( )
 [#]: subject: (Enterprise JavaBeans, infrastructure predictions, and more industry trends)
 [#]: via: (https://opensource.com/article/19/10/enterprise-javabeans-and-more-industry-trends)
 [#]: author: (Tim Hildred https://opensource.com/users/thildred)
 Enterprise JavaBeans, infrastructure predictions, and more industry trends
 ======
 A weekly look at open source community and industry trends.
 ![Person standing in front of a giant computer screen with numbers, data][1]
 As part of my role as a senior product marketing manager at an enterprise software company with an open source development model, I publish a regular update about open source community, market, and industry trends for product marketers, managers, and other influencers. Here are five of my and their favorite articles from that update.
 ## [Gartner: 10 infrastructure trends you need to know][2]
 > Corporate network infrastructure is only going to get more involved  over the next two to three years as automation, network challenges, and hybrid cloud become more integral to the enterprise.
 **The impact:** The theme running through all these predictions is the impact of increased complexity. As consumers of technology, we expect things to get easier and easier. As producers of technology, we know what's going on behind the curtains to make that simplicity possible is its opposite.
 ## [Jakarta EE: What's in store for Enterprise JavaBeans?][3]
 > [Enterprise JavaBeans (EJB)][4] has been very important to the Java EE ecosystem and promoted many robust solutions to enterprise problems. Besides that, in the past when integration techniques were not so advanced, EJB did great work with remote EJB, integrating many Java EE applications. However, remote EJB is not necessary anymore, and we have many techniques and tools that are better for doing that. So, does EJB still have a place in this new cloud-native world?
 **The impact:** This offers some insights into how programming languages and frameworks evolve and change over time. Respond to changes in developer affinity by identifying the good stuff in a language and getting it landed somewhere else. Ideally that "somewhere else" should be an open standard so that no single vendor gets to control your technology destiny.
 ## [From virtualization to containerization][5]
 > Before the telecom industry has got to grips with "step one" virtualization, many industry leaders are already moving on to the next level—containerization. This is a key part of making network software cloud-native i.e. designed, developed, and optimized to exploit cloud technology such as distributed processing and data stores.
 **The impact:** There are certain industries that make big technology decisions on long time horizons; I can only imagine the FOMO that the fast-moving world of infrastructure technology could cause when you've picked something and it starts to look a bit crufty next to the new hotness.
 ## [How do you rollback deployments in Kubernetes?][6]
 > There are several strategies when it comes to deploying apps into production. In Kubernetes, rolling updates are the default strategy to update the running version of your app. The rolling update cycles previous Pod out and bring newer Pod in incrementally.
 **The impact:** What is the cloud-native distributed equivalent to **ctrl+z**? And aren't you glad there is one?
 ## [What's a Trusted Compute Base?][7]
 > A few months ago, in an article called [Turtles—and chains of trust][8], I briefly mentioned Trusted Compute Bases, or TCBs, but then didn’t go any deeper.  I had a bit of a search across the articles on this blog, and realised that I’ve never gone into this topic in much detail, which feels like a mistake, so I’m going to do it now.
 **The impact:** The issue of to what extent you can trust the computer systems that power your whole life is only going to become more prevalent and more vexing. That turns out to be a great argument for open source from the bottom turtle (hardware) all the way up.
 _I hope you enjoyed this list of what stood out to me from last week and come back next Monday for more open source community, market, and industry trends._
 --------------------------------------------------------------------------------
 via: https://opensource.com/article/19/10/enterprise-javabeans-and-more-industry-trends
 作者：[Tim Hildred][a]
 选题：[lujun9972][b]
 译者：[译者ID](https://github.com/译者ID)
 校对：[校对者ID](https://github.com/校对者ID)
 本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译，[Linux中国](https://linux.cn/) 荣誉推出
 [a]: https://opensource.com/users/thildred
 [b]: https://github.com/lujun9972
 [1]: https://opensource.com/sites/default/files/styles/image-full-size/public/lead-images/data_metrics_analytics_desktop_laptop.png?itok=9QXd7AUr (Person standing in front of a giant computer screen with numbers, data)
 [2]: https://www.networkworld.com/article/3447397/gartner-10-infrastructure-trends-you-need-to-know.html
 [3]: https://developers.redhat.com/blog/2019/10/22/jakarta-ee-whats-in-store-for-enterprise-javabeans/
 [4]: https://docs.oracle.com/cd/E13222_01/wls/docs100/ejb/deploy.html
 [5]: https://www.lightreading.com/nfv/from-virtualization-to-containerization/a/d-id/755016
 [6]: https://learnk8s.io/kubernetes-rollbacks/
 [7]: https://aliceevebob.com/2019/10/22/whats-a-trusted-compute-base/
 [8]: https://aliceevebob.com/2019/07/02/turtles-and-chains-of-trust/
--- a/sources/tech/20191029
+++ b/sources/tech/20191029
@ -0,0 +1,104 @@
 [#]: collector: (lujun9972)
 [#]: translator: ( )
 [#]: reviewer: ( )
 [#]: publisher: ( )
 [#]: url: ( )
 [#]: subject: (Collapse OS – An OS Created to Run After the World Ends)
 [#]: via: (https://itsfoss.com/collapse-os/)
 [#]: author: (John Paul https://itsfoss.com/author/john/)
 Collapse OS – An OS Created to Run After the World Ends
 ======
 When most people think about preparing for a post-apocalyptic world, the first time that comes to mind is food and other living essentials. Recently, a programmer has decided that it would be just as important to create a versatile and survivable operating system after the collapse of society. We will be taking a look at it today, as best we can.
 ### Collapse OS – For when the fecal matter hits the rotating device
 ![][1]
 The operating system in question is called [Collapse OS][2]. According to the website, Collapse OS is a “z80 kernel and a collection of programs, tools and documentation”. It would allow you to:
  * Run on minimal and improvised machines.
  * Interface through improvised means (serial, keyboard, display).
  * Edit text files.
  * Compile assembler source files for a wide range of MCUs and CPUs.
  * Read and write from a wide range of storage devices.
  * Replicate itself.
 The creator, [Virgil Dupras][3], started the project because [he sees][4] “our global supply chain to collapse before we reach 2030”. He bases this conclusion on the works of Pablo Servigne. He seems to understand that not everyone shares [his views][4]. “That being said, I don’t consider it unreasonable to not believe that collapse is likely to happen by 2030, so please, don’t feel attacked by my beliefs.”
 The overall goal of the project is to jumpstart a post-collapse civilization’s return to the computer age. The production of electronics depends on a very complex supply chain. Once that supply chain crumbles, man will go back to a less technical age. It would take decades to regain our previous technical position. Dupras hopes to jump several steps by creating an ecosystem that will work with simpler chips that can be scavenged from a wide variety of sources.
 ### What is the z80?
 The initial CollapseOS kernel is written for the [z80 chip][5]. As a retro computing history buff, I am familiar with [Zilog][6] and it’s z80 chip. In the late 1970s, Zilog introduced the z80 to compete with [Intel’s 8080][7] CPU. The z80 was used in a whole bunch of early personal computers, such as the [Sinclair ZX Spectrum][8] and the [Tandy TRS-80][9]. The majority of these systems used the [CP/M operating system][10], which was the top operating system of the time. (Interestingly, Dupras was originally looking to use an [open-source implementation o][11][f][11] [CP/M][11], but ultimately decided to [start from scratch][12].)
 Both the z80 and CP/M started to decline in popularity after the [IBM PC][13] was released in 1981. Zilog did release several other microprocessors (Z8000 and Z80000), but these did not take off. The company switched its focus to microcontrollers. Today, an updated descendant of the z80 can be found in graphic calculators, embedded devices and consumer electronics.
 Dupras said on [Reddit][14] that he wrote Collapse OS for the z80 because “it’s been in production for so long and because it’s been used in so many machines, scavenger have good chances of getting their hands on it.”
 ### Current status and future of the project
 Collapse OS has a pretty decent start. It can self replicate with enough RAM and storage. It is capable of running on an [RC2014 homebrew computer][15] or a Sega Master System/MegaDrive (Genesis). It can read SD cards. It has a simple text editor. The kernel is made up of modules that are connected with glue code. This is designed to make the system flexible and adaptable.
 There is also a detailed [roadmap][16] laying out the direction of the project. Listed goals include:
  * Support for other CPUs, such as 8080 and [6502][17]
  * Support for improvised peripherals, such as LCD screens, E-ink displays, and [ACIA devices][18].
  * Support for more storage options, such as floppys, CDs, SPI RAM/ROMs, and AVR MCUs
  * Get it to work on other z80 machines, such as [TI-83+][19] and [TI-84+][20] graphing calculators and TRS-80s
 If you are interested in helping out or just taking a peek at the project, be sure to visit their [GitHub page][21].
 ### Final Thoughts
 To put it bluntly, I see Collapse OS as more of a fun hobby project (for those who like building operating systems), than something useful. When a collapse does come, how will Collapse OS get distributed, since I imagine that GitHub will be down? I can’t imagine more than a handful of skill people being able to create a system from scavenged parts. There is a whole new generation of makers out there, but most of them are used to picking up an Arduino or a Raspberry Pi and building their project than starting from scratch.
 Contrary to Dupras, my biggest concern is the use of [EMPs][22]. These things fry all electrical systems, meaning there would be nothing left to scavenge to build system. If that doesn’t happen, I imagine that we would be able to find enough x86 components made over the past 30 years to keep things going.
 That being said, Collapse OS sounds like a fun and challenging project to people who like to program in low-level code for strange applications. If you are such a person, check out [Collapse OS][2].
 Hypothetical question: what is your post-apocalyptic operating system of choice? Please let us know in the comments below.
 If you found this article interesting, please take a minute to share it on social media, Hacker News or [Reddit][23].
 --------------------------------------------------------------------------------
 via: https://itsfoss.com/collapse-os/
 作者：[John Paul][a]
 选题：[lujun9972][b]
 译者：[译者ID](https://github.com/译者ID)
 校对：[校对者ID](https://github.com/校对者ID)
 本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译，[Linux中国](https://linux.cn/) 荣誉推出
 [a]: https://itsfoss.com/author/john/
 [b]: https://github.com/lujun9972
 [1]: https://i1.wp.com/itsfoss.com/wp-content/uploads/2019/10/Collapse_OS.jpg?ssl=1
 [2]: https://collapseos.org/
 [3]: https://github.com/hsoft
 [4]: https://collapseos.org/why.html
 [5]: https://en.m.wikipedia.org/wiki/Z80
 [6]: https://en.wikipedia.org/wiki/Zilog
 [7]: https://en.wikipedia.org/wiki/Intel_8080
 [8]: https://en.wikipedia.org/wiki/ZX_Spectrum
 [9]: https://en.wikipedia.org/wiki/TRS-80
 [10]: https://en.wikipedia.org/wiki/CP/M
 [11]: https://github.com/davidgiven/cpmish
 [12]: https://github.com/hsoft/collapseos/issues/52
 [13]: https://en.wikipedia.org/wiki/IBM_Personal_Computer
 [14]: https://old.reddit.com/r/collapse/comments/dejmvz/collapse_os_bootstrap_postcollapse_technology/f2w3sid/?st=k1gujoau&sh=1b344da9
 [15]: https://rc2014.co.uk/
 [16]: https://collapseos.org/roadmap.html
 [17]: https://en.wikipedia.org/wiki/MOS_Technology_6502
 [18]: https://en.wikipedia.org/wiki/MOS_Technology_6551
 [19]: https://en.wikipedia.org/wiki/TI-83_series#TI-83_Plus
 [20]: https://en.wikipedia.org/wiki/TI-84_Plus_series
 [21]: https://github.com/hsoft/collapseos
 [22]: https://en.wikipedia.org/wiki/Electromagnetic_pulse
 [23]: https://reddit.com/r/linuxusersgroup
--- a/translated/tech/20191023
+++ b/translated/tech/20191023
@ -0,0 +1,153 @@
 [#]: collector: (lujun9972)
 [#]: translator: (geekpi)
 [#]: reviewer: ( )
 [#]: publisher: ( )
 [#]: url: ( )
 [#]: subject: (Building container images with the ansible-bender tool)
 [#]: via: (https://opensource.com/article/19/10/building-container-images-ansible)
 [#]: author: (Tomas Tomecek https://opensource.com/users/tomastomecek)
 使用 ansible-bender 构建容器镜像
 ======
 了解如何使用 Ansible 在容器中执行命令。
 ![Blocks for building][1]
 容器和 [Ansible][2] 很好地融合在一起-从管理和编排到供应和构建。在本文中，我们将重点介绍构建部分。
 如果你熟悉 Ansible，就会知道你可以编写一系列任务，**ansible-playbook** 命令将为你执行这些任务。你知道吗，你还可以在容器环境中执行此类命令，并获得与编写 Dockerfile 并运行 **podman build** 相同的结果。
 这是一个例子：
 ```
 \- name: Serve our file using httpd
  hosts: all
  tasks:
  - name: Install httpd
    package:
      name: httpd
      state: installed
  - name: Copy our file to httpd’s webroot
    copy:
      src: our-file.txt
      dest: /var/www/html/
 ```
 你可以在 Web 服务器上或容器中本地执行这个 playbook，并且只要你记得先创建 **our-file.txt**，它就可以工作。
 但是缺少了一些东西。你需要启动（并配置）httpd 以便提供文件。这是容器构建和基础架构供应之间的区别：构建镜像时，你只需准备内容；运行容器是另一项任务。另一方面，你可以将元数据附加到容器镜像，它会默认运行命令。
 这有个工具可以帮助。试试看 **ansible-bender** 怎么样？
 ```
 `$ ansible-bender build the-playbook.yaml fedora:30 our-httpd`
 ```
 该脚本使用 ansible-bender 对 Fedora 30 容器镜像执行 playbook，并将生成的容器镜像命名为 “our-httpd”。
 但是，当你运行该容器时，它不会启动 httpd，因为它不知道如何操作。你可以通过向 playbook 添加一些元数据来解决此问题：
 ```
 \- name: Serve our file using httpd
  hosts: all
  vars:
    ansible_bender:
      base_image: fedora:30
      target_image:
        name: our-httpd
        cmd: httpd -DFOREGROUND
  tasks:
  - name: Install httpd
    package:
      name: httpd
      state: installed
  - name: Listen on all network interfaces.
    lineinfile:    
      path: /etc/httpd/conf/httpd.conf  
      regexp: '^Listen '
      line: Listen 0.0.0.0:80  
  - name: Copy our file to httpd’s webroot
    copy:
      src: our-file.txt
      dest: /var/www/html
 ```
 现在你可以构建镜像（从这里开始，请以 root 用户身份运行所有命令。目前，Buildah 和 Podman 不会为无根容器创建专用网络）：
 ```
 # ansible-bender build the-playbook.yaml
 PLAY [Serve our file using httpd] ****************************************************
 TASK [Gathering Facts] ***************************************************************    
 ok: [our-httpd-20191004-131941266141-cont]
 TASK [Install httpd] *****************************************************************
 loaded from cache: 'f053578ed2d47581307e9ba3f64f4b4da945579a082c6f99bd797635e62befd0'
 skipping: [our-httpd-20191004-131941266141-cont]
 TASK [Listen on all network interfaces.] *********************************************
 changed: [our-httpd-20191004-131941266141-cont]
 TASK [Copy our file to httpd’s webroot] **********************************************
 changed: [our-httpd-20191004-131941266141-cont]
 PLAY RECAP ***************************************************************************
 our-httpd-20191004-131941266141-cont : ok=3    changed=2    unreachable=0    failed=0    skipped=1    rescued=0    ignored=0
 Getting image source signatures
 Copying blob sha256:4650c04b851c62897e9c02c6041a0e3127f8253fafa3a09642552a8e77c044c8
 Copying blob sha256:87b740bba596291af8e9d6d91e30a01d5eba9dd815b55895b8705a2acc3a825e
 Copying blob sha256:82c21252bd87532e93e77498e3767ac2617aa9e578e32e4de09e87156b9189a0
 Copying config sha256:44c6dc6dda1afe28892400c825de1c987c4641fd44fa5919a44cf0a94f58949f
 Writing manifest to image destination
 Storing signatures
 44c6dc6dda1afe28892400c825de1c987c4641fd44fa5919a44cf0a94f58949f
 Image 'our-httpd' was built successfully \o/
 ```
 镜像构建完毕，可以运行容器了：
 ```
 # podman run our-httpd
 AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 10.88.2.106. Set the 'ServerName' directive globally to suppress this message
 ```
 是否提供文件了？首先，找出你容器的 IP：
 ```
 # podman inspect -f '{{ .NetworkSettings.IPAddress }}' 7418570ba5a0
 10.88.2.106
 ```
 你现在可以检查了：
 ```
 $ curl <http://10.88.2.106/our-file.txt>
 Ansible is ❤
 ```
 你文件内容是什么？
 这只是使用 Ansible 构建容器镜像的介绍。如果你想了解有关 ansible-bender 可以做什么的更多信息，请查看它的 [GitHub][3] 页面。构建快乐！
 --------------------------------------------------------------------------------
 via: https://opensource.com/article/19/10/building-container-images-ansible
 作者：[Tomas Tomecek][a]
 选题：[lujun9972][b]
 译者：[geekpi](https://github.com/geekpi)
 校对：[校对者ID](https://github.com/校对者ID)
 本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译，[Linux中国](https://linux.cn/) 荣誉推出
 [a]: https://opensource.com/users/tomastomecek
 [b]: https://github.com/lujun9972
 [1]: https://opensource.com/sites/default/files/styles/image-full-size/public/lead-images/blocks_building.png?itok=eMOT-ire (Blocks for building)
 [2]: https://www.ansible.com/
 [3]: https://github.com/ansible-community/ansible-bender
--- a/translated/tech/20191023
+++ b/translated/tech/20191023
@ -1,107 +0,0 @@
 [#]: collector: (lujun9972)
 [#]: translator: (geekpi)
 [#]: reviewer: ( )
 [#]: publisher: ( )
 [#]: url: ( )
 [#]: subject: (Using SSH port forwarding on Fedora)
 [#]: via: (https://fedoramagazine.org/using-ssh-port-forwarding-on-fedora/)
 [#]: author: (Paul W. Frields https://fedoramagazine.org/author/pfrields/)
 在 Fedora 上使用 SSH 端口转发
 ======
 ![][1]
 你可能已经熟悉使用 _ [ssh 命令][2]_ 访问远程系统。 _ssh_ 后面的协议允许终端输入和输出经过[安全通道][3]。但是你知道你也可以使用 _ssh_ 来安全地发送和接收其他数据吗？一种方法是使用_端口转发_，它允许你在进行 _ssh_ 会话时安全地连接网络端口。本文向你展示了它是如何工作的。
 ### 关于端口
 标准 Linux 系统已分配了一组网络端口，范围是 0-65535。你的系统最多保留 1023 个端口供系统使用。在许多系统中，你不能选择使用这些低端口号。通常有几个端口用于运行特定的服务。你可以在系统的  _/etc/services_ 文件中找到这些定义。
 你可以认为网络端口是类似物理端口或可以连接到电缆的插孔。端口可以连接到系统上的某种服务，类似物理插孔后面的接线。一个例子是 Apache Web 服务器（也称为 _httpd_）。对于 HTTP 非安全连接，Web 服务器通常要求在主机系统上使用端口 80，对于 HTTPS 安全连接通常要求使用 443。
 当你连接到远程系统（例如，使用 Web 浏览器）时，你是将浏览器“连接”到主机上的端口。这通常是一个随机的高端口号，例如 54001。主机上的端口连接到远程主机上的端口（例如 443）来访问其安全的 Web 服务器。
 那么，当你有这么多可用端口时，为什么还要使用端口转发呢？这是 Web 开发人员生活中的几种常见情况。
 ### 本地端口转发
 想象一下，你正在名为 _remote.example.com_ 的远程系统上进行 Web 开发。通常，你是通过 _ssh_ 进入此系统的，但是它位于防火墙后面，而且该防火墙允许很少的其他访问，并且会阻塞大多数其他端口。要尝试你的网络应用，能够使用浏览器访问远程系统会很有帮助。但是，由于使用了讨厌的防火墙，你无法通过在浏览器中输入 URL 的常规方法来访问它。
 本地转发使你可以通过 _ssh_ 连接来建立可通过远程系统访问的端口。该端口在系统上显示为本地端口（也称为“本地转发”）。
 假设你的网络应用在 _remote.example.com_ 的 8000 端口上运行。要将那个系统的 8000 端口本地转发到你系统上的 8000 端口，请在开始会话时将 _-L_ 选项与 _ssh_ 结合使用：
 ```
 $ ssh -L 8000:localhost:8000 remote.example.com
 ```
 等等，为什么我们使用 _localhost_ 作为转发目标？这是因为从 _remote.example.com_ 的角度来看，你是在要求主机使用其自己的端口 8000。（回想一下，任何主机通常可以将自己作为 _localhost_ 来通过网络连接其自身。）现在那个端口连接到你系统的 8000 端口了。_ssh_ 会话准备就绪后，将其保持打开状态，然后可以在浏览器中键入 _<http://localhost:8000>_ 来查看你的 Web 应用。现在，系统之间的流量可以通过 _ssh_ 隧道安全地传输！
 如果你有敏锐的眼睛，你可能已经注意到了一些东西。如果我们使用与 _localhost_ 不同的主机名来转发 _remote.example.com_ 怎么办？如果它可以访问其网络上另一个系统上的端口，那么通常可以同样轻松地转发该端口。例如，假设你想在远程网络的 _db.example.com_ 中访问 MariaDB 或 MySQL 服务。该服务通常在端口 3306 上运行。因此，即使你无法 _ssh_ 到实际的 _db.example.com_ 主机，你也可以使用此命令将其转发：
 ```
 $ ssh -L 3306:db.example.com:3306 remote.example.com
 ```
 现在，你可以在 _localhost_ 上运行 MariaDB 命令，这实际上是在使用 _db.example.com_ 主机。
 ### 远程端口转发
 远程转发让你可以进行相反操作。想象一下，你正在为办公室的朋友设计一个 Web 应用，并想向他们展示你的工作。不过，不幸的是，你在咖啡店里工作，并且由于网络设置，他们无法通过网络连接访问你的笔记本电脑。但是，你同时使用着办公室的 _remote.example.com_ 系统，并且仍然可在这里登录。你的 Web 应用似乎在本地 5000 端口上运行良好。
 远程端口转发使你可以通过 _ssh_ 连接从本地系统建立端口的隧道，并使该端口在远程系统上可用。在开始 _ssh_ 会话时，只需使用 _-R_ 选项：
 ```
 $ ssh -R 6000:localhost:5000 remote.example.com
 ```
 现在，当在公司防火墙内的朋友打开浏览器时，他们可以进入 _ <http://remote.example.com:6000> _ 并查看你的工作。就像在本地端口转发示例中一样，通信通过 _ssh_ 会话安全地进行。
 默认情况下，_sshd_ 设置在本机运行，因此**只有**该主机可以连接它的远程转发端口。假设你的朋友希望能够让其他 _example.com_ 公司主机上的人看到你的工作，而他们不在 _remote.example.com_ 上。你需要让 _remote.example.com_ 主机的所有者将以下选项之**一**添加 _/etc/ssh/sshd_config_ 中：
 ```
 GatewayPorts yes       # 或
 GatewayPorts clientspecified
 ```
 第一个选项意味着 _remote.example.com_ 上的所有网络接口都可以使用远程转发的端口。第二个意味着建立隧道的客户端可以选择地址。默认情况下，此选项设置为 **no**。
 With this option, you as the _ssh_ client must still specify the interfaces on which the forwarded port on your side can be shared. Do this by adding a network specification before the local port. There are several ways to do this, including the following:
 使用此选项，作为 _ssh_ 客户端你仍必须指定可以共享你这边转发端口的接口。通过在本地端口之前添加网络规范来进行操作。有几种方法可以做到，包括：
 ```
 $ ssh -R *:6000:localhost:5000                   # 所有网络
 $ ssh -R 0.0.0.0:6000:localhost:5000             # 所有网络
 $ ssh -R 192.168.1.15:6000:localhost:5000        # 单个网络
 $ ssh -R remote.example.com:6000:localhost:5000  # 单个网络
 ```
 ### 其他注意事项
 请注意，本地和远程系统上的端口号不必相同。实际上，有时你甚至可能无法使用相同的端口。例如，普通用户可能不会在默认设置中转发到系统端口。
 另外，可以限制主机上的转发。如果你需要在联网主机上更严格的安全性，那么这你来说可能很重要。 _sshd_ 守护程进程 _PermitOpen_ 选项控制是否以及哪些端口可用于 TCP 转发。默认设置为 **any**，这让上面的所有示例都能正常工作。要禁止任何端口转发，请选择 “none”，或仅允许的特定的“主机:端口”。有关更多信息，请在手册页中搜索 _PermitOpen_ 来配置 _sshd_ 守护进程：
 ```
 $ man sshd_config
 ```
 最后，请记住，只有在 _ssh_ 会话处于打开状态时才会端口转发。如果需要长时间保持转发活动，请尝试使用 _-N_ 选项在后台运行会话。确保控制台已锁定，以防止在你离开控制台时对其进行篡改。
 --------------------------------------------------------------------------------
 via: https://fedoramagazine.org/using-ssh-port-forwarding-on-fedora/
 作者：[Paul W. Frields][a]
 选题：[lujun9972][b]
 译者：[geekpi](https://github.com/geekpi)
 校对：[校对者ID](https://github.com/校对者ID)
 本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译，[Linux中国](https://linux.cn/) 荣誉推出
 [a]: https://fedoramagazine.org/author/pfrields/
 [b]: https://github.com/lujun9972
 [1]: https://fedoramagazine.org/wp-content/uploads/2019/10/ssh-port-forwarding-816x345.jpg
 [2]: https://en.wikipedia.org/wiki/Secure_Shell
 [3]: https://fedoramagazine.org/open-source-ssh-clients/